Re: [Freeipa-devel] [PATCH] 0118 add support for subdomains
On Fri, 04 Oct 2013, Alexander Bokovoy wrote:
On Thu, 03 Oct 2013, Martin Kosek wrote:
On 10/03/2013 03:10 PM, Alexander Bokovoy wrote:
On Wed, 02 Oct 2013, Sumit Bose wrote:

Please note that I did not test with more than 1 subdomain, since I do not have more ADs available. I have done some testing as well and the patches are working as expected except the trustdomain-disable issue Tomas mentioned. But I think it would be sufficient to add a comment to the release notes and fix this with the next release to not delay this release anymore. The patches are also working for trusts which were added with older releases. So ACK from my side for the functional part.

New patchset is attached. I've fixed all outstanding issues and implemented proper SID filtering for subdomains. In addition, I've added MS-PAC cache eviction when we change blacklists from IPA side and forced removal of the domain from SID blacklist if the domain is being removed by trustdomain-del.

1) Minor issue in 0118:

+if keys[0].lower() == keys[1].lower():
+raise errors.ValidationError(name='trustdomain_enable',
+error=_(Root domain of the trust is always enabled for the existing trust))

The error message looks weird (double trustdomain_enable):

# ipa trustdomain-enable realm domain
ipa: ERROR: invalid 'trustdomain_enable': Root domain of the trust is always enabled for the existing trust

I would rather do something like

+raise errors.ValidationError(name='domain',

2) trustconfig-enable and trustconfig-disable should use standard output like other enable/disable methods. See user-enable/user-disable for example. Current situation puts all the authoritative information to summary which:

a) Does not look nice in the terminal

# ipa trustdomain-disable very.long.long.long.realm very.long.long.long.domain
Domain very.long.long.long.domain of trust very.long.long.long.realm is not allowed to access IPA resources

b) How am I supposed to parse information about the result if all I get is a text in summary?

Using standard errors and output values will allow easier consumption of the API later (like in Web UI). I am attaching a patch (0001) how to make it consistent with other enable/disable commands. Example:

# ipa trustdomain-disable realm domain
ipa: ERROR: This entry is already disabled
# ipa trustdomain-enable realm domain
- Enabled trust domain domain -

3) Let's use standard primary key for the trustdomain object. This will let us overcome some hacks and also let us use handle_not_found method - patch attached (0002). 0002 also changes some ValidationError errors to standard errors, just for being consistent with the rest of the API. Note that in order to make primary_key=True, I had to enhance trustdomain_del command to manage multiple domains.

I think these API fixes are a must, it would be very hard to amend the API later. If these patches are squashed to your 0118, it would be ACK from me to the Python side. I will let C parts and a functional test to Sumit's mighty hands.

Thanks. I've merged these changes, along with an API.txt correction. In my tests these worked fine. I'll resend 0118 shortly.

New edition of 0118 attached.

-- 
/ Alexander Bokovoy

From 1e5d4090d53ce0e889f05359685efd8819771826 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Wed, 18 Sep 2013 17:04:19 +0200
Subject: [PATCH 2/8] trusts: support subdomains in a forest

Add IPA CLI to manage trust domains.

ipa trust-fetch-domains trust -- fetch list of subdomains from AD side and add new ones to IPA
ipa trustdomain-find trust -- show all available domains
ipa trustdomain-del trust domain -- remove domain from IPA view about trust
ipa trustdomain-enable trust domain -- allow users from trusted domain to access resources in IPA
ipa trustdomain-disable trust domain -- disable access to resources in IPA from trusted domain

By default all discovered trust domains are allowed to access IPA resources.

IPA KDC needs also information for authentication paths to subdomains in case they are not hierarchical under AD forest trust root. This information is managed via capaths section in krb5.conf. SSSD should be able to generate it once ticket https://fedorahosted.org/sssd/ticket/2093 is resolved.

part of https://fedorahosted.org/freeipa/ticket/3909
---
 API.txt | 88 +
 ipalib/plugins/trust.py | 329 
 ipaserver/dcerpc.py | 54 
 3 files changed, 420 insertions(+), 51 deletions(-)

diff --git a/API.txt b/API.txt
index 761d1d1..40871f6 100644
--- a/API.txt
+++ b/API.txt
@@ -3423,6
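The commit message above says the KDC needs authentication paths to the forest subdomains in the [capaths] section of krb5.conf, and that SSSD should eventually write them. The following is an added example, not FreeIPA or SSSD code, of what such a stanza looks like and how it is read: every subdomain is reached through the forest root in both directions, and the stanza is parsed back so the hop list can be checked. The realm names are constructed for the example; the [capaths] semantics (client realm as tag, server realm as subtag, value is the intermediate realm, "." meaning direct) are MIT krb5's.

```python
"""Generate and read a krb5.conf [capaths] stanza for an AD forest trust.

Added example, not code from FreeIPA or SSSD. It models the situation in the
commit message above: the IPA realm trusts the forest root realm directly and
each subdomain is reachable only through that root, so the KDC and the IPA
clients need explicit authentication paths. Realm names are constructed.
MIT krb5 reads the section as
    CLIENT_REALM = { SERVER_REALM = INTERMEDIATE_REALM }
where "." means the two realms share keys directly.
"""


def capaths(ipa_realm, forest_root, subdomains):
    """Return the [capaths] text for ipa_realm <-> forest_root and its subdomains.

    Paths are emitted in both directions: the IPA KDC verifies the transited
    field of tickets coming from the forest, and IPA clients need the path
    when asking for tickets to services in a subdomain.
    """
    entries = {}  # client realm -> {server realm: intermediate realm}

    def add(client, server, via):
        entries.setdefault(client, {})[server] = via

    # Direct trust between the IPA realm and the forest root.
    add(ipa_realm, forest_root, ".")
    add(forest_root, ipa_realm, ".")
    for sub in subdomains:
        # Subdomain <-> IPA realm always goes through the forest root, whether
        # or not the subdomain is a DNS child of the root.
        add(ipa_realm, sub, forest_root)
        add(sub, ipa_realm, forest_root)

    lines = ["[capaths]"]
    for client in sorted(entries):
        lines.append(" %s = {" % client)
        for server, via in sorted(entries[client].items()):
            lines.append("  %s = %s" % (server, via))
        lines.append(" }")
    return "\n".join(lines) + "\n"


def parse_capaths(text):
    """Parse a stanza produced by capaths() back into {client: {server: via}}."""
    result, client = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):
            continue
        if line.endswith("{"):
            client = line.split("=")[0].strip()
            result[client] = {}
        elif line == "}":
            client = None
        elif client is not None:
            server, via = (part.strip() for part in line.split("=", 1))
            result[client][server] = via
    return result


def path_to(entries, client, server):
    """Realm hops a ticket takes from client to server, or None if no path is configured."""
    via = entries.get(client, {}).get(server)
    if via is None:
        return None
    return [client, server] if via == "." else [client, via, server]


if __name__ == "__main__":
    stanza = capaths("IPA.EXAMPLE.TEST", "AD.EXAMPLE.TEST",
                     ["CHILD.AD.EXAMPLE.TEST", "OTHER.TEST"])
    print(stanza)
    print(path_to(parse_capaths(stanza), "OTHER.TEST", "IPA.EXAMPLE.TEST"))
```

The disjoint subdomain (OTHER.TEST above) is the case the commit message calls out: MIT krb5 cannot derive a hierarchical path for it, so without the stanza a ticket from it would be refused by the IPA KDC's transited check.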
Re: [Freeipa-devel] [PATCH] 0118 add support for subdomains
On Thu, 03 Oct 2013, Sumit Bose wrote:
On Thu, Oct 03, 2013 at 06:04:24PM +0200, Martin Kosek wrote:
On 10/03/2013 03:10 PM, Alexander Bokovoy wrote:
On Wed, 02 Oct 2013, Sumit Bose wrote:

[Quoted review of 0118 (points 1 to 3) snipped; it is reproduced in full in the first message of this thread above.]

Functional it is an ACK to all patches except 0123. The trustdomain-disabled issue found by Tomas is fixed with 0124.

Patch 0123 is not needed and breaks setups with unpatched MIT Kerberos, which currently are more or less all. It does not allow users from the trusted forest root to get tickets for the IPA domain. In this case the TGT does not have any transited data, because it is a direct trust, but the client realm is not ours. So the plugin returns KRB5_PLUGIN_NO_HANDLE which is interpreted as an error in current MIT Kerberos versions.

I would recommend to just drop the patch for this release and include an improved version in the next.

I've fixed 0123 by allowing to proceed with the trust checks in case of empty transited realm and both client and server realms are not ours. The result will be success in case both client and server realms are either our realm or belong to any of the trusted domains. For this case empty transited realm is considered a match.

For me the following cases work now:
- principal from our realm asking for ticket of a service in our realm
- principal from root level trusted domain asking for a ticket of a service in our realm
- principal from a trusted domain asking for a ticket of a service in our realm
- principal from our realm asking for a ticket of a service in a root level trusted domain
- principal from our realm asking for a ticket of a service in a trusted domain

These are supported use cases without your PoC patches, the last one works due to manual configuration file written by SSSD 1.11.3.

Patch 0124 looks good although
Re: [Freeipa-devel] [PATCHES] 0278-0279 Make it possible to run integration tests without Paramiko
On 10/03/2013 06:49 PM, Petr Vobornik wrote:
On 09/18/2013 12:30 PM, Petr Viktorin wrote:

Hello,

These patches take the SSH2 bits out of the integration tests' Host class into a Transport class, and add a new Transport that uses /usr/bin/ssh to talk with remote hosts.

The Host class is broken up to help adding AD trust tests (see Tomáš's patches 100-106, the WinHost addition can be simplified now; in the future adding e.g. a telnet transport should be easier).

The spec file is not changed, I believe Paramiko is a better default for Fedora. The OpenSSH transport can be selected by setting IPA_TEST_SSH_TRANSPORT=openssh.

https://fedorahosted.org/freeipa/ticket/3890

ACK

This was pushed to master, ipa-3-3 by Petr Viktorin.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
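The Host/Transport split described in the message above, as an added example that is not the FreeIPA test code: a Host hands every command to a Transport, the transport is picked through IPA_TEST_SSH_TRANSPORT (the value "openssh" is from the message; the default name "paramiko", the class and option names and the ssh options used are assumptions), and the OpenSSH transport builds an argv list rather than a shell string, so host names, user names and remote command words are never spliced into a local shell.

```python
"""Host/Transport split for remote test hosts (added example, not FreeIPA code).

The design follows the message above: Host no longer speaks SSH2 itself but
delegates to a Transport, chosen by IPA_TEST_SSH_TRANSPORT. Class names,
option names and the default "paramiko" are assumptions; "openssh" is the
value named in the message.
"""
import os
import shlex
import subprocess


class Transport:
    """What a Host talks to; concrete transports implement run()."""

    def __init__(self, hostname, username, key_filename=None):
        self.hostname = hostname
        self.username = username
        self.key_filename = key_filename

    def run(self, argv):
        raise NotImplementedError


class OpenSSHTransport(Transport):
    """Drive /usr/bin/ssh non-interactively, without a local shell."""

    ssh_binary = "/usr/bin/ssh"

    def __init__(self, hostname, username, key_filename=None, strict_host_key=True):
        super().__init__(hostname, username, key_filename)
        # Lab hosts get reinstalled, so a test rig may turn host-key checking
        # off; keep that an explicit choice rather than a silent default.
        self.strict_host_key = strict_host_key

    def command_argv(self, argv):
        """Local argv for one remote command; each element is passed verbatim to execve."""
        cmd = [self.ssh_binary,
               "-o", "BatchMode=yes",  # never prompt for a password
               "-o", "StrictHostKeyChecking=%s" % ("yes" if self.strict_host_key else "no"),
               "-l", self.username]
        if self.key_filename:
            cmd += ["-i", self.key_filename]
        # sshd passes the remote side one string to the login shell, so each
        # word is quoted for that shell to arrive as the argv we intended.
        remote = " ".join(shlex.quote(word) for word in argv)
        return cmd + [self.hostname, remote]

    def run(self, argv):
        proc = subprocess.run(self.command_argv(argv), capture_output=True, text=True)
        return proc.returncode, proc.stdout, proc.stderr


class ParamikoTransport(Transport):
    """SSH2 library transport; paramiko is imported lazily so the openssh path needs no dependency."""

    def run(self, argv):
        import paramiko
        client = paramiko.SSHClient()
        client.load_system_host_keys()
        client.set_missing_host_key_policy(paramiko.RejectPolicy())
        client.connect(self.hostname, username=self.username, key_filename=self.key_filename)
        try:
            _, out, err = client.exec_command(" ".join(shlex.quote(w) for w in argv))
            rc = out.channel.recv_exit_status()
            return rc, out.read().decode(), err.read().decode()
        finally:
            client.close()


TRANSPORTS = {"openssh": OpenSSHTransport, "paramiko": ParamikoTransport}


def select_transport(environ=None):
    """Pick the transport class named by IPA_TEST_SSH_TRANSPORT (default: paramiko)."""
    environ = os.environ if environ is None else environ
    name = environ.get("IPA_TEST_SSH_TRANSPORT", "paramiko").lower()
    if name not in TRANSPORTS:
        raise ValueError("unknown IPA_TEST_SSH_TRANSPORT value: %r" % name)
    return TRANSPORTS[name]


class Host:
    """The test-side view of a machine; all remote I/O goes through the transport."""

    def __init__(self, hostname, username="root", environ=None, **transport_kwargs):
        self.hostname = hostname
        self.transport = select_transport(environ)(hostname, username, **transport_kwargs)

    def run_command(self, argv):
        return self.transport.run(argv)


if __name__ == "__main__":
    host = Host("replica1.example.test", environ={"IPA_TEST_SSH_TRANSPORT": "openssh"})
    print(host.transport.command_argv(["ipa", "user-find", "--login", "a b"]))
```

Adding a further transport (the telnet one the message mentions) means one more Transport subclass and one more TRANSPORTS entry; Host does not change.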
Re: [Freeipa-devel] [PATCH 0019] Prefer TCP connections to UDP in krb5 clients
On 3.10.2013 23:43, Nathaniel McCallum wrote:
Patch attached.

I'm curious - what is the purpose of this patch? To prevent 1 second timeouts and re-transmits when OTP is in place? What is the expected performance impact?

Could it be configured for OTP separately - somehow? (I guess that it is not possible now ...)

-- 
Petr^2 Spacek
Re: [Freeipa-devel] [PATCH] 0118 add support for subdomains
On Fri, 04 Oct 2013, Alexander Bokovoy wrote:
On Fri, 04 Oct 2013, Alexander Bokovoy wrote:
On Thu, 03 Oct 2013, Martin Kosek wrote:
On 10/03/2013 03:10 PM, Alexander Bokovoy wrote:
On Wed, 02 Oct 2013, Sumit Bose wrote:

[Quoted review of 0118 and the reply "Thanks. I've merged these changes ... New edition of 0118 attached." snipped; both are reproduced in full in the first message of this thread above.]

... and updated 0124 to match the 0118.

-- 
/ Alexander Bokovoy

From 34dc771417b247de180fe490da9fe9cb09644fee Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Thu, 3 Oct 2013 12:30:44 +0200
Subject: [PATCH 8/8] ipa-kdb: Handle parent-child relationship for subdomains

When MS-PAC information is re-initialized, record also parent-child relationship between trust root level domain and its subdomains. Use parent incoming SID black list to check if child domain is not allowed to access IPA realm.

We also should really use 'cn' of the entry as domain name. ipaNTTrustPartner has different meaning on wire, it is an index pointing to the parent domain of the domain and will be 0 for top level domains or disjoint subdomains of the trust.

Finally, trustdomain-enable and trustdomain-disable commands should force MS-PAC cache re-initialization in case of black list change. Trigger that by asking for cross-realm TGT for HTTP service.
---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 109 
 ipalib/plugins/trust.py | 6 +++
 2 files changed, 105 insertions(+), 10 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index e20de36..ff67391 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -37,6 +37,8 @@ struct ipadb_adtrusts { int len_sid_blacklist_incoming; struct
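Two messages in this thread describe policy that is easier to follow in code: the transited-realm rule from the 0123 discussion (an empty transited field is accepted when client and server realm are each either ours or a trusted domain) and the parent/child bookkeeping of patch 8/8 above (a subdomain is refused when its SID is on the forest root's incoming SID blacklist, which is what trustdomain-disable adds and trustdomain-del removes again). The following is an added example that puts both into one small model so they can be exercised together; it is not the ipa-kdb code, and the realm names, SIDs, class names and data layout are constructed for the example.

```python
"""Model of the cross-realm checks discussed in this thread (added example).

Not the ipa-kdb implementation. Two mechanisms from the thread in one policy:
* transited check: every realm involved (client, server, each transited hop)
  must be our realm or an enabled trusted domain; an empty transited list is
  accepted as a direct trust;
* parent/child bookkeeping: a subdomain is disabled by putting its SID on its
  forest root's incoming SID blacklist; the root itself is always enabled.
Realm names, SIDs and the data layout are constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass
class TrustRoot:
    """One forest trust: the root domain plus the subdomains fetched from AD."""
    realm: str
    sid: str
    children: dict = field(default_factory=dict)        # child realm -> child SID
    sid_blacklist_incoming: set = field(default_factory=set)


@dataclass
class TrustPolicy:
    our_realm: str
    roots: list = field(default_factory=list)

    def lookup(self, realm):
        """Return (root, sid) for a known trusted realm, else None."""
        for root in self.roots:
            if realm == root.realm:
                return root, root.sid
            if realm in root.children:
                return root, root.children[realm]
        return None

    def is_allowed(self, realm):
        """Known realm whose SID is not blacklisted on its root."""
        hit = self.lookup(realm)
        return hit is not None and hit[1] not in hit[0].sid_blacklist_incoming

    def disable(self, child_realm):
        """trustdomain-disable: blacklist the child's SID on the parent root."""
        hit = self.lookup(child_realm)
        if hit is None:
            raise KeyError(child_realm)
        root, sid = hit
        if root.realm == child_realm:
            raise ValueError("root domain of the trust is always enabled")
        root.sid_blacklist_incoming.add(sid)

    def enable(self, child_realm):
        """trustdomain-enable: drop the child's SID from the parent's blacklist."""
        hit = self.lookup(child_realm)
        if hit is None:
            raise KeyError(child_realm)
        hit[0].sid_blacklist_incoming.discard(hit[1])

    def delete(self, child_realm):
        """trustdomain-del: forget the child and force its SID off the blacklist."""
        hit = self.lookup(child_realm)
        if hit is None or hit[0].realm == child_realm:
            raise KeyError(child_realm)
        root, sid = hit
        root.sid_blacklist_incoming.discard(sid)
        del root.children[child_realm]

    def check_transited(self, client_realm, server_realm, transited=()):
        """Decide a cross-realm TGS request; transited is empty for a direct trust."""
        for realm in (client_realm, server_realm, *transited):
            if realm != self.our_realm and not self.is_allowed(realm):
                return False
        return True


def example_policy():
    """Constructed data: one forest root with a DNS-child subdomain and a disjoint one."""
    root = TrustRoot("AD.EXAMPLE.TEST", "S-1-5-21-1-1-1",
                     children={"CHILD.AD.EXAMPLE.TEST": "S-1-5-21-2-2-2",
                               "OTHER.TEST": "S-1-5-21-3-3-3"})
    return TrustPolicy("IPA.EXAMPLE.TEST", [root])


if __name__ == "__main__":
    p = example_policy()
    print(p.check_transited("CHILD.AD.EXAMPLE.TEST", "IPA.EXAMPLE.TEST", ["AD.EXAMPLE.TEST"]))
    p.disable("CHILD.AD.EXAMPLE.TEST")
    print(p.check_transited("CHILD.AD.EXAMPLE.TEST", "IPA.EXAMPLE.TEST", ["AD.EXAMPLE.TEST"]))
```

The five cases Alexander lists as working map directly onto check_transited calls; the one the model adds beyond the thread is that a blacklisted hop in a non-empty transited list is refused as well, which is the natural reading of "every realm involved must be trusted".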
Re: [Freeipa-devel] [PATCHES] 170-171 Allow PKCS#12 files with empty password in install tools
On 3.10.2013 17:44, Petr Viktorin wrote:
On 10/03/2013 01:15 PM, Petr Viktorin wrote:
On 09/25/2013 10:46 AM, Jan Cholasta wrote:

Hi,

the attached patches fix https://fedorahosted.org/freeipa/ticket/3897.

Honza

I'm still testing; it looks good except for unattended installs. With the attached fixup squashed in it works so far.

Another problem is that the change pkcs12_info (password instead of filename) was not done in ipa-replica-install. Here is another fixup to correct this.

Also, I'm attaching tests I used for this. If these changes look OK to you, then it's an ACK.

Thanks! ACK to your changes (I don't know how I missed all of this, shame on me!)

Honza

-- 
Jan Cholasta
Re: [Freeipa-devel] [PATCH] 0118 add support for subdomains
On 10/04/2013 09:40 AM, Alexander Bokovoy wrote:
On Fri, 04 Oct 2013, Alexander Bokovoy wrote:
On Fri, 04 Oct 2013, Alexander Bokovoy wrote:
On Thu, 03 Oct 2013, Martin Kosek wrote:
On 10/03/2013 03:10 PM, Alexander Bokovoy wrote:
On Wed, 02 Oct 2013, Sumit Bose wrote:

[Quoted text snipped; it is identical to the earlier messages of this thread above and ends with "... and updated 0124 to match the 0118."]

Thanks Alexander and Sumit! The patches seem to work now - ACK. Pushed all to master, ipa-3-3.

I just also updated our spec to require new SSSD.

Martin
Re: [Freeipa-devel] [PATCHES] 170-171 Allow PKCS#12 files with empty password in install tools
On 10/04/2013 09:55 AM, Jan Cholasta wrote:
On 3.10.2013 17:44, Petr Viktorin wrote:
On 10/03/2013 01:15 PM, Petr Viktorin wrote:
On 09/25/2013 10:46 AM, Jan Cholasta wrote:

[Quoted exchange snipped; it is identical to the previous message of this thread above.]

Pushed to master: 3a4a7458c72bb70673520a546ba463ec7fc94bcf
ipa-3-3: c6113ab89b010bd60eff4084b8d244dde2563dcf

-- 
Petr³
[Freeipa-devel] [RFE] CA certificate renewal
Hi,

you can find a draft of the design document for this feature at http://www.freeipa.org/page/V3/CA_certificate_renewal. Comments are welcome.

Honza

-- 
Jan Cholasta
Re: [Freeipa-devel] [PATCH 0019] Prefer TCP connections to UDP in krb5 clients
- Original Message -
On 3.10.2013 23:43, Nathaniel McCallum wrote:
Patch attached.

I'm curious - what is the purpose of this patch? To prevent 1 second timeouts and re-transmits when OTP is in place? What is the expected performance impact?

Could it be configured for OTP separately - somehow? (I guess that it is not possible now ...)

It benefits also communication of large packets (when large MS-PAC or CAMMAC AD Data are attached), so it is a better choice for IPA in general. Especially given we have multiple KDC processes configured we do not want clients wasting KDC resources by making multiple processes do the same operation.

Simo.

-- 
Simo Sorce * Red Hat, Inc. * New York
Re: [Freeipa-devel] [DOC] Chapter 2 Installation
On Mon, 2013-09-30 at 17:48 +0200, Petr Vobornik wrote:
On 09/27/2013 11:37 AM, Martin Basti wrote:
On Fri, 2013-09-27 at 10:50 +0200, Martin Basti wrote:
On Mon, 2013-08-26 at 17:16 +0200, Martin Basti wrote:

Hello,

this patch fixes some setup outputs and removes the outdated section about updating freeIPA version 2

-- 
Martin Basti

Updated patch is attached

1. The new paragraph about different replica version does not sound good. Instead of:

There is exception for using older version of replica by upgrading process, but there should not be long-running IPA; servers with different versions.

Use:

There is an exception to the rule — newer version of replica can be installed as a part of upgrade process. All other replicas have to be upgraded to the same version in a matter of days or weeks. There should not be long-running IPA; servers with different versions.

Reworded, I hope it sounds better now. Updated patch attached.

-- 
Martin Basti

From 48aab730c7f1f9eafdd2fbac4520ebe746629695 Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Mon, 26 Aug 2013 15:28:42 +0200
Subject: [PATCH] Chapter 2 - Installing

Fixed setup outputs
Removed outdated section about updating version 2

https://fedorahosted.org/freeipa/ticket/3763
---
 src/user_guide/en-US/Installing.xml | 265 +---
 1 file changed, 159 insertions(+), 106 deletions(-)

diff --git a/src/user_guide/en-US/Installing.xml b/src/user_guide/en-US/Installing.xml
index 4e653012ad21615480f59ceeadf83f5771cde1b4..2af23b53b4885421d570ec28b35aa9e21c32188d 100644
--- a/src/user_guide/en-US/Installing.xml
+++ b/src/user_guide/en-US/Installing.xml
@@ -85,8 +85,30 @@ section id=supported-browserstitleSupported Web Browsers/title para -The only supported browser to access the IPA; web UI is Firefox 3.x or 4.x. +These browsers are supported for connecting to the web UI: /para + itemizedlist +listitem + para + Firefox 15.x and newer + /para +/listitem +listitem + para + Firefox 10.x + /para +/listitem +listitem + para + Firefox 3.6 + /para +/listitem +listitem condition=redhat + para + Internet Explorer (self-service management only) + /para +/listitem + /itemizedlist /section section id=prerequisites @@ -142,14 +164,14 @@ If the IPA; server is configured to host its own DNS server, any previous existing DNS ignored. A records and PTR records do not need to match for the IPA; server machine, and the machine can have any configured IP address. /para /note - + /section section id=prereq-dstitleDS;/title para There must not be any instances of DSF; installed on the host machine. /para /section - + section id=prereq-systemtitleSystem Files /title para The server script overwrites system files to set up the IPA; domain. The system should be clean, without custom configuration for services like DNS and Kerberos, before configuring the IPA; server. 
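Review bot: the supported-browsers hunk (-85) drops Firefox 4.x, which the removed sentence covered, names Firefox 3.6 and 10.x as bare point versions, and gives no version at all for Internet Explorer; each item should state a version or range so the reader can tell what is actually supported. The IE item is also wrapped in listitem condition=redhat, so it vanishes from non-Red Hat builds of the guide; if that is intended, say so in the commit message, which only mentions fixed setup outputs.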
@@ -602,91 +624,96 @@ negative-time-to-live hosts 20 /listitem listitem para + Choose to not configure DNS. (If you need to configure DNS see xref linkend=install-dns /.) + /para + programlisting Do you want to configure integrated DNS (BIND)? [no]: /programlisting + /listitem + listitem + para Enter the hostname. This is determined automatically using reverse DNS. /para -programlisting language=BashServer host name [ipaserver.example.com]:/programlisting +programlistingServer host name [ipaserver.example.com]:/programlisting /listitem listitem para Enter the domain name. This is determined automatically based on the hostname. /para -programlisting language=BashPlease confirm the domain name [example.com]:/programlisting - /listitem - listitem - para - The script then reprints the hostname, IP address, and domain name. - /para -programlisting language=BashThe IPA Master Server will be configured with -Hostname:ipaserver.example.com -IP address: 192.168.1.1 -Domain name: example.com/programlisting +programlistingPlease confirm the domain name [example.com]:/programlisting /listitem + listitem para Enter the new Kerberos realm name. This is usually based on the domain name. /para -programlisting language=BashPlease provide a realm name [EXAMPLE.COM]:/programlisting +programlistingPlease provide a realm name [EXAMPLE.COM]:/programlisting /listitem listitem para Enter the password for the DS; superuser, commandcn=Directory Manager/command. There are password strength requirements for this password, including a minimum password length. /para -programlisting language=BashDirectory Manager password: +programlistingDirectory Manager password:
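Review bot: the -602 hunk removes the step that reprints the hostname, IP address and domain name (the only place the 192.168.1.1 example appeared) and strips language=Bash from every programlisting, but the commit message only says "Fixed setup outputs"; state why the step went away (if the installer no longer prints that block) and why the highlighting attribute was dropped, otherwise a later editor will put both back. The new DNS step is inserted before the hostname prompt with its own xref for the DNS case, which matches the [no] default it shows; a short sentence that this question comes first would make the step order explicit.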
[Freeipa-devel] [PATCHES] 0307-0308 Use direct RPC with specified version in client-install
These patches allow a client to enroll with old servers. The bug was reported in uploading SSH keys: https://fedorahosted.org/freeipa/ticket/3931 but while testing against v2.1 I found and fixed another bug that prevented the install. See the commit messages. With these patches I've successfully enrolled on: - Fedora 19, master - Fedora 19, 3.3.1-1 - Fedora 19, 3.3.1-1, CA-less - RHEL 6.2, 2.1.3-9 (SSH keys not supported, --force for cert over HTTP) -- Petr³ From 1bbca44e773745dac321de986e47dd8c981b2d8b Mon Sep 17 00:00:00 2001 From: Petr Viktorin pvikt...@redhat.com Date: Fri, 4 Oct 2013 10:23:16 +0200 Subject: [PATCH] ipa-client-install: Use direct RPC instead of api.Command To make sure the installation works with older servers, use XML-RPC directly, with a version set explicitly so the request is not rejected. RPC was chosen over ldapmodify, because going through the API allows the server to process the request properly, or even cleanly reject it if there are incompatible changes in future versions. https://fedorahosted.org/freeipa/ticket/3931 --- ipa-client/ipa-install/ipa-client-install | 16 +--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index fdfadee765b74a537a5872e13b5211a98e3d8865..e23e6dc5836244090126781db8da5e66cb706880 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -1467,9 +1467,13 @@ def update_ssh_keys(server, hostname, ssh_dir, create_sshfp): f.close() try: -result = api.Command['host_mod'](unicode(hostname), +# Use the RPC directly so older servers are supported +api.Backend.xmlclient.forward( +'host_mod', +unicode(hostname), ipasshpubkey=[pk.openssh() for pk in pubkeys], -updatedns=False +updatedns=False, +version=u'2.26', # this version adds support for SSH public keys ) except errors.EmptyModlist: pass 
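Review bot: in the update_ssh_keys hunk (-1467) the only error caught is errors.EmptyModlist; against a server older than API 2.26, which the cover message says exists in the tested set (2.1.3, "SSH keys not supported"), the forward() call will fail with some other error, and the hunk does not show how that is handled, so confirm the surrounding handlers in update_ssh_keys cover it or enrollment aborts on exactly the servers these patches target. Pinning version=u'2.26' for every server, including current ones, is the right call for compatibility, but it deserves a sentence in the commit message alongside the inline comment.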
@@ -2373,7 +2377,13 @@ def install(options, env, fstore, statestore): 'Cannot connect to the server due to generic error: %s', str(e)) return CLIENT_INSTALL_ERROR -remote_env = api.Command['env'](server=True)['result'] +# Use the RPC directly so older servers are supported +result = api.Backend.xmlclient.forward( +'env', +server=True, +version=u'2.0', +) +remote_env = result['result'] if not remote_env['enable_ra']: disable_ra() -- 1.8.3.1 From d802a84d6e4544e2d093fc36c7fb37ed4b5fb4f5 Mon Sep 17 00:00:00 2001 From: Petr Viktorin pvikt...@redhat.com Date: Fri, 4 Oct 2013 00:44:51 +0200 Subject: [PATCH] ipa-client-install: Verify RPC connection with a ping With old servers, it is possible that xmlclient.connect() succeeds but commands fail with a Kerberos error. Verify that commands succeed by sending a ping after connecting. Follow-up to: https://fedorahosted.org/freeipa/ticket/3931 --- ipa-client/ipa-install/ipa-client-install | 9 + 1 file changed, 9 insertions(+) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index e23e6dc5836244090126781db8da5e66cb706880..3c78c844b17468f347ef04198d58a12b11e4b4cb 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install 
@@ -2350,13 +2350,22 @@ def install(options, env, fstore, statestore): pass # Now, let's try to connect to the server's XML-RPC interface +connected = False try: api.Backend.xmlclient.connect() +connected = True +root_logger.debug('Try RPC connection') +api.Backend.xmlclient.forward('ping') except errors.KerberosError, e: +if connected: +api.Backend.xmlclient.disconnect() root_logger.info('Cannot connect to the server due to ' + 'Kerberos error: %s. Trying with delegate=True', str(e)) try: api.Backend.xmlclient.connect(delegate=True) +root_logger.debug('Try RPC connection') +api.Backend.xmlclient.forward('ping') + root_logger.info('Connection with delegate=True successful') # The remote server is not capable of Kerberos S4U2Proxy delegation -- 1.8.3.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
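Review bot: the env call in the -2373 hunk of the first patch hard-codes version=u'2.0' with no comment, while the -1467 hunk explains its 2.26; add the same kind of note (why 2.0 is the lowest version every server accepts for env). The result is still dereferenced as remote_env['enable_ra'] without checking the key exists, which is unchanged behaviour but worth a guard now that the explicit goal is talking to old servers.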
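Review bot: in the -2350 hunk the delegate=True retry has no counterpart to the connected/disconnect logic of the first attempt: if connect(delegate=True) succeeds and the following forward('ping') raises, the connection is left open and the connected flag is stale. Either reset connected before the retry and disconnect in its handler, or move connect-then-ping into a small helper used by both paths. Minor: the debug message 'Try RPC connection' is logged after connect() has already returned, so 'Trying RPC ping' would describe what happens next.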
Re: [Freeipa-devel] [DOC] Chapter 4 screenshots
On 09/25/2013 01:24 PM, Petr Vobornik wrote:
On 09/18/2013 05:07 PM, Martin Basti wrote:

Patch adds new screen-shots for chapter 4 Basic Usage

NOTE: Patch doesn't cover part 4.3 Logging with web UI

ACK, but I would wait for mbasti 0004 and 0005.

Pushed to master

-- 
Petr Vobornik
Re: [Freeipa-devel] [DOC] Chapter 2 Installation
On 10/04/2013 12:52 PM, Martin Basti wrote:
On Mon, 2013-09-30 at 17:48 +0200, Petr Vobornik wrote:
On 09/27/2013 11:37 AM, Martin Basti wrote:
On Fri, 2013-09-27 at 10:50 +0200, Martin Basti wrote:
On Mon, 2013-08-26 at 17:16 +0200, Martin Basti wrote:

[Quoted exchange snipped; it is identical to the previous message of this thread above.]

ACK, pushed to master.

-- 
Petr Vobornik
Re: [Freeipa-devel] [DOC] 0002 Chapter 3 Installing clients
On 09/30/2013 06:29 PM, Petr Vobornik wrote:
On 09/27/2013 05:52 PM, Martin Basti wrote:
On Mon, 2013-08-26 at 17:25 +0200, Martin Basti wrote:
Hello, this patch fixes some setup outputs, adds tips and the order of commands in examples
-- Martin Basti
Updated patch
You did some additional changes (programlisting -- screen etc.) which were not previously discussed in a review. Please mention it also in a mail next time.
This is weird, but it's commented out, so it doesn't matter:
- admin_server = ipaserver.example.com:749 - default_domain = example.com - kdc = ipaserver.example.com:88 - } + admin_server = ipaserver.example.com:749 + default_domain = example.com + kdc = ipaserver.example.com:88 + }
ACK
Pushed to master.
-- Petr Vobornik
Re: [Freeipa-devel] [DOC] 0005 Updated chapter 4 - login into web UI
On 10/01/2013 04:29 PM, Petr Vobornik wrote:
On 09/30/2013 06:45 PM, Martin Basti wrote:
On Fri, 2013-09-20 at 17:39 +0200, Petr Vobornik wrote:
On 09/20/2013 04:06 PM, Martin Basti wrote:
Logging into web UI and configuring web browser sections were outdated
Thanks for the patch. Here are my comments (some for existing issues):
1. There are whitespace warnings when applying this patch.
Fixed
2. PDF output is bad. Images are too big - right half is not displayed. Several times there is image A with list item for image B below (image B is on the next page with list item for image C). I saw some 'missing image constraints warnings' during build - maybe that's the cause.
More important is HTML, there is 440px width limit for images in PDF and current images are not readable in PDF
3. Section 4.3.5: Don't know why it's called 'Simple authentication'. Usually it's referred to as 'forms based authentication'.
Changed to form based auth
3a. Following sentence is misleading: "the error first says to renew the Kerberos credentials or to configure the browser to support Kerberos authentication." IIRC the previous dialog had different wording. The new one gives user two options but it doesn't encourage user to 'renew Kerberos credentials'. Also, you have deleted the first instruction but left a second: "Then simply supply the UID and password for a configured FreeIPA user." without any context. IMO it should be reworded.
Reworded
4. I think the entire section '4.3.6. Using the UI with Proxy Servers' is incorrect. Using Web UI with proxy is not an easy thing to do. http://www.redhat.com/archives/freeipa-users/2013-August/msg00065.html
Removed section
5. Old unused images should be deleted.
Deleted + deleted unused xml which requires unused images
6. Section 4.4.1 (not sure if it's related to this patch) says: "randomly selects up to 20 entries" that's not true. There is no randomness. It selects: First record: ($PAGE_NUM * 20 +1), up to Last: (($PAGE_NUM + 1) *20). When first index is 1.
Fixed
6a. LDAP search limit: the option name is --pkey-only not --pkey.
Fixed
updated patch attached
Note that 6 and 6a are implemented in mbasti 0004-2.
ACK
Pushed to master.
-- Petr Vobornik
Re: [Freeipa-devel] [DOC] Chapter 4 text
On 10/03/2013 05:51 PM, Petr Vobornik wrote:
On 10/03/2013 12:12 PM, Martin Basti wrote:
On Tue, 2013-10-01 at 16:29 +0200, Petr Vobornik wrote:
On 09/27/2013 05:52 PM, Martin Basti wrote:
On Wed, 2013-09-18 at 17:10 +0200, Martin Basti wrote:
Patch fixes examples in chapter 4, adds new examples, fixes out of date information.
NOTE: Patch doesn't cover part 4.3 Logging with web UI
Updated patch
NACK
1. Table 4.1. Configuration Areas Per Tab is missing Trusts in IPA tab. This menu item is visible only if ipa-adtrust-install was run.
+Trusts (shown if AD-trust exists)
ipa-adtrust-install was run != AD-trust exists
From ipa-adtrust-install man page: "ipa-adtrust-install - Prepare an IPA server to be able to establish trust relationships with AD domains"
Fixed
Updated patch attached
ACK
Pushed to master
-- Petr Vobornik
[Freeipa-devel] [PATCH] 0309 Do no fail upgrade if the global anonymous read ACI is not, found
https://fedorahosted.org/freeipa/ticket/3956 -- Petr³ From 767a49c3ee7c4964453e3b8ffeee23ad2d9bc7bb Mon Sep 17 00:00:00 2001 From: Petr Viktorin pvikt...@redhat.com Date: Fri, 4 Oct 2013 13:28:16 +0200 Subject: [PATCH] Do no fail upgrade if the global anonymous read ACI is not found This helps forward compatibility: the anon ACI is scheduled for removal. https://fedorahosted.org/freeipa/ticket/3956 --- ipaserver/install/plugins/update_anonymous_aci.py | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/ipaserver/install/plugins/update_anonymous_aci.py b/ipaserver/install/plugins/update_anonymous_aci.py index af4196a681b163986b0b42c4d8be3e649b2026ac..2e01217f524e35208ab12f52befd54bdead5ac3b 100644 --- a/ipaserver/install/plugins/update_anonymous_aci.py +++ b/ipaserver/install/plugins/update_anonymous_aci.py @@ -20,7 +20,7 @@ from copy import deepcopy from ipaserver.install.plugins import FIRST, LAST from ipaserver.install.plugins.baseupdate import PostUpdate -from ipalib import api +from ipalib import api, errors from ipalib.aci import ACI from ipalib.plugins import aci from ipapython.ipa_log_manager import * @@ -42,7 +42,11 @@ def execute(self, **options): acistrs = entry_attrs.get('aci', []) acilist = aci._convert_strings_to_acis(entry_attrs.get('aci', [])) -rawaci = aci._find_aci_by_name(acilist, aciprefix, aciname) +try: +rawaci = aci._find_aci_by_name(acilist, aciprefix, aciname) +except errors.NotFound: +root_logger.error('Anonymous ACI not found, cannot update it') +return False, False, [] attrs = rawaci.target['targetattr']['expression'] rawfilter = rawaci.target.get('targetfilter', None) -- 1.8.3.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
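Review bot: the new `except errors.NotFound:` branch logs with `root_logger.error('Anonymous ACI not found, cannot update it')` for a condition the commit message describes as expected forward compatibility (the anon ACI is scheduled for removal), so every upgrade of a server that no longer has the ACI will print an error line even though the plugin then cleanly does `return False, False, []`; a warning or info level, with wording that says the ACI is absent and the update is skipped, matches the intent better. In the unchanged context, `acistrs = entry_attrs.get('aci', [])` is computed and then the same expression is evaluated again as the argument to `aci._convert_strings_to_acis(entry_attrs.get('aci', []))`, which could simply take `acistrs`.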
Re: [Freeipa-devel] [PATCH] 0309 Do not fail upgrade if the global anonymous read ACI is not found
On 10/04/2013 01:49 PM, Petr Viktorin wrote: https://fedorahosted.org/freeipa/ticket/3956 ... Once more, without the typo in the subject. -- Petr³ From 767a49c3ee7c4964453e3b8ffeee23ad2d9bc7bb Mon Sep 17 00:00:00 2001 From: Petr Viktorin pvikt...@redhat.com Date: Fri, 4 Oct 2013 13:28:16 +0200 Subject: [PATCH] Do not fail upgrade if the global anonymous read ACI is not found This helps forward compatibility: the anon ACI is scheduled for removal. https://fedorahosted.org/freeipa/ticket/3956 --- ipaserver/install/plugins/update_anonymous_aci.py | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/ipaserver/install/plugins/update_anonymous_aci.py b/ipaserver/install/plugins/update_anonymous_aci.py index af4196a681b163986b0b42c4d8be3e649b2026ac..2e01217f524e35208ab12f52befd54bdead5ac3b 100644 --- a/ipaserver/install/plugins/update_anonymous_aci.py +++ b/ipaserver/install/plugins/update_anonymous_aci.py @@ -20,7 +20,7 @@ from copy import deepcopy from ipaserver.install.plugins import FIRST, LAST from ipaserver.install.plugins.baseupdate import PostUpdate -from ipalib import api +from ipalib import api, errors from ipalib.aci import ACI from ipalib.plugins import aci from ipapython.ipa_log_manager import * @@ -42,7 +42,11 @@ def execute(self, **options): acistrs = entry_attrs.get('aci', []) acilist = aci._convert_strings_to_acis(entry_attrs.get('aci', [])) -rawaci = aci._find_aci_by_name(acilist, aciprefix, aciname) +try: +rawaci = aci._find_aci_by_name(acilist, aciprefix, aciname) +except errors.NotFound: +root_logger.error('Anonymous ACI not found, cannot update it') +return False, False, [] attrs = rawaci.target['targetattr']['expression'] rawfilter = rawaci.target.get('targetfilter', None) -- 1.8.3.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 424 Remove faulty DNS memberOf Task
This task was added with a DN colliding with privilege update memberOf task being run later and caused this task to be ineffective and thus miss some privilege membership, like SELinux User Map Administrators DNS update plugin do not need to run any task at all as privileges will be updated later in scope of 55-pbacmemberof.update https://fedorahosted.org/freeipa/ticket/3877 -- Martin Kosek mko...@redhat.com Supervisor, Software Engineering - Identity Management Team Red Hat Inc. From cf5cda13a512afcba3163a16fbfa1b531456 Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Fri, 4 Oct 2013 13:48:52 +0200 Subject: [PATCH] Remove faulty DNS memberOf Task This task was added with a DN colliding with privilege update memberOf task being run later and caused this task to be ineffective and thus miss some privilege membership, like SELinux User Map Administrators DNS update plugin do not need to run any task at all as privileges will be updated later in scope of 55-pbacmemberof.update https://fedorahosted.org/freeipa/ticket/3877 --- install/updates/40-dns.update | 11 ++- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/install/updates/40-dns.update b/install/updates/40-dns.update index 7ad366e6099aed5cfd240fa2068d9e41bc2af9aa..475a0c05cf3c54c2c26c65c608d205034dec9faf 100644 --- a/install/updates/40-dns.update +++ b/install/updates/40-dns.update @@ -1,5 +1,6 @@ # Add missing member values to attach permissions to their respective -# privileges and run a memberOf task. +# privileges +# Memberof task is already being run in 55-pbacmemberof.update dn: cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX addifexist:objectclass: ipapermission addifexist:member: 'cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX' 
@@ -18,14 +19,6 @@ dn: cn=update dns dn: cn=Write DNS Configuration,cn=permissions,cn=pbac,$SUFFIX addifexist:objectclass: ipapermission -dn: cn=Update PBAC memberOf $TIME, cn=memberof task, cn=tasks, cn=config -add: objectClass: top -add: objectClass: extensibleObject -add: cn: IPA PBAC memberOf $TIME -add: basedn: 'cn=privileges,cn=pbac,$SUFFIX' -add: filter: (objectclass=*) -add: ttl: 10 - # update DNS container dn: cn=dns, $SUFFIX addifexist: objectClass: idnsConfigObject -- 1.8.3.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
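Review bot: removing the `dn: cn=Update PBAC memberOf $TIME, cn=memberof task, cn=tasks, cn=config` entry relies on `55-pbacmemberof.update` running after this file, which the numbering implies but the new comment `# Memberof task is already being run in 55-pbacmemberof.update` does not state; it would help to say there that memberOf for the privileges attached with the `addifexist:member:` lines above is only regenerated by that later update, so no update file between 40 and 55 may depend on it. The comment also spells the attribute `Memberof` while the surrounding text uses `memberOf`; keep one spelling.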
Re: [Freeipa-devel] [PATCH] 424 Remove faulty DNS memberOf Task
On 10/04/2013 01:52 PM, Martin Kosek wrote:
This task was added with a DN colliding with privilege update memberOf task being run later and caused this task to be ineffective and thus miss some privilege membership, like SELinux User Map Administrators
DNS update plugin do not need to run any task at all as privileges will be updated later in scope of 55-pbacmemberof.update
https://fedorahosted.org/freeipa/ticket/3877
I could never reproduce the issue, but the fix seems plausible and doesn't break anything. So ACK, pushed to:
master: b1451373c4f918621ce06d8144aaa63e141c
ipa-3-3: b32ed6d8ba85ec4baa1ebd69c564f2c8fcf7a3a6
-- Petr³
Re: [Freeipa-devel] [PATCH] 287 Update translations from Transifex
On 09/26/2013 01:10 PM, Petr Viktorin wrote:
Hello,
There'll be a Fedora 20 L10n test on Thursday, and maintainers are asked to push packages with updated translations by Friday. We're planning another minor release after that deadline; in the meantime I will put this patch into Fedora 20 Rawhide only.
The patch goes on top of the ipa-3-3 branch.
Welcome to new translators: Ubuntu's Adolfo Jayme Barrientos provided lots of new Spanish words, and Dralyab and Gé Baylardfor helped to keep French up to date.
There has been no translation activity since I made the patch, and we're getting close to release, so I've pushed it to upstream as well.
master: 321e8635ae74b9e494047ac22d384dfd92a9a28e
ipa-3-3: 0a9304c5b91b09aac123591531b42c3610b8b987
Martin, you can remove the Fedora patch when you release.
-- Petr³
Re: [Freeipa-devel] [PATCHES] 0307-0308 Use direct RPC with specified version in client-install
On 4.10.2013 13:26, Petr Viktorin wrote:
These patches allow a client to enroll with old servers. The bug was reported in uploading SSH keys: https://fedorahosted.org/freeipa/ticket/3931 but while testing against v2.1 I found and fixed another bug that prevented the install. See the commit messages.
With these patches I've successfully enrolled on:
- Fedora 19, master
- Fedora 19, 3.3.1-1
- Fedora 19, 3.3.1-1, CA-less
- RHEL 6.2, 2.1.3-9 (SSH keys not supported, --force for cert over HTTP)
Could you put the information to the freeipa.org web site? E.g. How-to join RHEL = 6.2 client to FreeIPA ?
BTW, should we have some 'Compatibility' section in docs? Martin?
I'm sorry for nitpicking :-)
-- Petr^2 Spacek
Re: [Freeipa-devel] [PATCHES] 0307-0308 Use direct RPC with specified version in client-install
On 10/04/2013 03:03 PM, Petr Spacek wrote:
On 4.10.2013 13:26, Petr Viktorin wrote:
These patches allow a client to enroll with old servers. The bug was reported in uploading SSH keys: https://fedorahosted.org/freeipa/ticket/3931 but while testing against v2.1 I found and fixed another bug that prevented the install. See the commit messages.
With these patches I've successfully enrolled on:
- Fedora 19, master
- Fedora 19, 3.3.1-1
- Fedora 19, 3.3.1-1, CA-less
- RHEL 6.2, 2.1.3-9 (SSH keys not supported, --force for cert over HTTP)
Could you put the information to the freeipa.org web site? E.g. How-to join RHEL = 6.2 client to FreeIPA ?
The client tells you what to do, and warns that it's insecure. From the code it looks like in normal (not unattended) mode it'll even ask directly. I don't think we need an extra guide on the wiki.
BTW, should we have some 'Compatibility' section in docs? Martin?
I'm sorry for nitpicking :-)
-- Petr³
Re: [Freeipa-devel] [PATCHES] 0307-0308 Use direct RPC with specified version in client-install
On Fri, 2013-10-04 at 15:03 +0200, Petr Spacek wrote:
On 4.10.2013 13:26, Petr Viktorin wrote:
These patches allow a client to enroll with old servers. The bug was reported in uploading SSH keys: https://fedorahosted.org/freeipa/ticket/3931 but while testing against v2.1 I found and fixed another bug that prevented the install. See the commit messages.
With these patches I've successfully enrolled on:
- Fedora 19, master
- Fedora 19, 3.3.1-1
- Fedora 19, 3.3.1-1, CA-less
- RHEL 6.2, 2.1.3-9 (SSH keys not supported, --force for cert over HTTP)
Could you put the information to the freeipa.org web site? E.g. How-to join RHEL = 6.2 client to FreeIPA ?
BTW, should we have some 'Compatibility' section in docs? Martin?
It is only for RHEL, it should be in IdM Guide, maintained by Deon.
I'm sorry for nitpicking :-)
-- Martin Basti
Re: [Freeipa-devel] [PATCHES] 0307-0308 Use direct RPC with specified version in client-install
Hi,
On 4.10.2013 13:26, Petr Viktorin wrote:
These patches allow a client to enroll with old servers. The bug was reported in uploading SSH keys: https://fedorahosted.org/freeipa/ticket/3931 but while testing against v2.1 I found and fixed another bug that prevented the install. See the commit messages.
With these patches I've successfully enrolled on:
- Fedora 19, master
- Fedora 19, 3.3.1-1
- Fedora 19, 3.3.1-1, CA-less
- RHEL 6.2, 2.1.3-9 (SSH keys not supported, --force for cert over HTTP)
ACK.
Honza
-- Jan Cholasta
Re: [Freeipa-devel] [PATCHES] 0307-0308 Use direct RPC with specified version in client-install
On 10/04/2013 03:34 PM, Jan Cholasta wrote:
Hi,
On 4.10.2013 13:26, Petr Viktorin wrote:
These patches allow a client to enroll with old servers. The bug was reported in uploading SSH keys: https://fedorahosted.org/freeipa/ticket/3931 but while testing against v2.1 I found and fixed another bug that prevented the install. See the commit messages.
With these patches I've successfully enrolled on:
- Fedora 19, master
- Fedora 19, 3.3.1-1
- Fedora 19, 3.3.1-1, CA-less
- RHEL 6.2, 2.1.3-9 (SSH keys not supported, --force for cert over HTTP)
ACK.
Honza
Thanks, pushed to:
master: 5824a0e14e73f8d13a93f1b5213488ff9eaa
ipa-3-3: 96ab7002ac2acfc129dd73f1fc9b023a6fbf3723
-- Petr³
Re: [Freeipa-devel] [PATCH] 0309 Do not fail upgrade if the global anonymous read ACI is not found
On 10/04/2013 01:50 PM, Petr Viktorin wrote:
On 10/04/2013 01:49 PM, Petr Viktorin wrote:
https://fedorahosted.org/freeipa/ticket/3956
...
Once more, without the typo in the subject.
ACK! Works fine. Pushed to master, ipa-3-3.
Martin
Re: [Freeipa-devel] [PATCH] 0304 ipapython.nsslib: Name arguments to NSPRError
On 10/02/2013 05:49 PM, Petr Vobornik wrote:
On 10/02/2013 04:34 PM, Petr Viktorin wrote:
As I found out when installing on a misconfigured system, we use wrong argument order for NSPRError in nsslib. This patch corrects the problem.
ACK
A nitpick:
$ git diff HEAD~1 | pep8 --diff
./ipapython/nsslib.py:145:14: E111 indentation is not a multiple of four
./ipapython/nsslib.py:148:21: E128 continuation line under-indented for visual indent
You are a bigger fan of pep8, so it's up to you...
Thanks, fixed E111 and pushed to
master: 80886a50e6157e6a0b8f3f09523ba7d2c2b8001c
ipa-3-3: 54a7c84d02c92133b1d1283f01b7a46cbaa50229
-- Petr³
[Freeipa-devel] Announcing FreeIPA 3.3.2
The FreeIPA team is proud to announce FreeIPA v3.3.2!

It can be downloaded from http://www.freeipa.org/page/Downloads. Fedora 19 builds are already on their way to the updates-testing repo.

== Highlights in 3.3.2 ==

=== Enhancements ===
* Multiple domains from a trusted Active Directory forest are now supported
* Issue warnings when the installed FreeIPA realm differs from the main domain, as this setup prevents configuring AD trusts
* Allow PKCS#12 files with empty password in install tools

=== Bug fixes ===
* ipa-replica-manage no longer returns RUV error when removing a replica
* ipa-replica-install no longer crashes when being run against a master with older Directory Server
* When creating AD trust, report supported enctypes based on Kerberos realm configuration
* ... and numerous other small fixes

=== Test improvements ===
* New tests for forced client re-enrollment feature
* Integration tests no longer require python-paramiko and can run on top of bare SSH connection
* Numerous small fixes in beakerlib integration

== Supporting Multiple Domains from Trusted Active Directory Forest ==

Previously only a root level domain of a trusted AD forest was supported. Now all domains of the trusted AD forest can access resources in a FreeIPA domain. FreeIPA admins are now able to refresh the list of domains from a trusted AD forest and selectively enable and disable specific domains from accessing resources in the FreeIPA domain.

The following commands were added to the FreeIPA CLI:
* ipa trust-fetch-domains trust
** Refresh the list of domains from a trusted AD forest. By default all found domains belonging to the forest will be allowed to access IPA resources.
* ipa trustdomain-find trust [domain]
** List domains of the trusted AD forest, displaying their attributes. When ''domain'' is specified in addition to the trust name, only information about ''domain'' is shown.
* ipa trustdomain-disable trust domain
** Disable access from domain of the trust to IPA resources.
* ipa trustdomain-enable trust domain
** Enable access from domain of the trust to IPA resources.
* ipa trustdomain-del trust domain
** Remove information about domain of the trust from the IPA view of the trusted AD forest. Users from domain will not be able to access IPA resources.

The following IPA commands were extended:
* ipa trust-add trust
** When trust to an AD forest is established, the list of domains of the forest will be fetched and identity ranges for them will be created automatically. In case of POSIX attributes being managed by the AD forest, a single identity range for the trusted forest's root level domain will be re-used.
** When trust to an AD forest is established, the list of domains associated with IPA is provided to the DC of the forest root level domain. This information is used to enable name suffix routing for systems belonging to the IPA domain. As a result, if IPA master servers don't belong to the IPA DNS domain namespace, they will still be able to access resources in the trusted AD forest.

FreeIPA 3.3.2 requires use of SSSD 1.11.1 due to integration of non-root level forest domains support.

== Upgrading ==

=== FreeIPA servers with CA installed prior to version 3.1 ===
A manual upgrade procedure is required for FreeIPA servers installed with a version prior to 3.1. Please see http://www.freeipa.org/page/Howto/Dogtag9ToDogtag10Migration for details.

=== Other FreeIPA servers and clients ===
An IPA server can be upgraded simply by installing updated rpms. The server does not need to be shut down in advance.

Please note that if you are doing the upgrade in a special environment (e.g. FedUp) which does not allow running the LDAP server during the upgrade process, the upgrade scripts need to be run manually after the first boot:
 # ipa-upgradeconfig
 # ipa-ldap-updater --upgrade

Also note that the performance improvements require an extended set of indexes to be configured. RPM update for an IPA server with an excessive number of users may require several minutes to finish.

If you have multiple servers you may upgrade them one at a time. It is expected that all servers will be upgraded in a relatively short period (days or weeks, not months). They should be able to co-exist peacefully but new features will not be available on old servers and enrolling a new client against an old server will result in the SSH keys not being uploaded.

Downgrading a server once upgraded is not supported.

Upgrading from 2.2.0 and later versions is supported. Upgrading from previous versions is not supported and has not been tested.

An enrolled client does not need the new packages installed unless you want to re-enroll it. SSH keys for already installed clients are not uploaded; you will have to re-enroll the client or manually upload the keys.

== Feedback ==

Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or the #freeipa channel on Freenode.

== Detailed Changelog since 3.3.1 ==

=== Alexander Bokovoy (11): ===
*
[Freeipa-devel] [PATCH] 425 Do not allow '%' in DM password
Having '%' in DM password causes pkispawn to crash. Do not allow users to enter it until pkispawn is fixed. https://bugzilla.redhat.com/show_bug.cgi?id=953488 --- Pushed as a one-liner to master, ipa-3-3. Martin From 5621539945d8ce49a60222989632f32648e09aea Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Fri, 4 Oct 2013 17:39:28 +0200 Subject: [PATCH] Do not allow '%' in DM password Having '%' in DM password causes pkispawn to crash. Do not allow users to enter it until pkispawn is fixed. https://bugzilla.redhat.com/show_bug.cgi?id=953488 --- install/tools/ipa-server-install | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 0374efea3c33b3e02acf3226fdda23e358fbf5d9..8077bc207fd2cd48846f7c6fdb2bff14505dc10c 100644 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -110,7 +110,7 @@ def validate_dm_password(password): raise ValueError(Password must only contain ASCII characters) # Disallow characters that pkisilent doesn't process properly: -bad_characters = ' \\' +bad_characters = ' \\%' if any(c in bad_characters for c in password): raise ValueError('Password must not contain these characters: %s' % ', '.join('%s' % c for c in bad_characters)) -- 1.8.3.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
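Review bot: the unchanged context comment `# Disallow characters that pkisilent doesn't process properly:` now also covers `%`, which the commit message attributes to pkispawn rather than pkisilent; update the comment and cite https://bugzilla.redhat.com/show_bug.cgi?id=953488 in it, so the next reader knows why `%` is in `bad_characters = ' \\%'` and when it can be dropped once pkispawn is fixed. The `ValueError` message stays correct with `%` in the set, because `c` is the argument of `'%s' % c` and not the format string, but a short comment saying so is worth adding given the character involved.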
[Freeipa-devel] [PATCH 0020] Add IntEnum parameter to ipalib
This patch is preparatory for the OTP CLI patch. From 2e1f6213f9516c282857bc9138262a7501f3976f Mon Sep 17 00:00:00 2001 From: Nathaniel McCallum npmccal...@redhat.com Date: Mon, 30 Sep 2013 12:45:37 -0400 Subject: [PATCH] Add IntEnum parameter to ipalib --- ipalib/__init__.py | 2 +- ipalib/parameters.py | 14 ++ 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/ipalib/__init__.py b/ipalib/__init__.py index d822ba5956d6afb6ef6d88063f8359926e47016b..ab89ab77ec94603d242e56436021c9b6ed8663cb 100644 --- a/ipalib/__init__.py +++ b/ipalib/__init__.py @@ -886,7 +886,7 @@ from frontend import Command, LocalOrRemote, Updater, Advice from frontend import Object, Method, Property from crud import Create, Retrieve, Update, Delete, Search from parameters import DefaultFrom, Bool, Flag, Int, Decimal, Bytes, Str, IA5Str, Password, DNParam, DeprecatedParam -from parameters import BytesEnum, StrEnum, AccessTime, File +from parameters import BytesEnum, StrEnum, IntEnum, AccessTime, File from errors import SkipPluginModule from text import _, ngettext, GettextFactory, NGettextFactory diff --git a/ipalib/parameters.py b/ipalib/parameters.py index ab4b8321686bd88ad122a37ff289a0153e65ea21..fbcb87537ba662763a00e12178d424a8718baa8a 100644 --- a/ipalib/parameters.py +++ b/ipalib/parameters.py @@ -1567,6 +1567,20 @@ class StrEnum(Enum): type = unicode +class IntEnum(Enum): + +Enumerable for integer data (stored in the ``int`` type). + + +type = int + +def _convert_scalar(self, value, index=None): +return Int._convert_scalar(self, value, index=index) + +def _validate_scalar(self, value, index=None): +Int._validate_scalar(self, value, index=index) + + class Any(Param): A parameter capable of holding values of any type. For internal use only. -- 1.8.3.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
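Review bot: `Int._convert_scalar(self, value, index=index)` and `Int._validate_scalar(self, value, index=index)` call unbound methods of `Int` with an `IntEnum` instance as `self`, but `IntEnum` derives from `Enum`, not from `Int`; on Python 2 (the context uses `type = unicode`) an unbound method checks that its first argument is an instance of its class, so both calls raise `TypeError` the first time a value is converted. Either give `IntEnum` the `Int` behaviour through inheritance, or call the underlying function (`Int._convert_scalar.im_func(self, value, index=index)`, or reuse `Int`'s conversion helper directly), and add a unit test that passes a string such as `'1'` through an `IntEnum` with `values=(1, 2, 3)` so the path is exercised.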
[Freeipa-devel] [PATCH 0021] Don't special case the Password class in Param.__init__()
This patch is preparatory for the OTP CLI patch. From 2678ff4e2f22e7e81bf40b30ffcd0efe0ecf08c2 Mon Sep 17 00:00:00 2001 From: Nathaniel McCallum npmccal...@redhat.com Date: Mon, 30 Sep 2013 13:06:37 -0400 Subject: [PATCH] Don't special case the Password class in Param.__init__() --- ipalib/parameters.py | 20 ++-- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/ipalib/parameters.py b/ipalib/parameters.py index fbcb87537ba662763a00e12178d424a8718baa8a..925f442968ab93b2b6df4e386d03558300bf5990 100644 --- a/ipalib/parameters.py +++ b/ipalib/parameters.py @@ -398,11 +398,11 @@ class Param(ReadOnly): # We keep these values to use in __repr__(): self.param_spec = name self.__kw = dict(kw) - -if isinstance(self, Password): -self.password = True -else: + +try: self.password = False +except AttributeError: +pass # Merge in kw from parse_param_spec(): (name, kw_from_spec) = parse_param_spec(name) @@ -633,9 +633,8 @@ class Param(ReadOnly): Return a value safe for logging. -This is used so that passwords don't get logged. If this is a -`Password` instance and ``value`` is not ``None``, a constant -``u''`` is returned. For example: +This is used so that sensitive values like passwords don't get logged. +For example: p = Password('my_password') p.safe_value(u'This is my password') @@ -643,9 +642,6 @@ class Param(ReadOnly): p.safe_value(None) is None True -If this is not a `Password` instance, ``value`` is returned unchanged. -For example: - s = Str('my_str') s.safe_value(u'Some arbitrary value') u'Some arbitrary value' @@ -1501,6 +1497,10 @@ class Password(Str): kwargs = Str.kwargs + ( ('confirm', bool, True), ) + +def __init__(self, name, *rules, **kw): +self.password = True +super(Password, self).__init__(name, *rules, **kw) def _convert_scalar(self, value, index=None): if isinstance(value, (tuple, list)) and len(value) == 2: -- 1.8.3.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
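Review bot: the `try: self.password = False` / `except AttributeError: pass` in `Param.__init__` runs after `Password.__init__` has set `self.password = True` and then called `super(Password, self).__init__(name, *rules, **kw)`, and nothing in the visible lines makes the attribute read-only at that point, so the assignment succeeds and every `Password` ends up with `password = False`. A class attribute `password = False` on `Param`, overridden by `password = True` on `Password`, removes the special case without the try/except; a test asserting `Password('x').password is True` and `Str('x').password is False` would catch this. In the second hunk the docstring edit also drops the sentence `If this is not a \`Password\` instance, \`\`value\`\` is returned unchanged.`; keep a line stating what `safe_value` returns when `self.password` is false, since that is the behaviour the new text relies on.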
[Freeipa-devel] [PATCH 0022] Document no_search in Param flags
This patch is preparatory for the OTP CLI patch. From 7266de355c15aab383fb1328ce468d08011b545b Mon Sep 17 00:00:00 2001 From: Nathaniel McCallum npmccal...@redhat.com Date: Tue, 1 Oct 2013 13:55:22 -0400 Subject: [PATCH] Document no_search in Param flags --- ipalib/parameters.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ipalib/parameters.py b/ipalib/parameters.py index 925f442968ab93b2b6df4e386d03558300bf5990..30b9c920db95a1ec891d1a71553f11d3db645ed5 100644 --- a/ipalib/parameters.py +++ b/ipalib/parameters.py @@ -328,7 +328,9 @@ class Param(ReadOnly): * no_display (Output parameters only): do not display the parameter * no_create: do not include the parameter for crud.Create based commands -* no_update: do not include the parameter for crud.update based +* no_update: do not include the parameter for crud.Update based + commands +* no_search: do not include the parameter for crud.Search based commands * no_option: this attribute is not displayed in the CLI, usually because there's a better way of setting it (for example, a -- 1.8.3.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH 0023] Add optional_create flag
This patch is preparatory for the OTP CLI patch. From 56389a8c6cdc811c7b94de9b037d7c859931b69f Mon Sep 17 00:00:00 2001 From: Nathaniel McCallum npmccal...@redhat.com Date: Tue, 1 Oct 2013 13:57:24 -0400 Subject: [PATCH] Add optional_create flag This permits IDs to be automatically generated if not specified. --- ipalib/crud.py | 15 ++- ipalib/parameters.py | 2 ++ 2 files changed, 12 insertions(+), 5 deletions(-) diff --git a/ipalib/crud.py b/ipalib/crud.py index 72ea142da74e2f088bda36a06653f9e201f5dcc8..81caf57b58a575d0e96bde9c282d497ca693e0a8 100644 --- a/ipalib/crud.py +++ b/ipalib/crud.py @@ -133,16 +133,21 @@ class Create(Method): has_output = output.standard_entry +def __clone(self, param, **kw): +if 'optional_create' in param.flags: +kw['required'] = False +return param.clone(**kw) + def get_args(self): if self.obj.primary_key: -yield self.obj.primary_key.clone(attribute=True) +yield self.__clone(self.obj.primary_key, attribute=True) for arg in super(Create, self).get_args(): -yield arg +yield self.__clone(arg) def get_options(self): if self.extra_options_first: for option in super(Create, self).get_options(): -yield option +yield self.__clone(option) for option in self.obj.params_minus(self.args): attribute = 'virtual_attribute' not in option.flags if 'no_create' in option.flags: @@ -153,10 +158,10 @@ class Create(Method): autofill=False, alwaysask=True ) else: -yield option.clone(attribute=attribute) +yield self.__clone(option, attribute=attribute) if not self.extra_options_first: for option in super(Create, self).get_options(): -yield option +yield self.__clone(option) class PKQuery(Method): diff --git a/ipalib/parameters.py b/ipalib/parameters.py index 30b9c920db95a1ec891d1a71553f11d3db645ed5..e645b02a1d442e10c315b05e7bcda3469d33de4d 100644 --- a/ipalib/parameters.py +++ b/ipalib/parameters.py 
@@ -351,6 +351,8 @@ class Param(ReadOnly): not be given at all. All crud.Update commands automatically convert required parameters to `nonempty` ones, so the value can be unspecified (unchanged) but cannot be deleted. +* optional_create: do not require the parameter for crud.Create + based commands - hint: this attribute is currently not used - alwaysask: when enabled, CLI asks for parameter value even when the parameter is not `required` -- 1.8.3.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
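Review bot: `__clone` drops `required` for the primary key when `optional_create` is in its flags, but nothing in these hunks supplies an ID when the caller omits it, and the new docstring text `optional_create: do not require the parameter for crud.Create based commands` does not say where the value then comes from; state the contract (for example that the plugin's pre-callback must generate the key) so a command that sets the flag without a generator is an obvious bug rather than a surprise. In `get_args` and `get_options`, every parameter from `super(Create, self).get_args()` / `get_options()` is now passed through `self.__clone(...)` even when the flag is absent, which makes a copy with no changes; returning `param` unchanged when `'optional_create' not in param.flags` and no `kw` is given avoids those copies.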
[Freeipa-devel] [PATCH 0024] Add OTP support to ipalib CLI
This patch supersedes my patch 0017 and requires patches 0020-0023. I believe I have solved all of the outstanding issues from the review of patch 0017, unless otherwise noted:

1. I'm not actually sure what the format of the date parameters is. Could someone clarify this for me? Should I do something differently here?

2. In this new version of the patch, we are writing default values for many of the token attributes. It would be nice to have some global defaults for these default values, but this is not currently implemented. I think this would make a clean secondary patch on top of this current patch.

3. Dmitri brought up the idea of having tokens automatically expire by default. Is this a good idea? I think this dovetails nicely with #2 above.

4. This patch does not currently protect the deletion of the last token as previously discussed. Here is why I think this is still needed, but in the form of a DS plugin: We need to account for a state when the user is enabled for OTP but has not yet configured any tokens. I believe this state should be when the otp user auth type is set, but the user has no assigned tokens. In this state, the user should be able to log in with single factor authentication. Once the user has added tokens, however, should we allow the user to remove all his own tokens and return to single factor authentication? If yes, nothing further is needed. If no, then protection in the FreeIPA framework is not sufficient and this needs to be checked at the DS plugin level. I suspect Dmitri might answer that this needs to be a matter of policy.

5. There appears to be some sort of permissions issue with users and adding their own tokens. I have not looked into this yet, but I will review this early next week. Since this is a small bug fix to an existing feature, I figured it was out of scope for this patch.

6. When a user is deleted, all his tokens are deleted as well. This is sensible default behavior.
However, in the case of hardware tokens, it may be more desirable to orphan these objects for future assignment to new users. Does anyone have any opinions on this topic? Nathaniel From 6dc9d669542110ad16786b767d8c457b2670dff6 Mon Sep 17 00:00:00 2001 From: Nathaniel McCallum npmccal...@redhat.com Date: Tue, 1 Oct 2013 14:26:38 -0400 Subject: [PATCH] Add OTP support to ipalib CLI https://fedorahosted.org/freeipa/ticket/3368 --- API.txt| 101 +- VERSION| 2 +- freeipa.spec.in| 2 + ipalib/errors.py | 16 +++ ipalib/plugins/config.py | 2 +- ipalib/plugins/otptoken.py | 332 + ipalib/plugins/user.py | 10 +- 7 files changed, 458 insertions(+), 7 deletions(-) create mode 100644 ipalib/plugins/otptoken.py diff --git a/API.txt b/API.txt index 6d5d1a191a52f0b748720c607e4a65d735394b48..79f2a4342e77c315315d64c3d9c11bb2935ea2ff 100644 --- a/API.txt +++ b/API.txt 
@@ -514,7 +514,7 @@ option: Int('ipasearchrecordslimit', attribute=True, autofill=False, cli_name='s option: Int('ipasearchtimelimit', attribute=True, autofill=False, cli_name='searchtimelimit', minvalue=-1, multivalue=False, required=False) option: Str('ipaselinuxusermapdefault', attribute=True, autofill=False, cli_name='ipaselinuxusermapdefault', multivalue=False, required=False) option: Str('ipaselinuxusermaporder', attribute=True, autofill=False, cli_name='ipaselinuxusermaporder', multivalue=False, required=False) -option: StrEnum('ipauserauthtype', attribute=True, autofill=False, cli_name='user_auth_type', csv=True, multivalue=True, required=False, values=(u'password', u'radius')) +option: StrEnum('ipauserauthtype', attribute=True, autofill=False, cli_name='user_auth_type', csv=True, multivalue=True, required=False, values=(u'password', u'radius', u'otp')) option: Str('ipauserobjectclasses', attribute=True, autofill=False, cli_name='userobjectclasses', csv=True, multivalue=True, required=False) option: IA5Str('ipausersearchfields', attribute=True, autofill=False, cli_name='usersearch', multivalue=False, required=False) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') 
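Review bot: API.txt is generated, so this hunk only records that the `ipauserauthtype` StrEnum in the config command gained `u'otp'`; the source change is in ipalib/plugins/config.py (in the diffstat) and the per-user copy of the same auth-type enum lives in ipalib/plugins/user.py, which the diffstat also touches. Check that both declare the identical value set `(u'password', u'radius', u'otp')`, otherwise a value accepted globally is rejected per user, and confirm the VERSION bump (VERSION shows `2 +-`) is to the API minor number, since an enum value is an API change.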
@@ -2208,6 +2208,99 @@ option: Str('version?', exclude='webui') output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('summary', (type 'unicode', type 'NoneType'), None) output: Output('value', type 'unicode', None) +command: otptoken_add +args: 1,20,3 +arg: Str('ipatokenuniqueid', attribute=True, cli_name='id', multivalue=False, primary_key=True, required=False) +option: Str('addattr', cli_name='addattr', exclude='webui', multivalue=True, required=False) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui', multivalue=False, required=True) +option: Str('description', attribute=True, cli_name='desc', multivalue=False, required=False) +option: Bool('ipatokendisabled', attribute=True,
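The otptoken_add hunk above declares the primary key `ipatokenuniqueid` with `required=False`, which is what the `optional_create` flag from the preparatory patch earlier in this thread makes possible; the flag itself only relaxes the check, so the plugin has to generate the ID when the caller omits it and has to refuse a caller-chosen ID that already exists. The following is an added example written for this page, not FreeIPA code: `Param` and `Create` are simplified stand-ins for `ipalib.parameters.Param` and `ipalib.crud.Create`, the in-memory `store` dict stands in for LDAP, and the `ipatokenowner` parameter being required is an assumption.

```python
"""Added example (not FreeIPA code): how an 'optional_create' flag lets a
crud.Create command accept an omitted primary key, and what the object
plugin then has to do about it.

Param and Create are simplified stand-ins for ipalib.parameters.Param and
ipalib.crud.Create; the in-memory `store` dict stands in for LDAP, and
the 'ipatokenowner' parameter being required is an assumption.
"""
import uuid


class ValidationError(Exception):
    """A required parameter was not supplied."""


class DuplicateEntry(Exception):
    """An entry with this primary key already exists."""


class Param:
    """Minimal stand-in for ipalib Param: name, required, primary_key, flags."""

    def __init__(self, name, required=True, primary_key=False, flags=()):
        self.name = name
        self.required = required
        self.primary_key = primary_key
        self.flags = frozenset(flags)

    def clone(self, **overrides):
        kw = dict(name=self.name, required=self.required,
                  primary_key=self.primary_key, flags=self.flags)
        kw.update(overrides)
        return Param(**kw)


class Create:
    """Stand-in for crud.Create: derives the command's params from the object."""

    def __init__(self, obj_params):
        self.obj_params = list(obj_params)

    @staticmethod
    def _clone(param, **kw):
        # Same rule the patch adds to Create.__clone: a param flagged
        # 'optional_create' is not required on the create command, even
        # though the object declares it required everywhere else.
        if 'optional_create' in param.flags:
            kw['required'] = False
        return param.clone(**kw)

    def get_args(self):
        return [self._clone(p) for p in self.obj_params]

    def primary_key_name(self):
        return next(p.name for p in self.obj_params if p.primary_key)

    def execute(self, store, **kw):
        """Validate, fill a missing primary key server side, and add to `store`."""
        missing = [a.name for a in self.get_args()
                   if a.required and kw.get(a.name) is None]
        if missing:
            raise ValidationError("missing required: " + ", ".join(missing))
        pk = self.primary_key_name()
        if kw.get(pk) is None:
            # The flag only relaxes the check; generating the ID is the
            # plugin's job. uuid4 keeps generated IDs unguessable and
            # collision-free in practice, unlike a counter.
            kw[pk] = str(uuid.uuid4())
        if kw[pk] in store:
            # A caller-chosen ID must never silently overwrite a token.
            raise DuplicateEntry(kw[pk])
        store[kw[pk]] = dict(kw)
        return kw[pk]


# Hypothetical otptoken object: only the ID carries 'optional_create'.
otptoken_add = Create([
    Param('ipatokenuniqueid', primary_key=True, flags=('optional_create',)),
    Param('ipatokenowner', required=True),          # assumed required
    Param('description', required=False),
])


if __name__ == '__main__':
    tokens = {}
    print(otptoken_add.execute(tokens, ipatokenowner='alice'))   # generated UUID
    print(otptoken_add.execute(tokens, ipatokenuniqueid='hw-0001',
                               ipatokenowner='bob'))             # caller-chosen ID
    try:
        otptoken_add.execute(tokens, ipatokenuniqueid='hw-0001',
                             ipatokenowner='carol')
    except DuplicateEntry as e:
        print('rejected duplicate', e)
```

The object still declares the ID required (so update and find commands are unaffected); only the create command's cloned copy is relaxed, which mirrors how the patch scopes the flag to `crud.Create`.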
Re: [Freeipa-devel] DNS views in FreeIPA again
On 10/01/2013 04:45 AM, Petr Spacek wrote:

On 23.9.2013 19:06, Dmitri Pal wrote:

On 09/23/2013 10:25 AM, Petr Spacek wrote:

On 20.9.2013 19:29, Dmitri Pal wrote:

5) Met with James (the blogger) and the community guy who created puppet scripts for IPA. He was trying to convince me that we need to support the use case when IPA is the DNS that provides two different sets of the IPA addresses for the IPA clients running inside the subnet and outside the subnet. I see a clear use case and value. So that gets back to the views. Why do we think views will be a problem in IPA?

In principle - it is technically possible. Just pretty hard.
- It requires re-designing of LDAP schema for DNS.
- It implies that we will have to adapt all parts of FreeIPA and bind-dyndb-ldap which touch the LDAP.
- And also re-design CLI and WebUI, because views add one level of indirection: you will need some tool to see what is in the particular view, move records from one view to another, share records between views, do exceptions etc.
We tried to design schema for views approximately a year ago, but there wasn't a clear agreement on that.

Hm. OK. That means that we are probably over complicating things. Do you have a pointer to design?

It has been more 'discussion' without clear outcome than real design:
https://www.redhat.com/archives/freeipa-users/2012-April/msg00070.html
https://www.redhat.com/archives/freeipa-devel/2012-May/msg00208.html

Let us table the actual design conversation for now but when we start 3.5 planning I want to take a closer look.

We should move the discussion to freeipa-devel at this point ... I have spent some time thinking about DNS views and I think that we should design support for DNS views as soon as possible. Opening up the discussion.

This is FreeIPA general stuff: I think that the idea of different internal and external views is not specific to DNS. Other things that might be different between internal and external:

Kerberos might only want to let a subset of users get tickets from outside the VPN, and only provide service tickets for services in the DMZ
You might want to run a Kerberos KDC proxy outside of the IPA instance
LDAP might be limited to read only when accessed from outside, and only a subset of users, or a subset of the data from other entities would be exposed
Dogtag might want to only publish CRL and expose OCSP to the outside world
IPA ui might be limited to self service

Perhaps a better abstraction is an IPA proxy, a server that is an incomplete replica of an IPA server. As such it would get:
1. A subset of the data from the canonical LDAP server
2. Some of that data would be modified, such as the A records marked for external use
3. It will not push updates to the centralized server. It will be configured to not accept updates from the outside world.

Resulting design will significantly influence bind-dyndb-ldap internals and also DNSSEC support. At the moment, the code relies on the assumption that one LDAP object = one DNS name. We have to find out if DNS views will break this assumption as soon as possible. IMHO views will change things significantly, including this 1:1 mapping - which will require major code re-design. I would like to avoid re-designing for DNSSEC and then immediate re-design for DNS views.
Re: [Freeipa-devel] DNS views in FreeIPA again
On 10/04/2013 04:31 PM, Adam Young wrote: [...]

This brings us to the read only replicas. Maybe it is time to think about those more seriously?

-- 
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
---
Looking to carve out IT costs? www.redhat.com/carveoutcosts/