Re: [Freeipa-devel] [PATCH] 528 Remove option added by mistake
Hi,

On 23.6.2015 at 22:37, Simo Sorce wrote:
> An option was added by mistake to ipa-replica-install during the refactoring.

ACK.

Pushed to master: 49d708f00fd13903dbd96193aac2c608e3512398

-- 
Jan Cholasta

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [PATCH] 528 Remove option added by mistake
An option was added by mistake to ipa-replica-install during the refactoring.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From 8665d4c9122db296855d82d200dc8df811f57427 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Tue, 23 Jun 2015 16:33:34 -0400
Subject: [PATCH] Replicas cannot define their own master password.

Seems like this slipped in during the refactoring of the install tools.

Signed-off-by: Simo Sorce
---
 ipaserver/install/server/replicainstall.py | 8
 1 file changed, 8 deletions(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index 303d0bcf2907165b9cb7044945bdb3bd330e508d..54d1ede1340afddeca6e1de453aadd166fb19444 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -742,14 +742,6 @@ class Replica(common.Installable, common.Interactive, core.Composite): cli_short_name='p', ) -master_password = Knob( -str, None, -sensitive=True, -deprecated=True, -description="kerberos master password (normally autogenerated)", -cli_short_name='P', -) - admin_password = Knob( str, None, sensitive=True, -- 2.4.2
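Review bot: The hunk removes the whole `master_password` Knob (deprecated=True, sensitive=True, cli_short_name='P') from `Replica`, but Knobs are read by attribute name elsewhere in the installer, so check that nothing left in replicainstall.py or the shared install core still references `master_password` or passes it on; a leftover reference would only surface at run time as an AttributeError. Since, as the subject says, replicas cannot define their own master password, a line in the commit message noting that `-P` is no longer accepted on replicas would help anyone scripting replica installs against the previous release.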
Re: [Freeipa-devel] IPA Python API
Resurrecting this thread, because the problem is getting me again.

If I go through the python interpreter and import the code that calls the ipalib, and then manually call it myself the way the webserver does, the code works. If the same code is run in the course of the web server process, I get the error:

Traceback (most recent call last):
  File "/home/derny/freeipa/env/lib/python2.7/site-packages/cherrypy/_cprequest.py", line 670, in respond
    response.body = self.handler()
  File "/home/derny/freeipa/env/lib/python2.7/site-packages/cherrypy/lib/encoding.py", line 217, in __call__
    self.body = self.oldhandler(*args, **kwargs)
  File "/home/derny/freeipa/env/lib/python2.7/site-packages/cherrypy/_cpdispatch.py", line 61, in __call__
    return self.callable(*self.args, **self.kwargs)
  File "freeipa_community_portal/app.py", line 39, in POST
    errors = user.save()
  File "freeipa_community_portal/model/user.py", line 33, in save
    self._call_api()
  File "freeipa_community_portal/model/user.py", line 45, in _call_api
    mail=self.email
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 439, in __call__
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 755, in run
    return self.forward(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 776, in forward
    return self.Backend.rpcclient.forward(self.name, *args, **kw)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 880, in forward
    command = getattr(self.conn, name)
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 97, in __get_conn
    self.id, threading.currentThread().getName())
AttributeError: no context.rpcclient in thread 'CP Server Thread-6'

The error shows up whether the server is run from within the python interpreter or by itself. I kinit and have a TGT from the IPA server. The client machine is registered with the IPA server. When I run the commands "by hand", an HTTP ticket can be seen in the klist.

When I run the webserver, no HTTP ticket is ever received, so the code is failing on the client side before it even gets to the server. Which is obviously not what should be happening. It's the same error I got when I was using Flask, and now I'm using cherrypy and it's still broken.

Could this have something to do with the web server being a multithreaded environment?
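The failure shown in the traceback above (the RPC connection is looked up in a thread-local context, so a connection made in the interpreter's main thread is invisible to a CherryPy worker thread) reproduced in a small model. This is an added example, not ipalib's code or the portal's: `Connectible`, `context` and `rpcclient` are simplified stand-ins modelled on the names in the traceback, and `user_add_in_thread` is a constructed stand-in for the web handler.

```python
"""Thread-local connection model: why a connection from the main thread
is not found in 'CP Server Thread-6'. Added illustration, not ipalib code."""
import threading

# Per-thread storage, like ipalib's `context`: each thread sees only its own attributes.
context = threading.local()


class Connectible:
    """Minimal stand-in for a backend whose connection lives in the thread-local context."""

    def __init__(self, name):
        self.id = name

    def connect(self):
        """Bind a (fake) connection to the *current* thread only."""
        setattr(context, self.id, "conn-for-%s" % threading.current_thread().name)

    def disconnect(self):
        if hasattr(context, self.id):
            delattr(context, self.id)

    @property
    def conn(self):
        # Same message shape as ipalib's __get_conn in the traceback above.
        if not hasattr(context, self.id):
            raise AttributeError(
                "no context.%s in thread %r" % (self.id, threading.current_thread().name)
            )
        return getattr(context, self.id)


rpcclient = Connectible("rpcclient")


def user_add_in_thread(connect_in_worker):
    """Run a pretend API call from a worker thread, the way CherryPy dispatches a handler.

    Returns {"value": ...} on success or {"error": ...} with the AttributeError text.
    """
    result = {}

    def handler():
        try:
            if connect_in_worker:
                rpcclient.connect()          # the fix: connect in the thread that will use it
            result["value"] = rpcclient.conn
        except AttributeError as e:
            result["error"] = str(e)
        finally:
            if connect_in_worker:
                rpcclient.disconnect()       # and release it in that same thread

    t = threading.Thread(target=handler, name="CP Server Thread-6")
    t.start()
    t.join()
    return result


def reproduce():
    """Connect once in the main thread (the interactive test), then call from a worker thread."""
    rpcclient.connect()
    try:
        return user_add_in_thread(connect_in_worker=False)
    finally:
        rpcclient.disconnect()


def fixed():
    """Connect inside the worker thread itself."""
    return user_add_in_thread(connect_in_worker=True)


if __name__ == "__main__":
    print(reproduce())   # {'error': "no context.rpcclient in thread 'CP Server Thread-6'"}
    print(fixed())       # {'value': 'conn-for-CP Server Thread-6'}
```

In ipalib the corresponding fix is to call `api.Backend.rpcclient.connect()` (and `disconnect()` afterwards) from the thread that actually runs the command, because the connection is stored per thread.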
Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)
> On Jun 23, 2015, at 2:55 PM, Simo Sorce wrote:
>
> On Tue, 2015-06-23 at 18:51 +0200, Christian Heimes wrote:
>> +WSGIImportScript /usr/lib/python2.7/site-packages/kdcproxy/__init__.py \
>> + process-group=kdcproxy application-group=kdcproxy
>> +WSGIScriptAlias /KdcProxy
>> /usr/lib/python2.7/site-packages/kdcproxy/__init__.py
>
> I find sticking an application in __init__.py a bit questionable, but
> that's in kdcproxy and not your code.
> Nathaniel, can you change that in future? Or maybe we can do it now?
>
> We should really have something like /usr/sbin/wsgi_kscproxy.py
> or /usr/libexec/kdcproxy/kdcproxy.py or similar, not something snuck
> into a __init__.py file down there.
>
> Everything else looks ok to me.

I think it is a valid upstream question. If we change that upstream, we can update FreeIPA.

Alright, let's ride this patch all the way to ACK-town.

Nathaniel
Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)
On Tue, 2015-06-23 at 18:51 +0200, Christian Heimes wrote:
> +WSGIImportScript /usr/lib/python2.7/site-packages/kdcproxy/__init__.py \
> + process-group=kdcproxy application-group=kdcproxy
> +WSGIScriptAlias /KdcProxy
> /usr/lib/python2.7/site-packages/kdcproxy/__init__.py

I find sticking an application in __init__.py a bit questionable, but that's in kdcproxy and not your code.
Nathaniel, can you change that in future? Or maybe we can do it now?

We should really have something like /usr/sbin/wsgi_kscproxy.py or /usr/libexec/kdcproxy/kdcproxy.py or similar, not something snuck into a __init__.py file down there.

Everything else looks ok to me.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)
I'm sold. ACK

Simo, speak now or forever hold your peace (or patch it later).

> On Jun 23, 2015, at 2:20 PM, Christian Heimes wrote:
>
> On 2015-06-23 19:55, Nathaniel McCallum wrote:
>> The behavior I'm worried about here is this:
>> 1. Admin installs or updates FreeIPA (w/ kdcproxy)
>> 2. Admin disables kdcproxy
>> 3. Admin updates to the next version
>>
>> After step #3, is kdcproxy enabled or disabled? I don't have a clear answer
>> to this (or at least I'm not seeing it).
>>
>> Other than this, I'm happy. So if we can answer this, it is an ack from me.
>
> That is covered by the check is_kdcproxy_configured(). It checks for the
> presence of a file. That file is created during installation or at the
> first update.
>
> Let's see if the check works. At first I'm disabling kdcproxy:
>
> # ipa-ldap-updater /usr/share/ipa/kdcproxy-disable.uldif
> Parsing update file '/usr/share/ipa/kdcproxy-disable.uldif'
> Updating existing entry: cn=KDC,cn=vm-164.abc.idm.lab.eng.brq.redhat.com,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example
> Done
> Update complete
> The ipa-ldap-updater command was successful
>
> # systemctl restart httpd.service
>
> # curl https://vm-164.abc.idm.lab.eng.brq.redhat.com/KdcProxy
> 404 Not Found
> Not Found
> The requested URL /KdcProxy was not found on this server.
>
> # stat /etc/httpd/conf.d/ipa-kdc-proxy.conf
> stat: cannot stat ‘/etc/httpd/conf.d/ipa-kdc-proxy.conf’: No such file or directory
>
> Next I'm running the updater and checking the feature again:
>
> # ipa-server-upgrade
> ...
> # systemctl restart httpd.service
>
> # curl https://vm-164.abc.idm.lab.eng.brq.redhat.com/KdcProxy
> 404 Not Found
> Not Found
> The requested URL /KdcProxy was not found on this server.
>
> # stat /etc/httpd/conf.d/ipa-kdc-proxy.conf
> stat: cannot stat ‘/etc/httpd/conf.d/ipa-kdc-proxy.conf’: No such file or directory
>
> KDC proxy is still disabled. Let's enable it and check again.
>
> # ipa-ldap-updater /usr/share/ipa/kdcproxy-enable.uldif
> Parsing update file '/usr/share/ipa/kdcproxy-enable.uldif'
> Updating existing entry: cn=KDC,cn=vm-164.abc.idm.lab.eng.brq.redhat.com,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example
> Done
> Update complete
> The ipa-ldap-updater command was successful
>
> # systemctl restart httpd.service
>
> # curl https://vm-164.abc.idm.lab.eng.brq.redhat.com/KdcProxy
> Method not allowed (GET)
>
> # stat /etc/httpd/conf.d/ipa-kdc-proxy.conf
>   File: ‘/etc/httpd/conf.d/ipa-kdc-proxy.conf’ -> ‘/etc/ipa/kdcproxy/ipa-kdc-proxy.conf’
>   Size: 36        Blocks: 0        IO Block: 4096   symbolic link
> Device: fd01h/64769d    Inode: 398238    Links: 1
> ...
Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)
On 2015-06-23 19:55, Nathaniel McCallum wrote:
> The behavior I'm worried about here is this:
> 1. Admin installs or updates FreeIPA (w/ kdcproxy)
> 2. Admin disables kdcproxy
> 3. Admin updates to the next version
>
> After step #3, is kdcproxy enabled or disabled? I don't have a clear answer
> to this (or at least I'm not seeing it).
>
> Other than this, I'm happy. So if we can answer this, it is an ack from me.

That is covered by the check is_kdcproxy_configured(). It checks for the presence of a file. That file is created during installation or at the first update.

Let's see if the check works. At first I'm disabling kdcproxy:

# ipa-ldap-updater /usr/share/ipa/kdcproxy-disable.uldif
Parsing update file '/usr/share/ipa/kdcproxy-disable.uldif'
Updating existing entry: cn=KDC,cn=vm-164.abc.idm.lab.eng.brq.redhat.com,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example
Done
Update complete
The ipa-ldap-updater command was successful

# systemctl restart httpd.service

# curl https://vm-164.abc.idm.lab.eng.brq.redhat.com/KdcProxy
404 Not Found
Not Found
The requested URL /KdcProxy was not found on this server.

# stat /etc/httpd/conf.d/ipa-kdc-proxy.conf
stat: cannot stat ‘/etc/httpd/conf.d/ipa-kdc-proxy.conf’: No such file or directory

Next I'm running the updater and checking the feature again:

# ipa-server-upgrade
...
# systemctl restart httpd.service

# curl https://vm-164.abc.idm.lab.eng.brq.redhat.com/KdcProxy
404 Not Found
Not Found
The requested URL /KdcProxy was not found on this server.

# stat /etc/httpd/conf.d/ipa-kdc-proxy.conf
stat: cannot stat ‘/etc/httpd/conf.d/ipa-kdc-proxy.conf’: No such file or directory

KDC proxy is still disabled. Let's enable it and check again.

# ipa-ldap-updater /usr/share/ipa/kdcproxy-enable.uldif
Parsing update file '/usr/share/ipa/kdcproxy-enable.uldif'
Updating existing entry: cn=KDC,cn=vm-164.abc.idm.lab.eng.brq.redhat.com,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example
Done
Update complete
The ipa-ldap-updater command was successful

# systemctl restart httpd.service

# curl https://vm-164.abc.idm.lab.eng.brq.redhat.com/KdcProxy
Method not allowed (GET)

# stat /etc/httpd/conf.d/ipa-kdc-proxy.conf
  File: ‘/etc/httpd/conf.d/ipa-kdc-proxy.conf’ -> ‘/etc/ipa/kdcproxy/ipa-kdc-proxy.conf’
  Size: 36        Blocks: 0        IO Block: 4096   symbolic link
Device: fd01h/64769d    Inode: 398238    Links: 1
...
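As an added example (not FreeIPA's own code), a small model of the switch the message above tests and of the install / disable / update scenario it quotes: the ipaConfigString=kdcProxyEnabled flag on the cn=KDC entry, the is_kdcproxy_configured() file check that makes the one-time setup run only once, and the httpd ExecStartPre step that symlinks the config into conf.d iff the flag is set. The LDAP entry is constructed, all names other than is_kdcproxy_configured are my own, and the model assumes the one-time setup also adds the flag.

```python
"""Model of the kdcproxy on/off switch, run in a temp directory. Added example, not FreeIPA code."""
import os
import shutil
import tempfile

FLAG_ATTR = "ipaConfigString"
FLAG_VALUE = "kdcProxyEnabled"


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]} (no base64 or folded lines)."""
    attrs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


class Master:
    """One IPA master: a fake filesystem root plus its cn=KDC entry kept as LDIF text."""

    def __init__(self, root, fqdn="vm-164.abc.idm.lab.eng.brq.redhat.com"):
        self.conf = os.path.join(root, "etc/ipa/kdcproxy/ipa-kdc-proxy.conf")
        self.link = os.path.join(root, "etc/httpd/conf.d/ipa-kdc-proxy.conf")
        os.makedirs(os.path.dirname(self.conf))
        os.makedirs(os.path.dirname(self.link))
        # Constructed entry; no kdcProxyEnabled value yet.
        self.entry = (
            "dn: cn=KDC,cn=%s,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example\n"
            "cn: KDC\n"
            "ipaConfigString: enabledService\n" % fqdn
        )

    # --- state in LDAP ------------------------------------------------------
    def enabled(self):
        return FLAG_VALUE in parse_ldif_entry(self.entry).get(FLAG_ATTR, [])

    def apply_uldif(self, enable):
        """What kdcproxy-enable.uldif / kdcproxy-disable.uldif do: add or delete the flag value."""
        line = "%s: %s\n" % (FLAG_ATTR, FLAG_VALUE)
        self.entry = self.entry.replace(line, "")
        if enable:
            self.entry += line

    # --- installer / updater ------------------------------------------------
    def is_kdcproxy_configured(self):
        return os.path.exists(self.conf)

    def configure(self):
        """One-time setup: write the Apache config and (assumed) enable the flag."""
        with open(self.conf, "w") as f:
            f.write("WSGIScriptAlias /KdcProxy /usr/lib/python2.7/site-packages/kdcproxy/__init__.py\n")
        self.apply_uldif(enable=True)

    def ipa_server_upgrade(self):
        """The update only runs the setup if it never ran; it does not touch the flag."""
        if not self.is_kdcproxy_configured():
            self.configure()

    # --- httpd.service ExecStartPre ----------------------------------------
    def exec_start_pre(self):
        if os.path.lexists(self.link):
            os.unlink(self.link)
        if self.enabled():
            os.symlink(self.conf, self.link)

    def kdcproxy_mounted(self):
        """True when conf.d holds a symlink that resolves to the config file."""
        return os.path.islink(self.link) and os.path.exists(self.link)


def scenario():
    """install -> disable -> update -> enable; returns whether /KdcProxy is mounted after each."""
    root = tempfile.mkdtemp()
    try:
        m = Master(root)
        states = []
        for step in (lambda: m.configure(),                 # 1. fresh install (or first update)
                     lambda: m.apply_uldif(enable=False),   # 2. admin disables kdcproxy
                     lambda: m.ipa_server_upgrade(),        # 3. next version: no-op, stays disabled
                     lambda: m.apply_uldif(enable=True)):   # admin re-enables
            step()
            m.exec_start_pre()                              # httpd restart
            states.append(m.kdcproxy_mounted())
        return states
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(scenario())  # [True, False, False, True]
```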
Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)
The behavior I'm worried about here is this:
1. Admin installs or updates FreeIPA (w/ kdcproxy)
2. Admin disables kdcproxy
3. Admin updates to the next version

After step #3, is kdcproxy enabled or disabled? I don't have a clear answer to this (or at least I'm not seeing it).

Other than this, I'm happy. So if we can answer this, it is an ack from me.

- Original Message -
> head -> desk!
> Of course you are right. The old code ran the update code. I fixed it.
>
> Rob also suggested that I use .uldif as prefix. My LDIFs aren't strictly
> LDIFs because they use dynamic templates.
Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)
On 2015-06-23 17:35, Nathaniel McCallum wrote:
> typo: is_kdcprox_configured
>
> You need to update the commit message (don't do changes since last patch).
>
> Also, I'm pretty sure this is the case, but the code in
> ipaserver/install/httpinstance.py only executes during initial installation,
> right?

head -> desk!
Of course you are right. The old code ran the update code. I fixed it.

Rob also suggested that I use .uldif as prefix. My LDIFs aren't strictly LDIFs because they use dynamic templates.

From 93cc97a9ffdf0d76c377b731d418999d95fe299a Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Tue, 23 Jun 2015 17:01:00 +0200
Subject: [PATCH] Provide Kerberos over HTTP (MS-KKDCP)

Add integration of python-kdcproxy into FreeIPA to support the MS Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD client requests over HTTP and HTTPS.

- freeipa-server now depends on python-kdcproxy >= 0.3. All kdcproxy dependencies are already satisfied.
- The service's state is configured in cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX. It's enabled when ipaConfigString=kdcProxyEnabled is present.
- The installers and update create a new Apache config file /etc/ipa/kdcproxy/ipa-kdc-proxy.conf that mounts a WSGI app on /KdcProxy. The app is run inside its own WSGI daemon group with a different uid and gid than the webui.
- An ExecStartPre script in httpd.service symlinks the config file to /etc/httpd/conf.d/ iff ipaConfigString=kdcProxyEnabled is present.
- The httpd.service also sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf, so that an existing config is not used. SetEnv from Apache config does not work here, because it doesn't set an OS env var.
- python-kdcproxy is configured to *not* use DNS SRV lookups. The locations of KDC and KPASSWD servers are read from /etc/krb5.conf.
- The state of the service can be modified with two ldif files for ipa-ldap-updater. No CLI script is offered yet.

https://www.freeipa.org/page/V4/KDC_Proxy
https://fedorahosted.org/freeipa/ticket/4801
---
 freeipa.spec.in | 25 +
 init/systemd/httpd.service | 2 +
 install/conf/Makefile.am | 1 +
 install/conf/ipa-kdc-proxy.conf.template | 30 ++
 install/conf/ipa.conf | 6 +-
 install/share/Makefile.am | 3 +
 install/share/kdcproxy-disable.uldif | 3 +
 install/share/kdcproxy-enable.uldif | 6 ++
 install/share/kdcproxy.conf | 4 +
 install/tools/Makefile.am | 5 +
 install/tools/ipa-httpd-kdcproxy | 180 +++
 ipaplatform/base/paths.py | 4 +-
 ipaserver/install/httpinstance.py | 65 ++-
 ipaserver/install/ipa_backup.py | 1 +
 ipaserver/install/server/upgrade.py | 5 +
 15 files changed, 335 insertions(+), 5 deletions(-)
 create mode 100644 install/conf/ipa-kdc-proxy.conf.template
 create mode 100644 install/share/kdcproxy-disable.uldif
 create mode 100644 install/share/kdcproxy-enable.uldif
 create mode 100644 install/share/kdcproxy.conf
 create mode 100755 install/tools/ipa-httpd-kdcproxy

diff --git a/freeipa.spec.in b/freeipa.spec.in index 809ac1e5bb877c85e29c082ecfb9ad91aa97b4f5..caacf4bda0611c31880933e8e05db6518886eb65 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -22,6 +22,10 @@ %define _hardened_build 1 +%define kdcproxy_user kdcproxy +%define kdcproxy_group kdcproxy +%define kdcproxy_home %{_sharedstatedir}/kdcproxy + Name: freeipa Version:__VERSION__ Release:__RELEASE__%{?dist} @@ -95,6 +99,7 @@ BuildRequires: p11-kit-devel BuildRequires: pki-base >= 10.2.4-1 BuildRequires: python-pytest-multihost >= 0.5 BuildRequires: python-pytest-sourceorder +BuildRequires: python-kdcproxy >= 0.3 %description IPA is an integrated solution to provide centrally managed Identity (machine, @@ -130,6 +135,7 @@ Requires: memcached Requires: python-memcached Requires: dbus-python Requires: systemd-units >= 38 +Requires(pre): shadow-utils Requires(pre): systemd-units Requires(post): systemd-units Requires: selinux-policy >= %{selinux_policy_version}
@@ -140,6 +146,7 @@ Requires: pki-kra >= 10.2.4-1 Requires(preun): python systemd-units Requires(postun): python systemd-units Requires: python-dns >= 1.11.1 +Requires: python-kdcproxy >= 0.3 Requires: zip Requires: policycoreutils >= 2.1.12-5 Requires: tar @@ -429,6 +436,7 @@ ln -s ../../../..%{_sysconfdir}/ipa/html/browserconfig.html \ # So we can own our Apache configuration mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/ /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa.conf +/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf mkdir -p %{buildroot}%{_usr}/share/ipa/html/ @@ -458,6 +466,10 @@ install daemons/dnss
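Review bot: `/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf` packages an empty regular file at the very path the commit message says httpd's ExecStartPre turns into a symlink to /etc/ipa/kdcproxy/ipa-kdc-proxy.conf, so a later package update may put the empty file back over the symlink until the next httpd restart, and `rpm -V` will report the type change; the %files entry is outside the visible hunks, so make sure it is marked %ghost (or otherwise excluded) rather than copied from the ipa.conf pattern. The new kdcproxy_user/kdcproxy_group/kdcproxy_home macros together with `Requires(pre): shadow-utils` imply a %pre scriptlet that creates the kdcproxy system user; it is also not in the visible part of the diff, so verify it guards with getent and is safe to re-run on upgrade.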
Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)
typo: is_kdcprox_configured

You need to update the commit message (don't do changes since last patch).

Also, I'm pretty sure this is the case, but the code in ipaserver/install/httpinstance.py only executes during initial installation, right?

- Original Message -
> This is hopefully the final patch. I've tested a fresh installation and
> upgrade from 4.2 alpha 1.
>
> Christian
[Freeipa-devel] Announcing bind-dyndb-ldap version 8.0
The FreeIPA team is proud to announce bind-dyndb-ldap version 8.0.

It can be downloaded from https://fedorahosted.org/released/bind-dyndb-ldap/

The new version has also been built for Fedora 23+ (rawhide).

This version is also available from FreeIPA 4.2 COPR repo:
https://copr.fedoraproject.org/coprs/mkosek/freeipa-4.2/

Latest news:

8.0
[1] Unknown record types can be stored in LDAP using generic syntax (RFC 3597).
    LDAP schema was extended for this purpose with the UnknownRecord attribute.
    https://fedorahosted.org/bind-dyndb-ldap/ticket/157
[2] PTR record synchronization was improved.
    - New PTR records now inherit the TTL value from the respective A/AAAA records.
    - SERVFAIL error is no longer returned to clients if A/AAAA record update succeeded but PTR record synchronization failed because of misconfiguration. Such errors are only logged.
    - PTR record synchronization was reworked to reduce the probability of race condition occurrences.
    https://fedorahosted.org/bind-dyndb-ldap/ticket/155
[3] LDAP rename (MODRDN) for DNS records is now supported.
    Renaming of whole DNS zones is not supported and will lead to errors.
    https://fedorahosted.org/bind-dyndb-ldap/ticket/123
[4] Data changed in LDAP while connection to server was down are now refreshed properly.
    https://fedorahosted.org/bind-dyndb-ldap/ticket/128
[5] Crashes caused by object class and DN format mismatch were fixed.
    https://fedorahosted.org/bind-dyndb-ldap/ticket/148
[6] Compatibility with BIND 9.9.4 was improved.
[7] Documentation and schema were fixed and improved.
    The doc/schema.ldif file is now properly formatted as LDIF and contains instructions for OpenLDAP and 389 DS.

7.0
[1] Support for BIND 9.10 was added.
    https://fedorahosted.org/bind-dyndb-ldap/ticket/139

== Upgrading ==
A server can be upgraded by installing the updated RPM. BIND has to be restarted manually after the RPM installation.

Downgrading back to any 7.x version is supported if the user is not relying on support for unknown attribute types or the LDAP MODRDN operation.

== Feedback ==
Please provide comments, report bugs and send any other feedback via the freeipa-users mailing list:
http://www.redhat.com/mailman/listinfo/freeipa-users

-- 
Petr^2 Spacek
Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)
This is hopefully the final patch. I've tested a fresh installation and upgrade from 4.2 alpha 1.

Christian

From f503bb15304edea863ba1bad91657b1f880f0e4b Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Tue, 23 Jun 2015 17:01:00 +0200
Subject: [PATCH] Provide Kerberos over HTTP (MS-KKDCP)

Add integration of python-kdcproxy into FreeIPA to support the MS Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD client requests over HTTP and HTTPS.

- freeipa-server now depends on python-kdcproxy >= 0.2.1. All kdcproxy dependencies are already satisfied.
- The service's state is configured in cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX. It's enabled when ipaConfigString=kdcProxyEnabled is present.
- The installers and update create a new Apache config file /etc/ipa/kdcproxy/ipa-kdc-proxy.conf that mounts a WSGI app on /KdcProxy. The app is run inside its own WSGI daemon group with a different uid and gid than the webui.
- An ExecStartPre script in httpd.service symlinks the config file to /etc/httpd/conf.d/ iff ipaConfigString=kdcProxyEnabled is present.
- The httpd.service also sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf, so that an existing config is not used. SetEnv from Apache config does not work here, because it doesn't set an OS env var.
- python-kdcproxy is configured to *not* use DNS SRV lookups. The locations of KDC and KPASSWD servers are read from /etc/krb5.conf.
- The state of the service can be modified with two ldif files for ipa-ldap-updater. No CLI script is offered yet.

Changes since the last patch:
- WSGI shim module was removed in favor of the symlink approach.
- Since the ExecStartPre script runs as root user, EXTERNAL GSSAPI bind can be used. This eliminates the need for a keytab, service principal and additional permission.
- Require python-kdcproxy 0.3
- Set env var in httpd.service instead of SetEnv

https://www.freeipa.org/page/V4/KDC_Proxy
https://fedorahosted.org/freeipa/ticket/4801
---
 freeipa.spec.in | 26 +
 init/systemd/httpd.service | 2 +
 install/conf/Makefile.am | 1 +
 install/conf/ipa-kdc-proxy.conf.template | 30 ++
 install/conf/ipa.conf | 6 +-
 install/share/Makefile.am | 3 +
 install/share/kdcproxy-disable.ldif | 3 +
 install/share/kdcproxy-enable.ldif | 6 ++
 install/share/kdcproxy.conf | 4 +
 install/tools/Makefile.am | 5 +
 install/tools/ipa-httpd-kdcproxy | 180 +++
 ipaplatform/base/paths.py | 4 +-
 ipaserver/install/httpinstance.py | 65 ++-
 ipaserver/install/ipa_backup.py | 1 +
 14 files changed, 331 insertions(+), 5 deletions(-)
 create mode 100644 install/conf/ipa-kdc-proxy.conf.template
 create mode 100644 install/share/kdcproxy-disable.ldif
 create mode 100644 install/share/kdcproxy-enable.ldif
 create mode 100644 install/share/kdcproxy.conf
 create mode 100755 install/tools/ipa-httpd-kdcproxy

diff --git a/freeipa.spec.in b/freeipa.spec.in index 809ac1e5bb877c85e29c082ecfb9ad91aa97b4f5..80331e60006829c77c7994d600318fc331a6b711 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -22,6 +22,10 @@ %define _hardened_build 1 +%define kdcproxy_user kdcproxy +%define kdcproxy_group kdcproxy +%define kdcproxy_home %{_sharedstatedir}/kdcproxy + Name: freeipa Version:__VERSION__ Release:__RELEASE__%{?dist} @@ -95,6 +99,7 @@ BuildRequires: p11-kit-devel BuildRequires: pki-base >= 10.2.4-1 BuildRequires: python-pytest-multihost >= 0.5 BuildRequires: python-pytest-sourceorder +BuildRequires: python-kdcproxy >= 0.3 %description IPA is an integrated solution to provide centrally managed Identity (machine, @@ -130,6 +135,7 @@ Requires: memcached Requires: python-memcached Requires: dbus-python Requires: systemd-units >= 38 +Requires(pre): shadow-utils Requires(pre): systemd-units Requires(post): systemd-units Requires: selinux-policy >= %{selinux_policy_version}
@@ -140,6 +146,7 @@ Requires: pki-kra >= 10.2.4-1 Requires(preun): python systemd-units Requires(postun): python systemd-units Requires: python-dns >= 1.11.1 +Requires: python-kdcproxy >= 0.3 Requires: zip Requires: policycoreutils >= 2.1.12-5 Requires: tar @@ -429,6 +436,7 @@ ln -s ../../../..%{_sysconfdir}/ipa/html/browserconfig.html \ # So we can own our Apache configuration mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/ /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa.conf +/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf mkdir -p %{buildroot}%{_usr}/share/ipa/html/ @@ -458,6 +466,10 @@ install daemons/dnssec/ipa-ods-exporter %{buildroot}%{_libexecdir}/ipa/ipa-ods-e # Web UI plugin dir mkdir -p %{buildroo
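Review bot: The diffstat touches ipaserver/install/httpinstance.py (65 lines) but nothing under ipaserver/install/server/, while the commit message promises that "the installers and update create a new Apache config file"; if httpinstance.py only runs during a fresh installation, a server upgraded from 4.2 alpha 1 never gets /etc/ipa/kdcproxy/ipa-kdc-proxy.conf and the ExecStartPre symlink in /etc/httpd/conf.d/ dangles. Wire the same configuration step into the upgrade path, or point to where the update already calls it. Also, install/share/kdcproxy-enable.ldif and kdcproxy-disable.ldif are described as input for ipa-ldap-updater rather than plain LDIF; a distinct suffix would stop someone feeding them straight to ldapmodify.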
Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)
On 2015-06-23 16:55, Nathaniel McCallum wrote:
>
> - Original Message -
>> Ah, got it!
>>
>> What's the simplest way to download and test the new package on my VM?
>
> Download the package from koji.
> http://koji.fedoraproject.org/koji/packageinfo?packageID=19292

Ah, that's much simpler than my approach. I used rhpkg, spectool, wget and rpmbuild to build my own package.

Christian
Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)
On 23.6.2015 15:16, Christian Heimes wrote:
> On 2015-06-23 15:14, Nathaniel McCallum wrote:
>> On Tue, 2015-06-23 at 15:11 +0200, Christian Heimes wrote:
>>> On 2015-06-23 14:58, Nathaniel McCallum wrote:
>>>> I agree. One other small nitpick is that the python-kdcproxy dependency is still wrong. Please make it depend on 0.3. 0.3 is already in RHEL and Fedora. The only remaining step here is to push python-kdcproxy in the same update as the next FreeIPA build.
>>>
>>> I don't see python-kdcproxy 0.3 on my F22 test VM. It's still
>>> python-kdcproxy-0.2.1-1.fc22.noarch. dnf update doesn't pull any updates
>>> either.
>>
>> ... because it hasn't been pushed.
>>
>> Updates are a two-step process. First you build the new package, then
>> you push it. It is currently built, just not pushed. We will push
>> FreeIPA and kdcproxy together.
>
> Ah, got it!
>
> What's the simplest way to download and test the new package on my VM?

For Fedora go to http://koji.fedoraproject.org/koji/ and use the search box to find the package you are interested in.

-- 
Petr^2 Spacek
Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)
- Original Message -
> Ah, got it!
>
> What's the simplest way to download and test the new package on my VM?

Download the package from koji.
http://koji.fedoraproject.org/koji/packageinfo?packageID=19292
Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)
On 2015-06-23 11:37, Christian Heimes wrote:
> Hi,
>
> I've created a new patch that implements the KDC switch as a
> ExecStartPre hook in httpd.service.

My patch has a bug. Apache's SetEnv doesn't set an operating system env var. The information is only available as a WSGI env var. I'm going to set it in httpd.service.

Christian
Re: [Freeipa-devel] [PATCH 0037] Hide traceback in ipa-dnskeysyncd if kinit failed
On 06/23/2015 02:15 PM, Petr Spacek wrote:
> Hello,
>
> Hide traceback in ipa-dnskeysyncd if kinit failed.
>
> https://fedorahosted.org/freeipa/ticket/4657

ACK

-- 
Martin^3 Babinsky
Re: [Freeipa-devel] topology-related issues
On 06/23/2015 03:43 PM, Oleg Fayans wrote:
> On 06/23/2015 02:27 PM, Ludwig Krispenz wrote:
>> On 06/23/2015 11:44 AM, Oleg Fayans wrote:
>>> It looks like the second issue was caused by not running ipa service on vm-244.idm.lab.eng.brq.redhat.com. However, after manual start of the ipa service on this node, I was still unable to set up the segment:
>>>
>>> [11:38:39]ofayans@vm-069:~]$ ipa topologysegment-add realm
>>> Left node: vm-244.idm.lab.eng.brq.redhat.com
>>> Right node: vm-069.idm.lab.eng.brq.redhat.com
>>> Connectivity [both]:
>>> Segment name [vm-244.idm.lab.eng.brq.redhat.com-vm-069.idm.lab.eng.brq.redhat.com]:
>>> ipa: ERROR: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('Ticket not yet valid', -1765328351)
>>
>> I don't know what this specific error is, but in the dirsrv log, which seems to be from vm-244, we have:
>>
>> set_krb5_creds - Could not get initial credentials for principal [ldap/vm-244.idm.lab.eng.brq.redhat@idm.lab.eng.brq.redhat.com] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>>
>> so is your kdc running?
>
> The weirdest thing is: I actually deleted this replica on master before. This host is not shown among hosts, but the corresponding topology segment was not deleted.
>
> This is how it looks on master:
>
> [15:40:59]ofayans@vm-069:~]$ ipa host-find
> ---------------
> 2 hosts matched
> ---------------
>   Host name: vm-069.idm.lab.eng.brq.redhat.com
>   Principal name: host/vm-069.idm.lab.eng.brq.redhat@idm.lab.eng.brq.redhat.com
>   Password: False
>   Keytab: True
>   Managed by: vm-069.idm.lab.eng.brq.redhat.com
>   SSH public key fingerprint: EA:D2:75:A7:A8:E2:2E:6D:83:DE:6F:7F:87:3F:DE:55 (ssh-ed25519), B2:79:ED:4B:94:11:03:94:E2:61:07:2C:EA:A4:87:BF (ecdsa-sha2-nistp256), 9C:45:86:FA:DC:BC:5F:F7:1D:B1:38:DC:FC:FB:04:19 (ssh-rsa)
>
>   Host name: vm-086.idm.lab.eng.brq.redhat.com
>   Principal name: host/vm-086.idm.lab.eng.brq.redhat@idm.lab.eng.brq.redhat.com
>   Password: False
>   Keytab: True
>   Managed by: vm-086.idm.lab.eng.brq.redhat.com
>   SSH public key fingerprint: EA:D2:75:A7:A8:E2:2E:6D:83:DE:6F:7F:87:3F:DE:55 (ssh-ed25519), B2:79:ED:4B:94:11:03:94:E2:61:07:2C:EA:A4:87:BF (ecdsa-sha2-nistp256), 9C:45:86:FA:DC:BC:5F:F7:1D:B1:38:DC:FC:FB:04:19 (ssh-rsa)
> ----------------------------
> Number of entries returned 2
> ----------------------------
>
> [15:41:07]ofayans@vm-069:~]$ ipa topologysegment-find realm
> ------------------
> 2 segments matched
> ------------------
>   Segment name: 086-to-069
>   Left node: vm-086.idm.lab.eng.brq.redhat.com
>   Right node: vm-069.idm.lab.eng.brq.redhat.com
>   Connectivity: both
>
>   Segment name: 127-to-244
>   Left node: vm-127.idm.lab.eng.brq.redhat.com
>   Right node: vm-244.idm.lab.eng.brq.redhat.com
>   Connectivity: both
> ----------------------------
> Number of entries returned 2
> ----------------------------
> [15:41:19]ofayans@vm-069:~]$
>
> I'll re-build the packages and try to record all the steps to reproduce this issue today.

yes, please.

>> I don't know
>>
>>> The dirsrv error log of this node is attached.
>>>
>>> On 06/23/2015 11:27 AM, Oleg Fayans wrote:
>>>> Hi Ludwig, team,
>>>>
>>>> I have a couple of issues with the topology plugin.
>>>>
>>>> 1. I was able to remove the middle node in a line topology, which resulted in disconnecting a segment.
>>>> I had master - replica1 - replica2 - replica3 - replica4
>>>> I removed replica2 with a standard `ipa-replica-manage del`
>>>> And it resulted in the following topology:
>>>>
>>>> [13:13:08]ofayans@vm-086:~]$ ipa topologysegment-find realm
>>>> ------------------
>>>> 2 segments matched
>>>> ------------------
>>>>   Segment name: 086-to-069
>>>>   Left node: vm-086.idm.lab.eng.brq.redhat.com
>>>>   Right node: vm-069.idm.lab.eng.brq.redhat.com
>>>>   Connectivity: both
>>>>
>>>>   Segment name: 127-to-244
>>>>   Left node: vm-127.idm.lab.eng.brq.redhat.com
>>>>   Right node: vm-244.idm.lab.eng.brq.redhat.com
>>>>   Connectivity: both
>>>> ----------------------------
>>>> Number of entries returned 2
>>>> ----------------------------
>>>>
>>>> We should probably prohibit such scenarios.
>>>>
>>>> 2. When I subsequently tried to create a link between the two segments manually, I bumped into the following error:
>>>>
>>>> [13:17:02]ofayans@vm-069:~]$ ipa topologysegment-add realm
>>>> Left node: vm-069.idm.lab.eng.brq.redhat.com
>>>> Right node: vm-244.idm.lab.eng.brq.redhat.com
>>>> Connectivity [both]:
>>>> Segment name [vm-069.idm.lab.eng.brq.redhat.com-vm-244.idm.lab.eng.brq.redhat.com]: 069-to-244
>>>> ipa: ERROR: invalid 'rightnode': right node is not a topology node: vm-244.idm.lab.eng.brq.redhat.com
>>>>
>>>> -- 
>>>> Oleg Fayans
>>>> Quality Engineer
>>>> FreeIPA team
>>>> RedHat.
Re: [Freeipa-devel] topology-related issues
On 06/23/2015 02:27 PM, Ludwig Krispenz wrote:
On 06/23/2015 11:44 AM, Oleg Fayans wrote:
It looks like the second issue was caused by not running ipa service on vm-244.idm.lab.eng.brq.redhat.com. However, after manual start of the ipa service on this node, I was still unable to set up the segment:

[11:38:39]ofayans@vm-069:~]$ ipa topologysegment-add realm
Left node: vm-244.idm.lab.eng.brq.redhat.com
Right node: vm-069.idm.lab.eng.brq.redhat.com
Connectivity [both]:
Segment name [vm-244.idm.lab.eng.brq.redhat.com-vm-069.idm.lab.eng.brq.redhat.com]:
ipa: ERROR: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('Ticket not yet valid', -1765328351)

I don't know what this specific error is, but in the dirsrv log, which seems to be from vm-244, we have:

set_krb5_creds - Could not get initial credentials for principal [ldap/vm-244.idm.lab.eng.brq.redhat@idm.lab.eng.brq.redhat.com] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)

so is your kdc running?

The weirdest thing is: I actually deleted this replica on master before. This host is not shown among hosts, but the corresponding topology segment was not deleted.

This is how it looks on master:

[15:40:59]ofayans@vm-069:~]$ ipa host-find
--- 2 hosts matched ---
  Host name: vm-069.idm.lab.eng.brq.redhat.com
  Principal name: host/vm-069.idm.lab.eng.brq.redhat@idm.lab.eng.brq.redhat.com
  Password: False
  Keytab: True
  Managed by: vm-069.idm.lab.eng.brq.redhat.com
  SSH public key fingerprint: EA:D2:75:A7:A8:E2:2E:6D:83:DE:6F:7F:87:3F:DE:55 (ssh-ed25519), B2:79:ED:4B:94:11:03:94:E2:61:07:2C:EA:A4:87:BF (ecdsa-sha2-nistp256), 9C:45:86:FA:DC:BC:5F:F7:1D:B1:38:DC:FC:FB:04:19 (ssh-rsa)

  Host name: vm-086.idm.lab.eng.brq.redhat.com
  Principal name: host/vm-086.idm.lab.eng.brq.redhat@idm.lab.eng.brq.redhat.com
  Password: False
  Keytab: True
  Managed by: vm-086.idm.lab.eng.brq.redhat.com
  SSH public key fingerprint: EA:D2:75:A7:A8:E2:2E:6D:83:DE:6F:7F:87:3F:DE:55 (ssh-ed25519), B2:79:ED:4B:94:11:03:94:E2:61:07:2C:EA:A4:87:BF (ecdsa-sha2-nistp256), 9C:45:86:FA:DC:BC:5F:F7:1D:B1:38:DC:FC:FB:04:19 (ssh-rsa)
Number of entries returned 2

[15:41:07]ofayans@vm-069:~]$ ipa topologysegment-find realm
-- 2 segments matched --
  Segment name: 086-to-069
  Left node: vm-086.idm.lab.eng.brq.redhat.com
  Right node: vm-069.idm.lab.eng.brq.redhat.com
  Connectivity: both

  Segment name: 127-to-244
  Left node: vm-127.idm.lab.eng.brq.redhat.com
  Right node: vm-244.idm.lab.eng.brq.redhat.com
  Connectivity: both
Number of entries returned 2
[15:41:19]ofayans@vm-069:~]$

I'll re-build the packages and try to record all the steps to reproduce this issue today.

I don't know

The dirsrv error log of this node is attached.

On 06/23/2015 11:27 AM, Oleg Fayans wrote:
Hi Ludwig, team,

I have a couple of issues with the topology plugin.

1. I was able to remove the middle node in a line topology, which resulted in disconnecting a segment.

I had master - replica1 - replica2 - replica3 - replica4

I removed replica2 with a standard `ipa-replica-manage del`

And it resulted in the following topology:

[13:13:08]ofayans@vm-086:~]$ ipa topologysegment-find realm
-- 2 segments matched --
  Segment name: 086-to-069
  Left node: vm-086.idm.lab.eng.brq.redhat.com
  Right node: vm-069.idm.lab.eng.brq.redhat.com
  Connectivity: both

  Segment name: 127-to-244
  Left node: vm-127.idm.lab.eng.brq.redhat.com
  Right node: vm-244.idm.lab.eng.brq.redhat.com
  Connectivity: both
Number of entries returned 2

We should probably prohibit such scenarios.

2. When I subsequently tried to create a link between the two segments manually, I bumped into the following error:

[13:17:02]ofayans@vm-069:~]$ ipa topologysegment-add realm
Left node: vm-069.idm.lab.eng.brq.redhat.com
Right node: vm-244.idm.lab.eng.brq.redhat.com
Connectivity [both]:
Segment name [vm-069.idm.lab.eng.brq.redhat.com-vm-244.idm.lab.eng.brq.redhat.com]: 069-to-244
ipa: ERROR: invalid 'rightnode': right node is not a topology node: vm-244.idm.lab.eng.brq.redhat.com

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)
On 2015-06-23 14:56, Simo Sorce wrote:
> Why are you using "#!/usr/bin/env python2.7" ?
> We do not use this idiom, as it breaks in some cases, at most in some
> sources that are v2 only we use "#!/usr/bin/python2", please change it.

Force of habit. I'm used to using /usr/bin/env in my own packages. Otherwise the code isn't compatible with virtual envs. For FreeIPA it makes more sense to stick to python2. I'm going to change it.

> I am not sure you should really have a completely separate
> KDCProxyInstance, if I read it right that will cause httpd to be
> restarted twice. If you put KDCProxy enablement as one step of the
> httpdinstance then you will have much less code and httpd can be
> restarted only once.
> KDCProxy in general is not a separate service so instantiating it as a
> full service seems wrong to me. IMO it should be just one of the many
> steps of the http instance.

Correct, the KDCProxyInstance restarts the HTTPD service a second time. The instance used to do much more work. In the last patch it created a service principal with keytab and assigned a permission to the service principal. With the new design, the code has been simplified so much that it actually makes sense to move it into HTTPInstance. It's going to take me just a couple of minutes to remove the instance.

Christian
Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)
On 2015-06-23 15:14, Nathaniel McCallum wrote:
> On Tue, 2015-06-23 at 15:11 +0200, Christian Heimes wrote:
>> On 2015-06-23 14:58, Nathaniel McCallum wrote:
>>> I agree. One other small nitpick is that the python-kdcproxy dependency
>>> is still wrong. Please make it depend on 0.3. 0.3 is already in RHEL
>>> and Fedora. The only remaining step here is to push python-kdcproxy in
>>> the same update as the next FreeIPA build.
>>
>> I don't see python-kdcproxy 0.3 on my F22 test VM. It's still
>> python-kdcproxy-0.2.1-1.fc22.noarch. dnf update doesn't pull any updates
>> either.
> 
> ... because it hasn't been pushed.
> 
> Updates are a two-step process. First you build the new package, then
> you push it. It is currently built, just not pushed. We will push
> FreeIPA and kdcproxy together.

Ah, got it!

What's the simplest way to download and test the new package on my VM?

Christian
Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)
On Tue, 2015-06-23 at 15:11 +0200, Christian Heimes wrote:
> On 2015-06-23 14:58, Nathaniel McCallum wrote:
> > I agree. One other small nitpick is that the python-kdcproxy dependency
> > is still wrong. Please make it depend on 0.3. 0.3 is already in RHEL
> > and Fedora. The only remaining step here is to push python-kdcproxy in
> > the same update as the next FreeIPA build.
> 
> I don't see python-kdcproxy 0.3 on my F22 test VM. It's still
> python-kdcproxy-0.2.1-1.fc22.noarch. dnf update doesn't pull any updates
> either.

... because it hasn't been pushed.

Updates are a two-step process. First you build the new package, then you push it. It is currently built, just not pushed. We will push FreeIPA and kdcproxy together.

Nathaniel
Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)
On 2015-06-23 14:58, Nathaniel McCallum wrote:
> I agree. One other small nitpick is that the python-kdcproxy dependency
> is still wrong. Please make it depend on 0.3. 0.3 is already in RHEL
> and Fedora. The only remaining step here is to push python-kdcproxy in
> the same update as the next FreeIPA build.

I don't see python-kdcproxy 0.3 on my F22 test VM. It's still python-kdcproxy-0.2.1-1.fc22.noarch. dnf update doesn't pull any updates either.

Christian
Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)
On Tue, 2015-06-23 at 08:56 -0400, Simo Sorce wrote:
> On Tue, 2015-06-23 at 11:37 +0200, Christian Heimes wrote:
> > Hi,
> > 
> > I've created a new patch that implements the KDC switch as a
> > ExecStartPre hook in httpd.service.
> > 
> > Testing:
> > If you are doing an upgrade of an existing installation, then you have
> > to run ipa-server-update first. The update creates the config file
> > /etc/ipa/kdcproxy/ipa-kdc-proxy.conf from a template.
> > 
> > /usr/libexec/ipa/ipa-httpd-kdcproxy creates / removes the symlink
> > /etc/httpd/conf.d/ipa-kdc-proxy.conf. The feature is enabled by default.
> > 
> > Disable KDC Proxy on the current host:
> > # ipa-ldap-updater /usr/share/ipa/kdcproxy-disable.ldif
> > # systemctl restart httpd.service
> > 
> > Enable KDC Proxy on the current host:
> > # ipa-ldap-updater /usr/share/ipa/kdcproxy-enable.ldif
> > # systemctl restart httpd.service
> > 
> > Regards,
> > Christian
> 
> A few questions.
> 
> Why are you using "#!/usr/bin/env python2.7" ?
> We do not use this idiom, as it breaks in some cases, at most in some
> sources that are v2 only we use "#!/usr/bin/python2", please change it.
> 
> I am not sure you should really have a completely separate
> KDCProxyInstance, if I read it right that will cause httpd to be
> restarted twice. If you put KDCProxy enablement as one step of the
> httpdinstance then you will have much less code and httpd can be
> restarted only once.
> KDCProxy in general is not a separate service so instantiating it as a
> full service seems wrong to me. IMO it should be just one of the many
> steps of the http instance.
> 
> The rest looks good.

I agree. One other small nitpick is that the python-kdcproxy dependency is still wrong. Please make it depend on 0.3. 0.3 is already in RHEL and Fedora. The only remaining step here is to push python-kdcproxy in the same update as the next FreeIPA build.

Nathaniel
Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)
On Tue, 2015-06-23 at 11:37 +0200, Christian Heimes wrote:
> Hi,
> 
> I've created a new patch that implements the KDC switch as a
> ExecStartPre hook in httpd.service.
> 
> Testing:
> If you are doing an upgrade of an existing installation, then you have
> to run ipa-server-update first. The update creates the config file
> /etc/ipa/kdcproxy/ipa-kdc-proxy.conf from a template.
> 
> /usr/libexec/ipa/ipa-httpd-kdcproxy creates / removes the symlink
> /etc/httpd/conf.d/ipa-kdc-proxy.conf. The feature is enabled by default.
> 
> Disable KDC Proxy on the current host:
> # ipa-ldap-updater /usr/share/ipa/kdcproxy-disable.ldif
> # systemctl restart httpd.service
> 
> Enable KDC Proxy on the current host:
> # ipa-ldap-updater /usr/share/ipa/kdcproxy-enable.ldif
> # systemctl restart httpd.service
> 
> Regards,
> Christian

A few questions.

Why are you using "#!/usr/bin/env python2.7" ?
We do not use this idiom, as it breaks in some cases, at most in some sources that are v2 only we use "#!/usr/bin/python2", please change it.

I am not sure you should really have a completely separate KDCProxyInstance, if I read it right that will cause httpd to be restarted twice. If you put KDCProxy enablement as one step of the httpdinstance then you will have much less code and httpd can be restarted only once.
KDCProxy in general is not a separate service so instantiating it as a full service seems wrong to me. IMO it should be just one of the many steps of the http instance.

The rest looks good.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
[Freeipa-devel] [PATCH 0386-0389] Release 8.0
Hello, Pushed to master: 5c59bb14e4ec2f66b16062f83edc04b9df59b744 Update URL pointing to dyndb API repo. 1cf4d03cee4452d67bdf409ac2fe8d201c19c922 Update NEWS for upcoming 8.0 release. c0be113f6365abb7c77541129ffd086c80ea9fc3 releng/bumpver: Always create signed commits. 15bc8f7b54f15d994c6cc2145fd705734474f78b Bump NVR to 8.0. -- Petr^2 Spacek From 5c59bb14e4ec2f66b16062f83edc04b9df59b744 Mon Sep 17 00:00:00 2001 From: Petr Spacek Date: Tue, 23 Jun 2015 14:34:22 +0200 Subject: [PATCH] Update URL pointing to dyndb API repo. --- README | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README b/README index 0b1a47402a70df16239d33134c62f4905be1651f..72505b42fb622b3582a26c922462a0ded003 100644 --- a/README +++ b/README @@ -6,7 +6,7 @@ database back-end capabilities. For now, it requires that BIND is patched to support dynamic loading of database back-ends. You can get a patch for your version here: - https://github.com/spacekpe/bind-dynamic_db + https://github.com/pspacek/bind-dynamic_db Hopefully, the patch will once be included in the official BIND release. -- 2.1.0 From 1cf4d03cee4452d67bdf409ac2fe8d201c19c922 Mon Sep 17 00:00:00 2001 From: Petr Spacek Date: Tue, 23 Jun 2015 14:37:48 +0200 Subject: [PATCH] Update NEWS for upcoming 8.0 release. --- NEWS | 33 + 1 file changed, 33 insertions(+) diff --git a/NEWS b/NEWS index fb1e8b8d6758c755dcb31a529389dacf0425f91e..86b621620e4809f746a0d731847b4633569ec767 100644 --- a/NEWS +++ b/NEWS 
@@ -1,3 +1,36 @@ +8.0 + +[1] Unknown record types can be stored in LDAP using generic syntax (RFC 3597). +LDAP schema was extended for this purpose with the UnknownRecord attribute. +https://fedorahosted.org/bind-dyndb-ldap/ticket/157 + +[2] PTR record synchronization was improved. +- New PTR records now inherit the TTL value from the respective A/ + records. +- SERVFAIL error is no longer returned to clients if A/ record update + succeeded but PTR record synchronization failed because of + misconfiguration. Such errors are only logged. +- PTR record synchronization was reworked to reduce the probability + of race condition occurrences. +https://fedorahosted.org/bind-dyndb-ldap/ticket/155 + +[3] LDAP rename (MODRDN) for DNS records is now supported. +Renaming of whole DNS zones is not supported and will lead to errors. +https://fedorahosted.org/bind-dyndb-ldap/ticket/123 + +[4] Data changed in LDAP while connection to server was down are now refreshed +properly. +https://fedorahosted.org/bind-dyndb-ldap/ticket/128 + +[5] Crash caused by object class and DN format mismatch were fixed. +https://fedorahosted.org/bind-dyndb-ldap/ticket/148 + +[6] Compatibility with BIND 9.9.4 was improved. + +[7] Documentation and schema were fixed and improved. The doc/schema.ldif file +is now properly formatted as LDIF and contains instructions +for OpenLDAP and 389 DS. + 7.0 [1] Support for BIND 9.10 was added. -- 2.1.0 From c0be113f6365abb7c77541129ffd086c80ea9fc3 Mon Sep 17 00:00:00 2001 From: Petr Spacek Date: Tue, 23 Jun 2015 14:45:12 +0200 Subject: [PATCH] releng/bumpver: Always create signed commits. --- releng/bumpver.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/releng/bumpver.py b/releng/bumpver.py index d0ac5ff452a4b50d039c8548e10a7b6f92b00a85..0a33b2f464f0fae01d2f5ce01413958712a25454 100755 --- a/releng/bumpver.py +++ b/releng/bumpver.py 
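Review bot: two wording problems in the NEWS hunk before this is tagged. Entry [5] has a subject-verb mismatch ("Crash caused by object class and DN format mismatch were fixed"; either "Crashes ... were fixed" or "Crash ... was fixed"), and entry [2] reads "A/ records" twice, which looks like a record type name dropped out after the slash; spell out both types so readers of the changelog know which records now inherit the TTL and which updates no longer SERVFAIL.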
@@ -78,7 +78,7 @@ file_version.minor = new_version.minor # commit version bump log.debug('Add modified files to git index') log.info(check_output(['git', 'add'] + file_version.files)) -log.info(check_output(['git', 'commit', '-m', 'Bump NVR to %s.' % file_version])) +log.info(check_output(['git', 'commit', '-S', '-m', 'Bump NVR to %s.' % file_version])) check_call(['git', 'show']) # working directory should be clean if we did not mess things up -- 2.1.0 From 15bc8f7b54f15d994c6cc2145fd705734474f78b Mon Sep 17 00:00:00 2001 From: Petr Spacek Date: Tue, 23 Jun 2015 14:45:42 +0200 Subject: [PATCH] Bump NVR to 8.0. --- configure.ac | 2 +- contrib/bind-dyndb-ldap.spec | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/configure.ac b/configure.ac index d7e64772e43a743d75d1b63b05fabe45acefb12d..a06708b1a5ee64bb64c80272c10ed1a35670c8d0 100644 --- a/configure.ac +++ b/configure.ac @@ -1,5 +1,5 @@ AC_PREREQ([2.59]) -AC_INIT([bind-dyndb-ldap], [7.0], [freeipa-devel@redhat.com]) +AC_INIT([bind-dyndb-ldap], [8.0], [freeipa-devel@redhat.com]) AM_INIT_AUTOMAKE([-Wall foreign dist-bzip2]) diff --git a/contrib/bind-dyndb-ldap.spec b/contrib/bind-dyndb-ldap.spec index 1ef5bcffb1d3f91291d9ac0510a892b3b75e4820..97adc5e56cb61693bb018d1162d0e6b15314ce23 100644 --- a/contrib/bind-dyndb-ldap.spec +++ b/contrib/bind-dyndb-ldap.spec @@ -1,7 +1,7 @@ %define VERSION %{version} Name: bind-dyndb-ldap -Version:7.
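Review bot: adding `-S` to `git commit` in the bumpver hunk makes the release script depend on a configured signing key (user.signingkey, or a default key gpg can find) and on gpg being able to obtain the passphrase; when that fails, `check_output` raises CalledProcessError and git's explanation is only available in the exception's output attribute, so the run ends with a traceback rather than a message. Consider checking `git config user.signingkey` before committing, or catching CalledProcessError around this call and logging its output, and note the signing-key requirement next to the script.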
Re: [Freeipa-devel] topology-related issues
On 06/23/2015 02:27 PM, Ludwig Krispenz wrote:
On 06/23/2015 11:44 AM, Oleg Fayans wrote:
It looks like the second issue was caused by not running ipa service on vm-244.idm.lab.eng.brq.redhat.com. However, after manual start of the ipa service on this node, I was still unable to set up the segment:

[11:38:39]ofayans@vm-069:~]$ ipa topologysegment-add realm
Left node: vm-244.idm.lab.eng.brq.redhat.com
Right node: vm-069.idm.lab.eng.brq.redhat.com
Connectivity [both]:
Segment name [vm-244.idm.lab.eng.brq.redhat.com-vm-069.idm.lab.eng.brq.redhat.com]:
ipa: ERROR: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('Ticket not yet valid', -1765328351)

I don't know what this specific error is, but in the dirsrv log, which seems to be from vm-244, we have:

set_krb5_creds - Could not get initial credentials for principal [ldap/vm-244.idm.lab.eng.brq.redhat@idm.lab.eng.brq.redhat.com] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)

so is your kdc running?

an additional observation, there are lines like:

csngen_new_csn - Warning: too much time skew (-3146 secs). Current seqnum=1

so looks like the time on your vms is not in sync, replication should handle this (so it is a warning), but don't know about other components

I don't know

The dirsrv error log of this node is attached.

On 06/23/2015 11:27 AM, Oleg Fayans wrote:
Hi Ludwig, team,

I have a couple of issues with the topology plugin.

1. I was able to remove the middle node in a line topology, which resulted in disconnecting a segment.

I had master - replica1 - replica2 - replica3 - replica4

I removed replica2 with a standard `ipa-replica-manage del`

And it resulted in the following topology:

[13:13:08]ofayans@vm-086:~]$ ipa topologysegment-find realm
-- 2 segments matched --
  Segment name: 086-to-069
  Left node: vm-086.idm.lab.eng.brq.redhat.com
  Right node: vm-069.idm.lab.eng.brq.redhat.com
  Connectivity: both

  Segment name: 127-to-244
  Left node: vm-127.idm.lab.eng.brq.redhat.com
  Right node: vm-244.idm.lab.eng.brq.redhat.com
  Connectivity: both
Number of entries returned 2

We should probably prohibit such scenarios.

2. When I subsequently tried to create a link between the two segments manually, I bumped into the following error:

[13:17:02]ofayans@vm-069:~]$ ipa topologysegment-add realm
Left node: vm-069.idm.lab.eng.brq.redhat.com
Right node: vm-244.idm.lab.eng.brq.redhat.com
Connectivity [both]:
Segment name [vm-069.idm.lab.eng.brq.redhat.com-vm-244.idm.lab.eng.brq.redhat.com]: 069-to-244
ipa: ERROR: invalid 'rightnode': right node is not a topology node: vm-244.idm.lab.eng.brq.redhat.com
Re: [Freeipa-devel] topology-related issues
On 06/23/2015 11:44 AM, Oleg Fayans wrote:
It looks like the second issue was caused by not running ipa service on vm-244.idm.lab.eng.brq.redhat.com. However, after manual start of the ipa service on this node, I was still unable to set up the segment:

[11:38:39]ofayans@vm-069:~]$ ipa topologysegment-add realm
Left node: vm-244.idm.lab.eng.brq.redhat.com
Right node: vm-069.idm.lab.eng.brq.redhat.com
Connectivity [both]:
Segment name [vm-244.idm.lab.eng.brq.redhat.com-vm-069.idm.lab.eng.brq.redhat.com]:
ipa: ERROR: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('Ticket not yet valid', -1765328351)

I don't know what this specific error is, but in the dirsrv log, which seems to be from vm-244, we have:

set_krb5_creds - Could not get initial credentials for principal [ldap/vm-244.idm.lab.eng.brq.redhat@idm.lab.eng.brq.redhat.com] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)

so is your kdc running?

I don't know

The dirsrv error log of this node is attached.

On 06/23/2015 11:27 AM, Oleg Fayans wrote:
Hi Ludwig, team,

I have a couple of issues with the topology plugin.

1. I was able to remove the middle node in a line topology, which resulted in disconnecting a segment.

I had master - replica1 - replica2 - replica3 - replica4

I removed replica2 with a standard `ipa-replica-manage del`

And it resulted in the following topology:

[13:13:08]ofayans@vm-086:~]$ ipa topologysegment-find realm
-- 2 segments matched --
  Segment name: 086-to-069
  Left node: vm-086.idm.lab.eng.brq.redhat.com
  Right node: vm-069.idm.lab.eng.brq.redhat.com
  Connectivity: both

  Segment name: 127-to-244
  Left node: vm-127.idm.lab.eng.brq.redhat.com
  Right node: vm-244.idm.lab.eng.brq.redhat.com
  Connectivity: both
Number of entries returned 2

We should probably prohibit such scenarios.

2. When I subsequently tried to create a link between the two segments manually, I bumped into the following error:

[13:17:02]ofayans@vm-069:~]$ ipa topologysegment-add realm
Left node: vm-069.idm.lab.eng.brq.redhat.com
Right node: vm-244.idm.lab.eng.brq.redhat.com
Connectivity [both]:
Segment name [vm-069.idm.lab.eng.brq.redhat.com-vm-244.idm.lab.eng.brq.redhat.com]: 069-to-244
ipa: ERROR: invalid 'rightnode': right node is not a topology node: vm-244.idm.lab.eng.brq.redhat.com
Re: [Freeipa-devel] [PATCH 0384-0385] Replace isc_atomic_* in with reference counter
On 23.6.2015 14:18, Tomas Hozza wrote:
> On 23.06.2015 11:32, Petr Spacek wrote:
>> On 10.6.2015 19:07, Petr Spacek wrote:
>>> Hello,
>>>
>>> Replace isc_atomic_* in MetaLDAP with reference counter abstraction.
>>> +
>>> Replace isc_atomic_* in instance tainting with reference counter
>>> abstraction.
>>>
>>> Reference counters are used as abstraction which hides missing
>>> isc_atomic_*() functions on some architectures.
>>>
>>> This change is necessary for architectures like s390x and ppc64le where BIND
>>> does not provide isc_atomic_* abstractions.
>>
>> Fixed version of the patch is attached.
>>
>> The same code is also on Github:
>> https://github.com/pspacek/bind-dyndb-ldap/commits/atomic_to_refcnt
>>
>> Thank you for review!
>>
> I did formal review of patches 384 and 385. The fixed version looks good.
> 
> ACK.

Thanks, pushed to master:
1f167ee3366d7cc65038141640670dd0771c333f
0946ef7d9e15ad46b603ef10fb352d9743d06ee6

-- 
Petr^2 Spacek
[Freeipa-devel] [PATCH 0036] Bump minimal BIND version for CentOS
Hello, Bump minimal BIND version for CentOS. DNSSEC support added dependency on bind-pkcs11 sub-package. https://fedorahosted.org/freeipa/ticket/4657 -- Petr^2 Spacek From 3c2b78b46870d3692b502db4468e70a190d6958f Mon Sep 17 00:00:00 2001 From: Petr Spacek Date: Tue, 23 Jun 2015 14:13:14 +0200 Subject: [PATCH] Bump minimal BIND version for CentOS. DNSSEC support added dependency on bind-pkcs11 sub-package. https://fedorahosted.org/freeipa/ticket/4657 --- freeipa.spec.in | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 809ac1e5bb877c85e29c082ecfb9ad91aa97b4f5..477dd7d8023a2aeee25eaa76ca4d14a00784e736 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -168,8 +168,8 @@ Conflicts: bind-dyndb-ldap < 6.0-4 Conflicts: bind < 9.9.6-3 Conflicts: bind-utils < 9.9.6-3 %else -Conflicts: bind < 9.9.4-19 -Conflicts: bind-utils < 9.9.4-19 +Conflicts: bind < 9.9.4-21 +Conflicts: bind-utils < 9.9.4-21 %endif # DNSSEC Conflicts: opendnssec < 1.4.6-4 -- 2.1.0 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
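Review bot: the commit message says DNSSEC support now depends on the bind-pkcs11 sub-package, but the hunk only raises the bind and bind-utils Conflicts in the %else branch from 9.9.4-19 to 9.9.4-21; nothing visible adds or bumps a Requires on bind-pkcs11, so a Conflicts change alone will not pull that sub-package in. If the Requires already exists elsewhere in the spec, confirm its version was raised to match; either way a one-line comment above the %else branch saying which distribution needs 9.9.4-21 would help the next reader, since the first branch (bind < 9.9.6-3) is left untouched.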
[Freeipa-devel] [PATCH 0037] Hide traceback in ipa-dnskeysyncd if kinit failed
Hello, Hide traceback in ipa-dnskeysyncd if kinit failed. https://fedorahosted.org/freeipa/ticket/4657 -- Petr^2 Spacek From 1b27dc0c667569f4bbe653b350e0f95a43b6b341 Mon Sep 17 00:00:00 2001 From: Petr Spacek Date: Tue, 23 Jun 2015 14:14:33 +0200 Subject: [PATCH] Hide traceback in ipa-dnskeysyncd if kinit failed. https://fedorahosted.org/freeipa/ticket/4657 --- daemons/dnssec/ipa-dnskeysyncd | 7 ++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/daemons/dnssec/ipa-dnskeysyncd b/daemons/dnssec/ipa-dnskeysyncd index 31027cb0ce10496c17a6c4b500525d2e5b8b2e93..7213168b4423aad15bc031c7cd425d0ce17e9e24 100755 --- a/daemons/dnssec/ipa-dnskeysyncd +++ b/daemons/dnssec/ipa-dnskeysyncd @@ -66,7 +66,12 @@ signal.signal(signal.SIGINT, commenceShutdown) PRINCIPAL = str('%s/%s' % (DAEMONNAME, api.env.host)) log.debug('Kerberos principal: %s', PRINCIPAL) ccache_filename = os.path.join(WORKDIR, 'ipa-dnskeysyncd.ccache') -ipautil.kinit_keytab(PRINCIPAL, KEYTAB_FB, ccache_filename) +try: +ipautil.kinit_keytab(PRINCIPAL, KEYTAB_FB, ccache_filename) +except Exception as ex: +log.critical(ex) +# signal failure and let init system to restart the daemon +sys.exit(1) os.environ['KRB5CCNAME'] = ccache_filename # LDAP initialization -- 2.1.0 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
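Review bot: the new except clause in the ipa-dnskeysyncd hunk catches every Exception, so any non-Kerberos failure inside kinit_keytab (an unreadable keytab, a programming error) is also reduced to a one-line critical message with the traceback gone for good; consider narrowing the except to the error type kinit_keytab actually raises, or logging the traceback at debug level with exc_info so it stays recoverable. The message itself also omits which principal and keytab failed; `log.critical('kinit for %s from %s failed: %s', PRINCIPAL, KEYTAB_FB, ex)` would give the operator what they need to act on it. Two small things: make sure `sys` is imported in this file (not visible in the hunk), and the comment should read "let the init system restart the daemon".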
Re: [Freeipa-devel] [PATCH 0384-0385] Replace isc_atomic_* in with reference counter
On 23.06.2015 11:32, Petr Spacek wrote:
> On 10.6.2015 19:07, Petr Spacek wrote:
> > Hello,
> > 
> > Replace isc_atomic_* in MetaLDAP with reference counter abstraction.
> > +
> > Replace isc_atomic_* in instance tainting with reference counter
> > abstraction.
> > 
> > Reference counters are used as abstraction which hides missing
> > isc_atomic_*() functions on some architectures.
> > 
> > This change is necessary for architectures like s390x and ppc64le where BIND
> > does not provide isc_atomic_* abstractions.
> 
> Fixed version of the patch is attached.
> 
> The same code is also on Github:
> https://github.com/pspacek/bind-dyndb-ldap/commits/atomic_to_refcnt
> 
> Thank you for review!
> 

I did formal review of patches 384 and 385. The fixed version looks good.

ACK.

Regards,

-- 
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

PGP: 1D9F3C2D
Red Hat Inc. http://cz.redhat.com
[Freeipa-devel] [PATCHES 0042-45] new commands for adding/removing certificates from entries
This patchset implements new API commands for manipulating user/host/service userCertificate attribute alongside some underlying plumbing. PATCH 0045 is a small test suite that I slapped together since manual testing of this stuff is very cumbersome. It requires my PATCH 0040 to apply and work which was pushed to master recently (commit 74883bbc959058c8bfafd9f63e8fad0e3792ac28). The work is related to http://www.freeipa.org/page/V4/User_Certificates and https://fedorahosted.org/freeipa/ticket/4238 -- Martin^3 Babinsky From 54836ffd7b1fb69fbe687aba16418ee5f27fe8ac Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Tue, 23 Jun 2015 13:42:45 +0200 Subject: [PATCH 4/4] test suite for user/host/service certificate management API commands These tests excercise various scenarios when using new class of API commands to add or remove certificates to user/service/host entries. Part of http://www.freeipa.org/page/V4/User_Certificates --- ipatests/test_xmlrpc/test_add_remove_cert_cmd.py | 352 +++ 1 file changed, 352 insertions(+) create mode 100644 ipatests/test_xmlrpc/test_add_remove_cert_cmd.py diff --git a/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py b/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py new file mode 100644 index ..48863468e3344084ad7211ec296bb7d113a49f44 --- /dev/null +++ b/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py 
@@ -0,0 +1,352 @@ +# +# Copyright (C) 2015 FreeIPA Contributors see COPYING for license +# + +import base64 + +from ipalib import api, errors + +from ipatests.util import assert_deepequal, raises +from xmlrpc_test import XMLRPC_test +from ipapython.dn import DN +from testcert import get_testcert + + +class CertManipCmdTestBase(XMLRPC_test): +entity_class = '' +entity_pkey = None +entity_subject = None +entity_principal = None +non_existent_entity = None + +profile_store_orig = True +default_profile_id = u'caIPAserviceCert' +default_caacl = u'hosts_services_%s' % default_profile_id +cmd_options = dict( +entity_add=None, +caacl=None, +) +cert_add_cmd = None +cert_del_cmd = None + +cert_add_summary = u'' +cert_del_summary = u'' + +entity_attrs = None + +@classmethod +def disable_profile_store(cls): +try: +api.Command.certprofile_mod(cls.default_profile_id, +ipacertprofilestoreissued=False) +except errors.EmptyModlist: +cls.profile_store_orig = False +else: +cls.profile_store_orig = True + +@classmethod +def restore_profile_store(cls): +if cls.profile_store_orig: +api.Command.certprofile_mod( +cls.default_profile_id, +ipacertprofilestoreissued=cls.profile_store_orig) + +@classmethod +def add_entity(cls): +api.Command['%s_add' % cls.entity_class]( +cls.entity_pkey, +**cls.cmd_options['entity_add']) + +@classmethod +def delete_entity(cls): +try: +api.Command['%s_del' % cls.entity_class](cls.entity_pkey) +except errors.NotFound: +pass + +# optional methods which implement adding CA ACL rule so that we can +# request cert for the entity. Currently used only for users. 
+@classmethod +def add_caacl(cls): +pass + +@classmethod +def remove_caacl(cls): +pass + +@classmethod +def setup_class(cls): +super(CertManipCmdTestBase, cls).setup_class() + +cls.delete_entity() + +cls.add_entity() +cls.add_caacl() + +cls.disable_profile_store() + +# list of certificates to add to entry +cls.certs = [ +get_testcert(DN(('CN', cls.entity_subject)), cls.entity_principal) +for i in xrange(3) +] + +# list of certificates for testing of removal of non-existent certs +cls.nonexistent_certs = [ +get_testcert(DN(('CN', cls.entity_subject)), cls.entity_principal) +for j in xrange(2) +] + +# cert subset to remove from entry +cls.certs_subset = cls.certs[:2] + +# remaining subset +cls.certs_remainder = cls.certs[2:] + +# mixture of certs which exist and do not exists in the entry +cls.mixed_certs = cls.certs[:2] + cls.nonexistent_certs[:1] + +# store entity info for the final test +cls.entity_attrs = api.Command['%s_show' % cls.entity_class]( +cls.entity_pkey) + +@classmethod +def teardown_class(cls): +cls.delete_entity() +cls.remove_caacl() + +cls.restore_profile_store() +super(CertManipCmdTestBase, cls).teardown_class() + +def test_01_add_cert_to_nonexistent_entity(self): +""" +Tests whether trying to add certificates to a non-existent entry +raises NotFound error. +""" +
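Review bot: setup_class in this hunk creates the entity and the CA ACL and then requests three certificates with get_testcert; if any of those requests fails, setup_class raises and teardown_class never runs, so the entity, the ACL and the changed ipacertprofilestoreissued setting leak into whatever test module runs next. Wrapping everything after add_entity()/add_caacl() in a try block that calls delete_entity(), remove_caacl() and restore_profile_store() on failure would keep the suite hermetic. Separately, disable_profile_store infers the original value from certprofile_mod raising EmptyModlist; that works only while the call changes exactly that one attribute, so a comment stating the assumption would save the next person a debugging session. The hunk is cut off after test_01's docstring, so the test bodies themselves could not be reviewed here.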
Re: [Freeipa-devel] topology-related issues
On 06/23/2015 11:27 AM, Oleg Fayans wrote:
> Hi Ludwig, team,
>
> I have a couple of issues with the topology plugin.
>
> 1. I was able to remove the middle node in a line topology, which resulted in disconnecting a segment.
> I had master - replica1 - replica2 - replica3 - replica4
> I removed replica2 with a standard `ipa-replica-manage del`
> And it resulted in the following topology:
>
> [13:13:08]ofayans@vm-086:~]$ ipa topologysegment-find realm
> --
> 2 segments matched
> --
> Segment name: 086-to-069
> Left node: vm-086.idm.lab.eng.brq.redhat.com
> Right node: vm-069.idm.lab.eng.brq.redhat.com
> Connectivity: both
>
> Segment name: 127-to-244
> Left node: vm-127.idm.lab.eng.brq.redhat.com
> Right node: vm-244.idm.lab.eng.brq.redhat.com
> Connectivity: both
> Number of entries returned 2
>
> We should probably prohibit such scenarios.

Should be fixed with patch 878. It's still on review.

> 2. When I subsequently tried to create a link between the two segments manually, I bumped into the following error:
>
> [[13:17:02]ofayans@vm-069:~]$ ipa topologysegment-add realm
> Left node: vm-069.idm.lab.eng.brq.redhat.com
> Right node: vm-244.idm.lab.eng.brq.redhat.com
> Connectivity [both]:
> Segment name [vm-069.idm.lab.eng.brq.redhat.com-vm-244.idm.lab.eng.brq.redhat.com]: 069-to-244
> ipa: ERROR: invalid 'rightnode': right node is not a topology node: vm-244.idm.lab.eng.brq.redhat.com

-- 
Petr Vobornik
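The disconnection described in point 1 above, as an added example that is not FreeIPA's own code (patch 878 is not on this page): the segments printed by `ipa topologysegment-find` are modelled as an undirected graph, and a removal is refused when the remaining nodes would no longer form a single connected component. Host names are constructed sample values; the function names are this example's own.

```python
"""Connectivity check for a replication topology before a node is removed.

Added example, not part of FreeIPA. A segment is (name, left node, right node),
mirroring the fields shown by `ipa topologysegment-find`. Host names are
constructed sample values.
"""
from collections import defaultdict

# Constructed sample: the line topology from the report,
# master - replica1 - replica2 - replica3 - replica4
SAMPLE_SEGMENTS = [
    ("master-to-r1", "master.example.test", "replica1.example.test"),
    ("r1-to-r2", "replica1.example.test", "replica2.example.test"),
    ("r2-to-r3", "replica2.example.test", "replica3.example.test"),
    ("r3-to-r4", "replica3.example.test", "replica4.example.test"),
]


def build_graph(segments):
    """Adjacency sets for an undirected graph; connectivity direction is ignored
    because a one-way segment still keeps both nodes in the same component."""
    adj = defaultdict(set)
    for _name, left, right in segments:
        adj[left].add(right)
        adj[right].add(left)
    return dict(adj)


def components(adj, nodes):
    """Connected components (as frozensets) of the subgraph induced by `nodes`."""
    seen = set()
    result = []
    for start in sorted(nodes):          # sorted for deterministic output
        if start in seen:
            continue
        comp = set()
        stack = [start]
        while stack:
            n = stack.pop()
            if n in comp:
                continue
            comp.add(n)
            stack.extend(m for m in adj.get(n, ()) if m in nodes and m not in comp)
        seen |= comp
        result.append(frozenset(comp))
    return result


def removal_is_safe(segments, node):
    """True if deleting `node` together with its segments leaves every other
    master reachable from every other master (one component)."""
    adj = build_graph(segments)
    remaining = set(adj) - {node}
    if not remaining:
        return True
    return len(components(adj, remaining)) == 1


def segments_after_removal(segments, node):
    """The segment list a delete would leave behind (used for the report)."""
    return [s for s in segments if node not in s[1:]]


def unsafe_removals(segments):
    """All nodes whose removal would split the topology (articulation points)."""
    adj = build_graph(segments)
    return sorted(n for n in adj if not removal_is_safe(segments, n))


if __name__ == "__main__":
    for node in sorted(build_graph(SAMPLE_SEGMENTS)):
        verdict = "ok" if removal_is_safe(SAMPLE_SEGMENTS, node) else "REFUSE: would disconnect topology"
        print("%-25s %s" % (node, verdict))
```

Deleting the middle node of the sample line is reported as unsafe, the two end nodes as safe; the same check run before `ipa-replica-manage del` is what would have prevented the two-segment result in the report.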
Re: [Freeipa-devel] topology-related issues
It looks like the second issue was caused by not running the ipa service on vm-244.idm.lab.eng.brq.redhat.com. However, after manual start of the ipa service on this node, I was still unable to set up the segment:

[11:38:39]ofayans@vm-069:~]$ ipa topologysegment-add realm
Left node: vm-244.idm.lab.eng.brq.redhat.com
Right node: vm-069.idm.lab.eng.brq.redhat.com
Connectivity [both]:
Segment name [vm-244.idm.lab.eng.brq.redhat.com-vm-069.idm.lab.eng.brq.redhat.com]:
ipa: ERROR: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('Ticket not yet valid', -1765328351)

The dirsrv error log of this node is attached.

On 06/23/2015 11:27 AM, Oleg Fayans wrote:
> Hi Ludwig, team,
>
> I have a couple of issues with the topology plugin.
>
> 1. I was able to remove the middle node in a line topology, which resulted in disconnecting a segment.
> I had master - replica1 - replica2 - replica3 - replica4
> I removed replica2 with a standard `ipa-replica-manage del`
> And it resulted in the following topology:
>
> [13:13:08]ofayans@vm-086:~]$ ipa topologysegment-find realm
> --
> 2 segments matched
> --
> Segment name: 086-to-069
> Left node: vm-086.idm.lab.eng.brq.redhat.com
> Right node: vm-069.idm.lab.eng.brq.redhat.com
> Connectivity: both
>
> Segment name: 127-to-244
> Left node: vm-127.idm.lab.eng.brq.redhat.com
> Right node: vm-244.idm.lab.eng.brq.redhat.com
> Connectivity: both
> Number of entries returned 2
>
> We should probably prohibit such scenarios.
>
> 2. When I subsequently tried to create a link between the two segments manually, I bumped into the following error:
>
> [[13:17:02]ofayans@vm-069:~]$ ipa topologysegment-add realm
> Left node: vm-069.idm.lab.eng.brq.redhat.com
> Right node: vm-244.idm.lab.eng.brq.redhat.com
> Connectivity [both]:
> Segment name [vm-069.idm.lab.eng.brq.redhat.com-vm-244.idm.lab.eng.brq.redhat.com]: 069-to-244
> ipa: ERROR: invalid 'rightnode': right node is not a topology node: vm-244.idm.lab.eng.brq.redhat.com

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
389-Directory/1.3.4.a1 B2015.132.1526
vm-244.idm.lab.eng.brq.redhat.com:389 (/etc/dirsrv/slapd-IDM-LAB-ENG-BRQ-REDHAT-COM)

[22/Jun/2015:13:19:14 +0200] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[22/Jun/2015:13:19:14 +0200] - check_and_set_import_cache: pagesize: 4096, pages: 373666, procpages: 54753
[22/Jun/2015:13:19:14 +0200] - WARNING: After allocating import cache 597864KB, the available memory is 896800KB, which is less than the soft limit 1048576KB. You may want to decrease the import cache size and rerun import.
[22/Jun/2015:13:19:14 +0200] - Import allocates 597864KB import cache.
[22/Jun/2015:13:19:14 +0200] - import userRoot: Beginning import job...
[22/Jun/2015:13:19:14 +0200] - import userRoot: Index buffering enabled with bucket size 100
[22/Jun/2015:13:19:14 +0200] - import userRoot: Processing file "/var/lib/dirsrv/boot.ldif"
[22/Jun/2015:13:19:14 +0200] - import userRoot: Finished scanning file "/var/lib/dirsrv/boot.ldif" (1 entries)
[22/Jun/2015:13:19:15 +0200] - import userRoot: Workers finished; cleaning up...
[22/Jun/2015:13:19:15 +0200] - import userRoot: Workers cleaned up.
[22/Jun/2015:13:19:15 +0200] - import userRoot: Cleaning up producer thread...
[22/Jun/2015:13:19:15 +0200] - import userRoot: Indexing complete. Post-processing...
[22/Jun/2015:13:19:15 +0200] - import userRoot: Generating numsubordinates (this may take several minutes to complete)...
[22/Jun/2015:13:19:15 +0200] - import userRoot: Generating numSubordinates complete.
[22/Jun/2015:13:19:15 +0200] - import userRoot: Gathering ancestorid non-leaf IDs...
[22/Jun/2015:13:19:15 +0200] - import userRoot: Finished gathering ancestorid non-leaf IDs.
[22/Jun/2015:13:19:15 +0200] - Nothing to do to build ancestorid index
[22/Jun/2015:13:19:15 +0200] - import userRoot: Created ancestorid index (new idl).
[22/Jun/2015:13:19:15 +0200] - import userRoot: Flushing caches...
[22/Jun/2015:13:19:15 +0200] - import userRoot: Closing files...
[22/Jun/2015:13:19:15 +0200] - All database threads now stopped
[22/Jun/2015:13:19:16 +0200] - import userRoot: Import complete. Processed 1 entries in 2 seconds. (0.50 entries/sec)
[22/Jun/2015:13:19:16 +0200] - 389-Directory/1.3.4.a1 B2015.132.1526 starting up
[22/Jun/2015:13:19:16 +0200] - Db home directory is not set. Possibly nsslapd-directory (optionally nsslapd-db-home-directory) is missing in the config file.
[22/Jun/2015:13:19:16 +0200] - resizing db cache size: 612212736 -> 640
[22/Jun/2015:13:19:17 +0200] - convert_pbe_des_to_aes: Converting DES passwords to AES...
[22/Jun/2015:13:19:17 +0200] - convert_pbe_des_to_aes: Successfully disabled DES plugin (cn=DES,cn=Password Storage Schemes,cn=plugins,cn=config)
[22/Jun/2015:13:19:17 +0200] - convert_pbe_des_to_aes: Finished
Re: [Freeipa-devel] [PATCH 0383] Fix metadb_iterator_destroy() to accept NULL iterators
On 23.6.2015 10:43, Tomas Hozza wrote:
> On 08.06.2015 14:08, Petr Spacek wrote:
>> Hello,
>>
>> Fix metadb_iterator_destroy() to accept NULL iterators.
>>
>> This prevents potential crash in error handling, e.g. if memory
>> allocation failed.
>>
>
> Hi.
>
> I did formal review. The patch looks good.
>
> ACK.

Thanks!

Pushed to master: 158e95e38e78cdeadf6ed6605b77dbaa754c657a

-- 
Petr^2 Spacek
Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)
Hi,

I've created a new patch that implements the KDC switch as an ExecStartPre hook in httpd.service.

Testing:

If you are doing an upgrade of an existing installation, then you have to run ipa-server-update first. The update creates the config file /etc/ipa/kdcproxy/ipa-kdc-proxy.conf from a template. /usr/libexec/ipa/ipa-httpd-kdcproxy creates / removes the symlink /etc/httpd/conf.d/ipa-kdc-proxy.conf. The feature is enabled by default.

Disable KDC Proxy on the current host:

# ipa-ldap-updater /usr/share/ipa/kdcproxy-disable.ldif
# systemctl restart httpd.service

Enable KDC Proxy on the current host:

# ipa-ldap-updater /usr/share/ipa/kdcproxy-enable.ldif
# systemctl restart httpd.service

Regards,
Christian

From b860590e6859fc0edcd9543b1a0dc6e58d93afa6 Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Tue, 23 Jun 2015 11:09:46 +0200
Subject: [PATCH] Provide Kerberos over HTTP (MS-KKDCP)

Add integration of python-kdcproxy into FreeIPA to support the MS Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD client requests over HTTP and HTTPS.

- freeipa-server now depends on python-kdcproxy >= 0.2.1. All kdcproxy dependencies are already satisfied.
- The service's state is configured in cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX. It's enabled when ipaConfigString=kdcProxyEnabled is present.
- The installers and update create a new Apache config file /etc/ipa/kdcproxy/ipa-kdc-proxy.conf that mounts a WSGI app on /KdcProxy. The app is run inside its own WSGI daemon group with a different uid and gid than the webui.
- An ExecStartPre script in httpd.service symlinks the config file to /etc/httpd/conf.d/ iff ipaConfigString=kdcProxyEnabled is present.
- The Apache config sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf, so that an existing config is not used.
- python-kdcproxy is configured to *not* use DNS SRV lookups. The location of KDC and KPASSWD servers is read from /etc/krb5.conf.
- The state of the service can be modified with two ldif files for ipa-ldap-updater. No CLI script is offered yet.

Changes since the last patch:

- WSGI shim module was removed in favor of the symlink approach.
- Since the ExecStartPre script runs as root user, EXTERNAL GSSAPI bind can be used. This eliminates the need for a keytab, service principal and additional permission.
https://www.freeipa.org/page/V4/KDC_Proxy https://fedorahosted.org/freeipa/ticket/4801 --- freeipa.spec.in| 26 + init/systemd/httpd.service | 1 + install/conf/Makefile.am | 1 + install/conf/ipa-kdc-proxy.conf.template | 31 + install/conf/ipa.conf | 6 +- install/share/Makefile.am | 3 + install/share/kdcproxy-disable.ldif| 3 + install/share/kdcproxy-enable.ldif | 6 + install/share/kdcproxy.conf| 4 + install/tools/Makefile.am | 5 + install/tools/ipa-httpd-kdcproxy | 180 + ipaplatform/base/paths.py | 4 +- ipaserver/install/ipa_backup.py| 1 + ipaserver/install/kdcproxyinstance.py | 163 ++ ipaserver/install/server/install.py| 8 +- ipaserver/install/server/replicainstall.py | 8 +- ipaserver/install/server/upgrade.py| 8 ++ 17 files changed, 452 insertions(+), 6 deletions(-) create mode 100644 install/conf/ipa-kdc-proxy.conf.template create mode 100644 install/share/kdcproxy-disable.ldif create mode 100644 install/share/kdcproxy-enable.ldif create mode 100644 install/share/kdcproxy.conf create mode 100755 install/tools/ipa-httpd-kdcproxy create mode 100644 ipaserver/install/kdcproxyinstance.py diff --git a/freeipa.spec.in b/freeipa.spec.in index 809ac1e5bb877c85e29c082ecfb9ad91aa97b4f5..6b14650600016d9fa6f5baf01379c37af9b38eef 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -22,6 +22,10 @@ %define _hardened_build 1 +%define kdcproxy_user kdcproxy +%define kdcproxy_group kdcproxy +%define kdcproxy_home %{_sharedstatedir}/kdcproxy + Name: freeipa Version:__VERSION__ Release:__RELEASE__%{?dist} @@ -95,6 +99,7 @@ BuildRequires: p11-kit-devel BuildRequires: pki-base >= 10.2.4-1 BuildRequires: python-pytest-multihost >= 0.5 BuildRequires: python-pytest-sourceorder +BuildRequires: python-kdcproxy >= 0.2.1 %description IPA is an integrated solution to provide centrally managed Identity (machine, 
@@ -130,6 +135,7 @@ Requires: memcached Requires: python-memcached Requires: dbus-python Requires: systemd-units >= 38 +Requires(pre): shadow-utils Requires(pre): systemd-units Requires(post): systemd-units Requires: selinux-policy >= %{selinux_policy_version} @@ -140,6 +146,7 @@ Requires: pki-kra >= 10.2.4-1 Requires(preun): python systemd-units Requires(postun): python systemd-units Requires: python-dns >= 1.11.1 +Requires: python-kdcproxy >= 0.2.1 R
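Review bot: in the `@@ -95,6 +99,7 @@` hunk, `BuildRequires: python-kdcproxy >= 0.2.1` is only justified if something imports kdcproxy at build time (for example tests run from `%check`); otherwise the runtime `Requires: python-kdcproxy >= 0.2.1` added in the `@@ -140,6 +146,7 @@` hunk is sufficient and the BuildRequires only widens the build root. Please state in the commit message which build step needs it, or drop it.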
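Review bot: `Requires(pre): shadow-utils` in the `@@ -130,6 +135,7 @@` hunk implies a `%pre` scriptlet that creates the `%{kdcproxy_user}`/`%{kdcproxy_group}` account and `%{kdcproxy_home}` defined in the `@@ -22,6 +22,10 @@` hunk, but that scriptlet is not in the part of the patch visible here. Since this account only exists to run the KdcProxy WSGI daemon group, make sure the scriptlet creates it as a system account with a non-interactive shell and that `%{kdcproxy_home}` appears under `%files` with explicit owner and mode.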
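The ExecStartPre switch described in the patch message (symlink the generated Apache config into /etc/httpd/conf.d/ iff `ipaConfigString=kdcProxyEnabled` is present on the KDC service entry), as an added example that is not the project's `ipa-httpd-kdcproxy` script. It assumes the service entry's attributes have already been read, for instance over the root EXTERNAL bind the patch mentions, and are passed in as a dict of attribute name to list of values; the target and link paths are parameters so the logic can be exercised against a throwaway directory. `kdcproxy_enabled`, `sync_symlink` and `demo_in_tempdir` are this example's own names.

```python
"""Enable/disable a KDC proxy Apache config from an LDAP service flag.

Added example, not FreeIPA's ipa-httpd-kdcproxy. The LDAP lookup itself is
out of scope; `entry_attrs` is assumed to be the already-fetched attribute
dict of cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX.
"""
import os
import shutil
import tempfile

# The flag value named in the patch description; compared exactly.
KDCPROXY_FLAG = "kdcProxyEnabled"


def kdcproxy_enabled(entry_attrs):
    """True iff ipaConfigString carries the kdcProxyEnabled value.

    Values may be bytes (as python-ldap returns them) or str.  A missing
    entry or attribute means the proxy is disabled, never an error.
    """
    for value in entry_attrs.get("ipaConfigString", []):
        if isinstance(value, bytes):
            value = value.decode("utf-8", "replace")
        if value == KDCPROXY_FLAG:
            return True
    return False


def sync_symlink(enabled, target, link_path):
    """Make link_path -> target exist iff `enabled`; return the action taken.

    Only symlinks are ever created or removed.  A regular file at link_path
    is refused rather than silently replaced, so an administrator's manual
    config is never deleted by the service start-up hook.
    """
    exists = os.path.lexists(link_path)
    if exists and not os.path.islink(link_path):
        raise RuntimeError("%s exists and is not a symlink; refusing to touch it" % link_path)
    if enabled:
        if exists and os.readlink(link_path) == target:
            return "unchanged"
        if exists:
            os.unlink(link_path)          # stale link pointing elsewhere
        os.symlink(target, link_path)
        return "linked"
    if exists:
        os.unlink(link_path)
        return "removed"
    return "unchanged"


def demo_in_tempdir():
    """Run the decision and symlink logic in a temp dir; return the actions."""
    root = tempfile.mkdtemp(prefix="kdcproxy-demo-")
    try:
        target = os.path.join(root, "ipa", "ipa-kdc-proxy.conf")      # stand-in for /etc/ipa/kdcproxy/...
        link = os.path.join(root, "conf.d", "ipa-kdc-proxy.conf")     # stand-in for /etc/httpd/conf.d/...
        os.makedirs(os.path.dirname(target))
        os.makedirs(os.path.dirname(link))
        with open(target, "w") as fh:
            fh.write("# constructed stand-in for the generated Apache config\n")
        # Constructed entries: one with the flag, one without.
        enabled_entry = {"ipaConfigString": [b"enabledService", b"kdcProxyEnabled"]}
        disabled_entry = {"ipaConfigString": [b"enabledService"]}
        return [
            sync_symlink(kdcproxy_enabled(enabled_entry), target, link),
            sync_symlink(kdcproxy_enabled(enabled_entry), target, link),
            sync_symlink(kdcproxy_enabled(disabled_entry), target, link),
            sync_symlink(kdcproxy_enabled(disabled_entry), target, link),
        ]
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo_in_tempdir())
```

Running the demo yields `linked`, `unchanged`, `removed`, `unchanged`: the hook is idempotent, so restarting httpd repeatedly with the same LDAP state does nothing, and flipping the flag with the enable/disable ldif files takes effect on the next restart.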
Re: [Freeipa-devel] [PATCH 0384-0385] Replace isc_atomic_* in with reference counter
On 10.6.2015 19:07, Petr Spacek wrote: > Hello, > > Replace isc_atomic_* in MetaLDAP with reference counter abstraction. > + > Replace isc_atomic_* in instance tainting with reference counter abstraction. > > Reference counters are used as abstraction which hides missing isc_atomic_*() > functions on some architectures. > > > This change is necessary for architectures like s390x and ppc64le where BIND > does not provide isc_atomic_* abstractions. Fixed version of the patch is attached. The same code is also on Github: https://github.com/pspacek/bind-dyndb-ldap/commits/atomic_to_refcnt Thank you for review! -- Petr^2 Spacek From 1f167ee3366d7cc65038141640670dd0771c333f Mon Sep 17 00:00:00 2001 From: Petr Spacek Date: Wed, 10 Jun 2015 16:51:14 +0200 Subject: [PATCH] Replace isc_atomic_* in instance tainting with reference counter abstraction. Reference counters are used as abstraction which hides missing isc_atomic_*() functions on some architectures. --- src/ldap_helper.c | 49 ++--- src/ldap_helper.h | 6 ++ 2 files changed, 48 insertions(+), 7 deletions(-) diff --git a/src/ldap_helper.c b/src/ldap_helper.c index d6461a3e83b63555a46ff3f60761e3703d9a6b4e..415786d31776d8780f44e75f48674c47a2f61b21 100644 --- a/src/ldap_helper.c +++ b/src/ldap_helper.c @@ -24,7 +24,6 @@ #include #include -#include #include #include #include @@ -37,6 +36,7 @@ #include #include #include +#include #include #include #include @@ -159,10 +159,8 @@ struct ldap_instance { isc_task_t *task; isc_thread_t watcher; isc_boolean_t exiting; - /* Non-zero if this instance 'tainted' by a unrecoverable problem. - * It should be accessed using isc_atomic_*() because it might be - * modified from multiple threads. */ - isc_int32_t tainted; + /* Non-zero if this instance is 'tainted' by an unrecoverable problem. */ + isc_refcount_t errors; /* Settings. */ settings_set_t *local_settings; 
@@ -517,6 +515,7 @@ new_ldap_instance(isc_mem_t *mctx, const char *db_name, CHECKED_MEM_GET_PTR(mctx, ldap_inst); ZERO_PTR(ldap_inst); + CHECK(isc_refcount_init(&ldap_inst->errors, 0)); isc_mem_attach(mctx, &ldap_inst->mctx); ldap_inst->db_name = db_name; @@ -663,6 +662,10 @@ destroy_ldap_instance(ldap_instance_t **ldap_instp) settings_set_free(&ldap_inst->local_settings); sync_ctx_free(&ldap_inst->sctx); + /* zero out error counter (and do nothing other than that) */ + ldap_instance_untaint_finish(ldap_inst, + ldap_instance_untaint_start(ldap_inst)); + isc_refcount_destroy(&ldap_inst->errors); MEM_PUT_AND_DETACH(ldap_inst); 
@@ -4684,10 +4687,42 @@ ldap_instance_isexiting(ldap_instance_t *ldap_inst) * (if it is even possible). */ void ldap_instance_taint(ldap_instance_t *ldap_inst) { - isc_atomic_store(&ldap_inst->tainted, 1); + isc_refcount_increment0(&ldap_inst->errors, NULL); } isc_boolean_t ldap_instance_istained(ldap_instance_t *ldap_inst) { - return ISC_TF(isc_atomic_cmpxchg(&ldap_inst->tainted, 0, 0) != 0); + return ISC_TF(isc_refcount_current(&ldap_inst->errors) != 0); +} + +/** + * Get number of errors from LDAP instance. This function should be called + * before re-synchronization with LDAP is started. + * When the re-synchronization is finished, the result of this function + * has to be passed to ldap_instance_untaint_finish() to detect if any other + * error occurred during the re-synchronization. + */ +unsigned int +ldap_instance_untaint_start(ldap_instance_t *ldap_inst) { + return isc_refcount_current(&ldap_inst->errors); +} + +/** + * @retval DNS_R_CONTINUE An error occurred during re-synchronization, + *it is necessary to start again. + * @retval ISC_R_SUCCESS Number of errors at the beginning and the end of + *re-sychronization matches so no new errors occurred + *during re-synchronization. + */ +isc_result_t +ldap_instance_untaint_finish(ldap_instance_t *ldap_inst, unsigned int count) { + unsigned int remaining = 0; + while (count > 0) { + isc_refcount_decrement(&ldap_inst->errors, &remaining); + count--; + } + if (remaining != 0) + return DNS_R_CONTINUE; + else + return ISC_R_SUCCESS; } diff --git a/src/ldap_helper.h b/src/ldap_helper.h index e81b8aa59d3518b80afec2ad357e859bcb7eac20..b4b1ee59edb3414b305888271dc425980a1fd3df 100644 --- a/src/ldap_helper.h +++ b/src/ldap_helper.h 
@@ -90,4 +90,10 @@ isc_boolean_t ldap_instance_isexiting(ldap_instance_t *ldap_inst) ATTR_NONNULLS void ldap_instance_taint(ldap_instance_t *ldap_inst) ATTR_NONNULLS; +unsigned int +ldap_instance_untaint_start(ldap_instance_t *ldap_inst); + +isc_result_t +ldap_instance_untaint_finish(ldap_instance_t *ldap_inst, unsigned int count); + #endif /* !_LD_LDAP_HELPER_H_ */ -- 2.1.0
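Review bot: `ldap_instance_untaint_finish()` in the `@@ -4684,10 +4687,42 @@` hunk returns `ISC_R_SUCCESS` whenever `count == 0`, because `remaining` is initialised to 0 and is only updated inside the `while (count > 0)` loop; a re-synchronisation that started on a clean instance and then hit errors is therefore reported as successful and those errors are never consumed. Initialise `remaining` from the live counter so the final comparison always reflects it, e.g. `unsigned int remaining = isc_refcount_current(&ldap_inst->errors);`, or re-read it after the loop.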
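Review bot: the two new prototypes in the `@@ -90,4 +90,10 @@` hunk lack the `ATTR_NONNULLS` annotation that the neighbouring `ldap_instance_isexiting()` and `ldap_instance_taint()` declarations carry; both new functions dereference `ldap_inst` unconditionally, so add it for consistency and to keep the compiler's NULL-argument diagnostics.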
[Freeipa-devel] topology-related issues
Hi Ludwig, team,

I have a couple of issues with the topology plugin.

1. I was able to remove the middle node in a line topology, which resulted in disconnecting a segment.
I had master - replica1 - replica2 - replica3 - replica4
I removed replica2 with a standard `ipa-replica-manage del`
And it resulted in the following topology:

[13:13:08]ofayans@vm-086:~]$ ipa topologysegment-find realm
--
2 segments matched
--
Segment name: 086-to-069
Left node: vm-086.idm.lab.eng.brq.redhat.com
Right node: vm-069.idm.lab.eng.brq.redhat.com
Connectivity: both

Segment name: 127-to-244
Left node: vm-127.idm.lab.eng.brq.redhat.com
Right node: vm-244.idm.lab.eng.brq.redhat.com
Connectivity: both
Number of entries returned 2

We should probably prohibit such scenarios.

2. When I subsequently tried to create a link between the two segments manually, I bumped into the following error:

[[13:17:02]ofayans@vm-069:~]$ ipa topologysegment-add realm
Left node: vm-069.idm.lab.eng.brq.redhat.com
Right node: vm-244.idm.lab.eng.brq.redhat.com
Connectivity [both]:
Segment name [vm-069.idm.lab.eng.brq.redhat.com-vm-244.idm.lab.eng.brq.redhat.com]: 069-to-244
ipa: ERROR: invalid 'rightnode': right node is not a topology node: vm-244.idm.lab.eng.brq.redhat.com

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
Re: [Freeipa-devel] [PATCH 0383] Fix metadb_iterator_destroy() to accept NULL iterators
On 08.06.2015 14:08, Petr Spacek wrote:
> Hello,
>
> Fix metadb_iterator_destroy() to accept NULL iterators.
>
> This prevents potential crash in error handling, e.g. if memory
> allocation failed.
>

Hi.

I did formal review. The patch looks good.

ACK.

Regards,
-- 
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

PGP: 1D9F3C2D
Red Hat Inc. http://cz.redhat.com
Re: [Freeipa-devel] [PATCH 0003] Fix for a typo in certprofile mod command.
On 06/19/2015 12:27 PM, Fraser Tweedale wrote:
> On Fri, Jun 19, 2015 at 12:04:43PM +0200, Milan Kubik wrote:
>> Patch attached.
>>
>> Milan
>
> ACK

Pushed to master: b3c7805e881c250db061c44a3b5061f3f7030c5f

-- 
Petr Vobornik
Re: [Freeipa-devel] [PATCH 0040] generalize certificate creation during testing
On 06/16/2015 10:35 AM, Milan Kubik wrote:
> On 06/09/2015 01:14 PM, Martin Babinsky wrote:
>> A slight hack to ipatests/test_xmlrpc/testcert.py module in order to enable generation of multiple host/service/user certificates.
>>
>> It should make writing tests for new CA profile/sub-CA/user certificate functionality easier.
>
> Hi, looks good to me, ACK.
>
> Milan

Pushed to master: 74883bbc959058c8bfafd9f63e8fad0e3792ac28

-- 
Petr Vobornik