[Freeipa-devel] [PATCH] 167 Fix service-disable in CA-less install

2013-08-29 Thread Jan Cholasta

Hi,

the attached patch fixes https://fedorahosted.org/freeipa/ticket/3886.

Honza

--
Jan Cholasta
From 90f08d568ecc085bc559c7565bb106e6e7415839 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Thu, 29 Aug 2013 08:44:43 +0200
Subject: [PATCH] Fix service-disable in CA-less install.

https://fedorahosted.org/freeipa/ticket/3886
---
 ipalib/plugins/service.py | 41 +
 1 file changed, 21 insertions(+), 20 deletions(-)

diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py
index b10054f..0a49d8d 100644
--- a/ipalib/plugins/service.py
+++ b/ipalib/plugins/service.py
@@ -624,27 +624,28 @@ class service_disable(LDAPQuery):
 done_work = False
 
 if 'usercertificate' in entry_attrs:
-cert = x509.normalize_certificate(entry_attrs.get('usercertificate')[0])
-try:
-serial = unicode(x509.get_serial_number(cert, x509.DER))
+if self.api.env.enable_ra:
+cert = x509.normalize_certificate(entry_attrs.get('usercertificate')[0])
 try:
-result = api.Command['cert_show'](unicode(serial))['result']
-if 'revocation_reason' not in result:
-try:
-api.Command['cert_revoke'](unicode(serial), revocation_reason=4)
-except errors.NotImplementedError:
-# some CA's might not implement revoke
-pass
-except errors.NotImplementedError:
-# some CA's might not implement revoke
-pass
-except NSPRError, nsprerr:
-if nsprerr.errno == -8183:
-# If we can't decode the cert them proceed with
-# disabling the service
-self.log.info(Problem decoding certificate %s % nsprerr.args[1])
-else:
-raise nsprerr
+serial = unicode(x509.get_serial_number(cert, x509.DER))
+try:
+result = api.Command['cert_show'](unicode(serial))['result']
+if 'revocation_reason' not in result:
+try:
+api.Command['cert_revoke'](unicode(serial), revocation_reason=4)
+except errors.NotImplementedError:
+# some CA's might not implement revoke
+pass
+except errors.NotImplementedError:
+# some CA's might not implement revoke
+pass
+except NSPRError, nsprerr:
+if nsprerr.errno == -8183:
+# If we can't decode the cert them proceed with
+# disabling the service
+self.log.info(Problem decoding certificate %s % nsprerr.args[1])
+else:
+raise nsprerr
 
 # Remove the usercertificate altogether
 ldap.update_entry(dn, {'usercertificate': None})
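Review bot: the new branch tests `self.api.env.enable_ra`, but the calls inside it still go through the module-level `api.Command['cert_show']` and `api.Command['cert_revoke']`; use either `self.api` or `api` consistently so the check and the commands are guaranteed to refer to the same API instance. When `enable_ra` is false the certificate is now removed from the entry with no revocation attempt and nothing logged; a `self.log.info` line stating that revocation was skipped because no RA is configured would make the CA-less path visible in the logs.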
-- 
1.8.4

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 167 Fix service-disable in CA-less install

2013-08-29 Thread Petr Viktorin

On 08/29/2013 08:48 AM, Jan Cholasta wrote:

Hi,

the attached patch fixes https://fedorahosted.org/freeipa/ticket/3886.

Honza



Thanks, ACK, pushed to:
master: 7c66912824fbc2a4a2d1daf603b204fd7321bd8f
ipa-3-3: fe4a96de52c15eb54d828a4ea0144b392d4a101b

--
Petr³



Re: [Freeipa-devel] FreeIPA server package group

2013-08-29 Thread Petr Viktorin

On 08/28/2013 12:20 PM, Tomas Babej wrote:

On 08/28/2013 12:03 PM, Petr Viktorin wrote:

On 08/28/2013 11:46 AM, Tomas Babej wrote:

On 08/26/2013 10:14 AM, Tomas Babej wrote:

On Mon 26 Aug 2013 10:12:09 AM CEST, Petr Vobornik wrote:

On 08/26/2013 09:54 AM, Tomas Babej wrote:

Hi,

I cooked up a patch for comps that adds a FreeIPA package group.

Please chime in if you're OK with package selection / description.

For illustration, see the attached image. FreeIPA will be added as an
add-on in an installer under the Infrastructure server environment,
that means, in the included images it will be at the same level
as DNS or FTP server.

It will also appear in the Software Selection tool (PackageKit).

It should also be available as yum groupinstall FreeIPA server,
and in PackageKit, as I understand comps is also the source for that.

https://fedoraproject.org/wiki/How_to_use_and_edit_comps.xml_for_package_groups





https://fedorahosted.org/freeipa/ticket/3630




IMO the Audit part in the description is false advertisement. Same
issue is in package descriptions.


I know, it's taken directly from there.

I'd rather have it consistent: if we're going to change it here, we
should do it there too, so that we do not end up with multiple (seemingly
incomplete) descriptions at various places.


Does anybody else have any other concerns? We need to move with this
effort since the string freeze for F20 is coming.

I'm particularly dubious about including the freeipa-tests package.


I don't think that should be included, developer tests are unnecessary
for a server.


It was marked as optional in the initial proposal, but I agree it's
unnecessary for it to be there at all.

We discussed the A (as Audit) part in the description with Rob. The
fact is that this is taken from the freeipa-server package description
and nobody complained in 7 years.




Updated tests attached.



Oh, one more thing I remembered just now -- is it too late?
We should include bind-dyndb-ldap (which pulls in bind). Preferably as
default.


--
Petr³



Re: [Freeipa-devel] FreeIPA server package group

2013-08-29 Thread Tomas Babej

On 08/29/2013 11:55 AM, Petr Viktorin wrote:

On 08/28/2013 12:20 PM, Tomas Babej wrote:

On 08/28/2013 12:03 PM, Petr Viktorin wrote:

On 08/28/2013 11:46 AM, Tomas Babej wrote:

On 08/26/2013 10:14 AM, Tomas Babej wrote:

On Mon 26 Aug 2013 10:12:09 AM CEST, Petr Vobornik wrote:

On 08/26/2013 09:54 AM, Tomas Babej wrote:

Hi,

I cooked up a patch for comps that adds a FreeIPA package group.

Please chime in if you're OK with package selection / description.

For illustration, see the attached image. FreeIPA will be added as an
add-on in an installer under the Infrastructure server environment,
that means, in the included images it will be at the same level
as DNS or FTP server.

It will also appear in the Software Selection tool (PackageKit).

It should also be available as yum groupinstall FreeIPA server,
and in PackageKit, as I understand comps is also the source for that.


https://fedoraproject.org/wiki/How_to_use_and_edit_comps.xml_for_package_groups







https://fedorahosted.org/freeipa/ticket/3630




IMO the Audit part in the description is false advertisement. Same
issue is in package descriptions.


I know, it's taken directly from there.

I'd rather have it consistent: if we're going to change it here, we
should do it there too, so that we do not end up with multiple (seemingly
incomplete) descriptions at various places.


Does anybody else have any other concerns? We need to move with this
effort since the string freeze for F20 is coming.

I'm particularly dubious about including the freeipa-tests package.


I don't think that should be included, developer tests are unnecessary
for a server.


It was marked as optional in the initial proposal, but I agree it's
unnecessary for it to be there at all.

We discussed the A (as Audit) part in the description with Rob. The
fact is that this is taken from the freeipa-server package description
and nobody complained in 7 years.




Updated tests attached.



Oh, one more thing I remembered just now -- is it too late?
We should include bind-dyndb-ldap (which pulls in bind). Preferably as
default.




I included it there.

If anyone else wants to chime in, please do now, I'll create a ticket 
with rel-eng at the end of the day.


--
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org

From 272fcf907816e42bb38803de4dc0ae14a8c98676 Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Mon, 26 Aug 2013 09:26:23 +0200
Subject: [PATCH] Add FreeIPA server package group

---
 comps-f20.xml.in | 15 +++
 comps-f21.xml.in | 15 +++
 2 files changed, 30 insertions(+)

diff --git a/comps-f20.xml.in b/comps-f20.xml.in
index 5e3aa7985d1621b02da6aef322e47cdac3ba55bc..9494a5fdb941e6a94f18fde26b930081c8071639 100644
--- a/comps-f20.xml.in
+++ b/comps-f20.xml.in
@@ -2358,6 +2358,19 @@
 /packagelist
   /group
   group
+idfreeipa-server/id
+_nameFreeIPA Server/_name
+_descriptionIntegrated solution to provide centrally managed Identity, Policy and Audit./_description
+defaultfalse/default
+uservisibletrue/uservisible
+packagelist
+  packagereq type=mandatoryfreeipa-server/packagereq
+  packagereq type=defaultfreeipa-server-strict/packagereq
+  packagereq type=defaultfreeipa-server-trust-ad/packagereq
+  packagereq type=defaultbind-dyndb-ldap/packagereq
+/packagelist
+  /group
+  group
 idfinnish-support/id
 _nameFinnish Support/_name
 _description/
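Review bot: the `_description` text still advertises "Identity, Policy and Audit", which Petr Vobornik flagged earlier in this thread as overstating what the packages provide; if the decision is to keep it in sync with the freeipa-server package description, say so in the commit message so the wording is not re-litigated at each review. Also, `freeipa-server-trust-ad` is `type=default`, so every install of the group pulls in the AD trust support even on servers that will never establish a trust; `optional` would keep the default footprint to what a plain IdM server needs, leaving the mandatory `freeipa-server` and the default `bind-dyndb-ldap` as agreed in the thread.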
@@ -6373,6 +6386,7 @@
 optionlist
   groupiddogtag/groupid
   groupiddns-server/groupid
+  groupidfreeipa-server/groupid
   groupidftp-server/groupid
   groupidmail-server/groupid
   groupidnetwork-server/groupid
@@ -6589,6 +6603,7 @@
   groupiddirectory-server/groupid
   groupiddns-server/groupid
   groupiddogtag/groupid
+  groupidfreeipa-server/groupid
   groupidftp-server/groupid
   groupidha/groupid
   groupidhaproxy/groupid
diff --git a/comps-f21.xml.in b/comps-f21.xml.in
index 8dea507bee171e0e4ada778a6104939ceafdddae..ce41839a3f52faaa530280b4ae701ac62069d4e9 100644
--- a/comps-f21.xml.in
+++ b/comps-f21.xml.in
@@ -2358,6 +2358,19 @@
 /packagelist
   /group
   group
+idfreeipa-server/id
+_nameFreeIPA Server/_name
+_descriptionIntegrated solution to provide centrally managed Identity, Policy and Audit./_description
+defaultfalse/default
+uservisibletrue/uservisible
+packagelist
+  packagereq type=mandatoryfreeipa-server/packagereq
+  packagereq type=defaultfreeipa-server-strict/packagereq
+  packagereq type=defaultfreeipa-server-trust-ad/packagereq
+  packagereq type=defaultbind-dyndb-ldap/packagereq
+/packagelist
+  /group
+  group
 idfinnish-support/id
 _nameFinnish Support/_name
 _description/
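Review bot: this hunk is identical to the comps-f20.xml.in one, so the same comments on the "Audit" wording and on `freeipa-server-trust-ad` being `type=default` apply; whatever is settled for F20 should be applied to both files in the same commit so the two groups do not drift apart.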
@@ -6386,6 +6399,7 @@
 optionlist
   groupiddogtag/groupid
   groupiddns-server/groupid
+  groupidfreeipa-server/groupid
   

Re: [Freeipa-devel] [PATCH 0087] Log proper error message when defaultNamingContext not found

2013-08-29 Thread Petr Viktorin

On 08/28/2013 02:11 PM, Tomas Babej wrote:

On 08/28/2013 01:22 PM, Rob Crittenden wrote:

Tomas Babej wrote:

Hi,

When adding a trust using trust-add with misconfigured DNS,
an improper LDAP entry might be returned. Log a proper error
message.

https://fedorahosted.org/freeipa/ticket/3690


I think this should include which KeyError was raised to help
diagnose the problem.

rob


Fixed and rebased on top of current head.



ACK, pushed to
master: a3d489443c85629aa176df048c6b3505a7ee4586
ipa-3-3: c0dddb4d69bbd1015b6ce0476e6537b1e1448b0a


--
Petr³



[Freeipa-devel] [PATCH] 0059 Create DS user and group during ipa-restore

2013-08-29 Thread Ana Krivokapic
Hello,

This patch addresses ticket https://fedorahosted.org/freeipa/ticket/3856.

-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.

From f1a2a00f72961c88530be8aa1a62fb15758d90b5 Mon Sep 17 00:00:00 2001
From: Ana Krivokapic akriv...@redhat.com
Date: Thu, 29 Aug 2013 12:11:55 +0200
Subject: [PATCH] Create DS user and group during ipa-restore

ipa-restore would fail if DS user did not exist. Check for presence of DS
user and group and create them if needed.

https://fedorahosted.org/freeipa/ticket/3856
---
 install/share/copy-schema-to-ca.py |  5 ++--
 install/tools/ipa-replica-install  | 15 ++--
 install/tools/ipa-server-install   | 11 +
 ipaserver/install/dsinstance.py| 29 ---
 ipaserver/install/installutils.py  | 47 ++
 ipaserver/install/ipa_backup.py|  4 ++--
 ipaserver/install/ipa_restore.py   |  8 ---
 ipaserver/install/krbinstance.py   |  2 +-
 8 files changed, 66 insertions(+), 55 deletions(-)

diff --git a/install/share/copy-schema-to-ca.py b/install/share/copy-schema-to-ca.py
index 1888f12513aa3edf22149e9330afea99f62bf41d..fe99a9256f1298bae1c746ea0c4d41339a4fbebb 100755
--- a/install/share/copy-schema-to-ca.py
+++ b/install/share/copy-schema-to-ca.py
@@ -15,10 +15,11 @@
 import pwd
 import shutil
 
-from ipapython import services, ipautil, dogtag
+from ipapython import services, ipautil
 from ipapython.ipa_log_manager import root_logger, standard_logging_setup
-from ipaserver.install.dsinstance import DS_USER, schema_dirname
+from ipaserver.install.dsinstance import schema_dirname
 from ipaserver.install.cainstance import PKI_USER
+from ipaserver.install.installutils import DS_USER
 from ipalib import api
 
 SERVERID = PKI-IPA
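Review bot: besides moving `DS_USER` from dsinstance to installutils, this hunk also drops `dogtag` from the `from ipapython import ...` line; that is an unrelated cleanup of a presumably unused import and deserves a mention in the commit message (or its own patch) so a reader of the history knows it was intentional and not an accidental loss.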
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 947c51f6f287ffce52994408352601388faf56a6..0c2a1c6804e28cfef89da86c0e3b5fcaf2c5bfa1 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -147,7 +147,7 @@ def get_dirman_password():
 return installutils.read_password(Directory Manager (existing master), confirm=False, validate=False)
 
 def set_owner(config, dir):
-pw = pwd.getpwnam(dsinstance.DS_USER)
+pw = pwd.getpwnam(installutils.DS_USER)
 os.chown(dir, pw.pw_uid, pw.pw_gid)
 
 def install_replica_ds(config):
@@ -574,18 +574,7 @@ def main():
 api.finalize()
 
 # Create DS group if it doesn't exist yet
-try:
-grp.getgrnam(dsinstance.DS_GROUP)
-root_logger.debug(ds group %s exists % dsinstance.DS_GROUP)
-group_exists = True
-except KeyError:
-group_exists = False
-args = [/usr/sbin/groupadd, -r, dsinstance.DS_GROUP]
-try:
-ipautil.run(args)
-root_logger.debug(done adding DS group)
-except ipautil.CalledProcessError, e:
-root_logger.critical(failed to add DS group: %s % e)
+group_exists = installutils.create_ds_group()
 sstore.backup_state(install, group_exists, group_exists)
 
 #Automatically disable pkinit w/ dogtag until that is supported
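Review bot: the removed block set `group_exists = False` whenever it had to create the group, and when `groupadd` failed it only logged `failed to add DS group` and carried on; `installutils.create_ds_group()` is not visible in this diff, so confirm it returns True only when the group already existed (the value goes into `sstore.backup_state('install', 'group_exists', ...)` and decides whether uninstall removes the group) and decide explicitly whether a failed `groupadd` should now abort the install instead of being logged and ignored.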
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 86ca3447bfaab1763324ce57c67c073a8fa93963..3054a5c99b5d72d74ea3908cfc3d60647c25ce4b 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -971,16 +971,7 @@ def main():
 ipaservices.backup_and_replace_hostname(fstore, sstore, host_name)
 
 # Create DS group if it doesn't exist yet
-try:
-grp.getgrnam(dsinstance.DS_GROUP)
-root_logger.debug(ds group %s exists % dsinstance.DS_GROUP)
-except KeyError:
-args = [/usr/sbin/groupadd, -r, dsinstance.DS_GROUP]
-try:
-ipautil.run(args)
-root_logger.debug(done adding DS group)
-except ipautil.CalledProcessError, e:
-root_logger.critical(failed to add DS group: %s % e)
+installutils.create_ds_group()
 
 # Create a directory server instance
 if external != 2:
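Review bot: the return value of `installutils.create_ds_group()` is discarded here, while the ipa-replica-install hunk stores it as `group_exists` in the sstore; if server uninstall also needs to know whether the dirsrv group was created by the installer, record the value the same way here, otherwise a one-line comment on why the server path does not track it would save the next reader the question.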
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index f543efadc6568a022fbb0a2ee07833612f9466f7..872e8c1941608f47a52335b1ac813102abdecff3 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -45,8 +45,6 @@
 SERVER_ROOT_32 = /usr/lib/dirsrv
 CACERT=/etc/ipa/ca.crt
 
-DS_USER = 'dirsrv'
-DS_GROUP = 'dirsrv'
 
 def find_server_root():
 if ipautil.dir_exists(SERVER_ROOT_64):
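Review bot: removing `DS_USER`/`DS_GROUP` leaves two consecutive blank lines above `find_server_root()`. These were also public module attributes, and the diffstat shows copy-schema-to-ca.py and krbinstance.py had to be touched because of it; any out-of-tree script that does `from ipaserver.install.dsinstance import DS_USER` will break, so consider keeping the two names importable from dsinstance (re-exported from installutils) unless that creates an import cycle.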
@@ -194,7 +192,7 @@ def __init__(self, realm_name=None, domain_name=None, dm_password=None,
 
 def __common_setup(self, enable_ssl=False):
 
-self.step(creating directory server user, self.__create_ds_user)
+self.step(creating directory server user, installutils.create_ds_user)
 self.step(creating directory server instance, self.__create_instance)
 self.step(adding default schema, self.__add_default_schemas)
 

Re: [Freeipa-devel] [PATCH] 1104 move NULL check

2013-08-29 Thread Tomas Babej

On 08/28/2013 04:40 PM, Rob Crittenden wrote:
Move a NULL check in the lockout plugin to address something Coverity
found. There is no risk of a crash here but there is also no point
calling something if we know the values are NULL.


rob




ACK

--
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org


Re: [Freeipa-devel] [PATCH] 0269 Add man pages for testing tools

2013-08-29 Thread Rob Crittenden

Petr Viktorin wrote:

On 08/28/2013 12:02 AM, Rob Crittenden wrote:

Petr Viktorin wrote:

Hello,

This patch adds man pages for testing tools.
As far as I can see, we use autotools for installing man pages. I added
the autotools machinery to ipatests/man only. I'd appreciate if an
autotools expert could check if this approach is OK.
Or would it be better to not use autotools at all here?

https://fedorahosted.org/freeipa/ticket/3855 (part 5)


Thanks for the review!


You don't have any man pages in section 8 so that can be removed from
Makefile.am.


Removed


You need to add a line break for the various ways to run the commands.

ipa-test-config [options]
ipa-test-config [options] --global
ipa-test-config [options] hostname

renders as

ipa-test-config   [options]ipa-test-config[options]--global
ipa-test-config [options] hostname


Added


ipa-test-config lacks a header.


Which header do you mean? I see the same header as on the other pages.


ipa-test-config doesn't say where the configuration is stored.


It is not stored anywhere; it's read from environment variables and
printed to stdout. I've clarified the description a bit.


ipa-test-task, in the install-topo description drop the word Please.


Removed


Almost none of the 72 options to ipa-run-test are documented in the man
page.


These are taken from the nosetests command and documented in
nosetests(1). Also, the list can change depending on what plugins are
installed.
I think pointing the reader to nosetests(1) is enough.


rob

It's a shame the test commands don't run in the tree.


Well, they will work in-tree if you set PYTHONPATH to the tree.

For example these work without the packages installed:
PYTHONPATH=. ./ipatests/ipa-run-tests test_ipalib/test_config.py
PYTHONPATH=. ./ipatests/ipa-test-task uninstall-all

You can also point the system-installed ipa-run-tests to in-tree tests.
You just need to use an absolute path because it changes the current
directory:
 ipa-run-tests `pwd`/ipatests/test_ipalib/test_config.py



ACK. Please correct the creation date in the man pages before pushing.

rob



Re: [Freeipa-devel] [PATCH] 119 CLDAP: make sure an empty reply is returned on any error

2013-08-29 Thread Tomas Babej

On 08/28/2013 10:25 AM, Sumit Bose wrote:

Hi,

this patch fixes an issue in the CLDAP plugin found by Coverity.

bye,
Sumit




ACK

--
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org


Re: [Freeipa-devel] [PATCH] 0269 Add man pages for testing tools

2013-08-29 Thread Petr Viktorin

On 08/29/2013 03:03 PM, Rob Crittenden wrote:

Petr Viktorin wrote:

On 08/28/2013 12:02 AM, Rob Crittenden wrote:

Petr Viktorin wrote:

Hello,

This patch adds man pages for testing tools.
As far as I can see, we use autotools for installing man pages. I added
the autotools machinery to ipatests/man only. I'd appreciate if an
autotools expert could check if this approach is OK.
Or would it be better to not use autotools at all here?

https://fedorahosted.org/freeipa/ticket/3855 (part 5)


Thanks for the review!


You don't have any man pages in section 8 so that can be removed from
Makefile.am.


Removed


You need to add a line break for the various ways to run the commands.

ipa-test-config [options]
ipa-test-config [options] --global
ipa-test-config [options] hostname

renders as

ipa-test-config   [options]ipa-test-config[options]--global
ipa-test-config [options] hostname


Added


ipa-test-config lacks a header.


Which header do you mean? I see the same header as on the other pages.


ipa-test-config doesn't say where the configuration is stored.


It is not stored anywhere; it's read from environment variables and
printed to stdout. I've clarified the description a bit.


ipa-test-task, in the install-topo description drop the word Please.


Removed


Almost none of the 72 options to ipa-run-test are documented in the man
page.


These are taken from the nosetests command and documented in
nosetests(1). Also, the list can change depending on what plugins are
installed.
I think pointing the reader to nosetests(1) is enough.


rob

It's a shame the test commands don't run in the tree.


Well, they will work in-tree if you set PYTHONPATH to the tree.

For example these work without the packages installed:
PYTHONPATH=. ./ipatests/ipa-run-tests test_ipalib/test_config.py
PYTHONPATH=. ./ipatests/ipa-test-task uninstall-all

You can also point the system-installed ipa-run-tests to in-tree tests.
You just need to use an absolute path because it changes the current
directory:
 ipa-run-tests `pwd`/ipatests/test_ipalib/test_config.py



ACK. Please correct the creation date in the man pages before pushing.

rob


Thank you! Corrected & pushed.
master: f742520760d1b146cd3c5e79a6c86a024570ff6a
ipa-3-3: 5945988d7373d65d5a38b11ade84fabe9ac7bb68


--
Petr³



Re: [Freeipa-devel] [PATCH] 1104 move NULL check

2013-08-29 Thread Petr Viktorin

On 08/29/2013 02:57 PM, Tomas Babej wrote:

On 08/28/2013 04:40 PM, Rob Crittenden wrote:

Move a NULL check in the lockout plugin to address something Coverity
found. There is no risk of a crash here but there is also no point
calling something if we know the values are NULL.

rob




ACK



Pushed to
master: 3940a574f95750e6bd02dcc30953db0fe9146f0a
ipa-3-3: 0688827f3c287c1ec354f90e4748b0c23c4c9883


--
Petr³



Re: [Freeipa-devel] [PATCH] 119 CLDAP: make sure an empty reply is returned on any error

2013-08-29 Thread Petr Viktorin

On 08/29/2013 03:15 PM, Tomas Babej wrote:

On 08/28/2013 10:25 AM, Sumit Bose wrote:

Hi,

this patch fixes an issue in the CLDAP plugin found by Coverity.

bye,
Sumit




ACK


Thank you! Pushed to
master: 5c357b462df8f67379cb3d7f69b1684117f569f3
ipa-3-3: 219a007e8ed7c22edae7e790d1ff73af21a91388

--
Petr³



Re: [Freeipa-devel] [PATCH] EXTDOM: Do not overwrite domain_name for INP_SID

2013-08-29 Thread Sumit Bose
On Mon, Aug 26, 2013 at 10:14:27AM +0200, Jakub Hrozek wrote:
 Hi,
 
 I found the problem when testing Sumit's PAC responder SSSD patches. It
 seems that the domain name is always overwritten with input SID. I think
 using the domain we parse out from output of getnamebysid can be safely
 used, but I'm not all that familiar with the extdom plugin..

good catch.

ACK

bye,
Sumit



Re: [Freeipa-devel] [PATCH] EXTDOM: Do not overwrite domain_name for INP_SID

2013-08-29 Thread Petr Viktorin

On 08/29/2013 03:30 PM, Sumit Bose wrote:

On Mon, Aug 26, 2013 at 10:14:27AM +0200, Jakub Hrozek wrote:

Hi,

I found the problem when testing Sumit's PAC responder SSSD patches. It
seems that the domain name is always overwritten with input SID. I think
using the domain we parse out from output of getnamebysid can be safely
used, but I'm not all that familiar with the extdom plugin..


good catch.

ACK

bye,
Sumit



Thank you! Pushed to
master: ec08458b656e09dc71f51aac55f6d268469a9b11
ipa-3-3: be0fea02d0bb9cf370faeb1bd3ccfbbbc90d86e6



--
Petr³



Re: [Freeipa-devel] [PATCH] 161 Use configured dogtag LDAP port instead of default one when renewing certs

2013-08-29 Thread Jan Cholasta

On 23.7.2013 18:26, Jan Cholasta wrote:

On 22.7.2013 17:40, Simo Sorce wrote:

On Mon, 2013-07-22 at 17:36 +0200, Jan Cholasta wrote:

  if nickname == 'subsystemCert cert-pki-ca':
-update_people_entry('pkidbuser', cert)
+update_people_entry(dogtag_uri, 'pkidbuser', cert)



This is probably wrong, there is no pkidbuser in old instances.

My subsystemCert has a subject of CN=CA Subsystem,O=REALM and this
cert is associated to an object named:
uid=CA-sevrver-name-9443,ou=people,o=ipaca

I think you need to search the db to find the right object(s) to update.


Right. Updated patch attached.

Honza



Rebased on top of current master & ipa-3-1.

--
Jan Cholasta
From f9a7db524f2b28ddd31c1cd68737032add07dbee Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Tue, 23 Jul 2013 10:19:42 +
Subject: [PATCH] Fix certificate renewal scripts to work with separate CA DS
 instance.

https://fedorahosted.org/freeipa/ticket/3805
---
 install/restart_scripts/renew_ca_cert |  4 +--
 install/restart_scripts/renew_ra_cert |  2 +-
 ipaserver/install/cainstance.py   | 60 ---
 3 files changed, 44 insertions(+), 22 deletions(-)

diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index ab394b9..a2d0e46 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -85,9 +85,7 @@ finally:
 
 # Done withing stopped_service context, CA restarted here
 update_cert_config(nickname, cert)
-
-if nickname == 'subsystemCert cert-pki-ca':
-update_people_entry('pkidbuser', cert)
+update_people_entry(cert)
 
 if nickname == 'auditSigningCert cert-pki-ca':
 # Fix trust on the audit cert
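Review bot: `update_people_entry(cert)` is now called for every renewed nickname rather than only for `subsystemCert cert-pki-ca`, so certificates such as `auditSigningCert cert-pki-ca` (handled right below) are also looked up in `ou=People,o=ipaca`; confirm the issuer/subject search in `update_people_entry` finds no entry for them and returns quietly (the cainstance hunk maps `errors.NotFound` to an empty list), otherwise every renewal of a non-subsystem certificate will log a spurious syslog error.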
diff --git a/install/restart_scripts/renew_ra_cert b/install/restart_scripts/renew_ra_cert
index e541e4b..596ca2b 100644
--- a/install/restart_scripts/renew_ra_cert
+++ b/install/restart_scripts/renew_ra_cert
@@ -41,7 +41,7 @@ db = certs.CertDB(api.env.realm)
 dercert = db.get_cert_from_db('ipaCert', pem=False)
 
 # Load it into dogtag
-update_people_entry('ipara', dercert)
+update_people_entry(dercert)
 
 attempts = 0
 updated = False
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 15d79fd..4f99b6f 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -40,6 +40,7 @@ import ConfigParser
 from ipapython import dogtag
 from ipapython.certdb import get_ca_nickname
 from ipapython import certmonger
+from ipalib import api
 from ipalib import pkcs10, x509
 from ipalib import errors
 from ipapython.dn import DN
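Review bot: importing the global `api` into cainstance so that `dogtag.configured_constants(api)` can read the DS port makes `update_people_entry` depend on a bootstrapped and finalized `api`, which the restart scripts provide but other callers may not; `update_cert_config` just above already takes a `dogtag_constants=None` parameter for exactly this, and mirroring that here would avoid the module-level dependency and keep the two functions consistent.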
@@ -1729,58 +1730,81 @@ def update_cert_config(nickname, cert, dogtag_constants=None):
 base64.b64encode(cert),
 quotes=False, separator='=')
 
-def update_people_entry(uid, dercert):
+def update_people_entry(dercert):
 
 Update the userCerticate for an entry in the dogtag ou=People. This
 is needed when a certificate is renewed.
 
-uid: uid of user to update
 dercert: An X509.3 certificate in DER format
 
 Logging is done via syslog
 
 Returns True or False
 
-dn = DN(('uid',uid),('ou','People'),('o','ipaca'))
+base_dn = DN(('ou','People'), ('o','ipaca'))
 serial_number = x509.get_serial_number(dercert, datatype=x509.DER)
 subject = x509.get_subject(dercert, datatype=x509.DER)
 issuer = x509.get_issuer(dercert, datatype=x509.DER)
 
 attempts = 0
-dogtag_uri='ldap://localhost:%d' % DEFAULT_DSPORT
+configured_constants = dogtag.configured_constants(api)
+dogtag_uri = 'ldap://localhost:%d' % configured_constants.DS_PORT
 updated = False
 
 try:
 dm_password = certmonger.get_pin('internaldb')
 except IOError, e:
-syslog.syslog(syslog.LOG_ERR, 'Unable to determine PIN for CA instance: %s' % e)
+syslog.syslog(
+syslog.LOG_ERR, 'Unable to determine PIN for CA instance: %s' % e)
 return False
 
 while attempts  10:
 conn = None
 try:
 conn = ldap2.ldap2(shared_instance=False, ldap_uri=dogtag_uri)
-conn.connect(bind_dn=DN(('cn', 'directory manager')),
-bind_pw=dm_password)
-(entry_dn, entry_attrs) = conn.get_entry(dn, ['usercertificate'])
-entry_attrs['usercertificate'].append(dercert)
-entry_attrs['description'] = '2;%d;%s;%s' % (serial_number, issuer,
-subject)
-conn.update_entry(dn, entry_attrs)
+conn.connect(
+bind_dn=DN(('cn', 'directory manager')), bind_pw=dm_password)
+
+filter = conn.make_filter(
+{'description': ';%s;%s' % (issuer, subject)},
+exact=False, trailing_wildcard=False)
+try:
+entries = conn.get_entries(base_dn, conn.SCOPE_SUBTREE, filter)
+except errors.NotFound:
+entries = []
+
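Review bot: `filter` shadows the Python builtin; `search_filter` reads better. More importantly, the substring filter on `description` is built from the certificate's issuer and subject DNs with `exact=False`, so make sure `conn.make_filter` escapes LDAP filter metacharacters (`*`, `(`, `)`, `\`, NUL) in those values, since a DN component containing them would otherwise change the meaning of the search. Because this is a substring match it may also return several entries; the remainder of the hunk is cut off here, so check that every matched entry, not just the first, gets its `usercertificate` appended and its `description` updated.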
 

Re: [Freeipa-devel] [PATCH] 161 Use configured dogtag LDAP port instead of default one when renewing certs

2013-08-29 Thread Jan Cholasta

On 29.8.2013 16:32, Jan Cholasta wrote:

On 23.7.2013 18:26, Jan Cholasta wrote:

On 22.7.2013 17:40, Simo Sorce wrote:

On Mon, 2013-07-22 at 17:36 +0200, Jan Cholasta wrote:

  if nickname == 'subsystemCert cert-pki-ca':
-update_people_entry('pkidbuser', cert)
+update_people_entry(dogtag_uri, 'pkidbuser', cert)



This is probably wrong, there is no pkidbuser in old instances.

My subsystemCert has a subject of CN=CA Subsystem,O=REALM and this
cert is associated to an object named:
uid=CA-sevrver-name-9443,ou=people,o=ipaca

I think you need to search the db to find the right object(s) to update.


Right. Updated patch attached.

Honza



Rebased on top of current master & ipa-3-1.



... and now with the correct patches attached.

--
Jan Cholasta
From f9a7db524f2b28ddd31c1cd68737032add07dbee Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Tue, 23 Jul 2013 10:19:42 +
Subject: [PATCH] Fix certificate renewal scripts to work with separate CA DS
 instance.

https://fedorahosted.org/freeipa/ticket/3805
---
 install/restart_scripts/renew_ca_cert |  4 +--
 install/restart_scripts/renew_ra_cert |  2 +-
 ipaserver/install/cainstance.py   | 60 ---
 3 files changed, 44 insertions(+), 22 deletions(-)

diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index ab394b9..a2d0e46 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -85,9 +85,7 @@ finally:
 
 # Done withing stopped_service context, CA restarted here
 update_cert_config(nickname, cert)
-
-if nickname == 'subsystemCert cert-pki-ca':
-update_people_entry('pkidbuser', cert)
+update_people_entry(cert)
 
 if nickname == 'auditSigningCert cert-pki-ca':
 # Fix trust on the audit cert
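Review bot: this attachment carries the same commit id (f9a7db524f2b28ddd31c1cd68737032add07dbee), date and hunks as the one sent in the previous message, so it does not appear to be the corrected patch this message announces; please double-check which files were attached, in particular the ipa-3-1 variant mentioned in the rebase note.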
diff --git a/install/restart_scripts/renew_ra_cert b/install/restart_scripts/renew_ra_cert
index e541e4b..596ca2b 100644
--- a/install/restart_scripts/renew_ra_cert
+++ b/install/restart_scripts/renew_ra_cert
@@ -41,7 +41,7 @@ db = certs.CertDB(api.env.realm)
 dercert = db.get_cert_from_db('ipaCert', pem=False)
 
 # Load it into dogtag
-update_people_entry('ipara', dercert)
+update_people_entry(dercert)
 
 attempts = 0
 updated = False
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 15d79fd..4f99b6f 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -40,6 +40,7 @@ import ConfigParser
 from ipapython import dogtag
 from ipapython.certdb import get_ca_nickname
 from ipapython import certmonger
+from ipalib import api
 from ipalib import pkcs10, x509
 from ipalib import errors
 from ipapython.dn import DN
@@ -1729,58 +1730,81 @@ def update_cert_config(nickname, cert, dogtag_constants=None):
 base64.b64encode(cert),
 quotes=False, separator='=')
 
-def update_people_entry(uid, dercert):
+def update_people_entry(dercert):
 
 Update the userCerticate for an entry in the dogtag ou=People. This
 is needed when a certificate is renewed.
 
-uid: uid of user to update
 dercert: An X509.3 certificate in DER format
 
 Logging is done via syslog
 
 Returns True or False
 
-dn = DN(('uid',uid),('ou','People'),('o','ipaca'))
+base_dn = DN(('ou','People'), ('o','ipaca'))
 serial_number = x509.get_serial_number(dercert, datatype=x509.DER)
 subject = x509.get_subject(dercert, datatype=x509.DER)
 issuer = x509.get_issuer(dercert, datatype=x509.DER)
 
 attempts = 0
-dogtag_uri='ldap://localhost:%d' % DEFAULT_DSPORT
+configured_constants = dogtag.configured_constants(api)
+dogtag_uri = 'ldap://localhost:%d' % configured_constants.DS_PORT
 updated = False
 
 try:
 dm_password = certmonger.get_pin('internaldb')
 except IOError, e:
-syslog.syslog(syslog.LOG_ERR, 'Unable to determine PIN for CA instance: %s' % e)
+syslog.syslog(
+syslog.LOG_ERR, 'Unable to determine PIN for CA instance: %s' % e)
 return False
 
 while attempts  10:
 conn = None
 try:
 conn = ldap2.ldap2(shared_instance=False, ldap_uri=dogtag_uri)
-conn.connect(bind_dn=DN(('cn', 'directory manager')),
-bind_pw=dm_password)
-(entry_dn, entry_attrs) = conn.get_entry(dn, ['usercertificate'])
-entry_attrs['usercertificate'].append(dercert)
-entry_attrs['description'] = '2;%d;%s;%s' % (serial_number, issuer,
-subject)
-conn.update_entry(dn, entry_attrs)
+conn.connect(
+bind_dn=DN(('cn', 'directory manager')), bind_pw=dm_password)
+
+filter = conn.make_filter(
+{'description': ';%s;%s' % (issuer, subject)},
+exact=False, trailing_wildcard=False)
+try:
+entries = conn.get_entries(base_dn, 
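Review bot: two points on the new lookup. `filter` shadows the Python builtin; `search_filter` reads better. More importantly, the hunk ends at `conn.get_entries(base_dn, ` so the no-match and multiple-match handling is not visible: the substring filter on description (';issuer;subject' with a leading wildcard, since trailing_wildcard=False) deliberately ignores the serial number, which is right for a renewal, but issuer and subject are stringified DNs, so make_filter must escape them for the LDAP filter grammar, and if more than one entry matches the code should fail loudly or choose deterministically rather than update whichever entry comes back first. The pre-existing docstring typo ('userCerticate') could be fixed while this docstring is being edited.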

[Freeipa-devel] [PATCH] 0060 Add warning when uninstalling active replica

2013-08-29 Thread Ana Krivokapic
Hello,

This patch addresses ticket https://fedorahosted.org/freeipa/ticket/3867.

-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.

From 29732542431dfa3d2a41607f6537690655a7a027 Mon Sep 17 00:00:00 2001
From: Ana Krivokapic akriv...@redhat.com
Date: Thu, 29 Aug 2013 17:44:02 +0200
Subject: [PATCH] Add warning when uninstalling active replica

Add a warning when trying to uninstall a replica that has active replication
agreements.

https://fedorahosted.org/freeipa/ticket/3867
---
 install/tools/ipa-server-install | 32 +++-
 1 file changed, 27 insertions(+), 5 deletions(-)

diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 86ca3447bfaab1763324ce57c67c073a8fa93963..7444a6f8720f2c6ca89fcd0bcbf0a2077dabf83f 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -28,18 +28,16 @@
 
 import sys
 import os
-import errno
 import grp
-import subprocess
 import signal
 import shutil
-import glob
 import pickle
 import random
 import tempfile
 import nss.error
 import base64
-from optparse import OptionGroup, OptionValueError, SUPPRESS_HELP
+import pwd
+from optparse import OptionGroup, OptionValueError
 
 from ipaserver.install import dsinstance
 from ipaserver.install import krbinstance
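Review bot: dropping the errno, subprocess, glob and SUPPRESS_HELP imports is unrelated to the replication-agreement warning; if they really are unused the cleanup is welcome, but either mention it in the commit message or split it into its own commit, and confirm that SUPPRESS_HELP has no remaining use in the option definitions (the rest of the file is not part of this diff).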
@@ -51,10 +49,11 @@ from ipaserver.install import cainstance
 from ipaserver.install import memcacheinstance
 from ipaserver.install import otpdinstance
 from ipaserver.install import sysupgrade
-
+from ipaserver.install import replication
 from ipaserver.install import service, installutils
 from ipapython import version
 from ipapython import certmonger
+from ipapython import ipaldap
 from ipaserver.install.installutils import *
 from ipaserver.plugins.ldap2 import ldap2
 
@@ -624,6 +623,29 @@ def main():
 print Aborting uninstall operation.
 sys.exit(1)
 
+conn = ipaldap.IPAdmin(api.env.host, ldapi=True, realm=api.env.realm)
+conn.do_external_bind(pwd.getpwuid(os.geteuid()).pw_name)
+rm = replication.ReplicationManager(api.env.realm, api.env.host, None,
+conn=conn)
+agreements = rm.find_ipa_replication_agreements()
+
+if agreements:
+other_masters = [a.get('cn')[0][4:] for a in agreements]
+print \nReplication agreements with the following IPA masters 
+print found: %s. % , .join(other_masters)
+print Removing any replication agreements before uninstalling 
+print the server is strongly recommended.
+print You can remove replication agreements by running the 
+print following command on any other IPA master:
+print $ ipa-replica-manage del %s % api.env.host
+if not (options.unattended or user_input(Are you sure you want 
+ to continue with the 
+ uninstall procedure?,
+ False)):
+print 
+print Aborting uninstall operation.
+sys.exit(1)
+
 return uninstall()
 
 if options.external_ca:
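Review bot: the IPAdmin(..., ldapi=True) connection, the external bind and find_ipa_replication_agreements() run unconditionally on the uninstall path, so if dirsrv is down or the installation is already half broken (a common reason for running --uninstall in the first place) an exception here aborts before uninstall() is ever reached; wrap the connect and search in try/except, print that the agreement check was skipped, and continue. The connection is also never closed (conn.unbind()). `a.get('cn')[0][4:]` silently assumes the 'meTo' prefix of IPA agreement names; a comment or a small helper would make that explicit. Printing the warning but skipping the prompt under options.unattended is the right behaviour.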
-- 
1.8.3.1

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] Announcing FreeIPA 3.3.1

2013-08-29 Thread Petr Viktorin

The FreeIPA team is proud to announce FreeIPA v3.3.1!

This is a bugfix release.

It can be downloaded from http://www.freeipa.org/page/Downloads. Fedora 
19 builds will be ready soon.


== Highlights in 3.3.1 ==

=== Bug fixes ===
* ipa-server-certinstall now works correctly both with a CA subsystem 
and in CA-less installations

* The --subject option in ipa-server-install is now handled correctly
* During installation, directory server tuning is performed correctly on 
sysV and systemd systems
* During installation, the CA service is stopped during configuration 
file changes to prevent race conditions


=== Test improvements ===
* Integration tests for CA-less installation, Kerberos flags, and 
related Web UI parts were added to the test suite

* Test suite now passes after ipa-adtrust-install

== Upgrading ==
=== FreeIPA servers with CA installed prior to version 3.1 ===
A manual upgrade procedure is required for FreeIPA servers installed with a
version prior to 3.1.
Please see http://www.freeipa.org/page/Howto/Dogtag9ToDogtag10Migration for
details.

=== Other FreeIPA servers and clients ===
An IPA server can be upgraded simply by installing updated rpms. The server
does not need to be shut down in advance.

Please note that if you are doing the upgrade in a special environment (e.g.
FedUp) which does not allow running the LDAP server during the upgrade process,
the upgrade scripts need to be run manually after the first boot:
# ipa-upgradeconfig
# ipa-ldap-updater --upgrade

Also note that the performance improvements require an extended set of
indexes to be configured. RPM update for an IPA server with an excessive number
of users may require several minutes to finish.

If you have multiple servers you may upgrade them one at a time. It is
expected that all servers will be upgraded in a relatively short period (days
or weeks, not months). They should be able to co-exist peacefully but new
features will not be available on old servers and enrolling a new client
against an old server will result in the SSH keys not being uploaded.

Downgrading a server once upgraded is not supported.

Upgrading from 2.2.0 and later versions is supported. Upgrading from previous
versions is not supported and has not been tested.

An enrolled client does not need the new packages installed unless you want to
re-enroll it. SSH keys for already installed clients are not uploaded; you will
have to re-enroll the client or manually upload the keys.

== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users mailing
list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel
on Freenode.

== Detailed Changelog since 3.3.0 ==
=== Alexander Bokovoy (1): ===
* Remove systemd upgrader as it is not used anymore

=== Ana Krivokapic (4): ===
* Handle --subject option in ipa-server-install
* Fix broken replica installation
* Add integration tests for Kerberos Flags
* Fix tests which fail after ipa-adtrust-install

=== Jakub Hrozek (1): ===
* EXTDOM: Do not overwrite domain_name for INP_SID

=== Jan Cholasta (12): ===
* Make PKCS#12 handling in ipa-server-certinstall closer to what other tools do.
* Port ipa-server-certinstall to the admintool framework.
* Remove unused NSSDatabase and CertDB method find_root_cert_from_pkcs12.
* Ignore empty mod error when updating DS SSL config in ipa-server-certinstall.
* Replace only the cert instead of the whole NSS DB in ipa-server-certinstall.
* Untrack old and track new cert with certmonger in ipa-server-certinstall.
* Add --pin option to ipa-server-certinstall.
* Ask for PKCS#12 password interactively in ipa-server-certinstall.
* Fix nsSaslMapping object class before configuring SASL mappings.
* Add --dirman-password option to ipa-server-certinstall.
* Fix ipa-server-certinstall usage string.
* Fix service-disable in CA-less install.

=== Martin Kosek (3): ===
* Prevent *.pyo and *.pyc multilib problems
* Remove rpmlint warnings in spec file
* Fix selected minor issues in the spec file and license

=== Nathaniel McCallum (1): ===
* Bypass ipa-replica-conncheck ssh tests when ssh is not installed

=== Petr Viktorin (4): ===
* Allow freeipa-tests to work with older paramiko versions
* Add missing license header to ipa-test-config
* Add CA-less install tests
* Add man pages for testing tools

=== Petr Vobornik (7): ===
* Removal of deprecated selenium tests
* Add base-id, range-size and range-type options to trust-add dialog
* Hide 'New Certificate' action on CA-less install
* Web UI integration tests: CA-less
* Web UI Integration tests: Kerberos Flags
* Web UI integration tests: ID range types
* Update idrange search facet after trust creation

=== Rob Crittenden (1): ===
* Re-order NULL check in ipa_lockout.

=== Simo Sorce (3): ===
* pwd-plugin: Fix ignored return error
* kdb-mspac: Fix out of bounds memset
* kdb-princ: Fix memory leak

=== Sumit Bose (1): ===
* CLDAP: make sure an empty reply is returned on any error

=== Tomas Babej