[Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file

2016-11-29 Thread frasertweedale
  URL: https://github.com/freeipa/freeipa/pull/177
Title: #177: Add options to write lightweight CA cert or chain to file

frasertweedale commented:
"""
Never mind... my `--chain` option disappeared... not quite there yet >_<
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/177#issuecomment-263806421
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file

2016-11-29 Thread frasertweedale
  URL: https://github.com/freeipa/freeipa/pull/177
Title: #177: Add options to write lightweight CA cert or chain to file

frasertweedale commented:
"""
@jcholast thanks for review.  PR updated.  No longer inheriting 
`BaseCertObject`.  `--chain` now defined
server-side and no longer implies `--all`.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/177#issuecomment-263805812

[Freeipa-devel] [freeipa PR#177][synchronized] Add options to write lightweight CA cert or chain to file

2016-11-29 Thread frasertweedale
   URL: https://github.com/freeipa/freeipa/pull/177
Author: frasertweedale
 Title: #177: Add options to write lightweight CA cert or chain to file
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/177/head:pr177
git checkout pr177
From 074d38a611ee4d4edc2afa857563cf0e09527115 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Tue, 16 Aug 2016 13:16:58 +1000
Subject: [PATCH 1/3] Add function for extracting PEM certs from PKCS #7

Add a single function for extracting X.509 certs in PEM format from
a PKCS #7 object.  Refactor sites that execute ``openssl pkcs7`` to
use the new function.

Part of: https://fedorahosted.org/freeipa/ticket/6178
---
 ipalib/x509.py  | 23 +-
 ipapython/certdb.py |  9 ++-
 ipaserver/install/cainstance.py | 52 +++--
 3 files changed, 43 insertions(+), 41 deletions(-)

diff --git a/ipalib/x509.py b/ipalib/x509.py
index e1c3867..caf0ddc 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -48,7 +48,9 @@
 from ipalib import api
 from ipalib import util
 from ipalib import errors
+from ipaplatform.paths import paths
 from ipapython.dn import DN
+from ipapython import ipautil
 
 if six.PY3:
 unicode = str
@@ -56,7 +58,9 @@
 PEM = 0
 DER = 1
 
-PEM_REGEX = re.compile(r'(?<=-BEGIN CERTIFICATE-).*?(?=-END CERTIFICATE-)', re.DOTALL)
+PEM_REGEX = re.compile(
+r'-BEGIN CERTIFICATE-.*?-END CERTIFICATE-',
+re.DOTALL)
 
 EKU_SERVER_AUTH = '1.3.6.1.5.5.7.3.1'
 EKU_CLIENT_AUTH = '1.3.6.1.5.5.7.3.2'
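Review bot: the new `PEM_REGEX` matches `-BEGIN CERTIFICATE-` with a single dash on each side, so `findall` returns strings that begin at the last dash of `-----BEGIN CERTIFICATE-----` and end at the first dash of `-----END CERTIFICATE-----`; the armor loses four dashes at each end and the result is not valid PEM. Anchor on the full marker (`-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----`), and check every other user of `PEM_REGEX` in this module, since the old lookbehind/lookahead form returned only the base64 body between the markers and callers may depend on that.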
@@ -145,6 +149,23 @@ def load_certificate_list_from_file(filename):
 return load_certificate_list(f.read())
 
 
+def pkcs7_to_pems(data, datatype=PEM):
+"""
+Extract certificates from a PKCS #7 object.
+
+Return a ``list`` of X.509 PEM strings.
+
+May throw ``ipautil.CalledProcessError`` on invalid data.
+
+"""
+cmd = [
+paths.OPENSSL, "pkcs7", "-print_certs",
+"-inform", "PEM" if datatype == PEM else "DER",
+]
+result = ipautil.run(cmd, stdin=data, capture_output=True)
+return PEM_REGEX.findall(result.output)
+
+
 def is_self_signed(certificate, datatype=PEM):
 cert = load_certificate(certificate, datatype)
 return cert.issuer == cert.subject
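Review bot: `pkcs7_to_pems` treats any `datatype` other than `PEM` as DER (`"PEM" if datatype == PEM else "DER"`), so a wrong constant from a caller silently selects DER instead of failing; compare against `DER` explicitly and raise on anything else. The docstring should also state that an empty list is returned when `openssl` exits successfully but the PKCS #7 object carries no certificates, because callers such as `__import_ca_chain` need to treat that as an error rather than as a valid chain.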
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 5344e37..9b989ef 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -237,13 +237,8 @@ def import_files(self, files, db_password_filename, import_keys=False,
 continue
 
 if label in ('PKCS7', 'PKCS #7 SIGNED DATA', 'CERTIFICATE'):
-args = [
-OPENSSL, 'pkcs7',
-'-print_certs',
-]
 try:
-result = ipautil.run(
-args, stdin=body, capture_output=True)
+certs = x509.pkcs7_to_pems(body)
 except ipautil.CalledProcessError as e:
 if label == 'CERTIFICATE':
 root_logger.warning(
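Review bot: a body with the `CERTIFICATE` label is still pushed through `openssl pkcs7`, which fails on a bare certificate and lands in the existing warning branch; that preserves the previous behaviour, but now that `pkcs7_to_pems` exists it would be cleaner to handle `CERTIFICATE` directly with `x509.PEM_REGEX` rather than relying on the `CalledProcessError` path.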
@@ -255,7 +250,7 @@ def import_files(self, files, db_password_filename, import_keys=False,
 filename, line, e)
 continue
 else:
-extracted_certs += result.output + '\n'
+extracted_certs += '\n'.join(certs) + '\n'
 loaded = True
 continue
 
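Review bot: `extracted_certs += '\n'.join(certs) + '\n'` is followed by `loaded = True` even when `certs` is empty, so a PKCS #7 blob that contains no certificates is counted as loaded while contributing nothing; treat an empty list like the `CalledProcessError` case (warn and `continue`).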
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 505232c..a3751d1 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -745,44 +745,30 @@ def __import_ca_chain(self):
 # makes openssl throw up.
 data = base64.b64decode(chain)
 
-result = ipautil.run(
-[paths.OPENSSL,
- "pkcs7",
- "-inform",
- "DER",
- "-print_certs",
- ], stdin=data, capture_output=True)
-certlist = result.output
+certlist = x509.pkcs7_to_pems(data, x509.DER)
 
 # Ok, now we have all the certificates in certs, walk through it
 # and pull out each certificate and add it to our database
 
-st = 1
-en = 0
-subid = 0
 ca_dn = DN(('CN','Certificate Authority'), self.subject_base)
-while st > 0:
-st = certlist.find('-BEGIN', en)
-en = certlist.find('-END', en+1)
-if st > 0:
-try:
-(chain_fd, chain_name) = tempfile.mkstemp()
-os.write(chain_fd, certlist[st:en+25])
-os.close(chain_fd)
-(_rdn, subject_dn) = certs.get_cert_nickname(certlist[st:en+25])
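Review bot: `certlist` is now a list of PEM strings, but the comment above (`now we have all the certificates in certs, walk through it and pull out each certificate`) still describes the old string-scanning approach and should be updated. The remainder of this hunk, where the removed `find('-BEGIN', ...)` loop and the `certlist[st:en+25]` slices are replaced, is cut off in this message, so the replacement loop cannot be reviewed here; also check whether `tempfile` and `os.write`/`os.close` are still needed in this module once the loop is gone.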

[Freeipa-devel] [freeipa PR#174][comment] add log module

2016-11-29 Thread shanyin
  URL: https://github.com/freeipa/freeipa/pull/174
Title: #174: add log module

shanyin commented:
"""
Hello,
I have sent the fix for the missing translations as a separate PR in 
https://github.com/freeipa/freeipa/pull/286.
The changes in the ipaserver/rpcserver.py file were used for parsing the apache 
error.log information into ipa.log, which was used for providing the interfaces of 
the Web UI log module.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/174#issuecomment-263801899

[Freeipa-devel] [freeipa PR#245][synchronized] Allow full customisability of IPA CA subject DN

2016-11-29 Thread frasertweedale
   URL: https://github.com/freeipa/freeipa/pull/245
Author: frasertweedale
 Title: #245: Allow full customisability of IPA CA subject DN
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/245/head:pr245
git checkout pr245
From db851f34fe4544be55604b9675570a6fb2a0 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Fri, 11 Nov 2016 18:54:01 +1000
Subject: [PATCH 1/7] Remove unused function argument

Remove an unused function argument.  Also rename the function to
have a more accurate name.

Part of: https://fedorahosted.org/freeipa/ticket/2614
---
 ipaserver/install/server/install.py | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 1f2e8a4..861f48e 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -242,7 +242,7 @@ def check_dirsrv(unattended):
 raise ScriptError(msg)
 
 
-def set_subject_in_config(realm_name, dm_password, suffix, subject_base):
+def set_subject_base_in_config(realm_name, dm_password, subject_base):
 ldapuri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % (
 installutils.realm_to_serverid(realm_name)
 )
@@ -846,8 +846,7 @@ def install(installer):
 os.chmod(paths.IPA_CA_CRT, 0o644)
 ca_db.publish_ca_cert(paths.IPA_CA_CRT)
 
-set_subject_in_config(realm_name, dm_password,
-  ipautil.realm_to_suffix(realm_name), options.subject)
+set_subject_base_in_config(realm_name, dm_password, options.subject_base)
 
 # Apply any LDAP updates. Needs to be done after the configuration file
 # is created. DS is restarted in the process.
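Review bot: the call site now reads `options.subject_base`, but nothing in this patch renames the `subject` option to `subject_base`; if that rename lands in a later commit of the series, this commit raises `AttributeError` on its own and breaks bisecting. Either carry the option rename here or keep `options.subject` until the commit that renames it.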

From 84a92acf701c82798e1079e9c9e201b881881130 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Wed, 16 Nov 2016 19:31:19 +1000
Subject: [PATCH 2/7] installutils: remove hardcoded subject DN assumption

`installutils.load_external_cert` assumes that the IPA CA subject
DN is `CN=Certificate Authority, {subject_base}`.  In preparation
for full customisability of IPA CA subject DN, push this assumption
out of this function to call sites (which will be updated in a
subsequent commit).

Part of: https://fedorahosted.org/freeipa/ticket/2614
---
 ipaserver/install/ca.py| 4 +++-
 ipaserver/install/installutils.py  | 7 ---
 ipaserver/install/ipa_cacert_manage.py | 7 +--
 3 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index efc8c87..2ff66af 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -100,7 +100,9 @@ def install_check(standalone, replica_config, options):
   "--external-ca.")
 
 external_cert_file, external_ca_file = installutils.load_external_cert(
-options.external_cert_files, options.subject)
+options.external_cert_files,
+DN(('CN', 'Certificate Authority'), options.subject)
+)
 elif options.external_ca:
 if cainstance.is_step_one_done():
 raise ScriptError(
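Review bot: this is the first use of `DN` visible in `ipaserver/install/ca.py` and the hunk adds no import; confirm `from ipapython.dn import DN` is already present in this module, otherwise `install_check` fails with `NameError` on the external-CA path.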
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index a6cde89..2f311b4 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -1092,7 +1092,8 @@ def check_entropy():
 except ValueError as e:
 root_logger.debug("Invalid value in %s %s", paths.ENTROPY_AVAIL, e)
 
-def load_external_cert(files, subject_base):
+
+def load_external_cert(files, ca_subject):
 """
 Load and verify external CA certificate chain from multiple files.
 
@@ -1100,7 +1101,7 @@ def load_external_cert(files, subject_base):
 chain formats.
 
 :param files: Names of files to import
-:param subject_base: Subject name base for IPA certificates
+:param ca_subject: IPA CA subject DN
 :returns: Temporary file with the IPA CA certificate and temporary file
 with the external CA certificate chain
 """
@@ -1114,7 +1115,7 @@ def load_external_cert(files, subject_base):
 except RuntimeError as e:
 raise ScriptError(str(e))
 
-ca_subject = DN(('CN', 'Certificate Authority'), subject_base)
+ca_subject = DN(ca_subject)
 ca_nickname = None
 cache = {}
 for nickname, _trust_flags in nssdb.list_certs():
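Review bot: `ca_subject = DN(ca_subject)` rebinds the parameter; that is fine for normalising a string, but the caller in `ca.py` already passes a `DN` instance, so confirm `DN(...)` accepts an existing `DN` (or guard with `isinstance(ca_subject, DN)`), and state in the docstring whether callers may pass a string or must pass a `DN`.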
diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py
index 5a278f4..4082dfa 100644
--- a/ipaserver/install/ipa_cacert_manage.py
+++ b/ipaserver/install/ipa_cacert_manage.py
@@ -192,8 +192,6 @@ def renew_external_step_2(self, ca, old_cert_der):
 
 options = self.options
 conn = api.Backend.ldap2
-cert_file, ca_file = installutils.load_external_cert(
-options.external_cert_files, x509.subject_base())
 
 old_cert_obj = x509.load_certificate(old_cert_der, x509.DER)
 old_der_subject = 
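Review bot: removing the `load_external_cert` call here leaves `cert_file` and `ca_file` unassigned unless the rest of this hunk, cut off after `old_der_subject =` in this message, reintroduces the call with the CA subject taken from `old_cert_obj`; as shown, the hunk also drops `x509.subject_base()` without a visible replacement, so the full diff needs to be checked on GitHub.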

[Freeipa-devel] [freeipa PR#285][opened] Check the result of cert request in replica installer

2016-11-29 Thread flo-renaud
   URL: https://github.com/freeipa/freeipa/pull/285
Author: flo-renaud
 Title: #285: Check the result of cert request in replica installer
Action: opened

PR body:
"""
When running ipa-replica-install in domain-level 1, the installer
requests the LDAP and HTTP certificates using certmonger but does
not check the return code. The installer goes on and fails when
restarting dirsrv.

Fix: when certmonger was not able to request the certificate, raise an
exception and exit from the installer:

  [28/45]: retrieving DS Certificate
  [error] RuntimeError: Certificate issuance failed
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR
Certificate issuance failed
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR
The ipa-replica-install command failed. See /var/log/ipareplica-install.log for 
more information

https://fedorahosted.org/freeipa/ticket/6514
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/285/head:pr285
git checkout pr285
From 0f7826cbf3ecd4b42a17ba9e0f83be9a9509b398 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Tue, 29 Nov 2016 21:15:29 +0100
Subject: [PATCH] Check the result of cert request in replica installer

When running ipa-replica-install in domain-level 1, the installer
requests the LDAP and HTTP certificates using certmonger but does
not check the return code. The installer goes on and fails when
restarting dirsrv.

Fix: when certmonger was not able to request the certificate, raise an
exception and exit from the installer:

  [28/45]: retrieving DS Certificate
  [error] RuntimeError: Certificate issuance failed
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR
Certificate issuance failed
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR
The ipa-replica-install command failed. See /var/log/ipareplica-install.log for 
more information

https://fedorahosted.org/freeipa/ticket/6514
---
 ipaserver/install/certs.py | 12 +---
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index ab2379b..45602ba 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -647,13 +647,11 @@ def export_pem_cert(self, nickname, location):
 def request_service_cert(self, nickname, principal, host, pwdconf=False):
 if pwdconf:
 self.create_password_conf()
-reqid = certmonger.request_cert(nssdb=self.secdir,
-nickname=nickname,
-principal=principal,
-subject=host,
-passwd_fname=self.passwd_fname)
-# Now wait for the cert to appear. Check three times then abort
-certmonger.wait_for_request(reqid, timeout=60)
+certmonger.request_and_wait_for_cert(nssdb=self.secdir,
+ nickname=nickname,
+ principal=principal,
+ subject=host,
+ passwd_fname=self.passwd_fname)
 
 
 class _CrossProcessLock(object):
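Review bot: the old code passed an explicit `timeout=60` to `wait_for_request`, and the new `certmonger.request_and_wait_for_cert(...)` call passes none; confirm that helper applies an equivalent timeout and raises rather than returns on failure, because the `RuntimeError: Certificate issuance failed` exit described in the PR body depends on the exception propagating out of `request_service_cert`. Dropping the stale `Check three times then abort` comment together with the old call is good.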

[Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements

2016-11-29 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/255
Title: #255: Adjustments for setup requirements

tiran commented:
"""
@martbab Welcome to the party! This discussion has been running for a very long 
time and in multiple places. Let me bring you up to speed.

First of all, the requirements in ```ipasetup.py``` are completely unrelated to 
distribution packaging (RPM, DEB, whatever). PyPI packaging follows slightly 
different rules. For example, you don't get carefully curated packages, 
downstream patches for build issues or a known working set of packages. It's a 
bit more wild west and fast moving. I was against bumping the version in the 
spec file because the bump is not required for my work. The other insisted on 
it.

Next up, version information like "cryptography >= 0.9" means that any version 
equal to or greater than 0.9 is known to work. If you follow upstream development 
of OpenSSL and Cryptography closely, then you are aware that any version of 
cryptography < 1.3 no longer compiles against a recent version of OpenSSL 
1.0.2. CFFI bindings are very sensitive to subtle changes in the ABI and C API. 
OpenSSL tends to break both every now and then.

Finally, this discussion is pointless. I will bump the version requirements of 
cryptography to 1.7.0 in a matter of weeks. A BZ for RHEL has been filed. 
Version 1.7.0 hasn't been released yet. It will contain two important fixes 
(lock and osrandom) and a new feature for @frasertweedale (multi RDN).

```
$ python3 -m venv /tmp/cryptovenv
$ . /tmp/cryptovenv/bin/activate
(cryptovenv) $ pip install 'cryptography==0.9' 
Collecting cryptography==0.9
  Downloading cryptography-0.9.tar.gz (302kB)
100% || 303kB 122kB/s 
Collecting idna (from cryptography==0.9)
  Using cached idna-2.1-py2.py3-none-any.whl
Collecting pyasn1 (from cryptography==0.9)
  Using cached pyasn1-0.1.9-py2.py3-none-any.whl
Collecting six>=1.4.1 (from cryptography==0.9)
  Using cached six-1.10.0-py2.py3-none-any.whl
Requirement already satisfied (use --upgrade to upgrade): setuptools in 
./cryptovenv/lib/python3.5/site-packages (from cryptography==0.9)
Collecting cffi>=0.8 (from cryptography==0.9)
  Using cached cffi-1.9.1.tar.gz
Collecting pycparser (from cffi>=0.8->cryptography==0.9)
Installing collected packages: idna, pyasn1, six, pycparser, cffi, cryptography
  Running setup.py install for cffi ... done
  Running setup.py install for cryptography ... error
Complete output from command /tmp/cryptovenv/bin/python3 -u -c "import 
setuptools, 
tokenize;__file__='/tmp/pip-build-_2z81799/cryptography/setup.py';exec(compile(getattr(tokenize,
 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" 
install --record /tmp/pip-83qpivr4-record/install-record.txt 
--single-version-externally-managed --compile --install-headers 
/tmp/cryptovenv/include/site/python3.5/cryptography:
running install
running build
running build_py
creating build
creating build/lib.linux-x86_64-3.5
creating build/lib.linux-x86_64-3.5/cryptography
...
running build_ext
building '_Cryptography_cffi_1251de2xc302a38b' extension
creating build/temp.linux-x86_64-3.5
creating build/temp.linux-x86_64-3.5/src
creating build/temp.linux-x86_64-3.5/src/cryptography
creating build/temp.linux-x86_64-3.5/src/cryptography/hazmat
creating build/temp.linux-x86_64-3.5/src/cryptography/hazmat/bindings
creating 
build/temp.linux-x86_64-3.5/src/cryptography/hazmat/bindings/__pycache__
gcc -pthread -Wno-unused-result -Wsign-compare 
-DDYNAMIC_ANNOTATIONS_ENABLED=1 -DNDEBUG -O2 -g -pipe -Wall 
-Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions 
-fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches 
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic 
-D_GNU_SOURCE -fPIC -fwrapv -fPIC -I/tmp/cryptovenv/include 
-I/usr/include/python3.5m -c 
src/cryptography/hazmat/bindings/__pycache__/_Cryptography_cffi_1251de2xc302a38b.c
 -o 
build/temp.linux-x86_64-3.5/src/cryptography/hazmat/bindings/__pycache__/_Cryptography_cffi_1251de2xc302a38b.o

src/cryptography/hazmat/bindings/__pycache__/_Cryptography_cffi_1251de2xc302a38b.c:505:6:
 error: conflicting types for ‘BIO_new_mem_buf’
 BIO *BIO_new_mem_buf(void *, int);
  ^~~
In file included from /usr/include/openssl/asn1.h:65:0,
 from 
src/cryptography/hazmat/bindings/__pycache__/_Cryptography_cffi_1251de2xc302a38b.c:220:
/usr/include/openssl/bio.h:692:6: note: previous declaration of 
‘BIO_new_mem_buf’ was here
 BIO *BIO_new_mem_buf(const void *buf, int len);
  ^~~

src/cryptography/hazmat/bindings/__pycache__/_Cryptography_cffi_1251de2xc302a38b.c:2019:15:
 error: ‘SSLv2_method’ redeclared as different kind of symbol
 SSL_METHOD* (*SSLv2_method)(void) = NULL;
   ^~~~
In file included from 
src/cryptography/hazmat/bindings/__

[Freeipa-devel] [freeipa PR#275][+ack] Enhance __repr__ method of Principal

2016-11-29 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/275
Title: #275: Enhance __repr__ method of Principal

Label: +ack

[Freeipa-devel] [freeipa PR#281][+ack] Accept server host names resolvable only using /etc/hosts

2016-11-29 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/281
Title: #281: Accept server host names resolvable only using /etc/hosts

Label: +ack

[Freeipa-devel] [freeipa PR#267][comment] ipa-replica-conncheck: do not close listening ports until required

2016-11-29 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/267
Title: #267: ipa-replica-conncheck: do not close listening ports until required

tomaskrizek commented:
"""
I've created a separate [ticket](https://fedorahosted.org/freeipa/ticket/6522) 
and PR #284 for the change discussed offline, since it seemed out of the scope 
for this ticket.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/267#issuecomment-263639123

[Freeipa-devel] [freeipa PR#281][closed] Accept server host names resolvable only using /etc/hosts

2016-11-29 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/281
Author: pspacek
 Title: #281: Accept server host names resolvable only using /etc/hosts
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/281/head:pr281
git checkout pr281

[Freeipa-devel] [freeipa PR#281][+pushed] Accept server host names resolvable only using /etc/hosts

2016-11-29 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/281
Title: #281: Accept server host names resolvable only using /etc/hosts

Label: +pushed

[Freeipa-devel] [freeipa PR#281][comment] Accept server host names resolvable only using /etc/hosts

2016-11-29 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/281
Title: #281: Accept server host names resolvable only using /etc/hosts

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/0e093f938d8126f11fed920b7381ba6e3d07da5b
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/47ee2870d83eeb9b07137c765d3feb41da8b02c7
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/281#issuecomment-263640668

[Freeipa-devel] [freeipa PR#281][comment] Accept server host names resolvable only using /etc/hosts

2016-11-29 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/281
Title: #281: Accept server host names resolvable only using /etc/hosts

martbab commented:
"""
Ok I am fine with this.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/281#issuecomment-263640183

[Freeipa-devel] [freeipa PR#225][+pushed] tests: Added basic tests for certs in idoverrides

2016-11-29 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/225
Title: #225: tests: Added basic tests for certs in idoverrides

Label: +pushed

[Freeipa-devel] [freeipa PR#225][comment] tests: Added basic tests for certs in idoverrides

2016-11-29 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/225
Title: #225: tests: Added basic tests for certs in idoverrides

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/ccd3677b50eab2223ddf1e1b6682c20fc695ad24
https://fedorahosted.org/freeipa/changeset/452dc97aba12288a23c20f519f4c1c0d4408b765
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/62061a3a0444c65dc058ee1b9d0ef0096b621be3
https://fedorahosted.org/freeipa/changeset/b5ab5c1cef09555417e912fa767d78e4afa10872
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/225#issuecomment-263639311

[Freeipa-devel] [freeipa PR#225][closed] tests: Added basic tests for certs in idoverrides

2016-11-29 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/225
Author: ofayans
 Title: #225: tests: Added basic tests for certs in idoverrides
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/225/head:pr225
git checkout pr225

[Freeipa-devel] [freeipa PR#225][+ack] tests: Added basic tests for certs in idoverrides

2016-11-29 Thread apophys
  URL: https://github.com/freeipa/freeipa/pull/225
Title: #225: tests: Added basic tests for certs in idoverrides

Label: +ack

[Freeipa-devel] [freeipa PR#225][comment] tests: Added basic tests for certs in idoverrides

2016-11-29 Thread apophys
  URL: https://github.com/freeipa/freeipa/pull/225
Title: #225: tests: Added basic tests for certs in idoverrides

apophys commented:
"""
Thank you for addressing the issues. The implementation is somewhat minimal; 
however, in the future it can be extended as needed.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/225#issuecomment-263638790

[Freeipa-devel] [freeipa PR#284][opened] ipautil: check for open ports on all resolved IPs

2016-11-29 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/284
Author: tomaskrizek
 Title: #284: ipautil: check for open ports on all resolved IPs
Action: opened

PR body:
"""
When a hostname is provided to host_port_open, it should check if
ports are open for ALL IPs that are resolved from the hostname, instead
of checking whether the port is reachable on at least one of the IPs.

https://fedorahosted.org/freeipa/ticket/6522
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/284/head:pr284
git checkout pr284
From 15f9f9168630f44003e9975253b69ea921b1446e Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Tue, 29 Nov 2016 18:19:07 +0100
Subject: [PATCH] ipautil: check for open ports on all resolved IPs

When a hostname is provided to host_port_open, it should check if
ports are open for ALL IPs that are resolved from the hostname, instead
of checking whether the port is reachable on at least one of the IPs.

https://fedorahosted.org/freeipa/ticket/6522
---
 install/tools/ipa-replica-conncheck |  5 +++--
 ipapython/ipautil.py| 39 +++--
 2 files changed, 36 insertions(+), 8 deletions(-)

diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index 544116e..9a30385 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -315,8 +315,9 @@ def port_check(host, port_list):
 ports_udp_warning = []  # conncheck could not verify that port is open
 for port in port_list:
 try:
-port_open = ipautil.host_port_open(host, port.port,
-port.port_type, socket_timeout=CONNECT_TIMEOUT)
+port_open = ipautil.host_port_open(
+host, port.port, port.port_type,
+socket_timeout=CONNECT_TIMEOUT, log_errors=True)
 except socket.gaierror:
 raise RuntimeError("Port check failed! Unable to resolve host name '%s'" % host)
 if port_open:
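Review bot: with `log_errors=True`, every unreachable address is now logged at error level from inside `host_port_open`, while this loop still records the same port in its own warning lists, so each failure will be reported twice to the user; decide which layer owns the message, or log at debug level inside `host_port_open` and keep the summary here.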
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 1c95a81..167479d 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -55,6 +55,12 @@
 GEN_TMP_PWD_LEN = 12  # only for OTP password that is manually retyped by user
 
 
+PROTOCOL_NAMES = {
+socket.SOCK_STREAM: 'tcp',
+socket.SOCK_DGRAM: 'udp'
+}
+
+
 class UnsafeIPAddress(netaddr.IPAddress):
 """Any valid IP address with or without netmask."""
 
@@ -866,7 +872,17 @@ def user_input(prompt, default = None, allow_empty = True):
 return ret
 
 
-def host_port_open(host, port, socket_type=socket.SOCK_STREAM, socket_timeout=None):
+def host_port_open(host, port, socket_type=socket.SOCK_STREAM,
+   socket_timeout=None, log_errors=False):
+"""
+host: either hostname or IP address;
+  if hostname is provided, port MUST be open on ALL resolved IPs
+
+returns True is port is open, False otherwise
+"""
+port_open = True
+
+# port has to be open on ALL resolved IPs
 for res in socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket_type):
 af, socktype, proto, _canonname, sa = res
 try:
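Review bot: the docstring has a typo (`returns True is port is open` should read `if`) and documents only `host`; add `port`, `socket_type`, `socket_timeout` and the new `log_errors` flag, and spell out that a hostname resolving to several addresses requires the port to be open on every one of them, since that is the behavioural change this patch makes.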
@@ -874,7 +890,7 @@ def host_port_open(host, port, socket_type=socket.SOCK_STREAM, socket_timeout=No
 s = socket.socket(af, socktype, proto)
 except socket.error:
 s = None
-continue
+raise
 
 if socket_timeout is not None:
 s.settimeout(socket_timeout)
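Review bot: changing `continue` to `raise` when `socket.socket(af, socktype, proto)` fails means a host that resolves to an IPv6 address on a system with IPv6 disabled now aborts the whole check with `socket.error` instead of skipping that address, and the only caller in `ipa-replica-conncheck` catches `socket.gaierror` only, so this surfaces as a traceback rather than the `Port check failed!` message. If socket creation failure should count as "port not open", set `port_open = False`, log it and continue; if it should abort, catch `socket.error` in the caller.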
@@ -884,15 +900,26 @@ def host_port_open(host, port, socket_type=socket.SOCK_STREAM, socket_timeout=No
 if socket_type == socket.SOCK_DGRAM:
 s.send('')
 s.recv(512)
-
-return True
 except socket.error:
-pass
+port_open = False
+
+if log_errors:
+msg = ('Failed to connect to port %(port)d %(proto)s on '
+   '%(addr)s' % dict(port=port,
+ proto=PROTOCOL_NAMES[socket_type],
+ addr=sa[0]))
+
+# Do not log udp failures as errors (to be consistent with
+# the rest of the code that checks for open ports)
+if socket_type == socket.SOCK_DGRAM:
+root_logger.debug(msg)
+else:
+root_logger.error(msg)
 finally:
 if s:
 s.close()
 
-return False
+return port_open
 
 def bind_port_responder(port, socket_type=socket.SOCK_STREAM, socket_timeout=None, responder_data=None):
 host = None   # all available interfaces
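Review bot: `PROTOCOL_NAMES[socket_type]` raises `KeyError` for any `socket_type` other than `SOCK_STREAM`/`SOCK_DGRAM` when `log_errors` is set, turning a plain connection failure into an unrelated exception; use `PROTOCOL_NAMES.get(socket_type, str(socket_type))`. The loop now keeps probing the remaining addresses after the first failure, which is useful for logging all of them, but the UDP path's `s.recv(512)` still blocks indefinitely when `socket_timeout` is `None` (pre-existing).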

[Freeipa-devel] [freeipa PR#275][comment] Enhance __repr__ method of Principal

2016-11-29 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/275
Title: #275: Enhance __repr__ method of Principal

martbab commented:
"""
That sounds like a good idea. Added such an assert to the unit tests.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/275#issuecomment-263638134

[Freeipa-devel] [freeipa PR#275][synchronized] Enhance __repr__ method of Principal

2016-11-29 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/275
Author: martbab
 Title: #275: Enhance __repr__ method of Principal
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/275/head:pr275
git checkout pr275
From 53a2e9d5b64c15dfd4b65069316a957c977aafb0 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Mon, 28 Nov 2016 10:22:26 +0100
Subject: [PATCH] Enhance __repr__ method of Principal

`__repr__` now returns more descriptive string containing the actual principal
name while keeping the ability to reconstruct the object from it.

This makes principal names visible in debug logs, easing troubleshooting a
bit.

https://fedorahosted.org/freeipa/ticket/6505
---
 ipapython/kerberos.py| 4 
 ipatests/test_ipapython/test_kerberos.py | 2 ++
 2 files changed, 6 insertions(+)

diff --git a/ipapython/kerberos.py b/ipapython/kerberos.py
index a8ebc04..3d3530c 100644
--- a/ipapython/kerberos.py
+++ b/ipapython/kerberos.py
@@ -181,3 +181,7 @@ def __str__(self):
 principal_string = u'@'.join([principal_string, realm])
 
 return principal_string
+
+def __repr__(self):
+return "{0.__module__}.{0.__name__}('{1}')".format(
+self.__class__, self)
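Review bot: `'{1}'` wraps the string form of `self` in literal single quotes, so a principal name containing `'` or `\` produces a repr that does not reconstruct the object, which is the property the commit message advertises; formatting the string form with `!r` (`'{1!r}'` on `str(self)`) or escaping it before quoting keeps the round trip exact. Note also that `__str__` above builds a `unicode` value, so on Python 2 a non-ASCII principal name makes this `str`-typed format string raise `UnicodeEncodeError`; a `u''` format string avoids that. Using `self.__class__` for `__module__` and `__name__` is the right choice, since subclasses then print under their own name.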
diff --git a/ipatests/test_ipapython/test_kerberos.py b/ipatests/test_ipapython/test_kerberos.py
index 7e1eca4..284d8c2 100644
--- a/ipatests/test_ipapython/test_kerberos.py
+++ b/ipatests/test_ipapython/test_kerberos.py
@@ -82,6 +82,8 @@ def test_principals(valid_principal):
 assert getattr(princ, name) == value
 
 assert unicode(princ) == principal_name
+assert repr(princ) == "ipapython.kerberos.Principal('{}')".format(
+principal_name)
 
 
 def test_multiple_unescaped_ats_raise_error():
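Review bot: the new assertion only compares against the literal `ipapython.kerberos.Principal('...')` string and never exercises the reconstruction the commit message promises; add a round-trip check such as `assert eval(repr(princ)) == princ` (with `ipapython.kerberos` imported in the test module) so every name produced by the `valid_principal` fixture is shown to survive `repr` and back, which is also where a name with a quote or backslash would surface.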

[Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements

2016-11-29 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/255
Title: #255: Adjustments for setup requirements

martbab commented:
"""
Well from our (as upstream) POV 0.9 and later is required for Custodia to work 
correctly. This requirement was introduced by me in commit 
aa749957360b85fecaed2f9f8dc286f560b89e0b when I was building 4.3 in Copr for 
CentOS 7. There was ye olde 0.8 something version and I found empirically that 
0.9 or later is required for replica promotion to work (at that time 1.2.1 was 
the most up-to-date version built in Brew IIRC). Yes, this version is ancient 
and the vast majority of distros do not support it anymore, but then it is their 
job to provide a newer version fulfilling our Requires and I see no point in 
artificially bumping it in upstream unless some of our code depends on 
functionality of a newer version.

I mentioned the CentOS story as an example that demonstrates that you never 
know on what distro your software is being ported.

That said, if you are afraid that it can break the PIP use-case then I am fine 
with bumping the version but as @mbasti-rh said, please split version bumps 
into a separate commit with a clean explanation of the reasons (already provided 
in the commit message).

This makes it easier for our future selves to review the build/runtime 
requirements during spec file cleanups and similar work. I remember that 
@jcholast was very frustrated when he was cleaning up BuildRequires recently 
and was unable to find any reasonable explanation for many of them in git 
history.

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/255#issuecomment-263636692

Re: [Freeipa-devel] NTP in FreeIPA

2016-11-29 Thread Alexander Bokovoy

On ti, 29 marras 2016, Petr Spacek wrote:
> On 29.11.2016 16:02, Rob Crittenden wrote:
>> Petr Spacek wrote:
>>> On 29.11.2016 09:11, Jan Cholasta wrote:
>>>> On 28.11.2016 20:57, Rob Crittenden wrote:
>>>>> David Kupka wrote:
>>>>>> On 22/11/16 23:15, Gabe Alford wrote:
>>>>>>> I would say that it is worth keeping in FreeIPA. I know myself and some
>>>>>>> customers use its functionality by having the clients sync to the IPA
>>>>>>> servers and have the servers sync to the NTP source. This way if the NTP
>>>>>>> source ever gets disrupted for long periods of time (which has
>>>>>>> happened in my environment) the client time drifts with the
>>>>>>> authentication source. This is the way that AD often works and is
>>>>>>> configured.
>>>>>>
>>>>>> Hello Gabe,
>>>>>> I agree that it's common practice to synchronize all nodes in network
>>>>>> with single source in order to have the same time and save bandwidth.
>>>>>> Also I understand that it's comfortable to let FreeIPA installer take
>>>>>> care of it.
>>>>>> But I don't think FreeIPA should do it; IMO this is a job for Ansible or
>>>>>> similar tool. Also the problem is that in some situations FreeIPA
>>>>>> installer makes it worse.
>>>>>>
>>>>>> Example:
>>>>>>
>>>>>> 1. Install FreeIPA server (ipa1.example.org)
>>>>>> 2. Install FreeIPA client on all nodes in network
>>>>>> 3. Install replica (ipa2.example.org) of FreeIPA server to increase
>>>>>> redundancy
>>>>>>
>>>>>> Now all the clients have ipa1.example.org as the only server in
>>>>>> /etc/ntp.conf. If the first FreeIPA server becomes unreachable all
>>>>>> clients will be able to contact KDC on the other server thanks to DNS
>>>>>> autodiscovery in libkrb5 but will be unable to synchronize time.
>>>>>
>>>>> Remember that the goal of IPA was to herd together a bunch of software
>>>>> to make hard things easier. This included dealing with the 5-minute
>>>>> Kerberos window so ntp was configured on the client and server (which is
>>>>> less of an issue now).
>>>>>
>>>>> When making changes you have to ask yourself who are you making this
>>>>> easier for: you or the user.
>>>>>
>>>>> Yes, getting NTP right is hard, but does it meet the 80/20 rule in terms
>>>>> of success? I'd think so. I
>>>>>
>>>>> If someone wants to configure it using Ansible they can use the
>>>>> --no-ntp. If they want to use different time servers they can pass in
>>>>> --ntp-server. But by default IMHO it should do something sane to give a
>>>>> good experience.
>>>>
>>>> I think to do something sane is exactly the point of this, and the sanest
>>>> thing we can do is to not touch NTP configuration at all:
>>>>
>>>>   * if the NTP configuration obtained via DHCP works, we can't make it any
>>>> better by touching it, only worse,
>>>>   * if the default NTP configuration shipped with the distribution works, we
>>>> again can't make it any better by touching it,
>>>>   * if we are running inside container, time is synchronized by other means
>>>> and we should not touch NTP configuration at all,
>>>>   * if neither the default NTP configuration nor the NTP configuration
>>>> obtained via DHCP works and we are not running inside container, we may
>>>> attempt to fix the configuration, but it will not be permanent and will work
>>>> only for this specific host.
>>>>
>>>> I think the first 3 points cover 99% of real-life deployments, and yet we are
>>>> optimized towards the remaining 1%, with the potential of breaking the
>>>> configuration for the 99%. This is far from sane IMHO.
>>>
>>> +1 for Honza's point.
>>>
>>> Current NTP code works only for initial setup and silently breaks
>>> synchronization later on. Most importantly it breaks synchronization as soon
>>> as admin removes old replicas and replaces them with new ones - there is no
>>> mechanism to update the records in the client configuration (and SRV discovery
>>> is not supported by clients).
>>>
>>> I.e. when admin decommissions replicas which were around at the time of client
>>> installation, the NTP on client will silently break. This would not happen if
>>> you did not touch it.
>>>
>>> (This also implicitly means that IPA-configured NTP is broken on all clients
>>> in topologies which were completely migrated from RHEL 6 to RHEL 7.)
>>>
>>> Either DHCP or default distro config would solve the problem better.
>>
>> That's fair but where is the huge pile of bugs, tickets and user
>> e-mails complaining about time? Or has nobody noticed yet?
>
> Hard to say. There might be multiple reasons for this. E.g.
>
> - Starting with Fedora 16, Chronyd is installed by default. IPA client
> installer does not configure Chronyd by default so there is nothing to break.
>
> - DHCP integration still modifies IPA-generated ntp.conf.
>
> - Users who care might use a configuration management tool.

Still, bug reports and users' complaints are the only external measure we
have. There is close to nothing in complaints about NTP functionality,
other than requests to support chronyd and better discovery of existing
NTP setups. I don't think that requires dramatic action like removal of
NTP support altogether.

--
/ Alexander Bokovoy



[Freeipa-devel] [freeipa PR#275][comment] Enhance __repr__ method of Principal

2016-11-29 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/275
Title: #275: Enhance __repr__ method of Principal

tiran commented:
"""
Can you please add a test to `ipatests/test_ipapython/test_kerberos.py` 
`test_principals`? Something along the lines of `assert repr(princ) == 
"ipapython.kerberos.Principal('{}')".format(principal_name)` should do the 
trick (untested).
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/275#issuecomment-263633526

[Freeipa-devel] [freeipa PR#275][comment] Enhance __repr__ method of Principal

2016-11-29 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/275
Title: #275: Enhance __repr__ method of Principal

martbab commented:
"""
Sorry I somehow botched that, but it worked nevertheless. I have re-worked the 
PR according to your comments.

```
In [1]: import ipapython.kerberos
In [2]: p = ipapython.kerberos.Principal(u"HTTP/replica1.ipa.test")
In [3]: p
Out[3]: ipapython.kerberos.Principal('HTTP/replica1.ipa.test')
In [5]: r = eval('p')
In [6]: r
Out[6]: ipapython.kerberos.Principal('HTTP/replica1.ipa.test')
In [7]: r == p
Out[7]: True
```
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/275#issuecomment-263630652

[Freeipa-devel] [freeipa PR#281][comment] Accept server host names resolvable only using /etc/hosts

2016-11-29 Thread pspacek
  URL: https://github.com/freeipa/freeipa/pull/281
Title: #281: Accept server host names resolvable only using /etc/hosts

pspacek commented:
"""
`--no-host-dns` disables all checks (theoretically) so it should be used only 
in special cases. Given it acts as kind of force switch, we should not 
advertise it. In either case the user will have to provide `--ip-address` 
option. Also, the user is asked for IP address in interactive mode so IMHO we 
are sufficiently covered.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/281#issuecomment-263609320

Re: [Freeipa-devel] NTP in FreeIPA

2016-11-29 Thread Petr Spacek
On 29.11.2016 16:02, Rob Crittenden wrote:
> Petr Spacek wrote:
>> On 29.11.2016 09:11, Jan Cholasta wrote:
>>> On 28.11.2016 20:57, Rob Crittenden wrote:
>>>> David Kupka wrote:
>>>>> On 22/11/16 23:15, Gabe Alford wrote:
>>>>>> I would say that it is worth keeping in FreeIPA. I know myself and some
>>>>>> customers use its functionality by having the clients sync to the IPA
>>>>>> servers and have the servers sync to the NTP source. This way if the NTP
>>>>>> source ever gets disrupted for long periods of time (which has
>>>>>> happened in my environment) the client time drifts with the
>>>>>> authentication source. This is the way that AD often works and is
>>>>>> configured.
>>>>>
>>>>> Hello Gabe,
>>>>> I agree that it's common practice to synchronize all nodes in network
>>>>> with single source in order to have the same time and save bandwidth.
>>>>> Also I understand that it's comfortable to let FreeIPA installer take
>>>>> care of it.
>>>>> But I don't think FreeIPA should do it; IMO this is a job for Ansible or
>>>>> similar tool. Also the problem is that in some situations FreeIPA
>>>>> installer makes it worse.
>>>>>
>>>>> Example:
>>>>>
>>>>> 1. Install FreeIPA server (ipa1.example.org)
>>>>> 2. Install FreeIPA client on all nodes in network
>>>>> 3. Install replica (ipa2.example.org) of FreeIPA server to increase
>>>>> redundancy
>>>>>
>>>>> Now all the clients have ipa1.example.org as the only server in
>>>>> /etc/ntp.conf. If the first FreeIPA server becomes unreachable all
>>>>> clients will be able to contact KDC on the other server thanks to DNS
>>>>> autodiscovery in libkrb5 but will be unable to synchronize time.
>>>>
>>>> Remember that the goal of IPA was to herd together a bunch of software
>>>> to make hard things easier. This included dealing with the 5-minute
>>>> Kerberos window so ntp was configured on the client and server (which is
>>>> less of an issue now).
>>>>
>>>> When making changes you have to ask yourself who are you making this
>>>> easier for: you or the user.
>>>>
>>>> Yes, getting NTP right is hard, but does it meet the 80/20 rule in terms
>>>> of success? I'd think so. I
>>>>
>>>> If someone wants to configure it using Ansible they can use the
>>>> --no-ntp. If they want to use different time servers they can pass in
>>>> --ntp-server. But by default IMHO it should do something sane to give a
>>>> good experience.
>>>
>>> I think to do something sane is exactly the point of this, and the sanest
>>> thing we can do is to not touch NTP configuration at all:
>>>
>>>   * if the NTP configuration obtained via DHCP works, we can't make it any
>>> better by touching it, only worse,
>>>   * if the default NTP configuration shipped with the distribution works, we
>>> again can't make it any better by touching it,
>>>   * if we are running inside container, time is synchronized by other means
>>> and we should not touch NTP configuration at all,
>>>   * if neither the default NTP configuration nor the NTP configuration
>>> obtained via DHCP works and we are not running inside container, we may
>>> attempt to fix the configuration, but it will not be permanent and will work
>>> only for this specific host.
>>>
>>> I think the first 3 points cover 99% of real-life deployments, and yet we are
>>> optimized towards the remaining 1%, with the potential of breaking the
>>> configuration for the 99%. This is far from sane IMHO.
>>
>> +1 for Honza's point.
>>
>> Current NTP code works only for initial setup and silently breaks
>> synchronization later on. Most importantly it breaks synchronization as soon
>> as admin removes old replicas and replaces them with new ones - there is no
>> mechanism to update the records in the client configuration (and SRV discovery
>> is not supported by clients).
>>
>> I.e. when admin decommissions replicas which were around at the time of client
>> installation, the NTP on client will silently break. This would not happen if
>> you did not touch it.
>>
>> (This also implicitly means that IPA-configured NTP is broken on all clients
>> in topologies which were completely migrated from RHEL 6 to RHEL 7.)
>>
>> Either DHCP or default distro config would solve the problem better.
>
> That's fair but where is the huge pile of bugs, tickets and user
> e-mails complaining about time? Or has nobody noticed yet?

Hard to say. There might be multiple reasons for this. E.g.

- Starting with Fedora 16, Chronyd is installed by default. IPA client
installer does not configure Chronyd by default so there is nothing to break.

- DHCP integration still modifies IPA-generated ntp.conf.

- Users who care might use a configuration management tool.


> I'm just wondering whether dropping it altogether is the right choice or
> if enhancing the time clients to, say, support SRV records is a
> preferable option.
>
> There is a real advantage in having the IPA clients using the same time
> source as the IPA masters (in this case the masters themselves)

[Freeipa-devel] [freeipa PR#281][comment] Accept server host names resolvable only using /etc/hosts

2016-11-29 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/281
Title: #281: Accept server host names resolvable only using /etc/hosts

martbab commented:
"""
Thinking of this some more, shouldn't the `--no-host-dns` option be used and 
advertised if you want to set an unresolvable hostname during install?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/281#issuecomment-263596975

[Freeipa-devel] [freeipa PR#255][synchronized] Adjustments for setup requirements

2016-11-29 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/255
Author: tiran
 Title: #255: Adjustments for setup requirements
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/255/head:pr255
git checkout pr255
From d2936b349315972a1ccea5f241e58bd6554c5b44 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Thu, 17 Nov 2016 16:43:17 +0100
Subject: [PATCH] Adjustments for setup requirements

* Fix some typos, missing or surplus dependencies.
* Remove setup requirement on wheel since it triggers download.
* Bump version of cryptography to 1.3. 0.9 no longer compiles with
  recent versions of OpenSSL. 1.3 is the older version that is
  well tested.
* Bump version of gssapi to 1.2. The PyPI package for 1.1.2 has a
  packaging bug. It falsely requires enum34 on Python >= 3.4

ipatests is now installable. Tests need further changes to be runnable.

https://fedorahosted.org/freeipa/ticket/6468

Signed-off-by: Christian Heimes 
---
 freeipa.spec.in  |  8 
 ipaclient/setup.py   |  7 +++
 ipalib/setup.py  |  1 +
 ipaplatform/setup.py |  3 ---
 ipapython/setup.py   |  4 +---
 ipaserver/setup.py   |  2 +-
 ipasetup.py.in   |  8 
 ipatests/setup.py| 18 +-
 8 files changed, 23 insertions(+), 28 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 6847bed..fac825b 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -114,7 +114,7 @@ BuildRequires:  python-cffi
 BuildRequires:  samba-python
 BuildRequires:  python-setuptools
 # 0.6: serialization.load_pem_private_key, load_pem_public_key
-BuildRequires:  python-cryptography >= 0.6
+BuildRequires:  python-cryptography >= 1.3
 BuildRequires:  python-gssapi
 BuildRequires:  pylint >= 1.0
 # workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506
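Review bot: the comment `# 0.6: serialization.load_pem_private_key, load_pem_public_key` still explains the old 0.6 floor while the line under it now says `>= 1.3`; replace it with the reason given in the commit message (0.9 no longer builds against recent OpenSSL) or drop it, otherwise the next BuildRequires cleanup runs into the "no reasonable explanation in git history" problem raised in this review thread. In the same hunk `BuildRequires:  python-gssapi` stays unversioned while the runtime `Requires: python-gssapi` is raised to `>= 1.2` below; if 1.2 is needed at runtime, consider stating the same floor here so the build (and any %check run) uses the version the package is going to require.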
@@ -187,7 +187,7 @@ Requires: mod_wsgi
 Requires: mod_auth_gssapi >= 1.4.0
 Requires: mod_nss >= 1.0.8-26
 Requires: python-ldap >= 2.4.15
-Requires: python-gssapi >= 1.1.2
+Requires: python-gssapi >= 1.2
 Requires: acl
 Requires: memcached
 Requires: python-memcached
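Review bot: the commit message justifies `python-gssapi >= 1.2` by the PyPI 1.1.2 package falsely requiring enum34 on Python >= 3.4, which affects pip installs on Python 3 and not this Python 2 RPM dependency; if the bump here is for consistency with the python3 package and `ipasetup.py.in`, say so in the commit message, since unexplained version bumps are exactly what the reviewers on this thread asked to avoid.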
@@ -510,7 +510,7 @@ Requires: gnupg
 Requires: keyutils
 Requires: pyOpenSSL
 Requires: python-nss >= 0.16
-Requires: python-cryptography >= 0.9
+Requires: python-cryptography >= 1.3
 Requires: python-netaddr
 Requires: python-libipa_hbac
 Requires: python-qrcode-core >= 5.0.0
@@ -554,7 +554,7 @@ Provides: python3-ipapython = %{version}-%{release}
 Provides: python3-ipaplatform = %{version}-%{release}
 %{?python_provide:%python_provide python3-ipaplatform}
 Requires: %{name}-common = %{version}-%{release}
-Requires: python3-gssapi >= 1.1.2
+Requires: python3-gssapi >= 1.2
 Requires: gnupg
 Requires: keyutils
 Requires: python3-pyOpenSSL
diff --git a/ipaclient/setup.py b/ipaclient/setup.py
index fb6ed0d..0183aaf 100644
--- a/ipaclient/setup.py
+++ b/ipaclient/setup.py
@@ -48,13 +48,12 @@
 "ipalib",
 "ipapython",
 "python-nss",
+"python-yubico",
+"pyusb",
 "qrcode",
 "six",
 ],
-setup_requires=[
-"wheel",
-],
-extra_requires={
+extras_require={
 "ipaclient.install": ["ipaplatform"],
 "otptoken_yubikey": ["yubico", "usb"]
 }
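Review bot: `python-yubico` and `pyusb` are added to the unconditional install list while the `otptoken_yubikey` extra below still lists the same dependencies as `yubico` and `usb`, their import names rather than the distribution names used two lines above, so the extra cannot resolve and is redundant anyway; either keep the YubiKey support optional by changing the extra to `["python-yubico", "pyusb"]` and dropping the two new unconditional entries, or remove the extra. The `extra_requires` to `extras_require` rename is the right fix: setuptools only warns about an unknown keyword, so the extras were never registered before.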
diff --git a/ipalib/setup.py b/ipalib/setup.py
index 85932fc..4be3eb1 100644
--- a/ipalib/setup.py
+++ b/ipalib/setup.py
@@ -40,6 +40,7 @@
 "ipapython",
 "netaddr",
 "pyasn1",
+"pyasn1-modules",
 "python-nss",
 "six",
 ],
diff --git a/ipaplatform/setup.py b/ipaplatform/setup.py
index b28ac8c..9c47da7 100644
--- a/ipaplatform/setup.py
+++ b/ipaplatform/setup.py
@@ -47,7 +47,4 @@
 "python-nss",
 "six",
 ],
-setup_requires=[
-"wheel",
-],
 )
diff --git a/ipapython/setup.py b/ipapython/setup.py
index c413ffa..95eb285 100755
--- a/ipapython/setup.py
+++ b/ipapython/setup.py
@@ -51,10 +51,8 @@
 "requests",
 "six",
 ],
-setup_requires=[
-"wheel",
-],
 extras_require={
 ":python_version<'3'": ["enum34"],
+"certmonger": ["dbus-python"],
 },
 )
diff --git a/ipaserver/setup.py b/ipaserver/setup.py
index 3635832..528b901 100755
--- a/ipaserver/setup.py
+++ b/ipaserver/setup.py
@@ -56,9 +56,9 @@
 "ipapython",
 "lxml",
 "netaddr",
-"memcache",
 "pyasn1",
 "pyldap",
+"python-memcached",
 "python-nss",
 "six",
 # not available on PyPI
diff --git a/ipasetup.py.in b/ipasetup.py.in
index 1db4857..bde 100644
--- a/ipasetup.py.in
+++ b/ipasetup.py.in
@@ -52,9 +52,9 @@ class build_py(setuptools_build_py):
 
 
 PACKAGE_VERSION = {
-'cryptography': 'cryptography >= 0.9',
+'cryptography'

[Freeipa-devel] [freeipa PR#281][comment] Accept server host names resolvable only using /etc/hosts

2016-11-29 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/281
Title: #281: Accept server host names resolvable only using /etc/hosts

martbab commented:
"""
I see. I guess we can live with the fact that we may break such eccentric DNS 
topologies.
I think we cannot really handle all the corner cases associated with 
guessing/setting hostname by ourselves anyway (yes, I am not a big fan of 
FreeIPA stepping onto the provisioning system's toes).
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/281#issuecomment-263595995

[Freeipa-devel] [freeipa PR#269][+pushed] Prevent denial of replication updates during CA replica install

2016-11-29 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/269
Title: #269: Prevent denial of replication updates during CA replica install

Label: +pushed

[Freeipa-devel] [freeipa PR#269][comment] Prevent denial of replication updates during CA replica install

2016-11-29 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/269
Title: #269: Prevent denial of replication updates during CA replica install

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/73d0d03891c8585a925f5b49739990c57f6e
https://fedorahosted.org/freeipa/changeset/266b9d9c6c9b9dec10b8a70382445fa2f800dd69
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/269#issuecomment-263595900

[Freeipa-devel] [freeipa PR#269][closed] Prevent denial of replication updates during CA replica install

2016-11-29 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/269
Author: martbab
 Title: #269: Prevent denial of replication updates during CA replica install
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/269/head:pr269
git checkout pr269

[Freeipa-devel] [freeipa PR#255][synchronized] Adjustments for setup requirements

2016-11-29 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/255
Author: tiran
 Title: #255: Adjustments for setup requirements
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/255/head:pr255
git checkout pr255
From 7f0ea93b037e74afef0070498ce767ddf652dfe9 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Thu, 17 Nov 2016 16:43:17 +0100
Subject: [PATCH] Adjustments for setup requirements

Fix some typos, missing or surplus dependencies. Remove setup
requirement on wheel since it triggers download. Bump up requirements to
sensible versions. Cryptography 0.9 does not even compile on Fedora any
more.

ipatests is now installable. Tests need further changes to be runnable.

https://fedorahosted.org/freeipa/ticket/6468

Signed-off-by: Christian Heimes 
---
 freeipa.spec.in  |  8 
 ipaclient/setup.py   |  7 +++
 ipalib/setup.py  |  1 +
 ipaplatform/setup.py |  3 ---
 ipapython/setup.py   |  4 +---
 ipaserver/setup.py   |  2 +-
 ipasetup.py.in   |  8 
 ipatests/setup.py| 18 +-
 8 files changed, 23 insertions(+), 28 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 6847bed..fac825b 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -114,7 +114,7 @@ BuildRequires:  python-cffi
 BuildRequires:  samba-python
 BuildRequires:  python-setuptools
 # 0.6: serialization.load_pem_private_key, load_pem_public_key
-BuildRequires:  python-cryptography >= 0.6
+BuildRequires:  python-cryptography >= 1.3
 BuildRequires:  python-gssapi
 BuildRequires:  pylint >= 1.0
 # workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506
@@ -187,7 +187,7 @@ Requires: mod_wsgi
 Requires: mod_auth_gssapi >= 1.4.0
 Requires: mod_nss >= 1.0.8-26
 Requires: python-ldap >= 2.4.15
-Requires: python-gssapi >= 1.1.2
+Requires: python-gssapi >= 1.2
 Requires: acl
 Requires: memcached
 Requires: python-memcached
@@ -510,7 +510,7 @@ Requires: gnupg
 Requires: keyutils
 Requires: pyOpenSSL
 Requires: python-nss >= 0.16
-Requires: python-cryptography >= 0.9
+Requires: python-cryptography >= 1.3
 Requires: python-netaddr
 Requires: python-libipa_hbac
 Requires: python-qrcode-core >= 5.0.0
@@ -554,7 +554,7 @@ Provides: python3-ipapython = %{version}-%{release}
 Provides: python3-ipaplatform = %{version}-%{release}
 %{?python_provide:%python_provide python3-ipaplatform}
 Requires: %{name}-common = %{version}-%{release}
-Requires: python3-gssapi >= 1.1.2
+Requires: python3-gssapi >= 1.2
 Requires: gnupg
 Requires: keyutils
 Requires: python3-pyOpenSSL
diff --git a/ipaclient/setup.py b/ipaclient/setup.py
index fb6ed0d..0183aaf 100644
--- a/ipaclient/setup.py
+++ b/ipaclient/setup.py
@@ -48,13 +48,12 @@
 "ipalib",
 "ipapython",
 "python-nss",
+"python-yubico",
+"pyusb",
 "qrcode",
 "six",
 ],
-setup_requires=[
-"wheel",
-],
-extra_requires={
+extras_require={
 "ipaclient.install": ["ipaplatform"],
 "otptoken_yubikey": ["yubico", "usb"]
 }
diff --git a/ipalib/setup.py b/ipalib/setup.py
index 85932fc..4be3eb1 100644
--- a/ipalib/setup.py
+++ b/ipalib/setup.py
@@ -40,6 +40,7 @@
 "ipapython",
 "netaddr",
 "pyasn1",
+"pyasn1-modules",
 "python-nss",
 "six",
 ],
diff --git a/ipaplatform/setup.py b/ipaplatform/setup.py
index b28ac8c..9c47da7 100644
--- a/ipaplatform/setup.py
+++ b/ipaplatform/setup.py
@@ -47,7 +47,4 @@
 "python-nss",
 "six",
 ],
-setup_requires=[
-"wheel",
-],
 )
diff --git a/ipapython/setup.py b/ipapython/setup.py
index c413ffa..95eb285 100755
--- a/ipapython/setup.py
+++ b/ipapython/setup.py
@@ -51,10 +51,8 @@
 "requests",
 "six",
 ],
-setup_requires=[
-"wheel",
-],
 extras_require={
 ":python_version<'3'": ["enum34"],
+"certmonger": ["dbus-python"],
 },
 )
diff --git a/ipaserver/setup.py b/ipaserver/setup.py
index 3635832..528b901 100755
--- a/ipaserver/setup.py
+++ b/ipaserver/setup.py
@@ -56,9 +56,9 @@
 "ipapython",
 "lxml",
 "netaddr",
-"memcache",
 "pyasn1",
 "pyldap",
+"python-memcached",
 "python-nss",
 "six",
 # not available on PyPI
diff --git a/ipasetup.py.in b/ipasetup.py.in
index 1db4857..bde 100644
--- a/ipasetup.py.in
+++ b/ipasetup.py.in
@@ -52,9 +52,9 @@ class build_py(setuptools_build_py):
 
 
 PACKAGE_VERSION = {
-'cryptography': 'cryptography >= 0.9',
+'cryptography': 'cryptography >= 1.3',
 'dnspython': 'dnspython >= 1.13',
-'gssapi': 'gssapi > 1.1.2',
+'gssapi': 'gssapi >= 1.2.0',
 'ipaclient': 'ipaclient == @VERSION@',

Re: [Freeipa-devel] NTP in FreeIPA

2016-11-29 Thread Rob Crittenden
Petr Spacek wrote:
> On 29.11.2016 09:11, Jan Cholasta wrote:
>> On 28.11.2016 20:57, Rob Crittenden wrote:
>>> David Kupka wrote:
>>>> On 22/11/16 23:15, Gabe Alford wrote:
>>>>> I would say that it is worth keeping in FreeIPA. I know myself and some
>>>>> customers use its functionality by having the clients sync to the IPA
>>>>> servers and have the servers sync to the NTP source. This way if the NTP
>>>>> source ever gets disrupted for long periods of time (which has
>>>>> happened in my environment) the client time drifts with the
>>>>> authentication source. This is the way that AD often works and is
>>>>> configured.
>>>>
>>>> Hello Gabe,
>>>> I agree that it's common practice to synchronize all nodes in network
>>>> with single source in order to have the same time and save bandwidth.
>>>> Also I understand that it's comfortable to let FreeIPA installer take
>>>> care of it.
>>>> But I don't think FreeIPA should do it; IMO this is a job for Ansible or
>>>> similar tool. Also the problem is that in some situations FreeIPA
>>>> installer makes it worse.
>>>>
>>>> Example:
>>>>
>>>> 1. Install FreeIPA server (ipa1.example.org)
>>>> 2. Install FreeIPA client on all nodes in network
>>>> 3. Install replica (ipa2.example.org) of FreeIPA server to increase
>>>> redundancy
>>>>
>>>> Now all the clients have ipa1.example.org as the only server in
>>>> /etc/ntp.conf. If the first FreeIPA server becomes unreachable all
>>>> clients will be able to contact KDC on the other server thanks to DNS
>>>> autodiscovery in libkrb5 but will be unable to synchronize time.
>>>
>>> Remember that the goal of IPA was to herd together a bunch of software
>>> to make hard things easier. This included dealing with the 5-minute
>>> Kerberos window so ntp was configured on the client and server (which is
>>> less of an issue now).
>>>
>>> When making changes you have to ask yourself who are you making this
>>> easier for: you or the user.
>>>
>>> Yes, getting NTP right is hard, but does it meet the 80/20 rule in terms
>>> of success? I'd think so. I
>>>
>>> If someone wants to configure it using Ansible they can use the
>>> --no-ntp. If they want to use different time servers they can pass in
>>> --ntp-server. But by default IMHO it should do something sane to give a
>>> good experience.
>>
>> I think to do something sane is exactly the point of this, and the sanest
>> thing we can do is to not touch NTP configuration at all:
>>
>>   * if the NTP configuration obtained via DHCP works, we can't make it any
>> better by touching it, only worse,
>>   * if the default NTP configuration shipped with the distribution works, we
>> again can't make it any better by touching it,
>>   * if we are running inside container, time is synchronized by other means
>> and we should not touch NTP configuration at all,
>>   * if neither the default NTP configuration nor the NTP configuration
>> obtained via DHCP works and we are not running inside container, we may
>> attempt to fix the configuration, but it will not be permanent and will work
>> only for this specific host.
>>
>> I think the first 3 points cover 99% of real-life deployments, and yet we are
>> optimized towards the remaining 1%, with the potential of breaking the
>> configuration for the 99%. This is far from sane IMHO.
>
> +1 for Honza's point.
>
> Current NTP code works only for initial setup and silently breaks
> synchronization later on. Most importantly it breaks synchronization as soon
> as admin removes old replicas and replaces them with new ones - there is no
> mechanism to update the records in the client configuration (and SRV discovery
> is not supported by clients).
>
> I.e. when admin decommissions replicas which were around at the time of client
> installation, the NTP on client will silently break. This would not happen if
> you did not touch it.
>
> (This also implicitly means that IPA-configured NTP is broken on all clients
> in topologies which were completely migrated from RHEL 6 to RHEL 7.)
>
> Either DHCP or default distro config would solve the problem better.

That's fair but where is the huge pile of bugs, tickets and user
e-mails complaining about time? Or has nobody noticed yet?

I'm just wondering whether dropping it altogether is the right choice or
if enhancing the time clients to, say, support SRV records is a
preferable option.

There is a real advantage in having the IPA clients using the same time
source as the IPA masters (in this case the masters themselves).

Like Simo I have mixed feelings about this and won't push on it anymore
but completely dropping features should be well-considered and a last
resort IMHO.

rob

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


[Freeipa-devel] [freeipa PR#283][opened] [ipa-4-4] Prevent denial of replication updates during CA replica install

2016-11-29 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/283
Author: martbab
 Title: #283: [ipa-4-4] Prevent denial of replication updates during CA replica install
Action: opened

PR body:
"""
This is https://github.com/freeipa/freeipa/pull/269 rebased on top of ipa-4-4
branch.

https://fedorahosted.org/freeipa/ticket/6508
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/283/head:pr283
git checkout pr283
From 9c97bd9d566c74220c1ca695378dc6caf60e5f85 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Wed, 23 Nov 2016 16:55:38 +0100
Subject: [PATCH 1/2] upgrade: add replica bind DN group check interval to CA
 topology config

Without this attribute explicitly set the replication plugin won't recognize
updates from members of 'replication managers' sysaccount group, leading to
stuck replica CA installation.

https://fedorahosted.org/freeipa/ticket/6508
---
 install/share/ca-topology.uldif | 1 +
 1 file changed, 1 insertion(+)

diff --git a/install/share/ca-topology.uldif b/install/share/ca-topology.uldif
index fea591b..8fe38e7 100644
--- a/install/share/ca-topology.uldif
+++ b/install/share/ca-topology.uldif
@@ -12,3 +12,4 @@ default: cn: ca
 
 dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
 onlyifexist: nsds5replicabinddngroup: cn=replication managers,cn=sysaccounts,cn=etc,$SUFFIX
+add: nsds5replicabinddngroupcheckinterval: 60
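Review bot: the value `60` on the `+add:` line is duplicated as the string `'60'` in the second patch's `replication.py` change, so tuning one later will silently leave the other behind; derive both from one place (a constant in `ipaserver/install/replication.py` substituted into the template, or at minimum a comment in each location pointing at the other). The commit message explains what the attribute does but not why 60 seconds is the right interval; a short comment in the uldif would spare the next reader the guesswork.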

From e58c23d29d1c9b163f1538ecabb6cbb482cbf881 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Wed, 23 Nov 2016 16:58:39 +0100
Subject: [PATCH 2/2] replication: ensure bind DN group check interval is set
 on replica config

This is a safeguard ensuring valid replica configuration against incorrectly
upgraded masters lacking 'nsds5replicabinddngroupcheckinterval' attribute on
their domain/ca topology config.

https://fedorahosted.org/freeipa/ticket/6508
---
 ipaserver/install/replication.py | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index 56c75e7..42ee303 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -454,6 +454,12 @@ def replica_config(self, conn, replica_id, replica_binddn):
 if replica_groupdn not in binddn_groups:
 mod.append((ldap.MOD_ADD, 'nsds5replicabinddngroup',
 replica_groupdn))
+
+if 'nsds5replicabinddngroupcheckinterval' not in entry:
+mod.append(
+(ldap.MOD_ADD,
+ 'nsds5replicabinddngroupcheckinterval',
+ '60'))
 if mod:
 conn.modify_s(dn, mod)
 
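Review bot: the `'nsds5replicabinddngroupcheckinterval' not in entry` test only fires when the attribute is absent, so a master whose attribute is present but set to some other value is left untouched; the commit message calls this a safeguard, so that is presumably intended, but a one-line comment saying so (and why `'60'`, the same magic number as in `install/share/ca-topology.uldif`) would make the intent explicit. Consider hoisting `'60'` into a module-level constant that the template shares, so the two values cannot drift apart.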

[Freeipa-devel] [freeipa PR#281][comment] Accept server host names resolvable only using /etc/hosts

2016-11-29 Thread pspacek
  URL: https://github.com/freeipa/freeipa/pull/281
Title: #281: Accept server host names resolvable only using /etc/hosts

pspacek commented:
"""
This entirely depends on configuration. Imagine the following imaginary company 
setup:
- public part of DNS tree is `example.com.`
- private part of DNS tree is `corp.`
- resolv.conf contains `corp` in search list

Now an admin is going to install an IPA instance for publicly available services 
at server `srv1.ipa.example.com.`.  The name `srv1.ipa.example.com.` is not 
resolvable, as the --setup-dns option is used. Now the `dns` module invoked by NSS 
will try to look up `srv1.ipa.example.com.`. It might (depending on 
configuration) fall back to `srv1.ipa.example.com.corp.`, which may accidentally 
exist (as an IPA server for company internal purposes).

This is purely hypothetical, I'm just trying to show that the code is subtly 
broken.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/281#issuecomment-263589129
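The search-list fallback described in the comment above, modelled in Python as an added example (this is not FreeIPA code and not the glibc resolver). The zone data and the resolv.conf settings are constructed for the demonstration, and the candidate-name ordering is a simplified version of res_search() behaviour, stated here as an assumption rather than a reproduction of any particular libc. The second function shows the check an installer wants: the name must resolve as written, not via an appended search domain.

```python
"""Search-list fallback model (added example, not FreeIPA or libc code)."""

# Constructed zone data: the public name does not exist, but an internal
# IPA server happens to be registered under the private "corp." tree.
FAKE_ZONE = {
    "srv1.ipa.example.com.corp.": "10.0.0.5",
    "www.example.com.": "203.0.113.10",
}

# Assumed resolv.conf content for the hypothetical company setup.
SEARCH_LIST = ["corp."]
NDOTS = 1


def _absolute(name):
    """Return the name with a trailing dot, i.e. as a fully qualified name."""
    return name if name.endswith(".") else name + "."


def candidate_names(name, search_list=SEARCH_LIST, ndots=NDOTS):
    """Return the names a search-aware stub resolver would try, in order.

    Simplified res_search() rules (assumption):
    - a name ending in '.' is fully qualified and is the only candidate;
    - a name with at least `ndots` dots is tried as-is first, then with
      each search domain appended;
    - a name with fewer dots has the search domains tried first.
    """
    if name.endswith("."):
        return [name]
    as_is = [_absolute(name)]
    searched = [_absolute(name + "." + d.rstrip(".")) for d in search_list]
    if name.count(".") >= ndots:
        return as_is + searched
    return searched + as_is


def resolve(name, zone=FAKE_ZONE, **kw):
    """Return (matched_name, address) for the first candidate present in
    the zone, or None when nothing matches."""
    for cand in candidate_names(name, **kw):
        if cand in zone:
            return cand, zone[cand]
    return None


def resolves_as_requested(name, zone=FAKE_ZONE, **kw):
    """Installer-side check: accept only an answer for the name as written.

    Accepting any answer from resolve() lets the private
    'srv1.ipa.example.com.corp.' stand in for the public name.
    """
    hit = resolve(name, zone, **kw)
    return hit is not None and hit[0] == _absolute(name)


if __name__ == "__main__":
    for n in ("srv1.ipa.example.com", "srv1.ipa.example.com.", "www.example.com"):
        print(n, "->", resolve(n), "exact:", resolves_as_requested(n))
```

Running the block shows `srv1.ipa.example.com` (no trailing dot) "resolving" to 10.0.0.5 through the `corp.` search domain while the fully qualified form does not resolve at all; comparing the answered name against the requested one is what separates the two cases.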

[Freeipa-devel] [freeipa PR#268][+pushed] Build system must regenerate file when template changes

2016-11-29 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/268
Title: #268: Build system must regenerate file when template changes

Label: +pushed

[Freeipa-devel] [freeipa PR#268][comment] Build system must regenerate file when template changes

2016-11-29 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/268
Title: #268: Build system must regenerate file when template changes

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/ba6ae666acaf8b930d18f45efc7c9c9faad3526b
https://fedorahosted.org/freeipa/changeset/6857de02f3a9c2d7e99e33863be3c65f71fa0d58
https://fedorahosted.org/freeipa/changeset/89739a6c910461a3cac3abc1bf2ff162c7c5bc82
https://fedorahosted.org/freeipa/changeset/6fcfe689f47a02df023de69f62c889d9b4dc26fe
https://fedorahosted.org/freeipa/changeset/6aa360775a781bee5a2fdd884cbfa33b545fcbb4
https://fedorahosted.org/freeipa/changeset/a89f63c5a62c4a02fc248a095f539a099a9c28c5
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/268#issuecomment-263584306

[Freeipa-devel] [freeipa PR#268][closed] Build system must regenerate file when template changes

2016-11-29 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/268
Author: pspacek
 Title: #268: Build system must regenerate file when template changes
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/268/head:pr268
git checkout pr268

[Freeipa-devel] [freeipa PR#271][comment] Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient

2016-11-29 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/271
Title: #271: Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient

mbasti-rh commented:
"""
Ticket updated.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/271#issuecomment-263581781

[Freeipa-devel] [freeipa PR#280][comment] Set explicit confdir option for global contexts

2016-11-29 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/280
Title: #280: Set explicit confdir option for global contexts

tiran commented:
"""
All bootstrap() calls without an explicit confdir argument are fine. If you 
think otherwise, please list all calls and give me a compelling reason to have 
them ignore IPA_CONFDIR.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/280#issuecomment-263580703

[Freeipa-devel] [freeipa PR#200][+ack] Test: basic kerberos over http functionality

2016-11-29 Thread apophys
  URL: https://github.com/freeipa/freeipa/pull/200
Title: #200: Test: basic kerberos over http functionality

Label: +ack

[Freeipa-devel] [freeipa PR#200][comment] Test: basic kerberos over http functionality

2016-11-29 Thread apophys
  URL: https://github.com/freeipa/freeipa/pull/200
Title: #200: Test: basic kerberos over http functionality

apophys commented:
"""
Thank you for rebasing the commits. The test looks good.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/200#issuecomment-263578009

[Freeipa-devel] [freeipa PR#225][synchronized] tests: Added basic tests for certs in idoverrides

2016-11-29 Thread ofayans
   URL: https://github.com/freeipa/freeipa/pull/225
Author: ofayans
 Title: #225: tests: Added basic tests for certs in idoverrides
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/225/head:pr225
git checkout pr225
From fab31aff4cc3950651ee1114d4b1d874aa4c7e0f Mon Sep 17 00:00:00 2001
From: Oleg Fayans 
Date: Wed, 16 Nov 2016 12:57:49 +0100
Subject: [PATCH 1/2] Created idview tracker

Needed for basic certs in idoverrides tests

https://fedorahosted.org/freeipa/ticket/6412
---
 ipatests/test_xmlrpc/tracker/idview_plugin.py | 116 ++
 1 file changed, 116 insertions(+)
 create mode 100644 ipatests/test_xmlrpc/tracker/idview_plugin.py

diff --git a/ipatests/test_xmlrpc/tracker/idview_plugin.py b/ipatests/test_xmlrpc/tracker/idview_plugin.py
new file mode 100644
index 000..e7bb39b
--- /dev/null
+++ b/ipatests/test_xmlrpc/tracker/idview_plugin.py
@@ -0,0 +1,116 @@
+#
+# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
+#
+
+from ipalib import api
+from ipapython.dn import DN
+from ipatests.test_xmlrpc.tracker.base import Tracker
+from ipatests.util import assert_deepequal
+from ipatests.test_xmlrpc import objectclasses
+
+import six
+
+if six.PY3:
+unicode = str
+
+
+class IdviewTracker(Tracker):
+"""Class for idview tests"""
+
+retrieve_keys = {
+u'cn'
+}
+
+retrieve_all_keys = retrieve_keys | {
+u'description', u'objectclass', u'dn'
+}
+
+create_keys = retrieve_all_keys
+find_all_keys = retrieve_all_keys
+
+def del_cert_from_idoverrideuser(self, username, cert):
+result = api.Command.idoverrideuser_remove_cert(
+self.cn, username, usercertificate=cert
+)
+return dict(
+usercertificate=result['result'].get('usercertificate', []),
+value=result.get('value'),
+summary=result.get('summary')
+)
+
+def add_cert_to_idoverrideuser(self, username, cert):
+result = api.Command.idoverrideuser_add_cert(
+self.cn, username, usercertificate=cert
+)
+return dict(
+usercertificate=result['result'].get('usercertificate', []),
+value=result.get('value'),
+summary=result.get('summary')
+)
+
+def __init__(self, cn, **kwargs):
+super(IdviewTracker, self).__init__(default_version=None)
+self.cn = cn
+self.dn = DN(('cn', cn), api.env.container_views, api.env.basedn)
+self.kwargs = kwargs
+
+def make_create_command(self):
+return self.make_command(
+'idview_add', self.cn, **self.kwargs
+)
+
+def make_delete_command(self):
+return self.make_command(
+'idview_del', self.cn, **self.kwargs
+)
+
+def make_retrieve_command(self, all=False, raw=False):
+""" Make function that retrieves a idview using idview-show """
+return self.make_command('idview_show', self.cn, all=all)
+
+def make_find_command(self, *args, **kwargs):
+""" Make function that finds idview using idview-find """
+return self.make_command('idview_find', *args, **kwargs)
+
+def make_update_command(self, updates):
+""" Make function that updates idview using idview-mod """
+return self.make_command('idview_mod', self.cn, **updates)
+
+def track_create(self):
+self.attrs = dict(
+cn=(self.cn,),
+dn=unicode(self.dn),
+idoverrideusers=[],
+objectclass=objectclasses.idview
+)
+if 'description' in self.kwargs:
+self.attrs['description'] = self.kwargs['description']
+self.exists = True
+
+def make_add_idoverrideuser_command(self, username, options=None):
+options = options or {}
+""" Make function that adds a member to a group """
+return self.make_command('idoverrideuser_add', self.cn, username,
+ **options)
+
+def idoverrideuser_add(self, user):
+command = self.make_add_idoverrideuser_command(user.name)
+result = command()
+self.attrs['idoverrideusers'].append(result['value'])
+self.check_idoverrideuser_add(result, user)
+
+def check_create(self, result, extra_keys=()):
+""" Check 'user-add' command result """
+expected = self.filter_attrs(self.create_keys | set(extra_keys))
+assert_deepequal(dict(
+summary=u'Added ID View "%s"' % self.cn,
+result=self.filter_attrs(expected),
+value=self.cn
+), result)
+
+def check_idoverrideuser_add(self, result, user):
+""" Checks 'group_add_member' command result """
+assert_deepequal(
+u'Added User ID override "%s"' % user.name,
+result['summary']
+)
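Review bot: in `make_add_idoverrideuser_command` the `""" Make function that adds a member to a group """` string comes after the `options = options or {}` statement, so it is a discarded expression rather than a docstring, and its text (like `check_create`'s `Check 'user-add' command result` and `check_idoverrideuser_add`'s `Checks 'group_add_member' command result`) was carried over from another tracker and names the wrong command; move it to the first line of the method and describe `idoverrideuser-add`. Two logic points: `make_retrieve_command(self, all=False, raw=False)` accepts `raw` but never passes it to `idview_show`, so a test asking for raw output silently gets the processed form; and `make_delete_command` forwards `**self.kwargs` (for example `description`) to `idview_del`, which is likely to be rejected as an unknown option, so pass only `self.cn` there. Finally, `add_cert_to_idoverrideuser`/`del_cert_from_idoverrideuser` take a `cert` argument without saying whether a base64 string or raw DER is expected; a docstring would help callers of the tracker.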

From 4948bf77193ab9e31ac1dcaefa97cc55dab24750 Mon Sep 17 00:00:00 2001
F

[Freeipa-devel] [freeipa PR#271][comment] Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient

2016-11-29 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/271
Title: #271: Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient

stlaz commented:
"""
Last I checked the ticket was still open. The ticket was trying to solve the 
same issue as this PR although its aim shifted (see the link I posted in the 
comments).
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/271#issuecomment-263576832

[Freeipa-devel] [freeipa PR#271][comment] Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient

2016-11-29 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/271
Title: #271: Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient

mbasti-rh commented:
"""
Ticket https://fedorahosted.org/freeipa/ticket/6474 is closed as wontfix and 
even doesn't seem right to me.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/271#issuecomment-263575595

[Freeipa-devel] [freeipa PR#228][comment] cert-request: allow directoryName in SAN extension

2016-11-29 Thread jcholast
  URL: https://github.com/freeipa/freeipa/pull/228
Title: #228: cert-request: allow directoryName in SAN extension

jcholast commented:
"""
Ok,

> Why do you see a relationship between the subject DN of a X.509 and the 
> directoryName general name in SAN X.509v3 extension?

According to RFC 5280 section 4.1.2.6 the subject DN and SANs are equivalent 
in terms of identifying the subject entity:
> The subject field identifies the entity associated with the public
> key stored in the subject public key field.  The subject name MAY be
> carried in the subject field and/or the subjectAltName extension.

Compare how the subject DN is defined in RFC 5280 section 4.1.2.6:
> Where it is non-empty, the subject field MUST contain an X.500
> distinguished name (DN).  The DN MUST be unique for each subject
> entity certified by the one CA as defined by the issuer field.  A CA
> MAY issue more than one certificate with the same DN to the same
> subject entity.

... with how the DN SAN is defined in RFC 5280 section 4.2.1.6:
> When the subjectAltName extension contains a DN in the directoryName,
> the encoding rules are the same as those specified for the issuer
> field in Section 4.1.2.4.  The DN MUST be unique for each subject
> entity certified by the one CA as defined by the issuer field.  A CA
> MAY issue more than one certificate with the same DN to the same
> subject entity.

See that there is no mention of any semantic difference between them as means 
of identifying the subject entity.

Further specifications such as the name constraints extension also treat them 
equally. RFC 5280 section 4.2.1.10:
> Restrictions of the form directoryName MUST be applied to the subject
> field in the certificate (when the certificate includes a non-empty
> subject field) and to any names of type directoryName in the
> subjectAltName extension.

> The subject follows different rules, e.g. a disjunct set of RDN attributes.

I could not find any mention of this in RFC 5280 nor the X.500 series of 
standards. I'm assuming it's because it's not there.

> Attributes like DC, UID etc. are not commonly found in a X.509 cert's subject.

Neither RFC 5280 nor the X.500 series of standards impose any restrictions on 
the attributes used. However, RFC 5280 section 4.1.2.4 says:
> In addition, **implementations of this specification MUST be prepared**
> **to receive the domainComponent attribute**, as defined in [RFC4519].

> With multiple SubCAs (e.g. for VPN, client cert auth, host certs) we end up 
> with different subject DNs but with the same directoryName GN SAN entry.

Currently we in fact end up with the same subject DN. Which is just fine, as 
they refer to the same subject entity.

> The directoryName is designed to hold a LDAP DN.

I don't think that's true, as there is no mention of this in the directoryName 
SAN specification (see above).

> A certificate's Subject DN is not really a distinguishing name in the sense 
> of a unique identifier.

Let me quote RFC 5280 section 4.1.2.6 again:
> Where it is non-empty, the subject field MUST contain an X.500
> distinguished name (DN).  **The DN MUST be unique for each subject**
> **entity certified by the one CA as defined by the issuer field**.  A CA
> MAY issue more than one certificate with the same DN to the same
> subject entity.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/228#issuecomment-263574255
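The name-constraints rule quoted above from RFC 5280 section 4.2.1.10 (a directoryName restriction applies to the subject field and to every directoryName in subjectAltName alike), as an added worked example in Python. This is illustrative code, not FreeIPA's or Dogtag's implementation and not FreeIPA's `DN` class: a DN is modelled as an ordered tuple of RDNs, each RDN a frozenset of (type, value) pairs, the case-insensitive normalisation is an assumption that approximates X.500 matching for the PrintableString/UTF8String values used here, and the sample certificate is constructed for the demonstration.

```python
"""directoryName name-constraint matching over subject DN and SAN directoryName.

Added illustrative example; not FreeIPA or Dogtag code.
"""


def rdn(*pairs):
    """Build one RDN. Types are upper-cased and values whitespace-collapsed
    and lower-cased so that comparison approximates X.500 caseIgnoreMatch
    (an assumption adequate for the string types used in this example)."""
    return frozenset((t.upper(), " ".join(v.split()).lower()) for t, v in pairs)


def dn(*rdns):
    """A DN is an ordered tuple of RDNs, root first (DC=com, DC=example, ...)."""
    return tuple(rdns)


def dn_within_subtree(name, base):
    """RFC 5280 4.2.1.10: a DN lies within a directoryName subtree when the
    subtree's RDN sequence is a prefix of the DN's RDN sequence."""
    return len(name) >= len(base) and name[:len(base)] == base


def directory_names(cert):
    """Every X.500 name a directoryName constraint applies to: the subject
    field when it is non-empty, plus each directoryName GeneralName in SAN.
    Other GeneralName types (dNSName, rfc822Name, ...) are governed by their
    own constraint forms and are ignored here."""
    names = []
    if cert["subject"]:
        names.append(("subject", cert["subject"]))
    for gn_type, value in cert.get("san", []):
        if gn_type == "directoryName":
            names.append(("san", value))
    return names


def check_directory_name_constraints(cert, permitted=(), excluded=()):
    """Return a list of (where, dn, reason) violations; an empty list means
    the certificate satisfies the directoryName constraints.

    A name violates the constraints if it falls inside any excluded subtree,
    or if permitted subtrees are given and it falls inside none of them.
    """
    violations = []
    for where, name in directory_names(cert):
        if any(dn_within_subtree(name, ex) for ex in excluded):
            violations.append((where, name, "in excluded subtree"))
        elif permitted and not any(dn_within_subtree(name, p) for p in permitted):
            violations.append((where, name, "outside permitted subtrees"))
    return violations


# Constructed sample: the subject sits under dc=example,dc=com, but the SAN
# also carries a directoryName pointing into a different tree. A checker
# that looked only at the subject field would pass this certificate.
EXAMPLE_CERT = {
    "subject": dn(rdn(("DC", "com")), rdn(("DC", "example")),
                  rdn(("CN", "srv1.example.com"))),
    "san": [
        ("dNSName", "srv1.example.com"),
        ("directoryName", dn(rdn(("DC", "com")), rdn(("DC", "evil")),
                             rdn(("UID", "admin")))),
    ],
}

# Assumed CA constraint: permittedSubtrees contains one directoryName.
PERMITTED = [dn(rdn(("DC", "com")), rdn(("DC", "example")))]


if __name__ == "__main__":
    for where, name, reason in check_directory_name_constraints(
            EXAMPLE_CERT, permitted=PERMITTED):
        print(where, reason, name)
```

The point the example makes is the one the comment argues from the RFC: the subject field alone passes the permitted subtree, and only because the checker walks the SAN directoryName entries as well does the out-of-tree `dc=evil` name get caught.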

[Freeipa-devel] [freeipa PR#269][comment] Prevent denial of replication updates during CA replica install

2016-11-29 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/269
Title: #269: Prevent denial of replication updates during CA replica install

mbasti-rh commented:
"""
Patch does not apply to 4.4.3 branch
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/269#issuecomment-263574061

[Freeipa-devel] [freeipa PR#255][synchronized] Adjustments for setup requirements

2016-11-29 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/255
Author: tiran
 Title: #255: Adjustments for setup requirements
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/255/head:pr255
git checkout pr255
From 01cec191ead6a32ad7a71f7dd4080edc18c8630f Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Thu, 17 Nov 2016 16:43:17 +0100
Subject: [PATCH] Adjustments for setup requirements

Fix some typos, missing or surplus dependencies. Remove setup
requirement on wheel since it triggers download. Bump up requirements to
sensible versions. Cryptography 0.9 does not even compile on Fedora any
more.

ipatests is now installable. Tests need further changes to be runable.

https://fedorahosted.org/freeipa/ticket/6468

Signed-off-by: Christian Heimes 
---
 freeipa.spec.in  |  8 
 ipaclient/setup.py   |  8 ++--
 ipalib/setup.py  |  4 +---
 ipaplatform/setup.py |  3 ---
 ipapython/setup.py   |  4 +---
 ipaserver/setup.py   |  5 +
 ipasetup.py.in   |  8 
 ipatests/setup.py| 18 +-
 8 files changed, 22 insertions(+), 36 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 3865ed8..8788b9c 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -114,7 +114,7 @@ BuildRequires:  python-cffi
 BuildRequires:  samba-python
 BuildRequires:  python-setuptools
 # 0.6: serialization.load_pem_private_key, load_pem_public_key
-BuildRequires:  python-cryptography >= 0.6
+BuildRequires:  python-cryptography >= 1.3
 BuildRequires:  python-gssapi
 BuildRequires:  pylint >= 1.0
 # workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506
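Review bot: the comment `# 0.6: serialization.load_pem_private_key, load_pem_public_key` above the changed line still explains the old floor and no longer matches `python-cryptography >= 1.3`; either update it to name the 1.3 feature that motivates the bump or drop it, so the comment does not send the next reader looking for a 0.6 requirement that no longer exists.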
@@ -187,7 +187,7 @@ Requires: mod_wsgi
 Requires: mod_auth_gssapi >= 1.4.0
 Requires: mod_nss >= 1.0.8-26
 Requires: python-ldap >= 2.4.15
-Requires: python-gssapi >= 1.1.2
+Requires: python-gssapi >= 1.2
 Requires: acl
 Requires: memcached
 Requires: python-memcached
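Review bot: the bump from `python-gssapi >= 1.1.2` to `>= 1.2` is not explained anywhere; the commit message only says "sensible versions", and unlike the cryptography line this one carries no comment. Record which python-gssapi change 1.2 brings in (in a comment here, mirrored on the `python3-gssapi` line below), so that someone backporting to a platform with 1.1.x knows what actually breaks.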
@@ -510,7 +510,7 @@ Requires: gnupg
 Requires: keyutils
 Requires: pyOpenSSL
 Requires: python-nss >= 0.16
-Requires: python-cryptography >= 0.9
+Requires: python-cryptography >= 1.3
 Requires: python-netaddr
 Requires: python-libipa_hbac
 Requires: python-qrcode-core >= 5.0.0
@@ -554,7 +554,7 @@ Provides: python3-ipapython = %{version}-%{release}
 Provides: python3-ipaplatform = %{version}-%{release}
 %{?python_provide:%python_provide python3-ipaplatform}
 Requires: %{name}-common = %{version}-%{release}
-Requires: python3-gssapi >= 1.1.2
+Requires: python3-gssapi >= 1.2
 Requires: gnupg
 Requires: keyutils
 Requires: python3-pyOpenSSL
diff --git a/ipaclient/setup.py b/ipaclient/setup.py
index fc5609b..e3ec079 100644
--- a/ipaclient/setup.py
+++ b/ipaclient/setup.py
@@ -48,13 +48,9 @@
 "ipalib",
 "ipapython",
 "python-nss",
+"python-yubico",
+"pyusb",
 "qrcode",
 "six",
 ],
-setup_requires=[
-"wheel",
-],
-extra_requires={
-"otptoken_yubikey": ["yubico", "usb"]
-}
 )
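Review bot: the removed block used the key `extra_requires`, a misspelling of setuptools' `extras_require`, so the YubiKey dependencies were never an installable extra; the fix chosen here instead makes `python-yubico` and `pyusb` unconditional `install_requires` for every ipaclient install, pulling USB libraries onto hosts that will never see a YubiKey. Correcting the spelling to `extras_require={"otptoken_yubikey": ["python-yubico", "pyusb"]}` would fix the bug while keeping them optional, and would match how `ipapython/setup.py` in this same patch puts `dbus-python` under a `certmonger` extra.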
diff --git a/ipalib/setup.py b/ipalib/setup.py
index 98af7ab..94d78de 100644
--- a/ipalib/setup.py
+++ b/ipalib/setup.py
@@ -41,10 +41,8 @@
 "ipapython",
 "netaddr",
 "pyasn1",
+"pyasn1-modules",
 "python-nss",
 "six",
 ],
-setup_requires=[
-"wheel",
-],
 )
diff --git a/ipaplatform/setup.py b/ipaplatform/setup.py
index 97311de..98a9f08 100644
--- a/ipaplatform/setup.py
+++ b/ipaplatform/setup.py
@@ -46,7 +46,4 @@
 "python-nss",
 "six",
 ],
-setup_requires=[
-"wheel",
-],
 )
diff --git a/ipapython/setup.py b/ipapython/setup.py
index 087086e..772ecfd 100755
--- a/ipapython/setup.py
+++ b/ipapython/setup.py
@@ -54,11 +54,9 @@
 "requests",
 "six",
 ],
-setup_requires=[
-"wheel",
-],
 extras_require={
 ":python_version<'3'": ["enum34"],
+"certmonger": ["dbus-python"],
 },
 entry_points={
 'custodia.authorizers': [
diff --git a/ipaserver/setup.py b/ipaserver/setup.py
index 5c38843..edc3113 100755
--- a/ipaserver/setup.py
+++ b/ipaserver/setup.py
@@ -54,9 +54,9 @@
 "ipapython",
 "lxml",
 "netaddr",
-"memcache",
 "pyasn1",
 "pyldap",
+"python-memcached",
 "python-nss",
 "six",
 # not available on PyPI
@@ -66,7 +66,4 @@
 # "python-SSSDConfig",
 # "samba-python",
 ],
-setup_requires=[
-"wheel",
-],
 )
diff --git a/ipasetup.py.in b/ipasetup.py.in
index 1db4857..bde 100644
--- a/ipasetup.py.in
+++ b/ipasetup.py.in
@@ -52,9 +52,9 @@ class build_py(setuptools_build_py):
 
 
 PACKAGE_VERSION = {
-'cryptog

[Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements

2016-11-29 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/255
Title: #255: Adjustments for setup requirements

tiran commented:
"""
Would you rather claim to be compatible with a broken, unsupported, and old 
version?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/255#issuecomment-263571342

[Freeipa-devel] [freeipa PR#277][closed] DNS: URI records: bump python-dns requirements

2016-11-29 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/277
Author: mbasti-rh
 Title: #277: DNS: URI records: bump python-dns requirements
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/277/head:pr277
git checkout pr277

[Freeipa-devel] [freeipa PR#277][+pushed] DNS: URI records: bump python-dns requirements

2016-11-29 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/277
Title: #277: DNS: URI records: bump python-dns requirements

Label: +pushed

[Freeipa-devel] [freeipa PR#277][comment] DNS: URI records: bump python-dns requirements

2016-11-29 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/277
Title: #277: DNS: URI records: bump python-dns requirements

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/a291c6ded91611ea2bd1a1fdb96314721d73a75f
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/277#issuecomment-263569947

[Freeipa-devel] [freeipa PR#225][synchronized] tests: Added basic tests for certs in idoverrides

2016-11-29 Thread ofayans
   URL: https://github.com/freeipa/freeipa/pull/225
Author: ofayans
 Title: #225: tests: Added basic tests for certs in idoverrides
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/225/head:pr225
git checkout pr225
From b08686c53950ee848418f2560454ef7f35cc850c Mon Sep 17 00:00:00 2001
From: Oleg Fayans 
Date: Wed, 16 Nov 2016 12:57:49 +0100
Subject: [PATCH 1/2] Created idview tracker

Needed for basic certs in idoverrides tests

https://fedorahosted.org/freeipa/ticket/6412
---
 ipatests/test_xmlrpc/tracker/idview_plugin.py | 119 ++
 1 file changed, 119 insertions(+)
 create mode 100644 ipatests/test_xmlrpc/tracker/idview_plugin.py

diff --git a/ipatests/test_xmlrpc/tracker/idview_plugin.py b/ipatests/test_xmlrpc/tracker/idview_plugin.py
new file mode 100644
index 000..e0be0b4
--- /dev/null
+++ b/ipatests/test_xmlrpc/tracker/idview_plugin.py
@@ -0,0 +1,119 @@
+#
+# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
+#
+
+from ipalib import api
+from ipapython.dn import DN
+from ipatests.test_xmlrpc.tracker.base import Tracker
+from ipatests.util import assert_deepequal
+from ipatests.test_xmlrpc import objectclasses
+
+import six
+
+if six.PY3:
+unicode = str
+
+
+class IdviewTracker(Tracker):
+"""Class for idview tests"""
+
+retrieve_keys = {
+u'cn'
+}
+
+retrieve_all_keys = retrieve_keys | {
+u'description', u'objectclass', u'dn'
+}
+
+create_keys = retrieve_all_keys
+find_all_keys = retrieve_all_keys
+
+cert_add_cmd = api.Command.idoverrideuser_add_cert
+cert_del_cmd = api.Command.idoverrideuser_remove_cert
+
+def del_cert_from_idoverride(self, username, cert):
+result = self.cert_del_cmd(self.cn,
+   username,
+   usercertificate=cert)
+return dict(
+usercertificate=result['result'].get('usercertificate', []),
+value=result.get('value'),
+summary=result.get('summary')
+)
+
+def add_cert_to_idoverride(self, username, cert):
+result = self.cert_add_cmd(self.cn,
+   username,
+   usercertificate=cert)
+return dict(
+usercertificate=result['result'].get('usercertificate', []),
+value=result.get('value'),
+summary=result.get('summary')
+)
+
+def __init__(self, cn, **kwargs):
+super(IdviewTracker, self).__init__(default_version=None)
+self.cn = cn
+self.dn = DN(('cn', cn), api.env.container_views, api.env.basedn)
+self.kwargs = kwargs
+
+def make_create_command(self):
+return self.make_command(
+'idview_add', self.cn, **self.kwargs
+)
+
+def make_delete_command(self):
+return self.make_command(
+'idview_del', self.cn, **self.kwargs
+)
+
+def make_retrieve_command(self, all=False, raw=False):
+""" Make function that retrieves a idview using idview-show """
+return self.make_command('idview_show', self.cn, all=all)
+
+def make_find_command(self, *args, **kwargs):
+""" Make function that finds idview using idview-find """
+return self.make_command('idview_find', *args, **kwargs)
+
+def make_update_command(self, updates):
+""" Make function that updates idview using idview-mod """
+return self.make_command('idview_mod', self.cn, **updates)
+
+def track_create(self):
+self.attrs = dict(
+cn=(self.cn,),
+dn=unicode(self.dn),
+idoverrideusers=[],
+objectclass=objectclasses.idview
+)
+if 'description' in self.kwargs:
+self.attrs['description'] = self.kwargs['description']
+self.exists = True
+
+def make_add_idoverrideuser_command(self, username, options=None):
+options = options or {}
+""" Make function that adds a member to a group """
+return self.make_command('idoverrideuser_add', self.cn, username,
+ **options)
+
+def idoverrideuser_add(self, user):
+command = self.make_add_idoverrideuser_command(user.name)
+result = command()
+self.attrs['idoverrideusers'].append(result['value'])
+self.check_idoverrideuser_add(result, user)
+
+def check_create(self, result, extra_keys=()):
+""" Check 'user-add' command result """
+expected = self.filter_attrs(self.create_keys | set(extra_keys))
+assert_deepequal(dict(
+summary=u'Added ID View "%s"' % self.cn,
+result=self.filter_attrs(expected),
+value=self.cn
+), result)
+
+def check_idoverrideuser_add(self, result, user):
+""" Checks 'group_add_member' command result """
+assert_deepequal(
+ 
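Review bot: `cert_add_cmd = api.Command.idoverrideuser_add_cert` and `cert_del_cmd = api.Command.idoverrideuser_remove_cert` are now evaluated as class attributes at import time, so this module can only be imported after `api.finalize()` has populated `api.Command`; the previous revision looked the command up lazily inside the method, which is safer for a tracker module that test collection may import early. Resolve the commands inside the methods (or through a property) instead. The points from the previous revision still stand: the docstring of `make_add_idoverrideuser_command` sits after `options = options or {}` and talks about groups, `make_retrieve_command` ignores its `raw` argument, `make_delete_command` passes `**self.kwargs` to `idview_del`, and the `check_create` docstring still names `user-add`.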

[Freeipa-devel] [freeipa PR#225][synchronized] tests: Added basic tests for certs in idoverrides

2016-11-29 Thread ofayans
   URL: https://github.com/freeipa/freeipa/pull/225
Author: ofayans
 Title: #225: tests: Added basic tests for certs in idoverrides
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/225/head:pr225
git checkout pr225
From e776974018333974becba97af56df20ab250a4b7 Mon Sep 17 00:00:00 2001
From: Oleg Fayans 
Date: Wed, 16 Nov 2016 12:57:49 +0100
Subject: [PATCH 1/2] Created idview tracker

Needed for basic certs in idoverrides tests

https://fedorahosted.org/freeipa/ticket/6412
---
 ipatests/test_xmlrpc/objectclasses.py |   6 ++
 ipatests/test_xmlrpc/tracker/idview_plugin.py | 119 ++
 2 files changed, 125 insertions(+)
 create mode 100644 ipatests/test_xmlrpc/tracker/idview_plugin.py

diff --git a/ipatests/test_xmlrpc/objectclasses.py b/ipatests/test_xmlrpc/objectclasses.py
index 1ea020b..cad4c48 100644
--- a/ipatests/test_xmlrpc/objectclasses.py
+++ b/ipatests/test_xmlrpc/objectclasses.py
@@ -227,3 +227,9 @@
 u'top',
 u'ipaca',
 ]
+
+idview = [
+u'ipaIDView',
+u'top',
+u'nsContainer'
+]
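Review bot: style: the list immediately above ends its last element with a trailing comma (`u'ipaca',`) while the new `idview` list leaves `u'nsContainer'` without one; add the comma so the file stays consistent and later additions produce one-line diffs.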
diff --git a/ipatests/test_xmlrpc/tracker/idview_plugin.py b/ipatests/test_xmlrpc/tracker/idview_plugin.py
new file mode 100644
index 000..e0be0b4
--- /dev/null
+++ b/ipatests/test_xmlrpc/tracker/idview_plugin.py
@@ -0,0 +1,119 @@
+#
+# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
+#
+
+from ipalib import api
+from ipapython.dn import DN
+from ipatests.test_xmlrpc.tracker.base import Tracker
+from ipatests.util import assert_deepequal
+from ipatests.test_xmlrpc import objectclasses
+
+import six
+
+if six.PY3:
+unicode = str
+
+
+class IdviewTracker(Tracker):
+"""Class for idview tests"""
+
+retrieve_keys = {
+u'cn'
+}
+
+retrieve_all_keys = retrieve_keys | {
+u'description', u'objectclass', u'dn'
+}
+
+create_keys = retrieve_all_keys
+find_all_keys = retrieve_all_keys
+
+cert_add_cmd = api.Command.idoverrideuser_add_cert
+cert_del_cmd = api.Command.idoverrideuser_remove_cert
+
+def del_cert_from_idoverride(self, username, cert):
+result = self.cert_del_cmd(self.cn,
+   username,
+   usercertificate=cert)
+return dict(
+usercertificate=result['result'].get('usercertificate', []),
+value=result.get('value'),
+summary=result.get('summary')
+)
+
+def add_cert_to_idoverride(self, username, cert):
+result = self.cert_add_cmd(self.cn,
+   username,
+   usercertificate=cert)
+return dict(
+usercertificate=result['result'].get('usercertificate', []),
+value=result.get('value'),
+summary=result.get('summary')
+)
+
+def __init__(self, cn, **kwargs):
+super(IdviewTracker, self).__init__(default_version=None)
+self.cn = cn
+self.dn = DN(('cn', cn), api.env.container_views, api.env.basedn)
+self.kwargs = kwargs
+
+def make_create_command(self):
+return self.make_command(
+'idview_add', self.cn, **self.kwargs
+)
+
+def make_delete_command(self):
+return self.make_command(
+'idview_del', self.cn, **self.kwargs
+)
+
+def make_retrieve_command(self, all=False, raw=False):
+""" Make function that retrieves a idview using idview-show """
+return self.make_command('idview_show', self.cn, all=all)
+
+def make_find_command(self, *args, **kwargs):
+""" Make function that finds idview using idview-find """
+return self.make_command('idview_find', *args, **kwargs)
+
+def make_update_command(self, updates):
+""" Make function that updates idview using idview-mod """
+return self.make_command('idview_mod', self.cn, **updates)
+
+def track_create(self):
+self.attrs = dict(
+cn=(self.cn,),
+dn=unicode(self.dn),
+idoverrideusers=[],
+objectclass=objectclasses.idview
+)
+if 'description' in self.kwargs:
+self.attrs['description'] = self.kwargs['description']
+self.exists = True
+
+def make_add_idoverrideuser_command(self, username, options=None):
+options = options or {}
+""" Make function that adds a member to a group """
+return self.make_command('idoverrideuser_add', self.cn, username,
+ **options)
+
+def idoverrideuser_add(self, user):
+command = self.make_add_idoverrideuser_command(user.name)
+result = command()
+self.attrs['idoverrideusers'].append(result['value'])
+self.check_idoverrideuser_add(result, user)
+
+def check_create(self, result, extra_keys=()):
+""" Check 'user-add' command result """
+expected = se
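Review bot: `make_delete_command` forwards `**self.kwargs` (the creation options, e.g. `description`) to `idview_del`, which is unlikely to accept them; build the delete command from `self.cn` alone. Smaller points in the same file: in `make_add_idoverrideuser_command` the docstring sits after `options = options or {}`, so it is a plain string statement rather than a docstring, and both it and `check_idoverrideuser_add` still carry copied group wording ("adds a member to a group", "group_add_member"); `check_create`'s docstring says 'user-add' while it checks the `idview-add` result; `make_retrieve_command` accepts `raw` but never passes it to `idview_show`.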

[Freeipa-devel] [freeipa PR#282][opened] replicainstall: give correct error message on DL mismatch

2016-11-29 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/282
Author: stlaz
 Title: #282: replicainstall: give correct error message on DL mismatch
Action: opened

PR body:
"""
https://fedorahosted.org/freeipa/ticket/6510
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/282/head:pr282
git checkout pr282
From 88eef020e93b7f23c7de0a2f8a3bd3611395bf61 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Tue, 29 Nov 2016 14:08:19 +0100
Subject: [PATCH] replicainstall: give correct error message on DL mismatch

https://fedorahosted.org/freeipa/ticket/6510
---
 ipaserver/install/server/replicainstall.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index a7b333c..0f45bea 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -557,7 +557,7 @@ def check_domain_level(api, expected):
 # available
 current = constants.DOMAIN_LEVEL_0
 
-if expected == constants.DOMAIN_LEVEL_0:
+if current == constants.DOMAIN_LEVEL_0:
 message = (
 "You must provide a file generated by ipa-replica-prepare to "
 "create a replica when the domain is at level 0."
-- 
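Review bot: no test accompanies the fix (the diffstat touches only `replicainstall.py`); since the inverted comparison `expected == constants.DOMAIN_LEVEL_0` went unnoticed, add a unit test for `check_domain_level` that covers both mismatch directions and asserts which message is produced. The corrected condition keys the ipa-replica-prepare hint on the level the existing topology actually reports (`current`, which the preceding lines also set to DL0 when the attribute is unavailable) rather than on the level requested, which is what the message text describes.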
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#277][+ack] DNS: URI records: bump python-dns requirements

2016-11-29 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/277
Title: #277: DNS: URI records: bump python-dns requirements

Label: +ack

[Freeipa-devel] [freeipa PR#277][synchronized] DNS: URI records: bump python-dns requirements

2016-11-29 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/277
Author: mbasti-rh
 Title: #277: DNS: URI records: bump python-dns requirements
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/277/head:pr277
git checkout pr277
From 462bdca9aea5d6668a01bf420097df59d38eb4c5 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Mon, 28 Nov 2016 14:52:21 +0100
Subject: [PATCH] DNS: URI records: bump python-dns requirements

Support for DNS URI records has been added in python-dns 1.13

https://fedorahosted.org/freeipa/ticket/6344
---
 freeipa.spec.in | 10 +-
 ipasetup.py.in  |  2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index c683ad3..f336fae 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -124,8 +124,8 @@ BuildRequires:  python-memcached
 BuildRequires:  python-lxml
 # 5.0.0: QRCode.print_ascii
 BuildRequires:  python-qrcode-core >= 5.0.0
-# 1.11.0: resolver.YXDOMAIN, Resolver.set_flags
-BuildRequires:  python-dns >= 1.11.0
+# 1.13: python-dns URI record support
+BuildRequires:  python-dns >= 1.13
 BuildRequires:  jsl
 BuildRequires:  python-yubico
 # pki Python package
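Review bot: most lower bounds in this spec carry a full patch component (`5.0.0`, `1.11.0`, `1.11.1`, `2.4.15`); consider writing `1.13.0` here and in the `Requires:` hunks below so the version strings stay uniform. rpm accepts either spelling, so this is style only. Collapsing the previous `1.11.0` BuildRequires / `1.11.1` Requires split onto a single value is a welcome side effect.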
@@ -254,7 +254,7 @@ Requires: python-gssapi >= 1.1.2
 Requires: python-sssdconfig
 Requires: python-pyasn1
 Requires: dbus-python
-Requires: python-dns >= 1.11.1
+Requires: python-dns >= 1.13
 Requires: python-kdcproxy >= 0.3
 Requires: rpm-libs
 
@@ -411,7 +411,7 @@ BuildArch: noarch
 Requires: %{name}-client-common = %{version}-%{release}
 Requires: %{name}-common = %{version}-%{release}
 Requires: python2-ipalib = %{version}-%{release}
-Requires: python-dns >= 1.11.1
+Requires: python-dns >= 1.13
 
 %description -n python2-ipaclient
 IPA is an integrated solution to provide centrally managed Identity (users,
@@ -526,7 +526,7 @@ Requires: python-cffi
 Requires: python-ldap >= 2.4.15
 Requires: python-requests
 Requires: python-custodia
-Requires: python-dns >= 1.11.1
+Requires: python-dns >= 1.13
 Requires: python-enum34
 Requires: python-netifaces >= 0.10.4
 Requires: pyusb
diff --git a/ipasetup.py.in b/ipasetup.py.in
index fac4b25..1db4857 100644
--- a/ipasetup.py.in
+++ b/ipasetup.py.in
@@ -53,7 +53,7 @@ class build_py(setuptools_build_py):
 
 PACKAGE_VERSION = {
 'cryptography': 'cryptography >= 0.9',
-'dnspython': 'dnspython >= 1.11.1',
+'dnspython': 'dnspython >= 1.13',
 'gssapi': 'gssapi > 1.1.2',
 'ipaclient': 'ipaclient == @VERSION@',
 'ipalib': 'ipalib == @VERSION@',

[Freeipa-devel] [freeipa PR#277][comment] DNS: URI records: bump python-dns requirements

2016-11-29 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/277
Title: #277: DNS: URI records: bump python-dns requirements

mbasti-rh commented:
"""
Thank you, fixed.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/277#issuecomment-263562846

[Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements

2016-11-29 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/255
Title: #255: Adjustments for setup requirements

mbasti-rh commented:
"""
So create separate commits:
- one fixing ipasetup.py
- one bumping python-gssapi for PyPI, with a proper explanation in the commit message; maybe a comment in the code would be helpful too.
And we will be happy because we have a reason why it needs to be raised, and this reason can be found in the git history.

I'm still not persuaded of the need for bumping cryptography.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/255#issuecomment-263554517

[Freeipa-devel] [freeipa PR#281][comment] Accept server host names resolvable only using /etc/hosts

2016-11-29 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/281
Title: #281: Accept server host names resolvable only using /etc/hosts

martbab commented:
"""
So can you imagine some scenario where this behavior may cause issues? Some 
exotic DNS setup maybe?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/281#issuecomment-263553887

[Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements

2016-11-29 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/255
Title: #255: Adjustments for setup requirements

tiran commented:
"""
You said Fedora, I didn't. The build bug is not related to Fedora at all. 
Cryptography 0.9 does not build on any distribution or platform with a recent 
version of OpenSSL.

Touché, I said Fedora in the commit message.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/255#issuecomment-263552748

[Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements

2016-11-29 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/255
Title: #255: Adjustments for setup requirements

tiran commented:
"""
You said Fedora, I didn't. The build bug is not related to Fedora at all. 
Cryptography 0.9 does not build on any distribution or platform with a recent 
version of OpenSSL.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/255#issuecomment-263552748

[Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements

2016-11-29 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/255
Title: #255: Adjustments for setup requirements

mbasti-rh commented:
"""
> PS: There is no technical reason to bump the version of python-gssapi in 
> freeipa.spec. The enum34 dependency issue is solely a Python packaging bug. 
> It does not affect RPM packages. Since you insist on syncing PyPI versions 
> with RPM versions, I had to bump both. Have it your way.

So finally we have a reason to bump the version, which should be documented in the git 
history as a separate commit.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/255#issuecomment-263552388

[Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements

2016-11-29 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/255
Title: #255: Adjustments for setup requirements

tiran commented:
"""
PS: There is no technical reason to bump the version of python-gssapi in 
freeipa.spec. The enum34 dependency issue is solely a Python packaging bug. It 
does not affect RPM packages. Since you insist on syncing PyPI versions with 
RPM versions, I had to bump both. Have it your way.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/255#issuecomment-263552051

[Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements

2016-11-29 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/255
Title: #255: Adjustments for setup requirements

mbasti-rh commented:
"""
> @mbasti-rh The bumped version numbers are required. gssapi needs to be bumped 
> because 1.1.x has wrong dependency information for Python 3 (enum34). 
So, this is a broken Fedora dependency on the Fedora side? If yes, then this should be 
fixed by a Fedora downstream patch. I don't see a reason why the upstream version 
should have a raised dependency just because Fedora is broken.

> cryptography 0.9 does not build any more. gssapi 1.2 and cryptography 1.3 are 
> the oldest releases that have actually been tested by QE. I did not bother to 
> verify older releases because I consider it a waste of time and resources. In 
> a couple of weeks we have to bump up cryptography to 1.7 anyway.

I don't see a reason to bump Requires just because we are unable to build on 
Fedora. Fedora is not the only Linux distro.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/255#issuecomment-263552072

[Freeipa-devel] [freeipa PR#273][closed] Build: workaround bug while calling parallel make from rpmbuild

2016-11-29 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/273
Author: pspacek
 Title: #273: Build: workaround bug while calling parallel make from rpmbuild
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/273/head:pr273
git checkout pr273

[Freeipa-devel] [freeipa PR#273][comment] Build: workaround bug while calling parallel make from rpmbuild

2016-11-29 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/273
Title: #273: Build: workaround bug while calling parallel make from rpmbuild

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/132b475c2586f3ced68724355e9c45722dccf604
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/273#issuecomment-263551875

[Freeipa-devel] [freeipa PR#273][+pushed] Build: workaround bug while calling parallel make from rpmbuild

2016-11-29 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/273
Title: #273: Build: workaround bug while calling parallel make from rpmbuild

Label: +pushed

[Freeipa-devel] [freeipa PR#228][comment] cert-request: allow directoryName in SAN extension

2016-11-29 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/228
Title: #228: cert-request: allow directoryName in SAN extension

tomaskrizek commented:
"""
@frasertweedale Oh, I didn't realize the DN in SAN matches the LDAP DN, while 
the Subject DN does not.

In that case, this PR makes sense to me as is. I also don't see the need to 
validate the Subject DN and the SAN DN differently, since they use different 
representations (the subject is a more generic identifier, as @tiran pointed out, 
while the SAN DN should be the unique LDAP DN identifier).
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/228#issuecomment-263550747

[Freeipa-devel] [freeipa PR#174][comment] add log module

2016-11-29 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/174
Title: #174: add log module

mbasti-rh commented:
"""
Hello,

what I meant was to send the fix for the missing translation strings as a separate PR, 
and if you identified any parts of the code that should be logged too, you can send 
a PR for that too.

Basically your changes in `ipalib/plugins/config.py` and at the end of 
`ipaserver/rpcserver.py` (but the second one needs discussion first about why it is 
needed).

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/174#issuecomment-263550567

[Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements

2016-11-29 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/255
Title: #255: Adjustments for setup requirements

tiran commented:
"""
@mbasti-rh The bumped version numbers are required. gssapi needs to be bumped 
because 1.1.x has wrong dependency information for Python 3 (enum34). 
cryptography 0.9 does not build any more. gssapi 1.2 and cryptography 1.3 are 
the oldest releases that have actually been tested by QE. I did not bother to 
verify older releases because I consider it a waste of time and resources. In a 
couple of weeks we have to bump up cryptography to 1.7 anyway.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/255#issuecomment-263550183

[Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements

2016-11-29 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/255
Title: #255: Adjustments for setup requirements

tiran commented:
"""
@mbasti-rh The bumped version numbers are required. gssapi needs to be bumped 
because 1.1.x has wrong dependency information for Python 3 (enum34). 
cryptography 0.9 does not build any more. gssapi 1.2 and cryptography 1.3 are 
the oldest releases that have actually been tested by QE.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/255#issuecomment-263550183

[Freeipa-devel] [freeipa PR#271][+ack] Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient

2016-11-29 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/271
Title: #271: Remove hard dependency on ipaplatform from ipapython, ipalib and 
ipaclient

Label: +ack

[Freeipa-devel] [freeipa PR#271][comment] Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient

2016-11-29 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/271
Title: #271: Remove hard dependency on ipaplatform from ipapython, ipalib and 
ipaclient

stlaz commented:
"""
I checked the rebase again as well as ran the tests. The changes in the PR 
clean the code nicely aside from doing what's proposed in the given ticket. The 
issues from CI and QuantifiedCode are only caused by moving the code in between 
modules. ACK.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/271#issuecomment-263548530

[Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements

2016-11-29 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/255
Title: #255: Adjustments for setup requirements

mbasti-rh commented:
"""
@tiran You can split the patch into the useful part, and please send the unneeded 
bumping of Requires as a separate pull request; we can continue the discussion 
about bumping versions there. It is an unrelated part of the patch and should be 
in a separate commit anyway.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/255#issuecomment-263547842

[Freeipa-devel] [freeipa PR#228][comment] cert-request: allow directoryName in SAN extension

2016-11-29 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/228
Title: #228: cert-request: allow directoryName in SAN extension

tiran commented:
"""
I'm on topic and I'm trying to understand your point. Why do you see a 
relationship between the subject DN of an X.509 certificate and the directoryName general 
name in the SAN X.509v3 extension? It doesn't make sense to me. The subject follows 
different rules, e.g. a disjunct set of RDN attributes. Attributes like DC, UID 
etc. are not commonly found in an X.509 cert's subject.

Furthermore, a CA usually imposes some policies and requires the certificate's 
subject to have fixed C, O, OU, etc. values. With multiple SubCAs (e.g. for VPN, 
client cert auth, host certs) we end up with different subject DNs but with the 
same directoryName GN SAN entry. The directoryName is designed to hold an LDAP 
DN.

By the way, I was quoting the RFC to give some context. With X.509 there is no 
such thing as an obvious thing. In fact, multiple certs with the same Subject DN 
are very relevant and important for this topic. A certificate's Subject DN is 
not really a distinguishing name in the sense of a unique identifier.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/228#issuecomment-263546428
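The distinction argued in the comment above, a subject DN shaped by CA policy versus a directoryName SAN entry carrying the entry's LDAP DN, is easiest to see at the DER level. The following is an added example and is not FreeIPA code or anything from PR#228: a stdlib-only encoder and decoder for the GeneralNames value of a subjectAltName extension, holding one dNSName and one directoryName. The host name, the LDAP DN and the subject string are constructed for the example; the encoder handles only single-valued RDNs with UTF8String values, no RFC 4514 escaping, and only the attribute types listed in the `OIDS` table. It also shows a point that bites when comparing the two DNs: a DER `Name` is ordered root first, while the RFC 4514 string form lists the leaf RDN first.

```python
# Added example (not FreeIPA code): DER round trip for a subjectAltName
# GeneralNames holding a dNSName and a directoryName with an LDAP DN.
# Stdlib only. Simplifications: single-valued RDNs, UTF8String values,
# no RFC 4514 escaping, only the attribute types listed in OIDS.

OIDS = {                                    # RDN attribute types used below
    "uid": "0.9.2342.19200300.100.1.1",
    "dc": "0.9.2342.19200300.100.1.25",
    "cn": "2.5.4.3",
    "o": "2.5.4.10",
}
OID_NAMES = {v: k for k, v in OIDS.items()}

# Constructed identities: a subject a CA policy might impose on every cert it
# issues, and the entry's actual LDAP DN, which is what directoryName carries.
SUBJECT_DN = "cn=alice,o=EXAMPLE.TEST"
LDAP_DN = "uid=alice,cn=users,cn=accounts,dc=example,dc=test"


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs share one byte, the rest are base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def encode_dn(ldap_dn):
    """Name ::= SEQUENCE OF RDN, root first; RFC 4514 strings are leaf first."""
    rdns = []
    for rdn in reversed(ldap_dn.split(",")):
        attr, value = rdn.strip().split("=", 1)
        atv = tlv(0x30, encode_oid(OIDS[attr.lower()]) + tlv(0x0C, value.encode()))
        rdns.append(tlv(0x31, atv))         # RDN ::= SET OF AttributeTypeAndValue
    return tlv(0x30, b"".join(rdns))


def encode_general_names(dns_names, directory_names):
    """[2] dNSName is IMPLICIT IA5String; [4] directoryName is EXPLICIT (Name is a CHOICE)."""
    items = [tlv(0x82, n.encode("ascii")) for n in dns_names]
    items += [tlv(0xA4, encode_dn(dn)) for dn in directory_names]
    return tlv(0x30, b"".join(items))


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _iter_tlvs(buf):
    pos = 0
    while pos < len(buf):
        tag, body, pos = _read_tlv(buf, pos)
        yield tag, body


def decode_dn(name_der):
    _, rdn_seq, _ = _read_tlv(name_der, 0)
    rdns = []
    for _, rdn_set in _iter_tlvs(rdn_seq):
        _, atv, _ = _read_tlv(rdn_set, 0)
        _, oid_body, pos = _read_tlv(atv, 0)
        _, value, _ = _read_tlv(atv, pos)
        oid = decode_oid(oid_body)
        rdns.append("%s=%s" % (OID_NAMES.get(oid, oid), value.decode()))
    return ",".join(reversed(rdns))          # back to leaf-first string form


def decode_general_names(der):
    """Return [(kind, value), ...] in the order the extension lists them."""
    _, body, _ = _read_tlv(der, 0)
    out = []
    for tag, gn in _iter_tlvs(body):
        if tag == 0x82:
            out.append(("dNSName", gn.decode("ascii")))
        elif tag == 0xA4:
            out.append(("directoryName", decode_dn(gn)))
        else:
            out.append(("tag 0x%02x" % tag, gn.hex()))
    return out


def san_directory_names(der):
    """The LDAP DNs a SAN asserts, independent of whatever the subject DN says."""
    return [v for kind, v in decode_general_names(der) if kind == "directoryName"]


if __name__ == "__main__":
    san = encode_general_names(["alice.example.test"], [LDAP_DN])
    print("subject DN:", decode_dn(encode_dn(SUBJECT_DN)))
    for kind, value in decode_general_names(san):
        print("SAN %-13s %s" % (kind, value))
```

Two things are worth noticing when running it: the encoded GeneralNames for this input is over 127 bytes, so the outer SEQUENCE uses a long-form length and a decoder that only handles the short form would misparse it; and the subject and the directoryName are independent structures, so a validator that wants the SAN DN to be the LDAP DN has to compare it against the directory entry, not against the subject.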

[Freeipa-devel] [freeipa PR#280][comment] Set explicit confdir option for global contexts

2016-11-29 Thread jcholast
  URL: https://github.com/freeipa/freeipa/pull/280
Title: #280: Set explicit confdir option for global contexts

jcholast commented:
"""
Please explain, all of the affected scripts are server-only and thus not 
related to the integration effort and most probably won't work correctly with 
non-server configuration anyway.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/280#issuecomment-263540749

[Freeipa-devel] [freeipa PR#228][comment] cert-request: allow directoryName in SAN extension

2016-11-29 Thread jcholast
  URL: https://github.com/freeipa/freeipa/pull/228
Title: #228: cert-request: allow directoryName in SAN extension

jcholast commented:
"""
@tiran, could you please stay on topic? I haven't said anything about it being 
mandatory, and it's not the point anyway (consistency between subject DN and DN 
SAN validation is). About CA being allowed to issue multiple certs with the 
same subject DN, thanks for stating the obvious, but again, not the point here.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/228#issuecomment-263539133

[Freeipa-devel] [freeipa PR#228][comment] cert-request: allow directoryName in SAN extension

2016-11-29 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/228
Title: #228: cert-request: allow directoryName in SAN extension

tiran commented:
"""
@jcholast I'm not familiar with any standard that mandates that an X.509 Subject 
DN should identify a subject in a directory. Which standard mandates the 
relationship? RFC 5280 only requires that the Subject DN must be unique for 
each entity. A CA is allowed to issue multiple certs with the same Subject DN 
for the same entity. https://tools.ietf.org/html/rfc5280#section-4.1.2.6
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/228#issuecomment-263536634

[Freeipa-devel] [freeipa PR#280][comment] Set explicit confdir option for global contexts

2016-11-29 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/280
Title: #280: Set explicit confdir option for global contexts

tiran commented:
"""
I fixed a few. Some scripts deliberately do not have the confdir flag in 
bootstrap.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/280#issuecomment-263532412

[Freeipa-devel] [freeipa PR#266][comment] ipapython: simplify Env object initialization

2016-11-29 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/266
Title: #266: ipapython: simplify Env object initialization

stlaz commented:
"""
This PR breaks almost all tests in test_ipalib/test_crud.py with 
`AttributeError: 'API' object has no attribute 'env'`. This error can be 
observed in some other tests:
http://pastebin.com/8EjE2QVS (please disregard the DNS tests failures).
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/266#issuecomment-263532334

[Freeipa-devel] [freeipa PR#280][synchronized] Set explicit confdir option for global contexts

2016-11-29 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/280
Author: tiran
 Title: #280: Set explicit confdir option for global contexts
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/280/head:pr280
git checkout pr280
From 686ade0be3bffd8bda3795728163d5d27df0b9ad Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Mon, 28 Nov 2016 16:24:33 +0100
Subject: [PATCH 1/2] Set explicit confdir option for global contexts

Some API contexts are used to modify global state (e.g. files in /etc
and /var). These contexts do not support confdir overrides. Initialize
the API with an explicit confdir argument to paths.ETC_IPA.

The special contexts are:

* backup
* cli_installer
* installer
* ipctl
* renew
* restore
* server
* updates

The patch also corrects the context of the ipa-httpd-kdcproxy script to
'server'.

https://fedorahosted.org/freeipa/ticket/6389

Signed-off-by: Christian Heimes 
---
 client/ipa-client-automount |  1 +
 install/certmonger/dogtag-ipa-ca-renew-agent-submit |  2 +-
 install/migration/migration.py  |  3 ++-
 install/oddjob/com.redhat.idm.trust-fetch-domains   |  4 +++-
 install/restart_scripts/renew_ca_cert   |  2 +-
 install/restart_scripts/restart_dirsrv  |  3 ++-
 install/restart_scripts/stop_pkicad |  3 ++-
 install/share/copy-schema-to-ca.py  |  3 ++-
 install/share/wsgi.py   |  6 --
 install/tools/ipa-httpd-kdcproxy|  3 ++-
 install/tools/ipa-replica-conncheck |  4 +++-
 install/tools/ipactl|  5 -
 ipaclient/install/client.py |  1 +
 ipaclient/ipa_certupdate.py |  2 +-
 ipaserver/install/ipa_backup.py |  2 +-
 ipaserver/install/ipa_ldap_updater.py   |  2 +-
 ipaserver/install/ipa_restore.py|  1 +
 ipaserver/install/ipa_server_upgrade.py |  2 +-
 ipaserver/install/ipa_winsync_migrate.py|  3 ++-
 ipaserver/install/ldapupdate.py |  4 +++-
 ipaserver/install/server/install.py |  2 ++
 ipaserver/install/server/replicainstall.py  | 19 +--
 22 files changed, 53 insertions(+), 24 deletions(-)

diff --git a/client/ipa-client-automount b/client/ipa-client-automount
index 53c0537..93b1eaf 100755
--- a/client/ipa-client-automount
+++ b/client/ipa-client-automount
@@ -383,6 +383,7 @@ def main():
 
 cfg = dict(
 context='cli_installer',
+confdir=paths.ETC_IPA,
 in_server=False,
 debug=options.debug,
 verbose=0,
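Review bot: the diffstat shows a single added line for this file, so `paths` must already be imported in `ipa-client-automount`; please confirm, since an unresolved `paths` would only fail at runtime. Also note that this is a client-side tool, while the discussion on this PR describes the affected scripts as server-only; if the `cli_installer` context is meant to ignore confdir overrides on clients as well, the commit message should say so.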
diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
index 7389a5e..2e137ad 100755
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@@ -494,7 +494,7 @@ def main():
 'ipaCACertRenewal': renew_ca_cert,
 }
 
-api.bootstrap(in_server=True, context='renew')
+api.bootstrap(in_server=True, context='renew', confdir=paths.ETC_IPA)
 api.finalize()
 api.Backend.ldap2.connect()
 
diff --git a/install/migration/migration.py b/install/migration/migration.py
index 4743279..73e4777 100644
--- a/install/migration/migration.py
+++ b/install/migration/migration.py
@@ -24,6 +24,7 @@
 import errno
 from wsgiref.util import request_uri
 
+from ipaplatform.paths import paths
 from ipapython.ipa_log_manager import root_logger
 from ipapython.dn import DN
 from ipapython import ipaldap
@@ -72,7 +73,7 @@ def application(environ, start_response):
 
 # API object only for configuration, finalize() not needed
 api = create_api(mode=None)
-api.bootstrap(context='server', in_server=True)
+api.bootstrap(context='server', confdir=paths.ETC_IPA, in_server=True)
 try:
 bind(api.env.ldap_uri, api.env.basedn,
  form_data['username'].value, form_data['password'].value)
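Review bot: pinning the configuration directory is the right call for this WSGI application: the lines right below bind to LDAP with caller-supplied `form_data['username']` and `form_data['password']`, and a process handling credentials should not let an override from outside the process redirect it to a different configuration. Style point on the import hunk above: `from ipaplatform.paths import paths` is inserted above the `ipapython` imports; group it with the other project imports in the order the file already uses.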
diff --git a/install/oddjob/com.redhat.idm.trust-fetch-domains b/install/oddjob/com.redhat.idm.trust-fetch-domains
index b663daa..073e254 100755
--- a/install/oddjob/com.redhat.idm.trust-fetch-domains
+++ b/install/oddjob/com.redhat.idm.trust-fetch-domains
@@ -9,6 +9,7 @@ from ipalib.config import Env
 from ipalib.constants import DEFAULT_CONFIG
 from ipapython.ipautil import kinit_keytab
 from ipaplatform.constants import constants
+from ipaplatform.paths import paths
 import sys
 import os
 import pwd
@@ -94,7 +95,8 @@ env._bootstrap(debug=options.debug, log=None)
 env._finalize_core(**dict(DEFAULT_CONFIG))
 
 # Initialize the API with the proper debug level
-api.bootstrap(in_server=True, debug=env.debug, log=None, context='server')
+api.bootstrap(in_server=True, debug=env.debug, log=None,
+  context='server', confdir=paths.ETC_IPA)
 api.finalize(
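Review bot: the standalone `Env` bootstrapped at the top of this hunk (`env._bootstrap(debug=options.debug, log=None)` followed by `env._finalize_core(**dict(DEFAULT_CONFIG))`) is not given `confdir`, while the `api.bootstrap` call just below now pins it to `paths.ETC_IPA`; if that Env honours an override, the helper takes its debug setting from one configuration and everything else from another. Pass the same `confdir` to `env._bootstrap` (or read `debug` from the API's env after bootstrap) so this oddjob helper, which runs privileged on behalf of D-Bus callers, reads exactly one configuration.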

[Freeipa-devel] [freeipa PR#228][comment] cert-request: allow directoryName in SAN extension

2016-11-29 Thread frasertweedale
  URL: https://github.com/freeipa/freeipa/pull/228
Title: #228: cert-request: allow directoryName in SAN extension

frasertweedale commented:
"""
@jcholast OK.  Let's put this PR on ice for now... I may well take up your 
suggestion to allow subject DN to match LDAP DN, but I don't have the cycles 
for it right now.

Thanks for your feedback.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/228#issuecomment-263524060

[Freeipa-devel] [freeipa PR#228][comment] cert-request: allow directoryName in SAN extension

2016-11-29 Thread jcholast
  URL: https://github.com/freeipa/freeipa/pull/228
Title: #228: cert-request: allow directoryName in SAN extension

jcholast commented:
"""
@frasertweedale, if the subject DN need not match the LDAP DN, then DN SANs 
need not match it either - both the subject DN and DN SANs are supposed to 
identify the subject in the directory, and for us the directory is LDAP. There 
should be no special casing one way or the other: if something is allowed for 
the subject DN it must be allowed for DN SANs and vice versa (with the 
exception of the special handling of the most specific CN in the subject DN of 
server certificates). The fact that we currently require a non-LDAP subject DN 
in `cert-request` is a different issue. All I'm asking for is consistency. If 
we first allowed the subject DN to match the LDAP DN I would be perfectly happy 
with this PR.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/228#issuecomment-263521018

[Freeipa-devel] [freeipa PR#279][synchronized] installer: Stop adding distro-specific NTP servers into ntp.conf

2016-11-29 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/279
Author: dkupka
 Title: #279: installer: Stop adding distro-specific NTP servers into ntp.conf
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/279/head:pr279
git checkout pr279
From ceceeb67b37510779fe26902ecc1cb89d66d9d2f Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Mon, 28 Nov 2016 15:56:30 +0100
Subject: [PATCH] installer: Stop adding distro-specific NTP servers into
 ntp.conf

Distribution packaged ntpd has servers preconfigured in ntp.conf so
there's no point in trying to add them again during FreeIPA server
installation.

https://fedorahosted.org/freeipa/ticket/6486
---
 ipaserver/install/ntpinstance.py | 17 -
 1 file changed, 17 deletions(-)

diff --git a/ipaserver/install/ntpinstance.py b/ipaserver/install/ntpinstance.py
index 716eb08..a8b1f61 100644
--- a/ipaserver/install/ntpinstance.py
+++ b/ipaserver/install/ntpinstance.py
@@ -20,7 +20,6 @@
 
 from ipaserver.install import service
 from ipaserver.install import sysupgrade
-from ipapython import ipautil
 from ipaplatform.constants import constants
 from ipaplatform.paths import paths
 from ipapython.ipa_log_manager import root_logger
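Review bot: removing `from ipapython import ipautil` is only safe if `ipautil.file_exists` in the next hunk was the module's sole use of `ipautil`; the diffstat shows 17 deletions and no insertions, so any other `ipautil.` reference left in ntpinstance.py would now fail with a NameError at runtime rather than at import time. Please grep the file before merging.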
@@ -60,20 +59,7 @@ def __write_config(self):
 self.fstore.backup_file(paths.NTP_CONF)
 self.fstore.backup_file(paths.SYSCONFIG_NTPD)
 
-# We use the OS variable to point it towards either the rhel
-# or fedora pools. Other distros should be added in the future
-# or we can get our own pool.
-os = ""
-if ipautil.file_exists(paths.ETC_FEDORA_RELEASE):
-os = "fedora"
-elif ipautil.file_exists(paths.ETC_REDHAT_RELEASE):
-os = "rhel"
-
 srv_vals = []
-srv_vals.append("0.%s.pool.ntp.org" % os)
-srv_vals.append("1.%s.pool.ntp.org" % os)
-srv_vals.append("2.%s.pool.ntp.org" % os)
-srv_vals.append("3.%s.pool.ntp.org" % os)
 srv_vals.append("127.127.1.0")
 fudge = ["fudge", "127.127.1.0", "stratum", "10"]
 
@@ -96,9 +82,6 @@ def __write_config(self):
 break
 if match:
 srv_vals.remove(srv)
-else:
-file_changed = True
-line = ""
 elif opt[0] == "fudge":
 if opt[0:4] == fudge[0:4]:
 fudge_present = True
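Review bot: dropping the `else:` branch (`file_changed = True`, `line = ""`) is what stops the installer from blanking `server` lines it did not write, which is the intent, but the loop now also no longer marks the file changed when it passes over a foreign `server` entry; confirm that `file_changed` is still set on the path that appends any leftover `srv_vals` entries, otherwise a config lacking `127.127.1.0` would not be rewritten. Worth noting in the commit message as well: hosts upgraded from an earlier release keep their old `N.fedora.pool.ntp.org` or `N.rhel.pool.ntp.org` lines, since nothing removes them now.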

[Freeipa-devel] [freeipa PR#280][comment] Set explicit confdir option for global contexts

2016-11-29 Thread jcholast
  URL: https://github.com/freeipa/freeipa/pull/280
Title: #280: Set explicit confdir option for global contexts

jcholast commented:
"""
You missed a few:
```
daemons/dnssec/ipa-dnskeysync-replica:124:ipalib.api.bootstrap(in_server=True, log=None)  # no logging to file
daemons/dnssec/ipa-dnskeysyncd:23:api.bootstrap(in_server=True, log=None)  # no logging to file
daemons/dnssec/ipa-ods-exporter:618:ipalib.api.bootstrap(in_server=True, log=None)  # no logging to file
doc/guide/wsgi.py.txt:9:env._bootstrap(context='server', log=None)
doc/guide/wsgi.py.txt:13:api.bootstrap(context='server', debug=env.debug, log=None) (ref:wsgi-app-bootstrap)
install/restart_scripts/renew_ra_cert:39:api.bootstrap(in_server=True, context='restart')
install/tools/ipa-adtrust-install:269:api.bootstrap(**cfg)
install/tools/ipa-ca-install:262:api.bootstrap(in_server=True, ra_plugin='dogtag')
install/tools/ipa-compat-manage:105:api.bootstrap(context='cli', in_server=True, debug=options.debug)
install/tools/ipa-csreplica-manage:418:api.bootstrap(**api_env)
install/tools/ipa-dns-install:139:api.bootstrap(**cfg)
install/tools/ipa-managed-entries:75:api.bootstrap(context='cli', debug=options.debug)
install/tools/ipa-nis-manage:118:api.bootstrap(context='cli', debug=options.debug, in_server=True)
install/tools/ipa-replica-manage:1512:api.bootstrap(**api_env)
ipapython/dnssec/ldapkeydb.py:417:ipalib.api.bootstrap(in_server=True, log=None)  # no logging to file
ipaserver/advise/base.py:238:api.bootstrap(in_server=False, context='cli')
ipaserver/advise/base.py:240:advise_api.bootstrap(in_server=False, context='cli')
ipaserver/install/ipa_cacert_manage.py:99:api.bootstrap(in_server=True)
ipaserver/install/ipa_kra_install.py:80:api.bootstrap(in_server=True)
ipaserver/install/ipa_otptoken_import.py:512:api.bootstrap(in_server=True)
ipaserver/install/ipa_replica_prepare.py:183:api.bootstrap(in_server=True)
ipaserver/install/ipa_server_certinstall.py:102:api.bootstrap(in_server=True)
ipatests/test_ipaserver/test_ldap.py:114:myapi.bootstrap(context='cli', in_server=True)
ipatests/test_ipaserver/test_serverroles.py:472:test_api.bootstrap(in_server=True, ldap_uri=api.env.ldap_uri)
lite-server.py:130:(options, args) = api.bootstrap_with_global_options(parser, context='lite')
```
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/280#issuecomment-263513330

[Freeipa-devel] [freeipa PR#266][edited] ipapython: simplify Env object initialization

2016-11-29 Thread jcholast
   URL: https://github.com/freeipa/freeipa/pull/266
Author: jcholast
 Title: #266: ipapython: simplify Env object initialization
Action: edited

 Changed field: body
Original value:
"""
Fully initialize Env objects in Env() instead of having to call their
private methods to complete the initialization later.

Do not use a custom Env instance to determine the debug level to use for the
IPA API object - the IPA API object can properly determine the
configured debug level on its own.

Remove locking and related code from Env as it is never used.
"""


[Freeipa-devel] [freeipa PR#266][comment] ipapython: simplify Env object initialization

2016-11-29 Thread jcholast
  URL: https://github.com/freeipa/freeipa/pull/266
Title: #266: ipapython: simplify Env object initialization

jcholast commented:
"""
Yes, my above comment is wrong (sorry).
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/266#issuecomment-263505232

[Freeipa-devel] [freeipa PR#225][comment] tests: Added basic tests for certs in idoverrides

2016-11-29 Thread apophys
  URL: https://github.com/freeipa/freeipa/pull/225
Title: #225: tests: Added basic tests for certs in idoverrides

apophys commented:
"""
Thank you for the change of the order and using the objectclasses module. There 
are still things I'd like to be changed, though.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/225#issuecomment-263505112

Re: [Freeipa-devel] NTP in FreeIPA

2016-11-29 Thread Petr Spacek
On 29.11.2016 09:11, Jan Cholasta wrote:
> On 28.11.2016 20:57, Rob Crittenden wrote:
>> David Kupka wrote:
>>> On 22/11/16 23:15, Gabe Alford wrote:
>>>> I would say that it is worth keeping in FreeIPA. I know myself and some
>>>> customers use its functionality by having the clients sync to the IPA
>>>> servers and have the servers sync to the NTP source. This way if the NTP
>>>> source ever gets disrupted for long periods of time (which has
>>>> happened in
>>>> my environment) the client time drifts with the authentication source.
>>>> This
>>>> is the way that AD often works and is configured.
>>>
>>> Hello Gabe,
>>> I agree that it's common practice to synchronize all nodes in network
>>> with single source in order to have the same time and save bandwidth.
>>> Also I understand that it's comfortable to let FreeIPA installer take
>>> care of it.
>>> But I don't think FreeIPA should do it IMO this is job for Ansible or
>>> similar tool. Also the problem is that in some situations FreeIPA
>>> installer makes it worse.
>>>
>>> Example:
>>>
>>> 1. Install FreeIPA server (ipa1.example.org)
>>> 2. Install FreeIPA client on all nodes in network
>>> 3. Install replica (ipa2.example.org) of FreeIPA server to increase
>>> redundancy
>>>
>>> Now all the clients have ipa1.example.org as the only server in
>>> /etc/ntp.conf. If the first FreeIPA server becomes unreachable all
>>> clients will be able to contact KDC on the other server thanks to DNS
>>> autodiscovery in libkrb5 but will be unable to synchronize time.
>>
>> Remember that the goal of IPA was to herd together a bunch of software
>> to make hard things easier. This included dealing with the 5-minute
>> Kerberos window so ntp was configured on the client and server (which is
>> less of any issue now).
>>
>> When making changes you have to ask yourself who are you making this
>> easier for: you or the user.
>>
>> Yes, getting NTP right is hard, but does it meet the 80/20 rule in terms
>> of success? I'd think so. I
>>
>> If someone wants to configure it using Ansible they can use the
>> --no-ntp. If they want to use different time servers they can pass in
>> --ntp-server. But by default IMHO it should do something sane to give a
>> good experience.
> 
> I think to do something sane is exactly the point of this, and the sanest
> thing we can do is to not touch NTP configuration at all:
> 
>   * if the NTP configuration obtained via DHCP works, we can't make it any
> better by touching it, only worse,
>   * if the default NTP configuration shipped with the distribution works, we
> again can't make it any better by touching it,
>   * if we are running inside container, time is synchronized by other means
> and we should not touch NTP configuration at all,
>   * if neither the default NTP configuration nor the NTP configuration
> obtained via DHCP works and we are not running inside container, we may
> attempt to fix the configuration, but it will not be permanent and will work
> only for this specific host.
> 
> I think the first 3 points cover 99% of real-life deployments, and yet we are
> optimized towards the remaining 1%, with the potential of breaking the
> configuration for the 99%. This is far from sane IMHO.

+1 for Honza's point.

Current NTP code works only for initial setup and silently breaks
synchronization later on. Most importantly it breaks synchronization as soon
as the admin removes old replicas and replaces them with new ones - there is no
mechanism to update the records in the client configuration (and SRV discovery
is not supported by clients).

I.e. when an admin decommissions the replicas which were around at the time of client
installation, NTP on the client will silently break. This would not happen if
you did not touch it.

(This also implicitly means that IPA-configured NTP is broken on all clients
in topologies which were completely migrated from RHEL 6 to RHEL 7.)

Either DHCP or default distro config would solve the problem better.

Petr^2 Spacek


>> There don't seem to be a ton of NTP tickets and I don't recall a lot of
>> user's pressing for it to go away (the reverse, many times their
>> problems revolve around time not being synced). I wonder if a survey on
>> freeipa-users would be in order to see how hot an issue this really is.



[Freeipa-devel] [freeipa PR#266][comment] ipapython: simplify Env object initialization

2016-11-29 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/266
Title: #266: ipapython: simplify Env object initialization

stlaz commented:
"""
From offline discussion I got that the PR should actually work in the end. I'll 
make the review.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/266#issuecomment-263503377

[Freeipa-devel] [freeipa PR#276][synchronized] replica-conncheck: improve error msg + logging

2016-11-29 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/276
Author: tomaskrizek
 Title: #276: replica-conncheck: improve error msg + logging
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/276/head:pr276
git checkout pr276
From d46e1a38bb65e20439a6772fbba08df7c4fcef11 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Fri, 25 Nov 2016 17:23:29 +0100
Subject: [PATCH 1/2] replica-conncheck: improve error message during
 replicainstall

Replica conncheck may fail for other reasons than network
misconfiguration. For example, an incorrect admin password might be
provided. Since conncheck is run as a separate script in quiet mode,
no insightful error message can be displayed.

https://fedorahosted.org/freeipa/ticket/6497
---
 ipaserver/install/replication.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index ba35c49..35066c2 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -105,7 +105,7 @@ def replica_conn_check(master_host, host_name, realm, check_ca,
 if result.returncode != 0:
 raise ScriptError(
 "Connection check failed!"
-"\nPlease fix your network settings according to error messages above."
+"\nSee /var/log/ipareplica-conncheck.log for more information."
 "\nIf the check results are not valid it can be skipped with --skip-conncheck parameter.")
 else:
 print("Connection check OK")
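Review bot: the new message hardcodes the path `/var/log/ipareplica-conncheck.log`, while the second patch in this series refers to the same file as `paths.IPAREPLICA_CONNCHECK_LOG`; prefer `"\nSee %s for more information." % paths.IPAREPLICA_CONNCHECK_LOG` (importing `paths` in replication.py if it is not already) so the two cannot drift apart. Note also that `logging_setup` in the second patch only sets `log_file` when running as root with `log_to_file`, so in the unprivileged case this hint points at a file that was never written.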

From 916ea2d4e4eb0230a6f371b3d4d83dc055994cc6 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Fri, 25 Nov 2016 17:27:16 +0100
Subject: [PATCH 2/2] replica-conncheck: improve message logging

Make sure all messages displayed on screen to the user can be found
in the log as well. The messages are also logged if the script is run
in quiet mode.

https://fedorahosted.org/freeipa/ticket/6497
---
 install/tools/ipa-replica-conncheck | 97 +++--
 1 file changed, 51 insertions(+), 46 deletions(-)

diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index 7ec1ef8..225a0df 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -47,7 +47,6 @@ from cryptography.hazmat.primitives import serialization
 
 CONNECT_TIMEOUT = 5
 RESPONDERS = [ ]
-QUIET = False
 CCACHE_FILE = None
 KRB5_CONFIG = None
 
@@ -60,7 +59,7 @@ class SshExec(object):
 def __call__(self, command, verbose=False):
 # Bail if ssh is not installed
 if self.cmd is None:
-print("WARNING: ssh not installed, skipping ssh test")
+root_logger.warning("WARNING: ssh not installed, skipping ssh test")
 return ('', '', 0)
 
 tmpf = tempfile.NamedTemporaryFile()
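Review bot: `root_logger.warning("WARNING: ssh not installed, skipping ssh test")` keeps the literal `WARNING:` prefix inside the message, so the log file records the level twice, once from the logger and once from the text. Drop the prefix and let the log level carry it, or add `%(levelname)s` to the `console_format` set in `logging_setup` if the on-screen prefix is wanted.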
@@ -108,10 +107,6 @@ BASE_PORTS = [
  ]
 
 
-def print_info(msg):
-if not QUIET:
-print(msg)
-
 def parse_options():
 def ca_cert_file_callback(option, opt, value, parser):
 if not os.path.exists(value):
@@ -205,10 +200,6 @@ def parse_options():
 if not options.hostname:
 options.hostname = socket.getfqdn()
 
-if options.quiet:
-global QUIET
-QUIET = True
-
 return safe_options, options
 
 def logging_setup(options):
@@ -217,7 +208,8 @@ def logging_setup(options):
 if os.getegid() == 0 and options.log_to_file:
 log_file = paths.IPAREPLICA_CONNCHECK_LOG
 
-standard_logging_setup(log_file, debug=options.debug)
+standard_logging_setup(log_file, verbose=(not options.quiet),
+   debug=options.debug, console_format='%(message)s')
 
 def clean_responders(responders):
 if not responders:
@@ -328,13 +320,14 @@ def port_check(host, port_list):
 else:
 ports_failed.append(port)
 result = "FAILED"
-print_info("   %s (%d): %s" % (port.description, port.port, result))
+root_logger.info("   %s (%d): %s" % (port.description, port.port, result))
 
 if ports_udp_warning:
-print("The following UDP ports could not be verified as open: %s" \
-% ", ".join(str(port.port) for port in ports_udp_warning))
-print("This can happen if they are already bound to an application")
-print("and ipa-replica-conncheck cannot attach own UDP responder.")
+root_logger.warning(
+("The following UDP ports could not be verified as open: %s\n"
+ "This can happen if they are already bound to an application\n"
+ "and ipa-replica-conncheck cannot attach own UDP responder.")
+% ", ".join(str(port.port) for port in ports_udp_warning))
 
 if ports_failed:
 msg_ports = []
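Review bot: both new logging calls format with `%` before handing the string to the logger (`root_logger.info("..." % (...))` and `root_logger.warning((...) % ", ".join(...))`); passing the values as logger arguments instead, e.g. `root_logger.info("   %s (%d): %s", port.description, port.port, result)`, defers formatting and avoids a second `%` interpretation should a value ever contain a percent sign. The three-line warning is otherwise correct: the trailing `%` applies to the whole parenthesised literal.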
@@ -362,29 +355,34 @@ def main():
   "PKI-CA: Directory Service port"))
 
 if options.replica:
-print_info("Check connection

Re: [Freeipa-devel] NTP in FreeIPA

2016-11-29 Thread Jan Cholasta

On 28.11.2016 20:57, Rob Crittenden wrote:
> David Kupka wrote:
>> On 22/11/16 23:15, Gabe Alford wrote:
>>> I would say that it is worth keeping in FreeIPA. I know myself and some
>>> customers use its functionality by having the clients sync to the IPA
>>> servers and have the servers sync to the NTP source. This way if the NTP
>>> source ever gets disrupted for long periods of time (which has
>>> happened in
>>> my environment) the client time drifts with the authentication source.
>>> This
>>> is the way that AD often works and is configured.
>>
>> Hello Gabe,
>> I agree that it's common practice to synchronize all nodes in network
>> with single source in order to have the same time and save bandwidth.
>> Also I understand that it's comfortable to let FreeIPA installer take
>> care of it.
>> But I don't think FreeIPA should do it IMO this is job for Ansible or
>> similar tool. Also the problem is that in some situations FreeIPA
>> installer makes it worse.
>>
>> Example:
>>
>> 1. Install FreeIPA server (ipa1.example.org)
>> 2. Install FreeIPA client on all nodes in network
>> 3. Install replica (ipa2.example.org) of FreeIPA server to increase
>> redundancy
>>
>> Now all the clients have ipa1.example.org as the only server in
>> /etc/ntp.conf. If the first FreeIPA server becomes unreachable all
>> clients will be able to contact KDC on the other server thanks to DNS
>> autodiscovery in libkrb5 but will be unable to synchronize time.
>
> Remember that the goal of IPA was to herd together a bunch of software
> to make hard things easier. This included dealing with the 5-minute
> Kerberos window so ntp was configured on the client and server (which is
> less of any issue now).
>
> When making changes you have to ask yourself who are you making this
> easier for: you or the user.
>
> Yes, getting NTP right is hard, but does it meet the 80/20 rule in terms
> of success? I'd think so. I
>
> If someone wants to configure it using Ansible they can use the
> --no-ntp. If they want to use different time servers they can pass in
> --ntp-server. But by default IMHO it should do something sane to give a
> good experience.

I think to do something sane is exactly the point of this, and the 
sanest thing we can do is to not touch NTP configuration at all:

  * if the NTP configuration obtained via DHCP works, we can't make it 
any better by touching it, only worse,
  * if the default NTP configuration shipped with the distribution 
works, we again can't make it any better by touching it,
  * if we are running inside container, time is synchronized by other 
means and we should not touch NTP configuration at all,
  * if neither the default NTP configuration nor the NTP configuration 
obtained via DHCP works and we are not running inside container, we may 
attempt to fix the configuration, but it will not be permanent and will 
work only for this specific host.

I think the first 3 points cover 99% of real-life deployments, and yet 
we are optimized towards the remaining 1%, with the potential of 
breaking the configuration for the 99%. This is far from sane IMHO.

> There don't seem to be a ton of NTP tickets and I don't recall a lot of
> user's pressing for it to go away (the reverse, many times their
> problems revolve around time not being synced). I wonder if a survey on
> freeipa-users would be in order to see how hot an issue this really is.
>
> rob

--
Jan Cholasta
