[Freeipa-devel] [freeipa PR#786][synchronized] ipa-server-install: fix uninstall
URL: https://github.com/freeipa/freeipa/pull/786 Author: flo-renaud Title: #786: ipa-server-install: fix uninstall Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/786/head:pr786 git checkout pr786 From 5545ef33c21ed593cef2ff042b3b543e0c4b1945 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud <f...@redhat.com> Date: Mon, 15 May 2017 16:36:44 +0200 Subject: [PATCH] ipa-server-install: fix uninstall ipa-server-install --uninstall fails to stop tracking the certificates because it assigns a tuple to the variable nicknames, then tries to call nicknames.append(). This is a regression introduced by 21f4cbf8. Assignment should be done using nicknames = list(self.tracking_reqs) instead. https://pagure.io/freeipa/issue/6950 --- ipaserver/install/dogtaginstance.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py index 29c74b6..1fdc3e5 100644 --- a/ipaserver/install/dogtaginstance.py +++ b/ipaserver/install/dogtaginstance.py @@ -319,7 +319,7 @@ def stop_tracking_certificates(self, stop_certmonger=True): services.knownservices.messagebus.start() cmonger.start() -nicknames = self.tracking_reqs +nicknames = list(self.tracking_reqs) if self.server_cert_name is not None: nicknames.append(self.server_cert_name) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
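Review bot: the one-line fix in the dogtaginstance.py hunk is correct but deserves a comment and a test. `nicknames = list(self.tracking_reqs)` does two things at once: it makes the later `nicknames.append(self.server_cert_name)` legal again, and it stops that append from mutating the shared `tracking_reqs` sequence, which is why the copy must not be "simplified" back to a plain assignment later. A unit test that calls `stop_tracking_certificates` with `server_cert_name` set would have caught the regression. Separately, this push's commit message names 21f4cbf8 as the regressing commit while the PR body names 92a08266; settle on the right one before merge.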
[Freeipa-devel] [freeipa PR#786][edited] ipa-server-install: fix uninstall
URL: https://github.com/freeipa/freeipa/pull/786 Author: flo-renaud Title: #786: ipa-server-install: fix uninstall Action: edited Changed field: body Original value: """ ipa-server-install --uninstall fails to stop tracking the certificates because it assigns a tuple to the variable nicknames, then tries to call nicknames.append(). This is a regression introduced by 92a08266. Assignment should be done using nicknames = list(self.tracking_reqs) instead. https://pagure.io/freeipa/issue/6950 """
[Freeipa-devel] [freeipa PR#783][comment] Provide useful messages during cert validation
URL: https://github.com/freeipa/freeipa/pull/783 Title: #783: Provide useful messages during cert validation flo-renaud commented: """ Hi @stlaz Thank you for the patch. LGTM. """ See the full comment at https://github.com/freeipa/freeipa/pull/783#issuecomment-301722760
[Freeipa-devel] [freeipa PR#783][+ack] Provide useful messages during cert validation
URL: https://github.com/freeipa/freeipa/pull/783 Title: #783: Provide useful messages during cert validation Label: +ack
[Freeipa-devel] [freeipa PR#788][opened] ipa-kra-install: fix pkispawn setting for pki_security_domain_hostname
URL: https://github.com/freeipa/freeipa/pull/788 Author: flo-renaud Title: #788: ipa-kra-install: fix pkispawn setting for pki_security_domain_hostname Action: opened PR body: """ During ipa-kra-install, the installer prepares a configuration file provided to pkispawn. This configuration file defines pki_security_domain_hostname=(first master) but when we are installing a clone, it should be set to the local hostname instead, see man page pki_default.cfg: pki_security_domain_hostname, pki_security_domain_https_port Location of the security domain. Required for KRA, OCSP, TKS, and TPS subsystems and for CA subsystems joining a security domain. Defaults to the location of the CA subsystem within the same instance. When pki_security_domain_hostname points to the 1st master, and this first master is decommissioned, ipa-kra-install fails on new replicas because pkispawn tries to connect to this (non-existing) host. https://pagure.io/freeipa/issue/6895 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/788/head:pr788 git checkout pr788 From 4a3f1cb7c18e597d4e128b4da1a1676d43411381 Mon Sep 17 00:00:00 2001 
From: Florence Blanc-Renaud <f...@redhat.com> Date: Thu, 11 May 2017 14:53:09 +0200 Subject: [PATCH] ipa-kra-install: fix pkispawn setting for pki_security_domain_hostname During ipa-kra-install, the installer prepares a configuration file provided to pkispawn. This configuration file defines pki_security_domain_hostname=(first master) but when we are installing a clone, it should be set to the local hostname instead, see man page pki_default.cfg: pki_security_domain_hostname, pki_security_domain_https_port Location of the security domain. Required for KRA, OCSP, TKS, and TPS subsystems and for CA subsystems joining a security domain. Defaults to the location of the CA subsystem within the same instance. When pki_security_domain_hostname points to the 1st master, and this first master is decommissioned, ipa-kra-install fails on new replicas because pkispawn tries to connect to this (non-existing) host. https://pagure.io/freeipa/issue/6895 --- ipaserver/install/krainstance.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py index abb8189..cdd25b9 100644 --- a/ipaserver/install/krainstance.py +++ b/ipaserver/install/krainstance.py @@ -252,7 +252,7 @@ def __spawn_instance(self): os.chown(p12_tmpfile_name, pent.pw_uid, pent.pw_gid) # Security domain registration -config.set("KRA", "pki_security_domain_hostname", self.master_host) +config.set("KRA", "pki_security_domain_hostname", self.fqdn) config.set("KRA", "pki_security_domain_https_port", "443") config.set("KRA", "pki_security_domain_user", self.admin_user) config.set("KRA", "pki_security_domain_password", -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
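Review bot: `config.set("KRA", "pki_security_domain_hostname", self.fqdn)` in the krainstance.py hunk is only right when a CA subsystem already exists on the host being installed; the pki_default.cfg excerpt in the commit message says the setting "defaults to the location of the CA subsystem within the same instance", so the local fqdn matches that default exactly in the case where a local CA is present and nowhere else. Add a comment next to the line stating that assumption, since nothing in the visible code checks it. Also confirm whether `self.master_host` is still referenced anywhere in `__spawn_instance` after this change; if this was its last use, drop it so the dependency on the first master is gone from the code as well as from the config.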
[Freeipa-devel] [freeipa PR#786][opened] ipa-server-install: fix uninstall
URL: https://github.com/freeipa/freeipa/pull/786 Author: flo-renaud Title: #786: ipa-server-install: fix uninstall Action: opened PR body: """ ipa-server-install --uninstall fails to stop tracking the certificates because it assigns a tuple to the variable nicknames, then tries to call nicknames.append(). This is a regression introduced by 92a08266. Assignment should be done using nicknames = list(self.tracking_reqs) instead. https://pagure.io/freeipa/issue/6950 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/786/head:pr786 git checkout pr786 From f30e99483c5da49f845aa7b5a6430015dd5be250 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud <f...@redhat.com> Date: Mon, 15 May 2017 16:36:44 +0200 Subject: [PATCH] ipa-server-install: fix uninstall ipa-server-install --uninstall fails to stop tracking the certificates because it assigns a tuple to the variable nicknames, then tries to call nicknames.append(). This is a regression introduced by 92a08266. Assignment should be done using nicknames = list(self.tracking_reqs) instead. https://pagure.io/freeipa/issue/6950 --- ipaserver/install/dogtaginstance.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py index 29c74b6..1fdc3e5 100644 --- a/ipaserver/install/dogtaginstance.py +++ b/ipaserver/install/dogtaginstance.py @@ -319,7 +319,7 @@ def stop_tracking_certificates(self, stop_certmonger=True): services.knownservices.messagebus.start() cmonger.start() -nicknames = self.tracking_reqs +nicknames = list(self.tracking_reqs) if self.server_cert_name is not None: nicknames.append(self.server_cert_name) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#784][opened] ipa-replica-manage del (dl 0): remove server from defaultServerList
URL: https://github.com/freeipa/freeipa/pull/784 Author: flo-renaud Title: #784: ipa-replica-manage del (dl 0): remove server from defaultServerList Action: opened PR body: """ ipa-replica-manage del should remove the server from the entry cn=default,ou=profile,$BASE The entry contains an attribute defaultServerList: srv1.domain.com srv2.domain.com srv3.domain.com The code calls srvlist = ret.single_value.get('defaultServerList') which means that srvlist contains a single value (string) containing all the servers separated by a space, and not a list of attribute values. Because of that, srvlist[0] corresponds to the first character of the value. The fix splits srvlist and not srvlist[0]. https://pagure.io/freeipa/issue/6946 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/784/head:pr784 git checkout pr784 From 8f98b3eb08c2f7994017459c7bb3f9eeb9f50cd2 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud <f...@redhat.com> Date: Fri, 12 May 2017 09:54:40 +0200 Subject: [PATCH] ipa-replica-manage del (dl 0): remove server from defaultServerList ipa-replica-manage del should remove the server from the entry cn=default,ou=profile,$BASE The entry contains an attribute defaultServerList: srv1.domain.com srv2.domain.com srv3.domain.com The code calls srvlist = ret.single_value.get('defaultServerList') which means that srvlist contains a single value (string) containing all the servers separated by a space, and not a list of attribute values. Because of that, srvlist[0] corresponds to the first character of the value. The fix splits srvlist and not srvlist[0]. https://pagure.io/freeipa/issue/6946 --- ipaserver/install/replication.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py index 3cd871e..f3bae53 100644 --- a/ipaserver/install/replication.py +++ b/ipaserver/install/replication.py 
@@ -1336,12 +1336,12 @@ def replica_cleanup(self, replica, realm, force=False): dn = DN(('cn', 'default'), ('ou', 'profile'), self.suffix) ret = self.conn.get_entry(dn) srvlist = ret.single_value.get('defaultServerList', '') -srvlist = srvlist[0].split() +srvlist = srvlist.split() if replica in srvlist: srvlist.remove(replica) attr = ' '.join(srvlist) -mod = [(ldap.MOD_REPLACE, 'defaultServerList', attr)] -self.conn.modify_s(dn, mod) +ret['defaultServerList'] = attr +self.conn.update_entry(ret) except errors.NotFound: pass except ldap.NO_SUCH_ATTRIBUTE: -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
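Review bot: the second half of the replication.py hunk, replacing `mod = [(ldap.MOD_REPLACE, 'defaultServerList', attr)]` / `self.conn.modify_s(dn, mod)` with `ret['defaultServerList'] = attr` / `self.conn.update_entry(ret)`, goes beyond the split fix and is not mentioned in the commit message; describe it there. It also changes the exception surface: update_entry goes through the IPA LDAP wrapper, which reports ipalib errors rather than raw python-ldap ones, so the `except ldap.NO_SUCH_ATTRIBUTE:` clause that follows is unlikely to fire any more and should become the ipalib equivalent. And if the update runs outside the `if replica in srvlist:` block (indentation is lost in this view), writing back an unchanged value would surface as an empty-modlist error; keep the write inside the `if` or handle that error explicitly.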
[Freeipa-devel] [freeipa PR#780][opened] server-del: update defaultServerList in cn=default, ou=profile, $BASE
URL: https://github.com/freeipa/freeipa/pull/780 Author: flo-renaud Title: #780: server-del: update defaultServerList in cn=default,ou=profile,$BASE Action: opened PR body: """ ipa server-del should remove the server from the entry cn=default,ou=profile,$BASE The entry contains an attribute defaultServerList: srv1.domain.com srv2.domain.com srv3.domain.com The code calls srvlist = ret.single_value.get('defaultServerList') which means that srvlist contains a single value (string) containing all the servers separated by a space, and not a list of attribute values. Because of that, srvlist[0] corresponds to the first character of the value. The fix splits srvlist and not srvlist[0]. https://pagure.io/freeipa/issue/6943 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/780/head:pr780 git checkout pr780 From 44658742b50f39c9d20475ed0d2344b08c508f8c Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud <f...@redhat.com> Date: Thu, 11 May 2017 11:41:23 +0200 Subject: [PATCH] server-del: update defaultServerList in cn=default,ou=profile,$BASE ipa server-del should remove the server from the entry cn=default,ou=profile,$BASE The entry contains an attribute defaultServerList: srv1.domain.com srv2.domain.com srv3.domain.com The code calls srvlist = ret.single_value.get('defaultServerList') which means that srvlist contains a single value (string) containing all the servers separated by a space, and not a list of attribute values. Because of that, srvlist[0] corresponds to the first character of the value. The fix splits srvlist and not srvlist[0]. https://pagure.io/freeipa/issue/6943 --- ipaserver/plugins/server.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ipaserver/plugins/server.py b/ipaserver/plugins/server.py index b1ee472..04a5ff5 100644 --- a/ipaserver/plugins/server.py +++ b/ipaserver/plugins/server.py 
@@ -608,12 +608,12 @@ def _remove_server_principal_references(self, master): dn = DN(('cn', 'default'), ('ou', 'profile'), env.basedn) ret = conn.get_entry(dn) srvlist = ret.single_value.get('defaultServerList', '') -srvlist = srvlist[0].split() +srvlist = srvlist.split() if master in srvlist: srvlist.remove(master) attr = ' '.join(srvlist) -mod = [(ldap.MOD_REPLACE, 'defaultServerList', attr)] -conn.conn.modify_s(str(dn), mod) +ret['defaultServerList'] = attr +conn.update_entry(ret) except (errors.NotFound, ldap.NO_SUCH_ATTRIBUTE, ldap.TYPE_OR_VALUE_EXISTS): pass -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
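Review bot: the server.py hunk pairs the `srvlist.split()` fix with a switch from `conn.conn.modify_s(str(dn), mod)` on the raw handle to `conn.update_entry(ret)`; the commit message only describes the first. Because update_entry no longer raises raw python-ldap exceptions, `ldap.NO_SUCH_ATTRIBUTE` and `ldap.TYPE_OR_VALUE_EXISTS` in the `except` tuple below are now dead names and should be replaced by the ipalib errors the wrapper actually raises. Keep the write inside the `if master in srvlist:` block so an unchanged attribute is never written back as an empty modification.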
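The defaultServerList handling that PR#784 and PR#780 both fix, as an added example that is not FreeIPA code: the buggy and the corrected parsing side by side, plus the remove-and-rejoin step with an explicit "changed" flag so the caller can skip the LDAP write when the server was not in the list. The function names, the sample attribute value and the `changed` flag are constructed for this illustration; only the space-separated attribute layout comes from the commit messages.

```python
# Added example, not FreeIPA code: defaultServerList handling as described in
# the PR#784 (replication.py) and PR#780 (server.py) commit messages.
# Function names and the sample value below are constructed for illustration.


def parse_default_server_list(value):
    """Split the defaultServerList attribute value into server names.

    `value` is what single_value.get('defaultServerList', '') returns: ONE
    string holding every server separated by spaces, not a list of LDAP
    attribute values, so the string itself is what must be split.
    """
    return value.split()


def buggy_parse_default_server_list(value):
    """The pre-fix behaviour kept for comparison.

    value[0] is the first *character* of the string, so splitting it yields
    a one-element list such as ['s'] and a real server name is never matched.
    An empty value raises IndexError here, a second failure mode the fixed
    version does not have.
    """
    return value[0].split()


def remove_server(value, server):
    """Return (new_value, changed).

    `new_value` is the attribute value with `server` removed and the rest
    re-joined with single spaces; `changed` tells the caller whether an LDAP
    write is needed at all, since writing back an identical value is an
    empty modification.
    """
    servers = parse_default_server_list(value)
    if server not in servers:
        return value, False
    servers.remove(server)
    return ' '.join(servers), True


# Constructed sample, matching the layout given in the commit messages.
SAMPLE_VALUE = 'srv1.domain.com srv2.domain.com srv3.domain.com'


if __name__ == '__main__':
    print('buggy parse :', buggy_parse_default_server_list(SAMPLE_VALUE))
    print('fixed parse :', parse_default_server_list(SAMPLE_VALUE))
    print('remove srv2 :', remove_server(SAMPLE_VALUE, 'srv2.domain.com'))
    print('remove srv9 :', remove_server(SAMPLE_VALUE, 'srv9.domain.com'))
```

Run it directly to see the buggy parser return `['s']` for the sample value while the fixed one returns the three hostnames; `remove_server` reports `changed=False` for a server that is not listed, which is the case where an unconditional write-back would produce an empty modification.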
[Freeipa-devel] [freeipa PR#777][opened] ipa-kra-install manpage: document domain-level 1
URL: https://github.com/freeipa/freeipa/pull/777 Author: flo-renaud Title: #777: ipa-kra-install manpage: document domain-level 1 Action: opened PR body: """ ipa-kra-install man page was missing a specific section for domain level 1. This commits also fixes a wrong option short name (for --log-file) and indents the text corresponding to -p DM_PASSWORD https://pagure.io/freeipa/issue/6922 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/777/head:pr777 git checkout pr777 From b95f451d8530122be917e4988aa2bb94e36c0c05 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud <f...@redhat.com> Date: Wed, 10 May 2017 18:04:52 +0200 Subject: [PATCH] ipa-kra-install manpage: document domain-level 1 ipa-kra-install man page was missing a specific section for domain level 1. This commits also fixes a wrong option short name (for --log-file) and indents the text corresponding to -p DM_PASSWORD https://pagure.io/freeipa/issue/6922 --- install/tools/man/ipa-kra-install.1 | 17 ++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/install/tools/man/ipa-kra-install.1 b/install/tools/man/ipa-kra-install.1 index 0aa9073..51afaac 100644 --- a/install/tools/man/ipa-kra-install.1 +++ b/install/tools/man/ipa-kra-install.1 
@@ -16,26 +16,37 @@ .\" .\" Author: Ade Lee <a...@redhat.com> .\" -.TH "ipa-kra-install" "1" "Aug 24 2014" "FreeIPA" "FreeIPA Manual Pages" +.TH "ipa-kra-install" "1" "May 10 2017" "FreeIPA" "FreeIPA Manual Pages" .SH "NAME" ipa\-kra\-install \- Install a KRA on a server .SH "SYNOPSIS" +.SS "DOMAIN LEVEL 0" +.TP ipa\-kra\-install [\fIOPTION\fR]... [replica_file] +.SS "DOMAIN LEVEL 1" +.TP +ipa\-kra\-install [\fIOPTION\fR]... .SH "DESCRIPTION" Adds a KRA as an IPA\-managed service. This requires that the IPA server is already installed and configured, including a CA. The KRA (Key Recovery Authority) is a component used to securely store secrets such as passwords, symmetric keys and private asymmetric keys. It is used as the back-end repository for the IPA Password Vault. -ipa\-kra\-install can be run without replica_file to add KRA to the existing CA. +In a domain at domain level 0, ipa\-kra\-install can be run without replica_file to add KRA to the existing CA, or with replica_file to install the KRA service on the replica. ipa\-kra\-install will contact the CA to determine if a KRA has already been installed on another replica, and if so, will exit indicating that a replica_file is required. The replica_file is created using the ipa\-replica\-prepare utility. A new replica_file should be generated on the master IPA server after the KRA has been installed and configured, so that the replica_file will contain the master KRA configuration and system certificates. +In a domain at domain level 1, ipa\-kra\-install can be used to add KRA to the existing CA, or to install the KRA service on a replica, and does not require any replica file. + KRA can only be removed along with the entire server using ipa\-server\-install \-\-uninstall. 
.SH "OPTIONS" +.TP \fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR Directory Manager (existing master) password .TP +\fB\-\-no-host-dns\fR +Do not use DNS for hostname lookup during installation +.TP \fB\-U\fR, \fB\-\-unattended\fR An unattended installation that will never prompt for user input .TP @@ -45,7 +56,7 @@ Enable debug output when more verbose output is needed \fB\-q\fR, \fB\-\-quiet\fR Output only errors .TP -\fB\-v\fR, \fB\-\-log-file\fR=\fFILE\fR +\fB\-\-log-file\fR=\fRFILE\fR Log to the given file .SH "EXIT STATUS" 0 if the command was successful -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
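Review bot: in the OPTIONS hunk the new line `\fB\-\-log-file\fR=\fRFILE\fR` sets FILE in roman (`\fR`) while every other argument in this file is italic, for example `\fB\-\-password\fR=\fIDM_PASSWORD\fR`; use `\fIFILE\fR`. The `\fB\-\-no-host-dns\fR` entry is also new in this hunk but is not mentioned in the commit message, which only lists the domain-level section, the -p indentation and the wrong short name. In the SYNOPSIS hunk, `.TP` expects a tag line followed by an indented paragraph; with only the command line after it, a plain `.P` is the usual form.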
[Freeipa-devel] [freeipa PR#729][+ack] Turn on NSSOCSP check in mod_nss conf
URL: https://github.com/freeipa/freeipa/pull/729 Title: #729: Turn on NSSOCSP check in mod_nss conf Label: +ack
[Freeipa-devel] [freeipa PR#766][comment] ipa-kra-install: fix check_host_keys
URL: https://github.com/freeipa/freeipa/pull/766 Title: #766: ipa-kra-install: fix check_host_keys flo-renaud commented: """ Hi @MartinBasti @martbab thank you for the comment. PR updated with your suggestion. """ See the full comment at https://github.com/freeipa/freeipa/pull/766#issuecomment-300101597
[Freeipa-devel] [freeipa PR#766][synchronized] ipa-kra-install: fix check_host_keys
URL: https://github.com/freeipa/freeipa/pull/766 Author: flo-renaud Title: #766: ipa-kra-install: fix check_host_keys Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/766/head:pr766 git checkout pr766 From 3e5250cfcd003b0bd72ba77fff5c1d03d23ebc89 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud <f...@redhat.com> Date: Fri, 5 May 2017 17:06:09 +0200 Subject: [PATCH] ipa-kra-install: fix check_host_keys ipa-kra-install on a replica checks that the keys are available before going further to avoid race condition due to replication. The issue is that the check_host_keys method expects to find exactly one key for cn=env/host but 2 may exist: one below cn=custodia and one below cn=dogtag,cn=custodia. The fix is to check that at least one key exist (not exactly one key). https://pagure.io/freeipa/issue/6934 --- ipaserver/secrets/kem.py | 7 +++ 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/ipaserver/secrets/kem.py b/ipaserver/secrets/kem.py index c1991c6..3363d82 100644 --- a/ipaserver/secrets/kem.py +++ b/ipaserver/secrets/kem.py @@ -72,7 +72,7 @@ def get_key(self, usage, principal): 'princ': principal}) r = conn.search_s(self.keysbase, scope, ldap_filter) if len(r) != 1: -raise ValueError("Incorrect number of results (%d) searching for" +raise ValueError("Incorrect number of results (%d) searching for " "public key for %s" % (len(r), principal)) ipa_public_key = r[0][1]['ipaPublicKey'][0] jwk = self._parse_public_key(ipa_public_key) 
@@ -85,9 +85,8 @@ def check_host_keys(self, host): ldap_filter = self.build_filter(IPA_CHECK_QUERY, {'host': host}) r = conn.search_s(self.keysbase, scope, ldap_filter) -if len(r) != 1: -raise ValueError("Incorrect number of results (%d) searching for" - "public key for %s" % (len(r), host)) +if not r: +raise ValueError("No public keys were found for %s" % host) return True def _format_public_key(self, key): -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
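Review bot: `if not r:` with "No public keys were found for %s" in the check_host_keys hunk reads correctly and is the idiomatic empty-result test. The get_key hunk is an unrelated fix: the trailing space added in `"Incorrect number of results (%d) searching for "` stops the two adjacent literals from concatenating into "forpublic key", which is worth a sentence in the commit message. Since check_host_keys now accepts any non-empty result, a debug-level log of `len(r)` would make the two-key case described in the commit message visible when diagnosing replication races later.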
[Freeipa-devel] [freeipa PR#766][opened] ipa-kra-install: fix check_host_keys
URL: https://github.com/freeipa/freeipa/pull/766 Author: flo-renaud Title: #766: ipa-kra-install: fix check_host_keys Action: opened PR body: """ ipa-kra-install on a replica checks that the keys are available before going further to avoid race condition due to replication. The issue is that the check_host_keys method expects to find exactly one key for cn=env/host but 2 may exist: one below cn=custodia and one below cn=dogtag,cn=custodia. The fix is to check that at least one key exist (not exactly one key). https://pagure.io/freeipa/issue/6934 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/766/head:pr766 git checkout pr766 From 3acd6f06396bf7596f3af53724b3f345bdf562b5 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud <f...@redhat.com> Date: Fri, 5 May 2017 17:06:09 +0200 Subject: [PATCH] ipa-kra-install: fix check_host_keys ipa-kra-install on a replica checks that the keys are available before going further to avoid race condition due to replication. The issue is that the check_host_keys method expects to find exactly one key for cn=env/host but 2 may exist: one below cn=custodia and one below cn=dogtag,cn=custodia. The fix is to check that at least one key exist (not exactly one key). https://pagure.io/freeipa/issue/6934 --- ipaserver/secrets/kem.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ipaserver/secrets/kem.py b/ipaserver/secrets/kem.py index c1991c6..f876b9e 100644 --- a/ipaserver/secrets/kem.py +++ b/ipaserver/secrets/kem.py @@ -72,7 +72,7 @@ def get_key(self, usage, principal): 'princ': principal}) r = conn.search_s(self.keysbase, scope, ldap_filter) if len(r) != 1: -raise ValueError("Incorrect number of results (%d) searching for" +raise ValueError("Incorrect number of results (%d) searching for " "public key for %s" % (len(r), principal)) ipa_public_key = r[0][1]['ipaPublicKey'][0] jwk = self._parse_public_key(ipa_public_key) 
@@ -85,8 +85,8 @@ def check_host_keys(self, host): ldap_filter = self.build_filter(IPA_CHECK_QUERY, {'host': host}) r = conn.search_s(self.keysbase, scope, ldap_filter) -if len(r) != 1: -raise ValueError("Incorrect number of results (%d) searching for" +if len(r) < 1: +raise ValueError("Incorrect number of results (%d) searching for " "public key for %s" % (len(r), host)) return True -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
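Review bot: after `if len(r) < 1:` the message "Incorrect number of results (%d) searching for public key for %s" will always print 0, which misleads the reader into thinking a count check is still in force; say plainly that no key was found, and use `if not r:` as the empty-list test. The same adjacent-literal fix applied in get_key (the added trailing space after "searching for") is needed here too, since this hunk's raise still joins the two strings without a space.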
[Freeipa-devel] [freeipa PR#754][opened] ipa-server-install with external CA: fix pkinit cert issuance
URL: https://github.com/freeipa/freeipa/pull/754 Author: flo-renaud Title: #754: ipa-server-install with external CA: fix pkinit cert issuance Action: opened PR body: """ ipa-server-install with external CA fails to issue pkinit certs. This happens because the installer calls krb = krbinstance.KrbInstance(fstore) then krb.enable_ssl() and in this code path self.config_pkinit is set to None, leading to a wrong code path. The fix initializes the required fields of the krbinstance before calling krb.enable_ssl. https://pagure.io/freeipa/issue/6921 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/754/head:pr754 git checkout pr754 From fa9a5107bbdccaa2d7f4788c4a452bc403e336c2 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud <f...@redhat.com> Date: Wed, 3 May 2017 10:21:12 +0200 Subject: [PATCH] ipa-server-install with external CA: fix pkinit cert issuance ipa-server-install with external CA fails to issue pkinit certs. This happens because the installer calls krb = krbinstance.KrbInstance(fstore) then krb.enable_ssl() and in this code path self.config_pkinit is set to None, leading to a wrong code path. The fix initializes the required fields of the krbinstance before calling krb.enable_ssl. https://pagure.io/freeipa/issue/6921 --- ipaserver/install/krbinstance.py| 8 ipaserver/install/server/install.py | 4 2 files changed, 12 insertions(+) diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py index 76ac302..2f14ff5 100644 --- a/ipaserver/install/krbinstance.py +++ b/ipaserver/install/krbinstance.py 
@@ -108,6 +108,14 @@ def __init__(self, fstore=None): suffix = ipautil.dn_attribute_property('_suffix') subject_base = ipautil.dn_attribute_property('_subject_base') +def init_info(self, realm_name, host_name, setup_pkinit=False, + subject_base=None): +self.fqdn = host_name +self.realm = realm_name +self.suffix = ipautil.realm_to_suffix(realm_name) +self.subject_base = subject_base +self.config_pkinit = setup_pkinit + def get_realm_suffix(self): return DN(('cn', self.realm), ('cn', 'kerberos'), self.suffix) diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index b360e05..0ce60e9 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py @@ -768,6 +768,10 @@ def install(installer): setup_pkinit=not options.no_pkinit, pkcs12_info=pkinit_pkcs12_info, subject_base=options.subject_base) +else: +krb.init_info(realm_name, host_name, + setup_pkinit=not options.no_pkinit, + subject_base=options.subject_base) if setup_ca: if not options.external_cert_files and options.external_ca: -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
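Review bot: `init_info` in the krbinstance.py hunk sets fqdn, realm, suffix, subject_base and config_pkinit by hand, duplicating the attribute setup that the path just above the new `else:` in the install.py hunk (the call with setup_pkinit, pkcs12_info and subject_base) presumably performs; have that path call `init_info` too, otherwise the two will drift and the external-CA path will break again the next time a field is added. Also give `init_info` a docstring stating that it must run before `enable_ssl`, which is the invariant the commit message describes, and add a test that exercises the external-CA branch so the `config_pkinit is None` path cannot silently return.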
[Freeipa-devel] [freeipa PR#729][comment] Turn on NSSOCSP check in mod_nss conf
URL: https://github.com/freeipa/freeipa/pull/729 Title: #729: Turn on NSSOCSP check in mod_nss conf flo-renaud commented: """ Hi @pvomacka I tested your last update with a new install and with an upgraded instance, and both are functionally OK. Revoked certs do not allow access to the IPA Web UI. """ See the full comment at https://github.com/freeipa/freeipa/pull/729#issuecomment-298620370
[Freeipa-devel] [freeipa PR#751][opened] ipa-client-install: remove extra space in pkinit_anchors definition
URL: https://github.com/freeipa/freeipa/pull/751 Author: flo-renaud Title: #751: ipa-client-install: remove extra space in pkinit_anchors definition Action: opened PR body: """ ipa-client-install modifies /etc/krb5.conf and defines the following line: pkinit_anchors = FILE: /etc/ipa/ca.crt The extra space between FILE: and /etc/ipa/ca.crt break pkinit. https://pagure.io/freeipa/issue/6916 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/751/head:pr751 git checkout pr751 From 2348deb90b86b19a826fac683569c94e1ca3561b Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud <f...@redhat.com> Date: Tue, 2 May 2017 10:22:22 +0200 Subject: [PATCH] ipa-client-install: remove extra space in pkinit_anchors definition ipa-client-install modifies /etc/krb5.conf and defines the following line: pkinit_anchors = FILE: /etc/ipa/ca.crt The extra space between FILE: and /etc/ipa/ca.crt break pkinit. https://pagure.io/freeipa/issue/6916 --- ipaclient/install/client.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py index 549c9b8..abca692 100644 --- a/ipaclient/install/client.py +++ b/ipaclient/install/client.py @@ -710,7 +710,7 @@ def configure_krb5_conf( kropts.append(krbconf.setOption('default_domain', cli_domain)) kropts.append( -krbconf.setOption('pkinit_anchors', 'FILE: %s' % paths.IPA_CA_CRT)) +krbconf.setOption('pkinit_anchors', 'FILE:%s' % paths.IPA_CA_CRT)) ropts = [{ 'name': cli_realm, 'type': 'subsection', -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
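Review bot: `'FILE:%s' % paths.IPA_CA_CRT` in the client.py hunk is the right fix; add a test over the output of `configure_krb5_conf` asserting that the pkinit_anchors value contains no whitespace after `FILE:`, so a formatting change cannot reintroduce the bug unnoticed. It is also worth grepping the server-side krb5.conf templates for the same `FILE: ` pattern, since this hunk only covers the client path.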
[Freeipa-devel] [freeipa PR#747][comment] vault: piped input for ipa vault-add fails
URL: https://github.com/freeipa/freeipa/pull/747 Title: #747: vault: piped input for ipa vault-add fails flo-renaud commented: """ @stlaz Thank you for the reminder. Commit msg updated with issue 6907 """ See the full comment at https://github.com/freeipa/freeipa/pull/747#issuecomment-297935155
[Freeipa-devel] [freeipa PR#747][synchronized] vault: piped input for ipa vault-add fails
URL: https://github.com/freeipa/freeipa/pull/747 Author: flo-renaud Title: #747: vault: piped input for ipa vault-add fails Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/747/head:pr747 git checkout pr747 From 4b11def7359308d43bda011a622339156a4b0b43 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud <f...@redhat.com> Date: Thu, 27 Apr 2017 18:20:06 +0200 Subject: [PATCH] vault: piped input for ipa vault-add fails An exception is raised when using echo "Secret123\n" | ipa vault-add myvault This happens because the code is using (string).decode(sys.stdin.encoding) and sys.stdin.encoding is None when the input is read from a pipe. The fix is using the prompt_password method defined by Backend.textui, which gracefully handles this issue. https://pagure.io/freeipa/issue/6907 --- ipaclient/plugins/vault.py | 37 - 1 file changed, 8 insertions(+), 29 deletions(-) diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py index 3fb4900..f21dc4d 100644 --- a/ipaclient/plugins/vault.py +++ b/ipaclient/plugins/vault.py @@ -21,11 +21,9 @@ import base64 import errno -import getpass import io import json import os -import sys import tempfile from cryptography.fernet import Fernet, InvalidToken @@ -84,29 +82,6 @@ def validated_read(argname, filename, mode='r', encoding=None): MAX_VAULT_DATA_SIZE = 2**20 # = 1 MB -def get_new_password(): -""" -Gets new password from user and verify it. -""" -while True: -password = getpass.getpass('New password: ').decode( -sys.stdin.encoding) -password2 = getpass.getpass('Verify password: ').decode( -sys.stdin.encoding) - -if password == password2: -return password - -print(' ** Passwords do not match! **') - - -def get_existing_password(): -""" -Gets existing password from user. -""" -return getpass.getpass('Password: ').decode(sys.stdin.encoding) - - def generate_symmetric_key(password, salt): """ Generates symmetric key from password and salt. 
@@ -304,7 +279,8 @@ def forward(self, *args, **options): password = password.rstrip('\n') else: -password = get_new_password() +password = self.api.Backend.textui.prompt_password( +'New password') # generate vault salt options['ipavaultsalt'] = os.urandom(16) @@ -887,9 +863,11 @@ def forward(self, *args, **options): else: if override_password: -password = get_new_password() +password = self.api.Backend.textui.prompt_password( +'New password') else: -password = get_existing_password() +password = self.api.Backend.textui.prompt_password( +'Password', confirm=False) if not override_password: # verify password by retrieving existing data @@ -1112,7 +1090,8 @@ def forward(self, *args, **options): password = password.rstrip('\n') else: -password = get_existing_password() +password = self.api.Backend.textui.prompt_password( +'Password', confirm=False) # generate encryption key from password encryption_key = generate_symmetric_key(password, salt) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
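Review bot: the removed `get_new_password` and `get_existing_password` returned text decoded with `.decode(sys.stdin.encoding)`; confirm that `self.api.Backend.textui.prompt_password` returns the same type on both Python 2 and 3, since `generate_symmetric_key(password, salt)` below consumes the value unchanged. The three call sites pass `confirm=False` for 'Password' but nothing for 'New password', so the two new-password prompts rely on confirm defaulting to True to keep the old verify-and-retry behaviour; passing `confirm=True` explicitly makes that intent visible. The `password.rstrip('\n')` on the piped path is unchanged by this patch and is what makes the `echo ... |` case in the commit message work.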
[Freeipa-devel] [freeipa PR#747][opened] vault: piped input for ipa vault-add fails
URL: https://github.com/freeipa/freeipa/pull/747 Author: flo-renaud Title: #747: vault: piped input for ipa vault-add fails Action: opened PR body: """ An exception is raised when using echo "Secret123\n" | ipa vault-add myvault This happens because the code is using (string).decode(sys.stdin.encoding) and sys.stdin.encoding is None when the input is read from a pipe. The fix is using the prompt_password method defined by Backend.textui, which gracefully handles this issue. https://bugzilla.redhat.com/show_bug.cgi?id=1445358 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/747/head:pr747 git checkout pr747 From 35ce0e686bd4cc4d47d945e244bee38ef65cfbf9 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud <f...@redhat.com> Date: Thu, 27 Apr 2017 18:20:06 +0200 Subject: [PATCH] vault: piped input for ipa vault-add fails An exception is raised when using echo "Secret123\n" | ipa vault-add myvault This happens because the code is using (string).decode(sys.stdin.encoding) and sys.stdin.encoding is None when the input is read from a pipe. The fix is using the prompt_password method defined by Backend.textui, which gracefully handles this issue. https://bugzilla.redhat.com/show_bug.cgi?id=1445358 --- ipaclient/plugins/vault.py | 37 - 1 file changed, 8 insertions(+), 29 deletions(-) diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py index 3fb4900..f21dc4d 100644 --- a/ipaclient/plugins/vault.py +++ b/ipaclient/plugins/vault.py @@ -21,11 +21,9 @@ import base64 import errno -import getpass import io import json import os -import sys import tempfile from cryptography.fernet import Fernet, InvalidToken 
@@ -84,29 +82,6 @@ def validated_read(argname, filename, mode='r', encoding=None): MAX_VAULT_DATA_SIZE = 2**20 # = 1 MB -def get_new_password(): -""" -Gets new password from user and verify it. -""" -while True: -password = getpass.getpass('New password: ').decode( -sys.stdin.encoding) -password2 = getpass.getpass('Verify password: ').decode( -sys.stdin.encoding) - -if password == password2: -return password - -print(' ** Passwords do not match! **') - - -def get_existing_password(): -""" -Gets existing password from user. -""" -return getpass.getpass('Password: ').decode(sys.stdin.encoding) - - def generate_symmetric_key(password, salt): """ Generates symmetric key from password and salt. @@ -304,7 +279,8 @@ def forward(self, *args, **options): password = password.rstrip('\n') else: -password = get_new_password() +password = self.api.Backend.textui.prompt_password( +'New password') # generate vault salt options['ipavaultsalt'] = os.urandom(16) @@ -887,9 +863,11 @@ def forward(self, *args, **options): else: if override_password: -password = get_new_password() +password = self.api.Backend.textui.prompt_password( +'New password') else: -password = get_existing_password() +password = self.api.Backend.textui.prompt_password( +'Password', confirm=False) if not override_password: # verify password by retrieving existing data @@ -1112,7 +1090,8 @@ def forward(self, *args, **options): password = password.rstrip('\n') else: -password = get_existing_password() +password = self.api.Backend.textui.prompt_password( +'Password', confirm=False) # generate encryption key from password encryption_key = generate_symmetric_key(password, salt) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
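The failure the PR body describes (a password read from a pipe whose stdin advertises no encoding) next to a prompt that copes with it, as an added example that is not FreeIPA's code: piped_input, buggy_read, decode_line, prompt_password and the other helper names are assumptions, and terminal echo suppression (getpass) is left out.

```python
import io
import locale
import sys


def piped_input(text):
    """Constructed stdin replacement: a raw byte stream, like a pipe, that
    carries no .encoding attribute (the condition behind the reported bug)."""
    return io.BytesIO(text.encode("utf-8"))


def buggy_read(stream):
    """Mirror of the pre-fix pattern, decode(stream.encoding): with no
    encoding advertised the call becomes decode(None) and raises TypeError."""
    raw = stream.readline()
    return raw.decode(getattr(stream, "encoding", None))


def buggy_read_fails(text):
    """True when buggy_read() blows up on piped input (what the PR reports)."""
    try:
        buggy_read(piped_input(text))
    except TypeError:
        return True
    return False


def decode_line(raw, encoding):
    """Decode one input line, falling back to the locale encoding (or UTF-8)
    when the stream does not say how it is encoded; strip only the newline,
    as the --password-file branch does with rstrip('\\n')."""
    if encoding is None:
        encoding = locale.getpreferredencoding(False) or "utf-8"
    return raw.decode(encoding).rstrip("\n")


def prompt_password(stream, label="Password", confirm=True, out=sys.stderr):
    """Read a password from a byte stream (sys.stdin.buffer or a pipe).

    confirm=True asks for the value twice, like the 'New password' prompt in
    the patch; confirm=False is the existing-password case.  Running out of
    input raises EOFError instead of retrying forever after a mismatch."""
    encoding = getattr(stream, "encoding", None)  # None for pipes/BytesIO
    while True:
        out.write("%s: " % label)
        raw = stream.readline()
        if not raw:
            raise EOFError("no password supplied on input")
        password = decode_line(raw, encoding)
        if not confirm:
            return password
        out.write("Verify password: ")
        raw2 = stream.readline()
        if not raw2:
            raise EOFError("no password confirmation supplied on input")
        if password == decode_line(raw2, encoding):
            return password
        out.write(" ** Passwords do not match! **\n")


def eof_on_mismatch(text):
    """True when a mismatched pair followed by EOF ends in EOFError rather
    than an endless retry loop."""
    try:
        prompt_password(piped_input(text))
    except EOFError:
        return True
    return False


if __name__ == "__main__":
    # Same shape as the commit message's echo | ipa vault-add, confirmed twice.
    print(prompt_password(piped_input("Secret123\nSecret123\n"), "New password"))
```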
[Freeipa-devel] [freeipa PR#724][opened] upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is…
URL: https://github.com/freeipa/freeipa/pull/724 Author: flo-renaud Title: #724: upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is… Action: opened PR body: """ … installed During upgrade, the plugin update_tdo_gidnumber is launched in order to add a gidnumber to the Trusted Domain Object. This plugin should not be run when AD trust is not installed, otherwise an error message is displayed. https://pagure.io/freeipa/issue/6881 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/724/head:pr724 git checkout pr724
[Freeipa-devel] [freeipa PR#709][comment] Fix s4u2self with adtrust
URL: https://github.com/freeipa/freeipa/pull/709 Title: #709: Fix s4u2self with adtrust flo-renaud commented: """ Hi @simo5, I tested webUI authentication with an IPA user and it is working with this patch. """ See the full comment at https://github.com/freeipa/freeipa/pull/709#issuecomment-293309605
[Freeipa-devel] [freeipa PR#704][+ack] WebUI: cert login: Configure name of parameter used to pass username
URL: https://github.com/freeipa/freeipa/pull/704 Title: #704: WebUI: cert login: Configure name of parameter used to pass username Label: +ack
[Freeipa-devel] [freeipa PR#704][comment] WebUI: cert login: Configure name of parameter used to pass username
URL: https://github.com/freeipa/freeipa/pull/704 Title: #704: WebUI: cert login: Configure name of parameter used to pass username flo-renaud commented: """ Hi @dkupka thank you for the patch, everything works as expected with a single certificate mapped to multiple users. """ See the full comment at https://github.com/freeipa/freeipa/pull/704#issuecomment-292969006
[Freeipa-devel] [freeipa PR#667][comment] idrange-add: properly handle empty --dom-name option
URL: https://github.com/freeipa/freeipa/pull/667 Title: #667: idrange-add: properly handle empty --dom-name option flo-renaud commented: """ @martbab thank you for the suggestion. The new test is available in PR #692. """ See the full comment at https://github.com/freeipa/freeipa/pull/667#issuecomment-291843545
[Freeipa-devel] [freeipa PR#667][comment] idrange-add: properly handle empty --dom-name option
URL: https://github.com/freeipa/freeipa/pull/667 Title: #667: idrange-add: properly handle empty --dom-name option flo-renaud commented: """ Hi @stlaz I fixed the commit message. Contrary to what I told you offline, you need to configure an AD trust with ipa-adtrust-install and ipa trust-add ... in order to reproduce the original issue. My bad... """ See the full comment at https://github.com/freeipa/freeipa/pull/667#issuecomment-291540393
[Freeipa-devel] [freeipa PR#667][edited] idrange-add: properly handle empty --dom-name option
URL: https://github.com/freeipa/freeipa/pull/667 Author: flo-renaud Title: #667: idrange-add: properly handle empty --dom-name option Action: edited Changed field: title Original value: """ idrange-mod: properly handle empty --dom-name option """
[Freeipa-devel] [freeipa PR#667][edited] idrange-mod: properly handle empty --dom-name option
URL: https://github.com/freeipa/freeipa/pull/667 Author: flo-renaud Title: #667: idrange-mod: properly handle empty --dom-name option Action: edited Changed field: body Original value: """ When idrange-mod is called with --dom-name=, the CLI exits with ipa: ERROR: an internal error has occurred This happens because the code checks if the option is provided but does not check if the value is None. We need to handle empty dom-name as if the option was not specified. https://pagure.io/freeipa/issue/6404 """
[Freeipa-devel] [freeipa PR#667][synchronized] idrange-mod: properly handle empty --dom-name option
URL: https://github.com/freeipa/freeipa/pull/667 Author: flo-renaud Title: #667: idrange-mod: properly handle empty --dom-name option Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/667/head:pr667 git checkout pr667 From be273e1a9a8f7f3d17029b71054091bc3d44edeb Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud <f...@redhat.com> Date: Tue, 28 Mar 2017 16:02:45 +0200 Subject: [PATCH] idrange-add: properly handle empty --dom-name option When idrange-add is called with --dom-name=, the CLI exits with ipa: ERROR: an internal error has occurred This happens because the code checks if the option is provided but does not check if the value is None. We need to handle empty dom-name as if the option was not specified. https://pagure.io/freeipa/issue/6404 --- ipaserver/plugins/idrange.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/plugins/idrange.py b/ipaserver/plugins/idrange.py index 5b88a6b..c8ea95a 100644 --- a/ipaserver/plugins/idrange.py +++ b/ipaserver/plugins/idrange.py @@ -411,7 +411,7 @@ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): # This needs to stay in options since there is no # ipanttrusteddomainname attribute in LDAP -if 'ipanttrusteddomainname' in options: +if options.get('ipanttrusteddomainname'): if is_set('ipanttrusteddomainsid'): raise errors.ValidationError(name='ID Range setup', error=_('Options dom-sid and dom-name ' -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
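Review bot: `options.get('ipanttrusteddomainname')` folds an empty or None --dom-name into the not-specified path, which is the intended fix, but the hunk carries no test for the `--dom-name=` case that produced the internal error; a test invoking the command with an empty option would guard it. The patch subject says idrange-add while the PR title on this message says idrange-mod, so the two should be reconciled before merge.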
[Freeipa-devel] [freeipa PR#632][comment] ipa-sam: create the gidNumber attribute in the trusted domain entry
URL: https://github.com/freeipa/freeipa/pull/632 Title: #632: ipa-sam: create the gidNumber attribute in the trusted domain entry flo-renaud commented: """ Hi @abbra thank you for the review. PR updated following your comments, and with an upgrade plugin to handle existing trusted domain objects. """ See the full comment at https://github.com/freeipa/freeipa/pull/632#issuecomment-291227659
[Freeipa-devel] [freeipa PR#632][synchronized] ipa-sam: create the gidNumber attribute in the trusted domain entry
URL: https://github.com/freeipa/freeipa/pull/632 Author: flo-renaud Title: #632: ipa-sam: create the gidNumber attribute in the trusted domain entry Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/632/head:pr632 git checkout pr632 From b75e11502e669cae3a58dd66fe5d0a75e23a6e97 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud <f...@redhat.com> Date: Tue, 21 Mar 2017 17:33:20 +0100 Subject: [PATCH 1/2] ipa-sam: create the gidNumber attribute in the trusted domain entry When a trusted domain entry is created, the uidNumber attribute is created but not the gidNumber attribute. This causes samba to log Failed to find a Unix account for DOM-AD$ because the samu structure does not contain a group_sid and is not put in the cache. The fix creates the gidNumber attribute in the trusted domain entry, and initialises the group_sid field in the samu structure returned by ldapsam_getsampwnam. This ensures that the entry is put in the cache. Note that this is only a partial fix for 6660 as it does not prevent _netr_ServerAuthenticate3 from failing with the log _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client VM-AD machine account dom-ad.example.com. https://pagure.io/freeipa/issue/6827 --- daemons/ipa-sam/ipa_sam.c | 40 +--- 1 file changed, 37 insertions(+), 3 deletions(-) diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c index 4c1fda5..6a29e8e 100644 --- a/daemons/ipa-sam/ipa_sam.c +++ b/daemons/ipa-sam/ipa_sam.c @@ -195,6 +195,7 @@ struct ipasam_privates { char *trust_dn; char *flat_name; struct dom_sid fallback_primary_group; + char *fallback_primary_group_gid_str; char *server_princ; char *client_princ; struct sss_idmap_ctx *idmap_ctx; 
@@ -2419,6 +2420,9 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods, if (entry == NULL || sid == NULL) { smbldap_make_mod(priv2ld(ldap_state), entry, , LDAP_ATTRIBUTE_UIDNUMBER, IPA_MAGIC_ID_STR); + smbldap_make_mod(priv2ld(ldap_state), entry, , + LDAP_ATTRIBUTE_GIDNUMBER, + ldap_state->ipasam_privates->fallback_primary_group_gid_str); } if (td->netbios_name != NULL) { @@ -2829,6 +2833,7 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td, { NTSTATUS status; struct dom_sid *u_sid; + struct dom_sid *g_sid; char *name; char *trustpw = NULL; char *trustpw_utf8 = NULL; @@ -2884,6 +2889,11 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td, } talloc_free(u_sid); + g_sid = _state->ipasam_privates->fallback_primary_group; + if (!pdb_set_group_sid(user, g_sid, PDB_SET)) { + return false; + } + status = get_trust_pwd(user, >trust_auth_incoming, , NULL); if (!NT_STATUS_IS_OK(status)) { return false; @@ -3594,14 +3604,17 @@ static void ipasam_free_private_data(void **vp) static struct dom_sid *get_fallback_group_sid(TALLOC_CTX *mem_ctx, struct smbldap_state *ldap_state, struct sss_idmap_ctx *idmap_ctx, - LDAPMessage *dom_entry) + LDAPMessage *dom_entry, + char **fallback_group_gid_str) { char *dn; char *sid; + char *gidnumber; int ret; const char *filter = "objectClass=*"; const char *attr_list[] = { LDAP_ATTRIBUTE_SID, + LDAP_ATTRIBUTE_GIDNUMBER, NULL}; LDAPMessage *result; LDAPMessage *entry; 
@@ -3648,9 +3661,20 @@ static struct dom_sid *get_fallback_group_sid(TALLOC_CTX *mem_ctx, talloc_free(sid); return NULL; } + talloc_free(sid); + + gidnumber = get_single_attribute(mem_ctx, ldap_state->ldap_struct, + entry, LDAP_ATTRIBUTE_GIDNUMBER); + if (gidnumber == NULL) { + DEBUG(0, ("Missing mandatory attribute %s.\n", + LDAP_ATTRIBUTE_GIDNUMBER)); + ldap_msgfree(result); + return NULL; + } + + *fallback_group_gid_str = gidnumber; ldap_msgfree(result); - talloc_free(sid); return fallback_group_sid; } @@ -4443,6 +4467,7 @@ static NTSTATUS pdb_init_ipasam(struct pdb_methods **pdb_method, char *domain_sid_string = NULL; struct dom_sid *ldap_domain_sid = NULL; struct dom_sid *fallback_group_sid = NULL; + char *fallback_group_gid_str = NULL; LDAPMessage *result = NULL; LDAPMessage *entry = NULL; @@ -4586,7 +4611,8 @@ static NTSTATUS pdb_init_ipasam(struct pdb_methods **pdb_method, fallback_group_sid = get_fallback_group_sid(ldap_state, ldap_state->smbldap_state, ldap_state->ipasam_privates->idmap_ctx, - result); + result, + _group_gid_str); if (fallback_group_sid == NULL) { DEBUG(0, ("Cannot find SID of fallback group.\n")); ldap_msgfree(result); @@ -4596,6 +4622,14 @@ static NTSTATUS pdb_init_ipasam(struct pdb_methods **pdb_method, fallback_group_sid); talloc_free(fallback_group_sid); + if (fallback_group_gid_st
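Review bot: in the get_fallback_group_sid hunk the gidNumber string is allocated on mem_ctx and handed back through fallback_group_gid_str, then stored in ipasam_privates by pdb_init_ipasam, so it lives as long as the module; confirm it is released in ipasam_free_private_data, which this diff does not touch. The missing-gidNumber error path logs only the attribute name; naming the fallback group (the dn variable is already in scope) would make the message actionable when the entry is misconfigured. The final hunk is cut off in this message at `if (fallback_group_gid_st`, so what happens to the string after get_fallback_group_sid returns could not be reviewed here.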
[Freeipa-devel] [freeipa PR#678][opened] ipa-ca-install man page: Add domain level 1 help
URL: https://github.com/freeipa/freeipa/pull/678 Author: flo-renaud Title: #678: ipa-ca-install man page: Add domain level 1 help Action: opened PR body: """ In domain level 1 ipa-ca-install does not require a replica-file. Update the man page to distinguish the domain level 0 or 1 usage. https://pagure.io/freeipa/issue/5831 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/678/head:pr678 git checkout pr678 From e19e2ba9445249a04f8289a283375324b6a632ed Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud <f...@redhat.com> Date: Thu, 30 Mar 2017 18:23:59 +0200 Subject: [PATCH] ipa-ca-install man page: Add domain level 1 help In domain level 1 ipa-ca-install does not require a replica-file. Update the man page to distinguish the domain level 0 or 1 usage. https://pagure.io/freeipa/issue/5831 --- install/tools/man/ipa-ca-install.1 | 13 ++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/install/tools/man/ipa-ca-install.1 b/install/tools/man/ipa-ca-install.1 index 76ce115..79703a4 100644 --- a/install/tools/man/ipa-ca-install.1 +++ b/install/tools/man/ipa-ca-install.1 @@ -1,5 +1,5 @@ .\" A man page for ipa-ca-install -.\" Copyright (C) 2011 Red Hat, Inc. +.\" Copyright (C) 2011-2017 Red Hat, Inc. .\" .\" This program is free software; you can redistribute it and/or modify .\" it under the terms of the GNU General Public License as published by 
@@ -16,17 +16,24 @@ .\" .\" Author: Rob Crittenden <rcrit...@redhat.com> .\" -.TH "ipa-ca-install" "1" "Jun 17 2011" "FreeIPA" "FreeIPA Manual Pages" +.TH "ipa-ca-install" "1" "Mar 30 2017" "FreeIPA" "FreeIPA Manual Pages" .SH "NAME" ipa\-ca\-install \- Install a CA on a server .SH "SYNOPSIS" +.SS "DOMAIN LEVEL 0" +.TP ipa\-ca\-install [\fIOPTION\fR]... [replica_file] +.SS "DOMAIN LEVEL 1" +.TP +ipa\-ca\-install [\fIOPTION\fR]... .SH "DESCRIPTION" Adds a CA as an IPA\-managed service. This requires that the IPA server is already installed and configured. +In a domain at domain level 0, you can run ipa\-ca\-install without replica_file to upgrade from CA-less to CA-full, or with replica_file to install the CA service on the replica. + The replica_file is created using the ipa\-replica\-prepare utility and should be the same one used when originally installing the replica. -Alternatively, you can run ipa\-ca\-install without replica_file to upgrade from CA-less to CA-full. +In a domain at domain level 1, ipa\-ca\-install can be used to upgrade from CA-less to CA-full or to install the CA service on a replica, and does not require any replica file. .SH "OPTIONS" \fB\-d\fR, \fB\-\-debug\fR Enable debug logging when more verbose output is needed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
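Review bot: in the SYNOPSIS hunk each `.SS` is followed by `.TP` with the usage line as the tag and no paragraph body; `.PP` (or no macro at all) is the conventional way to set a synopsis line. In the DESCRIPTION hunk the unchanged sentence about replica_file being created by ipa\-replica\-prepare now sits between the domain level 0 and domain level 1 paragraphs, so a reader may wonder which it belongs to; moving it into the level 0 paragraph (the only one that uses a replica file) would remove the ambiguity.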
[Freeipa-devel] [freeipa PR#632][edited] ipa-sam: create the gidNumber attribute in the trusted domain entry
URL: https://github.com/freeipa/freeipa/pull/632 Author: flo-renaud Title: #632: ipa-sam: create the gidNumber attribute in the trusted domain entry Action: edited Changed field: body Original value: """ When a trusted domain entry is created, the uidNumber attribute is created but not the gidNumber attribute. This causes samba to log Failed to find a Unix account for DOM-AD$ because the samu structure does not contain a group_sid and is not put in the cache. The fix creates the gidNumber attribute in the trusted domain entry, and initialises the group_sid field in the samu structure returned by ldapsam_getsampwnam. This ensures that the entry is put in the cache. Note that this is only a partial fix for 6660 as it does not prevent _netr_ServerAuthenticate3 from failing with the log _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client VM-AD machine account dom-ad.example.com. https://pagure.io/freeipa/issue/6660 """
[Freeipa-devel] [freeipa PR#632][comment] ipa-sam: create the gidNumber attribute in the trusted domain entry
URL: https://github.com/freeipa/freeipa/pull/632 Title: #632: ipa-sam: create the gidNumber attribute in the trusted domain entry flo-renaud commented: """ I updated the commit message with a different issue number, related to the "Failed to find a unix account" message. """ See the full comment at https://github.com/freeipa/freeipa/pull/632#issuecomment-289891045
[Freeipa-devel] [freeipa PR#632][synchronized] ipa-sam: create the gidNumber attribute in the trusted domain entry
URL: https://github.com/freeipa/freeipa/pull/632 Author: flo-renaud Title: #632: ipa-sam: create the gidNumber attribute in the trusted domain entry Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/632/head:pr632 git checkout pr632 From b000fdfc229917e6cb62ba185ac24522899b3f86 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud <f...@redhat.com> Date: Tue, 21 Mar 2017 17:33:20 +0100 Subject: [PATCH] ipa-sam: create the gidNumber attribute in the trusted domain entry When a trusted domain entry is created, the uidNumber attribute is created but not the gidNumber attribute. This causes samba to log Failed to find a Unix account for DOM-AD$ because the samu structure does not contain a group_sid and is not put in the cache. The fix creates the gidNumber attribute in the trusted domain entry, and initialises the group_sid field in the samu structure returned by ldapsam_getsampwnam. This ensures that the entry is put in the cache. Note that this is only a partial fix for 6660 as it does not prevent _netr_ServerAuthenticate3 from failing with the log _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client VM-AD machine account dom-ad.example.com. https://pagure.io/freeipa/issue/6827 --- daemons/ipa-sam/ipa_sam.c | 26 ++ 1 file changed, 26 insertions(+) diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c index 4c1fda5..c483ee4 100644 --- a/daemons/ipa-sam/ipa_sam.c +++ b/daemons/ipa-sam/ipa_sam.c @@ -2419,6 +2419,8 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods, if (entry == NULL || sid == NULL) { smbldap_make_mod(priv2ld(ldap_state), entry, , LDAP_ATTRIBUTE_UIDNUMBER, IPA_MAGIC_ID_STR); + smbldap_make_mod(priv2ld(ldap_state), entry, , + LDAP_ATTRIBUTE_GIDNUMBER, IPA_MAGIC_ID_STR); } if (td->netbios_name != NULL) { 
@@ -2823,12 +2825,18 @@ static uint32_t pdb_ipasam_capabilities(struct pdb_methods *methods) return PDB_CAP_STORE_RIDS | PDB_CAP_ADS | PDB_CAP_TRUSTED_DOMAINS_EX; } +static int ipasam_get_primary_group_sid(TALLOC_CTX *mem_ctx, +struct ldapsam_privates *ldap_state, +LDAPMessage *entry, +struct dom_sid **_group_sid); + static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td, LDAPMessage *entry, struct ldapsam_privates *ldap_state) { NTSTATUS status; struct dom_sid *u_sid; + struct dom_sid *g_sid; char *name; char *trustpw = NULL; char *trustpw_utf8 = NULL; @@ -2839,6 +2847,7 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td, bool res; char *sid_str; enum idmap_error_code err; + TALLOC_CTX *tmp_ctx; if (!pdb_set_acct_ctrl(user, ACB_DOMTRUST | ACB_TRUSTED_FOR_DELEGATION, PDB_SET)) { @@ -2884,6 +2893,23 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td, } talloc_free(u_sid); + tmp_ctx= talloc_init("init_sam_from_td"); + if (!tmp_ctx) { + return false; + } + + if (ipasam_get_primary_group_sid(tmp_ctx, ldap_state, entry, _sid) + != 0) { + talloc_free(tmp_ctx); + return false; + } + + if (!pdb_set_group_sid(user, g_sid, PDB_SET)) { + talloc_free(tmp_ctx); + return false; + } + talloc_free(tmp_ctx); + status = get_trust_pwd(user, >trust_auth_incoming, , NULL); if (!NT_STATUS_IS_OK(status)) { return false; -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
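Review bot: the ipasam_set_trusted_domain hunk writes IPA_MAGIC_ID_STR as the gidNumber, while init_sam_from_td resolves the group SID from the entry through ipasam_get_primary_group_sid; the two should agree on which group the trusted domain object belongs to, otherwise the stored gidNumber and the SID placed in samu can diverge. ipasam_get_primary_group_sid is only forward-declared in this diff, so its definition must already exist further down in ipa_sam.c; if so, the prototype belongs with the other declarations at the top of the file rather than next to pdb_ipasam_capabilities. In init_sam_from_td, talloc_init creates a named top-level context for a lookup that lives only a few lines; talloc_new with the user object as parent would be the lighter choice and needs no separate talloc_free on each return path.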
[Freeipa-devel] [freeipa PR#667][opened] idrange-mod: properly handle empty --dom-name option
URL: https://github.com/freeipa/freeipa/pull/667 Author: flo-renaud Title: #667: idrange-mod: properly handle empty --dom-name option Action: opened PR body: """ When idrange-mod is called with --dom-name=, the CLI exits with ipa: ERROR: an internal error has occurred This happens because the code checks if the option is provided but does not check if the value is None. We need to handle empty dom-name as if the option was not specified. https://pagure.io/freeipa/issue/6404 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/667/head:pr667 git checkout pr667 From b47744c922942426d12b1f5572a89e087bed7a3e Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud <f...@redhat.com> Date: Tue, 28 Mar 2017 16:02:45 +0200 Subject: [PATCH] idrange-mod: properly handle empty --dom-name option When idrange-mod is called with --dom-name=, the CLI exits with ipa: ERROR: an internal error has occurred This happens because the code checks if the option is provided but does not check if the value is None. We need to handle empty dom-name as if the option was not specified. https://pagure.io/freeipa/issue/6404 --- ipaserver/plugins/idrange.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/plugins/idrange.py b/ipaserver/plugins/idrange.py index 5b88a6b..c8ea95a 100644 --- a/ipaserver/plugins/idrange.py +++ b/ipaserver/plugins/idrange.py 
@@ -411,7 +411,7 @@ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): # This needs to stay in options since there is no # ipanttrusteddomainname attribute in LDAP -if 'ipanttrusteddomainname' in options: +if options.get('ipanttrusteddomainname'): if is_set('ipanttrusteddomainsid'): raise errors.ValidationError(name='ID Range setup', error=_('Options dom-sid and dom-name ' -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#661][opened] git-commit-template: update ticket url to use pagure.io instead of fe…
URL: https://github.com/freeipa/freeipa/pull/661 Author: flo-renaud Title: #661: git-commit-template: update ticket url to use pagure.io instead of fe… Action: opened PR body: """ …dorahosted.org After the migration to pagure.io, tickets are accessed through another URL. In order to use the commit template: git config commit.template .git-commit-template https://pagure.io/freeipa/issue/6822 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/661/head:pr661 git checkout pr661 From 256270a2eaaa673ac3479341f8b86fb4f80c7263 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud <f...@redhat.com> Date: Tue, 28 Mar 2017 09:25:31 +0200 Subject: [PATCH] git-commit-template: update ticket url to use pagure.io instead of fedorahosted.org After the migration to pagure.io, tickets are accessed through another URL. In order to use the commit template: git config commit.template .git-commit-template https://pagure.io/freeipa/issue/6822 --- .git-commit-template | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.git-commit-template b/.git-commit-template index a5671eb..6076f1a 100644 --- a/.git-commit-template +++ b/.git-commit-template @@ -2,4 +2,4 @@ component: Subject Explanation -https://fedorahosted.org/freeipa/ticket/ +https://pagure.io/freeipa/issue/ -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#659][comment] WebUI: Allow to add certs to certmapping with CERT LINES around
URL: https://github.com/freeipa/freeipa/pull/659 Title: #659: WebUI: Allow to add certs to certmapping with CERT LINES around flo-renaud commented: """ Hi @pvomacka, thank you for the patch, it works as expected. """ See the full comment at https://github.com/freeipa/freeipa/pull/659#issuecomment-289508460
[Freeipa-devel] [freeipa PR#652][opened] dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function
URL: https://github.com/freeipa/freeipa/pull/652 Author: flo-renaud Title: #652: dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function Action: opened PR body: """ dogtag-ipa-ca-renew-agent-submit behaves differently depending on the certificate it needs to renew. For instance, some certificates (such as IPA RA) are the same on all the hosts and the renewal is actually done only on the renewal master. On other nodes, the new cert is downloaded from LDAP. The function is_replicated() is returning the opposite as what it should. If the cert nickname is IPA RA, it should return that the cert is replicated but it doesn't, and this leads to a wrong code path to renew the cert. https://pagure.io/freeipa/issue/6813 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/652/head:pr652 git checkout pr652 From 5dd82ab460e2e54fd1094b7bf97be2e188545f31 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud <f...@redhat.com> Date: Fri, 24 Mar 2017 11:02:33 +0100 Subject: [PATCH] dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function dogtag-ipa-ca-renew-agent-submit behaves differently depending on the certificate it needs to renew. For instance, some certificates (such as IPA RA) are the same on all the hosts and the renewal is actually done only on the renewal master. On other nodes, the new cert is downloaded from LDAP. The function is_replicated() is returning the opposite as what it should. If the cert nickname is IPA RA, it should return that the cert is replicated but it doesn't, and this leads to a wrong code path to renew the cert. https://pagure.io/freeipa/issue/6813 --- install/certmonger/dogtag-ipa-ca-renew-agent-submit | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit index cc690b8..5782db7 100755 --- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit 
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit @@ -119,7 +119,7 @@ def is_renewable(): def is_replicated(): -return not get_nickname() +return bool(get_nickname()) def is_renewal_master(): -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
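Review bot: the hunk flips `not get_nickname()` to `bool(get_nickname())`, matching the description, but an inverted return value going unnoticed suggests is_replicated() has no test coverage; a small unit test asserting True for the IPA RA nickname and False when no nickname is configured would catch a repeat. The function's meaning also rests on get_nickname() returning a falsy value for non-replicated certificates, which deserves a one-line comment above the return.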
[Freeipa-devel] [freeipa PR#635][comment] man ipa-cacert-manage install needs clarification
URL: https://github.com/freeipa/freeipa/pull/635 Title: #635: man ipa-cacert-manage install needs clarification flo-renaud commented: """ Hi @tomaskrizek thank you for the suggestion. PR updated. """ See the full comment at https://github.com/freeipa/freeipa/pull/635#issuecomment-288336324
[Freeipa-devel] [freeipa PR#635][synchronized] man ipa-cacert-manage install needs clarification
URL: https://github.com/freeipa/freeipa/pull/635 Author: flo-renaud Title: #635: man ipa-cacert-manage install needs clarification Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/635/head:pr635 git checkout pr635 From d20d25c7f9f501d0aade12bce48bab941bbd8f01 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud <f...@redhat.com> Date: Wed, 22 Mar 2017 08:49:39 +0100 Subject: [PATCH] man ipa-cacert-manage install needs clarification The customers are often confused by ipa-cacert-manage install. The man page should make it clear that IPA CA is not modified in any way by this command. https://pagure.io/freeipa/issue/6795 --- install/tools/man/ipa-cacert-manage.1 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/install/tools/man/ipa-cacert-manage.1 b/install/tools/man/ipa-cacert-manage.1 index 4515d7c..128edd8 100644 --- a/install/tools/man/ipa-cacert-manage.1 +++ b/install/tools/man/ipa-cacert-manage.1 @@ -46,6 +46,8 @@ When the IPA CA is not configured, this command is not available. .RS This command can be used to install the certificate contained in \fICERTFILE\fR as an additional CA certificate to IPA. .sp +Important: this does not replace IPA CA but adds the provided certificate as a known CA. This is useful for instance when using ipa-server-certinstall to replace HTTP/LDAP certificates with third-party certificates signed by this additional CA. +.sp Please do not forget to run ipa-certupdate on the master, all the replicas and all the clients after this command in order to update IPA certificates databases. .RE .SH "COMMON OPTIONS" -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
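Review bot: the new "Important:" paragraph says what the command does not do (replace the IPA CA) but not what adding a "known CA" means in practice: once the ipa-certupdate step mentioned in the next paragraph has run, every master, replica and client will trust certificates issued by the CA in CERTFILE. The paragraph should say that explicitly and tell the operator to verify the origin of the certificate (for example by checking its fingerprint with the issuer) before installing it, since a wrong or malicious CERTFILE extends trust domain-wide. Minor: marking the word with `.B Important:` would make the warning stand out in the rendered page.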
[Freeipa-devel] [freeipa PR#635][opened] man ipa-cacert-manage install needs clarification
URL: https://github.com/freeipa/freeipa/pull/635 Author: flo-renaud Title: #635: man ipa-cacert-manage install needs clarification Action: opened PR body: """ The customers are often confused by ipa-cacert-manage install. The man page should make it clear that IPA CA is not modified in any way by this command. https://pagure.io/freeipa/issue/6795 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/635/head:pr635 git checkout pr635 From deec2ac832286f6e1f9c29dcb75021cec4c3823e Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud <f...@redhat.com> Date: Wed, 22 Mar 2017 08:49:39 +0100 Subject: [PATCH] man ipa-cacert-manage install needs clarification The customers are often confused by ipa-cacert-manage install. The man page should make it clear that IPA CA is not modified in any way by this command. https://pagure.io/freeipa/issue/6795 --- install/tools/man/ipa-cacert-manage.1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipa-cacert-manage.1 b/install/tools/man/ipa-cacert-manage.1 index 4515d7c..637cef1 100644 --- a/install/tools/man/ipa-cacert-manage.1 +++ b/install/tools/man/ipa-cacert-manage.1 
@@ -44,7 +44,7 @@ When the IPA CA is not configured, this command is not available. \- Install a CA certificate .sp .RS -This command can be used to install the certificate contained in \fICERTFILE\fR as an additional CA certificate to IPA. +This command can be used to install the certificate contained in \fICERTFILE\fR as an additional CA certificate to IPA. Important: this does not replace IPA CA but adds the provided certificate as a known CA. This is useful for instance when using ipa-server-certinstall to replace HTTP/LDAP certificates with third-party certificates signed by this additional CA. .sp Please do not forget to run ipa-certupdate on the master, all the replicas and all the clients after this command in order to update IPA certificates databases. .RE -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
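Review bot: the warning is appended to the same paragraph as the existing description, so the rendered man page runs straight from "additional CA certificate to IPA." into "Important: ..." with no break and the caveat is easy to skim past; put it in its own paragraph with an `.sp` before it, as is already done for the ipa-certupdate reminder that follows it.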
[Freeipa-devel] [freeipa PR#632][opened] ipa-sam: create the gidNumber attribute in the trusted domain entry
URL: https://github.com/freeipa/freeipa/pull/632 Author: flo-renaud Title: #632: ipa-sam: create the gidNumber attribute in the trusted domain entry Action: opened PR body: """ When a trusted domain entry is created, the uidNumber attribute is created but not the gidNumber attribute. This causes samba to log Failed to find a Unix account for DOM-AD$ because the samu structure does not contain a group_sid and is not put in the cache. The fix creates the gidNumber attribute in the trusted domain entry, and initialises the group_sid field in the samu structure returned by ldapsam_getsampwnam. This ensures that the entry is put in the cache. Note that this is only a partial fix for 6660 as it does not prevent _netr_ServerAuthenticate3 from failing with the log _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client VM-AD machine account dom-ad.example.com. https://pagure.io/freeipa/issue/6660 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/632/head:pr632 git checkout pr632 From 4e431ebfcf7a3a03a0a9e30db5db9106c349bdc0 Mon Sep 17 00:00:00 2001 
From: Florence Blanc-Renaud <f...@redhat.com> Date: Tue, 21 Mar 2017 17:33:20 +0100 Subject: [PATCH] ipa-sam: create the gidNumber attribute in the trusted domain entry When a trusted domain entry is created, the uidNumber attribute is created but not the gidNumber attribute. This causes samba to log Failed to find a Unix account for DOM-AD$ because the samu structure does not contain a group_sid and is not put in the cache. The fix creates the gidNumber attribute in the trusted domain entry, and initialises the group_sid field in the samu structure returned by ldapsam_getsampwnam. This ensures that the entry is put in the cache. Note that this is only a partial fix for 6660 as it does not prevent _netr_ServerAuthenticate3 from failing with the log _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client VM-AD machine account dom-ad.example.com. https://pagure.io/freeipa/issue/6660 --- daemons/ipa-sam/ipa_sam.c | 26 ++ 1 file changed, 26 insertions(+) diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c index 4c1fda5..c483ee4 100644 --- a/daemons/ipa-sam/ipa_sam.c +++ b/daemons/ipa-sam/ipa_sam.c @@ -2419,6 +2419,8 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods, if (entry == NULL || sid == NULL) { smbldap_make_mod(priv2ld(ldap_state), entry, , LDAP_ATTRIBUTE_UIDNUMBER, IPA_MAGIC_ID_STR); + smbldap_make_mod(priv2ld(ldap_state), entry, , + LDAP_ATTRIBUTE_GIDNUMBER, IPA_MAGIC_ID_STR); } if (td->netbios_name != NULL) { 
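Review bot: the new smbldap_make_mod for LDAP_ATTRIBUTE_GIDNUMBER sits inside `if (entry == NULL || sid == NULL)`, so only trusted-domain entries created from now on get a gidNumber; entries that already exist on upgraded servers keep the old shape and will keep hitting the "Failed to find a Unix account" path described in the commit message. Either extend the condition so gidNumber is also added when it is missing from an existing entry, or add an upgrade step that fixes existing trusted-domain entries. Smaller point: uidNumber and gidNumber are both set to IPA_MAGIC_ID_STR; a short comment explaining why the same magic ID is correct for both attributes would help the next reader.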
@@ -2823,12 +2825,18 @@ static uint32_t pdb_ipasam_capabilities(struct pdb_methods *methods) return PDB_CAP_STORE_RIDS | PDB_CAP_ADS | PDB_CAP_TRUSTED_DOMAINS_EX; } +static int ipasam_get_primary_group_sid(TALLOC_CTX *mem_ctx, +struct ldapsam_privates *ldap_state, +LDAPMessage *entry, +struct dom_sid **_group_sid); + static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td, LDAPMessage *entry, struct ldapsam_privates *ldap_state) { NTSTATUS status; struct dom_sid *u_sid; + struct dom_sid *g_sid; char *name; char *trustpw = NULL; char *trustpw_utf8 = NULL; @@ -2839,6 +2847,7 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td, bool res; char *sid_str; enum idmap_error_code err; + TALLOC_CTX *tmp_ctx; if (!pdb_set_acct_ctrl(user, ACB_DOMTRUST | ACB_TRUSTED_FOR_DELEGATION, PDB_SET)) { @@ -2884,6 +2893,23 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td, } talloc_free(u_sid); + tmp_ctx= talloc_init("init_sam_from_td"); + if (!tmp_ctx) { + return false; + } + + if (ipasam_get_primary_group_sid(tmp_ctx, ldap_state, entry, _sid) + != 0) { + talloc_free(tmp_ctx); + return false; + } + + if (!pdb_set_group_sid(user, g_sid, PDB_SET)) { + talloc_free(tmp_ctx); + return false; + } + talloc_free(tmp_ctx); + status = get_trust_pwd(user, >trust_auth_incoming, , NULL); if (!NT_STATUS_IS_OK(status)) { return false; -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
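Review bot: in init_sam_from_td the new g_sid is allocated on tmp_ctx and tmp_ctx is freed immediately after `pdb_set_group_sid(user, g_sid, PDB_SET)`, which is only safe if pdb_set_group_sid copies the SID into the samu structure rather than keeping the pointer; the existing `talloc_free(u_sid)` just above follows the same pattern for the user SID, so the setters presumably copy, but please confirm that against the Samba version the module is built with and leave a comment, because a dangling pointer here would corrupt the cached entry the patch is trying to create. Two style points: `talloc_init("init_sam_from_td")` creates an unparented top-level context where `talloc_new(user)` (or a stackframe) would be simpler and tied to the object's lifetime, and the forward declaration of ipasam_get_primary_group_sid added above init_sam_from_td can be avoided by placing the prototype with the other static prototypes; also `tmp_ctx= talloc_init` is missing a space.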
[Freeipa-devel] [freeipa PR#560][comment] rpcserver: x509_login: Handle unsuccessful certificate login gracefully
URL: https://github.com/freeipa/freeipa/pull/560 Title: #560: rpcserver: x509_login: Handle unsuccessful certificate login gracefully flo-renaud commented: """ Hi, the invalid cert login correctly returns 401. """ See the full comment at https://github.com/freeipa/freeipa/pull/560#issuecomment-286688068
[Freeipa-devel] [freeipa PR#560][+ack] rpcserver: x509_login: Handle unsuccessful certificate login gracefully
URL: https://github.com/freeipa/freeipa/pull/560 Title: #560: rpcserver: x509_login: Handle unsuccessful certificate login gracefully Label: +ack
[Freeipa-devel] [freeipa PR#576][opened] Installation must publish CA cert in /usr/share/ipa/html/ca.crt
URL: https://github.com/freeipa/freeipa/pull/576 Author: flo-renaud Title: #576: Installation must publish CA cert in /usr/share/ipa/html/ca.crt Action: opened PR body: """ Regression introduced with commit d124e30. ipa-server-install and ipa-replica-install must publish the CA cert in /usr/share/ipa/html/ca.crt, otherwise the web page http://ipaserver.ipadomain.com/ipa/config/ssbrowser.html has a link to http://ipaserver.ipadomain.com/ipa/config/ca.crt but this file is missing. https://pagure.io/freeipa/issue/6750 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/576/head:pr576 git checkout pr576 From 9f7be115b616f04c9661362770f8662f450b60bc Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud <f...@redhat.com> Date: Mon, 13 Mar 2017 16:12:46 +0100 Subject: [PATCH] Installation must publish CA cert in /usr/share/ipa/html/ca.crt Regression introduced with commit d124e30. ipa-server-install and ipa-replica-install must publish the CA cert in /usr/share/ipa/html/ca.crt, otherwise the web page http://ipaserver.ipadomain.com/ipa/config/ssbrowser.html has a link to http://ipaserver.ipadomain.com/ipa/config/ca.crt but this file is missing. https://pagure.io/freeipa/issue/6750 --- ipaserver/install/httpinstance.py | 6 ++ 1 file changed, 6 insertions(+) diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 3e8fb0c..27d0cfe 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -174,6 +174,7 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None, self.step("configure certmonger for renewals", self.configure_certmonger_renewal_guard) self.step("importing CA certificates from LDAP", self.__import_ca_certs) +self.step("publish CA cert", self.__publish_ca_cert) self.step("clean up any existing httpd ccaches", self.remove_httpd_ccaches) self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd) 
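Review bot: the new step label "publish CA cert" breaks the naming of the surrounding steps, which are all present participles ("importing CA certificates from LDAP", "configuring SELinux for httpd"); use "publishing the CA certificate". The position, right after __import_ca_certs, is the right one, since the published file should reflect the certificates that were just imported.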
@@ -422,6 +423,11 @@ def __import_ca_certs(self): subject_base=self.subject_base) self.import_ca_certs(db, self.ca_is_configured) +def __publish_ca_cert(self): +ca_db = certs.CertDB(self.realm, nssdir=paths.HTTPD_ALIAS_DIR, + subject_base=self.subject_base) +ca_db.publish_ca_cert(paths.CA_CRT) + def is_kdcproxy_configured(self): """Check if KDC proxy has already been configured in the past""" return os.path.isfile(paths.HTTPD_IPA_KDCPROXY_CONF) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
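Review bot: __publish_ca_cert opens a second certs.CertDB on paths.HTTPD_ALIAS_DIR with the same realm and subject_base as the db built in __import_ca_certs directly above it; rather than duplicating the constructor, have __import_ca_certs return its db or factor the CertDB creation into a small helper so both steps are guaranteed to read the same NSS database. Also, because paths.CA_CRT is the file served to anonymous browsers at /ipa/config/ca.crt, check that publish_ca_cert writes it with a mode httpd can read and that the later "configuring SELinux for httpd" step covers its location; a CA file that exists but is unreadable reproduces the broken link this patch is fixing.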
[Freeipa-devel] [freeipa PR#557][comment] certmap: load certificate from file in certmap-match CLI
URL: https://github.com/freeipa/freeipa/pull/557 Title: #557: certmap: load certificate from file in certmap-match CLI flo-renaud commented: """ @HonzaCholasta Sorry, I forgot to ACK. You can push the PR. For the record, Issue [6746](https://pagure.io/freeipa/issue/6746) has been opened for the framework issue. """ See the full comment at https://github.com/freeipa/freeipa/pull/557#issuecomment-286036301
[Freeipa-devel] [freeipa PR#557][comment] certmap: load certificate from file in certmap-match CLI
URL: https://github.com/freeipa/freeipa/pull/557 Title: #557: certmap: load certificate from file in certmap-match CLI flo-renaud commented: """ Hi @HonzaCholasta thank you for this patch. There is a minor issue when --certificate is specified multiple times:
```
ipa certmap-match --certificate $CERT1 --certificate $CERT2
ipa: ERROR: invalid 'certificate': must be binary data
```
Otherwise, it works as expected. """ See the full comment at https://github.com/freeipa/freeipa/pull/557#issuecomment-285307713
[Freeipa-devel] [freeipa PR#516][comment] IdM Server: list all Employees with matching Smart Card
URL: https://github.com/freeipa/freeipa/pull/516 Title: #516: IdM Server: list all Employees with matching Smart Card flo-renaud commented: """ @dkupka I added the following explanation in the doc for certmap_match: """ Search for users matching the provided certificate. This command relies on SSSD to retrieve the list of matching users and may return cached data. For more information on purging SSSD cache, please refer to sss_cache documentation. """ """ See the full comment at https://github.com/freeipa/freeipa/pull/516#issuecomment-285031435
[Freeipa-devel] [freeipa PR#516][synchronized] IdM Server: list all Employees with matching Smart Card
URL: https://github.com/freeipa/freeipa/pull/516 Author: flo-renaud Title: #516: IdM Server: list all Employees with matching Smart Card Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/516/head:pr516 git checkout pr516 From 18fd166aec9da8dda24f0811aae4725a39699b18 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud <f...@redhat.com> Date: Thu, 23 Feb 2017 18:04:47 +0100 Subject: [PATCH] IdM Server: list all Employees with matching Smart Card Implement a new IPA command allowing to retrieve the list of users matching the provided certificate. The command is using SSSD Dbus interface, thus including users from IPA domain and from trusted domains. This requires sssd-dbus package to be installed on IPA server. https://fedorahosted.org/freeipa/ticket/6646 --- API.txt | 12 freeipa.spec.in | 2 + ipaserver/plugins/certmap.py | 166 ++- 3 files changed, 179 insertions(+), 1 deletion(-) diff --git a/API.txt b/API.txt index a8f8ff1..ace3101 100644 --- a/API.txt +++ b/API.txt @@ -824,6 +824,16 @@ option: Str('version?') output: Entry('result') output: Output('summary', type=[, ]) output: PrimaryKey('value') +command: certmap_match/1 +args: 1,3,4 +arg: Bytes('certificate', cli_name='certificate') +option: Flag('all', autofill=True, cli_name='all', default=False) +option: Flag('raw', autofill=True, cli_name='raw', default=False) +option: Str('version?') +output: Output('count', type=[]) +output: ListOfEntries('result') +output: Output('summary', type=[, ]) +output: Output('truncated', type=[]) command: certmapconfig_mod/1 args: 0,8,3 option: Str('addattr*', cli_name='addattr') @@ -6517,6 +6527,8 @@ default: cert_request/1 default: cert_revoke/1 default: cert_show/1 default: cert_status/1 +default: certmap/1 +default: certmap_match/1 default: certmapconfig/1 default: certmapconfig_mod/1 default: certmapconfig_show/1 diff --git a/freeipa.spec.in b/freeipa.spec.in index 5b736b6..cc7422a 100644 
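Review bot: the API.txt hunk declares the input as a single positional `Bytes('certificate', cli_name='certificate')`, so the CLI accepts exactly one certificate per call; if matching several certificates in one request is a use case the argument should be multivalued (`certificate*`), otherwise the single-value limit should be stated in the command's doc. The more important question is authorization: certmap_match returns `ListOfEntries('result')` with `count` and `truncated`, and nothing in the definition ties the result to the caller's read permissions, while the commit message says the lookup spans the IPA domain and trusted domains. Mapping an arbitrary certificate to user names is an enumeration capability, so the PR should state who may run the command and confirm the result is no broader than what the caller could read with user-find.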
--- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -284,6 +284,8 @@ Requires: gzip Requires: oddjob # Require 0.6.0 for the new delegation access control features Requires: gssproxy >= 0.6.0 +# Require 1.15.1 for the certificate identity mapping feature +Requires: sssd-dbus >= 1.15.1 Provides: %{alt_name}-server = %{version} Conflicts: %{alt_name}-server diff --git a/ipaserver/plugins/certmap.py b/ipaserver/plugins/certmap.py index c37eae3..e28b397 100644 --- a/ipaserver/plugins/certmap.py +++ b/ipaserver/plugins/certmap.py @@ -17,9 +17,14 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. +import base64 +import dbus import six -from ipalib import api, errors +from ipalib import api, errors, x509 +from ipalib import Bytes +from ipalib.crud import Search +from ipalib.frontend import Object from ipalib.parameters import Bool, DNSNameParam, Flag, Int, Str from ipalib.plugable import Registry from .baseldap import ( @@ -33,6 +38,7 @@ pkey_to_value) from ipalib import _, ngettext from ipalib import output +from ipaserver.plugins.service import validate_certificate if six.PY3: 
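Review bot: `Requires: sssd-dbus >= 1.15.1` installs the package but does not make the infopipe responder reachable; the ifp service has to be enabled in sssd.conf on the server for the Users interface to answer, so the installer or an upgrade step should enable it, otherwise every certmap-match call will fail with the RemoteRetrieveError raised in the plugin. In the same hunk, `from ipaserver.plugins.service import validate_certificate` pulls a validator out of an unrelated plugin module; if it is generic enough to reuse here it belongs in ipalib, next to the x509 helpers imported on the line above.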
@@ -389,3 +395,161 @@ def execute(self, cn, **options): result=True, value=pkey_to_value(cn, options), ) + + +DBUS_SSSD_NAME = 'org.freedesktop.sssd.infopipe' +DBUS_PROPERTY_IF = 'org.freedesktop.DBus.Properties' +DBUS_SSSD_USERS_PATH = '/org/freedesktop/sssd/infopipe/Users' +DBUS_SSSD_USERS_IF = 'org.freedesktop.sssd.infopipe.Users' +DBUS_SSSD_USER_IF = 'org.freedesktop.sssd.infopipe.Users.User' + + +class _sssd(object): +""" +Auxiliary class for SSSD infopipe DBus. +""" +def __init__(self, log): +""" +Initialize the Users object and interface. + + :raise RemoteRetrieveError: if DBus error occurs +""" +try: +self.log = log +self._bus = dbus.SystemBus() +self._users_obj = self._bus.get_object( +DBUS_SSSD_NAME, DBUS_SSSD_USERS_PATH) +self._users_iface = dbus.Interface( +self._users_obj, DBUS_SSSD_USERS_IF) +except dbus.DBusException as e: +self.log.error( +'Failed to initialize DBus interface {iface}. DBus ' +'exception is {exc}.'.format(iface=DBUS_SSSD_USERS_IF, exc=e) +) +raise errors.RemoteRetrieveError( +reason=_('Failed to connect to sssd over SystemBus. ' + 'See details in the error_log')) + +def list_users_by_cert(self, cert): +""" +Look for users matching the cert. + +Call Users.ListByCertificate interface and return a dict +with key
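Review bot: _sssd.__init__ logs the full DBusException with log.error and raises a RemoteRetrieveError whose reason only says "See details in the error_log"; that split is right (bus internals stay out of the client-facing message), but `self.log = log` is assigned inside the try block on which the except clause's `self.log.error(...)` depends, so move the assignment above the try to make the dependency obvious. Because a new SystemBus connection and Users proxy are created per request, also consider passing an explicit timeout on the ListByCertificate call so a hung sssd does not hold an httpd worker indefinitely. The hunk is cut off inside list_users_by_cert, so its handling of an empty or truncated result cannot be reviewed here.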
[Freeipa-devel] [freeipa PR#516][comment] IdM Server: list all Employees with matching Smart Card
URL: https://github.com/freeipa/freeipa/pull/516 Title: #516: IdM Server: list all Employees with matching Smart Card flo-renaud commented: """ Hi @dkupka As the goal of this command is to return exactly the same list of users as SSSD would consider for authentication, IMHO it is expected that we may have a cached list instead of an up-to-date list of results, because sssd authentication would have the same result. """ See the full comment at https://github.com/freeipa/freeipa/pull/516#issuecomment-284775400
[Freeipa-devel] [freeipa PR#516][comment] IdM Server: list all Employees with matching Smart Card
URL: https://github.com/freeipa/freeipa/pull/516 Title: #516: IdM Server: list all Employees with matching Smart Card flo-renaud commented: """ Hi @HonzaCholasta sorry I overlooked the change for count. It's updated now, thank you for the review. """ See the full comment at https://github.com/freeipa/freeipa/pull/516#issuecomment-284655430
[Freeipa-devel] [freeipa PR#516][synchronized] IdM Server: list all Employees with matching Smart Card
URL: https://github.com/freeipa/freeipa/pull/516 Author: flo-renaud Title: #516: IdM Server: list all Employees with matching Smart Card Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/516/head:pr516 git checkout pr516 From 409dbe59d7b47806677db679eeb337186aeaa47c Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud <f...@redhat.com> Date: Thu, 23 Feb 2017 18:04:47 +0100 Subject: [PATCH] IdM Server: list all Employees with matching Smart Card Implement a new IPA command allowing to retrieve the list of users matching the provided certificate. The command is using SSSD Dbus interface, thus including users from IPA domain and from trusted domains. This requires sssd-dbus package to be installed on IPA server. https://fedorahosted.org/freeipa/ticket/6646 --- API.txt | 12 freeipa.spec.in | 2 + ipaserver/plugins/certmap.py | 160 ++- 3 files changed, 173 insertions(+), 1 deletion(-) diff --git a/API.txt b/API.txt index a8f8ff1..ace3101 100644 --- a/API.txt +++ b/API.txt @@ -824,6 +824,16 @@ option: Str('version?') output: Entry('result') output: Output('summary', type=[, ]) output: PrimaryKey('value') +command: certmap_match/1 +args: 1,3,4 +arg: Bytes('certificate', cli_name='certificate') +option: Flag('all', autofill=True, cli_name='all', default=False) +option: Flag('raw', autofill=True, cli_name='raw', default=False) +option: Str('version?') +output: Output('count', type=[]) +output: ListOfEntries('result') +output: Output('summary', type=[, ]) +output: Output('truncated', type=[]) command: certmapconfig_mod/1 args: 0,8,3 option: Str('addattr*', cli_name='addattr') @@ -6517,6 +6527,8 @@ default: cert_request/1 default: cert_revoke/1 default: cert_show/1 default: cert_status/1 +default: certmap/1 +default: certmap_match/1 default: certmapconfig/1 default: certmapconfig_mod/1 default: certmapconfig_show/1 diff --git a/freeipa.spec.in b/freeipa.spec.in index 5b736b6..cc7422a 100644 
--- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -284,6 +284,8 @@ Requires: gzip Requires: oddjob # Require 0.6.0 for the new delegation access control features Requires: gssproxy >= 0.6.0 +# Require 1.15.1 for the certificate identity mapping feature +Requires: sssd-dbus >= 1.15.1 Provides: %{alt_name}-server = %{version} Conflicts: %{alt_name}-server diff --git a/ipaserver/plugins/certmap.py b/ipaserver/plugins/certmap.py index c37eae3..fc26586 100644 --- a/ipaserver/plugins/certmap.py +++ b/ipaserver/plugins/certmap.py @@ -17,9 +17,14 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. +import base64 +import dbus import six -from ipalib import api, errors +from ipalib import api, errors, x509 +from ipalib import Bytes +from ipalib.crud import Search +from ipalib.frontend import Object from ipalib.parameters import Bool, DNSNameParam, Flag, Int, Str from ipalib.plugable import Registry from .baseldap import ( @@ -33,6 +38,7 @@ pkey_to_value) from ipalib import _, ngettext from ipalib import output +from ipaserver.plugins.service import validate_certificate if six.PY3: 
@@ -389,3 +395,155 @@ def execute(self, cn, **options): result=True, value=pkey_to_value(cn, options), ) + + +DBUS_SSSD_NAME = 'org.freedesktop.sssd.infopipe' +DBUS_PROPERTY_IF = 'org.freedesktop.DBus.Properties' +DBUS_SSSD_USERS_PATH = '/org/freedesktop/sssd/infopipe/Users' +DBUS_SSSD_USERS_IF = 'org.freedesktop.sssd.infopipe.Users' +DBUS_SSSD_USER_IF = 'org.freedesktop.sssd.infopipe.Users.User' + + +class _sssd(object): +""" +Auxiliary class for SSSD infopipe DBus. +""" +def __init__(self, log): +""" +Initialize the Users object and interface. + + :raise RemoteRetrieveError: if DBus error occurs +""" +try: +self.log = log +self._bus = dbus.SystemBus() +self._users_obj = self._bus.get_object( +DBUS_SSSD_NAME, DBUS_SSSD_USERS_PATH) +self._users_iface = dbus.Interface( +self._users_obj, DBUS_SSSD_USERS_IF) +except dbus.DBusException as e: +self.log.error( +'Failed to initialize DBus interface {iface}. DBus ' +'exception is {exc}.'.format(iface=DBUS_SSSD_USERS_IF, exc=e) +) +raise errors.RemoteRetrieveError( +reason=_('Failed to connect to sssd over SystemBus. ' + 'See details in the error_log')) + +def list_users_by_cert(self, cert): +""" +Look for users matching the cert. + +Call Users.ListByCertificate interface and return a dict +with key
[Freeipa-devel] [freeipa PR#516][comment] IdM Server: list all Employees with matching Smart Card
URL: https://github.com/freeipa/freeipa/pull/516 Title: #516: IdM Server: list all Employees with matching Smart Card flo-renaud commented: """ Hi @HonzaCholasta thank you for your comments. Patch rebased. """ See the full comment at https://github.com/freeipa/freeipa/pull/516#issuecomment-284487975
[Freeipa-devel] [freeipa PR#516][synchronized] IdM Server: list all Employees with matching Smart Card
URL: https://github.com/freeipa/freeipa/pull/516 Author: flo-renaud Title: #516: IdM Server: list all Employees with matching Smart Card Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/516/head:pr516 git checkout pr516 From b3ec9b90d80171bda58dbeded59ae6e400dbc7ec Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud <f...@redhat.com> Date: Thu, 23 Feb 2017 18:04:47 +0100 Subject: [PATCH] IdM Server: list all Employees with matching Smart Card Implement a new IPA command allowing to retrieve the list of users matching the provided certificate. The command is using SSSD Dbus interface, thus including users from IPA domain and from trusted domains. This requires sssd-dbus package to be installed on IPA server. https://fedorahosted.org/freeipa/ticket/6646 --- API.txt | 12 freeipa.spec.in | 2 + ipaserver/plugins/certmap.py | 160 ++- 3 files changed, 173 insertions(+), 1 deletion(-) diff --git a/API.txt b/API.txt index a8f8ff1..ace3101 100644 --- a/API.txt +++ b/API.txt @@ -824,6 +824,16 @@ option: Str('version?') output: Entry('result') output: Output('summary', type=[, ]) output: PrimaryKey('value') +command: certmap_match/1 +args: 1,3,4 +arg: Bytes('certificate', cli_name='certificate') +option: Flag('all', autofill=True, cli_name='all', default=False) +option: Flag('raw', autofill=True, cli_name='raw', default=False) +option: Str('version?') +output: Output('count', type=[]) +output: ListOfEntries('result') +output: Output('summary', type=[, ]) +output: Output('truncated', type=[]) command: certmapconfig_mod/1 args: 0,8,3 option: Str('addattr*', cli_name='addattr') @@ -6517,6 +6527,8 @@ default: cert_request/1 default: cert_revoke/1 default: cert_show/1 default: cert_status/1 +default: certmap/1 +default: certmap_match/1 default: certmapconfig/1 default: certmapconfig_mod/1 default: certmapconfig_show/1 diff --git a/freeipa.spec.in b/freeipa.spec.in index 5b736b6..cc7422a 100644 
--- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -284,6 +284,8 @@ Requires: gzip Requires: oddjob # Require 0.6.0 for the new delegation access control features Requires: gssproxy >= 0.6.0 +# Require 1.15.1 for the certificate identity mapping feature +Requires: sssd-dbus >= 1.15.1 Provides: %{alt_name}-server = %{version} Conflicts: %{alt_name}-server diff --git a/ipaserver/plugins/certmap.py b/ipaserver/plugins/certmap.py index c37eae3..f04b3fc 100644 --- a/ipaserver/plugins/certmap.py +++ b/ipaserver/plugins/certmap.py @@ -17,9 +17,14 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. +import base64 +import dbus import six -from ipalib import api, errors +from ipalib import api, errors, x509 +from ipalib import Bytes +from ipalib.crud import Search +from ipalib.frontend import Object from ipalib.parameters import Bool, DNSNameParam, Flag, Int, Str from ipalib.plugable import Registry from .baseldap import ( @@ -33,6 +38,7 @@ pkey_to_value) from ipalib import _, ngettext from ipalib import output +from ipaserver.plugins.service import validate_certificate if six.PY3: 
@@ -389,3 +395,155 @@ def execute(self, cn, **options): result=True, value=pkey_to_value(cn, options), ) + + +DBUS_SSSD_NAME = 'org.freedesktop.sssd.infopipe' +DBUS_PROPERTY_IF = 'org.freedesktop.DBus.Properties' +DBUS_SSSD_USERS_PATH = '/org/freedesktop/sssd/infopipe/Users' +DBUS_SSSD_USERS_IF = 'org.freedesktop.sssd.infopipe.Users' +DBUS_SSSD_USER_IF = 'org.freedesktop.sssd.infopipe.Users.User' + + +class _sssd(object): +""" +Auxiliary class for SSSD infopipe DBus. +""" +def __init__(self, log): +""" +Initialize the Users object and interface. + + :raise RemoteRetrieveError: if DBus error occurs +""" +try: +self.log = log +self._bus = dbus.SystemBus() +self._users_obj = self._bus.get_object( +DBUS_SSSD_NAME, DBUS_SSSD_USERS_PATH) +self._users_iface = dbus.Interface( +self._users_obj, DBUS_SSSD_USERS_IF) +except dbus.DBusException as e: +self.log.error( +'Failed to initialize DBus interface {iface}. DBus ' +'exception is {exc}.'.format(iface=DBUS_SSSD_USERS_IF, exc=e) +) +raise errors.RemoteRetrieveError( +reason=_('Failed to connect to sssd over SystemBus. ' + 'See details in the error_log')) + +def list_users_by_cert(self, cert): +""" +Look for users matching the cert. + +Call Users.ListByCertificate interface and return a dict +with key
[Freeipa-devel] [freeipa PR#519][+ack] WebUI: add sizelimit:0 to cert-find
URL: https://github.com/freeipa/freeipa/pull/519 Title: #519: WebUI: add sizelimit:0 to cert-find Label: +ack
[Freeipa-devel] [freeipa PR#519][comment] WebUI: add sizelimit:0 to cert-find
URL: https://github.com/freeipa/freeipa/pull/519 Title: #519: WebUI: add sizelimit:0 to cert-find flo-renaud commented: """ Hi @pvomacka, thank you, the fix works as expected. """ See the full comment at https://github.com/freeipa/freeipa/pull/519#issuecomment-283949286
[Freeipa-devel] [freeipa PR#516][comment] IdM Server: list all Employees with matching Smart Card
URL: https://github.com/freeipa/freeipa/pull/516 Title: #516: IdM Server: list all Employees with matching Smart Card flo-renaud commented: """ @abbra, Thanks for your comment. Running in permissive mode I did not see any AVC logged in the journal. @HonzaCholasta thanks for the tips re. writing API. I have followed your advice and made certificate a positional argument. The output will look like this:
```
---
2 users matched
---
Domain: DOM-076.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
Usernames: user1, user2
Number of entries returned 2
```
""" See the full comment at https://github.com/freeipa/freeipa/pull/516#issuecomment-283642083
[Freeipa-devel] [freeipa PR#400][comment] WebUI: Certificate Mapping
URL: https://github.com/freeipa/freeipa/pull/400 Title: #400: WebUI: Certificate Mapping flo-renaud commented: """ Hi @pvomacka thank you, LGTM. """ See the full comment at https://github.com/freeipa/freeipa/pull/400#issuecomment-283923415
[Freeipa-devel] [freeipa PR#536][opened] ipa systemd unit should define Wants=network instead of Requires=network
URL: https://github.com/freeipa/freeipa/pull/536 Author: flo-renaud Title: #536: ipa systemd unit should define Wants=network instead of Requires=network Action: opened PR body: """ The file ipa.service defines Requires=network.target which means that ipa stack will be restarted each time the network stack is restarted. This is not needed, and Wants=network.target will be sufficient. https://fedorahosted.org/freeipa/ticket/6723 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/536/head:pr536 git checkout pr536 From 28c3604dc5715d72f5dbd7e751db4a264ae261dd Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud <f...@redhat.com> Date: Fri, 3 Mar 2017 09:33:39 +0100 Subject: [PATCH] ipa systemd unit should define Wants=network instead of Requires=network The file ipa.service defines Requires=network.target which means that ipa stack will be restarted each time the network stack is restarted. This is not needed, and Wants=network.target will be sufficient. https://fedorahosted.org/freeipa/ticket/6723 --- init/systemd/ipa.service.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/init/systemd/ipa.service.in b/init/systemd/ipa.service.in index ceb360c..a872ad1 100644 --- a/init/systemd/ipa.service.in +++ b/init/systemd/ipa.service.in @@ -1,6 +1,6 @@ [Unit] Description=Identity, Policy, Audit -Requires=network.target +Wants=network.target Wants=gssproxy.service After=network.target -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
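Review bot: after this hunk the [Unit] section carries two separate `Wants=` lines (`Wants=network.target` followed by the existing `Wants=gssproxy.service`); systemd accepts repeated directives, but merging them into one `Wants=network.target gssproxy.service` line keeps the unit readable and makes the dependency list visible at a glance. The existing `After=network.target` is untouched, so start ordering is preserved and the change only removes the stop/restart propagation that `Requires=` carried.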
[Freeipa-devel] [freeipa PR#516][synchronized] IdM Server: list all Employees with matching Smart Card
URL: https://github.com/freeipa/freeipa/pull/516 Author: flo-renaud Title: #516: IdM Server: list all Employees with matching Smart Card Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/516/head:pr516 git checkout pr516 From 2bf231a8dbdf5f8e1e0177093bc7559b127fdf7d Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud <f...@redhat.com> Date: Tue, 20 Dec 2016 16:21:58 +0100 Subject: [PATCH 1/2] Support for Certificate Identity Mapping See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping https://fedorahosted.org/freeipa/ticket/6542 --- ACI.txt| 16 +- API.txt| 181 + VERSION.m4 | 4 +- install/share/73certmap.ldif | 14 ++ install/share/Makefile.am | 1 + install/updates/73-certmap.update | 23 +++ install/updates/Makefile.am| 1 + ipalib/constants.py| 2 + ipapython/dn.py| 8 +- ipaserver/install/dsinstance.py| 1 + ipaserver/plugins/baseuser.py | 174 - ipaserver/plugins/certmap.py | 391 + ipaserver/plugins/stageuser.py | 16 +- ipaserver/plugins/user.py | 23 ++- ipatests/test_ipapython/test_dn.py | 20 ++ 15 files changed, 862 insertions(+), 13 deletions(-) create mode 100644 install/share/73certmap.ldif create mode 100644 install/updates/73-certmap.update create mode 100644 ipaserver/plugins/certmap.py diff --git a/ACI.txt b/ACI.txt index 0b47489..a36d460 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -40,6 +40,18 @@ dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetattr = "cn || description || ipaenabledflag")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Modify CA ACL";allow (write) groupdn = "ldap:///cn=System: Modify CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetattr = "cn || createtimestamp || description || entryusn || hostcategory || ipacacategory || ipacertprofilecategory || ipaenabledflag || ipamemberca || ipamembercertprofile || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Read CA ACLs";allow (compare,read,search) userdn = "ldap:///all;;) +dn: cn=certmap,dc=ipa,dc=example +aci: (targetattr = "ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Modify Certmap Configuration";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmap,dc=ipa,dc=example +aci: (targetattr = "cn || ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Read Certmap Configuration";allow (compare,read,search) userdn = "ldap:///all;;) +dn: cn=certmaprules,cn=certmap,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Add Certmap Rules";allow (add) groupdn = "ldap:///cn=System: Add Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Delete Certmap Rules";allow (delete) groupdn = "ldap:///cn=System: Delete Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,dc=ipa,dc=example +aci: (targetattr 
= "associateddomain || cn || description || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Modify Certmap Rules";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,dc=ipa,dc=example +aci: (targetattr = "associateddomain || cn || createtimestamp || description || entryusn || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Read Certmap Rules";allow (compare,read,search) userdn = "ldap:///all;;) dn: cn=certprofiles,cn=ca,dc=ipa,dc=example aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Delete Certificate Profile";allow (delete) groupdn = "ldap:///cn=System:
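Review bot: the "System: Modify Certmap Rules" ACI in this hunk lists `objectclass` in its targetattr, whereas the neighbouring "System: Modify CA ACL" permission above it grants write only on `cn || description || ipaenabledflag`. Write access to `objectclass` lets a holder of the modify permission change which object classes a rule entry carries, which is more than a rule edit needs; if `certmaprule-mod` never alters the objectclass list, drop `objectclass` from the modify ACI (keep it in the read ACI) so the permission stays minimal and consistent with the other System: Modify permissions in ACI.txt.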
[Freeipa-devel] [freeipa PR#516][comment] IdM Server: list all Employees with matching Smart Card
URL: https://github.com/freeipa/freeipa/pull/516 Title: #516: IdM Server: list all Employees with matching Smart Card flo-renaud commented: """ Hi @simo5 The command must also be able to return matching entries coming from trusted domains, and SSSD is able to handle this part for us. """ See the full comment at https://github.com/freeipa/freeipa/pull/516#issuecomment-283265803
[Freeipa-devel] [freeipa PR#516][comment] IdM Server: list all Employees with matching Smart Card
URL: https://github.com/freeipa/freeipa/pull/516 Title: #516: IdM Server: list all Employees with matching Smart Card flo-renaud commented: """ Note: this PR is work in progress. It requires PR#398 Support for Certificate Identity Mapping and sssd patches not pushed yet. """ See the full comment at https://github.com/freeipa/freeipa/pull/516#issuecomment-282993240
[Freeipa-devel] [freeipa PR#516][opened] IdM Server: list all Employees with matching Smart Card
URL: https://github.com/freeipa/freeipa/pull/516 Author: flo-renaud Title: #516: IdM Server: list all Employees with matching Smart Card Action: opened PR body: """ Implement a new IPA command allowing to retrieve the list of users matching the provided certificate. The command is using SSSD Dbus interface, thus including users from IPA domain and from trusted domains. This requires sssd-dbus package to be installed on IPA server. https://fedorahosted.org/freeipa/ticket/6646 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/516/head:pr516 git checkout pr516 From 05f93e155e44aeb00d7af67f02af4e1d5a96bda8 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud <f...@redhat.com> Date: Tue, 20 Dec 2016 16:21:58 +0100 Subject: [PATCH 1/2] Support for Certificate Identity Mapping See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping https://fedorahosted.org/freeipa/ticket/6542 --- ACI.txt| 16 +- API.txt| 181 + VERSION.m4 | 4 +- install/share/73certmap.ldif | 14 ++ install/share/Makefile.am | 1 + install/updates/73-certmap.update | 23 +++ install/updates/Makefile.am| 1 + ipalib/constants.py| 2 + ipapython/dn.py| 8 +- ipaserver/install/dsinstance.py| 1 + ipaserver/plugins/baseuser.py | 174 - ipaserver/plugins/certmap.py | 391 + ipaserver/plugins/stageuser.py | 16 +- ipaserver/plugins/user.py | 23 ++- ipatests/test_ipapython/test_dn.py | 20 ++ 15 files changed, 862 insertions(+), 13 deletions(-) create mode 100644 install/share/73certmap.ldif create mode 100644 install/updates/73-certmap.update create mode 100644 ipaserver/plugins/certmap.py diff --git a/ACI.txt b/ACI.txt index 0b47489..a36d460 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -40,6 +40,18 @@ dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetattr = "cn || description || ipaenabledflag")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Modify CA ACL";allow (write) groupdn = "ldap:///cn=System: Modify CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetattr = "cn || createtimestamp || description || entryusn || hostcategory || ipacacategory || ipacertprofilecategory || ipaenabledflag || ipamemberca || ipamembercertprofile || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Read CA ACLs";allow (compare,read,search) userdn = "ldap:///all;;) +dn: cn=certmap,dc=ipa,dc=example +aci: (targetattr = "ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Modify Certmap Configuration";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmap,dc=ipa,dc=example +aci: (targetattr = "cn || ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Read Certmap Configuration";allow (compare,read,search) userdn = "ldap:///all;;) +dn: cn=certmaprules,cn=certmap,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Add Certmap Rules";allow (add) groupdn = "ldap:///cn=System: Add Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Delete Certmap Rules";allow (delete) groupdn = "ldap:///cn=System: Delete Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,dc=ipa,dc=example +aci: (targetattr 
= "associateddomain || cn || description || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Modify Certmap Rules";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,dc=ipa,dc=example +aci: (targetattr = "associateddomain || cn || createtimestamp || description || entryusn || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3
[Freeipa-devel] [freeipa PR#400][comment] WebUI: Certificate Mapping
URL: https://github.com/freeipa/freeipa/pull/400 Title: #400: WebUI: Certificate Mapping flo-renaud commented: """ Hi @pvomacka Thank you for the updated PR. I probably wrongly advised you to replace 'usercertificate' with 'certificate' in one extra place where it was not needed, because now the "Certificates" field of the user details page no longer displays the full certificates. My bad... Apart from that, everything works as expected. Thanks! """ See the full comment at https://github.com/freeipa/freeipa/pull/400#issuecomment-282989454
[Freeipa-devel] [freeipa PR#508][comment] Fix ipa.service unit re. gssproxy
URL: https://github.com/freeipa/freeipa/pull/508 Title: #508: Fix ipa.service unit re. gssproxy flo-renaud commented: """ @simo5 @abbra I agree but this should be tracked in a separate issue. """ See the full comment at https://github.com/freeipa/freeipa/pull/508#issuecomment-282761362
[Freeipa-devel] [freeipa PR#412][comment] Define template version in certmap.conf
URL: https://github.com/freeipa/freeipa/pull/412 Title: #412: Define template version in certmap.conf flo-renaud commented: """ Hi @MartinBasti , patch rebased """ See the full comment at https://github.com/freeipa/freeipa/pull/412#issuecomment-282469593
[Freeipa-devel] [freeipa PR#412][synchronized] Define template version in certmap.conf
URL: https://github.com/freeipa/freeipa/pull/412 Author: flo-renaud Title: #412: Define template version in certmap.conf Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/412/head:pr412 git checkout pr412 From 62936511fcb167bf82e5e6f5ff6995101003028d Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud <f...@redhat.com> Date: Mon, 23 Jan 2017 18:06:53 +0100 Subject: [PATCH] Define template version in certmap.conf A previous commit (ffb9a09a0d63f7edae2b647b5c1d503d1d4d7a6e) removed the definition of VERSION 2 in certmap.conf.template. ipa-server-upgrade tool compares the template version with the version in certmap.conf. As VERSION is not defined in either file, it concludes that version = 0 for both and does not make a backup of certmap.conf even though it prints that it will. The fix re-defines VERSION in the template and adapts the code because the template has changed (it is using $ISSUER_DN instead of CN=Certificate Authority,$SUBJECT_BASE). The fix also logs an error when a template file is not versioned. https://fedorahosted.org/freeipa/ticket/6354 --- install/share/certmap.conf.template | 4 ipaserver/install/server/upgrade.py | 5 - 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/install/share/certmap.conf.template b/install/share/certmap.conf.template index d59b095..bf4f4d0 100644 --- a/install/share/certmap.conf.template +++ b/install/share/certmap.conf.template @@ -1,3 +1,7 @@ +# VERSION 3 - DO NOT REMOVE THIS LINE +# +# This file is managed by IPA and will be overwritten on upgrades. +# # # This file configures how a certificate is mapped to an LDAP entry. See the # documentation for more information on this file. diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 90c2be2..a077c13 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py 
@@ -169,6 +169,9 @@ def upgrade_file(sub_dict, filename, template, add=False): if new < 0: root_logger.error("%s not found." % template) +if new == 0: +root_logger.error("Template %s is not versioned." % template) + if old == 0: # The original file does not have a VERSION entry. This means it's now # managed by IPA, but previously was not. @@ -1558,7 +1561,7 @@ def upgrade_configuration(): subject_base = find_subject_base() if subject_base: -sub_dict['SUBJECT_BASE'] = subject_base +sub_dict['ISSUER_DN'] = 'CN=Certificate Authority,' + subject_base ca = cainstance.CAInstance( api.env.realm, host_name=api.env.host) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
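Review bot: the second upgrade.py hunk renames the substitution key from `sub_dict['SUBJECT_BASE']` to `sub_dict['ISSUER_DN']` and drops the old key entirely; any other template rendered by `upgrade_configuration()` that still references `$SUBJECT_BASE` will now fail (or keep a literal `$SUBJECT_BASE`) at upgrade time. Either keep both keys in `sub_dict` or confirm in the commit message that certmap.conf.template was the only consumer of `$SUBJECT_BASE`.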
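Review bot: in the first upgrade.py hunk, `if new == 0: root_logger.error("Template %s is not versioned." % template)` logs and then falls through into the `old == 0` handling and the version comparison, exactly as the `new < 0` ("not found") case above it does. With `new == 0` no numeric comparison can ever decide that the installed file is outdated, so consider returning (or raising) right after the error instead of continuing, and say in the docstring of `upgrade_file` that an unversioned template is treated as a hard error.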
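The commit message above describes the failure mode: when neither the template nor the installed file carries a `# VERSION N` line, both compare as version 0 and the upgrade silently does nothing. The following is an added illustration of that check and of the placeholder mismatch the second hunk fixes. It is example code, not FreeIPA's `upgrade_file()`; the file contents, the `issuer_dn = $ISSUER_DN` sample line and the helper names are constructed for the example.

```python
# Added illustration of a "# VERSION N" template check, in the spirit of the
# ipa-server-upgrade behaviour described in the commit message.  This is
# example code, not FreeIPA's upgrade_file(); file contents and helper names
# are constructed for the example.
import re
from string import Template

# A managed file declares its version in a leading comment line.
VERSION_RE = re.compile(r'^#\s*VERSION\s+(\d+)', re.MULTILINE)
# $NAME or ${NAME} placeholders that a template expects the caller to supply.
PLACEHOLDER_RE = re.compile(r'\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?')


def get_version(text):
    """Version number from the first '# VERSION N' line, or 0 if absent.

    0 is what an unmanaged (never versioned) file reports, so it has to be
    handled as a special case rather than compared numerically."""
    m = VERSION_RE.search(text)
    return int(m.group(1)) if m else 0


def plan_upgrade(template_text, installed_text):
    """Decide what an upgrade should do with an installed file.

    'error'   : the template itself has no VERSION line; comparing against
                0 would never trigger an upgrade, so refuse instead of
                silently doing nothing (the failure mode behind the patch)
    'adopt'   : installed file unversioned: back it up, install template
    'upgrade' : template newer than installed copy: back up, install
    'keep'    : installed copy already at (or beyond) template version
    """
    new = get_version(template_text)
    old = get_version(installed_text)
    if new == 0:
        return 'error'
    if old == 0:
        return 'adopt'
    if new > old:
        return 'upgrade'
    return 'keep'


def missing_placeholders(template_text, sub_dict):
    """Placeholders the template uses that sub_dict does not define.

    Catches the kind of mismatch the second hunk addresses: a template that
    switched to $ISSUER_DN while the caller still only supplies
    $SUBJECT_BASE."""
    return sorted(set(PLACEHOLDER_RE.findall(template_text)) - set(sub_dict))


def render(template_text, sub_dict):
    """Fill in placeholders.  Template.substitute raises KeyError on any
    placeholder missing from sub_dict instead of leaving '$NAME' behind."""
    return Template(template_text).substitute(sub_dict)


# Constructed sample files (not the real certmap.conf syntax).
TEMPLATE_V3 = (
    "# VERSION 3 - DO NOT REMOVE THIS LINE\n"
    "issuer_dn = $ISSUER_DN\n"
)
TEMPLATE_UNVERSIONED = "issuer_dn = $ISSUER_DN\n"
INSTALLED_UNVERSIONED = "issuer_dn = CN=Certificate Authority,O=EXAMPLE.COM\n"
INSTALLED_V3 = TEMPLATE_V3.replace(
    "$ISSUER_DN", "CN=Certificate Authority,O=EXAMPLE.COM")
SUB_DICT = {'ISSUER_DN': 'CN=Certificate Authority,O=EXAMPLE.COM'}

if __name__ == '__main__':
    print(plan_upgrade(TEMPLATE_UNVERSIONED, INSTALLED_UNVERSIONED))  # error
    print(plan_upgrade(TEMPLATE_V3, INSTALLED_UNVERSIONED))          # adopt
    print(missing_placeholders(TEMPLATE_V3, {'SUBJECT_BASE': 'O=EXAMPLE.COM'}))
    print(render(TEMPLATE_V3, SUB_DICT), end='')
```

`plan_upgrade` returns `'error'` for an unversioned template rather than treating it as version 0, and `missing_placeholders` is the pre-flight check that would have flagged a `sub_dict` still keyed on `SUBJECT_BASE` before `render` raised at upgrade time.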
[Freeipa-devel] [freeipa PR#508][opened] Fix ipa.service unit re. gssproxy
URL: https://github.com/freeipa/freeipa/pull/508 Author: flo-renaud Title: #508: Fix ipa.service unit re. gssproxy Action: opened PR body: """ ipa.service unit defines Requires=gssproxy. Because of this, during ipa-server-upgrade, the restart of gssproxy triggers a restart of ipa unit (hence stopping LDAP server and breaking the connection api.Backend.ldap2). Calls using this connection after gssproxy restart fail and ipa-server-upgrade exits on failure. The fix defines Wants=gssproxy to avoid the restart of ipa.service https://fedorahosted.org/freeipa/ticket/6705 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/508/head:pr508 git checkout pr508 From 44748f2fea7a602c3d047a593738274c285e2847 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud <f...@redhat.com> Date: Fri, 24 Feb 2017 22:04:42 +0100 Subject: [PATCH] Fix ipa.service unit re. gssproxy ipa.service unit defines Requires=gssproxy. Because of this, during ipa-server-upgrade, the restart of gssproxy triggers a restart of ipa unit (hence stopping LDAP server and breaking the connection api.Backend.ldap2). Calls using this connection after gssproxy restart fail and ipa-server-upgrade exits on failure. The fix defines Wants=gssproxy to avoid the restart of ipa.service https://fedorahosted.org/freeipa/ticket/6705 --- init/systemd/ipa.service.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/init/systemd/ipa.service.in b/init/systemd/ipa.service.in index 4c924d5..ceb360c 100644 --- a/init/systemd/ipa.service.in +++ b/init/systemd/ipa.service.in @@ -1,7 +1,7 @@ [Unit] Description=Identity, Policy, Audit Requires=network.target -Requires=gssproxy.service +Wants=gssproxy.service After=network.target [Service] -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
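Review bot: neither before nor after this hunk does the [Unit] section declare `After=gssproxy.service`; `Requires=` and `Wants=` only pull the unit in, they do not order it, so with this change ipa.service can still start before gssproxy is up. If the IPA services started by the unit need gssproxy running first, add `After=gssproxy.service` alongside the new `Wants=gssproxy.service` line; if they do not, a one-line comment in the unit saying so would save the next reader from asking.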
[Freeipa-devel] [freeipa PR#412][comment] Define template version in certmap.conf
URL: https://github.com/freeipa/freeipa/pull/412 Title: #412: Define template version in certmap.conf flo-renaud commented: """ Bump for review """ See the full comment at https://github.com/freeipa/freeipa/pull/412#issuecomment-281931336
[Freeipa-devel] [freeipa PR#496][+ack] Use newer Certificate.serial_number in krainstance.py
URL: https://github.com/freeipa/freeipa/pull/496 Title: #496: Use newer Certificate.serial_number in krainstance.py Label: +ack
[Freeipa-devel] [freeipa PR#496][comment] Use newer Certificate.serial_number in krainstance.py
URL: https://github.com/freeipa/freeipa/pull/496 Title: #496: Use newer Certificate.serial_number in krainstance.py flo-renaud commented: """ Hi @stlaz , the warning `/usr/lib/python2.7/site-packages/ipaserver/install/krainstance.py:316: DeprecationWarning: Certificate serial is deprecated, use serial_number instead.` is not present anymore. ACK. """ See the full comment at https://github.com/freeipa/freeipa/pull/496#issuecomment-281928293
[Freeipa-devel] [freeipa PR#398][comment] Support for Certificate Identity Mapping
URL: https://github.com/freeipa/freeipa/pull/398 Title: #398: Support for Certificate Identity Mapping flo-renaud commented: """ Hi @sumit-bose , I am not able to reproduce this issue:
```
[root@vm-161 ~]# kinit -k
[root@vm-161 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_h6XRpeK
Default principal: host/vm-161.example@dom-161.example.com

Valid starting       Expires              Service principal
02/22/2017 21:30:10  02/23/2017 21:30:10  krbtgt/dom-161.example@dom-161.example.com
[root@vm-161 ~]# ldapsearch -H ldap://vm-161 '(&(objectClass=ipaCertMapRule)(ipaEnabledFlag=TRUE))' -Y GSSAPI -LLL
SASL/GSSAPI authentication started
SASL username: host/vm-161.example@dom-161.example.com
SASL SSF: 56
SASL data security layer installed.
dn: cn=rule1,cn=certmaprules,cn=certmap,dc=dom-161,dc=example,dc=com
objectClass: ipacertmaprule
objectClass: top
cn: rule1
description: d1
ipaEnabledFlag: TRUE
```
Do you have the ACI "permission:System: Read Certmap Rules" defined on dn: cn=certmaprules,cn=certmap,$BASEDN? It should grant access to ldap:///all """ See the full comment at https://github.com/freeipa/freeipa/pull/398#issuecomment-281795345
[Freeipa-devel] [freeipa PR#398][synchronized] Support for Certificate Identity Mapping
URL: https://github.com/freeipa/freeipa/pull/398 Author: flo-renaud Title: #398: Support for Certificate Identity Mapping Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/398/head:pr398 git checkout pr398 From 05f93e155e44aeb00d7af67f02af4e1d5a96bda8 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud <f...@redhat.com> Date: Tue, 20 Dec 2016 16:21:58 +0100 Subject: [PATCH] Support for Certificate Identity Mapping See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping https://fedorahosted.org/freeipa/ticket/6542 --- ACI.txt| 16 +- API.txt| 181 + VERSION.m4 | 4 +- install/share/73certmap.ldif | 14 ++ install/share/Makefile.am | 1 + install/updates/73-certmap.update | 23 +++ install/updates/Makefile.am| 1 + ipalib/constants.py| 2 + ipapython/dn.py| 8 +- ipaserver/install/dsinstance.py| 1 + ipaserver/plugins/baseuser.py | 174 - ipaserver/plugins/certmap.py | 391 + ipaserver/plugins/stageuser.py | 16 +- ipaserver/plugins/user.py | 23 ++- ipatests/test_ipapython/test_dn.py | 20 ++ 15 files changed, 862 insertions(+), 13 deletions(-) create mode 100644 install/share/73certmap.ldif create mode 100644 install/updates/73-certmap.update create mode 100644 ipaserver/plugins/certmap.py diff --git a/ACI.txt b/ACI.txt index 0b47489..a36d460 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -40,6 +40,18 @@ dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetattr = "cn || description || ipaenabledflag")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Modify CA ACL";allow (write) groupdn = "ldap:///cn=System: Modify CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetattr = "cn || createtimestamp || description || entryusn || hostcategory || ipacacategory || ipacertprofilecategory || ipaenabledflag || ipamemberca || ipamembercertprofile || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Read CA ACLs";allow (compare,read,search) userdn = "ldap:///all;;) +dn: cn=certmap,dc=ipa,dc=example +aci: (targetattr = "ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Modify Certmap Configuration";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmap,dc=ipa,dc=example +aci: (targetattr = "cn || ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Read Certmap Configuration";allow (compare,read,search) userdn = "ldap:///all;;) +dn: cn=certmaprules,cn=certmap,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Add Certmap Rules";allow (add) groupdn = "ldap:///cn=System: Add Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Delete Certmap Rules";allow (delete) groupdn = "ldap:///cn=System: Delete Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,dc=ipa,dc=example +aci: (targetattr 
= "associateddomain || cn || description || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Modify Certmap Rules";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,dc=ipa,dc=example +aci: (targetattr = "associateddomain || cn || createtimestamp || description || entryusn || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Read Certmap Rules";allow (compare,read,search) userdn = "ldap:///all;;) dn: cn=certprofiles,cn=ca,dc=ipa,dc=example aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Delete Certificate Profile";allow (delete) groupdn = "ldap:///cn=System: Delete Certificate
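Review bot: the two read ACIs in this hunk ("System: Read Certmap Configuration" and "System: Read Certmap Rules") use `userdn = "ldap:///all"`, which in 389-ds matches authenticated binds only, not anonymous ones. That is the right scope for SSSD, which binds with the host keytab (the GSSAPI `ldapsearch` reproduction earlier in this thread is exactly that path), but it also means an anonymous `ldapsearch -x` under cn=certmaprules returns nothing; it would help to state that in the design page or in a test so an empty anonymous result is not mistaken for a missing ACI.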
[Freeipa-devel] [freeipa PR#398][synchronized] Support for Certificate Identity Mapping
URL: https://github.com/freeipa/freeipa/pull/398 Author: flo-renaud Title: #398: Support for Certificate Identity Mapping Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/398/head:pr398 git checkout pr398 From 12234be539d89f7d908ebb942cb3caefc70533a0 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud <f...@redhat.com> Date: Tue, 20 Dec 2016 16:21:58 +0100 Subject: [PATCH] Support for Certificate Identity Mapping See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping https://fedorahosted.org/freeipa/ticket/6542 --- ACI.txt| 16 +- API.txt| 181 + VERSION.m4 | 4 +- install/share/73certmap.ldif | 14 ++ install/share/Makefile.am | 1 + install/updates/73-certmap.update | 23 +++ install/updates/Makefile.am| 1 + ipalib/constants.py| 2 + ipapython/dn.py| 8 +- ipaserver/install/dsinstance.py| 1 + ipaserver/plugins/baseuser.py | 174 - ipaserver/plugins/certmap.py | 391 + ipaserver/plugins/stageuser.py | 16 +- ipaserver/plugins/user.py | 23 ++- ipatests/test_ipapython/test_dn.py | 20 ++ 15 files changed, 862 insertions(+), 13 deletions(-) create mode 100644 install/share/73certmap.ldif create mode 100644 install/updates/73-certmap.update create mode 100644 ipaserver/plugins/certmap.py diff --git a/ACI.txt b/ACI.txt index 0b47489..a36d460 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -40,6 +40,18 @@ dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetattr = "cn || description || ipaenabledflag")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Modify CA ACL";allow (write) groupdn = "ldap:///cn=System: Modify CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetattr = "cn || createtimestamp || description || entryusn || hostcategory || ipacacategory || ipacertprofilecategory || ipaenabledflag || ipamemberca || ipamembercertprofile || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Read CA ACLs";allow (compare,read,search) userdn = "ldap:///all;;) +dn: cn=certmap,dc=ipa,dc=example +aci: (targetattr = "ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Modify Certmap Configuration";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmap,dc=ipa,dc=example +aci: (targetattr = "cn || ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Read Certmap Configuration";allow (compare,read,search) userdn = "ldap:///all;;) +dn: cn=certmaprules,cn=certmap,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Add Certmap Rules";allow (add) groupdn = "ldap:///cn=System: Add Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Delete Certmap Rules";allow (delete) groupdn = "ldap:///cn=System: Delete Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,dc=ipa,dc=example +aci: (targetattr 
= "associateddomain || cn || description || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Modify Certmap Rules";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,dc=ipa,dc=example +aci: (targetattr = "associateddomain || cn || createtimestamp || description || entryusn || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Read Certmap Rules";allow (compare,read,search) userdn = "ldap:///all;;) dn: cn=certprofiles,cn=ca,dc=ipa,dc=example aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Delete Certificate Profile";allow (delete) groupdn = "ldap:///cn=System: Delete Certificate
[Freeipa-devel] [freeipa PR#398][synchronized] Support for Certificate Identity Mapping
URL: https://github.com/freeipa/freeipa/pull/398 Author: flo-renaud Title: #398: Support for Certificate Identity Mapping Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/398/head:pr398 git checkout pr398 From 9bc13efb8a30c37e95663eece4d6d9b3bc899d46 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud <f...@redhat.com> Date: Tue, 20 Dec 2016 16:21:58 +0100 Subject: [PATCH] Support for Certificate Identity Mapping See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping https://fedorahosted.org/freeipa/ticket/6542 --- ACI.txt| 16 +- API.txt| 181 + VERSION.m4 | 4 +- install/share/73certmap.ldif | 14 ++ install/share/Makefile.am | 1 + install/updates/73-certmap.update | 23 +++ install/updates/Makefile.am| 1 + ipalib/constants.py| 2 + ipapython/dn.py| 8 +- ipaserver/install/dsinstance.py| 1 + ipaserver/plugins/baseuser.py | 174 - ipaserver/plugins/certmap.py | 391 + ipaserver/plugins/stageuser.py | 16 +- ipaserver/plugins/user.py | 23 ++- ipatests/test_ipapython/test_dn.py | 20 ++ 15 files changed, 862 insertions(+), 13 deletions(-) create mode 100644 install/share/73certmap.ldif create mode 100644 install/updates/73-certmap.update create mode 100644 ipaserver/plugins/certmap.py diff --git a/ACI.txt b/ACI.txt index 0b47489..a36d460 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -40,6 +40,18 @@ dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetattr = "cn || description || ipaenabledflag")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Modify CA ACL";allow (write) groupdn = "ldap:///cn=System: Modify CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetattr = "cn || createtimestamp || description || entryusn || hostcategory || ipacacategory || ipacertprofilecategory || ipaenabledflag || ipamemberca || ipamembercertprofile || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Read CA ACLs";allow (compare,read,search) userdn = "ldap:///all;;) +dn: cn=certmap,dc=ipa,dc=example +aci: (targetattr = "ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Modify Certmap Configuration";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmap,dc=ipa,dc=example +aci: (targetattr = "cn || ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Read Certmap Configuration";allow (compare,read,search) userdn = "ldap:///all;;) +dn: cn=certmaprules,cn=certmap,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Add Certmap Rules";allow (add) groupdn = "ldap:///cn=System: Add Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Delete Certmap Rules";allow (delete) groupdn = "ldap:///cn=System: Delete Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,dc=ipa,dc=example +aci: (targetattr 
= "associateddomain || cn || description || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Modify Certmap Rules";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,dc=ipa,dc=example +aci: (targetattr = "associateddomain || cn || createtimestamp || description || entryusn || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Read Certmap Rules";allow (compare,read,search) userdn = "ldap:///all;;) dn: cn=certprofiles,cn=ca,dc=ipa,dc=example aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Delete Certificate Profile";allow (delete) groupdn = "ldap:///cn=System: Delete Certificate
[Freeipa-devel] [freeipa PR#398][synchronized] Support for Certificate Identity Mapping
URL: https://github.com/freeipa/freeipa/pull/398 Author: flo-renaud Title: #398: Support for Certificate Identity Mapping Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/398/head:pr398 git checkout pr398 From 48a5dbb8c68a13a4a95aea3fe5679ddd27639684 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud <f...@redhat.com> Date: Tue, 20 Dec 2016 16:21:58 +0100 Subject: [PATCH] Support for Certificate Identity Mapping See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping https://fedorahosted.org/freeipa/ticket/6542 --- ACI.txt| 16 +- API.txt| 181 + VERSION.m4 | 4 +- install/share/73certmap.ldif | 14 ++ install/share/Makefile.am | 1 + install/updates/73-certmap.update | 24 +++ install/updates/Makefile.am| 1 + ipalib/constants.py| 4 + ipapython/dn.py| 8 +- ipaserver/install/dsinstance.py| 1 + ipaserver/plugins/baseuser.py | 174 - ipaserver/plugins/certmap.py | 391 + ipaserver/plugins/stageuser.py | 16 +- ipaserver/plugins/user.py | 23 ++- ipatests/test_ipapython/test_dn.py | 20 ++ 15 files changed, 865 insertions(+), 13 deletions(-) create mode 100644 install/share/73certmap.ldif create mode 100644 install/updates/73-certmap.update create mode 100644 ipaserver/plugins/certmap.py diff --git a/ACI.txt b/ACI.txt index 0b47489..2bde577 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -40,6 +40,18 @@ dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetattr = "cn || description || ipaenabledflag")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Modify CA ACL";allow (write) groupdn = "ldap:///cn=System: Modify CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetattr = "cn || createtimestamp || description || entryusn || hostcategory || ipacacategory || ipacertprofilecategory || ipaenabledflag || ipamemberca || ipamembercertprofile || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Read CA ACLs";allow (compare,read,search) userdn = "ldap:///all;;) +dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Modify Certmap Configuration";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "cn || ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Read Certmap Configuration";allow (compare,read,search) userdn = "ldap:///all;;) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Add Certmap Rules";allow (add) groupdn = "ldap:///cn=System: Add Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Delete Certmap Rules";allow (delete) groupdn = "ldap:///cn=System: Delete Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: 
cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "associateddomain || cn || description || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Modify Certmap Rules";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "associateddomain || cn || createtimestamp || description || entryusn || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Read Certmap Rules";allow (compare,read,search) userdn = "ldap:///all;;) dn: cn=certprofiles,cn=ca,dc=ipa,dc=example aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Delete Certificate Profile"
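Review bot: the two read ACIs (System: Read Certmap Configuration and System: Read Certmap Rules) grant compare/read/search on ipacertmapmaprule, ipacertmapmatchrule and ipacertmappromptusername to userdn = "ldap:///all", i.e. every authenticated principal, mirroring the existing Read CA ACLs entry in the context above. That is what SSSD on enrolled hosts needs in order to fetch the rules, but since these entries decide which certificate is accepted for which user, a sentence in the commit message or the design page stating that the rules are intentionally readable by all authenticated users (and not anonymously) would help later audits.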
[Freeipa-devel] [freeipa PR#478][opened] [4.4] Do not configure PKI ajp redirection to use "::1"
URL: https://github.com/freeipa/freeipa/pull/478 Author: flo-renaud Title: #478: [4.4] Do not configure PKI ajp redirection to use "::1" Action: opened PR body: """ When ipa-server-install configures PKI, it provides a configuration file with the parameter pki_ajp_host set to ::1. This parameter is used to configure Tomcat redirection in /etc/pki/pki-tomcat/server.xml: ie all requests to port 8009 are redirected to port 8443 on address ::1. If the /etc/hosts config file does not define ::1 for localhost, then AJP redirection fails and replica install is not able to request a certificate for the replica. Since PKI has been fixed (see PKI ticket 2570) to configure by default the AJP redirection with "localhost", FreeIPA does not need any more to override this setting. The code now depends on pki 10.3.5-11 which provides the fix in the template and the upgrade. https://fedorahosted.org/freeipa/ticket/6575 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/478/head:pr478 git checkout pr478 From bd406539f48eb9ab9bc84413dcbdddae8422c412 Mon Sep 17 00:00:00 2001 
From: Florence Blanc-Renaud <f...@redhat.com> Date: Fri, 17 Feb 2017 15:59:57 +0100 Subject: [PATCH] [4.4] Do not configure PKI ajp redirection to use "::1" When ipa-server-install configures PKI, it provides a configuration file with the parameter pki_ajp_host set to ::1. This parameter is used to configure Tomcat redirection in /etc/pki/pki-tomcat/server.xml: ie all requests to port 8009 are redirected to port 8443 on address ::1. If the /etc/hosts config file does not define ::1 for localhost, then AJP redirection fails and replica install is not able to request a certificate for the replica. Since PKI has been fixed (see PKI ticket 2570) to configure by default the AJP redirection with "localhost", FreeIPA does not need any more to override this setting. The code now depends on pki 10.3.5-11 which provides the fix in the template and the upgrade. https://fedorahosted.org/freeipa/ticket/6575 --- freeipa.spec.in | 4 ++-- ipaserver/install/cainstance.py | 4 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 8a8e3a5..8081a93 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -161,8 +161,8 @@ Requires(post): systemd-units Requires: selinux-policy >= %{selinux_policy_version} Requires(post): selinux-policy-base >= %{selinux_policy_version} Requires: slapi-nis >= %{slapi_nis_version} -Requires: pki-ca >= 10.3.5-6 -Requires: pki-kra >= 10.3.5-6 +Requires: pki-ca >= 10.3.5-11 +Requires: pki-kra >= 10.3.5-11 Requires(preun): python systemd-units Requires(postun): python systemd-units Requires: zip diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index c8c7c28..6bf5917 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py 
@@ -578,10 +578,6 @@ def __spawn_instance(self): config.set("CA", "pki_external_ca_cert_chain_path", cert_chain_file.name) config.set("CA", "pki_external_step_two", "True") -# PKI IPv6 Configuration -config.add_section("Tomcat") -config.set("Tomcat", "pki_ajp_host", "::1") - # Generate configuration file with open(cfg_file, "wb") as f: config.write(f) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
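Review bot: removing the whole Tomcat section from the spawn config is correct only if pki_ajp_host was its sole key; please confirm that no later config.set("Tomcat", ...) remains in __spawn_instance, since writing to a section that was never added raises NoSectionError. It would also be worth stating in the commit message, or covering in a test, that with PKI's new "localhost" default the AJP connector on port 8009 still ends up bound to a loopback address, as the explicit ::1 used to guarantee: the reason for dropping ::1 was that /etc/hosts did not resolve it, and the same file now decides what "localhost" binds to.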
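A loopback check for the AJP connector address that the PR body discusses, as an added example that is not FreeIPA or Dogtag PKI code; the server.xml fragment is constructed to mirror the Connector shape PKI writes, and the set of loopback hostnames is an assumption.

```python
"""Audit the address of the AJP connector in a Tomcat server.xml.

Added example, not FreeIPA or Dogtag PKI code. PKI renders pki_ajp_host into
the address attribute of the AJP/1.3 connector in
/etc/pki/pki-tomcat/server.xml; this script checks whether the connector it
finds is restricted to loopback, which is the property the PR body relies on.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample with the shape of a pki-tomcat server.xml (assumption:
# the real file has the same Connector attributes plus many more elements).
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="::1"/>
  </Service>
</Server>
"""

# Hostnames that are conventionally loopback. Assumption: they are only as
# safe as their /etc/hosts entries, which is exactly what broke with ::1.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "localhost4", "localhost6"}


def classify_address(address):
    """Classify a connector address as 'loopback', 'loopback-name',
    'wildcard' (all interfaces) or 'exposed' (a non-loopback address)."""
    if address is None or not address.strip():
        # No address attribute: Tomcat binds the connector on all interfaces.
        return "wildcard"
    addr = address.strip()
    if addr.lower() in LOOPBACK_NAMES:
        # Correct only if name resolution maps it to 127.0.0.1 or ::1.
        return "loopback-name"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        # Any other hostname: we cannot tell offline what it resolves to.
        return "exposed"
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:
        # 0.0.0.0 and :: mean every interface, like a missing address.
        return "wildcard"
    return "exposed"


def audit_ajp_connectors(server_xml_text):
    """Return [(port, address, verdict)] for every AJP connector found."""
    root = ET.fromstring(server_xml_text)
    findings = []
    for connector in root.iter("Connector"):
        protocol = connector.get("protocol", "HTTP/1.1")
        if not protocol.upper().startswith("AJP"):
            continue
        address = connector.get("address")
        findings.append((connector.get("port"), address,
                         classify_address(address)))
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    for port, address, verdict in audit_ajp_connectors(text):
        print(f"AJP connector port={port} address={address!r}: {verdict}")
```

Run it against a real /etc/pki/pki-tomcat/server.xml to see whether the connector is bound to an IP literal or only to a name that /etc/hosts must resolve correctly.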
[Freeipa-devel] [freeipa PR#398][comment] Support for Certificate Identity Mapping
URL: https://github.com/freeipa/freeipa/pull/398 Title: #398: Support for Certificate Identity Mapping flo-renaud commented: """ PR updated with the check on domain in certmaprule-add/mod. """ See the full comment at https://github.com/freeipa/freeipa/pull/398#issuecomment-280152942
[Freeipa-devel] [freeipa PR#398][synchronized] Support for Certificate Identity Mapping
URL: https://github.com/freeipa/freeipa/pull/398 Author: flo-renaud Title: #398: Support for Certificate Identity Mapping Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/398/head:pr398 git checkout pr398 From ab4f03f6e85d44160eec148afe83d0549c5f66bb Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud <f...@redhat.com> Date: Tue, 20 Dec 2016 16:21:58 +0100 Subject: [PATCH] Support for Certificate Identity Mapping See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping https://fedorahosted.org/freeipa/ticket/6542 --- ACI.txt| 16 +- API.txt| 181 + VERSION.m4 | 4 +- install/share/73certmap.ldif | 16 ++ install/share/Makefile.am | 1 + install/updates/73-certmap.update | 27 +++ install/updates/Makefile.am| 1 + ipalib/constants.py| 4 + ipapython/dn.py| 8 +- ipaserver/install/dsinstance.py| 1 + ipaserver/plugins/baseuser.py | 165 +++- ipaserver/plugins/certmap.py | 396 + ipaserver/plugins/stageuser.py | 16 +- ipaserver/plugins/user.py | 23 ++- ipatests/test_ipapython/test_dn.py | 20 ++ 15 files changed, 866 insertions(+), 13 deletions(-) create mode 100644 install/share/73certmap.ldif create mode 100644 install/updates/73-certmap.update create mode 100644 ipaserver/plugins/certmap.py diff --git a/ACI.txt b/ACI.txt index 0b47489..2bde577 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -40,6 +40,18 @@ dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetattr = "cn || description || ipaenabledflag")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Modify CA ACL";allow (write) groupdn = "ldap:///cn=System: Modify CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetattr = "cn || createtimestamp || description || entryusn || hostcategory || ipacacategory || ipacertprofilecategory || ipaenabledflag || ipamemberca || ipamembercertprofile || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Read CA ACLs";allow (compare,read,search) userdn = "ldap:///all;;) +dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Modify Certmap Configuration";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "cn || ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Read Certmap Configuration";allow (compare,read,search) userdn = "ldap:///all;;) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Add Certmap Rules";allow (add) groupdn = "ldap:///cn=System: Add Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Delete Certmap Rules";allow (delete) groupdn = "ldap:///cn=System: Delete Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: 
cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "associateddomain || cn || description || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Modify Certmap Rules";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "associateddomain || cn || createtimestamp || description || entryusn || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Read Certmap Rules";allow (compare,read,search) userdn = "ldap:///all;;) dn: cn=certprofiles,cn=ca,dc=ipa,dc=example aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Delete Certificate Profile"
[Freeipa-devel] [freeipa PR#398][comment] Support for Certificate Identity Mapping
URL: https://github.com/freeipa/freeipa/pull/398 Title: #398: Support for Certificate Identity Mapping flo-renaud commented: """ @HonzaCholasta PR updated according to your comments. Thanks for the detailed review! """ See the full comment at https://github.com/freeipa/freeipa/pull/398#issuecomment-280034426
[Freeipa-devel] [freeipa PR#398][synchronized] Support for Certificate Identity Mapping
URL: https://github.com/freeipa/freeipa/pull/398 Author: flo-renaud Title: #398: Support for Certificate Identity Mapping Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/398/head:pr398 git checkout pr398 From ca1e31fb4af22450741b6b7a4e9bc6b2c40f49fd Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud <f...@redhat.com> Date: Tue, 20 Dec 2016 16:21:58 +0100 Subject: [PATCH] Support for Certificate Identity Mapping See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping https://fedorahosted.org/freeipa/ticket/6542 --- ACI.txt| 16 +- API.txt| 181 +++ VERSION.m4 | 4 +- install/share/73certmap.ldif | 16 ++ install/share/Makefile.am | 1 + install/updates/73-certmap.update | 27 +++ install/updates/Makefile.am| 1 + ipalib/constants.py| 4 + ipapython/dn.py| 8 +- ipaserver/install/dsinstance.py| 1 + ipaserver/plugins/baseuser.py | 165 - ipaserver/plugins/certmap.py | 355 + ipaserver/plugins/stageuser.py | 16 +- ipaserver/plugins/user.py | 23 ++- ipatests/test_ipapython/test_dn.py | 20 +++ 15 files changed, 825 insertions(+), 13 deletions(-) create mode 100644 install/share/73certmap.ldif create mode 100644 install/updates/73-certmap.update create mode 100644 ipaserver/plugins/certmap.py diff --git a/ACI.txt b/ACI.txt index 0b47489..2bde577 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -40,6 +40,18 @@ dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetattr = "cn || description || ipaenabledflag")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Modify CA ACL";allow (write) groupdn = "ldap:///cn=System: Modify CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetattr = "cn || createtimestamp || description || entryusn || hostcategory || ipacacategory || ipacertprofilecategory || ipaenabledflag || ipamemberca || ipamembercertprofile || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Read CA ACLs";allow (compare,read,search) userdn = "ldap:///all;;) +dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Modify Certmap Configuration";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "cn || ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Read Certmap Configuration";allow (compare,read,search) userdn = "ldap:///all;;) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Add Certmap Rules";allow (add) groupdn = "ldap:///cn=System: Add Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Delete Certmap Rules";allow (delete) groupdn = "ldap:///cn=System: Delete Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: 
cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "associateddomain || cn || description || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Modify Certmap Rules";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "associateddomain || cn || createtimestamp || description || entryusn || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Read Certmap Rules";allow (compare,read,search) userdn = "ldap:///all;;) dn: cn=certprofiles,cn=ca,dc=ipa,dc=example aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Delete Certificate Profile&
[Freeipa-devel] [freeipa PR#398][comment] Support for Certificate Identity Mapping
URL: https://github.com/freeipa/freeipa/pull/398 Title: #398: Support for Certificate Identity Mapping flo-renaud commented: """ Hi @HonzaCholasta PR updated with `ipa user-add-certmapdata` using positional arg for CERTMAPDATA """ See the full comment at https://github.com/freeipa/freeipa/pull/398#issuecomment-279796224
[Freeipa-devel] [freeipa PR#398][synchronized] Support for Certificate Identity Mapping
URL: https://github.com/freeipa/freeipa/pull/398 Author: flo-renaud Title: #398: Support for Certificate Identity Mapping Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/398/head:pr398 git checkout pr398 From f26952bee2b45fce6defbb742e563f5d8b561018 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud <f...@redhat.com> Date: Tue, 20 Dec 2016 16:21:58 +0100 Subject: [PATCH] Support for Certificate Identity Mapping See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping https://fedorahosted.org/freeipa/ticket/6542 --- ACI.txt| 16 +- API.txt| 181 +++ VERSION.m4 | 4 +- install/share/73certmap.ldif | 16 ++ install/share/Makefile.am | 1 + install/updates/73-certmap.update | 27 +++ install/updates/Makefile.am| 1 + ipalib/constants.py| 4 + ipapython/dn.py| 8 +- ipaserver/install/dsinstance.py| 1 + ipaserver/plugins/baseuser.py | 158 - ipaserver/plugins/certmap.py | 355 + ipaserver/plugins/stageuser.py | 16 +- ipaserver/plugins/user.py | 23 ++- ipatests/test_ipapython/test_dn.py | 20 +++ 15 files changed, 818 insertions(+), 13 deletions(-) create mode 100644 install/share/73certmap.ldif create mode 100644 install/updates/73-certmap.update create mode 100644 ipaserver/plugins/certmap.py diff --git a/ACI.txt b/ACI.txt index 0b47489..2bde577 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -40,6 +40,18 @@ dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetattr = "cn || description || ipaenabledflag")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Modify CA ACL";allow (write) groupdn = "ldap:///cn=System: Modify CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetattr = "cn || createtimestamp || description || entryusn || hostcategory || ipacacategory || ipacertprofilecategory || ipaenabledflag || ipamemberca || ipamembercertprofile || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Read CA ACLs";allow (compare,read,search) userdn = "ldap:///all;;) +dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Modify Certmap Configuration";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "cn || ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Read Certmap Configuration";allow (compare,read,search) userdn = "ldap:///all;;) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Add Certmap Rules";allow (add) groupdn = "ldap:///cn=System: Add Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Delete Certmap Rules";allow (delete) groupdn = "ldap:///cn=System: Delete Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: 
cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "associateddomain || cn || description || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Modify Certmap Rules";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "associateddomain || cn || createtimestamp || description || entryusn || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Read Certmap Rules";allow (compare,read,search) userdn = "ldap:///all;;) dn: cn=certprofiles,cn=ca,dc=ipa,dc=example aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Delete Certificate Profile&
[Freeipa-devel] [freeipa PR#398][synchronized] Support for Certificate Identity Mapping
URL: https://github.com/freeipa/freeipa/pull/398 Author: flo-renaud Title: #398: Support for Certificate Identity Mapping Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/398/head:pr398 git checkout pr398 From e8a02937c9d44ea209f939a3129b8f176d50cd4a Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud <f...@redhat.com> Date: Tue, 20 Dec 2016 16:21:58 +0100 Subject: [PATCH] Support for Certificate Identity Mapping See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping https://fedorahosted.org/freeipa/ticket/6542 --- ACI.txt| 16 +- API.txt| 181 +++ VERSION.m4 | 4 +- install/share/73certmap.ldif | 16 ++ install/share/Makefile.am | 1 + install/updates/73-certmap.update | 27 +++ install/updates/Makefile.am| 1 + ipalib/constants.py| 4 + ipapython/dn.py| 8 +- ipaserver/install/dsinstance.py| 1 + ipaserver/plugins/baseuser.py | 158 - ipaserver/plugins/certmap.py | 355 + ipaserver/plugins/stageuser.py | 16 +- ipaserver/plugins/user.py | 23 ++- ipatests/test_ipapython/test_dn.py | 20 +++ 15 files changed, 818 insertions(+), 13 deletions(-) create mode 100644 install/share/73certmap.ldif create mode 100644 install/updates/73-certmap.update create mode 100644 ipaserver/plugins/certmap.py diff --git a/ACI.txt b/ACI.txt index 0b47489..2bde577 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -40,6 +40,18 @@ dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetattr = "cn || description || ipaenabledflag")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Modify CA ACL";allow (write) groupdn = "ldap:///cn=System: Modify CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetattr = "cn || createtimestamp || description || entryusn || hostcategory || ipacacategory || ipacertprofilecategory || ipaenabledflag || ipamemberca || ipamembercertprofile || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Read CA ACLs";allow (compare,read,search) userdn = "ldap:///all;;) +dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Modify Certmap Configuration";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "cn || ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Read Certmap Configuration";allow (compare,read,search) userdn = "ldap:///all;;) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Add Certmap Rules";allow (add) groupdn = "ldap:///cn=System: Add Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Delete Certmap Rules";allow (delete) groupdn = "ldap:///cn=System: Delete Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: 
cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "associateddomain || cn || description || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Modify Certmap Rules";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "associateddomain || cn || createtimestamp || description || entryusn || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Read Certmap Rules";allow (compare,read,search) userdn = "ldap:///all;;) dn: cn=certprofiles,cn=ca,dc=ipa,dc=example aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Delete Certificate Profile&
[Freeipa-devel] [freeipa PR#398][comment] Support for Certificate Identity Mapping
URL: https://github.com/freeipa/freeipa/pull/398 Title: #398: Support for Certificate Identity Mapping flo-renaud commented: """ Hi @HonzaCholasta, PR updated with most of your comments, except the suggestion to use default_from. Please see my answer inline for this one. """ See the full comment at https://github.com/freeipa/freeipa/pull/398#issuecomment-279689115 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#398][synchronized] Support for Certificate Identity Mapping
URL: https://github.com/freeipa/freeipa/pull/398 Author: flo-renaud Title: #398: Support for Certificate Identity Mapping Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/398/head:pr398 git checkout pr398 From 8e9eeb0619f8a11767a37bce112c3ea6b19f7091 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud <f...@redhat.com> Date: Tue, 20 Dec 2016 16:21:58 +0100 Subject: [PATCH] Support for Certificate Identity Mapping See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping https://fedorahosted.org/freeipa/ticket/6542 --- ACI.txt| 16 +- API.txt| 181 VERSION.m4 | 4 +- install/share/73certmap.ldif | 16 ++ install/share/Makefile.am | 1 + install/updates/73-certmap.update | 27 +++ install/updates/Makefile.am| 1 + ipalib/constants.py| 4 + ipapython/dn.py| 8 +- ipaserver/install/dsinstance.py| 1 + ipaserver/plugins/baseuser.py | 152 - ipaserver/plugins/certmap.py | 336 + ipaserver/plugins/stageuser.py | 16 +- ipaserver/plugins/user.py | 23 ++- ipatests/test_ipapython/test_dn.py | 20 +++ 15 files changed, 794 insertions(+), 12 deletions(-) create mode 100644 install/share/73certmap.ldif create mode 100644 install/updates/73-certmap.update create mode 100644 ipaserver/plugins/certmap.py diff --git a/ACI.txt b/ACI.txt index 0b47489..2bde577 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -40,6 +40,18 @@ dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetattr = "cn || description || ipaenabledflag")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Modify CA ACL";allow (write) groupdn = "ldap:///cn=System: Modify CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetattr = "cn || createtimestamp || description || entryusn || hostcategory || ipacacategory || ipacertprofilecategory || ipaenabledflag || ipamemberca || ipamembercertprofile || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Read CA ACLs";allow (compare,read,search) userdn = "ldap:///all;;) +dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Modify Certmap Configuration";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "cn || ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Read Certmap Configuration";allow (compare,read,search) userdn = "ldap:///all;;) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Add Certmap Rules";allow (add) groupdn = "ldap:///cn=System: Add Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Delete Certmap Rules";allow (delete) groupdn = "ldap:///cn=System: Delete Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: 
cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "associateddomain || cn || description || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Modify Certmap Rules";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "associateddomain || cn || createtimestamp || description || entryusn || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Read Certmap Rules";allow (compare,read,search) userdn = "ldap:///all;;) dn: cn=certprofiles,cn=ca,dc=ipa,dc=example aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Delete Certificate Profile&
[Freeipa-devel] [freeipa PR#398][synchronized] Support for Certificate Identity Mapping
URL: https://github.com/freeipa/freeipa/pull/398 Author: flo-renaud Title: #398: Support for Certificate Identity Mapping Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/398/head:pr398 git checkout pr398 From 5a6a88db9a843a0636875fb3b1ee02e40291443a Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud <f...@redhat.com> Date: Tue, 20 Dec 2016 16:21:58 +0100 Subject: [PATCH] Support for Certificate Identity Mapping See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping https://fedorahosted.org/freeipa/ticket/6542 --- ACI.txt| 16 +- API.txt| 181 VERSION.m4 | 4 +- install/share/73certmap.ldif | 16 ++ install/share/Makefile.am | 1 + install/updates/73-certmap.update | 27 +++ install/updates/Makefile.am| 1 + ipalib/constants.py| 4 + ipapython/dn.py| 8 +- ipaserver/install/dsinstance.py| 1 + ipaserver/plugins/baseuser.py | 152 - ipaserver/plugins/certmap.py | 336 + ipaserver/plugins/stageuser.py | 16 +- ipaserver/plugins/user.py | 23 ++- ipatests/test_ipapython/test_dn.py | 20 +++ 15 files changed, 794 insertions(+), 12 deletions(-) create mode 100644 install/share/73certmap.ldif create mode 100644 install/updates/73-certmap.update create mode 100644 ipaserver/plugins/certmap.py diff --git a/ACI.txt b/ACI.txt index 0b47489..2bde577 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -40,6 +40,18 @@ dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetattr = "cn || description || ipaenabledflag")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Modify CA ACL";allow (write) groupdn = "ldap:///cn=System: Modify CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetattr = "cn || createtimestamp || description || entryusn || hostcategory || ipacacategory || ipacertprofilecategory || ipaenabledflag || ipamemberca || ipamembercertprofile || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Read CA ACLs";allow (compare,read,search) userdn = "ldap:///all;;) +dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Modify Certmap Configuration";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "cn || ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Read Certmap Configuration";allow (compare,read,search) userdn = "ldap:///all;;) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Add Certmap Rules";allow (add) groupdn = "ldap:///cn=System: Add Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Delete Certmap Rules";allow (delete) groupdn = "ldap:///cn=System: Delete Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: 
cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "associateddomain || cn || description || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Modify Certmap Rules";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "associateddomain || cn || createtimestamp || description || entryusn || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Read Certmap Rules";allow (compare,read,search) userdn = "ldap:///all;;) dn: cn=certprofiles,cn=ca,dc=ipa,dc=example aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Delete Certificate Profile&
[Freeipa-devel] [freeipa PR#398][synchronized] Support for Certificate Identity Mapping
URL: https://github.com/freeipa/freeipa/pull/398 Author: flo-renaud Title: #398: Support for Certificate Identity Mapping Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/398/head:pr398 git checkout pr398 From 35263ec9625865eb2e786cbedf412d11d92c73f5 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud <f...@redhat.com> Date: Tue, 20 Dec 2016 16:21:58 +0100 Subject: [PATCH] Support for Certificate Identity Mapping See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping https://fedorahosted.org/freeipa/ticket/6542 --- ACI.txt| 16 +- API.txt| 181 VERSION.m4 | 4 +- install/share/73certmap.ldif | 16 ++ install/share/Makefile.am | 1 + install/updates/73-certmap.update | 27 +++ install/updates/Makefile.am| 1 + ipalib/constants.py| 4 + ipapython/dn.py| 17 +- ipaserver/install/dsinstance.py| 1 + ipaserver/plugins/baseuser.py | 158 - ipaserver/plugins/certmap.py | 336 + ipaserver/plugins/stageuser.py | 16 +- ipaserver/plugins/user.py | 23 ++- ipatests/test_ipapython/test_dn.py | 20 +++ 15 files changed, 809 insertions(+), 12 deletions(-) create mode 100644 install/share/73certmap.ldif create mode 100644 install/updates/73-certmap.update create mode 100644 ipaserver/plugins/certmap.py diff --git a/ACI.txt b/ACI.txt index 0b47489..2bde577 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -40,6 +40,18 @@ dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetattr = "cn || description || ipaenabledflag")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Modify CA ACL";allow (write) groupdn = "ldap:///cn=System: Modify CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetattr = "cn || createtimestamp || description || entryusn || hostcategory || ipacacategory || ipacertprofilecategory || ipaenabledflag || ipamemberca || ipamembercertprofile || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Read CA ACLs";allow (compare,read,search) userdn = "ldap:///all;;) +dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Modify Certmap Configuration";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "cn || ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Read Certmap Configuration";allow (compare,read,search) userdn = "ldap:///all;;) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Add Certmap Rules";allow (add) groupdn = "ldap:///cn=System: Add Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Delete Certmap Rules";allow (delete) groupdn = "ldap:///cn=System: Delete Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: 
cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "associateddomain || cn || description || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Modify Certmap Rules";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "associateddomain || cn || createtimestamp || description || entryusn || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Read Certmap Rules";allow (compare,read,search) userdn = "ldap:///all;;) dn: cn=certprofiles,cn=ca,dc=ipa,dc=example aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Delete Certificate Profile&
[Freeipa-devel] [freeipa PR#395][synchronized] Configure PKI ajp redirection to use "localhost" instead of "::1"
URL: https://github.com/freeipa/freeipa/pull/395 Author: flo-renaud Title: #395: Configure PKI ajp redirection to use "localhost" instead of "::1" Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/395/head:pr395 git checkout pr395 From 9e33ca9cbac1837cf779673e5479f3718ef8e759 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud <f...@redhat.com> Date: Thu, 12 Jan 2017 18:17:15 +0100 Subject: [PATCH] Do not configure PKI ajp redirection to use "::1" When ipa-server-install configures PKI, it provides a configuration file with the parameter pki_ajp_host set to ::1. This parameter is used to configure Tomcat redirection in /etc/pki/pki-tomcat/server.xml: ie all requests to port 8009 are redirected to port 8443 on address ::1. If the /etc/hosts config file does not define ::1 for localhost, then AJP redirection fails and replica install is not able to request a certificate for the replica. Since PKI has been fixed (see PKI ticket 2570) to configure by default the AJP redirection with "localhost", FreeIPA does not need any more to override this setting. The code now depends on pki 10.3.5-11 which provides the fix in the template and the upgrade. https://fedorahosted.org/freeipa/ticket/6575 --- freeipa.spec.in | 4 ++-- ipaserver/install/cainstance.py | 4 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index ba2e294..29d652e 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -246,8 +246,8 @@ Requires(post): systemd-units Requires: selinux-policy >= %{selinux_policy_version} Requires(post): selinux-policy-base >= %{selinux_policy_version} Requires: slapi-nis >= %{slapi_nis_version} -Requires: pki-ca >= 10.3.5-6 -Requires: pki-kra >= 10.3.5-6 +Requires: pki-ca >= 10.3.5-11 +Requires: pki-kra >= 10.3.5-11 Requires(preun): python systemd-units Requires(postun): python systemd-units Requires: policycoreutils >= 2.1.12-5 
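Review bot: the bump to `Requires: pki-ca >= 10.3.5-11` / `Requires: pki-kra >= 10.3.5-11` is the only thing that ties this change to PKI's fix for ticket 2570; nothing in cainstance.py checks the pki version at install time, so a source or non-RPM deployment on an older pki quietly gets whatever AJP host the older pki template writes. A one-line comment where the Tomcat section is removed (or a spec changelog entry) naming PKI ticket 2570 and this minimum version would make the dependency discoverable later, and the follow-up comment on this PR notes 10.3.5-11 is only in Fedora updates-testing at this point, so the package will not be installable on stable Fedora until that update lands.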
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index a73a9c4..1cc74de 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -594,10 +594,6 @@ def __spawn_instance(self): config.set("CA", "pki_external_ca_cert_chain_path", cert_chain_file.name) config.set("CA", "pki_external_step_two", "True") -# PKI IPv6 Configuration -config.add_section("Tomcat") -config.set("Tomcat", "pki_ajp_host", "::1") - # Generate configuration file with open(cfg_file, "w") as f: config.write(f) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
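Review bot: with `config.set("Tomcat", "pki_ajp_host", "::1")` gone, the address of the AJP connector in /etc/pki/pki-tomcat/server.xml is whatever the pki template writes ("localhost" after PKI ticket 2570), and that name resolves through /etc/hosts to 127.0.0.1, ::1 or both, which is what makes the failure in the commit message go away. It also means FreeIPA no longer controls the bind address of port 8009 at all. A post-install assertion that the AJP connector still binds a loopback address only (not 0.0.0.0 or ::) would catch a future template change, since an AJP port reachable from the network is a serious exposure. The remaining `config.add_section`/`config.write` flow is unaffected by the removal.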
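The two things that can go wrong around pki_ajp_host in this thread are the connector address not being reachable as "localhost" (the /etc/hosts case in the commit message) and the connector drifting off a loopback address. The following check is an added example, not FreeIPA or Dogtag code: it parses a Tomcat server.xml, finds the AJP connector and reports both conditions. The server.xml sample is constructed and trimmed; only the standard Tomcat Connector attributes (protocol, port, address, redirectPort) are used, and the resolver is injectable so the check runs offline.

```python
# Added example (not FreeIPA or Dogtag code): audit the AJP connector that
# pkispawn writes to /etc/pki/pki-tomcat/server.xml.
#   * the connector address must be what "localhost" resolves to, otherwise
#     the Apache -> ajp://localhost:8009 hop fails (the "::1 missing from
#     /etc/hosts" case in the ticket);
#   * the connector must stay on a loopback address; an AJP port reachable
#     from the network is a serious exposure.
# SAMPLE_SERVER_XML is a constructed, trimmed sample.
import ipaddress
import socket
import xml.etree.ElementTree as ET

SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector name="Secure" port="8443" protocol="HTTP/1.1" SSLEnabled="true"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="::1"/>
  </Service>
</Server>
"""


def ajp_connectors(server_xml):
    """(address, port) for every AJP Connector; "*" marks a connector with
    no address attribute, which Tomcat binds on all interfaces."""
    root = ET.fromstring(server_xml)
    return [(c.get("address", "*"), int(c.get("port")))
            for c in root.iter("Connector")
            if c.get("protocol", "").startswith("AJP")]


def system_resolver(host):
    """Resolve through the system resolver (/etc/hosts, then DNS). Injected
    into check_ajp so offline audits and tests can supply a fake."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def _resolve(host, resolver):
    try:
        return {ipaddress.ip_address(a) for a in resolver(host)}
    except (socket.gaierror, KeyError, ValueError):
        return set()


def _as_ip(addr):
    # Tomcat accepts literal IPs, sometimes written with a leading "/".
    try:
        return ipaddress.ip_address(addr.lstrip("/"))
    except ValueError:
        return None


def check_ajp(server_xml, resolver=system_resolver):
    """Return a list of findings; an empty list means the AJP setup is sane."""
    findings = []
    for addr, port in ajp_connectors(server_xml):
        if addr == "*":
            findings.append("port %d: AJP connector binds all interfaces" % port)
            continue
        ip = _as_ip(addr)
        if ip is not None:
            if not ip.is_loopback:
                findings.append("port %d: AJP bound to non-loopback %s" % (port, ip))
            elif ip not in _resolve("localhost", resolver):
                # Tomcat listens here, but ajp://localhost:8009 never reaches
                # it: the /etc/hosts problem from the ticket.
                findings.append("port %d: AJP bound to %s but localhost does not "
                                "resolve to it" % (port, ip))
        else:
            ips = _resolve(addr, resolver)
            if not ips:
                findings.append("port %d: AJP host %s does not resolve" % (port, addr))
            else:
                bad = sorted(str(i) for i in ips if not i.is_loopback)
                if bad:
                    findings.append("port %d: AJP host %s resolves to non-loopback %s"
                                    % (port, addr, ", ".join(bad)))
    return findings


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/pki/pki-tomcat/server.xml"
    with open(path) as f:
        for line in check_ajp(f.read()) or ["OK"]:
            print(line)
```

Run against the real server.xml on a CA host to confirm the post-2570 default; with the sample above and a host whose localhost only resolves to 127.0.0.1, the check reproduces the ticket's failure as a finding, and an `address="localhost"` connector passes.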
[Freeipa-devel] [freeipa PR#395][comment] Configure PKI ajp redirection to use "localhost" instead of "::1"
URL: https://github.com/freeipa/freeipa/pull/395 Title: #395: Configure PKI ajp redirection to use "localhost" instead of "::1" flo-renaud commented: """ Hi, PR updated with dependency on pki 10.3.5-11 (note that this package is currently available in fedora updates-testing only). """ See the full comment at https://github.com/freeipa/freeipa/pull/395#issuecomment-277734364 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#425][opened] ipa-kra-install must create directory if it does not exist
URL: https://github.com/freeipa/freeipa/pull/425 Author: flo-renaud Title: #425: ipa-kra-install must create directory if it does not exist Action: opened PR body: """ ipa-kra-install creates an admin cert file in /root/.dogtag/pki-tomcat/ca_admin.cert but does not check that the parent directory exists. This situation can happen when uninstall + restore has been run. The fix creates the directory if not present. https://fedorahosted.org/freeipa/ticket/6606 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/425/head:pr425 git checkout pr425 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
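The PR body only says the fix creates the missing directory. Because the file in question is the CA admin certificate material under /root/.dogtag/pki-tomcat/, the way the directory and file are created matters as much as whether they exist. The function below is an added example, not the PR#425 change itself: it creates the parent directory if needed (the uninstall + restore case), forces owner-only modes on both, and never leaves the file readable by others between create and chmod. The helper names and defaults are mine; the default path mirrors the one in the PR body.

```python
# Added example, not FreeIPA code: create the parent directory and write a
# sensitive file the way the CA admin certificate should be written.
import os
import stat

DEFAULT_PATH = "/root/.dogtag/pki-tomcat/ca_admin.cert"


def write_private_file(data, path=DEFAULT_PATH, dir_mode=0o700, file_mode=0o600):
    """Write data to path, creating the parent directory if it is missing.

    - makedirs(exist_ok=True) covers the uninstall + restore case where the
      directory is gone; its mode argument is subject to umask and ignored
      for an existing directory, so the mode is set explicitly afterwards.
    - os.open with an explicit mode avoids the create-then-chmod window, and
      O_NOFOLLOW refuses to write through a symlink planted at the path.
    - fchmod also tightens a pre-existing, too-permissive file.
    """
    parent = os.path.dirname(path)
    os.makedirs(parent, mode=dir_mode, exist_ok=True)
    os.chmod(parent, dir_mode)
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, file_mode)
    try:
        os.fchmod(fd, file_mode)
    except OSError:
        os.close(fd)
        raise
    with os.fdopen(fd, "wb") as f:  # fdopen takes ownership of fd
        f.write(data)
    return path


def private_file_ok(path, dir_mode=0o700, file_mode=0o600):
    """True when path is a regular file and neither it nor its directory
    grants anything beyond the requested owner-only modes."""
    st = os.lstat(path)
    pst = os.stat(os.path.dirname(path))
    return (stat.S_ISREG(st.st_mode)
            and stat.S_IMODE(st.st_mode) == file_mode
            and stat.S_IMODE(pst.st_mode) == dir_mode)


def demo(root=None):
    """Exercise the writer in a scratch directory and return
    (modes ok after first write, content after rewrite, modes ok after rewrite)."""
    import shutil
    import tempfile
    root = root or tempfile.mkdtemp(prefix="dogtag-demo-")
    path = os.path.join(root, "pki-tomcat", "ca_admin.cert")
    try:
        write_private_file(b"-----BEGIN CERTIFICATE-----\n", path)
        first_ok = private_file_ok(path)
        os.chmod(path, 0o644)           # simulate a file someone loosened
        write_private_file(b"new", path)
        with open(path, "rb") as f:
            content = f.read()
        return first_ok, content, private_file_ok(path)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

The second write in demo() is the interesting one: the directory already exists, the file was 0644, and the result is still 0600 with the new content, which is the behaviour you want from any code path that may run again after a restore.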
[Freeipa-devel] [freeipa PR#412][opened] Define template version in certmap.conf
URL: https://github.com/freeipa/freeipa/pull/412 Author: flo-renaud Title: #412: Define template version in certmap.conf Action: opened PR body: """ A previous commit (ffb9a09a0d63f7edae2b647b5c1d503d1d4d7a6e) removed the definition of VERSION 2 in certmap.conf.template. ipa-server-upgrade tool compares the template version with the version in certmap.conf. As VERSION is not defined in either file, it concludes that version = 0 for both and does not make a backup of certmap.conf even though it prints that it will. The fix re-defines VERSION in the template and adapts the code because the template has changed (it is using $ISSUER_DN instead of CN=Certificate Authority,$SUBJECT_BASE). The fix also logs an error when a template file is not versioned. https://fedorahosted.org/freeipa/ticket/6354 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/412/head:pr412 git checkout pr412 From 087a4fde9d25ea3d1a3f6156c9ce6e0c411de0dd Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud <f...@redhat.com> Date: Mon, 23 Jan 2017 18:06:53 +0100 Subject: [PATCH] Define template version in certmap.conf A previous commit (ffb9a09a0d63f7edae2b647b5c1d503d1d4d7a6e) removed the definition of VERSION 2 in certmap.conf.template. ipa-server-upgrade tool compares the template version with the version in certmap.conf. As VERSION is not defined in either file, it concludes that version = 0 for both and does not make a backup of certmap.conf even though it prints that it will. The fix re-defines VERSION in the template and adapts the code because the template has changed (it is using $ISSUER_DN instead of CN=Certificate Authority,$SUBJECT_BASE). The fix also logs an error when a template file is not versioned. https://fedorahosted.org/freeipa/ticket/6354 --- install/share/certmap.conf.template | 4 ipaserver/install/server/upgrade.py | 5 - 2 files changed, 8 insertions(+), 1 deletion(-) 
diff --git a/install/share/certmap.conf.template b/install/share/certmap.conf.template index d59b095..bf4f4d0 100644 --- a/install/share/certmap.conf.template +++ b/install/share/certmap.conf.template @@ -1,3 +1,7 @@ +# VERSION 3 - DO NOT REMOVE THIS LINE +# +# This file is managed by IPA and will be overwritten on upgrades. +# # # This file configures how a certificate is mapped to an LDAP entry. See the # documentation for more information on this file. diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 068db21..50b09d5 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -156,6 +156,9 @@ def upgrade_file(sub_dict, filename, template, add=False): if new < 0: root_logger.error("%s not found." % template) +if new == 0: +root_logger.error("Template %s is not versioned." % template) + if old == 0: # The original file does not have a VERSION entry. This means it's now # managed by IPA, but previously was not. @@ -1562,7 +1565,7 @@ def upgrade_configuration(): subject_base = find_subject_base() if subject_base: -sub_dict['SUBJECT_BASE'] = subject_base +sub_dict['ISSUER_DN'] = 'CN=Certificate Authority,' + subject_base ca = cainstance.CAInstance( api.env.realm, certs.NSS_DIR, host_name=api.env.host) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
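Review bot: in the first upgrade.py hunk, `if new == 0: root_logger.error("Template %s is not versioned." % template)` logs and then falls through, so the function continues with new == 0 and the `if old == 0` comparison that follows behaves exactly as in the bug the commit message describes (0 compared with 0, no backup, upgrade claims otherwise). An unversioned template is a packaging defect rather than a site condition, so raising, or returning before the `if old == 0` branch, would surface it in ipa-server-upgrade's exit status instead of only in the log; the existing `new < 0` ("not found") branch just above has the same fall-through.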
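Review bot: the second upgrade.py hunk sets `sub_dict['ISSUER_DN'] = 'CN=Certificate Authority,' + subject_base`, which reintroduces at upgrade time the fixed CN that the commit message says the template stopped hard-coding when it moved to $ISSUER_DN. On a server whose CA certificate has a different subject (externally signed or otherwise customised), certmap.conf would then name an issuer that never matches the certificates the directory server actually sees, and the issuer-specific mapping would not apply. The `ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR, host_name=api.env.host)` created right after this line has the CA's NSS database at hand; deriving ISSUER_DN from the real CA certificate subject there would keep certmap.conf and the issuer in step instead of relying on the concatenation.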
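The PR body describes the version comparison in prose: ipa-server-upgrade reads a `# VERSION N` line from the template and from the installed file, treats a missing line as 0, and so a template that lost its VERSION line compares equal to an unmanaged file and nothing is backed up. The code below is an added example, not FreeIPA's ipaserver/install/server/upgrade.py: it reduces that logic to functions over file contents so the regression and the fix are both visible. The header convention comes from the template hunk above; the regex, helper names, return strings and the sample mapping line are mine, and substitution uses string.Template because the template is written with $ISSUER_DN.

```python
# Added example, not FreeIPA's upgrade.py: template-version logic of
# ipa-server-upgrade reduced to pure functions.
import re
from string import Template

VERSION_RE = re.compile(r"^#\s*VERSION\s+(\d+)\b", re.MULTILINE)

# Constructed template: header as in the PR, one illustrative mapping line.
SAMPLE_TEMPLATE = """# VERSION 3 - DO NOT REMOVE THIS LINE
#
# This file is managed by IPA and will be overwritten on upgrades.
#
certmap ipaca       $ISSUER_DN
"""


class UnversionedTemplate(Exception):
    """A shipped template without a VERSION line is a packaging bug."""


def file_version(text):
    """VERSION declared in a managed file, or 0 when there is none
    (0 is what the upgrade code treats as 'not yet managed by IPA')."""
    m = VERSION_RE.search(text)
    return int(m.group(1)) if m else 0


def plan_upgrade(template_text, installed_text, strict=True):
    """Decide what to do with an installed config file.

    Returns "backup-and-replace", "replace" or "keep".  With strict=False the
    function models the pre-fix behaviour: an unversioned template yields
    new == 0, an unversioned installed file yields old == 0, the two compare
    equal and the file is left alone even though a backup was announced.
    """
    new = file_version(template_text)
    old = file_version(installed_text)
    if new == 0 and strict:
        raise UnversionedTemplate("template carries no VERSION line")
    if old == 0 and new > 0:
        # Not managed by IPA before: keep a copy of the site's file, then
        # install the template.
        return "backup-and-replace"
    if old < new:
        return "replace"
    return "keep"


def render(template_text, substitutions):
    """Fill $VARIABLES; a missing key raises KeyError rather than leaving a
    literal '$ISSUER_DN' in a security-relevant config file."""
    return Template(template_text).substitute(substitutions)


if __name__ == "__main__":
    installed = "certmap default default\n"          # constructed pre-IPA file
    print(plan_upgrade(SAMPLE_TEMPLATE, installed))  # backup-and-replace
    print(plan_upgrade("# no version\n", installed, strict=False))  # keep: the bug
    print(render(SAMPLE_TEMPLATE, {"ISSUER_DN": "CN=Certificate Authority,O=EXAMPLE.TEST"}))
```

The strict default turns the silent "keep" into a hard failure, which is the stronger form of the error log the patch adds; the render() helper fails closed on a missing substitution for the same reason.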
[Freeipa-devel] [freeipa PR#395][comment] Configure PKI ajp redirection to use "localhost" instead of "::1"
URL: https://github.com/freeipa/freeipa/pull/395 Title: #395: Configure PKI ajp redirection to use "localhost" instead of "::1" flo-renaud commented: """ This PR has been modified to be consistent with PKI fix for [2570](https://fedorahosted.org/pki/ticket/2570). PKI now defines by default the AJP redirection to "localhost", meaning that we do not need any more to override this setting. Upgrade is also handled by PKI. """ See the full comment at https://github.com/freeipa/freeipa/pull/395#issuecomment-274490123 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#395][synchronized] Configure PKI ajp redirection to use "localhost" instead of "::1"
URL: https://github.com/freeipa/freeipa/pull/395 Author: flo-renaud Title: #395: Configure PKI ajp redirection to use "localhost" instead of "::1" Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/395/head:pr395 git checkout pr395 From 143689cac6fd954380c09d55a6ed78114c5d5c18 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud <f...@redhat.com> Date: Thu, 12 Jan 2017 18:17:15 +0100 Subject: [PATCH] Do not configure PKI ajp redirection to use "::1" When ipa-server-install configures PKI, it provides a configuration file with the parameter pki_ajp_host set to ::1. This parameter is used to configure Tomcat redirection in /etc/pki/pki-tomcat/server.xml: ie all requests to port 8009 are redirected to port 8443 on address ::1. If the /etc/hosts config file does not define ::1 for localhost, then AJP redirection fails and replica install is not able to request a certificate for the replica. Since PKI has been fixed (see PKI ticket 2570) to configure by default the AJP redirection with "localhost", FreeIPA does not need any more to override this setting. https://fedorahosted.org/freeipa/ticket/6575 --- ipaserver/install/cainstance.py | 4 1 file changed, 4 deletions(-) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index f933479..77c603a 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -595,10 +595,6 @@ def __spawn_instance(self): config.set("CA", "pki_external_ca_cert_chain_path", cert_chain_file.name) config.set("CA", "pki_external_step_two", "True") -# PKI IPv6 Configuration -config.add_section("Tomcat") -config.set("Tomcat", "pki_ajp_host", "::1") - # Generate configuration file with open(cfg_file, "wb") as f: config.write(f) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
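Review bot: this revision removes the `config.set("Tomcat", "pki_ajp_host", "::1")` override without any corresponding dependency change. The commit message says the code now relies on PKI's default from ticket 2570, but neither this hunk nor the spec requires a pki version that contains that fix, so on a host with an older pki the AJP host silently becomes whatever that older template sets, and the replica certificate request failure the commit describes can come back with no indication why. A `Requires: pki-ca >= <fixed version>` (and pki-kra) alongside this removal, or at minimum a comment naming the PKI ticket, would tie the two together.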
[Freeipa-devel] [freeipa PR#405][opened] ipa-restore must stop tracking PKINIT cert in the preparation phase
URL: https://github.com/freeipa/freeipa/pull/405 Author: flo-renaud Title: #405: ipa-restore must stop tracking PKINIT cert in the preparation phase Action: opened PR body: """ ipa-restore calls certmonger to stop tracking the PKI certs, HTTP and DS certs. It must also stop tracking the newly introduced PKINIT cert (stored in /var/kerberos/krb5kdc/kdc.crt). Otherwise the restore operation ends up with PKINIT cert tracked twice and uninstallation fails. https://fedorahosted.org/freeipa/ticket/6570 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/405/head:pr405 git checkout pr405 From 121388c4d8f7ce3fd6ba172904bd30564268db58 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud <f...@redhat.com> Date: Fri, 20 Jan 2017 08:33:22 +0100 Subject: [PATCH] ipa-restore must stop tracking PKINIT cert in the preparation phase ipa-restore calls certmonger to stop tracking the PKI certs, HTTP and DS certs. It must also stop tracking the newly introduced PKINIT cert (stored in /var/kerberos/krb5kdc/kdc.crt). Otherwise the restore operation ends up with PKINIT cert tracked twice and uninstallation fails. https://fedorahosted.org/freeipa/ticket/6570 --- ipaserver/install/ipa_restore.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py index 2fae215..89cf9e6 100644 --- a/ipaserver/install/ipa_restore.py +++ b/ipaserver/install/ipa_restore.py @@ -41,7 +41,7 @@ from ipaserver.install.replication import (wait_for_task, ReplicationManager, get_cs_replication_manager) from ipaserver.install import installutils -from ipaserver.install import dsinstance, httpinstance, cainstance +from ipaserver.install import dsinstance, httpinstance, cainstance, krbinstance from ipapython import ipaldap import ipapython.errors from ipaplatform.constants import constants 
@@ -821,6 +821,8 @@ def cert_restore_prepare(self): # When IPA is not installed, DS NSS DB does not exist pass +krbinstance.KrbInstance().stop_tracking_certs() + for basename in ('cert8.db', 'key3.db', 'secmod.db', 'pwdfile.txt'): filename = os.path.join(paths.IPA_NSSDB_DIR, basename) try: -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
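Review bot: `krbinstance.KrbInstance().stop_tracking_certs()` is added outside the try/except that the preceding lines use to tolerate a missing DS NSS DB ("When IPA is not installed, DS NSS DB does not exist" followed by `pass`). cert_restore_prepare runs before anything is restored, and a backup taken before the PKINIT certificate existed, or a restore onto a host where IPA is not installed, will have no tracking request for /var/kerberos/krb5kdc/kdc.crt. Please either confirm that stop_tracking_certs() returns cleanly when there is nothing to untrack or wrap the call the same way the DS call is wrapped, otherwise restore aborts at the preparation step. The widened import in the previous hunk is fine.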
[Freeipa-devel] [freeipa PR#398][synchronized] Support for Certificate Identity Mapping
URL: https://github.com/freeipa/freeipa/pull/398 Author: flo-renaud Title: #398: Support for Certificate Identity Mapping Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/398/head:pr398 git checkout pr398 From 65b1b0695ee17e88fab9d6fc0821a6b247b11669 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud <f...@redhat.com> Date: Tue, 20 Dec 2016 16:21:58 +0100 Subject: [PATCH] Support for Certificate Identity Mapping See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping https://fedorahosted.org/freeipa/ticket/6542 --- ACI.txt| 16 +- API.txt| 184 +++ VERSION.m4 | 4 +- install/share/73certmap.ldif | 17 ++ install/share/Makefile.am | 1 + install/updates/73-certmap.update | 27 +++ install/updates/Makefile.am| 1 + ipalib/constants.py| 4 + ipapython/dn.py| 9 + ipaserver/install/dsinstance.py| 1 + ipaserver/plugins/baseuser.py | 174 +- ipaserver/plugins/certmap.py | 357 + ipaserver/plugins/stageuser.py | 16 +- ipaserver/plugins/user.py | 23 ++- ipatests/test_ipapython/test_dn.py | 20 +++ 15 files changed, 843 insertions(+), 11 deletions(-) create mode 100644 install/share/73certmap.ldif create mode 100644 install/updates/73-certmap.update create mode 100644 ipaserver/plugins/certmap.py diff --git a/ACI.txt b/ACI.txt index 0b47489..a87fec1 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -40,6 +40,18 @@ dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetattr = "cn || description || ipaenabledflag")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Modify CA ACL";allow (write) groupdn = "ldap:///cn=System: Modify CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetattr = "cn || createtimestamp || description || entryusn || hostcategory || ipacacategory || ipacertprofilecategory || ipaenabledflag || ipamemberca || ipamembercertprofile || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Read CA ACLs";allow (compare,read,search) userdn = "ldap:///all;;) +dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Modify Certmap Configuration";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "cn || ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Read Certmap Configuration";allow (compare,read,search) userdn = "ldap:///all;;) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Add Certmap Rules";allow (add) groupdn = "ldap:///cn=System: Add Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Delete Certmap Rules";allow (delete) groupdn = "ldap:///cn=System: Delete Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: 
cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "associateddomain || cn || description || ipacertmapissuer || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Modify Certmap Rules";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "associateddomain || cn || createtimestamp || description || entryusn || ipacertmapissuer || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Read Certmap Rules";allow (compare,read,search) userdn = "ldap:///all;;) dn: cn=certprofiles,cn=ca,dc=ipa,dc=example aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permis
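Review bot: compared with the earlier pushes of this PR, this revision adds ipacertmapissuer to the targetattr lists of both "System: Modify Certmap Rules" and "System: Read Certmap Rules". Since the issuer restricts which CA's certificates a rule applies to, changing it alters a rule's trust scope as much as editing ipacertmapmatchrule does, so keeping it under the same Modify permission is the right grouping. The one thing to verify, since the diff is cut off here, is that install/share/73certmap.ldif and install/updates/73-certmap.update in the same push add ipacertmapissuer to the ipacertmaprule schema, otherwise the generated ACI names an attribute the server does not know.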
[Freeipa-devel] [freeipa PR#398][synchronized] Support for Certificate Identity Mapping
URL: https://github.com/freeipa/freeipa/pull/398
Author: flo-renaud
Title: #398: Support for Certificate Identity Mapping
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/398/head:pr398
git checkout pr398

From 068cbf841121bab1df02cbe6200c1e675c48385f Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <f...@redhat.com>
Date: Tue, 20 Dec 2016 16:21:58 +0100
Subject: [PATCH] Support for Certificate Identity Mapping

See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping
https://fedorahosted.org/freeipa/ticket/6542
---
 ACI.txt                            |  16 +-
 API.txt                            | 184 +++
 VERSION.m4                         |   4 +-
 install/share/73certmap.ldif       |  17 ++
 install/share/Makefile.am          |   1 +
 install/updates/73-certmap.update  |  27 +++
 install/updates/Makefile.am        |   1 +
 ipalib/constants.py                |   4 +
 ipapython/dn.py                    |   7 +
 ipaserver/install/dsinstance.py    |   1 +
 ipaserver/plugins/baseuser.py      | 175 +-
 ipaserver/plugins/certmap.py       | 357 +
 ipaserver/plugins/stageuser.py     |  16 +-
 ipaserver/plugins/user.py          |  23 ++-
 ipatests/test_ipapython/test_dn.py |  24 +++
 15 files changed, 846 insertions(+), 11 deletions(-)
 create mode 100644 install/share/73certmap.ldif
 create mode 100644 install/updates/73-certmap.update
 create mode 100644 ipaserver/plugins/certmap.py

diff --git a/ACI.txt b/ACI.txt
index 0b47489..a87fec1 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -40,6 +40,18 @@ dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetattr = "cn || description || ipaenabledflag")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Modify CA ACL";allow (write) groupdn = "ldap:///cn=System: Modify CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetattr = "cn || createtimestamp || description || entryusn || hostcategory || ipacacategory || ipacertprofilecategory || ipaenabledflag || ipamemberca || ipamembercertprofile || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Read CA ACLs";allow (compare,read,search) userdn = "ldap:///all;;) +dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Modify Certmap Configuration";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "cn || ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Read Certmap Configuration";allow (compare,read,search) userdn = "ldap:///all;;) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Add Certmap Rules";allow (add) groupdn = "ldap:///cn=System: Add Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Delete Certmap Rules";allow (delete) groupdn = "ldap:///cn=System: Delete Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: 
cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "associateddomain || cn || description || ipacertmapissuer || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Modify Certmap Rules";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "associateddomain || cn || createtimestamp || description || entryusn || ipacertmapissuer || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Read Certmap Rules";allow (compare,read,search) userdn = "ldap:///all;;) dn: cn=certprofiles,cn=ca,dc=ipa,dc=example aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permis
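Review bot: "System: Read Certmap Rules" in this hunk grants compare,read,search to userdn = "ldap:///all", so every authenticated bind can read ipacertmapissuer, ipacertmapmaprule and ipacertmapmatchrule of every rule, while the Add, Delete and Modify Certmap Rules ACIs in the same hunk are bound to their own permission groups. "System: Read CA ACLs" and "System: Read Certmap Configuration" use the same all scope, so this may be deliberate, but the commit message should state why the rules have to be readable by all rather than by cn=System: Read Certmap Rules,cn=permissions,cn=pbac.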
[Freeipa-devel] [freeipa PR#398][opened] Support for Certificate Identity Mapping
URL: https://github.com/freeipa/freeipa/pull/398
Author: flo-renaud
Title: #398: Support for Certificate Identity Mapping
Action: opened

PR body:
"""
See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping
https://fedorahosted.org/freeipa/ticket/6542
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/398/head:pr398
git checkout pr398

From 3ccb98ac3c4e38d0454e47df1c06ae61a19fb5ee Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <f...@redhat.com>
Date: Tue, 20 Dec 2016 16:21:58 +0100
Subject: [PATCH] Support for Certificate Identity Mapping

See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping
https://fedorahosted.org/freeipa/ticket/6542
---
 ACI.txt                           |  16 +-
 API.txt                           | 184
 VERSION.m4                        |   4 +-
 install/share/73certmap.ldif      |  17 ++
 install/share/Makefile.am         |   1 +
 install/updates/73-certmap.update |  27 +++
 install/updates/Makefile.am       |   1 +
 ipalib/constants.py               |   2 +
 ipaserver/install/dsinstance.py   |   1 +
 ipaserver/plugins/baseuser.py     | 177 ++-
 ipaserver/plugins/certmap.py      | 345 ++
 ipaserver/plugins/stageuser.py    |  14 +-
 ipaserver/plugins/user.py         |  23 ++-
 13 files changed, 801 insertions(+), 11 deletions(-)
 create mode 100644 install/share/73certmap.ldif
 create mode 100644 install/updates/73-certmap.update
 create mode 100644 ipaserver/plugins/certmap.py

diff --git a/ACI.txt b/ACI.txt
index 0b47489..ec2eeca 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -40,6 +40,18 @@ dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetattr = "cn || description || ipaenabledflag")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Modify CA ACL";allow (write) groupdn = "ldap:///cn=System: Modify CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetattr = "cn || createtimestamp || description || entryusn || hostcategory || ipacacategory || ipacertprofilecategory || ipaenabledflag || ipamemberca || ipamembercertprofile || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Read CA ACLs";allow (compare,read,search) userdn = "ldap:///all;;) +dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Modify Certmap Configuration";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "cn || ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Read Certmap Configuration";allow (compare,read,search) userdn = "ldap:///all;;) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Add Certmap Rules";allow (add) groupdn = "ldap:///cn=System: Add Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Delete Certmap Rules";allow (delete) groupdn = "ldap:///cn=System: Delete Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: 
cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "associateddomain || cn || description || ipacertmapissuer || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Modify Certmap Rules";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "associateddomain || cn || createtimestamp || description || entryusn || ipacertmapissuer || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Read Certmap Rules";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn
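Review bot: the read scopes in this hunk are inconsistent: "System: Read Certmap Rules" is bound to groupdn = "ldap:///cn=System: Read Certmap Rules,cn=permissions,cn=pbac,...", while "System: Read Certmap Configuration" two entries above is open to userdn = "ldap:///all". A bind that can read ipacertmappromptusername on cn=certmap may therefore be unable to read the rules that configuration governs. Pick one scope for both, and if the rules are to stay restricted, say in the commit message which role is expected to hold the read permission.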
[Freeipa-devel] [freeipa PR#395][comment] Configure PKI ajp redirection to use "localhost" instead of "::1"
URL: https://github.com/freeipa/freeipa/pull/395
Title: #395: Configure PKI ajp redirection to use "localhost" instead of "::1"

flo-renaud commented:
"""
Please wait before merging this PR.
@pvoborni Endi suggests 2 possible strategies for the upgrade fix: either in IPA or in PKI. We need to pick one, and depending on the choice modify this PR accordingly.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/395#issuecomment-272830142

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code