Re: [Freeipa-devel] #4534: SSSD deref processing fail when entryusn can be read and objectclass doesn't

[Petr Viktorin]

On 09/11/2014 10:24 PM, Martin Kosek wrote:

On 09/11/2014 08:49 PM, Simo Sorce wrote:

On Thu, 2014-09-11 at 20:28 +0200, Martin Kosek wrote:

On 09/11/2014 05:37 PM, Simo Sorce wrote:

On Thu, 2014-09-11 at 17:03 +0200, Martin Kosek wrote:

Hello,

We have another important issue to resolve. Current FreeIPA 4.0.2
ACI settings
cause older SSSD clients to fail as they get returned an LDAP deref
call
results without objectclass attribute and just with entryusn
attribute. Details
in https://fedorahosted.org/freeipa/ticket/4534. While I agree SSSD
should be
more tolerant in this case, it still breaks old clients which we
should prevent.

There are 2 ways how to fix I currently see:

1) Return objectclass for any entry, just like we do with
operational attributes

This would include adding objectclass to System: Read Timestamp
and USN
Operational Attributes. However, I am rather cautious about this
approach as
even though objectclass does not usually carry a secret
information, we could
still leak some information about our DIT to unprivileged user.


Our DIT is public and known, I see no problem.


I rather meant the LDAP tree and it's contents (custom groups, sudo
rules,
roles, ...).

I did one more test and found out we cannot do this as it would
undermine the
ACIs we have right now. As soon as objectclass is allowed globally,
ldapsearch
returns every object even if no other attribute is returned:

# ldapsearch -h `hostname` -Y GSSAPI -b
cn=pbac,dc=mkosek-fedora20,dc=test
SASL/GSSAPI authentication started
SASL username: host/ipa.mkosek-fedora20.t...@mkosek-fedora20.test
SASL SSF: 56
SASL data security layer installed.
...
# User Administrators, privileges, pbac, mkosek-fedora20.test
dn: cn=User
Administrators,cn=privileges,cn=pbac,dc=mkosek-fedora20,dc=test
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
...

It would not show any more info before that, but even the list of
permissions,
privileges and roles along with it's names is a leaked information.



2) Show objectclass+operational attributes in our Read ACIs
Other way I see is to update *all* our Read permissions allowing
reading
objectclass attribute and also allow the chosen LDAP operational
attribute.
This would let the LDAP caller to always get either all these
discussed
attributes but none at all.


Do we want to do this? Any other (better) idea how to approach it?


I honestly am not sure I understand the distinction between 1 and 2,
can
you provide the actual ACIs or a behavior example ?

Simo.


Currently, our ACI allows reading entryusn in any LDAP entry. So user
(SSSD)
running LDAP deref call gets entryusn from object it does not have a
read
access to:

# ldapsearch -h `hostname` -Y GSSAPI -b
uid=admin,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test -E
'deref=memberof:objectclass,entryusn'
SASL/GSSAPI authentication started
SASL username: host/ipa.mkosek-fedora20.t...@mkosek-fedora20.test
SASL SSF: 56
SASL data security layer installed.
...
# memberof: entryusn=845;cn=replication
administrators,cn=privileges,cn=pba
   c,dc=mkosek-fedora20,dc=test

# memberof: entryusn=75;cn=add replication
agreements,cn=permissions,cn=pba
   c,dc=mkosek-fedora20,dc=test
...

This confuses SSSD (sees entryusn but does not see objectclass
attribute) + may
give out some information we do not want to give out. Fortunately, bare
ldapsearch does not show anything:

# ldapsearch -h `hostname` -Y GSSAPI -b cn=replication
administrators,cn=privileges,cn=pbac,dc=mkosek-fedora20,dc=test
entryusn
SASL/GSSAPI authentication started
SASL username: host/ipa.mkosek-fedora20.t...@mkosek-fedora20.test
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base cn=replication
administrators,cn=privileges,cn=pbac,dc=mkosek-fedora20,dc=test with
scope subtree
# filter: (objectclass=*)
# requesting: entryusn
#

# search result
search: 4
result: 0 Success

# numResponses: 1


The idea behind Option 1 was to add ACI to allow reading objectclass
attribute
globally, for our entire tree. (as noted above, not an option).

The idea behind Option 2 was to:
- remove global ACI allowing reading entryusn (System: Read Timestamp
and USN
Operational Attributes)


Removing a default ACI is difficult (read: new code that could go wrong) 
if we want to handle 4.0.2 properly, since installing/upgrading to 4.0.2 
will always add it back.
Perhaps we should just say in the release notes that people should 
remove it manually if they're upgrading from 4.0.2?



- update all our Read permissions to allow entryusn

Then for example, if user (SSSD) is allowed to read RBAC role
objects, he would
not be able to read either objectclass or entryusn attributes. This
means users
would be only allowed to read entryusn for objects that they can
really read
(i.e. for objects where they can read at least objectclass).

Did that clarify the options?

Of course, there is still option 3) to close as wontfix and let older
SSSDs be
incompatible with FreeIPA 4.0+.


No, 3 

Re: [Freeipa-devel] FreeIPA 4.0.3?

[Martin Kosek]

On 09/12/2014 03:21 AM, Nathaniel McCallum wrote:

On Thu, 2014-09-11 at 16:48 +0200, Petr Viktorin wrote:

On 09/11/2014 04:43 PM, Nathaniel McCallum wrote:

On Thu, 2014-09-11 at 16:39 +0200, Petr Viktorin wrote:

On 09/11/2014 04:38 PM, Ludwig Krispenz wrote:


On 09/11/2014 04:31 PM, Petr Viktorin wrote:

On 09/11/2014 04:26 PM, Martin Kosek wrote:

...

Also, we will need to add the F21 389-ds-base build to FreeIPA Copr:
http://copr.fedoraproject.org/coprs/mkosek/freeipa/
so that F20 users can upgrade to the newest FreeIPA. Are there any
known issues
in the F21 389-ds-base build that would prevent upstream FreeIPA
4.0.x to be
based on it?

If yes, we may need to include the patch in Fedora 21 downstream only
after all..


We're basing the Fedora 21 Alpha downstream on FreeIPA 4.0.3, so we
couldn't include the patch even there.
There better be no such issues.

what do you mean by no such issues ? I don't think that 389/F21 will
be the first bug free software. At the moment Thierry is investigating a
crash in dna-plugin and Noriko a memory leak, which could be in F21 -



any known issues in the F21 389-ds-base build that would prevent
upstream FreeIPA 4.0.x to be based on it


Yes. 389 will not start if weak ciphers are specified. Currently,
FreeIPA specifies weak ciphers. This means that FreeIPA in F21 doesn't
work at all because the DS will never start.

We need this patch merged: https://fedorahosted.org/389/ticket/47838


Done: thanks everyone on the DS side!


Then, we need an F21 build of 389-ds-base.


Done: thanks nhosoi!


Then we need to merge Ludwig's IPA patch from this thread with a
versioned dependency on the new 389-ds-base build.


New patch attached which includes a versioned dep on the new DS.


ipa-server-install still fails for me, even when I use 
389-ds-base-1.3.3.2-1.fc20.x86_64:


# ipa-server-install
...
  [12/13]: restarting httpd
  [13/13]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Unexpected error - see /var/log/ipaserver-install.log for details:
ObjectclassViolation: attribute allowweakciphers not allowed


I think you simply use a wrong config name - have extra s in the end. It is 
defined as


allowWeakCipher in cn=encryption,cn=config. allowWeakCipher: [on | off]


Also, do we really need to put it to off in the updates? AFAIU, it is off by 
default in our config and with current setting, users could not put it to on 
(for whatever reason) without the value being overwritten with every run of 
FreeIPA upgrade.


Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] #4534: SSSD deref processing fail when entryusn can be read and objectclass doesn't

[Martin Kosek]

On 09/12/2014 09:35 AM, Petr Viktorin wrote:

On 09/11/2014 10:24 PM, Martin Kosek wrote:

On 09/11/2014 08:49 PM, Simo Sorce wrote:

On Thu, 2014-09-11 at 20:28 +0200, Martin Kosek wrote:

On 09/11/2014 05:37 PM, Simo Sorce wrote:

On Thu, 2014-09-11 at 17:03 +0200, Martin Kosek wrote:

Hello,

We have another important issue to resolve. Current FreeIPA 4.0.2
ACI settings
cause older SSSD clients to fail as they get returned an LDAP deref
call
results without objectclass attribute and just with entryusn
attribute. Details
in https://fedorahosted.org/freeipa/ticket/4534. While I agree SSSD
should be
more tolerant in this case, it still breaks old clients which we
should prevent.

There are 2 ways how to fix I currently see:

1) Return objectclass for any entry, just like we do with
operational attributes

This would include adding objectclass to System: Read Timestamp
and USN
Operational Attributes. However, I am rather cautious about this
approach as
even though objectclass does not usually carry a secret
information, we could
still leak some information about our DIT to unprivileged user.


Our DIT is public and known, I see no problem.


I rather meant the LDAP tree and it's contents (custom groups, sudo
rules,
roles, ...).

I did one more test and found out we cannot do this as it would
undermine the
ACIs we have right now. As soon as objectclass is allowed globally,
ldapsearch
returns every object even if no other attribute is returned:

# ldapsearch -h `hostname` -Y GSSAPI -b
cn=pbac,dc=mkosek-fedora20,dc=test
SASL/GSSAPI authentication started
SASL username: host/ipa.mkosek-fedora20.t...@mkosek-fedora20.test
SASL SSF: 56
SASL data security layer installed.
...
# User Administrators, privileges, pbac, mkosek-fedora20.test
dn: cn=User
Administrators,cn=privileges,cn=pbac,dc=mkosek-fedora20,dc=test
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
...

It would not show any more info before that, but even the list of
permissions,
privileges and roles along with it's names is a leaked information.



2) Show objectclass+operational attributes in our Read ACIs
Other way I see is to update *all* our Read permissions allowing
reading
objectclass attribute and also allow the chosen LDAP operational
attribute.
This would let the LDAP caller to always get either all these
discussed
attributes but none at all.


Do we want to do this? Any other (better) idea how to approach it?


I honestly am not sure I understand the distinction between 1 and 2,
can
you provide the actual ACIs or a behavior example ?

Simo.


Currently, our ACI allows reading entryusn in any LDAP entry. So user
(SSSD)
running LDAP deref call gets entryusn from object it does not have a
read
access to:

# ldapsearch -h `hostname` -Y GSSAPI -b
uid=admin,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test -E
'deref=memberof:objectclass,entryusn'
SASL/GSSAPI authentication started
SASL username: host/ipa.mkosek-fedora20.t...@mkosek-fedora20.test
SASL SSF: 56
SASL data security layer installed.
...
# memberof: entryusn=845;cn=replication
administrators,cn=privileges,cn=pba
   c,dc=mkosek-fedora20,dc=test

# memberof: entryusn=75;cn=add replication
agreements,cn=permissions,cn=pba
   c,dc=mkosek-fedora20,dc=test
...

This confuses SSSD (sees entryusn but does not see objectclass
attribute) + may
give out some information we do not want to give out. Fortunately, bare
ldapsearch does not show anything:

# ldapsearch -h `hostname` -Y GSSAPI -b cn=replication
administrators,cn=privileges,cn=pbac,dc=mkosek-fedora20,dc=test
entryusn
SASL/GSSAPI authentication started
SASL username: host/ipa.mkosek-fedora20.t...@mkosek-fedora20.test
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base cn=replication
administrators,cn=privileges,cn=pbac,dc=mkosek-fedora20,dc=test with
scope subtree
# filter: (objectclass=*)
# requesting: entryusn
#

# search result
search: 4
result: 0 Success

# numResponses: 1


The idea behind Option 1 was to add ACI to allow reading objectclass
attribute
globally, for our entire tree. (as noted above, not an option).

The idea behind Option 2 was to:
- remove global ACI allowing reading entryusn (System: Read Timestamp
and USN
Operational Attributes)


Removing a default ACI is difficult (read: new code that could go wrong) if we
want to handle 4.0.2 properly, since installing/upgrading to 4.0.2 will always
add it back.
Perhaps we should just say in the release notes that people should remove it
manually if they're upgrading from 4.0.2?


Well, I am not convinced that everyone reads the release notes, so I would 
rather delete this permission in 4.0.3. Hopefully, there won't be many 4.0.2 
users. It seems as a lesser evil to me than having SSSD clients broken.



- update all our Read permissions to allow entryusn

Then for example, if user (SSSD) is allowed to read RBAC role
objects, he would
not be able to read either objectclass or entryusn attributes. This
means users
would be only 

Re: [Freeipa-devel] #4534: SSSD deref processing fail when entryusn can be read and objectclass doesn't

[Alexander Bokovoy]

On Fri, 12 Sep 2014, Martin Kosek wrote:

Operational Attributes)


Removing a default ACI is difficult (read: new code that could go wrong) if we
want to handle 4.0.2 properly, since installing/upgrading to 4.0.2 will always
add it back.
Perhaps we should just say in the release notes that people should remove it
manually if they're upgrading from 4.0.2?


Well, I am not convinced that everyone reads the release notes, so I 
would rather delete this permission in 4.0.3. Hopefully, there won't 
be many 4.0.2 users. It seems as a lesser evil to me than having SSSD 
clients broken.

If we are going to replace other ACIs by adding to them a right to read
these attributes, then removing a separate default ACI is not a problem,
isn't it?

--
/ Alexander Bokovoy

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] #4534: SSSD deref processing fail when entryusn can be read and objectclass doesn't

[Petr Viktorin]

On 09/12/2014 09:48 AM, Alexander Bokovoy wrote:

On Fri, 12 Sep 2014, Martin Kosek wrote:

Operational Attributes)


Removing a default ACI is difficult (read: new code that could go
wrong) if we
want to handle 4.0.2 properly, since installing/upgrading to 4.0.2
will always
add it back.
Perhaps we should just say in the release notes that people should
remove it
manually if they're upgrading from 4.0.2?


Well, I am not convinced that everyone reads the release notes, so I
would rather delete this permission in 4.0.3. Hopefully, there won't
be many 4.0.2 users. It seems as a lesser evil to me than having SSSD
clients broken.

If we are going to replace other ACIs by adding to them a right to read
these attributes, then removing a separate default ACI is not a problem,
isn't it?


It's not much of a policy problem, it's just adding new code this late 
in the cycle: The permission updater doesn't yet have a mechanism to 
remove a permission, so I'm writing it now.


--
Petr³

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] FreeIPA 4.0.3?

[Ludwig Krispenz]

On 09/12/2014 09:37 AM, Martin Kosek wrote:

On 09/12/2014 03:21 AM, Nathaniel McCallum wrote:

On Thu, 2014-09-11 at 16:48 +0200, Petr Viktorin wrote:

On 09/11/2014 04:43 PM, Nathaniel McCallum wrote:

On Thu, 2014-09-11 at 16:39 +0200, Petr Viktorin wrote:

On 09/11/2014 04:38 PM, Ludwig Krispenz wrote:


On 09/11/2014 04:31 PM, Petr Viktorin wrote:

On 09/11/2014 04:26 PM, Martin Kosek wrote:

...
Also, we will need to add the F21 389-ds-base build to FreeIPA 
Copr:

http://copr.fedoraproject.org/coprs/mkosek/freeipa/
so that F20 users can upgrade to the newest FreeIPA. Are there any
known issues
in the F21 389-ds-base build that would prevent upstream FreeIPA
4.0.x to be
based on it?

If yes, we may need to include the patch in Fedora 21 
downstream only

after all..


We're basing the Fedora 21 Alpha downstream on FreeIPA 4.0.3, so we
couldn't include the patch even there.
There better be no such issues.
what do you mean by no such issues ? I don't think that 389/F21 
will
be the first bug free software. At the moment Thierry is 
investigating a
crash in dna-plugin and Noriko a memory leak, which could be in 
F21 -




any known issues in the F21 389-ds-base build that would prevent
upstream FreeIPA 4.0.x to be based on it


Yes. 389 will not start if weak ciphers are specified. Currently,
FreeIPA specifies weak ciphers. This means that FreeIPA in F21 doesn't
work at all because the DS will never start.

We need this patch merged: https://fedorahosted.org/389/ticket/47838


Done: thanks everyone on the DS side!


Then, we need an F21 build of 389-ds-base.


Done: thanks nhosoi!


Then we need to merge Ludwig's IPA patch from this thread with a
versioned dependency on the new 389-ds-base build.


New patch attached which includes a versioned dep on the new DS.


ipa-server-install still fails for me, even when I use 
389-ds-base-1.3.3.2-1.fc20.x86_64:


# ipa-server-install
...
  [12/13]: restarting httpd
  [13/13]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Unexpected error - see /var/log/ipaserver-install.log for details:
ObjectclassViolation: attribute allowweakciphers not allowed


I think you simply use a wrong config name - have extra s in the 
end. It is defined as

that typo was already in my first draft of the patch, sorry


allowWeakCipher in cn=encryption,cn=config. allowWeakCipher: [on | off]


Also, do we really need to put it to off in the updates? AFAIU, it 
is off by default in our config and with current setting, users could 
not put it to on (for whatever reason) without the value being 
overwritten with every run of FreeIPA upgrade.
could there be an upgrade from a install not yet using that params. 
should only:allowWeakCipher be replaced by addifnew ?




Martin


___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] FreeIPA 4.0.3?

[Martin Kosek]

On 09/12/2014 10:13 AM, Ludwig Krispenz wrote:


On 09/12/2014 09:37 AM, Martin Kosek wrote:

On 09/12/2014 03:21 AM, Nathaniel McCallum wrote:

On Thu, 2014-09-11 at 16:48 +0200, Petr Viktorin wrote:

On 09/11/2014 04:43 PM, Nathaniel McCallum wrote:

On Thu, 2014-09-11 at 16:39 +0200, Petr Viktorin wrote:

On 09/11/2014 04:38 PM, Ludwig Krispenz wrote:


On 09/11/2014 04:31 PM, Petr Viktorin wrote:

On 09/11/2014 04:26 PM, Martin Kosek wrote:

...

Also, we will need to add the F21 389-ds-base build to FreeIPA Copr:
http://copr.fedoraproject.org/coprs/mkosek/freeipa/
so that F20 users can upgrade to the newest FreeIPA. Are there any
known issues
in the F21 389-ds-base build that would prevent upstream FreeIPA
4.0.x to be
based on it?

If yes, we may need to include the patch in Fedora 21 downstream only
after all..


We're basing the Fedora 21 Alpha downstream on FreeIPA 4.0.3, so we
couldn't include the patch even there.
There better be no such issues.

what do you mean by no such issues ? I don't think that 389/F21 will
be the first bug free software. At the moment Thierry is investigating a
crash in dna-plugin and Noriko a memory leak, which could be in F21 -



any known issues in the F21 389-ds-base build that would prevent
upstream FreeIPA 4.0.x to be based on it


Yes. 389 will not start if weak ciphers are specified. Currently,
FreeIPA specifies weak ciphers. This means that FreeIPA in F21 doesn't
work at all because the DS will never start.

We need this patch merged: https://fedorahosted.org/389/ticket/47838


Done: thanks everyone on the DS side!


Then, we need an F21 build of 389-ds-base.


Done: thanks nhosoi!


Then we need to merge Ludwig's IPA patch from this thread with a
versioned dependency on the new 389-ds-base build.


New patch attached which includes a versioned dep on the new DS.


ipa-server-install still fails for me, even when I use
389-ds-base-1.3.3.2-1.fc20.x86_64:

# ipa-server-install
...
  [12/13]: restarting httpd
  [13/13]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Unexpected error - see /var/log/ipaserver-install.log for details:
ObjectclassViolation: attribute allowweakciphers not allowed


I think you simply use a wrong config name - have extra s in the end. It is
defined as

that typo was already in my first draft of the patch, sorry


allowWeakCipher in cn=encryption,cn=config. allowWeakCipher: [on | off]


Also, do we really need to put it to off in the updates? AFAIU, it is off
by default in our config and with current setting, users could not put it to
on (for whatever reason) without the value being overwritten with every run
of FreeIPA upgrade.

could there be an upgrade from a install not yet using that params. should
only:allowWeakCipher be replaced by addifnew ?


You can try default:allowWeakCiphers: off - it would set the attribute to off 
if it was not there before.


Given you are probably working on updated version, I would also recommend 
following

http://www.freeipa.org/page/Contribute/Patch_Format#Patch_format_2

as I saw couple nitpicks with your patch
- ticket number in patch description and not in it's body
- bad From field - I would rather expect it to be Ludwig Krispenz 
lkris...@redhat.com than lkrispen lkris...@redhat.com


Thanks,
Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] #4534: SSSD deref processing fail when entryusn can be read and objectclass doesn't

[thierry bordaz]

On 09/11/2014 10:24 PM, Martin Kosek wrote:

On 09/11/2014 08:49 PM, Simo Sorce wrote:

On Thu, 2014-09-11 at 20:28 +0200, Martin Kosek wrote:

On 09/11/2014 05:37 PM, Simo Sorce wrote:

On Thu, 2014-09-11 at 17:03 +0200, Martin Kosek wrote:

Hello,

We have another important issue to resolve. Current FreeIPA 4.0.2 
ACI settings
cause older SSSD clients to fail as they get returned an LDAP 
deref call
results without objectclass attribute and just with entryusn 
attribute. Details
in https://fedorahosted.org/freeipa/ticket/4534. While I agree 
SSSD should be
more tolerant in this case, it still breaks old clients which we 
should prevent.


There are 2 ways how to fix I currently see:

1) Return objectclass for any entry, just like we do with 
operational attributes


This would include adding objectclass to System: Read Timestamp 
and USN
Operational Attributes. However, I am rather cautious about this 
approach as
even though objectclass does not usually carry a secret 
information, we could

still leak some information about our DIT to unprivileged user.


Our DIT is public and known, I see no problem.


I rather meant the LDAP tree and it's contents (custom groups, sudo 
rules,

roles, ...).

I did one more test and found out we cannot do this as it would 
undermine the
ACIs we have right now. As soon as objectclass is allowed globally, 
ldapsearch

returns every object even if no other attribute is returned:

# ldapsearch -h `hostname` -Y GSSAPI -b 
cn=pbac,dc=mkosek-fedora20,dc=test

SASL/GSSAPI authentication started
SASL username: host/ipa.mkosek-fedora20.t...@mkosek-fedora20.test
SASL SSF: 56
SASL data security layer installed.
...
# User Administrators, privileges, pbac, mkosek-fedora20.test
dn: cn=User 
Administrators,cn=privileges,cn=pbac,dc=mkosek-fedora20,dc=test

objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
...

It would not show any more info before that, but even the list of 
permissions,

privileges and roles along with it's names is a leaked information.



2) Show objectclass+operational attributes in our Read ACIs
Other way I see is to update *all* our Read permissions allowing 
reading
objectclass attribute and also allow the chosen LDAP operational 
attribute.
This would let the LDAP caller to always get either all these 
discussed

attributes but none at all.


Do we want to do this? Any other (better) idea how to approach it?


I honestly am not sure I understand the distinction between 1 and 
2, can

you provide the actual ACIs or a behavior example ?

Simo.


Currently, our ACI allows reading entryusn in any LDAP entry. So 
user (SSSD)
running LDAP deref call gets entryusn from object it does not have a 
read

access to:

# ldapsearch -h `hostname` -Y GSSAPI -b
uid=admin,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test -E
'deref=memberof:objectclass,entryusn'
SASL/GSSAPI authentication started
SASL username: host/ipa.mkosek-fedora20.t...@mkosek-fedora20.test
SASL SSF: 56
SASL data security layer installed.
...
# memberof: entryusn=845;cn=replication 
administrators,cn=privileges,cn=pba

   c,dc=mkosek-fedora20,dc=test

# memberof: entryusn=75;cn=add replication 
agreements,cn=permissions,cn=pba

   c,dc=mkosek-fedora20,dc=test
...

This confuses SSSD (sees entryusn but does not see objectclass 
attribute) + may

give out some information we do not want to give out. Fortunately, bare
ldapsearch does not show anything:

# ldapsearch -h `hostname` -Y GSSAPI -b cn=replication
administrators,cn=privileges,cn=pbac,dc=mkosek-fedora20,dc=test 
entryusn

SASL/GSSAPI authentication started
SASL username: host/ipa.mkosek-fedora20.t...@mkosek-fedora20.test
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base cn=replication
administrators,cn=privileges,cn=pbac,dc=mkosek-fedora20,dc=test 
with scope subtree

# filter: (objectclass=*)
# requesting: entryusn
#

# search result
search: 4
result: 0 Success

# numResponses: 1


The idea behind Option 1 was to add ACI to allow reading objectclass 
attribute

globally, for our entire tree. (as noted above, not an option).

The idea behind Option 2 was to:
- remove global ACI allowing reading entryusn (System: Read 
Timestamp and USN

Operational Attributes)
- update all our Read permissions to allow entryusn

Then for example, if user (SSSD) is allowed to read RBAC role 
objects, he would
not be able to read either objectclass or entryusn attributes. This 
means users
would be only allowed to read entryusn for objects that they can 
really read

(i.e. for objects where they can read at least objectclass).

Did that clarify the options?

Of course, there is still option 3) to close as wontfix and let 
older SSSDs be

incompatible with FreeIPA 4.0+.


No, 3 is definitely not on the table, I would rather do 1, but I guess 2
is the only good way for now ?

Simo.


Yeah - 1) would be easy to implement, but it would be a step back in 
our ACI model (global allowing ACI again...).


Something based on 2) 

Re: [Freeipa-devel] #4534: SSSD deref processing fail when entryusn can be read and objectclass doesn't

[Martin Kosek]

On 09/12/2014 10:27 AM, thierry bordaz wrote:

On 09/11/2014 10:24 PM, Martin Kosek wrote:

On 09/11/2014 08:49 PM, Simo Sorce wrote:

On Thu, 2014-09-11 at 20:28 +0200, Martin Kosek wrote:

On 09/11/2014 05:37 PM, Simo Sorce wrote:

On Thu, 2014-09-11 at 17:03 +0200, Martin Kosek wrote:

Hello,

We have another important issue to resolve. Current FreeIPA 4.0.2 ACI
settings
cause older SSSD clients to fail as they get returned an LDAP deref call
results without objectclass attribute and just with entryusn attribute.
Details
in https://fedorahosted.org/freeipa/ticket/4534. While I agree SSSD
should be
more tolerant in this case, it still breaks old clients which we should
prevent.

There are 2 ways how to fix I currently see:

1) Return objectclass for any entry, just like we do with operational
attributes

This would include adding objectclass to System: Read Timestamp and USN
Operational Attributes. However, I am rather cautious about this
approach as
even though objectclass does not usually carry a secret information, we
could
still leak some information about our DIT to unprivileged user.


Our DIT is public and known, I see no problem.


I rather meant the LDAP tree and it's contents (custom groups, sudo rules,
roles, ...).

I did one more test and found out we cannot do this as it would undermine the
ACIs we have right now. As soon as objectclass is allowed globally, ldapsearch
returns every object even if no other attribute is returned:

# ldapsearch -h `hostname` -Y GSSAPI -b cn=pbac,dc=mkosek-fedora20,dc=test
SASL/GSSAPI authentication started
SASL username: host/ipa.mkosek-fedora20.t...@mkosek-fedora20.test
SASL SSF: 56
SASL data security layer installed.
...
# User Administrators, privileges, pbac, mkosek-fedora20.test
dn: cn=User Administrators,cn=privileges,cn=pbac,dc=mkosek-fedora20,dc=test
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
...

It would not show any more info before that, but even the list of permissions,
privileges and roles along with it's names is a leaked information.



2) Show objectclass+operational attributes in our Read ACIs
Other way I see is to update *all* our Read permissions allowing reading
objectclass attribute and also allow the chosen LDAP operational attribute.
This would let the LDAP caller to always get either all these discussed
attributes but none at all.


Do we want to do this? Any other (better) idea how to approach it?


I honestly am not sure I understand the distinction between 1 and 2, can
you provide the actual ACIs or a behavior example ?

Simo.


Currently, our ACI allows reading entryusn in any LDAP entry. So user (SSSD)
running LDAP deref call gets entryusn from object it does not have a read
access to:

# ldapsearch -h `hostname` -Y GSSAPI -b
uid=admin,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test -E
'deref=memberof:objectclass,entryusn'
SASL/GSSAPI authentication started
SASL username: host/ipa.mkosek-fedora20.t...@mkosek-fedora20.test
SASL SSF: 56
SASL data security layer installed.
...
# memberof: entryusn=845;cn=replication administrators,cn=privileges,cn=pba
   c,dc=mkosek-fedora20,dc=test

# memberof: entryusn=75;cn=add replication agreements,cn=permissions,cn=pba
   c,dc=mkosek-fedora20,dc=test
...

This confuses SSSD (sees entryusn but does not see objectclass attribute) +
may
give out some information we do not want to give out. Fortunately, bare
ldapsearch does not show anything:

# ldapsearch -h `hostname` -Y GSSAPI -b cn=replication
administrators,cn=privileges,cn=pbac,dc=mkosek-fedora20,dc=test entryusn
SASL/GSSAPI authentication started
SASL username: host/ipa.mkosek-fedora20.t...@mkosek-fedora20.test
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base cn=replication
administrators,cn=privileges,cn=pbac,dc=mkosek-fedora20,dc=test with scope
subtree
# filter: (objectclass=*)
# requesting: entryusn
#

# search result
search: 4
result: 0 Success

# numResponses: 1


The idea behind Option 1 was to add ACI to allow reading objectclass attribute
globally, for our entire tree. (as noted above, not an option).

The idea behind Option 2 was to:
- remove global ACI allowing reading entryusn (System: Read Timestamp and USN
Operational Attributes)
- update all our Read permissions to allow entryusn

Then for example, if user (SSSD) is allowed to read RBAC role objects, he
would
not be able to read either objectclass or entryusn attributes. This means
users
would be only allowed to read entryusn for objects that they can really read
(i.e. for objects where they can read at least objectclass).

Did that clarify the options?

Of course, there is still option 3) to close as wontfix and let older SSSDs be
incompatible with FreeIPA 4.0+.


No, 3 is definitely not on the table, I would rather do 1, but I guess 2
is the only good way for now ?

Simo.


Yeah - 1) would be easy to implement, but it would be a step back in our ACI
model (global allowing ACI again...).

Something based on 2) is the 

Re: [Freeipa-devel] [PATCH] 0009 Detect and configure all usable IP addresses.

[David Kupka]

On 09/08/2014 05:56 PM, Martin Basti wrote:

On 02/09/14 16:55, David Kupka wrote:

The patch now depends on freeipa-dkupka-0012 as both modifies the same
part of code.


freeipa-dkupka-0012 is now accepted and merged upstream so there is no 
need to take this dependency into account.




On 09/02/2014 10:29 AM, David Kupka wrote:

Forget to add str() conversion to some places when removing map(). Now
it should be working again.

On 08/27/2014 02:24 PM, David Kupka wrote:

Patch modified according to jcholast's personally-delivered feedback:

  1) use action='append' instead of that ugly parsing

  2) do not use map(), FreeIPA doesn't like it

On 08/25/2014 05:04 PM, David Kupka wrote:

https://fedorahosted.org/freeipa/ticket/3575

Also should fix https://bugzilla.redhat.com/show_bug.cgi?id=1128380 as
installation is no longer interrupted when multiple IPs are resolved.
But it does not add the option to change the IP address during second
run.



I haven't tested it yet, I only take a look because there may be
conflict with 'dns root zone support' refactoring

1)
+for ns_ip_address in nameserver_ip_address:
+add_zone(self.domain, self.zonemgr,
dns_backup=self.dns_backup,
+ns_hostname=api.env.host, ns_ip_address=ns_ip_address,
+force=True)
Are you sure this will work? Domain name is the same, so no new zone
will be created (DuplicateEntry exception is handled inside add_zone
function).
IMO you should call add_zone only once.


Fixed, thanks.



BTW: I will change the add_zone function in refactoring , ns_hostname
wil be remove, and ns_ip_address will take an p+ipv6 address

2)
+resolv_txt = ''
+for ip_address in self.ip_address:
+resolv_txt += search +self.domain+\nnameserver
+str(ip_address)+\n
There is multiple search statements.

search example.com
nameserver 192.168.1.1
search example.com
nameserver 2001:db8::1
...

and also there si a limit of namesevers which can be in resolv.conf, but
I dont know if we care,  statements over limit should be just ignored.
http://linux.die.net/man/5/resolv.conf


Since now, only localhost addresses (::1, 127.0.0.1) are placed inside 
this file when DNS server is part of the installation.




3)
self.ip_address is confusing for me, I'm expecting only one address.
Could it be ip_addresses or ip_address_list? Ask the framework gurus :-)



Changed to plural as there are other variables named this way.

--
David Kupka
From 7c5bc742b08403a1a6d878b21dc725a2f71f48da Mon Sep 17 00:00:00 2001
From: David Kupka dku...@redhat.com
Date: Wed, 27 Aug 2014 13:50:21 +0200
Subject: [PATCH] Detect and configure all usable IP addresses.

Find, verify and configure all IP addresses that can be used to reach the server
FreeIPA is being installed on. Ignore some IP address only if user specifies
subset of detected addresses using --ip-address option.
This change simplyfies FreeIPA installation on multihomed and dual-stacked servers.

https://fedorahosted.org/freeipa/ticket/3575
---
 install/tools/ipa-replica-install| 69 ++-
 install/tools/ipa-server-install | 63 -
 ipaserver/install/bindinstance.py| 74 +++--
 ipaserver/install/installutils.py| 94 
 ipaserver/install/ipa_replica_prepare.py | 66 --
 5 files changed, 207 insertions(+), 159 deletions(-)

diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 7c9e27e2b9d248653681c85236d3541ec9ab0ec7..6ca78a9c60d61d811ab09eb898966fb55bb3daf6 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -67,8 +67,8 @@ def parse_options():
   default=False, help=configure a dogtag CA)
 basic_group.add_option(--setup-kra, dest=setup_kra, action=store_true,
   default=False, help=configure a dogtag KRA)
-basic_group.add_option(--ip-address, dest=ip_address,
-  type=ip, ip_local=True,
+basic_group.add_option(--ip-address, dest=ip_addresses,
+  type=ip, ip_local=True, action=append, default=[],
   help=Replica server IP Address)
 basic_group.add_option(-p, --password, dest=password, sensitive=True,
   help=Directory Manager (existing master) password)
@@ -112,7 +112,8 @@ def parse_options():
   type=ip, help=Add a DNS forwarder)
 dns_group.add_option(--no-forwarders, dest=no_forwarders, action=store_true,
   default=False, help=Do not add any DNS forwarders, use root servers instead)
-dns_group.add_option(--reverse-zone, dest=reverse_zone, help=The reverse DNS zone to use)
+dns_group.add_option(--reverse-zone, dest=reverse_zones, default=[],
+ action=append, help=The reverse DNS zone to use)
 dns_group.add_option(--no-reverse, dest=no_reverse, 

Re: [Freeipa-devel] FreeIPA 4.0.3?

[Martin Kosek]

On 09/12/2014 10:25 AM, Martin Kosek wrote:

On 09/12/2014 10:13 AM, Ludwig Krispenz wrote:


On 09/12/2014 09:37 AM, Martin Kosek wrote:

On 09/12/2014 03:21 AM, Nathaniel McCallum wrote:

On Thu, 2014-09-11 at 16:48 +0200, Petr Viktorin wrote:

On 09/11/2014 04:43 PM, Nathaniel McCallum wrote:

On Thu, 2014-09-11 at 16:39 +0200, Petr Viktorin wrote:

On 09/11/2014 04:38 PM, Ludwig Krispenz wrote:


On 09/11/2014 04:31 PM, Petr Viktorin wrote:

On 09/11/2014 04:26 PM, Martin Kosek wrote:

...

Also, we will need to add the F21 389-ds-base build to FreeIPA Copr:
http://copr.fedoraproject.org/coprs/mkosek/freeipa/
so that F20 users can upgrade to the newest FreeIPA. Are there any
known issues
in the F21 389-ds-base build that would prevent upstream FreeIPA
4.0.x to be
based on it?

If yes, we may need to include the patch in Fedora 21 downstream only
after all..


We're basing the Fedora 21 Alpha downstream on FreeIPA 4.0.3, so we
couldn't include the patch even there.
There better be no such issues.

what do you mean by no such issues ? I don't think that 389/F21 will
be the first bug free software. At the moment Thierry is investigating a
crash in dna-plugin and Noriko a memory leak, which could be in F21 -



any known issues in the F21 389-ds-base build that would prevent
upstream FreeIPA 4.0.x to be based on it


Yes. 389 will not start if weak ciphers are specified. Currently,
FreeIPA specifies weak ciphers. This means that FreeIPA in F21 doesn't
work at all because the DS will never start.

We need this patch merged: https://fedorahosted.org/389/ticket/47838


Done: thanks everyone on the DS side!


Then, we need an F21 build of 389-ds-base.


Done: thanks nhosoi!


Then we need to merge Ludwig's IPA patch from this thread with a
versioned dependency on the new 389-ds-base build.


New patch attached which includes a versioned dep on the new DS.


ipa-server-install still fails for me, even when I use
389-ds-base-1.3.3.2-1.fc20.x86_64:

# ipa-server-install
...
  [12/13]: restarting httpd
  [13/13]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Unexpected error - see /var/log/ipaserver-install.log for details:
ObjectclassViolation: attribute allowweakciphers not allowed


I think you simply use a wrong config name - have extra s in the end. It is
defined as

that typo was already in my first draft of the patch, sorry


allowWeakCipher in cn=encryption,cn=config. allowWeakCipher: [on | off]


Also, do we really need to put it to off in the updates? AFAIU, it is off
by default in our config and with current setting, users could not put it to
on (for whatever reason) without the value being overwritten with every run
of FreeIPA upgrade.

could there be an upgrade from a install not yet using that params. should
only:allowWeakCipher be replaced by addifnew ?


You can try default:allowWeakCiphers: off - it would set the attribute to off
if it was not there before.

Given you are probably working on updated version, I would also recommend
following

http://www.freeipa.org/page/Contribute/Patch_Format#Patch_format_2

as I saw couple nitpicks with your patch
- ticket number in patch description and not in it's body
- bad From field - I would rather expect it to be Ludwig Krispenz
lkris...@redhat.com than lkrispen lkris...@redhat.com

Thanks,
Martin


Hello, any update on this front? Are you or Nathaniel updating the patch?

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] [PATCH] 0001 Update-SSL-ciphers-configured-in-389-ds-base

[Ludwig Krispenz]

please review attached patch for ticket: 
https://fedorahosted.org/freeipa/ticket/4395


use new options in 389-ds to configure enabled ciphers
From e3ab55b01c7d800ffe9f4a43f328087d97e328db Mon Sep 17 00:00:00 2001
From: Ludwig Krispenz lkris...@redhat.com
Date: Fri, 12 Sep 2014 12:43:31 +0200
Subject: [PATCH] Update SSL ciphers configured in 389-ds-base

use configuration parameters to enable ciphers provided by NSS
and not considered weak.
This requires 389-ds version 1.3.3.2 or later

https://fedorahosted.org/freeipa/ticket/4395
---
 freeipa.spec.in  | 6 +++---
 install/updates/20-sslciphers.update | 6 ++
 install/updates/Makefile.am  | 1 +
 ipaserver/install/dsinstance.py  | 7 ++-
 4 files changed, 12 insertions(+), 8 deletions(-)
 create mode 100644 install/updates/20-sslciphers.update

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 0e43ee755e5ada38b8c9260d133d3d8434591470..8d66bdc3cf221d025ecea19c131f075a54dc32d9 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -18,7 +18,7 @@ Source0:freeipa-%{version}.tar.gz
 BuildRoot:  %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 %if ! %{ONLY_CLIENT}
-BuildRequires:  389-ds-base-devel = 1.3.2.16
+BuildRequires:  389-ds-base-devel = 1.3.3.2
 BuildRequires:  svrcore-devel
 BuildRequires:  policycoreutils = %{POLICYCOREUTILSVER}
 BuildRequires:  systemd-units
@@ -87,7 +87,7 @@ Group: System Environment/Base
 Requires: %{name}-python = %{version}-%{release}
 Requires: %{name}-client = %{version}-%{release}
 Requires: %{name}-admintools = %{version}-%{release}
-Requires: 389-ds-base = 1.3.2.20
+Requires: 389-ds-base = 1.3.3.2
 Requires: openldap-clients  2.4.35-4
 Requires: nss = 3.14.3-12.0
 Requires: nss-tools = 3.14.3-12.0
@@ -124,7 +124,7 @@ Requires: zip
 Requires: policycoreutils = %{POLICYCOREUTILSVER}
 Requires: tar
 Requires(pre): certmonger = 0.75.13
-Requires(pre): 389-ds-base = 1.3.2.20
+Requires(pre): 389-ds-base = 1.3.3.2
 Requires: fontawesome-fonts
 Requires: open-sans-fonts
 
diff --git a/install/updates/20-sslciphers.update b/install/updates/20-sslciphers.update
new file mode 100644
index ..b0c952f498bc89568029f1d01eaded4db1371c76
--- /dev/null
+++ b/install/updates/20-sslciphers.update
@@ -0,0 +1,6 @@
+# change configured ciphers
+# the result of this update will be that all ciphers
+# provided by NSS which ar not weak will be enabled
+dn: cn=encryption,cn=config
+only:nsSSL3Ciphers: +all
+addifnew:allowWeakCipher: off
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index a6d24b94f040293ab76866f9651079d08d4ac297..b137ffedcaf1278478a2da0cac99f5850e8efd56 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -14,6 +14,7 @@ app_DATA =\
 	20-indices.update		\
 	20-nss_ldap.update		\
 	20-replication.update		\
+	20-sslciphers.update		\
 	20-syncrepl.update		\
 	20-user_private_groups.update	\
 	20-winsync_index.update		\
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 61ea52a6bbdfc1b0d5fbc2baa87af92895541069..c15ef2ceb10b5f8815039e07e95d6fbac5a081c4 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -655,11 +655,8 @@ class DsInstance(service.Service):
 conn.do_simple_bind(DN(('cn', 'directory manager')), self.dm_password)
 
 mod = [(ldap.MOD_REPLACE, nsSSLClientAuth, allowed),
-   (ldap.MOD_REPLACE, nsSSL3Ciphers,
--rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,\
-+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,\
-+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,\
-+tls_rsa_export1024_with_des_cbc_sha)]
+   (ldap.MOD_REPLACE, nsSSL3Ciphers, +all),
+   (ldap.MOD_REPLACE, allowWeakCipher, off)]
 conn.modify_s(DN(('cn', 'encryption'), ('cn', 'config')), mod)
 
 mod = [(ldap.MOD_ADD, nsslapd-security, on)]
-- 
1.9.3

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] [PATCHES] 0642-0643 Move granting read access to entryusn timestamp entries to individual permissions

[Petr Viktorin]

https://fedorahosted.org/freeipa/ticket/4534

The entryusn and timestamp operational attributes are now automatically 
added to every read permission that targets objectclass, whether managed 
or user-created.


The 'System: Read Timestamp and USN Operational Attributes', which was 
added for 4.0.2, is removed on upgrade.



--
Petr³
From f794853264041cac730855c12ba96ab9cc564762 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Fri, 12 Sep 2014 09:59:52 +0200
Subject: [PATCH] permission plugin: Auto-add operational atttributes to read
 permissions

The attributes entryusn, createtimestamp, and modifytimestamp
should be readable whenever thir entry is, i.e. when we allow reading
the objectclass.
Automatically add them to every read permission that includes objectclass.

https://fedorahosted.org/freeipa/ticket/4534
---
 ACI.txt  | 82 
 ipalib/plugins/permission.py |  8 +++
 ipatests/test_xmlrpc/test_permission_plugin.py   | 44 +
 ipatests/test_xmlrpc/test_realmdomains_plugin.py |  3 +-
 4 files changed, 95 insertions(+), 42 deletions(-)

diff --git a/ACI.txt b/ACI.txt
index 2a3f582765b1ff1de9669f187adb9a57b19f938f..9a161a1839057198930c6e0f31a9bc3d491320ee 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -1,7 +1,7 @@
 dn: cn=automember,cn=etc,dc=ipa,dc=example
-aci: (targetattr = automemberdefaultgroup || automemberdisabled || automemberfilter || automembergroupingattr || automemberscope || cn || objectclass)(targetfilter = (objectclass=automemberdefinition))(version 3.0;acl permission:System: Read Automember Definitions;allow (compare,read,search) groupdn = ldap:///cn=System: Read Automember Definitions,cn=permissions,cn=pbac,dc=ipa,dc=example;)
+aci: (targetattr = automemberdefaultgroup || automemberdisabled || automemberfilter || automembergroupingattr || automemberscope || cn || createtimestamp || entryusn || modifytimestamp || objectclass)(targetfilter = (objectclass=automemberdefinition))(version 3.0;acl permission:System: Read Automember Definitions;allow (compare,read,search) groupdn = ldap:///cn=System: Read Automember Definitions,cn=permissions,cn=pbac,dc=ipa,dc=example;)
 dn: cn=automember,cn=etc,dc=ipa,dc=example
-aci: (targetattr = automemberexclusiveregex || automemberinclusiveregex || automembertargetgroup || cn || description || objectclass)(targetfilter = (objectclass=automemberregexrule))(version 3.0;acl permission:System: Read Automember Rules;allow (compare,read,search) groupdn = ldap:///cn=System: Read Automember Rules,cn=permissions,cn=pbac,dc=ipa,dc=example;)
+aci: (targetattr = automemberexclusiveregex || automemberinclusiveregex || automembertargetgroup || cn || createtimestamp || description || entryusn || modifytimestamp || objectclass)(targetfilter = (objectclass=automemberregexrule))(version 3.0;acl permission:System: Read Automember Rules;allow (compare,read,search) groupdn = ldap:///cn=System: Read Automember Rules,cn=permissions,cn=pbac,dc=ipa,dc=example;)
 dn: cn=tasks,cn=config
 aci: (targetattr = *)(target = ldap:///cn=*,cn=automember rebuild membership,cn=tasks,cn=config)(version 3.0;acl permission:System: Read Automember Tasks;allow (compare,read,search) groupdn = ldap:///cn=System: Read Automember Tasks,cn=permissions,cn=pbac,dc=ipa,dc=example;)
 dn: cn=automount,dc=ipa,dc=example
@@ -13,7 +13,7 @@ aci: (targetfilter = (objectclass=automount))(version 3.0;acl permission:Syst
 dn: cn=automount,dc=ipa,dc=example
 aci: (targetfilter = (objectclass=nscontainer))(version 3.0;acl permission:System: Add Automount Locations;allow (add) groupdn = ldap:///cn=System: Add Automount Locations,cn=permissions,cn=pbac,dc=ipa,dc=example;)
 dn: cn=automount,dc=ipa,dc=example
-aci: (targetattr = automountinformation || automountkey || automountmapname || cn || description || objectclass)(version 3.0;acl permission:System: Read Automount Configuration;allow (compare,read,search) userdn = ldap:///anyone;;)
+aci: (targetattr = automountinformation || automountkey || automountmapname || cn || createtimestamp || description || entryusn || modifytimestamp || objectclass)(version 3.0;acl permission:System: Read Automount Configuration;allow (compare,read,search) userdn = ldap:///anyone;;)
 dn: cn=automount,dc=ipa,dc=example
 aci: (targetfilter = (objectclass=nscontainer))(version 3.0;acl permission:System: Remove Automount Locations;allow (delete) groupdn = ldap:///cn=System: Remove Automount Locations,cn=permissions,cn=pbac,dc=ipa,dc=example;)
 dn: cn=automount,dc=ipa,dc=example
@@ -23,7 +23,7 @@ aci: (targetattr = automountmapname || description)(targetfilter = (objectcla
 dn: cn=automount,dc=ipa,dc=example
 aci: (targetfilter = (objectclass=automountmap))(version 3.0;acl permission:System: Remove Automount Maps;allow (delete) groupdn = ldap:///cn=System: Remove Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example;)
 dn: cn=ipaconfig,cn=etc,dc=ipa,dc=example
-aci: (targetattr = cn || 

Re: [Freeipa-devel] [PATCH 0291-0294] Fix locking to prevent crashes and deadlocks

[Martin Basti]

On 11/09/14 21:58, Petr Spacek wrote:

On 11.9.2014 18:34, Martin Basti wrote:

On 11/09/14 15:57, Martin Basti wrote:

On 11/09/14 11:59, Petr Spacek wrote:

Hello,

I was fighting with random crashes for couple of days ... and 
discovered
that run_exclusive_enter()/isc_task_beginexclusive() usage was 
completely

incorrect and didn't actually lock anything.

This series of patches reworks internal locking (and related event 
system)

to work around limitations of isc_task_beginexclusive() mechanism.

It would be better to get rid of isc_task_beginexclusive() 
completely but
IMHO it is not possible because of BIND's dns_view*() functions 
have to be

guarded with it.


Testing is going to be interesting because we are speaking about race
conditions.

I used ~ 100 DNS zones, each zone had ~ 100 random domain names 
inside with

random A//TXT RRs. My LDIF is here:
http://people.redhat.com/~pspacek/a/2014/09/11/dns-test.ldif.xz

I was able to randomly reproduce various crashes when BIND was 
running with

more threads than usually.

You can try to run BIND with this command (as root) and play games 
with -n

parameter:
$ export KRB5_KTNAME=/etc/named.keytab
$ named -4 -g -u named -m record -n 10

Please test also the case where BIND receives SIGINT during 
start-up. It is

possible to run BIND with commands above and wait for message:
11-Sep-2014 11:54:58.092 running

At this point send SIGINT (CTRL+C) to BIND and see what happens. It 
could

crash or deadlock.

It is necessary to send the signal before BIND prints this message:
11-Sep-2014 11:55:11.707 zone z1.test/IN: loaded serial 1410429304

Let me know if you need any assistance.


I need your assistance, I haven't been able to reproduce it.

Martin


I applied the patchset, and NACK


I don't understand how I could possibly miss this. I was convinced 
that the patch set was thoroughly tested ...


Anyway, attached patch should fix the problem you were facing. Please 
re-test it.


Thank you!

Petr^2 Spacek


#1
If named is running and I randomly choose few zones and delete them, 
it causes

named failure

dig @localhost A r1.z12.test

;  DiG 9.9.4-P2-RedHat-9.9.4-12.P2.fc20  @localhost A 
r1.z12.test

; (2 servers found)
;; global options: +cmd
;; connection timed out; no servers could be reached

* SIGINT doesn't work
* rndc doesn't work
* DS worksSIGINT signal stops working.

Output:
snip
11-Sep-2014 11:26:37.495 client 127.0.0.1#62615: received notify for 
zone

'z99.test'

^C^C^C^C^C^C^C^C


Process:
named29125  1.1  2.9 789972 45976 pts/0Sl+  11:26   0:02 
named -4 -g

-u named -m record -n 10

I have to kill it with kill -9

#2
same as #1 If new zone is added,

#3
same as #1 If new record is added

#4
same as #1 If record is deleted

Functional ACK

--
Martin Basti

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH 0291-0294] Fix locking to prevent crashes and deadlocks

[Petr Spacek]

On 12.9.2014 14:45, Martin Basti wrote:

On 11/09/14 21:58, Petr Spacek wrote:

On 11.9.2014 18:34, Martin Basti wrote:

On 11/09/14 15:57, Martin Basti wrote:

On 11/09/14 11:59, Petr Spacek wrote:

Hello,

I was fighting with random crashes for couple of days ... and discovered
that run_exclusive_enter()/isc_task_beginexclusive() usage was completely
incorrect and didn't actually lock anything.

This series of patches reworks internal locking (and related event system)
to work around limitations of isc_task_beginexclusive() mechanism.

It would be better to get rid of isc_task_beginexclusive() completely but
IMHO it is not possible because of BIND's dns_view*() functions have to be
guarded with it.


Testing is going to be interesting because we are speaking about race
conditions.

I used ~ 100 DNS zones, each zone had ~ 100 random domain names inside with
random A//TXT RRs. My LDIF is here:
http://people.redhat.com/~pspacek/a/2014/09/11/dns-test.ldif.xz

I was able to randomly reproduce various crashes when BIND was running with
more threads than usually.

You can try to run BIND with this command (as root) and play games with -n
parameter:
$ export KRB5_KTNAME=/etc/named.keytab
$ named -4 -g -u named -m record -n 10

Please test also the case where BIND receives SIGINT during start-up. It is
possible to run BIND with commands above and wait for message:
11-Sep-2014 11:54:58.092 running

At this point send SIGINT (CTRL+C) to BIND and see what happens. It could
crash or deadlock.

It is necessary to send the signal before BIND prints this message:
11-Sep-2014 11:55:11.707 zone z1.test/IN: loaded serial 1410429304

Let me know if you need any assistance.


I need your assistance, I haven't been able to reproduce it.

Martin


...


Functional ACK


Pushed to master:
1d23e27e0198cacdbbb14ac13ff039c33546d9af
09386eb446ac8d9c12110d21f2d4da36c1b792bf
e7d8f6f175eae795c603eee00d06d5799b2d6c39
17a29e20406ad9db0b28fcb6ec4b02394385fe53

--
Petr^2 Spacek

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] [PATCH 0295-0296] Release 5.3

[Petr Spacek]

Hello,

Update NEWS for upcoming 5.3 release.
Pushed to master: b1a176d0b71127b428db3a901f736d1ca2ed6a65

Bump NVR to 5.3.
Pushed to master: 9886db5772a6635bdc33f718685b7df0ea1a3ea1

--
Petr^2 Spacek
From b1a176d0b71127b428db3a901f736d1ca2ed6a65 Mon Sep 17 00:00:00 2001
From: Petr Spacek pspa...@redhat.com
Date: Fri, 12 Sep 2014 15:10:48 +0200
Subject: [PATCH] Update NEWS for upcoming 5.3 release.

Signed-off-by: Petr Spacek pspa...@redhat.com
---
 NEWS | 4 
 1 file changed, 4 insertions(+)

diff --git a/NEWS b/NEWS
index e5117116286dd61441b950073bfe8672012e278d..f9869ba447ff34bed0d42d514846f8a47e5be496 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,7 @@
+5.3
+
+[1] Internal locking was reworked to prevent crashes and deadlocks.
+
 5.2
 
 [1] Kerberos ticket expiration is now handled correctly.
-- 
1.9.3

From 9886db5772a6635bdc33f718685b7df0ea1a3ea1 Mon Sep 17 00:00:00 2001
From: Petr Spacek pspa...@redhat.com
Date: Fri, 12 Sep 2014 15:11:20 +0200
Subject: [PATCH] Bump NVR to 5.3.

Signed-off-by: Petr Spacek pspa...@redhat.com
---
 configure.ac | 2 +-
 contrib/bind-dyndb-ldap.spec | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/configure.ac b/configure.ac
index 2604819c399f3fe3fa547dd90fef61dea77f5b61..adb3b549e13f243d3f18adc91ddf766d036c4686 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
 AC_PREREQ([2.59])
-AC_INIT([bind-dyndb-ldap], [5.2], [freeipa-devel@redhat.com])
+AC_INIT([bind-dyndb-ldap], [5.3], [freeipa-devel@redhat.com])
 
 AM_INIT_AUTOMAKE([-Wall foreign dist-bzip2])
 
diff --git a/contrib/bind-dyndb-ldap.spec b/contrib/bind-dyndb-ldap.spec
index bb23bcc27257af70c4c588bd4e5b4799b2089abb..70796e62e349a94fb97047d00e4f2b145576412d 100644
--- a/contrib/bind-dyndb-ldap.spec
+++ b/contrib/bind-dyndb-ldap.spec
@@ -1,7 +1,7 @@
 %define VERSION %{version}
 
 Name:   bind-dyndb-ldap
-Version:5.2
+Version:5.3
 Release:0%{?dist}
 Summary:LDAP back-end plug-in for BIND
 
-- 
1.9.3

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCHES 0114-0115, 0120-0121] DNS: allow to add root zone '.'

[Martin Basti]

On 03/09/14 12:45, Martin Basti wrote:

On 03/09/14 12:27, Martin Kosek wrote:

On 09/02/2014 05:46 PM, Petr Spacek wrote:

On 25.8.2014 14:52, Martin Basti wrote:

Patches attached.

Ticket: https://fedorahosted.org/freeipa/ticket/4149

There is a bug in bind-dyndb-ldap (or worse in dirsrv), which cause 
the named

service is stopped after deleting zone.
Bug ticket: https://fedorahosted.org/bind-dyndb-ldap/ticket/138
Functional ACK, it works for me. It can be pushed if Python gurus 
are okay with

the code.
Is it safe to commit the change given that bind-dyndb-ldap still 
crash when .

is removed? Wouldn't it break our CI tests?

Maybe we should wait until fixed bind-dydnb-ldap is released. 
Hopefully it

would be soon.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

It will broke tests, don't push it until bind-dyndb-ldap is fixed.
Currently I'm testing bind-dyndb-ldap related patch.


Added patches 120 and 121, which are required by DNS to work correctly.
Patches 120 and 121 add all DNS replicas to zone apex as NS, 
--name-server option doesn't add NS record, only changes the SOA MNAME 
attribute


Original and new patches attached.

--
Martin Basti

From 9ed12420bf52a2d2dab1f8cc4f1f6b1b5f86a801 Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Fri, 22 Aug 2014 17:11:22 +0200
Subject: [PATCH 1/2] Fix DNS plugin to allow to add root zone

Ticket: https://fedorahosted.org/freeipa/ticket/4149
---
 ipalib/plugins/dns.py | 53 ++-
 1 file changed, 31 insertions(+), 22 deletions(-)

diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index 24b303d8405aa3b4a6e0474e75d0e46e6949860d..9c8d09856a57f12b0ff1a52c8f0277f7abb29cdd 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -1783,17 +1783,21 @@ class DNSZoneBase(LDAPObject):
 zone = keys[-1]
 assert isinstance(zone, DNSName)
 assert zone.is_absolute()
-zone = zone.ToASCII()
+zone_a = zone.ToASCII()
+
+# special case when zone is the root zone ('.')
+if zone == DNSName.root:
+return super(DNSZoneBase, self).get_dn(zone_a, **options)
 
 # try first relative name, a new zone has to be added as absolute
 # otherwise ObjectViolation is raised
-zone = zone[:-1]
-dn = super(DNSZoneBase, self).get_dn(zone, **options)
+zone_a = zone_a[:-1]
+dn = super(DNSZoneBase, self).get_dn(zone_a, **options)
 try:
 self.backend.get_entry(dn, [''])
 except errors.NotFound:
-zone = u%s. % zone
-dn = super(DNSZoneBase, self).get_dn(zone, **options)
+zone_a = u%s. % zone_a
+dn = super(DNSZoneBase, self).get_dn(zone_a, **options)
 
 return dn
 
@@ -1825,6 +1829,8 @@ class DNSZoneBase(LDAPObject):
 try:
 api.Command['permission_del'](permission_name, force=True)
 except errors.NotFound, e:
+if zone == DNSName.root:  # special case root zone
+raise
 # compatibility, older IPA versions which allows to create zone
 # without absolute zone name
 permission_name_rel = self.permission_name(
@@ -1988,20 +1994,21 @@ class DNSZoneBase_add_permission(LDAPQuery):
 permission_name = self.obj.permission_name(keys[-1])
 
 # compatibility with older IPA versions which allows relative zonenames
-permission_name_rel = self.obj.permission_name(
-keys[-1].relativize(DNSName.root)
-)
-try:
-api.Object['permission'].get_dn_if_exists(permission_name_rel)
-except errors.NotFound:
-pass
-else:
-# permission exists without absolute domain name
-raise errors.DuplicateEntry(
-message=_('permission %(value)s already exists') % {
-'value': permission_name
-}
+if keys[-1] != DNSName.root:  # special case root zone
+permission_name_rel = self.obj.permission_name(
+keys[-1].relativize(DNSName.root)
 )
+try:
+api.Object['permission'].get_dn_if_exists(permission_name_rel)
+except errors.NotFound:
+pass
+else:
+# permission exists without absolute domain name
+raise errors.DuplicateEntry(
+message=_('permission %(value)s already exists') % {
+'value': permission_name
+}
+)
 
 permission = api.Command['permission_add_noaci'](permission_name,
  ipapermissiontype=u'SYSTEM'
@@ -2417,12 +2424,14 @@ class dnszone_add(DNSZoneBase_add):
nameserver_ip_address)
 
 # Add entry to 

[Freeipa-devel] [PATCH 0122] Add dogtag 10.2 to specfile

[Martin Basti]

I always forgot to install dogtag 10.2, so here is updated specfile.

COPR: http://copr.fedoraproject.org/coprs/vakwetu/dogtag/

Patch atached.  ipa-4-1

--
Martin Basti

From 36de55fd8edc63c50cb6494a1a432eb1eb21fb44 Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Fri, 12 Sep 2014 13:19:40 +0200
Subject: [PATCH] dogtag to spec.file

---
 freeipa.spec.in | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 2e19733e5c1638896ca82b50463f35dd49fed6e5..b288405bb94ff25c53e762c7f727225323470733 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -115,8 +115,8 @@ Requires(post): systemd-units
 Requires: selinux-policy = 3.12.1-179
 Requires(post): selinux-policy-base
 Requires: slapi-nis = 0.47.7
-Requires: pki-ca = 10.1.1
-Requires: pki-kra = 10.1.1
+Requires: pki-ca = 10.2.0
+Requires: pki-kra = 10.2.0
 %if 0%{?rhel}
 Requires: subscription-manager
 %endif
-- 
1.8.3.1

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH 0122] Add dogtag 10.2 to specfile

[Alexander Bokovoy]

On Fri, 12 Sep 2014, Martin Basti wrote:

I always forgot to install dogtag 10.2, so here is updated specfile.

COPR: http://copr.fedoraproject.org/coprs/vakwetu/dogtag/

ACK if you fix the commit message (see below), NACK for the link, as
dogtag 10.2 is going to Rawhide and F21.
https://admin.fedoraproject.org/updates/FEDORA-2014-10296/dogtag-pki-10.2.0-2.fc21
https://admin.fedoraproject.org/updates/FEDORA-2014-10309/dogtag-pki-theme-10.2.0-1.fc21
https://admin.fedoraproject.org/updates/FEDORA-2014-10300/pki-core-10.2.0-1.fc21
https://admin.fedoraproject.org/updates/FEDORA-2014-10297/pki-console-10.2.0-1.fc21

They should have been pushed in the same update, though.

Martin, can you please add a small blurb in the commit message that
Dogtag 10.2 is required due to support of a Vault feature?

--
/ Alexander Bokovoy

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] FreeIPA 4.0.3?

[Nathaniel McCallum]

On Fri, 2014-09-12 at 13:17 +0200, Martin Kosek wrote:
 On 09/12/2014 10:25 AM, Martin Kosek wrote:
  On 09/12/2014 10:13 AM, Ludwig Krispenz wrote:
 
  On 09/12/2014 09:37 AM, Martin Kosek wrote:
  On 09/12/2014 03:21 AM, Nathaniel McCallum wrote:
  On Thu, 2014-09-11 at 16:48 +0200, Petr Viktorin wrote:
  On 09/11/2014 04:43 PM, Nathaniel McCallum wrote:
  On Thu, 2014-09-11 at 16:39 +0200, Petr Viktorin wrote:
  On 09/11/2014 04:38 PM, Ludwig Krispenz wrote:
 
  On 09/11/2014 04:31 PM, Petr Viktorin wrote:
  On 09/11/2014 04:26 PM, Martin Kosek wrote:
  ...
  Also, we will need to add the F21 389-ds-base build to FreeIPA 
  Copr:
  http://copr.fedoraproject.org/coprs/mkosek/freeipa/
  so that F20 users can upgrade to the newest FreeIPA. Are there any
  known issues
  in the F21 389-ds-base build that would prevent upstream FreeIPA
  4.0.x to be
  based on it?
 
  If yes, we may need to include the patch in Fedora 21 downstream 
  only
  after all..
 
  We're basing the Fedora 21 Alpha downstream on FreeIPA 4.0.3, so we
  couldn't include the patch even there.
  There better be no such issues.
  what do you mean by no such issues ? I don't think that 389/F21 
  will
  be the first bug free software. At the moment Thierry is 
  investigating a
  crash in dna-plugin and Noriko a memory leak, which could be in F21 -
 
 
  any known issues in the F21 389-ds-base build that would prevent
  upstream FreeIPA 4.0.x to be based on it
 
  Yes. 389 will not start if weak ciphers are specified. Currently,
  FreeIPA specifies weak ciphers. This means that FreeIPA in F21 doesn't
  work at all because the DS will never start.
 
  We need this patch merged: https://fedorahosted.org/389/ticket/47838
 
  Done: thanks everyone on the DS side!
 
  Then, we need an F21 build of 389-ds-base.
 
  Done: thanks nhosoi!
 
  Then we need to merge Ludwig's IPA patch from this thread with a
  versioned dependency on the new 389-ds-base build.
 
  New patch attached which includes a versioned dep on the new DS.
 
  ipa-server-install still fails for me, even when I use
  389-ds-base-1.3.3.2-1.fc20.x86_64:
 
  # ipa-server-install
  ...
[12/13]: restarting httpd
[13/13]: configuring httpd to start on boot
  Done configuring the web interface (httpd).
  Applying LDAP updates
  Unexpected error - see /var/log/ipaserver-install.log for details:
  ObjectclassViolation: attribute allowweakciphers not allowed
 
 
  I think you simply use a wrong config name - have extra s in the end. 
  It is
  defined as
  that typo was already in my first draft of the patch, sorry
 
  allowWeakCipher in cn=encryption,cn=config. allowWeakCipher: [on | off]
 
 
  Also, do we really need to put it to off in the updates? AFAIU, it is 
  off
  by default in our config and with current setting, users could not put it 
  to
  on (for whatever reason) without the value being overwritten with every 
  run
  of FreeIPA upgrade.
  could there be an upgrade from a install not yet using that params. should
  only:allowWeakCipher be replaced by addifnew ?
 
  You can try default:allowWeakCiphers: off - it would set the attribute to 
  off
  if it was not there before.
 
  Given you are probably working on updated version, I would also recommend
  following
 
  http://www.freeipa.org/page/Contribute/Patch_Format#Patch_format_2
 
  as I saw couple nitpicks with your patch
  - ticket number in patch description and not in it's body
  - bad From field - I would rather expect it to be Ludwig Krispenz
  lkris...@redhat.com than lkrispen lkris...@redhat.com
 
  Thanks,
  Martin
 
 Hello, any update on this front? Are you or Nathaniel updating the patch?

Attached.
From d4d24366c6392a1cd0c3d7c8513e20d0f9520766 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum npmccal...@redhat.com
Date: Fri, 12 Sep 2014 10:02:00 -0400
Subject: [PATCH] Update 389 SSL cipher config

We allow 389 to choose its own ciphers, but we default to
disabling weak ciphers. This offloads the choice to the
proper place so that we don't have to manage it in FreeIPA
anymore.

Thanks to Ludwig Krispenz lkris...@redhat.com for the
first version of this patch.

https://fedorahosted.org/freeipa/ticket/4395
---
 freeipa.spec.in  | 6 +++---
 install/updates/20-sslciphers.update | 6 ++
 install/updates/Makefile.am  | 1 +
 ipaserver/install/dsinstance.py  | 7 ++-
 4 files changed, 12 insertions(+), 8 deletions(-)
 create mode 100644 install/updates/20-sslciphers.update

diff --git a/freeipa.spec.in b/freeipa.spec.in
index b672ecb03bdd73c1a911a6a982ccd894bebcbce4..685b345fedb9d157c8deedc66f8712da32c5963b 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -18,7 +18,7 @@ Source0:freeipa-%{version}.tar.gz
 BuildRoot:  %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 %if ! %{ONLY_CLIENT}
-BuildRequires:  389-ds-base-devel = 1.3.2.16
+BuildRequires:  389-ds-base-devel = 1.3.3.2
 BuildRequires:  svrcore-devel
 BuildRequires:  policycoreutils = 

Re: [Freeipa-devel] FreeIPA 4.0.3?

[Ludwig Krispenz]

Hi,

I alread had sent a patch for review, It is exactly like yours with one 
exception:

65c61
 +default:allowWeakCipher: off
---
 +addifnew:allowWeakCipher: off

I tested with default, but it was ignored - is default only used for new 
entries ?


On 09/12/2014 04:08 PM, Nathaniel McCallum wrote:

On Fri, 2014-09-12 at 13:17 +0200, Martin Kosek wrote:

On 09/12/2014 10:25 AM, Martin Kosek wrote:

On 09/12/2014 10:13 AM, Ludwig Krispenz wrote:

On 09/12/2014 09:37 AM, Martin Kosek wrote:

On 09/12/2014 03:21 AM, Nathaniel McCallum wrote:

On Thu, 2014-09-11 at 16:48 +0200, Petr Viktorin wrote:

On 09/11/2014 04:43 PM, Nathaniel McCallum wrote:

On Thu, 2014-09-11 at 16:39 +0200, Petr Viktorin wrote:

On 09/11/2014 04:38 PM, Ludwig Krispenz wrote:

On 09/11/2014 04:31 PM, Petr Viktorin wrote:

On 09/11/2014 04:26 PM, Martin Kosek wrote:

...

Also, we will need to add the F21 389-ds-base build to FreeIPA Copr:
http://copr.fedoraproject.org/coprs/mkosek/freeipa/
so that F20 users can upgrade to the newest FreeIPA. Are there any
known issues
in the F21 389-ds-base build that would prevent upstream FreeIPA
4.0.x to be
based on it?

If yes, we may need to include the patch in Fedora 21 downstream only
after all..

We're basing the Fedora 21 Alpha downstream on FreeIPA 4.0.3, so we
couldn't include the patch even there.
There better be no such issues.

what do you mean by no such issues ? I don't think that 389/F21 will
be the first bug free software. At the moment Thierry is investigating a
crash in dna-plugin and Noriko a memory leak, which could be in F21 -


any known issues in the F21 389-ds-base build that would prevent
upstream FreeIPA 4.0.x to be based on it

Yes. 389 will not start if weak ciphers are specified. Currently,
FreeIPA specifies weak ciphers. This means that FreeIPA in F21 doesn't
work at all because the DS will never start.

We need this patch merged: https://fedorahosted.org/389/ticket/47838

Done: thanks everyone on the DS side!


Then, we need an F21 build of 389-ds-base.

Done: thanks nhosoi!


Then we need to merge Ludwig's IPA patch from this thread with a
versioned dependency on the new 389-ds-base build.

New patch attached which includes a versioned dep on the new DS.

ipa-server-install still fails for me, even when I use
389-ds-base-1.3.3.2-1.fc20.x86_64:

# ipa-server-install
...
   [12/13]: restarting httpd
   [13/13]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Unexpected error - see /var/log/ipaserver-install.log for details:
ObjectclassViolation: attribute allowweakciphers not allowed


I think you simply use a wrong config name - have extra s in the end. It is
defined as

that typo was already in my first draft of the patch, sorry

allowWeakCipher in cn=encryption,cn=config. allowWeakCipher: [on | off]


Also, do we really need to put it to off in the updates? AFAIU, it is off
by default in our config and with current setting, users could not put it to
on (for whatever reason) without the value being overwritten with every run
of FreeIPA upgrade.

could there be an upgrade from a install not yet using that params. should
only:allowWeakCipher be replaced by addifnew ?

You can try default:allowWeakCiphers: off - it would set the attribute to off
if it was not there before.

Given you are probably working on updated version, I would also recommend
following

http://www.freeipa.org/page/Contribute/Patch_Format#Patch_format_2

as I saw couple nitpicks with your patch
- ticket number in patch description and not in it's body
- bad From field - I would rather expect it to be Ludwig Krispenz
lkris...@redhat.com than lkrispen lkris...@redhat.com

Thanks,
Martin

Hello, any update on this front? Are you or Nathaniel updating the patch?

Attached.


___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH 0122] Add dogtag 10.2 to specfile

[Martin Basti]

On 12/09/14 16:02, Martin Basti wrote:

I always forgot to install dogtag 10.2, so here is updated specfile.

COPR: http://copr.fedoraproject.org/coprs/vakwetu/dogtag/

Patch atached.  ipa-4-1




I'm not sure if dogtag 10.2 is required in 4.1

--
Martin Basti

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] FreeIPA 4.0.3?

[Nathaniel McCallum]

Sorry, I missed that. Let's take your patch.

On Fri, 2014-09-12 at 16:16 +0200, Ludwig Krispenz wrote:
 Hi,
 
 I alread had sent a patch for review, It is exactly like yours with one 
 exception:
 65c61
  +default:allowWeakCipher: off
 ---
   +addifnew:allowWeakCipher: off
 
 I tested with default, but it was ignored - is default only used for new 
 entries ?
 
 On 09/12/2014 04:08 PM, Nathaniel McCallum wrote:
  On Fri, 2014-09-12 at 13:17 +0200, Martin Kosek wrote:
  On 09/12/2014 10:25 AM, Martin Kosek wrote:
  On 09/12/2014 10:13 AM, Ludwig Krispenz wrote:
  On 09/12/2014 09:37 AM, Martin Kosek wrote:
  On 09/12/2014 03:21 AM, Nathaniel McCallum wrote:
  On Thu, 2014-09-11 at 16:48 +0200, Petr Viktorin wrote:
  On 09/11/2014 04:43 PM, Nathaniel McCallum wrote:
  On Thu, 2014-09-11 at 16:39 +0200, Petr Viktorin wrote:
  On 09/11/2014 04:38 PM, Ludwig Krispenz wrote:
  On 09/11/2014 04:31 PM, Petr Viktorin wrote:
  On 09/11/2014 04:26 PM, Martin Kosek wrote:
  ...
  Also, we will need to add the F21 389-ds-base build to FreeIPA 
  Copr:
  http://copr.fedoraproject.org/coprs/mkosek/freeipa/
  so that F20 users can upgrade to the newest FreeIPA. Are there 
  any
  known issues
  in the F21 389-ds-base build that would prevent upstream FreeIPA
  4.0.x to be
  based on it?
 
  If yes, we may need to include the patch in Fedora 21 downstream 
  only
  after all..
  We're basing the Fedora 21 Alpha downstream on FreeIPA 4.0.3, so 
  we
  couldn't include the patch even there.
  There better be no such issues.
  what do you mean by no such issues ? I don't think that 389/F21 
  will
  be the first bug free software. At the moment Thierry is 
  investigating a
  crash in dna-plugin and Noriko a memory leak, which could be in 
  F21 -
 
  any known issues in the F21 389-ds-base build that would prevent
  upstream FreeIPA 4.0.x to be based on it
  Yes. 389 will not start if weak ciphers are specified. Currently,
  FreeIPA specifies weak ciphers. This means that FreeIPA in F21 
  doesn't
  work at all because the DS will never start.
 
  We need this patch merged: https://fedorahosted.org/389/ticket/47838
  Done: thanks everyone on the DS side!
 
  Then, we need an F21 build of 389-ds-base.
  Done: thanks nhosoi!
 
  Then we need to merge Ludwig's IPA patch from this thread with a
  versioned dependency on the new 389-ds-base build.
  New patch attached which includes a versioned dep on the new DS.
  ipa-server-install still fails for me, even when I use
  389-ds-base-1.3.3.2-1.fc20.x86_64:
 
  # ipa-server-install
  ...
 [12/13]: restarting httpd
 [13/13]: configuring httpd to start on boot
  Done configuring the web interface (httpd).
  Applying LDAP updates
  Unexpected error - see /var/log/ipaserver-install.log for details:
  ObjectclassViolation: attribute allowweakciphers not allowed
 
 
  I think you simply use a wrong config name - have extra s in the end. 
  It is
  defined as
  that typo was already in my first draft of the patch, sorry
  allowWeakCipher in cn=encryption,cn=config. allowWeakCipher: [on | 
  off]
 
 
  Also, do we really need to put it to off in the updates? AFAIU, it is 
  off
  by default in our config and with current setting, users could not put 
  it to
  on (for whatever reason) without the value being overwritten with 
  every run
  of FreeIPA upgrade.
  could there be an upgrade from a install not yet using that params. 
  should
  only:allowWeakCipher be replaced by addifnew ?
  You can try default:allowWeakCiphers: off - it would set the attribute 
  to off
  if it was not there before.
 
  Given you are probably working on updated version, I would also recommend
  following
 
  http://www.freeipa.org/page/Contribute/Patch_Format#Patch_format_2
 
  as I saw couple nitpicks with your patch
  - ticket number in patch description and not in it's body
  - bad From field - I would rather expect it to be Ludwig Krispenz
  lkris...@redhat.com than lkrispen lkris...@redhat.com
 
  Thanks,
  Martin
  Hello, any update on this front? Are you or Nathaniel updating the patch?
  Attached.
 


___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 0001 Update-SSL-ciphers-configured-in-389-ds-base

[Nathaniel McCallum]

On Fri, 2014-09-12 at 13:21 +0200, Ludwig Krispenz wrote:
 please review attached patch for ticket: 
 https://fedorahosted.org/freeipa/ticket/4395
 
 use new options in 389-ds to configure enabled ciphers

ACK. Let's get 4.0.3 out the door! :)

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCHES] 0642-0643 Move granting read access to entryusn timestamp entries to individual permissions

[Martin Kosek]

On 09/12/2014 01:53 PM, Petr Viktorin wrote:

https://fedorahosted.org/freeipa/ticket/4534

The entryusn and timestamp operational attributes are now automatically added
to every read permission that targets objectclass, whether managed or
user-created.

The 'System: Read Timestamp and USN Operational Attributes', which was added
for 4.0.2, is removed on upgrade.




This looks good to me. deref search now return expected results:

# ldapsearch -h `hostname` -Y GSSAPI -b 
uid=admin,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test -E 
'deref=memberof:objectclass,entryusn'

SASL/GSSAPI authentication started
SASL username: host/ipa.mkosek-fedora20.t...@mkosek-fedora20.test
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base uid=admin,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test with scope 
subtree

# filter: (objectclass=*)
# requesting: ALL
# with dereference control
#

# admin, users, accounts, mkosek-fedora20.test
dn: uid=admin,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test
control: 1.3.6.1.4.1.4203.666.5.16 false ...
# memberof: objectclass=top;objectclass=groupofnames;objectclass=posixgr
 oup;objectclass=ipausergroup;objectclass=ipaobject;objectclass=nestedG
 roup;entryusn=16719;cn=admins,cn=groups,cn=accounts,dc=mkosek-fedora20,dc
 =test

# memberof: objectclass=top;objectclass=ipaobject;objectclass=groupofnam
 es;objectclass=ipausergroup;objectclass=nestedgroup;entryusn=375;cn=t
 rust admins,cn=groups,cn=accounts,dc=mkosek-fedora20,dc=test

objectClass: top
objectClass: person
...


I.e. only the memberof objects that the host has access to are dereferenced. 
Updated permissions also look OK.


Thus ACK from me of there are no other objections.

What should we do about remaining Operational permission?


1 permission matched

  Permission name: System: Read Creator and Modifier Operational Attributes
  Granted rights: read, compare, search
  Effective attributes: creatorsname, modifiersname
  Default attributes: modifiersname, creatorsname
  Bind rule type: all
  Subtree: dc=mkosek-fedora20,dc=test
  Extra target filter: (objectclass=*)

Number of entries returned 1

? Any host can still use deref to for example find creatorsname or 
modifiersname of memberof entries.


I would personally rather delete the permission and keep the attributes only 
for DM (and admin) or make it permission-based as SSSD does not use it anyway, 
AFAIK.


Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] [Freeipa-interest] Announcing bind-dyndb-ldap version 5.3

[Petr Spacek]

The FreeIPA team is proud to announce bind-dyndb-ldap version 5.3.

It can be downloaded from https://fedorahosted.org/released/bind-dyndb-ldap/

The new version has also been built for Fedora 21+ and and is on its way to 
updates-testing:

https://admin.fedoraproject.org/updates/bind-dyndb-ldap-5.3-1.fc21

This version is also available from FreeIPA COPR repo:
http://copr.fedoraproject.org/coprs/mkosek/freeipa/

5.3

[1] Internal locking was reworked to prevent crashes and deadlocks.

5.2

[1] Kerberos ticket expiration is now handled correctly.
https://fedorahosted.org/bind-dyndb-ldap/ticket/131

[2] BIND no longer crashes after removing root zone from LDAP.
https://fedorahosted.org/bind-dyndb-ldap/ticket/138

[3] Root zone handling was fixed to prevent accidental child zone removal.
https://fedorahosted.org/bind-dyndb-ldap/ticket/122

[4] Temporary files for idnsZone objects are now inside master/ subdirectory.

[5] Temporary directories are created with ug=rwx,o= permissions to enable
POSIX ACL usage.

[6] Naming rules for working directories have changed: See README section 6.

[7] Documentation clearly states that idnsZoneActive attribute is not supported.


== Upgrading ==
A server can be upgraded by installing updated RPM. BIND has to be restarted 
manually after the RPM installation.


!!! CAUTION !!!
idnsZone object class changed it's semantics in version 5.0. Please read
https://git.fedorahosted.org/cgit/bind-dyndb-ldap.git/plain/README
and update idnsForwarders and idnsForward policy attributes in your DNS zones 
accordingly.


Transition from idnsZone to idnsForwardZone object class can be made seamless 
if you change data in LDAP before you upgrade to version 5.x. All 
bind-dyndb-ldap versions = 3.0 support the idnsForwardZone object class.



Users of FreeIPA  4.0 should be careful when upgrading bind-dyndb-ldap to 
version = 5.0 (if they do not upgrade to FreeIPA 4.x at the same time).


Configuration semantics related to conditional (per-zone) forwarding has 
changed and FreeIPA  4.0 doesn't have appropriate user interface and API.


It is safe to upgrade if you use *only* global forwarders (shown by 'ipa 
dnsconfig-show') and *do not* use per-zone forwarders (shown by 'ipa 
dnszone-show').


Don't hesitate to ask freeipa-users mailing list if you need help with upgrade.
!!! CAUTION !!!

Downgrading back to any 4.x version is supported.


== Feedback ==
Please provide comments, report bugs and send any other feedback via the 
freeipa-users mailing list:

http://www.redhat.com/mailman/listinfo/freeipa-users

--
Petr^2 Spacek

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] #4534: SSSD deref processing fail when entryusn can be read and objectclass doesn't

[Simo Sorce]

On Fri, 2014-09-12 at 09:42 +0200, Martin Kosek wrote:
 
 Well, I am not convinced that everyone reads the release notes, so I
 would rather delete this permission in 4.0.3. Hopefully, there won't
 be many 4.0.2 users. It seems as a lesser evil to me than having SSSD
 clients broken.

+1

such fundamental issues *must* be handle automatically if we can.

Simo.

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] #4534: SSSD deref processing fail when entryusn can be read and objectclass doesn't

[Simo Sorce]

On Fri, 2014-09-12 at 10:27 +0200, thierry bordaz wrote:
 On 09/11/2014 10:24 PM, Martin Kosek wrote:
  On 09/11/2014 08:49 PM, Simo Sorce wrote:
  On Thu, 2014-09-11 at 20:28 +0200, Martin Kosek wrote:
  On 09/11/2014 05:37 PM, Simo Sorce wrote:
  On Thu, 2014-09-11 at 17:03 +0200, Martin Kosek wrote:
  Hello,
 
  We have another important issue to resolve. Current FreeIPA 4.0.2 
  ACI settings
  cause older SSSD clients to fail as they get returned an LDAP 
  deref call
  results without objectclass attribute and just with entryusn 
  attribute. Details
  in https://fedorahosted.org/freeipa/ticket/4534. While I agree 
  SSSD should be
  more tolerant in this case, it still breaks old clients which we 
  should prevent.
 
  There are 2 ways how to fix I currently see:
 
  1) Return objectclass for any entry, just like we do with 
  operational attributes
 
  This would include adding objectclass to System: Read Timestamp 
  and USN
  Operational Attributes. However, I am rather cautious about this 
  approach as
  even though objectclass does not usually carry a secret 
  information, we could
  still leak some information about our DIT to unprivileged user.
 
  Our DIT is public and known, I see no problem.
 
  I rather meant the LDAP tree and it's contents (custom groups, sudo 
  rules,
  roles, ...).
 
  I did one more test and found out we cannot do this as it would 
  undermine the
  ACIs we have right now. As soon as objectclass is allowed globally, 
  ldapsearch
  returns every object even if no other attribute is returned:
 
  # ldapsearch -h `hostname` -Y GSSAPI -b 
  cn=pbac,dc=mkosek-fedora20,dc=test
  SASL/GSSAPI authentication started
  SASL username: host/ipa.mkosek-fedora20.t...@mkosek-fedora20.test
  SASL SSF: 56
  SASL data security layer installed.
  ...
  # User Administrators, privileges, pbac, mkosek-fedora20.test
  dn: cn=User 
  Administrators,cn=privileges,cn=pbac,dc=mkosek-fedora20,dc=test
  objectClass: top
  objectClass: groupofnames
  objectClass: nestedgroup
  ...
 
  It would not show any more info before that, but even the list of 
  permissions,
  privileges and roles along with it's names is a leaked information.
 
 
  2) Show objectclass+operational attributes in our Read ACIs
  Other way I see is to update *all* our Read permissions allowing 
  reading
  objectclass attribute and also allow the chosen LDAP operational 
  attribute.
  This would let the LDAP caller to always get either all these 
  discussed
  attributes but none at all.
 
 
  Do we want to do this? Any other (better) idea how to approach it?
 
  I honestly am not sure I understand the distinction between 1 and 
  2, can
  you provide the actual ACIs or a behavior example ?
 
  Simo.
 
  Currently, our ACI allows reading entryusn in any LDAP entry. So 
  user (SSSD)
  running LDAP deref call gets entryusn from object it does not have a 
  read
  access to:
 
  # ldapsearch -h `hostname` -Y GSSAPI -b
  uid=admin,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test -E
  'deref=memberof:objectclass,entryusn'
  SASL/GSSAPI authentication started
  SASL username: host/ipa.mkosek-fedora20.t...@mkosek-fedora20.test
  SASL SSF: 56
  SASL data security layer installed.
  ...
  # memberof: entryusn=845;cn=replication 
  administrators,cn=privileges,cn=pba
 c,dc=mkosek-fedora20,dc=test
 
  # memberof: entryusn=75;cn=add replication 
  agreements,cn=permissions,cn=pba
 c,dc=mkosek-fedora20,dc=test
  ...
 
  This confuses SSSD (sees entryusn but does not see objectclass 
  attribute) + may
  give out some information we do not want to give out. Fortunately, bare
  ldapsearch does not show anything:
 
  # ldapsearch -h `hostname` -Y GSSAPI -b cn=replication
  administrators,cn=privileges,cn=pbac,dc=mkosek-fedora20,dc=test 
  entryusn
  SASL/GSSAPI authentication started
  SASL username: host/ipa.mkosek-fedora20.t...@mkosek-fedora20.test
  SASL SSF: 56
  SASL data security layer installed.
  # extended LDIF
  #
  # LDAPv3
  # base cn=replication
  administrators,cn=privileges,cn=pbac,dc=mkosek-fedora20,dc=test 
  with scope subtree
  # filter: (objectclass=*)
  # requesting: entryusn
  #
 
  # search result
  search: 4
  result: 0 Success
 
  # numResponses: 1
 
 
  The idea behind Option 1 was to add ACI to allow reading objectclass 
  attribute
  globally, for our entire tree. (as noted above, not an option).
 
  The idea behind Option 2 was to:
  - remove global ACI allowing reading entryusn (System: Read 
  Timestamp and USN
  Operational Attributes)
  - update all our Read permissions to allow entryusn
 
  Then for example, if user (SSSD) is allowed to read RBAC role 
  objects, he would
  not be able to read either objectclass or entryusn attributes. This 
  means users
  would be only allowed to read entryusn for objects that they can 
  really read
  (i.e. for objects where they can read at least objectclass).
 
  Did that clarify the options?
 
  Of course, there is still option 3) to close as wontfix and 

Re: [Freeipa-devel] [PATCH 0122] Add dogtag 10.2 to specfile

[Martin Kosek]

On 09/12/2014 04:14 PM, Martin Basti wrote:

On 12/09/14 16:02, Martin Basti wrote:

I always forgot to install dogtag 10.2, so here is updated specfile.

COPR: http://copr.fedoraproject.org/coprs/vakwetu/dogtag/

Patch atached.  ipa-4-1




I'm not sure if dogtag 10.2 is required in 4.1



It is not. It is only required for the DRM feature, i.e. FreeIPA 4.2, i.e. 
master branch.


Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCHES] 0642-0643 Move granting read access to entryusn timestamp entries to individual permissions

[Simo Sorce]

On Fri, 2014-09-12 at 13:53 +0200, Petr Viktorin wrote:
 https://fedorahosted.org/freeipa/ticket/4534
 
 The entryusn and timestamp operational attributes are now automatically 
 added to every read permission that targets objectclass, whether managed 
 or user-created.
 
 The 'System: Read Timestamp and USN Operational Attributes', which was 
 added for 4.0.2, is removed on upgrade.

Not tested but LGTM.
Simo.



___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] FreeIPA 4.0.3?

[Rob Crittenden]

Ludwig Krispenz wrote:
 Hi,
 
 I alread had sent a patch for review, It is exactly like yours with one
 exception:
 65c61
  +default:allowWeakCipher: off
 ---
 +addifnew:allowWeakCipher: off
 
 I tested with default, but it was ignored - is default only used for new
 entries ?

Correct. A value for default is only added when creating an entirely new
entry. addifnew adds the value to the entry only if it doesn't already
exist.

rob

 
 On 09/12/2014 04:08 PM, Nathaniel McCallum wrote:
 On Fri, 2014-09-12 at 13:17 +0200, Martin Kosek wrote:
 On 09/12/2014 10:25 AM, Martin Kosek wrote:
 On 09/12/2014 10:13 AM, Ludwig Krispenz wrote:
 On 09/12/2014 09:37 AM, Martin Kosek wrote:
 On 09/12/2014 03:21 AM, Nathaniel McCallum wrote:
 On Thu, 2014-09-11 at 16:48 +0200, Petr Viktorin wrote:
 On 09/11/2014 04:43 PM, Nathaniel McCallum wrote:
 On Thu, 2014-09-11 at 16:39 +0200, Petr Viktorin wrote:
 On 09/11/2014 04:38 PM, Ludwig Krispenz wrote:
 On 09/11/2014 04:31 PM, Petr Viktorin wrote:
 On 09/11/2014 04:26 PM, Martin Kosek wrote:
 ...
 Also, we will need to add the F21 389-ds-base build to
 FreeIPA Copr:
 http://copr.fedoraproject.org/coprs/mkosek/freeipa/
 so that F20 users can upgrade to the newest FreeIPA. Are
 there any
 known issues
 in the F21 389-ds-base build that would prevent upstream
 FreeIPA
 4.0.x to be
 based on it?

 If yes, we may need to include the patch in Fedora 21
 downstream only
 after all..
 We're basing the Fedora 21 Alpha downstream on FreeIPA
 4.0.3, so we
 couldn't include the patch even there.
 There better be no such issues.
 what do you mean by no such issues ? I don't think that
 389/F21 will
 be the first bug free software. At the moment Thierry is
 investigating a
 crash in dna-plugin and Noriko a memory leak, which could be
 in F21 -

 any known issues in the F21 389-ds-base build that would prevent
 upstream FreeIPA 4.0.x to be based on it
 Yes. 389 will not start if weak ciphers are specified. Currently,
 FreeIPA specifies weak ciphers. This means that FreeIPA in F21
 doesn't
 work at all because the DS will never start.

 We need this patch merged:
 https://fedorahosted.org/389/ticket/47838
 Done: thanks everyone on the DS side!

 Then, we need an F21 build of 389-ds-base.
 Done: thanks nhosoi!

 Then we need to merge Ludwig's IPA patch from this thread with a
 versioned dependency on the new 389-ds-base build.
 New patch attached which includes a versioned dep on the new DS.
 ipa-server-install still fails for me, even when I use
 389-ds-base-1.3.3.2-1.fc20.x86_64:

 # ipa-server-install
 ...
[12/13]: restarting httpd
[13/13]: configuring httpd to start on boot
 Done configuring the web interface (httpd).
 Applying LDAP updates
 Unexpected error - see /var/log/ipaserver-install.log for details:
 ObjectclassViolation: attribute allowweakciphers not allowed


 I think you simply use a wrong config name - have extra s in the
 end. It is
 defined as
 that typo was already in my first draft of the patch, sorry
 allowWeakCipher in cn=encryption,cn=config. allowWeakCipher: [on
 | off]


 Also, do we really need to put it to off in the updates? AFAIU,
 it is off
 by default in our config and with current setting, users could not
 put it to
 on (for whatever reason) without the value being overwritten
 with every run
 of FreeIPA upgrade.
 could there be an upgrade from a install not yet using that params.
 should
 only:allowWeakCipher be replaced by addifnew ?
 You can try default:allowWeakCiphers: off - it would set the
 attribute to off
 if it was not there before.

 Given you are probably working on updated version, I would also
 recommend
 following

 http://www.freeipa.org/page/Contribute/Patch_Format#Patch_format_2

 as I saw couple nitpicks with your patch
 - ticket number in patch description and not in it's body
 - bad From field - I would rather expect it to be Ludwig Krispenz
 lkris...@redhat.com than lkrispen lkris...@redhat.com

 Thanks,
 Martin
 Hello, any update on this front? Are you or Nathaniel updating the
 patch?
 Attached.
 
 ___
 Freeipa-devel mailing list
 Freeipa-devel@redhat.com
 https://www.redhat.com/mailman/listinfo/freeipa-devel

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH 0122] Add dogtag 10.2 to specfile

[Martin Basti]

On 12/09/14 16:38, Martin Kosek wrote:

On 09/12/2014 04:14 PM, Martin Basti wrote:

On 12/09/14 16:02, Martin Basti wrote:

I always forgot to install dogtag 10.2, so here is updated specfile.

COPR: http://copr.fedoraproject.org/coprs/vakwetu/dogtag/

Patch atached.  ipa-4-1




I'm not sure if dogtag 10.2 is required in 4.1



It is not. It is only required for the DRM feature, i.e. FreeIPA 4.2, 
i.e. master branch.


Martin


Thank you.

Updated patch attached.
push only to master branch then

--
Martin Basti

From 516eeb18971a86de27ce8c86ebb00105f6d3d9e6 Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Fri, 12 Sep 2014 13:19:40 +0200
Subject: [PATCH] Dogtag 10.2 to spec.file

Dogtag 10.2 is required due to support a Vault feature
---
 freeipa.spec.in | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 2e19733e5c1638896ca82b50463f35dd49fed6e5..b288405bb94ff25c53e762c7f727225323470733 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -115,8 +115,8 @@ Requires(post): systemd-units
 Requires: selinux-policy = 3.12.1-179
 Requires(post): selinux-policy-base
 Requires: slapi-nis = 0.47.7
-Requires: pki-ca = 10.1.1
-Requires: pki-kra = 10.1.1
+Requires: pki-ca = 10.2.0
+Requires: pki-kra = 10.2.0
 %if 0%{?rhel}
 Requires: subscription-manager
 %endif
-- 
1.8.3.1

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCHES] 0642-0643 Move granting read access to entryusn timestamp entries to individual permissions

[Petr Viktorin]

On 09/12/2014 04:25 PM, Martin Kosek wrote:

On 09/12/2014 01:53 PM, Petr Viktorin wrote:

https://fedorahosted.org/freeipa/ticket/4534

The entryusn and timestamp operational attributes are now
automatically added
to every read permission that targets objectclass, whether managed or
user-created.

The 'System: Read Timestamp and USN Operational Attributes', which was
added
for 4.0.2, is removed on upgrade.




This looks good to me. deref search now return expected results:

# ldapsearch -h `hostname` -Y GSSAPI -b
uid=admin,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test -E
'deref=memberof:objectclass,entryusn'
SASL/GSSAPI authentication started
SASL username: host/ipa.mkosek-fedora20.t...@mkosek-fedora20.test
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base uid=admin,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test with
scope subtree
# filter: (objectclass=*)
# requesting: ALL
# with dereference control
#

# admin, users, accounts, mkosek-fedora20.test
dn: uid=admin,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test
control: 1.3.6.1.4.1.4203.666.5.16 false ...
# memberof:
objectclass=top;objectclass=groupofnames;objectclass=posixgr
  oup;objectclass=ipausergroup;objectclass=ipaobject;objectclass=nestedG
  roup;entryusn=16719;cn=admins,cn=groups,cn=accounts,dc=mkosek-fedora20,dc
  =test

# memberof:
objectclass=top;objectclass=ipaobject;objectclass=groupofnam
  es;objectclass=ipausergroup;objectclass=nestedgroup;entryusn=375;cn=t
  rust admins,cn=groups,cn=accounts,dc=mkosek-fedora20,dc=test

objectClass: top
objectClass: person
...


I.e. only the memberof objects that the host has access to are
dereferenced. Updated permissions also look OK.

Thus ACK from me of there are no other objections.

What should we do about remaining Operational permission?


1 permission matched

   Permission name: System: Read Creator and Modifier Operational
Attributes
   Granted rights: read, compare, search
   Effective attributes: creatorsname, modifiersname
   Default attributes: modifiersname, creatorsname
   Bind rule type: all
   Subtree: dc=mkosek-fedora20,dc=test
   Extra target filter: (objectclass=*)

Number of entries returned 1

? Any host can still use deref to for example find creatorsname or
modifiersname of memberof entries.

I would personally rather delete the permission and keep the attributes
only for DM (and admin) or make it permission-based as SSSD does not use
it anyway, AFAIK.

Martin


This version removes 'System: Read Creator and Modifier Operational 
Attributes' as well.


--
Petr³
From f794853264041cac730855c12ba96ab9cc564762 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Fri, 12 Sep 2014 09:59:52 +0200
Subject: [PATCH] permission plugin: Auto-add operational atttributes to read
 permissions

The attributes entryusn, createtimestamp, and modifytimestamp
should be readable whenever thir entry is, i.e. when we allow reading
the objectclass.
Automatically add them to every read permission that includes objectclass.

https://fedorahosted.org/freeipa/ticket/4534
---
 ACI.txt  | 82 
 ipalib/plugins/permission.py |  8 +++
 ipatests/test_xmlrpc/test_permission_plugin.py   | 44 +
 ipatests/test_xmlrpc/test_realmdomains_plugin.py |  3 +-
 4 files changed, 95 insertions(+), 42 deletions(-)

diff --git a/ACI.txt b/ACI.txt
index 2a3f582765b1ff1de9669f187adb9a57b19f938f..9a161a1839057198930c6e0f31a9bc3d491320ee 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -1,7 +1,7 @@
 dn: cn=automember,cn=etc,dc=ipa,dc=example
-aci: (targetattr = automemberdefaultgroup || automemberdisabled || automemberfilter || automembergroupingattr || automemberscope || cn || objectclass)(targetfilter = (objectclass=automemberdefinition))(version 3.0;acl permission:System: Read Automember Definitions;allow (compare,read,search) groupdn = ldap:///cn=System: Read Automember Definitions,cn=permissions,cn=pbac,dc=ipa,dc=example;)
+aci: (targetattr = automemberdefaultgroup || automemberdisabled || automemberfilter || automembergroupingattr || automemberscope || cn || createtimestamp || entryusn || modifytimestamp || objectclass)(targetfilter = (objectclass=automemberdefinition))(version 3.0;acl permission:System: Read Automember Definitions;allow (compare,read,search) groupdn = ldap:///cn=System: Read Automember Definitions,cn=permissions,cn=pbac,dc=ipa,dc=example;)
 dn: cn=automember,cn=etc,dc=ipa,dc=example
-aci: (targetattr = automemberexclusiveregex || automemberinclusiveregex || automembertargetgroup || cn || description || objectclass)(targetfilter = (objectclass=automemberregexrule))(version 3.0;acl permission:System: Read Automember Rules;allow (compare,read,search) groupdn = ldap:///cn=System: Read Automember Rules,cn=permissions,cn=pbac,dc=ipa,dc=example;)
+aci: (targetattr = 

Re: [Freeipa-devel] [PATCH] 0001 Update-SSL-ciphers-configured-in-389-ds-base

[Martin Kosek]

On 09/12/2014 04:18 PM, Nathaniel McCallum wrote:

On Fri, 2014-09-12 at 13:21 +0200, Ludwig Krispenz wrote:

please review attached patch for ticket:
https://fedorahosted.org/freeipa/ticket/4395

use new options in 389-ds to configure enabled ciphers


ACK. Let's get 4.0.3 out the door! :)


Thanks! Works for me as well.

Pushed to:
master: ab196220fdd886fc2b19980f8e9a4b384845
ipa-4-1: 90e87310c6c8cb0bf88917afd0793a2a2ec1d5b6
ipa-4-0: 93b9d029ce147eb6b4c4ad36ce3c75e5fad37214

As we now depend on F21 version of 389-ds-base, I fired a build of the latest 
DS to the mkosek/freeipa Copr to not break the dependencies. I hope 389-ds-base 
will fix the install crash + the RI problems ASAP.


I would not start a 4.0.3 release right now though, I would like to have fixes 
for ticket 4534 included too (patches on review, partially acked by me).


Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCHES] 0642-0643 Move granting read access to entryusn timestamp entries to individual permissions

[Martin Kosek]

On 09/12/2014 04:46 PM, Petr Viktorin wrote:

On 09/12/2014 04:25 PM, Martin Kosek wrote:

On 09/12/2014 01:53 PM, Petr Viktorin wrote:

https://fedorahosted.org/freeipa/ticket/4534

The entryusn and timestamp operational attributes are now
automatically added
to every read permission that targets objectclass, whether managed or
user-created.

The 'System: Read Timestamp and USN Operational Attributes', which was
added
for 4.0.2, is removed on upgrade.




This looks good to me. deref search now return expected results:

# ldapsearch -h `hostname` -Y GSSAPI -b
uid=admin,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test -E
'deref=memberof:objectclass,entryusn'
SASL/GSSAPI authentication started
SASL username: host/ipa.mkosek-fedora20.t...@mkosek-fedora20.test
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base uid=admin,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test with
scope subtree
# filter: (objectclass=*)
# requesting: ALL
# with dereference control
#

# admin, users, accounts, mkosek-fedora20.test
dn: uid=admin,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test
control: 1.3.6.1.4.1.4203.666.5.16 false ...
# memberof:
objectclass=top;objectclass=groupofnames;objectclass=posixgr
  oup;objectclass=ipausergroup;objectclass=ipaobject;objectclass=nestedG
  roup;entryusn=16719;cn=admins,cn=groups,cn=accounts,dc=mkosek-fedora20,dc
  =test

# memberof:
objectclass=top;objectclass=ipaobject;objectclass=groupofnam
  es;objectclass=ipausergroup;objectclass=nestedgroup;entryusn=375;cn=t
  rust admins,cn=groups,cn=accounts,dc=mkosek-fedora20,dc=test

objectClass: top
objectClass: person
...


I.e. only the memberof objects that the host has access to are
dereferenced. Updated permissions also look OK.

Thus ACK from me of there are no other objections.

What should we do about remaining Operational permission?


1 permission matched

   Permission name: System: Read Creator and Modifier Operational
Attributes
   Granted rights: read, compare, search
   Effective attributes: creatorsname, modifiersname
   Default attributes: modifiersname, creatorsname
   Bind rule type: all
   Subtree: dc=mkosek-fedora20,dc=test
   Extra target filter: (objectclass=*)

Number of entries returned 1

? Any host can still use deref to for example find creatorsname or
modifiersname of memberof entries.

I would personally rather delete the permission and keep the attributes
only for DM (and admin) or make it permission-based as SSSD does not use
it anyway, AFAIK.

Martin


This version removes 'System: Read Creator and Modifier Operational Attributes'
as well.



Works fine. ACK.

(You will need to regenerate ACI.txt for each merged branch as there are 
conflicts).


Thanks!
Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 0001 Update-SSL-ciphers-configured-in-389-ds-base

[Martin Kosek]

On 09/12/2014 04:47 PM, Martin Kosek wrote:

On 09/12/2014 04:18 PM, Nathaniel McCallum wrote:

On Fri, 2014-09-12 at 13:21 +0200, Ludwig Krispenz wrote:

please review attached patch for ticket:
https://fedorahosted.org/freeipa/ticket/4395

use new options in 389-ds to configure enabled ciphers


ACK. Let's get 4.0.3 out the door! :)


Thanks! Works for me as well.

Pushed to:
master: ab196220fdd886fc2b19980f8e9a4b384845
ipa-4-1: 90e87310c6c8cb0bf88917afd0793a2a2ec1d5b6
ipa-4-0: 93b9d029ce147eb6b4c4ad36ce3c75e5fad37214

As we now depend on F21 version of 389-ds-base, I fired a build of the latest
DS to the mkosek/freeipa Copr to not break the dependencies. I hope 389-ds-base
will fix the install crash + the RI problems ASAP.

I would not start a 4.0.3 release right now though, I would like to have fixes
for ticket 4534 included too (patches on review, partially acked by me).


... aand https://fedorahosted.org/freeipa/ticket/4537 which also needs to be 
included in 4.0.3.


Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] [PATCH] 0644 Update referential integrity config for DS 1.3.3

[Petr Viktorin]

https://fedorahosted.org/freeipa/ticket/4537

See commit message for the story behind this one.

--
Petr³
From e36ecfee32a331bfd031a48df2abe7e0ce8ec987 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Fri, 12 Sep 2014 17:14:14 +0200
Subject: [PATCH] Update referential integrity config for DS 1.3.3

Hisorically DS provided defaults for the referential
integrity plugin in nsslapd-pluginArg*:

nsslapd-pluginarg3: member
nsslapd-pluginarg4: uniquemember
nsslapd-pluginarg5: owner
nsslapd-pluginarg6: seeAlso

In 389-ds 1.3.3, the multi-valued referint-membership-attr
is used instead.

The old way still works, but it requires that the values
are numbered consecutively, so IPA's defaults that started
with 7 were not taken into account.

Convert IPA defaults to use referint-membership-attr.

https://fedorahosted.org/freeipa/ticket/4537
---
 install/share/referint-conf.ldif   | 33 -
 install/updates/25-referint.update | 34 --
 2 files changed, 24 insertions(+), 43 deletions(-)

diff --git a/install/share/referint-conf.ldif b/install/share/referint-conf.ldif
index 408f7598a2127a33373ec26d4f4ea1ab7ed73734..7c36395828580b677b8acef33625847609362eca 100644
--- a/install/share/referint-conf.ldif
+++ b/install/share/referint-conf.ldif
@@ -2,36 +2,3 @@ dn: cn=referential integrity postoperation,cn=plugins,cn=config
 changetype: modify
 replace: nsslapd-pluginenabled
 nsslapd-pluginenabled: on
--
-add: nsslapd-pluginArg7
-nsslapd-pluginArg7: manager
--
-add: nsslapd-pluginArg8
-nsslapd-pluginArg8: secretary
--
-add: nsslapd-pluginArg9
-nsslapd-pluginArg9: memberuser
--
-add: nsslapd-pluginArg10
-nsslapd-pluginArg10: memberhost
--
-add: nsslapd-pluginArg11
-nsslapd-pluginArg11: sourcehost
--
-add: nsslapd-pluginArg12
-nsslapd-pluginArg12: memberservice
--
-add: nsslapd-pluginArg13
-nsslapd-pluginArg13: managedby
--
-add: nsslapd-pluginArg14
-nsslapd-pluginArg14: memberallowcmd
--
-add: nsslapd-pluginArg15
-nsslapd-pluginArg15: memberdenycmd
--
-add: nsslapd-pluginArg16
-nsslapd-pluginArg16: ipasudorunas
--
-add: nsslapd-pluginArg17
-nsslapd-pluginArg17: ipasudorunasgroup
diff --git a/install/updates/25-referint.update b/install/updates/25-referint.update
index 65af05128e433d683d61272cad6145fa8f084b04..c4bff5dac4956eb0ef4b132a2ce5dafdb53e286e 100644
--- a/install/updates/25-referint.update
+++ b/install/updates/25-referint.update
@@ -2,13 +2,27 @@
 # pres and eq indexes defined in 20-indices.update must be set for all these
 # attributes
 dn: cn=referential integrity postoperation,cn=plugins,cn=config
-add: nsslapd-pluginArg9: memberuser
-add: nsslapd-pluginArg10: memberhost
-add: nsslapd-pluginArg11: sourcehost
-add: nsslapd-pluginArg12: memberservice
-add: nsslapd-pluginArg13: managedby
-add: nsslapd-pluginArg14: memberallowcmd
-add: nsslapd-pluginArg15: memberdenycmd
-add: nsslapd-pluginArg16: ipasudorunas
-add: nsslapd-pluginArg17: ipasudorunasgroup
-add: nsslapd-pluginArg18: ipatokenradiusconfiglink
+remove: nsslapd-pluginArg7: manager
+remove: nsslapd-pluginArg8: secretary
+remove: nsslapd-pluginArg9: memberuser
+remove: nsslapd-pluginArg10: memberhost
+remove: nsslapd-pluginArg11: sourcehost
+remove: nsslapd-pluginArg12: memberservice
+remove: nsslapd-pluginArg13: managedby
+remove: nsslapd-pluginArg14: memberallowcmd
+remove: nsslapd-pluginArg15: memberdenycmd
+remove: nsslapd-pluginArg16: ipasudorunas
+remove: nsslapd-pluginArg17: ipasudorunasgroup
+remove: nsslapd-pluginArg18: ipatokenradiusconfiglink
+add: referint-membership-attr: manager
+add: referint-membership-attr: secretary
+add: referint-membership-attr: memberuser
+add: referint-membership-attr: memberhost
+add: referint-membership-attr: sourcehost
+add: referint-membership-attr: memberservice
+add: referint-membership-attr: managedby
+add: referint-membership-attr: memberallowcmd
+add: referint-membership-attr: memberdenycmd
+add: referint-membership-attr: ipasudorunas
+add: referint-membership-attr: ipasudorunasgroup
+add: referint-membership-attr: ipatokenradiusconfiglink
-- 
1.9.3

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 0644 Update referential integrity config for DS 1.3.3

[Martin Kosek]

On 09/12/2014 05:35 PM, Petr Viktorin wrote:

https://fedorahosted.org/freeipa/ticket/4537

See commit message for the story behind this one.



Thanks. Works as a charm, so ACK.

Pushed to:
master: d61fb40542abb0aa66c49d987813099fda356adf
ipa-4-1: f8771db202bcca4419be847c00f167362311e28e
ipa-4-0: c6baecec1ec866d77f9a476d01c7931fce6d95da

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 0644 Update referential integrity config for DS 1.3.3

[Ludwig Krispenz]

On 09/12/2014 05:43 PM, Martin Kosek wrote:

On 09/12/2014 05:35 PM, Petr Viktorin wrote:

https://fedorahosted.org/freeipa/ticket/4537

See commit message for the story behind this one.



Thanks. Works as a charm, so ACK.
just for my understanding. what was install/share/referint-conf.ldif 
good for, why isn't adding the membership attrs needed there ?


Pushed to:
master: d61fb40542abb0aa66c49d987813099fda356adf
ipa-4-1: f8771db202bcca4419be847c00f167362311e28e
ipa-4-0: c6baecec1ec866d77f9a476d01c7931fce6d95da

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 0644 Update referential integrity config for DS 1.3.3

[Petr Viktorin]

On 09/12/2014 05:47 PM, Ludwig Krispenz wrote:


On 09/12/2014 05:43 PM, Martin Kosek wrote:

On 09/12/2014 05:35 PM, Petr Viktorin wrote:

https://fedorahosted.org/freeipa/ticket/4537

See commit message for the story behind this one.



Thanks. Works as a charm, so ACK.

just for my understanding. what was install/share/referint-conf.ldif
good for, why isn't adding the membership attrs needed there ?


The ldif files are put in place on initial install only.
The update files are applied both on initial install and on upgrades, 
and allow greater control over what gets done on update.


At one point the policy was to put everything in both places, so ther 
would be a LDIF representation of what IPA puts in the directory. But 
that goal doesn't play well with updater plugins, and also the copies 
inevitably got out of sync.


Now we prefer the update files for all new changes. One day we might get 
rid of the ldifs altogether.


--
Petr³

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCHES] 0642-0643 Move granting read access to entryusn timestamp entries to individual permissions

[Petr Viktorin]

On 09/12/2014 05:02 PM, Martin Kosek wrote:

On 09/12/2014 04:46 PM, Petr Viktorin wrote:

On 09/12/2014 04:25 PM, Martin Kosek wrote:

On 09/12/2014 01:53 PM, Petr Viktorin wrote:

https://fedorahosted.org/freeipa/ticket/4534

The entryusn and timestamp operational attributes are now
automatically added
to every read permission that targets objectclass, whether managed or
user-created.

The 'System: Read Timestamp and USN Operational Attributes', which was
added
for 4.0.2, is removed on upgrade.




This looks good to me. deref search now return expected results:

# ldapsearch -h `hostname` -Y GSSAPI -b
uid=admin,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test -E
'deref=memberof:objectclass,entryusn'
SASL/GSSAPI authentication started
SASL username: host/ipa.mkosek-fedora20.t...@mkosek-fedora20.test
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base uid=admin,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test with
scope subtree
# filter: (objectclass=*)
# requesting: ALL
# with dereference control
#

# admin, users, accounts, mkosek-fedora20.test
dn: uid=admin,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test
control: 1.3.6.1.4.1.4203.666.5.16 false ...
# memberof:
objectclass=top;objectclass=groupofnames;objectclass=posixgr

oup;objectclass=ipausergroup;objectclass=ipaobject;objectclass=nestedG


roup;entryusn=16719;cn=admins,cn=groups,cn=accounts,dc=mkosek-fedora20,dc

  =test

# memberof:
objectclass=top;objectclass=ipaobject;objectclass=groupofnam

es;objectclass=ipausergroup;objectclass=nestedgroup;entryusn=375;cn=t

  rust admins,cn=groups,cn=accounts,dc=mkosek-fedora20,dc=test

objectClass: top
objectClass: person
...


I.e. only the memberof objects that the host has access to are
dereferenced. Updated permissions also look OK.

Thus ACK from me of there are no other objections.

What should we do about remaining Operational permission?


1 permission matched

   Permission name: System: Read Creator and Modifier Operational
Attributes
   Granted rights: read, compare, search
   Effective attributes: creatorsname, modifiersname
   Default attributes: modifiersname, creatorsname
   Bind rule type: all
   Subtree: dc=mkosek-fedora20,dc=test
   Extra target filter: (objectclass=*)

Number of entries returned 1

? Any host can still use deref to for example find creatorsname or
modifiersname of memberof entries.

I would personally rather delete the permission and keep the attributes
only for DM (and admin) or make it permission-based as SSSD does not use
it anyway, AFAIK.

Martin


This version removes 'System: Read Creator and Modifier Operational
Attributes'
as well.



Works fine. ACK.


Thanks! Pushed to:
ipa-4-0: f47da6a761a97134668cf674c78f5f9271c98e8b
ipa-4-1: a0e23ce210506be84716343982ef43099841177b
master: 4fac4f4cf65b54bc0b194928341b31e3c67d63a5


(You will need to regenerate ACI.txt for each merged branch as there are
conflicts).


(Yeah, whoever invented this ACI.txt thing, I need to have a talk with him)


--
Petr³

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] FreeIPA 4.0.3 ?

[Petr Viktorin]

There were some critical issues in 4.0.2, mainly with integration:

https://fedorahosted.org/freeipa/ticket/4529 - broken upgrades
https://fedorahosted.org/freeipa/ticket/4430 - python-qrcode packaging fix
https://fedorahosted.org/freeipa/ticket/4395 - update of SSL ciphers
https://fedorahosted.org/freeipa/ticket/4534 - operational attribute ACIs
https://fedorahosted.org/freeipa/ticket/4537 - referential integrity 
configuration


All the fixes are pushed now. Please test!
If nothing else shows up, I will release 4.0.3 today.


--
Petr³

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] FreeIPA 4.0.3 ?

[Martin Kosek]

On 09/12/2014 06:36 PM, Petr Viktorin wrote:

There were some critical issues in 4.0.2, mainly with integration:

https://fedorahosted.org/freeipa/ticket/4529 - broken upgrades
https://fedorahosted.org/freeipa/ticket/4430 - python-qrcode packaging fix
https://fedorahosted.org/freeipa/ticket/4395 - update of SSL ciphers
https://fedorahosted.org/freeipa/ticket/4534 - operational attribute ACIs
https://fedorahosted.org/freeipa/ticket/4537 - referential integrity 
configuration

All the fixes are pushed now. Please test!


+1.


If nothing else shows up, I will release 4.0.3 today.


I also sent fixed 389-ds-base-1.3.3.2-2.fc21.src.rpm to our Copr to have it 
ready for F20.


Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 0009 Detect and configure all usable IP addresses.

[Martin Basti]

snip /

Be careful, reviewed on friday! :-)

1)
whitespace error + pep8 error
patch:76: trailing whitespace.
# there is reverse zone for every ip address
warning: 1 line adds whitespace errors.

./ipaserver/install/bindinstance.py:640:9: E265 block comment should 
start with '# '



2) (server install)
+for ip in ip_addresses:
+for rev_zone in reverse_zones:
+if bindinstance.verify_reverse_zone(rev_zone, str(ip)):
+break
+else:
+sys.exit(1)

Please add there error message instead 1 to exit function

3) (server install)
Code above, bindinstance.verify_reverse_zone(rev_zone, str(ip)):
IMHO this will cause errors (not tested) try:
rev-zones: [10.10.10.in-addr.arpa., 16.172.in-addr.arpa.]
ip_addreses: [10.10.10.1, 172.16.0.1]

it should be any() of zone can handle ip

4) (replica-install)
I'm not sure about behavior of combination ip addresses, and reverse zones,
In original code, if user specify reverse zone, the ip address must match.

In patched version, you just add new zones for ip-addresses which 
doesn't math the user zones.


IMO we should check if all addresses belongs to user specified zones, 
otherwise raise an error.

But I'm open to suggestions.

5)
Code for ipa-replica-install, and ipa-server-install, differs in parts 
where we expecting same behavior

  - ip addresses and reverse zones

6)
https://engineering.redhat.com/irc-services.txt+# there is at 
least one ip address in every zone

+if options.reverse_zones:
+for reverse_zone in options.reverse_zones:
+for ip in config.ips: 
-- 
A

+if bindinstance.verify_reverse_zone(reverse_zone, ip):
+ reverse_zones.append(bindinstance.normalize_zone(reverse_zone))
+break
+else:
+sys.exit(1) 
*

+# there is reverse zone for every ip address
+for ip in config.ips:
+for reverse_zone in options.reverse_zones: 
--- B

+if bindinstance.verify_reverse_zone(reverse_zone, ip):
+if reverse_zone not in reverse_zones:
+ reverse_zones.append(bindinstance.normalize_zone(reverse_zone))
+break
+else: 
 
C

+reverse_zone = bindinstance.find_reverse_zone(ip)
+if reverse_zone is None and not options.no_reverse:
+reverse_zone = util.get_reverse_zone_default(ip) 
- D1
+if not options.unattended and 
bindinstance.create_reverse(): - D
+reverse_zone = 
bindinstance.read_reverse_zone(reverse_zone, ip)
+ reverse_zones.append(bindinstance.normalize_zone(reverse_zone)) 
- D2


You added all possible zones in step A,  B step is not needed.
If user doesn't specify reverse_zones you can just jump to C step
*add error message
C: elif not options.no_reverse
D: you asked user if wants to create zone, but you don't care about 
answer, and in step D2 append zone from D1
note: --no-reverse and --reverse-zones cant be used together, you can 
use it in new code, test it before cycle


7)
 # Always use force=True as named is not set up yet
 add_zone(self.domain, self.zonemgr, dns_backup=self.dns_backup,
-ns_hostname=api.env.host, 
ns_ip_address=nameserver_ip_address,

-force=True)
+ ns_hostname=api.env.host, ns_ip_address=None, force=True)
+#for ns_ip_address in nameserver_ip_address:
+#add_zone(self.domain, self.zonemgr, 
dns_backup=self.dns_backup,

+#ns_hostname=api.env.host, ns_ip_address=ns_ip_address,
+#force=True)

Please remove commented section

You can remove 'ns_ip_address=None' from function

8)
+if set(options.ip_addresses) = set(ips):
+ips = options.ip_addresses
+else:
+print sys.stderr, Error: the hostname resolves to an 
IP address that is different
+print sys.stderr, from the one provided on the 
command line.  Please fix your DNS
+print sys.stderr, or /etc/hosts file and restart the 
installation.

+sys.exit(1)

Could you write those extra addresses to output? We need to improve 
usability of our error messages



--
Martin Basti

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] Announcing FreeIPA 4.0.3

[Petr Viktorin]

The FreeIPA team would like to announce FreeIPA v4.0.3 bugfix release!

It can be downloaded from http://www.freeipa.org/page/Downloads. The 
builds will be available for Fedora 21 Beta. Builds for Fedora 20 are 
available in the official 
[https://copr.fedoraproject.org/coprs/mkosek/freeipa/ COPR repository].


== Bug fixes in 4.0.3 ==
* Several issues concerning integration with 389 Directory Server 1.3.3 
were fixed.

* An upgrade crash was fixed.

== Known Issues ==
* On Fedora 21 Alpha, FreeIPA server configuration should be done after 
upgrading packages from updates-testing.


== Upgrading ==
An IPA server can be upgraded simply by installing updated rpms. The 
server does not need to be shut down in advance.


Please note that if you are doing the upgrade in special environment 
(e.g. FedUp) which does not allow running the LDAP server during upgrade 
process, upgrade scripts need to be run manually after the first boot:


 # ipa-ldap-updater --upgrade
 # ipa-upgradeconfig

Also note that the performance improvements require an extended set of 
indexes to be configured. RPM update for an IPA server with a excessive 
number of users may require several minutes to finish.


If you have multiple servers you may upgrade them one at a time. It is 
expected that all servers will be upgraded in a relatively short period 
(days or weeks, not months). They should be able to co-exist peacefully 
but new features will not be available on old servers and enrolling a 
new client against an old server will result in the SSH keys not being 
uploaded.


Downgrading a server once upgraded is not supported.

Upgrading from 3.3.0 and later versions is supported. Upgrading from 
previous versions is not supported and has not been tested.


An enrolled client does not need the new packages installed unless you 
want to re-enroll it. SSH keys for already installed clients are not 
uploaded, you will have to re-enroll the client or manually upload the keys.


== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users 
mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or 
#freeipa channel on Freenode.


== Detailed Changelog since 4.0.2 ==
=== David Kupka (1) ===
* Fix typo causing ipa-upgradeconfig to fail.

=== Ludwig Krispenz (1) ===
* Update SSL ciphers configured in 389-ds-base

=== Nathaniel McCallum (1) ===
* Update qrcode support for newer python-qrcode

=== Petr Viktorin (4) ===
* Update referential integrity config for DS 1.3.3
* permission plugin: Auto-add operational atttributes to read permissions
* Allow deleting obsolete permissions; remove operational attribute 
permissions

* Become IPA 4.0.3

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel