Re: [Freeipa-devel] IPA 3.0 migrated to 4.1 users break winsync agreement when deleted in active directory

2015-09-10 Thread Andreas Calminder

Can confirm, works well for me too. Thanks!

On 09/10/2015 05:06 PM, Petr Vobornik wrote:

On 09/10/2015 05:00 PM, Rob Crittenden wrote:

Martin Kosek wrote:
Hmm, does this mean we need to update our HowTo on migrating FreeIPA to FreeIPA
via migrate-ds? It is already quite long command, mostly due to the need of
removing Kerberos attributes:

http://www.freeipa.org/page/Howto/Migration#Migrating_from_other_FreeIPA_to_FreeIPA

I think it should. I haven't updated it because I never actually tested
it to see that it worked as expected. It seems to be working for Andreas
though.

rob


It works for me. I have updated the page.





Martin

On 09/09/2015 09:40 PM, Andreas Calminder wrote:

Hi,
I just wanted to post the solution for this, I've reported this to 
Redhat and a bug has been filed 
(https://bugzilla.redhat.com/1261536). The problem was that 
migrate-ds copied the attribute mepManagedEntry on migration, the 
suggested workaround, running migrate-ds with 
--user-ignore-attribute=mepManagedEntry 
--user-ignore-objectclass=mepOriginEntry worked like a charm 
(Thanks Rob!), deleting users in active directory doesn't break the 
winsync agreement and I'm able to delete migrated users directly in 
ipa. As mentioned in the bug comments, migrate-ds isn't really for 
ipa to ipa migration. However, it kind of worked...


/andreas

From: freeipa-devel-boun...@redhat.com
[mailto:freeipa-devel-boun...@redhat.com] On Behalf Of Andreas Calminder

Sent: den 9 september 2015 17:16
To: freeipa-devel@redhat.com
Subject: Re: [Freeipa-devel] IPA 3.0 migrated to 4.1 users break 
winsync agreement when deleted in active directory


Yes, kind of. I wanted a new environment with a proper certificate
authority setup with only the old users and groups from the IPA 3.0
environment. The old environment uses a self-signed CA, I thought it
would be easier to just migrate my users and groups.

On 9 Sep 2015 4:49 pm, Rob Crittenden  wrote:
Andreas Calminder wrote:

Hi,
thanks for your reply, I'm able to list the user with ldapsearch and I
can't find any conflict entries described in the article. The 4.1
environment is only 1 server connected to active directory. Forgot to
reply to the list before, doh!

I've noticed a difference between users in 3.0 and 4.1 though, migrated
users in the 4.1 do not have an entry in
"cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld" while users in 3.0 have this.

Example:

FreeIPA 4.1 environment:
# ldapsearch -xLLL -D "cn=directory manager" -W
-b"cn=batman,cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld"
Enter LDAP Password:
No such object (32) Matched DN:
cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld

FreeIPA 3.0 environment:
# ldapsearch -xLLL -D "cn=directory manager" -W -b
"cn=batman,cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld"
Enter LDAP Password:
dn: cn=batman,cn=groups,cn=accounts,dc=dev,dc=sub,dc=domain,dc=tld
objectClass: posixgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: top
cn: batman
gidNumber: 1486600065
description: User private group for batman
mepManagedBy: uid=batman,cn=users,cn=accounts,dc=sub,dc=domain,dc=tld
ipaUniqueID: 139f6140-5074-11e5-a09d-005056914c0c


Migrated users don't get user-private groups created.

Is there a reason you migrated from 3.0 to 4.1 rather than just adding a
4.1 master to the existing pool?

rob



/andreas

On 09/09/2015 04:29 PM, Rich Megginson wrote:

On 09/09/2015 03:39 AM, Martin Basti wrote:



On 09/09/2015 10:50 AM, Andreas Calminder wrote:
Forgot to write that deleting users in active directory not migrated
with the migrate-ds command works fine, it's only migrated users
present in the ad that break the winsync agreement on deletion.

On 09/09/2015 10:35 AM, Andreas Calminder wrote:

Hi,
I've asked in #freeipa on freenode but to no avail, figured I'll
ask here as well, since I think I've actually hit a bug or (quite)
possibly I've done something moronic configuration/migration-wise.


I've got an existing FreeIPA 3.0.0 environment running with a fully
functioning winsync agreement and passsync service with the windows
environment's active directory, I'm trying to migrate the 3.0.0
environment's users into a freshly installed 4.1 (rhel7)
environment, after migration I set up a winsync agreement and make
it bi-directional (one-way sync from windows) everything seems to
be working alright until I delete a migrated user from the Active
Directory, after the winsync picks up on the change it'll break and
suggests a re-initialize. After the re-initialization the agreement
seems to be fine, however the deleted user is still present in the
ipa 4.1 environment and cannot be deleted. The webgui and ipa cli
say: ipauser1: user not found. ipa user-find ipauser1 finds the
user and it's visible in the ui.

Anyone had the same problem or anything similar or any pointers on
where to start looking?

Regards,
Andreas





Hello, this might be a replication conflict.

Can you list that user via ldapsearch t
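A check for the migration leftover discussed in this thread, written as an added example (not code from the thread or from FreeIPA): it parses an LDIF dump of the accounts subtree and lists users whose mepManagedEntry points at a private group that does not exist, which is what migrate-ds leaves behind unless mepManagedEntry and mepOriginEntry are ignored. The sample LDIF is constructed; on a real server feed it the output of an ldapsearch over cn=accounts.

```python
import re

# Constructed sample LDIF (not real directory data): one migrated user whose
# mepManagedEntry still points at a private group that migrate-ds never
# created, and one natively created user whose private group exists.
SAMPLE_LDIF = """\
dn: uid=batman,cn=users,cn=accounts,dc=sub,dc=domain,dc=tld
objectClass: posixaccount
objectClass: mepOriginEntry
uid: batman
mepManagedEntry: cn=batman,cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld

dn: uid=robin,cn=users,cn=accounts,dc=sub,dc=domain,dc=tld
objectClass: posixaccount
objectClass: mepOriginEntry
uid: robin
mepManagedEntry: cn=robin,cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld

dn: cn=robin,cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld
objectClass: posixgroup
objectClass: mepManagedEntry
cn: robin
mepManagedBy: uid=robin,cn=users,cn=accounts,dc=sub,dc=domain,dc=tld
"""


def parse_ldif(text):
    """Minimal LDIF parser: returns {dn_lowercase: {attr_lowercase: [values]}}.

    Handles folded continuation lines (leading space) and skips comments.
    Base64 (::) values are not needed for this check and are left undecoded.
    """
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for line in block.splitlines():
            if line.startswith("#"):
                continue
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]      # unfold a continuation line
            else:
                lines.append(line)
        attrs = {}
        for line in lines:
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        dn = attrs.get("dn", [None])[0]
        if dn:
            entries[dn.lower()] = attrs
    return entries


def dangling_mep_users(ldif_text):
    """Return uids of users whose mepManagedEntry names a DN absent from the
    dump. These are the entries the thread identifies as breaking winsync
    deletions and 'ipa user-del' after an ipa-to-ipa migrate-ds run."""
    entries = parse_ldif(ldif_text)
    dangling = []
    for dn, attrs in entries.items():
        if "mepmanagedentry" not in attrs:
            continue
        target = attrs["mepmanagedentry"][0].lower()
        if target not in entries:
            dangling.append(attrs.get("uid", [dn])[0])
    return sorted(dangling)


if __name__ == "__main__":
    for uid in dangling_mep_users(SAMPLE_LDIF):
        print("dangling mepManagedEntry:", uid)
```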

Re: [Freeipa-devel] [PATCH 0053] Inconsistency between ipasearchrecordslimit and --sizelimit

2015-09-10 Thread Gabe Alford
Oops.. replied without the list.

Reason I said -1 is because users might be confused if they enter `ipa
config-mod --searchtimelimit=0`, and both `ipa user-show` and the webui
show -1 instead of 0. I wonder if -1 makes more sense in that regard?
Thoughts? Does "<= 0 is unlimited" make more sense?

Thanks,

Gabe


On Thu, Sep 10, 2015 at 8:15 AM, Jan Cholasta  wrote:

> I'm not sure about that, I think it should still say 0, because that's
> what we want to use as the unlimited value. If you insist on including -1
> in the docs, maybe we can say "<= 0 is unlimited"?
>
> On 10.9.2015 16:08, Gabe Alford wrote:
>
>> Makes sense. I also changed the doc string to reflect -1 as well.
>> Updated patch attached.
>>
>> Thanks,
>>
>> Gabe
>>
>> On Thu, Sep 10, 2015 at 1:41 AM, Jan Cholasta wrote:
>>
>> On 4.9.2015 14:43, Gabe Alford wrote:
>>
>> Bump for review.
>>
>> On Wed, Aug 12, 2015 at 9:32 AM, Gabe Alford wrote:
>>
>>  On Tue, Aug 11, 2015 at 1:34 AM, Jan Cholasta wrote:
>>
>>  On 6.8.2015 21:43, Gabe Alford wrote:
>>
>>  Hello,
>>
>>  Updated patch attached.
>>
>>  - Time limit is -1 for unlimited. I found this
>>  https://www.redhat.com/archives/freeipa-devel/2011-January/msg00330.html
>>  in reference to keeping the time limit as -1 for unlimited.
>>
>>
>>  This patch does two conflicting things: it coerces time limit of
>>  0 to -1 and at the same time prohibits the user from using 0 for
>>  time limit. We should do just one of these and IMHO it should be
>>  the coercion of 0 to -1.
>>
>>  Sure enough, testing time limit at 0 did not work for unlimited
>>  as well as appeared to have negative effects on IPA.
>>
>>
>>  This is because the time limit read from ipa config is not
>>  converted to int in ldap2.find_entries(), so the coercion does
>>  not work. Fix this and 0 will work just fine.
>>
>>  Also, I believe that
>>  http://www.python-ldap.org/doc/html/ldap.html#ldap.LDAPObject.search_ext_s
>>  specifies unlimited for time limit as -1. (Please correct me
>>  if I am wrong.)
>>
>>
>>  python-ldap is layers below our API and should not determine
>>  what we use for unlimited time limit. I would prefer if we were
>>  self-consistent and use 0 for both time limit and size limit.
>>
>>
>>  A misunderstanding on my part as I thought it was higher up in the
>>  API for some reason. Updated patch attached.
>>
>> Thanks, this is better, but it turns out I was wrong about coercing
>> -1 to 0 in config-mod: in a topology with different versions of IPA
>> servers, setting the limits in LDAP to 0 on a newer server with your
>> patch will break older servers without your patch:
>>
>>  [user@old]$ ipa user-find
>>  --
>>  1 user matched
>>  --
>>User login: admin
>>Last name: Administrator
>>Home directory: /home/admin
>>Login shell: /bin/bash
>>UID: 136480
>>GID: 136480
>>Account disabled: False
>>Password: True
>>Kerberos keys available: True
>>  
>>  Number of entries returned 1
>>  
>>
>>  [user@new]$ ipa config-mod --searchtimelimit=0
>> --searchrecordslimit=0
>>  ...
>>
>>  [user@old]$ ipa user-find
>>  ---
>>  0 users matched
>>  ---
>>  
>>  Number of entries returned 0
>>  
>>
>> To fix this, we actually need to do the opposite and store -1 in
>> LDAP when 0 is specified in config-mod options.
>>
>> Honza
>>
>> --
>> Jan Cholasta
>>
>>
>>
>
> --
> Jan Cholasta
>
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
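An added illustration of the argument in Honza's last reply, using hypothetical helper functions rather than FreeIPA code: the admin-facing 0 is stored as -1 so that a server without the patch, which only understands -1 as unlimited, keeps returning results, and the value read back from config is converted to int before the "unlimited" comparison, the step noted as missing in ldap2.find_entries().

```python
# Model of the searchtimelimit / searchrecordslimit handling argued over in
# the thread. All functions are illustrative; none of this is FreeIPA code.

UNLIMITED_ON_DISK = -1   # the value older servers already treat as "no limit"


def coerce_limit_for_storage(value):
    """Value typed by the admin (config-mod option) -> value stored in LDAP.

    0 means unlimited to the user, but an older server reading a literal 0
    applies it as a hard cap of zero results, so 0 is written as -1.
    Negative input is rejected: 0 is the only user-facing "unlimited".
    """
    value = int(value)
    if value < 0:
        raise ValueError("limit must be >= 0; use 0 for unlimited")
    return UNLIMITED_ON_DISK if value == 0 else value


def effective_limit(raw_config_value):
    """Value read back from LDAP (always a string) -> int cap, or None.

    The int() conversion is the step the thread says is missing in
    ldap2.find_entries(); without it the comparison would be '0' == 0
    (False) and the unlimited case would silently never be recognised.
    "<= 0 is unlimited" covers both a stored -1 and a legacy stored 0.
    """
    limit = int(raw_config_value)
    return None if limit <= 0 else limit


def naive_effective_limit(raw_config_value):
    """The buggy variant: compares the raw string against an int."""
    return None if raw_config_value == 0 else raw_config_value


def old_server_search(raw_config_value, entries):
    """A pre-patch server: only -1 is unlimited, anything else is a hard
    cap, so a stored 0 reproduces the '0 users matched' transcript."""
    limit = int(raw_config_value)
    if limit == UNLIMITED_ON_DISK:
        return list(entries)
    return list(entries)[:limit]


def new_server_search(raw_config_value, entries):
    """A patched server using effective_limit()."""
    limit = effective_limit(raw_config_value)
    return list(entries) if limit is None else list(entries)[:limit]


if __name__ == "__main__":
    users = ["admin"]
    stored = str(coerce_limit_for_storage(0))   # admin typed 0 -> "-1" in LDAP
    print("old server, stored 0 :", old_server_search("0", users))
    print("old server, stored", stored, ":", old_server_search(stored, users))
    print("new server, stored", stored, ":", new_server_search(stored, users))
```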

[Freeipa-devel] [PATCH 0314] Server Upgrade: backup CS.cfg when dogtag is turned off

2015-09-10 Thread Martin Basti

https://fedorahosted.org/freeipa/ticket/5287

Patch attached.
From ea3ccb19cf326efb1a2f6cb44d9047d0169b6643 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Thu, 10 Sep 2015 18:46:00 +0200
Subject: [PATCH] Server Upgrade: backup CS.cfg when dogtag is turned off

Unable to back up CS.cfg when dogtag is running.

https://fedorahosted.org/freeipa/ticket/5287
---
 ipaserver/install/server/upgrade.py | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 093aee878be797b853202be8907598f4f9adaff1..ed1241befdcce2a04666248d3362e26a78bfa25d 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1355,10 +1355,13 @@ def upgrade_configuration():
 sub_dict['SUBJECT_BASE'] = subject_base
 
 ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
-ca.backup_config()
 
 with installutils.stopped_service(configured_constants.SERVICE_NAME,
 configured_constants.PKI_INSTANCE_NAME):
+
+# Dogtag must be stopped to be able to backup CS.cfg config
+ca.backup_config()
+
 # migrate CRL publish dir before the location in ipa.conf is updated
 ca_restart = migrate_crl_publish_dir(ca)
 
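Review bot: with `ca.backup_config()` moved inside the `with installutils.stopped_service(...)` block, an exception from the backup now aborts the rest of the block, including `migrate_crl_publish_dir(ca)`, while Dogtag is stopped; if that is the intended behaviour, say so in the comment, otherwise catch and log a backup failure so the remaining upgrade steps still run. The empty `+` lines before the comment and after the call are padding and can be dropped.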
-- 
2.4.3


Re: [Freeipa-devel] INFO: CA ACL test and kerberos usage in functional tests

2015-09-10 Thread Milan Kubík

On 09/10/2015 06:36 PM, Alexander Bokovoy wrote:

On Thu, 10 Sep 2015, Milan Kubík wrote:

Hi list,

before my PTO, I was trying to write a functional test for CA ACLs with
the tracker along all other acceptance/functional tests.

I wasn't successful, the approach doesn't seem to work for CA ACLs as
they have specific requirements for kerberos credentials that none of my
attempts were able to meet. I have tried several approaches and the memo
I got out of this is that currently, there seems to be no way to
conveniently run a test that changes the user identity during the
functional test (xmlrpc tests).

I haven't had much time to write an integration test that should solve
these problems with changing identity.

The approaches I have tried include, in no particular order:

* switch the default ccache to the identity desired, before calls made
  on an API object
  - in case of FILE ccache, moving it back and forth
  - in case of kernel keyring, using kswitch

* instantiating another API instance in the process running the test,
  while the other ccache is active
  - the API object internals seem to prevent this as there is still a
    lot of shared state between the API instances

* running the command supposed to have a different identity as a
  subprocess after switching the identity
  - this attempt seemed to have inherited the opened connection to the
    backend from the parent python process, creating a conflict during
    the client bootstrap

* injecting the KRB5CCNAME environment variable with the second identity
  into the python process
  - the API instance doesn't seem to be affected by this value half of
    the time.
  - randomly, the new credentials are used, breaking all the things.

Unable to change the user during the test, the code I wrote for this
wasn't doing what I intended it to do because the admin user used in the
tests overrides all CA ACLs.

One way to do it is to use keyctl to create subsessions for different
authenticated users and switch between subsessions for the separate
calls.

See keyctl manual page and 'keyctl session ' part.

Thanks, I'll take a look at this next week.


Re: [Freeipa-devel] INFO: CA ACL test and kerberos usage in functional tests

2015-09-10 Thread Alexander Bokovoy

On Thu, 10 Sep 2015, Milan Kubík wrote:

Hi list,

before my PTO, I was trying to write a functional test for CA ACLs with
the tracker along all other acceptance/functional tests.

I wasn't successful, the approach doesn't seem to work for CA ACLs as
they have specific requirements for kerberos credentials that none of my
attempts were able to meet. I have tried several approaches and the memo
I got out of this is that currently, there seems to be no way to
conveniently run a test that changes the user identity during the
functional test (xmlrpc tests).

I haven't had much time to write an integration test that should solve
these problems with changing identity.

The approaches I have tried include, in no particular order:

* switch the default ccache to the identity desired, before calls made
  on an API object
  - in case of FILE ccache, moving it back and forth
  - in case of kernel keyring, using kswitch

* instantiating another API instance in the process running the test,
  while the other ccache is active
  - the API object internals seem to prevent this as there is still a
    lot of shared state between the API instances

* running the command supposed to have a different identity as a
  subprocess after switching the identity
  - this attempt seemed to have inherited the opened connection to the
    backend from the parent python process, creating a conflict during
    the client bootstrap

* injecting the KRB5CCNAME environment variable with the second identity
  into the python process
  - the API instance doesn't seem to be affected by this value half of
    the time.
  - randomly, the new credentials are used, breaking all the things.

Unable to change the user during the test, the code I wrote for this
wasn't doing what I intended it to do because the admin user used in the
tests overrides all CA ACLs.

One way to do it is to use keyctl to create subsessions for different
authenticated users and switch between subsessions for the separate
calls.

See keyctl manual page and 'keyctl session ' part.
--
/ Alexander Bokovoy



[Freeipa-devel] INFO: CA ACL test and kerberos usage in functional tests

2015-09-10 Thread Milan Kubík

Hi list,

before my PTO, I was trying to write a functional test for CA ACLs with
the tracker along all other acceptance/functional tests.

I wasn't successful, the approach doesn't seem to work for CA ACLs as
they have specific requirements for kerberos credentials that none of my
attempts were able to meet. I have tried several approaches and the memo
I got out of this is that currently, there seems to be no way to
conveniently run a test that changes the user identity during the
functional test (xmlrpc tests).

I haven't had much time to write an integration test that should solve
these problems with changing identity.

The approaches I have tried include, in no particular order:

* switch the default ccache to the identity desired, before calls made
  on an API object
  - in case of FILE ccache, moving it back and forth
  - in case of kernel keyring, using kswitch

* instantiating another API instance in the process running the test,
  while the other ccache is active
  - the API object internals seem to prevent this as there is still a
    lot of shared state between the API instances

* running the command supposed to have a different identity as a
  subprocess after switching the identity
  - this attempt seemed to have inherited the opened connection to the
    backend from the parent python process, creating a conflict during
    the client bootstrap

* injecting the KRB5CCNAME environment variable with the second identity
  into the python process
  - the API instance doesn't seem to be affected by this value half of
    the time.
  - randomly, the new credentials are used, breaking all the things.

Unable to change the user during the test, the code I wrote for this
wasn't doing what I intended it to do because the admin user used in the
tests overrides all CA ACLs.

The patches implement the CA ACL tracker and, at the moment, one simple
test. This can (and will) be extended to a full CRUD test that will be run
as a part of the acceptance suite, while the functional test will be
written as an integration test.

I include the code that doesn't work as an example of what will be in
the integration test.

The patch 0013 needs to be applied after the certprofile tracker patch
(0008).


Cheers,
Milan
From 894c3692bf96d3ddf0431cadb86dea8c39b610a8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Milan=20Kub=C3=ADk?= 
Date: Fri, 17 Jul 2015 14:42:23 +0200
Subject: [PATCH 3/5] ipatests: add fuzzy instances for CA ACL DN and RDN

---
 ipatests/test_xmlrpc/xmlrpc_test.py | 8 
 1 file changed, 8 insertions(+)

diff --git a/ipatests/test_xmlrpc/xmlrpc_test.py b/ipatests/test_xmlrpc/xmlrpc_test.py
index 56ddad9b8a0a1164c29f38970e0a97513d1a8d1f..c8be6160bdca0a95622ce5f8e4752e609f73dec5 100644
--- a/ipatests/test_xmlrpc/xmlrpc_test.py
+++ b/ipatests/test_xmlrpc/xmlrpc_test.py
@@ -77,6 +77,14 @@ fuzzy_sudocmddn = Fuzzy(
 '(?i)ipauniqueid=%s,cn=sudocmds,cn=sudo,%s' % (uuid_re, api.env.basedn)
 )
 
+# Matches caacl dn
+fuzzy_caacldn = Fuzzy(
+'(?i)ipauniqueid=%s,cn=caacls,cn=ca,%s' % (uuid_re, api.env.basedn)
+)
+
+# Matches fuzzy ipaUniqueID DN group (RDN)
+fuzzy_ipauniqueid = Fuzzy('(?i)ipauniqueid=%s' % uuid_re)
+
 # Matches a hash signature, not enforcing length
 fuzzy_hash = Fuzzy('^([a-f0-9][a-f0-9]:)+[a-f0-9][a-f0-9]$', type=six.string_types)
 
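Review bot: the comment `# Matches fuzzy ipaUniqueID DN group (RDN)` is hard to parse; say what is matched, e.g. `# Matches an ipaUniqueID RDN (ipauniqueid=<uuid>)`. Both new patterns follow `fuzzy_sudocmddn` above in being unanchored, whereas `fuzzy_hash` below uses `^...$`; if `Fuzzy` does not match against the whole string, `fuzzy_ipauniqueid` will also accept any DN that merely starts with an ipaUniqueID RDN, which is not what an assertion on a bare RDN should accept.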
-- 
2.5.1

From a2eef3966d297c1e90327f994de8ee47b8e30fd2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Milan=20Kub=C3=ADk?= 
Date: Tue, 30 Jun 2015 17:00:18 +0200
Subject: [PATCH 4/5] ipatests: Add initial CAACLTracker implementation

The patch implements the tracker for CA ACL feature.
The basic CRUD checkers have been implemented. The methods
for adding and removing the association of the resources
with the ACL do not have the check methods. These will be provided
as a separate test suite.
---
 ipatests/test_xmlrpc/objectclasses.py |   5 +
 ipatests/test_xmlrpc/test_caacl_plugin.py | 318 ++
 2 files changed, 323 insertions(+)
 create mode 100644 ipatests/test_xmlrpc/test_caacl_plugin.py

diff --git a/ipatests/test_xmlrpc/objectclasses.py b/ipatests/test_xmlrpc/objectclasses.py
index 1cd77c7f885fe408d0d9d48fc6d8284900c91b7f..134a08803f3abca1124c4d26274d9e3fc981b941 100644
--- a/ipatests/test_xmlrpc/objectclasses.py
+++ b/ipatests/test_xmlrpc/objectclasses.py
@@ -217,3 +217,8 @@ certprofile = [
 u'top',
 u'ipacertprofile',
 ]
+
+caacl = [
+u'ipaassociation',
+u'ipacaacl'
+]
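Review bot: `caacl` omits `u'top'` while the `certprofile` list directly above it includes it; confirm that `top` really is absent from a caacl entry as returned by the server, otherwise the tracker's objectClass comparison will fail. Also add a trailing comma after `u'ipacaacl'` to match the style of the surrounding lists.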
diff --git a/ipatests/test_xmlrpc/test_caacl_plugin.py b/ipatests/test_xmlrpc/test_caacl_plugin.py
new file mode 100644
index ..ba3408813d5d47f7f6261f187129fbee645c5ef7
--- /dev/null
+++ b/ipatests/test_xmlrpc/test_caacl_plugin.py
@@ -0,0 +1,318 @@
+#
+# Copyright (C) 2015  FreeIPA Contributors see COPYING for license
+#
+
+"""
+Test the `ipalib.plugins.caacl` module.
+"""
+
+import os
+
+import pytest
+
+from ipapython import ipautil
+from ipalib import errors, x509
+from ipapython.dn import DN

[Freeipa-devel] [PATCH 0313] IPA Restore: allow to specify dirs/files which should be removed before restore

2015-09-10 Thread Martin Basti

https://fedorahosted.org/freeipa/ticket/5293

Patch attached.
From 1436a83909d808e7f81e91dc2d992b8f1e39ed84 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Thu, 10 Sep 2015 16:35:54 +0200
Subject: [PATCH] IPA Restore: allow to specify files that should be removed

Some files/directories should be removed before backup files are copied
to filesystem.

In case of DNSSEC, the /var/lib/ipa/dnssec/tokens directory has to be
removed, otherwise tokens that are backed up and existing tokens will be
mixed and SoftHSM login will not work

https://fedorahosted.org/freeipa/ticket/5293
---
 ipaserver/install/ipa_restore.py | 24 
 1 file changed, 24 insertions(+)

diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py
index e8820b99ede4bb8eaa95bb8f25d946cb369f3048..8e5f4d4beaf353bc61bd286ecfc459b7fdea450f 100644
--- a/ipaserver/install/ipa_restore.py
+++ b/ipaserver/install/ipa_restore.py
@@ -50,6 +50,15 @@ except ImportError:
 adtrustinstance = None
 
 
+# directories and files listed here will be removed from filesystem before
+# files from backup are copied
+DIRS_TO_BE_REMOVED = [
+paths.DNSSEC_TOKENS_DIR,
+]
+
+FILES_TO_BE_REMOVED = []
+
+
 def recursive_chown(path, uid, gid):
 '''
 Change ownership of all files and directories in a path.
@@ -365,6 +374,7 @@ class Restore(admintool.AdminTool):
 
 # We do either a full file restore or we restore data.
 if restore_type == 'FULL':
+self.remove_old_files()
 if 'CA' in self.backup_services:
 create_ca_user()
 self.cert_restore_prepare()
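Review bot: `self.remove_old_files()` deletes the live DNSSEC token directory before anything from the backup has been written, so a failure later in the FULL path (for example in `create_ca_user()` or `cert_restore_prepare()`) leaves the host with neither the old nor the restored tokens; at minimum log what is being removed so the operator can see from the restore log that this step ran, and consider placing the call as close to the file copy as possible.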
@@ -648,6 +658,20 @@ class Restore(admintool.AdminTool):
 os.chdir(cwd)
 
 
+def remove_old_files(self):
+"""
+Removes all directories, files or temporal files that should be
+removed before backup files are copied, to prevent errors.
+"""
+for d in DIRS_TO_BE_REMOVED:
+shutil.rmtree(d, ignore_errors=True)
+
+for f in FILES_TO_BE_REMOVED:
+try:
+os.remove(f)
+except OSError:
+pass
+
 def file_restore(self, nologs=False):
 '''
 Restore all the files in the tarball.
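Review bot: `shutil.rmtree(d, ignore_errors=True)` and the bare `except OSError: pass` hide every failure, including permission errors, so the mixed-tokens state the commit message describes would still occur silently when the directory cannot be removed. Ignore only a missing path (`errno.ENOENT`) and log or raise for anything else, and write `temporary` rather than `temporal` in the docstring. Also confirm `shutil` is imported in this module, and use a single blank line between methods (there are two before `remove_old_files` and one after) to match the surrounding code.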
-- 
2.4.3


Re: [Freeipa-devel] IPA 3.0 migrated to 4.1 users break winsync agreement when deleted in active directory

2015-09-10 Thread Petr Vobornik

On 09/10/2015 05:00 PM, Rob Crittenden wrote:

Martin Kosek wrote:

Hmm, does this mean we need to update our HowTo on migrating FreeIPA to FreeIPA
via migrate-ds? It is already quite long command, mostly due to the need of
removing Kerberos attributes:

http://www.freeipa.org/page/Howto/Migration#Migrating_from_other_FreeIPA_to_FreeIPA


I think it should. I haven't updated it because I never actually tested
it to see that it worked as expected. It seems to be working for Andreas
though.

rob


It works for me. I have updated the page.





Martin

On 09/09/2015 09:40 PM, Andreas Calminder wrote:

Hi,
I just wanted to post the solution for this, I've reported this to Redhat and a 
bug has been filed (https://bugzilla.redhat.com/1261536). The problem was that 
migrate-ds copied the attribute mepManagedEntry on migration, the suggested 
workaround, running migrate-ds with --user-ignore-attribute=mepManagedEntry 
--user-ignore-objectclass=mepOriginEntry worked like a charm (Thanks Rob!), 
deleting users in active directory doesn't break the winsync agreement and I'm 
able to delete migrated users directly in ipa. As mentioned in the bug 
comments, migrate-ds isn't really for ipa to ipa migration. However, it kind of 
worked...

/andreas

From: freeipa-devel-boun...@redhat.com 
[mailto:freeipa-devel-boun...@redhat.com] On Behalf Of Andreas Calminder
Sent: den 9 september 2015 17:16
To: freeipa-devel@redhat.com
Subject: Re: [Freeipa-devel] IPA 3.0 migrated to 4.1 users break winsync 
agreement when deleted in active directory

Yes, kind of. I wanted a new environment with a proper certificate authority 
setup with only the old users and groups from the IPA 3.0 environment. The old 
environment uses a self-signed CA, I thought it would be easier to just migrate 
my users and groups.
On 9 Sep 2015 4:49 pm, Rob Crittenden  wrote:
Andreas Calminder wrote:

Hi,
thanks for your reply, I'm able to list the user with ldapsearch and I
can't find any conflict entries described in the article. The 4.1
environment is only 1 server connected to active directory. Forgot to
reply to the list before, doh!

I've noticed a difference between users in 3.0 and 4.1 though, migrated
users in the 4.1 do not have an entry in
"cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld" while users in 3.0 have this.
Example:

FreeIPA 4.1 environment:
# ldapsearch -xLLL -D "cn=directory manager" -W
-b"cn=batman,cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld"
Enter LDAP Password:
No such object (32) Matched DN:
cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld

FreeIPA 3.0 environment:
# ldapsearch -xLLL -D "cn=directory manager" -W -b
"cn=batman,cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld"
Enter LDAP Password:
dn: cn=batman,cn=groups,cn=accounts,dc=dev,dc=sub,dc=domain,dc=tld
objectClass: posixgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: top
cn: batman
gidNumber: 1486600065
description: User private group for batman
mepManagedBy: uid=batman,cn=users,cn=accounts,dc=sub,dc=domain,dc=tld
ipaUniqueID: 139f6140-5074-11e5-a09d-005056914c0c


Migrated users don't get user-private groups created.

Is there a reason you migrated from 3.0 to 4.1 rather than just adding a
4.1 master to the existing pool?

rob



/andreas

On 09/09/2015 04:29 PM, Rich Megginson wrote:

On 09/09/2015 03:39 AM, Martin Basti wrote:



On 09/09/2015 10:50 AM, Andreas Calminder wrote:

Forgot to write that deleting users in active directory not migrated
with the migrate-ds command works fine, it's only migrated users
present in the ad that break the winsync agreement on deletion.

On 09/09/2015 10:35 AM, Andreas Calminder wrote:

Hi,
I've asked in #freeipa on freenode but to no avail, figured I'll
ask here as well, since I think I've actually hit a bug or (quite)
possibly I've done something moronic configuration/migration -wise.

I've got an existing FreeIPA 3.0.0 environment running with a fully
functioning winsync agreement and passsync service with the windows
environment's active directory, I'm trying to migrate the 3.0.0
environment's users into a freshly installed 4.1 (rhel7)
environment, after migration I set up a winsync agreement and make
it bi-directional (one-way sync from windows) everything seems to
be working alright until I delete a migrated user from the Active
Directory, after the winsync picks up on the change it'll break and
suggests a re-initialize. After the re-initialization the agreement
seems to be fine, however the deleted user is still present in the
ipa 4.1 environment and cannot be deleted. The webgui and ipa cli
say: ipauser1: user not found. ipa user-find ipauser1 finds the
user and it's visible in the ui.

Anyone had the same problem or anything similar or any pointers on
where to start looking?

Regards,
Andreas





Hello, this might be a replication conflict.

Can you list that user via ldapsearch to check if this is replication
conflict?

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Adm

Re: [Freeipa-devel] IPA 3.0 migrated to 4.1 users break winsync agreement when deleted in active directory

2015-09-10 Thread Rob Crittenden
Martin Kosek wrote:
> Hmm, does this mean we need to update our HowTo on migrating FreeIPA to 
> FreeIPA
> via migrate-ds? It is already quite long command, mostly due to the need of
> removing Kerberos attributes:
> 
> http://www.freeipa.org/page/Howto/Migration#Migrating_from_other_FreeIPA_to_FreeIPA

I think it should. I haven't updated it because I never actually tested
it to see that it worked as expected. It seems to be working for Andreas
though.

rob

> 
> Martin
> 
> On 09/09/2015 09:40 PM, Andreas Calminder wrote:
>> Hi,
>> I just wanted to post the solution for this, I've reported this to Redhat 
>> and a bug has been filed (https://bugzilla.redhat.com/1261536). The problem 
>> was that migrate-ds copied the attribute mepManagedEntry on migration, the 
>> suggested workaround, running migrate-ds with 
>> --user-ignore-attribute=mepManagedEntry 
>> --user-ignore-objectclass=mepOriginEntry worked like a charm (Thanks Rob!), 
>> deleting users in active directory doesn't break the winsync agreement and 
>> I'm able to delete migrated users directly in ipa. As mentioned in the bug 
>> comments, migrate-ds isn't really for ipa to ipa migration. However, it kind 
>> of worked...
>>
>> /andreas
>>
>> From: freeipa-devel-boun...@redhat.com 
>> [mailto:freeipa-devel-boun...@redhat.com] On Behalf Of Andreas Calminder
>> Sent: den 9 september 2015 17:16
>> To: freeipa-devel@redhat.com
>> Subject: Re: [Freeipa-devel] IPA 3.0 migrated to 4.1 users break winsync 
>> agreement when deleted in active directory
>>
>> Yes, kind of. I wanted a new environment with a proper certificate authority 
>> setup with only the old users and groups from the IPA 3.0 environment. The 
>> old environment uses a self-signed CA, I thought it would be easier to just 
>> migrate my users and groups.
>> On 9 Sep 2015 4:49 pm, Rob Crittenden  wrote:
>> Andreas Calminder wrote:
>>> Hi,
>>> thanks for your reply, I'm able to list the user with ldapsearch and I
>>> can't find any conflict entries described in the article. The 4.1
>>> environment is only 1 server connected to active directory. Forgot to
>>> reply to the list before, doh!
>>>
>>> I've noticed a difference between users in 3.0 and 4.1 though, migrated
>>> users in the 4.1 do not have an entry in
>>> "cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld" while users in 3.0 have this.
>>> Example:
>>>
>>> FreeIPA 4.1 environment:
>>> # ldapsearch -xLLL -D "cn=directory manager" -W
>>> -b"cn=batman,cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld"
>>> Enter LDAP Password:
>>> No such object (32) Matched DN:
>>> cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld
>>>
>>> FreeIPA 3.0 environment:
>>> # ldapsearch -xLLL -D "cn=directory manager" -W -b
>>> "cn=batman,cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld"
>>> Enter LDAP Password:
>>> dn: cn=batman,cn=groups,cn=accounts,dc=dev,dc=sub,dc=domain,dc=tld
>>> objectClass: posixgroup
>>> objectClass: ipaobject
>>> objectClass: mepManagedEntry
>>> objectClass: top
>>> cn: batman
>>> gidNumber: 1486600065
>>> description: User private group for batman
>>> mepManagedBy: uid=batman,cn=users,cn=accounts,dc=sub,dc=domain,dc=tld
>>> ipaUniqueID: 139f6140-5074-11e5-a09d-005056914c0c
>>
>> Migrated users don't get user-private groups created.
>>
>> Is there a reason you migrated from 3.0 to 4.1 rather than just adding a
>> 4.1 master to the existing pool?
>>
>> rob
>>
>>>
>>> /andreas
>>>
>>> On 09/09/2015 04:29 PM, Rich Megginson wrote:
 On 09/09/2015 03:39 AM, Martin Basti wrote:
>
>
> On 09/09/2015 10:50 AM, Andreas Calminder wrote:
>> Forgot to write that deleting users in active directory not migrated
>> with the migrate-ds command works fine, it's only migrated users
>> present in the ad that break the winsync agreement on deletion.
>>
>> On 09/09/2015 10:35 AM, Andreas Calminder wrote:
>>> Hi,
>>> I've asked in #freeipa on freenode but to no avail, figured I'll
>>> ask here as well, since I think I've actually hit a bug or (quite)
>>> possibly I've done something moronic configuration/migration -wise.
>>>
>>> I've got an existing FreeIPA 3.0.0 environment running with a fully
>>> functioning winsync agreement and passsync service with the windows
>>> environments active directory, I'm trying to migrate the 3.0.0
>>> environments users into a freshly installed 4.1 (rhel7)
>>> environment, after migration I setup a winsync agreement and make
>>> it bi-directional  (one-way sync from windows) everything seems to
>>> be working alright until I delete a migrated user from the Active
>>> Directory, after the winsync picks up on the change it'll break and
>>> suggests a re-initialize. After the re-initialization the agreement
>>> seems to be fine, however the deleted user is still present in the
>>> ipa 4.1 environment and cannot be deleted. The webgui and ipa cli
>>> says: ipauser1: user not found. ipa user-find ipauser1 finds the
>>> user a

Re: [Freeipa-devel] IPA 3.0 migrated to 4.1 users break winsync agreement when deleted in active directory

2015-09-10 Thread Martin Kosek
Hmm, does this mean we need to update our HowTo on migrating FreeIPA to FreeIPA
via migrate-ds? It is already quite long command, mostly due to the need of
removing Kerberos attributes:

http://www.freeipa.org/page/Howto/Migration#Migrating_from_other_FreeIPA_to_FreeIPA

Martin

On 09/09/2015 09:40 PM, Andreas Calminder wrote:
> Hi,
> I just wanted to post the solution for this, I've reported this to Redhat and 
> a bug has been filed (https://bugzilla.redhat.com/1261536). The problem was 
> that migrate-ds copied the attribute mepManagedEntry on migration, the 
> suggested workaround, running migrate-ds with 
> --user-ignore-attribute=mepManagedEntry 
> --user-ignore-objectclass=mepOriginEntry worked like a charm (Thanks Rob!), 
> deleting users in active directory doesn't break the winsync agreement and 
> I'm able to delete migrated users directly in ipa. As mentioned in the bug 
> comments, migrate-ds isn't really for ipa to ipa migration. However, it kind 
> of worked...
> 
> /andreas
> 
> From: freeipa-devel-boun...@redhat.com 
> [mailto:freeipa-devel-boun...@redhat.com] On Behalf Of Andreas Calminder
> Sent: den 9 september 2015 17:16
> To: freeipa-devel@redhat.com
> Subject: Re: [Freeipa-devel] IPA 3.0 migrated to 4.1 users break winsync 
> agreement when deleted in active directory
> 
> Yes, kind of. I wanted a new environment with a proper certificate authority 
> setup with only the old users and groups from the IPA 3.0 environment. The 
> old environment use a self signed ca, I thought it would be easier to just 
> migrate my users and groups.
> On 9 Sep 2015 4:49 pm, Rob Crittenden wrote:
> Andreas Calminder wrote:
>> Hi,
>> thanks for your reply, I'm able to list the user with ldapsearch and I
>> can't find any conflict entries described in the article. The 4.1
>> environment is only 1 server connected to active directory. Forgot to
>> reply to the list before, doh!
>>
>> I've noticed a difference between users in 3.0 and 4.1 though, migrated
>> users in the 4.1 does not have an entry in "
>> cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld" while users in 3.0 have this.
>> Example:
>>
>> FreeIPA 4.1 environment:
>> # ldapsearch -xLLL -D "cn=directory manager" -W
>> -b"cn=batman,cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld"
>> Enter LDAP Password:
>> No such object (32) Matched DN:
>> cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld
>>
>> FreeIPA 3.0 environment:
>> # ldapsearch -xLLL -D "cn=directory manager" -W -b
>> "cn=batman,cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld"
>> Enter LDAP Password:
>> dn: cn=batman,cn=groups,cn=accounts,dc=dev,dc=sub,dc=domain,dc=tld
>> objectClass: posixgroup
>> objectClass: ipaobject
>> objectClass: mepManagedEntry
>> objectClass: top
>> cn: batman
>> gidNumber: 1486600065
>> description: User private group for batman
>> mepManagedBy: uid=batman,cn=users,cn=accounts,dc=sub,dc=domain,dc=tld
>> ipaUniqueID: 139f6140-5074-11e5-a09d-005056914c0c
> 
> Migrated users don't get user-private groups created.
> 
> Is there a reason you migrated from 3.0 to 4.1 rather than just adding a
> 4.1 master to the existing pool?
> 
> rob
> 
>>
>> /andreas
>>
>> On 09/09/2015 04:29 PM, Rich Megginson wrote:
>>> On 09/09/2015 03:39 AM, Martin Basti wrote:


 On 09/09/2015 10:50 AM, Andreas Calminder wrote:
> Forgot to write that deleting users in active directory not migrated
> with the migrate-ds command works fine, it's only migrated users
> present in the ad that breaks the winsync agreement on deletion.
>
> On 09/09/2015 10:35 AM, Andreas Calminder wrote:
>> Hi,
>> I've asked in #freeipa on freenode but to no avail, figured I'll
>> ask here as well, since I think I've actually hit a bug or (quite)
>> possibly I've done something moronic configuration/migration -wise.
>>
>> I've got an existing FreeIPA 3.0.0 environment running with a fully
>> functioning winsync agreement and passsync service with the windows
>> environments active directory, I'm trying to migrate the 3.0.0
>> environments users into a freshly installed 4.1 (rhel7)
>> environment, after migration I setup a winsync agreement and make
>> it bi-directional  (one-way sync from windows) everything seems to
>> be working alright until I delete a migrated user from the Active
>> Directory, after the winsync picks up on the change it'll break and
>> suggests a re-initialize. After the re-initialization the agreement
>> seems to be fine, however the deleted user is still present in the
>> ipa 4.1 environment and cannot be deleted. The webgui and ipa cli
>> says: ipauser1: user not found. ipa user-find ipauser1 finds the
>> user and it's visible in the ui.
>>
>> Anyone had the same problem or anything similar or any pointers on
>> where to start looking?
>>
>> Regards,
>> Andreas
>>
>

 Hello, this might be a replication conflict.

 Can you list that user via ldapsearch

Re: [Freeipa-devel] [PATH 0053] Inconsistency between ipasearchrecordslimit and --sizelimit

2015-09-10 Thread Jan Cholasta
I'm not sure about that, I think it should still say 0, because that's 
what we want to use as the unlimited value. If you insist on including 
-1 in the docs, maybe we can say "<= 0 is unlimited"?


On 10.9.2015 16:08, Gabe Alford wrote:

Makes sense. I also changed the doc string to reflect -1 as well.
Updated patch attached.

Thanks,

Gabe

On Thu, Sep 10, 2015 at 1:41 AM, Jan Cholasta wrote:

On 4.9.2015 14:43, Gabe Alford wrote:

Bump for review.

On Wed, Aug 12, 2015 at 9:32 AM, Gabe Alford wrote:

 On Tue, Aug 11, 2015 at 1:34 AM, Jan Cholasta wrote:

 On 6.8.2015 21:43, Gabe Alford wrote:

 Hello,

 Updated patch attached.

 - Time limit is -1 for unlimited. I found this
https://www.redhat.com/archives/freeipa-devel/2011-January/msg00330.html
 in reference to keeping the time limit as -1 for
unlimited.


 This patch does two conflicting things: it coerces time
limit of
 0 to -1 and at the same time prohibits the user to use
0 for
 time limit. We should do just one of these and IMHO it
should be
 the coercion of 0 to -1.

 Sure enough, testing time limit at 0 did not work for
 unlimited as well
 as appeared to have negative effects on IPA.


 This is because the time limit read from ipa config is not
 converted to int in ldap2.find_entries(), so the
coercion does
 not work. Fix this and 0 will work just fine.

 Also, I believe that

http://www.python-ldap.org/doc/html/ldap.html#ldap.LDAPObject.search_ext_s
 specifies unlimited for time limit as -1. (Please
correct me
 if I am wrong.)


 python-ldap is layers below our API and should not
determine
 what we use for unlimited time limit. I would prefer if
we were
 self-consistent and use 0 for both time limit and size
limit.


 A misunderstanding on my part as I thought it was higher up
in the
 API for some reason. Updated patch attached.


Thanks, this is better, but it turns out I was wrong about coercing
-1 to 0 in config-mod: in a topology with different versions of IPA
servers, setting the limits in LDAP to 0 on a newer server with your
patch will break older servers without your patch:

 [user@old]$ ipa user-find
 --
 1 user matched
 --
   User login: admin
   Last name: Administrator
   Home directory: /home/admin
   Login shell: /bin/bash
   UID: 136480
   GID: 136480
   Account disabled: False
   Password: True
   Kerberos keys available: True
 
 Number of entries returned 1
 

 [user@new]$ ipa config-mod --searchtimelimit=0
--searchrecordslimit=0
 ...

 [user@old]$ ipa user-find
 ---
 0 users matched
 ---
 
 Number of entries returned 0
 

To fix this, we actually need to do the opposite and store -1 in
LDAP when 0 is specified in config-mod options.

Honza

--
Jan Cholasta





--
Jan Cholasta

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATH 0053] Inconsistency between ipasearchrecordslimit and --sizelimit

2015-09-10 Thread Gabe Alford
Makes sense. I also changed the doc string to reflect -1 as well. Updated
patch attached.

Thanks,

Gabe

On Thu, Sep 10, 2015 at 1:41 AM, Jan Cholasta wrote:

> On 4.9.2015 14:43, Gabe Alford wrote:
>
>> Bump for review.
>>
>> On Wed, Aug 12, 2015 at 9:32 AM, Gabe Alford wrote:
>>
>> On Tue, Aug 11, 2015 at 1:34 AM, Jan Cholasta wrote:
>>
>> On 6.8.2015 21:43, Gabe Alford wrote:
>>
>> Hello,
>>
>> Updated patch attached.
>>
>> - Time limit is -1 for unlimited. I found this
>>
>> https://www.redhat.com/archives/freeipa-devel/2011-January/msg00330.html
>> in reference to keeping the time limit as -1 for unlimited.
>>
>>
>> This patch does two conflicting things: it coerces time limit of
>> 0 to -1 and at the same time prohibits the user to use 0 for
>> time limit. We should do just one of these and IMHO it should be
>> the coercion of 0 to -1.
>>
>> Sure enough, testing time limit at 0 did not work for
>> unlimited as well
>> as appeared to have negative effects on IPA.
>>
>>
>> This is because the time limit read from ipa config is not
>> converted to int in ldap2.find_entries(), so the coercion does
>> not work. Fix this and 0 will work just fine.
>>
>> Also, I believe that
>>
>> http://www.python-ldap.org/doc/html/ldap.html#ldap.LDAPObject.search_ext_s
>> specifies unlimited for time limit as -1. (Please correct me
>> if I am wrong.)
>>
>>
>> python-ldap is layers below our API and should not determine
>> what we use for unlimited time limit. I would prefer if we were
>> self-consistent and use 0 for both time limit and size limit.
>>
>>
>> A misunderstanding on my part as I thought it was higher up in the
>> API for some reason. Updated patch attached.
>>
>
> Thanks, this is better, but it turns out I was wrong about coercing -1 to
> 0 in config-mod: in a topology with different versions of IPA servers,
> setting the limits in LDAP to 0 on a newer server with your patch will
> break older servers without your patch:
>
> [user@old]$ ipa user-find
> --
> 1 user matched
> --
>   User login: admin
>   Last name: Administrator
>   Home directory: /home/admin
>   Login shell: /bin/bash
>   UID: 136480
>   GID: 136480
>   Account disabled: False
>   Password: True
>   Kerberos keys available: True
> 
> Number of entries returned 1
> 
>
> [user@new]$ ipa config-mod --searchtimelimit=0 --searchrecordslimit=0
> ...
>
> [user@old]$ ipa user-find
> ---
> 0 users matched
> ---
> 
> Number of entries returned 0
> 
>
> To fix this, we actually need to do the opposite and store -1 in LDAP when
> 0 is specified in config-mod options.
>
> Honza
>
> --
> Jan Cholasta
>
From 715dfae42bbe9e1ca93dee902b100672d6dafc39 Mon Sep 17 00:00:00 2001
From: Gabe 
Date: Thu, 10 Sep 2015 07:51:58 -0600
Subject: [PATCH] Standardize minvalue for ipasearchrecordlimit and
 ipasesarchsizelimit for unlimited minvalue

https://fedorahosted.org/freeipa/ticket/4023
---
 install/ui/test/data/ipa_init_commands.json |  4 ++--
 install/ui/test/data/ipa_init_objects.json  |  4 ++--
 install/ui/test/data/json_metadata.json |  2 +-
 ipalib/plugins/baseldap.py  |  4 ++--
 ipalib/plugins/config.py| 19 ---
 ipaserver/plugins/ldap2.py  |  4 ++--
 6 files changed, 21 insertions(+), 16 deletions(-)

diff --git a/install/ui/test/data/ipa_init_commands.json b/install/ui/test/data/ipa_init_commands.json
index 743f508e2a733b766008bdd21838454ef7df8c21..13e3cfe87549b0b58cb86db1e34a8f6e2cfbb7e8 100644
--- a/install/ui/test/data/ipa_init_commands.json
+++ b/install/ui/test/data/ipa_init_commands.json
@@ -2446,7 +2446,7 @@
 "attribute": true,
 "class": "Int",
 "deprecated_cli_aliases": [],
-"doc": "Maximum amount of time (seconds) for a search (> 0, or -1 for unlimited)",
+"doc": "Maximum amount of time (seconds) for a search (-1 is unlimited)",
 "flags": [
 "nonempty"
 ],
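Review bot: the new doc string "(-1 is unlimited)" drops 0 from the description even though the thread settles on 0 as the value users pass for unlimited (with -1 only stored in LDAP for the sake of older servers), so the text and the intended behaviour now disagree; Jan's suggested wording `<= 0 is unlimited` in the reply above covers both. This file is the UI test fixture, so whatever string ends up in ipalib/plugins/config.py (also in the diffstat) has to match it exactly or the fixture comparison fails.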
@@ -24018,4 +24018,4 @@
 "methods": {},
 "objects": {}
 }
-}
\ No newline at end of file
+}
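Review bot: this second hunk only adds the trailing newline at end of file; harmless, but it is unrelated to ticket 4023 and is better kept out of the functional change so the diff stays easy to review.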
diff --git a/install/ui/test/data/ipa_init_objects.json b/install/ui/test/data/ipa_init_objects.json
index c8c836926d94dd4c1903aa9a62fa91c11a238e75..e6b00f0335295d9c1ecfecf90bf470c63511 100644
--- a/install/ui/test/data/ipa_init_objects.json
+++ b/install/ui/test/data/ipa_i

Re: [Freeipa-devel] [PATCH 0024] Handle timeout error in ipa-httpd-kdcproxy

2015-09-10 Thread Christian Heimes
On 2015-09-10 14:58, Rob Crittenden wrote:
> Christian Heimes wrote:
>> The ipa-httpd-kdcproxy script now handles LDAP timeout errors correctly.
>> A timeout no longer results in an Apache startup error.
>>
>> https://fedorahosted.org/freeipa/ticket/5292
>>
>>
>>
>>
> 
> 
> Since this is related to IPA not being configured yet would it make
> sense to call ipaserver.install.installutils.is_ipa_configured() and
> exit early and gracefully, doing no work, if it isn't? IMHO it should
> happen before the api is initialized.

That sounds like a very good idea! I didn't know about that API function.

Christian





Re: [Freeipa-devel] [PATCH 0024] Handle timeout error in ipa-httpd-kdcproxy

2015-09-10 Thread Rob Crittenden
Christian Heimes wrote:
> The ipa-httpd-kdcproxy script now handles LDAP timeout errors correctly.
> A timeout no longer results in an Apache startup error.
> 
> https://fedorahosted.org/freeipa/ticket/5292
> 
> 
> 
> 


Since this is related to IPA not being configured yet would it make
sense to call ipaserver.install.installutils.is_ipa_configured() and
exit early and gracefully, doing no work, if it isn't? IMHO it should
happen before the api is initialized.

rob

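Rob's suggestion and Christian's patch combined, as an added example that is neither the real ipa-httpd-kdcproxy nor FreeIPA code: the configured check runs before anything touches the api or the directory, a timeout or network error is downgraded to a warning so httpd still starts, and only an authorization failure fails the unit. The names `is_configured`, `lookup_enabled`, `CheckError`, `FatalError`, the exit-0-on-CheckError policy, and the use of `ConnectionError`/`PermissionError` in place of `errors.NetworkError`/`errors.AuthorizationError` are assumptions; paths live in a temporary directory so the example runs unprivileged.

```python
"""ExecStartPre-style hook shaped like ipa-httpd-kdcproxy (added example,
not the FreeIPA script). Assumed stand-ins: is_configured() for
installutils.is_ipa_configured(), lookup_enabled() for the LDAP read of the
kdc proxy flag, ConnectionError/PermissionError for errors.NetworkError/
errors.AuthorizationError, and CheckError meaning "warn and exit 0"."""
import os
import socket
import tempfile


class CheckError(Exception):
    """Soft failure: log it and still let httpd start (assumed policy)."""


class FatalError(Exception):
    """Hard failure: the unit should not start."""


def decide(is_configured, lookup_enabled, log):
    """Return 'enable', 'disable' or 'skip'.

    The configured check runs first, before anything that needs the api or
    a directory connection, so an unconfigured host does no work at all.
    """
    if not is_configured():
        log.append("IPA is not configured, nothing to do")
        return "skip"
    try:
        enabled = lookup_enabled()
    except (socket.timeout, ConnectionError) as e:
        # The case the patch adds: a slow or stopped dirsrv is not fatal.
        raise CheckError("Unable to connect to dirsrv: %s" % e)
    except PermissionError as e:
        raise FatalError("not authorized to read kdc proxy config: %s" % e)
    return "enable" if enabled else "disable"


def sync_symlink(action, src, dst):
    """Make the dst -> src link exist or not, idempotently; 'skip' leaves
    whatever is there. Returns whether the link exists afterwards."""
    if action == "enable":
        if not (os.path.islink(dst) and os.readlink(dst) == src):
            if os.path.lexists(dst):
                os.unlink(dst)
            os.symlink(src, dst)
    elif action == "disable" and os.path.lexists(dst):
        os.unlink(dst)
    return os.path.islink(dst)


def run_hook(is_configured, lookup_enabled, src, dst, log):
    """Exit status for the systemd unit: 0 unless a FatalError occurred."""
    try:
        action = decide(is_configured, lookup_enabled, log)
    except CheckError as e:
        log.append("WARNING: %s" % e)
        return 0
    except FatalError as e:
        log.append("ERROR: %s" % e)
        return 1
    sync_symlink(action, src, dst)
    return 0


def run_scenarios():
    """Drive the hook through the cases discussed in the thread, each in a
    fresh temp directory. Returns {name: (exit, link_exists, lookups)}."""
    lookups = []

    def ok():
        lookups.append(1)
        return True

    def timed_out():
        lookups.append(1)
        raise socket.timeout("timed out")

    def denied():
        lookups.append(1)
        raise PermissionError("Insufficient access")

    cases = {
        "not_configured": (lambda: False, ok),
        "enabled": (lambda: True, ok),
        "timeout": (lambda: True, timed_out),
        "unauthorized": (lambda: True, denied),
    }
    results = {}
    for name, (configured, lookup) in cases.items():
        tmp = tempfile.mkdtemp()
        src = os.path.join(tmp, "ipa-kdc-proxy.conf")
        dst = os.path.join(tmp, "conf.d", "ipa-kdc-proxy.conf")
        os.mkdir(os.path.dirname(dst))
        open(src, "w").close()
        del lookups[:]
        status = run_hook(configured, lookup, src, dst, [])
        results[name] = (status, os.path.islink(dst), len(lookups))
    return results


if __name__ == "__main__":
    for name, (status, link, n) in sorted(run_scenarios().items()):
        print("%-15s exit=%d link=%s lookups=%d" % (name, status, link, n))
```

The ordering in `decide` is the point: the cheap local check happens before any network I/O, so a host that is not an IPA server never waits on a bind timeout, and the only condition that blocks httpd is one where the hook did reach the directory and was refused.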


Re: [Freeipa-devel] cert profiles - test plan + patches

2015-09-10 Thread Milan Kubík

On 09/04/2015 03:57 PM, Martin Babinsky wrote:
> On 09/04/2015 11:06 AM, Lenka Doudova wrote:
>> Hi,
>>
>> there's no traceback in the file you mentioned, but I'm running it
>> through lite-server, so here's the traceback from there:
>> http://pastebin.test.redhat.com/310598
>>
>> I can't really get to the problem. What I forgot to mention in the
>> previous email was that the tests fail when attempting to add a
>> certprofile, but if I try to do it manually using the 'ipa
>> certprofile-import' command with the exact same data as used in the
>> test, it works fine.
>>
>> Lenka
>
> Do you get the traceback also when you run the tests using
> 'ipa-run-tests' with an installed IPA master?

Hello,

I don't think it is possible to run these tests against the lite server. 
Please do it on regular installation.


Anyway, sorry for the long delay. I am sending the updated patches.
I updated them to reflect the fix for the rename option and extended them
with a test that imports a profile from an XML file. The test case may need
to be updated, based on the resolution of [1].
At the moment this raises a remote retrieve error (400 from dogtag); I
think there should be a clearer message (detecting XML).


[1]: https://fedorahosted.org/freeipa/ticket/5294


Cheers,
Milan
From 9525be865f96b6dff2b6d4e229b88a04bf6f9ff0 Mon Sep 17 00:00:00 2001
From: Milan Kubík
Date: Wed, 10 Jun 2015 14:48:33 +0200
Subject: [PATCH 1/5] ipatests: Add Certprofile tracker class implementation

https://fedorahosted.org/freeipa/ticket/57
---
 ipatests/test_xmlrpc/objectclasses.py   |   5 +
 ipatests/test_xmlrpc/test_certprofile_plugin.py | 140 
 2 files changed, 145 insertions(+)
 create mode 100644 ipatests/test_xmlrpc/test_certprofile_plugin.py

diff --git a/ipatests/test_xmlrpc/objectclasses.py b/ipatests/test_xmlrpc/objectclasses.py
index a5c1b4c501cd28049b29cfc5e55ae745d91dc5bf..1cd77c7f885fe408d0d9d48fc6d8284900c91b7f 100644
--- a/ipatests/test_xmlrpc/objectclasses.py
+++ b/ipatests/test_xmlrpc/objectclasses.py
@@ -212,3 +212,8 @@ servicedelegationtarget = [
 u'top',
 u'groupofprincipals',
 ]
+
+certprofile = [
+u'top',
+u'ipacertprofile',
+]
diff --git a/ipatests/test_xmlrpc/test_certprofile_plugin.py b/ipatests/test_xmlrpc/test_certprofile_plugin.py
new file mode 100644
index ..8fd81bc3f0cc7896adb9fdb6904ace1e7ebc52b3
--- /dev/null
+++ b/ipatests/test_xmlrpc/test_certprofile_plugin.py
@@ -0,0 +1,140 @@
+# -*- coding: utf-8 -*-
+#
+# Copyright (C) 2015  FreeIPA Contributors see COPYING for license
+#
+
+"""
+Test the `ipalib.plugins.certprofile` module.
+"""
+
+import os
+
+import pytest
+
+from ipalib import errors
+from ipapython.dn import DN
+from ipatests.test_xmlrpc.ldaptracker import Tracker
+from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test, raises_exact
+from ipatests.test_xmlrpc import objectclasses
+from ipatests.util import assert_deepequal
+
+
+class CertprofileTracker(Tracker):
+"""Tracker class for certprofile plugin.
+"""
+
+retrieve_keys = {
+'dn', 'cn', 'description', 'ipacertprofilestoreissued'
+}
+retrieve_all_keys = retrieve_keys | {'objectclass'}
+create_keys = retrieve_keys | {'objectclass'}
+update_keys = retrieve_keys - {'dn'}
+managedby_keys = retrieve_keys
+allowedto_keys = retrieve_keys
+
+def __init__(self, name, store=False, desc='dummy description',
+ profile=None, default_version=None):
+super(CertprofileTracker, self).__init__(
+default_version=default_version
+)
+
+self.store = store
+self.description = desc
+self._profile_path = profile
+
+self.dn = DN(('cn', name), 'cn=certprofiles', 'cn=ca',
+ self.api.env.basedn)
+
+@property
+def profile(self):
+if not self._profile_path:
+return None
+
+if os.path.isabs(self._profile_path):
+path = self._profile_path
+else:
+path = os.path.join(os.path.dirname(__file__),
+self._profile_path)
+
+with open(path, 'r') as f:
+content = f.read()
+return unicode(content)
+
+def make_create_command(self, force=True):
+if not self.profile:
+raise RuntimeError('Tracker object without path to profile '
+   'cannot be used to create profile entry.')
+
+return self.make_command('certprofile_import', self.name,
+ description=self.description,
+ ipacertprofilestoreissued=self.store,
+ file=self.profile)
+
+def check_create(self, result):
+assert_deepequal(dict(
+value=self.name,
+summary=u'Imported profile "{}"'.format(self.name),
+result=dict(self.filter_attrs(self.create_keys))
+), result)
+
+def track_create(self):
+   
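Review bot: `make_create_command` reads the profile file twice, once in `if not self.profile:` and again for `file=self.profile`, because `profile` is a property that opens the file on every access; read it once in `__init__` (or cache the text) so the check and the command see the same content. The `force=True` parameter is accepted but never used, so either pass it on or drop it. `unicode(content)` also pins the tracker to Python 2; `io.open(path, encoding='utf-8')` returns text on both.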

Re: [Freeipa-devel] [PATCH 0024] Handle timeout error in ipa-httpd-kdcproxy

2015-09-10 Thread Martin Basti



On 09/10/2015 01:29 PM, Martin Basti wrote:
> ACK
>
> On 09/10/2015 11:58 AM, Christian Heimes wrote:
>> The ipa-httpd-kdcproxy script now handles LDAP timeout errors correctly.
>> A timeout no longer results in an Apache startup error.
>>
>> https://fedorahosted.org/freeipa/ticket/5292

Pushed to:
master: a3d077443fc7f15c005f86aeed40443d0a0843a1
ipa-4-2: 1464437ca2a1bb18fd6468e673ae7589e4d4216f


Re: [Freeipa-devel] [PATCH 0024] Handle timeout error in ipa-httpd-kdcproxy

2015-09-10 Thread Martin Basti

ACK

On 09/10/2015 11:58 AM, Christian Heimes wrote:
> The ipa-httpd-kdcproxy script now handles LDAP timeout errors correctly.
> A timeout no longer results in an Apache startup error.
>
> https://fedorahosted.org/freeipa/ticket/5292







[Freeipa-devel] [PATCH 0024] Handle timeout error in ipa-httpd-kdcproxy

2015-09-10 Thread Christian Heimes
The ipa-httpd-kdcproxy script now handles LDAP timeout errors correctly.
A timeout no longer results in an Apache startup error.

https://fedorahosted.org/freeipa/ticket/5292


From 7ae756234534f0c6e750b5820733c6c5cb0682c6 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Thu, 10 Sep 2015 11:54:32 +0200
Subject: [PATCH] Handle timeout error in ipa-httpd-kdcproxy

The ipa-httpd-kdcproxy script now handles LDAP timeout errors correctly.
A timeout no longer results in an Apache startup error.

https://fedorahosted.org/freeipa/ticket/5292
---
 install/tools/ipa-httpd-kdcproxy | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/install/tools/ipa-httpd-kdcproxy b/install/tools/ipa-httpd-kdcproxy
index 60b22f2cc321d416871c74f3b4d580594c186a85..5e9863f8bd82e1628030b0b767a6697ab2a1d7bd 100755
--- a/install/tools/ipa-httpd-kdcproxy
+++ b/install/tools/ipa-httpd-kdcproxy
@@ -24,6 +24,7 @@ This script creates or removes the symlink from /etc/ipa/ipa-kdc-proxy.conf
 to /etc/httpd/conf.d/. It's called from ExecStartPre hook in httpd.service.
 """
 import os
+import socket
 import sys
 
 from ipalib import api, errors
@@ -81,7 +82,7 @@ class KDCProxyConfig(object):
 # EXTERNAL bind as root user
 self.con.ldapi = True
 self.con.do_bind(timeout=self.time_limit)
-except errors.NetworkError as e:
+except (errors.NetworkError, socket.timeout) as e:
 msg = 'Unable to connect to dirsrv: %s' % e
 raise CheckError(msg)
 except errors.AuthorizationError as e:
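Review bot: catching `socket.timeout` next to `errors.NetworkError` is the right shape for an ExecStartPre hook, but the resulting message "Unable to connect to dirsrv: timed out" does not say which limit was hit; include `self.time_limit` in it so an admin can tell a stopped directory from a limit that is simply too short. As Rob points out in the thread, the case that reaches this code is a host where IPA is not configured at all, so an `is_ipa_configured()` check before `api` is initialised would avoid the bind attempt entirely instead of waiting for it to time out.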
-- 
2.4.3




Re: [Freeipa-devel] [PATCH 0312] CI: extend backup restore tests with DNS/DNSSEC

2015-09-10 Thread Martin Basti

Self NACK

On 09/10/2015 10:21 AM, Martin Basti wrote:
> Patch attached.





[Freeipa-devel] [PATCH 0312] CI: extend backup restore tests with DNS/DNSSEC

2015-09-10 Thread Martin Basti

Patch attached.
From 43df42f7659e25c38ad83ebf11777d4c103ceeec Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 8 Sep 2015 13:08:31 +0200
Subject: [PATCH] backup CI: test DNS/DNSSEC after backup and restore

---
 ipatests/test_integration/tasks.py | 23 ++
 .../test_integration/test_backup_and_restore.py| 81 ++
 2 files changed, 104 insertions(+)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index 820507022e6b5e8cc7a57c66c7f9e8e8b1500c7e..06049d4ae01332e0af4d8775b745342406fc868d 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -26,6 +26,7 @@ import collections
 import itertools
 import time
 import StringIO
+import dns
 
 from ldif import LDIFWriter
 
@@ -801,3 +802,25 @@ def add_a_record(master, host):
 master.domain.name,
 host.hostname,
 '--a-rec', host.ip])
+
+
+def resolve_record(nameserver, query, rtype="SOA", retry=True, timeout=100):
+"""Resolve DNS record
+:retry: if resolution failed try again until timeout is reached
+:timeout: max period of time while method will try to resolve query
+ (requires retry=True)
+"""
+res = dns.resolver.Resolver()
+res.nameservers = [nameserver]
+res.lifetime = 10  # wait max 10 seconds for reply
+
+wait_until = time.time() + timeout
+
+while time.time() < wait_until:
+try:
+ans = res.query(query, rtype)
+return ans
+except dns.exception.DNSException:
+if not retry:
+raise
+time.sleep(1)
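Review bot: when `retry` is True and the deadline passes, `resolve_record` drops out of the `while` loop and returns None instead of raising, so a caller such as `tasks.resolve_record(self.master.ip, self.example_test_zone)` in the tests below cannot fail on a zone that never comes back after restore; re-raise the last `DNSException` (or raise an explicit timeout error) after the loop. With `res.lifetime = 10` plus `time.sleep(1)` the loop can also overshoot `timeout` by up to 11 seconds, which is fine for a test helper but worth stating in the docstring.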
diff --git a/ipatests/test_integration/test_backup_and_restore.py b/ipatests/test_integration/test_backup_and_restore.py
index 0ce1aaf29f76fec207b6ac64fab81190dae12e7f..7aa42ab4c044b75aed9fda5a920b0f508dc79847 100644
--- a/ipatests/test_integration/test_backup_and_restore.py
+++ b/ipatests/test_integration/test_backup_and_restore.py
@@ -27,6 +27,7 @@ from ipapython.ipa_log_manager import log_mgr
 from ipapython.dn import DN
 from ipatests.test_integration.base import IntegrationTest
 from ipatests.test_integration import tasks
+from ipatests.test_integration.test_dnssec import wait_until_record_is_signed
 from ipatests.util import assert_deepequal
 
 log = log_mgr.get_logger(__name__)
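Review bot: importing `wait_until_record_is_signed` from `ipatests.test_integration.test_dnssec` makes this test module depend on another test module; if the helper is general enough to reuse, it belongs in `tasks.py` next to `resolve_record`.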
@@ -206,3 +207,83 @@ class TestBackupAndRestore(IntegrationTest):
 ])
 assert 'httpd_can_network_connect --> on' in result.stdout_text
 assert 'httpd_manage_ipa --> on' in result.stdout_text
+
+
+class TestBackupAndRestoreWithDNS(IntegrationTest):
+topology = 'star'
+
+example_test_zone = "example.test."
+
+@classmethod
+def install(cls, mh):
+tasks.install_master(cls.master, setup_dns=True)
+
+
+def test_full_backup_and_restore_with_DNS_zone(self):
+"""backup, uninstall, restore"""
+with restore_checker(self.master):
+
+self.master.run_command([
+'ipa', 'dnszone-add',
+self.example_test_zone,
+])
+
+tasks.resolve_record(self.master.ip, self.example_test_zone)
+
+backup_path = backup(self.master)
+
+self.master.run_command(['ipa-server-install',
+ '--uninstall',
+ '-U'])
+
+dirman_password = self.master.config.dirman_password
+self.master.run_command(['ipa-restore', backup_path],
+stdin_text=dirman_password + '\nyes')
+
+tasks.resolve_record(self.master.ip, self.example_test_zone)
+
+
+class TestBackupAndRestoreWithDNSSEC(IntegrationTest):
+topology = 'star'
+
+example_test_zone = "example.test."
+
+@classmethod
+def install(cls, mh):
+tasks.install_master(cls.master, setup_dns=True)
+args = [
+"ipa-dns-install",
+"--dnssec-master",
+"--forwarder", cls.master.config.dns_forwarder,
+"-p", cls.master.config.dirman_password,
+"-U",
+]
+cls.master.run_command(args)
+
+
+def test_full_backup_and_restore_with_DNSSEC_zone(self):
+"""backup, uninstall, restore"""
+with restore_checker(self.master):
+
+self.master.run_command([
+'ipa', 'dnszone-add',
+self.example_test_zone,
+'--dnssec', 'true',
+])
+
+assert wait_until_record_is_signed(self.master.ip,
+self.example_test_zone, self.log), "Zone is not signed"
+
+backup_path = backup(self.master)
+
+self.master.run_command(['ipa-server-install',
+ '--uninstall',
+ '-U'])
+
+dirman_password = self.master.config.dirman_password
+self.master.run_command(['ipa-restore', backup_path],
+
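Review bot: `wait_until_record_is_signed(self.master.ip, self.example_test_zone, self.log)` passes `self.log`, while this module defines a module-level `log` and nothing in the diff shows `IntegrationTest` providing one; confirm the attribute exists or pass `log`. The two `install()` classmethods and the two test bodies differ only in the `ipa-dns-install --dnssec-master` step and the `--dnssec true` flag, so a shared base class (or a `tasks` helper for the DNSSEC master setup) would remove the duplication. Also make sure the DNSSEC test checks that the zone is still signed after `ipa-restore`, not only before `backup()`, since the restored keys are the thing under test.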

Re: [Freeipa-devel] [PATH 0053] Inconsistency between ipasearchrecordslimit and --sizelimit

2015-09-10 Thread Jan Cholasta

On 4.9.2015 14:43, Gabe Alford wrote:

Bump for review.

On Wed, Aug 12, 2015 at 9:32 AM, Gabe Alford wrote:

On Tue, Aug 11, 2015 at 1:34 AM, Jan Cholasta wrote:

On 6.8.2015 21:43, Gabe Alford wrote:

Hello,

Updated patch attached.

- Time limit is -1 for unlimited. I found this

https://www.redhat.com/archives/freeipa-devel/2011-January/msg00330.html
in reference to keeping the time limit as -1 for unlimited.


This patch does two conflicting things: it coerces time limit of
0 to -1 and at the same time prohibits the user to use 0 for
time limit. We should do just one of these and IMHO it should be
the coercion of 0 to -1.

Sure enough, testing time limit at 0 did not work for
unlimited as well
as appeared to have negative effects on IPA.


This is because the time limit read from ipa config is not
converted to int in ldap2.find_entries(), so the coercion does
not work. Fix this and 0 will work just fine.

Also, I believe that

http://www.python-ldap.org/doc/html/ldap.html#ldap.LDAPObject.search_ext_s
specifies unlimited for time limit as -1. (Please correct me
if I am wrong.)


python-ldap is layers below our API and should not determine
what we use for unlimited time limit. I would prefer if we were
self-consistent and use 0 for both time limit and size limit.


A misunderstanding on my part as I thought it was higher up in the
API for some reason. Updated patch attached.


Thanks, this is better, but it turns out I was wrong about coercing -1 
to 0 in config-mod: in a topology with different versions of IPA 
servers, setting the limits in LDAP to 0 on a newer server with your 
patch will break older servers without your patch:


[user@old]$ ipa user-find
--
1 user matched
--
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  UID: 136480
  GID: 136480
  Account disabled: False
  Password: True
  Kerberos keys available: True

Number of entries returned 1


[user@new]$ ipa config-mod --searchtimelimit=0 --searchrecordslimit=0
...

[user@old]$ ipa user-find
---
0 users matched
---

Number of entries returned 0


To fix this, we actually need to do the opposite and store -1 in LDAP 
when 0 is specified in config-mod options.


Honza

--
Jan Cholasta

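What Jan's transcript shows, carried through in code as an added example (not FreeIPA code and not the patch under review): the option is validated once in config-mod, -1 is what gets stored when 0 is given, and the read side turns the stored string into an int before deciding whether a limit applies at all. `legacy_size_limit()` is an assumed model of an unpatched server derived from the "0 users matched" output above, not of 389-ds or python-ldap behaviour; `config_mod()` and the in-memory `store` dict stand in for `ipa config-mod` and `cn=ipaconfig`.

```python
"""Search-limit handling for a topology that mixes old and new IPA servers.

Added example, not FreeIPA code. Three pieces the thread talks about:
config-mod validating an option and choosing what to store, the read side
converting the stored string before applying it (the ldap2.find_entries()
bug), and an older server that lacks the patch. legacy_size_limit() is an
assumption modelling the transcript (stored 0 -> "0 users matched").
"""

UNLIMITED_STORED = "-1"   # what config-mod writes for "unlimited"


def normalize_limit_option(value, name):
    """Validate --searchtimelimit / --searchrecordslimit input.

    0 and -1 both mean unlimited on input; the stored value is always -1 so
    that servers which still read 0 literally keep returning results.
    Returns the string to store in cn=ipaconfig.
    """
    try:
        n = int(value)
    except (TypeError, ValueError):
        raise ValueError("%s: not an integer: %r" % (name, value))
    if n < -1:
        raise ValueError("%s: must be -1, 0 or a positive integer" % name)
    return UNLIMITED_STORED if n <= 0 else str(n)


def effective_limit(stored):
    """Read side on a patched server. LDAP hands back a string, so convert
    before comparing; -1 and 0 both mean no limit. Returns None or int > 0."""
    n = int(stored)
    return None if n <= 0 else n


def apply_size_limit(entries, stored):
    """Patched server: truncate the result set only for a positive limit."""
    limit = effective_limit(stored)
    entries = list(entries)
    return entries if limit is None else entries[:limit]


def legacy_size_limit(entries, stored):
    """Unpatched server (assumed model): only -1 is unlimited; 0 is taken
    literally, which is how the transcript ends up with an empty result."""
    n = int(stored)
    entries = list(entries)
    return entries if n == -1 else entries[:n]


def config_mod(store, **options):
    """Stand-in for `ipa config-mod`: store is a dict playing cn=ipaconfig."""
    for name, value in options.items():
        store[name] = normalize_limit_option(value, name)
    return store


if __name__ == "__main__":
    users = ["admin", "alice", "bob"]
    cfg = config_mod({}, searchtimelimit=0, searchrecordslimit=0)
    print("stored:", cfg)
    print("old server, stored 0 :", legacy_size_limit(users, "0"))
    print("old server, stored -1:", legacy_size_limit(users, cfg["searchrecordslimit"]))
    print("new server, stored 0 :", apply_size_limit(users, "0"))
```

The asymmetry is deliberate: the API keeps 0 as the documented "unlimited" value, but the directory never sees a 0, because a replica that has not been upgraded reads the same `cn=ipaconfig` entry and would start returning nothing.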