[Freeipa-devel] [freeipa PR#496][opened] Use newer Certificate.serial_number in krainstance.py
URL: https://github.com/freeipa/freeipa/pull/496
Author: stlaz
Title: #496: Use newer Certificate.serial_number in krainstance.py
Action: opened

PR body:
"""
This bit was missed in https://github.com/freeipa/freeipa/pull/458
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/496/head:pr496
git checkout pr496

From 4b50f00b0f34bf03970a08edcf06c20e2f1cce95 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka
Date: Wed, 15 Feb 2017 18:10:09 +0100
Subject: [PATCH] Use newer Certificate.serial_number in krainstance.py

---
 ipaserver/install/krainstance.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py index ec38801..e2bd22e 100644 --- a/ipaserver/install/krainstance.py +++ b/ipaserver/install/krainstance.py @@ -313,7 +313,7 @@ def __create_kra_agent(self): usertype=["undefined"], userCertificate=[cert_data], description=['2;%s;%s;%s' % ( -cert.serial, +cert.serial_number, DN(self.subject), DN(('CN', 'IPA RA'), self.subject_base))]) conn.add_entry(entry)

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
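Review bot: the commit message gives no minimum python-cryptography version, although `cert.serial_number` in this hunk only exists from the release that renamed `Certificate.serial` (the freeipa.spec.in comment in the PR#490 patch later in this digest names 1.4, and the same spec already carries `Requires: python-cryptography >= 1.4`). Stating that dependency in the message, next to the #458 reference from the PR body, would let anyone who hits an AttributeError at KRA agent creation on an older cryptography trace it to this change instead of bisecting.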
[Freeipa-devel] [freeipa PR#495][comment] Fix ipa-server-upgrade
URL: https://github.com/freeipa/freeipa/pull/495
Title: #495: Fix ipa-server-upgrade

stlaz commented:
"""
I see where this is going, added the ticket to the commit message.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/495#issuecomment-281912763
[Freeipa-devel] [freeipa PR#495][synchronized] Fix ipa-server-upgrade
URL: https://github.com/freeipa/freeipa/pull/495
Author: stlaz
Title: #495: Fix ipa-server-upgrade
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/495/head:pr495
git checkout pr495

From 499ce6c6ef6f921f0be875780cee7ca5f70b6414 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka
Date: Wed, 22 Feb 2017 12:38:19 +0100
Subject: [PATCH] Fix ipa-server-upgrade

Running ipa-server-upgrade would fail to stop ipa_memcached if it's
already uninstalled.

https://fedorahosted.org/freeipa/ticket/5959
---
 ipaserver/install/server/upgrade.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 26f6b8f..e5d9de4 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -83,7 +83,8 @@ def uninstall_ipa_memcached(): """ ipa_memcached = service.SimpleServiceInstance('ipa_memcached') -ipa_memcached.uninstall() +if ipa_memcached.is_configured(): +ipa_memcached.uninstall() def backup_file(filename, ext):
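Review bot: the `is_configured()` guard makes uninstall_ipa_memcached() a no-op on a server where ipa_memcached was already removed, which is exactly the failure the commit message describes, but the skipped branch has no `else` and therefore leaves no trace in the upgrade log; a log line saying the service was not configured and was skipped would make a later "why was nothing done" investigation trivial. The function's docstring, whose closing `"""` is the first context line of the hunk, should also say that the call is now safe to repeat.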
[Freeipa-devel] [freeipa PR#495][comment] Fix ipa-server-upgrade
URL: https://github.com/freeipa/freeipa/pull/495
Title: #495: Fix ipa-server-upgrade

HonzaCholasta commented:
"""
@MartinBasti, https://fedorahosted.org/freeipa/ticket/5959.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/495#issuecomment-281905518
Re: [Freeipa-devel] Requiring simultaneous authentication to Linux resources
On Wed, Feb 22, 2017 at 10:00:04AM -0500, Simo Sorce wrote:
> On Wed, 2017-02-22 at 10:59 +, Oucema Bellagha wrote:
> > I want to figure out a solution which allows user "a" to authenticate to
> > a host only when user "b" is accessing the host, for security reasons.
> >
> > Easy explanation: authenticating to hostx needs (user a + user b)
> >
> > I'm brainstorming some ideas using Yubikey or ssh-keys.. Is there any
> > application which allows us to access a host only when 2 users are
> > present, because putty doesn't have this feature, which could be a step to
> > solve this problem ..
> >
> > Or in applying some specified rules in IPA itself ?
>
> As explained, there is no such concept in Unix/Linux to start with, but
> maybe you mean that you want to check credentials of 2 different users
> to allow privileged login, like root login ?
> If this is the use case, it could be an interesting application for clevis.
> Or is this something else ?
>
> It'd be nice if you can describe precisely what actions and results you
> expect to see.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
[Freeipa-devel] [freeipa PR#398][comment] Support for Certificate Identity Mapping
URL: https://github.com/freeipa/freeipa/pull/398
Title: #398: Support for Certificate Identity Mapping

flo-renaud commented:
"""
Hi @sumit-bose ,
I am not able to reproduce this issue:

```
[root@vm-161 ~]# kinit -k
[root@vm-161 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_h6XRpeK
Default principal: host/vm-161.example@dom-161.example.com

Valid starting       Expires              Service principal
02/22/2017 21:30:10  02/23/2017 21:30:10  krbtgt/dom-161.example@dom-161.example.com
[root@vm-161 ~]# ldapsearch -H ldap://vm-161 '(&(objectClass=ipaCertMapRule)(ipaEnabledFlag=TRUE))' -Y GSSAPI -LLL
SASL/GSSAPI authentication started
SASL username: host/vm-161.example@dom-161.example.com
SASL SSF: 56
SASL data security layer installed.
dn: cn=rule1,cn=certmaprules,cn=certmap,dc=dom-161,dc=example,dc=com
objectClass: ipacertmaprule
objectClass: top
cn: rule1
description: d1
ipaEnabledFlag: TRUE
```

Do you have the ACI "permission:System: Read Certmap Rules" defined on dn: cn=certmaprules,cn=certmap,$BASEDN? It should grant access to ldap:///all
"""

See the full comment at https://github.com/freeipa/freeipa/pull/398#issuecomment-281795345
[Freeipa-devel] [freeipa PR#398][comment] Support for Certificate Identity Mapping
URL: https://github.com/freeipa/freeipa/pull/398
Title: #398: Support for Certificate Identity Mapping

sumit-bose commented:
"""
It looks like the ACIs on the latest version do not allow hosts to access the rules. When I do 'kinit -k' on the IPA server or a client and call

```
ldapsearch -H ldap://ipa-server.ipa.devel '(&(objectClass=ipaCertMapRule)(ipaEnabledFlag=TRUE))' -Y GSSAPI
```

I do not get any results. When I call 'kinit admin' and use the same ldapsearch I get my rule returned.

Can you confirm this or is my test system broken?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/398#issuecomment-281788601
[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server
URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

lslebodn commented:
"""
> Thanks for your contribution. I added your patch to my PR. On my system I ran
> into a minor issue.
> Some C99 types like uint8_t were not defined and I had to
> include stdint.h.

This change is not enough; there is still a warning:

```
ipa_pwd_ntlm.c: In function 'encode_nt_key':
ipa_pwd_ntlm.c:58:5: warning: implicit declaration of function 'strlen' [-Wimplicit-function-declaration]
     il = strlen(newPasswd);
     ^
ipa_pwd_ntlm.c:58:10: warning: incompatible implicit declaration of built-in function 'strlen'
     il = strlen(newPasswd);
          ^
```

The latest version is a small improvement; but there are still problems/small issues because this PR was created with the intention to use tox. I know you are busy. So I wrote a client-only implementation from scratch. This PR is superseded by #494
"""

See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-281606346
[Freeipa-devel] [freeipa PR#492][comment] [WIP] config: remove meaningless defaults
URL: https://github.com/freeipa/freeipa/pull/492
Title: #492: [WIP] config: remove meaningless defaults

tiran commented:
"""
It's probably easier to always define options like `ldap_uri` but use `None` as default.

```
cd .; ./makeaci --validate
./makeaci: ipaserver/plugins/dogtag.py:244: ignoring ImportError: No module named backports_abc
./makeaci: ipaserver/plugins/dogtag.py:244: ignoring ImportError: No module named rnc2rng
Traceback (most recent call last):
  File "./makeaci", line 134, in <module>
    main(options)
  File "./makeaci", line 107, in main
    api.finalize()
  File "/freeipa/ipalib/plugable.py", line 747, in finalize
    self._get(plugin)
  File "/freeipa/ipalib/plugable.py", line 776, in _get
    instance = self.__instances[plugin] = plugin(self)
  File "/freeipa/ipaserver/plugins/ldap2.py", line 72, in __init__
    ldap_uri = api.env.ldap_uri
AttributeError: 'Env' object has no attribute 'ldap_uri'
Exception AttributeError: "'ldap2' object has no attribute 'id'" in ignored
make: *** [acilint] Error 1
Makefile:1108: recipe for target 'acilint' failed
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/492#issuecomment-281760358
[Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages
URL: https://github.com/freeipa/freeipa/pull/472
Title: #472: Packaging: Add placeholder packages

tiran commented:
"""
@MartinBasti I have rebased the branch and added wheel + placeholder building to make check. The pylint violations have disappeared.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/472#issuecomment-281759354
[Freeipa-devel] [freeipa PR#472][synchronized] Packaging: Add placeholder packages
URL: https://github.com/freeipa/freeipa/pull/472
Author: tiran
Title: #472: Packaging: Add placeholder packages
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/472/head:pr472
git checkout pr472

From 4adaffb04e8fea15feb661611e2eaef71c9b6fd8 Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Thu, 16 Feb 2017 15:27:49 +0100
Subject: [PATCH 1/5] Packaging: Add placeholder packages

The ipa and freeipa packages are placeholders to prevent PyPI squashing
attacks and reserve the names for future use. `pip install ipa` installs
ipaclient.

Signed-off-by: Christian Heimes
---
 Makefile.am                   |  6 +++---
 Makefile.python.am            | 21 +
 configure.ac                  |  3 +++
 packaging/Makefile.am         | 10 ++
 packaging/freeipa/Makefile.am |  3 +++
 packaging/freeipa/README.txt  |  2 ++
 packaging/freeipa/setup.cfg   |  6 ++
 packaging/freeipa/setup.py    | 23 +++
 packaging/ipa/Makefile.am     |  3 +++
 packaging/ipa/README.txt      |  2 ++
 packaging/ipa/setup.cfg       |  6 ++
 packaging/ipa/setup.py        | 23 +++
 12 files changed, 97 insertions(+), 11 deletions(-)
 create mode 100644 packaging/Makefile.am
 create mode 100644 packaging/freeipa/Makefile.am
 create mode 100644 packaging/freeipa/README.txt
 create mode 100644 packaging/freeipa/setup.cfg
 create mode 100755 packaging/freeipa/setup.py
 create mode 100644 packaging/ipa/Makefile.am
 create mode 100644 packaging/ipa/README.txt
 create mode 100644 packaging/ipa/setup.cfg
 create mode 100755 packaging/ipa/setup.py

diff --git a/Makefile.am b/Makefile.am index a35d18f..9595c9d 100644 --- a/Makefile.am +++ b/Makefile.am @@ -9,11 +9,9 @@ if WITH_IPATESTS endif IPACLIENT_SUBDIRS = ipaclient ipalib ipapython - -SUBDIRS = asn1 util client contrib po \ +SUBDIRS = asn1 util client contrib po pypi \ $(IPACLIENT_SUBDIRS) ipaplatform $(IPATESTS_SUBDIRS) $(SERVER_SUBDIRS) - MOSTLYCLEANFILES = ipasetup.pyc ipasetup.pyo \ ignore_import_errors.pyc ignore_import_errors.pyo \ ipasetup.pyc ipasetup.pyo \ 
@@ -217,6 +215,8 @@ $(WHEELBUNDLEDIR): mkdir -p $(WHEELBUNDLEDIR) bdist_wheel: $(WHEELDISTDIR) + $(MAKE) $(AM_MAKEFLAGS) -C packaging/ipa bdist_wheel || exit 1; + $(MAKE) $(AM_MAKEFLAGS) -C packaging/freeipa bdist_wheel || exit 1; for dir in $(IPACLIENT_SUBDIRS); do \ $(MAKE) $(AM_MAKEFLAGS) -C $${dir} $@ || exit 1; \ done diff --git a/Makefile.python.am b/Makefile.python.am index 665893f..9c34fe3 100644 --- a/Makefile.python.am +++ b/Makefile.python.am @@ -1,5 +1,6 @@ pkgname = $(shell basename "$(abs_srcdir)") pkgpythondir = $(pythondir)/$(pkgname) +pkginstall = true if VERBOSE_MAKE VERBOSITY="--verbose" @@ -19,16 +20,20 @@ all-local: $(top_builddir)/ipasetup.py --build-base "$(abs_builddir)/build" install-exec-local: $(top_builddir)/ipasetup.py - $(PYTHON) $(srcdir)/setup.py \ - $(VERBOSITY) \ - install \ - --prefix "$(DESTDIR)$(prefix)" \ - --single-version-externally-managed \ - --record "$(DESTDIR)$(pkgpythondir)/install_files.txt" \ - --optimize 1 + if [ "x$(pkginstall)" = "xtrue" ]; then \ + $(PYTHON) $(srcdir)/setup.py \ + $(VERBOSITY) \ + install \ + --prefix "$(DESTDIR)$(prefix)" \ + --single-version-externally-managed \ + --record "$(DESTDIR)$(pkgpythondir)/install_files.txt" \ + --optimize 1; \ + fi uninstall-local: - cat "$(DESTDIR)$(pkgpythondir)/install_files.txt" | xargs rm -rf + if [ -f "$(DESTDIR)$(pkgpythondir)/install_files.txt" ]; then \ + cat "$(DESTDIR)$(pkgpythondir)/install_files.txt" | xargs rm -rf ; \ + fi rm -rf "$(DESTDIR)$(pkgpythondir)" clean-local: $(top_builddir)/ipasetup.py diff --git a/configure.ac b/configure.ac index 9ee281a..ebdd358 100644 --- a/configure.ac +++ b/configure.ac @@ -484,6 +484,9 @@ AC_CONFIG_FILES([ ipaserver/Makefile ipatests/Makefile ipatests/man/Makefile +packaging/Makefile +packaging/freeipa/Makefile +packaging/ipa/Makefile po/Makefile.in po/Makefile.hack util/Makefile diff --git a/packaging/Makefile.am b/packaging/Makefile.am new file mode 100644 index 000..5725ed9 --- /dev/null +++ b/packaging/Makefile.am 
@@ -0,0 +1,10 @@ +# This file will be processed with automake-1.7 to create Makefile.in +# +AUTOMAKE_OPTIONS = 1.7 subdir-objects + +NULL = + +SUBDIRS = \ + freeipa \ + ipa \ + $(NULL) diff --git a/packaging/freeipa/Makefile.am b/packaging/freeipa/Makefile.am new file mode 100644 index 000..15d86ce --- /dev/null +++ b/packaging/freeipa/Makefile.am @@ -0,0 +1,3 @@ +include $(top_srcdir)/Makefile.python.am + +pkginstall = false diff --git a/packaging/freeipa/README.txt b/packaging/freeipa/README.txt new file mode 100644 index 000..b58448f --- /dev/null +++ b/packaging/freeipa/README.txt @@ -0,0 +1,2 @@ +This is a dummy package for FreeIPA's ipaclient. + diff --
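Review bot: the top-level Makefile.am hunk changes SUBDIRS to `asn1 util client contrib po pypi ...`, but every other hunk in this patch creates and references `packaging/`: the AC_CONFIG_FILES entries `packaging/Makefile`, `packaging/freeipa/Makefile` and `packaging/ipa/Makefile`, the `-C packaging/ipa` and `-C packaging/freeipa` calls in the bdist_wheel target, and the new `packaging/Makefile.am` with `SUBDIRS = freeipa ipa`. As written, recursive make would descend into a `pypi` directory this patch does not create, so either the SUBDIRS entry should read `packaging` or the directories should be renamed to match.

Review bot: in the Makefile.python.am hunk, `pkginstall = true` is a make variable that is only consulted by the shell test `[ "x$(pkginstall)" = "xtrue" ]` in install-exec-local, and `packaging/freeipa/Makefile.am` overrides it to `false` after the include. That works because make keeps the last assignment, but a comment next to `pkginstall = true` saying that placeholder subdirectories set it to `false` so they build a wheel without being installed would spare the next reader the hunt; the new `-f install_files.txt` guard in uninstall-local exists for the same reason and deserves the same one-line explanation.

Review bot: the commit message says the placeholders exist "to prevent PyPI squashing attacks"; the established term for registering a project's name on the index before the project does is name squatting, and using it keeps the motivation searchable in the history.

Review bot: the new packaging/freeipa/README.txt says only "This is a dummy package for FreeIPA's ipaclient."; since this text is what a user who lands on the placeholder sees, it should also tell them which package to install instead (the commit message states that `pip install ipa` installs ipaclient) and that the name is reserved for future use.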
[Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages
URL: https://github.com/freeipa/freeipa/pull/472
Title: #472: Packaging: Add placeholder packages

MartinBasti commented:
"""
LGTM, please rebase and I will test it.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/472#issuecomment-281749499
[Freeipa-devel] [freeipa PR#495][comment] Fix ipa-server-upgrade
URL: https://github.com/freeipa/freeipa/pull/495
Title: #495: Fix ipa-server-upgrade

MartinBasti commented:
"""
Does this belong to any ticket which caused this regression?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/495#issuecomment-281748907
[Freeipa-devel] [freeipa PR#457][closed] adtrustinstance: use LDAPI/EXTERNAL to retrieve CIFS keytab
URL: https://github.com/freeipa/freeipa/pull/457
Author: martbab
Title: #457: adtrustinstance: use LDAPI/EXTERNAL to retrieve CIFS keytab
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/457/head:pr457
git checkout pr457
[Freeipa-devel] [freeipa PR#457][+pushed] adtrustinstance: use LDAPI/EXTERNAL to retrieve CIFS keytab
URL: https://github.com/freeipa/freeipa/pull/457
Title: #457: adtrustinstance: use LDAPI/EXTERNAL to retrieve CIFS keytab
Label: +pushed
[Freeipa-devel] [freeipa PR#457][comment] adtrustinstance: use LDAPI/EXTERNAL to retrieve CIFS keytab
URL: https://github.com/freeipa/freeipa/pull/457
Title: #457: adtrustinstance: use LDAPI/EXTERNAL to retrieve CIFS keytab

MartinBasti commented:
"""
Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/af998c4d30175fb3ecc148e1b3a7aca03ef9239a
https://fedorahosted.org/freeipa/changeset/6c0baa6208c2bf97b5ed7ea6e9836963dced64b0
https://fedorahosted.org/freeipa/changeset/ce3baf28ce81458e1c5bf57188858d3d120ec3dd
https://fedorahosted.org/freeipa/changeset/8bac62b7f5d01ceb20388599e8549b1b222f283e
"""

See the full comment at https://github.com/freeipa/freeipa/pull/457#issuecomment-281747015
[Freeipa-devel] [freeipa PR#457][+ack] adtrustinstance: use LDAPI/EXTERNAL to retrieve CIFS keytab
URL: https://github.com/freeipa/freeipa/pull/457
Title: #457: adtrustinstance: use LDAPI/EXTERNAL to retrieve CIFS keytab
Label: +ack
[Freeipa-devel] [freeipa PR#367][comment] Remove nsslib from IPA
URL: https://github.com/freeipa/freeipa/pull/367
Title: #367: Remove nsslib from IPA

stlaz commented:
"""
First set of fixes to comments arrived, throwing it to Travis.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-281710491
Re: [Freeipa-devel] Requiring simultaneous authentication to Linux resources
On Wed, 2017-02-22 at 10:59 +, Oucema Bellagha wrote:
> I want to figure out a solution which allows user "a" to authenticate to
> a host only when user "b" is accessing the host, for security reasons.
>
> Easy explanation: authenticating to hostx needs (user a + user b)
>
> I'm brainstorming some ideas using Yubikey or ssh-keys.. Is there any
> application which allows us to access a host only when 2 users are
> present, because putty doesn't have this feature, which could be a step to
> solve this problem ..
>
> Or in applying some specified rules in IPA itself ?

As explained, there is no such concept in Unix/Linux to start with, but
maybe you mean that you want to check credentials of 2 different users
to allow privileged login, like root login ?
Or is this something else ?

It'd be nice if you can describe precisely what actions and results you
expect to see.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server
URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

pvoborni commented:
"""
Also I added a section to the FreeIPA wiki: http://www.freeipa.org/page/V4/Build_system_refactoring#Packager_-_client_only_build
"""

See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-281692728
[Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop
URL: https://github.com/freeipa/freeipa/pull/468
Title: #468: Remove non-sensical kdestroy on https stop

martbab commented:
"""
@pvoborni should the fix also go into the 4-4 branch? See https://fedorahosted.org/freeipa/ticket/6673#comment:3
"""

See the full comment at https://github.com/freeipa/freeipa/pull/468#issuecomment-281691344
[Freeipa-devel] [freeipa PR#494][comment] Support client-only build
URL: https://github.com/freeipa/freeipa/pull/494
Title: #494: Support client-only build

pvoborni commented:
"""
#364 was pushed.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/494#issuecomment-281690828
[Freeipa-devel] [freeipa PR#494][closed] Support client-only build
URL: https://github.com/freeipa/freeipa/pull/494
Author: lslebodn
Title: #494: Support client-only build
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/494/head:pr494
git checkout pr494
[Freeipa-devel] [freeipa PR#494][+rejected] Support client-only build
URL: https://github.com/freeipa/freeipa/pull/494
Title: #494: Support client-only build
Label: +rejected
[Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop
URL: https://github.com/freeipa/freeipa/pull/468
Title: #468: Remove non-sensical kdestroy on https stop

martbab commented:
"""
Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/b8f304c66994ae82ea484a4e8bd057d4ccf1e6bd
"""

See the full comment at https://github.com/freeipa/freeipa/pull/468#issuecomment-281690573
[Freeipa-devel] [freeipa PR#468][+pushed] Remove non-sensical kdestroy on https stop
URL: https://github.com/freeipa/freeipa/pull/468
Title: #468: Remove non-sensical kdestroy on https stop
Label: +pushed
[Freeipa-devel] [freeipa PR#468][closed] Remove non-sensical kdestroy on https stop
URL: https://github.com/freeipa/freeipa/pull/468
Author: simo5
Title: #468: Remove non-sensical kdestroy on https stop
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/468/head:pr468
git checkout pr468
[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server
URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

pvoborni commented:
"""
Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/70554938d4f9ba5b347cd4bc8001428e905198e4
https://fedorahosted.org/freeipa/changeset/41d7ae54fafc6deb602e1a990eaec37c6ae4880b
https://fedorahosted.org/freeipa/changeset/20c1eb9844223d892da47da1ea10662d37953ff8
https://fedorahosted.org/freeipa/changeset/2747f2ad782c7640ecc6949098f0d43411182255
"""

See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-281689932
[Freeipa-devel] [freeipa PR#364][closed] Client-only builds with --disable-server
URL: https://github.com/freeipa/freeipa/pull/364
Author: tiran
Title: #364: Client-only builds with --disable-server
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/364/head:pr364
git checkout pr364
[Freeipa-devel] [freeipa PR#364][+pushed] Client-only builds with --disable-server
URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server
Label: +pushed
[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server
URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

lslebodn commented:
"""
On (22/02/17 06:16), Simo Sorce wrote:
> So this is the reasoning and why I am approving this PR and not #494.
>
> When you build all components, including server bits, tests are installed,
> therefore when we build just client bits tests that are relevant to client bits
> also need to be installed for consistency.
>
> Any switch should default to the same behavior regardless of whether server
> build is enabled. It is confusing if the --with[out]-[ipa]tests switch changes
> default based on a different switch passed to configure.
>
> As far as I understand this PR maintains the same default for either server or
> client only builds, so it gets my approval.
>

Neither of the python packages which I mention in #494 packages unit tests in Fedora.
So there is no reason to package them by default for a client-only build.
And integration tests require the server, therefore they must not be installed by default with a client-only build.

Result: This PR has the wrong default for installation of ipatests with a client-only build.

LS
"""

See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-281687875
[Freeipa-devel] [freeipa PR#494][comment] Support client-only build
URL: https://github.com/freeipa/freeipa/pull/494
Title: #494: Support client-only build

lslebodn commented:
"""
On (22/02/17 01:52), Tomas Krizek wrote:
> @lslebodn My bad, there was some leftover stuff that `git clean -dfx` didn't
> clear for some reason.
>
> Nevertheless, this does work and allows a client-only build, as well as installing
> tests with the `--with-tests` option. The mock build when run with
> `--without=server` does install fewer dependencies.
>
> But I'm not acking, because of the controversy with the `--with-tests` option
> (see #364).
>

@tomaskrizek FYI `rpmbuild` also accepts the parameter `--without server`, but it is not simple to pass it through `make rpms` and it would not check minimal dependencies in the spec file.

LS
"""

See the full comment at https://github.com/freeipa/freeipa/pull/494#issuecomment-281686378
[Freeipa-devel] [freeipa PR#490][synchronized] [WIP] certdb: use certutil and match_hostname for cert verification
URL: https://github.com/freeipa/freeipa/pull/490
Author: HonzaCholasta
Title: #490: [WIP] certdb: use certutil and match_hostname for cert verification
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/490/head:pr490
git checkout pr490

From 940c715bcf57fa59255166fbc12ccad06f3f0db0 Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Mon, 2 Jan 2017 13:53:18 +0100
Subject: [PATCH] certdb: use certutil and match_hostname for cert verification

Use certutil and ssl.match_hostname calls instead of python-nss for
certificate verification.
---
 freeipa.spec.in     | 16 +--
 ipalib/x509.py      | 71 ---
 ipapython/certdb.py | 80 -
 ipasetup.py.in      |  2 +-
 4 files changed, 94 insertions(+), 75 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in index 5c835ca..2cde0da 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -129,8 +129,8 @@ BuildRequires: python-cffi %if 0%{?with_lint} BuildRequires: samba-python BuildRequires: python-setuptools -# 1.4: the version where Certificate.serial changed to .serial_number -BuildRequires: python-cryptography >= 1.4 +# 1.6: x509.Name.rdns (https://github.com/pyca/cryptography/issues/3199) +BuildRequires: python-cryptography >= 1.6 BuildRequires: python-gssapi >= 1.2.0 BuildRequires: pylint >= 1.0 # workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506 @@ -165,8 +165,8 @@ BuildRequires: python2-jinja2 # FIXME: this depedency is missing - server will not work #BuildRequires: python3-samba BuildRequires: python3-setuptools -# 1.4: the version where Certificate.serial changed to .serial_number -BuildRequires: python3-cryptography >= 1.4 +# 1.6: x509.Name.rdns (https://github.com/pyca/cryptography/issues/3199) +BuildRequires: python3-cryptography >= 1.6 BuildRequires: python3-gssapi >= 1.2.0 BuildRequires: python3-pylint >= 1.0 # workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506 
@@ -592,7 +592,7 @@ Requires: gnupg Requires: keyutils Requires: pyOpenSSL Requires: python-nss >= 0.16 -Requires: python-cryptography >= 1.4 +Requires: python-cryptography >= 1.6 Requires: python-netaddr Requires: python-libipa_hbac Requires: python-qrcode-core >= 5.0.0 @@ -642,7 +642,7 @@ Requires: gnupg Requires: keyutils Requires: python3-pyOpenSSL Requires: python3-nss >= 0.16 -Requires: python3-cryptography >= 1.4 +Requires: python3-cryptography >= 1.6 Requires: python3-netaddr Requires: python3-libipa_hbac Requires: python3-qrcode-core >= 5.0.0 @@ -717,7 +717,7 @@ Requires: python-pytest-multihost >= 0.5 Requires: python-pytest-sourceorder Requires: ldns-utils Requires: python-sssdconfig -Requires: python2-cryptography >= 1.4 +Requires: python2-cryptography >= 1.6 Provides: %{alt_name}-tests = %{version} Conflicts: %{alt_name}-tests @@ -751,7 +751,7 @@ Requires: python3-pytest-multihost >= 0.5 Requires: python3-pytest-sourceorder Requires: ldns-utils Requires: python3-sssdconfig -Requires: python3-cryptography >= 1.4 +Requires: python3-cryptography >= 1.6 %description -n python3-ipatests IPA is an integrated solution to provide centrally managed Identity (users, diff --git a/ipalib/x509.py b/ipalib/x509.py index f65cf81..dbcbb59 100644 --- a/ipalib/x509.py +++ b/ipalib/x509.py @@ -35,6 +35,7 @@ import binascii import datetime import ipaddress +import ssl import base64 import re @@ -49,6 +50,7 @@ from ipalib import util from ipalib import errors from ipapython.dn import DN +from ipapython.dnsutil import DNSName if six.PY3: unicode = str 
@@ -406,6 +408,27 @@ def process_othernames(gns): yield gn +def _pyasn1_get_san_general_names(cert): +tbs = decoder.decode( +cert.tbs_certificate_bytes, +asn1Spec=rfc2459.TBSCertificate() +)[0] +OID_SAN = univ.ObjectIdentifier('2.5.29.17') +# One would expect KeyError or empty iterable when the key ('extensions' +# in this particular case) is not pressent in the certificate but pyasn1 +# returns None here +extensions = tbs['extensions'] or [] +gns = [] +for ext in extensions: +if ext['extnID'] == OID_SAN: +der = decoder.decode( +ext['extnValue'], asn1Spec=univ.OctetString())[0] +gns = decoder.decode(der, asn1Spec=rfc2459.SubjectAltName())[0] +break + +return gns + + def get_san_general_names(cert): """ Return SAN general names from a python-cryptography @@ -430,22 +453,7 @@ def get_san_general_names(cert): and should go away. """ -tbs = decoder.decode( -cert.tbs_certificate_bytes, -asn1Spec=rfc2459.TBSCertificate() -)[0] -OID_SAN = univ.ObjectIdentifier('2.5.29.17') -# One would expect KeyError or empty iterable when the key ('extensions' -# in this particular case) is not press
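Review bot: the `freeipa.spec.in` hunks raise every python-cryptography requirement from 1.4 to 1.6, and the diffstat shows a one-line change in `ipasetup.py.in`; please confirm that line is the matching `install_requires` bump so RPM and pip metadata stay in step, and carry the `# 1.6: x509.Name.rdns` rationale comment over to the `Requires:` lines as well, not only the `BuildRequires:` ones, since that is where a packager backporting will look.

Review bot: in the `ipalib/x509.py` hunk, the comment moved into the new `_pyasn1_get_san_general_names` helper still carries the typo "pressent"; since the lines are relocated anyway, fix it to "present". The helper also returns a pyasn1 `SubjectAltName` when the extension is found but a plain `[]` when it is not; callers that merely iterate are fine, but a one-line comment stating that either value is an iterable of GeneralName would save the next reader a trip into pyasn1.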
[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server
URL: https://github.com/freeipa/freeipa/pull/364 Title: #364: Client-only builds with --disable-server simo5 commented: """ So this is the reasoning and why I am approving this PR and not #494. When you build all components, including server bits, tests are installed, therefore when we build just client bits tests that are relevant to client bits also need to be installed for consistency. Any switch should default to the same behavior regardless of whether server build is enabled. It is confusing if the --with[out]-[ipa]tests switch changes default based on a different switch passed to configure. As far as I understand this PR maintains the same default for either server or client only builds, so it gets my approval. """ See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-281680804
[Freeipa-devel] [freeipa PR#364][+ack] Client-only builds with --disable-server
URL: https://github.com/freeipa/freeipa/pull/364 Title: #364: Client-only builds with --disable-server Label: +ack
[Freeipa-devel] [freeipa PR#434][comment] csrgen: Automate full cert request flow
URL: https://github.com/freeipa/freeipa/pull/434 Title: #434: csrgen: Automate full cert request flow HonzaCholasta commented: """ Thank you. LGTM, but please squash the fixup commit. """ See the full comment at https://github.com/freeipa/freeipa/pull/434#issuecomment-281679144
[Freeipa-devel] [freeipa PR#494][comment] Support client-only build
URL: https://github.com/freeipa/freeipa/pull/494 Title: #494: Support client-only build lslebodn commented: """ On (22/02/17 03:24), Christian Heimes wrote: >python-requests is a bad example because it suffers from the same issue as IPA. > >A better example is any other modern Python project like cryptography. It runs >tests with installed files, not in-tree files. > hmm; I probably missed something. ``` sh$ rpm -ql rpm -ql python3-cryptography | grep test /usr/share/doc/python3-cryptography/docs/development/test-vectors.rst ``` ``` sh$ wget --content-disposition https://github.com/pyca/cryptography/archive/1.7.2.tar.gz 2017-02-22 14:10:00 (9.86 MB/s) - ‘cryptography-1.7.2.tar.gz’ saved [27131190] sh$ tar -xzf cryptography-1.7.2.tar.gz sh$ find cryptography-1.7.2/ -name "*test*" cryptography-1.7.2/vectors/cryptography_vectors/keywrap/kwtestvectors cryptography-1.7.2/vectors/cryptography_vectors/hashes/whirlpool/iso-test-vectors.txt cryptography-1.7.2/vectors/cryptography_vectors/asymmetric/Traditional_OpenSSL_Serialization/testrsa.pem cryptography-1.7.2/vectors/cryptography_vectors/asymmetric/Traditional_OpenSSL_Serialization/testrsa-encrypted.pem cryptography-1.7.2/vectors/cryptography_vectors/asymmetric/DER_Serialization/testrsa.der cryptography-1.7.2/tests cryptography-1.7.2/tests/test_x509_revokedcertbuilder.py cryptography-1.7.2/tests/test_x509_ext.py cryptography-1.7.2/tests/test_x509_crlbuilder.py cryptography-1.7.2/tests/test_x509.py cryptography-1.7.2/tests/test_warnings.py cryptography-1.7.2/tests/test_utils.py cryptography-1.7.2/tests/test_interfaces.py cryptography-1.7.2/tests/test_fernet.py cryptography-1.7.2/tests/test_cryptography_utils.py cryptography-1.7.2/tests/hypothesis/test_padding.py cryptography-1.7.2/tests/hypothesis/test_fernet.py cryptography-1.7.2/tests/hazmat/primitives/twofactor/test_totp.py cryptography-1.7.2/tests/hazmat/primitives/twofactor/test_hotp.py cryptography-1.7.2/tests/hazmat/primitives/test_x963kdf.py 
cryptography-1.7.2/tests/hazmat/primitives/test_x963_vectors.py cryptography-1.7.2/tests/hazmat/primitives/test_serialization.py cryptography-1.7.2/tests/hazmat/primitives/test_seed.py cryptography-1.7.2/tests/hazmat/primitives/test_scrypt.py cryptography-1.7.2/tests/hazmat/primitives/test_rsa.py cryptography-1.7.2/tests/hazmat/primitives/test_pbkdf2hmac_vectors.py cryptography-1.7.2/tests/hazmat/primitives/test_pbkdf2hmac.py cryptography-1.7.2/tests/hazmat/primitives/test_padding.py cryptography-1.7.2/tests/hazmat/primitives/test_keywrap.py cryptography-1.7.2/tests/hazmat/primitives/test_kbkdf_vectors.py cryptography-1.7.2/tests/hazmat/primitives/test_kbkdf.py cryptography-1.7.2/tests/hazmat/primitives/test_idea.py cryptography-1.7.2/tests/hazmat/primitives/test_hmac_vectors.py cryptography-1.7.2/tests/hazmat/primitives/test_hmac.py cryptography-1.7.2/tests/hazmat/primitives/test_hkdf_vectors.py cryptography-1.7.2/tests/hazmat/primitives/test_hkdf.py cryptography-1.7.2/tests/hazmat/primitives/test_hashes.py cryptography-1.7.2/tests/hazmat/primitives/test_hash_vectors.py cryptography-1.7.2/tests/hazmat/primitives/test_ec.py cryptography-1.7.2/tests/hazmat/primitives/test_dsa.py cryptography-1.7.2/tests/hazmat/primitives/test_dh.py cryptography-1.7.2/tests/hazmat/primitives/test_constant_time.py cryptography-1.7.2/tests/hazmat/primitives/test_concatkdf.py cryptography-1.7.2/tests/hazmat/primitives/test_cmac.py cryptography-1.7.2/tests/hazmat/primitives/test_ciphers.py cryptography-1.7.2/tests/hazmat/primitives/test_cast5.py cryptography-1.7.2/tests/hazmat/primitives/test_camellia.py cryptography-1.7.2/tests/hazmat/primitives/test_blowfish.py cryptography-1.7.2/tests/hazmat/primitives/test_block.py cryptography-1.7.2/tests/hazmat/primitives/test_asym_utils.py cryptography-1.7.2/tests/hazmat/primitives/test_arc4.py cryptography-1.7.2/tests/hazmat/primitives/test_aes.py cryptography-1.7.2/tests/hazmat/primitives/test_3des.py 
cryptography-1.7.2/tests/hazmat/bindings/test_openssl.py cryptography-1.7.2/tests/hazmat/bindings/test_commoncrypto.py cryptography-1.7.2/tests/hazmat/backends/test_openssl.py cryptography-1.7.2/tests/hazmat/backends/test_multibackend.py cryptography-1.7.2/tests/hazmat/backends/test_commoncrypto.py cryptography-1.7.2/tests/hazmat/backends/test_backendinit.py cryptography-1.7.2/tests/conftest.py cryptography-1.7.2/docs/development/test-vectors.rst ``` and unit test are exeuted as part of rpm-build. ``` http://pkgs.fedoraproject.org/cgit/rpms/python-cryptography.git/tree/python-cryptography.spec#n133 ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/494#issuecomment-281666168 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] MD5 certificate fingerprints removal
On Wed, Feb 22, 2017 at 01:41:22PM +0100, Tomas Krizek wrote:
> On 02/22/2017 12:28 AM, Fraser Tweedale wrote:
> > On Tue, Feb 21, 2017 at 05:23:07PM +0100, Standa Laznicka wrote:
> >> On 02/21/2017 04:24 PM, Tomas Krizek wrote:
> >>> On 02/21/2017 03:23 PM, Rob Crittenden wrote:
> Standa Laznicka wrote:
> > Hello,
> >
> > Since we're trying to make FreeIPA work in FIPS we got to the point
> > where we need to do something with MD5 fingerprints in the cert plugin.
> > Eventually we came to a realization that it'd be best to get rid of them
> > as a whole. These are counted by the framework and are not stored
> > anywhere. Note that alongside with these fingerprints SHA1 fingerprints
> > are also counted and those are there to stay.
> >
> > The question for this ML is, then - is it OK to remove these or would
> > you rather have them replaced with SHA-256 alongside the SHA-1? MD5 is a
> > grandpa and I think it should go.
> I based the values displayed on what certutil displayed at the time (7
> years ago). I don't know that anyone uses these fingerprints. The
> OpenSSL equivalent doesn't include them by default.
>
> You may be able to deprecate fingerprints altogether.
>
> rob
> >>> I think it's useful to display the certificate's fingerprint. I'm in
> >>> favor of removing md5 and adding sha256 instead.
> >>>
> >> Rob, thank you for sharing the information of where the cert fingerprints
> >> are originated! `certutil` shipped with nss-3.27.0-1.3 currently displays
> >> SHA-256 and SHA1 fingerprints for certificates so I propose going that way
> >> too.
> >>
> > IMO we should remove MD5 and SHA-1, and add SHA-256. But we should
> > also make no API stability guarantee w.r.t. the fingerprint
> > attributes, i.e. to allow us to move to newer digests in future (and
> > remove broken/no-longer-secure ones). We should advise that if a
> > customer has a hard requirement on a particular digest that they
> > should compute it themselves from the certificate.
> >
> > Cheers,
> > Fraser
> What is the motivation to remove SHA-1? Are there any attacks besides
> theoretical ones on SHA-1?
>
> Do other libraries already deprecate SHA-1?
>
Come to think of it, I was thinking about SHA-1 signatures (which are
completely forbidden in the public PKI nowadays). But for fingerprints it is
not so bad (for now).

Thanks,
Fraser
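The thread's advice is that anyone with a hard requirement on a particular digest should compute the fingerprint from the certificate rather than rely on what the cert plugin displays. The following is an added example (not FreeIPA code) of doing exactly that with the Python standard library: strip the PEM armour, hash the DER bytes, print them in the colon-separated form certutil and openssl use, and compare a pinned value in constant time. The digest table deliberately offers SHA-1 and SHA-256 only; the PEM body is a constructed stand-in, since a fingerprint is a plain digest of the DER bytes and needs no parsing.

```python
"""Compute X.509 certificate fingerprints locally, independent of which
digests the IPA cert plugin chooses to display.  Added example, not part of
FreeIPA."""
import base64
import hashlib
import hmac
import re

# Digests a client may reasonably pin on.  MD5 is deliberately absent: chosen-
# prefix collisions are practical, so an MD5 fingerprint no longer identifies
# a single certificate.  SHA-1 stays (the thread keeps it for fingerprints).
_DIGESTS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}
SUPPORTED_DIGESTS = tuple(sorted(_DIGESTS))

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def pem_to_der(pem):
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    match = _PEM_RE.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    body = "".join(match.group(1).split())  # drop the 64-column line wrapping
    return base64.b64decode(body, validate=True)


def fingerprint(der, algorithm="sha256"):
    """Digest the DER encoding and format it the way certutil/openssl print
    fingerprints: upper-case hex pairs joined by colons."""
    try:
        digest_fn = _DIGESTS[algorithm.lower()]
    except KeyError:
        raise ValueError("unsupported or insecure digest: %s" % algorithm)
    raw = digest_fn(der).digest()
    return ":".join("%02X" % b for b in raw)


def fingerprint_matches(der, expected, algorithm="sha256"):
    """Constant-time comparison of a pinned fingerprint against the
    certificate, tolerating case and separator differences in the pin."""
    def normalize(text):
        return text.replace(":", "").replace(" ", "").upper()
    return hmac.compare_digest(
        normalize(fingerprint(der, algorithm)), normalize(expected))


# Constructed stand-in for a certificate: the body base64-encodes b"abc"
# rather than a real DER structure, which is enough to exercise the code
# path because fingerprints hash the raw bytes without parsing them.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    for algo in SUPPORTED_DIGESTS:
        print("%-7s %s" % (algo.upper(), fingerprint(der, algo)))
```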
Re: [Freeipa-devel] MD5 certificate fingerprints removal
On 02/22/2017 12:28 AM, Fraser Tweedale wrote:
> On Tue, Feb 21, 2017 at 05:23:07PM +0100, Standa Laznicka wrote:
>> On 02/21/2017 04:24 PM, Tomas Krizek wrote:
>>> On 02/21/2017 03:23 PM, Rob Crittenden wrote:
Standa Laznicka wrote:
> Hello,
>
> Since we're trying to make FreeIPA work in FIPS we got to the point
> where we need to do something with MD5 fingerprints in the cert plugin.
> Eventually we came to a realization that it'd be best to get rid of them
> as a whole. These are counted by the framework and are not stored
> anywhere. Note that alongside with these fingerprints SHA1 fingerprints
> are also counted and those are there to stay.
>
> The question for this ML is, then - is it OK to remove these or would
> you rather have them replaced with SHA-256 alongside the SHA-1? MD5 is a
> grandpa and I think it should go.
I based the values displayed on what certutil displayed at the time (7
years ago). I don't know that anyone uses these fingerprints. The
OpenSSL equivalent doesn't include them by default.

You may be able to deprecate fingerprints altogether.

rob
>>> I think it's useful to display the certificate's fingerprint. I'm in
>>> favor of removing md5 and adding sha256 instead.
>>>
>> Rob, thank you for sharing the information of where the cert fingerprints
>> are originated! `certutil` shipped with nss-3.27.0-1.3 currently displays
>> SHA-256 and SHA1 fingerprints for certificates so I propose going that way
>> too.
>>
> IMO we should remove MD5 and SHA-1, and add SHA-256. But we should
> also make no API stability guarantee w.r.t. the fingerprint
> attributes, i.e. to allow us to move to newer digests in future (and
> remove broken/no-longer-secure ones). We should advise that if a
> customer has a hard requirement on a particular digest that they
> should compute it themselves from the certificate.
>
> Cheers,
> Fraser
What is the motivation to remove SHA-1? Are there any attacks besides
theoretical ones on SHA-1?

Do other libraries already deprecate SHA-1?

--
Tomas Krizek
[Freeipa-devel] [freeipa PR#367][comment] Remove nsslib from IPA
URL: https://github.com/freeipa/freeipa/pull/367 Title: #367: Remove nsslib from IPA HonzaCholasta commented: """ Besides what I wrote in inline comments, we need to get rid of `/var/lib/ipa/radb` now that it's unused. """ See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-281655830
Re: [Freeipa-devel] MD5 certificate fingerprints removal
On 02/22/2017 12:28 AM, Fraser Tweedale wrote:
> On Tue, Feb 21, 2017 at 05:23:07PM +0100, Standa Laznicka wrote:
> On 02/21/2017 04:24 PM, Tomas Krizek wrote:
> On 02/21/2017 03:23 PM, Rob Crittenden wrote:
> Standa Laznicka wrote:
> Hello,
>
> Since we're trying to make FreeIPA work in FIPS we got to the point
> where we need to do something with MD5 fingerprints in the cert plugin.
> Eventually we came to a realization that it'd be best to get rid of them
> as a whole. These are counted by the framework and are not stored
> anywhere. Note that alongside with these fingerprints SHA1 fingerprints
> are also counted and those are there to stay.
>
> The question for this ML is, then - is it OK to remove these or would
> you rather have them replaced with SHA-256 alongside the SHA-1? MD5 is a
> grandpa and I think it should go.
> I based the values displayed on what certutil displayed at the time (7
> years ago). I don't know that anyone uses these fingerprints. The
> OpenSSL equivalent doesn't include them by default.
>
> You may be able to deprecate fingerprints altogether.
>
> rob
> I think it's useful to display the certificate's fingerprint. I'm in
> favor of removing md5 and adding sha256 instead.
>
> Rob, thank you for sharing the information of where the cert fingerprints
> are originated! `certutil` shipped with nss-3.27.0-1.3 currently displays
> SHA-256 and SHA1 fingerprints for certificates so I propose going that way
> too.
>
> IMO we should remove MD5 and SHA-1, and add SHA-256. But we should
> also make no API stability guarantee w.r.t. the fingerprint
> attributes, i.e. to allow us to move to newer digests in future (and
> remove broken/no-longer-secure ones). We should advise that if a
> customer has a hard requirement on a particular digest that they
> should compute it themselves from the certificate.
>
> Cheers,
> Fraser

That's something I would like but am not sure whether we can just go ahead and do. I, personally, wouldn't mind it.
[Freeipa-devel] [freeipa PR#479][comment] Merge AD trust installer into composite ones
URL: https://github.com/freeipa/freeipa/pull/479 Title: #479: Merge AD trust installer into composite ones martbab commented: """ I have added a basic integration tests for the built-in AD trust installation, you can run them on 3 machines (master + 2 replicas) by running ```bash # ipa-run-tests --verbose /usr/lib/python2.7/site-packages/ipatests/test_integration/test_installation.py -k TestADTrustInstall ``` and having a properly configured test config. """ See the full comment at https://github.com/freeipa/freeipa/pull/479#issuecomment-281651733 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#479][synchronized] Merge AD trust installer into composite ones
URL: https://github.com/freeipa/freeipa/pull/479 Author: martbab Title: #479: Merge AD trust installer into composite ones Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/479/head:pr479 git checkout pr479 From befb5e97602d1e523157b503d33a3ca8f8f84a9d Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Fri, 3 Feb 2017 17:14:20 +0100 Subject: [PATCH 01/16] allow for more flexibility when requesting service keytab The service installers can now override the methods for cleaning up stale keytabs and changing file ownership of the newly acquired keytabs. The default actions should be usable by most installers without specific overriding. https://fedorahosted.org/freeipa/ticket/6638 --- ipaserver/install/service.py | 41 ++--- 1 file changed, 26 insertions(+), 15 deletions(-) diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py index b9d1ffc..80bb4bb 100644 --- a/ipaserver/install/service.py +++ b/ipaserver/install/service.py 
@@ -540,22 +540,35 @@ def _add_service_principal(self): except errors.DuplicateEntry: pass +def clean_previous_keytab(self, keytab=None): +if keytab is None: +keytab = self.keytab + +self.fstore.backup_file(keytab) +try: +os.unlink(keytab) +except OSError: +pass + +def set_keytab_owner(self, keytab=None, owner=None): +if keytab is None: +keytab = self.keytab +if owner is None: +owner = self.service_user + +pent = pwd.getpwnam(owner) +os.chown(keytab, pent.pw_uid, pent.pw_gid) + def run_getkeytab(self, ldap_uri, keytab, principal, retrieve=False): """ -backup and remove old service keytab (if present) and fetch a new one -using ipa-getkeytab. This assumes that the service principal is already -created in LDAP. By default GSSAPI authentication is used unless: +retrieve service keytab using ipa-getkeytab. This assumes that the +service principal is already created in LDAP. By default GSSAPI +authentication is used unless: * LDAPI socket is used and effective process UID is 0, then autobind is used by EXTERNAL SASL mech * self.dm_password is not none, then DM credentials are used to fetch keytab """ -self.fstore.backup_file(keytab) -try: -os.unlink(keytab) -except OSError: -pass - args = [paths.IPA_GETKEYTAB, '-k', keytab, '-p', principal, @@ -576,17 +589,15 @@ def run_getkeytab(self, ldap_uri, keytab, principal, retrieve=False): ipautil.run(args, nolog=nolog) def _request_service_keytab(self): -if any(attr is None for attr in (self.principal, self.keytab, - self.service_user)): +if any(attr is None for attr in (self.principal, self.keytab)): raise NotImplementedError( "service must have defined principal " -"name, keytab, and username") +"name and keytab") self._add_service_principal() +self.clean_previous_keytab() self.run_getkeytab(self.api.env.ldap_uri, self.keytab, self.principal) - -pent = pwd.getpwnam(self.keytab_user) -os.chown(self.keytab, pent.pw_uid, pent.pw_gid) +self.set_keytab_owner() class SimpleServiceInstance(Service): 
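Review bot: in the first hunk, `clean_previous_keytab` keeps the bare `except OSError: pass` around `os.unlink(keytab)`, which hides more than a missing file: a permission error or a read-only filesystem is swallowed silently, the stale keytab stays in place, and the following `ipa-getkeytab` run is the first thing to notice, with a less helpful error. Suggest catching only the expected case, e.g. `except OSError as e:` / `if e.errno != errno.ENOENT: raise`.

Review bot: in the second hunk, `self.service_user` is dropped from the `None` check in `_request_service_keytab`, yet `set_keytab_owner()` defaults `owner` to `self.service_user` and hands it straight to `pwd.getpwnam`; a subclass that defines principal and keytab but no `service_user` now fails with a `TypeError` from getpwnam instead of the explicit `NotImplementedError` the old check raised. Either keep `self.service_user` in the check or have `set_keytab_owner` raise a clear error when `owner` is `None`.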
From 54a7975465e965efc677e5e6efde2be239ac25d3 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Fri, 17 Feb 2017 14:31:55 +0100 Subject: [PATCH 02/16] Make request_service_keytab into a public method a cosmetic change: we had private method comprising of calls to public ones, which did not make much sense in our case https://fedorahosted.org/freeipa/ticket/6638 --- ipaserver/install/dsinstance.py | 6 +++--- ipaserver/install/httpinstance.py | 2 +- ipaserver/install/service.py | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 9172b65..bf80ae0 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -393,7 +393,7 @@ def create_replica(self, realm_name, master_fqdn, fqdn, self.__common_setup(enable_ssl=(not self.promote)) self.step("restarting directory server", self.__restart_instance) -self.step("creating DS keytab", self._request_service_keytab) +self.step("creating DS keytab", self.request_service_keytab) if self.promote: if self.pkcs12_info: self.step("configuring TLS for DS instance", self.__enable_ssl) @@ -1221,8 +1221,8 @@ def __set_domain_level(self): if self.domainlevel is not None: self._ldap_mod("domainlevel.ldif",
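Review bot: renaming `_request_service_keytab` to the public `request_service_keytab` is more than cosmetic for the `Service` class: any subclass outside the three files in the diffstat that overrides the old private name keeps its override, but `self.step(...)` no longer calls it. Grep for remaining definitions or references to `_request_service_keytab` beyond dsinstance.py and httpinstance.py before merging, and say in the commit message that the method is now part of the public installer API.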
[Freeipa-devel] [freeipa PR#468][+ack] Remove non-sensical kdestroy on https stop
URL: https://github.com/freeipa/freeipa/pull/468 Title: #468: Remove non-sensical kdestroy on https stop Label: +ack
[Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop
URL: https://github.com/freeipa/freeipa/pull/468 Title: #468: Remove non-sensical kdestroy on https stop martbab commented: """ I have also noticed that the ccache is not created there, strange. However I think it is better to explicitly specify file-based ccache anyway just to be on the safe side. Otherwise everything seems to work as expected, even the `ipa-restore to live server` scenario. """ See the full comment at https://github.com/freeipa/freeipa/pull/468#issuecomment-281650232
[Freeipa-devel] [freeipa PR#494][comment] Support client-only build
URL: https://github.com/freeipa/freeipa/pull/494 Title: #494: Support client-only build lslebodn commented: """ On (22/02/17 03:24), Christian Heimes wrote: >python-requests is a bad example because it suffers from the same issue as IPA. > >A better example is any other modern Python project like cryptography. It runs >tests with installed files, not in-tree files. > I check few other quite new projects which were written by RH python guys. https://admin.fedoraproject.org/pkgdb/package/rpms/devassistant/ https://admin.fedoraproject.org/pkgdb/package/rpms/python-pytest-multihost/ They run unit tests as part of build process and unit tests are not installed. But maybe I was not just lucky enough to find modern Python project. Anyway `ipatests` are installed by default with freeipa. If you want to use non-defalt option for client-only build then it is possible to install `ipatests` as well. Thank you for your comments. LS """ See the full comment at https://github.com/freeipa/freeipa/pull/494#issuecomment-281649262 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#495][comment] Fix ipa-server-upgrade
URL: https://github.com/freeipa/freeipa/pull/495 Title: #495: Fix ipa-server-upgrade tiran commented: """ Looks totally reasonable. I checked, `SimpleServiceInstance('ipa_memcached')` does not raise an exception if systemd has no service file for IPA memcached at all. """ See the full comment at https://github.com/freeipa/freeipa/pull/495#issuecomment-281648585
[Freeipa-devel] [freeipa PR#495][+ack] Fix ipa-server-upgrade
URL: https://github.com/freeipa/freeipa/pull/495 Title: #495: Fix ipa-server-upgrade Label: +ack
[Freeipa-devel] [freeipa PR#495][opened] Fix ipa-server-upgrade
URL: https://github.com/freeipa/freeipa/pull/495 Author: stlaz Title: #495: Fix ipa-server-upgrade Action: opened PR body: """ I was too eager to ACK https://github.com/freeipa/freeipa/pull/471. Running ipa-server-upgrade would fail to stop ipa_memcached if it's already uninstalled. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/495/head:pr495 git checkout pr495 From e032aa24e4a4a16376909d60b204b48911e1a92a Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Wed, 22 Feb 2017 12:38:19 +0100 Subject: [PATCH] Fix ipa-server-upgrade Running ipa-server-upgrade would fail to stop ipa_memcached if it's already uninstalled. --- ipaserver/install/server/upgrade.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 26f6b8f..e5d9de4 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -83,7 +83,8 @@ def uninstall_ipa_memcached(): """ ipa_memcached = service.SimpleServiceInstance('ipa_memcached') -ipa_memcached.uninstall() +if ipa_memcached.is_configured(): +ipa_memcached.uninstall() def backup_file(filename, ext):
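Review bot: the commit message carries no ticket reference, while the other patches in this digest link their fedorahosted ticket; add the URL of the ticket this regression is tracked under so `git log` on `uninstall_ipa_memcached()` explains itself. The `if ipa_memcached.is_configured():` guard matches the stated failure (uninstall attempted on a service that is already gone); a one-line comment above it saying that upgrades on hosts without ipa_memcached must not abort would help the next reader understand why the unconditional call was wrong.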
[Freeipa-devel] [freeipa PR#494][comment] Support client-only build
URL: https://github.com/freeipa/freeipa/pull/494 Title: #494: Support client-only build tiran commented: """ python-requests is a bad example because it suffers from the same issue as IPA. A better example is any other modern Python project like cryptography. It runs tests with installed files, not in-tree files. """ See the full comment at https://github.com/freeipa/freeipa/pull/494#issuecomment-281642853 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server
URL: https://github.com/freeipa/freeipa/pull/364 Title: #364: Client-only builds with --disable-server lslebodn commented: """
>Thanks for your contribution. I added your patch to my PR. On my system I ran
>into a minor issue.
>Some C99 types like uint8_t were not defined and I had to
>include stdint.h.

This change is not enough; there is still a warning:
```
ipa_pwd_ntlm.c: In function 'encode_nt_key':
ipa_pwd_ntlm.c:58:5: warning: implicit declaration of function 'strlen' [-Wimplicit-function-declaration]
     il = strlen(newPasswd);
     ^
ipa_pwd_ntlm.c:58:10: warning: incompatible implicit declaration of built-in function 'strlen'
     il = strlen(newPasswd);
          ^
```
>By the way I'm just going to ignore your snidely and snarky comment.

No problem. I am going to forget that my proposal for compromise was ignored for 12 days.

The latest version is a small improvement; but there are still problems/small issues because this PR was created with the intention to use tox. I know you are busy. So I wrote a client-only implementation from scratch.

This PR is superseded by #494
""" See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-281606346
[Freeipa-devel] [freeipa PR#494][comment] Support client-only build
URL: https://github.com/freeipa/freeipa/pull/494 Title: #494: Support client-only build lslebodn commented: """ On (22/02/17 03:04), Christian Heimes wrote: >You are aware that your example code checks the wrong code? It is testing >in-tree sources, not the actual sources that get packaged and installed. > Yes, because unit tests are not usually installed with package. e.g. `rpm -ql python3-requests | grep tests` and unit tests are executed as part of build http://pkgs.fedoraproject.org/cgit/rpms/python-requests.git/tree/python-requests.spec#n158 And I know that your use-case is different. Therefore there is a configure time option `--with-ipatests` LS """ See the full comment at https://github.com/freeipa/freeipa/pull/494#issuecomment-281639897 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#494][comment] Support client-only build
URL: https://github.com/freeipa/freeipa/pull/494 Title: #494: Support client-only build tiran commented: """ You are aware that your example code checks the wrong code? It is testing in-tree sources, not the actual sources that get packaged and installed. """ See the full comment at https://github.com/freeipa/freeipa/pull/494#issuecomment-281638202 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] Requiring simultaneous authentication to Linux resources
I want to figure out a solution which allows user "a" to authenticate to a host only when user "b" is accessing the host, for security reasons. Easy explanation: authenticating to hostx needs (user a + user b). I'm brainstorming some ideas using Yubikey or ssh-keys. Is there any application which allows us to access a host only when 2 users are present, because PuTTY doesn't have this feature, which can be a step to solve this problem. Or in applying some specified rules in IPA itself?

Thanks,
[Freeipa-devel] [freeipa PR#494][comment] Support client-only build
URL: https://github.com/freeipa/freeipa/pull/494 Title: #494: Support client-only build lslebodn commented: """ On (22/02/17 02:51), Christian Heimes wrote: >You assumption is incorrect. ```ipatests``` does not depend on >```ipaserver```, >https://github.com/freeipa/freeipa/blob/master/ipatests/setup.py#L61 > >``` >install_requires=[ >"cryptography", >"dnspython", >"gssapi", >"ipaclient", >"ipalib", >"ipaplatform", >"ipapython", >"nose", >"polib", >"pyldap", >"pytest", >"pytest_multihost", >"python-nss", >"six", >], >``` > >Only some subcomponents of ```ipatests``` do depend on the ```ipaserver``` >package or a running server for integration tests, >https://github.com/freeipa/freeipa/blob/master/ipatests/setup.py#L77 > >``` >extras_require={ >"integration": ["dbus-python", "pyyaml", "ipaserver"], >"ipaserver": ["ipaserver"], >"webui": ["selenium", "pyyaml", "ipaserver"], >"xmlrpc": ["ipaserver"], >} >``` > Packagers can run unit tests in-tree. And that's a usual way how packagers run unit tests. e.g. ``` PYTHONPATH=$PWD/ \ $PYTHON ./ipatests/ipa-run-tests -vvv --tb=native \ $PWD/ipatests/test_ipaclient/ \ $PWD/ipatests/test_ipalib \ $PWD/ipatests/test_ipapython \ $PWD/ipatests/test_util.py \ $PWD/ipatests/util.py ``` Tox is a special case. Therefore installation of tests is disabled for `--disable-server` But for tox it is possible to overrride it. e.g. `./configure --disable-server --with-tests` LS """ See the full comment at https://github.com/freeipa/freeipa/pull/494#issuecomment-281636358 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#457][comment] adtrustinstance: use LDAPI/EXTERNAL to retrieve CIFS keytab
URL: https://github.com/freeipa/freeipa/pull/457
Title: #457: adtrustinstance: use LDAPI/EXTERNAL to retrieve CIFS keytab

martbab commented:
"""
Bump for review.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/457#issuecomment-281635160
[Freeipa-devel] [freeipa PR#494][comment] Support client-only build
URL: https://github.com/freeipa/freeipa/pull/494
Title: #494: Support client-only build

tiran commented:
"""
Your assumption is incorrect. ```ipatests``` does not depend on ```ipaserver```, https://github.com/freeipa/freeipa/blob/master/ipatests/setup.py#L61

```
install_requires=[
    "cryptography",
    "dnspython",
    "gssapi",
    "ipaclient",
    "ipalib",
    "ipaplatform",
    "ipapython",
    "nose",
    "polib",
    "pyldap",
    "pytest",
    "pytest_multihost",
    "python-nss",
    "six",
],
```

Only some subcomponents of ```ipatests``` do depend on the ```ipaserver``` package or a running server for integration tests, https://github.com/freeipa/freeipa/blob/master/ipatests/setup.py#L77

```
extras_require={
    "integration": ["dbus-python", "pyyaml", "ipaserver"],
    "ipaserver": ["ipaserver"],
    "webui": ["selenium", "pyyaml", "ipaserver"],
    "xmlrpc": ["ipaserver"],
}
```

Regarding pylint and jsl, neither of the components should be a build requirement. But that's off-topic for this PR. Please discuss the matter in https://fedorahosted.org/freeipa/ticket/6604 .
"""

See the full comment at https://github.com/freeipa/freeipa/pull/494#issuecomment-281635162
[Freeipa-devel] [freeipa PR#479][comment] Merge AD trust installer into composite ones
URL: https://github.com/freeipa/freeipa/pull/479
Title: #479: Merge AD trust installer into composite ones

martbab commented:
"""
Bump for review.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/479#issuecomment-281635086
[Freeipa-devel] [freeipa PR#494][comment] Support client-only build
URL: https://github.com/freeipa/freeipa/pull/494
Title: #494: Support client-only build

lslebodn commented:
"""
On (22/02/17 02:09), Christian Heimes wrote:
> There are two reasons we decided on ```--without-ipatests```:
>
> * ```--with-tests``` / ```--without-tests``` is technically not correct. We still compile C tests. The flag is about the component ```ipatests```, so let's call it ```--without-ipatests```.
> * ```--with-ipatests``` / ```--without-ipatests``` is only relevant for downstream packaging to make the life of a packager a bit easier. FreeIPA is an upstream first project. The default settings for configure should be convenient and user-friendly for upstream developers and users.
>

`without-tests` was changed to `without-ipatests`.

freeipa-4.4 has a weird build system and all downstream packages had to do many tricks/workarounds to install and package it. The intention of the build refactoring was to make packaging as simple as possible.

The purpose of the client-only build, https://fedorahosted.org/freeipa/ticket/6517, is to allow packaging just the client parts on distributions which do not have systemd or do not want to depend on systemd. Because ipa-client-install just configures sssd and certmonger, which can still be compiled without systemd support.

So `--disable-server` must disable all parts which require anything with server dependencies. Therefore it disables js-lint, pylint and installation of ipatests. There is still a possibility to enable them with a client-only build, e.g. `./configure --disable-server --with-ipatests --enable-pylint`

> The final decision has been made.
>

The decision was made that there will be `--without-ipatests` for the tox use-case. Because the tox use-case is not a client-only build, explicitly enabling `ipatests` is required for the tox use-case.

LS
"""

See the full comment at https://github.com/freeipa/freeipa/pull/494#issuecomment-281633229
Re: [Freeipa-devel] Certificate Identity Mapping - new API to retrieve matching users
On 22.2.2017 11:28, Sumit Bose wrote:
> On Wed, Feb 22, 2017 at 10:02:24AM +0100, Petr Vobornik wrote:
>> On 02/22/2017 12:43 AM, Fraser Tweedale wrote:
>>> On Tue, Feb 21, 2017 at 06:12:23PM +0100, Petr Vobornik wrote:
>>>> On 02/21/2017 05:15 PM, Florence Blanc-Renaud wrote:
>>>>> Hi,
>>>>>
>>>>> related to the Certificate Identity Mapping feature, a new CLI will be needed to find all the users matching a given certificate.
>>>>>
>>>>> I propose to provide this as:
>>>>>
>>>>> ipa certmaptest --certificate
>>>>> ---
>>>>> 2 users matched
>>>>> ---
>>>>> Matched user login: test1
>>>>> Matched user login: test2
>>>>>
>>>>> Number of entries returned 2
>>>>>
>>>>> Please provide any comments, suggestions on the CLI or the output.
>>>>> Thanks,
>>>>> Flo.
>>>>>
>>>> Thanks Flo for sharing it.
>>>>
>>>> I don't like the command name. It is not self explanatory. It says it is testing something, it is not clear what and the actual result is users who match the map configuration or have the cert in their user's entry.
>>>>
>>>> Better would be:
>>>> $ ipa certmap-match --certificate
>>>>
>>> How about `ipa certmap-find-user ...'? Doesn't get more obvious than that, IMO.
>>
>> Was thinking about that as well but I think that the command might, in future, return also something else than user object, e.g. ID override.
>
> No, since the ID override is related to a user the user should be returned not the override.

"user" in IPA means IPA user, so there will be a difference between IPA users and external users, which I think was Petr's point. I agree with him that certmap-find-user is not the right name for the command, because it suggests that it returns only IPA users.

> bye,
> Sumit
>
>>>> Pasting user story to give context if somebody is not familiar with it:
>>>> """
>>>> As a Security Officer, I want to present IdM Server with an Employee Smart Card certificate and list all Employees with a matching role account, so that I can validate the configuration is correct
>>>>
>>>> Note: In FreeIPA 4.4, user-find --certificate can already find users linked with a certificate blob
>>>>
>>>> Acceptance criteria:
>>>> * I can perform the administrative task both via IdM Web UI and CLI
>>>> * When asking IdM for the information, I should always receive the same list that would be matched in client authentication workflows (by SSSD)
>>>> * The list of users should include both users linked via standard certificate blob and other generically mapped users
>>>> """
>>>> --
>>>> Petr Vobornik
>>>>
>>>> Associate Manager, Engineering, Identity Management
>>>> Red Hat, Inc.
>>
>> --
>> Petr Vobornik
>>
>> Associate Manager, Engineering, Identity Management
>> Red Hat, Inc.

--
Jan Cholasta
[Freeipa-devel] [freeipa PR#494][comment] Support client-only build
URL: https://github.com/freeipa/freeipa/pull/494 Title: #494: Support client-only build lslebodn commented: """ On (22/02/17 02:23), Christian Heimes wrote: >tiran requested changes on this pull request. > >see comments > >> -CFLAGS="$bck_cflags" >- >-LIBPDB_NAME="" >-AC_CHECK_LIB([samba-passdb], >- [make_pdb_method], >- [LIBPDB_NAME="samba-passdb"; HAVE_LIBPDB=1], >- [LIBPDB_NAME="pdb"], >- [$SAMBA40EXTRA_LIBPATH]) >- >-if test "x$LIB_PDB_NAME" = "xpdb" ; then >- AC_CHECK_LIB([$LIBPDB_NAME], >- [make_pdb_method], >- [HAVE_LIBPDB=1], >- [AC_MSG_ERROR([Neither libpdb nor libsamba-passdb does have >make_pdb_method])], >- [$SAMBA40EXTRA_LIBPATH]) >+AC_MSG_CHECKING($(basename $PYTHON) module setuptools ) > >Please put this in a separate PR. This is not related to --disable-server. > refactoring/cleaning is requred for minimising dependencies before split. Otherwise git log would be confusing. >+AM_CONDITIONAL([ENABLE_SERVER], [test x"$enable_server" = xyes]) >+if test x"$enable_server" = xyes; then >+m4_include([server.m4]) >+fi >+ >+AC_ARG_WITH([tests], >+[AC_HELP_STRING([--with-tests], > >NACK, ```without-ipatests``` > already changed. LS """ See the full comment at https://github.com/freeipa/freeipa/pull/494#issuecomment-281631097 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
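Review bot: in the quoted removed block, `if test "x$LIB_PDB_NAME" = "xpdb"` tests a variable that is never assigned; the preceding `AC_CHECK_LIB` sets `LIBPDB_NAME`, so the inner libpdb fallback check can never run. If this detection is being moved into server.m4 rather than dropped, carry the corrected name (`LIBPDB_NAME`) along with it instead of the typo.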
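Review bot: `m4_include([server.m4])` inside `if test x"$enable_server" = xyes; then ... fi` is expanded by m4 when configure is generated, so all of server.m4 is always compiled into the script and only its shell code is skipped at run time. Any `AC_ARG_*` help text declared there still appears unconditionally, and any `AM_CONDITIONAL` declared inside server.m4 whose shell body is skipped by the `if` makes configure fail with "conditional ... was never defined". Keep `AM_CONDITIONAL` invocations outside the runtime guard (as is done for `ENABLE_SERVER` just above), and include server.m4 unconditionally with the guard applied only to the checks inside it.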
[Freeipa-devel] [freeipa PR#494][comment] Support client-only build
URL: https://github.com/freeipa/freeipa/pull/494
Title: #494: Support client-only build

lslebodn commented:
"""
On (22/02/17 02:16), Christian Heimes wrote:
> NACK on 42fb9b1c
>
> * Either use ```--with-ipaplatform=redhat``` on CentOS
> * Or implement a proper way to fill ipaplatform from ```/etc/os-release``` value ```ID_LIKE```, https://www.freedesktop.org/software/systemd/man/os-release.html
>

ID_LIKE is multi-valued on centos; it cannot be used.

```
sh# cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
```

> Either way, this should be handled by a separate PR and not mixed with client-only builds.
>

The purpose of the client-only build is to make the life of packagers simpler. This patch improves UX so it needs to be part of this PR.

LS
"""

See the full comment at https://github.com/freeipa/freeipa/pull/494#issuecomment-281630224
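The comment above turns on whether a multi-valued `ID_LIKE` can drive platform selection. As an added example (not FreeIPA's own code), the parser below reads os-release the way the spec describes it and walks `ID` first and then each `ID_LIKE` value in its stated order of similarity; the `KNOWN_PLATFORMS` table and the platform names in it are assumptions for illustration, and the sample content is constructed from the CentOS 7 output quoted in the thread.

```python
"""Added example: derive a platform name from /etc/os-release content,
treating ID_LIKE as the ordered, space-separated list it is defined as.
Not FreeIPA code; the mapping table is a hypothetical stand-in."""
import shlex

# Hypothetical mapping from os-release IDs to platform directory names.
# None means "this ID has no platform of its own, fall through to ID_LIKE".
KNOWN_PLATFORMS = {
    "fedora": "fedora",
    "rhel": "redhat",
    "centos": None,
    "debian": "debian",
}

# Constructed sample, taken from the CentOS 7 output quoted in the thread.
SAMPLE_OS_RELEASE = '''NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
'''


def parse_os_release(text):
    """Parse KEY=VALUE lines. Values may be quoted with shell-style
    quoting, which shlex.split() unescapes; blank and comment lines are
    skipped, as are lines without '='."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        parts = shlex.split(value)
        result[key.strip()] = parts[0] if parts else ""
    return result


def detect_platform(os_release, known=KNOWN_PLATFORMS):
    """Return the platform name for this OS, or None when neither ID nor
    any ID_LIKE entry maps to a known platform. ID_LIKE is ordered from
    most to least similar, so the first hit wins: on CentOS that is 'rhel'
    before 'fedora'."""
    candidates = [os_release.get("ID", "")]
    candidates += os_release.get("ID_LIKE", "").split()
    for candidate in candidates:
        platform = known.get(candidate)
        if platform is not None:
            return platform
    return None
```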
Re: [Freeipa-devel] Certificate Identity Mapping - new API to retrieve matching users
On Wed, Feb 22, 2017 at 10:02:24AM +0100, Petr Vobornik wrote:
> On 02/22/2017 12:43 AM, Fraser Tweedale wrote:
> > On Tue, Feb 21, 2017 at 06:12:23PM +0100, Petr Vobornik wrote:
> > > On 02/21/2017 05:15 PM, Florence Blanc-Renaud wrote:
> > > > Hi,
> > > >
> > > > related to the Certificate Identity Mapping feature, a new CLI will be needed to find all the users matching a given certificate.
> > > >
> > > > I propose to provide this as:
> > > >
> > > > ipa certmaptest --certificate
> > > > ---
> > > > 2 users matched
> > > > ---
> > > > Matched user login: test1
> > > > Matched user login: test2
> > > >
> > > > Number of entries returned 2
> > > >
> > > > Please provide any comments, suggestions on the CLI or the output.
> > > > Thanks,
> > > > Flo.
> > > >
> > > Thanks Flo for sharing it.
> > >
> > > I don't like the command name. It is not self explanatory. It says it is testing something, it is not clear what and the actual result is users who match the map configuration or have the cert in their user's entry.
> > >
> > > Better would be:
> > > $ ipa certmap-match --certificate
> > >
> > How about `ipa certmap-find-user ...'? Doesn't get more obvious than that, IMO.
>
> Was thinking about that as well but I think that the command might, in future, return also something else than user object, e.g. ID override.

No, since the ID override is related to a user the user should be returned not the override.

bye,
Sumit

> > > Pasting user story to give context if somebody is not familiar with it:
> > > """
> > > As a Security Officer, I want to present IdM Server with an Employee Smart Card certificate and list all Employees with a matching role account, so that I can validate the configuration is correct
> > >
> > > Note: In FreeIPA 4.4, user-find --certificate can already find users linked with a certificate blob
> > >
> > > Acceptance criteria:
> > > * I can perform the administrative task both via IdM Web UI and CLI
> > > * When asking IdM for the information, I should always receive the same list that would be matched in client authentication workflows (by SSSD)
> > > * The list of users should include both users linked via standard certificate blob and other generically mapped users
> > > """
> > > --
> > > Petr Vobornik
> > >
> > > Associate Manager, Engineering, Identity Management
> > > Red Hat, Inc.
>
> --
> Petr Vobornik
>
> Associate Manager, Engineering, Identity Management
> Red Hat, Inc.
[Freeipa-devel] [freeipa PR#494][synchronized] Support client-only build
URL: https://github.com/freeipa/freeipa/pull/494 Author: lslebodn Title: #494: Support client-only build Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/494/head:pr494 git checkout pr494 From b4e0d5ed62bfdb09e1a329e35a15e8cb138026ab Mon Sep 17 00:00:00 2001 From: Lukas Slebodnik Date: Wed, 22 Feb 2017 09:39:08 +0100 Subject: [PATCH 01/14] CONFIGURE: Decrease dependency on libini_config libini_config is used only in ipa-getkeytab and it uses only functions from libini_config-1.1 sh$ objdump -p /usr/sbin/ipa-getkeytab | grep INI_CONFIG 0x00acdc20 0x00 04 INI_CONFIG_1.1.0 There is not any reason ho have dependency for higher version and lower dependency will allow to build client only on older distributions. --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 44dc11b..246803f 100644 --- a/configure.ac +++ b/configure.ac @@ -265,7 +265,7 @@ AC_SUBST(LIBINTL_LIBS) dnl --- dnl - Check for libini_config dnl --- -PKG_CHECK_MODULES([INI], [ini_config >= 1.2.0]) +PKG_CHECK_MODULES([INI], [ini_config >= 1.1.0]) dnl --- dnl - Check for systemd directories From be1e3f5b8764e03355a45b52a6fb0df9c0b408d8 Mon Sep 17 00:00:00 2001 From: Lukas Slebodnik Date: Wed, 22 Feb 2017 09:39:20 +0100 Subject: [PATCH 02/14] CONFIGURE: Properly detect libpopt on el7 libpopt added pkg-config file in 1.16 but there are still distributions which has older version of library (el6, el7). And new features from libpopt are not used anywhere. Configure should try to detect as much as possible and users should not use workarounds with explicitely enabled variables as parameters e.g. ./configure POPT_LIBS="-lpopt " --- configure.ac | 8 +++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 246803f..0a23fd2 100644 --- a/configure.ac +++ b/configure.ac 
@@ -235,7 +235,13 @@ PKG_CHECK_MODULES([SSSNSSIDMAP], [sss_nss_idmap >= 1.13.90]) dnl --- dnl - Check for POPT dnl --- -PKG_CHECK_MODULES([POPT], [popt]) +POPT_LIBS= +PKG_CHECK_MODULES([POPT], [popt], [], +[AC_CHECK_HEADER([popt.h], [], [AC_MSG_ERROR([popt.h not found])]) + AC_CHECK_LIB([popt], [poptGetContext], [POPT_LIBS="-lpopt"]) + AC_SUBST(POPT_LIBS) +] +) dnl --- dnl - Check for SASL From 811080737684c2e1fcab425616ec0a6f7d5a2dee Mon Sep 17 00:00:00 2001 From: Lukas Slebodnik Date: Wed, 22 Feb 2017 09:39:25 +0100 Subject: [PATCH 03/14] CONFIGURE: Improve detection of xmlrpc_c flags The pkg-config files for xmlrpc_c libraries are shipped just in fedora/rhel due to downstream patch. Debian does not have pkg-config files for xmlrpc_c. Therefore we need to fallback to older method of detection XMLRPC_*FLAGS which was reverted by the commit 1e0143c159134337a00a91d4ae64e614f72da62e --- configure.ac | 15 ++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 0a23fd2..821ae21 100644 --- a/configure.ac +++ b/configure.ac @@ -251,7 +251,20 @@ PKG_CHECK_MODULES([SASL], [libsasl2]) dnl --- dnl - Check for XMLRPC-C dnl --- -PKG_CHECK_MODULES([XMLRPC], [xmlrpc xmlrpc_client xmlrpc_util]) +PKG_CHECK_MODULES([XMLRPC], [xmlrpc xmlrpc_client xmlrpc_util], [], + [try_xmlrpc_fallback=true]) +if test x"$try_xmlrpc_fallback" = xtrue; then +XMLRPC_LIBS= +AC_CHECK_HEADER([xmlrpc-c/base.h], [], +[AC_MSG_ERROR([xmlrpc-c/base.h not found])]) + +AC_CHECK_LIB([xmlrpc_client], [xmlrpc_client_init2], + [XMLRPC_LIBS="-lxmlrpc -lxmlrpc_client -lxmlrpc_util"]) +if test "x$XMLRPC_LIBS" = "x" ; then +AC_MSG_ERROR([xmlrpc-c not found]) +fi +AC_SUBST(XMLRPC_LIBS) +fi dnl --- dnl - Check for libintl From 34ebfdef2ca8578a6345de508c7dda1ce9c46ae8 Mon Sep 17 00:00:00 2001 
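Review bot: in the POPT fallback branch (the `PKG_CHECK_MODULES([POPT], [popt], [], [...])` hunk), `AC_CHECK_LIB([popt], [poptGetContext], [POPT_LIBS="-lpopt"])` has no action-if-not-found, so when popt.h is present but libpopt fails to link, configure continues with an empty `POPT_LIBS` and the failure only surfaces at link time. Pass `[AC_MSG_ERROR([libpopt not found])]` as the fourth argument, mirroring the `AC_MSG_ERROR` already used for the missing header. The pkg-config path also substitutes `POPT_CFLAGS`, which the fallback leaves undefined; add `POPT_CFLAGS=` with an `AC_SUBST(POPT_CFLAGS)` so Makefiles see the same variables in both cases.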
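Review bot: in the XMLRPC hunk, `try_xmlrpc_fallback` is tested with `if test x"$try_xmlrpc_fallback" = xtrue` but is never initialised before `PKG_CHECK_MODULES`, so a value inherited from the caller's environment triggers the manual detection even when pkg-config succeeded and overwrites `XMLRPC_LIBS` with the hard-coded `-lxmlrpc -lxmlrpc_client -lxmlrpc_util`. Set `try_xmlrpc_fallback=false` immediately before the check. As with the POPT hunk, the fallback substitutes only `XMLRPC_LIBS`; `XMLRPC_CFLAGS`, which `PKG_CHECK_MODULES` provides on the pkg-config path, stays unset and should be given an explicit empty value plus `AC_SUBST`.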
From: Lukas Slebodnik Date: Wed, 22 Feb 2017 09:39:31 +0100 Subject: [PATCH 04/14] CONFIGURE: Remove manual detection of libintl The gettext provided macro AM_GNU_GETTEXT checks for required header file "libintl.h" and also provide variable with linker flags LTLIBINTL. The detection is more robus an platform independent. It can also detect situation when gettext is not part of glibc and external library is required. This pa
[Freeipa-devel] [freeipa PR#494][comment] Support client-only build
URL: https://github.com/freeipa/freeipa/pull/494
Title: #494: Support client-only build

tiran commented:
"""
NACK on 42fb9b1c

* Either use ```--with-ipaplatform=redhat``` on CentOS
* Or implement a proper way to fill ipaplatform from ```/etc/os-release``` value ```ID_LIKE```, https://www.freedesktop.org/software/systemd/man/os-release.html

Either way, this should be handled by a separate PR and not mixed with client-only builds.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/494#issuecomment-281627091
[Freeipa-devel] [freeipa PR#494][comment] Support client-only build
URL: https://github.com/freeipa/freeipa/pull/494
Title: #494: Support client-only build

tiran commented:
"""
There are two reasons we decided on ```--without-ipatests```:

* ```--with-tests``` / ```--without-tests``` is technically not correct. We still compile C tests. The flag is about the component ```ipatests```, so let's call it ```--without-ipatests```.
* ```--with-ipatests``` / ```--without-ipatests``` is only relevant for downstream packaging to make the life of a packager a bit easier. FreeIPA is an upstream first project. The default settings for configure should be convenient and user-friendly for upstream developers and users.

The final decision has been made.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/494#issuecomment-281625456
[Freeipa-devel] [freeipa PR#494][comment] Support client-only build
URL: https://github.com/freeipa/freeipa/pull/494
Title: #494: Support client-only build

lslebodn commented:
"""
On (22/02/17 01:43), Christian Heimes wrote:
> NACK on aece4c3c
>
> We compromised on ```--without-ipatests``` with installation of ipatests defaulting to true. The compromise was already ACKed by @simo5
>

Default is true, because --enable-server has default value true. So the NACK should not count.

LS
"""

See the full comment at https://github.com/freeipa/freeipa/pull/494#issuecomment-281623863
[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server
URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

tomaskrizek commented:
"""
The PR works and the `--without-ipatests` option omits the ipatests directory. However, #494 doesn't install extra dependencies with `mock --without=server`.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-281621714
[Freeipa-devel] [freeipa PR#494][comment] Support client-only build
URL: https://github.com/freeipa/freeipa/pull/494
Title: #494: Support client-only build

tomaskrizek commented:
"""
@lslebodn My bad, there was some leftover stuff that `git clean -dfx` didn't clear for some reason. Nevertheless, this does work and allows a client-only build, as well as installing tests with the `--with-tests` option. The mock build when run with `--without=server` does install fewer dependencies.

But I'm not acking, because of the controversy with the `--with-tests` option (see #364).
"""

See the full comment at https://github.com/freeipa/freeipa/pull/494#issuecomment-281621335
[Freeipa-devel] [freeipa PR#494][comment] Support client-only build
URL: https://github.com/freeipa/freeipa/pull/494
Title: #494: Support client-only build

tiran commented:
"""
NACK on aece4c3c

We compromised on ```--without-ipatests``` with installation of ipatests defaulting to true. The compromise was already ACKed by @simo5
"""

See the full comment at https://github.com/freeipa/freeipa/pull/494#issuecomment-281619180
[Freeipa-devel] [freeipa PR#476][synchronized] vault: cache the transport certificate on client
URL: https://github.com/freeipa/freeipa/pull/476 Author: HonzaCholasta Title: #476: vault: cache the transport certificate on client Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/476/head:pr476 git checkout pr476 From bc9fdf7306e1ba2cf70f812dadbf65e33b629f6d Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Fri, 17 Feb 2017 11:25:17 +0100 Subject: [PATCH] vault: cache the transport certificate on client Cache the KRA transport certificate on disk (in ~/.cache/ipa) as well as in-memory for the lifetime of the API object. https://fedorahosted.org/freeipa/ticket/6652 --- ipaclient/plugins/vault.py | 157 +++ ipaclient/remote_plugins/__init__.py | 3 +- ipaclient/remote_plugins/schema.py | 12 +-- ipalib/constants.py | 14 4 files changed, 139 insertions(+), 47 deletions(-) diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py index 9efb1f1..1de5cc2 100644 --- a/ipaclient/plugins/vault.py +++ b/ipaclient/plugins/vault.py 
@@ -20,29 +20,41 @@ from __future__ import print_function import base64 +import errno import getpass import io import json import os import sys +import tempfile from cryptography.fernet import Fernet, InvalidToken from cryptography.hazmat.backends import default_backend -from cryptography.hazmat.primitives import hashes +from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC from cryptography.hazmat.primitives.asymmetric import padding from cryptography.hazmat.primitives.serialization import load_pem_public_key,\ load_pem_private_key import nss.nss as nss +import six from ipaclient.frontend import MethodOverride +from ipalib import x509 +from ipalib.constants import USER_CACHE_PATH from ipalib.frontend import Local, Method, Object from ipalib.util import classproperty from ipalib import api, errors from ipalib import Bytes, Flag, Str from ipalib.plugable import Registry from ipalib import _ +from ipapython.dnsutil import DNSName +from ipapython.ipa_log_manager import log_mgr + +logger = log_mgr.get_logger(__name__) + +TRANSPORT_CERT_CACHE_PATH = ( +os.path.join(USER_CACHE_PATH, 'ipa', 'kra-transport-certs')) def validated_read(argname, filename, mode='r', encoding=None): 
@@ -568,6 +580,111 @@ def forward(self, *args, **options): return response +class _TransportCertInvalid(Exception): +def __init__(self, exc_info): +self.exc_info = exc_info + + +_transport_cert_cache = {} + + +class ModVaultData(Local): +def _do_internal(self, mechanism, session_key, transport_cert_der, + *args, **options): +nss_transport_cert = nss.Certificate(transport_cert_der) + +# wrap session key with transport certificate +# pylint: disable=no-member +public_key = nss_transport_cert.subject_public_key_info.public_key +# pylint: enable=no-member +wrapped_session_key = nss.pub_wrap_sym_key(mechanism, + public_key, + session_key) + +options['session_key'] = wrapped_session_key.data + +name = self.name + '_internal' +try: +return self.api.Command[name](*args, **options) +except errors.NotFound: +raise +except (errors.InternalError, +errors.ExecutionError, +errors.GenericError): +raise _TransportCertInvalid(sys.exc_info()) + +def internal(self, mechanism, session_key, *args, **options): +""" +Calls the internal counterpart of the command. +""" +domain = self.api.env.domain +dirname = TRANSPORT_CERT_CACHE_PATH +basename = DNSName(domain).ToASCII() + '.pem' +filename = os.path.join(dirname, basename) + +# get transport cert from cache +transport_cert_der = _transport_cert_cache.get(domain) +if transport_cert_der is None: +try: +try: +transport_cert = x509.load_certificate_from_file(filename) +except EnvironmentError as e: +if e.errno != errno.ENOENT: +raise +else: +transport_cert_der = transport_cert.public_bytes( +serialization.Encoding.DER) +except Exception: +logger.warning("Failed to load %s: %s", filename, + exc_info=True) + +# try call with the cached transport cert, uncache it if unsuccessful +if transport_cert_der is not None: +try: +return self._do_internal(mechanism, + session_key, + transpor
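Review bot: in `ModVaultData.internal()`, `logger.warning("Failed to load %s: %s", filename, exc_info=True)` supplies two `%s` placeholders but only one positional argument, so formatting the record fails inside the logging module and the intended warning never appears (the logging machinery reports its own error to stderr instead). Either drop the second `%s`, since the traceback is already attached through `exc_info=True`, or pass the caught exception as the second argument. A smaller point in the same hunk: `_do_internal()` maps every `errors.InternalError`, `errors.ExecutionError` and `errors.GenericError` to `_TransportCertInvalid`, which evicts the cached certificate on any server-side failure of the internal command, not only on a wrap failure; that is a reasonable retry strategy, but deserves a comment so the broad catch is not narrowed later by accident.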
[Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages
URL: https://github.com/freeipa/freeipa/pull/472
Title: #472: Packaging: Add placeholder packages

MartinBasti commented:
"""
Thank you. I see errors reported by pylint

```
* Module ipaserver.install.installutils
ipaserver/install/installutils.py:1209: [E1101(no-member), store_version] Module 'ipaplatform' has no 'NAME' member)
ipaserver/install/installutils.py:1221: [E1101(no-member), check_version] Module 'ipaplatform' has no 'NAME' member)
ipaserver/install/installutils.py:1224: [E1101(no-member), check_version] Module 'ipaplatform' has no 'NAME' member)
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/472#issuecomment-281614386
Re: [Freeipa-devel] FreeIPA and wildcard certificates
On 02/20/2017 06:03 AM, Fraser Tweedale wrote:
> On Fri, Feb 10, 2017 at 11:48:39AM +0100, Martin Kosek wrote:
>> On 02/10/2017 10:37 AM, Fraser Tweedale wrote:
>>> On Fri, Feb 10, 2017 at 09:23:10AM +0100, Martin Kosek wrote:
>>>> On 02/09/2017 10:44 PM, Fraser Tweedale wrote:
>>>>> On Thu, Feb 09, 2017 at 08:37:23AM +0100, Martin Kosek wrote:
>>>>>> On 02/09/2017 02:12 AM, Fraser Tweedale wrote:
>>>>>>> On Wed, Feb 08, 2017 at 10:19:54AM +0200, Alexander Bokovoy wrote:
>>>>>>>> On ke, 08 helmi 2017, Martin Kosek wrote:
>>>>>>>>> Hi Fraser and the list,
>>>>>>>>>
>>>>>>>>> I recently was in a conversation about integrating OpenShift with FreeIPA. One of the gaps was around generating a wildcard certificate by FreeIPA that will be used in the default OpenShift router for applications that do not deploy own certificates [1].
>>>>>>>>>
>>>>>>>>> Is there any way that FreeIPA can generate it? I was thinking that uploading some custom certificate profile in FreeIPA may let us get such certificate... Or is the only way we can add it by adding a new RFE in FreeIPA, tracked in [2]?
>>>>>>>> Yes, we need a new RFE. There are checks in IPA that prevent wildcard certificates from being issued:
>>>>>>>> - we ensure subject 'cn' of the certificate matches a Kerberos principal specified in the request
>>>>>>>> - we validate that host object exists in IPA when the Kerberos principal is host/...
>>>>>>>>
>>>>>>>> We could lift off these two limitations for 'cn=*,$suffix' but there is still a need to apply proper ACLs when issuing the cert -- e.g. some object has to be used for performing access rights check. The wildcard certificate does not need to be stored anywhere in the tree, but a check still needs to be done.
>>>>>>>>
>>>>>>>> For example, for Kerberos PKINIT certificate which is issued to KDC we don't store public certificate in LDAP either but we do two checks:
>>>>>>>> - a special KDC certificate profile is used to issue the cert
>>>>>>>> - a special hostname check is done so that only IPA masters are able to request this certificate
>>>>>>>>
>>>>>>>> For the wildcard certificate I think we could have following:
>>>>>>>> - use a separate profile for the wildcard, associated with a sub-CA
>>>>>>>> - hardcode CN default in the profile to always be 'CN=*, O=$SUB_CA_SUBJECT' so that actual certificate ignores requested CN.
>>>>>>>> - a special check to be done so that only wildcard-based subject alternative names can be added to a wildcard certificate request
>>>>>>>> - all Kerberos principal / hostname checks are skipped.
>>>>>>>> - actual ACL check is done by CA ACL.
>>>>>>> Issuing wildcard certs is a deprecated practice[1]. I am not dismissing the needs of OpenShift (or PaaS/IaaS solutions in general) but I'd like to have a discussion with them about how they're currently dealing with certs and whether a different direction other than wildcard certs is feasible. Martin, who should I reach out to? Feel free to copy them into this discussion.
>>>>>>
>>>>>> Right now, I am talking to a Solution Architect, i.e. someone who is building GAed solutions, not developers. This is not something we would change short-term anyway, this is how current OpenShift v2 or v3 behaves, despite the RFC.
>>>>>>
>>>>>> While I understand why having certificate *.lab.example.com and using it for my lab machines is a bad idea and increases the attack vector, I do not see it that way for OpenShift. There, applications get URL like ".myopenshift.test" and all is routed by one entity, the OpenShift broker. So the key.cert is on one location, just serving different names that are provisioned with OpenShift.
>>>>>>
>>>>>> I can understand that issuing a new certificate for every application provisioned by OpenShift and then renewing it complicates the design significantly. I am trying to be creative and see if current OpenShift could leverage FreeIPA CA and issue the broker cert, with current profile capabilities or with small change.
>>>>>>
>>>>> I believe OpenShift supports per-application certificates (i.e. when app developers/maintainers supply their own cert for a custom domain). So it might be possible in v2 or v3 to provision a cert for every app.
>>>>
>>>> Right, it supports this. But then issuing the certificate and renewal is a responsibility of app developer, AFAIK. I do not think OpenShift has all the needed hooks to do this automatically and call certmonger for example.
>>>>
>>>> TLDR; adding a support of certmonger and issuing a certificate f
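Alexander's reply above lists the request-time checks IPA applies today (subject CN must match the requesting principal, and the host object must exist) and sketches a wildcard profile that ignores the requested CN and admits only wildcard SANs. As an added example that is not FreeIPA code, the module below models both policies side by side; the host inventory, the profile names, the sub-CA zone restriction on wildcard SANs and the `evaluate()` hook shape are assumptions for illustration.

```python
"""Added example, not FreeIPA code: a model of the certificate request
checks discussed in the thread. 'host' keeps the existing rules; 'wildcard'
is the proposed profile with a fixed CN and wildcard-only SANs. Inventory,
zone restriction and return shape are assumptions."""
import re

# Constructed stand-in for the host objects known to IPA.
KNOWN_HOSTS = {"web1.ipa.example.test", "web2.ipa.example.test"}

# One DNS label; a wildcard name is '*.' followed by at least two labels,
# so '*.test' and '*.*.example.test' are both rejected by the pattern.
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
WILDCARD_NAME = re.compile(r"^\*\.(?:%s\.)+%s$" % (LABEL, LABEL))


class RequestRejected(Exception):
    pass


def check_host_profile(principal, subject_cn, sans):
    """Existing behaviour: CN must equal the host part of the host/...
    principal, that host must be an IPA host object, and no wildcard SAN
    may ride along in a host certificate."""
    if not principal.startswith("host/"):
        raise RequestRejected("not a host principal")
    hostname = principal[len("host/"):].split("@", 1)[0].lower()
    if subject_cn.lower() != hostname:
        raise RequestRejected("subject CN does not match principal")
    if hostname not in KNOWN_HOSTS:
        raise RequestRejected("host object not found")
    for san in sans:
        if "*" in san:
            raise RequestRejected("wildcard SAN not allowed in host profile")
    return {"cn": hostname, "sans": [s.lower() for s in sans]}


def check_wildcard_profile(subject_cn, sans, zone):
    """Proposed wildcard profile: the requested CN is discarded in favour
    of the profile default '*', every SAN must be a single leftmost
    wildcard, and (assumed here) the wildcard must sit inside the zone
    served by the issuing sub-CA. Principal and host checks are skipped."""
    if not sans:
        raise RequestRejected("wildcard request needs at least one SAN")
    zone = zone.lower().rstrip(".")
    accepted = []
    for san in sans:
        name = san.lower().rstrip(".")
        if not WILDCARD_NAME.match(name):
            raise RequestRejected("SAN %r is not a wildcard name" % san)
        # '*.<zone>' itself is fine; anything deeper must still end in the zone.
        if name[2:] != zone and not name.endswith("." + zone):
            raise RequestRejected("SAN %r lies outside zone %s" % (san, zone))
        accepted.append(name)
    # subject_cn is deliberately ignored, as the proposed profile hardcodes CN.
    return {"cn": "*", "sans": accepted}


def evaluate(profile, **request):
    """Dispatch to the profile's check and fold the outcome into a
    (decision, detail) pair, the shape a CA-side policy hook would return."""
    checks = {"host": check_host_profile, "wildcard": check_wildcard_profile}
    try:
        return "accepted", checks[profile](**request)
    except RequestRejected as e:
        return "rejected", str(e)
```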
[Freeipa-devel] [freeipa PR#397][comment] Improve wheel building and provide ipaserver wheel for local testing
URL: https://github.com/freeipa/freeipa/pull/397 Title: #397: Improve wheel building and provide ipaserver wheel for local testing HonzaCholasta commented: """
The trust plugin and other trust bits are optional. The cert plugin, which depends on `pyhbac`, is *not* optional, so you can't apply the same logic to it. An acceptable compromise would be to skip the cert plugin entirely if `pyhbac` is not available:

```python
# Imports assumed from ipalib, as in the other plugin modules.
from ipalib import errors, _

try:
    import pyhbac
except ImportError:
    raise errors.SkipPluginModule(reason=_('pyhbac is not installed'))
```
"""
See the full comment at https://github.com/freeipa/freeipa/pull/397#issuecomment-281612799
[Freeipa-devel] [freeipa PR#485][closed] Fix session logout
URL: https://github.com/freeipa/freeipa/pull/485 Author: simo5 Title: #485: Fix session logout Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/485/head:pr485 git checkout pr485
[Freeipa-devel] [freeipa PR#485][+pushed] Fix session logout
URL: https://github.com/freeipa/freeipa/pull/485 Title: #485: Fix session logout Label: +pushed
[Freeipa-devel] [freeipa PR#485][comment] Fix session logout
URL: https://github.com/freeipa/freeipa/pull/485 Title: #485: Fix session logout martbab commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/908d2eaba46f5f123b49af400a8b696545c62b54 """ See the full comment at https://github.com/freeipa/freeipa/pull/485#issuecomment-281612684
[Freeipa-devel] [freeipa PR#494][comment] Support client-only build
URL: https://github.com/freeipa/freeipa/pull/494 Title: #494: Support client-only build lslebodn commented: """ BTW I tested client-only build on fedora24, fedora25, fedora rawhide, epel7, debian stable, debian testing, debian unstable """ See the full comment at https://github.com/freeipa/freeipa/pull/494#issuecomment-281611039
[Freeipa-devel] [freeipa PR#494][comment] Support client-only build
URL: https://github.com/freeipa/freeipa/pull/494 Title: #494: Support client-only build lslebodn commented: """
On (22/02/17 00:59), Tomas Krizek wrote:
>I'm not able to run autoreconf, it fails with the following error:
>
>```
>configure.ac:447: error: required file 'init/tmpfilesd/Makefile.in' not found
>asn1/Makefile.am: installing './depcomp'
>parallel-tests: installing './test-driver'
>autoreconf: automake failed with exit status: 1
>```

I cannot see such file in git :-(

```
sh$ git clean -fdx
sh$ ls init/
ipa-dnskeysyncd  ipa-ods-exporter  Makefile.am  systemd
```

and it isn't in configure either

```
sh$ grep "/tmpfilesd" configure.ac *.m4
sh$ $echo $?
1
```

LS
"""
See the full comment at https://github.com/freeipa/freeipa/pull/494#issuecomment-281610715
Re: [Freeipa-devel] Certificate Identity Mapping - new API to retrieve matching users
On 02/22/2017 12:43 AM, Fraser Tweedale wrote:
On Tue, Feb 21, 2017 at 06:12:23PM +0100, Petr Vobornik wrote:
On 02/21/2017 05:15 PM, Florence Blanc-Renaud wrote:

Hi,

related to the Certificate Identity Mapping feature, a new CLI will be needed to find all the users matching a given certificate. I propose to provide this as:

ipa certmaptest --certificate
---
2 users matched
---
Matched user login: test1
Matched user login: test2
Number of entries returned 2

Please provide any comments, suggestions on the CLI or the output.

Thanks,
Flo.

Thanks Flo for sharing it. I don't like the command name. It is not self explanatory. It says it is testing something, it is not clear what and the actual result is users who match the map configuration or have the cert in their user's entry. Better would be:

$ ipa certmap-match --certificate

How about `ipa certmap-find-user ...'? Doesn't get more obvious than that, IMO.

Was thinking about that as well but I think that the command might, in future, return also something else then user object, e.g. ID override.

Pasting user story to give context if somebody is not familiar with it:
"""
As a Security Officer, I want to present IdM Server with an Employee Smart Card certificate and list all Employees with a matching role account, so that I can validate the configuration is correct

Note: In FreeIPA 4.4, user-find --certificate can already find users linked with a certificate blob

Acceptance criteria:
* I can perform the administrative task both via IdM Web UI and CLI
* When asking IdM for the information, I should always receive the same list that would be matched in client authentication workflows (by SSSD)
* The list of users should include both users linked via standard certificate blob and other generically mapped users
"""
--
Petr Vobornik
Associate Manager, Engineering, Identity Management
Red Hat, Inc.
[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server
URL: https://github.com/freeipa/freeipa/pull/364 Title: #364: Client-only builds with --disable-server lslebodn commented: """
>Thanks for your contribution. I added your patch to my PR. On my system I ran
>into a minor issue.
>Some C99 types like uint8_t were not defined and I had to
>include stdint.h.

This change is not enough; there is still warning:

```
ipa_pwd_ntlm.c: In function 'encode_nt_key':
ipa_pwd_ntlm.c:58:5: warning: implicit declaration of function 'strlen' [-Wimplicit-function-declaration]
     il = strlen(newPasswd);
     ^
ipa_pwd_ntlm.c:58:10: warning: incompatible implicit declaration of built-in function 'strlen'
     il = strlen(newPasswd);
          ^
```

>By the way I'm just going to ignore your snidely and snarky comment.

No problem. I am going to forget that my proposal for compromise was ignored for 12 days.

The latest version is a small improvement; but there are still problems small issues because this PR was not created with intention to use tox. I know you are busy. So I wrote client-only implementation from scratch.

This PR is superseded by #494
"""
See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-281606346
[Freeipa-devel] [freeipa PR#494][comment] Support client-only build
URL: https://github.com/freeipa/freeipa/pull/494 Title: #494: Support client-only build tomaskrizek commented: """
I'm not able to run autoreconf, it fails with the following error:

```
configure.ac:447: error: required file 'init/tmpfilesd/Makefile.in' not found
asn1/Makefile.am: installing './depcomp'
parallel-tests: installing './test-driver'
autoreconf: automake failed with exit status: 1
```
"""
See the full comment at https://github.com/freeipa/freeipa/pull/494#issuecomment-281608826
[Freeipa-devel] [freeipa PR#494][opened] Support client-only build
URL: https://github.com/freeipa/freeipa/pull/494 Author: lslebodn Title: #494: Support client-only build Action: opened PR body: """ How to test: * autoreconf -if * ./configure --disable-server * make srpms * mock --rebuild dist/rpms/freeipa-4.4.90.*.src.rpm --resultdir . * mock --rebuild dist/rpms/freeipa-4.4.90.*.src.rpm --resultdir . --without=server """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/494/head:pr494 git checkout pr494 From b4e0d5ed62bfdb09e1a329e35a15e8cb138026ab Mon Sep 17 00:00:00 2001 From: Lukas Slebodnik Date: Wed, 22 Feb 2017 09:39:08 +0100 Subject: [PATCH 01/14] CONFIGURE: Decrease dependency on libini_config libini_config is used only in ipa-getkeytab and it uses only functions from libini_config-1.1 sh$ objdump -p /usr/sbin/ipa-getkeytab | grep INI_CONFIG 0x00acdc20 0x00 04 INI_CONFIG_1.1.0 There is not any reason ho have dependency for higher version and lower dependency will allow to build client only on older distributions. --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 44dc11b..246803f 100644 --- a/configure.ac +++ b/configure.ac @@ -265,7 +265,7 @@ AC_SUBST(LIBINTL_LIBS) dnl --- dnl - Check for libini_config dnl --- -PKG_CHECK_MODULES([INI], [ini_config >= 1.2.0]) +PKG_CHECK_MODULES([INI], [ini_config >= 1.1.0]) dnl --- dnl - Check for systemd directories From be1e3f5b8764e03355a45b52a6fb0df9c0b408d8 Mon Sep 17 00:00:00 2001 
From: Lukas Slebodnik Date: Wed, 22 Feb 2017 09:39:20 +0100 Subject: [PATCH 02/14] CONFIGURE: Properly detect libpopt on el7 libpopt added pkg-config file in 1.16 but there are still distributions which has older version of library (el6, el7). And new features from libpopt are not used anywhere. Configure should try to detect as much as possible and users should not use workarounds with explicitely enabled variables as parameters e.g. ./configure POPT_LIBS="-lpopt " --- configure.ac | 8 +++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 246803f..0a23fd2 100644 --- a/configure.ac +++ b/configure.ac @@ -235,7 +235,13 @@ PKG_CHECK_MODULES([SSSNSSIDMAP], [sss_nss_idmap >= 1.13.90]) dnl --- dnl - Check for POPT dnl --- -PKG_CHECK_MODULES([POPT], [popt]) +POPT_LIBS= +PKG_CHECK_MODULES([POPT], [popt], [], +[AC_CHECK_HEADER([popt.h], [], [AC_MSG_ERROR([popt.h not found])]) + AC_CHECK_LIB([popt], [poptGetContext], [POPT_LIBS="-lpopt"]) + AC_SUBST(POPT_LIBS) +] +) dnl --- dnl - Check for SASL From 811080737684c2e1fcab425616ec0a6f7d5a2dee Mon Sep 17 00:00:00 2001 From: Lukas Slebodnik Date: Wed, 22 Feb 2017 09:39:25 +0100 Subject: [PATCH 03/14] CONFIGURE: Improve detection of xmlrpc_c flags The pkg-config files for xmlrpc_c libraries are shipped just in fedora/rhel due to downstream patch. Debian does not have pkg-config files for xmlrpc_c. Therefore we need to fallback to older method of detection XMLRPC_*FLAGS which was reverted by the commit 1e0143c159134337a00a91d4ae64e614f72da62e --- configure.ac | 15 ++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 0a23fd2..821ae21 100644 --- a/configure.ac +++ b/configure.ac 
@@ -251,7 +251,20 @@ PKG_CHECK_MODULES([SASL], [libsasl2]) dnl --- dnl - Check for XMLRPC-C dnl --- -PKG_CHECK_MODULES([XMLRPC], [xmlrpc xmlrpc_client xmlrpc_util]) +PKG_CHECK_MODULES([XMLRPC], [xmlrpc xmlrpc_client xmlrpc_util], [], + [try_xmlrpc_fallback=true]) +if test x"$try_xmlrpc_fallback" = xtrue; then +XMLRPC_LIBS= +AC_CHECK_HEADER([xmlrpc-c/base.h], [], +[AC_MSG_ERROR([xmlrpc-c/base.h not found])]) + +AC_CHECK_LIB([xmlrpc_client], [xmlrpc_client_init2], + [XMLRPC_LIBS="-lxmlrpc -lxmlrpc_client -lxmlrpc_util"]) +if test "x$XMLRPC_LIBS" = "x" ; then +AC_MSG_ERROR([xmlrpc-c not found]) +fi +AC_SUBST(XMLRPC_LIBS) +fi dnl --- dnl - Check for libintl From 34ebfdef2ca8578a6345de508c7dda1ce9c46ae8 Mon Sep 17 00:00:00 2001 From: Lukas Slebodnik Date: Wed, 22 Feb 2017 09:39:31 +0100 Subject: [PATCH 04/14] CONFIGURE: Remove manual detection of libintl The gettext provided macro AM_GNU_GETTEXT checks for required h
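Review bot: in PATCH 01/14 the lowered `ini_config >= 1.1.0` floor rests only on the objdump symbol-version check quoted in the commit message, and nothing in configure.ac records that; add a `dnl` comment above the `PKG_CHECK_MODULES([INI], [ini_config >= 1.1.0])` line stating that ipa-getkeytab uses only the libini_config 1.1 API, so the minimum is not bumped back without a reason.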
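Review bot: in the POPT fallback branch of PATCH 02/14, `AC_CHECK_LIB([popt], [poptGetContext], [POPT_LIBS="-lpopt"])` has no action-if-not-found, so when popt.h is present but the library does not link, POPT_LIBS stays empty and configure still succeeds, deferring the failure to link time; mirror the xmlrpc fallback in PATCH 03/14 and stop with `AC_MSG_ERROR([libpopt not found])` when POPT_LIBS is still empty after the check. Only POPT_LIBS is substituted in this branch; if any Makefile.am refers to $(POPT_CFLAGS), substitute it (empty) here as well so both code paths export the same variables.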
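Review bot: in PATCH 03/14, `AC_CHECK_LIB([xmlrpc_client], [xmlrpc_client_init2], ...)` links its probe against -lxmlrpc_client alone, while the XMLRPC_LIBS it then sets lists -lxmlrpc and -lxmlrpc_util too, so on a toolchain that does not resolve indirect dependencies the probe can fail with all three libraries installed; pass the companions in the fifth argument, e.g. `AC_CHECK_LIB([xmlrpc_client], [xmlrpc_client_init2], [XMLRPC_LIBS="-lxmlrpc -lxmlrpc_client -lxmlrpc_util"], [], [-lxmlrpc -lxmlrpc_util])`. Also initialise `try_xmlrpc_fallback=false` before the PKG_CHECK_MODULES call so that a stray value inherited from the environment cannot switch the fallback on.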
[Freeipa-devel] [freeipa PR#397][comment] Improve wheel building and provide ipaserver wheel for local testing
URL: https://github.com/freeipa/freeipa/pull/397 Title: #397: Improve wheel building and provide ipaserver wheel for local testing tiran commented: """ @HonzaCholasta FreeIPA has conditional imports for SSSD modules in several places, e.g. in the trust plugin. 96f614e closes the gap and applies the same technique to the last unconditional import from SSSD. """ See the full comment at https://github.com/freeipa/freeipa/pull/397#issuecomment-281604493
[Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages
URL: https://github.com/freeipa/freeipa/pull/472 Title: #472: Packaging: Add placeholder packages tiran commented: """ OK, you got ```with_wheels``` in ```freeipa.spec.in``` now. ```with_wheels``` is more logical than ```with_pypi``` because wheels have more uses than just PyPI upload. """ See the full comment at https://github.com/freeipa/freeipa/pull/472#issuecomment-281600990
[Freeipa-devel] [freeipa PR#472][synchronized] Packaging: Add placeholder packages
URL: https://github.com/freeipa/freeipa/pull/472 Author: tiran Title: #472: Packaging: Add placeholder packages Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/472/head:pr472 git checkout pr472 From 1d3e58c133fc00c6bd07c1018c9ab0e1ca4e0889 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Thu, 16 Feb 2017 15:27:49 +0100 Subject: [PATCH 1/4] Packaging: Add placeholder packages The ipa and freeipa packages are placeholders to prevent PyPI squashing attacks and reserve the names for future use. `pip install ipa` installs ipaclient. Signed-off-by: Christian Heimes --- Makefile.am | 4 +++- Makefile.python.am| 21 + configure.ac | 3 +++ packaging/Makefile.am | 10 ++ packaging/freeipa/Makefile.am | 3 +++ packaging/freeipa/README.txt | 2 ++ packaging/freeipa/setup.cfg | 6 ++ packaging/freeipa/setup.py| 23 +++ packaging/ipa/Makefile.am | 3 +++ packaging/ipa/README.txt | 2 ++ packaging/ipa/setup.cfg | 6 ++ packaging/ipa/setup.py| 23 +++ 12 files changed, 97 insertions(+), 9 deletions(-) create mode 100644 packaging/Makefile.am create mode 100644 packaging/freeipa/Makefile.am create mode 100644 packaging/freeipa/README.txt create mode 100644 packaging/freeipa/setup.cfg create mode 100755 packaging/freeipa/setup.py create mode 100644 packaging/ipa/Makefile.am create mode 100644 packaging/ipa/README.txt create mode 100644 packaging/ipa/setup.cfg create mode 100755 packaging/ipa/setup.py diff --git a/Makefile.am b/Makefile.am index 30ad9bb..a6faa11 100644 --- a/Makefile.am +++ b/Makefile.am 
@@ -1,7 +1,7 @@ ACLOCAL_AMFLAGS = -I m4 IPACLIENT_SUBDIRS = ipaclient ipalib ipapython -SUBDIRS = asn1 util client contrib daemons init install $(IPACLIENT_SUBDIRS) ipaplatform ipaserver ipatests po +SUBDIRS = asn1 util client contrib daemons init install $(IPACLIENT_SUBDIRS) ipaplatform ipaserver ipatests packaging po MOSTLYCLEANFILES = ipasetup.pyc ipasetup.pyo \ ignore_import_errors.pyc ignore_import_errors.pyo \ @@ -206,6 +206,8 @@ $(WHEELBUNDLEDIR): mkdir -p $(WHEELBUNDLEDIR) bdist_wheel: $(WHEELDISTDIR) + $(MAKE) $(AM_MAKEFLAGS) -C packaging/ipa bdist_wheel || exit 1; + $(MAKE) $(AM_MAKEFLAGS) -C packaging/freeipa bdist_wheel || exit 1; for dir in $(IPACLIENT_SUBDIRS); do \ $(MAKE) $(AM_MAKEFLAGS) -C $${dir} $@ || exit 1; \ done diff --git a/Makefile.python.am b/Makefile.python.am index 665893f..9c34fe3 100644 --- a/Makefile.python.am +++ b/Makefile.python.am @@ -1,5 +1,6 @@ pkgname = $(shell basename "$(abs_srcdir)") pkgpythondir = $(pythondir)/$(pkgname) +pkginstall = true if VERBOSE_MAKE VERBOSITY="--verbose" @@ -19,16 +20,20 @@ all-local: $(top_builddir)/ipasetup.py --build-base "$(abs_builddir)/build" install-exec-local: $(top_builddir)/ipasetup.py - $(PYTHON) $(srcdir)/setup.py \ - $(VERBOSITY) \ - install \ - --prefix "$(DESTDIR)$(prefix)" \ - --single-version-externally-managed \ - --record "$(DESTDIR)$(pkgpythondir)/install_files.txt" \ - --optimize 1 + if [ "x$(pkginstall)" = "xtrue" ]; then \ + $(PYTHON) $(srcdir)/setup.py \ + $(VERBOSITY) \ + install \ + --prefix "$(DESTDIR)$(prefix)" \ + --single-version-externally-managed \ + --record "$(DESTDIR)$(pkgpythondir)/install_files.txt" \ + --optimize 1; \ + fi uninstall-local: - cat "$(DESTDIR)$(pkgpythondir)/install_files.txt" | xargs rm -rf + if [ -f "$(DESTDIR)$(pkgpythondir)/install_files.txt" ]; then \ + cat "$(DESTDIR)$(pkgpythondir)/install_files.txt" | xargs rm -rf ; \ + fi rm -rf "$(DESTDIR)$(pkgpythondir)" clean-local: $(top_builddir)/ipasetup.py 
diff --git a/configure.ac b/configure.ac index 44dc11b..f48ba14 100644 --- a/configure.ac +++ b/configure.ac @@ -577,6 +577,9 @@ AC_CONFIG_FILES([ ipaserver/Makefile ipatests/Makefile ipatests/man/Makefile +packaging/Makefile +packaging/freeipa/Makefile +packaging/ipa/Makefile po/Makefile.in po/Makefile.hack util/Makefile diff --git a/packaging/Makefile.am b/packaging/Makefile.am new file mode 100644 index 000..5725ed9 --- /dev/null +++ b/packaging/Makefile.am @@ -0,0 +1,10 @@ +# This file will be processed with automake-1.7 to create Makefile.in +# +AUTOMAKE_OPTIONS = 1.7 subdir-objects + +NULL = + +SUBDIRS = \ + freeipa \ + ipa \ + $(NULL) diff --git a/packaging/freeipa/Makefile.am b/packaging/freeipa/Makefile.am new file mode 100644 index 000..15d86ce --- /dev/null +++ b/packaging/freeipa/Makefile.am @@ -0,0 +1,3 @@ +include $(top_srcdir)/Makefile.python.am + +pkginstall = false diff --git a/packaging/freeipa/README.txt b/packaging/freeipa/README.txt new file mode 100644 index 000..b58448f --- /dev/null +++ b/packaging/freeipa/README.txt @@ -0,0 +1,2 @@ +This is a dummy package f
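Review bot: in the Makefile.am `bdist_wheel:` hunk, the two new `$(MAKE) $(AM_MAKEFLAGS) -C packaging/ipa bdist_wheel || exit 1;` and `-C packaging/freeipa bdist_wheel || exit 1;` lines hardcode the placeholder directories directly above a loop that already iterates $(IPACLIENT_SUBDIRS); define a `PACKAGING_SUBDIRS = packaging/ipa packaging/freeipa` variable next to IPACLIENT_SUBDIRS and run the loop over both lists, so a further placeholder package does not need another copied line and the `|| exit 1` handling stays in one place.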
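Review bot: the new `pkginstall = true` default in Makefile.python.am and the `if [ "x$(pkginstall)" = "xtrue" ]` guard in `install-exec-local` are only meaningful because packaging/freeipa/Makefile.am sets `pkginstall = false` after its `include $(top_srcdir)/Makefile.python.am`, and neither file says so; add a comment above `pkginstall = true` explaining that placeholder packages are built as wheels but never installed into $(pkgpythondir), and that the including Makefile.am is expected to override the variable after the include. The `uninstall-local` change that tolerates a missing install_files.txt is the necessary counterpart and reads fine.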
[Freeipa-devel] [freeipa PR#492][comment] [WIP] config: remove meaningless defaults
URL: https://github.com/freeipa/freeipa/pull/492 Title: #492: [WIP] config: remove meaningless defaults HonzaCholasta commented: """ Sure. """ See the full comment at https://github.com/freeipa/freeipa/pull/492#issuecomment-281597461
[Freeipa-devel] [freeipa PR#492][comment] [WIP] config: remove meaningless defaults
URL: https://github.com/freeipa/freeipa/pull/492 Title: #492: [WIP] config: remove meaningless defaults tiran commented: """ Can you add a comment to explain the order of checks and assignments? Without explanation, it's going to confuse the next poor developer. """ See the full comment at https://github.com/freeipa/freeipa/pull/492#issuecomment-281597346
[Freeipa-devel] [freeipa PR#301][closed] scripts, tests: explicitly set confdir in the rest of server code
URL: https://github.com/freeipa/freeipa/pull/301 Author: HonzaCholasta Title: #301: scripts, tests: explicitly set confdir in the rest of server code Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/301/head:pr301 git checkout pr301
[Freeipa-devel] [freeipa PR#301][+pushed] scripts, tests: explicitly set confdir in the rest of server code
URL: https://github.com/freeipa/freeipa/pull/301 Title: #301: scripts, tests: explicitly set confdir in the rest of server code Label: +pushed
[Freeipa-devel] [freeipa PR#301][comment] scripts, tests: explicitly set confdir in the rest of server code
URL: https://github.com/freeipa/freeipa/pull/301 Title: #301: scripts, tests: explicitly set confdir in the rest of server code HonzaCholasta commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/fe6f2b6f6effcf9f3c58e1e3f6d0874609c10c25 """ See the full comment at https://github.com/freeipa/freeipa/pull/301#issuecomment-281596634
[Freeipa-devel] [freeipa PR#301][comment] scripts, tests: explicitly set confdir in the rest of server code
URL: https://github.com/freeipa/freeipa/pull/301 Title: #301: scripts, tests: explicitly set confdir in the rest of server code tiran commented: """ My philosophy is: _Don't fix it it it ain't broken._ """ See the full comment at https://github.com/freeipa/freeipa/pull/301#issuecomment-281596691