Re: [Freeipa-devel] [PATCH 0074] Make token window sizes configurable

2014-10-28 Thread Nathaniel McCallum
On Thu, 2014-10-23 at 18:07 -0400, Nathaniel McCallum wrote:
 This patch gives the administrator variables to control the size of
 the authentication and synchronization windows for OTP tokens.
 
 https://fedorahosted.org/freeipa/ticket/4511
 
 NOTE: There is one known issue with this patch which I don't know how to
 solve. This patch changes the schema in install/share/60ipaconfig.ldif.
 On an upgrade, all of the new attributeTypes appear correctly. However,
 the modifications to the pre-existing objectClass do not show up on the
 server. What am I doing wrong?
 
 After modifying ipaGuiConfig manually, everything in this patch works
 just fine.

This new version takes into account the new (proper) OIDs and attribute
names. The above known issue still remains.

Nathaniel
From 70c85c066316acb7b15739c608c90ba1c0c38cbc Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum npmccal...@redhat.com
Date: Thu, 23 Oct 2014 15:18:26 -0400
Subject: [PATCH] Make token window sizes configurable

This patch gives the administrator variables to control the size of
the authentication and synchronization windows for OTP tokens.

https://fedorahosted.org/freeipa/ticket/4511
---
 API.txt   |   6 +-
 VERSION   |   4 +-
 daemons/ipa-slapi-plugins/ipa-pwd-extop/authcfg.c | 195 +-
 daemons/ipa-slapi-plugins/ipa-pwd-extop/authcfg.h |  17 ++
 daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c |  77 +++--
 daemons/ipa-slapi-plugins/ipa-pwd-extop/syncreq.c |   5 +-
 daemons/ipa-slapi-plugins/libotp/libotp.c | 133 +++
 daemons/ipa-slapi-plugins/libotp/libotp.h |  30 ++--
 install/share/60ipaconfig.ldif|   7 +-
 install/ui/src/freeipa/serverconfig.js|  10 ++
 install/ui/test/data/ipa_init.json|   3 +-
 install/updates/40-otp.update |   6 +
 ipalib/plugins/config.py  |  31 +++-
 ipalib/plugins/internal.py|   1 +
 14 files changed, 334 insertions(+), 191 deletions(-)

diff --git a/API.txt b/API.txt
index 491d7a76fd1d2d50208d314d1600839ce295..4f204d0fa2e33dc4c9202645e111c25d2a545d70 100644
--- a/API.txt
+++ b/API.txt
@@ -514,7 +514,7 @@ args: 0,1,1
 option: Str('version?', exclude='webui')
 output: Output('result', None, None)
 command: config_mod
-args: 0,25,3
+args: 0,29,3
 option: Str('addattr*', cli_name='addattr', exclude='webui')
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('delattr*', cli_name='delattr', exclude='webui')
@@ -525,6 +525,8 @@ option: Str('ipadefaultprimarygroup', attribute=True, autofill=False, cli_name='
 option: Str('ipagroupobjectclasses', attribute=True, autofill=False, cli_name='groupobjectclasses', csv=True, multivalue=True, required=False)
 option: IA5Str('ipagroupsearchfields', attribute=True, autofill=False, cli_name='groupsearch', multivalue=False, required=False)
 option: IA5Str('ipahomesrootdir', attribute=True, autofill=False, cli_name='homedirectory', multivalue=False, required=False)
+option: Int('ipahotpauthwindow', attribute=True, autofill=False, cli_name='hotp_auth_window', maxvalue=1000, minvalue=1, multivalue=False, required=False)
+option: Int('ipahotpsyncwindow', attribute=True, autofill=False, cli_name='hotp_sync_window', maxvalue=1000, minvalue=1, multivalue=False, required=False)
 option: StrEnum('ipakrbauthzdata', attribute=True, autofill=False, cli_name='pac_type', csv=True, multivalue=True, required=False, values=(u'MS-PAC', u'PAD', u'nfs:NONE'))
 option: Int('ipamaxusernamelength', attribute=True, autofill=False, cli_name='maxusername', minvalue=1, multivalue=False, required=False)
 option: Bool('ipamigrationenabled', attribute=True, autofill=False, cli_name='enable_migration', multivalue=False, required=False)
@@ -533,6 +535,8 @@ option: Int('ipasearchrecordslimit', attribute=True, autofill=False, cli_name='s
 option: Int('ipasearchtimelimit', attribute=True, autofill=False, cli_name='searchtimelimit', minvalue=-1, multivalue=False, required=False)
 option: Str('ipaselinuxusermapdefault', attribute=True, autofill=False, cli_name='ipaselinuxusermapdefault', multivalue=False, required=False)
 option: Str('ipaselinuxusermaporder', attribute=True, autofill=False, cli_name='ipaselinuxusermaporder', multivalue=False, required=False)
+option: Int('ipatotpauthwindow', attribute=True, autofill=False, cli_name='totp_auth_window', maxvalue=2678400, minvalue=30, multivalue=False, required=False)
+option: Int('ipatotpsyncwindow', attribute=True, autofill=False, cli_name='totp_sync_window', maxvalue=2678400, minvalue=30, multivalue=False, required=False)
 option: StrEnum('ipauserauthtype', attribute=True, autofill=False, cli_name='user_auth_type', csv=True, multivalue=True, required=False, values=(u'password', u'radius', u'otp'))
 option: Str('ipauserobjectclasses', attribute=True, autofill=False, 

[Freeipa-devel] [PATCH, slapi-nis] ID view-related patches to slapi-nis

2014-10-28 Thread Alexander Bokovoy

Hi,

two patches to slapi-nis are attached:

- make sure only DNs from the schema-compat trees are targeted for ID
 view replacement. This solves the issue in
https://bugzilla.redhat.com/show_bug.cgi?id=1157989
 found by Sumit.

- support ID overrides in the BIND callback. So far the only thing we
 need is overriding uid.

They need to be applied in this order, on top of the 0.54 release of
slapi-nis.

--
/ Alexander Bokovoy
From 4645af44d48c81d8332020eb390db877ab179b3b Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Tue, 28 Oct 2014 10:09:47 +0200
Subject: [PATCH 1/2] ID views: ignore searches for views outside the subtrees
 of schema-compat sets

schema-compat plugin may provide multiple disjoint subtrees which
can be used to request overridden entries by prefixing the subtree
suffix with a

  cn=name of view,cn=views,subtree suffix

As subtrees may be disjoint, we cannot rely on the common suffix. Thus,
any attempt to replace the target DN and update filter terms must only be
done once we are sure the search will be done in the subtree.

This optimization prevents mistakenly changing the search filter when
FreeIPA and SSSD search for the ID overrides themselves, as the same
structure of the target DN is used for  cn=views,cn=accounts,$SUFFIX
subtree in FreeIPA. This subtree is never handled by slapi-nis and
should be ignored.

https://bugzilla.redhat.com/show_bug.cgi?id=1157989
---
 src/back-sch-idview.c | 11 +--
 src/back-sch.c| 83 +--
 2 files changed, 83 insertions(+), 11 deletions(-)

diff --git a/src/back-sch-idview.c b/src/back-sch-idview.c
index 5a2b450..a56a9e9 100644
--- a/src/back-sch-idview.c
+++ b/src/back-sch-idview.c
@@ -334,6 +334,10 @@ idview_process_filter_cb(Slapi_Filter *filter, const char 
*filter_type, struct b
slapi_ber_bvdone(bval);
slapi_ber_bvcpy(bval, 
slapi_value_get_berval(anchor_val));
config-override_found = TRUE;
+   
slapi_log_error(SLAPI_LOG_PLUGIN, cbdata-state-plugin_desc-spd_id,
+   Overriding the 
filter %s with %s=%*s from the override %s\n.,
+   filter_type, 
filter_type, bval-bv_len, bval-bv_val,
+   
slapi_entry_get_dn_const(cbdata-overrides[i]));
break;
}
}
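Review bot: As the hunk reads, the format in the added slapi_log_error call is `%*s`, which treats bval->bv_len as a minimum field width rather than a maximum length, so a berval whose value is not NUL-terminated is read past bv_len; the precision form `%.*s` is what bounds the read. Both forms take an `int` for the `*` argument while bv_len is a `ber_len_t`, so the argument should also be cast: `"Overriding the filter %s with %s=%.*s from the override %s\n", filter_type, filter_type, (int) bval->bv_len, bval->bv_val,`. The second hunk of this file (the one logging IPA_IDVIEWS_ATTR_ANCHORUUID) has the same format and needs the same change. Mail wrapping may have altered the quoted string, so please confirm against the real source; idview_process_filter_cb starts before this hunk.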
@@ -346,6 +350,11 @@ idview_process_filter_cb(Slapi_Filter *filter, const char 
*filter_type, struct b
slapi_ber_bvdone(bval);
slapi_ber_bvcpy(bval, 
slapi_value_get_berval(anchor_val));
config-override_found = TRUE;
+   slapi_log_error(SLAPI_LOG_PLUGIN, 
cbdata-state-plugin_desc-spd_id,
+   Overriding the filter 
%s with %s=%*s from the override %s\n.,
+   filter_type, 
IPA_IDVIEWS_ATTR_ANCHORUUID,
+   bval-bv_len, 
bval-bv_val,
+   
slapi_entry_get_dn_const(cbdata-overrides[i]));
break;
}
 
@@ -366,8 +375,6 @@ idview_process_filter_cb(Slapi_Filter *filter, const char 
*filter_type, struct b
  *
  * Note that in reality we don't use original value of the uid/cn attribue. 
Instead, we use ipaAnchorUUID
  * to refer to the original entry. */
-extern char *
-slapi_filter_to_string( const struct slapi_filter *f, char *buf, size_t 
bufsize );
 void
 idview_replace_filter(struct backend_search_cbdata *cbdata)
 {
diff --git a/src/back-sch.c b/src/back-sch.c
index 27d5101..902adb2 100644
--- a/src/back-sch.c
+++ b/src/back-sch.c
@@ -1166,6 +1166,44 @@ backend_search_set_cb(const char *group, const char 
*set, bool_t flag,
return TRUE;
 }
 
+/* Routines to search if a target DN is within any of the sets we handle */
+static bool_t
+backend_search_find_set_dn_in_group_cb(const char *group, const char *set, 
bool_t flag,
+void *backend_data, void *cb_data)
+{
+   struct backend_search_cbdata *cbdata;
+   struct backend_set_data *set_data;
+
+   cbdata = cb_data;
+   set_data = backend_data;
+
+   if (slapi_sdn_scope_test(cbdata-target_dn,
+set_data-container_sdn,
+cbdata-scope) == 1) {
+   cbdata-answer = TRUE;
+   }
+
+   if (slapi_sdn_compare(set_data-container_sdn,
+   

Re: [Freeipa-devel] [PATCH] 352 Fixed KRA backend.

2014-10-28 Thread Endi Sukma Dewata

Thanks for the review. New patch attached.

On 10/23/2014 3:59 AM, Petr Viktorin wrote:

In IPA we usually include the full ticket URL, not just the number.


Fixed.


The build fails with a lint message:
* Module ipaserver.plugins.dogtag
ipaserver/plugins/dogtag.py:1903: [E1123(unexpected-keyword-arg),
kra.get_client] Unexpected keyword argument 'password_file' in
constructor call)
ipaserver/plugins/dogtag.py:1903: [E1120(no-value-for-parameter),
kra.get_client] No value for argument 'certdb_password' in constructor
call)

I have pki-base-10.2.0-3.fc21.noarch, where NSSCryptoProvider indeed
takes password and not password_file. If a newer version is required you
should put it in the spec.


Fixed. The dependency is bumped to 10.2.1-0.1, which is available from my
COPR repo:


  dnf copr enable edewata/pki


ipaserver.install.certs.CertDB.install_pem_from_p12:
If p12_passwd is missing and pwd_fname is None, this will crash.
Please document how the method should be called. And assert that exactly
one of p12_passwd and pwd_fname is given.


I reverted this change because the KRA backend actually no longer uses 
install_pem_from_p12(). The KRA backend is now using the CLI from the 
new Dogtag which generates the proper PEM format for client 
authentication, so I'll leave install_pem_from_p12() unmodified because 
it's still used by KrbInstance.



ipaserver.plugins.dogtag.kra.get_client:
Should every caller check if this returns None?
If not, raise an exception instead.
If yes, at least mention it in a docstring.


Fixed. It's now raising a generic exception.

Is there an existing exception that is more appropriate for backend 
issues like this?



Typo in commit message: modified to use Dogtag's CLI *go* create


Fixed.

--
Endi S. Dewata
From 6f1f289f32dd68c85c09a41422e5b2e0c204ee4c Mon Sep 17 00:00:00 2001
From: Endi S. Dewata edew...@redhat.com
Date: Wed, 1 Oct 2014 14:59:46 -0400
Subject: [PATCH] Fixed KRA backend.

The KRA backend has been simplified since most of the tasks have
been moved somewhere else. The transport certificate will be
installed on the client, and it is not needed by the KRA backend. The
KRA agent's PEM certificate is now generated during installation
due to a permission issue. kra_host() is removed for now, since
the current ldap_enable() cannot register the KRA service, so the
kra_host environment variable is used instead.

The KRA installer has been modified to use Dogtag's CLI to create
KRA agent and setup the client authentication.

The proxy settings have been updated to include KRA's URLs.

Some constants have been renamed for clarity. The DOGTAG_AGENT_P12
has been renamed to DOGTAG_ADMIN_P12 since file actually contains
the Dogtag admin's certificate and private key and it can be used
to access both CA and KRA. The DOGTAG_AGENT_PEM has been renamed
to KRA_AGENT_PEM since it can only be used for KRA.

The Dogtag dependency has been updated to 10.2.1-0.1.

https://fedorahosted.org/freeipa/ticket/4503
---
 freeipa.spec.in  |   4 +-
 install/conf/ipa-pki-proxy.conf  |   2 +-
 ipaplatform/base/paths.py|   4 +-
 ipaserver/install/cainstance.py  |   4 +-
 ipaserver/install/ipa_backup.py  |   3 +-
 ipaserver/install/krainstance.py |  83 +++---
 ipaserver/plugins/dogtag.py  | 122 ++-
 7 files changed, 101 insertions(+), 121 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 
8fcb535e229db4f7a8eaaee3c99b18446eef7f1e..dc04be48b2bb52ff05f9fab371c4b333a15d24ca
 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -130,8 +130,8 @@ Requires(post): systemd-units
 Requires: selinux-policy = %{selinux_policy_version}
 Requires(post): selinux-policy-base
 Requires: slapi-nis = 0.54-1
-Requires: pki-ca = 10.2.0-3
-Requires: pki-kra = 10.2.0
+Requires: pki-ca = 10.2.1-0.1
+Requires: pki-kra = 10.2.1-0.1
 %if 0%{?rhel}
 Requires: subscription-manager
 %endif
diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf
index 
2370b4d7a7467a7e47c0d223915e018c9a009e83..5d21156848f3b5ddf14c42d92a26a30a9f94af36
 100644
--- a/install/conf/ipa-pki-proxy.conf
+++ b/install/conf/ipa-pki-proxy.conf
@@ -19,7 +19,7 @@ ProxyRequests Off
 /LocationMatch
 
 # matches for agent port and eeca port
-LocationMatch 
^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient|^/kra/agent/kra/connector|^/kra/rest/agent/keyrequests|^/kra/rest/agent/keys|^/ca/rest/admin/kraconnector/remove
+LocationMatch 
^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient|^/kra/agent/kra/connector|^/kra/rest/account|^/kra/rest/agent/keyrequests|^/kra/rest/agent/keys|^/ca/rest/admin/kraconnector/remove
 NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
 NSSVerifyClient require
 ProxyPassMatch 

Re: [Freeipa-devel] [PATCH] 354 Modififed NSSConnection not to shutdown existing database.

2014-10-28 Thread Endi Sukma Dewata

On 10/22/2014 9:15 AM, Endi Sukma Dewata wrote:

The NSSConnection class has been modified not to shut down the
existing NSS database if the database is already opened to
establish an SSL connection, or is already opened by other
code that uses an NSS database without establishing an SSL
connection, such as the vault CLIs.

Ticket #4638


New patch attached. It's identical except for the ticket URL in the 
commit log.


--
Endi S. Dewata
From 34bd77959687673db9fbf71c443b6ffe5ed4ca71 Mon Sep 17 00:00:00 2001
From: Endi S. Dewata edew...@redhat.com
Date: Tue, 16 Sep 2014 20:11:35 -0400
Subject: [PATCH] Modififed NSSConnection not to shutdown existing database.

The NSSConnection class has been modified not to shut down the
existing NSS database if the database is already opened to
establish an SSL connection, or is already opened by other
code that uses an NSS database without establishing an SSL
connection, such as the vault CLIs.

https://fedorahosted.org/freeipa/ticket/4638
---
 ipalib/rpc.py   | 34 +++---
 ipapython/nsslib.py | 35 +++
 2 files changed, 42 insertions(+), 27 deletions(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 
5934f0c26e4b7c0a44adbab978c1f9b319d72e9f..001b7f1ca06edadfc7aad635d9d564e517008a63
 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -63,6 +63,7 @@ from ipaplatform.paths import paths
 from ipapython.cookie import Cookie
 from ipapython.dnsutil import DNSName
 from ipalib.text import _
+import ipapython.nsslib
 from ipapython.nsslib import NSSHTTPS, NSSConnection
 from ipalib.krb_utils import KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, 
KRB5KRB_AP_ERR_TKT_EXPIRED, \
  KRB5_FCC_PERM, KRB5_FCC_NOFILE, KRB5_CC_FORMAT, 
KRB5_REALM_CANT_RESOLVE
@@ -450,14 +451,10 @@ class LanguageAwareTransport(MultiProtocolTransport):
 class SSLTransport(LanguageAwareTransport):
 Handles an HTTPS transaction to an XML-RPC server.
 
-def __nss_initialized(self, dbdir):
+def get_connection_dbdir(self):
 
-If there is another connections open it may have already
-initialized NSS. This is likely to lead to an NSS shutdown
-failure.  One way to mitigate this is to tell NSS to not
-initialize if it has already been done in another open connection.
-
-Returns True if another connection is using the same db.
+If there is a connections open it may have already initialized
+NSS database. Return the database location used by the connection.
 
 for value in context.__dict__.values():
 if not isinstance(value, Connection):
@@ -466,25 +463,32 @@ class SSLTransport(LanguageAwareTransport):
 getattr(value.conn, '_ServerProxy__transport', None),
 SSLTransport):
 continue
-if hasattr(value.conn._ServerProxy__transport, 'dbdir') and \
-  value.conn._ServerProxy__transport.dbdir == dbdir:
-return True
-return False
+if hasattr(value.conn._ServerProxy__transport, 'dbdir'):
+return value.conn._ServerProxy__transport.dbdir
+return None
 
 def make_connection(self, host):
 host, self._extra_headers, x509 = self.get_host_info(host)
 # Python 2.7 changed the internal class used in xmlrpclib from
 # HTTP to HTTPConnection. We need to use the proper subclass
 
-# If we an existing connection exists using the same NSS database
-# there is no need to re-initialize. Pass thsi into the NSS
-# connection creator.
 if sys.version_info = (2, 7):
 if self._connection and host == self._connection[0]:
 return self._connection[1]
 
 dbdir = getattr(context, 'nss_dir', paths.IPA_NSSDB_DIR)
-no_init = self.__nss_initialized(dbdir)
+connection_dbdir = self.get_connection_dbdir()
+
+if connection_dbdir:
+# If an existing connection is already using the same NSS
+# database there is no need to re-initialize.
+no_init = dbdir == connection_dbdir
+
+else:
+# If the NSS database is already being used there is no
+# need to re-initialize.
+no_init = dbdir == ipapython.nsslib.current_dbdir
+
 if sys.version_info  (2, 7):
 conn = NSSHTTPS(host, 443, dbdir=dbdir, no_init=no_init)
 else:
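Review bot: `get_connection_dbdir` returns the dbdir of the first SSLTransport it meets in context.__dict__, whereas the removed `__nss_initialized(dbdir)` kept scanning until it found a transport using the same database. With two connections open against different databases, the `if connection_dbdir:` branch in make_connection now derives `no_init` from whichever transport happens to come first and never looks at the others or at `ipapython.nsslib.current_dbdir`, so a database another transport already initialized can be initialized again — the very failure this commit sets out to avoid. Keeping the old match semantics is a small change: give the helper the requested database, `def get_connection_dbdir(self, dbdir):`, and return on the first match, `if getattr(value.conn._ServerProxy__transport, 'dbdir', None) == dbdir: return dbdir`, leaving the `current_dbdir` fallback for the no-match case. The docstring should also state that `None` means no open SSLTransport reports a dbdir; make_connection continues past the end of this hunk.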
diff --git a/ipapython/nsslib.py b/ipapython/nsslib.py
index 
93b0c56fcff4fc69841a6823aae8f694c1f76ff0..1452a2a5844a5fb017d4408aadf56f7fcfc7fa25
 100644
--- a/ipapython/nsslib.py
+++ b/ipapython/nsslib.py
@@ -31,6 +31,9 @@ import nss.ssl as ssl
 import nss.error as error
 from ipaplatform.paths import paths
 
+# NSS database currently open
+current_dbdir = None
+
 def auth_certificate_callback(sock, check_sig, is_server, certdb):
 cert_is_valid = False
 
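Review bot: The new module global `current_dbdir` becomes the authority that ipalib/rpc.py consults to decide whether NSS is already initialized, yet the comment `# NSS database currently open` does not say who sets it, when it is cleared, or what `None` means, and nothing in this hunk writes to it (presumably the later hunk of this file, outside view, does). A contract comment would help the next person adding an NSS initializer, e.g. `# Path of the NSS database this process has initialized through this module, or None; set on init and cleared on shutdown — TODO confirm every init/shutdown path updates it`. Since it is process-wide state, it is only accurate if every code path that initializes or shuts down NSS updates it, and that caveat belongs in the comment as well.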
@@ -184,19 +187,27 @@ class NSSConnection(httplib.HTTPConnection, 

Re: [Freeipa-devel] [PATCH] 353 Added initial vault implementation.

2014-10-28 Thread Endi Sukma Dewata

On 10/22/2014 3:04 PM, Endi Sukma Dewata wrote:

On 10/16/2014 4:12 PM, Endi Sukma Dewata wrote:

On 10/15/2014 10:59 PM, Endi Sukma Dewata wrote:

The NSSConnection class has to be modified not to shut down the existing
database because some of the vault clients (e.g. vault-archive and
vault-retrieve) also use a database to encrypt/decrypt the secret.


The problem is described in more detail in this ticket:
https://fedorahosted.org/freeipa/ticket/4638

The changes to the NSSConnection in the first patch caused the
installation to fail. Attached is a new patch that uses the solution
proposed by jdennis.


New patch attached. It's now using the correct OIDs for the schema. It
also has been rebased on top of #352-1 and #354.


New patch attached to fix the ticket URL. It depends on #352-2 and #354-1.

--
Endi S. Dewata
From cd3daa901f7139801ea61ae1e2716810da131bcc Mon Sep 17 00:00:00 2001
From: Endi S. Dewata edew...@redhat.com
Date: Tue, 21 Oct 2014 10:57:08 -0400
Subject: [PATCH] Added initial vault implementation.

This patch provides the initial vault implementation, which allows
the admin to create a vault, archive a secret, and retrieve the
secret using a standard vault. It also includes the initial LDAP
schema.

It currently has limitations including:
 - The vault only supports the standard vault type.
 - The vault can only be used by the admin user.
 - The transport certificate has to be installed manually.

These limitations, other vault features, schema and ACL changes will
be addressed in subsequent patches.

https://fedorahosted.org/freeipa/ticket/3872
---
 API.txt| 160 
 VERSION|   4 +-
 install/share/60basev4.ldif|   3 +
 install/share/Makefile.am  |   1 +
 install/share/copy-schema-to-ca.py |   1 +
 install/updates/40-vault.update|  27 ++
 install/updates/Makefile.am|   1 +
 ipa-client/man/default.conf.5  |   1 +
 ipalib/constants.py|   1 +
 ipalib/plugins/user.py |   9 +
 ipalib/plugins/vault.py| 724 +
 ipaserver/install/dsinstance.py|   1 +
 12 files changed, 931 insertions(+), 2 deletions(-)
 create mode 100644 install/share/60basev4.ldif
 create mode 100644 install/updates/40-vault.update
 create mode 100644 ipalib/plugins/vault.py

diff --git a/API.txt b/API.txt
index 
491d7a76fd1d2d50208d314d1600839ce295..cfa6558fcf678e5915a90407da517f9a591a41bf
 100644
--- a/API.txt
+++ b/API.txt
@@ -4475,6 +4475,166 @@ option: Str('version?', exclude='webui')
 output: Output('result', type 'bool', None)
 output: Output('summary', (type 'unicode', type 'NoneType'), None)
 output: PrimaryKey('value', None, None)
+command: vault_add
+args: 1,8,3
+arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, 
multivalue=False, 
pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', 
primary_key=True, required=True)
+option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
+option: Str('description', attribute=True, cli_name='desc', multivalue=False, 
required=False)
+option: Str('in?', cli_name='in')
+option: Str('parent', attribute=False, cli_name='parent', multivalue=False, 
required=False)
+option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
+option: Flag('rights', autofill=True, default=False)
+option: Bytes('secret', attribute=True, cli_name='secret', multivalue=False, 
required=False)
+option: Str('version?', exclude='webui')
+output: Entry('result', type 'dict', Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
+output: Output('summary', (type 'unicode', type 'NoneType'), None)
+output: PrimaryKey('value', None, None)
+command: vault_archive
+args: 1,10,3
+arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, 
multivalue=False, 
pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', 
primary_key=True, query=True, required=True)
+option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
+option: Bytes('encrypted_data?', cli_name='encrypted_data')
+option: Str('in?', cli_name='in')
+option: Bytes('nonce?', cli_name='nonce')
+option: Str('parent?', cli_name='parent')
+option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
+option: Flag('rights', autofill=True, default=False)
+option: Bytes('secret?', cli_name='secret')
+option: Str('version?', exclude='webui')
+option: Bytes('wrapped_session_key?', cli_name='wrapped_session_key')
+output: Entry('result', type 'dict', Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
+output: Output('summary', (type 'unicode', type 'NoneType'), None)
+output: PrimaryKey('value', None, None)
+command: vault_del
+args: 1,3,3
+arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, 
multivalue=True, 
pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', 

Re: [Freeipa-devel] [PATCH] 355 Added vault access control.

2014-10-28 Thread Endi Sukma Dewata

On 10/22/2014 3:04 PM, Endi Sukma Dewata wrote:

New LDAP ACIs have been added to allow users to create their own
private vault container, to allow owners to manage vaults and
containers, and to allow members to use the vaults. New CLIs have
been added to manage the owner and member lists. For archive and
retrieve operations the access control has to be enforced by the
plugins because those operations only affect the KRA. The LDAP schema
has been updated as well.

Ticket #3872

This patch depends on #353-2.


New patch attached to fix the ticket URL. It depends on #353-3.

--
Endi S. Dewata
From 6f464581e4e30e6105522ff25047764ec97e5a53 Mon Sep 17 00:00:00 2001
From: Endi S. Dewata edew...@redhat.com
Date: Fri, 17 Oct 2014 12:05:34 -0400
Subject: [PATCH] Added vault access control.

New LDAP ACIs have been added to allow users to create their own
private vault container, to allow owners to manage vaults and
containers, and to allow members to use the vaults. New CLIs have
been added to manage the owner and member lists. For archive and
retrieve operations the access control has to be enforced by the
plugins because those operations only affect the KRA. The LDAP schema
has been updated as well.

https://fedorahosted.org/freeipa/ticket/3872
---
 API.txt | 134 +--
 VERSION |   4 +-
 install/share/60basev4.ldif |   4 +-
 install/updates/40-vault.update |   7 ++
 ipalib/plugins/vault.py | 233 +++-
 5 files changed, 366 insertions(+), 16 deletions(-)

diff --git a/API.txt b/API.txt
index 
cfa6558fcf678e5915a90407da517f9a591a41bf..a46592ec9e82e618154bf09393c83d4b854315c5
 100644
--- a/API.txt
+++ b/API.txt
@@ -4476,11 +4476,12 @@ output: Output('result', type 'bool', None)
 output: Output('summary', (type 'unicode', type 'NoneType'), None)
 output: PrimaryKey('value', None, None)
 command: vault_add
-args: 1,8,3
+args: 1,9,3
 arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, 
multivalue=False, 
pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', 
primary_key=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
 option: Str('description', attribute=True, cli_name='desc', multivalue=False, 
required=False)
 option: Str('in?', cli_name='in')
+option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Str('parent', attribute=False, cli_name='parent', multivalue=False, 
required=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
 option: Flag('rights', autofill=True, default=False)
@@ -4489,12 +4490,39 @@ option: Str('version?', exclude='webui')
 output: Entry('result', type 'dict', Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
 output: Output('summary', (type 'unicode', type 'NoneType'), None)
 output: PrimaryKey('value', None, None)
+command: vault_add_member
+args: 1,7,3
+arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, 
multivalue=False, 
pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', 
primary_key=True, query=True, required=True)
+option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
+option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
+option: Flag('no_members', autofill=True, default=False, exclude='webui')
+option: Str('parent?', cli_name='parent')
+option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
+option: Str('user*', alwaysask=True, cli_name='users', csv=True)
+option: Str('version?', exclude='webui')
+output: Output('completed', type 'int', None)
+output: Output('failed', type 'dict', None)
+output: Entry('result', type 'dict', Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
+command: vault_add_owner
+args: 1,7,3
+arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, 
multivalue=False, 
pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', 
primary_key=True, query=True, required=True)
+option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
+option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
+option: Flag('no_members', autofill=True, default=False, exclude='webui')
+option: Str('parent?', cli_name='parent')
+option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
+option: Str('user*', alwaysask=True, cli_name='users', csv=True)
+option: Str('version?', exclude='webui')
+output: Output('completed', type 'int', None)
+output: Output('failed', type 'dict', None)
+output: Entry('result', type 'dict', Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
 command: vault_archive
-args: 1,10,3
+args: 1,11,3
 arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, 
multivalue=False, 

Re: [Freeipa-devel] [PATCH] 356 Added command to retrieve vault transport certificate.

2014-10-28 Thread Endi Sukma Dewata

On 10/23/2014 6:18 AM, Jan Cholasta wrote:

Hi,

Dne 22.10.2014 v 22:06 Endi Sukma Dewata napsal(a):

A new command has been added to retrieve the vault transport
certificate and optionally save it into a file. The vault archive
and retrieve commands have been modified to retrieve the transport
certificate and store it locally for subsequent usage. This way
it's no longer necessary to manually import the transport
certificate into the client's NSS database.


As part of the CA certificate renewal feature in 4.1, I have added a
LDAP certificate store to IPA, see
http://www.freeipa.org/page/V4/CA_certificate_renewal. Currently it
supports only CA certificates, but can be extended to support end entity
certificates rather easily. If you use it for the vault transport
certificate, it can be added to the client NSS database automatically on
install.

Honza



I'm attaching a new patch that's identical to the previous one with 
ticket URL updated. I'm thinking we should check this patch in first 
because it's already done, and then investigate the use of CA cert 
management utility as a separate enhancement, since it seems to need
to be generalized before it can be used to manage the KRA transport cert.
I'll also need to investigate the KRA transport cert replacement process 
to make sure it can be accommodated via IPA's cert management utility.


--
Endi S. Dewata
From 1bffa29d35fee0ac06cb1bc943f9de8beee58d05 Mon Sep 17 00:00:00 2001
From: Endi S. Dewata edew...@redhat.com
Date: Wed, 22 Oct 2014 10:02:25 -0400
Subject: [PATCH] Added command to retrieve vault transport certificate.

A new command has been added to retrieve the vault transport
certificate and optionally save it into a file. The vault archive
and retrieve commands have been modified to retrieve the transport
certificate and store it locally for subsequent usage. This way
it's no longer necessary to manually import the transport
certificate into the client's NSS database.

https://fedorahosted.org/freeipa/ticket/3872
---
 API.txt |  5 +++
 VERSION |  4 +--
 ipalib/plugins/vault.py | 85 +++--
 3 files changed, 89 insertions(+), 5 deletions(-)

diff --git a/API.txt b/API.txt
index 
a46592ec9e82e618154bf09393c83d4b854315c5..95b86ce84f5bc9f1d879e561e07b0348d719c90e
 100644
--- a/API.txt
+++ b/API.txt
@@ -4629,6 +4629,11 @@ option: Str('version?', exclude='webui')
 output: Entry('result', type 'dict', Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
 output: Output('summary', (type 'unicode', type 'NoneType'), None)
 output: PrimaryKey('value', None, None)
+command: vault_transport_cert
+args: 0,2,1
+option: Str('out?', cli_name='out')
+option: Str('version?', exclude='webui')
+output: Output('result', None, None)
 command: vaultcontainer_add
 args: 1,8,3
 arg: Str('cn', attribute=True, cli_name='container_name', maxlength=255, 
multivalue=False, 
pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', 
primary_key=True, required=True)
diff --git a/VERSION b/VERSION
index 
c471ed80af6a2c26be7fc89281ae60fac6c68577..d0ada131b700e93faa8c4946b811db36d76341a9
 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=2010061412
 #  #
 
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=110
-# Last change: edewata - added vault access control
+IPA_API_VERSION_MINOR=111
+# Last change: edewata - added vault transport certificate
diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py
index 
95f96859235af1c477c8f5738a27571d64aabe3a..871c3e3a25c688a64ba0ecfde5ccbd50b47fbe01
 100644
--- a/ipalib/plugins/vault.py
+++ b/ipalib/plugins/vault.py
@@ -24,6 +24,8 @@ import shutil
 import string
 import tempfile
 
+import nss.nss as nss
+
 import pki
 import pki.account
 import pki.crypto
@@ -109,7 +111,7 @@ EXAMPLES:
 )
 
 register = Registry()
-transport_cert_nickname = KRA Transport Certificate
+transport_cert_filename = vault-transport.pem
 
 @register()
 class vaultcontainer(LDAPObject):
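Review bot: `transport_cert_filename = "vault-transport.pem"` is a bare relative name, and where it is resolved — current directory, a per-user configuration directory, a temporary directory — is not visible in this hunk. The commit message says vault_archive and vault_retrieve now fetch this certificate and keep a local copy for later use, presumably to protect the secret in transit to the KRA, so a copy that is writable by other users or silently replaced would undermine that protection; the constant should therefore document the directory it is joined with and the ownership/permissions expected of it, e.g. `# Local cache of the KRA transport certificate fetched by vault_transport_cert; stored under <client config dir — TODO confirm> and must not be writable by other users`. The rename away from `transport_cert_nickname` also implies the client NSS database is no longer the source of this certificate; one sentence to that effect in the module docstring would spare the next reader a search.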
@@ -628,6 +630,63 @@ class vault_show(LDAPRetrieve):
 
 
 @register()
+class vault_transport_cert(Command):
+__doc__ = _('Retrieve vault transport certificate.')
+
+
+# list of attributes we want exported to JSON
+json_friendly_attributes = (
+'takes_args',
+)
+
+takes_options = (
+Str('out?',
+cli_name='out',
+doc=_('Output file to store the transport certificate'),
+),
+)
+
+has_output_params = (
+Str('certificate',
+label=_('Certificate'),
+),
+)
+
+def __json__(self):
+json_dict = dict(
+(a, getattr(self, a)) for a in self.json_friendly_attributes
+)
+json_dict['takes_options'] = list(self.get_json_options())
+return json_dict
+
+def execute(self, *args, **options):
+
+