[Freeipa-devel] Re: SoftHSM and certmonger

2018-08-21 Thread Rob Crittenden via FreeIPA-devel
Alexander Bokovoy via FreeIPA-devel wrote:
> Hi Rob,
> 
> I was trying to set up a configuration where certmonger would generate
> and track a key in an NSS database with an HSM token. I used SoftHSMv2
> for the token.
> 
> The script roughly describing what I did is attached. You need to put
> SELinux in permissive as it would be messing up on certmonger's access.
> 
> On Rawhide it creates a private key in the HSM but is unable to store a
> public key of the certificate there. Rawhide has p11-kit proxy active
> and that complicates things because any NSS db gets the p11-kit-proxy.so
> PKCS11 module injected via crypto-policy:
> 
> # cat /etc/crypto-policies/back-ends/nss.config
> library=
> name=Policy
> NSS=flags=policyOnly,moduleDB
> config="disallow=ALL
> allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:camellia256-cbc:aes128-gcm:aes128-cbc:camellia128-cbc:SHA256:SHA384:SHA512:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=2048:RSA-MIN=2048"
> 
> 
> 
> name=p11-kit-proxy
> library=p11-kit-proxy.so
> 
> When p11-kit-proxy.so is injected, it makes all configured PKCS11
> modules available in all NSS databases. Even if my script tries to
> insert an explicit PKCS11 module into the database used for
> certificate generation, I can skip that on Rawhide, as p11-kit-proxy does
> it for me:
> 
> # certutil -d sql:my-token -U
> 
>    slot: NSS User Private Key and Certificate Services
>   token: NSS Certificate DB
>     uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=;model=NSS%203
> 
>    slot: NSS Internal Cryptographic Services
>   token: NSS Generic Crypto Services
>     uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=;model=NSS%203
> 
>    slot: SoftHSM slot ID 0x5489b984
>   token: HSM
>     uri: pkcs11:token=HSM;manufacturer=SoftHSM%20project;serial=396d3e3c5489b984;model=SoftHSM%20v2
> 
>    slot: SoftHSM slot ID 0x1cf72acc
>   token: my-token
>     uri: pkcs11:token=my-token;manufacturer=SoftHSM%20project;serial=77cb41421cf72acc;model=SoftHSM%20v2
> 
> 
> Anyway, even if I disable this injection with
> NSS_IGNORE_SYSTEM_POLICY=1, it doesn't help because the environment
> variable has to be specified for the certmonger process too. I tried that as
> well and it doesn't help, so there seems to be a bug in certmonger's
> processing of PKCS11 modules in NSS, and p11-kit proxying is not really
> changing that.
> 
> Certmonger is confused when it doesn't succeed in unlocking a token, even
> if it is the wrong token:
> 
> # certmonger -S -p /var/run/certmonger.pid -n -d 2
> 2018-08-21 17:42:15 [26673] Changing to root directory.
> 2018-08-21 17:42:15 [26673] Obtaining system lock.
> 2018-08-21 17:42:15 [26677] Token is named "NSS Generic Crypto Services", not "NSS Certificate DB", skipping.
> 2018-08-21 17:42:15 [26677] Token is named "HSM", not "NSS Certificate DB", skipping.
> 2018-08-21 17:42:15 [26677] Token is named "my-token", not "NSS Certificate DB", skipping.
> 2018-08-21 17:42:15 [26678] Error authenticating to token "HSM".
> 2018-08-21 17:42:15 [26679] Error authenticating to cert db.
> 2018-08-21 17:42:15 [26679] Error authenticating to cert db.
> 2018-08-21 17:42:15 [26679] Error locating certificate.
> 2018-08-21 17:42:15 [26680] Token is named "NSS Certificate DB", not "my-token", skipping.
> 2018-08-21 17:42:15 [26680] Token is named "HSM", not "my-token", skipping.
> 2018-08-21 17:42:15 [26681] Token is named "NSS Certificate DB", not "my-token", skipping.
> 2018-08-21 17:42:15 [26681] Token is named "NSS Generic Crypto Services", not "my-token", skipping.
> 2018-08-21 17:42:15 [26681] Token is named "HSM", not "my-token", skipping.
> 2018-08-21 17:42:15 [26681] Error locating certificate.
> 2018-08-21 17:42:17 [26733] Certificate "Local Signing Authority" valid for 29682906s.
> 2018-08-21 17:42:17 [26731] Error authenticating to token "HSM".
> 2018-08-21 17:42:20 [26673] No hooks set for pre-save command.
> 2018-08-21 17:42:21 [26750] PIN was not needed to auth to key store, though one was provided. Treating this as an error.
> 2018-08-21 17:42:21 [26750] Error shutting down NSS.
> 
> Somehow, it doesn't see my token at all but still manages to store the
> private key there. It then leaves the request in a state
> NEED_CERTSAVE_PIN:
> 
> # getcert list -i 20180821173352
> Number of certificates and requests being tracked: 4.
> Request ID '20180821173352':
> 	status: NEED_CERTSAVE_PIN
> 	stuck: yes
> 	key pair storage: type=NSSDB,location='sql:/root/test-token/my-token',nickname='my-cert',token='my-token',pin set
> 	certificate: type=NSSDB,location='sql:/root/test-token/my-token',nickname='my-cert',token='my-token'
> 	CA: SelfSign
> 	issuer: 
> 	subject: 
> 	expires: unknown
> 	pre-save command: 

[Freeipa-devel] [freeipa PR#2266][opened] Fix the uninstall test, execute in the nightly runs

2018-08-21 Thread rcritten via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/2266
Author: rcritten
 Title: #2266: Fix the uninstall test, execute in the nightly runs
Action: opened

PR body:
"""
I'm not sure what changed that caused the test to start failing. We didn't 
notice until now because the test wasn't executed in the nightlies.

Rather than only trying to stop dirsrv when it was running just brute-force 
always try to shut it down.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2266/head:pr2266
git checkout pr2266
From dbc6ec0fb4ea15368f8989866570418d7d33e73c Mon Sep 17 00:00:00 2001
From: Rob Crittenden 
Date: Tue, 21 Aug 2018 13:20:01 -0400
Subject: [PATCH 1/2] Fix uninstallation test, use different method to stop
 dirsrv

The API may not be initialized so using ds.is_running() may fail.
Call systemctl directly to ensure the dirsrv instance is stopped.

Signed-off-by: Rob Crittenden 
---
 ipatests/test_integration/test_uninstallation.py | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/ipatests/test_integration/test_uninstallation.py b/ipatests/test_integration/test_uninstallation.py
index ccdf5b3c8a..274f4b3ee2 100644
--- a/ipatests/test_integration/test_uninstallation.py
+++ b/ipatests/test_integration/test_uninstallation.py
@@ -52,10 +52,9 @@ def test_failed_uninstall(self):
 # be marked as uninstalled so server cert will still be
 # tracked and the instances may remain. This can cause
 # subsequent installations to fail so be thorough.
-ds = dsinstance.DsInstance()
-ds_running = ds.is_running()
-if ds_running:
-ds.stop(serverid)
+dashed_domain = self.master.domain.realm.replace(".", '-')
+dirsrv_service = "dirsrv@%s.service" % dashed_domain
+self.master.run_command(['systemctl', 'stop', dirsrv_service])
 
 # Moving it back should allow the uninstall to finish
 # successfully.
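Review bot: `serverid` is already in scope in this test (the removed `ds.stop(serverid)` used it, and `ds.stop_tracking_certificates(serverid)` below still does), so rebuilding the instance name from `self.master.domain.realm.replace(".", '-')` duplicates that value under a misleading name (`dashed_domain` holds the dashed realm, which is what the dirsrv instance is named after, not the domain). Prefer `dirsrv_service = "dirsrv@%s.service" % serverid`. Two smaller points: `self.master.run_command([...])` raises on a non-zero exit by default, and `systemctl stop` exits non-zero when the unit cannot be loaded at all (389-ds template unit absent), so pass `raiseonerr=False` if the stop is meant to be the unconditional "brute-force" attempt the PR body describes; and `replace(".", '-')` mixes quote styles.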
@@ -66,6 +65,7 @@ def test_failed_uninstall(self):
 ])
 
 # DS has been marked as uninstalled so force the issue
+ds = dsinstance.DsInstance()
 ds.stop_tracking_certificates(serverid)
 
 self.master.run_command([
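Review bot: the commit message drops `ds.is_running()` because the API may not be initialized, yet `ds = dsinstance.DsInstance()` is still constructed here so that `ds.stop_tracking_certificates(serverid)` can run; confirm that neither the `DsInstance` constructor nor `stop_tracking_certificates()` touches the uninitialized API, otherwise the test keeps the same failure, just one line later.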

From 4d99d444b2cc0af3553f173abd651212549d2e2e Mon Sep 17 00:00:00 2001
From: Rob Crittenden 
Date: Tue, 21 Aug 2018 13:23:27 -0400
Subject: [PATCH 2/2] Add test_uninstallation to nightly testing

Signed-off-by: Rob Crittenden 
---
 ipatests/prci_definitions/nightly_master.yaml  | 12 
 ipatests/prci_definitions/nightly_rawhide.yaml | 12 
 2 files changed, 24 insertions(+)

diff --git a/ipatests/prci_definitions/nightly_master.yaml b/ipatests/prci_definitions/nightly_master.yaml
index c299e4138a..bfa658fc1c 100644
--- a/ipatests/prci_definitions/nightly_master.yaml
+++ b/ipatests/prci_definitions/nightly_master.yaml
@@ -544,6 +544,18 @@ jobs:
 timeout: 7200
 topology: *master_1repl
 
+  fedora-28/test_uninstallation:
+requires: [fedora-28/build]
+priority: 50
+job:
+  class: RunPytest
+  args:
+build_url: '{fedora-28/build_url}'
+test_suite: test_integration/test_uninstallation.py
+template: *ci-master-f28
+timeout: 7200
+topology: *master_1repl
+
   fedora-28/test_topology_TestCASpecificRUVs:
 requires: [fedora-28/build]
 priority: 50
diff --git a/ipatests/prci_definitions/nightly_rawhide.yaml b/ipatests/prci_definitions/nightly_rawhide.yaml
index 7856354ea7..042cff4ad7 100644
--- a/ipatests/prci_definitions/nightly_rawhide.yaml
+++ b/ipatests/prci_definitions/nightly_rawhide.yaml
@@ -544,6 +544,18 @@ jobs:
 timeout: 7200
 topology: *master_1repl
 
+  fedora-28/test_uninstallation:
+requires: [fedora-28/build]
+priority: 50
+job:
+  class: RunPytest
+  args:
+build_url: '{fedora-28/build_url}'
+test_suite: test_integration/test_uninstallation.py
+template: *ci-master-frawhide
+timeout: 7200
+topology: *master_1repl
+
   fedora-rawhide/test_topology:
 requires: [fedora-rawhide/build]
 priority: 50
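Review bot: the job added to `nightly_rawhide.yaml` is keyed `fedora-28/test_uninstallation` and points at `fedora-28/build` and `'{fedora-28/build_url}'` while using the `*ci-master-frawhide` template; the neighbouring job in the same file (`fedora-rawhide/test_topology`) depends on `fedora-rawhide/build`. This looks like a copy of the `nightly_master.yaml` block with only the template changed; rename the key and both build references to `fedora-rawhide/...` so the test actually runs against the rawhide build rather than a job that may not exist in this file.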
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-devel@lists.fedorahosted.org/message/SXNWSAIFYV5JX6M4ARYETJIVV3LVBGO5/


[Freeipa-devel] SoftHSM and certmonger

2018-08-21 Thread Alexander Bokovoy via FreeIPA-devel

Hi Rob,

I was trying to set up a configuration where certmonger would generate
and track a key in an NSS database with an HSM token. I used SoftHSMv2
for the token.

The script roughly describing what I did is attached. You need to put
SELinux in permissive as it would be messing up on certmonger's access.

On Rawhide it creates a private key in the HSM but is unable to store a
public key of the certificate there. Rawhide has p11-kit proxy active
and that complicates things because any NSS db gets the p11-kit-proxy.so
PKCS11 module injected via crypto-policy:

# cat /etc/crypto-policies/back-ends/nss.config
library=
name=Policy
NSS=flags=policyOnly,moduleDB
config="disallow=ALL 
allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:camellia256-cbc:aes128-gcm:aes128-cbc:camellia128-cbc:SHA256:SHA384:SHA512:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=2048:RSA-MIN=2048"


name=p11-kit-proxy
library=p11-kit-proxy.so

When p11-kit-proxy.so is injected, it makes all configured PKCS11
modules available in all NSS databases. Even if my script tries to
insert an explicit PKCS11 module into the database used for
certificate generation, I can skip that on Rawhide, as p11-kit-proxy does
it for me:

# certutil -d sql:my-token -U

   slot: NSS User Private Key and Certificate Services
  token: NSS Certificate DB
    uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=;model=NSS%203

   slot: NSS Internal Cryptographic Services
  token: NSS Generic Crypto Services
    uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=;model=NSS%203

   slot: SoftHSM slot ID 0x5489b984
  token: HSM
    uri: pkcs11:token=HSM;manufacturer=SoftHSM%20project;serial=396d3e3c5489b984;model=SoftHSM%20v2

   slot: SoftHSM slot ID 0x1cf72acc
  token: my-token
    uri: pkcs11:token=my-token;manufacturer=SoftHSM%20project;serial=77cb41421cf72acc;model=SoftHSM%20v2


Anyway, even if I disable this injection with
NSS_IGNORE_SYSTEM_POLICY=1, it doesn't help because the environment
variable has to be specified for the certmonger process too. I tried that as
well and it doesn't help, so there seems to be a bug in certmonger's
processing of PKCS11 modules in NSS, and p11-kit proxying is not really
changing that.

Certmonger is confused when it doesn't succeed in unlocking a token, even
if it is the wrong token:

# certmonger -S -p /var/run/certmonger.pid -n -d 2
2018-08-21 17:42:15 [26673] Changing to root directory.
2018-08-21 17:42:15 [26673] Obtaining system lock.
2018-08-21 17:42:15 [26677] Token is named "NSS Generic Crypto Services", not "NSS Certificate DB", skipping.
2018-08-21 17:42:15 [26677] Token is named "HSM", not "NSS Certificate DB", skipping.
2018-08-21 17:42:15 [26677] Token is named "my-token", not "NSS Certificate DB", skipping.
2018-08-21 17:42:15 [26678] Error authenticating to token "HSM".
2018-08-21 17:42:15 [26679] Error authenticating to cert db.
2018-08-21 17:42:15 [26679] Error authenticating to cert db.
2018-08-21 17:42:15 [26679] Error locating certificate.
2018-08-21 17:42:15 [26680] Token is named "NSS Certificate DB", not "my-token", skipping.
2018-08-21 17:42:15 [26680] Token is named "HSM", not "my-token", skipping.
2018-08-21 17:42:15 [26681] Token is named "NSS Certificate DB", not "my-token", skipping.
2018-08-21 17:42:15 [26681] Token is named "NSS Generic Crypto Services", not "my-token", skipping.
2018-08-21 17:42:15 [26681] Token is named "HSM", not "my-token", skipping.
2018-08-21 17:42:15 [26681] Error locating certificate.
2018-08-21 17:42:17 [26733] Certificate "Local Signing Authority" valid for 29682906s.
2018-08-21 17:42:17 [26731] Error authenticating to token "HSM".
2018-08-21 17:42:20 [26673] No hooks set for pre-save command.
2018-08-21 17:42:21 [26750] PIN was not needed to auth to key store, though one was provided. Treating this as an error.
2018-08-21 17:42:21 [26750] Error shutting down NSS.

Somehow, it doesn't see my token at all but still manages to store the
private key there. It then leaves the request in a state
NEED_CERTSAVE_PIN:

# getcert list -i 20180821173352
Number of certificates and requests being tracked: 4.
Request ID '20180821173352':
	status: NEED_CERTSAVE_PIN
	stuck: yes
	key pair storage: type=NSSDB,location='sql:/root/test-token/my-token',nickname='my-cert',token='my-token',pin set
	certificate: type=NSSDB,location='sql:/root/test-token/my-token',nickname='my-cert',token='my-token'
	CA: SelfSign
	issuer: 
	subject: 
	expires: unknown
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes

If I look at the SoftHSMv2 token directly (via pkcs11-tool), I can see
that the key and the cert are both there:

# pkcs11-tool --module /usr/lib64/pkcs11/libsofthsm2.so --token-label my-token -l
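The token listing and the certmonger debug log above are what a reader has to reconcile by hand: which PKCS#11 token each certmonger worker was looking for, which tokens it enumerated and skipped, and where authentication to a token failed. The following Python script is an added example, not part of this thread and not certmonger or NSS code. It parses `certutil -U` output into RFC 7512 PKCS#11 URI attributes (percent-decoded) and then walks a `certmonger -d 2` log to produce that summary. The two inputs are constructed from the output quoted in the message (a subset of its lines), and the function names are mine.

```python
# Added example (not from the thread, not certmonger code): reconcile a
# `certutil -U` token listing with certmonger's "-d 2" debug log.
# Function names are mine; the two inputs are constructed from the output
# quoted in the message (a subset of its lines).
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed from the certutil output in the message (three of the four tokens).
CERTUTIL_LISTING = """\
    slot: NSS User Private Key and Certificate Services
   token: NSS Certificate DB
     uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=;model=NSS%203

    slot: SoftHSM slot ID 0x5489b984
   token: HSM
     uri: pkcs11:token=HSM;manufacturer=SoftHSM%20project;serial=396d3e3c5489b984;model=SoftHSM%20v2

    slot: SoftHSM slot ID 0x1cf72acc
   token: my-token
     uri: pkcs11:token=my-token;manufacturer=SoftHSM%20project;serial=77cb41421cf72acc;model=SoftHSM%20v2
"""

# Constructed from the certmonger -d 2 log in the message (representative lines).
CERTMONGER_LOG = """\
2018-08-21 17:42:15 [26677] Token is named "HSM", not "NSS Certificate DB", skipping.
2018-08-21 17:42:15 [26677] Token is named "my-token", not "NSS Certificate DB", skipping.
2018-08-21 17:42:15 [26678] Error authenticating to token "HSM".
2018-08-21 17:42:15 [26679] Error authenticating to cert db.
2018-08-21 17:42:15 [26681] Token is named "NSS Certificate DB", not "my-token", skipping.
2018-08-21 17:42:15 [26681] Token is named "NSS Generic Crypto Services", not "my-token", skipping.
2018-08-21 17:42:15 [26681] Token is named "HSM", not "my-token", skipping.
2018-08-21 17:42:15 [26681] Error locating certificate.
2018-08-21 17:42:17 [26731] Error authenticating to token "HSM".
2018-08-21 17:42:21 [26750] PIN was not needed to auth to key store, though one was provided. Treating this as an error.
"""


def parse_pkcs11_uri(uri):
    """Return the path attributes of an RFC 7512 PKCS#11 URI, percent-decoded."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a PKCS#11 URI: %r" % uri)
    path = uri[len("pkcs11:"):].partition("?")[0]  # query attributes are ignored
    attrs = {}
    for part in filter(None, path.split(";")):
        key, _, value = part.partition("=")
        attrs[unquote(key)] = unquote(value)
    return attrs


def parse_certutil_listing(text):
    """Map token label -> URI attributes from `certutil -d <db> -U` output."""
    tokens, current = {}, {}
    for line in text.splitlines() + [""]:  # trailing "" closes the last entry
        m = re.match(r"\s*(slot|token|uri):\s*(.*)$", line)
        if m:
            current[m.group(1)] = m.group(2)
        elif current:  # a blank line ends one slot/token/uri block
            tokens[current["token"]] = parse_pkcs11_uri(current["uri"])
            current = {}
    return tokens


LOG_RE = re.compile(r"^\S+ \S+ \[(?P<pid>\d+)\] (?P<msg>.*)$")
SKIP_RE = re.compile(r'Token is named "(?P<seen>[^"]+)", not "(?P<wanted>[^"]+)", skipping\.')
AUTH_RE = re.compile(r'Error authenticating to token "(?P<token>[^"]+)"\.')


def correlate(listing_text, log_text):
    """Per worker PID: the token it wanted and the tokens it skipped; plus token
    authentication failures, the PIN-mismatch error, and wanted tokens that the
    database does not list at all."""
    listed = parse_certutil_listing(listing_text)
    wanted, skipped, auth_failures = {}, defaultdict(set), Counter()
    pin_error = False
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        skip, auth = SKIP_RE.search(msg), AUTH_RE.search(msg)
        if skip:
            wanted[pid] = skip.group("wanted")
            skipped[pid].add(skip.group("seen"))
        elif auth:
            auth_failures[auth.group("token")] += 1
        elif msg.startswith("PIN was not needed"):
            pin_error = True
    return {
        "listed_tokens": listed,
        "wanted": wanted,
        "skipped": dict(skipped),
        "unlisted_wanted": sorted(set(wanted.values()) - set(listed)),
        "auth_failures": dict(auth_failures),
        "pin_error": pin_error,
    }


if __name__ == "__main__":
    report = correlate(CERTUTIL_LISTING, CERTMONGER_LOG)
    for pid, token in sorted(report["wanted"].items()):
        print("worker %s wanted %r, skipped %s" % (pid, token, sorted(report["skipped"][pid])))
    print("auth failures:", report["auth_failures"], "pin error:", report["pin_error"])
```

On these inputs, `correlate()` shows worker 26681 asking for `my-token`, skipping the other three tokens and then reporting that it could not locate the certificate, while both authentication failures are against the `HSM` token. `unlisted_wanted` is empty, so the requested token is visible to NSS through the database; the open question in the message is why certmonger never matches it.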

[Freeipa-devel] [freeipa PR#2265][opened] uninstall -v: remove Tracebacks

2018-08-21 Thread flo-renaud via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/2265
Author: flo-renaud
 Title: #2265: uninstall -v: remove Tracebacks
Action: opened

PR body:
"""
ipa-server-install --uninstall -v -U prints Traceback in its log file.
This issue happens because it calls subprocess.Popen with close_fds=True
(which closes all file descriptors in the child process)
but it is trying to use the file logger in the child process
(preexec_fn is called in the child just before the child is executed).
The fix is using the logger only in the parent process.

Related to https://bugzilla.redhat.com/show_bug.cgi?id=1480502
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2265/head:pr2265
git checkout pr2265
From 3597eec2f9d5ba9cca0d64874160b975e32e2184 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Tue, 21 Aug 2018 17:55:45 +0200
Subject: [PATCH] uninstall -v: remove Tracebacks

ipa-server-install --uninstall -v -U prints Traceback in its log file.
This issue happens because it calls subprocess.Popen with close_fds=True
(which closes all file descriptors in the child process)
but it is trying to use the file logger in the child process
(preexec_fn is called in the child just before the child is executed).
The fix is using the logger only in the parent process.

Related to https://bugzilla.redhat.com/show_bug.cgi?id=1480502
---
 ipapython/ipautil.py | 23 ---
 1 file changed, 12 insertions(+), 11 deletions(-)

diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index e13cfbdf93..bfe54b2cbc 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -491,20 +491,21 @@ def run(args, stdin=None, raiseonerr=True, nolog=(), env=None,
 logger.debug('Starting external process')
 logger.debug('args=%s', arg_string)
 
-def preexec_fn():
-if runas is not None:
-pent = pwd.getpwnam(runas)
+if runas is not None:
+pent = pwd.getpwnam(runas)
 
-suplementary_gids = [
-grp.getgrnam(sgroup).gr_gid for sgroup in suplementary_groups
-]
+suplementary_gids = [
+grp.getgrnam(sgroup).gr_gid for sgroup in suplementary_groups
+]
 
-logger.debug('runas=%s (UID %d, GID %s)', runas,
- pent.pw_uid, pent.pw_gid)
-if suplementary_groups:
-for group, gid in zip(suplementary_groups, suplementary_gids):
-logger.debug('suplementary_group=%s (GID %d)', group, gid)
+logger.debug('runas=%s (UID %d, GID %s)', runas,
+ pent.pw_uid, pent.pw_gid)
+if suplementary_groups:
+for group, gid in zip(suplementary_groups, suplementary_gids):
+logger.debug('suplementary_group=%s (GID %d)', group, gid)
 
+def preexec_fn():
+if runas is not None:
 os.setgroups(suplementary_gids)
 os.setregid(pent.pw_gid, pent.pw_gid)
 os.setreuid(pent.pw_uid, pent.pw_uid)
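Review bot: moving the `pwd.getpwnam`/`grp.getgrnam` lookups and the `logger.debug` calls out of `preexec_fn` into the parent is the right fix: after `fork()` with `close_fds=True` the child's log handler has lost its descriptor, and a `logger.debug` in the child can also deadlock on the logging lock if another thread held it at fork time. One follow-up: `pent` and `suplementary_gids` are now only bound under `if runas is not None:` in the parent, and the new `preexec_fn` closes over them; the matching `if runas is not None:` inside `preexec_fn` is what prevents a `NameError`, so a one-line comment there would spare the next reader the question. Worth noting too that this ordering also fixes the case where the user lookup itself fails: a `KeyError` from `getpwnam` now surfaces in the parent with a normal traceback instead of as an opaque "Exception occurred in preexec_fn".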
___
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-devel@lists.fedorahosted.org/message/OZRDBTJ4DY2F4Q7B2BY5GO626AOMLKLT/
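The PR body explains the failure mode: `preexec_fn` runs in the forked child before `exec`, and with `close_fds=True` that child no longer has the logging handler's file descriptor. The following Python block is an added example, not FreeIPA's `ipautil.run()`, showing the structure the patch moves to: every name-service lookup and every log call happens in the parent, and the `preexec_fn` is reduced to the three privilege-dropping syscalls. The function names (`resolve_identity`, `make_preexec`, `run`, `run_self_check`) are mine, and the self-check runs the current interpreter without switching identity, since switching requires root.

```python
# Added example, not FreeIPA's ipautil.run(): the shape the PR moves to.
# With close_fds=True the child keeps only fds 0/1/2 after fork(), so a
# logging handler whose file the parent opened has no descriptor in the
# child; logging there raises (the Traceback in the uninstall log). Resolve
# the target identity and log in the parent, keep preexec_fn to bare syscalls.
# Names (resolve_identity, make_preexec, run, run_self_check) are mine.
import grp
import logging
import os
import pwd
import subprocess
import sys

logger = logging.getLogger("run")


def resolve_identity(runas, supplementary_groups=()):
    """Parent-side lookups: (uid, primary gid, supplementary gids) for runas.
    getpwnam/getgrnam go through NSS and may open files or sockets, which is
    exactly what must not happen between fork() and exec()."""
    if runas is None:
        return None
    pent = pwd.getpwnam(runas)
    gids = [grp.getgrnam(g).gr_gid for g in supplementary_groups]
    logger.debug("runas=%s (UID %d, GID %d)", runas, pent.pw_uid, pent.pw_gid)
    for group, gid in zip(supplementary_groups, gids):
        logger.debug("supplementary_group=%s (GID %d)", group, gid)
    return pent.pw_uid, pent.pw_gid, gids


def make_preexec(identity):
    """Build the preexec_fn: only the privilege-dropping syscalls, no logging,
    no lookups, nothing that takes a lock or touches a descriptor."""
    if identity is None:
        return None
    uid, gid, gids = identity

    def preexec_fn():
        os.setgroups(gids)
        os.setregid(gid, gid)
        os.setreuid(uid, uid)

    return preexec_fn


def run(args, runas=None, supplementary_groups=()):
    """Run args with close_fds=True, optionally as another user.
    Returns (returncode, stdout, stderr) as text."""
    identity = resolve_identity(runas, supplementary_groups)
    logger.debug("Starting external process: %s", args)
    proc = subprocess.Popen(
        args,
        close_fds=True,
        preexec_fn=make_preexec(identity),
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
    )
    out, err = proc.communicate()
    logger.debug("Process finished, return code=%d", proc.returncode)
    return proc.returncode, out.decode(), err.decode()


def run_self_check():
    """Run the current interpreter as the current user (no identity change)
    and return (returncode, stripped stdout)."""
    rc, out, _ = run([sys.executable, "-c", "print('ok')"])
    return rc, out.strip()


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    print(run_self_check())
```

Calling `run(["id"], runas="nobody")` as root exercises the identity switch; as an unprivileged user the `setreuid` call fails inside the child and `Popen` raises `subprocess.SubprocessError` ("Exception occurred in preexec_fn") in the parent, where it can be logged normally, which is the behaviour the patch is after.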


[Freeipa-devel] [freeipa PR#2264][opened] [Backport][ipa-4-7] Replace old login screen logo with new one

2018-08-21 Thread flo-renaud via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/2264
Author: flo-renaud
 Title: #2264: [Backport][ipa-4-7] Replace old login screen logo with new one
Action: opened

PR body:
"""
This PR was opened automatically because PR #2255 was pushed to master and 
backport to ipa-4-7 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2264/head:pr2264
git checkout pr2264
From 11a84d9638248053abb550056629d67538fb0c3f Mon Sep 17 00:00:00 2001
From: Serhii Tsymbaliuk 
Date: Thu, 16 Aug 2018 10:20:15 +0200
Subject: [PATCH] Replace old login screen logo with new one

Related: https://pagure.io/freeipa/issue/7362
---
 install/ui/images/login-screen-logo.png | Bin 5802 -> 2233 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)

diff --git a/install/ui/images/login-screen-logo.png b/install/ui/images/login-screen-logo.png
index 38f948efd770171ed922a80521e7fa576d8a172f..ad90e30c9649586ade4f2ae80f804a1182178e58 100644
GIT binary patch
literal 2233
zcmV;q2uAmbP)s`BP`G34;=A85Y&)jq8-nj#Ja0ma_kf99bfBmV9
z>k~h_-?FV6SuLUSen0k5#@As;1o&0Z{SB9r7e&-Fz$gF_br}eBWOQzQdG-f4h9VCg
zQZ7JQ(4CE_CX{?rn}DdcOeOjLd7-PR|+mCn~R^9*+d>dDVcdgRMRgT^1q(S
zTueyW3|P}Re-f_lkicXo?UkqxJ3F!#yj*bfa;kFDAteIDOFn|(5FzOTBuYMlp%x*j
zHJ~i$=vj<4VagrDPfKp1z6XWMy@{;}5#;N@i{*By9$i1>M;|5Xd$(c{Qsg
zR2X^o`~6rq9+|gSM0vD{iE6XE((_(gaO_@592hLbgo^CwAqSJ3#VgM();j$i)9
z(l^4l85B|$a#sLeUB98Y9R@8x!sH`RNO{Ozsh~t_PO%7s5@68eBN#>z5*8q7$vn905F?j$%WwwM$fqi}?eHq}C6DXN7CFfh!O*c_R~A^I($f%y&%z=5LJM$0Qm?K7QraMSBQKB
z35lRBg6o=c@59v{iuRmO8F^pra)blu$#(+B3_Wwmu#T{@Dz0_H00GuC)c3pbly
zX$20RyD*_JWh1YsLs#@c=G7?h`a^G53$ml@f{fJG~{gpIGOgD@a!;5`z}P5
zQt5dML=o`#Fo^&;sGE^Q}X_Kp>8LR(eg4)uL4)Z|Md+Do-uek)
z)UND_|D3IDrR249m=vG_;|M!xO|goBvwdBsu!g@*=MLLtTC9~|b3G1RZy7yba5~ZYH@3(;+2J2|Xe(_yXR~L}p@0zrpnK}nJ?tb9(b;n600wE2hwcG^JTTD>)4aD?r
zr$(B(S-9*^bg8wTnL4MwY2l){l86^d{n=o-hmyL2xO|DF{gMPItn^P!-7Iz%odiD8
zx%|iFacl9``r=9?9$0EWps&!P_ETD?tL_8gt=RxPW3V<5_{jxh3LuJfdnKUTq84Cx
z%0#FrK5L1+!C)PSt!CSKdWV69~8R7Y8-Ft4DoyBcf_7gydrcFeIsE!haU0M8+
zE3JF2!90$z3Q|&|FP6T#HAeD^t6(prvhc6b;`dgKisA+=`*F-7ypk#rx_7VK=CYJu
zYZUH6qygW)>Ae?~;H~ka)OLf*E1(t-C~k`td*JJ^w>BSm3;p6m0Y4*9xGR?9M3Awn
zdP`^6wccR93G74UJW3S+a}4dSpi~}JMeR;v>c0oX5<%2zDvNeI2@o$bR#mU>47;`@
z*!>#Vc}_+?0^MsTv>!Uhj3w>BlMGy=3&=tqeC!hKhfgM$s1f0lZy(Q?wb%~Z*1R~o
z#!Vhf0>JQ!(DwFmW;`Y!ZiihGA`j67fMFGZ_QN5EA|y;6oa_q(3XdZ8lk^m!{t%Sx
zq@+f>y*+3Iiu|CW*8}0_iIVT>?i8ha3$U#>8HU1$uXYoPjRxx#Tq=)U>TY#J4y2
zKPW={+vCIdh{RjB8I)=1oRA3dZ;uBGk49ZFD%pvzW>wsNzeIV^UG(ceJ*@vo67XyU
zG1Y{zbj!QxrPU9{6ECs9#43s#P!e5)lDg7(-Ij;uZc?z<>UK5wk1YI}wo$;d5ye)6
zi?Lm{>*$EpduAEznq!nQMZQ=c)2kIB``Tn!8CU>AlBAy>Gj^3wHeIz0dWr
zYqubnmdzJOW^^pP{z~boSaApcmsk=+7(o73b}>Zo)@}vX8QeM(To_Wqy?w
zwJX}~P#$z|(UJ$0k}0l^Eb||yfx`8`3kK`>>z!He;M?=PDA_0RSJ?z+LRs^?&4{t8
zU$bp1Z^xs}u@^bsnioJ!-xMxl%cE3#w4dLS`>*h->cxaze*iKyRyB6?=WBnu=*|7g
zvPY!Z)>>eN(brA}VjYyT$nuJ3$eW|F?LInK1J^pPa~@cIuHR9-NPSfB0%{Vj-Z5+eZN7}FANPn!?qqCnsbAt
z)w8i(dw?nZEGG%4EoaYj#+{o%qol@*$W~xnpQ|^4-(h#HAG(8+e!s<~dmp0PnvP`)
zVQHhP=z}4N{cQaxMuumDJqfG}jNk;n^$g1~y*s#r|1$gso00&^!)4Qf0NkvXX
Hu0mjf^jJt!

literal 5802
zcmaJ_XE+?~zm^c92N6ACmFT-V8zoqs)mcPYEEZeX6^n$BMDM+`dh{NmBzlPwElMI<
z5+OuMw2(ORp8xxv^WnT_u4`tV-!u1p|LV+#i7S#kuF76T+r_5FI
zi|ZF!(mxN_@ES0@DaHlw3-?Bls5)aD5!^Z`xGTa00eANE8bT;;>IL{Wu+g*$m5@Z63FS0q{qu+#Puz>RcP0$9ozfDEwe2sfm*zc<3v
zA8O|0@8P823{X+#RwRHg1W*V(oST61MB~5?0;EVO2Z6JXAF9_a43Gm-R!3>PJ
z)iK@(ZW(cqm=j1A#4Rf!E+Hi?CnqP$EeVnU0YQ>L2}v;tIk1!@7zE<}=I!hP
zHi2mV$Jd3W1aQOSv0xz3*Vk9vS4te??Fy7oP*C`zAt@<#fe^#_q498n7#hd>w*mx#
zbMi)F@kk7s`;Q{r5#xhb0$fD;-zlK5|Hz_o|0&!GHuf7APSO`jgV%Km#
zgT~=a5dRbJ|0#?!^TQ&5CI}qH$J^Y~QBR32lgLA`R
zxz$Z=Nc123FT8;PSO<;6!_iI%9f%U(LO~pfbOvjx%gIa0$!mhtH9-;*8dCC-
zvT_i4DH(`_yu73)NbYYg1mom`LZI<~bDjU;DuDi#`)3qT*bC1Pgg5d&!dcTBgW~=x
zWiayJV}bmu-ha5x{~C+D#=mlb7r_AkH1>Zr`tPla>G`w#XKXKwe+D0czL<9Ji?J??
z_;#Iygz2UZMAeM2@ZOpdYdhojd(8Gj^=N(5JY&5WM-3~-H3v{Ai3F=D*poO4$|+J;
zPfbLXWR>fur#X6AU|1pv{C;mWgi(uH?)V5#;%TwgUv}VwX)Cpga7Q*PIf>Z
zU!(y{KTSJuzinsnlYQs;>F@LRB1Or^=f9nnpDzz*(W_CBUSZ06gWo|ZoIXUq>
zge};77)@|OJN-ahb=BD5+RAraS`b-~x}EyNlIo?AwU@Z5_w-^+n?Efl)5CPp$Gmd!
zER)BfN*!Zqaj_?HlPe+{BGX^b0okJDSf!YtA{gDR{a?F5xrle?!*2ihqH
zbh~U3hRu1RTF_Lcw8=S&^n*PAV80ACB)7qF=Q8!~|t8%SnLifIW;#XJ||A7al`RzOF4}(6@-`?N$4FFn%ggsuMP0aYbN21mrO}pVeFdc6Rs1+Dv=)I
z+nNsa1s`Mgiv*^X)!287NoPfp*maTsy(1P8ue01i0haW+^Y>ZNt0r?pE_U7Ob*q?o
z6TD68F~_@Cnt`yhW$0B=di8G2RWMpcSd^_B(kdA{F@bW^j>{JdAn~xs(W3}85{%=4
zzg>O9!SrQ=i<~E{q+c4Ek)#PQ4P7%IJkhlgsKxtH>9jpE7+2BOs(FNL683TYH7HQS
z_~A3FqwOT4{hE*c1AFN1!t3Lo*JEBLWcf(b*svsSbFuhUrz-h)rY?U@O=Gx
z0r7Pldz;NXigiBMH!^WVJ`WE=diMK2hyhmQIp3|8@!Whd%%23oZHX`iqgUTggPuB%
z@<$t6_r(3wv`Atxb$Wp^Jrnczv_q(O+8L!ifVdnT=Z9Pq@T!YER-$U?99*?YqDcfGXpudgJ_se
zlmlJ4b8Kjq6q#!}-%`{74kT2+=)ct~3wgzEQl-`V$SY1tBdp@F(OLBU_hVHhzWCL{
zJGb2C>pmf*KaxJRu2~Kli5taRubzSo`Yid986xcp?s*WCWeeGsDIq~iHKsraJ@r%5?^epyVT>*r6+%wW%2
z%7z5$R(MODwx7CoYtO(%cigm}O@)HhWreGwR)}eD;^&^4zvgq1mf}zi)))daOpC5G
zh+oY!Vi87+)SBkQ;AaN9S)wszsOyuDG>b<#NL~*=Ovfr9H3Y+rk2_DpzwM4
zuMULge2Z@TXv7ULLx0n9f-2`gU%l#fdd7q(Yf&_A1gk=DcRmX(lGFVC$+BvQg

[Freeipa-devel] [freeipa PR#2255][closed] Replace old login screen logo with new one

2018-08-21 Thread flo-renaud via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/2255
Author: serg-cymbaluk
 Title: #2255: Replace old login screen logo with new one
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2255/head:pr2255
git checkout pr2255
___
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-devel@lists.fedorahosted.org/message/QESPQUJ3YOS2BJZZ62SXKUWHUZ3CUERJ/


[Freeipa-devel] [freeipa PR#2258][closed] [Backport][ipa-4-7] Check if user permssions and umask 0022 is set after ipa-restore

2018-08-21 Thread flo-renaud via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/2258
Author: Tiboris
 Title: #2258: [Backport][ipa-4-7] Check if user permssions and umask 0022 is set after ipa-restore
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2258/head:pr2258
git checkout pr2258
___
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-devel@lists.fedorahosted.org/message/PRXH5VCJNODGBFEVNWVOP2I2WWMQDDHK/


[Freeipa-devel] [freeipa PR#2259][closed] [Backport][ipa-4-6] Check if user permssions and umask 0022 is set after ipa-restore

2018-08-21 Thread flo-renaud via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/2259
Author: mrizwan93
 Title: #2259: [Backport][ipa-4-6] Check if user permssions and umask 0022 is set after ipa-restore
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2259/head:pr2259
git checkout pr2259
___
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-devel@lists.fedorahosted.org/message/45WHFNXJI5CMBHLDLWBINOGVSOBPJPEA/


[Freeipa-devel] [freeipa PR#2263][opened] DS replication settings: fix regression with <3.3 master

2018-08-21 Thread flo-renaud via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/2263
Author: flo-renaud
 Title: #2263: DS replication settings: fix regression with <3.3 master
Action: opened

PR body:
"""
Commit 811b0fdb4620938963f1a29d3fdd22257327562c introduced a regression
when configuring replication with a master < 3.3
Even if 389-ds schema is extended with nsds5ReplicaReleaseTimeout,
nsds5ReplicaBackoffMax and nsDS5ReplicaBindDnGroupCheckInterval
attributes, it will return UNWILLING_TO_PERFORM when a mod
operation is performed on the cn=replica entry.

This patch ignores the error and logs a debug msg.

See: https://pagure.io/freeipa/issue/7617
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2263/head:pr2263
git checkout pr2263
From acfc4ac1d393c788e2e70a97b3a03a870d02fb92 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Tue, 21 Aug 2018 11:37:17 +0200
Subject: [PATCH] DS replication settings: fix regression with <3.3 master

Commit 811b0fdb4620938963f1a29d3fdd22257327562c introduced a regression
when configuring replication with a master < 3.3
Even if 389-ds schema is extended with nsds5ReplicaReleaseTimeout,
nsds5ReplicaBackoffMax and nsDS5ReplicaBindDnGroupCheckInterval
attributes, it will return UNWILLING_TO_PERFORM when a mod
operation is performed on the cn=replica entry.

This patch ignores the error and logs a debug msg.

See: https://pagure.io/freeipa/issue/7617
---
 ipaserver/install/replication.py | 13 -
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index 78c4a43cc9..ae48577c4d 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -600,7 +600,18 @@ def finalize_replica_config(self, r_hostname, r_binddn=None,
 r_conn.simple_bind(r_binddn, r_bindpw)
 else:
 r_conn.gssapi_bind()
-self._finalize_replica_settings(r_conn)
+try:
+self._finalize_replica_settings(r_conn)
+except errors.DatabaseError as e:
+# On FreeIPA < 3.3 masters lacking support for the attributes
+# defined in REPLICA_FINAL_SETTINGS,
+# the update will return Unwilling to perform
+# Ignore the error
+if str(e).startswith('Server is unwilling to perform'):
+logger.debug("replication attribute not supported "
+ "on remote master (%s)", e)
+else:
+raise e
 r_conn.close()
 
 def setup_chaining_backend(self, conn):
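Review bot: `if str(e).startswith('Server is unwilling to perform'):` keys the fallback on a human-readable message and swallows every UNWILLING_TO_PERFORM returned for the `cn=replica` modify, not only the missing-attribute case the comment describes; a remote that refuses the change for another reason (a read-only replica, a plugin rejecting the value) would be logged at debug level and `finalize_replica_config` would continue as if the settings had been applied. Narrow it by checking the remote master's version (the comment itself says "< 3.3") before entering the fallback, or at least log at warning level so the skipped `REPLICA_FINAL_SETTINGS` are visible in the install log, and use a bare `raise` instead of `raise e` in the `else:` branch, which is the idiom for re-raising the caught exception unchanged.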
___
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-devel@lists.fedorahosted.org/message/WYU5XTYYHIVBSEUFFBAGAV47XR2N5G7U/