[Freeipa-devel] [freeipa PR#355][synchronized] Set up DS TLS on replica in CA-less topology

2016-12-21 Thread frasertweedale
   URL: https://github.com/freeipa/freeipa/pull/355
Author: frasertweedale
 Title: #355: Set up DS TLS on replica in CA-less topology
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/355/head:pr355
git checkout pr355
From 9e2e1fb71a6ef34cab56206346dc193305d71d82 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Tue, 20 Dec 2016 23:29:22 +1000
Subject: [PATCH] Set up DS TLS on replica in CA-less topology

Fixes: https://fedorahosted.org/freeipa/ticket/6226
---
 ipaserver/install/dsinstance.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index bcfcb05..2ac1041 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -390,7 +390,9 @@ def create_replica(self, realm_name, master_fqdn, fqdn,
 
 self.step("creating DS keytab", self._request_service_keytab)
 if self.promote:
-if self.ca_is_configured:
+if self.pkcs12_info:
+self.step("configuring ssl for ds instance", self.__enable_ssl)
+else:
 self.step("retrieving DS Certificate", self.__get_ds_cert)
 self.step("restarting directory server", self.__restart_instance)
 
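Review bot: the `else` branch now runs `__get_ds_cert` whenever `pkcs12_info` is unset, where the old code required `ca_is_configured` first; if a promoted replica can reach this step with neither a PKCS#12 file nor a CA in the topology (the case the old guard excluded), it will try to request a DS certificate from a CA that does not exist. Either keep an explicit `elif self.ca_is_configured:` before falling through to `__get_ds_cert`, or state in the commit message why the installer guarantees that exactly one of the two is set at this point.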
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#359][comment] dogtag: search past the first 100 certificates

2016-12-21 Thread frasertweedale
  URL: https://github.com/freeipa/freeipa/pull/359
Title: #359: dogtag: search past the first 100 certificates

frasertweedale commented:
"""
This change is working for me, including having the expected behaviour for 
WebUI.  @tomaskrizek please provide steps to reproduce your WebUI behaviour.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/359#issuecomment-268710308

[Freeipa-devel] [freeipa PR#355][synchronized] Set up DS TLS on replica in CA-less topology

2016-12-21 Thread frasertweedale
   URL: https://github.com/freeipa/freeipa/pull/355
Author: frasertweedale
 Title: #355: Set up DS TLS on replica in CA-less topology
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/355/head:pr355
git checkout pr355
From 34ca89d344c623432dfec1bb04f4776cd9546eb6 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Tue, 20 Dec 2016 23:29:22 +1000
Subject: [PATCH] Set up DS TLS on replica in CA-less topology

Fixes: https://fedorahosted.org/freeipa/ticket/6226
---
 ipaserver/install/dsinstance.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index bcfcb05..2ac1041 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -390,7 +390,9 @@ def create_replica(self, realm_name, master_fqdn, fqdn,
 
 self.step("creating DS keytab", self._request_service_keytab)
 if self.promote:
-if self.ca_is_configured:
+if self.pkcs12_info:
+self.step("configuring ssl for ds instance", self.__enable_ssl)
+else:
 self.step("retrieving DS Certificate", self.__get_ds_cert)
 self.step("restarting directory server", self.__restart_instance)
 

[Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA

2016-12-21 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA

mbasti-rh commented:
"""
I would like to review this as well, so removing ACK to prevent pushing this to 
master
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/317#issuecomment-268577216

[Freeipa-devel] [freeipa PR#317][-ack] Unify password generation across FreeIPA

2016-12-21 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA

Label: -ack

[Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA

2016-12-21 Thread pspacek
  URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA

pspacek commented:
"""
Works for me, server installation including DNSSEC worked fine.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/317#issuecomment-268575899

[Freeipa-devel] [freeipa PR#317][+ack] Unify password generation across FreeIPA

2016-12-21 Thread pspacek
  URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA

Label: +ack

[Freeipa-devel] [freeipa PR#355][comment] Set up DS TLS on replica in CA-less topology

2016-12-21 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/355
Title: #355: Set up DS TLS on replica in CA-less topology

mbasti-rh commented:
"""
> @tomaskrizek FYI, the current documentation states that ipa-certupdate must 
> be run after ipa-ca-install (see 
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/CA-less-to-CA.html).

Bad UX, please open an RFE ticket for ipa-ca-install to execute certupdate 
automatically when needed
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/355#issuecomment-268561239

[Freeipa-devel] [freeipa PR#299][closed] Remove "Request Certificate with SubjectAltName" permission

2016-12-21 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/299
Author: frasertweedale
 Title: #299: Remove "Request Certificate with SubjectAltName" permission
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/299/head:pr299
git checkout pr299

[Freeipa-devel] [freeipa PR#299][comment] Remove "Request Certificate with SubjectAltName" permission

2016-12-21 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/299
Title: #299: Remove "Request Certificate with SubjectAltName" permission

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/bdbb1c34a2f5ef864cd3a943dcd047cde20de681
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/299#issuecomment-268560529

[Freeipa-devel] [freeipa PR#299][+pushed] Remove "Request Certificate with SubjectAltName" permission

2016-12-21 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/299
Title: #299: Remove "Request Certificate with SubjectAltName" permission

Label: +pushed

[Freeipa-devel] [freeipa PR#299][+ack] Remove "Request Certificate with SubjectAltName" permission

2016-12-21 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/299
Title: #299: Remove "Request Certificate with SubjectAltName" permission

Label: +ack

[Freeipa-devel] [freeipa PR#361][opened] This PR implements a number of improvements for our Travis CI:

2016-12-21 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/361
Author: martbab
 Title: #361: This PR implements a number of improvements for our Travis CI:
Action: opened

PR body:
"""
* split out the test runner part into a standalone script; .travis.yml should
  now only define the test matrix, set environment variables and process output
  after failure

* mark the project as a Python one, implement support for running builds using
  different Python versions (future-proofing against the incoming Python 2/3 CI)
  and cache job dependencies

* use a separate job for pep8/linters. This shaves off ca. 6-8 minutes from the
  overall build time. You should get CI results in 26 min compared to the
  previous 33 min

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/361/head:pr361
git checkout pr361
From a59ecbc489393ad9d509bd4718ffb87e3197c355 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Tue, 20 Dec 2016 10:11:20 +0100
Subject: [PATCH 1/8] Bump up ipa-docker-test-runner version

---
 .travis.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.travis.yml b/.travis.yml
index e870213..c32c5d7 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -18,7 +18,7 @@ before_install:
 - pip install pep8
 - >
   pip3 install
-  git+https://github.com/freeipa/ipa-docker-test-runner@release-0-2-0
+  git+https://github.com/freeipa/ipa-docker-test-runner@release-0-2-1
 
 script:
 - >
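Review bot: `@release-0-2-1` pins the test runner to a git ref, not a commit, so the tool that executes every CI job can change underneath the build with no diff in this repository; pin to the commit hash behind that release instead (`git+https://github.com/freeipa/ipa-docker-test-runner@<commit-sha>`, placeholder) so the CI toolchain is reproducible and a moved or retagged release cannot silently alter what runs against the tree.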

From ab0c72c08bf222c3903c6681d562284169aa2f02 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Tue, 20 Dec 2016 15:47:31 +0100
Subject: [PATCH 2/8] travis: mark FreeIPA as python project

---
 .travis.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.travis.yml b/.travis.yml
index c32c5d7..2855bf2 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,3 +1,4 @@
+language: python
 services:
 - docker
 
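Review bot: `language: python` without a `python:` key leaves the interpreter at Travis's default, while the PR body says the change is meant to support builds under different Python versions; add an explicit `python:` list (even with a single entry for now) so the version used for the pep8/pylint jobs is pinned in the config rather than inherited from the image.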

From 0a8de3a9758459c1aab64fa475771694e3c869ff Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Tue, 20 Dec 2016 16:01:00 +0100
Subject: [PATCH 3/8] Put the commands informing and displaying build logs on single line

This prevents the Travis log collector from adding separate expansion marks to
the echo output and the actual log output.
---
 .travis.yml | 6 ++
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/.travis.yml b/.travis.yml
index 2855bf2..28f481f 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -39,7 +39,5 @@ script:
 --git-repo ${TRAVIS_BUILD_DIR}
 run-tests $test_set
 after_failure:
-  - echo "Test runner output:"
-  - tail -n 5000 ci_results_${TRAVIS_BRANCH}.log
-  - echo "PEP-8 errors:"
-  - cat pep8_errors.log
+- echo "Test runner output:"; tail -n 5000 ci_results_${TRAVIS_BRANCH}.log
+- echo "PEP-8 errors:"; cat pep8_errors.log
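Review bot: `cat pep8_errors.log` on the last line aborts with a "No such file or directory" error in every job where the lint task did not run (the new runner script only writes that log when `TASK_TO_RUN` is `lint`), which is exactly the kind of noise this commit is trying to keep out of the failure output; guard it, e.g. `- echo "PEP-8 errors:"; cat pep8_errors.log 2>/dev/null || true`, or print it only from the lint job.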

From 8172ea91f1e23cfe16e5d6962a67c51e7a778af7 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Tue, 20 Dec 2016 15:55:55 +0100
Subject: [PATCH 4/8] Travis CI: a separate script to run test tasks

This script is intended only for use in Travis CI and contains the
configuration of the requested test run:

* it can run the linter step separately by specifying the TASK_TO_RUN="lint"
  environment variable in .travis.yml. In this case it also runs the
  pep8 checker on the commits in the PR.
* other steps are run in developer mode in order to skip the pylint run
  and speed up the task
* in all cases the CI result log is populated and can be displayed
  if the job fails
---
 .travis_run_task.sh | 34 ++
 1 file changed, 34 insertions(+)
 create mode 100755 .travis_run_task.sh

diff --git a/.travis_run_task.sh b/.travis_run_task.sh
new file mode 100755
index 000..2163a9b
--- /dev/null
+++ b/.travis_run_task.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+# NOTE: this script is intended to run in Travis CI only
+set -ev
+
+test_set=""
+developer_mode_opt="--developer-mode"
+
+if [[ "$TASK_TO_RUN" == "lint" ]]
+then
+if [[ "$TRAVIS_EVENT_TYPE" == "pull_request" ]]
+then
+git diff origin/$TRAVIS_BRANCH -U0 | pep8 --diff &> $PEP8_ERROR_LOG ||:
+fi 
+
+# disable developer mode for lint task, otherwise we get an error
+developer_mode_opt=""
+fi
+
+if [[ -n "$TESTS_TO_RUN" ]]
+then
+pushd ipatests
+test_set=`ls -d -1 $TESTS_TO_RUN 2> /dev/null | tr '\n' ' '`
+popd
+fi
+
+docker pull $TEST_RUNNER_IMAGE
+
+ipa-docker-test-runner -l $CI_RESULTS_LOG \
+-c $TEST_RUNNER_CONFIG \
+$developer_mode_opt \
+--container-image $TEST_RUNNER_IMAGE \
+--git-repo $TRAVIS_BUILD_DIR \
+$TASK_TO_RUN $test_set
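Review bot: the path and image variables in the final `ipa-docker-test-runner` call (`$CI_RESULTS_LOG`, `$TEST_RUNNER_CONFIG`, `$TEST_RUNNER_IMAGE`, `$TRAVIS_BUILD_DIR`) and `$PEP8_ERROR_LOG` in the redirect are unquoted, so an empty or space-containing value silently shifts the argument list; quote them, and leave only `$developer_mode_opt` and `$test_set` bare, since those rely on word splitting to vanish when empty or expand to several arguments. Consider `set -u` alongside `set -ev` so an unset `TEST_RUNNER_IMAGE` or `TEST_RUNNER_CONFIG` fails the job up front instead of surfacing as a confusing `docker pull` error, and drop the trailing whitespace after the first `fi`.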

From 549b439956f063350ff8b31cc7829a4e973bc312 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Tue, 20 Dec 2016 16:03:25 +0100
Subject: [PATCH 5/8] Travis: offload test execution to a separate script

---
 .travis.yml | 17 +
 1 file changed, 1 insertion(+), 16 deletions(-)

diff --git a/.travis.yml b/.travis.yml
index 28f481f..8692dd7 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -22,22 +22,7 @@

[Freeipa-devel] [freeipa PR#355][comment] Set up DS TLS on replica in CA-less topology

2016-12-21 Thread flo-renaud
  URL: https://github.com/freeipa/freeipa/pull/355
Title: #355: Set up DS TLS on replica in CA-less topology

flo-renaud commented:
"""
@tomaskrizek FYI, the current documentation states that ipa-certupdate must be 
run after ipa-ca-install (see 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/CA-less-to-CA.html).
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/355#issuecomment-268541323

[Freeipa-devel] [freeipa PR#317][synchronized] Unify password generation across FreeIPA

2016-12-21 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/317
Author: stlaz
 Title: #317: Unify password generation across FreeIPA
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/317/head:pr317
git checkout pr317
From bfde1323888d15bd8aa975e9513fea829cb19de9 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Tue, 6 Dec 2016 09:05:42 +0100
Subject: [PATCH 1/2] Unify password generation across FreeIPA

Also had to recalculate the entropy of the passwords: originally, the
probability of generating each character was 1/256, whereas the
default probability of each character in ipa_generate_password
is 1/95 (1/94 for the first and last character).

https://fedorahosted.org/freeipa/ticket/5695
---
 ipaserver/install/certs.py | 8 ++--
 ipaserver/install/dogtaginstance.py| 3 +--
 ipaserver/install/dsinstance.py| 5 +
 ipaserver/install/httpinstance.py  | 5 ++---
 ipaserver/install/server/replicainstall.py | 3 +--
 ipaserver/secrets/store.py | 2 +-
 6 files changed, 8 insertions(+), 18 deletions(-)

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 45602ba..198c43d 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -25,7 +25,6 @@
 import xml.dom.minidom
 import pwd
 import base64
-from hashlib import sha1
 import fcntl
 import time
 import datetime
@@ -159,9 +158,6 @@ def set_perms(self, fname, write=False, uid=None):
 perms |= stat.S_IWUSR
 os.chmod(fname, perms)
 
-def gen_password(self):
-return sha1(ipautil.ipa_generate_password()).hexdigest()
-
 def run_certutil(self, args, stdin=None, **kwargs):
 return self.nssdb.run_certutil(args, stdin, **kwargs)
 
@@ -177,7 +173,7 @@ def create_noise_file(self):
 if ipautil.file_exists(self.noise_fname):
 os.remove(self.noise_fname)
 f = open(self.noise_fname, "w")
-f.write(self.gen_password())
+f.write(ipautil.ipa_generate_password(pwd_len=25))
 self.set_perms(self.noise_fname)
 
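Review bot: the noise file is opened with `open(self.noise_fname, "w")`, written, and only then restricted by `set_perms`, so the seed material is briefly readable by any local user the process umask allows; create it with a restrictive mode first (e.g. `os.open(..., os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)`) and write afterwards. On the content itself the change is sound: 25 characters drawn from 95 symbols (per the commit message) carry roughly 164 bits, no less than the 160-bit SHA-1 hexdigest they replace, so the seed is not weakened.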
 def create_passwd_file(self, passwd=None):
@@ -186,7 +182,7 @@ def create_passwd_file(self, passwd=None):
 if passwd is not None:
 f.write("%s\n" % passwd)
 else:
-f.write(self.gen_password())
+f.write(ipautil.ipa_generate_password(pwd_len=25))
 f.close()
 self.set_perms(self.passwd_fname)
 
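Review bot: the password is written and the file closed before `self.set_perms(self.passwd_fname)` tightens the mode, so the NSS database password can be read during that window by whoever the umask permits; the same ordering appears in `create_noise_file` in the previous hunk. Restrict the mode at creation time (open with `0o600`) rather than after the write, so the secret is never exposed even briefly.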
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index f4856c7..dc4b5b0 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -18,7 +18,6 @@
 #
 
 import base64
-import binascii
 import ldap
 import os
 import shutil
@@ -428,7 +427,7 @@ def __add_admin_to_group(self, group):
 
 def setup_admin(self):
 self.admin_user = "admin-%s" % self.fqdn
-self.admin_password = binascii.hexlify(os.urandom(16))
+self.admin_password = ipautil.ipa_generate_password(pwd_len=20)
 self.admin_dn = DN(('uid', self.admin_user),
('ou', 'people'), ('o', 'ipaca'))
 
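Review bot: `binascii.hexlify(os.urandom(16))` produced 32 hex characters with 128 bits of entropy; 20 characters from the 95-symbol set described in the commit message give about 131 bits, so strength is preserved, but the new value can contain quotes, backslashes, `%` and other shell- or config-significant characters that a hex string never did. Check that everything `self.admin_password` is passed on to (not visible in this hunk, including the LDAP entry built from `admin_dn`) quotes or escapes the value correctly, or restrict the alphabet for this particular password.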
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 1be5ac7..09708dc 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -506,7 +506,7 @@ def __setup_sub_dict(self):
 idrange_size = None
 self.sub_dict = dict(FQDN=self.fqdn, SERVERID=self.serverid,
  PASSWORD=self.dm_password,
- RANDOM_PASSWORD=self.generate_random(),
+ RANDOM_PASSWORD=ipautil.ipa_generate_password(),
  SUFFIX=self.suffix,
  REALM=self.realm, USER=DS_USER,
  SERVER_ROOT=server_root, DOMAIN=self.domain,
@@ -773,9 +773,6 @@ def __host_nis_groups(self):
 def __add_enrollment_module(self):
 self._ldap_mod("enrollment-conf.ldif", self.sub_dict)
 
-def generate_random(self):
-return ipautil.ipa_generate_password()
-
 def __enable_ssl(self):
 dirname = config_dirname(self.serverid)
 dsdb = certs.CertDB(self.realm, nssdir=dirname, subject_base=self.subject_base)
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 15c3107..9fdb5a8 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -19,7 +19,6 @@
 
 from __future__ import print_function
 
-import binascii
 import os
 import os.path
 import pwd
@@ -314,9 +313,9 @@ def create_cert_db(self):
 ipautil.backup_file(nss_path)
 
 # Create the password file for this db
-hex_str = binascii.hexlify(os.urandom(10))
+password = ipautil.ipa_generate_password(pwd_len=15)
 f = os.open(pwd_file, os.O_CREAT | os.O_RDWR)
-os.write(f, hex_str)
+os.write(f, passw
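Review bot: `os.open(pwd_file, os.O_CREAT | os.O_RDWR)` creates the NSS password file without an explicit mode, so it gets `0666` masked only by the umask; pass `0o600` as the third argument so the secret is never readable by other users, even transiently. Entropy-wise the change is fine: 15 characters from the 95-symbol set is about 98 bits against 80 bits from `os.urandom(10)`. The hunk is cut off after `os.write(f, passw`; note that on Python 3 `os.write` requires bytes, so if `ipa_generate_password` returns text the value must be encoded before writing, where the old `hexlify` result was already bytes.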

[Freeipa-devel] [freeipa PR#359][comment] dogtag: search past the first 100 certificates

2016-12-21 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/359
Title: #359: dogtag: search past the first 100 certificates

tomaskrizek commented:
"""
With this fix, more than 100 certificates are displayed and click-able from 
WebUI overview. However, I'm still getting an error message pop up saying 
```
Search result has been truncated: Configured size limit exceeded
```
And there is also this message at the bottom of the page:
```
Query returned more results than the configured size limit. Displaying the 
first 110 results.
```

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/359#issuecomment-268535538

[Freeipa-devel] [freeipa PR#360][opened] x509: use PyASN1 to parse PKCS#7

2016-12-21 Thread jcholast
   URL: https://github.com/freeipa/freeipa/pull/360
Author: jcholast
 Title: #360: x509: use PyASN1 to parse PKCS#7
Action: opened

PR body:
"""
Use PyASN1 with the PKCS#7 definitions from `pyasn1_modules` to parse
PKCS#7 in `pkcs7_to_pems()` instead of calling `openssl pkcs7` in a
subprocess.

https://fedorahosted.org/freeipa/ticket/6550
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/360/head:pr360
git checkout pr360
From e795b5d53d1a58ea1247668e13be9b45e0652298 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Wed, 21 Dec 2016 14:05:57 +0100
Subject: [PATCH] x509: use PyASN1 to parse PKCS#7

Use PyASN1 with the PKCS#7 definitions from `pyasn1_modules` to parse
PKCS#7 in `pkcs7_to_pems()` instead of calling `openssl pkcs7` in a
subprocess.

https://fedorahosted.org/freeipa/ticket/6550
---
 ipalib/x509.py | 48 +++-
 1 file changed, 31 insertions(+), 17 deletions(-)

diff --git a/ipalib/x509.py b/ipalib/x509.py
index 851af5a..13327c1 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -42,21 +42,13 @@
 import cryptography.x509
 from pyasn1.type import univ, char, namedtype, tag
 from pyasn1.codec.der import decoder, encoder
-from pyasn1_modules import rfc2459
+from pyasn1_modules import rfc2315, rfc2459
 import six
 
 from ipalib import api
 from ipalib import util
 from ipalib import errors
 from ipapython.dn import DN
-from ipapython import ipautil
-
-try:
-from ipaplatform.paths import paths
-except ImportError:
-OPENSSL = '/usr/bin/openssl'
-else:
-OPENSSL = paths.OPENSSL
 
 if six.PY3:
 unicode = str
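Review bot: the rewritten `pkcs7_to_pems` in the next hunk calls `re.match`, `base64.b64decode` and `base64.b64encode`, but neither `re` nor `base64` appears in the import block shown here; confirm both are already imported at module level (they are not visible in this hunk), otherwise the function fails on first call with a NameError.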
@@ -160,16 +152,38 @@ def pkcs7_to_pems(data, datatype=PEM):
 Extract certificates from a PKCS #7 object.
 
 Return a ``list`` of X.509 PEM strings.
+"""
+if datatype == PEM:
+match = re.match(
+r'-BEGIN PKCS7-(.*?)-END PKCS7-',
+data,
+re.DOTALL)
+if not match:
+raise ValueError("not a valid PKCS#7 PEM")
 
-May throw ``ipautil.CalledProcessError`` on invalid data.
+data = base64.b64decode(match.group(1))
 
-"""
-cmd = [
-OPENSSL, "pkcs7", "-print_certs",
-"-inform", "PEM" if datatype == PEM else "DER",
-]
-result = ipautil.run(cmd, stdin=data, capture_output=True)
-return PEM_REGEX.findall(result.output)
+content_info, tail = decoder.decode(data, rfc2315.ContentInfo())
+if tail:
+raise ValueError("not a valid PKCS#7 message")
+
+if content_info['contentType'] != rfc2315.signedData:
+raise ValueError("not a PKCS#7 signed data message")
+
+signed_data, tail = decoder.decode(bytes(content_info['content']),
+   rfc2315.SignedData())
+if tail:
+raise ValueError("not a valid PKCS#7 signed data message")
+
+result = []
+
+for certificate in signed_data['certificates']:
+certificate = encoder.encode(certificate)
+certificate = base64.b64encode(certificate)
+certificate = make_pem(certificate)
+result.append(certificate)
+
+return result
 
 
 def is_self_signed(certificate, datatype=PEM):
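Review bot: `certificates` is OPTIONAL in `rfc2315.SignedData` and each element is a CHOICE (`ExtendedCertificateOrCertificate`), so the loop over `signed_data['certificates']` needs two guards: handle the absent component (a degenerate PKCS#7 carrying no certificates should return an empty list rather than fail inside the loop), and only re-encode elements whose chosen alternative is `certificate`, since an `extendedCertificate` would otherwise be wrapped in a PEM block that no X.509 parser accepts. Two smaller points: `re.match` anchors at offset 0, so any preamble or leading whitespace before the BEGIN line is rejected as "not a valid PKCS#7 PEM" where `re.search` would be the tolerant choice; and on Python 3 `base64.b64encode` returns bytes, so `make_pem` must accept bytes or the value needs decoding first, given the module explicitly supports both interpreters (`if six.PY3: unicode = str`).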

[Freeipa-devel] [freeipa PR#317][synchronized] Unify password generation across FreeIPA

2016-12-21 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/317
Author: stlaz
 Title: #317: Unify password generation across FreeIPA
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/317/head:pr317
git checkout pr317
From bfde1323888d15bd8aa975e9513fea829cb19de9 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Tue, 6 Dec 2016 09:05:42 +0100
Subject: [PATCH 1/2] Unify password generation across FreeIPA

Also had to recalculate entropy of the passwords as originally,
probability of generating each character was 1/256, however the
default probability of each character in the ipa_generate_password
is 1/95 (1/94 for first and last character).

https://fedorahosted.org/freeipa/ticket/5695
---
 ipaserver/install/certs.py | 8 ++--
 ipaserver/install/dogtaginstance.py| 3 +--
 ipaserver/install/dsinstance.py| 5 +
 ipaserver/install/httpinstance.py  | 5 ++---
 ipaserver/install/server/replicainstall.py | 3 +--
 ipaserver/secrets/store.py | 2 +-
 6 files changed, 8 insertions(+), 18 deletions(-)

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 45602ba..198c43d 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -25,7 +25,6 @@
 import xml.dom.minidom
 import pwd
 import base64
-from hashlib import sha1
 import fcntl
 import time
 import datetime
@@ -159,9 +158,6 @@ def set_perms(self, fname, write=False, uid=None):
 perms |= stat.S_IWUSR
 os.chmod(fname, perms)
 
-def gen_password(self):
-return sha1(ipautil.ipa_generate_password()).hexdigest()
-
 def run_certutil(self, args, stdin=None, **kwargs):
 return self.nssdb.run_certutil(args, stdin, **kwargs)
 
@@ -177,7 +173,7 @@ def create_noise_file(self):
 if ipautil.file_exists(self.noise_fname):
 os.remove(self.noise_fname)
 f = open(self.noise_fname, "w")
-f.write(self.gen_password())
+f.write(ipautil.ipa_generate_password(pwd_len=25))
 self.set_perms(self.noise_fname)
 
 def create_passwd_file(self, passwd=None):
@@ -186,7 +182,7 @@ def create_passwd_file(self, passwd=None):
 if passwd is not None:
 f.write("%s\n" % passwd)
 else:
-f.write(self.gen_password())
+f.write(ipautil.ipa_generate_password(pwd_len=25))
 f.close()
 self.set_perms(self.passwd_fname)
 
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index f4856c7..dc4b5b0 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -18,7 +18,6 @@
 #
 
 import base64
-import binascii
 import ldap
 import os
 import shutil
@@ -428,7 +427,7 @@ def __add_admin_to_group(self, group):
 
 def setup_admin(self):
 self.admin_user = "admin-%s" % self.fqdn
-self.admin_password = binascii.hexlify(os.urandom(16))
+self.admin_password = ipautil.ipa_generate_password(pwd_len=20)
 self.admin_dn = DN(('uid', self.admin_user),
('ou', 'people'), ('o', 'ipaca'))
 
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 1be5ac7..09708dc 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -506,7 +506,7 @@ def __setup_sub_dict(self):
 idrange_size = None
 self.sub_dict = dict(FQDN=self.fqdn, SERVERID=self.serverid,
  PASSWORD=self.dm_password,
- RANDOM_PASSWORD=self.generate_random(),
+ RANDOM_PASSWORD=ipautil.ipa_generate_password(),
  SUFFIX=self.suffix,
  REALM=self.realm, USER=DS_USER,
  SERVER_ROOT=server_root, DOMAIN=self.domain,
@@ -773,9 +773,6 @@ def __host_nis_groups(self):
 def __add_enrollment_module(self):
 self._ldap_mod("enrollment-conf.ldif", self.sub_dict)
 
-def generate_random(self):
-return ipautil.ipa_generate_password()
-
 def __enable_ssl(self):
 dirname = config_dirname(self.serverid)
 dsdb = certs.CertDB(self.realm, nssdir=dirname, subject_base=self.subject_base)
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 15c3107..9fdb5a8 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -19,7 +19,6 @@
 
 from __future__ import print_function
 
-import binascii
 import os
 import os.path
 import pwd
@@ -314,9 +313,9 @@ def create_cert_db(self):
 ipautil.backup_file(nss_path)
 
 # Create the password file for this db
-hex_str = binascii.hexlify(os.urandom(10))
+password = ipautil.ipa_generate_password(pwd_len=15)
 f = os.open(pwd_file, os.O_CREAT | os.O_RDWR)
-os.write(f, hex_str)
+os.write(f, passw
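Review bot: `os.write(f, ...)` requires bytes; the old `hex_str` from `binascii.hexlify` was bytes on Python 3, but the new `password` from `ipautil.ipa_generate_password` is text, so this line needs an explicit encode (e.g. `os.write(f, password.encode('utf-8'))`) or it raises `TypeError` under Python 3. While touching this block: `os.open(pwd_file, os.O_CREAT | os.O_RDWR)` creates the NSS password file with the default mode (0o777 masked by umask), so the secret can be readable by other local users until permissions are tightened afterwards; passing `0o600` as the mode argument closes that window.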

[Freeipa-devel] [freeipa PR#358][comment] Use the tar Posix option for tarballs

2016-12-21 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/358
Title: #358: Use the tar Posix option for tarballs

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/2bc01ec5b4a91a805912bdada429a91ab08ed196
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/358#issuecomment-268527981
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#358][closed] Use the tar Posix option for tarballs

2016-12-21 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/358
Author: simo5
 Title: #358: Use the tar Posix option for tarballs
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/358/head:pr358
git checkout pr358

[Freeipa-devel] [freeipa PR#358][+pushed] Use the tar Posix option for tarballs

2016-12-21 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/358
Title: #358: Use the tar Posix option for tarballs

Label: +pushed

[Freeipa-devel] [freeipa PR#358][+ack] Use the tar Posix option for tarballs

2016-12-21 Thread pspacek
  URL: https://github.com/freeipa/freeipa/pull/358
Title: #358: Use the tar Posix option for tarballs

Label: +ack

[Freeipa-devel] [freeipa PR#358][comment] Use the tar Posix option for tarballs

2016-12-21 Thread pspacek
  URL: https://github.com/freeipa/freeipa/pull/358
Title: #358: Use the tar Posix option for tarballs

pspacek commented:
"""
Thanks, ACK!
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/358#issuecomment-268527273

[Freeipa-devel] [freeipa PR#355][comment] Set up DS TLS on replica in CA-less topology

2016-12-21 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/355
Title: #355: Set up DS TLS on replica in CA-less topology

tomaskrizek commented:
"""
I've tested the following use cases:

- CA-less replica promotion domlvl1: *ldapssl running*; but the following 
behaviour is present: If `ipa-ca-install` is executed on replica, it finishes. 
But next `ipa-ca-install`, i.e. on master, will fail with CA did not start 
after 300 seconds. Relevant parts of pki and dirsrv logs:
```
[21/Dec/2016:12:43:46][localhost-startStop-1]: SSL handshake happened
Could not connect to LDAP server host vm-058-045.abc.idm.lab.eng.brq.redhat.com 
port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
---
[21/Dec/2016:12:43:46.640540945 +0100] conn=4 fd=66 slot=66 SSL connection from 
10.34.58.45 to 10.34.58.45
[21/Dec/2016:12:43:46.653170560 +0100] conn=4 TLS1.2 128-bit AES
[21/Dec/2016:12:43:46.665708312 +0100] conn=4 op=0 BIND dn="" method=sasl 
version=3 mech=EXTERNAL
[21/Dec/2016:12:43:46.667668986 +0100] conn=4 op=0 RESULT err=48 tag=97 
nentries=0 etime=0
```
The same behavior is present when `ipa-ca-install` is first installed on master 
and then on replica. Basically, the second `ipa-ca-install` will fail. Running 
`ipa-certupdate` on the second server fixes the issue. This seems to be a 
separate issue, so I will file a bug for this.
- CA-full replica promotion domlvl1: *ldapssl running*
- CA-less replica installation domlvl0: *ldapssl running*
- CA-full replica installation domlvl0: *ldapssl running*

The fix seems to properly start the ldapssl both with CA-less and CA-full, 
therefore I'd accept this as a proper fix for the issue. Please address the 
minor improvement I suggested inline.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/355#issuecomment-268520740

[Freeipa-devel] [freeipa PR#348][comment] ca: fix ca-find with --pkey-only

2016-12-21 Thread frasertweedale
  URL: https://github.com/freeipa/freeipa/pull/348
Title: #348: ca: fix ca-find with --pkey-only

frasertweedale commented:
"""
LGTM
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/348#issuecomment-268509213

[Freeipa-devel] [freeipa PR#298][closed] ipaldap: handle binary encoding option transparently

2016-12-21 Thread frasertweedale
   URL: https://github.com/freeipa/freeipa/pull/298
Author: frasertweedale
 Title: #298: ipaldap: handle binary encoding option transparently
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/298/head:pr298
git checkout pr298

[Freeipa-devel] [freeipa PR#298][comment] ipaldap: handle binary encoding option transparently

2016-12-21 Thread frasertweedale
  URL: https://github.com/freeipa/freeipa/pull/298
Title: #298: ipaldap: handle binary encoding option transparently

frasertweedale commented:
"""
OK, let's just fix all the plugins / other routines that deal with the relevant 
attributes to explicitly read both `userCertificate` and 
`userCertificate;binary` and concat the results.  I think there is a lot more 
we could and should do to improve usability w.r.t. these attributes but it will 
do for now.  Closing this PR.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/298#issuecomment-268508499

[Freeipa-devel] [freeipa PR#358][comment] Use the tar Posix option for tarballs

2016-12-21 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/358
Title: #358: Use the tar Posix option for tarballs

simo5 commented:
"""
Amended
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/358#issuecomment-268507057

[Freeipa-devel] [freeipa PR#358][synchronized] Use the tar Posix option for tarballs

2016-12-21 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/358
Author: simo5
 Title: #358: Use the tar Posix option for tarballs
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/358/head:pr358
git checkout pr358
From 038be681136f06be3bc5e6f76ee9a71e201b2d9b Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Tue, 20 Dec 2016 12:46:33 -0500
Subject: [PATCH] Use the tar Posix option for tarballs

This is necessary to be able to successfully build archives in
environments controlled by an IPA domain which may have large uidNumbers
for user accounts.

tar-ustar allows UID/GID numbers only up to 2 million and by default a
new IPA installation can assign UIDs in the billion range.

https://fedorahosted.org/freeipa/ticket/6418

Signed-off-by: Simo Sorce 
---
 configure.ac | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/configure.ac b/configure.ac
index 3ea5983..e8a4701 100644
--- a/configure.ac
+++ b/configure.ac
@@ -15,7 +15,7 @@ esac
 
 AC_CONFIG_HEADERS([config.h])
 
-AM_INIT_AUTOMAKE([foreign 1.9 tar-ustar])
+AM_INIT_AUTOMAKE([foreign 1.9 tar-pax])
 m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES])
 
 AC_PROG_CC_C99
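Review bot: switching `AM_INIT_AUTOMAKE` to `tar-pax` removes the ustar ceiling described in the commit message (ustar stores uid/gid in a 7-digit octal field, hence the roughly 2 million limit), but pax-format archives need a pax-aware tar both on the machine running `make dist` and on whoever unpacks the tarball, and automake's documentation flags `tar-pax` as the least portable of its three formats; the commit message or build docs should state that GNU tar (or another pax-capable tar) is now required. If portability of the dist tarball matters more, an alternative that keeps ustar output is to run `make dist` with `TAR_OPTIONS="--owner=0 --group=0"` so the large IPA uidNumbers never reach the archive.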

[Freeipa-devel] [freeipa PR#348][synchronized] ca: fix ca-find with --pkey-only

2016-12-21 Thread jcholast
   URL: https://github.com/freeipa/freeipa/pull/348
Author: jcholast
 Title: #348: ca: fix ca-find with --pkey-only
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/348/head:pr348
git checkout pr348
From fde228a0e0cffe754c7b420a3a1d87af46f7d995 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Fri, 16 Dec 2016 14:19:00 +0100
Subject: [PATCH] ca: fix ca-find with --pkey-only

Since commit 32b1743e5fb318b226a602ec8d9a4b6ef2a25c9d, ca-find will fail
with internal error if --pkey-only is specified, because the code to
look up the CA certificate and certificate chain assumes that the ipaCAId
attribute is always present in the result.

Fix this by not attempting to lookup the certificate / chain at all when
--pkey-only is specified.

https://fedorahosted.org/freeipa/ticket/6178
---
 ipaserver/plugins/ca.py | 10 +++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py
index 2510a79..f02c144 100644
--- a/ipaserver/plugins/ca.py
+++ b/ipaserver/plugins/ca.py
@@ -162,7 +162,10 @@ class ca(LDAPObject):
 
 
 def set_certificate_attrs(entry, options, want_cert=True):
-ca_id = entry['ipacaid'][0]
+try:
+ca_id = entry['ipacaid'][0]
+except KeyError:
+return
 full = options.get('all', False)
 want_chain = options.get('chain', False)
 
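Review bot: the `except KeyError: return` makes a missing `ipacaid` silently skip the certificate lookup for every caller of `set_certificate_attrs`, not only the `--pkey-only` path; with the guard added in `ca_find` below, this branch is no longer reachable from find, so for the remaining callers it would hide a genuinely malformed CA entry rather than surface it. Either narrow it (for example `entry.get('ipacaid')` with a comment that an absent attribute is expected only under `--pkey-only`) or log when it triggers. Note also that `entry['ipacaid'][0]` still raises `IndexError` when the attribute is present but empty, which `except KeyError` does not cover.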
@@ -192,8 +195,9 @@ class ca_find(LDAPSearch):
 def execute(self, *keys, **options):
 ca_enabled_check()
 result = super(ca_find, self).execute(*keys, **options)
-for entry in result['result']:
-set_certificate_attrs(entry, options, want_cert=False)
+if not options.get('pkey_only', False):
+for entry in result['result']:
+set_certificate_attrs(entry, options, want_cert=False)
 return result
 
 
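Review bot: the `pkey_only` guard fixes the reported regression, but the fact that commit 32b1743e5fb318b226a602ec8d9a4b6ef2a25c9d could break `ca-find --pkey-only` without a test failing suggests the option is not covered in ipatests; add a case for `ca-find --pkey-only` (and for `--pkey-only` combined with `--all` and `--chain`, which should still skip the lookup) so the fix does not regress again.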

[Freeipa-devel] [freeipa PR#298][comment] ipaldap: handle binary encoding option transparently

2016-12-21 Thread jcholast
  URL: https://github.com/freeipa/freeipa/pull/298
Title: #298: ipaldap: handle binary encoding option transparently

jcholast commented:
"""
>  If `ipaldap` is a generic LDAP client, it should obey the RFCs and always 
> transfer the relevant attributes (`userCertificate`, `cACertificate`, etc) 
> with the `;binary` encoding option, and it should expect to see it when 
> reading the relevant attributes from the server.

No, it should respect whatever is defined on the server, otherwise it's not a 
generic LDAP client. If the server does something wrong, it has to be fixed 
there, on the server. The goal of `ipaldap` is not to make buggy or non-LDAPv3 
(e.g. AD) servers look like they are LDAPv3-compliant, the goal is to interpret 
attributes according to the server-defined schema.

> IMO `ipaldap` should handle this transparently because it is part of the LDAP 
> protocol.

Nowhere in the RFCs is it mandated that a compliant client cannot request the 
attributes without the option, nor that it must not accept the attributes 
without the option in server responses. If this was true, it would have to be 
fixed in OpenLDAP libs anyway, not in `ipaldap`.

> There is no 389DS-specific hack in my proposed change (but I'm curious about 
> what part of it you feel is).

The part where you implicitly add the binary transfer option to attribute names 
(although not mandated on clients by any RFC) without knowing how the attribute 
types are defined on the server (although mandated only on attribute types with 
the certificate syntax by RFC 4523).

> This would also avoid inconsistent handling of relevant attributes between 
> different plugins, which is the situation we currently have.

This is because of historical reasons (the original implementation of `host` 
and `service` plugins used `userCertificate` instead of 
`userCertificate;binary`) and will have to stay this way at least until all of 
the buggy 389 DS / IPA releases go out of support.

> But apart from the inconsistency (which is a nuisance) we have a bigger 
> problem - in several plugins we specifically try to read `userCertificate`, 
> but a RFC 4522 compliant server (which 389DS is not now, but hopefully one 
> day will be) will always return `userCertificate;binary`. So, our current 
> code breaks if/when that happens. Furthermore, other RFC 4522-compliant 
> programs that correctly use the ;binary transfer encoding option to, e.g. 
> write certificates to user entries, will cause those certificates to be 
> unreadable by current IPA plugin code. This is not good enough.

We can easily fix the plugins to read from `userCertificate;binary` in addition 
to `userCertificate`. We have to continue to write to `userCertificate` only 
though, because of backward compatibility with older servers.

> 389DS does not behave correctly; its treatment of `;binary` is wrong in 
> several ways, apart from the incorrect attribute syntax for relevant 
> attributes.

Not enforcing `;binary` on attribute types with octet string syntax *is* 
correct. I was not trying to imply anything else.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/298#issuecomment-268505078

[Freeipa-devel] [freeipa PR#359][opened] dogtag: search past the first 100 certificates

2016-12-21 Thread jcholast
   URL: https://github.com/freeipa/freeipa/pull/359
Author: jcholast
 Title: #359: dogtag: search past the first 100 certificates
Action: opened

PR body:
"""
Dogtag requires a size limit to be specified when searching for
certificates. When no limit is specified in the dogtag plugin, a limit of
100 entries is assumed. As a result, an unlimited certificate search
returns data only for a maximum of 100 certificates.

Raise the "unlimited" limit to the maximum value Dogtag accepts.

https://fedorahosted.org/freeipa/ticket/6564
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/359/head:pr359
git checkout pr359
From 9281047feaf12ae484223a68f15af85b67406033 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Wed, 21 Dec 2016 09:55:40 +0100
Subject: [PATCH] dogtag: search past the first 100 certificates

Dogtag requires a size limit to be specified when searching for
certificates. When no limit is specified in the dogtag plugin, a limit of
100 entries is assumed. As a result, an unlimited certificate search
returns data only for a maximum of 100 certificates.

Raise the "unlimited" limit to the maximum value Dogtag accepts.

https://fedorahosted.org/freeipa/ticket/6564
---
 ipaserver/plugins/dogtag.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index 73c14ed..f5f9ebe 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -1914,7 +1914,7 @@ def convert_time(value):
 
 url = 'http://%s/ca/rest/certs/search?size=%d' % (
 ipautil.format_netloc(self.ca_host, 8080),
-options.get('sizelimit', 100))
+options.get('sizelimit', 0x7fff))
 
 opener = urllib.request.build_opener()
 opener.addheaders = [('Accept-Encoding', 'gzip, deflate'),
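Review bot: `0x7fff` is a magic number; give it a module-level name with a comment stating that it is the largest `size` Dogtag's `/ca/rest/certs/search` endpoint accepts (the commit message asserts this, the code does not), so the next reader does not mistake it for an arbitrary cap. Also check how an explicit `sizelimit` of 0 is handled: `options.get('sizelimit', ...)` only applies the default when the key is absent, so if the framework passes `sizelimit=0` to mean unlimited, the request is sent as `size=0` and the fix does not apply.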