[Freeipa-devel] [freeipa PR#355][synchronized] Set up DS TLS on replica in CA-less topology
URL: https://github.com/freeipa/freeipa/pull/355 Author: frasertweedale Title: #355: Set up DS TLS on replica in CA-less topology Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/355/head:pr355 git checkout pr355 From 9e2e1fb71a6ef34cab56206346dc193305d71d82 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 20 Dec 2016 23:29:22 +1000 Subject: [PATCH] Set up DS TLS on replica in CA-less topology Fixes: https://fedorahosted.org/freeipa/ticket/6226 --- ipaserver/install/dsinstance.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index bcfcb05..2ac1041 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -390,7 +390,9 @@ def create_replica(self, realm_name, master_fqdn, fqdn, self.step("creating DS keytab", self._request_service_keytab) if self.promote: -if self.ca_is_configured: +if self.pkcs12_info: +self.step("configuring ssl for ds instance", self.__enable_ssl) +else: self.step("retrieving DS Certificate", self.__get_ds_cert) self.step("restarting directory server", self.__restart_instance) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
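Review bot: in the `create_replica` hunk the `ca_is_configured` guard is dropped rather than narrowed, so a promoted replica with no `pkcs12_info` now always schedules the `retrieving DS Certificate` step, including in a topology where no CA is configured at all. If that combination cannot occur it deserves a comment saying so; otherwise keep the guard as `elif self.ca_is_configured:` so `__get_ds_cert` is not attempted against a CA that does not exist.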
[Freeipa-devel] [freeipa PR#359][comment] dogtag: search past the first 100 certificates
URL: https://github.com/freeipa/freeipa/pull/359
Title: #359: dogtag: search past the first 100 certificates

frasertweedale commented:
"""
This change is working for me, including having the expected behaviour for WebUI.

@tomaskrizek please provide steps to reproduce your WebUI behaviour.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/359#issuecomment-268710308
[Freeipa-devel] [freeipa PR#355][synchronized] Set up DS TLS on replica in CA-less topology
URL: https://github.com/freeipa/freeipa/pull/355 Author: frasertweedale Title: #355: Set up DS TLS on replica in CA-less topology Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/355/head:pr355 git checkout pr355 From 34ca89d344c623432dfec1bb04f4776cd9546eb6 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 20 Dec 2016 23:29:22 +1000 Subject: [PATCH] Set up DS TLS on replica in CA-less topology Fixes: https://fedorahosted.org/freeipa/ticket/6226 --- ipaserver/install/dsinstance.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index bcfcb05..2ac1041 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -390,7 +390,9 @@ def create_replica(self, realm_name, master_fqdn, fqdn, self.step("creating DS keytab", self._request_service_keytab) if self.promote: -if self.ca_is_configured: +if self.pkcs12_info: +self.step("configuring ssl for ds instance", self.__enable_ssl) +else: self.step("retrieving DS Certificate", self.__get_ds_cert) self.step("restarting directory server", self.__restart_instance) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA
URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA

mbasti-rh commented:
"""
I would like to review this as well, so removing ACK to prevent pushing this to master
"""

See the full comment at https://github.com/freeipa/freeipa/pull/317#issuecomment-268577216
[Freeipa-devel] [freeipa PR#317][-ack] Unify password generation across FreeIPA
URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA
Label: -ack
[Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA
URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA

pspacek commented:
"""
Works for me, server installation including DNSSEC worked fine.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/317#issuecomment-268575899
[Freeipa-devel] [freeipa PR#317][+ack] Unify password generation across FreeIPA
URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA
Label: +ack
[Freeipa-devel] [freeipa PR#355][comment] Set up DS TLS on replica in CA-less topology
URL: https://github.com/freeipa/freeipa/pull/355
Title: #355: Set up DS TLS on replica in CA-less topology

mbasti-rh commented:
"""
> @tomaskrizek FYI, the current documentation states that ipa-certupdate must
> be run after ipa-ca-install (see
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/CA-less-to-CA.html).

Bad UX, please open an RFE ticket for ipa-ca-install to execute certupdate automatically when needed
"""

See the full comment at https://github.com/freeipa/freeipa/pull/355#issuecomment-268561239
[Freeipa-devel] [freeipa PR#299][closed] Remove "Request Certificate with SubjectAltName" permission
URL: https://github.com/freeipa/freeipa/pull/299
Author: frasertweedale
Title: #299: Remove "Request Certificate with SubjectAltName" permission
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/299/head:pr299
git checkout pr299
[Freeipa-devel] [freeipa PR#299][comment] Remove "Request Certificate with SubjectAltName" permission
URL: https://github.com/freeipa/freeipa/pull/299
Title: #299: Remove "Request Certificate with SubjectAltName" permission

martbab commented:
"""
Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/bdbb1c34a2f5ef864cd3a943dcd047cde20de681
"""

See the full comment at https://github.com/freeipa/freeipa/pull/299#issuecomment-268560529
[Freeipa-devel] [freeipa PR#299][+pushed] Remove "Request Certificate with SubjectAltName" permission
URL: https://github.com/freeipa/freeipa/pull/299
Title: #299: Remove "Request Certificate with SubjectAltName" permission
Label: +pushed
[Freeipa-devel] [freeipa PR#299][+ack] Remove "Request Certificate with SubjectAltName" permission
URL: https://github.com/freeipa/freeipa/pull/299
Title: #299: Remove "Request Certificate with SubjectAltName" permission
Label: +ack
[Freeipa-devel] [freeipa PR#361][opened] This PR implements a number of improvements for our Travis CI:
URL: https://github.com/freeipa/freeipa/pull/361 Author: martbab Title: #361: This PR implements a number of improvements for our Travis CI: Action: opened PR body: """ * split out the test runner part into a standalone script, .travis.yml should now only define test matrix, set environment variables and process output after failure * mark the project as Python one, implement support for running builds using different python version (future-proofing against incoming Python2/3 CI) and cache job dependencies * use separate job for pep8/linters. This shaves off ca 6-8 minutes from overall build time. You should get CI results in 26 min compared to previous 33 min """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/361/head:pr361 git checkout pr361 From a59ecbc489393ad9d509bd4718ffb87e3197c355 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Tue, 20 Dec 2016 10:11:20 +0100 Subject: [PATCH 1/8] Bump up ipa-docker-test-runner version --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index e870213..c32c5d7 100644 --- a/.travis.yml +++ b/.travis.yml @@ -18,7 +18,7 @@ before_install: - pip install pep8 - > pip3 install - git+https://github.com/freeipa/ipa-docker-test-runner@release-0-2-0 + git+https://github.com/freeipa/ipa-docker-test-runner@release-0-2-1 script: - > From ab0c72c08bf222c3903c6681d562284169aa2f02 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Tue, 20 Dec 2016 15:47:31 +0100 Subject: [PATCH 2/8] travis: mark FreeIPA as python project --- .travis.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.travis.yml b/.travis.yml index c32c5d7..2855bf2 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,3 +1,4 @@ +language: python services: - docker From 0a8de3a9758459c1aab64fa475771694e3c869ff Mon Sep 17 00:00:00 2001 
From: Martin Babinsky Date: Tue, 20 Dec 2016 16:01:00 +0100 Subject: [PATCH 3/8] Put the commands informing and displaying build logs on single line This prevents Travis log collector to add separate expansion marks to the echo output and the actuall log output. --- .travis.yml | 6 ++ 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/.travis.yml b/.travis.yml index 2855bf2..28f481f 100644 --- a/.travis.yml +++ b/.travis.yml @@ -39,7 +39,5 @@ script: --git-repo ${TRAVIS_BUILD_DIR} run-tests $test_set after_failure: - - echo "Test runner output:" - - tail -n 5000 ci_results_${TRAVIS_BRANCH}.log - - echo "PEP-8 errors:" - - cat pep8_errors.log +- echo "Test runner output:"; tail -n 5000 ci_results_${TRAVIS_BRANCH}.log +- echo "PEP-8 errors:"; cat pep8_errors.log From 8172ea91f1e23cfe16e5d6962a67c51e7a778af7 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Tue, 20 Dec 2016 15:55:55 +0100 Subject: [PATCH 4/8] Travis CI: a separate script to run test tasks this script is intended only for use in Travis CI and contains configuration of the test run requested: * it can run linter step separately by specifying TASK_TO_RUN="lint" environment variable in .travis.yml. In this case it also runs pep8 checker on the commits in PR. * other steps are run in developer mode in order to skip pylint run and speed up the task * in all cases the CI result log is populated and can be displayed if the job fails --- .travis_run_task.sh | 34 ++ 1 file changed, 34 insertions(+) create mode 100755 .travis_run_task.sh diff --git a/.travis_run_task.sh b/.travis_run_task.sh new file mode 100755 index 000..2163a9b --- /dev/null +++ b/.travis_run_task.sh 
@@ -0,0 +1,34 @@ +#!/bin/bash + +# NOTE: this script is intended to run in Travis CI only +set -ev + +test_set="" +developer_mode_opt="--developer-mode" + +if [[ "$TASK_TO_RUN" == "lint" ]] +then +if [[ "$TRAVIS_EVENT_TYPE" == "pull_request" ]] +then +git diff origin/$TRAVIS_BRANCH -U0 | pep8 --diff &> $PEP8_ERROR_LOG ||: +fi + +# disable developer mode for lint task, otherwise we get an error +developer_mode_opt="" +fi + +if [[ -n "$TESTS_TO_RUN" ]] +then +pushd ipatests +test_set=`ls -d -1 $TESTS_TO_RUN 2> /dev/null | tr '\n' ' '` +popd +fi + +docker pull $TEST_RUNNER_IMAGE + +ipa-docker-test-runner -l $CI_RESULTS_LOG \ +-c $TEST_RUNNER_CONFIG \ +$developer_mode_opt \ +--container-image $TEST_RUNNER_IMAGE \ +--git-repo $TRAVIS_BUILD_DIR \ +$TASK_TO_RUN $test_set From 549b439956f063350ff8b31cc7829a4e973bc312 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Tue, 20 Dec 2016 16:03:25 +0100 Subject: [PATCH 5/8] Travis: offload test execution to a separate script --- .travis.yml | 17 + 1 file changed, 1 insertion(+), 16 deletions(-) diff --git a/.travis.yml b/.travis.yml index 28f481f..8692dd7 100644 --- a/.travis.yml +++ b/.travis.yml @@ -22,22 +22,7 @@
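Review bot: the `.travis.yml` hunk in patch 1/8 still installs the test runner with `pip3 install git+https://github.com/freeipa/ipa-docker-test-runner@release-0-2-1`, which pins a mutable git tag rather than a commit; pinning the commit hash behind the tag (or a checksummed release artifact) keeps the CI toolchain reproducible and stops a moved tag from silently changing what every build runs.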
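Review bot: `.travis_run_task.sh` in patch 4/8 relies on `PEP8_ERROR_LOG`, `TESTS_TO_RUN`, `TEST_RUNNER_IMAGE`, `CI_RESULTS_LOG` and `TEST_RUNNER_CONFIG` being exported by `.travis.yml`, but never checks them and expands them unquoted; with `set -ev` alone an unset `$TEST_RUNNER_CONFIG` or `$CI_RESULTS_LOG` simply vanishes from the `ipa-docker-test-runner` argument list and surfaces later as a confusing option error. Adding `-u` to the `set` line and quoting the expansions that must never be empty (`-c "$TEST_RUNNER_CONFIG"`, `-l "$CI_RESULTS_LOG"`) makes the script fail at the missing variable instead; the header comment should also list the variables the script expects from its environment.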
[Freeipa-devel] [freeipa PR#355][comment] Set up DS TLS on replica in CA-less topology
URL: https://github.com/freeipa/freeipa/pull/355
Title: #355: Set up DS TLS on replica in CA-less topology

flo-renaud commented:
"""
@tomaskrizek FYI, the current documentation states that ipa-certupdate must be run after ipa-ca-install (see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/CA-less-to-CA.html).
"""

See the full comment at https://github.com/freeipa/freeipa/pull/355#issuecomment-268541323
[Freeipa-devel] [freeipa PR#317][synchronized] Unify password generation across FreeIPA
URL: https://github.com/freeipa/freeipa/pull/317 Author: stlaz Title: #317: Unify password generation across FreeIPA Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/317/head:pr317 git checkout pr317 From bfde1323888d15bd8aa975e9513fea829cb19de9 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Tue, 6 Dec 2016 09:05:42 +0100 Subject: [PATCH 1/2] Unify password generation across FreeIPA Also had to recalculate entropy of the passwords as originally, probability of generating each character was 1/256, however the default probability of each character in the ipa_generate_password is 1/95 (1/94 for first and last character). https://fedorahosted.org/freeipa/ticket/5695 --- ipaserver/install/certs.py | 8 ++-- ipaserver/install/dogtaginstance.py| 3 +-- ipaserver/install/dsinstance.py| 5 + ipaserver/install/httpinstance.py | 5 ++--- ipaserver/install/server/replicainstall.py | 3 +-- ipaserver/secrets/store.py | 2 +- 6 files changed, 8 insertions(+), 18 deletions(-) diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py index 45602ba..198c43d 100644 --- a/ipaserver/install/certs.py +++ b/ipaserver/install/certs.py @@ -25,7 +25,6 @@ import xml.dom.minidom import pwd import base64 -from hashlib import sha1 import fcntl import time import datetime @@ -159,9 +158,6 @@ def set_perms(self, fname, write=False, uid=None): perms |= stat.S_IWUSR os.chmod(fname, perms) -def gen_password(self): -return sha1(ipautil.ipa_generate_password()).hexdigest() - def run_certutil(self, args, stdin=None, **kwargs): return self.nssdb.run_certutil(args, stdin, **kwargs) @@ -177,7 +173,7 @@ def create_noise_file(self): if ipautil.file_exists(self.noise_fname): os.remove(self.noise_fname) f = open(self.noise_fname, "w") -f.write(self.gen_password()) +f.write(ipautil.ipa_generate_password(pwd_len=25)) self.set_perms(self.noise_fname) def create_passwd_file(self, passwd=None): 
@@ -186,7 +182,7 @@ def create_passwd_file(self, passwd=None): if passwd is not None: f.write("%s\n" % passwd) else: -f.write(self.gen_password()) +f.write(ipautil.ipa_generate_password(pwd_len=25)) f.close() self.set_perms(self.passwd_fname) diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py index f4856c7..dc4b5b0 100644 --- a/ipaserver/install/dogtaginstance.py +++ b/ipaserver/install/dogtaginstance.py @@ -18,7 +18,6 @@ # import base64 -import binascii import ldap import os import shutil @@ -428,7 +427,7 @@ def __add_admin_to_group(self, group): def setup_admin(self): self.admin_user = "admin-%s" % self.fqdn -self.admin_password = binascii.hexlify(os.urandom(16)) +self.admin_password = ipautil.ipa_generate_password(pwd_len=20) self.admin_dn = DN(('uid', self.admin_user), ('ou', 'people'), ('o', 'ipaca')) diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 1be5ac7..09708dc 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -506,7 +506,7 @@ def __setup_sub_dict(self): idrange_size = None self.sub_dict = dict(FQDN=self.fqdn, SERVERID=self.serverid, PASSWORD=self.dm_password, - RANDOM_PASSWORD=self.generate_random(), + RANDOM_PASSWORD=ipautil.ipa_generate_password(), SUFFIX=self.suffix, REALM=self.realm, USER=DS_USER, SERVER_ROOT=server_root, DOMAIN=self.domain, @@ -773,9 +773,6 @@ def __host_nis_groups(self): def __add_enrollment_module(self): self._ldap_mod("enrollment-conf.ldif", self.sub_dict) -def generate_random(self): -return ipautil.ipa_generate_password() - def __enable_ssl(self): dirname = config_dirname(self.serverid) dsdb = certs.CertDB(self.realm, nssdir=dirname, subject_base=self.subject_base) diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 15c3107..9fdb5a8 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py 
@@ -19,7 +19,6 @@ from __future__ import print_function -import binascii import os import os.path import pwd @@ -314,9 +313,9 @@ def create_cert_db(self): ipautil.backup_file(nss_path) # Create the password file for this db -hex_str = binascii.hexlify(os.urandom(10)) +password = ipautil.ipa_generate_password(pwd_len=15) f = os.open(pwd_file, os.O_CREAT | os.O_RDWR) -os.write(f, hex_str) +os.write(f, passw
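Review bot: in the `dogtaginstance.py` hunk `setup_admin` moves from a hex string to `ipa_generate_password(pwd_len=20)`, which by the commit message draws every character from a 95-character alphabet, so the CA admin password can now contain quotes, backslashes, `%`, `$` and similar; the old hex value could be spliced into configuration files and command lines without escaping, the new one cannot. Either confirm that every consumer of `self.admin_password` quotes or escapes it, or restrict the alphabet at this call site.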
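Review bot: in the `httpinstance.py` hunk `create_cert_db` replaces `hex_str`, the `bytes` result of `binascii.hexlify`, with the return value of `ipa_generate_password`, and the `os.write(f, ...)` line that follows is cut off in this message; `os.write` requires `bytes` on Python 3, so if `ipa_generate_password` returns text the value has to be encoded before it is written to the password file.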
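The entropy accounting the commit message refers to, as an added example that is not FreeIPA's code: it assumes the distribution the message describes (95 printable ASCII characters per position, 94 at the first and last position) and a constructed table of the call sites changed in the patch, and checks that each new `pwd_len` carries at least the entropy of the value it replaced.

```python
import math
import secrets

# Assumed alphabet, matching the 1/95 and 1/94 figures in the commit message: every
# printable ASCII character (0x20-0x7E) in the middle, the same set minus the space
# at the first and last position.
ALPHABET = "".join(chr(c) for c in range(0x20, 0x7F))  # 95 characters
EDGE_ALPHABET = ALPHABET[1:]                            # 94, no leading/trailing space


def generate_password(pwd_len):
    """Password with the assumed distribution, drawn from the OS CSPRNG via secrets."""
    if pwd_len < 1:
        raise ValueError("pwd_len must be positive")
    return "".join(secrets.choice(EDGE_ALPHABET if i in (0, pwd_len - 1) else ALPHABET)
                   for i in range(pwd_len))


def password_entropy_bits(pwd_len):
    """Entropy in bits of a uniformly generated password of pwd_len characters."""
    if pwd_len < 1:
        raise ValueError("pwd_len must be positive")
    edge_positions = min(pwd_len, 2)
    return (edge_positions * math.log2(len(EDGE_ALPHABET))
            + (pwd_len - edge_positions) * math.log2(len(ALPHABET)))


def urandom_hex_entropy_bits(nbytes):
    """binascii.hexlify(os.urandom(n)) is 2n characters long but carries only 8n random bits."""
    return 8 * nbytes


def min_pwd_len_for_bits(bits):
    """Smallest pwd_len whose entropy reaches the requested number of bits."""
    pwd_len = 1
    while password_entropy_bits(pwd_len) < bits:
        pwd_len += 1
    return pwd_len


# Constructed table of the call sites changed in this patch:
# (where, entropy of the replaced value in bits, new pwd_len).
# The sha1 hexdigest in certs.py is 40 hex characters but carries at most 160 bits.
CALL_SITES = [
    ("dogtaginstance.setup_admin: hexlify(os.urandom(16))", urandom_hex_entropy_bits(16), 20),
    ("httpinstance.create_cert_db: hexlify(os.urandom(10))", urandom_hex_entropy_bits(10), 15),
    ("certs.CertDB noise and password files: sha1(...).hexdigest()", 160, 25),
]


def audit_call_sites(call_sites=CALL_SITES):
    """Return (site, old_bits, new_bits, keeps_entropy) per call site; keeps_entropy is
    True when the new pwd_len yields at least as much entropy as the value it replaced."""
    rows = []
    for site, old_bits, pwd_len in call_sites:
        new_bits = password_entropy_bits(pwd_len)
        rows.append((site, old_bits, round(new_bits, 1), new_bits >= old_bits))
    return rows


if __name__ == "__main__":
    for site, old_bits, new_bits, ok in audit_call_sites():
        print("%-62s %5d -> %6.1f bits  %s" % (site, old_bits, new_bits, "ok" if ok else "WEAKER"))
    print("shortest pwd_len that matches 128 bits:", min_pwd_len_for_bits(128))
    print("sample password:", generate_password(20))
```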
[Freeipa-devel] [freeipa PR#359][comment] dogtag: search past the first 100 certificates
URL: https://github.com/freeipa/freeipa/pull/359
Title: #359: dogtag: search past the first 100 certificates

tomaskrizek commented:
"""
With this fix, more than 100 certificates are displayed and clickable from WebUI overview. However, I'm still getting an error message pop up saying
```
Search result has been truncated: Configured size limit exceeded
```
And there is also this message at the bottom of the page:
```
Query returned more results than the configured size limit. Displaying the first 110 results.
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/359#issuecomment-268535538
[Freeipa-devel] [freeipa PR#360][opened] x509: use PyASN1 to parse PKCS#7
URL: https://github.com/freeipa/freeipa/pull/360 Author: jcholast Title: #360: x509: use PyASN1 to parse PKCS#7 Action: opened PR body: """ Use PyASN1 with the PKCS#7 definitions from `pyasn1_modules` to parse PKCS#7 in `pkcs7_to_pems()` instead of calling `openssl pkcs7` in a subprocess. https://fedorahosted.org/freeipa/ticket/6550 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/360/head:pr360 git checkout pr360 From e795b5d53d1a58ea1247668e13be9b45e0652298 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Wed, 21 Dec 2016 14:05:57 +0100 Subject: [PATCH] x509: use PyASN1 to parse PKCS#7 Use PyASN1 with the PKCS#7 definitions from `pyasn1_modules` to parse PKCS#7 in `pkcs7_to_pems()` instead of calling `openssl pkcs7` in a subprocess. https://fedorahosted.org/freeipa/ticket/6550 --- ipalib/x509.py | 48 +++- 1 file changed, 31 insertions(+), 17 deletions(-) diff --git a/ipalib/x509.py b/ipalib/x509.py index 851af5a..13327c1 100644 --- a/ipalib/x509.py +++ b/ipalib/x509.py @@ -42,21 +42,13 @@ import cryptography.x509 from pyasn1.type import univ, char, namedtype, tag from pyasn1.codec.der import decoder, encoder -from pyasn1_modules import rfc2459 +from pyasn1_modules import rfc2315, rfc2459 import six from ipalib import api from ipalib import util from ipalib import errors from ipapython.dn import DN -from ipapython import ipautil - -try: -from ipaplatform.paths import paths -except ImportError: -OPENSSL = '/usr/bin/openssl' -else: -OPENSSL = paths.OPENSSL if six.PY3: unicode = str 
@@ -160,16 +152,38 @@ def pkcs7_to_pems(data, datatype=PEM): Extract certificates from a PKCS #7 object. Return a ``list`` of X.509 PEM strings. +""" +if datatype == PEM: +match = re.match( +r'-BEGIN PKCS7-(.*?)-END PKCS7-', +data, +re.DOTALL) +if not match: +raise ValueError("not a valid PKCS#7 PEM") -May throw ``ipautil.CalledProcessError`` on invalid data. +data = base64.b64decode(match.group(1)) -""" -cmd = [ -OPENSSL, "pkcs7", "-print_certs", -"-inform", "PEM" if datatype == PEM else "DER", -] -result = ipautil.run(cmd, stdin=data, capture_output=True) -return PEM_REGEX.findall(result.output) +content_info, tail = decoder.decode(data, rfc2315.ContentInfo()) +if tail: +raise ValueError("not a valid PKCS#7 message") + +if content_info['contentType'] != rfc2315.signedData: +raise ValueError("not a PKCS#7 signed data message") + +signed_data, tail = decoder.decode(bytes(content_info['content']), + rfc2315.SignedData()) +if tail: +raise ValueError("not a valid PKCS#7 signed data message") + +result = [] + +for certificate in signed_data['certificates']: +certificate = encoder.encode(certificate) +certificate = base64.b64encode(certificate) +certificate = make_pem(certificate) +result.append(certificate) + +return result def is_self_signed(certificate, datatype=PEM): -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
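Review bot: in the `pkcs7_to_pems` hunk the loop `for certificate in signed_data['certificates']` encodes each element as is, but the element type is the CHOICE `ExtendedCertificateOrCertificate`, so an `extendedCertificate` entry would be re-encoded and wrapped by `make_pem` as though it were an X.509 certificate; check the selected alternative (for example `certificate.getName() == 'certificate'`) and skip or reject the others. Two smaller points in the same hunk: `re.match` anchors at the start of `data`, so any text before the `BEGIN PKCS7` line now raises `ValueError` where the old `openssl pkcs7` call tolerated it (use `re.search` if that tolerance should stay), and the docstring lost its exception note while the function now raises `ValueError` itself and lets `pyasn1.error.PyAsn1Error` from `decoder.decode` escape; both should be documented.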
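The walk the PR describes (ContentInfo, then SignedData, then its certificates set) as an added example that is not FreeIPA's code: it performs the same extraction with a small hand-written DER reader instead of pyasn1 and `pyasn1_modules.rfc2315`, searches for the PEM armour instead of anchoring at offset 0, and skips the extendedCertificate alternative of the CHOICE; the PKCS#7 input is constructed inline from placeholder certificate bodies rather than real certificates.

```python
import base64
import re

# DER content octets of OID 1.2.840.113549.1.7.2 (pkcs7-signedData); pkcs7-data is ...1.7.1.
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")
OID_DATA = OID_SIGNED_DATA[:-1] + b"\x01"
# Searched rather than matched at offset 0, so text before the armour is tolerated.
PKCS7_PEM_RE = re.compile(r"-----BEGIN PKCS7-----(.*?)-----END PKCS7-----", re.DOTALL)


def der_encode(tag, body):
    """One DER TLV; long-form length when the body is 128 bytes or more."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nbytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nbytes)]) + nbytes + body


def der_read(buf, pos):
    """Decode the TLV at buf[pos] into (tag, value, end); indefinite lengths are rejected."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    elif first == 0x80:
        raise ValueError("indefinite length is not DER")
    else:
        count = first & 0x7F
        if pos + count > len(buf):
            raise ValueError("truncated DER length")
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:end], end


def der_children(body):
    """Raw encodings of the elements of a constructed value, in order."""
    out, pos = [], 0
    while pos < len(body):
        _, _, end = der_read(body, pos)
        out.append(body[pos:end])
        pos = end
    return out


def pkcs7_certificates(der):
    """DER of every X.509 certificate carried in a PKCS#7 SignedData; ValueError otherwise."""
    tag, content_info, end = der_read(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a valid PKCS#7 message")
    # ContentInfo ::= SEQUENCE { contentType OBJECT IDENTIFIER, content [0] EXPLICIT ANY }
    fields = der_children(content_info)
    if len(fields) != 2 or der_read(fields[0], 0)[:2] != (0x06, OID_SIGNED_DATA):
        raise ValueError("not a PKCS#7 signed data message")
    tag, wrapped, _ = der_read(fields[1], 0)
    if tag != 0xA0:
        raise ValueError("not a valid PKCS#7 message")
    tag, signed_data, _ = der_read(wrapped, 0)
    if tag != 0x30:
        raise ValueError("not a valid PKCS#7 signed data message")
    # SignedData ::= SEQUENCE { version, digestAlgorithms, contentInfo,
    #   certificates [0] IMPLICIT SET OPTIONAL, crls [1] IMPLICIT SET OPTIONAL, signerInfos }
    certs = []
    for field in der_children(signed_data)[3:]:
        tag, body, _ = der_read(field, 0)
        if tag != 0xA0:
            continue  # crls or signerInfos
        for entry in der_children(body):
            # Elements are the CHOICE ExtendedCertificateOrCertificate: only the plain
            # Certificate alternative (universal SEQUENCE, 0x30) is an X.509 certificate.
            if entry[0] == 0x30:
                certs.append(entry)
    return certs


def pkcs7_to_pems(data):
    """PEM-armoured PKCS#7 text in, list of X.509 PEM strings out."""
    match = PKCS7_PEM_RE.search(data)
    if not match:
        raise ValueError("not a valid PKCS#7 PEM")
    pems = []
    for cert in pkcs7_certificates(base64.b64decode(match.group(1))):
        b64 = base64.b64encode(cert).decode("ascii")
        body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        pems.append("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body)
    return pems


def build_sample_pkcs7(cert_bodies, with_extended=False):
    """Constructed sample, not real data: a SignedData with no signers whose certificates
    set holds placeholder SEQUENCEs standing in for X.509 certificates."""
    entries = [der_encode(0x30, body) for body in cert_bodies]
    if with_extended:  # an extendedCertificate [0] alternative a parser must not emit as X.509
        entries.append(der_encode(0xA0, der_encode(0x02, b"\x00")))
    signed_data = der_encode(0x30, b"".join([
        der_encode(0x02, b"\x01"),                     # version 1
        der_encode(0x31, b""),                         # digestAlgorithms: empty SET
        der_encode(0x30, der_encode(0x06, OID_DATA)),  # contentInfo: pkcs7-data, no content
        der_encode(0xA0, b"".join(entries)),           # certificates [0] IMPLICIT SET
        der_encode(0x31, b""),                         # signerInfos: empty SET
    ]))
    content_info = der_encode(0x30, der_encode(0x06, OID_SIGNED_DATA) + der_encode(0xA0, signed_data))
    return "-----BEGIN PKCS7-----\n%s\n-----END PKCS7-----\n" % base64.b64encode(content_info).decode("ascii")
```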
[Freeipa-devel] [freeipa PR#358][comment] Use the tar Posix option for tarballs
URL: https://github.com/freeipa/freeipa/pull/358
Title: #358: Use the tar Posix option for tarballs

martbab commented:
"""
Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/2bc01ec5b4a91a805912bdada429a91ab08ed196
"""

See the full comment at https://github.com/freeipa/freeipa/pull/358#issuecomment-268527981
[Freeipa-devel] [freeipa PR#358][closed] Use the tar Posix option for tarballs
URL: https://github.com/freeipa/freeipa/pull/358
Author: simo5
Title: #358: Use the tar Posix option for tarballs
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/358/head:pr358
git checkout pr358
[Freeipa-devel] [freeipa PR#358][+pushed] Use the tar Posix option for tarballs
URL: https://github.com/freeipa/freeipa/pull/358
Title: #358: Use the tar Posix option for tarballs
Label: +pushed
[Freeipa-devel] [freeipa PR#358][+ack] Use the tar Posix option for tarballs
URL: https://github.com/freeipa/freeipa/pull/358
Title: #358: Use the tar Posix option for tarballs
Label: +ack
[Freeipa-devel] [freeipa PR#358][comment] Use the tar Posix option for tarballs
URL: https://github.com/freeipa/freeipa/pull/358
Title: #358: Use the tar Posix option for tarballs
pspacek commented:
"""
Thanks, ACK!
"""
See the full comment at https://github.com/freeipa/freeipa/pull/358#issuecomment-268527273
[Freeipa-devel] [freeipa PR#355][comment] Set up DS TLS on replica in CA-less topology
URL: https://github.com/freeipa/freeipa/pull/355
Title: #355: Set up DS TLS on replica in CA-less topology
tomaskrizek commented:
"""
I've tested the following use cases:

- CA-less replica promotion domlvl1: *ldapssl running*; but the following behaviour is present:

  If `ipa-ca-install` is executed on replica, it finishes. But next `ipa-ca-install`, i.e. on master, will fail with CA did not start after 300 seconds. Relevant parts of pki and dirsrv logs:

  ```
  [21/Dec/2016:12:43:46][localhost-startStop-1]: SSL handshake happened
  Could not connect to LDAP server host vm-058-045.abc.idm.lab.eng.brq.redhat.com port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
  ---
  [21/Dec/2016:12:43:46.640540945 +0100] conn=4 fd=66 slot=66 SSL connection from 10.34.58.45 to 10.34.58.45
  [21/Dec/2016:12:43:46.653170560 +0100] conn=4 TLS1.2 128-bit AES
  [21/Dec/2016:12:43:46.665708312 +0100] conn=4 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
  [21/Dec/2016:12:43:46.667668986 +0100] conn=4 op=0 RESULT err=48 tag=97 nentries=0 etime=0
  ```

  The same behavior is present when `ipa-ca-install` is first installed on master and then on replica. Basically, the second `ipa-ca-install` will fail. Running `ipa-certupdate` on the second server fixes the issue. This seems to be a separate issue, so I will file a bug for this.

- CA-full replica promotion domlvl1: *ldapssl running*
- CA-less replica installation domlvl0: *ldapssl running*
- CA-full replica installation domlvl0: *ldapssl running*

The fix seems to properly start the ldapssl both with CA-less and CA-full, therefore I'd accept this as a proper fix for the issue. Please address the minor improvement I suggested inline.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/355#issuecomment-268520740
[Freeipa-devel] [freeipa PR#348][comment] ca: fix ca-find with --pkey-only
URL: https://github.com/freeipa/freeipa/pull/348
Title: #348: ca: fix ca-find with --pkey-only
frasertweedale commented:
"""
LGTM
"""
See the full comment at https://github.com/freeipa/freeipa/pull/348#issuecomment-268509213
[Freeipa-devel] [freeipa PR#298][closed] ipaldap: handle binary encoding option transparently
URL: https://github.com/freeipa/freeipa/pull/298
Author: frasertweedale
Title: #298: ipaldap: handle binary encoding option transparently
Action: closed
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/298/head:pr298
git checkout pr298
[Freeipa-devel] [freeipa PR#298][comment] ipaldap: handle binary encoding option transparently
URL: https://github.com/freeipa/freeipa/pull/298
Title: #298: ipaldap: handle binary encoding option transparently
frasertweedale commented:
"""
OK, let's just fix all the plugins / other routines that deal with the relevant attributes to explicitly read both `userCertificate` and `userCertificate;binary` and concat the results. I think there is a lot more we could and should do to improve usability w.r.t. these attributes but it will do for now.

Closing this PR.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/298#issuecomment-268508499
[Freeipa-devel] [freeipa PR#358][comment] Use the tar Posix option for tarballs
URL: https://github.com/freeipa/freeipa/pull/358
Title: #358: Use the tar Posix option for tarballs
simo5 commented:
"""
Amended
"""
See the full comment at https://github.com/freeipa/freeipa/pull/358#issuecomment-268507057
[Freeipa-devel] [freeipa PR#358][synchronized] Use the tar Posix option for tarballs
URL: https://github.com/freeipa/freeipa/pull/358
Author: simo5
Title: #358: Use the tar Posix option for tarballs
Action: synchronized
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/358/head:pr358
git checkout pr358

From 038be681136f06be3bc5e6f76ee9a71e201b2d9b Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Tue, 20 Dec 2016 12:46:33 -0500
Subject: [PATCH] Use the tar Posix option for tarballs

This is necessary to be able to successfully build archives in environments controlled by an IPA domain which may have large uidNumbers for user accounts. tar-ustar allows UID/GID numbers only up to 2 million and by default a new IPA installation can assign UIDs in the billion range.

https://fedorahosted.org/freeipa/ticket/6418

Signed-off-by: Simo Sorce
---
configure.ac | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/configure.ac b/configure.ac index 3ea5983..e8a4701 100644 --- a/configure.ac +++ b/configure.ac @@ -15,7 +15,7 @@ esac AC_CONFIG_HEADERS([config.h]) -AM_INIT_AUTOMAKE([foreign 1.9 tar-ustar]) +AM_INIT_AUTOMAKE([foreign 1.9 tar-pax]) m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES]) AC_PROG_CC_C99
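Review bot: in the configure.ac hunk, `tar-pax` makes GNU tar (1.14 or later, i.e. one that supports `--format=posix`) a hard requirement for `make dist`; the `1.9` automake minimum already on that line is sufficient for the option itself, but the build-requirements documentation should state the tar dependency. The "2 million" figure in the commit message is the ustar 7-octal-digit field limit, 2^21 = 2097152, which is why the large IPA-assigned uidNumbers overflow it.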
[Freeipa-devel] [freeipa PR#348][synchronized] ca: fix ca-find with --pkey-only
URL: https://github.com/freeipa/freeipa/pull/348
Author: jcholast
Title: #348: ca: fix ca-find with --pkey-only
Action: synchronized
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/348/head:pr348
git checkout pr348

From fde228a0e0cffe754c7b420a3a1d87af46f7d995 Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Fri, 16 Dec 2016 14:19:00 +0100
Subject: [PATCH] ca: fix ca-find with --pkey-only

Since commit 32b1743e5fb318b226a602ec8d9a4b6ef2a25c9d, ca-find will fail with internal error if --pkey-only is specified, because the code to look up the CA certificate and certificate chain assumes that the ipaCAId attribute is always present in the result.

Fix this by not attempting to lookup the certificate / chain at all when --pkey-only is specified.

https://fedorahosted.org/freeipa/ticket/6178
---
ipaserver/plugins/ca.py | 10 +++---
1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py index 2510a79..f02c144 100644 --- a/ipaserver/plugins/ca.py +++ b/ipaserver/plugins/ca.py @@ -162,7 +162,10 @@ class ca(LDAPObject): def set_certificate_attrs(entry, options, want_cert=True): -ca_id = entry['ipacaid'][0] +try: +ca_id = entry['ipacaid'][0] +except KeyError: +return full = options.get('all', False) want_chain = options.get('chain', False) @@ -192,8 +195,9 @@ class ca_find(LDAPSearch): def execute(self, *keys, **options): ca_enabled_check() result = super(ca_find, self).execute(*keys, **options) -for entry in result['result']: -set_certificate_attrs(entry, options, want_cert=False) +if not options.get('pkey_only', False): +for entry in result['result']: +set_certificate_attrs(entry, options, want_cert=False) return result
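Review bot: in the set_certificate_attrs hunk, the bare `return` on `KeyError` turns any entry lacking `ipacaid`, for whatever reason, into one silently returned without certificate data, not only the `--pkey-only` case; now that `ca_find.execute` no longer calls the function for `--pkey-only`, say in a short comment which remaining callers are expected to pass entries without `ipacaid` (or log at debug level), so a genuinely broken CA entry is not masked.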
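Review bot: in the ca_find hunk, the `options.get('pkey_only', False)` guard matches the commit message, but the patch adds no test; a test that runs `ca-find --pkey-only` against a configured CA would lock in the fix for the internal error described, and the same check is worth considering for any other caller of `set_certificate_attrs` that can receive `--pkey-only` results.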
[Freeipa-devel] [freeipa PR#298][comment] ipaldap: handle binary encoding option transparently
URL: https://github.com/freeipa/freeipa/pull/298
Title: #298: ipaldap: handle binary encoding option transparently
jcholast commented:
"""
> If `ipaldap` is a generic LDAP client, it should obey the RFCs and always
> transfer the relevant attributes (`userCertificate`, `cACertificate`, etc)
> with the `;binary` encoding option, and it should expect to see it when
> reading the relevant attributes from the server.

No, it should respect whatever is defined on the server, otherwise it's not a generic LDAP client. If the server does something wrong, it has to be fixed there, on the server. The goal of `ipaldap` is not to make buggy or non-LDAPv3 (e.g. AD) servers look like they are LDAPv3-compliant, the goal is to interpret attributes according to the server-defined schema.

> IMO `ipaldap` should handle this transparently because it is part of the LDAP
> protocol.

Nowhere in the RFCs is it mandated that a compliant client cannot request the attributes without the option, nor that it must not accept the attributes without the option in server responses. If this was true, it would have to be fixed in OpenLDAP libs anyway, not in `ipaldap`.

> There is no 389DS-specific hack in my proposed change (but I'm curious about
> what part of it you feel is).

The part where you implicitly add the binary transfer option to attribute names (although not mandated on clients by any RFC) without knowing how the attribute types are defined on the server (although mandated only on attribute types with the certificate syntax by RFC 4523).

> This would also avoid inconsistent handling of relevant attributes between
> different plugins, which is the situation we currently have.

This is because of historical reasons (the original implementation of `host` and `service` plugins used `userCertificate` instead of `userCertificate;binary`) and will have to stay this way at least until all of the buggy 389 DS / IPA releases go out of support.

> But apart from the inconsistency (which is a nuisance) we have a bigger
> problem - in several plugins we specifically try to read `userCertificate`,
> but a RFC 4522 compliant server (which 389DS is not now, but hopefully one
> day will be) will always return `userCertificate;binary`. So, our current
> code breaks if/when that happens. Furthermore, other RFC 4522-compliant
> programs that correctly use the ;binary transfer encoding option to, e.g.
> write certificates to user entries, will cause those certificates to be
> unreadable by current IPA plugin code. This is not good enough.

We can easily fix the plugins to read from `userCertificate;binary` in addition to `userCertificate`. We have to continue to write to `userCertificate` only though, because of backward compatibility with older servers.

> 389DS does not behave correctly; its treatment of `;binary` is wrong in
> several ways, apart from the incorrect attribute syntax for relevant
> attributes.

Not enforcing `;binary` on attribute types with octet string syntax *is* correct. I was not trying to imply anything else.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/298#issuecomment-268505078
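The read-both, write-one rule the thread converges on (frasertweedale's "read both `userCertificate` and `userCertificate;binary` and concat the results", jcholast's "continue to write to `userCertificate` only"), as an added example that is not FreeIPA's ipaldap code. It assumes entries modelled the way python-ldap returns them (attribute description mapped to a list of bytes values) and uses a constructed sample entry; `MOD_ADD`, `read_attr` and `add_certificate_mod` are names chosen here.

```python
"""Read certificate attributes with or without the ';binary' transfer option
(read both spellings, write only 'userCertificate'), as discussed above.
Added example, not FreeIPA's ipaldap code; entries are modelled as python-ldap
returns them: attribute description -> list of bytes values."""
from typing import Dict, FrozenSet, List, Optional, Tuple

Entry = Dict[str, List[bytes]]
MOD_ADD = 0  # same value as ldap.MOD_ADD, inlined so python-ldap is not needed

# Constructed sample: one cert under both spellings, one under each alone.
SAMPLE_ENTRY: Entry = {
    "cn": [b"alice"],
    "userCertificate": [b"\x30\x01", b"\x30\x02"],
    "userCertificate;binary": [b"\x30\x02", b"\x30\x03"],
}


def split_description(desc: str) -> Tuple[str, FrozenSet[str]]:
    """'USERCERTIFICATE;Binary' -> ('usercertificate', {'binary'}).
    Attribute types and options are case-insensitive (RFC 4512 section 2.5)."""
    parts = desc.split(";")
    return parts[0].lower(), frozenset(p.lower() for p in parts[1:] if p)


def read_attr(entry: Entry, attrtype: str) -> List[bytes]:
    """All values of attrtype, concatenated across 'attr' and 'attr;binary'.
    Byte-identical duplicates are dropped so a server that returns both
    spellings does not yield a cert twice; other options (';lang-en' etc.)
    name different attributes and are skipped."""
    wanted = attrtype.lower()
    seen, out = set(), []
    for desc, values in entry.items():
        base, opts = split_description(desc)
        if base != wanted or not opts <= {"binary"}:
            continue
        for v in values:
            if v not in seen:
                seen.add(v)
                out.append(v)
    return out


def add_certificate_mod(entry: Entry, der: bytes
                        ) -> Optional[Tuple[int, str, List[bytes]]]:
    """python-ldap style modlist entry that writes to plain 'userCertificate'
    only (the backward-compatible choice in the thread), or None when the
    cert is already stored under either spelling."""
    if der in read_attr(entry, "userCertificate"):
        return None
    return (MOD_ADD, "userCertificate", [der])
```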
[Freeipa-devel] [freeipa PR#359][opened] dogtag: search past the first 100 certificates
URL: https://github.com/freeipa/freeipa/pull/359
Author: jcholast
Title: #359: dogtag: search past the first 100 certificates
Action: opened
PR body:
"""
Dogtag requires a size limit to be specified when searching for certificates. When no limit is specified in the dogtag plugin, a limit of 100 entries is assumed. As a result, an unlimited certificate search returns data only for a maximum of 100 certificates.

Raise the "unlimited" limit to the maximum value Dogtag accepts.

https://fedorahosted.org/freeipa/ticket/6564
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/359/head:pr359
git checkout pr359

From 9281047feaf12ae484223a68f15af85b67406033 Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Wed, 21 Dec 2016 09:55:40 +0100
Subject: [PATCH] dogtag: search past the first 100 certificates

Dogtag requires a size limit to be specified when searching for certificates. When no limit is specified in the dogtag plugin, a limit of 100 entries is assumed. As a result, an unlimited certificate search returns data only for a maximum of 100 certificates.

Raise the "unlimited" limit to the maximum value Dogtag accepts.

https://fedorahosted.org/freeipa/ticket/6564
---
ipaserver/plugins/dogtag.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 73c14ed..f5f9ebe 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -1914,7 +1914,7 @@ def convert_time(value): url = 'http://%s/ca/rest/certs/search?size=%d' % ( ipautil.format_netloc(self.ca_host, 8080), -options.get('sizelimit', 100)) +options.get('sizelimit', 0x7fff)) opener = urllib.request.build_opener() opener.addheaders = [('Accept-Encoding', 'gzip, deflate'),
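Review bot: in the dogtag.py hunk, `0x7fff` is a magic number; give it a module-level name with a comment that it is the largest size Dogtag accepts (as the commit message states) so the next reader does not have to rediscover why 32767. Also, `options.get('sizelimit', 0x7fff)` only applies the new default when the key is absent: if a caller passes `sizelimit=0` to mean "no limit", Dogtag still receives `size=0`, so please check how callers express an unlimited search and map that case explicitly if needed.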