[Freeipa-devel] [PATCH 0018] Minor fix in ipa-replica-manage MAN page

2016-07-12 Thread Abhijeet Kasurde

Hi All,

Please review the patch.

Fixes: https://fedorahosted.org/freeipa/ticket/6058

--
Thanks,
Abhijeet Kasurde

IRC: akasurde
http://akasurde.github.io

From b2a0e1133145dd672b959811711217d2960ce998 Mon Sep 17 00:00:00 2001
From: Abhijeet Kasurde 
Date: Tue, 12 Jul 2016 17:08:06 +0530
Subject: [PATCH] Minor fix in ipa-replica-manage MAN page

Fixes: https://fedorahosted.org/freeipa/ticket/6058

Signed-off-by: Abhijeet Kasurde 
---
 install/tools/man/ipa-replica-manage.1 | 14 +++---
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/install/tools/man/ipa-replica-manage.1 b/install/tools/man/ipa-replica-manage.1
index 68be0232fae9309b108e69f9144501be3277f503..34cd314a517ae2f74da7bc87d6336e62d7b57118 100644
--- a/install/tools/man/ipa-replica-manage.1
+++ b/install/tools/man/ipa-replica-manage.1
@@ -16,7 +16,7 @@
 .\"
 .\" Author: Rob Crittenden 
 .\"
-.TH "ipa-replica-manage" "1" "Mar 1 2013" "FreeIPA" "FreeIPA Manual Pages"
+.TH "ipa-replica-manage" "1" "Jul 12 2016" "FreeIPA" "FreeIPA Manual Pages"
 .SH "NAME"
 ipa\-replica\-manage \- Manage an IPA replica
 .SH "SYNOPSIS"
@@ -163,15 +163,15 @@ Performing range changes as a delegated administrator (e.g. not using the Direct
 .TP
 List all masters:
  # ipa\-replica\-manage list
- srv1.example.com
- srv2.example.com
- srv3.example.com
- srv4.example.com
+ srv1.example.com: master
+ srv2.example.com: master
+ srv3.example.com: master
+ srv4.example.com: master
 .TP
 List a server's replication agreements.
  # ipa\-replica\-manage list srv1.example.com
- srv2.example.com
- srv3.example.com
+ srv2.example.com: replica
+ srv3.example.com: replica
 .TP
 Re\-initialize a replica:
  # ipa\-replica\-manage re\-initialize \-\-from srv2.example.com
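Review bot: the `.TP` label "List a server's replication agreements." in this hunk ends with a full stop while the neighbouring labels ("List all masters:", "Re\-initialize a replica:") end with a colon; since the example block is being rewritten anyway, change it to `List a server's replication agreements:` so the three examples read uniformly.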
-- 
2.4.11

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [PATCH 0032] Secure permission and cleanup Custodia server.keys

2016-07-12 Thread Christian Heimes
Custodia's server.keys file contains the private RSA keys for encrypting
and signing Custodia messages. The file was created with permission 644
and is only secured by permission 700 of the directory
/etc/ipa/custodia. The installer and upgrader ensure that the file
has 600.

The server.keys file and all keys are now removed during
uninstallation of a server, too.

https://bugzilla.redhat.com/show_bug.cgi?id=1353936
https://fedorahosted.org/freeipa/ticket/6015
https://fedorahosted.org/freeipa/ticket/6056
From de8f0f42f84eb5ce5e3efaf4336cbfab17793d21 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Fri, 8 Jul 2016 20:06:57 +0200
Subject: [PATCH] Secure permission and cleanup Custodia server.keys

Custodia's server.keys file contains the private RSA keys for encrypting
and signing Custodia messages. The file was created with permission 644
and is only secured by permission 700 of the directory
/etc/ipa/custodia. The installer and upgrader ensure that the file
has 600.

The server.keys file and all keys are now removed during
uninstallation of a server, too.

https://bugzilla.redhat.com/show_bug.cgi?id=1353936
https://fedorahosted.org/freeipa/ticket/6015
https://fedorahosted.org/freeipa/ticket/6056
---
 ipapython/secrets/kem.py  | 58 ++-
 ipaserver/install/custodiainstance.py | 25 +++
 2 files changed, 70 insertions(+), 13 deletions(-)

diff --git a/ipapython/secrets/kem.py b/ipapython/secrets/kem.py
index d45efe8cc4fb63ae9d8c0b2c920fd1f9e5331a9d..a9238e1f7bf8d8cef393ad6b6d997c5cebea13f4 100644
--- a/ipapython/secrets/kem.py
+++ b/ipapython/secrets/kem.py
@@ -15,6 +15,8 @@ from jwcrypto.jwk import JWK
 from ipapython.secrets.common import iSecLdap
 from binascii import unhexlify
 import ldap
+import errno
+import os
 
 
 IPA_REL_BASE_DN = 'cn=custodia,cn=ipa,cn=etc'
@@ -66,7 +68,7 @@ class KEMLdap(iSecLdap):
  'princ': principal})
 r = conn.search_s(self.keysbase, scope, ldap_filter)
 if len(r) != 1:
-raise ValueError("Incorrect number of results (%d) searching for"
+raise ValueError("Incorrect number of results (%d) searching for "
  "public key for %s" % (len(r), principal))
 ipa_public_key = r[0][1]['ipaPublicKey'][0]
 jwk = self._parse_public_key(ipa_public_key)
@@ -139,11 +141,29 @@ class KEMLdap(iSecLdap):
 mods = [(ldap.MOD_REPLACE, 'ipaPublicKey', public_key)]
 conn.modify_s(dn, mods)
 
+def remove_key(self, usage, principal):
+conn = self.connect()
+scope = ldap.SCOPE_SUBTREE
+
+ldap_filter = self.build_filter(IPA_KEYS_QUERY,
+{'usage': RFC5280_USAGE_MAP[usage],
+ 'princ': principal})
+
+r = conn.search_s(self.keysbase, scope, ldap_filter)
+if not r:
+return False
+for entry in r:
+dn = r[0][0]
+conn.delete_s(dn)
+return True
+
 
 def newServerKeys(path, keyid):
 skey = JWK(generate='RSA', use='sig', kid=keyid)
 ekey = JWK(generate='RSA', use='enc', kid=keyid)
-with open(path, 'w+') as f:
+with open(path, 'w') as f:
+os.fchmod(f.fileno(), 0o600)
+os.fchown(f.fileno(), 0, 0)
 f.write('[%s,%s]' % (skey.export(), ekey.export()))
 return [skey.get_op_key('verify'), ekey.get_op_key('encrypt')]
 
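Review bot: in `remove_key` the loop body uses `dn = r[0][0]` instead of `dn = entry[0]`, so with more than one matching entry every iteration deletes the first result and the second `conn.delete_s(dn)` raises `ldap.NO_SUCH_OBJECT`; use `entry[0]` (as written, `entry` is never read). In `newServerKeys`, `open(path, 'w')` creates the file with the umask-derived mode (0644 under the usual 022) and only then `os.fchmod` tightens it, so a freshly generated server.keys is world-readable for a moment; creating it with `os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` and wrapping the descriptor with `os.fdopen` closes that window (keep the `fchmod` for the upgrade case where the file already existed with 0644). `os.fchown(f.fileno(), 0, 0)` also assumes the caller is root, which holds for the installer but deserves a comment.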
@@ -177,6 +197,9 @@ class IPAKEMKeys(KEMKeysStore):
 self.ldap_uri = conf.get('global', 'ldap_uri', None)
 self._server_keys = None
 
+def get_principal(self, servicename):
+return '%s/%s@%s' % (servicename, self.host, self.realm)
+
 def find_key(self, kid, usage):
 if kid is None:
 raise TypeError('Key ID is None, should be a SPN')
@@ -187,7 +210,7 @@ class IPAKEMKeys(KEMKeysStore):
 self.generate_keys('host')
 
 def generate_keys(self, servicename):
-principal = '%s/%s@%s' % (servicename, self.host, self.realm)
+principal = self.get_principal(servicename)
 # Neutralize the key with read if any
 self._server_keys = None
 # Generate private key and store it
@@ -197,6 +220,23 @@ class IPAKEMKeys(KEMKeysStore):
 ldapconn.set_key(KEY_USAGE_SIG, principal, pubkeys[0])
 ldapconn.set_key(KEY_USAGE_ENC, principal, pubkeys[1])
 
+def remove_server_keys(self):
+self.remove_keys('host')
+
+def remove_keys(self, servicename):
+principal = self.get_principal(servicename)
+self._server_keys = None
+# remove keys from LDAP
+ldapconn = KEMLdap(self.ldap_uri)
+ldapconn.remove_key(KEY_USAGE_SIG, principal)
+ldapconn.remove_key(KEY_USAGE_ENC, principal)
+# remove server.keys file
+try:
+os.unlink(self.config['server_keys'])
+except OSError as e:
+if 
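Review bot: in `remove_keys` the two `ldapconn.remove_key(...)` calls run before `os.unlink(self.config['server_keys'])` with nothing catching LDAP errors, so if the directory server is already down or the bind fails during uninstall the exception propagates and the on-disk private keys are never removed, which inverts the priority for a cleanup path. Unlink the file first, or wrap the LDAP removal in try/except and log, so that a failed LDAP delete cannot stop the file removal. The rest of the `except OSError` branch is cut off in this copy, so I cannot comment on which errno it tolerates.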

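The permission problem described in the message above (a key file created 0644 and protected only by its directory) is a general one, and the fix pattern deserves a worked illustration. The block below is an added example, not FreeIPA or Custodia code: it creates a private-key file so that it is 0600 from the moment it exists, independent of the umask, and provides the audit check a practitioner would run against an existing file such as /etc/ipa/custodia/server.keys. The file contents are a constructed placeholder, not real JWKs.

```python
import os
import stat
import tempfile

PRIVATE_MODE = 0o600


def write_private_file(path, data, uid=-1, gid=-1):
    """Write `data` to `path` so the file is never readable by group/other.

    Passing the mode to os.open() means the file is created 0600 (minus
    umask bits) instead of 0644; the fchmod() afterwards forces exactly
    0600 whatever the umask was. O_TRUNC makes the same call safe for an
    upgrader that has to rewrite a file left behind with 0644.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, PRIVATE_MODE)
    try:
        os.fchmod(fd, PRIVATE_MODE)
        if uid != -1 or gid != -1:
            os.fchown(fd, uid, gid)      # e.g. (0, 0): root-owned, as an installer would do
        os.write(fd, data)
    finally:
        os.close(fd)


def audit_private_file(path, expected_uid=None):
    """Return a list of findings for `path`; an empty list means it passes.

    lstat() is used on purpose so a symlink dropped into the directory is
    reported rather than silently followed.
    """
    findings = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return ["is a symlink"]
    if not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file")
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        findings.append("mode %04o grants group/other access" % mode)
    if expected_uid is not None and st.st_uid != expected_uid:
        findings.append("owned by uid %d, expected %d" % (st.st_uid, expected_uid))
    return findings


def demo():
    """Create one file the safe way and one the old way; return what the audit sees."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "server.keys")
        # Constructed placeholder content; a real server.keys holds two JWKs.
        write_private_file(good, b'[{"kty":"RSA"},{"kty":"RSA"}]')

        bad = os.path.join(d, "server.keys.old")
        with open(bad, "w") as f:        # pre-fix pattern: the umask decides the mode
            f.write("[]")
        os.chmod(bad, 0o644)             # what a 022 umask would have produced

        me = os.getuid()
        return {
            "good_mode": stat.S_IMODE(os.stat(good).st_mode),
            "good_findings": audit_private_file(good, me),
            "bad_findings": audit_private_file(bad, me),
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

`audit_private_file` is the part worth keeping around: run it over every private-key path on a server after an upgrade, since a directory mode of 0700 only protects the file until someone changes the directory mode or copies the file elsewhere.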
Re: [Freeipa-devel] [PATCH 031] RedHatCAService should wait for local Dogtag instance

2016-07-12 Thread Christian Heimes
On 2016-07-07 14:54, Martin Basti wrote:
> Patch needs changes in ipa-4-3 branch

My patch? Do you want me to submit a patch for 4.3 branch?

Christian


Re: [Freeipa-devel] [PATCH 0179] Preserve user principal aliases during rename operation

2016-07-12 Thread Simo Sorce
On Tue, 2016-07-12 at 15:46 +0200, Martin Babinsky wrote:
> On 07/12/2016 02:00 PM, Martin Babinsky wrote:
> > 
> > On 07/12/2016 01:05 PM, Alexander Bokovoy wrote:
> > > 
> > > On Mon, 11 Jul 2016, Martin Babinsky wrote:
> > > > 
> > > > From 185bde00a76459430d95ff207bf1fb3fe31e811a Mon Sep 17
> > > > 00:00:00 2001
> > > > From: Martin Babinsky 
> > > > Date: Fri, 1 Jul 2016 18:09:04 +0200
> > > > Subject: [PATCH] Preserve user principal aliases during rename
> > > > operation
> > > > 
> > > > When a MODRDN is performed on the user entry, the MODRDN plugin
> > > > resets
> > > > both
> > > > krbPrincipalName and krbCanonicalName to the value constructed
> > > > from
> > > > uid. In
> > > > doing so, however, any principal aliases added to the
> > > > krbPrincipalName
> > > > are
> > > > wiped clean. In this patch old aliases are fetched before the
> > > > MODRDN
> > > > operation
> > > > takes place and inserted back after it is performed.
> > > > 
> > > > This also preserves previous user logins which can be used
> > > > further for
> > > > authentication as aliases.
> > > > 
> > > > https://fedorahosted.org/freeipa/ticket/6028
> > > > ---
> > > > ipaserver/plugins/baseuser.py | 46
> > > > +++
> > > > 1 file changed, 46 insertions(+)
> > > > 
> > > > diff --git a/ipaserver/plugins/baseuser.py
> > > > b/ipaserver/plugins/baseuser.py
> > > > index
> > > > 0052e718afe639bcc1c0a698ded39ea8407a0551..e4288a5a131157815ffb2
> > > > 452692a7edb342f6ac3
> > > > 
> > > > 100644
> > > > --- a/ipaserver/plugins/baseuser.py
> > > > +++ b/ipaserver/plugins/baseuser.py
> > > > @@ -498,6 +498,50 @@ class baseuser_mod(LDAPUpdate):
> > > > len =
> > > > int(config.get('ipamaxusernamelength')[0])
> > > > )
> > > > )
> > > > +
> > > > +def preserve_krbprincipalname_pre(self, ldap, entry_attrs,
> > > > *keys,
> > > > **options):
> > > > +"""
> > > > +preserve user principal aliases during rename
> > > > operation. This
> > > > is the
> > > > +pre-callback part of this. Another method called
> > > > during
> > > > post-callback
> > > > +shall insert the principals back
> > > > +"""
> > > > +if options.get('rename', None) is None:
> > > > +return
> > > > +
> > > > +try:
> > > > +old_entry = ldap.get_entry(
> > > > +entry_attrs.dn, attrs_list=(
> > > > +'krbprincipalname', 'krbcanonicalname'))
> > > > +
> > > > +if 'krbcanonicalname' not in old_entry:
> > > > +return
> > > > +except errors.NotFound:
> > > > +self.obj.handle_not_found(*keys)
> > > > +
> > > > +self.context.krbprincipalname = old_entry.get(
> > > > +'krbprincipalname', [])
> > > > +
> > > > +def preserve_krbprincipalname_post(self, ldap,
> > > > entry_attrs,
> > > > **options):
> > > > +"""
> > > > +Insert the preserved aliases back to the user entry
> > > > during
> > > > rename
> > > > +operation
> > > > +"""
> > > > +if options.get('rename', None) is None or not hasattr(
> > > > +self.context, 'krbprincipalname'):
> > > > +return
> > > > +
> > > > +obj_pkey =
> > > > self.obj.get_primary_key_from_dn(entry_attrs.dn)
> > > > +canonical_name = entry_attrs['krbcanonicalname'][0]
> > > > +
> > > > +principals_to_add = tuple(p for p in
> > > > self.context.krbprincipalname if
> > > > +  p != canonical_name)
> > > > +
> > > > +if principals_to_add:
> > > > +result = self.api.Command.user_add_principal(
> > > > +obj_pkey, principals_to_add)['result']
> > > > +
> > > > +entry_attrs['krbprincipalname'] =
> > > > result.get('krbprincipalname', [])
> > > > +
> > > > def check_mail(self, entry_attrs):
> > > > if 'mail' in entry_attrs:
> > > > entry_attrs['mail'] =
> > > > self.obj.normalize_and_validate_email(entry_attrs['mail'])
> > > > @@ -557,9 +601,11 @@ class baseuser_mod(LDAPUpdate):
> > > > 
> > > > self.check_objectclass(ldap, dn, entry_attrs)
> > > > self.obj.convert_usercertificate_pre(entry_attrs)
> > > > +self.preserve_krbprincipalname_pre(ldap, entry_attrs,
> > > > *keys,
> > > > **options)
> > > > 
> > > > def post_common_callback(self, ldap, dn, entry_attrs,
> > > > *keys,
> > > > **options):
> > > > assert isinstance(dn, DN)
> > > > +self.preserve_krbprincipalname_post(ldap, entry_attrs,
> > > > **options)
> > > > if options.get('random', False):
> > > > try:
> > > > entry_attrs['randompassword'] =
> > > > unicode(getattr(context, 'randompassword'))
> > > > --
> > > > 2.5.5
> > > > 
> > > The approach looks good.
> > > 
> > > For the record, we also support aliases 

Re: [Freeipa-devel] [PATCH 0552] Vault: enable client side plugins CLI

2016-07-12 Thread Petr Vobornik
On 07/12/2016 02:06 PM, Martin Babinsky wrote:
> On 07/08/2016 04:36 PM, Alexander Bokovoy wrote:
>> On Fri, 08 Jul 2016, Martin Basti wrote:
>>> Patch attached.
>>> https://fedorahosted.org/freeipa/ticket/6035
>>
>>> From 2c97c316c1db49daeda15c709f082ee083a741ad Mon Sep 17 00:00:00 2001
>>> From: Martin Basti 
>>> Date: Fri, 8 Jul 2016 15:53:25 +0200
>>> Subject: [PATCH] Enable vault-* commands on client
>>>
>>> Client plugins for vault commands were disabled by NO_CLI=True,
>>> inherited from vault_add_internal, which is always NO_CLI=True.
>>> Introduced by this commit 8278da6967dbe425b4e0c6cf37dc1c53052525b2
>>>
>>> Removed NO_CLI=True from client side plugins for vault.
>>>
>>> https://fedorahosted.org/freeipa/ticket/6035
>> ACK.
>>
>> I haven't tested it but the change is obvious.
>>
> 
> And it works as expected, so ACK also from me.
> 

master:
* 9feeaca9fb552229638ce98086aa75905a45b48d Enable vault-* commands on client

-- 
Petr Vobornik



Re: [Freeipa-devel] [PATCH 0184] vault-add: set the default vault type on the client side if none was given

2016-07-12 Thread Stanislav Laznicka

On 07/12/2016 02:10 PM, Martin Babinsky wrote:

Quick fix for https://fedorahosted.org/freeipa/ticket/6047

Note that it depends on mbasti's patch 552 (already acked); otherwise the 
client-side vault commands would not even be visible in the CLI.

ACK.



Re: [Freeipa-devel] [PATCH] spec: require Dogtag >= 10.3.3-3

2016-07-12 Thread Petr Spacek
On 8.7.2016 06:52, Fraser Tweedale wrote:
> On Thu, Jul 07, 2016 at 01:16:04PM +0200, Petr Spacek wrote:
>> Hello,
>>
>> IPA 4.4.0 requires Dogtag >= 10.3.4. Is this version going to be built for
>> Fedora any time soon?
>>
>> Or should I update my scripts to automatically enable
>> COPR @freeipa/freeipa-master
>> in my testing VMs?
>>
>> Thanks.
>> Petr^2 Spacek
>>
> Hi Petr,
> 
> The required features were released for Fedora as 10.3.3-3.
> Attached patch retracts the min required version accordingly.

ACK

-- 
Petr^2 Spacek



[Freeipa-devel] [PATCH 0184] vault-add: set the default vault type on the client side if none was given

2016-07-12 Thread Martin Babinsky

Quick fix for https://fedorahosted.org/freeipa/ticket/6047

Note that it depends on mbasti's patch 552 (already acked); otherwise the 
client-side vault commands would not even be visible in the CLI.


--
Martin^3 Babinsky
From b2019ce4b1dbf16b52e43d89a3d113cd5d9efc93 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Tue, 12 Jul 2016 13:44:49 +0200
Subject: [PATCH] vault-add: set the default vault type on the client side if
 none was given

The `vault-add` command does much processing depending on the vault type even
before the request is forwarded to the remote server. Since default values for
parameters are now filled in only on the server side, the client-side logic
would fail if the vault type was not explicitly given. In this case we have to
retrieve and use the default vault type from the schema.

https://fedorahosted.org/freeipa/ticket/6047
---
 ipaclient/plugins/vault.py | 5 +
 1 file changed, 5 insertions(+)

diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py
index 11210d6e1339f42598b39bcf599d3e6eacb5b9d8..b7e0cfffb2fff62fdbbf438964d124fc2dd8ac36 100644
--- a/ipaclient/plugins/vault.py
+++ b/ipaclient/plugins/vault.py
@@ -225,6 +225,11 @@ class vault_add(Local):
 def forward(self, *args, **options):
 
 vault_type = options.get('ipavaulttype')
+
+if vault_type is None:
+internal_cmd = self.api.Command.vault_add_internal
+vault_type = internal_cmd.params.ipavaulttype.default
+
 password = options.get('password')
 password_file = options.get('password_file')
 public_key = options.get('ipavaultpublickey')
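Review bot: `vault_type` is resolved locally from `internal_cmd.params.ipavaulttype.default`, but `options` is not updated with it, so if the rest of `forward()` (not in this hunk) passes `options` through unchanged the client acts on one default while the server fills in its own; they agree today but nothing ties them together. Assign `options['ipavaulttype'] = vault_type` right after the lookup so the forwarded request explicitly carries the type the client-side logic acted on. Also worth a guard: if the server schema ever exposes the parameter without a default, `vault_type` stays `None` and the type-dependent code below fails in the same way the ticket describes.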
-- 
2.5.5


Re: [Freeipa-devel] [PATCH 0552] Vault: enable client side plugins CLI

2016-07-12 Thread Martin Babinsky

On 07/08/2016 04:36 PM, Alexander Bokovoy wrote:

On Fri, 08 Jul 2016, Martin Basti wrote:

Patch attached.
https://fedorahosted.org/freeipa/ticket/6035

From 2c97c316c1db49daeda15c709f082ee083a741ad Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Fri, 8 Jul 2016 15:53:25 +0200
Subject: [PATCH] Enable vault-* commands on client

Client plugins for vault commands were disabled by NO_CLI=True,
inherited from vault_add_internal, which is always NO_CLI=True.
Introduced by this commit 8278da6967dbe425b4e0c6cf37dc1c53052525b2

Removed NO_CLI=True from client side plugins for vault.

https://fedorahosted.org/freeipa/ticket/6035

ACK.

I haven't tested it but the change is obvious.

And it works as expected, so ACK also from me.

--
Martin^3 Babinsky



Re: [Freeipa-devel] [PATCH 0179] Preserve user principal aliases during rename operation

2016-07-12 Thread Martin Babinsky

On 07/12/2016 01:05 PM, Alexander Bokovoy wrote:

On Mon, 11 Jul 2016, Martin Babinsky wrote:

From 185bde00a76459430d95ff207bf1fb3fe31e811a Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Fri, 1 Jul 2016 18:09:04 +0200
Subject: [PATCH] Preserve user principal aliases during rename operation

When a MODRDN is performed on the user entry, the MODRDN plugin resets
both
krbPrincipalName and krbCanonicalName to the value constructed from
uid. In
doing so, however, any principal aliases added to the krbPrincipalName
are
wiped clean. In this patch old aliases are fetched before the MODRDN
operation
takes place and inserted back after it is performed.

This also preserves previous user logins which can be used further for
authentication as aliases.

https://fedorahosted.org/freeipa/ticket/6028
---
ipaserver/plugins/baseuser.py | 46
+++
1 file changed, 46 insertions(+)

diff --git a/ipaserver/plugins/baseuser.py
b/ipaserver/plugins/baseuser.py
index
0052e718afe639bcc1c0a698ded39ea8407a0551..e4288a5a131157815ffb2452692a7edb342f6ac3
100644
--- a/ipaserver/plugins/baseuser.py
+++ b/ipaserver/plugins/baseuser.py
@@ -498,6 +498,50 @@ class baseuser_mod(LDAPUpdate):
len =
int(config.get('ipamaxusernamelength')[0])
)
)
+
+def preserve_krbprincipalname_pre(self, ldap, entry_attrs, *keys,
**options):
+"""
+preserve user principal aliases during rename operation. This
is the
+pre-callback part of this. Another method called during
post-callback
+shall insert the principals back
+"""
+if options.get('rename', None) is None:
+return
+
+try:
+old_entry = ldap.get_entry(
+entry_attrs.dn, attrs_list=(
+'krbprincipalname', 'krbcanonicalname'))
+
+if 'krbcanonicalname' not in old_entry:
+return
+except errors.NotFound:
+self.obj.handle_not_found(*keys)
+
+self.context.krbprincipalname = old_entry.get(
+'krbprincipalname', [])
+
+def preserve_krbprincipalname_post(self, ldap, entry_attrs,
**options):
+"""
+Insert the preserved aliases back to the user entry during
rename
+operation
+"""
+if options.get('rename', None) is None or not hasattr(
+self.context, 'krbprincipalname'):
+return
+
+obj_pkey = self.obj.get_primary_key_from_dn(entry_attrs.dn)
+canonical_name = entry_attrs['krbcanonicalname'][0]
+
+principals_to_add = tuple(p for p in
self.context.krbprincipalname if
+  p != canonical_name)
+
+if principals_to_add:
+result = self.api.Command.user_add_principal(
+obj_pkey, principals_to_add)['result']
+
+entry_attrs['krbprincipalname'] =
result.get('krbprincipalname', [])
+
def check_mail(self, entry_attrs):
if 'mail' in entry_attrs:
entry_attrs['mail'] =
self.obj.normalize_and_validate_email(entry_attrs['mail'])
@@ -557,9 +601,11 @@ class baseuser_mod(LDAPUpdate):

self.check_objectclass(ldap, dn, entry_attrs)
self.obj.convert_usercertificate_pre(entry_attrs)
+self.preserve_krbprincipalname_pre(ldap, entry_attrs, *keys,
**options)

def post_common_callback(self, ldap, dn, entry_attrs, *keys,
**options):
assert isinstance(dn, DN)
+self.preserve_krbprincipalname_post(ldap, entry_attrs,
**options)
if options.get('random', False):
try:
entry_attrs['randompassword'] =
unicode(getattr(context, 'randompassword'))
--
2.5.5


The approach looks good.

For the record, we also support aliases for hosts and service kerberos
principals but we don't support rename options for them, so there is no
need to add similar logic there.

That's right, I have updated the corresponding section of the design 
page [1] for future reference.


[1] 
http://www.freeipa.org/page/V4/Kerberos_principal_aliases#Management_framework


--
Martin^3 Babinsky



Re: [Freeipa-devel] [PATCH 0179] Preserve user principal aliases during rename operation

2016-07-12 Thread Alexander Bokovoy

On Mon, 11 Jul 2016, Martin Babinsky wrote:

From 185bde00a76459430d95ff207bf1fb3fe31e811a Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Fri, 1 Jul 2016 18:09:04 +0200
Subject: [PATCH] Preserve user principal aliases during rename operation

When a MODRDN is performed on the user entry, the MODRDN plugin resets both
krbPrincipalName and krbCanonicalName to the value constructed from uid. In
doing so, however, any principal aliases added to the krbPrincipalName are
wiped clean. In this patch old aliases are fetched before the MODRDN operation
takes place and inserted back after it is performed.

This also preserves previous user logins which can be used further for
authentication as aliases.

https://fedorahosted.org/freeipa/ticket/6028
---
ipaserver/plugins/baseuser.py | 46 +++
1 file changed, 46 insertions(+)

diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
index 
0052e718afe639bcc1c0a698ded39ea8407a0551..e4288a5a131157815ffb2452692a7edb342f6ac3
 100644
--- a/ipaserver/plugins/baseuser.py
+++ b/ipaserver/plugins/baseuser.py
@@ -498,6 +498,50 @@ class baseuser_mod(LDAPUpdate):
len = int(config.get('ipamaxusernamelength')[0])
)
)
+
+def preserve_krbprincipalname_pre(self, ldap, entry_attrs, *keys, 
**options):
+"""
+preserve user principal aliases during rename operation. This is the
+pre-callback part of this. Another method called during post-callback
+shall insert the principals back
+"""
+if options.get('rename', None) is None:
+return
+
+try:
+old_entry = ldap.get_entry(
+entry_attrs.dn, attrs_list=(
+'krbprincipalname', 'krbcanonicalname'))
+
+if 'krbcanonicalname' not in old_entry:
+return
+except errors.NotFound:
+self.obj.handle_not_found(*keys)
+
+self.context.krbprincipalname = old_entry.get(
+'krbprincipalname', [])
+
+def preserve_krbprincipalname_post(self, ldap, entry_attrs, **options):
+"""
+Insert the preserved aliases back to the user entry during rename
+operation
+"""
+if options.get('rename', None) is None or not hasattr(
+self.context, 'krbprincipalname'):
+return
+
+obj_pkey = self.obj.get_primary_key_from_dn(entry_attrs.dn)
+canonical_name = entry_attrs['krbcanonicalname'][0]
+
+principals_to_add = tuple(p for p in self.context.krbprincipalname if
+  p != canonical_name)
+
+if principals_to_add:
+result = self.api.Command.user_add_principal(
+obj_pkey, principals_to_add)['result']
+
+entry_attrs['krbprincipalname'] = result.get('krbprincipalname', 
[])
+
def check_mail(self, entry_attrs):
if 'mail' in entry_attrs:
entry_attrs['mail'] = 
self.obj.normalize_and_validate_email(entry_attrs['mail'])
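Review bot: `preserve_krbprincipalname_post` runs after the MODRDN has already been applied, and the `self.api.Command.user_add_principal(...)` call is not guarded, so if re-adding an old alias fails the user is left renamed with its aliases dropped while `user-mod` reports an error for an operation that was in fact committed; catch the error here and surface it as a warning in the result, or validate the aliases in the `_pre` hook before the rename happens. Smaller point: this lives in `baseuser_mod`, yet the re-add hard-codes `user_add_principal`; if a subclass for another user container can accept `rename`, dispatch on the object (something like `self.obj.name`) instead of naming the user command directly.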
@@ -557,9 +601,11 @@ class baseuser_mod(LDAPUpdate):

self.check_objectclass(ldap, dn, entry_attrs)
self.obj.convert_usercertificate_pre(entry_attrs)
+self.preserve_krbprincipalname_pre(ldap, entry_attrs, *keys, **options)

def post_common_callback(self, ldap, dn, entry_attrs, *keys, **options):
assert isinstance(dn, DN)
+self.preserve_krbprincipalname_post(ldap, entry_attrs, **options)
if options.get('random', False):
try:
entry_attrs['randompassword'] = unicode(getattr(context, 
'randompassword'))
--
2.5.5


The approach looks good.

For the record, we also support aliases for hosts and service kerberos
principals but we don't support rename options for them, so there is no
need to add similar logic there.


--
/ Alexander Bokovoy



[Freeipa-devel] [PATCH 0149] help: Add dnsserver commands to help topic 'dns'

2016-07-12 Thread Petr Spacek
Hello,

help: Add dnsserver commands to help topic 'dns'

https://bugzilla.redhat.com/show_bug.cgi?id=1353888

-- 
Petr^2 Spacek
From 28e5f4d195c891a2eba2970c8a915469a2b0447f Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Tue, 12 Jul 2016 12:53:52 +0200
Subject: [PATCH] help: Add dnsserver commands to help topic 'dns'

https://bugzilla.redhat.com/show_bug.cgi?id=1353888
---
 ipaserver/plugins/dnsserver.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ipaserver/plugins/dnsserver.py b/ipaserver/plugins/dnsserver.py
index beddec04230d810479fff9612721cf12260bbb3a..c26be6ecb2caf59318c38010423c583bf0c50cd8 100644
--- a/ipaserver/plugins/dnsserver.py
+++ b/ipaserver/plugins/dnsserver.py
@@ -48,6 +48,8 @@ EXAMPLES:
 
 register = Registry()
 
+topic = 'dns'
+
 dnsserver_object_class = ['top', 'idnsServerConfigObject']
 
 @register()
-- 
2.7.4


Re: [Freeipa-devel] [PATCH 0056] removed unused parameter from migrate-ds

2016-07-12 Thread Martin Babinsky

On 07/11/2016 12:40 PM, Stanislav Laznicka wrote:

https://fedorahosted.org/freeipa/ticket/6034

ACK

--
Martin^3 Babinsky



Re: [Freeipa-devel] [PATCH 0550] host-find: do not show SSH keys by default

2016-07-12 Thread Stanislav Laznicka

On 07/08/2016 01:52 PM, Martin Basti wrote:

Reproducible only with 2+ hosts, patch attached.

https://fedorahosted.org/freeipa/ticket/6043

ACK.



Re: [Freeipa-devel] [PATCH] kdb: check for local realm in enterprise principals

2016-07-12 Thread Petr Vobornik
On 07/11/2016 05:15 PM, Martin Babinsky wrote:
> On 07/06/2016 07:01 PM, Sumit Bose wrote:
>> Hi,
>>
>> although enterprise principals for trusted domains are now working as
>> expected, they do not work for the local domain:
>>
>> # kinit -E admin@IPA.DEVEL
>> kinit: Client 'admin\@IPA.DEVEL@IPA.DEVEL' not found in Kerberos
>> database while getting initial credentials
>>
>> Attached patch handles this case. It is not that nice because of the
>> duplication of ipadb_fetch_principals() and ipadb_find_principal(). But
>> I think there was a reason I do not remember why we didn't check for
>> enterprise principals before checking the local database. If there is no
>> such reason it might make sense to check for enterprise principals
>> before doing the lookup. Please let me know if I should change the patch
>> accordingly or if the current version is ok,
>>
>> bye,
>> Sumit
>>
>>
>>
> Code looks ok to me and the patch fixes the issue, so ACK.
> 

master:
* 6d6da6b281173737bd31ba4845af11a097846c05 kdb: check for local realm in
enterprise principals

-- 
Petr Vobornik

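The failing lookup quoted above shows the shape of the problem: with `kinit -E` the whole name `admin@IPA.DEVEL` travels as a single principal component, which MIT krb5 prints with its '@' escaped, followed by the KDC's own realm. A KDB driver therefore has to unescape the component, split it on its own '@' and decide whether the embedded realm is the local one (direct lookup) or a trusted one (hand-off to the trust code). The block below is an added example in Python, not ipa-kdb code (which is C); the escape table mirrors the characters MIT's unparse routine quotes, and the exact, case-sensitive realm comparison is an assumption about how the local realm should be recognised.

```python
# Escapes MIT krb5 applies inside a principal component when unparsing a name.
_UNESCAPE = {'@': '@', '/': '/', '\\': '\\', 'n': '\n', 't': '\t', 'b': '\b', '0': '\0'}
_ESCAPE = {v: '\\' + k for k, v in _UNESCAPE.items()}


def split_principal(name):
    """Split 'comp1/comp2@REALM' into (components, realm), honouring escapes.

    realm is None when the string contains no unescaped '@'.
    """
    comps, cur, in_realm = [], [], False
    i, n = 0, len(name)
    while i < n:
        ch = name[i]
        if ch == '\\' and i + 1 < n:            # escaped character: take it literally
            cur.append(_UNESCAPE.get(name[i + 1], name[i + 1]))
            i += 2
            continue
        if not in_realm and ch == '/':
            comps.append(''.join(cur))
            cur = []
        elif not in_realm and ch == '@':
            comps.append(''.join(cur))
            cur = []
            in_realm = True
        else:
            cur.append(ch)
        i += 1
    if in_realm:
        return comps, ''.join(cur)
    comps.append(''.join(cur))
    return comps, None


def unparse_enterprise(user_at_realm, kdc_realm):
    """Render 'user@REALM' as the enterprise principal string krb5 would send."""
    return ''.join(_ESCAPE.get(c, c) for c in user_at_realm) + '@' + kdc_realm


def resolve_enterprise(name, local_realm):
    """Decide how the KDB should look up an enterprise principal.

    Returns ('local', 'user@REALM') when the embedded realm is the KDC's own,
    ('trusted', 'user@OTHER') when it names some other realm (the trust code
    path), or ('invalid', reason) when the string is not an enterprise name.
    """
    comps, realm = split_principal(name)
    if realm is None or len(comps) != 1:
        return ('invalid', 'enterprise principal must be one component plus realm')
    inner, inner_realm = split_principal(comps[0])
    if inner_realm is None or len(inner) != 1 or not inner[0]:
        return ('invalid', 'component is not of the form user@realm')
    target = '%s@%s' % (inner[0], inner_realm)
    # Kerberos realm names are case-sensitive; compare them exactly.
    if inner_realm == local_realm:
        return ('local', target)
    return ('trusted', target)


if __name__ == '__main__':
    wire = unparse_enterprise('admin@IPA.DEVEL', 'IPA.DEVEL')
    print(wire)                                        # admin\@IPA.DEVEL@IPA.DEVEL
    print(resolve_enterprise(wire, 'IPA.DEVEL'))
    print(resolve_enterprise(unparse_enterprise('user@AD.EXAMPLE', 'IPA.DEVEL'), 'IPA.DEVEL'))
```

The `('local', ...)` branch is the case the patch in this thread adds: without it the KDC searched for a principal whose first component literally contained the '@', which is the "not found" error in the report.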


Re: [Freeipa-devel] [PATCH 0183] ipa-advise: correct handling of plugin namespace iteration

2016-07-12 Thread Petr Vobornik
On 07/11/2016 02:30 PM, Stanislav Laznicka wrote:
> On 07/11/2016 02:18 PM, Martin Babinsky wrote:
>> https://fedorahosted.org/freeipa/ticket/6044
>>
>>
>>
> ACK.
> 
> 
> 
master:
* c1d8629b7490f443eededf0c0d0472d8285f85e8 ipa-advise: correct handling
of plugin namespace iteration

-- 
Petr Vobornik



Re: [Freeipa-devel] [PATCH 0182] ipa-compat-manage: use server API to retrieve plugin statu

2016-07-12 Thread Petr Vobornik
On 07/12/2016 10:22 AM, Stanislav Laznicka wrote:
> On 07/12/2016 10:02 AM, Stanislav Laznicka wrote:
>> On 07/11/2016 10:50 AM, Martin Babinsky wrote:
>>> Fixes regression reported in
>>> https://fedorahosted.org/freeipa/ticket/6033
>>>
>> Hello,
>>
>> The ticket is rather cryptic as it has ipa-compat-manage in the header but
>> describes an error in ipa-nis-manage. Both scripts suffer from the very
>> same error; could you fix the latter as well?
>>
>> Thanks,
>> Standa
> 
> Never mind, I found the ipa-nis-manage patch posted earlier on the mailing
> list, already ACKed although it probably hasn't been pushed yet.
> 
> ACK.
> 

master:
* a5efeb449bba47dd430a7b8ffa594ace189252f4 ipa-compat-manage: use server
API to retrieve plugin status

-- 
Petr Vobornik



Re: [Freeipa-devel] [patch 0038-0040] Sub CA test patches

2016-07-12 Thread Petr Vobornik
On 07/08/2016 06:06 AM, Fraser Tweedale wrote:
> On Thu, Jul 07, 2016 at 03:46:52PM +0200, Milan Kubík wrote:
>> On 07/04/2016 08:57 AM, Fraser Tweedale wrote:
>>> Hi Milan,

>>
> Thanks Milan,
> 
> All working for me now.  ACK on all four patches.
> 
> Cheers,
> Fraser
> 

master:
* ea9b15f435c6327c6f642e3e8093796229d94598 ipatests: Tracker
implementation for Sub CA feature
* 5b37aaad7718bd0214053fd2e758ba7dc332e21d ipatests: Extend CAACL suite
to cover Sub CA members
* d88a12f1f59640bb6593169aa4c7ea204af18cee ipatests: Test Sub CA with
CAACL and certificate profile
* 0277a89825cf0d8d1099f537d9eb4ab1020751d2 ipatests: remove ipacertbase
option from test CSR configuration


-- 
Petr Vobornik



Re: [Freeipa-devel] [PATCH 0181] ipa-nis-manage: Use server API to retrieve plugin status

2016-07-12 Thread Petr Vobornik
On 07/06/2016 11:18 AM, Florence Blanc-Renaud wrote:
> On 07/04/2016 01:36 PM, Martin Babinsky wrote:
>> https://fedorahosted.org/freeipa/ticket/6027
>>
>>
>>
> Hi Martin,
> 
> I tested your patch and it correctly fixes the issue.
> Ack,
> 
> Flo.
> 

master:
* c5cc79f1ad2ef1eb81ad3d9cea2882a7ae1825b2 ipa-nis-manage: Use server
API to retrieve plugin status

-- 
Petr Vobornik



Re: [Freeipa-devel] [PATCH] 0087 uninstall: untrack lightweight CA certs

2016-07-12 Thread Petr Vobornik
On 07/04/2016 10:18 AM, Martin Babinsky wrote:
> On 07/04/2016 05:10 AM, Fraser Tweedale wrote:
>> The attached patch fixes
>> https://fedorahosted.org/freeipa/ticket/6020
>>
>> Thanks,
>> Fraser
>>
>>
>>
> ACK.
> 

master:
* 88841a561922fd9a57f3c473833f2ff26c8061ec uninstall: untrack
lightweight CA certs

-- 
Petr Vobornik



Re: [Freeipa-devel] [PATCH 0182] ipa-compat-manage: use server API to retrieve plugin status

2016-07-12 Thread Stanislav Laznicka

On 07/12/2016 10:02 AM, Stanislav Laznicka wrote:
> On 07/11/2016 10:50 AM, Martin Babinsky wrote:
>> Fixes regression reported in https://fedorahosted.org/freeipa/ticket/6033
>
> Hello,
>
> The ticket is rather cryptic as it has ipa-compat-manage in the header but
> describes an error in ipa-nis-manage. Both scripts suffer from the very
> same error, could you fix the latter as well?
>
> Thanks,
> Standa

Never mind, I found the ipa-nis-manage patch posted earlier on the mailing
list ACKed, although it probably hasn't been pushed yet.

ACK.



Re: [Freeipa-devel] [PATCH 0182] ipa-compat-manage: use server API to retrieve plugin status

2016-07-12 Thread Stanislav Laznicka

On 07/11/2016 10:50 AM, Martin Babinsky wrote:
> Fixes regression reported in https://fedorahosted.org/freeipa/ticket/6033

Hello,

The ticket is rather cryptic as it has ipa-compat-manage in the header but
describes an error in ipa-nis-manage. Both scripts suffer from the very
same error, could you fix the latter as well?

Thanks,
Standa

Re: [Freeipa-devel] [PATCH] 0089 caacl: expand plugin documentation

2016-07-12 Thread Alexander Bokovoy

On Tue, 12 Jul 2016, Fraser Tweedale wrote:

Attached patch is a doc change, addressing
https://fedorahosted.org/freeipa/ticket/6002.

Thanks,
Fraser



From 19c5fc60391d37c9d0500feb5d5d5a6628bc4d27 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Tue, 12 Jul 2016 15:11:11 +1000
Subject: [PATCH] caacl: expand plugin documentation

Expand the 'caacl' plugin documentation to explain some common
confusions including the fact that CA ACLs apply to the target
subject principal (not necessarily the principal requesting the
cert), and the fact that CA-less CA ACL implies the 'ipa' CA.

Fixes: https://fedorahosted.org/freeipa/ticket/6002
---
ipaserver/plugins/caacl.py | 34 --
1 file changed, 28 insertions(+), 6 deletions(-)

diff --git a/ipaserver/plugins/caacl.py b/ipaserver/plugins/caacl.py
index 9a60f7e27809c4f41b160647efafde94dbe90bf0..d316cc7c48cf2997d6be6b052dc1efa6d6fcdb6a 100644
--- a/ipaserver/plugins/caacl.py
+++ b/ipaserver/plugins/caacl.py
@@ -23,14 +23,36 @@ if six.PY3:
__doc__ = _("""
Manage CA ACL rules.

-This plugin is used to define rules governing which principals are
-permitted to have certificates issued using a given certificate
-profile.
+This plugin is used to define rules governing which CAs and profiles
+may be used to issue certificates to particular principals or groups
+of principals.

-PROFILE ID SYNTAX:
+SUBJECT PRINCIPAL SCOPE:

-A Profile ID is a string without spaces or punctuation starting with a letter
-and followed by a sequence of letters, digits or underscore ("_").
+For a certificate request to be allowed, the principal(s) that are
+the subject of a certificate request (not necessarily the principal
+actually requesting the certificate) must be included in the scope
+of a CA ACL that also includes the target CA and profile.
+
+Users can be included by name, group or the "all users" category.
+Hosts can be included by name, hostgroup or the "all hosts"
+category.  Services can be included by service name or the "all
+services" category.  CA ACLs may be associated with a single type of
+principal, or multiple types.
+
+CERTIFICATE AUTHORITY SCOPE:
+
+A CA ACL can be associated with one or more CAs by name, or by the
+"all CAs" category.  For compatibility reasons, a CA ACL with no CA
+association implies an association with the 'ipa' CA (and only this
+CA).
+
+PROFILE SCOPE:
+
+A CA ACL can be associated with one or more profiles by Profile ID.
+The Profile ID is a string without spaces or punctuation starting
+with a letter and followed by a sequence of letters, digits or
+underscore ("_").

EXAMPLES:

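Review bot: in the CERTIFICATE AUTHORITY SCOPE paragraph, the sentence "a CA ACL with no CA association implies an association with the 'ipa' CA (and only this CA)" describes the default an administrator is most likely to misread, so it deserves one more sentence stating that a rule meant to cover every CA must use the "all CAs" category explicitly, and that leaving the CA association empty does not widen the rule beyond 'ipa'. In the SUBJECT PRINCIPAL SCOPE paragraph, "principal(s) that are the subject of a certificate request (not necessarily the principal actually requesting the certificate)" is the key clarification; consider adding a sentence saying what does govern whether the requesting principal may ask for a certificate on behalf of that subject, since readers may otherwise take the CA ACL to be the only check performed.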

ACK. Reads well.

--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH 0057] Don't show part of warning containing --force-ntpd in replica install

2016-07-12 Thread Stanislav Laznicka

On 07/11/2016 04:27 PM, Petr Vobornik wrote:
> On 07/11/2016 01:23 PM, Stanislav Laznicka wrote:
>> https://fedorahosted.org/freeipa/ticket/6046
>
> Isn't the bug about something else?
>
> The issue was that ipa-replica-install doesn't have a --force-ntpd option.
> It is an option of ipa-client-install, which is run from the replica installer.
>
> The unattended mode is unrelated.

My understanding is that the bug says that the '--force-ntpd' option should
not be shown when ipa-client-install is run during replica installation.

During replica installation, the ipa-client-install script is run with
the '--unattended' flag in the 'ensure_enrolled()' function. Being a
separate script, there aren't many options for passing the information
not to show the message to ipa-client-install. Using the already used
flag to get rid of the message seemed easiest to me. Introducing a new
'hidden' flag (like '--from-replica'), on the other hand, seems a bit harsh.

