[Freeipa-devel] [PATCH] 0100 Track lightweight CAs on replica installation
Hi folks,

Please review attached patch which fixes https://fedorahosted.org/freeipa/ticket/6019.

Thanks,
Fraser

From 558ec02053154b472b0505e6c2279095f296cb9c Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Tue, 23 Aug 2016 16:14:30 +1000
Subject: [PATCH] Track lightweight CAs on replica installation

Add Certmonger tracking requests for lightweight CAs on replica installation. As part of this change, extract most of the lightweight CA tracking code out of ipa-certupdate and into cainstance.

Fixes: https://fedorahosted.org/freeipa/ticket/6019
---
 ipaclient/ipa_certupdate.py | 53 +--
 ipalib/constants.py | 2 ++
 ipaserver/install/cainstance.py | 80 +
 3 files changed, 91 insertions(+), 44 deletions(-)

diff --git a/ipaclient/ipa_certupdate.py b/ipaclient/ipa_certupdate.py index e59047a2705eb8ccb98b5213c4c8771f55a29bc5..2b33934619aa69e941fb292660ede5f925799142 100644 --- a/ipaclient/ipa_certupdate.py +++ b/ipaclient/ipa_certupdate.py @@ -29,10 +29,7 @@ from ipaplatform import services from ipaplatform.paths import paths from ipaplatform.tasks import tasks from ipalib import api, errors, x509, certstore -from ipalib.constants import IPA_CA_CN - -IPA_CA_NICKNAME = 'caSigningCert cert-pki-ca' -RENEWAL_CA_NAME = 'dogtag-ipa-ca-renew-agent' +from ipalib.constants import IPA_CA_NICKNAME, RENEWAL_CA_NAME class CertUpdate(admintool.AdminTool): command_name = 'ipa-certupdate' @@ -85,11 +82,8 @@ class CertUpdate(admintool.AdminTool): certs = certstore.get_ca_certs(ldap, api.env.basedn, api.env.realm, ca_enabled) -# find lightweight CAs (on renewal master only) -lwcas = [] -for ca_obj in api.Command.ca_find()['result']: -if IPA_CA_CN not in ca_obj['cn']: -lwcas.append(ca_obj) +# find lightweight CAs +lwcas = api.Command.ca_find()['result'] api.Backend.rpcclient.disconnect() finally: 
@@ -98,8 +92,12 @@ class CertUpdate(admintool.AdminTool): server_fstore = sysrestore.FileStore(paths.SYSRESTORE) if server_fstore.has_files(): self.update_server(certs) -for entry in lwcas: -self.server_track_lightweight_ca(entry) +try: +from ipaserver.install import cainstance +cainstance.add_lightweight_ca_tracking_requests(self.log, lwcas) +except Exception as e: +self.log.exception( +"Failed to add lightweight CA tracking requests") self.update_client(certs) @@ -163,39 +161,6 @@ class CertUpdate(admintool.AdminTool): self.update_file(paths.CA_CRT, certs) -def server_track_lightweight_ca(self, entry): -nickname = "{} {}".format(IPA_CA_NICKNAME, entry['ipacaid'][0]) -criteria = { -'cert-database': paths.PKI_TOMCAT_ALIAS_DIR, -'cert-nickname': nickname, -'ca-name': RENEWAL_CA_NAME, -} -request_id = certmonger.get_request_id(criteria) -if request_id is None: -try: -certmonger.dogtag_start_tracking( -secdir=paths.PKI_TOMCAT_ALIAS_DIR, -pin=certmonger.get_pin('internal'), -pinfile=None, -nickname=nickname, -ca=RENEWAL_CA_NAME, -pre_command='stop_pkicad', -post_command='renew_ca_cert "%s"' % nickname, -) -request_id = certmonger.get_request_id(criteria) -certmonger.modify(request_id, profile='ipaCACertRenewal') -self.log.debug( -'Lightweight CA renewal: ' -'added tracking request for "%s"', nickname) -except RuntimeError as e: -self.log.error( -'Lightweight CA renewal: Certmonger failed to ' -'start tracking certificate: %s', e) -else: -self.log.debug( -'Lightweight CA renewal: ' -'already tracking certificate "%s"', nickname) - def update_file(self, filename, certs, mode=0o444): certs = (c[0] for c in certs if c[2] is not False) try: diff --git a/ipalib/constants.py b/ipalib/constants.py index 0574bb3aa457dd79a6d64f6b8a6b57161d32da92..d5b918c49d695c5a15bee576d88902700743e263 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py 
@@ -273,3 +273,5 @@ CA_SUFFIX_NAME = 'ca' PKI_GSSAPI_SERVICE_NAME = 'dogtag' IPA_CA_CN = u'ipa' IPA_CA_RECORD = "ipa-ca" +IPA_CA_NICKNAME = 'caSigningCert cert-pki-ca' +RENEWAL_CA_NAME = 'dogtag-ipa-ca-renew-agent' diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 2ec02d6628ebc9e3a9bad141ec636c84eab14cef..7c2f1e1a29a201ff53555e76a2d5aa8
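Review bot: the `if IPA_CA_CN not in ca_obj['cn']` filter is dropped in the `@@ -85,11 +82,8 @@` hunk of ipaclient/ipa_certupdate.py, so `lwcas` now also carries the entry for the top-level IPA CA, and nothing in the visible part of this patch re-applies that filter (the ipaserver/install/cainstance.py diff is cut off on this page). `add_lightweight_ca_tracking_requests` therefore has to skip that entry itself, otherwise the `"{} {}".format(IPA_CA_NICKNAME, entry['ipacaid'][0])` nickname scheme from the removed code would be applied to the main CA as well. The old comment also said this ran on the renewal master only; if that still holds, keep that statement next to the new call.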
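Review bot: in the `@@ -98,8 +92,12 @@` hunk of ipaclient/ipa_certupdate.py, `except Exception as e:` binds `e` but never uses it, since `self.log.exception(...)` already records the traceback; drop the `as e` to keep pylint quiet. The broad `except Exception` also swallows an ImportError from the in-function `from ipaserver.install import cainstance`, which is only acceptable because the whole block sits under `if server_fstore.has_files():`; a one-line comment saying the import is deliberately deferred so that ipa-certupdate keeps working on clients without ipaserver would spare the next reader that reasoning.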
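Review bot: the `@@ -163,39 +161,6 @@` hunk removes `server_track_lightweight_ca`, which carried two behaviours that are easy to lose in a move: the `certmonger.modify(request_id, profile='ipaCACertRenewal')` call after `dogtag_start_tracking`, and the idempotency check through `certmonger.get_request_id(criteria)` that logs 'already tracking' instead of adding a second request. Since the cainstance.py side of this patch is truncated here, please confirm both survive in `add_lightweight_ca_tracking_requests`, because the new caller in ipa-certupdate and the replica installer will now both invoke it for the same certificates.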
[Freeipa-devel] [freeipa PR#11] Removed unwanted line break from RefererError Dialog message (opened)
Akasurde's pull request #11: "Removed unwanted line break from RefererError Dialog message" was opened

PR body:
Fixes: https://fedorahosted.org/freeipa/ticket/5932
Signed-off-by: Abhijeet Kasurde

See the full pull-request at https://github.com/freeipa/freeipa/pull/11

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0004-0012] Automatic CSR generation
On 08/16/2016 03:04 PM, Martin Kosek wrote:
> On 08/16/2016 08:12 PM, Alexander Bokovoy wrote:
>> On Tue, 16 Aug 2016, Ben Lipton wrote:
>>> On 08/10/2016 08:52 AM, Ben Lipton wrote:
>>>> The pull request at https://github.com/LiptonB/freeipa/pull/4/commits has been brought up to date (with a force push), and also includes 3 more patches, described below. The patchset is also attached. To make sure that everything applies, I just regenerated the whole set, though there may not be meaningful changes.
>>>
>>> After a discussion about how to address some of the concerns that have been voiced about this project, there have been some changes to the project direction. So, I wanted to provide an update about what the plans are. If you have objections or feel that I'm not representing it correctly, please let me know.
>>>
>>> Since we have yet to see all the ways people will want to use this feature, the immediate goal is to provide something that we can iterate on. To make this easier, we will avoid storing rule data on the server or modifying the server schema, as those changes would need to be supported long term/handled correctly on update. I plan to approach this as follows:
>>>
>>> - Separate the provider of mapping rules into a separate component from the generation of a config based on those rules
>>> - Build an alternative rule provider that reads local files rather than querying IPA
>>> - Move the implementation of CSR config formatting from the server API into a library (where should this go? ipalib? ipapython?), and then provide a client-side command that builds a config using the library.
>>
>> Up to you -- ipapython is traditionally used for very basic dependencies when nothing is configured and is used by both installers and the framework, ipalib -- for common code in the framework itself.
>>
>>> - Templates for at least two profiles ("user" profile with CN=, subject and email address SAN, "service" profile with CN=, subject and DNS SAN) will be provided. Users will be able to build custom profiles by putting files in the appropriate directories on their client machines (but we will not guarantee backward compatibility for the format of these files).
>>> - If we decide to move forward with storing rules on the server, the library call can be referenced from the server code, using the rule provider that pulls rules from the API. However, at that point we may also go in the direction of making automatic cert generation fully the responsibility of Dogtag, and keep the CSR-generation approach client-side only.
>>>
>>> Comments welcome! Unless the changes are more complex than I anticipate, I hope to have a prototype of this approach for review by the end of this week.
>>
>> The summary above looks fine.
>
> +1, this looks good to me too. Thanks Ben, good job!
>
> Martin

It took a little longer than I expected, but the client-side implementation is now available for review at https://github.com/freeipa/freeipa/pull/10. Please take a look when you get a chance.

Thanks!
Ben
[Freeipa-devel] [freeipa PR#10] Client-side CSR autogeneration (opened)
LiptonB's pull request #10: "Client-side CSR autogeneration" was opened

PR body:
Adds a library that builds scripts that build CSRs. Adds a CLI command, 'cert-get-requestdata', that uses this library and builds the script for a given principal. Adds rules for the caIPAserviceCert profile, as well as a new userCert profile, stored in json files in /usr/share/ipa/csr. The rule provider is a separate class so that it can be replaced easily if we ever want to move rules to the server side.

See the full pull-request at https://github.com/freeipa/freeipa/pull/10
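The rule-provider/config-builder split that Ben's plan and the PR #10 body describe, as an added example that is not FreeIPA's code and does not reproduce what PR #10 implements: a provider that loads per-profile rules from local JSON files (the /usr/share/ipa/csr idea from the PR body) and a builder that renders them, together with a principal's attributes, into an OpenSSL req config for the "user" (CN plus email SAN) and "service" (CN plus DNS SAN) profile shapes Ben lists. The JSON layout, the class and function names, the attribute names and the value check are assumptions of this example; the check is there because attribute values are interpolated into a config file.

```python
"""Client-side CSR config generation, split into a rule provider and a builder."""
import json
import os
import re
import tempfile

# Constructed rule files, one per profile (a real provider would read them
# from a directory such as /usr/share/ipa/csr). Each rule names the principal
# attribute it reads and where that value goes in the CSR. The layout is an
# assumption of this example, not the format used by FreeIPA.
RULE_FILES = {
    "userCert": json.dumps({
        "subject": [{"field": "CN", "attr": "uid"}],
        "san": [{"type": "email", "attr": "mail"}],
    }),
    "caIPAserviceCert": json.dumps({
        "subject": [{"field": "CN", "attr": "hostname"}],
        "san": [{"type": "DNS", "attr": "hostname"}],
    }),
}

# Attribute values are interpolated into an OpenSSL config file, so a value
# containing a newline or '[' could smuggle in extra directives or a section.
# Only a conservative character set is accepted; \Z rather than $ is used so
# that a value with a trailing newline is rejected as well.
_SAFE_VALUE = re.compile(r"[A-Za-z0-9._@-]+\Z")


class LocalFileRuleProvider(object):
    """Hypothetical rule provider that reads <rule_dir>/<profile>.json."""

    def __init__(self, rule_dir):
        self.rule_dir = rule_dir

    def rules_for(self, profile):
        path = os.path.join(self.rule_dir, profile + ".json")
        with open(path) as f:
            return json.load(f)


class CSRConfigBuilder(object):
    """Renders rules plus principal attributes into an OpenSSL req config."""

    def __init__(self, provider):
        self.provider = provider

    @staticmethod
    def _value(principal, attr):
        value = principal.get(attr)
        if not value:
            raise ValueError("principal has no value for %r" % attr)
        if not _SAFE_VALUE.match(value):
            raise ValueError("refusing unsafe value for %r: %r" % (attr, value))
        return value

    def build(self, profile, principal):
        rules = self.provider.rules_for(profile)
        subject = ["%s = %s" % (r["field"], self._value(principal, r["attr"]))
                   for r in rules["subject"]]
        san = ["%s:%s" % (r["type"], self._value(principal, r["attr"]))
               for r in rules["san"]]
        lines = ["[ req ]", "prompt = no", "distinguished_name = dn",
                 "req_extensions = exts", "", "[ dn ]"]
        lines += subject
        lines += ["", "[ exts ]", "subjectAltName = " + ", ".join(san), ""]
        return "\n".join(lines)


def write_rule_dir():
    """Writes the constructed rule files to a temp dir and returns its path."""
    rule_dir = tempfile.mkdtemp()
    for profile, text in RULE_FILES.items():
        with open(os.path.join(rule_dir, profile + ".json"), "w") as f:
            f.write(text)
    return rule_dir


def build_config(profile, principal):
    """Builds the req config for one principal via the local-file provider."""
    builder = CSRConfigBuilder(LocalFileRuleProvider(write_rule_dir()))
    return builder.build(profile, principal)


if __name__ == "__main__":
    print(build_config("caIPAserviceCert", {"hostname": "host.example.test"}))
```

The resulting text can be fed to `openssl req -new -config <file>`; a profile file that a user drops into the rule directory is picked up by name without any change to the builder.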
[Freeipa-devel] [freeipa PR#4] Fix man page ipa-replica-manage: remove duplicate -c option from --no-lookup (closed)
pspacek's pull request #4: "Fix man page ipa-replica-manage: remove duplicate -c option from --no-lookup" was closed

See the full pull-request at https://github.com/freeipa/freeipa/pull/4
[Freeipa-devel] [freeipa PR#4] Fix man page ipa-replica-manage: remove duplicate -c option from --no-lookup (label change)
pspacek's pull request #4: "Fix man page ipa-replica-manage: remove duplicate -c option from --no-lookup" label *pushed* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/4
[Freeipa-devel] [freeipa PR#4] Fix man page ipa-replica-manage: remove duplicate -c option from --no-lookup (comment)
mbasti-rh commented on a pull request

Fixed upstream master: https://fedorahosted.org/freeipa/changeset/1142c3a28079316e2946ef008ad52e7e4cf89863

See the full comment at https://github.com/freeipa/freeipa/pull/4#issuecomment-241483260
[Freeipa-devel] [freeipa PR#4] Fix man page ipa-replica-manage: remove duplicate -c option from --no-lookup (label change)
pspacek's pull request #4: "Fix man page ipa-replica-manage: remove duplicate -c option from --no-lookup" label *ack* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/4
Re: [Freeipa-devel] [PATCH] 0003 Validate key in otptoken-add
I've attached the updated patch. Hopefully I didn't forget anything else this time.

On 08/22/2016 05:48 PM, Martin Basti wrote:
> On 22.08.2016 10:22, Tomas Krizek wrote:
>> Seems like a good idea, I'm attaching the updated patch. Autofill does work when the param is required.
>>
>> On 08/19/2016 04:19 PM, Martin Basti wrote:
>>> On 16.08.2016 17:35, Tomas Krizek wrote:
>>>> Hi,
>>>>
>>>> the attached patch fixes an error message when user provides an empty key while adding otp token.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/6200
>>>
>>> I'm curious why we don't fix it here:
>>>
>>>     OTPTokenKey('ipatokenotpkey?',
>>>         cli_name='key',
>>>         label=_('Key'),
>>>         doc=_('Token secret (Base32; default: random)'),
>>>         default_from=lambda: os.urandom(KEY_LENGTH),
>>>         autofill=True,
>>>         flags=('no_display', 'no_update', 'no_search'),
>>>     ),
>>>
>>> If OTPTokenKey is mandatory, it should be required param (autofill should work in this case too)
>>>
>>> Martin^2
>>
>> --
>> Tomas Krizek
>
> You changed API, you must regenerate API.txt (./makeapi) and increment minor version in VERSION file
>
> Option 'ipatokenotpkey?' in command 'otptoken_add/1' in API file not found
> Options count in otptoken_add of 22 doesn't match expected: 23
> Option ipatokenotpkey of command otptoken_add in ipalib, not in API file:
> OTPTokenKey('ipatokenotpkey', autofill=True, cli_name='key')
>
> Martin^2

--
Tomas Krizek

From 5a0e3586a8fd3b31ad8fa2ce092e01e9b36154fc Mon Sep 17 00:00:00 2001
From: Tomas Krizek
Date: Mon, 22 Aug 2016 19:04:21 +0200
Subject: [PATCH] Validate key in otptoken-add

Make the OTP token key mandatory and show an appropriate error message if the user enters an empty key.

https://fedorahosted.org/freeipa/ticket/6200
---
 API.txt | 2 +-
 VERSION | 4 ++--
 ipaserver/plugins/otptoken.py | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/API.txt b/API.txt index 5b83bfbd0b457b77e0522ab7d83abfae4df3ebe9..3039832d3b250b5e29b8b932763ef17a479cbd5a 100644 --- a/API.txt +++ b/API.txt 
@@ -3271,7 +3271,7 @@ option: DateTime('ipatokennotafter?', cli_name='not_after') option: DateTime('ipatokennotbefore?', cli_name='not_before') option: StrEnum('ipatokenotpalgorithm?', autofill=True, cli_name='algo', default=u'sha1', values=[u'sha1', u'sha256', u'sha384', u'sha512']) option: IntEnum('ipatokenotpdigits?', autofill=True, cli_name='digits', default=6, values=[6, 8]) -option: OTPTokenKey('ipatokenotpkey?', autofill=True, cli_name='key') +option: OTPTokenKey('ipatokenotpkey', autofill=True, cli_name='key') option: Str('ipatokenowner?', cli_name='owner') option: Str('ipatokenserial?', cli_name='serial') option: Int('ipatokentotpclockoffset?', autofill=True, cli_name='offset', default=0) diff --git a/VERSION b/VERSION index a8b89ed305bcfdf2990a7400d005a68d734fa7e8..9473c820ed7b776a3fda1378f160d2e27f31c3ee 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=2010061412 # # IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=212 -# Last change: ab: service: add flag to allow S4U2Self +IPA_API_VERSION_MINOR=213 +# Last change: tkrizek: ipatokenotpkey: set as required diff --git a/ipaserver/plugins/otptoken.py b/ipaserver/plugins/otptoken.py index 39012e2f9106c33c520e19f14331fc440333015a..15b25e07a905257f016de68a3d9e182447699d0e 100644 --- a/ipaserver/plugins/otptoken.py +++ b/ipaserver/plugins/otptoken.py @@ -208,7 +208,7 @@ class otptoken(LDAPObject): label=_('Serial'), doc=_('Token serial (informational only)'), ), -OTPTokenKey('ipatokenotpkey?', +OTPTokenKey('ipatokenotpkey', cli_name='key', label=_('Key'), doc=_('Token secret (Base32; default: random)'), -- 2.7.4
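Review bot: the ipaserver/plugins/otptoken.py hunk (`@@ -208,7 +208,7 @@`) only drops the `?` from `'ipatokenotpkey?'` while the parameter keeps `autofill=True` and `default_from=lambda: os.urandom(KEY_LENGTH)`, and Martin's follow-up in this thread shows `ipa otptoken-add --key='ORSXG5DFON2AU==='` then failing with `--key option does not take a value`; before this is pushed, check how the CLI builds the option parser for a required parameter of this type, and add a CLI test that passes `--key` with an explicit value alongside one that omits it and expects the random default. The API.txt hunk and the VERSION hunk (minor bumped to 213, `# Last change` updated) are consistent with the otptoken.py change.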
Re: [Freeipa-devel] [PATCH] 0003 Validate key in otptoken-add
On 22.08.2016 17:48, Martin Basti wrote:
> On 22.08.2016 10:22, Tomas Krizek wrote:
>> Seems like a good idea, I'm attaching the updated patch. Autofill does work when the param is required.
>>
>> On 08/19/2016 04:19 PM, Martin Basti wrote:
>>> On 16.08.2016 17:35, Tomas Krizek wrote:
>>>> Hi,
>>>>
>>>> the attached patch fixes an error message when user provides an empty key while adding otp token.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/6200
>>>
>>> I'm curious why we don't fix it here:
>>>
>>>     OTPTokenKey('ipatokenotpkey?',
>>>         cli_name='key',
>>>         label=_('Key'),
>>>         doc=_('Token secret (Base32; default: random)'),
>>>         default_from=lambda: os.urandom(KEY_LENGTH),
>>>         autofill=True,
>>>         flags=('no_display', 'no_update', 'no_search'),
>>>     ),
>>>
>>> If OTPTokenKey is mandatory, it should be required param (autofill should work in this case too)
>>>
>>> Martin^2
>>
>> --
>> Tomas Krizek
>
> You changed API, you must regenerate API.txt (./makeapi) and increment minor version in VERSION file
>
> Option 'ipatokenotpkey?' in command 'otptoken_add/1' in API file not found
> Options count in otptoken_add of 22 doesn't match expected: 23
> Option ipatokenotpkey of command otptoken_add in ipalib, not in API file:
> OTPTokenKey('ipatokenotpkey', autofill=True, cli_name='key')
>
> Martin^2

[root@vm-058-107 ~]# ipa otptoken-add --key='ORSXG5DFON2AU==='
Usage: ipa [global-options] otptoken-add [ID] [options]

ipa: error: --key option does not take a value

Well, patch doesn't work for me. Honza may know if this is expected behavior of framework or just params bug.

Martin^2
[Freeipa-devel] [freeipa PR#9] ipa-4-3: add python-libsss_nss_idmap and python-sss to BuildRequires (comment)
mbasti-rh commented on a pull request

Fixed upstream ipa-4-3: https://fedorahosted.org/freeipa/changeset/b0e43d5ec879fc56c38328cd9f01b04d8b6a870d

See the full comment at https://github.com/freeipa/freeipa/pull/9#issuecomment-241477746
[Freeipa-devel] [freeipa PR#9] ipa-4-3: add python-libsss_nss_idmap and python-sss to BuildRequires (closed)
martbab's pull request #9: "ipa-4-3: add python-libsss_nss_idmap and python-sss to BuildRequires" was closed

See the full pull-request at https://github.com/freeipa/freeipa/pull/9
[Freeipa-devel] [freeipa PR#9] ipa-4-3: add python-libsss_nss_idmap and python-sss to BuildRequires (label change)
martbab's pull request #9: "ipa-4-3: add python-libsss_nss_idmap and python-sss to BuildRequires" label *pushed* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/9
[Freeipa-devel] [freeipa PR#8] add python-libsss_nss_idmap and python-sss to BuildRequires (closed)
martbab's pull request #8: "add python-libsss_nss_idmap and python-sss to BuildRequires" was closed

See the full pull-request at https://github.com/freeipa/freeipa/pull/8
[Freeipa-devel] [freeipa PR#8] add python-libsss_nss_idmap and python-sss to BuildRequires (label change)
martbab's pull request #8: "add python-libsss_nss_idmap and python-sss to BuildRequires" label *pushed* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/8
[Freeipa-devel] [freeipa PR#8] add python-libsss_nss_idmap and python-sss to BuildRequires (comment)
martbab commented on a pull request

Fixed upstream master: https://fedorahosted.org/freeipa/changeset/a4f4cac993afa1c0bd1585d14a26d4ce1f729b95

See the full comment at https://github.com/freeipa/freeipa/pull/8#issuecomment-241477680
[Freeipa-devel] [freeipa PR#9] ipa-4-3: add python-libsss_nss_idmap and python-sss to BuildRequires (label change)
martbab's pull request #9: "ipa-4-3: add python-libsss_nss_idmap and python-sss to BuildRequires" label *ack* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/9
[Freeipa-devel] [freeipa PR#9] ipa-4-3: add python-libsss_nss_idmap and python-sss to BuildRequires (comment)
abbra commented on a pull request

The backport is OK too.

See the full comment at https://github.com/freeipa/freeipa/pull/9#issuecomment-241476574
[Freeipa-devel] [freeipa PR#9] ipa-4-3: add python-libsss_nss_idmap and python-sss to BuildRequires (opened)
martbab's pull request #9: "ipa-4-3: add python-libsss_nss_idmap and python-sss to BuildRequires" was opened

PR body:
This fixes pylint failing on import errors during 'lint' phase of build.

https://fedorahosted.org/freeipa/ticket/6244

See the full pull-request at https://github.com/freeipa/freeipa/pull/9
[Freeipa-devel] [freeipa PR#8] add python-libsss_nss_idmap and python-sss to BuildRequires (comment)
abbra commented on a pull request

Looks good to me.

See the full comment at https://github.com/freeipa/freeipa/pull/8#issuecomment-241474126
[Freeipa-devel] [freeipa PR#8] add python-libsss_nss_idmap and python-sss to BuildRequires (label change)
martbab's pull request #8: "add python-libsss_nss_idmap and python-sss to BuildRequires" label *ack* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/8
[Freeipa-devel] [freeipa PR#8] add python-libsss_nss_idmap and python-sss to BuildRequires (opened)
martbab's pull request #8: "add python-libsss_nss_idmap and python-sss to BuildRequires" was opened

PR body:
This fixes pylint failing on import errors during 'lint' phase of build.

https://fedorahosted.org/freeipa/ticket/6244

See the full pull-request at https://github.com/freeipa/freeipa/pull/8
[Freeipa-devel] [freeipa PR#5] migrate-ds: Mention --enable-migration in error message about migraion mode (label change)
pspacek's pull request #5: "migrate-ds: Mention --enable-migration in error message about migraion mode" label *pushed* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/5
[Freeipa-devel] [freeipa PR#5] migrate-ds: Mention --enable-migration in error message about migraion mode (comment)
mbasti-rh commented on a pull request

Fixed upstream master: https://fedorahosted.org/freeipa/changeset/0f4df2f03df09ebced37ff0dd49d489782b85d73

See the full comment at https://github.com/freeipa/freeipa/pull/5#issuecomment-241460779
[Freeipa-devel] [freeipa PR#5] migrate-ds: Mention --enable-migration in error message about migraion mode (closed)
pspacek's pull request #5: "migrate-ds: Mention --enable-migration in error message about migraion mode" was closed

See the full pull-request at https://github.com/freeipa/freeipa/pull/5
[Freeipa-devel] [freeipa PR#7] config-mod: normalize attribute names for --usersearch/--groupsearch (comment)
mbasti-rh commented on a pull request

Fixed upstream master: https://fedorahosted.org/freeipa/changeset/3ac2709f4b026e7c7153777f7472c383fe99a175

See the full comment at https://github.com/freeipa/freeipa/pull/7#issuecomment-241458780
[Freeipa-devel] [freeipa PR#7] config-mod: normalize attribute names for --usersearch/--groupsearch (label change)
pspacek's pull request #7: "config-mod: normalize attribute names for --usersearch/--groupsearch" label *pushed* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/7
[Freeipa-devel] [freeipa PR#7] config-mod: normalize attribute names for --usersearch/--groupsearch (closed)
pspacek's pull request #7: "config-mod: normalize attribute names for --usersearch/--groupsearch" was closed

See the full pull-request at https://github.com/freeipa/freeipa/pull/7
Re: [Freeipa-devel] [PATCH] 0003 Validate key in otptoken-add
On 22.08.2016 10:22, Tomas Krizek wrote:
> Seems like a good idea, I'm attaching the updated patch. Autofill does work when the param is required.
>
> On 08/19/2016 04:19 PM, Martin Basti wrote:
>> On 16.08.2016 17:35, Tomas Krizek wrote:
>>> Hi,
>>>
>>> the attached patch fixes an error message when user provides an empty key while adding otp token.
>>>
>>> https://fedorahosted.org/freeipa/ticket/6200
>>
>> I'm curious why we don't fix it here:
>>
>>     OTPTokenKey('ipatokenotpkey?',
>>         cli_name='key',
>>         label=_('Key'),
>>         doc=_('Token secret (Base32; default: random)'),
>>         default_from=lambda: os.urandom(KEY_LENGTH),
>>         autofill=True,
>>         flags=('no_display', 'no_update', 'no_search'),
>>     ),
>>
>> If OTPTokenKey is mandatory, it should be required param (autofill should work in this case too)
>>
>> Martin^2
>
> --
> Tomas Krizek

You changed API, you must regenerate API.txt (./makeapi) and increment minor version in VERSION file

Option 'ipatokenotpkey?' in command 'otptoken_add/1' in API file not found
Options count in otptoken_add of 22 doesn't match expected: 23
Option ipatokenotpkey of command otptoken_add in ipalib, not in API file:
OTPTokenKey('ipatokenotpkey', autofill=True, cli_name='key')

Martin^2
Re: [Freeipa-devel] [Patch 0019] Corrected minor spell check in AD Trust information doc messages
On 22.08.2016 17:05, Abhijeet Kasurde wrote:
> Hi All,
>
> On 08/22/2016 05:47 PM, Martin Basti wrote:
>> On 22.08.2016 14:07, Alexander Bokovoy wrote:
>>> On Mon, 22 Aug 2016, Abhijeet Kasurde wrote:
>>>> Hi All,
>>>>
>>>> Please find the patch attached. It's a minor spelling correction so, I have not created ticket for this.
>>>
>>> ACK.
>>
>> Please don't update .pot files, we are doing it before release automatically using Zanata.
>
> Please find updated patch.
>
> Thanks

master:
* c9419411c95baa67a5bf61fad0adc239e289e4dc Corrected minor spell check in AD Trust information doc messages
Re: [Freeipa-devel] [Patch 0019] Corrected minor spell check in AD Trust information doc messages
Hi All,

On 08/22/2016 05:47 PM, Martin Basti wrote:
> On 22.08.2016 14:07, Alexander Bokovoy wrote:
>> On Mon, 22 Aug 2016, Abhijeet Kasurde wrote:
>>> Hi All,
>>>
>>> Please find the patch attached. It's a minor spelling correction so, I have not created ticket for this.
>>
>> ACK.
>
> Please don't update .pot files, we are doing it before release automatically using Zanata.

Please find updated patch.

--
Thanks,
Abhijeet Kasurde
IRC: akasurde
http://akasurde.github.io

From 7b2165b6cd903d82399ac3e8e7966431e8f41824 Mon Sep 17 00:00:00 2001
From: Abhijeet Kasurde
Date: Mon, 22 Aug 2016 17:25:06 +0530
Subject: [PATCH] Corrected minor spell check in AD Trust information doc messages

Signed-off-by: Abhijeet Kasurde
---
 install/tools/ipa-adtrust-install | 2 +-
 ipaclient/remote_plugins/2_114/trust.py | 2 +-
 ipaclient/remote_plugins/2_156/trust.py | 2 +-
 ipaclient/remote_plugins/2_164/trust.py | 2 +-
 ipaserver/plugins/trust.py | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install index ca09ca97b1c0c159a1ed3bfb048f879f51e4275d..170b110b0084e6368201e3ff2bafe7714818a0cf 100755 --- a/install/tools/ipa-adtrust-install +++ b/install/tools/ipa-adtrust-install @@ -448,7 +448,7 @@ def main(): print("") print("WARNING: %d IPA masters are not yet able to serve information about users from trusted forests." \ % (object_count)) -print("Installer can add them to the list of IPA masters allowed to access infromation about trusts.") +print("Installer can add them to the list of IPA masters allowed to access information about trusts.") print("If you choose to do so, you also need to restart LDAP service on those masters.") print("Refer to ipa-adtrust-install(1) man page for details.") print("") diff --git a/ipaclient/remote_plugins/2_114/trust.py b/ipaclient/remote_plugins/2_114/trust.py index 1976f4a25a4c9868abb246d2569736ebdf100ab1..69226663a0310ffb88f474969331403e20399486 100644 --- a/ipaclient/remote_plugins/2_114/trust.py 
+++ b/ipaclient/remote_plugins/2_114/trust.py @@ -936,7 +936,7 @@ class trustdomain_add(Method): @register() class trustdomain_del(Method): -__doc__ = _("Remove infromation about the domain associated with the trust.") +__doc__ = _("Remove information about the domain associated with the trust.") takes_args = ( parameters.Str( diff --git a/ipaclient/remote_plugins/2_156/trust.py b/ipaclient/remote_plugins/2_156/trust.py index 369ffcd181a60b373aadc4bd0314423af76f2f53..39a56383140622faa3f6ea4d64654f5710413791 100644 --- a/ipaclient/remote_plugins/2_156/trust.py +++ b/ipaclient/remote_plugins/2_156/trust.py @@ -950,7 +950,7 @@ class trustdomain_add(Method): @register() class trustdomain_del(Method): -__doc__ = _("Remove infromation about the domain associated with the trust.") +__doc__ = _("Remove information about the domain associated with the trust.") takes_args = ( parameters.Str( diff --git a/ipaclient/remote_plugins/2_164/trust.py b/ipaclient/remote_plugins/2_164/trust.py index 369ffcd181a60b373aadc4bd0314423af76f2f53..39a56383140622faa3f6ea4d64654f5710413791 100644 --- a/ipaclient/remote_plugins/2_164/trust.py +++ b/ipaclient/remote_plugins/2_164/trust.py @@ -950,7 +950,7 @@ class trustdomain_add(Method): @register() class trustdomain_del(Method): -__doc__ = _("Remove infromation about the domain associated with the trust.") +__doc__ = _("Remove information about the domain associated with the trust.") takes_args = ( parameters.Str( diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py index b9d9b122a90de62946307b99b44932129eb611e8..26f85c26f17dc5c987ee66c9c40cac1c80cf2212 100644 --- a/ipaserver/plugins/trust.py +++ b/ipaserver/plugins/trust.py 
@@ -1602,7 +1602,7 @@ class trustdomain_add(LDAPCreate): @register() class trustdomain_del(LDAPDelete): -__doc__ = _('Remove infromation about the domain associated with the trust.') +__doc__ = _('Remove information about the domain associated with the trust.') msg_summary = _('Removed information about the trusted domain "%(value)s"') -- 2.5.5
Re: [Freeipa-devel] certmonger "failed to verify signature on server response" after receiving valid certificate
Marx, Peter wrote:

I'm testing with certmonger 0.78.6 (patched for the GETCACertChain bug) against two EJBCA servers. For verification I use a second SCEP client called jSCEP. I started certmonger in debug mode with "/usr/libexec/certmonger/certmonger-session -n -d 15". The CA file in /root/.config/certmonger/cas looks like this:

id=Test_Sweden
ca_aka=SCEP (certmonger 0.78.6)
ca_is_default=0
ca_type=EXTERNAL
ca_external_helper=/usr/libexec/certmonger/scep-submit -u http://ejbca-test2.primekey.se:8080/ejbca/publicweb/apply/scep/mxratest/pkiclient.exe -i "mx_kd3"
ca_capabilities=POSTPKIOperation,Renewal,SHA-1
scep_ca_identifier=iCOM Kunde1 Schweden
ca_encryption_cert=-BEGIN CERTIFICATE- -END CERTIFICATE-
ca_encryption_issuer_cert=-BEGIN CERTIFICATE- -END CERTIFICATE-

It looks to me that certmonger can't verify the signature of the returned PKCS#7 data.

I'd double check the value of ca_encryption_issuer_cert.

rob

Issuing the request "getcert request -c Test_Sweden -v -d /tmp/nssdb -g 2048 -I husky201 -p /tmp/pwd.txt -n husky201 -L abcd -N CN='husky201' -s" gives this log: [...]
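Rob's hint is to double-check ca_encryption_issuer_cert. The following is an added example (my code, not certmonger's or FreeIPA's) of the check a practitioner would run on the two PEM blobs from the CA entry: does the configured issuer certificate carry the issuer name and, more importantly, the key that actually signed the encryption certificate? It assumes python-cryptography is installed and that both certificates use RSA keys, as the request in this thread does. The three certificates are generated in-process as constructed samples, including a look-alike CA with the same subject name but a different key, which a name comparison alone would wrongly accept.

```python
"""Added example: verify that a certmonger CA entry's ca_encryption_cert was
really signed by its ca_encryption_issuer_cert.

Assumptions (not from the thread): the `cryptography` package is installed and
both certificates use RSA keys.  All certificates below are constructed
in-process so that the script runs offline.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def issued_by(cert_pem, issuer_pem):
    """Return True only if issuer_pem is the certificate that signed cert_pem.

    A matching issuer name is necessary but not sufficient: a different CA
    that happens to carry the same subject DN fails the signature check.
    """
    cert = x509.load_pem_x509_certificate(cert_pem, default_backend())
    issuer = x509.load_pem_x509_certificate(issuer_pem, default_backend())
    if cert.issuer != issuer.subject:
        return False
    try:
        # RSA PKCS#1 v1.5 over the TBSCertificate, using the hash named in
        # the certificate itself (SHA-1 for the CA in this thread).
        issuer.public_key().verify(
            cert.signature,
            cert.tbs_certificate_bytes,
            padding.PKCS1v15(),
            cert.signature_hash_algorithm,
        )
    except InvalidSignature:
        return False
    return True


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _make_cert(subject_cn, issuer_cn, issuer_key, subject_key, is_ca):
    """Build and sign a minimal X.509 certificate (constructed sample)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(_name(issuer_cn))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None),
                       critical=True)
    )
    return builder.sign(issuer_key, hashes.SHA256(), default_backend())


def _keygen():
    return rsa.generate_private_key(65537, 2048, default_backend())


def build_scenario():
    """Constructed PKI mirroring the CA entry: the real issuer, its encryption
    certificate, and a look-alike CA with the same subject but another key."""
    issuer_key, lookalike_key, enc_key = _keygen(), _keygen(), _keygen()
    issuer = _make_cert("SCEP Issuing CA", "SCEP Issuing CA",
                        issuer_key, issuer_key, True)
    lookalike = _make_cert("SCEP Issuing CA", "SCEP Issuing CA",
                           lookalike_key, lookalike_key, True)
    enc = _make_cert("SCEP Encryption Cert", "SCEP Issuing CA",
                     issuer_key, enc_key, False)

    def pem(cert):
        return cert.public_bytes(serialization.Encoding.PEM)

    return {
        "ca_encryption_cert": pem(enc),
        "ca_encryption_issuer_cert": pem(issuer),
        "lookalike_issuer_cert": pem(lookalike),
    }


if __name__ == "__main__":
    s = build_scenario()
    print("configured issuer signs encryption cert:",
          issued_by(s["ca_encryption_cert"], s["ca_encryption_issuer_cert"]))
    print("look-alike CA (same name, other key):   ",
          issued_by(s["ca_encryption_cert"], s["lookalike_issuer_cert"]))
```

To use it on a real CA entry, paste the two PEM blocks from the ca_encryption_cert and ca_encryption_issuer_cert values into `issued_by`; a False result with matching names means the issuer certificate in the entry is not the one whose key signed the encryption certificate, which is exactly the mismatch that makes a PKCS#7 signature check fail.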
[Freeipa-devel] [PATCH 0039][Tests] ID views tests do not recognize 'krbcanonicalname' attribute
Hi, ID views tests still do not recognize 'krbcanonicalname' attribute - fix attached. Lenka From 6610280a0bae7116c0d790ffa75b6f1a2208365a Mon Sep 17 00:00:00 2001 From: Lenka Doudova Date: Mon, 22 Aug 2016 15:41:01 +0200 Subject: [PATCH] Tests: ID views tests do not recognize krbcanonicalname attribute https://fedorahosted.org/freeipa/ticket/6242 --- ipatests/test_xmlrpc/test_idviews_plugin.py | 8 1 file changed, 8 insertions(+) diff --git a/ipatests/test_xmlrpc/test_idviews_plugin.py b/ipatests/test_xmlrpc/test_idviews_plugin.py index eeadc7ceca6c81afe5004898f67e0727f480efe3..591d002882dee75568baa6b39eeec476961a91e8 100644 --- a/ipatests/test_xmlrpc/test_idviews_plugin.py +++ b/ipatests/test_xmlrpc/test_idviews_plugin.py @@ -804,6 +804,8 @@ class test_idviews(Declarative): l=[u'Undisclosed location 1'], krbprincipalname=[ u'host/%s@%s' % (get_fqdn(host1), api.env.realm)], +krbcanonicalname=[ +u'host/%s@%s' % (get_fqdn(host1), api.env.realm)], objectclass=objectclasses.host, ipauniqueid=[fuzzy_uuid], managedby_host=[get_fqdn(host1)], @@ -832,6 +834,8 @@ class test_idviews(Declarative): l=[u'Undisclosed location 2'], krbprincipalname=[ u'host/%s@%s' % (get_fqdn(host2), api.env.realm)], +krbcanonicalname=[ +u'host/%s@%s' % (get_fqdn(host2), api.env.realm)], objectclass=objectclasses.host, ipauniqueid=[fuzzy_uuid], managedby_host=[get_fqdn(host2)], @@ -860,6 +864,8 @@ class test_idviews(Declarative): l=[u'Undisclosed location 3'], krbprincipalname=[ u'host/%s@%s' % (get_fqdn(host3), api.env.realm)], +krbcanonicalname=[ +u'host/%s@%s' % (get_fqdn(host3), api.env.realm)], objectclass=objectclasses.host, ipauniqueid=[fuzzy_uuid], managedby_host=[get_fqdn(host3)], 
@@ -1453,6 +1459,8 @@ class test_idviews(Declarative): l=[u'Undisclosed location 4'], krbprincipalname=[ u'host/%s@%s' % (get_fqdn(host4), api.env.realm)], +krbcanonicalname=[ +u'host/%s@%s' % (get_fqdn(host4), api.env.realm)], objectclass=objectclasses.host, ipauniqueid=[fuzzy_uuid], managedby_host=[get_fqdn(host4)], -- 2.7.4
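Review bot: the krbcanonicalname expectation added in each of the four hunks repeats the `u'host/%s@%s' % (get_fqdn(hostN), api.env.realm)` expression already used for krbprincipalname on the line above; binding it once per host (for example `host1_principal = u'host/%s@%s' % (get_fqdn(host1), api.env.realm)`) and using it for both keys keeps the canonical name and the principal name from drifting apart if either expected value is edited later. The values themselves are correct: a freshly added host has its canonical name equal to its only principal name.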
Re: [Freeipa-devel] [Patch 0019] Corrected minor spell check in AD Trust information doc messages
On 22.08.2016 14:07, Alexander Bokovoy wrote:

On Mon, 22 Aug 2016, Abhijeet Kasurde wrote:

Hi All,

Please find the patch attached. It's a minor spelling correction, so I have not created a ticket for this.

ACK. Please don't update .pot files, we are doing it before release automatically using Zanata.
Re: [Freeipa-devel] [PATCHES 0038][Tests] ID views does not recognize ipakrboktoauthasdelegate attribute
On 22.08.2016 14:06, Alexander Bokovoy wrote:

On Mon, 22 Aug 2016, Lenka Doudova wrote:

Hi, due to implementation of [1] some ID views tests fail because they do not recognize ipakrboktoauthasdelegate attribute. Providing fix for this.

Ticket: https://fedorahosted.org/freeipa/ticket/6241

ACK.

Pushed to master: 3d159c39c72ac43ae502f0cb978e534aa37f3b20
Re: [Freeipa-devel] [Patch 0019] Corrected minor spell check in AD Trust information doc messages
On Mon, 22 Aug 2016, Abhijeet Kasurde wrote:

Hi All,

Please find the patch attached. It's a minor spelling correction, so I have not created a ticket for this.

ACK.

-- / Alexander Bokovoy
Re: [Freeipa-devel] [PATCH 0215-0216] Child domain fixes for AD trust
On 08/19/2016 10:28 AM, Alexander Bokovoy wrote:

On Wed, 17 Aug 2016, Martin Babinsky wrote:

On 08/08/2016 01:27 PM, Alexander Bokovoy wrote:

Hi!

Attached two patches attempt to fix some of the issues we see with child domains.

SSSD only 'sees' users from child domains if there is an ID range for each of them. However, after refactoring of trust code when external trust was introduced, part of the range creation had wrong assumption that if a trusted domain exists, its range also exists. This is now fixed to try to create range even if the domain exists.

In fact, because the older code was not going to the range creation for trusted domains which already existed, adding ranges was done incorrectly: ID ranges use full domain name and don't need - hierarchy, but the code was passing both parent and the child names. As a result, an attempt to create an ID range for parent was done instead of the child. Parent ID range already existed so we never got to create child ID ranges at all in that case.

Finally, there is a fix in SSSD to properly generate CA paths so that libkrb5 can calculate correct trust path via forest root (parent) domain. While looking at that, I also decided to simplify logic in ipa-kdb driver because for cross-forest trust we never can transit to the child domain directly, we always have to use the forest root domain. However, old code could actually set an immediate domain's parent instead of the forest root for deep level trust relationship within the forest we trust. As we still cannot get to second level or beyond directly or via their actual parent domain, we always have to go through the forest root domain. The simplified code enforces this logic.

ACK, but patch 215 needs rebase for ipa-4-3 and ipa-4-2.

Rebased version attached.

Thanks, Pushed to:
master: a14ebbea895a20f5a68052e32ba65c4fd7fdf670
ipa-4-3: 775c868bacc01286eafc97e8126937d76ee53e1e
ipa-4-2: ac6248430ce3358e75e6eebf01db5b9dfc55cac0

-- Martin^3 Babinsky
Re: [Freeipa-devel] [PATCHES 0038][Tests] ID views does not recognize ipakrboktoauthasdelegate attribute
On Mon, 22 Aug 2016, Lenka Doudova wrote:

Hi, due to implementation of [1] some ID views tests fail because they do not recognize ipakrboktoauthasdelegate attribute. Providing fix for this.

Ticket: https://fedorahosted.org/freeipa/ticket/6241

ACK.

-- / Alexander Bokovoy
[Freeipa-devel] [Patch 0019] Corrected minor spell check in AD Trust information doc messages
Hi All,

Please find the patch attached. It's a minor spelling correction, so I have not created a ticket for this.

-- Thanks, Abhijeet Kasurde IRC: akasurde http://akasurde.github.io

From 7a1a129ab6a174cd2ea5920f93d0e819ec47f160 Mon Sep 17 00:00:00 2001 From: Abhijeet Kasurde Date: Mon, 22 Aug 2016 17:25:06 +0530 Subject: [PATCH] Corrected minor spell check in AD Trust information doc messages Signed-off-by: Abhijeet Kasurde --- install/po/ipa.pot | 2 +- install/tools/ipa-adtrust-install | 2 +- ipaclient/remote_plugins/2_114/trust.py | 2 +- ipaclient/remote_plugins/2_156/trust.py | 2 +- ipaclient/remote_plugins/2_164/trust.py | 2 +- ipaserver/plugins/trust.py | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/install/po/ipa.pot b/install/po/ipa.pot index 3284c0dc9aff49f227aeb26b003e30c01e9dc81e..96a957198cc98a6ea74bb19e861685fb9962fa91 100644 --- a/install/po/ipa.pot +++ b/install/po/ipa.pot @@ -16226,7 +16226,7 @@ msgid "Allow access from the trusted domain" msgstr "" #: ipaserver/plugins/trust.py:1590 -msgid "Remove infromation about the domain associated with the trust." +msgid "Remove information about the domain associated with the trust." msgstr "" #: ipaserver/plugins/trust.py:1592 diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install index ca09ca97b1c0c159a1ed3bfb048f879f51e4275d..170b110b0084e6368201e3ff2bafe7714818a0cf 100755 --- a/install/tools/ipa-adtrust-install +++ b/install/tools/ipa-adtrust-install 
@@ -448,7 +448,7 @@ def main(): print("") print("WARNING: %d IPA masters are not yet able to serve information about users from trusted forests." \ % (object_count)) -print("Installer can add them to the list of IPA masters allowed to access infromation about trusts.") +print("Installer can add them to the list of IPA masters allowed to access information about trusts.") print("If you choose to do so, you also need to restart LDAP service on those masters.") print("Refer to ipa-adtrust-install(1) man page for details.") print("") diff --git a/ipaclient/remote_plugins/2_114/trust.py b/ipaclient/remote_plugins/2_114/trust.py index 1976f4a25a4c9868abb246d2569736ebdf100ab1..69226663a0310ffb88f474969331403e20399486 100644 --- a/ipaclient/remote_plugins/2_114/trust.py +++ b/ipaclient/remote_plugins/2_114/trust.py @@ -936,7 +936,7 @@ class trustdomain_add(Method): @register() class trustdomain_del(Method): -__doc__ = _("Remove infromation about the domain associated with the trust.") +__doc__ = _("Remove information about the domain associated with the trust.") takes_args = ( parameters.Str( diff --git a/ipaclient/remote_plugins/2_156/trust.py b/ipaclient/remote_plugins/2_156/trust.py index 369ffcd181a60b373aadc4bd0314423af76f2f53..39a56383140622faa3f6ea4d64654f5710413791 100644 --- a/ipaclient/remote_plugins/2_156/trust.py +++ b/ipaclient/remote_plugins/2_156/trust.py @@ -950,7 +950,7 @@ class trustdomain_add(Method): @register() class trustdomain_del(Method): -__doc__ = _("Remove infromation about the domain associated with the trust.") +__doc__ = _("Remove information about the domain associated with the trust.") takes_args = ( parameters.Str( diff --git a/ipaclient/remote_plugins/2_164/trust.py b/ipaclient/remote_plugins/2_164/trust.py index 369ffcd181a60b373aadc4bd0314423af76f2f53..39a56383140622faa3f6ea4d64654f5710413791 100644 --- a/ipaclient/remote_plugins/2_164/trust.py +++ b/ipaclient/remote_plugins/2_164/trust.py 
@@ -950,7 +950,7 @@ class trustdomain_add(Method): @register() class trustdomain_del(Method): -__doc__ = _("Remove infromation about the domain associated with the trust.") +__doc__ = _("Remove information about the domain associated with the trust.") takes_args = ( parameters.Str( diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py index f2e0b1ee4b261ddc4f29477f46b7f4027af18892..cee82e9d5cfaec36115d1bdd4d30573320548385 100644 --- a/ipaserver/plugins/trust.py +++ b/ipaserver/plugins/trust.py @@ -1602,7 +1602,7 @@ class trustdomain_add(LDAPCreate): @register() class trustdomain_del(LDAPDelete): -__doc__ = _('Remove infromation about the domain associated with the trust.') +__doc__ = _('Remove information about the domain associated with the trust.') msg_summary = _('Removed information about the trusted domain "%(value)s"') -- 2.5.5
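Review bot: the install/po/ipa.pot hunk should be dropped from this patch; the reply in this thread states that the .pot file is regenerated automatically from the source strings before release (via Zanata), so hand-editing it only creates merge noise on a generated file, and the source fix in ipaserver/plugins/trust.py is what actually changes the string. The remaining hunks (ipa-adtrust-install and the three remote_plugins snapshots plus the server plugin) are consistent one-word corrections of "infromation" and are fine as they are.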
[Freeipa-devel] [freeipa PR#3] User add fix #6199 (synchronize)
mbasti-rh's pull request #3: "User add fix #6199" was synchronized

See the full pull-request at https://github.com/freeipa/freeipa/pull/3
[Freeipa-devel] [PATCHES 0038][Tests] ID views does not recognize ipakrboktoauthasdelegate attribute
Hi, due to implementation of [1] some ID views tests fail because they do not recognize ipakrboktoauthasdelegate attribute. Providing fix for this.

Ticket: https://fedorahosted.org/freeipa/ticket/6241

Lenka

[1] https://fedorahosted.org/freeipa/ticket/5764

From 8b4fb5f85f81bc1f414a4e95731ca0f763c2fe18 Mon Sep 17 00:00:00 2001 From: Lenka Doudova Date: Mon, 22 Aug 2016 13:39:32 +0200 Subject: [PATCH] Tests: ID views tests do not recognize ipakrboktoauthasdelegate attribute Due to implementation of [1], new attribute 'ipakrboktoauthasdelegate' was presented, but is not recognized by ID views tests, thus causing them to fail. [1] https://fedorahosted.org/freeipa/ticket/5764 https://fedorahosted.org/freeipa/ticket/6241 --- ipatests/test_xmlrpc/test_idviews_plugin.py | 7 +++ 1 file changed, 7 insertions(+) diff --git a/ipatests/test_xmlrpc/test_idviews_plugin.py b/ipatests/test_xmlrpc/test_idviews_plugin.py index 9cd44fe2f8263c14015001af6a79e10ff9801903..eeadc7ceca6c81afe5004898f67e0727f480efe3 100644 --- a/ipatests/test_xmlrpc/test_idviews_plugin.py +++ b/ipatests/test_xmlrpc/test_idviews_plugin.py @@ -1027,6 +1027,7 @@ class test_idviews(Declarative): objectclass=objectclasses.host, serverhostname=[host3], ipaassignedidview=[idview1], +ipakrboktoauthasdelegate=False, ), ), ), @@ -1056,6 +1057,7 @@ class test_idviews(Declarative): serverhostname=[host2], memberof_hostgroup=[hostgroup2], memberofindirect_hostgroup=[hostgroup1], +ipakrboktoauthasdelegate=False, ), ), ), @@ -1109,6 +,7 @@ class test_idviews(Declarative): memberof_hostgroup=[hostgroup2], memberofindirect_hostgroup=[hostgroup1], ipaassignedidview=[idview1], +ipakrboktoauthasdelegate=False, ), ), ), @@ -1138,6 +1141,7 @@ class test_idviews(Declarative): serverhostname=[host1], memberof_hostgroup=[hostgroup1], ipaassignedidview=[idview1], +ipakrboktoauthasdelegate=False, ), ), ), 
@@ -1210,6 +1214,7 @@ class test_idviews(Declarative): objectclass=objectclasses.host, serverhostname=[host1], memberof_hostgroup=[hostgroup1], +ipakrboktoauthasdelegate=False, ), ), ), @@ -1237,6 +1242,7 @@ class test_idviews(Declarative): managing_host=[get_fqdn(host3)], objectclass=objectclasses.host, serverhostname=[host3], +ipakrboktoauthasdelegate=False, ), ), ), @@ -1489,6 +1495,7 @@ class test_idviews(Declarative): managing_host=[get_fqdn(host4)], objectclass=objectclasses.host, serverhostname=[host4], +ipakrboktoauthasdelegate=False, ), ), ), -- 2.7.4
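Review bot: the third hunk header, `@@ -1109,6 +,7 @@`, is missing the new-file start line, so the patch as posted will not apply with git am; please regenerate it with git format-patch and resend. The seven added `ipakrboktoauthasdelegate=False` expectations themselves match the default the HostTracker patch in this digest sets for the same attribute, so no other change is needed.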
Re: [Freeipa-devel] invoking ipa-certupdate from within installer
On Mon, Aug 22, 2016 at 10:00:57AM +0200, Jan Cholasta wrote:
> Hi,
>
> On 22.8.2016 09:37, Fraser Tweedale wrote:
> > #6019 requires adding tracking requests for existing lightweight CAs as part of replica installation. ipa-certupdate has logic to do this.
> >
> > Before I go ahead and implement, there are a few approaches I want to mention and seek feedback from team members before I commit to one.
> >
> > 1. invoke ipa-certupdate as a subprocess, from CAInstance.configure_replica. This is the simplest approach. Not much else to say about it, really :)
> >
> > 2. invoke ipa-certupdate's main() from the installer. This is slightly more work because currently it would fail due to API already having been initialised.
> >
> > 3. extract all logic for adding tracking requests such that it can be invoked separately; then refactor ipa-certupdate to call it as well as calling it from CAInstance.configure_replica. This is the most work.
> >
> > I lean towards (1) or (3). If you wish it to be done a certain way say your piece.
>
> (4) Extract the relevant code from ipa-certupdate into a separate function and call it from CAInstance.configure_replica().
>
> I would not go with (1) or (2) because it does more than track the certs. I would also not go with (3) because it requires extensive changes not suitable for 4.4.
>
(4) is exactly what I meant in (3) - (I was too vague). (3/4) it is. Thanks for input.
Re: [Freeipa-devel] [PATCH] 0207, 0218-0219 Solving trust conflicts and external trust topology fixes
On 08/18/2016 05:13 PM, Martin Babinsky wrote:

On 08/18/2016 01:25 PM, Martin Babinsky wrote:

On 08/17/2016 01:20 PM, Alexander Bokovoy wrote:

On Wed, 17 Aug 2016, Martin Babinsky wrote:

Hi Alexander,

patch 207: LGTM, but I have a feeling that the patch should be linked to both #6021 and #6076 so that it is not lost during backports.

patch 218:

ipalib/errors.py:

1.) I'm not sure if TrustTopologyConflictError should inherit from InvocationError. The semantics of InvocationError implies that something was wrong when trying to invoke the command (a param failed to validate/convert, incorrect number of args, etc.), while this is more of an exception during command execution (no. and type of params was correct, command started to execute but encountered an error condition). Thus I think it should inherit from ExecutionError. CC'ing Jan for more thoughts on this.

Using ExecutionError would work to me too, as long as we display the error to a user.

Why is TrustTopologyConflictSolved listed among public errors? Since it is used only in dcerpc.py to restart trust establishment after resolving conflicts, it should be a private exception in dcerpc.py for this purpose.

I originally wanted to make it a warning -- i.e. if we fixed the conflict, return the result and show the warning that we did solve the conflict. After all, the code is modifying another trusted forest's topology on behalf of the user. I can move the error class to dcerpc.py

3.) Also please split the exception format string like this so that the line is not too long (there is not much we can do about doctest so leave that line as it is):

@@ -882,7 +882,8 @@ class TrustTopologyConflictError(InvocationError): """ errno = 3017 -format = _("Forest '%(forest)s' has existing trust to forest(s) %(domains)s which prevents a trust to '%(conflict)s'") +format = _("Forest '%(forest)s' has existing trust to forest(s) " + "%(domains)s which prevents a trust to '%(conflict)s'")

Do not worry about gettext, it can handle it just fine, there are plenty of examples in server plugins, for example.

Done.

ipaserver/dcerpc.py:

1.) I think that instead of returning result and raising TrustTopologyConflictError based on that, the 'clear_ftinfo_conflict' can raise this exception directly. You can have an empty list defined at the beginning instead of 'result list', append unresolvable conflicts to it and then at the end of the method check if it is non-empty and raise the exception.

Good suggestion, fixed.

2.)

+# In the code below: +# self -- the forest we establish trust to +# another_domain -- a forest that establishes trust to 'self' +# cinfo -- lsa_ForestTrustCollisionInfo structure that contain +# set of of lsa_ForestTrustCollisionRecord structures

I would add this directly into the method docstring:

""" ... :param self: the forest we establish trust to :param another_domain: a forest that establishes trust to 'self' :param cinfo: lsa_ForestTrustCollisionInfo structure that contain set of of lsa_ForestTrustCollisionRecord structures """

Added.

Additionally, the behavior specified in previous comment can be added using :raises: stanza:

""" :raises: errors.TrustTopologyConflictError if there are unresolvable namespace conflicts between trusted domains """

Added.

3.) rewriting 'clear_ftinfo_conflict' according to point 1.)
will allow to simplify code in 'update_ftinfo' like this: """ -res = self.clear_ftinfo_conflict(another_domain, cinfo) -if len(res[1]) != 0: -domains = [x.name.string for x in res[1]] -raise errors.TrustTopologyConflictError( - target=self.info['dns_domain'], - conflict=another_domain.info['dns_domain'], - domains=domains) -else: -raise errors.TrustTopologyConflictSolved( - target=self.info['dns_domain'], - conflict=another_domain.info['dns_domain']) +self.clear_ftinfo_conflict(another_domain, cinfo) +raise errors.TrustTopologyConflictSolved( +target=self.info['dns_domain'], +conflict=another_domain.info['dns_domain']) """ done. Patch 218: 1.) typo in the commit message: """ ... suffixes are forest-wide, there *are could be* user accounts in the ... """ Fixed. Updated patches attached. PATCH 207: ACK, I am attaching rebased version for ipa-4-3. Please check if the rebase is correct. PATCH 218: I am attaching rebased version for control. Unfortunately, I am unable to properly test conflict resolution due to reasons beyond my control but it does not break any ordinary workflows and code looks OK, so ACK. I have noticed that raising of TrustTopologyConflictSolved is broken. I have changed the base class to Exception and it works. Attaching patches with the
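Review bot: with the suggested rewrite of 'update_ftinfo', the `raise errors.TrustTopologyConflictSolved(...)` after `self.clear_ftinfo_conflict(another_domain, cinfo)` is unconditional, so TrustTopologyConflictSolved becomes a pure control-flow signal that the caller must catch to restart trust establishment; that only works if the class is not also a public error that propagates to the user, which is the point made earlier in the thread about keeping it private in dcerpc.py, and it matches the later observation that raising it was broken until its base class was changed to Exception. The correctness of this path now also depends entirely on clear_ftinfo_conflict raising TrustTopologyConflictError for unresolved conflicts before control reaches the raise, so that contract should be stated in its :raises: stanza as suggested.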
Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test
ping for review

On 08/02/2016 01:11 PM, Oleg Fayans wrote:

Hi Martin,

I did! Thank you!

On 08/02/2016 12:31 PM, Martin Basti wrote:

On 01.08.2016 22:46, Oleg Fayans wrote:

The test was redesigned so that it actually tests against an AD user. cleanly applies, passes lint and passes https://paste.fedoraproject.org/399504/00843641/

Okay

Did you forget to send patches?

Martin^2

On 06/28/2016 01:40 PM, Oleg Fayans wrote:

Patch-0050 rebased against latest upstream branch

On 06/28/2016 10:45 AM, Oleg Fayans wrote:

Passing test output: https://paste.fedoraproject.org/385774/71035231/

-- Oleg Fayans Quality Engineer FreeIPA team RedHat.
[Freeipa-devel] certmonger "failed to verify signature on server response" after receiving valid certificate
I'm testing with certmonger 0.78.6 (patched for the GETCACertChain bug) against two EJBCA servers. For verification I use a second SCEP client called jSCEP. I started certmonger in debug mode with "/usr/libexec/certmonger/certmonger-session -n -d 15"

The CA file in /root/.config/certmonger/cas looks like this:

id=Test_Sweden
ca_aka=SCEP (certmonger 0.78.6)
ca_is_default=0
ca_type=EXTERNAL
ca_external_helper=/usr/libexec/certmonger/scep-submit -u http://ejbca-test2.primekey.se:8080/ejbca/publicweb/apply/scep/mxratest/pkiclient.exe -i "mx_kd3"
ca_capabilities=POSTPKIOperation,Renewal,SHA-1
scep_ca_identifier=iCOM Kunde1 Schweden
ca_encryption_cert=-BEGIN CERTIFICATE- -END CERTIFICATE-
ca_encryption_issuer_cert=-BEGIN CERTIFICATE- -END CERTIFICATE-

Issuing the request "getcert request -c Test_Sweden -v -d /tmp/nssdb -g 2048 -I husky201 -p /tmp/pwd.txt -n husky201 -L abcd -N CN='husky201' -s" gives this log:

2016-08-22 10:31:13 [22931] Handling D-Bus traffic (Read) on FD 8 for 0x7fbe6b0c02e0.
2016-08-22 10:31:13 [22931] message 0x7fbe6b0c02e0(method_call)->org.fedorahosted.certmonger:/org/fedorahosted/certmonger:org.fedorahosted.certmonger.add_request
2016-08-22 10:31:13 [22931] Pending GetConnectionUnixUser serial 135
2016-08-22 10:31:13 [22931] Pending GetConnectionUnixProcessID serial 136
2016-08-22 10:31:13 [22931] Queuing FD 8 for Read for 0x7fbe6b0c02e0:0x7fbe6b0aa690.
2016-08-22 10:31:13 [22931] Dequeuing FD 8 for Read for 0x7fbe6b0c02e0:0x7fbe6b0aa690.
2016-08-22 10:31:13 [22931] Handling D-Bus traffic (Read) on FD 8 for 0x7fbe6b0c02e0.
2016-08-22 10:31:13 [22931] message 0x7fbe6b0c02e0(method_return)->135->73
2016-08-22 10:31:13 [22931] message 0x7fbe6b0c02e0(method_return)->136->74
2016-08-22 10:31:13 [22931] User ID 0 PID 23133 called /org/fedorahosted/certmonger:org.fedorahosted.certmonger.add_request.
2016-08-22 10:31:13 [23135] Read value "0" from "/proc/sys/crypto/fips_enabled".
2016-08-22 10:31:13 [23135] Not attempting to set NSS FIPS mode.
2016-08-22 10:31:13 [23135] Skipping NSS internal slot (NSS Generic Crypto Services).
2016-08-22 10:31:13 [23135] Found token 'NSS Certificate DB'.
2016-08-22 10:31:13 [23135] Located the key 'husky201'.
2016-08-22 10:31:13 [23135] Converted private key 'husky201' to public key.
2016-08-22 10:31:13 [23135] Key is an RSA key.
2016-08-22 10:31:13 [23135] Key size is 2048.
2016-08-22 10:31:13 [23136] Read value "0" from "/proc/sys/crypto/fips_enabled".
2016-08-22 10:31:13 [23136] Not attempting to set NSS FIPS mode.
2016-08-22 10:31:13 [23136] Found token 'NSS Generic Crypto Services'.
2016-08-22 10:31:13 [23136] Cert storage slot still needs user PIN to be set.
2016-08-22 10:31:13 [23136] Found token 'NSS Certificate DB'.
2016-08-22 10:31:13 [23136] Error locating certificate.
2016-08-22 10:31:13 [22931] Request7('husky201') starts in state 'NEWLY_ADDED'
2016-08-22 10:31:13 [22931] Request7('husky201') taking writing lock
2016-08-22 10:31:13 [22931] Request7('husky201') moved to state 'NEWLY_ADDED_START_READING_KEYINFO'
2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') now.
2016-08-22 10:31:13 [22931] Started Request7('husky201').
2016-08-22 10:31:13 [22931] Queuing FD 8 for Read for 0x7fbe6b0c02e0:0x7fbe6b09b4e0.
2016-08-22 10:31:13 [22931] Request7('husky201') moved to state 'NEWLY_ADDED_READING_KEYINFO'
2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') on traffic from 11.
2016-08-22 10:31:13 [22931] Dequeuing FD 8 for Read for 0x7fbe6b0c02e0:0x7fbe6b09b4e0.
2016-08-22 10:31:13 [22931] Handling D-Bus traffic (Read) on FD 8 for 0x7fbe6b0c02e0.
2016-08-22 10:31:13 [22931] message 0x7fbe6b0c02e0(method_call)->org.fedorahosted.certmonger:/org/fedorahosted/certmonger/requests/Request7:org.fedorahosted.certmonger.request.get_nickname
2016-08-22 10:31:13 [22931] Pending GetConnectionUnixUser serial 140
2016-08-22 10:31:13 [22931] Pending GetConnectionUnixProcessID serial 141
2016-08-22 10:31:13 [22931] Queuing FD 8 for Read for 0x7fbe6b0c02e0:0x7fbe6b0ae0a0.
2016-08-22 10:31:13 [22931] Dequeuing FD 8 for Read for 0x7fbe6b0c02e0:0x7fbe6b0ae0a0.
2016-08-22 10:31:13 [22931] Handling D-Bus traffic (Read) on FD 8 for 0x7fbe6b0c02e0.
2016-08-22 10:31:13 [22931] message 0x7fbe6b0c02e0(method_return)->140->75
2016-08-22 10:31:13 [22931] message 0x7fbe6b0c02e0(method_return)->141->76
2016-08-22 10:31:13 [22931] User ID 0 PID 23133 called /org/fedorahosted/certmonger/requests/Request7:org.fedorahosted.certmonger.request.get_nickname.
2016-08-22 10:31:13 [22931] Queuing FD 8 for Read for 0x7fbe6b0c02e0:0x7fbe6b09b4e0.
2016-08-22 10:31:13 [23137] Read value "0" from "/proc/sys/crypto/fips_enabled".
2016-08-22 10:31:13 [23137] Not attempting to set NSS FIPS mode.
2016-08-22 10:31:13 [23137] Skipping NSS internal slot (NSS Generic Crypto Services).
2016-08-22 10:31:13 [23137] Found token 'NSS Certificate DB'.
2016-08-22 10:31:13 [23137] Located the key 'husky201'.
2016-08-22 10:31:13
[Freeipa-devel] [freeipa PR#6] adtrust-install: Mention AD GC port 3286 in list of required ports (label change)
pspacek's pull request #6: "adtrust-install: Mention AD GC port 3286 in list of required ports" label *pushed* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/6
[Freeipa-devel] [freeipa PR#6] adtrust-install: Mention AD GC port 3286 in list of required ports (comment)
mbasti-rh commented on a pull request Fixed upstream master: https://fedorahosted.org/freeipa/changeset/3cf80e747d0172f7a80f5393c4481392e4448ca6 See the full comment at https://github.com/freeipa/freeipa/pull/6#issuecomment-241373805
[Freeipa-devel] [freeipa PR#6] adtrust-install: Mention AD GC port 3286 in list of required ports (closed)
pspacek's pull request #6: "adtrust-install: Mention AD GC port 3286 in list of required ports" was closed See the full pull-request at https://github.com/freeipa/freeipa/pull/6
[Freeipa-devel] [PATCH 0036, 0037][Tests] Host/service tests do not recognize newly added attribute
Hi, attached patches fix test failures occurring since patch for [1] was pushed. Ticket for tests: https://fedorahosted.org/freeipa/ticket/6240 Lenka [1] https://fedorahosted.org/freeipa/ticket/5764 From 4e152c92008ebcab69aa07d2a1f50649e71563ab Mon Sep 17 00:00:00 2001 From: Lenka Doudova Date: Mon, 22 Aug 2016 10:32:50 +0200 Subject: [PATCH 1/2] Tests: Host tracker does not recognize 'ipakrboktoauthasdelegate' attribute Due to [1] being implemented, retrieve and search tests with --all option specified fail due to extra attribute. [1] https://fedorahosted.org/freeipa/ticket/5764 Ticket: https://fedorahosted.org/freeipa/ticket/6240 --- ipatests/test_xmlrpc/tracker/host_plugin.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ipatests/test_xmlrpc/tracker/host_plugin.py b/ipatests/test_xmlrpc/tracker/host_plugin.py index 45be169e0c9567f8c7d7a73f2eb8155e9c3d6cfc..756190667bdfb56db970a3914814b07fc4c8b9dc 100644 --- a/ipatests/test_xmlrpc/tracker/host_plugin.py +++ b/ipatests/test_xmlrpc/tracker/host_plugin.py @@ -40,7 +40,7 @@ class HostTracker(KerberosAliasMixin, Tracker): retrieve_all_keys = retrieve_keys | { u'cn', u'ipakrbokasdelegate', u'ipakrbrequirespreauth', u'ipauniqueid', u'krbcanonicalname', u'managing_host', u'objectclass', -u'serverhostname'} +u'serverhostname', u'ipakrboktoauthasdelegate'} create_keys = retrieve_keys | {'objectclass', 'ipauniqueid', 'randompassword'} update_keys = retrieve_keys - {'dn'} @@ -112,6 +112,7 @@ class HostTracker(KerberosAliasMixin, Tracker): ipakrbrequirespreauth=True, managing_host=[self.fqdn], serverhostname=[self.shortname], +ipakrboktoauthasdelegate=False, ) self.exists = True -- 2.7.4 From 36695099f1c2b500c7bb1633db387775f1e2ff3d Mon Sep 17 00:00:00 2001
From: Lenka Doudova Date: Mon, 22 Aug 2016 12:08:04 +0200 Subject: [PATCH 2/2] Tests: Service tracker and tests don't recognize 'ipakrboktoauthasdelegate' attribute Due to [1] being implemented, retrieve and search tests with --all option specified fail due to extra attribute. [1] https://fedorahosted.org/freeipa/ticket/5764 Ticket: https://fedorahosted.org/freeipa/ticket/6240 --- ipatests/test_xmlrpc/test_service_plugin.py| 2 ++ ipatests/test_xmlrpc/tracker/service_plugin.py | 5 +++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ipatests/test_xmlrpc/test_service_plugin.py b/ipatests/test_xmlrpc/test_service_plugin.py index 56e2c7a7a0570cb15dc5d27dcdba488da089350f..0e8c8ea30aa48a4e47b5a6f816995f6a7c81f258 100644 --- a/ipatests/test_xmlrpc/test_service_plugin.py +++ b/ipatests/test_xmlrpc/test_service_plugin.py @@ -256,6 +256,7 @@ class test_service(Declarative): has_keytab=False, ipakrbrequirespreauth=True, ipakrbokasdelegate=False, +ipakrboktoauthasdelegate=False, ), ), ), @@ -319,6 +320,7 @@ class test_service(Declarative): managedby_host=[fqdn1], ipakrbrequirespreauth=True, ipakrbokasdelegate=False, +ipakrboktoauthasdelegate=False, ), ], ), diff --git a/ipatests/test_xmlrpc/tracker/service_plugin.py b/ipatests/test_xmlrpc/tracker/service_plugin.py index 3b970b98985f6d0528aba369064f889256853b79..fe34390e268b53cc4717ce75aff139c510a7 100644 --- a/ipatests/test_xmlrpc/tracker/service_plugin.py +++ b/ipatests/test_xmlrpc/tracker/service_plugin.py @@ -44,7 +44,7 @@ class ServiceTracker(KerberosAliasMixin, Tracker): u'ipaKrbPrincipalAlias', u'ipaUniqueID', u'krbExtraData', u'krbLastPwdChange', u'krbLoginFailedCount', u'memberof', u'objectClass', u'ipakrbrequirespreauth', -u'ipakrbokasdelegate'} +u'ipakrbokasdelegate', u'ipakrboktoauthasdelegate'} create_keys = (retrieve_keys | {u'objectclass', u'ipauniqueid'}) - { u'usercertificate', u'has_keytab'} 
@@ -94,7 +94,8 @@ class ServiceTracker(KerberosAliasMixin, Tracker): u'ipauniqueid': [fuzzy_uuid], u'managedby_host': [self.host_fqdn], u'krbcanonicalname': [u'{0}'.format(self.name)], -u'has_keytab': False +u'has_keytab': False, +u'ipakrboktoauthasdelegate': False, } for key in self.options: -- 2.7.4
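Review bot: in the first host_plugin.py hunk, u'ipakrboktoauthasdelegate' is appended after u'serverhostname', which breaks the alphabetical order the rest of the retrieve_all_keys set keeps (u'cn', u'ipakrbokasdelegate', u'ipakrbrequirespreauth', u'ipauniqueid', ...); put it right after u'ipakrbokasdelegate' so the two delegation flags sit together and the next addition has an obvious slot.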
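Review bot: in the second host_plugin.py hunk and in the @@ -94 hunk of tracker/service_plugin.py, ipakrboktoauthasdelegate is hard-wired to False in the tracker's expected attributes, which is only right while the server default stays False and no test creates the object with the flag set. The service hunk shows a `for key in self.options:` loop right after the dict that would override the value from options; the host hunk ends at `self.exists = True` with no such loop visible, so please confirm HostTracker applies self.options the same way, or derive the expected value from the create options instead of the literal False.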
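Review bot: the two test_service_plugin.py hunks add `ipakrboktoauthasdelegate=False` to exactly two expected results (at lines 256 and 319), each of which already lists `ipakrbokasdelegate=False`; any other expected dict in that file that lists ipakrbokasdelegate is presumably also an --all result and will keep failing for the reason the commit message gives, so please grep the file for ipakrbokasdelegate and extend every such expectation in the same patch.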
Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies
On 08/19/2016 04:06 PM, Martin Basti wrote: On 19.08.2016 12:37, Pavel Vomacka wrote: On 08/16/2016 08:21 AM, Stanislav Laznicka wrote: On 08/12/2016 06:48 PM, Petr Spacek wrote: On 11.8.2016 12:34, Stanislav Laznicka wrote:

Hello, I updated the design of the Time-Based HBAC Policies according to the discussion we led here earlier. Please check the design page http://www.freeipa.org/page/V4/Time-Based_Account_Policies. The biggest changes are in the Implementation and Feature Management sections. I also added a short How to Use section. Thank you for the review! I will add some comments inline. Nice page! On the high level it all makes sense.

ad LDAP schema ==

1) Why is the accessTime attribute MAY in the ipaTimeRule object class? Does it make sense to have the object without accessTime? I do not think so. My idea was that we allow users to prepare a few time rule objects before filling them with the actual times. Also, it could be good to add a description attribute to the object class and incorporate it into commands (including find). Definitely a good idea, I will work that in.

2) Besides all this, I spent a few minutes in the dark history of IPA. The accessTime attribute was introduced back in 2009 in commit "55ba300c7cb59cf05b16cc01281f51d93eb25acf" aka "Incorporate new schema for IPAv2". The commit does not contain any reasoning for the change but I can see that the attribute is already used as MAY in old object classes ipaHBACRule and ipaSELinuxUserMap. Is any of these a problem? I believe that the accessTime attribute was originally brought to IPA when there was an implementation of time policies for HBAC objects and it's been rotting there ever since those capabilities were removed. We may eventually use a new attribute for storage of the time strings as accessTime by definition is multi-valued which is not what's currently desired (although we may end up with it some day in the future).
However, I don't think any other use of accessTime should be a problem as it's been obsoleted for a long time. Why is it even in the ipaSELinuxUserMap object class? I'm sorry to say I have no idea. I used it for what it originally was - a means for storing time strings at HBAC rules. Commit 55512dc938eb4a9a6655e473beab587e340af55c does not mention any reason for doing so. I cannot see any other problem so the low-level stuff is good and can be implemented.

ad User interface =

We need to polish the user interface so it is really usable. At least the web interface should contain some shortcuts. E.g. when I'm adding a new HBAC rule, the "time" section should contain also "something" to immediately add a new time rule so I do not need to go to time rules first and then go back to the HBAC page. I'm definitely for creating a field where the admin can choose an existing time rule when creating a new HBAC. But I'm not sure about the possibility to create and define a new time rule in the dialog for creating a new HBAC. I think that mixing these two things together is like a possibility to create a new user when you are creating a user group. Which is mixing two different things together. I can imagine a button like "Create HBAC and add a new time rule to it" which could store the new HBAC rule and immediately take the admin to the page (or dialog) where the admin can create a new time rule with a prefilled HBAC rule. But as you write below it would be good to discuss it with some UX designer. I'm not a UX guru, but if you add a button there and show a dialog window to create a new timerule and then automatically assign it to the HBACrule it may work for me :) Similarly, the dialog for rule modification should allow to easily change all the values, warn if the time rule is shared, and also have an easy way to 'disconnect' the time rule, i.e. make a copy of it and edit only the new copy (instead of the shared original). All of these points are really good. All these are user interface things not affecting the low-level stuff.
Maybe you should sit down with some UX designer, talk about these cases and draw some hand-made pictures. I will add Pavel V. to CC, we may want to discuss this. I do not believe that this will require any changes in schema so you can polish SSSD and framework implementation in the meantime. On the link below is a PROTOTYPE-patched FreeIPA that covers most of the CLI functionality (except for the creation of iCalendar strings from options) for better illustration of the design. https://github.com/stlaz/freeipa/tree/timerules_2 Honestly I did not look at the code today :-) Overall, I'm glad to see the current proposal. After so many iterations, we reached something which does not have any glaring problem :-) It definitely felt better to be writing it with all the previous knowledge. Thank you! :-) LGTM with all previous comments Thank you for the review, my comments are inline (Nitpick mode enabled: True) 1. It may not be clear from design that client is actuall
[Freeipa-devel] [freeipa PR#7] config-mod: normalize attribute names for --usersearch/--groupsearch (comment)
abbra commented on a pull request Looks good to me. Thanks. See the full comment at https://github.com/freeipa/freeipa/pull/7#issuecomment-241345286
[Freeipa-devel] [freeipa PR#7] config-mod: normalize attribute names for --usersearch/--groupsearch (label change)
pspacek's pull request #7: "config-mod: normalize attribute names for --usersearch/--groupsearch" label *ack* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/7
Re: [Freeipa-devel] [PATCH] 0003 Validate key in otptoken-add
Seems like a good idea, I'm attaching the updated patch. Autofill does work when the param is required. On 08/19/2016 04:19 PM, Martin Basti wrote: On 16.08.2016 17:35, Tomas Krizek wrote: Hi, the attached patch fixes an error message when the user provides an empty key while adding an OTP token. https://fedorahosted.org/freeipa/ticket/6200 I'm curious why we don't fix it here: OTPTokenKey('ipatokenotpkey?', cli_name='key', label=_('Key'), doc=_('Token secret (Base32; default: random)'), default_from=lambda: os.urandom(KEY_LENGTH), autofill=True, flags=('no_display', 'no_update', 'no_search'), ), If OTPTokenKey is mandatory, it should be a required param (autofill should work in this case too) Martin^2 -- Tomas Krizek From cdb4861416b07d1c17c1dbe6ddf67f1861322ff0 Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Mon, 22 Aug 2016 10:15:42 +0200 Subject: [PATCH] Validate key in otptoken-add Make the OTP token key mandatory and show an appropriate error message if the user enters an empty key. https://fedorahosted.org/freeipa/ticket/6200 --- ipaserver/plugins/otptoken.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/plugins/otptoken.py b/ipaserver/plugins/otptoken.py index 39012e2f9106c33c520e19f14331fc440333015a..15b25e07a905257f016de68a3d9e182447699d0e 100644 --- a/ipaserver/plugins/otptoken.py +++ b/ipaserver/plugins/otptoken.py @@ -208,7 +208,7 @@ class otptoken(LDAPObject): label=_('Serial'), doc=_('Token serial (informational only)'), ), -OTPTokenKey('ipatokenotpkey?', +OTPTokenKey('ipatokenotpkey', cli_name='key', label=_('Key'), doc=_('Token secret (Base32; default: random)'), -- 2.7.4
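Review bot: dropping the '?' makes ipatokenotpkey required, but the param keeps autofill=True and default_from=lambda: os.urandom(KEY_LENGTH) (quoted just above the hunk), so an omitted key is still silently replaced by a random one and only an explicitly empty value now hits validation; the commit message "Make the OTP token key mandatory" should say that, because from the user's side the key stays optional. The change also ships without a test: a case in the otptoken plugin tests that passes ipatokenotpkey='' and expects the validation error would pin down ticket 6200 and catch a future reintroduction of the '?'.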
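The behaviour the patch is about, written out as an added example (not FreeIPA's code and not using its Param framework): a key that is omitted is autofilled with a random secret, while a key that is supplied but empty, or not Base32, is rejected with a message that names the problem. The function names `validate_otp_key`, `new_otp_key` and `resolve_key`, the 35-byte `KEY_LENGTH` and the 16-byte minimum are my assumptions; the page shows `os.urandom(KEY_LENGTH)` but not KEY_LENGTH's value. The HOTP routine is only there to prove a validated key is usable, checked against the RFC 4226 test vector.

```python
import base64
import binascii
import hashlib
import hmac
import os
import struct

# Assumed default secret length in bytes (FreeIPA's KEY_LENGTH is not shown on the page).
KEY_LENGTH = 35


class ValidationError(ValueError):
    """Raised when a user-supplied token secret is unusable."""


def validate_otp_key(value):
    """Return the raw secret bytes for a Base32 token key supplied by the user.

    An empty string is not a 'missing' key to be autofilled; it is an invalid
    key and gets an explicit message instead of a generic failure.
    """
    if value is None:
        raise ValidationError("key: required")
    text = value.strip().upper().replace(" ", "")
    if not text:
        raise ValidationError("key: must not be empty")
    padded = text + "=" * (-len(text) % 8)  # Base32 wants a multiple of 8 characters
    try:
        raw = base64.b32decode(padded, casefold=True)
    except (binascii.Error, ValueError):
        raise ValidationError("key: must be Base32 encoded")
    if len(raw) < 16:  # assumption: RFC 4226 recommends shared secrets of at least 128 bits
        raise ValidationError("key: must decode to at least 16 bytes")
    return raw


def new_otp_key(length=KEY_LENGTH):
    """Generate a random secret, as the autofill default does when no key is given."""
    return os.urandom(length)


def resolve_key(supplied):
    """'Required with random default' semantics: None -> autofill, '' -> error."""
    if supplied is None:
        return new_otp_key()
    return validate_otp_key(supplied)


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP; used only to show that a validated key actually works."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


if __name__ == "__main__":
    # Constructed sample input: the RFC 4226 test secret "12345678901234567890", Base32-encoded.
    key = resolve_key("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print(hotp(key, 0))
    for bad in ("", "   ", "not-base32!", "GEZDGNBVGY3TQOJQ"):
        try:
            resolve_key(bad)
        except ValidationError as e:
            print("rejected %r: %s" % (bad, e))
```

Note that whitespace-only input is treated as empty rather than as a short key, and that the length check runs on the decoded bytes, so a Base32 string that is long but padded with '=' cannot sneak a short secret past it.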
[Freeipa-devel] [freeipa PR#5] migrate-ds: Mention --enable-migration in error message about migraion mode (comment)
mbasti-rh commented on a pull request Works for me See the full comment at https://github.com/freeipa/freeipa/pull/5#issuecomment-241343377
[Freeipa-devel] [freeipa PR#5] migrate-ds: Mention --enable-migration in error message about migraion mode (label change)
pspacek's pull request #5: "migrate-ds: Mention --enable-migration in error message about migraion mode" label *ack* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/5
[Freeipa-devel] [freeipa PR#7] config-mod: normalize attribute names for --usersearch/--groupsearch (opened)
pspacek's pull request #7: "config-mod: normalize attribute names for --usersearch/--groupsearch" was opened PR body: https://fedorahosted.org/freeipa/ticket/6236 See the full pull-request at https://github.com/freeipa/freeipa/pull/7
Re: [Freeipa-devel] invoking ipa-certupdate from within installer
Hi, On 22.8.2016 09:37, Fraser Tweedale wrote: #6019 requires adding tracking requests for existing lightweight CAs as part of replica installation. ipa-certupdate has logic to do this. Before I go ahead and implement, there are a few approaches I want to mention and seek feedback from team members before I commit to one. 1. invoke ipa-certupdate as a subprocess, from CAInstance.configure_replica. This is the simplest approach. Not much else to say about it, really :) 2. invoke ipa-certupdate's main() from the installer. This is slightly more work because currently it would fail due to API already having been initialised. 3. extract all logic for adding tracking requests such that it can be invoked separately; then refactor ipa-certupdate to call it as well as calling it from CAInstance.configure_replica. This is the most work. I lean towards (1) or (3). If you wish it to be done a certain way say your piece. (4) Extract the relevant code from ipa-certupdate into a separate function and call it from CAInstance.configure_replica(). I would not go with (1) or (2) because it does more than track the certs. I would also not go with (3) because it requires extensive changes not suitable for 4.4. Thanks, Fraser Honza -- Jan Cholasta
[Freeipa-devel] [freeipa PR#6] adtrust-install: Mention AD GC port 3286 in list of required ports (comment)
abbra commented on a pull request Sounds good to me. Thanks. See the full comment at https://github.com/freeipa/freeipa/pull/6#issuecomment-241337413
[Freeipa-devel] [freeipa PR#6] adtrust-install: Mention AD GC port 3286 in list of required ports (label change)
pspacek's pull request #6: "adtrust-install: Mention AD GC port 3286 in list of required ports" label *ack* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/6
[Freeipa-devel] invoking ipa-certupdate from within installer
#6019 requires adding tracking requests for existing lightweight CAs as part of replica installation. ipa-certupdate has logic to do this. Before I go ahead and implement, there are a few approaches I want to mention and seek feedback from team members before I commit to one. 1. invoke ipa-certupdate as a subprocess, from CAInstance.configure_replica. This is the simplest approach. Not much else to say about it, really :) 2. invoke ipa-certupdate's main() from the installer. This is slightly more work because currently it would fail due to API already having been initialised. 3. extract all logic for adding tracking requests such that it can be invoked separately; then refactor ipa-certupdate to call it as well as calling it from CAInstance.configure_replica. This is the most work. I lean towards (1) or (3). If you wish it to be done a certain way say your piece. Thanks, Fraser
[Freeipa-devel] [freeipa/freeipa #6] adtrust-install: Mention AD GC port 3286 in list of required ports (opened)
pspacek's pull request #6: "adtrust-install: Mention AD GC port 3286 in list of required ports" was opened PR body: Port name "msft-gc" is taken from the /etc/services file provided by package setup-2.10.1-1.fc24.noarch. https://fedorahosted.org/freeipa/ticket/6235 See the full pull-request at https://github.com/freeipa/freeipa/pull/6
Re: [Freeipa-devel] [PATCH] 0090, 0092..0094 cert-show: show subject alternative names
On 19.8.2016 13:11, Fraser Tweedale wrote: Bump for review. On Mon, Aug 15, 2016 at 05:15:16PM +1000, Fraser Tweedale wrote: Thanks for reviews. Rebased and updated patches attached (and one new patch). No substantive changes to 92..94. Patch order is: 92-2, 93-2, 94-2, 98, 90-3 Other comments inline. Thanks, Fraser On Fri, Aug 12, 2016 at 11:33:28AM +0200, Jan Cholasta wrote: Patch 0092: ACK Patch 0093: ACK Patch 0094: ACK Please fix this PEP8 issue before pushing: ./ipaserver/plugins/cert.py:597:17: W503 line break before binary operator Patch 0098: ACK Patch 0090: 1) Generic otherNames (san_other) do not work correctly. The OID is not included in the value and names with complex type other than KerberosPrincipal are not parsed correctly. The value should include the OID and DER blob of the name. Updated to use "OID:b64(DER)" as the attribute value. OK. 2) With --all, san_other should be included in the result for all otherNames, even the known ones, to provide (limited) forward compatibility. Done; when --all given, known otherName kinds are included in 'san_other' attribute in addition to their own attribute. OK. 3) Do we have to support *all* the name types? I mean we could, for the sake of completeness, but it might be easier to just keep the few ones we actually care about (email, DNS name, principal name, UPN and directory name in your patch 0095). Yeah, why not support them all? See also Petr's comments in other branch of thread. Works for me, but see Lukáš's reply, I think he has a point. Maybe we can make a compromise and show only supported name types by default and everything with --all? 4) +obj.setdefault(attr_name, []).append(unicode(name)) The value should not (always) be unicode, but of the type declared by the param (unicode or ipapython.kerberos.Principal or ipapython.dnsutil.DNSName). 
I now pass the value to the constructor of whatever type the parameter uses: attr_value = self.params[attr_name].type(name_formatted) obj.setdefault(attr_name, []).append(attr_value) OK. 5) san_directoryname should be a DNParam rather than Str. 6) Could we use "Subject " instead of "Subject Alternative Name ()" for labels? Or something else which is shorter and has the name type more "visible" than the current form. 7) The patch needs a rebase. -- Jan Cholasta
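Items 1 and 2 of the review above (generic otherNames rendered as "OID:b64(DER)", and known otherName kinds additionally listed under san_other when --all is given) are easy to get subtly wrong, so here is an added, self-contained illustration in plain Python. It is not FreeIPA's cert-show code: it parses a DER GeneralNames value by hand instead of going through python-cryptography or NSS, and everything except the san_other attribute name is my own (the other attribute names, the helper names, the choice to base64-encode the element inside the otherName's [0] EXPLICIT wrapper, and the constructed sample SAN built by build_sample_san). The Kerberos principal and UPN OIDs are the standard ones.

```python
import base64

# The two otherName kinds the thread singles out; any other OID is rendered generically.
OID_KRB5_PRINCIPAL = "1.3.6.1.5.2.2"      # id-pkinit-san, value is a KRB5PrincipalName
OID_MS_UPN = "1.3.6.1.4.1.311.20.2.3"     # Microsoft UPN, value is a UTF8String


def _read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _tlv(tag, content):
    """Encode one DER TLV; used only to build the constructed sample."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def _decode_krb5_principal(der):
    """KRB5PrincipalName ::= SEQUENCE { realm [0] Realm, principalName [1] PrincipalName }."""
    _, body, _ = _read_tlv(der, 0)
    _, realm_wrap, p = _read_tlv(body, 0)           # [0] EXPLICIT Realm
    _, realm, _ = _read_tlv(realm_wrap, 0)          # GeneralString
    _, pn_wrap, _ = _read_tlv(body, p)              # [1] EXPLICIT PrincipalName
    _, pn, _ = _read_tlv(pn_wrap, 0)                # SEQUENCE { name-type [0], name-string [1] }
    _, _, p = _read_tlv(pn, 0)                      # name-type INTEGER, not needed for display
    _, ns_wrap, _ = _read_tlv(pn, p)                # [1] EXPLICIT SEQUENCE OF GeneralString
    _, ns, _ = _read_tlv(ns_wrap, 0)
    comps, q = [], 0
    while q < len(ns):
        _, s, q = _read_tlv(ns, q)
        comps.append(s.decode("ascii"))
    return "/".join(comps) + "@" + realm.decode("ascii")


def parse_san(san_der, all_names=False):
    """Parse a DER GeneralNames value into {attribute: [values]}; all_names mirrors --all."""
    tag, body, _ = _read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("GeneralNames must be a SEQUENCE")
    result = {}

    def add(key, val):
        result.setdefault(key, []).append(val)

    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        choice = tag & 0x1F                         # context tag number = GeneralName CHOICE index
        if choice == 0:                             # otherName
            _, oid_raw, p = _read_tlv(value, 0)
            _, inner, _ = _read_tlv(value, p)       # element inside the [0] EXPLICIT wrapper
            oid = _decode_oid(oid_raw)
            generic = "%s:%s" % (oid, base64.b64encode(inner).decode("ascii"))
            if oid == OID_KRB5_PRINCIPAL:
                add("san_kerberos_principal", _decode_krb5_principal(inner))
            elif oid == OID_MS_UPN:
                add("san_upn", _read_tlv(inner, 0)[1].decode("utf-8"))
            else:
                add("san_other", generic)           # unknown kind: OID plus base64 DER
                continue
            if all_names:                           # known kinds also under san_other with --all
                add("san_other", generic)
        elif choice == 1:
            add("san_rfc822name", value.decode("ascii"))
        elif choice == 2:
            add("san_dnsname", value.decode("ascii"))
        else:                                       # directoryName, URI, IP, ...: left raw here
            add("san_unsupported", "[%d]:%s" % (choice, base64.b64encode(value).decode("ascii")))
    return result


def build_sample_san():
    """Constructed sample: dNSName, rfc822Name, a UPN, a Kerberos principal, an unknown otherName."""
    upn = _tlv(0x06, _encode_oid(OID_MS_UPN)) + _tlv(0xA0, _tlv(0x0C, b"admin@EXAMPLE.TEST"))
    name_string = _tlv(0x30, _tlv(0x1B, b"HTTP") + _tlv(0x1B, b"host.example.test"))
    principal = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x01")) + _tlv(0xA1, name_string))
    krb = _tlv(0x30, _tlv(0xA0, _tlv(0x1B, b"EXAMPLE.TEST")) + _tlv(0xA1, principal))
    krb_other = _tlv(0x06, _encode_oid(OID_KRB5_PRINCIPAL)) + _tlv(0xA0, krb)
    unknown = _tlv(0x06, _encode_oid("1.2.3.4")) + _tlv(0xA0, _tlv(0x04, b"\xde\xad"))
    return _tlv(0x30, _tlv(0x82, b"host.example.test") + _tlv(0x81, b"admin@example.test")
                + _tlv(0xA0, upn) + _tlv(0xA0, krb_other) + _tlv(0xA0, unknown))


if __name__ == "__main__":
    for key, vals in sorted(parse_san(build_sample_san(), all_names=True).items()):
        print(key, vals)
```

Running it with all_names=False lists the unknown otherName only under san_other, while all_names=True also repeats the UPN and Kerberos principal there in their generic form, which is the forward-compatibility behaviour item 2 asks for: a client that knows nothing about a new otherName kind can still show the OID and the raw DER.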