[Freeipa-devel] [freeipa PR#374][comment] pytest: set rules to find test files and functions
URL: https://github.com/freeipa/freeipa/pull/374
Title: #374: pytest: set rules to find test files and functions

tiran commented:
"""
Reproducer:

* clone my tox branch https://github.com/tiran/freeipa/tree/tox
* run ```tox -e py27```

```
$ tox -e py27
py27 create: /home/heimes/redhat/freeipa/.tox/py27
py27 installdeps: ipaclient, ipatests
['/home/heimes/redhat/freeipa/.tox-install.sh', '/home/heimes/redhat/freeipa/.tox/py27/bin/python', '/home/heimes/redhat/freeipa/.tox/py27/lib/python2.7/site-packages', 'ipaclient', 'ipatests']
py27 installed: cffi==1.9.1,configparser==3.5.0,cryptography==1.7.1,custodia==0.2.0,decorator==4.0.10,dnspython==1.15.0,enum34==1.1.6,gssapi==1.2.0,idna==2.2,ipaclient==4.4.90.dev201701051932+gitadb0120,ipaddress==1.0.17,ipalib==4.4.90.dev201701051932+gitadb0120,ipapython==4.4.90.dev201701051932+gitadb0120,ipatests==4.4.90.dev201701051932+gitadb0120,jwcrypto==0.4.0,netaddr==0.7.18,netifaces==0.10.5,nose==1.3.7,polib==1.0.8,py==1.4.32,pyasn1==0.1.9,pyasn1-modules==0.0.8,pycparser==2.17,pyldap==2.4.25.1,pytest==3.0.5,pytest-multihost==1.1,python-nss==1.0.1,python-yubico==1.3.2,pyusb==1.0.0,qrcode==5.3,requests==2.12.4,six==1.10.0
py27 runtests: PYTHONHASHSEED='3237466879'
py27 runtests: commands[0] | ipa-run-tests test_ipapython test_ipalib test_pkcs10 --ignore=test_ipalib/test_rpc.py
=== test session starts
platform linux2 -- Python 2.7.12, pytest-3.0.5, py-1.4.32, pluggy-0.4.0
rootdir: /home/heimes/redhat, inifile: tox.ini
plugins: multihost-1.1
collected 0 items

=== no tests ran in 0.12 seconds ===
ERROR: InvocationError: '/home/heimes/redhat/freeipa/.tox/py27/bin/ipa-run-tests test_ipapython test_ipalib test_pkcs10 --ignore=test_ipalib/test_rpc.py'
_ summary __
ERROR: py27: commands failed
```

* edit ```ipatests/conftest.py``` and enable ```python_files``` on line 47
* run ```tox -e py27``` again

```
=== test session starts
platform linux2 -- Python 2.7.12, pytest-3.0.5, py-1.4.32, pluggy-0.4.0
rootdir: /home/heimes/redhat, inifile: tox.ini
plugins: multihost-1.1
collected 406 items

test_ipapython/test_cookie.py
test_ipapython/test_dn.py ...
test_ipapython/test_ipautil.py ..
test_ipapython/test_ipavalidate.py ..
test_ipapython/test_kerberos.py ..
test_ipapython/test_keyring.py ..
test_ipapython/test_ssh.py ...
test_ipalib/test_aci.py ...
test_ipalib/test_backend.py
test_ipalib/test_base.py ...
test_ipalib/test_capabilities.py .
test_ipalib/test_cli.py ...
test_ipalib/test_config.py ...
test_ipalib/test_crud.py ...
test_ipalib/test_errors.py ...
test_ipalib/test_frontend.py
test_ipalib/test_messages.py
test_ipalib/test_output.py ...
test_ipalib/test_parameters.py .
test_ipalib/test_plugable.py
test_ipalib/test_text.py .
test_ipalib/test_x509.py ...
test_pkcs10/test_pkcs10.py .

== pytest-warning summary ==
...
== 406 passed, 59 pytest-warnings in 2.04 seconds
_ summary
py27: commands succeeded
congratulations :)
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/374#issuecomment-270962079

-- 
Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] Certificate Identity Mapping
On 12/16/2016 09:34 AM, Florence Blanc-Renaud wrote:
> On 12/06/2016 04:39 PM, Florence Blanc-Renaud wrote:
> > Hi,
> >
> > I have started a feature description for the Certificate Identity Mapping at the following location:
> > http://www.freeipa.org/page/V4/Certificate_Identity_Mapping
> >
> > This is a first step, focusing on the interface we would like to provide. It still contains open questions, some of which are linked to the corresponding design on SSSD side:
> > https://fedorahosted.org/sssd/wiki/DesignDocs/MatchingAndMappingCertificates
> > https://fedorahosted.org/sssd/wiki/DesignDocs/SmartcardsAndMultipleIdentities
> >
> > Comments, concerns and suggestions are welcome. Thanks!
> > Flo.
>
> Hi,
>
> the design page for Certificate Identity Mapping [1] has been updated with a schema proposal and an example of configuration data. Please share your comments, concerns, suggestions before January 7, so that we can finalize the API and start the implementation.
>
> Thanks,
> Flo.
>
> [1] http://www.freeipa.org/page/V4/Certificate_Identity_Mapping

Hi,

thanks for all the comments provided so far. The design page [1] has been updated and I hope that it reflects the current state of discussions:
- removed configuration options that did not seem useful
- shortened the feature name to certmap-xx
- added the notion of priority in the cert map rules

As always, comments are welcome.

Flo

[1] http://www.freeipa.org/page/V4/Certificate_Identity_Mapping
[Freeipa-devel] [freeipa PR#334][closed] Py3: Fix ToASCII method
URL: https://github.com/freeipa/freeipa/pull/334
Author: mbasti-rh
Title: #334: Py3: Fix ToASCII method
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/334/head:pr334
git checkout pr334
[Freeipa-devel] [freeipa PR#334][+pushed] Py3: Fix ToASCII method
URL: https://github.com/freeipa/freeipa/pull/334
Title: #334: Py3: Fix ToASCII method
Label: +pushed
[Freeipa-devel] [freeipa PR#334][comment] Py3: Fix ToASCII method
URL: https://github.com/freeipa/freeipa/pull/334 Title: #334: Py3: Fix ToASCII method mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/35ba724de90b270773d91596de310291df745df0 """ See the full comment at https://github.com/freeipa/freeipa/pull/334#issuecomment-270888978 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#334][+ack] Py3: Fix ToASCII method
URL: https://github.com/freeipa/freeipa/pull/334
Title: #334: Py3: Fix ToASCII method
Label: +ack
[Freeipa-devel] [freeipa PR#334][comment] Py3: Fix ToASCII method
URL: https://github.com/freeipa/freeipa/pull/334 Title: #334: Py3: Fix ToASCII method mbasti-rh commented: """ bump for review """ See the full comment at https://github.com/freeipa/freeipa/pull/334#issuecomment-270888152 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#210][synchronized] Tests: Stage User Tracker implementation
URL: https://github.com/freeipa/freeipa/pull/210 Author: gkaihorodova Title: #210: Tests: Stage User Tracker implementation Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/210/head:pr210 git checkout pr210 From 298e1a136c6a430e8deaa558a946ba51874ffd95 Mon Sep 17 00:00:00 2001 From: Ganna KaihorodovaDate: Mon, 10 Oct 2016 14:00:51 +0200 Subject: [PATCH 1/3] Unaccessible variable self.attrs in Tracker In tracker, 'self.attrs' variable is created and filled in track_create method. Some objects are not created but still require access to this variable. Created 'self.attrs' variable in init https://fedorahosted.org/freeipa/ticket/6125 --- ipatests/test_xmlrpc/tracker/base.py | 1 + 1 file changed, 1 insertion(+) diff --git a/ipatests/test_xmlrpc/tracker/base.py b/ipatests/test_xmlrpc/tracker/base.py index a2b7406..aa88e6b 100644 --- a/ipatests/test_xmlrpc/tracker/base.py +++ b/ipatests/test_xmlrpc/tracker/base.py @@ -76,6 +76,7 @@ def __init__(self, default_version=None): self.api = api self.default_version = default_version or API_VERSION self._dn = None +self.attrs = {} self.exists = False From 0e319e3a3fc927ee7bc465461b266b9a2b533c8b Mon Sep 17 00:00:00 2001 From: Ganna Kaihorodova Date: Wed, 2 Nov 2016 15:02:30 +0100 Subject: [PATCH 2/3] Tests: Stage User Tracker implementation Fix provide possibility of creation stage user with minimal values, with uid not specified and check for non-empty unicode string for attributes requested in init method https://fedorahosted.org/freeipa/ticket/6448 --- ipatests/test_xmlrpc/tracker/stageuser_plugin.py | 38 +++- 1 file changed, 30 insertions(+), 8 deletions(-) diff --git a/ipatests/test_xmlrpc/tracker/stageuser_plugin.py b/ipatests/test_xmlrpc/tracker/stageuser_plugin.py index 82d7e06..81943c5 100644 --- a/ipatests/test_xmlrpc/tracker/stageuser_plugin.py +++ b/ipatests/test_xmlrpc/tracker/stageuser_plugin.py 
@@ -61,23 +61,45 @@ class StageUserTracker(Tracker): find_keys = retrieve_keys - {u'has_keytab', u'has_password'} find_all_keys = retrieve_all_keys - {u'has_keytab', u'has_password'} -def __init__(self, name, givenname, sn, **kwargs): +def __init__(self, name=None, givenname=None, sn=None, **kwargs): +""" Check for non-empty unicode string for the required attributes +in the init method """ + +if not (isinstance(givenname, six.string_types) and givenname): +raise ValueError( +"Invalid first name provided: {!r}".format(givenname) +) +if not (isinstance(sn, six.string_types) and sn): +raise ValueError("Invalid second name provided: {!r}".format(sn)) + super(StageUserTracker, self).__init__(default_version=None) -self.uid = name -self.givenname = givenname -self.sn = sn +self.uid = unicode(name) +self.givenname = unicode(givenname) +self.sn = unicode(sn) self.dn = DN( ('uid', self.uid), api.env.container_stageuser, api.env.basedn) self.kwargs = kwargs def make_create_command(self, options=None): -""" Make function that creates a staged user using stageuser-add """ +""" Make function that creates a staged user using stageuser-add +with all set of attributes and with minimal values, +where uid is not specified """ + if options is not None: self.kwargs = options -return self.make_command('stageuser_add', self.uid, - givenname=self.givenname, - sn=self.sn, **self.kwargs) +if self.uid is not None: +return self.make_command( +'stageuser_add', self.uid, +givenname=self.givenname, +sn=self.sn, **self.kwargs +) +else: +return self.make_command( +'stageuser_add', +givenname=self.givenname, +sn=self.sn, **self.kwargs +) def make_delete_command(self): """ Make function that deletes a staged user using stageuser-del """ From cab565d629f83e60bbec261ddeb379d5c1f8d2c6 Mon Sep 17 00:00:00 2001 
From: Ganna Kaihorodova Date: Mon, 12 Dec 2016 14:11:52 +0100 Subject: [PATCH 3/3] Stage User: Test to create stage user with minimal values Test to create stage user with minimal values, where uid is not specified https://fedorahosted.org/freeipa/ticket/6448 --- ipatests/test_xmlrpc/test_stageuser_plugin.py | 11 +++ 1 file changed, 11 insertions(+) diff --git a/ipatests/test_xmlrpc/test_stageuser_plugin.py b/ipatests/test_xmlrpc/test_stageuser_plugin.py index 4a859e8..e630171 100644 ---
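Review bot: in the `__init__` hunk of ipatests/test_xmlrpc/tracker/stageuser_plugin.py, `self.uid = unicode(name)` turns the new `name=None` default into the string `u'None'`, so the `if self.uid is not None:` test in `make_create_command` is always true and the `stageuser_add` call without a uid is unreachable; convert only when a name was given, e.g. `self.uid = unicode(name) if name is not None else None`, and the `DN(('uid', self.uid), ...)` line below it then also needs to cope with a missing uid. The `unicode` builtin is Python 2 only while the same hunk uses `six.string_types` for its checks, so `six.text_type` would keep the tracker importable under both interpreters.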
[Freeipa-devel] [freeipa PR#181][synchronized] Tests : User Tracker creation of user with minimal values
URL: https://github.com/freeipa/freeipa/pull/181 Author: gkaihorodova Title: #181: Tests : User Tracker creation of user with minimal values Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/181/head:pr181 git checkout pr181 From 298e1a136c6a430e8deaa558a946ba51874ffd95 Mon Sep 17 00:00:00 2001 From: Ganna KaihorodovaDate: Mon, 10 Oct 2016 14:00:51 +0200 Subject: [PATCH 1/3] Unaccessible variable self.attrs in Tracker In tracker, 'self.attrs' variable is created and filled in track_create method. Some objects are not created but still require access to this variable. Created 'self.attrs' variable in init https://fedorahosted.org/freeipa/ticket/6125 --- ipatests/test_xmlrpc/tracker/base.py | 1 + 1 file changed, 1 insertion(+) diff --git a/ipatests/test_xmlrpc/tracker/base.py b/ipatests/test_xmlrpc/tracker/base.py index a2b7406..aa88e6b 100644 --- a/ipatests/test_xmlrpc/tracker/base.py +++ b/ipatests/test_xmlrpc/tracker/base.py @@ -76,6 +76,7 @@ def __init__(self, default_version=None): self.api = api self.default_version = default_version or API_VERSION self._dn = None +self.attrs = {} self.exists = False From 239ce30184b29af67a674cbc2cf0bec402212f05 Mon Sep 17 00:00:00 2001 From: Ganna Kaihorodova Date: Thu, 8 Dec 2016 15:06:36 +0100 Subject: [PATCH 2/3] User Tracker: creation of user with minimal values Fix provide possibility to create user-add test with minimal values, where uid is not specified, to provide better coverage. Also provide check for non-empty unicode string for attributes required in init method https://fedorahosted.org/freeipa/ticket/6126 --- ipatests/test_xmlrpc/tracker/user_plugin.py | 42 + 1 file changed, 31 insertions(+), 11 deletions(-) diff --git a/ipatests/test_xmlrpc/tracker/user_plugin.py b/ipatests/test_xmlrpc/tracker/user_plugin.py index 4485fd9..29b3177 100644 --- a/ipatests/test_xmlrpc/tracker/user_plugin.py 
+++ b/ipatests/test_xmlrpc/tracker/user_plugin.py @@ -62,22 +62,42 @@ class UserTracker(KerberosAliasMixin, Tracker): primary_keys = {u'uid', u'dn'} -def __init__(self, name, givenname, sn, **kwargs): +def __init__(self, name=None, givenname=None, sn=None, **kwargs): +""" Check for non-empty unicode string for the required attributes +in the init method """ + +if not (isinstance(givenname, six.string_types) and givenname): +raise ValueError( +"Invalid first name provided: {!r}".format(givenname) +) +if not (isinstance(sn, six.string_types) and sn): +raise ValueError("Invalid second name provided: {!r}".format(sn)) + super(UserTracker, self).__init__(default_version=None) -self.uid = name -self.givenname = givenname -self.sn = sn +self.uid = unicode(name) +self.givenname = unicode(givenname) +self.sn = unicode(sn) self.dn = DN(('uid', self.uid), api.env.container_user, api.env.basedn) self.kwargs = kwargs -def make_create_command(self): -""" Make function that crates a user using user-add """ -return self.make_command( -'user_add', self.uid, -givenname=self.givenname, -sn=self.sn, **self.kwargs -) +def make_create_command(self, force=None): + +""" Make function that creates a user using user-add +with all set of attributes and with minimal values, +where uid is not specified """ + +if self.uid is not None: +return self.make_command( +'user_add', self.uid, +givenname=self.givenname, +sn=self.sn, **self.kwargs +) +else: +return self.make_command( +'user_add', givenname=self.givenname, +sn=self.sn, **self.kwargs +) def make_delete_command(self, no_preserve=True, preserve=False): """ Make function that deletes a user using user-del """ From 7205d9feba68ba3dbe183b64f6d28833b258ddd2 Mon Sep 17 00:00:00 2001 
From: Ganna Kaihorodova Date: Thu, 8 Dec 2016 15:08:41 +0100 Subject: [PATCH 3/3] User Tracker: Test to create user with minimal values Test to create user with minimal values, where uid is not specified https://fedorahosted.org/freeipa/ticket/6126 --- ipatests/test_xmlrpc/test_user_plugin.py | 13 + 1 file changed, 13 insertions(+) diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py index 7508578..b90363e 100644 --- a/ipatests/test_xmlrpc/test_user_plugin.py +++ b/ipatests/test_xmlrpc/test_user_plugin.py @@ -79,6 +79,13 @@ @pytest.fixture(scope='class') +def user_min(request): +""" User tracker fixture for testing
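Review bot: in the `__init__` hunk of ipatests/test_xmlrpc/tracker/user_plugin.py, `self.uid = unicode(name)` turns the `name=None` default into `u'None'`, so `make_create_command` never reaches its uid-less `user_add` branch and the DN is built from the literal string `None`; convert only when `name is not None` (and prefer `six.text_type` over the Python 2 only `unicode`, since the hunk already relies on `six`). The new `force=None` parameter on `make_create_command` is accepted but never used in the body; either forward it to `make_command('user_add', ...)` or drop it.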
[Freeipa-devel] [freeipa PR#181][comment] Tests : User Tracker creation of user with minimal values
URL: https://github.com/freeipa/freeipa/pull/181
Title: #181: Tests : User Tracker creation of user with minimal values

gkaihorodova commented:
"""
Yes, the intention was to have repr() of the given string, so I'll use '{!r}' instead of '{}', and apply that change to #210 also. Thank you.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/181#issuecomment-270871478
Re: [Freeipa-devel] Certificate Identity Mapping
On Fri, Jan 06, 2017 at 08:40:31AM +0100, Jan Cholasta wrote:
> On 5.1.2017 13:15, Sumit Bose wrote:
> > On Mon, Jan 02, 2017 at 08:06:04AM +0100, Jan Cholasta wrote:
> > > On 19.12.2016 12:13, Sumit Bose wrote:
> > > > On Mon, Dec 19, 2016 at 10:02:58AM +0100, Jan Cholasta wrote:
> > > > > I agree with *almost* everything Sumit said. See my inline comments below.
> > > > >
> > > > > On 16.12.2016 11:53, Sumit Bose wrote:
> > > > > > On Tue, Dec 06, 2016 at 04:39:10PM +0100, Florence Blanc-Renaud wrote:
> > > > > > > Hi,
> > > > > > >
> > > > > > > I have started a feature description for the Certificate Identity Mapping at the following location:
> > > > > > > http://www.freeipa.org/page/V4/Certificate_Identity_Mapping
> > > > > > >
> > > > > > > This is a first step, focusing on the interface we would like to provide. It still contains open questions, some of which are linked to the corresponding design on SSSD side:
> > > > > > > https://fedorahosted.org/sssd/wiki/DesignDocs/MatchingAndMappingCertificates
> > > > > > > https://fedorahosted.org/sssd/wiki/DesignDocs/SmartcardsAndMultipleIdentities
> > > > > > >
> > > > > > > Comments, concerns and suggestions are welcome. Thanks!
> > > > > >
> > > > > > Hi Flo,
> > > > > >
> > > > > > thank you very much for setting up the page.
> > > > > >
> > > > > > My comments are mostly about the commands.
> > > > > >
> > > > > > certmappingconfig-mod:
> > > > > >
> > > > > > * --enable=Boolean: if this option is 'False' SSSD will basically show the current behavior and just look up the certificates directly. But I wonder if the option is needed at all because not adding any mapping rules would have the same effect.
> > > > > >
> > > > > > What is the scope here, only the IPA domain, or all trusted domains as well? If it is for trusted domains as well, will the certmappingrule-* commands and user-{add/remove}-certmapping return an error?
> > > > > >
> > > > > > So, in general I see an overlap with the mapping rules and I think it would be clearer to drop this option and do the lookups according to the mapping rules.
> > > > > >
> > > > > > * --prompt-username=Boolean: the description implies that this option is synonymous to 1:1 mapping, but it is not. On Linux authentication in most cases uses a user name, either by directly asking (e.g. /bin/login) or using the current user name (e.g. sudo). So, according to its name it would only control if gdm is allowed to ask for an (optional) user name.
> > > > > >
> > > > > > If the option is renamed to e.g. --force-1-to-1-mapping to really enforce a 1:1 mapping then it would make sense to derive the gdm behavior from it. I.e. if 1:1 mapping is enforced it makes no sense for gdm to ask for a user name, and if it is not enforced then it makes sense to offer an optional user name input field.
> > > > > >
> > > > > > * --enable-username-mismatch=Boolean: I think this option can be dropped. My tests so far show that if a non-matching hint is given on a Windows client authentication fails.
> > > > > >
> > > > > > * --alternate-attribute=STRING: I think this option isn't needed as well. For IPA server-side we should decide on an attribute name and add it to the schema for user objects. On the client side the attribute name can be taken from the mapping rule.
> > > > > >
> > > > > >
> > > > > > certmappingrule.*:
> > > > > >
> > > > > > * ISSUERDN: it looks like you want to use issuerName here. In certificateRecord it is used with LDAP ordering and I would prefer LDAP ordering at all points where we have a choice. Unfortunately in the issuer-subject mapping AD dictates X.500 ordering.
> > > > >
> > > > > LDAP ordering should indeed be preferred, as it is used everywhere else in IPA. We can convert to/from X.500 ordering where necessary, when possible.
> > > > >
> > > > > >
> > > > > > * DOMAINDN: does this refer to the nsslapd-certmap-basedn attribute in the example? My intention in the SSSD design-page was to specify the domain (as in DNS domain/IPA domain/trusted domain) where the matching user should be searched. Different domains might use certificates from different issuers and some domains might not even use certificates.
Re: [Freeipa-devel] [RFC] Matching and Mapping Certificates
On Fri, Jan 06, 2017 at 08:50:14AM +0100, Jan Cholasta wrote:
> On 5.1.2017 10:39, Sumit Bose wrote:
> > On Mon, Jan 02, 2017 at 09:18:47AM +0100, Jan Cholasta wrote:
> > > On 18.10.2016 07:34, Jan Cholasta wrote:
> > > > On 17.10.2016 16:50, Rob Crittenden wrote:
> > > > > Jan Cholasta wrote:
> > > > > > Hi,
> > > > > >
> > > > > > On 13.10.2016 18:52, Sumit Bose wrote:
> > > > > > > = Issuer specific matching =
> > > > > > > Although the MIT Kerberos rules allow to select the issuer of a certificate there are use cases where a more specific selection is needed. E.g. if there are some default matching rules for all issuers and some other issuer specific rules where the default rules should not apply. To make this possible with the above scheme the default rules must have an clause which matches all but the issuer with the specific rules. Writing regular-expressions to not match a specific string or a list of strings is at least error-prone if not impossible.
> > > > > > >
> > > > > > > To make it easier to define issuer specific rules and default rules at the same time an optional issuer string can be added to the rule to indicate that for the given issuer only those rules should be considered. Given the use-case I think it is acceptable to require that the full issuer must be specified here in LDAP order (see below) and case-sensitive matching is used.
> > > > > >
> > > > > > This could also be solved by adding priority to rules - if two rules match, the one with higher priority (the issuer specific rule) is preferred over the one with lower priority (the default rule). IMO this is better than an optional issuer string as it offers greater flexibility.
> > > > >
> > > > > The use cases I've seen haven't had to do with priority, though that would be a nice enhancement, but with only allowing certificates issued by a specific CA to be allowed (this is pretty common in web servers). Being able to say "only do the matching on certificates issued by foo" is valuable.
> > > >
> > > > Sure, I'm not suggesting that matching by issuer should be removed, only that rule precedence should not be determined by the issuer field setting.
> > >
> > > Bump. Sumit, what is your opinion on this?
> >
> > I'm fine with an optional(?) priority as well. Since priorities are already used in the pwpolicies this should be already known to the experienced admin. I guess we just have to stick with "A lower value indicates a higher priority" to not confuse users. That's why I think that the priority should be optional here and a missing value indicates the lowest priority (default rules).
>
> In pwpolicy and sudorule, the priority is required and has to be unique. Maybe we should do this for certificate mapping rules as well?

I think there is no requirement that only a single rule should match, hence I think the priority here must not be unique.

> >
> > Are you thinking of using the CoS scheme here as well would a priority attribute be sufficient because we do not want to reference internal objects in the mapping rules?
>
> I'm not sure how CoS would be helpful here, I think a simple integer attribute would be perfectly sufficient.

I agree.

bye,
Sumit

> >
> > bye,
> > Sumit
> >
> > > --
> > > Jan Cholasta
>
> --
> Jan Cholasta
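The two threads above settle on a specific rule-selection model: an optional issuer string compared case-sensitively against the full issuer in LDAP order (converted from AD's X.500 order where needed), an optional integer priority where a lower value wins and a missing value means "default rule", and no requirement that priorities be unique, so several rules may match at once. The following is an added illustration of that model, not FreeIPA or SSSD code; the `Rule` fields, the helper names, the sample rules and the naive DN splitting are all assumptions made for the example.

```python
# Added example (not FreeIPA or SSSD code): rule selection with an optional
# issuer and an optional, non-unique priority, as discussed in the thread.
# Rule fields, helper names and the sample rules are assumptions.
import re
from collections import namedtuple

# issuer: full issuer DN in LDAP order, or None for a default rule.
# priority: integer, lower value = higher priority; None = lowest (default).
Rule = namedtuple("Rule", "name issuer priority subject_regex")


def reverse_rdn_order(dn):
    """Convert between LDAP order ('CN=Corp CA,O=Example') and the X.500
    order AD uses ('O=Example,CN=Corp CA'). Naive split on ',': escaped
    commas inside RDN values are not handled."""
    rdns = [rdn.strip() for rdn in dn.split(",")]
    return ",".join(reversed(rdns))


def effective_priority(rule):
    """A missing priority sorts after every explicit one (default rule)."""
    return float("inf") if rule.priority is None else rule.priority


def matching_rules(rules, issuer_ldap, subject):
    """Rules whose issuer (if set) equals the certificate issuer exactly and
    case-sensitively, and whose subject regex matches the subject."""
    return [
        r for r in rules
        if (r.issuer is None or r.issuer == issuer_ldap)
        and re.search(r.subject_regex, subject)
    ]


def select_rules(rules, issuer_ldap, subject):
    """All matching rules that share the best (lowest) priority value.
    Priorities need not be unique, so more than one rule can be returned."""
    matched = matching_rules(rules, issuer_ldap, subject)
    if not matched:
        return []
    best = min(effective_priority(r) for r in matched)
    return [r for r in matched if effective_priority(r) == best]


# Constructed sample rules: two issuer-specific rules with the same priority
# and one catch-all default rule with no priority at all.
SAMPLE_RULES = [
    Rule("default", None, None, r"^CN=[^,]+"),
    Rule("corp-ca-cn", "CN=Corp CA,O=Example", 10, r"^CN=([^,]+)"),
    Rule("corp-ca-org", "CN=Corp CA,O=Example", 10, r"O=Example$"),
]


def selected_rule_names(issuer_x500, subject):
    """Take the issuer as AD presents it (X.500 order), normalise it to LDAP
    order, then return the names of the selected rules."""
    issuer_ldap = reverse_rdn_order(issuer_x500)
    return [r.name for r in select_rules(SAMPLE_RULES, issuer_ldap, subject)]


if __name__ == "__main__":
    # Corp CA certificate: both issuer-specific rules beat the default rule.
    print(selected_rule_names("O=Example,CN=Corp CA", "CN=alice,O=Example"))
    # Certificate from another issuer: only the default rule applies.
    print(selected_rule_names("O=Elsewhere,CN=Other CA", "CN=bob,O=Elsewhere"))
```

The default rule matches the Corp CA certificate too, which is exactly the situation the first thread wanted to avoid by hand-written negative regular expressions; with the priority model it simply loses to the two issuer-specific rules, and because those two share a priority value both are returned rather than one being silently dropped.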
[Freeipa-devel] [freeipa PR#375][comment] Fix used before assignment bug in host_port_open()
URL: https://github.com/freeipa/freeipa/pull/375
Title: #375: Fix used before assignment bug in host_port_open()

mbasti-rh commented:
"""
Fixed upstream master: https://fedorahosted.org/freeipa/changeset/deaad95247fa9624bef0108bf3813f358fb17ee5
"""

See the full comment at https://github.com/freeipa/freeipa/pull/375#issuecomment-270861373
[Freeipa-devel] [freeipa PR#375][+pushed] Fix used before assignment bug in host_port_open()
URL: https://github.com/freeipa/freeipa/pull/375
Title: #375: Fix used before assignment bug in host_port_open()
Label: +pushed
[Freeipa-devel] [freeipa PR#375][closed] Fix used before assignment bug in host_port_open()
URL: https://github.com/freeipa/freeipa/pull/375
Author: tiran
Title: #375: Fix used before assignment bug in host_port_open()
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/375/head:pr375
git checkout pr375
[Freeipa-devel] [freeipa PR#367][synchronized] Remove nsslib from IPA
URL: https://github.com/freeipa/freeipa/pull/367 Author: stlaz Title: #367: Remove nsslib from IPA Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/367/head:pr367 git checkout pr367 From b90e059d793f2b8f5af6246d046f5ecb9e69b71e Mon Sep 17 00:00:00 2001 From: Stanislav LaznickaDate: Tue, 20 Dec 2016 10:05:36 +0100 Subject: [PATCH 1/7] Remove NSSConnection from the Python RPC module NSSConnection was causing a lot of trouble in the past and there is a lot of logic around it just to make it not fail. What's more, when using NSS to create an SSL connection in FIPS mode, NSS always requires database password which makes the `ipa` command totally unusable. NSSConnection is therefore replaced with Python's httplib.HTTPSConnection which is OpenSSL based. https://fedorahosted.org/freeipa/ticket/5695 --- ipalib/config.py| 3 ++ ipalib/constants.py | 1 + ipalib/rpc.py | 69 - ipalib/util.py | 97 + 4 files changed, 115 insertions(+), 55 deletions(-) diff --git a/ipalib/config.py b/ipalib/config.py index 20591db..8ecada6 100644 --- a/ipalib/config.py +++ b/ipalib/config.py @@ -493,6 +493,9 @@ def _bootstrap(self, **overrides): if 'nss_dir' not in self: self.nss_dir = self._join('confdir', 'nssdb') +if 'ca_certfile' not in self: +self.ca_certfile = self._join('confdir', 'ca.crt') + # Set plugins_on_demand: if 'plugins_on_demand' not in self: self.plugins_on_demand = (self.context == 'cli') diff --git a/ipalib/constants.py b/ipalib/constants.py index 81643da..4f40545 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -226,6 +226,7 @@ ('conf_default', object), # File containing context independent config ('plugins_on_demand', object), # Whether to finalize plugins on-demand (bool) ('nss_dir', object), # Path to nssdb, default {confdir}/nssdb +('ca_certfile', object), # Path to CA cert file # Set in Env._finalize_core(): ('in_server', object), # Whether or not running in-server (bool) 
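Review bot: the `ca_certfile` default added to `_bootstrap` in ipalib/config.py points at `{confdir}/ca.crt`, but nothing in the hunk checks that the file exists or is readable; since this file becomes the trust anchor for the OpenSSL-based connection that the commit message says replaces NSSConnection, a missing or unreadable `ca.crt` should fail early with a clear error rather than surface as a verification failure at connection time. The commit message should also state how `ca.crt` gets populated on clients that so far only had the NSS database under `nss_dir`.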
diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 921f5cb..66cd1c3 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -44,7 +44,7 @@ import gssapi from dns import resolver, rdatatype from dns.exception import DNSException -from nss.error import NSPRError +from ssl import SSLError import six from six.moves import urllib @@ -60,8 +60,7 @@ from ipapython.cookie import Cookie from ipapython.dnsutil import DNSName from ipalib.text import _ -import ipapython.nsslib -from ipapython.nsslib import NSSConnection +from ipalib.util import IPAHTTPSConnection from ipalib.krb_utils import KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, KRB5KRB_AP_ERR_TKT_EXPIRED, \ KRB5_FCC_PERM, KRB5_FCC_NOFILE, KRB5_CC_FORMAT, \ KRB5_REALM_CANT_RESOLVE, KRB5_CC_NOTFOUND, get_principal 
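Review bot: the first rpc.py hunk swaps `from nss.error import NSPRError` for `from ssl import SSLError`, but only the import is visible here; make sure every `except NSPRError` handler in ipalib/rpc.py is updated to catch `SSLError` (and the socket errors the OpenSSL-based connection can raise), otherwise the old handlers become dead code and TLS failures propagate as unhandled exceptions.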
@@ -470,48 +469,21 @@ def get_host_info(self, host): return (host, extra_headers, x509) + class SSLTransport(LanguageAwareTransport): """Handles an HTTPS transaction to an XML-RPC server.""" - -def get_connection_dbdir(self): -""" -If there is a connections open it may have already initialized -NSS database. Return the database location used by the connection. -""" -for value in context.__dict__.values(): -if not isinstance(value, Connection): -continue -if not isinstance( -getattr(value.conn, '_ServerProxy__transport', None), -SSLTransport): -continue -if hasattr(value.conn._ServerProxy__transport, 'dbdir'): -return value.conn._ServerProxy__transport.dbdir -return None - def make_connection(self, host): host, self._extra_headers, _x509 = self.get_host_info(host) if self._connection and host == self._connection[0]: return self._connection[1] -dbdir = context.nss_dir -connection_dbdir = self.get_connection_dbdir() +ca_certfile = context.ca_certfile -if connection_dbdir: -# If an existing connection is already using the same NSS -# database there is no need to re-initialize. -no_init = dbdir == connection_dbdir - -else: -# If the NSS database is already being used there is no -# need to re-initialize. -no_init = dbdir == ipapython.nsslib.current_dbdir - -conn = NSSConnection(host, 443, dbdir=dbdir, no_init=no_init, - tls_version_min=api.env.tls_version_min, - tls_version_max=api.env.tls_version_max) -self.dbdir=dbdir +conn = IPAHTTPSConnection( +host, 443,
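Review bot: the removed `NSSConnection(...)` call in `SSLTransport.make_connection` forwarded `tls_version_min=api.env.tls_version_min` and `tls_version_max=api.env.tls_version_max`, but the replacement `IPAHTTPSConnection(host, 443,` call is cut off in this hunk; please confirm that the same version bounds are passed on and that the new connection verifies the server certificate against `ca_certfile` with hostname checking, since that verification came from the NSS database before and now has to be configured explicitly. With `dbdir = context.nss_dir` and `get_connection_dbdir` gone, `context.nss_dir` is no longer read in this method, so the `nss_dir` env setting should be checked for remaining consumers.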
[Freeipa-devel] [freeipa PR#367][edited] Remove nsslib from IPA
URL: https://github.com/freeipa/freeipa/pull/367
Author: stlaz
Title: #367: Remove nsslib from IPA
Action: edited
Changed field: body

Original value:
"""
This batch of patches removes NSSConnection along with the whole ipapython.nsslib from IPA and replaces it with more standard httplib.HTTPSConnection.

NSSConnection was causing a lot of trouble in the past because it is apparently very fragile when it comes to nss library initialization. On top of that, when NSSConnection is used to set up an HTTPS connection in FIPS, it always requires a password to NSS database as NSS apparently tries to create a temporary private key and store it to the database even though client authentication is not required in the SSL connection.

TODO (will require changes in certmonger/dogtag.c):
- [x] remove NSSConnection from client modules
- [x] remove NSSConnection from server modules where it's used to connect to the certificate server
- [x] remove the nsslib library completely
- [ ] we may probably remove ipaCert from /etc/httpd/alias and stop tracking it with certmonger
- [ ] once ^- is done, track /var/lib/ipa/ra-agent.pem in certmonger instead

https://fedorahosted.org/freeipa/ticket/5695
"""
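The PR body describes replacing NSSConnection with the standard library's OpenSSL-backed HTTPSConnection. The security-relevant difference is that the NSS database carried the trust settings implicitly, whereas an `ssl.SSLContext` has to be configured explicitly, and a context that skips verification is just as easy to build. The block below is an added example, not FreeIPA code: it shows the verified configuration beside the weak one and a guard a transport can run before opening a connection. It uses Python 3's `http.client` rather than the Python 2 `httplib` the PR mentions, the function names are assumptions, and `cafile` stands for whatever CA bundle the client is configured with (the PR's `ca.crt`).

```python
# Added example (not FreeIPA code): explicit TLS verification settings for
# the OpenSSL-based HTTPSConnection that replaces NSSConnection. Function
# names are assumptions; cafile is the client's CA bundle (e.g. ca.crt).
import ssl
import http.client


def verified_client_context(cafile=None, min_version=ssl.TLSVersion.TLSv1_2):
    """Context that verifies the server chain against cafile (or the system
    store when cafile is None), checks the hostname and refuses protocol
    versions older than min_version."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = min_version
    # create_default_context already sets CERT_REQUIRED and check_hostname.
    return ctx


def unverified_client_context():
    """The weak setting: no chain and no hostname verification. Included only
    so the guard below has something concrete to reject."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_verified(ctx):
    """Sanity check a transport should run before building a connection."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def make_https_connection(host, ctx, port=443):
    """Counterpart of the connection the transport would create. The socket
    is only opened on the first request, so constructing it is offline-safe."""
    if not context_is_verified(ctx):
        raise ValueError("refusing to build an unverified HTTPS connection")
    return http.client.HTTPSConnection(host, port, context=ctx)


if __name__ == "__main__":
    ctx = verified_client_context()
    print(context_is_verified(ctx), context_is_verified(unverified_client_context()))
    conn = make_https_connection("ipa.example.test", ctx)   # constructed host name
    print(conn.host, conn.port)
```

`ssl.create_default_context` is what makes the verified variant short: it selects `CERT_REQUIRED`, enables hostname checking and loads the CA bundle in one call, so the only thing left to pin down is the minimum protocol version, which plays the role of the `tls_version_min` that the NSS-based transport used to pass.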
[Freeipa-devel] [freeipa PR#367][synchronized] Remove nsslib from IPA
URL: https://github.com/freeipa/freeipa/pull/367 Author: stlaz Title: #367: Remove nsslib from IPA Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/367/head:pr367 git checkout pr367 From b90e059d793f2b8f5af6246d046f5ecb9e69b71e Mon Sep 17 00:00:00 2001 From: Stanislav LaznickaDate: Tue, 20 Dec 2016 10:05:36 +0100 Subject: [PATCH 1/7] Remove NSSConnection from the Python RPC module NSSConnection was causing a lot of trouble in the past and there is a lot of logic around it just to make it not fail. What's more, when using NSS to create an SSL connection in FIPS mode, NSS always requires database password which makes the `ipa` command totally unusable. NSSConnection is therefore replaced with Python's httplib.HTTPSConnection which is OpenSSL based. https://fedorahosted.org/freeipa/ticket/5695 --- ipalib/config.py| 3 ++ ipalib/constants.py | 1 + ipalib/rpc.py | 69 - ipalib/util.py | 97 + 4 files changed, 115 insertions(+), 55 deletions(-) diff --git a/ipalib/config.py b/ipalib/config.py index 20591db..8ecada6 100644 --- a/ipalib/config.py +++ b/ipalib/config.py @@ -493,6 +493,9 @@ def _bootstrap(self, **overrides): if 'nss_dir' not in self: self.nss_dir = self._join('confdir', 'nssdb') +if 'ca_certfile' not in self: +self.ca_certfile = self._join('confdir', 'ca.crt') + # Set plugins_on_demand: if 'plugins_on_demand' not in self: self.plugins_on_demand = (self.context == 'cli') diff --git a/ipalib/constants.py b/ipalib/constants.py index 81643da..4f40545 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -226,6 +226,7 @@ ('conf_default', object), # File containing context independent config ('plugins_on_demand', object), # Whether to finalize plugins on-demand (bool) ('nss_dir', object), # Path to nssdb, default {confdir}/nssdb +('ca_certfile', object), # Path to CA cert file # Set in Env._finalize_core(): ('in_server', object), # Whether or not running in-server (bool) 
diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 921f5cb..66cd1c3 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -44,7 +44,7 @@ import gssapi from dns import resolver, rdatatype from dns.exception import DNSException -from nss.error import NSPRError +from ssl import SSLError import six from six.moves import urllib @@ -60,8 +60,7 @@ from ipapython.cookie import Cookie from ipapython.dnsutil import DNSName from ipalib.text import _ -import ipapython.nsslib -from ipapython.nsslib import NSSConnection +from ipalib.util import IPAHTTPSConnection from ipalib.krb_utils import KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, KRB5KRB_AP_ERR_TKT_EXPIRED, \ KRB5_FCC_PERM, KRB5_FCC_NOFILE, KRB5_CC_FORMAT, \ KRB5_REALM_CANT_RESOLVE, KRB5_CC_NOTFOUND, get_principal 
@@ -470,48 +469,21 @@ def get_host_info(self, host): return (host, extra_headers, x509) + class SSLTransport(LanguageAwareTransport): """Handles an HTTPS transaction to an XML-RPC server.""" - -def get_connection_dbdir(self): -""" -If there is a connections open it may have already initialized -NSS database. Return the database location used by the connection. -""" -for value in context.__dict__.values(): -if not isinstance(value, Connection): -continue -if not isinstance( -getattr(value.conn, '_ServerProxy__transport', None), -SSLTransport): -continue -if hasattr(value.conn._ServerProxy__transport, 'dbdir'): -return value.conn._ServerProxy__transport.dbdir -return None - def make_connection(self, host): host, self._extra_headers, _x509 = self.get_host_info(host) if self._connection and host == self._connection[0]: return self._connection[1] -dbdir = context.nss_dir -connection_dbdir = self.get_connection_dbdir() +ca_certfile = context.ca_certfile -if connection_dbdir: -# If an existing connection is already using the same NSS -# database there is no need to re-initialize. -no_init = dbdir == connection_dbdir - -else: -# If the NSS database is already being used there is no -# need to re-initialize. -no_init = dbdir == ipapython.nsslib.current_dbdir - -conn = NSSConnection(host, 443, dbdir=dbdir, no_init=no_init, - tls_version_min=api.env.tls_version_min, - tls_version_max=api.env.tls_version_max) -self.dbdir=dbdir +conn = IPAHTTPSConnection( +host, 443,
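Review bot: In the ipalib/constants.py hunk the comment on the new `ca_certfile` entry should state its default the way the `nss_dir` line directly above it does (`# Path to CA cert file, default {confdir}/ca.crt`), because the config.py hunk derives it with `self._join('confdir', 'ca.crt')`, so a non-default confdir silently changes where the CA bundle is read from.

Review bot: The make_connection hunk in ipalib/rpc.py drops the `tls_version_min`/`tls_version_max` arguments that NSSConnection received from `api.env`, and the hunk is cut off right after `IPAHTTPSConnection(host, 443,`, so neither the replacement's keyword arguments nor whether `ca_certfile` is really used for peer certificate and hostname verification can be checked here; the ipalib/util.py change that defines IPAHTTPSConnection (97 insertions in the diffstat) is not in this message either. Please confirm that the protocol bounds and CA verification survive the switch, since what httplib.HTTPSConnection verifies depends entirely on the ssl context it is given.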
[Freeipa-devel] [freeipa PR#376][opened] client install: correctly report all failures
URL: https://github.com/freeipa/freeipa/pull/376
Author: HonzaCholasta
Title: #376: client install: correctly report all failures
Action: opened
PR body:
"""
In commit 5249eb817efbb5708d097173a8d5f1e322fb201e, the client install code was converted to use exception handling instead of return codes. However, some return statements were not converted to raise statements and as a result, ipa-client-install will report success in some error conditions.

Convert the return statements to raise statements to fix the issue.

https://fedorahosted.org/freeipa/ticket/6392
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/376/head:pr376
git checkout pr376
From d64d4d1206df7618816e3a1f9e79b167d22f1f4d Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Tue, 3 Jan 2017 07:43:12 +0100
Subject: [PATCH] client install: correctly report all failures

In commit 5249eb817efbb5708d097173a8d5f1e322fb201e, the client install code was converted to use exception handling instead of return codes. However, some return statements were not converted to raise statements and as a result, ipa-client-install will report success in some error conditions.

Convert the return statements to raise statements to fix the issue.

https://fedorahosted.org/freeipa/ticket/6392
---
 ipaclient/install/client.py | 25 +
 1 file changed, 13 insertions(+), 12 deletions(-)
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 60a5c18..dbe8fb0 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -2715,13 +2715,13 @@ def _install(options): except errors.PublicError as e2: root_logger.warning( "Second connect with delegate=True also failed: %s", e2) -root_logger.error( -"Cannot connect to the IPA server RPC interface: %s", e2) -return CLIENT_INSTALL_ERROR +raise ScriptError( +"Cannot connect to the IPA server RPC interface: %s" % e2, +rval=CLIENT_INSTALL_ERROR) except errors.PublicError as e: -root_logger.error( -"Cannot connect to the server due to generic error: %s", e) -return CLIENT_INSTALL_ERROR +raise ScriptError( +"Cannot connect to the server due to generic error: %s" % e, +rval=CLIENT_INSTALL_ERROR) # Use the RPC directly so older servers are supported try: @@ -2744,8 +2744,9 @@ def _install(options): try: create_ipa_nssdb() except ipautil.CalledProcessError as e: -root_logger.error("Failed to create IPA NSS database: %s", e) -return CLIENT_INSTALL_ERROR +raise ScriptError( +"Failed to create IPA NSS database: %s" % e, +rval=CLIENT_INSTALL_ERROR) # Get CA certificates from the certificate store try: @@ -2768,9 +2769,9 @@ def _install(options): try: ipa_db.add_cert(cert, nickname, trust_flags) except CalledProcessError as e: -root_logger.error( -"Failed to add %s to the IPA NSS database.", nickname) -return CLIENT_INSTALL_ERROR +raise ScriptError( +"Failed to add %s to the IPA NSS database." % nickname, +rval=CLIENT_INSTALL_ERROR) # Add the CA certificates to the platform-dependant systemwide CA store tasks.insert_ca_certs_into_systemwide_ca_store(ca_certs) @@ -2874,7 +2875,7 @@ def _install(options): cli_domain, cli_server, dnsok, options, nosssd_files[configurer.__name__]) if retcode: -return CLIENT_INSTALL_ERROR +raise ScriptError(rval=CLIENT_INSTALL_ERROR) if conf: root_logger.info( "%s configured using configuration file(s) %s",
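Review bot: Minor, in the create_ipa_nssdb hunk (@@ -2744) the handler catches `ipautil.CalledProcessError` while the add_cert hunk that follows catches a bare `CalledProcessError`; if both names are the same class, use one spelling so a reader does not wonder whether two different exception types are meant.

Review bot: In the add_cert hunk (@@ -2768) the caught exception `e` is now never used and the failure reason is dropped from the user-visible message; include it, e.g. `"Failed to add %s to the IPA NSS database: %s" % (nickname, e)`, so the ScriptError says why certutil failed rather than only which nickname it was.

Review bot: In the configurer hunk (@@ -2874) `raise ScriptError(rval=CLIENT_INSTALL_ERROR)` carries no message, so ipa-client-install now exits non-zero without saying which configurer failed; the name is right there in `nosssd_files[configurer.__name__]`, so pass something like `"%s configuration failed" % configurer.__name__` as the message (the old `return` was silent too, but it is worth fixing while this line is being touched).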
[Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA
URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA
mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/8db5b277a079fdfe5efbd7d49311f14489cee0e8
https://fedorahosted.org/freeipa/changeset/fb7c111ac13510609e2cba14ecf88cd2ed291a4b
"""
See the full comment at https://github.com/freeipa/freeipa/pull/317#issuecomment-270855325
[Freeipa-devel] [freeipa PR#317][+pushed] Unify password generation across FreeIPA
URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA
Label: +pushed
[Freeipa-devel] [freeipa PR#317][closed] Unify password generation across FreeIPA
URL: https://github.com/freeipa/freeipa/pull/317
Author: stlaz
Title: #317: Unify password generation across FreeIPA
Action: closed
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/317/head:pr317
git checkout pr317
[Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA
URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA
stlaz commented:
"""
I don't see any merge conflicts and the rebase was automatic so I don't see why, but ok. Just note that ipatool may be confused with me committing @pspacek's commit as he was the author of the main code and I put it to work with the rest of IPA.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/317#issuecomment-270853592
[Freeipa-devel] [freeipa PR#317][synchronized] Unify password generation across FreeIPA
URL: https://github.com/freeipa/freeipa/pull/317 Author: stlaz Title: #317: Unify password generation across FreeIPA Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/317/head:pr317 git checkout pr317 From 5398133a228d57e10d94268b73faad24ababe777 Mon Sep 17 00:00:00 2001 From: Stanislav LaznickaDate: Tue, 6 Dec 2016 09:05:42 +0100 Subject: [PATCH 1/2] Unify password generation across FreeIPA Also had to recalculate entropy of the passwords as originally, probability of generating each character was 1/256, however the default probability of each character in the ipa_generate_password is 1/95 (1/94 for first and last character). https://fedorahosted.org/freeipa/ticket/5695 --- ipaserver/install/certs.py | 8 ++-- ipaserver/install/dogtaginstance.py| 3 +-- ipaserver/install/dsinstance.py| 5 + ipaserver/install/httpinstance.py | 5 ++--- ipaserver/install/server/replicainstall.py | 3 +-- ipaserver/secrets/store.py | 2 +- 6 files changed, 8 insertions(+), 18 deletions(-) diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py index 02b03d4..414a716 100644 --- a/ipaserver/install/certs.py +++ b/ipaserver/install/certs.py @@ -25,7 +25,6 @@ import xml.dom.minidom import pwd import base64 -from hashlib import sha1 import fcntl import time import datetime @@ -159,9 +158,6 @@ def set_perms(self, fname, write=False, uid=None): perms |= stat.S_IWUSR os.chmod(fname, perms) -def gen_password(self): -return sha1(ipautil.ipa_generate_password()).hexdigest() - def run_certutil(self, args, stdin=None, **kwargs): return self.nssdb.run_certutil(args, stdin, **kwargs) @@ -177,7 +173,7 @@ def create_noise_file(self): if ipautil.file_exists(self.noise_fname): os.remove(self.noise_fname) f = open(self.noise_fname, "w") -f.write(self.gen_password()) +f.write(ipautil.ipa_generate_password(pwd_len=25)) self.set_perms(self.noise_fname) def create_passwd_file(self, passwd=None): 
@@ -186,7 +182,7 @@ def create_passwd_file(self, passwd=None): if passwd is not None: f.write("%s\n" % passwd) else: -f.write(self.gen_password()) +f.write(ipautil.ipa_generate_password(pwd_len=25)) f.close() self.set_perms(self.passwd_fname) diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py index f4856c7..dc4b5b0 100644 --- a/ipaserver/install/dogtaginstance.py +++ b/ipaserver/install/dogtaginstance.py @@ -18,7 +18,6 @@ # import base64 -import binascii import ldap import os import shutil @@ -428,7 +427,7 @@ def __add_admin_to_group(self, group): def setup_admin(self): self.admin_user = "admin-%s" % self.fqdn -self.admin_password = binascii.hexlify(os.urandom(16)) +self.admin_password = ipautil.ipa_generate_password(pwd_len=20) self.admin_dn = DN(('uid', self.admin_user), ('ou', 'people'), ('o', 'ipaca')) diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index a0fdc4a..89315b6 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -508,7 +508,7 @@ def __setup_sub_dict(self): idrange_size = None self.sub_dict = dict(FQDN=self.fqdn, SERVERID=self.serverid, PASSWORD=self.dm_password, - RANDOM_PASSWORD=self.generate_random(), + RANDOM_PASSWORD=ipautil.ipa_generate_password(), SUFFIX=self.suffix, REALM=self.realm, USER=DS_USER, SERVER_ROOT=server_root, DOMAIN=self.domain, @@ -775,9 +775,6 @@ def __host_nis_groups(self): def __add_enrollment_module(self): self._ldap_mod("enrollment-conf.ldif", self.sub_dict) -def generate_random(self): -return ipautil.ipa_generate_password() - def __enable_ssl(self): dirname = config_dirname(self.serverid) dsdb = certs.CertDB(self.realm, nssdir=dirname, subject_base=self.subject_base) diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index b7ce857..e8c706e 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py 
@@ -19,7 +19,6 @@ from __future__ import print_function -import binascii import os import os.path import pwd @@ -314,9 +313,9 @@ def create_cert_db(self): ipautil.backup_file(nss_path) # Create the password file for this db -hex_str = binascii.hexlify(os.urandom(10)) +password = ipautil.ipa_generate_password(pwd_len=15) f = os.open(pwd_file, os.O_CREAT | os.O_RDWR) -os.write(f, hex_str) +
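Review bot: In the create_noise_file hunk of ipaserver/install/certs.py the handle from `open(self.noise_fname, "w")` is written but, in the lines shown, never closed before `self.set_perms(self.noise_fname)`, so the buffered content may not be on disk when the permissions are applied and the descriptor leaks; `with open(self.noise_fname, "w") as f:` fixes both, and the create_passwd_file hunk below shows the intended pattern with its `f.close()`.

Review bot: Minor, in the create_passwd_file hunk the generated password is written without the trailing newline that the explicit-passwd branch adds with `"%s\n" % passwd`; the two branches should produce the same file shape, or the difference deserves a comment.

Review bot: In the dogtaginstance.py setup_admin hunk the admin password changes from 32 hex characters to 20 characters drawn from ipa_generate_password's default alphabet, which per the commit message has 95 symbols, i.e. the full printable-ASCII set including space, quotes, `%` and `\`. Entropy is not the concern (20 × log2(95) ≈ 131 bits against 128 before); escaping is: anything that writes `admin_password` into an INI-style or shell-quoted file, or passes it on a command line, must tolerate characters the old hex value could never contain, so please check every consumer or restrict the alphabet for this caller.

Review bot: The create_cert_db hunk in httpinstance.py is cut off right after the removed `os.write(f, hex_str)`, so the replacement write is not visible; `os.write` needs a bytes object and `binascii.hexlify` returned bytes on both Python versions, whereas the new `password` is a text string on Python 3 unless ipa_generate_password returns bytes, so the write needs an explicit `.encode()` there. The length choice itself is fine: 15 default-alphabet characters (≈98 bits) is at least the 80 bits the old 10 random bytes gave.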
[Freeipa-devel] [DESIGN] Dogtag GSS-API Authentication
Hi comrades,

I have written up the high-level details of the FreeIPA->Dogtag GSS-API authentication design. The goal is to improve security by removing an egregious privilege separation violation: the RA Agent cert. There is a fair bit of work still to do on the Dogtag side but things are shaping up there and it's time to work out the IPA aspects.

The design is at: http://www.freeipa.org/page/V4/Dogtag_GSS-API_Authentication

Right now, I need feedback about the Domain Level aspects: whether it is the right approach, whether there are mechanisms to perform update steps (specifically: LDAP updates and/or api calls) alongside a DL bump, or if there aren't, how to deal with that (implement such a mechanism, make admins do extra steps, ???). Of course, any other general or specific feedback is welcome.

Thanks,
Fraser