Re: [Freeipa-devel] KDC proxy URI records

2017-04-28 Thread Christian Heimes
On 2017-04-27 14:00, Martin Bašti wrote:
> 
> 
> On 26.04.2017 20:41, Simo Sorce wrote:
>> On Wed, 2017-04-26 at 12:57 +0200, Martin Bašti wrote:
>>> On 25.04.2017 16:57, Martin Bašti wrote:
 Hello all,

 I'm going to implement automatic URI records for kdc proxy and I'd
 like to clarify if following URI records are the right one.


 _kerberos-adm.example.com. IN URI  0
 "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy;

 _krb5kdc.example.com. IN URI  0
 "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy;

 _kpasswd.example.com. IN URI  0
 "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy;


 I assume we want to use "kkdcp" and "https", and "M" flag as all IPA
 servers are masters, please confirm.


 Sources:

 https://k5wiki.kerberos.org/wiki/Projects/KDC_Discovery

 https://tools.ietf.org/id/draft-mccallum-kitten-krb-service-discovery-02.txt




 Thank you

>>> I found out that wiki page differs from the RFC draft and from the
>>> source in git
>>>
>>> There is "_kerberos.REALM" record instead of "_krb5kdc.REALM"
>>>
>>>
>>> And I'm not sure if _kerberos-adm should be included as we don't really
>>> support kadmin.
>> We shouldn't.
>>
>> Simo.
>>
> 
> I would like to discuss consequences of adding kdc URI records:
> 
> 1. basically all ipa clients enrolled using autodiscovery will use
> kdcproxy instead of KDC on port 88, because URI takes precedence over
> SRV in KRB5 client implementation. Are we ok with such a big change?

Update: It's correct that URI records have a higher priority than SRV
records. A client with URI discovery support will never check SRV
records when it is able to retrieve URI records. For newer clients we
have to include TCP and UDP URI records, too.

I did some testing. MIT KRB5 prefers UDP/TCP over MSKKDP for records
with same priority. That fact is not stated in the RFC. I'm writing a
mail to Nathaniel and Simo to discuss the matter.

Christian

-- 
Christian Heimes
Senior Software Engineer, Identity Management and Platform Security

Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael
O'Neill, Eric Shander



signature.asc
Description: OpenPGP digital signature
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] KDC proxy URI records

2017-04-28 Thread Martin Bašti



On 28.04.2017 09:32, Martin Kosek wrote:

On 04/27/2017 04:16 PM, Simo Sorce wrote:

On Thu, 2017-04-27 at 15:56 +0200, Petr Vobornik wrote:

On 04/27/2017 02:19 PM, Christian Heimes wrote:

On 2017-04-27 14:00, Martin Bašti wrote:

I would like to discuss consequences of adding kdc URI records:

1. basically all ipa clients enrolled using autodiscovery will
use
kdcproxy instead of KDC on port 88, because URI takes precedence
over
SRV in KRB5 client implementation. Are we ok with such a big
change?

Does the client also prefer KKDCP if you give the Kerberos 88/UDP
and
88/TCP URIs a higher priority than the KKDCP HTTPS URIs?


2. probably client installer must be updated because currently
with
CA-full installation it is not working.

ipa-client-install (with autodiscovery) failed on kinit, see
KRB5_TRACE
bellow that it refuses self signed certificate

Actually it is not a self-sigend EE certificate. The validation
message
is bogus because FreeIPA TLS configuration is slightly buggy. We
send
the trust anchor (root CA) although a server should not include its
trust anchor in its ServerHello message. OpenSSL detects an
untrusted
root CA in the ServerHello peer chain and emits the message.

If I read the 600 lines (!) function
ipaclient.install.client._install
correctly, then ipa-client-install first attempts to negotiate a
TGT and
then installs the trust anchor in the global trust store. It should
be
enough to reverse the order and inject the trust anchor first.

Christian


By reading this, even if we do the change in client install, I'd
rather
not generate the DNS records in 4.5.1 release and rather make sure
that
everything works during 4.6 development.

I agree. My original assumption why I suggested this RFE was that it would be
very contained change and only used only by clients that do not have classic
Kerberos ports available. Given how much it influences rest of the framework,
we indeed should not push on it in a bugfix release.


The reason is that there might also be something else not working and
it
is better to time test it + the fix would not fix older clients.

If anybody wants to use/try it, then the records can be created
manually.



We need to ix clients regardless, o someone enabling it will find the
same issues.

Right. Can someone please file the ticket so that it can be triaged later?


ticket is here https://pagure.io/freeipa/issue/6906



Thanks,
Martin


--
Martin Bašti
Software Engineer
Red Hat Czech

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] KDC proxy URI records

2017-04-28 Thread Martin Kosek
On 04/27/2017 04:16 PM, Simo Sorce wrote:
> On Thu, 2017-04-27 at 15:56 +0200, Petr Vobornik wrote:
>> On 04/27/2017 02:19 PM, Christian Heimes wrote:
>>> On 2017-04-27 14:00, Martin Bašti wrote:
 I would like to discuss consequences of adding kdc URI records:

 1. basically all ipa clients enrolled using autodiscovery will
 use
 kdcproxy instead of KDC on port 88, because URI takes precedence
 over
 SRV in KRB5 client implementation. Are we ok with such a big
 change?
>>>
>>> Does the client also prefer KKDCP if you give the Kerberos 88/UDP
>>> and
>>> 88/TCP URIs a higher priority than the KKDCP HTTPS URIs?
>>>
 2. probably client installer must be updated because currently
 with
 CA-full installation it is not working.

 ipa-client-install (with autodiscovery) failed on kinit, see
 KRB5_TRACE
 bellow that it refuses self signed certificate
>>>
>>> Actually it is not a self-sigend EE certificate. The validation
>>> message
>>> is bogus because FreeIPA TLS configuration is slightly buggy. We
>>> send
>>> the trust anchor (root CA) although a server should not include its
>>> trust anchor in its ServerHello message. OpenSSL detects an
>>> untrusted
>>> root CA in the ServerHello peer chain and emits the message.
>>>
>>> If I read the 600 lines (!) function
>>> ipaclient.install.client._install
>>> correctly, then ipa-client-install first attempts to negotiate a
>>> TGT and
>>> then installs the trust anchor in the global trust store. It should
>>> be
>>> enough to reverse the order and inject the trust anchor first.
>>>
>>> Christian
>>>
>>
>> By reading this, even if we do the change in client install, I'd
>> rather 
>> not generate the DNS records in 4.5.1 release and rather make sure
>> that 
>> everything works during 4.6 development.

I agree. My original assumption why I suggested this RFE was that it would be
very contained change and only used only by clients that do not have classic
Kerberos ports available. Given how much it influences rest of the framework,
we indeed should not push on it in a bugfix release.

>> The reason is that there might also be something else not working and
>> it 
>> is better to time test it + the fix would not fix older clients.
>>
>> If anybody wants to use/try it, then the records can be created
>> manually.
> 
> 
> 
> We need to ix clients regardless, o someone enabling it will find the
> same issues.

Right. Can someone please file the ticket so that it can be triaged later?


Thanks,
Martin

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] KDC proxy URI records

2017-04-27 Thread Christian Heimes
On 2017-04-27 16:16, Martin Bašti wrote:
> 
> 
> On 27.04.2017 14:19, Christian Heimes wrote:
>> On 2017-04-27 14:00, Martin Bašti wrote:
>>> I would like to discuss consequences of adding kdc URI records:
>>>
>>> 1. basically all ipa clients enrolled using autodiscovery will use
>>> kdcproxy instead of KDC on port 88, because URI takes precedence over
>>> SRV in KRB5 client implementation. Are we ok with such a big change?
>> Does the client also prefer KKDCP if you give the Kerberos 88/UDP and
>> 88/TCP URIs a higher priority than the KKDCP HTTPS URIs?
> 
> It should use 88/TCP, 88/UDP then, it can be a way how to avoid issues
> with clients.
Small correction: Kerberos should prefer UDP over TCP.

Christian

-- 
Christian Heimes
Senior Software Engineer, Identity Management and Platform Security

Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael
O'Neill, Eric Shander



signature.asc
Description: OpenPGP digital signature
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] KDC proxy URI records

2017-04-27 Thread Simo Sorce
On Thu, 2017-04-27 at 15:56 +0200, Petr Vobornik wrote:
> On 04/27/2017 02:19 PM, Christian Heimes wrote:
> > On 2017-04-27 14:00, Martin Bašti wrote:
> > > I would like to discuss consequences of adding kdc URI records:
> > > 
> > > 1. basically all ipa clients enrolled using autodiscovery will
> > > use
> > > kdcproxy instead of KDC on port 88, because URI takes precedence
> > > over
> > > SRV in KRB5 client implementation. Are we ok with such a big
> > > change?
> > 
> > Does the client also prefer KKDCP if you give the Kerberos 88/UDP
> > and
> > 88/TCP URIs a higher priority than the KKDCP HTTPS URIs?
> > 
> > > 2. probably client installer must be updated because currently
> > > with
> > > CA-full installation it is not working.
> > > 
> > > ipa-client-install (with autodiscovery) failed on kinit, see
> > > KRB5_TRACE
> > > bellow that it refuses self signed certificate
> > 
> > Actually it is not a self-sigend EE certificate. The validation
> > message
> > is bogus because FreeIPA TLS configuration is slightly buggy. We
> > send
> > the trust anchor (root CA) although a server should not include its
> > trust anchor in its ServerHello message. OpenSSL detects an
> > untrusted
> > root CA in the ServerHello peer chain and emits the message.
> > 
> > If I read the 600 lines (!) function
> > ipaclient.install.client._install
> > correctly, then ipa-client-install first attempts to negotiate a
> > TGT and
> > then installs the trust anchor in the global trust store. It should
> > be
> > enough to reverse the order and inject the trust anchor first.
> > 
> > Christian
> > 
> 
> By reading this, even if we do the change in client install, I'd
> rather 
> not generate the DNS records in 4.5.1 release and rather make sure
> that 
> everything works during 4.6 development.
> 
> The reason is that there might also be something else not working and
> it 
> is better to time test it + the fix would not fix older clients.
> 
> If anybody wants to use/try it, then the records can be created
> manually.



We need to ix clients regardless, o someone enabling it will find the
same issues.

Simo.


-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] KDC proxy URI records

2017-04-27 Thread Martin Bašti



On 27.04.2017 14:19, Christian Heimes wrote:

On 2017-04-27 14:00, Martin Bašti wrote:

I would like to discuss consequences of adding kdc URI records:

1. basically all ipa clients enrolled using autodiscovery will use
kdcproxy instead of KDC on port 88, because URI takes precedence over
SRV in KRB5 client implementation. Are we ok with such a big change?

Does the client also prefer KKDCP if you give the Kerberos 88/UDP and
88/TCP URIs a higher priority than the KKDCP HTTPS URIs?


It should use 88/TCP, 88/UDP then, it can be a way how to avoid issues 
with clients.





2. probably client installer must be updated because currently with
CA-full installation it is not working.

ipa-client-install (with autodiscovery) failed on kinit, see KRB5_TRACE
bellow that it refuses self signed certificate

Actually it is not a self-sigend EE certificate. The validation message
is bogus because FreeIPA TLS configuration is slightly buggy. We send
the trust anchor (root CA) although a server should not include its
trust anchor in its ServerHello message. OpenSSL detects an untrusted
root CA in the ServerHello peer chain and emits the message.

If I read the 600 lines (!) function ipaclient.install.client._install
correctly, then ipa-client-install first attempts to negotiate a TGT and
then installs the trust anchor in the global trust store. It should be
enough to reverse the order and inject the trust anchor first.


Most likely, I haven't checked deeper



Christian




--
Martin Bašti
Software Engineer
Red Hat Czech

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] KDC proxy URI records

2017-04-27 Thread Petr Vobornik

On 04/27/2017 02:19 PM, Christian Heimes wrote:

On 2017-04-27 14:00, Martin Bašti wrote:

I would like to discuss consequences of adding kdc URI records:

1. basically all ipa clients enrolled using autodiscovery will use
kdcproxy instead of KDC on port 88, because URI takes precedence over
SRV in KRB5 client implementation. Are we ok with such a big change?


Does the client also prefer KKDCP if you give the Kerberos 88/UDP and
88/TCP URIs a higher priority than the KKDCP HTTPS URIs?


2. probably client installer must be updated because currently with
CA-full installation it is not working.

ipa-client-install (with autodiscovery) failed on kinit, see KRB5_TRACE
bellow that it refuses self signed certificate


Actually it is not a self-sigend EE certificate. The validation message
is bogus because FreeIPA TLS configuration is slightly buggy. We send
the trust anchor (root CA) although a server should not include its
trust anchor in its ServerHello message. OpenSSL detects an untrusted
root CA in the ServerHello peer chain and emits the message.

If I read the 600 lines (!) function ipaclient.install.client._install
correctly, then ipa-client-install first attempts to negotiate a TGT and
then installs the trust anchor in the global trust store. It should be
enough to reverse the order and inject the trust anchor first.

Christian



By reading this, even if we do the change in client install, I'd rather 
not generate the DNS records in 4.5.1 release and rather make sure that 
everything works during 4.6 development.


The reason is that there might also be something else not working and it 
is better to time test it + the fix would not fix older clients.


If anybody wants to use/try it, then the records can be created manually.
--
Petr Vobornik

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] KDC proxy URI records

2017-04-27 Thread Christian Heimes
On 2017-04-27 14:00, Martin Bašti wrote:
> I would like to discuss consequences of adding kdc URI records:
> 
> 1. basically all ipa clients enrolled using autodiscovery will use
> kdcproxy instead of KDC on port 88, because URI takes precedence over
> SRV in KRB5 client implementation. Are we ok with such a big change?

Does the client also prefer KKDCP if you give the Kerberos 88/UDP and
88/TCP URIs a higher priority than the KKDCP HTTPS URIs?

> 2. probably client installer must be updated because currently with
> CA-full installation it is not working.
> 
> ipa-client-install (with autodiscovery) failed on kinit, see KRB5_TRACE
> bellow that it refuses self signed certificate

Actually it is not a self-sigend EE certificate. The validation message
is bogus because FreeIPA TLS configuration is slightly buggy. We send
the trust anchor (root CA) although a server should not include its
trust anchor in its ServerHello message. OpenSSL detects an untrusted
root CA in the ServerHello peer chain and emits the message.

If I read the 600 lines (!) function ipaclient.install.client._install
correctly, then ipa-client-install first attempts to negotiate a TGT and
then installs the trust anchor in the global trust store. It should be
enough to reverse the order and inject the trust anchor first.

Christian


-- 
Christian Heimes
Senior Software Engineer, Identity Management and Platform Security

Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael
O'Neill, Eric Shander



signature.asc
Description: OpenPGP digital signature
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] KDC proxy URI records

2017-04-27 Thread Martin Bašti



On 26.04.2017 20:41, Simo Sorce wrote:

On Wed, 2017-04-26 at 12:57 +0200, Martin Bašti wrote:

On 25.04.2017 16:57, Martin Bašti wrote:

Hello all,

I'm going to implement automatic URI records for kdc proxy and I'd
like to clarify if following URI records are the right one.


_kerberos-adm.example.com. IN URI  0
"krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy;

_krb5kdc.example.com. IN URI  0
"krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy;

_kpasswd.example.com. IN URI  0
"krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy;


I assume we want to use "kkdcp" and "https", and "M" flag as all IPA
servers are masters, please confirm.


Sources:

https://k5wiki.kerberos.org/wiki/Projects/KDC_Discovery

https://tools.ietf.org/id/draft-mccallum-kitten-krb-service-discovery-02.txt



Thank you


I found out that wiki page differs from the RFC draft and from the
source in git

There is "_kerberos.REALM" record instead of "_krb5kdc.REALM"


And I'm not sure if _kerberos-adm should be included as we don't really
support kadmin.

We shouldn't.

Simo.



I would like to discuss consequences of adding kdc URI records:

1. basically all ipa clients enrolled using autodiscovery will use 
kdcproxy instead of KDC on port 88, because URI takes precedence over 
SRV in KRB5 client implementation. Are we ok with such a big change?


2. probably client installer must be updated because currently with 
CA-full installation it is not working.


ipa-client-install (with autodiscovery) failed on kinit, see KRB5_TRACE 
bellow that it refuses self signed certificate



Realm: IPA.TEST
DNS Domain: ipa.test
IPA Server: master.ipa.test
BaseDN: dc=ipa,dc=test

Continue to configure the system with these values? [no]: y
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin
Password for ad...@ipa.test:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=IPA.TEST
Issuer:  CN=Certificate Authority,O=IPA.TEST
Valid From:  2017-04-27 11:02:28
Valid Until: 2037-04-27 11:02:28

Enrolled in IPA realm IPA.TEST
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm IPA.TEST
trying https://master.ipa.test/ipa/json
Forwarding 'schema' to json server 'https://master.ipa.test/ipa/json'
Major (851968): Unspecified GSS failure.  Minor code may provide more 
information, Minor (2529639068): Cannot contact any KDC for realm 'IPA.TEST'
The ipa-client-install command failed. See 
/var/log/ipaclient-install.log for more information


[root@client1 ~]# KRB5_TRACE=/dev/stderr kinit admin
[25690] 1493293387.746616: Getting initial credentials for ad...@ipa.test
[25690] 1493293387.750307: Sending request (164 bytes) to IPA.TEST
[25690] 1493293387.751468: Resolving hostname master.ipa.test
[25690] 1493293387.765261: TLS certificate error at 1 (O=IPA.TEST, 
CN=Certificate Authority): 19 (self signed certificate in certificate chain)
[25690] 1493293387.765680: TLS error: error:14090086:SSL 
routines:ssl3_get_server_certificate:certificate verify failed

[25690] 1493293387.765807: HTTPS error sending to https 192.168.138.101:443
[25690] 1493293387.766873: Terminating TCP connection to https 
192.168.138.101:443
kinit: Cannot contact any KDC for realm 'IPA.TEST' while getting initial 
credentials



IMHO we have to update krb5.conf or add IPA CA cert to trusted 
certificates, I'm afraid that URI records may break already installed 
clients (when updated to krb5-workstation), I have to test it.


--
Martin Bašti
Software Engineer
Red Hat Czech

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] KDC proxy URI records

2017-04-26 Thread Simo Sorce
On Wed, 2017-04-26 at 12:57 +0200, Martin Bašti wrote:
> 
> On 25.04.2017 16:57, Martin Bašti wrote:
> > Hello all,
> >
> > I'm going to implement automatic URI records for kdc proxy and I'd 
> > like to clarify if following URI records are the right one.
> >
> >
> > _kerberos-adm.example.com. IN URI  0 
> > "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy;
> >
> > _krb5kdc.example.com. IN URI  0 
> > "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy;
> >
> > _kpasswd.example.com. IN URI  0 
> > "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy;
> >
> >
> > I assume we want to use "kkdcp" and "https", and "M" flag as all IPA 
> > servers are masters, please confirm.
> >
> >
> > Sources:
> >
> > https://k5wiki.kerberos.org/wiki/Projects/KDC_Discovery
> >
> > https://tools.ietf.org/id/draft-mccallum-kitten-krb-service-discovery-02.txt
> >  
> >
> >
> >
> > Thank you
> >
> 
> I found out that wiki page differs from the RFC draft and from the 
> source in git
> 
> There is "_kerberos.REALM" record instead of "_krb5kdc.REALM"
> 
> 
> And I'm not sure if _kerberos-adm should be included as we don't really 
> support kadmin.

We shouldn't.

Simo.

-- 
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc


-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] KDC proxy URI records

2017-04-26 Thread Martin Bašti



On 25.04.2017 16:57, Martin Bašti wrote:

Hello all,

I'm going to implement automatic URI records for kdc proxy and I'd 
like to clarify if following URI records are the right one.



_kerberos-adm.example.com. IN URI  0 
"krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy;


_krb5kdc.example.com. IN URI  0 
"krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy;


_kpasswd.example.com. IN URI  0 
"krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy;



I assume we want to use "kkdcp" and "https", and "M" flag as all IPA 
servers are masters, please confirm.



Sources:

https://k5wiki.kerberos.org/wiki/Projects/KDC_Discovery

https://tools.ietf.org/id/draft-mccallum-kitten-krb-service-discovery-02.txt 




Thank you



I found out that wiki page differs from the RFC draft and from the 
source in git


There is "_kerberos.REALM" record instead of "_krb5kdc.REALM"


And I'm not sure if _kerberos-adm should be included as we don't really 
support kadmin.


--
Martin Bašti
Software Engineer
Red Hat Czech

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code