[Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file
URL: https://github.com/freeipa/freeipa/pull/177
Title: #177: Add options to write lightweight CA cert or chain to file

frasertweedale commented:
"""
Never mind... my `--chain` option disappeared... not quite there yet >_<
"""

See the full comment at https://github.com/freeipa/freeipa/pull/177#issuecomment-263806421

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file
URL: https://github.com/freeipa/freeipa/pull/177
Title: #177: Add options to write lightweight CA cert or chain to file

frasertweedale commented:
"""
@jcholast thanks for review. PR updated.

No longer inheriting `BaseCertObject`. `--chain` now defined server-side and no longer implies `--all`.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/177#issuecomment-263805812
[Freeipa-devel] [freeipa PR#177][synchronized] Add options to write lightweight CA cert or chain to file
URL: https://github.com/freeipa/freeipa/pull/177 Author: frasertweedale Title: #177: Add options to write lightweight CA cert or chain to file Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/177/head:pr177 git checkout pr177 From 074d38a611ee4d4edc2afa857563cf0e09527115 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 16 Aug 2016 13:16:58 +1000 Subject: [PATCH 1/3] Add function for extracting PEM certs from PKCS #7 Add a single function for extracting X.509 certs in PEM format from a PKCS #7 object. Refactor sites that execute ``openssl pkcs7`` to use the new function. Part of: https://fedorahosted.org/freeipa/ticket/6178 --- ipalib/x509.py | 23 +- ipapython/certdb.py | 9 ++- ipaserver/install/cainstance.py | 52 +++-- 3 files changed, 43 insertions(+), 41 deletions(-) diff --git a/ipalib/x509.py b/ipalib/x509.py index e1c3867..caf0ddc 100644 --- a/ipalib/x509.py +++ b/ipalib/x509.py @@ -48,7 +48,9 @@ from ipalib import api from ipalib import util from ipalib import errors +from ipaplatform.paths import paths from ipapython.dn import DN +from ipapython import ipautil if six.PY3: unicode = str @@ -56,7 +58,9 @@ PEM = 0 DER = 1 -PEM_REGEX = re.compile(r'(?<=-BEGIN CERTIFICATE-).*?(?=-END CERTIFICATE-)', re.DOTALL) +PEM_REGEX = re.compile( +r'-BEGIN CERTIFICATE-.*?-END CERTIFICATE-', +re.DOTALL) EKU_SERVER_AUTH = '1.3.6.1.5.5.7.3.1' EKU_CLIENT_AUTH = '1.3.6.1.5.5.7.3.2' 
@@ -145,6 +149,23 @@ def load_certificate_list_from_file(filename): return load_certificate_list(f.read()) +def pkcs7_to_pems(data, datatype=PEM): +""" +Extract certificates from a PKCS #7 object. + +Return a ``list`` of X.509 PEM strings. + +May throw ``ipautil.CalledProcessError`` on invalid data. + +""" +cmd = [ +paths.OPENSSL, "pkcs7", "-print_certs", +"-inform", "PEM" if datatype == PEM else "DER", +] +result = ipautil.run(cmd, stdin=data, capture_output=True) +return PEM_REGEX.findall(result.output) + + def is_self_signed(certificate, datatype=PEM): cert = load_certificate(certificate, datatype) return cert.issuer == cert.subject diff --git a/ipapython/certdb.py b/ipapython/certdb.py index 5344e37..9b989ef 100644 --- a/ipapython/certdb.py +++ b/ipapython/certdb.py @@ -237,13 +237,8 @@ def import_files(self, files, db_password_filename, import_keys=False, continue if label in ('PKCS7', 'PKCS #7 SIGNED DATA', 'CERTIFICATE'): -args = [ -OPENSSL, 'pkcs7', -'-print_certs', -] try: -result = ipautil.run( -args, stdin=body, capture_output=True) +certs = x509.pkcs7_to_pems(body) except ipautil.CalledProcessError as e: if label == 'CERTIFICATE': root_logger.warning( @@ -255,7 +250,7 @@ def import_files(self, files, db_password_filename, import_keys=False, filename, line, e) continue else: -extracted_certs += result.output + '\n' +extracted_certs += '\n'.join(certs) + '\n' loaded = True continue diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 505232c..a3751d1 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py 
@@ -745,44 +745,30 @@ def __import_ca_chain(self): # makes openssl throw up. data = base64.b64decode(chain) -result = ipautil.run( -[paths.OPENSSL, - "pkcs7", - "-inform", - "DER", - "-print_certs", - ], stdin=data, capture_output=True) -certlist = result.output +certlist = x509.pkcs7_to_pems(data, x509.DER) # Ok, now we have all the certificates in certs, walk through it # and pull out each certificate and add it to our database -st = 1 -en = 0 -subid = 0 ca_dn = DN(('CN','Certificate Authority'), self.subject_base) -while st > 0: -st = certlist.find('-BEGIN', en) -en = certlist.find('-END', en+1) -if st > 0: -try: -(chain_fd, chain_name) = tempfile.mkstemp() -os.write(chain_fd, certlist[st:en+25]) -os.close(chain_fd) -(_rdn, subject_dn) = certs.get_cert_nickname(certlist[st:en+25])
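Review bot: the new `PEM_REGEX` in the ipalib/x509.py hunk matches only one dash on each side of the marker text, so against `-----BEGIN CERTIFICATE-----` the match starts at the fifth leading dash and ends at the first trailing dash of `-----END CERTIFICATE-----`; `findall` therefore returns strings that begin with `-BEGIN CERTIFICATE-----` and end with `-----END CERTIFICATE-`, which is not well-formed PEM armor. Since `pkcs7_to_pems` returns these strings verbatim and the certdb.py hunk now joins them into `extracted_certs`, any consumer that requires the full five-dash delimiters will reject them. Use the full markers, e.g. `r'-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----'`, and add a unit test that feeds the output of `pkcs7_to_pems` back through `load_certificate_list`.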
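Review bot: the `pkcs7_to_pems` docstring in the ipalib/x509.py hunk documents the return value and the exception but not the `datatype` parameter; state that it accepts `PEM` or `DER`, that it only selects the `-inform` passed to `openssl`, and that `data` goes to `openssl` unchanged on stdin. Also consider the empty result: a PKCS #7 object that carries no certificates yields `[]` rather than an error, and the two call sites (certdb.py appends `'\n'.join(certs) + '\n'`, cainstance.py assigns `certlist`) should be checked for whether an empty list is silently treated as success.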
[Freeipa-devel] [freeipa PR#174][comment] add log module
URL: https://github.com/freeipa/freeipa/pull/174
Title: #174: add log module

shanyin commented:
"""
Hello, I have sent the fix for the missing translations as a separate PR in https://github.com/freeipa/freeipa/pull/286.

The changes in the ipaserver/rpcserver.py file were used for parsing the apache error.log information into ipa.log, which was used for providing the interfaces of the Web UI log module.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/174#issuecomment-263801899
[Freeipa-devel] [freeipa PR#245][synchronized] Allow full customisability of IPA CA subject DN
URL: https://github.com/freeipa/freeipa/pull/245 Author: frasertweedale Title: #245: Allow full customisability of IPA CA subject DN Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/245/head:pr245 git checkout pr245 From db851f34fe4544be55604b9675570a6fb2a0 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 11 Nov 2016 18:54:01 +1000 Subject: [PATCH 1/7] Remove unused function argument Remove an unused function argument. Also rename the function to have a more accurate name. Part of: https://fedorahosted.org/freeipa/ticket/2614 --- ipaserver/install/server/install.py | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index 1f2e8a4..861f48e 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py @@ -242,7 +242,7 @@ def check_dirsrv(unattended): raise ScriptError(msg) -def set_subject_in_config(realm_name, dm_password, suffix, subject_base): +def set_subject_base_in_config(realm_name, dm_password, subject_base): ldapuri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % ( installutils.realm_to_serverid(realm_name) ) @@ -846,8 +846,7 @@ def install(installer): os.chmod(paths.IPA_CA_CRT, 0o644) ca_db.publish_ca_cert(paths.IPA_CA_CRT) -set_subject_in_config(realm_name, dm_password, - ipautil.realm_to_suffix(realm_name), options.subject) +set_subject_base_in_config(realm_name, dm_password, options.subject_base) # Apply any LDAP updates. Needs to be done after the configuration file # is created. DS is restarted in the process. From 84a92acf701c82798e1079e9c9e201b881881130 Mon Sep 17 00:00:00 2001 
From: Fraser Tweedale Date: Wed, 16 Nov 2016 19:31:19 +1000 Subject: [PATCH 2/7] installutils: remove hardcoded subject DN assumption `installutils.load_external_cert` assumes that the IPA CA subject DN is `CN=Certificate Authority, {subject_base}`. In preparation for full customisability of IPA CA subject DN, push this assumption out of this function to call sites (which will be updated in a subsequent commit). Part of: https://fedorahosted.org/freeipa/ticket/2614 --- ipaserver/install/ca.py| 4 +++- ipaserver/install/installutils.py | 7 --- ipaserver/install/ipa_cacert_manage.py | 7 +-- 3 files changed, 12 insertions(+), 6 deletions(-) diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py index efc8c87..2ff66af 100644 --- a/ipaserver/install/ca.py +++ b/ipaserver/install/ca.py @@ -100,7 +100,9 @@ def install_check(standalone, replica_config, options): "--external-ca.") external_cert_file, external_ca_file = installutils.load_external_cert( -options.external_cert_files, options.subject) +options.external_cert_files, +DN(('CN', 'Certificate Authority'), options.subject) +) elif options.external_ca: if cainstance.is_step_one_done(): raise ScriptError( diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index a6cde89..2f311b4 100644 --- a/ipaserver/install/installutils.py +++ b/ipaserver/install/installutils.py @@ -1092,7 +1092,8 @@ def check_entropy(): except ValueError as e: root_logger.debug("Invalid value in %s %s", paths.ENTROPY_AVAIL, e) -def load_external_cert(files, subject_base): + +def load_external_cert(files, ca_subject): """ Load and verify external CA certificate chain from multiple files. 
@@ -1100,7 +1101,7 @@ def load_external_cert(files, subject_base): chain formats. :param files: Names of files to import -:param subject_base: Subject name base for IPA certificates +:param ca_subject: IPA CA subject DN :returns: Temporary file with the IPA CA certificate and temporary file with the external CA certificate chain """ @@ -1114,7 +1115,7 @@ def load_external_cert(files, subject_base): except RuntimeError as e: raise ScriptError(str(e)) -ca_subject = DN(('CN', 'Certificate Authority'), subject_base) +ca_subject = DN(ca_subject) ca_nickname = None cache = {} for nickname, _trust_flags in nssdb.list_certs(): diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py index 5a278f4..4082dfa 100644 --- a/ipaserver/install/ipa_cacert_manage.py +++ b/ipaserver/install/ipa_cacert_manage.py @@ -192,8 +192,6 @@ def renew_external_step_2(self, ca, old_cert_der): options = self.options conn = api.Backend.ldap2 -cert_file, ca_file = installutils.load_external_cert( -options.external_cert_files, x509.subject_base()) old_cert_obj = x509.load_certificate(old_cert_der, x509.DER) old_der_subject =
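Review bot: the call-site rename in the ipaserver/install/server/install.py hunk switches the argument from `options.subject` to `options.subject_base`, while the ipaserver/install/ca.py hunk in PATCH 2/7 still builds the CA DN from `options.subject` (`DN(('CN', 'Certificate Authority'), options.subject)`). Unless the option itself is renamed elsewhere in the series, one of these two call sites refers to an attribute that does not exist; if the rename is intentional, update the ca.py site in the same patch or say in the commit message which later patch completes it.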
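Review bot: the ipaserver/install/ipa_cacert_manage.py hunk removes the `installutils.load_external_cert(options.external_cert_files, x509.subject_base())` call from `renew_external_step_2`, but the replacement call that supplies the new `ca_subject` argument lies outside the visible context. Confirm that `cert_file` and `ca_file` are still assigned before they are used later in that function, and that the DN passed in is taken from the existing CA certificate (`old_cert_obj` is loaded right below) rather than recomputed from `subject_base`, since after this series the two may legitimately differ.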
[Freeipa-devel] [freeipa PR#285][opened] Check the result of cert request in replica installer
URL: https://github.com/freeipa/freeipa/pull/285 Author: flo-renaud Title: #285: Check the result of cert request in replica installer Action: opened PR body: """ When running ipa-replica-install in domain-level 1, the installer requests the LDAP and HTTP certificates using certmonger but does not check the return code. The installer goes on and fails when restarting dirsrv. Fix: when certmonger was not able to request the certificate, raise an exception and exit from the installer: [28/45]: retrieving DS Certificate [error] RuntimeError: Certificate issuance failed Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR Certificate issuance failed ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information https://fedorahosted.org/freeipa/ticket/6514 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/285/head:pr285 git checkout pr285 From 0f7826cbf3ecd4b42a17ba9e0f83be9a9509b398 Mon Sep 17 00:00:00 2001 
From: Florence Blanc-Renaud Date: Tue, 29 Nov 2016 21:15:29 +0100 Subject: [PATCH] Check the result of cert request in replica installer When running ipa-replica-install in domain-level 1, the installer requests the LDAP and HTTP certificates using certmonger but does not check the return code. The installer goes on and fails when restarting dirsrv. Fix: when certmonger was not able to request the certificate, raise an exception and exit from the installer: [28/45]: retrieving DS Certificate [error] RuntimeError: Certificate issuance failed Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERRORCertificate issuance failed ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERRORThe ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information https://fedorahosted.org/freeipa/ticket/6514 --- ipaserver/install/certs.py | 12 +--- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py index ab2379b..45602ba 100644 --- a/ipaserver/install/certs.py +++ b/ipaserver/install/certs.py 
@@ -647,13 +647,11 @@ def export_pem_cert(self, nickname, location): def request_service_cert(self, nickname, principal, host, pwdconf=False): if pwdconf: self.create_password_conf() -reqid = certmonger.request_cert(nssdb=self.secdir, -nickname=nickname, -principal=principal, -subject=host, -passwd_fname=self.passwd_fname) -# Now wait for the cert to appear. Check three times then abort -certmonger.wait_for_request(reqid, timeout=60) +certmonger.request_and_wait_for_cert(nssdb=self.secdir, + nickname=nickname, + principal=principal, + subject=host, + passwd_fname=self.passwd_fname) class _CrossProcessLock(object): -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
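Review bot: the ipaserver/install/certs.py hunk replaces `certmonger.request_cert` plus `certmonger.wait_for_request(reqid, timeout=60)` with a single `certmonger.request_and_wait_for_cert(...)` call, but no timeout is passed to the new helper. Check that its default wait matches the previous 60 seconds (or pass `timeout=60` explicitly) so that the change only adds the missing result check and does not silently alter how long the installer waits. The removed comment (`Check three times then abort`) described retry behaviour that is no longer visible here; if the new helper retries, say so at the call site.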
[Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements
URL: https://github.com/freeipa/freeipa/pull/255
Title: #255: Adjustments for setup requirements

tiran commented:
"""
@martbab Welcome to the party! This discussion has been running for a very long time and in multiple places. Let me bring you up to speed.

First of all, the requirements in `ipasetup.py` are completely unrelated to distribution packaging (RPM, DEB, whatever). PyPI packaging follows slightly different rules. For example you don't get carefully curated packages, downstream patches for build issues or a known working set of packages. It's a bit more wild west and fast moving. I was against bumping the version in the spec file because the bump is not required for my work. The others insisted on it.

Next up, version information like "cryptography >= 0.9" means that any version equal to or greater than 0.9 is known to work. If you follow upstream development of OpenSSL and Cryptography closely then you are aware that any version of cryptography < 1.3 no longer compiles against a recent version of OpenSSL 1.0.2. CFFI bindings are very sensitive to subtle changes in the ABI and C API. OpenSSL tends to break both every now and then.

Finally, this discussion is pointless. I will bump the version requirements of cryptography to 1.7.0 in a matter of weeks. A BZ for RHEL has been filed. The version 1.7.0 hasn't been released yet. It will contain two important fixes (lock and osrandom) and a new feature for @frasertweedale (multi RDN).

```
$ python3 -m venv /tmp/cryptovenv
$ . /tmp/cryptovenv/bin/activate
(cryptovenv) $ pip install 'cryptography==0.9'
Collecting cryptography==0.9
  Downloading cryptography-0.9.tar.gz (302kB)
    100% || 303kB 122kB/s
Collecting idna (from cryptography==0.9)
  Using cached idna-2.1-py2.py3-none-any.whl
Collecting pyasn1 (from cryptography==0.9)
  Using cached pyasn1-0.1.9-py2.py3-none-any.whl
Collecting six>=1.4.1 (from cryptography==0.9)
  Using cached six-1.10.0-py2.py3-none-any.whl
Requirement already satisfied (use --upgrade to upgrade): setuptools in ./cryptovenv/lib/python3.5/site-packages (from cryptography==0.9)
Collecting cffi>=0.8 (from cryptography==0.9)
  Using cached cffi-1.9.1.tar.gz
Collecting pycparser (from cffi>=0.8->cryptography==0.9)
Installing collected packages: idna, pyasn1, six, pycparser, cffi, cryptography
  Running setup.py install for cffi ... done
  Running setup.py install for cryptography ... error
    Complete output from command /tmp/cryptovenv/bin/python3 -u -c "import setuptools, tokenize;__file__='/tmp/pip-build-_2z81799/cryptography/setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --record /tmp/pip-83qpivr4-record/install-record.txt --single-version-externally-managed --compile --install-headers /tmp/cryptovenv/include/site/python3.5/cryptography:
    running install
    running build
    running build_py
    creating build
    creating build/lib.linux-x86_64-3.5
    creating build/lib.linux-x86_64-3.5/cryptography
    ...
    running build_ext
    building '_Cryptography_cffi_1251de2xc302a38b' extension
    creating build/temp.linux-x86_64-3.5
    creating build/temp.linux-x86_64-3.5/src
    creating build/temp.linux-x86_64-3.5/src/cryptography
    creating build/temp.linux-x86_64-3.5/src/cryptography/hazmat
    creating build/temp.linux-x86_64-3.5/src/cryptography/hazmat/bindings
    creating build/temp.linux-x86_64-3.5/src/cryptography/hazmat/bindings/__pycache__
    gcc -pthread -Wno-unused-result -Wsign-compare -DDYNAMIC_ANNOTATIONS_ENABLED=1 -DNDEBUG -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -D_GNU_SOURCE -fPIC -fwrapv -fPIC -I/tmp/cryptovenv/include -I/usr/include/python3.5m -c src/cryptography/hazmat/bindings/__pycache__/_Cryptography_cffi_1251de2xc302a38b.c -o build/temp.linux-x86_64-3.5/src/cryptography/hazmat/bindings/__pycache__/_Cryptography_cffi_1251de2xc302a38b.o
    src/cryptography/hazmat/bindings/__pycache__/_Cryptography_cffi_1251de2xc302a38b.c:505:6: error: conflicting types for ‘BIO_new_mem_buf’
     BIO *BIO_new_mem_buf(void *, int);
          ^~~
    In file included from /usr/include/openssl/asn1.h:65:0,
                     from src/cryptography/hazmat/bindings/__pycache__/_Cryptography_cffi_1251de2xc302a38b.c:220:
    /usr/include/openssl/bio.h:692:6: note: previous declaration of ‘BIO_new_mem_buf’ was here
     BIO *BIO_new_mem_buf(const void *buf, int len);
          ^~~
    src/cryptography/hazmat/bindings/__pycache__/_Cryptography_cffi_1251de2xc302a38b.c:2019:15: error: ‘SSLv2_method’ redeclared as different kind of symbol
     SSL_METHOD* (*SSLv2_method)(void) = NULL;
                   ^~~~
    In file included from src/cryptography/hazmat/bindings/__
```
[Freeipa-devel] [freeipa PR#275][+ack] Enhance __repr__ method of Principal
URL: https://github.com/freeipa/freeipa/pull/275
Title: #275: Enhance __repr__ method of Principal

Label: +ack
[Freeipa-devel] [freeipa PR#281][+ack] Accept server host names resolvable only using /etc/hosts
URL: https://github.com/freeipa/freeipa/pull/281
Title: #281: Accept server host names resolvable only using /etc/hosts

Label: +ack
[Freeipa-devel] [freeipa PR#267][comment] ipa-replica-conncheck: do not close listening ports until required
URL: https://github.com/freeipa/freeipa/pull/267
Title: #267: ipa-replica-conncheck: do not close listening ports until required

tomaskrizek commented:
"""
I've created a separate [ticket](https://fedorahosted.org/freeipa/ticket/6522) and PR #284 for the change discussed offline, since it seemed out of the scope for this ticket.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/267#issuecomment-263639123
[Freeipa-devel] [freeipa PR#281][closed] Accept server host names resolvable only using /etc/hosts
URL: https://github.com/freeipa/freeipa/pull/281
Author: pspacek
Title: #281: Accept server host names resolvable only using /etc/hosts
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/281/head:pr281
git checkout pr281
[Freeipa-devel] [freeipa PR#281][+pushed] Accept server host names resolvable only using /etc/hosts
URL: https://github.com/freeipa/freeipa/pull/281
Title: #281: Accept server host names resolvable only using /etc/hosts

Label: +pushed
[Freeipa-devel] [freeipa PR#281][comment] Accept server host names resolvable only using /etc/hosts
URL: https://github.com/freeipa/freeipa/pull/281
Title: #281: Accept server host names resolvable only using /etc/hosts

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/0e093f938d8126f11fed920b7381ba6e3d07da5b
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/47ee2870d83eeb9b07137c765d3feb41da8b02c7
"""

See the full comment at https://github.com/freeipa/freeipa/pull/281#issuecomment-263640668
[Freeipa-devel] [freeipa PR#281][comment] Accept server host names resolvable only using /etc/hosts
URL: https://github.com/freeipa/freeipa/pull/281
Title: #281: Accept server host names resolvable only using /etc/hosts

martbab commented:
"""
OK, I am fine with this.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/281#issuecomment-263640183
[Freeipa-devel] [freeipa PR#225][+pushed] tests: Added basic tests for certs in idoverrides
URL: https://github.com/freeipa/freeipa/pull/225
Title: #225: tests: Added basic tests for certs in idoverrides

Label: +pushed
[Freeipa-devel] [freeipa PR#225][comment] tests: Added basic tests for certs in idoverrides
URL: https://github.com/freeipa/freeipa/pull/225
Title: #225: tests: Added basic tests for certs in idoverrides

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/ccd3677b50eab2223ddf1e1b6682c20fc695ad24
https://fedorahosted.org/freeipa/changeset/452dc97aba12288a23c20f519f4c1c0d4408b765
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/62061a3a0444c65dc058ee1b9d0ef0096b621be3
https://fedorahosted.org/freeipa/changeset/b5ab5c1cef09555417e912fa767d78e4afa10872
"""

See the full comment at https://github.com/freeipa/freeipa/pull/225#issuecomment-263639311
[Freeipa-devel] [freeipa PR#225][closed] tests: Added basic tests for certs in idoverrides
URL: https://github.com/freeipa/freeipa/pull/225
Author: ofayans
Title: #225: tests: Added basic tests for certs in idoverrides
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/225/head:pr225
git checkout pr225
[Freeipa-devel] [freeipa PR#225][+ack] tests: Added basic tests for certs in idoverrides
URL: https://github.com/freeipa/freeipa/pull/225
Title: #225: tests: Added basic tests for certs in idoverrides

Label: +ack
[Freeipa-devel] [freeipa PR#225][comment] tests: Added basic tests for certs in idoverrides
URL: https://github.com/freeipa/freeipa/pull/225
Title: #225: tests: Added basic tests for certs in idoverrides

apophys commented:
"""
Thank you for addressing the issues. The implementation is somewhat minimal; however, in the future it can be extended as needed.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/225#issuecomment-263638790
[Freeipa-devel] [freeipa PR#284][opened] ipautil: check for open ports on all resolved IPs
URL: https://github.com/freeipa/freeipa/pull/284 Author: tomaskrizek Title: #284: ipautil: check for open ports on all resolved IPs Action: opened PR body: """ When a hostname is provided to host_port_open, it should check if ports are open for ALL IPs that are resolved from the hostname, instead of checking whether the port is reachable on at least one of the IPs. https://fedorahosted.org/freeipa/ticket/6522 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/284/head:pr284 git checkout pr284 From 15f9f9168630f44003e9975253b69ea921b1446e Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Tue, 29 Nov 2016 18:19:07 +0100 Subject: [PATCH] ipautil: check for open ports on all resolved IPs When a hostname is provided to host_port_open, it should check if ports are open for ALL IPs that are resolved from the hostname, instead of checking whether the port is reachable on at least one of the IPs. https://fedorahosted.org/freeipa/ticket/6522 --- install/tools/ipa-replica-conncheck | 5 +++-- ipapython/ipautil.py| 39 +++-- 2 files changed, 36 insertions(+), 8 deletions(-) diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck index 544116e..9a30385 100755 --- a/install/tools/ipa-replica-conncheck +++ b/install/tools/ipa-replica-conncheck @@ -315,8 +315,9 @@ def port_check(host, port_list): ports_udp_warning = [] # conncheck could not verify that port is open for port in port_list: try: -port_open = ipautil.host_port_open(host, port.port, -port.port_type, socket_timeout=CONNECT_TIMEOUT) +port_open = ipautil.host_port_open( +host, port.port, port.port_type, +socket_timeout=CONNECT_TIMEOUT, log_errors=True) except socket.gaierror: raise RuntimeError("Port check failed! Unable to resolve host name '%s'" % host) if port_open: diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py index 1c95a81..167479d 100644 --- a/ipapython/ipautil.py +++ b/ipapython/ipautil.py 
@@ -55,6 +55,12 @@ GEN_TMP_PWD_LEN = 12 # only for OTP password that is manually retyped by user +PROTOCOL_NAMES = { +socket.SOCK_STREAM: 'tcp', +socket.SOCK_DGRAM: 'udp' +} + + class UnsafeIPAddress(netaddr.IPAddress): """Any valid IP address with or without netmask.""" @@ -866,7 +872,17 @@ def user_input(prompt, default = None, allow_empty = True): return ret -def host_port_open(host, port, socket_type=socket.SOCK_STREAM, socket_timeout=None): +def host_port_open(host, port, socket_type=socket.SOCK_STREAM, + socket_timeout=None, log_errors=False): +""" +host: either hostname or IP address; + if hostname is provided, port MUST be open on ALL resolved IPs + +returns True is port is open, False otherwise +""" +port_open = True + +# port has to be open on ALL resolved IPs for res in socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket_type): af, socktype, proto, _canonname, sa = res try: @@ -874,7 +890,7 @@ def host_port_open(host, port, socket_type=socket.SOCK_STREAM, socket_timeout=No s = socket.socket(af, socktype, proto) except socket.error: s = None -continue +raise if socket_timeout is not None: s.settimeout(socket_timeout) 
@@ -884,15 +900,26 @@ def host_port_open(host, port, socket_type=socket.SOCK_STREAM, socket_timeout=No if socket_type == socket.SOCK_DGRAM: s.send('') s.recv(512) - -return True except socket.error: -pass +port_open = False + +if log_errors: +msg = ('Failed to connect to port %(port)d %(proto)s on ' + '%(addr)s' % dict(port=port, + proto=PROTOCOL_NAMES[socket_type], + addr=sa[0])) + +# Do not log udp failures as errors (to be consistent with +# the rest of the code that checks for open ports) +if socket_type == socket.SOCK_DGRAM: +root_logger.debug(msg) +else: +root_logger.error(msg) finally: if s: s.close() -return False +return port_open def bind_port_responder(port, socket_type=socket.SOCK_STREAM, socket_timeout=None, responder_data=None): host = None # all available interfaces -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
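Review bot: in the second ipapython/ipautil.py hunk the docstring reads `returns True is port is open`; it should read `returns True if port is open`. More importantly, the `except socket.error:` branch around `socket.socket(af, socktype, proto)` now does `raise` instead of `continue`, so an address family for which the local host cannot create a socket (for example an IPv6 address returned by `getaddrinfo` on a host without IPv6 support) aborts the whole check with `socket.error`, and the caller in the ipa-replica-conncheck hunk only guards the call with `except socket.gaierror`. Either keep skipping unsupported families as before, or catch `socket.error` at the call site and report the port as unverifiable instead of crashing the tool.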
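Review bot: in the third ipapython/ipautil.py hunk, setting `port_open = False` without leaving the loop is right, because it lets every unreachable address produce its own log line; two details around it need attention though. `PROTOCOL_NAMES[socket_type]` raises `KeyError` for any `socket_type` other than `SOCK_STREAM` or `SOCK_DGRAM`, turning a logging statement into a crash, so prefer `PROTOCOL_NAMES.get(socket_type, str(socket_type))`; and the UDP probe in the surrounding context still does `s.send('')`, which passes `str` rather than `bytes` and fails under Python 3, so `b''` is the portable form.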
[Freeipa-devel] [freeipa PR#275][comment] Enhance __repr__ method of Principal
URL: https://github.com/freeipa/freeipa/pull/275
Title: #275: Enhance __repr__ method of Principal

martbab commented:
"""
That sounds like a good idea. Added such an assert to the unit tests.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/275#issuecomment-263638134
[Freeipa-devel] [freeipa PR#275][synchronized] Enhance __repr__ method of Principal
URL: https://github.com/freeipa/freeipa/pull/275 Author: martbab Title: #275: Enhance __repr__ method of Principal Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/275/head:pr275 git checkout pr275 From 53a2e9d5b64c15dfd4b65069316a957c977aafb0 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Mon, 28 Nov 2016 10:22:26 +0100 Subject: [PATCH] Enhance __repr__ method of Principal `__repr__` now returns more descriptive string containing the actual principal name while keeping the ability to reconstruct the object from it. This makes principal names visible in debug logs, easing troubleshooting a bit. https://fedorahosted.org/freeipa/ticket/6505 --- ipapython/kerberos.py| 4 ipatests/test_ipapython/test_kerberos.py | 2 ++ 2 files changed, 6 insertions(+) diff --git a/ipapython/kerberos.py b/ipapython/kerberos.py index a8ebc04..3d3530c 100644 --- a/ipapython/kerberos.py +++ b/ipapython/kerberos.py @@ -181,3 +181,7 @@ def __str__(self): principal_string = u'@'.join([principal_string, realm]) return principal_string + +def __repr__(self): +return "{0.__module__}.{0.__name__}('{1}')".format( +self.__class__, self) diff --git a/ipatests/test_ipapython/test_kerberos.py b/ipatests/test_ipapython/test_kerberos.py index 7e1eca4..284d8c2 100644 --- a/ipatests/test_ipapython/test_kerberos.py +++ b/ipatests/test_ipapython/test_kerberos.py @@ -82,6 +82,8 @@ def test_principals(valid_principal): assert getattr(princ, name) == value assert unicode(princ) == principal_name +assert repr(princ) == "ipapython.kerberos.Principal('{}')".format( +principal_name) def test_multiple_unescaped_ats_raise_error(): -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
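Review bot: the `__repr__` added in the ipapython/kerberos.py hunk embeds `self` into a quoted literal via `'{1}'`, so the result does not round-trip for every principal: a name containing a single quote or a backslash is inserted unescaped, and under Python 2 a non-ASCII principal (the `__str__` above builds a unicode string with `u'@'.join`) makes `str.format` raise `UnicodeEncodeError`. Use `{1!r}` on the string form (or `repr(unicode(self))`) and extend the assertion added in test_kerberos.py with a principal containing such characters, so that the commit message's claim that the object can be reconstructed from its repr is actually exercised.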
[Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements
URL: https://github.com/freeipa/freeipa/pull/255 Title: #255: Adjustments for setup requirements martbab commented: """ Well from our (as upstream) POV 0.9 and later is required for Custodia to work correctly. This requirement was introduced by me in commit aa749957360b85fecaed2f9f8dc286f560b89e0b when I was building 4.3 in Copr for CentOS 7. There was ye olde 0.8 something version and I found empirically that 0.9 or later is required for replica promotion to work (at that time 1.2.1 was the most up-to-date version built in Brew IIRC). Yes, this version is ancient and the vast majority of distros do not support it anymore, but then it is their job to provide a newer version fulfilling our Requires and I see no point in artificially bumping it in upstream unless some of our code depends on functionality of a newer version. I mentioned the CentOS story as an example that demonstrates that you never know to what distro your software is being ported. That said, if you are afraid that it can break the PIP use-case then I am fine with bumping the version but as @mbasti-rh said, please split version bumps into a separate commit with a clean explanation of the reasons (already provided in the commit message). This makes it easier for our future selves to review the build/runtime requirements during spec file cleanups and similar work. I remember that @jcholast was very frustrated when he was cleaning up BuildRequires recently and was unable to find any reasonable explanation for many of them in git history. """ See the full comment at https://github.com/freeipa/freeipa/pull/255#issuecomment-263636692 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] NTP in FreeIPA
On Tue, 29 Nov 2016, Petr Spacek wrote: On 29.11.2016 16:02, Rob Crittenden wrote: Petr Spacek wrote: On 29.11.2016 09:11, Jan Cholasta wrote: On 28.11.2016 20:57, Rob Crittenden wrote: David Kupka wrote: On 22/11/16 23:15, Gabe Alford wrote: I would say that it is worth keeping in FreeIPA. I know myself and some customers use its functionality by having the clients sync to the IPA servers and have the servers sync to the NTP source. This way if the NTP source ever gets disrupted for long periods of time (which has happened in my environment) the client time drifts with the authentication source. This is the way that AD often works and is configured. Hello Gabe, I agree that it's common practice to synchronize all nodes in the network with a single source in order to have the same time and save bandwidth. Also I understand that it's comfortable to let the FreeIPA installer take care of it. But I don't think FreeIPA should do it; IMO this is a job for Ansible or a similar tool. Also the problem is that in some situations the FreeIPA installer makes it worse. Example: 1. Install FreeIPA server (ipa1.example.org) 2. Install FreeIPA client on all nodes in the network 3. Install a replica (ipa2.example.org) of the FreeIPA server to increase redundancy Now all the clients have ipa1.example.org as the only server in /etc/ntp.conf. If the first FreeIPA server becomes unreachable all clients will be able to contact the KDC on the other server thanks to DNS autodiscovery in libkrb5 but will be unable to synchronize time. Remember that the goal of IPA was to herd together a bunch of software to make hard things easier. This included dealing with the 5-minute Kerberos window so ntp was configured on the client and server (which is less of an issue now). When making changes you have to ask yourself who are you making this easier for: you or the user. Yes, getting NTP right is hard, but does it meet the 80/20 rule in terms of success? I'd think so. 
If someone wants to configure it using Ansible they can use the --no-ntp. If they want to use different time servers they can pass in --ntp-server. But by default IMHO it should do something sane to give a good experience. I think to do something sane is exactly the point of this, and the sanest thing we can do is to not touch NTP configuration at all: * if the NTP configuration obtained via DHCP works, we can't make it any better by touching it, only worse, * if the default NTP configuration shipped with the distribution works, we again can't make it any better by touching it, * if we are running inside a container, time is synchronized by other means and we should not touch NTP configuration at all, * if neither the default NTP configuration nor the NTP configuration obtained via DHCP works and we are not running inside a container, we may attempt to fix the configuration, but it will not be permanent and will work only for this specific host. I think the first 3 points cover 99% of real-life deployments, and yet we are optimized towards the remaining 1%, with the potential of breaking the configuration for the 99%. This is far from sane IMHO. +1 for Honza's point. Current NTP code works only for initial setup and silently breaks synchronization later on. Most importantly it breaks synchronization as soon as the admin removes old replicas and replaces them with new ones - there is no mechanism to update the records in the client configuration (and SRV discovery is not supported by clients). I.e. when an admin decommissions replicas which were around at the time of client installation, the NTP on the client will silently break. This would not happen if you did not touch it. (This also implicitly means that IPA-configured NTP is broken on all clients in topologies which were completely migrated from RHEL 6 to RHEL 7.) Either DHCP or the default distro config would solve the problem better. 
That's fair but where is the huge pile of bugs, tickets and user e-mails complaining about time? Or has nobody noticed yet? Hard to say. There might be multiple reasons for this. E.g. - Starting with Fedora 16, there is Chronyd installed by default. The IPA client installer does not configure Chronyd by default so there is nothing to break. - DHCP integration still modifies the IPA-generated ntp.conf. - Users who care might use a configuration management tool. Still, bug reports and users' complaints are the only external measure we have. There is close to nothing in complaints about NTP functionality, other than requests to support chronyd and better discovery of existing NTP setups. I don't think that requires dramatic action like removal of NTP support at all. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
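The silent-breakage scenario Petr describes in the quoted text above (old masters decommissioned, clients still pointing at them in ntp.conf) can be checked for mechanically. The following is an added example and not FreeIPA code; the two config snippets, the set of current masters and the domain name are constructed for the example, and in a real run the master list would come from `ipa server-find`.

```python
# Added example, not FreeIPA code. Checks an ntpd/chrony configuration for
# the failure mode discussed in the thread: "server" lines that still name
# IPA masters which have since been decommissioned, leaving the client with
# no working time source. All inputs below are constructed.
import re

# Constructed: what an ipa-client-install of years past wrote.
SAMPLE_NTP_CONF = """\
# generated by ipa-client-install
driftfile /var/lib/ntp/drift
server ipa1.example.org iburst   # original master, since removed
server ipa2.example.org iburst
restrict default nomodify notrap nopeer noquery
"""

# Constructed: chrony syntax for the same situation, plus a public pool.
SAMPLE_CHRONY_CONF = """\
pool 2.fedora.pool.ntp.org iburst
server ipa1.example.org iburst
server ipa3.example.org
"""

# Constructed: the masters that exist in the topology today.
CURRENT_MASTERS = {"ipa2.example.org", "ipa3.example.org"}

# ntpd and chrony share the directives that name a time source.
_TIME_SOURCE = re.compile(r"^\s*(server|peer|pool)\s+(\S+)", re.IGNORECASE)


def time_sources(conf_text):
    """Ordered list of (directive, host) pairs named in the config.
    Trailing '#' comments are dropped and hosts are normalised to lower
    case without a trailing dot."""
    sources = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]
        m = _TIME_SOURCE.match(line)
        if m:
            sources.append((m.group(1).lower(),
                            m.group(2).rstrip(".").lower()))
    return sources


def stale_sources(conf_text, current_masters, ipa_domain):
    """Configured sources inside the IPA domain that are not current masters.
    Sources outside the domain (a public pool, a DHCP-provided server) are
    never reported: this check knows nothing about them."""
    masters = {m.rstrip(".").lower() for m in current_masters}
    suffix = "." + ipa_domain.strip(".").lower()
    return [host for _, host in time_sources(conf_text)
            if host.endswith(suffix) and host not in masters]


def has_live_source(conf_text, current_masters, ipa_domain):
    """False when every configured source is a decommissioned master, i.e.
    time synchronisation on this client is silently dead."""
    stale = set(stale_sources(conf_text, current_masters, ipa_domain))
    return any(host not in stale for _, host in time_sources(conf_text))


if __name__ == "__main__":
    for name, conf in (("ntp.conf", SAMPLE_NTP_CONF),
                       ("chrony.conf", SAMPLE_CHRONY_CONF)):
        print(name,
              "stale:", stale_sources(conf, CURRENT_MASTERS, "example.org"),
              "live:", has_live_source(conf, CURRENT_MASTERS, "example.org"))
```

Run against the real `/etc/ntp.conf` or `/etc/chrony.conf` and a master list from `ipa server-find`, a non-empty `stale_sources()` result is exactly the silently broken client Petr describes; `has_live_source()` returning False is the case where nothing is left to sync from at all.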
[Freeipa-devel] [freeipa PR#275][comment] Enhance __repr__ method of Principal
URL: https://github.com/freeipa/freeipa/pull/275 Title: #275: Enhance __repr__ method of Principal tiran commented: """ Can you please add a test to```ipatests/test_ipapython/test_kerberos.py``` ```test_principals```? Something along the line ```assert repr(princ) == "ipapython.kerberos.Principal('{}')".format(principal_name)``` should do the trick (untested). """ See the full comment at https://github.com/freeipa/freeipa/pull/275#issuecomment-263633526 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#275][comment] Enhance __repr__ method of Principal
URL: https://github.com/freeipa/freeipa/pull/275 Title: #275: Enhance __repr__ method of Principal martbab commented: """ Sorry I somehow botched that, but it worked nevertheless. I have re-worked the PR according to your comments. ``` In [1]: import ipapython.kerberos In [2]: p = ipapython.kerberos.Principal(u"HTTP/replica1.ipa.test") In [3]: p Out[3]: ipapython.kerberos.Principal('HTTP/replica1.ipa.test') In [5]: r = eval(repr(p)) In [6]: r Out[6]: ipapython.kerberos.Principal('HTTP/replica1.ipa.test') In [7]: r == p Out[7]: True ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/275#issuecomment-263630652 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
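An added illustration of the round-trip property this PR's test is meant to pin down, using a hypothetical stand-in class rather than FreeIPA's own `ipapython.kerberos.Principal`: it contrasts a `__repr__` that interpolates `str()` inside hand-written quotes with one that uses `!r`, and checks both with `eval(repr(...))`. The class, helper names and principal names are constructed for the example.

```python
# Added example, not FreeIPA code. A hypothetical stand-in for a principal
# class, used to show what eval(repr(obj)) == obj requires of __repr__:
# the argument must be emitted with repr() of the string ({1!r}), not
# str() wrapped in hand-written quotes ('{1}').


class Principal(object):
    """Hypothetical: holds a Kerberos principal name as one string."""

    def __init__(self, name):
        self.name = name

    def __eq__(self, other):
        return isinstance(other, Principal) and self.name == other.name

    def __ne__(self, other):
        return not self.__eq__(other)

    def __hash__(self):
        return hash(self.name)

    def __str__(self):
        return self.name

    def __repr__(self):
        # repr() escapes quotes and backslashes, so the output is valid
        # Python source for every name, not only the well-behaved ones.
        return "{0}({1!r})".format(self.__class__.__name__, self.name)


def naive_repr(principal):
    """The fragile shape: str() interpolated between hard-coded quotes."""
    return "{0}('{1}')".format(principal.__class__.__name__, principal)


def round_trips(principal, repr_func):
    """True if evaluating repr_func(principal) rebuilds an equal object.
    eval() here only sees strings this process just produced; it is the
    test of the property, never something to point at untrusted input."""
    source = repr_func(principal)
    try:
        rebuilt = eval(source, {"__builtins__": {}, "Principal": Principal})
    except SyntaxError:
        return False
    return rebuilt == principal


# Constructed names: one ordinary, one containing a single quote.
ORDINARY = Principal("HTTP/replica1.ipa.test@IPA.TEST")
QUOTED = Principal("host/o'brien.ipa.test@IPA.TEST")


if __name__ == "__main__":
    for p in (ORDINARY, QUOTED):
        print(naive_repr(p), "->", round_trips(p, naive_repr))
        print(repr(p), "->", round_trips(p, repr))
```

For the ordinary name both forms round-trip, which is why a test with only such names passes; for the quoted name `naive_repr` produces `Principal('host/o'brien.ipa.test@IPA.TEST')`, which is a syntax error, while the `!r` form switches to double quotes and evaluates back to an equal object.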
[Freeipa-devel] [freeipa PR#281][comment] Accept server host names resolvable only using /etc/hosts
URL: https://github.com/freeipa/freeipa/pull/281 Title: #281: Accept server host names resolvable only using /etc/hosts pspacek commented: """ `--no-host-dns` disables all checks (theoretically) so it should be used only in special cases. Given it acts as a kind of force switch, we should not advertise it. In either case the user will have to provide the `--ip-address` option. Also, the user is asked for the IP address in interactive mode so IMHO we are sufficiently covered. """ See the full comment at https://github.com/freeipa/freeipa/pull/281#issuecomment-263609320 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] NTP in FreeIPA
On 29.11.2016 16:02, Rob Crittenden wrote: > Petr Spacek wrote: >> On 29.11.2016 09:11, Jan Cholasta wrote: >>> On 28.11.2016 20:57, Rob Crittenden wrote: David Kupka wrote: > On 22/11/16 23:15, Gabe Alford wrote: >> I would say that it is worth keeping in FreeIPA. I know myself and some >> customers use its functionality by having the clients sync to the IPA >> servers and have the servers sync to the NTP source. This way if the NTP >> source ever gets disrupted for long periods of time (which has >> happened in >> my environment) the client time drifts with the authentication source. >> This >> is the way that AD often works and is configured. > > Hello Gabe, > I agree that it's common practice to synchronize all nodes in the network > with a single source in order to have the same time and save bandwidth. > Also I understand that it's comfortable to let the FreeIPA installer take > care of it. > But I don't think FreeIPA should do it; IMO this is a job for Ansible or > a similar tool. Also the problem is that in some situations the FreeIPA > installer makes it worse. > > Example: > > 1. Install FreeIPA server (ipa1.example.org) > 2. Install FreeIPA client on all nodes in the network > 3. Install a replica (ipa2.example.org) of the FreeIPA server to increase > redundancy > > Now all the clients have ipa1.example.org as the only server in > /etc/ntp.conf. If the first FreeIPA server becomes unreachable all > clients will be able to contact the KDC on the other server thanks to DNS > autodiscovery in libkrb5 but will be unable to synchronize time. Remember that the goal of IPA was to herd together a bunch of software to make hard things easier. This included dealing with the 5-minute Kerberos window so ntp was configured on the client and server (which is less of an issue now). When making changes you have to ask yourself who are you making this easier for: you or the user. Yes, getting NTP right is hard, but does it meet the 80/20 rule in terms of success? I'd think so. 
If someone wants to configure it using Ansible they can use the --no-ntp. If they want to use different time servers they can pass in --ntp-server. But by default IMHO it should do something sane to give a good experience. >>> >>> I think to do something sane is exactly the point of this, and the sanest >>> thing we can do is to not touch NTP configuration at all: >>> >>> * if the NTP configuration obtained via DHCP works, we can't make it any >>> better by touching it, only worse, >>> * if the default NTP configuration shipped with the distribution works, we >>> again can't make it any better by touching it, >>> * if we are running inside a container, time is synchronized by other means >>> and we should not touch NTP configuration at all, >>> * if neither the default NTP configuration nor the NTP configuration >>> obtained via DHCP works and we are not running inside a container, we may >>> attempt to fix the configuration, but it will not be permanent and will work >>> only for this specific host. >>> >>> I think the first 3 points cover 99% of real-life deployments, and yet we >>> are >>> optimized towards the remaining 1%, with the potential of breaking the >>> configuration for the 99%. This is far from sane IMHO. >> >> +1 for Honza's point. >> >> Current NTP code works only for initial setup and silently breaks >> synchronization later on. Most importantly it breaks synchronization as soon >> as the admin removes old replicas and replaces them with new ones - there is no >> mechanism to update the records in the client configuration (and SRV >> discovery >> is not supported by clients). >> >> I.e. when an admin decommissions replicas which were around at the time of client >> installation, the NTP on the client will silently break. This would not happen if >> you did not touch it. >> >> (This also implicitly means that IPA-configured NTP is broken on all clients >> in topologies which were completely migrated from RHEL 6 to RHEL 7.) 
>> >> Either DHCP or default distro config would solve the problem better. > > That's fair but where are the huge pile of bugs, tickets and user > e-mails complaining about time? Or has nobody noticed yet? Hard to say. There might be multiple reasons for this. E.g. - Starting with Fedora 16, there is Chronyd installed by default. IPA client installer does not configure Chronyd by default so there is nothing to break. - DHCP integration still modifies IPA-generated ntp.conf. - Users who care might use configuration management tool. > I'm just wondering whether dropping it altogether is the right choice or > if enhancing the time clients to say, support SRV records is a > preferable option. > > There is a real advantage in having the IPA clients using the same time > source as the IPA masters (in this case the masters themselves)
[Freeipa-devel] [freeipa PR#281][comment] Accept server host names resolvable only using /etc/hosts
URL: https://github.com/freeipa/freeipa/pull/281 Title: #281: Accept server host names resolvable only using /etc/hosts martbab commented: """ Thinking of this some more, shouldn't the `--no-host-dns` option be used and advertised if you want to set an unresolvable hostname during install? """ See the full comment at https://github.com/freeipa/freeipa/pull/281#issuecomment-263596975 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#255][synchronized] Adjustments for setup requirements
URL: https://github.com/freeipa/freeipa/pull/255 Author: tiran Title: #255: Adjustments for setup requirements Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/255/head:pr255 git checkout pr255 From d2936b349315972a1ccea5f241e58bd6554c5b44 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Thu, 17 Nov 2016 16:43:17 +0100 Subject: [PATCH] Adjustments for setup requirements * Fix some typos, missing or surplus dependencies. * Remove setup requirement on wheel since it triggers download. * Bump version of cryptography to 1.3. 0.9 no longer compiles with recent versions of OpenSSL. 1.3 is the older version that is well tested. * Bump version of gssapi to 1.2. The PyPI package for 1.1.2 has a packaging bug. It falsely requires enum34 on Python >= 3.4 ipatests is now installable. Tests need further changes to be runable. https://fedorahosted.org/freeipa/ticket/6468 Signed-off-by: Christian Heimes --- freeipa.spec.in | 8 ipaclient/setup.py | 7 +++ ipalib/setup.py | 1 + ipaplatform/setup.py | 3 --- ipapython/setup.py | 4 +--- ipaserver/setup.py | 2 +- ipasetup.py.in | 8 ipatests/setup.py| 18 +- 8 files changed, 23 insertions(+), 28 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 6847bed..fac825b 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -114,7 +114,7 @@ BuildRequires: python-cffi BuildRequires: samba-python BuildRequires: python-setuptools # 0.6: serialization.load_pem_private_key, load_pem_public_key -BuildRequires: python-cryptography >= 0.6 +BuildRequires: python-cryptography >= 1.3 BuildRequires: python-gssapi BuildRequires: pylint >= 1.0 # workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506 
@@ -187,7 +187,7 @@ Requires: mod_wsgi Requires: mod_auth_gssapi >= 1.4.0 Requires: mod_nss >= 1.0.8-26 Requires: python-ldap >= 2.4.15 -Requires: python-gssapi >= 1.1.2 +Requires: python-gssapi >= 1.2 Requires: acl Requires: memcached Requires: python-memcached @@ -510,7 +510,7 @@ Requires: gnupg Requires: keyutils Requires: pyOpenSSL Requires: python-nss >= 0.16 -Requires: python-cryptography >= 0.9 +Requires: python-cryptography >= 1.3 Requires: python-netaddr Requires: python-libipa_hbac Requires: python-qrcode-core >= 5.0.0 @@ -554,7 +554,7 @@ Provides: python3-ipapython = %{version}-%{release} Provides: python3-ipaplatform = %{version}-%{release} %{?python_provide:%python_provide python3-ipaplatform} Requires: %{name}-common = %{version}-%{release} -Requires: python3-gssapi >= 1.1.2 +Requires: python3-gssapi >= 1.2 Requires: gnupg Requires: keyutils Requires: python3-pyOpenSSL diff --git a/ipaclient/setup.py b/ipaclient/setup.py index fb6ed0d..0183aaf 100644 --- a/ipaclient/setup.py +++ b/ipaclient/setup.py @@ -48,13 +48,12 @@ "ipalib", "ipapython", "python-nss", +"python-yubico", +"pyusb", "qrcode", "six", ], -setup_requires=[ -"wheel", -], -extra_requires={ +extras_require={ "ipaclient.install": ["ipaplatform"], "otptoken_yubikey": ["yubico", "usb"] } diff --git a/ipalib/setup.py b/ipalib/setup.py index 85932fc..4be3eb1 100644 --- a/ipalib/setup.py +++ b/ipalib/setup.py @@ -40,6 +40,7 @@ "ipapython", "netaddr", "pyasn1", +"pyasn1-modules", "python-nss", "six", ], diff --git a/ipaplatform/setup.py b/ipaplatform/setup.py index b28ac8c..9c47da7 100644 --- a/ipaplatform/setup.py +++ b/ipaplatform/setup.py @@ -47,7 +47,4 @@ "python-nss", "six", ], -setup_requires=[ -"wheel", -], ) diff --git a/ipapython/setup.py b/ipapython/setup.py index c413ffa..95eb285 100755 --- a/ipapython/setup.py +++ b/ipapython/setup.py 
@@ -51,10 +51,8 @@ "requests", "six", ], -setup_requires=[ -"wheel", -], extras_require={ ":python_version<'3'": ["enum34"], +"certmonger": ["dbus-python"], }, ) diff --git a/ipaserver/setup.py b/ipaserver/setup.py index 3635832..528b901 100755 --- a/ipaserver/setup.py +++ b/ipaserver/setup.py @@ -56,9 +56,9 @@ "ipapython", "lxml", "netaddr", -"memcache", "pyasn1", "pyldap", +"python-memcached", "python-nss", "six", # not available on PyPI diff --git a/ipasetup.py.in b/ipasetup.py.in index 1db4857..bde 100644 --- a/ipasetup.py.in +++ b/ipasetup.py.in @@ -52,9 +52,9 @@ class build_py(setuptools_build_py): PACKAGE_VERSION = { -'cryptography': 'cryptography >= 0.9', +'cryptography'
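Review bot: in the freeipa.spec.in BuildRequires hunk, the comment directly above the changed line, `# 0.6: serialization.load_pem_private_key, load_pem_public_key`, documents why 0.6 was once needed and is now stale next to `python-cryptography >= 1.3`. Replace it with the real reason for 1.3 given in the commit message (0.9 no longer compiles against recent OpenSSL; 1.3 is the oldest well-tested version) so the justification lives where the next spec cleanup will look for it, which is what the review discussion asked for.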
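Review bot: the ipaclient/setup.py hunk adds `python-yubico` and `pyusb` to `install_requires` while the corrected `extras_require` still lists the same dependency under `"otptoken_yubikey": ["yubico", "usb"]`; `yubico` and `usb` are import names, not distribution names, and with the hard dependency in place the extra is redundant. Pick one: keep YubiKey support optional under `otptoken_yubikey` with the distribution names `python-yubico` and `pyusb`, or drop the extra. Worth noting in the commit message that the `extra_requires` -> `extras_require` rename is the substantive fix here: setuptools silently ignores unknown keyword arguments, so none of these extras existed before.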
[Freeipa-devel] [freeipa PR#281][comment] Accept server host names resolvable only using /etc/hosts
URL: https://github.com/freeipa/freeipa/pull/281 Title: #281: Accept server host names resolvable only using /etc/hosts martbab commented: """ I see. I guess we can live with the fact that we may break such eccentric DNS topologies. I think we cannot really handle all the corner cases associated with guessing/setting hostname by ourselves anyway (yes I am not a big fan of FreeIPA stepping onto provisioning system's toes). """ See the full comment at https://github.com/freeipa/freeipa/pull/281#issuecomment-263595995 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#269][+pushed] Prevent denial of replication updates during CA replica install
URL: https://github.com/freeipa/freeipa/pull/269 Title: #269: Prevent denial of replication updates during CA replica install Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#269][comment] Prevent denial of replication updates during CA replica install
URL: https://github.com/freeipa/freeipa/pull/269 Title: #269: Prevent denial of replication updates during CA replica install mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/73d0d03891c8585a925f5b49739990c57f6e https://fedorahosted.org/freeipa/changeset/266b9d9c6c9b9dec10b8a70382445fa2f800dd69 """ See the full comment at https://github.com/freeipa/freeipa/pull/269#issuecomment-263595900 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#269][closed] Prevent denial of replication updates during CA replica install
URL: https://github.com/freeipa/freeipa/pull/269 Author: martbab Title: #269: Prevent denial of replication updates during CA replica install Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/269/head:pr269 git checkout pr269 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#255][synchronized] Adjustments for setup requirements
URL: https://github.com/freeipa/freeipa/pull/255 Author: tiran Title: #255: Adjustments for setup requirements Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/255/head:pr255 git checkout pr255 From 7f0ea93b037e74afef0070498ce767ddf652dfe9 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Thu, 17 Nov 2016 16:43:17 +0100 Subject: [PATCH] Adjustments for setup requirements Fix some typos, missing or surplus dependencies. Remove setup requirement on wheel since it triggers download. Bump up requirements to sensible versions. Cryptography 0.9 does not even compile on Fedora any more. ipatests is now installable. Tests need further changes to be runable. https://fedorahosted.org/freeipa/ticket/6468 Signed-off-by: Christian Heimes --- freeipa.spec.in | 8 ipaclient/setup.py | 7 +++ ipalib/setup.py | 1 + ipaplatform/setup.py | 3 --- ipapython/setup.py | 4 +--- ipaserver/setup.py | 2 +- ipasetup.py.in | 8 ipatests/setup.py| 18 +- 8 files changed, 23 insertions(+), 28 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 6847bed..fac825b 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -114,7 +114,7 @@ BuildRequires: python-cffi BuildRequires: samba-python BuildRequires: python-setuptools # 0.6: serialization.load_pem_private_key, load_pem_public_key -BuildRequires: python-cryptography >= 0.6 +BuildRequires: python-cryptography >= 1.3 BuildRequires: python-gssapi BuildRequires: pylint >= 1.0 # workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506 @@ -187,7 +187,7 @@ Requires: mod_wsgi Requires: mod_auth_gssapi >= 1.4.0 Requires: mod_nss >= 1.0.8-26 Requires: python-ldap >= 2.4.15 -Requires: python-gssapi >= 1.1.2 +Requires: python-gssapi >= 1.2 Requires: acl Requires: memcached Requires: python-memcached 
@@ -510,7 +510,7 @@ Requires: gnupg Requires: keyutils Requires: pyOpenSSL Requires: python-nss >= 0.16 -Requires: python-cryptography >= 0.9 +Requires: python-cryptography >= 1.3 Requires: python-netaddr Requires: python-libipa_hbac Requires: python-qrcode-core >= 5.0.0 @@ -554,7 +554,7 @@ Provides: python3-ipapython = %{version}-%{release} Provides: python3-ipaplatform = %{version}-%{release} %{?python_provide:%python_provide python3-ipaplatform} Requires: %{name}-common = %{version}-%{release} -Requires: python3-gssapi >= 1.1.2 +Requires: python3-gssapi >= 1.2 Requires: gnupg Requires: keyutils Requires: python3-pyOpenSSL diff --git a/ipaclient/setup.py b/ipaclient/setup.py index fb6ed0d..0183aaf 100644 --- a/ipaclient/setup.py +++ b/ipaclient/setup.py @@ -48,13 +48,12 @@ "ipalib", "ipapython", "python-nss", +"python-yubico", +"pyusb", "qrcode", "six", ], -setup_requires=[ -"wheel", -], -extra_requires={ +extras_require={ "ipaclient.install": ["ipaplatform"], "otptoken_yubikey": ["yubico", "usb"] } diff --git a/ipalib/setup.py b/ipalib/setup.py index 85932fc..4be3eb1 100644 --- a/ipalib/setup.py +++ b/ipalib/setup.py @@ -40,6 +40,7 @@ "ipapython", "netaddr", "pyasn1", +"pyasn1-modules", "python-nss", "six", ], diff --git a/ipaplatform/setup.py b/ipaplatform/setup.py index b28ac8c..9c47da7 100644 --- a/ipaplatform/setup.py +++ b/ipaplatform/setup.py @@ -47,7 +47,4 @@ "python-nss", "six", ], -setup_requires=[ -"wheel", -], ) diff --git a/ipapython/setup.py b/ipapython/setup.py index c413ffa..95eb285 100755 --- a/ipapython/setup.py +++ b/ipapython/setup.py @@ -51,10 +51,8 @@ "requests", "six", ], -setup_requires=[ -"wheel", -], extras_require={ ":python_version<'3'": ["enum34"], +"certmonger": ["dbus-python"], }, ) diff --git a/ipaserver/setup.py b/ipaserver/setup.py index 3635832..528b901 100755 --- a/ipaserver/setup.py +++ b/ipaserver/setup.py 
@@ -56,9 +56,9 @@ "ipapython", "lxml", "netaddr", -"memcache", "pyasn1", "pyldap", +"python-memcached", "python-nss", "six", # not available on PyPI diff --git a/ipasetup.py.in b/ipasetup.py.in index 1db4857..bde 100644 --- a/ipasetup.py.in +++ b/ipasetup.py.in @@ -52,9 +52,9 @@ class build_py(setuptools_build_py): PACKAGE_VERSION = { -'cryptography': 'cryptography >= 0.9', +'cryptography': 'cryptography >= 1.3', 'dnspython': 'dnspython >= 1.13', -'gssapi': 'gssapi > 1.1.2', +'gssapi': 'gssapi >= 1.2.0', 'ipaclient': 'ipaclient == @VERSION@',
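Review bot: after the ipasetup.py.in hunk, PACKAGE_VERSION and the `Requires:` lines in freeipa.spec.in encode the same floors twice (`cryptography >= 1.3` vs `python-cryptography >= 1.3`, `gssapi >= 1.2.0` vs `python-gssapi >= 1.2`) with nothing tying them together, and they had already drifted before this change (`gssapi > 1.1.2` here against `>= 1.1.2` in the spec). Add a one-line comment next to each PACKAGE_VERSION entry stating the reason for the minimum, mirroring the spec comments, or derive one list from the other, so the pip and RPM paths cannot diverge again silently.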
Re: [Freeipa-devel] NTP in FreeIPA
Petr Spacek wrote: > On 29.11.2016 09:11, Jan Cholasta wrote: >> On 28.11.2016 20:57, Rob Crittenden wrote: >>> David Kupka wrote: On 22/11/16 23:15, Gabe Alford wrote: > I would say that it is worth keeping in FreeIPA. I know myself and some > customers use its functionality by having the clients sync to the IPA > servers and have the servers sync to the NTP source. This way if the NTP > source ever gets disrupted for long periods of time (which has > happened in > my environment) the client time drifts with the authentication source. > This > is the way that AD often works and is configured. Hello Gabe, I agree that it's common practice to synchronize all nodes in the network with a single source in order to have the same time and save bandwidth. Also I understand that it's comfortable to let the FreeIPA installer take care of it. But I don't think FreeIPA should do it; IMO this is a job for Ansible or a similar tool. Also the problem is that in some situations the FreeIPA installer makes it worse. Example: 1. Install FreeIPA server (ipa1.example.org) 2. Install FreeIPA client on all nodes in the network 3. Install a replica (ipa2.example.org) of the FreeIPA server to increase redundancy Now all the clients have ipa1.example.org as the only server in /etc/ntp.conf. If the first FreeIPA server becomes unreachable all clients will be able to contact the KDC on the other server thanks to DNS autodiscovery in libkrb5 but will be unable to synchronize time. >>> >>> Remember that the goal of IPA was to herd together a bunch of software >>> to make hard things easier. This included dealing with the 5-minute >>> Kerberos window so ntp was configured on the client and server (which is >>> less of an issue now). >>> >>> When making changes you have to ask yourself who are you making this >>> easier for: you or the user. >>> >>> Yes, getting NTP right is hard, but does it meet the 80/20 rule in terms >>> of success? I'd think so. 
>>> >>> If someone wants to configure it using Ansible they can use the >>> --no-ntp. If they want to use different time servers they can pass in >>> --ntp-server. But by default IMHO it should do something sane to give a >>> good experience. >> >> I think to do something sane is exactly the point of this, and the sanest >> thing we can do is to not touch NTP configuration at all: >> >> * if the NTP configuration obtained via DHCP works, we can't make it any >> better by touching it, only worse, >> * if the default NTP configuration shipped with the distribution works, we >> again can't make it any better by touching it, >> * if we are running inside a container, time is synchronized by other means >> and we should not touch NTP configuration at all, >> * if neither the default NTP configuration nor the NTP configuration >> obtained via DHCP works and we are not running inside a container, we may >> attempt to fix the configuration, but it will not be permanent and will work >> only for this specific host. >> >> I think the first 3 points cover 99% of real-life deployments, and yet we are >> optimized towards the remaining 1%, with the potential of breaking the >> configuration for the 99%. This is far from sane IMHO. > > +1 for Honza's point. > > Current NTP code works only for initial setup and silently breaks > synchronization later on. Most importantly it breaks synchronization as soon > as the admin removes old replicas and replaces them with new ones - there is no > mechanism to update the records in the client configuration (and SRV discovery > is not supported by clients). > > I.e. when an admin decommissions replicas which were around at the time of client > installation, the NTP on the client will silently break. This would not happen if > you did not touch it. > > (This also implicitly means that IPA-configured NTP is broken on all clients > in topologies which were completely migrated from RHEL 6 to RHEL 7.) 
> > Either DHCP or default distro config would solve the problem better. That's fair but where are the huge pile of bugs, tickets and user e-mails complaining about time? Or has nobody noticed yet? I'm just wondering whether dropping it altogether is the right choice or if enhancing the time clients to say, support SRV records is a preferable option. There is a real advantage in having the IPA clients using the same time source as the IPA masters (in this case the masters themselves). Like Simo I have mixed feelings about this and won't push on it anymore but completely dropping features should be well-considered and a last resort IMHO. rob -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#283][opened] [ipa-4-4] Prevent denial of replication updates during CA replica install
URL: https://github.com/freeipa/freeipa/pull/283 Author: martbab Title: #283: [ipa-4-4] Prevent denial of replication updates during CA replica install Action: opened PR body: """ This is https://github.com/freeipa/freeipa/pull/269 rebased on top of ipa-4-4 branch. https://fedorahosted.org/freeipa/ticket/6508 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/283/head:pr283 git checkout pr283 From 9c97bd9d566c74220c1ca695378dc6caf60e5f85 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Wed, 23 Nov 2016 16:55:38 +0100 Subject: [PATCH 1/2] upgrade: add replica bind DN group check interval to CA topology config Without this attribute explicitly set the replication plugin won't recognize updates from members of 'replication managers' sysaccount group, leading to stuck replica CA installation. https://fedorahosted.org/freeipa/ticket/6508 --- install/share/ca-topology.uldif | 1 + 1 file changed, 1 insertion(+) diff --git a/install/share/ca-topology.uldif b/install/share/ca-topology.uldif index fea591b..8fe38e7 100644 --- a/install/share/ca-topology.uldif +++ b/install/share/ca-topology.uldif @@ -12,3 +12,4 @@ default: cn: ca dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config onlyifexist: nsds5replicabinddngroup: cn=replication managers,cn=sysaccounts,cn=etc,$SUFFIX +add: nsds5replicabinddngroupcheckinterval: 60 From e58c23d29d1c9b163f1538ecabb6cbb482cbf881 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Wed, 23 Nov 2016 16:58:39 +0100 Subject: [PATCH 2/2] replication: ensure bind DN group check interval is set on replica config This is a safeguard ensuring valid replica configuration against incorrectly upgraded masters lacking 'nsds5replicabinddngroupcheckinterval' attribute on their domain/ca topology config. https://fedorahosted.org/freeipa/ticket/6508 --- ipaserver/install/replication.py | 6 ++ 1 file changed, 6 insertions(+) 
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py index 56c75e7..42ee303 100644 --- a/ipaserver/install/replication.py +++ b/ipaserver/install/replication.py @@ -454,6 +454,12 @@ def replica_config(self, conn, replica_id, replica_binddn): if replica_groupdn not in binddn_groups: mod.append((ldap.MOD_ADD, 'nsds5replicabinddngroup', replica_groupdn)) + +if 'nsds5replicabinddngroupcheckinterval' not in entry: +mod.append( +(ldap.MOD_ADD, + 'nsds5replicabinddngroupcheckinterval', + '60')) if mod: conn.modify_s(dn, mod) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
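Review bot: the `+add: nsds5replicabinddngroupcheckinterval: 60` line in ca-topology.uldif introduces a bare magic number with no comment stating its unit or why 60 was chosen, and the same literal reappears as the string `'60'` in the replication.py hunk below; add a one-line comment in the uldif and a named constant that replica_config() also uses, so the two copies cannot drift apart on the next tuning.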
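Review bot: the new `if 'nsds5replicabinddngroupcheckinterval' not in entry:` branch in replica_config() silently repairs a state that, per the commit message, only arises on an incorrectly upgraded master; log a warning (including the replica config dn) when it fires so the administrator learns that master's upgrade was incomplete instead of only seeing the symptom patched on new replicas. A unit test asserting that the MOD_ADD is emitted when the attribute is absent and omitted when it is present would also pin the safeguard down.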
[Freeipa-devel] [freeipa PR#281][comment] Accept server host names resolvable only using /etc/hosts
URL: https://github.com/freeipa/freeipa/pull/281 Title: #281: Accept server host names resolvable only using /etc/hosts pspacek commented: """
This entirely depends on configuration. Imagine the following imaginary company setup:

- public part of DNS tree is `example.com.`
- private part of DNS tree is `corp.`
- resolv.conf contains `corp` in search list

Now an admin is going to install an IPA instance for publicly available services at server `srv1.ipa.example.com.`. The name `srv1.ipa.example.com.` is not resolvable as the --setup-dns option is used. Now, the `dns` module invoked by NSS will try to look up `srv1.ipa.example.com.`. It might (depending on configuration) fall back to `srv1.ipa.example.com.corp.` which may accidentally exist (as an IPA server for company internal purposes). This is purely hypothetical, I'm just trying to show that the code is subtly broken.
""" See the full comment at https://github.com/freeipa/freeipa/pull/281#issuecomment-263589129 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
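The search-list fallback described in the comment above, as an added example that is not part of the PR or of FreeIPA: it models glibc's res_search() expansion (absolute name first when the name has at least ndots dots, then each search domain, with a trailing dot disabling the search entirely) against a constructed zone in which only the private `srv1.ipa.example.com.corp.` host exists, and shows a strict check that rejects an answer obtained through expansion. The zone table, the `search corp` setting and ndots value are assumptions for the illustration.

```python
"""Simulate glibc res_search() search-list expansion.

Added example (not FreeIPA code). The zone table and resolv.conf
settings are constructed for this illustration.
"""

# Constructed data: only the private host exists, as in the comment.
ZONE = {
    "srv1.ipa.example.com.corp.": "10.0.0.5",
}
SEARCH = ("corp",)   # resolv.conf: search corp
NDOTS = 1            # glibc default (options ndots:1)


def candidates(name, search=SEARCH, ndots=NDOTS):
    """Query names glibc would try, in order (simplified res_search()).

    * trailing dot: the name is absolute, try it as-is and nothing else;
    * at least `ndots` dots: try as-is first, then each search domain
      (glibc keeps going after NXDOMAIN when RES_DNSRCH is set);
    * fewer dots: search domains first, as-is last.
    """
    base = name.rstrip(".")
    if name.endswith("."):
        return [base + "."]
    dots = base.count(".")
    tries = []
    if dots >= ndots:
        tries.append(base + ".")
    tries.extend(base + "." + dom.strip(".") + "." for dom in search)
    if dots < ndots:
        tries.append(base + ".")
    return tries


def resolve(name, zone=ZONE, **opts):
    """getaddrinfo()-like lookup: the first candidate present in ZONE wins.

    Returns (name_actually_answered, address) or None.
    """
    for query in candidates(name, **opts):
        if query in zone:
            return query, zone[query]
    return None


def resolve_strict(name, zone=ZONE, **opts):
    """Accept an answer only for the exact FQDN that was requested.

    Rejects results produced by search-list expansion, which is the
    accidental match the comment warns about.
    """
    answer = resolve(name, zone, **opts)
    if answer is None:
        return None
    answered_name, _ = answer
    if answered_name != name.rstrip(".") + ".":
        return None
    return answer


if __name__ == "__main__":
    host = "srv1.ipa.example.com"
    print(candidates(host))       # as-is, then with .corp appended
    print(resolve(host))          # the private host answers
    print(resolve(host + "."))    # None: trailing dot disables search
    print(resolve_strict(host))   # None: expanded answer rejected
```

In real code the equivalent of `resolve_strict` is to hand the resolver the absolute form (trailing dot) so glibc skips the search list, or to use a resolver API that lets the caller disable search, and then compare the name that was answered with the name that was asked for.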
[Freeipa-devel] [freeipa PR#268][+pushed] Build system must regenerate file when template changes
URL: https://github.com/freeipa/freeipa/pull/268 Title: #268: Build system must regenerate file when template changes Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#268][comment] Build system must regenerate file when template changes
URL: https://github.com/freeipa/freeipa/pull/268 Title: #268: Build system must regenerate file when template changes mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/ba6ae666acaf8b930d18f45efc7c9c9faad3526b https://fedorahosted.org/freeipa/changeset/6857de02f3a9c2d7e99e33863be3c65f71fa0d58 https://fedorahosted.org/freeipa/changeset/89739a6c910461a3cac3abc1bf2ff162c7c5bc82 https://fedorahosted.org/freeipa/changeset/6fcfe689f47a02df023de69f62c889d9b4dc26fe https://fedorahosted.org/freeipa/changeset/6aa360775a781bee5a2fdd884cbfa33b545fcbb4 https://fedorahosted.org/freeipa/changeset/a89f63c5a62c4a02fc248a095f539a099a9c28c5 """ See the full comment at https://github.com/freeipa/freeipa/pull/268#issuecomment-263584306 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#268][closed] Build system must regenerate file when template changes
URL: https://github.com/freeipa/freeipa/pull/268 Author: pspacek Title: #268: Build system must regenerate file when template changes Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/268/head:pr268 git checkout pr268 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#271][comment] Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient
URL: https://github.com/freeipa/freeipa/pull/271 Title: #271: Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient mbasti-rh commented: """ Ticket updated. """ See the full comment at https://github.com/freeipa/freeipa/pull/271#issuecomment-263581781 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#280][comment] Set explicit confdir option for global contexts
URL: https://github.com/freeipa/freeipa/pull/280 Title: #280: Set explicit confdir option for global contexts tiran commented: """ All bootstrap() calls without an explicit confdir argument are fine. If you think otherwise, please list all calls and give me a compelling reason to have them ignore IPA_CONFDIR. """ See the full comment at https://github.com/freeipa/freeipa/pull/280#issuecomment-263580703 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#200][+ack] Test: basic kerberos over http functionality
URL: https://github.com/freeipa/freeipa/pull/200 Title: #200: Test: basic kerberos over http functionality Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#200][comment] Test: basic kerberos over http functionality
URL: https://github.com/freeipa/freeipa/pull/200 Title: #200: Test: basic kerberos over http functionality apophys commented: """ Thank you for rebasing the commits. The test looks good. """ See the full comment at https://github.com/freeipa/freeipa/pull/200#issuecomment-263578009 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#225][synchronized] tests: Added basic tests for certs in idoverrides
URL: https://github.com/freeipa/freeipa/pull/225 Author: ofayans Title: #225: tests: Added basic tests for certs in idoverrides Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/225/head:pr225 git checkout pr225 From fab31aff4cc3950651ee1114d4b1d874aa4c7e0f Mon Sep 17 00:00:00 2001 From: Oleg Fayans Date: Wed, 16 Nov 2016 12:57:49 +0100 Subject: [PATCH 1/2] Created idview tracker Needed for basic certs in idoverrides tests https://fedorahosted.org/freeipa/ticket/6412 --- ipatests/test_xmlrpc/tracker/idview_plugin.py | 116 ++ 1 file changed, 116 insertions(+) create mode 100644 ipatests/test_xmlrpc/tracker/idview_plugin.py diff --git a/ipatests/test_xmlrpc/tracker/idview_plugin.py b/ipatests/test_xmlrpc/tracker/idview_plugin.py new file mode 100644 index 000..e7bb39b --- /dev/null +++ b/ipatests/test_xmlrpc/tracker/idview_plugin.py 
@@ -0,0 +1,116 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +from ipalib import api +from ipapython.dn import DN +from ipatests.test_xmlrpc.tracker.base import Tracker +from ipatests.util import assert_deepequal +from ipatests.test_xmlrpc import objectclasses + +import six + +if six.PY3: +unicode = str + + +class IdviewTracker(Tracker): +"""Class for idview tests""" + +retrieve_keys = { +u'cn' +} + +retrieve_all_keys = retrieve_keys | { +u'description', u'objectclass', u'dn' +} + +create_keys = retrieve_all_keys +find_all_keys = retrieve_all_keys + +def del_cert_from_idoverrideuser(self, username, cert): +result = api.Command.idoverrideuser_remove_cert( +self.cn, username, usercertificate=cert +) +return dict( +usercertificate=result['result'].get('usercertificate', []), +value=result.get('value'), +summary=result.get('summary') +) + +def add_cert_to_idoverrideuser(self, username, cert): +result = api.Command.idoverrideuser_add_cert( +self.cn, username, usercertificate=cert +) +return dict( +usercertificate=result['result'].get('usercertificate', []), +value=result.get('value'), +summary=result.get('summary') +) + +def __init__(self, cn, **kwargs): +super(IdviewTracker, self).__init__(default_version=None) +self.cn = cn +self.dn = DN(('cn', cn), api.env.container_views, api.env.basedn) +self.kwargs = kwargs + +def make_create_command(self): +return self.make_command( +'idview_add', self.cn, **self.kwargs +) + +def make_delete_command(self): +return self.make_command( +'idview_del', self.cn, **self.kwargs +) + +def make_retrieve_command(self, all=False, raw=False): +""" Make function that retrieves a idview using idview-show """ +return self.make_command('idview_show', self.cn, all=all) + +def make_find_command(self, *args, **kwargs): +""" Make function that finds idview using idview-find """ +return self.make_command('idview_find', *args, **kwargs) + +def make_update_command(self, updates): +""" Make function that updates idview 
using idview-mod """ +return self.make_command('idview_mod', self.cn, **updates) + +def track_create(self): +self.attrs = dict( +cn=(self.cn,), +dn=unicode(self.dn), +idoverrideusers=[], +objectclass=objectclasses.idview +) +if 'description' in self.kwargs: +self.attrs['description'] = self.kwargs['description'] +self.exists = True + +def make_add_idoverrideuser_command(self, username, options=None): +options = options or {} +""" Make function that adds a member to a group """ +return self.make_command('idoverrideuser_add', self.cn, username, + **options) + +def idoverrideuser_add(self, user): +command = self.make_add_idoverrideuser_command(user.name) +result = command() +self.attrs['idoverrideusers'].append(result['value']) +self.check_idoverrideuser_add(result, user) + +def check_create(self, result, extra_keys=()): +""" Check 'user-add' command result """ +expected = self.filter_attrs(self.create_keys | set(extra_keys)) +assert_deepequal(dict( +summary=u'Added ID View "%s"' % self.cn, +result=self.filter_attrs(expected), +value=self.cn +), result) + +def check_idoverrideuser_add(self, result, user): +""" Checks 'group_add_member' command result """ +assert_deepequal( +u'Added User ID override "%s"' % user.name, +result['summary'] +) From 4948bf77193ab9e31ac1dcaefa97cc55dab24750 Mon Sep 17 00:00:00 2001 F
[Freeipa-devel] [freeipa PR#271][comment] Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient
URL: https://github.com/freeipa/freeipa/pull/271 Title: #271: Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient stlaz commented: """ Last I checked the ticket was still open. The ticket was trying to solve the same issue as this PR although its aim shifted (see the link I posted in the comments). """ See the full comment at https://github.com/freeipa/freeipa/pull/271#issuecomment-263576832 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#271][comment] Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient
URL: https://github.com/freeipa/freeipa/pull/271 Title: #271: Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient mbasti-rh commented: """ Ticket https://fedorahosted.org/freeipa/ticket/6474 is closed as wontfix and doesn't even seem right to me. """ See the full comment at https://github.com/freeipa/freeipa/pull/271#issuecomment-263575595 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#228][comment] cert-request: allow directoryName in SAN extension
URL: https://github.com/freeipa/freeipa/pull/228 Title: #228: cert-request: allow directoryName in SAN extension jcholast commented: """
Ok,

> Why do you see a relationship between the subject DN of a X.509 and the
> directoryName general name in SAN X.509v3 extension?

According to RFC 5280 section 4.1.2.6 the subject DN and SANs are equivalent in terms of identifying the subject entity:

> The subject field identifies the entity associated with the public
> key stored in the subject public key field. The subject name MAY be
> carried in the subject field and/or the subjectAltName extension.

Compare how the subject DN is defined in RFC 5280 section 4.1.2.6:

> Where it is non-empty, the subject field MUST contain an X.500
> distinguished name (DN). The DN MUST be unique for each subject
> entity certified by the one CA as defined by the issuer field. A CA
> MAY issue more than one certificate with the same DN to the same
> subject entity.

... with how the DN SAN is defined in RFC 5280 section 4.2.1.6:

> When the subjectAltName extension contains a DN in the directoryName,
> the encoding rules are the same as those specified for the issuer
> field in Section 4.1.2.4. The DN MUST be unique for each subject
> entity certified by the one CA as defined by the issuer field. A CA
> MAY issue more than one certificate with the same DN to the same
> subject entity.

See that there is no mention of any semantic difference between them as means of identifying the subject entity. Further specifications such as the name constraints extension also treat them equally. RFC 5280 section 4.2.1.10:

> Restrictions of the form directoryName MUST be applied to the subject
> field in the certificate (when the certificate includes a non-empty
> subject field) and to any names of type directoryName in the
> subjectAltName extension.

> The subject follows different rules, e.g. a disjunct set of RDN attributes.

I could not find any mention of this in RFC 5280 nor the X.500 series of standards. I'm assuming it's because it's not there.

> Attributes like DC, UID etc. are not commonly found in a X.509 cert's subject.

Neither RFC 5280 nor the X.500 series of standards impose any restrictions on the attributes used. However, RFC 5280 section 4.1.2.4 says:

> In addition, **implementations of this specification MUST be prepared**
> **to receive the domainComponent attribute**, as defined in [RFC4519].

> With multiple SubCAs (e.g. for VPN, client cert auth, host certs) we end up
> with different subject DNs but with the same directoryName GN SAN entry.

Currently we in fact end up with the same subject DN. Which is just fine, as they refer to the same subject entity.

> The directoryName is designed to hold a LDAP DN.

I don't think that's true, as there is no mention of this in the directoryName SAN specification (see above).

> A certificate's Subject DN is not really a distinguishing name in the sense
> of a unique identifier.

Let me quote RFC 5280 section 4.1.2.6 again:

> Where it is non-empty, the subject field MUST contain an X.500
> distinguished name (DN). **The DN MUST be unique for each subject**
> **entity certified by the one CA as defined by the issuer field**. A CA
> MAY issue more than one certificate with the same DN to the same
> subject entity.
""" See the full comment at https://github.com/freeipa/freeipa/pull/228#issuecomment-263574255 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
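The RFC 5280 section 4.2.1.10 rule quoted in the comment above (a directoryName constraint applies to the subject field and to every directoryName in the SAN), as an added example that is neither FreeIPA's nor Dogtag's code: a tiny DN model, RFC-style subtree matching by RDN prefix, and a check that walks both the subject and the SAN directoryNames of two constructed leaf certificates, one of which carries an LDAP-style `DC=com,DC=example,UID=alice` directoryName. The DN representation, the constructed certificates and the simplified value matching (case folded, whitespace collapsed, standing in for the RFC 5280 section 7.1 comparison rules) are all assumptions of this illustration.

```python
"""Name constraints of type directoryName applied to both the subject
field and the directoryName entries of subjectAltName (RFC 5280 4.2.1.10).

Added example, not FreeIPA's implementation. The DN model and the two
certificates below are constructed; value matching is a simplified form
of RFC 5280 7.1 / LDAP caseIgnoreMatch (case folded, whitespace collapsed).
"""


def dn(*rdns):
    """Build a DN as a tuple of RDNs in X.500 order (root first); each
    RDN is a frozenset of (attribute type, value) pairs."""
    return tuple(frozenset((t.lower(), v) for t, v in rdn) for rdn in rdns)


def _norm(value):
    return " ".join(value.split()).casefold()


def rdn_equal(a, b):
    """Compare two RDNs attribute-by-attribute with normalised values."""
    return {(t, _norm(v)) for t, v in a} == {(t, _norm(v)) for t, v in b}


def within_subtree(name, base):
    """A DN is within a directoryName subtree when the base DN's RDNs are
    a prefix of the name's RDNs."""
    if len(base) > len(name):
        return False
    return all(rdn_equal(n, b) for n, b in zip(name, base))


def constrained_names(cert):
    """The names a directoryName constraint must be applied to: the subject
    (when non-empty) plus every directoryName general name in the SAN."""
    names = []
    if cert["subject"]:
        names.append(("subject", cert["subject"]))
    for kind, value in cert.get("san", ()):
        if kind == "directoryName":
            names.append(("san", value))
    return names


def check_name_constraints(cert, permitted=(), excluded=()):
    """Return [(where, dn, reason)] for every constrained name that falls in
    an excluded subtree or, when permitted subtrees exist, in none of them."""
    violations = []
    for where, name in constrained_names(cert):
        if any(within_subtree(name, ex) for ex in excluded):
            violations.append((where, name, "excluded"))
        elif permitted and not any(within_subtree(name, p) for p in permitted):
            violations.append((where, name, "not permitted"))
    return violations


# Constructed CA policy: issue only under O=Example Corp and DC=com,DC=example.
PERMITTED = [
    dn([("O", "Example Corp")]),
    dn([("DC", "com")], [("DC", "example")]),
]

# Constructed leaf: subject under the first subtree, directoryName SAN
# carrying an LDAP-style DN under the second.
GOOD_CERT = {
    "subject": dn([("O", "example  corp")], [("CN", "alice")]),
    "san": [
        ("dNSName", "alice.example.com"),
        ("directoryName", dn([("DC", "com")], [("DC", "example")], [("UID", "alice")])),
    ],
}

# Same subject, but the SAN directoryName points into a foreign tree:
# checking the subject alone would miss this.
BAD_CERT = {
    "subject": GOOD_CERT["subject"],
    "san": [
        ("directoryName", dn([("DC", "org")], [("DC", "evil")], [("UID", "alice")])),
    ],
}


if __name__ == "__main__":
    print(check_name_constraints(GOOD_CERT, permitted=PERMITTED))   # no violations
    for where, name, reason in check_name_constraints(BAD_CERT, permitted=PERMITTED):
        print(where, reason)                                        # the SAN entry fails
```

The point the check makes concrete is the one argued in the comment: a validator that only inspects the subject field would pass `BAD_CERT`, because its subject is fine; the foreign name lives in the SAN directoryName, which the RFC says must be constrained in exactly the same way.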
[Freeipa-devel] [freeipa PR#269][comment] Prevent denial of replication updates during CA replica install
URL: https://github.com/freeipa/freeipa/pull/269 Title: #269: Prevent denial of replication updates during CA replica install mbasti-rh commented: """ Patch does not apply to 4.4.3 branch """ See the full comment at https://github.com/freeipa/freeipa/pull/269#issuecomment-263574061 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#255][synchronized] Adjustments for setup requirements
URL: https://github.com/freeipa/freeipa/pull/255 Author: tiran Title: #255: Adjustments for setup requirements Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/255/head:pr255 git checkout pr255 From 01cec191ead6a32ad7a71f7dd4080edc18c8630f Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Thu, 17 Nov 2016 16:43:17 +0100 Subject: [PATCH] Adjustments for setup requirements Fix some typos, missing or surplus dependencies. Remove setup requirement on wheel since it triggers download. Bump up requirements to sensible versions. Cryptography 0.9 does not even compile on Fedora any more. ipatests is now installable. Tests need further changes to be runable. https://fedorahosted.org/freeipa/ticket/6468 Signed-off-by: Christian Heimes --- freeipa.spec.in | 8 ipaclient/setup.py | 8 ++-- ipalib/setup.py | 4 +--- ipaplatform/setup.py | 3 --- ipapython/setup.py | 4 +--- ipaserver/setup.py | 5 + ipasetup.py.in | 8 ipatests/setup.py| 18 +- 8 files changed, 22 insertions(+), 36 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 3865ed8..8788b9c 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -114,7 +114,7 @@ BuildRequires: python-cffi BuildRequires: samba-python BuildRequires: python-setuptools # 0.6: serialization.load_pem_private_key, load_pem_public_key -BuildRequires: python-cryptography >= 0.6 +BuildRequires: python-cryptography >= 1.3 BuildRequires: python-gssapi BuildRequires: pylint >= 1.0 # workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506 @@ -187,7 +187,7 @@ Requires: mod_wsgi Requires: mod_auth_gssapi >= 1.4.0 Requires: mod_nss >= 1.0.8-26 Requires: python-ldap >= 2.4.15 -Requires: python-gssapi >= 1.1.2 +Requires: python-gssapi >= 1.2 Requires: acl Requires: memcached Requires: python-memcached 
@@ -510,7 +510,7 @@ Requires: gnupg Requires: keyutils Requires: pyOpenSSL Requires: python-nss >= 0.16 -Requires: python-cryptography >= 0.9 +Requires: python-cryptography >= 1.3 Requires: python-netaddr Requires: python-libipa_hbac Requires: python-qrcode-core >= 5.0.0 @@ -554,7 +554,7 @@ Provides: python3-ipapython = %{version}-%{release} Provides: python3-ipaplatform = %{version}-%{release} %{?python_provide:%python_provide python3-ipaplatform} Requires: %{name}-common = %{version}-%{release} -Requires: python3-gssapi >= 1.1.2 +Requires: python3-gssapi >= 1.2 Requires: gnupg Requires: keyutils Requires: python3-pyOpenSSL diff --git a/ipaclient/setup.py b/ipaclient/setup.py index fc5609b..e3ec079 100644 --- a/ipaclient/setup.py +++ b/ipaclient/setup.py @@ -48,13 +48,9 @@ "ipalib", "ipapython", "python-nss", +"python-yubico", +"pyusb", "qrcode", "six", ], -setup_requires=[ -"wheel", -], -extra_requires={ -"otptoken_yubikey": ["yubico", "usb"] -} ) diff --git a/ipalib/setup.py b/ipalib/setup.py index 98af7ab..94d78de 100644 --- a/ipalib/setup.py +++ b/ipalib/setup.py @@ -41,10 +41,8 @@ "ipapython", "netaddr", "pyasn1", +"pyasn1-modules", "python-nss", "six", ], -setup_requires=[ -"wheel", -], ) diff --git a/ipaplatform/setup.py b/ipaplatform/setup.py index 97311de..98a9f08 100644 --- a/ipaplatform/setup.py +++ b/ipaplatform/setup.py @@ -46,7 +46,4 @@ "python-nss", "six", ], -setup_requires=[ -"wheel", -], ) diff --git a/ipapython/setup.py b/ipapython/setup.py index 087086e..772ecfd 100755 --- a/ipapython/setup.py +++ b/ipapython/setup.py @@ -54,11 +54,9 @@ "requests", "six", ], -setup_requires=[ -"wheel", -], extras_require={ ":python_version<'3'": ["enum34"], +"certmonger": ["dbus-python"], }, entry_points={ 'custodia.authorizers': [ diff --git a/ipaserver/setup.py b/ipaserver/setup.py index 5c38843..edc3113 100755 --- a/ipaserver/setup.py +++ b/ipaserver/setup.py 
@@ -54,9 +54,9 @@ "ipapython", "lxml", "netaddr", -"memcache", "pyasn1", "pyldap", +"python-memcached", "python-nss", "six", # not available on PyPI @@ -66,7 +66,4 @@ # "python-SSSDConfig", # "samba-python", ], -setup_requires=[ -"wheel", -], ) diff --git a/ipasetup.py.in b/ipasetup.py.in index 1db4857..bde 100644 --- a/ipasetup.py.in +++ b/ipasetup.py.in @@ -52,9 +52,9 @@ class build_py(setuptools_build_py): PACKAGE_VERSION = { -'cryptog
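Review bot: in the first freeipa.spec.in hunk the comment `# 0.6: serialization.load_pem_private_key, load_pem_public_key` is left standing above the bumped `BuildRequires: python-cryptography >= 1.3`, so it no longer explains the minimum it annotates; update it to name the 1.3 feature that is needed, or the reason given in the commit message (0.9 no longer builds on Fedora), so the next reader can tell whether the floor can move again.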
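Review bot: the ipaclient/setup.py hunk turns `"python-yubico"` and `"pyusb"` into unconditional install_requires, so every client install now pulls in a USB stack that only the otptoken_yubikey plugin needs; the block being removed was keyed `extra_requires` (a misspelling, so it was never honoured by setuptools), and the fix is to keep those two under a correctly spelled `extras_require={"otptoken_yubikey": [...]}`, the same pattern the ipapython/setup.py hunk uses for `"certmonger": ["dbus-python"]`.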
[Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements
URL: https://github.com/freeipa/freeipa/pull/255 Title: #255: Adjustments for setup requirements tiran commented: """ Would you rather claim to be compatible with a broken, unsupported, and old version? """ See the full comment at https://github.com/freeipa/freeipa/pull/255#issuecomment-263571342 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#277][closed] DNS: URI records: bump python-dns requirements
URL: https://github.com/freeipa/freeipa/pull/277 Author: mbasti-rh Title: #277: DNS: URI records: bump python-dns requirements Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/277/head:pr277 git checkout pr277 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#277][+pushed] DNS: URI records: bump python-dns requirements
URL: https://github.com/freeipa/freeipa/pull/277 Title: #277: DNS: URI records: bump python-dns requirements Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#277][comment] DNS: URI records: bump python-dns requirements
URL: https://github.com/freeipa/freeipa/pull/277 Title: #277: DNS: URI records: bump python-dns requirements mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/a291c6ded91611ea2bd1a1fdb96314721d73a75f """ See the full comment at https://github.com/freeipa/freeipa/pull/277#issuecomment-263569947 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#225][synchronized] tests: Added basic tests for certs in idoverrides
URL: https://github.com/freeipa/freeipa/pull/225 Author: ofayans Title: #225: tests: Added basic tests for certs in idoverrides Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/225/head:pr225 git checkout pr225 From b08686c53950ee848418f2560454ef7f35cc850c Mon Sep 17 00:00:00 2001 From: Oleg Fayans Date: Wed, 16 Nov 2016 12:57:49 +0100 Subject: [PATCH 1/2] Created idview tracker Needed for basic certs in idoverrides tests https://fedorahosted.org/freeipa/ticket/6412 --- ipatests/test_xmlrpc/tracker/idview_plugin.py | 119 ++ 1 file changed, 119 insertions(+) create mode 100644 ipatests/test_xmlrpc/tracker/idview_plugin.py diff --git a/ipatests/test_xmlrpc/tracker/idview_plugin.py b/ipatests/test_xmlrpc/tracker/idview_plugin.py new file mode 100644 index 000..e0be0b4 --- /dev/null +++ b/ipatests/test_xmlrpc/tracker/idview_plugin.py 
@@ -0,0 +1,119 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +from ipalib import api +from ipapython.dn import DN +from ipatests.test_xmlrpc.tracker.base import Tracker +from ipatests.util import assert_deepequal +from ipatests.test_xmlrpc import objectclasses + +import six + +if six.PY3: +unicode = str + + +class IdviewTracker(Tracker): +"""Class for idview tests""" + +retrieve_keys = { +u'cn' +} + +retrieve_all_keys = retrieve_keys | { +u'description', u'objectclass', u'dn' +} + +create_keys = retrieve_all_keys +find_all_keys = retrieve_all_keys + +cert_add_cmd = api.Command.idoverrideuser_add_cert +cert_del_cmd = api.Command.idoverrideuser_remove_cert + +def del_cert_from_idoverride(self, username, cert): +result = self.cert_del_cmd(self.cn, + username, + usercertificate=cert) +return dict( +usercertificate=result['result'].get('usercertificate', []), +value=result.get('value'), +summary=result.get('summary') +) + +def add_cert_to_idoverride(self, username, cert): +result = self.cert_add_cmd(self.cn, + username, + usercertificate=cert) +return dict( +usercertificate=result['result'].get('usercertificate', []), +value=result.get('value'), +summary=result.get('summary') +) + +def __init__(self, cn, **kwargs): +super(IdviewTracker, self).__init__(default_version=None) +self.cn = cn +self.dn = DN(('cn', cn), api.env.container_views, api.env.basedn) +self.kwargs = kwargs + +def make_create_command(self): +return self.make_command( +'idview_add', self.cn, **self.kwargs +) + +def make_delete_command(self): +return self.make_command( +'idview_del', self.cn, **self.kwargs +) + +def make_retrieve_command(self, all=False, raw=False): +""" Make function that retrieves a idview using idview-show """ +return self.make_command('idview_show', self.cn, all=all) + +def make_find_command(self, *args, **kwargs): +""" Make function that finds idview using idview-find """ +return self.make_command('idview_find', *args, **kwargs) + +def 
make_update_command(self, updates): +""" Make function that updates idview using idview-mod """ +return self.make_command('idview_mod', self.cn, **updates) + +def track_create(self): +self.attrs = dict( +cn=(self.cn,), +dn=unicode(self.dn), +idoverrideusers=[], +objectclass=objectclasses.idview +) +if 'description' in self.kwargs: +self.attrs['description'] = self.kwargs['description'] +self.exists = True + +def make_add_idoverrideuser_command(self, username, options=None): +options = options or {} +""" Make function that adds a member to a group """ +return self.make_command('idoverrideuser_add', self.cn, username, + **options) + +def idoverrideuser_add(self, user): +command = self.make_add_idoverrideuser_command(user.name) +result = command() +self.attrs['idoverrideusers'].append(result['value']) +self.check_idoverrideuser_add(result, user) + +def check_create(self, result, extra_keys=()): +""" Check 'user-add' command result """ +expected = self.filter_attrs(self.create_keys | set(extra_keys)) +assert_deepequal(dict( +summary=u'Added ID View "%s"' % self.cn, +result=self.filter_attrs(expected), +value=self.cn +), result) + +def check_idoverrideuser_add(self, result, user): +""" Checks 'group_add_member' command result """ +assert_deepequal( +
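Review bot: `cert_add_cmd = api.Command.idoverrideuser_add_cert` and `cert_del_cmd = api.Command.idoverrideuser_remove_cert` are evaluated in the class body, i.e. when the tracker module is imported, so the plugin lookup happens before any fixture has initialised `api` and depends on import order; the previous revision resolved `api.Command.idoverrideuser_add_cert` inside the method at call time, which avoids that. If class-level aliases are wanted, resolve them lazily (a property, or a lookup in `__init__`). The stale `""" Checks 'group_add_member' command result """` docstring in check_idoverrideuser_add() also survives from the earlier revision.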
[Freeipa-devel] [freeipa PR#225][synchronized] tests: Added basic tests for certs in idoverrides
URL: https://github.com/freeipa/freeipa/pull/225 Author: ofayans Title: #225: tests: Added basic tests for certs in idoverrides Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/225/head:pr225 git checkout pr225 From e776974018333974becba97af56df20ab250a4b7 Mon Sep 17 00:00:00 2001 From: Oleg Fayans Date: Wed, 16 Nov 2016 12:57:49 +0100 Subject: [PATCH 1/2] Created idview tracker Needed for basic certs in idoverrides tests https://fedorahosted.org/freeipa/ticket/6412 --- ipatests/test_xmlrpc/objectclasses.py | 6 ++ ipatests/test_xmlrpc/tracker/idview_plugin.py | 119 ++ 2 files changed, 125 insertions(+) create mode 100644 ipatests/test_xmlrpc/tracker/idview_plugin.py diff --git a/ipatests/test_xmlrpc/objectclasses.py b/ipatests/test_xmlrpc/objectclasses.py index 1ea020b..cad4c48 100644 --- a/ipatests/test_xmlrpc/objectclasses.py +++ b/ipatests/test_xmlrpc/objectclasses.py @@ -227,3 +227,9 @@ u'top', u'ipaca', ] + +idview = [ +u'ipaIDView', +u'top', +u'nsContainer' +] diff --git a/ipatests/test_xmlrpc/tracker/idview_plugin.py b/ipatests/test_xmlrpc/tracker/idview_plugin.py new file mode 100644 index 000..e0be0b4 --- /dev/null +++ b/ipatests/test_xmlrpc/tracker/idview_plugin.py 
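Review bot: the new `idview` list in objectclasses.py omits the trailing comma after `u'nsContainer'` that the neighbouring list in the same hunk (`u'top', u'ipaca', ]`) carries; keep the file's convention so later additions produce one-line diffs.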
@@ -0,0 +1,119 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +from ipalib import api +from ipapython.dn import DN +from ipatests.test_xmlrpc.tracker.base import Tracker +from ipatests.util import assert_deepequal +from ipatests.test_xmlrpc import objectclasses + +import six + +if six.PY3: +unicode = str + + +class IdviewTracker(Tracker): +"""Class for idview tests""" + +retrieve_keys = { +u'cn' +} + +retrieve_all_keys = retrieve_keys | { +u'description', u'objectclass', u'dn' +} + +create_keys = retrieve_all_keys +find_all_keys = retrieve_all_keys + +cert_add_cmd = api.Command.idoverrideuser_add_cert +cert_del_cmd = api.Command.idoverrideuser_remove_cert + +def del_cert_from_idoverride(self, username, cert): +result = self.cert_del_cmd(self.cn, + username, + usercertificate=cert) +return dict( +usercertificate=result['result'].get('usercertificate', []), +value=result.get('value'), +summary=result.get('summary') +) + +def add_cert_to_idoverride(self, username, cert): +result = self.cert_add_cmd(self.cn, + username, + usercertificate=cert) +return dict( +usercertificate=result['result'].get('usercertificate', []), +value=result.get('value'), +summary=result.get('summary') +) + +def __init__(self, cn, **kwargs): +super(IdviewTracker, self).__init__(default_version=None) +self.cn = cn +self.dn = DN(('cn', cn), api.env.container_views, api.env.basedn) +self.kwargs = kwargs + +def make_create_command(self): +return self.make_command( +'idview_add', self.cn, **self.kwargs +) + +def make_delete_command(self): +return self.make_command( +'idview_del', self.cn, **self.kwargs +) + +def make_retrieve_command(self, all=False, raw=False): +""" Make function that retrieves a idview using idview-show """ +return self.make_command('idview_show', self.cn, all=all) + +def make_find_command(self, *args, **kwargs): +""" Make function that finds idview using idview-find """ +return self.make_command('idview_find', *args, **kwargs) + +def 
make_update_command(self, updates): +""" Make function that updates idview using idview-mod """ +return self.make_command('idview_mod', self.cn, **updates) + +def track_create(self): +self.attrs = dict( +cn=(self.cn,), +dn=unicode(self.dn), +idoverrideusers=[], +objectclass=objectclasses.idview +) +if 'description' in self.kwargs: +self.attrs['description'] = self.kwargs['description'] +self.exists = True + +def make_add_idoverrideuser_command(self, username, options=None): +options = options or {} +""" Make function that adds a member to a group """ +return self.make_command('idoverrideuser_add', self.cn, username, + **options) + +def idoverrideuser_add(self, user): +command = self.make_add_idoverrideuser_command(user.name) +result = command() +self.attrs['idoverrideusers'].append(result['value']) +self.check_idoverrideuser_add(result, user) + +def check_create(self, result, extra_keys=()): +""" Check 'user-add' command result """ +expected = se
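Review bot: in make_add_idoverrideuser_command() `options = options or {}` still precedes the triple-quoted string, so it is an unused expression rather than a docstring, and that string (`adds a member to a group`) together with `""" Check 'user-add' command result """` in check_create() still describe other trackers' commands; fix both here rather than carrying them into the next revision. Separately, track_create() records `idoverrideusers=[]` and idoverrideuser_add() appends to it, but `retrieve_all_keys` does not include `idoverrideusers`, so nothing ever asserts on that list; either add the key to the retrieve/find key sets or drop the bookkeeping.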
[Freeipa-devel] [freeipa PR#282][opened] replicainstall: give correct error message on DL mismatch
URL: https://github.com/freeipa/freeipa/pull/282 Author: stlaz Title: #282: replicainstall: give correct error message on DL mismatch Action: opened PR body: """ https://fedorahosted.org/freeipa/ticket/6510 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/282/head:pr282 git checkout pr282 From 88eef020e93b7f23c7de0a2f8a3bd3611395bf61 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Tue, 29 Nov 2016 14:08:19 +0100 Subject: [PATCH] replicainstall: give correct error message on DL mismatch https://fedorahosted.org/freeipa/ticket/6510 --- ipaserver/install/server/replicainstall.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index a7b333c..0f45bea 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -557,7 +557,7 @@ def check_domain_level(api, expected): # available current = constants.DOMAIN_LEVEL_0 -if expected == constants.DOMAIN_LEVEL_0: +if current == constants.DOMAIN_LEVEL_0: message = ( "You must provide a file generated by ipa-replica-prepare to " "create a replica when the domain is at level 0." -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
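Review bot: the one-line change `-if expected == constants.DOMAIN_LEVEL_0:` / `+if current == constants.DOMAIN_LEVEL_0:` is correct given the visible context (`current` has just been set to DOMAIN_LEVEL_0 when the level cannot be read), but nothing stops the same mix-up from coming back; add a test for check_domain_level() that covers expected != current with current at level 0 and asserts the ipa-replica-prepare message is produced, plus the symmetric case with expected at level 0, so the error text is tied to the right variable.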
[Freeipa-devel] [freeipa PR#277][+ack] DNS: URI records: bump python-dns requirements
URL: https://github.com/freeipa/freeipa/pull/277 Title: #277: DNS: URI records: bump python-dns requirements Label: +ack

[Freeipa-devel] [freeipa PR#277][synchronized] DNS: URI records: bump python-dns requirements
URL: https://github.com/freeipa/freeipa/pull/277 Author: mbasti-rh Title: #277: DNS: URI records: bump python-dns requirements Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/277/head:pr277 git checkout pr277 From 462bdca9aea5d6668a01bf420097df59d38eb4c5 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Mon, 28 Nov 2016 14:52:21 +0100 Subject: [PATCH] DNS: URI records: bump python-dns requirements Support for DNS URI records has been added in python-dns 1.13 https://fedorahosted.org/freeipa/ticket/6344 --- freeipa.spec.in | 10 +- ipasetup.py.in | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index c683ad3..f336fae 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -124,8 +124,8 @@ BuildRequires: python-memcached BuildRequires: python-lxml # 5.0.0: QRCode.print_ascii BuildRequires: python-qrcode-core >= 5.0.0 -# 1.11.0: resolver.YXDOMAIN, Resolver.set_flags -BuildRequires: python-dns >= 1.11.0 +# 1.13: python-dns URI record support +BuildRequires: python-dns >= 1.13 BuildRequires: jsl BuildRequires: python-yubico # pki Python package @@ -254,7 +254,7 @@ Requires: python-gssapi >= 1.1.2 Requires: python-sssdconfig Requires: python-pyasn1 Requires: dbus-python -Requires: python-dns >= 1.11.1 +Requires: python-dns >= 1.13 Requires: python-kdcproxy >= 0.3 Requires: rpm-libs @@ -411,7 +411,7 @@ BuildArch: noarch Requires: %{name}-client-common = %{version}-%{release} Requires: %{name}-common = %{version}-%{release} Requires: python2-ipalib = %{version}-%{release} -Requires: python-dns >= 1.11.1 +Requires: python-dns >= 1.13 %description -n python2-ipaclient IPA is an integrated solution to provide centrally managed Identity (users, 
@@ -526,7 +526,7 @@ Requires: python-cffi Requires: python-ldap >= 2.4.15 Requires: python-requests Requires: python-custodia -Requires: python-dns >= 1.11.1 +Requires: python-dns >= 1.13 Requires: python-enum34 Requires: python-netifaces >= 0.10.4 Requires: pyusb diff --git a/ipasetup.py.in b/ipasetup.py.in index fac4b25..1db4857 100644 --- a/ipasetup.py.in +++ b/ipasetup.py.in @@ -53,7 +53,7 @@ class build_py(setuptools_build_py): PACKAGE_VERSION = { 'cryptography': 'cryptography >= 0.9', -'dnspython': 'dnspython >= 1.11.1', +'dnspython': 'dnspython >= 1.13', 'gssapi': 'gssapi > 1.1.2', 'ipaclient': 'ipaclient == @VERSION@', 'ipalib': 'ipalib == @VERSION@', -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
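Review bot: the replaced BuildRequires comment recorded why 1.11.0 was the floor (`resolver.YXDOMAIN`, `Resolver.set_flags`), while the new comment names only URI record support; since 1.13 covers both, keeping both reasons in the comment (or in the commit message) preserves the justification for the next time the floor is revised. The bump is applied consistently to all four `Requires: python-dns` lines and to `PACKAGE_VERSION['dnspython']` in ipasetup.py.in, which also removes the earlier 1.11.0 vs 1.11.1 mismatch between BuildRequires and Requires.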
[Freeipa-devel] [freeipa PR#277][comment] DNS: URI records: bump python-dns requirements
URL: https://github.com/freeipa/freeipa/pull/277 Title: #277: DNS: URI records: bump python-dns requirements
mbasti-rh commented: """ Thank you, fixed. """
See the full comment at https://github.com/freeipa/freeipa/pull/277#issuecomment-263562846
[Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements
URL: https://github.com/freeipa/freeipa/pull/255 Title: #255: Adjustments for setup requirements
mbasti-rh commented: """
So create separate commits:
- fixes ipasetup.py
- bumps python-gssapi for pypi, with a proper explanation in the commit message, and maybe a comment in the code may be helpful.
And we will be happy because we have a reason why it needs to be raised and this reason can be found in git history.
I'm still not persuaded of the need for bumping cryptography.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/255#issuecomment-263554517
[Freeipa-devel] [freeipa PR#281][comment] Accept server host names resolvable only using /etc/hosts
URL: https://github.com/freeipa/freeipa/pull/281 Title: #281: Accept server host names resolvable only using /etc/hosts
martbab commented: """ So can you imagine some scenario where this behavior may cause issues? Some exotic DNS setup maybe? """
See the full comment at https://github.com/freeipa/freeipa/pull/281#issuecomment-263553887
[Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements
URL: https://github.com/freeipa/freeipa/pull/255 Title: #255: Adjustments for setup requirements
tiran commented: """ You said Fedora, I didn't. The build bug is not related to Fedora at all. Cryptography 0.9 does not build on any distribution or platform with a recent version of OpenSSL. Touché, I said Fedora in the commit message. """
See the full comment at https://github.com/freeipa/freeipa/pull/255#issuecomment-263552748
[Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements
URL: https://github.com/freeipa/freeipa/pull/255 Title: #255: Adjustments for setup requirements
mbasti-rh commented: """
> PS: There is no technical reason to bump the version of python-gssapi in
> freeipa.spec. The enum34 dependency issue is solely a Python packaging bug.
> It does not affect RPM packages. Since you insist on syncing PyPI versions
> with RPM versions, I had to bump both. Have it your way.
So finally we have a reason to bump the version, which should be documented in git history as a separate commit.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/255#issuecomment-263552388
[Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements
URL: https://github.com/freeipa/freeipa/pull/255 Title: #255: Adjustments for setup requirements
tiran commented: """ PS: There is no technical reason to bump the version of python-gssapi in freeipa.spec. The enum34 dependency issue is solely a Python packaging bug. It does not affect RPM packages. Since you insist on syncing PyPI versions with RPM versions, I had to bump both. Have it your way. """
See the full comment at https://github.com/freeipa/freeipa/pull/255#issuecomment-263552051
[Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements
URL: https://github.com/freeipa/freeipa/pull/255 Title: #255: Adjustments for setup requirements
mbasti-rh commented: """
> @mbasti-rh The bumped version numbers are required. gssapi needs to be bumped
> because 1.1.x has wrong dependency information for Python 3 (enum34).
So, this is a broken Fedora dependency on the Fedora side? If yes then this should be fixed by a Fedora downstream patch. I don't see a reason why the upstream version should have a raised dependency just because Fedora is broken.
> cryptography 0.9 does not build any more. gssapi 1.2 and cryptography 1.3 are
> the oldest releases that have actually been tested by QE. I did not bother to
> verify older releases because I consider it a waste of time and resources. In
> a couple of weeks we have to bump up cryptography to 1.7 anyway.
I don't see a reason for bumping requires just because we are unable to build on Fedora. Fedora is not the only Linux distro.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/255#issuecomment-263552072
[Freeipa-devel] [freeipa PR#273][closed] Build: workaround bug while calling parallel make from rpmbuild
URL: https://github.com/freeipa/freeipa/pull/273 Author: pspacek Title: #273: Build: workaround bug while calling parallel make from rpmbuild Action: closed
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/273/head:pr273
git checkout pr273
[Freeipa-devel] [freeipa PR#273][comment] Build: workaround bug while calling parallel make from rpmbuild
URL: https://github.com/freeipa/freeipa/pull/273 Title: #273: Build: workaround bug while calling parallel make from rpmbuild
martbab commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/132b475c2586f3ced68724355e9c45722dccf604 """
See the full comment at https://github.com/freeipa/freeipa/pull/273#issuecomment-263551875
[Freeipa-devel] [freeipa PR#273][+pushed] Build: workaround bug while calling parallel make from rpmbuild
URL: https://github.com/freeipa/freeipa/pull/273 Title: #273: Build: workaround bug while calling parallel make from rpmbuild Label: +pushed
[Freeipa-devel] [freeipa PR#228][comment] cert-request: allow directoryName in SAN extension
URL: https://github.com/freeipa/freeipa/pull/228 Title: #228: cert-request: allow directoryName in SAN extension
tomaskrizek commented: """ @frasertweedale Oh, I didn't realize the DN in SAN matches the LDAP DN, while the Subject DN does not. In that case, this PR makes sense to me as is. I also don't see the need to validate Subject DN and SAN DN differently, since they use different representation (subject is a more generic identifier, as @tiran pointed out; while SAN DN should be the unique LDAP DN identifier). """
See the full comment at https://github.com/freeipa/freeipa/pull/228#issuecomment-263550747
[Freeipa-devel] [freeipa PR#174][comment] add log module
URL: https://github.com/freeipa/freeipa/pull/174 Title: #174: add log module
mbasti-rh commented: """ Hello, what I meant was to send the fix for the missing translation strings as a separate PR, and if you identified any parts of the code that should be logged too, you can send a PR for that too. Basically your changes in: `ipalib/plugins/config.py` and at the end of `ipaserver/rpcserver.py` (but the second one needs discussion first about why it is needed) """
See the full comment at https://github.com/freeipa/freeipa/pull/174#issuecomment-263550567
[Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements
URL: https://github.com/freeipa/freeipa/pull/255 Title: #255: Adjustments for setup requirements
tiran commented: """ @mbasti-rh The bumped version numbers are required. gssapi needs to be bumped because 1.1.x has wrong dependency information for Python 3 (enum34). cryptography 0.9 does not build any more. gssapi 1.2 and cryptography 1.3 are the oldest releases that have actually been tested by QE. I did not bother to verify older releases because I consider it a waste of time and resources. In a couple of weeks we have to bump up cryptography to 1.7 anyway. """
See the full comment at https://github.com/freeipa/freeipa/pull/255#issuecomment-263550183
[Freeipa-devel] [freeipa PR#271][+ack] Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient
URL: https://github.com/freeipa/freeipa/pull/271 Title: #271: Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient Label: +ack
[Freeipa-devel] [freeipa PR#271][comment] Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient
URL: https://github.com/freeipa/freeipa/pull/271 Title: #271: Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient
stlaz commented: """ I checked the rebase again as well as ran the tests. The changes in the PR clean the code nicely aside from doing what's proposed in the given ticket. The issues from CI and QuantifiedCode are only caused by moving the code in between modules. ACK. """
See the full comment at https://github.com/freeipa/freeipa/pull/271#issuecomment-263548530
[Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements
URL: https://github.com/freeipa/freeipa/pull/255 Title: #255: Adjustments for setup requirements
mbasti-rh commented: """ @tiran You can split the patch into the useful part, and please send the unneeded bumping of requires as a separate pull request; we can continue the discussion about bumping versions there. It is an unrelated part of the patch and should be in a separate commit anyway. """
See the full comment at https://github.com/freeipa/freeipa/pull/255#issuecomment-263547842
[Freeipa-devel] [freeipa PR#228][comment] cert-request: allow directoryName in SAN extension
URL: https://github.com/freeipa/freeipa/pull/228 Title: #228: cert-request: allow directoryName in SAN extension
tiran commented: """ I'm on topic and I'm trying to understand your point. Why do you see a relationship between the subject DN of an X.509 cert and the directoryName general name in the SAN X.509v3 extension? It doesn't make sense to me. The subject follows different rules, e.g. a disjunct set of RDN attributes. Attributes like DC, UID etc. are not commonly found in an X.509 cert's subject. Furthermore, a CA usually imposes some policies and requires the certificate's subject to have fixed C, O, OU etc. values. With multiple SubCAs (e.g. for VPN, client cert auth, host certs) we end up with different subject DNs but with the same directoryName GN SAN entry. The directoryName is designed to hold an LDAP DN. By the way, I was quoting the RFC to give some context. With X.509 there is no such thing as an obvious thing. In fact, multiple certs with the same Subject DN are very relevant and important for this topic. A certificate's Subject DN is not really a distinguishing name in the sense of a unique identifier. """
See the full comment at https://github.com/freeipa/freeipa/pull/228#issuecomment-263546428
[Freeipa-devel] [freeipa PR#280][comment] Set explicit confdir option for global contexts
URL: https://github.com/freeipa/freeipa/pull/280 Title: #280: Set explicit confdir option for global contexts
jcholast commented: """ Please explain, all of the affected scripts are server-only and thus not related to the integration effort and most probably won't work correctly with non-server configuration anyway. """
See the full comment at https://github.com/freeipa/freeipa/pull/280#issuecomment-263540749
[Freeipa-devel] [freeipa PR#228][comment] cert-request: allow directoryName in SAN extension
URL: https://github.com/freeipa/freeipa/pull/228 Title: #228: cert-request: allow directoryName in SAN extension
jcholast commented: """ @tiran, could you please stay on topic? I haven't said anything about it being mandatory, and it's not the point anyway (consistency between subject DN and DN SAN validation is). About CA being allowed to issue multiple certs with the same subject DN, thanks for stating the obvious, but again, not the point here. """
See the full comment at https://github.com/freeipa/freeipa/pull/228#issuecomment-263539133
[Freeipa-devel] [freeipa PR#228][comment] cert-request: allow directoryName in SAN extension
URL: https://github.com/freeipa/freeipa/pull/228 Title: #228: cert-request: allow directoryName in SAN extension
tiran commented: """ @jcholast I'm not familiar with any standard that mandates that an X.509 Subject DN should identify a subject in a directory. Which standard mandates the relationship? RFC 5280 only requires that the Subject DN must be unique for each entity. A CA is allowed to issue multiple certs with the same Subject DN for the same entity. https://tools.ietf.org/html/rfc5280#section-4.1.2.6 """
See the full comment at https://github.com/freeipa/freeipa/pull/228#issuecomment-263536634
[Freeipa-devel] [freeipa PR#280][comment] Set explicit confdir option for global contexts
URL: https://github.com/freeipa/freeipa/pull/280 Title: #280: Set explicit confdir option for global contexts
tiran commented: """ I fixed a few. Some scripts deliberately do not have the confdir flag in bootstrap. """
See the full comment at https://github.com/freeipa/freeipa/pull/280#issuecomment-263532412
[Freeipa-devel] [freeipa PR#266][comment] ipapython: simplify Env object initialization
URL: https://github.com/freeipa/freeipa/pull/266 Title: #266: ipapython: simplify Env object initialization
stlaz commented: """ This PR breaks almost all tests in test_ipalib/test_crud.py with `AttributeError: 'API' object has no attribute 'env'`. This error can be observed in some other tests: http://pastebin.com/8EjE2QVS (please disregard the DNS tests failures). """
See the full comment at https://github.com/freeipa/freeipa/pull/266#issuecomment-263532334
[Freeipa-devel] [freeipa PR#280][synchronized] Set explicit confdir option for global contexts
URL: https://github.com/freeipa/freeipa/pull/280 Author: tiran Title: #280: Set explicit confdir option for global contexts Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/280/head:pr280 git checkout pr280 From 686ade0be3bffd8bda3795728163d5d27df0b9ad Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Mon, 28 Nov 2016 16:24:33 +0100 Subject: [PATCH 1/2] Set explicit confdir option for global contexts Some API contexts are used to modify global state (e.g. files in /etc and /var). These contexts do not support confdir overrides. Initialize the API with an explicit confdir argument to paths.ETC_IPA. The special contexts are: * backup * cli_installer * installer * ipctl * renew * restore * server * updates The patch also corrects the context of the ipa-httpd-kdcproxy script to 'server'. https://fedorahosted.org/freeipa/ticket/6389 Signed-off-by: Christian Heimes --- client/ipa-client-automount | 1 + install/certmonger/dogtag-ipa-ca-renew-agent-submit | 2 +- install/migration/migration.py | 3 ++- install/oddjob/com.redhat.idm.trust-fetch-domains | 4 +++- install/restart_scripts/renew_ca_cert | 2 +- install/restart_scripts/restart_dirsrv | 3 ++- install/restart_scripts/stop_pkicad | 3 ++- install/share/copy-schema-to-ca.py | 3 ++- install/share/wsgi.py | 6 -- install/tools/ipa-httpd-kdcproxy| 3 ++- install/tools/ipa-replica-conncheck | 4 +++- install/tools/ipactl| 5 - ipaclient/install/client.py | 1 + ipaclient/ipa_certupdate.py | 2 +- ipaserver/install/ipa_backup.py | 2 +- ipaserver/install/ipa_ldap_updater.py | 2 +- ipaserver/install/ipa_restore.py| 1 + ipaserver/install/ipa_server_upgrade.py | 2 +- ipaserver/install/ipa_winsync_migrate.py| 3 ++- ipaserver/install/ldapupdate.py | 4 +++- ipaserver/install/server/install.py | 2 ++ ipaserver/install/server/replicainstall.py | 19 +-- 22 files changed, 53 insertions(+), 24 deletions(-) 
diff --git a/client/ipa-client-automount b/client/ipa-client-automount index 53c0537..93b1eaf 100755 --- a/client/ipa-client-automount +++ b/client/ipa-client-automount @@ -383,6 +383,7 @@ def main(): cfg = dict( context='cli_installer', +confdir=paths.ETC_IPA, in_server=False, debug=options.debug, verbose=0, diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit index 7389a5e..2e137ad 100755 --- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit +++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit @@ -494,7 +494,7 @@ def main(): 'ipaCACertRenewal': renew_ca_cert, } -api.bootstrap(in_server=True, context='renew') +api.bootstrap(in_server=True, context='renew', confdir=paths.ETC_IPA) api.finalize() api.Backend.ldap2.connect() diff --git a/install/migration/migration.py b/install/migration/migration.py index 4743279..73e4777 100644 --- a/install/migration/migration.py +++ b/install/migration/migration.py @@ -24,6 +24,7 @@ import errno from wsgiref.util import request_uri +from ipaplatform.paths import paths from ipapython.ipa_log_manager import root_logger from ipapython.dn import DN from ipapython import ipaldap @@ -72,7 +73,7 @@ def application(environ, start_response): # API object only for configuration, finalize() not needed api = create_api(mode=None) -api.bootstrap(context='server', in_server=True) +api.bootstrap(context='server', confdir=paths.ETC_IPA, in_server=True) try: bind(api.env.ldap_uri, api.env.basedn, form_data['username'].value, form_data['password'].value) diff --git a/install/oddjob/com.redhat.idm.trust-fetch-domains b/install/oddjob/com.redhat.idm.trust-fetch-domains index b663daa..073e254 100755 --- a/install/oddjob/com.redhat.idm.trust-fetch-domains +++ b/install/oddjob/com.redhat.idm.trust-fetch-domains 
@@ -9,6 +9,7 @@ from ipalib.config import Env from ipalib.constants import DEFAULT_CONFIG from ipapython.ipautil import kinit_keytab from ipaplatform.constants import constants +from ipaplatform.paths import paths import sys import os import pwd @@ -94,7 +95,8 @@ env._bootstrap(debug=options.debug, log=None) env._finalize_core(**dict(DEFAULT_CONFIG)) # Initialize the API with the proper debug level -api.bootstrap(in_server=True, debug=env.debug, log=None, context='server') +api.bootstrap(in_server=True, debug=env.debug, log=None, + context='server', confdir=paths.ETC_IPA) api.finalize(
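Review bot: the ipa-client-automount and dogtag-ipa-ca-renew-agent-submit hunks start using `paths.ETC_IPA` without a visible import, whereas migration.py and com.redhat.idm.trust-fetch-domains add `from ipaplatform.paths import paths` in the same patch; please confirm those two scripts already import `paths`, otherwise the new keyword argument raises NameError at startup. In the trust-fetch-domains hunk the separate `Env` built via `env._bootstrap(debug=options.debug, log=None)` and `env._finalize_core(**dict(DEFAULT_CONFIG))` still gets no `confdir`, so `env.debug` is read from the default location while `api` is pinned to `paths.ETC_IPA`; a short comment there would make clear that this asymmetry is intended.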
[Freeipa-devel] [freeipa PR#228][comment] cert-request: allow directoryName in SAN extension
URL: https://github.com/freeipa/freeipa/pull/228 Title: #228: cert-request: allow directoryName in SAN extension
frasertweedale commented: """ @jcholast OK. Let's put this PR on ice for now... I may well take up your suggestion to allow subject DN to match LDAP DN, but I don't have the cycles for it right now. Thanks for your feedback. """
See the full comment at https://github.com/freeipa/freeipa/pull/228#issuecomment-263524060
[Freeipa-devel] [freeipa PR#228][comment] cert-request: allow directoryName in SAN extension
URL: https://github.com/freeipa/freeipa/pull/228 Title: #228: cert-request: allow directoryName in SAN extension
jcholast commented: """ @frasertweedale, if the subject DN need not match the LDAP DN, then DN SANs need not match it as well - both the subject DN and DN SANs are supposed to identify the subject in the directory, and for us the directory is LDAP. There should be no special casing one way or the other, if something is allowed for the subject DN it must be allowed for DN SANs and vice-versa (with the exception of the special handling of the most specific CN in subject DN of server certificates). The fact that we currently require a non-LDAP subject DN in `cert-request` is a different issue. All I'm asking for is consistency. If we first allowed the subject DN to match the LDAP DN I would be perfectly happy with this PR. """
See the full comment at https://github.com/freeipa/freeipa/pull/228#issuecomment-263521018
[Freeipa-devel] [freeipa PR#279][synchronized] installer: Stop adding distro-specific NTP servers into ntp.conf
URL: https://github.com/freeipa/freeipa/pull/279 Author: dkupka Title: #279: installer: Stop adding distro-specific NTP servers into ntp.conf Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/279/head:pr279 git checkout pr279 From ceceeb67b37510779fe26902ecc1cb89d66d9d2f Mon Sep 17 00:00:00 2001 From: David Kupka Date: Mon, 28 Nov 2016 15:56:30 +0100 Subject: [PATCH] installer: Stop adding distro-specific NTP servers into ntp.conf Distribution packaged ntpd has servers preconfigured in ntp.conf so there's no point in trying to add them again during FreeIPA server installation. https://fedorahosted.org/freeipa/ticket/6486 --- ipaserver/install/ntpinstance.py | 17 - 1 file changed, 17 deletions(-) diff --git a/ipaserver/install/ntpinstance.py b/ipaserver/install/ntpinstance.py index 716eb08..a8b1f61 100644 --- a/ipaserver/install/ntpinstance.py +++ b/ipaserver/install/ntpinstance.py @@ -20,7 +20,6 @@ from ipaserver.install import service from ipaserver.install import sysupgrade -from ipapython import ipautil from ipaplatform.constants import constants from ipaplatform.paths import paths from ipapython.ipa_log_manager import root_logger @@ -60,20 +59,7 @@ def __write_config(self): self.fstore.backup_file(paths.NTP_CONF) self.fstore.backup_file(paths.SYSCONFIG_NTPD) -# We use the OS variable to point it towards either the rhel -# or fedora pools. Other distros should be added in the future -# or we can get our own pool. -os = "" -if ipautil.file_exists(paths.ETC_FEDORA_RELEASE): -os = "fedora" -elif ipautil.file_exists(paths.ETC_REDHAT_RELEASE): -os = "rhel" - srv_vals = [] -srv_vals.append("0.%s.pool.ntp.org" % os) -srv_vals.append("1.%s.pool.ntp.org" % os) -srv_vals.append("2.%s.pool.ntp.org" % os) -srv_vals.append("3.%s.pool.ntp.org" % os) srv_vals.append("127.127.1.0") fudge = ["fudge", "127.127.1.0", "stratum", "10"] 
@@ -96,9 +82,6 @@ def __write_config(self): break if match: srv_vals.remove(srv) -else: -file_changed = True -line = "" elif opt[0] == "fudge": if opt[0:4] == fudge[0:4]: fudge_present = True -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
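Review bot: with the pool entries gone, `srv_vals` holds only "127.127.1.0", and dropping the `else:` branch (`file_changed = True`, `line = ""`) in the second hunk means `server` lines that are not in `srv_vals` are now left in ntp.conf instead of being blanked. That is what the commit message asks for (keep the distribution's preconfigured servers), but it also means an existing install whose ntp.conf still carries the `N.fedora.pool.ntp.org` or `N.rhel.pool.ntp.org` entries written by earlier versions keeps them; worth a sentence in the commit message so upgraders are not surprised. The `from ipapython import ipautil` import is removed as well; the hunk only shows the two `ipautil.file_exists` calls going away, so please confirm nothing else in ntpinstance.py still references `ipautil`.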
[Freeipa-devel] [freeipa PR#280][comment] Set explicit confdir option for global contexts
URL: https://github.com/freeipa/freeipa/pull/280 Title: #280: Set explicit confdir option for global contexts
jcholast commented: """ You missed a few:
```
daemons/dnssec/ipa-dnskeysync-replica:124:ipalib.api.bootstrap(in_server=True, log=None) # no logging to file
daemons/dnssec/ipa-dnskeysyncd:23:api.bootstrap(in_server=True, log=None) # no logging to file
daemons/dnssec/ipa-ods-exporter:618:ipalib.api.bootstrap(in_server=True, log=None) # no logging to file
doc/guide/wsgi.py.txt:9:env._bootstrap(context='server', log=None)
doc/guide/wsgi.py.txt:13:api.bootstrap(context='server', debug=env.debug, log=None) (ref:wsgi-app-bootstrap)
install/restart_scripts/renew_ra_cert:39:api.bootstrap(in_server=True, context='restart')
install/tools/ipa-adtrust-install:269:api.bootstrap(**cfg)
install/tools/ipa-ca-install:262:api.bootstrap(in_server=True, ra_plugin='dogtag')
install/tools/ipa-compat-manage:105:api.bootstrap(context='cli', in_server=True, debug=options.debug)
install/tools/ipa-csreplica-manage:418:api.bootstrap(**api_env)
install/tools/ipa-dns-install:139:api.bootstrap(**cfg)
install/tools/ipa-managed-entries:75:api.bootstrap(context='cli', debug=options.debug)
install/tools/ipa-nis-manage:118:api.bootstrap(context='cli', debug=options.debug, in_server=True)
install/tools/ipa-replica-manage:1512:api.bootstrap(**api_env)
ipapython/dnssec/ldapkeydb.py:417:ipalib.api.bootstrap(in_server=True, log=None) # no logging to file
ipaserver/advise/base.py:238:api.bootstrap(in_server=False, context='cli')
ipaserver/advise/base.py:240:advise_api.bootstrap(in_server=False, context='cli')
ipaserver/install/ipa_cacert_manage.py:99:api.bootstrap(in_server=True)
ipaserver/install/ipa_kra_install.py:80:api.bootstrap(in_server=True)
ipaserver/install/ipa_otptoken_import.py:512: api.bootstrap(in_server=True)
ipaserver/install/ipa_replica_prepare.py:183: api.bootstrap(in_server=True)
ipaserver/install/ipa_server_certinstall.py:102: api.bootstrap(in_server=True)
ipatests/test_ipaserver/test_ldap.py:114:myapi.bootstrap(context='cli', in_server=True)
ipatests/test_ipaserver/test_serverroles.py:472: test_api.bootstrap(in_server=True, ldap_uri=api.env.ldap_uri)
lite-server.py:130:(options, args) = api.bootstrap_with_global_options(parser, context='lite')
```
"""
See the full comment at https://github.com/freeipa/freeipa/pull/280#issuecomment-263513330
[Freeipa-devel] [freeipa PR#266][edited] ipapython: simplify Env object initialization
URL: https://github.com/freeipa/freeipa/pull/266
Author: jcholast
Title: #266: ipapython: simplify Env object initialization
Action: edited
Changed field: body

Original value:
"""
Fully initialize Env objects in Env() instead of having to call their private methods to complete the initialization later.

Do not use custom Env instance to determine the debug level to use for the IPA API object - the IPA API object can properly determine the configured debug level on its own.

Remove locking and related code from Env as it is never used.
"""
[Freeipa-devel] [freeipa PR#266][comment] ipapython: simplify Env object initialization
URL: https://github.com/freeipa/freeipa/pull/266
Title: #266: ipapython: simplify Env object initialization

jcholast commented:
"""
Yes, my above comment is wrong (sorry).
"""
See the full comment at https://github.com/freeipa/freeipa/pull/266#issuecomment-263505232
[Freeipa-devel] [freeipa PR#225][comment] tests: Added basic tests for certs in idoverrides
URL: https://github.com/freeipa/freeipa/pull/225
Title: #225: tests: Added basic tests for certs in idoverrides

apophys commented:
"""
Thank you for the change of the order and using the objectclasses module. There are still things I'd like to be changed, though.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/225#issuecomment-263505112
Re: [Freeipa-devel] NTP in FreeIPA
On 29.11.2016 09:11, Jan Cholasta wrote:
> On 28.11.2016 20:57, Rob Crittenden wrote:
>> David Kupka wrote:
>>> On 22/11/16 23:15, Gabe Alford wrote:
>>>> I would say that it is worth keeping in FreeIPA. I know myself and some
>>>> customers use its functionality by having the clients sync to the IPA
>>>> servers and have the servers sync to the NTP source. This way if the NTP
>>>> source ever gets disrupted for long periods of time (which has happened
>>>> in my environment) the client time drifts with the authentication
>>>> source. This is the way that AD often works and is configured.
>>>
>>> Hello Gabe,
>>> I agree that it's common practice to synchronize all nodes in network
>>> with single source in order to have the same time and save bandwidth.
>>> Also I understand that it's comfortable to let FreeIPA installer take
>>> care of it.
>>> But I don't think FreeIPA should do it. IMO this is a job for Ansible or
>>> similar tool. Also the problem is that in some situations FreeIPA
>>> installer makes it worse.
>>>
>>> Example:
>>>
>>> 1. Install FreeIPA server (ipa1.example.org)
>>> 2. Install FreeIPA client on all nodes in network
>>> 3. Install replica (ipa2.example.org) of FreeIPA server to increase
>>>    redundancy
>>>
>>> Now all the clients have ipa1.example.org as the only server in
>>> /etc/ntp.conf. If the first FreeIPA server becomes unreachable all
>>> clients will be able to contact KDC on the other server thanks to DNS
>>> autodiscovery in libkrb5 but will be unable to synchronize time.
>>
>> Remember that the goal of IPA was to herd together a bunch of software
>> to make hard things easier. This included dealing with the 5-minute
>> Kerberos window so ntp was configured on the client and server (which is
>> less of an issue now).
>>
>> When making changes you have to ask yourself who are you making this
>> easier for: you or the user.
>>
>> Yes, getting NTP right is hard, but does it meet the 80/20 rule in terms
>> of success? I'd think so.
>>
>> If someone wants to configure it using Ansible they can use the
>> --no-ntp. If they want to use different time servers they can pass in
>> --ntp-server. But by default IMHO it should do something sane to give a
>> good experience.
>
> I think to do something sane is exactly the point of this, and the sanest
> thing we can do is to not touch NTP configuration at all:
>
> * if the NTP configuration obtained via DHCP works, we can't make it any
>   better by touching it, only worse,
> * if the default NTP configuration shipped with the distribution works, we
>   again can't make it any better by touching it,
> * if we are running inside container, time is synchronized by other means
>   and we should not touch NTP configuration at all,
> * if neither the default NTP configuration nor the NTP configuration
>   obtained via DHCP works and we are not running inside container, we may
>   attempt to fix the configuration, but it will not be permanent and will
>   work only for this specific host.
>
> I think the first 3 points cover 99% of real-life deployments, and yet we
> are optimized towards the remaining 1%, with the potential of breaking the
> configuration for the 99%. This is far from sane IMHO.

+1 for Honza's point.

Current NTP code works only for initial setup and silently breaks
synchronization later on. Most importantly it breaks synchronization as soon
as admin removes old replicas and replaces them with new ones - there is no
mechanism to update the records in the client configuration (and SRV
discovery is not supported by clients). I.e. when an admin decommissions
replicas which were around at the time of client installation, the NTP on the
client will silently break. This would not happen if you did not touch it.

(This also implicitly means that IPA-configured NTP is broken on all clients
in topologies which were completely migrated from RHEL 6 to RHEL 7.)

Either DHCP or default distro config would solve the problem better.

Petr^2 Spacek

>> There don't seem to be a ton of NTP tickets and I don't recall a lot of
>> users pressing for it to go away (the reverse, many times their
>> problems revolve around time not being synced). I wonder if a survey on
>> freeipa-users would be in order to see how hot an issue this really is.
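The failure mode discussed in this thread, a client whose ntp.conf names a single IPA server that may later be decommissioned, is easy to spot from the configuration file itself. The following is an added example, not code from the thread or from FreeIPA: it parses the `server`/`peer`/`pool` directives of an ntp.conf and flags a single hard-coded source and, through a hypothetical `resolve` hook so it runs offline, sources that no longer resolve. The two configuration texts are constructed samples.

```python
"""Added example: audit ntp.conf for the single-server fragility described above.

Not part of FreeIPA; `resolve` and the sample configurations are assumptions
constructed for this illustration.
"""
import re
import socket

# Constructed sample: what a client installed against ipa1 only might carry.
SAMPLE_NTP_CONF = """\
# /etc/ntp.conf (constructed sample)
driftfile /var/lib/ntp/drift
restrict default nomodify notrap nopeer noquery
server ipa1.example.org iburst
"""

# Constructed sample: distro pool plus two replicas.
SAMPLE_NTP_CONF_POOL = """\
driftfile /var/lib/ntp/drift
pool 0.fedora.pool.ntp.org iburst
server ipa1.example.org iburst
server ipa2.example.org iburst
"""

# Directives that name a time source; trailing options (iburst, ...) are ignored.
TIME_SOURCE_RE = re.compile(r'^(server|peer|pool)\s+(\S+)')


def time_sources(conf_text):
    """Return (directive, host) pairs from ntp.conf text, ignoring comments."""
    sources = []
    for line in conf_text.splitlines():
        line = line.split('#', 1)[0].strip()  # drop comments and whitespace
        m = TIME_SOURCE_RE.match(line)
        if m:
            sources.append((m.group(1), m.group(2)))
    return sources


def dns_resolves(host):
    """Real resolver for interactive use; the test injects a stub instead."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def check_ntp_conf(conf_text, resolve=None):
    """Classify the configured time sources.

    resolve(host) -> bool is a hypothetical hook; None skips the DNS check so
    the example runs offline. Returns sources, unresolvable hosts and findings.
    """
    sources = time_sources(conf_text)
    findings = []
    unresolvable = []

    if not sources:
        findings.append("no time source configured")

    # A pool directive expands to several servers, so it does not count as a
    # single point of failure the way one explicit 'server' line does.
    has_pool = any(d == "pool" for d, _ in sources)
    if len(sources) == 1 and not has_pool:
        findings.append("single hard-coded time source; if %s disappears, "
                        "time sync stops silently" % sources[0][1])

    if resolve is not None:
        unresolvable = [h for _, h in sources if not resolve(h)]
        if unresolvable:
            findings.append("time sources no longer resolvable: %s"
                            % ", ".join(unresolvable))

    return {"sources": sources, "unresolvable": unresolvable,
            "findings": findings}


if __name__ == "__main__":
    for name, text in (("single", SAMPLE_NTP_CONF), ("pool", SAMPLE_NTP_CONF_POOL)):
        report = check_ntp_conf(text)
        print(name, report["sources"], report["findings"])
```

Run against a real file with `check_ntp_conf(open('/etc/ntp.conf').read(), resolve=dns_resolves)`; a finding about a single source is exactly the situation in which a removed replica breaks time sync without any error on the client.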
[Freeipa-devel] [freeipa PR#266][comment] ipapython: simplify Env object initialization
URL: https://github.com/freeipa/freeipa/pull/266
Title: #266: ipapython: simplify Env object initialization

stlaz commented:
"""
From offline discussion I got that the PR should actually work in the end. I'll make the review.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/266#issuecomment-263503377
[Freeipa-devel] [freeipa PR#276][synchronized] replica-conncheck: improve error msg + logging
URL: https://github.com/freeipa/freeipa/pull/276 Author: tomaskrizek Title: #276: replica-conncheck: improve error msg + logging Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/276/head:pr276 git checkout pr276 From d46e1a38bb65e20439a6772fbba08df7c4fcef11 Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Fri, 25 Nov 2016 17:23:29 +0100 Subject: [PATCH 1/2] replica-conncheck: improve error message during replicainstall Replica conncheck may fail for other reasons then network misconfiguration. For example, an incorrect admin password might be provided. Since conncheck is ran as a separate script in quiet mode, no insightful error message can be displayed. https://fedorahosted.org/freeipa/ticket/6497 --- ipaserver/install/replication.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py index ba35c49..35066c2 100644 --- a/ipaserver/install/replication.py +++ b/ipaserver/install/replication.py @@ -105,7 +105,7 @@ def replica_conn_check(master_host, host_name, realm, check_ca, if result.returncode != 0: raise ScriptError( "Connection check failed!" -"\nPlease fix your network settings according to error messages above." +"\nSee /var/log/ipareplica-conncheck.log for more information." "\nIf the check results are not valid it can be skipped with --skip-conncheck parameter.") else: print("Connection check OK") From 916ea2d4e4eb0230a6f371b3d4d83dc055994cc6 Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Fri, 25 Nov 2016 17:27:16 +0100 Subject: [PATCH 2/2] replica-conncheck: improve message logging Make sure all messages displayed on screen to the user can be found in the log as well. The messages are also logged if the script is ran in quiet mode. https://fedorahosted.org/freeipa/ticket/6497 --- install/tools/ipa-replica-conncheck | 97 +++-- 1 file changed, 51 insertions(+), 46 deletions(-) 
diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck index 7ec1ef8..225a0df 100755 --- a/install/tools/ipa-replica-conncheck +++ b/install/tools/ipa-replica-conncheck @@ -47,7 +47,6 @@ from cryptography.hazmat.primitives import serialization CONNECT_TIMEOUT = 5 RESPONDERS = [ ] -QUIET = False CCACHE_FILE = None KRB5_CONFIG = None @@ -60,7 +59,7 @@ class SshExec(object): def __call__(self, command, verbose=False): # Bail if ssh is not installed if self.cmd is None: -print("WARNING: ssh not installed, skipping ssh test") +root_logger.warning("WARNING: ssh not installed, skipping ssh test") return ('', '', 0) tmpf = tempfile.NamedTemporaryFile() @@ -108,10 +107,6 @@ BASE_PORTS = [ ] -def print_info(msg): -if not QUIET: -print(msg) - def parse_options(): def ca_cert_file_callback(option, opt, value, parser): if not os.path.exists(value): @@ -205,10 +200,6 @@ def parse_options(): if not options.hostname: options.hostname = socket.getfqdn() -if options.quiet: -global QUIET -QUIET = True - return safe_options, options def logging_setup(options): @@ -217,7 +208,8 @@ def logging_setup(options): if os.getegid() == 0 and options.log_to_file: log_file = paths.IPAREPLICA_CONNCHECK_LOG -standard_logging_setup(log_file, debug=options.debug) +standard_logging_setup(log_file, verbose=(not options.quiet), + debug=options.debug, console_format='%(message)s') def clean_responders(responders): if not responders: 
@@ -328,13 +320,14 @@ def port_check(host, port_list): else: ports_failed.append(port) result = "FAILED" -print_info(" %s (%d): %s" % (port.description, port.port, result)) +root_logger.info(" %s (%d): %s" % (port.description, port.port, result)) if ports_udp_warning: -print("The following UDP ports could not be verified as open: %s" \ -% ", ".join(str(port.port) for port in ports_udp_warning)) -print("This can happen if they are already bound to an application") -print("and ipa-replica-conncheck cannot attach own UDP responder.") +root_logger.warning( +("The following UDP ports could not be verified as open: %s\n" + "This can happen if they are already bound to an application\n" + "and ipa-replica-conncheck cannot attach own UDP responder.") +% ", ".join(str(port.port) for port in ports_udp_warning)) if ports_failed: msg_ports = [] @@ -362,29 +355,34 @@ def main(): "PKI-CA: Directory Service port")) if options.replica: -print_info("Check connection
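Review bot: in the `ipaserver/install/replication.py` hunk of patch 1/2, the new message hardcodes `/var/log/ipareplica-conncheck.log`, while the conncheck script in patch 2/2 refers to the same file as `paths.IPAREPLICA_CONNCHECK_LOG` and only opens it when `os.getegid() == 0 and options.log_to_file`; use the `paths` constant in the message so the two cannot drift apart, and consider wording it so it does not point the user at a log file that was never written when conncheck ran without file logging.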
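Review bot: in the `SshExec.__call__` hunk (`@@ -60,7 +59,7 @@`), `root_logger.warning("WARNING: ssh not installed, skipping ssh test")` keeps a literal `WARNING:` prefix inside a message that the logger already tags with its level, so the file log will show the word twice; since `console_format='%(message)s'` in the `logging_setup` hunk hides the level on the console, either keep the prefix deliberately and note why, or drop it and let the console format carry the level.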
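Review bot: the hunks at `@@ -108,10 +107,6 @@` and `@@ -205,10 +200,6 @@` delete `print_info` and the `QUIET` global, but the patch is cut off inside `@@ -362,29 +355,34 @@ def main():` so not every former `print_info`/`print` call site is visible here; please confirm with a grep over `install/tools/ipa-replica-conncheck` that no caller of `print_info` or reader of `QUIET` remains, since any leftover would only fail at runtime with a `NameError` on the first check that reaches it.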
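Review bot: in the `port_check` hunk (`@@ -328,13 +320,14 @@`), `root_logger.info(" %s (%d): %s" % (port.description, port.port, result))` and the multi-line `root_logger.warning((...) % ", ".join(...))` apply `%` before calling the logger; the deferred form `root_logger.info(" %s (%d): %s", port.description, port.port, result)` is the style the `logging` module documents and skips the formatting when the level is disabled. The embedded `\n` in the UDP warning also turns the former three `print` lines into one multi-line log record, which reads fine on the console with `%(message)s` but is a single entry in the file log; that seems intended by the commit message, so a short comment saying so would help the next reader.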
Re: [Freeipa-devel] NTP in FreeIPA
On 28.11.2016 20:57, Rob Crittenden wrote:
> David Kupka wrote:
>> On 22/11/16 23:15, Gabe Alford wrote:
>>> I would say that it is worth keeping in FreeIPA. I know myself and some
>>> customers use its functionality by having the clients sync to the IPA
>>> servers and have the servers sync to the NTP source. This way if the NTP
>>> source ever gets disrupted for long periods of time (which has happened
>>> in my environment) the client time drifts with the authentication
>>> source. This is the way that AD often works and is configured.
>>
>> Hello Gabe,
>> I agree that it's common practice to synchronize all nodes in network
>> with single source in order to have the same time and save bandwidth.
>> Also I understand that it's comfortable to let FreeIPA installer take
>> care of it.
>> But I don't think FreeIPA should do it. IMO this is a job for Ansible or
>> similar tool. Also the problem is that in some situations FreeIPA
>> installer makes it worse.
>>
>> Example:
>>
>> 1. Install FreeIPA server (ipa1.example.org)
>> 2. Install FreeIPA client on all nodes in network
>> 3. Install replica (ipa2.example.org) of FreeIPA server to increase
>>    redundancy
>>
>> Now all the clients have ipa1.example.org as the only server in
>> /etc/ntp.conf. If the first FreeIPA server becomes unreachable all
>> clients will be able to contact KDC on the other server thanks to DNS
>> autodiscovery in libkrb5 but will be unable to synchronize time.
>
> Remember that the goal of IPA was to herd together a bunch of software
> to make hard things easier. This included dealing with the 5-minute
> Kerberos window so ntp was configured on the client and server (which is
> less of an issue now).
>
> When making changes you have to ask yourself who are you making this
> easier for: you or the user.
>
> Yes, getting NTP right is hard, but does it meet the 80/20 rule in terms
> of success? I'd think so.
>
> If someone wants to configure it using Ansible they can use the
> --no-ntp. If they want to use different time servers they can pass in
> --ntp-server. But by default IMHO it should do something sane to give a
> good experience.

I think to do something sane is exactly the point of this, and the sanest
thing we can do is to not touch NTP configuration at all:

* if the NTP configuration obtained via DHCP works, we can't make it any
  better by touching it, only worse,
* if the default NTP configuration shipped with the distribution works, we
  again can't make it any better by touching it,
* if we are running inside container, time is synchronized by other means
  and we should not touch NTP configuration at all,
* if neither the default NTP configuration nor the NTP configuration
  obtained via DHCP works and we are not running inside container, we may
  attempt to fix the configuration, but it will not be permanent and will
  work only for this specific host.

I think the first 3 points cover 99% of real-life deployments, and yet we are
optimized towards the remaining 1%, with the potential of breaking the
configuration for the 99%. This is far from sane IMHO.

> There don't seem to be a ton of NTP tickets and I don't recall a lot of
> users pressing for it to go away (the reverse, many times their
> problems revolve around time not being synced). I wonder if a survey on
> freeipa-users would be in order to see how hot an issue this really is.
>
> rob

--
Jan Cholasta