[Freeipa-devel] [freeipa PR#960][closed] tests: Add LDAP URI to ldappasswd explicitly

2017-10-13 Thread tomaskrizek via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/960
Author: davidkupka
 Title: #960: tests: Add LDAP URI to ldappasswd explicitly
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/960/head:pr960
git checkout pr960
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#1153][opened] [Backport][ipa-4-5] tests: Add LDAP URI to ldappasswd explicitly

2017-10-13 Thread tomaskrizek via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1153
Author: tomaskrizek
 Title: #1153: [Backport][ipa-4-5] tests: Add LDAP URI to ldappasswd explicitly
Action: opened

PR body:
"""
This PR was opened automatically because PR #960 was pushed to master and 
backport to ipa-4-5 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1153/head:pr1153
git checkout pr1153
From 6cc610504c33dba2fba4fce85fd117118bcd2ceb Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Thu, 19 Jan 2017 09:18:32 +0100
Subject: [PATCH] tests: Add LDAP URI to ldappasswd explicitly

Tests should always rely on api.env.* values when possible.
Without this running the tests remotely can result in errors such
as ldap{search,modify,passwd} attempting to connect to the
wrong URI and failing.

https://fedorahosted.org/freeipa/ticket/6622
---
 ipatests/pytest_plugins/integration/tasks.py | 3 ++-
 ipatests/util.py | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/ipatests/pytest_plugins/integration/tasks.py b/ipatests/pytest_plugins/integration/tasks.py
index ba7e1058c3..52da1c956b 100644
--- a/ipatests/pytest_plugins/integration/tasks.py
+++ b/ipatests/pytest_plugins/integration/tasks.py
@@ -1314,7 +1314,8 @@ def ldappasswd_user_change(user, oldpw, newpw, master):
 basedn = master.domain.basedn
 
 userdn = "uid={},{},{}".format(user, container_user, basedn)
+master_ldap_uri = "ldap://{}".format(master.external_hostname)
 
 args = [paths.LDAPPASSWD, '-D', userdn, '-w', oldpw, '-a', oldpw,
-'-s', newpw, '-x']
+'-s', newpw, '-x', '-H', master_ldap_uri]
 master.run_command(args)
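Review bot: the URI is assembled by hand as "ldap://" plus master.external_hostname, which is at odds with the commit message's goal of relying on api.env.* values and with the util.py hunk in this same patch, which passes api.env.ldap_uri; taking scheme and host from one configuration source keeps the two helpers from drifting apart. Because this is a simple bind (-x) that carries the user's old and new passwords, a hard-coded plain ldap:// scheme also means the password change travels unencrypted unless STARTTLS is negotiated; consider adding -Z (or using an ldaps:// URI) if the test hosts trust the IPA CA.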
diff --git a/ipatests/util.py b/ipatests/util.py
index 4379c302d0..bafc590630 100644
--- a/ipatests/util.py
+++ b/ipatests/util.py
@@ -732,7 +732,7 @@ def unlock_principal_password(user, oldpw, newpw):
 user, api.env.container_user, api.env.basedn)
 
 args = [paths.LDAPPASSWD, '-D', userdn, '-w', oldpw, '-a', oldpw,
-'-s', newpw, '-x']
+'-s', newpw, '-x', '-H', api.env.ldap_uri]
 return run(args)
 
 
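Review bot: depending on how the test environment is configured, api.env.ldap_uri may point at the local ldapi:// socket rather than a TCP ldap:// address; ldappasswd accepts either, so the change works, but the test then exercises a different transport than a remote caller would, and a one-line comment saying the URI is deliberately taken from the API environment would save the next reader a trip to ipalib. When the URI does resolve to plain ldap://, the same concern as in tasks.py applies: -x with -w/-s sends both passwords in the clear unless -Z is added.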


[Freeipa-devel] [freeipa PR#1154][opened] [Backport][ipa-4-6] tests: Add LDAP URI to ldappasswd explicitly

2017-10-13 Thread tomaskrizek via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1154
Author: tomaskrizek
 Title: #1154: [Backport][ipa-4-6] tests: Add LDAP URI to ldappasswd explicitly
Action: opened

PR body:
"""
This PR was opened automatically because PR #960 was pushed to master and 
backport to ipa-4-6 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1154/head:pr1154
git checkout pr1154
From 571ed7c8bf3aa42fcbc1f4345222f27a44d5005e Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Thu, 19 Jan 2017 09:18:32 +0100
Subject: [PATCH] tests: Add LDAP URI to ldappasswd explicitly

Tests should always rely on api.env.* values when possible.
Without this running the tests remotely can result in errors such
as ldap{search,modify,passwd} attempting to connect to the
wrong URI and failing.

https://fedorahosted.org/freeipa/ticket/6622
---
 ipatests/pytest_plugins/integration/tasks.py | 3 ++-
 ipatests/util.py | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/ipatests/pytest_plugins/integration/tasks.py b/ipatests/pytest_plugins/integration/tasks.py
index 2229b2918c..4bb7dd4669 100644
--- a/ipatests/pytest_plugins/integration/tasks.py
+++ b/ipatests/pytest_plugins/integration/tasks.py
@@ -1326,9 +1326,10 @@ def ldappasswd_user_change(user, oldpw, newpw, master):
 basedn = master.domain.basedn
 
 userdn = "uid={},{},{}".format(user, container_user, basedn)
+master_ldap_uri = "ldap://{}".format(master.external_hostname)
 
 args = [paths.LDAPPASSWD, '-D', userdn, '-w', oldpw, '-a', oldpw,
-'-s', newpw, '-x']
+'-s', newpw, '-x', '-H', master_ldap_uri]
 master.run_command(args)
 
 
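Review bot: this is the same hunk as in the ipa-4-5 backport (PR #1153), so the same remark applies: the hand-built "ldap://" + external_hostname URI bypasses the api.env.* source the commit message asks for, and a simple bind (-x) over plain ldap:// sends the old and new passwords unencrypted unless -Z (STARTTLS) or an ldaps:// URI is used.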
diff --git a/ipatests/util.py b/ipatests/util.py
index 74c5dbc4c2..bc33a14970 100644
--- a/ipatests/util.py
+++ b/ipatests/util.py
@@ -750,7 +750,7 @@ def unlock_principal_password(user, oldpw, newpw):
 user, api.env.container_user, api.env.basedn)
 
 args = [paths.LDAPPASSWD, '-D', userdn, '-w', oldpw, '-a', oldpw,
-'-s', newpw, '-x']
+'-s', newpw, '-x', '-H', api.env.ldap_uri]
 return run(args)
 
 
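Review bot: identical to the util.py hunk in the ipa-4-5 backport (PR #1153); the note there applies here too: api.env.ldap_uri may be an ldapi:// socket in this environment, which is worth a comment, and with a plain ldap:// URI the -x simple bind carries both passwords in the clear.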


[Freeipa-devel] [freeipa PR#1152][opened] [Backport][ipa-4-6] Less confusing message for PKINIT configuration during install

2017-10-13 Thread tomaskrizek via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1152
Author: tomaskrizek
 Title: #1152: [Backport][ipa-4-6] Less confusing message for PKINIT configuration during install
Action: opened

PR body:
"""
This PR was opened automatically because PR #1131 was pushed to master and 
backport to ipa-4-6 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1152/head:pr1152
git checkout pr1152
From 6c0cc849a24855594b7efdb655f42e5d952c48c1 Mon Sep 17 00:00:00 2001
From: Aleksei Slaikovskii 
Date: Wed, 4 Oct 2017 12:39:02 +0200
Subject: [PATCH] Less confusing message for PKINIT configuration during
 install

The message about an error during replica setup was causing the
users to think the installation had gone wrong even though this was
an expected behavior when ipa-replica-install was run without the
--no-pkinit flag and the CA somehow is not reachable, which defines
that there is something wrong in a topology but does not lead
to failure of the replica's installation. So now the installation
will not print error messages to stdout but rather will give a
recommendation to the user and write the old error message to the log
as a warning so it will still be easy to find if needed.

https://pagure.io/freeipa/issue/7179
---
 ipaserver/install/krbinstance.py | 13 +++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 30d8fc1a3c..104761b28a 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -502,8 +502,17 @@ def issue_ipa_ca_signed_pkinit_certs(self):
 self._install_pkinit_ca_bundle()
 self.pkinit_enable()
 except RuntimeError as e:
-logger.error("PKINIT certificate request failed: %s", e)
-logger.error("Failed to configure PKINIT")
+logger.warning("PKINIT certificate request failed: %s", e)
+logger.warning("Failed to configure PKINIT")
+
+self.print_msg("Full PKINIT configuration did not succeed")
+self.print_msg(
+"The setup will only install bits "
+"essential to the server functionality")
+self.print_msg(
+"You can enable PKINIT after the "
+"setup completed using 'ipa-pkinit-manage'")
+
 self.stop_tracking_certs()
 self.issue_selfsigned_pkinit_certs()
 
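Review bot: the console output no longer says why PKINIT could not be configured, yet the commit message itself says an unreachable CA points at a topology problem the admin should look into; pointing the user at the installer log from the print_msg text (for example "see the installation log for details") would keep that signal visible without putting the error back on stdout. Two smaller points in the same block: "after the setup completed" should read "after the setup has completed", and the messages could state that self-signed PKINIT certificates are issued in the meantime, since that is what the following issue_selfsigned_pkinit_certs() call does and it affects what clients will see.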


[Freeipa-devel] [freeipa PR#1131][closed] Less confusing message for PKINIT configuration during install

2017-10-13 Thread tomaskrizek via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1131
Author: slaykovsky
 Title: #1131: Less confusing message for PKINIT configuration during install
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1131/head:pr1131
git checkout pr1131


[Freeipa-devel] Re: Lets Encrypt scripts for multiple principals and Web/LDAP

2017-10-13 Thread Antonia Stevens via FreeIPA-devel
Ultimately it would be really nice to use certmonger in such a way that
any/all servers registered would be able to get a LE cert for any number of
principals or possibly even using LE certs for all servers but I think
that's beyond my scope right now (and should not use bash).

- Antonia


[Freeipa-devel] [freeipa PR#1151][opened] [ipa-4-5] WebUI: Fix calling undefined method during reset passwords

2017-10-13 Thread pvomacka via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1151
Author: pvomacka
 Title: #1151: [ipa-4-5] WebUI: Fix calling undefined method during reset passwords
Action: opened

PR body:
"""
When calling reset password the whoami command is not called in batch
command, therefore the result is different than in calling
during reset password operation. That needs to be handled to properly
set entity_show method which needs to be called after to gather
data about logged in entity.

https://pagure.io/freeipa/issue/7175

**PUSH ONLY TO ipa-4-5 BRANCH - IT IS BACKPORT**
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1151/head:pr1151
git checkout pr1151
From 30150ca0818e46d5121acf8e42b5f1862091544d Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Wed, 6 Sep 2017 15:19:58 +0200
Subject: [PATCH 1/2] WebUI: remove unused parameter from get_whoami_command

The batch param is not used anywhere, therefore we can remove it.

https://pagure.io/freeipa/issue/7175
---
 install/ui/src/freeipa/ipa.js | 6 ++
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/install/ui/src/freeipa/ipa.js b/install/ui/src/freeipa/ipa.js
index 2538001c94..3920b8eb0a 100644
--- a/install/ui/src/freeipa/ipa.js
+++ b/install/ui/src/freeipa/ipa.js
@@ -191,7 +191,7 @@ var IPA = function () {
 }
 }));
 
-batch.add_command(that.get_whoami_command(true));
+batch.add_command(that.get_whoami_command());
 
 batch.add_command(rpc.command({
 method: 'env',
@@ -259,10 +259,8 @@ var IPA = function () {
 /**
  * Prepares `user-find --whoami` command
  * @protected
- * @param {boolean} batch - Specifies if it will be used as single command or
- *  in a batch.
  */
-that.get_whoami_command = function(batch) {
+that.get_whoami_command = function() {
 return rpc.command({
 method: 'whoami',
 on_success: function(data, text_status, xhr) {
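Review bot: the doc comment above the signature still says "Prepares `user-find --whoami` command" while the command actually built is 'whoami'; since the docblock is being edited anyway to drop the @param, the description line should be corrected in the same hunk.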

From 1a05bd60706922cfa083dc97f87db8e4b390c1d6 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Wed, 6 Sep 2017 15:20:07 +0200
Subject: [PATCH 2/2] WebUI: Fix calling undefined method during reset
 passwords

When calling reset password the whoami command is not called in batch
command, therefore the result is different than in calling
during reset password operation. That needs to be handled to properly
set entity_show method which needs to be called after to gather
data about logged in entity.

https://pagure.io/freeipa/issue/7175
---
 install/ui/src/freeipa/ipa.js | 11 ++-
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/install/ui/src/freeipa/ipa.js b/install/ui/src/freeipa/ipa.js
index 3920b8eb0a..138ca031b8 100644
--- a/install/ui/src/freeipa/ipa.js
+++ b/install/ui/src/freeipa/ipa.js
@@ -264,18 +264,19 @@ var IPA = function () {
 return rpc.command({
 method: 'whoami',
 on_success: function(data, text_status, xhr) {
-that.whoami.metadata = data;
+that.whoami.metadata = data.result || data;
+var wa_data = that.whoami.metadata;
 
 rpc.command({
-method: data.details || data.command,
-args: data.arguments,
+method: wa_data.details || wa_data.command,
+args: wa_data.arguments,
 options: function() {
-var options = data.options || [];
+var options = wa_data.options || [];
 $.extend(options, {all: true});
 return options;
 }(),
 on_success: function(data, text_status, xhr) {
-that.whoami.data = false ? data.result[0] : data.result.result;
+that.whoami.data = data.result.result;
 var entity = that.whoami.metadata.object;
 
 if (entity === 'user') {
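Review bot: `data.result || data` tells the single-command response shape ({result: {...}}) apart from the batch member shape (the whoami result itself) by a truthiness test on `result`, which only holds as long as the whoami result object never carries a `result` key of its own; a comment stating the two shapes, or a check on a field that only the wrapped form has, would make the intent explicit and survive a server-side change. The inner on_success reuses the name `data` for a different response, which is what made `data.result.result` easy to confuse with the outer object in the first place; renaming the inner parameter (e.g. to `resp`) would help. Dropping the `false ? ... :` dead branch is welcome.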


[Freeipa-devel] [freeipa PR#1149][closed] [Backport][ipa-4-5] ipa-kdb: reinit trusted domain data for enterprise principals

2017-10-13 Thread tomaskrizek via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1149
Author: tomaskrizek
 Title: #1149: [Backport][ipa-4-5] ipa-kdb: reinit trusted domain data for enterprise principals
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1149/head:pr1149
git checkout pr1149


[Freeipa-devel] [freeipa PR#1150][closed] [Backport][ipa-4-6] ipa-kdb: reinit trusted domain data for enterprise principals

2017-10-13 Thread tomaskrizek via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1150
Author: tomaskrizek
 Title: #1150: [Backport][ipa-4-6] ipa-kdb: reinit trusted domain data for enterprise principals
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1150/head:pr1150
git checkout pr1150


[Freeipa-devel] Re: Lets Encrypt scripts for multiple principals and Web/LDAP

2017-10-13 Thread Rob Crittenden via FreeIPA-devel

Antonia Stevens via FreeIPA-devel wrote:

Thanks for the feedback Rob,

I've updated the scripts with your suggestions except for using
certmonger which is probably more work, I've created a GitHub issue for
refactoring using certmonger.


Awesome. I wonder if we should link to this on the freeipa wiki. There
is quite a lot of interest in LE certs and being able to handle renewal,
even if via a cronjob, makes it far easier to use.


cheers

rob



- Antonia



On Thu, Oct 12, 2017 at 3:18 AM, Rob Crittenden wrote:

Antonia Stevens via FreeIPA-devel wrote:

Hi,

Thought I should introduce myself and post a link to some recent work
which might be relevant for some of you.

My name is Antonia Stevens and I'm a DevOps Engineer and long time
FreeIPA user.

We recently had a need to get proper certs for IPA servers in AWS which
means they have multiple IPs/DNS Names/Principals, since I could not
find anything I hacked together a couple of bash scripts to make it a
bit easier.

https://github.com/antevens/letsencrypt-freeipa

Thanks for all the great work and depending on my schedule I might try
to contribute a bit more going forward.


This looks very cool. I haven't executed it yet but from reading the
scripts here are a few ideas/suggestions.

- it may be better to get the kerberos realm from /etc/ipa/default.conf
- I have the feeling this requires at least IPA v4.5.0. Probably
worthwhile to document which version(s) are known to work
- A cronjob wouldn't be necessary if certmonger was used to do the
renewal. The script would need to be modified to work as a
certmonger CA but then it could handle restarting the services, etc.

rob








[Freeipa-devel] [freeipa PR#1150][opened] [Backport][ipa-4-6] ipa-kdb: reinit trusted domain data for enterprise principals

2017-10-13 Thread tomaskrizek via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1150
Author: tomaskrizek
 Title: #1150: [Backport][ipa-4-6] ipa-kdb: reinit trusted domain data for enterprise principals
Action: opened

PR body:
"""
This PR was opened automatically because PR #1115 was pushed to master and 
backport to ipa-4-6 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1150/head:pr1150
git checkout pr1150
From 47622b8d79e1a75179ee14567c686b90265cc4cd Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Wed, 27 Sep 2017 14:17:49 +0200
Subject: [PATCH] ipa-kdb: reinit trusted domain data for enterprise principals

While processing enterprise principals the information about trusted domains
might not be up-to-date. With this patch ipadb_reinit_mspac() is called if an
unknown domain is part of the enterprise principal.

Resolves https://pagure.io/freeipa/issue/7172
---
 daemons/ipa-kdb/ipa_kdb_principals.c | 11 +++
 1 file changed, 11 insertions(+)

diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 82c857430b..b27612258b 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -1259,6 +1259,17 @@ krb5_error_code ipadb_get_principal(krb5_context kcontext,
  realm,
  upn->length - (realm - upn->data),
  _realm);
+if (kerr == KRB5_KDB_NOENTRY) {
+/* try to refresh trusted domain data and try again */
+kerr = ipadb_reinit_mspac(ipactx, false);
+if (kerr != 0) {
+kerr = KRB5_KDB_NOENTRY;
+goto done;
+}
+kerr = ipadb_is_princ_from_trusted_realm(kcontext, realm,
+  upn->length - (realm - upn->data),
+  _realm);
+}
 if (kerr == 0) {
 kentry = calloc(1, sizeof(krb5_db_entry));
 if (!kentry) {
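Review bot: the retry path collapses every non-zero return from ipadb_reinit_mspac() into KRB5_KDB_NOENTRY, which hides LDAP connectivity or lookup failures from the KDC log; logging the original kerr before overwriting it would make trust-data refresh problems diagnosable rather than looking like an unknown principal. Since the refresh is triggered by an unknown realm inside a client-supplied enterprise principal, i.e. by unauthenticated AS-REQ input, it is worth confirming in the review that ipadb_reinit_mspac() called with the second argument false keeps its own refresh interval, so that a burst of requests naming bogus realms cannot turn into a flood of LDAP reloads on the KDC.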


[Freeipa-devel] [freeipa PR#1149][opened] [Backport][ipa-4-5] ipa-kdb: reinit trusted domain data for enterprise principals

2017-10-13 Thread tomaskrizek via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1149
Author: tomaskrizek
 Title: #1149: [Backport][ipa-4-5] ipa-kdb: reinit trusted domain data for enterprise principals
Action: opened

PR body:
"""
This PR was opened automatically because PR #1115 was pushed to master and 
backport to ipa-4-5 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1149/head:pr1149
git checkout pr1149
From b964861192c6ee56a46d8c5d081591ddbe802320 Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Wed, 27 Sep 2017 14:17:49 +0200
Subject: [PATCH] ipa-kdb: reinit trusted domain data for enterprise principals

While processing enterprise principals the information about trusted domains
might not be up-to-date. With this patch ipadb_reinit_mspac() is called if an
unknown domain is part of the enterprise principal.

Resolves https://pagure.io/freeipa/issue/7172
---
 daemons/ipa-kdb/ipa_kdb_principals.c | 11 +++
 1 file changed, 11 insertions(+)

diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 82c857430b..b27612258b 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -1259,6 +1259,17 @@ krb5_error_code ipadb_get_principal(krb5_context kcontext,
  realm,
  upn->length - (realm - upn->data),
  _realm);
+if (kerr == KRB5_KDB_NOENTRY) {
+/* try to refresh trusted domain data and try again */
+kerr = ipadb_reinit_mspac(ipactx, false);
+if (kerr != 0) {
+kerr = KRB5_KDB_NOENTRY;
+goto done;
+}
+kerr = ipadb_is_princ_from_trusted_realm(kcontext, realm,
+  upn->length - (realm - upn->data),
+  _realm);
+}
 if (kerr == 0) {
 kentry = calloc(1, sizeof(krb5_db_entry));
 if (!kentry) {
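Review bot: same hunk as the ipa-4-6 backport (PR #1150), so the same two points apply: the error from ipadb_reinit_mspac() is overwritten with KRB5_KDB_NOENTRY without being logged, and because the refresh is driven by the realm in a client-supplied enterprise principal, the non-forced reinit should be confirmed to rate-limit itself so unauthenticated requests cannot cause repeated LDAP reloads.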