Re: [Freeipa-devel] [PATCH 0072] Provide ipa-client-advise tool

2013-07-17 Thread Tomas Babej
On Tuesday 16 of July 2013 14:10:44 Jan Cholasta wrote:
 On 21.6.2013 11:45, Tomas Babej wrote:
  Newly added features:
 
- options propagated to plugins
- made plugin content creation more comfortable, now 3 classes of
  output are
  available (debug, comment, command)
 
  Now pretty much everything that comes into my mind is addressed, so
  please have a look
  at the current implementation.
 
 The patch needs a rebase.
 
 +class AdviceLogger(object):
 
 Please don't use nested classes. If you want AdviceLogger to be 
 private-ish, you can rename it to _AdviceLogger.
 
 Also I think AdviceLogger is a little bit misleading name, I would 
 prefer AdviceOutput or something like that.
 

Fixed.

 Functionally the patch is OK, but I have some second thoughts about the 
 design. I'm not sure if using API plugins is truly the right thing to 
 do, as advices seem to be pretty much orthogonal to the rest of our API. 
 There are some negative side effects, such as initializing the API every 
 time ipa-advise is run, for each and every advice, which takes some 
 time, so there is a short but noticeable delay.

What do you mean by that API is initialized for each and every advice?

AFAIK, the advice plugins are all imported at once, then the API is initialized.

They are imported only in the API 'advise' context, so no performance decrease
for the rest of the framework.

 What are the benefits of 
 using API plugins for this, besides code reuse? (I'm not saying this 
 must be changed, just give it some thought, using something simpler 
 might be better.)

Code reuse is one thing. Also, ability to call the IPA commands from
within the plugins is the second factor. To allow that we would have to
initialize the API anyway.

Also some important constants which can be leveraged by the plugins are
contained in api.env namespace.

Taking into consideration that running ipa-advise is more of a 
one-time thing, I am willing to sacrifice a bit of delay in 
favour of these advantages.

Updated patch attached.

Tomas

From d4384a2fd9991bec0aa6082046d1a87d5645add8 Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Mon, 10 Jun 2013 14:43:24 +0200
Subject: [PATCH] Provide ipa-advise tool

Provides a pluggable framework for generating configuration
scriptlets and instructions for various machine setups and use
cases.

Creates a new ipa-advise command, available to root user
on the IPA server.

Also provides an example configuration plugin,
config-fedora-authconfig.

https://fedorahosted.org/freeipa/ticket/3670
---
 freeipa.spec.in   |   4 +
 install/tools/Makefile.am |   1 +
 install/tools/ipa-advise  |  23 
 install/tools/man/Makefile.am |   1 +
 install/tools/man/ipa-advise.1|  44 +++
 ipalib/__init__.py|   7 +-
 ipalib/frontend.py|  45 +++
 ipalib/plugable.py|   2 +
 ipaserver/advise/__init__.py  |  22 
 ipaserver/advise/base.py  | 169 ++
 ipaserver/advise/plugins/__init__.py  |  22 
 ipaserver/advise/plugins/fedora_authconfig.py |  41 +++
 make-lint |   2 +-
 setup.py  |   2 +
 14 files changed, 382 insertions(+), 3 deletions(-)
 create mode 100755 install/tools/ipa-advise
 create mode 100644 install/tools/man/ipa-advise.1
 create mode 100644 ipaserver/advise/__init__.py
 create mode 100644 ipaserver/advise/base.py
 create mode 100644 ipaserver/advise/plugins/__init__.py
 create mode 100644 ipaserver/advise/plugins/fedora_authconfig.py

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 86de29ffc16a199e382d2f6a6ad230a76758a55c..2f241b22c3bf2fb52aef04f8d2287565190d7870 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -600,6 +600,7 @@ fi
 %{_sbindir}/ipa-managed-entries
 %{_sbindir}/ipactl
 %{_sbindir}/ipa-upgradeconfig
+%{_sbindir}/ipa-advise
 %{_libexecdir}/certmonger/dogtag-ipa-retrieve-agent-submit
 %{_libexecdir}/ipa-otpd
 %config(noreplace) %{_sysconfdir}/sysconfig/ipa_memcached
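Review bot: the commit message says ipa-advise is "available to root user on the IPA server", but the new `%{_sbindir}/ipa-advise` entry carries no `%attr` and the diffstat creates the script as mode 100755, so any local user can execute it; either the script must refuse to run when euid is not 0 (it needs root anyway to read the server configuration it reports on), or the %files entry should restrict the mode, and the ipa-advise.1 man page should state the requirement either way.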
@@ -615,6 +616,8 @@ fi
 %dir %{python_sitelib}/ipaserver
 %dir %{python_sitelib}/ipaserver/install
 %dir %{python_sitelib}/ipaserver/install/plugins
+%dir %{python_sitelib}/ipaserver/advise
+%dir %{python_sitelib}/ipaserver/advise/plugins
 %dir %{python_sitelib}/ipaserver/plugins
 %dir %{_libdir}/ipa/certmonger
 %attr(755,root,root) %{_libdir}/ipa/certmonger/*
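Review bot: the two `%dir` lines register ipaserver/advise and ipaserver/advise/plugins, but nothing in this hunk packages the files the diffstat creates inside them (ipaserver/advise/__init__.py, base.py, plugins/__init__.py, plugins/fedora_authconfig.py); unless an existing `%{python_sitelib}/ipaserver/*` glob elsewhere in the spec picks them up, the built rpm ships empty directories and ipa-advise fails at import time. Check the file list with `rpm -qlp` on the built package.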
@@ -730,6 +733,7 @@ fi
 %{_mandir}/man8/ipa-upgradeconfig.8.gz
 %{_mandir}/man1/ipa-backup.1.gz
 %{_mandir}/man1/ipa-restore.1.gz
+%{_mandir}/man1/ipa-advise.1.gz
 
 %files server-trust-ad
 %{_sbindir}/ipa-adtrust-install
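Review bot: the man page is placed in section 1 (`%{_mandir}/man1/ipa-advise.1.gz`) while the neighbouring server-only tool ipa-upgradeconfig is in section 8; a root-only administrative command conventionally belongs in section 8, so either follow ipa-upgradeconfig.8 or, if you keep section 1 to match ipa-backup.1/ipa-restore.1, make sure the man page header and the install/tools/man/Makefile.am entry agree on the section.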
diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am
index 659ce0a87a65715b5829384f939c05e7026d763f..2cf66c6dfc1c272bb423253902e7339e7d159567 100644
--- a/install/tools/Makefile.am
+++ 

Re: [Freeipa-devel] [PATCH 0072] Provide ipa-client-advise tool

2013-07-17 Thread Jan Cholasta

On 17.7.2013 13:13, Tomas Babej wrote:
   +class AdviceLogger(object):
  
  Please don't use nested classes. If you want AdviceLogger to be
  private-ish, you can rename it to _AdviceLogger.
  
  Also I think AdviceLogger is a little bit misleading name, I would
  prefer AdviceOutput or something like that.
  
 Fixed.

Thanks.

  Functionally the patch is OK, but I have some second thoughts about the
  design. I'm not sure if using API plugins is truly the right thing to
  do, as advices seem to be pretty much orthogonal to the rest of our API.
  There are some negative side effects, such as initializing the API every
  time ipa-advise is run, for each and every advice, which takes some
  time, so there is a short but noticeable delay.

 What do you mean by that API is initialized for each and every advice?

For example when you run ipa-advise config-fedora-authconfig, all of 
the ipalib and advise plugins are initialized. Seems like an overkill 
just to print 6 lines of text.

 AFAIK, the advice plugins are all imported at once, then the API is
 initialized.

 They are imported only in the API 'advise' context, so no performance
 decrease for the rest of the framework.

  What are the benefits of
  using API plugins for this, besides code reuse? (I'm not saying this
  must be changed, just give it some thought, using something simpler
  might be better.)

 Code reuse is one thing. Also, ability to call the IPA commands from
 within the plugins is the second factor. To allow that we would have to
 initialize the API anyway.

... which could be done on-demand when it is actually needed.

 Also some important constants which can be leveraged by the plugins are
 contained in api.env namespace.

 Taking into consideration that running ipa-advise is more of a
 one-time thing, I am willing to sacrifice a bit of delay in
 favour of these advantages.

OK.

I still think that it's rather strange to pretend that advices are part 
of our API when they don't actually contribute anything to the API, but 
that's more of a structural problem, not a problem with your patch.

 Updated patch attached.

ACK.

Honza

--
Jan Cholasta

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH 0073] Remove support for IPA deployments with no persistent search

2013-07-17 Thread Tomas Babej
 I will release version 3.5 before end of this week. I have some small fixes 
 ready so it is worth to release it now.
 
 To summarize the discussion - please remove following options from 
 configuration file and LDAP schema:
 cache_ttl
 psearch (attribute idnsPersistentSearch in idnsConfigObject)
 zone_refresh (attribute idnsZoneRefresh in idnsConfigObject)
 
 -- 
 Petr^2 Spacek

I have a patch ready, but it can't be tested until 3.5 is out.

Tomas
From 076296b54e0137da343ebbd61ac96ef5da3efcfc Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Mon, 3 Jun 2013 14:37:20 +0200
Subject: [PATCH] Remove support for IPA deployments with no persistent search

Drops the code from ipa-server-install, ipa-dns-install and the
BindInstance itself. Also changed ipa-upgradeconfig script so
that it does not set zone_refresh to 0 on upgrades, as the option
is deprecated.

https://fedorahosted.org/freeipa/ticket/3632
---
 API.txt |   2 +-
 freeipa.spec.in |   2 +-
 install/share/60ipadns.ldif |   4 +-
 install/share/bind.named.conf.template  |   2 -
 install/share/dns.ldif  |   2 +-
 install/tools/ipa-dns-install   |  24 -
 install/tools/ipa-server-install|  24 -
 install/tools/ipa-upgradeconfig | 137 
 install/tools/man/ipa-dns-install.1 |   6 --
 install/tools/man/ipa-server-install.1  |   6 --
 install/ui/src/freeipa/dns.js   |   3 +-
 install/ui/test/data/dnsconfig_mod.json |   5 -
 install/ui/test/data/dnsconfig_show.json|   5 -
 install/ui/test/data/ipa_init_commands.json |  11 ---
 install/ui/test/data/ipa_init_objects.json  |  15 +--
 install/updates/10-bind-schema.update   |   7 +-
 ipalib/plugins/dns.py   |  10 +-
 ipaserver/install/bindinstance.py   |  39 
 ipaserver/install/plugins/dns.py|   2 +-
 ipatests/test_xmlrpc/test_dns_plugin.py |   1 -
 20 files changed, 111 insertions(+), 196 deletions(-)

diff --git a/API.txt b/API.txt
index 44b3dd444964c8dac595177f8601c82d0235eabe..8142bbc37406686dd8bafe94569aab4278259917 100644
--- a/API.txt
+++ b/API.txt
@@ -669,7 +669,7 @@ option: Str('delattr*', cli_name='delattr', exclude='webui')
 option: Bool('idnsallowsyncptr', attribute=True, autofill=False, cli_name='allow_sync_ptr', multivalue=False, required=False)
 option: Str('idnsforwarders', attribute=True, autofill=False, cli_name='forwarder', csv=True, multivalue=True, required=False)
 option: StrEnum('idnsforwardpolicy', attribute=True, autofill=False, cli_name='forward_policy', multivalue=False, required=False, values=(u'only', u'first', u'none'))
-option: Int('idnszonerefresh', attribute=True, autofill=False, cli_name='zone_refresh', minvalue=0, multivalue=False, required=False)
+option: DeprecatedParam('idnszonerefresh', attribute=True, autofill=False, cli_name='zone_refresh', multivalue=False, required=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Flag('rights', autofill=True, default=False)
 option: Str('setattr*', cli_name='setattr', exclude='webui')
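Review bot: the replacement `DeprecatedParam('idnszonerefresh', attribute=True, ...)` keeps `attribute=True`, which tells the framework to map the option onto the LDAP attribute idnsZoneRefresh; the 60ipadns.ldif hunk below removes that attributeType from the schema, so a deprecated value that still reaches the LDAP layer would fail with a schema violation rather than being ignored. Unless DeprecatedParam is guaranteed never to be written to the entry, drop `attribute=True` here. Dropping `minvalue=0` is correct, since the value is no longer interpreted.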
diff --git a/freeipa.spec.in b/freeipa.spec.in
index b0beb16a4d29e414f4f7587038c311f5aa2272bd..aa365095cbbe44ceeaf65d7ce121b0ac 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -156,7 +156,7 @@ Obsoletes: freeipa-server-selinux  3.3.0
 # IPA but if it is configured we need a way to require versions
 # that work for us.
 %if 0%{?fedora} = 18
-Conflicts: bind-dyndb-ldap  2.3-2
+Conflicts: bind-dyndb-ldap  3.5
 %else
 Conflicts: bind-dyndb-ldap  1.1.0-0.12.rc1
 %endif
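Review bot: the conflict version is raised to 3.5 only in the `%if 0%{?fedora}` branch, while the `%else` branch still reads `Conflicts: bind-dyndb-ldap  1.1.0-0.12.rc1`, a version far older than what even the removed psearch code needed; if that branch is still built, raise it too, otherwise the resulting package will coexist with a bind-dyndb-ldap that still expects idnsPersistentSearch/idnsZoneRefresh to be honoured. As the author notes, 3.5 is not released yet, so this dependency cannot be exercised until it is.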
diff --git a/install/share/60ipadns.ldif b/install/share/60ipadns.ldif
index 437986d3912f56c01d919b8bff2205a5eccfaf04..58673c0a204faf159dcade852b5c9e2677d2422c 100644
--- a/install/share/60ipadns.ldif
+++ b/install/share/60ipadns.ldif
@@ -47,9 +47,7 @@ attributeTypes: ( 2.16.840.1.113730.3.8.5.12 NAME 'idnsAllowTransfer' DESC 'BIND
 attributeTypes: ( 2.16.840.1.113730.3.8.5.13 NAME 'idnsAllowSyncPTR' DESC 'permit synchronization of PTR records' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v2' )
 attributeTypes: ( 2.16.840.1.113730.3.8.5.14 NAME 'idnsForwardPolicy' DESC 'forward policy: only or first' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'IPA v2' )
 attributeTypes: ( 2.16.840.1.113730.3.8.5.15 NAME 'idnsForwarders' DESC 'list of forwarders' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v2' )
-attributeTypes: ( 2.16.840.1.113730.3.8.5.16 NAME 'idnsZoneRefresh' DESC 'zone refresh interval' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v2' )
-attributeTypes: ( 2.16.840.1.113730.3.8.5.17 NAME 'idnsPersistentSearch' DESC 'allow 
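Review bot: removing the idnsZoneRefresh and idnsPersistentSearch attributeTypes from 60ipadns.ldif only affects fresh installs; on an existing server the schema stays until install/updates/10-bind-schema.update (7 lines changed in the diffstat) rewrites it, and any idnsConfigObject entry that still carries a value for either attribute will violate the schema once the types are gone. Make sure the update deletes those values from the DNS configuration entry before the attributeTypes are dropped, and that the idnsConfigObject objectClass definition (which the earlier message says carries both attributes) is updated in the same step; the hunk is cut off here so that part cannot be checked.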

Re: [Freeipa-devel] [PATCH] 0045 Expose ipaRangeType in Web UI

2013-07-17 Thread Petr Vobornik

On 07/16/2013 06:46 PM, Ana Krivokapic wrote:

Hello,

This patch addresses ticket https://fedorahosted.org/freeipa/ticket/3759.



Hello,

Thanks for the patch, some comments:

1) idrange.js:183 I would avoid modifying widget html output in form 
methods. In this case you can simply add `layout: 'vertical'` to 
'iparangetype' field definition.


2) idrange.js:187 Can be replaced by adding `enabled: false` to 
'ipanttrusteddomainsid' field definition


3) I would rather see the switching logic encapsulated in a policy 
object than in a dialog. The main reason is to avoid using init() call 
in the factory. Most code other than method definitions in factory 
methods create mess in inheritance chain. Long term plan is to remove 
most of these calls. In this case, you can define public init method in 
the policy which will be automatically called after dialog instantiation.


4) IIUIC 'ipabaserid' has to be set together with 
'ipanttrusteddomainsid' - 'ipabaserid' should be made required when 
is_ad_trust is true.


5) As I read plugins/idrange.py:487-530, the logic for enabling/making 
required 'ipabaserid' and 'ipasecondarybaserid' is quite a bit more complex 
than implemented.


IIUIC 'ipasecondarybaserid' should be required and enabled only when 
'ipabaserid' is set. Additionally, both should be required and enabled 
if adtrust_is_enabled (in UI: `IPA.trust_enabled`).

--
Petr Vobornik



Re: [Freeipa-devel] [PATCH 0072] Provide ipa-client-advise tool

2013-07-17 Thread Martin Kosek
On 07/17/2013 01:48 PM, Jan Cholasta wrote:
 On 17.7.2013 13:13, Tomas Babej wrote:
    +class AdviceLogger(object):
   
   Please don't use nested classes. If you want AdviceLogger to be
   private-ish, you can rename it to _AdviceLogger.
   
   Also I think AdviceLogger is a little bit misleading name, I would
   prefer AdviceOutput or something like that.
   
  Fixed.
 
 Thanks.
 
   Functionally the patch is OK, but I have some second thoughts about the
   design. I'm not sure if using API plugins is truly the right thing to
   do, as advices seem to be pretty much orthogonal to the rest of our API.
   There are some negative side effects, such as initializing the API every
   time ipa-advise is run, for each and every advice, which takes some
   time, so there is a short but noticeable delay.
 
  What do you mean by that API is initialized for each and every advice?
 
 For example when you run ipa-advise config-fedora-authconfig, all of the
 ipalib and advise plugins are initialized. Seems like an overkill just to
 print 6 lines of text.

In this case, it at least uses options from IPA server configuration (api.env)
- which I think will be the case for most advices of this kind.

  AFAIK, the advice plugins are all imported at once, then the API is
  initialized.
 
  They are imported only in the API 'advise' context, so no performance
  decrease for the rest of the framework.
 
   What are the benefits of
   using API plugins for this, besides code reuse? (I'm not saying this
   must be changed, just give it some thought, using something simpler
   might be better.)
 
  Code reuse is one thing. Also, ability to call the IPA commands from
  within the plugins is the second factor. To allow that we would have to
  initialize the API anyway.
 
 ... which could be done on-demand when it is actually needed.
 
  Also some important constants which can be leveraged by the plugins are
  contained in api.env namespace.
 
  Taking into consideration that running ipa-advise is more of a
  one-time thing, I am willing to sacrifice a bit of delay in
  favour of these advantages.
 
 OK.
 
 I still think that it's rather strange to pretend that advices are part of our
 API when they don't actually contribute anything to the API, but that's more
 of a structural problem, not a problem with your patch.
 
  Updated patch attached.
 
 ACK.
 
 Honza

Pushed to master.

Martin



[Freeipa-devel] Should ipa.service be a service?

2013-07-17 Thread Jan Pazdziora
On Mon, Jul 08, 2013 at 09:09:24AM -0400, Simo Sorce wrote:
 On Thu, 2013-06-20 at 17:13 +0200, Ana Krivokapic wrote:
  -After=network.target
  +After=network.target dirsrv.target
  pki-tomcatd@pki-tomcat.service pki-cad.target certmonger.service
  httpd.service krb5kdc.service messagebus.service nslcd.service
  nscd.service ntpd.service portmap.service rpcbind.service
  kadmin.service sshd.service autofs.service rpcgssd.service
  rpcidmapd.service chronyd.service
  
 Won't this cause ipa.service to try to restart things twice ?
 Also this will unconditionally try to start the CA even if not
 installed.
 
 NACK, please let ipa.service handle starting and stopping daemons.

Hello, I'm coming late to this thread but: Should ipa really be
a service under systemd? Wouldn't making it a target make things a bit
more pure from systemd's point of view?

-- 
Jan Pazdziora | adelton at #ipa*, #brno
Principal Software Engineer, Identity Management Engineering, Red Hat



Re: [Freeipa-devel] Should ipa.service be a service?

2013-07-17 Thread Simo Sorce
On Wed, 2013-07-17 at 14:06 +0200, Jan Pazdziora wrote:
 On Mon, Jul 08, 2013 at 09:09:24AM -0400, Simo Sorce wrote:
  On Thu, 2013-06-20 at 17:13 +0200, Ana Krivokapic wrote:
   -After=network.target
   +After=network.target dirsrv.target
   pki-tomcatd@pki-tomcat.service pki-cad.target certmonger.service
   httpd.service krb5kdc.service messagebus.service nslcd.service
   nscd.service ntpd.service portmap.service rpcbind.service
   kadmin.service sshd.service autofs.service rpcgssd.service
   rpcidmapd.service chronyd.service
   
  Won't this cause ipa.service to try to restart things twice ?
  Also this will unconditionally try to start the CA even if not
  installed.
  
  NACK, please let ipa.service handle starting and stopping daemons.
 
 Hello, I'm coming late to this thread but: Should ipa really be
 a service under systemd? Wouldn't making it a target make things a bit
 more pure from systemd's point of view?

IPA is a multi-server system, we want to keep configuration in LDAP so
that an admin can see and potentially control services for the whole
domain at once from an admin workstation, w/o having to log on any
specific server and change local files.

That is why we read the startup list from LDAP in ipactl (called by
ipa.service) and do not store it as targets in systemd.

ipactl supports both systemd and sysv systems.

Once we definitively abandon sysv we could kill ipactl and in its stead
dynamically change the list of targets in the ipa.service file directly,
and enable/disable the scripts in the systemd units directory. However
we would still need some sort of plugin/helper system that monitors the
LDAP tree and applies the appropriate changes to the system when
something is changed in LDAP.

We have expressed the need for acting on the system upon changes in LDAP
for other reasons too (rotating some keytabs, and manipulating other
configuration files), I think we opened a ticket to handle monitoring
the configuration subtree with the ability to cause changes in the local
cn=config based on plugin configuration but I can't find the ticket
right now.
We could add the ability to launch a helper (via dbus or similar).

Once we have that we could move to a native systemd configuration, until
then ...

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



[Freeipa-devel] [PATCH] 159 Run gpg-agent explicitly when encrypting/decrypting files

2013-07-17 Thread Jan Cholasta

Hi,

the attached patch fixes https://fedorahosted.org/freeipa/ticket/3767.

Honza

--
Jan Cholasta
From 7b24c86d28eab5a24456be8a665b17ec09ffb1a7 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Wed, 17 Jul 2013 12:11:57 +
Subject: [PATCH] Run gpg-agent explicitly when encrypting/decrypting files.

Also add an option to ipautil.run to redirect command output to /dev/null.

https://fedorahosted.org/freeipa/ticket/3767
---
 ipapython/ipautil.py | 19 ---
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index f2ca9d6..16ad42f 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -246,7 +246,7 @@ def shell_quote(string):
 return ' + string.replace(', '\\'') + '
 
 def run(args, stdin=None, raiseonerr=True,
-nolog=(), env=None, capture_output=True, cwd=None):
+nolog=(), env=None, capture_output=True, skip_output=False, cwd=None):
 
 Execute a command and return stdin, stdout and the process return code.
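Review bot: the new `skip_output=False` keyword is not described in the docstring that follows (`Execute a command and return stdin, stdout and the process return code`, which itself should say stdout, stderr); add that skip_output sends both streams to /dev/null, takes precedence over capture_output, and makes the returned stdout/stderr None, because a caller that does `stdout.strip()` on the result will otherwise get an AttributeError instead of a clear contract.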
 
@@ -288,7 +288,9 @@ def run(args, stdin=None, raiseonerr=True,
 env[PATH] = /bin:/sbin:/usr/kerberos/bin:/usr/kerberos/sbin:/usr/bin:/usr/sbin
 if stdin:
 p_in = subprocess.PIPE
-if capture_output:
+if skip_output:
+p_out = p_err = open('/dev/null', 'w')
+elif capture_output:
 p_out = subprocess.PIPE
 p_err = subprocess.PIPE
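Review bot: `p_out = p_err = open('/dev/null', 'w')` rebinds the same names that the `elif` branch sets to `subprocess.PIPE` (an int), which is exactly why pylint later reports E1103 "Instance of 'int' has no 'close' member" at the close call; keep the file object in its own variable (`devnull = open(os.devnull, 'w'); p_out = p_err = devnull`) and close that one, and use `os.devnull` instead of the hard-coded path.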
 
@@ -308,12 +310,15 @@ def run(args, stdin=None, raiseonerr=True,
 except:
 root_logger.debug('Process execution failed')
 raise
+finally:
+if skip_output:
+p_out.close()
 
 root_logger.debug('Process finished, return code=%s', p.returncode)
 
 # The command and its output may include passwords that we don't want
 # to log. Replace those.
-if capture_output:
+if capture_output and not skip_output:
 stdout = nolog_replace(stdout, nolog)
 stderr = nolog_replace(stderr, nolog)
 root_logger.debug('stdout=%s' % stdout)
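Review bot: `if capture_output and not skip_output` re-derives the precedence the if/elif above already encodes; compute one flag (e.g. `capture = capture_output and not skip_output`) before the Popen and use it in both places so they cannot drift. When skip_output is set, communicate() yields (None, None) and that is what the function returns, so an explicit `stdout = stderr = None` on that path would make the contract visible to readers and to pylint.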
@@ -389,8 +394,8 @@ def encrypt_file(source, dest, password, workdir = None):
 #give gpg a fake dir so that we can leater remove all
 #the cruft when we clean up the tempdir
 os.mkdir(gpgdir)
-args = ['/usr/bin/gpg', '--batch', '--homedir', gpgdir, '--passphrase-fd', '0', '--yes', '--no-tty', '-o', dest, '-c', source]
-run(args, password)
+args = ['/usr/bin/gpg-agent', '--batch', '--homedir', gpgdir, '--daemon', '/usr/bin/gpg', '--batch', '--homedir', gpgdir, '--passphrase-fd', '0', '--yes', '--no-tty', '-o', dest, '-c', source]
+run(args, password, skip_output=True)
 except:
 raise
 finally:
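Review bot: `skip_output=True` discards gpg's stderr along with its stdout, so when the wrapped command fails and run() raises, the only diagnostic gpg would have given is gone; discard stdout only, or keep capturing and rely on the existing nolog handling to keep the passphrase out of the log. Supplying the passphrase on fd 0 via `--passphrase-fd 0` remains the right channel (it never appears in the process argv); with gpg-agent now fronting the command, confirm that `gpg-agent --daemon <command>` hands the inherited stdin through to gpg unchanged, and that the agent started for the temporary `gpgdir` terminates together with the command, so no agent holding the cached passphrase outlives the tempdir cleanup in the finally block.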
@@ -419,8 +424,8 @@ def decrypt_file(source, dest, password, workdir = None):
 #give gpg a fake dir so that we can leater remove all
 #the cruft when we clean up the tempdir
 os.mkdir(gpgdir)
-args = ['/usr/bin/gpg', '--batch', '--homedir', gpgdir, '--passphrase-fd', '0', '--yes', '--no-tty', '-o', dest, '-d', source]
-run(args, password)
+args = ['/usr/bin/gpg-agent', '--batch', '--homedir', gpgdir, '--daemon', '/usr/bin/gpg', '--batch', '--homedir', gpgdir, '--passphrase-fd', '0', '--yes', '--no-tty', '-o', dest, '-d', source]
+run(args, password, skip_output=True)
 except:
 raise
 finally:
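Review bot: the command line is now duplicated element for element between encrypt_file and decrypt_file except for `-c` versus `-d`; factor it into one helper (for example `_gpg_agent_cmd(gpgdir, dest, source, mode)`) so a later change to the agent invocation cannot be applied to one path only. The stderr and agent-lifetime remarks on encrypt_file apply here unchanged.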
-- 
1.8.3.1

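The patch above changes how ipautil.run() delivers a passphrase and discards output. The block below is an added example, not FreeIPA's ipautil and not code from this thread: it is a stand-alone wrapper in the same spirit, showing the three properties a practitioner wants from such a helper: the secret travels on the child's fd 0 (never in argv, where /proc/<pid>/cmdline exposes it), output can be sent to os.devnull through a file object kept separate from subprocess.PIPE (the pylint E1103 mix-up discussed later in the thread), and secrets are redacted before anything is logged. gpg is not invoked; a small Python child process standing in for it, plus the nolog_replace/run/demo names, are assumptions of this example so that it runs offline.

```python
"""Added example (not FreeIPA code): a run() helper that feeds a secret on
stdin, can discard output, and redacts secrets before logging."""
import logging
import os
import subprocess
import sys

log = logging.getLogger("run_example")


def nolog_replace(text, nolog):
    """Replace every secret listed in `nolog` with XXXXXXXX before logging."""
    for value in nolog:
        if value:
            text = text.replace(value, "XXXXXXXX")
    return text


def run(args, stdin=None, raiseonerr=True, nolog=(), capture_output=True,
        skip_output=False, cwd=None):
    """Run `args` and return (stdout, stderr, returncode).

    stdin (e.g. a passphrase) is written to the child's fd 0, so it never
    appears on the command line. skip_output=True sends stdout and stderr to
    os.devnull, takes precedence over capture_output, and makes the returned
    stdout/stderr None. The devnull file object lives in its own variable so
    it is never confused with subprocess.PIPE (an int).
    """
    p_in = subprocess.PIPE if stdin is not None else None
    devnull = None
    if skip_output:
        devnull = open(os.devnull, "w")
        p_out = p_err = devnull
    elif capture_output:
        p_out = p_err = subprocess.PIPE
    else:
        p_out = p_err = None
    capture = capture_output and not skip_output

    log.debug("args=%s", nolog_replace(" ".join(args), nolog))
    try:
        p = subprocess.Popen(args, stdin=p_in, stdout=p_out, stderr=p_err,
                             cwd=cwd, universal_newlines=True)
        stdout, stderr = p.communicate(stdin)
    finally:
        if devnull is not None:
            devnull.close()

    log.debug("Process finished, return code=%s", p.returncode)
    if capture:
        # Log a redacted copy; the caller still receives the real output.
        log.debug("stdout=%s", nolog_replace(stdout, nolog))
        log.debug("stderr=%s", nolog_replace(stderr, nolog))

    if p.returncode != 0 and raiseonerr:
        raise subprocess.CalledProcessError(p.returncode, args, stdout, stderr)
    return stdout, stderr, p.returncode


# Constructed stand-ins for gpg (assumption of this example): one echoes
# whatever arrives on fd 0, the other exits non-zero.
ECHO_STDIN = [sys.executable, "-c",
              "import sys; sys.stdout.write(sys.stdin.read())"]
EXIT_3 = [sys.executable, "-c", "import sys; sys.exit(3)"]


def demo(passphrase="correct horse battery staple"):
    """Exercise run() three ways and return what each call produced."""
    captured, _err, rc = run(ECHO_STDIN, stdin=passphrase, nolog=(passphrase,))
    silent_out, silent_err, silent_rc = run(ECHO_STDIN, stdin=passphrase,
                                            skip_output=True)
    _o, _e, failed_rc = run(EXIT_3, raiseonerr=False)
    return {
        "captured": captured,   # the passphrase came back through the pipe
        "rc": rc,
        "silent": (silent_out, silent_err, silent_rc),   # (None, None, 0)
        "failed_rc": failed_rc,  # 3; not raised because raiseonerr=False
    }


def raises_on_error():
    """True if a non-zero exit propagates as CalledProcessError by default."""
    try:
        run(EXIT_3)
    except subprocess.CalledProcessError:
        return True
    return False


if __name__ == "__main__":
    print(demo(), raises_on_error())
```

Note that skip_output here drops stderr as well; in a real wrapper around gpg you would usually keep stderr (redacted) so that a failed encryption still leaves a diagnostic.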

Re: [Freeipa-devel] Should ipa.service be a service?

2013-07-17 Thread Jan Pazdziora
On Wed, Jul 17, 2013 at 08:21:21AM -0400, Simo Sorce wrote:
 
 That is why we read the startup list from LDAP in ipactl (called by
 ipa.service) and do not store it as targets in systemd.

Can't the list in systemd be static and each service would
identify (based on its own LDAP lookup or a lookup done by the first
service in the row) whether it is actually configured to be
running or not?

 Once we definitively abandon sysv we could kill ipactl and in it's stead
 dynamically change the list of targets in the ipa.service file directly.
 and enable/disable the scripts in the systemd units directory. However
 we would still need some sort of plugin/helper system that monitors the
 LDAP tree and applies the appropriate changes to the system when
 something is changed in LDAP.

Upon the system/services startup or even during its general lifetime?

 We have expressed the need for acting on the system upon changes in LDAP
 for other reasons too (rotating some keytabs, and manipulating other
 configuration files), I think we opened a ticket to handle monitoring
 the configuration subtree with the ability to cause changes in the local
 cn=config based on plugin configuration but I can't find the ticket
 right now.
 We could add the ability to launch a helper (via dbus or similar).
 
 Once we have that we could move to a native systemd configuration, until
 then ...

:-)

-- 
Jan Pazdziora | adelton at #ipa*, #brno
Principal Software Engineer, Identity Management Engineering, Red Hat



Re: [Freeipa-devel] [PATCH] 414 Require new selinux-policy replacing old server-selinux subpackage

2013-07-17 Thread Alexander Bokovoy

On Wed, 17 Jul 2013, Martin Kosek wrote:

Features of the new policy:
- labels /var/lib/ipa/pki-ca/publish as pki_tomcat_cert_t which is
 writeable by PKI and readable by HTTPD
- contains Conflicts with old freeipa-server-selinux package to avoid
 SELinux upgrade issues

https://fedorahosted.org/freeipa/ticket/3788



SELinux policy build is currently in koji:
http://koji.fedoraproject.org/koji/buildinfo?buildID=434328

bodhi update is planned to be done today as well. I tested both upgrade from
stable F19 version and clean installs and both worked fine.

I would like this patch to be included in upcoming FreeIPA 3.2.2 version.

Martin



From e0ad6af118eacf06c32f870106dc3d6159adcc66 Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Wed, 17 Jul 2013 12:13:50 +0200
Subject: [PATCH] Require new selinux-policy replacing old server-selinux
subpackage

Features of the new policy:
- labels /var/lib/ipa/pki-ca/publish as pki_tomcat_cert_t which is
 writeable by PKI and readable by HTTPD
- contains Conflicts with old freeipa-server-selinux package to avoid
 SELinux upgrade issues

https://fedorahosted.org/freeipa/ticket/3788
---
freeipa.spec.in | 6 +-
1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 
f0f1fc6a266847e1d99a895605ed6084f080b7d4..b45525996e8b0e00397e975dc93a46bd4928bdbc
 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -129,7 +129,7 @@ Requires: python-memcached
Requires: systemd-units = 38
Requires(pre): systemd-units
Requires(post): systemd-units
-Requires: selinux-policy = 3.11.1-86
+Requires: selinux-policy = 3.12.1-65
Requires(post): selinux-policy-base
Requires: slapi-nis = 0.44
Requires: pki-ca = 10.0.2
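Review bot: raising `Requires: selinux-policy` to 3.12.1-65 guarantees the policy package is present, not that the new pki_tomcat_cert_t file context is applied to an already existing /var/lib/ipa/pki-ca/publish on upgrade; unless the selinux-policy package's own scriptlets relabel it, the server's %post (or ipa-upgradeconfig) should run `restorecon -R /var/lib/ipa/pki-ca/publish`, otherwise httpd still cannot read what PKI writes there. Per the thread the 3.12.1-65 build is only in koji for F19 at this point, so this Requires makes the package uninstallable on stable until the bodhi update lands.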
@@ -776,6 +776,10 @@ fi
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt

%changelog
+* Wed Jul 17 2013 Martin Kosek mko...@redhat.com - 3.2.1-4
+- Require selinux-policy 3.12.1-65 containing missing policy after removal of
+  freeipa-server-selinux subpackage
+
* Tue Jul 16 2013 Martin Kosek mko...@redhat.com - 3.2.1-3
- Drop freeipa-server-selinux subpackage
- Drop redundant directory /var/cache/ipa/sessions
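Review bot: the changelog entry credits the new selinux-policy with a Conflicts against the old freeipa-server-selinux package, and the 3.2.1-3 entry only dropped the subpackage; for an upgrade to resolve rather than be blocked by that Conflicts, the server package itself must obsolete the old subpackage. Master carries `Obsoletes: freeipa-server-selinux` (visible as context in the persistent-search patch on this page, versioned 3.3.0); make sure the ipa-3-2 backport has the same line with a version that matches 3.2.1-3, and verify with an upgrade from 3.2.1-2.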


ACK

--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH] 159 Run gpg-agent explicitly when encrypting/decrypting files

2013-07-17 Thread Martin Kosek
On 07/17/2013 03:21 PM, Jan Cholasta wrote:
 Hi,
 
 the attached patch fixes https://fedorahosted.org/freeipa/ticket/3767.
 
 Honza
 

There is a pylint problem:

ipapython/ipautil.py:315: [E1103, run] Instance of 'int' has no 'close' member
(but some types could not be inferred)

Besides that, it seems to work just fine.

Martin



Re: [Freeipa-devel] [PATCH] 414 Require new selinux-policy replacing old server-selinux subpackage

2013-07-17 Thread Martin Kosek
On 07/17/2013 04:04 PM, Alexander Bokovoy wrote:
 On Wed, 17 Jul 2013, Martin Kosek wrote:
 Features of the new policy:
 - labels /var/lib/ipa/pki-ca/publish as pki_tomcat_cert_t which is
  writeable by PKI and readable by HTTPD
 - contains Conflicts with old freeipa-server-selinux package to avoid
  SELinux upgrade issues

 https://fedorahosted.org/freeipa/ticket/3788

 

 SELinux policy build is currently in koji:
 http://koji.fedoraproject.org/koji/buildinfo?buildID=434328

 bodhi update is planned to be done today as well. I tested both upgrade from
 stable F19 version and clean installs and both worked fine.

 I would like this patch to be included in upcoming FreeIPA 3.2.2 version.

 Martin
 
 From e0ad6af118eacf06c32f870106dc3d6159adcc66 Mon Sep 17 00:00:00 2001
 From: Martin Kosek mko...@redhat.com
 Date: Wed, 17 Jul 2013 12:13:50 +0200
 Subject: [PATCH] Require new selinux-policy replacing old server-selinux
 subpackage

 Features of the new policy:
 - labels /var/lib/ipa/pki-ca/publish as pki_tomcat_cert_t which is
  writeable by PKI and readable by HTTPD
 - contains Conflicts with old freeipa-server-selinux package to avoid
  SELinux upgrade issues

 https://fedorahosted.org/freeipa/ticket/3788
 ---
 freeipa.spec.in | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

 diff --git a/freeipa.spec.in b/freeipa.spec.in
 index
 f0f1fc6a266847e1d99a895605ed6084f080b7d4..b45525996e8b0e00397e975dc93a46bd4928bdbc
 100644
 --- a/freeipa.spec.in
 +++ b/freeipa.spec.in
 @@ -129,7 +129,7 @@ Requires: python-memcached
 Requires: systemd-units = 38
 Requires(pre): systemd-units
 Requires(post): systemd-units
 -Requires: selinux-policy = 3.11.1-86
 +Requires: selinux-policy = 3.12.1-65
 Requires(post): selinux-policy-base
 Requires: slapi-nis = 0.44
 Requires: pki-ca = 10.0.2
 @@ -776,6 +776,10 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt

 %changelog
 +* Wed Jul 17 2013 Martin Kosek mko...@redhat.com - 3.2.1-4
 +- Require selinux-policy 3.12.1-65 containing missing policy after removal 
 of
 +  freeipa-server-selinux subpackage
 +
 * Tue Jul 16 2013 Martin Kosek mko...@redhat.com - 3.2.1-3
 - Drop freeipa-server-selinux subpackage
 - Drop redundant directory /var/cache/ipa/sessions
 
 ACK
 

Pushed to master (rebased), ipa-3-2.

Martin



Re: [Freeipa-devel] [PATCH] 159 Run gpg-agent explicitly when encrypting/decrypting files

2013-07-17 Thread Martin Kosek
On 07/17/2013 04:14 PM, Jan Cholasta wrote:
 On 17.7.2013 16:06, Martin Kosek wrote:
 On 07/17/2013 03:21 PM, Jan Cholasta wrote:
 Hi,

 the attached patch fixes https://fedorahosted.org/freeipa/ticket/3767.

 Honza


 There is a pylint problem:

 ipapython/ipautil.py:315: [E1103, run] Instance of 'int' has no 'close' 
 member
 (but some types could not be inferred)
 
 Fixed.
 

 Besides that, it seems to work just fine.

 Martin

 
 Updated patch attached.
 
 Honza
 

ACK. Pushed to master, ipa-3-2.

Martin



[Freeipa-devel] [PATCH] 0046 Properly handle non-existent CA file

2013-07-17 Thread Ana Krivokapic
Hello,

This patch addresses ticket https://fedorahosted.org/freeipa/ticket/3785.

-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.

From c965823f44137c38cb77bf42b4d74cb0c002975a Mon Sep 17 00:00:00 2001
From: Ana Krivokapic akriv...@redhat.com
Date: Wed, 17 Jul 2013 16:30:15 +0200
Subject: [PATCH] Properly handle non-existent CA file

https://fedorahosted.org/freeipa/ticket/3785
---
 ipaserver/install/installutils.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index a716525b3ebc20fe516613d57f19377519212a5a..c0c5c793ee936fd404c48260fb6aaadc3bf233d9 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -721,7 +721,7 @@ def check_pkcs12(pkcs12_info, ca_file, hostname):
 ca_cert_name = 'The Root CA'
 try:
 nssdb.import_pem_cert(ca_cert_name, CT,C,C, ca_file)
-except ValueError, e:
+except (ValueError, IOError) as e:
 raise ScriptError(str(e))
 
 # Import everything in the PKCS#12
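Review bot: catching IOError in the same clause as ValueError passes str(e) through unchanged, so a missing CA file is reported as the raw "[Errno 2] No such file or directory: '...'" text rather than a message naming what was being opened; give IOError its own branch that formats e.strerror together with the path (ca_file, not the display name ca_cert_name, which the context line sets to 'The Root CA'). IOError also covers a file that exists but is unreadable or is a directory, so "Failed to open" is the right wording rather than "does not exist".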
-- 
1.8.3.1


Re: [Freeipa-devel] [PATCH] 0046 Properly handle non-existent CA file

2013-07-17 Thread Jan Cholasta

Hi,

On 17.7.2013 16:38, Ana Krivokapic wrote:

Hello,

This patch addresses ticket https://fedorahosted.org/freeipa/ticket/3785.



NACK, this results in an unnecessarily ugly error message [Errno 2] No 
such file or directory: 'file'.


I would suggest something like this instead:

except IOError as e:
    raise ScriptError("Failed to open %s: %s" % (ca_cert_name, e.strerror))

Can you please also check what happens if you pass non-existent filename 
to --dirsrv_pkcs12 and --http_pkcs12?


Honza

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH] 0046 Properly handle non-existent CA file

2013-07-17 Thread Ana Krivokapic
On 07/17/2013 04:57 PM, Jan Cholasta wrote:
 Hi,

 On 17.7.2013 16:38, Ana Krivokapic wrote:
 Hello,

 This patch addresses ticket https://fedorahosted.org/freeipa/ticket/3785.


 NACK, this results in an unnecessarily ugly error message [Errno 2] No such
 file or directory: 'file'.

 I would suggest something like this instead:

 except IOError as e:
     raise ScriptError("Failed to open %s: %s" % (ca_cert_name, e.strerror))

Fixed.

 Can you please also check what happens if you pass non-existent filename to
 --dirsrv_pkcs12 and --http_pkcs12?

 Honza


I added a more specific error message to cover these cases.

Updated patch attached.

-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.

From e16310f384a6009df3d373a04f684f75fa8a7a14 Mon Sep 17 00:00:00 2001
From: Ana Krivokapic akriv...@redhat.com
Date: Wed, 17 Jul 2013 16:30:15 +0200
Subject: [PATCH] Properly handle non-existent cert files

https://fedorahosted.org/freeipa/ticket/3785
---
 ipaserver/install/certs.py| 2 ++
 ipaserver/install/installutils.py | 4 +++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 06925d53b2fa6df6d94d41d758944b6497ce2bcd..5a44bd9b5158dd0e255c5a3b5ee042d06e265eb7 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -188,6 +188,8 @@ class NSSDatabase(object):
 if e.returncode == 17:
 raise RuntimeError(incorrect password for pkcs#12 file %s %
 pkcs12_filename)
+elif e.returncode == 10:
+raise RuntimeError(Failed to open %s % pkcs12_filename)
 else:
 raise RuntimeError(unknown error import pkcs#12 file %s %
 pkcs12_filename)
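Review bot: `elif e.returncode == 10:` compares against an undocumented pk12util exit status, as does the existing 17 above it; give both a named constant or a comment saying which pk12util error they correspond to, otherwise the next reader has to consult pk12util's source to learn why 10 means "failed to open". The new message also drops the reason (permission denied versus not found); if ipautil.run exposes pk12util's stderr on the CalledProcessError, append it.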
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index a716525b3ebc20fe516613d57f19377519212a5a..188971f40f7c15cb473d590c2fcc2001b6419db7 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -721,8 +721,10 @@ def check_pkcs12(pkcs12_info, ca_file, hostname):
 ca_cert_name = 'The Root CA'
 try:
 nssdb.import_pem_cert(ca_cert_name, CT,C,C, ca_file)
-except ValueError, e:
+except ValueError as e:
 raise ScriptError(str(e))
+except IOError as e:
+raise ScriptError(Failed to open %s: %s % (ca_cert_name, e.strerror))
 
 # Import everything in the PKCS#12
 nssdb.import_pkcs12(pkcs12_filename, db_pwd_file.name, pin_filename)
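Review bot: the IOError branch formats ca_cert_name, which the context line above sets to the fixed string 'The Root CA', so the admin sees "Failed to open The Root CA: No such file or directory" and still does not learn which path was tried; use ca_file (or e.filename) in the message. The ValueError branch directly above still passes str(e) through raw, so the two failure paths for the same argument now produce differently shaped messages.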
-- 
1.8.3.1


Re: [Freeipa-devel] [PATCH] 0046 Properly handle non-existent CA file

2013-07-17 Thread Jan Cholasta

On 17.7.2013 17:39, Ana Krivokapic wrote:

On 07/17/2013 04:57 PM, Jan Cholasta wrote:

Hi,

On 17.7.2013 16:38, Ana Krivokapic wrote:

Hello,

This patch addresses ticket https://fedorahosted.org/freeipa/ticket/3785.



NACK, this results in an unnecessarily ugly error message [Errno 2] No such
file or directory: 'file'.

I would suggest something like this instead:

except IOError as e:
    raise ScriptError("Failed to open %s: %s" % (ca_cert_name, e.strerror))


Fixed.


Hmm, seeing how RuntimeError is used for this kind of thing in 
import_pkcs12, I think it would make sense to catch the IOError right in 
import_pem_cert and re-raise it as RuntimeError and then handle that 
RuntimeError in check_pkcs12 (sorry for misleading you into doing 
something else in my previous mail).




Can you please also check what happens if you pass non-existent filename to
--dirsrv_pkcs12 and --http_pkcs12?

Honza



I added a more specific error message to cover these cases.


Can you please also add it to find_root_cert_from_pkcs12?



Updated patch attached.



Honza

--
Jan Cholasta



Re: [Freeipa-devel] DNSSEC support design considerations: key material handling

2013-07-17 Thread Simo Sorce
On Tue, 2013-07-16 at 17:15 +0200, Petr Spacek wrote:
 On 15.7.2013 21:07, Simo Sorce wrote:
  Is there any place I can read about the format and requirements of these
  files ?
 There is no single format, because it is algorithm-dependent. See below.
 AFAIK it is nothing supported by OpenSSL, but I can be wrong.

Thanks for attaching examples, it helps.

  KSK has to be rolled over manually because it requires changes in the parent
  zone. (It could be automated for sub-zones if their parent zone is also
  managed by the same IPA server.)
 
  Is there any provision for using DNSSEC with private DNS deployments ?
 Yes, it is. DNSSEC supports 'Islands of Security' [Terminology]: DNS 
 resolvers 
 can be configured with 'trust anchors' explicitly. E.g. 'trust domain 
 example.com only if it is signed by /this/ key, use root key for rest of the 
 Internet' etc.
 
 [Terminology] http://tools.ietf.org/html/rfc4033#section-2

This means clients would have to be configured to explicitly trust a
specific key for a zone right ? How hard would it be for us to configure
IPA clients this way assuming by then we have a DNSSEC aware resolver we
can configure on them ?

  Or is this going to make sense only for IPA deployments that have valid
  delegation from the public DNS system ?
 
  Hmmm I guess that as long as the KSK in the 'parent' zone is imported
  properly a private deployment of corp.myzone.com using the KSK of
  myzone.com will work just fine even if corp.myzone.com is not actually
  delegated but is a private DNS tree ?
  Or is that incorrect ?
 
 AFAIK there *has to be* delegation via DS record [Delegation Signer, DS] from 
 the parent, but IMHO it could work if only the public key for internal zones 
 is published (without any delegation to internal name servers etc.). I didn't 
 try it, so 'here be dragons'.

Are there test/zones keys that can be used to experiment ?

[..]

  Initial key generation is closely related to the question how should we 
  handle
  (periodic) key regeneration? (e.g. Generate new ZSK each month.)
 
  We only really need to generate (or import) the KSK of the parent zone,
 It seems that there is slight misunderstanding. KSK is the 'master key' for 
 particular zone. This master key (KSK) signs other keys (ZSKs) and data are 
 signed by ZSKs.

Sorry I expressed myself badly, I mean we only need to generate one KSK
at install time and make it available to the admin to be signed by the
upper zone admins. But then all other keys including the ZSKs can be
completely managed within IPA w/o explicit admin work if we have the
right tooling.

[..]

  No, the problem is that we need to define 'who' generates the keys.
  Remember FreeIPA is a multimaster system, we cannot have potentially
  conflicting cron jobs running on multiple servers.
 Right. It sounds like the CRL generation problem. Should we do the same for
 DNSSEC key regeneration? I.e. select one super-master and let it handle key
 regeneration? Or should we find some more robust solution? I'm not against
 any of these possibilities :-)

Falling back to a SPOF should be the last resort or a temporary step
during development.
I would like to avoid SPOF architectures if at all possible.
We could devise a way to automatically 'elect' a master, but have all
other DNS servers also monitor that keys are regenerated and made
available in the expected time frame and if not have one of the other
DNS servers try to assume the leader role.

I have some ideas here using priorities etc, but I need to let them brew
in my mind a little bit more :)

[..]

  For these reasons I think that we can define new public key attribute in 
  the
  same way as private key attribute:
  attributetypes: ( x.x.x.x.x NAME 'idnsSecPublicKey' SYNTAX
  1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
 
  The resulting object class could be:
  objectClasses: ( x.x.x.x.x NAME 'idnsSecKeyPair' DESC 'DNSSEC key pair' SUP
  top STRUCTURAL MUST ( cn $ idnsSecPrivateKey $ idnsSecPublicKey ) )
 
  Will bind read these attributes ?
  Or will we have to dump these values into files via bind-dyndb-ldap for
  bind9 to read them back ?
 AFAIK it has to be in files: Private key in one file and public key in the 
 other file. I can't find any support for reading private keys from buffers.

Ok so to summarize we basically are going to load the private key file
in idnsSecPrivateKey and the public key file in idnsSecPublicKey as
blobs and then have bind-dyndb-ldap fetch them and save them into files
that bind can access.
This means bind-dyndb-ldap will need to grow the ability to also clean up
and synchronize the files over time. So there will need to be hooks to
regularly check all needed files are in place and obsolete ones are
deleted. Maybe we can grow a companion python helper to do this, as it
is a relatively simple task that is not performance critical and will
be much easier to write in a scripting language than in C. But I am not
opposed to an in-daemon solution 
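
The companion helper sketched in the message above, written out as an added example in Python that is not FreeIPA or bind-dyndb-ldap code: it takes LDAP-style entries carrying the idnsSecPublicKey and idnsSecPrivateKey attributes proposed in this thread, writes each pair atomically into a key directory with 0644/0600 modes, skips files that are already current, and deletes key files whose entry has disappeared. The attribute names are the thread's; using cn as the BIND-style file stem, the directory layout and the sample key blobs in demo() are this example's own assumptions and constructed data.

```python
import os
import stat
import tempfile

# Attribute names are the ones proposed in the thread; using cn as the
# BIND-style file stem ("Kexample.com.+008+12345") is this example's assumption.
ATTR_PUB = "idnsSecPublicKey"
ATTR_PRIV = "idnsSecPrivateKey"
PUB_MODE = 0o644    # .key holds public data
PRIV_MODE = 0o600   # .private must never be group- or world-readable


def _safe_stem(cn):
    """cn comes from LDAP, so refuse anything that could escape the key dir."""
    if not cn or cn in (".", "..") or "/" in cn or "\0" in cn or cn[0] == ".":
        raise ValueError("refusing unsafe key name %r" % (cn,))
    return cn


def _is_current(path, data, mode):
    """True when path is a regular file holding exactly data with exactly mode."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    if not stat.S_ISREG(st.st_mode) or stat.S_IMODE(st.st_mode) != mode:
        return False
    with open(path, "rb") as f:
        return f.read() == data


def _write_atomic(path, data, mode):
    """Temp file in the same directory, fchmod before any bytes land, then
    rename over the target so named never opens a half-written key."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path), prefix=".keysync-")
    try:
        os.fchmod(fd, mode)
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def sync_keys(entries, keydir):
    """Materialise entries into keydir and return (written, removed) names.
    Key files on disk whose entry is gone from LDAP are deleted: that is the
    clean-up step the thread says bind-dyndb-ldap (or a helper) must do."""
    os.makedirs(keydir, mode=0o700, exist_ok=True)
    wanted = {}
    for e in entries:
        stem = _safe_stem(e["cn"])
        wanted[stem + ".key"] = (e[ATTR_PUB], PUB_MODE)
        wanted[stem + ".private"] = (e[ATTR_PRIV], PRIV_MODE)

    written = []
    for name, (data, mode) in sorted(wanted.items()):
        path = os.path.join(keydir, name)
        if not _is_current(path, data, mode):   # also repairs a loosened mode
            _write_atomic(path, data, mode)
            written.append(name)

    removed = []
    for name in sorted(os.listdir(keydir)):
        if name.endswith((".key", ".private")) and name not in wanted:
            os.unlink(os.path.join(keydir, name))
            removed.append(name)
    return written, removed


def demo():
    """Three sync rounds on constructed entries in a scratch directory.
    The key blobs are made-up placeholders, not real DNSSEC key material."""
    zsk = {"cn": "Kexample.com.+008+11111",
           ATTR_PUB: b"example.com. IN DNSKEY 256 3 8 AwEAAc...\n",
           ATTR_PRIV: b"Private-key-format: v1.3\nAlgorithm: 8 (RSASHA256)\n"}
    ksk = {"cn": "Kexample.com.+008+22222",
           ATTR_PUB: b"example.com. IN DNSKEY 257 3 8 AwEAAd...\n",
           ATTR_PRIV: b"Private-key-format: v1.3\nAlgorithm: 8 (RSASHA256)\n"}
    keydir = tempfile.mkdtemp(prefix="dnssec-keys-")
    first = sync_keys([zsk, ksk], keydir)    # both pairs written
    second = sync_keys([zsk, ksk], keydir)   # nothing changed: no writes
    third = sync_keys([ksk], keydir)         # ZSK entry gone: its files removed
    priv = os.path.join(keydir, ksk["cn"] + ".private")
    rejected = False
    try:
        sync_keys([{"cn": "../etc", ATTR_PUB: b"", ATTR_PRIV: b""}], keydir)
    except ValueError:
        rejected = True
    return {"first": first, "second": second, "third": third,
            "priv_mode": stat.S_IMODE(os.stat(priv).st_mode),
            "leftover": sorted(os.listdir(keydir)), "rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

The cn check matters because the file name is derived from data an LDAP writer controls; without it a crafted cn could place a file outside the key directory. Writing to a temp file, setting the mode on the descriptor and then renaming means the .private file is never observable with a permissive mode or with partial contents, and re-checking the mode on every pass also repairs a file an admin loosened by hand.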

[Freeipa-devel] Announcing FreeIPA 3.2.2

2013-07-17 Thread Martin Kosek
The FreeIPA team is proud to announce FreeIPA v3.2.2.

It can be downloaded from http://www.freeipa.org/page/Downloads. The new
version has also been built for Fedora 19 and is on its way to updates-testing.

== Highlights in 3.2.2 ==

=== New features for 3.2.2 ===
* Significant improvement of performance with large number of users or groups.
Several LDAP server indexes were added for this purpose.
* freeipa-server-selinux package with custom FreeIPA SELinux policy is dropped,
all policy is now contained in system policy package

=== Bug fixes ===
* Removes systemd-related deadlock when a server with running FreeIPA services
is restarted
* Fixes ownership issues in CRL publishing directory 
(/var/lib/ipa/pki-ca/publish/)
* ipa-replica-prepare and ipa-replica-install now do not crash on system with
gnupg2 package only (without older gnupg package)
* CRL file can now be retrieved via plain http protocol without redirection to
https, as defined in certificates published by FreeIPA
* Entitlement plugin is removed from FreeIPA codebase as it was neither
supported nor tested
* Many bugfixes related to CA-less installation
* ... and many other stabilization fixes, see Detailed changelog for full
details

== Upgrading ==
An IPA server can be upgraded simply by installing updated rpms. The server
does not need to be shut down in advance.

Please note that the performance improvements require an extended set of
indexes to be configured. RPM update for an IPA server with an excessive number
of users may require several minutes to finish.

If you have multiple servers you may upgrade them one at a time. It is expected
that all servers will be upgraded in a relatively short period (days or weeks
not months). They should be able to co-exist peacefully but new features will
not be available on old servers and enrolling a new client against an old
server will result in the SSH keys not being uploaded.

Downgrading a server once upgraded is not supported.

Upgrading from 2.2.0 and later versions is supported. Upgrading from previous
versions is not supported and has not been tested.

An enrolled client does not need the new packages installed unless you want to
re-enroll it. SSH keys for already installed clients are not uploaded, you will
have to re-enroll the client or manually upload the keys.

== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users mailing
list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel
on Freenode.

== Detailed Changelog since 3.2.1 ==
=== Ana Krivokapic (8): ===
* Fix displaying of success message
* Improve handling of options in ipa-client-install
* Do not display traceback to user
* Fix bug in adtrustinstance
* Use correct DS instance in ipactl status
* Avoid systemd service deadlock during shutdown
* Make sure replication works after DM password is changed
* Use --ignore-dependencies only when necessary

=== Jan Cholasta (16): ===
* Use the correct PKCS#12 file for HTTP server.
* Remove stray error condition in ipa-server-install.
* Handle exceptions gracefully when verifying PKCS#12 files.
* Skip empty lines when parsing pk12util output.
* Do not allow installing CA replicas in CA-less setup.
* Do not track DS certificate in CA-less setup.
* Fix CA-less check in ipa-replica-install and ipa-ca-install.
* Do not skip SSSD known hosts in ipa-client-install --ssh-trust-dns.
* Skip cert issuer validation in service and host commands in CA-less install.
* Check trust chain length in CA-less install.
* Use LDAP search instead of *group_show to check if a group exists.
* Use LDAP search instead of *group_show to check for a group objectclass.
* Use LDAP modify operation directly to add/remove group members.
* Add missing substring indices for attributes managed by the referint plugin.
* Add missing equality index for ipaUniqueId.
* Run gpg-agent explicitly when encrypting/decrypting files.

=== Lukas Slebodnik (1): ===
* Use pkg-config to detect cmocka

=== Martin Kosek (7): ===
* Remove entitlement support
* Enable SASL mapping fallback.
* Drop SELinux subpackage
* Drop redundant directory /var/cache/ipa/sessions
* Run server upgrade and restart in posttrans
* Require new selinux-policy replacing old server-selinux subpackage
* Become 3.2.2

=== Nathaniel McCallum (3): ===
* Fix client install exception if /etc/ssh is missing
* Permit reads to ipatokenRadiusProxyUser objects
* Fix for small syntax error in OTP schema

=== Petr Vobornik (5): ===
* Regression fix: rule table with ext. member support doesn't offer any items
* Fix default value selection in radio widget
* Do not redirect to https in /ipa/ui on non-HTML files
* Create Firefox configuration extension on CA-less install
* Disable checkboxes and radios for readonly attributes

=== Rob Crittenden (1): ===
* Return the correct Content-type on negotiated XML-RPC requests.

=== Sumit Bose (1): ===
* Fix type of printf argument

=== Tomas Babej (2): ===
* Do not redirect ipa/crl to 

[Freeipa-devel] [PATCH] Use libunistring ulc_casecmp() on unicode strings

2013-07-17 Thread Nathaniel McCallum
attached

From c3216dc6e35ab2be96d1e0b9c9ff536e2340 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum npmccal...@redhat.com
Date: Tue, 16 Jul 2013 11:47:27 -0400
Subject: [PATCH] Use libunistring ulc_casecmp() on unicode strings

https://fedorahosted.org/freeipa/ticket/3772
---
 daemons/configure.ac | 10 ++
 daemons/ipa-kdb/Makefile.am  |  1 +
 daemons/ipa-kdb/ipa_kdb.h|  2 +-
 daemons/ipa-kdb/ipa_kdb_common.c | 15 ---
 daemons/ipa-kdb/ipa_kdb_principals.c | 15 ---
 5 files changed, 36 insertions(+), 7 deletions(-)

diff --git a/daemons/configure.ac b/daemons/configure.ac
index 8219f2c53eb5e940883dd2ffe25ca85cf83dd78b..a1211f39079925e2706e490c012199b20cf487e8 100644
--- a/daemons/configure.ac
+++ b/daemons/configure.ac
@@ -190,6 +190,16 @@ AC_CHECK_LIB([pdb],[pdb_enum_upn_suffixes],
  [$SAMBA40EXTRA_LIBPATH])
 
 dnl ---
+dnl Check for libunistring
+dnl ---
+AC_CHECK_HEADERS([unicase.h],,AC_MSG_ERROR([Could not find unicase.h]))
+AC_CHECK_LIB([unistring],
+ [ulc_casecmp],
+ [UNISTRING_LIBS=-lunistring],
+ [AC_MSG_ERROR([libunistring does not have ulc_casecmp])])
+AC_SUBST(UNISTRING_LIBS)
+
+dnl ---
 dnl Check for libverto
 dnl ---
 PKG_CHECK_MODULES([LIBVERTO], [libverto])
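Review bot: both AC_MSG_ERROR texts ("Could not find unicase.h", "libunistring does not have ulc_casecmp") stop short of telling the builder what to install; name libunistring (libunistring-devel on Fedora) in the messages. The diffstat lists only configure.ac, the ipa-kdb Makefile and three ipa-kdb sources, so the spec file's BuildRequires for libunistring is not added by this patch and a clean mock/koji build will fail on this new configure check until it is.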
diff --git a/daemons/ipa-kdb/Makefile.am b/daemons/ipa-kdb/Makefile.am
index 13c4551318c7997397d0d83c51a0ffb99490e926..dc543dd56e5c1c094bc7356febea8c8362b94aa2 100644
--- a/daemons/ipa-kdb/Makefile.am
+++ b/daemons/ipa-kdb/Makefile.am
@@ -50,6 +50,7 @@ ipadb_la_LIBADD = 		\
 	$(KRB5_LIBS)		\
 	$(LDAP_LIBS)		\
 	$(NDRPAC_LIBS)		\
+	$(UNISTRING_LIBS)	\
 	$(NULL)
 
 if HAVE_CHECK
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index 54869d8f9f19b7e19d03a5020782064d36aeadd3..f7797c493715d540f079ba3888e004418cdc19de 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -158,7 +158,7 @@ int ipadb_ldap_attr_to_krb5_timestamp(LDAP *lcontext, LDAPMessage *le,
   char *attrname, krb5_timestamp *result);
 
 int ipadb_ldap_attr_has_value(LDAP *lcontext, LDAPMessage *le,
-  char *attrname, char *value);
+  char *attrname, const char *value);
 int ipadb_ldap_deref_results(LDAP *lcontext, LDAPMessage *le,
  LDAPDerefRes **results);
 
diff --git a/daemons/ipa-kdb/ipa_kdb_common.c b/daemons/ipa-kdb/ipa_kdb_common.c
index e227602ea081cc155bfffb80d2fb1758a66fa9a5..112086b57c9f83895589538b5494ae81fb14a948 100644
--- a/daemons/ipa-kdb/ipa_kdb_common.c
+++ b/daemons/ipa-kdb/ipa_kdb_common.c
@@ -21,6 +21,7 @@
  */
 
 #include ipa_kdb.h
+#include unicase.h
 
 static struct timeval std_timeout = {300, 0};
 
@@ -518,20 +519,28 @@ int ipadb_ldap_attr_to_krb5_timestamp(LDAP *lcontext, LDAPMessage *le,
 }
 
 int ipadb_ldap_attr_has_value(LDAP *lcontext, LDAPMessage *le,
-  char *attrname, char *value)
+  char *attrname, const char *value)
 {
 struct berval **vals;
 int ret = ENOENT;
-int i;
+int i, result;
 
 vals = ldap_get_values_len(lcontext, le, attrname);
 if (vals) {
 for (i = 0; vals[i]; i++) {
-if (strcasecmp(vals[i]-bv_val, value) == 0) {
+if (ulc_casecmp(vals[i]-bv_val, vals[i]-bv_len,
+value, strlen(value),
+NULL, NULL, result) != 0) {
+ret = errno;
+break;
+}
+
+if (result == 0) {
 ret = 0;
 break;
 }
 }
+
 ldap_value_free_len(vals);
 }
 
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 3566e1ece897d79ced0f18a27c7acaaa64c83544..66d434a531b478dfff42dd7d389bc04ed72bad50 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -21,6 +21,7 @@
  */
 
 #include ipa_kdb.h
+#include unicase.h
 
 /*
  * During TGS request search by ipaKrbPrincipalName (case-insensitive)
@@ -614,7 +615,7 @@ static krb5_error_code ipadb_find_principal(krb5_context kcontext,
 bool found = false;
 LDAPMessage *le = NULL;
 struct berval **vals;
-int i;
+int i, result;
 
 ipactx = ipadb_get_context(kcontext);
 if (!ipactx) {
@@ -643,7 +644,11 @@ static krb5_error_code ipadb_find_principal(krb5_context kcontext,
 /* KDC will accept aliases when doing TGT lookup (ref_tgt_again in do_tgs_req.c */
 /* Use case-insensitive comparison in such cases */
 if ((flags  KRB5_KDB_FLAG_ALIAS_OK) != 0) {
- 

Re: [Freeipa-devel] [PATCH] 0046 Properly handle non-existent CA file

2013-07-17 Thread Ana Krivokapic
On 07/17/2013 06:04 PM, Jan Cholasta wrote:
 On 17.7.2013 17:39, Ana Krivokapic wrote:
 On 07/17/2013 04:57 PM, Jan Cholasta wrote:
 Hi,

 On 17.7.2013 16:38, Ana Krivokapic wrote:
 Hello,

 This patch addresses ticket https://fedorahosted.org/freeipa/ticket/3785.


 NACK, this results in an unnecessarily ugly error message [Errno 2] No such
 file or directory: 'file'.

 I would suggest something like this instead:

 except IOError as e:
     raise ScriptError("Failed to open %s: %s" % (ca_cert_name, e.strerror))

 Fixed.

 Hmm, seeing how RuntimeError is used for this kind of thing in import_pkcs12,
 I think it would make sense to catch the IOError right in import_pem_cert and
 re-raise it as RuntimeError and then handle that RuntimeError in check_pkcs12
 (sorry for misleading you into doing something else in my previous mail).

I don't see much value in doing that - it just adds complexity. I would rather
leave it as it is.


 Can you please also check what happens if you pass non-existent filename to
 --dirsrv_pkcs12 and --http_pkcs12?

 Honza


 I added a more specific error message to cover these cases.

 Can you please also add it to find_root_cert_from_pkcs12?

Done, thanks for catching that.


 Updated patch attached.


 Honza


Updated patch is attached.

-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.

From 688675612f2a139eb090301b8dec2b56b1a34df0 Mon Sep 17 00:00:00 2001
From: Ana Krivokapic akriv...@redhat.com
Date: Wed, 17 Jul 2013 16:30:15 +0200
Subject: [PATCH] Properly handle non-existent cert files

https://fedorahosted.org/freeipa/ticket/3785
---
 ipaserver/install/certs.py| 4 
 ipaserver/install/installutils.py | 4 +++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 06925d53b2fa6df6d94d41d758944b6497ce2bcd..54ecf53df68312e6aa835ad2209f905210dfb7b0 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -188,6 +188,8 @@ def import_pkcs12(self, pkcs12_filename, db_password_filename,
 if e.returncode == 17:
 raise RuntimeError(incorrect password for pkcs#12 file %s %
 pkcs12_filename)
+elif e.returncode == 10:
+raise RuntimeError(Failed to open %s % pkcs12_filename)
 else:
 raise RuntimeError(unknown error import pkcs#12 file %s %
 pkcs12_filename)
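Review bot: this returncode-to-message mapping (17 and now 10) is repeated verbatim in find_root_cert_from_pkcs12 in the next hunk; a small helper that turns a CalledProcessError plus file name into the RuntimeError would keep the two in sync and give one place to document what pk12util's exit statuses 17 and 10 mean.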
@@ -206,6 +208,8 @@ def find_root_cert_from_pkcs12(self, pkcs12_fname, passwd_fname=None):
 except ipautil.CalledProcessError, e:
 if e.returncode == 17:
 raise RuntimeError(incorrect password for pkcs#12 file)
+elif e.returncode == 10:
+raise RuntimeError(Failed to open %s % pkcs12_fname)
 else:
 raise RuntimeError(unknown error using pkcs#12 file)
 
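Review bot: the new "Failed to open %s" line includes pkcs12_fname, but the password message in the same chain still reads "incorrect password for pkcs#12 file" with no name and the fall-through says "unknown error using pkcs#12 file"; make the three consistent so the admin always sees which file failed. The `except ipautil.CalledProcessError, e:` context line two lines up is the Python 2-only syntax that the installutils hunk of this same patch moves away from; worth converting while the function is touched.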
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index a716525b3ebc20fe516613d57f19377519212a5a..188971f40f7c15cb473d590c2fcc2001b6419db7 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -721,8 +721,10 @@ def check_pkcs12(pkcs12_info, ca_file, hostname):
 ca_cert_name = 'The Root CA'
 try:
 nssdb.import_pem_cert(ca_cert_name, CT,C,C, ca_file)
-except ValueError, e:
+except ValueError as e:
 raise ScriptError(str(e))
+except IOError as e:
+raise ScriptError(Failed to open %s: %s % (ca_cert_name, e.strerror))
 
 # Import everything in the PKCS#12
 nssdb.import_pkcs12(pkcs12_filename, db_pwd_file.name, pin_filename)
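Review bot: the IOError branch formats ca_cert_name ('The Root CA' per the context line) rather than the path that failed, so the message still does not say which file to fix; use ca_file or e.filename. Separately, the nssdb.import_pkcs12 call on the last context line sits outside this try block, and the certs.py hunks of this patch make it raise RuntimeError("Failed to open ...") for a missing --dirsrv_pkcs12/--http_pkcs12 file; unless check_pkcs12's caller already converts RuntimeError into a ScriptError, that case will still end in a traceback, which is what ticket 3785 is about.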
-- 
1.8.1.4


[Freeipa-devel] [PATCH] 0047 Honor 'enabled' option for widgets

2013-07-17 Thread Ana Krivokapic
Hello,

This patch addresses ticket https://fedorahosted.org/freeipa/ticket/3793.

-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.

From a5c286306cd0a4df596fcb8784de88545a51b043 Mon Sep 17 00:00:00 2001
From: Ana Krivokapic akriv...@redhat.com
Date: Wed, 17 Jul 2013 21:13:42 +0200
Subject: [PATCH] Honor 'enabled' option for widgets.

https://fedorahosted.org/freeipa/ticket/3793
---
 install/ui/src/freeipa/widget.js | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/install/ui/src/freeipa/widget.js b/install/ui/src/freeipa/widget.js
index 06fcef563ca416e6e3e1cc454f2e1dd665c68f26..2d27b1df55d922cd04360f625321402b6a1ced9c 100644
--- a/install/ui/src/freeipa/widget.js
+++ b/install/ui/src/freeipa/widget.js
@@ -98,6 +98,8 @@ IPA.input_widget = function(spec) {
 that.writable = spec.writable === undefined ? true : spec.writable;
 that.read_only = spec.read_only;
 that.hidden = spec.hidden;
+that.enabled = spec.enabled === undefined ? true : spec.enabled;
+that.disabled = !that.enabled;
 
 //events
 //each widget can contain several events
-- 
1.8.1.4
