[Freeipa-devel] [freeipa PR#29] Enable LDAPS in replica promotion (comment)

2016-08-29 Thread simo5
simo5 commented on a pull request

"""
@jcholast we can't enable ssl there as the cert is not available yet, look a 
few lines later:
https://github.com/freeipa/freeipa/blob/master/ipaserver/install/dsinstance.py#L397
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/29#issuecomment-243155959
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#29] Enable LDAPS in replica promotion (comment)

2016-08-29 Thread simo5
simo5 commented on a pull request

"""
That said we should probably enable_ssl right after we get the cert and restart 
DS, and not in replicainstall.py

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/29#issuecomment-243156343

[Freeipa-devel] [freeipa PR#29] Enable LDAPS in replica promotion (comment)

2016-08-29 Thread simo5
simo5 commented on a pull request

"""
LGTM
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/29#issuecomment-243174342

[Freeipa-devel] [freeipa PR#62] Configure Anonymous PKINIT on server install (opened)

2016-09-06 Thread simo5
simo5's pull request #62: "Configure Anonymous PKINIT on server install" was 
opened

PR body:
"""
Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST
authentication (necessary for 2FA for example) using an anonymous krbtgt
obtained via Pkinit.

Signed-off-by: Simo Sorce 
"""

See the full pull-request at https://github.com/freeipa/freeipa/pull/62
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/62/head:pr62
git checkout pr62
From 724e7e845e574ef7e2091256ff49338e685585e5 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Tue, 26 Jul 2016 11:19:01 -0400
Subject: [PATCH] Configure Anonymous PKINIT on server install

Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST
authentication (necessary for 2FA for example) using an anonymous krbtgt
obtained via Pkinit.

Signed-off-by: Simo Sorce 
---
 client/ipa-client-install|   2 +-
 install/share/kdc.conf.template  |   2 +-
 install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++
 install/share/profiles/Makefile.am   |   1 +
 ipaplatform/base/paths.py|   3 +-
 ipapython/certmonger.py  |  32 +---
 ipapython/dogtag.py  |   2 +
 ipaserver/install/certs.py   |  10 ++-
 ipaserver/install/krbinstance.py |  48 
 ipaserver/install/server/common.py   |   5 +-
 ipaserver/install/server/install.py  |  26 ---
 ipaserver/install/server/replicainstall.py   |   4 +-
 ipaserver/plugins/cert.py|  62 ---
 ipaserver/plugins/dogtag.py  |   1 +
 14 files changed, 254 insertions(+), 53 deletions(-)
 create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg

diff --git a/client/ipa-client-install b/client/ipa-client-install
index 4a263b3..590f598 100755
--- a/client/ipa-client-install
+++ b/client/ipa-client-install
@@ -1175,7 +1175,7 @@ def configure_certmonger(fstore, subject_base, cli_realm, hostname, options,
 subject = str(DN(('CN', hostname), subject_base))
 passwd_fname = os.path.join(paths.IPA_NSSDB_DIR, 'pwdfile.txt')
 try:
-certmonger.request_cert(nssdb=paths.IPA_NSSDB_DIR,
+certmonger.request_cert(certpath=paths.IPA_NSSDB_DIR,
 nickname='Local IPA host',
 subject=subject, dns=[hostname],
 principal=principal,
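Review bot: the keyword rename from `nssdb=` to `certpath=` on the `certmonger.request_cert(...)` call only works if the matching signature change lands in `ipapython/certmonger.py` (listed in the diffstat) and every other caller in the tree is updated in the same commit; otherwise those calls fail with a TypeError at install time. Because the parameter name is now generic, it is worth confirming that the new `request_cert` still recognises `paths.IPA_NSSDB_DIR` as an NSS database directory rather than a PEM file path, since the `nickname='Local IPA host'` argument below it only makes sense for an NSS store.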
diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template
index 296b75b..ec53a1f 100644
--- a/install/share/kdc.conf.template
+++ b/install/share/kdc.conf.template
@@ -12,6 +12,6 @@
   dict_file = $DICT_WORDS
   default_principal_flags = +preauth
 ;  admin_keytab = $KRB5KDC_KADM5_KEYTAB
-  pkinit_identity = FILE:$KDC_PEM
+  pkinit_identity = FILE:$KDC_CERT,$KDC_KEY
   pkinit_anchors = FILE:$CACERT_PEM
  }
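Review bot: `pkinit_identity = FILE:$KDC_CERT,$KDC_KEY` introduces two template variables in place of `$KDC_PEM`, so the renderer in `ipaserver/install/krbinstance.py` (in the diffstat) must define both, or the KDC is configured with a literal `$KDC_CERT` path and PKINIT preauth is not usable. Splitting the key out of the combined PEM also means the file behind `$KDC_KEY` now holds the KDC private key on its own; its ownership and mode should be restricted to the KDC service user, and a test that `kinit -n` (anonymous PKINIT) succeeds against a fresh install would cover both points. Servers upgraded in place keep their existing `kdc.conf` with `$KDC_PEM` substituted, which the author says is not yet handled.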
diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg
new file mode 100644
index 000..c5e412b
--- /dev/null
+++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg
@@ -0,0 +1,109 @@
+profileId=KDCs_PKINIT_Certs
+classId=caEnrollImpl
+desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=raCertAuth
+name=IPA-RA Agent-Authenticated Server Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=740
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=731
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policys
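Review bot: `desc` and `name` in the new profile are copied from the generic server-certificate profile ("enrolling server certificates", "Server Certificate Enrollment") and should say that this is the KDC PKINIT certificate profile, otherwise an admin listing profiles in Dogtag cannot tell the two apart. The subject constraint `CN=[^,]+,.+` with `accept=true` and the 731-day validity default mirror the server profile, which is reasonable for a KDC certificate, but the policies that actually make the certificate usable for PKINIT (the KDC extended key usage and the Kerberos principal SAN, among policies 4 to 11 in `policyset.serverCertSet.list`) are cut off in this copy of the patch and need to be reviewed on the full PR.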

[Freeipa-devel] [freeipa PR#62] Configure Anonymous PKINIT on server install (comment)

2016-09-06 Thread simo5
simo5 commented on a pull request

"""
Note, I haven't looked into the upgrade of an existing server, so just posting 
it here for an initial review, and also for someone to pick it up if I can't 
finish the work on the upgrade path.

@abbra @frasertweedale please take a look
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/62#issuecomment-245039584

[Freeipa-devel] [freeipa PR#62] Configure Anonymous PKINIT on server install (synchronize)

2016-09-06 Thread simo5
simo5's pull request #62: "Configure Anonymous PKINIT on server install" was 
synchronize

See the full pull-request at https://github.com/freeipa/freeipa/pull/62
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/62/head:pr62
git checkout pr62
From 32ab40ceae858310c4780504ed1696f30270ade4 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Tue, 26 Jul 2016 11:19:01 -0400
Subject: [PATCH] Configure Anonymous PKINIT on server install

Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST
authentication (necessary for 2FA for example) using an anonymous krbtgt
obtained via Pkinit.

Signed-off-by: Simo Sorce 
---
 client/ipa-client-install|   2 +-
 install/share/kdc.conf.template  |   2 +-
 install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++
 install/share/profiles/Makefile.am   |   1 +
 ipaplatform/base/paths.py|   3 +-
 ipapython/certmonger.py  |  32 +---
 ipapython/dogtag.py  |   4 +
 ipaserver/install/certs.py   |  10 ++-
 ipaserver/install/krbinstance.py |  49 
 ipaserver/install/server/common.py   |   5 +-
 ipaserver/install/server/install.py  |  26 ---
 ipaserver/install/server/replicainstall.py   |   4 +-
 ipaserver/plugins/cert.py|  64 +---
 ipaserver/plugins/dogtag.py  |   1 +
 14 files changed, 259 insertions(+), 53 deletions(-)
 create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg

diff --git a/client/ipa-client-install b/client/ipa-client-install
index 4a263b3..590f598 100755
--- a/client/ipa-client-install
+++ b/client/ipa-client-install
@@ -1175,7 +1175,7 @@ def configure_certmonger(fstore, subject_base, cli_realm, hostname, options,
 subject = str(DN(('CN', hostname), subject_base))
 passwd_fname = os.path.join(paths.IPA_NSSDB_DIR, 'pwdfile.txt')
 try:
-certmonger.request_cert(nssdb=paths.IPA_NSSDB_DIR,
+certmonger.request_cert(certpath=paths.IPA_NSSDB_DIR,
 nickname='Local IPA host',
 subject=subject, dns=[hostname],
 principal=principal,
diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template
index 296b75b..ec53a1f 100644
--- a/install/share/kdc.conf.template
+++ b/install/share/kdc.conf.template
@@ -12,6 +12,6 @@
   dict_file = $DICT_WORDS
   default_principal_flags = +preauth
 ;  admin_keytab = $KRB5KDC_KADM5_KEYTAB
-  pkinit_identity = FILE:$KDC_PEM
+  pkinit_identity = FILE:$KDC_CERT,$KDC_KEY
   pkinit_anchors = FILE:$CACERT_PEM
  }
diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg
new file mode 100644
index 000..c5e412b
--- /dev/null
+++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg
@@ -0,0 +1,109 @@
+profileId=KDCs_PKINIT_Certs
+classId=caEnrollImpl
+desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=raCertAuth
+name=IPA-RA Agent-Authenticated Server Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=740
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=731
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverC

[Freeipa-devel] [freeipa PR#62] Configure Anonymous PKINIT on server install (synchronize)

2016-09-06 Thread simo5
simo5's pull request #62: "Configure Anonymous PKINIT on server install" was 
synchronize

See the full pull-request at https://github.com/freeipa/freeipa/pull/62
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/62/head:pr62
git checkout pr62
From b8525fc326bfc6ef57bdfc308fe37bfbe175ca7c Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Tue, 26 Jul 2016 11:19:01 -0400
Subject: [PATCH] Configure Anonymous PKINIT on server install

Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST
authentication (necessary for 2FA for example) using an anonymous krbtgt
obtained via Pkinit.

Signed-off-by: Simo Sorce 
---
 client/ipa-client-install|   2 +-
 install/share/kdc.conf.template  |   2 +-
 install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++
 install/share/profiles/Makefile.am   |   1 +
 ipaplatform/base/paths.py|   3 +-
 ipapython/certmonger.py  |  32 +---
 ipapython/dogtag.py  |   4 +
 ipaserver/install/certs.py   |  10 ++-
 ipaserver/install/krbinstance.py |  49 
 ipaserver/install/server/common.py   |   5 +-
 ipaserver/install/server/install.py  |  26 ---
 ipaserver/install/server/replicainstall.py   |   4 +-
 ipaserver/plugins/cert.py|  65 +---
 ipaserver/plugins/dogtag.py  |   1 +
 14 files changed, 260 insertions(+), 53 deletions(-)
 create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg

diff --git a/client/ipa-client-install b/client/ipa-client-install
index 4a263b3..590f598 100755
--- a/client/ipa-client-install
+++ b/client/ipa-client-install
@@ -1175,7 +1175,7 @@ def configure_certmonger(fstore, subject_base, cli_realm, hostname, options,
 subject = str(DN(('CN', hostname), subject_base))
 passwd_fname = os.path.join(paths.IPA_NSSDB_DIR, 'pwdfile.txt')
 try:
-certmonger.request_cert(nssdb=paths.IPA_NSSDB_DIR,
+certmonger.request_cert(certpath=paths.IPA_NSSDB_DIR,
 nickname='Local IPA host',
 subject=subject, dns=[hostname],
 principal=principal,
diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template
index 296b75b..ec53a1f 100644
--- a/install/share/kdc.conf.template
+++ b/install/share/kdc.conf.template
@@ -12,6 +12,6 @@
   dict_file = $DICT_WORDS
   default_principal_flags = +preauth
 ;  admin_keytab = $KRB5KDC_KADM5_KEYTAB
-  pkinit_identity = FILE:$KDC_PEM
+  pkinit_identity = FILE:$KDC_CERT,$KDC_KEY
   pkinit_anchors = FILE:$CACERT_PEM
  }
diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg
new file mode 100644
index 000..c5e412b
--- /dev/null
+++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg
@@ -0,0 +1,109 @@
+profileId=KDCs_PKINIT_Certs
+classId=caEnrollImpl
+desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=raCertAuth
+name=IPA-RA Agent-Authenticated Server Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=740
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=731
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverC

[Freeipa-devel] [freeipa PR#62] Configure Anonymous PKINIT on server install (synchronize)

2016-09-06 Thread simo5
simo5's pull request #62: "Configure Anonymous PKINIT on server install" was 
synchronize

See the full pull-request at https://github.com/freeipa/freeipa/pull/62
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/62/head:pr62
git checkout pr62
From 255f171fcaa443bac586e38a2f7f30aff676739d Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Tue, 26 Jul 2016 11:19:01 -0400
Subject: [PATCH] Configure Anonymous PKINIT on server install

Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST
authentication (necessary for 2FA for example) using an anonymous krbtgt
obtained via Pkinit.

https://fedorahosted.org/freeipa/ticket/5678

Signed-off-by: Simo Sorce 
---
 client/ipa-client-install|   2 +-
 install/share/kdc.conf.template  |   2 +-
 install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++
 install/share/profiles/Makefile.am   |   1 +
 ipaplatform/base/paths.py|   3 +-
 ipapython/certmonger.py  |  32 +---
 ipapython/dogtag.py  |   4 +
 ipaserver/install/certs.py   |  10 ++-
 ipaserver/install/krbinstance.py |  49 
 ipaserver/install/server/common.py   |   5 +-
 ipaserver/install/server/install.py  |  26 ---
 ipaserver/install/server/replicainstall.py   |   4 +-
 ipaserver/plugins/cert.py|  65 +---
 ipaserver/plugins/dogtag.py  |   1 +
 14 files changed, 260 insertions(+), 53 deletions(-)
 create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg

diff --git a/client/ipa-client-install b/client/ipa-client-install
index 4a263b3..590f598 100755
--- a/client/ipa-client-install
+++ b/client/ipa-client-install
@@ -1175,7 +1175,7 @@ def configure_certmonger(fstore, subject_base, cli_realm, hostname, options,
 subject = str(DN(('CN', hostname), subject_base))
 passwd_fname = os.path.join(paths.IPA_NSSDB_DIR, 'pwdfile.txt')
 try:
-certmonger.request_cert(nssdb=paths.IPA_NSSDB_DIR,
+certmonger.request_cert(certpath=paths.IPA_NSSDB_DIR,
 nickname='Local IPA host',
 subject=subject, dns=[hostname],
 principal=principal,
diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template
index 296b75b..ec53a1f 100644
--- a/install/share/kdc.conf.template
+++ b/install/share/kdc.conf.template
@@ -12,6 +12,6 @@
   dict_file = $DICT_WORDS
   default_principal_flags = +preauth
 ;  admin_keytab = $KRB5KDC_KADM5_KEYTAB
-  pkinit_identity = FILE:$KDC_PEM
+  pkinit_identity = FILE:$KDC_CERT,$KDC_KEY
   pkinit_anchors = FILE:$CACERT_PEM
  }
diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg
new file mode 100644
index 000..c5e412b
--- /dev/null
+++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg
@@ -0,0 +1,109 @@
+profileId=KDCs_PKINIT_Certs
+classId=caEnrollImpl
+desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=raCertAuth
+name=IPA-RA Agent-Authenticated Server Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=740
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=731
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+polic

[Freeipa-devel] [freeipa PR#62] Configure Anonymous PKINIT on server install (synchronize)

2016-09-06 Thread simo5
simo5's pull request #62: "Configure Anonymous PKINIT on server install" was 
synchronize

See the full pull-request at https://github.com/freeipa/freeipa/pull/62
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/62/head:pr62
git checkout pr62
From 0fdf1369c9402e9df76cd74ca32238eb480a1e4c Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Tue, 26 Jul 2016 11:19:01 -0400
Subject: [PATCH] Configure Anonymous PKINIT on server install

Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST
authentication (necessary for 2FA for example) using an anonymous krbtgt
obtained via Pkinit.

https://fedorahosted.org/freeipa/ticket/5678

Signed-off-by: Simo Sorce 
---
 client/ipa-client-install|   2 +-
 install/share/kdc.conf.template  |   2 +-
 install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++
 install/share/profiles/Makefile.am   |   1 +
 ipaplatform/base/paths.py|   3 +-
 ipapython/certmonger.py  |  32 +---
 ipapython/dogtag.py  |   4 +
 ipaserver/install/certs.py   |  10 ++-
 ipaserver/install/krbinstance.py |  49 
 ipaserver/install/server/common.py   |   5 +-
 ipaserver/install/server/install.py  |  26 ---
 ipaserver/install/server/replicainstall.py   |   4 +-
 ipaserver/plugins/cert.py|  65 +---
 ipaserver/plugins/dogtag.py  |   1 +
 14 files changed, 260 insertions(+), 53 deletions(-)
 create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg

diff --git a/client/ipa-client-install b/client/ipa-client-install
index 4a263b3..590f598 100755
--- a/client/ipa-client-install
+++ b/client/ipa-client-install
@@ -1175,7 +1175,7 @@ def configure_certmonger(fstore, subject_base, cli_realm, hostname, options,
 subject = str(DN(('CN', hostname), subject_base))
 passwd_fname = os.path.join(paths.IPA_NSSDB_DIR, 'pwdfile.txt')
 try:
-certmonger.request_cert(nssdb=paths.IPA_NSSDB_DIR,
+certmonger.request_cert(certpath=paths.IPA_NSSDB_DIR,
 nickname='Local IPA host',
 subject=subject, dns=[hostname],
 principal=principal,
diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template
index 296b75b..ec53a1f 100644
--- a/install/share/kdc.conf.template
+++ b/install/share/kdc.conf.template
@@ -12,6 +12,6 @@
   dict_file = $DICT_WORDS
   default_principal_flags = +preauth
 ;  admin_keytab = $KRB5KDC_KADM5_KEYTAB
-  pkinit_identity = FILE:$KDC_PEM
+  pkinit_identity = FILE:$KDC_CERT,$KDC_KEY
   pkinit_anchors = FILE:$CACERT_PEM
  }
diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg
new file mode 100644
index 000..c5e412b
--- /dev/null
+++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg
@@ -0,0 +1,109 @@
+profileId=KDCs_PKINIT_Certs
+classId=caEnrollImpl
+desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=raCertAuth
+name=IPA-RA Agent-Authenticated Server Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=740
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=731
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+polic

[Freeipa-devel] [freeipa PR#62] Configure Anonymous PKINIT on server install (synchronize)

2016-09-08 Thread simo5
simo5's pull request #62: "Configure Anonymous PKINIT on server install" was 
synchronize

See the full pull-request at https://github.com/freeipa/freeipa/pull/62
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/62/head:pr62
git checkout pr62
From 973fe140d2c3a5fb13738fa3381d3cec1c02688d Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Tue, 26 Jul 2016 11:19:01 -0400
Subject: [PATCH] Configure Anonymous PKINIT on server install

Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST
authentication (necessary for 2FA for example) using an anonymous krbtgt
obtained via Pkinit.

https://fedorahosted.org/freeipa/ticket/5678

Signed-off-by: Simo Sorce 
---
 client/ipa-client-install|   2 +-
 install/share/kdc.conf.template  |   2 +-
 install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++
 install/share/profiles/Makefile.am   |   1 +
 ipaplatform/base/paths.py|   3 +-
 ipapython/certmonger.py  |  32 +---
 ipapython/dogtag.py  |   4 +
 ipaserver/install/certs.py   |  10 ++-
 ipaserver/install/krbinstance.py |  49 
 ipaserver/install/server/common.py   |   5 +-
 ipaserver/install/server/install.py  |  26 ---
 ipaserver/install/server/replicainstall.py   |   4 +-
 ipaserver/plugins/cert.py|  65 +---
 ipaserver/plugins/dogtag.py  |   2 +
 14 files changed, 261 insertions(+), 53 deletions(-)
 create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg

diff --git a/client/ipa-client-install b/client/ipa-client-install
index 6330f1d..30b78ed 100755
--- a/client/ipa-client-install
+++ b/client/ipa-client-install
@@ -1175,7 +1175,7 @@ def configure_certmonger(fstore, subject_base, cli_realm, hostname, options,
 subject = str(DN(('CN', hostname), subject_base))
 passwd_fname = os.path.join(paths.IPA_NSSDB_DIR, 'pwdfile.txt')
 try:
-certmonger.request_cert(nssdb=paths.IPA_NSSDB_DIR,
+certmonger.request_cert(certpath=paths.IPA_NSSDB_DIR,
 nickname='Local IPA host',
 subject=subject, dns=[hostname],
 principal=principal,
diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template
index 296b75b..ec53a1f 100644
--- a/install/share/kdc.conf.template
+++ b/install/share/kdc.conf.template
@@ -12,6 +12,6 @@
   dict_file = $DICT_WORDS
   default_principal_flags = +preauth
 ;  admin_keytab = $KRB5KDC_KADM5_KEYTAB
-  pkinit_identity = FILE:$KDC_PEM
+  pkinit_identity = FILE:$KDC_CERT,$KDC_KEY
   pkinit_anchors = FILE:$CACERT_PEM
  }
diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg
new file mode 100644
index 000..c5e412b
--- /dev/null
+++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg
@@ -0,0 +1,109 @@
+profileId=KDCs_PKINIT_Certs
+classId=caEnrollImpl
+desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=raCertAuth
+name=IPA-RA Agent-Authenticated Server Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=740
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=731
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+polic

[Freeipa-devel] [freeipa PR#117][comment] Make ipa-replica-install run in interactive mode

2016-10-14 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/117
Title: #117: Make ipa-replica-install run in interactive mode

simo5 commented:
"""
@stlaz I do not understand the rationale. Ideally the ipa-replica-install 
command gathers all necessary info and ipa-client-install is always run in 
unattended mode.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/117#issuecomment-253868897

[Freeipa-devel] [freeipa PR#117][comment] Make ipa-replica-install run in interactive mode

2016-10-17 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/117
Title: #117: Make ipa-replica-install run in interactive mode

simo5 commented:
"""
@stlaz, sure, what I meant is that the checking code should be made common and 
run in ipa-replica-install, certainly I was not suggesting to just duplicate 
all that code. Perhaps refactoring will just do that.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/117#issuecomment-254207783

[Freeipa-devel] [freeipa PR#184][opened] Minor install script fixes

2016-10-24 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/184
Author: simo5
 Title: #184: Minor install script fixes
Action: opened

PR body:
"""
- Use the correct unicode string for an error message, otherwise an
exception will generate another exception about incorrect type,
masking the original error.

- Make sure to pass down the debug flag to ipa-client-install when
the server install is run in debug mode

"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/184/head:pr184
git checkout pr184
From 4867f2c571bb103d1c864cff335fb450d6032dc1 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Wed, 5 Oct 2016 15:16:30 -0400
Subject: [PATCH] Minor install script fixes

- Use the correct unicode string for an error message, otherwise an
exception will generate another exception about incorrect type,
masking the original error.

- Make sure to pass down the debug flag to ipa-client-install when
the server install is run in debug mode

Signed-off-by: Simo Sorce 
---
 ipalib/rpc.py   | 3 ++-
 ipaserver/install/server/install.py | 2 ++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 9594ab5..7756eaf 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -603,7 +603,8 @@ def _auth_complete(self, response):
 except (TypeError, UnicodeError):
 pass
 if not token:
-raise KerberosError(message="No valid Negotiate header in server response")
+raise KerberosError(
+message=u"No valid Negotiate header in server response")
 token = self._sec_context.step(token=token)
 if self._sec_context.complete:
 self._sec_context = None
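Review bot: the `except (TypeError, UnicodeError): pass` in the leading context discards whatever failed before the `if not token:` test, so once the `raise` fires the caller only learns "No valid Negotiate header in server response" and cannot tell an absent header from one that did not decode; logging the caught exception at debug level instead of a bare `pass` would keep that information available. The `u""` prefix itself is the right fix for the masked error the commit message describes, given that `KerberosError` expects a unicode `message`.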
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 0015a8c..2ddc7cc 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -896,6 +896,8 @@ def install(installer):
 args.append("--no-sshd")
 if options.mkhomedir:
 args.append("--mkhomedir")
+if options.debug:
+args.append("--debug")
 run(args, redirect_output=True)
 print()
 except Exception:
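Review bot: forwarding `--debug` only under `if options.debug:` is consistent with the `--no-sshd` and `--mkhomedir` handling just above it, but since the client is started with `run(args, redirect_output=True)` its extra debug output goes wherever `run` redirects it, not to the operator's terminal; confirm that the redirected stream ends up in the server install log, otherwise the forwarded flag has no visible effect.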

[Freeipa-devel] [freeipa PR#184][synchronized] Minor install script fixes

2016-10-24 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/184
Author: simo5
 Title: #184: Minor install script fixes
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/184/head:pr184
git checkout pr184
From 68db42a636314be935a519b14ae51b2084e96c7b Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Wed, 5 Oct 2016 15:16:30 -0400
Subject: [PATCH 1/2] Fix error message encoding

- Use the correct unicode string for an error message, otherwise an
exception will generate another exception about incorrect type,
masking the original error.

Signed-off-by: Simo Sorce 
---
 ipalib/rpc.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 9594ab5..7756eaf 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -603,7 +603,8 @@ def _auth_complete(self, response):
 except (TypeError, UnicodeError):
 pass
 if not token:
-raise KerberosError(message="No valid Negotiate header in server response")
+raise KerberosError(
+message=u"No valid Negotiate header in server response")
 token = self._sec_context.step(token=token)
 if self._sec_context.complete:
 self._sec_context = None

From 934f25186aec92d73715286b278adf9b86042a0c Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Mon, 24 Oct 2016 13:06:10 -0400
Subject: [PATCH 2/2] Fix install scripts debugging

- Make sure to pass down the debug flag to ipa-client-install when
the server install is run in debug mode

Signed-off-by: Simo Sorce 
---
 ipaserver/install/server/install.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 0015a8c..2ddc7cc 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -896,6 +896,8 @@ def install(installer):
 args.append("--no-sshd")
 if options.mkhomedir:
 args.append("--mkhomedir")
+if options.debug:
+args.append("--debug")
 run(args, redirect_output=True)
 print()
 except Exception:

[Freeipa-devel] [freeipa PR#205][opened] Support DAL version 5 and version 6

2016-11-01 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/205
Author: simo5
 Title: #205: Support DAL version 5 and version 6
Action: opened

PR body:
"""
Should fix bz#1389866
(untested)
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/205/head:pr205
git checkout pr205
From 9f71b4e01b9ef3040817437790c4756d31d3f404 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Tue, 1 Nov 2016 15:13:14 -0400
Subject: [PATCH] Support DAL version 5 and version 6

See bz#1389866

Signed-off-by: Simo Sorce 
---
 daemons/ipa-kdb/ipa_kdb.c | 45 +
 1 file changed, 45 insertions(+)

diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index fbcb03b..3d3365d 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -625,6 +625,7 @@ static void ipadb_free(krb5_context context, void *ptr)
 
 /* KDB Virtual Table */
 
+#if KRB5_KDB_DAL_MAJOR_VERSION == 5
 kdb_vftabl kdb_function_table = {
 KRB5_KDB_DAL_MAJOR_VERSION, /* major version number */
 0,  /* minor version number */
@@ -667,3 +668,47 @@ kdb_vftabl kdb_function_table = {
 ipadb_check_allowed_to_delegate /* check_allowed_to_delegate */
 };
 
+#elif KRB5_KDB_DAL_MAJOR_VERSION == 6
+kdb_vftabl kdb_function_table = {
+KRB5_KDB_DAL_MAJOR_VERSION, /* major version number */
+0,  /* minor version number */
+ipadb_init_library, /* init_library */
+ipadb_fini_library, /* fini_library */
+ipadb_init_module,  /* init_module */
+ipadb_fini_module,  /* fini_module */
+ipadb_create,   /* create */
+NULL,   /* destroy */
+ipadb_get_age,  /* get_age */
+NULL,   /* lock */
+NULL,   /* unlock */
+ipadb_get_principal,/* get_principal */
+ipadb_put_principal,/* put_principal */
+ipadb_delete_principal, /* delete_principal */
+NULL,   /* rename_principal */
+ipadb_iterate,  /* iterate */
+ipadb_create_pwd_policy,/* create_policy */
+ipadb_get_pwd_policy,   /* get_policy */
+ipadb_put_pwd_policy,   /* put_policy */
+ipadb_iterate_pwd_policy,   /* iter_policy */
+ipadb_delete_pwd_policy,/* delete_policy */
+ipadb_fetch_master_key, /* fetch_master_key */
+NULL,   /* fetch_master_key_list */
+ipadb_store_master_key_list,/* store_master_key_list */
+NULL,   /* dbe_search_enctype */
+ipadb_change_pwd,   /* change_pwd */
+NULL,   /* promote_db */
+NULL,   /* decrypt_key_data */
+NULL,   /* encrypt_key_data */
+ipadb_sign_authdata,/* sign_authdata */
+ipadb_check_transited_realms,   /* check_transited_realms */
+ipadb_check_policy_as,  /* check_policy_as */
+NULL,   /* check_policy_tgs */
+ipadb_audit_as_req, /* audit_as_req */
+NULL,   /* refresh_config */
+ipadb_check_allowed_to_delegate /* check_allowed_to_delegate */
+};
+
+#else
+#error unsupported DAL major version
+#endif
+
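Review bot: the `#elif KRB5_KDB_DAL_MAJOR_VERSION == 6` table is initialized positionally, so every row depends on the exact member order of `kdb_vftabl` in whichever krb5 headers the module is built against; the version 6 layout gains a `rename_principal` slot and has no `free_principal`, `free_policy`, `alloc` or `free` rows, so the slot column is shifted relative to version 5, and a single miscounted line would bind a callback to the wrong slot with no compiler diagnostic (the KDC would then call it with the wrong argument types). C99 designated initializers (`.get_principal = ipadb_get_principal,`) turn a missing or renamed member into a compile error and let the explicit `NULL` rows be dropped, since omitted members of a file-scope struct are zero-initialized. The `#else` / `#error unsupported DAL major version` guard is the right way to fail the build on an unknown version.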

[Freeipa-devel] [freeipa PR#206][opened] Properly handle multiple cookies in rpcclient

2016-11-01 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/206
Author: simo5
 Title: #206: Properly handle multiple cookies in rpcclient
Action: opened

PR body:
"""
The current code does not give a list of cookies, but a concatenated string 
separated by a comma. This is a format the Cookie class does not understand. 
msg.getheaders returns the wanted format.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/206/head:pr206
git checkout pr206
From 2433c2b315e1526e9f8431c577625bf115673480 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Tue, 1 Nov 2016 14:59:12 -0400
Subject: [PATCH] Properly handle multiple cookies in rpcclient

Signed-off-by: Simo Sorce 
---
 ipalib/rpc.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 7756eaf..b5f7e6f 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -719,7 +719,7 @@ def store_session_cookie(self, cookie_header):
 pass
 
 def parse_response(self, response):
-self.store_session_cookie(response.getheader('Set-Cookie'))
+self.store_session_cookie(response.msg.getheaders('Set-Cookie'))
 return SSLTransport.parse_response(self, response)
 
 
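Review bot: `msg.getheaders('Set-Cookie')` returns a list with one element per header, but the `store_session_cookie` named in the hunk header was written to take a single header string; changing the argument type here without adapting that method breaks session cookie parsing until the consumer handles lists, so both changes belong in the same commit. `msg.getheaders()` is also a Python 2 `httplib.HTTPMessage` API; under Python 3 `HTTPResponse.msg` is an `email.message.Message` and the equivalent call is `msg.get_all('Set-Cookie')`, so a small compatibility helper is needed if `ipalib/rpc.py` is meant to run on both.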

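The concatenated-string problem the PR body describes, as an added example that is not FreeIPA's code: a response carrying two Set-Cookie headers is read once as the comma-joined string (what Python 3's `HTTPResponse.getheader` returns for a repeated header) and once as a list (the `getheaders`/`get_all` form the patch switches to), and a small RFC 6265-style parser shows that only the list form recovers the second cookie. The header values, the `ipa_session` cookie name and the parser are constructed for the example; `email.message.Message.get_all` stands in for `msg.getheaders`.

```python
"""Multiple Set-Cookie headers: comma-joined string vs. one-header-per-item list."""
from email.message import Message

# Constructed sample response headers. The Expires attribute legitimately
# contains a comma, which is exactly why joining Set-Cookie values with ", "
# produces something no cookie parser can split back apart.
SESSION_COOKIE = ("ipa_session=0a1b2c3d; Path=/ipa; "
                  "Expires=Wed, 09 Jun 2021 10:18:14 GMT; Secure; HttpOnly")
OTHER_COOKIE = "other=xyz; Path=/"
COOKIE_NAME = "ipa_session"  # constructed name, not FreeIPA's constant


def build_response_headers():
    """Return a Message carrying two Set-Cookie headers, like an HTTP response.

    email.message.Message is the base class of Python 3's HTTPResponse.msg;
    its get_all() plays the role of Python 2's msg.getheaders().
    """
    msg = Message()
    msg["Set-Cookie"] = SESSION_COOKIE   # __setitem__ appends, never replaces
    msg["Set-Cookie"] = OTHER_COOKIE
    return msg


def joined_header(msg, name):
    """What Python 3's HTTPResponse.getheader() returns for a repeated header:
    the values joined with ', ', i.e. the concatenated string the PR objects to."""
    values = msg.get_all(name)
    return ", ".join(values) if values else None


def parse_set_cookie(header):
    """Parse ONE Set-Cookie header value (RFC 6265 style, simplified).

    Returns (name, value, attributes); attributes maps lowercased attribute
    names to their value, or True for flags such as Secure and HttpOnly.
    Attributes are split on ';' only; ',' is ordinary data, as in Expires.
    """
    parts = [p.strip() for p in header.split(";")]
    if "=" not in parts[0]:
        raise ValueError("Set-Cookie must start with name=value: %r" % header)
    name, value = parts[0].split("=", 1)
    attributes = {}
    for attr in parts[1:]:
        if not attr:
            continue
        if "=" in attr:
            key, val = attr.split("=", 1)
            attributes[key.strip().lower()] = val.strip()
        else:
            attributes[attr.lower()] = True
    return name.strip(), value.strip(), attributes


def find_named_cookie(set_cookie_headers, wanted):
    """Return (value, attributes) for cookie `wanted`, or None if absent.

    Takes the list form (one Set-Cookie per element). Initialising `found`
    before the loop keeps an empty list from leaving the result unbound, so a
    response without any Set-Cookie header is a clean "not found".
    """
    found = None
    for header in set_cookie_headers:
        try:
            name, value, attributes = parse_set_cookie(header)
        except ValueError:
            continue  # one malformed header must not hide the others
        if name == wanted:
            found = (value, attributes)
            break
    return found


def compare_forms():
    """Look up both cookies via the joined string and via the list."""
    msg = build_response_headers()
    as_list = msg.get_all("Set-Cookie")            # the fixed code path
    as_string = [joined_header(msg, "Set-Cookie")]  # the buggy code path
    return {
        "list_session": find_named_cookie(as_list, COOKIE_NAME),
        "list_other": find_named_cookie(as_list, "other"),
        "joined_session": find_named_cookie(as_string, COOKIE_NAME),
        "joined_other": find_named_cookie(as_string, "other"),
        "empty": find_named_cookie([], COOKIE_NAME),
    }


if __name__ == "__main__":
    for key, result in compare_forms().items():
        print("%-15s %r" % (key, result))
```

In the joined form the second cookie disappears entirely and the first one comes back with its `Path` overwritten to `/` and its `HttpOnly` flag lost, which is a worse failure than a parse error because nothing signals that the session cookie attributes are wrong.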
[Freeipa-devel] [freeipa PR#205][synchronized] Support DAL version 5 and version 6

2016-11-02 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/205
Author: simo5
 Title: #205: Support DAL version 5 and version 6
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/205/head:pr205
git checkout pr205
From 1f0822b21eb3daa0c769d3377fc841d7ce8aaccc Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Tue, 1 Nov 2016 15:13:14 -0400
Subject: [PATCH] Support DAL version 5 and version 6

See bz#1389866

Signed-off-by: Simo Sorce 
---
 daemons/ipa-kdb/ipa_kdb.c | 102 --
 1 file changed, 63 insertions(+), 39 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index fbcb03b..e96353f 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -625,45 +625,69 @@ static void ipadb_free(krb5_context context, void *ptr)
 
 /* KDB Virtual Table */
 
+#if KRB5_KDB_DAL_MAJOR_VERSION == 5
 kdb_vftabl kdb_function_table = {
-KRB5_KDB_DAL_MAJOR_VERSION, /* major version number */
-0,  /* minor version number */
-ipadb_init_library, /* init_library */
-ipadb_fini_library, /* fini_library */
-ipadb_init_module,  /* init_module */
-ipadb_fini_module,  /* fini_module */
-ipadb_create,   /* create */
-NULL,   /* destroy */
-ipadb_get_age,  /* get_age */
-NULL,   /* lock */
-NULL,   /* unlock */
-ipadb_get_principal,/* get_principal */
-ipadb_free_principal,   /* free_principal */
-ipadb_put_principal,/* put_principal */
-ipadb_delete_principal, /* delete_principal */
-ipadb_iterate,  /* iterate */
-ipadb_create_pwd_policy,/* create_policy */
-ipadb_get_pwd_policy,   /* get_policy */
-ipadb_put_pwd_policy,   /* put_policy */
-ipadb_iterate_pwd_policy,   /* iter_policy */
-ipadb_delete_pwd_policy,/* delete_policy */
-ipadb_free_pwd_policy,  /* free_policy */
-ipadb_alloc,/* alloc */
-ipadb_free, /* free */
-ipadb_fetch_master_key, /* fetch_master_key */
-NULL,   /* fetch_master_key_list */
-ipadb_store_master_key_list,/* store_master_key_list */
-NULL,   /* dbe_search_enctype */
-ipadb_change_pwd,   /* change_pwd */
-NULL,   /* promote_db */
-NULL,   /* decrypt_key_data */
-NULL,   /* encrypt_key_data */
-ipadb_sign_authdata,/* sign_authdata */
-ipadb_check_transited_realms,   /* check_transited_realms */
-ipadb_check_policy_as,  /* check_policy_as */
-NULL,   /* check_policy_tgs */
-ipadb_audit_as_req, /* audit_as_req */
-NULL,   /* refresh_config */
-ipadb_check_allowed_to_delegate /* check_allowed_to_delegate */
+.maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
+.min_ver = 0,
+.init_library = ipadb_init_library,
+.fini_library = ipadb_fini_library,
+.init_module = ipadb_init_module,
+.fini_module = ipadb_fini_module,
+.create = ipadb_create,
+.get_age = ipadb_get_age,
+.get_principal = ipadb_get_principal,
+.free_principal = ipadb_free_principal,
+.put_principal = ipadb_put_principal,
+.delete_principal = ipadb_delete_principal,
+.iterate = ipadb_iterate,
+.create_policy = ipadb_create_pwd_policy,
+.get_policy = ipadb_get_pwd_policy,
+.put_policy = ipadb_put_pwd_policy,
+.iter_policy = ipadb_iterate_pwd_policy,
+.delete_policy = ipadb_delete_pwd_policy,
+.free_policy = ipadb_free_pwd_policy,
+.alloc = ipadb_alloc,
+.free = ipadb_free,
+.fetch_master_key = ipadb_fetch_master_key,
+.store_master_key_list = ipadb_store_master_key_list,
+.change_pwd = ipadb_change_pwd,
+.sign_authdata = ipadb_sign_authdata,
+.check_transited_realms = ipadb_check_transited_realms,
+.check_policy_as = ipadb_check_policy_as,
+.audit_as_req = ipadb_audit_as_req,
+.check_allowed_to_delegate = ipadb_check_allowed_to_delegate
 };
 
+#elif KRB5_KDB_DAL_MAJOR_VERSION == 6
+kdb_vftabl kdb_function_table = {
+.maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
+.min_ver = 0,
+.init_library = ipadb_init_library,
+.fini_library = ipadb_fini_library,
+.init_module = ipadb_init_module,
+.fini_module = ipadb_fini_module,
+.create = ipadb_create,
+.get_age = ipadb_get_age,
+.get_principal = ipadb_get_principal,
+.put_principal
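Review bot: with designated initializers the two tables now share every assignment except the members that differ between DAL 5 and 6, so the common block (`.init_library` through `.check_allowed_to_delegate`) could be a macro expanded inside both `#if` branches; as written, a callback added to one table can silently be missed in the other. Dropping the explicit `NULL` rows of the old table (`destroy`, `lock`, `unlock`, `fetch_master_key_list`, `dbe_search_enctype`, `promote_db`, `decrypt_key_data`, `encrypt_key_data`, `check_policy_tgs`, `refresh_config`) is safe because `kdb_function_table` is a file-scope object and its unnamed members are zero-initialized; a one-line comment above the table saying so would save the next reader the check.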

[Freeipa-devel] [freeipa PR#205][comment] Support DAL version 5 and version 6

2016-11-02 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/205
Title: #205: Support DAL version 5 and version 6

simo5 commented:
"""
Updated
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/205#issuecomment-257820109

[Freeipa-devel] [freeipa PR#205][comment] Support DAL version 5 and version 6

2016-11-07 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/205
Title: #205: Support DAL version 5 and version 6

simo5 commented:
"""
On Mon, 2016-11-07 at 08:11 -0800, Tomas Krizek wrote:
> NACK
> 
> `ipa-server-install` will fail at:
> ```
> Configuring kadmin
>   [1/2]: starting kadmin 
>   [2/2]: configuring kadmin to start on boot
> Done configuring kadmin.
> ipa.ipapython.install.cli.install_tool(Server): ERRORCA did not start in 
> 300.0s
> ipa.ipapython.install.cli.install_tool(Server): ERRORThe 
> ipa-server-install command failed
> ```
> From `/var/log/pki/pki-tomcat/ca/debug`, it seems PKI can't authenticate 
> towards LDAP:
> ```
> [07/Nov/2016:16:42:11][localhost-startStop-1]: SSL handshake happened
> Could not connect to LDAP server host vm-059.abc.idm.lab.eng.brq.redhat.com 
> port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
> ```
> 

I've seen this error recently too, but it is unrelated; I re-installed on
F25 and it went away.
I think there is some issue with dogtag in some conditions when you
re-install, although I could not figure out what it is.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/205#issuecomment-258880929

[Freeipa-devel] [freeipa PR#205][comment] Support DAL version 5 and version 6

2016-11-07 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/205
Title: #205: Support DAL version 5 and version 6

simo5 commented:
"""
Sure, but I do not see how a change in the KDC DAL can affect PKI connecting 
to LDAP.
Does this problem go away if you remove the patch and re-build/install on the 
same machine?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/205#issuecomment-258894858

[Freeipa-devel] [freeipa PR#205][+ack] Support DAL version 5 and version 6

2016-11-07 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/205
Title: #205: Support DAL version 5 and version 6

Label: +ack

[Freeipa-devel] [freeipa PR#205][comment] Support DAL version 5 and version 6

2016-11-07 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/205
Title: #205: Support DAL version 5 and version 6

simo5 commented:
"""
I just verified I reproduce your error in my tree without the patch.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/205#issuecomment-258937044

[Freeipa-devel] [freeipa PR#205][comment] Support DAL version 5 and version 6

2016-11-08 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/205
Title: #205: Support DAL version 5 and version 6

simo5 commented:
"""
There was no upstream ticket when I created the commit :-)
I'll add.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/205#issuecomment-259221154

[Freeipa-devel] [freeipa PR#205][synchronized] Support DAL version 5 and version 6

2016-11-08 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/205
Author: simo5
 Title: #205: Support DAL version 5 and version 6
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/205/head:pr205
git checkout pr205
From bad5cad79ac9d639333706f073e8b0a2556f10d7 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Tue, 1 Nov 2016 15:13:14 -0400
Subject: [PATCH] Support DAL version 5 and version 6

https://fedorahosted.org/freeipa/ticket/6466

Signed-off-by: Simo Sorce 
---
 daemons/ipa-kdb/ipa_kdb.c | 102 --
 1 file changed, 63 insertions(+), 39 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index fbcb03b..e96353f 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -625,45 +625,69 @@ static void ipadb_free(krb5_context context, void *ptr)
 
 /* KDB Virtual Table */
 
+#if KRB5_KDB_DAL_MAJOR_VERSION == 5
 kdb_vftabl kdb_function_table = {
-KRB5_KDB_DAL_MAJOR_VERSION, /* major version number */
-0,  /* minor version number */
-ipadb_init_library, /* init_library */
-ipadb_fini_library, /* fini_library */
-ipadb_init_module,  /* init_module */
-ipadb_fini_module,  /* fini_module */
-ipadb_create,   /* create */
-NULL,   /* destroy */
-ipadb_get_age,  /* get_age */
-NULL,   /* lock */
-NULL,   /* unlock */
-ipadb_get_principal,/* get_principal */
-ipadb_free_principal,   /* free_principal */
-ipadb_put_principal,/* put_principal */
-ipadb_delete_principal, /* delete_principal */
-ipadb_iterate,  /* iterate */
-ipadb_create_pwd_policy,/* create_policy */
-ipadb_get_pwd_policy,   /* get_policy */
-ipadb_put_pwd_policy,   /* put_policy */
-ipadb_iterate_pwd_policy,   /* iter_policy */
-ipadb_delete_pwd_policy,/* delete_policy */
-ipadb_free_pwd_policy,  /* free_policy */
-ipadb_alloc,/* alloc */
-ipadb_free, /* free */
-ipadb_fetch_master_key, /* fetch_master_key */
-NULL,   /* fetch_master_key_list */
-ipadb_store_master_key_list,/* store_master_key_list */
-NULL,   /* dbe_search_enctype */
-ipadb_change_pwd,   /* change_pwd */
-NULL,   /* promote_db */
-NULL,   /* decrypt_key_data */
-NULL,   /* encrypt_key_data */
-ipadb_sign_authdata,/* sign_authdata */
-ipadb_check_transited_realms,   /* check_transited_realms */
-ipadb_check_policy_as,  /* check_policy_as */
-NULL,   /* check_policy_tgs */
-ipadb_audit_as_req, /* audit_as_req */
-NULL,   /* refresh_config */
-ipadb_check_allowed_to_delegate /* check_allowed_to_delegate */
+.maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
+.min_ver = 0,
+.init_library = ipadb_init_library,
+.fini_library = ipadb_fini_library,
+.init_module = ipadb_init_module,
+.fini_module = ipadb_fini_module,
+.create = ipadb_create,
+.get_age = ipadb_get_age,
+.get_principal = ipadb_get_principal,
+.free_principal = ipadb_free_principal,
+.put_principal = ipadb_put_principal,
+.delete_principal = ipadb_delete_principal,
+.iterate = ipadb_iterate,
+.create_policy = ipadb_create_pwd_policy,
+.get_policy = ipadb_get_pwd_policy,
+.put_policy = ipadb_put_pwd_policy,
+.iter_policy = ipadb_iterate_pwd_policy,
+.delete_policy = ipadb_delete_pwd_policy,
+.free_policy = ipadb_free_pwd_policy,
+.alloc = ipadb_alloc,
+.free = ipadb_free,
+.fetch_master_key = ipadb_fetch_master_key,
+.store_master_key_list = ipadb_store_master_key_list,
+.change_pwd = ipadb_change_pwd,
+.sign_authdata = ipadb_sign_authdata,
+.check_transited_realms = ipadb_check_transited_realms,
+.check_policy_as = ipadb_check_policy_as,
+.audit_as_req = ipadb_audit_as_req,
+.check_allowed_to_delegate = ipadb_check_allowed_to_delegate
 };
 
+#elif KRB5_KDB_DAL_MAJOR_VERSION == 6
+kdb_vftabl kdb_function_table = {
+.maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
+.min_ver = 0,
+.init_library = ipadb_init_library,
+.fini_library = ipadb_fini_library,
+.init_module = ipadb_init_module,
+.fini_module = ipadb_fini_module,
+.create = ipadb_create,
+.get_age = ipadb_get_age,
+.get_principal

[Freeipa-devel] [freeipa PR#187][comment] Register entry points of Custodia plugins

2016-11-11 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/187
Title: #187: Register entry points of Custodia plugins

simo5 commented:
"""
I forgot the reasons; I was probably not thinking about PEP8 back then.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/187#issuecomment-259963079

[Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install

2016-11-21 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/62
Title: #62: Configure Anonymous PKINIT on server install

simo5 commented:
"""
@splashx you would have to manually configure each KDC and give them certs; it 
is doable.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/62#issuecomment-261950279

[Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install

2016-11-28 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/62
Title: #62: Configure Anonymous PKINIT on server install

simo5 commented:
"""
@splashx we are starting to pollute this PR here now. Please provide KDC logs 
on the user's mailing list and let's proceed there.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/62#issuecomment-263401055

[Freeipa-devel] [freeipa PR#206][comment] Properly handle multiple cookies in rpcclient

2016-12-01 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/206
Title: #206: Properly handle multiple cookies in rpcclient

simo5 commented:
"""
This new patch should fix it.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/206#issuecomment-264299396

[Freeipa-devel] [freeipa PR#206][synchronized] Properly handle multiple cookies in rpcclient

2016-12-01 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/206
Author: simo5
 Title: #206: Properly handle multiple cookies in rpcclient
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/206/head:pr206
git checkout pr206
From 25f0224a76c1dd1942fcaef2b3a606ab21d6c805 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Tue, 1 Nov 2016 14:59:12 -0400
Subject: [PATCH 1/2] Properly handle multiple cookies in rpcclient

Signed-off-by: Simo Sorce 
---
 ipalib/rpc.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index bd13251..dc63dc3 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -721,7 +721,7 @@ def store_session_cookie(self, cookie_header):
 pass
 
 def parse_response(self, response):
-self.store_session_cookie(response.getheader('Set-Cookie'))
+self.store_session_cookie(response.msg.getheaders('Set-Cookie'))
 return SSLTransport.parse_response(self, response)
 
 

From 0c6581b72d2af1bf45a88428b86e54d5dac4fc9e Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Fri, 30 Sep 2016 16:17:31 -0400
Subject: [PATCH 2/2] Properly handle multiple cookies in rpc lib.

Signed-off-by: Simo Sorce 
---
 ipalib/rpc.py | 13 ++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index dc63dc3..63ca87c 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -699,12 +699,19 @@ def store_session_cookie(self, cookie_header):
 
 principal = getattr(context, 'principal', None)
 request_url = getattr(context, 'request_url', None)
-root_logger.debug("received Set-Cookie '%s'", cookie_header)
+root_logger.debug("received Set-Cookie (%s)'%s'", type(cookie_header), cookie_header)
+
+if not isinstance(cookie_header, list):
+cookie_header = [cookie_header]
 
 # Search for the session cookie
 try:
-session_cookie = Cookie.get_named_cookie_from_string(cookie_header,
- COOKIE_NAME, request_url)
+for cookie in cookie_header:
+session_cookie = \
+Cookie.get_named_cookie_from_string(cookie, COOKIE_NAME,
+request_url)
+if session_cookie is not None:
+break
 except Exception as e:
 root_logger.error("unable to parse cookie header '%s': %s", cookie_header, e)
 return
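Review bot: `session_cookie` is assigned only inside the new `for cookie in cookie_header:` loop, so when `cookie_header` is an empty list (what `msg.getheaders()` returns for a response with no Set-Cookie header; the `isinstance(cookie_header, list)` guard does not wrap that case) the loop body never runs and any later use of `session_cookie` after the `try` raises `UnboundLocalError` instead of taking the "no session cookie" path; set `session_cookie = None` before the loop. Smaller points: the new debug format `"received Set-Cookie (%s)'%s'"` is missing a space before the quoted value, and the error log in the `except` prints the whole list rather than the `cookie` that failed to parse.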

[Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install

2016-12-01 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/62
Title: #62: Configure Anonymous PKINIT on server install

simo5 commented:
"""
@abbra this code needs a rebase and I need it as a dependency for solving ticket 
#5959, did you do any work on this? If not, I'll rebase tomorrow.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/62#issuecomment-264299816

[Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install

2016-12-02 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/62
Title: #62: Configure Anonymous PKINIT on server install

simo5 commented:
"""
Should I push your branch over my PR?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/62#issuecomment-264407366

[Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install

2016-12-02 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/62
Title: #62: Configure Anonymous PKINIT on server install

simo5 commented:
"""
On Fri, 2016-12-02 at 02:18 -0800, Alexander Bokovoy wrote:
> Up to you. We can either resync yours or switch over to mine. I need to merge 
> updater changes too before submitting it upstream, though.

I'll rebase for now; when it is time for the additional work, we can
decide whether we are better off opening a new PR or continuing with this one.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/62#issuecomment-264424678

[Freeipa-devel] [freeipa PR#62][synchronized] Configure Anonymous PKINIT on server install

2016-12-02 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/62
Author: simo5
 Title: #62: Configure Anonymous PKINIT on server install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/62/head:pr62
git checkout pr62
From 25c94d10b85f351be11d1a61d5c94ec03b9f8dc6 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Tue, 26 Jul 2016 11:19:01 -0400
Subject: [PATCH] Configure Anonymous PKINIT on server install

Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST
authentication (necessary for 2FA for example) using an anonymous krbtgt
obtained via Pkinit.

https://fedorahosted.org/freeipa/ticket/5678

Signed-off-by: Simo Sorce 
---
 install/share/kdc.conf.template  |   2 +-
 install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++
 install/share/profiles/Makefile.am   |   1 +
 ipalib/install/certmonger.py |  35 ++---
 ipaplatform/base/paths.py|   3 +-
 ipapython/dogtag.py  |   4 +
 ipaserver/install/certs.py   |  10 ++-
 ipaserver/install/krbinstance.py |  43 +--
 ipaserver/install/server/__init__.py |   4 +-
 ipaserver/install/server/install.py  |  26 ---
 ipaserver/install/server/replicainstall.py   |   4 +-
 ipaserver/plugins/cert.py|  65 +---
 ipaserver/plugins/dogtag.py  |   2 +
 13 files changed, 263 insertions(+), 45 deletions(-)
 create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg

diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template
index 296b75b..ec53a1f 100644
--- a/install/share/kdc.conf.template
+++ b/install/share/kdc.conf.template
@@ -12,6 +12,6 @@
   dict_file = $DICT_WORDS
   default_principal_flags = +preauth
 ;  admin_keytab = $KRB5KDC_KADM5_KEYTAB
-  pkinit_identity = FILE:$KDC_PEM
+  pkinit_identity = FILE:$KDC_CERT,$KDC_KEY
   pkinit_anchors = FILE:$CACERT_PEM
  }
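Review bot: `pkinit_identity = FILE:$KDC_CERT,$KDC_KEY` replaces the combined `$KDC_PEM` with two new template variables, so the substitution dictionary in `ipaserver/install/krbinstance.py` (in the diffstat) must define both and drop `KDC_PEM`, or the template renders with the literal placeholder and the KDC cannot load its PKINIT identity. The private key now sits in its own file; the code that writes `$KDC_KEY` should create it owned by the KDC user with mode 0600, since whoever can read that file can present the KDC's PKINIT identity to clients, while `pkinit_anchors = FILE:$CACERT_PEM` (unchanged) stays the trust root for the client side.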
diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg
new file mode 100644
index 000..c5e412b
--- /dev/null
+++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg
@@ -0,0 +1,109 @@
+profileId=KDCs_PKINIT_Certs
+classId=caEnrollImpl
+desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=raCertAuth
+name=IPA-RA Agent-Authenticated Server Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=740
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=731
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://$IPA_CA_RECORD.$DOMAIN/ca/ocsp
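Review bot: the `desc=` and `name=` lines still describe this as a generic "server certificate" / "IPA-RA Agent-Authenticated Server Certificate Enrollment" profile, which reads like a copy of the existing service-cert profile; since `profileId=KDCs_PKINIT_Certs` is meant for KDC PKINIT certificates, the description and display name should say so, otherwise an admin auditing Dogtag profiles cannot tell the two apart. More importantly, policy items 1 through 5 shown here (subject name, validity, RSA key, AKI, AIA) are plain server-cert defaults; what makes a certificate usable as a PKINIT KDC cert is an Extended Key Usage carrying id-pkinit-KPKdc and a SubjectAltName with the realm's krbtgt principal (that is what RFC 4556 clients verify), and those would have to be among items 6 through 11 of `policyset.serverCertSet.list`, which this excerpt does not show. Please double-check that they are present and that the subject-name constraint `CN=[^,]+,.+` cannot be satisfied by an arbitrary host principal, so only the intended KDC identity can obtain a cert from this profile.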

[Freeipa-devel] [freeipa PR#62][synchronized] Configure Anonymous PKINIT on server install

2016-12-02 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/62
Author: simo5
 Title: #62: Configure Anonymous PKINIT on server install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/62/head:pr62
git checkout pr62
From 690d44d0f14225c8b0f1cb77c241ab2f267717e2 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Tue, 26 Jul 2016 11:19:01 -0400
Subject: [PATCH] Configure Anonymous PKINIT on server install

Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST
authentication (necessary for 2FA for example) using an anonymous krbtgt
obtained via Pkinit.

https://fedorahosted.org/freeipa/ticket/5678

Signed-off-by: Simo Sorce 
---
 install/share/kdc.conf.template  |   2 +-
 install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++
 install/share/profiles/Makefile.am   |   1 +
 ipaclient/install/client.py  |   2 +-
 ipalib/install/certmonger.py |  43 +++
 ipaplatform/base/paths.py|   3 +-
 ipapython/dogtag.py  |   4 +
 ipaserver/install/cainstance.py  |   2 +-
 ipaserver/install/certs.py   |  10 ++-
 ipaserver/install/dsinstance.py  |   2 +-
 ipaserver/install/httpinstance.py|   2 +-
 ipaserver/install/krbinstance.py |  42 +--
 ipaserver/install/server/__init__.py |   4 +-
 ipaserver/install/server/install.py  |  26 ---
 ipaserver/install/server/replicainstall.py   |   4 +-
 ipaserver/plugins/cert.py|  65 +---
 ipaserver/plugins/dogtag.py  |   2 +
 17 files changed, 270 insertions(+), 53 deletions(-)
 create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg

diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template
index 296b75b..ec53a1f 100644
--- a/install/share/kdc.conf.template
+++ b/install/share/kdc.conf.template
@@ -12,6 +12,6 @@
   dict_file = $DICT_WORDS
   default_principal_flags = +preauth
 ;  admin_keytab = $KRB5KDC_KADM5_KEYTAB
-  pkinit_identity = FILE:$KDC_PEM
+  pkinit_identity = FILE:$KDC_CERT,$KDC_KEY
   pkinit_anchors = FILE:$CACERT_PEM
  }
diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg
new file mode 100644
index 000..c5e412b
--- /dev/null
+++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg
@@ -0,0 +1,109 @@
+profileId=KDCs_PKINIT_Certs
+classId=caEnrollImpl
+desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=raCertAuth
+name=IPA-RA Agent-Authenticated Server Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=740
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=731
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5

[Freeipa-devel] [freeipa PR#62][synchronized] Configure Anonymous PKINIT on server install

2016-12-02 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/62
Author: simo5
 Title: #62: Configure Anonymous PKINIT on server install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/62/head:pr62
git checkout pr62
From f627124a167142161dcdd4504c104b149beb65a2 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Tue, 26 Jul 2016 11:19:01 -0400
Subject: [PATCH] Configure Anonymous PKINIT on server install

Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST
authentication (necessary for 2FA for example) using an anonymous krbtgt
obtained via Pkinit.

https://fedorahosted.org/freeipa/ticket/5678

Signed-off-by: Simo Sorce 
---
 install/share/kdc.conf.template  |   2 +-
 install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++
 install/share/profiles/Makefile.am   |   1 +
 ipaclient/install/client.py  |   2 +-
 ipalib/install/certmonger.py |  43 +++
 ipaplatform/base/paths.py|   3 +-
 ipapython/dogtag.py  |   4 +
 ipaserver/install/cainstance.py  |   2 +-
 ipaserver/install/certs.py   |  10 ++-
 ipaserver/install/dsinstance.py  |   2 +-
 ipaserver/install/httpinstance.py|   2 +-
 ipaserver/install/krbinstance.py |  43 +--
 ipaserver/install/server/__init__.py |   4 +-
 ipaserver/install/server/install.py  |  26 ---
 ipaserver/install/server/replicainstall.py   |   4 +-
 ipaserver/plugins/cert.py|  65 +---
 ipaserver/plugins/dogtag.py  |   2 +
 17 files changed, 271 insertions(+), 53 deletions(-)
 create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg

diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template
index 296b75b..ec53a1f 100644
--- a/install/share/kdc.conf.template
+++ b/install/share/kdc.conf.template
@@ -12,6 +12,6 @@
   dict_file = $DICT_WORDS
   default_principal_flags = +preauth
 ;  admin_keytab = $KRB5KDC_KADM5_KEYTAB
-  pkinit_identity = FILE:$KDC_PEM
+  pkinit_identity = FILE:$KDC_CERT,$KDC_KEY
   pkinit_anchors = FILE:$CACERT_PEM
  }
diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg
new file mode 100644
index 000..c5e412b
--- /dev/null
+++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg
@@ -0,0 +1,109 @@
+profileId=KDCs_PKINIT_Certs
+classId=caEnrollImpl
+desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=raCertAuth
+name=IPA-RA Agent-Authenticated Server Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=740
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=731
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5

[Freeipa-devel] [freeipa PR#62][synchronized] Configure Anonymous PKINIT on server install

2016-12-02 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/62
Author: simo5
 Title: #62: Configure Anonymous PKINIT on server install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/62/head:pr62
git checkout pr62
From d0139ed393cc59c71a0dfd6ec55d25ea5490c6f9 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Tue, 26 Jul 2016 11:19:01 -0400
Subject: [PATCH] Configure Anonymous PKINIT on server install

Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST
authentication (necessary for 2FA for example) using an anonymous krbtgt
obtained via Pkinit.

https://fedorahosted.org/freeipa/ticket/5678

Signed-off-by: Simo Sorce 
---
 install/share/kdc.conf.template  |   2 +-
 install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++
 install/share/profiles/Makefile.am   |   1 +
 ipaclient/install/client.py  |   2 +-
 ipalib/install/certmonger.py |  43 +++
 ipaplatform/base/paths.py|   3 +-
 ipapython/dogtag.py  |   4 +
 ipaserver/install/cainstance.py  |   2 +-
 ipaserver/install/certs.py   |  10 ++-
 ipaserver/install/dsinstance.py  |   2 +-
 ipaserver/install/httpinstance.py|   2 +-
 ipaserver/install/krbinstance.py |  47 +---
 ipaserver/install/server/__init__.py |   4 +-
 ipaserver/install/server/install.py  |  26 ---
 ipaserver/install/server/replicainstall.py   |   4 +-
 ipaserver/plugins/cert.py|  65 +---
 ipaserver/plugins/dogtag.py  |   2 +
 17 files changed, 271 insertions(+), 57 deletions(-)
 create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg

diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template
index 296b75b..ec53a1f 100644
--- a/install/share/kdc.conf.template
+++ b/install/share/kdc.conf.template
@@ -12,6 +12,6 @@
   dict_file = $DICT_WORDS
   default_principal_flags = +preauth
 ;  admin_keytab = $KRB5KDC_KADM5_KEYTAB
-  pkinit_identity = FILE:$KDC_PEM
+  pkinit_identity = FILE:$KDC_CERT,$KDC_KEY
   pkinit_anchors = FILE:$CACERT_PEM
  }
diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg
new file mode 100644
index 000..c5e412b
--- /dev/null
+++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg
@@ -0,0 +1,109 @@
+profileId=KDCs_PKINIT_Certs
+classId=caEnrollImpl
+desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=raCertAuth
+name=IPA-RA Agent-Authenticated Server Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=740
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=731
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5

[Freeipa-devel] [freeipa PR#62][synchronized] Configure Anonymous PKINIT on server install

2016-12-06 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/62
Author: simo5
 Title: #62: Configure Anonymous PKINIT on server install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/62/head:pr62
git checkout pr62
From 1efbefb055c0d3245f86e0182031b6be13869b47 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Tue, 26 Jul 2016 11:19:01 -0400
Subject: [PATCH] Configure Anonymous PKINIT on server install

Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST
authentication (necessary for 2FA for example) using an anonymous krbtgt
obtained via Pkinit.

https://fedorahosted.org/freeipa/ticket/5678

Signed-off-by: Simo Sorce 
---
 install/share/kdc.conf.template  |   2 +-
 install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++
 install/share/profiles/Makefile.am   |   1 +
 ipaclient/install/client.py  |   2 +-
 ipalib/install/certmonger.py |  43 +++
 ipaplatform/base/paths.py|   3 +-
 ipapython/dogtag.py  |   4 +
 ipaserver/install/cainstance.py  |   2 +-
 ipaserver/install/certs.py   |  10 ++-
 ipaserver/install/dsinstance.py  |   2 +-
 ipaserver/install/httpinstance.py|   2 +-
 ipaserver/install/krbinstance.py |  47 +---
 ipaserver/install/server/__init__.py |   4 +-
 ipaserver/install/server/install.py  |  26 ---
 ipaserver/install/server/replicainstall.py   |   4 +-
 ipaserver/plugins/cert.py|  82 
 ipaserver/plugins/dogtag.py  |   2 +
 17 files changed, 281 insertions(+), 64 deletions(-)
 create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg

diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template
index 296b75b..ec53a1f 100644
--- a/install/share/kdc.conf.template
+++ b/install/share/kdc.conf.template
@@ -12,6 +12,6 @@
   dict_file = $DICT_WORDS
   default_principal_flags = +preauth
 ;  admin_keytab = $KRB5KDC_KADM5_KEYTAB
-  pkinit_identity = FILE:$KDC_PEM
+  pkinit_identity = FILE:$KDC_CERT,$KDC_KEY
   pkinit_anchors = FILE:$CACERT_PEM
  }
diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg
new file mode 100644
index 000..c5e412b
--- /dev/null
+++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg
@@ -0,0 +1,109 @@
+profileId=KDCs_PKINIT_Certs
+classId=caEnrollImpl
+desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=raCertAuth
+name=IPA-RA Agent-Authenticated Server Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=740
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=731
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5

[Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install

2016-12-06 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/62
Title: #62: Configure Anonymous PKINIT on server install

simo5 commented:
"""
Rebased on latest master
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/62#issuecomment-265201018
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#62][synchronized] Configure Anonymous PKINIT on server install

2016-12-06 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/62
Author: simo5
 Title: #62: Configure Anonymous PKINIT on server install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/62/head:pr62
git checkout pr62
From 5a793773c9a2fb1f24161220f1f306372c036b6b Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Tue, 26 Jul 2016 11:19:01 -0400
Subject: [PATCH] Configure Anonymous PKINIT on server install

Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST
authentication (necessary for 2FA for example) using an anonymous krbtgt
obtained via Pkinit.

https://fedorahosted.org/freeipa/ticket/5678

Signed-off-by: Simo Sorce 
---
 install/share/kdc.conf.template  |   2 +-
 install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++
 install/share/profiles/Makefile.am   |   1 +
 ipaclient/install/client.py  |   2 +-
 ipalib/install/certmonger.py |  43 +++
 ipaplatform/base/paths.py|   3 +-
 ipapython/dogtag.py  |   4 +
 ipaserver/install/cainstance.py  |   2 +-
 ipaserver/install/certs.py   |  10 ++-
 ipaserver/install/dsinstance.py  |   2 +-
 ipaserver/install/httpinstance.py|   2 +-
 ipaserver/install/krbinstance.py |  47 +---
 ipaserver/install/server/__init__.py |   4 +-
 ipaserver/install/server/install.py  |  26 ---
 ipaserver/install/server/replicainstall.py   |   4 +-
 ipaserver/plugins/cert.py|  83 
 ipaserver/plugins/dogtag.py  |   2 +
 17 files changed, 282 insertions(+), 64 deletions(-)
 create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg

diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template
index 296b75b..ec53a1f 100644
--- a/install/share/kdc.conf.template
+++ b/install/share/kdc.conf.template
@@ -12,6 +12,6 @@
   dict_file = $DICT_WORDS
   default_principal_flags = +preauth
 ;  admin_keytab = $KRB5KDC_KADM5_KEYTAB
-  pkinit_identity = FILE:$KDC_PEM
+  pkinit_identity = FILE:$KDC_CERT,$KDC_KEY
   pkinit_anchors = FILE:$CACERT_PEM
  }
diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg
new file mode 100644
index 000..c5e412b
--- /dev/null
+++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg
@@ -0,0 +1,109 @@
+profileId=KDCs_PKINIT_Certs
+classId=caEnrollImpl
+desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=raCertAuth
+name=IPA-RA Agent-Authenticated Server Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=740
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=731
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5

[Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install

2016-12-06 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/62
Title: #62: Configure Anonymous PKINIT on server install

simo5 commented:
"""
Rebasing this code is becoming a little difficult, @frasertweedale can you take 
a look and confirm the changes in cert.py are ok?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/62#issuecomment-265206007

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2016-12-06 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
Yeah going through those right now
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-265234514

[Freeipa-devel] [freeipa PR#206][comment] Properly handle multiple cookies in rpcclient

2016-12-07 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/206
Title: #206: Properly handle multiple cookies in rpcclient

simo5 commented:
"""
Yes, getting there, be patient, I discovered other stuff as I fixed pylint per 
single patch :)
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/206#issuecomment-265406741

[Freeipa-devel] [freeipa PR#206][comment] Properly handle multiple cookies in rpcclient

2016-12-07 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/206
Title: #206: Properly handle multiple cookies in rpcclient

simo5 commented:
"""
Sorry I thought this PR was the priv sep one, I have fixes for this, pushing in 
a moment.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/206#issuecomment-265407701

[Freeipa-devel] [freeipa PR#206][synchronized] Properly handle multiple cookies in rpcclient

2016-12-07 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/206
Author: simo5
 Title: #206: Properly handle multiple cookies in rpcclient
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/206/head:pr206
git checkout pr206
From df541c3c1bef0cfdfc0c6c412218eeb69ef0affd Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Tue, 1 Nov 2016 14:59:12 -0400
Subject: [PATCH 1/2] Properly handle multiple cookies in rpcclient

Signed-off-by: Simo Sorce 
---
 ipalib/rpc.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index bd13251..dc63dc3 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -721,7 +721,7 @@ def store_session_cookie(self, cookie_header):
 pass
 
 def parse_response(self, response):
-self.store_session_cookie(response.getheader('Set-Cookie'))
+self.store_session_cookie(response.msg.getheaders('Set-Cookie'))
 return SSLTransport.parse_response(self, response)
 
 
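Review bot: `response.msg.getheaders('Set-Cookie')` is the Python 2 `httplib`/`mimetools.Message` API; on Python 3 `HTTPResponse.msg` is an `email.message.Message`, which offers `get_all('Set-Cookie')` but has no `getheaders`, so this line raises AttributeError there. A small compat helper that calls `get_all` when present and falls back to `getheaders` would keep the multi-cookie behaviour on both interpreters. Note also that this patch on its own changes the argument passed to `store_session_cookie` from a string to a list while the list handling only arrives in patch 2/2, so the series does not bisect cleanly; squashing the two commits would avoid a broken intermediate state.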

From 5fe6cac8e2a006d8c2b11fab6fd7a5dbeebdcce7 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Fri, 30 Sep 2016 16:17:31 -0400
Subject: [PATCH 2/2] Properly handle multiple cookies in rpc lib.

Signed-off-by: Simo Sorce 
---
 ipalib/rpc.py | 14 +++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index dc63dc3..bd25e6f 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -699,12 +699,20 @@ def store_session_cookie(self, cookie_header):
 
 principal = getattr(context, 'principal', None)
 request_url = getattr(context, 'request_url', None)
-root_logger.debug("received Set-Cookie '%s'", cookie_header)
+root_logger.debug("received Set-Cookie (%s)'%s'", type(cookie_header),
+  cookie_header)
+
+if not isinstance(cookie_header, list):
+cookie_header = [cookie_header]
 
 # Search for the session cookie
 try:
-session_cookie = Cookie.get_named_cookie_from_string(cookie_header,
- COOKIE_NAME, request_url)
+for cookie in cookie_header:
+session_cookie = \
+Cookie.get_named_cookie_from_string(cookie, COOKIE_NAME,
+request_url)
+if session_cookie is not None:
+break
 except Exception as e:
 root_logger.error("unable to parse cookie header '%s': %s", cookie_header, e)
 return
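Review bot: in the new `for cookie in cookie_header:` loop `session_cookie` is only ever assigned inside the loop body, so when `cookie_header` is an empty list (which is what `getheaders()` returns for a response with no Set-Cookie header) the body never runs and the code after the `try` that inspects `session_cookie` will raise UnboundLocalError instead of returning quietly; initialise `session_cookie = None` before the loop, and return early when the header list is empty or the value is `None`. A second point on the `root_logger.debug("received Set-Cookie (%s)'%s'", ...)` line: it now logs every Set-Cookie value verbatim, and since the session cookie is a bearer credential it would be better to log only the cookie name and length so session tokens do not end up in debug logs.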

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2016-12-07 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
Updated branch, hopefully lint will be happy.
While there I discovered dcerpc.py was using the HTTP keytab, after discussing 
with @abbra we decided to just remove such use for now and see later if we need 
any changes. The use was rare and in the important cases we have already a 
better option in the code.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-265410793

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2016-12-07 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
Note: this PR also depends on and includes commits from #206
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-265432380

[Freeipa-devel] [freeipa PR#62][synchronized] Configure Anonymous PKINIT on server install

2016-12-07 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/62
Author: simo5
 Title: #62: Configure Anonymous PKINIT on server install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/62/head:pr62
git checkout pr62
From 27e72f6512147a91e575b0ba0e6006cc7b185902 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Tue, 26 Jul 2016 11:19:01 -0400
Subject: [PATCH] Configure Anonymous PKINIT on server install

Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST
authentication (necessary for 2FA for example) using an anonymous krbtgt
obtained via Pkinit.

https://fedorahosted.org/freeipa/ticket/5678

Signed-off-by: Simo Sorce 
---
 install/share/kdc.conf.template  |   2 +-
 install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++
 install/share/profiles/Makefile.am   |   1 +
 ipaclient/install/client.py  |   2 +-
 ipalib/install/certmonger.py |  43 +++
 ipaplatform/base/paths.py|   3 +-
 ipapython/dogtag.py  |   4 +
 ipaserver/install/cainstance.py  |   2 +-
 ipaserver/install/certs.py   |  10 ++-
 ipaserver/install/dsinstance.py  |   2 +-
 ipaserver/install/httpinstance.py|   2 +-
 ipaserver/install/krbinstance.py |  47 +---
 ipaserver/install/server/__init__.py |   4 +-
 ipaserver/install/server/install.py  |  21 +++---
 ipaserver/install/server/replicainstall.py   |   4 +-
 ipaserver/plugins/cert.py|  77 +++
 ipaserver/plugins/dogtag.py  |   2 +
 17 files changed, 272 insertions(+), 63 deletions(-)
 create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg

diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template
index 296b75b..ec53a1f 100644
--- a/install/share/kdc.conf.template
+++ b/install/share/kdc.conf.template
@@ -12,6 +12,6 @@
   dict_file = $DICT_WORDS
   default_principal_flags = +preauth
 ;  admin_keytab = $KRB5KDC_KADM5_KEYTAB
-  pkinit_identity = FILE:$KDC_PEM
+  pkinit_identity = FILE:$KDC_CERT,$KDC_KEY
   pkinit_anchors = FILE:$CACERT_PEM
  }
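Review bot: the template now expects two substitution variables, `$KDC_CERT` and `$KDC_KEY`, in place of `$KDC_PEM`, but the diffstat above touches no upgrade code, so an already-deployed kdc.conf keeps its old `pkinit_identity = FILE:` line and never picks up the new certificate after the package update; the renderer change in krbinstance.py and an upgrade step that rewrites this line and restarts the KDC should land together. Since the private key now lives in its own file rather than in the combined PEM, the installer should also create `$KDC_KEY` with restrictive permissions so only the KDC process can read it.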
diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg
new file mode 100644
index 000..c5e412b
--- /dev/null
+++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg
@@ -0,0 +1,109 @@
+profileId=KDCs_PKINIT_Certs
+classId=caEnrollImpl
+desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=raCertAuth
+name=IPA-RA Agent-Authenticated Server Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=740
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=731
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5
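Review bot: `desc` and `name` still read "server certificates with IPA-RA agent authentication" / "IPA-RA Agent-Authenticated Server Certificate Enrollment", evidently carried over from the service certificate profile, while `profileId` is `KDCs_PKINIT_Certs`; the description should say that this profile issues KDC PKINIT certificates so an administrator listing CA profiles can tell the two apart. It also uses the same `raCertAuth` authentication and the same loose subject pattern `CN=[^,]+,.+` as the service-cert profile, and a certificate from this profile is what clients will trust as the KDC's PKINIT identity, so the request path that selects it must stay restricted to the KDC enrollment step rather than being reachable from an ordinary service-certificate request.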

[Freeipa-devel] [freeipa PR#62][synchronized] Configure Anonymous PKINIT on server install

2016-12-07 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/62
Author: simo5
 Title: #62: Configure Anonymous PKINIT on server install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/62/head:pr62
git checkout pr62
From 7bab75c3bdd59b16879c0f48f7293deb495666d9 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Tue, 26 Jul 2016 11:19:01 -0400
Subject: [PATCH] Configure Anonymous PKINIT on server install

Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST
authentication (necessary for 2FA for example) using an anonymous krbtgt
obtained via Pkinit.

https://fedorahosted.org/freeipa/ticket/5678

Signed-off-by: Simo Sorce 
---
 install/share/kdc.conf.template  |   2 +-
 install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++
 install/share/profiles/Makefile.am   |   1 +
 ipaclient/install/client.py  |   2 +-
 ipalib/install/certmonger.py |  43 +++
 ipaplatform/base/paths.py|   3 +-
 ipapython/dogtag.py  |   4 +
 ipaserver/install/cainstance.py  |   2 +-
 ipaserver/install/certs.py   |  10 ++-
 ipaserver/install/dsinstance.py  |   2 +-
 ipaserver/install/httpinstance.py|   2 +-
 ipaserver/install/krbinstance.py |  52 +
 ipaserver/install/server/__init__.py |   4 +-
 ipaserver/install/server/install.py  |  21 +++---
 ipaserver/install/server/replicainstall.py   |   4 +-
 ipaserver/install/server/upgrade.py  |  19 +
 ipaserver/plugins/cert.py|  80 +++-
 ipaserver/plugins/dogtag.py  |   2 +
 18 files changed, 293 insertions(+), 69 deletions(-)
 create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg

diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template
index 296b75b..ec53a1f 100644
--- a/install/share/kdc.conf.template
+++ b/install/share/kdc.conf.template
@@ -12,6 +12,6 @@
   dict_file = $DICT_WORDS
   default_principal_flags = +preauth
 ;  admin_keytab = $KRB5KDC_KADM5_KEYTAB
-  pkinit_identity = FILE:$KDC_PEM
+  pkinit_identity = FILE:$KDC_CERT,$KDC_KEY
   pkinit_anchors = FILE:$CACERT_PEM
  }
diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg
new file mode 100644
index 000..c5e412b
--- /dev/null
+++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg
@@ -0,0 +1,109 @@
+profileId=KDCs_PKINIT_Certs
+classId=caEnrollImpl
+desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=raCertAuth
+name=IPA-RA Agent-Authenticated Server Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=740
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=731
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5

[Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install

2016-12-07 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/62
Title: #62: Configure Anonymous PKINIT on server install

simo5 commented:
"""
@martbab your concerns should be addressed in this revision
I also started adding upgrade code, but it is still not fully tested.
In the process I locally get 2 pylint errors about the hostname property used 
on 2 out of 3 Principal() objects in cert.py, I am sorta baffled at why that 
is, but it is late here, so I decided to push the code and see if anyone has an 
idea.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/62#issuecomment-265598252

[Freeipa-devel] [freeipa PR#206][synchronized] Properly handle multiple cookies in rpcclient

2016-12-08 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/206
Author: simo5
 Title: #206: Properly handle multiple cookies in rpcclient
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/206/head:pr206
git checkout pr206
From 9f44fac9f07b727711809bbae0d27ebd149a855a Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Tue, 1 Nov 2016 14:59:12 -0400
Subject: [PATCH 1/2] Properly handle multiple cookies in rpcclient

Signed-off-by: Simo Sorce 
---
 ipalib/rpc.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index bd13251..dc63dc3 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -721,7 +721,7 @@ def store_session_cookie(self, cookie_header):
 pass
 
 def parse_response(self, response):
-self.store_session_cookie(response.getheader('Set-Cookie'))
+self.store_session_cookie(response.msg.getheaders('Set-Cookie'))
 return SSLTransport.parse_response(self, response)
 
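Review bot: `response.msg.getheaders('Set-Cookie')` exists only on Python 2's `httplib.HTTPMessage`; under Python 3 `response.msg` is an `email.message.Message` subclass whose equivalent is `get_all('Set-Cookie')`, so this line breaks the RPC client on Python 3 unless it is guarded (for example call `get_all` when present and fall back to `getheaders`). Note the two return different "no such header" values, `[]` on Python 2 and `None` on Python 3, so `store_session_cookie` must accept both.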
 

From 8bb4abb782a7e1e20332969a9f1a72dfc5187582 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Fri, 30 Sep 2016 16:17:31 -0400
Subject: [PATCH 2/2] Properly handle multiple cookies in rpc lib.

Signed-off-by: Simo Sorce 
---
 ipalib/rpc.py | 14 +++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index dc63dc3..bd25e6f 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -699,12 +699,20 @@ def store_session_cookie(self, cookie_header):
 
 principal = getattr(context, 'principal', None)
 request_url = getattr(context, 'request_url', None)
-root_logger.debug("received Set-Cookie '%s'", cookie_header)
+root_logger.debug("received Set-Cookie (%s)'%s'", type(cookie_header),
+  cookie_header)
+
+if not isinstance(cookie_header, list):
+cookie_header = [cookie_header]
 
 # Search for the session cookie
 try:
-session_cookie = Cookie.get_named_cookie_from_string(cookie_header,
- COOKIE_NAME, request_url)
+for cookie in cookie_header:
+session_cookie = \
+Cookie.get_named_cookie_from_string(cookie, COOKIE_NAME,
+request_url)
+if session_cookie is not None:
+break
 except Exception as e:
 root_logger.error("unable to parse cookie header '%s': %s", cookie_header, e)
 return
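Review bot: `session_cookie` is left unbound when `cookie_header` is an empty list, because the `for` loop body is now its only assignment in this hunk; `getheaders()` returns `[]` when the response carried no Set-Cookie header, so the loop runs zero times and any later read of `session_cookie` raises UnboundLocalError instead of the quiet return the old single-assignment code gave. Initialise `session_cookie = None` just before the `for cookie in cookie_header:` line, and keep an early `if not cookie_header: return` ahead of the list wrap so a `None` header is not turned into `[None]` and logged as a parse error.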

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2016-12-08 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
@pspacek I added workflows to the Design page, please verify
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-265734321

[Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA

2016-12-08 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA

simo5 commented:
"""
@stlaz, SHA-1 DOES NOT add entropy at all, you need the right number of bits in 
INPUT for whatever transformation you use.
@mbasti-rh in what way FIPS is incompatible with base64 encoding ?
@stlaz, spaces may cause issues in some places where passwords are stored in 
files or passed (annoyingly) as shell arguments, so it is safer to avoid them in 
the final output, and given the way the code deals with space that would also 
simplify the random generator and avoid the bias on 1st and last character of 
the password.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/317#issuecomment-265752256

[Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA

2016-12-08 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA

simo5 commented:
"""
We may need a max length argument if we are dealing with some stuff that has 
issues with more than max length characters ... In that case we can warn (or 
raise, we'll have to decide) not enough entropy will be available if max length 
is not sufficient to hold the desired entropy.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/317#issuecomment-265762543

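The three points made in the #317 comments above (a hash or encoding never adds entropy, spaces and post-hoc trimming bias the output, and a maximum length must be checked against the entropy budget) as one worked generator. This is an added example, not FreeIPA's password code from the PR; the alphabet and the 128-bit default are this example's own choices.

```python
import math
import secrets
import string

# Constructed alphabet for this example: letters, digits and punctuation,
# deliberately without the space character, which the discussion flags as
# unsafe when passwords land in files or shell arguments.
ALPHABET = string.ascii_letters + string.digits + "!#$%&()*+,-./:;<=>?@[]^_{|}~"


def entropy_bits(length, alphabet_size):
    """Entropy of `length` symbols drawn uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def entropy_after_transform(input_bits, output_bits):
    """A deterministic transform (SHA-1, base64, ...) can at best preserve
    entropy; the output carries min(input entropy, output size) bits.
    Hashing a 40-bit secret yields a 160-bit string with 40 bits of entropy."""
    return min(input_bits, output_bits)


def length_for_entropy(bits, alphabet_size):
    """Smallest symbol count whose uniform draw carries at least `bits`."""
    return math.ceil(bits / math.log2(alphabet_size))


def fits_in_max_length(bits, alphabet_size, max_length):
    """True when `max_length` symbols from the alphabet can hold `bits`."""
    return length_for_entropy(bits, alphabet_size) <= max_length


def generate_password(bits=128, alphabet=ALPHABET, max_length=None):
    """Generate a password sized from an entropy budget.

    Raises ValueError when `max_length` cannot hold the requested entropy,
    the 'warn or raise' behaviour argued for in the comment above.
    """
    if len(set(alphabet)) != len(alphabet):
        raise ValueError("alphabet must not contain duplicate symbols")
    if any(ch.isspace() for ch in alphabet):
        raise ValueError("alphabet must not contain whitespace")
    size = len(alphabet)
    if max_length is not None and not fits_in_max_length(bits, size, max_length):
        raise ValueError("max_length %d holds at most %.1f bits, %d requested"
                         % (max_length, entropy_bits(max_length, size), bits))
    length = length_for_entropy(bits, size)
    # secrets.choice is uniform over the alphabet at every position and nothing
    # is stripped or substituted afterwards, so the first and last characters
    # have exactly the same distribution as the middle ones.
    return "".join(secrets.choice(alphabet) for _ in range(length))


def check_password(password, alphabet=ALPHABET, bits=128):
    """Verify a password uses only `alphabet` and is long enough for `bits`."""
    return (set(password) <= set(alphabet)
            and entropy_bits(len(password), len(alphabet)) >= bits)


if __name__ == "__main__":
    pw = generate_password(128)
    print(len(pw), "chars,", round(entropy_bits(len(pw), len(ALPHABET)), 1), "bits")
```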
[Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install

2016-12-08 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/62
Title: #62: Configure Anonymous PKINIT on server install

simo5 commented:
"""
@martbab sometimes you are blind to your own code ...
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/62#issuecomment-265795306

[Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install

2016-12-08 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/62
Title: #62: Configure Anonymous PKINIT on server install

simo5 commented:
"""
@abbra I have an idea of what it might be
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/62#issuecomment-265795485

[Freeipa-devel] [freeipa PR#62][synchronized] Configure Anonymous PKINIT on server install

2016-12-08 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/62
Author: simo5
 Title: #62: Configure Anonymous PKINIT on server install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/62/head:pr62
git checkout pr62
From 641691caf4ed92cec0bd076f3245c9456b8e9445 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Tue, 26 Jul 2016 11:19:01 -0400
Subject: [PATCH] Configure Anonymous PKINIT on server install

Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST
authentication (necessary for 2FA for example) using an anonymous krbtgt
obtained via Pkinit.

https://fedorahosted.org/freeipa/ticket/5678

Signed-off-by: Simo Sorce 
---
 install/share/kdc.conf.template  |   2 +-
 install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++
 install/share/profiles/Makefile.am   |   1 +
 ipaclient/install/client.py  |   2 +-
 ipalib/install/certmonger.py |  43 +++
 ipaplatform/base/paths.py|   3 +-
 ipapython/dogtag.py  |   4 +
 ipaserver/install/cainstance.py  |   2 +-
 ipaserver/install/certs.py   |  10 ++-
 ipaserver/install/dsinstance.py  |   2 +-
 ipaserver/install/httpinstance.py|   2 +-
 ipaserver/install/krbinstance.py |  52 +
 ipaserver/install/server/__init__.py |   4 +-
 ipaserver/install/server/install.py  |  21 +++---
 ipaserver/install/server/replicainstall.py   |   4 +-
 ipaserver/install/server/upgrade.py  |  20 +
 ipaserver/plugins/cert.py|  80 +++-
 ipaserver/plugins/dogtag.py  |   2 +
 18 files changed, 294 insertions(+), 69 deletions(-)
 create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg

diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template
index 296b75b..ec53a1f 100644
--- a/install/share/kdc.conf.template
+++ b/install/share/kdc.conf.template
@@ -12,6 +12,6 @@
   dict_file = $DICT_WORDS
   default_principal_flags = +preauth
 ;  admin_keytab = $KRB5KDC_KADM5_KEYTAB
-  pkinit_identity = FILE:$KDC_PEM
+  pkinit_identity = FILE:$KDC_CERT,$KDC_KEY
   pkinit_anchors = FILE:$CACERT_PEM
  }
diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg
new file mode 100644
index 000..c5e412b
--- /dev/null
+++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg
@@ -0,0 +1,109 @@
+profileId=KDCs_PKINIT_Certs
+classId=caEnrollImpl
+desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=raCertAuth
+name=IPA-RA Agent-Authenticated Server Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=740
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=731
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5

[Freeipa-devel] [freeipa PR#62][synchronized] Configure Anonymous PKINIT on server install

2016-12-08 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/62
Author: simo5
 Title: #62: Configure Anonymous PKINIT on server install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/62/head:pr62
git checkout pr62
From 13caff83b412cbc68073908f7a35214b9789f5e7 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Tue, 26 Jul 2016 11:19:01 -0400
Subject: [PATCH] Configure Anonymous PKINIT on server install

Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST
authentication (necessary for 2FA for example) using an anonymous krbtgt
obtained via Pkinit.

https://fedorahosted.org/freeipa/ticket/5678

Signed-off-by: Simo Sorce 
---
 install/share/kdc.conf.template  |   2 +-
 install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++
 install/share/profiles/Makefile.am   |   1 +
 ipaclient/install/client.py  |   2 +-
 ipalib/install/certmonger.py |  43 +++
 ipaplatform/base/paths.py|   3 +-
 ipapython/dogtag.py  |   4 +
 ipaserver/install/cainstance.py  |   2 +-
 ipaserver/install/certs.py   |  10 ++-
 ipaserver/install/dsinstance.py  |   2 +-
 ipaserver/install/httpinstance.py|   2 +-
 ipaserver/install/krbinstance.py |  53 +
 ipaserver/install/server/__init__.py |   4 +-
 ipaserver/install/server/install.py  |  21 +++---
 ipaserver/install/server/replicainstall.py   |   4 +-
 ipaserver/install/server/upgrade.py  |  20 +
 ipaserver/plugins/cert.py|  81 +++-
 ipaserver/plugins/dogtag.py  |   2 +
 18 files changed, 296 insertions(+), 69 deletions(-)
 create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg

diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template
index 296b75b..ec53a1f 100644
--- a/install/share/kdc.conf.template
+++ b/install/share/kdc.conf.template
@@ -12,6 +12,6 @@
   dict_file = $DICT_WORDS
   default_principal_flags = +preauth
 ;  admin_keytab = $KRB5KDC_KADM5_KEYTAB
-  pkinit_identity = FILE:$KDC_PEM
+  pkinit_identity = FILE:$KDC_CERT,$KDC_KEY
   pkinit_anchors = FILE:$CACERT_PEM
  }
diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg
new file mode 100644
index 000..c5e412b
--- /dev/null
+++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg
@@ -0,0 +1,109 @@
+profileId=KDCs_PKINIT_Certs
+classId=caEnrollImpl
+desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=raCertAuth
+name=IPA-RA Agent-Authenticated Server Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=740
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=731
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5

[Freeipa-devel] [freeipa PR#314][edited] RFC: privilege separation for ipa framework code

2016-12-08 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/314
Author: simo5
 Title: #314: RFC: privilege separation for ipa framework code
Action: edited

 Changed field: body
Original value:
"""
As part of the External Authentication work this PR implements the privilege 
separation portion of the design available here: 
https://www.freeipa.org/page/V4/External_Authentication and implements tickets: 
https://fedorahosted.org/freeipa/ticket/5959 and 
https://fedorahosted.org/freeipa/ticket/4189

The update process from an old server has not been implemented yet, so this is 
just an RFC request at this stage. Please look at the code and let me know if 
you notice any major issue with it so we can correct mistakes early.

This PR depends on improvements and fixes to two dependencies: mod_auth_gssapi 
and gssproxy, which are not released/accepted upstream yet (all PRs filed, and 
will be available soon).
In order to allow trying the code, I made two copr repos with the necessary 
changes available here:
- https://copr.fedorainfracloud.org/coprs/simo/mod_auth_gssapi/
- https://copr.fedorainfracloud.org/coprs/simo/gssproxy/

I tested a new install and both gssapi as well as password authentication work 
(via command line and web browser). I have not tested OTP authentication yet.

There are 2 fundamental changes in this code:
- the session handling code has been dropped in favor of deferring session 
handling to mod_auth_gssapi, simplifying the code greatly. As part of this 
change we stop using memcached.
- the framework configuration is changed to work as a different user from the 
Apache framework and depends on gssproxy in order to be able to access 
necessary credentials. (Apache itself is also using gssproxy and does not have 
direct access to the HTTP keytab.)
  This required two changes in the form-based authentication workflow:
  * The armor cache is obtained via anonymous pkinit as we do not have access 
anymore to the HTTP keytab. This means this PR depends on #62 (until it is 
accepted commits from that PR are in this PR)
  * The actual authentication is done via a loopback HTTP request to apache 
after we obtain a TGT, this is done in order to obtain a session cookie from 
mod_auth_gssapi as well as to be able to immediately discard the TGT and just 
keep the HTTP ticket instead.

@jcholast @pvoborni Please provide comments on the framework changes.
@rcritten @abbra do you have ideas on how to deal with dropping a service 
(memcached) on upgrade ?
"""


[Freeipa-devel] [freeipa PR#62][synchronized] Configure Anonymous PKINIT on server install

2016-12-08 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/62
Author: simo5
 Title: #62: Configure Anonymous PKINIT on server install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/62/head:pr62
git checkout pr62
From ab5bf9168c5d76f69527429092a31f676d4b3e23 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Tue, 26 Jul 2016 11:19:01 -0400
Subject: [PATCH] Configure Anonymous PKINIT on server install

Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST
authentication (necessary for 2FA for example) using an anonymous krbtgt
obtained via Pkinit.

https://fedorahosted.org/freeipa/ticket/5678

Signed-off-by: Simo Sorce 
---
 install/share/kdc.conf.template  |   2 +-
 install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++
 install/share/profiles/Makefile.am   |   1 +
 ipaclient/install/client.py  |   2 +-
 ipalib/install/certmonger.py |  43 +++
 ipaplatform/base/paths.py|   3 +-
 ipapython/dogtag.py  |   4 +
 ipaserver/install/cainstance.py  |   2 +-
 ipaserver/install/certs.py   |  10 ++-
 ipaserver/install/dsinstance.py  |   2 +-
 ipaserver/install/httpinstance.py|   2 +-
 ipaserver/install/krbinstance.py |  63 
 ipaserver/install/server/__init__.py |   4 +-
 ipaserver/install/server/install.py  |  21 +++---
 ipaserver/install/server/replicainstall.py   |   4 +-
 ipaserver/install/server/upgrade.py  |  36 +
 ipaserver/plugins/cert.py|  86 -
 ipaserver/plugins/dogtag.py  |   2 +
 18 files changed, 327 insertions(+), 69 deletions(-)
 create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg

diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template
index 296b75b..ec53a1f 100644
--- a/install/share/kdc.conf.template
+++ b/install/share/kdc.conf.template
@@ -12,6 +12,6 @@
   dict_file = $DICT_WORDS
   default_principal_flags = +preauth
 ;  admin_keytab = $KRB5KDC_KADM5_KEYTAB
-  pkinit_identity = FILE:$KDC_PEM
+  pkinit_identity = FILE:$KDC_CERT,$KDC_KEY
   pkinit_anchors = FILE:$CACERT_PEM
  }
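Review bot: the new `pkinit_identity = FILE:$KDC_CERT,$KDC_KEY` line introduces two template variables that did not exist before, so every code path that renders this template (per the diffstat, krbinstance.py and upgrade.py) must now substitute both; if either is left out, the literal `$KDC_CERT`/`$KDC_KEY` lands in kdc.conf and the KDC comes up without a usable PKINIT identity. Since the private key now lives in its own file rather than in the combined `$KDC_PEM`, the install and upgrade code should also set that file's ownership and mode so only the KDC can read it.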
diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg
new file mode 100644
index 000..c5e412b
--- /dev/null
+++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg
@@ -0,0 +1,109 @@
+profileId=KDCs_PKINIT_Certs
+classId=caEnrollImpl
+desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=raCertAuth
+name=IPA-RA Agent-Authenticated Server Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=740
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=731
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5
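Review bot: `desc=` and `name=` in the new profile still say "server certificates with IPA-RA agent authentication" and "IPA-RA Agent-Authenticated Server Certificate Enrollment", which look copied from the service-certificate profile; with `profileId=KDCs_PKINIT_Certs` both strings should describe KDC PKINIT certificates so the profile is identifiable in the CA's profile list. Also, `policyset.serverCertSet.list` declares entries 1 through 11 but only 1 through 5 are visible here, so the KDC-specific extension defaults in entries 6 through 11 need to be checked in the full file.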

[Freeipa-devel] [freeipa PR#62][synchronized] Configure Anonymous PKINIT on server install

2016-12-09 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/62
Author: simo5
 Title: #62: Configure Anonymous PKINIT on server install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/62/head:pr62
git checkout pr62
From 5b287769a8bae661d05d20c041047c89a582056b Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Tue, 26 Jul 2016 11:19:01 -0400
Subject: [PATCH] Configure Anonymous PKINIT on server install

Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST
authentication (necessary for 2FA for example) using an anonymous krbtgt
obtained via Pkinit.

https://fedorahosted.org/freeipa/ticket/5678

Signed-off-by: Simo Sorce 
---
 install/share/kdc.conf.template  |   2 +-
 install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++
 install/share/profiles/Makefile.am   |   1 +
 ipaclient/install/client.py  |   2 +-
 ipalib/install/certmonger.py |  43 +++
 ipaplatform/base/paths.py|   3 +-
 ipapython/dogtag.py  |   4 +
 ipaserver/install/cainstance.py  |   2 +-
 ipaserver/install/certs.py   |  10 ++-
 ipaserver/install/dsinstance.py  |   2 +-
 ipaserver/install/httpinstance.py|   2 +-
 ipaserver/install/krbinstance.py |  63 
 ipaserver/install/server/__init__.py |   4 +-
 ipaserver/install/server/install.py  |  21 +++---
 ipaserver/install/server/replicainstall.py   |   4 +-
 ipaserver/install/server/upgrade.py  |  35 +
 ipaserver/plugins/cert.py|  86 -
 ipaserver/plugins/dogtag.py  |   2 +
 18 files changed, 326 insertions(+), 69 deletions(-)
 create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg

diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template
index 296b75b..ec53a1f 100644
--- a/install/share/kdc.conf.template
+++ b/install/share/kdc.conf.template
@@ -12,6 +12,6 @@
   dict_file = $DICT_WORDS
   default_principal_flags = +preauth
 ;  admin_keytab = $KRB5KDC_KADM5_KEYTAB
-  pkinit_identity = FILE:$KDC_PEM
+  pkinit_identity = FILE:$KDC_CERT,$KDC_KEY
   pkinit_anchors = FILE:$CACERT_PEM
  }
diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg
new file mode 100644
index 000..c5e412b
--- /dev/null
+++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg
@@ -0,0 +1,109 @@
+profileId=KDCs_PKINIT_Certs
+classId=caEnrollImpl
+desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=raCertAuth
+name=IPA-RA Agent-Authenticated Server Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=740
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=731
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5

[Freeipa-devel] [freeipa PR#62][synchronized] Configure Anonymous PKINIT on server install

2016-12-09 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/62
Author: simo5
 Title: #62: Configure Anonymous PKINIT on server install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/62/head:pr62
git checkout pr62
From eba8fa467c3bd8a9b4378edd0c4d14a1e616cebb Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Tue, 26 Jul 2016 11:19:01 -0400
Subject: [PATCH] Configure Anonymous PKINIT on server install

Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST
authentication (necessary for 2FA for example) using an anonymous krbtgt
obtained via Pkinit.

https://fedorahosted.org/freeipa/ticket/5678

Signed-off-by: Simo Sorce 
---
 install/share/kdc.conf.template  |   2 +-
 install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++
 install/share/profiles/Makefile.am   |   1 +
 ipaclient/install/client.py  |   2 +-
 ipalib/install/certmonger.py |  43 +++
 ipaplatform/base/paths.py|   3 +-
 ipapython/dogtag.py  |   4 +
 ipaserver/install/cainstance.py  |   2 +-
 ipaserver/install/certs.py   |  10 ++-
 ipaserver/install/dsinstance.py  |   2 +-
 ipaserver/install/httpinstance.py|   2 +-
 ipaserver/install/krbinstance.py |  62 +++
 ipaserver/install/server/__init__.py |   4 +-
 ipaserver/install/server/install.py  |  21 +++---
 ipaserver/install/server/replicainstall.py   |   4 +-
 ipaserver/install/server/upgrade.py  |  35 +
 ipaserver/plugins/cert.py|  86 -
 ipaserver/plugins/dogtag.py  |   2 +
 18 files changed, 325 insertions(+), 69 deletions(-)
 create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg

diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template
index 296b75b..ec53a1f 100644
--- a/install/share/kdc.conf.template
+++ b/install/share/kdc.conf.template
@@ -12,6 +12,6 @@
   dict_file = $DICT_WORDS
   default_principal_flags = +preauth
 ;  admin_keytab = $KRB5KDC_KADM5_KEYTAB
-  pkinit_identity = FILE:$KDC_PEM
+  pkinit_identity = FILE:$KDC_CERT,$KDC_KEY
   pkinit_anchors = FILE:$CACERT_PEM
  }
diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg
new file mode 100644
index 000..c5e412b
--- /dev/null
+++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg
@@ -0,0 +1,109 @@
+profileId=KDCs_PKINIT_Certs
+classId=caEnrollImpl
+desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=raCertAuth
+name=IPA-RA Agent-Authenticated Server Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=740
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=731
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5

[Freeipa-devel] [freeipa PR#62][synchronized] Configure Anonymous PKINIT on server install

2016-12-12 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/62
Author: simo5
 Title: #62: Configure Anonymous PKINIT on server install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/62/head:pr62
git checkout pr62
From dcda82da3ca6f6adac0f09d00df2aec3cc660817 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Tue, 26 Jul 2016 11:19:01 -0400
Subject: [PATCH] Configure Anonymous PKINIT on server install

Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST
authentication (necessary for 2FA for example) using an anonymous krbtgt
obtained via Pkinit.

https://fedorahosted.org/freeipa/ticket/5678

Signed-off-by: Simo Sorce 
---
 install/share/kdc.conf.template  |   2 +-
 install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++
 install/share/profiles/Makefile.am   |   1 +
 ipaclient/install/client.py  |   2 +-
 ipalib/install/certmonger.py |  43 +++
 ipaplatform/base/paths.py|   3 +-
 ipapython/dogtag.py  |   4 +
 ipaserver/install/cainstance.py  |   2 +-
 ipaserver/install/certs.py   |  10 ++-
 ipaserver/install/dsinstance.py  |   2 +-
 ipaserver/install/httpinstance.py|   2 +-
 ipaserver/install/krbinstance.py |  62 +++
 ipaserver/install/server/__init__.py |   4 +-
 ipaserver/install/server/install.py  |  21 +++---
 ipaserver/install/server/replicainstall.py   |   4 +-
 ipaserver/install/server/upgrade.py  |  35 +
 ipaserver/plugins/cert.py|  86 -
 ipaserver/plugins/dogtag.py  |   2 +
 18 files changed, 325 insertions(+), 69 deletions(-)
 create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg

diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template
index 296b75b..ec53a1f 100644
--- a/install/share/kdc.conf.template
+++ b/install/share/kdc.conf.template
@@ -12,6 +12,6 @@
   dict_file = $DICT_WORDS
   default_principal_flags = +preauth
 ;  admin_keytab = $KRB5KDC_KADM5_KEYTAB
-  pkinit_identity = FILE:$KDC_PEM
+  pkinit_identity = FILE:$KDC_CERT,$KDC_KEY
   pkinit_anchors = FILE:$CACERT_PEM
  }
diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg
new file mode 100644
index 000..c5e412b
--- /dev/null
+++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg
@@ -0,0 +1,109 @@
+profileId=KDCs_PKINIT_Certs
+classId=caEnrollImpl
+desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=raCertAuth
+name=IPA-RA Agent-Authenticated Server Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=740
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=731
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5

[Freeipa-devel] [freeipa PR#335][opened] Add compatibility code to retrieve headers

2016-12-14 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/335
Author: simo5
 Title: #335: Add compatibility code to retrieve headers
Action: opened

PR body:
"""
The recent fixes for getting cookies from headers broke python3.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/335/head:pr335
git checkout pr335
From a118d6f3dcd31102e0f5e5b6a0c962b811290bfb Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Wed, 14 Dec 2016 06:20:15 -0500
Subject: [PATCH] Add compatibility code to retrieve headers

Python3 removed the getheaders() function and replaced it with a
get_all() one. Add compat code.

https://fedorahosted.org/freeipa/ticket/6558

Signed-off-by: Simo Sorce 
---
 ipalib/rpc.py | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index bd25e6f..921f5cb 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -729,7 +729,11 @@ def store_session_cookie(self, cookie_header):
 pass
 
 def parse_response(self, response):
-self.store_session_cookie(response.msg.getheaders('Set-Cookie'))
+if six.PY2:
+header = response.msg.getheaders('Set-Cookie')
+else:
+header = response.msg.get_all('Set-Cookie')
+self.store_session_cookie(header)
 return SSLTransport.parse_response(self, response)
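Review bot: `response.msg.get_all('Set-Cookie')` returns None when no Set-Cookie header is present, whereas the Python 2 `getheaders()` call returned an empty list, so `store_session_cookie()` must now tolerate None or the branch should supply the fallback itself: `header = response.msg.get_all('Set-Cookie', [])`. Also confirm that `six` is already imported in ipalib/rpc.py, since the hunk adds a use of `six.PY2` without adding an import.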
 
 

[Freeipa-devel] [freeipa PR#345][comment] ipa-kdb: search for password policies globally

2016-12-16 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/345
Title: #345: ipa-kdb: search for password policies globally

simo5 commented:
"""
I know this is already closed but NACK.
The problem here is in searching "base"; this means ending up searching also in things like slapi-nis.
We need to change the code to search in cn=REALM, and, if that fails, search 
again in cn=accounts.

I do not know if we should revert or just patch on top.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/345#issuecomment-267571798

[Freeipa-devel] [freeipa PR#353][opened] [RFE] Pwdpolicy

2016-12-19 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/353
Author: simo5
 Title: #353: [RFE] Pwdpolicy
Action: opened

PR body:
"""
Untested but I am seeking feedback on the actual approach.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/353/head:pr353
git checkout pr353
From 32fd38be7f2d975feea1d98bf74568492e09e9b0 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Fri, 16 Dec 2016 07:12:45 -0500
Subject: [PATCH 1/2] Add code to retrieve results from multiple bases

Internally performs multiple searches as needed based on the basedn
strings passed in and whether the caller indicated that any result is ok
or all results are needed.

Signed-off-by: Simo Sorce 
---
 daemons/ipa-kdb/ipa_kdb.h|  10 
 daemons/ipa-kdb/ipa_kdb_common.c | 103 +++
 2 files changed, 113 insertions(+)

diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index 1fdb409..e1f46c6 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -174,6 +174,16 @@ int ipadb_ldap_attr_has_value(LDAP *lcontext, LDAPMessage *le,
 int ipadb_ldap_deref_results(LDAP *lcontext, LDAPMessage *le,
  LDAPDerefRes **results);
 
+struct ipadb_multires;
+krb5_error_code ipadb_multires_init(LDAP *lcontext, struct ipadb_multires **r);
+void ipadb_multires_free(struct ipadb_multires *r);
+LDAPMessage *ipadb_multires_next_entry(struct ipadb_multires *r);
+krb5_error_code ipadb_multibase_search(struct ipadb_context *ipactx,
+   char **basedns, int scope,
+   char *filter, char **attrs,
+   struct ipadb_multires **res,
+   bool any);
+
 /* PRINCIPALS FUNCTIONS */
 krb5_error_code ipadb_get_principal(krb5_context kcontext,
 krb5_const_principal search_for,
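Review bot: the `any` parameter of `ipadb_multibase_search()` is only explained in the commit message; add a comment at the prototype stating that true stops at the first base that returns entries while false collects results from all bases, and that the caller owns `*res` and must release it with `ipadb_multires_free()` whatever the return code.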
diff --git a/daemons/ipa-kdb/ipa_kdb_common.c b/daemons/ipa-kdb/ipa_kdb_common.c
index 7438f35..32bcf5c 100644
--- a/daemons/ipa-kdb/ipa_kdb_common.c
+++ b/daemons/ipa-kdb/ipa_kdb_common.c
@@ -610,3 +610,106 @@ int ipadb_ldap_deref_results(LDAP *lcontext, LDAPMessage *le,
 ldap_controls_free(ctrls);
 return ret;
 }
+
+struct ipadb_multires {
+LDAP *lcontext;
+LDAPMessage **res;
+LDAPMessage *next;
+ssize_t cursor;
+size_t count;
+};
+
+krb5_error_code ipadb_multires_init(LDAP *lcontext, struct ipadb_multires **r)
+{
+*r = malloc(sizeof(struct ipadb_multires));
+if (!*r) return ENOMEM;
+(*r)->lcontext = lcontext;
+(*r)->res = NULL;
+(*r)->next = NULL;
+(*r)->cursor = -1;
+(*r)->count = 0;
+
+return 0;
+}
+
+void ipadb_multires_free(struct ipadb_multires *r)
+{
+for (int i = 0; i < r->count; i++) {
+ldap_msgfree(r->res[i]);
+}
+free(r);
+}
+
+LDAPMessage *ipadb_multires_next_entry(struct ipadb_multires *r)
+{
+if (r->count == 0) return NULL;
+
+if (r->next) {
+r->next = ldap_next_entry(r->lcontext, r->next);
+}
+if (r->next == NULL) {
+if (r->cursor >= r->count - 1) {
+return NULL;
+}
+r->cursor++;
+r->next = ldap_first_entry(r->lcontext, r->res[r->cursor]);
+}
+
+return r->next;
+}
+
+krb5_error_code ipadb_multibase_search(struct ipadb_context *ipactx,
+   char **basedns, int scope,
+   char *filter, char **attrs,
+   struct ipadb_multires **res,
+   bool any)
+{
+int ret;
+
+ret = ipadb_multires_init(ipactx->lcontext, res);
+if (ret != 0) return ret;
+
+ret = ipadb_check_connection(ipactx);
+if (ret != 0)
+return ipadb_simple_ldap_to_kerr(ret);
+
+for (int b = 0; basedns[b]; b++) {
+LDAPMessage *r;
+ret = ldap_search_ext_s(ipactx->lcontext, basedns[b], scope,
+filter, attrs, 0, NULL, NULL,
+&std_timeout, LDAP_NO_LIMIT, &r);
+
+/* first test if we need to retry to connect */
+if (ret != 0 &&
+ipadb_need_retry(ipactx, ret)) {
+ldap_msgfree(r);
+ret = ldap_search_ext_s(ipactx->lcontext, basedns[b], scope,
+filter, attrs, 0, NULL, NULL,
+&std_timeout, LDAP_NO_LIMIT, &r);
+}
+
+if (ret != 0) break;
+
+if (ldap_count_entries(ipactx->lcontext, r) > 0) {
+void *tmp = realloc((*res)->res, (((*res)->count + 1) *
+sizeof(LDAPMessage *)));
+if (tmp == NULL) {
+ret = ENOMEM;
+break;
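Review bot: `ipadb_multires_next_entry()` never returns an entry: `cursor` is `ssize_t` (initialised to -1) and `count` is `size_t`, so in `if (r->cursor >= r->count - 1)` the -1 is converted to SIZE_MAX and the test is always true on the first call. Compare in signed arithmetic, e.g. `if (r->cursor + 1 >= (ssize_t)r->count) return NULL;`, or give both fields the same type. Two smaller points: `ipadb_multires_free()` frees each message but never the `r->res` array itself, and `ipadb_multibase_search()` allocates `*res` before `ipadb_check_connection()` and then returns an error without freeing it, so a caller that skips cleanup on error leaks.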
+  

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2016-12-19 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
I think this code is ready to be included.
I am still playing with a minor change in mod_auth_gssapi, but that can also go 
in later.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-267997245

[Freeipa-devel] [freeipa PR#358][opened] Use the tar Posix option for tarballs

2016-12-20 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/358
Author: simo5
 Title: #358: Use the tar Posix option for tarballs
Action: opened

PR body:
"""
This is necessary to be able to successfully build archives in
environments controlled by an IPA domain which may have large uidNumbers
for user accounts.

https://fedorahosted.org/freeipa/ticket/6418

Signed-off-by: Simo Sorce 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/358/head:pr358
git checkout pr358
From 7de8f35af79f1a3a767b88418d5ad0a01d4bbc99 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Tue, 20 Dec 2016 12:46:33 -0500
Subject: [PATCH] Use the tar Posix option for tarballs

This is necessary to be able to successfully build archives in
environments controlled by an IPA domain which may have large uidNumbers
for user accounts.

https://fedorahosted.org/freeipa/ticket/6418

Signed-off-by: Simo Sorce 
---
 configure.ac | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/configure.ac b/configure.ac
index 3ea5983..e8a4701 100644
--- a/configure.ac
+++ b/configure.ac
@@ -15,7 +15,7 @@ esac
 
 AC_CONFIG_HEADERS([config.h])
 
-AM_INIT_AUTOMAKE([foreign 1.9 tar-ustar])
+AM_INIT_AUTOMAKE([foreign 1.9 tar-pax])
 m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES])
 
 AC_PROG_CC_C99
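Review bot: the switch from `tar-ustar` to `tar-pax` is the right fix, but the commit message should state why: the ustar header stores uid and gid in a 7-digit octal field, so ids above 2097151 cannot be archived, while pax carries larger values in extended headers. Nothing else in the hunk changes behaviour.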

[Freeipa-devel] [freeipa PR#358][synchronized] Use the tar Posix option for tarballs

2016-12-21 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/358
Author: simo5
 Title: #358: Use the tar Posix option for tarballs
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/358/head:pr358
git checkout pr358
From 038be681136f06be3bc5e6f76ee9a71e201b2d9b Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Tue, 20 Dec 2016 12:46:33 -0500
Subject: [PATCH] Use the tar Posix option for tarballs

This is necessary to be able to successfully build archives in
environments controlled by an IPA domain which may have large uidNumbers
for user accounts.

tar-ustar allows UID/GID numbers only up to 2 million and by default a
new IPA installation can assign UIDs in the billion range.

https://fedorahosted.org/freeipa/ticket/6418

Signed-off-by: Simo Sorce 
---
 configure.ac | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/configure.ac b/configure.ac
index 3ea5983..e8a4701 100644
--- a/configure.ac
+++ b/configure.ac
@@ -15,7 +15,7 @@ esac
 
 AC_CONFIG_HEADERS([config.h])
 
-AM_INIT_AUTOMAKE([foreign 1.9 tar-ustar])
+AM_INIT_AUTOMAKE([foreign 1.9 tar-pax])
 m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES])
 
 AC_PROG_CC_C99
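An added example, not part of the FreeIPA patch or its author's work, that reproduces the ustar limit the commit message describes using Python's tarfile module; the sample uidNumber is a constructed value and the tar formats are selected by the names automake uses for its options.

```python
# Added example, not part of the FreeIPA patch: reproduce the ustar uid-field
# overflow that the commit message describes, using Python's tarfile module,
# and show that the pax format (what automake's tar-pax selects) stores the
# same uid without trouble.
import io
import tarfile

# A ustar header keeps uid and gid in an 8-byte field: 7 octal digits plus a
# terminator, so the largest id it can hold is 0o7777777 = 2097151.
USTAR_MAX_ID = 8 ** 7 - 1

# Constructed sample value: an id in the billion range, as a default IPA
# install assigns from its randomly chosen ID range.
SAMPLE_IPA_UID = 1_900_000_000

# Tar formats under test, keyed by the name automake uses for the option.
FORMATS = {
    "ustar": tarfile.USTAR_FORMAT,
    "pax": tarfile.PAX_FORMAT,
}


def fits_ustar(uid):
    """True if uid can be written into a plain ustar header field."""
    return 0 <= uid <= USTAR_MAX_ID


def pack_member(uid, fmt_name):
    """Write one empty file owned by uid/gid into an in-memory archive.

    Returns the archive bytes, or None when the format cannot encode the id
    (tarfile raises ValueError "overflow in number field" for ustar, the
    Python counterpart of GNU tar refusing the id during `make dist`).
    """
    buf = io.BytesIO()
    try:
        with tarfile.open(fileobj=buf, mode="w", format=FORMATS[fmt_name]) as tar:
            info = tarfile.TarInfo(name="freeipa-src/README")
            info.uid = uid
            info.gid = uid
            info.size = 0
            tar.addfile(info, io.BytesIO(b""))
    except ValueError:
        return None
    return buf.getvalue()


def read_back_ids(archive):
    """Return (uid, gid) recorded for the first member of an archive."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        member = tar.getmembers()[0]
        return member.uid, member.gid


if __name__ == "__main__":
    for fmt_name in FORMATS:
        data = pack_member(SAMPLE_IPA_UID, fmt_name)
        if data is None:
            print(f"{fmt_name}: cannot encode uid {SAMPLE_IPA_UID}")
        else:
            print(f"{fmt_name}: ids read back as {read_back_ids(data)}")
```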

[Freeipa-devel] [freeipa PR#358][comment] Use the tar Posix option for tarballs

2016-12-21 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/358
Title: #358: Use the tar Posix option for tarballs

simo5 commented:
"""
Amended
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/358#issuecomment-268507057

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-03 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
Why is dogtag-ipa-renew-agent-submit part of the certmonger package?
And how do we fix it now?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-270163719

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-04 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
Rebased on master and fixed a couple minor lint issues
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-270394337

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-05 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
I switched all endpoints to use GSSAPI (and transparently use a session cookie 
once one transaction is successful), so there may be some parts of the code a 
bit surprised about it. Do you have apache logs to share that show the 
problem? (enabling ipa debug would probably help too)
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-270654342

[Freeipa-devel] [freeipa PR#381][comment] disable hostname canonicalization by Kerberos library

2017-01-11 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/381
Title: #381: disable hostname canonicalization by Kerberos library

simo5 commented:
"""
@martbab this change actually improves security by avoiding a DNS lookup that 
could be manipulated by an attacker, however it also means some setups may 
break, because they depend on canonicalization to actually get the correct 
name, and should be documented in release notes.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/381#issuecomment-271875472

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-12 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
Thanks @HonzaCholasta I already fixed the service thing but didn't push as I 
started getting another error on install, but before I fix that I am working 
on releasing gssproxy where we are hitting another heisenbug just in the 
testing suite (works as expected when installed).
On the ldapi error I have seen it too during development, for a period I was 
getting it every time once on install i.e.:
install, play, uninstall, install, Error!, uninstall, install, play ...
So I had to install - uninstall - reinstall for each test, but it had 
disappeared for a while.
It seems like some uninstall snag to me, if I can find some info on why it 
occurs I'll open a bug (or fix it if it is due to my code changes).
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-272171891

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-19 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
I cannot get a replica install to fail like you did, can you post some logs?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-273891819

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-23 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
The latest rebase installs a replica correctly here, haven't got to fix ca-less 
yet, but everything else should be ready to go.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-274577459

[Freeipa-devel] [freeipa PR#410][comment] ipa-kdb: support KDB DAL version 6.1

2017-01-24 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/410
Title: #410: ipa-kdb: support KDB DAL version 6.1

simo5 commented:
"""
abbra, we should also change how spec deps work.
I asked @rharwood to add a provides that is the DAL version number;
we should stop having a dep on the krb5 major version number and instead have a 
dependency on this provide.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/410#issuecomment-274806881

[Freeipa-devel] [freeipa PR#410][comment] ipa-kdb: support KDB DAL version 6.1

2017-01-24 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/410
Title: #410: ipa-kdb: support KDB DAL version 6.1

simo5 commented:
"""
Also I know you can use ifdefs to avoid copy-pasting large parts of the 
structure initialization but I would prefer 3 separate full inits based only on 
ifdefs on the DAL version numbers.
In pseudo:
if v5:
  vtable = { ... }
elif v6.0:
  vtable = { ... }
elif v6.1:
  vtable = { ... }
else:
  error!

Those tables cannot change so using ifdefs in them can only risk to introduce 
bugs in one of the versions rather than help reduce code duplication.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/410#issuecomment-274808126

[Freeipa-devel] [freeipa PR#410][comment] ipa-kdb: support KDB DAL version 6.1

2017-01-24 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/410
Title: #410: ipa-kdb: support KDB DAL version 6.1

simo5 commented:
"""
Doesn't kdb.h also export a MINOR version to test against?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/410#issuecomment-274823821

[Freeipa-devel] [freeipa PR#410][comment] ipa-kdb: support KDB DAL version 6.1

2017-01-24 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/410
Title: #410: ipa-kdb: support KDB DAL version 6.1

simo5 commented:
"""
I checked and can't find it ... facepalm

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/410#issuecomment-274826331

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-24 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
Ok, with this latest push I can install servers and replicas both with CA and 
CA-less.
I cannot reproduce the failure @HonzaCholasta sees, so from my side I am done.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-274832504

[Freeipa-devel] [freeipa PR#353][synchronized] [RFE] Pwdpolicy

2017-01-25 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/353
Author: simo5
 Title: #353: [RFE] Pwdpolicy
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/353/head:pr353
git checkout pr353
From a7213592a0b643a63dbdc8bff5bae08f30448b7b Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Fri, 16 Dec 2016 07:12:45 -0500
Subject: [PATCH 1/2] Add code to retrieve results from multiple bases

Internally performs multiple searches as needed based on the basedn
strings passed in and whether the caller indicated that any result is ok
or all results are needed.

Signed-off-by: Simo Sorce 
---
 daemons/ipa-kdb/ipa_kdb.h|  10 
 daemons/ipa-kdb/ipa_kdb_common.c | 103 +++
 2 files changed, 113 insertions(+)

diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index 1fdb409..e1f46c6 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -174,6 +174,16 @@ int ipadb_ldap_attr_has_value(LDAP *lcontext, LDAPMessage *le,
 int ipadb_ldap_deref_results(LDAP *lcontext, LDAPMessage *le,
  LDAPDerefRes **results);
 
+struct ipadb_multires;
+krb5_error_code ipadb_multires_init(LDAP *lcontext, struct ipadb_multires **r);
+void ipadb_multires_free(struct ipadb_multires *r);
+LDAPMessage *ipadb_multires_next_entry(struct ipadb_multires *r);
+krb5_error_code ipadb_multibase_search(struct ipadb_context *ipactx,
+   char **basedns, int scope,
+   char *filter, char **attrs,
+   struct ipadb_multires **res,
+   bool any);
+
 /* PRINCIPALS FUNCTIONS */
 krb5_error_code ipadb_get_principal(krb5_context kcontext,
 krb5_const_principal search_for,
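Review bot: the new prototypes in ipa_kdb.h carry no comment explaining the `any` flag of `ipadb_multibase_search` or who owns the returned `struct ipadb_multires`. The commit message says `any` selects between "any result is ok" and "all results are needed"; that semantics belongs in the header next to the declaration, together with a note that `*res` must be released with `ipadb_multires_free` and whether `*res` is valid when the function returns an error.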
diff --git a/daemons/ipa-kdb/ipa_kdb_common.c b/daemons/ipa-kdb/ipa_kdb_common.c
index 7438f35..5995efe 100644
--- a/daemons/ipa-kdb/ipa_kdb_common.c
+++ b/daemons/ipa-kdb/ipa_kdb_common.c
@@ -610,3 +610,106 @@ int ipadb_ldap_deref_results(LDAP *lcontext, LDAPMessage *le,
 ldap_controls_free(ctrls);
 return ret;
 }
+
+struct ipadb_multires {
+LDAP *lcontext;
+LDAPMessage **res;
+LDAPMessage *next;
+ssize_t cursor;
+ssize_t count;
+};
+
+krb5_error_code ipadb_multires_init(LDAP *lcontext, struct ipadb_multires **r)
+{
+*r = malloc(sizeof(struct ipadb_multires));
+if (!*r) return ENOMEM;
+(*r)->lcontext = lcontext;
+(*r)->res = NULL;
+(*r)->next = NULL;
+(*r)->cursor = -1;
+(*r)->count = 0;
+
+return 0;
+}
+
+void ipadb_multires_free(struct ipadb_multires *r)
+{
+for (int i = 0; i < r->count; i++) {
+ldap_msgfree(r->res[i]);
+}
+free(r);
+}
+
+LDAPMessage *ipadb_multires_next_entry(struct ipadb_multires *r)
+{
+if (r->count == 0) return NULL;
+
+if (r->next) {
+r->next = ldap_next_entry(r->lcontext, r->next);
+}
+if (r->next == NULL) {
+if (r->cursor >= r->count - 1) {
+return NULL;
+}
+r->cursor++;
+r->next = ldap_first_entry(r->lcontext, r->res[r->cursor]);
+}
+
+return r->next;
+}
+
+krb5_error_code ipadb_multibase_search(struct ipadb_context *ipactx,
+   char **basedns, int scope,
+   char *filter, char **attrs,
+   struct ipadb_multires **res,
+   bool any)
+{
+int ret;
+
+ret = ipadb_multires_init(ipactx->lcontext, res);
+if (ret != 0) return ret;
+
+ret = ipadb_check_connection(ipactx);
+if (ret != 0)
+return ipadb_simple_ldap_to_kerr(ret);
+
+for (int b = 0; basedns[b]; b++) {
+LDAPMessage *r;
+ret = ldap_search_ext_s(ipactx->lcontext, basedns[b], scope,
+filter, attrs, 0, NULL, NULL,
+&std_timeout, LDAP_NO_LIMIT, &r);
+
+/* first test if we need to retry to connect */
+if (ret != 0 &&
+ipadb_need_retry(ipactx, ret)) {
+ldap_msgfree(r);
+ret = ldap_search_ext_s(ipactx->lcontext, basedns[b], scope,
+filter, attrs, 0, NULL, NULL,
+&std_timeout, LDAP_NO_LIMIT, &r);
+}
+
+if (ret != 0) break;
+
+if (ldap_count_entries(ipactx->lcontext, r) > 0) {
+void *tmp = realloc((*res)->res, (((*res)->count + 1) *
+sizeof(LDAPMessage *)));
+if (tmp == NULL) {
+ret = ENOMEM;
+break;
+}
+(*res)->res = tmp;
+(*res)->res[(*res)->count] = r;
+  
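Review bot: in `ipadb_multibase_search` the per-iteration `LDAPMessage *r;` is uninitialised, yet the retry branch calls `ldap_msgfree(r)` after a failed `ldap_search_ext_s`; declare it as `LDAPMessage *r = NULL;` so that path cannot free a garbage pointer. Two leaks are visible in this hunk: when `ldap_count_entries()` returns 0 the message `r` is never freed, and `ipadb_multires_free` frees each stored message but never does `free(r->res)` on the array itself. After `if (ret != 0) break;` the already-allocated `*res` is left to the caller while `ret` may still hold an LDAP result code rather than a krb5_error_code (the `ipadb_check_connection` path converts with `ipadb_simple_ldap_to_kerr`, the loop exit does not); the cleanup and conversion may live in the part of the hunk cut off below, so please confirm.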

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-25 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
Ok reproduced, it is not clear to me yet how, but at some point ca.crt gets 
zeroed out and that's why the ldap command fails, investigating
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-275101642

[Freeipa-devel] [freeipa PR#353][comment] [RFE] Pwdpolicy

2017-01-25 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/353
Title: #353: [RFE] Pwdpolicy

simo5 commented:
"""
I found two subtle bugs that cause the install failure, with the rebased 
patches install completes correctly for me.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/353#issuecomment-275106444

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-25 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
With this last rebase I can install again both ca and ca-less without issues.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-275168299

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-31 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
The correct packages are now in updates-testing in Fedora 25, pick from there.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-276340645

[Freeipa-devel] [freeipa PR#410][comment] ipa-kdb: support KDB DAL version 6.1

2017-02-07 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/410
Title: #410: ipa-kdb: support KDB DAL version 6.1

simo5 commented:
"""
@frozencemetery Should we provide krb5-kdb-version-devel from krb5-devel?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/410#issuecomment-277949768

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-07 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
I added 1.5.0 as a dep in freeipa.spec.in and rebased the PR
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-278008429

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-09 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
I think I know what is going on here, can you add an actual test to the 
testsuite that checks this?
I will fix my PR to not cause this deadlock, I've reproduced it here.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-278635045

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-09 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
My last push fixes the deadlock and another problem in ipalib/krb_utils.py

I haven't figured out exactly what happens in change_password, I see from logs 
sent from @martbab that the kinit as the user alice is performed, but apache 
sees only admin connections.

I suspect that the issue is in ipalib/rpc.py in create_connection, where 
apply_session_cookie() is called, but can't be sure.
I need a way to repro these tests locally to confirm.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-278704831

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-10 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
So I am not sure what is going on here, after fiddling with the failing tests 
to print out what was going on, they suddenly started working (and 3 others 
started failing).
It is not clear to me what is going on, but it may be an unclean environment too... 
after running tests a few times for example I found out my user KRB5CCNAME 
environment variable had been changed (this is not ok, it's a bug in the tests 
and will make things unreliable).
Anyway after a full rebuild and reinstall I was not able to go back to a state 
where I could reproduce the issues in caacl tests.
I rebased the patchset on latest master and pushed it, let's see what CI says.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-278981716

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-13 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
@HonzaCholasta push it before we break it again! :-)
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-279538680

[Freeipa-devel] [freeipa PR#410][+ack] ipa-kdb: support KDB DAL version 6.1

2017-02-14 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/410
Title: #410: ipa-kdb: support KDB DAL version 6.1

Label: +ack

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-14 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
The changes in ipalib/rpc.py are connected to the changes in ipatest/util.py, 
it makes no sense to keep them separate as in each patch I add respectively to 
connect() and disconnect() arguments that are used in ipatest/util.py

As for resetting session_cookie when the principal changes, I am all for it, except 
we do not record the principal in the rpc context ...
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-279691469

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-14 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
We actually record the principal, change the patch to destroy session_cookie in 
create_connection if the principal is different.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-279692958
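
The failure mode behind the last two comments, as an added example that is not FreeIPA code: a client that caches the session cookie obtained after a GSSAPI exchange keeps sending requests as the previous principal unless create_connection() drops the cookie when the principal differs. The FakeServer, RpcClient and run_scenario names, the cookie format and the EXAMPLE.TEST realm are constructed for this example; the real ipalib/rpc.py is not modelled beyond the reset check.

```python
"""Session cookie reuse across principals (constructed model, not ipalib code)."""
from dataclasses import dataclass, field
import itertools


@dataclass
class FakeServer:
    """Stand-in for the IPA web server: hands out one opaque cookie per
    GSSAPI login and records which principal each request was served as."""
    _seq: itertools.count = field(default_factory=itertools.count)
    sessions: dict = field(default_factory=dict)   # cookie -> principal
    served_as: list = field(default_factory=list)  # principal per request

    def gssapi_login(self, principal):
        cookie = "ipa_session=%d" % next(self._seq)   # constructed format
        self.sessions[cookie] = principal
        return cookie

    def request(self, cookie):
        # The server trusts the cookie alone, exactly as a session cookie
        # is meant to work; the client must not present a stale one.
        self.served_as.append(self.sessions[cookie])
        return self.sessions[cookie]


@dataclass
class RpcClient:
    server: FakeServer
    reset_on_principal_change: bool
    principal: str = None
    session_cookie: str = None

    def create_connection(self, principal):
        # Buggy behaviour (reset_on_principal_change=False): a cookie obtained
        # as the previous principal is applied to the new connection, so the
        # server keeps seeing the old identity ("apache sees only admin").
        # Fixed behaviour: destroy the cached cookie when the recorded
        # principal differs and re-authenticate with GSSAPI.
        if self.reset_on_principal_change and principal != self.principal:
            self.session_cookie = None
        self.principal = principal
        if self.session_cookie is None:
            self.session_cookie = self.server.gssapi_login(principal)
        return self

    def call(self):
        return self.server.request(self.session_cookie)


def run_scenario(reset_on_principal_change):
    """Run one request as admin, then (after an out-of-band kinit as alice)
    reconnect as alice; return the principals the server actually served."""
    server = FakeServer()
    client = RpcClient(server, reset_on_principal_change)
    client.create_connection("admin@EXAMPLE.TEST").call()
    client.create_connection("alice@EXAMPLE.TEST").call()
    return server.served_as


if __name__ == "__main__":
    print("without reset:", run_scenario(False))
    print("with reset:   ", run_scenario(True))
```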

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-14 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
Ok split the last stuff in 3 commits.
I removed the use of private ccache for a few reasons:
1. touches environment variables.
2. will unconditionally remove a ccache even when passed in, so it may end up 
removing the wrong thing
3. private_ccache is used in dcerpc code and I do not want to change semantics 
and risk breaking that code path
4. This fix is much smaller and removes one more yield, which is not a bad 
thing as it makes the code easier to read.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-279700179

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-14 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
For some commits I was sure what ticket to use, for some I was not, so I 
elected not to put a specific ticket in there. If you have a good idea of what 
ticket (of the External Authentication project) to apply to specific commits 
let me know and I can amend commit messages.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-279709846

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-14 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
Done
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-279859272
