[Freeipa-devel] [PATCH] 0088 Fix ipa winsync plugin

2011-02-26 Thread Simo Sorce

When the plugin was adjusted to not use LDAP_DEPRECATED it was broken
and DNs were generated without the RDN attribute name part.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From 0fa84cf2ac08115da42418da917c056afcb9eedc Mon Sep 17 00:00:00 2001
From: Simo Sorce sso...@redhat.com
Date: Fri, 25 Feb 2011 13:11:34 -0500
Subject: [PATCH 3/8] Unbreak the ipa winsync plugin.

Fix RDN construction.

Fixes: https://fedorahosted.org/freeipa/ticket/1015
---
 .../ipa-slapi-plugins/ipa-winsync/ipa-winsync.c|2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c
index 2c0f4d1d2438420a95950cb72bded9288e3abf79..b98a34d1fdefd454e1c1eb600513176a39892b26 100644
--- a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c
+++ b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c
@@ -403,7 +403,7 @@ ipa_winsync_get_new_ds_user_dn_cb(void *cbdata, const Slapi_Entry *rawentry,
 return;
 }
 
-ldap_rdn2str(ldn[0], rdn, LDAP_DN_FORMAT_UFN);
+ldap_rdn2str(ldn[0], rdn, LDAP_DN_FORMAT_LDAPV3);
 *new_dn_string = slapi_ch_smprintf(%s,%s, rdn, slapi_sdn_get_dn(ds_suffix));
 ldap_dnfree(ldn);
 ldap_memfree(rdn);
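Review bot: The return value of ldap_rdn2str() on the changed line is still unchecked, so if the conversion fails rdn is handed to slapi_ch_smprintf and ldap_memfree without ever having been set; mirroring the early return above, `int rc = ldap_rdn2str(ldn[0], rdn, LDAP_DN_FORMAT_LDAPV3);` / `if (rc != LDAP_SUCCESS) { ldap_dnfree(ldn); return; }` would close that path. Switching to LDAP_DN_FORMAT_LDAPV3 is the right fix for the DN concatenation on the next line, since it yields the `attr=value` form with RFC 4514 escaping of special characters in the value, which UFN does not. The address-of operator on the rdn argument and the quotes around the format string appear to have been lost in the mail rendering, so please double-check the applied patch against the tree. ipa_winsync_get_new_ds_user_dn_cb begins before this hunk.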
-- 
1.7.4


[Freeipa-devel] [PATCH] 0091 Make wrappers for sasl binds

2011-02-26 Thread Simo Sorce

Sasl gssapi binds were done w/o a wrapper, this caused sasl binds to
behave differently in some cases and __lateinit() was never called on
them.

Unify sasl binds in ipaldap.py

This is needed in conjunction with patch 0092 to fix managing replicas
with krb credentials

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From 470af639c121fdef65768f09a2db6d56bcd9d33e Mon Sep 17 00:00:00 2001
From: Simo Sorce sso...@redhat.com
Date: Fri, 25 Feb 2011 18:37:45 -0500
Subject: [PATCH 6/8] Use wrapper for sasl gssapi binds so it behaves like other binds

By calling sasl_interactive_bind_s() directly we were not calling __lateinit().
This in turn resulted in some variables, like dbdir, not being set on the
IPAadmin object.
Keep all bind types in the same place so the same common sbind steps can be
performed in each case.

Related to: https://fedorahosted.org/freeipa/ticket/1022
---
 install/tools/ipa-replica-manage |2 +-
 ipaserver/install/replication.py |   12 +---
 ipaserver/install/service.py |3 +--
 ipaserver/ipaldap.py |8 ++--
 4 files changed, 13 insertions(+), 12 deletions(-)

diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index 19ff1f904fff0966d3ef0534366f787b7aa244db..931b13921b3a3bf4a340a7f301d325a487333497 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -142,7 +142,7 @@ def list_masters(realm, host, replica, dirman_passwd, verbose):
 if dirman_passwd:
 conn.do_simple_bind(bindpw=dirman_passwd)
 else:
-conn.sasl_interactive_bind_s('', ipaldap.sasl_auth)
+conn.do_sasl_gssapi_bind()
 
 dn = 'cn=masters,cn=ipa,cn=etc,%s' % util.realm_to_suffix(realm)
 entries = conn.search_s(dn, ldap.SCOPE_ONELEVEL)
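Review bot: The new call sites in this patch all spell the wrapper `conn.do_sasl_gssapi_bind()`, except the one in ipaserver/install/service.py, which calls `conn.do_sasl_gssapi_bind_()` with a trailing underscore. Unless ipaldap.py (its hunk is listed in the diffstat but not in the visible message) defines both names, that call raises AttributeError, which the surrounding `except Exception` in service.py swallows and logs only as a generic "Could not connect to the Directory", so the GSSAPI bind there silently never happens; the line should read `conn.do_sasl_gssapi_bind()`. list_masters continues outside this hunk.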
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index 86a42b16b4f0820c0ceb10b726fc37664913edba..0a8a65e0562b774366f5e1ff7b1c4fa920f98059 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -39,8 +39,6 @@ TIMEOUT = 120
 IPA_REPLICA = 1
 WINSYNC = 2
 
-SASL_AUTH = ldap.sasl.sasl({}, 'GSSAPI')
-
 def check_replication_plugin():
 
 Confirm that the 389-ds replication is installed.
@@ -64,7 +62,7 @@ def enable_replication_version_checking(hostname, realm, dirman_passwd):
 if dirman_passwd:
 conn.do_simple_bind(bindpw=dirman_passwd)
 else:
-conn.sasl_interactive_bind_s('', SASL_AUTH)
+conn.do_sasl_gssapi_bind()
 entry = conn.search_s('cn=IPA Version Replication,cn=plugins,cn=config', ldap.SCOPE_BASE, 'objectclass=*')
 if entry[0].getValue('nsslapd-pluginenabled') == 'off':
 conn.modify_s(entry[0].dn, [(ldap.MOD_REPLACE, 'nsslapd-pluginenabled', 'on')])
@@ -90,7 +88,7 @@ class ReplicationManager:
 if dirman_passwd:
 self.conn.do_simple_bind(bindpw=dirman_passwd)
 else:
-self.conn.sasl_interactive_bind_s('', SASL_AUTH)
+self.conn.do_sasl_gssapi_bind()
 
 self.repl_man_passwd = dirman_passwd
 
@@ -605,7 +603,7 @@ class ReplicationManager:
 if r_bindpw:
 r_conn.do_simple_bind(binddn=r_binddn, bindpw=r_bindpw)
 else:
-r_conn.sasl_interactive_bind_s('', SASL_AUTH)
+r_conn.do_sasl_gssapi_bind()
 
 #Setup the first half
 l_id = self._get_replica_id(self.conn, r_conn)
@@ -684,7 +682,7 @@ class ReplicationManager:
 if r_bindpw:
 r_conn.do_simple_bind(binddn=r_binddn, bindpw=r_bindpw)
 else:
-r_conn.sasl_interactive_bind_s('', SASL_AUTH)
+r_conn.do_sasl_gssapi_bind()
 
 # First off make sure servers are in sync so that both KDCs
 # have all princiapls and their passwords and can release
@@ -714,7 +712,7 @@ class ReplicationManager:
 if r_bindpw:
 r_conn.do_simple_bind(binddn=r_binddn, bindpw=r_bindpw)
 else:
-r_conn.sasl_interactive_bind_s('', SASL_AUTH)
+r_conn.do_sasl_gssapi_bind()
 
 # Allow krb principals to act as replicas
 self.setup_krb_princs_as_replica_binddns(self.conn, r_conn)
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 1235eaffd93e8e199773349b6d9b0ed68121ac7b..adb77b358859988fa49ca710d0638117cfcbfc4f 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -31,7 +31,6 @@ import datetime
 from ipaserver.install import installutils
 
 CACERT = /etc/ipa/ca.crt
-SASL_AUTH = ldap.sasl.sasl({}, 'GSSAPI')
 
 SERVICE_LIST = {
 'KDC':('krb5kdc', 10),
@@ -297,7 +296,7 @@ class Service:
 if dm_password:
 conn.do_simple_bind(bindpw=dm_password)
 else:
-conn.sasl_interactive_bind_s('', SASL_AUTH)
+conn.do_sasl_gssapi_bind_()
 except Exception, e:
 logging.debug(Could not connect to the Directory 

[Freeipa-devel] [PATCH] 0092 Fix replica management with krb credentials

2011-02-26 Thread Simo Sorce

If no bind password is provided it is not possible to create the basic
replication user. Creating this user is not necessary for winsync
agreements or to create new replica connections that use gssapi auth so
make it optional if krb credentials are used.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From 8c7678a59094fba99e4f1b22c7193f8a94e31fa1 Mon Sep 17 00:00:00 2001
From: Simo Sorce sso...@redhat.com
Date: Fri, 25 Feb 2011 18:23:10 -0500
Subject: [PATCH 7/8] Fix replica setup using replication admin kerberos credentials

Fixes: https://fedorahosted.org/freeipa/ticket/1022
---
 install/share/replica-acis.ldif  |5 +
 ipaserver/install/replication.py |3 ++-
 2 files changed, 7 insertions(+), 1 deletions(-)

diff --git a/install/share/replica-acis.ldif b/install/share/replica-acis.ldif
index a2f4cc22b9d58e06efeb0a984ac17096d24ba121..baa6216166eb3c661f771b8ef8346e7ee685f4f2 100644
--- a/install/share/replica-acis.ldif
+++ b/install/share/replica-acis.ldif
@@ -1,5 +1,10 @@
 # Replica administration
 
+dn: cn=config
+changetype: modify
+add: aci
+aci: (targetattr != aci)(version 3.0; aci replica admins read access; allow (read, search, compare) groupdn = ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX;)
+
 dn: cn=$SUFFIX,cn=mapping tree,cn=config
 changetype: modify
 add: aci
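Review bot: The new ACI is placed on cn=config with only `aci` excluded from targetattr, so members of the Modify Replication Agreements permission group get read, search and compare on the whole server configuration subtree, including the cn=config entry itself, which holds the Directory Manager password hash in nsslapd-rootpw, rather than only the replication settings they need. The existing grant in this file is scoped to `cn=$SUFFIX,cn=mapping tree,cn=config`; consider putting this one at the same target, or at least widening the exclusion, e.g. `(targetattr != "aci || nsslapd-rootpw")`, so the least-privilege boundary of the permission group is kept. The double quotes around the targetattr value and the ACI name appear to have been lost in the mail rendering, so the applied file should be checked for valid ACI syntax.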
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index 0a8a65e0562b774366f5e1ff7b1c4fa920f98059..516878cbf53fe7b1b34a066360ae634d99efde8c 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -592,7 +592,8 @@ class ReplicationManager:
 return self.wait_for_repl_init(conn, dn)
 
 def basic_replication_setup(self, conn, replica_id, repldn, replpw):
-self.add_replication_manager(conn, repldn, replpw)
+if replpw is not None:
+self.add_replication_manager(conn, repldn, replpw)
 self.replica_config(conn, replica_id, repldn)
 self.setup_changelog(conn)
 
-- 
1.7.4


[Freeipa-devel] [PATCH] 0093, WAS: Re: Adding client on RHEL 6 fails to get DNS entry

2011-02-26 Thread Simo Sorce
On Fri, 25 Feb 2011 17:04:10 -0500
Simo Sorce sso...@redhat.com wrote:

 On Fri, 25 Feb 2011 15:19:25 -0500
 Simo Sorce sso...@redhat.com wrote:
 
  On Fri, 25 Feb 2011 14:49:27 -0500
  Adam Young ayo...@redhat.com wrote:
  
   2011-02-24 20:46:06,851 DEBUG stderr=
   2011-02-24 20:46:06,878 DEBUG args=/usr/bin/kinit -k
   -t /etc/krb5.keytab 2011-02-24 20:46:06,879 DEBUG stdout=
   2011-02-24 20:46:06,879 DEBUG stderr=kinit: Hostname cannot be
   canonicalized when creating default server principal name
  
  ah no sorry this is the error, kinit failing ...
  now on why this happens ...
  
  Simo.
  
  
 
 Ok this happens because /etc/hosts doesn't have an entry for the
 hostname and DNS doesn't resolve it yet (chicken/egg)
 
 Please open a ticket, the fix is to pass the principal name as
 argument of the kinit command so that it doesn't have to go through
 name resolution to understand what name to use.

The attached patch should fix nsupdates on machines configured like
this one.

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York
From 0fd4928241c3ff8aa0ff91c6a4f8f9fa0a049e82 Mon Sep 17 00:00:00 2001
From: Simo Sorce sso...@redhat.com
Date: Fri, 25 Feb 2011 17:05:12 -0500
Subject: [PATCH 8/8] Fix kinit invocation in ipa-client-install

---
 ipa-client/ipa-install/ipa-client-install |3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 4b9bd29c6c08c9b1b7eb9364d14197e7a4c240bc..a6c3a7c61e99c1857137f47c9bb38399576d59ab 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -544,6 +544,7 @@ CCACHE_FILE = /etc/ipa/.dns_ccache
 def update_dns(server, hostname):
 
 ip = resolve_ipaddress(server)
+princ = 'host/%s' % hostname
 
 sub_dict = dict(HOSTNAME=hostname,
 IPADDRESS=ip,
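Review bot: The reason for the new `princ = 'host/%s' % hostname` line lives only in this thread, not in the code; a comment on it such as `# pass the principal to kinit explicitly: without it kinit has to canonicalize the hostname, which fails while neither /etc/hosts nor DNS resolve it yet` would keep that context for the next reader, and the same applies where princ is appended to the kinit argument list in the second hunk. The principal carries no realm, so it presumably relies on the default realm already written to krb5.conf by this point — worth confirming in the surrounding flow. update_dns continues outside this hunk.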
@@ -569,7 +570,7 @@ def update_dns(server, hostname):
 update_fd.close()
 
 try:
-ipautil.run(['/usr/bin/kinit', '-k', '-t', '/etc/krb5.keytab'],
+ipautil.run(['/usr/bin/kinit', '-k', '-t', '/etc/krb5.keytab', princ],
 env={'KRB5CCNAME':CCACHE_FILE})
 except CalledProcessError, e:
 print sys.stderr, Failed to obtain host TGT.
-- 
1.7.4
