Re: [Freeipa-devel] [PATCH] [WIP] Allow full customisability of CA subject name

2016-08-19 Thread Fraser Tweedale
On Mon, Aug 15, 2016 at 10:54:25PM +1000, Fraser Tweedale wrote:
> On Mon, Aug 15, 2016 at 02:08:54PM +0200, Jan Cholasta wrote:
> > On 19.7.2016 12:05, Jan Cholasta wrote:
> > > On 19.7.2016 11:54, Fraser Tweedale wrote:
> > > > On Tue, Jul 19, 2016 at 09:36:17AM +0200, Jan Cholasta wrote:
> > > > > Hi,
> > > > > 
> > > > > On 15.7.2016 07:05, Fraser Tweedale wrote:
> > > > > > On Fri, Jul 15, 2016 at 03:04:48PM +1000, Fraser Tweedale wrote:
> > > > > > > The attached patch is a work in progress for
> > > > > > > https://fedorahosted.org/freeipa/ticket/2614 (BZ 828866).
> > > > > > > 
> > > > > > > I am sharing now to make the approach clear and solicit feedback.
> > > > > > > 
> > > > > > > It has been tested for server install, replica install (with and
> > > > > > > without CA) and CA-replica install (all hosts running master+patch).
> > > > > > > 
> > > > > > > Migration from earlier versions and server/replica/CA install on a
> > > > > > > CA-less deployment are not yet tested; these will be tested over
> > > > > > > coming days and patch will be tweaked as necessary.
> > > > > > > 
> > > > > > > Commit message has a fair bit to say so I won't repeat here but let
> > > > > > > me know your questions and comments.
> > > > > > > 
> > > > > > > Thanks,
> > > > > > > Fraser
> > > > > > > 
> > > > > > It does help to attach the patch, of course ^_^
> > > > > 
> > > > > IMO explicit is better than implicit, so instead of introducing additional
> > > > > magic around --subject, I would rather add a new separate option for
> > > > > specifying the CA subject name (I think --ca-subject, for consistency with
> > > > > --ca-signing-algorithm).
> > > > > 
> > > > The current situation - the --subject argument which specifies
> > > > not the subject but the subject base, is confusing enough (to say
> > > > nothing of the limitations that give rise to the RFE).
> > > > 
> > > > Retaining --subject for specifying the subject base and adding
> > > > --ca-subject for specifying the *actual* subject DN gets us over the
> > > > line in terms of the RFE, but does not make the installer less
> > > > confusing.  This is why I made --subject accept the full subject DN,
> > > > with provisions to retain existing behaviour.
> > > > 
> > > > IMO if we want to have separate arguments for subject DN and subject
> > > > base (I am not against it), let's bite the bullet and name arguments
> > > > accordingly.  --subject should be used to specify full Subject DN,
> > > > --subject-base (or similar) for specifying subject base.
> > > 
> > > IMHO --ca-subject is better than --subject, because it is more explicit
> > > whose subject name that is (the CA's). I agree that --subject should be
> > > deprecated and replaced with --subject-base.
> > > 
> > > > 
> > > > (I intentionally defer discussion of specific behaviour if one, none
> > > > or both are specified; let's resolve the question of renaming /
> > > > changing meaning of arguments first).
> > > > 
> > > > 
> > > > > By specifying the option you would override the default "CN=Certificate
> > > > > Authority,$SUBJECT_BASE" subject name. If --external-ca was not used,
> > > > > additional validation would be done to make sure the subject name meets
> > > > > Dogtag's expectations. Actually, it might make sense to always do the
> > > > > additional validation, to be able to print a warning that if a
> > > > > Dogtag-incompatible subject name is used, it won't be possible to change the
> > > > > CA cert chaining from externally signed to self-signed later.
> > > > > 
> > > > > Honza
> > 
> > Bump, any update on this?
> > 
> I have an updated patch that fixes some issues Sebastian encountered
> in testing, but I've not yet tackled the main change requested by
> Honza (in brief: adding --ca-subject for specifying that, adding
> --subject-base for specifying that, and deprecating --subject;
> Sebastian, see discussion above and feel free to give your
> thoughts).  I expect I'll get back onto this work within the next
> few days.
> 
Update: I've got an updated version of patch almost ready for
review, but I'm still ironing out some wrinkles in replica
installation.

Expect to be able to send it Monday or Tuesday for review.

Thanks,
Fraser

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH] [WIP] Allow full customisability of CA subject name

2016-08-15 Thread Fraser Tweedale
On Mon, Aug 15, 2016 at 02:08:54PM +0200, Jan Cholasta wrote:
> On 19.7.2016 12:05, Jan Cholasta wrote:
> > On 19.7.2016 11:54, Fraser Tweedale wrote:
> > > On Tue, Jul 19, 2016 at 09:36:17AM +0200, Jan Cholasta wrote:
> > > > Hi,
> > > > 
> > > > On 15.7.2016 07:05, Fraser Tweedale wrote:
> > > > > On Fri, Jul 15, 2016 at 03:04:48PM +1000, Fraser Tweedale wrote:
> > > > > > The attached patch is a work in progress for
> > > > > > https://fedorahosted.org/freeipa/ticket/2614 (BZ 828866).
> > > > > > 
> > > > > > I am sharing now to make the approach clear and solicit feedback.
> > > > > > 
> > > > > > It has been tested for server install, replica install (with and
> > > > > > without CA) and CA-replica install (all hosts running master+patch).
> > > > > > 
> > > > > > Migration from earlier versions and server/replica/CA install on a
> > > > > > CA-less deployment are not yet tested; these will be tested over
> > > > > > coming days and patch will be tweaked as necessary.
> > > > > > 
> > > > > > Commit message has a fair bit to say so I won't repeat here but let
> > > > > > me know your questions and comments.
> > > > > > 
> > > > > > Thanks,
> > > > > > Fraser
> > > > > > 
> > > > > It does help to attach the patch, of course ^_^
> > > > 
> > > > IMO explicit is better than implicit, so instead of introducing additional
> > > > magic around --subject, I would rather add a new separate option for
> > > > specifying the CA subject name (I think --ca-subject, for consistency with
> > > > --ca-signing-algorithm).
> > > > 
> > > The current situation - the --subject argument which specifies
> > > not the subject but the subject base, is confusing enough (to say
> > > nothing of the limitations that give rise to the RFE).
> > > 
> > > Retaining --subject for specifying the subject base and adding
> > > --ca-subject for specifying the *actual* subject DN gets us over the
> > > line in terms of the RFE, but does not make the installer less
> > > confusing.  This is why I made --subject accept the full subject DN,
> > > with provisions to retain existing behaviour.
> > > 
> > > IMO if we want to have separate arguments for subject DN and subject
> > > base (I am not against it), let's bite the bullet and name arguments
> > > accordingly.  --subject should be used to specify full Subject DN,
> > > --subject-base (or similar) for specifying subject base.
> > 
> > IMHO --ca-subject is better than --subject, because it is more explicit
> > whose subject name that is (the CA's). I agree that --subject should be
> > deprecated and replaced with --subject-base.
> > 
> > > 
> > > (I intentionally defer discussion of specific behaviour if one, none
> > > or both are specified; let's resolve the question of renaming /
> > > changing meaning of arguments first).
> > > 
> > > 
> > > > By specifying the option you would override the default "CN=Certificate
> > > > Authority,$SUBJECT_BASE" subject name. If --external-ca was not used,
> > > > additional validation would be done to make sure the subject name meets
> > > > Dogtag's expectations. Actually, it might make sense to always do the
> > > > additional validation, to be able to print a warning that if a
> > > > Dogtag-incompatible subject name is used, it won't be possible to change the
> > > > CA cert chaining from externally signed to self-signed later.
> > > > 
> > > > Honza
> 
> Bump, any update on this?
> 
I have an updated patch that fixes some issues Sebastian encountered
in testing, but I've not yet tackled the main change requested by
Honza (in brief: adding --ca-subject for specifying that, adding
--subject-base for specifying that, and deprecating --subject;
Sebastian, see discussion above and feel free to give your
thoughts).  I expect I'll get back onto this work within the next
few days.

Thanks,
Fraser



Re: [Freeipa-devel] [PATCH] [WIP] Allow full customisability of CA subject name

2016-08-15 Thread Jan Cholasta

On 19.7.2016 12:05, Jan Cholasta wrote:
> On 19.7.2016 11:54, Fraser Tweedale wrote:
> > On Tue, Jul 19, 2016 at 09:36:17AM +0200, Jan Cholasta wrote:
> > > Hi,
> > > 
> > > On 15.7.2016 07:05, Fraser Tweedale wrote:
> > > > On Fri, Jul 15, 2016 at 03:04:48PM +1000, Fraser Tweedale wrote:
> > > > > The attached patch is a work in progress for
> > > > > https://fedorahosted.org/freeipa/ticket/2614 (BZ 828866).
> > > > > 
> > > > > I am sharing now to make the approach clear and solicit feedback.
> > > > > 
> > > > > It has been tested for server install, replica install (with and
> > > > > without CA) and CA-replica install (all hosts running master+patch).
> > > > > 
> > > > > Migration from earlier versions and server/replica/CA install on a
> > > > > CA-less deployment are not yet tested; these will be tested over
> > > > > coming days and patch will be tweaked as necessary.
> > > > > 
> > > > > Commit message has a fair bit to say so I won't repeat here but let
> > > > > me know your questions and comments.
> > > > > 
> > > > > Thanks,
> > > > > Fraser
> > > > > 
> > > > It does help to attach the patch, of course ^_^
> > > 
> > > IMO explicit is better than implicit, so instead of introducing additional
> > > magic around --subject, I would rather add a new separate option for
> > > specifying the CA subject name (I think --ca-subject, for consistency with
> > > --ca-signing-algorithm).
> > > 
> > The current situation - the --subject argument which specifies
> > not the subject but the subject base, is confusing enough (to say
> > nothing of the limitations that give rise to the RFE).
> > 
> > Retaining --subject for specifying the subject base and adding
> > --ca-subject for specifying the *actual* subject DN gets us over the
> > line in terms of the RFE, but does not make the installer less
> > confusing.  This is why I made --subject accept the full subject DN,
> > with provisions to retain existing behaviour.
> > 
> > IMO if we want to have separate arguments for subject DN and subject
> > base (I am not against it), let's bite the bullet and name arguments
> > accordingly.  --subject should be used to specify full Subject DN,
> > --subject-base (or similar) for specifying subject base.
> 
> IMHO --ca-subject is better than --subject, because it is more explicit
> whose subject name that is (the CA's). I agree that --subject should be
> deprecated and replaced with --subject-base.
> 
> > 
> > (I intentionally defer discussion of specific behaviour if one, none
> > or both are specified; let's resolve the question of renaming /
> > changing meaning of arguments first).
> > 
> > 
> > > By specifying the option you would override the default "CN=Certificate
> > > Authority,$SUBJECT_BASE" subject name. If --external-ca was not used,
> > > additional validation would be done to make sure the subject name meets
> > > Dogtag's expectations. Actually, it might make sense to always do the
> > > additional validation, to be able to print a warning that if a
> > > Dogtag-incompatible subject name is used, it won't be possible to change the
> > > CA cert chaining from externally signed to self-signed later.
> > > 
> > > Honza

Bump, any update on this?

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH] [WIP] Allow full customisability of CA subject name

2016-07-19 Thread Jan Cholasta

On 19.7.2016 11:54, Fraser Tweedale wrote:
> On Tue, Jul 19, 2016 at 09:36:17AM +0200, Jan Cholasta wrote:
> > Hi,
> > 
> > On 15.7.2016 07:05, Fraser Tweedale wrote:
> > > On Fri, Jul 15, 2016 at 03:04:48PM +1000, Fraser Tweedale wrote:
> > > > The attached patch is a work in progress for
> > > > https://fedorahosted.org/freeipa/ticket/2614 (BZ 828866).
> > > > 
> > > > I am sharing now to make the approach clear and solicit feedback.
> > > > 
> > > > It has been tested for server install, replica install (with and
> > > > without CA) and CA-replica install (all hosts running master+patch).
> > > > 
> > > > Migration from earlier versions and server/replica/CA install on a
> > > > CA-less deployment are not yet tested; these will be tested over
> > > > coming days and patch will be tweaked as necessary.
> > > > 
> > > > Commit message has a fair bit to say so I won't repeat here but let
> > > > me know your questions and comments.
> > > > 
> > > > Thanks,
> > > > Fraser
> > > > 
> > > It does help to attach the patch, of course ^_^
> > 
> > IMO explicit is better than implicit, so instead of introducing additional
> > magic around --subject, I would rather add a new separate option for
> > specifying the CA subject name (I think --ca-subject, for consistency with
> > --ca-signing-algorithm).
> > 
> The current situation - the --subject argument which specifies
> not the subject but the subject base, is confusing enough (to say
> nothing of the limitations that give rise to the RFE).
> 
> Retaining --subject for specifying the subject base and adding
> --ca-subject for specifying the *actual* subject DN gets us over the
> line in terms of the RFE, but does not make the installer less
> confusing.  This is why I made --subject accept the full subject DN,
> with provisions to retain existing behaviour.
> 
> IMO if we want to have separate arguments for subject DN and subject
> base (I am not against it), let's bite the bullet and name arguments
> accordingly.  --subject should be used to specify full Subject DN,
> --subject-base (or similar) for specifying subject base.

IMHO --ca-subject is better than --subject, because it is more explicit
whose subject name that is (the CA's). I agree that --subject should be
deprecated and replaced with --subject-base.

> 
> (I intentionally defer discussion of specific behaviour if one, none
> or both are specified; let's resolve the question of renaming /
> changing meaning of arguments first).
> 
> 
> > By specifying the option you would override the default "CN=Certificate
> > Authority,$SUBJECT_BASE" subject name. If --external-ca was not used,
> > additional validation would be done to make sure the subject name meets
> > Dogtag's expectations. Actually, it might make sense to always do the
> > additional validation, to be able to print a warning that if a
> > Dogtag-incompatible subject name is used, it won't be possible to change the
> > CA cert chaining from externally signed to self-signed later.
> > 
> > Honza
> > 
> > -- 
> > Jan Cholasta



--
Jan Cholasta



Re: [Freeipa-devel] [PATCH] [WIP] Allow full customisability of CA subject name

2016-07-19 Thread Fraser Tweedale
On Tue, Jul 19, 2016 at 09:36:17AM +0200, Jan Cholasta wrote:
> Hi,
> 
> On 15.7.2016 07:05, Fraser Tweedale wrote:
> > On Fri, Jul 15, 2016 at 03:04:48PM +1000, Fraser Tweedale wrote:
> > > The attached patch is a work in progress for
> > > https://fedorahosted.org/freeipa/ticket/2614 (BZ 828866).
> > > 
> > > I am sharing now to make the approach clear and solicit feedback.
> > > 
> > > It has been tested for server install, replica install (with and
> > > without CA) and CA-replica install (all hosts running master+patch).
> > > 
> > > Migration from earlier versions and server/replica/CA install on a
> > > CA-less deployment are not yet tested; these will be tested over
> > > coming days and patch will be tweaked as necessary.
> > > 
> > > Commit message has a fair bit to say so I won't repeat here but let
> > > me know your questions and comments.
> > > 
> > > Thanks,
> > > Fraser
> > > 
> > It does help to attach the patch, of course ^_^
> 
> IMO explicit is better than implicit, so instead of introducing additional
> magic around --subject, I would rather add a new separate option for
> specifying the CA subject name (I think --ca-subject, for consistency with
> --ca-signing-algorithm).
> 
The current situation - the --subject argument which specifies
not the subject but the subject base, is confusing enough (to say
nothing of the limitations that give rise to the RFE).

Retaining --subject for specifying the subject base and adding
--ca-subject for specifying the *actual* subject DN gets us over the
line in terms of the RFE, but does not make the installer less
confusing.  This is why I made --subject accept the full subject DN,
with provisions to retain existing behaviour.

IMO if we want to have separate arguments for subject DN and subject
base (I am not against it), let's bite the bullet and name arguments
accordingly.  --subject should be used to specify full Subject DN,
--subject-base (or similar) for specifying subject base.

(I intentionally defer discussion of specific behaviour if one, none
or both are specified; let's resolve the question of renaming /
changing meaning of arguments first).


> By specifying the option you would override the default "CN=Certificate
> Authority,$SUBJECT_BASE" subject name. If --external-ca was not used,
> additional validation would be done to make sure the subject name meets
> Dogtag's expectations. Actually, it might make sense to always do the
> additional validation, to be able to print a warning that if a
> Dogtag-incompatible subject name is used, it won't be possible to change the
> CA cert chaining from externally signed to self-signed later.
> 
> Honza
> 
> -- 
> Jan Cholasta



Re: [Freeipa-devel] [PATCH] [WIP] Allow full customisability of CA subject name

2016-07-19 Thread Jan Cholasta

Hi,

On 15.7.2016 07:05, Fraser Tweedale wrote:
> On Fri, Jul 15, 2016 at 03:04:48PM +1000, Fraser Tweedale wrote:
> > The attached patch is a work in progress for
> > https://fedorahosted.org/freeipa/ticket/2614 (BZ 828866).
> > 
> > I am sharing now to make the approach clear and solicit feedback.
> > 
> > It has been tested for server install, replica install (with and
> > without CA) and CA-replica install (all hosts running master+patch).
> > 
> > Migration from earlier versions and server/replica/CA install on a
> > CA-less deployment are not yet tested; these will be tested over
> > coming days and patch will be tweaked as necessary.
> > 
> > Commit message has a fair bit to say so I won't repeat here but let
> > me know your questions and comments.
> > 
> > Thanks,
> > Fraser
> > 
> It does help to attach the patch, of course ^_^

IMO explicit is better than implicit, so instead of introducing
additional magic around --subject, I would rather add a new separate
option for specifying the CA subject name (I think --ca-subject, for
consistency with --ca-signing-algorithm).

By specifying the option you would override the default "CN=Certificate
Authority,$SUBJECT_BASE" subject name. If --external-ca was not used,
additional validation would be done to make sure the subject name meets
Dogtag's expectations. Actually, it might make sense to always do the
additional validation, to be able to print a warning that if a
Dogtag-incompatible subject name is used, it won't be possible to change
the CA cert chaining from externally signed to self-signed later.

Honza

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH] [WIP] Allow full customisability of CA subject name

2016-07-14 Thread Fraser Tweedale
On Fri, Jul 15, 2016 at 03:04:48PM +1000, Fraser Tweedale wrote:
> The attached patch is a work in progress for
> https://fedorahosted.org/freeipa/ticket/2614 (BZ 828866).
> 
> I am sharing now to make the approach clear and solicit feedback.
> 
> It has been tested for server install, replica install (with and
> without CA) and CA-replica install (all hosts running master+patch).
> 
> Migration from earlier versions and server/replica/CA install on a
> CA-less deployment are not yet tested; these will be tested over
> coming days and patch will be tweaked as necessary.
> 
> Commit message has a fair bit to say so I won't repeat here but let
> me know your questions and comments.
> 
> Thanks,
> Fraser
>
It does help to attach the patch, of course ^_^
From 74102e13b041cd05396a579f12f26a9f80394ad1 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Mon, 11 Jul 2016 12:57:11 +1000
Subject: [PATCH] Allow full customisability of IPA CA subject DN

Currently only the "subject base" of the IPA CA subject DN can be
customised via the installer's --subject option.  The RDN
"CN=Certificate Authority" is appended to form the subject DN, and
this composition is widely assumed, hardcoded in many places.

Some administrators need more control over the CA subject DN,
especially to satisfy expectations of external CAs when the IPA CA
is to be externally signed.

This patch adds full customisability of the CA subject DN.  The
--subject argument can now be the full DN, and the subject base is
derived from it.  The full rules are as follows:

- If --subject is not given, default to
  "CN=Certificate Authority, O=$REALM" (existing behaviour)

- If --external-ca is used, subject is used as-is.

- If and only if --external-ca is not used, to meet Dogtag's
  expectations, the "most specific" CN AVA encountered shall be the
  most specific RDN (it is moved if necessary); if the subject DN
  does not contain a CN AVA, then "CN=Certificate Authority" is
  appended.

- The subject base is derived from the subject (after processing per
  preceding points) by extracting OU, O, L, ST, C and DC AVAs,
  preserving relative order.  If the resulting DN is empty, it
  defaults to "O=$REALM".

Fixes: https://fedorahosted.org/freeipa/ticket/2614
---
 install/share/certmap.conf.template|  2 +-
 install/tools/ipa-ca-install   | 14 +---
 install/tools/man/ipa-server-install.1 |  2 +-
 ipapython/ipautil.py   | 20 +
 ipaserver/install/ca.py| 20 +
 ipaserver/install/cainstance.py| 35 ++
 ipaserver/install/certs.py |  9 
 ipaserver/install/dsinstance.py| 29 +++--
 ipaserver/install/installutils.py  | 35 +++---
 ipaserver/install/ipa_cacert_manage.py |  9 ++--
 ipaserver/install/krainstance.py   |  9 +---
 ipaserver/install/server/common.py |  4 ++--
 ipaserver/install/server/install.py| 17 ++-
 ipaserver/install/server/replicainstall.py | 27 ---
 14 files changed, 159 insertions(+), 73 deletions(-)

diff --git a/install/share/certmap.conf.template 
b/install/share/certmap.conf.template
index 
e76bf3c653a4f1d130ce8c264a28cac5dc63925c..d59b095faff804eae4cbd2ef984aa8ca3be52946
 100644
--- a/install/share/certmap.conf.template
+++ b/install/share/certmap.conf.template
@@ -41,6 +41,6 @@ certmap default default
 #default:InitFn 
 default:DNComps
 default:FilterComps uid
-certmap ipaca   CN=Certificate Authority,$SUBJECT_BASE
+certmap ipaca   $ISSUER_DN
 ipaca:CmapLdapAttr  seeAlso
 ipaca:verifycerton
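Review bot: the certmap entry now depends on a $ISSUER_DN substitution instead of the fixed "CN=Certificate Authority,$SUBJECT_BASE", so every code path that renders certmap.conf.template must supply ISSUER_DN (the diffstat lists dsinstance.py, presumably where that happens); please also confirm the value is the CA certificate's issuer DN in the exact string form the certmap matcher compares against, because a fully custom DN can now contain escaped commas or '=' inside a value, which the old fixed composition never produced.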
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 
ed685920cbadb9cd3fc80865afb1610ca42f8b13..8a8adb3984386bb88227d769a8c5132bb121b870
 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -32,7 +32,7 @@ from ipaserver.install import bindinstance, dsinstance, ca
 from ipaserver.install import cainstance, custodiainstance, service
 from ipapython import version
 from ipalib import api
-from ipalib.constants import DOMAIN_LEVEL_0
+from ipalib.constants import DOMAIN_LEVEL_0, IPA_CA_CN
 from ipapython.dn import DN
 from ipapython.config import IPAOptionParser
 from ipapython.ipa_log_manager import root_logger, standard_logging_setup
@@ -160,9 +160,7 @@ def install_replica(safe_options, options, filename):
 conn.connect(bind_dn=DN(('cn', 'Directory Manager')),
 bind_pw=dirman_password)
 
-if config.subject_base is None:
-attrs = conn.get_ipa_config()
-config.subject_base = attrs.get('ipacertificatesubjectbase')[0]
+subject = api.Command.ca_show(IPA_CA_CN)['result']['ipacasubjectdn'][0]
 
 if config.master_host_name is None:
 config.ca_host_name = \
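Review bot: the removed block populated config.subject_base when it was None, but nothing here assigns config.subject_base from the new `subject`; if later code in install_replica still reads it, derive the base from the subject DN using the rules in the commit message. Also, `api.Command.ca_show(IPA_CA_CN)` now runs unconditionally and needs a finalized, connected api rather than the raw `conn` bound as Directory Manager just above, and the `[0]` index assumes ipacasubjectdn is present; since the cover mail lists migration as untested, please check that the `ipa` CA entry and that attribute exist on deployments upgraded from older releases, and fail with a clear message rather than a traceback when they do not.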
@@ -175,7 +173,7 @@ def 
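The subject DN rules from the commit message above (default, --external-ca pass-through, CN promotion, subject-base extraction) plus the Dogtag-compatibility check Honza suggested, worked through as an added example that is not the patch's own code. It uses a minimal DN parser in place of ipapython.dn.DN, assumes single-valued RDNs, and the function names and realm value are constructed for illustration.

```python
from typing import List, Optional, Tuple

AVA = Tuple[str, str]                          # (attribute type, value)
DEFAULT_CA_CN = "Certificate Authority"        # CN used when none is given
BASE_ATTRS = ("OU", "O", "L", "ST", "C", "DC")  # AVAs that form the subject base


def parse_dn(dn: str) -> List[AVA]:
    """Split a DN string into (type, value) pairs, most specific RDN first.

    Backslash-escaped characters are kept verbatim in the value, so
    "O=Example\\, Inc" stays one AVA.  Multi-valued RDNs are not modelled.
    """
    rdns: List[str] = []
    buf: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            buf.append("\\" + ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if escaped:
        raise ValueError("dangling escape at end of DN")
    rdns.append("".join(buf))

    avas: List[AVA] = []
    for rdn in rdns:
        rdn = rdn.strip()
        if not rdn:
            continue                           # tolerate empty DN / trailing comma
        if "=" not in rdn:
            raise ValueError("RDN without '=': %r" % rdn)
        typ, val = rdn.split("=", 1)
        avas.append((typ.strip().upper(), val.strip()))
    return avas


def format_dn(avas: List[AVA]) -> str:
    return ",".join("%s=%s" % ava for ava in avas)


def ca_subject_dn(subject: Optional[str], realm: str, external_ca: bool = False) -> str:
    """Resolve the CA subject DN from the --subject value per the patch's rules."""
    if subject is None:                        # rule 1: default, existing behaviour
        return format_dn([("CN", DEFAULT_CA_CN), ("O", realm)])
    avas = parse_dn(subject)
    if external_ca:                            # rule 2: externally signed, as-is
        return format_dn(avas)
    # rule 3: Dogtag expects the CN to be the most specific RDN (leftmost here);
    # move the most specific CN to the front, or add the default CN if absent
    cn_idx = next((i for i, (typ, _) in enumerate(avas) if typ == "CN"), None)
    if cn_idx is None:
        avas.insert(0, ("CN", DEFAULT_CA_CN))
    elif cn_idx != 0:
        avas.insert(0, avas.pop(cn_idx))
    return format_dn(avas)


def subject_base(subject_dn: str, realm: str) -> str:
    """Rule 4: keep OU/O/L/ST/C/DC AVAs in order; fall back to O=$REALM."""
    base = [ava for ava in parse_dn(subject_dn) if ava[0] in BASE_ATTRS]
    return format_dn(base) if base else "O=%s" % realm


def dogtag_compatible(subject_dn: str) -> bool:
    """The check behind the suggested warning: a subject whose most specific
    RDN is not a CN cannot later be re-chained from external to self-signed."""
    avas = parse_dn(subject_dn)
    return bool(avas) and avas[0][0] == "CN"
```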

[Freeipa-devel] [PATCH] [WIP] Allow full customisability of CA subject name

2016-07-14 Thread Fraser Tweedale
The attached patch is a work in progress for
https://fedorahosted.org/freeipa/ticket/2614 (BZ 828866).

I am sharing now to make the approach clear and solicit feedback.

It has been tested for server install, replica install (with and
without CA) and CA-replica install (all hosts running master+patch).

Migration from earlier versions and server/replica/CA install on a
CA-less deployment are not yet tested; these will be tested over
coming days and patch will be tweaked as necessary.

Commit message has a fair bit to say so I won't repeat here but let
me know your questions and comments.

Thanks,
Fraser
