[Freeipa-devel] [PATCH 0012-0012] more topology plugin fixes

2015-06-10 Thread Ludwig Krispenz

Attached are two patches:
- reject direct modification of segment endpoints and connectivity
- better manage the rdn of a replication agreement represented by a segment
From b7d72c390cd4ea021d9c818156c07de4fc2b0921 Mon Sep 17 00:00:00 2001
From: Ludwig Krispenz 
Date: Wed, 10 Jun 2015 15:53:16 +0200
Subject: [PATCH] make sure the agreement rdn matches the rdn used in the segment

---
 daemons/ipa-slapi-plugins/topology/topology_util.c | 37 +++---
 1 file changed, 19 insertions(+), 18 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/topology/topology_util.c b/daemons/ipa-slapi-plugins/topology/topology_util.c
index 67014a05d4f89260d4307e5212a5594335617482..cd97827b17d3a276974331f7da7bf0eae40c5a81 100644
--- a/daemons/ipa-slapi-plugins/topology/topology_util.c
+++ b/daemons/ipa-slapi-plugins/topology/topology_util.c
@@ -292,9 +292,9 @@ ipa_topo_util_agmt_from_entry(Slapi_Entry *entry, char *replRoot, char *fromHost
   char *toHost, char *direction)
 {
 TopoReplicaAgmt *agmt = NULL;
-char **mattrs;
-char *mattr;
-char *mval;
+char **mattrs = NULL;
+char *mattr = NULL;
+char *mval = NULL;
 int i;
 
 agmt = (TopoReplicaAgmt *) slapi_ch_calloc(1,sizeof(TopoReplicaAgmt));
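Review bot: initialising `mattrs`, `mattr` and `mval` to NULL is harmless, but with the `ipaReplTopoSegmentGenerated` lookup removed in the next hunk, check whether `mattr` and `mval` are still used anywhere in this function; if the managed-attribute loop below does not reuse them they are now unused variables and should be deleted rather than initialised.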
@@ -302,18 +302,8 @@ ipa_topo_util_agmt_from_entry(Slapi_Entry *entry, char *replRoot, char *fromHost
 agmt->target = slapi_ch_strdup(toHost);
 agmt->repl_root = slapi_ch_strdup(replRoot);
 
-mattr = slapi_ch_smprintf("ipaReplTopoSegmentGenerated;%s",direction);
-mval = slapi_entry_attr_get_charptr(entry,mattr);
-if (mval == 0) {
-mval = slapi_entry_attr_get_charptr(entry,"ipaReplTopoSegmentGenerated");
-}
-if (mval) {
-agmt->rdn = ipa_topo_agmt_gen_rdn(fromHost,toHost);
-} else {
-agmt->rdn = ipa_topo_agmt_std_rdn(toHost);
-}
-slapi_ch_free_string(&mattr);
-slapi_ch_free_string(&mval);
+/* use std agmt rdn, it may be updated when matching real agmt is found */
+agmt->rdn = ipa_topo_agmt_std_rdn(toHost);
 
 mattrs = ipa_topo_get_plugin_managed_attrs();
 for (i=0; mattrs[i]; i++) {
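Review bot: this hunk silently drops the `ipaReplTopoSegmentGenerated` / `ipa_topo_agmt_gen_rdn()` path, so an agreement built from a generated segment for which no existing agreement is found now gets the std rdn instead of the generated one; the commit message should state that this is intended. If `ipa_topo_agmt_gen_rdn()` has no remaining caller after this change, remove it in the same patch instead of leaving dead code.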
@@ -520,9 +510,20 @@ ipa_topo_util_update_agmt_list(TopoReplica *conf, TopoReplicaSegmentList *repl_s
 ipa_topo_get_plugin_hostname(),
 targetHost);
 if (topo_agmt) {
-/* if segment found update agreement params */
-char * segm_attr_val;
-char * agmt_attr_val;
+/* compare rdns, use rdn of existing agreement */
+const Slapi_DN *agmt_dn = slapi_entry_get_sdn_const(repl_agmt);
+Slapi_RDN *agmt_rdn = slapi_rdn_new();
+slapi_sdn_get_rdn(agmt_dn, agmt_rdn);
+const char *agmt_rdn_str  = slapi_rdn_get_rdn(agmt_rdn);
+if (strcasecmp(agmt_rdn_str, topo_agmt->rdn)) {
+slapi_ch_free_string(&topo_agmt->rdn);
+topo_agmt->rdn = slapi_ch_strdup(agmt_rdn_str);
+}
+slapi_rdn_free(&agmt_rdn);
+
+/* update agreement params which are different in the segment*/
+char *segm_attr_val;
+char *agmt_attr_val;
 Slapi_Mods *smods = slapi_mods_new();
 char **mattrs = ipa_topo_get_plugin_managed_attrs();
 for (i=0; mattrs[i]; i++) {
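Review bot: `slapi_rdn_get_rdn()` can return NULL for an agreement entry whose RDN could not be parsed, and `strcasecmp(agmt_rdn_str, topo_agmt->rdn)` then dereferences NULL; guard it with `if (agmt_rdn_str && strcasecmp(agmt_rdn_str, topo_agmt->rdn))`. Comparing the raw strings also treats `cn=x` and `cn = x` as different; since the intent is simply to reuse the RDN of the agreement that was found, either compare two Slapi_RDN objects with slapi_rdn_compare() or copy `agmt_rdn_str` unconditionally and drop the comparison.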
-- 
2.1.0

From d69ad45e5331a0f0e42ac3c674602b03c40f54ec Mon Sep 17 00:00:00 2001
From: Ludwig Krispenz 
Date: Wed, 10 Jun 2015 17:47:25 +0200
Subject: [PATCH] reject modifications of endpoints and connectivity of a
 segment

---
 daemons/ipa-slapi-plugins/topology/topology_pre.c | 57 +--
 1 file changed, 52 insertions(+), 5 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/topology/topology_pre.c b/daemons/ipa-slapi-plugins/topology/topology_pre.c
index 0a0cd65b592e2dc796a179e035598e5f641bb01e..9ca116c8e036f5b558e0ffae402453db2b0f9f79 100644
--- a/daemons/ipa-slapi-plugins/topology/topology_pre.c
+++ b/daemons/ipa-slapi-plugins/topology/topology_pre.c
@@ -60,7 +60,7 @@ int ipa_topo_is_entry_managed(Slapi_PBlock *pb)
 
 }
 int
-ipa_topo_is_modattr_restricted(Slapi_PBlock *pb)
+ipa_topo_is_agmt_attr_restricted(Slapi_PBlock *pb)
 {
 LDAPMod **mods;
 int i;
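Review bot: renaming `ipa_topo_is_modattr_restricted` to `ipa_topo_is_agmt_attr_restricted` is only safe if every declaration and caller is updated, and the diffstat shows topology_pre.c as the only file touched; verify that the old name is not declared in topology.h or used from another plugin source file, otherwise the build breaks.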
@@ -75,6 +75,24 @@ ipa_topo_is_modattr_restricted(Slapi_PBlock *pb)
 }
 return rc;
 }
+int
+ipa_topo_is_segm_attr_restricted(Slapi_PBlock *pb)
+{
+LDAPMod **mods;
+int i;
+int rc = 0;
+
+slapi_pblock_get(pb, SLAPI_MODIFY_MODS, &mods);
+for (i = 0; (mods != NULL) && (mods[i] != NULL); i++) {
+if ((0 == strcasecmp(mods[i]->mod_type, "ipaReplTopoSegmentDirection")) ||
+(0 == strcasecmp(mods[i]->mod_type, "ipaReplTopoSegmentLeftNode")) ||
+(0 == strcasecmp(mods[i]->mod_type, "ipaReplTopoSegmentRightNode"))) {
+rc = 1;
+break;
+}
+}
+return rc;
+}
 
 /* connectivity check for topology
  * 
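Review bot: `ipa_topo_is_segm_attr_restricted()` rejects any LDAPMod naming `ipaReplTopoSegmentDirection`, `ipaReplTopoSegmentLeftNode` or `ipaReplTopoSegmentRightNode` regardless of `mod_op`, so a replace with the unchanged value is refused as well; if that is acceptable, say so in the commit message, otherwise compare against the entry's current values. The loop duplicates the one in `ipa_topo_is_agmt_attr_restricted()` above; a shared helper taking a NULL-terminated attribute list would keep the two in sync. Also make sure the plugin's own writes to these attributes, if there are any, are exempted at the call site (which is not in the visible part of the patch).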

Re: [Freeipa-devel] [PATCHES 00012-0013 v7] Profiles and CA ACLs

2015-06-10 Thread Fraser Tweedale
On Wed, Jun 10, 2015 at 03:50:22PM +0200, Martin Basti wrote:
> On 10/06/15 13:57, Martin Kosek wrote:
> >On 06/10/2015 01:50 PM, Jan Cholasta wrote:
> >>Dne 10.6.2015 v 13:44 Martin Basti napsal(a):
> >>>On 10/06/15 06:40, Fraser Tweedale wrote:
> On Tue, Jun 09, 2015 at 04:37:56PM +0200, Martin Basti wrote:
> >On 09/06/15 08:58, Fraser Tweedale wrote:
> >>On Mon, Jun 08, 2015 at 08:49:06AM +0200, Martin Kosek wrote:
> >>>On 06/08/2015 03:31 AM, Fraser Tweedale wrote:
> New patches attached.  Comments inline.
> >>>Thanks Fraser!
> >>>
> >>>...
> >5)
> >Missing referint plugin configuration for attribute
> >'ipacaaclmembercertprofile'
> >Please add it into install/updates/25-referint.update (+ other
> >member
> >attributes if missing)
> >
> Added this.  There is a comment in 25-referint.update:
> 
>   # pres and eq indexes defined in 20-indices.update must be set
>   # for all the attributes
> 
> Can you explain what is required here?  Is it just to add: I see
> things for memberUser and memberHost in indices.ldif but nothing for
> memberService.  Do I need to add to indices.ldif:
> 
>   dn: cn=memberProfile,cn=index,cn=userRoot,cn=ldbm
> database,cn=plugins,cn=config
>   changetype: add
>   cn: memberProfile
>   ObjectClass: top
>   ObjectClass: nsIndex
>   nsSystemIndex: false
>   nsIndexType: eq
>   nsIndexType: pres
>   nsIndexType: sub
> 
> , and similarly for memberCa?  Sorry I do not know much about LDAP
> indexing.
> >>>AFAIR, yes. BTW, where does the "sub" index come from? It is quite
> >>>an expensive index to use and I now cannot think of a memberProfile
> >>>search where you would need a substring...
> >>>
> >>>Thanks,
> >>>Martin
> >>Updated patch attached, which adds the indices.  (Also rebased).
> >>
> >>There is a commit that seems to indicate that substring index is
> >>needed, so I have included substring indices in this patchset.
> >>Copied Honza in case he wants to comment.
> >>
> >>  commit a10521a1dcf69960d6ce0bf5657180b709c297c0
> >>  Author: Jan Cholasta 
> >>  Date:   Tue Jun 25 13:16:40 2013 +
> >>
> >>  Add missing substring indices for attributes managed by the
> >>referint plugin.
> >>
> >>  The referint plugin does a substring search on these
> >>attributes each time an
> >>  entry is deleted, which causes a noticeable slowdown for
> >>large directories if
> >>  the attributes are not indexed.
> >>
> >>  https://fedorahosted.org/freeipa/ticket/3706
> >>
> >>Cheers,
> >>Fraser
> >ACK
> >
> >Please send the upgrade patch ASAP :)
> >
> >-- 
> >Martin Basti
> >
> Thank you for the ACK \o/
> 
> Since the patches have not been pushed, here is an updated patchset
> which adds the upgrade behaviour.  There are no changes apart from
> the additions to ipaserver/install/server/upgrade.py.
> 
> Cheers,
> Fraser
> >>>ACK
> >>NACK, the new OIDs are not registered.
> >>
> >>BTW all new attribute names should have the "ipa" prefix. Also I would 
> >>prefer
> >>"CertProfile" instead of just "Profile" in certificate profile related 
> >>names.
> >>Please rename the attributes as follows:
> >>
> >> memberCa -> ipaMemberCa
> >> memberProfile -> ipaMemberCertProfile
> >> caCategory -> ipaCaCategory
> >> profileCategory -> ipaCertProfileCategory
> >>
> >>Honza
> >>
> >+1. I see that other attributes from this feature use the ipa prefix already:
> >
> >dn: cn=schema
> >attributeTypes: (2.16.840.1.113730.3.8.21.1.1 NAME 
> >'ipaCertProfileStoreIssued'
> >DESC 'Store certificates issued using this profile' EQUALITY booleanMatch
> >SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.2' )
> >objectClasses: (2.16.840.1.113730.3.8.21.2.1 NAME 'ipaCertProfile' SUP top
> >STRUCTURAL MUST ( cn $ description $ ipaCertProfileStoreIssued ) X-ORIGIN 
> >'IPA
> >v4.2' )
> >
> >Those OIDs should be BTW registered as well, if not already
> OID registered.
> 
Thanks!

> Patches with updated names attached.
> Can you Fraser check if I didn't break anything? :)
> 
Everything LGTM.  Did some simple testing.  There were conflicts;
rebased patches attached (no other changes).

Cheers,
Fraser
From 1900b9bf4dd30c56615fe12547fd6faee35cee87 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Mon, 25 May 2015 08:39:07 -0400
Subject: [PATCH 12/13] Add CA ACL plugin

Implement the caacl commands, which are used to indicate which
principals may be issued certificates from which (sub-)CAs, using
which profiles.

At this commit, and until sub-CAs ar
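The index requirement discussed above (referint runs a substring search on each attribute it maintains whenever an entry is deleted, so every such attribute needs eq, pres and sub indexes) can be checked mechanically against an index LDIF before it is shipped. The following Python is an added example written for this page, not FreeIPA code and not something Fraser posted: the LDIF text and the attribute list are constructed for illustration (the attribute names follow the ipaMemberCa / ipaMemberCertProfile renaming requested in the thread), and the function names are assumptions.

```python
"""Check that attributes managed by the 389-ds referint plugin carry the
eq, pres and sub indexes the plugin's delete-time substring search needs.

Added example for the indexing discussion in the thread; not FreeIPA code.
SAMPLE_INDEX_LDIF and REFERINT_ATTRS are constructed for illustration.
"""
import re

# Index types referint needs on every attribute it maintains: equality and
# presence for ordinary lookups, substring because referint searches with a
# substring filter when an entry is deleted (commit a10521a1 quoted above).
REQUIRED_INDEX_TYPES = frozenset({"eq", "pres", "sub"})

# Constructed sample: memberUser and memberHost are fully indexed,
# ipaMemberCertProfile lacks the substring index, ipaMemberCa has no entry.
SAMPLE_INDEX_LDIF = """\
dn: cn=memberUser,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
cn: memberUser
ObjectClass: top
ObjectClass: nsIndex
nsSystemIndex: false
nsIndexType: eq
nsIndexType: pres
nsIndexType: sub

dn: cn=memberHost,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
cn: memberHost
ObjectClass: top
ObjectClass: nsIndex
nsSystemIndex: false
nsIndexType: eq
nsIndexType: pres
nsIndexType: sub

dn: cn=ipaMemberCertProfile,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
cn: ipaMemberCertProfile
ObjectClass: top
ObjectClass: nsIndex
nsSystemIndex: false
nsIndexType: eq
nsIndexType: pres
"""

# Constructed list of attributes the referint plugin is configured for.
REFERINT_ATTRS = ["memberUser", "memberHost", "ipaMemberCertProfile", "ipaMemberCa"]

_INDEX_DN = re.compile(r"^cn=([^,]+),cn=index,", re.IGNORECASE)


def parse_index_ldif(ldif_text):
    """Return {attribute (lower-case): set of nsIndexType values} for every
    index entry in the LDIF.  Folded continuation lines (leading space) are
    joined, comment lines are skipped and a blank line ends an entry."""
    unfolded = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    indexes = {}
    current = None
    for line in unfolded:
        if not line.strip():
            current = None
            continue
        if line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            match = _INDEX_DN.match(value)
            current = match.group(1).lower() if match else None
            if current is not None:
                indexes.setdefault(current, set())
        elif key == "nsindextype" and current is not None:
            indexes[current].add(value.lower())
    return indexes


def missing_indexes(referint_attrs, indexes):
    """Map each referint-managed attribute to the sorted list of required
    index types it lacks; fully indexed attributes are omitted."""
    missing = {}
    for attr in referint_attrs:
        lacking = REQUIRED_INDEX_TYPES - indexes.get(attr.lower(), set())
        if lacking:
            missing[attr] = sorted(lacking)
    return missing


def index_entry_ldif(attr, existing_types=(), backend="userRoot"):
    """Render the LDIF that brings attr up to eq/pres/sub: an add entry in the
    shape quoted in the thread when no index entry exists yet, otherwise a
    modify that adds only the missing nsIndexType values."""
    dn = "dn: cn=%s,cn=index,cn=%s,cn=ldbm database,cn=plugins,cn=config" % (attr, backend)
    missing = sorted(REQUIRED_INDEX_TYPES - set(t.lower() for t in existing_types))
    if not existing_types:
        lines = [dn, "changetype: add", "cn: %s" % attr, "ObjectClass: top",
                 "ObjectClass: nsIndex", "nsSystemIndex: false"]
    else:
        lines = [dn, "changetype: modify", "add: nsIndexType"]
    lines.extend("nsIndexType: %s" % t for t in missing)
    return "\n".join(lines) + "\n"


def fix_ldif(referint_attrs, ldif_text):
    """LDIF closing every gap missing_indexes() reports, one entry per attribute."""
    indexes = parse_index_ldif(ldif_text)
    gaps = missing_indexes(referint_attrs, indexes)
    return "\n".join(index_entry_ldif(attr, indexes.get(attr.lower(), ()))
                     for attr in referint_attrs if attr in gaps)


if __name__ == "__main__":
    print(fix_ldif(REFERINT_ATTRS, SAMPLE_INDEX_LDIF))
```

Run it with the real indices.ldif and the attribute list from 25-referint.update instead of the constructed sample; the output is the LDIF that still has to be added, and an empty output means the "pres and eq indexes ... must be set for all the attributes" comment in 25-referint.update is satisfied, substring index included.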

Re: [Freeipa-devel] [PATCH 0329] ipa-replica-manage: Do not allow topology altering commands

2015-06-10 Thread Petr Vobornik

On 06/10/2015 04:39 PM, Petr Vobornik wrote:

On 06/10/2015 04:06 PM, Petr Vobornik wrote:

On 06/02/2015 02:24 PM, Ludwig Krispenz wrote:

hi,

Is there a real replacement for "del"? It is not in the scope of the
topology commands, the removal of the agreement is rejected and later
done by the plugin, but what about removal of the host, services,
cleanruv?

Ludwig
On 06/02/2015 02:10 PM, Tomas Babej wrote:

Hi,

With Domain Level 1 and above, the usage of ipa-replica-manage commands
that alter the replica topology is deprecated. The following commands
are prohibited:

* connect
* disconnect
* del

Upon executing any of these commands, users are pointed to the
ipa topologysegment-* replacements.

Part of: https://fedorahosted.org/freeipa/ticket/4302




Tomas is on vacation. I've removed 'del' from his patch and will create
a new one for handling of 'del'.

If that's OK, we can push this one.




NACK

'connect' and 'disconnect' also serve for setting up/removing winsync
replication agreements. This patch forbids that.


Attaching a patch which addresses this issue and replaces Tomas'
patch (which was used as a basis). A patch for 'del' will follow.




I've not tested if topology plugin ignores winsync agreements. Does it?


--
Petr Vobornik
From 5a1ff2debb2b529e03a668d15aabc2cb40cd9f8d Mon Sep 17 00:00:00 2001
From: Petr Vobornik 
Date: Wed, 10 Jun 2015 18:23:37 +0200
Subject: [PATCH] ipa-replica-manage: Do not allow topology altering commands
 from DL 1

With Domain Level 1 and above, the usage of ipa-replica-manage commands
that alter the replica topology is deprecated. The following commands
are prohibited:

* connect
* disconnect

Upon executing any of these commands, users are pointed to the
ipa topologysegment-* replacements.

The exception is creation/deletion of winsync agreements.

Part of: https://fedorahosted.org/freeipa/ticket/4302
---
 install/tools/ipa-replica-manage | 53 
 1 file changed, 37 insertions(+), 16 deletions(-)

diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index 0d2688e6d73b1591c5e386656b7198c20d71558a..36efda88cf24c5692faf6d948270622350cbd56e 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -241,23 +241,32 @@ def del_link(realm, replica1, replica2, dirman_passwd, force=False):
 """
 
 repl2 = None
+what = "Removal of IPA replication agreement"
+managed_topology = has_managed_topology()
 
 try:
 repl1 = replication.ReplicationManager(realm, replica1, dirman_passwd)
-
 type1 = repl1.get_agreement_type(replica2)
-
-repl_list = repl1.find_ipa_replication_agreements()
-if not force and len(repl_list) <= 1 and type1 == replication.IPA_REPLICA:
-print "Cannot remove the last replication link of '%s'" % replica1
-print "Please use the 'del' command to remove it from the domain"
-return False
-
 except errors.NotFound:
-print "'%s' has no replication agreement for '%s'" % (replica1, replica2)
+# it's possible that the agreement could not have been found because of
+# the new topology plugin naming convention: -to- instead of
+# meTo.
+if managed_topology:
+print "'%s' has no winsync replication agreement for '%s'" % (replica1, replica2)
+exit_on_managed_topology(what)
+else:
+print "'%s' has no replication agreement for '%s'" % (replica1, replica2)
 return False
 except Exception, e:
-print "Failed to determine agreement type for '%s': %s" % (replica1, e)
+print "Failed to determine agreement type for '%s': %s" % (replica2, e)
+
+if type1 == replication.IPA_REPLICA and managed_topology:
+exit_on_managed_topology(what)
+
+repl_list = repl1.find_ipa_replication_agreements()
+if not force and len(repl_list) <= 1 and type1 == replication.IPA_REPLICA:
+print "Cannot remove the last replication link of '%s'" % replica1
+print "Please use the 'del' command to remove it from the domain"
 return False
 
 if type1 == replication.IPA_REPLICA:
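Review bot: the generic `except Exception, e:` branch no longer returns. The `return False` that used to follow its print is now the last line of the new `if not force and len(repl_list) <= 1 ...` block, so after "Failed to determine agreement type" execution falls through to `if type1 == replication.IPA_REPLICA and managed_topology:` with `type1` (and, if the ReplicationManager constructor raised, `repl1`) unbound and the tool dies with NameError instead of a clean message. Add `return False` after the print in that branch. Smaller point: the NotFound branch prints "has no winsync replication agreement" before calling exit_on_managed_topology(), which reads oddly when the user was trying to disconnect an IPA agreement; word it so the message covers both cases.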
@@ -747,12 +756,6 @@ def del_master(realm, hostname, options):
 try:
 if bindinstance.dns_container_exists(options.host, thisrepl.suffix,
  dm_password=options.dirman_passwd):
-if options.dirman_passwd:
-api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
-  bind_pw=options.dirman_passwd)
-else:
-ccache = krbV.default_context().default_ccache()
-api.Backend.ldap2.connect(ccache=ccache)
 bind = bindinstance.BindInstance()
 bind.remove_master_dns_records(hostname, realm, realm.lower())
 bind.remove_ipa_ca_dns_records(hostname, realm.lower())
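Review bot: this drops the only visible `api.Backend.ldap2.connect()` in del_master, for both the Directory Manager password and the ccache variant, and the commit message does not say why. Confirm that ldap2 is already connected earlier in del_master on every path that reaches this block, otherwise `bind.remove_master_dns_records()` will fail with a not-connected error, and mention the reason for the removal in the commit message.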
@@ -777,6 +780,8 @@ def add_link(realm, replica1, r

[Freeipa-devel] [PATCH 0384-0385] Replace isc_atomic_* in with reference counter

2015-06-10 Thread Petr Spacek
Hello,

Replace isc_atomic_* in MetaLDAP with reference counter abstraction.
+
Replace isc_atomic_* in instance tainting with reference counter abstraction.

Reference counters are used as an abstraction that hides missing isc_atomic_*()
functions on some architectures.


This change is necessary for architectures like s390x and ppc64le where BIND
does not provide isc_atomic_* abstractions.

-- 
Petr^2 Spacek
From 1221199b195c39143ce9d193163241739e93354f Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Wed, 10 Jun 2015 16:51:14 +0200
Subject: [PATCH] Replace isc_atomic_* in instance tainting with reference
 counter abstraction.

Reference counters are used as an abstraction that hides missing isc_atomic_*()
functions on some architectures.
---
 src/ldap_helper.c | 40 
 src/ldap_helper.h |  6 ++
 2 files changed, 42 insertions(+), 4 deletions(-)

diff --git a/src/ldap_helper.c b/src/ldap_helper.c
index d6461a3e83b63555a46ff3f60761e3703d9a6b4e..6804acf95b74528277093f26236f57f4aa0b7d05 100644
--- a/src/ldap_helper.c
+++ b/src/ldap_helper.c
@@ -24,7 +24,6 @@
 #include 
 #include 
 
-#include 
 #include 
 #include 
 #include 
@@ -37,6 +36,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -162,7 +162,7 @@ struct ldap_instance {
 	/* Non-zero if this instance 'tainted' by a unrecoverable problem.
 	 * It should be accessed using isc_atomic_*() because it might be
 	 * modified from multiple threads. */
-	isc_int32_t		tainted;
+	isc_refcount_t		errors;
 
 	/* Settings. */
 	settings_set_t		*local_settings;
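Review bot: the comment above the field is now stale: it still says the value "should be accessed using isc_atomic_*()" and talks about 'tainted', while the field is now `errors`, an isc_refcount_t. Rewrite it to say that the counter is accessed only through isc_refcount_* and that any non-zero value means the instance is tainted.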
@@ -517,6 +517,7 @@ new_ldap_instance(isc_mem_t *mctx, const char *db_name,
 
 	CHECKED_MEM_GET_PTR(mctx, ldap_inst);
 	ZERO_PTR(ldap_inst);
+	CHECK(isc_refcount_init(&ldap_inst->errors, 0));
 	isc_mem_attach(mctx, &ldap_inst->mctx);
 
 	ldap_inst->db_name = db_name;
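Review bot: `CHECK(isc_refcount_init(&ldap_inst->errors, 0))` jumps to the cleanup label on failure; if that cleanup path ends in destroy_ldap_instance(), the new `isc_refcount_destroy()` call there runs on a counter that was never initialised (on builds where isc_refcount is mutex-backed that destroys an uninitialised mutex). Either perform the init before anything that can fail after allocation, or make the cleanup path skip the destroy when init did not succeed.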
@@ -663,6 +664,10 @@ destroy_ldap_instance(ldap_instance_t **ldap_instp)
 	settings_set_free(&ldap_inst->local_settings);
 
 	sync_ctx_free(&ldap_inst->sctx);
+	/* zero out error counter (and do nothing other than that) */
+	ldap_instance_untaint_finish(ldap_inst,
+ ldap_instance_untaint_start(ldap_inst));
+	isc_refcount_destroy(&ldap_inst->errors);
 
 	MEM_PUT_AND_DETACH(ldap_inst);
 
@@ -4684,10 +4689,37 @@ ldap_instance_isexiting(ldap_instance_t *ldap_inst)
  * (if it is even possible). */
 void
 ldap_instance_taint(ldap_instance_t *ldap_inst) {
-	isc_atomic_store(&ldap_inst->tainted, 1);
+	isc_refcount_increment0(&ldap_inst->errors, NULL);
 }
 
 isc_boolean_t
 ldap_instance_istained(ldap_instance_t *ldap_inst) {
-	return ISC_TF(isc_atomic_cmpxchg(&ldap_inst->tainted, 0, 0) != 0);
+	return ISC_TF(isc_refcount_current(&ldap_inst->errors) != 0);
+}
+
+/**
+ * Pass result of this function to ldap_instance_untaint_finish().
+ */
+unsigned int
+ldap_instance_untaint_start(ldap_instance_t *ldap_inst) {
+	unsigned int errors;
+	errors = isc_refcount_current(&ldap_inst->errors);
+
+	return ISC_TF(errors != 0);
+}
+
+/**
+ * DNS_R_CONTINUE: untainting was not finished - start again.
+ */
+isc_result_t
+ldap_instance_untaint_finish(ldap_instance_t *ldap_inst, unsigned int count) {
+	unsigned int remaining = 0;
+	while (count > 0) {
+		isc_refcount_decrement(&ldap_inst->errors, &remaining);
+		count--;
+	}
+	if (remaining != 0)
+		return DNS_R_CONTINUE;
+	else
+		return ISC_R_SUCCESS;
 }
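Review bot: `ldap_instance_untaint_start()` is documented as returning a value to pass to untaint_finish() as `count`, but it returns `ISC_TF(errors != 0)` instead of `errors`; return the count it computed. In `ldap_instance_untaint_finish()`, `remaining` is only assigned inside the loop, so a call with count == 0 reports ISC_R_SUCCESS even if taint() fired between start and finish; read isc_refcount_current() when the loop did not run. Also, BIND's isc_refcount_decrement() asserts that the counter is positive, so a `count` larger than the current value (for example finish called twice for one start) aborts named rather than failing gracefully; document that start/finish must be paired exactly once, or stop decrementing when `remaining` reaches zero.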
diff --git a/src/ldap_helper.h b/src/ldap_helper.h
index e81b8aa59d3518b80afec2ad357e859bcb7eac20..b4b1ee59edb3414b305888271dc425980a1fd3df 100644
--- a/src/ldap_helper.h
+++ b/src/ldap_helper.h
@@ -90,4 +90,10 @@ isc_boolean_t ldap_instance_isexiting(ldap_instance_t *ldap_inst) ATTR_NONNULLS
 
 void ldap_instance_taint(ldap_instance_t *ldap_inst) ATTR_NONNULLS;
 
+unsigned int
+ldap_instance_untaint_start(ldap_instance_t *ldap_inst);
+
+isc_result_t
+ldap_instance_untaint_finish(ldap_instance_t *ldap_inst, unsigned int count);
+
 #endif /* !_LD_LDAP_HELPER_H_ */
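Review bot: the two new prototypes lack the `ATTR_NONNULLS` annotation carried by the neighbouring `ldap_instance_taint` and `ldap_instance_isexiting` declarations; add it for consistency. The header is what callers read, so the pairing contract (pass the value returned by `ldap_instance_untaint_start` to `ldap_instance_untaint_finish`, and repeat while it returns DNS_R_CONTINUE) belongs in a comment here rather than only in ldap_helper.c.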
-- 
2.1.0

From f91cfee843dab9adac2626d88f11566993f58562 Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Wed, 10 Jun 2015 18:25:19 +0200
Subject: [PATCH] Replace isc_atomic_* in MetaLDAP with reference counter
 abstraction.

Reference counters are used as an abstraction that hides missing isc_atomic_*()
functions on some architectures.
---
 src/mldap.c | 47 +--
 1 file changed, 29 insertions(+), 18 deletions(-)

diff --git a/src/mldap.c b/src/mldap.c
index 0c8327ccd7be802c9ee97838d19efb57715328fc..8cffe8a1fbf8eaa20aae79c28ad8d7a305494f19 100644
--- a/src/mldap.c
+++ b/src/mldap.c
@@ -11,6 +11,7 @@
 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -47,7 +48,7 @@ static dns_name_t uuid_rootname =
 struct mldapdb {
 	isc_mem_t	*mctx;
 	metadb_t	*mdb;
-	isc_uint32_t	generation;
+	isc_refcount_t	generation;
 };
 
 
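Review bot: `generation` is a monotonically increasing generation number, not a reference count, and the isc_refcount API is stricter than isc_atomic_*: decrement asserts the counter is positive and isc_refcount_destroy() expects it to be zero. The mldap destroy path therefore has to drain or reset `generation` before destroying it, the way the ldap_helper.c patch zeroes `errors` before `isc_refcount_destroy()`; a comment on the field saying it is only ever incremented would also help the next reader.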
@@ -62,8 +63,8 @@ mldap_new(isc_mem_t *mctx, mldapdb_t **mldapp) {
 	ZERO_PTR(mldap);
 	isc_mem_attach(mctx, &mldap->mctx);
 
+	CHECK(isc_refcount_init(&mldap->g

Re: [Freeipa-devel] [PATCHES 434, 443, 444] vault: Fix ipa-kra-install

2015-06-10 Thread Jan Cholasta

Dne 10.6.2015 v 18:14 David Kupka napsal(a):

Dne 10.6.2015 v 18:08 David Kupka napsal(a):

Dne 10.6.2015 v 13:25 Jan Cholasta napsal(a):

Hi,

the attached patches fix several shortcomings in ipa-kra-install, see
commit messages.



(Patch 434 was introduced in
.)


Honza



There are two issues:
1) https://fedorahosted.org/freeipa/ticket/5059, but it is just a missing
check and can be fixed later.

2) kra.install() was called before http_install(), but KRA installation
needs httpd running. This is fixed in the attached patch.




I accidentally included a change in Makefile; updated patch attached.
Also I forgot to explicitly write 'ACK' to fulfill the process
requirements, so: Works for me, ACK.


Thanks.

Pushed to master: e7ac57e1390c76c3d7fdb2710808def107d21d6d

--
Jan Cholasta

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCHES 434, 443, 444] vault: Fix ipa-kra-install

2015-06-10 Thread David Kupka

Dne 10.6.2015 v 18:08 David Kupka napsal(a):

Dne 10.6.2015 v 13:25 Jan Cholasta napsal(a):

Hi,

the attached patches fix several shortcomings in ipa-kra-install, see
commit messages.



(Patch 434 was introduced in
.)

Honza



There are two issues:
1) https://fedorahosted.org/freeipa/ticket/5059, but it is just a missing
check and can be fixed later.

2) kra.install() was called before http_install(), but KRA installation
needs httpd running. This is fixed in the attached patch.




I accidentally included a change in Makefile; updated patch attached.
Also I forgot to explicitly write 'ACK' to fulfill the process
requirements, so: Works for me, ACK.

--
David Kupka
From a56cee4c6e0fc9fa246f5d7c053218a21819eae7 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Wed, 10 Jun 2015 08:50:42 +
Subject: [PATCH] vault: Fix ipa-kra-install

Use state in LDAP rather than local state to check if KRA is installed.
Use correct log file names.

https://fedorahosted.org/freeipa/ticket/3872
---
 API.txt|  6 +++
 VERSION|  4 +-
 ipalib/plugins/vault.py| 38 -
 ipaplatform/base/paths.py  |  4 +-
 ipaserver/install/installutils.py  | 16 
 ipaserver/install/ipa_kra_install.py   | 22 ++
 ipaserver/install/kra.py   | 65 +-
 ipaserver/install/server/install.py|  7 ++--
 ipaserver/install/server/replicainstall.py | 33 +++
 ipaserver/install/service.py   |  1 +
 ipaserver/plugins/dogtag.py|  2 +-
 11 files changed, 102 insertions(+), 96 deletions(-)

diff --git a/API.txt b/API.txt
index 9e3f223b7ac338840d7090299f9108e951ea920a..9e41ece74c94d5d1f9ee2900461b02b56a6f562b 100644
--- a/API.txt
+++ b/API.txt
@@ -2487,6 +2487,12 @@ option: Str('version?', exclude='webui')
 output: Output('commands', , None)
 output: Output('methods', , None)
 output: Output('objects', , None)
+command: kra_is_enabled
+args: 0,1,3
+option: Str('version?', exclude='webui')
+output: Output('result', , None)
+output: Output('summary', (, ), None)
+output: PrimaryKey('value', None, None)
 command: krbtpolicy_mod
 args: 1,9,3
 arg: Str('uid', attribute=True, cli_name='user', multivalue=False, primary_key=True, query=True, required=False)
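Review bot: `kra_is_enabled` becomes a public, RPC-reachable command (no exclude on the command itself, only on the `version` option), callable by any authenticated principal. The fact it reveals, whether a KRA is installed, is low-sensitivity, but say so in the command's docstring and, since it exists to serve the vault plugin rather than users, consider marking it NO_CLI so it does not show up in `ipa help`.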
diff --git a/VERSION b/VERSION
index 535b3e228a3500f2013ea793b19a97d9fbd05021..a8d484cce2a79ed97826a24e06ea0564e99acaa6 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=2010061412
 #  #
 
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=126
-# Last change: edewata - added vault-archive and vault-retrieve
+IPA_API_VERSION_MINOR=127
+# Last change: jcholast - add kra_is_enabled
diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py
index e1e64aa40331067e610661142fc7e4c1340a56dd..f80ecfdfa72671a68822f9f87599d8d5f2898728 100644
--- a/ipalib/plugins/vault.py
+++ b/ipalib/plugins/vault.py
@@ -33,7 +33,7 @@ from ipalib import output
 from ipalib.crud import PKQuery, Retrieve, Update
 from ipalib.plugable import Registry
 from ipalib.plugins.baseldap import LDAPObject, LDAPCreate, LDAPDelete,\
-LDAPSearch, LDAPUpdate, LDAPRetrieve
+LDAPSearch, LDAPUpdate, LDAPRetrieve, pkey_to_value
 from ipalib.request import context
 from ipalib.plugins.user import split_principal
 from ipalib import _, ngettext
@@ -320,7 +320,7 @@ class vault_add(LDAPCreate):
  **options):
 assert isinstance(dn, DN)
 
-if not self.api.env.enable_kra:
+if not self.api.Command.kra_is_enabled()['result']:
 raise errors.InvocationError(
 format=_('KRA service is not enabled'))
 
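Review bot: `self.api.Command.kra_is_enabled()['result']` replaces a cached env flag with a command call that, per the commit message, consults LDAP on every vault operation, and the same three lines are repeated verbatim in the vault_del, vault_find and vault_mod hunks below (and presumably vault_show). Factor the check into one helper on the vault object, and consider memoising its result per request via `context` (already imported here) so that a vault-find does not repeat the lookup for each call.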
@@ -344,7 +344,7 @@ class vault_del(LDAPDelete):
 def pre_callback(self, ldap, dn, *keys, **options):
 assert isinstance(dn, DN)
 
-if not self.api.env.enable_kra:
+if not self.api.Command.kra_is_enabled()['result']:
 raise errors.InvocationError(
 format=_('KRA service is not enabled'))
 
@@ -390,7 +390,7 @@ class vault_find(LDAPSearch):
  **options):
 assert isinstance(base_dn, DN)
 
-if not self.api.env.enable_kra:
+if not self.api.Command.kra_is_enabled()['result']:
 raise errors.InvocationError(
 format=_('KRA service is not enabled'))
 
@@ -422,7 +422,7 @@ class vault_mod(LDAPUpdate):
 
 assert isinstance(dn, DN)
 
-if not self.api.env.enable_kra:
+if not self.api.Command.kra_is_enabled()['result']:
 raise errors.InvocationError(
 format=_('KRA service is not enabled'))
 
@@ -438,7 +438,7 @@ class vault_show(LDAPRetrieve):
 def pre_callback

Re: [Freeipa-devel] Community Portal Milestone

2015-06-10 Thread Petr Vobornik

On 06/10/2015 04:55 PM, Drew Erny wrote:



On 06/10/2015 10:16 AM, Martin Kosek wrote:

AFAIK, this work would form some standalone page utilizing the FreeIPA
Web UI framework we have already, to get the same look and feel. Using
the FreeIPA API to store/manipulate user entries should thus be much
easier than taking care of a separate database. Also, if the Stage user
tree is used, the admins doing the validation of user entries may also
have other responsibilities in FreeIPA, so they may welcome having
these entries in Stage User in the FreeIPA Web UI without going to a
special application. Just my thoughts, I would welcome other feedback.

I'm worried if I try to fit this into the existing WebUI framework, I'm
gonna end up wrangling with the fact that the WebUI expects to have an
authenticated LDAP user, but we need anonymous access for both
self-service registration and (eventually) for password reset. I'm not
sure what kind of changes would be needed to make this work. I'll use
the stageuser tree either way, though; your argument on that is
definitely correct.



https://ipa.demo1.freeipa.org/ipa/ui/sync_otp.html is an example of such a
standalone page.


Web UI framework doesn't need authentication until it talks to IPA API.
--
Petr Vobornik



Re: [Freeipa-devel] [PATCHES 434, 443, 444] vault: Fix ipa-kra-install

2015-06-10 Thread David Kupka

Dne 10.6.2015 v 13:25 Jan Cholasta napsal(a):

Hi,

the attached patches fix several shortcomings in ipa-kra-install, see
commit messages.



(Patch 434 was introduced in
.)

Honza



There are two issues:
1) https://fedorahosted.org/freeipa/ticket/5059, but it is just a missing
check and can be fixed later.


2) kra.install() was called before http_install(), but KRA installation
needs httpd running. This is fixed in the attached patch.



--
David Kupka
From 3e7b2e6e96c9568a453ae48e72762c8e1bb51684 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Wed, 10 Jun 2015 08:50:42 +
Subject: [PATCH] vault: Fix ipa-kra-install

Use state in LDAP rather than local state to check if KRA is installed.
Use correct log file names.

https://fedorahosted.org/freeipa/ticket/3872
---
 API.txt|  6 +++
 Makefile   |  4 +-
 VERSION|  4 +-
 ipalib/plugins/vault.py| 38 -
 ipaplatform/base/paths.py  |  4 +-
 ipaserver/install/installutils.py  | 16 
 ipaserver/install/ipa_kra_install.py   | 22 ++
 ipaserver/install/kra.py   | 65 +-
 ipaserver/install/server/install.py|  7 ++--
 ipaserver/install/server/replicainstall.py | 33 +++
 ipaserver/install/service.py   |  1 +
 ipaserver/plugins/dogtag.py|  2 +-
 12 files changed, 104 insertions(+), 98 deletions(-)

diff --git a/API.txt b/API.txt
index 9e3f223b7ac338840d7090299f9108e951ea920a..9e41ece74c94d5d1f9ee2900461b02b56a6f562b 100644
--- a/API.txt
+++ b/API.txt
@@ -2487,6 +2487,12 @@ option: Str('version?', exclude='webui')
 output: Output('commands', , None)
 output: Output('methods', , None)
 output: Output('objects', , None)
+command: kra_is_enabled
+args: 0,1,3
+option: Str('version?', exclude='webui')
+output: Output('result', , None)
+output: Output('summary', (, ), None)
+output: PrimaryKey('value', None, None)
 command: krbtpolicy_mod
 args: 1,9,3
 arg: Str('uid', attribute=True, cli_name='user', multivalue=False, primary_key=True, query=True, required=False)
diff --git a/Makefile b/Makefile
index abf58382960099a54b8920dd0e741b9fda17682f..d2b2f28e79478b46e6233b2d89a89e9d4b1a9585 100644
--- a/Makefile
+++ b/Makefile
@@ -116,8 +116,8 @@ client-dirs:
 	fi
 
 lint: bootstrap-autogen
-	./make-lint $(LINT_OPTIONS)
-	$(MAKE) -C install/po validate-src-strings
+#	./make-lint $(LINT_OPTIONS)
+#	$(MAKE) -C install/po validate-src-strings
 
 
 test:
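Review bot: the `lint:` hunk comments out `./make-lint $(LINT_OPTIONS)` and `$(MAKE) -C install/po validate-src-strings`, which disables lint and translation-string validation for everyone; this is the accidental Makefile change the author mentions and must be dropped before push (the resubmitted a56cee4c patch no longer contains it).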
diff --git a/VERSION b/VERSION
index 535b3e228a3500f2013ea793b19a97d9fbd05021..a8d484cce2a79ed97826a24e06ea0564e99acaa6 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=2010061412
 #  #
 
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=126
-# Last change: edewata - added vault-archive and vault-retrieve
+IPA_API_VERSION_MINOR=127
+# Last change: jcholast - add kra_is_enabled
diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py
index e1e64aa40331067e610661142fc7e4c1340a56dd..f80ecfdfa72671a68822f9f87599d8d5f2898728 100644
--- a/ipalib/plugins/vault.py
+++ b/ipalib/plugins/vault.py
@@ -33,7 +33,7 @@ from ipalib import output
 from ipalib.crud import PKQuery, Retrieve, Update
 from ipalib.plugable import Registry
 from ipalib.plugins.baseldap import LDAPObject, LDAPCreate, LDAPDelete,\
-LDAPSearch, LDAPUpdate, LDAPRetrieve
+LDAPSearch, LDAPUpdate, LDAPRetrieve, pkey_to_value
 from ipalib.request import context
 from ipalib.plugins.user import split_principal
 from ipalib import _, ngettext
@@ -320,7 +320,7 @@ class vault_add(LDAPCreate):
  **options):
 assert isinstance(dn, DN)
 
-if not self.api.env.enable_kra:
+if not self.api.Command.kra_is_enabled()['result']:
 raise errors.InvocationError(
 format=_('KRA service is not enabled'))
 
@@ -344,7 +344,7 @@ class vault_del(LDAPDelete):
 def pre_callback(self, ldap, dn, *keys, **options):
 assert isinstance(dn, DN)
 
-if not self.api.env.enable_kra:
+if not self.api.Command.kra_is_enabled()['result']:
 raise errors.InvocationError(
 format=_('KRA service is not enabled'))
 
@@ -390,7 +390,7 @@ class vault_find(LDAPSearch):
  **options):
 assert isinstance(base_dn, DN)
 
-if not self.api.env.enable_kra:
+if not self.api.Command.kra_is_enabled()['result']:
 raise errors.InvocationError(
 format=_('KRA service is not enabled'))
 
@@ -422,7 +422,7 @@ class vault_mod(LDAPUpdate):
 
 assert isinstance(dn, DN)
 
-if not self.api.env.enable_kra:
+if

Re: [Freeipa-devel] [PATCH 0329] ipa-replica-manage: Do not allow topology altering commands

2015-06-10 Thread Ludwig Krispenz


On 06/10/2015 04:39 PM, Petr Vobornik wrote:

On 06/10/2015 04:06 PM, Petr Vobornik wrote:

On 06/02/2015 02:24 PM, Ludwig Krispenz wrote:

hi,

Is there a real replacement for "del"? It is not in the scope of the
topology commands, the removal of the agreement is rejected and later
done by the plugin, but what about removal of the host, services,
cleanruv?

Ludwig
On 06/02/2015 02:10 PM, Tomas Babej wrote:

Hi,

With Domain Level 1 and above, the usage of ipa-replica-manage commands
that alter the replica topology is deprecated. The following commands
are prohibited:

* connect
* disconnect
* del

Upon executing any of these commands, users are pointed to the
ipa topologysegment-* replacements.

Part of: https://fedorahosted.org/freeipa/ticket/4302




Tomas is on vacation. I've removed 'del' from his patch and will create
a new one for handling of 'del'.

If that's OK, we can push this one.




NACK

'connect' and 'disconnect' also serve for setting up/removing winsync
replication agreements. This patch forbids that.


I've not tested if topology plugin ignores winsync agreements. Does it?

Yes, it only manages "normal" agreements.



Re: [Freeipa-devel] Community Portal Milestone

2015-06-10 Thread Drew Erny



On 06/10/2015 10:16 AM, Martin Kosek wrote:
AFAIK, this work would form some standalone page utilizing the FreeIPA 
Web UI framework we have already, to get the same look and feel. Using 
FreeIPA API to store/manipulate user entries should be thus much 
easier, then taking care of separate database. Also, if Stage user 
tree is used, the admins doing the validation of user entries may also 
have other responsibilities in FreeIPA, so they may welcome having 
these entries in Stage User in the FreeIPA Web UI without going to 
special application. Just my thoughts, I would welcome other feedback.

I'm worried if I try to fit this into the existing WebUI framework, I'm
gonna end up wrangling with the fact that the WebUI expects to have an 
authenticated LDAP user, but we need anonymous access for both 
self-service registration and (eventually) for password reset. I'm not 
sure what kind of changes would be needed to make this work. I'll use 
the stageuser tree either way, though; your argument on that is 
definitely correct.




Re: [Freeipa-devel] [PATCH 0329] ipa-replica-manage: Do not allow topology altering commands

2015-06-10 Thread Petr Vobornik

On 06/10/2015 04:06 PM, Petr Vobornik wrote:

On 06/02/2015 02:24 PM, Ludwig Krispenz wrote:

hi,

is there a real replacement for "del", it is not in the scope of the
topology commands, the removal of the agreement is rejected and later
done by the plugin, but what about removal of the host, services,
cleanruv ?

Ludwig
On 06/02/2015 02:10 PM, Tomas Babej wrote:

Hi,

With Domain Level 1 and above, the usage of ipa-replica-manage commands
that alter the replica topology is deprecated. Following commands
are prohibited:

* connect
* disconnect
* del

Upon executing any of these commands, users are pointed out to the
ipa topologysegment-* replacements.

Part of: https://fedorahosted.org/freeipa/ticket/4302




Tomas is on vacation. I've removed 'del' from his patch and will create
a new one for handling of 'del'.

If that's OK, we can push this one.




NACK

'connect' and 'disconnect' serve also for setting up/removing of winsync 
replication agreements. This patch forbids it.


I've not tested if topology plugin ignores winsync agreements. Does it?
--
Petr Vobornik



Re: [Freeipa-devel] Community Portal Milestone

2015-06-10 Thread Martin Kosek
On 06/10/2015 04:09 PM, Drew Erny wrote:
> On 06/10/2015 02:52 AM, Martin Kosek wrote:
>> On 06/10/2015 05:11 AM, Adam Young wrote:
>>> On 06/09/2015 06:34 PM, Simo Sorce wrote:
 On Tue, 2015-06-09 at 16:15 -0400, Drew Erny wrote:
> Hey, Freeipa, same thread new subtopic.
>
> So, I was bouncing some ideas around with another developer (ayoung) and
> I think I have a pretty good idea for self-service user registration.
>
> The idea is that I put self-service user registration into its own
> application that calls out to ipa user-add after getting admin approval.
>
> Workflow goes like this:
>
> 1.) User goes to registration page, inputs details into form.
> Registration page and application are not part of FreeIPA.
> 2.) User's registration goes into a non-FreeIPA database, something like
> SQLite.
> 3.) Admin gets a notification email with a link to approve/deny
> registration.
>A.) Admin clicks approval link, registration application (which has
> limited privileges) makes call out to ipa user-add command, adding the
> new user to FreeIPA.
>B.) Admin click deny link, user is not added.
> 4.) User's registration information, approved or denied, is deleted from
> the external database.
>
> This has a couple of advantages. For starters, it provides a layer of
> protection against the creation of spam accounts. Accounts do not add
> directly to LDAP (inserting to LDAP is a slow operation), instead sit in
> intermediate area waiting approval. Second, we don't have to write a big
> extension to ipa user-add or staginguser-add that allows anonymous
> access to that command. Third, it can be bundled into its own package
> and given to the community separate from FreeIPA proper. Finally, it
> would allow me to gracefully defer becoming buried up to my neck in
> D-Bus notifications and whatever other fanciness we want to send email,
> because FreeIPA won't be sending the email.
>
> Opinions?
 You could avoid using an external database by using the new User
 Lifecycle management feature [1]. This will allow you to do a simple
 ldapadd, but the user will not be enabled until an admin logs into the
 FreeIPA interface to enable the user.
 This means your app never needs to see the admin's credentials or use
 s4u2proxy and will pose a lower risk to the system.
>>> The big issue was having an unauthenticated user add to the datastore; I don't
>>> think you want to push new values directly into LDAP. A separate Database makes
>>> a lot of sense, and using SQLite for a proof of concept allows us to migrate up
>>> to MySQL for a live deployment.
>> The separate database does not make lot of sense to me, why not using the Stage
>> User tree when it's there, ready for you? I would like to know what is the
>> motivation and reasoning for using completely separate DB. Besides others, I
>> think Stage Users area for example checks for login name or UID/GID collisions.
>>
>> The Selfservice just needs to operate under an identity that has a Stage User
>> Administrator privilege or we can create more contained privilege that could
>> just add the staged users and not modify/remove them.
>>
> Well, I'm led to believe that LDAP modifications are a slow operation.

Yes. With LDAP, reads are quick, writes are slow.

> My
> concern is that if a site got hit with a load of spam, it could slow down a
> lot. Enforcing a separation between verified users (who are in the LDAP
> database) and the unwashed masses (who sit isolated in a small relational
> database, good performance) might be a good thing in a public environment.
> We're not talking about much of a database, either; it should top out at a
> couple dozen entries on a massive site if the admins are diligent in clearing
> it out. If the possible performance hit isn't a concern (and LDAP databases are
> not as slow as I'd guessed) then I'll just use the user staging area. Is
> performance a concern?

I do not see that the performance should be the main decision point for this
work. Maybe we would get there later, right now this may be just premature
optimization. LDAP database should not be *that* slow. My naive guess is that
if the user registration portal contains some decent Captcha or other
mechanism, the number of wrong new user entries should be low.

AFAIK, this work would form some standalone page utilizing the FreeIPA Web UI
framework we have already, to get the same look and feel. Using FreeIPA API to
store/manipulate user entries should be thus much easier, then taking care of
separate database.

Also, if Stage user tree is used, the admins doing the validation of user
entries may also have other responsibilities in FreeIPA, so they may welcome
having these entries in Stage User in the FreeIPA Web UI without going to
special application.

Just my thoughts, I would welc

Re: [Freeipa-devel] Community Portal Milestone

2015-06-10 Thread Drew Erny

On 06/10/2015 02:52 AM, Martin Kosek wrote:

On 06/10/2015 05:11 AM, Adam Young wrote:

On 06/09/2015 06:34 PM, Simo Sorce wrote:

On Tue, 2015-06-09 at 16:15 -0400, Drew Erny wrote:

Hey, Freeipa, same thread new subtopic.

So, I was bouncing some ideas around with another developer (ayoung) and
I think I have a pretty good idea for self-service user registration.

The idea is that I put self-service user registration into its own
application that calls out to ipa user-add after getting admin approval.

Workflow goes like this:

1.) User goes to registration page, inputs details into form.
Registration page and application are not part of FreeIPA.
2.) User's registration goes into a non-FreeIPA database, something like
SQLite.
3.) Admin gets a notification email with a link to approve/deny
registration.
   A.) Admin clicks approval link, registration application (which has
limited privileges) makes call out to ipa user-add command, adding the
new user to FreeIPA.
   B.) Admin click deny link, user is not added.
4.) User's registration information, approved or denied, is deleted from
the external database.

This has a couple of advantages. For starters, it provides a layer of
protection against the creation of spam accounts. Accounts do not add
directly to LDAP (inserting to LDAP is a slow operation), instead sit in
intermediate area waiting approval. Second, we don't have to write a big
extension to ipa user-add or staginguser-add that allows anonymous
access to that command. Third, it can be bundled into its own package
and given to the community separate from FreeIPA proper. Finally, it
would allow me to gracefully defer becoming buried up to my neck in
D-Bus notifications and whatever other fanciness we want to send email,
because FreeIPA won't be sending the email.

Opinions?

You could avoid using an external database by using the new User
Lifecycle management feature [1]. This will allow you to do a simple
ldapadd, but the user will not be enabled until an admin logs into the
FreeIPA interface to enable the user.
This means your app never needs to see the admin's credentials or use
s4u2proxy and will pose a lower risk to the system.

The big issue was having an unauthenticated user add to the datastore; I don't
think you want to push new values directly into LDAP. A separate Database makes
a lot of sense, and using SQLite for a proof of concept allows us to migrate up
to MySQL for a live deployment.

The separate database does not make lot of sense to me, why not using the Stage
User tree when it's there, ready for you? I would like to know what is the
motivation and reasoning for using completely separate DB. Besides others, I
think Stage Users area for example checks for login name or UID/GID collisions.

The Selfservice just needs to operate under an identity that has a Stage User
Administrator privilege or we can create more contained privilege that could
just add the staged users and not modify/remove them.

Well, I'm led to believe that LDAP modifications are a slow operation. 
My concern is that if a site got hit with a load of spam, it could slow 
down a lot. Enforcing a separation between verified users (who are in 
the LDAP database) and the unwashed masses (who sit isolated in a small 
relational database, good performance) might be a good thing in a public 
environment. We're not talking about much of a database, either; it 
should top out at a couple dozen entries on a massive site if the admins 
are diligent in clearing it out. If the possible performance hit isn't a 
concern (and LDAP databases are not as slow as I'd guessed) then I'll
just use the user staging area. Is performance a concern?




Re: [Freeipa-devel] [PATCH 0329] ipa-replica-manage: Do not allow topology altering commands

2015-06-10 Thread Petr Vobornik

On 06/02/2015 02:24 PM, Ludwig Krispenz wrote:

hi,

is there a real replacement for "del", it is not in the scope of the
topology commands, the removal of the agreement is rejected and later
done by the plugin, but what about removal of the host, services,
cleanruv ?

Ludwig
On 06/02/2015 02:10 PM, Tomas Babej wrote:

Hi,

With Domain Level 1 and above, the usage of ipa-replica-manage commands
that alter the replica topology is deprecated. Following commands
are prohibited:

* connect
* disconnect
* del

Upon executing any of these commands, users are pointed out to the
ipa topologysegment-* replacements.

Part of: https://fedorahosted.org/freeipa/ticket/4302




Tomas is on vacation. I've removed 'del' from his patch and will create 
a new one for handling of 'del'.


If that's OK, we can push this one.
--
Petr Vobornik
From 0d49c689c69acffa060934589090f246b2342d2c Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Tue, 2 Jun 2015 14:06:26 +0200
Subject: [PATCH] ipa-replica-manage: Do not allow topology altering commands
 from DL 1

With Domain Level 1 and above, the usage of ipa-replica-manage commands
that alter the replica topology is deprecated. Following commands
are prohibited:

* connect
* disconnect

Upon executing any of these commands, users are pointed out to the
ipa topologysegment-* replacements.

Part of: https://fedorahosted.org/freeipa/ticket/4302
---
 install/tools/ipa-replica-manage | 22 --
 1 file changed, 16 insertions(+), 6 deletions(-)

diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index 0d2688e6d73b1591c5e386656b7198c20d71558a..a55ca7a89435aa79733b6edbf72d7c51b219d23c 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -747,12 +747,6 @@ def del_master(realm, hostname, options):
 try:
 if bindinstance.dns_container_exists(options.host, thisrepl.suffix,
  dm_password=options.dirman_passwd):
-if options.dirman_passwd:
-api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
-  bind_pw=options.dirman_passwd)
-else:
-ccache = krbV.default_context().default_ccache()
-api.Backend.ldap2.connect(ccache=ccache)
 bind = bindinstance.BindInstance()
 bind.remove_master_dns_records(hostname, realm, realm.lower())
 bind.remove_ipa_ca_dns_records(hostname, realm.lower())
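Review bot: removing the `api.Backend.ldap2.connect(...)` branches from `del_master` leaves `bind.remove_master_dns_records(...)` and `bind.remove_ipa_ca_dns_records(...)` relying on a connection that some caller has already opened; the rest of this patch opens it in `main()`, so add a one-line comment above `bind = bindinstance.BindInstance()` stating that `del_master` expects a connected `ldap2` backend, otherwise a future caller that enters via another path will hit an unconnected backend with no hint why.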
@@ -1209,6 +1203,22 @@ def main():
 
 options.dirman_passwd = dirman_passwd
 
+# Initialize the LDAP connection
+if options.dirman_passwd:
+api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
+  bind_pw=options.dirman_passwd)
+else:
+ccache = krbV.default_context().default_ccache()
+api.Backend.ldap2.connect(ccache=ccache)
+
+# Check the domain level
+if args[0] in ("connect", "disconnect"):
+domainlevel = api.Command['domainlevel_get']().get('result', 0)
+if domainlevel > 0:
+sys.exit("The {0} command is deprecated with domain level 1. "
+ "Please use ipa topologysegment-* commands to manage "
+ "IPA replication topology.".format(args[0]))
+
 if args[0] == "list":
 replica = None
 if len(args) == 2:
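Review bot: the rejection under `if args[0] in ("connect", "disconnect"):` fires for every connect/disconnect invocation, including the winsync agreement setup that the NACK in this thread points out these subcommands also serve; exempt the winsync case before reaching `sys.exit(...)`. Two smaller points in the same block: the message says "deprecated with domain level 1" while the test is `domainlevel > 0`, so wording like "domain level 1 and above" would match the commit message; and because the `api.Backend.ldap2.connect(...)` call now runs in `main()` for every subcommand, read-only commands such as `list` newly require a working connection, which is worth confirming as intended.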
-- 
2.1.0


Re: [Freeipa-devel] [PATCH 0031] Update PKCS#11 mechanism constants for AES key wrapping to PKCS#11 v2.40

2015-06-10 Thread Martin Basti

On 08/06/15 16:18, Petr Spacek wrote:

Hello,

Update PKCS#11 mechanism constants for AES key wrapping to PKCS#11 v2.40.

SoftHSM 2.0.0rc1 was updated to these new constants to avoid collision with
Blowfish mechanisms.


Older code *cannot* work with SoftHSM 2.0.0rc1 and newer.

Symptoms include errors like this:

On DNSSEC key master:
ipa-ods-exporter: _ipap11helper.Error: Error at key wrapping: get buffer
length: 0x70

On DNSSEC replicas:
ipa-dnskeysyncd: subprocess.CalledProcessError: Command
''/usr/libexec/ipa/ipa-dnskeysync-replica'' returned non-zero exit status 1


ACK

--
Martin Basti



Re: [Freeipa-devel] [PATCH 0051] Use 389-ds centralized scripts.

2015-06-10 Thread Martin Basti

On 09/06/15 16:43, David Kupka wrote:

https://fedorahosted.org/freeipa/ticket/4051

ACK

--
Martin Basti



Re: [Freeipa-devel] [PATCHES 00012-0013 v7] Profiles and CA ACLs

2015-06-10 Thread Martin Basti

On 10/06/15 13:57, Martin Kosek wrote:

On 06/10/2015 01:50 PM, Jan Cholasta wrote:

Dne 10.6.2015 v 13:44 Martin Basti napsal(a):

On 10/06/15 06:40, Fraser Tweedale wrote:

On Tue, Jun 09, 2015 at 04:37:56PM +0200, Martin Basti wrote:

On 09/06/15 08:58, Fraser Tweedale wrote:

On Mon, Jun 08, 2015 at 08:49:06AM +0200, Martin Kosek wrote:

On 06/08/2015 03:31 AM, Fraser Tweedale wrote:

New patches attached.  Comments inline.

Thanks Fraser!

...

5)
Missing referint plugin configuration for attribute
'ipacaaclmembercertprofile'
Please add it into install/updates/25-referint.update (+ other
member
attributes if missing)


Added this.  There is a comment in 25-referint.update:

  # pres and eq indexes defined in 20-indices.update must be set
  # for all the attributes

Can you explain what is required here?  Is it just to add: I see
things for memberUser and memberHost in indices.ldif but nothing for
memberService.  Do I need to add to indices.ldif:

  dn: cn=memberProfile,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
  changetype: add
  cn: memberProfile
  ObjectClass: top
  ObjectClass: nsIndex
  nsSystemIndex: false
  nsIndexType: eq
  nsIndexType: pres
  nsIndexType: sub

, and similarly for memberCa?  Sorry I do not know much about LDAP
indexing.

AFAIR, yes. BTW, where does the "sub" index come from? It is quite an expensive
index to use and I now cannot think of memberProfile search where you would
need a substring...

Thanks,
Martin

Updated patch attached, which adds the indices.  (Also rebased).

There is a commit that seems to indicate that substring index is
needed, so I have included substring indices in this patchset.
Copied Honza in case he wants to comment.

  commit a10521a1dcf69960d6ce0bf5657180b709c297c0
  Author: Jan Cholasta 
  Date:   Tue Jun 25 13:16:40 2013 +

  Add missing substring indices for attributes managed by the referint plugin.

  The referint plugin does a substring search on these attributes each time an
  entry is deleted, which causes a noticeable slowdown for large directories if
  the attributes are not indexed.

  https://fedorahosted.org/freeipa/ticket/3706

Cheers,
Fraser

ACK

Please send the upgrade patch ASAP :)

--
Martin Basti


Thank you for the ACK \o/

Since the patches have not been pushed, here is an updated patchset
which adds the upgrade behaviour.  There are no changes apart from
the additions to ipaserver/install/server/upgrade.py.

Cheers,
Fraser

ACK

NACK, the new OIDs are not registered.

BTW all new attribute names should have the "ipa" prefix. Also I would prefer
"CertProfile" instead of just "Profile" in certificate profile related names.
Please rename the attributes as follows:

 memberCa -> ipaMemberCa
 memberProfile -> ipaMemberCertProfile
 caCategory -> ipaCaCategory
 profileCategory -> ipaCertProfileCategory

Honza


+1. I see that other attributes from this feature use the ipa prefix already:

dn: cn=schema
attributeTypes: (2.16.840.1.113730.3.8.21.1.1 NAME 'ipaCertProfileStoreIssued'
DESC 'Store certificates issued using this profile' EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.2' )
objectClasses: (2.16.840.1.113730.3.8.21.2.1 NAME 'ipaCertProfile' SUP top
STRUCTURAL MUST ( cn $ description $ ipaCertProfileStoreIssued ) X-ORIGIN 'IPA
v4.2' )

Those OIDs should be BTW registered as well, if not already

OID registered.

Patches with updated names attached.
Can you Fraser check if I didn't break anything? :)

--
Martin Basti

From e026cbfeb750d359ac2783b3ff3f88fbf3e7e5e3 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Mon, 25 May 2015 08:39:07 -0400
Subject: [PATCH 1/2] Add CA ACL plugin

Implement the caacl commands, which are used to indicate which
principals may be issued certificates from which (sub-)CAs, using
which profiles.

At this commit, and until sub-CAs are implemented, all rules refer
to the top-level CA (represented as ".") and no ca-ref argument is
exposed.

Also, during install and upgrade add a default CA ACL that permits
certificate issuance for all hosts and services using the profile
'caIPAserviceCert' on the top-level CA.

Part of: https://fedorahosted.org/freeipa/ticket/57
Part of: https://fedorahosted.org/freeipa/ticket/4559
---
 ACI.txt   |  10 +
 API.txt   | 184 
 VERSION   |   4 +-
 install/share/60certificate-profiles.ldif |   5 +
 install/share/Makefile.am |   1 +
 install/share/bootstrap-template.ldif |   6 +
 install/share/default-caacl.ldif  |  11 +
 install/share/indices.ldif|  20 ++
 install/updates/20-indices.update |  18 ++
 install/updates/25-referint.update|   2 +
 install/updates/41-caacl.update   |   4 +
 install/updates/Makefile.am   |   
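A check for the indexing requirement discussed in this thread, added here as an example; it is not part of the FreeIPA patches. It parses entries in the indices.ldif format quoted above and reports, for each attribute the referint plugin manages, which of the eq, pres and sub index types is missing. The sample LDIF and the list of referint-managed attributes are constructed for the example (the real list would be read from 25-referint.update).

```python
# Added example: verify that referint-managed attributes carry eq/pres/sub indexes.
REQUIRED_INDEX_TYPES = {"eq", "pres", "sub"}

# Constructed sample in the indices.ldif format quoted in the thread.
# memberCa deliberately lacks the "sub" index; memberService has no entry at all.
SAMPLE_INDICES_LDIF = """\
dn: cn=memberProfile,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
cn: memberProfile
ObjectClass: top
ObjectClass: nsIndex
nsSystemIndex: false
nsIndexType: eq
nsIndexType: pres
nsIndexType: sub

dn: cn=memberCa,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
cn: memberCa
ObjectClass: top
ObjectClass: nsIndex
nsSystemIndex: false
nsIndexType: eq
nsIndexType: pres
"""

# Constructed list standing in for the referint-membership-attr values.
REFERINT_ATTRS = ["memberProfile", "memberCa", "memberService"]


def parse_ldif_entries(text):
    """Split LDIF text into entries, each a dict of lower-cased attribute -> [values].
    Folds continuation lines (leading space) and skips '#' comments."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")  # DN values contain commas, never a first colon
        current.setdefault(key.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def index_types(entries):
    """Map each indexed attribute (nsIndex entry, by cn) to its set of nsIndexType values."""
    result = {}
    for entry in entries:
        classes = {v.lower() for v in entry.get("objectclass", [])}
        if "nsindex" not in classes:
            continue
        for name in entry.get("cn", []):
            result[name.lower()] = {t.lower() for t in entry.get("nsindextype", [])}
    return result


def missing_indexes(referint_attrs, ldif_text, required=REQUIRED_INDEX_TYPES):
    """Return {attribute: sorted list of missing index types} for every referint
    attribute that is not fully indexed; an empty dict means the config is complete."""
    have = index_types(parse_ldif_entries(ldif_text))
    missing = {}
    for attr in referint_attrs:
        gap = required - have.get(attr.lower(), set())
        if gap:
            missing[attr] = sorted(gap)
    return missing


if __name__ == "__main__":
    for attr, gap in missing_indexes(REFERINT_ATTRS, SAMPLE_INDICES_LDIF).items():
        print("%s: missing index types %s" % (attr, ", ".join(gap)))
```

Running the block against the constructed sample flags memberCa (no substring index) and memberService (no index entry at all), which is the kind of gap the quoted commit says makes deletes slow on large directories.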

Re: [Freeipa-devel] [PATCH] 0005 User life cycle: del/mod/find/show stageuser commands

2015-06-10 Thread David Kupka

Dne 20.5.2015 v 11:26 Jan Cholasta napsal(a):

Dne 18.5.2015 v 10:33 thierry bordaz napsal(a):

On 05/15/2015 04:44 PM, David Kupka wrote:

Hello Thierry,
thanks for the patch set. Overall functionality of ULC feature looks good to
me and is definitely "alpha ready".

I found following issues but don't insist on fixing it right now:

1) When stageuser-activate fails due to already existent active/deleted user.
DN is shown instead of user name that's used in other commands (user-add,
stageuser-add).
$ ipa user-add tuser --first Test --last User
$ ipa stageuser-add tuser --first Test --last User
$ ipa stageuser-activate tuser
ipa: ERROR: Active user
uid=tuser,cn=users,cn=accounts,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com


already exists


Hi David, Jan,

Thank you so much for all those tests and feedback. I agree, some minor
bugs can be fixed separately from these main patches.

You are right, it should return the user ID not the DN.



2) According to the design there should be '--only-delete' and '--also-delete'
options for user-find command instead there is '--preserved' option.
Honza proposed adding virtual boolean attribute 'deleted' to user entry and
filter on it.
The 'deleted' attribute would be useful also in user-show where is no way to
tell if the displayed user is active or deleted. (Except running with --all
and looking on the dn).


Yes a bit late to resynch the design.
The final option is 'preserved' for user-find and 'preserve' for
user-del. '--only-delete' or 'also-delete' are old name that I need to
replace in the design.

About the 'deleted' attribute, do you think adding a DS cos virtual
attribute ?


See the attached patch.





3) uidNumber and gidNumber can't be set back to '-1' once set to other value.
This would be useful when admin changes its mind and wants IPA to assign them.
IIUC, there should be no validation in cn=staged user container. All
validation should be done during stageuser-activate.


Yes that comes from user plugin that enforces the number to be >0.
That is a good point giving the ability to reset uidNumber/gidNumber.
I will check if it is possible, how (give a value or an option to
reset), and also if it would not create other issue.


4) Support for deleted -> stage workflow is still missing. But I'm unsure if we
agreed to finish it now or later.


Yes thanks


5) Twice deleting user with '--preserve' deletes him permanently.
$ ipa user-add tuser --first Test --last User
$ ipa user-del tuser --preserve
$ ipa user-del tuser --preserve
$ ipa user-find --preserved

0 (delete) users matched


Number of entries returned 0



Deleting a deleted (preserved) entry, should permanently remove the
entry.
Now if the second time the preserve option is present, it makes sense to
not delete it.


BTW: I might be stating the obvious here, but it would be better to use
one boolean parameter rather than two mutually exclusive flags in user-del.




thanks
thierry




Overall, LGTM,

Just 2 nitpicks:
1) preserved attribute label: 'Preserved deleted user' -> 'Preserved user'
2) 'preserved' attribute should be shown in user-{find,show} when 
'--all' is specified


Updated patch attached.

--
David Kupka
From 7c6e3869ceb64177169b360b21b0af5d73e0405c Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Wed, 20 May 2015 08:12:07 +
Subject: [PATCH] User life cycle: provide preserved user virtual attribute

https://fedorahosted.org/freeipa/ticket/3813
---
 API.txt|  2 +-
 VERSION|  4 +--
 ipalib/plugins/user.py | 78 +++---
 3 files changed, 51 insertions(+), 33 deletions(-)

diff --git a/API.txt b/API.txt
index 9e3f223b7ac338840d7090299f9108e951ea920a..b892eff8bf95c79b7ffdb98738710a7c54000f93 100644
--- a/API.txt
+++ b/API.txt
@@ -5023,7 +5023,7 @@ option: Str('pager', attribute=True, autofill=False, cli_name='pager', multivalu
 option: Flag('pkey_only?', autofill=True, default=False)
 option: Str('postalcode', attribute=True, autofill=False, cli_name='postalcode', multivalue=False, query=True, required=False)
 option: Str('preferredlanguage', attribute=True, autofill=False, cli_name='preferredlanguage', multivalue=False, pattern='^(([a-zA-Z]{1,8}(-[a-zA-Z]{1,8})?(;q\\=((0(\\.[0-9]{0,3})?)|(1(\\.0{0,3})?)))?(\\s*,\\s*[a-zA-Z]{1,8}(-[a-zA-Z]{1,8})?(;q\\=((0(\\.[0-9]{0,3})?)|(1(\\.0{0,3})?)))?)*)|(\\*))$', query=True, required=False)
-option: Flag('preserved?', autofill=True, cli_name='preserved', default=False)
+option: Bool('preserved', attribute=False, autofill=False, cli_name='preserved', default=False, multivalue=False, query=True, required=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Int('sizelimit?', autofill=False, minvalue=0)
 option: Str('sn', attribute=True, autofill=False, cli_name='last', multivalue=False, query=True, required=False)
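Review bot: in the new `option: Bool('preserved', attribute=False, autofill=False, cli_name='preserved', default=False, ...)` the `default=False` is inert because `autofill=False` means the default is never applied, so the option is simply absent unless the user passes it; since the point of moving from `Flag` to `Bool` is presumably that an omitted option matches both active and preserved users while `--preserved=False` matches only active ones, spell that out in the option's doc string and either drop the dead default or document it. The VERSION bump in the diffstat is required for this, as the option's type changed.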
diff -

Re: [Freeipa-devel] [PATCHES 0233-0234] DNSSEC: forwarders validation

2015-06-10 Thread Martin Basti

On 04/06/15 17:28, Petr Spacek wrote:

On 3.6.2015 17:14, Martin Basti wrote:

On 03/06/15 14:57, Petr Spacek wrote:

On 18.5.2015 13:48, Martin Basti wrote:

On 15/05/15 18:11, Petr Spacek wrote:

On 7.5.2015 18:12, Martin Basti wrote:

On 07/05/15 12:19, Petr Spacek wrote:

On 7.5.2015 08:59, David Kupka wrote:

On 05/06/2015 03:20 PM, Martin Basti wrote:

On 05/05/15 15:00, Martin Basti wrote:

On 30/04/15 15:37, David Kupka wrote:

On 04/24/2015 02:56 PM, Martin Basti wrote:

Patches attached.





Hi,
thanks for patches.

1. You changed message in DNSServerNotRespondingWarning class but not
the test in ipatest/test_xmlrpc/test_dns_plugin.py

nitpick. Please spell 'edns' correctly. I've seen several instances
of 'ends'.


Thank you,

updated patches attached:
* new error messages
* logging to debug log server output if exception was raised
* fixed test
* fixed spelling




Fixed tests (again)

Updated patches attached


The code looks good to me and tests are no longer broken. (I would prefer
better fix of the tests but given that the priorities are different now it can
wait.)

Petr, can you please confirm that the patch set works for you?

Sorry, NACK:

$ ipa dnsforwardzone-add ptr.test. --forwarder=10.34.47.236
Server will check DNS forwarder(s).
This may take some time, please wait ...
ipa: ERROR: an internal error has occurred

# /var/log/httpd/error_log
ipa: ERROR: non-public: AssertionError:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line
350, in
wsgi_execute
result = self.Command[name](*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line
443, in
__call__
ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 760,
in run
return self.execute(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line
, in
execute
**options)
  File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line
4405, in
_warning_if_forwarders_do_not_work
log=self.log)
  File "/usr/lib/python2.7/site-packages/ipalib/util.py", line 715, in
validate_dnssec_zone_forwarder_step2
timeout=timeout)
  File "/usr/lib/python2.7/site-packages/ipalib/util.py", line 610, in
_resolve_record
assert isinstance(nameserver_ip, basestring)
AssertionError
ipa: INFO: [jsonserver_session] admin@IPA.EXAMPLE: dnsforwardzone_add(, idnsforwarders=(u'10.34.47.236',), all=False, raw=False,
version=u'2.116'): AssertionError

This is constantly reproducible in my vm-090.abc. Let me know if you want to
take a look.


I'm attaching little response.patch which improves compatibility with older
python-dns packages. This patch allows IPA to work while error messages are
simply not as nice as they could be with latest python-dns :-)

check_fwd_msg.patch is a little nitpick, just to make sure everyone
understands the message.

BTW why some messages in check_forwarders() are printed using 'print' and
others using logger? I would prefer to use logger for everything to make sure
that logs contain all the information, including warnings.

Thank you for your time!


Thank you, fixed.

I added the missing except block after forwarders validation step2.

I confirm that this works but I just discovered another deficiency.

Setup:
- DNSSEC validation is enabled on IPA server
- forwarders uses fake TLD, e.g. 'test.'
- remote DNS server is responding, supports EDNS0 and so on

$ ipa dnsforwardzone-add ptr.test. --forwarder=10.34.47.236
Server will check DNS forwarder(s).
This may take some time, please wait ...
ipa: WARNING: DNS server 10.34.78.90: query 'ptr.test. SOA': The DNS query
name does not exist: ptr.test..

Huh? Let's check named log:
forward zone 'ptr.test': loaded
validating ./SOA: got insecure response; parent indicates it should be
secure

Sometimes I get SERVFAIL from IPA server, too.


Unfortunately this check was the main reason for writing this patchset so we
need to improve it.

Maybe validate_dnssec_zone_forwarder_step2() could special-case NXDOMAIN and
print the DNSSEC-validation-failed error, too? The problem is that it could
trigger some false positives because NXDOMAIN may simply be caused by a delay
somewhere.

Any ideas?

I add catch block for NXDOMAIN

By the way, this is also weird:

$ ipa dnsforwardzone-add ptr.test. --forwarder=10.34.47.236
Server will check DNS forwarder(s).
This may take some time, please wait ...
ipa: ERROR: DNS forward zone with name "ptr.test." already exists

Is it actually doing the check even if the forward zone exists already? (This
is just nitpick, not a blocker!)


The first part is written by IPA client, it is not response from server.
It is just written when the user uses the --forwarder option.

Updated patch attached.

NACK, it does not work for me - it explodes when I try to add a forward zone:

$ ipa dnsforwardzone-add ptr.test. --forwarder=192.0.2.1

ipa: E
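A constructed illustration of the forwarder check debated in this thread, added as an example; it is not FreeIPA's validate_dnssec_zone_forwarder_step2 or check_forwarders. It builds minimal wire-format DNS responses in memory and classifies them by EDNS0 support (presence of an OPT record), RCODE and the AD flag, keeping NXDOMAIN apart from SERVFAIL because, as noted above, an NXDOMAIN may just be a delay or a not-yet-loaded zone rather than a DNSSEC validation failure. All responses are constructed inside the block; nothing is sent on the network.

```python
import struct

# Added example, not FreeIPA code: classify a forwarder's DNS response from wire format.
TYPE_SOA, TYPE_OPT = 6, 41
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0100, 0x0080, 0x0020
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname, rcode, ad=False, with_opt=True, ident=0x1234):
    """Constructed response: header, one SOA question, and optionally an OPT RR
    (EDNS0, 4096-byte UDP payload, DO bit set) in the additional section."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (rcode & 0xF)
    if ad:
        flags |= FLAG_AD
    msg = struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 1 if with_opt else 0)
    msg += encode_name(qname) + struct.pack("!HH", TYPE_SOA, 1)
    if with_opt:
        # OPT: root name, TYPE, CLASS = UDP payload size, TTL = ext RCODE/version/DO, RDLENGTH 0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x8000, 0)
    return msg


def skip_name(msg, pos):
    """Advance past a wire-format name; a compression pointer (0xC0..) ends the name."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + length


def classify_response(msg):
    """Return (verdict, explanation) for a forwarder's response."""
    if len(msg) < 12:
        return "malformed", "shorter than a DNS header"
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & FLAG_QR:
        return "malformed", "QR bit not set, this is not a response"
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4            # QTYPE + QCLASS
    for _ in range(an + ns):
        pos = skip_name(msg, pos)
        rdlen = struct.unpack("!H", msg[pos + 8:pos + 10])[0]
        pos += 10 + rdlen                        # TYPE, CLASS, TTL, RDLENGTH, RDATA
    has_opt = False
    for _ in range(ar):
        pos = skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        has_opt = has_opt or rtype == TYPE_OPT
        pos += 10 + rdlen
    rcode = RCODE_NAMES.get(flags & 0xF, "RCODE%d" % (flags & 0xF))
    if not has_opt:
        return "no-edns", "forwarder does not answer with EDNS0; DNSSEC needs it"
    if rcode == "SERVFAIL":
        return "servfail", "possible DNSSEC validation failure or unreachable upstream; check named's log"
    if rcode == "NXDOMAIN":
        return "nxdomain", "name does not exist or zone not loaded yet; not by itself a validation failure"
    if rcode == "NOERROR":
        if flags & FLAG_AD:
            return "secure", "answer validated (AD set)"
        return "insecure", "answer returned without validation (AD clear)"
    return "other", rcode


if __name__ == "__main__":
    for rc, ad in ((0, True), (0, False), (3, False), (2, False)):
        print(classify_response(build_response("ptr.test.", rc, ad=ad)))
    print(classify_response(build_response("ptr.test.", 0, with_opt=False)))
```

The classifier only says what the response proves; the thread's point that a validating resolver may emit NXDOMAIN or SERVFAIL for reasons unrelated to the forwarder is why both verdicts carry an explanation instead of a flat pass/fail.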

Re: [Freeipa-devel] [PATCH] 871 webui: make topology suffices UI readonly

2015-06-10 Thread Petr Vobornik

On 06/10/2015 03:24 PM, Petr Vobornik wrote:

Admins should not modify topology suffices. They are created on
install/upgrade.

part of: https://fedorahosted.org/freeipa/ticket/4997


and with patch...

--
Petr Vobornik
From 3cb93f113aa67ee458e5b4ff422e255f7d0bd64d Mon Sep 17 00:00:00 2001
From: Petr Vobornik 
Date: Wed, 10 Jun 2015 15:20:50 +0200
Subject: [PATCH] webui: make topology suffices UI readonly

Admins should not modify topology suffices. They are created on
install/upgrade.

part of: https://fedorahosted.org/freeipa/ticket/4997
---
 install/ui/src/freeipa/topology.js | 15 +++
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/install/ui/src/freeipa/topology.js b/install/ui/src/freeipa/topology.js
index f0d44f66d12a350828d653809ac9dee5ad078cb9..3548e23bd632e69e93039ac650b2c1152da2a0a4 100644
--- a/install/ui/src/freeipa/topology.js
+++ b/install/ui/src/freeipa/topology.js
@@ -52,6 +52,7 @@ return {
 $type: 'search',
 disable_facet_tabs: false,
 tabs_in_sidebar: true,
+no_update: true,
 tab_label: '@mo:topologysuffix.label',
 facet_groups: [topology.search_facet_group],
 facet_group: 'search',
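Review bot: `no_update: true` on the search facet needs to disable the Delete action as well as Add, since the commit message says suffixes are created on install/upgrade and admins should not modify them; the adder dialog is removed further down in this patch, but a remove action left reachable on the search facet would still let a suffix be deleted. Confirm that `no_update` covers both and, if not, remove the delete action explicitly.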
@@ -77,23 +78,21 @@ return {
 },
 {
 $type: 'details',
+no_update: true,
 sections: [
 {
 name: 'details',
 fields: [
 'cn',
-'iparepltopoconfroot'
+{
+name: 'iparepltopoconfroot',
+read_only: true
+}
 ]
 }
 ]
 }
-],
-adder_dialog: {
-fields: [
-'cn',
-'iparepltopoconfroot'
-]
-}
+]
 };};
 
 
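Review bot: in the details facet only `iparepltopoconfroot` gets `read_only: true` while `cn` is still listed as a plain editable field; `no_update: true` removes the Update button, but for consistency (and so `cn` does not render as an editable input the user cannot save) mark it `read_only: true` too, or rely on `no_update` alone for both fields rather than mixing the two mechanisms.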
-- 
2.1.0


[Freeipa-devel] [PATCH] 871 webui: make topology suffices UI readonly

2015-06-10 Thread Petr Vobornik

Admins should not modify topology suffices. They are created on
install/upgrade.

part of: https://fedorahosted.org/freeipa/ticket/4997
--
Petr Vobornik



[Freeipa-devel] [PATCH] 870 disallow mod of topology segment nodes

2015-06-10 Thread Petr Vobornik

Mod of segment end will be disallowed in topology plugin.

Reasoning (by Ludwig):  if we want to properly allow mods to change
connectivity and endpoints, then we would need to check if the mod
disconnects the topology, delete existing agreements, check if the new
would be a duplicate and create new agmts. There could be some difficult
scenarios, like having
  A <--> B <--> C <--> D,
if you modify the segment B-C to A-D topology breaks and is then
reconnected.

part of: https://fedorahosted.org/freeipa/ticket/4302
--
Petr Vobornik
From 62576685d63c0295000d6982b479358fff7b50fc Mon Sep 17 00:00:00 2001
From: Petr Vobornik 
Date: Wed, 10 Jun 2015 15:03:44 +0200
Subject: [PATCH] disallow mod of topology segment nodes

Mod of segment end will be disallowed in topology plugin.

Reasoning (by Ludwig):  if we want to properly allow mods to change
connectivity and endpoints, then we would need to check if the mod
disconnects the topology, delete existing agreements, check if the new
would be a duplicate and create new agmts. There could be some difficult
scenarios, like having
  A <--> B <--> C <--> D,
if you modify the segment B-C to A-D topology breaks and is then
reconnected.

part of: https://fedorahosted.org/freeipa/ticket/4302
---
 API.txt| 4 +---
 VERSION| 4 ++--
 ipalib/plugins/topology.py | 2 ++
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/API.txt b/API.txt
index 08abdc3494c5b4c037a168cf4fe952fb374862ff..5d219040a12d801d2cafbc52d05fe04f16bc4e5f 100644
--- a/API.txt
+++ b/API.txt
@@ -4614,15 +4614,13 @@ output: ListOfEntries('result', (, ), Gettext('A list
 output: Output('summary', (, ), None)
 output: Output('truncated', , None)
 command: topologysegment_mod
-args: 2,15,3
+args: 2,13,3
 arg: Str('topologysuffixcn', cli_name='topologysuffix', multivalue=False, primary_key=True, query=True, required=True)
 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, primary_key=True, query=True, required=True)
 option: Str('addattr*', cli_name='addattr', exclude='webui')
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('delattr*', cli_name='delattr', exclude='webui')
 option: StrEnum('iparepltoposegmentdirection', attribute=True, autofill=False, cli_name='direction', default=u'both', multivalue=False, required=False, values=(u'both', u'left-right', u'right-left'))
-option: Str('iparepltoposegmentleftnode', attribute=True, autofill=False, cli_name='leftnode', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9.][a-zA-Z0-9.-]{0,252}[a-zA-Z0-9.$-]?$', required=False)
-option: Str('iparepltoposegmentrightnode', attribute=True, autofill=False, cli_name='rightnode', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9.][a-zA-Z0-9.-]{0,252}[a-zA-Z0-9.$-]?$', required=False)
 option: StrEnum('nsds5replicaenabled', attribute=True, autofill=False, cli_name='enabled', multivalue=False, required=False, values=(u'on', u'off'))
 option: Str('nsds5replicastripattrs', attribute=True, autofill=False, cli_name='stripattrs', multivalue=False, required=False)
 option: Str('nsds5replicatedattributelist', attribute=True, autofill=False, cli_name='replattrs', multivalue=False, required=False)
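Review bot: removing `iparepltoposegmentleftnode`/`iparepltoposegmentrightnode` from topologysegment_mod (args 2,15,3 -> 2,13,3 is consistent) only hides the named options; the `addattr*` and `delattr*` options still listed in this hunk let a caller add or strip those attributes directly, so the server-side rejection in the topology plugin that the commit message promises is the real control and should land together with this change, or the mod pre-callback should reject those attributes explicitly.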
diff --git a/VERSION b/VERSION
index 346af80582b78904a6f274a40897db65f170531d..e325c90cae1cbdc1f1e705ff9c078a4f5242eb14 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=2010061412
 #  #
 
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=128
-# Last change: pvoborni - toposegment direction restrictions
+IPA_API_VERSION_MINOR=129
+# Last change: pvoborni - disallow mod of topologysegment nodes
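Review bot: the replaced "Last change" line names the direction-restriction change (patch 869, minor 128), and 868 bumps to 127, so this patch applies only after 868 and 869; state that ordering in the cover mail, otherwise IPA_API_VERSION_MINOR conflicts on push.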
diff --git a/ipalib/plugins/topology.py b/ipalib/plugins/topology.py
index 6aa77c1f673da18e71fd9d5a7a7674ba5c446574..647c829689d3eba0a782d38d0d67b7179ec5e413 100644
--- a/ipalib/plugins/topology.py
+++ b/ipalib/plugins/topology.py
@@ -81,6 +81,7 @@ class topologysegment(LDAPObject):
 label=_('Left node'),
 normalizer=lambda value: value.lower(),
 doc=_('Left replication node - an IPA server'),
+flags={'no_update'},
 ),
 Str(
 'iparepltoposegmentrightnode',
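Review bot: `flags={'no_update'}` silently drops the left node from topologysegment-mod, but the `doc` string two lines above still reads only "Left replication node - an IPA server"; add that the endpoint cannot be changed after creation (delete and re-add the segment instead) so `ipa help topologysegment-mod` explains the missing option.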
@@ -91,6 +92,7 @@ class topologysegment(LDAPObject):
 label=_('Right node'),
 normalizer=lambda value: value.lower(),
 doc=_('Right replication node - an IPA server'),
+flags={'no_update'},
 ),
 StrEnum(
 'iparepltoposegmentdirection',
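Review bot: same `no_update` flag for the right node; as with the left node, the flag only removes the API option, and the API.txt hunk shows `addattr*`/`delattr*` remain available, so the topology plugin (or a ValidationError in the mod pre-callback) must still refuse changes to these attributes for the restriction to hold.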
-- 
2.1.0


[Freeipa-devel] [PATCH] 869 topology: restrict direction changes

2015-06-10 Thread Petr Vobornik

topology plugin doesn't properly handle:
- creation of segment with direction 'none' and then upgrade to other
  direction
- downgrade of direction

These situations are now forbidden in API.

part of: https://fedorahosted.org/freeipa/ticket/4302
--
Petr Vobornik
From 89703bf789885ef4919e5ca4d647537752f3f5c3 Mon Sep 17 00:00:00 2001
From: Petr Vobornik 
Date: Wed, 10 Jun 2015 14:44:09 +0200
Subject: [PATCH] topology: restrict direction changes

topology plugin doesn't properly handle:
- creation of segment with direction 'none' and then upgrade to other
  direction
- downgrade of direction

These situations are now forbidden in API.

part of: https://fedorahosted.org/freeipa/ticket/4302
---
 API.txt|  6 +++---
 VERSION|  5 ++---
 install/ui/src/freeipa/topology.js |  4 ++--
 ipalib/plugins/topology.py | 10 +-
 4 files changed, 16 insertions(+), 9 deletions(-)

diff --git a/API.txt b/API.txt
index beb3891eff5de0eab72878a87435a02187ee36af..08abdc3494c5b4c037a168cf4fe952fb374862ff 100644
--- a/API.txt
+++ b/API.txt
@@ -4567,7 +4567,7 @@ arg: Str('topologysuffixcn', cli_name='topologysuffix', multivalue=False, primar
 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, primary_key=True, required=True)
 option: Str('addattr*', cli_name='addattr', exclude='webui')
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
-option: StrEnum('iparepltoposegmentdirection', attribute=True, cli_name='direction', default=u'both', multivalue=False, required=True, values=(u'both', u'left-right', u'right-left', u'none'))
+option: StrEnum('iparepltoposegmentdirection', attribute=True, cli_name='direction', default=u'both', multivalue=False, required=True, values=(u'both', u'left-right', u'right-left'))
 option: Str('iparepltoposegmentleftnode', attribute=True, cli_name='leftnode', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9.][a-zA-Z0-9.-]{0,252}[a-zA-Z0-9.$-]?$', required=True)
 option: Str('iparepltoposegmentrightnode', attribute=True, cli_name='rightnode', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9.][a-zA-Z0-9.-]{0,252}[a-zA-Z0-9.$-]?$', required=True)
 option: StrEnum('nsds5replicaenabled', attribute=True, cli_name='enabled', multivalue=False, required=False, values=(u'on', u'off'))
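Review bot: dropping u'none' from the add enum is right, but the commit message says segments with direction 'none' could be created before this change and that upgrading them is mishandled; the patch should state how such existing segments are treated (rejected on mod, or migrated), since this hunk alone does not address them.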
@@ -4596,7 +4596,7 @@ arg: Str('topologysuffixcn', cli_name='topologysuffix', multivalue=False, primar
 arg: Str('criteria?', noextrawhitespace=False)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('cn', attribute=True, autofill=False, cli_name='name', maxlength=255, multivalue=False, primary_key=True, query=True, required=False)
-option: StrEnum('iparepltoposegmentdirection', attribute=True, autofill=False, cli_name='direction', default=u'both', multivalue=False, query=True, required=False, values=(u'both', u'left-right', u'right-left', u'none'))
+option: StrEnum('iparepltoposegmentdirection', attribute=True, autofill=False, cli_name='direction', default=u'both', multivalue=False, query=True, required=False, values=(u'both', u'left-right', u'right-left'))
 option: Str('iparepltoposegmentleftnode', attribute=True, autofill=False, cli_name='leftnode', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9.][a-zA-Z0-9.-]{0,252}[a-zA-Z0-9.$-]?$', query=True, required=False)
 option: Str('iparepltoposegmentrightnode', attribute=True, autofill=False, cli_name='rightnode', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9.][a-zA-Z0-9.-]{0,252}[a-zA-Z0-9.$-]?$', query=True, required=False)
 option: StrEnum('nsds5replicaenabled', attribute=True, autofill=False, cli_name='enabled', multivalue=False, query=True, required=False, values=(u'on', u'off'))
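Review bot: removing u'none' from the find (query) enum means `topologysegment-find --direction=none` can no longer locate the legacy 'none' segments the commit message refers to; if any may exist in deployed trees, keeping the value in the query-only enum would still let an admin find and delete them.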
@@ -4620,7 +4620,7 @@ arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False,
 option: Str('addattr*', cli_name='addattr', exclude='webui')
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('delattr*', cli_name='delattr', exclude='webui')
-option: StrEnum('iparepltoposegmentdirection', attribute=True, autofill=False, cli_name='direction', default=u'both', multivalue=False, required=False, values=(u'both', u'left-right', u'right-left', u'none'))
+option: StrEnum('iparepltoposegmentdirection', attribute=True, autofill=False, cli_name='direction', default=u'both', multivalue=False, required=False, values=(u'both', u'left-right', u'right-left'))
 option: Str('iparepltoposegmentleftnode', attribute=True, autofill=False, cli_name='leftnode', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9.][a-zA-Z0-9.-]{0,252}[a-zA-Z0-9.$-]?$', required=False)
 option: Str('iparepltoposegmentrightnode', attribute=True, autofill=False, cli_name='rightnode', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9.][a-zA-Z0-9.-]{0,252}[a-zA-Z0-9.$-]?$', required=False)
 option: StrEnum('nsds5replicaenabled', attribute=True, autofill=False, cli_name='enabled'
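Review bot: the enum change in topologysegment_mod only removes 'none' as a target value; the "downgrade of direction" restriction from the commit message (e.g. both -> left-right) is not expressible in API.txt and has to live in ipalib/plugins/topology.py, which the diffstat lists (10 lines changed) but which is cut off on this page; confirm the mod pre-callback compares the stored direction with the requested one.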

Re: [Freeipa-devel] topology issues

2015-06-10 Thread Petr Vobornik

On 06/10/2015 02:42 PM, thierry bordaz wrote:

On 06/10/2015 02:19 PM, Ludwig Krispenz wrote:


On 06/10/2015 02:13 PM, thierry bordaz wrote:

On 06/10/2015 10:51 AM, Ludwig Krispenz wrote:


On 06/10/2015 10:41 AM, Martin Basti wrote:

On 10/06/15 09:13, Ludwig Krispenz wrote:

Hi,

there seems to be something going wrong in the code to delete the
services.

The code is:

        # delete master entry with all active services
        try:
            dn = DN(('cn', replica), ('cn', 'masters'), ('cn', 'ipa'),
                    ('cn', 'etc'), self.suffix)
            entries = self.conn.get_entries(dn, ldap.SCOPE_SUBTREE)
            if entries:
                entries.sort(key=lambda x: len(x.dn), reverse=True)
                for entry in entries:
                    self.conn.delete_entry(entry)
        except errors.NotFound:
            pass
        except Exception, e:
            if not force:
                raise e
            elif not err:
                err = e

In the access log we see:


[09/Jun/2015:08:32:42 -0400] conn=150 op=52 SRCH base="cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net" scope=2 filter="(objectClass=*)" attrs=ALL
[09/Jun/2015:08:32:42 -0400] conn=150 op=52 RESULT err=0 tag=101 nentries=8 etime=0 notes=U

this was the get_entries, it returns 8 entries

[09/Jun/2015:08:32:42 -0400] conn=150 op=53 DEL dn="cn=KDC,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
[09/Jun/2015:08:32:42 -0400] conn=150 op=53 RESULT err=0 tag=107 nentries=0 etime=0 csn=5576dceb00060004
[09/Jun/2015:08:32:42 -0400] conn=150 op=54 DEL dn="cn=KPASSWD,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
[09/Jun/2015:08:32:42 -0400] conn=150 op=54 RESULT err=0 tag=107 nentries=0 etime=0 csn=5576dceb00070004
[09/Jun/2015:08:32:42 -0400] conn=150 op=55 DEL dn="cn=MEMCACHE,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
[09/Jun/2015:08:32:43 -0400] conn=150 op=55 RESULT err=0 tag=107 nentries=0 etime=1 csn=5576dcec00010004

here it stops after deleting three entries, and it should do it in
reverse order of the dn length, but KDC is deleted before MEMCACHE


Something surprising is that according to the code

        # delete master entry with all active services
        try:
            dn = DN(('cn', replica), ('cn', 'masters'), ('cn', 'ipa'),
                    ('cn', 'etc'), self.suffix)
            entries = self.conn.get_entries(dn, ldap.SCOPE_SUBTREE)
            if entries:
                entries.sort(key=lambda x: len(x.dn), reverse=True)
                for entry in entries:
                    self.conn.delete_entry(entry)
        except errors.NotFound:
            pass
        except Exception, e:
            if not force:
                raise e
            elif not err:
                err = e

        try:
            entry = *self.conn.get_entry*(
                DN(('cn', 'ipa'), ('cn', 'etc'), self.suffix),
                ['aci'])

            sub = {'suffix': self.suffix, 'fqdn': replica}
            ...

We should see a search on cn=ipa,cn=etc,SUFFIX following the deletion
of those entries.
But the next op is an UNBIND.

yes, that is strange, maybe we hit an exception and the connection was
closed

With UNBIND logged, it looks like the closure is triggered by the CLI.
I agree it should be some exception but my understanding is that 'force'
was set. so when it started deleting entries any exception is caught and
we should do the following search.


Btw, the `ipa-replica-manage del ` issues should have been handled 
by new version of tbabej's patch 329. Given that Tomas is on PTO, I'll 
update his patch to handle only 'connect' and 'disconnect' cases and 
create a new one for 'del'.







Is that the code executed by ipa-replica-manage ?

I think so, yes.




[09/Jun/2015:08:32:43 -0400] conn=150 op=56 UNBIND


Are there any ideas what is going on or how to debug it ?


Actually, both DNs of KDC and MEMCACHE have the same length.
IPA implements its own DN class, where length is the number of AVA/RDN
parts (mixed in code, but it means 'cn=user' has length 1, and
'cn=user,cn=accounts' has length 2)

    def __len__(self):
        return len(self.rdns)

This reverse sort guarantees the child entries will be removed
before the parent entries.

thanks, then it is ok, but it does not explain why not all services
and the master were deleted.


To debug, maybe print the entries from IPA code, before sort and
after sort might help.

yep, but so far only Oleg reported this, and he's not here today, I
haven't reproduced the issue


Martin^2



On 06/09/2015 05:32 PM, Ludwig Krispenz wrote:

Hi Oleg,
thanks for access to your machine, the replication agreements are
still there - and that is expected since the server was not removed.

In the access log I see:

[09/Jun/2015:08:32:42 -0400] conn=150 op=52 SRCH
base="cn=f22replica1.bagam.net

Re: [Freeipa-devel] topology issues

2015-06-10 Thread thierry bordaz

On 06/10/2015 02:19 PM, Ludwig Krispenz wrote:


On 06/10/2015 02:13 PM, thierry bordaz wrote:

On 06/10/2015 10:51 AM, Ludwig Krispenz wrote:


On 06/10/2015 10:41 AM, Martin Basti wrote:

On 10/06/15 09:13, Ludwig Krispenz wrote:

Hi,

there seems to be something going wrong in the code to delete the 
services.


The code is:

        # delete master entry with all active services
        try:
            dn = DN(('cn', replica), ('cn', 'masters'), ('cn', 'ipa'),
                    ('cn', 'etc'), self.suffix)
            entries = self.conn.get_entries(dn, ldap.SCOPE_SUBTREE)
            if entries:
                entries.sort(key=lambda x: len(x.dn), reverse=True)
                for entry in entries:
                    self.conn.delete_entry(entry)
        except errors.NotFound:
            pass
        except Exception, e:
            if not force:
                raise e
            elif not err:
                err = e

In the access log we see:


[09/Jun/2015:08:32:42 -0400] conn=150 op=52 SRCH base="cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net" scope=2 filter="(objectClass=*)" attrs=ALL
[09/Jun/2015:08:32:42 -0400] conn=150 op=52 RESULT err=0 tag=101 nentries=8 etime=0 notes=U


this was the get_entries, it returns 8 entries

[09/Jun/2015:08:32:42 -0400] conn=150 op=53 DEL dn="cn=KDC,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
[09/Jun/2015:08:32:42 -0400] conn=150 op=53 RESULT err=0 tag=107 nentries=0 etime=0 csn=5576dceb00060004
[09/Jun/2015:08:32:42 -0400] conn=150 op=54 DEL dn="cn=KPASSWD,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
[09/Jun/2015:08:32:42 -0400] conn=150 op=54 RESULT err=0 tag=107 nentries=0 etime=0 csn=5576dceb00070004
[09/Jun/2015:08:32:42 -0400] conn=150 op=55 DEL dn="cn=MEMCACHE,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
[09/Jun/2015:08:32:43 -0400] conn=150 op=55 RESULT err=0 tag=107 nentries=0 etime=1 csn=5576dcec00010004


here it stops after deleting three entries, and it should do it in 
reverse order of the dn length, but KDC is deleted before MEMCACHE


Something surprising is that according to the code

        # delete master entry with all active services
        try:
            dn = DN(('cn', replica), ('cn', 'masters'), ('cn', 'ipa'),
                    ('cn', 'etc'), self.suffix)
            entries = self.conn.get_entries(dn, ldap.SCOPE_SUBTREE)
            if entries:
                entries.sort(key=lambda x: len(x.dn), reverse=True)
                for entry in entries:
                    self.conn.delete_entry(entry)
        except errors.NotFound:
            pass
        except Exception, e:
            if not force:
                raise e
            elif not err:
                err = e

        try:
            entry = *self.conn.get_entry*(
                DN(('cn', 'ipa'), ('cn', 'etc'), self.suffix),
                ['aci'])

            sub = {'suffix': self.suffix, 'fqdn': replica}
            ...

We should see a search on cn=ipa,cn=etc,SUFFIX following the deletion 
of those entries.

But the next op is an UNBIND.
yes, that is strange, maybe we hit an exception and the connection was 
closed

With UNBIND logged, it looks like the closure is triggered by the CLI.
I agree it should be some exception but my understanding is that 'force' 
was set. so when it started deleting entries any exception is caught and 
we should do the following search.





Is that the code executed by ipa-replica-manage ?

I think so, yes.




[09/Jun/2015:08:32:43 -0400] conn=150 op=56 UNBIND


Are there any ideas what is going on or how to debug it ?


Actually, both DNs of KDC and MEMCACHE have the same length.
IPA implements its own DN class, where length is the number of AVA/RDN 
parts (mixed in code, but it means 'cn=user' has length 1, and 
'cn=user,cn=accounts' has length 2)


    def __len__(self):
        return len(self.rdns)

This reverse sort guarantees the child entries will be removed 
before the parent entries.
thanks, then it is ok, but it does not explain why not all services 
and the master were deleted.


To debug, maybe print the entries from IPA code, before sort and 
after sort might help.
yep, but so far only Oleg reported this, and he's not here today, I 
haven't reproduced the issue


Martin^2



On 06/09/2015 05:32 PM, Ludwig Krispenz wrote:

Hi Oleg,
thanks for access to your machine, the replication agreements are 
still there - and that is expected since the server was not removed.


In the access log I see:

[09/Jun/2015:08:32:42 -0400] conn=150 op=52 SRCH base="cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net" scope=2 filter="(objectClass=*)" attrs=ALL
[09/Jun/2015:08:32:42 -0400] conn=150 op=52 RESULT err=0 tag=101 nentries=8 etime=0 notes=U
[09/Jun/2015:08:32:42 -0400] conn=150 op=53 DEL 
dn="cn=KDC,cn=f22replica1.bagam.net,c

Re: [Freeipa-devel] [PATCH 0011] check-for-existing-and-self-referential-segments

2015-06-10 Thread Petr Vobornik

On 06/10/2015 02:26 PM, Ludwig Krispenz wrote:

Hi Petr,
On 06/08/2015 04:50 PM, Ludwig Krispenz wrote:


On 06/08/2015 04:47 PM, Petr Vobornik wrote:

On 06/03/2015 06:20 PM, Simo Sorce wrote:

On Wed, 2015-06-03 at 14:53 +0200, Ludwig Krispenz wrote:

Hi,

this should prevent adding duplicate segments or segments with same
start and end node


LGTM!

Simo.



The self-referential check is done only in ipa_topo_pre_add. But it
is still possible to create a self-referential one in mod.

Interesting thing is if I:
- have segment (A, B)
- modify it to (A, A) (success)
- add (A, B), got: "Server is unwilling to perform: Segment already
exists in topology or is self referential. Add rejected."
- removal of (A, A): "Server is unwilling to perform: Removal of
Segment disconnects topology.Deletion not allowed." note that, there
are also: (A, D) and (A, C) segments.

ACK if it will be addressed in separate patch.

did you push this patch ?


Pushed to master: 777a9500ceba11e6adbd85306f460e8a320504cb


yes, it will be.

but it will take more work, if we want to properly allow mods to change
connectivity and endpoints, then we would need to check if the mod
disconnects the topology, delete existing agreements, check if the new
would be a duplicate and create new agmts. There could be some difficult
scenarios, like having

A <--> B <--> C <--> D,

if you modify the segment B-C to A-D topology breaks and is then
reconnected.

So I think we should reject segment mods affecting endpoints of the
segment, at least for alpha, beta ...

You find interesting scenarios :-)



I think it's even more proper. IMHO, this operation should be done by 
"add" and "del" anyway.


So then, we should add the "no_update" flag in ipalib and reject it in 
the topology plugin. I'll adjust the ipalib part.


--
Petr Vobornik
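
The reasoning in this thread (an endpoint mod is a delete followed by an add, and the delete step has to be judged on the intermediate topology; plus the self-referential (A, A) case Petr found) as an added example in Python. This is a graph model written for this page, not the topology plugin's own C code: segments are undirected edges, the add check rejects duplicates and A-A segments, the delete check compares the number of connected components before and after removal, and the mod check chains the two. The node names A-D and the two error strings are taken from the thread; the before/after component-count rule is this example's choice, picked so that an already-broken topology can still be cleaned up.

```python
"""Topology segment admission checks modelled on the freeipa-devel thread:
duplicate / self-referential rejection, a delete check that must not
disconnect the topology, and why an endpoint mod is really delete + add.
Added example, not the topology plugin's own (C) code."""

from collections import deque


def norm(seg):
    """Segments are undirected for connectivity purposes: (a, b) == (b, a)."""
    a, b = seg
    return (a, b) if a <= b else (b, a)


def is_self_referential(seg):
    return seg[0] == seg[1]


def is_duplicate(seg, segments):
    return norm(seg) in {norm(s) for s in segments}


def components(nodes, segments):
    """Connected components of the segment graph (BFS), as frozensets."""
    adj = {n: set() for n in nodes}
    for a, b in segments:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, comps = set(), []
    for start in adj:
        if start in seen:
            continue
        comp, queue = set(), deque([start])
        while queue:
            n = queue.popleft()
            if n in comp:
                continue
            comp.add(n)
            queue.extend(adj[n] - comp)
        seen |= comp
        comps.append(frozenset(comp))
    return comps


def is_connected(nodes, segments):
    return len(components(nodes, segments)) <= 1


def check_add(seg, segments):
    """Pre-add check as in patch 0011: no duplicates, no A-A segments."""
    if is_self_referential(seg) or is_duplicate(seg, segments):
        return False, ("Segment already exists in topology or is self "
                       "referential. Add rejected.")
    return True, None


def check_del(seg, nodes, segments):
    """Reject a delete only if it increases the number of components.
    Comparing before/after (instead of demanding full connectivity after)
    lets a topology that is already broken still be cleaned up."""
    remaining = [s for s in segments if norm(s) != norm(seg)]
    if len(components(nodes, remaining)) > len(components(nodes, segments)):
        return False, ("Removal of Segment disconnects topology. "
                       "Deletion not allowed.")
    return True, None


def check_mod_endpoints(old, new, nodes, segments):
    """An endpoint change is a delete followed by an add; the delete is
    judged on the intermediate topology, as the thread describes."""
    ok, why = check_del(old, nodes, segments)
    if not ok:
        return False, "intermediate: " + why
    remaining = [s for s in segments if norm(s) != norm(old)]
    ok, why = check_add(new, remaining)
    if not ok:
        return False, "add: " + why
    return True, None


def final_state_only(old, new, nodes, segments):
    """Naive mod check that looks only at the end result: it accepts the
    B-C -> A-D change although the topology is disconnected in between."""
    final = [s for s in segments if norm(s) != norm(old)] + [new]
    return is_connected(nodes, final) and not is_self_referential(new)


if __name__ == "__main__":
    nodes = ["A", "B", "C", "D"]
    chain = [("A", "B"), ("B", "C"), ("C", "D")]
    print(final_state_only(("B", "C"), ("A", "D"), nodes, chain))
    print(check_mod_endpoints(("B", "C"), ("A", "D"), nodes, chain))
```

Run on the A <--> B <--> C <--> D chain, the final-state check lets the B-C to A-D change through, while the delete-then-add view rejects it at the intermediate step; that difference is the reason for refusing endpoint mods in the API instead of trying to be clever about them.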



[Freeipa-devel] [PATCH] 868 rename topologysegment_refresh to topologysegment_reinitialize

2015-06-10 Thread Petr Vobornik

https://fedorahosted.org/freeipa/ticket/5056
--
Petr Vobornik
From 30b5a7fcb3ef580335e7d869fcfa9faa3465527c Mon Sep 17 00:00:00 2001
From: Petr Vobornik 
Date: Wed, 10 Jun 2015 14:25:45 +0200
Subject: [PATCH] rename topologysegment_refresh to
 topologysegment_reinitialize

https://fedorahosted.org/freeipa/ticket/5056
---
 API.txt| 2 +-
 VERSION| 5 +++--
 ipalib/plugins/topology.py | 2 +-
 3 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/API.txt b/API.txt
index 9e3f223b7ac338840d7090299f9108e951ea920a..beb3891eff5de0eab72878a87435a02187ee36af 100644
--- a/API.txt
+++ b/API.txt
@@ -4635,7 +4635,7 @@ option: Str('version?', exclude='webui')
 output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 output: Output('summary', (, ), None)
 output: PrimaryKey('value', None, None)
-command: topologysegment_refresh
+command: topologysegment_reinitialize
 args: 2,4,3
 arg: Str('topologysuffixcn', cli_name='topologysuffix', multivalue=False, primary_key=True, query=True, required=True)
 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, primary_key=True, query=True, required=True)
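Review bot: renaming the registered command removes `topologysegment_refresh` from the API with no alias, so any script or UI action using the old name breaks; the minor version bump covers client negotiation, but the diffstat above lists only API.txt, VERSION and ipalib/plugins/topology.py, so confirm install/ui has no reference to the old command name (the topology facets in topology.js are where one would expect it).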
diff --git a/VERSION b/VERSION
index 535b3e228a3500f2013ea793b19a97d9fbd05021..d0ce89e2231e1d8eb6d4282ebf8c8ffdf8781e7a 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,6 @@ IPA_DATA_VERSION=2010061412
 #  #
 
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=126
-# Last change: edewata - added vault-archive and vault-retrieve
+IPA_API_VERSION_MINOR=127
+# Last change: pvoborni - rename topologysegment_refresh to
+# topologysegment_reinitialize
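Review bot: the new "Last change" comment is split over two lines while the entry it replaces (and, by the file's convention, the others) keeps it on one; fold it to a single line so tooling that greps the last-change marker keeps working.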
diff --git a/ipalib/plugins/topology.py b/ipalib/plugins/topology.py
index 99781fd104f86fbffa139a441d31cbccb8188076..d055602a863a589ab35758b1e1b51a0e0934dfab 100644
--- a/ipalib/plugins/topology.py
+++ b/ipalib/plugins/topology.py
@@ -235,7 +235,7 @@ class topologysegment_mod(LDAPUpdate):
 
 
 @register()
-class topologysegment_refresh(LDAPQuery):
+class topologysegment_reinitialize(LDAPQuery):
 __doc__ = _('Request a full re-initialization of the node '
 'retrieving data from the other node.')
 
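Review bot: since only the class name changes here, this is a good moment to make the docstring say which of the segment's two nodes is re-initialized and from which (patch 866 restricts the command to a single node); "the node ... from the other node" is ambiguous for a reader of `ipa help topologysegment-reinitialize`.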
-- 
2.1.0


Re: [Freeipa-devel] [PATCH 0011] check-for-existing-and-self-referential-segments

2015-06-10 Thread Ludwig Krispenz

Hi Petr,
On 06/08/2015 04:50 PM, Ludwig Krispenz wrote:


On 06/08/2015 04:47 PM, Petr Vobornik wrote:

On 06/03/2015 06:20 PM, Simo Sorce wrote:

On Wed, 2015-06-03 at 14:53 +0200, Ludwig Krispenz wrote:

Hi,

this should prevent adding duplicate segments or segments with same
start and end node


LGTM!

Simo.



The self-referential check is done only in ipa_topo_pre_add. But it 
is still possible to create a self-referential one in mod.


Interesting thing is if I:
- have segment (A, B)
- modify it to (A, A) (success)
- add (A, B), got: "Server is unwilling to perform: Segment already 
exists in topology or is self referential. Add rejected."
- removal of (A, A): "Server is unwilling to perform: Removal of 
Segment disconnects topology.Deletion not allowed." note that, there 
are also: (A, D) and (A, C) segments.


ACK if it will be addressed in separate patch.

did you push this patch ?
yes, it will be. 
but it will take more work, if we want to properly allow mods to change 
connectivity and endpoints, then we would need to check if the mod 
disconnects the topology, delete existing agreements, check if the new 
would be a duplicate and create new agmts. There could be some difficult 
scenarios, like having


A <--> B <--> C <--> D,

if you modify the segment B-C to A-D topology breaks and is then 
reconnected.


So I think we should reject segment mods affecting endpoints of the 
segment, at least for alpha, beta ...

You find interesting scenarios :-)





Re: [Freeipa-devel] topology issues

2015-06-10 Thread Ludwig Krispenz


On 06/10/2015 02:13 PM, thierry bordaz wrote:

On 06/10/2015 10:51 AM, Ludwig Krispenz wrote:


On 06/10/2015 10:41 AM, Martin Basti wrote:

On 10/06/15 09:13, Ludwig Krispenz wrote:

Hi,

there seems to be something going wrong in the code to delete the 
services.


The code is:

        # delete master entry with all active services
        try:
            dn = DN(('cn', replica), ('cn', 'masters'), ('cn', 'ipa'),
                    ('cn', 'etc'), self.suffix)
            entries = self.conn.get_entries(dn, ldap.SCOPE_SUBTREE)
            if entries:
                entries.sort(key=lambda x: len(x.dn), reverse=True)
                for entry in entries:
                    self.conn.delete_entry(entry)
        except errors.NotFound:
            pass
        except Exception, e:
            if not force:
                raise e
            elif not err:
                err = e

In the access log we see:


[09/Jun/2015:08:32:42 -0400] conn=150 op=52 SRCH base="cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net" scope=2 filter="(objectClass=*)" attrs=ALL
[09/Jun/2015:08:32:42 -0400] conn=150 op=52 RESULT err=0 tag=101 nentries=8 etime=0 notes=U


this was the get_entries, it returns 8 entries

[09/Jun/2015:08:32:42 -0400] conn=150 op=53 DEL dn="cn=KDC,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
[09/Jun/2015:08:32:42 -0400] conn=150 op=53 RESULT err=0 tag=107 nentries=0 etime=0 csn=5576dceb00060004
[09/Jun/2015:08:32:42 -0400] conn=150 op=54 DEL dn="cn=KPASSWD,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
[09/Jun/2015:08:32:42 -0400] conn=150 op=54 RESULT err=0 tag=107 nentries=0 etime=0 csn=5576dceb00070004
[09/Jun/2015:08:32:42 -0400] conn=150 op=55 DEL dn="cn=MEMCACHE,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
[09/Jun/2015:08:32:43 -0400] conn=150 op=55 RESULT err=0 tag=107 nentries=0 etime=1 csn=5576dcec00010004


here it stops after deleting three entries, and it should do it in 
reverse order of the dn length, but KDC is deleted before MEMCACHE


Something surprising is that according to the code

        # delete master entry with all active services
        try:
            dn = DN(('cn', replica), ('cn', 'masters'), ('cn', 'ipa'),
                    ('cn', 'etc'), self.suffix)
            entries = self.conn.get_entries(dn, ldap.SCOPE_SUBTREE)
            if entries:
                entries.sort(key=lambda x: len(x.dn), reverse=True)
                for entry in entries:
                    self.conn.delete_entry(entry)
        except errors.NotFound:
            pass
        except Exception, e:
            if not force:
                raise e
            elif not err:
                err = e

        try:
            entry = *self.conn.get_entry*(
                DN(('cn', 'ipa'), ('cn', 'etc'), self.suffix),
                ['aci'])

            sub = {'suffix': self.suffix, 'fqdn': replica}
            ...

We should see a search on cn=ipa,cn=etc,SUFFIX following the deletion 
of those entries.

But the next op is an UNBIND.
yes, that is strange, maybe we hit an exception and the connection was 
closed

Is that the code executed by ipa-replica-manage ?

I think so, yes.




[09/Jun/2015:08:32:43 -0400] conn=150 op=56 UNBIND


Are there any ideas what is going on or how to debug it ?


Actually, both DNs of KDC and MEMCACHE have the same length.
IPA implements its own DN class, where length is the number of AVA/RDN 
parts (mixed in code, but it means 'cn=user' has length 1, and 
'cn=user,cn=accounts' has length 2)


    def __len__(self):
        return len(self.rdns)

This reverse sort guarantees the child entries will be removed 
before the parent entries.
thanks, then it is ok, but it does not explain why not all services 
and the master were deleted.


To debug, maybe print the entries from IPA code, before sort and 
after sort might help.
yep, but so far only Oleg reported this, and he's not here today, I 
haven't reproduced the issue


Martin^2



On 06/09/2015 05:32 PM, Ludwig Krispenz wrote:

Hi Oleg,
thanks for access to your machine, the replication agreements are 
still there - and that is expected since the server was not removed.


In the access log I see:

[09/Jun/2015:08:32:42 -0400] conn=150 op=52 SRCH base="cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net" scope=2 filter="(objectClass=*)" attrs=ALL
[09/Jun/2015:08:32:42 -0400] conn=150 op=52 RESULT err=0 tag=101 nentries=8 etime=0 notes=U
[09/Jun/2015:08:32:42 -0400] conn=150 op=53 DEL dn="cn=KDC,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
[09/Jun/2015:08:32:42 -0400] conn=150 op=53 RESULT err=0 tag=107 nentries=0 etime=0 csn=5576dceb00060004
[09/Jun/2015:08:32:42 -0400] conn=150 op=54 DEL dn="cn=KPASSWD,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
[09/Jun/2015:08:32:42 -0400] 

Re: [Freeipa-devel] [PATCH] 867 topology: hide topologysuffix-add del mod commands

2015-06-10 Thread Petr Vobornik

On 06/08/2015 07:26 PM, Tomas Babej wrote:

On 06/08/2015 06:57 PM, Petr Vobornik wrote:

Suffices are created on installation/upgrade. Users should not
modify them.

https://fedorahosted.org/freeipa/ticket/4302



ACK

Tomas



Pushed to master: 2661a860e0049c75088fffe2765d67b051c31c9b
--
Petr Vobornik



Re: [Freeipa-devel] [PATCH] 866 topology: allow only one node to be specified in topologysegment-refresh

2015-06-10 Thread Petr Vobornik

On 06/08/2015 07:24 PM, Tomas Babej wrote:

On 06/08/2015 06:57 PM, Petr Vobornik wrote:


https://fedorahosted.org/freeipa/ticket/4302




ACK.

Tomas



Pushed to master: 4232c39f6767d27b9f812a15cfc5ee2c5be69d5e
--
Petr Vobornik



[Freeipa-devel] [PATCH 0052] Stage User: Fix permissions naming and split them where appropriate.

2015-06-10 Thread David Kupka

https://fedorahosted.org/freeipa/ticket/5057
--
David Kupka
From ea25f9942c529ab91f1fe09f4eed087c6e5e92be Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Wed, 10 Jun 2015 12:52:10 +0200
Subject: [PATCH] Stage User: Fix permissions naming and split them where
 appropriate.

Split permissions into basic actions. Change names to be consistent with other
plugins.

https://fedorahosted.org/freeipa/ticket/5057
---
 ACI.txt | 28 ++---
 VERSION |  2 +-
 ipalib/plugins/stageuser.py | 96 ++---
 3 files changed, 54 insertions(+), 72 deletions(-)

diff --git a/ACI.txt b/ACI.txt
index 59173ac1b593f15e079c7b1fce43ec9b0084ec91..3d07e394565e814c454c2b821a35404213f2d277 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -237,25 +237,25 @@ aci: (targetattr = "cn || createtimestamp || entryusn || ipaallowedtarget || mem
 dn: cn=s4u2proxy,cn=etc,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=groupofprincipals)")(version 3.0;acl "permission:System: Remove Service Delegations";allow (delete) groupdn = "ldap:///cn=System: Remove Service Delegations,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example
-aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Add Stage Users by Provisioning and Administrators";allow (add) groupdn = "ldap:///cn=System: Add Stage Users by Provisioning and Administrators,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Add Stage User";allow (add) groupdn = "ldap:///cn=System: Add Stage User,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example
+aci: (targetattr = "*")(target = "ldap:///uid=*,cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Modify Preserved Users";allow (write) groupdn = "ldap:///cn=System: Modify Preserved Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example
-aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Delete modify Stage Users by administrators";allow (delete,write) groupdn = "ldap:///cn=System: Delete modify Stage Users by administrators,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: dc=ipa,dc=example
-aci: (target_to = "ldap:///cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(target_from = "ldap:///cn=users,cn=accounts,dc=ipa,dc=example";)(targetfilter = "(objectclass=nsContainer)")(version 3.0;acl "permission:System: Preserve an active user to a delete Users";allow (moddn) groupdn = "ldap:///cn=System: Preserve an active user to a delete Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Modify Stage User";allow (write) groupdn = "ldap:///cn=System: Modify Stage User,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: dc=ipa,dc=example
-aci: (target_to = "ldap:///cn=users,cn=accounts,dc=ipa,dc=example";)(target_from = "ldap:///cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=nsContainer)")(version 3.0;acl "permission:System: Reactive delete users";allow (moddn) groupdn = "ldap:///cn=System: Reactive delete users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (target_to = "ldap:///cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(target_from = "ldap:///cn=users,cn=accounts,dc=ipa,dc=example";)(targetfilter = "(objectclass=nsContainer)")(version 3.0;acl "permission:System: Preserve User";allow (moddn) groupdn = "ldap:///cn=System: Preserve User,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example
+aci: (targetattr = "*")(target = "ldap:///uid=*,cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read Preserved Users";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Preserved Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example
-aci: (targetattr = "krbprincipalkey || userpassword")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Read Stage User kerberos principal key and password";allow (compare,read,search) g
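Review bot: the removed "System: Delete modify Stage Users by administrators" ACI granted allow (delete,write) on staged users, while its replacement in this hunk, "System: Modify Stage User", grants only allow (write); since the hunk is cut off here, make sure the patch also adds a "System: Remove Stage User" ACI with allow (delete), otherwise the delete right is dropped rather than split. The new "System: Modify Preserved Users" ACI uses targetattr = "*" with allow (write), which includes userpassword and krbprincipalkey; if the separate password-reset permission for preserved users is meant to be the only way to change those attributes, exclude them from this targetattr.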

Re: [Freeipa-devel] topology issues

2015-06-10 Thread thierry bordaz

On 06/10/2015 10:51 AM, Ludwig Krispenz wrote:


On 06/10/2015 10:41 AM, Martin Basti wrote:

On 10/06/15 09:13, Ludwig Krispenz wrote:

Hi,

there seems to be something going wrong in the code to delete the
services.


The code is:

# delete master entry with all active services
try:
    dn = DN(('cn', replica), ('cn', 'masters'), ('cn', 'ipa'),
            ('cn', 'etc'), self.suffix)
    entries = self.conn.get_entries(dn, ldap.SCOPE_SUBTREE)
    if entries:
        entries.sort(key=lambda x: len(x.dn), reverse=True)
        for entry in entries:
            self.conn.delete_entry(entry)
except errors.NotFound:
    pass
except Exception, e:
    if not force:
        raise e
    elif not err:
        err = e

In the access log we see:


[09/Jun/2015:08:32:42 -0400] conn=150 op=52 SRCH 
base="cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net" 
scope=2 filter="(objectClass=*)" attrs=ALL
[09/Jun/2015:08:32:42 -0400] conn=150 op=52 RESULT err=0 tag=101 
nentries=8 etime=0 notes=U


this was the get_entries, it returns 8 entries

[09/Jun/2015:08:32:42 -0400] conn=150 op=53 DEL 
dn="cn=KDC,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
[09/Jun/2015:08:32:42 -0400] conn=150 op=53 RESULT err=0 tag=107 
nentries=0 etime=0 csn=5576dceb00060004
[09/Jun/2015:08:32:42 -0400] conn=150 op=54 DEL 
dn="cn=KPASSWD,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
[09/Jun/2015:08:32:42 -0400] conn=150 op=54 RESULT err=0 tag=107 
nentries=0 etime=0 csn=5576dceb00070004
[09/Jun/2015:08:32:42 -0400] conn=150 op=55 DEL 
dn="cn=MEMCACHE,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
[09/Jun/2015:08:32:43 -0400] conn=150 op=55 RESULT err=0 tag=107 
nentries=0 etime=1 csn=5576dcec00010004


here it stops after deleting three entries, and it should do it in 
reverse order of the dn length, but KDC is deleted before MEMCACHE


Something surprising is that according to the code

# delete master entry with all active services
try:
    dn = DN(('cn', replica), ('cn', 'masters'), ('cn', 'ipa'),
            ('cn', 'etc'), self.suffix)
    entries = self.conn.get_entries(dn, ldap.SCOPE_SUBTREE)
    if entries:
        entries.sort(key=lambda x: len(x.dn), reverse=True)
        for entry in entries:
            self.conn.delete_entry(entry)
except errors.NotFound:
    pass
except Exception, e:
    if not force:
        raise e
    elif not err:
        err = e

try:
    entry = *self.conn.get_entry*(
        DN(('cn', 'ipa'), ('cn', 'etc'), self.suffix), ['aci'])

    sub = {'suffix': self.suffix, 'fqdn': replica}
    ...

We should see a search on cn=ipa,cn=etc,SUFFIX following the deletion of 
those entries.

But the next op is an UNBIND.
Is that the code executed by ipa-replica-manage?



[09/Jun/2015:08:32:43 -0400] conn=150 op=56 UNBIND


Are there any ideas what is going on or how to debug it?


Actually, both DNs of KDC and MEMCACHE have the same length.
IPA implements its own DN class, where length is the number of AVA/RDN
parts (mixed in code, but it means that 'cn=user' has length 1, and
'cn=user,cn=accounts' has length 2)


def __len__(self):
    return len(self.rdns)

This reverse sort guarantees the child entries will be removed before 
the parent entries.
thanks, then it is ok, but it does not explain why not all services
and the master were deleted.


To debug, maybe print the entries from IPA code, before sort and 
after sort might help.
yep, but so far only Oleg reported this, and he's not here today, I
haven't reproduced the issue


Martin^2



On 06/09/2015 05:32 PM, Ludwig Krispenz wrote:

Hi Oleg,
thanks for access to your machine, the replication agreements are 
still there - and that is expected since the server was not removed.


In the access log I see:

[09/Jun/2015:08:32:42 -0400] conn=150 op=52 SRCH 
base="cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net" 
scope=2 filter="(objectClass=*)" attrs=ALL
[09/Jun/2015:08:32:42 -0400] conn=150 op=52 RESULT err=0 tag=101 
nentries=8 etime=0 notes=U
[09/Jun/2015:08:32:42 -0400] conn=150 op=53 DEL 
dn="cn=KDC,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
[09/Jun/2015:08:32:42 -0400] conn=150 op=53 RESULT err=0 tag=107 
nentries=0 etime=0 csn=5576dceb00060004
[09/Jun/2015:08:32:42 -0400] conn=150 op=54 DEL 
dn="cn=KPASSWD,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
[09/Jun/2015:08:32:42 -0400] conn=150 op=54 RESULT err=0 tag=107 
nentries=0 etime=0 csn=5576dceb00070004
[09/Jun/2015:08:32:42 -0400] conn=150 op=55 DEL 
dn="cn=MEMCACHE,cn=f2

Re: [Freeipa-devel] [PATCHES 00012-0013 v7] Profiles and CA ACLs

2015-06-10 Thread Martin Kosek
On 06/10/2015 01:50 PM, Jan Cholasta wrote:
> Dne 10.6.2015 v 13:44 Martin Basti napsal(a):
>> On 10/06/15 06:40, Fraser Tweedale wrote:
>>> On Tue, Jun 09, 2015 at 04:37:56PM +0200, Martin Basti wrote:
 On 09/06/15 08:58, Fraser Tweedale wrote:
> On Mon, Jun 08, 2015 at 08:49:06AM +0200, Martin Kosek wrote:
>> On 06/08/2015 03:31 AM, Fraser Tweedale wrote:
>>> New patches attached.  Comments inline.
>> Thanks Fraser!
>>
>> ...
 5)
 Missing referint plugin configuration for attribute
 'ipacaaclmembercertprofile'
 Please add it into install/updates/25-referint.update (+ other
 member
 attributes if missing)

>>> Added this.  There is a comment in 25-referint.update:
>>>
>>>  # pres and eq indexes defined in 20-indices.update must be set
>>>  # for all the attributes
>>>
>>> Can you explain what is required here?  Is it just to add: I see
>>> things for memberUser and memberHost in indices.ldif but nothing for
>>> memberService.  Do I need to add to indices.ldif:
>>>
>>>  dn: cn=memberProfile,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
>>>  changetype: add
>>>  cn: memberProfile
>>>  ObjectClass: top
>>>  ObjectClass: nsIndex
>>>  nsSystemIndex: false
>>>  nsIndexType: eq
>>>  nsIndexType: pres
>>>  nsIndexType: sub
>>>
>>> , and similarly for memberCa?  Sorry I do not know much about LDAP
>>> indexing.
>> AFAIR, yes. BTW, where does the "sub" index come from? It is quite
>> an expensive
>> index to use and I now cannot think of memberProfile search where
>> you would
>> need a substring...
>>
>> Thanks,
>> Martin
> Updated patch attached, which adds the indices.  (Also rebased).
>
> There is a commit that seems to indicate that substring index is
> needed, so I have included substring indices in this patchset.
> Copied Honza in case he wants to comment.
>
>  commit a10521a1dcf69960d6ce0bf5657180b709c297c0
>  Author: Jan Cholasta 
>  Date:   Tue Jun 25 13:16:40 2013 +
>
>  Add missing substring indices for attributes managed by the
> referint plugin.
>
>  The referint plugin does a substring search on these
> attributes each time an
>  entry is deleted, which causes a noticeable slowdown for
> large directories if
>  the attributes are not indexed.
>
>  https://fedorahosted.org/freeipa/ticket/3706
>
> Cheers,
> Fraser
 ACK

 Please send the upgrade patch ASAP :)

 -- 
 Martin Basti

>>> Thank you for the ACK \o/
>>>
>>> Since the patches have not been pushed, here is an updated patchset
>>> which adds the upgrade behaviour.  There are no changes apart from
>>> the additions to ipaserver/install/server/upgrade.py.
>>>
>>> Cheers,
>>> Fraser
>> ACK
> 
> NACK, the new OIDs are not registered.
> 
> BTW all new attribute names should have the "ipa" prefix. Also I would prefer
> "CertProfile" instead of just "Profile" in certificate profile related names.
> Please rename the attributes as follows:
> 
> memberCa -> ipaMemberCa
> memberProfile -> ipaMemberCertProfile
> caCategory -> ipaCaCategory
> profileCategory -> ipaCertProfileCategory
> 
> Honza
> 

+1. I see that other attributes from this feature use the ipa prefix already:

dn: cn=schema
attributeTypes: (2.16.840.1.113730.3.8.21.1.1 NAME 'ipaCertProfileStoreIssued'
DESC 'Store certificates issued using this profile' EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.2' )
objectClasses: (2.16.840.1.113730.3.8.21.2.1 NAME 'ipaCertProfile' SUP top
STRUCTURAL MUST ( cn $ description $ ipaCertProfileStoreIssued ) X-ORIGIN 'IPA
v4.2' )

Those OIDs should be BTW registered as well, if not already



Re: [Freeipa-devel] [PATCHES 00012-0013 v7] Profiles and CA ACLs

2015-06-10 Thread Jan Cholasta

Dne 10.6.2015 v 13:44 Martin Basti napsal(a):

On 10/06/15 06:40, Fraser Tweedale wrote:

On Tue, Jun 09, 2015 at 04:37:56PM +0200, Martin Basti wrote:

On 09/06/15 08:58, Fraser Tweedale wrote:

On Mon, Jun 08, 2015 at 08:49:06AM +0200, Martin Kosek wrote:

On 06/08/2015 03:31 AM, Fraser Tweedale wrote:

New patches attached.  Comments inline.

Thanks Fraser!

...

5)
Missing referint plugin configuration for attribute
'ipacaaclmembercertprofile'
Please add it into install/updates/25-referint.update (+ other
member
attributes if missing)


Added this.  There is a comment in 25-referint.update:

 # pres and eq indexes defined in 20-indices.update must be set
 # for all the attributes

Can you explain what is required here?  Is it just to add: I see
things for memberUser and memberHost in indices.ldif but nothing for
memberService.  Do I need to add to indices.ldif:

 dn: cn=memberProfile,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 changetype: add
 cn: memberProfile
 ObjectClass: top
 ObjectClass: nsIndex
 nsSystemIndex: false
 nsIndexType: eq
 nsIndexType: pres
 nsIndexType: sub

, and similarly for memberCa?  Sorry I do not know much about LDAP
indexing.

AFAIR, yes. BTW, where does the "sub" index come from? It is quite
an expensive
index to use and I now cannot think of memberProfile search where
you would
need a substring...

Thanks,
Martin

Updated patch attached, which adds the indices.  (Also rebased).

There is a commit that seems to indicate that substring index is
needed, so I have included substring indices in this patchset.
Copied Honza in case he wants to comment.

 commit a10521a1dcf69960d6ce0bf5657180b709c297c0
 Author: Jan Cholasta 
 Date:   Tue Jun 25 13:16:40 2013 +

 Add missing substring indices for attributes managed by the
referint plugin.

 The referint plugin does a substring search on these
attributes each time an
 entry is deleted, which causes a noticeable slowdown for
large directories if
 the attributes are not indexed.

 https://fedorahosted.org/freeipa/ticket/3706

Cheers,
Fraser

ACK

Please send the upgrade patch ASAP :)

--
Martin Basti


Thank you for the ACK \o/

Since the patches have not been pushed, here is an updated patchset
which adds the upgrade behaviour.  There are no changes apart from
the additions to ipaserver/install/server/upgrade.py.

Cheers,
Fraser

ACK


NACK, the new OIDs are not registered.

BTW all new attribute names should have the "ipa" prefix. Also I would 
prefer "CertProfile" instead of just "Profile" in certificate profile 
related names. Please rename the attributes as follows:


memberCa -> ipaMemberCa
memberProfile -> ipaMemberCertProfile
caCategory -> ipaCaCategory
profileCategory -> ipaCertProfileCategory

Honza

--
Jan Cholasta



[Freeipa-devel] [PATCH 0264] Server Upgrade: disconnect ldap2 connection before DS restart

2015-06-10 Thread Martin Basti
Without this patch, the upgrade may fail when api.Backend.ldap2 was
connected before the DS restart.


Patch attached.

--
Martin Basti

From cae5117b505f24fc176196fc953170e3bad0507b Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 10 Jun 2015 13:24:48 +0200
Subject: [PATCH] Server Upgrade: disconnect ldap2 connection before DS restart

Without this patch, the invalid api.Backend.ldap2 connection
was used to communicate with DS and it raises network error
after DS restart.
---
 ipaserver/install/server/upgrade.py | 5 +
 1 file changed, 5 insertions(+)

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 306d1d27cda7a517117110ad3e6a760108f0fe19..a9dac59e009f5646630b7a8dd0e92f39b5a44a86 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1369,6 +1369,11 @@ def upgrade_configuration():
 ds = dsinstance.DsInstance()
 ds.configure_dirsrv_ccache()
 
+# ldap2 connection is not valid after DS restart, close connection otherwise
+# it will cause network errors
+if api.Backend.ldap2.isconnected():
+api.Backend.ldap2.disconnect()
+
 ds.stop(ds_serverid)
 fix_schema_file_syntax()
 remove_ds_ra_cert(subject_base)
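Review bot: the new block disconnects api.Backend.ldap2 before ds.stop(ds_serverid), but nothing in the visible context reconnects it after the restart; verify that the code following the DS restart in upgrade_configuration re-establishes the connection (or checks isconnected()) before the next LDAP operation, otherwise the network error the commit message describes is only replaced by a not-connected error. The comment could also state where the connection is rebuilt, so the next reader does not add a reconnect in the wrong place.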
-- 
2.1.0


Re: [Freeipa-devel] [PATCHES 00012-0013 v7] Profiles and CA ACLs

2015-06-10 Thread Martin Basti

On 10/06/15 06:40, Fraser Tweedale wrote:

On Tue, Jun 09, 2015 at 04:37:56PM +0200, Martin Basti wrote:

On 09/06/15 08:58, Fraser Tweedale wrote:

On Mon, Jun 08, 2015 at 08:49:06AM +0200, Martin Kosek wrote:

On 06/08/2015 03:31 AM, Fraser Tweedale wrote:

New patches attached.  Comments inline.

Thanks Fraser!

...

5)
Missing referint plugin configuration for attribute
'ipacaaclmembercertprofile'
Please add it into install/updates/25-referint.update (+ other member
attributes if missing)


Added this.  There is a comment in 25-referint.update:

 # pres and eq indexes defined in 20-indices.update must be set
 # for all the attributes

Can you explain what is required here?  Is it just to add: I see
things for memberUser and memberHost in indices.ldif but nothing for
memberService.  Do I need to add to indices.ldif:

 dn: cn=memberProfile,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 changetype: add
 cn: memberProfile
 ObjectClass: top
 ObjectClass: nsIndex
 nsSystemIndex: false
 nsIndexType: eq
 nsIndexType: pres
 nsIndexType: sub

, and similarly for memberCa?  Sorry I do not know much about LDAP
indexing.

AFAIR, yes. BTW, where does the "sub" index come from? It is quite an expensive
index to use and I now cannot think of memberProfile search where you would
need a substring...

Thanks,
Martin

Updated patch attached, which adds the indices.  (Also rebased).

There is a commit that seems to indicate that substring index is
needed, so I have included substring indices in this patchset.
Copied Honza in case he wants to comment.

 commit a10521a1dcf69960d6ce0bf5657180b709c297c0
 Author: Jan Cholasta 
 Date:   Tue Jun 25 13:16:40 2013 +

 Add missing substring indices for attributes managed by the referint 
plugin.

 The referint plugin does a substring search on these attributes each 
time an
 entry is deleted, which causes a noticeable slowdown for large 
directories if
 the attributes are not indexed.

 https://fedorahosted.org/freeipa/ticket/3706

Cheers,
Fraser

ACK

Please send the upgrade patch ASAP :)

--
Martin Basti


Thank you for the ACK \o/

Since the patches have not been pushed, here is an updated patchset
which adds the upgrade behaviour.  There are no changes apart from
the additions to ipaserver/install/server/upgrade.py.

Cheers,
Fraser

ACK


--
Martin Basti



[Freeipa-devel] [PATCHES 434, 443, 444] vault: Fix ipa-kra-install

2015-06-10 Thread Jan Cholasta

Hi,

the attached patches fix several shortcomings in ipa-kra-install, see 
commit messages.




(Patch 434 was introduced in 
.)


Honza

--
Jan Cholasta
>From 7a668e773b9c7a600e8ab9581aa70ab5629123fc Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Wed, 10 Jun 2015 10:35:43 +
Subject: [PATCH 1/3] vault: Move vaults to cn=vaults,cn=kra

https://fedorahosted.org/freeipa/ticket/3872
---
 freeipa.spec.in   |  1 +
 install/share/Makefile.am |  1 +
 install/share/vault.update| 24 
 install/updates/40-vault.update   | 19 ---
 install/updates/Makefile.am   |  1 -
 ipa-client/man/default.conf.5 |  2 +-
 ipalib/constants.py   |  2 +-
 ipaplatform/base/paths.py |  1 +
 ipaserver/install/kra.py  |  4 ++--
 ipaserver/install/krainstance.py  | 21 +
 ipatests/test_xmlrpc/test_vault_plugin.py | 24 
 11 files changed, 60 insertions(+), 40 deletions(-)
 create mode 100644 install/share/vault.update
 delete mode 100644 install/updates/40-vault.update

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 23c3d1a..64b24c8 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -716,6 +716,7 @@ fi
 %{_usr}/share/ipa/copy-schema-to-ca.py*
 %{_usr}/share/ipa/*.ldif
 %{_usr}/share/ipa/*.uldif
+%{_usr}/share/ipa/*.update
 %{_usr}/share/ipa/*.template
 %dir %{_usr}/share/ipa/advise
 %dir %{_usr}/share/ipa/advise/legacy
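Review bot: `%{_usr}/share/ipa/*.update` packages every .update file in that directory rather than only the vault.update this patch adds; if the glob is meant as the convention for future share-level update files, say so in the commit message, otherwise list vault.update explicitly so a stray file is not shipped by accident.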
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 31f391b..5d8397b 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -82,6 +82,7 @@ app_DATA =\
 	copy-schema-to-ca.py		\
 	sasl-mapping-fallback.ldif	\
 	schema-update.ldif		\
+	vault.update			\
 	$(NULL)
 
 EXTRA_DIST =\
diff --git a/install/share/vault.update b/install/share/vault.update
new file mode 100644
index 000..dcd1e2a
--- /dev/null
+++ b/install/share/vault.update
@@ -0,0 +1,24 @@
+dn: cn=kra,$SUFFIX
+default: objectClass: top
+default: objectClass: nsContainer
+default: cn: kra
+
+dn: cn=vaults,cn=kra,$SUFFIX
+default: objectClass: top
+default: objectClass: nsContainer
+default: cn: vaults
+
+dn: cn=services,cn=vaults,cn=kra,$SUFFIX
+default: objectClass: top
+default: objectClass: nsContainer
+default: cn: services
+
+dn: cn=shared,cn=vaults,cn=kra,$SUFFIX
+default: objectClass: top
+default: objectClass: nsContainer
+default: cn: shared
+
+dn: cn=users,cn=vaults,cn=kra,$SUFFIX
+default: objectClass: top
+default: objectClass: nsContainer
+default: cn: users
diff --git a/install/updates/40-vault.update b/install/updates/40-vault.update
deleted file mode 100644
index 5a6b8c6..000
--- a/install/updates/40-vault.update
+++ /dev/null
@@ -1,19 +0,0 @@
-dn: cn=vaults,$SUFFIX
-default: objectClass: top
-default: objectClass: nsContainer
-default: cn: vaults
-
-dn: cn=services,cn=vaults,$SUFFIX
-default: objectClass: top
-default: objectClass: nsContainer
-default: cn: services
-
-dn: cn=shared,cn=vaults,$SUFFIX
-default: objectClass: top
-default: objectClass: nsContainer
-default: cn: shared
-
-dn: cn=users,cn=vaults,$SUFFIX
-default: objectClass: top
-default: objectClass: nsContainer
-default: cn: users
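Review bot: removing the auto-applied install/updates/40-vault.update without a migration means any vault entries already created under cn=vaults,$SUFFIX on an installed server are left behind once container_vault points at cn=vaults,cn=kra; per the file list only install/share/vault.update and krainstance.py replace it, so either add an update that moves existing entries to the new container or state in the commit message that no released version ever created them at the old location.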
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index fc6bd62..1c7da35 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -34,7 +34,6 @@ app_DATA =\
 	40-automember.update		\
 	40-certprofile.update		\
 	40-otp.update			\
-	40-vault.update			\
 	45-roles.update			\
 	50-7_bit_check.update	\
 	50-dogtag10-migration.update	\
diff --git a/ipa-client/man/default.conf.5 b/ipa-client/man/default.conf.5
index 0973f1a..e345e93 100644
--- a/ipa-client/man/default.conf.5
+++ b/ipa-client/man/default.conf.5
@@ -221,7 +221,7 @@ The following define the containers for the IPA server. Containers define where
   container_sudocmdgroup: cn=sudocmdgroups,cn=sudo
   container_sudorule: cn=sudorules,cn=sudo
   container_user: cn=users,cn=accounts
-  container_vault: cn=vaults
+  container_vault: cn=vaults,cn=kra
   container_virtual: cn=virtual operations,cn=etc
 
 .SH "FILES"
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 93d7aaa..0ffdcbf 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -99,7 +99,7 @@ DEFAULT_CONFIG = (
 ('container_hbacservice', DN(('cn', 'hbacservices'), ('cn', 'hbac'))),
 ('container_hbacservicegroup', DN(('cn', 'hbacservicegroups'), ('cn', 'hbac'))),
 ('container_dns', DN(('cn', 'dns'))),
-('container_vault', DN(('cn', 'vaults'))),
+('container_vault', DN(('cn', 'vaults'), ('cn', 'kra'))),
 ('container_virtual', DN(('cn', 'virtual operations'), ('cn', 'etc'))),
 ('container_sudorule', DN(('cn', 'sudorules'), ('cn', 'sudo'))),
 (

Re: [Freeipa-devel] Stage users - inconsistent permission names

2015-06-10 Thread thierry bordaz

On 06/10/2015 12:16 PM, Martin Kosek wrote:

On 06/10/2015 10:01 AM, David Kupka wrote:

On 06/10/2015 09:12 AM, Martin Kosek wrote:

Hello Thierry/David,

I saw the new privileges and permissions for the Staged Users functionality and
found a couple of spelling/English issues that I think we should fix before Alpha/GA
so that we can just rename them and not care about upgrade changes.

Namely:

# ipa permission-find stage | grep -i "Permission name"
Permission name: System: Add Stage Users by Provisioning and Administrators

Should be "System: Add Stage User"

Permission should not care who will do it, it is privilege/role's job.

Permission name: System: Delete modify Stage Users by administrators

Why is Modify and Delete combined in 1 permission?


Hello Martin, David,

Sorry for the delay.

Each permission creates a DS aci. At first to limit the number of aci I 
tried to group them.
So I should rather separate each individual right into separate 
permission (e.g. 'write'/MOD and 'delete'/DEL), is that correct ?


I agree it is cleaner and easier to maintain.




Should be "System: Modify Stage User" and "System: Remove Stage User"

Permission name: System: Preserve an active user to a delete Users

Maybe "System: Preserve User"? We do not use "deleted users" but rather
"preserved users" anyway

Yes. Petr Viktorin already warned me to use the proper naming.
Deleted users are better renamed in Preserved users (due to the CLI option)


Permission name: System: Reactive delete users

"System: Undelete User" to reflect the command name.

Permission name: System: Read Stage User kerberos principal key and password

Rather "System: Read Stage User password" - I do not think we need to call out
the principal key explicitly, but this is negotiable.
That's fine for me. In the initial version of the patch I put 'credentials'
but then switched to exact attributes.

Permission name: System: Read Stage Users by administrators

"System: Read Stage Users"

Permission name: System: Read/Write delete Users by administrators

This needs to be 2 permissions:

"System: Read Preserved Users"
"System: Modify Preserved Users"

Permission name: System: Reset userPassord and kerberos keys of delete users
by administrator

Rather "System: Reset Preserved User password"

Permission name: System: Write Active Users RDN by administrators

Rather "System: Modify User RDN"

Permission name: System: Write Delete Users RDN by administrators

Why is this permission needed, isn't "System: Modify Preserved Users" enough?


Absolutely you are right, this aci is already covered by "Modify 
Preserved Users"


thanks
thierry



Hello,
it's probably my fault, I should have paid more attention when reviewing the
patch set. I created ticket https://fedorahosted.org/freeipa/ticket/5057 and
can fix it.


Great, thanks! Ideally, this should be fixed for Alpha - it should not be that
hard, the names are now already proposed.




Re: [Freeipa-devel] Stage users - inconsistent permission names

2015-06-10 Thread Martin Kosek
On 06/10/2015 10:01 AM, David Kupka wrote:
> On 06/10/2015 09:12 AM, Martin Kosek wrote:
>> Hello Thierry/David,
>>
>> I saw the new privileges and permissions for the Staged Users functionality 
>> and
>> found a couple of spelling/English issues that I think we should fix before 
>> Alpha/GA
>> so that we can just rename them and not care about upgrade changes.
>>
>> Namely:
>>
>> # ipa permission-find stage | grep -i "Permission name"
>>Permission name: System: Add Stage Users by Provisioning and 
>> Administrators
>>
>> Should be "System: Add Stage User"
>>
>> Permission should not care who will do it, it is privilege/role's job.
>>
>>Permission name: System: Delete modify Stage Users by administrators
>>
>> Why is Modify and Delete combined in 1 permission?
>>
>> Should be "System: Modify Stage User" and "System: Remove Stage User"
>>
>>Permission name: System: Preserve an active user to a delete Users
>>
>> Maybe "System: Preserve User"? We do not use "deleted users" but rather
>> "preserved users anyway"
>>
>>Permission name: System: Reactive delete users
>>
>> "System: Undelete User" to reflect the command name.
>>
>>Permission name: System: Read Stage User kerberos principal key and 
>> password
>>
>> Rather "System: Read Stage User password" - I do not think we need to call 
>> out
>> the principal key explicitly, but this is negotiable.
>>
>>Permission name: System: Read Stage Users by administrators
>>
>> "System: Read Stage Users"
>>
>>Permission name: System: Read/Write delete Users by administrators
>>
>> This needs to be 2 permissions:
>>
>> "System: Read Preserved Users"
>> "System: Modify Preserved Users"
>>
>>Permission name: System: Reset userPassord and kerberos keys of delete 
>> users
>> by administrator
>>
>> Rather "System: Reset Preserved User password"
>>
>>Permission name: System: Write Active Users RDN by administrators
>>
>> Rather "System: Modify User RDN"
>>
>>Permission name: System: Write Delete Users RDN by administrators
>>
>> Why is this permission needed, isn't "System: Modify Preserved Users" enough?
>>
> Hello,
> it's probably my fault, I should have paid more attention when reviewing the
> patch set. I created ticket https://fedorahosted.org/freeipa/ticket/5057 and
> can fix it.
> 

Great, thanks! Ideally, this should be fixed for Alpha - it should not be that
hard, the names are now already proposed.



Re: [Freeipa-devel] topology issues

2015-06-10 Thread Ludwig Krispenz


On 06/10/2015 10:41 AM, Martin Basti wrote:

On 10/06/15 09:13, Ludwig Krispenz wrote:

Hi,

there seems to be something going wrong in the code to delete the
services.


The code is:

# delete master entry with all active services
try:
    dn = DN(('cn', replica), ('cn', 'masters'), ('cn', 'ipa'),
            ('cn', 'etc'), self.suffix)
    entries = self.conn.get_entries(dn, ldap.SCOPE_SUBTREE)
    if entries:
        entries.sort(key=lambda x: len(x.dn), reverse=True)
        for entry in entries:
            self.conn.delete_entry(entry)
except errors.NotFound:
    pass
except Exception, e:
    if not force:
        raise e
    elif not err:
        err = e

In the access log we see:


[09/Jun/2015:08:32:42 -0400] conn=150 op=52 SRCH 
base="cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net" 
scope=2 filter="(objectClass=*)" attrs=ALL
[09/Jun/2015:08:32:42 -0400] conn=150 op=52 RESULT err=0 tag=101 
nentries=8 etime=0 notes=U


this was the get_entries, it returns 8 entries

[09/Jun/2015:08:32:42 -0400] conn=150 op=53 DEL 
dn="cn=KDC,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
[09/Jun/2015:08:32:42 -0400] conn=150 op=53 RESULT err=0 tag=107 
nentries=0 etime=0 csn=5576dceb00060004
[09/Jun/2015:08:32:42 -0400] conn=150 op=54 DEL 
dn="cn=KPASSWD,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
[09/Jun/2015:08:32:42 -0400] conn=150 op=54 RESULT err=0 tag=107 
nentries=0 etime=0 csn=5576dceb00070004
[09/Jun/2015:08:32:42 -0400] conn=150 op=55 DEL 
dn="cn=MEMCACHE,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
[09/Jun/2015:08:32:43 -0400] conn=150 op=55 RESULT err=0 tag=107 
nentries=0 etime=1 csn=5576dcec00010004


here it stops after deleting three entries, and it should do it in 
reverse order of the dn length, but KDC is deleted before MEMCACHE

[09/Jun/2015:08:32:43 -0400] conn=150 op=56 UNBIND


Are there any ideas what is going on or how to debug it?


Actually, both DNs of KDC and MEMCACHE have the same length.
IPA implements its own DN class, where length is the number of AVA/RDN 
parts (mixed in code, but it means 'cn=user' has length 1, and 
'cn=user,cn=accounts' has length 2)


def __len__(self):
    return len(self.rdns)

This reverse sort guarantees the child entries will be removed before 
the parent entries.
thanks, then it is ok, but it does not explain why not all services and 
the master were deleted.


To debug, maybe print the entries from IPA code, before sort and after 
sort might help.
yep, but so far only Oleg reported this, and he's not here today; I 
haven't reproduced the issue


Martin^2



On 06/09/2015 05:32 PM, Ludwig Krispenz wrote:

Hi Oleg,
thanks for access to your machine, the replication agreements are 
still there - and that is expected since the server was not removed.


In the access log I see:

[09/Jun/2015:08:32:42 -0400] conn=150 op=52 SRCH base="cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net" scope=2 filter="(objectClass=*)" attrs=ALL
[09/Jun/2015:08:32:42 -0400] conn=150 op=52 RESULT err=0 tag=101 nentries=8 etime=0 notes=U
[09/Jun/2015:08:32:42 -0400] conn=150 op=53 DEL dn="cn=KDC,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
[09/Jun/2015:08:32:42 -0400] conn=150 op=53 RESULT err=0 tag=107 nentries=0 etime=0 csn=5576dceb00060004
[09/Jun/2015:08:32:42 -0400] conn=150 op=54 DEL dn="cn=KPASSWD,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
[09/Jun/2015:08:32:42 -0400] conn=150 op=54 RESULT err=0 tag=107 nentries=0 etime=0 csn=5576dceb00070004
[09/Jun/2015:08:32:42 -0400] conn=150 op=55 DEL dn="cn=MEMCACHE,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
[09/Jun/2015:08:32:43 -0400] conn=150 op=55 RESULT err=0 tag=107 nentries=0 etime=1 csn=5576dcec00010004

[09/Jun/2015:08:32:43 -0400] conn=150 op=56 UNBIND

the search for cn=f22replica1.bagam.net,cn=masters, returns 8 
entries, which then should be deleted, but only 3 are deleted and the
cn=f22replica1.bagam.net,cn=masters,... entry is not deleted, so the 
topology segments are not deleted, and the agreement is not removed.


I don't know why ipa-replica-manage del does stop deleting services 
and the master entry




On 06/09/2015 04:25 PM, Oleg Fayans wrote:



On 06/09/2015 04:19 PM, Ludwig Krispenz wrote:


On 06/09/2015 04:14 PM, Oleg Fayans wrote:



On 06/09/2015 04:04 PM, Ludwig Krispenz wrote:


On 06/09/2015 03:55 PM, Oleg Fayans wrote:

Hi everybody,

The current status of Topology plugin testing is as follows:

1. There is still no proper way of removing the replica.
Standard procedure using `ipa-replica-manage del` throws 
"Server is unwilling to perform: Entry is managed by topology 
plugin.Deletion not allowed.". 
yes, that is for the first attempt to directly remove th

Re: [Freeipa-devel] topology issues

2015-06-10 Thread Martin Basti

On 10/06/15 09:13, Ludwig Krispenz wrote:

Hi,

there seems to be something going wrong in the code to delete the 
services.


The code is:

# delete master entry with all active services
try:
    dn = DN(('cn', replica), ('cn', 'masters'), ('cn', 'ipa'),
            ('cn', 'etc'), self.suffix)
    entries = self.conn.get_entries(dn, ldap.SCOPE_SUBTREE)
    if entries:
        entries.sort(key=lambda x: len(x.dn), reverse=True)
        for entry in entries:
            self.conn.delete_entry(entry)
except errors.NotFound:
    pass
except Exception, e:
    if not force:
        raise e
    elif not err:
        err = e

In the access log we see:


[09/Jun/2015:08:32:42 -0400] conn=150 op=52 SRCH base="cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net" scope=2 filter="(objectClass=*)" attrs=ALL
[09/Jun/2015:08:32:42 -0400] conn=150 op=52 RESULT err=0 tag=101 nentries=8 etime=0 notes=U


this was the get_entries, it returns 8 entries

[09/Jun/2015:08:32:42 -0400] conn=150 op=53 DEL dn="cn=KDC,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
[09/Jun/2015:08:32:42 -0400] conn=150 op=53 RESULT err=0 tag=107 nentries=0 etime=0 csn=5576dceb00060004
[09/Jun/2015:08:32:42 -0400] conn=150 op=54 DEL dn="cn=KPASSWD,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
[09/Jun/2015:08:32:42 -0400] conn=150 op=54 RESULT err=0 tag=107 nentries=0 etime=0 csn=5576dceb00070004
[09/Jun/2015:08:32:42 -0400] conn=150 op=55 DEL dn="cn=MEMCACHE,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
[09/Jun/2015:08:32:43 -0400] conn=150 op=55 RESULT err=0 tag=107 nentries=0 etime=1 csn=5576dcec00010004


here it stops after deleting three entries, and it should do it in 
reverse order of the dn length, but KDC is deleted before MEMCACHE

[09/Jun/2015:08:32:43 -0400] conn=150 op=56 UNBIND


Are there any ideas what is going on or how to debug it?


Actually, both DNs of KDC and MEMCACHE have the same length.
IPA implements its own DN class, where length is the number of AVA/RDN parts 
(mixed in code, but it means 'cn=user' has length 1, and 
'cn=user,cn=accounts' has length 2)


def __len__(self):
    return len(self.rdns)

This reverse sort guarantees the child entries will be removed before 
the parent entries.


To debug, maybe print the entries from IPA code, before sort and after 
sort might help.


Martin^2



On 06/09/2015 05:32 PM, Ludwig Krispenz wrote:

Hi Oleg,
thanks for access to your machine, the replication agreements are 
still there - and that is expected since the server was not removed.


In the access log I see:

[09/Jun/2015:08:32:42 -0400] conn=150 op=52 SRCH base="cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net" scope=2 filter="(objectClass=*)" attrs=ALL
[09/Jun/2015:08:32:42 -0400] conn=150 op=52 RESULT err=0 tag=101 nentries=8 etime=0 notes=U
[09/Jun/2015:08:32:42 -0400] conn=150 op=53 DEL dn="cn=KDC,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
[09/Jun/2015:08:32:42 -0400] conn=150 op=53 RESULT err=0 tag=107 nentries=0 etime=0 csn=5576dceb00060004
[09/Jun/2015:08:32:42 -0400] conn=150 op=54 DEL dn="cn=KPASSWD,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
[09/Jun/2015:08:32:42 -0400] conn=150 op=54 RESULT err=0 tag=107 nentries=0 etime=0 csn=5576dceb00070004
[09/Jun/2015:08:32:42 -0400] conn=150 op=55 DEL dn="cn=MEMCACHE,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
[09/Jun/2015:08:32:43 -0400] conn=150 op=55 RESULT err=0 tag=107 nentries=0 etime=1 csn=5576dcec00010004

[09/Jun/2015:08:32:43 -0400] conn=150 op=56 UNBIND

the search for cn=f22replica1.bagam.net,cn=masters, returns 8 
entries, which then should be deleted, but only 3 are deleted and the
cn=f22replica1.bagam.net,cn=masters,... entry is not deleted, so the 
topology segments are not deleted, and the agreement is not removed.


I don't know why ipa-replica-manage del does stop deleting services 
and the master entry




On 06/09/2015 04:25 PM, Oleg Fayans wrote:



On 06/09/2015 04:19 PM, Ludwig Krispenz wrote:


On 06/09/2015 04:14 PM, Oleg Fayans wrote:



On 06/09/2015 04:04 PM, Ludwig Krispenz wrote:


On 06/09/2015 03:55 PM, Oleg Fayans wrote:

Hi everybody,

The current status of Topology plugin testing is as follows:

1. There is still no proper way of removing the replica.
Standard procedure using `ipa-replica-manage del` throws "Server 
is unwilling to perform: Entry is managed by topology 
plugin.Deletion not allowed.". 
yes, that is for the first attempt to directly remove the 
agreement, but when the server is removed the agreements should 
be removed
We should probably think of a less threatening error message in this 
case. Just from reading the command output one might conclude that 
replica removal failed.
The re
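An added example, not FreeIPA's own code, modelling the deletion snippet quoted in this thread and Martin's explanation of `DN.__len__` above: a stand-in `DN` whose `len()` counts RDNs, a `FakeConn` in place of the LDAP connection, and constructed entries so it runs offline. It shows why KDC and MEMCACHE sort as equals (deepest first, with `sorted()` keeping the server's order among siblings), and that with the single `try` wrapped around the loop as in the snippet, one failing delete ends the loop whether or not `force` is set; `force` only decides whether the error is raised or remembered. The suffix, the master hostname and the service names other than KDC, KPASSWD and MEMCACHE are constructed sample values.

```python
# Added example, not FreeIPA code: models the deletion order of the
# ipa-replica-manage snippet with a stand-in DN and a fake LDAP connection.
from collections import namedtuple


class DN(object):
    """Stand-in for ipapython.dn.DN: a tuple of (attribute, value) RDNs,
    leaf first. len() is the number of RDNs, not the string length."""

    def __init__(self, *rdns, base=None):
        self.rdns = tuple(rdns) + (base.rdns if base is not None else ())

    def __len__(self):
        return len(self.rdns)

    def __str__(self):
        return ','.join('%s=%s' % (attr, val) for attr, val in self.rdns)

    def __eq__(self, other):
        return isinstance(other, DN) and self.rdns == other.rdns

    def __hash__(self):
        return hash(self.rdns)


# Entries as returned by the subtree search; only the DN matters here.
Entry = namedtuple('Entry', ['dn'])


class NotFound(Exception):
    """Stand-in for ipalib.errors.NotFound."""


class DeleteFailed(Exception):
    """Any other error raised by delete_entry (constructed for the demo)."""


class FakeConn(object):
    """Stand-in LDAP connection: records deletions, fails on listed DNs."""

    def __init__(self, failing=()):
        self.failing = set(failing)
        self.deleted = []

    def delete_entry(self, entry):
        if entry.dn in self.failing:
            raise DeleteFailed('cannot delete %s' % entry.dn)
        self.deleted.append(entry.dn)


def deletion_order(entries):
    """Deepest DN first, as the snippet's reverse sort does. sorted() is
    stable, so entries of equal depth (KDC, KPASSWD, MEMCACHE, ...) keep the
    order in which the server returned them."""
    return sorted(entries, key=lambda e: len(e.dn), reverse=True)


def delete_master_subtree(conn, entries, force=False):
    """Same control flow as the snippet: a single try around the loop, so the
    first failing delete ends the loop. force only decides whether that error
    is raised or returned; entries after the failing one are never tried."""
    err = None
    try:
        for entry in deletion_order(entries):
            conn.delete_entry(entry)
    except NotFound:
        pass
    except Exception as e:
        if not force:
            raise
        elif err is None:
            err = e
    return err


# Constructed sample data: suffix and hostname are made up; the service
# names KDC, KPASSWD and MEMCACHE are the ones seen in the access log.
SUFFIX = DN(('dc', 'example'), ('dc', 'test'))
MASTER = DN(('cn', 'replica1.example.test'), ('cn', 'masters'),
            ('cn', 'ipa'), ('cn', 'etc'), base=SUFFIX)
SERVICES = ('KDC', 'KPASSWD', 'MEMCACHE', 'HTTP', 'DNS', 'CA', 'OTP')
ENTRIES = [Entry(MASTER)] + [Entry(DN(('cn', svc), base=MASTER))
                             for svc in SERVICES]


if __name__ == '__main__':
    for entry in deletion_order(ENTRIES):
        print(len(entry.dn), entry.dn)
```

Run directly it prints the seven service entries (depth 7) ahead of the master entry (depth 6). Continuing past a failed entry, so that the remaining services and the master still get removed under `force`, would need the `try` moved inside the loop; as written, the error handling only changes what is reported, not how far the loop gets.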

Re: [Freeipa-devel] [PATCH] Password vault

2015-06-10 Thread Jan Cholasta

Dne 8.6.2015 v 12:04 Jan Cholasta napsal(a):

Dne 5.6.2015 v 21:50 Endi Sukma Dewata napsal(a):

On 6/5/2015 7:13 AM, Jan Cholasta wrote:

BTW, ipa-kra-install is broken with pki-core-10.2.4-1, but it works with
pki-core-10.2.1-3.


There's a bug in IPA: https://bugzilla.redhat.com/show_bug.cgi?id=1228671


Cloned the bug to .



The patch needs a rebase and version bump ("VERSION" line at the top of
ipa-pki-proxy.conf).


I have bumped VERSION and rebased the patch, see attachment.

Pushed to master: 62ef11efad4ebbb8fa6f13a15c5ed8e833e90d43

--
Jan Cholasta
>From 548636e6b1c7c0f921f882ec7510dc1365d4042a Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Mon, 8 Jun 2015 05:30:47 +
Subject: [PATCH] Fixed KRA installation problem.

The ipa-pki-proxy.conf has been modified to optionally require
client certificate authentication for PKI REST services as it's
done in standalone PKI to allow the proper KRA installation.

https://fedorahosted.org/freeipa/ticket/5058
---
 install/conf/ipa-pki-proxy.conf | 15 ---
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf
index 354b340..4b5b6f7 100644
--- a/install/conf/ipa-pki-proxy.conf
+++ b/install/conf/ipa-pki-proxy.conf
@@ -1,4 +1,4 @@
-# VERSION 7 - DO NOT REMOVE THIS LINE
+# VERSION 8 - DO NOT REMOVE THIS LINE
 
 ProxyRequests Off
 
@@ -11,7 +11,7 @@ ProxyRequests Off
 
 
 # matches for admin port and installer
-
+
 NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
 NSSVerifyClient none
 ProxyPassMatch ajp://localhost:$DOGTAG_PORT
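Review bot: the `-`/`+` pair directly under `# matches for admin port and installer` is blank in this copy of the patch, so the directive change it carries (the match pattern for that section) cannot be reviewed from what is shown; please re-send with those lines intact. What is visible is that this section keeps `NSSVerifyClient none`, so any path the new pattern adds here is reachable without a client certificate at the proxy and relies entirely on Dogtag's own authentication.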
@@ -19,24 +19,25 @@ ProxyRequests Off
 
 
 # matches for agent port and eeca port
-
+
 NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
 NSSVerifyClient require
 ProxyPassMatch ajp://localhost:$DOGTAG_PORT
 ProxyPassReverse ajp://localhost:$DOGTAG_PORT
 
 
-# matches for REST API
-
+# matches for CA REST API
+
 NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
 NSSVerifyClient optional
 ProxyPassMatch ajp://localhost:$DOGTAG_PORT
 ProxyPassReverse ajp://localhost:$DOGTAG_PORT
 
 
-
+# matches for KRA REST API
+
 NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
-NSSVerifyClient none
+NSSVerifyClient optional
 ProxyPassMatch ajp://localhost:$DOGTAG_PORT
 ProxyPassReverse ajp://localhost:$DOGTAG_PORT
 
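Review bot: the security-relevant change is in the last block, where the KRA REST API section moves from `NSSVerifyClient none` to `NSSVerifyClient optional`, matching the CA REST API section above it. `optional` requests a client certificate but does not reject connections without one, so it only makes the certificate available to the backend (via `+ExportCertData`); enforcing it for agent-level KRA operations remains the KRA's own job, and the commit message's "optionally require client certificate authentication" should say that plainly. As in the previous hunk, the `-`/`+` directive lines carrying the URL patterns are blank here, so it cannot be checked that the new KRA section matches only the KRA REST paths and does not overlap the agent-port section, which still has `NSSVerifyClient require`.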
-- 
2.1.0


Re: [Freeipa-devel] Stage users - inconsistent permission names

2015-06-10 Thread David Kupka

On 06/10/2015 09:12 AM, Martin Kosek wrote:

Hello Thierry/David,

I saw the new privileges and permissions for the Staged Users functionality and
found a couple of spelling/English issues that I think we should fix before Alpha/GA
so that we can just rename them and not care about upgrade changes.

Namely:

# ipa permission-find stage | grep -i "Permission name"
   Permission name: System: Add Stage Users by Provisioning and Administrators

Should be "System: Add Stage User"

Permission should not care who will do it, it is privilege/role's job.

   Permission name: System: Delete modify Stage Users by administrators

Why is Modify and Delete combined in 1 permission?

Should be "System: Modify Stage User" and "System: Remove Stage User"

   Permission name: System: Preserve an active user to a delete Users

Maybe "System: Preserve User"? We do not use "deleted users" but rather
"preserved users" anyway

   Permission name: System: Reactive delete users

"System: Undelete User" to reflect the command name.

   Permission name: System: Read Stage User kerberos principal key and password

Rather "System: Read Stage User password" - I do not think we need to call out
the principal key explicitly, but this is negotiable.

   Permission name: System: Read Stage Users by administrators

"System: Read Stage Users"

   Permission name: System: Read/Write delete Users by administrators

This needs to be 2 permissions:

"System: Read Preserved Users"
"System: Modify Preserved Users"

   Permission name: System: Reset userPassord and kerberos keys of delete users
by administrator

Rather "System: Reset Preserved User password"

   Permission name: System: Write Active Users RDN by administrators

Rather "System: Modify User RDN"

   Permission name: System: Write Delete Users RDN by administrators

Why is this permission needed, isn't "System: Modify Preserved Users" enough?


Hello,
it's probably my fault, I should have paid more attention when reviewing 
the patch set. I created ticket 
https://fedorahosted.org/freeipa/ticket/5057 and can fix it.


--
David Kupka



Re: [Freeipa-devel] [PATCHES 439-442] install: Migrate ipa-replica-install to the install framework

2015-06-10 Thread Jan Cholasta

Dne 10.6.2015 v 09:28 David Kupka napsal(a):

On 06/09/2015 02:06 PM, Jan Cholasta wrote:

Hi,

the attached patches implement another part of
.

Honza




Works for me, ACK.



Thanks.

Pushed to master: 46cbe26b51f7ac8f24351d165c50d415326f

--
Jan Cholasta



Re: [Freeipa-devel] [PATCHES 439-442] install: Migrate ipa-replica-install to the install framework

2015-06-10 Thread David Kupka

On 06/09/2015 02:06 PM, Jan Cholasta wrote:

Hi,

the attached patches implement another part of
.

Honza




Works for me, ACK.

--
David Kupka



Re: [Freeipa-devel] topology issues

2015-06-10 Thread Ludwig Krispenz

Hi,

there seems to be something going wrong in the code to delete the services.

The code is:

# delete master entry with all active services
try:
    dn = DN(('cn', replica), ('cn', 'masters'), ('cn', 'ipa'),
            ('cn', 'etc'), self.suffix)
    entries = self.conn.get_entries(dn, ldap.SCOPE_SUBTREE)
    if entries:
        entries.sort(key=lambda x: len(x.dn), reverse=True)
        for entry in entries:
            self.conn.delete_entry(entry)
except errors.NotFound:
    pass
except Exception, e:
    if not force:
        raise e
    elif not err:
        err = e

In the access log we see:


[09/Jun/2015:08:32:42 -0400] conn=150 op=52 SRCH base="cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net" scope=2 filter="(objectClass=*)" attrs=ALL
[09/Jun/2015:08:32:42 -0400] conn=150 op=52 RESULT err=0 tag=101 nentries=8 etime=0 notes=U


this was the get_entries, it returns 8 entries

[09/Jun/2015:08:32:42 -0400] conn=150 op=53 DEL dn="cn=KDC,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
[09/Jun/2015:08:32:42 -0400] conn=150 op=53 RESULT err=0 tag=107 nentries=0 etime=0 csn=5576dceb00060004
[09/Jun/2015:08:32:42 -0400] conn=150 op=54 DEL dn="cn=KPASSWD,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
[09/Jun/2015:08:32:42 -0400] conn=150 op=54 RESULT err=0 tag=107 nentries=0 etime=0 csn=5576dceb00070004
[09/Jun/2015:08:32:42 -0400] conn=150 op=55 DEL dn="cn=MEMCACHE,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
[09/Jun/2015:08:32:43 -0400] conn=150 op=55 RESULT err=0 tag=107 nentries=0 etime=1 csn=5576dcec00010004


here it stops after deleting three entries, and it should do it in 
reverse order of the dn length, but KDC is deleted before MEMCACHE

[09/Jun/2015:08:32:43 -0400] conn=150 op=56 UNBIND


Are there any ideas what is going on or how to debug it?


On 06/09/2015 05:32 PM, Ludwig Krispenz wrote:

Hi Oleg,
thanks for access to your machine, the replication agreements are 
still there - and that is expected since the server was not removed.


In the access log I see:

[09/Jun/2015:08:32:42 -0400] conn=150 op=52 SRCH base="cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net" scope=2 filter="(objectClass=*)" attrs=ALL
[09/Jun/2015:08:32:42 -0400] conn=150 op=52 RESULT err=0 tag=101 nentries=8 etime=0 notes=U
[09/Jun/2015:08:32:42 -0400] conn=150 op=53 DEL dn="cn=KDC,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
[09/Jun/2015:08:32:42 -0400] conn=150 op=53 RESULT err=0 tag=107 nentries=0 etime=0 csn=5576dceb00060004
[09/Jun/2015:08:32:42 -0400] conn=150 op=54 DEL dn="cn=KPASSWD,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
[09/Jun/2015:08:32:42 -0400] conn=150 op=54 RESULT err=0 tag=107 nentries=0 etime=0 csn=5576dceb00070004
[09/Jun/2015:08:32:42 -0400] conn=150 op=55 DEL dn="cn=MEMCACHE,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
[09/Jun/2015:08:32:43 -0400] conn=150 op=55 RESULT err=0 tag=107 nentries=0 etime=1 csn=5576dcec00010004

[09/Jun/2015:08:32:43 -0400] conn=150 op=56 UNBIND

the search for cn=f22replica1.bagam.net,cn=masters, returns 8 
entries, which then should be deleted, but only 3 are deleted and the
cn=f22replica1.bagam.net,cn=masters,... entry is not deleted, so the 
topology segments are not deleted, and the agreement is not removed.


I don't know why ipa-replica-manage del does stop deleting services 
and the master entry




On 06/09/2015 04:25 PM, Oleg Fayans wrote:



On 06/09/2015 04:19 PM, Ludwig Krispenz wrote:


On 06/09/2015 04:14 PM, Oleg Fayans wrote:



On 06/09/2015 04:04 PM, Ludwig Krispenz wrote:


On 06/09/2015 03:55 PM, Oleg Fayans wrote:

Hi everybody,

The current status of Topology plugin testing is as follows:

1. There is still no proper way of removing the replica.
Standard procedure using `ipa-replica-manage del` throws "Server 
is unwilling to perform: Entry is managed by topology 
plugin.Deletion not allowed.". 
yes, that is for the first attempt to directly remove the 
agreement, but when the server is removed the agreements should be 
removed
We should probably think of a less threatening error message in this 
case. Just from reading the command output one might conclude that 
replica removal failed.
The replication agreement though does get deleted, 

then it is ok,
but the topology information does not get updated. 
what do you mean, where do you check? in the "remaining" topology 
the shared tree should be updated, for the removed replica it will 
not, but this should be uninstalled anyway
The problem here, is that the topology information does not get 
updated on master as well.
could you be a bit more precise. what do you still see? the 
agreement will be only removed if the segment is removed, and this 
should be reoplica

[Freeipa-devel] Stage users - inconsistent permission names

2015-06-10 Thread Martin Kosek
Hello Thierry/David,

I saw the new privileges and permissions for the Staged Users functionality and
found a couple of spelling/English issues that I think we should fix before Alpha/GA
so that we can just rename them and not care about upgrade changes.

Namely:

# ipa permission-find stage | grep -i "Permission name"
  Permission name: System: Add Stage Users by Provisioning and Administrators

Should be "System: Add Stage User"

Permission should not care who will do it, it is privilege/role's job.

  Permission name: System: Delete modify Stage Users by administrators

Why is Modify and Delete combined in 1 permission?

Should be "System: Modify Stage User" and "System: Remove Stage User"

  Permission name: System: Preserve an active user to a delete Users

Maybe "System: Preserve User"? We do not use "deleted users" but rather
"preserved users" anyway

  Permission name: System: Reactive delete users

"System: Undelete User" to reflect the command name.

  Permission name: System: Read Stage User kerberos principal key and password

Rather "System: Read Stage User password" - I do not think we need to call out
the principal key explicitly, but this is negotiable.

  Permission name: System: Read Stage Users by administrators

"System: Read Stage Users"

  Permission name: System: Read/Write delete Users by administrators

This needs to be 2 permissions:

"System: Read Preserved Users"
"System: Modify Preserved Users"

  Permission name: System: Reset userPassord and kerberos keys of delete users
by administrator

Rather "System: Reset Preserved User password"

  Permission name: System: Write Active Users RDN by administrators

Rather "System: Modify User RDN"

  Permission name: System: Write Delete Users RDN by administrators

Why is this permission needed, isn't "System: Modify Preserved Users" enough?

-- 
Martin Kosek 
Supervisor, Software Engineering - Identity Management Team
Red Hat Inc.
