[Freeipa-devel] [freeipa PR#29] Enable LDAPS in replica promotion (comment)
simo5 commented on a pull request
"""
@jcholast we can't enable ssl there as the cert is not available yet, look a few lines later: https://github.com/freeipa/freeipa/blob/master/ipaserver/install/dsinstance.py#L397
"""
See the full comment at https://github.com/freeipa/freeipa/pull/29#issuecomment-243155959
--
Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#29] Enable LDAPS in replica promotion (comment)
simo5 commented on a pull request
"""
That said we should probably enable_ssl right after we get the cert and restart DS, and not in replicainstall.py
"""
See the full comment at https://github.com/freeipa/freeipa/pull/29#issuecomment-243156343
[Freeipa-devel] [freeipa PR#29] Enable LDAPS in replica promotion (comment)
simo5 commented on a pull request
"""
LGTM
"""
See the full comment at https://github.com/freeipa/freeipa/pull/29#issuecomment-243174342
[Freeipa-devel] [freeipa PR#62] Configure Anonymous PKINIT on server install (opened)
simo5's pull request #62: "Configure Anonymous PKINIT on server install" was opened PR body: """ Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST authentication (necessary for 2FA for example) using an anonymous krbtgt obtained via Pkinit. Signed-off-by: Simo Sorce """ See the full pull-request at https://github.com/freeipa/freeipa/pull/62 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/62/head:pr62 git checkout pr62 From 724e7e845e574ef7e2091256ff49338e685585e5 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 26 Jul 2016 11:19:01 -0400 Subject: [PATCH] Configure Anonymous PKINIT on server install Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST authentication (necessary for 2FA for example) using an anonymous krbtgt obtained via Pkinit. Signed-off-by: Simo Sorce --- client/ipa-client-install| 2 +- install/share/kdc.conf.template | 2 +- install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++ install/share/profiles/Makefile.am | 1 + ipaplatform/base/paths.py| 3 +- ipapython/certmonger.py | 32 +--- ipapython/dogtag.py | 2 + ipaserver/install/certs.py | 10 ++- ipaserver/install/krbinstance.py | 48 ipaserver/install/server/common.py | 5 +- ipaserver/install/server/install.py | 26 --- ipaserver/install/server/replicainstall.py | 4 +- ipaserver/plugins/cert.py| 62 --- ipaserver/plugins/dogtag.py | 1 + 14 files changed, 254 insertions(+), 53 deletions(-) create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg diff --git a/client/ipa-client-install b/client/ipa-client-install index 4a263b3..590f598 100755 --- a/client/ipa-client-install +++ b/client/ipa-client-install 
@@ -1175,7 +1175,7 @@ def configure_certmonger(fstore, subject_base, cli_realm, hostname, options, subject = str(DN(('CN', hostname), subject_base)) passwd_fname = os.path.join(paths.IPA_NSSDB_DIR, 'pwdfile.txt') try: -certmonger.request_cert(nssdb=paths.IPA_NSSDB_DIR, +certmonger.request_cert(certpath=paths.IPA_NSSDB_DIR, nickname='Local IPA host', subject=subject, dns=[hostname], principal=principal, diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template index 296b75b..ec53a1f 100644 --- a/install/share/kdc.conf.template +++ b/install/share/kdc.conf.template @@ -12,6 +12,6 @@ dict_file = $DICT_WORDS default_principal_flags = +preauth ; admin_keytab = $KRB5KDC_KADM5_KEYTAB - pkinit_identity = FILE:$KDC_PEM + pkinit_identity = FILE:$KDC_CERT,$KDC_KEY pkinit_anchors = FILE:$CACERT_PEM } diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg new file mode 100644 index 000..c5e412b --- /dev/null +++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg 
@@ -0,0 +1,109 @@ +profileId=KDCs_PKINIT_Certs +classId=caEnrollImpl +desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication. +visible=false +enable=true +enableBy=admin +auth.instance_id=raCertAuth +name=IPA-RA Agent-Authenticated Server Certificate Enrollment +input.list=i1,i2 +input.i1.class_id=certReqInputImpl +input.i2.class_id=submitterInfoInputImpl +output.list=o1 +output.o1.class_id=certOutputImpl +policyset.list=serverCertSet +policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11 +policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl +policyset.serverCertSet.1.constraint.name=Subject Name Constraint +policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+ +policyset.serverCertSet.1.constraint.params.accept=true +policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl +policyset.serverCertSet.1.default.name=Subject Name Default +policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O +policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl +policyset.serverCertSet.2.constraint.name=Validity Constraint +policyset.serverCertSet.2.constraint.params.range=740 +policyset.serverCertSet.2.constraint.params.notBeforeCheck=false +policyset.serverCertSet.2.constraint.params.notAfterCheck=false +policyset.serverCertSet.2.default.class_id=validityDefaultImpl +policyset.serverCertSet.2.default.name=Validity Default +policyset.serverCertSet.2.default.params.range=731 +policyset.serverCertSet.2.default.params.startTime=0 +policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl +policyset.serverCertSet.3.constraint.name=Key Constraint +policys
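Review bot: in the client/ipa-client-install hunk the keyword passed to certmonger.request_cert() changes from nssdb= to certpath=, which is an interface change in ipapython/certmonger.py (32 lines touched according to the diffstat, not shown here); only this one caller is visible, so every other request_cert(nssdb=...) call site in the tree has to be converted in the same commit or it fails with a TypeError the first time that installer path runs. Since certpath no longer says which kind of store the path denotes, the request_cert() docstring should spell out how an NSS database directory and a PEM file path are told apart, given that the KDC certificate now goes to plain files (FILE:$KDC_CERT,$KDC_KEY in the kdc.conf hunk).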
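Review bot: the kdc.conf.template hunk switches pkinit_identity from the combined FILE:$KDC_PEM to FILE:$KDC_CERT,$KDC_KEY, and since the template is only rendered at install time, an already installed server keeps the old line while the new installer code stops producing the combined PEM; an upgrade step that rewrites the existing kdc.conf and creates the split files is needed before merge (the upgrade path is not covered by this revision). With the private key now in its own file, the code that writes $KDC_KEY must create it 0600 and readable only by the KDC's user, because that key is what lets the KDC prove its identity to anonymous PKINIT clients, which have no other credential to check against.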
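Review bot: the new install/share/profiles/KDCs_PKINIT_Certs.cfg keeps a desc= ("This certificate profile is for enrolling server certificates with IPA-RA agent authentication.") and name= ("IPA-RA Agent-Authenticated Server Certificate Enrollment") that read as copied from the generic server profile and say nothing about KDC PKINIT; rename both so an admin listing profiles can tell what this one issues. The visible policies (subject name constraint CN=[^,]+,.+ with accept=true, 731-day validity) do not by themselves restrict which CN can be issued, and the extensions that actually make a certificate usable as a PKINIT KDC certificate (its extended key usage and the KDC principal in the subject alternative name) fall in the part of the 109-line file that is cut off here, so please quote those lines in the review summary and confirm that a CA ACL limits who may request this profile.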
[Freeipa-devel] [freeipa PR#62] Configure Anonymous PKINIT on server install (comment)
simo5 commented on a pull request
"""
Note, I haven't looked into the upgrade of an existing server, so just posting it here for an initial review, and also for someone to pick it up if I can't finish the work on the upgrade path. @abbra @frasertweedale please take a look
"""
See the full comment at https://github.com/freeipa/freeipa/pull/62#issuecomment-245039584
[Freeipa-devel] [freeipa PR#62] Configure Anonymous PKINIT on server install (synchronize)
simo5's pull request #62: "Configure Anonymous PKINIT on server install" was synchronize See the full pull-request at https://github.com/freeipa/freeipa/pull/62 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/62/head:pr62 git checkout pr62 From 32ab40ceae858310c4780504ed1696f30270ade4 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 26 Jul 2016 11:19:01 -0400 Subject: [PATCH] Configure Anonymous PKINIT on server install Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST authentication (necessary for 2FA for example) using an anonymous krbtgt obtained via Pkinit. Signed-off-by: Simo Sorce --- client/ipa-client-install| 2 +- install/share/kdc.conf.template | 2 +- install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++ install/share/profiles/Makefile.am | 1 + ipaplatform/base/paths.py| 3 +- ipapython/certmonger.py | 32 +--- ipapython/dogtag.py | 4 + ipaserver/install/certs.py | 10 ++- ipaserver/install/krbinstance.py | 49 ipaserver/install/server/common.py | 5 +- ipaserver/install/server/install.py | 26 --- ipaserver/install/server/replicainstall.py | 4 +- ipaserver/plugins/cert.py| 64 +--- ipaserver/plugins/dogtag.py | 1 + 14 files changed, 259 insertions(+), 53 deletions(-) create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg diff --git a/client/ipa-client-install b/client/ipa-client-install index 4a263b3..590f598 100755 --- a/client/ipa-client-install +++ b/client/ipa-client-install @@ -1175,7 +1175,7 @@ def configure_certmonger(fstore, subject_base, cli_realm, hostname, options, subject = str(DN(('CN', hostname), subject_base)) passwd_fname = os.path.join(paths.IPA_NSSDB_DIR, 'pwdfile.txt') try: -certmonger.request_cert(nssdb=paths.IPA_NSSDB_DIR, +certmonger.request_cert(certpath=paths.IPA_NSSDB_DIR, nickname='Local IPA host', subject=subject, dns=[hostname], principal=principal, 
diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template index 296b75b..ec53a1f 100644 --- a/install/share/kdc.conf.template +++ b/install/share/kdc.conf.template @@ -12,6 +12,6 @@ dict_file = $DICT_WORDS default_principal_flags = +preauth ; admin_keytab = $KRB5KDC_KADM5_KEYTAB - pkinit_identity = FILE:$KDC_PEM + pkinit_identity = FILE:$KDC_CERT,$KDC_KEY pkinit_anchors = FILE:$CACERT_PEM } diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg new file mode 100644 index 000..c5e412b --- /dev/null +++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg 
@@ -0,0 +1,109 @@ +profileId=KDCs_PKINIT_Certs +classId=caEnrollImpl +desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication. +visible=false +enable=true +enableBy=admin +auth.instance_id=raCertAuth +name=IPA-RA Agent-Authenticated Server Certificate Enrollment +input.list=i1,i2 +input.i1.class_id=certReqInputImpl +input.i2.class_id=submitterInfoInputImpl +output.list=o1 +output.o1.class_id=certOutputImpl +policyset.list=serverCertSet +policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11 +policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl +policyset.serverCertSet.1.constraint.name=Subject Name Constraint +policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+ +policyset.serverCertSet.1.constraint.params.accept=true +policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl +policyset.serverCertSet.1.default.name=Subject Name Default +policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O +policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl +policyset.serverCertSet.2.constraint.name=Validity Constraint +policyset.serverCertSet.2.constraint.params.range=740 +policyset.serverCertSet.2.constraint.params.notBeforeCheck=false +policyset.serverCertSet.2.constraint.params.notAfterCheck=false +policyset.serverCertSet.2.default.class_id=validityDefaultImpl +policyset.serverCertSet.2.default.name=Validity Default +policyset.serverCertSet.2.default.params.range=731 +policyset.serverCertSet.2.default.params.startTime=0 +policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl +policyset.serverCertSet.3.constraint.name=Key Constraint +policyset.serverCertSet.3.constraint.params.keyType=RSA +policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096 +policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl +policyset.serverCertSet.3.default.name=Key Default +policyset.serverC
[Freeipa-devel] [freeipa PR#62] Configure Anonymous PKINIT on server install (synchronize)
simo5's pull request #62: "Configure Anonymous PKINIT on server install" was synchronize See the full pull-request at https://github.com/freeipa/freeipa/pull/62 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/62/head:pr62 git checkout pr62 From b8525fc326bfc6ef57bdfc308fe37bfbe175ca7c Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 26 Jul 2016 11:19:01 -0400 Subject: [PATCH] Configure Anonymous PKINIT on server install Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST authentication (necessary for 2FA for example) using an anonymous krbtgt obtained via Pkinit. Signed-off-by: Simo Sorce --- client/ipa-client-install| 2 +- install/share/kdc.conf.template | 2 +- install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++ install/share/profiles/Makefile.am | 1 + ipaplatform/base/paths.py| 3 +- ipapython/certmonger.py | 32 +--- ipapython/dogtag.py | 4 + ipaserver/install/certs.py | 10 ++- ipaserver/install/krbinstance.py | 49 ipaserver/install/server/common.py | 5 +- ipaserver/install/server/install.py | 26 --- ipaserver/install/server/replicainstall.py | 4 +- ipaserver/plugins/cert.py| 65 +--- ipaserver/plugins/dogtag.py | 1 + 14 files changed, 260 insertions(+), 53 deletions(-) create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg diff --git a/client/ipa-client-install b/client/ipa-client-install index 4a263b3..590f598 100755 --- a/client/ipa-client-install +++ b/client/ipa-client-install @@ -1175,7 +1175,7 @@ def configure_certmonger(fstore, subject_base, cli_realm, hostname, options, subject = str(DN(('CN', hostname), subject_base)) passwd_fname = os.path.join(paths.IPA_NSSDB_DIR, 'pwdfile.txt') try: -certmonger.request_cert(nssdb=paths.IPA_NSSDB_DIR, +certmonger.request_cert(certpath=paths.IPA_NSSDB_DIR, nickname='Local IPA host', subject=subject, dns=[hostname], principal=principal, 
diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template index 296b75b..ec53a1f 100644 --- a/install/share/kdc.conf.template +++ b/install/share/kdc.conf.template @@ -12,6 +12,6 @@ dict_file = $DICT_WORDS default_principal_flags = +preauth ; admin_keytab = $KRB5KDC_KADM5_KEYTAB - pkinit_identity = FILE:$KDC_PEM + pkinit_identity = FILE:$KDC_CERT,$KDC_KEY pkinit_anchors = FILE:$CACERT_PEM } diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg new file mode 100644 index 000..c5e412b --- /dev/null +++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg 
@@ -0,0 +1,109 @@ +profileId=KDCs_PKINIT_Certs +classId=caEnrollImpl +desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication. +visible=false +enable=true +enableBy=admin +auth.instance_id=raCertAuth +name=IPA-RA Agent-Authenticated Server Certificate Enrollment +input.list=i1,i2 +input.i1.class_id=certReqInputImpl +input.i2.class_id=submitterInfoInputImpl +output.list=o1 +output.o1.class_id=certOutputImpl +policyset.list=serverCertSet +policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11 +policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl +policyset.serverCertSet.1.constraint.name=Subject Name Constraint +policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+ +policyset.serverCertSet.1.constraint.params.accept=true +policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl +policyset.serverCertSet.1.default.name=Subject Name Default +policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O +policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl +policyset.serverCertSet.2.constraint.name=Validity Constraint +policyset.serverCertSet.2.constraint.params.range=740 +policyset.serverCertSet.2.constraint.params.notBeforeCheck=false +policyset.serverCertSet.2.constraint.params.notAfterCheck=false +policyset.serverCertSet.2.default.class_id=validityDefaultImpl +policyset.serverCertSet.2.default.name=Validity Default +policyset.serverCertSet.2.default.params.range=731 +policyset.serverCertSet.2.default.params.startTime=0 +policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl +policyset.serverCertSet.3.constraint.name=Key Constraint +policyset.serverCertSet.3.constraint.params.keyType=RSA +policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096 +policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl +policyset.serverCertSet.3.default.name=Key Default +policyset.serverC
[Freeipa-devel] [freeipa PR#62] Configure Anonymous PKINIT on server install (synchronize)
simo5's pull request #62: "Configure Anonymous PKINIT on server install" was synchronize See the full pull-request at https://github.com/freeipa/freeipa/pull/62 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/62/head:pr62 git checkout pr62 From 255f171fcaa443bac586e38a2f7f30aff676739d Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 26 Jul 2016 11:19:01 -0400 Subject: [PATCH] Configure Anonymous PKINIT on server install Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST authentication (necessary for 2FA for example) using an anonymous krbtgt obtained via Pkinit. https://fedorahosted.org/freeipa/ticket/5678 Signed-off-by: Simo Sorce --- client/ipa-client-install| 2 +- install/share/kdc.conf.template | 2 +- install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++ install/share/profiles/Makefile.am | 1 + ipaplatform/base/paths.py| 3 +- ipapython/certmonger.py | 32 +--- ipapython/dogtag.py | 4 + ipaserver/install/certs.py | 10 ++- ipaserver/install/krbinstance.py | 49 ipaserver/install/server/common.py | 5 +- ipaserver/install/server/install.py | 26 --- ipaserver/install/server/replicainstall.py | 4 +- ipaserver/plugins/cert.py| 65 +--- ipaserver/plugins/dogtag.py | 1 + 14 files changed, 260 insertions(+), 53 deletions(-) create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg diff --git a/client/ipa-client-install b/client/ipa-client-install index 4a263b3..590f598 100755 --- a/client/ipa-client-install +++ b/client/ipa-client-install @@ -1175,7 +1175,7 @@ def configure_certmonger(fstore, subject_base, cli_realm, hostname, options, subject = str(DN(('CN', hostname), subject_base)) passwd_fname = os.path.join(paths.IPA_NSSDB_DIR, 'pwdfile.txt') try: -certmonger.request_cert(nssdb=paths.IPA_NSSDB_DIR, +certmonger.request_cert(certpath=paths.IPA_NSSDB_DIR, nickname='Local IPA host', subject=subject, dns=[hostname], principal=principal, 
diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template index 296b75b..ec53a1f 100644 --- a/install/share/kdc.conf.template +++ b/install/share/kdc.conf.template @@ -12,6 +12,6 @@ dict_file = $DICT_WORDS default_principal_flags = +preauth ; admin_keytab = $KRB5KDC_KADM5_KEYTAB - pkinit_identity = FILE:$KDC_PEM + pkinit_identity = FILE:$KDC_CERT,$KDC_KEY pkinit_anchors = FILE:$CACERT_PEM } diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg new file mode 100644 index 000..c5e412b --- /dev/null +++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg 
@@ -0,0 +1,109 @@ +profileId=KDCs_PKINIT_Certs +classId=caEnrollImpl +desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication. +visible=false +enable=true +enableBy=admin +auth.instance_id=raCertAuth +name=IPA-RA Agent-Authenticated Server Certificate Enrollment +input.list=i1,i2 +input.i1.class_id=certReqInputImpl +input.i2.class_id=submitterInfoInputImpl +output.list=o1 +output.o1.class_id=certOutputImpl +policyset.list=serverCertSet +policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11 +policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl +policyset.serverCertSet.1.constraint.name=Subject Name Constraint +policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+ +policyset.serverCertSet.1.constraint.params.accept=true +policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl +policyset.serverCertSet.1.default.name=Subject Name Default +policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O +policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl +policyset.serverCertSet.2.constraint.name=Validity Constraint +policyset.serverCertSet.2.constraint.params.range=740 +policyset.serverCertSet.2.constraint.params.notBeforeCheck=false +policyset.serverCertSet.2.constraint.params.notAfterCheck=false +policyset.serverCertSet.2.default.class_id=validityDefaultImpl +policyset.serverCertSet.2.default.name=Validity Default +policyset.serverCertSet.2.default.params.range=731 +policyset.serverCertSet.2.default.params.startTime=0 +policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl +policyset.serverCertSet.3.constraint.name=Key Constraint +policyset.serverCertSet.3.constraint.params.keyType=RSA +policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096 +policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl +polic
[Freeipa-devel] [freeipa PR#62] Configure Anonymous PKINIT on server install (synchronize)
simo5's pull request #62: "Configure Anonymous PKINIT on server install" was synchronize See the full pull-request at https://github.com/freeipa/freeipa/pull/62 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/62/head:pr62 git checkout pr62 From 0fdf1369c9402e9df76cd74ca32238eb480a1e4c Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 26 Jul 2016 11:19:01 -0400 Subject: [PATCH] Configure Anonymous PKINIT on server install Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST authentication (necessary for 2FA for example) using an anonymous krbtgt obtained via Pkinit. https://fedorahosted.org/freeipa/ticket/5678 Signed-off-by: Simo Sorce --- client/ipa-client-install| 2 +- install/share/kdc.conf.template | 2 +- install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++ install/share/profiles/Makefile.am | 1 + ipaplatform/base/paths.py| 3 +- ipapython/certmonger.py | 32 +--- ipapython/dogtag.py | 4 + ipaserver/install/certs.py | 10 ++- ipaserver/install/krbinstance.py | 49 ipaserver/install/server/common.py | 5 +- ipaserver/install/server/install.py | 26 --- ipaserver/install/server/replicainstall.py | 4 +- ipaserver/plugins/cert.py| 65 +--- ipaserver/plugins/dogtag.py | 1 + 14 files changed, 260 insertions(+), 53 deletions(-) create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg diff --git a/client/ipa-client-install b/client/ipa-client-install index 4a263b3..590f598 100755 --- a/client/ipa-client-install +++ b/client/ipa-client-install @@ -1175,7 +1175,7 @@ def configure_certmonger(fstore, subject_base, cli_realm, hostname, options, subject = str(DN(('CN', hostname), subject_base)) passwd_fname = os.path.join(paths.IPA_NSSDB_DIR, 'pwdfile.txt') try: -certmonger.request_cert(nssdb=paths.IPA_NSSDB_DIR, +certmonger.request_cert(certpath=paths.IPA_NSSDB_DIR, nickname='Local IPA host', subject=subject, dns=[hostname], principal=principal, 
diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template index 296b75b..ec53a1f 100644 --- a/install/share/kdc.conf.template +++ b/install/share/kdc.conf.template @@ -12,6 +12,6 @@ dict_file = $DICT_WORDS default_principal_flags = +preauth ; admin_keytab = $KRB5KDC_KADM5_KEYTAB - pkinit_identity = FILE:$KDC_PEM + pkinit_identity = FILE:$KDC_CERT,$KDC_KEY pkinit_anchors = FILE:$CACERT_PEM } diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg new file mode 100644 index 000..c5e412b --- /dev/null +++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg 
@@ -0,0 +1,109 @@ +profileId=KDCs_PKINIT_Certs +classId=caEnrollImpl +desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication. +visible=false +enable=true +enableBy=admin +auth.instance_id=raCertAuth +name=IPA-RA Agent-Authenticated Server Certificate Enrollment +input.list=i1,i2 +input.i1.class_id=certReqInputImpl +input.i2.class_id=submitterInfoInputImpl +output.list=o1 +output.o1.class_id=certOutputImpl +policyset.list=serverCertSet +policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11 +policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl +policyset.serverCertSet.1.constraint.name=Subject Name Constraint +policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+ +policyset.serverCertSet.1.constraint.params.accept=true +policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl +policyset.serverCertSet.1.default.name=Subject Name Default +policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O +policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl +policyset.serverCertSet.2.constraint.name=Validity Constraint +policyset.serverCertSet.2.constraint.params.range=740 +policyset.serverCertSet.2.constraint.params.notBeforeCheck=false +policyset.serverCertSet.2.constraint.params.notAfterCheck=false +policyset.serverCertSet.2.default.class_id=validityDefaultImpl +policyset.serverCertSet.2.default.name=Validity Default +policyset.serverCertSet.2.default.params.range=731 +policyset.serverCertSet.2.default.params.startTime=0 +policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl +policyset.serverCertSet.3.constraint.name=Key Constraint +policyset.serverCertSet.3.constraint.params.keyType=RSA +policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096 +policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl +polic
[Freeipa-devel] [freeipa PR#62] Configure Anonymous PKINIT on server install (synchronize)
simo5's pull request #62: "Configure Anonymous PKINIT on server install" was synchronize See the full pull-request at https://github.com/freeipa/freeipa/pull/62 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/62/head:pr62 git checkout pr62 From 973fe140d2c3a5fb13738fa3381d3cec1c02688d Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 26 Jul 2016 11:19:01 -0400 Subject: [PATCH] Configure Anonymous PKINIT on server install Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST authentication (necessary for 2FA for example) using an anonymous krbtgt obtained via Pkinit. https://fedorahosted.org/freeipa/ticket/5678 Signed-off-by: Simo Sorce --- client/ipa-client-install| 2 +- install/share/kdc.conf.template | 2 +- install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++ install/share/profiles/Makefile.am | 1 + ipaplatform/base/paths.py| 3 +- ipapython/certmonger.py | 32 +--- ipapython/dogtag.py | 4 + ipaserver/install/certs.py | 10 ++- ipaserver/install/krbinstance.py | 49 ipaserver/install/server/common.py | 5 +- ipaserver/install/server/install.py | 26 --- ipaserver/install/server/replicainstall.py | 4 +- ipaserver/plugins/cert.py| 65 +--- ipaserver/plugins/dogtag.py | 2 + 14 files changed, 261 insertions(+), 53 deletions(-) create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg diff --git a/client/ipa-client-install b/client/ipa-client-install index 6330f1d..30b78ed 100755 --- a/client/ipa-client-install +++ b/client/ipa-client-install @@ -1175,7 +1175,7 @@ def configure_certmonger(fstore, subject_base, cli_realm, hostname, options, subject = str(DN(('CN', hostname), subject_base)) passwd_fname = os.path.join(paths.IPA_NSSDB_DIR, 'pwdfile.txt') try: -certmonger.request_cert(nssdb=paths.IPA_NSSDB_DIR, +certmonger.request_cert(certpath=paths.IPA_NSSDB_DIR, nickname='Local IPA host', subject=subject, dns=[hostname], principal=principal, 
diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template index 296b75b..ec53a1f 100644 --- a/install/share/kdc.conf.template +++ b/install/share/kdc.conf.template @@ -12,6 +12,6 @@ dict_file = $DICT_WORDS default_principal_flags = +preauth ; admin_keytab = $KRB5KDC_KADM5_KEYTAB - pkinit_identity = FILE:$KDC_PEM + pkinit_identity = FILE:$KDC_CERT,$KDC_KEY pkinit_anchors = FILE:$CACERT_PEM } diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg new file mode 100644 index 000..c5e412b --- /dev/null +++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg 
@@ -0,0 +1,109 @@ +profileId=KDCs_PKINIT_Certs +classId=caEnrollImpl +desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication. +visible=false +enable=true +enableBy=admin +auth.instance_id=raCertAuth +name=IPA-RA Agent-Authenticated Server Certificate Enrollment +input.list=i1,i2 +input.i1.class_id=certReqInputImpl +input.i2.class_id=submitterInfoInputImpl +output.list=o1 +output.o1.class_id=certOutputImpl +policyset.list=serverCertSet +policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11 +policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl +policyset.serverCertSet.1.constraint.name=Subject Name Constraint +policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+ +policyset.serverCertSet.1.constraint.params.accept=true +policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl +policyset.serverCertSet.1.default.name=Subject Name Default +policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O +policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl +policyset.serverCertSet.2.constraint.name=Validity Constraint +policyset.serverCertSet.2.constraint.params.range=740 +policyset.serverCertSet.2.constraint.params.notBeforeCheck=false +policyset.serverCertSet.2.constraint.params.notAfterCheck=false +policyset.serverCertSet.2.default.class_id=validityDefaultImpl +policyset.serverCertSet.2.default.name=Validity Default +policyset.serverCertSet.2.default.params.range=731 +policyset.serverCertSet.2.default.params.startTime=0 +policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl +policyset.serverCertSet.3.constraint.name=Key Constraint +policyset.serverCertSet.3.constraint.params.keyType=RSA +policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096 +policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl +polic
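The kdc.conf.template hunk in PR#62 above moves the KDC's PKINIT identity from one combined PEM to a separate certificate and key file. The following is an added example, not FreeIPA's code: a small checker that parses the krb5 profile syntax used by kdc.conf.template, reads each realm's pkinit_identity and pkinit_anchors, tells the combined layout (FILE:kdc.pem) from the split one (FILE:kdc.crt,kdc.key), and flags a KDC private key that group or world can read. All paths and the sample configuration are constructed; the parse_profile, pkinit_settings, audit, render_conf and demo names are this example's own.

```python
# Added example (not FreeIPA code): audit the PKINIT settings of an MIT
# kdc.conf. Parses the krb5 profile syntax used by kdc.conf.template, reads
# each realm's pkinit_identity / pkinit_anchors and checks the KDC key file
# mode. Every path below is a constructed sample value.
import os
import re
import stat
import tempfile

IDENTITY_RE = re.compile(r'^(FILE|DIR|PKCS12|PKCS11|ENV):(.*)$')

def parse_profile(text):
    """[section] / key = value / key = { ... } into nested dicts; # and ; start comments."""
    root, current, stack = {}, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        if line.startswith('[') and line.endswith(']'):
            current, stack = root.setdefault(line[1:-1], {}), []
        elif line == '}':
            current = stack.pop()
        elif '=' in line:
            key, value = (s.strip() for s in line.split('=', 1))
            if value == '{':
                stack.append(current)
                current = current.setdefault(key, {})
            else:
                current[key] = value
    return root

def pkinit_settings(conf_text):
    """{realm: {identity, anchors, key_file, layout}}; [kdcdefaults] fills gaps."""
    profile = parse_profile(conf_text)
    defaults = profile.get('kdcdefaults', {})
    result = {}
    for realm, params in profile.get('realms', {}).items():
        entry = {'identity': params.get('pkinit_identity', defaults.get('pkinit_identity')),
                 'anchors': params.get('pkinit_anchors', defaults.get('pkinit_anchors')),
                 'key_file': None, 'layout': None}
        m = IDENTITY_RE.match(entry['identity'] or '')
        if m and m.group(1) == 'FILE':
            files = m.group(2).split(',')
            # FILE:cert,key keeps the key in its own file; a lone FILE:x.pem
            # means the single PEM holds both certificate and private key.
            entry['key_file'] = files[1] if len(files) > 1 else files[0]
            entry['layout'] = 'split' if len(files) > 1 else 'combined'
        elif m:
            entry['layout'] = m.group(1)
        result[realm] = entry
    return result

def audit(conf_text):
    """Defender findings as (realm, message): missing identity/anchors, or a
    private key file that group or world can read."""
    findings = []
    for realm, e in pkinit_settings(conf_text).items():
        if e['identity'] is None:
            findings.append((realm, 'pkinit_identity missing: KDC cannot offer PKINIT'))
        if e['anchors'] is None:
            findings.append((realm, 'pkinit_anchors missing: KDC cannot validate client certs'))
        key = e['key_file']
        if key and os.path.exists(key):
            mode = stat.S_IMODE(os.stat(key).st_mode)
            if mode & 0o077:
                findings.append((realm, 'KDC key %s is mode %04o, expected 0600' % (key, mode)))
    return findings

def render_conf(identity=None, anchors=None):
    """Realm stanza shaped like kdc.conf.template (constructed sample)."""
    lines = ['[kdcdefaults]', ' kdc_ports = 88', '', '[realms]', ' EXAMPLE.TEST = {',
             '  default_principal_flags = +preauth',
             '  ; admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab']
    if identity:
        lines.append('  pkinit_identity = %s' % identity)
    if anchors:
        lines.append('  pkinit_anchors = %s' % anchors)
    lines.append(' }')
    return '\n'.join(lines) + '\n'

# Old combined-PEM layout and the split layout PR#62 moves to (sample paths).
OLD_CONF = render_conf('FILE:/var/kerberos/krb5kdc/kdc.pem',
                       'FILE:/var/kerberos/krb5kdc/cacert.pem')
NEW_CONF = render_conf('FILE:/var/kerberos/krb5kdc/kdc.crt,/var/kerberos/krb5kdc/kdc.key',
                       'FILE:/var/kerberos/krb5kdc/cacert.pem')

def demo():
    """Audit a throwaway split-layout install with a 0644 key, then after chmod 0600."""
    with tempfile.TemporaryDirectory() as d:
        cert, key, ca = (os.path.join(d, n) for n in ('kdc.crt', 'kdc.key', 'cacert.pem'))
        for path in (cert, key, ca):
            with open(path, 'w') as f:
                f.write('placeholder, not a real PEM\n')  # constructed content
        os.chmod(key, 0o644)
        conf = render_conf('FILE:%s,%s' % (cert, key), 'FILE:%s' % ca)
        before = audit(conf)
        os.chmod(key, 0o600)
        return before, audit(conf)
```

Run `demo()` to see the key-mode finding appear and then disappear; `audit(open('/var/kerberos/krb5kdc/kdc.conf').read())` applies the same checks to a real file. Realm-level settings override [kdcdefaults], matching how the KDC resolves them.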
[Freeipa-devel] [freeipa PR#117][comment] Make ipa-replica-install run in interactive mode
URL: https://github.com/freeipa/freeipa/pull/117
Title: #117: Make ipa-replica-install run in interactive mode
simo5 commented:
"""
@stlaz I do not understand the rationale. Ideally the ipa-replica-install command gathers all necessary info and ipa-client-install is always run in unattended mode.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/117#issuecomment-253868897
[Freeipa-devel] [freeipa PR#117][comment] Make ipa-replica-install run in interactive mode
URL: https://github.com/freeipa/freeipa/pull/117
Title: #117: Make ipa-replica-install run in interactive mode
simo5 commented:
"""
@stlaz, sure, what I meant is that the checking code should be made common and run in ipa-replica-install, certainly I was not suggesting to just duplicate all that code. Perhaps refactoring will just do that.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/117#issuecomment-254207783
[Freeipa-devel] [freeipa PR#184][opened] Minor install script fixes
URL: https://github.com/freeipa/freeipa/pull/184 Author: simo5 Title: #184: Minor install script fixes Action: opened PR body: """ - Use the correct unicode string for an error message, otherwise an exception will generate another exception about incorrect type, masking the original error. - Make sure to pass down the debug flag to ipa-client-install when the server install is run in debug mode """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/184/head:pr184 git checkout pr184 From 4867f2c571bb103d1c864cff335fb450d6032dc1 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Wed, 5 Oct 2016 15:16:30 -0400 Subject: [PATCH] Minor install script fixes - Use the correct unicode string for an error message, otherwise an exception will generate another exception about incorrect type, masking the original error. - Make sure to pass down the debug flag to ipa-client-install when the server install is run in debug mode Signed-off-by: Simo Sorce --- ipalib/rpc.py | 3 ++- ipaserver/install/server/install.py | 2 ++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 9594ab5..7756eaf 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -603,7 +603,8 @@ def _auth_complete(self, response): except (TypeError, UnicodeError): pass if not token: -raise KerberosError(message="No valid Negotiate header in server response") +raise KerberosError( +message=u"No valid Negotiate header in server response") token = self._sec_context.step(token=token) if self._sec_context.complete: self._sec_context = None diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index 0015a8c..2ddc7cc 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py 
@@ -896,6 +896,8 @@ def install(installer): args.append("--no-sshd") if options.mkhomedir: args.append("--mkhomedir") +if options.debug: +args.append("--debug") run(args, redirect_output=True) print() except Exception: -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
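Review bot: in the ipalib/rpc.py hunk, the `except (TypeError, UnicodeError): pass` just above the changed `raise` still discards the reason a Negotiate token failed to decode, so a malformed header and a missing header both surface as "No valid Negotiate header in server response"; a `root_logger.debug(...)` in that except branch would keep the cause available without changing behaviour. The switch to `u"..."` is the right fix for the masking TypeError; it is worth checking the other `raise KerberosError(message=...)` sites in ipalib/rpc.py for the same byte-string literal so they do not fail the same way.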
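Review bot: the `--debug` pass-through in the ipaserver/install/server/install.py hunk is unrelated to the Negotiate-header fix in the first hunk and touches a different component; it would be cleaner as its own commit so each can be reverted or backported independently. The hunk itself mirrors the adjacent `--no-sshd`/`--mkhomedir` handling and looks correct.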
[Freeipa-devel] [freeipa PR#184][synchronized] Minor install script fixes
URL: https://github.com/freeipa/freeipa/pull/184 Author: simo5 Title: #184: Minor install script fixes Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/184/head:pr184 git checkout pr184 From 68db42a636314be935a519b14ae51b2084e96c7b Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Wed, 5 Oct 2016 15:16:30 -0400 Subject: [PATCH 1/2] Fix error message encoding - Use the correct unicode string for an error message, otherwise an exception will generate another exception about incorrect type, masking the original error. Signed-off-by: Simo Sorce --- ipalib/rpc.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 9594ab5..7756eaf 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -603,7 +603,8 @@ def _auth_complete(self, response): except (TypeError, UnicodeError): pass if not token: -raise KerberosError(message="No valid Negotiate header in server response") +raise KerberosError( +message=u"No valid Negotiate header in server response") token = self._sec_context.step(token=token) if self._sec_context.complete: self._sec_context = None From 934f25186aec92d73715286b278adf9b86042a0c Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Mon, 24 Oct 2016 13:06:10 -0400 Subject: [PATCH 2/2] Fix install scripts debugging - Make sure to pass down the debug flag to ipa-client-install when the server install is run in debug mode Signed-off-by: Simo Sorce --- ipaserver/install/server/install.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index 0015a8c..2ddc7cc 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py 
@@ -896,6 +896,8 @@ def install(installer): args.append("--no-sshd") if options.mkhomedir: args.append("--mkhomedir") +if options.debug: +args.append("--debug") run(args, redirect_output=True) print() except Exception: -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
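Review bot: with `--debug` now forwarded, ipa-client-install's debug-level output is captured through `run(args, redirect_output=True)` together with the server installer's own output; confirm the destination log keeps the installer's restrictive file mode, since client debug output is far more verbose than the default and is written on every server install run in debug mode. Splitting the two fixes into separate commits, as done here, is the right call.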
[Freeipa-devel] [freeipa PR#205][opened] Support DAL version 5 and version 6
URL: https://github.com/freeipa/freeipa/pull/205 Author: simo5 Title: #205: Support DAL version 5 and version 6 Action: opened PR body: """ Should fix bz#1389866 (untested) """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/205/head:pr205 git checkout pr205 From 9f71b4e01b9ef3040817437790c4756d31d3f404 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 1 Nov 2016 15:13:14 -0400 Subject: [PATCH] Support DAL version 5 and version 6 See bz#1389866 Signed-off-by: Simo Sorce --- daemons/ipa-kdb/ipa_kdb.c | 45 + 1 file changed, 45 insertions(+) diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c index fbcb03b..3d3365d 100644 --- a/daemons/ipa-kdb/ipa_kdb.c +++ b/daemons/ipa-kdb/ipa_kdb.c @@ -625,6 +625,7 @@ static void ipadb_free(krb5_context context, void *ptr) /* KDB Virtual Table */ +#if KRB5_KDB_DAL_MAJOR_VERSION == 5 kdb_vftabl kdb_function_table = { KRB5_KDB_DAL_MAJOR_VERSION, /* major version number */ 0, /* minor version number */ 
@@ -667,3 +668,47 @@ kdb_vftabl kdb_function_table = { ipadb_check_allowed_to_delegate /* check_allowed_to_delegate */ }; +#elif KRB5_KDB_DAL_MAJOR_VERSION == 6 +kdb_vftabl kdb_function_table = { +KRB5_KDB_DAL_MAJOR_VERSION, /* major version number */ +0, /* minor version number */ +ipadb_init_library, /* init_library */ +ipadb_fini_library, /* fini_library */ +ipadb_init_module, /* init_module */ +ipadb_fini_module, /* fini_module */ +ipadb_create, /* create */ +NULL, /* destroy */ +ipadb_get_age, /* get_age */ +NULL, /* lock */ +NULL, /* unlock */ +ipadb_get_principal,/* get_principal */ +ipadb_put_principal,/* put_principal */ +ipadb_delete_principal, /* delete_principal */ +NULL, /* rename_principal */ +ipadb_iterate, /* iterate */ +ipadb_create_pwd_policy,/* create_policy */ +ipadb_get_pwd_policy, /* get_policy */ +ipadb_put_pwd_policy, /* put_policy */ +ipadb_iterate_pwd_policy, /* iter_policy */ +ipadb_delete_pwd_policy,/* delete_policy */ +ipadb_fetch_master_key, /* fetch_master_key */ +NULL, /* fetch_master_key_list */ +ipadb_store_master_key_list,/* store_master_key_list */ +NULL, /* dbe_search_enctype */ +ipadb_change_pwd, /* change_pwd */ +NULL, /* promote_db */ +NULL, /* decrypt_key_data */ +NULL, /* encrypt_key_data */ +ipadb_sign_authdata,/* sign_authdata */ +ipadb_check_transited_realms, /* check_transited_realms */ +ipadb_check_policy_as, /* check_policy_as */ +NULL, /* check_policy_tgs */ +ipadb_audit_as_req, /* audit_as_req */ +NULL, /* refresh_config */ +ipadb_check_allowed_to_delegate /* check_allowed_to_delegate */ +}; + +#else +#error unsupported DAL major version +#endif + -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
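Review bot: the DAL 6 table in the second hunk is a positional copy of the DAL 5 initializer with `free_principal`, `free_policy`, `alloc` and `free` dropped, which is exactly the situation where positional initializers bite: one slot out of place and a callback is silently bound to the wrong function pointer with no compiler diagnostic. Designated initializers (`.init_library = ipadb_init_library,` and so on) make both tables self-checking, let the omitted members default to NULL instead of spelling out every `NULL, /* ... */` slot, and shrink the duplicated block to the handful of members that differ between versions. Also, the trailing `+` line after `#endif` adds a blank line at end of file.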
[Freeipa-devel] [freeipa PR#206][opened] Properly handle multiple cookies in rpcclient
URL: https://github.com/freeipa/freeipa/pull/206 Author: simo5 Title: #206: Properly handle multiple cookies in rpcclient Action: opened PR body: """ The current code does not give a list of cookies, but a concatenated string separated by a comma. This is a format the Cookie class does not understand. msg.getheaders returns the wanted format. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/206/head:pr206 git checkout pr206 From 2433c2b315e1526e9f8431c577625bf115673480 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 1 Nov 2016 14:59:12 -0400 Subject: [PATCH] Properly handle multiple cookies in rpcclient Signed-off-by: Simo Sorce --- ipalib/rpc.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 7756eaf..b5f7e6f 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -719,7 +719,7 @@ def store_session_cookie(self, cookie_header): pass def parse_response(self, response): -self.store_session_cookie(response.getheader('Set-Cookie')) +self.store_session_cookie(response.msg.getheaders('Set-Cookie')) return SSLTransport.parse_response(self, response) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
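Review bot: `response.msg.getheaders('Set-Cookie')` returns a list on Python 2 (`httplib.HTTPMessage` is a `mimetools.Message`), but on Python 3 `response.msg` is an `http.client.HTTPMessage` (an `email.message.Message`) with no `getheaders` method; the equivalent there is `get_all('Set-Cookie')`. If ipalib/rpc.py is expected to run on both, the call needs a compatibility shim. The hunk also changes the type `store_session_cookie` receives from a string to a list without touching that function, so its parsing of `cookie_header` must be adjusted in the same change or the list will be handed to a string parser.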
[Freeipa-devel] [freeipa PR#205][synchronized] Support DAL version 5 and version 6
URL: https://github.com/freeipa/freeipa/pull/205 Author: simo5 Title: #205: Support DAL version 5 and version 6 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/205/head:pr205 git checkout pr205 From 1f0822b21eb3daa0c769d3377fc841d7ce8aaccc Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 1 Nov 2016 15:13:14 -0400 Subject: [PATCH] Support DAL version 5 and version 6 See bz#1389866 Signed-off-by: Simo Sorce --- daemons/ipa-kdb/ipa_kdb.c | 102 -- 1 file changed, 63 insertions(+), 39 deletions(-) diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c index fbcb03b..e96353f 100644 --- a/daemons/ipa-kdb/ipa_kdb.c +++ b/daemons/ipa-kdb/ipa_kdb.c 
@@ -625,45 +625,69 @@ static void ipadb_free(krb5_context context, void *ptr) /* KDB Virtual Table */ +#if KRB5_KDB_DAL_MAJOR_VERSION == 5 kdb_vftabl kdb_function_table = { -KRB5_KDB_DAL_MAJOR_VERSION, /* major version number */ -0, /* minor version number */ -ipadb_init_library, /* init_library */ -ipadb_fini_library, /* fini_library */ -ipadb_init_module, /* init_module */ -ipadb_fini_module, /* fini_module */ -ipadb_create, /* create */ -NULL, /* destroy */ -ipadb_get_age, /* get_age */ -NULL, /* lock */ -NULL, /* unlock */ -ipadb_get_principal,/* get_principal */ -ipadb_free_principal, /* free_principal */ -ipadb_put_principal,/* put_principal */ -ipadb_delete_principal, /* delete_principal */ -ipadb_iterate, /* iterate */ -ipadb_create_pwd_policy,/* create_policy */ -ipadb_get_pwd_policy, /* get_policy */ -ipadb_put_pwd_policy, /* put_policy */ -ipadb_iterate_pwd_policy, /* iter_policy */ -ipadb_delete_pwd_policy,/* delete_policy */ -ipadb_free_pwd_policy, /* free_policy */ -ipadb_alloc,/* alloc */ -ipadb_free, /* free */ -ipadb_fetch_master_key, /* fetch_master_key */ -NULL, /* fetch_master_key_list */ -ipadb_store_master_key_list,/* store_master_key_list */ -NULL, /* dbe_search_enctype */ -ipadb_change_pwd, /* change_pwd */ -NULL, /* promote_db */ -NULL, /* decrypt_key_data */ -NULL, /* encrypt_key_data */ -ipadb_sign_authdata,/* sign_authdata */ -ipadb_check_transited_realms, /* check_transited_realms */ -ipadb_check_policy_as, /* check_policy_as */ -NULL, /* check_policy_tgs */ -ipadb_audit_as_req, /* audit_as_req */ -NULL, /* refresh_config */ -ipadb_check_allowed_to_delegate /* check_allowed_to_delegate */ +.maj_ver = KRB5_KDB_DAL_MAJOR_VERSION, +.min_ver = 0, +.init_library = ipadb_init_library, +.fini_library = ipadb_fini_library, +.init_module = ipadb_init_module, +.fini_module = ipadb_fini_module, +.create = ipadb_create, +.get_age = ipadb_get_age, +.get_principal = ipadb_get_principal, +.free_principal = ipadb_free_principal, +.put_principal = 
ipadb_put_principal, +.delete_principal = ipadb_delete_principal, +.iterate = ipadb_iterate, +.create_policy = ipadb_create_pwd_policy, +.get_policy = ipadb_get_pwd_policy, +.put_policy = ipadb_put_pwd_policy, +.iter_policy = ipadb_iterate_pwd_policy, +.delete_policy = ipadb_delete_pwd_policy, +.free_policy = ipadb_free_pwd_policy, +.alloc = ipadb_alloc, +.free = ipadb_free, +.fetch_master_key = ipadb_fetch_master_key, +.store_master_key_list = ipadb_store_master_key_list, +.change_pwd = ipadb_change_pwd, +.sign_authdata = ipadb_sign_authdata, +.check_transited_realms = ipadb_check_transited_realms, +.check_policy_as = ipadb_check_policy_as, +.audit_as_req = ipadb_audit_as_req, +.check_allowed_to_delegate = ipadb_check_allowed_to_delegate }; +#elif KRB5_KDB_DAL_MAJOR_VERSION == 6 +kdb_vftabl kdb_function_table = { +.maj_ver = KRB5_KDB_DAL_MAJOR_VERSION, +.min_ver = 0, +.init_library = ipadb_init_library, +.fini_library = ipadb_fini_library, +.init_module = ipadb_init_module, +.fini_module = ipadb_fini_module, +.create = ipadb_create, +.get_age = ipadb_get_age, +.get_principal = ipadb_get_principal, +.put_principal
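Review bot: the designated initializers fix the fragility of the earlier positional tables, and omitting `destroy`, `lock`, `unlock`, `rename_principal` and the other previously explicit `NULL` slots is equivalent, since members left out of a designated initializer are zero-initialized. The two tables still repeat every shared member, though; guarding only the DAL 5-specific entries (`.free_principal`, `.free_policy`, `.alloc`, `.free`) with `#if KRB5_KDB_DAL_MAJOR_VERSION == 5` inside a single `kdb_function_table` would leave one copy to maintain. Since DAL 6 drops the module-provided `free_principal`/`free` hooks, the library has to release what `ipadb_get_principal` returns with its own allocator; worth confirming the ipa-kdb allocation path is compatible rather than relying on `ipadb_free` being called.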
[Freeipa-devel] [freeipa PR#205][comment] Support DAL version 5 and version 6
URL: https://github.com/freeipa/freeipa/pull/205 Title: #205: Support DAL version 5 and version 6 simo5 commented: """ Updated """ See the full comment at https://github.com/freeipa/freeipa/pull/205#issuecomment-257820109
[Freeipa-devel] [freeipa PR#205][comment] Support DAL version 5 and version 6
URL: https://github.com/freeipa/freeipa/pull/205 Title: #205: Support DAL version 5 and version 6 simo5 commented: """ On Mon, 2016-11-07 at 08:11 -0800, Tomas Krizek wrote: > NACK > > `ipa-server-install` will fail at: > ``` > Configuring kadmin > [1/2]: starting kadmin > [2/2]: configuring kadmin to start on boot > Done configuring kadmin. > ipa.ipapython.install.cli.install_tool(Server): ERROR CA did not start in > 300.0s > ipa.ipapython.install.cli.install_tool(Server): ERROR The > ipa-server-install command failed > ``` > From `/var/log/pki/pki-tomcat/ca/debug`, it seems PKI can't authenticate > towards LDAP: > ``` > [07/Nov/2016:16:42:11][localhost-startStop-1]: SSL handshake happened > Could not connect to LDAP server host vm-059.abc.idm.lab.eng.brq.redhat.com > port 636 Error netscape.ldap.LDAPException: Authentication failed (48) > ``` > I've seen this error recently too, but it is unrelated, re-installed on F25 and it went away. I think there is some issue with dogtag in some conditions when you re-install, although I could not figure what it is. Simo. -- Simo Sorce * Red Hat, Inc * New York """ See the full comment at https://github.com/freeipa/freeipa/pull/205#issuecomment-258880929
[Freeipa-devel] [freeipa PR#205][comment] Support DAL version 5 and version 6
URL: https://github.com/freeipa/freeipa/pull/205 Title: #205: Support DAL version 5 and version 6 simo5 commented: """ Sure, but I do not see how a change in the KDC DAL can affect PKI connecting to LDAP. Does this problem go away if you remove the patch and re-build/install on the same machine? """ See the full comment at https://github.com/freeipa/freeipa/pull/205#issuecomment-258894858
[Freeipa-devel] [freeipa PR#205][+ack] Support DAL version 5 and version 6
URL: https://github.com/freeipa/freeipa/pull/205 Title: #205: Support DAL version 5 and version 6 Label: +ack
[Freeipa-devel] [freeipa PR#205][comment] Support DAL version 5 and version 6
URL: https://github.com/freeipa/freeipa/pull/205 Title: #205: Support DAL version 5 and version 6 simo5 commented: """ I just verified I reproduce your error in my tree without the patch. """ See the full comment at https://github.com/freeipa/freeipa/pull/205#issuecomment-258937044
[Freeipa-devel] [freeipa PR#205][comment] Support DAL version 5 and version 6
URL: https://github.com/freeipa/freeipa/pull/205 Title: #205: Support DAL version 5 and version 6 simo5 commented: """ There was no upstream ticket when I created the commit :-) I'll add. """ See the full comment at https://github.com/freeipa/freeipa/pull/205#issuecomment-259221154
[Freeipa-devel] [freeipa PR#205][synchronized] Support DAL version 5 and version 6
URL: https://github.com/freeipa/freeipa/pull/205 Author: simo5 Title: #205: Support DAL version 5 and version 6 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/205/head:pr205 git checkout pr205 From bad5cad79ac9d639333706f073e8b0a2556f10d7 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 1 Nov 2016 15:13:14 -0400 Subject: [PATCH] Support DAL version 5 and version 6 https://fedorahosted.org/freeipa/ticket/6466 Signed-off-by: Simo Sorce --- daemons/ipa-kdb/ipa_kdb.c | 102 -- 1 file changed, 63 insertions(+), 39 deletions(-) diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c index fbcb03b..e96353f 100644 --- a/daemons/ipa-kdb/ipa_kdb.c +++ b/daemons/ipa-kdb/ipa_kdb.c 
@@ -625,45 +625,69 @@ static void ipadb_free(krb5_context context, void *ptr) /* KDB Virtual Table */ +#if KRB5_KDB_DAL_MAJOR_VERSION == 5 kdb_vftabl kdb_function_table = { -KRB5_KDB_DAL_MAJOR_VERSION, /* major version number */ -0, /* minor version number */ -ipadb_init_library, /* init_library */ -ipadb_fini_library, /* fini_library */ -ipadb_init_module, /* init_module */ -ipadb_fini_module, /* fini_module */ -ipadb_create, /* create */ -NULL, /* destroy */ -ipadb_get_age, /* get_age */ -NULL, /* lock */ -NULL, /* unlock */ -ipadb_get_principal,/* get_principal */ -ipadb_free_principal, /* free_principal */ -ipadb_put_principal,/* put_principal */ -ipadb_delete_principal, /* delete_principal */ -ipadb_iterate, /* iterate */ -ipadb_create_pwd_policy,/* create_policy */ -ipadb_get_pwd_policy, /* get_policy */ -ipadb_put_pwd_policy, /* put_policy */ -ipadb_iterate_pwd_policy, /* iter_policy */ -ipadb_delete_pwd_policy,/* delete_policy */ -ipadb_free_pwd_policy, /* free_policy */ -ipadb_alloc,/* alloc */ -ipadb_free, /* free */ -ipadb_fetch_master_key, /* fetch_master_key */ -NULL, /* fetch_master_key_list */ -ipadb_store_master_key_list,/* store_master_key_list */ -NULL, /* dbe_search_enctype */ -ipadb_change_pwd, /* change_pwd */ -NULL, /* promote_db */ -NULL, /* decrypt_key_data */ -NULL, /* encrypt_key_data */ -ipadb_sign_authdata,/* sign_authdata */ -ipadb_check_transited_realms, /* check_transited_realms */ -ipadb_check_policy_as, /* check_policy_as */ -NULL, /* check_policy_tgs */ -ipadb_audit_as_req, /* audit_as_req */ -NULL, /* refresh_config */ -ipadb_check_allowed_to_delegate /* check_allowed_to_delegate */ +.maj_ver = KRB5_KDB_DAL_MAJOR_VERSION, +.min_ver = 0, +.init_library = ipadb_init_library, +.fini_library = ipadb_fini_library, +.init_module = ipadb_init_module, +.fini_module = ipadb_fini_module, +.create = ipadb_create, +.get_age = ipadb_get_age, +.get_principal = ipadb_get_principal, +.free_principal = ipadb_free_principal, +.put_principal = 
ipadb_put_principal, +.delete_principal = ipadb_delete_principal, +.iterate = ipadb_iterate, +.create_policy = ipadb_create_pwd_policy, +.get_policy = ipadb_get_pwd_policy, +.put_policy = ipadb_put_pwd_policy, +.iter_policy = ipadb_iterate_pwd_policy, +.delete_policy = ipadb_delete_pwd_policy, +.free_policy = ipadb_free_pwd_policy, +.alloc = ipadb_alloc, +.free = ipadb_free, +.fetch_master_key = ipadb_fetch_master_key, +.store_master_key_list = ipadb_store_master_key_list, +.change_pwd = ipadb_change_pwd, +.sign_authdata = ipadb_sign_authdata, +.check_transited_realms = ipadb_check_transited_realms, +.check_policy_as = ipadb_check_policy_as, +.audit_as_req = ipadb_audit_as_req, +.check_allowed_to_delegate = ipadb_check_allowed_to_delegate }; +#elif KRB5_KDB_DAL_MAJOR_VERSION == 6 +kdb_vftabl kdb_function_table = { +.maj_ver = KRB5_KDB_DAL_MAJOR_VERSION, +.min_ver = 0, +.init_library = ipadb_init_library, +.fini_library = ipadb_fini_library, +.init_module = ipadb_init_module, +.fini_module = ipadb_fini_module, +.create = ipadb_create, +.get_age = ipadb_get_age, +.get_principal
[Freeipa-devel] [freeipa PR#187][comment] Register entry points of Custodia plugins
URL: https://github.com/freeipa/freeipa/pull/187 Title: #187: Register entry points of Custodia plugins simo5 commented: """ Forgot the reasons, I was probably not thinking about PEP8 back then. """ See the full comment at https://github.com/freeipa/freeipa/pull/187#issuecomment-259963079
[Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install
URL: https://github.com/freeipa/freeipa/pull/62 Title: #62: Configure Anonymous PKINIT on server install simo5 commented: """ @splashx you would have to manually configure each KDC and give them certs, it is doable. """ See the full comment at https://github.com/freeipa/freeipa/pull/62#issuecomment-261950279
[Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install
URL: https://github.com/freeipa/freeipa/pull/62 Title: #62: Configure Anonymous PKINIT on server install simo5 commented: """ @splashx we are starting to pollute this PR here now. Please provide KDC logs on the user's mailing list and let's proceed there. """ See the full comment at https://github.com/freeipa/freeipa/pull/62#issuecomment-263401055
[Freeipa-devel] [freeipa PR#206][comment] Properly handle multiple cookies in rpcclient
URL: https://github.com/freeipa/freeipa/pull/206 Title: #206: Properly handle multiple cookies in rpcclient simo5 commented: """ This new patch should fix it. """ See the full comment at https://github.com/freeipa/freeipa/pull/206#issuecomment-264299396
[Freeipa-devel] [freeipa PR#206][synchronized] Properly handle multiple cookies in rpcclient
URL: https://github.com/freeipa/freeipa/pull/206 Author: simo5 Title: #206: Properly handle multiple cookies in rpcclient Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/206/head:pr206 git checkout pr206 From 25f0224a76c1dd1942fcaef2b3a606ab21d6c805 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 1 Nov 2016 14:59:12 -0400 Subject: [PATCH 1/2] Properly handle multiple cookies in rpcclient Signed-off-by: Simo Sorce --- ipalib/rpc.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipalib/rpc.py b/ipalib/rpc.py index bd13251..dc63dc3 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -721,7 +721,7 @@ def store_session_cookie(self, cookie_header): pass def parse_response(self, response): -self.store_session_cookie(response.getheader('Set-Cookie')) +self.store_session_cookie(response.msg.getheaders('Set-Cookie')) return SSLTransport.parse_response(self, response) From 0c6581b72d2af1bf45a88428b86e54d5dac4fc9e Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Fri, 30 Sep 2016 16:17:31 -0400 Subject: [PATCH 2/2] Properly handle multiple cookies in rpc lib. Signed-off-by: Simo Sorce --- ipalib/rpc.py | 13 ++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/ipalib/rpc.py b/ipalib/rpc.py index dc63dc3..63ca87c 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py 
@@ -699,12 +699,19 @@ def store_session_cookie(self, cookie_header): principal = getattr(context, 'principal', None) request_url = getattr(context, 'request_url', None) -root_logger.debug("received Set-Cookie '%s'", cookie_header) +root_logger.debug("received Set-Cookie (%s)'%s'", type(cookie_header), cookie_header) + +if not isinstance(cookie_header, list): +cookie_header = [cookie_header] # Search for the session cookie try: -session_cookie = Cookie.get_named_cookie_from_string(cookie_header, - COOKIE_NAME, request_url) +for cookie in cookie_header: +session_cookie = \ +Cookie.get_named_cookie_from_string(cookie, COOKIE_NAME, +request_url) +if session_cookie is not None: +break except Exception as e: root_logger.error("unable to parse cookie header '%s': %s", cookie_header, e) return -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
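Review bot: in the store_session_cookie hunk, `session_cookie` is only assigned inside the `for` loop, so when `cookie_header` is an empty list (what `msg.getheaders` yields when the server sent no Set-Cookie at all) the loop body never runs and the name is unbound when the code after the `try` reads it; initialize `session_cookie = None` before the loop. Two smaller points: the new debug line is well over 79 columns and the added `type(cookie_header)` looks like leftover diagnostics, and both the old and the new message write the full cookie value, i.e. the session credential, into the debug log; logging only the cookie names would keep the debugging value without putting session identifiers in log files.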
[Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install
URL: https://github.com/freeipa/freeipa/pull/62 Title: #62: Configure Anonymous PKINIT on server install simo5 commented: """ @abbra this code needs rebase and I need it as dependency for solving ticket #5959, did you do any work on this? If not I'll rebase tomorrow. """ See the full comment at https://github.com/freeipa/freeipa/pull/62#issuecomment-264299816
[Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install
URL: https://github.com/freeipa/freeipa/pull/62 Title: #62: Configure Anonymous PKINIT on server install simo5 commented: """ Should I push your branch over my PR? """ See the full comment at https://github.com/freeipa/freeipa/pull/62#issuecomment-264407366
[Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install
URL: https://github.com/freeipa/freeipa/pull/62 Title: #62: Configure Anonymous PKINIT on server install simo5 commented: """ On Fri, 2016-12-02 at 02:18 -0800, Alexander Bokovoy wrote: > Up to you. We can either resync yours or switch over to mine. I need to merge > updater changes too before submitting it upstream, though. I'll rebase for now, when it is time for the additional work, we can decide if we are better opening a new PR or continue with this one. Simo. -- Simo Sorce * Red Hat, Inc * New York """ See the full comment at https://github.com/freeipa/freeipa/pull/62#issuecomment-264424678
[Freeipa-devel] [freeipa PR#62][synchronized] Configure Anonymous PKINIT on server install
URL: https://github.com/freeipa/freeipa/pull/62 Author: simo5 Title: #62: Configure Anonymous PKINIT on server install Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/62/head:pr62 git checkout pr62 From 25c94d10b85f351be11d1a61d5c94ec03b9f8dc6 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 26 Jul 2016 11:19:01 -0400 Subject: [PATCH] Configure Anonymous PKINIT on server install Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST authentication (necessary for 2FA for example) using an anonymous krbtgt obtained via Pkinit. https://fedorahosted.org/freeipa/ticket/5678 Signed-off-by: Simo Sorce --- install/share/kdc.conf.template | 2 +- install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++ install/share/profiles/Makefile.am | 1 + ipalib/install/certmonger.py | 35 ++--- ipaplatform/base/paths.py| 3 +- ipapython/dogtag.py | 4 + ipaserver/install/certs.py | 10 ++- ipaserver/install/krbinstance.py | 43 +-- ipaserver/install/server/__init__.py | 4 +- ipaserver/install/server/install.py | 26 --- ipaserver/install/server/replicainstall.py | 4 +- ipaserver/plugins/cert.py| 65 +--- ipaserver/plugins/dogtag.py | 2 + 13 files changed, 263 insertions(+), 45 deletions(-) create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template index 296b75b..ec53a1f 100644 --- a/install/share/kdc.conf.template +++ b/install/share/kdc.conf.template @@ -12,6 +12,6 @@ dict_file = $DICT_WORDS default_principal_flags = +preauth ; admin_keytab = $KRB5KDC_KADM5_KEYTAB - pkinit_identity = FILE:$KDC_PEM + pkinit_identity = FILE:$KDC_CERT,$KDC_KEY pkinit_anchors = FILE:$CACERT_PEM } diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg new file mode 100644 index 000..c5e412b --- /dev/null +++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg 
@@ -0,0 +1,109 @@ +profileId=KDCs_PKINIT_Certs +classId=caEnrollImpl +desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication. +visible=false +enable=true +enableBy=admin +auth.instance_id=raCertAuth +name=IPA-RA Agent-Authenticated Server Certificate Enrollment +input.list=i1,i2 +input.i1.class_id=certReqInputImpl +input.i2.class_id=submitterInfoInputImpl +output.list=o1 +output.o1.class_id=certOutputImpl +policyset.list=serverCertSet +policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11 +policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl +policyset.serverCertSet.1.constraint.name=Subject Name Constraint +policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+ +policyset.serverCertSet.1.constraint.params.accept=true +policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl +policyset.serverCertSet.1.default.name=Subject Name Default +policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O +policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl +policyset.serverCertSet.2.constraint.name=Validity Constraint +policyset.serverCertSet.2.constraint.params.range=740 +policyset.serverCertSet.2.constraint.params.notBeforeCheck=false +policyset.serverCertSet.2.constraint.params.notAfterCheck=false +policyset.serverCertSet.2.default.class_id=validityDefaultImpl +policyset.serverCertSet.2.default.name=Validity Default +policyset.serverCertSet.2.default.params.range=731 +policyset.serverCertSet.2.default.params.startTime=0 +policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl +policyset.serverCertSet.3.constraint.name=Key Constraint +policyset.serverCertSet.3.constraint.params.keyType=RSA +policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096 +policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl +policyset.serverCertSet.3.default.name=Key Default 
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl +policyset.serverCertSet.4.constraint.name=No Constraint +policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl +policyset.serverCertSet.4.default.name=Authority Key Identifier Default +policyset.serverCertSet.5.constraint.class_id=noConstraintImpl +policyset.serverCertSet.5.constraint.name=No Constraint +policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl +policyset.serverCertSet.5.default.name=AIA Extension Default +policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true +policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName +policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://$IPA_CA_RECORD.$DOMAIN/ca/ocsp
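Review bot: in the new KDCs_PKINIT_Certs.cfg profile, `desc` and `name` are copied verbatim from the generic server-certificate profile ("This certificate profile is for enrolling server certificates with IPA-RA agent authentication", "IPA-RA Agent-Authenticated Server Certificate Enrollment"); they should say that this profile issues KDC PKINIT certificates, because a CA operator reading the profile list cannot otherwise tell it apart. `policyset.serverCertSet.list` names items 1 to 11 but the hunk is cut off after item 5 (AIA); the items that make a certificate usable for PKINIT, the `id-pkinit-KPKdc` extended key usage (1.3.6.1.5.2.3.5) and the `id-pkinit-san` otherName carrying the krbtgt principal (RFC 4556), must be among items 6 to 11, otherwise clients enforcing `pkinit_eku_checking = kpKDC` (the MIT default) will reject the KDC certificate.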
[Freeipa-devel] [freeipa PR#62][synchronized] Configure Anonymous PKINIT on server install
URL: https://github.com/freeipa/freeipa/pull/62 Author: simo5 Title: #62: Configure Anonymous PKINIT on server install Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/62/head:pr62 git checkout pr62 From 690d44d0f14225c8b0f1cb77c241ab2f267717e2 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 26 Jul 2016 11:19:01 -0400 Subject: [PATCH] Configure Anonymous PKINIT on server install Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST authentication (necessary for 2FA for example) using an anonymous krbtgt obtained via Pkinit. https://fedorahosted.org/freeipa/ticket/5678 Signed-off-by: Simo Sorce --- install/share/kdc.conf.template | 2 +- install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++ install/share/profiles/Makefile.am | 1 + ipaclient/install/client.py | 2 +- ipalib/install/certmonger.py | 43 +++ ipaplatform/base/paths.py| 3 +- ipapython/dogtag.py | 4 + ipaserver/install/cainstance.py | 2 +- ipaserver/install/certs.py | 10 ++- ipaserver/install/dsinstance.py | 2 +- ipaserver/install/httpinstance.py| 2 +- ipaserver/install/krbinstance.py | 42 +-- ipaserver/install/server/__init__.py | 4 +- ipaserver/install/server/install.py | 26 --- ipaserver/install/server/replicainstall.py | 4 +- ipaserver/plugins/cert.py| 65 +--- ipaserver/plugins/dogtag.py | 2 + 17 files changed, 270 insertions(+), 53 deletions(-) create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template index 296b75b..ec53a1f 100644 --- a/install/share/kdc.conf.template +++ b/install/share/kdc.conf.template @@ -12,6 +12,6 @@ dict_file = $DICT_WORDS default_principal_flags = +preauth ; admin_keytab = $KRB5KDC_KADM5_KEYTAB - pkinit_identity = FILE:$KDC_PEM + pkinit_identity = FILE:$KDC_CERT,$KDC_KEY pkinit_anchors = FILE:$CACERT_PEM } 
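Review bot: `pkinit_identity = FILE:$KDC_CERT,$KDC_KEY` in the kdc.conf.template hunk splits the KDC's PKINIT identity into a separate certificate and private-key file; the installer code that writes `$KDC_KEY` needs to create it owned by the KDC user with a mode that excludes everyone else (0600 or equivalent) before the KDC starts, since this key is what lets the KDC prove its identity to PKINIT clients. The template cannot enforce that by itself, so an explicit chmod in the krbinstance.py hunk that generates the file, plus a test for the resulting mode, would close the gap.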
diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg new file mode 100644 index 000..c5e412b --- /dev/null +++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg 
@@ -0,0 +1,109 @@ +profileId=KDCs_PKINIT_Certs +classId=caEnrollImpl +desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication. +visible=false +enable=true +enableBy=admin +auth.instance_id=raCertAuth +name=IPA-RA Agent-Authenticated Server Certificate Enrollment +input.list=i1,i2 +input.i1.class_id=certReqInputImpl +input.i2.class_id=submitterInfoInputImpl +output.list=o1 +output.o1.class_id=certOutputImpl +policyset.list=serverCertSet +policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11 +policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl +policyset.serverCertSet.1.constraint.name=Subject Name Constraint +policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+ +policyset.serverCertSet.1.constraint.params.accept=true +policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl +policyset.serverCertSet.1.default.name=Subject Name Default +policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O +policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl +policyset.serverCertSet.2.constraint.name=Validity Constraint +policyset.serverCertSet.2.constraint.params.range=740 +policyset.serverCertSet.2.constraint.params.notBeforeCheck=false +policyset.serverCertSet.2.constraint.params.notAfterCheck=false +policyset.serverCertSet.2.default.class_id=validityDefaultImpl +policyset.serverCertSet.2.default.name=Validity Default +policyset.serverCertSet.2.default.params.range=731 +policyset.serverCertSet.2.default.params.startTime=0 +policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl +policyset.serverCertSet.3.constraint.name=Key Constraint +policyset.serverCertSet.3.constraint.params.keyType=RSA +policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096 +policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl +policyset.serverCertSet.3.default.name=Key Default 
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl +policyset.serverCertSet.4.constraint.name=No Constraint +policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl +policyset.serverCertSet.4.default.name=Authority Key Identifier Default +policyset.serverCertSet.5.constraint.class_id=noConstraintImpl +policyset.serverCertSet.5.constraint.name=No Constraint +policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl +policyset.serverCertSet.5.default.name=AIA Extension Default +policyset.serverCertSet.5
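Review bot: the private-key file `$KDC_KEY` introduced by `+ pkinit_identity = FILE:$KDC_CERT,$KDC_KEY` in the kdc.conf.template hunk needs its ownership and mode pinned down and an upgrade path spelled out. None of the hunks visible here show where `$KDC_CERT` and `$KDC_KEY` are written (that is in the krbinstance.py part of the diffstat), so please confirm the key file is created owned by the KDC user with mode 0600, and say what happens to existing servers whose kdc.conf still references the combined `$KDC_PEM`, since a KDC that only has the old file would otherwise point its PKINIT identity at paths that do not exist.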
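Review bot: the new KDCs_PKINIT_Certs.cfg profile keeps `+desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.` and `+name=IPA-RA Agent-Authenticated Server Certificate Enrollment`, which describe a generic service certificate rather than a KDC PKINIT certificate; give both a KDC-specific wording so an administrator listing profiles can tell them apart. The policies visible in this message (1 to 5) only constrain the subject CN (`CN=[^,]+,.+`), validity and key type; the properties a PKINIT client actually verifies on a KDC certificate, the `id-pkinit-san` otherName carrying the krbtgt principal and the KDC extended key usage, must come from policies 6 to 11, which are cut off here, so please confirm they are present in the full file.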
[Freeipa-devel] [freeipa PR#62][synchronized] Configure Anonymous PKINIT on server install
URL: https://github.com/freeipa/freeipa/pull/62 Author: simo5 Title: #62: Configure Anonymous PKINIT on server install Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/62/head:pr62 git checkout pr62 From f627124a167142161dcdd4504c104b149beb65a2 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 26 Jul 2016 11:19:01 -0400 Subject: [PATCH] Configure Anonymous PKINIT on server install Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST authentication (necessary for 2FA for example) using an anonymous krbtgt obtained via Pkinit. https://fedorahosted.org/freeipa/ticket/5678 Signed-off-by: Simo Sorce --- install/share/kdc.conf.template | 2 +- install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++ install/share/profiles/Makefile.am | 1 + ipaclient/install/client.py | 2 +- ipalib/install/certmonger.py | 43 +++ ipaplatform/base/paths.py| 3 +- ipapython/dogtag.py | 4 + ipaserver/install/cainstance.py | 2 +- ipaserver/install/certs.py | 10 ++- ipaserver/install/dsinstance.py | 2 +- ipaserver/install/httpinstance.py| 2 +- ipaserver/install/krbinstance.py | 43 +-- ipaserver/install/server/__init__.py | 4 +- ipaserver/install/server/install.py | 26 --- ipaserver/install/server/replicainstall.py | 4 +- ipaserver/plugins/cert.py| 65 +--- ipaserver/plugins/dogtag.py | 2 + 17 files changed, 271 insertions(+), 53 deletions(-) create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template index 296b75b..ec53a1f 100644 --- a/install/share/kdc.conf.template +++ b/install/share/kdc.conf.template @@ -12,6 +12,6 @@ dict_file = $DICT_WORDS default_principal_flags = +preauth ; admin_keytab = $KRB5KDC_KADM5_KEYTAB - pkinit_identity = FILE:$KDC_PEM + pkinit_identity = FILE:$KDC_CERT,$KDC_KEY pkinit_anchors = FILE:$CACERT_PEM } 
diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg new file mode 100644 index 000..c5e412b --- /dev/null +++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg 
@@ -0,0 +1,109 @@ +profileId=KDCs_PKINIT_Certs +classId=caEnrollImpl +desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication. +visible=false +enable=true +enableBy=admin +auth.instance_id=raCertAuth +name=IPA-RA Agent-Authenticated Server Certificate Enrollment +input.list=i1,i2 +input.i1.class_id=certReqInputImpl +input.i2.class_id=submitterInfoInputImpl +output.list=o1 +output.o1.class_id=certOutputImpl +policyset.list=serverCertSet +policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11 +policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl +policyset.serverCertSet.1.constraint.name=Subject Name Constraint +policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+ +policyset.serverCertSet.1.constraint.params.accept=true +policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl +policyset.serverCertSet.1.default.name=Subject Name Default +policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O +policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl +policyset.serverCertSet.2.constraint.name=Validity Constraint +policyset.serverCertSet.2.constraint.params.range=740 +policyset.serverCertSet.2.constraint.params.notBeforeCheck=false +policyset.serverCertSet.2.constraint.params.notAfterCheck=false +policyset.serverCertSet.2.default.class_id=validityDefaultImpl +policyset.serverCertSet.2.default.name=Validity Default +policyset.serverCertSet.2.default.params.range=731 +policyset.serverCertSet.2.default.params.startTime=0 +policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl +policyset.serverCertSet.3.constraint.name=Key Constraint +policyset.serverCertSet.3.constraint.params.keyType=RSA +policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096 +policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl +policyset.serverCertSet.3.default.name=Key Default 
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl +policyset.serverCertSet.4.constraint.name=No Constraint +policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl +policyset.serverCertSet.4.default.name=Authority Key Identifier Default +policyset.serverCertSet.5.constraint.class_id=noConstraintImpl +policyset.serverCertSet.5.constraint.name=No Constraint +policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl +policyset.serverCertSet.5.default.name=AIA Extension Default +policyset.serverCertSet.5
[Freeipa-devel] [freeipa PR#62][synchronized] Configure Anonymous PKINIT on server install
URL: https://github.com/freeipa/freeipa/pull/62 Author: simo5 Title: #62: Configure Anonymous PKINIT on server install Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/62/head:pr62 git checkout pr62 From d0139ed393cc59c71a0dfd6ec55d25ea5490c6f9 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 26 Jul 2016 11:19:01 -0400 Subject: [PATCH] Configure Anonymous PKINIT on server install Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST authentication (necessary for 2FA for example) using an anonymous krbtgt obtained via Pkinit. https://fedorahosted.org/freeipa/ticket/5678 Signed-off-by: Simo Sorce --- install/share/kdc.conf.template | 2 +- install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++ install/share/profiles/Makefile.am | 1 + ipaclient/install/client.py | 2 +- ipalib/install/certmonger.py | 43 +++ ipaplatform/base/paths.py| 3 +- ipapython/dogtag.py | 4 + ipaserver/install/cainstance.py | 2 +- ipaserver/install/certs.py | 10 ++- ipaserver/install/dsinstance.py | 2 +- ipaserver/install/httpinstance.py| 2 +- ipaserver/install/krbinstance.py | 47 +--- ipaserver/install/server/__init__.py | 4 +- ipaserver/install/server/install.py | 26 --- ipaserver/install/server/replicainstall.py | 4 +- ipaserver/plugins/cert.py| 65 +--- ipaserver/plugins/dogtag.py | 2 + 17 files changed, 271 insertions(+), 57 deletions(-) create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template index 296b75b..ec53a1f 100644 --- a/install/share/kdc.conf.template +++ b/install/share/kdc.conf.template @@ -12,6 +12,6 @@ dict_file = $DICT_WORDS default_principal_flags = +preauth ; admin_keytab = $KRB5KDC_KADM5_KEYTAB - pkinit_identity = FILE:$KDC_PEM + pkinit_identity = FILE:$KDC_CERT,$KDC_KEY pkinit_anchors = FILE:$CACERT_PEM } 
diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg new file mode 100644 index 000..c5e412b --- /dev/null +++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg 
@@ -0,0 +1,109 @@ +profileId=KDCs_PKINIT_Certs +classId=caEnrollImpl +desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication. +visible=false +enable=true +enableBy=admin +auth.instance_id=raCertAuth +name=IPA-RA Agent-Authenticated Server Certificate Enrollment +input.list=i1,i2 +input.i1.class_id=certReqInputImpl +input.i2.class_id=submitterInfoInputImpl +output.list=o1 +output.o1.class_id=certOutputImpl +policyset.list=serverCertSet +policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11 +policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl +policyset.serverCertSet.1.constraint.name=Subject Name Constraint +policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+ +policyset.serverCertSet.1.constraint.params.accept=true +policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl +policyset.serverCertSet.1.default.name=Subject Name Default +policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O +policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl +policyset.serverCertSet.2.constraint.name=Validity Constraint +policyset.serverCertSet.2.constraint.params.range=740 +policyset.serverCertSet.2.constraint.params.notBeforeCheck=false +policyset.serverCertSet.2.constraint.params.notAfterCheck=false +policyset.serverCertSet.2.default.class_id=validityDefaultImpl +policyset.serverCertSet.2.default.name=Validity Default +policyset.serverCertSet.2.default.params.range=731 +policyset.serverCertSet.2.default.params.startTime=0 +policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl +policyset.serverCertSet.3.constraint.name=Key Constraint +policyset.serverCertSet.3.constraint.params.keyType=RSA +policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096 +policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl +policyset.serverCertSet.3.default.name=Key Default 
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl +policyset.serverCertSet.4.constraint.name=No Constraint +policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl +policyset.serverCertSet.4.default.name=Authority Key Identifier Default +policyset.serverCertSet.5.constraint.class_id=noConstraintImpl +policyset.serverCertSet.5.constraint.name=No Constraint +policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl +policyset.serverCertSet.5.default.name=AIA Extension Default +policyset.serverCertSet.5
[Freeipa-devel] [freeipa PR#62][synchronized] Configure Anonymous PKINIT on server install
URL: https://github.com/freeipa/freeipa/pull/62 Author: simo5 Title: #62: Configure Anonymous PKINIT on server install Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/62/head:pr62 git checkout pr62 From 1efbefb055c0d3245f86e0182031b6be13869b47 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 26 Jul 2016 11:19:01 -0400 Subject: [PATCH] Configure Anonymous PKINIT on server install Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST authentication (necessary for 2FA for example) using an anonymous krbtgt obtained via Pkinit. https://fedorahosted.org/freeipa/ticket/5678 Signed-off-by: Simo Sorce --- install/share/kdc.conf.template | 2 +- install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++ install/share/profiles/Makefile.am | 1 + ipaclient/install/client.py | 2 +- ipalib/install/certmonger.py | 43 +++ ipaplatform/base/paths.py| 3 +- ipapython/dogtag.py | 4 + ipaserver/install/cainstance.py | 2 +- ipaserver/install/certs.py | 10 ++- ipaserver/install/dsinstance.py | 2 +- ipaserver/install/httpinstance.py| 2 +- ipaserver/install/krbinstance.py | 47 +--- ipaserver/install/server/__init__.py | 4 +- ipaserver/install/server/install.py | 26 --- ipaserver/install/server/replicainstall.py | 4 +- ipaserver/plugins/cert.py| 82 ipaserver/plugins/dogtag.py | 2 + 17 files changed, 281 insertions(+), 64 deletions(-) create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template index 296b75b..ec53a1f 100644 --- a/install/share/kdc.conf.template +++ b/install/share/kdc.conf.template @@ -12,6 +12,6 @@ dict_file = $DICT_WORDS default_principal_flags = +preauth ; admin_keytab = $KRB5KDC_KADM5_KEYTAB - pkinit_identity = FILE:$KDC_PEM + pkinit_identity = FILE:$KDC_CERT,$KDC_KEY pkinit_anchors = FILE:$CACERT_PEM } 
diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg new file mode 100644 index 000..c5e412b --- /dev/null +++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg 
@@ -0,0 +1,109 @@ +profileId=KDCs_PKINIT_Certs +classId=caEnrollImpl +desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication. +visible=false +enable=true +enableBy=admin +auth.instance_id=raCertAuth +name=IPA-RA Agent-Authenticated Server Certificate Enrollment +input.list=i1,i2 +input.i1.class_id=certReqInputImpl +input.i2.class_id=submitterInfoInputImpl +output.list=o1 +output.o1.class_id=certOutputImpl +policyset.list=serverCertSet +policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11 +policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl +policyset.serverCertSet.1.constraint.name=Subject Name Constraint +policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+ +policyset.serverCertSet.1.constraint.params.accept=true +policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl +policyset.serverCertSet.1.default.name=Subject Name Default +policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O +policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl +policyset.serverCertSet.2.constraint.name=Validity Constraint +policyset.serverCertSet.2.constraint.params.range=740 +policyset.serverCertSet.2.constraint.params.notBeforeCheck=false +policyset.serverCertSet.2.constraint.params.notAfterCheck=false +policyset.serverCertSet.2.default.class_id=validityDefaultImpl +policyset.serverCertSet.2.default.name=Validity Default +policyset.serverCertSet.2.default.params.range=731 +policyset.serverCertSet.2.default.params.startTime=0 +policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl +policyset.serverCertSet.3.constraint.name=Key Constraint +policyset.serverCertSet.3.constraint.params.keyType=RSA +policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096 +policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl +policyset.serverCertSet.3.default.name=Key Default 
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl +policyset.serverCertSet.4.constraint.name=No Constraint +policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl +policyset.serverCertSet.4.default.name=Authority Key Identifier Default +policyset.serverCertSet.5.constraint.class_id=noConstraintImpl +policyset.serverCertSet.5.constraint.name=No Constraint +policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl +policyset.serverCertSet.5.default.name=AIA Extension Default +policyset.serverCertSet.5
[Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install
URL: https://github.com/freeipa/freeipa/pull/62 Title: #62: Configure Anonymous PKINIT on server install simo5 commented: """ Rebased on latest master """ See the full comment at https://github.com/freeipa/freeipa/pull/62#issuecomment-265201018 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#62][synchronized] Configure Anonymous PKINIT on server install
URL: https://github.com/freeipa/freeipa/pull/62 Author: simo5 Title: #62: Configure Anonymous PKINIT on server install Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/62/head:pr62 git checkout pr62 From 5a793773c9a2fb1f24161220f1f306372c036b6b Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 26 Jul 2016 11:19:01 -0400 Subject: [PATCH] Configure Anonymous PKINIT on server install Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST authentication (necessary for 2FA for example) using an anonymous krbtgt obtained via Pkinit. https://fedorahosted.org/freeipa/ticket/5678 Signed-off-by: Simo Sorce --- install/share/kdc.conf.template | 2 +- install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++ install/share/profiles/Makefile.am | 1 + ipaclient/install/client.py | 2 +- ipalib/install/certmonger.py | 43 +++ ipaplatform/base/paths.py| 3 +- ipapython/dogtag.py | 4 + ipaserver/install/cainstance.py | 2 +- ipaserver/install/certs.py | 10 ++- ipaserver/install/dsinstance.py | 2 +- ipaserver/install/httpinstance.py| 2 +- ipaserver/install/krbinstance.py | 47 +--- ipaserver/install/server/__init__.py | 4 +- ipaserver/install/server/install.py | 26 --- ipaserver/install/server/replicainstall.py | 4 +- ipaserver/plugins/cert.py| 83 ipaserver/plugins/dogtag.py | 2 + 17 files changed, 282 insertions(+), 64 deletions(-) create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template index 296b75b..ec53a1f 100644 --- a/install/share/kdc.conf.template +++ b/install/share/kdc.conf.template @@ -12,6 +12,6 @@ dict_file = $DICT_WORDS default_principal_flags = +preauth ; admin_keytab = $KRB5KDC_KADM5_KEYTAB - pkinit_identity = FILE:$KDC_PEM + pkinit_identity = FILE:$KDC_CERT,$KDC_KEY pkinit_anchors = FILE:$CACERT_PEM } 
diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg new file mode 100644 index 000..c5e412b --- /dev/null +++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg 
@@ -0,0 +1,109 @@ +profileId=KDCs_PKINIT_Certs +classId=caEnrollImpl +desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication. +visible=false +enable=true +enableBy=admin +auth.instance_id=raCertAuth +name=IPA-RA Agent-Authenticated Server Certificate Enrollment +input.list=i1,i2 +input.i1.class_id=certReqInputImpl +input.i2.class_id=submitterInfoInputImpl +output.list=o1 +output.o1.class_id=certOutputImpl +policyset.list=serverCertSet +policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11 +policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl +policyset.serverCertSet.1.constraint.name=Subject Name Constraint +policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+ +policyset.serverCertSet.1.constraint.params.accept=true +policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl +policyset.serverCertSet.1.default.name=Subject Name Default +policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O +policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl +policyset.serverCertSet.2.constraint.name=Validity Constraint +policyset.serverCertSet.2.constraint.params.range=740 +policyset.serverCertSet.2.constraint.params.notBeforeCheck=false +policyset.serverCertSet.2.constraint.params.notAfterCheck=false +policyset.serverCertSet.2.default.class_id=validityDefaultImpl +policyset.serverCertSet.2.default.name=Validity Default +policyset.serverCertSet.2.default.params.range=731 +policyset.serverCertSet.2.default.params.startTime=0 +policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl +policyset.serverCertSet.3.constraint.name=Key Constraint +policyset.serverCertSet.3.constraint.params.keyType=RSA +policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096 +policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl +policyset.serverCertSet.3.default.name=Key Default 
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl +policyset.serverCertSet.4.constraint.name=No Constraint +policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl +policyset.serverCertSet.4.default.name=Authority Key Identifier Default +policyset.serverCertSet.5.constraint.class_id=noConstraintImpl +policyset.serverCertSet.5.constraint.name=No Constraint +policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl +policyset.serverCertSet.5.default.name=AIA Extension Default +policyset.serverCertSet.5
[Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install
URL: https://github.com/freeipa/freeipa/pull/62 Title: #62: Configure Anonymous PKINIT on server install simo5 commented: """ Rebasing this code is becoming a little difficult, @frasertweedale can you take a look and confirm the changes in cert.py are ok? """ See the full comment at https://github.com/freeipa/freeipa/pull/62#issuecomment-265206007
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code simo5 commented: """ Yeah going through those right now """ See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-265234514
[Freeipa-devel] [freeipa PR#206][comment] Properly handle multiple cookies in rpcclient
URL: https://github.com/freeipa/freeipa/pull/206 Title: #206: Properly handle multiple cookies in rpcclient simo5 commented: """ Yes, getting there, be patient, I discovered other stuff as I fixed pylint per single patch :) """ See the full comment at https://github.com/freeipa/freeipa/pull/206#issuecomment-265406741
[Freeipa-devel] [freeipa PR#206][comment] Properly handle multiple cookies in rpcclient
URL: https://github.com/freeipa/freeipa/pull/206 Title: #206: Properly handle multiple cookies in rpcclient simo5 commented: """ Sorry I thought this PR was the priv sep one, I have fixes for this, pushing in a moment. """ See the full comment at https://github.com/freeipa/freeipa/pull/206#issuecomment-265407701
[Freeipa-devel] [freeipa PR#206][synchronized] Properly handle multiple cookies in rpcclient
URL: https://github.com/freeipa/freeipa/pull/206 Author: simo5 Title: #206: Properly handle multiple cookies in rpcclient Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/206/head:pr206 git checkout pr206 From df541c3c1bef0cfdfc0c6c412218eeb69ef0affd Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 1 Nov 2016 14:59:12 -0400 Subject: [PATCH 1/2] Properly handle multiple cookies in rpcclient Signed-off-by: Simo Sorce --- ipalib/rpc.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipalib/rpc.py b/ipalib/rpc.py index bd13251..dc63dc3 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -721,7 +721,7 @@ def store_session_cookie(self, cookie_header): pass def parse_response(self, response): -self.store_session_cookie(response.getheader('Set-Cookie')) +self.store_session_cookie(response.msg.getheaders('Set-Cookie')) return SSLTransport.parse_response(self, response) From 5fe6cac8e2a006d8c2b11fab6fd7a5dbeebdcce7 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Fri, 30 Sep 2016 16:17:31 -0400 Subject: [PATCH 2/2] Properly handle multiple cookies in rpc lib. Signed-off-by: Simo Sorce --- ipalib/rpc.py | 14 +++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/ipalib/rpc.py b/ipalib/rpc.py index dc63dc3..bd25e6f 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py 
@@ -699,12 +699,20 @@ def store_session_cookie(self, cookie_header): principal = getattr(context, 'principal', None) request_url = getattr(context, 'request_url', None) -root_logger.debug("received Set-Cookie '%s'", cookie_header) +root_logger.debug("received Set-Cookie (%s)'%s'", type(cookie_header), + cookie_header) + +if not isinstance(cookie_header, list): +cookie_header = [cookie_header] # Search for the session cookie try: -session_cookie = Cookie.get_named_cookie_from_string(cookie_header, - COOKIE_NAME, request_url) +for cookie in cookie_header: +session_cookie = \ +Cookie.get_named_cookie_from_string(cookie, COOKIE_NAME, +request_url) +if session_cookie is not None: +break except Exception as e: root_logger.error("unable to parse cookie header '%s': %s", cookie_header, e) return -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
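Review bot: `+self.store_session_cookie(response.msg.getheaders('Set-Cookie'))` in the parse_response hunk of patch 1/2 relies on the Python 2 `mimetools.Message` API; on Python 3 `response.msg` is an `http.client.HTTPMessage` (an `email.message.Message`), which offers `get_all('Set-Cookie')` but has no `getheaders()`, so this line raises AttributeError there. If ipalib/rpc.py is meant to run on both interpreters, select the accessor at runtime, for example `getattr(response.msg, 'getheaders', None) or response.msg.get_all`, rather than hard-coding the Python 2 name.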
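Review bot: in the store_session_cookie hunk of patch 2/2, `session_cookie` is only assigned inside the new `+for cookie in cookie_header:` loop, so when the caller passes an empty list (which is what `getheaders('Set-Cookie')` returns when the response carries no Set-Cookie header) the loop body never runs and any use of `session_cookie` after the try block hits an unbound local; initialise `session_cookie = None` before the loop, or return early when the list is empty. Minor: the debug format string `"received Set-Cookie (%s)'%s'"` is missing a space between the type and the value.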
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code simo5 commented: """ Updated branch, hopefully lint will be happy. While there I discovered dcerpc.py was using the HTTP keytab, after discussing with @abbra we decided to just remove such use for now and see later if we need any changes. The use was rare and in the important cases we have already a better option in the code. """ See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-265410793
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code simo5 commented: """ Note: this PR also depends on and includes commits from #206 """ See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-265432380
[Freeipa-devel] [freeipa PR#62][synchronized] Configure Anonymous PKINIT on server install
URL: https://github.com/freeipa/freeipa/pull/62 Author: simo5 Title: #62: Configure Anonymous PKINIT on server install Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/62/head:pr62 git checkout pr62 From 27e72f6512147a91e575b0ba0e6006cc7b185902 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 26 Jul 2016 11:19:01 -0400 Subject: [PATCH] Configure Anonymous PKINIT on server install Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST authentication (necessary for 2FA for example) using an anonymous krbtgt obtained via Pkinit. https://fedorahosted.org/freeipa/ticket/5678 Signed-off-by: Simo Sorce --- install/share/kdc.conf.template | 2 +- install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++ install/share/profiles/Makefile.am | 1 + ipaclient/install/client.py | 2 +- ipalib/install/certmonger.py | 43 +++ ipaplatform/base/paths.py| 3 +- ipapython/dogtag.py | 4 + ipaserver/install/cainstance.py | 2 +- ipaserver/install/certs.py | 10 ++- ipaserver/install/dsinstance.py | 2 +- ipaserver/install/httpinstance.py| 2 +- ipaserver/install/krbinstance.py | 47 +--- ipaserver/install/server/__init__.py | 4 +- ipaserver/install/server/install.py | 21 +++--- ipaserver/install/server/replicainstall.py | 4 +- ipaserver/plugins/cert.py| 77 +++ ipaserver/plugins/dogtag.py | 2 + 17 files changed, 272 insertions(+), 63 deletions(-) create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template index 296b75b..ec53a1f 100644 --- a/install/share/kdc.conf.template +++ b/install/share/kdc.conf.template @@ -12,6 +12,6 @@ dict_file = $DICT_WORDS default_principal_flags = +preauth ; admin_keytab = $KRB5KDC_KADM5_KEYTAB - pkinit_identity = FILE:$KDC_PEM + pkinit_identity = FILE:$KDC_CERT,$KDC_KEY pkinit_anchors = FILE:$CACERT_PEM } 
diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg new file mode 100644 index 000..c5e412b --- /dev/null +++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg 
@@ -0,0 +1,109 @@ +profileId=KDCs_PKINIT_Certs +classId=caEnrollImpl +desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication. +visible=false +enable=true +enableBy=admin +auth.instance_id=raCertAuth +name=IPA-RA Agent-Authenticated Server Certificate Enrollment +input.list=i1,i2 +input.i1.class_id=certReqInputImpl +input.i2.class_id=submitterInfoInputImpl +output.list=o1 +output.o1.class_id=certOutputImpl +policyset.list=serverCertSet +policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11 +policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl +policyset.serverCertSet.1.constraint.name=Subject Name Constraint +policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+ +policyset.serverCertSet.1.constraint.params.accept=true +policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl +policyset.serverCertSet.1.default.name=Subject Name Default +policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O +policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl +policyset.serverCertSet.2.constraint.name=Validity Constraint +policyset.serverCertSet.2.constraint.params.range=740 +policyset.serverCertSet.2.constraint.params.notBeforeCheck=false +policyset.serverCertSet.2.constraint.params.notAfterCheck=false +policyset.serverCertSet.2.default.class_id=validityDefaultImpl +policyset.serverCertSet.2.default.name=Validity Default +policyset.serverCertSet.2.default.params.range=731 +policyset.serverCertSet.2.default.params.startTime=0 +policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl +policyset.serverCertSet.3.constraint.name=Key Constraint +policyset.serverCertSet.3.constraint.params.keyType=RSA +policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096 +policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl +policyset.serverCertSet.3.default.name=Key Default 
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl +policyset.serverCertSet.4.constraint.name=No Constraint +policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl +policyset.serverCertSet.4.default.name=Authority Key Identifier Default +policyset.serverCertSet.5.constraint.class_id=noConstraintImpl +policyset.serverCertSet.5.constraint.name=No Constraint +policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl +policyset.serverCertSet.5.default.name=AIA Extension Default +policyset.serverCertSet.5
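Review bot: `desc` and `name` in this new profile still carry the generic "server certificates with IPA-RA agent authentication" wording, while `profileId=KDCs_PKINIT_Certs` says it issues KDC PKINIT certificates; both strings should state that purpose so an operator listing profiles can tell it apart from the service certificate profile it was copied from. The hunk as shown stops at policyset 5 of the 11 in `policyset.serverCertSet.list`, so the PKINIT-specific parts (the id-pkinit-KPKdc extended key usage and the KDC principal name in the SAN, which RFC 4556 clients check on the KDC certificate) cannot be verified here; please confirm they are in policysets 6 to 11, because without them a client with strict KDC certificate checking rejects the anonymous PKINIT exchange this PR enables.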
[Freeipa-devel] [freeipa PR#62][synchronized] Configure Anonymous PKINIT on server install
URL: https://github.com/freeipa/freeipa/pull/62 Author: simo5 Title: #62: Configure Anonymous PKINIT on server install Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/62/head:pr62 git checkout pr62 From 7bab75c3bdd59b16879c0f48f7293deb495666d9 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 26 Jul 2016 11:19:01 -0400 Subject: [PATCH] Configure Anonymous PKINIT on server install Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST authentication (necessary for 2FA for example) using an anonymous krbtgt obtained via Pkinit. https://fedorahosted.org/freeipa/ticket/5678 Signed-off-by: Simo Sorce --- install/share/kdc.conf.template | 2 +- install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++ install/share/profiles/Makefile.am | 1 + ipaclient/install/client.py | 2 +- ipalib/install/certmonger.py | 43 +++ ipaplatform/base/paths.py| 3 +- ipapython/dogtag.py | 4 + ipaserver/install/cainstance.py | 2 +- ipaserver/install/certs.py | 10 ++- ipaserver/install/dsinstance.py | 2 +- ipaserver/install/httpinstance.py| 2 +- ipaserver/install/krbinstance.py | 52 + ipaserver/install/server/__init__.py | 4 +- ipaserver/install/server/install.py | 21 +++--- ipaserver/install/server/replicainstall.py | 4 +- ipaserver/install/server/upgrade.py | 19 + ipaserver/plugins/cert.py| 80 +++- ipaserver/plugins/dogtag.py | 2 + 18 files changed, 293 insertions(+), 69 deletions(-) create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template index 296b75b..ec53a1f 100644 --- a/install/share/kdc.conf.template +++ b/install/share/kdc.conf.template @@ -12,6 +12,6 @@ dict_file = $DICT_WORDS default_principal_flags = +preauth ; admin_keytab = $KRB5KDC_KADM5_KEYTAB - pkinit_identity = FILE:$KDC_PEM + pkinit_identity = FILE:$KDC_CERT,$KDC_KEY pkinit_anchors = FILE:$CACERT_PEM } 
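Review bot: `pkinit_identity = FILE:$KDC_CERT,$KDC_KEY` makes the KDC private key a file of its own, so the installer must create `$KDC_KEY` readable only by the KDC, and the upgrade path (ipaserver/install/server/upgrade.py appears in the diffstat) must rewrite existing kdc.conf files that still reference the combined `$KDC_PEM`, otherwise an upgraded KDC keeps serving PKINIT with the old identity or fails to start once that file is gone. Please also note the two new template variables where `$KDC_PEM` was defined so nothing else still substitutes it.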
diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg new file mode 100644 index 000..c5e412b --- /dev/null +++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg 
@@ -0,0 +1,109 @@ +profileId=KDCs_PKINIT_Certs +classId=caEnrollImpl +desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication. +visible=false +enable=true +enableBy=admin +auth.instance_id=raCertAuth +name=IPA-RA Agent-Authenticated Server Certificate Enrollment +input.list=i1,i2 +input.i1.class_id=certReqInputImpl +input.i2.class_id=submitterInfoInputImpl +output.list=o1 +output.o1.class_id=certOutputImpl +policyset.list=serverCertSet +policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11 +policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl +policyset.serverCertSet.1.constraint.name=Subject Name Constraint +policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+ +policyset.serverCertSet.1.constraint.params.accept=true +policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl +policyset.serverCertSet.1.default.name=Subject Name Default +policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O +policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl +policyset.serverCertSet.2.constraint.name=Validity Constraint +policyset.serverCertSet.2.constraint.params.range=740 +policyset.serverCertSet.2.constraint.params.notBeforeCheck=false +policyset.serverCertSet.2.constraint.params.notAfterCheck=false +policyset.serverCertSet.2.default.class_id=validityDefaultImpl +policyset.serverCertSet.2.default.name=Validity Default +policyset.serverCertSet.2.default.params.range=731 +policyset.serverCertSet.2.default.params.startTime=0 +policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl +policyset.serverCertSet.3.constraint.name=Key Constraint +policyset.serverCertSet.3.constraint.params.keyType=RSA +policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096 +policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl +policyset.serverCertSet.3.default.name=Key Default 
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl +policyset.serverCertSet.4.constraint.name=No Constraint +policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl +policyset.serverCertSet.4.default.name=Authority Key Identifier Default +policyset.serverCertSet.5.constraint.class_id=noConstraintImpl +policyset.serverCertSet.5.constraint.name=No Constraint +policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl +policyset.serverCertSet.5
[Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install
URL: https://github.com/freeipa/freeipa/pull/62 Title: #62: Configure Anonymous PKINIT on server install simo5 commented: """ @martbab your concerns should be addressed in this revision. I also started adding upgrade code, but it is still not fully tested. In the process I locally get 2 pylint errors about the hostname property used on 2 out of 3 Principal() objects in cert.py. I am sorta baffled at why that is, but it is late here, so I decided to push the code and see if anyone has an idea. """ See the full comment at https://github.com/freeipa/freeipa/pull/62#issuecomment-265598252
[Freeipa-devel] [freeipa PR#206][synchronized] Properly handle multiple cookies in rpcclient
URL: https://github.com/freeipa/freeipa/pull/206 Author: simo5 Title: #206: Properly handle multiple cookies in rpcclient Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/206/head:pr206 git checkout pr206 From 9f44fac9f07b727711809bbae0d27ebd149a855a Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 1 Nov 2016 14:59:12 -0400 Subject: [PATCH 1/2] Properly handle multiple cookies in rpcclient Signed-off-by: Simo Sorce --- ipalib/rpc.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipalib/rpc.py b/ipalib/rpc.py index bd13251..dc63dc3 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -721,7 +721,7 @@ def store_session_cookie(self, cookie_header): pass def parse_response(self, response): -self.store_session_cookie(response.getheader('Set-Cookie')) +self.store_session_cookie(response.msg.getheaders('Set-Cookie')) return SSLTransport.parse_response(self, response) From 8bb4abb782a7e1e20332969a9f1a72dfc5187582 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Fri, 30 Sep 2016 16:17:31 -0400 Subject: [PATCH 2/2] Properly handle multiple cookies in rpc lib. Signed-off-by: Simo Sorce --- ipalib/rpc.py | 14 +++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/ipalib/rpc.py b/ipalib/rpc.py index dc63dc3..bd25e6f 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py 
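Review bot: `response.msg.getheaders('Set-Cookie')` depends on the Python 2 `httplib` message object (`mimetools.Message.getheaders`, which returns a list of every value of that header); on Python 3 `HTTPResponse.msg` is an `email.message.Message`, which has `get_all()` instead, so this line raises AttributeError there. Use `get_all('Set-Cookie')` when running on Python 3, and keep in mind that `get_all()` returns `None` rather than `[]` when the header is absent, so the caller in `store_session_cookie` has to accept a list, an empty list and `None`.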
@@ -699,12 +699,20 @@ def store_session_cookie(self, cookie_header): principal = getattr(context, 'principal', None) request_url = getattr(context, 'request_url', None) -root_logger.debug("received Set-Cookie '%s'", cookie_header) +root_logger.debug("received Set-Cookie (%s)'%s'", type(cookie_header), + cookie_header) + +if not isinstance(cookie_header, list): +cookie_header = [cookie_header] # Search for the session cookie try: -session_cookie = Cookie.get_named_cookie_from_string(cookie_header, - COOKIE_NAME, request_url) +for cookie in cookie_header: +session_cookie = \ +Cookie.get_named_cookie_from_string(cookie, COOKIE_NAME, +request_url) +if session_cookie is not None: +break except Exception as e: root_logger.error("unable to parse cookie header '%s': %s", cookie_header, e) return -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
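Review bot: `session_cookie` is only assigned inside the `for cookie in cookie_header:` loop, so when the list is empty (a response with no Set-Cookie header, which the first patch now delivers as `[]`) the name is never bound and any later use of `session_cookie` raises UnboundLocalError; initialise `session_cookie = None` before the loop. The `if not isinstance(cookie_header, list): cookie_header = [cookie_header]` wrapping also turns a `None` header into `[None]` and hands `None` to `Cookie.get_named_cookie_from_string`, which only surfaces as the generic "unable to parse cookie header" error, so skip `None` entries explicitly. Minor: the debug format `"received Set-Cookie (%s)'%s'"` lacks a space before the quoted value.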
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code simo5 commented: """ @pspacek I added workflows to the Design page, please verify """ See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-265734321
[Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA
URL: https://github.com/freeipa/freeipa/pull/317 Title: #317: Unify password generation across FreeIPA simo5 commented: """ @stlaz, SHA-1 DOES NOT add entropy at all, you need the right number of bits in INPUT for whatever transformation you use. @mbasti-rh in what way is FIPS incompatible with base64 encoding? @stlaz, spaces may cause issues in some places where passwords are stored in files or passed (annoyingly) as shell arguments, so it is safer to avoid them in the final output, and given the way the code deals with spaces that would also simplify the random generator and avoid the bias on the 1st and last character of the password. """ See the full comment at https://github.com/freeipa/freeipa/pull/317#issuecomment-265752256
[Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA
URL: https://github.com/freeipa/freeipa/pull/317 Title: #317: Unify password generation across FreeIPA simo5 commented: """ We may need a max length argument if we are dealing with some stuff that has issues with more than max length characters ... In that case we can warn (or raise, we'll have to decide) that not enough entropy will be available if max length is not sufficient to hold the desired entropy. """ See the full comment at https://github.com/freeipa/freeipa/pull/317#issuecomment-265762543
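The password-sizing argument made in the two PR#317 comments above (entropy comes from the random input, a hash cannot add any; keep spaces out of the output; a max length that cannot hold the requested entropy should warn or raise), as an added Python example that is not FreeIPA's own generator: the function names, the alphabet and the `on_short` parameter are this example's assumptions.

```python
"""Entropy-sized password generation (added example, not FreeIPA code).

Shows the points from the PR#317 discussion:
  * a hash cannot add entropy: the generator draws enough random INPUT bits,
    and the output length follows from the alphabet size;
  * the alphabet excludes the space character, so nothing has to be trimmed;
  * every position, first and last included, is drawn from the same uniform
    distribution, so there is no positional bias;
  * a max_length that cannot hold the requested entropy raises or warns.
Function and parameter names are this example's own assumptions.
"""
import hashlib
import math
import secrets
import string
import warnings

# Constructed alphabet: letters, digits and punctuation, without space (the
# thread's point) and without quotes or backslash.  Other shell metacharacters
# remain, so a caller passing the value on a command line still quotes it.
SAFE_ALPHABET = string.ascii_letters + string.digits + "!#$%&()*+,-./:;<=>?@[]^_{|}~"


def entropy_bits(length, alphabet_size):
    """Entropy, in bits, of `length` independent uniform draws from the alphabet."""
    return length * math.log2(alphabet_size)


def length_for_entropy(bits, alphabet_size):
    """Smallest length whose uniform draws carry at least `bits` of entropy."""
    return math.ceil(bits / math.log2(alphabet_size))


def generate_password(entropy=128, max_length=None, alphabet=SAFE_ALPHABET,
                      on_short="raise"):
    """Return a password carrying at least `entropy` bits, drawn with `secrets`.

    If `max_length` cannot hold that much entropy, raise ValueError
    (on_short="raise") or warn and return the shorter, weaker password
    (on_short="warn"), the two options discussed in the thread.
    """
    if " " in alphabet:
        raise ValueError("alphabet must not contain the space character")
    if len(set(alphabet)) != len(alphabet):
        raise ValueError("alphabet must not repeat characters (that biases draws)")
    length = length_for_entropy(entropy, len(alphabet))
    if max_length is not None and length > max_length:
        msg = ("max_length=%d holds only %.1f bits of entropy, %d requested"
               % (max_length, entropy_bits(max_length, len(alphabet)), entropy))
        if on_short == "raise":
            raise ValueError(msg)
        warnings.warn(msg)
        length = max_length
    # secrets.choice is uniform over the alphabet at every position, so the
    # first and last characters are distributed exactly like the others.
    return "".join(secrets.choice(alphabet) for _ in range(length))


def distinct_sha1_outputs(input_bits):
    """Count distinct SHA-1 digests over every possible `input_bits`-bit input.

    The digest is 160 bits wide, but at most 2**input_bits outputs are
    reachable: hashing widens the representation, not the entropy.
    Kept small (12 bits is 4096 hashes) so it runs in well under a second.
    """
    nbytes = (input_bits + 7) // 8
    digests = {hashlib.sha1(i.to_bytes(nbytes, "big")).digest()
               for i in range(2 ** input_bits)}
    return len(digests)


if __name__ == "__main__":
    pw = generate_password(128)
    print(len(pw), "chars,",
          round(entropy_bits(len(pw), len(SAFE_ALPHABET)), 1), "bits")
    print("distinct SHA-1 outputs over all 12-bit inputs:",
          distinct_sha1_outputs(12))
```

`distinct_sha1_outputs(12)` returns 4096: the 160-bit digest does not create more than the 2**12 distinct values the input had, which is the "SHA-1 does not add entropy" point in concrete form.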
[Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install
URL: https://github.com/freeipa/freeipa/pull/62 Title: #62: Configure Anonymous PKINIT on server install simo5 commented: """ @martbab sometimes you are blind to your own code ... """ See the full comment at https://github.com/freeipa/freeipa/pull/62#issuecomment-265795306
[Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install
URL: https://github.com/freeipa/freeipa/pull/62 Title: #62: Configure Anonymous PKINIT on server install simo5 commented: """ @abbra I have an idea of what it might be """ See the full comment at https://github.com/freeipa/freeipa/pull/62#issuecomment-265795485
[Freeipa-devel] [freeipa PR#62][synchronized] Configure Anonymous PKINIT on server install
URL: https://github.com/freeipa/freeipa/pull/62 Author: simo5 Title: #62: Configure Anonymous PKINIT on server install Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/62/head:pr62 git checkout pr62 From 641691caf4ed92cec0bd076f3245c9456b8e9445 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 26 Jul 2016 11:19:01 -0400 Subject: [PATCH] Configure Anonymous PKINIT on server install Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST authentication (necessary for 2FA for example) using an anonymous krbtgt obtained via Pkinit. https://fedorahosted.org/freeipa/ticket/5678 Signed-off-by: Simo Sorce --- install/share/kdc.conf.template | 2 +- install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++ install/share/profiles/Makefile.am | 1 + ipaclient/install/client.py | 2 +- ipalib/install/certmonger.py | 43 +++ ipaplatform/base/paths.py| 3 +- ipapython/dogtag.py | 4 + ipaserver/install/cainstance.py | 2 +- ipaserver/install/certs.py | 10 ++- ipaserver/install/dsinstance.py | 2 +- ipaserver/install/httpinstance.py| 2 +- ipaserver/install/krbinstance.py | 52 + ipaserver/install/server/__init__.py | 4 +- ipaserver/install/server/install.py | 21 +++--- ipaserver/install/server/replicainstall.py | 4 +- ipaserver/install/server/upgrade.py | 20 + ipaserver/plugins/cert.py| 80 +++- ipaserver/plugins/dogtag.py | 2 + 18 files changed, 294 insertions(+), 69 deletions(-) create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template index 296b75b..ec53a1f 100644 --- a/install/share/kdc.conf.template +++ b/install/share/kdc.conf.template @@ -12,6 +12,6 @@ dict_file = $DICT_WORDS default_principal_flags = +preauth ; admin_keytab = $KRB5KDC_KADM5_KEYTAB - pkinit_identity = FILE:$KDC_PEM + pkinit_identity = FILE:$KDC_CERT,$KDC_KEY pkinit_anchors = FILE:$CACERT_PEM } 
diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg new file mode 100644 index 000..c5e412b --- /dev/null +++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg 
@@ -0,0 +1,109 @@ +profileId=KDCs_PKINIT_Certs +classId=caEnrollImpl +desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication. +visible=false +enable=true +enableBy=admin +auth.instance_id=raCertAuth +name=IPA-RA Agent-Authenticated Server Certificate Enrollment +input.list=i1,i2 +input.i1.class_id=certReqInputImpl +input.i2.class_id=submitterInfoInputImpl +output.list=o1 +output.o1.class_id=certOutputImpl +policyset.list=serverCertSet +policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11 +policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl +policyset.serverCertSet.1.constraint.name=Subject Name Constraint +policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+ +policyset.serverCertSet.1.constraint.params.accept=true +policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl +policyset.serverCertSet.1.default.name=Subject Name Default +policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O +policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl +policyset.serverCertSet.2.constraint.name=Validity Constraint +policyset.serverCertSet.2.constraint.params.range=740 +policyset.serverCertSet.2.constraint.params.notBeforeCheck=false +policyset.serverCertSet.2.constraint.params.notAfterCheck=false +policyset.serverCertSet.2.default.class_id=validityDefaultImpl +policyset.serverCertSet.2.default.name=Validity Default +policyset.serverCertSet.2.default.params.range=731 +policyset.serverCertSet.2.default.params.startTime=0 +policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl +policyset.serverCertSet.3.constraint.name=Key Constraint +policyset.serverCertSet.3.constraint.params.keyType=RSA +policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096 +policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl +policyset.serverCertSet.3.default.name=Key Default 
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl +policyset.serverCertSet.4.constraint.name=No Constraint +policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl +policyset.serverCertSet.4.default.name=Authority Key Identifier Default +policyset.serverCertSet.5.constraint.class_id=noConstraintImpl +policyset.serverCertSet.5.constraint.name=No Constraint +policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl +policyset.serverCertSet.5
[Freeipa-devel] [freeipa PR#62][synchronized] Configure Anonymous PKINIT on server install
URL: https://github.com/freeipa/freeipa/pull/62 Author: simo5 Title: #62: Configure Anonymous PKINIT on server install Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/62/head:pr62 git checkout pr62 From 13caff83b412cbc68073908f7a35214b9789f5e7 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 26 Jul 2016 11:19:01 -0400 Subject: [PATCH] Configure Anonymous PKINIT on server install Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST authentication (necessary for 2FA for example) using an anonymous krbtgt obtained via Pkinit. https://fedorahosted.org/freeipa/ticket/5678 Signed-off-by: Simo Sorce --- install/share/kdc.conf.template | 2 +- install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++ install/share/profiles/Makefile.am | 1 + ipaclient/install/client.py | 2 +- ipalib/install/certmonger.py | 43 +++ ipaplatform/base/paths.py| 3 +- ipapython/dogtag.py | 4 + ipaserver/install/cainstance.py | 2 +- ipaserver/install/certs.py | 10 ++- ipaserver/install/dsinstance.py | 2 +- ipaserver/install/httpinstance.py| 2 +- ipaserver/install/krbinstance.py | 53 + ipaserver/install/server/__init__.py | 4 +- ipaserver/install/server/install.py | 21 +++--- ipaserver/install/server/replicainstall.py | 4 +- ipaserver/install/server/upgrade.py | 20 + ipaserver/plugins/cert.py| 81 +++- ipaserver/plugins/dogtag.py | 2 + 18 files changed, 296 insertions(+), 69 deletions(-) create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template index 296b75b..ec53a1f 100644 --- a/install/share/kdc.conf.template +++ b/install/share/kdc.conf.template @@ -12,6 +12,6 @@ dict_file = $DICT_WORDS default_principal_flags = +preauth ; admin_keytab = $KRB5KDC_KADM5_KEYTAB - pkinit_identity = FILE:$KDC_PEM + pkinit_identity = FILE:$KDC_CERT,$KDC_KEY pkinit_anchors = FILE:$CACERT_PEM } 
diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg new file mode 100644 index 000..c5e412b --- /dev/null +++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg 
@@ -0,0 +1,109 @@ +profileId=KDCs_PKINIT_Certs +classId=caEnrollImpl +desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication. +visible=false +enable=true +enableBy=admin +auth.instance_id=raCertAuth +name=IPA-RA Agent-Authenticated Server Certificate Enrollment +input.list=i1,i2 +input.i1.class_id=certReqInputImpl +input.i2.class_id=submitterInfoInputImpl +output.list=o1 +output.o1.class_id=certOutputImpl +policyset.list=serverCertSet +policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11 +policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl +policyset.serverCertSet.1.constraint.name=Subject Name Constraint +policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+ +policyset.serverCertSet.1.constraint.params.accept=true +policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl +policyset.serverCertSet.1.default.name=Subject Name Default +policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O +policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl +policyset.serverCertSet.2.constraint.name=Validity Constraint +policyset.serverCertSet.2.constraint.params.range=740 +policyset.serverCertSet.2.constraint.params.notBeforeCheck=false +policyset.serverCertSet.2.constraint.params.notAfterCheck=false +policyset.serverCertSet.2.default.class_id=validityDefaultImpl +policyset.serverCertSet.2.default.name=Validity Default +policyset.serverCertSet.2.default.params.range=731 +policyset.serverCertSet.2.default.params.startTime=0 +policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl +policyset.serverCertSet.3.constraint.name=Key Constraint +policyset.serverCertSet.3.constraint.params.keyType=RSA +policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096 +policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl +policyset.serverCertSet.3.default.name=Key Default 
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl +policyset.serverCertSet.4.constraint.name=No Constraint +policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl +policyset.serverCertSet.4.default.name=Authority Key Identifier Default +policyset.serverCertSet.5.constraint.class_id=noConstraintImpl +policyset.serverCertSet.5.constraint.name=No Constraint +policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl +policyset.serverCertSet.5
[Freeipa-devel] [freeipa PR#314][edited] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314 Author: simo5 Title: #314: RFC: privilege separation for ipa framework code Action: edited Changed field: body Original value: """
As part of the External Authentication work this PR implements the privilege separation portion of the design available here: https://www.freeipa.org/page/V4/External_Authentication and implements tickets: https://fedorahosted.org/freeipa/ticket/5959 and https://fedorahosted.org/freeipa/ticket/4189

The update process from an old server has not been implemented yet, so this is just an RFC request at this stage. Please look at the code and let me know if you notice any major issue with it so we can correct mistakes early.

This PR depends on improvements and fixes to two dependencies: mod_auth_gssapi and gssproxy, which are not released/accepted upstream yet (all PRs filed, and will be available soon). In order to allow trying the code, I made two copr repos with the necessary changes available here:
- https://copr.fedorainfracloud.org/coprs/simo/mod_auth_gssapi/
- https://copr.fedorainfracloud.org/coprs/simo/gssproxy/

I tested a new install and both gssapi as well as password authentication work (via command line and web browser). I have not tested OTP authentication yet.

There are 2 fundamental changes in this code:
- the session handling code has been dropped in favor of deferring session handling to mod_auth_gssapi, simplifying the code greatly. As part of this change we stop using memcached.
- the framework configuration is changed to work as a different user from the Apache framework and depends on gssproxy in order to be able to access necessary credentials. (Apache itself is also using gssproxy and does not have direct access to the HTTP keytab.) This required two changes in the form-based authentication workflow:
  * The armor cache is obtained via anonymous pkinit as we do not have access anymore to the HTTP keytab. This means this PR depends on #62 (until it is accepted commits from that PR are in this PR)
  * The actual authentication is done via a loopback HTTP request to apache after we obtain a TGT, this is done in order to obtain a session cookie from mod_auth_gssapi as well as to be able to immediately discard the TGT and just keep the HTTP ticket instead.

@jcholast @pvoborni Please provide comments on the framework changes.
@rcritten @abbra do you have ideas on how to deal with dropping a service (memcached) on upgrade?
"""
[Freeipa-devel] [freeipa PR#62][synchronized] Configure Anonymous PKINIT on server install
URL: https://github.com/freeipa/freeipa/pull/62 Author: simo5 Title: #62: Configure Anonymous PKINIT on server install Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/62/head:pr62 git checkout pr62 From ab5bf9168c5d76f69527429092a31f676d4b3e23 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 26 Jul 2016 11:19:01 -0400 Subject: [PATCH] Configure Anonymous PKINIT on server install Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST authentication (necessary for 2FA for example) using an anonymous krbtgt obtained via Pkinit. https://fedorahosted.org/freeipa/ticket/5678 Signed-off-by: Simo Sorce --- install/share/kdc.conf.template | 2 +- install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++ install/share/profiles/Makefile.am | 1 + ipaclient/install/client.py | 2 +- ipalib/install/certmonger.py | 43 +++ ipaplatform/base/paths.py| 3 +- ipapython/dogtag.py | 4 + ipaserver/install/cainstance.py | 2 +- ipaserver/install/certs.py | 10 ++- ipaserver/install/dsinstance.py | 2 +- ipaserver/install/httpinstance.py| 2 +- ipaserver/install/krbinstance.py | 63 ipaserver/install/server/__init__.py | 4 +- ipaserver/install/server/install.py | 21 +++--- ipaserver/install/server/replicainstall.py | 4 +- ipaserver/install/server/upgrade.py | 36 + ipaserver/plugins/cert.py| 86 - ipaserver/plugins/dogtag.py | 2 + 18 files changed, 327 insertions(+), 69 deletions(-) create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template index 296b75b..ec53a1f 100644 --- a/install/share/kdc.conf.template +++ b/install/share/kdc.conf.template @@ -12,6 +12,6 @@ dict_file = $DICT_WORDS default_principal_flags = +preauth ; admin_keytab = $KRB5KDC_KADM5_KEYTAB - pkinit_identity = FILE:$KDC_PEM + pkinit_identity = FILE:$KDC_CERT,$KDC_KEY pkinit_anchors = FILE:$CACERT_PEM } 
diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg new file mode 100644 index 000..c5e412b --- /dev/null +++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg 
@@ -0,0 +1,109 @@ +profileId=KDCs_PKINIT_Certs +classId=caEnrollImpl +desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication. +visible=false +enable=true +enableBy=admin +auth.instance_id=raCertAuth +name=IPA-RA Agent-Authenticated Server Certificate Enrollment +input.list=i1,i2 +input.i1.class_id=certReqInputImpl +input.i2.class_id=submitterInfoInputImpl +output.list=o1 +output.o1.class_id=certOutputImpl +policyset.list=serverCertSet +policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11 +policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl +policyset.serverCertSet.1.constraint.name=Subject Name Constraint +policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+ +policyset.serverCertSet.1.constraint.params.accept=true +policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl +policyset.serverCertSet.1.default.name=Subject Name Default +policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O +policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl +policyset.serverCertSet.2.constraint.name=Validity Constraint +policyset.serverCertSet.2.constraint.params.range=740 +policyset.serverCertSet.2.constraint.params.notBeforeCheck=false +policyset.serverCertSet.2.constraint.params.notAfterCheck=false +policyset.serverCertSet.2.default.class_id=validityDefaultImpl +policyset.serverCertSet.2.default.name=Validity Default +policyset.serverCertSet.2.default.params.range=731 +policyset.serverCertSet.2.default.params.startTime=0 +policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl +policyset.serverCertSet.3.constraint.name=Key Constraint +policyset.serverCertSet.3.constraint.params.keyType=RSA +policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096 +policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl +policyset.serverCertSet.3.default.name=Key Default 
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl +policyset.serverCertSet.4.constraint.name=No Constraint +policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl +policyset.serverCertSet.4.default.name=Authority Key Identifier Default +policyset.serverCertSet.5.constraint.class_id=noConstraintImpl +policyset.serverCertSet.5.constraint.name=No Constraint +policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl +policyset.serverCertSet.5
[Freeipa-devel] [freeipa PR#62][synchronized] Configure Anonymous PKINIT on server install
URL: https://github.com/freeipa/freeipa/pull/62 Author: simo5 Title: #62: Configure Anonymous PKINIT on server install Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/62/head:pr62 git checkout pr62 From 5b287769a8bae661d05d20c041047c89a582056b Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 26 Jul 2016 11:19:01 -0400 Subject: [PATCH] Configure Anonymous PKINIT on server install Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST authentication (necessary for 2FA for example) using an anonymous krbtgt obtained via Pkinit. https://fedorahosted.org/freeipa/ticket/5678 Signed-off-by: Simo Sorce --- install/share/kdc.conf.template | 2 +- install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++ install/share/profiles/Makefile.am | 1 + ipaclient/install/client.py | 2 +- ipalib/install/certmonger.py | 43 +++ ipaplatform/base/paths.py| 3 +- ipapython/dogtag.py | 4 + ipaserver/install/cainstance.py | 2 +- ipaserver/install/certs.py | 10 ++- ipaserver/install/dsinstance.py | 2 +- ipaserver/install/httpinstance.py| 2 +- ipaserver/install/krbinstance.py | 63 ipaserver/install/server/__init__.py | 4 +- ipaserver/install/server/install.py | 21 +++--- ipaserver/install/server/replicainstall.py | 4 +- ipaserver/install/server/upgrade.py | 35 + ipaserver/plugins/cert.py| 86 - ipaserver/plugins/dogtag.py | 2 + 18 files changed, 326 insertions(+), 69 deletions(-) create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template index 296b75b..ec53a1f 100644 --- a/install/share/kdc.conf.template +++ b/install/share/kdc.conf.template @@ -12,6 +12,6 @@ dict_file = $DICT_WORDS default_principal_flags = +preauth ; admin_keytab = $KRB5KDC_KADM5_KEYTAB - pkinit_identity = FILE:$KDC_PEM + pkinit_identity = FILE:$KDC_CERT,$KDC_KEY pkinit_anchors = FILE:$CACERT_PEM } 
diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg new file mode 100644 index 000..c5e412b --- /dev/null +++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg 
@@ -0,0 +1,109 @@ +profileId=KDCs_PKINIT_Certs +classId=caEnrollImpl +desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication. +visible=false +enable=true +enableBy=admin +auth.instance_id=raCertAuth +name=IPA-RA Agent-Authenticated Server Certificate Enrollment +input.list=i1,i2 +input.i1.class_id=certReqInputImpl +input.i2.class_id=submitterInfoInputImpl +output.list=o1 +output.o1.class_id=certOutputImpl +policyset.list=serverCertSet +policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11 +policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl +policyset.serverCertSet.1.constraint.name=Subject Name Constraint +policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+ +policyset.serverCertSet.1.constraint.params.accept=true +policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl +policyset.serverCertSet.1.default.name=Subject Name Default +policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O +policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl +policyset.serverCertSet.2.constraint.name=Validity Constraint +policyset.serverCertSet.2.constraint.params.range=740 +policyset.serverCertSet.2.constraint.params.notBeforeCheck=false +policyset.serverCertSet.2.constraint.params.notAfterCheck=false +policyset.serverCertSet.2.default.class_id=validityDefaultImpl +policyset.serverCertSet.2.default.name=Validity Default +policyset.serverCertSet.2.default.params.range=731 +policyset.serverCertSet.2.default.params.startTime=0 +policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl +policyset.serverCertSet.3.constraint.name=Key Constraint +policyset.serverCertSet.3.constraint.params.keyType=RSA +policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096 +policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl +policyset.serverCertSet.3.default.name=Key Default 
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl +policyset.serverCertSet.4.constraint.name=No Constraint +policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl +policyset.serverCertSet.4.default.name=Authority Key Identifier Default +policyset.serverCertSet.5.constraint.class_id=noConstraintImpl +policyset.serverCertSet.5.constraint.name=No Constraint +policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl +policyset.serverCertSet.5
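Review bot: in the kdc.conf.template hunk pkinit_identity now names two files, FILE:$KDC_CERT,$KDC_KEY, instead of the single $KDC_PEM bundle, so the private key the KDC uses for PKINIT lives in its own file from now on; the commit message should say which paths these template variables resolve to, and the installer side of this change should create $KDC_KEY with permissions that let only the KDC read it. Existing installations that still carry the combined $KDC_PEM need the upgrade path the diffstat lists under upgrade.py, which is not visible in this excerpt.

Review bot: in the KDCs_PKINIT_Certs.cfg hunk the desc and name fields still say "server certificates with IPA-RA agent authentication" and "IPA-RA Agent-Authenticated Server Certificate Enrollment", which describes generic server certificates rather than KDC PKINIT certificates; give the new profile its own description so the profile listing is not misleading. Note also that the subject-name constraint pattern CN=[^,]+,.+ accepts any CN, so whatever restricts this profile to KDC hosts has to come from the policies beyond this excerpt (policyset entries 6 through 11); worth confirming those carry the PKINIT-specific extension defaults.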
[Freeipa-devel] [freeipa PR#62][synchronized] Configure Anonymous PKINIT on server install
URL: https://github.com/freeipa/freeipa/pull/62 Author: simo5 Title: #62: Configure Anonymous PKINIT on server install Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/62/head:pr62 git checkout pr62 From eba8fa467c3bd8a9b4378edd0c4d14a1e616cebb Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 26 Jul 2016 11:19:01 -0400 Subject: [PATCH] Configure Anonymous PKINIT on server install Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST authentication (necessary for 2FA for example) using an anonymous krbtgt obtained via Pkinit. https://fedorahosted.org/freeipa/ticket/5678 Signed-off-by: Simo Sorce --- install/share/kdc.conf.template | 2 +- install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++ install/share/profiles/Makefile.am | 1 + ipaclient/install/client.py | 2 +- ipalib/install/certmonger.py | 43 +++ ipaplatform/base/paths.py| 3 +- ipapython/dogtag.py | 4 + ipaserver/install/cainstance.py | 2 +- ipaserver/install/certs.py | 10 ++- ipaserver/install/dsinstance.py | 2 +- ipaserver/install/httpinstance.py| 2 +- ipaserver/install/krbinstance.py | 62 +++ ipaserver/install/server/__init__.py | 4 +- ipaserver/install/server/install.py | 21 +++--- ipaserver/install/server/replicainstall.py | 4 +- ipaserver/install/server/upgrade.py | 35 + ipaserver/plugins/cert.py| 86 - ipaserver/plugins/dogtag.py | 2 + 18 files changed, 325 insertions(+), 69 deletions(-) create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template index 296b75b..ec53a1f 100644 --- a/install/share/kdc.conf.template +++ b/install/share/kdc.conf.template @@ -12,6 +12,6 @@ dict_file = $DICT_WORDS default_principal_flags = +preauth ; admin_keytab = $KRB5KDC_KADM5_KEYTAB - pkinit_identity = FILE:$KDC_PEM + pkinit_identity = FILE:$KDC_CERT,$KDC_KEY pkinit_anchors = FILE:$CACERT_PEM } 
diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg new file mode 100644 index 000..c5e412b --- /dev/null +++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg 
@@ -0,0 +1,109 @@ +profileId=KDCs_PKINIT_Certs +classId=caEnrollImpl +desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication. +visible=false +enable=true +enableBy=admin +auth.instance_id=raCertAuth +name=IPA-RA Agent-Authenticated Server Certificate Enrollment +input.list=i1,i2 +input.i1.class_id=certReqInputImpl +input.i2.class_id=submitterInfoInputImpl +output.list=o1 +output.o1.class_id=certOutputImpl +policyset.list=serverCertSet +policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11 +policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl +policyset.serverCertSet.1.constraint.name=Subject Name Constraint +policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+ +policyset.serverCertSet.1.constraint.params.accept=true +policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl +policyset.serverCertSet.1.default.name=Subject Name Default +policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O +policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl +policyset.serverCertSet.2.constraint.name=Validity Constraint +policyset.serverCertSet.2.constraint.params.range=740 +policyset.serverCertSet.2.constraint.params.notBeforeCheck=false +policyset.serverCertSet.2.constraint.params.notAfterCheck=false +policyset.serverCertSet.2.default.class_id=validityDefaultImpl +policyset.serverCertSet.2.default.name=Validity Default +policyset.serverCertSet.2.default.params.range=731 +policyset.serverCertSet.2.default.params.startTime=0 +policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl +policyset.serverCertSet.3.constraint.name=Key Constraint +policyset.serverCertSet.3.constraint.params.keyType=RSA +policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096 +policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl +policyset.serverCertSet.3.default.name=Key Default 
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl +policyset.serverCertSet.4.constraint.name=No Constraint +policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl +policyset.serverCertSet.4.default.name=Authority Key Identifier Default +policyset.serverCertSet.5.constraint.class_id=noConstraintImpl +policyset.serverCertSet.5.constraint.name=No Constraint +policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl +policyset.serverCertSet.5
[Freeipa-devel] [freeipa PR#62][synchronized] Configure Anonymous PKINIT on server install
URL: https://github.com/freeipa/freeipa/pull/62 Author: simo5 Title: #62: Configure Anonymous PKINIT on server install Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/62/head:pr62 git checkout pr62 From dcda82da3ca6f6adac0f09d00df2aec3cc660817 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 26 Jul 2016 11:19:01 -0400 Subject: [PATCH] Configure Anonymous PKINIT on server install Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST authentication (necessary for 2FA for example) using an anonymous krbtgt obtained via Pkinit. https://fedorahosted.org/freeipa/ticket/5678 Signed-off-by: Simo Sorce --- install/share/kdc.conf.template | 2 +- install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++ install/share/profiles/Makefile.am | 1 + ipaclient/install/client.py | 2 +- ipalib/install/certmonger.py | 43 +++ ipaplatform/base/paths.py| 3 +- ipapython/dogtag.py | 4 + ipaserver/install/cainstance.py | 2 +- ipaserver/install/certs.py | 10 ++- ipaserver/install/dsinstance.py | 2 +- ipaserver/install/httpinstance.py| 2 +- ipaserver/install/krbinstance.py | 62 +++ ipaserver/install/server/__init__.py | 4 +- ipaserver/install/server/install.py | 21 +++--- ipaserver/install/server/replicainstall.py | 4 +- ipaserver/install/server/upgrade.py | 35 + ipaserver/plugins/cert.py| 86 - ipaserver/plugins/dogtag.py | 2 + 18 files changed, 325 insertions(+), 69 deletions(-) create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template index 296b75b..ec53a1f 100644 --- a/install/share/kdc.conf.template +++ b/install/share/kdc.conf.template @@ -12,6 +12,6 @@ dict_file = $DICT_WORDS default_principal_flags = +preauth ; admin_keytab = $KRB5KDC_KADM5_KEYTAB - pkinit_identity = FILE:$KDC_PEM + pkinit_identity = FILE:$KDC_CERT,$KDC_KEY pkinit_anchors = FILE:$CACERT_PEM } 
diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg new file mode 100644 index 000..c5e412b --- /dev/null +++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg 
@@ -0,0 +1,109 @@ +profileId=KDCs_PKINIT_Certs +classId=caEnrollImpl +desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication. +visible=false +enable=true +enableBy=admin +auth.instance_id=raCertAuth +name=IPA-RA Agent-Authenticated Server Certificate Enrollment +input.list=i1,i2 +input.i1.class_id=certReqInputImpl +input.i2.class_id=submitterInfoInputImpl +output.list=o1 +output.o1.class_id=certOutputImpl +policyset.list=serverCertSet +policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11 +policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl +policyset.serverCertSet.1.constraint.name=Subject Name Constraint +policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+ +policyset.serverCertSet.1.constraint.params.accept=true +policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl +policyset.serverCertSet.1.default.name=Subject Name Default +policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O +policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl +policyset.serverCertSet.2.constraint.name=Validity Constraint +policyset.serverCertSet.2.constraint.params.range=740 +policyset.serverCertSet.2.constraint.params.notBeforeCheck=false +policyset.serverCertSet.2.constraint.params.notAfterCheck=false +policyset.serverCertSet.2.default.class_id=validityDefaultImpl +policyset.serverCertSet.2.default.name=Validity Default +policyset.serverCertSet.2.default.params.range=731 +policyset.serverCertSet.2.default.params.startTime=0 +policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl +policyset.serverCertSet.3.constraint.name=Key Constraint +policyset.serverCertSet.3.constraint.params.keyType=RSA +policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096 +policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl +policyset.serverCertSet.3.default.name=Key Default 
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl +policyset.serverCertSet.4.constraint.name=No Constraint +policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl +policyset.serverCertSet.4.default.name=Authority Key Identifier Default +policyset.serverCertSet.5.constraint.class_id=noConstraintImpl +policyset.serverCertSet.5.constraint.name=No Constraint +policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl +policyset.serverCertSet.5
[Freeipa-devel] [freeipa PR#335][opened] Add compatibility code to retrieve headers
URL: https://github.com/freeipa/freeipa/pull/335 Author: simo5 Title: #335: Add compatibility code to retrieve headers Action: opened PR body: """ The recent fixes for getting cookies from headers broken python3. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/335/head:pr335 git checkout pr335 From a118d6f3dcd31102e0f5e5b6a0c962b811290bfb Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Wed, 14 Dec 2016 06:20:15 -0500 Subject: [PATCH] Add compatibility code to retrieve headers Python3 removed the getheaders() function and replaced it with a get_all() one. Add compat code. https://fedorahosted.org/freeipa/ticket/6558 Signed-off-by: Simo Sorce --- ipalib/rpc.py | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/ipalib/rpc.py b/ipalib/rpc.py index bd25e6f..921f5cb 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -729,7 +729,11 @@ def store_session_cookie(self, cookie_header): pass def parse_response(self, response): -self.store_session_cookie(response.msg.getheaders('Set-Cookie')) +if six.PY2: +header = response.msg.getheaders('Set-Cookie') +else: +header = response.msg.get_all('Set-Cookie') +self.store_session_cookie(header) return SSLTransport.parse_response(self, response) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
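Review bot: the two branches are not equivalent for a response without a Set-Cookie header: on Python 3 get_all('Set-Cookie') returns None when the header is absent, whereas getheaders('Set-Cookie') on Python 2 returns an empty list, so store_session_cookie now receives None on Python 3 where it used to get []. Either normalize in parse_response, for example "header = response.msg.get_all('Set-Cookie') or []", or confirm that store_session_cookie (whose trailing "pass" is the only part visible in the hunk context) treats None exactly like an empty list.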
[Freeipa-devel] [freeipa PR#345][comment] ipa-kdb: search for password policies globally
URL: https://github.com/freeipa/freeipa/pull/345
Title: #345: ipa-kdb: search for password policies globally
simo5 commented: """
I know this is already closed but NACK. The problem here is in searching "base": this means ending up searching also in things like slapi-nis. We need to change the code to search in cn=REALM, and, if that fails, search again in cn=accounts. I do not know if we should revert or just patch on top.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/345#issuecomment-267571798
[Freeipa-devel] [freeipa PR#353][opened] [RFE] Pwdpolicy
URL: https://github.com/freeipa/freeipa/pull/353 Author: simo5 Title: #353: [RFE] Pwdpolicy Action: opened PR body: """ Untested but I am seeking feedback on the actual approach. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/353/head:pr353 git checkout pr353 From 32fd38be7f2d975feea1d98bf74568492e09e9b0 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Fri, 16 Dec 2016 07:12:45 -0500 Subject: [PATCH 1/2] Add code to retrieve results from multiple bases Internally performs multiple seraches as needed based on the basedn strings passed in and whether the caller indicated that any result is ok or all results are needed. Signed-off-by: Simo Sorce --- daemons/ipa-kdb/ipa_kdb.h| 10 daemons/ipa-kdb/ipa_kdb_common.c | 103 +++ 2 files changed, 113 insertions(+) diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h index 1fdb409..e1f46c6 100644 --- a/daemons/ipa-kdb/ipa_kdb.h +++ b/daemons/ipa-kdb/ipa_kdb.h @@ -174,6 +174,16 @@ int ipadb_ldap_attr_has_value(LDAP *lcontext, LDAPMessage *le, int ipadb_ldap_deref_results(LDAP *lcontext, LDAPMessage *le, LDAPDerefRes **results); +struct ipadb_multires; +krb5_error_code ipadb_multires_init(LDAP *lcontext, struct ipadb_multires **r); +void ipadb_multires_free(struct ipadb_multires *r); +LDAPMessage *ipadb_multires_next_entry(struct ipadb_multires *r); +krb5_error_code ipadb_multibase_search(struct ipadb_context *ipactx, + char **basedns, int scope, + char *filter, char **attrs, + struct ipadb_multires **res, + bool any); + /* PRINCIPALS FUNCTIONS */ krb5_error_code ipadb_get_principal(krb5_context kcontext, krb5_const_principal search_for, diff --git a/daemons/ipa-kdb/ipa_kdb_common.c b/daemons/ipa-kdb/ipa_kdb_common.c index 7438f35..32bcf5c 100644 --- a/daemons/ipa-kdb/ipa_kdb_common.c +++ b/daemons/ipa-kdb/ipa_kdb_common.c 
@@ -610,3 +610,106 @@ int ipadb_ldap_deref_results(LDAP *lcontext, LDAPMessage *le, ldap_controls_free(ctrls); return ret; } + +struct ipadb_multires { +LDAP *lcontext; +LDAPMessage **res; +LDAPMessage *next; +ssize_t cursor; +size_t count; +}; + +krb5_error_code ipadb_multires_init(LDAP *lcontext, struct ipadb_multires **r) +{ +*r = malloc(sizeof(struct ipadb_multires)); +if (!*r) return ENOMEM; +(*r)->lcontext = lcontext; +(*r)->res = NULL; +(*r)->next = NULL; +(*r)->cursor = -1; +(*r)->count = 0; + +return 0; +} + +void ipadb_multires_free(struct ipadb_multires *r) +{ +for (int i = 0; i < r->count; i++) { +ldap_msgfree(r->res[i]); +} +free(r); +} + +LDAPMessage *ipadb_multires_next_entry(struct ipadb_multires *r) +{ +if (r->count == 0) return NULL; + +if (r->next) { +r->next = ldap_next_entry(r->lcontext, r->next); +} +if (r->next == NULL) { +if (r->cursor >= r->count - 1) { +return NULL; +} +r->cursor++; +r->next = ldap_first_entry(r->lcontext, r->res[r->cursor]); +} + +return r->next; +} + +krb5_error_code ipadb_multibase_search(struct ipadb_context *ipactx, + char **basedns, int scope, + char *filter, char **attrs, + struct ipadb_multires **res, + bool any) +{ +int ret; + +ret = ipadb_multires_init(ipactx->lcontext, res); +if (ret != 0) return ret; + +ret = ipadb_check_connection(ipactx); +if (ret != 0) +return ipadb_simple_ldap_to_kerr(ret); + +for (int b = 0; basedns[b]; b++) { +LDAPMessage *r; +ret = ldap_search_ext_s(ipactx->lcontext, basedns[b], scope, +filter, attrs, 0, NULL, NULL, +&std_timeout, LDAP_NO_LIMIT, &r); + +/* first test if we need to retry to connect */ +if (ret != 0 && +ipadb_need_retry(ipactx, ret)) { +ldap_msgfree(r); +ret = ldap_search_ext_s(ipactx->lcontext, basedns[b], scope, +filter, attrs, 0, NULL, NULL, +&std_timeout, LDAP_NO_LIMIT, &r); +} + +if (ret != 0) break; + +if (ldap_count_entries(ipactx->lcontext, r) > 0) { +void *tmp = realloc((*res)->res, (((*res)->count + 1) * +sizeof(LDAPMessage *))); +if (tmp == NULL) { +ret = 
ENOMEM; +break; +
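Review bot: ipadb_multires_next_entry can never return an entry as written. In the struct, cursor is ssize_t but count is size_t, so in "if (r->cursor >= r->count - 1)" the initial cursor value of -1 is converted to an unsigned value before the comparison, the test is always true, and the first call returns NULL even when res holds results; give both fields the same signed type, or compare as "r->cursor + 1 >= (ssize_t)r->count". Two smaller points in the same hunk: ipadb_multires_free calls ldap_msgfree on each message and then free(r) but never frees the r->res array itself, and in ipadb_multibase_search "LDAPMessage *r;" is left uninitialized yet passed to ldap_msgfree in the retry branch after a failed ldap_search_ext_s; initialize it to NULL so the retry path is safe.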
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code
simo5 commented: """
I think this code is ready to be included. I am still playing with a minor change in mod_auth_gssapi, but that can also go in later.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-267997245
[Freeipa-devel] [freeipa PR#358][opened] Use the tar Posix option for tarballs
URL: https://github.com/freeipa/freeipa/pull/358 Author: simo5 Title: #358: Use the tar Posix option for tarballs Action: opened PR body: """ This is necessary to be able to successfully build archives in environments controlled by an IPA domain which may have large uidNumbers for user accounts. https://fedorahosted.org/freeipa/ticket/6418 Signed-off-by: Simo Sorce """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/358/head:pr358 git checkout pr358 From 7de8f35af79f1a3a767b88418d5ad0a01d4bbc99 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 20 Dec 2016 12:46:33 -0500 Subject: [PATCH] Use the tar Posix option for tarballs This is necessary to be able to successfully build archives in environments controlled by an IPA domain which may have large uidNumbers for user accounts. https://fedorahosted.org/freeipa/ticket/6418 Signed-off-by: Simo Sorce --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 3ea5983..e8a4701 100644 --- a/configure.ac +++ b/configure.ac @@ -15,7 +15,7 @@ esac AC_CONFIG_HEADERS([config.h]) -AM_INIT_AUTOMAKE([foreign 1.9 tar-ustar]) +AM_INIT_AUTOMAKE([foreign 1.9 tar-pax]) m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES]) AC_PROG_CC_C99 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
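Review bot: the commit message says that large uidNumbers break the archive but not what limit tar-ustar imposes, so a later reader of AM_INIT_AUTOMAKE([foreign 1.9 tar-pax]) has no way to judge whether switching back to tar-ustar for portability is safe; state the concrete uid/gid limit of the ustar format and the uid range a default IPA installation hands out, so the reason for pax is recorded next to the one-line change.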
[Freeipa-devel] [freeipa PR#358][synchronized] Use the tar Posix option for tarballs
URL: https://github.com/freeipa/freeipa/pull/358 Author: simo5 Title: #358: Use the tar Posix option for tarballs Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/358/head:pr358 git checkout pr358 From 038be681136f06be3bc5e6f76ee9a71e201b2d9b Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 20 Dec 2016 12:46:33 -0500 Subject: [PATCH] Use the tar Posix option for tarballs This is necessary to be able to successfully build archives in environments controlled by an IPA domain which may have large uidNumbers for user accounts. tar-ustar allows UID/GID numbers only up to 2 million and by default a new IPA installation can assigne UIDs in the billion range. https://fedorahosted.org/freeipa/ticket/6418 Signed-off-by: Simo Sorce --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 3ea5983..e8a4701 100644 --- a/configure.ac +++ b/configure.ac @@ -15,7 +15,7 @@ esac AC_CONFIG_HEADERS([config.h]) -AM_INIT_AUTOMAKE([foreign 1.9 tar-ustar]) +AM_INIT_AUTOMAKE([foreign 1.9 tar-pax]) m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES]) AC_PROG_CC_C99 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
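Review bot: the amended message now records the ustar uid/gid limit and the uid range a new IPA installation hands out, which is what was missing; one typo remains in it, "assigne" should be "assign". The configure.ac change itself is the same one-line switch from tar-ustar to tar-pax and needs nothing further.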
[Freeipa-devel] [freeipa PR#358][comment] Use the tar Posix option for tarballs
URL: https://github.com/freeipa/freeipa/pull/358
Title: #358: Use the tar Posix option for tarballs
simo5 commented: """
Amended
"""
See the full comment at https://github.com/freeipa/freeipa/pull/358#issuecomment-268507057
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code
simo5 commented: """
Why is dogtag-ipa-renew-agent-submit part of the certmonger package? And how do we fix it now?
"""
See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-270163719
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code
simo5 commented: """
Rebased on master and fixed a couple of minor lint issues
"""
See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-270394337
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code
simo5 commented: """
I switched all endpoints to use GSSAPI (and transparently use a session cookie once one transaction is successful), so there may be some parts of the code a bit surprised about it. Do you have apache logs to share that show the problem? (Enabling ipa debug would probably help too.)
"""
See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-270654342
[Freeipa-devel] [freeipa PR#381][comment] disable hostname canonicalization by Kerberos library
URL: https://github.com/freeipa/freeipa/pull/381
Title: #381: disable hostname canonicalization by Kerberos library
simo5 commented: """
@martbab this change actually improves security by avoiding a DNS lookup that could be manipulated by an attacker, however it also means some setups may break, because they depend on canonicalization to actually get the correct name, and should be documented in release notes.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/381#issuecomment-271875472
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code
simo5 commented: """
Thanks @HonzaCholasta, I already fixed the service thing but didn't push as I started getting another error on install, but before I fix that I am working on releasing gssproxy where we are hitting another heisenbug just in the testing suite (works as expected when installed). On the ldapi error I have seen it too during development; for a period I was getting it every time once on install, i.e.: install, play, uninstall, install, Error!, uninstall, install, play ... So I had to install - uninstall - reinstall for each test, but it had disappeared for a while. It seems some uninstall snag to me; if I can find some info on why it occurs I'll open a bug (or fix it if it is due to my code changes).
"""
See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-272171891
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code
simo5 commented: """
I cannot get a replica install to fail like you did, can you post some logs?
"""
See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-273891819
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code
simo5 commented: """
The latest rebase installs a replica correctly here, haven't got to fix ca-less yet, but everything else should be ready to go.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-274577459
[Freeipa-devel] [freeipa PR#410][comment] ipa-kdb: support KDB DAL version 6.1
URL: https://github.com/freeipa/freeipa/pull/410
Title: #410: ipa-kdb: support KDB DAL version 6.1
simo5 commented: """
abbra, we should also change how spec deps work. I asked @rharwood to add a provides that is the dal version number; we should stop having a dep on the krb5 major version number and instead have a dependency on this provide.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/410#issuecomment-274806881
[Freeipa-devel] [freeipa PR#410][comment] ipa-kdb: support KDB DAL version 6.1
URL: https://github.com/freeipa/freeipa/pull/410
Title: #410: ipa-kdb: support KDB DAL version 6.1
simo5 commented: """
Also I know you can use ifdefs to avoid copy&pasting large parts of the structure initialization but I would prefer 3 separate full inits based only on ifdefs on the DAL version numbers. In pseudo:

if v5:
    vtable = { ... }
elif v6.0:
    vtable = { ... }
elif v6.1:
    vtable = { ... }
else:
    error!

Those tables cannot change so using ifdefs in them can only risk to introduce bugs in one of the versions rather than help reduce code duplication.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/410#issuecomment-274808126
[Freeipa-devel] [freeipa PR#410][comment] ipa-kdb: support KDB DAL version 6.1
URL: https://github.com/freeipa/freeipa/pull/410
Title: #410: ipa-kdb: support KDB DAL version 6.1
simo5 commented: """
Doesn't kdb.h also export a MINOR version to test against?
"""
See the full comment at https://github.com/freeipa/freeipa/pull/410#issuecomment-274823821
[Freeipa-devel] [freeipa PR#410][comment] ipa-kdb: support KDB DAL version 6.1
URL: https://github.com/freeipa/freeipa/pull/410
Title: #410: ipa-kdb: support KDB DAL version 6.1
simo5 commented: """
I checked and can't find it ... facepalm
"""
See the full comment at https://github.com/freeipa/freeipa/pull/410#issuecomment-274826331
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code
simo5 commented: """
Ok, with this latest push I can install servers and replicas both with CA and CA-less. I cannot reproduce the failure @HonzaCholasta sees, so from my side I am done.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-274832504
[Freeipa-devel] [freeipa PR#353][synchronized] [RFE] Pwdpolicy
URL: https://github.com/freeipa/freeipa/pull/353 Author: simo5 Title: #353: [RFE] Pwdpolicy Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/353/head:pr353 git checkout pr353 From a7213592a0b643a63dbdc8bff5bae08f30448b7b Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Fri, 16 Dec 2016 07:12:45 -0500 Subject: [PATCH 1/2] Add code to retrieve results from multiple bases Internally performs multiple seraches as needed based on the basedn strings passed in and whether the caller indicated that any result is ok or all results are needed. Signed-off-by: Simo Sorce --- daemons/ipa-kdb/ipa_kdb.h| 10 daemons/ipa-kdb/ipa_kdb_common.c | 103 +++ 2 files changed, 113 insertions(+) diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h index 1fdb409..e1f46c6 100644 --- a/daemons/ipa-kdb/ipa_kdb.h +++ b/daemons/ipa-kdb/ipa_kdb.h @@ -174,6 +174,16 @@ int ipadb_ldap_attr_has_value(LDAP *lcontext, LDAPMessage *le, int ipadb_ldap_deref_results(LDAP *lcontext, LDAPMessage *le, LDAPDerefRes **results); +struct ipadb_multires; +krb5_error_code ipadb_multires_init(LDAP *lcontext, struct ipadb_multires **r); +void ipadb_multires_free(struct ipadb_multires *r); +LDAPMessage *ipadb_multires_next_entry(struct ipadb_multires *r); +krb5_error_code ipadb_multibase_search(struct ipadb_context *ipactx, + char **basedns, int scope, + char *filter, char **attrs, + struct ipadb_multires **res, + bool any); + /* PRINCIPALS FUNCTIONS */ krb5_error_code ipadb_get_principal(krb5_context kcontext, krb5_const_principal search_for, diff --git a/daemons/ipa-kdb/ipa_kdb_common.c b/daemons/ipa-kdb/ipa_kdb_common.c index 7438f35..5995efe 100644 --- a/daemons/ipa-kdb/ipa_kdb_common.c +++ b/daemons/ipa-kdb/ipa_kdb_common.c 
@@ -610,3 +610,106 @@ int ipadb_ldap_deref_results(LDAP *lcontext, LDAPMessage *le, ldap_controls_free(ctrls); return ret; } + +struct ipadb_multires { +LDAP *lcontext; +LDAPMessage **res; +LDAPMessage *next; +ssize_t cursor; +ssize_t count; +}; + +krb5_error_code ipadb_multires_init(LDAP *lcontext, struct ipadb_multires **r) +{ +*r = malloc(sizeof(struct ipadb_multires)); +if (!*r) return ENOMEM; +(*r)->lcontext = lcontext; +(*r)->res = NULL; +(*r)->next = NULL; +(*r)->cursor = -1; +(*r)->count = 0; + +return 0; +} + +void ipadb_multires_free(struct ipadb_multires *r) +{ +for (int i = 0; i < r->count; i++) { +ldap_msgfree(r->res[i]); +} +free(r); +} + +LDAPMessage *ipadb_multires_next_entry(struct ipadb_multires *r) +{ +if (r->count == 0) return NULL; + +if (r->next) { +r->next = ldap_next_entry(r->lcontext, r->next); +} +if (r->next == NULL) { +if (r->cursor >= r->count - 1) { +return NULL; +} +r->cursor++; +r->next = ldap_first_entry(r->lcontext, r->res[r->cursor]); +} + +return r->next; +} + +krb5_error_code ipadb_multibase_search(struct ipadb_context *ipactx, + char **basedns, int scope, + char *filter, char **attrs, + struct ipadb_multires **res, + bool any) +{ +int ret; + +ret = ipadb_multires_init(ipactx->lcontext, res); +if (ret != 0) return ret; + +ret = ipadb_check_connection(ipactx); +if (ret != 0) +return ipadb_simple_ldap_to_kerr(ret); + +for (int b = 0; basedns[b]; b++) { +LDAPMessage *r; +ret = ldap_search_ext_s(ipactx->lcontext, basedns[b], scope, +filter, attrs, 0, NULL, NULL, +&std_timeout, LDAP_NO_LIMIT, &r); + +/* first test if we need to retry to connect */ +if (ret != 0 && +ipadb_need_retry(ipactx, ret)) { +ldap_msgfree(r); +ret = ldap_search_ext_s(ipactx->lcontext, basedns[b], scope, +filter, attrs, 0, NULL, NULL, +&std_timeout, LDAP_NO_LIMIT, &r); +} + +if (ret != 0) break; + +if (ldap_count_entries(ipactx->lcontext, r) > 0) { +void *tmp = realloc((*res)->res, (((*res)->count + 1) * +sizeof(LDAPMessage *))); +if (tmp == NULL) { +ret = 
ENOMEM; +break; +} +(*res)->res = tmp; +(*res)->res[(*res)->count] = r; +
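Review bot: the ipa_kdb.h hunk adds the `struct ipadb_multires` API and the `bool any` parameter of ipadb_multibase_search without any comment on the contract: what `any` changes about the search (stop at the first base that yields entries, or accept any base succeeding) and whether the caller must release `*res` with ipadb_multires_free when ipadb_multibase_search returns an error. A short comment above `krb5_error_code ipadb_multibase_search(struct ipadb_context *ipactx,` stating both would save every caller from reading ipa_kdb_common.c to find out.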
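Review bot: in the ipa_kdb_common.c hunk, ipadb_multires_free releases each `r->res[i]` and then `r`, but never frees the `r->res` pointer array that ipadb_multibase_search grows with realloc, so every multi-base search leaks it; add `free(r->res);` before `free(r);`, and a NULL guard on `r` so it is safe to call on error paths. In ipadb_multibase_search, `*res` is allocated by ipadb_multires_init before `ret = ipadb_check_connection(ipactx);`, so when that check fails the function returns an error with `*res` still allocated and the caller has no hint it owns it; either free it there or move the init after the connection check. Also `LDAPMessage *r;` is left uninitialised and the retry branch calls `ldap_msgfree(r);` after a failed ldap_search_ext_s, which may not have assigned it; initialise `r = NULL` before each search so the free is a no-op in that case.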
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code simo5 commented: """ Ok reproduced, it is not clar how to me yet, but at some point ca.crt get zeroed out and that's why the ldap command fails, investigating """ See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-275101642 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#353][comment] [RFE] Pwdpolicy
URL: https://github.com/freeipa/freeipa/pull/353 Title: #353: [RFE] Pwdpolicy simo5 commented: """ I found two subtle bugs that cause the install failure, with the rebased patches install completes correctly for me. """ See the full comment at https://github.com/freeipa/freeipa/pull/353#issuecomment-275106444
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code simo5 commented: """ With this last rebase I can install again both ca and ca-less without issues. """ See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-275168299 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code simo5 commented: """ The correct packages are now in updates-testing in Fedora 25, pick from there. """ See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-276340645 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#410][comment] ipa-kdb: support KDB DAL version 6.1
URL: https://github.com/freeipa/freeipa/pull/410 Title: #410: ipa-kdb: support KDB DAL version 6.1 simo5 commented: """ @frozencemetery Should we provide krb5-kdb-version-devel from krb5-devel ? """ See the full comment at https://github.com/freeipa/freeipa/pull/410#issuecomment-277949768
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code simo5 commented: """ I added 1.5.0 as a dep in freeipa.spec.in and rebased the PR """ See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-278008429 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code simo5 commented: """ I think I know what is going on here, can you add an actual test to the testsuite that checks this ? I will fix my PR to not cause this deadlock, I've reproduce it here. """ See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-278635045 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code simo5 commented: """ Mi last push fixes the deadlock and another problem in ipalib/krb_utils.py I haven't figured out exactly what happens in change_password, I see from logs sent from @martbab that the kinit as the user alice is performed, but apache see only admin connections. I suspect that the issue is in ipalib/rpc.py in create_connection, where apply_session_cookie() is called, but can't be sure. I need a way to repro these tests locally to confirm. """ See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-278704831 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code simo5 commented: """ So I am not sure what is going on here, after fiddling with the failing tests to print out what was going on, they suddenly started working (and a 3 other started failing). It is not clear to me what is going on, but it may be unclean environment too.. after running testes a few times for example I found out my user KRB5CCNAME environment variable had been changed (this is not ok it's a bug in the tests and will make things unreliable). Anyway after a full rebuild and reinstall I was not able to go back to a state where I could reproduce the issues in caacl tests. I rebased the patchset on latest master and pushed it, let's see what CI says. """ See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-278981716 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code simo5 commented: """ @HonzaCholasta push it before we break it again! :-) """ See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-279538680 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#410][+ack] ipa-kdb: support KDB DAL version 6.1
URL: https://github.com/freeipa/freeipa/pull/410 Title: #410: ipa-kdb: support KDB DAL version 6.1 Label: +ack
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code simo5 commented: """ The changes in ipalib/rpc.py are connected to the changes in ipatest/util.py, it makes no sense to keep them separate as in eahc patch I add respecively to connect() and disconnect() arguments that are use in ipatest/util.py As for resetting session_cookie, when principal change, I am all for it, except we do not record the principal in the rpc context ... """ See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-279691469 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code simo5 commented: """ We actually record the principal, change the patch to destroy session_cookie in create_connection if the principal is different. """ See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-279692958 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code simo5 commented: """ Ok split the last stuff in 3 commits. I remove the use of private ccache for a few reasons: 1. touches environment variables. 2. will unconditionally remove a ccache even when passed in, so it may end up removing the wrong thing 3. private_ccache is used in dcerpc code and I do not want to change semantics and risk breaking tat code path 4. This fix is much smaller and removes one more yield, which is not a bad thing as it makes the code easier to read. """ See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-279700179 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code simo5 commented: """ For some commits I was sure what ticket to use, for some I was not, so I elected not to put a specific ticket in there. If you have a good idea of what ticket (of the External Authentication project) to apply to specific commits let me know and I can amend commit messages. """ See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-279709846 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code simo5 commented: """ Done """ See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-279859272 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code