Re: [Freeipa-devel] [PATCH] 0083 Remove internaldb pasword from password.conf
Also, Dogtag certificate renewal does not work with internaldb removed, I'm working on a patch to fix that.

Dne 1.9.2014 v 18:19 Petr Viktorin napsal(a):
> On 11/06/2013 01:41 PM, Ana Krivokapic wrote:
>> On 11/06/2013 01:34 PM, Ana Krivokapic wrote:
>>> Hello,
>>>
>>> This patch addresses ticket https://fedorahosted.org/freeipa/ticket/4005.
>
> I tried installing a replica with this patch applied to the 4.1 branch, but ipa-ca-install fails with:
>
> 2014-09-01T16:12:58Z DEBUG stderr=pkispawn: ERROR... Exception from Java Configuration Servlet: Failed to obtain configuration entries from the master for cloning org.xml.sax.SAXParseException; Premature end of file.
>
> The pkispawn log ends with:
>
> 2014-09-01 18:12:35 pkispawn: INFO ... configuring 'pki.server.deployment.scriptlets.configuration'
> 2014-09-01 18:12:35 pkispawn: INFO ... mkdir -p /root/.dogtag/pki-tomcat/ca
> 2014-09-01 18:12:35 pkispawn: DEBUG... chmod 755 /root/.dogtag/pki-tomcat/ca
> 2014-09-01 18:12:35 pkispawn: DEBUG... chown 0:0 /root/.dogtag/pki-tomcat/ca
> 2014-09-01 18:12:35 pkispawn: INFO ... generating '/root/.dogtag/pki-tomcat/ca/password.conf'
> 2014-09-01 18:12:35 pkispawn: INFO ... modifying '/root/.dogtag/pki-tomcat/ca/password.conf'
> 2014-09-01 18:12:35 pkispawn: DEBUG... chmod 660 /root/.dogtag/pki-tomcat/ca/password.conf
> 2014-09-01 18:12:35 pkispawn: DEBUG... chown 0:0 /root/.dogtag/pki-tomcat/ca/password.conf
> 2014-09-01 18:12:35 pkispawn: INFO ... generating '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'
> 2014-09-01 18:12:35 pkispawn: INFO ... modifying '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'
> 2014-09-01 18:12:35 pkispawn: DEBUG... chmod 660 /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
> 2014-09-01 18:12:35 pkispawn: DEBUG... chown 498:498 /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
> 2014-09-01 18:12:35 pkispawn: INFO ... executing 'certutil -N -d /tmp/tmp-yRUhk2 -f /root/.dogtag/pki-tomcat/ca/password.conf'
> 2014-09-01 18:12:35 pkispawn: INFO ... executing 'systemctl daemon-reload'
> 2014-09-01 18:12:35 pkispawn: INFO ... executing 'systemctl start pki-tomcatd@pki-tomcat.service'
> 2014-09-01 18:12:35 pkispawn: DEBUG... No connection - server may still be down
> 2014-09-01 18:12:35 pkispawn: DEBUG... No connection - exception thrown: HTTPSConnectionPool(host='vm-234.idm.lab.eng.brq.redhat.com', port=8443): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by <class 'socket.error'>: [Errno 111] Connection refused)
> 2014-09-01 18:12:36 pkispawn: DEBUG... No connection - server may still be down
> 2014-09-01 18:12:36 pkispawn: DEBUG... No connection - exception thrown: HTTPSConnectionPool(host='vm-234.idm.lab.eng.brq.redhat.com', port=8443): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by <class 'socket.error'>: [Errno 111] Connection refused)
> 2014-09-01 18:12:37 pkispawn: DEBUG... No connection - server may still be down
> 2014-09-01 18:12:37 pkispawn: DEBUG... No connection - exception thrown: HTTPSConnectionPool(host='vm-234.idm.lab.eng.brq.redhat.com', port=8443): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by <class 'socket.error'>: [Errno 111] Connection refused)
> 2014-09-01 18:12:38 pkispawn: DEBUG... No connection - server may still be down
> 2014-09-01 18:12:38 pkispawn: DEBUG... No connection - exception thrown: HTTPSConnectionPool(host='vm-234.idm.lab.eng.brq.redhat.com', port=8443): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by <class 'socket.error'>: [Errno 111] Connection refused)
> 2014-09-01 18:12:51 pkispawn: DEBUG... <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><State>0</State><Type>CA</Type><Status>running</Status><Version>10.1.1-1.fc20</Version></XMLResponse>
> 2014-09-01 18:12:52 pkispawn: INFO ... constructing PKI configuration data.
> 2014-09-01 18:12:52 pkispawn: INFO ... configuring PKI configuration data.
> 2014-09-01 18:12:58 pkispawn: ERROR... Exception from Java Configuration Servlet: Failed to obtain configuration entries from the master for cloning org.xml.sax.SAXParseException; Premature end of file.
> 2014-09-01 18:12:58 pkispawn: DEBUG... Error Type: HTTPError
> 2014-09-01 18:12:58 pkispawn: DEBUG... Error Message: 500 Server Error: Internal Server Error
> 2014-09-01 18:12:58 pkispawn: DEBUG...   File "/usr/sbin/pkispawn", line 463, in main
>     rv = instance.spawn(deployer)
>   File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 126, in spawn
>     json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
>   File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 3194, in configure_pki_data
Re: [Freeipa-devel] [PATCH 0118] Allow to disable service (in LDAP)
Hi,

Dne 1.9.2014 v 16:57 Martin Basti napsal(a):
> This patch allows disabling a service in LDAP to prevent the service from being started by ipactl restart
>
> Required by DNSSEC
>
> Patch attached

I don't think the extra argument in ldap_enable is necessary. It should enable the service no matter if the entry existed before or not. Similarly, in ldap_disable you should not raise an error when the entry is not found, because that already makes the service disabled.

Honza

--
Jan Cholasta

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
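To make the two requirements in the review above concrete (enable must work whether or not the entry exists and must not duplicate the value; disable must be a no-op, not an error, when the entry or the value is absent), here is an added example. It is not FreeIPA's code and not the patch under review: it models the cn=masters,cn=ipa,cn=etc,SUFFIX subtree with a plain dict keyed by DN string, and it assumes the attribute layout of the real startup entries (a multi-valued ipaConfigString carrying enabledService and a "startOrder N" value). The suffix, host name and service names below are constructed for the example.

```python
"""Model of the enabled/disabled service semantics discussed above.

Added example, not FreeIPA code. A dict keyed by DN string stands in
for the cn=masters,cn=ipa,cn=etc,SUFFIX subtree that ipactl reads.
Assumed (not taken from the page) attribute layout: a multi-valued
ipaConfigString holding 'enabledService' and 'startOrder N'.
"""

SUFFIX = "dc=example,dc=test"  # constructed suffix for the example


def service_dn(name, fqdn, suffix=SUFFIX):
    """DN of the startup entry for service `name` on master `fqdn`."""
    return "cn=%s,cn=%s,cn=masters,cn=ipa,cn=etc,%s" % (name, fqdn, suffix)


def ldap_enable(directory, name, fqdn, order, suffix=SUFFIX):
    """Mark `name` as started by ipactl on `fqdn`. Idempotent.

    Creates the entry when it does not exist yet; otherwise only adds the
    'enabledService' value if it is missing. Returns the entry.
    """
    dn = service_dn(name, fqdn, suffix)
    entry = directory.setdefault(dn, {
        "objectClass": ["nsContainer", "ipaConfigObject"],
        "cn": [name],
        "ipaConfigString": [],
    })
    values = entry.setdefault("ipaConfigString", [])
    if not any(v.startswith("startOrder ") for v in values):
        values.append("startOrder %d" % order)
    if "enabledService" not in values:
        values.append("enabledService")
    return entry


def ldap_disable(directory, name, fqdn, suffix=SUFFIX):
    """Stop ipactl from starting `name` on `fqdn`. Idempotent.

    A missing entry or a missing 'enabledService' value is not an error:
    both already mean the service is disabled. Returns True only when the
    directory was actually modified.
    """
    entry = directory.get(service_dn(name, fqdn, suffix))
    if entry is None:
        return False
    values = entry.get("ipaConfigString", [])
    if "enabledService" not in values:
        return False
    values.remove("enabledService")
    return True


def enabled_services(directory, fqdn, suffix=SUFFIX):
    """Services ipactl would start on `fqdn`, ordered by startOrder.

    Entries without 'enabledService' are skipped, which is exactly the
    effect ldap_disable relies on. Service names are assumed not to
    contain commas.
    """
    parent = ",cn=%s,cn=masters,cn=ipa,cn=etc,%s" % (fqdn, suffix)
    found = []
    for dn, entry in directory.items():
        if not dn.endswith(parent):
            continue
        values = entry.get("ipaConfigString", [])
        if "enabledService" not in values:
            continue
        name = dn[len("cn="):dn.index(",")]
        order = next((int(v.split(" ", 1)[1]) for v in values
                      if v.startswith("startOrder ")), 0)
        found.append((order, name))
    return [name for _order, name in sorted(found)]


if __name__ == "__main__":
    masters = {}
    host = "ipa.example.test"
    ldap_enable(masters, "KDC", host, 20)
    ldap_enable(masters, "DNS", host, 30)
    ldap_enable(masters, "DNS", host, 30)   # second enable: no duplicate value
    print(enabled_services(masters, host))  # ['KDC', 'DNS']
    ldap_disable(masters, "DNS", host)
    ldap_disable(masters, "DNS", host)      # already disabled: no error
    print(enabled_services(masters, host))  # ['KDC']
```

The point of returning a boolean from ldap_disable rather than raising is that the installer (and the DNSSEC code that motivated the patch) can call it unconditionally during cleanup; the real implementation would replace the dict operations with get_entry/update_entry against the admin connection.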
Re: [Freeipa-devel] [PATCH 0117] Allow to mask and unmask services
Hi,

Dne 1.9.2014 v 16:54 Martin Basti napsal(a):
> This is required by DNSSEC installer
>
> Patch attached

IMO masking/unmasking should be part of disabling/enabling a service in systemd. AFAIK in most other init systems, when you disable a service it has the same effect as masking the service in systemd: it will never be started until it is enabled/unmasked again.

Honza

--
Jan Cholasta

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0001 pwpolicy-add: Added better error handling
There's some trailing whitespace on lines 22 and 29 of the patch, but besides that ACK.

Dne 26.8.2014 v 19:26 Thorsten Scherf napsal(a):
> Thanks Jan. Find the new patch attached.
>
> Cheers,
> Thorsten
>
> On [Tue, 26.08.2014 18:19], Jan Cholasta wrote:
>> Hi,
>>
>> Dne 26.8.2014 v 17:53 Thorsten Scherf napsal(a):
>>> pwpolicy-add: Added better error handling
>>>
>>> Make error message more meaningful when a password policy is added for a non-existing group.
>>>
>>> https://fedorahosted.org/freeipa/ticket/4334
>>
>> thanks for the patch. Instead of raising NotFound manually, please use:
>>
>> self.api.Object.group.handle_not_found(keys[-1])
>>
>> It raises NotFound as well, but automatically creates the error message.
>>
>> Honza
>>
>> --
>> Jan Cholasta
>>
>> ___
>> Freeipa-devel mailing list
>> Freeipa-devel@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel

--
Jan Cholasta

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0010 Add 'host' setting into default.conf configuration file
Dne 27.8.2014 v 16:49 David Kupka napsal(a):
> On 08/27/2014 11:22 AM, Jan Cholasta wrote:
>> Dne 26.8.2014 v 15:55 Rob Crittenden napsal(a):
>>> David Kupka wrote:
>>>> On 08/26/2014 03:08 PM, Jan Cholasta wrote:
>>>>> Hi,
>>>>>
>>>>> Dne 26.8.2014 v 13:01 David Kupka napsal(a):
>>>>>> https://fedorahosted.org/freeipa/ticket/4481
>>>>>
>>>>> Doing this will break ipa-client-automount and ipa-certupdate, because they assume that api.env.host contains the hostname of the local system (which is the default value).
>>>>
>>>> It looked suspiciously simple so I could expect that there is some catch.
>>>>
>>>>> There is obviously some confusion about what the option should represent (documentation says server hostname, code does client hostname), IMO we should resolve that first.
>>>>
>>>> Ok, are there any suggestions? What is the desired state?
>>>
>>> AIUI the server option is deprecated because it wasn't being used, not that it needed to be replaced. I believe that in most cases the server name is pulled from the xmlrpc_uri.
>>
>> Yes, that's what the ticket says: https://fedorahosted.org/freeipa/ticket/3071.
>
> Ok, adding 'host' entry with local host name.
>
>>> host has always meant the local host name. I think the man page is wrong.
>>
>> +1
>
> Fixing the line in man page.
>
>>> rob

ACK as long as this works for Nalin.

--
Jan Cholasta

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0009 Detect and configure all usable IP addresses.
Forgot to add str() conversion in some places when removing map(). Now it should be working again.

On 08/27/2014 02:24 PM, David Kupka wrote:
> Patch modified according to jcholast's personally-delivered feedback:
> 1) use action='append' instead of that ugly parsing
> 2) do not use map(), FreeIPA doesn't like it
>
> On 08/25/2014 05:04 PM, David Kupka wrote:
>> https://fedorahosted.org/freeipa/ticket/3575
>>
>> Also should fix https://bugzilla.redhat.com/show_bug.cgi?id=1128380 as installation is no longer interrupted when multiple IPs are resolved. But it does not add the option to change the IP address during second run.
>>
>> ___
>> Freeipa-devel mailing list
>> Freeipa-devel@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
> ___
> Freeipa-devel mailing list
> Freeipa-devel@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

--
David Kupka

From 8eaea5ada941ac813e22efa076b6989d2dbf6be6 Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Wed, 27 Aug 2014 13:50:21 +0200
Subject: [PATCH] Detect and configure all usable IP addresses.

Find, verify and configure all IP addresses that can be used to reach the server FreeIPA is being installed on. Ignore some IP addresses only if the user specifies a subset of the detected addresses using the --ip-address option.

This change simplifies FreeIPA installation on multihomed and dual-stacked servers.

https://fedorahosted.org/freeipa/ticket/3575
---
 install/tools/ipa-server-install  | 43
 ipaserver/install/bindinstance.py | 46 +++--
 ipaserver/install/installutils.py | 86 +++
 3 files changed, 94 insertions(+), 81 deletions(-)

diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 6e77b434a018faec36a2808626c99a54bd493908..dde7731e5d991f3329efe8232fcd1bce434e280d 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -176,7 +176,7 @@ def parse_options(): on their first login) basic_group.add_option(--hostname, dest=host_name, help=fully qualified name of server) basic_group.add_option(--ip-address, dest=ip_address, - type=ip, ip_local=True, + type=ip, ip_local=True, action=append, default=[], help=Master Server IP Address) basic_group.add_option(-N, --no-ntp, dest=conf_ntp, action=store_false, help=do not configure ntp, default=True) @@ -236,7 +236,8 @@ def parse_options(): type=ip, help=Add a DNS forwarder) dns_group.add_option(--no-forwarders, dest=no_forwarders, action=store_true, default=False, help=Do not add any DNS forwarders, use root servers instead) -dns_group.add_option(--reverse-zone, dest=reverse_zone, help=The reverse DNS zone to use) +dns_group.add_option(--reverse-zone, dest=reverse_zone, help=The reverse DNS zone to use, + action=append, default=[]) dns_group.add_option(--no-reverse, dest=no_reverse, action=store_true, default=False, help=Do not create reverse DNS zone) dns_group.add_option(--zonemgr, action=callback, callback=bindinstance.zonemgr_callback, @@ -832,11 +833,11 @@ def main(): realm_name = host_name = domain_name = -ip_address = +ip_address = [] master_password = dm_password = admin_password = -reverse_zone = None +reverse_zone = [] if not options.setup_dns and not options.unattended: if ipautil.user_input(Do you want to configure integrated DNS (BIND)?, False): @@ -895,11 +896,14 @@ def main(): domain_name = domain_name.lower() -ip = get_server_ip_address(host_name, fstore, options.unattended, options) -ip_address = str(ip) +ip_address = get_server_ip_address(host_name, fstore, options.unattended, options) -if options.reverse_zone and not bindinstance.verify_reverse_zone(options.reverse_zone, ip): -sys.exit(1) +for ip in ip_address: +for rev_zone in reverse_zone: +if bindinstance.verify_reverse_zone(rev_zone, str(ip)): +break +else: +sys.exit(1) if not options.realm_name: realm_name = read_realm_name(domain_name, options.unattended) 
@@ -972,16 +976,23 @@ def main(): dns_forwarders = read_dns_forwarders() if options.reverse_zone: -reverse_zone = bindinstance.normalize_zone(options.reverse_zone) +for rz in options.reverse_zone: +reverse_zone.append(bindinstance.normalize_zone(rz)) elif not options.no_reverse: if options.unattended: -reverse_zone = util.get_reverse_zone_default(ip) +for ip in ip_address: +rz =
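Review bot: the reverse-zone check in the @@ -895 hunk iterates the local `reverse_zone` list, which the @@ -832 hunk initializes to `[]` and which, as far as the visible hunks show, is only filled from `options.reverse_zone` in the @@ -972 hunk further down the function; so at this point `for rev_zone in reverse_zone:` never iterates and its `else: sys.exit(1)` fires for the first detected address on every install. The old code ran the check only when the option was given (`if options.reverse_zone and not bindinstance.verify_reverse_zone(options.reverse_zone, ip)`); keep that guard, iterate `options.reverse_zone` here, and print which address matched none of the zones before calling `sys.exit(1)`, since the bare exit gives the user nothing to act on.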
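Review bot: in the @@ -176 and @@ -236 hunks `--ip-address` and `--reverse-zone` become repeatable (`action=append, default=[]`) but their help strings (`Master Server IP Address`, `The reverse DNS zone to use`) still describe a single value; say that each option may be given more than once. The diffstat lists only ipa-server-install, bindinstance.py and installutils.py, so the man page that documents these options needs a matching update, either here or in a follow-up patch.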
Re: [Freeipa-devel] [PATCH] 0001 pwpolicy-add: Added better error handling
Thanks to both! Pushed to master: a2eab057d4adfaa8da7fee07410e1a33efb7f95d

Martin

On 09/02/2014 09:19 AM, Jan Cholasta wrote:
> There's some trailing whitespace on lines 22 and 29 of the patch, but besides that ACK.
>
> Dne 26.8.2014 v 19:26 Thorsten Scherf napsal(a):
>> Thanks Jan. Find the new patch attached.
>>
>> Cheers,
>> Thorsten
>>
>> On [Tue, 26.08.2014 18:19], Jan Cholasta wrote:
>>> Hi,
>>>
>>> Dne 26.8.2014 v 17:53 Thorsten Scherf napsal(a):
>>>> pwpolicy-add: Added better error handling
>>>>
>>>> Make error message more meaningful when a password policy is added for a non-existing group.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/4334
>>>
>>> thanks for the patch. Instead of raising NotFound manually, please use:
>>>
>>> self.api.Object.group.handle_not_found(keys[-1])
>>>
>>> It raises NotFound as well, but automatically creates the error message.
>>>
>>> Honza
>
> --
> Jan Cholasta
>
> ___
> Freeipa-devel mailing list
> Freeipa-devel@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0083 Remove internaldb pasword from password.conf
Patch attached.

Dne 2.9.2014 v 09:03 Jan Cholasta napsal(a):
> Also, Dogtag certificate renewal does not work with internaldb removed, I'm working on a patch to fix that.
>
> Dne 1.9.2014 v 18:19 Petr Viktorin napsal(a):
>> On 11/06/2013 01:41 PM, Ana Krivokapic wrote:
>>> On 11/06/2013 01:34 PM, Ana Krivokapic wrote:
>>>> Hello,
>>>>
>>>> This patch addresses ticket https://fedorahosted.org/freeipa/ticket/4005.
>>
>> I tried installing a replica with this patch applied to the 4.1 branch, but ipa-ca-install fails with:
>>
>> 2014-09-01T16:12:58Z DEBUG stderr=pkispawn: ERROR... Exception from Java Configuration Servlet: Failed to obtain configuration entries from the master for cloning org.xml.sax.SAXParseException; Premature end of file.
>>
>> The pkispawn log ends with:
>>
>> 2014-09-01 18:12:35 pkispawn: INFO ... configuring 'pki.server.deployment.scriptlets.configuration'
>> 2014-09-01 18:12:35 pkispawn: INFO ... mkdir -p /root/.dogtag/pki-tomcat/ca
>> 2014-09-01 18:12:35 pkispawn: DEBUG... chmod 755 /root/.dogtag/pki-tomcat/ca
>> 2014-09-01 18:12:35 pkispawn: DEBUG... chown 0:0 /root/.dogtag/pki-tomcat/ca
>> 2014-09-01 18:12:35 pkispawn: INFO ... generating '/root/.dogtag/pki-tomcat/ca/password.conf'
>> 2014-09-01 18:12:35 pkispawn: INFO ... modifying '/root/.dogtag/pki-tomcat/ca/password.conf'
>> 2014-09-01 18:12:35 pkispawn: DEBUG... chmod 660 /root/.dogtag/pki-tomcat/ca/password.conf
>> 2014-09-01 18:12:35 pkispawn: DEBUG... chown 0:0 /root/.dogtag/pki-tomcat/ca/password.conf
>> 2014-09-01 18:12:35 pkispawn: INFO ... generating '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'
>> 2014-09-01 18:12:35 pkispawn: INFO ... modifying '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'
>> 2014-09-01 18:12:35 pkispawn: DEBUG... chmod 660 /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
>> 2014-09-01 18:12:35 pkispawn: DEBUG... chown 498:498 /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
>> 2014-09-01 18:12:35 pkispawn: INFO ... executing 'certutil -N -d /tmp/tmp-yRUhk2 -f /root/.dogtag/pki-tomcat/ca/password.conf'
>> 2014-09-01 18:12:35 pkispawn: INFO ... executing 'systemctl daemon-reload'
>> 2014-09-01 18:12:35 pkispawn: INFO ... executing 'systemctl start pki-tomcatd@pki-tomcat.service'
>> 2014-09-01 18:12:35 pkispawn: DEBUG... No connection - server may still be down
>> 2014-09-01 18:12:35 pkispawn: DEBUG... No connection - exception thrown: HTTPSConnectionPool(host='vm-234.idm.lab.eng.brq.redhat.com', port=8443): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by <class 'socket.error'>: [Errno 111] Connection refused)
>> 2014-09-01 18:12:36 pkispawn: DEBUG... No connection - server may still be down
>> 2014-09-01 18:12:36 pkispawn: DEBUG... No connection - exception thrown: HTTPSConnectionPool(host='vm-234.idm.lab.eng.brq.redhat.com', port=8443): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by <class 'socket.error'>: [Errno 111] Connection refused)
>> 2014-09-01 18:12:37 pkispawn: DEBUG... No connection - server may still be down
>> 2014-09-01 18:12:37 pkispawn: DEBUG... No connection - exception thrown: HTTPSConnectionPool(host='vm-234.idm.lab.eng.brq.redhat.com', port=8443): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by <class 'socket.error'>: [Errno 111] Connection refused)
>> 2014-09-01 18:12:38 pkispawn: DEBUG... No connection - server may still be down
>> 2014-09-01 18:12:38 pkispawn: DEBUG... No connection - exception thrown: HTTPSConnectionPool(host='vm-234.idm.lab.eng.brq.redhat.com', port=8443): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by <class 'socket.error'>: [Errno 111] Connection refused)
>> 2014-09-01 18:12:51 pkispawn: DEBUG... <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><State>0</State><Type>CA</Type><Status>running</Status><Version>10.1.1-1.fc20</Version></XMLResponse>
>> 2014-09-01 18:12:52 pkispawn: INFO ... constructing PKI configuration data.
>> 2014-09-01 18:12:52 pkispawn: INFO ... configuring PKI configuration data.
>> 2014-09-01 18:12:58 pkispawn: ERROR... Exception from Java Configuration Servlet: Failed to obtain configuration entries from the master for cloning org.xml.sax.SAXParseException; Premature end of file.
>> 2014-09-01 18:12:58 pkispawn: DEBUG... Error Type: HTTPError
>> 2014-09-01 18:12:58 pkispawn: DEBUG... Error Message: 500 Server Error: Internal Server Error
>> 2014-09-01 18:12:58 pkispawn: DEBUG...   File "/usr/sbin/pkispawn", line 463, in main
>>     rv = instance.spawn(deployer)
>>   File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 126, in spawn
>>     json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
>>   File
Re: [Freeipa-devel] [PATCH] 0003 User life cycle: new stageuser plugin with add verb
On 09/01/2014 01:08 PM, Petr Viktorin wrote:
> On 08/08/2014 03:54 PM, thierry bordaz wrote:
>> Hi,
>>
>> The attached patch is related to 'User Life Cycle' (https://fedorahosted.org/freeipa/ticket/3813)
>> It creates a stageuser plugin with a first function stageuser-add.
>> Stage user entries are provisioned under 'cn=staged users,cn=accounts,cn=provisioning,SUFFIX'.
>>
>> Thanks
>> thierry
>
> Avoid `from ipalib.plugins.baseldap import *` in new code; instead import the module itself and use e.g. `baseldap.LDAPObject`.
>
> The stageuser help (docstring) is copied from the user plugin, and discusses things like account lockout and disabling users. It should rather explain what stageuser itself does. (And I don't very much like the Note about the interface being badly designed...)
> Also decide if the docs should call it "staged user" or "stage user" or "stageuser".

Hello Petr,

Thanks for your review. I will rewrite the docstring to be only staged user related and I will adopt 'stage user' and 'stageuser'.

About the interface, that is correct that I was not able to find a good solution. To add a 'stageuser' I use 'stageuser-add' and '--first' and '--last' are required. Now when a user got deleted ('user-del') and is later moved to 'stage user' it also uses the command line 'stageuser-add'. At this time the deleted user is known/found by its 'user login'/uid. So '--first' and '--last' are not required to find it (they can be used to check givenname/sn). Now I do not expect that 'stageuser-add' will be frequently used to move a Deleted user to Stage user, so it is not such a painful constraint.

> A lot of the code is copied and pasted over from the users plugin. Don't do that. Either import things (e.g. validate_nsaccountlock) from the users plugin, or move the reused code into a shared module.
> For the `user` object, since so much is the same, it might be best to create a common base class for user and stageuser; and similarly for the Command plugins.

I agree that user and stageuser have a lot of code in common. So it would be beneficial to have a common base class. Is it ok to put this in a file under freeipa/ipalib? About the name of this class, what about 'accounts' or 'user_accounts'?

What do you mean by 'similarly for Command plugins'? If I create, for example, a freeipa/ipalib/accounts.py containing all the common code for 'user' and 'stageuser', then import it into freeipa/ipalib/plugins/user and freeipa/ipalib/plugins/stageuser, I believe it will refactor the 'Command plugins'.

> The default permissions need different names, and you don't need another copy of the 'non_object' ones. Also, run the makeaci script.

Ok. I will update the names.
'non_object' is not clear to me, what does this exactly mean when a managed_permission has 'non_object' True. In update_managed_permissions.py it is said that if True, it targets a default value. But on the other side, the managed permissions also define 'ipapermtarget' (like ipauser or UPG)

many thanks Petr
thierry

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0003 User life cycle: new stageuser plugin with add verb
On 09/02/2014 11:40 AM, thierry bordaz wrote:
> On 09/01/2014 01:08 PM, Petr Viktorin wrote:
>> On 08/08/2014 03:54 PM, thierry bordaz wrote:
>>> Hi,
>>>
>>> The attached patch is related to 'User Life Cycle' (https://fedorahosted.org/freeipa/ticket/3813)
>>> It creates a stageuser plugin with a first function stageuser-add.
>>> Stage user entries are provisioned under 'cn=staged users,cn=accounts,cn=provisioning,SUFFIX'.
>>>
>>> Thanks
>>> thierry
>>
>> Avoid `from ipalib.plugins.baseldap import *` in new code; instead import the module itself and use e.g. `baseldap.LDAPObject`.
>>
>> The stageuser help (docstring) is copied from the user plugin, and discusses things like account lockout and disabling users. It should rather explain what stageuser itself does. (And I don't very much like the Note about the interface being badly designed...)
>> Also decide if the docs should call it "staged user" or "stage user" or "stageuser".
>
> Hello Petr,
>
> Thanks for your review. I will rewrite the docstring to be only staged user related and I will adopt 'stage user' and 'stageuser'.
>
> About the interface, that is correct that I was not able to find a good solution. To add a 'stageuser' I use 'stageuser-add' and '--first' and '--last' are required. Now when a user got deleted ('user-del') and is later moved to 'stage user' it also uses the command line 'stageuser-add'. At this time the deleted user is known/found by its 'user login'/uid. So '--first' and '--last' are not required to find it (they can be used to check givenname/sn). Now I do not expect that 'stageuser-add' will be frequently used to move a Deleted user to Stage user, so it is not such a painful constraint.

Right, it's probably not worth worrying about. But you could make them optional formally, and validate them in the pre_callback.

>> A lot of the code is copied and pasted over from the users plugin. Don't do that. Either import things (e.g. validate_nsaccountlock) from the users plugin, or move the reused code into a shared module.
>> For the `user` object, since so much is the same, it might be best to create a common base class for user and stageuser; and similarly for the Command plugins.
>
> I agree that user and stageuser have a lot of code in common. So it would be beneficial to have a common base class. Is it ok to put this in a file under freeipa/ipalib? About the name of this class, what about 'accounts' or 'user_accounts'?

Either ipalib/accounts.py or ipalib/plugins/accounts.py is fine. It would inherit from code in baseldap, which is in plugins, so putting it in plugins would be somewhat more consistent.

> What do you mean by 'similarly for Command plugins'? If I create,

'user' and 'stageuser' are Object plugins, 'user_add' and 'stageuser_add' are Command plugins.

> for example, a freeipa/ipalib/accounts.py containing all the common code for 'user' and 'stageuser', then import it into freeipa/ipalib/plugins/user and freeipa/ipalib/plugins/stageuser, I believe it will refactor the 'Command plugins'.

Yes, that's the idea.

>> The default permissions need different names, and you don't need another copy of the 'non_object' ones. Also, run the makeaci script.
>
> Ok. I will update the names.
> 'non_object' is not clear to me, what does this exactly mean when a managed_permission has 'non_object' True. In update_managed_permissions.py it is said that if True, it targets a default value. But on the other side, the managed permissions also define 'ipapermtarget' (like ipauser or UPG)

'non_object' means that it doesn't take attributes, such as ipapermlocation, from the Object it's defined in. If 'non_object' is false (or missing), the defaults are taken from the object but can be overridden.

--
Petr³

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0118] Allow to disable service (in LDAP)
On 02/09/14 09:10, Jan Cholasta wrote:
> Hi,
>
> Dne 1.9.2014 v 16:57 Martin Basti napsal(a):
>> This patch allows disabling a service in LDAP to prevent the service from being started by ipactl restart
>>
>> Required by DNSSEC
>>
>> Patch attached
>
> I don't think the extra argument in ldap_enable is necessary. It should enable the service no matter if the entry existed before or not. Similarly, in ldap_disable you should not raise an error when the entry is not found, because that already makes the service disabled.
>
> Honza

Updated patch attached

--
Martin Basti

From 43fb8d981cc02b60c76b0a7040d0232bdf2165bc Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Thu, 28 Aug 2014 19:27:44 +0200
Subject: [PATCH] LDAP disable service

This patch allows disabling a service in LDAP (ipactl will not start it)
---
 ipaserver/install/service.py | 49
 1 file changed, 49 insertions(+)

diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 1f01b275135173b7d0bfdb4d56729438a0853142..370f86fe308607162e9bd8b41144e3557ab0a7ab 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -375,6 +375,30 @@ class Service(object): self.ldap_connect() entry_name = DN(('cn', name), ('cn', fqdn), ('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), ldap_suffix) + +# enable disabled service +try: +entry = self.admin_conn.get_entry(entry_name, ['ipaConfigString']) +except errors.NotFound: +pass +else: +if 'enabledService' in entry.get('ipaConfigString', []): +root_logger.debug(failed to enable %s Service startup entry (already enabled) % name) +return + +if 'ipaConfigString' in entry and entry['ipaConfigString'] is not None: +entry['ipaConfigString'].append('enabledService') +else: +entry['ipaConfigString'] = ['enabledService'] +root_logger.warning(%s Service startup entry has no 'ipaConfigString' attributes % name) + +try: +self.admin_conn.update_entry(entry) +except: +root_logger.debug(failed to re-enable %s Service startup entry (already enabled) % name) + +return + order = SERVICE_LIST[name][1] entry = self.admin_conn.make_entry( entry_name, 
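Review bot: the bare `except:` around `self.admin_conn.update_entry(entry)` in the ldap_enable hunk swallows every exception (KeyboardInterrupt included) and then logs `failed to re-enable %s Service startup entry (already enabled)`, which misdescribes what happened: the entry exists, is disabled, and the update failed, so the service stays disabled while the caller continues as if it were enabled. Catch `errors.PublicError` (or at least `Exception`) with the error message and re-raise, the way the existing add path further down does with `raise e`. The early return on an entry that already carries `enabledService` and the handling of a missing `ipaConfigString` are what Honza asked for; `ldap_enable` should only log at warning level there if the missing attribute is genuinely unexpected, since the same code path also covers freshly created entries.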
@@ -390,6 +414,31 @@ class Service(object): root_logger.debug(failed to add %s Service startup entry % name) raise e +def ldap_disable(self, name, fqdn, ldap_suffix): +assert isinstance(ldap_suffix, DN) +if not self.admin_conn: +self.ldap_connect() + +entry_name = DN(('cn', name), ('cn', fqdn), ('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), ldap_suffix) +try: +entry = self.admin_conn.get_entry(entry_name, ['ipaConfigString']) +except errors.NotFound: +root_logger.debug(failed to disable %s Service startup entry (service not found) % name) +return + +if 'enabledService' not in entry.get('ipaConfigString', []): +root_logger.debug(failed to disable %s Service startup entry (Service already disabled) % name) +return + +entry['ipaConfigString'].remove('enabledService') + +try: +self.admin_conn.update_entry(entry) +except: +root_logger.debug(failed to disable %s Service startup entry % name) +raise + + class SimpleServiceInstance(Service): def create_instance(self, gensvc_name=None, fqdn=None, dm_password=None, ldap_suffix=None, realm=None): self.gensvc_name = gensvc_name -- 1.8.3.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
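Review bot: the new `ldap_disable` repeats the `entry_name = DN(('cn', name), ('cn', fqdn), ('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), ldap_suffix)` construction and the `ldap_connect()` preamble from `ldap_enable` verbatim; move the DN into a small helper so the two methods cannot drift apart. The `except: ... raise` around `update_entry` should be `except Exception as e:` with the failure logged at error level rather than debug, since it is being re-raised to the caller anyway. Otherwise the semantics match the review: a missing entry or a missing `enabledService` value returns quietly instead of raising.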
[Freeipa-devel] [PATCH] 0012 Add record(s) to /etc/hosts when IPA is configured as DNS server.
This patch depends on freeipa-dkupka-0009 as it modifies the same part of code.

https://fedorahosted.org/freeipa/ticket/4220

--
David Kupka

From 549e682809d9e0ccc6debe6676f22b3f9d1755f4 Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Tue, 2 Sep 2014 10:49:26 +0200
Subject: [PATCH] Add record(s) to /etc/hosts when IPA is configured as DNS server.

This is to avoid a chicken-and-egg problem when the directory server fails to start without a resolvable hostname and named fails to provide the hostname without the directory server.

https://fedorahosted.org/freeipa/ticket/4220
---
 ipaserver/install/installutils.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 5661de6b6b918a61a8de3ed16c25d4b7debd212d..293caffb5dc6e9219a90f4ec33abd3e13086e09f 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -487,7 +487,7 @@ def get_server_ip_address(host_name, fstore, unattended, options): hosts_record = record_in_hosts(str(ip_address)) if hosts_record is None: -if ip_add_to_hosts: +if ip_add_to_hosts or options.setup_dns: print Adding [+str(ip_address)+ +host_name+] to your /etc/hosts file fstore.backup_file(paths.HOSTS) add_record_to_hosts(str(ip_address), host_name)
--
1.9.3

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
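Review bot: `if ip_add_to_hosts or options.setup_dns:` makes every DNS-enabled install write to /etc/hosts regardless of whatever condition sets `ip_add_to_hosts` (not visible in the hunk), and the `Adding [...] to your /etc/hosts file` message gives the user no reason for it; print why (the directory server must resolve its own name before named is running, as the commit message explains) so that an admin who later finds the line understands it is deliberate. Also, `hosts_record = record_in_hosts(str(ip_address))` looks up by address only, so an existing line that maps `host_name` to a different address is not detected and both lines end up in the file; with 0009 returning several addresses this happens once per address, so consider checking by hostname as well.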
Re: [Freeipa-devel] [PATCH 0061] Ensure ipaUserAuthTypeClass when needed on user creation
On 28.8.2014 20:14, Nathaniel McCallum wrote:
> On Tue, 2014-08-19 at 16:46 -0400, Nathaniel McCallum wrote:
>> Also, remove the attempt to load the objectClasses when absent. This never makes sense during an add operation.
>>
>> https://fedorahosted.org/freeipa/ticket/4455
>
> I still need a review for this. We are trying to get this in 4.0.2.
>
> Nathaniel

ACK if the comment below doesn't need any change:

Maybe I'm missing something, but why do we do the following check: `if 'objectclass' in entry_attrs:`? Shouldn't it always be True, since the objectclass is set in LDAPCreate.execute? A pre-callback in a third party plugin can remove it, but I don't think we should care.

--
Petr Vobornik

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0008 Use certmonger D-Bus API instead of messing with its files.
On 29.8.2014 at 14:34, David Kupka wrote:
Hope I've addressed all the issues (except 9 and 11, inline). Let's go for another round :-)

On 08/27/2014 11:05 AM, Jan Cholasta wrote:
Hi,

On 25.8.2014 at 15:39, David Kupka wrote:
On 08/19/2014 05:44 PM, Rob Crittenden wrote:
David Kupka wrote:
On 08/19/2014 09:58 AM, Martin Kosek wrote:
On 08/19/2014 09:05 AM, David Kupka wrote:
FreeIPA will use certmonger D-Bus API as discussed in this thread
https://www.redhat.com/archives/freeipa-devel/2014-July/msg00304.html
This change should prevent hard-to-reproduce bugs like
https://fedorahosted.org/freeipa/ticket/4280

Thanks for this effort, the updated certmonger module looks much better! This will help us get rid of the non-standard communication with certmonger. Just a couple of initial comments from me by reading the code:

1) Testing needs a fixed version of certmonger, right? This needs to be spelled out right with the patch.

Yes, certmonger 0.75.13 and above should be fine according to ticket https://fedorahosted.org/certmonger/ticket/36. Added to patch description.

You should update the spec to set the minimum version as well.

Sure, thanks.

2) Description text in patches is cheap, do not be afraid to use it and describe what you did and why. Link to the ticket is missing in the description as well:

Ok, increased verbosity a bit :-)

Subject: [PATCH] Use certmonger D-Bus API instead of messing with its files.
---

3) get_request_id API:

criteria = (
-('cert_storage_location', dogtag_constants.ALIAS_DIR,
- certmonger.NPATH),
-('cert_nickname', nickname, None),
+('cert_storage_location', dogtag_constants.ALIAS_DIR),
+('cert_nickname', nickname),
)
request_id = certmonger.get_request_id(criteria)

Do we want to continue using the criteria object or should we rather switch to normal function options? I.e. rather using

request_id = certmonger.get_request_id(cert_nickname=nickname, cert_storage_location=dogtag_constants.ALIAS_DIR)

? It would look more consistent with other calls. I am just asking, not insisting.

I've no preference here. It seems to be a very small change. Has anyone a reason to do it one way and not the other?

I think I used this criteria thing to avoid having a bazillion optional parameters and for future-proofing. I think at this point the list is probably pretty stable, so I'd base it on whether you care about having a whole ton of optional parameters or not (it has the advantage of self-documenting itself).

The list is probably stable but also really excessive. I don't think it would help to have more than a dozen optional parameters. So I prefer to leave it as-is and change it in future if it is wanted.

3) Starting function:

+try:
+ipautil.run([paths.SYSTEMCTL, 'start', 'certmonger'], skip_output=True)
+except Exception, e:
+root_logger.error('Failed to start certmonger: %s' % e)
+raise e

I see 2 issues related to this code:

a) Do not call SYSTEMCTL directly. To be platform independent, rather use services.knownservices.messagebus.start() that is overridable by someone else porting to non-systemd platforms.

Is there anything that can't be done using ipalib/ipapython/ipaplatform?

It can't make coffee (yet).

b) In this case, do not use raise e, but just raise to keep the exception stack trace intact for better debugging.

Every day there's something new to learn about python or FreeIPA.

Both a) and b) should be fixed in other occasions and places.

I found only one occurrence of the a) issue. Is there some hidden one, or are you talking about the whole FreeIPA project?

4) Feel free to add yourself to the Authors section of this module. You refactored it greatly to earn it :-)

Done.

You already import dbus, why also separately import DBusException?

Removed, thanks for noticing.

rob

1) The patch needs to be rebased. I didn't notice the patch is targeted for 4.0. Can you please provide patches for both ipa-4-0 and ipa-4-1/master?

2) Please try to follow PEP8, at least in certmonger.py.

3) In certificate_renewal_update() in ipa-upgradeconfig you removed ca_name from criteria.

4) IMO renaming nickname to cert_nickname in dogtag_start_tracking() and stop_tracking() is unnecessary. We can keep calling request nicknames request_id and certificate nicknames nickname in our APIs.

5) I think it would be better to add a docstring to _cm_dbus_object.__init__() instead of doing this:

# object is accessible over this DBus bus instance
bus = None
# DBus object path
path = None
# the actual DBus object
obj = None
# object interface name
obj_dbus_if = None
# object parent interface name
parent_dbus_if = None
# object interface
obj_if = None
# property interface
prop_if = None

You removed the comments, but left the attributes there. You should remove them as well, they
Re: [Freeipa-devel] [PATCH] 308 Allow changing CA renewal master in ipa-csreplica-manage
On 09/01/2014 03:56 PM, Jan Cholasta wrote:
On 4.8.2014 at 10:39, Jan Cholasta wrote:
On 24.7.2014 at 16:10, Jan Cholasta wrote:
Hi,

the attached patch fixes https://fedorahosted.org/freeipa/ticket/4039. Requires my patches 246 and 262 (current versions attached).

Honza

Forgot to update the man page. Updated patch attached.

Could someone please review this?

I ran into some trouble installing Dogtag, but it wasn't caused by this patch.

ACK, pushed to:
master: 774140196360c727f11c75622ace488d591ddfba
ipa-4-1: aae78480220203b1c64c8b3c6b8297868c849110
ipa-4-0: 8999300894326d104ddf22a97d74d78fdab0984c

--
Petr³

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 308 Allow changing CA renewal master in ipa-csreplica-manage
On 2.9.2014 at 15:31, Petr Viktorin wrote:
On 09/01/2014 03:56 PM, Jan Cholasta wrote:
On 4.8.2014 at 10:39, Jan Cholasta wrote:
On 24.7.2014 at 16:10, Jan Cholasta wrote:
Hi,

the attached patch fixes https://fedorahosted.org/freeipa/ticket/4039. Requires my patches 246 and 262 (current versions attached).

Honza

Forgot to update the man page. Updated patch attached.

Could someone please review this?

I ran into some trouble installing Dogtag, but it wasn't caused by this patch.

ACK, pushed to:
master: 774140196360c727f11c75622ace488d591ddfba
ipa-4-1: aae78480220203b1c64c8b3c6b8297868c849110
ipa-4-0: 8999300894326d104ddf22a97d74d78fdab0984c

Thanks. Please also push the required patches (246 and 262) to ipa-4-0 (they already are in ipa-4-1 and master).

--
Jan Cholasta
Re: [Freeipa-devel] [PATCH 0278] Fix ticket expiration check
On 19/08/14 13:40, Petr Spacek wrote:
Hello,

Fix ticket expiration check.

https://fedorahosted.org/bind-dyndb-ldap/ticket/131

This is one of those obvious bugs when you finally see it :-) The original code died miserably when named reload happened 0-300 seconds after ticket expiration.

Symptoms (debug level 6):

registering dynamic ldap driver for ipa.
trying to establish LDAP connection to ldapi://%2fvar%2frun%2fslapd-IPA-EXAMPLE.socket
Using default keytab file name: FILE:/etc/named.keytab
Found valid Kerberos credentials in cache
trying interactive bind using GSSAPI mechanism
doing interactive bind
got request for SASL_CB_USER
bind to LDAP server failed: Local error
couldn't establish connection in LDAP connection pool: failure
LDAP instance 'ipa' destroyed
load_configuration: failure
reloading configuration failed: failure

There is at least one other problem which causes deadlock on shutdown from time to time, I will look into it separately.

Both problems are hard to reproduce. It seems that the best chance is to change logrotate period (/etc/logrotate.d/named) or Kerberos ticket policy (ipa krbtpolicy-mod) to the same values, keep fingers crossed and hope. On my VM it manifests after several iterations.

This patch should go to all maintained branches (v2, v3, v4, master).

ACK
Patch works for me.

--
Martin Basti
Re: [Freeipa-devel] [PATCH] CLIENT: Explicitly require python-backports-ssl_match_hostname
On 09/01/2014 01:15 PM, Jakub Hrozek wrote:
On Mon, Sep 01, 2014 at 11:01:23AM +0200, Martin Kosek wrote:
On 08/25/2014 07:36 PM, Jakub Hrozek wrote:
Hi,

ipa-client-install was failing for me on a fresh F-21 machine until I manually dragged in python-backports-ssl_match_hostname

Umh, thanks for the fix, but I do not think this spec is actually used in our build process. The last update was done in 2008 :-) We only use the global freeipa.spec.in and build client from that. I think we should just delete the old one.

Martin

OK, I promise to test my patches next time :-)

rpm -q --requires shows the python-backports-ssl_match_hostname dependency now. What about the one in attachment? If it doesn't work for you, feel free to just take over the patch.

No, it is fine. I just added a link to the ticket. Pushed to:
master: 42bf7abb5f81f0b8f98370f7330ab5c5dc2a2fb4
ipa-4-1: c03404423d30781ab18815472782f465915fec7f
ipa-4-0: aa5d86cf84afe766a7493a184a6a55442298ea98

Martin
Re: [Freeipa-devel] [PATCH] CLIENT: Explicitly require python-backports-ssl_match_hostname
On 09/01/2014 02:50 PM, Petr Viktorin wrote: On 09/01/2014 01:15 PM, Jakub Hrozek wrote: On Mon, Sep 01, 2014 at 11:01:23AM +0200, Martin Kosek wrote: On 08/25/2014 07:36 PM, Jakub Hrozek wrote: Hi, ipa-client-install was failing for me on a fresh F-21 machine until I manually dragged in python-backports-ssl_match_hostname Umh, thanks for the fix, but I do not think this spec is actually used in our build process. The last update was done in 2008 :-) We only use the global freeipa.spec.in and build client from that. I think we should just delete the old one. Martin OK, I promise to test my patches next time :-) rpm -q --requires shows the python-backports-ssl_match_hostname dependency now. What about the one in attachment? If it doesn't work for you, feel free to just take over the patch.. This also needs to be in BuildRequires to pass pylint. Patch attached. Rebased. -- Petr³ From 5469012469bb7250a8c3061bdfdecdacb355f306 Mon Sep 17 00:00:00 2001 From: Petr Viktorin pvikt...@redhat.com Date: Tue, 2 Sep 2014 16:43:10 +0200 Subject: [PATCH] freeipa.spec.in: Add python-backports-ssl_match_hostname to BuildRequires This patch adds an explicit build dependency to python-backports-ssl_match_hostname. Without it, the build-time lint would fail. https://fedorahosted.org/freeipa/ticket/4515 --- freeipa.spec.in | 1 + 1 file changed, 1 insertion(+) diff --git a/freeipa.spec.in b/freeipa.spec.in index 07824fed6cc22645f933681d821b79531c880bb8..24771ac8eea0390d3cc3db201ca9bc986e48dc53 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -72,6 +72,7 @@ BuildRequires: systemd BuildRequires: libunistring-devel BuildRequires: python-lesscpy BuildRequires: python-yubico +BuildRequires: python-backports-ssl_match_hostname %description IPA is an integrated solution to provide centrally managed Identity (machine, -- 1.9.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
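Review bot: the new BuildRequires in the `@@ -72,6 +72,7 @@` hunk carries no version constraint, and the thread does not show one on the runtime Requires that `rpm -q --requires` now reports either; if a minimum version of python-backports-ssl_match_hostname is ever needed for the hostname-matching behaviour the client relies on, pin both the same way so the module that satisfies build-time pylint is the one clients install. A one-line comment above the new entry (e.g. `# build-time only: lets pylint resolve the import`) would also keep a later spec cleanup from dropping it as an apparently unused build dependency, since that rationale currently lives only in the commit message.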
Re: [Freeipa-devel] [PATCH] 0012 Add record(s) to /etc/host when IPA is configured as DNS server.
Ok, the patch no longer depends on 0009. The reason is that 0012 is going to ipa-4.0 and 0009 to ipa-4.1. On 09/02/2014 12:13 PM, David Kupka wrote: This patch depends on freeipa-dkupka-0009 as it modifies the same part of code. https://fedorahosted.org/freeipa/ticket/4220 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel -- David Kupka From 7dd0c42caa61378f43d69fa8f996ae2561a3005c Mon Sep 17 00:00:00 2001 From: David Kupka dku...@redhat.com Date: Tue, 2 Sep 2014 16:32:30 +0200 Subject: [PATCH] Add record(s) to /etc/host when IPA is configured as DNS server. This is to avoid chicken-egg problem when directory server fails to start without resolvable hostname and named fails to provide hostname without directory server. https://fedorahosted.org/freeipa/ticket/4220 --- ipaserver/install/installutils.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index dc98d7a51aa743c87b2d7667246b6f029b8a648b..3b9138fef6ca0d907a8dc11d70d7732bc84836e6 100644 --- a/ipaserver/install/installutils.py +++ b/ipaserver/install/installutils.py @@ -489,7 +489,7 @@ def get_server_ip_address(host_name, fstore, unattended, options): hosts_record = record_in_hosts(ip_address) if hosts_record is None: -if ip_add_to_hosts: +if ip_add_to_hosts or options.setup_dns: print Adding [+ip_address+ +host_name+] to your /etc/hosts file fstore.backup_file(paths.HOSTS) add_record_to_hosts(ip_address, host_name) -- 1.9.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
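Review bot: the lookup guarding the new branch is keyed on the address alone (`hosts_record = record_in_hosts(ip_address)`), so with `options.setup_dns` set the hunk appends `[ip_address host_name]` even when /etc/hosts already maps host_name to a different address, leaving two entries for the hostname that the directory server and named may resolve inconsistently, which is the very chicken-and-egg situation the commit message wants to avoid. Consider also checking for an existing record for host_name and replacing it before `add_record_to_hosts`. The commit message should further say that with `--setup-dns` the record is now written regardless of `ip_add_to_hosts`, because the printed "Adding [...] to your /etc/hosts file" line does not tell the user why it happened.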
Re: [Freeipa-devel] [PATCH] 0009 Detect and configure all usable IP addresses.
The patch now depends on freeipa-dkupka-0012 as both modifies the same part of code. On 09/02/2014 10:29 AM, David Kupka wrote: Forget to add str() conversion to some places when removing map(). Now it should be working again. On 08/27/2014 02:24 PM, David Kupka wrote: Patch modified according to jcholast's personally-delivered feedback: 1) use action='append' instead of that ugly parsing 2) do not use map(), FreeIPA doesn't like it On 08/25/2014 05:04 PM, David Kupka wrote: https://fedorahosted.org/freeipa/ticket/3575 Also should fix https://bugzilla.redhat.com/show_bug.cgi?id=1128380 as installation is no longer interrupted when multiple IPs are resolved. But it does not add the option to change the IP address during second run. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel -- David Kupka From 8eaea5ada941ac813e22efa076b6989d2dbf6be6 Mon Sep 17 00:00:00 2001 From: David Kupka dku...@redhat.com Date: Wed, 27 Aug 2014 13:50:21 +0200 Subject: [PATCH] Detect and configure all usable IP addresses. Find, verify and configure all IP addresses that can be used to reach the server FreeIPA is being installed on. Ignore some IP address only if user specifies subset of detected addresses using --ip-address option. This change simplyfies FreeIPA installation on multihomed and dual-stacked servers. https://fedorahosted.org/freeipa/ticket/3575 --- install/tools/ipa-server-install | 43 ipaserver/install/bindinstance.py | 46 +++-- ipaserver/install/installutils.py | 86 +++ 3 files changed, 94 insertions(+), 81 deletions(-) diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 6e77b434a018faec36a2808626c99a54bd493908..dde7731e5d991f3329efe8232fcd1bce434e280d 100755 
--- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -176,7 +176,7 @@ def parse_options(): on their first login) basic_group.add_option(--hostname, dest=host_name, help=fully qualified name of server) basic_group.add_option(--ip-address, dest=ip_address, - type=ip, ip_local=True, + type=ip, ip_local=True, action=append, default=[], help=Master Server IP Address) basic_group.add_option(-N, --no-ntp, dest=conf_ntp, action=store_false, help=do not configure ntp, default=True) @@ -236,7 +236,8 @@ def parse_options(): type=ip, help=Add a DNS forwarder) dns_group.add_option(--no-forwarders, dest=no_forwarders, action=store_true, default=False, help=Do not add any DNS forwarders, use root servers instead) -dns_group.add_option(--reverse-zone, dest=reverse_zone, help=The reverse DNS zone to use) +dns_group.add_option(--reverse-zone, dest=reverse_zone, help=The reverse DNS zone to use, + action=append, default=[]) dns_group.add_option(--no-reverse, dest=no_reverse, action=store_true, default=False, help=Do not create reverse DNS zone) dns_group.add_option(--zonemgr, action=callback, callback=bindinstance.zonemgr_callback, @@ -832,11 +833,11 @@ def main(): realm_name = host_name = domain_name = -ip_address = +ip_address = [] master_password = dm_password = admin_password = -reverse_zone = None +reverse_zone = [] if not options.setup_dns and not options.unattended: if ipautil.user_input(Do you want to configure integrated DNS (BIND)?, False): 
@@ -895,11 +896,14 @@ def main(): domain_name = domain_name.lower() -ip = get_server_ip_address(host_name, fstore, options.unattended, options) -ip_address = str(ip) +ip_address = get_server_ip_address(host_name, fstore, options.unattended, options) -if options.reverse_zone and not bindinstance.verify_reverse_zone(options.reverse_zone, ip): -sys.exit(1) +for ip in ip_address: +for rev_zone in reverse_zone: +if bindinstance.verify_reverse_zone(rev_zone, str(ip)): +break +else: +sys.exit(1) if not options.realm_name: realm_name = read_realm_name(domain_name, options.unattended) @@ -972,16 +976,23 @@ def main(): dns_forwarders = read_dns_forwarders() if options.reverse_zone: -reverse_zone = bindinstance.normalize_zone(options.reverse_zone) +for rz in options.reverse_zone: +
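Review bot: in the `@@ -895,11 +896,14 @@` hunk the inner loop iterates the local `reverse_zone`, which the `@@ -832,11 +833,11 @@` hunk initialises to `[]` and which, as far as the visible context shows, is only filled from `options.reverse_zone` later in the `@@ -972,16 +976,23 @@` hunk; at this point the inner loop therefore runs zero times, its `else:` branch always executes and `sys.exit(1)` fires on the first address, even when no `--reverse-zone` was given at all (the old code only exited when `options.reverse_zone` was set and `verify_reverse_zone` failed). Iterate `options.reverse_zone` here and skip the check when it is empty, or move the verification after the zones have been normalised, and print which address had no matching reverse zone before exiting so the failure is diagnosable.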
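Review bot: in the `@@ -236,7 +236,8 @@` hunk `--reverse-zone` gains `action="append", default=[]` but keeps the singular help text "The reverse DNS zone to use", and the same applies to `--ip-address` ("Master Server IP Address") in the `@@ -176,7 +176,7 @@` hunk; update both help strings (and the man page) to say the option may be repeated, since that is the user-visible change this patch introduces.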
Re: [Freeipa-devel] [PATCH] CLIENT: Explicitly require python-backports-ssl_match_hostname
On 09/02/2014 04:48 PM, Petr Viktorin wrote:
On 09/01/2014 02:50 PM, Petr Viktorin wrote:
On 09/01/2014 01:15 PM, Jakub Hrozek wrote:
On Mon, Sep 01, 2014 at 11:01:23AM +0200, Martin Kosek wrote:
On 08/25/2014 07:36 PM, Jakub Hrozek wrote:
Hi,

ipa-client-install was failing for me on a fresh F-21 machine until I manually dragged in python-backports-ssl_match_hostname

Umh, thanks for the fix, but I do not think this spec is actually used in our build process. The last update was done in 2008 :-) We only use the global freeipa.spec.in and build client from that. I think we should just delete the old one.

Martin

OK, I promise to test my patches next time :-)

rpm -q --requires shows the python-backports-ssl_match_hostname dependency now. What about the one in attachment? If it doesn't work for you, feel free to just take over the patch.

This also needs to be in BuildRequires to pass pylint. Patch attached.

Rebased.

Thanks for the catch, sorry for missing the updated patch earlier. ACK, pushed to:
master: 68b7312639260926e3d4a07ab002f54ce238c72e
ipa-4-1: cac070b121b0a676c1367602852b8fafe62a3330
ipa-4-0: 4adefc3f5d177337a7e1acfc2a07e67853e716c7

Martin
[Freeipa-devel] [PATCH] 748 webui: extract complex pkey on Add and Edit
DNS zone 'Add and Edit' failed because of new DNS name encoding. This patch makes sure that keys are extracted properly. https://fedorahosted.org/freeipa/ticket/4520 -- Petr Vobornik From 686ac549bf92822a9c9692e58a89e41665faab08 Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Tue, 2 Sep 2014 17:11:52 +0200 Subject: [PATCH] webui: extract complex pkey on Add and Edit DNS zone 'Add and Edit' failed because of new DNS name encoding. This patch makes sure that keys are extracted properly. https://fedorahosted.org/freeipa/ticket/4520 --- install/ui/src/freeipa/add.js | 7 --- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/install/ui/src/freeipa/add.js b/install/ui/src/freeipa/add.js index 78f3890ad2320cbc3afd5cb9ae1e4ae2359d8023..7f5c29807bae8cc9db00e4e826a68facd1e5758a 100644 --- a/install/ui/src/freeipa/add.js +++ b/install/ui/src/freeipa/add.js @@ -166,12 +166,13 @@ IPA.entity_adder_dialog = function(spec) { function show_edit_page(entity,result) { var pkey_name = entity.metadata.primary_key; var pkey = result[pkey_name]; -if (pkey instanceof Array) { -pkey = pkey[0]; +if (!(pkey instanceof Array)) { +pkey = [pkey]; } +rpc.extract_objects(pkey); var pkeys = that.pkey_prefix.slice(0); -pkeys.push(pkey); +pkeys.push(pkey[0]); navigation.show_entity(that.entity.name, 'default', pkeys); } -- 1.9.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
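Review bot: `rpc.extract_objects(pkey);` discards its return value, so the hunk only works if that helper rewrites the array elements in place; if it returns a new array (which a name like extract_* may well do), the `pkey[0]` pushed two lines later is still the un-extracted object and the Edit page navigates to the wrong key. Either assign the result (`pkey = rpc.extract_objects(pkey);`) or add a comment stating the in-place contract. The new `if (!(pkey instanceof Array)) { pkey = [pkey]; }` also turns a missing primary key (`result[pkey_name]` undefined) into `[undefined]` instead of failing visibly; a guard that bails out when `pkey` is undefined would make that case easier to spot.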
Re: [Freeipa-devel] [PATCH 0061] Ensure ipaUserAuthTypeClass when needed on user creation
On Tue, 2014-09-02 at 13:49 +0200, Petr Vobornik wrote: On 28.8.2014 20:14, Nathaniel McCallum wrote: On Tue, 2014-08-19 at 16:46 -0400, Nathaniel McCallum wrote: Also, remove the attempt to load the objectClasses when absent. This never makes sense during an add operation. https://fedorahosted.org/freeipa/ticket/4455 I still need a review for this. We are trying to get this in 4.0.2. Nathaniel ACK if comment below doesn't need any change: Maybe I'm missing something, but why do we do following check: `if 'objectclass' in entry_attrs:`? Shouldn't it be always True? Since the objectclass is set in LDAPCreate.execute. A pre-callback in an third party plugin can remove it, but I don't think we should care. I also thought that was odd, but I cargo-culted it to retain backwards compatibility. Attached is a version of the patch which doesn't retain this. I don't care which gets merged. Nathaniel From 258be9ea67b6e06b8dcf775e53eabfe081a91594 Mon Sep 17 00:00:00 2001 From: Nathaniel McCallum npmccal...@redhat.com Date: Tue, 19 Aug 2014 16:32:33 -0400 Subject: [PATCH] Ensure ipaUserAuthTypeClass when needed on user creation Also, remove the attempt to load the objectClasses when absent. This never makes sense during an add operation. https://fedorahosted.org/freeipa/ticket/4455 --- ipalib/plugins/user.py | 24 +++- 1 file changed, 11 insertions(+), 13 deletions(-) diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index f646e85827bba4544f962c36f5f15c2a89cb2d75..454d219725cbb2803ea4f5ead3ba76672f3fd02f 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py 
@@ -780,23 +780,21 @@ class user_add(LDAPCreate): if 'manager' in entry_attrs: entry_attrs['manager'] = self.obj._normalize_manager(entry_attrs['manager']) -if ('objectclass' in entry_attrs -and 'userclass' in entry_attrs -and 'ipauser' not in entry_attrs['objectclass']): +if 'userclass' in entry_attrs and \ + 'ipauser' not in entry_attrs['objectclass']: entry_attrs['objectclass'].append('ipauser') -if 'ipatokenradiusconfiglink' in entry_attrs: -cl = entry_attrs['ipatokenradiusconfiglink'] -if cl: -if 'objectclass' not in entry_attrs: -_entry = ldap.get_entry(dn, ['objectclass']) -entry_attrs['objectclass'] = _entry['objectclass'] +if 'ipauserauthtype' in entry_attrs and \ + 'ipauserauthtypeclass' not in entry_attrs['objectclass']: +entry_attrs['objectclass'].append('ipauserauthtypeclass') -if 'ipatokenradiusproxyuser' not in entry_attrs['objectclass']: -entry_attrs['objectclass'].append('ipatokenradiusproxyuser') +rcl = entry_attrs.get('ipatokenradiusconfiglink', None) +if rcl: +if 'ipatokenradiusproxyuser' not in entry_attrs['objectclass']: +entry_attrs['objectclass'].append('ipatokenradiusproxyuser') -answer = self.api.Object['radiusproxy'].get_dn_if_exists(cl) -entry_attrs['ipatokenradiusconfiglink'] = answer +answer = self.api.Object['radiusproxy'].get_dn_if_exists(rcl) +entry_attrs['ipatokenradiusconfiglink'] = answer return dn -- 2.1.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
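Review bot: the two membership tests in the hunk are inconsistent about empty values: `if 'ipauserauthtype' in entry_attrs and 'ipauserauthtypeclass' not in entry_attrs['objectclass']` appends the objectclass as soon as the key is present, even when its value is `None` or an empty list, whereas the radius branch below uses `rcl = entry_attrs.get('ipatokenradiusconfiglink', None)` / `if rcl:` and skips empty values. Use the same truthiness check for ipauserauthtype (and userclass) so an empty option does not attach an objectclass the entry does not need. The commit message should also state explicitly that the pre-callback now relies on `entry_attrs['objectclass']` always being populated by LDAPCreate.execute, since that assumption is what dropping the `'objectclass' in entry_attrs` guard and the `ldap.get_entry(dn, ['objectclass'])` fallback depends on.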
Re: [Freeipa-devel] [PATCH 0107-0108] Fix DNS wildcard validation
On 21.8.2014 10:58, Martin Basti wrote:
On 21/08/14 08:43, Petr Spacek wrote:
On 20.8.2014 17:37, Martin Basti wrote:
+# dissallowed wildcard (RFC 4592)
+no_wildcard_rtypes = ['CNAME', 'DNAME', 'DS', 'NS']

NACK

http://tools.ietf.org/html/rfc4592#section-4.3 doesn't forbid CNAME with wildcard owner name. This subsection is just a note for implementers about proper wildcard handling. Sorry :-)

Thank you! Updated patches attached.

# ipa dnsrecord-add ipa.example. '*' --ns-rec='ns'
ipa: ERROR: invalid 'idnsname': owner of DNAME, DS, NS records should not be a wildcard domain name (RFC 4592)

It would be nice to have a more specific reference to the RFC: 'RFC 4592 section 4'.

CondACK: It can be pushed if you amend the error message.

--
Petr^2 Spacek
Re: [Freeipa-devel] [PATCHES 0111-0113] Fix NS record coexistence validation
On 21.8.2014 19:21, Martin Basti wrote:
During work on DNSSEC we found a wrong validation of NS records

Patch 0113 fixes an error in tests caused by bind-dyndb-ldap bug https://fedorahosted.org/bind-dyndb-ldap/ticket/123

Patches attached.

Functional ACK. It can be pushed if Python gurus don't see any problem.

--
Petr^2 Spacek
Re: [Freeipa-devel] [PATCHES 0114-0115] DNS: allow to add root zone '.'
On 25.8.2014 14:52, Martin Basti wrote:
Patches attached.

Ticket: https://fedorahosted.org/freeipa/ticket/4149

There is a bug in bind-dyndb-ldap (or worse, in dirsrv) which causes the named service to be stopped after deleting a zone.
Bug ticket: https://fedorahosted.org/bind-dyndb-ldap/ticket/138

Functional ACK, it works for me. It can be pushed if Python gurus are okay with the code.

# ipa dnszone-add .
Authoritative nameserver: @
Administrator e-mail address [hostmaster.]:
Administrator e-mail address: missing address domain
Administrator e-mail address [hostmaster.]: hostmaster.
Administrator e-mail address: missing address domain
Administrator e-mail address [hostmaster.]: hostmaster.test.
Nameserver IP address: 127.0.0.1
  Zone name: .
  Active zone: TRUE
  Authoritative nameserver: @
  Administrator e-mail address: hostmaster.test.
  SOA serial: 1409672572
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant IPA.EXAMPLE krb5-self * A; grant IPA.EXAMPLE krb5-self * ; grant IPA.EXAMPLE krb5-self * SSHFP;
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;

# ipa dnszone-mod . --expire=555
  Zone name: .
  Active zone: TRUE
  Authoritative nameserver: @
  Administrator e-mail address: hostmaster.test.
  SOA serial: 1409672710
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 555
  SOA minimum: 3600
  Allow query: any;
  Allow transfer: none;

# ipa dnszone-del .
Deleted DNS zone .

The "Administrator e-mail address: missing address domain" failure is IMHO acceptable in this case. It seems unlikely that the root domain will have MX records :-)

--
Petr^2 Spacek
Re: [Freeipa-devel] [PATCH 0278] Fix ticket expiration check
On 2.9.2014 16:30, Martin Basti wrote:
On 19/08/14 13:40, Petr Spacek wrote:
Hello,

Fix ticket expiration check.

https://fedorahosted.org/bind-dyndb-ldap/ticket/131

This is one of those obvious bugs when you finally see it :-) The original code died miserably when named reload happened 0-300 seconds after ticket expiration.

Symptoms (debug level 6):

registering dynamic ldap driver for ipa.
trying to establish LDAP connection to ldapi://%2fvar%2frun%2fslapd-IPA-EXAMPLE.socket
Using default keytab file name: FILE:/etc/named.keytab
Found valid Kerberos credentials in cache
trying interactive bind using GSSAPI mechanism
doing interactive bind
got request for SASL_CB_USER
bind to LDAP server failed: Local error
couldn't establish connection in LDAP connection pool: failure
LDAP instance 'ipa' destroyed
load_configuration: failure
reloading configuration failed: failure

There is at least one other problem which causes deadlock on shutdown from time to time, I will look into it separately.

Both problems are hard to reproduce. It seems that the best chance is to change logrotate period (/etc/logrotate.d/named) or Kerberos ticket policy (ipa krbtpolicy-mod) to the same values, keep fingers crossed and hope. On my VM it manifests after several iterations.

This patch should go to all maintained branches (v2, v3, v4, master).

ACK
Patch works for me.

Thank you!

Pushed to Git:
master: 24f05cf9b9b6bd9c57d09dbd018da179eb8dc8bb
v4: bc5f3139b7ce55e5a116331eeec3b154a4204daa
v3: 55c91481ec3bdc6d3bca4d3bce58c5ba39b636db
v2: 80f7663f309c0d0b9cb89ed8f8b38301b207360d

--
Petr^2 Spacek
[Freeipa-devel] [PATCH 0279] Always use task associated ISC event instead of global inst-task
Hello, Always use task associated with ISC event instead of global inst-task. This is necessary to prevent random crashes like: REQUIRE(task-state == task_state_running) failed https://fedorahosted.org/bind-dyndb-ldap/ticket/138 -- Petr^2 Spacek From 2be8cf6f1d42391ae83f7fb678b3013d5f2f3efe Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Tue, 2 Sep 2014 18:50:57 +0200 Subject: [PATCH] Always use task associated ISC event instead of global inst-task. This is necessary to prevent random crashes like: REQUIRE(task-state == task_state_running) failed https://fedorahosted.org/bind-dyndb-ldap/ticket/138 Signed-off-by: Petr Spacek pspa...@redhat.com --- src/ldap_helper.c | 33 ++--- src/ldap_helper.h | 5 +++-- src/zone_register.c | 4 ++-- 3 files changed, 23 insertions(+), 19 deletions(-) diff --git a/src/ldap_helper.c b/src/ldap_helper.c index a163ee9b06f7d4fbe0fe5473172e827bfd3c38c2..199a565aed72c14d226d35da2adca81f7444f892 100644 --- a/src/ldap_helper.c +++ b/src/ldap_helper.c @@ -1295,7 +1295,8 @@ delete_forwarding_table(ldap_instance_t *inst, dns_name_t *name, /* Delete zone by dns zone name */ isc_result_t -ldap_delete_zone2(ldap_instance_t *inst, dns_name_t *name, isc_boolean_t lock, +ldap_delete_zone2(ldap_instance_t *inst, isc_task_t * const task, + dns_name_t *name, isc_boolean_t lock, isc_boolean_t preserve_forwarding) { isc_result_t result; @@ -1310,7 +1311,7 @@ ldap_delete_zone2(ldap_instance_t *inst, dns_name_t *name, isc_boolean_t lock, dns_name_format(name, zone_name_char, DNS_NAME_FORMATSIZE); log_debug(1, deleting zone '%s', zone_name_char); if (lock) - run_exclusive_enter(inst-task, lock_state); + run_exclusive_enter(task, lock_state); if (!preserve_forwarding) { CHECK(delete_forwarding_table(inst, name, zone, 
@@ -1353,23 +1354,23 @@ ldap_delete_zone2(ldap_instance_t *inst, dns_name_t *name, isc_boolean_t lock, cleanup: if (freeze) dns_view_freeze(inst-view); - run_exclusive_exit(inst-task, lock_state); + run_exclusive_exit(task, lock_state); return result; } /* Delete zone */ -static isc_result_t ATTR_NONNULLS ATTR_CHECKRESULT -ldap_delete_zone(ldap_instance_t *inst, const char *dn, isc_boolean_t lock, - isc_boolean_t preserve_forwarding) +static isc_result_t ATTR_NONNULL(1,3) ATTR_CHECKRESULT +ldap_delete_zone(ldap_instance_t *inst, isc_task_t * const task, const char *dn, + isc_boolean_t lock, isc_boolean_t preserve_forwarding) { isc_result_t result; dns_name_t name; dns_name_init(name, NULL); CHECK(dn_to_dnsname(inst-mctx, dn, name, NULL)); - result = ldap_delete_zone2(inst, name, lock, preserve_forwarding); + result = ldap_delete_zone2(inst, task, name, lock, preserve_forwarding); cleanup: if (dns_name_dynamic(name)) @@ -1610,7 +1611,8 @@ cleanup: /* Parse the config object entry */ static isc_result_t ATTR_NONNULLS ATTR_CHECKRESULT -ldap_parse_configentry(ldap_entry_t *entry, ldap_instance_t *inst) +ldap_parse_configentry(ldap_entry_t *entry, ldap_instance_t *inst, + isc_task_t * const task) { isc_result_t result; @@ -1628,14 +1630,14 @@ ldap_parse_configentry(ldap_entry_t *entry, ldap_instance_t *inst) result = setting_update_from_ldap_entry(dyn_update, inst-global_settings, idnsAllowDynUpdate, - entry, inst-task); + entry, task); if (result != ISC_R_SUCCESS result != ISC_R_IGNORE) goto cleanup; result = setting_update_from_ldap_entry(sync_ptr, inst-global_settings, idnsAllowSyncPTR, - entry, inst-task); + entry, task); if (result != ISC_R_SUCCESS result != ISC_R_IGNORE) goto cleanup; 
@@ -2234,7 +2236,7 @@ zone_security_change(ldap_entry_t * const entry, dns_name_t * const name, * in period where old zone was deleted but the new zone was not * created yet. */ run_exclusive_enter(task, lock_state); - CHECK(ldap_delete_zone2(inst, name, ISC_FALSE, ISC_TRUE)); + CHECK(ldap_delete_zone2(inst, task, name, ISC_FALSE, ISC_TRUE)); CHECK(ldap_parse_master_zoneentry(entry, olddb, inst, task)); cleanup: @@ -2402,7 +2404,8 @@ cleanup: /* Failure in ACL parsing or so. */ log_error_r(zone '%s': publishing failed, rolling back due to, entry-dn); - result = ldap_delete_zone2(inst, name, ISC_TRUE, ISC_FALSE); + result = ldap_delete_zone2(inst, task, name, ISC_TRUE, + ISC_FALSE); if (result != ISC_R_SUCCESS) log_error_r(zone '%s': rollback failed: , entry-dn); } @@ -4247,7 +4250,7 @@ update_zone(isc_task_t *task, isc_event_t *event) } */ } else { - CHECK(ldap_delete_zone(inst, pevent-dn, ISC_TRUE, ISC_FALSE)); + CHECK(ldap_delete_zone(inst, task, pevent-dn, ISC_TRUE, ISC_FALSE)); } cleanup: @@ -4274,7 +4277,7 @@ cleanup: } static void ATTR_NONNULLS -update_config(isc_task_t *task, isc_event_t *event) +update_config(isc_task_t * task, isc_event_t *event) { ldap_syncreplevent_t *pevent = (ldap_syncreplevent_t *)event;
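Review bot: in the `@@ -1353,23 +1354,23 @@` hunk `ldap_delete_zone` changes from `ATTR_NONNULLS` to `ATTR_NONNULL(1,3)`, which marks the new `task` parameter (position 2) as nullable, yet the function forwards it unchanged to `ldap_delete_zone2`, where the `lock` branch calls `run_exclusive_enter(task, lock_state)` and the cleanup path calls `run_exclusive_exit(task, lock_state)` unconditionally. Unless a NULL task is a supported input there, keep `ATTR_NONNULLS` (or `ATTR_NONNULL(1,2,3)`) so the compiler keeps checking callers such as `update_zone`; if NULL is meant to be allowed, add a REQUIRE or an explicit check in ldap_delete_zone2 and say so in the commit message. Separately, the `isc_task_t *task` to `isc_task_t * task` edit in `update_config` (`@@ -4274,7 +4277,7 @@`) is whitespace-only and matches neither spelling already used in these hunks (`isc_task_t * const task` in ldap_delete_zone2, `isc_task_t *task` in update_zone), so it could be dropped to keep the diff to the functional change.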
Re: [Freeipa-devel] Search Base issues
Switching to freeipa-devel@ since it is an important issue.

On Tue, 02 Sep 2014, Rob Crittenden wrote:
Chris Whittle wrote:
If I do this

ldapsearch -LLL -H ldaps://DOMAIN:636 -x -D uid=mac_slave,cn=users,cn=accounts,dc=domain,dc=com -w 'nachopassword' -b uid=awesomeuser,cn=users,cn=accounts,dc=domain,dc=com

It works fine

AFAICT there currently isn't a permission for the compat tree. The admin user can do it via 'Admin can manage any entry' and of course DM can do it because it can do anything.

A temporary workaround would be to add an aci manually:

dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")(target = "ldap:///uid=*,cn=canlogin,cn=compat,dc=example,dc=com")(version 3.0;acl "Read canlogin compat tree";allow (compare,read,search) userdn = "ldap:///all";)

This won't show up as a permission and will grant all authenticated users read access to the canlogin compat tree. I'm assuming here this contains entries keyed on uid.

We have several use-cases for compat tree and I wonder what to do with completely unauthenticated case? Do we still want to support that? Exposing the same data anonymously over compat tree when it is available only for authenticated users over primary tree isn't secure.

--
/ Alexander Bokovoy
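A small checker for the ACI in Rob's workaround, added here as an illustration; it is not code from the thread, FreeIPA or 389-ds. It parses the ACI syntax shown above (with the quotes that the archive dropped restored) and classifies the widest allow rule by its userdn subject: `ldap:///all` grants to any authenticated identity, while `ldap:///anyone` also admits anonymous binds, which is exactly the distinction Alexander raises for the compat tree. The second ACI is a constructed variant nobody proposed, included only to show what the anonymous case looks like.

```python
"""Parse 389-ds / FreeIPA ACI values and report how widely they open an entry."""
import re

# The workaround ACI from the thread (quotes restored).
ACI_COMPAT_READ = (
    '(targetattr = "*")'
    '(target = "ldap:///uid=*,cn=canlogin,cn=compat,dc=example,dc=com")'
    '(version 3.0;acl "Read canlogin compat tree";'
    'allow (compare,read,search) userdn = "ldap:///all";)'
)

# Constructed variant: the same grant, but to anyone, including anonymous binds.
ACI_COMPAT_ANON = ACI_COMPAT_READ.replace('"ldap:///all"', '"ldap:///anyone"')

# Target clauses come before the version/acl part: (keyword op "value")
_TARGET_RE = re.compile(r'\((targetattr|targetfilter|target)\s*(!?=)\s*"([^"]*)"\)')
# ACI name, followed by one or more "allow|deny (rights) bindrule;" terms
_NAME_RE = re.compile(r'acl\s+"([^"]*)"\s*;')
_RULE_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*([^;]*);')
_USERDN_RE = re.compile(r'userdn\s*(!?=)\s*"([^"]*)"')

# 389-ds bind-rule subjects: "ldap:///all" matches any authenticated identity,
# "ldap:///anyone" additionally matches anonymous (unauthenticated) binds.
SUBJECT_ALL = "ldap:///all"
SUBJECT_ANYONE = "ldap:///anyone"


def parse_aci(aci):
    """Return {'name', 'targets', 'rules'} for a single ACI value."""
    name_match = _NAME_RE.search(aci)
    if name_match is None:
        raise ValueError("ACI has no acl name: %r" % aci)
    # Target clauses only appear before the acl name.
    targets = {kw: (op, val)
               for kw, op, val in _TARGET_RE.findall(aci[:name_match.start()])}
    rules = []
    # Permission rules only appear after the acl name.
    for kind, rights, bind_rule in _RULE_RE.findall(aci[name_match.end():]):
        rules.append({
            "kind": kind,
            "rights": {r.strip() for r in rights.split(",") if r.strip()},
            "bind_rule": bind_rule.strip(),
            # list of (op, dn) pairs, e.g. ("=", "ldap:///all")
            "userdn": _USERDN_RE.findall(bind_rule),
        })
    return {"name": name_match.group(1), "targets": targets, "rules": rules}


def bind_exposure(aci):
    """Classify the widest allow rule: 'anonymous', 'authenticated' or 'restricted'."""
    level = "restricted"
    for rule in parse_aci(aci)["rules"]:
        if rule["kind"] != "allow":
            continue
        granted_to = {dn for op, dn in rule["userdn"] if op == "="}
        if SUBJECT_ANYONE in granted_to:
            return "anonymous"
        if SUBJECT_ALL in granted_to:
            level = "authenticated"
    return level


def anonymous_rights(aci):
    """Rights an unauthenticated bind gains from this ACI (empty set if none)."""
    rights = set()
    for rule in parse_aci(aci)["rules"]:
        if rule["kind"] == "allow" and any(
                op == "=" and dn == SUBJECT_ANYONE for op, dn in rule["userdn"]):
            rights |= rule["rights"]
    return rights


if __name__ == "__main__":
    for aci in (ACI_COMPAT_READ, ACI_COMPAT_ANON):
        parsed = parse_aci(aci)
        print("%-28s exposure=%-13s anonymous rights=%s" % (
            parsed["name"], bind_exposure(aci), sorted(anonymous_rights(aci))))
```

The checker looks only at allow rules and their userdn subjects; deny rules and the other bind-rule keywords (groupdn, ip, authmethod and so on) are parsed into `bind_rule` but not evaluated, so treat its verdict as a first filter over a dump of `aci` attributes, not as a full access-control evaluation. Run against the workaround ACI it reports "authenticated", which is the property Rob describes; the constructed variant reports "anonymous" with compare, read and search exposed.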