Re: [Freeipa-devel] [PATCH 0153] ipatests: Fix incorrect order of operations when restoring

2014-02-24 Thread Tomas Babej
Given the fact that the patch has been ACKed, can we push the current
iteration?

On 02/20/2014 01:07 PM, Petr Viktorin wrote:
> On 02/20/2014 12:58 PM, Jan Pazdziora wrote:
>> On Thu, Feb 20, 2014 at 12:20:12PM +0100, Petr Viktorin wrote:
>>> On 02/19/2014 04:54 PM, Jan Pazdziora wrote:

>>>> However: since this is about restoring a backup, can't the backup
>>>> contain the extended attributes, so that the SELinux context gets
>>>> restored to the original state (which could be different from what
>>>> the restorecon will give you)?
>>>
>>> Well, I guess you're the Beaker authority here. Is that necessary
>>
>> This is not about Beaker, is it?
>
> It is; all other use cases I know of use disposable or at least
> single-purpose VMs.
>
>> But since you mention it, beakerlib does cp -a upon backup and restore
>>
>> https://git.fedorahosted.org/cgit/beakerlib.git/tree/src/infrastructure.sh#n484
>> https://git.fedorahosted.org/cgit/beakerlib.git/tree/src/infrastructure.sh#n593
>>
>> for files to preserve the SELinux context, plus chcon --reference
>> upon backup for directories:
>>
>> https://git.fedorahosted.org/cgit/beakerlib.git/tree/src/infrastructure.sh#n495
>>
>>> when restoring?
>>> The tests expect a "sane" state, and they return to that; using a
>>> somehow customized machine to test on is a bad idea anyway.
>>
>> You might specifically want to run your test on non-sane state because
>> you want to test that the non-sane state will for example produce
>> correct error, SELinux-related or other.
>
> In that case you're on your own, you should wrap the test in custom
> setup & teardown code.
>
>
> There's no way we can perfectly restore a system after IPA has been
> installed on it, much less if it was an unstable/testing version of
> IPA, so returning to a sane state seems good to me.
>

-- 
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH 0138] ipalib: Expose krbPrincipalExpiration in CLI

2014-02-24 Thread Tomas Babej
Rebased to current master.

On 01/09/2014 04:31 PM, Tomas Babej wrote:
> Hi,
>
> Adds a krbPrincipalExpiration attribute to the user class
> in user.py ipalib plugin as a DateTime parameter.
>
> Part of: https://fedorahosted.org/freeipa/ticket/3306
>

-- 
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org

From bb07e020187a754ae1c2347ad390a8952d139966 Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Thu, 9 Jan 2014 11:26:44 +0100
Subject: [PATCH] ipalib: Expose krbPrincipalExpiration in CLI

Adds a krbPrincipalExpiration attribute to the user class
in user.py ipalib plugin as a DateTime parameter.

Part of: https://fedorahosted.org/freeipa/ticket/3306
---
 API.txt| 9 ++---
 VERSION| 4 ++--
 ipalib/plugins/user.py | 9 +++--
 3 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/API.txt b/API.txt
index 504a60ff31686cfa828c3a8f17debd6dad3bb60d..4ca226897313f7d3411b86b7e2324191376dc31e 100644
--- a/API.txt
+++ b/API.txt
@@ -3788,7 +3788,7 @@ output: Entry('result', , Gettext('A dictionary representing an LDA
 output: Output('summary', (, ), None)
 output: Output('value', , None)
 command: user_add
-args: 1,39,3
+args: 1,40,3
 arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, required=True)
 option: Str('addattr*', cli_name='addattr', exclude='webui')
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
@@ -3805,6 +3805,7 @@ option: Str('ipasshpubkey', attribute=True, cli_name='sshpubkey', csv=True, mult
 option: Str('ipatokenradiusconfiglink', attribute=True, cli_name='radius', multivalue=False, required=False)
 option: Str('ipatokenradiususername', attribute=True, cli_name='radius_username', multivalue=False, required=False)
 option: StrEnum('ipauserauthtype', attribute=True, cli_name='user_auth_type', csv=True, multivalue=True, required=False, values=(u'password', u'radius', u'otp'))
+option: DateTime('krbprincipalexpiration', attribute=True, cli_name='principal_expiration', multivalue=False, required=False)
 option: Str('krbprincipalname', attribute=True, autofill=True, cli_name='principal', multivalue=False, required=False)
 option: Str('l', attribute=True, cli_name='city', multivalue=False, required=False)
 option: Str('loginshell', attribute=True, cli_name='shell', multivalue=False, required=False)
@@ -3855,7 +3856,7 @@ output: Output('result', , None)
 output: Output('summary', (, ), None)
 output: Output('value', , None)
 command: user_find
-args: 1,49,4
+args: 1,50,4
 arg: Str('criteria?', noextrawhitespace=False)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('carlicense', attribute=True, autofill=False, cli_name='carlicense', multivalue=False, query=True, required=False)
@@ -3875,6 +3876,7 @@ option: Str('initials', attribute=True, autofill=False, cli_name='initials', mul
 option: Str('ipatokenradiusconfiglink', attribute=True, autofill=False, cli_name='radius', multivalue=False, query=True, required=False)
 option: Str('ipatokenradiususername', attribute=True, autofill=False, cli_name='radius_username', multivalue=False, query=True, required=False)
 option: StrEnum('ipauserauthtype', attribute=True, autofill=False, cli_name='user_auth_type', csv=True, multivalue=True, query=True, required=False, values=(u'password', u'radius', u'otp'))
+option: DateTime('krbprincipalexpiration', attribute=True, autofill=False, cli_name='principal_expiration', multivalue=False, query=True, required=False)
 option: Str('krbprincipalname', attribute=True, autofill=False, cli_name='principal', multivalue=False, query=True, required=False)
 option: Str('l', attribute=True, autofill=False, cli_name='city', multivalue=False, query=True, required=False)
 option: Str('loginshell', attribute=True, autofill=False, cli_name='shell', multivalue=False, query=True, required=False)
@@ -3911,7 +3913,7 @@ output: ListOfEntries('result', (, ), Gettext('A list
 output: Output('summary', (, ), None)
 output: Output('truncated', , None)
 command: user_mod
-args: 1,40,3
+args: 1,41,3
 arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=True)
 option: Str('addattr*', cli_name='addattr', exclude='webui')
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
@@ -3929,6 +3931,7 @@ option: Str('ipasshpubkey', attribute=True, autofill=False, cli_name='sshpubkey'
 option: Str('ipatokenradiusconfiglink', attribute=True, autofill=False, cli_name='radius', multivalue=False, required=False)
 option: Str('ipatokenradiususername', attribute=True, autofill=False, cli_name='radius_username', multivalue=False, required=False)
 option: StrEnum('ipauserauthtype', attribute=True, autofi

Re: [Freeipa-devel] DNSSEC design page

2014-02-24 Thread Simo Sorce
On Mon, 2014-02-24 at 13:11 +0100, Ludwig Krispenz wrote:
> Hi,
> 
> here is a draft to start discussion. Let me know if it is the right 
> direction and what you're missing.
> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/pkcs11Schema

I think we need to think hard if you really can make all those
attributes a MUST for the private key, as not all the attributes seem to
apply to all encryption algorithms. We would have to add bogus
attributes in some cases.

Also can you add some examples on how we would use these classes to
store DNS keys?

Ideally the example would show the LDAP tree and some example data in
detail, and also what operation we think would be common.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



[Freeipa-devel] [PATCH 0044] Periodically refresh global ipa-kdb configuration

2014-02-24 Thread Nathaniel McCallum
Before this patch, ipa-kdb would load global configuration on startup
and never update it. This means that if global configuration is changed,
the KDC never receives the new configuration until it is restarted.

This patch enables caching of the global configuration with a timeout of
60 seconds.

https://fedorahosted.org/freeipa/ticket/4153
From 7daeae56671d7b3049b0341aad66c96877431bbe Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum 
Date: Mon, 24 Feb 2014 14:19:13 -0500
Subject: [PATCH] Periodically refresh global ipa-kdb configuration

Before this patch, ipa-kdb would load global configuration on startup and
never update it. This means that if global configuration is changed, the
KDC never receives the new configuration until it is restarted.

This patch enables caching of the global configuration with a timeout of
60 seconds.

https://fedorahosted.org/freeipa/ticket/4153
---
 daemons/ipa-kdb/ipa_kdb.c| 65 +---
 daemons/ipa-kdb/ipa_kdb.h| 17 +++---
 daemons/ipa-kdb/ipa_kdb_audit_as.c   |  4 +--
 daemons/ipa-kdb/ipa_kdb_mspac.c  |  7 ++--
 daemons/ipa-kdb/ipa_kdb_principals.c |  6 ++--
 5 files changed, 62 insertions(+), 37 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index 0f3996cdfa35374c005bc1ed174dea0816a27747..1b55735f1118ccbba2fc5d810c0171724634f9ad 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -25,6 +25,8 @@
 
 #include "ipa_kdb.h"
 
+#define IPADB_GLOBAL_CONFIG_CACHE_TIME 60
+
 struct ipadb_context *ipadb_get_context(krb5_context kcontext)
 {
 void *db_ctx;
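Review bot: `IPADB_GLOBAL_CONFIG_CACHE_TIME 60` is later compared against `time(NULL)` stamps, so its unit is seconds; a trailing `/* seconds */` comment on the define would make that explicit without a trip to the commit message.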
@@ -41,6 +43,7 @@ struct ipadb_context *ipadb_get_context(krb5_context kcontext)
 static void ipadb_context_free(krb5_context kcontext,
struct ipadb_context **ctx)
 {
+struct ipadb_global_config *cfg;
 size_t c;
 
 if (*ctx != NULL) {
@@ -56,10 +59,11 @@ static void ipadb_context_free(krb5_context kcontext,
 ipadb_mspac_struct_free(&(*ctx)->mspac);
 krb5_free_default_realm(kcontext, (*ctx)->realm);
 
-for (c = 0; (*ctx)->authz_data && (*ctx)->authz_data[c]; c++) {
-free((*ctx)->authz_data[c]);
+cfg = &(*ctx)->config;
+for (c = 0; cfg->authz_data && cfg->authz_data[c]; c++) {
+free(cfg->authz_data[c]);
 }
-free((*ctx)->authz_data);
+free(cfg->authz_data);
 
 free(*ctx);
 *ctx = NULL;
@@ -209,7 +213,7 @@ void ipadb_parse_user_auth(LDAP *lcontext, LDAPMessage *le,
 ldap_value_free_len(vals);
 }
 
-int ipadb_get_global_configs(struct ipadb_context *ipactx)
+static int ipadb_load_global_config(struct ipadb_context *ipactx)
 {
 char *attrs[] = { "ipaConfigString", IPA_KRB_AUTHZ_DATA_ATTR,
   IPA_USER_AUTH_TYPE, NULL };
@@ -241,45 +245,40 @@ int ipadb_get_global_configs(struct ipadb_context *ipactx)
 }
 
 /* Check for permitted authentication types. */
-ipadb_parse_user_auth(ipactx->lcontext, res, &ipactx->user_auth);
+ipadb_parse_user_auth(ipactx->lcontext, res, &ipactx->config.user_auth);
 
-vals = ldap_get_values_len(ipactx->lcontext, first,
-   "ipaConfigString");
-if (!vals || !vals[0]) {
-/* no config, set nothing */
-ret = 0;
-goto done;
-}
-
-for (i = 0; vals[i]; i++) {
+/* Load config strings. */
+vals = ldap_get_values_len(ipactx->lcontext, first, "ipaConfigString");
+for (i = 0; vals && vals[i]; i++) {
 if (strncasecmp("KDC:Disable Last Success",
 vals[i]->bv_val, vals[i]->bv_len) == 0) {
-ipactx->disable_last_success = true;
+ipactx->config.disable_last_success = true;
 continue;
 }
+
 if (strncasecmp("KDC:Disable Lockout",
 vals[i]->bv_val, vals[i]->bv_len) == 0) {
-ipactx->disable_lockout = true;
+ipactx->config.disable_lockout = true;
 continue;
 }
 }
 
+	/* Load authz data. */
 ret = ipadb_ldap_attr_to_strlist(ipactx->lcontext, first,
  IPA_KRB_AUTHZ_DATA_ATTR, &authz_data_list);
-if (ret != 0 && ret != ENOENT) {
-goto done;
-}
 if (ret == 0) {
-if (ipactx->authz_data != NULL) {
-for (i = 0; ipactx->authz_data[i]; i++) {
-free(ipactx->authz_data[i]);
-}
-free(ipactx->authz_data);
+if (ipactx->config.authz_data != NULL) {
+for (i = 0; ipactx->config.authz_data[i]; i++)
+free(ipactx->config.authz_data[i]);
+free(ipactx->config.authz_data);
 }
 
-ipactx->authz_data = authz_data_list;
-}
+ipactx->config.authz_data = authz_data_list;
+} else if (ret != ENOENT)
+goto done;
 
+/* Success! */
+ipactx->config.last_update = time(NULL);
 ret = 0;
 
 done:
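Review bot: the reload never clears `disable_last_success` and `disable_lockout`. `ipadb_load_global_config()` now runs periodically against the same `ipactx->config`, but the `vals` loop only ever sets the two flags to `true`, so once `KDC:Disable Lockout` has been seen it stays in effect after the ipaConfigString is removed from LDAP, until the KDC is restarted, which is the behaviour the patch sets out to fix. Reset both flags before the loop (or parse into a local struct that is copied over only on success, so a failed reload keeps the previous values consistent). Two style points in the same hunk: `} else if (ret != ENOENT)` followed by an unbraced `goto done;` departs from the braced style of the surrounding code, and the `/* Load authz data. */` line is indented with a tab where the rest of the file uses spaces.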
@@ -289,6 +288,18 @@ do
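The refresh-on-read behaviour the patch describes, as an added example that is not ipa-kdb code: a Python sketch with an injectable clock and a callable standing in for the ipaConfigString values read from LDAP (both constructed for this example), showing the 60-second timeout, a removed config string taking effect on the next reload, and a failed reload keeping the previously loaded configuration. The class and function names are this example's own.

```python
import time

GLOBAL_CONFIG_CACHE_TIME = 60   # seconds, the timeout the patch introduces


class ConfigSourceError(Exception):
    """Raised by the source when the configuration cannot be fetched."""


class GlobalConfig:
    """Cached global KDC configuration.

    `source` is a callable returning the current list of config strings
    (a stand-in for the ipaConfigString values read from LDAP); `clock`
    returns the current time in seconds and is injectable for testing.
    """

    def __init__(self, source, clock=time.time):
        self._source = source
        self._clock = clock
        self.disable_last_success = False
        self.disable_lockout = False
        self.last_update = None     # None means "never loaded"
        self.loads = 0              # number of successful loads, for inspection

    def _load(self):
        strings = self._source()    # may raise ConfigSourceError
        # Parse into fresh defaults so a string that was *removed* since the
        # previous load stops taking effect instead of sticking until restart.
        disable_last_success = False
        disable_lockout = False
        for s in strings:
            if s.lower() == "kdc:disable last success":
                disable_last_success = True
            elif s.lower() == "kdc:disable lockout":
                disable_lockout = True
        # Commit only after the whole load succeeded.
        self.disable_last_success = disable_last_success
        self.disable_lockout = disable_lockout
        self.last_update = self._clock()
        self.loads += 1

    def get(self):
        """Return the configuration, reloading it when the cache is stale."""
        now = self._clock()
        stale = (self.last_update is None
                 or now - self.last_update >= GLOBAL_CONFIG_CACHE_TIME)
        if stale:
            try:
                self._load()
            except ConfigSourceError:
                if self.last_update is None:
                    raise           # nothing cached yet: the caller must fail
                # Otherwise keep serving the previous configuration; the next
                # call past the timeout retries the load.
        return self


class FakeClock:
    """Manually advanced clock so the scenario below is deterministic."""

    def __init__(self, now):
        self.now = now

    def __call__(self):
        return self.now


def scenario():
    """Walk the cache through a config change, a cached read, a refresh and
    a failed refresh; returns (disable_lockout, disable_last_success, loads)
    after each read."""
    strings = ["KDC:Disable Lockout"]          # constructed LDAP contents
    state = {"fail": False}

    def source():
        if state["fail"]:
            raise ConfigSourceError("constructed LDAP outage")
        return list(strings)

    clock = FakeClock(1000)
    cfg = GlobalConfig(source, clock)
    observed = []

    def read():
        c = cfg.get()
        observed.append((c.disable_lockout, c.disable_last_success, c.loads))

    read()                          # first read loads: lockout disabled
    del strings[:]                  # admin removes the string in LDAP
    clock.now = 1030
    read()                          # 30 s later: still served from cache
    clock.now = 1060
    read()                          # timeout reached: reload clears the flag
    state["fail"] = True
    clock.now = 1120
    read()                          # reload fails: previous config kept
    state["fail"] = False
    strings.append("KDC:Disable Last Success")
    clock.now = 1121
    read()                          # retry succeeds: new string picked up
    return observed


if __name__ == "__main__":
    for row in scenario():
        print(row)
```

The point of parsing into fresh defaults is visible in the third read: the flag that was set on the first load is cleared as soon as the cache expires, which is what an administrator removing the string from LDAP expects.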

Re: [Freeipa-devel] [PATCH 0228] Drop unnecessary #define _BSD_SOURCE

2014-02-24 Thread Lukas Slebodnik
On (24/02/14 16:48), Petr Spacek wrote:
>Hello,
>
>Drop unnecessary #define _BSD_SOURCE.
>
>-- 
>Petr^2 Spacek

>From 1b5105e3ab92f2a898313da5f7e20e6f3e9d1d2a Mon Sep 17 00:00:00 2001
>From: Petr Spacek 
>Date: Mon, 24 Feb 2014 16:48:09 +0100
>Subject: [PATCH] Drop unnecessary #define _BSD_SOURCE.
>
>Signed-off-by: Petr Spacek 
>---
> src/krb5_helper.c | 2 --
> 1 file changed, 2 deletions(-)
>
>diff --git a/src/krb5_helper.c b/src/krb5_helper.c
>index 
>d1787209483f2ae49b480492290ff5d4bafc677c..71f4fff9fec551abbd81e25c59de80d2ded0dfc6
> 100644
>--- a/src/krb5_helper.c
>+++ b/src/krb5_helper.c
>@@ -15,8 +15,6 @@
>  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
>  */
> 
>-#define _BSD_SOURCE
>-
> #include 
> #include 
> #include 
>-- 
>1.8.5.3
>

Simo is the author (according to git blame).
He defined this macro because of the function setenv.

from man setenv:
NAME
   setenv - change or add an environment variable

SYNOPSIS
   #include 

   int setenv(const char *name, const char *value, int overwrite);

   int unsetenv(const char *name);

   Feature Test Macro Requirements for glibc (see feature_test_macros(7)):

   setenv(), unsetenv():
   _BSD_SOURCE || _POSIX_C_SOURCE >= 200112L || _XOPEN_SOURCE >= 600


The macros _BSD_SOURCE and _POSIX_C_SOURCE were defined when I included
the header file . I tested only on Fedora 20. It can be used
on the other distributions.

I would rather leave this macro as it is.

If you really want to remove an unused macro, you should look
at another file :-)

ldap_helper.c:3829:0: warning: macro "LDAP_ENTRYCHANGE_ALL" is not used [-Wunused-macros]
 #define LDAP_ENTRYCHANGE_ALL (LDAP_SYNC_CAPI_ADD | LDAP_SYNC_CAPI_DELETE | LDAP_SYNC_CAPI_MODIFY)

LS



[Freeipa-devel] [PATCH 0228] Drop unnecessary #define _BSD_SOURCE

2014-02-24 Thread Petr Spacek

Hello,

Drop unnecessary #define _BSD_SOURCE.

--
Petr^2 Spacek
From 1b5105e3ab92f2a898313da5f7e20e6f3e9d1d2a Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Mon, 24 Feb 2014 16:48:09 +0100
Subject: [PATCH] Drop unnecessary #define _BSD_SOURCE.

Signed-off-by: Petr Spacek 
---
 src/krb5_helper.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/src/krb5_helper.c b/src/krb5_helper.c
index d1787209483f2ae49b480492290ff5d4bafc677c..71f4fff9fec551abbd81e25c59de80d2ded0dfc6 100644
--- a/src/krb5_helper.c
+++ b/src/krb5_helper.c
@@ -15,8 +15,6 @@
  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
  */
 
-#define _BSD_SOURCE
-
 #include 
 #include 
 #include 
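Review bot: dropping `_BSD_SOURCE` leaves no explicit feature-test macro in this file; if krb5_helper.c calls setenv()/unsetenv(), as the reply in this thread points out, their prototypes then depend on whichever `_POSIX_C_SOURCE` value an earlier include happens to define, which differs between libc versions and compiler `-std=` settings. Either define `_POSIX_C_SOURCE 200112L` before the first include, or state in the commit message which macro now guarantees the declaration; "unnecessary" in the subject line should say why.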
-- 
1.8.5.3


Re: [Freeipa-devel] [PATCH] 531-541 OTP UI

2014-02-24 Thread Nathaniel McCallum
On Mon, 2014-02-24 at 15:48 +0100, Petr Vobornik wrote:
> On 24.2.2014 15:31, Nathaniel McCallum wrote:
> > On Mon, 2014-02-24 at 11:04 +0100, Petr Vobornik wrote:
> >> On 21.2.2014 20:00, Nathaniel McCallum wrote:
> >>> Is it possible to do something more intelligent for the key and date
> >>> fields in the add-token UI?
> >>>
> >>> Date fields are currently just a text box. Is there any sort of calendar
> >>> we could use here? If not, I'm still unsure of what the format should be
> >>> for this field.
> >>
> >> It's the format you chose :), try to fill it in CLI, you will have the
> >> same problem. From API level it's just string, from LDAP it's generalized
> >> time.
> >
> > Is there a better option? I'm open to suggestions.
> 
> As I mentioned below, it's being implemented. The datetime patches will 
> be sent separately. The core OTP UI patches should not be blocked by them.
> 
> >
> >> I've a UI patch prepared where you can write it in ISO format, with a
> >> validator attached to it, so the user will be notified about the format, but
> >> it's waiting for:
> >> https://www.redhat.com/archives/freeipa-devel/2014-January/msg00057.html
> >> https://www.redhat.com/archives/freeipa-devel/2014-January/msg00060.html
> >>
> >>>
> >>> The key field should probably have a note indicating that it is Base32
> >>> encoding. It would also be nice to restrict the input to Base32
> >>> characters. Maybe even automatic case correction...
> >>
> >> Actually I think it doesn't help much. Show me a person who can write
> >> a base32 encoded string. But I agree that a validator with some regex
> >> to limit the chars and a note that it should be base32 string is better.
> >> The question is what's the purpose of this field from user perspective.
> >> Is a human being supposed to fill it or is it meant to be only filled by
> >> some provisioning systems? In UI it's just as a backup?
> >>
> >> If there is a use case where user is supposed to choose the key, it would
> >> be better to fill the key and convert it to base32 string on a server.
> >
> > I can't think of any case where a user would use the key field.
> >
> > However, there are at least two important cases where an admin would do
> > this:
> > 1. Hardware tokens
> > 2. Transferring OATH (TOTP/HOTP) tokens from another system
> >
> > Nathaniel
> >
> What is the input format for these two cases? Is it base32 so admin can 
> enter it into UI or is it plain text so he has to use different tool to 
> encode it to base32 and then fill into UI?

In both of the above cases, I suspect the predominant use will be
scripts written to take a token store and import the tokens. This is
mostly a non-UI case.

RFC 6030 uses Base64 for unencrypted tokens. Base32 is also in wide use.
This is largely because, with fewer characters and no case-sensitivity,
Base32 is easier to type. I don't know of any other encodings in wide
use.

It would be nice to support both of them, but I'm not sure how this is
possible. Suggestions are welcome.

Nathaniel



Re: [Freeipa-devel] [PATCH] 531-541 OTP UI

2014-02-24 Thread Petr Vobornik

On 24.2.2014 15:31, Nathaniel McCallum wrote:
> On Mon, 2014-02-24 at 11:04 +0100, Petr Vobornik wrote:
>> On 21.2.2014 20:00, Nathaniel McCallum wrote:
>>> Is it possible to do something more intelligent for the key and date
>>> fields in the add-token UI?
>>>
>>> Date fields are currently just a text box. Is there any sort of calendar
>>> we could use here? If not, I'm still unsure of what the format should be
>>> for this field.
>>
>> It's the format you chose :), try to fill it in CLI, you will have the
>> same problem. From API level it's just string, from LDAP it's generalized
>> time.
>
> Is there a better option? I'm open to suggestions.

As I mentioned below, it's being implemented. The datetime patches will 
be sent separately. The core OTP UI patches should not be blocked by them.

>> I've a UI patch prepared where you can write it in ISO format, with a
>> validator attached to it, so the user will be notified about the format, but
>> it's waiting for:
>> https://www.redhat.com/archives/freeipa-devel/2014-January/msg00057.html
>> https://www.redhat.com/archives/freeipa-devel/2014-January/msg00060.html
>>
>>> The key field should probably have a note indicating that it is Base32
>>> encoding. It would also be nice to restrict the input to Base32
>>> characters. Maybe even automatic case correction...
>>
>> Actually I think it doesn't help much. Show me a person who can write
>> a base32 encoded string. But I agree that a validator with some regex
>> to limit the chars and a note that it should be base32 string is better.
>> The question is what's the purpose of this field from user perspective.
>> Is a human being supposed to fill it or is it meant to be only filled by
>> some provisioning systems? In UI it's just as a backup?
>>
>> If there is a use case where user is supposed to choose the key, it would
>> be better to fill the key and convert it to base32 string on a server.
>
> I can't think of any case where a user would use the key field.
>
> However, there are at least two important cases where an admin would do
> this:
> 1. Hardware tokens
> 2. Transferring OATH (TOTP/HOTP) tokens from another system
>
> Nathaniel

What is the input format for these two cases? Is it base32 so admin can 
enter it into UI or is it plain text so he has to use different tool to 
encode it to base32 and then fill into UI?


--
Petr Vobornik
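Validating the token-key field as discussed in this thread (the Base32 regex validator and case correction above, and the suggestion in Nathaniel's reply earlier on this page to accept Base64 as well), as an added example that is not part of the thread or of the FreeIPA web UI or ipalib: the function names, the constructed sample key and the rule that an input valid under both encodings is rejected unless the encoding is stated explicitly are all this example's own choices.

```python
import base64
import binascii
import re

# RFC 4648 alphabets: Base32 is upper case only and has no 0/1/8/9, so any
# lower-case letter, 0/1/8/9, '+' or '/' rules Base32 out immediately.
BASE32_RE = re.compile(r"^[A-Z2-7]+$")
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+$")


def normalize_base32(text):
    """The 'automatic case correction' from the thread: drop whitespace,
    hyphens and padding (as printed on token sheets), then upper-case."""
    return re.sub(r"[\s=-]", "", text).upper()


def decode_base32(text):
    s = normalize_base32(text)
    if not BASE32_RE.match(s):
        raise ValueError("not a Base32 string")
    s += "=" * (-len(s) % 8)            # restore the padding the user dropped
    try:
        return base64.b32decode(s)
    except binascii.Error as e:
        raise ValueError("malformed Base32: %s" % e)


def decode_base64(text):
    s = re.sub(r"\s", "", text).rstrip("=")
    if not BASE64_RE.match(s):
        raise ValueError("not a Base64 string")
    s += "=" * (-len(s) % 4)
    try:
        return base64.b64decode(s, validate=True)
    except binascii.Error as e:
        raise ValueError("malformed Base64: %s" % e)


DECODERS = {"base32": decode_base32, "base64": decode_base64}


def detect_encodings(text):
    """Return the set of encodings under which the input is well-formed.
    Two entries means the input is ambiguous: every all-upper-case Base32
    string of suitable length is also syntactically valid Base64."""
    found = set()
    for name, decode in DECODERS.items():
        try:
            decode(text)
            found.add(name)
        except ValueError:
            pass
    return found


def decode_otp_key(text, encoding=None):
    """Decode a token key. With an explicit encoding ('base32' or 'base64')
    that decoder is used; otherwise the input is accepted only when exactly
    one encoding parses it, so an ambiguous key is never silently guessed."""
    if encoding is not None:
        return DECODERS[encoding](text)
    candidates = detect_encodings(text)
    if len(candidates) == 1:
        return DECODERS[candidates.pop()](text)
    if not candidates:
        raise ValueError("key is neither valid Base32 nor valid Base64")
    raise ValueError("key is valid as both Base32 and Base64; "
                     "the encoding must be given explicitly")


if __name__ == "__main__":
    # Constructed sample key (the 10 bytes b"Hello!\xde\xad\xbe\xef"),
    # not a real token secret, in both encodings.
    print(decode_otp_key("JBSWY3DPEHPK3PXP", "base32"))
    print(decode_otp_key("SGVsbG8h3q2+7w=="))
    print(detect_encodings("JBSWY3DPEHPK3PXP"))
```

The sample shows why "support both" is not free: a typical Base32 key such as JBSWY3DPEHPK3PXP is also a syntactically valid Base64 string of a different length, so a form that accepts both needs an explicit encoding selector (or a fixed policy) rather than auto-detection; Base64 keys are only unambiguous when they contain characters outside the Base32 alphabet.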



[Freeipa-devel] Announcing bind-dyndb-ldap version 4.1

2014-02-24 Thread Petr Spacek

The FreeIPA team is proud to announce bind-dyndb-ldap version 4.1.

It can be downloaded from https://fedorahosted.org/released/bind-dyndb-ldap/

The new version has also been built for Fedora 20 and is on its way to 
updates-testing:

https://admin.fedoraproject.org/updates/bind-dyndb-ldap-4.1-1.fc20

This release *requires an LDAP server with support for RFC 4533* (aka 
SyncRepl) and contains other significant changes.


Please read all the following text! :-)


== Changes in 4.0 and 4.1 ==
[1] Persistent search and zone refresh were replaced by RFC 4533 (SyncRepl).
Options zone_refresh, cache_ttl and psearch were removed.
LDAP attributes idnsZoneRefresh and idnsPersistentSearch were removed.
https://fedorahosted.org/bind-dyndb-ldap/ticket/120

[2] Internal database was re-factored and replaced by RBT DB from BIND 9.
As a result, read-query performance is nearly the same as with plain BIND.
Wildcard records are supported and queries for non-existing records
do not impose additional load on LDAP server.
https://fedorahosted.org/bind-dyndb-ldap/ticket/95
https://fedorahosted.org/bind-dyndb-ldap/ticket/6

[3] Plug-in creates a journal file for each DNS zone in LDAP. This allows us
to support IXFR. Working directory has to be writable by named,
please see README - configuration option "directory".
https://fedorahosted.org/bind-dyndb-ldap/ticket/64

[4] SOA serial auto-increment feature is now mandatory. The plugin has to have
write access to LDAP.
(Proper SOA serial maintenance is required for journaling.)

[5] Data are not served to clients until initial synchronization with LDAP
is finished. All queries are answered with NXDOMAIN during synchronization.

[6] Crash caused by invalid SOA record was fixed.

[7] Empty instance names (specified by "dynamic-db" directive) were disallowed.

[8] Typo in LDAP schema was fixed.
https://fedorahosted.org/bind-dyndb-ldap/ticket/121

[9] Minor bugs in error handling found by static code analyzers were fixed.

Known problems and limitations
[1] LDAP MODRDN (rename) is not supported at the moment.

[2] Zones enabled at run-time are not loaded properly.
You have to restart BIND after changing idnsZoneActive attribute to TRUE.

[3] Zones and records deleted when connection to LDAP is down are not
refreshed properly after re-connection.
You have to restart BIND to restore consistency.


== Upgrading ==
A server can be upgraded by installing updated RPM. BIND has to be restarted 
manually after the RPM installation.


*Make sure that BIND can write to working directory as described in README* 
before you restart BIND.


You will need to clean up configuration file /etc/named.conf if your 
configuration contains typos or other unsupported options.


Downgrading back to any 3.x version is supported as long as record types not 
supported by old version are not utilized.



== Feedback ==
Please provide comments, report bugs and send any other feedback via the 
freeipa-users mailing list:

http://www.redhat.com/mailman/listinfo/freeipa-users

--
Petr Spacek
Software engineer
Red Hat



Re: [Freeipa-devel] [PATCH] 531-541 OTP UI

2014-02-24 Thread Nathaniel McCallum
On Mon, 2014-02-24 at 11:04 +0100, Petr Vobornik wrote:
> On 21.2.2014 20:00, Nathaniel McCallum wrote:
> > Is it possible to do something more intelligent for the key and date
> > fields in the add-token UI?
> >
> > Date fields are currently just a text box. Is there any sort of calendar
> > we could use here? If not, I'm still unsure of what the format should be
> > for this field.
> 
> It's the format you chose :), try to fill it in CLI, you will have the 
> same problem. From API level it's just string, from LDAP it's generalized 
> time.

Is there a better option? I'm open to suggestions.

> I've a UI patch prepared where you can write it in ISO format, with a 
> validator attached to it, so the user will be notified about the format, but 
> it's waiting for:
> https://www.redhat.com/archives/freeipa-devel/2014-January/msg00057.html
> https://www.redhat.com/archives/freeipa-devel/2014-January/msg00060.html
> 
> >
> > The key field should probably have a note indicating that it is Base32
> > encoding. It would also be nice to restrict the input to Base32
> > characters. Maybe even automatic case correction...
> 
> Actually I think it doesn't help much. Show me a person who can write 
> a base32 encoded string. But I agree that a validator with some regex 
> to limit the chars and a note that it should be base32 string is better. 
> The question is what's the purpose of this field from user perspective. 
> Is a human being supposed to fill it or is it meant to be only filled by 
> some provisioning systems? In UI it's just as a backup?
> 
> If there is a use case where user is supposed to choose the key, it would 
> be better to fill the key and convert it to base32 string on a server.

I can't think of any case where a user would use the key field.

However, there are at least two important cases where an admin would do
this:
1. Hardware tokens
2. Transferring OATH (TOTP/HOTP) tokens from another system

Nathaniel



[Freeipa-devel] [PATCH 0154] man: sshd should be run at least once before client

2014-02-24 Thread Tomas Babej
Hi,

If SSH keys have not been generated prior to enrolling the client to the
IPA server, they will not be uploaded to the server, since they're not
present. Clarify this issue in the man pages.

https://fedorahosted.org/freeipa/ticket/4055

-- 
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org


From 62f3e481845c4cef40f5c53136d91982977db791 Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Wed, 27 Nov 2013 09:49:32 +0100
Subject: [PATCH] man: sshd should be run at least once before client
 enrollment

If SSH keys have not been generated prior to enrolling the client to the
IPA server, they will not be uploaded to the server, since they're not
present. Clarify this issue in the man pages.

https://fedorahosted.org/freeipa/ticket/4055
---
 ipa-client/man/ipa-client-install.1 | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/ipa-client/man/ipa-client-install.1 b/ipa-client/man/ipa-client-install.1
index 51a276202ac28b630d928e70dd658fad929b8d2b..44c4a5fe1c654a7ede45bc5042d6990cf715d1d7 100644
--- a/ipa-client/man/ipa-client-install.1
+++ b/ipa-client/man/ipa-client-install.1
@@ -30,6 +30,9 @@ An authorized user is required to join a client machine to IPA. This can take th
 
 This same tool is used to unconfigure IPA and attempts to return the machine to its previous state. Part of this process is to unenroll the host from the IPA server. Unenrollment consists of disabling the prinicipal key on the IPA server so that it may be re\-enrolled. The machine principal in /etc/krb5.keytab (host/@REALM) is used to authenticate to the IPA server to unenroll itself. If this principal does not exist then unenrollment will fail and an administrator will need to disable the host principal (ipa host\-disable ).
 
+.SS "Assumptions"
+The ipa\-client\-install script assumes that the machine has already generated SSH keys. It will not generate SSH keys on its own accord. If SSH keys are not present (e.g when running the ipa-client-install in a kickstart, before ever running sshd), they will not be uploaded to the client host entry on the server.
+
 .SS "Hostname Requirements"
 Client must use a \fBstatic hostname\fR. If the machine hostname changes for example due to a dynamic hostname assignment by a DHCP server, client enrollment to IPA server breaks and user then would not be able to perform Kerberos authentication.
 
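Review bot: the new "Assumptions" paragraph leaves `ipa-client-install` unescaped, while the rest of this file writes it as `ipa\-client\-install` (compare `re\-enrolled` and `host\-disable` in the context lines above), so the hyphens will render differently; `e.g` is also missing its final period. Since the subject line says sshd should be run once before enrollment, the paragraph could close by telling the reader that starting sshd once (so that the host keys are generated) before running the installer avoids the problem, rather than only describing the consequence.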
-- 
1.8.5.3


Re: [Freeipa-devel] [PATCH] 240 Always use real entry DNs for memberOf in ldap2

2014-02-24 Thread Petr Viktorin

On 02/24/2014 10:18 AM, Jan Cholasta wrote:

Hi,

the attached patch fixes .

Honza


Thanks, ACK, pushed to master: 792c3f9c8c65e24953241247a242490c8fb32492


--
Petr³



[Freeipa-devel] [PATCH 0226-0227] Update NEWS & Bump NVR to 4.1

2014-02-24 Thread Petr Spacek

Hello,

Update NEWS for upcoming 4.1 release & Bump NVR to 4.1.

Pushed to master:
da67bf43d89886dd2cce9f1fd3f75ce44c3ab9ed
2dec00224214045d7f00d901fb107b789c8c082d

--
Petr^2 Spacek
From da67bf43d89886dd2cce9f1fd3f75ce44c3ab9ed Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Mon, 24 Feb 2014 13:46:37 +0100
Subject: [PATCH] Update NEWS for upcoming 4.1 release.

Signed-off-by: Petr Spacek 
---
 NEWS | 4 
 1 file changed, 4 insertions(+)

diff --git a/NEWS b/NEWS
index 67c5f8be4069c8a3b153491a9557f29b7b13972d..d997df58dca5b77d84c0fafa2757cf49e15f7d65 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,7 @@
+4.1
+
+[1] Fix few minor bugs in error handling found by static code analyzers.
+
 4.0
 
 [1] Persistent search and zone refresh were replaced by RFC 4533 (SyncRepl).
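Review bot: "Fix few minor bugs" should read "Fix a few minor bugs" to match the style of the existing entries; the release announcement in this digest also lists the static-analyzer fixes as item [9] of the 4.0/4.1 changes, so wording the NEWS entry identically would keep the two in sync.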
-- 
1.8.5.3

From 2dec00224214045d7f00d901fb107b789c8c082d Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Mon, 24 Feb 2014 13:57:13 +0100
Subject: [PATCH] Bump NVR to 4.1.

Signed-off-by: Petr Spacek 
---
 configure.ac | 2 +-
 contrib/bind-dyndb-ldap.spec | 5 ++---
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/configure.ac b/configure.ac
index afa4ee60152fe2923755411165c80fb77d25132e..91739c03d9d6de2a9c07129ff0d71b024953293b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
 AC_PREREQ([2.59])
-AC_INIT([bind-dyndb-ldap], [4.0], [freeipa-devel@redhat.com])
+AC_INIT([bind-dyndb-ldap], [4.1], [freeipa-devel@redhat.com])
 
 AM_INIT_AUTOMAKE([-Wall foreign dist-bzip2])
 
diff --git a/contrib/bind-dyndb-ldap.spec b/contrib/bind-dyndb-ldap.spec
index 396be0708645a2f9355120166cd2e2795b4fdf26..b345b1b5cb6cad99cf2f1c4df7d9f1e2b144548d 100644
--- a/contrib/bind-dyndb-ldap.spec
+++ b/contrib/bind-dyndb-ldap.spec
@@ -1,7 +1,7 @@
 %define VERSION %{version}
 
 Name:   bind-dyndb-ldap
-Version:4.0
+Version:4.1
 Release:0%{?dist}
 Summary:LDAP back-end plug-in for BIND
 
@@ -49,8 +49,7 @@ rm -rf %{buildroot}
 %files
 %defattr(-,root,root,-)
 %doc NEWS README COPYING doc/{example.ldif,schema}
-%dir %{_localstatedir}/named/dyndb-ldap
-%attr(770, root, named) %{_localstatedir}/named/dyndb-ldap
+%dir %attr(770, root, named) %{_localstatedir}/named/dyndb-ldap
 %{_libdir}/bind/ldap.so
 
 
-- 
1.8.5.3


Re: [Freeipa-devel] [PATCH][bind-dyndb-ldap] Fix potential dereference of NULL pointer in sync_ctx_init

2014-02-24 Thread Petr Spacek

On 21.2.2014 19:35, Lukas Slebodnik wrote:

On (13/12/13 17:44), Petr Spacek wrote:

On 12.11.2013 16:13, Petr Spacek wrote:

On 5.11.2013 12:29, Tomas Hozza wrote:

- Original Message -

Hello,

Improve performance of initial LDAP synchronization.

Changes are not journaled and SOA serial is not incremented during initial
LDAP synchronization.

This eliminates unnecessary synchronous writes to journal and also
unnecessary SOA serial writes to LDAP.

See commit messages and comments in syncrepl.c for all the gory details.



ACK.

Patches look good. AXFR and IXFR work as expected. Also BIND starts up much
faster with these patches. Good job... :)

Regards,

Tomas


Hmm, further testing revealed that patch 203 changed the behavior a little bit:
Zones were loaded from LDAP correctly, but the SOA serial wasn't changed at
all. As a result, zone transfers return inconsistent results if the data in
LDAP are changed when BIND was not running.

Patch 203-v2 imitates the old behavior from bind-dyndb-ldap 3.x: Zone serial
is bumped *once* for each zone, so any change in LDAP will be transferred
correctly (with new serial).


Patch 202 v2 was rebased and fixes reconnection to LDAP and solves
deadlock caused by too eager locking.

Patch 203 v3 was rebased and fixes reconnection to LDAP.

These patches should go to master branch.

--
Petr^2 Spacek



When I was testing the upcoming bind-dyndb-ldap 4.0 release,
there was an interesting warning from the clang static analyser.
I thought it was a false positive, but it isn't.

Patch is attached



From b73e345393d55fe411875d52e6fe4c98e1de8c04 Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Mon, 9 Dec 2013 11:11:10 +0100
Subject: [PATCH] Detect end of initial LDAP synchronization phase.

LDAP intermediate message with refreshDone = TRUE is translated to
sync_barrier_wait() call. This call sends 'barrier event' to all tasks
involved in syncrepl event processing. The call will return when all tasks
have processed all events enqueued before the call.

Effectively, all events produced by initial LDAP synchronization
are processed first. Current state of synchronization is available via
sync_state_get() call.

See comments in syncrepl.c for all the gory details.

Signed-off-by: Petr Spacek 
---
src/Makefile.am   |   2 +
src/ldap_helper.c |  67 +--
src/ldap_helper.h |   2 +
src/syncrepl.c| 351 ++
src/syncrepl.h|  63 ++
5 files changed, 473 insertions(+), 12 deletions(-)
create mode 100644 src/syncrepl.c
create mode 100644 src/syncrepl.h






+/**
+ * Initialize synchronization context.
+ *
+ * @param[in]  taskTask used for first synchronization events.
+ * Typically the ldap_inst->task.
+ * @param[out] sctxp   The new synchronization context.
+ *
+ * @post state == sync_init
+ * @post task_cnt == 1
+ * @post tasks list contains the task
+ */
+isc_result_t
+sync_ctx_init(isc_mem_t *mctx, isc_task_t *task, sync_ctx_t **sctxp) {
+   isc_result_t result;
+   sync_ctx_t *sctx = NULL;
+   isc_boolean_t lock_ready = ISC_FALSE;
+   isc_boolean_t cond_ready = ISC_FALSE;
+   isc_boolean_t refcount_ready = ISC_FALSE;
+
+   REQUIRE(sctxp != NULL && *sctxp == NULL);

  ^^
   *sctxp is NULL



+   REQUIRE(ISCAPI_TASK_VALID(task));
+
+   CHECKED_MEM_GET_PTR(mctx, sctx);
+   ZERO_PTR(sctx);
+   isc_mem_attach(mctx, &sctx->mctx);
+
+   CHECK(isc_mutex_init(&sctx->mutex));
+   lock_ready = ISC_TRUE;
+   CHECK(isc_condition_init(&sctx->cond));
+   cond_ready = ISC_TRUE;
+
+   /* refcount includes ldap_inst->task implicitly */
+   CHECK(isc_refcount_init(&sctx->task_cnt, 0));
+   refcount_ready = ISC_TRUE;
+
+   ISC_LIST_INIT(sctx->tasks);
+
+   sctx->state = sync_init;
+   CHECK(sync_task_add(sctx, task));
+
+   *sctxp = sctx;

 ^^
The value of *sctxp is assigned only on this line.


+   return ISC_R_SUCCESS;
+
+cleanup:

*sctxp will be NULL in cleanup section


+   if (lock_ready == ISC_TRUE)
+   isc_mutex_destroy(&(*sctxp)->mutex);

   &(NULL)->mutex
  It does not look like a good idea :-)

+   if (cond_ready == ISC_TRUE)
+   isc_condition_init(&(*sctxp)->cond);
+   if (refcount_ready == ISC_TRUE)
+   isc_refcount_destroy(&(*sctxp)->task_cnt);
+   MEM_PUT_AND_DETACH(*sctxp);
+   return result;
+}
+
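Review bot: besides the NULL dereference of `*sctxp` flagged in the annotations (the cleanup block must operate on the local `sctx`, since `*sctxp` is only assigned on the success path), the same block has a second defect: `isc_condition_init(&(*sctxp)->cond);` re-initializes the condition variable where a destroy was intended, so it should read `isc_condition_destroy(&sctx->cond);`. The `MEM_PUT_AND_DETACH(*sctxp);` line needs the same `sctx` substitution, otherwise the freshly allocated context leaks on every error path.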


LS


ACK. Thank you for discovering this!

Pushed to master: e346fbce099eacb1cd860e0624dcaaea36161169

--
Petr^2 Spacek
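As an added example (not code from bind-dyndb-ldap or from the patch discussed above), here is the init/cleanup shape the review converges on, written in C. Every name here (ctx_init, lock_init, cond_init, task_add, the fault-injection step counter) is a constructed stand-in for the ISC primitives, and the CHECK() macro mirrors the goto-cleanup idiom the patch uses. The output parameter is written only once everything succeeded, so the error path tears down through the local pointer and calls the matching destroy routine for each resource that was actually initialized.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Result codes standing in for isc_result_t values (constructed). */
enum { R_SUCCESS = 0, R_NOMEMORY = 1, R_FAILURE = 2 };

/* Same shape as the project's CHECK(): record the code, jump to cleanup. */
#define CHECK(op)                         \
    do {                                  \
        result = (op);                    \
        if (result != R_SUCCESS)          \
            goto cleanup;                 \
    } while (0)

/* Toy context with two resources that need explicit teardown. */
typedef struct {
    bool lock_ready;
    bool cond_ready;
    int  task_cnt;
} ctx_t;

/* Fault injection for tests: which init step should fail (0 = none). */
static int g_fail_step = 0;
/* Teardown counters so a test can verify each resource is released once. */
static int g_lock_destroyed = 0;
static int g_cond_destroyed = 0;

static int lock_init(ctx_t *c) { if (g_fail_step == 1) return R_FAILURE; c->lock_ready = true; return R_SUCCESS; }
static int cond_init(ctx_t *c) { if (g_fail_step == 2) return R_FAILURE; c->cond_ready = true; return R_SUCCESS; }
static int task_add(ctx_t *c)  { if (g_fail_step == 3) return R_FAILURE; c->task_cnt++;      return R_SUCCESS; }
static void lock_destroy(ctx_t *c) { c->lock_ready = false; g_lock_destroyed++; }
static void cond_destroy(ctx_t *c) { c->cond_ready = false; g_cond_destroyed++; }

/*
 * Allocate and initialize a context. *ctxp is written only on success,
 * so the cleanup path must work on the local `ctx`, never on `*ctxp`
 * (which is still NULL there; that is the bug clang flagged in the thread).
 */
int ctx_init(ctx_t **ctxp) {
    int result = R_FAILURE;
    ctx_t *ctx = NULL;

    if (ctxp == NULL || *ctxp != NULL)   /* mirrors REQUIRE(sctxp && !*sctxp) */
        return R_FAILURE;

    ctx = calloc(1, sizeof(*ctx));
    if (ctx == NULL)
        return R_NOMEMORY;

    CHECK(lock_init(ctx));
    CHECK(cond_init(ctx));
    CHECK(task_add(ctx));

    *ctxp = ctx;            /* publish only after every step succeeded */
    return R_SUCCESS;

cleanup:
    /* Reverse-order teardown via the local pointer, using the matching
     * destroy call for each resource that reached the ready state. */
    if (ctx->cond_ready)
        cond_destroy(ctx);
    if (ctx->lock_ready)
        lock_destroy(ctx);
    free(ctx);
    return result;
}

/* Normal teardown of a successfully initialized context. */
void ctx_destroy(ctx_t **ctxp) {
    ctx_t *ctx = *ctxp;
    if (ctx == NULL)
        return;
    if (ctx->cond_ready) cond_destroy(ctx);
    if (ctx->lock_ready) lock_destroy(ctx);
    free(ctx);
    *ctxp = NULL;
}

/* Test helper: run ctx_init() with a chosen failing step and fresh counters. */
int ctx_init_with_fault(int fail_step, ctx_t **ctxp) {
    g_fail_step = fail_step;
    g_lock_destroyed = 0;
    g_cond_destroyed = 0;
    return ctx_init(ctxp);
}
int lock_destroyed_count(void) { return g_lock_destroyed; }
int cond_destroyed_count(void) { return g_cond_destroyed; }
```

ctx_init_with_fault() lets a unit test drive each failure step in turn and assert that the output pointer stays NULL, that only the resources which were initialized get destroyed, and that they are destroyed exactly once; running such a test under a memory checker also catches the leak a wrong cleanup pointer would cause.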



Re: [Freeipa-devel] [PATCH 0225] Remove unused variables and dead code from syncrepl_update()

2014-02-24 Thread Petr Spacek

On 24.2.2014 13:53, Lukas Slebodnik wrote:

On (24/02/14 13:36), Petr Spacek wrote:

Hello,

Remove unused variables and dead code from syncrepl_update().

--
Petr^2 Spacek



From 0a779d8cbf7a9d63567967600786202a060d7859 Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Mon, 24 Feb 2014 13:35:23 +0100
Subject: [PATCH] Remove unused variables and dead code from syncrepl_update().

Signed-off-by: Petr Spacek 
---
src/ldap_helper.c | 8 +---
1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/src/ldap_helper.c b/src/ldap_helper.c
index 
c81131101648368e209414e7612623fad4405ff3..05951fccbc655aef20177ea4a905159141665800
 100644
--- a/src/ldap_helper.c
+++ b/src/ldap_helper.c
@@ -4274,8 +4274,6 @@ syncrepl_update(ldap_instance_t *inst, ldap_entry_t 
*entry, int chgtype)
dns_name_t zone_name;
dns_zone_t *zone_ptr = NULL;
char *dn = NULL;
-   char *prevdn_ldap = NULL;
-   char *prevdn = NULL;
char *dbname = NULL;
const char *ldap_base = NULL;
isc_boolean_t isbase;
@@ -4385,7 +4383,7 @@ syncrepl_update(ldap_instance_t *inst, ldap_entry_t 
*entry, int chgtype)
pevent->mctx = mctx;
pevent->dbname = dbname;
pevent->dn = dn;
-   pevent->prevdn = prevdn;
+   pevent->prevdn = NULL;
pevent->chgtype = chgtype;
pevent->entry = entry;
isc_task_send(task, (isc_event_t **)&pevent);
@@ -4406,12 +4404,8 @@ cleanup:
isc_mem_free(mctx, dbname);
if (dn != NULL)
isc_mem_free(mctx, dn);
-   if (prevdn != NULL)
-   isc_mem_free(mctx, prevdn);
if (mctx != NULL)
isc_mem_detach(&mctx);
-   if (prevdn_ldap != NULL)
-   ldap_memfree(prevdn);
ldap_entry_destroy(inst->mctx, &entry);
if (task != NULL)
isc_task_detach(&task);
--
1.8.5.3



ACK


Thanks, pushed to master: 84aafe2fdb416ffa243f3b6815e1aad65db45a51

--
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH][bind-dyndb-ldap] Include missing header files.

2014-02-24 Thread Petr Spacek

On 21.2.2014 16:16, Petr Spacek wrote:

On 21.2.2014 15:12, Lukas Slebodnik wrote:

ehlo,

Function get_krb5_tgt is declared in header file krb5_helper.h, but this header
file was not included in implementation file krb5_helper.c

Function fs_dirs_create is declared in header file fs.h, but this header file
was not included in the implementation file fs.c

LS


ACK, thanks.


Pushed to master: eb93b6796619e2a93031dbf60ef00f3c0c88b018

--
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH 0224-0225] Add function attributes warn_unused_result and nonnull and add missing CHECK()s to string operations

2014-02-24 Thread Petr Spacek

On 21.2.2014 19:14, Lukas Slebodnik wrote:

On (21/02/14 16:12), Petr Spacek wrote:

Hello,

Add function attributes warn_unused_result and nonnull
where appropriate and add missing CHECK()s to string operations.

Lukas, thanks for catching the missing CHECK() around str_new().

As a reward, you can review attached patches.

Have fun! :-)

--
Petr^2 Spacek



From 063f776fc083c1fa26419a1ea63df98b9953826f Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Fri, 21 Feb 2014 15:21:36 +0100
Subject: [PATCH] Add missing CHECK()s to string operations.

Signed-off-by: Petr Spacek 
---
src/ldap_helper.c |  4 ++--
src/str.c |  4 ++--
src/str.h | 28 ++--
src/util.h|  2 ++
4 files changed, 20 insertions(+), 18 deletions(-)

diff --git a/src/ldap_helper.c b/src/ldap_helper.c
index 
b0dd3391f4dca88992ac7869b34d943a381d51be..be37ce575c0965856afabcb59c5eba949ad902fd
 100644
--- a/src/ldap_helper.c
+++ b/src/ldap_helper.c
@@ -1772,7 +1772,7 @@ ldap_replace_serial(ldap_instance_t *inst, dns_name_t 
*zone,

REQUIRE(inst != NULL);

-   str_new(inst->mctx, &dn);
+   CHECK(str_new(inst->mctx, &dn));
CHECK(dnsname_to_dn(inst->zone_register, zone, dn));

change.mod_op = LDAP_MOD_REPLACE;
@@ -2405,7 +2405,7 @@ ldap_query(ldap_instance_t *ldap_inst, ldap_connection_t 
*ldap_conn,
CHECK(ldap_pool_getconnection(ldap_inst->pool, &ldap_conn));

va_start(ap, filter);
-   str_vsprintf(ldap_qresult->query_string, filter, ap);
+   CHECK(str_vsprintf(ldap_qresult->query_string, filter, ap));
va_end(ap);

 ^^
va_end has to be called every time.
It would be better to move the check after va_end(ap):
 va_start(ap, filter);
 result = str_vsprintf(ldap_qresult->query_string, filter, ap);
 va_end(ap);
 CHECK(result);




Fixed and pushed to master: 960e00f4dee9a4be82c61a968e7b31aa863638cd


From 50cb2a22cad24463145b8e18582d13fc20dc8011 Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Fri, 21 Feb 2014 15:58:19 +0100
Subject: [PATCH] Add function attributes warn_unused_result and nonnull where
appropriate.

Signed-off-by: Petr Spacek 
---
src/acl.c   |  22 
src/acl.h   |   6 +-
src/fs.h|   4 +-
src/fwd_register.h  |  10 ++--
src/krb5_helper.c   |   2 +-
src/krb5_helper.h   |   2 +-
src/ldap_convert.c  |   8 +--
src/ldap_convert.h  |  10 ++--
src/ldap_entry.c|   2 +-
src/ldap_entry.h|  26 -
src/ldap_helper.c   | 156 ++--
src/ldap_helper.h   |   2 +-
src/rbt_helper.c|   2 +-
src/rbt_helper.h|   4 +-
src/rdlist.c|   4 +-
src/rdlist.h|   8 +--
src/semaphore.h |   4 +-
src/settings.c  |   4 +-
src/settings.h  |  18 +++---
src/syncrepl.c  |   2 +-
src/syncrepl.h  |  14 ++---
src/zone_manager.c  |   4 +-
src/zone_manager.h  |   6 +-
src/zone_register.h |  18 +++---
24 files changed, 169 insertions(+), 169 deletions(-)



Patch works well. I did a small test with a function find_db_instance.


Pushed to master: 7e4323eacb74ad6a5658cc256fc4c347abc01ddc



-   result = find_db_instance(name, &db_inst);
+   find_db_instance(name, &db_inst);

   CC   ldap_la-zone_manager.lo
../src/zone_manager.c:126:2: error: ignoring return value of function declared 
with
   warn_unused_result attribute [-Werror,-Wunused-result]
 find_db_instance(name, &db_inst);
 ^~~~ ~~
1 error generated.

Attribute "__attribute__((warn_unused_result))" is not generated
if the macro __GNUC__ is not defined. (make CFLAGS+="-U__GNUC__")

Some lines are longer than 80 columns, but I am not very familiar with
your coding style. Otherwise 2nd patch looks good.

LS


Thank you very much for your time!

--
Petr^2 Spacek
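An added example (not code from the patches or from bind-dyndb-ldap) that puts both review points from this thread together in C: the attribute macros are emitted only under __GNUC__, which is what Lukas's -U__GNUC__ build demonstrates, and build_query() captures the formatting result, calls va_end() unconditionally and only then CHECK()s it, instead of wrapping the va_list call in CHECK() directly. str_vformat(), build_query() and the R_* codes are constructed stand-ins, not project APIs.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* GCC and clang both define __GNUC__; elsewhere the attributes vanish. */
#if defined(__GNUC__)
#define ATTR_CHECKRESULT __attribute__((warn_unused_result))
#define ATTR_NONNULLS    __attribute__((nonnull))
#else
#define ATTR_CHECKRESULT
#define ATTR_NONNULLS
#endif

/* Result codes standing in for isc_result_t values (constructed). */
enum { R_SUCCESS = 0, R_NOSPACE = 1, R_FAILURE = 2 };

/* goto-cleanup helper in the spirit of the project's CHECK() macro. */
#define CHECK(op)                          \
    do {                                   \
        int _r = (op);                     \
        if (_r != R_SUCCESS) {             \
            result = _r;                   \
            goto cleanup;                  \
        }                                  \
    } while (0)

/* Format into a fixed buffer through a va_list the caller owns. */
static int ATTR_CHECKRESULT
str_vformat(char *buf, size_t size, const char *fmt, va_list ap) {
    int n = vsnprintf(buf, size, fmt, ap);
    if (n < 0)
        return R_FAILURE;
    if ((size_t)n >= size)
        return R_NOSPACE;   /* truncated output is an error, not a silent clip */
    return R_SUCCESS;
}

/*
 * Build an LDAP-style filter string from a format and arguments.
 * va_end() is paired with va_start() on every path: the result is captured
 * first, va_end() runs, and only then does CHECK() decide whether to bail.
 */
int ATTR_CHECKRESULT ATTR_NONNULLS
build_query(char *buf, size_t size, const char *fmt, ...) {
    int result = R_FAILURE;
    va_list ap;

    va_start(ap, fmt);
    result = str_vformat(buf, size, fmt, ap);
    va_end(ap);
    CHECK(result);

    return R_SUCCESS;

cleanup:
    buf[0] = '\0';       /* never hand back a half-written query */
    return result;
}
```

Because build_query() carries warn_unused_result, a caller that drops its return value gets exactly the `-Wunused-result` diagnostic quoted above, so a missing CHECK() becomes a build failure under -Werror rather than a silent truncation.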



Re: [Freeipa-devel] [PATCH 0225] Remove unused variables and dead code from syncrepl_update()

2014-02-24 Thread Lukas Slebodnik
On (24/02/14 13:36), Petr Spacek wrote:
>Hello,
>
>Remove unused variables and dead code from syncrepl_update().
>
>-- 
>Petr^2 Spacek

>From 0a779d8cbf7a9d63567967600786202a060d7859 Mon Sep 17 00:00:00 2001
>From: Petr Spacek 
>Date: Mon, 24 Feb 2014 13:35:23 +0100
>Subject: [PATCH] Remove unused variables and dead code from syncrepl_update().
>
>Signed-off-by: Petr Spacek 
>---
> src/ldap_helper.c | 8 +---
> 1 file changed, 1 insertion(+), 7 deletions(-)
>
>diff --git a/src/ldap_helper.c b/src/ldap_helper.c
>index 
>c81131101648368e209414e7612623fad4405ff3..05951fccbc655aef20177ea4a905159141665800
> 100644
>--- a/src/ldap_helper.c
>+++ b/src/ldap_helper.c
>@@ -4274,8 +4274,6 @@ syncrepl_update(ldap_instance_t *inst, ldap_entry_t 
>*entry, int chgtype)
>   dns_name_t zone_name;
>   dns_zone_t *zone_ptr = NULL;
>   char *dn = NULL;
>-  char *prevdn_ldap = NULL;
>-  char *prevdn = NULL;
>   char *dbname = NULL;
>   const char *ldap_base = NULL;
>   isc_boolean_t isbase;
>@@ -4385,7 +4383,7 @@ syncrepl_update(ldap_instance_t *inst, ldap_entry_t 
>*entry, int chgtype)
>   pevent->mctx = mctx;
>   pevent->dbname = dbname;
>   pevent->dn = dn;
>-  pevent->prevdn = prevdn;
>+  pevent->prevdn = NULL;
>   pevent->chgtype = chgtype;
>   pevent->entry = entry;
>   isc_task_send(task, (isc_event_t **)&pevent);
>@@ -4406,12 +4404,8 @@ cleanup:
>   isc_mem_free(mctx, dbname);
>   if (dn != NULL)
>   isc_mem_free(mctx, dn);
>-  if (prevdn != NULL)
>-  isc_mem_free(mctx, prevdn);
>   if (mctx != NULL)
>   isc_mem_detach(&mctx);
>-  if (prevdn_ldap != NULL)
>-  ldap_memfree(prevdn);
>   ldap_entry_destroy(inst->mctx, &entry);
>   if (task != NULL)
>   isc_task_detach(&task);
>-- 
>1.8.5.3
>

ACK

LS



[Freeipa-devel] [PATCH 0225] Remove unused variables and dead code from syncrepl_update()

2014-02-24 Thread Petr Spacek

Hello,

Remove unused variables and dead code from syncrepl_update().

--
Petr^2 Spacek
From 0a779d8cbf7a9d63567967600786202a060d7859 Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Mon, 24 Feb 2014 13:35:23 +0100
Subject: [PATCH] Remove unused variables and dead code from syncrepl_update().

Signed-off-by: Petr Spacek 
---
 src/ldap_helper.c | 8 +---
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/src/ldap_helper.c b/src/ldap_helper.c
index c81131101648368e209414e7612623fad4405ff3..05951fccbc655aef20177ea4a905159141665800 100644
--- a/src/ldap_helper.c
+++ b/src/ldap_helper.c
@@ -4274,8 +4274,6 @@ syncrepl_update(ldap_instance_t *inst, ldap_entry_t *entry, int chgtype)
 	dns_name_t zone_name;
 	dns_zone_t *zone_ptr = NULL;
 	char *dn = NULL;
-	char *prevdn_ldap = NULL;
-	char *prevdn = NULL;
 	char *dbname = NULL;
 	const char *ldap_base = NULL;
 	isc_boolean_t isbase;
@@ -4385,7 +4383,7 @@ syncrepl_update(ldap_instance_t *inst, ldap_entry_t *entry, int chgtype)
 	pevent->mctx = mctx;
 	pevent->dbname = dbname;
 	pevent->dn = dn;
-	pevent->prevdn = prevdn;
+	pevent->prevdn = NULL;
 	pevent->chgtype = chgtype;
 	pevent->entry = entry;
 	isc_task_send(task, (isc_event_t **)&pevent);
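Review bot: with `pevent->prevdn = NULL;` hard-coded, the event's `prevdn` member is now always NULL from this sender; unless another code path still populates it, the field itself and whatever consumes it on the receiving side are dead as well and should go in a follow-up, so that the struct does not keep state nothing sets.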
@@ -4406,12 +4404,8 @@ cleanup:
 			isc_mem_free(mctx, dbname);
 		if (dn != NULL)
 			isc_mem_free(mctx, dn);
-		if (prevdn != NULL)
-			isc_mem_free(mctx, prevdn);
 		if (mctx != NULL)
 			isc_mem_detach(&mctx);
-		if (prevdn_ldap != NULL)
-			ldap_memfree(prevdn);
 		ldap_entry_destroy(inst->mctx, &entry);
 		if (task != NULL)
 			isc_task_detach(&task);
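Review bot: the removed block was not merely dead but internally inconsistent: it tested `prevdn_ldap != NULL` yet freed `prevdn`, which the `isc_mem_free(mctx, prevdn);` two lines earlier had already released through a different allocator, so had it ever run it would have been a double free with the wrong free routine. Worth a sentence in the commit message, since "dead code" undersells why removing it matters.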
-- 
1.8.5.3


Re: [Freeipa-devel] DNSSEC design page

2014-02-24 Thread Ludwig Krispenz

Hi,

here is a draft to start discussion. Let me know if it is the right 
direction and what you're missing.

https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/pkcs11Schema

Ludwig

On 02/18/2014 03:17 PM, Jan Cholasta wrote:

Hi,

On 18.2.2014 14:02, Ludwig Krispenz wrote:

Hi,

yesterday Jan asked me about the status of the schema and if it would be
ready for certificate storage and that puzzled me a bit and showed that
I still do not really understand what you want to store in LDAP.
To me there are two very different approaches.

1] LDAP as store for high level objects like certs and keys
For certs and related stuff there is rfc4523 and the schema for ldif
exists. For keys we would decide if the key is stored in PKCS#8 format
or as bind keypairs and define a key attribute and that's it. We could
export keys with softhsm, (eventually convert them) and add to ldap; in
the long term solution the PKCS#11 replacement would need to manage these
high level objects


I think RFC 4523 is not the right schema in this case, as it is suited 
for PKIs rather than generic cryptographic data storage. For example, 
RFC 4523 distinguishes between CA and end entity certificates, but in 
PKCS#11 there are just certificates without any semantics attached to 
them.




2] low level replacement for eg the sqlite3 database in softhsm.
That's what I sometimes get the impression what is wanted. SoftHsm has
one component Softdatabase with an API, which more or less passes sets
of attributes (attributes defined by PKCS#11) and then stores it as
records in sql where each record has a keytype and opaque blob of data.
If that is what is wanted the decision would be how fine-grained the pkcs
objects/attribute types would have to be mapped to ldap: one ldap
attribute for each possible attribute type ?


One-to-one mapping of attributes from PKCS#11 to LDAP would be the 
most straightforward way of doing this, but I think we can do some 
optimization for our needs. For example, like you said above, we can 
use a single attribute containing PKCS#8 encoded private key rather 
than using one attribute per private key component.


I don't think we need an LDAP attribute for every possible PKCS#11 
attribute, ATM it would be sufficient to have just these attributes 
necessary to represent private key, public key and certificate objects.


So, I would say it should be something between high-level and low-level.

Honza





Re: [Freeipa-devel] [PATCH] 531-541 OTP UI

2014-02-24 Thread Petr Vobornik

On 21.2.2014 20:00, Nathaniel McCallum wrote:

Is it possible to do something more intelligent for the key and date
fields in the add-token UI?

Date fields are currently just a text box. Is there any sort of calendar
we could use here? If not, I'm still unsure of what the format should be
for this field.


It's the format you chose :), try to fill it in CLI, you will have the 
same problem. From API level it's just a string, from LDAP it's generalized 
time.


I have a UI patch prepared where you can write it in ISO format, with a 
validator attached to it, so the user will be notified about the format, but 
it's waiting for:

https://www.redhat.com/archives/freeipa-devel/2014-January/msg00057.html
https://www.redhat.com/archives/freeipa-devel/2014-January/msg00060.html



The key field should probably have a note indicating that it is Base32
encoding. It would also be nice to restrict the input to Base32
characters. Maybe even automatic case correction...


Actually I think it doesn't help much. Show me a person who can write a 
base32 encoded string. But I agree that a validator with some regex 
to limit the chars and a note that it should be a base32 string is better. 
The question is what's the purpose of this field from the user perspective. 
Is a human being supposed to fill it, or is it meant to be filled only by 
some provisioning systems? In UI it's just a backup?


If there is a use case where the user is supposed to choose the key, it would 
be better to fill in the key and convert it to a base32 string on the server.




Nathaniel

On Fri, 2014-02-21 at 15:24 +0100, Petr Vobornik wrote:

On 10.2.2014 14:12, Petr Vobornik wrote:

On 13.1.2014 17:09, Petr Vobornik wrote:

Hi,

these patches implement the OTP Web UI.

The last 5 patches are the OTP UI.

The first 6 patches are a little refactoring/bug fixes needed for them.
General password dialog is introduced to avoid another implementation.

Self-service UI is implemented to be very simple. Atm the user can choose
only the token name. Admin interface allows entering all values.

It's based on the RCUE work -> we need to push RCUE first. Thanks
Nathaniel for review of the last font package. It will speed things up.

Known bugs:
- there is a clash in ids of checkboxes preventing editing of
subsequently displayed ones with the same name. Will be fixed in a
separate patch.
- bugs caused by bugs in API (adding/removal of own tokens in
self-service, inability to enter key on token creation -
https://fedorahosted.org/freeipa/ticket/4099)
- datetime format (widget+validator) will be implemented in separate
patch
- no support of not reviewed CLI patches (HOTP..)

Cgit:
http://fedorapeople.org/cgit/pvoborni/public_git/freeipa.git/log/?h=otp

https://fedorahosted.org/freeipa/ticket/3369



patch 540-1 has been updated
- QR code is centered
- QR code correction level was lowered from H to M

All other current patches from sub-threads are attached as well (it was
getting hard to keep track of them).



Attaching new version of patch 537: 537-4

It:
* adds HOTP support - new switch in adder dialog and ipatokenhotpcounter
field in details facet
* removes 'default' radio button in adder dialog in ipatokenotpalgorithm
and ipatokenotpdigits field


Btw I've encountered an issue on Web UI login when:
- user is created
- token is created for him
- admin resets user's password and changes auth type to 'otp'
- user tries to login with psw+otp

The initial login-password call is successful but subsequent change
password fails - it uses the old psw+otp.

I'll address this issue in https://fedorahosted.org/freeipa/ticket/3903
which is almost implemented.


I also plan to hide fields without any value in otp token details page
in self-service mode. This will be done after #3903 because some
prerequisites for #3903 add useful code for that task.




--
Petr Vobornik



[Freeipa-devel] [PATCH] 240 Always use real entry DNs for memberOf in ldap2

2014-02-24 Thread Jan Cholasta

Hi,

the attached patch fixes .

Honza

--
Jan Cholasta
From 8fda212b0a14bab2caf3d30faaa63c83b7aa23c5 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Mon, 24 Feb 2014 10:10:27 +0100
Subject: [PATCH] Always use real entry DNs for memberOf in ldap2.

https://fedorahosted.org/freeipa/ticket/4192
---
 ipaserver/plugins/ldap2.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index f6284dc..17bd841 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -258,8 +258,8 @@ class ldap2(LDAPClient, CrudBackend):
 indirect.remove(dn)
 direct.add(dn)
 
+entry['memberof'] = list(direct)
 if indirect:
-entry['memberof'] = list(direct)
 entry['memberofindirect'] = list(indirect)
 
 config_defaults = {'ipasearchtimelimit': [2], 'ipasearchrecordslimit': [0]}
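Review bot: moving `entry['memberof'] = list(direct)` out of the `if indirect:` branch changes behaviour for entries that have no indirect memberships: before, the server-supplied memberOf values were left untouched in that case, now they are always replaced by the normalized direct DNs (and by an empty list when `direct` is empty). That is evidently the intent of the fix, but the commit message should state it, and a test with an entry that has only direct memberships would pin the behaviour down.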
-- 
1.8.5.3
