[Freeipa-devel] [PATCH] 0021 Increase number of 'getent passwd attempts' to 10
Hi, https://fedorahosted.org/freeipa/ticket/1774 -- / Alexander Bokovoy From 6603e5af84c03dbabdd3de8a681a8d9d9b89013d Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Tue, 11 Oct 2011 10:22:16 +0300 Subject: [PATCH] Increase number of 'getent passwd attempts' to 10 During ipa-client-install SSSD is not always started up properly for some reason, things like getent passwd admin do not work. This is particulary true for large setups where admin is included in a large set of groups. https://fedorahosted.org/freeipa/ticket/1774
--- ipa-client/ipa-install/ipa-client-install |8 1 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index ee643de537d97180b7c04811fa800b71b36ca16f..969dc9b0faa5e131f1e9199325bdf2350157ab8a 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1124,10 +1124,10 @@ def install(options, env, fstore, statestore): if not options.on_master: n = 0 found = False
-# Loop for up to 5 seconds to see if nss is working properly.
-# It can sometimes take a few seconds to connect to the remote
-# provider.
-while n 5 and not found:
+# Loop for up to 10 seconds to see if nss is working properly.
+# It can sometimes take a few seconds to connect to the remote provider.
+# Particulary, SSSD might take longer than 6-8 seconds.
+while n 10 and not found:
try: ipautil.run([getent, passwd, admin]) found = True -- 1.7.6.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
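Review bot: The retry budget in `+while n 10 and not found:` is still a bare literal whose justification is spread over a three-line comment; a named constant above the loop, e.g. `NSS_RETRY_SECONDS = 10  # SSSD can need this long to answer the first lookup`, would make the next bump a one-line change and keep the comment honest. The probe also hard-codes the `admin` account, so on a deployment where that account was renamed or is not readable the loop burns the whole budget and reports NSS as broken regardless of SSSD's state — worth a comment stating the check is best-effort, or probing the principal the installer enrolled with. The `<` in the while condition appears to have been lost in the mail rendering rather than in the patch. The loop body, including its except branch and the per-iteration sleep, continues outside the hunk.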
[Freeipa-devel] [PATCH] 142 Improve default user/group object class validation
When user/group default object class is being modified via ipa config-mod, no validation check is run. Check at least the following: - all object classes are known to LDAP - all default user/group attributes are allowed under the new set of default object classes https://fedorahosted.org/freeipa/ticket/1893 From 486650c26ae8773b09a2e32e4c12461cbedf3f07 Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Tue, 11 Oct 2011 10:26:21 +0200 Subject: [PATCH] Improve default user/group object class validation When user/group default object class is being modified via ipa config-mod, no validation check is run. Check at least the following: - all object classes are known to LDAP - all default user/group attributes are allowed under the new set of default object classes https://fedorahosted.org/freeipa/ticket/1893 --- ipalib/plugins/config.py | 22 ++ ipaserver/plugins/ldap2.py |5 - 2 files changed, 26 insertions(+), 1 deletions(-) diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py index 7ef6265536672720bea05947f727767e5b5efa3d..48326a8babd2de8a15dbcbcb93d8ee99be567754 100644 --- a/ipalib/plugins/config.py +++ b/ipalib/plugins/config.py @@ -24,6 +24,10 @@ from ipalib.plugins.baseldap import * from ipalib import _ from ipalib.errors import ValidationError +# 389-ds attributes that should be skipped in attribute checks +OPERATIONAL_ATTRIBUTES = ('nsaccountlock', 'member', 'memberof', +'memberindirect', 'memberofindirect',) + __doc__ = _( Manage the IPA configuration 
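Review bot: The comment over `OPERATIONAL_ATTRIBUTES` calls them `389-ds attributes`, but `memberindirect` and `memberofindirect` look like values the IPA framework computes for the API response rather than attributes the directory serves, so a reader who checks the skip list against the server schema will be puzzled. Suggest `# attributes that never come from the user/group object classes (389-ds operational or IPA-computed), so the schema check skips them`. Declaring it as a `frozenset` would also signal that it is a lookup table rather than an ordered list.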
@@ -212,6 +216,24 @@ class config_mod(LDAPUpdate): raise errors.ValidationError( name=k, error='attribute %s not allowed' % a ) + +for (attr, obj) in (('ipauserobjectclasses', 'user'), +('ipagroupobjectclasses', 'group')): +if attr in entry_attrs: +objectclasses = entry_attrs[attr] + self.api.Object[obj].possible_objectclasses +new_allowed_attrs = ldap.get_allowed_attributes(objectclasses, +raise_on_unknown=True) +checked_attrs = self.api.Object[obj].default_attributes +if self.api.Object[obj].uuid_attribute: +checked_attrs.append(self.api.Object[obj].uuid_attribute) +for obj_attr in self.api.Object[obj].default_attributes: +if obj_attr in OPERATIONAL_ATTRIBUTES: +continue +if obj_attr not in new_allowed_attrs: +raise errors.ValidationError(name=attr, +error=_('%s default attribute %s would not be allowed!') \ +% (obj, obj_attr)) + return dn api.register(config_mod) diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py index fddfe0f5af8a56f0066aa95ef4e5647b27f00dc4..382cc5760be09ba1633e258342a73adb931f70d4 100644 --- a/ipaserver/plugins/ldap2.py +++ b/ipaserver/plugins/ldap2.py @@ -43,6 +43,7 @@ from ldap.controls import LDAPControl # for backward compatibility from ldap.functions import explode_dn from ipalib.dn import DN +from ipalib import _ import krbV @@ -268,7 +269,7 @@ class ldap2(CrudBackend, Encoder): else: return None -def get_allowed_attributes(self, objectclasses): +def get_allowed_attributes(self, objectclasses, raise_on_unknown=False): if not self.schema: self.get_schema() allowed_attributes = [] 
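Review bot: An unknown object class makes `ldap.get_allowed_attributes(objectclasses, raise_on_unknown=True)` raise `errors.NotFound`, so a typo in `--userobjectclasses` reaches the client as a lookup failure, while the check just above reports the same kind of mistake as a `ValidationError` naming the parameter; both branches of one validation should fail the same way. Convert at the call site: `try: new_allowed_attrs = ldap.get_allowed_attributes(objectclasses, raise_on_unknown=True)` / `except errors.NotFound, e: raise errors.ValidationError(name=attr, error=e.reason)`. The enclosing method (presumably `pre_callback`, given the `return dn`) starts outside the hunk.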
@@ -276,6 +277,8 @@ class ldap2(CrudBackend, Encoder): obj = self.schema.get_obj(_ldap.schema.ObjectClass, oc) if obj is not None: allowed_attributes += obj.must + obj.may +elif raise_on_unknown: +raise errors.NotFound(reason=_('objectclass %s not found') % oc) return [unicode(a).lower() for a in list(set(allowed_attributes))] def get_single_value(self, attr): -- 1.7.6.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 024 Added missing fields to password policy page
https://fedorahosted.org/freeipa/ticket/1944 (2.1.3 Release) No editable fields exist for maxfail, failinterval lockouttime and priority in password policy page. -- Petr Vobornik From 9ae5eca65de34c02fe0c3baae6eb27e2fa8fe346 Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Tue, 11 Oct 2011 10:24:48 +0200 Subject: [PATCH] Added missing fields to password policy page https://fedorahosted.org/freeipa/ticket/1944 No editable fields exist for maxfail, failinterval lockouttime and priority in password policy page. --- install/ui/policy.js | 12 ++-- 1 files changed, 10 insertions(+), 2 deletions(-) diff --git a/install/ui/policy.js b/install/ui/policy.js index ac9eb20f71d0e6765aaa069fbae27304018511a4..af9e3b85952ec26c36c399e6d5f1b301c34c15a2 100644 --- a/install/ui/policy.js +++ b/install/ui/policy.js @@ -39,8 +39,16 @@ IPA.entity_factories.pwpolicy = function() { name: 'cn', other_entity: 'group' }, -'krbmaxpwdlife','krbminpwdlife','krbpwdhistorylength', -'krbpwdmindiffchars','krbpwdminlength'] +'krbmaxpwdlife', +'krbminpwdlife', +'krbpwdhistorylength', +'krbpwdmindiffchars', +'krbpwdminlength', +'krbpwdmaxfailure', +'krbpwdfailurecountinterval', +'krbpwdlockoutduration', +'cospriority' +] }]}). standard_association_facets(). adder_dialog({ -- 1.7.6 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
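Review bot: The four new entries are appended as bare names like the existing ones, so `krbpwdfailurecountinterval` and `krbpwdlockoutduration` get whatever the default widget is with no hint that they are seconds, and `cospriority` is rendered for the global policy too, where — if I read the server plugin correctly — it is not settable; please confirm and, if so, give those entries a label/tooltip object or at least a comment such as `// cospriority: only meaningful for per-group policies`. Server-side validation presumably still bounds the values, so this is a usability and style point rather than a security one.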
[Freeipa-devel] [PATCH] 0023 Improve hbactest
Hi, two improvements for hbactest command: 1. Include indirect membership for users and hosts 2. Append FreeIPA default domain to hosts in hbactest request if they are not fully qualified ones. Fixes https://fedorahosted.org/freeipa/ticket/1862 https://fedorahosted.org/freeipa/ticket/1949 Two patches in the same commit because they affect the same code and otherwise would have created dependency between the patches anyway. -- / Alexander Bokovoy From 09ccb28ab1f6fb5c5d2ee41b583125e95bd23a62 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Tue, 11 Oct 2011 11:25:24 +0300 Subject: [PATCH] Include indirect membership and canonicalize hosts during HBAC rules testing When users and hosts are included into groups indirectly, make sure that during HBAC test e fill in all indirect groups properly into an HBAC request. Also, if hosts provided for test are not specified fully, canonicalize them using IPA domain. This makes possible following requests: ipa hbactest --user foobar --srchost vm-101 --host vm-101 --service sshd Request to evaluate: user name foobar groups [hbacusers,ipausers] service name sshd groups [] targethost name vm-101.ipa.local groups [] srchost name vm-101.ipa.local groups [] Fixes: https://fedorahosted.org/freeipa/ticket/1862 https://fedorahosted.org/freeipa/ticket/1949 --- ipalib/plugins/hbactest.py | 30 +++--- 1 files changed, 23 insertions(+), 7 deletions(-) diff --git a/ipalib/plugins/hbactest.py b/ipalib/plugins/hbactest.py index 75442451ca91783718942f78738170f399ef8ca9..9b33dafa4424c2919732dd9e5161806b31fc5568 100644 --- a/ipalib/plugins/hbactest.py +++ b/ipalib/plugins/hbactest.py 
@@ -204,6 +204,14 @@ class hbactest(Command): ), )
+def canonicalize(self, host):
+
+Canonicalize the host name -- add default IPA domain if that is missing
+
+if host.find('.') == -1:
+return u'%s.%s' % (host, self.env.domain)
+return host
+
def execute(self, *args, **options): # First receive all needed information: # 1. HBAC rules (whether enabled or disabled)
@@ -264,7 +272,11 @@ class hbactest(Command): if options['user'] != u'all': try: request.user.name = options['user']
-request.user.groups = self.api.Command.user_show(request.user.name)['result']['memberof_group']
+search_result = self.api.Command.user_show(request.user.name)['result']
+groups = search_result['memberof_group']
+if 'memberofindirect_group' in search_result:
+groups += search_result['memberofindirect_group']
+request.user.groups = sorted(set(groups))
except: pass
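Review bot: `canonicalize` only tests for a dot, so a name typed in upper case or with a trailing dot (`VM-101.ipa.local.`) goes to `host_show` as given; whether that lookup is case-insensitive I cannot tell from here, and because the call sits under `except: pass` a miss does not fail the test but silently runs it with an empty group list, which for an access-control oracle is a wrong verdict rather than an error. If host names are normalized elsewhere in the plugin, `host = host.rstrip('.').lower()` before the dot test would match that, and the docstring should say the result is not verified to exist. Separately, `groups += search_result['memberofindirect_group']` extends the `memberof_group` list inside the `user_show` result in place; harmless since that dict is discarded, but `groups = list(search_result['memberof_group'])` makes the copy explicit. The quotes of the docstring appear to have been lost in the mail rendering.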
@@ -278,19 +290,23 @@ class hbactest(Command): if options['sourcehost'] != u'all': try:
-request.srchost.name = options['sourcehost']
+request.srchost.name = self.canonicalize(options['sourcehost'])
srchost_result = self.api.Command.host_show(request.srchost.name)['result']
-srchost_groups = srchost_result['memberof_hostgroup']
-request.srchost.groups = sorted(set(srchost_groups))
+groups = srchost_result['memberof_hostgroup']
+if 'memberofindirect_hostgroup' in srchost_result:
+groups += search_result['memberofindirect_hostgroup']
+request.srchost.groups = sorted(set(groups))
except: pass if options['targethost'] != u'all': try:
-request.targethost.name = options['targethost']
+request.targethost.name = self.canonicalize(options['targethost'])
tgthost_result = self.api.Command.host_show(request.targethost.name)['result']
-tgthost_groups = tgthost_result['memberof_hostgroup']
-request.targethost.groups = sorted(set(tgthost_groups))
+groups = tgthost_result['memberof_hostgroup']
+if 'memberofindirect_hostgroup' in tgthost_result:
+groups += search_result['memberofindirect_hostgroup']
+request.targethost.groups = sorted(set(groups))
except: pass -- 1.7.6.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
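Review bot: Both new indirect-membership lines read the wrong variable: `groups += search_result['memberofindirect_hostgroup']` in the srchost branch and again in the targethost branch refer to the user lookup result from the earlier block instead of `srchost_result` / `tgthost_result`. Because each block sits under `except: pass`, the resulting `KeyError` (or `NameError` when `--user all` was given and `search_result` was never bound) is swallowed after `request.srchost.name` has already been set, so indirect hostgroups are silently dropped and `request.srchost.groups` is never assigned — the HBAC test then answers from incomplete input instead of reporting an error. Change them to `groups += srchost_result['memberofindirect_hostgroup']` and `groups += tgthost_result['memberofindirect_hostgroup']`. The bare `except: pass` is pre-existing, but narrowing it to `errors.NotFound` would have made this visible.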
Re: [Freeipa-devel] [PATCH] 0021 Increase number of 'getent passwd attempts' to 10
On Tue, 2011-10-11 at 10:25 +0300, Alexander Bokovoy wrote: Hi, https://fedorahosted.org/freeipa/ticket/1774 ACK. Pushed to master, ipa-2-1. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 142 Improve default user/group object class validation
On Tue, 11 Oct 2011, Martin Kosek wrote: @@ -212,6 +216,24 @@ class config_mod(LDAPUpdate): raise errors.ValidationError( name=k, error='attribute %s not allowed' % a ) Could you please also (in a separate patch) fix the above and others by adding translations? Other exception messages in plugins/config.py are designed to be used for user interactions but this one is not localized. + +for (attr, obj) in (('ipauserobjectclasses', 'user'), +('ipagroupobjectclasses', 'group')): +if attr in entry_attrs: +objectclasses = entry_attrs[attr] + self.api.Object[obj].possible_objectclasses would it make sense to do sort(set(objectclasses)) to get unique list before using it further? Just a thought. get_allowed_attributes() will go to LDAP's schema to consult about the attributes and it seems to me we'd better not to do this multiple times for the same. +new_allowed_attrs = ldap.get_allowed_attributes(objectclasses, +raise_on_unknown=True) +checked_attrs = self.api.Object[obj].default_attributes +if self.api.Object[obj].uuid_attribute: +checked_attrs.append(self.api.Object[obj].uuid_attribute) +for obj_attr in self.api.Object[obj].default_attributes: Shouldn't this be checked_attrs? -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 143 Fix dnszone-add name_from_ip server validation
Based mainly on Rob's fix proposed in Trac. --- Ticket 1627 contained a (temporary hack-ish) fix for dnszone-add name_from_ip validation which works fine for CLI. However, when the command is not proceeded via CLI and sent directly to the RPC server, the server throws Internal Server Error. Make sure that the server returns a reasonable error. https://fedorahosted.org/freeipa/ticket/1941 From 6b4759e252408ed3022673d719cfc16c3a179803 Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Tue, 11 Oct 2011 10:54:34 +0200 Subject: [PATCH] Fix dnszone-add name_from_ip server validation Ticket 1627 contained a (temporary hack-ish) fix for dnszone-add name_from_ip validation which works fine for CLI. However, when the command is not proceeded via CLI and sent directly to the RPC server, the server throws Internal Server Error. Make sure that the server returns a reasonable error. https://fedorahosted.org/freeipa/ticket/1941
--- ipaserver/rpcserver.py |9 - 1 files changed, 8 insertions(+), 1 deletions(-)
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 39cdbcc7f353c1d0a01d10ff442a9bf0c66c3df9..35a10926292f01933825772edb852f34ef164619 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -231,7 +231,14 @@ class WSGIExecutioner(Executioner): finally: os.environ['LANG'] = lang if name:
-params = self.Command[name].args_options_2_params(*args, **options)
+try:
+params = self.Command[name].args_options_2_params(*args, **options)
+except Exception, e:
+self.info(
+ 'exception %s caught when converting options: %s', e.__class__.__name__, str(e)
+)
+# get at least some context of what is going on
+params = options
if error: self.info('%s: %s(%s): %s', context.principal, name, ', '.join(self.Command[name]._repr_iter(**params)), e.__class__.__name__) else: -- 1.7.6.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
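Review bot: `except Exception, e:` rebinds `e`, the name the audit line two lines below reads as the command's own error (`e.__class__.__name__`, presumably bound by an earlier except outside the hunk); in Python 2 the except target is the enclosing scope's variable, so when conversion fails the audit log records the converter's exception class, which need not be the one the caller was actually given. Use a distinct name: `except Exception, conv_err:` and `conv_err.__class__.__name__, str(conv_err)` in the message. The fallback `params = options` also drops the positional `args`, so the logged line loses the argument the bad request was about (the zone name here); logging `args` in the same message would keep that context for whoever reads the audit trail. Only part of the method is visible; its body continues outside the hunk.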
[Freeipa-devel] [PATCH] 0024 Force use of kerberos realm to be a string in config.py
Hi, there seems to be something new with python-2.7.2 on Fedora 16 and 'make lint' complains about dom_name = config.default_realm.lower() as config.default_realm is of type _Chainmap during static analysis. We get config.default_realm out of krbV.default_context().default_realm. The code change works fine with Fedora 15 as well (tested). -- / Alexander Bokovoy From c25b21972fb3a93b7c2ff1ab15715ae0bd3369b5 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Tue, 11 Oct 2011 12:07:23 +0300 Subject: [PATCH 2/2] Force kerberos realm to be a string Fixes issue with Python linter on Fedora 16 where it assumes for C modules-provided objects that they are of type _Chainmap during static analysis.
--- ipapython/config.py |2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/ipapython/config.py b/ipapython/config.py
index 051e39f92c8c0a8289c0bfdf8a53ad761c0457f6..d4c724dc9ac754cb221fe60d7c13bd0c716dd296 100644
--- a/ipapython/config.py
+++ b/ipapython/config.py
@@ -178,7 +178,7 @@ def __discover_config(discover_server = True): if not config.default_domain: #try once with REALM - domain
-dom_name = config.default_realm.lower()
+dom_name = str(config.default_realm).lower()
name = _ldap._tcp.+dom_name+. rs = ipapython.dnsclient.query(name, ipapython.dnsclient.DNS_C_IN, ipapython.dnsclient.DNS_T_SRV) rl = len(rs) -- 1.7.6.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
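Review bot: The cast in `+dom_name = str(config.default_realm).lower()` is a linter workaround according to the cover letter, but nothing in the code says so, and the next reader will assume `default_realm` can arrive as a non-string; add `# str() only placates pylint, which mistypes krbV-provided attributes; the value is already a str`. One caveat worth a word in that comment: should `default_realm` ever be a unicode object with non-ASCII characters, `str()` raises `UnicodeEncodeError` under Python 2 where the old line did not — realms are conventionally ASCII, so this is theoretical. The rest of `__discover_config` lies outside the hunk.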
[Freeipa-devel] [PATCH] bind-dyndb-ldap: Add new ldap_hostname option (ticket #1931)
Hello all, please see attached patch for bind-dyndb-ldap, it should solve (at least from bind-dyndb-ldap side) ticket #1931. It adds new ldap_hostname option and ipa-server-install utility should set this option when /bin/hostname is different from --hostname parameter. Comments are welcomed. Regards, Adam From c6913e6f0bb90253ad141917cb804f74dec070ae Mon Sep 17 00:00:00 2001 From: Adam Tkac at...@redhat.com Date: Tue, 11 Oct 2011 11:21:39 +0200 Subject: [PATCH] Added new ldap_hostname option. Signed-off-by: Adam Tkac at...@redhat.com --- NEWS |4 README|7 +++ src/ldap_helper.c | 11 +++ 3 files changed, 22 insertions(+), 0 deletions(-) diff --git a/NEWS b/NEWS index ce822b0..da3d11d 100644 --- a/NEWS +++ b/NEWS @@ -1,6 +1,10 @@ [1] When connection to the LDAP was lost, the plugin didn't call the ldap_bind during reconnection. +[2] Added new option ldap_hostname which allows to set LDAP server hostname +when it is different from actual /bin/hostname. This option sets the +LDAP_OPT_HOST_NAME option. + 1.0.0b1 == diff --git a/README b/README index a46c998..1509068 100644 --- a/README +++ b/README @@ -183,6 +183,13 @@ reconnect_interval (default 60) Time (in seconds) after that the plugin should try to connect to LDAP server again in case connection is lost and immediate reconnection fails. +ldap_hostname (default ) + Sets hostname of the LDAP server. When it is set to , actual + /bin/hostname is used. Please prefer uri option, this option should be + used only in special cases, for example when GSSAPI authentication + is used and named service has Kerberos principal different from + /bin/hostname output. + 5.2 Sample configuration diff --git a/src/ldap_helper.c b/src/ldap_helper.c index aaa4dd6..8c88b4c 100644 --- a/src/ldap_helper.c +++ b/src/ldap_helper.c @@ -155,6 +155,7 @@ struct ldap_instance { ld_string_t *krb5_keytab; ld_string_t *fake_mname; isc_boolean_t psearch; + ld_string_t *ldap_hostname; isc_task_t *task; isc_thread_twatcher; isc_boolean_t exiting; 
@@ -324,6 +325,7 @@ new_ldap_instance(isc_mem_t *mctx, const char *db_name, { krb5_keytab, default_string() }, { fake_mname, default_string() }, { psearch, default_boolean(ISC_FALSE) }, + { ldap_hostname, default_string() }, end_of_settings }; @@ -360,6 +362,7 @@ new_ldap_instance(isc_mem_t *mctx, const char *db_name, CHECK(str_new(mctx, ldap_inst-sasl_password)); CHECK(str_new(mctx, ldap_inst-krb5_keytab)); CHECK(str_new(mctx, ldap_inst-fake_mname)); + CHECK(str_new(mctx, ldap_inst-ldap_hostname)); i = 0; ldap_settings[i++].target = ldap_inst-uri; @@ -379,6 +382,7 @@ new_ldap_instance(isc_mem_t *mctx, const char *db_name, ldap_settings[i++].target = ldap_inst-krb5_keytab; ldap_settings[i++].target = ldap_inst-fake_mname; ldap_settings[i++].target = ldap_inst-psearch; + ldap_settings[i++].target = ldap_inst-ldap_hostname; CHECK(set_settings(ldap_settings, argv)); /* Validate and check settings. */ @@ -498,6 +502,7 @@ destroy_ldap_instance(ldap_instance_t **ldap_instp) str_destroy(ldap_inst-sasl_password); str_destroy(ldap_inst-krb5_keytab); str_destroy(ldap_inst-fake_mname); + str_destroy(ldap_inst-ldap_hostname); /* commented out for now, causes named to hang */ //dns_view_detach(ldap_inst-view); @@ -1341,6 +1346,12 @@ ldap_connect(ldap_instance_t *ldap_inst, ldap_connection_t *ldap_conn, ret = ldap_set_option(ld, LDAP_OPT_TIMEOUT, timeout); LDAP_OPT_CHECK(ret, failed to set timeout); + if (str_len(ldap_inst-ldap_hostname) 0) { + ret = ldap_set_option(ld, LDAP_OPT_HOST_NAME, + str_buf(ldap_inst-ldap_hostname)); + LDAP_OPT_CHECK(ret, failed to set LDAP_OPT_HOST_NAME); + } + if (ldap_conn-handle != NULL) ldap_unbind_ext_s(ldap_conn-handle, NULL, NULL); ldap_conn-handle = ld; -- 1.7.6.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
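Review bot: The new `ldap_set_option(ld, LDAP_OPT_HOST_NAME, ...)` call carries no comment, and the README text describes the option as "hostname of the LDAP server", which reads as if it re-pointed the connection; what the option actually changes in the libldap in use — only the host name used for the SASL/GSSAPI `ldap/<host>` target, or also the default host list that `uri` set up via `ldap_initialize` — should be verified and stated at the call, e.g. `/* Host name libldap uses for the GSSAPI target; must not redirect the connection set up from 'uri' */`. If it does replace the host list, setting it next to an `ldapi://` uri would silently move the connection to TCP, so a note in README about that interaction is warranted either way. The `>` in `str_len(...) 0` seems lost in the mail rendering. The rest of `ldap_connect` lies outside the hunk.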
Re: [Freeipa-devel] [PATCH] 142 Improve default user/group object class validation
On Tue, 2011-10-11 at 12:01 +0300, Alexander Bokovoy wrote: On Tue, 11 Oct 2011, Martin Kosek wrote: @@ -212,6 +216,24 @@ class config_mod(LDAPUpdate): raise errors.ValidationError( name=k, error='attribute %s not allowed' % a ) Could you please also (in a separate patch) fix the above and others by adding translations? Other exception messages in plugins/config.py are designed to be used for user interactions but this one is not localized. Patch based on 142 for config plugin i18n fix attached. I created a ticket to fix all of these issues in 3.0 branch: https://fedorahosted.org/freeipa/ticket/1953 + +for (attr, obj) in (('ipauserobjectclasses', 'user'), +('ipagroupobjectclasses', 'group')): +if attr in entry_attrs: +objectclasses = entry_attrs[attr] + self.api.Object[obj].possible_objectclasses would it make sense to do sort(set(objectclasses)) to get unique list before using it further? Just a thought. get_allowed_attributes() will go to LDAP's schema to consult about the attributes and it seems to me we'd better not to do this multiple times for the same. I added a list(set()) to remove duplicates, I don't think it is necessary to sort it. +new_allowed_attrs = ldap.get_allowed_attributes(objectclasses, +raise_on_unknown=True) +checked_attrs = self.api.Object[obj].default_attributes +if self.api.Object[obj].uuid_attribute: + checked_attrs.append(self.api.Object[obj].uuid_attribute) +for obj_attr in self.api.Object[obj].default_attributes: Shouldn't this be checked_attrs? Correct. The previous version worked because .append modified the original list. Fixed. Martin From 0ea928694f708a09091641466793fcf0eb3e5e89 Mon Sep 17 00:00:00 2001 
From: Martin Kosek mko...@redhat.com Date: Tue, 11 Oct 2011 10:26:21 +0200 Subject: [PATCH] Improve default user/group object class validation When user/group default object class is being modified via ipa config-mod, no validation check is run. Check at least the following: - all object classes are known to LDAP - all default user/group attributes are allowed under the new set of default object classes https://fedorahosted.org/freeipa/ticket/1893 --- ipalib/plugins/config.py | 23 +++ ipaserver/plugins/ldap2.py |5 - 2 files changed, 27 insertions(+), 1 deletions(-) diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py index 7ef6265536672720bea05947f727767e5b5efa3d..6bd0d6ad8face71936a09fd80573fb1a8f70b265 100644 --- a/ipalib/plugins/config.py +++ b/ipalib/plugins/config.py @@ -24,6 +24,10 @@ from ipalib.plugins.baseldap import * from ipalib import _ from ipalib.errors import ValidationError +# 389-ds attributes that should be skipped in attribute checks +OPERATIONAL_ATTRIBUTES = ('nsaccountlock', 'member', 'memberof', +'memberindirect', 'memberofindirect',) + __doc__ = _( Manage the IPA configuration @@ -212,6 +216,25 @@ class config_mod(LDAPUpdate): raise errors.ValidationError( name=k, error='attribute %s not allowed' % a ) + +for (attr, obj) in (('ipauserobjectclasses', 'user'), +('ipagroupobjectclasses', 'group')): +if attr in entry_attrs: +objectclasses = list(set(entry_attrs[attr] \ + + self.api.Object[obj].possible_objectclasses)) +new_allowed_attrs = ldap.get_allowed_attributes(objectclasses, +raise_on_unknown=True) +checked_attrs = self.api.Object[obj].default_attributes +if self.api.Object[obj].uuid_attribute: +checked_attrs += [self.api.Object[obj].uuid_attribute] +for obj_attr in checked_attrs: +if obj_attr in OPERATIONAL_ATTRIBUTES: +continue +if obj_attr not in new_allowed_attrs: +raise errors.ValidationError(name=attr, +error=_('%s default attribute %s would not be allowed!') \ +% (obj, obj_attr)) + return dn api.register(config_mod) 
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py index fddfe0f5af8a56f0066aa95ef4e5647b27f00dc4..382cc5760be09ba1633e258342a73adb931f70d4 100644 --- a/ipaserver/plugins/ldap2.py +++ b/ipaserver/plugins/ldap2.py @@ -43,6 +43,7 @@ from ldap.controls import LDAPControl # for backward compatibility from ldap.functions import explode_dn from ipalib.dn import DN +from ipalib import _ import krbV @@ -268,7 +269,7 @@ class ldap2(CrudBackend, Encoder):
Re: [Freeipa-devel] [PATCH] 142 Improve default user/group object class validation
On Tue, 11 Oct 2011, Martin Kosek wrote: On Tue, 2011-10-11 at 12:01 +0300, Alexander Bokovoy wrote: On Tue, 11 Oct 2011, Martin Kosek wrote: 
@@ -212,6 +216,24 @@ class config_mod(LDAPUpdate): raise errors.ValidationError( name=k, error='attribute %s not allowed' % a ) Could you please also (in a separate patch) fix the above and others by adding translations? Other exception messages in plugins/config.py are designed to be used for user interactions but this one is not localized. Patch based on 142 for config plugin i18n fix attached. I created a ACK. ticket to fix all of these issues in 3.0 branch: https://fedorahosted.org/freeipa/ticket/1953 Thanks! + +for (attr, obj) in (('ipauserobjectclasses', 'user'), +('ipagroupobjectclasses', 'group')): +if attr in entry_attrs: +objectclasses = entry_attrs[attr] + self.api.Object[obj].possible_objectclasses would it make sense to do sort(set(objectclasses)) to get unique list before using it further? Just a thought. get_allowed_attributes() will go to LDAP's schema to consult about the attributes and it seems to me we'd better not to do this multiple times for the same. I added a list(set()) to remove duplicates, I don't think it is necessary to sort it. Yes, this is fine. +new_allowed_attrs = ldap.get_allowed_attributes(objectclasses, +raise_on_unknown=True) +checked_attrs = self.api.Object[obj].default_attributes +if self.api.Object[obj].uuid_attribute: + checked_attrs.append(self.api.Object[obj].uuid_attribute) +for obj_attr in self.api.Object[obj].default_attributes: Shouldn't this be checked_attrs? Correct. The previous version worked because .append modified the original list. Fixed. Hm.. +checked_attrs = self.api.Object[obj].default_attributes doesn't change anything -- you still get a reference to default_attributes and through checked_attrs += you'd modify the original one. Wouldn't the following be more correct: +checked_attrs = copy(self.api.Object[obj].default_attributes) ? -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 142 Improve default user/group object class validation
On Tue, 2011-10-11 at 13:16 +0300, Alexander Bokovoy wrote: On Tue, 11 Oct 2011, Martin Kosek wrote: On Tue, 2011-10-11 at 12:01 +0300, Alexander Bokovoy wrote: On Tue, 11 Oct 2011, Martin Kosek wrote: 
@@ -212,6 +216,24 @@ class config_mod(LDAPUpdate): raise errors.ValidationError( name=k, error='attribute %s not allowed' % a ) Could you please also (in a separate patch) fix the above and others by adding translations? Other exception messages in plugins/config.py are designed to be used for user interactions but this one is not localized. Patch based on 142 for config plugin i18n fix attached. I created a ACK. ticket to fix all of these issues in 3.0 branch: https://fedorahosted.org/freeipa/ticket/1953 Thanks! + +for (attr, obj) in (('ipauserobjectclasses', 'user'), +('ipagroupobjectclasses', 'group')): +if attr in entry_attrs: +objectclasses = entry_attrs[attr] + self.api.Object[obj].possible_objectclasses would it make sense to do sort(set(objectclasses)) to get unique list before using it further? Just a thought. get_allowed_attributes() will go to LDAP's schema to consult about the attributes and it seems to me we'd better not to do this multiple times for the same. I added a list(set()) to remove duplicates, I don't think it is necessary to sort it. Yes, this is fine. +new_allowed_attrs = ldap.get_allowed_attributes(objectclasses, +raise_on_unknown=True) +checked_attrs = self.api.Object[obj].default_attributes +if self.api.Object[obj].uuid_attribute: + checked_attrs.append(self.api.Object[obj].uuid_attribute) +for obj_attr in self.api.Object[obj].default_attributes: Shouldn't this be checked_attrs? Correct. The previous version worked because .append modified the original list. Fixed. Hm.. +checked_attrs = self.api.Object[obj].default_attributes doesn't change anything -- you still get a reference to default_attributes and through checked_attrs += you'd modify the original one. Wouldn't the following be more correct: +checked_attrs = copy(self.api.Object[obj].default_attributes) ? This was done on purpose. When you combine 2 lists in Python using + operator, a new list is created without modifying the old one. 
Check the following example: a = [1,2,3] b = [4] c = a+b print c [1, 2, 3, 4] print a [1, 2, 3] print b [4] c.append(5) print c [1, 2, 3, 4, 5] print a [1, 2, 3] print b [4] Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 142 Improve default user/group object class validation
On Tue, 11 Oct 2011, Martin Kosek wrote: This was done on purpose. When you combine 2 lists in Python using + operator, a new list is created without modifying the old one. Check the following example: a = [1,2,3] b = [4] c = a+b print c [1, 2, 3, 4] print a [1, 2, 3] print b [4] c.append(5) print c [1, 2, 3, 4, 5] print a [1, 2, 3] print b [4] Sorry, but this is not our case: a = [1,2,3] b = a b += [4] print a [1, 2, 3, 4] print b [1, 2, 3, 4] -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 142 Improve default user/group object class validation
On Tue, 2011-10-11 at 13:57 +0300, Alexander Bokovoy wrote: On Tue, 11 Oct 2011, Martin Kosek wrote: This was done on purpose. When you combine 2 lists in Python using + operator, a new list is created without modifying the old one. Check the following example: a = [1,2,3] b = [4] c = a+b print c [1, 2, 3, 4] print a [1, 2, 3] print b [4] c.append(5) print c [1, 2, 3, 4, 5] print a [1, 2, 3] print b [4] Sorry, but this is not our case: a = [1,2,3] b = a b += [4] print a [1, 2, 3, 4] print b [1, 2, 3, 4] You are right. This is an important Python lesson for me. c=c+a is NOT equal to c+=a as it is in C. Behold: a=[1,2,3] b=a b = b + [4] a [1, 2, 3] b [1, 2, 3, 4] a=[1,2,3] b=a b+= [4] a [1, 2, 3, 4] b [1, 2, 3, 4] Updated patch attached. Martin From 5d02e0ac2cbf1ea6fcb41195a3db90e211ed1912 Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Tue, 11 Oct 2011 10:26:21 +0200 Subject: [PATCH] Improve default user/group object class validation When user/group default object class is being modified via ipa config-mod, no validation check is run. Check at least the following: - all object classes are known to LDAP - all default user/group attributes are allowed under the new set of default object classes https://fedorahosted.org/freeipa/ticket/1893 --- ipalib/plugins/config.py | 23 +++ ipaserver/plugins/ldap2.py |5 - 2 files changed, 27 insertions(+), 1 deletions(-) diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py index 7ef6265536672720bea05947f727767e5b5efa3d..aa0c19d2d5512dfdf69b26017606764f98ee39a7 100644 --- a/ipalib/plugins/config.py +++ b/ipalib/plugins/config.py @@ -24,6 +24,10 @@ from ipalib.plugins.baseldap import * from ipalib import _ from ipalib.errors import ValidationError +# 389-ds attributes that should be skipped in attribute checks +OPERATIONAL_ATTRIBUTES = ('nsaccountlock', 'member', 'memberof', +'memberindirect', 'memberofindirect',) + __doc__ = _( Manage the IPA configuration 
@@ -212,6 +216,25 @@ class config_mod(LDAPUpdate): raise errors.ValidationError( name=k, error='attribute %s not allowed' % a )
+
+for (attr, obj) in (('ipauserobjectclasses', 'user'),
+('ipagroupobjectclasses', 'group')):
+if attr in entry_attrs:
+objectclasses = list(set(entry_attrs[attr] \
+ + self.api.Object[obj].possible_objectclasses))
+new_allowed_attrs = ldap.get_allowed_attributes(objectclasses,
+raise_on_unknown=True)
+checked_attrs = self.api.Object[obj].default_attributes
+if self.api.Object[obj].uuid_attribute:
+checked_attrs = checked_attrs + [self.api.Object[obj].uuid_attribute]
+for obj_attr in checked_attrs:
+if obj_attr in OPERATIONAL_ATTRIBUTES:
+continue
+if obj_attr not in new_allowed_attrs:
+raise errors.ValidationError(name=attr,
+error=_('%s default attribute %s would not be allowed!') \
+% (obj, obj_attr))
+
return dn api.register(config_mod)
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index fddfe0f5af8a56f0066aa95ef4e5647b27f00dc4..382cc5760be09ba1633e258342a73adb931f70d4 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -43,6 +43,7 @@ from ldap.controls import LDAPControl # for backward compatibility from ldap.functions import explode_dn from ipalib.dn import DN
+from ipalib import _
import krbV
@@ -268,7 +269,7 @@ class ldap2(CrudBackend, Encoder): else: return None
-def get_allowed_attributes(self, objectclasses):
+def get_allowed_attributes(self, objectclasses, raise_on_unknown=False):
if not self.schema: self.get_schema() allowed_attributes = []
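Review bot: Folding `possible_objectclasses` into the checked set in `objectclasses = list(set(entry_attrs[attr] + self.api.Object[obj].possible_objectclasses))` makes the check weaker than the commit message claims: an attribute from `default_attributes` that is permitted only by an optional class (one in `possible_objectclasses` but absent from the new default set) passes validation although an entry created with the defaults alone cannot hold it. If that is deliberate — those attributes appear only on entries that opted into the class — a comment on that line should say so, e.g. `# optional classes are included because default_attributes lists attributes only some entries carry`; otherwise validate `entry_attrs[attr]` on its own. The enclosing method, its header and the checks above it, lies outside the hunk.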
@@ -276,6 +277,8 @@ class ldap2(CrudBackend, Encoder): obj = self.schema.get_obj(_ldap.schema.ObjectClass, oc) if obj is not None: allowed_attributes += obj.must + obj.may +elif raise_on_unknown: +raise errors.NotFound(reason=_('objectclass %s not found') % oc) return [unicode(a).lower() for a in list(set(allowed_attributes))] def get_single_value(self, attr): -- 1.7.6.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
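Review bot: `allowed_attributes += obj.must + obj.may` collects only the attributes declared directly on each class; attributes inherited through a class's SUP chain are picked up only if every ancestor is itself in `objectclasses`, which the new `raise_on_unknown=True` caller cannot guarantee once an admin lists a class without its parent. If the python-ldap in use provides `self.schema.attribute_types(objectclasses)`, that call resolves superiors (and returns the MUST/MAY split) in one step; otherwise walk `obj.sup` here before appending. The new `raise errors.NotFound(...)` also relies on `errors` already being imported in ldap2.py, which this hunk does not show — confirm, since the hunk only adds `_`. `get_allowed_attributes` starts in the preceding hunk and its `return` is the last code line here.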
Re: [Freeipa-devel] [PATCH] 142 Improve default user/group object class validation
On Tue, 11 Oct 2011, Martin Kosek wrote: When user/group default object class is being modified via ipa config-mod, no validation check is run. Check at least the following: - all object classes are known to LDAP - all default user/group attributes are allowed under the new set of default object classes https://fedorahosted.org/freeipa/ticket/1893 ACK. -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 143 Fix dnszone-add name_from_ip server validation
On Tue, 2011-10-11 at 11:03 +0200, Martin Kosek wrote: Based mainly on Rob's fix proposed in Trac. --- Ticket 1627 contained a (temporary hack-ish) fix for dnszone-add name_from_ip validation which works fine for CLI. However, when the command is not proceeded via CLI and sent directly to the RPC server, the server throws Internal Server Error. Make sure that the server returns a reasonable error. https://fedorahosted.org/freeipa/ticket/1941 We miss a test for name_from_ip parameter. I added 2 unit cases that verify this option works + reports a ValidationError when the IP address is wrong. Martin From d37bfdcd88bafb27f619ca012d7111611f25f860 Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Tue, 11 Oct 2011 10:54:34 +0200 Subject: [PATCH] Fix dnszone-add name_from_ip server validation Ticket 1627 contained a (temporary hack-ish) fix for dnszone-add name_from_ip validation which works fine for CLI. However, when the command is not proceeded via CLI and sent directly to the RPC server, the server throws Internal Server Error. Make sure that the server returns a reasonable error. Also implement 2 unit cases testing this option https://fedorahosted.org/freeipa/ticket/1941 --- ipaserver/rpcserver.py |9 +- tests/test_xmlrpc/test_dns_plugin.py | 48 ++ 2 files changed, 56 insertions(+), 1 deletions(-) diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py index 39cdbcc7f353c1d0a01d10ff442a9bf0c66c3df9..35a10926292f01933825772edb852f34ef164619 100644 --- a/ipaserver/rpcserver.py +++ b/ipaserver/rpcserver.py 
@@ -231,7 +231,14 @@ class WSGIExecutioner(Executioner): finally: os.environ['LANG'] = lang if name: -params = self.Command[name].args_options_2_params(*args, **options) +try: +params = self.Command[name].args_options_2_params(*args, **options) +except Exception, e: +self.info( + 'exception %s caught when converting options: %s', e.__class__.__name__, str(e) +) +# get at least some context of what is going on +params = options if error: self.info('%s: %s(%s): %s', context.principal, name, ', '.join(self.Command[name]._repr_iter(**params)), e.__class__.__name__) else: diff --git a/tests/test_xmlrpc/test_dns_plugin.py b/tests/test_xmlrpc/test_dns_plugin.py index f9bce61d9193e72b1a0b6d9b092be6e50251e7fc..679f285d5f053d26c46a400498c51e7bf889eefe 100644 --- a/tests/test_xmlrpc/test_dns_plugin.py +++ b/tests/test_xmlrpc/test_dns_plugin.py @@ -29,6 +29,7 @@ from xmlrpc_test import Declarative, fuzzy_digits, fuzzy_uuid dnszone1 = u'dnszone.test' dnszone2 = u'dnszone2.test' revdnszone1 = u'15.142.80.in-addr.arpa.' +revdnszone1_ip = u'80.142.15.0/24' dnsres1 = u'testdnsres' class test_dns(Declarative): 
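Review bot: `except Exception, e:` rebinds `e`, and the very next statement under `if error:` logs `e.__class__.__name__` — in Python 2 the except target is an ordinary local, so when both the command and the option conversion fail, the log line reports the conversion exception's class instead of the original error's. Use a distinct name: `except Exception, conv_e:` and `'exception %s caught when converting options: %s', conv_e.__class__.__name__, str(conv_e)`. The fallback `params = options` then feeds the unconverted options to `self.Command[name]._repr_iter(**params)`, which may be exactly what just failed; `params = {}` plus the separate info line is the safer floor unless `_repr_iter` is known to tolerate raw values. Also confirm that `str(e)` for a conversion error never echoes the offending value, since that line bypasses whatever masking `_repr_iter` applies to password options. The enclosing method, where the original `e` is bound, starts before this hunk.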
@@ -551,6 +552,53 @@ class test_dns(Declarative): dict( +desc='Try to create a reverse zone from invalid IP', +command=( +'dnszone_add', [], { +'name_from_ip': u'foo', +'idnssoamname': u'ns1.%s' % dnszone1, +'idnssoarname': u'root.%s' % dnszone1, +'ip_address' : u'1.2.3.4', +} +), +expected=errors.ValidationError(name='name_from_ip', error='invalid format'), +), + + +dict( +desc='Create reverse from IP %s zone using name_from_ip option' % revdnszone1_ip, +command=( +'dnszone_add', [], { +'name_from_ip': revdnszone1_ip, +'idnssoamname': u'ns1.%s' % dnszone1, +'idnssoarname': u'root.%s' % dnszone1, +'ip_address' : u'1.2.3.4', +} +), +expected={ +'value': revdnszone1, +'summary': None, +'result': { +'dn': lambda x: DN(x) == \ +DN(('idnsname',revdnszone1),('cn','dns'),api.env.basedn), +'idnsname': [revdnszone1], +'idnszoneactive': [u'TRUE'], +'idnssoamname': [u'ns1.%s.' % dnszone1], +'nsrecord': [u'ns1.%s.' % dnszone1], +'idnssoarname': [u'root.%s.' % dnszone1], +'idnssoaserial': [fuzzy_digits], +'idnssoarefresh': [fuzzy_digits], +'idnssoaretry': [fuzzy_digits], +'idnssoaexpire': [fuzzy_digits], +'idnssoaminimum': [fuzzy_digits], +'idnsallowdynupdate': [u'FALSE'], +'objectclass': [u'top', u'idnsrecord', u'idnszone'], +}, +}, +), + + +dict( desc='Delete zone %r' % dnszone1,
Re: [Freeipa-devel] [PATCH] 142 Improve default user/group object class validation
On Tue, 2011-10-11 at 14:56 +0300, Alexander Bokovoy wrote: On Tue, 11 Oct 2011, Martin Kosek wrote: When user/group default object class is being modified via ipa config-mod, no validation check is run. Check at least the following: - all object classes are known to LDAP - all default user/group attributes are allowed under the new set of default object classes https://fedorahosted.org/freeipa/ticket/1893 ACK. Both patches (config plugin validation + config plugin i18n fix) pushed to master, ipa-2-1. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 143 Fix dnszone-add name_from_ip server validation
Martin Kosek wrote: On Tue, 2011-10-11 at 11:03 +0200, Martin Kosek wrote: Based mainly on Rob's fix proposed in Trac. --- Ticket 1627 contained a (temporary hack-ish) fix for dnszone-add name_from_ip validation which works fine for CLI. However, when the command is not proceeded via CLI and sent directly to the RPC server, the server throws Internal Server Error. Make sure that the server returns a reasonable error. https://fedorahosted.org/freeipa/ticket/1941 We miss a test for name_from_ip parameter. I added 2 unit cases that verify this option works + reports a ValidationError when the IP address is wrong. Martin ack ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 52 Disallow deletion of global password policy
Don't allow ipa pwpolicy-del global_policy. https://fedorahosted.org/freeipa/ticket/1936 Questions: Is it possible to disallow deletion of specific objects on LDAP level instead? The default HBAC rule, allow_all, can also be deleted - should it be disallowed too? Honza -- Jan Cholasta From c2fcc3b479a1cd52da3b8e518060ced69b9e2a46 Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Tue, 11 Oct 2011 14:28:17 +0200 Subject: [PATCH] Disallow deletion of global password policy. ticket 1936 --- ipalib/plugins/pwpolicy.py |8 1 files changed, 8 insertions(+), 0 deletions(-) diff --git a/ipalib/plugins/pwpolicy.py b/ipalib/plugins/pwpolicy.py index 79ea44d..f261de5 100644 --- a/ipalib/plugins/pwpolicy.py +++ b/ipalib/plugins/pwpolicy.py @@ -366,6 +366,14 @@ class pwpolicy_del(LDAPDelete): attribute=True, required=True, multivalue=True ) +def pre_callback(self, ldap, dn, *keys, **options): +if dn.lower() == global_policy_dn.lower(): +raise errors.ValidationError( +name='group', +error=_('cannot delete global password policy') +) +return dn + def post_callback(self, ldap, dn, *keys, **options): try: self.api.Command.cosentry_del(keys[-1]) -- 1.7.7 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
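Review bot: `dn.lower() == global_policy_dn.lower()` compares DNs as strings, so a DN that differs only in spacing or escaping (`cn=global_policy, cn=...`) would slip past the guard; this tree already has a DN type (`from ipalib.dn import DN` in ldap2.py, `DN(x) == DN(...)` in the tests), so `if DN(dn) == DN(global_policy_dn):` is the robust form, assuming `global_policy_dn` is the plain string it appears to be. Whether an unnormalised `dn` can actually reach `pre_callback` depends on how `LDAPDelete` derives it from the key, which is outside this hunk — the `DN` comparison costs nothing either way. `ValidationError(name='group', ...)` also reads as "bad input"; if this tree has `errors.ProtectedEntryError`, that is the class the CLI and UI expect for "exists but must not be deleted", and a unit test (as requested in the thread) should pin whichever is chosen.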
Re: [Freeipa-devel] [PATCH] 52 Disallow deletion of global password policy
Jan Cholasta wrote: Don't allow ipa pwpolicy-del global_policy. https://fedorahosted.org/freeipa/ticket/1936 Can you add a unit test case for this? Then ack. Questions: Is it possible to disallow deletion of specific objects on LDAP level instead? Well, that would be ideal in some cases. We'd need to write a plugin to intercept changes and have it compare it to a list of no deletes. You can file an RFE if you want, this might be handy to have. The default HBAC rule, allow_all, can also be deleted - should it be disallowed too? This is one we want to be removable. Before we had this the default HBAC stance was nobody can log in and it was jarring to most folks. It is possible to install without this rule using the option --no_hbac_allow rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0024 Force use of kerberos realm to be a string in config.py
Alexander Bokovoy wrote: Hi, there seems to be something new with python-2.7.2 on Fedora 16 and 'make lint' complains about dom_name = config.default_realm.lower() as config.default_realm is of type _Chainmap during static analysis. We get config.default_realm out of krbV.default_context().default_realm. The code change works fine with Fedora 15 as well (tested). ACK, pushed to master and ipa-2-1. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0023 Improve hbactest
Alexander Bokovoy wrote: Hi, two improvements for hbactest command: 1. Include indirect membership for users and hosts 2. Append FreeIPA default domain to hosts in hbactest request if they are not fully qualified ones. Fixes https://fedorahosted.org/freeipa/ticket/1862 https://fedorahosted.org/freeipa/ticket/1949 Two patches in the same commit because they affect the same code and otherwise would have created dependency between the patches anyway. ack, pushed to master and ipa-2-1 rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 888 always verify hostname
On Fri, 2011-10-07 at 09:18 -0400, Rob Crittenden wrote: Martin Kosek wrote: Yes but the entry is added to /etc/hosts at the very END of installation, apparently too late for some things. We can alternately add this prior to configuring anything else. But we add the entry to /etc/hosts right in the beginning. After the line marked with is printed. I double-checked it right now. Ok, this is totally freaky then. See ticket https://fedorahosted.org/freeipa/ticket/1931 I think it is worth mentioning there that the /etc/hosts entry is added in the beginning only if the hostname is not resolvable and the IP address is passed by the user, i.e. only when the following line is printed: # ipa-server-install --setup-dns (or --no-host-dns) ... Please provide the IP address to be used for this host name: 10.16.78.50 Adding [10.16.78.50 ipa.example.com] to your /etc/hosts file ... I saw that 1931 should be solved by a new custom hostname parameter passed to the bind-dyndb-ldap plugin. I did some additional testing of my proposed patch 140 and it behaved fine. It is able to catch a misconfigured /etc/hosts in both of the following ways: 1) an invalid hostname for the given IP address (1.2.3.4 foo), or 2) the short name listed first (1.2.3.4 foo foo.example.com). To sum this up - I think the patch is ready for review. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 024 Added missing fields to password policy page
On 10/11/2011 01:30 AM, Petr Vobornik wrote: https://fedorahosted.org/freeipa/ticket/1944 (2.1.3 Release) No editable fields exist for maxfail, failinterval lockouttime and priority in password policy page. Thanks! Yi ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel -- ~ | Yi Zhang | | QA @ Mountain View, Calinfornia | | Cell: 408-509-6375| ~ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 53 Don't leak passwords through kdb5_ldap_util command line arguments
https://fedorahosted.org/freeipa/ticket/1948 Honza -- Jan Cholasta From aa87082562cfa6482bfc30c2f937e3adf947855a Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Tue, 11 Oct 2011 18:44:33 +0200 Subject: [PATCH] Don't leak passwords through kdb5_ldap_util command line arguments. ticket 1948 --- ipaserver/install/krbinstance.py | 12 ++-- 1 files changed, 10 insertions(+), 2 deletions(-) diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py index 513dc55..40d2e83 100644 --- a/ipaserver/install/krbinstance.py +++ b/ipaserver/install/krbinstance.py @@ -336,9 +336,17 @@ class KrbInstance(service.Service): if not replica: #populate the directory with the realm structure -args = [kdb5_ldap_util, -D, uid=kdc,cn=sysaccounts,cn=etc,+self.suffix, -w, self.kdc_password, create, -s, -P, self.master_password, -r, self.realm, -subtrees, self.suffix, -sscope, sub] +args = [kdb5_ldap_util, -D, uid=kdc,cn=sysaccounts,cn=etc,+self.suffix, create, -s, -r, self.realm, -subtrees, self.suffix, -sscope, sub] +dialogue = ( +# Password for uid=kdc,cn=sysaccounts,cn=etc,...: +self.kdc_password + '\n', +# Enter KDC database master key: +self.master_password + '\n', +# Re-enter KDC database master key to verify: +self.master_password + '\n', +) try: -ipautil.run(args, nolog=(self.kdc_password, self.master_password)) +ipautil.run(args, nolog=(self.kdc_password, self.master_password), stdin=''.join(dialogue)) except ipautil.CalledProcessError, e: print Failed to populate the realm structure in kerberos, e -- 1.7.7 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
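Review bot: Taking the two secrets off the command line is the right fix (argv is world-readable via /proc/PID/cmdline for the lifetime of the process), but the scripted `dialogue` silently depends on `kdb5_ldap_util` prompting in exactly this order and reading from stdin rather than /dev/tty; if either changes, the bind password is fed as the master key or the process blocks. Add a comment above `dialogue` recording the kdb5_ldap_util version the prompt sequence was verified against, and have the `except ipautil.CalledProcessError` branch print `e.returncode` and stderr (with `nolog` still applied) so a prompt mismatch is diagnosable rather than a bare "Failed to populate the realm structure". Note also that neither password may contain a newline under this scheme, which is worth stating where the master password is chosen. The enclosing method starts before this hunk.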
[Freeipa-devel] [PATCH] 890 OTP client enrollment with anonymous disabled
Fix OTP client enrollment when anonymous searches are disabled in 389-ds. This is fixed mostly by passing in the basedn to ipa-join so we don't have to hunt for it. I did modify that routine so it will look through all naming contexts to find the IPA one but this will fail if anonymous searches are not allowed. I fixed a couple of minor memory leaks too (valgrind still reports several but they are out of our control). This should be tested both with a OTP host and using an authorized user. rob From a49df4b6e301591fe0bc2d35e331d969eb589c5a Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date: Tue, 11 Oct 2011 17:30:33 -0400 Subject: [PATCH] Make ipa-join work against an LDAP server that disallows anon binds We determine the realm in the client installer so we can deduce the base dn, pass that into ipa-join so we don't have to hunt for it. Re-order the bind so when doing an OTP enrollment so we can use the host entry to authenticate before we retrieve the subject base, then initiate the enrollment. If ipa-join is called without a basedn it will still attempt to determine it, but it will fail if anonymous binds are not allowed. https://fedorahosted.org/freeipa/ticket/1935 --- ipa-client/ipa-install/ipa-client-install |4 +- ipa-client/ipa-join.c | 194 + ipa-client/man/ipa-join.1 |5 +- 3 files changed, 94 insertions(+), 109 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index ee643de537d97180b7c04811fa800b71b36ca16f..c6220ad0a142a41d88dfa0b766beb222ea1847f4 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install 
@@ -31,7 +31,7 @@ try: from ipaclient import ipadiscovery import ipaclient.ipachangeconf import ipaclient.ntpconf -from ipapython.ipautil import run, user_input, CalledProcessError, file_exists +from ipapython.ipautil import run, user_input, CalledProcessError, file_exists, realm_to_suffix import ipapython.services as ipaservices from ipapython import ipautil from ipapython import dnsclient @@ -942,7 +942,7 @@ def install(options, env, fstore, statestore): print Test kerberos configuration failed return CLIENT_INSTALL_ERROR env['KRB5_CONFIG'] = krb_name -join_args = [/usr/sbin/ipa-join, -s, cli_server] +join_args = [/usr/sbin/ipa-join, -s, cli_server, -b, realm_to_suffix(cli_realm)] if options.debug: join_args.append(-d) if options.hostname: diff --git a/ipa-client/ipa-join.c b/ipa-client/ipa-join.c index aac80976d52540c115d00213878b2fe10155dad3..04f2312c2de64c705cbf2c44517417077de8398c 100644 --- a/ipa-client/ipa-join.c +++ b/ipa-client/ipa-join.c @@ -260,9 +260,11 @@ get_root_dn(const char *ipaserver, char **ldap_base) { LDAP *ld = NULL; char *root_attrs[] = {namingContexts, NULL}; +char *info_attrs[] = {info, NULL}; LDAPMessage *entry, *res = NULL; struct berval **ncvals; -int ret, rval = 0; +struct berval **infovals; +int i, ret, rval = 0; ld = connect_ldap(ipaserver, NULL, NULL); if (!ld) { @@ -281,7 +283,9 @@ get_root_dn(const char *ipaserver, char **ldap_base) goto done; } -/* for now just use the first result we get */ + *ldap_base = NULL; + +/* loop through to find the IPA context */ entry = ldap_first_entry(ld, res); ncvals = ldap_get_values_len(ld, entry, root_attrs[0]); if (!ncvals) { 
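Review bot: `-b realm_to_suffix(cli_realm)` in the `join_args` change hard-wires the assumption that the IPA suffix is derived from the realm name, which holds for a stock `ipa-server-install` but is not verified anywhere in this hunk; if a deployment ever used a different suffix, `ipa-join` would now search the wrong base rather than fall back to discovery. A one-line comment stating the assumption, `# IPA servers use realm_to_suffix(REALM) as the basedn; pass it so ipa-join need not query the root DSE anonymously`, makes that explicit, and `ipa-join` could fall back to its `get_root_dn()` path when the supplied base does not hold the IPA `info` entry. `install()` continues on both sides of this hunk.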
@@ -289,11 +293,38 @@ get_root_dn(const char *ipaserver, char **ldap_base) rval = 14; goto done; } +for (i = 0; !*ldap_base ncvals[i]; i++) { +ret = ldap_search_ext_s(ld, ncvals[i]-bv_val, +LDAP_SCOPE_BASE, (info=IPA*), info_attrs, +0, NULL, NULL, NULL, 0, res); -*ldap_base = strdup(ncvals[0]-bv_val); +if (ret != LDAP_SUCCESS) { +break; +} + +entry = ldap_first_entry(ld, res); +infovals = ldap_get_values_len(ld, entry, info_attrs[0]); +if (!strcmp(infovals[0]-bv_val, IPA V2.0)) +*ldap_base = strdup(ncvals[i]-bv_val); +ldap_msgfree(res); +res = NULL; +} ldap_value_free_len(ncvals); +if (ret != LDAP_SUCCESS) { +fprintf(stderr, _(Search for IPA namingContext failed with error %d\n), ret); +rval = 14; +goto done; +} + +if (!*ldap_base) { +fprintf(stderr, _(IPA namingContext not found\n)); +rval = 14; +goto done; +} + + done: if (res) ldap_msgfree(res); if (ld != NULL) { @@ -303,25 +334,31 @@ done: return rval; } +/* + * Get the certificate subject base from the IPA configuration. + * + * Not considered a show-stopper if this fails for some reason. + * + * The caller is
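Review bot: The new loop dereferences `infovals[0]->bv_val` without checking that `ldap_first_entry()` returned an entry or that `ldap_get_values_len()` returned a non-NULL, non-empty array; a naming context whose base entry has no `info` attribute (or one the server withholds from an anonymous bind) makes the `(info=IPA*)` search succeed with zero entries, and `ipa-join` crashes on the NULL `entry`. `infovals` is also never released with `ldap_value_free_len()`, and the root-DSE `res` is overwritten by the first `ldap_search_ext_s()` in the loop without being freed — `ncvals` holds copies, so freeing it before the loop is safe. The exact `"IPA V2.0"` compare against a `(info=IPA*)` filter deserves a comment on whether later server versions are meant to match. `get_root_dn` begins in the previous hunk and its `done:` cleanup follows below.
```c
    /* … unchanged: root DSE search, ncvals extraction and NULL check … */
    ldap_msgfree(res);          /* root DSE result no longer needed; ncvals are copies */
    res = NULL;
    for (i = 0; !*ldap_base && ncvals[i]; i++) {
        /* … unchanged: ldap_search_ext_s(..., "(info=IPA*)", ...) and LDAP_SUCCESS check … */
        entry = ldap_first_entry(ld, res);
        if (entry != NULL) {
            infovals = ldap_get_values_len(ld, entry, info_attrs[0]);
            if (infovals != NULL) {
                if (infovals[0] != NULL &&
                    !strcmp(infovals[0]->bv_val, "IPA V2.0"))
                    *ldap_base = strdup(ncvals[i]->bv_val);
                ldap_value_free_len(infovals);
            }
        }
        ldap_msgfree(res);
        res = NULL;
    }
    /* … unchanged: ldap_value_free_len(ncvals), error reporting, done: … */
```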
Re: [Freeipa-devel] [PATCH 50/50] Ticket 1718 - Fix Spanish po translation file
John Dennis wrote: There were quite a few errors in es.po; it was difficult or impossible to track down where they came from, as Transifex does not have good revision history. I fixed about 20% of the msgstr's in the file that had obvious problems which could be spotted by a non-Spanish speaking person. I think this should be left as it was: #: ipalib/plugins/config.py:76 msgid searchtimelimit must be -1 or 1. -msgstr searchtimelimit debe ser -1 ogt; 1. +msgstr There are some cases where leading white space is removed and a bunch where it is added. Are these ok? @@ -3184,7 +3117,7 @@ msgid msgstr \n -Búsqueda de cuentas de derechod. +Búsqueda de cuentas de derechod. Otherwise looks lots better rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel