Re: [Freeipa-devel] [PATCH 0055] Add /session/token_sync POST support
On Wed, 25 Jun 2014, Nathaniel McCallum wrote: On Wed, 2014-06-25 at 13:21 +0300, Alexander Bokovoy wrote: On Tue, 24 Jun 2014, Nathaniel McCallum wrote: On Mon, 2014-06-02 at 23:07 -0400, Nathaniel McCallum wrote: This HTTP call takes the following parameters: * user * password * first_code * second_code * token (optional) Using this information, the server will perform token synchronization. If the token is not specified, all tokens will be searched for synchronization. Otherwise, only the token specified will be searched. This patch depends on my patch #0054. Attached is a new revision. This version should force an update to /etc/httpd/conf.d/ipa.conf on update. It is also rebased on master. ACK with condition that you apply attached fixups. Since token that is passed by 'ipa otptoken-sync' command is not a full DN, we need to support both cases, when DN and just a name is passed. Attached patch fixes this. Applied. ACK. This should be committed first one. -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0055] Add /session/token_sync POST support
On 06/26/2014 01:01 PM, Alexander Bokovoy wrote: On Wed, 25 Jun 2014, Nathaniel McCallum wrote: On Wed, 2014-06-25 at 13:21 +0300, Alexander Bokovoy wrote: On Tue, 24 Jun 2014, Nathaniel McCallum wrote: On Mon, 2014-06-02 at 23:07 -0400, Nathaniel McCallum wrote: This HTTP call takes the following parameters: * user * password * first_code * second_code * token (optional) Using this information, the server will perform token synchronization. If the token is not specified, all tokens will be searched for synchronization. Otherwise, only the token specified will be searched. This patch depends on my patch #0054. Attached is a new revision. This version should force an update to /etc/httpd/conf.d/ipa.conf on update. It is also rebased on master. ACK with condition that you apply attached fixups. Since token that is passed by 'ipa otptoken-sync' command is not a full DN, we need to support both cases, when DN and just a name is passed. Attached patch fixes this. Applied. ACK. This should be committed first one. Pushed to master. I just added link to https://fedorahosted.org/freeipa/ticket/4218 to the patch description. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0055] Add /session/token_sync POST support
On Tue, 24 Jun 2014, Nathaniel McCallum wrote: On Mon, 2014-06-02 at 23:07 -0400, Nathaniel McCallum wrote: This HTTP call takes the following parameters: * user * password * first_code * second_code * token (optional) Using this information, the server will perform token synchronization. If the token is not specified, all tokens will be searched for synchronization. Otherwise, only the token specified will be searched. This patch depends on my patch #0054. Attached is a new revision. This version should force an update to /etc/httpd/conf.d/ipa.conf on update. It is also rebased on master. ACK with condition that you apply attached fixups. Since token that is passed by 'ipa otptoken-sync' command is not a full DN, we need to support both cases, when DN and just a name is passed. Attached patch fixes this. -- / Alexander Bokovoy From ac31c6c6ce0b7bc163696968e07e8dd3c75accef Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Wed, 25 Jun 2014 13:17:08 +0300 Subject: [PATCH 9/9] fixup! Add /session/token_sync POST support --- ipaserver/rpcserver.py | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py index 39134af..33d03e2 100644 --- a/ipaserver/rpcserver.py +++ b/ipaserver/rpcserver.py 
@@ -1165,8 +1165,12 @@ class sync_token(Backend, HTTP_Status): sr.setComponentByName('firstCode', data['first_code']) sr.setComponentByName('secondCode', data['second_code']) if 'token' in data: -token_dn = DN((self.api.Object.otptoken.primary_key.name, data['token']), - self.api.env.container_otp, self.api.env.basedn) +try: +token_dn = DN(data['token']) +except ValueError: +token_dn = DN((self.api.Object.otptoken.primary_key.name, data['token']), + self.api.env.container_otp, self.api.env.basedn) + sr.setComponentByName('tokenDN', str(token_dn)) rc = ldap.controls.RequestControl(sr.OID, True, encoder.encode(sr)) -- 1.9.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
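Review bot: The new `try` branch takes any string from the POST body that parses as a DN and passes it verbatim into the `tokenDN` field of the sync control, so the client rather than the server picks which entry gets synchronized, and nothing in this hunk restricts that entry to the OTP container or to a token owned by the authenticating user; only the `except ValueError` fallback builds the DN under the container. Unless the directory-side sync plugin enforces ownership itself (not visible here), the parsed DN should be checked against the same suffix the fallback uses, e.g. `if not token_dn.endswith(DN(self.api.env.container_otp, self.api.env.basedn)):` followed by the method's bad-request response, so that a DN outside the OTP container is rejected before the control is built. The enclosing `sync_token` method starts before and continues after the hunk, so the error path itself is outside this view.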
Re: [Freeipa-devel] [PATCH 0055] Add /session/token_sync POST support
On Wed, 2014-06-25 at 13:21 +0300, Alexander Bokovoy wrote: On Tue, 24 Jun 2014, Nathaniel McCallum wrote: On Mon, 2014-06-02 at 23:07 -0400, Nathaniel McCallum wrote: This HTTP call takes the following parameters: * user * password * first_code * second_code * token (optional) Using this information, the server will perform token synchronization. If the token is not specified, all tokens will be searched for synchronization. Otherwise, only the token specified will be searched. This patch depends on my patch #0054. Attached is a new revision. This version should force an update to /etc/httpd/conf.d/ipa.conf on update. It is also rebased on master. ACK with condition that you apply attached fixups. Since token that is passed by 'ipa otptoken-sync' command is not a full DN, we need to support both cases, when DN and just a name is passed. Attached patch fixes this. Applied. Nathaniel From a044f461b5233bd93417f7fd7acdd8e158a67fb8 Mon Sep 17 00:00:00 2001 From: Nathaniel McCallum npmccal...@redhat.com Date: Wed, 28 May 2014 11:38:40 -0400 Subject: [PATCH] Add /session/token_sync POST support This HTTP call takes the following parameters: * user * password * first_code * second_code * token (optional) Using this information, the server will perform token synchronization. If the token is not specified, all tokens will be searched for synchronization. Otherwise, only the token specified will be searched. --- install/conf/ipa.conf | 8 ++- ipaserver/plugins/ldap2.py | 14 -- ipaserver/plugins/xmlserver.py | 3 +- ipaserver/rpcserver.py | 110 +++-- 4 files changed, 126 insertions(+), 9 deletions(-) diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf index f4dac9827bd0251463aade5854fd522e4306e468..7eede73efc559967925d2bbfeee54e1e2efd3e21 100644 --- a/install/conf/ipa.conf +++ b/install/conf/ipa.conf @@ -1,5 +1,5 @@ # -# VERSION 15 - DO NOT REMOVE THIS LINE +# VERSION 16 - DO NOT REMOVE THIS LINE # # This file may be overwritten on upgrades. # 
@@ -103,6 +103,12 @@ KrbConstrainedDelegationLock ipa Allow from all /Location +Location /ipa/session/sync_token + Satisfy Any + Order Deny,Allow + Allow from all +/Location + # This is where we redirect on failed auth Alias /ipa/errors /usr/share/ipa/html diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py index cfcec7c803215459cad2c08adae26a44099f2982..888f085b9f251bc933bc15c24a14b4107d4d4784 100644 --- a/ipaserver/plugins/ldap2.py +++ b/ipaserver/plugins/ldap2.py @@ -93,7 +93,7 @@ class ldap2(LDAPClient, CrudBackend): def create_connection(self, ccache=None, bind_dn=None, bind_pw='', tls_cacertfile=None, tls_certfile=None, tls_keyfile=None, -debug_level=0, autobind=False): +debug_level=0, autobind=False, serverctrls=None, clientctrls=None): Connect to LDAP server. @@ -151,16 +151,22 @@ class ldap2(LDAPClient, CrudBackend): context=krbV.default_context()).principal().name os.environ['KRB5CCNAME'] = ccache -conn.sasl_interactive_bind_s(None, SASL_GSSAPI) +conn.sasl_interactive_bind_s(None, SASL_GSSAPI, + serverctrls=serverctrls, + clientctrls=clientctrls) setattr(context, 'principal', principal) else: # no kerberos ccache, use simple bind or external sasl if autobind: pent = pwd.getpwuid(os.geteuid()) auth_tokens = _ldap.sasl.external(pent.pw_name) -conn.sasl_interactive_bind_s(None, auth_tokens) +conn.sasl_interactive_bind_s(None, auth_tokens, + serverctrls=serverctrls, + clientctrls=clientctrls) else: -conn.simple_bind_s(bind_dn, bind_pw) +conn.simple_bind_s(bind_dn, bind_pw, + serverctrls=serverctrls, + clientctrls=clientctrls) return conn diff --git a/ipaserver/plugins/xmlserver.py b/ipaserver/plugins/xmlserver.py index 8d96262cf52f04620aeb5223002f4794e18cc0de..7460ead69a12fbe1b4613908f62787f3d26a1cde 100644 --- a/ipaserver/plugins/xmlserver.py +++ b/ipaserver/plugins/xmlserver.py 
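Review bot: The new `<Location /ipa/session/sync_token>` block opens an endpoint that receives a user password and two OTP codes from anonymous clients (`Satisfy Any` / `Allow from all`), so it needs the same protections as the existing `login_password` location: confirm that the enclosing `/ipa` configuration already enforces TLS for this path (any `SSLRequireSSL` directive is outside the hunk) and that the handler feeds failed attempts into the same lockout accounting as a normal login, since this path authenticates a password without going through `/session/login_password`. The path also disagrees with the patch subject and description, which call it `/session/token_sync`; one of the two should be corrected before commit. The same hunk is repeated in the two earlier revisions quoted further down the thread.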
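Review bot: `create_connection` gains `serverctrls` and `clientctrls` in the `@@ -93,7` hunk, but the docstring that follows (`Connect to LDAP server.`) is not extended, so callers cannot tell from the documentation that the controls are attached only to the bind call and not to later operations on the returned connection. Describe the two new keyword arguments in the docstring, e.g. `serverctrls: LDAP server controls sent with the bind request (default None)` and `clientctrls: LDAP client controls applied to the bind request (default None)`, matching whatever parameter style the rest of the docstring uses. The method body continues past the hunk; the same change is repeated in the earlier revisions quoted further down the thread.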
@@ -25,7 +25,7 @@ Loads WSGI server plugins. from ipalib import api if 'in_server' in api.env and api.env.in_server is True: -from ipaserver.rpcserver import wsgi_dispatch, xmlserver, jsonserver_kerb, jsonserver_session, login_kerberos, login_password, change_password, xmlserver_session +from ipaserver.rpcserver import wsgi_dispatch, xmlserver, jsonserver_kerb, jsonserver_session, login_kerberos, login_password,
Re: [Freeipa-devel] [PATCH 0055] Add /session/token_sync POST support
On Mon, 2014-06-02 at 23:07 -0400, Nathaniel McCallum wrote: This HTTP call takes the following parameters: * user * password * first_code * second_code * token (optional) Using this information, the server will perform token synchronization. If the token is not specified, all tokens will be searched for synchronization. Otherwise, only the token specified will be searched. This patch depends on my patch #0054. Attached is a new revision. This version should force an update to /etc/httpd/conf.d/ipa.conf on update. It is also rebased on master. Nathaniel From 000eaaccaa3bff59138674f4144303107bda37af Mon Sep 17 00:00:00 2001 From: Nathaniel McCallum npmccal...@redhat.com Date: Wed, 28 May 2014 11:38:40 -0400 Subject: [PATCH] Add /session/token_sync POST support This HTTP call takes the following parameters: * user * password * first_code * second_code * token (optional) Using this information, the server will perform token synchronization. If the token is not specified, all tokens will be searched for synchronization. Otherwise, only the token specified will be searched. --- install/conf/ipa.conf | 8 +++- ipaserver/plugins/ldap2.py | 14 -- ipaserver/plugins/xmlserver.py | 3 +- ipaserver/rpcserver.py | 106 +++-- 4 files changed, 122 insertions(+), 9 deletions(-) diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf index f4dac9827bd0251463aade5854fd522e4306e468..7eede73efc559967925d2bbfeee54e1e2efd3e21 100644 --- a/install/conf/ipa.conf +++ b/install/conf/ipa.conf @@ -1,5 +1,5 @@ # -# VERSION 15 - DO NOT REMOVE THIS LINE +# VERSION 16 - DO NOT REMOVE THIS LINE # # This file may be overwritten on upgrades. # @@ -103,6 +103,12 @@ KrbConstrainedDelegationLock ipa Allow from all /Location +Location /ipa/session/sync_token + Satisfy Any + Order Deny,Allow + Allow from all +/Location + # This is where we redirect on failed auth Alias /ipa/errors /usr/share/ipa/html 
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py index cfcec7c803215459cad2c08adae26a44099f2982..888f085b9f251bc933bc15c24a14b4107d4d4784 100644 --- a/ipaserver/plugins/ldap2.py +++ b/ipaserver/plugins/ldap2.py @@ -93,7 +93,7 @@ class ldap2(LDAPClient, CrudBackend): def create_connection(self, ccache=None, bind_dn=None, bind_pw='', tls_cacertfile=None, tls_certfile=None, tls_keyfile=None, -debug_level=0, autobind=False): +debug_level=0, autobind=False, serverctrls=None, clientctrls=None): Connect to LDAP server. @@ -151,16 +151,22 @@ class ldap2(LDAPClient, CrudBackend): context=krbV.default_context()).principal().name os.environ['KRB5CCNAME'] = ccache -conn.sasl_interactive_bind_s(None, SASL_GSSAPI) +conn.sasl_interactive_bind_s(None, SASL_GSSAPI, + serverctrls=serverctrls, + clientctrls=clientctrls) setattr(context, 'principal', principal) else: # no kerberos ccache, use simple bind or external sasl if autobind: pent = pwd.getpwuid(os.geteuid()) auth_tokens = _ldap.sasl.external(pent.pw_name) -conn.sasl_interactive_bind_s(None, auth_tokens) +conn.sasl_interactive_bind_s(None, auth_tokens, + serverctrls=serverctrls, + clientctrls=clientctrls) else: -conn.simple_bind_s(bind_dn, bind_pw) +conn.simple_bind_s(bind_dn, bind_pw, + serverctrls=serverctrls, + clientctrls=clientctrls) return conn diff --git a/ipaserver/plugins/xmlserver.py b/ipaserver/plugins/xmlserver.py index 8d96262cf52f04620aeb5223002f4794e18cc0de..7460ead69a12fbe1b4613908f62787f3d26a1cde 100644 --- a/ipaserver/plugins/xmlserver.py +++ b/ipaserver/plugins/xmlserver.py 
@@ -25,7 +25,7 @@ Loads WSGI server plugins. from ipalib import api if 'in_server' in api.env and api.env.in_server is True: -from ipaserver.rpcserver import wsgi_dispatch, xmlserver, jsonserver_kerb, jsonserver_session, login_kerberos, login_password, change_password, xmlserver_session +from ipaserver.rpcserver import wsgi_dispatch, xmlserver, jsonserver_kerb, jsonserver_session, login_kerberos, login_password, change_password, sync_token, xmlserver_session api.register(wsgi_dispatch) api.register(xmlserver) api.register(jsonserver_kerb) @@ -33,4 +33,5 @@ if 'in_server' in api.env and api.env.in_server is True: api.register(login_kerberos) api.register(login_password) api.register(change_password) +api.register(sync_token)
[Freeipa-devel] [PATCH 0055] Add /session/token_sync POST support
This HTTP call takes the following parameters: * user * password * first_code * second_code * token (optional) Using this information, the server will perform token synchronization. If the token is not specified, all tokens will be searched for synchronization. Otherwise, only the token specified will be searched. This patch depends on my patch #0054. From 95c8b1fb47192ecc75a66817f922f7191aad1ebc Mon Sep 17 00:00:00 2001 From: Nathaniel McCallum npmccal...@redhat.com Date: Wed, 28 May 2014 11:38:40 -0400 Subject: [PATCH] Add /session/token_sync POST support This HTTP call takes the following parameters: * user * password * first_code * second_code * token (optional) Using this information, the server will perform token synchronization. If the token is not specified, all tokens will be searched for synchronization. Otherwise, only the token specified will be searched. --- install/conf/ipa.conf | 6 +++ ipaserver/plugins/ldap2.py | 14 -- ipaserver/plugins/xmlserver.py | 3 +- ipaserver/rpcserver.py | 106 +++-- 4 files changed, 121 insertions(+), 8 deletions(-) diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf index f4dac9827bd0251463aade5854fd522e4306e468..9a6abcc66846046dcc547b439928f5796218a69b 100644 --- a/install/conf/ipa.conf +++ b/install/conf/ipa.conf @@ -103,6 +103,12 @@ KrbConstrainedDelegationLock ipa Allow from all /Location +Location /ipa/session/sync_token + Satisfy Any + Order Deny,Allow + Allow from all +/Location + # This is where we redirect on failed auth Alias /ipa/errors /usr/share/ipa/html diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py index aa9a001c6c64d5e8e94316ab2f736993ce6903ee..07ece8e5bc8fc70d8c09464ed636c5085ed07371 100644 --- a/ipaserver/plugins/ldap2.py +++ b/ipaserver/plugins/ldap2.py 
@@ -93,7 +93,7 @@ class ldap2(LDAPClient, CrudBackend): def create_connection(self, ccache=None, bind_dn=None, bind_pw='', tls_cacertfile=None, tls_certfile=None, tls_keyfile=None, -debug_level=0, autobind=False): +debug_level=0, autobind=False, serverctrls=None, clientctrls=None): Connect to LDAP server. @@ -151,16 +151,22 @@ class ldap2(LDAPClient, CrudBackend): context=krbV.default_context()).principal().name os.environ['KRB5CCNAME'] = ccache -conn.sasl_interactive_bind_s(None, SASL_GSSAPI) +conn.sasl_interactive_bind_s(None, SASL_GSSAPI, + serverctrls=serverctrls, + clientctrls=clientctrls) setattr(context, 'principal', principal) else: # no kerberos ccache, use simple bind or external sasl if autobind: pent = pwd.getpwuid(os.geteuid()) auth_tokens = _ldap.sasl.external(pent.pw_name) -conn.sasl_interactive_bind_s(None, auth_tokens) +conn.sasl_interactive_bind_s(None, auth_tokens, + serverctrls=serverctrls, + clientctrls=clientctrls) else: -conn.simple_bind_s(bind_dn, bind_pw) +conn.simple_bind_s(bind_dn, bind_pw, + serverctrls=serverctrls, + clientctrls=clientctrls) return conn diff --git a/ipaserver/plugins/xmlserver.py b/ipaserver/plugins/xmlserver.py index 8d96262cf52f04620aeb5223002f4794e18cc0de..7460ead69a12fbe1b4613908f62787f3d26a1cde 100644 --- a/ipaserver/plugins/xmlserver.py +++ b/ipaserver/plugins/xmlserver.py @@ -25,7 +25,7 @@ Loads WSGI server plugins. from ipalib import api if 'in_server' in api.env and api.env.in_server is True: -from ipaserver.rpcserver import wsgi_dispatch, xmlserver, jsonserver_kerb, jsonserver_session, login_kerberos, login_password, change_password, xmlserver_session +from ipaserver.rpcserver import wsgi_dispatch, xmlserver, jsonserver_kerb, jsonserver_session, login_kerberos, login_password, change_password, sync_token, xmlserver_session api.register(wsgi_dispatch) api.register(xmlserver) api.register(jsonserver_kerb) 
@@ -33,4 +33,5 @@ if 'in_server' in api.env and api.env.in_server is True: api.register(login_kerberos) api.register(login_password) api.register(change_password) +api.register(sync_token) api.register(xmlserver_session) diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py index edce2365464f71e2a073e13b309bf12bc25cf510..404f86802a8527314e9af09dd604f7ebd039d9fb 100644 --- a/ipaserver/rpcserver.py +++ b/ipaserver/rpcserver.py @@ -30,6 +30,10 @@ import datetime import urlparse import json +import ldap.controls +from pyasn1.type import univ, namedtype