Re: [Freeipa-devel] [PATCH, 4.1] 0166 updater: enable uid uniqueness plugin for posixAccount objects
On 10/20/2014 08:25 PM, Alexander Bokovoy wrote: Hi! This patch is for ipa-4-1 branch to enable uniqueness plugin for uid attribute for entries with objectclass posixAccount. We don't have uid uniqueness enforced in FreeIPA 4.1 yet but for posixAccounts it worked due to our design of a flat tree: as uid attribute is part of the DN, renaming user entries enforces uniqueness as MODRDN will fail if entry with the same uid already exists. However, it is not enough for ID views -- we should be able to allow ID view overrides for the same uid across multiple views and we should be able to protect uid uniqueness more generally too. Implementation is done via update plugin that checks for existing uid uniqueness plugin and if it is missing, it will be added. If plugin exists, its configuration will be updated. I haven't added update specific to git master where staging subtree is added but I'll do that after FreeIPA 4.1 release as in 4.1 we don't yet have the staging subtree. Currently master has broken setup for uid uniqueness plugin that doesn't actually work anyway so it will be easier to add upgrade over properly configured entry. https://fedorahosted.org/freeipa/ticket/4636 Hi Alexander, Thanks for the patch! However, I am personally not very confident with merging it right before 4.1 release, I thought it will be a simple update definition while this is a complex upgrade script which needs to be properly tested. I would rather wait for 4.1.x, especially given it does not block any 4.1 major feature in any way. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES 0117, 0135-0149] DNSSEC support
Dne 20.10.2014 v 23:40 Martin Basti napsal(a):
On 20/10/14 18:28, Jan Cholasta wrote:
Hi,
Dne 20.10.2014 v 17:37 Petr Spacek napsal(a):
On 20.10.2014 17:21, Martin Basti wrote:
Hello! Hold your hats, DNSSEC patches are here.
Martin^2, Petr^2
For testing you will need following package:
http://koji.fedoraproject.org/koji/taskinfo?taskID=7915293
From me, functional self-ACK :-)
Patch 117:
1)
As we discussed off-line, this code is wrong and a ticket should be
opened to fix it to properly handle service files conflicting with the
mask command:
+if instance_name != :
+srv_tgt = os.path.join(paths.ETC_SYSTEMD_SYSTEM_DIR,
instance_name)
+# remove instance file or link before masking
+if os.path.islink(srv_tgt):
+os.unlink(srv_tgt)
Patch 137:
1)
There are some whitespace errors:
Applying: DNSSEC: add ipapk11helper module
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:95:
trailing whitespace.
*
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:100:
trailing whitespace.
*
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:105:
trailing whitespace.
*
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:203:
trailing whitespace.
*
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:208:
trailing whitespace.
*
warning: squelched 3 whitespace errors
warning: 8 lines add whitespace errors.
Patch 138:
1)
There is a whitespace error:
Applying: DNSSEC: DNS key synchronization daemon
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:54: new
blank line at EOF.
+
warning: 1 line adds whitespace errors.
Patch 140:
1)
Unless there is a dnssec_keys ipalib plugins, I don't think there
should be container_dnssec_keys. Use DN(('cn', 'keys'), ('cn',
'sec'), api.env.container_dns, ...) instead of
DN(api.env.container_dnssec_keys, ...).
2)
The masking method definitions in PlatformService should be moved to
patch 117.
3)
The changes in dnskeysyncinstance.py, odsexportedinstance.py and
opendnssecinstance.py should be moved to patches 138 and 139.
Patch 147:
1)
There are some whitespace errors:
Applying: DNSSEC: add ipa dnssec daemons
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:135:
trailing whitespace.
# synchronize metadata about master keys in LDAP
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:1228:
trailing whitespace.
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:1291:
trailing whitespace.
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:873: new
blank line at EOF.
+
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:1126: new
blank line at EOF.
+
warning: squelched 1 whitespace error
warning: 6 lines add whitespace errors.
Honza
Whitespaces fixed,
mask, and dnssec_container issues move to 4.1.1 please.
mask ACK, container NACK - I don't think we want to introduce a new
configuration option and deprecate it right away and it's a change in
just 3 lines of code.
But we have schema conflict:
[20/Oct/2014:04:48:40 -0400] dse_read_one_file - The entry cn=schema in
file /etc/dirsrv/slapd-IPA-EXAMPLE/schema/71idviews.ldif (lineno: 1) is
invalid, error code 20 (Type or value exists) - object class
ipaOverrideTarget: The name does not match the OID
2.16.840.1.113730.3.8.12.34. Another object class is already using the
name or OID.
git grep -n 2.16.840.1.113730.3.8.12.34
install/share/60basev3.ldif:79:objectClasses:
(2.16.840.1.113730.3.8.12.34 NAME 'ipaSecretKeyRefObject' DESC 'Indirect
storage for encoded key material' SUP top AUXILIARY MUST (
ipaSecretKeyRef ) X-...
install/share/71idviews.ldif:8:objectClasses:
(2.16.840.1.113730.3.8.12.34 NAME 'ipaOverrideTarget' SUP top STRUCTURAL
MUST ( ipaAnchorUUID ) X-ORIGIN 'IPA v4' )
Updated patches atached.
2.16.840.1.113730.3.8.12.35 is not used, I change it in patch mbasti-0150
NACK on patch 150, 2.16.840.1.113730.3.8.12.34 was reserved for
ipaSecretKeyRefObject, there is no reserved OID for ipaOverrideTarget,
so it's ipaOverrideTarget which should be fixed.
--
Jan Cholasta
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH, 4.1] 0166 updater: enable uid uniqueness plugin for posixAccount objects
On Tue, 21 Oct 2014, Martin Kosek wrote: On 10/20/2014 08:25 PM, Alexander Bokovoy wrote: Hi! This patch is for ipa-4-1 branch to enable uniqueness plugin for uid attribute for entries with objectclass posixAccount. We don't have uid uniqueness enforced in FreeIPA 4.1 yet but for posixAccounts it worked due to our design of a flat tree: as uid attribute is part of the DN, renaming user entries enforces uniqueness as MODRDN will fail if entry with the same uid already exists. However, it is not enough for ID views -- we should be able to allow ID view overrides for the same uid across multiple views and we should be able to protect uid uniqueness more generally too. Implementation is done via update plugin that checks for existing uid uniqueness plugin and if it is missing, it will be added. If plugin exists, its configuration will be updated. I haven't added update specific to git master where staging subtree is added but I'll do that after FreeIPA 4.1 release as in 4.1 we don't yet have the staging subtree. Currently master has broken setup for uid uniqueness plugin that doesn't actually work anyway so it will be easier to add upgrade over properly configured entry. https://fedorahosted.org/freeipa/ticket/4636 Hi Alexander, Thanks for the patch! However, I am personally not very confident with merging it right before 4.1 release, I thought it will be a simple update definition while this is a complex upgrade script which needs to be properly tested. I would rather wait for 4.1.x, especially given it does not block any 4.1 major feature in any way. I disagree on it for multiple reasons and one of them is that 'a simple update definition' is not right here. Attribute uniqueness plugin supports three different types of setting its own arguments. These types aren't mixable, you have to do switch from one to another. That's why update plugin is the correct approach here. The update plugin I've wrote is very simple by itself. -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES 0117, 0135-0149] DNSSEC support
On Tue, 21 Oct 2014, Jan Cholasta wrote:
Dne 20.10.2014 v 23:40 Martin Basti napsal(a):
On 20/10/14 18:28, Jan Cholasta wrote:
Hi,
Dne 20.10.2014 v 17:37 Petr Spacek napsal(a):
On 20.10.2014 17:21, Martin Basti wrote:
Hello! Hold your hats, DNSSEC patches are here.
Martin^2, Petr^2
For testing you will need following package:
http://koji.fedoraproject.org/koji/taskinfo?taskID=7915293
From me, functional self-ACK :-)
Patch 117:
1)
As we discussed off-line, this code is wrong and a ticket should be
opened to fix it to properly handle service files conflicting with the
mask command:
+if instance_name != :
+srv_tgt = os.path.join(paths.ETC_SYSTEMD_SYSTEM_DIR,
instance_name)
+# remove instance file or link before masking
+if os.path.islink(srv_tgt):
+os.unlink(srv_tgt)
Patch 137:
1)
There are some whitespace errors:
Applying: DNSSEC: add ipapk11helper module
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:95:
trailing whitespace.
*
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:100:
trailing whitespace.
*
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:105:
trailing whitespace.
*
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:203:
trailing whitespace.
*
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:208:
trailing whitespace.
*
warning: squelched 3 whitespace errors
warning: 8 lines add whitespace errors.
Patch 138:
1)
There is a whitespace error:
Applying: DNSSEC: DNS key synchronization daemon
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:54: new
blank line at EOF.
+
warning: 1 line adds whitespace errors.
Patch 140:
1)
Unless there is a dnssec_keys ipalib plugins, I don't think there
should be container_dnssec_keys. Use DN(('cn', 'keys'), ('cn',
'sec'), api.env.container_dns, ...) instead of
DN(api.env.container_dnssec_keys, ...).
2)
The masking method definitions in PlatformService should be moved to
patch 117.
3)
The changes in dnskeysyncinstance.py, odsexportedinstance.py and
opendnssecinstance.py should be moved to patches 138 and 139.
Patch 147:
1)
There are some whitespace errors:
Applying: DNSSEC: add ipa dnssec daemons
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:135:
trailing whitespace.
# synchronize metadata about master keys in LDAP
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:1228:
trailing whitespace.
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:1291:
trailing whitespace.
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:873: new
blank line at EOF.
+
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:1126: new
blank line at EOF.
+
warning: squelched 1 whitespace error
warning: 6 lines add whitespace errors.
Honza
Whitespaces fixed,
mask, and dnssec_container issues move to 4.1.1 please.
mask ACK, container NACK - I don't think we want to introduce a new
configuration option and deprecate it right away and it's a change in
just 3 lines of code.
But we have schema conflict:
[20/Oct/2014:04:48:40 -0400] dse_read_one_file - The entry cn=schema in
file /etc/dirsrv/slapd-IPA-EXAMPLE/schema/71idviews.ldif (lineno: 1) is
invalid, error code 20 (Type or value exists) - object class
ipaOverrideTarget: The name does not match the OID
2.16.840.1.113730.3.8.12.34. Another object class is already using the
name or OID.
git grep -n 2.16.840.1.113730.3.8.12.34
install/share/60basev3.ldif:79:objectClasses:
(2.16.840.1.113730.3.8.12.34 NAME 'ipaSecretKeyRefObject' DESC 'Indirect
storage for encoded key material' SUP top AUXILIARY MUST (
ipaSecretKeyRef ) X-...
install/share/71idviews.ldif:8:objectClasses:
(2.16.840.1.113730.3.8.12.34 NAME 'ipaOverrideTarget' SUP top STRUCTURAL
MUST ( ipaAnchorUUID ) X-ORIGIN 'IPA v4' )
Updated patches atached.
2.16.840.1.113730.3.8.12.35 is not used, I change it in patch mbasti-0150
NACK on patch 150, 2.16.840.1.113730.3.8.12.34 was reserved for
ipaSecretKeyRefObject, there is no reserved OID for ipaOverrideTarget,
so it's ipaOverrideTarget which should be fixed.
We were meaning to reserve .34 for ipaOverrideTarget for long time. As
ipaOverrideTarget is already in git, it makes sense to change dnssec
OIDs instead. Yes, we've got to step over each other's toes but that's
life. I've already have slapi-nis 0.54 released which relies on
ipaOverrideTarget definition.
--
/ Alexander Bokovoy
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES 0117, 0135-0149] DNSSEC support
Dne 21.10.2014 v 08:45 Alexander Bokovoy napsal(a):
On Tue, 21 Oct 2014, Jan Cholasta wrote:
Dne 20.10.2014 v 23:40 Martin Basti napsal(a):
On 20/10/14 18:28, Jan Cholasta wrote:
Hi,
Dne 20.10.2014 v 17:37 Petr Spacek napsal(a):
On 20.10.2014 17:21, Martin Basti wrote:
Hello! Hold your hats, DNSSEC patches are here.
Martin^2, Petr^2
For testing you will need following package:
http://koji.fedoraproject.org/koji/taskinfo?taskID=7915293
From me, functional self-ACK :-)
Patch 117:
1)
As we discussed off-line, this code is wrong and a ticket should be
opened to fix it to properly handle service files conflicting with the
mask command:
+if instance_name != :
+srv_tgt = os.path.join(paths.ETC_SYSTEMD_SYSTEM_DIR,
instance_name)
+# remove instance file or link before masking
+if os.path.islink(srv_tgt):
+os.unlink(srv_tgt)
Patch 137:
1)
There are some whitespace errors:
Applying: DNSSEC: add ipapk11helper module
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:95:
trailing whitespace.
*
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:100:
trailing whitespace.
*
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:105:
trailing whitespace.
*
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:203:
trailing whitespace.
*
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:208:
trailing whitespace.
*
warning: squelched 3 whitespace errors
warning: 8 lines add whitespace errors.
Patch 138:
1)
There is a whitespace error:
Applying: DNSSEC: DNS key synchronization daemon
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:54: new
blank line at EOF.
+
warning: 1 line adds whitespace errors.
Patch 140:
1)
Unless there is a dnssec_keys ipalib plugins, I don't think there
should be container_dnssec_keys. Use DN(('cn', 'keys'), ('cn',
'sec'), api.env.container_dns, ...) instead of
DN(api.env.container_dnssec_keys, ...).
2)
The masking method definitions in PlatformService should be moved to
patch 117.
3)
The changes in dnskeysyncinstance.py, odsexportedinstance.py and
opendnssecinstance.py should be moved to patches 138 and 139.
Patch 147:
1)
There are some whitespace errors:
Applying: DNSSEC: add ipa dnssec daemons
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:135:
trailing whitespace.
# synchronize metadata about master keys in LDAP
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:1228:
trailing whitespace.
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:1291:
trailing whitespace.
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:873: new
blank line at EOF.
+
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:1126: new
blank line at EOF.
+
warning: squelched 1 whitespace error
warning: 6 lines add whitespace errors.
Honza
Whitespaces fixed,
mask, and dnssec_container issues move to 4.1.1 please.
mask ACK, container NACK - I don't think we want to introduce a new
configuration option and deprecate it right away and it's a change in
just 3 lines of code.
But we have schema conflict:
[20/Oct/2014:04:48:40 -0400] dse_read_one_file - The entry cn=schema in
file /etc/dirsrv/slapd-IPA-EXAMPLE/schema/71idviews.ldif (lineno: 1) is
invalid, error code 20 (Type or value exists) - object class
ipaOverrideTarget: The name does not match the OID
2.16.840.1.113730.3.8.12.34. Another object class is already using the
name or OID.
git grep -n 2.16.840.1.113730.3.8.12.34
install/share/60basev3.ldif:79:objectClasses:
(2.16.840.1.113730.3.8.12.34 NAME 'ipaSecretKeyRefObject' DESC 'Indirect
storage for encoded key material' SUP top AUXILIARY MUST (
ipaSecretKeyRef ) X-...
install/share/71idviews.ldif:8:objectClasses:
(2.16.840.1.113730.3.8.12.34 NAME 'ipaOverrideTarget' SUP top STRUCTURAL
MUST ( ipaAnchorUUID ) X-ORIGIN 'IPA v4' )
Updated patches atached.
2.16.840.1.113730.3.8.12.35 is not used, I change it in patch
mbasti-0150
NACK on patch 150, 2.16.840.1.113730.3.8.12.34 was reserved for
ipaSecretKeyRefObject, there is no reserved OID for ipaOverrideTarget,
so it's ipaOverrideTarget which should be fixed.
We were meaning to reserve .34 for ipaOverrideTarget for long time. As
ipaOverrideTarget is already in git, it makes sense to change dnssec
OIDs instead. Yes, we've got to step over each other's toes but that's
life. I've already have slapi-nis 0.54 released which relies on
ipaOverrideTarget definition.
That's unreleased code and it surely does not rely on it's OID, does it?
It's *your* mess and *you* should clean it up. That's life.
--
Jan Cholasta
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES 0117, 0135-0149] DNSSEC support
Dne 21.10.2014 v 08:33 Jan Cholasta napsal(a):
Dne 20.10.2014 v 23:40 Martin Basti napsal(a):
On 20/10/14 18:28, Jan Cholasta wrote:
Hi,
Dne 20.10.2014 v 17:37 Petr Spacek napsal(a):
On 20.10.2014 17:21, Martin Basti wrote:
Hello! Hold your hats, DNSSEC patches are here.
Martin^2, Petr^2
For testing you will need following package:
http://koji.fedoraproject.org/koji/taskinfo?taskID=7915293
From me, functional self-ACK :-)
Patch 117:
1)
As we discussed off-line, this code is wrong and a ticket should be
opened to fix it to properly handle service files conflicting with the
mask command:
+if instance_name != :
+srv_tgt = os.path.join(paths.ETC_SYSTEMD_SYSTEM_DIR,
instance_name)
+# remove instance file or link before masking
+if os.path.islink(srv_tgt):
+os.unlink(srv_tgt)
Patch 137:
1)
There are some whitespace errors:
Applying: DNSSEC: add ipapk11helper module
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:95:
trailing whitespace.
*
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:100:
trailing whitespace.
*
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:105:
trailing whitespace.
*
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:203:
trailing whitespace.
*
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:208:
trailing whitespace.
*
warning: squelched 3 whitespace errors
warning: 8 lines add whitespace errors.
Patch 138:
1)
There is a whitespace error:
Applying: DNSSEC: DNS key synchronization daemon
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:54: new
blank line at EOF.
+
warning: 1 line adds whitespace errors.
Patch 140:
1)
Unless there is a dnssec_keys ipalib plugins, I don't think there
should be container_dnssec_keys. Use DN(('cn', 'keys'), ('cn',
'sec'), api.env.container_dns, ...) instead of
DN(api.env.container_dnssec_keys, ...).
2)
The masking method definitions in PlatformService should be moved to
patch 117.
3)
The changes in dnskeysyncinstance.py, odsexportedinstance.py and
opendnssecinstance.py should be moved to patches 138 and 139.
Patch 147:
1)
There are some whitespace errors:
Applying: DNSSEC: add ipa dnssec daemons
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:135:
trailing whitespace.
# synchronize metadata about master keys in LDAP
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:1228:
trailing whitespace.
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:1291:
trailing whitespace.
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:873: new
blank line at EOF.
+
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:1126: new
blank line at EOF.
+
warning: squelched 1 whitespace error
warning: 6 lines add whitespace errors.
Honza
Whitespaces fixed,
mask, and dnssec_container issues move to 4.1.1 please.
mask ACK, container NACK - I don't think we want to introduce a new
configuration option and deprecate it right away and it's a change in
just 3 lines of code.
Patch attached.
--
Jan Cholasta
From 588769b2d57b99c385485eb30259ea6ea48dfa2e Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Tue, 21 Oct 2014 09:09:08 +0200
Subject: [PATCH] DNSSEC: remove container_dnssec_keys
---
daemons/dnssec/ipa-dnskeysync-replica | 3 ++-
daemons/dnssec/ipa-ods-exporter | 3 ++-
ipalib/constants.py | 1 -
3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/daemons/dnssec/ipa-dnskeysync-replica b/daemons/dnssec/ipa-dnskeysync-replica
index 4d3e660..23c95a0 100755
--- a/daemons/dnssec/ipa-dnskeysync-replica
+++ b/daemons/dnssec/ipa-dnskeysync-replica
@@ -152,7 +152,8 @@ log.debug('Connected')
### DNSSEC master: key synchronization
ldapkeydb = LdapKeyDB(log, ldap,
-DN(ipalib.api.env.container_dnssec_keys, ipalib.api.env.basedn))
+DN(('cn', 'keys'), ('cn', 'sec'), ipalib.api.env.container_dns,
+ ipalib.api.env.basedn))
# TODO: slot number could be configurable
localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, 0,
diff --git a/daemons/dnssec/ipa-ods-exporter b/daemons/dnssec/ipa-ods-exporter
index 4ae0d99..2285891 100755
--- a/daemons/dnssec/ipa-ods-exporter
+++ b/daemons/dnssec/ipa-ods-exporter
@@ -412,7 +412,8 @@ log.debug('Connected')
### DNSSEC master: key synchronization
-ldapkeydb = LdapKeyDB(log, ldap, DN(ipalib.api.env.container_dnssec_keys,
+ldapkeydb = LdapKeyDB(log, ldap, DN(('cn', 'keys'), ('cn', 'sec'),
+ipalib.api.env.container_dns,
ipalib.api.env.basedn))
localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, 0,
open(paths.DNSSEC_SOFTHSM_PIN).read())
diff --git a/ipalib/constants.py b/ipalib/constants.py
index f931482..1eed7ca 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -97,7 +97,6 @@ DEFAULT_CONFIG = (
('container_hbacservice', DN(('cn', 'hbacservices'), ('cn', 'hbac'))),
Re: [Freeipa-devel] [PATCH 0001] migrate-ds: Fix to exclude attrs with uppercase characters from migration
Just realized that I sent the email without body. Mea culpa. Here we go: Fix entry_attr case to make migrate-ds work again Migration of a OpenLDAP based directory to FreeIPA with some objectclasses removed failed because of --user-ignore-attribute didn't work. Fixed that by making LDAPEntry object entry_attry lowercased. https://fedorahosted.org/freeipa/ticket/4620 On [Mon, 20.10.2014 11:57], Thorsten Scherf wrote: From 6dd24dc6f08f01997bf3d7ccc06d77a7fd239e61 Mon Sep 17 00:00:00 2001 From: Thorsten Scherf tsch...@redhat.com Date: Mon, 20 Oct 2014 11:47:18 +0200 Subject: [PATCH] Fix entry_attr case to make migrate-ds work again Migration of a OpenLDAP based directory to FreeIPA with some objectclasses removed failed because of --user-ignore-attribute didn't work. Fixed that by making LDAPEntry object entry_attry lowercased. https://fedorahosted.org/freeipa/ticket/4620 --- ipalib/plugins/migration.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipalib/plugins/migration.py b/ipalib/plugins/migration.py index 6b630a464f0be163e82de95afe3a74b22889574b..2500186d26d16d14b7b87dd6902ea385a40ca87b 100644 --- a/ipalib/plugins/migration.py +++ b/ipalib/plugins/migration.py @@ -197,7 +197,7 @@ def _pre_migrate_user(ldap, pkey, dn, entry_attrs, failed, config, ctx, **kwargs # do not migrate all attributes for attr in entry_attrs.keys(): -if attr in attr_blacklist: +if attr.lower() in attr_blacklist: del entry_attrs[attr] # do not migrate all object classes -- 1.9.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel pgp2vx5te7ufg.pgp Description: PGP signature ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES 0117, 0135-0149] DNSSEC support
On 10/21/2014 08:50 AM, Jan Cholasta wrote:
Dne 21.10.2014 v 08:45 Alexander Bokovoy napsal(a):
On Tue, 21 Oct 2014, Jan Cholasta wrote:
Dne 20.10.2014 v 23:40 Martin Basti napsal(a):
On 20/10/14 18:28, Jan Cholasta wrote:
Hi,
Dne 20.10.2014 v 17:37 Petr Spacek napsal(a):
On 20.10.2014 17:21, Martin Basti wrote:
Hello! Hold your hats, DNSSEC patches are here.
Martin^2, Petr^2
For testing you will need following package:
http://koji.fedoraproject.org/koji/taskinfo?taskID=7915293
From me, functional self-ACK :-)
Patch 117:
1)
As we discussed off-line, this code is wrong and a ticket should be
opened to fix it to properly handle service files conflicting with the
mask command:
+if instance_name != :
+srv_tgt = os.path.join(paths.ETC_SYSTEMD_SYSTEM_DIR,
instance_name)
+# remove instance file or link before masking
+if os.path.islink(srv_tgt):
+os.unlink(srv_tgt)
Patch 137:
1)
There are some whitespace errors:
Applying: DNSSEC: add ipapk11helper module
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:95:
trailing whitespace.
*
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:100:
trailing whitespace.
*
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:105:
trailing whitespace.
*
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:203:
trailing whitespace.
*
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:208:
trailing whitespace.
*
warning: squelched 3 whitespace errors
warning: 8 lines add whitespace errors.
Patch 138:
1)
There is a whitespace error:
Applying: DNSSEC: DNS key synchronization daemon
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:54: new
blank line at EOF.
+
warning: 1 line adds whitespace errors.
Patch 140:
1)
Unless there is a dnssec_keys ipalib plugins, I don't think there
should be container_dnssec_keys. Use DN(('cn', 'keys'), ('cn',
'sec'), api.env.container_dns, ...) instead of
DN(api.env.container_dnssec_keys, ...).
2)
The masking method definitions in PlatformService should be moved to
patch 117.
3)
The changes in dnskeysyncinstance.py, odsexportedinstance.py and
opendnssecinstance.py should be moved to patches 138 and 139.
Patch 147:
1)
There are some whitespace errors:
Applying: DNSSEC: add ipa dnssec daemons
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:135:
trailing whitespace.
# synchronize metadata about master keys in LDAP
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:1228:
trailing whitespace.
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:1291:
trailing whitespace.
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:873: new
blank line at EOF.
+
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:1126: new
blank line at EOF.
+
warning: squelched 1 whitespace error
warning: 6 lines add whitespace errors.
Honza
Whitespaces fixed,
mask, and dnssec_container issues move to 4.1.1 please.
mask ACK, container NACK - I don't think we want to introduce a new
configuration option and deprecate it right away and it's a change in
just 3 lines of code.
But we have schema conflict:
[20/Oct/2014:04:48:40 -0400] dse_read_one_file - The entry cn=schema in
file /etc/dirsrv/slapd-IPA-EXAMPLE/schema/71idviews.ldif (lineno: 1) is
invalid, error code 20 (Type or value exists) - object class
ipaOverrideTarget: The name does not match the OID
2.16.840.1.113730.3.8.12.34. Another object class is already using the
name or OID.
git grep -n 2.16.840.1.113730.3.8.12.34
install/share/60basev3.ldif:79:objectClasses:
(2.16.840.1.113730.3.8.12.34 NAME 'ipaSecretKeyRefObject' DESC 'Indirect
storage for encoded key material' SUP top AUXILIARY MUST (
ipaSecretKeyRef ) X-...
install/share/71idviews.ldif:8:objectClasses:
(2.16.840.1.113730.3.8.12.34 NAME 'ipaOverrideTarget' SUP top STRUCTURAL
MUST ( ipaAnchorUUID ) X-ORIGIN 'IPA v4' )
Updated patches atached.
2.16.840.1.113730.3.8.12.35 is not used, I change it in patch
mbasti-0150
NACK on patch 150, 2.16.840.1.113730.3.8.12.34 was reserved for
ipaSecretKeyRefObject, there is no reserved OID for ipaOverrideTarget,
so it's ipaOverrideTarget which should be fixed.
We were meaning to reserve .34 for ipaOverrideTarget for long time. As
ipaOverrideTarget is already in git, it makes sense to change dnssec
OIDs instead. Yes, we've got to step over each other's toes but that's
life. I've already have slapi-nis 0.54 released which relies on
ipaOverrideTarget definition.
That's unreleased code and it surely does not rely on it's OID, does it?
It's *your* mess and *you* should clean it up. That's life.
If the code was released, I would give +1 for Alexander as we really cannot
changed *released* OIDs.
But this is not the case so I think that fixing the OID that was not properly
registered is a good practice.
Martin
Re: [Freeipa-devel] [PATCHES 0117, 0135-0149] DNSSEC support
On Tue, 21 Oct 2014, Martin Kosek wrote:
On 10/21/2014 08:50 AM, Jan Cholasta wrote:
Dne 21.10.2014 v 08:45 Alexander Bokovoy napsal(a):
On Tue, 21 Oct 2014, Jan Cholasta wrote:
Dne 20.10.2014 v 23:40 Martin Basti napsal(a):
On 20/10/14 18:28, Jan Cholasta wrote:
Hi,
Dne 20.10.2014 v 17:37 Petr Spacek napsal(a):
On 20.10.2014 17:21, Martin Basti wrote:
Hello! Hold your hats, DNSSEC patches are here.
Martin^2, Petr^2
For testing you will need following package:
http://koji.fedoraproject.org/koji/taskinfo?taskID=7915293
From me, functional self-ACK :-)
Patch 117:
1)
As we discussed off-line, this code is wrong and a ticket should be
opened to fix it to properly handle service files conflicting with the
mask command:
+if instance_name != :
+srv_tgt = os.path.join(paths.ETC_SYSTEMD_SYSTEM_DIR,
instance_name)
+# remove instance file or link before masking
+if os.path.islink(srv_tgt):
+os.unlink(srv_tgt)
Patch 137:
1)
There are some whitespace errors:
Applying: DNSSEC: add ipapk11helper module
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:95:
trailing whitespace.
*
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:100:
trailing whitespace.
*
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:105:
trailing whitespace.
*
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:203:
trailing whitespace.
*
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:208:
trailing whitespace.
*
warning: squelched 3 whitespace errors
warning: 8 lines add whitespace errors.
Patch 138:
1)
There is a whitespace error:
Applying: DNSSEC: DNS key synchronization daemon
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:54: new
blank line at EOF.
+
warning: 1 line adds whitespace errors.
Patch 140:
1)
Unless there is a dnssec_keys ipalib plugins, I don't think there
should be container_dnssec_keys. Use DN(('cn', 'keys'), ('cn',
'sec'), api.env.container_dns, ...) instead of
DN(api.env.container_dnssec_keys, ...).
2)
The masking method definitions in PlatformService should be moved to
patch 117.
3)
The changes in dnskeysyncinstance.py, odsexportedinstance.py and
opendnssecinstance.py should be moved to patches 138 and 139.
Patch 147:
1)
There are some whitespace errors:
Applying: DNSSEC: add ipa dnssec daemons
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:135:
trailing whitespace.
# synchronize metadata about master keys in LDAP
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:1228:
trailing whitespace.
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:1291:
trailing whitespace.
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:873: new
blank line at EOF.
+
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:1126: new
blank line at EOF.
+
warning: squelched 1 whitespace error
warning: 6 lines add whitespace errors.
Honza
Whitespaces fixed,
mask, and dnssec_container issues move to 4.1.1 please.
mask ACK, container NACK - I don't think we want to introduce a new
configuration option and deprecate it right away and it's a change in
just 3 lines of code.
But we have schema conflict:
[20/Oct/2014:04:48:40 -0400] dse_read_one_file - The entry cn=schema in
file /etc/dirsrv/slapd-IPA-EXAMPLE/schema/71idviews.ldif (lineno: 1) is
invalid, error code 20 (Type or value exists) - object class
ipaOverrideTarget: The name does not match the OID
2.16.840.1.113730.3.8.12.34. Another object class is already using the
name or OID.
git grep -n 2.16.840.1.113730.3.8.12.34
install/share/60basev3.ldif:79:objectClasses:
(2.16.840.1.113730.3.8.12.34 NAME 'ipaSecretKeyRefObject' DESC 'Indirect
storage for encoded key material' SUP top AUXILIARY MUST (
ipaSecretKeyRef ) X-...
install/share/71idviews.ldif:8:objectClasses:
(2.16.840.1.113730.3.8.12.34 NAME 'ipaOverrideTarget' SUP top STRUCTURAL
MUST ( ipaAnchorUUID ) X-ORIGIN 'IPA v4' )
Updated patches atached.
2.16.840.1.113730.3.8.12.35 is not used, I change it in patch
mbasti-0150
NACK on patch 150, 2.16.840.1.113730.3.8.12.34 was reserved for
ipaSecretKeyRefObject, there is no reserved OID for ipaOverrideTarget,
so it's ipaOverrideTarget which should be fixed.
We were meaning to reserve .34 for ipaOverrideTarget for long time. As
ipaOverrideTarget is already in git, it makes sense to change dnssec
OIDs instead. Yes, we've got to step over each other's toes but that's
life. I've already have slapi-nis 0.54 released which relies on
ipaOverrideTarget definition.
That's unreleased code and it surely does not rely on it's OID, does it?
It's *your* mess and *you* should clean it up. That's life.
If the code was released, I would give +1 for Alexander as we really cannot
changed *released* OIDs.
But this is not the case so I think that fixing the OID that was not properly
registered is a good practice.
I did push a one-liner to master and ipa-4-1 that changes OID to .35.
You will need to
Re: [Freeipa-devel] [PATCH] 131-132 extdom: add support for sss_nss_getorigbyname()
On 10/20/2014 03:49 PM, Martin Kosek wrote: On 10/20/2014 03:30 PM, Jakub Hrozek wrote: On Mon, Oct 20, 2014 at 10:43:07AM +0200, Sumit Bose wrote: On Sun, Oct 19, 2014 at 10:04:29PM +0200, Jakub Hrozek wrote: On Fri, Oct 17, 2014 at 11:53:44AM +0200, Sumit Bose wrote: Hi, the first patch replaces sss_nss_getsidbyname() by sss_nss_getorigbyname() for the new version of the extdom interface. The new call returns more data about the original object and allows the IPA client to have the same information about the object in the SSSD cache as the IPA servers. The second patch just removes an obsolete dependency. bye, Sumit Hi, I was unable to send the patches through Coverity, the RH server seems to be having issues. I'll wait until tomorrow, if the problems persist, we'll just skip Coverity and fix any potential problems post-push. From 928c04c35601b7bc1c57c1320e4a746abc35e947 Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Fri, 10 Oct 2014 10:56:37 +0200 Subject: [PATCH 131/132] extdom: add support for sss_nss_getorigbyname() [...] @@ -576,13 +613,14 @@ static int handle_gid_request(enum request_types request_type, gid_t gid, enum sss_id_type id_type; size_t buf_len; char *buf = NULL; +struct sss_nss_kv *kv_list; Please set kv_list to NULL here, you're freeing the pointer unconditionally in the done handler, but in some cases (request_type == REQ_SIMPLE) kv_list is not set at all. Thank you for the review. I fixed it here and at the two other places. Thanks. Since sss_nss_getorigbyname() will only be available in the upcoming SSSD release I added 'BuildRequires: libsss_nss_idmap-devel = 1.12.2' to freeipa.spec.in. oops, nice catch, that's what I get for building from source.. New version attached. ACK! I found an unrelated SSSD bug, but this patch is fine. Thanks! But we should wait with pushing until the Requires is at least in mkosek/freeipa Copr so that other 4.1 development builds are not broken. Martin Pushed to: master: 43f8de0c7661c4cc6102bed905535a6143e77995 ipa-4-1: 99b10e506720dc7b3c76fc011352af90b7660b48 Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH 0285] spec: Bump SSSD requires to 1.12.2
Hi, this bumps the required SSSD version for the upcoming release. -- Tomas Babej Associate Software Engineer | Red Hat | Identity Management RHCE | Brno Site | IRC: tbabej | freeipa.org From a1a3110f6b31b1ad00551dc0c3beb8d00e829cf9 Mon Sep 17 00:00:00 2001 From: Tomas Babej tba...@redhat.com Date: Tue, 21 Oct 2014 10:10:39 +0200 Subject: [PATCH] spec: Bump SSSD requires to 1.12.2 --- freeipa.spec.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 282982a4f609ce9c4439b6ce001c6e2cc4562f28..3c06191a46821b8b0a870f831e305184db7f76d2 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -212,7 +212,7 @@ Requires: pam_krb5 Requires: wget Requires: libcurl = 7.21.7-2 Requires: xmlrpc-c = 1.27.4 -Requires: sssd = 1.11.1 +Requires: sssd = 1.12.2 Requires: certmonger = 0.75.6 Requires: nss-tools Requires: bind-utils -- 1.9.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 779 webui: do not show closed dialog
On 20.10.2014 22:07, Endi Sukma Dewata wrote: On 10/20/2014 12:22 PM, Petr Vobornik wrote: Fixes issues when dialog is not removed from `IPA.opened_dialogs` registry when dialog.close() is called while the dialog is not shown, i.e., while other dialog is shown. Without it, the dialog is could be incorrectly displayed. New dialog's property `opened` handles whether dialog is intended to be opened. How to test: Add new host with IP address outside of managed reverse zones to get error 4304. Didn't have a chance to test it, but the code looks fine. ACK. Perhaps the 'opened' property can be renamed to 'enabled' or something like that to avoid confusions with 'is_shown'. I've added ticket to commit message: https://fedorahosted.org/freeipa/ticket/4656 Pushed to: master: 41a7d0bf472b21018715eedf0b4c56ccbeace1f1 ipa-4-1: d3de9c0ca1844a99b1d54952f6b4355e8c8188f8 -- Petr Vobornik ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 780 webui: update combobox input on list click
On 20.10.2014 22:07, Endi Sukma Dewata wrote: On 10/20/2014 12:22 PM, Petr Vobornik wrote: Change event of combobox is not triggered when there is only one value. Calling it's handler even for option's 'click' event makes sure that value of input gets always updated. ACK. added ticket: https://fedorahosted.org/freeipa/ticket/4655 Pushed to: master: 34d3f99aae7783c4c91c29b427d412a7a85d2647 ipa-4-1: 905367334260336c33f2ae8caf5a4a2f6596094a -- Petr Vobornik ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH, 4.1] 0166 updater: enable uid uniqueness plugin for posixAccount objects
On 10/21/2014 08:41 AM, Alexander Bokovoy wrote: On Tue, 21 Oct 2014, Martin Kosek wrote: On 10/20/2014 08:25 PM, Alexander Bokovoy wrote: Hi! This patch is for ipa-4-1 branch to enable uniqueness plugin for uid attribute for entries with objectclass posixAccount. We don't have uid uniqueness enforced in FreeIPA 4.1 yet but for posixAccounts it worked due to our design of a flat tree: as uid attribute is part of the DN, renaming user entries enforces uniqueness as MODRDN will fail if entry with the same uid already exists. However, it is not enough for ID views -- we should be able to allow ID view overrides for the same uid across multiple views and we should be able to protect uid uniqueness more generally too. Implementation is done via update plugin that checks for existing uid uniqueness plugin and if it is missing, it will be added. If plugin exists, its configuration will be updated. I haven't added update specific to git master where staging subtree is added but I'll do that after FreeIPA 4.1 release as in 4.1 we don't yet have the staging subtree. Currently master has broken setup for uid uniqueness plugin that doesn't actually work anyway so it will be easier to add upgrade over properly configured entry. https://fedorahosted.org/freeipa/ticket/4636 Hi Alexander, Thanks for the patch! However, I am personally not very confident with merging it right before 4.1 release, I thought it will be a simple update definition while this is a complex upgrade script which needs to be properly tested. I would rather wait for 4.1.x, especially given it does not block any 4.1 major feature in any way. I disagree on it for multiple reasons and one of them is that 'a simple update definition' is not right here. Attribute uniqueness plugin supports three different types of setting its own arguments. These types aren't mixable, you have to do switch from one to another. That's why update plugin is the correct approach here. The update plugin I've wrote is very simple by itself. Ok, reviewing the patch now. I found 2 issues: 1) It is missing in plugins' Makefile.am so it won't be built properly 2) Instead of +if len(entries) == 0: use +if entries: 3) I think we should force uid uniqueness plugin creation in all cases so that we can expect it is there in future and for example do simple updates for it. So if existing active UID uniqueness is there, should we just remove uid from it's list of watched attributes, give warning and add our own controlled plugin? I am just trying to get rid of clashes with custom user configuration. 4) Because of 3), when I enabled attribute uniqueness plugin before upgrade, it did a strange franken-update and now I have an update plugin with DN cn=attribute uniqueness,cn=plugins,cn=config but cn: uid uniqueness: inside. (BTW these concerns is where my simplicity expectations came from ;-) Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH, 4.1] 0166 updater: enable uid uniqueness plugin for posixAccount objects
On 10/20/2014 08:25 PM, Alexander Bokovoy wrote: Hi! This patch is for ipa-4-1 branch to enable uniqueness plugin for uid attribute for entries with objectclass posixAccount. We don't have uid uniqueness enforced in FreeIPA 4.1 yet but for posixAccounts it worked due to our design of a flat tree: as uid attribute is part of the DN, renaming user entries enforces uniqueness as MODRDN will fail if entry with the same uid already exists. However, it is not enough for ID views -- we should be able to allow ID view overrides for the same uid across multiple views and we should be able to protect uid uniqueness more generally too. Implementation is done via update plugin that checks for existing uid uniqueness plugin and if it is missing, it will be added. If plugin exists, its configuration will be updated. I haven't added update specific to git master where staging subtree is added but I'll do that after FreeIPA 4.1 release as in 4.1 we don't yet have the staging subtree. Currently master has broken setup for uid uniqueness plugin that doesn't actually work anyway so it will be easier to add upgrade over properly configured entry. https://fedorahosted.org/freeipa/ticket/4636 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Hello Alexander, In case the DS instance has an already enabled uniqueness 'uid' plugin. I wonder if there is a risk if the configuration of the plugin contains former attributes like nsslapd-pluginarg0. My understanding is that ldap.update_entry will keep those former attributes and add new config attribute like uniqueness-across-all-subtrees. If this is the case, DS will incorrectly configure the plugin because it does not support mixed configuration style. In that case it will consider only former attributes. thanks thierry ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH, 4.1] 0166 updater: enable uid uniqueness plugin for posixAccount objects
On Tue, 21 Oct 2014, thierry bordaz wrote: On 10/20/2014 08:25 PM, Alexander Bokovoy wrote: Hi! This patch is for ipa-4-1 branch to enable uniqueness plugin for uid attribute for entries with objectclass posixAccount. We don't have uid uniqueness enforced in FreeIPA 4.1 yet but for posixAccounts it worked due to our design of a flat tree: as uid attribute is part of the DN, renaming user entries enforces uniqueness as MODRDN will fail if entry with the same uid already exists. However, it is not enough for ID views -- we should be able to allow ID view overrides for the same uid across multiple views and we should be able to protect uid uniqueness more generally too. Implementation is done via update plugin that checks for existing uid uniqueness plugin and if it is missing, it will be added. If plugin exists, its configuration will be updated. I haven't added update specific to git master where staging subtree is added but I'll do that after FreeIPA 4.1 release as in 4.1 we don't yet have the staging subtree. Currently master has broken setup for uid uniqueness plugin that doesn't actually work anyway so it will be easier to add upgrade over properly configured entry. https://fedorahosted.org/freeipa/ticket/4636 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Hello Alexander, In case the DS instance has an already enabled uniqueness 'uid' plugin. I wonder if there is a risk if the configuration of the plugin contains former attributes like nsslapd-pluginarg0. My understanding is that ldap.update_entry will keep those former attributes and add new config attribute like uniqueness-across-all-subtrees. If this is the case, DS will incorrectly configure the plugin because it does not support mixed configuration style. In that case it will consider only former attributes. Yes, this is why I'm saying the support for it will be added with a patch to master. We don't have uid uniqueness enabled in anything prior FreeIPA 4.1 and the code in git master is the only place where wrong config could come. I want to establish clear base from which the conversion will come. -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH, 4.1] 0166 updater: enable uid uniqueness plugin for posixAccount objects
On Tue, 21 Oct 2014, Martin Kosek wrote: On 10/21/2014 08:41 AM, Alexander Bokovoy wrote: On Tue, 21 Oct 2014, Martin Kosek wrote: On 10/20/2014 08:25 PM, Alexander Bokovoy wrote: Hi! This patch is for ipa-4-1 branch to enable uniqueness plugin for uid attribute for entries with objectclass posixAccount. We don't have uid uniqueness enforced in FreeIPA 4.1 yet but for posixAccounts it worked due to our design of a flat tree: as uid attribute is part of the DN, renaming user entries enforces uniqueness as MODRDN will fail if entry with the same uid already exists. However, it is not enough for ID views -- we should be able to allow ID view overrides for the same uid across multiple views and we should be able to protect uid uniqueness more generally too. Implementation is done via update plugin that checks for existing uid uniqueness plugin and if it is missing, it will be added. If plugin exists, its configuration will be updated. I haven't added update specific to git master where staging subtree is added but I'll do that after FreeIPA 4.1 release as in 4.1 we don't yet have the staging subtree. Currently master has broken setup for uid uniqueness plugin that doesn't actually work anyway so it will be easier to add upgrade over properly configured entry. https://fedorahosted.org/freeipa/ticket/4636 Hi Alexander, Thanks for the patch! However, I am personally not very confident with merging it right before 4.1 release, I thought it will be a simple update definition while this is a complex upgrade script which needs to be properly tested. I would rather wait for 4.1.x, especially given it does not block any 4.1 major feature in any way. I disagree on it for multiple reasons and one of them is that 'a simple update definition' is not right here. Attribute uniqueness plugin supports three different types of setting its own arguments. These types aren't mixable, you have to do switch from one to another. That's why update plugin is the correct approach here. The update plugin I've wrote is very simple by itself. Ok, reviewing the patch now. I found 2 issues: 1) It is missing in plugins' Makefile.am so it won't be built properly 2) Instead of +if len(entries) == 0: use +if entries: You mean 'if not entries:'? Will fix. 3) I think we should force uid uniqueness plugin creation in all cases so that we can expect it is there in future and for example do simple updates for it. It does enforce it creating already. The only case that is not handled right now is the case of already existing multiple uid uniqueness plugin instances which I explicitly want to handle in git master and then merge back to 4.1 as a backport -- we only have any chance to encounter this case with current git master. So if existing active UID uniqueness is there, should we just remove uid from it's list of watched attributes, give warning and add our own controlled plugin? No. There could be multiple uid uniqueness plugin instances, looking for different subtrees, potentially with different top level object classes and different object class filtering. I am just trying to get rid of clashes with custom user configuration. I understand that, I'll handle it in git master version. Right now we didn't set up any of uid uniqueness and chances touching any custom configuration like that are low, looking into my experience with existing deployments. 4) Because of 3), when I enabled attribute uniqueness plugin before upgrade, it did a strange franken-update and now I have an update plugin with DN cn=attribute uniqueness,cn=plugins,cn=config but cn: uid uniqueness: inside. Good catch. I'll fix this part. (BTW these concerns is where my simplicity expectations came from ;-) Note that now you realize the whole deal is not that simple as you thought. ;) New patch attached. -- / Alexander Bokovoy From 0d5529634b16b948f997dc9855e0036b6be14595 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Mon, 20 Oct 2014 21:01:33 +0300 Subject: [PATCH] updater: enable uid uniqueness plugin for posixAccounts https://fedorahosted.org/freeipa/ticket/4636 --- ipaserver/install/plugins/update_uniqueness.py | 115 + 1 file changed, 115 insertions(+) create mode 100644 ipaserver/install/plugins/update_uniqueness.py diff --git a/ipaserver/install/plugins/update_uniqueness.py b/ipaserver/install/plugins/update_uniqueness.py new file mode 100644 index 000..a1b4638 --- /dev/null +++ b/ipaserver/install/plugins/update_uniqueness.py @@ -0,0 +1,115 @@ +# Authors: +# Alexander Bokovoy aboko...@redhat.com +# +# Copyright (C) 2014 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is
Re: [Freeipa-devel] [PATCHES 0117, 0135-0149] DNSSEC support
On 10/21/2014 10:57 AM, Martin Basti wrote: snip IPA-4-1 patches attached jcholast-357 patch should be applied last If there is no objections I will rebase to master branch after ack Works good for me but I didn't read the code. ACK for functionality. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel -- David Kupka ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES 0117, 0135-0149] DNSSEC support
On 10/21/2014 12:14 PM, David Kupka wrote: On 10/21/2014 10:57 AM, Martin Basti wrote: snip IPA-4-1 patches attached jcholast-357 patch should be applied last If there is no objections I will rebase to master branch after ack Works good for me but I didn't read the code. ACK for functionality. Honza also gave me an offline ACK for his way to lunch :-) So: Pushed to ipa-4-1: b84fc92fd7321ed249d0d7fc4d5bd29c111536fd MartinB, please also provide rebase for master branch. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES 0117, 0135-0149] DNSSEC support
On 10/21/2014 12:21 PM, Martin Basti wrote: On 21/10/14 12:14, David Kupka wrote: On 10/21/2014 10:57 AM, Martin Basti wrote: snip IPA-4-1 patches attached jcholast-357 patch should be applied last If there is no objections I will rebase to master branch after ack Works good for me but I didn't read the code. ACK for functionality. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Patches for master branch atached As before jcholast patch last You were faster than me :-) Pushed to master: 10725033c66cfd89340dcc95085cf1daaa18b4c0 Thanks! Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH, 4.1] 0166 updater: enable uid uniqueness plugin for posixAccount objects
On Tue, 21 Oct 2014, Alexander Bokovoy wrote: On Tue, 21 Oct 2014, Martin Kosek wrote: On 10/21/2014 08:41 AM, Alexander Bokovoy wrote: On Tue, 21 Oct 2014, Martin Kosek wrote: On 10/20/2014 08:25 PM, Alexander Bokovoy wrote: Hi! This patch is for ipa-4-1 branch to enable uniqueness plugin for uid attribute for entries with objectclass posixAccount. We don't have uid uniqueness enforced in FreeIPA 4.1 yet but for posixAccounts it worked due to our design of a flat tree: as uid attribute is part of the DN, renaming user entries enforces uniqueness as MODRDN will fail if entry with the same uid already exists. However, it is not enough for ID views -- we should be able to allow ID view overrides for the same uid across multiple views and we should be able to protect uid uniqueness more generally too. Implementation is done via update plugin that checks for existing uid uniqueness plugin and if it is missing, it will be added. If plugin exists, its configuration will be updated. I haven't added update specific to git master where staging subtree is added but I'll do that after FreeIPA 4.1 release as in 4.1 we don't yet have the staging subtree. Currently master has broken setup for uid uniqueness plugin that doesn't actually work anyway so it will be easier to add upgrade over properly configured entry. https://fedorahosted.org/freeipa/ticket/4636 Hi Alexander, Thanks for the patch! However, I am personally not very confident with merging it right before 4.1 release, I thought it will be a simple update definition while this is a complex upgrade script which needs to be properly tested. I would rather wait for 4.1.x, especially given it does not block any 4.1 major feature in any way. I disagree on it for multiple reasons and one of them is that 'a simple update definition' is not right here. Attribute uniqueness plugin supports three different types of setting its own arguments. These types aren't mixable, you have to do switch from one to another. That's why update plugin is the correct approach here. The update plugin I've wrote is very simple by itself. Ok, reviewing the patch now. I found 2 issues: 1) It is missing in plugins' Makefile.am so it won't be built properly 2) Instead of +if len(entries) == 0: use +if entries: You mean 'if not entries:'? Will fix. 3) I think we should force uid uniqueness plugin creation in all cases so that we can expect it is there in future and for example do simple updates for it. It does enforce it creating already. The only case that is not handled right now is the case of already existing multiple uid uniqueness plugin instances which I explicitly want to handle in git master and then merge back to 4.1 as a backport -- we only have any chance to encounter this case with current git master. So if existing active UID uniqueness is there, should we just remove uid from it's list of watched attributes, give warning and add our own controlled plugin? No. There could be multiple uid uniqueness plugin instances, looking for different subtrees, potentially with different top level object classes and different object class filtering. I am just trying to get rid of clashes with custom user configuration. I understand that, I'll handle it in git master version. Right now we didn't set up any of uid uniqueness and chances touching any custom configuration like that are low, looking into my experience with existing deployments. 4) Because of 3), when I enabled attribute uniqueness plugin before upgrade, it did a strange franken-update and now I have an update plugin with DN cn=attribute uniqueness,cn=plugins,cn=config but cn: uid uniqueness: inside. Good catch. I'll fix this part. (BTW these concerns is where my simplicity expectations came from ;-) Note that now you realize the whole deal is not that simple as you thought. ;) New patch attached. Missed Makefile.am part. -- / Alexander Bokovoy From 7951e57ca52d38497b0a87610685f173ebb558a3 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Mon, 20 Oct 2014 21:01:33 +0300 Subject: [PATCH] updater: enable uid uniqueness plugin for posixAccounts https://fedorahosted.org/freeipa/ticket/4636 --- ipaserver/install/plugins/Makefile.am | 1 + ipaserver/install/plugins/update_uniqueness.py | 115 + 2 files changed, 116 insertions(+) create mode 100644 ipaserver/install/plugins/update_uniqueness.py diff --git a/ipaserver/install/plugins/Makefile.am b/ipaserver/install/plugins/Makefile.am index 7cf0495..635877d 100644 --- a/ipaserver/install/plugins/Makefile.am +++ b/ipaserver/install/plugins/Makefile.am @@ -12,6 +12,7 @@ app_PYTHON = \ update_anonymous_aci.py \ update_pacs.py \ ca_renewal_master.py\ + update_uniqueness.py\ $(NULL) EXTRA_DIST = \ diff --git a/ipaserver/install/plugins/update_uniqueness.py
Re: [Freeipa-devel] [PATCH, 4.1] 0166 updater: enable uid uniqueness plugin for posixAccount objects
On 10/21/2014 12:41 PM, Alexander Bokovoy wrote: On Tue, 21 Oct 2014, Alexander Bokovoy wrote: On Tue, 21 Oct 2014, Martin Kosek wrote: On 10/21/2014 08:41 AM, Alexander Bokovoy wrote: On Tue, 21 Oct 2014, Martin Kosek wrote: On 10/20/2014 08:25 PM, Alexander Bokovoy wrote: Hi! This patch is for ipa-4-1 branch to enable uniqueness plugin for uid attribute for entries with objectclass posixAccount. We don't have uid uniqueness enforced in FreeIPA 4.1 yet but for posixAccounts it worked due to our design of a flat tree: as uid attribute is part of the DN, renaming user entries enforces uniqueness as MODRDN will fail if entry with the same uid already exists. However, it is not enough for ID views -- we should be able to allow ID view overrides for the same uid across multiple views and we should be able to protect uid uniqueness more generally too. Implementation is done via update plugin that checks for existing uid uniqueness plugin and if it is missing, it will be added. If plugin exists, its configuration will be updated. I haven't added update specific to git master where staging subtree is added but I'll do that after FreeIPA 4.1 release as in 4.1 we don't yet have the staging subtree. Currently master has broken setup for uid uniqueness plugin that doesn't actually work anyway so it will be easier to add upgrade over properly configured entry. https://fedorahosted.org/freeipa/ticket/4636 Hi Alexander, Thanks for the patch! However, I am personally not very confident with merging it right before 4.1 release, I thought it will be a simple update definition while this is a complex upgrade script which needs to be properly tested. I would rather wait for 4.1.x, especially given it does not block any 4.1 major feature in any way. I disagree on it for multiple reasons and one of them is that 'a simple update definition' is not right here. Attribute uniqueness plugin supports three different types of setting its own arguments. These types aren't mixable, you have to do switch from one to another. That's why update plugin is the correct approach here. The update plugin I've wrote is very simple by itself. Ok, reviewing the patch now. I found 2 issues: 1) It is missing in plugins' Makefile.am so it won't be built properly 2) Instead of +if len(entries) == 0: use +if entries: You mean 'if not entries:'? Will fix. 3) I think we should force uid uniqueness plugin creation in all cases so that we can expect it is there in future and for example do simple updates for it. It does enforce it creating already. The only case that is not handled right now is the case of already existing multiple uid uniqueness plugin instances which I explicitly want to handle in git master and then merge back to 4.1 as a backport -- we only have any chance to encounter this case with current git master. So if existing active UID uniqueness is there, should we just remove uid from it's list of watched attributes, give warning and add our own controlled plugin? No. There could be multiple uid uniqueness plugin instances, looking for different subtrees, potentially with different top level object classes and different object class filtering. I am just trying to get rid of clashes with custom user configuration. I understand that, I'll handle it in git master version. Right now we didn't set up any of uid uniqueness and chances touching any custom configuration like that are low, looking into my experience with existing deployments. 4) Because of 3), when I enabled attribute uniqueness plugin before upgrade, it did a strange franken-update and now I have an update plugin with DN cn=attribute uniqueness,cn=plugins,cn=config but cn: uid uniqueness: inside. Good catch. I'll fix this part. (BTW these concerns is where my simplicity expectations came from ;-) Note that now you realize the whole deal is not that simple as you thought. ;) New patch attached. Missed Makefile.am part. The +if not entries: path works looks ok. However, I am still concerned about the situation when you detect existing UID plugin. You basically create a new LDAP entry with the same DN and then try to overwrite the original one. I do not think this is how the LDAP framework works. Petr/Honza, is it? I thought the right way for this branch would be to just update selected attributes of the LDAPEntry read from LDAP (entries[0] in your case) and then call ldap.update_entry(). This way, the entry gets just partially updated, for example nsslapd-pluginVersion stays the same. BTW, I do not think that + 'nsslapd-pluginId' : 'none', + 'nsslapd-pluginVersion' : 'none', + 'nsslapd-pluginVendor' : 'none', + 'nsslapd-pluginDescription' : 'none', should be left to be none even in the first branch. Given this is the last patch we are waiting for before 4.1 release, I still think we should
Re: [Freeipa-devel] [PATCHES 0117, 0135-0149] DNSSEC support
On 10/20/2014 05:21 PM, Martin Basti wrote: Hello! Hold your hats, DNSSEC patches are here. Martin^2, Petr^2 New compiler warnings: library.c:72: ISO C forbids conversion of object pointer to function pointer type [-Wpedantic] p11helper.c:500: passing argument 1 of 'loadLibrary' discards 'const' qualifier from pointer target type [enabled by default] p11helper.c:1667: pointer targets in passing argument 3 of 'PyString_AsStringAndSize' differ in signedness [-Wpointer-sign] Should I file a ticket for these? -- PetrĀ³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH, 4.1] 0166 updater: enable uid uniqueness plugin for posixAccount objects
Dne 21.10.2014 v 13:10 Martin Kosek napsal(a): On 10/21/2014 12:41 PM, Alexander Bokovoy wrote: On Tue, 21 Oct 2014, Alexander Bokovoy wrote: On Tue, 21 Oct 2014, Martin Kosek wrote: On 10/21/2014 08:41 AM, Alexander Bokovoy wrote: On Tue, 21 Oct 2014, Martin Kosek wrote: On 10/20/2014 08:25 PM, Alexander Bokovoy wrote: Hi! This patch is for ipa-4-1 branch to enable uniqueness plugin for uid attribute for entries with objectclass posixAccount. We don't have uid uniqueness enforced in FreeIPA 4.1 yet but for posixAccounts it worked due to our design of a flat tree: as uid attribute is part of the DN, renaming user entries enforces uniqueness as MODRDN will fail if entry with the same uid already exists. However, it is not enough for ID views -- we should be able to allow ID view overrides for the same uid across multiple views and we should be able to protect uid uniqueness more generally too. Implementation is done via update plugin that checks for existing uid uniqueness plugin and if it is missing, it will be added. If plugin exists, its configuration will be updated. I haven't added update specific to git master where staging subtree is added but I'll do that after FreeIPA 4.1 release as in 4.1 we don't yet have the staging subtree. Currently master has broken setup for uid uniqueness plugin that doesn't actually work anyway so it will be easier to add upgrade over properly configured entry. https://fedorahosted.org/freeipa/ticket/4636 Hi Alexander, Thanks for the patch! However, I am personally not very confident with merging it right before 4.1 release, I thought it will be a simple update definition while this is a complex upgrade script which needs to be properly tested. I would rather wait for 4.1.x, especially given it does not block any 4.1 major feature in any way. I disagree on it for multiple reasons and one of them is that 'a simple update definition' is not right here. Attribute uniqueness plugin supports three different types of setting its own arguments. These types aren't mixable, you have to do switch from one to another. That's why update plugin is the correct approach here. The update plugin I've wrote is very simple by itself. Ok, reviewing the patch now. I found 2 issues: 1) It is missing in plugins' Makefile.am so it won't be built properly 2) Instead of +if len(entries) == 0: use +if entries: You mean 'if not entries:'? Will fix. 3) I think we should force uid uniqueness plugin creation in all cases so that we can expect it is there in future and for example do simple updates for it. It does enforce it creating already. The only case that is not handled right now is the case of already existing multiple uid uniqueness plugin instances which I explicitly want to handle in git master and then merge back to 4.1 as a backport -- we only have any chance to encounter this case with current git master. So if existing active UID uniqueness is there, should we just remove uid from it's list of watched attributes, give warning and add our own controlled plugin? No. There could be multiple uid uniqueness plugin instances, looking for different subtrees, potentially with different top level object classes and different object class filtering. I am just trying to get rid of clashes with custom user configuration. I understand that, I'll handle it in git master version. Right now we didn't set up any of uid uniqueness and chances touching any custom configuration like that are low, looking into my experience with existing deployments. 4) Because of 3), when I enabled attribute uniqueness plugin before upgrade, it did a strange franken-update and now I have an update plugin with DN cn=attribute uniqueness,cn=plugins,cn=config but cn: uid uniqueness: inside. Good catch. I'll fix this part. (BTW these concerns is where my simplicity expectations came from ;-) Note that now you realize the whole deal is not that simple as you thought. ;) New patch attached. Missed Makefile.am part. The +if not entries: path works looks ok. However, I am still concerned about the situation when you detect existing UID plugin. You basically create a new LDAP entry with the same DN and then try to overwrite the original one. I do not think this is how the LDAP framework works. Petr/Honza, is it? It will work, but updating the old entry object and calling update_entry on it would be nicer. The difference is that with the current approach, the generated modlist will contain MOD_REPLACE for every attribute in the entry, whereas updating the original entry will result in a modlist with MOD_ADD/MOD_DELETE only for the attributes which were actually modified. -- Jan Cholasta ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH, 4.1] 0166 updater: enable uid uniqueness plugin for posixAccount objects
On 10/21/2014 01:28 PM, Jan Cholasta wrote: Dne 21.10.2014 v 13:10 Martin Kosek napsal(a): On 10/21/2014 12:41 PM, Alexander Bokovoy wrote: On Tue, 21 Oct 2014, Alexander Bokovoy wrote: On Tue, 21 Oct 2014, Martin Kosek wrote: On 10/21/2014 08:41 AM, Alexander Bokovoy wrote: On Tue, 21 Oct 2014, Martin Kosek wrote: On 10/20/2014 08:25 PM, Alexander Bokovoy wrote: Hi! This patch is for ipa-4-1 branch to enable uniqueness plugin for uid attribute for entries with objectclass posixAccount. We don't have uid uniqueness enforced in FreeIPA 4.1 yet but for posixAccounts it worked due to our design of a flat tree: as uid attribute is part of the DN, renaming user entries enforces uniqueness as MODRDN will fail if entry with the same uid already exists. However, it is not enough for ID views -- we should be able to allow ID view overrides for the same uid across multiple views and we should be able to protect uid uniqueness more generally too. Implementation is done via update plugin that checks for existing uid uniqueness plugin and if it is missing, it will be added. If plugin exists, its configuration will be updated. I haven't added update specific to git master where staging subtree is added but I'll do that after FreeIPA 4.1 release as in 4.1 we don't yet have the staging subtree. Currently master has broken setup for uid uniqueness plugin that doesn't actually work anyway so it will be easier to add upgrade over properly configured entry. https://fedorahosted.org/freeipa/ticket/4636 Hi Alexander, Thanks for the patch! However, I am personally not very confident with merging it right before 4.1 release, I thought it will be a simple update definition while this is a complex upgrade script which needs to be properly tested. I would rather wait for 4.1.x, especially given it does not block any 4.1 major feature in any way. I disagree on it for multiple reasons and one of them is that 'a simple update definition' is not right here. Attribute uniqueness plugin supports three different types of setting its own arguments. These types aren't mixable, you have to do switch from one to another. That's why update plugin is the correct approach here. The update plugin I've wrote is very simple by itself. Ok, reviewing the patch now. I found 2 issues: 1) It is missing in plugins' Makefile.am so it won't be built properly 2) Instead of +if len(entries) == 0: use +if entries: You mean 'if not entries:'? Will fix. 3) I think we should force uid uniqueness plugin creation in all cases so that we can expect it is there in future and for example do simple updates for it. It does enforce it creating already. The only case that is not handled right now is the case of already existing multiple uid uniqueness plugin instances which I explicitly want to handle in git master and then merge back to 4.1 as a backport -- we only have any chance to encounter this case with current git master. So if existing active UID uniqueness is there, should we just remove uid from it's list of watched attributes, give warning and add our own controlled plugin? No. There could be multiple uid uniqueness plugin instances, looking for different subtrees, potentially with different top level object classes and different object class filtering. I am just trying to get rid of clashes with custom user configuration. I understand that, I'll handle it in git master version. Right now we didn't set up any of uid uniqueness and chances touching any custom configuration like that are low, looking into my experience with existing deployments. 4) Because of 3), when I enabled attribute uniqueness plugin before upgrade, it did a strange franken-update and now I have an update plugin with DN cn=attribute uniqueness,cn=plugins,cn=config but cn: uid uniqueness: inside. Good catch. I'll fix this part. (BTW these concerns is where my simplicity expectations came from ;-) Note that now you realize the whole deal is not that simple as you thought. ;) New patch attached. Missed Makefile.am part. The +if not entries: path works looks ok. However, I am still concerned about the situation when you detect existing UID plugin. You basically create a new LDAP entry with the same DN and then try to overwrite the original one. I do not think this is how the LDAP framework works. Petr/Honza, is it? It will work, but updating the old entry object and calling update_entry on it would be nicer. The difference is that with the current approach, the generated modlist will contain MOD_REPLACE for every attribute in the entry, whereas updating the original entry will result in a modlist with MOD_ADD/MOD_DELETE only for the attributes which were actually modified. Ok. I also found out that the attributes I objected about are controlled by DS, so there is no problem with the none values. ACK then. Pushed to: master:
[Freeipa-devel] [PATCH 0151] Fix DNS validation
Blocker for ipa-4-1
Patch attached
--
Martin Basti
From d0bb0cc66f8d26c99bd5f9afaf9403f20e4424e2 Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Tue, 21 Oct 2014 13:59:42 +0200
Subject: [PATCH] fix forwarder validation errors
Fix tests, validation in dnsconfig mod, wuser warning
---
ipalib/plugins/dns.py | 14 --
ipaserver/install/bindinstance.py | 6 --
ipatests/test_xmlrpc/test_dns_plugin.py | 6 ++
3 files changed, 18 insertions(+), 8 deletions(-)
diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index 61b9e3d7a515ef4bc5c6c35390efd6142af430de..dd1e640f4062a32921bf1edf316e122b81a6d485 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -3942,12 +3942,14 @@ class dnsconfig_mod(LDAPUpdate):
# test dnssec forwarders
non_dnssec_forwarders = []
not_responding_forwarders = []
-for forwarder in options.get('idnsforwarders', []):
-dnssec_status = validate_dnssec_forwarder(forwarder)
-if dnssec_status is None:
-not_responding_forwarders.append(forwarder)
-elif dnssec_status is False:
-non_dnssec_forwarders.append(forwarder)
+forwarders = options.get('idnsforwarders')
+if forwarders:
+for forwarder in forwarders:
+dnssec_status = validate_dnssec_forwarder(forwarder)
+if dnssec_status is None:
+not_responding_forwarders.append(forwarder)
+elif dnssec_status is False:
+non_dnssec_forwarders.append(forwarder)
result = super(dnsconfig_mod, self).execute(*keys, **options)
self.obj.postprocess_result(result)
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index bcc670b0f5337820a1c17a8fff42ba55294caa39..bee64d70bf1dcdc12ce4b4cd5c16e6b514630690 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -464,8 +464,10 @@ def check_forwarders(dns_forwarders, logger):
logger.warning(DNS forwarder %s does not return DNSSEC signatures in answers, forwarder)
logger.warning(Please fix forwarder configuration to enable DNSSEC support.\n
(For BIND 9 add directive \dnssec-enable yes;\ to \options {}\))
-print (WARNING: DNS forwarder %s is not configured to support
- DNSSEC % forwarder)
+print (WARNING: DNS forwarder %s does not return DNSSEC
+ signatures in answers % forwarder)
+print Please fix forwarder configuration to enable DNSSEC support.
+print (For BIND 9 add directive \dnssec-enable yes;\ to \options {}\)
return forwarders_dnssec_valid
diff --git a/ipatests/test_xmlrpc/test_dns_plugin.py b/ipatests/test_xmlrpc/test_dns_plugin.py
index 0f9b16ba7e9c1ff58f0ae0f270172cb610e4f631..a34d11a3278c67a3d00ca8f59bb8d8d19cf8a46e 100644
--- a/ipatests/test_xmlrpc/test_dns_plugin.py
+++ b/ipatests/test_xmlrpc/test_dns_plugin.py
@@ -1662,6 +1662,12 @@ class test_dns(Declarative):
expected={
'value': None,
'summary': None,
+u'messages': (
+{u'message': u'DNS server 172.16.31.80 not responding.',
+ u'code': 13006,
+ u'type':u'warning',
+ u'name': u'DNSServerNotRespondingWarning'},
+),
'result': {
'idnsforwarders': [fwd_ip],
},
--
1.8.3.1
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES 0117, 0135-0149] DNSSEC support
On 21.10.2014 13:11, Petr Viktorin wrote: On 10/20/2014 05:21 PM, Martin Basti wrote: Hello! Hold your hats, DNSSEC patches are here. Martin^2, Petr^2 New compiler warnings: library.c:72: ISO C forbids conversion of object pointer to function pointer type [-Wpedantic] p11helper.c:500: passing argument 1 of 'loadLibrary' discards 'const' qualifier from pointer target type [enabled by default] p11helper.c:1667: pointer targets in passing argument 3 of 'PyString_AsStringAndSize' differ in signedness [-Wpointer-sign] Should I file a ticket for these? We have it already: https://fedorahosted.org/freeipa/ticket/4657 -- Petr^2 Spacek ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH 0152] Fix DNSSEC restored value
Patch attached -- Martin Basti From d32a6c982383a26980bbe464d8968fe7f681ca59 Mon Sep 17 00:00:00 2001 From: Martin Basti mba...@redhat.com Date: Tue, 21 Oct 2014 14:13:29 +0200 Subject: [PATCH] fix DNSSEC restore named state --- ipaserver/install/bindinstance.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py index bee64d70bf1dcdc12ce4b4cd5c16e6b514630690..6cf018e9cda3734a99a8ac5ac1df134e9e4c2293 100644 --- a/ipaserver/install/bindinstance.py +++ b/ipaserver/install/bindinstance.py @@ -1161,8 +1161,8 @@ class BindInstance(service.Service): running = self.restore_state(running) enabled = self.restore_state(enabled) -named_regular_running = self.restore_state(named_regular_running) -named_regular_enabled = self.restore_state(named_regular_enabled) +named_regular_running = self.restore_state(named-regular-running) +named_regular_enabled = self.restore_state(named-regular-enabled) self.dns_backup.clear_records(api.Backend.ldap2.isconnected()) -- 1.8.3.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0151] Fix DNS validation
On 10/21/2014 02:03 PM, Martin Basti wrote: Blocker for ipa-4-1 This and the uninstall issue I found: # ipa-server-install --uninstall --unattended Shutting down all IPA services Removing IPA client configuration Unconfiguring ntpd Unconfiguring CA Unconfiguring named Unconfiguring web server Unconfiguring krb5kdc Unconfiguring kadmin Unconfiguring directory server Unconfiguring smb Unconfiguring ipa_memcached Unconfiguring ipa-otpd ipa : ERRORSome installation state for named has not been restored, see /var/lib/ipa/sysrestore/sysrestore.state ipa : ERRORSome installation state has not been restored. This may cause re-installation to fail. It should be safe to remove /var/lib/ipa/sysrestore/sysrestore.state but it may mean your system hasn't be restored to its pre-installation state. # cat /var/lib/ipa/sysrestore/sysrestore.state [named] named-regular-running = False named-regular-enabled = False Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0151] Fix DNS validation
On 21/10/14 14:18, Martin Kosek wrote: On 10/21/2014 02:03 PM, Martin Basti wrote: Blocker for ipa-4-1 This and the uninstall issue I found: # ipa-server-install --uninstall --unattended Shutting down all IPA services Removing IPA client configuration Unconfiguring ntpd Unconfiguring CA Unconfiguring named Unconfiguring web server Unconfiguring krb5kdc Unconfiguring kadmin Unconfiguring directory server Unconfiguring smb Unconfiguring ipa_memcached Unconfiguring ipa-otpd ipa : ERRORSome installation state for named has not been restored, see /var/lib/ipa/sysrestore/sysrestore.state ipa : ERRORSome installation state has not been restored. This may cause re-installation to fail. It should be safe to remove /var/lib/ipa/sysrestore/sysrestore.state but it may mean your system hasn't be restored to its pre-installation state. # cat /var/lib/ipa/sysrestore/sysrestore.state [named] named-regular-running = False named-regular-enabled = False Martin I sent patch 152 -- Martin Basti ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 0167: default to TLSv1.0/1.1 for IPA server side
Hi! See the commit message for the details. -- / Alexander Bokovoy From c01dd6af8054dbc1f7ff753be64084f5f5ba797c Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Tue, 21 Oct 2014 15:59:04 +0300 Subject: [PATCH 2/2] Default to use TLSv1.0 and TLSv1.1 on the IPA server side We only will be changing the setting on the install. For modifying existing configurations please follow instructions at https://access.redhat.com/solutions/1232413 --- ipaserver/install/httpinstance.py | 4 1 file changed, 4 insertions(+) diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index e340347..14efa5b 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -115,6 +115,7 @@ class HTTPInstance(service.Service): self.step(setting mod_nss port to 443, self.__set_mod_nss_port) +self.step(setting mod_nss protocol list to TLSv1.0 and TLSv1.1, self.__set_mod_nss_protocol) self.step(setting mod_nss password file, self.__set_mod_nss_passwordfile) self.step(enabling mod_nss renegotiate, self.enable_mod_nss_renegotiate) self.step(adding URL rewriting rules, self.__add_include) @@ -204,6 +205,9 @@ class HTTPInstance(service.Service): def __set_mod_nss_nickname(self, nickname): installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSNickname', nickname) +def __set_mod_nss_protocol(self): +installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSProtocol', 'TLSv1.0,TLSv1.1', False) + def enable_mod_nss_renegotiate(self): installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False) installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False) -- 2.1.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES 0117, 0135-0149] DNSSEC support
On Tue, 21 Oct 2014 10:50:37 +0300
Alexander Bokovoy aboko...@redhat.com wrote:
On Tue, 21 Oct 2014, Martin Kosek wrote:
On 10/21/2014 08:50 AM, Jan Cholasta wrote:
Dne 21.10.2014 v 08:45 Alexander Bokovoy napsal(a):
On Tue, 21 Oct 2014, Jan Cholasta wrote:
Dne 20.10.2014 v 23:40 Martin Basti napsal(a):
On 20/10/14 18:28, Jan Cholasta wrote:
Hi,
Dne 20.10.2014 v 17:37 Petr Spacek napsal(a):
On 20.10.2014 17:21, Martin Basti wrote:
Hello! Hold your hats, DNSSEC patches are here.
Martin^2, Petr^2
For testing you will need following package:
http://koji.fedoraproject.org/koji/taskinfo?taskID=7915293
From me, functional self-ACK :-)
Patch 117:
1)
As we discussed off-line, this code is wrong and a ticket
should be opened to fix it to properly handle service files
conflicting with the mask command:
+if instance_name != :
+srv_tgt =
os.path.join(paths.ETC_SYSTEMD_SYSTEM_DIR, instance_name)
+# remove instance file or link before masking
+if os.path.islink(srv_tgt):
+os.unlink(srv_tgt)
Patch 137:
1)
There are some whitespace errors:
Applying: DNSSEC: add ipapk11helper module
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:95:
trailing whitespace.
*
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:100:
trailing whitespace.
*
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:105:
trailing whitespace.
*
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:203:
trailing whitespace.
*
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:208:
trailing whitespace.
*
warning: squelched 3 whitespace errors
warning: 8 lines add whitespace errors.
Patch 138:
1)
There is a whitespace error:
Applying: DNSSEC: DNS key synchronization daemon
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:54:
new blank line at EOF.
+
warning: 1 line adds whitespace errors.
Patch 140:
1)
Unless there is a dnssec_keys ipalib plugins, I don't think
there should be container_dnssec_keys. Use DN(('cn', 'keys'),
('cn', 'sec'), api.env.container_dns, ...) instead of
DN(api.env.container_dnssec_keys, ...).
2)
The masking method definitions in PlatformService should be
moved to patch 117.
3)
The changes in dnskeysyncinstance.py, odsexportedinstance.py
and opendnssecinstance.py should be moved to patches 138 and
139.
Patch 147:
1)
There are some whitespace errors:
Applying: DNSSEC: add ipa dnssec daemons
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:135:
trailing whitespace.
# synchronize metadata about master keys in LDAP
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:1228:
trailing whitespace.
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:1291:
trailing whitespace.
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:873:
new blank line at EOF.
+
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:1126:
new blank line at EOF.
+
warning: squelched 1 whitespace error
warning: 6 lines add whitespace errors.
Honza
Whitespaces fixed,
mask, and dnssec_container issues move to 4.1.1 please.
mask ACK, container NACK - I don't think we want to introduce a
new configuration option and deprecate it right away and it's a
change in just 3 lines of code.
But we have schema conflict:
[20/Oct/2014:04:48:40 -0400] dse_read_one_file - The entry
cn=schema in
file /etc/dirsrv/slapd-IPA-EXAMPLE/schema/71idviews.ldif
(lineno: 1) is invalid, error code 20 (Type or value exists) -
object class ipaOverrideTarget: The name does not match the OID
2.16.840.1.113730.3.8.12.34. Another object class is already
using the name or OID.
git grep -n 2.16.840.1.113730.3.8.12.34
install/share/60basev3.ldif:79:objectClasses:
(2.16.840.1.113730.3.8.12.34 NAME 'ipaSecretKeyRefObject' DESC
'Indirect storage for encoded key material' SUP top AUXILIARY
MUST ( ipaSecretKeyRef ) X-...
install/share/71idviews.ldif:8:objectClasses:
(2.16.840.1.113730.3.8.12.34 NAME 'ipaOverrideTarget' SUP top
STRUCTURAL MUST ( ipaAnchorUUID ) X-ORIGIN 'IPA v4' )
Updated patches atached.
2.16.840.1.113730.3.8.12.35 is not used, I change it in patch
mbasti-0150
NACK on patch 150, 2.16.840.1.113730.3.8.12.34 was reserved for
ipaSecretKeyRefObject, there is no reserved OID for
ipaOverrideTarget, so it's ipaOverrideTarget which should be
fixed.
We were meaning to reserve .34 for ipaOverrideTarget for long
time. As ipaOverrideTarget is already in git, it makes sense to
change dnssec OIDs instead. Yes, we've got to step over each
other's toes but that's life. I've already have slapi-nis 0.54
released which relies on ipaOverrideTarget definition.
That's unreleased code and it surely does not rely on it's OID,
does it?
It's
Re: [Freeipa-devel] [PATCH 0152] Fix DNSSEC restored value
On 21.10.2014 14:18, Martin Basti wrote: Patch attached ACK -- Petr^2 Spacek ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0151] Fix DNS validation
On 21.10.2014 14:19, Martin Basti wrote: On 21/10/14 14:18, Martin Kosek wrote: On 10/21/2014 02:03 PM, Martin Basti wrote: Blocker for ipa-4-1 This and the uninstall issue I found: # ipa-server-install --uninstall --unattended Shutting down all IPA services Removing IPA client configuration Unconfiguring ntpd Unconfiguring CA Unconfiguring named Unconfiguring web server Unconfiguring krb5kdc Unconfiguring kadmin Unconfiguring directory server Unconfiguring smb Unconfiguring ipa_memcached Unconfiguring ipa-otpd ipa : ERRORSome installation state for named has not been restored, see /var/lib/ipa/sysrestore/sysrestore.state ipa : ERRORSome installation state has not been restored. This may cause re-installation to fail. It should be safe to remove /var/lib/ipa/sysrestore/sysrestore.state but it may mean your system hasn't be restored to its pre-installation state. # cat /var/lib/ipa/sysrestore/sysrestore.state [named] named-regular-running = False named-regular-enabled = False Martin I sent patch 152 ACK -- Petr^2 Spacek ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0152] Fix DNSSEC restored value
On 21.10.2014 15:45, Petr Spacek wrote: On 21.10.2014 14:18, Martin Basti wrote: Patch attached ACK Pushed to: master: 3eec7e1f53f298d752204f6268b8228ebb1ef55e ipa-4-1: 27290bf32d722e4494feb7a235b52ebfeb5c1023 -- Petr Vobornik ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0167: default to TLSv1.0/1.1 for IPA server side
On 10/21/2014 03:02 PM, Alexander Bokovoy wrote: Hi! See the commit message for the details. Works for me. I tested client from Fedora or RHEL-6 and it worked fine. ACK! Pushed to: master: 20761f7fcd86dbfad53af78bce2bd3892dfe8232 ipa-4-1: 77b5a81da8f777c65e7a21823a29598804f64cf9 ipa-4-0: c44bdeb7713d4d8b8b74690cc16fd40f48f9c115 Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0151] Fix DNS validation
On 21.10.2014 15:45, Petr Spacek wrote: On 21.10.2014 14:19, Martin Basti wrote: On 21/10/14 14:18, Martin Kosek wrote: On 10/21/2014 02:03 PM, Martin Basti wrote: Blocker for ipa-4-1 This and the uninstall issue I found: # ipa-server-install --uninstall --unattended Shutting down all IPA services Removing IPA client configuration Unconfiguring ntpd Unconfiguring CA Unconfiguring named Unconfiguring web server Unconfiguring krb5kdc Unconfiguring kadmin Unconfiguring directory server Unconfiguring smb Unconfiguring ipa_memcached Unconfiguring ipa-otpd ipa : ERRORSome installation state for named has not been restored, see /var/lib/ipa/sysrestore/sysrestore.state ipa : ERRORSome installation state has not been restored. This may cause re-installation to fail. It should be safe to remove /var/lib/ipa/sysrestore/sysrestore.state but it may mean your system hasn't be restored to its pre-installation state. # cat /var/lib/ipa/sysrestore/sysrestore.state [named] named-regular-running = False named-regular-enabled = False Martin I sent patch 152 ACK Pushed to: master: 5e1172f560f4a63ed8398f326c158e9c8c1f91a8 ipa-4-1: 04816e7654fb5119c9f62b4ad16b03113fce81a8 -- Petr Vobornik ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] issues with Debian port
On 20.10.2014 09:47, Martin Kosek wrote: As usual, let us know if you hit problems with porting FreeIPA there or extending our platform-independent code. Right, so I've hit a blocker issue I'm not so sure about.. client install will fail with: 2014-10-21T08:29:30Z INFO trying https://sid.tyrell/ipa/json 2014-10-21T08:29:30Z DEBUG Created connection context.rpcclient 2014-10-21T08:29:30Z DEBUG Try RPC connection 2014-10-21T08:29:30Z INFO Forwarding 'ping' to json server 'https://sid.tyrell/ipa/json' 2014-10-21T08:29:30Z ERROR Cannot connect to the server due to generic error: error marshalling data for XML-RPC transport: argument 2 must be string or None, not int I see that 3.3.x still used the old xml method and that worked just fine. Guess I could patch things to use xmlclient again.. Also, I'm reusing the RedHatService() stuff for services that have native systemd jobs, but in the later phases of install (and during uninstall) ipactl is trying to (re)start 'dirsv@.service' and not 'dirsrv@REALM.service' like in the dirsrv phase.. any hints here would be welcome as well. Otherwise I'll just use DebianSysvService() for dirsrv too.. -- t ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
