Re: [Freeipa-devel] [PATCH 0038] Update default NTP Configuration

2014-12-02 Thread Martin Basti

On 01/12/14 16:16, Gabe Alford wrote:

Thanks, David. You're totally right. I am good with it.

thanks,

Gabe

ACK



On Mon, Dec 1, 2014 at 5:20 AM, David Kupka wrote:


On 11/30/2014 02:03 AM, Gabe Alford wrote:

Hello,

Fix for https://fedorahosted.org/freeipa/ticket/4583

Thanks,

Gabe



___
Freeipa-devel mailing list
Freeipa-devel@redhat.com 
https://www.redhat.com/mailman/listinfo/freeipa-devel

Hello!

Thanks for the patch. I guess that you wanted to add the "iburst"
option only once. Right now it will generate lines like:

server  iburst iburst

Attaching the fixed patch. Are you satisfied with it?

-- 
David Kupka








--
Martin Basti

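An added example (not code from the FreeIPA patch) of the idempotent rewrite David asks for: `iburst` is appended to each active `server` line at most once, and a checker flags lines where the option was duplicated. The ntp.conf fragment is constructed for the demonstration.

```python
# Constructed ntp.conf fragment for the demonstration (not a real host's file):
# one server line already carries iburst, one does not, one is commented out.
SAMPLE_NTP_CONF = """\
# sample /etc/ntp.conf fragment
server 0.fedora.pool.ntp.org iburst
server 1.fedora.pool.ntp.org
#server 2.fedora.pool.ntp.org
restrict default nomodify notrap nopeer noquery
"""


def add_iburst(conf_text):
    """Return conf_text with 'iburst' appended once to every active 'server'
    line. Lines that already carry the option, commented lines and other
    directives are left alone, so applying the function twice gives the
    same result as applying it once (the property the first patch lacked)."""
    out = []
    for line in conf_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "server" and "iburst" not in fields[2:]:
            indent = line[:len(line) - len(line.lstrip())]
            line = indent + " ".join(fields + ["iburst"])
        out.append(line)
    return "\n".join(out) + "\n"


def find_duplicate_options(conf_text):
    """Checker for the symptom described in the review ('server X iburst iburst'):
    return (line_number, option) for every server line that repeats an option."""
    problems = []
    for number, line in enumerate(conf_text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 3 or fields[0] != "server":
            continue
        seen = set()
        for option in fields[2:]:
            if option in seen:
                problems.append((number, option))
            seen.add(option)
    return problems
```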

Re: [Freeipa-devel] [PATCH 0173] Throw zonemgr error message before installation proceeds

2014-12-02 Thread Petr Spacek
On 1.12.2014 13:32, Jan Cholasta wrote:
> Actually, scratch that, exceptions thrown by python-dns do not have messages.

Oh yes, it is very annoying. I have asked upstream if potential patches about
these issues can be accepted:
https://github.com/rthalley/dnspython/issues/84

-- 
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH 0038] Update default NTP Configuration

2014-12-02 Thread Martin Kosek
I understand this as a patch from Gabe and ACK from David :-)

Pushed to master: 5f223a89adb400cfbe25231c8e6629dbf867642f

Martin

On 12/01/2014 04:16 PM, Gabe Alford wrote:
> Thanks, David. You're totally right. I am good with it.
> 
> thanks,
> 
> Gabe
> 
> On Mon, Dec 1, 2014 at 5:20 AM, David Kupka wrote:
> 
>> On 11/30/2014 02:03 AM, Gabe Alford wrote:
>>
>>> Hello,
>>>
>>> Fix for https://fedorahosted.org/freeipa/ticket/4583
>>>
>>> Thanks,
>>>
>>> Gabe
>>>
>>>
>>>
>>
>> Hello!
>>
>> Thanks for the patch. I guess that you wanted to add the "iburst" option only
>> once. Right now it will generate lines like:
>>
>> server  iburst iburst
>>
>> Attaching the fixed patch. Are you satisfied with it?
>>
>> --
>> David Kupka
>>
> 
> 
> 
> 



Re: [Freeipa-devel] [PATCH] 791 fix indentation in ipa-restore page

2014-12-02 Thread Petr Viktorin


ACK, pushed to:
master: 79d9c4943617bf57fde4a38325cbc9a14d0ff495
ipa-4-1: 250bb5cf3cf6d05fca7e99867a29ce1cfbb1da97

--
Petr³



Re: [Freeipa-devel] [PATCH] Stop ntpd before running ntpdate

2014-12-02 Thread Martin Kosek
On 05/09/2014 04:09 AM, Gabe Alford wrote:
> Re-factored my second patch. :)
> 
> Gabe
> 
> 
> On Tue, Apr 29, 2014 at 8:04 PM, Gabe Alford wrote:
> 
>> Updated patch to not run ntpdate if ntpd is running.
>>
>> Gabe
>>
>>
>>
>> On Tue, Apr 29, 2014 at 8:16 AM, Gabe Alford wrote:
>>
>>> Thanks Petr!
>>>
>>> Will rework patch to just skip ntpdate if ntpd is already running.
>>>
>>>
>>> On Tue, Apr 29, 2014 at 12:59 AM, Petr Spacek wrote:
>>>
 Hello Gabe!


 On 25.4.2014 16:28, Gabe Alford wrote:

>  Here is a patch for https://fedorahosted.org/
> freeipa/ticket/3735.
> It seemed better to try to stop ntpd before running ntpdate rather than
> not
> running ntpdate if ntpd was already running. I believe this patch only
> applies to the ipa-3-3 branch as ntpdate is not used anymore in the
> master.
>

 IMHO we should never stop ntpd if it is running. Plain ntpdate opens a
 potential security hole because an attacker can fake NTP answers and force the
 machine to rewind its clock to the past.

 This opens potential for replay attacks/re-using old compromised keys
 etc.

I just noticed that
https://fedorahosted.org/freeipa/ticket/3735
has a pending patch from Gabe. David or Tomas, do we still want to go with this
approach?

IIRC, David is now working in related area in ipa-client-install, so the patch
could be reviewed/reworked as part of his job.

Martin



[Freeipa-devel] [PATCH 3] ipa-client-install shouldn't be eager in specifying zone when doing nsupdate

2014-12-02 Thread Jan Pazdziora

Hello,

presumably, explicitly specifying the zone is not needed and can be
harmful.

-- 
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
From 934c5672cb0f73fc7d237cbf916707693dff9c39 Mon Sep 17 00:00:00 2001
From: Jan Pazdziora 
Date: Tue, 2 Dec 2014 11:48:04 +0100
Subject: [PATCH] No explicit zone specification.

https://fedorahosted.org/freeipa/ticket/4780
---
 ipa-client/ipa-install/ipa-client-install | 2 --
 1 file changed, 2 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 612ff62a12a24672e6bc390bcd5165cd20bf834a..eb9a4c2cd884d5412388b2a5c01149c40e8e2e3e 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1553,7 +1553,6 @@ def do_nsupdate(update_txt):
 
 UPDATE_TEMPLATE_A = """
 debug
-zone $ZONE.
 update delete $HOSTNAME. IN A
 show
 send
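Review bot: the commit message ("No explicit zone specification.") and the cover letter ("presumably ... can be harmful") give no concrete reason for dropping `zone $ZONE.`; please state it in the message: without the directive nsupdate locates the zone itself from an SOA query for the name being updated, whereas a hard-coded `$ZONE` fails whenever the host's record lives in a zone other than the one assumed (for example a delegated subdomain). Also check whether `do_nsupdate` still substitutes `$ZONE` into the template; if this was its only use, the value should be dropped as well.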
@@ -1564,7 +1563,6 @@ send
 
 UPDATE_TEMPLATE_ = """
 debug
-zone $ZONE.
 update delete $HOSTNAME. IN 
 show
 send
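Review bot: same removal as in the preceding hunk; since this template differs from the first one only in the record type, consider folding the two into one template parameterised by record type so the next fix does not have to be applied twice.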
-- 
1.9.3


[Freeipa-devel] [PATCH 0288] certs: Fix incorrect flag handling in load_cacert

2014-12-02 Thread Tomas Babej
Hi,

For CA certificates that are not certificates of the IPA CA, we incorrectly
set the trust flags to ",,", regardless of which trust_flags
parameter was actually passed.

Make the load_cacert method respect trust_flags and make "C,," the default
set of trust flags.

https://fedorahosted.org/freeipa/ticket/4779

-- 
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org 


From dacea08e7f33451788f464907385f5ac88f1db4e Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Tue, 2 Dec 2014 13:13:51 +0100
Subject: [PATCH] certs: Fix incorrect flag handling in load_cacert

For CA certificates that are not certificates of the IPA CA, we incorrectly
set the trust flags to ",,", regardless of which trust_flags
parameter was actually passed.

Make the load_cacert method respect trust_flags and make "C,," the default
set of trust flags.

https://fedorahosted.org/freeipa/ticket/4779
---
 ipaserver/install/certs.py | 6 ++
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 5399a0fa566c6f7df81a9d1e347f6ac99e5188c9..5a37acb2d2dbbd3193e59643add4c63f297ae2fe 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -238,7 +238,7 @@ class CertDB(object):
  "-k", self.passwd_fname])
 self.set_perms(self.pk12_fname)
 
-def load_cacert(self, cacert_fname, trust_flags='C,,'):
+def load_cacert(self, cacert_fname, trust_flags=None):
 """
 Load all the certificates from a given file. It is assumed that
 this file creates CA certificates.
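Review bot: changing the default from `'C,,'` to `None` is not explained in the docstring that follows, which does not mention `trust_flags` at all; document the parameter (an NSS trust string, `ssl,email,objsign`) and what `None` means for callers that relied on the old default. The docstring's "this file creates CA certificates" also looks like a typo for "contains".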
@@ -255,11 +255,9 @@ class CertDB(object):
 (rdn, subject_dn) = get_cert_nickname(cert)
 if subject_dn == ca_dn:
 nick = get_ca_nickname(self.realm)
-tf = trust_flags
 else:
 nick = str(subject_dn)
-tf = ',,'
-self.nssdb.add_cert(cert, nick, tf, pem=True)
+self.nssdb.add_cert(cert, nick, trust_flags or "C,,", pem=True)
 except RuntimeError:
 break
 
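Review bot: `trust_flags or "C,,"` now applies to every certificate in the file, so an unrelated CA in the same bundle ends up with the `C` flag (trusted to issue server certificates) whenever the caller passes nothing, whereas the `else` branch previously gave non-IPA CAs `,,`; keep `,,` as the default for that branch and require callers to opt in explicitly, which is also what the follow-up review asks for.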
-- 
1.9.3


Re: [Freeipa-devel] [PATCH 0288] certs: Fix incorrect flag handling in load_cacert

2014-12-02 Thread Jan Cholasta

Hi,

Dne 2.12.2014 v 13:16 Tomas Babej napsal(a):

Hi,

For CA certificates that are not certificates of the IPA CA, we incorrectly
set the trust flags to ",,", regardless of which trust_flags
parameter was actually passed.

Make the load_cacert method respect trust_flags and make "C,," the default
set of trust flags.


For unknown CA certificates, you must keep the default ",," and 
explicitly override it where necessary. We don't want to trust *any* CA 
certificate to issue server certs.




https://fedorahosted.org/freeipa/ticket/4779


Honza

--
Jan Cholasta

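An added example (not FreeIPA code) modelling the per-certificate trust decision that the four revisions of this patch make, so the objection above can be checked on a constructed bundle: the real load_cacert parses a PEM file with NSS tools, here only the subject DNs and the trust strings are modelled.

```python
# Constructed bundle: subject DNs of the certificates found in one PEM file.
IPA_CA_DN = "CN=Certificate Authority,O=EXAMPLE.TEST"
BUNDLE = [IPA_CA_DN, "CN=Corporate Root CA,O=Example Corp"]


def flags_before(subject_dn, ca_dn, trust_flags="C,,"):
    """Pre-patch logic (the bug in ticket 4779): the parameter is ignored
    for every certificate that is not the IPA CA, which always gets ',,'."""
    return trust_flags if subject_dn == ca_dn else ",,"


def flags_v1(subject_dn, ca_dn, trust_flags=None):
    """First revision: every certificate falls back to 'C,,', so an
    unrelated CA in the same file is marked trusted to issue server certs."""
    return trust_flags or "C,,"


def flags_v2(subject_dn, ca_dn, trust_flags=None):
    """Second revision: per-branch defaults; a caller value overrides both."""
    if subject_dn == ca_dn:
        return trust_flags or "C,,"
    return trust_flags or ",,"


def flags_final(subject_dn, ca_dn, trust_flags):
    """Pushed revision: no default, the caller must state the flags, and
    they apply to every certificate in the file."""
    return trust_flags


def load_bundle(decide, bundle, ca_dn, **kwargs):
    """Apply one decision function per certificate, mirroring the loop in
    load_cacert; returns {subject_dn: trust_flags}."""
    return {dn: decide(dn, ca_dn, **kwargs) for dn in bundle}


def server_ca_trusted(flags):
    """NSS trust strings are 'ssl,email,objsign'; a 'C' in the first field
    means 'trusted CA for issuing SSL server certificates'."""
    return "C" in flags.split(",")[0]


def unexpected_server_cas(loaded, ca_dn):
    """The check a reviewer wants: which CAs other than the IPA CA ended up
    trusted to issue server certificates?"""
    return sorted(dn for dn, flags in loaded.items()
                  if dn != ca_dn and server_ca_trusted(flags))
```

The last two assertions below are the caveat from the dsinstance.py call site: passing "C,," for the whole file trusts every CA in it, so the file must contain only CAs the instance is meant to trust.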


Re: [Freeipa-devel] [PATCH 0288] certs: Fix incorrect flag handling in load_cacert

2014-12-02 Thread Tomas Babej

On 12/02/2014 01:45 PM, Jan Cholasta wrote:
> Hi,
>
> Dne 2.12.2014 v 13:16 Tomas Babej napsal(a):
>> Hi,
>>
>> For CA certificates that are not certificates of the IPA CA, we incorrectly
>> set the trust flags to ",,", regardless of which trust_flags
>> parameter was actually passed.
>>
>> Make the load_cacert method respect trust_flags and make "C,," the default
>> set of trust flags.
>
> For unknown CA certificates, you must keep the default ",," and
> explicitly override it where necessary. We don't want to trust *any*
> CA certificate to issue server certs.
>
>>
>> https://fedorahosted.org/freeipa/ticket/4779
>
> Honza

Updated patch attached.

However, this boils down to the same thing, so there is really no functional
difference between the two versions of the patches in the current code
base. In all places where load_cacert is called, the trust flags are
explicitly overridden.

-- 
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org 

From 55b5f82445c9e0ce45a8c8587fcb7d5c6c5c07b0 Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Tue, 2 Dec 2014 13:13:51 +0100
Subject: [PATCH] certs: Fix incorrect flag handling in load_cacert

For CA certificates that are not certificates of the IPA CA, we incorrectly
set the trust flags to ",,", regardless of which trust_flags
parameter was actually passed.

Make the load_cacert method respect trust_flags and make "C,," the default
set of trust flags.

https://fedorahosted.org/freeipa/ticket/4779
---
 ipaserver/install/certs.py  | 6 +++---
 ipaserver/install/dsinstance.py | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 5399a0fa566c6f7df81a9d1e347f6ac99e5188c9..6c1537b9c1aff58c56c1d10ada2dfa5deba631ca 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -238,7 +238,7 @@ class CertDB(object):
  "-k", self.passwd_fname])
 self.set_perms(self.pk12_fname)
 
-def load_cacert(self, cacert_fname, trust_flags='C,,'):
+def load_cacert(self, cacert_fname, trust_flags=None):
 """
 Load all the certificates from a given file. It is assumed that
 this file creates CA certificates.
@@ -255,10 +255,10 @@ class CertDB(object):
 (rdn, subject_dn) = get_cert_nickname(cert)
 if subject_dn == ca_dn:
 nick = get_ca_nickname(self.realm)
-tf = trust_flags
+tf = trust_flags or 'C,,'
 else:
 nick = str(subject_dn)
-tf = ',,'
+tf = trust_flags or ',,'
 self.nssdb.add_cert(cert, nick, tf, pem=True)
 except RuntimeError:
 break
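Review bot: with `trust_flags or ...` in both branches, one explicit value overrides the per-branch defaults for every certificate in the file, so the `',,'` default only ever applies when the caller passes nothing; given the statement that every current caller passes the flags explicitly, both defaults are dead code and a mandatory parameter states the contract more honestly.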
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 06c13c21dd3a5ea1e15c0a797a48fd6af02c1bdf..2ca09e7e32cd423ff90c41ad6309fcf0dd099a82 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -840,7 +840,7 @@ class DsInstance(service.Service):
 certdb.cacert_name = cacert_name
 status = True
 try:
-certdb.load_cacert(cacert_fname)
+certdb.load_cacert(cacert_fname, trust_flags="C,,")
 except ipautil.CalledProcessError, e:
 root_logger.critical("Error importing CA cert file named [%s]: %s" %
  (cacert_fname, str(e)))
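Review bot: `trust_flags="C,,"` here marks every CA found in `cacert_fname` as a trusted issuer of server certificates, not only the IPA CA; that is only safe if the file is guaranteed to contain nothing but the CA(s) this instance should trust, so a short comment stating that assumption at the call site would help.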
-- 
1.9.3


Re: [Freeipa-devel] [PATCH 0288] certs: Fix incorrect flag handling in load_cacert

2014-12-02 Thread Jan Cholasta

Dne 2.12.2014 v 13:55 Tomas Babej napsal(a):


On 12/02/2014 01:45 PM, Jan Cholasta wrote:

Hi,

Dne 2.12.2014 v 13:16 Tomas Babej napsal(a):

Hi,

For CA certificates that are not certificates of the IPA CA, we incorrectly
set the trust flags to ",,", regardless of which trust_flags
parameter was actually passed.

Make the load_cacert method respect trust_flags and make "C,," the default
set of trust flags.


For unknown CA certificates, you must keep the default ",," and
explicitly override it where necessary. We don't want to trust *any*
CA certificate to issue server certs.



https://fedorahosted.org/freeipa/ticket/4779


Honza


Updated patch attached.

However, this boils down to the same thing, so there is really no functional
difference between the two versions of the patches in the current code
base. In all places where load_cacert is called, the trust flags are
explicitly overridden.



OK, then we don't need a default value at all.

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH 0074] Make token window sizes configurable

2014-12-02 Thread thierry bordaz

On 11/12/2014 11:37 PM, Nathaniel McCallum wrote:

On Mon, 2014-11-10 at 08:28 +0100, Martin Kosek wrote:

On 11/07/2014 04:44 PM, Petr Vobornik wrote:

On 7.11.2014 08:58, Martin Kosek wrote:

On 11/04/2014 05:17 PM, Nathaniel McCallum wrote:

On Wed, 2014-10-29 at 09:34 -0400, Nathaniel McCallum wrote:

On Wed, 2014-10-29 at 12:21 +0100, Petr Viktorin wrote:

On 10/29/2014 10:37 AM, Martin Kosek wrote:

On 10/28/2014 09:59 PM, Nathaniel McCallum wrote:

On Thu, 2014-10-23 at 18:07 -0400, Nathaniel McCallum wrote:

This patch gives the administrator variables to control the size of
the authentication and synchronization windows for OTP tokens.

https://fedorahosted.org/freeipa/ticket/4511

NOTE: There is one known issue with this patch which I don't know
how to
solve. This patch changes the schema in
install/share/60ipaconfig.ldif.
On an upgrade, all of the new attributeTypes appear correctly.
However,
the modifications to the pre-existing objectClass do not show up
on the
server. What am I doing wrong?

After modifying ipaGuiConfig manually, everything in this patch
works
just fine.

This new version takes into account the new (proper) OIDs and
attribute
names.

Thanks Nathaniel!


The above known issue still remains.

Petr3, any idea what could have gone wrong? ObjectClass MAY list
extension
should work just fine, AFAIK.

You added a blank line to the LDIF file. This is an entry separator, so
the objectClasses after the blank line don't belong to cn=schema, so
they aren't considered in the update.
Without the blank line it works fine.

Thanks for the catch!

Here is a version without the blank line.

I forgot to remove the old steps defines. This patch performs this
cleanup.

I am now wondering, is the global config object really the best place to
add these OTP specific settings?

I would prefer not to overload the object and instead:
- create new ipaOTPConfig objectclass
- add it to cn=otp,$SUFFIX
- create otpconfig-mod and otpconfig-show commands to follow an example
of dnsconfig-* and trustconfig-* commands

IMO, this would allow more flexibility for the OTP settings and would
also scale better for the future updates.

+1

I will comment on the patch as if ^^ did not exist because it will still be
needed in the new plugin.

Because of ^^ I did not test, just read.

1. Got:
install/ui/src/freeipa/serverconfig.js(135): lint warning: extra comma is not
recommended in array initializers

Please run:
   jsl -nofilelisting -nosummary -nologo -conf jsl.conf
in install/ui directory

The goal is to have no warnings and errors.

2. new attrs should be added to 'System: Read Global Configuration' managed
permission

+1. Though if we go with OTP config, it should be called

System: Read OTP Configuration

Martin

Attached is a new set of patches that replaces this single patch. This
now fixes multiple issues.

I now create two new entries:
  * cn=TOTP,cn=Token Config,cn=etc,$SUFFIX
  * cn=HOTP,cn=Token Config,cn=etc,$SUFFIX

There are two corresponding CLI commands:
  * totpconfig-(show|mod)
  * hotpconfig-(show|mod)

There is no UI support for this yet (pointers welcome).

This is designed so that eventually tokens can grow a per-token
override, but I have not yet implemented this feature (it should be easy
in the future).

Additionally, I had to do some shared refactoring to address issues in
ipa-otp-lasttoken, which is why all of these are now merged into a
single patch set.

Nathaniel




Hello Nathaniel,

   Very few comments.

   On patch 0002:

   Is it possible that we later define a spec with 'dflt' containing
   OTP_CONFIG_AUTH_TYPE_DISABLED? If yes, it needs to be 32 bits.

   When is otp_config_fini called?


   On patch 0003:

   In ipa-otp-lasttoken:58 you may use SLAPI_ATTR_OBJECTCLASS
   (slapi-plugin.h).
   In ipa-otp-lasttoken:preop_mod , the test is_allowed is done on the
   original entry (SLAPI_ENTRY_PRE_OP). That is the entry untouched by
   others BE_PREOP/TXN_BE_PREOP plugins. Is that the entry you want to
   check ?

   On patch 0004:
   In otp_config.c:otp_config_window you may use SLAPI_ATTR_OBJECTCLASS
   (slapi-plugin.h)
   in otp_token: bvtod, if 'code' contains a non-digit character, 'out' is
   not reset before return.



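An added example, not code from this patch set, showing what the two configurable windows discussed in this thread mean for an HOTP/TOTP verifier and why the "last token" state from ipa-otp-lasttoken must be enforced alongside them: a wider authentication window accepts more counters, and a replayed code is rejected regardless of the window. Stdlib only; the RFC 4226 test secret is used as a constructed key.

```python
import hashlib
import hmac
import struct


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def totp_counter(now, step=30, t0=0):
    """RFC 6238: map a Unix timestamp to an HOTP counter."""
    return (int(now) - t0) // step


class TokenState:
    """Per-token state the server must persist: the secret and the highest
    counter already accepted (the 'last token' tracked by ipa-otp-lasttoken)."""

    def __init__(self, key, last_counter=-1):
        self.key = key
        self.last_counter = last_counter


def verify(token, code, now, auth_window=1, step=30):
    """Accept `code` if it matches a counter within +/- auth_window steps of
    the current one AND that counter is newer than the last accepted one.
    The second condition is what stops a captured code from being replayed,
    however wide the administrator configures the window."""
    centre = totp_counter(now, step)
    for c in range(max(0, centre - auth_window), centre + auth_window + 1):
        if c <= token.last_counter:
            continue
        if hmac.compare_digest(hotp(token.key, c), code):
            token.last_counter = c
            return True
    return False


def resync(token, code1, code2, now, sync_window=10, step=30):
    """Resynchronise a drifted token: two consecutive codes must match two
    consecutive counters within +/- sync_window steps. Returns the drift in
    steps, or None. A larger sync window widens the search but still demands
    two consecutive valid codes, which is why it may exceed auth_window."""
    centre = totp_counter(now, step)
    for c in range(max(0, centre - sync_window), centre + sync_window + 1):
        if c <= token.last_counter:
            continue
        if (hmac.compare_digest(hotp(token.key, c), code1)
                and hmac.compare_digest(hotp(token.key, c + 1), code2)):
            token.last_counter = c + 1
            return c - centre
    return None


# Constructed demonstration secret: the RFC 4226 Appendix D test key.
TEST_KEY = b"12345678901234567890"
```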

Re: [Freeipa-devel] [PATCH 0288] certs: Fix incorrect flag handling in load_cacert

2014-12-02 Thread Tomas Babej

On 12/02/2014 02:02 PM, Jan Cholasta wrote:
> Dne 2.12.2014 v 13:55 Tomas Babej napsal(a):
>>
>> On 12/02/2014 01:45 PM, Jan Cholasta wrote:
>>> Hi,
>>>
>>> Dne 2.12.2014 v 13:16 Tomas Babej napsal(a):
 Hi,

 For CA certificates that are not certificates of the IPA CA, we
 incorrectly
 set the trust flags to ",,", regardless of which trust_flags
 parameter was actually passed.

 Make the load_cacert method respect trust_flags and make "C,," the default
 set of trust flags.
>>>
>>> For unknown CA certificates, you must keep the default ",," and
>>> explicitly override it where necessary. We don't want to trust *any*
>>> CA certificate to issue server certs.
>>>

 https://fedorahosted.org/freeipa/ticket/4779
>>>
>>> Honza
>>
>> Updated patch attached.
>>
>> However, this boils down to the same thing, so there is really no functional
>> difference between the two versions of the patches in the current code
>> base. In all places where load_cacert is called, the trust flags are
>> explicitly overridden.
>>
>
> OK, then we don't need a default value at all.
>

Updated patch makes trust_flags a required argument of load_cacert.

-- 
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org 

From a087bda498e10b1e923f2882522b42fa7d8f8239 Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Tue, 2 Dec 2014 13:13:51 +0100
Subject: [PATCH] certs: Fix incorrect flag handling in load_cacert

For CA certificates that are not certificates of the IPA CA, we incorrectly
set the trust flags to ",,", regardless of which trust_flags
parameter was actually passed.

Make the load_cacert method respect trust_flags and make it a required
argument.

https://fedorahosted.org/freeipa/ticket/4779
---
 ipaserver/install/certs.py  | 6 ++
 ipaserver/install/dsinstance.py | 2 +-
 2 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 5399a0fa566c6f7df81a9d1e347f6ac99e5188c9..7292cbbe3574f57d32daa6f1e310669486fa5eff 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -238,7 +238,7 @@ class CertDB(object):
  "-k", self.passwd_fname])
 self.set_perms(self.pk12_fname)
 
-def load_cacert(self, cacert_fname, trust_flags='C,,'):
+def load_cacert(self, cacert_fname, trust_flags):
 """
 Load all the certificates from a given file. It is assumed that
 this file creates CA certificates.
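Review bot: now that `trust_flags` is mandatory, the docstring starting two lines below should say so and describe the expected NSS trust string; also, any caller still invoking `load_cacert(fname)` with one argument will fail at runtime with a TypeError, and only `dsinstance.py` is updated in this patch, so please confirm by grepping the tree that no other call site remains.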
@@ -255,11 +255,9 @@ class CertDB(object):
 (rdn, subject_dn) = get_cert_nickname(cert)
 if subject_dn == ca_dn:
 nick = get_ca_nickname(self.realm)
-tf = trust_flags
 else:
 nick = str(subject_dn)
-tf = ',,'
-self.nssdb.add_cert(cert, nick, tf, pem=True)
+self.nssdb.add_cert(cert, nick, trust_flags, pem=True)
 except RuntimeError:
 break
 
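Review bot: the `if subject_dn == ca_dn` test now selects only the nickname while the same `trust_flags` are applied to every certificate in the file; a one-line comment making that explicit would stop a future reader from assuming the branch still differentiates trust.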
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 06c13c21dd3a5ea1e15c0a797a48fd6af02c1bdf..66267f4cdde548266b15594e3640bf8247c64859 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -840,7 +840,7 @@ class DsInstance(service.Service):
 certdb.cacert_name = cacert_name
 status = True
 try:
-certdb.load_cacert(cacert_fname)
+certdb.load_cacert(cacert_fname, 'C,,')
 except ipautil.CalledProcessError, e:
 root_logger.critical("Error importing CA cert file named [%s]: %s" %
  (cacert_fname, str(e)))
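Review bot: `'C,,'` is passed positionally here while the previous revision used `trust_flags="C,,"`; with the parameter just made mandatory and its value an opaque NSS trust string, the keyword form is clearer at the call site.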
-- 
1.9.3


[Freeipa-devel] [PATCH 0289] hosts: Display assigned ID view by default in host-find and show

2014-12-02 Thread Tomas Babej
Hi,

Makes ipaassignedidview a default attribute and takes care of the
conversion from the DN to the proper ID view name.

https://fedorahosted.org/freeipa/ticket/4774

-- 
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org 


From 1af1922f27a29ead65629b3919e4a2aaeacc03c9 Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Tue, 2 Dec 2014 15:40:40 +0100
Subject: [PATCH] hosts: Display assigned ID view by default in host-find and
 show commands

Makes ipaassignedidview a default attribute and takes care of the
conversion from the DN to the proper ID view name.

https://fedorahosted.org/freeipa/ticket/4774
---
 ipalib/plugins/host.py | 16 +++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index c4d4bdf6473e0f34c8c68754d6c98e93d173d8fa..d53b6a06da10f8a4bcda9b7241f3e99bbb84e9b8 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -162,6 +162,17 @@ def update_sshfp_record(zone, record, entry_attrs):
 except errors.EmptyModlist:
 pass
 
+
+def convert_ipaassignedidview_post(entry_attrs, options):
+"""
+Converts the ID View DN to its name for the better looking output.
+"""
+
+if 'ipaassignedidview' in entry_attrs and not options.get('raw'):
+idview_name = entry_attrs.single_value['ipaassignedidview'][0].value
+entry_attrs['ipaassignedidview'] = idview_name
+
+
 host_output_params = (
 Flag('has_keytab',
 label=_('Keytab'),
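Review bot: `entry_attrs.single_value['ipaassignedidview'][0].value` takes the value of the DN's first RDN as the view name, which holds for `cn=<view>,...` DNs but is not stated anywhere; add a comment with that assumption. The docstring "for the better looking output" should read "for more readable output".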
@@ -274,7 +285,7 @@ class host(LDAPObject):
 'fqdn', 'description', 'l', 'nshostlocation', 'krbprincipalname',
 'nshardwareplatform', 'nsosversion', 'usercertificate', 'memberof',
 'managedby', 'memberindirect', 'memberofindirect', 'macaddress',
-'userclass', 'ipaallowedtoperform'
+'userclass', 'ipaallowedtoperform', 'ipaassignedidview',
 ]
 uuid_attribute = 'ipauniqueid'
 attribute_members = {
@@ -502,6 +513,7 @@ class host(LDAPObject):
   'local interpretation)'),
 ),
 DNParam('ipaassignedidview?',
+label=_('Assigned ID View'),
 flags=['no_option'],
 ),
 ) + ticket_flags_params
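Review bot: since the post-callbacks now replace the DN with the view's name in non-raw output, declaring the parameter as `DNParam('ipaassignedidview?'` no longer matches what the command returns; change it to `Str` for consistency with other converted attributes, as Jan Cholasta's review of this patch also requests.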
@@ -1023,6 +1035,7 @@ class host_find(LDAPSearch):
 entry_attrs['managing'] = self.obj.get_managed_hosts(entry_attrs.dn)
 
 convert_sshpubkey_post(ldap, entry_attrs.dn, entry_attrs)
+convert_ipaassignedidview_post(entry_attrs, options)
 
 return truncated
 
@@ -1058,6 +1071,7 @@ class host_show(LDAPRetrieve):
 self.obj.suppress_netgroup_memberof(ldap, entry_attrs)
 
 convert_sshpubkey_post(ldap, dn, entry_attrs)
+convert_ipaassignedidview_post(entry_attrs, options)
 
 return dn
 
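Review bot: the conversion is wired into `host_find` and `host_show` only; `host_add` and `host_mod` also return the entry's attributes, so a host with an assigned view would print the DN from those commands and the name from these two. Either call `convert_ipaassignedidview_post` in their post-callbacks as well or say in the commit message that the difference is intended.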
-- 
1.9.3


Re: [Freeipa-devel] [PATCH 0288] certs: Fix incorrect flag handling in load_cacert

2014-12-02 Thread Jan Cholasta

Dne 2.12.2014 v 14:09 Tomas Babej napsal(a):


On 12/02/2014 02:02 PM, Jan Cholasta wrote:

Dne 2.12.2014 v 13:55 Tomas Babej napsal(a):


On 12/02/2014 01:45 PM, Jan Cholasta wrote:

Hi,

Dne 2.12.2014 v 13:16 Tomas Babej napsal(a):

Hi,

For CA certificates that are not certificates of the IPA CA, we
incorrectly
set the trust flags to ",,", regardless of which trust_flags
parameter was actually passed.

Make the load_cacert method respect trust_flags and make "C,," the default
set of trust flags.


For unknown CA certificates, you must keep the default ",," and
explicitly override it where necessary. We don't want to trust *any*
CA certificate to issue server certs.



https://fedorahosted.org/freeipa/ticket/4779


Honza


Updated patch attached.

However, this boils down to the same thing, so there is really no functional
difference between the two versions of the patches in the current code
base. In all places where load_cacert is called, the trust flags are
explicitly overridden.



OK, then we don't need a default value at all.



Updated patch makes trust_flags a required argument of load_cacert.



Thanks, ACK!

Pushed to:
master: faec4ef9de431a1b72423be8ce6cea28a7221531
ipa-4-1: db4ac4774523c1d41a606b1c0297e9eeae13ebd6

Honza

--
Jan Cholasta



Re: [Freeipa-devel] FreeIPA integration with external DNS services

2014-12-02 Thread Petr Spacek
On 1.12.2014 17:12, Simo Sorce wrote:
> On Mon, 01 Dec 2014 16:17:54 +0100
> Petr Spacek  wrote:
> 
>> On 14.11.2014 17:31, Petr Spacek wrote:
>>> On 14.11.2014 02:22, Simo Sorce wrote:
 On Tue, 11 Nov 2014 16:29:51 +0100
 Petr Spacek  wrote:

> Hello,
>
> this thread is about RFE
> "IPA servers when installed should register themselves in the
> external DNS" https://fedorahosted.org/freeipa/ticket/4424
>
> It is not a complete design, just a raw idea.
>
>
> Use case
> 
> FreeIPA installation to a network with existing DNS
> infrastructure + network administrator who is not willing to
> add/maintain new DNS servers "just for FreeIPA".
>
>
> High-level idea
> ===
> - Transform dns* commands from FreeIPA framework to equivalent
> "nsupdate" commands and send DNS updates to existing DNS servers.
> - Provide necessary encryption/signing keys to nsupdate.
>
>
> 1) Integration to FreeIPA framework
> ===
> First of all, we need to decide if "external DNS integration" can
> be used at the same time with FreeIPA-integrated DNS or not.
> Side-question is what to do if a first server is installed with
> external-DNS but another replica is being installed with
> integrated-DNS and so on.

 I think being able to integrate with an external DNS is important,
 and not just at the server level, being able to distribute TSIG
 keys to client would be nice too, though a lot less important,
 than getting server integration..
>>>
>>> Using TSIG on many clients is very problematic. Keep in mind that
>>> TSIG is basically HMAC computed using symmetric key so:
>>> a) Every client would have to use the same key - this is a security
>>> nightmare. b) We would have to distribute and maintain many keys
>>> for many^2 clients, which is an administrative nightmare.
>>>
>>> For *clients* I would rather stay with GSS-TSIG which is much more
>>> manageable because we can use Kerberos trust and Keytab
>>> distribution is already solved by ipa-client-install.
>>>
>>> Alternative for clients would be to use FreeIPA server as proxy
>>> which encapsulates TSIG keys and issues update requests on behalf
>>> of clients. This would be FreeIPA-specific but any
>>> TSIG-distribution mechanism will be FreeIPA-specific anyway.
>>>
>>> TSIG standard explicitly says that there is no standardized
>>> distribution mechanism.
>>>
> In other words, the question is if current "dns.py" plugin shipped
> with FreeIPA framework should be:
>
> a) Extended dns.py with dnsexternal-* commands
> --
> Disadvantages:
> - It complicates the FreeIPA DNS interface, which is a complex beast
> even now.
> - We would have to add a condition to every DNS API call in installers
> which would increase the horribleness of the installer code even more
> (or add another layer of abstraction...).

 I agree having a special command is undesirable.
>
> - I don't see a point in using integrated-DNS with external-DNS at
> the same time. To use integrated-DNS you have to get a proper DNS
> delegation from parent domain - and if you can get the delegation
> then there is no point in using external DNS ...

 I disagree on this point, it makes a lot of sense to have some
 zones maintained by IPA and ... some not.

> Advantages:
> - You can use external & integrated DNS at the same time.

 We can achieve the same w/o a new ipa level command.
>>>
>>> This needs to be decided by FreeIPA framework experts ...
>>>
>>> Petr^3 came up with clever 'proxy' idea for IPA-commands. This
>>> proxy would provide all ipa dns* commands and dispatch user-issued
>>> commands to appropriate FreeIPA-plugin (internal-dns or
>>> external-dns). This decision could depend on some values in LDAP.
>>>
> b) Replace dns.py with another implementation of current
> dnszone-* & dnsrecord-* API.
> -
> This seems like a cleaner approach to me. It could be shipped as
> ipa-server-dns-external package (opposed to "standard"
> ipa-server-dns package).
>
> Advantages:
> - It could seamlessly work with FreeIPA client installer because
> the dns*->nsupdate command transformation would be done on
> FreeIPA server and client doesn't need to know about it.
> - Does not require re-training/not much new documentation because
> commands are the same.
>
> Disadvantages:
> - You can't use integrated & external DNS at the same time (but I
> don't think it justifies the added complexity).

 I disagree.

 One of the reasons to use a mix is to allow smooth migrations where
 zones are moved into (or out of) IPA one by one.
>>>
>>> Good point, I agree. I will 

Re: [Freeipa-devel] [PATCH 0289] hosts: Display assigned ID view by default in host-find and show

2014-12-02 Thread Jan Cholasta

Hi,

Dne 2.12.2014 v 15:43 Tomas Babej napsal(a):

Hi,

Makes ipaassignedidview a default attribute and takes care of the
conversion from the DN to the proper ID view name.

https://fedorahosted.org/freeipa/ticket/4774


Since you are converting the value from DN to primary key string, the 
type of the ipassignedview param should be changed to Str, for 
consistency with existing code.


Honza

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH 0074] Make token window sizes configurable

2014-12-02 Thread Nathaniel McCallum
On Mon, 2014-12-01 at 17:46 +0100, thierry bordaz wrote:
> On 11/12/2014 11:37 PM, Nathaniel McCallum wrote:
> 
> > On Mon, 2014-11-10 at 08:28 +0100, Martin Kosek wrote:
> > > On 11/07/2014 04:44 PM, Petr Vobornik wrote:
> > > > On 7.11.2014 08:58, Martin Kosek wrote:
> > > > > On 11/04/2014 05:17 PM, Nathaniel McCallum wrote:
> > > > > > On Wed, 2014-10-29 at 09:34 -0400, Nathaniel McCallum wrote:
> > > > > > > On Wed, 2014-10-29 at 12:21 +0100, Petr Viktorin wrote:
> > > > > > > > On 10/29/2014 10:37 AM, Martin Kosek wrote:
> > > > > > > > > On 10/28/2014 09:59 PM, Nathaniel McCallum wrote:
> > > > > > > > > > On Thu, 2014-10-23 at 18:07 -0400, Nathaniel McCallum wrote:
> > > > > > > > > > > This patch gives the administrator variables to control 
> > > > > > > > > > > the size of
> > > > > > > > > > > the authentication and synchronization windows for OTP 
> > > > > > > > > > > tokens.
> > > > > > > > > > > 
> > > > > > > > > > > https://fedorahosted.org/freeipa/ticket/4511
> > > > > > > > > > > 
> > > > > > > > > > > NOTE: There is one known issue with this patch which I 
> > > > > > > > > > > don't know
> > > > > > > > > > > how to
> > > > > > > > > > > solve. This patch changes the schema in
> > > > > > > > > > > install/share/60ipaconfig.ldif.
> > > > > > > > > > > On an upgrade, all of the new attributeTypes appear 
> > > > > > > > > > > correctly.
> > > > > > > > > > > However,
> > > > > > > > > > > the modifications to the pre-existing objectClass do not 
> > > > > > > > > > > show up
> > > > > > > > > > > on the
> > > > > > > > > > > server. What am I doing wrong?
> > > > > > > > > > > 
> > > > > > > > > > > After modifying ipaGuiConfig manually, everything in this 
> > > > > > > > > > > patch
> > > > > > > > > > > works
> > > > > > > > > > > just fine.
> > > > > > > > > > This new version takes into account the new (proper) OIDs 
> > > > > > > > > > and
> > > > > > > > > > attribute
> > > > > > > > > > names.
> > > > > > > > > Thanks Nathaniel!
> > > > > > > > > 
> > > > > > > > > > The above known issue still remains.
> > > > > > > > > Petr3, any idea what could have gone wrong? ObjectClass MAY 
> > > > > > > > > list
> > > > > > > > > extension
> > > > > > > > > should work just fine, AFAIK.
> > > > > > > > You added a blank line to the LDIF file. This is an entry 
> > > > > > > > separator, so
> > > > > > > > the objectClasses after the blank line don't belong to 
> > > > > > > > cn=schema, so
> > > > > > > > they aren't considered in the update.
> > > > > > > > Without the blank line it works fine.
> > > > > > > Thanks for the catch!
> > > > > > > 
> > > > > > > Here is a version without the blank line.
> > > > > > I forgot to remove the old steps defines. This patch performs this
> > > > > > cleanup.
> > > > > I am now wondering, is the global config object really the best place 
> > > > > to
> > > > > add these OTP specific settings?
> > > > > 
> > > > > I would prefer not to overload the object and instead:
> > > > > - create new ipaOTPConfig objectclass
> > > > > - add it to cn=otp,$SUFFIX
> > > > > - create otpconfig-mod and otpconfig-show commands to follow an 
> > > > > example
> > > > > of dnsconfig-* and trustconfig-* commands
> > > > > 
> > > > > IMO, this would allow more flexibility for the OTP settings and would
> > > > > also scale better for the future updates.
> > > > +1
> > > > 
> > > > I will comment the patch as if ^^ would not exist because it will still 
> > > > be
> > > > needed in the new plugin.
> > > > 
> > > > Because of ^^ I did not test, just read.
> > > > 
> > > > 1. Got:
> > > > install/ui/src/freeipa/serverconfig.js(135): lint warning: extra comma 
> > > > is not
> > > > recommended in array initializers
> > > > 
> > > > Please run:
> > > >   jsl -nofilelisting -nosummary -nologo -conf jsl.conf
> > > > in install/ui directory
> > > > 
> > > > The goal is to have no warnings and errors.
> > > > 
> > > > 2. new attrs should be added to 'System: Read Global Configuration' 
> > > > managed
> > > > permission
> > > +1. Though if we go with OTP config, it should be called
> > > 
> > > System: Read OTP Configuration
> > > 
> > > Martin
> > Attached is a new set of patches that replaces this single patch. This
> > now fixes multiple issues.
> > 
> > I now create two new entries:
> >  * cn=TOTP,cn=Token Config,cn=etc,$SUFFIX
> >  * cn=HOTP,cn=Token Config,cn=etc,$SUFFIX
> > 
> > There are two corresponding CLI commands:
> >  * totpconfig-(show|mod)
> >  * hotpconfig-(show|mod)
> > 
> > There is no UI support for this yet (pointers welcome).
> > 
> > This is designed so that eventually tokens can grow a per-token
> > override, but I have not yet implemented this feature (it should be easy
> > in the future).
> > 
> > Additionally, I had to do some shared refactoring to address issues in
> > ipa-otp-lasttoken, which is why all of these are now merged into a
> > single patch set.
> > 
> > Nathaniel
> > 
> > 
> > ___
> > Freeipa
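The LDIF pitfall Petr Viktorin points out above (a blank line is an entry separator, so definitions after it no longer belong to cn=schema) as an added example. This is not FreeIPA's schema updater; it is a deliberately minimal LDIF splitter that shows what any updater which processes only the cn=schema entry will see. The attributeTypes/objectClasses fragments and their OIDs are constructed placeholders, not real schema.

```python
"""Why a blank line inside the cn=schema LDIF entry drops the objectClass change.

Added example, not FreeIPA code. In LDIF a blank line separates entries, so
everything after it is parsed as a new (here: DN-less) entry and an updater
that only applies the cn=schema entry never sees the objectClasses line.
"""
from typing import Dict, List, Optional


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Split LDIF text into entries on blank lines.

    Minimal parser: handles 'attr: value' lines, '#' comments and line
    continuations (a line starting with one space extends the previous value).
    Base64 values ('::') and change records are not needed for this demo.
    """
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last_attr: Optional[str] = None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.strip() == "":  # entry separator: close the current entry
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr is not None:  # continuation
            current[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip().lower()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def schema_object_classes(text: str) -> List[str]:
    """Return the objectClasses definitions that belong to the cn=schema entry.

    Definitions that the parser put into any other entry are ignored, which is
    exactly why the MAY-list extension 'did not show up' on the server.
    """
    for entry in parse_ldif(text):
        if [dn.lower() for dn in entry.get("dn", [])] == ["cn=schema"]:
            return entry.get("objectclasses", [])
    return []


# Constructed schema fragments; the OIDs are placeholders, not real ones.
GOOD = """\
dn: cn=schema
attributeTypes: ( 1.2.3.4.1 NAME 'ipaExampleAuthWindow' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
objectClasses: ( 1.2.3.4.2 NAME 'ipaExampleConfig' AUXILIARY MAY ( ipaExampleAuthWindow ) )
"""

BAD = """\
dn: cn=schema
attributeTypes: ( 1.2.3.4.1 NAME 'ipaExampleAuthWindow' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

objectClasses: ( 1.2.3.4.2 NAME 'ipaExampleConfig' AUXILIARY MAY ( ipaExampleAuthWindow ) )
"""

if __name__ == "__main__":
    print("objectClasses applied from GOOD:", schema_object_classes(GOOD))
    print("objectClasses applied from BAD: ", schema_object_classes(BAD))
    print("entries parsed from BAD:", len(parse_ldif(BAD)))
```

A lint step that rejects a blank line between `dn: cn=schema` and the last definition would have caught this before the upgrade test did.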

Re: [Freeipa-devel] [PATCH 0289] hosts: Display assigned ID view by default in host-find and show

2014-12-02 Thread Petr Vobornik

On 12/02/2014 04:14 PM, Jan Cholasta wrote:

Hi,

Dne 2.12.2014 v 15:43 Tomas Babej napsal(a):

Hi,

Makes ipaassignedidview a default attribute and takes care about the
conversion from the DN to the proper ID view name.

https://fedorahosted.org/freeipa/ticket/4774


Since you are converting the value from DN to primary key string, the
type of the ipaassignedidview param should be changed to Str, for
consistency with existing code.

Honza



1. the output is no longer a list:
it was changed from:
"ipaassignedidview": [

"cn=foo,cn=views,cn=accounts,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com"
],

to:
"ipaassignedidview": "foo",

2. the value is not normalized in host-mod command
--
Petr Vobornik



Re: [Freeipa-devel] [PATCH 0289] hosts: Display assigned ID view by default in host-find and show

2014-12-02 Thread Tomas Babej

On 12/02/2014 04:14 PM, Jan Cholasta wrote:
> Hi,
>
> Dne 2.12.2014 v 15:43 Tomas Babej napsal(a):
>> Hi,
>>
>> Makes ipaassignedidview a default attribute and takes care about the
>> conversion from the DN to the proper ID view name.
>>
>> https://fedorahosted.org/freeipa/ticket/4774
>
> Since you are converting the value from DN to primary key string, the
> type of the ipaassignedidview param should be changed to Str, for
> consistency with existing code.
>
> Honza
>

I see. Actually during the development, I craved for a simple
output_normalizer option in the Param itself, which would apply the
output normalization function after the post_callback,
instead of having to mangle the entry_attrs in the post callback of each
command (and could potentially apply on the client). Would there be a
not-so-hard way to do this in the framework? My understanding is that
Output classes are quite decoupled from the Params they resulted from,
and at the point we're printing the information via the textui, we're no
longer aware what Param instance it originated from.

Updated patch attached.

-- 
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org 

From c51fb6b2086678cdc931b01bf263d3ca4e814414 Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Tue, 2 Dec 2014 15:40:40 +0100
Subject: [PATCH] hosts: Display assigned ID view by default in host-find and
 show commands

Makes ipaassignedidview a default attribute and takes care about the
conversion from the DN to the proper ID view name.

https://fedorahosted.org/freeipa/ticket/4774
---
 API.txt|  6 +++---
 VERSION|  4 ++--
 ipalib/plugins/host.py | 21 ++---
 3 files changed, 23 insertions(+), 8 deletions(-)

diff --git a/API.txt b/API.txt
index 2a63f1e2349f0df69433fa7cb742e269cd42d79f..dcb655d87f0495b65b8d743ab477d59ad1963b36 100644
--- a/API.txt
+++ b/API.txt
@@ -1793,7 +1793,7 @@ option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui
 option: Str('description', attribute=True, cli_name='desc', multivalue=False, required=False)
 option: Flag('force', autofill=True, default=False)
 option: Str('ip_address?')
-option: DNParam('ipaassignedidview', attribute=True, cli_name='ipaassignedidview', multivalue=False, required=False)
+option: Str('ipaassignedidview', attribute=True, cli_name='ipaassignedidview', multivalue=False, required=False)
 option: Bool('ipakrbokasdelegate', attribute=False, cli_name='ok_as_delegate', multivalue=False, required=False)
 option: Bool('ipakrbrequirespreauth', attribute=False, cli_name='requires_pre_auth', multivalue=False, required=False)
 option: Str('ipasshpubkey', attribute=True, cli_name='sshpubkey', csv=True, multivalue=True, required=False)
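Review bot: changing the option from DNParam to Str in this hunk (the one with the 'force' and 'ip_address?' options, i.e. the add command) removes the DN syntax validation DNParam performed on input, while the attribute stored in LDAP is still a DN (a later reply in this thread shows a value of the form cn=foo,cn=views,cn=accounts,...). The translation from the supplied view name to that DN before the LDAP write has to live in ipalib/plugins/host.py, which the diffstat lists but which is not part of the excerpt here; confirm there that a name which does not resolve to an existing ID view is rejected with a clear error rather than written verbatim.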
@@ -1901,7 +1901,7 @@ option: Str('in_hostgroup*', cli_name='in_hostgroups', csv=True)
 option: Str('in_netgroup*', cli_name='in_netgroups', csv=True)
 option: Str('in_role*', cli_name='in_roles', csv=True)
 option: Str('in_sudorule*', cli_name='in_sudorules', csv=True)
-option: DNParam('ipaassignedidview', attribute=True, autofill=False, cli_name='ipaassignedidview', multivalue=False, query=True, required=False)
+option: Str('ipaassignedidview', attribute=True, autofill=False, cli_name='ipaassignedidview', multivalue=False, query=True, required=False)
 option: Str('l', attribute=True, autofill=False, cli_name='locality', multivalue=False, query=True, required=False)
 option: Str('macaddress', attribute=True, autofill=False, cli_name='macaddress', csv=True, multivalue=True, pattern='^([a-fA-F0-9]{2}[:|\\-]?){5}[a-fA-F0-9]{2}$', query=True, required=False)
 option: Str('man_by_host*', cli_name='man_by_hosts', csv=True)
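Review bot: this is the find option (query=True, autofill=False). With attribute=True the framework feeds the value straight into the LDAP search filter, so searching by view name ('foo') will not match the stored DN unless the find command's pre_callback maps the name to the DN first; check host.py (not shown in this excerpt) for that mapping, and for the reverse DN-to-name conversion in the post_callback, which is what the ticket asks for in host-find.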
@@ -1937,7 +1937,7 @@ option: Str('addattr*', cli_name='addattr', exclude='webui')
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('delattr*', cli_name='delattr', exclude='webui')
 option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, required=False)
-option: DNParam('ipaassignedidview', attribute=True, autofill=False, cli_name='ipaassignedidview', multivalue=False, required=False)
+option: Str('ipaassignedidview', attribute=True, autofill=False, cli_name='ipaassignedidview', multivalue=False, required=False)
 option: Bool('ipakrbokasdelegate', attribute=False, autofill=False, cli_name='ok_as_delegate', multivalue=False, required=False)
 option: Bool('ipakrbrequirespreauth', attribute=False, autofill=False, cli_name='requires_pre_auth', multivalue=False, required=False)
 option: Str('ipasshpubkey', attribute=True, autofill=False, cli_name='sshpubkey', csv=True, multivalue=True, required=False)
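Review bot: this is the mod option (hunk with addattr/delattr), and a later reply in this thread reports that the value is not normalized in host-mod. The Str value should be converted to the view DN in the mod pre_callback before the LDAP modify and back to the name in the post_callback, the same as for show and find; otherwise a modify with a plain name writes a non-DN string into an attribute that holds DNs, and the subsequent show would then fail to convert it.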
diff --git a/VERSION b/VERSION
index bae782a4ec4333f8fdb610465a7b9ea3877c990e..5b426ddf1a3b7f9e6b202fd7d9f6b6025acc0370 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=2010061412
 #  #
 #
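Review bot: only two comment context lines of this hunk survive in the excerpt, so the actual version change cannot be reviewed here; the diffstat (4 ++--) indicates two lines of VERSION changed. Since the patch changes the type of an existing option in three commands, which is incompatible for any client that passed a DN, confirm that the API version bump is the one the project's rules prescribe for an incompatible option change and that the change-description comment next to it was updated.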

Re: [Freeipa-devel] [PATCH 0080] Expose the disabled User Auth Type

2014-12-02 Thread Nathaniel McCallum
On Thu, 2014-11-13 at 12:04 -0500, Nathaniel McCallum wrote:
> Additionally, fix a small bug in ipa-kdb so that the disabled User
> Auth Type is properly handled.
> 
> https://fedorahosted.org/freeipa/ticket/4720

I still need a review of this. Any takers?



Re: [Freeipa-devel] [PATCH 0019] Prefer TCP connections to UDP in krb5 clients

2014-12-02 Thread Nathaniel McCallum
On Thu, 2014-11-06 at 18:00 -0500, Nathaniel McCallum wrote:
> On Fri, 2013-10-04 at 06:12 -0400, Simo Sorce wrote:
> > 
> > - Original Message -
> > > On 3.10.2013 23:43, Nathaniel McCallum wrote:
> > > > Patch attached.
> > > 
> > > I'm curious - what is the purpose of this patch? To prevent 1 second 
> > > timeouts
> > > and re-transmits when OTP is in place?
> > > 
> > > What is the expected performance impact? Could it be configured for OTP
> > > separately - somehow? (I guess that it is not possible now ...)
> > 
> > It benefits also communication of large packets (when large MS-PAC or 
> > CAMMAC AD Data
> > are attached), so it is a better choice for IPA in general. Especially 
> > given we have
> > multiple KDC processes configured we do not want clients wasting KDC 
> > resources by
> > making multiple processes do the same operation.
> 
> So apparently this patch never got reviewed over a year ago.
> 
> It was related to a bug which was opened in SSSD. However, when it
> became clear we wanted to solve this in FreeIPA, the SSSD bug was closed
> but no corresponding FreeIPA bug was opened. The patch then fell through
> the cracks.
> 
> Without this patch, if OTP validation runs long we get retransmits and
> failures.
> 
> One question I have is how to handle this for upgrades since (I think)
> this patch only handles new installs.
> 
> Anyway, this patch is somewhat urgent now. So help is appreciated.
> 
> I have attached a rebased version which has no other changes.

I still need a review on this. Any takers?

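The open question in this thread is how to apply the TCP preference to already installed clients, not only to new installs. The following is an added example of an idempotent upgrade edit; it is not the FreeIPA patch (which is not shown here) and does not claim to be how ipa-client-install or the IPA upgrader does it. It assumes the knob used is the standard MIT krb5 setting `udp_preference_limit` in `[libdefaults]`, where 0 makes the client try TCP first for every request; the sample krb5.conf text is constructed.

```python
"""Make an existing krb5.conf prefer TCP, idempotently.

Added example, not FreeIPA code. Assumes MIT krb5's `udp_preference_limit`
(0 = try TCP first). Upgrade steps can run more than once, so the edit must
be a no-op on its own output.
"""
import re
from typing import List, Optional

KEY = "udp_preference_limit"
VALUE = "0"
_SECTION = re.compile(r"^\[(.+)\]$")
_SETTING = re.compile(rf"^(\s*){KEY}\s*=\s*(\S+)")


def _append_before_trailing_blanks(out: List[str], text: str) -> None:
    """Insert `text` before the blank lines that end the current section."""
    blanks: List[str] = []
    while out and not out[-1].strip():
        blanks.append(out.pop())
    out.append(text)
    out.extend(blanks)


def prefer_tcp(conf: str) -> str:
    """Return `conf` with `udp_preference_limit = 0` set in [libdefaults].

    - setting present with another value: rewritten in place
    - setting already 0: text comes back unchanged
    - setting absent: appended to the end of the [libdefaults] section
    - no [libdefaults] section at all: the section is appended to the file
    """
    out: List[str] = []
    in_libdefaults = False
    done = False
    for line in conf.splitlines():
        header = _SECTION.match(line.strip())
        if header:
            # Leaving [libdefaults] without having seen the key: add it now.
            if in_libdefaults and not done:
                _append_before_trailing_blanks(out, f"  {KEY} = {VALUE}")
                done = True
            in_libdefaults = header.group(1).strip().lower() == "libdefaults"
            out.append(line)
            continue
        if in_libdefaults and not done:
            m = _SETTING.match(line)
            if m:  # keep the file's own indentation, replace the value
                out.append(f"{m.group(1)}{KEY} = {VALUE}")
                done = True
                continue
        out.append(line)
    if in_libdefaults and not done:  # [libdefaults] was the last section
        _append_before_trailing_blanks(out, f"  {KEY} = {VALUE}")
        done = True
    if not done:  # no [libdefaults] anywhere
        if out and out[-1].strip():
            out.append("")
        out.extend(["[libdefaults]", f"  {KEY} = {VALUE}"])
    return "\n".join(out) + "\n"


def udp_limit(conf: str) -> Optional[str]:
    """Read back the udp_preference_limit value from [libdefaults], if any."""
    in_libdefaults = False
    for line in conf.splitlines():
        header = _SECTION.match(line.strip())
        if header:
            in_libdefaults = header.group(1).strip().lower() == "libdefaults"
            continue
        if in_libdefaults:
            m = _SETTING.match(line)
            if m:
                return m.group(2)
    return None


# Constructed sample of a client krb5.conf with no TCP preference yet.
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = EXAMPLE.TEST
  dns_lookup_kdc = true

[realms]
  EXAMPLE.TEST = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }
"""

if __name__ == "__main__":
    print(prefer_tcp(SAMPLE_KRB5_CONF))
```

Reading the value back with `udp_limit` after the edit is the check an upgrade script should perform before declaring success, and it is also what a client-side audit of the OTP timeout problem described above would look for.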


Re: [Freeipa-devel] [PATCH 0074] Make token window sizes configurable

2014-12-02 Thread Martin Kosek
On 12/02/2014 04:56 PM, Nathaniel McCallum wrote:
> On Tue, 2014-12-02 at 14:05 +0100, thierry bordaz wrote:
>> On 11/12/2014 11:37 PM, Nathaniel McCallum wrote:
>>
>>> On Mon, 2014-11-10 at 08:28 +0100, Martin Kosek wrote:
 On 11/07/2014 04:44 PM, Petr Vobornik wrote:
> On 7.11.2014 08:58, Martin Kosek wrote:
>> On 11/04/2014 05:17 PM, Nathaniel McCallum wrote:
>>> On Wed, 2014-10-29 at 09:34 -0400, Nathaniel McCallum wrote:
 On Wed, 2014-10-29 at 12:21 +0100, Petr Viktorin wrote:
> On 10/29/2014 10:37 AM, Martin Kosek wrote:
>> On 10/28/2014 09:59 PM, Nathaniel McCallum wrote:
>>> On Thu, 2014-10-23 at 18:07 -0400, Nathaniel McCallum wrote:
 This patch gives the administrator variables to control the size of
 the authentication and synchronization windows for OTP tokens.

 https://fedorahosted.org/freeipa/ticket/4511

 NOTE: There is one known issue with this patch which I don't know
 how to
 solve. This patch changes the schema in
 install/share/60ipaconfig.ldif.
 On an upgrade, all of the new attributeTypes appear correctly.
 However,
 the modifications to the pre-existing objectClass do not show up
 on the
 server. What am I doing wrong?

 After modifying ipaGuiConfig manually, everything in this patch
 works
 just fine.
>>> This new version takes into account the new (proper) OIDs and
>>> attribute
>>> names.
>> Thanks Nathaniel!
>>
>>> The above known issue still remains.
>> Petr3, any idea what could have gone wrong? ObjectClass MAY list
>> extension
>> should work just fine, AFAIK.
> You added a blank line to the LDIF file. This is an entry separator, 
> so
> the objectClasses after the blank line don't belong to cn=schema, so
> they aren't considered in the update.
> Without the blank line it works fine.
 Thanks for the catch!

 Here is a version without the blank line.
>>> I forgot to remove the old steps defines. This patch performs this
>>> cleanup.
>> I am now wondering, is the global config object really the best place to
>> add these OTP specific settings?
>>
>> I would prefer not to overload the object and instead:
>> - create new ipaOTPConfig objectclass
>> - add it to cn=otp,$SUFFIX
>> - create otpconfig-mod and otpconfig-show commands to follow an example
>> of dnsconfig-* and trustconfig-* commands
>>
>> IMO, this would allow more flexibility for the OTP settings and would
>> also scale better for the future updates.
> +1
>
> I will comment the patch as if ^^ would not exist because it will still be
> needed in the new plugin.
>
> Because of ^^ I did not test, just read.
>
> 1. Got:
> install/ui/src/freeipa/serverconfig.js(135): lint warning: extra comma is 
> not
> recommended in array initializers
>
> Please run:
>   jsl -nofilelisting -nosummary -nologo -conf jsl.conf
> in install/ui directory
>
> The goal is to have no warnings and errors.
>
> 2. new attrs should be added to 'System: Read Global Configuration' 
> managed
> permission
 +1. Though if we go with OTP config, it should be called

 System: Read OTP Configuration

 Martin
>>> Attached is a new set of patches that replaces this single patch. This
>>> now fixes multiple issues.
>>>
>>> I now create two new entries:
>>>  * cn=TOTP,cn=Token Config,cn=etc,$SUFFIX
>>>  * cn=HOTP,cn=Token Config,cn=etc,$SUFFIX
>>>
>>> There are two corresponding CLI commands:
>>>  * totpconfig-(show|mod)
>>>  * hotpconfig-(show|mod)
>>>
>>> There is no UI support for this yet (pointers welcome).
>>>
>>> This is designed so that eventually tokens can grow a per-token
>>> override, but I have not yet implemented this feature (it should be easy
>>> in the future).
>>>
>>> Additionally, I had to do some shared refactoring to address issues in
>>> ipa-otp-lasttoken, which is why all of these are now merged into a
>>> single patch set.
>>>
>>> Nathaniel
>>>
>>>
>>> ___
>>> Freeipa-devel mailing list
>>> Freeipa-devel@redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>
>> Hello Nathaniel,
>>
>> Very few comments.
> 
> Just as a reminder, patch 0001 is already ACKed.
> 
>> On patch 0002:
>> 
>> Is it possible that we later define a spec with 'dflt'
>> contains OTP_CONFIG_AUTH_TYPE_DISABLED ? If yes it needs to be
>> 32bits.
> 
> Fixed. It was just a typo.
> 
>> When otp_config_fini is it called ?
> 
> Sadly, never. I admit that I am cargo-culting the lack of calling
> otp_config_fini(). Sur

Re: [Freeipa-devel] FreeIPA integration with external DNS services

2014-12-02 Thread Simo Sorce
On Tue, 02 Dec 2014 15:56:28 +0100
Petr Spacek  wrote:

> On 1.12.2014 17:12, Simo Sorce wrote:
> > On Mon, 01 Dec 2014 16:17:54 +0100
> > Petr Spacek  wrote:
> > 
> >> On 14.11.2014 17:31, Petr Spacek wrote:
> >>> On 14.11.2014 02:22, Simo Sorce wrote:
>  On Tue, 11 Nov 2014 16:29:51 +0100
>  Petr Spacek  wrote:
> 
> > Hello,
> >
> > this thread is about RFE
> > "IPA servers when installed should register themselves in the
> > external DNS" https://fedorahosted.org/freeipa/ticket/4424
> >
> > It is not a complete design, just a raw idea.
> >
> >
> > Use case
> > 
> > FreeIPA installation to a network with existing DNS
> > infrastructure + network administrator who is not willing to
> > add/maintain new DNS servers "just for FreeIPA".
> >
> >
> > High-level idea
> > ===
> > - Transform dns* commands from FreeIPA framework to equivalent
> > "nsupdate" commands and send DNS updates to existing DNS
> > servers.
> > - Provide necessary encryption/signing keys to nsupdate.
> >
> >
> > 1) Integration to FreeIPA framework
> > ===
> > First of all, we need to decide if "external DNS integration"
> > can be used at the same time with FreeIPA-integrated DNS or not.
> > Side-question is what to do if a first server is installed with
> > external-DNS but another replica is being installed with
> > integrated-DNS and so on.
> 
>  I think being able to integrate with an external DNS is
>  important, and not just at the server level, being able to
>  distribute TSIG keys to client would be nice too, though a lot
>  less important, than getting server integration..
> >>>
> >>> Using TSIG on many clients is very problematic. Keep in mind that
> >>> TSIG is basically HMAC computed using symmetric key so:
> >>> a) Every client would have to use the same key - this is a
> >>> security nightmare. b) We would have to distribute and maintain
> >>> many keys for many^2 clients, which is an administrative
> >>> nightmare.
> >>>
> >>> For *clients* I would rather stay with GSS-TSIG which is much more
> >>> manageable because we can use Kerberos trust and Keytab
> >>> distribution is already solved by ipa-client-install.
> >>>
> >>> Alternative for clients would be to use FreeIPA server as proxy
> >>> which encapsulates TSIG keys and issues update requests on behalf
> >>> of clients. This would be FreeIPA-specific but any
> >>> TSIG-distribution mechanism will be FreeIPA-specific anyway.
> >>>
> >>> TSIG standard explicitly says that there is no standardized
> >>> distribution mechanism.
> >>>
> > In other words, the question is if current "dns.py" plugin
> > shipped with FreeIPA framework should be:
> >
> > a) Extended dns.py with dnsexternal-* commands
> > --
> > Disadvantages:
> > - It complicate FreeIPA DNS interface which is a complex beast
> > even now.
> > - We would have add condition to every DNS API call in
> > installers which would increase horribleness of the installer
> > code even more (or add another layer of abstraction...).
> 
>  I agree having a special command is undesirable.
> >
> > - I don't see a point in using integrated-DNS with external-DNS
> > at the same time. To use integrated-DNS you have to get a
> > proper DNS delegation from parent domain - and if you can get
> > the delegation then there is no point in using external DNS ...
> 
>  I disagree on this point, it makes a lot of sense to have some
>  zones maintained by IPA and ... some not.
> 
> > Advantages:
> > - You can use external & integrated DNS at the same time.
> 
>  We can achieve the same w/o a new ipa level command.
> >>>
> >>> This needs to be decided by FreeIPA framework experts ...
> >>>
> >>> Petr^3 came up with clever 'proxy' idea for IPA-commands. This
> >>> proxy would provide all ipa dns* commands and dispatch user-issued
> >>> commands to appropriate FreeIPA-plugin (internal-dns or
> >>> external-dns). This decision could depend on some values in LDAP.
> >>>
> > b) Replace dns.py with another implementation of current
> > dnszone-* & dnsrecord-* API.
> > -
> > This seems like a cleaner approach to me. It could be shipped as
> > ipa-server-dns-external package (opposed to "standard"
> > ipa-server-dns package).
> >
> > Advantages:
> > - It could seamlessly work with FreeIPA client installer because
> > the dns*->nsupdate command transformation would be done on
> > FreeIPA server and client doesn't need to know about it.
> > - Does not require re-training/not much new documentation
> > because commands are the same.
> >
> > Disadvantages:
> > - You can't u

Re: [Freeipa-devel] [PATCH 0289] hosts: Display assigned ID view by default in host-find and show

2014-12-02 Thread Jan Cholasta

Dne 2.12.2014 v 17:01 Tomas Babej napsal(a):


On 12/02/2014 04:14 PM, Jan Cholasta wrote:

Hi,

Dne 2.12.2014 v 15:43 Tomas Babej napsal(a):

Hi,

Makes ipaassignedidview a default attribute and takes care about the
conversion from the DN to the proper ID view name.

https://fedorahosted.org/freeipa/ticket/4774


Since you are converting the value from DN to primary key string, the
type of the ipaassignedidview param should be changed to Str, for
consistency with existing code.

Honza



I see. Actually during the development, I craved for a simple
output_normalizer option in the Param itself, which would apply the
output normalization function after the post_callback,
instead of having to mangle the entry_attrs in the post callback of each
command (and could potentially apply on the client). Would there be a
not-so-hard way to do this in the framework? My understanding is that
Output classes are quite decoupled from the Params they resulted from,
and at the point we're printing the information via the textui, we're no
longer aware what Param instance it originated from.


This wouldn't solve the real problem in this case, which is that we do 
not support one-to-many relationships between objects in the framework 
(and our support for many-to-many relationships is clunky). I plan to 
fix this with .




Updated patch attached.




--
Jan Cholasta



Re: [Freeipa-devel] [PATCH 0074] Make token window sizes configurable

2014-12-02 Thread Nathaniel McCallum
On Tue, 2014-12-02 at 17:12 +0100, Martin Kosek wrote:
> On 12/02/2014 04:56 PM, Nathaniel McCallum wrote:
> > On Tue, 2014-12-02 at 14:05 +0100, thierry bordaz wrote:
> >> On 11/12/2014 11:37 PM, Nathaniel McCallum wrote:
> >>
> >>> On Mon, 2014-11-10 at 08:28 +0100, Martin Kosek wrote:
>  On 11/07/2014 04:44 PM, Petr Vobornik wrote:
> > On 7.11.2014 08:58, Martin Kosek wrote:
> >> On 11/04/2014 05:17 PM, Nathaniel McCallum wrote:
> >>> On Wed, 2014-10-29 at 09:34 -0400, Nathaniel McCallum wrote:
>  On Wed, 2014-10-29 at 12:21 +0100, Petr Viktorin wrote:
> > On 10/29/2014 10:37 AM, Martin Kosek wrote:
> >> On 10/28/2014 09:59 PM, Nathaniel McCallum wrote:
> >>> On Thu, 2014-10-23 at 18:07 -0400, Nathaniel McCallum wrote:
>  This patch gives the administrator variables to control the size 
>  of
>  the authentication and synchronization windows for OTP tokens.
> 
>  https://fedorahosted.org/freeipa/ticket/4511
> 
>  NOTE: There is one known issue with this patch which I don't know
>  how to
>  solve. This patch changes the schema in
>  install/share/60ipaconfig.ldif.
>  On an upgrade, all of the new attributeTypes appear correctly.
>  However,
>  the modifications to the pre-existing objectClass do not show up
>  on the
>  server. What am I doing wrong?
> 
>  After modifying ipaGuiConfig manually, everything in this patch
>  works
>  just fine.
> >>> This new version takes into account the new (proper) OIDs and
> >>> attribute
> >>> names.
> >> Thanks Nathaniel!
> >>
> >>> The above known issue still remains.
> >> Petr3, any idea what could have gone wrong? ObjectClass MAY list
> >> extension
> >> should work just fine, AFAIK.
> > You added a blank line to the LDIF file. This is an entry 
> > separator, so
> > the objectClasses after the blank line don't belong to cn=schema, so
> > they aren't considered in the update.
> > Without the blank line it works fine.
>  Thanks for the catch!
> 
>  Here is a version without the blank line.
> >>> I forgot to remove the old steps defines. This patch performs this
> >>> cleanup.
> >> I am now wondering, is the global config object really the best place 
> >> to
> >> add these OTP specific settings?
> >>
> >> I would prefer not to overload the object and instead:
> >> - create new ipaOTPConfig objectclass
> >> - add it to cn=otp,$SUFFIX
> >> - create otpconfig-mod and otpconfig-show commands to follow an example
> >> of dnsconfig-* and trustconfig-* commands
> >>
> >> IMO, this would allow more flexibility for the OTP settings and would
> >> also scale better for the future updates.
> > +1
> >
> > I will comment the patch as if ^^ would not exist because it will still 
> > be
> > needed in the new plugin.
> >
> > Because of ^^ I did not test, just read.
> >
> > 1. Got:
> > install/ui/src/freeipa/serverconfig.js(135): lint warning: extra comma 
> > is not
> > recommended in array initializers
> >
> > Please run:
> >   jsl -nofilelisting -nosummary -nologo -conf jsl.conf
> > in install/ui directory
> >
> > The goal is to have no warnings and errors.
> >
> > 2. new attrs should be added to 'System: Read Global Configuration' 
> > managed
> > permission
>  +1. Though if we go with OTP config, it should be called
> 
>  System: Read OTP Configuration
> 
>  Martin
> >>> Attached is a new set of patches that replaces this single patch. This
> >>> now fixes multiple issues.
> >>>
> >>> I now create two new entries:
> >>>  * cn=TOTP,cn=Token Config,cn=etc,$SUFFIX
> >>>  * cn=HOTP,cn=Token Config,cn=etc,$SUFFIX
> >>>
> >>> There are two corresponding CLI commands:
> >>>  * totpconfig-(show|mod)
> >>>  * hotpconfig-(show|mod)
> >>>
> >>> There is no UI support for this yet (pointers welcome).
> >>>
> >>> This is designed so that eventually tokens can grow a per-token
> >>> override, but I have not yet implemented this feature (it should be easy
> >>> in the future).
> >>>
> >>> Additionally, I had to do some shared refactoring to address issues in
> >>> ipa-otp-lasttoken, which is why all of these are now merged into a
> >>> single patch set.
> >>>
> >>> Nathaniel
> >>>
> >>>
> >>> ___
> >>> Freeipa-devel mailing list
> >>> Freeipa-devel@redhat.com
> >>> https://www.redhat.com/mailman/listinfo/freeipa-devel
> >>
> >> Hello Nathaniel,
> >>
> >> Very few comments.
> > 
> > Just as a reminder, patch 0001 is already ACKed.
> > 
> >> On patch 0002:
> >>

Re: [Freeipa-devel] [PATCH 0019] Prefer TCP connections to UDP in krb5 clients

2014-12-02 Thread Simo Sorce
On Tue, 02 Dec 2014 11:12:11 -0500
Nathaniel McCallum  wrote:

> On Thu, 2014-11-06 at 18:00 -0500, Nathaniel McCallum wrote:
> > On Fri, 2013-10-04 at 06:12 -0400, Simo Sorce wrote:
> > > 
> > > - Original Message -
> > > > On 3.10.2013 23:43, Nathaniel McCallum wrote:
> > > > > Patch attached.
> > > > 
> > > > I'm curious - what is the purpose of this patch? To prevent 1
> > > > second timeouts and re-transmits when OTP is in place?
> > > > 
> > > > What is the expected performance impact? Could it be configured
> > > > for OTP separately - somehow? (I guess that it is not possible
> > > > now ...)
> > > 
> > > It benefits also communication of large packets (when large
> > > MS-PAC or CAMMAC AD Data are attached), so it is a better choice
> > > for IPA in general. Especially given we have multiple KDC
> > > processes configured we do not want clients wasting KDC resources
> > > by making multiple processes do the same operation.
> > 
> > So apparently this patch never got reviewed over a year ago.
> > 
> > It was related to a bug which was opened in SSSD. However, when it
> > became clear we wanted to solve this in FreeIPA, the SSSD bug was
> > closed but no corresponding FreeIPA bug was opened. The patch then
> > fell through the cracks.
> > 
> > Without this patch, if OTP validation runs long we get retransmits
> > and failures.
> > 
> > One question I have is how to handle this for upgrades since (I
> > think) this patch only handles new installs.
> > 
> > Anyway, this patch is somewhat urgent now. So help is appreciated.
> > 
> > I have attached a rebased version which has no other changes.
> 
> I still need a review on this. Any takers?

The patch looks good to me

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



[Freeipa-devel] [PATCH 4] Removing the dependency on subscription-manager

2014-12-02 Thread Jan Pazdziora

Hello,

Martin suggests dependency on subscription-manager is no longer needed.

-- 
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
From 4243c4016d5e9844e555f134ce091cf85c01fcb2 Mon Sep 17 00:00:00 2001
From: Jan Pazdziora 
Date: Tue, 2 Dec 2014 17:33:43 +0100
Subject: [PATCH] Removing the dependency on subscription-manager.

https://fedorahosted.org/freeipa/ticket/4783
---
 freeipa.spec.in | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 
9b12c20899e729cedacdee470f8f2b13250af4e0..11af2d6626cfcba60ef3e4a63edc262e6d1ca10b
 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -133,9 +133,6 @@ Requires(post): selinux-policy-base
 Requires: slapi-nis >= 0.54.1-1
 Requires: pki-ca >= 10.2.1-0.1
 Requires: pki-kra >= 10.2.1-0.1
-%if 0%{?rhel}
-Requires: subscription-manager
-%endif
 Requires(preun): python systemd-units
 Requires(postun): python systemd-units
 Requires: python-dns >= 1.11.1
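Review bot: the hunk drops the RHEL-only `Requires: subscription-manager` block, but the commit message only says that Martin suggests it is no longer needed and gives no reason; the message should record why the package-level dependency existed and what made it unnecessary. Before merging, confirm that no installer or client code path still invokes subscription-manager, since removing the spec requirement would otherwise turn a packaging guarantee into a runtime failure on RHEL hosts where the package is absent.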
-- 
1.9.3


Re: [Freeipa-devel] [PATCH 0074] Make token window sizes configurable

2014-12-02 Thread thierry bordaz

On 12/02/2014 05:24 PM, Nathaniel McCallum wrote:

On Tue, 2014-12-02 at 17:12 +0100, Martin Kosek wrote:

On 12/02/2014 04:56 PM, Nathaniel McCallum wrote:

On Tue, 2014-12-02 at 14:05 +0100, thierry bordaz wrote:

On 11/12/2014 11:37 PM, Nathaniel McCallum wrote:


On Mon, 2014-11-10 at 08:28 +0100, Martin Kosek wrote:

On 11/07/2014 04:44 PM, Petr Vobornik wrote:

On 7.11.2014 08:58, Martin Kosek wrote:

On 11/04/2014 05:17 PM, Nathaniel McCallum wrote:

On Wed, 2014-10-29 at 09:34 -0400, Nathaniel McCallum wrote:

On Wed, 2014-10-29 at 12:21 +0100, Petr Viktorin wrote:

On 10/29/2014 10:37 AM, Martin Kosek wrote:

On 10/28/2014 09:59 PM, Nathaniel McCallum wrote:

On Thu, 2014-10-23 at 18:07 -0400, Nathaniel McCallum wrote:

This patch gives the administrator variables to control the size of
the authentication and synchronization windows for OTP tokens.

https://fedorahosted.org/freeipa/ticket/4511

NOTE: There is one known issue with this patch which I don't know
how to
solve. This patch changes the schema in
install/share/60ipaconfig.ldif.
On an upgrade, all of the new attributeTypes appear correctly.
However,
the modifications to the pre-existing objectClass do not show up
on the
server. What am I doing wrong?

After modifying ipaGuiConfig manually, everything in this patch
works
just fine.

This new version takes into account the new (proper) OIDs and
attribute
names.

Thanks Nathaniel!


The above known issue still remains.

Petr3, any idea what could have gone wrong? ObjectClass MAY list
extension
should work just fine, AFAIK.

You added a blank line to the LDIF file. This is an entry separator, so
the objectClasses after the blank line don't belong to cn=schema, so
they aren't considered in the update.
Without the blank line it works fine.

Thanks for the catch!

Here is a version without the blank line.

I forgot to remove the old steps defines. This patch performs this
cleanup.

I am now wondering, is the global config object really the best place to
add these OTP specific settings?

I would prefer not to overload the object and instead:
- create new ipaOTPConfig objectclass
- add it to cn=otp,$SUFFIX
- create otpconfig-mod and otpconfig-show commands to follow an example
of dnsconfig-* and trustconfig-* commands

IMO, this would allow more flexibility for the OTP settings and would
also scale better for the future updates.

+1

I will comment on the patch as if ^^ did not exist because it will still be
needed in the new plugin.

Because of ^^ I did not test, just read.

1. Got:
install/ui/src/freeipa/serverconfig.js(135): lint warning: extra comma is not
recommended in array initializers

Please run:
   jsl -nofilelisting -nosummary -nologo -conf jsl.conf
in install/ui directory

The goal is to have no warnings and errors.

2. new attrs should be added to 'System: Read Global Configuration' managed
permission

+1. Though if we go with OTP config, it should be called

System: Read OTP Configuration

Martin

Attached is a new set of patches that replaces this single patch. This
now fixes multiple issues.

I now create two new entries:
  * cn=TOTP,cn=Token Config,cn=etc,$SUFFIX
  * cn=HOTP,cn=Token Config,cn=etc,$SUFFIX

There are two corresponding CLI commands:
  * totpconfig-(show|mod)
  * hotpconfig-(show|mod)

There is no UI support for this yet (pointers welcome).

This is designed so that eventually tokens can grow a per-token
override, but I have not yet implemented this feature (it should be easy
in the future).

Additionally, I had to do some shared refactoring to address issues in
ipa-otp-lasttoken, which is why all of these are now merged into a
single patch set.

Nathaniel



Hello Nathaniel,

 Very few comments.

Just as a reminder, patch 0001 is already ACKed.


 On patch 0002:
 
 Is it possible that we later define a spec whose 'dflt'
 contains OTP_CONFIG_AUTH_TYPE_DISABLED? If yes, it needs to be
 32 bits.

Fixed. It was just a typo.


 When is otp_config_fini called?

Sadly, never. I admit that I am cargo-culting the lack of calling
otp_config_fini(). Surely there must be a way to sanely tear this down
when 389 shuts down?


 On patch 0003:
 
 In ipa-otp-lasttoken:58 you may use SLAPI_ATTR_OBJECTCLASS
 (slapi-plugin.h).

Fixed.


 In ipa-otp-lasttoken:preop_mod, the test is_allowed is done
 on the original entry (SLAPI_ENTRY_PRE_OP). That is the entry
 untouched by other BE_PREOP/TXN_BE_PREOP plugins. Is that the
 entry you want to check?

Yes, the code is correct as written. We check to see if a change to the
existing state would cause bad behavior. Then, if any such change is
attempted (ipa_otp_lasttoken.c:205) we reject it. In the future we might
improve this to be more granular regarding the values 
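
The authentication and synchronization windows this thread makes configurable, shown as an added example that is not part of the original posts or of FreeIPA's ipa-otp plugin: HOTP (RFC 4226) and TOTP (RFC 6238) verification where the authentication window bounds how far from the expected counter or time step a single code is accepted, the synchronization window is the much larger search used only when the user presents two consecutive codes, and the step of the last accepted code is kept so a captured TOTP value cannot be replayed inside the window. Window sizes are plain function arguments here; the attribute names the patch uses for them are not shown on the page, and the key in the test is the public RFC test vector.

```python
"""HOTP/TOTP verification with separate authentication and
synchronization windows, plus last-used-step replay protection.

Added example for this thread; it is not FreeIPA's ipa-otp plugin code.
Window sizes are plain arguments here; the names the patch gives the
configuration attributes are not shown on the page."""
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, now: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter floor(now / step)."""
    return hotp(key, now // step, digits, algo)


def verify_totp(key: bytes, code: str, now: int, last_step: int,
                step: int = 30, digits: int = 6, auth_window: int = 1):
    """Authentication window: accept `code` if it matches any time step
    within +/- auth_window of the current one.  A step that is not later
    than `last_step` (the step of the last accepted code) is refused, so
    a captured code cannot be replayed inside the window.  Returns the
    accepted step (the caller stores it as the new last_step) or None."""
    current = now // step
    for candidate in range(current - auth_window, current + auth_window + 1):
        if candidate <= last_step:
            continue
        if hmac.compare_digest(hotp(key, candidate, digits), code):
            return candidate
    return None


def verify_hotp(key: bytes, code: str, counter: int,
                auth_window: int = 2, digits: int = 6):
    """Authentication window for event tokens: look ahead up to
    auth_window counters past the stored one (the user may have pressed
    the button without logging in).  Returns the next counter to store,
    or None."""
    for c in range(counter, counter + auth_window + 1):
        if hmac.compare_digest(hotp(key, c, digits), code):
            return c + 1
    return None


def sync_hotp(key: bytes, first: str, second: str, counter: int,
              sync_window: int = 100, digits: int = 6):
    """Synchronization window: a drifted event token is resynchronised
    only when the user presents two consecutive codes, which lets the
    search span a much larger window than a normal authentication
    without lowering the bar for a single guessed code.  Returns the
    next counter to store, or None."""
    for c in range(counter, counter + sync_window + 1):
        if (hmac.compare_digest(hotp(key, c, digits), first)
                and hmac.compare_digest(hotp(key, c + 1, digits), second)):
            return c + 2
    return None


if __name__ == "__main__":
    key = b"12345678901234567890"  # RFC 4226 / RFC 6238 SHA-1 test secret
    print(totp(key, 59, digits=8), verify_hotp(key, hotp(key, 2), 0))
```

The two windows are deliberately separate knobs: widening the authentication window makes every login accept more candidate codes (a small but real reduction in the work an online guesser has to do), while widening the synchronization window only affects the two-code resync path, where a guess has to hit two consecutive values.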

Re: [Freeipa-devel] [PATCH 0019] Prefer TCP connections to UDP in krb5 clients

2014-12-02 Thread Martin Kosek
On 12/02/2014 05:36 PM, Simo Sorce wrote:
> On Tue, 02 Dec 2014 11:12:11 -0500
> Nathaniel McCallum  wrote:
> 
>> On Thu, 2014-11-06 at 18:00 -0500, Nathaniel McCallum wrote:
>>> On Fri, 2013-10-04 at 06:12 -0400, Simo Sorce wrote:

 - Original Message -
> On 3.10.2013 23:43, Nathaniel McCallum wrote:
>> Patch attached.
>
> I'm curious - what is the purpose of this patch? To prevent 1
> second timeouts and re-transmits when OTP is in place?
>
> What is the expected performance impact? Could it be configured
> for OTP separately - somehow? (I guess that it is not possible
> now ...)

 It also benefits communication of large packets (when large
 MS-PAC or CAMMAC AD Data are attached), so it is a better choice
 for IPA in general. Especially given we have multiple KDC
 processes configured we do not want clients wasting KDC resources
 by making multiple processes do the same operation.
>>>
>>> So apparently this patch never got reviewed over a year ago.
>>>
>>> It was related to a bug which was opened in SSSD. However, when it
>>> became clear we wanted to solve this in FreeIPA, the SSSD bug was
>>> closed but no corresponding FreeIPA bug was opened. The patch then
>>> fell through the cracks.
>>>
>>> Without this patch, if OTP validation runs long we get retransmits
>>> and failures.
>>>
>>> One question I have is how to handle this for upgrades since (I
>>> think) this patch only handles new installs.
>>>
>>> Anyway, this patch is somewhat urgent now. So help is appreciated.
>>>
>>> I have attached a rebased version which has no other changes.
>>
>> I still need a review on this. Any takers?
> 
> The patch looks good to me
> 
> Simo.

This fixes new installations. Can you please refresh my memory on what the
decision regarding the upgrades was?



Re: [Freeipa-devel] [PATCH 0019] Prefer TCP connections to UDP in krb5 clients

2014-12-02 Thread Nathaniel McCallum
On Tue, 2014-12-02 at 17:48 +0100, Martin Kosek wrote:
> On 12/02/2014 05:36 PM, Simo Sorce wrote:
> > On Tue, 02 Dec 2014 11:12:11 -0500
> > Nathaniel McCallum  wrote:
> > 
> >> On Thu, 2014-11-06 at 18:00 -0500, Nathaniel McCallum wrote:
> >>> On Fri, 2013-10-04 at 06:12 -0400, Simo Sorce wrote:
> 
>  - Original Message -
> > On 3.10.2013 23:43, Nathaniel McCallum wrote:
> >> Patch attached.
> >
> > I'm curious - what is the purpose of this patch? To prevent 1
> > second timeouts and re-transmits when OTP is in place?
> >
> > What is the expected performance impact? Could it be configured
> > for OTP separately - somehow? (I guess that it is not possible
> > now ...)
> 
>  It also benefits communication of large packets (when large
>  MS-PAC or CAMMAC AD Data are attached), so it is a better choice
>  for IPA in general. Especially given we have multiple KDC
>  processes configured we do not want clients wasting KDC resources
>  by making multiple processes do the same operation.
> >>>
> >>> So apparently this patch never got reviewed over a year ago.
> >>>
> >>> It was related to a bug which was opened in SSSD. However, when it
> >>> became clear we wanted to solve this in FreeIPA, the SSSD bug was
> >>> closed but no corresponding FreeIPA bug was opened. The patch then
> >>> fell through the cracks.
> >>>
> >>> Without this patch, if OTP validation runs long we get retransmits
> >>> and failures.
> >>>
> >>> One question I have is how to handle this for upgrades since (I
> >>> think) this patch only handles new installs.
> >>>
> >>> Anyway, this patch is somewhat urgent now. So help is appreciated.
> >>>
> >>> I have attached a rebased version which has no other changes.
> >>
> >> I still need a review on this. Any takers?
> > 
> > The patch looks good to me
> > 
> > Simo.
> 
> This fixes new installations. Can you please refresh my memory on what the
> decision regarding the upgrades was?

The need to fix upgrades will be documented. In the future, we will
get /etc/krb.conf.d and we will ship a file there.

Nathaniel



Re: [Freeipa-devel] [PATCH 0019] Prefer TCP connections to UDP in krb5 clients

2014-12-02 Thread Martin Kosek
On 12/02/2014 05:49 PM, Nathaniel McCallum wrote:
> On Tue, 2014-12-02 at 17:48 +0100, Martin Kosek wrote:
>> On 12/02/2014 05:36 PM, Simo Sorce wrote:
>>> On Tue, 02 Dec 2014 11:12:11 -0500
>>> Nathaniel McCallum  wrote:
>>>
 On Thu, 2014-11-06 at 18:00 -0500, Nathaniel McCallum wrote:
> On Fri, 2013-10-04 at 06:12 -0400, Simo Sorce wrote:
>>
>> - Original Message -
>>> On 3.10.2013 23:43, Nathaniel McCallum wrote:
 Patch attached.
>>>
>>> I'm curious - what is the purpose of this patch? To prevent 1
>>> second timeouts and re-transmits when OTP is in place?
>>>
>>> What is the expected performance impact? Could it be configured
>>> for OTP separately - somehow? (I guess that it is not possible
>>> now ...)
>>
>> It also benefits communication of large packets (when large
>> MS-PAC or CAMMAC AD Data are attached), so it is a better choice
>> for IPA in general. Especially given we have multiple KDC
>> processes configured we do not want clients wasting KDC resources
>> by making multiple processes do the same operation.
>
> So apparently this patch never got reviewed over a year ago.
>
> It was related to a bug which was opened in SSSD. However, when it
> became clear we wanted to solve this in FreeIPA, the SSSD bug was
> closed but no corresponding FreeIPA bug was opened. The patch then
> fell through the cracks.
>
> Without this patch, if OTP validation runs long we get retransmits
> and failures.
>
> One question I have is how to handle this for upgrades since (I
> think) this patch only handles new installs.
>
> Anyway, this patch is somewhat urgent now. So help is appreciated.
>
> I have attached a rebased version which has no other changes.

 I still need a review on this. Any takers?
>>>
>>> The patch looks good to me
>>>
>>> Simo.
>>
>> This fixes new installations. Can you please refresh my memory on what the
>> decision regarding the upgrades was?
> 
> The need to fix upgrades will be documented. In the future, we will
> get /etc/krb.conf.d and we will ship a file there.
> 
> Nathaniel
> 

Nobody reads the documentation :-) What is the implication for users doing
client update (majority of them) and using OTP feature?



Re: [Freeipa-devel] [PATCH 0019] Prefer TCP connections to UDP in krb5 clients

2014-12-02 Thread Nathaniel McCallum
On Tue, 2014-12-02 at 17:51 +0100, Martin Kosek wrote:
> On 12/02/2014 05:49 PM, Nathaniel McCallum wrote:
> > On Tue, 2014-12-02 at 17:48 +0100, Martin Kosek wrote:
> >> On 12/02/2014 05:36 PM, Simo Sorce wrote:
> >>> On Tue, 02 Dec 2014 11:12:11 -0500
> >>> Nathaniel McCallum  wrote:
> >>>
>  On Thu, 2014-11-06 at 18:00 -0500, Nathaniel McCallum wrote:
> > On Fri, 2013-10-04 at 06:12 -0400, Simo Sorce wrote:
> >>
> >> - Original Message -
> >>> On 3.10.2013 23:43, Nathaniel McCallum wrote:
>  Patch attached.
> >>>
> >>> I'm curious - what is the purpose of this patch? To prevent 1
> >>> second timeouts and re-transmits when OTP is in place?
> >>>
> >>> What is the expected performance impact? Could it be configured
> >>> for OTP separately - somehow? (I guess that it is not possible
> >>> now ...)
> >>
> >> It benefits also communication of large packets (when large
> >> MS-PAC or CAMMAC AD Data are attached), so it is a better choice
> >> for IPA in general. Especially given we have multiple KDC
> >> processes configured we do not want clients wasting KDC resources
> >> by making multiple processes do the same operation.
> >
> > So apparently this patch never got reviewed over a year ago.
> >
> > It was related to a bug which was opened in SSSD. However, when it
> > became clear we wanted to solve this in FreeIPA, the SSSD bug was
> > closed but no corresponding FreeIPA bug was opened. The patch then
> > fell through the cracks.
> >
> > Without this patch, if OTP validation runs long we get retransmits
> > and failures.
> >
> > One question I have is how to handle this for upgrades since (I
> > think) this patch only handles new installs.
> >
> > Anyway, this patch is somewhat urgent now. So help is appreciated.
> >
> > I have attached a rebased version which has no other changes.
> 
>  I still need a review on this. Any takers?
> >>>
> >>> The patch looks good to me
> >>>
> >>> Simo.
> >>
> >> This fixes new installations. Can you please refresh my memory on what the
> >> decision regarding the upgrades was?
> > 
> > The need to fix upgrades will be documented. In the future, we will
> > get /etc/krb.conf.d and we will ship a file there.
> > 
> > Nathaniel
> > 
> 
> Nobody reads the documentation :-) What is the implication for users doing
> client update (majority of them) and using OTP feature?

They will get spurious failures. Most will think it is a bug or a
network issue. If the failures happen consistently enough, users might
get locked out.

Nathaniel

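
The upgrade gap raised in this thread (the patch itself is not shown on the page and, per the discussion, only touches new installs) can be closed by an idempotent edit of the client's /etc/krb5.conf. The following is an added example, not part of the original posts or of FreeIPA's installer; it assumes that MIT krb5's documented libdefaults option udp_preference_limit (0 means always use TCP) is the setting involved, which the page does not confirm, and it works on constructed sample configuration rather than a real file.

```python
"""Idempotently force TCP for Kerberos clients by setting
udp_preference_limit = 0 in the [libdefaults] section of a krb5.conf.

Added example for the upgrade question in this thread; this is not
FreeIPA's installer code and the patch under review is not on the page.
udp_preference_limit is MIT krb5's documented libdefaults option (0 means
always use TCP); that the patch uses exactly this option is an assumption.
"""

LIBDEFAULTS = "[libdefaults]"
KEY = "udp_preference_limit"


def _is_header(line: str) -> bool:
    s = line.strip()
    return s.startswith("[") and s.endswith("]")


def _insert_before_trailing_blanks(out: list, line: str) -> None:
    """Append `line` to the current section, keeping blank separator
    lines after it."""
    i = len(out)
    while i > 0 and out[i - 1].strip() == "":
        i -= 1
    out.insert(i, line)


def ensure_tcp_preferred(conf: str, value: str = "0") -> str:
    """Return `conf` with KEY = value inside [libdefaults]: an existing
    value is replaced, a missing key is added, a missing section is
    appended.  Lines outside [libdefaults] (including the nested
    [realms] blocks) are left untouched, so the edit is safe to rerun."""
    out, in_section, seen_section, done = [], False, False, False
    for line in conf.splitlines():
        stripped = line.strip()
        if _is_header(line):
            if in_section and not done:      # leaving [libdefaults] without the key
                _insert_before_trailing_blanks(out, f" {KEY} = {value}")
                done = True
            in_section = stripped.lower() == LIBDEFAULTS
            seen_section = seen_section or in_section
            out.append(line)
            continue
        if (in_section and not done and "=" in stripped
                and not stripped.startswith("#")
                and stripped.split("=", 1)[0].strip() == KEY):
            out.append(f" {KEY} = {value}")  # replace the existing value
            done = True
            continue
        out.append(line)
    if in_section and not done:              # [libdefaults] was the last section
        _insert_before_trailing_blanks(out, f" {KEY} = {value}")
    elif not seen_section:                   # no [libdefaults] at all
        if out and out[-1].strip():
            out.append("")
        out.extend([LIBDEFAULTS, f" {KEY} = {value}"])
    return "\n".join(out) + "\n"


def libdefaults_value(conf: str, key: str = KEY):
    """Return the value of `key` inside [libdefaults], or None if absent."""
    in_section = False
    for line in conf.splitlines():
        stripped = line.strip()
        if _is_header(line):
            in_section = stripped.lower() == LIBDEFAULTS
            continue
        if in_section and "=" in stripped and not stripped.startswith("#"):
            k, v = (p.strip() for p in stripped.split("=", 1))
            if k == key:
                return v
    return None


# Constructed sample resembling a pre-patch client krb5.conf (not a real file).
SAMPLE_CONF = """\
[logging]
 default = FILE:/var/log/krb5libs.log

[libdefaults]
 default_realm = EXAMPLE.TEST
 dns_lookup_kdc = true
 udp_preference_limit = 1465

[realms]
 EXAMPLE.TEST = {
  kdc = ipa.example.test:88
 }
"""

if __name__ == "__main__":
    print(ensure_tcp_preferred(SAMPLE_CONF))
```

Run against a copy of the real file, diff, then move it into place; because the function replaces an existing udp_preference_limit rather than appending a second one, it can be wired into an upgrade step that runs on every client update without accumulating duplicate lines.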


Re: [Freeipa-devel] [PATCH 0074] Make token window sizes configurable

2014-12-02 Thread Petr Vobornik

On 12/02/2014 05:39 PM, thierry bordaz wrote:

On 12/02/2014 05:24 PM, Nathaniel McCallum wrote:

On Tue, 2014-12-02 at 17:12 +0100, Martin Kosek wrote:

On 12/02/2014 04:56 PM, Nathaniel McCallum wrote:

On Tue, 2014-12-02 at 14:05 +0100, thierry bordaz wrote:

On 11/12/2014 11:37 PM, Nathaniel McCallum wrote:


On Mon, 2014-11-10 at 08:28 +0100, Martin Kosek wrote:

On 11/07/2014 04:44 PM, Petr Vobornik wrote:

On 7.11.2014 08:58, Martin Kosek wrote:

On 11/04/2014 05:17 PM, Nathaniel McCallum wrote:

On Wed, 2014-10-29 at 09:34 -0400, Nathaniel McCallum wrote:

On Wed, 2014-10-29 at 12:21 +0100, Petr Viktorin wrote:

On 10/29/2014 10:37 AM, Martin Kosek wrote:

On 10/28/2014 09:59 PM, Nathaniel McCallum wrote:

On Thu, 2014-10-23 at 18:07 -0400, Nathaniel McCallum wrote:

This patch gives the administrator variables to control
the size of
the authentication and synchronization windows for OTP
tokens.

https://fedorahosted.org/freeipa/ticket/4511

NOTE: There is one known issue with this patch which I
don't know
how to
solve. This patch changes the schema in
install/share/60ipaconfig.ldif.
On an upgrade, all of the new attributeTypes appear
correctly.
However,
the modifications to the pre-existing objectClass do not
show up
on the
server. What am I doing wrong?

After modifying ipaGuiConfig manually, everything in this
patch
works
just fine.

This new version takes into account the new (proper) OIDs and
attribute
names.

Thanks Nathaniel!


The above known issue still remains.

Petr3, any idea what could have gone wrong? ObjectClass MAY
list
extension
should work just fine, AFAIK.

You added a blank line to the LDIF file. This is an entry
separator, so
the objectClasses after the blank line don't belong to
cn=schema, so
they aren't considered in the update.
Without the blank line it works fine.

Thanks for the catch!

Here is a version without the blank line.

I forgot to remove the old steps defines. This patch performs
this
cleanup.

I am now wondering, is the global config object really the best
place to
add these OTP specific settings?

I would prefer not to overload the object and instead:
- create new ipaOTPConfig objectclass
- add it to cn=otp,$SUFFIX
- create otpconfig-mod and otpconfig-show commands to follow an
example
of dnsconfig-* and trustconfig-* commands

IMO, this would allow more flexibility for the OTP settings and
would
also scale better for the future updates.

+1

I will comment on the patch as if ^^ did not exist because it
will still be
needed in the new plugin.

Because of ^^ I did not test, just read.

1. Got:
install/ui/src/freeipa/serverconfig.js(135): lint warning: extra
comma is not
recommended in array initializers

Please run:
   jsl -nofilelisting -nosummary -nologo -conf jsl.conf
in install/ui directory

The goal is to have no warnings and errors.

2. new attrs should be added to 'System: Read Global
Configuration' managed
permission

+1. Though if we go with OTP config, it should be called

System: Read OTP Configuration

Martin

Attached is a new set of patches that replaces this single patch.
This
now fixes multiple issues.

I now create two new entries:
  * cn=TOTP,cn=Token Config,cn=etc,$SUFFIX
  * cn=HOTP,cn=Token Config,cn=etc,$SUFFIX

There are two corresponding CLI commands:
  * totpconfig-(show|mod)
  * hotpconfig-(show|mod)

There is no UI support for this yet (pointers welcome).

This is designed so that eventually tokens can grow a per-token
override, but I have not yet implemented this feature (it should
be easy
in the future).

Additionally, I had to do some shared refactoring to address
issues in
ipa-otp-lasttoken, which is why all of these are now merged into a
single patch set.

Nathaniel



Hello Nathaniel,

 Very few comments.

Just as a reminder, patch 0001 is already ACKed.


 On patch 0002:
 Is it possible that we later define a spec whose 'dflt'
 contains OTP_CONFIG_AUTH_TYPE_DISABLED? If yes, it needs to be
 32 bits.

Fixed. It was just a typo.


 When is otp_config_fini called?

Sadly, never. I admit that I am cargo-culting the lack of calling
otp_config_fini(). Surely there must be a way to sanely tear this down
when 389 shuts down?


 On patch 0003:
 In ipa-otp-lasttoken:58 you may use SLAPI_ATTR_OBJECTCLASS
 (slapi-plugin.h).

Fixed.


 In ipa-otp-lasttoken:preop_mod, the test is_allowed is done
 on the original entry (SLAPI_ENTRY_PRE_OP). That is the entry
 untouched by other BE_PREOP/TXN_BE_PREOP plugins. Is that the
 entry you want to check?

Yes, the code is correct as written. We check to see if a change to the
existing state would cause bad behavior. Then, if any such change is
attempted (ipa_otp_lasttoken.c:205) we reject it. In the future we
might
improve this to be more granu
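
The blank-line mistake diagnosed earlier in this thread (a blank line in an LDIF file ends the cn=schema entry, so the objectClasses that follow belong to a new, DN-less entry and are silently skipped by the schema update) is easy to catch before a patch goes out. The following check is an added example, not part of the original posts or of FreeIPA's schema updater; it parses an LDIF file the way the entry separator rule works and reports every attributeTypes or objectClasses definition that is not attached to the cn=schema entry. The sample LDIF is constructed, with made-up OIDs under a private-enterprise arc, to reproduce the mistake.

```python
"""Report which LDIF entry each schema definition belongs to.

Added example for the blank-line problem in this thread; it is not
FreeIPA's schema updater.  The sample LDIF is constructed (made-up OIDs
under a private-enterprise arc) to reproduce the mistake: a blank line
inside the cn=schema entry silently starts a new, DN-less entry."""


def parse_ldif(text: str):
    """Split LDIF into entries at blank lines and unfold continuation
    lines (a leading single space).  Returns [(dn, [(attr, value), ...])];
    an entry without a dn: line gets dn None."""
    entries, current = [], []
    for raw in text.splitlines() + [""]:
        if raw.strip() == "":          # blank line: entry separator
            if current:
                entries.append(current)
                current = []
            continue
        if raw.startswith("#"):        # comment
            continue
        if raw.startswith(" ") and current:   # folded continuation line
            attr, val = current[-1]
            current[-1] = (attr, val + raw[1:])
            continue
        attr, _, val = raw.partition(":")
        current.append((attr.strip(), val.lstrip(":").strip()))
    result = []
    for entry in entries:
        dn = next((v for a, v in entry if a.lower() == "dn"), None)
        result.append((dn, entry))
    return result


SCHEMA_ATTRS = ("attributetypes", "objectclasses")


def stray_schema_definitions(text: str, schema_dn: str = "cn=schema"):
    """Return the (attr, definition) pairs that an updater would ignore
    because they are not attached to the schema entry."""
    stray = []
    for dn, attrs in parse_ldif(text):
        if (dn or "").lower() == schema_dn.lower():
            continue
        stray.extend((a, v) for a, v in attrs if a.lower() in SCHEMA_ATTRS)
    return stray


# Constructed sample: note the blank line between the two definitions.
BROKEN_LDIF = """\
dn: cn=schema
attributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'exampleWindow'
  DESC 'constructed example attribute' EQUALITY integerMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'example' )

objectClasses: ( 1.3.6.1.4.1.99999.2.1 NAME 'exampleConfig' SUP top
  AUXILIARY MAY ( exampleWindow ) X-ORIGIN 'example' )
"""

# The same file with the stray blank line removed.
FIXED_LDIF = BROKEN_LDIF.replace("\n\n", "\n")

if __name__ == "__main__":
    for attr, definition in stray_schema_definitions(BROKEN_LDIF):
        print(f"{attr} not under cn=schema: {definition[:60]}...")
```

A check like this is cheap to run over install/share/*.ldif in a test so that a definition that is syntactically fine but attached to the wrong entry fails the build instead of surfacing as a missing objectClass after upgrade.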

Re: [Freeipa-devel] [PATCH 0074] Make token window sizes configurable

2014-12-02 Thread Nathaniel McCallum
On Tue, 2014-12-02 at 17:56 +0100, Petr Vobornik wrote:
> On 12/02/2014 05:39 PM, thierry bordaz wrote:
> > On 12/02/2014 05:24 PM, Nathaniel McCallum wrote:
> >> On Tue, 2014-12-02 at 17:12 +0100, Martin Kosek wrote:
> >>> On 12/02/2014 04:56 PM, Nathaniel McCallum wrote:
>  On Tue, 2014-12-02 at 14:05 +0100, thierry bordaz wrote:
> > On 11/12/2014 11:37 PM, Nathaniel McCallum wrote:
> >
> >> On Mon, 2014-11-10 at 08:28 +0100, Martin Kosek wrote:
> >>> On 11/07/2014 04:44 PM, Petr Vobornik wrote:
>  On 7.11.2014 08:58, Martin Kosek wrote:
> > On 11/04/2014 05:17 PM, Nathaniel McCallum wrote:
> >> On Wed, 2014-10-29 at 09:34 -0400, Nathaniel McCallum wrote:
> >>> On Wed, 2014-10-29 at 12:21 +0100, Petr Viktorin wrote:
>  On 10/29/2014 10:37 AM, Martin Kosek wrote:
> > On 10/28/2014 09:59 PM, Nathaniel McCallum wrote:
> >> On Thu, 2014-10-23 at 18:07 -0400, Nathaniel McCallum wrote:
> >>> This patch gives the administrator variables to control
> >>> the size of
> >>> the authentication and synchronization windows for OTP
> >>> tokens.
> >>>
> >>> https://fedorahosted.org/freeipa/ticket/4511
> >>>
> >>> NOTE: There is one known issue with this patch which I
> >>> don't know
> >>> how to
> >>> solve. This patch changes the schema in
> >>> install/share/60ipaconfig.ldif.
> >>> On an upgrade, all of the new attributeTypes appear
> >>> correctly.
> >>> However,
> >>> the modifications to the pre-existing objectClass do not
> >>> show up
> >>> on the
> >>> server. What am I doing wrong?
> >>>
> >>> After modifying ipaGuiConfig manually, everything in this
> >>> patch
> >>> works
> >>> just fine.
> >> This new version takes into account the new (proper) OIDs and
> >> attribute
> >> names.
> > Thanks Nathaniel!
> >
> >> The above known issue still remains.
> > Petr3, any idea what could have gone wrong? ObjectClass MAY
> > list
> > extension
> > should work just fine, AFAIK.
>  You added a blank line to the LDIF file. This is an entry
>  separator, so
>  the objectClasses after the blank line don't belong to
>  cn=schema, so
>  they aren't considered in the update.
>  Without the blank line it works fine.
> >>> Thanks for the catch!
> >>>
> >>> Here is a version without the blank line.
> >> I forgot to remove the old steps defines. This patch performs
> >> this
> >> cleanup.
> > I am now wondering, is the global config object really the best
> > place to
> > add these OTP specific settings?
> >
> > I would prefer not to overload the object and instead:
> > - create new ipaOTPConfig objectclass
> > - add it to cn=otp,$SUFFIX
> > - create otpconfig-mod and otpconfig-show commands to follow an
> > example
> > of dnsconfig-* and trustconfig-* commands
> >
> > IMO, this would allow more flexibility for the OTP settings and
> > would
> > also scale better for the future updates.
>  +1
> 
>  I will comment on the patch as if ^^ did not exist because it
>  will still be
>  needed in the new plugin.
> 
>  Because of ^^ I did not test, just read.
> 
>  1. Got:
>  install/ui/src/freeipa/serverconfig.js(135): lint warning: extra
>  comma is not
>  recommended in array initializers
> 
>  Please run:
> jsl -nofilelisting -nosummary -nologo -conf jsl.conf
>  in install/ui directory
> 
>  The goal is to have no warnings and errors.
> 
>  2. new attrs should be added to 'System: Read Global
>  Configuration' managed
>  permission
> >>> +1. Though if we go with OTP config, it should be called
> >>>
> >>> System: Read OTP Configuration
> >>>
> >>> Martin
> >> Attached is a new set of patches that replaces this single patch.
> >> This
> >> now fixes multiple issues.
> >>
> >> I now create two new entries:
> >>   * cn=TOTP,cn=Token Config,cn=etc,$SUFFIX
> >>   * cn=HOTP,cn=Token Config,cn=etc,$SUFFIX
> >>
> >> There are two corresponding CLI commands:
> >>   * totpconfig-(show|mod)
> >>   * hotpconfig-(show|mod)
> >>
> >> There is no UI support for this yet (pointers welcome).
> >>
> >> This is designed so that eventually tokens can grow a per-token
> >> override,

[Freeipa-devel] Announcing bind-dyndb-ldap version 6.1

2014-12-02 Thread Petr Spacek
The FreeIPA team is proud to announce bind-dyndb-ldap version 6.1.

It can be downloaded from https://fedorahosted.org/released/bind-dyndb-ldap/

The new version has also been built for Fedora 21+ and is on its way to
updates-testing:
https://admin.fedoraproject.org/updates/bind-dyndb-ldap-6.1-1.fc21

This version is also available from FreeIPA COPR repo:
http://copr.fedoraproject.org/coprs/mkosek/freeipa/


6.1

[1] Crash caused by interaction between forward and master zones was fixed.
https://fedorahosted.org/bind-dyndb-ldap/ticket/145

[2] DNS NOTIFY messages are sent after any modification to the zone.
https://fedorahosted.org/bind-dyndb-ldap/ticket/144

[3] Misleading error message about forward zones during reconnect was fixed.


== Upgrading ==
A server can be upgraded by installing the updated RPM. BIND has to be restarted
manually after the RPM installation.

Downgrading back to any 5.x version is supported if idnsZoneActive is always
set to TRUE.


== Feedback ==
Please provide comments, report bugs and send any other feedback via the
freeipa-users mailing list:
http://www.redhat.com/mailman/listinfo/freeipa-users

-- 
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH 0074] Make token window sizes configurable

2014-12-02 Thread Nathaniel McCallum
On Tue, 2014-12-02 at 12:20 -0500, Nathaniel McCallum wrote:
> On Tue, 2014-12-02 at 17:56 +0100, Petr Vobornik wrote:
> > On 12/02/2014 05:39 PM, thierry bordaz wrote:
> > > On 12/02/2014 05:24 PM, Nathaniel McCallum wrote:
> > >> On Tue, 2014-12-02 at 17:12 +0100, Martin Kosek wrote:
> > >>> On 12/02/2014 04:56 PM, Nathaniel McCallum wrote:
> >  On Tue, 2014-12-02 at 14:05 +0100, thierry bordaz wrote:
> > > On 11/12/2014 11:37 PM, Nathaniel McCallum wrote:
> > >
> > >> On Mon, 2014-11-10 at 08:28 +0100, Martin Kosek wrote:
> > >>> On 11/07/2014 04:44 PM, Petr Vobornik wrote:
> >  On 7.11.2014 08:58, Martin Kosek wrote:
> > > On 11/04/2014 05:17 PM, Nathaniel McCallum wrote:
> > >> On Wed, 2014-10-29 at 09:34 -0400, Nathaniel McCallum wrote:
> > >>> On Wed, 2014-10-29 at 12:21 +0100, Petr Viktorin wrote:
> >  On 10/29/2014 10:37 AM, Martin Kosek wrote:
> > > On 10/28/2014 09:59 PM, Nathaniel McCallum wrote:
> > >> On Thu, 2014-10-23 at 18:07 -0400, Nathaniel McCallum wrote:
> > >>> This patch gives the administrator variables to control
> > >>> the size of
> > >>> the authentication and synchronization windows for OTP
> > >>> tokens.
> > >>>
> > >>> https://fedorahosted.org/freeipa/ticket/4511
> > >>>
> > >>> NOTE: There is one known issue with this patch which I
> > >>> don't know
> > >>> how to
> > >>> solve. This patch changes the schema in
> > >>> install/share/60ipaconfig.ldif.
> > >>> On an upgrade, all of the new attributeTypes appear
> > >>> correctly.
> > >>> However,
> > >>> the modifications to the pre-existing objectClass do not
> > >>> show up
> > >>> on the
> > >>> server. What am I doing wrong?
> > >>>
> > >>> After modifying ipaGuiConfig manually, everything in this
> > >>> patch
> > >>> works
> > >>> just fine.
> > >> This new version takes into account the new (proper) OIDs and
> > >> attribute
> > >> names.
> > > Thanks Nathaniel!
> > >
> > >> The above known issue still remains.
> > > Petr3, any idea what could have gone wrong? ObjectClass MAY
> > > list
> > > extension
> > > should work just fine, AFAIK.
> >  You added a blank line to the LDIF file. This is an entry
> >  separator, so
> >  the objectClasses after the blank line don't belong to
> >  cn=schema, so
> >  they aren't considered in the update.
> >  Without the blank line it works fine.
> > >>> Thanks for the catch!
> > >>>
> > >>> Here is a version without the blank line.
> > >> I forgot to remove the old steps defines. This patch performs
> > >> this
> > >> cleanup.
> > > I am now wondering, is the global config object really the best
> > > place to
> > > add these OTP specific settings?
> > >
> > > I would prefer not to overload the object and instead:
> > > - create new ipaOTPConfig objectclass
> > > - add it to cn=otp,$SUFFIX
> > > - create otpconfig-mod and otpconfig-show commands to follow an
> > > example
> > > of dnsconfig-* and trustconfig-* commands
> > >
> > > IMO, this would allow more flexibility for the OTP settings and
> > > would
> > > also scale better for the future updates.
> >  +1
> > 
> >  I will comment on the patch as if ^^ did not exist because it
> >  will still be
> >  needed in the new plugin.
> > 
> >  Because of ^^ I did not test, just read.
> > 
> >  1. Got:
> >  install/ui/src/freeipa/serverconfig.js(135): lint warning: extra
> >  comma is not
> >  recommended in array initializers
> > 
> >  Please run:
> > jsl -nofilelisting -nosummary -nologo -conf jsl.conf
> >  in install/ui directory
> > 
> >  The goal is to have no warnings and errors.
> > 
> >  2. new attrs should be added to 'System: Read Global
> >  Configuration' managed
> >  permission
> > >>> +1. Though if we go with OTP config, it should be called
> > >>>
> > >>> System: Read OTP Configuration
> > >>>
> > >>> Martin
> > >> Attached is a new set of patches that replaces this single patch.
> > >> This
> > >> now fixes multiple issues.
> > >>
> > >> I now create two new entries:
> > >>   * cn=TOTP,cn=Token Config,cn=etc,$SUFFIX
> > >>   * cn=HOTP,cn=Token Config,cn=etc,$SUFFIX
> > >>
> > >>

Re: [Freeipa-devel] [PATCH 0036] Add missing python files to Makefile

2014-12-02 Thread Gabe Alford
This patch removes the changelog and Makefile.am for ipaclient as well.

Thanks,

Gabe

On Mon, Dec 1, 2014 at 8:28 AM, Martin Kosek  wrote:

> On 12/01/2014 04:25 PM, Rob Crittenden wrote:
> > Gabe Alford wrote:
> >>
> >> On Mon, Dec 1, 2014 at 6:05 AM, Martin Kosek  >> > wrote:
> >>
> >> On 11/30/2014 03:28 AM, Gabe Alford wrote:
> >> > Ignore the last patch. Updated patch attached.
> >> >
> >> > On Sat, Nov 29, 2014 at 6:03 PM, Gabe Alford
> >> mailto:redhatri...@gmail.com>> wrote:
> >> >
> >> >> This patch removes the app_PYTHON usage.
> >> >>
> >> >> Thanks,
> >> >>
> >> >> Gabe
> >> >>
> >> >> On Thu, Nov 27, 2014 at 9:40 AM, Martin Kosek  >> > wrote:
> >> >>
> >> >>> Exactly, this was the message from Martin :-) I did not test it
> >> myself,
> >> >>> but
> >> >>> removing all app_PYTHON should be benign given we use Python
> >> setup.py
> >> >>> packaging.
> >> >>>
> >> >>> On 11/27/2014 04:27 PM, Gabe Alford wrote:
> >>  Thanks guys. Sounds like it would be better to submit a patch
> that
> >> >>> removes
> >>  app_PYTHON if it is considered dead code.
> >> 
> >>  Gabe
> >> 
> >>  On Thursday, November 27, 2014, Petr Spacek <
> pspa...@redhat.com
> >> > wrote:
> >> 
> >> > On 27.11.2014 11:00, Martin Basti wrote:
> >> >> On 27/11/14 00:50, Gabe Alford wrote:
> >> >>> Hello,
> >> >>>
> >> >>>Wondering if I could get a review. Updated patch
> >> attached.
> >> >>>
> >> >>> Thanks,
> >> >>> Gabe
> >> >>>
> >> >>> On Tue, Nov 11, 2014 at 7:21 AM, Gabe Alford
> >> mailto:redhatri...@gmail.com>
> >> > 
> >> >>>  >
> >> >> wrote:
> >> >>>
> >> >>> Hello,
> >> >>>
> >> >>> Fix for https://fedorahosted.org/freeipa/ticket/4700
> >> >>>
> >> >>> Thanks,
> >> >>>
> >> >>> Gabe
> >> >>>
> >> >>>
> >> >>>
> >> >> Hello,
> >> >>
> >> >> sorry for late response.
> >> >>
> >> >> We push this ticket to backlog, as it would be part of build
> >> system
> >> > refactoring.
> >> >> The "app_PYTHON" statement is not used anymore in IPA, the
> better
> >> > solution is
> >> >> remove it, instead of keeping dead code up-to-date.
> >> >
> >> > Just to clarify:
> >> > It can be pushed if it works, there is no need to postpone
> >> accepting
> >> >>> patch
> >> > if
> >> > the patch seems okay and doesn't break anything.
> >> >
> >> > Martin, please keep in mind that contributions are welcome at
> >> any time.
> >> >
> >> > Milestones in Trac reflect our view of priorities but it
> doesn't
> >> >>> prevent us
> >> > from accepting correct patches from contributions at any
> time, no
> >> >>> matter
> >> > which
> >> > priority is stated in Trac (or even if there is no ticket for
> >> it ...).
> >> >
> >> > --
> >> > Petr^2 Spacek
> >>
> >> Worked in my tests, I did not see any breakage. I guess we can also
> >> remove the
> >> ipa-client/ipaclient/Makefile.am while we are at it.
> >>
> >> Martin
> >>
> >>
> >> It looks like the ipaclient/Makefile.am is still being used. I tried
> >> removing it and there were errors in the build, but maybe I am wrong?
> >
> > It is needed to build ipa-join, ipa-getkeytab and ipa-rmkeytab.
> >
> > Feel free to rip out the outdated hg ChangeLog stuff though.
> >
> > rob
>
> I think Gabe was asking about ipa-client/ipaclient/Makefile.am and not
> about
> ipa-client/Makefile.am - we still need this one as Rob correctly said.
>
> The failure that Gabe hit in build probably comes from the the SUBDIR
> reference
> in ipa-client/Makefile.am file. I assume that if the reference is removed,
> the
> removal should work.
>
> And yes, you can remove the Changelog too if you are OK with it :)
>
> Martin
>
From d2e3176b6f6f2abb2ffbdfc198814bd1a845b876 Mon Sep 17 00:00:00 2001
From: Gabe 
Date: Tue, 2 Dec 2014 14:43:57 -0700
Subject: [PATCH] Remove usage of app_PYTHON in ipaserver Makefiles

https://fedorahosted.org/freeipa/ticket/4700
---
 ipa-client/Makefile.am| 21 -
 ipa-client/ipaclient/Makefile.am  | 17 -
 ipaserver/install/Makefile.am | 27 ---
 ipaserver/install/plugins/Makefile.am | 24 
 4 files changed, 89 deletions(-)
 delete mode 100644 ipa-client/ipaclient/Makefile.am
 delete mode 100644 ipaserver/install/Makefile.am
 delete mode 100644 ipaserver/i
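Review bot: the subject line "Remove usage of app_PYTHON in ipaserver Makefiles" is narrower than the change; the stat also modifies ipa-client/Makefile.am and deletes ipa-client/ipaclient/Makefile.am, and the covering mail says the changelog is removed as well, yet no ChangeLog file appears among the four files listed. Widen the subject to cover ipa-client, and either include the ChangeLog removal in the patch or say that only its reference in ipa-client/Makefile.am goes away.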

[Freeipa-devel] [PATCH 0039] Add test case for unsupported arg for ipa-advise

2014-12-02 Thread Gabe Alford
Hello,

I was going to try my hand at attempting a patch for ipa-tests. However, in
wanting to test my patch, I am not sure how to run ipa-tests to check whether it
works. The documentation is not really clear on what needs to be done to
set up a test and run it. This is for
https://fedorahosted.org/freeipa/ticket/4029

I have attached the patch, which I have yet to really test with ipa-tests. Any
help on how to test the patch by running ipa-tests would be great. Of course,
if one of the reviewers looks at the patch and it looks good, then I would be
happy with that as well.

Thanks,

Gabe
From e049c030ef1320332bfc2d67cf026efe8ad91fa6 Mon Sep 17 00:00:00 2001
From: Gabe 
Date: Tue, 2 Dec 2014 20:57:11 -0700
Subject: [PATCH] Add test case for unsupported argument for ipa-advise

https://fedorahosted.org/freeipa/ticket/4029
---
 ipatests/test_integration/test_legacy_clients.py | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/ipatests/test_integration/test_legacy_clients.py b/ipatests/test_integration/test_legacy_clients.py
index 49ad2801927bfffd36bd80e400173d5b86b3b856..cc40e9eaa7b06bc7ce756ba1c25f21482d3937b7 100644
--- a/ipatests/test_integration/test_legacy_clients.py
+++ b/ipatests/test_integration/test_legacy_clients.py
@@ -71,6 +71,13 @@ class BaseTestLegacyClient(object):
 # Restart SSHD to load new PAM configuration
 self.legacy_client.run_command([paths.SBIN_SERVICE, 'sshd', 'restart'])
 
+def test_invalid_advice(self):
+result = self.master.run_command(['ipa-advise', 'config-invalid-param'])
+invalid_advice_regex = "invalid[\s]+\'advice\'.*"
+
+assert re.search(invalid_advice_regex, result.stdout_text)
+
+
 def clear_sssd_caches(self):
 tasks.clear_sssd_cache(self.master)
 tasks.clear_sssd_cache(self.legacy_client)
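Review bot: in test_invalid_advice, `self.master.run_command([...])` is called without `raiseonerr=False`; if `ipa-advise config-invalid-param` exits non-zero, the helper raises before `assert re.search(...)` is reached and the test fails for the wrong reason. Pass `raiseonerr=False`, assert on `result.returncode` as well, and search `result.stderr_text` too, since an error about an invalid advice name is at least as likely to go to stderr as to stdout. Two smaller points: write the pattern as a raw string (`r"invalid\s+'advice'.*"`) instead of escaping the quotes inside a normal string, and make sure `re` is imported in test_legacy_clients.py, which the hunk does not show; a dedicated ipa-advise test module would also be a more natural home for this than BaseTestLegacyClient.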
-- 
2.0.0
