[Freeipa-devel] Re: SoftHSM and certmonger
Alexander Bokovoy via FreeIPA-devel wrote:
> Hi Rob,
>
> I was trying to set up a configuration where certmonger would generate and track a key in an NSS database with an HSM token. I used SoftHSMv2 for the token.
>
> The script roughly describing what I did is attached. You need to put SELinux in permissive as it would be messing up on certmonger's access.
>
> On Rawhide it creates a private key in the HSM but is unable to store a public key of the certificate there. Rawhide has p11-kit proxy active and that complicates things because any NSS db gets the p11-kit-proxy.so PKCS11 module injected via crypto-policy:
>
> # cat /etc/crypto-policies/back-ends/nss.config
> library=
> name=Policy
> NSS=flags=policyOnly,moduleDB
> config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:camellia256-cbc:aes128-gcm:aes128-cbc:camellia128-cbc:SHA256:SHA384:SHA512:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=2048:RSA-MIN=2048"
>
> name=p11-kit-proxy
> library=p11-kit-proxy.so
>
> When p11-kit-proxy.so is injected, it makes all configured PKCS11 modules available in all NSS databases. Even if my script tries to insert an explicit PKCS11 module into the database used for a certificate generation, I can skip that on Rawhide as p11-kit-proxy does it for me:
>
> # certutil -d sql:my-token -U
>
>     slot: NSS User Private Key and Certificate Services
>    token: NSS Certificate DB
>      uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=;model=NSS%203
>
>     slot: NSS Internal Cryptographic Services
>    token: NSS Generic Crypto Services
>      uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=;model=NSS%203
>
>     slot: SoftHSM slot ID 0x5489b984
>    token: HSM
>      uri: pkcs11:token=HSM;manufacturer=SoftHSM%20project;serial=396d3e3c5489b984;model=SoftHSM%20v2
>
>     slot: SoftHSM slot ID 0x1cf72acc
>    token: my-token
>      uri: pkcs11:token=my-token;manufacturer=SoftHSM%20project;serial=77cb41421cf72acc;model=SoftHSM%20v2
>
> Anyway, even if I disable this injection with NSS_IGNORE_SYSTEM_POLICY=1, it doesn't help because the environment variable has to be specified for the certmonger process too. I tried that as well and it doesn't help, so there seems to be a bug with certmonger's processing of PKCS11 modules in NSS and p11-kit proxying is not really changing that.
>
> Certmonger is confused when it doesn't succeed in unlocking a token even if it is a wrong token:
>
> # certmonger -S -p /var/run/certmonger.pid -n -d 2
> 2018-08-21 17:42:15 [26673] Changing to root directory.
> 2018-08-21 17:42:15 [26673] Obtaining system lock.
> 2018-08-21 17:42:15 [26677] Token is named "NSS Generic Crypto Services", not "NSS Certificate DB", skipping.
> 2018-08-21 17:42:15 [26677] Token is named "HSM", not "NSS Certificate DB", skipping.
> 2018-08-21 17:42:15 [26677] Token is named "my-token", not "NSS Certificate DB", skipping.
> 2018-08-21 17:42:15 [26678] Error authenticating to token "HSM".
> 2018-08-21 17:42:15 [26679] Error authenticating to cert db.
> 2018-08-21 17:42:15 [26679] Error authenticating to cert db.
> 2018-08-21 17:42:15 [26679] Error locating certificate.
> 2018-08-21 17:42:15 [26680] Token is named "NSS Certificate DB", not "my-token", skipping.
> 2018-08-21 17:42:15 [26680] Token is named "HSM", not "my-token", skipping.
> 2018-08-21 17:42:15 [26681] Token is named "NSS Certificate DB", not "my-token", skipping.
> 2018-08-21 17:42:15 [26681] Token is named "NSS Generic Crypto Services", not "my-token", skipping.
> 2018-08-21 17:42:15 [26681] Token is named "HSM", not "my-token", skipping.
> 2018-08-21 17:42:15 [26681] Error locating certificate.
> 2018-08-21 17:42:17 [26733] Certificate "Local Signing Authority" valid for 29682906s.
> 2018-08-21 17:42:17 [26731] Error authenticating to token "HSM".
> 2018-08-21 17:42:20 [26673] No hooks set for pre-save command.
> 2018-08-21 17:42:21 [26750] PIN was not needed to auth to key store, though one was provided. Treating this as an error.
> 2018-08-21 17:42:21 [26750] Error shutting down NSS.
>
> Somehow, it doesn't see my token at all but still manages to store the private key there. It then leaves the request in a state NEED_CERTSAVE_PIN:
>
> # getcert list -i 20180821173352
> Number of certificates and requests being tracked: 4.
> Request ID '20180821173352':
>     status: NEED_CERTSAVE_PIN
>     stuck: yes
>     key pair storage: type=NSSDB,location='sql:/root/test-token/my-token',nickname='my-cert',token='my-token',pin set
>     certificate: type=NSSDB,location='sql:/root/test-token/my-token',nickname='my-cert',token='my-token'
>     CA: SelfSign
>     issuer:
>     subject:
>     expires: unknown
>     pre-save command:
[Freeipa-devel] [freeipa PR#2266][opened] Fix the uninstall test, execute in the nightly runs
URL: https://github.com/freeipa/freeipa/pull/2266 Author: rcritten Title: #2266: Fix the uninstall test, execute in the nightly runs Action: opened PR body: """ I'm not sure what changed that caused the test to start failing. We didn't notice until now because the test wasn't executed in the nightlies. Rather than only trying to stop dirsrv when it was running just brute-force always try to shut it down. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/2266/head:pr2266 git checkout pr2266 From dbc6ec0fb4ea15368f8989866570418d7d33e73c Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Tue, 21 Aug 2018 13:20:01 -0400 Subject: [PATCH 1/2] Fix uninstallation test, use different method to stop dirsrv The API may not be initialized so using ds.is_running() may fail. Call systemctl directly to ensure the dirsrv instance is stopped. Signed-off-by: Rob Crittenden --- ipatests/test_integration/test_uninstallation.py | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/ipatests/test_integration/test_uninstallation.py b/ipatests/test_integration/test_uninstallation.py index ccdf5b3c8a..274f4b3ee2 100644 --- a/ipatests/test_integration/test_uninstallation.py +++ b/ipatests/test_integration/test_uninstallation.py @@ -52,10 +52,9 @@ def test_failed_uninstall(self): # be marked as uninstalled so server cert will still be # tracked and the instances may remain. This can cause # subsequent installations to fail so be thorough. -ds = dsinstance.DsInstance() -ds_running = ds.is_running() -if ds_running: -ds.stop(serverid) +dashed_domain = self.master.domain.realm.replace(".", '-') +dirsrv_service = "dirsrv@%s.service" % dashed_domain +self.master.run_command(['systemctl', 'stop', dirsrv_service]) # Moving it back should allow the uninstall to finish # successfully. 
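Review bot: in the @@ -52,10 +52,9 @@ hunk, `dashed_domain = self.master.domain.realm.replace(".", '-')` derives the instance name from the realm but names the variable after the domain, and the removed code already had a `serverid` in scope (it was passed to ds.stop(serverid), and the next hunk still passes it to stop_tracking_certificates); if serverid already holds the dashed realm, reuse it instead of recomputing it, otherwise at least name the variable after what it contains. The comment above the call should also say what a non-zero exit from `systemctl stop` means for the test: the old path silently did nothing when the instance was not running, and whether run_command raises on a non-zero exit is not visible in this hunk. Nit: the replace call mixes double and single quotes.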
@@ -66,6 +65,7 @@ def test_failed_uninstall(self): ]) # DS has been marked as uninstalled so force the issue +ds = dsinstance.DsInstance() ds.stop_tracking_certificates(serverid) self.master.run_command([ From 4d99d444b2cc0af3553f173abd651212549d2e2e Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Tue, 21 Aug 2018 13:23:27 -0400 Subject: [PATCH 2/2] Add test_uninstallation to nightly testing Signed-off-by: Rob Crittenden --- ipatests/prci_definitions/nightly_master.yaml | 12 ipatests/prci_definitions/nightly_rawhide.yaml | 12 2 files changed, 24 insertions(+) diff --git a/ipatests/prci_definitions/nightly_master.yaml b/ipatests/prci_definitions/nightly_master.yaml index c299e4138a..bfa658fc1c 100644 --- a/ipatests/prci_definitions/nightly_master.yaml +++ b/ipatests/prci_definitions/nightly_master.yaml @@ -544,6 +544,18 @@ jobs: timeout: 7200 topology: *master_1repl + fedora-28/test_uninstallation: +requires: [fedora-28/build] +priority: 50 +job: + class: RunPytest + args: +build_url: '{fedora-28/build_url}' +test_suite: test_integration/test_uninstallation.py +template: *ci-master-f28 +timeout: 7200 +topology: *master_1repl + fedora-28/test_topology_TestCASpecificRUVs: requires: [fedora-28/build] priority: 50 diff --git a/ipatests/prci_definitions/nightly_rawhide.yaml b/ipatests/prci_definitions/nightly_rawhide.yaml index 7856354ea7..042cff4ad7 100644 --- a/ipatests/prci_definitions/nightly_rawhide.yaml +++ b/ipatests/prci_definitions/nightly_rawhide.yaml 
@@ -544,6 +544,18 @@ jobs: timeout: 7200 topology: *master_1repl + fedora-28/test_uninstallation: +requires: [fedora-28/build] +priority: 50 +job: + class: RunPytest + args: +build_url: '{fedora-28/build_url}' +test_suite: test_integration/test_uninstallation.py +template: *ci-master-frawhide +timeout: 7200 +topology: *master_1repl + fedora-rawhide/test_topology: requires: [fedora-rawhide/build] priority: 50 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/freeipa-devel@lists.fedorahosted.org/message/SXNWSAIFYV5JX6M4ARYETJIVV3LVBGO5/
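Review bot: in the nightly_rawhide.yaml hunk the new job is keyed as fedora-28/test_uninstallation with requires: [fedora-28/build] and build_url: '{fedora-28/build_url}', while the adjacent fedora-rawhide/test_topology job in the same file depends on fedora-rawhide/build; only the template line (*ci-master-frawhide) was adapted when the block was copied from nightly_master.yaml. Rename the job to fedora-rawhide/test_uninstallation and point requires and build_url at fedora-rawhide/build, otherwise the rawhide nightly either fails to resolve its dependency or runs the Fedora 28 build on the rawhide template.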
[Freeipa-devel] SoftHSM and certmonger
Hi Rob,

I was trying to set up a configuration where certmonger would generate and track a key in an NSS database with an HSM token. I used SoftHSMv2 for the token.

The script roughly describing what I did is attached. You need to put SELinux in permissive as it would be messing up on certmonger's access.

On Rawhide it creates a private key in the HSM but is unable to store a public key of the certificate there. Rawhide has p11-kit proxy active and that complicates things because any NSS db gets the p11-kit-proxy.so PKCS11 module injected via crypto-policy:

# cat /etc/crypto-policies/back-ends/nss.config
library=
name=Policy
NSS=flags=policyOnly,moduleDB
config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:camellia256-cbc:aes128-gcm:aes128-cbc:camellia128-cbc:SHA256:SHA384:SHA512:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=2048:RSA-MIN=2048"

name=p11-kit-proxy
library=p11-kit-proxy.so

When p11-kit-proxy.so is injected, it makes all configured PKCS11 modules available in all NSS databases. Even if my script tries to insert an explicit PKCS11 module into the database used for a certificate generation, I can skip that on Rawhide as p11-kit-proxy does it for me:

# certutil -d sql:my-token -U

    slot: NSS User Private Key and Certificate Services
   token: NSS Certificate DB
     uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=;model=NSS%203

    slot: NSS Internal Cryptographic Services
   token: NSS Generic Crypto Services
     uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=;model=NSS%203

    slot: SoftHSM slot ID 0x5489b984
   token: HSM
     uri: pkcs11:token=HSM;manufacturer=SoftHSM%20project;serial=396d3e3c5489b984;model=SoftHSM%20v2

    slot: SoftHSM slot ID 0x1cf72acc
   token: my-token
     uri: pkcs11:token=my-token;manufacturer=SoftHSM%20project;serial=77cb41421cf72acc;model=SoftHSM%20v2

Anyway, even if I disable this injection with NSS_IGNORE_SYSTEM_POLICY=1, it doesn't help because the environment variable has to be specified for the certmonger process too. I tried that as well and it doesn't help, so there seems to be a bug with certmonger's processing of PKCS11 modules in NSS and p11-kit proxying is not really changing that.

Certmonger is confused when it doesn't succeed in unlocking a token even if it is a wrong token:

# certmonger -S -p /var/run/certmonger.pid -n -d 2
2018-08-21 17:42:15 [26673] Changing to root directory.
2018-08-21 17:42:15 [26673] Obtaining system lock.
2018-08-21 17:42:15 [26677] Token is named "NSS Generic Crypto Services", not "NSS Certificate DB", skipping.
2018-08-21 17:42:15 [26677] Token is named "HSM", not "NSS Certificate DB", skipping.
2018-08-21 17:42:15 [26677] Token is named "my-token", not "NSS Certificate DB", skipping.
2018-08-21 17:42:15 [26678] Error authenticating to token "HSM".
2018-08-21 17:42:15 [26679] Error authenticating to cert db.
2018-08-21 17:42:15 [26679] Error authenticating to cert db.
2018-08-21 17:42:15 [26679] Error locating certificate.
2018-08-21 17:42:15 [26680] Token is named "NSS Certificate DB", not "my-token", skipping.
2018-08-21 17:42:15 [26680] Token is named "HSM", not "my-token", skipping.
2018-08-21 17:42:15 [26681] Token is named "NSS Certificate DB", not "my-token", skipping.
2018-08-21 17:42:15 [26681] Token is named "NSS Generic Crypto Services", not "my-token", skipping.
2018-08-21 17:42:15 [26681] Token is named "HSM", not "my-token", skipping.
2018-08-21 17:42:15 [26681] Error locating certificate.
2018-08-21 17:42:17 [26733] Certificate "Local Signing Authority" valid for 29682906s.
2018-08-21 17:42:17 [26731] Error authenticating to token "HSM".
2018-08-21 17:42:20 [26673] No hooks set for pre-save command.
2018-08-21 17:42:21 [26750] PIN was not needed to auth to key store, though one was provided. Treating this as an error.
2018-08-21 17:42:21 [26750] Error shutting down NSS.

Somehow, it doesn't see my token at all but still manages to store the private key there. It then leaves the request in a state NEED_CERTSAVE_PIN:

# getcert list -i 20180821173352
Number of certificates and requests being tracked: 4.
Request ID '20180821173352':
    status: NEED_CERTSAVE_PIN
    stuck: yes
    key pair storage: type=NSSDB,location='sql:/root/test-token/my-token',nickname='my-cert',token='my-token',pin set
    certificate: type=NSSDB,location='sql:/root/test-token/my-token',nickname='my-cert',token='my-token'
    CA: SelfSign
    issuer:
    subject:
    expires: unknown
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes

If I look at the SoftHSMv2 token directly (via pkcs11-tool), I can see that the key and the cert are both there:

# pkcs11-tool --module /usr/lib64/pkcs11/libsofthsm2.so --token-label my-token -l -p
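The certutil listing and the certmonger debug output in the message above are enough to cross-check, without touching the token, whether the requested token is visible to NSS and which tokens certmonger actually tried to unlock with the PIN. The script below is an added example written for this page; it is not the script attached to the report (which is not on the page) and not certmonger or FreeIPA code. It assumes only the output formats shown in the message: it parses the `certutil -d <db> -U` token blocks, decodes each PKCS#11 URI, extracts certmonger's "Token is named ..., skipping" and "Error authenticating ..." messages, and reports the mismatch. The two sample inputs are constructed from the lines quoted above.

```python
"""Triage helper for a certmonger + NSS + PKCS#11 (SoftHSM) setup. Added example,
not the script attached to the report (which is not on the page)."""
import re
from urllib.parse import unquote

# Constructed sample: the token blocks of `certutil -d sql:my-token -U` from the report.
CERTUTIL_LISTING = """\
   token: NSS Certificate DB
     uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=;model=NSS%203

   token: NSS Generic Crypto Services
     uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=;model=NSS%203

   token: HSM
     uri: pkcs11:token=HSM;manufacturer=SoftHSM%20project;serial=396d3e3c5489b984;model=SoftHSM%20v2

   token: my-token
     uri: pkcs11:token=my-token;manufacturer=SoftHSM%20project;serial=77cb41421cf72acc;model=SoftHSM%20v2
"""

# Constructed sample: a subset of the `certmonger -n -d 2` lines from the report.
CERTMONGER_LOG = """\
2018-08-21 17:42:15 [26678] Error authenticating to token "HSM".
2018-08-21 17:42:15 [26679] Error authenticating to cert db.
2018-08-21 17:42:15 [26679] Error locating certificate.
2018-08-21 17:42:15 [26680] Token is named "NSS Certificate DB", not "my-token", skipping.
2018-08-21 17:42:15 [26680] Token is named "HSM", not "my-token", skipping.
2018-08-21 17:42:15 [26681] Token is named "NSS Generic Crypto Services", not "my-token", skipping.
2018-08-21 17:42:17 [26731] Error authenticating to token "HSM".
2018-08-21 17:42:21 [26750] PIN was not needed to auth to key store, though one was provided. Treating this as an error.
"""

LOG_LINE = re.compile(r"^(\S+ \S+) \[(\d+)\] (.*)$")
SKIP_MSG = re.compile(r'^Token is named "(.+)", not "(.+)", skipping\.$')
AUTH_MSG = re.compile(r'^Error authenticating to token "(.+)"\.$')


def parse_pkcs11_uri(uri):
    """Split 'pkcs11:k=v;k=v' into a dict, percent-decoding keys and values."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a PKCS#11 URI: %r" % uri)
    attrs = {}
    for part in filter(None, uri[len("pkcs11:"):].split(";")):
        key, _, value = part.partition("=")
        attrs[unquote(key)] = unquote(value)
    return attrs


def parse_certutil_listing(text):
    """Return one dict (token, uri, uri_attrs) per blank-line-separated block."""
    tokens = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.strip().partition(":")
            fields[key.strip()] = value.strip()
        fields["uri_attrs"] = parse_pkcs11_uri(fields["uri"])
        tokens.append(fields)
    return tokens


def parse_certmonger_log(text):
    """Return (pid, kind, detail) tuples for the token-related messages."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        pid, msg = int(m.group(2)), m.group(3)
        skip, auth = SKIP_MSG.match(msg), AUTH_MSG.match(msg)
        if skip:
            events.append((pid, "skip", {"seen": skip.group(1), "wanted": skip.group(2)}))
        elif auth or msg == "Error authenticating to cert db.":
            events.append((pid, "auth_failed", {"token": auth.group(1) if auth else "cert db"}))
        elif msg.startswith(("Error locating certificate", "PIN was not needed")):
            events.append((pid, "failure", {"message": msg}))
    return events


def diagnose(listing_text, log_text, wanted_token):
    """Cross-check what NSS exposes against what certmonger did with the PIN."""
    tokens = parse_certutil_listing(listing_text)
    events = parse_certmonger_log(log_text)
    auth_failed = []  # distinct tokens, in first-seen order
    for _pid, kind, detail in events:
        if kind == "auth_failed" and detail["token"] not in auth_failed:
            auth_failed.append(detail["token"])
    return {
        # decoded PKCS#11 URI attributes of the requested token, None if NSS does not list it
        "wanted_token_in_nss": next((t["uri_attrs"] for t in tokens
                                     if t["token"] == wanted_token), None),
        # tokens certmonger rejected while looking for the requested one
        "skipped_while_searching": sorted({d["seen"] for _p, k, d in events
                                           if k == "skip" and d["wanted"] == wanted_token}),
        "auth_failed_tokens": auth_failed,
        # a PIN failure on another token means the PIN never reached the requested one
        "pin_tried_on_other_token": [t for t in auth_failed if t != wanted_token],
        "other_failures": [d["message"] for _p, k, d in events if k == "failure"],
    }
```

On the sample data `diagnose(CERTUTIL_LISTING, CERTMONGER_LOG, "my-token")` shows my-token present in the NSS listing (with its SoftHSM serial), certmonger skipping the three other tokens while searching for it, and both authentication failures landing on "HSM" and the internal cert db rather than on my-token, which is the mismatch behind the NEED_CERTSAVE_PIN state in the getcert output above. Any value the daemon logs for a different token than the one in the request is the line to look at first.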
[Freeipa-devel] [freeipa PR#2265][opened] uninstall -v: remove Tracebacks
URL: https://github.com/freeipa/freeipa/pull/2265
Author: flo-renaud
Title: #2265: uninstall -v: remove Tracebacks
Action: opened

PR body:
"""
ipa-server-install --uninstall -v -U prints Traceback in its log file.
This issue happens because it calls subprocess.Popen with close_fds=True (which closes all file descriptors in the child process) but it is trying to use the file logger in the child process (preexec_fn is called in the child just before the child is executed).
The fix is using the logger only in the parent process.

Related to https://bugzilla.redhat.com/show_bug.cgi?id=1480502
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2265/head:pr2265
git checkout pr2265

From 3597eec2f9d5ba9cca0d64874160b975e32e2184 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud
Date: Tue, 21 Aug 2018 17:55:45 +0200
Subject: [PATCH] uninstall -v: remove Tracebacks

ipa-server-install --uninstall -v -U prints Traceback in its log file.
This issue happens because it calls subprocess.Popen with close_fds=True (which closes all file descriptors in the child process) but it is trying to use the file logger in the child process (preexec_fn is called in the child just before the child is executed).
The fix is using the logger only in the parent process.

Related to https://bugzilla.redhat.com/show_bug.cgi?id=1480502
---
 ipapython/ipautil.py | 23 ---
 1 file changed, 12 insertions(+), 11 deletions(-)

diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index e13cfbdf93..bfe54b2cbc 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -491,20 +491,21 @@ def run(args, stdin=None, raiseonerr=True, nolog=(), env=None, logger.debug('Starting external process') logger.debug('args=%s', arg_string) -def preexec_fn(): -if runas is not None: -pent = pwd.getpwnam(runas) +if runas is not None: +pent = pwd.getpwnam(runas) -suplementary_gids = [ -grp.getgrnam(sgroup).gr_gid for sgroup in suplementary_groups -] +suplementary_gids = [ +grp.getgrnam(sgroup).gr_gid for sgroup in suplementary_groups +] -logger.debug('runas=%s (UID %d, GID %s)', runas, - pent.pw_uid, pent.pw_gid) -if suplementary_groups: -for group, gid in zip(suplementary_groups, suplementary_gids): -logger.debug('suplementary_group=%s (GID %d)', group, gid) +logger.debug('runas=%s (UID %d, GID %s)', runas, + pent.pw_uid, pent.pw_gid) +if suplementary_groups: +for group, gid in zip(suplementary_groups, suplementary_gids): +logger.debug('suplementary_group=%s (GID %d)', group, gid) +def preexec_fn(): +if runas is not None: os.setgroups(suplementary_gids) os.setregid(pent.pw_gid, pent.pw_gid) os.setreuid(pent.pw_uid, pent.pw_uid) ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/freeipa-devel@lists.fedorahosted.org/message/OZRDBTJ4DY2F4Q7B2BY5GO626AOMLKLT/
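Review bot: moving the pwd.getpwnam(runas) and grp.getgrnam() lookups out of preexec_fn and into run() itself is the right fix for logging from the forked child, but it also changes when an unknown user or group surfaces: the KeyError is now raised in the parent before Popen is called rather than inside the child, which is a better failure mode but deserves a sentence in the commit message. Two smaller points in the same hunk: preexec_fn is still defined when runas is None and, if it is still handed to Popen in that case (not visible here), it runs as an empty callback on every fork, so passing None instead would be cleaner; and the moved `logger.debug('runas=%s (UID %d, GID %s)', ...)` line formats the UID with %d but the GID with %s.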
[Freeipa-devel] [freeipa PR#2264][opened] [Backport][ipa-4-7] Replace old login screen logo with new one
URL: https://github.com/freeipa/freeipa/pull/2264
Author: flo-renaud
Title: #2264: [Backport][ipa-4-7] Replace old login screen logo with new one
Action: opened

PR body:
"""
This PR was opened automatically because PR #2255 was pushed to master and backport to ipa-4-7 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2264/head:pr2264
git checkout pr2264

From 11a84d9638248053abb550056629d67538fb0c3f Mon Sep 17 00:00:00 2001
From: Serhii Tsymbaliuk
Date: Thu, 16 Aug 2018 10:20:15 +0200
Subject: [PATCH] Replace old login screen logo with new one

Related: https://pagure.io/freeipa/issue/7362
---
 install/ui/images/login-screen-logo.png | Bin 5802 -> 2233 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)
diff --git a/install/ui/images/login-screen-logo.png b/install/ui/images/login-screen-logo.png index 38f948efd770171ed922a80521e7fa576d8a172f..ad90e30c9649586ade4f2ae80f804a1182178e58 100644 GIT binary patch literal 2233 zcmV;q2uAmbP)s`BP`G34;=A85Y&)jq8-nj#Ja0ma_kf99bfBmV9 z>k~h_-?FV6SuLUSen0k5#@As;1o&0Z{SB9r7e&-Fz$gF_br}eBWOQzQdG-f4h9VCg zQZ7JQ(4CE_CX{?rn}DdcOeOjLd7-PR&P4|+mCn~R&Yz^9*+d>dDVcdgRMRgT^1q(S zTueyW3|P}Re-f_lkicXo?UkqxJ3F!#yj*bfa;kFDAteIDOFn|(5FzOTBuYMlp%x*j zHJ~i$&K6g9i;=vj<4VagrDPfKp1z6XWMy@{;}5#;N@i{*By9$i1>M;|5Xd$(c{Qsg zR2X^o`~6rq9+|gSM0vD{iE6XE((_(gaO_&La@592hLbgo^CwAqSJ3#VgM();j$i)9 z(l^4l85B|$a#sLeUB98Y9R@8x!sH`RNO{Ozsh~t_PO%7s5@68eBN#>z5*8q7$vn905F?j$%WwwM$fqi}?eHq}C6DXN7CFfh!O*c_R~A^I($f%y&%z=5LJM$0Qm?K7QraMSBQKB z35lRBg6o=c@59v{iuRmO8F^pra)blu$#(+B3_Wwmu#T{@Dz0_H00GuC&Yu)c3pbly zX$20RyD*_JWh1YsLs#&i3z4S@c=G7?h`a^G53$ml@f{fJG~{gpIGOgD@a!;5`z}P5 zQt5dML=o`#Fo^&;sGE&WMYtt^Q}X_Kp>8LR(eg4)uL4)Z|Md+Do-uek) z)UND_|D3IDrR249m&QL=vG_;|M!xO|goBvwdBsu!g@*=MLLtTC9~|b3G1RZy7yba5~ZYH@3(;+2J2|Xe(_yXR~L}p@0zrpnK}nJ?tb9(b;n600wE2hwcG^JTTD>)4aD?r zr$(B(S-9*^bg8wTnL4MwY2l){l86^d{n=o-hmyL2xO|DF{gMPItn^P!-7Iz%odiD8 zx%|iFacl9``r=9?9$0EWps&!P_ETD?tL_8gt=RxPW3V<5_{jxh3LuJfdnKUTq84Cx z%0#FrK5L1+!C)PSt&YVM!CSKdWV69~8R7Y8-Ft4DoyBcf_7gydrcFeIsE!haU0M8+ zE3JF2!90$z3Q|&|FP6T#HAeD^t6(prvhc6b;`dgKisA+=`*F-7ypk#rx_7VK=CYJu zYZUH6qygW)>Ae?~;H~ka)OLf*E1(t-C~k`td*JJ^w>BSm3;p6m0Y4*9xGR?9M3Awn zdP`^6wccR93G74UJW3S+a}4dSpi~}JMeR;v>c0oX5<%2zDvNeI2@o$bR#mU>47;`@ z*!>#Vc}_+?0^MsTv>!Uhj3w>BlMGy=3&=tqeC!hKhfgM$s1f0lZy(Q?wb%~Z*1R~o z#!Vhf0>JQ!(DwFmW;`Y!ZiihGA`j67fMFGZ_QN5EA|y;6oa_q(3XdZ8lk^m!{t%Sx zq@+f>y*+3Iiu|CW*8}0_iIVT>?i8ha3$U#>8HU1$uXYoPjRxx#Tq=)U&Z>TY#J4y2 zKPW={+vCIdh{RjB8I)=1oRA3dZ;uBGk49ZFD%pvzW>wsNzeIV^UG(ceJ*@vo67XyU zG1Y{zbj!QxrPU9{6ECs9#43s#P!e5)lDg7(-Ij;uZc?z<>UK5wk1YI}wo$;d5ye)6 zi?Lm{>*$EpduAEznq&uqlDYy!nQMZQ=c)2kIB``Tn!8CU>AlBAy>Gj^3wHeIz0dWr zYqubnmdzJOW^^pP{z~boSaApcmsk=+7(o73b}>Zo)@}vX8QeM&VemgnR(To_Wqy?w 
zwJX}~P#$z|(UJ$0k}0l^Eb||yfx`8`3kK`>>z!He;M?=PDA_0RSJ?z+LRs^?&4{t8 zU$bp1Z^xs}u@^bsnioJ!-xMxl%cE3#w4dLS`>*h->cxaze*iKyRyB6?=WBnu=*|7g zvPY!Z)>>eN&W(brA}VjYyT$nuJ3$eW|F?LInK1J^pPa~@cIuHR9-NPSfB0%&L{Vj-Z5+eZN7}FANPn!?qqCnsbAt z)w8i(dw?nZEGG%4EoaYj#+{o%qol@*$W~xnpQ|^4-(h#HAG(8+e!s<~dmp0PnvP`) zVQHhP=z}4N{cQaxMuumDJqfG}jNk;n^$g1~y*s#r|1$gso00&^!)4Qf0NkvXX Hu0mjf^jJt! literal 5802 zcmaJ_XE+?~zm^c92N6ACmFT-V8zoqs)mcPYEEZeX6^n$BMDM+`dh{NmBzlPwElMI< z5+OuMw2(ORp8xxv^WnT_u4`tV-!u1p|LV+#i7S#kuF76T+r_5FI zi|ZF!(mxN_@ES0@DaHlw3-?Bls5)aD5!^Z`xGTa00eANE8bT;;>IL{Wu+g*$m5@Z63FS0q{qu+#Puz>RcP0$9ozfDEwe2sfm*zc<3v zA8O|0@8P823{X+#RwRHg1W*V(oST61MB~5&CBR?0;EVO2Z6JXAF9_a43Gm-R!3>PJ z)iK@(ZW(cqm=j1A#4Rf!E+Hi?CnqP$EeVnU0YQ>L2}v;tIk1!@7zE<}&jGmb=I!hP zHi2mV$Jd3W1aQOSv0xz3*Vk9vS4te??Fy7oP*C`zAt@<#fe^#_q498n7#hd>w*mx# zbMi)F@kk7s`;Q{r5#xhb0$fD;-zlK5|Hz_o|0&Z&!GHuf7APSO`jgV%Km&vSABsZ# zgT~=a5dRbJ|0#?!^TQ&5CI}qH$J^Y~QBR32lgLA`R zxz$Z&xDDV=Nc123FT8;PSO<;6!_iI%9f%U(LO~pfbOvjx%gIa0$!mhtH9-;*8dCC- zvT_i4DH(`_yu73)NbYYg1mom`LZI<~bDjU;DuDi#`)3qT*bC1Pgg5d&!dcTBgW~=x zWiayJV}bmu-ha5x{~C+D#=mlb7r_AkH1>Zr`tPla>G`w#XKXKwe+D0czL<9Ji?J?? z_;#Iygz2UZMAeM2@ZOpdYdhojd(8Gj^=N(5JY&5WM-3~-H3v{Ai3F=D*poO4$|+J; zPfbLXWR&P2Gx1>fur#X6AU|1pv{C;mWgi(uH?)V5#;%TwgUv}VwX)Cpga7Q*PIf>Z zU!(y{KTSJuzinsnlYQs;>F@LRB1Or^=f9nnpDzz&cJ3L*(W_CBUSZ06gWo&Xr|ZoIXUq> zge};77)@|OJN-ahb=BD5+RAraS`b-~x}EyNlIo?AwU@Z5_w-^+n?Efl)5CPp$Gmd! 
zER)BfN*!Zqaj_?HlPe+{BGX^b0okJDSf!YtA{gDR{a?F5xrle?!*2ihqH zbh~U3hRu1RTF_Lcw8=S&^n*PAV80ACB)7qF=Q8!~|t8%SnLifIW;#XJ||&p;A7al`RzOF4}(6@-`?N$4FFn%ggsuMP0aYbN21mrO}pVeFdc6Rs1+Dv=)I z+nNsa1s`Mgiv*^X)!287NoPfp*maTsy(1P8ue01i0haW+^Y>ZNt0r?pE_U7Ob*q?o z6TD68F~_@Cnt`yhW$0B=di8G2RWMpcSd^_B(kdA{F@bW^j>{JdAn~xs(W3}85{%=4 zzg>O9!SrQ=i<~E{q+c4Ek)#PQ4P7%IJkhlgsKxtH>9jpE7+2BOs(FNL683TYH7HQS z_~A3FqwOT4{hE*c1AFN1!t3Lo*JEBLWcf&zNSGJ(b*svsSbFuhUrz-h)rY?U@O=Gx z0r7Pldz;NXigiBMH!^WVJ`WE=diMK2hyhmQIp3|8@!Whd%%23oZHX`iqgUTggPuB% z@<$t6_r(3wv`Atxb$Wp^Jrnczv_q(O+8L&NE!ifVdnT=Z9Pq@T!YER-$U?99*?YqDcfGXpudgJ_se zlmlJ4b8Kjq6q#!}-%`{74kT2+=)ct~3wgzEQl-`V$SY1tBdp@F(OLBU_hVHhzWCL{ zJGb2C>pmf*KaxJRu2~Kli5taRubzSo`Yid986xcp?s&U9Fw*WCWeeGsDIq~iHKsraJ@r%5?^epyVT>*r6+%wW%2 z%7z5$R(MODwx7CoYtO(%cigm}O@)HhWreGwR)}eD;^&^4zvgq1mf}zi)))daOpC5G zh+oY!Vi87&F1ISt+)SBkQ;AaN9S)
[Freeipa-devel] [freeipa PR#2255][closed] Replace old login screen logo with new one
URL: https://github.com/freeipa/freeipa/pull/2255
Author: serg-cymbaluk
Title: #2255: Replace old login screen logo with new one
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2255/head:pr2255
git checkout pr2255

List Archives: https://lists.fedoraproject.org/archives/list/freeipa-devel@lists.fedorahosted.org/message/QESPQUJ3YOS2BJZZ62SXKUWHUZ3CUERJ/
[Freeipa-devel] [freeipa PR#2258][closed] [Backport][ipa-4-7] Check if user permssions and umask 0022 is set after ipa-restore
URL: https://github.com/freeipa/freeipa/pull/2258
Author: Tiboris
Title: #2258: [Backport][ipa-4-7] Check if user permssions and umask 0022 is set after ipa-restore
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2258/head:pr2258
git checkout pr2258

List Archives: https://lists.fedoraproject.org/archives/list/freeipa-devel@lists.fedorahosted.org/message/PRXH5VCJNODGBFEVNWVOP2I2WWMQDDHK/
[Freeipa-devel] [freeipa PR#2259][closed] [Backport][ipa-4-6] Check if user permssions and umask 0022 is set after ipa-restore
URL: https://github.com/freeipa/freeipa/pull/2259
Author: mrizwan93
Title: #2259: [Backport][ipa-4-6] Check if user permssions and umask 0022 is set after ipa-restore
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2259/head:pr2259
git checkout pr2259

List Archives: https://lists.fedoraproject.org/archives/list/freeipa-devel@lists.fedorahosted.org/message/45WHFNXJI5CMBHLDLWBINOGVSOBPJPEA/
[Freeipa-devel] [freeipa PR#2263][opened] DS replication settings: fix regression with <3.3 master
URL: https://github.com/freeipa/freeipa/pull/2263
Author: flo-renaud
Title: #2263: DS replication settings: fix regression with <3.3 master
Action: opened

PR body:
"""
Commit 811b0fdb4620938963f1a29d3fdd22257327562c introduced a regression when configuring replication with a master < 3.3
Even if 389-ds schema is extended with nsds5ReplicaReleaseTimeout, nsds5ReplicaBackoffMax and nsDS5ReplicaBindDnGroupCheckInterval attributes, it will return UNWILLING_TO_PERFORM when a mod operation is performed on the cn=replica entry.
This patch ignores the error and logs a debug msg.

See: https://pagure.io/freeipa/issue/7617
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2263/head:pr2263
git checkout pr2263

From acfc4ac1d393c788e2e70a97b3a03a870d02fb92 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud
Date: Tue, 21 Aug 2018 11:37:17 +0200
Subject: [PATCH] DS replication settings: fix regression with <3.3 master

Commit 811b0fdb4620938963f1a29d3fdd22257327562c introduced a regression when configuring replication with a master < 3.3
Even if 389-ds schema is extended with nsds5ReplicaReleaseTimeout, nsds5ReplicaBackoffMax and nsDS5ReplicaBindDnGroupCheckInterval attributes, it will return UNWILLING_TO_PERFORM when a mod operation is performed on the cn=replica entry.
This patch ignores the error and logs a debug msg.

See: https://pagure.io/freeipa/issue/7617
---
 ipaserver/install/replication.py | 13 -
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index 78c4a43cc9..ae48577c4d 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -600,7 +600,18 @@ def finalize_replica_config(self, r_hostname, r_binddn=None, r_conn.simple_bind(r_binddn, r_bindpw) else: r_conn.gssapi_bind() -self._finalize_replica_settings(r_conn) +try: +self._finalize_replica_settings(r_conn) +except errors.DatabaseError as e: +# On FreeIPA < 3.3 masters lacking support for the attributes +# defined in REPLICA_FINAL_SETTINGS, +# the update will return Unwilling to perform +# Ignore the error +if str(e).startswith('Server is unwilling to perform'): +logger.debug("replication attribute not supported " + "on remote master (%s)", e) +else: +raise e r_conn.close() def setup_chaining_backend(self, conn): ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/freeipa-devel@lists.fedorahosted.org/message/WYU5XTYYHIVBSEUFFBAGAV47XR2N5G7U/
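Review bot: the fallback in the @@ -600,7 +600,18 @@ hunk is keyed on the error text, `if str(e).startswith('Server is unwilling to perform')`, which is fragile: any change in how errors.DatabaseError renders the LDAP result would send the <3.3 case back into the raise branch and quietly reintroduce the regression. Since the PR body identifies the result as UNWILLING_TO_PERFORM, checking the result code (or catching a dedicated exception class, if the errors module provides one for it) would be more robust, and the debug message could name the attributes from REPLICA_FINAL_SETTINGS that were skipped so an operator can see which replication setting did not take effect. Also, `raise e` in the else branch should be a bare `raise` so the original traceback is preserved.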