Re: [Freeipa-devel] [PATCH] 274 Password change capability for form-based auth
On Thu, 2012-06-07 at 22:28 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > You can use the attached script (changepw.py) to test the PW change
> > interface from command line (on IPA server).
> >
> > ---
> >
> > IPA server web form-based authentication allows logins for users
> > which for some reason cannot use Kerberos authentication. However,
> > when a password for such users expires, they are unable change the
> > password via web interface.
> >
> > This patch adds a new WSGI script attached to URL
> > /ipa/session/change_password which can be accessed without
> > authentication and which provides password change capability
> > for web services.
> >
> > The actual password change in the script is processed with kpasswd
> > to be consistent with /ipa/session/login_password.
> >
> > Password result is passed both in the resulting HTML page, but
> > also in HTTP headers for easier parsing in web services:
> >X-IPA-Pwchange-Result: {ok, invalid-password, policy-error}
> >(optional) X-IPA-Pwchange-Policy-Error: $policy_error_text
> >
> > https://fedorahosted.org/freeipa/ticket/2276
>
> It is probably more efficient to change the password using ldap. Simo,
> do you know of an advantage of using one over the other? Better password
> policy reporting may be reason enough.
Yes you'll get better error reporting, plus forking out kpasswd is quite
ugly, the python ldap code should be able to use the ldap passwd extend
op quite easily.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 1024 add client session support
Rob Crittenden wrote:
Rob Crittenden wrote:
This adds client session support. The session key is stored in the
kernel key ring.
Your first request should go to /ipa/session/xml where it should be
rejected with a 401. The next will go to /ipa/xml which will be
accepted. This should all be invisible to the client.
Subsequent requests should go to /ipa/session/xml which should let you
in with the cookie.
You can add the -vv option after ipa to see fully what is going on, e.g.
ipa -vv user-show admin
To manage your keyring use the keyctl command like:
$ keyctl list @s
2 keys in keyring:
353548226: --alswrv 1000 -1 keyring: _uid.1000
941350591: --alswrv 1000 1000 user: ipa_session_cookie
To remove a key:
$ keyctl unlink 941350591 @s
rob
Hmm, this doesn't play too nice with the lite-server. Let me see if I
can track it down. The ccache is being removed, probably as part of the
session code. Sessions don't make sense with the lite server since it
uses the local ccache directly.
Updated patch. Don't clean up the ccache if in the lite-server.
rob
>From 3b0c83313725a4906e7078ef1791881a799c427e Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Wed, 6 Jun 2012 22:54:16 -0400
Subject: [PATCH] Store session cookie in ccache for cli users
Try to use the URI /ipa/session/xml if there is a key in the kernel
keyring. If there is no cookie or it turns out to be invalid (expired,
whatever) then use the standard URI /ipa/xml. This in turn will create
a session that the user can then use later.
https://fedorahosted.org/freeipa/ticket/2331
---
install/conf/ipa.conf| 10 +-
ipalib/rpc.py| 84 +++--
ipapython/kernel_keyring.py | 99 +++
ipaserver/plugins/xmlserver.py |3 +-
ipaserver/rpcserver.py | 229 --
tests/test_ipapython/test_keyring.py | 147 ++
6 files changed, 493 insertions(+), 79 deletions(-)
create mode 100644 ipapython/kernel_keyring.py
create mode 100644 tests/test_ipapython/test_keyring.py
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 89c9849ca6656ae3da585a72392d5d2463f4d892..948fee6fc10d35c3fefb82d0f3ed09cefb9b16e8 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -1,5 +1,7 @@
#
-# VERSION 4 - DO NOT REMOVE THIS LINE
+# VERSION 5 - DO NOT REMOVE THIS LINE
+#
+# This file may be overwritten on upgrades.
#
# LoadModule auth_kerb_module modules/mod_auth_kerb.so
@@ -66,6 +68,12 @@ KrbConstrainedDelegationLock ipa
Allow from all
+
+ Satisfy Any
+ Order Deny,Allow
+ Allow from all
+
+
Satisfy Any
Order Deny,Allow
diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index bd18b6bbf566362e9954bd25235512dda7baaffc..b8f5987377b6eea74268a2c3f07bf6f1ecefdd54 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -47,6 +47,7 @@ from ipalib.errors import public_errors, PublicError, UnknownError, NetworkError
from ipalib import errors
from ipalib.request import context, Connection
from ipapython import ipautil
+from ipapython import kernel_keyring
import httplib
import socket
@@ -257,6 +258,13 @@ class SSLTransport(LanguageAwareTransport):
conn.connect()
return conn
+def parse_response(self, response):
+session_cookie = response.getheader('Set-Cookie')
+if session_cookie:
+kernel_keyring.update_key('ipa_session_cookie', session_cookie)
+return LanguageAwareTransport.parse_response(self, response)
+
+
class KerbTransport(SSLTransport):
"""
Handles Kerberos Negotiation authentication to an XML-RPC server.
@@ -281,8 +289,20 @@ class KerbTransport(SSLTransport):
raise errors.KerberosError(major=major, minor=minor)
def get_host_info(self, host):
+"""
+Two things can happen here. If we have a session we will add
+a cookie for that. If not we will set an Authorization header.
+"""
(host, extra_headers, x509) = SSLTransport.get_host_info(self, host)
+if not isinstance(extra_headers, list):
+extra_headers = []
+
+session_data = getattr(context, 'session_data', None)
+if session_data:
+extra_headers.append(('Cookie', session_data))
+return (host, extra_headers, x509)
+
# Set the remote host principal
service = "HTTP@" + host.split(':')[0]
@@ -296,9 +316,6 @@ class KerbTransport(SSLTransport):
except kerberos.GSSError, e:
self._handle_exception(e, service=service)
-if not isinstance(extra_headers, list):
-extra_headers = []
-
for (h, v) in extra_headers:
if h == 'Authorization':
extra_headers.remove((h, v))
@@ -345,12 +362,12 @@ class xmlclient(Connectible):
server = '%s://%s%s' % (scheme, ipautil.format_netloc(self.conn._ServerProxy__host), self.conn._ServerProxy__handler)
return server
-def get_url
Re: [Freeipa-devel] [PATCH] 0059 Fix update plugin order
Petr Viktorin wrote: While messing with the ipa-ldap-updater, I found the order method was using an algorithm that could give incorrect results. I'm submitting a fix in an extra patch, as it's largely unrelated and shouldn't be so controversial. Can you open a ticket on this? We like to have a ticket for every commit (minus a random one-liner here and there). thanks rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 275 Do not crash in Decimal parameter conversion
Martin Kosek wrote: When invalid data is passed, an unhandled decimal exception could be raised in Decimal number conversion. Handle the exception more gracefully and report proper ipalib.errors.ConversionError. https://fedorahosted.org/freeipa/ticket/2705 I'm being pedantic but I think the Decimal special values need to be handled better. Using Infinity returns a rather odd message: $ ipa dnsrecord-add example.com Record name: foo Please choose a type of DNS resource record to be added The most common types for this type of zone are: A, DNS resource record type: LOC LOC Degrees Latitude: 90 [LOC Minutes Latitude]: 59 [LOC Seconds Latitude]: 9 >>> LOC Seconds Latitude: quantize result has too many digits for current context [LOC Seconds Latitude]: Infinity >>> LOC Seconds Latitude: quantize with one INF And using NaN raises an unhandled exception: [LOC Seconds Latitude]: NaN ipa: ERROR: InvalidOperation: comparison involving NaN Traceback (most recent call last): File "/home/rcrit/redhat/freeipa/ipalib/cli.py", line 1263, in run sys.exit(api.Backend.cli.run(argv)) File "/home/rcrit/redhat/freeipa/ipalib/cli.py", line 1049, in run kw = self.argv_to_keyword_arguments(cmd, argv[1:]) File "/home/rcrit/redhat/freeipa/ipalib/cli.py", line 1035, in argv_to_keyword_arguments self.prompt_interactively(cmd, kw) File "/home/rcrit/redhat/freeipa/ipalib/cli.py", line 1199, in prompt_interactively callback(kw) File "/home/rcrit/redhat/freeipa/ipalib/plugins/dns.py", line 2147, in interactive_prompt_callback user_options = param.prompt_parts(self.Backend) File "/home/rcrit/redhat/freeipa/ipalib/plugins/dns.py", line 768, in prompt_parts self.__get_part_param(backend, part, user_options, default) File "/home/rcrit/redhat/freeipa/ipalib/plugins/dns.py", line 747, in __get_part_param output_kw[name] = part(raw) File "/home/rcrit/redhat/freeipa/ipalib/parameters.py", line 556, in __call__ self.validate(value, supplied=self.name in kw) File "/home/rcrit/redhat/freeipa/ipalib/parameters.py", line 879, in validate self._validate_scalar(value) File "/home/rcrit/redhat/freeipa/ipalib/parameters.py", line 893, in _validate_scalar error = rule(ugettext, value) File "/home/rcrit/redhat/freeipa/ipalib/parameters.py", line 1244, in _rule_minvalue if value < self.minvalue: File "/usr/lib64/python2.7/decimal.py", line 884, in __lt__ ans = self._compare_check_nans(other, context) File "/usr/lib64/python2.7/decimal.py", line 786, in _compare_check_nans self) File "/usr/lib64/python2.7/decimal.py", line 3866, in _raise_error raise error(explanation) InvalidOperation: comparison involving NaN ipa: ERROR: an internal error has occurred Otherwise it does what it should. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 274 Password change capability for form-based auth
Martin Kosek wrote:
You can use the attached script (changepw.py) to test the PW change
interface from command line (on IPA server).
---
IPA server web form-based authentication allows logins for users
which for some reason cannot use Kerberos authentication. However,
when a password for such users expires, they are unable change the
password via web interface.
This patch adds a new WSGI script attached to URL
/ipa/session/change_password which can be accessed without
authentication and which provides password change capability
for web services.
The actual password change in the script is processed with kpasswd
to be consistent with /ipa/session/login_password.
Password result is passed both in the resulting HTML page, but
also in HTTP headers for easier parsing in web services:
X-IPA-Pwchange-Result: {ok, invalid-password, policy-error}
(optional) X-IPA-Pwchange-Policy-Error: $policy_error_text
https://fedorahosted.org/freeipa/ticket/2276
It is probably more efficient to change the password using ldap. Simo,
do you know of an advantage of using one over the other? Better password
policy reporting may be reason enough.
rob
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0057 Only allow root to run update plugins
Petr Viktorin wrote: On 06/05/2012 06:53 PM, Petr Viktorin wrote: On 06/05/2012 04:18 PM, Rob Crittenden wrote: Petr Viktorin wrote: On 06/05/2012 03:00 PM, Rob Crittenden wrote: Petr Viktorin wrote: On 06/05/2012 10:06 AM, Martin Kosek wrote: On Mon, 2012-06-04 at 11:51 -0400, Simo Sorce wrote: On Mon, 2012-06-04 at 17:22 +0200, Petr Viktorin wrote: An update plugin needed root privileges, and aborted the update if an ordinary user user ran it. With this patch the plugin is skipped with a warning in that case. https://fedorahosted.org/freeipa/ticket/2621 Hi Petr, I am not sure I like the proposed solution. If there is a legitimate reason to run this plugin as non-root (eg admin user) then you should change the connection part to try to use GSSAPI auth over ldap when non-root, not just throw a warning. If there is no reason for anyone but root to run this script then we should just abort if not root IMO. Simo. I would keep this script runable for root users only. Regularly, this should not be run manually but as a part of RPM update which is done by root. It is being run manually only when something is broken anyway and I am not convinced that non-root users should be involved in such recovery. Martin Thanks for the advice. The attached patch only allows root to run ipa-ldap-updater. NACK. It is very handy for developers to be able to run ipa-ldap-updater to test update files. rob Developers can run it as root, I don't see a problem here. I'd really rather not. This does nothing requiring root permissions, it's all done over LDAP. I'd rather trade not running some plugins than always requiring root. rob Thanks for info on how the tool is used. I looked into it deeper. The proper fix would be to use the ldap2 backend here, instead of the IPAdmin. That's ticket 2660, and it'll be quite a lot of work to get ReplicationManager and tools that depend on that ported. But, I think it makes sense to require root if (and only if) plugins are run. Justification below. Would that work for your use case? There are currently three modes ipa-ldap-updater can run in: 1) --upgrade (needs root, runs plugins) 2) no --upgrade, either no files specified or --plugins (doesn't need root, runs plugins) 3) no --upgrade, specific files specified without --plugins (doesn't need root, doesn't run plugins) I propose to make mode 2 require root. There are two major uses of the script: install/upgrade (first two modes), and a developer testing update files (third or possibly second mode). Install/upgrade is always run as root, and the developer usually doesn't need to run the plugins (if they do, they should run as root anyway, so that some (parts of) plugins aren't skipped). Some of the plugins ask to restart the DS. Without root privileges, the restart (but not the rest of the plugin) is skipped. I think this is just asking for trouble. Some plugins (or parts of plugins) don't need root, but I don't think singling these out and testing both cases is worth the effort. The attached patch that implements the above. I re-ordered the code a bit to put the checks before the DM password prompt, so you don't enter the password only to find out you had to use sudo or different options. I'll try to live with not being able to run plugins as non-root. If it turns out to be very painful to develop w/o it I'll open a new ticket. ACK, pushed to master. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] Allowing existing IPA hosts to be used for installing a replica
Dmitri Pal wrote: On 06/07/2012 09:20 AM, Simo Sorce wrote: On Thu, 2012-06-07 at 09:16 -0400, Rob Crittenden wrote: Simo Sorce wrote: On Wed, 2012-06-06 at 23:08 -0400, Rob Crittenden wrote: Scott Poore wrote: Running this by the mailing list to see if I should open an RFE. Should we have the ability to install replicas where the host entries already exist in IPA? So, we could in theory do a host-add before running ipa-replica-install on the soon to be replica. There may be some useful cases for supporting this. Could be useful in a location that starts growing for "promoting" a client to a Replica for use in that location. Maybe as an override flag to the ipa-replica-install command? Thoughts? I asked Scott to pose this to the list. I'm a little uneasy about it but perhaps I'm just paranoid. This isn't proposing that an enrolled client be able to become a replica, but right now if a host entry exists for a target replica server we require it be removed before proceeding. The reason being we don't know what else is associated with that host (well, we do, but it sure seems like a lot of work to fetch it all). The host could already have an HTTP server, for example. Or it could have other certs or services. So the question is, is it adequate to require the removal or should we go through the trouble to see if there are any conflicting services? We don't have a TGT when preparing a replica so this would mean a bit of manual LDAP work which could very well be a pain source in the future. Uhmm why should we care at replica preparation time ? All the kerberos keys are created at install time, is it for certs ? In that case I would suggest we defer creation of certs to install time so it becomes non-issue. At install time we detect if certs/keys are already available (and functional) and we just reuse them if so. What am I missing ? Simo. The problem isn't at prepare time, it is at install time. In order to generate the certs on the fly we would have to prompt for a user with permissions to issue certs along with the DM password when installing. You already got grumpy when we started asking for a user when doing the conn-check. I understand that, maybe we should just defer it, as I said earlier I would like us to go and use only the admin user at install time, and the admin user would have those privileges. Simo. IMO when you do replica prepare it should do an extra lookup to see if the host already exists and been enrolled, i.e. keys or cert have been provisioned. If it finds the host record it should bail out with a warning. An override option like --force can be introduced to clean the system. I assume that replica prepare would also create a host entry for the replica but not update it until replica is provisioned. Then when we install replica it should take over the system. It still leaves room for the user to shoot himself in the foot by creating a replica package but then installing a client. I do not know if we can prevent this join operation on the server or not. If the fact that replica package was created is recorded in LDAP then we probably can. It is just as easy to catch this at install time, which we do now, and provide the user with the info they need to proceed. Eventually we are going to do this entirely on-line so there will be no prepare step. It may be nice to take an enrolled client and promote it into being a replica too. I was just wondering if I was being overly paranoid in requiring that a host be removed from IPA (therefore removing any existing certs and services it may have) before allowing it to become a replica. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] Allowing existing IPA hosts to be used for installing a replica
On 06/07/2012 09:20 AM, Simo Sorce wrote: > On Thu, 2012-06-07 at 09:16 -0400, Rob Crittenden wrote: >> Simo Sorce wrote: >>> On Wed, 2012-06-06 at 23:08 -0400, Rob Crittenden wrote: Scott Poore wrote: > Running this by the mailing list to see if I should open an RFE. > > Should we have the ability to install replicas where the host entries > already exist in IPA? > > So, we could in theory do a host-add before running ipa-replica-install > on the soon to be replica. There may be some useful cases for supporting > this. Could be useful in a location that starts growing for "promoting" > a client to a Replica for use in that location. Maybe as an override > flag to the ipa-replica-install command? > > Thoughts? I asked Scott to pose this to the list. I'm a little uneasy about it but perhaps I'm just paranoid. This isn't proposing that an enrolled client be able to become a replica, but right now if a host entry exists for a target replica server we require it be removed before proceeding. The reason being we don't know what else is associated with that host (well, we do, but it sure seems like a lot of work to fetch it all). The host could already have an HTTP server, for example. Or it could have other certs or services. So the question is, is it adequate to require the removal or should we go through the trouble to see if there are any conflicting services? We don't have a TGT when preparing a replica so this would mean a bit of manual LDAP work which could very well be a pain source in the future. >>> Uhmm why should we care at replica preparation time ? >>> All the kerberos keys are created at install time, is it for certs ? >>> In that case I would suggest we defer creation of certs to install time >>> so it becomes non-issue. >>> At install time we detect if certs/keys are already available (and >>> functional) and we just reuse them if so. >>> >>> What am I missing ? >>> >>> Simo. >>> >> The problem isn't at prepare time, it is at install time. >> >> In order to generate the certs on the fly we would have to prompt for a >> user with permissions to issue certs along with the DM password when >> installing. You already got grumpy when we started asking for a user >> when doing the conn-check. > I understand that, maybe we should just defer it, as I said earlier I > would like us to go and use only the admin user at install time, and the > admin user would have those privileges. > > Simo. > IMO when you do replica prepare it should do an extra lookup to see if the host already exists and been enrolled, i.e. keys or cert have been provisioned. If it finds the host record it should bail out with a warning. An override option like --force can be introduced to clean the system. I assume that replica prepare would also create a host entry for the replica but not update it until replica is provisioned. Then when we install replica it should take over the system. It still leaves room for the user to shoot himself in the foot by creating a replica package but then installing a client. I do not know if we can prevent this join operation on the server or not. If the fact that replica package was created is recorded in LDAP then we probably can. -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 492 Add options to reduce writes from KDC
Petr Vobornik wrote: On 05/26/2012 12:36 AM, Simo Sorce wrote: The original ldap driver we used up to 2.2 had 2 options admins could set to limit the amount of writes to the database on certain auditing related operations. In particular disable_last_success is really important to reduce the load on database servers. I have implemented ticket #2734 with a little twist. Instead of adding local options in krb5.conf I create global options in the LDAP tree, so that all KDCs in the domain have the same configuration. The 2 new options can be set in ipaConfigString attribute of the cn=ipaConfig object under cn=etc,$SUFFIX These are: KDC:Disable Last Success KDC:Disable Lockout 8><-- Simo. Attaching patch which adds these two new configuration values to Web UI. ACK, pushed to master. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 492 Add options to reduce writes from KDC
Simo Sorce wrote: On Mon, 2012-06-04 at 22:59 -0400, Rob Crittenden wrote: Simo Sorce wrote: The original ldap driver we used up to 2.2 had 2 options admins could set to limit the amount of writes to the database on certain auditing related operations. In particular disable_last_success is really important to reduce the load on database servers. I have implemented ticket #2734 with a little twist. Instead of adding local options in krb5.conf I create global options in the LDAP tree, so that all KDCs in the domain have the same configuration. The 2 new options can be set in ipaConfigString attribute of the cn=ipaConfig object under cn=etc,$SUFFIX These are: KDC:Disable Last Success KDC:Disable Lockout The first string if set will disable updating the krbLastSuccessfulAuth field in the service/user entry. The second one will prevent changing any of the Lockout related fields and will effectively disable lockout policies. I think we may want to set the first one by default in future. The last successful auth field is not very interesting in general and is cause for a lot of writes that pressure a lot the LDAP server and get replicated everywhere with a storm multiplier effect we'd like to avoid. The lockout one instead happen only when there are failed authentication attempt, this means it never happens when keytabs are used for example. And even with users it should happen rarely enough that traking lockouts by default make leaving these writes on by default is a good tradeoff. Note that simply setting the lockout policy to never lockout is *not* equivalent to setting KDC:Disable Lockout, as it does not prevent writes to the database. I've tested setting KDC:Disable Last Success and it effectively prevent MOD operation from showing up in the server access log. Any change to these configuration options requires a reconnection from the KDC to the LDAP server, the simplest way to cause that is to restart the KDC service. Simo. In ipadb_get_global_configs() should there be a call to LOG_OOM()? Also, if ipadb_simple_search() or ipadb_get_global_configs() fails should we log the result code when non-zero? Well this code runs in the KDC, not in DIRSRV so LOG_OOM() wouldn't work. Perhaps we should add KDC_LOG() macros, but that would be a separate task imo. Simo. Ah, right, sorry about that. I opened a separate ticket to improve logging in the ipa-kdb module. ACK, pushed to master and ipa-2-2. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0058 Prevent deletion of the last admin
Petr Viktorin wrote: On 06/05/2012 11:43 PM, Rob Crittenden wrote: Petr Viktorin wrote: Raise an error when trying to delete the last user from the 'admins' group The 'admin' group name seems like something that shouldn't be hardcoded, but that's how it's done in the webui and some of our ACIs, and I don't see another solution short of adding a new attribute. https://fedorahosted.org/freeipa/ticket/2564 This looks ok, I think it should go further and prevent the last member to be removed from the admins group too. rob This updated patch prevents that, plus removing the admins group itself. ACK, pushed to master. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 1024 add client session support
Rob Crittenden wrote: This adds client session support. The session key is stored in the kernel key ring. Your first request should go to /ipa/session/xml where it should be rejected with a 401. The next will go to /ipa/xml which will be accepted. This should all be invisible to the client. Subsequent requests should go to /ipa/session/xml which should let you in with the cookie. You can add the -vv option after ipa to see fully what is going on, e.g. ipa -vv user-show admin To manage your keyring use the keyctl command like: $ keyctl list @s 2 keys in keyring: 353548226: --alswrv 1000 -1 keyring: _uid.1000 941350591: --alswrv 1000 1000 user: ipa_session_cookie To remove a key: $ keyctl unlink 941350591 @s rob Hmm, this doesn't play too nice with the lite-server. Let me see if I can track it down. The ccache is being removed, probably as part of the session code. Sessions don't make sense with the lite server since it uses the local ccache directly. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 1024 add client session support
This adds client session support. The session key is stored in the
kernel key ring.
Your first request should go to /ipa/session/xml where it should be
rejected with a 401. The next will go to /ipa/xml which will be
accepted. This should all be invisible to the client.
Subsequent requests should go to /ipa/session/xml which should let you
in with the cookie.
You can add the -vv option after ipa to see fully what is going on, e.g.
ipa -vv user-show admin
To manage your keyring use the keyctl command like:
$ keyctl list @s
2 keys in keyring:
353548226: --alswrv 1000-1 keyring: _uid.1000
941350591: --alswrv 1000 1000 user: ipa_session_cookie
To remove a key:
$ keyctl unlink 941350591 @s
rob
>From e4d66c491a1fb0c375b977742125494a76898aef Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Wed, 6 Jun 2012 22:54:16 -0400
Subject: [PATCH] Store session cookie in ccache for cli users
Try to use the URI /ipa/session/xml if there is a key in the kernel
keyring. If there is no cookie or it turns out to be invalid (expired,
whatever) then use the standard URI /ipa/xml. This in turn will create
a session that the user can then use later.
https://fedorahosted.org/freeipa/ticket/2331
---
install/conf/ipa.conf| 10 +-
ipalib/rpc.py| 84 +++--
ipapython/kernel_keyring.py | 99 +++
ipaserver/plugins/xmlserver.py |3 +-
ipaserver/rpcserver.py | 228 --
tests/test_ipapython/test_keyring.py | 147 ++
6 files changed, 492 insertions(+), 79 deletions(-)
create mode 100644 ipapython/kernel_keyring.py
create mode 100644 tests/test_ipapython/test_keyring.py
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 89c9849ca6656ae3da585a72392d5d2463f4d892..948fee6fc10d35c3fefb82d0f3ed09cefb9b16e8 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -1,5 +1,7 @@
#
-# VERSION 4 - DO NOT REMOVE THIS LINE
+# VERSION 5 - DO NOT REMOVE THIS LINE
+#
+# This file may be overwritten on upgrades.
#
# LoadModule auth_kerb_module modules/mod_auth_kerb.so
@@ -66,6 +68,12 @@ KrbConstrainedDelegationLock ipa
Allow from all
+
+ Satisfy Any
+ Order Deny,Allow
+ Allow from all
+
+
Satisfy Any
Order Deny,Allow
diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index bd18b6bbf566362e9954bd25235512dda7baaffc..b8f5987377b6eea74268a2c3f07bf6f1ecefdd54 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -47,6 +47,7 @@ from ipalib.errors import public_errors, PublicError, UnknownError, NetworkError
from ipalib import errors
from ipalib.request import context, Connection
from ipapython import ipautil
+from ipapython import kernel_keyring
import httplib
import socket
@@ -257,6 +258,13 @@ class SSLTransport(LanguageAwareTransport):
conn.connect()
return conn
+def parse_response(self, response):
+session_cookie = response.getheader('Set-Cookie')
+if session_cookie:
+kernel_keyring.update_key('ipa_session_cookie', session_cookie)
+return LanguageAwareTransport.parse_response(self, response)
+
+
class KerbTransport(SSLTransport):
"""
Handles Kerberos Negotiation authentication to an XML-RPC server.
@@ -281,8 +289,20 @@ class KerbTransport(SSLTransport):
raise errors.KerberosError(major=major, minor=minor)
def get_host_info(self, host):
+"""
+Two things can happen here. If we have a session we will add
+a cookie for that. If not we will set an Authorization header.
+"""
(host, extra_headers, x509) = SSLTransport.get_host_info(self, host)
+if not isinstance(extra_headers, list):
+extra_headers = []
+
+session_data = getattr(context, 'session_data', None)
+if session_data:
+extra_headers.append(('Cookie', session_data))
+return (host, extra_headers, x509)
+
# Set the remote host principal
service = "HTTP@" + host.split(':')[0]
@@ -296,9 +316,6 @@ class KerbTransport(SSLTransport):
except kerberos.GSSError, e:
self._handle_exception(e, service=service)
-if not isinstance(extra_headers, list):
-extra_headers = []
-
for (h, v) in extra_headers:
if h == 'Authorization':
extra_headers.remove((h, v))
@@ -345,12 +362,12 @@ class xmlclient(Connectible):
server = '%s://%s%s' % (scheme, ipautil.format_netloc(self.conn._ServerProxy__host), self.conn._ServerProxy__handler)
return server
-def get_url_list(self):
+def get_url_list(self, xmlrpc_uri):
"""
Create a list of urls consisting of the available IPA servers.
"""
# the configured URL defines what we use for the discovered servers
-(scheme, netloc, path, params, query, fragment) = urlparse.urlparse(self.env.xmlrpc_uri)
+(scheme, netloc
Re: [Freeipa-devel] [PATCH 0022] fix crash during zone unload when NS is not resolvable
On Thu, Jun 07, 2012 at 04:03:46PM +0200, Martin Kosek wrote: > On Thu, 2012-06-07 at 15:33 +0200, Petr Spacek wrote: > > Hello, > > > > this patch fixes https://fedorahosted.org/bind-dyndb-ldap/ticket/77: > > bind-dyndb-ldap crashes during zone unload when NS is not resolvable. > > > > During investigation I found other two suspicious places. This patch adds > > only > > comment near to them. Any changes (as necessary) will be in separate patch. > > > > Petr^2 Spacek > > Thanks Petr for investigation and quick fix! > > Adam, if this pass your review, I think it would be great to have an F17 > build at least in koji so that we can switch psearch on by default so > that other developers start testing it (with the new bind-dyndb-ldap > build so that their unit tests do not crash named). The patch was ok and update has been submitted to bodhi. It should be in updates-testing very soon. Regards, Adam -- Adam Tkac, Red Hat, Inc. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 1023 tool for configuring automount
Rob Crittenden wrote:
Here is a tool that can be used to configure automount in an IPA client.
It can use either SSSD or autofs for automount. It also configures NFSv4
on the client so secure maps will work.
rebased patch
>From b4bc62c59e073f72c8abb45550d092953820a954 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Tue, 29 May 2012 14:20:38 -0400
Subject: [PATCH] Configure automount using autofs or sssd.
This script edits nsswitch.conf to use either ldap (autofs) or
sss (sssd) to find automount maps.
NFSv4 services are started so Kerberos encryption and/or integrity can
be used on the maps.
https://fedorahosted.org/freeipa/ticket/1233
---
freeipa.spec.in| 10 +
ipa-client/ipa-install/Makefile.am |1 +
ipa-client/ipa-install/ipa-configure-automount | 437
ipa-client/man/Makefile.am |1 +
ipa-client/man/ipa-configure-automount.1 | 88 +
ipapython/platform/base.py |3 +-
ipapython/platform/fedora16.py |3 +
7 files changed, 542 insertions(+), 1 deletion(-)
create mode 100755 ipa-client/ipa-install/ipa-configure-automount
create mode 100644 ipa-client/man/ipa-configure-automount.1
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 987ba90..797e060 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -237,6 +237,10 @@ Requires: bind-utils
Requires: oddjob-mkhomedir
Requires: python-krbV
Requires: python-dns
+Requires: libsss_autofs
+Requires: autofs
+Requires: libnfsidmap
+Requires: nfs-utils
Obsoletes: ipa-client >= 1.0
@@ -656,6 +660,7 @@ fi
%defattr(-,root,root,-)
%doc COPYING README Contributors.txt
%{_sbindir}/ipa-client-install
+%{_sbindir}/ipa-configure-automount
%{_sbindir}/ipa-getkeytab
%{_sbindir}/ipa-rmkeytab
%{_sbindir}/ipa-join
@@ -670,6 +675,7 @@ fi
%{_mandir}/man1/ipa-getkeytab.1.gz
%{_mandir}/man1/ipa-rmkeytab.1.gz
%{_mandir}/man1/ipa-client-install.1.gz
+%{_mandir}/man1/ipa-configure-automount.1.gz
%{_mandir}/man1/ipa-join.1.gz
%{_mandir}/man5/default.conf.5.gz
@@ -701,6 +707,10 @@ fi
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
%changelog
+* Thu Jun 7 2012 Rob Crittenden - 2.99.0-32
+- Add client requires on libsss-autofs, autofs, libnfsidmap and nfs-utils
+ for configuring automount and NFS.
+
* Mon Jun 4 2012 Alexander Bokovoy - 2.99.0-31
- Add python-crypto to build dependencies for AD server-side code
diff --git a/ipa-client/ipa-install/Makefile.am b/ipa-client/ipa-install/Makefile.am
index ad0c4e0..0fa94c1 100644
--- a/ipa-client/ipa-install/Makefile.am
+++ b/ipa-client/ipa-install/Makefile.am
@@ -2,6 +2,7 @@ NULL =
sbin_SCRIPTS = \
ipa-client-install \
+ ipa-configure-automount \
$(NULL)
EXTRA_DIST = \
diff --git a/ipa-client/ipa-install/ipa-configure-automount b/ipa-client/ipa-install/ipa-configure-automount
new file mode 100755
index 000..57e4180
--- /dev/null
+++ b/ipa-client/ipa-install/ipa-configure-automount
@@ -0,0 +1,437 @@
+#!/usr/bin/env python
+#
+# Authors:
+# Rob Crittenden
+#
+# Copyright (C) 2012 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see
Re: [Freeipa-devel] [PATCH 0022] fix crash during zone unload when NS is not resolvable
On Thu, Jun 07, 2012 at 03:33:18PM +0200, Petr Spacek wrote:
> Hello,
>
> this patch fixes https://fedorahosted.org/bind-dyndb-ldap/ticket/77:
> bind-dyndb-ldap crashes during zone unload when NS is not
> resolvable.
>
> During investigation I found other two suspicious places. This patch
> adds only comment near to them. Any changes (as necessary) will be
> in separate patch.
Thanks, pushed to master.
> From 970984bc84556ac1355de9f67eb4de20c823f4ce Mon Sep 17 00:00:00 2001
> From: Petr Spacek
> Date: Thu, 7 Jun 2012 15:27:27 +0200
> Subject: [PATCH] Fix crash during zone unload when NS is not resolvable.
> https://fedorahosted.org/bind-dyndb-ldap/ticket/77
> Signed-off-by: Petr Spacek
>
> ---
> src/ldap_helper.c | 11 +--
> 1 files changed, 9 insertions(+), 2 deletions(-)
>
> diff --git a/src/ldap_helper.c b/src/ldap_helper.c
> index
> 5965d30e51fa50fcb4b38d35e023a529fd6a121f..a1ef9a27e5d1b031a53e779d58b7490bd3d41d05
> 100644
> --- a/src/ldap_helper.c
> +++ b/src/ldap_helper.c
> @@ -30,6 +30,7 @@
> #include
> #include
> #include
> +#include
> #include
> #include
> #include
> @@ -788,7 +789,12 @@ ldap_delete_zone2(ldap_instance_t *inst, dns_name_t
> *name, isc_boolean_t lock)
> freeze = ISC_TRUE;
> }
>
> - dns_zone_unload(zone);
> + /* Do not unload partially loaded zones, they have incomplete
> structures. */
> + dns_db_t *dbp = NULL;
> + if (dns_zone_getdb(zone,&dbp) != DNS_R_NOTLOADED) {
> + dns_db_detach(&dbp); /* dns_zone_getdb() attaches DB implicitly
> */
> + dns_zone_unload(zone);
> + }
> CHECK(dns_zt_unmount(inst->view->zonetable, zone));
> CHECK(zr_del_zone(inst->zone_register, name));
> dns_zonemgr_releasezone(inst->zmgr, zone);
> @@ -1013,7 +1019,7 @@ ldap_parse_zoneentry(ldap_entry_t *entry,
> ldap_instance_t *inst)
>
> /* Check if we are already serving given zone */
> result = zr_get_zone_ptr(inst->zone_register, &name, &zone);
> - if (result != ISC_R_SUCCESS) {
> + if (result != ISC_R_SUCCESS) { /* TODO: What about other errors? */
> CHECK(create_zone(inst, &name, &zone));
> CHECK(zr_add_zone(inst->zone_register, zone, dn));
> publish = ISC_TRUE;
> @@ -2760,6 +2766,7 @@ update_action(isc_task_t *task, isc_event_t *event)
> mctx = pevent->mctx;
>
> result = manager_get_ldap_instance(pevent->dbname, &inst);
> + /* TODO: Can it happen? */
> if (result != ISC_R_SUCCESS)
> goto cleanup;
>
> --
> 1.7.7.6
>
--
Adam Tkac, Red Hat, Inc.
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0021 Fix crash on reload with persistent search enabled
On Thu, Jun 07, 2012 at 02:46:56PM +0200, Petr Spacek wrote:
> Hello,
>
> this patch fixes https://fedorahosted.org/bind-dyndb-ldap/ticket/78:
> Crash on reload with persistent search enabled.
Thanks, pushed to master.
> From ea1119e533a5171586ef8a3bddf66138ccb88b7e Mon Sep 17 00:00:00 2001
> From: Petr Spacek
> Date: Thu, 7 Jun 2012 14:42:40 +0200
> Subject: [PATCH] Fix crash during BIND reload with persistent search enabled.
> https://fedorahosted.org/bind-dyndb-ldap/ticket/78
> Signed-off-by: Petr Spacek
>
> ---
> src/ldap_helper.c |2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/src/ldap_helper.c b/src/ldap_helper.c
> index
> 5965d30e51fa50fcb4b38d35e023a529fd6a121f..dc4fdf5e9f6c8661337fe0cffb1437bc16515075
> 100644
> --- a/src/ldap_helper.c
> +++ b/src/ldap_helper.c
> @@ -3078,7 +3078,7 @@ static isc_threadresult_t
> ldap_psearch_watcher(isc_threadarg_t arg)
> {
> ldap_instance_t *inst = (ldap_instance_t *)arg;
> - ldap_connection_t *conn;
> + ldap_connection_t *conn = NULL;
> struct timeval tv;
> int ret, cnt;
> isc_result_t result;
> --
> 1.7.7.6
>
--
Adam Tkac, Red Hat, Inc.
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0022] fix crash during zone unload when NS is not resolvable
On Thu, 2012-06-07 at 15:33 +0200, Petr Spacek wrote: > Hello, > > this patch fixes https://fedorahosted.org/bind-dyndb-ldap/ticket/77: > bind-dyndb-ldap crashes during zone unload when NS is not resolvable. > > During investigation I found other two suspicious places. This patch adds > only > comment near to them. Any changes (as necessary) will be in separate patch. > > Petr^2 Spacek Thanks Petr for investigation and quick fix! Adam, if this pass your review, I think it would be great to have an F17 build at least in koji so that we can switch psearch on by default so that other developers start testing it (with the new bind-dyndb-ldap build so that their unit tests do not crash named). Thanks, Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 262-265 Enable psearch by default
On 06/05/2012 09:32 AM, Martin Kosek wrote: Thanks for digging out the traceback, I already reported this error to bind-dyndb-ldap: https://bugzilla.redhat.com/show_bug.cgi?id=827401 Petr, what's the status of this bug? I guess we cannot push this set of patches to enable the psearch by default until this is fixed. Otherwise bind-dyndb-ldap would crash_every_ DNS unit test case. Updated set of patches attached. Martin Patch is on the list. I'm on PTO from tomorrow, please ask Adam to build new package for Fedora as necessary. Petr^2 Spacek ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH 0022] fix crash during zone unload when NS is not resolvable
Hello,
this patch fixes https://fedorahosted.org/bind-dyndb-ldap/ticket/77:
bind-dyndb-ldap crashes during zone unload when NS is not resolvable.
During investigation I found other two suspicious places. This patch adds only
comment near to them. Any changes (as necessary) will be in separate patch.
Petr^2 Spacek
From 970984bc84556ac1355de9f67eb4de20c823f4ce Mon Sep 17 00:00:00 2001
From: Petr Spacek
Date: Thu, 7 Jun 2012 15:27:27 +0200
Subject: [PATCH] Fix crash during zone unload when NS is not resolvable.
https://fedorahosted.org/bind-dyndb-ldap/ticket/77
Signed-off-by: Petr Spacek
---
src/ldap_helper.c | 11 +--
1 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/ldap_helper.c b/src/ldap_helper.c
index 5965d30e51fa50fcb4b38d35e023a529fd6a121f..a1ef9a27e5d1b031a53e779d58b7490bd3d41d05 100644
--- a/src/ldap_helper.c
+++ b/src/ldap_helper.c
@@ -30,6 +30,7 @@
#include
#include
#include
+#include
#include
#include
#include
@@ -788,7 +789,12 @@ ldap_delete_zone2(ldap_instance_t *inst, dns_name_t *name, isc_boolean_t lock)
freeze = ISC_TRUE;
}
- dns_zone_unload(zone);
+ /* Do not unload partially loaded zones, they have incomplete structures. */
+ dns_db_t *dbp = NULL;
+ if (dns_zone_getdb(zone,&dbp) != DNS_R_NOTLOADED) {
+ dns_db_detach(&dbp); /* dns_zone_getdb() attaches DB implicitly */
+ dns_zone_unload(zone);
+ }
CHECK(dns_zt_unmount(inst->view->zonetable, zone));
CHECK(zr_del_zone(inst->zone_register, name));
dns_zonemgr_releasezone(inst->zmgr, zone);
@@ -1013,7 +1019,7 @@ ldap_parse_zoneentry(ldap_entry_t *entry, ldap_instance_t *inst)
/* Check if we are already serving given zone */
result = zr_get_zone_ptr(inst->zone_register, &name, &zone);
- if (result != ISC_R_SUCCESS) {
+ if (result != ISC_R_SUCCESS) { /* TODO: What about other errors? */
CHECK(create_zone(inst, &name, &zone));
CHECK(zr_add_zone(inst->zone_register, zone, dn));
publish = ISC_TRUE;
@@ -2760,6 +2766,7 @@ update_action(isc_task_t *task, isc_event_t *event)
mctx = pevent->mctx;
result = manager_get_ldap_instance(pevent->dbname, &inst);
+ /* TODO: Can it happen? */
if (result != ISC_R_SUCCESS)
goto cleanup;
--
1.7.7.6
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] Allowing existing IPA hosts to be used for installing a replica
On Thu, 2012-06-07 at 09:16 -0400, Rob Crittenden wrote: > Simo Sorce wrote: > > On Wed, 2012-06-06 at 23:08 -0400, Rob Crittenden wrote: > >> Scott Poore wrote: > >>> Running this by the mailing list to see if I should open an RFE. > >>> > >>> Should we have the ability to install replicas where the host entries > >>> already exist in IPA? > >>> > >>> So, we could in theory do a host-add before running ipa-replica-install > >>> on the soon to be replica. There may be some useful cases for supporting > >>> this. Could be useful in a location that starts growing for "promoting" > >>> a client to a Replica for use in that location. Maybe as an override > >>> flag to the ipa-replica-install command? > >>> > >>> Thoughts? > >> > >> I asked Scott to pose this to the list. I'm a little uneasy about it but > >> perhaps I'm just paranoid. > >> > >> This isn't proposing that an enrolled client be able to become a > >> replica, but right now if a host entry exists for a target replica > >> server we require it be removed before proceeding. > >> > >> The reason being we don't know what else is associated with that host > >> (well, we do, but it sure seems like a lot of work to fetch it all). The > >> host could already have an HTTP server, for example. Or it could have > >> other certs or services. > >> > >> So the question is, is it adequate to require the removal or should we > >> go through the trouble to see if there are any conflicting services? We > >> don't have a TGT when preparing a replica so this would mean a bit of > >> manual LDAP work which could very well be a pain source in the future. > > > > Uhmm why should we care at replica preparation time ? > > All the kerberos keys are created at install time, is it for certs ? > > In that case I would suggest we defer creation of certs to install time > > so it becomes non-issue. > > At install time we detect if certs/keys are already available (and > > functional) and we just reuse them if so. > > > > What am I missing ? > > > > Simo. > > > > The problem isn't at prepare time, it is at install time. > > In order to generate the certs on the fly we would have to prompt for a > user with permissions to issue certs along with the DM password when > installing. You already got grumpy when we started asking for a user > when doing the conn-check. I understand that, maybe we should just defer it, as I said earlier I would like us to go and use only the admin user at install time, and the admin user would have those privileges. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] Allowing existing IPA hosts to be used for installing a replica
Simo Sorce wrote: On Wed, 2012-06-06 at 23:08 -0400, Rob Crittenden wrote: Scott Poore wrote: Running this by the mailing list to see if I should open an RFE. Should we have the ability to install replicas where the host entries already exist in IPA? So, we could in theory do a host-add before running ipa-replica-install on the soon to be replica. There may be some useful cases for supporting this. Could be useful in a location that starts growing for "promoting" a client to a Replica for use in that location. Maybe as an override flag to the ipa-replica-install command? Thoughts? I asked Scott to pose this to the list. I'm a little uneasy about it but perhaps I'm just paranoid. This isn't proposing that an enrolled client be able to become a replica, but right now if a host entry exists for a target replica server we require it be removed before proceeding. The reason being we don't know what else is associated with that host (well, we do, but it sure seems like a lot of work to fetch it all). The host could already have an HTTP server, for example. Or it could have other certs or services. So the question is, is it adequate to require the removal or should we go through the trouble to see if there are any conflicting services? We don't have a TGT when preparing a replica so this would mean a bit of manual LDAP work which could very well be a pain source in the future. Uhmm why should we care at replica preparation time ? All the kerberos keys are created at install time, is it for certs ? In that case I would suggest we defer creation of certs to install time so it becomes non-issue. At install time we detect if certs/keys are already available (and functional) and we just reuse them if so. What am I missing ? Simo. The problem isn't at prepare time, it is at install time. In order to generate the certs on the fly we would have to prompt for a user with permissions to issue certs along with the DM password when installing. You already got grumpy when we started asking for a user when doing the conn-check. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0042-0048 AD trusts support (master)
On Thu, 2012-06-07 at 10:56 +0300, Alexander Bokovoy wrote: > On Thu, 07 Jun 2012, Martin Kosek wrote: > >It may have been an issue on my side. I will open a ticket if I hit a > >unit test error again. > > > >I did a next round of review for your patches, I did not find any > >show-stopper why not to push your patches. Lets get them grilled also by > >other team members :-)I just logged one issue I found with > >ipa-adtrust-install: > >https://fedorahosted.org/freeipa/ticket/2815 > I think we should do check on whether we he valid ticket prior to do > configuration, similar to how we do check DM password availability. > Besides the keytab fetch we also need to create the service which > requires appropriate admin permissions. > > > >ACK. Pushed all 13 patches to master. > Great! Thanks for the thorough review. Excellent news! Thanks a lot to all involved for the great work done! Simo. > Sumit, please rebase and send your remaining patches for review. > -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] Allowing existing IPA hosts to be used for installing a replica
On Wed, 2012-06-06 at 23:08 -0400, Rob Crittenden wrote: > Scott Poore wrote: > > Running this by the mailing list to see if I should open an RFE. > > > > Should we have the ability to install replicas where the host entries > > already exist in IPA? > > > > So, we could in theory do a host-add before running ipa-replica-install on > > the soon to be replica. There may be some useful cases for supporting > > this. Could be useful in a location that starts growing for "promoting" a > > client to a Replica for use in that location. Maybe as an override flag to > > the ipa-replica-install command? > > > > Thoughts? > > I asked Scott to pose this to the list. I'm a little uneasy about it but > perhaps I'm just paranoid. > > This isn't proposing that an enrolled client be able to become a > replica, but right now if a host entry exists for a target replica > server we require it be removed before proceeding. > > The reason being we don't know what else is associated with that host > (well, we do, but it sure seems like a lot of work to fetch it all). The > host could already have an HTTP server, for example. Or it could have > other certs or services. > > So the question is, is it adequate to require the removal or should we > go through the trouble to see if there are any conflicting services? We > don't have a TGT when preparing a replica so this would mean a bit of > manual LDAP work which could very well be a pain source in the future. Uhmm why should we care at replica preparation time ? All the kerberos keys are created at install time, is it for certs ? In that case I would suggest we defer creation of certs to install time so it becomes non-issue. At install time we detect if certs/keys are already available (and functional) and we just reuse them if so. What am I missing ? Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 0021 Fix crash on reload with persistent search enabled
Hello,
this patch fixes https://fedorahosted.org/bind-dyndb-ldap/ticket/78: Crash on
reload with persistent search enabled.
Petr^2 Spacek
From ea1119e533a5171586ef8a3bddf66138ccb88b7e Mon Sep 17 00:00:00 2001
From: Petr Spacek
Date: Thu, 7 Jun 2012 14:42:40 +0200
Subject: [PATCH] Fix crash during BIND reload with persistent search enabled.
https://fedorahosted.org/bind-dyndb-ldap/ticket/78
Signed-off-by: Petr Spacek
---
src/ldap_helper.c |2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/src/ldap_helper.c b/src/ldap_helper.c
index 5965d30e51fa50fcb4b38d35e023a529fd6a121f..dc4fdf5e9f6c8661337fe0cffb1437bc16515075 100644
--- a/src/ldap_helper.c
+++ b/src/ldap_helper.c
@@ -3078,7 +3078,7 @@ static isc_threadresult_t
ldap_psearch_watcher(isc_threadarg_t arg)
{
ldap_instance_t *inst = (ldap_instance_t *)arg;
- ldap_connection_t *conn;
+ ldap_connection_t *conn = NULL;
struct timeval tv;
int ret, cnt;
isc_result_t result;
--
1.7.7.6
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 19-21 Use exop instead of kadmin.local
now with patches :-)
On Thu, Jun 07, 2012 at 12:07:13PM +0200, Sumit Bose wrote:
> Hi,
>
> this patch fixes https://fedorahosted.org/freeipa/ticket/2513 and as a
> consequence makes https://fedorahosted.org/freeipa/ticket/2516 obsolete.
>
> This first patch is just a minor cleanup which is not related to the
> ticket. The second make create_keys() a public function so the it can be
> called by the ipasam plugin as well. Finally the third patch removes the
> kadmin.local call and calls the KEYTAB_SET_OID extented operation
> instead.
>
> bye,
> Sumit
From adf2c4145587b5505a74beb9f3b0893781ae3119 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Tue, 20 Dec 2011 13:56:00 +0100
Subject: [PATCH] ipasam: remove unused struct elements
---
daemons/ipa-sam/ipa_sam.c | 11 ---
1 Datei geändert, 11 Zeilen entfernt(-)
diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index
3e88050670c5d2bc760d9de0806f9ea1a164c0d3..2627025a8f2f757ca62c58b541c002f46e7c3be1
100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -182,17 +182,6 @@ do { \
#define HAS_KRB_TICKET_POLICY_AUX (1<<9)
struct ipasam_privates {
- NTSTATUS (*ldapsam_add_sam_account)(struct pdb_methods *,
- struct samu *sampass);
- NTSTATUS (*ldapsam_update_sam_account)(struct pdb_methods *,
- struct samu *sampass);
- NTSTATUS (*ldapsam_create_user)(struct pdb_methods *my_methods,
- TALLOC_CTX *tmp_ctx, const char *name,
- uint32_t acb_info, uint32_t *rid);
- NTSTATUS (*ldapsam_create_dom_group)(struct pdb_methods *my_methods,
-TALLOC_CTX *tmp_ctx,
-const char *name,
-uint32_t *rid);
char *realm;
char *base_dn;
char *trust_dn;
--
1.7.10.2
From 2f2e777838c1258e45e6185f99ec9806163e5dc7 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Tue, 13 Mar 2012 10:29:00 +0100
Subject: [PATCH] Move some krb5 keys related functions from ipa-client to
util
---
ipa-client/ipa-getkeytab.c | 381 +---
util/ipa_krb5.c| 362 +
util/ipa_krb5.h| 36 +
3 Dateien geändert, 403 Zeilen hinzugefügt(+), 376 Zeilen entfernt(-)
diff --git a/ipa-client/ipa-getkeytab.c b/ipa-client/ipa-getkeytab.c
index
7d7b971769cccece5dfe36934f6c73e5986df877..ca6e63413d64060afb802b1e807920ffaac2bb31
100644
--- a/ipa-client/ipa-getkeytab.c
+++ b/ipa-client/ipa-getkeytab.c
@@ -41,30 +41,6 @@
#include "ipa_krb5.h"
#include "ipa-client-common.h"
-/* Salt types */
-#define NO_SALT-1
-#define KRB5_KDB_SALTTYPE_NORMAL0
-#define KRB5_KDB_SALTTYPE_V41
-#define KRB5_KDB_SALTTYPE_NOREALM 2
-#define KRB5_KDB_SALTTYPE_ONLYREALM 3
-#define KRB5_KDB_SALTTYPE_SPECIAL 4
-#define KRB5_KDB_SALTTYPE_AFS3 5
-
-#define KEYTAB_SET_OID "2.16.840.1.113730.3.8.10.1"
-#define KEYTAB_RET_OID "2.16.840.1.113730.3.8.10.2"
-
-struct krb_key_salt {
-krb5_enctype enctype;
-krb5_int32 salttype;
-krb5_keyblock key;
-krb5_data salt;
-};
-
-struct keys_container {
-krb5_int32 nkeys;
-struct krb_key_salt *ksdata;
-};
-
static int ldap_sasl_interact(LDAP *ld, unsigned flags, void *priv_data, void
*sit)
{
sasl_interact_t *in = NULL;
@@ -122,357 +98,6 @@ static int ldap_sasl_interact(LDAP *ld, unsigned flags,
void *priv_data, void *s
return ret;
}
-static void free_keys_contents(krb5_context krbctx, struct keys_container
*keys)
-{
-struct krb_key_salt *ksdata;
-int i;
-
-ksdata = keys->ksdata;
-for (i = 0; i < keys->nkeys; i++) {
-krb5_free_keyblock_contents(krbctx, &ksdata[i].key);
-krb5_free_data_contents(krbctx, &ksdata[i].salt);
-}
-free(ksdata);
-
-keys->ksdata = NULL;
-keys->nkeys = 0;
-}
-
-/* Determines Encryption and Salt types,
- * allocates key_salt data storage,
- * filters out equivalent encodings,
- * returns 0 if no enctypes available, >0 if enctypes are available */
-static int prep_ksdata(krb5_context krbctx, const char *str,
- struct keys_container *keys)
-{
-struct krb_key_salt *ksdata;
-krb5_error_code krberr;
-int n, i, j, nkeys;
-
-if (str == NULL) {
-krb5_enctype *ktypes;
-
-krberr = krb5_get_permitted_enctypes(krbctx, &ktypes);
-if (krberr) {
-fprintf(stderr, _("No system preferred enctypes ?!\n"));
-return 0;
-}
-
-for (n = 0; ktypes[n]; n++) /* count */ ;
-
-ksdata = calloc(n + 1, sizeof(struct krb_key_salt));
-if (NULL == ksdata) {
-fprintf(stderr, _("Out of memory!?\n"));
-return 0;
-}
-
-for (i
[Freeipa-devel] [PATCH] 19-21 Use exop instead of kadmin.local
Hi, this patch fixes https://fedorahosted.org/freeipa/ticket/2513 and as a consequence makes https://fedorahosted.org/freeipa/ticket/2516 obsolete. This first patch is just a minor cleanup which is not related to the ticket. The second make create_keys() a public function so the it can be called by the ipasam plugin as well. Finally the third patch removes the kadmin.local call and calls the KEYTAB_SET_OID extented operation instead. bye, Sumit ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 275 Do not crash in Decimal parameter conversion
When invalid data is passed, an unhandled decimal exception could
be raised in Decimal number conversion. Handle the exception
more gracefully and report proper ipalib.errors.ConversionError.
https://fedorahosted.org/freeipa/ticket/2705
>From 6f2204609c25df15c1debcfffbee29846aa380b9 Mon Sep 17 00:00:00 2001
From: Martin Kosek
Date: Thu, 7 Jun 2012 09:25:19 +0200
Subject: [PATCH] Do not crash in Decimal parameter conversion
When invalid data is passed, an unhandled decimal exception could
be raised in Decimal number conversion. Handle the exception
more gracefully and report proper ipalib.errors.ConversionError.
https://fedorahosted.org/freeipa/ticket/2705
---
ipalib/parameters.py |9 ++---
tests/test_ipalib/test_parameters.py | 14 +-
2 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/ipalib/parameters.py b/ipalib/parameters.py
index 529f15b3719ecb190dd7655abfaec9fb7c20b56c..8f61eb5cdc04eceff56b1f63e46e472b5db494ca 100644
--- a/ipalib/parameters.py
+++ b/ipalib/parameters.py
@@ -1247,15 +1247,18 @@ class Decimal(Number):
assert type(value) is decimal.Decimal
if self.precision is not None:
quantize_exp = decimal.Decimal(10) ** -self.precision
-return value.quantize(quantize_exp)
-
+try:
+value.quantize(quantize_exp)
+except decimal.DecimalException, e:
+raise ConversionError(name=self.get_param_name(),
+ error=unicode(e))
return value
def _convert_scalar(self, value, index=None):
if isinstance(value, (basestring, float)):
try:
value = decimal.Decimal(value)
-except Exception, e:
+except decimal.DecimalException, e:
raise ConversionError(name=self.get_param_name(), index=index,
error=unicode(e))
diff --git a/tests/test_ipalib/test_parameters.py b/tests/test_ipalib/test_parameters.py
index fc9569e736fd6e3b862b9add5c5dd3c95f5ed45d..dbebdb2cf13c1364a2df7971ab5a1d34e60f45b7 100644
--- a/tests/test_ipalib/test_parameters.py
+++ b/tests/test_ipalib/test_parameters.py
@@ -32,7 +32,7 @@ from tests.util import dummy_ugettext, assert_equal
from tests.data import binary_bytes, utf8_bytes, unicode_str
from ipalib import parameters, text, errors, config
from ipalib.constants import TYPE_ERROR, CALLABLE_ERROR, NULLS
-from ipalib.errors import ValidationError
+from ipalib.errors import ValidationError, ConversionError
from ipalib import _
from xmlrpclib import MAXINT, MININT
@@ -1358,6 +1358,18 @@ class test_Decimal(ClassChecker):
assert dummy.called() is True
dummy.reset()
+def test_invalid_operation(self):
+"""
+Test `decimal.InvalidOperation` exception in Decimal conversion
+"""
+o = self.cls('my_number', precision=2)
+assert o.precision == 2
+e = raises(ConversionError, o, '123456789012345678901234567890')
+
+assert str(e) == \
+"invalid 'my_number': quantize result has too many digits for current context"
+
+
class test_AccessTime(ClassChecker):
"""
Test the `ipalib.parameters.AccessTime` class.
--
1.7.7.6
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0042-0048 AD trusts support (master)
On Thu, 2012-06-07 at 11:31 +0200, Petr Viktorin wrote:
> On 06/07/2012 09:48 AM, Martin Kosek wrote:
> > On Wed, 2012-06-06 at 12:50 +0300, Alexander Bokovoy wrote:
> >> On Mon, 04 Jun 2012, Martin Kosek wrote:
> >>> 2) Unit tests need to be updated, currently there is about a dozen test
> >>> case errors, e.g. extra ipakrbprincipalalias attribute in services or
> >>> new ipakrbprincipal objectclass for hosts
> >> I did run unit tests. All passed except two which are not related to
> >> trusts code and were failing before as well. All other issues found
> >> during previous rounds of the review are fixed and squashed in patches
> >> in my fedorapeople's tree.
> >>
> >> ==
> >> FAIL: test_automember[39]: host_add: Create u'web5.ipa.local'
> >> --
> >> Traceback (most recent call last):
> >> File "/usr/lib/python2.7/site-packages/nose/case.py", line 197, in
> >> runTest
> >> self.test(*self.arg)
> >> File
> >> "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/test_xmlrpc/xmlrpc_test.py",
> >> line 249, in
> >> func = lambda: self.check(nice, **test)
> >> File
> >> "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/test_xmlrpc/xmlrpc_test.py",
> >> line 264, in check
> >> self.check_output(nice, cmd, args, options, expected, extra_check)
> >> File
> >> "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/test_xmlrpc/xmlrpc_test.py",
> >> line 290, in check_output
> >> assert_deepequal(expected, got, nice)
> >> File "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/util.py",
> >> line 331, in assert_deepequal
> >> assert_deepequal(e_sub, g_sub, doc, stack + (key,))
> >> File "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/util.py",
> >> line 325, in assert_deepequal
> >> doc, sorted(missing), sorted(extra), expected, got, stack
> >> AssertionError: assert_deepequal: dict keys mismatch.
> >> test_automember[39]: host_add: Create u'web5.ipa.local'
> >> missing keys = []
> >> extra keys = ['memberof_hostgroup', 'memberofindirect_netgroup']
> >> expected = {'dn':
> >> u'fqdn=web5.ipa.local,cn=computers,cn=accounts,dc=ipa,dc=local',
> >> 'has_keytab': False, 'description': [u'Test host 3'], 'objectclass':
> >> [u'ipasshhost', u'ipaSshGroupOfPubKeys', u'ieee802device', u'ipaobject',
> >> u'nshost', u'ipahost', u'pkiuser', u'ipaservice', u'krbprincipalaux',
> >> u'krbprincipal', u'top'], 'l': [u'Undisclosed location 1'], 'fqdn':
> >> [u'web5.ipa.local'], 'has_password': False, 'ipauniqueid':
> >> [Fuzzy('^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$',
> >> , None)], 'krbprincipalname':
> >> [u'host/web5.ipa.local@IPA.LOCAL'], 'managedby_host':
> >> [u'web5.ipa.local']}
> >> got = {'dn':
> >> u'fqdn=web5.ipa.local,cn=computers,cn=accounts,dc=ipa,dc=local',
> >> 'has_keytab': False, 'description': (u'Test host 3',), 'objectclass':
> >> (u'ipaobject', u'nshost', u'ipahost', u'pkiuser', u'ipaservice',
> >> u'krbprincipalaux', u'krbprincipal', u'ieee802device', u'ipasshhost',
> >> u'top', u'ipaSshGroupOfPubKeys'), 'l': (u'Undisclosed location 1',),
> >> 'fqdn': (u'web5.ipa.local',), 'memberof_hostgroup': (u'hostgroup2',),
> >> 'has_password': False, 'ipauniqueid':
> >> (u'd08fbcb4-afb9-11e1-b06b-5254007ad848',), 'krbprincipalname':
> >> (u'host/web5.ipa.local@IPA.LOCAL',), 'managedby_host':
> >> (u'web5.ipa.local',), 'memberofindirect_netgroup': (u'hostgroup2',)}
> >> path = ('result',)
> >>
> >> ==
> >> FAIL: test_group[21]: group_find: Search for all groups
> >> --
> >> Traceback (most recent call last):
> >> File "/usr/lib/python2.7/site-packages/nose/case.py", line 197, in
> >> runTest
> >> self.test(*self.arg)
> >> File
> >> "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/test_xmlrpc/xmlrpc_test.py",
> >> line 249, in
> >> func = lambda: self.check(nice, **test)
> >> File
> >> "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/test_xmlrpc/xmlrpc_test.py",
> >> line 264, in check
> >> self.check_output(nice, cmd, args, options, expected, extra_check)
> >> File
> >> "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/test_xmlrpc/xmlrpc_test.py",
> >> line 290, in check_output
> >> assert_deepequal(expected, got, nice)
> >> File "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/util.py",
> >> line 331, in assert_deepequal
> >> assert_deepequal(e_sub, g_sub, doc, stack + (key,))
> >> File "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/util.py",
> >> line 339, in assert_deepequal
> >> VALUE % (doc, expected, got, stack)
> >> AssertionError: assert_deepequal: expected != got.
> >> test_group[21]: group_find: Search for all groups
> >> expec
Re: [Freeipa-devel] [PATCH] 0050 Fail on unknown Command options
On 05/28/2012 04:16 PM, Martin Kosek wrote: On Mon, 2012-05-28 at 15:46 +0200, Petr Vobornik wrote: On 05/25/2012 09:20 AM, Petr Vobornik wrote: On 05/16/2012 02:11 PM, Martin Kosek wrote: On Wed, 2012-05-16 at 10:37 +0200, Petr Viktorin wrote: On 05/16/2012 09:58 AM, Martin Kosek wrote: On Tue, 2012-05-15 at 13:35 +0200, Petr Viktorin wrote: On 05/15/2012 09:55 AM, Martin Kosek wrote: On Mon, 2012-05-14 at 14:47 +0200, Petr Viktorin wrote: The final part of rejecting unknown Command arguments: enable the validation, add tests. Also fix up things that were changed since the previous patches. https://fedorahosted.org/freeipa/ticket/2509 8><-- Attaching a rebased patch. Yup, this one is fine. Now, I did not find issues in the patch itself, tests are clean. However, thanks to this new check I found issues in Web UI (automember, selfservice, delegation screen) which use illegal options and which should be fixed before we push your patch: https://fedorahosted.org/freeipa/ticket/2760 Martin I found an issue in automountmap_add_indirect. It complains that 'key' is unknown option. I found another options which were functional and now it complains: * hbacsvcgroup_find: no_hbacsvc * hbacsvc_find: not_in_hbacsvcgroup * same issue in sudo commands and sudo command groups. I didn't check all relationships, so it may be broken elsewhere as well. I don't think this is an error on server side - it never had filter options like these in the modules you referenced (though we may add them as an RFE when needed). When you pass these options in the UI to the server side, its just NOOP - or an error when Petr's patch is applied. Martin All issues found in Web UI are fixed. -- Petr Vobornik ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0042-0048 AD trusts support (master)
On 06/07/2012 09:48 AM, Martin Kosek wrote:
On Wed, 2012-06-06 at 12:50 +0300, Alexander Bokovoy wrote:
On Mon, 04 Jun 2012, Martin Kosek wrote:
2) Unit tests need to be updated, currently there is about a dozen test
case errors, e.g. extra ipakrbprincipalalias attribute in services or
new ipakrbprincipal objectclass for hosts
I did run unit tests. All passed except two which are not related to
trusts code and were failing before as well. All other issues found
during previous rounds of the review are fixed and squashed in patches
in my fedorapeople's tree.
==
FAIL: test_automember[39]: host_add: Create u'web5.ipa.local'
--
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/nose/case.py", line 197, in runTest
self.test(*self.arg)
File
"/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/test_xmlrpc/xmlrpc_test.py",
line 249, in
func = lambda: self.check(nice, **test)
File
"/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/test_xmlrpc/xmlrpc_test.py",
line 264, in check
self.check_output(nice, cmd, args, options, expected, extra_check)
File
"/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/test_xmlrpc/xmlrpc_test.py",
line 290, in check_output
assert_deepequal(expected, got, nice)
File "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/util.py", line
331, in assert_deepequal
assert_deepequal(e_sub, g_sub, doc, stack + (key,))
File "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/util.py", line
325, in assert_deepequal
doc, sorted(missing), sorted(extra), expected, got, stack
AssertionError: assert_deepequal: dict keys mismatch.
test_automember[39]: host_add: Create u'web5.ipa.local'
missing keys = []
extra keys = ['memberof_hostgroup', 'memberofindirect_netgroup']
expected = {'dn':
u'fqdn=web5.ipa.local,cn=computers,cn=accounts,dc=ipa,dc=local',
'has_keytab': False, 'description': [u'Test host 3'], 'objectclass':
[u'ipasshhost', u'ipaSshGroupOfPubKeys', u'ieee802device', u'ipaobject',
u'nshost', u'ipahost', u'pkiuser', u'ipaservice', u'krbprincipalaux',
u'krbprincipal', u'top'], 'l': [u'Undisclosed location 1'], 'fqdn':
[u'web5.ipa.local'], 'has_password': False, 'ipauniqueid':
[Fuzzy('^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$',
, None)], 'krbprincipalname':
[u'host/web5.ipa.local@IPA.LOCAL'], 'managedby_host':
[u'web5.ipa.local']}
got = {'dn':
u'fqdn=web5.ipa.local,cn=computers,cn=accounts,dc=ipa,dc=local',
'has_keytab': False, 'description': (u'Test host 3',), 'objectclass':
(u'ipaobject', u'nshost', u'ipahost', u'pkiuser', u'ipaservice',
u'krbprincipalaux', u'krbprincipal', u'ieee802device', u'ipasshhost',
u'top', u'ipaSshGroupOfPubKeys'), 'l': (u'Undisclosed location 1',),
'fqdn': (u'web5.ipa.local',), 'memberof_hostgroup': (u'hostgroup2',),
'has_password': False, 'ipauniqueid':
(u'd08fbcb4-afb9-11e1-b06b-5254007ad848',), 'krbprincipalname':
(u'host/web5.ipa.local@IPA.LOCAL',), 'managedby_host':
(u'web5.ipa.local',), 'memberofindirect_netgroup': (u'hostgroup2',)}
path = ('result',)
==
FAIL: test_group[21]: group_find: Search for all groups
--
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/nose/case.py", line 197, in runTest
self.test(*self.arg)
File
"/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/test_xmlrpc/xmlrpc_test.py",
line 249, in
func = lambda: self.check(nice, **test)
File
"/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/test_xmlrpc/xmlrpc_test.py",
line 264, in check
self.check_output(nice, cmd, args, options, expected, extra_check)
File
"/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/test_xmlrpc/xmlrpc_test.py",
line 290, in check_output
assert_deepequal(expected, got, nice)
File "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/util.py", line
331, in assert_deepequal
assert_deepequal(e_sub, g_sub, doc, stack + (key,))
File "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/util.py", line
339, in assert_deepequal
VALUE % (doc, expected, got, stack)
AssertionError: assert_deepequal: expected != got.
test_group[21]: group_find: Search for all groups
expected = 5
got = 6
path = ('count',)
--
Ran 1407 tests in 358.194s
FAILED (errors=2, failures=2)
==
FAILED under '/usr/bin/python2.7'
** FAIL **
It may have been an issue on my side. I will open a ticket if I hit a
unit test error again.
I did a next round of review for your patches, I did not find any
show-stopper why not to push your patches. Lets get them g
[Freeipa-devel] [PATCH] 156 Action panel for service provisioning
Service provisioning status widget was modified only to display the
has_keytab status. Button for 'delete key,unprovision' was moved as
action to newly created action panel in the same section. This required
to moved the creation of the unprovisioning dialog from that widget to
new separate dialog.
Action for action panel and all required status evaluators for
enabling/disabling of that action were also created.
https://fedorahosted.org/freeipa/ticket/2252
--
Petr Vobornik
From a760fda79133edc5b71b12b8b26a06d29e462abc Mon Sep 17 00:00:00 2001
From: Petr Vobornik
Date: Thu, 7 Jun 2012 10:44:34 +0200
Subject: [PATCH] Action panel for service provisioning
Servise provisioning status widget was modified only to display the has_keytab status. Button for 'delete key,unprovision' was moved as action to newly created action panel in the same section. This required to moved the creation of the unprovisioning dialog from that widget to new separate dialog.
Action for action panel and all required status evaluators for enabling/disabling of that action were also created.
https://fedorahosted.org/freeipa/ticket/2252
---
install/ui/service.js | 226 +++-
1 files changed, 127 insertions(+), 99 deletions(-)
diff --git a/install/ui/service.js b/install/ui/service.js
index 129f166a3d11338522c2eb95ede7d51280382aa5..f714e410e523d95d25bf0e9c823dd0e0dd50ad9b 100644
--- a/install/ui/service.js
+++ b/install/ui/service.js
@@ -57,10 +57,15 @@ IPA.service.entity = function(spec) {
},
{
name: 'provisioning',
+action_panel: {
+factory: IPA.action_panel,
+name: 'provisioning_actions',
+actions: ['unprovision']
+},
fields: [
{
type: 'service_provisioning_status',
-name: 'krblastpwdchange',
+name: 'has_keytab',
label: IPA.messages.objects.service.status
}
]
@@ -75,7 +80,16 @@ IPA.service.entity = function(spec) {
}
]
}
-]
+],
+actions: [
+IPA.service.unprovision_action
+],
+state: {
+evaluators: [
+IPA.service.has_keytab_evaluator,
+IPA.service.krbprincipalkey_acl_evaluator
+]
+}
}).
association_facet({
name: 'managedby_host',
@@ -227,7 +241,7 @@ IPA.service_provisioning_status_widget = function (spec) {
that.widget_create(container);
-var div = $('', {
+that.status_valid = $('', {
name: 'kerberos-key-valid',
style: 'display: none;'
}).appendTo(container);
@@ -236,23 +250,15 @@ IPA.service_provisioning_status_widget = function (spec) {
src: 'images/check-icon.png',
style: 'float: left;',
'class': 'status-icon'
-}).appendTo(div);
+}).appendTo(that.status_valid);
var content_div = $('', {
style: 'float: left;'
-}).appendTo(div);
+}).appendTo(that.status_valid);
-content_div.append(''+IPA.messages.objects.service.valid+':');
+content_div.append(''+IPA.messages.objects.service.valid+'');
-content_div.append(' ');
-
-$('', {
-'type': 'button',
-'name': 'unprovision',
-'value': IPA.messages.objects.service.delete_key_unprovision
-}).appendTo(content_div);
-
-div = $('', {
+that.status_missing = $('', {
name: 'kerberos-key-missing',
style: 'display: none;'
}).appendTo(container);
@@ -261,76 +267,18 @@ IPA.service_provisioning_status_widget = function (spec) {
src: 'images/caution-icon.png',
style: 'float: left;',
'class': 'status-icon'
-}).appendTo(div);
+}).appendTo(that.status_missing);
content_div = $('', {
style: 'float: left;'
-}).appendTo(div);
+}).appendTo(that.status_missing);
content_div.append(''+IPA.messages.objects.service.missing+'');
-
-that.status_valid = $('div[name=kerberos-key-valid]', that.container);
-that.status_missing = $('div[name=kerberos-key-missing]', that.container);
-
-var button = $('input[name=unprovision]', that.container);
-that.unprovision_button = IPA.button({
-name: 'unprovision',
-'label': IPA.messages.objects.service.delete_key_unprovision,
-'click': that.unprovision
-});
-button.replaceWith(that.unprovision_button);
-};
-
-that.unprovision = function()
Re: [Freeipa-devel] [PATCH] 0042-0048 AD trusts support (master)
On Thu, 07 Jun 2012, Martin Kosek wrote: It may have been an issue on my side. I will open a ticket if I hit a unit test error again. I did a next round of review for your patches, I did not find any show-stopper why not to push your patches. Lets get them grilled also by other team members :-)I just logged one issue I found with ipa-adtrust-install: https://fedorahosted.org/freeipa/ticket/2815 I think we should do check on whether we he valid ticket prior to do configuration, similar to how we do check DM password availability. Besides the keytab fetch we also need to create the service which requires appropriate admin permissions. ACK. Pushed all 13 patches to master. Great! Thanks for the thorough review. Sumit, please rebase and send your remaining patches for review. -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0042-0048 AD trusts support (master)
On Wed, 2012-06-06 at 12:50 +0300, Alexander Bokovoy wrote:
> On Mon, 04 Jun 2012, Martin Kosek wrote:
> >2) Unit tests need to be updated, currently there is about a dozen test
> >case errors, e.g. extra ipakrbprincipalalias attribute in services or
> >new ipakrbprincipal objectclass for hosts
> I did run unit tests. All passed except two which are not related to
> trusts code and were failing before as well. All other issues found
> during previous rounds of the review are fixed and squashed in patches
> in my fedorapeople's tree.
>
> ==
> FAIL: test_automember[39]: host_add: Create u'web5.ipa.local'
> --
> Traceback (most recent call last):
>File "/usr/lib/python2.7/site-packages/nose/case.py", line 197, in runTest
> self.test(*self.arg)
>File
> "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/test_xmlrpc/xmlrpc_test.py",
> line 249, in
> func = lambda: self.check(nice, **test)
>File
> "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/test_xmlrpc/xmlrpc_test.py",
> line 264, in check
> self.check_output(nice, cmd, args, options, expected, extra_check)
>File
> "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/test_xmlrpc/xmlrpc_test.py",
> line 290, in check_output
> assert_deepequal(expected, got, nice)
>File "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/util.py", line
> 331, in assert_deepequal
> assert_deepequal(e_sub, g_sub, doc, stack + (key,))
>File "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/util.py", line
> 325, in assert_deepequal
> doc, sorted(missing), sorted(extra), expected, got, stack
> AssertionError: assert_deepequal: dict keys mismatch.
>test_automember[39]: host_add: Create u'web5.ipa.local'
>missing keys = []
>extra keys = ['memberof_hostgroup', 'memberofindirect_netgroup']
>expected = {'dn':
> u'fqdn=web5.ipa.local,cn=computers,cn=accounts,dc=ipa,dc=local',
> 'has_keytab': False, 'description': [u'Test host 3'], 'objectclass':
> [u'ipasshhost', u'ipaSshGroupOfPubKeys', u'ieee802device', u'ipaobject',
> u'nshost', u'ipahost', u'pkiuser', u'ipaservice', u'krbprincipalaux',
> u'krbprincipal', u'top'], 'l': [u'Undisclosed location 1'], 'fqdn':
> [u'web5.ipa.local'], 'has_password': False, 'ipauniqueid':
> [Fuzzy('^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$',
> , None)], 'krbprincipalname':
> [u'host/web5.ipa.local@IPA.LOCAL'], 'managedby_host':
> [u'web5.ipa.local']}
>got = {'dn':
> u'fqdn=web5.ipa.local,cn=computers,cn=accounts,dc=ipa,dc=local',
> 'has_keytab': False, 'description': (u'Test host 3',), 'objectclass':
> (u'ipaobject', u'nshost', u'ipahost', u'pkiuser', u'ipaservice',
> u'krbprincipalaux', u'krbprincipal', u'ieee802device', u'ipasshhost',
> u'top', u'ipaSshGroupOfPubKeys'), 'l': (u'Undisclosed location 1',),
> 'fqdn': (u'web5.ipa.local',), 'memberof_hostgroup': (u'hostgroup2',),
> 'has_password': False, 'ipauniqueid':
> (u'd08fbcb4-afb9-11e1-b06b-5254007ad848',), 'krbprincipalname':
> (u'host/web5.ipa.local@IPA.LOCAL',), 'managedby_host':
> (u'web5.ipa.local',), 'memberofindirect_netgroup': (u'hostgroup2',)}
>path = ('result',)
>
> ==
> FAIL: test_group[21]: group_find: Search for all groups
> --
> Traceback (most recent call last):
>File "/usr/lib/python2.7/site-packages/nose/case.py", line 197, in runTest
> self.test(*self.arg)
>File
> "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/test_xmlrpc/xmlrpc_test.py",
> line 249, in
> func = lambda: self.check(nice, **test)
>File
> "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/test_xmlrpc/xmlrpc_test.py",
> line 264, in check
> self.check_output(nice, cmd, args, options, expected, extra_check)
>File
> "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/test_xmlrpc/xmlrpc_test.py",
> line 290, in check_output
> assert_deepequal(expected, got, nice)
>File "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/util.py", line
> 331, in assert_deepequal
> assert_deepequal(e_sub, g_sub, doc, stack + (key,))
>File "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/util.py", line
> 339, in assert_deepequal
> VALUE % (doc, expected, got, stack)
> AssertionError: assert_deepequal: expected != got.
>test_group[21]: group_find: Search for all groups
>expected = 5
>got = 6
>path = ('count',)
>
> --
> Ran 1407 tests in 358.194s
>
> FAILED (errors=2, failures=2)
> ==
> FAILED under '/usr/bin/python2.7'
>
> ** FAIL **
>
It may have been an issue on my side. I will open a ticket if I hit a
unit test error again.
I d
