[Freeipa-devel] [bind-dyndb-ldap PR#6][comment] handle termination of syncrepl watcher thread
URL: https://github.com/freeipa/bind-dyndb-ldap/pull/6
Title: #6: handle termination of syncrepl watcher thread

tbordaz commented:
"""
The patch looks good to me. ACK
"""

See the full comment at https://github.com/freeipa/bind-dyndb-ldap/pull/6#issuecomment-268201031
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#324][synchronized] Check for conflict entries before raising domain level
URL: https://github.com/freeipa/freeipa/pull/324 Author: tbordaz Title: #324: Check for conflict entries before raising domain level Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/324/head:pr324 git checkout pr324 From 94d592d557795cdf05f3fd3679ea7fcc9ed7f153 Mon Sep 17 00:00:00 2001 From: Ludwig Krispenz <lkris...@redhat.com> Date: Fri, 9 Dec 2016 15:04:21 +0100 Subject: [PATCH] Check for conflict entries before raising domain level Checking of conflicts is not only done in topology container as tests showed it can occurs elsewhere https://fedorahosted.org/freeipa/ticket/6534 --- ipaserver/plugins/domainlevel.py | 28 1 file changed, 28 insertions(+) diff --git a/ipaserver/plugins/domainlevel.py b/ipaserver/plugins/domainlevel.py index 42603d7..e1f0251 100644 --- a/ipaserver/plugins/domainlevel.py +++ b/ipaserver/plugins/domainlevel.py @@ -48,6 +48,30 @@ def get_domainlevel_range(master_entry): return DomainLevelRange(0, 0) +def check_conflict_entries(ldap, api, desired_value): +""" +Check if conflict entries exist in topology subtree +""" + +container_dn = DN( +('cn', 'ipa'), +('cn', 'etc'), +api.env.basedn +) +conflict="(nsds5replconflict=*)" +subentry="(|(objectclass=ldapsubentry)(objectclass=*))" +try: +ldap.get_entries( +filter="(& %s %s)" % (conflict, subentry), +base_dn=container_dn, +scope=ldap.SCOPE_SUBTREE) +message = _("Domain Level cannot be raised to {0}, " +"existing replication conflicts have to be resolved." +.format(desired_value)) +raise errors.InvalidDomainLevelError(reason=message) +except errors.NotFound: +pass + def get_master_entries(ldap, api): """ Returns list of LDAPEntries representing IPA masters. 
@@ -131,6 +155,10 @@ def execute(self, *args, **options): .format(desired_value, master['cn'][0])) raise errors.InvalidDomainLevelError(reason=message) +# Check if conflict entries exist in topology subtree +# should be resolved first +check_conflict_entries(ldap, self.api, desired_value) + current_entry.single_value['ipaDomainLevel'] = desired_value ldap.update_entry(current_entry) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
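Review bot: in the first hunk (check_conflict_entries) the `.format(desired_value)` is applied to the string literal inside the `_()` call, so the translation lookup is done on an already-formatted string and will never match a catalog entry; translate first and format the result, e.g. `message = _("Domain Level cannot be raised to {0}, existing replication conflicts have to be resolved.").format(desired_value)`. Two smaller points in the same hunk: the `(objectclass=*)` term makes the `(|(objectclass=ldapsubentry)(objectclass=*))` clause always true, so a short comment should state that it is there to have ldapsubentry objects returned, not to narrow the match; and the docstring says "topology subtree" while the search base is cn=ipa,cn=etc,$SUFFIX, which the commit message says is deliberate because conflicts were seen outside the topology container, so the docstring should say that. Only errors.NotFound is caught; if get_entries raises a limits error for a large result set it will surface as an unrelated failure, and listing the conflicting DNs in the message would help the administrator resolve them.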
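Review bot: in the second hunk (execute) the two added comment lines `# Check if conflict entries exist in topology subtree` and `# should be resolved first` are one sentence split in two, the second a dangling fragment; merge them into a single line and replace "topology subtree" with the actual search base, since check_conflict_entries searches under cn=ipa,cn=etc. Placing the call after the per-master range checks is right, because those raise the more specific InvalidDomainLevelError first.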
[Freeipa-devel] [freeipa PR#324][synchronized] Check for conflict entries before raising domain level
URL: https://github.com/freeipa/freeipa/pull/324 Author: tbordaz Title: #324: Check for conflict entries before raising domain level Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/324/head:pr324 git checkout pr324 From 5e544ae0477cda154996b158960006878d1a09dc Mon Sep 17 00:00:00 2001 From: Ludwig Krispenz <lkris...@redhat.com> Date: Fri, 9 Dec 2016 15:04:21 +0100 Subject: [PATCH] Check for conflict entries before raising domain level Checking of conflicts is not only done in topology container as tests showed it can occurs elsewhere https://fedorahosted.org/freeipa/ticket/6534 --- ipaserver/plugins/domainlevel.py | 26 ++ 1 file changed, 26 insertions(+) diff --git a/ipaserver/plugins/domainlevel.py b/ipaserver/plugins/domainlevel.py index 42603d7..749dce3 100644 --- a/ipaserver/plugins/domainlevel.py +++ b/ipaserver/plugins/domainlevel.py @@ -48,6 +48,29 @@ def get_domainlevel_range(master_entry): return DomainLevelRange(0, 0) +def check_conflict_entries(ldap, api, desired_value): +""" +Check if conflict entries exist in topology subtree +""" + +container_dn = DN( +('cn', 'ipa'), +('cn', 'etc'), +api.env.basedn +) + +try: +ldap.get_entries( +filter="(&(nsds5replconflict=*)(|(objectclass=ldapsubentry)(objectclass=*)))", +base_dn=container_dn, +scope=ldap.SCOPE_SUBTREE) +message = _("Domain Level cannot be raised to {0}, " +"existing replication conflicts have to be resolved." +.format(desired_value)) +raise errors.InvalidDomainLevelError(reason=message) +except errors.NotFound: +pass + def get_master_entries(ldap, api): """ Returns list of LDAPEntries representing IPA masters. 
@@ -131,6 +154,9 @@ def execute(self, *args, **options): .format(desired_value, master['cn'][0])) raise errors.InvalidDomainLevelError(reason=message) +# Check if conflict entries exist in topology subtree, should be resolved first +check_conflict_entries(ldap, self.api, desired_value) + current_entry.single_value['ipaDomainLevel'] = desired_value ldap.update_entry(current_entry) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
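Review bot: the first hunk still has the i18n problem of the previous revision: `.format(desired_value)` binds to the literal inside `_()`, so the message is formatted before translation and cannot match the catalog; call `_()` on the plain template and `.format()` its result. The filter is now inlined as `(&(nsds5replconflict=*)(|(objectclass=ldapsubentry)(objectclass=*)))`; since `(objectclass=*)` already matches every entry, add a one-line comment explaining that the ldapsubentry term exists only to get subentries returned, otherwise the next reader will try to simplify it away.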
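Review bot: in the second hunk the merged comment `# Check if conflict entries exist in topology subtree, should be resolved first` still names the topology subtree while the search base in check_conflict_entries is cn=ipa,cn=etc,$SUFFIX (the commit message says widening the base was the point of the change); reword the comment to match, e.g. "Refuse to change the domain level while replication conflict entries exist under cn=etc".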
[Freeipa-devel] [freeipa PR#322][comment] masters DS<1.3.3 do not support bind group
URL: https://github.com/freeipa/freeipa/pull/322
Title: #322: masters DS<1.3.3 do not support bind group

tbordaz commented:
"""
Oops, I missed that, thanks for the heads up. PR #319 and #315 are better fixes for this issue. #322 should be discarded.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/322#issuecomment-265984866
[Freeipa-devel] [freeipa PR#322][opened] masters DS<1.3.3 do not support bind group
URL: https://github.com/freeipa/freeipa/pull/322 Author: tbordaz Title: #322: masters DS<1.3.3 do not support bind group Action: opened PR body: """ Check the instance version before setting nsds5replicabbinddngroup and nsds5replicabinddngroupcheckinterval https://fedorahosted.org/freeipa/ticket/6532 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/322/head:pr322 git checkout pr322 From f7f759a86cf33a1fe5a04f5bc209a934cacc7cea Mon Sep 17 00:00:00 2001 From: Thierry Bordaz <tbor...@redhat.com> Date: Thu, 8 Dec 2016 18:21:03 +0100 Subject: [PATCH] masters DS<1.3.3 do not support bind group Check the instance version before setting nsds5replicabbinddngroup and nsds5replicabinddngroupcheckinterval https://fedorahosted.org/freeipa/ticket/6532 --- ipaserver/install/replication.py | 44 1 file changed, 36 insertions(+), 8 deletions(-) diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py index ddae08e..2221b5e 100644 --- a/ipaserver/install/replication.py +++ b/ipaserver/install/replication.py @@ -24,6 +24,7 @@ import datetime import sys import os +import re from random import randint import ldap 
@@ -441,6 +442,32 @@ def replica_config(self, conn, replica_id, replica_binddn): dn = self.replica_dn() assert isinstance(dn, DN) +support_binddngroup = False +try: +# check that the replica version is > 1.3.3 to support bind group +entry = conn.get_entry(DN(""), attrs_list=['vendorVersion']) +vendor_version = entry.get('vendorVersion')[0] +if vendor_version: +replica_version = re.search('389-Directory/(.+?) .*', vendor_version) +root_logger.info("Replica version: %s" % replica_version.group(1)) +version_num = [int(s) for s in replica_version.group(1).split('.') if s.isdigit()] +if version_num[0] > 1: +support_binddngroup = True +elif version_num[0] == 1: +# version 1.x +if version_num[1] > 3: +support_binddngroup = True +elif version_num[1] == 3: +# version 1.3.x +if version_num[2] >= 3: +support_binddngroup = True +except Exception as e: +root_logger.info("Unable to check replica version: %s" % str(e)) +raise +root_logger.info("Bind DN group support: %s" % support_binddngroup) + + + try: entry = conn.get_entry(dn) managers = {DN(m) for m in entry.get('nsDS5ReplicaBindDN', [])} 
@@ -453,15 +480,16 @@ def replica_config(self, conn, replica_id, replica_binddn): mod.append((ldap.MOD_ADD, 'nsDS5ReplicaBindDN', replica_binddn)) -if self.repl_man_group_dn not in binddn_groups: -mod.append((ldap.MOD_ADD, 'nsds5replicabinddngroup', -self.repl_man_group_dn)) +if support_binddngroup: +if self.repl_man_group_dn not in binddn_groups: +mod.append((ldap.MOD_ADD, 'nsds5replicabinddngroup', +self.repl_man_group_dn)) -if 'nsds5replicabinddngroupcheckinterval' not in entry: -mod.append( -(ldap.MOD_ADD, - 'nsds5replicabinddngroupcheckinterval', - '60')) +if 'nsds5replicabinddngroupcheckinterval' not in entry: +mod.append( +(ldap.MOD_ADD, + 'nsds5replicabinddngroupcheckinterval', + '60')) if mod: conn.modify_s(dn, mod) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
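Review bot: in the version-probe hunk (@@ -441,6 +442,32 @@) `re.search('389-Directory/(.+?) .*', vendor_version)` returns None for any vendorVersion that does not match that pattern, so `.group(1)` raises AttributeError; because the `except Exception` block re-raises, replica_config then aborts for every unexpectedly formatted vendor string instead of falling back to support_binddngroup = False. The same applies to `version_num[2]` (IndexError for a two-component version) and `entry.get('vendorVersion')[0]` (TypeError when the attribute is absent). Replace the nested if/elif ladder with a tuple comparison, `support_binddngroup = tuple(version_num) >= (1, 3, 3)`, which also handles short versions correctly, and decide explicitly whether an unparseable version means "unsupported" or is an error. Smaller points: the comment says "> 1.3.3" while the code (correctly, per the title "DS<1.3.3 do not support") checks >= 1.3.3; the two info-level logs run on every call and belong at debug; and the three added blank lines after the block should go.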
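Review bot: in the last hunk (@@ -453,15 +480,16 @@) make sure the `nsds5replicabinddngroupcheckinterval` block is nested under `if support_binddngroup:` together with the `nsds5replicabinddngroup` block; this rendering has lost the indentation, and the two are only correct as a unit. Adding the replication manager via nsDS5ReplicaBindDN stays outside the condition, which is what keeps pre-1.3.3 masters replicating. The literal `'60'` for the check interval predates this change but is worth lifting into a named module constant while the block is being touched.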
[Freeipa-devel] [freeipa PR#211][opened] IPA Allows Password Reuse with History value defined when admin reset…
URL: https://github.com/freeipa/freeipa/pull/211 Author: tbordaz Title: #211: IPA Allows Password Reuse with History value defined when admin reset… Action: opened PR body: """ …s the password. When admin reset a user password, history of user passwords is preserved according to its policy. https://fedorahosted.org/freeipa/ticket/6402 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/211/head:pr211 git checkout pr211 From 95aea810c8b19104a5b71dbd2cb55bf04031b652 Mon Sep 17 00:00:00 2001 From: Thierry Bordaz <tbor...@redhat.com> Date: Wed, 19 Oct 2016 15:04:13 +0200 Subject: [PATCH] IPA Allows Password Reuse with History value defined when admin resets the password. When admin reset a user password, history of user passwords is preserved according to its policy. https://fedorahosted.org/freeipa/ticket/6402 --- daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c | 22 +- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c index cab7b7c..8ee0417 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c @@ -548,15 +548,6 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data) pol.min_pwd_length = IPAPWD_DEFAULT_MINLEN; switch(data->changetype) { -case IPA_CHANGETYPE_ADMIN: -/* The expiration date needs to be older than the current time - * otherwise the KDC may not immediately register the password - * as expired. The last password change needs to match the - * password expiration otherwise minlife issues will arise. - */ -data->timeNow -= 1; -data->expireTime = data->timeNow; -break; case IPA_CHANGETYPE_NORMAL: /* Find the entry with the password policy */ ret = ipapwd_getPolicy(data->dn, data->target, ); 
@@ -564,6 +555,18 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data) LOG_TRACE("No password policy, use defaults"); } break; + case IPA_CHANGETYPE_ADMIN: +/* The expiration date needs to be older than the current time + * otherwise the KDC may not immediately register the password + * as expired. The last password change needs to match the + * password expiration otherwise minlife issues will arise. + */ +data->timeNow -= 1; +data->expireTime = data->timeNow; + + /* let set the entry password property according to its + * entry password policy + */ case IPA_CHANGETYPE_DSMGR: /* PassSync agents and Directory Manager can administratively * change the password without expiring it. @@ -577,6 +580,7 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data) LOG_TRACE("No password policy, use defaults"); } else { pol.max_pwd_life = tmppol.max_pwd_life; + pol.history_length = tmppol.history_length; } break; default: -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
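Review bot: the first hunk (@@ -548,15 +548,6 @@) only removes the IPA_CHANGETYPE_ADMIN case that preceded IPA_CHANGETYPE_NORMAL, so read on its own it sends admin resets to `default:`; the relocated case is in the next hunk, so this is fine as long as both land in one commit. Note also that the unchanged context line `ret = ipapwd_getPolicy(data->dn, data->target, );` is missing its third argument in this rendering (most likely the address of `pol`, whose `&` did not survive extraction); it is not part of the change, but check the original before relying on this copy of the patch.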
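Review bot: in the second hunk (@@ -564,6 +555,18 @@) the relocated IPA_CHANGETYPE_ADMIN case falls through into IPA_CHANGETYPE_DSMGR without a `break`, which is the intent (admin resets should pick up the target entry's policy), but the fall-through is implicit: add an explicit `/* FALLTHROUGH */` marker (or `__attribute__((fallthrough))` where the compiler supports it) after the expiry assignments so -Wimplicit-fallthrough does not flag it and readers do not mistake it for a missing break. The existing DSMGR comment "PassSync agents and Directory Manager can administratively change the password without expiring it" is now also the path taken by admin resets, which do expire the password one second in the past, so reword it to cover both cases. Grammar in the new comment: "let set the entry password property according to its entry password policy" should read "set the entry's password properties according to its password policy".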
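Review bot: in the third hunk (@@ -577,6 +580,7 @@) `pol.history_length = tmppol.history_length;` sits in the branch now shared by IPA_CHANGETYPE_ADMIN and IPA_CHANGETYPE_DSMGR, so password history is enforced for PassSync and Directory Manager changes as well, while the commit message only describes admin resets; if that widening is not intended, guard the assignment with `if (data->changetype == IPA_CHANGETYPE_ADMIN)`. Also, only max_pwd_life and history_length are copied from tmppol here, so min_pwd_length (set to IPAPWD_DEFAULT_MINLEN at the top of the function) and any other fields of `pol` keep their defaults for these change types; a comment saying that this is deliberate would save the next reader a question.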