Re: [Freeipa-devel] [PATCH] 18 Use TLS for ipadiscovery during ipa client install

2011-02-21 Thread Rob Crittenden

JR Aquino wrote:

On 2/17/11 9:46 AM, Jan Zeleny jzel...@redhat.com wrote:


JR Aquino jr.aqu...@citrix.com wrote:

Let's try now. Attached is the corrected patch.

There were several spots in ipa-client-install where the server could be
defined and it was getting missed.
I have omitted any change to ipa-client-install and instead just focused
on ipadiscovery.py

ipadiscovery.py now performs its own fetch of the CACert just to be
sure.

Regarding TLS vs LDAPS.

LDAP over SSL was common in LDAP Version 2 (LDAPv2) but it was never
standardized in any formal specification. This usage has been deprecated
along with LDAPv2, which was officially retired in 2003.

LDAPS is still supported, but considered deprecated in favor of TLS as
defined in RFC2830.

On 2/17/11 2:01 AM, Jan Zelený jzel...@redhat.com wrote:

JR Aquino jr.aqu...@citrix.com wrote:

This patch addresses the need to utilize TLS when using the
ipa-client-install tool. It addresses ticket:
https://fedorahosted.org/freeipa/ticket/974


Nack, running ipa-client-install returned this error:

# ipa-client-install
Retrieving CA from None failed.
Command '/usr/bin/wget -O /etc/ipa/ca.crt http://None/ipa/config/ca.crt'
returned non-zero exit status 4


One more question - shouldn't you use ldaps directly to connect to the
server?
Jan



Sorry, I have to Nack it again, the patch seems incomplete, since it is only
adding some cacert fetching code to IPADiscovery.

Jan


Please ignore previous patches for #18. Attached is the replacement all-inclusive
patch for this ticket.


Per Rob:
ipadiscovery should not attempt to create the /etc/ipa/ca.crt rather, it
should populate a tempdir with the temp cert for the initial discovery
bind.

Attached is the full patch to provide both TLS and the safer wget of the
ca.crt to a temporary directory created by tempfile.mkdtemp()

Please verify that ipa-client-install from a separate machine functions as
expected against a FreeIPA server which is set to nsslapd-minssf: 56




It looks ok except for the try/except around the tempfile. If it fails 
all heck is gonna break loose. We should raise a RuntimeError in that case.


rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 18 Use TLS for ipadiscovery during ipa client install

2011-02-21 Thread Jan Zeleny
Rob Crittenden rcrit...@redhat.com wrote:
 JR Aquino wrote:
  On 2/17/11 9:46 AM, Jan Zeleny jzel...@redhat.com wrote:
  JR Aquino jr.aqu...@citrix.com wrote:
  Let's try now. Attached is the corrected patch.
  
  There were several spots in ipa-client-install where the server could
  be defined and it was getting missed.
  I have omitted any change to ipa-client-install and instead just
  focused on ipadiscovery.py
  
  ipadiscovery.py now performs its own fetch of the CACert just to be
  sure.
  
  Regarding TLS vs LDAPS.
  
  LDAP over SSL was common in LDAP Version 2 (LDAPv2) but it was never
  standardized in any formal specification. This usage has been
  deprecated along with LDAPv2, which was officially retired in 2003.
  
  LDAPS is still supported, but considered deprecated in favor of TLS as
  defined in RFC2830.
  
  On 2/17/11 2:01 AM, Jan Zelený jzel...@redhat.com wrote:
  JR Aquino jr.aqu...@citrix.com wrote:
  This patch addresses the need to utilize TLS when using the
  ipa-client-install tool. It addresses ticket:
  https://fedorahosted.org/freeipa/ticket/974
  
  Nack, running ipa-client-install returned this error:
  
  # ipa-client-install
  Retrieving CA from None failed.
  Command '/usr/bin/wget -O /etc/ipa/ca.crt http://None/ipa/config/ca.crt'
  returned non-zero exit status 4
  
  
  One more question - shouldn't you use ldaps directly to connect to the
  server?
  Jan
  
  Sorry, I have to Nack it again, the patch seems incomplete, since it is only
  adding some cacert fetching code to IPADiscovery.
  
  Jan
  
  Please ignore previous patches for #18. Attached is the replacement
  all-inclusive patch for this ticket.
  
  
  Per Rob:
  ipadiscovery should not attempt to create the /etc/ipa/ca.crt rather, it
  should populate a tempdir with the temp cert for the initial discovery
  bind.
  
  Attached is the full patch to provide both TLS and the safer wget of the
  ca.crt to a temporary directory created by tempfile.mkdtemp()
  
  Please verify that ipa-client-install from a separate machine functions
  as expected against a FreeIPA server which is set to nsslapd-minssf: 56
 
 It looks ok except for the try/except around the tempfile. If it fails
 all heck is gonna break loose. We should raise a RuntimeError in that case.
 
 rob

Agreed, I had more or less the same comment prepared.

Jan



Re: [Freeipa-devel] [PATCH] 18 Use TLS for ipadiscovery during ipa client install

2011-02-21 Thread JR Aquino
On 2/21/11 10:46 AM, Jan Zeleny jzel...@redhat.com wrote:

Rob Crittenden rcrit...@redhat.com wrote:
 JR Aquino wrote:
  On 2/17/11 9:46 AM, Jan Zeleny jzel...@redhat.com wrote:
  JR Aquino jr.aqu...@citrix.com wrote:
  Let's try now. Attached is the corrected patch.
  
  There were several spots in ipa-client-install where the server could
  be defined and it was getting missed.
  I have omitted any change to ipa-client-install and instead just
  focused on ipadiscovery.py
  
  ipadiscovery.py now performs its own fetch of the CACert just to be
  sure.
  
  Regarding TLS vs LDAPS.
  
  LDAP over SSL was common in LDAP Version 2 (LDAPv2) but it was never
  standardized in any formal specification. This usage has been
  deprecated along with LDAPv2, which was officially retired in 2003.
  
  LDAPS is still supported, but considered deprecated in favor of TLS as
  defined in RFC2830.
  
  On 2/17/11 2:01 AM, Jan Zelený jzel...@redhat.com wrote:
  JR Aquino jr.aqu...@citrix.com wrote:
  This patch addresses the need to utilize TLS when using the
  ipa-client-install tool. It addresses ticket:
  https://fedorahosted.org/freeipa/ticket/974
  
  Nack, running ipa-client-install returned this error:
  
  # ipa-client-install
  Retrieving CA from None failed.
  Command '/usr/bin/wget -O /etc/ipa/ca.crt http://None/ipa/config/ca.crt'
  returned non-zero exit status 4
  
  
  One more question - shouldn't you use ldaps directly to connect to the
  server?
  Jan
  
  Sorry, I have to Nack it again, the patch seems incomplete, since it is
  only adding some cacert fetching code to IPADiscovery.
  
  Jan
  
  Please ignore previous patches for #18. Attached is the replacement
  all-inclusive patch for this ticket.
  
  
  Per Rob:
  ipadiscovery should not attempt to create the /etc/ipa/ca.crt rather, it
  should populate a tempdir with the temp cert for the initial discovery
  bind.
  
  Attached is the full patch to provide both TLS and the safer wget of the
  ca.crt to a temporary directory created by tempfile.mkdtemp()
  
  Please verify that ipa-client-install from a separate machine functions
  as expected against a FreeIPA server which is set to nsslapd-minssf: 56
 
 It looks ok except for the try/except around the tempfile. If it fails
 all heck is gonna break loose. We should raise a RuntimeError in that case.
 
 rob

Agreed, I had more or less the same comment prepared.

Correction made, patch attached.

    except OSError, e:
        raise RuntimeError("Creating temporary directory failed: %s" % str(e))



Attachment: freeipa-jraquino-0018-Use-TLS-for-ipadiscovery-during-ipa-client.patch

Re: [Freeipa-devel] [PATCH] 18 Use TLS for ipadiscovery during ipa client install

2011-02-21 Thread JR Aquino
On 2/21/11 11:18 AM, JR Aquino jr.aqu...@citrix.com wrote:

On 2/21/11 10:46 AM, Jan Zeleny jzel...@redhat.com wrote:

Rob Crittenden rcrit...@redhat.com wrote:
 JR Aquino wrote:
  On 2/17/11 9:46 AM, Jan Zeleny jzel...@redhat.com wrote:
  JR Aquino jr.aqu...@citrix.com wrote:
  Let's try now. Attached is the corrected patch.
  
  There were several spots in ipa-client-install where the server could
  be defined and it was getting missed.
  I have omitted any change to ipa-client-install and instead just
  focused on ipadiscovery.py
  
  ipadiscovery.py now performs its own fetch of the CACert just to be
  sure.
  
  Regarding TLS vs LDAPS.
  
  LDAP over SSL was common in LDAP Version 2 (LDAPv2) but it was never
  standardized in any formal specification. This usage has been
  deprecated along with LDAPv2, which was officially retired in 2003.
  
  LDAPS is still supported, but considered deprecated in favor of TLS as
  defined in RFC2830.
  
  On 2/17/11 2:01 AM, Jan Zelený jzel...@redhat.com wrote:
  JR Aquino jr.aqu...@citrix.com wrote:
  This patch addresses the need to utilize TLS when using the
  ipa-client-install tool. It addresses ticket:
  https://fedorahosted.org/freeipa/ticket/974
  
  Nack, running ipa-client-install returned this error:
  
  # ipa-client-install
  Retrieving CA from None failed.
  Command '/usr/bin/wget -O /etc/ipa/ca.crt http://None/ipa/config/ca.crt'
  returned non-zero exit status 4
  
  
  One more question - shouldn't you use ldaps directly to connect to the
  server?
  Jan
  
  Sorry, I have to Nack it again, the patch seems incomplete, since it is
  only adding some cacert fetching code to IPADiscovery.
  
  Jan
  
  Please ignore previous patches for #18. Attached is the replacement
  all-inclusive patch for this ticket.
  
  
  Per Rob:
  ipadiscovery should not attempt to create the /etc/ipa/ca.crt rather, it
  should populate a tempdir with the temp cert for the initial discovery
  bind.
  
  Attached is the full patch to provide both TLS and the safer wget of the
  ca.crt to a temporary directory created by tempfile.mkdtemp()
  
  Please verify that ipa-client-install from a separate machine functions
  as expected against a FreeIPA server which is set to nsslapd-minssf: 56
 
 It looks ok except for the try/except around the tempfile. If it fails
 all heck is gonna break loose. We should raise a RuntimeError in that case.
 
 rob

Agreed, I had more or less the same comment prepared.

Correction made, patch attached.

    except OSError, e:
        raise RuntimeError("Creating temporary directory failed: %s" % str(e))

In the spirit of consistency, I have corrected a section further down where
sys.exit is called instead of raising the exception.

I have also broken out the removal of the temp files in a finally clause.

Please review, and confirm that it meets with your approval.




Attachment: freeipa-jraquino-0018-Use-TLS-for-ipadiscovery-during-ipa-client.patch
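The thread settles on three things: the discovery bind should use StartTLS (RFC 2830) rather than LDAPS, the CA certificate should live only in a tempfile.mkdtemp() directory instead of being written to /etc/ipa/ca.crt, and failures should raise RuntimeError with cleanup in a finally clause rather than call sys.exit. The following is an added example that puts those three points together; it is not code from the patch or from FreeIPA, and it is Python 3 where the patch excerpt above is Python 2. The StartTLS extended request and response are hand-encoded in BER so the example runs offline with no python-ldap and no server. The fetch_ca and send_recv callables, the "ipa-discovery-" prefix, the sample PEM text and the stand-in server replies are assumptions made for the example; the real installer would plug wget and a genuine TLS socket in their place.

```python
"""Added example (not FreeIPA's code): discovery bind over StartTLS with a
CA certificate that exists only inside a tempfile.mkdtemp() directory."""
import os
import shutil
import tempfile

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 2830 StartTLS extended operation


def _ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    """One BER tag-length-value element."""
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _ber_int(value):
    """INTEGER with minimal two's-complement contents (non-negative values only)."""
    return _tlv(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big"))


def _read_tlv(data, pos):
    """Return (tag, contents, position after the element) for the TLV at data[pos]."""
    tag, first = data[pos], data[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(data[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, data[pos:pos + length], pos + length


def starttls_request(message_id):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }"""
    request_name = _tlv(0x80, STARTTLS_OID)     # [0] context-specific, primitive
    extended_req = _tlv(0x77, request_name)     # 0x60 | 23: APPLICATION 23, constructed
    return _tlv(0x30, _ber_int(message_id) + extended_req)


def starttls_response(message_id, result_code, diagnostic=b""):
    """ExtendedResponse [APPLICATION 24] { resultCode, matchedDN, diagnosticMessage }.
    Constructed stand-in for what a server sends back; LDAP result codes are all
    below 128, so the ENUMERATED contents fit in one octet."""
    body = _tlv(0x0A, bytes([result_code])) + _tlv(0x04, b"") + _tlv(0x04, diagnostic)
    return _tlv(0x30, _ber_int(message_id) + _tlv(0x78, body))


def parse_starttls_response(data):
    """Return (message_id, result_code, diagnostic); RuntimeError if malformed."""
    try:
        tag, body, _ = _read_tlv(data, 0)
        msg_tag, msgid, pos = _read_tlv(body, 0)
        resp_tag, resp, _ = _read_tlv(body, pos)
        if tag != 0x30 or msg_tag != 0x02 or resp_tag != 0x78:
            raise RuntimeError("expected LDAPMessage/ExtendedResponse, got tag 0x%02x" % resp_tag)
        _, code, pos = _read_tlv(resp, 0)           # resultCode ENUMERATED
        _, _matched_dn, pos = _read_tlv(resp, pos)  # matchedDN, unused here
        _, diag, _ = _read_tlv(resp, pos)           # diagnosticMessage
    except IndexError:
        raise RuntimeError("truncated LDAP response")
    return int.from_bytes(msgid, "big"), int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def discovery_bind_with_temp_ca(fetch_ca, send_recv, parent=None):
    """fetch_ca() returns PEM bytes (wget in the installer); send_recv(request, ca_path)
    returns the raw reply after trusting ca_path for TLS.  Both are injected so this
    runs offline.  Returns the temporary CA path, which is already gone on return."""
    try:
        tmpdir = tempfile.mkdtemp(prefix="ipa-discovery-", dir=parent)
    except OSError as e:
        raise RuntimeError("Creating temporary directory failed: %s" % e)
    try:
        try:
            pem = fetch_ca()
        except Exception as e:                      # wget exit status, HTTP error, ...
            raise RuntimeError("Retrieving CA failed: %s" % e)
        ca_path = os.path.join(tmpdir, "ca.crt")
        with open(ca_path, "wb") as fh:
            fh.write(pem)
        # StartTLS has to succeed before the bind: with nsslapd-minssf: 56 the
        # server rejects a bind attempted on a cleartext connection.
        msg_id, code, diag = parse_starttls_response(send_recv(starttls_request(1), ca_path))
        if msg_id != 1 or code != 0:
            raise RuntimeError("StartTLS refused (result %d): %s" % (code, diag))
        return ca_path
    finally:
        shutil.rmtree(tmpdir, ignore_errors=True)   # nothing left behind, in /etc/ipa or elsewhere


if __name__ == "__main__":
    pem = b"-----BEGIN CERTIFICATE-----\nconstructed placeholder\n-----END CERTIFICATE-----\n"
    path = discovery_bind_with_temp_ca(lambda: pem, lambda req, ca: starttls_response(1, 0))
    print("StartTLS accepted; temporary CA removed:", not os.path.exists(path))
```

The two error paths Rob and Jan asked for are both exercised: a failing fetch and a refused StartTLS each surface as RuntimeError, and in every case the finally clause removes the directory, so a caller catching the exception never finds a stray ca.crt on disk.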

Re: [Freeipa-devel] [PATCH] 18 Use TLS for ipadiscovery during ipa client install

2011-02-17 Thread Jan Zelený
JR Aquino jr.aqu...@citrix.com wrote:
 This patch addresses the need to utilize TLS when using the
 ipa-client-install tool. It addresses ticket:
 https://fedorahosted.org/freeipa/ticket/974

Nack, running ipa-client-install returned this error:

# ipa-client-install
Retrieving CA from None failed.
Command '/usr/bin/wget -O /etc/ipa/ca.crt http://None/ipa/config/ca.crt' 
returned non-zero exit status 4


One more question - shouldn't you use ldaps directly to connect to the server?
Jan



Re: [Freeipa-devel] [PATCH] 18 Use TLS for ipadiscovery during ipa client install

2011-02-17 Thread JR Aquino
Let's try now. Attached is the corrected patch.

There were several spots in ipa-client-install where the server could be
defined and it was getting missed.
I have omitted any change to ipa-client-install and instead just focused
on ipadiscovery.py

ipadiscovery.py now performs its own fetch of the CACert just to be sure.

Regarding TLS vs LDAPS.

LDAP over SSL was common in LDAP Version 2 (LDAPv2) but it was never
standardized in any formal specification. This usage has been deprecated
along with LDAPv2, which was officially retired in 2003.

LDAPS is still supported, but considered deprecated in favor of TLS as
defined in RFC2830.

On 2/17/11 2:01 AM, Jan Zelený jzel...@redhat.com wrote:

JR Aquino jr.aqu...@citrix.com wrote:
 This patch addresses the need to utilize TLS when using the
 ipa-client-install tool. It addresses ticket:
 https://fedorahosted.org/freeipa/ticket/974

Nack, running ipa-client-install returned this error:

# ipa-client-install
Retrieving CA from None failed.
Command '/usr/bin/wget -O /etc/ipa/ca.crt http://None/ipa/config/ca.crt'
returned non-zero exit status 4


One more question - shouldn't you use ldaps directly to connect to the
server?
Jan



Attachment: freeipa-jraquino-0018-2-Use-TLS-for-ipadiscovery-during-ipa-client-inst.patch

Re: [Freeipa-devel] [PATCH] 18 Use TLS for ipadiscovery during ipa client install

2011-02-17 Thread Jan Zeleny
JR Aquino jr.aqu...@citrix.com wrote:
 Let's try now. Attached is the corrected patch.
 
 There were several spots in ipa-client-install where the server could be
 defined and it was getting missed.
 I have omitted any change to ipa-client-install and instead just focused
 on ipadiscovery.py
 
 ipadiscovery.py now performs its own fetch of the CACert just to be sure.
 
 Regarding TLS vs LDAPS.
 
 LDAP over SSL was common in LDAP Version 2 (LDAPv2) but it was never
 standardized in any formal specification. This usage has been deprecated
 along with LDAPv2, which was officially retired in 2003.
 
 LDAPS is still supported, but considered deprecated in favor of TLS as
 defined in RFC2830.
 
 On 2/17/11 2:01 AM, Jan Zelený jzel...@redhat.com wrote:
 JR Aquino jr.aqu...@citrix.com wrote:
  This patch addresses the need to utilize TLS when using the
  ipa-client-install tool. It addresses ticket:
  https://fedorahosted.org/freeipa/ticket/974
 
 Nack, running ipa-client-install returned this error:
 
 # ipa-client-install
 Retrieving CA from None failed.
 Command '/usr/bin/wget -O /etc/ipa/ca.crt http://None/ipa/config/ca.crt'
 returned non-zero exit status 4
 
 
 One more question - shouldn't you use ldaps directly to connect to the
 server?
 Jan


Sorry, I have to Nack it again, the patch seems incomplete, since it is only
adding some cacert fetching code to IPADiscovery.

Jan



Re: [Freeipa-devel] [PATCH] 18 Use TLS for ipadiscovery during ipa client install

2011-02-17 Thread JR Aquino
On 2/17/11 9:46 AM, Jan Zeleny jzel...@redhat.com wrote:

JR Aquino jr.aqu...@citrix.com wrote:
 Let's try now. Attached is the corrected patch.
 
 There were several spots in ipa-client-install where the server could be
 defined and it was getting missed.
 I have omitted any change to ipa-client-install and instead just focused
 on ipadiscovery.py
 
 ipadiscovery.py now performs its own fetch of the CACert just to be sure.
 
 Regarding TLS vs LDAPS.
 
 LDAP over SSL was common in LDAP Version 2 (LDAPv2) but it was never
 standardized in any formal specification. This usage has been deprecated
 along with LDAPv2, which was officially retired in 2003.
 
 LDAPS is still supported, but considered deprecated in favor of TLS as
 defined in RFC2830.
 
 On 2/17/11 2:01 AM, Jan Zelený jzel...@redhat.com wrote:
 JR Aquino jr.aqu...@citrix.com wrote:
  This patch addresses the need to utilize TLS when using the
  ipa-client-install tool. It addresses ticket:
  https://fedorahosted.org/freeipa/ticket/974
 
 Nack, running ipa-client-install returned this error:
 
 # ipa-client-install
 Retrieving CA from None failed.
 Command '/usr/bin/wget -O /etc/ipa/ca.crt http://None/ipa/config/ca.crt'
 returned non-zero exit status 4
 
 
 One more question - shouldn't you use ldaps directly to connect to the
 server?
 Jan


Sorry, I have to Nack it again, the patch seems incomplete, since it is only
adding some cacert fetching code to IPADiscovery.

Jan

Please ignore previous patches for #18. Attached is the replacement all-inclusive
patch for this ticket.


Per Rob:
ipadiscovery should not attempt to create the /etc/ipa/ca.crt rather, it
should populate a tempdir with the temp cert for the initial discovery
bind.

Attached is the full patch to provide both TLS and the safer wget of the
ca.crt to a temporary directory created by tempfile.mkdtemp()

Please verify that ipa-client-install from a separate machine functions as
expected against a FreeIPA server which is set to nsslapd-minssf: 56




Attachment: freeipa-jraquino-0018-Use-TLS-for-ipadiscovery-during-ipa-client-install.patch