Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-10-07 Thread Endi Sukma Dewata

On 10/5/2015 9:33 AM, Endi Sukma Dewata wrote:

On 10/5/2015 8:47 AM, Simo Sorce wrote:

2. The second attempt after re-enrolling the client resulted in an error
during CA installation:


This is due to the known bug with authentication in Dogtag. Endy fixed
it upstream.

Endy,
do you know when the bug will be released in a package we can use for
testing ?


Here is the bug: https://fedorahosted.org/pki/ticket/1580

I don't think we're ready for a Dogtag 10.3 build, so we may need to
cherry-pick it to 10.2.x. I'll check with Matt.



The fix is now available in the following build:
http://koji.fedoraproject.org/koji/buildinfo?buildID=689985

Please also provide feedback:
https://bodhi.fedoraproject.org/updates/FEDORA-2015-cea85c052a

Thanks!

--
Endi S. Dewata

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCHES 0069-0077] support for proper Kerberos principal canonicalization

2015-10-07 Thread thierry bordaz

On 10/07/2015 05:29 PM, Simo Sorce wrote:

On 07/10/15 11:06, thierry bordaz wrote:

On 10/07/2015 03:10 PM, David Kupka wrote:

On 06/10/15 17:52, Jakub Hrozek wrote:

On Tue, Oct 06, 2015 at 08:32:29AM -0400, Simo Sorce wrote:

On 06/10/15 08:04, David Kupka wrote:

On 06/10/15 13:35, Simo Sorce wrote:

On 06/10/15 03:51, thierry bordaz wrote:

On 10/06/2015 07:19 AM, David Kupka wrote:

On 05/10/15 16:12, Simo Sorce wrote:

On 05/10/15 09:00, Martin Babinsky wrote:
These patches implement the plumbing required to properly support
canonicalization of Kerberos principals (
https://fedorahosted.org/freeipa/ticket/3864).

Setting multiple principal aliases on hosts/services is beyond the scope
of this patchset and should be done after these patches are pushed.

I will try to send some tests for the patches later this week.

Please review the hell out of them.


LGTM, I do not see any issue at quick visual inspection.
What about the performance regression with the indexes? Is that bug
fixed in 389ds?

Simo.




The issue is still there. Thierry investigated this in 389 DS and IIUC
he is not sure if it's a bug or a completely missing feature. Therefore we
still don't know how much time is needed there.


Hi,
that is correct.
I can reproduce the problem. Although the matching rule (in my test
caseIgnoreIA5Match) is found, it has no registered indexing function, so
the setting (nsMatchingRule) is ignored.
I do not know if the indexing function is missing or there is a bug so
that the matching rule "forgets" to register it.
This feature is documented but I cannot find any QA test around it, so
I do not know yet if it is a regression or if it was not enabled at all.

I do not expect rapid progress on it. How urgent is it? 7.3?
For the moment I can think of only two workarounds:

  * use a filtered matching rule (preferred)
  * change the attribute syntax/matching rule in the schema (I would
discourage this one because changing the schema is risky)


We can't change the syntax at this point.

Well this patchset is blocked until the 389 ds bug is fixed (the
performance regression is too big to just put it in and hope) so I guess
we'll have to negotiate a time for the fix.

Simo.



I agree that we really shouldn't change schema.

But I don't think the patches are necessarily blocked by this issue.
Canonicalization was never supported in FreeIPA and when it is not
requested the performance is not affected at all. We could merge patches
as soon as they're carefully reviewed and tested to avoid tedious
rebasing and start using the new functionality when 389 DS gets fixed.


The fact we didn't do canonicalization this way doesn't mean clients aren't
asking for it.

I think Windows clients ask for canonicalization by default, and in SSSD I
see we turn on by default krb5_canonicalize in the IPA and LDAP case (oddly
enough not in the AD case?)

So SSSD's authentication requests would end up hitting this case all the
time if I am reading the code correctly (CCed Jakub to confirm/dispel this).


We ask for canonicalization always in IPA and LDAP, but also whenever
enterprise principals are used, which is true for AD provider.



Then SSSD will hit this every time it requests a ticket on behalf of a user.

But to be sure what the impact would be I've once again set up a FreeIPA
server with 10K users and ran some tests.

1) 3 LDAP searches (caseIgnoreIA5Match, caseExactIA5Match, without
specifying the matching rule).
Results (http://fpaste.org/275847/44221770/raw/) show that an unindexed
search takes ~100 times longer than an indexed one.

2) kinit with and without requested canonicalization.

As we use kinit to get the ticket it makes sense to check what the
performance hit will be when we run kinit as a whole and not just an
isolated LDAP search.
The results (http://fpaste.org/275848/21793144/raw/) show that with
canonicalization it takes ~2 times longer than without it.
While this is nothing to be happy about it's certainly better than I
would expect.


Clearly we need to make the search indexed.
In your deployment you defined:

dn: uid=user198,cn=users,cn=accounts,dc=example,dc=test
uid: user198
givenName: Test
sn: User198
cn: Test User198
initials: TU
homeDirectory: /home/user198
gecos: Test User198
loginShell: /bin/sh
mail: user1000...@example.test
uidNumber: 761100198
gidNumber: 761100198
displayName: Test User198
*krbPrincipalName: user1000...@example.test*
*krbCanonicalName: user1000...@example.test*
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
ip

Re: [Freeipa-devel] [PATCHES 0069-0077] support for proper Kerberos principal canonicalization

2015-10-07 Thread Simo Sorce

On 07/10/15 11:06, thierry bordaz wrote:

On 10/07/2015 03:10 PM, David Kupka wrote:

On 06/10/15 17:52, Jakub Hrozek wrote:

On Tue, Oct 06, 2015 at 08:32:29AM -0400, Simo Sorce wrote:

On 06/10/15 08:04, David Kupka wrote:

On 06/10/15 13:35, Simo Sorce wrote:

On 06/10/15 03:51, thierry bordaz wrote:

On 10/06/2015 07:19 AM, David Kupka wrote:

On 05/10/15 16:12, Simo Sorce wrote:

On 05/10/15 09:00, Martin Babinsky wrote:

These patches implement the plumbing required to properly support
canonicalization of Kerberos principals (
https://fedorahosted.org/freeipa/ticket/3864).

Setting multiple principal aliases on hosts/services is beyond the scope
of this patchset and should be done after these patches are pushed.

I will try to send some tests for the patches later this week.

Please review the hell out of them.


LGTM, I do not see any issue at quick visual inspection.
What about the performance regression with the indexes? Is that bug
fixed in 389ds?

Simo.




The issue is still there. Thierry investigated this in 389 DS and IIUC
he is not sure if it's a bug or a completely missing feature. Therefore we
still don't know how much time is needed there.


Hi,
that is correct.
I can reproduce the problem. Although the matching rule (in my test
caseIgnoreIA5Match) is found, it has no registered indexing function, so
the setting (nsMatchingRule) is ignored.
I do not know if the indexing function is missing or there is a bug so
that the matching rule "forgets" to register it.
This feature is documented but I cannot find any QA test around it, so
I do not know yet if it is a regression or if it was not enabled at all.

I do not expect rapid progress on it. How urgent is it? 7.3?
For the moment I can think of only two workarounds:

  * use a filtered matching rule (preferred)
  * change the attribute syntax/matching rule in the schema (I would
discourage this one because changing the schema is risky)


We can't change the syntax at this point.

Well this patchset is blocked until the 389 ds bug is fixed (the
performance regression is too big to just put it in and hope) so I guess
we'll have to negotiate a time for the fix.

Simo.



I agree that we really shouldn't change schema.

But I don't think the patches are necessarily blocked by this issue.
Canonicalization was never supported in FreeIPA and when it is not
requested the performance is not affected at all. We could merge patches
as soon as they're carefully reviewed and tested to avoid tedious
rebasing and start using the new functionality when 389 DS gets fixed.


The fact we didn't do canonicalization this way doesn't mean clients aren't
asking for it.

I think Windows clients ask for canonicalization by default, and in SSSD I
see we turn on by default krb5_canonicalize in the IPA and LDAP case (oddly
enough not in the AD case?)

So SSSD's authentication requests would end up hitting this case all the
time if I am reading the code correctly (CCed Jakub to confirm/dispel this).


We ask for canonicalization always in IPA and LDAP, but also whenever
enterprise principals are used, which is true for AD provider.



Then SSSD will hit this every time it requests a ticket on behalf of a user.
But to be sure what the impact would be I've once again set up a FreeIPA
server with 10K users and ran some tests.

1) 3 LDAP searches (caseIgnoreIA5Match, caseExactIA5Match, without
specifying the matching rule).
Results (http://fpaste.org/275847/44221770/raw/) show that an unindexed
search takes ~100 times longer than an indexed one.

2) kinit with and without requested canonicalization.

As we use kinit to get the ticket it makes sense to check what the
performance hit will be when we run kinit as a whole and not just an
isolated LDAP search.
The results (http://fpaste.org/275848/21793144/raw/) show that with
canonicalization it takes ~2 times longer than without it.
While this is nothing to be happy about it's certainly better than I
would expect.


Clearly we need to make the search indexed.
In your deployment you defined:

dn: uid=user198,cn=users,cn=accounts,dc=example,dc=test
uid: user198
givenName: Test
sn: User198
cn: Test User198
initials: TU
homeDirectory: /home/user198
gecos: Test User198
loginShell: /bin/sh
mail: user1000...@example.test
uidNumber: 761100198
gidNumber: 761100198
displayName: Test User198
*krbPrincipalName: user1000...@example.test*
*krbCanonicalName: user1000...@example.test*
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
ipaUniqueID: 6048c4ac-6cdd-11e5-a0af-080027987dcb
 

Re: [Freeipa-devel] [PATCHES 0069-0077] support for proper Kerberos principal canonicalization

2015-10-07 Thread thierry bordaz

On 10/07/2015 03:10 PM, David Kupka wrote:

On 06/10/15 17:52, Jakub Hrozek wrote:

On Tue, Oct 06, 2015 at 08:32:29AM -0400, Simo Sorce wrote:

On 06/10/15 08:04, David Kupka wrote:

On 06/10/15 13:35, Simo Sorce wrote:

On 06/10/15 03:51, thierry bordaz wrote:

On 10/06/2015 07:19 AM, David Kupka wrote:

On 05/10/15 16:12, Simo Sorce wrote:

On 05/10/15 09:00, Martin Babinsky wrote:

These patches implement the plumbing required to properly support
canonicalization of Kerberos principals (
https://fedorahosted.org/freeipa/ticket/3864).

Setting multiple principal aliases on hosts/services is beyond the scope
of this patchset and should be done after these patches are pushed.

I will try to send some tests for the patches later this week.

Please review the hell out of them.


LGTM, I do not see any issue at quick visual inspection.
What about the performance regression with the indexes? Is that bug
fixed in 389ds?

Simo.




The issue is still there. Thierry investigated this in 389 DS and IIUC
he is not sure if it's a bug or a completely missing feature. Therefore we
still don't know how much time is needed there.


Hi,
that is correct.
I can reproduce the problem. Although the matching rule (in my test
caseIgnoreIA5Match) is found, it has no registered indexing function, so
the setting (nsMatchingRule) is ignored.
I do not know if the indexing function is missing or there is a bug so
that the matching rule "forgets" to register it.
This feature is documented but I cannot find any QA test around it, so
I do not know yet if it is a regression or if it was not enabled at all.

I do not expect rapid progress on it. How urgent is it? 7.3?
For the moment I can think of only two workarounds:

  * use a filtered matching rule (preferred)
  * change the attribute syntax/matching rule in the schema (I would
discourage this one because changing the schema is risky)


We can't change the syntax at this point.

Well this patchset is blocked until the 389 ds bug is fixed (the
performance regression is too big to just put it in and hope) so I guess
we'll have to negotiate a time for the fix.

Simo.



I agree that we really shouldn't change schema.

But I don't think the patches are necessarily blocked by this issue.
Canonicalization was never supported in FreeIPA and when it is not
requested the performance is not affected at all. We could merge patches
as soon as they're carefully reviewed and tested to avoid tedious
rebasing and start using the new functionality when 389 DS gets fixed.


The fact we didn't do canonicalization this way doesn't mean clients aren't
asking for it.

I think Windows clients ask for canonicalization by default, and in SSSD I
see we turn on by default krb5_canonicalize in the IPA and LDAP case (oddly
enough not in the AD case?)

So SSSD's authentication requests would end up hitting this case all the
time if I am reading the code correctly (CCed Jakub to confirm/dispel this).


We ask for canonicalization always in IPA and LDAP, but also whenever
enterprise principals are used, which is true for AD provider.



Then SSSD will hit this every time it requests a ticket on behalf of a user.
But to be sure what the impact would be I've once again set up a FreeIPA
server with 10K users and ran some tests.

1) 3 LDAP searches (caseIgnoreIA5Match, caseExactIA5Match, without
specifying the matching rule).
Results (http://fpaste.org/275847/44221770/raw/) show that an unindexed
search takes ~100 times longer than an indexed one.

2) kinit with and without requested canonicalization.

As we use kinit to get the ticket it makes sense to check what the
performance hit will be when we run kinit as a whole and not just an
isolated LDAP search.
The results (http://fpaste.org/275848/21793144/raw/) show that with
canonicalization it takes ~2 times longer than without it.
While this is nothing to be happy about it's certainly better than I
would expect.



Clearly we need to make the search indexed.
In your deployment you defined:

   dn: uid=user198,cn=users,cn=accounts,dc=example,dc=test
   uid: user198
   givenName: Test
   sn: User198
   cn: Test User198
   initials: TU
   homeDirectory: /home/user198
   gecos: Test User198
   loginShell: /bin/sh
   mail: user1000...@example.test
   uidNumber: 761100198
   gidNumber: 761100198
   displayName: Test User198
   *krbPrincipalName: user1000...@example.test*
   *krbCanonicalName: user1000...@example.test*
   memberOf: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test
   objectClass: ipaobject
   objectClass: person
   objectClass: top
   objectClass: ipasshuser
   objectClass: inetorgperson
   objectClass: organizationalperson
   objectClass: krbticketpolicyaux
   objectClass: krbprincipalaux
   objectClass: inetuser
   objectClass: posixaccount
   objectClass: ipaSshGroupOfPubKeys
   objectClass: mepOriginEntry
   ipaUniqueID: 6048c4ac-6cdd-11e5-a0af-080027987dcb
   mepManagedEntry: cn=user19

Re: [Freeipa-devel] [PATCH] Workaround for trac N 5348

2015-10-07 Thread Martin Basti



On 10/07/2015 04:13 PM, Oleg Fayans wrote:

subj



Workaround looks good, but I prefer not to push it in upstream tests,
because it is not a test failure.


Why is there this sleep? This might be useful in upstream tests too, but
what is the reason to add sleep there?


 # verify signatures
+time.sleep(1)
 args = [



Re: [Freeipa-devel] [PATCH] Workaround for trac N 5348

2015-10-07 Thread Martin Kosek
On 10/07/2015 04:13 PM, Oleg Fayans wrote:
> subj

I would suggest using the standard FreeIPA format of referring to tickets, i.e. URL.
I would also suggest including the ticket URL in the patch description so that people
can easily find it:

http://www.freeipa.org/page/Contribute/Patch_Format

Martin



Re: [Freeipa-devel] [PATCH 0006-0010] Low hanging fruit for #5343 -- platform abstractions

2015-10-07 Thread Martin Basti

Thanks, comments inline.

On 10/07/2015 12:51 PM, Tomas Babej wrote:

On Tue, Oct 06, 2015 at 09:58:04PM +0300, Timo Aaltonen wrote:

Hi

   So here's the first batch of quick patches for ticket #5343. They're
only compile-tested so far (so no stupid mistakes I hope), as I don't
have 4.2+ working yet. Wonder how the quotes in the last patch work, but
at least make-lint didn't laugh too hard..

--
t

Hi,

overall this looks good, couple of comments inline.


 From 15b30829c53a7e02ddc997c17559d755b751c9d6 Mon Sep 17 00:00:00 2001
From: Timo Aaltonen 
Date: Tue, 6 Oct 2015 16:02:37 +0300
Subject: [PATCH 1/2] ipaplatform: Add HTTPD_USER to constants

https://fedorahosted.org/freeipa/ticket/5343
---
  ipaplatform/base/constants.py   |  1 +
  ipaserver/install/cainstance.py |  3 ++-
  ipaserver/install/certs.py  |  3 ++-
  ipaserver/install/httpinstance.py   | 11 ++-
  ipaserver/install/ipa_server_certinstall.py |  3 ++-
  5 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/ipaplatform/base/constants.py b/ipaplatform/base/constants.py
index 
cef829e2d3886db00ae6d0299ddcf325d1add80e..3f78822f99d9fbe815901301f4e6855105e73eea
 100644
--- a/ipaplatform/base/constants.py
+++ b/ipaplatform/base/constants.py
@@ -8,4 +8,5 @@ This base platform module exports platform dependant constants.
  
  
  class BaseConstantsNamespace(object):

+HTTPD_USER = "apache"
  IPA_DNS_PACKAGE_NAME = "freeipa-server-dns"
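Review bot: `HTTPD_USER = "apache"` lands in the base namespace with no comment on what it is for; since this is precisely the value other platforms are expected to override, a one-line comment stating that it names the account httpd runs as, and that the installers chown the NSS databases and the keytab to it, would tell a platform maintainer what breaks if the value is wrong.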
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 
c4788816ab702e9409c9bc44a91fcbd95dce018d..6deaef57c025cb55da9fcaf7620a54565f6701c7
 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -48,6 +48,7 @@ from ipalib import pkcs10, x509
  from ipalib import errors
  
  from ipaplatform import services

+from ipaplatform.constants import constants
  from ipaplatform.paths import paths
  from ipaplatform.tasks import tasks
  
@@ -1103,7 +1104,7 @@ class CAInstance(DogtagInstance):

  os.chmod(self.ra_agent_db + "/key3.db", 0o640)
  os.chmod(self.ra_agent_db + "/secmod.db", 0o640)
  
-pent = pwd.getpwnam("apache")

+pent = pwd.getpwnam(constants.HTTPD_USER)
  os.chown(self.ra_agent_db + "/cert8.db", 0, pent.pw_gid )
  os.chown(self.ra_agent_db + "/key3.db", 0, pent.pw_gid )
  os.chown(self.ra_agent_db + "/secmod.db", 0, pent.pw_gid )
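Review bot: `os.chown(self.ra_agent_db + "/cert8.db", 0, pent.pw_gid )` and the two lines below it derive the group from the HTTPD_USER account's primary gid; that coincides with the group Apache runs as on Fedora, but the new abstraction gives other platforms no way to say otherwise, so a companion HTTPD_GROUP constant (resolved with grp rather than taken from pwd) would make the file ownership portable and keep the RA agent database readable only by the intended group.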
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 
3e07ee398fa47beb02f54940a0246d58ae2267ae..d85344ede993840845af63c377525699425a9382
 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -42,6 +42,7 @@ from ipalib import pkcs10, x509, api
  from ipalib.errors import CertificateOperationError
  from ipalib.text import _
  from ipaplatform import services
+from ipaplatform.constants import constants
  from ipaplatform.paths import paths
  
  # Apache needs access to this database so we need to create it

@@ -519,7 +520,7 @@ class CertDB(object):
  f.close()
  pwdfile.close()
  # TODO: replace explicit uid by a platform-specific one

This TODO can be removed with this patch

-self.set_perms(self.pwd_conf, uid="apache")
+self.set_perms(self.pwd_conf, uid=constants.HTTPD_USER)
  
  def find_root_cert(self, nickname):

  """
diff --git a/ipaserver/install/httpinstance.py 
b/ipaserver/install/httpinstance.py
index 
ee4853a3f9a8a42bd050fd8b208fc2419c323512..a7fdfb1a21a8c62f57503cfaca68b30e4f26244f
 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -41,6 +41,7 @@ import ipapython.errors
  from ipaserver.install import sysupgrade
  from ipalib import api
  from ipalib import errors
+from ipaplatform.constants import constants
  from ipaplatform.tasks import tasks
  from ipaplatform.paths import paths
  from ipaplatform import services
@@ -52,7 +53,7 @@ SELINUX_BOOLEAN_SETTINGS = dict(
  )
  
  KDCPROXY_USER = 'kdcproxy'

-
+HTTPD_USER = constants.HTTPD_USER
  
  def httpd_443_configured():

  """
@@ -188,14 +189,14 @@ class HTTPInstance(service.Service):
  self.move_service(self.principal)
  self.add_cert_to_service()
  
-pent = pwd.getpwnam("apache")

+pent = pwd.getpwnam(HTTPD_USER)
  os.chown(paths.IPA_KEYTAB, pent.pw_uid, pent.pw_gid)
  
  def remove_httpd_ccache(self):

  # Clean up existing ccache
  # Make sure that empty env is passed to avoid passing KRB5CCNAME from
  # current env
-ipautil.run(['kdestroy', '-A'], runas='apache', raiseonerr=False, 
env={})
+ipautil.run(['kdestroy', '-A'], runas=HTTPD_USER, raiseonerr=False, 
env={})
  
  def __configure_http(self):

  target_fname = paths.HTTPD_IPA_CONF
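Review bot: `pwd.getpwnam(HTTPD_USER)` and `runas=HTTPD_USER` go through the module-level alias `HTTPD_USER = constants.HTTPD_USER` introduced in the previous hunk, while cainstance.py and certs.py in the same patch reference `constants.HTTPD_USER` directly; pick one form for the whole series, and if the alias stays, keep it adjacent to `KDCPROXY_USER` instead of replacing the blank line between the constants and `def httpd_443_configured()`.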
@@ -324,7 +325,7 @@ class HTTPInstance(service.Service):
  os.chmod(certs.NSS_DIR + "/secmod.db", 0o660)
  os.chmod(certs.NSS_DIR + "/pwdfile.tx

[Freeipa-devel] [PATCH] Workaround for trac N 5348

2015-10-07 Thread Oleg Fayans

subj

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From 7ab1afe5e9a8f6b28be2d5b92423eccec61248a0 Mon Sep 17 00:00:00 2001
From: Oleg Fayans 
Date: Wed, 7 Oct 2015 16:08:30 +0200
Subject: [PATCH] Added a workaround for ticket N 5348

After creating signed root zone, the server requires named.service restart for dig
requests to this zone to start displaying the key.
---
 ipatests/test_integration/test_dnssec.py | 12 +---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/ipatests/test_integration/test_dnssec.py b/ipatests/test_integration/test_dnssec.py
index 098b227f6543fa221ed6c75d1e98e9f056761977..b63c6ce4795c53c5c2dd604783c321835d8a689b 100644
--- a/ipatests/test_integration/test_dnssec.py
+++ b/ipatests/test_integration/test_dnssec.py
@@ -280,7 +280,10 @@ class TestInstallDNSSECFirst(IntegrationTest):
 "--ns-rec=" + self.master.hostname
 ]
 self.master.run_command(args)
-
+# A workaround for ticket N 5348
+time.sleep(20)
+self.master.run_command(["systemctl", "restart", "named-pkcs11.service"])
+# End of workaround
 # test master
 assert wait_until_record_is_signed(
 self.master.ip, root_zone, self.log, timeout=100
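Review bot: `time.sleep(20)` followed by `systemctl restart named-pkcs11.service` moves the defect tracked in ticket N 5348 out of the product's reach and into the test, so the test no longer detects the bug it is meant to cover; if the suite must stay green meanwhile, mark the `assert wait_until_record_is_signed(...)` as an expected failure referencing the ticket URL, or at least replace the fixed 20-second sleep with a bounded poll of the kind the hunk already uses (`timeout=100`). Also confirm that `time` is imported in the module; the context shown does not include the imports.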
@@ -303,8 +306,10 @@ class TestInstallDNSSECFirst(IntegrationTest):
 ]
 
 self.master.run_command(args)
-
-# wait until zone is signed
+# A workaround for ticket N 5348
+time.sleep(20)
+self.master.run_command(["systemctl", "restart", "named-pkcs11.service"])
+# End of workaround
 assert wait_until_record_is_signed(
 self.master.ip, example_test_zone, self.log, timeout=100
 ), "Zone %s is not signed (master)" % example_test_zone
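Review bot: the hunk deletes the `# wait until zone is signed` comment even though the `assert wait_until_record_is_signed(` it describes is still there; keep it. The sleep-plus-restart block is a verbatim copy of the one in the previous hunk, so factor it into one helper on the test class (say a `_restart_named_workaround()` method, name suggested here) that carries the ticket URL, so the workaround can be removed in a single place once 5348 is fixed.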
@@ -382,6 +387,7 @@ class TestInstallDNSSECFirst(IntegrationTest):
root_keys_rrset.to_text() + '\n')
 
 # verify signatures
+time.sleep(1)
 args = [
 "drill", "@localhost", "-k",
 paths.DNSSEC_TRUSTED_KEY, "-S",
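Review bot: the `time.sleep(1)` inserted before the `drill` signature check has neither a comment nor a ticket reference, unlike the other two insertions, so a reader cannot tell what race it papers over; state what the test is waiting for and prefer polling for that condition over a fixed delay, which will be too long on a fast machine and too short under load.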
-- 
2.4.3


Re: [Freeipa-devel] [PATCHES 0069-0077] support for proper Kerberos principal canonicalization

2015-10-07 Thread David Kupka

On 06/10/15 17:52, Jakub Hrozek wrote:

On Tue, Oct 06, 2015 at 08:32:29AM -0400, Simo Sorce wrote:

On 06/10/15 08:04, David Kupka wrote:

On 06/10/15 13:35, Simo Sorce wrote:

On 06/10/15 03:51, thierry bordaz wrote:

On 10/06/2015 07:19 AM, David Kupka wrote:

On 05/10/15 16:12, Simo Sorce wrote:

On 05/10/15 09:00, Martin Babinsky wrote:

These patches implement the plumbing required to properly support
canonicalization of Kerberos principals (
https://fedorahosted.org/freeipa/ticket/3864).

Setting multiple principal aliases on hosts/services is beyond the
scope
of this patchset and should be done after these patches are pushed.

I will try to send some tests for the patches later this week.

Please review the hell out of them.


LGTM, I do not see any issue at quick visual inspection.
What about the performance regression with the indexes? Is that bug
fixed in 389ds?

Simo.




The issue is still there. Thierry investigated this in 389 DS and IIUC
he is not sure if it's a bug or a completely missing feature. Therefore we
still don't know how much time is needed there.


Hi,
that is correct.
I can reproduce the problem. Although the matching rule (in my test
caseIgnoreIA5Match) is found, it has no registered indexing function, so
the setting (nsMatchingRule) is ignored.
I do not know if the indexing function is missing or there is a bug so
that the matching rule "forgets" to register it.
This feature is documented but I cannot find any QA test around it, so
I do not know yet if it is a regression or if it was not enabled at all.

I do not expect rapid progress on it. How urgent is it? 7.3?
For the moment I can think of only two workarounds:

  * use a filtered matching rule (preferred)
  * change the attribute syntax/matching rule in the schema (I would
discourage this one because changing the schema is risky)


We can't change the syntax at this point.

Well this patchset is blocked until the 389 ds bug is fixed (the
performance regression is too big to just put it in and hope) so I guess
we'll have to negotiate a time for the fix.

Simo.



I agree that we really shouldn't change schema.

But I don't think the patches are necessarily blocked by this issue.
Canonicalization was never supported in FreeIPA and when it is not
requested the performance is not affected at all. We could merge patches
as soon as they're carefully reviewed and tested to avoid tedious
rebasing and start using the new functionality when 389 DS gets fixed.


The fact we didn't do canonicalization this way doesn't mean clients aren't
asking for it.

I think Windows clients ask for canonicalization by default, and in SSSD I
see we turn on by default krb5_canonicalize in the IPA and LDAP case (oddly
enough not in the AD case?)

So SSSD's authentication requests would end up hitting this case all the
time if I am reading the code correctly (CCed Jakub to confirm/dispel this).


We ask for canonicalization always in IPA and LDAP, but also whenever
enterprise principals are used, which is true for AD provider.



Then SSSD will hit this every time it requests a ticket on behalf of a user.
But to be sure what the impact would be I've once again set up a FreeIPA
server with 10K users and ran some tests.

1) 3 LDAP searches (caseIgnoreIA5Match, caseExactIA5Match, without
specifying the matching rule).
Results (http://fpaste.org/275847/44221770/raw/) show that an unindexed
search takes ~100 times longer than an indexed one.

2) kinit with and without requested canonicalization.

As we use kinit to get the ticket it makes sense to check what the
performance hit will be when we run kinit as a whole and not just an
isolated LDAP search.
The results (http://fpaste.org/275848/21793144/raw/) show that with
canonicalization it takes ~2 times longer than without it.
While this is nothing to be happy about it's certainly better than I
would expect.


--
David Kupka
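The canonicalization lookup this thread is measuring, as an added example that is not part of the original messages, of the FreeIPA patches or of 389 DS: it builds the LDAP filter a KDC back end would issue for a requested principal, both in the default equality form and in the `caseIgnoreIA5Match` extensible-match form David found to be unindexed, escapes the assertion value per RFC 4515 so that a client-supplied principal name cannot alter the filter's structure, and emulates the alias-to-canonical resolution over constructed entries. The attribute names `krbPrincipalName` and `krbCanonicalName` come from the LDIF quoted in the thread; the sample entries, the `HTTP/...` service alias and all function names are constructed for the example.

```python
"""Kerberos principal canonicalization via LDAP, illustrated offline.

Added example, not FreeIPA or 389 DS code. Attribute names come from the
thread; the entries below are constructed to resemble the LDIF it shows.
"""
from typing import Dict, List, Optional

# RFC 4515 section 3: characters that must be escaped inside an assertion
# value. Without this, a requested principal such as '*)(uid=*' would change
# the structure of the filter (LDAP filter injection) instead of being
# matched literally.
_RFC4515_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use in an LDAP search filter."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def principal_filter(principal: str, matching_rule: Optional[str] = None) -> str:
    """Filter for looking up a principal by krbPrincipalName.

    With no matching rule the attribute's default equality rule applies.
    With e.g. "caseIgnoreIA5Match" the extensible-match form
    (attr:rule:=value) is produced, which is the form the thread found
    to be served unindexed by 389 DS.
    """
    value = escape_filter_value(principal)
    if matching_rule is None:
        return f"(krbPrincipalName={value})"
    return f"(krbPrincipalName:{matching_rule}:={value})"


# Constructed entries, modelled on the user entry quoted in the thread plus a
# hypothetical service entry that carries a principal alias.
Entry = Dict[str, List[str]]
SAMPLE_ENTRIES: List[Entry] = [
    {
        "dn": ["uid=user198,cn=users,cn=accounts,dc=example,dc=test"],
        "krbPrincipalName": ["user198@EXAMPLE.TEST"],
        "krbCanonicalName": ["user198@EXAMPLE.TEST"],
    },
    {
        "dn": ["krbprincipalname=HTTP/ipa.example.test@EXAMPLE.TEST,"
               "cn=services,cn=accounts,dc=example,dc=test"],
        # krbPrincipalName is multi-valued: the canonical name plus an alias.
        "krbPrincipalName": [
            "HTTP/ipa.example.test@EXAMPLE.TEST",
            "HTTP/www.example.test@EXAMPLE.TEST",
        ],
        "krbCanonicalName": ["HTTP/ipa.example.test@EXAMPLE.TEST"],
    },
]


def _ia5_match(a: str, b: str, case_ignore: bool) -> bool:
    """caseIgnoreIA5Match versus caseExactIA5Match on ASCII strings."""
    return a.lower() == b.lower() if case_ignore else a == b


def canonicalize(requested: str, entries: List[Entry],
                 case_ignore: bool = True) -> Optional[str]:
    """Emulate the KDC back end's canonicalization step.

    Find the entry whose krbPrincipalName (any value, i.e. any alias) matches
    the requested name and return its krbCanonicalName, or None when nothing
    matches. case_ignore=True corresponds to caseIgnoreIA5Match, False to
    caseExactIA5Match.
    """
    for entry in entries:
        if any(_ia5_match(requested, v, case_ignore)
               for v in entry["krbPrincipalName"]):
            return entry["krbCanonicalName"][0]
    return None


if __name__ == "__main__":
    # A client asking with a differently-cased name, and one asking for an alias.
    for name in ("USER198@example.test", "HTTP/www.example.test@EXAMPLE.TEST"):
        print(principal_filter(name, "caseIgnoreIA5Match"), "->",
              canonicalize(name, SAMPLE_ENTRIES))
```

Run stand-alone, it shows the case-insensitive rule resolving both the mis-cased user name and the service alias to their canonical names, while exact matching returns nothing for the mis-cased request. Whatever the outcome of the indexing question, the escaping is the part to keep: the value placed in this filter is taken from the client's request.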



Re: [Freeipa-devel] [PATCH 0058] Avoid ipa-dnskeysync-replica & ipa-ods-exporter crashes caused by exceeding LDAP limit

2015-10-07 Thread Martin Basti



On 10/06/2015 10:28 AM, Petr Spacek wrote:

On 6.10.2015 10:10, Martin Basti wrote:

On 10/06/2015 09:46 AM, Petr Spacek wrote:

Hello,

Avoid ipa-dnskeysync-replica & ipa-ods-exporter crashes caused by exceeding
LDAP limits.

https://bugzilla.redhat.com/show_bug.cgi?id=1268027


NACK

* Module ipa-dnskeysync-replica
daemons/dnssec/ipa-dnskeysync-replica:156: [E0602(undefined-variable), ]
Undefined variable 'api')
* Module ipa-ods-exporter
daemons/dnssec/ipa-ods-exporter:505: [E0602(undefined-variable), ] Undefined
variable 'api')

Sorry, I'm an idiot. Fixed patch is attached.


ACK

Pushed to:
master: 0b797da56095801bfa80653465c04bae0809df8d
ipa-4-2: 5841d495f081c635394cda09abe36be020d32d84



Re: [Freeipa-devel] [PATCH 0006-0010] Low hanging fruit for #5343 -- platform abstractions

2015-10-07 Thread Tomas Babej
On Wed, Oct 07, 2015 at 12:51:10PM +0200, Tomas Babej wrote:
> On Tue, Oct 06, 2015 at 09:58:04PM +0300, Timo Aaltonen wrote:
> > 
> > Hi
> > 
> >   So here's the first batch of quick patches for ticket #5343. They're
> > only compile-tested so far (so no stupid mistakes I hope), as I don't
> > have 4.2+ working yet. Wonder how the quotes in the last patch work, but
> > at least make-lint didn't laugh too hard..
> > 
> > -- 
> > t
> 
> Hi,
> 
> overall this looks good, couple of comments inline.
> 

Additionally, there are some legitimate lint failures:

* Module ipaserver.install.ntpinstance
ipaserver/install/ntpinstance.py:28: [E1101(no-member), ] Instance of
'FedoraConstantsNamespace' has no 'NTPD_OPTS_VAR' member)
ipaserver/install/ntpinstance.py:29: [E1101(no-member), ] Instance of
'FedoraConstantsNamespace' has no 'NTPD_OPTS_QUOTE' member)
* Module ipaserver.install.httpinstance
ipaserver/install/httpinstance.py:252: [E1101(no-member),
HTTPInstance.__add_include] Instance of 'FedoraPathNamespace' has no
'HTTPD_CONF_D' member)

"NTPD*" vars are defined as "NTP*" in the Namespace and HTTPD_CONF_D
should be HTTPD_CONF_D_DIR.

HTH,

Tomas



Re: [Freeipa-devel] [PATCH 0006-0010] Low hanging fruit for #5343 -- platform abstractions

2015-10-07 Thread Tomas Babej
On Tue, Oct 06, 2015 at 09:58:04PM +0300, Timo Aaltonen wrote:
> 
>   Hi
> 
>   So here's the first batch of quick patches for ticket #5343. They're
> only compile-tested so far (so no stupid mistakes I hope), as I don't
> have 4.2+ working yet. Wonder how the quotes in the last patch work, but
> at least make-lint didn't laugh too hard..
> 
> -- 
> t

Hi,

overall this looks good, couple of comments inline.

> From 15b30829c53a7e02ddc997c17559d755b751c9d6 Mon Sep 17 00:00:00 2001
> From: Timo Aaltonen 
> Date: Tue, 6 Oct 2015 16:02:37 +0300
> Subject: [PATCH 1/2] ipaplatform: Add HTTPD_USER to constants
> 
> https://fedorahosted.org/freeipa/ticket/5343
> ---
>  ipaplatform/base/constants.py   |  1 +
>  ipaserver/install/cainstance.py |  3 ++-
>  ipaserver/install/certs.py  |  3 ++-
>  ipaserver/install/httpinstance.py   | 11 ++-
>  ipaserver/install/ipa_server_certinstall.py |  3 ++-
>  5 files changed, 13 insertions(+), 8 deletions(-)
> 
> diff --git a/ipaplatform/base/constants.py b/ipaplatform/base/constants.py
> index 
> cef829e2d3886db00ae6d0299ddcf325d1add80e..3f78822f99d9fbe815901301f4e6855105e73eea
>  100644
> --- a/ipaplatform/base/constants.py
> +++ b/ipaplatform/base/constants.py
> @@ -8,4 +8,5 @@ This base platform module exports platform dependant 
> constants.
>  
>  
>  class BaseConstantsNamespace(object):
> +HTTPD_USER = "apache"
>  IPA_DNS_PACKAGE_NAME = "freeipa-server-dns"
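Review bot: the new `HTTPD_USER = "apache"` default in `BaseConstantsNamespace` only covers platforms whose web server actually runs as `apache`; none of the five files in this patch's stat line override it in a platform subclass, so the Debian case that ticket #5343 is about still needs a platform-specific override (Debian's Apache runs as `www-data`) either here or in a follow-up patch. A short comment on the constant stating what it is used for (owner of the RA agent NSS database and of the HTTP keytab, as the later hunks show) would also help the next reader.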
> diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
> index 
> c4788816ab702e9409c9bc44a91fcbd95dce018d..6deaef57c025cb55da9fcaf7620a54565f6701c7
>  100644
> --- a/ipaserver/install/cainstance.py
> +++ b/ipaserver/install/cainstance.py
> @@ -48,6 +48,7 @@ from ipalib import pkcs10, x509
>  from ipalib import errors
>  
>  from ipaplatform import services
> +from ipaplatform.constants import constants
>  from ipaplatform.paths import paths
>  from ipaplatform.tasks import tasks
>  
> @@ -1103,7 +1104,7 @@ class CAInstance(DogtagInstance):
>  os.chmod(self.ra_agent_db + "/key3.db", 0o640)
>  os.chmod(self.ra_agent_db + "/secmod.db", 0o640)
>  
> -pent = pwd.getpwnam("apache")
> +pent = pwd.getpwnam(constants.HTTPD_USER)
>  os.chown(self.ra_agent_db + "/cert8.db", 0, pent.pw_gid )
>  os.chown(self.ra_agent_db + "/key3.db", 0, pent.pw_gid )
>  os.chown(self.ra_agent_db + "/secmod.db", 0, pent.pw_gid )
> diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
> index 
> 3e07ee398fa47beb02f54940a0246d58ae2267ae..d85344ede993840845af63c377525699425a9382
>  100644
> --- a/ipaserver/install/certs.py
> +++ b/ipaserver/install/certs.py
> @@ -42,6 +42,7 @@ from ipalib import pkcs10, x509, api
>  from ipalib.errors import CertificateOperationError
>  from ipalib.text import _
>  from ipaplatform import services
> +from ipaplatform.constants import constants
>  from ipaplatform.paths import paths
>  
>  # Apache needs access to this database so we need to create it
> @@ -519,7 +520,7 @@ class CertDB(object):
>  f.close()
>  pwdfile.close()
>  # TODO: replace explicit uid by a platform-specific one
> -self.set_perms(self.pwd_conf, uid="apache")
> +self.set_perms(self.pwd_conf, uid=constants.HTTPD_USER)
>  
>  def find_root_cert(self, nickname):
>  """
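Review bot: the `# TODO: replace explicit uid by a platform-specific one` comment directly above the changed line is now fulfilled by `uid=constants.HTTPD_USER`, so it should be dropped in the same hunk; leaving it in will send the next reader looking for a change that has already been made.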
> diff --git a/ipaserver/install/httpinstance.py 
> b/ipaserver/install/httpinstance.py
> index 
> ee4853a3f9a8a42bd050fd8b208fc2419c323512..a7fdfb1a21a8c62f57503cfaca68b30e4f26244f
>  100644
> --- a/ipaserver/install/httpinstance.py
> +++ b/ipaserver/install/httpinstance.py
> @@ -41,6 +41,7 @@ import ipapython.errors
>  from ipaserver.install import sysupgrade
>  from ipalib import api
>  from ipalib import errors
> +from ipaplatform.constants import constants
>  from ipaplatform.tasks import tasks
>  from ipaplatform.paths import paths
>  from ipaplatform import services
> @@ -52,7 +53,7 @@ SELINUX_BOOLEAN_SETTINGS = dict(
>  )
>  
>  KDCPROXY_USER = 'kdcproxy'
> -
> +HTTPD_USER = constants.HTTPD_USER
>  
>  def httpd_443_configured():
>  """
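Review bot: the module-level alias `HTTPD_USER = constants.HTTPD_USER` is inconsistent with cainstance.py and certs.py in this same patch, which reference `constants.HTTPD_USER` directly; using the direct reference everywhere leaves a single name to grep for. Replacing the blank line with the assignment also leaves only one blank line before `def httpd_443_configured():`, which PEP8 (and make-lint, E302) will flag, so keep two blank lines there.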
> @@ -188,14 +189,14 @@ class HTTPInstance(service.Service):
>  self.move_service(self.principal)
>  self.add_cert_to_service()
>  
> -pent = pwd.getpwnam("apache")
> +pent = pwd.getpwnam(HTTPD_USER)
>  os.chown(paths.IPA_KEYTAB, pent.pw_uid, pent.pw_gid)
>  
>  def remove_httpd_ccache(self):
>  # Clean up existing ccache
>  # Make sure that empty env is passed to avoid passing KRB5CCNAME from
>  # current env
> -ipautil.run(['kdestroy', '-A'], runas='apache', raiseonerr=False, 
> env={})
> +ipautil.run(['kdestroy', '-A'], runas=HTTPD_USER, raiseonerr=False, 
> env={})
>  
>  def __configure_http(self):
>  target_fname = paths.HTTPD_IPA_CONF
> @@ -324,7 +325,7 @@ class HTTPInstance(service.Service):
>  os.chmod(certs.NSS_DIR

Re: [Freeipa-devel] [PATCHES] More Python 3 porting

2015-10-07 Thread Jan Cholasta

On 6.10.2015 12:04, Petr Viktorin wrote:

On 10/05/2015 07:56 AM, Jan Cholasta wrote:

On 2.10.2015 13:09, Petr Viktorin wrote:

On 10/01/2015 03:15 PM, Jan Cholasta wrote:

Hi,

On 1.10.2015 13:01, Martin Basti wrote:



On 09/30/2015 10:25 AM, Petr Viktorin wrote:

On 09/23/2015 04:46 PM, Petr Viktorin wrote:

On 09/22/2015 02:59 PM, David Kupka wrote:

On 18/09/15 17:00, Petr Viktorin wrote:

Hello,
Here are more patches that bring IPA closer to Python 3
compatibility.

[...]



LGTM

I ran xmlrpc tests, DNSSEC ci tests, backup and restore CI test and
everything works


Patches 713-719: ACK


Patch 720:

You missed:

ipa-client/ipa-install/ipa-client-install:32:from ConfigParser
import RawConfigParser



Thanks, fixed.


Patches 721-722: ACK


Patch 723:

Why the "NoneType = type(None)" in parameters.py? It is used only at:

ipalib/parameters.py:388:type = NoneType  # Ouch, this wont be very
useful in the real world!


I believe this is less confusing than `type = type(None)`, but I can
change that if needed.


I don't care which one is used TBH, just that it is done consistently
across the whole patch, and this seemed like the simpler thing to do.


OK, changed.


Patch 724:

The SSHPublicKey class was written with the assumption that "str" means
binary data, so unless I'm missing something, you only need to replace
"str" with "bytes".


It specifically did take non-binary data as str:

-if isinstance(key, str) and key[:3] != '\0\0\0':
-key = key.decode(encoding)


I don't follow, this is quite obviously binary data. It reads: "If key
is binary and does not start with 3 null bytes, decode it to text using
the specified encoding."


Right, it's text (non-binary) data encoded in str (bytes), so it needs
to be encoded.


I've removed this for Python 3, where text data shouldn't be in bytes.

Since this means the '\0\0\0' check is skipped in __init__ under Python
3, I've added it also to _parse_raw.


When the SSH integration feature was first introduced, SSH public keys
were stored in the raw binary form in LDAP, i.e. not text data. We still
need to support that, so support for binary data and the 3 null check
must remain in SSHPublicKey.


Changed, updated patches attached.


Thanks, ACK.

I took the liberty of amending patch 718 to silence this pylint false 
positive I was getting on F22:


ipalib/plugins/otptoken.py:496: [E1101(no-member), 
HTTPSHandler.https_open] Instance of 'HTTPSHandler' has no 'do_open' member)


Pushed to master: f82d3da1e8e5dc1d0716201af5abb724a8e78fde

BTW, in patch 724, binascii.Error is handled in addition to TypeError 
with base64.b64decode(). There are multiple places where 
base64.b64decode() is used in IPA where only TypeError is handled. Are 
you planning on fixing this as well?


Honza

--
Jan Cholasta
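As an added illustration of the bytes-versus-text question debated above (this is not code from the patches or from IPA's SSHPublicKey class), the following accepts a key either as raw SSH wire bytes, as stored in LDAP by early IPA releases, or as OpenSSH text, keeps the three-null-byte check, and handles `binascii.Error` next to `TypeError` on base64 decoding. The key material is constructed and the function name is hypothetical.

```python
import base64
import binascii
import struct


def _wire(*fields):
    # SSH wire format (RFC 4253 "string"): 4-byte big-endian length + data.
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)


# Constructed sample: a key whose fields are only placeholders, not a real key.
RAW_KEY = _wire(b"ssh-rsa", b"\x01\x00\x01", b"\x00\xab\xcd")
TEXT_KEY = "ssh-rsa " + base64.b64encode(RAW_KEY).decode("ascii") + " user@host"


def normalize_ssh_public_key(key, encoding="utf-8"):
    """Return (key_type, raw_wire_bytes) for a key given as raw wire bytes
    or as an OpenSSH text line (str, or text encoded into bytes)."""
    # Any wire-format key starts with the 4-byte length of its algorithm name;
    # for names shorter than 256 bytes that is three null bytes plus one byte,
    # so "bytes not starting with \0\0\0" is text that was encoded into bytes.
    if isinstance(key, bytes) and not key.startswith(b"\0\0\0"):
        key = key.decode(encoding)
    if isinstance(key, bytes):
        raw = key
    else:
        parts = key.strip().split()
        if len(parts) < 2:
            raise ValueError("malformed OpenSSH public key line")
        try:
            # validate=True rejects non-alphabet characters instead of
            # silently discarding them; Python 3 raises binascii.Error for
            # bad input, while TypeError is what Python 2 callers handled.
            raw = base64.b64decode(parts[1], validate=True)
        except (TypeError, binascii.Error) as e:
            raise ValueError("invalid base64 in public key: %s" % e)
    # Repeat the wire-format check on the decoded bytes as well, so the
    # raw-key path and the text path are validated the same way.
    if len(raw) < 4 or not raw.startswith(b"\0\0\0"):
        raise ValueError("not an SSH wire-format public key")
    (name_len,) = struct.unpack(">I", raw[:4])
    name = raw[4:4 + name_len]
    if not name or len(name) != name_len:
        raise ValueError("truncated key type field")
    return name.decode("ascii"), raw
```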



[Freeipa-devel] [PATCHES 0002-0008] [RFE] Implement iCal based time management in HBAC

2015-10-07 Thread Stanislav Laznicka

Hi,

The moment's here, I'd like to share my code with you now. Let me 
comment on some additions from my last post here in August.


The methods for testing HBAC rules in hbactest module were modified so 
that a time zone can now also be picked in case there are some rules 
with the "host" time zone in the rule time policy. I also added a few 
tests that test setting accessTime values.


The most important update of the previous month is the addition of 
negative values to the time rules language. Most of the keywords (all, 
except for timeofday and year) now accept negative values and negative 
value ranges. This should be useful for cases when the user should only 
be allowed access e.g. in the last 7 days of a month, last few weeks of 
a year etc. Also, it is a similar behavior to what iCalendar has.


The addition of negative values also made me re-think the ways the week 
of a year should be calculated. There are no 0th weeks of year anymore, 
a week of year can hold values ranging from 1 to 53 where the 1st week 
of a year may appear even on a date of the previous year (if 1st January 
is Tue-Thu) or the 52nd or 53rd week may appear on a date of the 
following year (when 31st December is Thu-Sat). If my explanation seems 
rather rough, please see 
https://docs.oracle.com/javase/8/docs/api/java/time/temporal/WeekFields.html.


The latter caused some changes to be made in my SSSD code. These changes 
took most of my time last month alongside with generally polishing 
the code and adding comments where I thought necessary. I will push my 
SSSD code to the sssd-devel mailing list as a follow-up to this mail.


Another thing - I updated the design page on the FreeIPA wiki, so please 
check it out, too 
(http://www.freeipa.org/page/V4/Time-Based_Account_Policies).


Last thing I would like to mention - there is now a copr repo with both 
sssd and freeipa with time-based policies 
(https://copr.fedoraproject.org/coprs/stlaz/freeipa-sssd-timerules/). 
This was Martin K.'s idea and I think it's pretty dandy :) As the 
patches I am posting only contain CLI for HBAC time policies, you might 
be pleased that the repo includes at least basic WebUI for this purpose 
(although the WebUI is for some reason not updating the page on rule 
addition properly, I will be hopefully looking into that shortly). You 
will still need mkosek/freeipa-master copr repo for some dependencies. 
Should it not work properly for you, please, send me an email, it's my 
first time taking care of a copr repo.


That's it from me for now, thank you for your patience with my emails,
Standa
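An added example, not part of Standa's patches or SSSD code, of the ISO week numbering described above (weeks 1 to 53, week 1 possibly starting in the previous calendar year, the last week possibly running into the next) together with the negative week index that the new time-rule language motivates. The function names are hypothetical.

```python
import datetime


def iso_weeks_in_year(year):
    """Number of ISO 8601 weeks in `year`, 52 or 53. 28 December always
    lies in the last ISO week of its year, so its week number is the count."""
    return datetime.date(year, 12, 28).isocalendar()[1]


def resolve_week_of_year(year, index):
    """Map a week index onto an ISO week number for `year`.

    Positive indices count from week 1; negative indices count back from
    the last week, so -1 is week 52 or 53 depending on the year. There is
    no week 0, and an index beyond the year's week count is rejected
    rather than silently wrapped.
    """
    weeks = iso_weeks_in_year(year)
    if index == 0 or abs(index) > weeks:
        raise ValueError("week index %d out of range 1..%d for %d"
                         % (index, weeks, year))
    return index if index > 0 else weeks + index + 1


def date_matches_week_rule(day, index):
    """True when `day` falls in the ISO week selected by `index`.

    The ISO week-based year is used, not the calendar year: 30 Dec 2013
    belongs to week 1 of 2014 (1 Jan 2014 is a Wednesday) and 1 Jan 2016
    belongs to week 53 of 2015 (31 Dec 2015 is a Thursday).
    """
    iso_year, iso_week, _weekday = day.isocalendar()
    try:
        return iso_week == resolve_week_of_year(iso_year, index)
    except ValueError:
        return False
```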

From 552d23f8c900cb3ef5437f020874f968bfce35e9 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Tue, 7 Jul 2015 09:44:23 +0200
Subject: [PATCH 2/8] Added time-based policy types to LDAP schema.

https://fedorahosted.org/freeipa/ticket/547
---
 install/share/60basev2.ldif | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/install/share/60basev2.ldif b/install/share/60basev2.ldif
index 00712ddda2c548b7f7924a012f3f68499f2f01da..c3251a4331005ade1333f9e64b57a62a89706ce9 100644
--- a/install/share/60basev2.ldif
+++ b/install/share/60basev2.ldif
@@ -37,7 +37,9 @@ attributeTypes: (2.16.840.1.113730.3.8.3.11 NAME 'externalHost' DESC 'Multivalue
 attributeTypes: (2.16.840.1.113730.3.8.3.12 NAME 'sourceHostCategory' DESC 'Additional classification for hosts' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
 attributeTypes: (2.16.840.1.113730.3.8.3.13 NAME 'accessRuleType' DESC 'The flag to represent if it is allow or deny rule.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
 attributeTypes: (2.16.840.1.113730.3.8.3.14 NAME 'accessTime' DESC 'Access time' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
-objectClasses: (2.16.840.1.113730.3.8.4.7 NAME 'ipaHBACRule' SUP ipaAssociation STRUCTURAL MUST accessRuleType MAY ( sourceHost $ sourceHostCategory $ serviceCategory $ memberService $ externalHost $ accessTime ) X-ORIGIN 'IPA v2' )
+attributeTypes: (2.16.840.1.113730.3.8.11.72 NAME 'accessTimeExclude' DESC 'Access time - exclude these values' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4' )
+attributeTypes: (2.16.840.1.113730.3.8.11.73 NAME 'ipaTimeZone' DESC 'Olson database timezone name' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4' )
+objectClasses: (2.16.840.1.113730.3.8.4.7 NAME 'ipaHBACRule' SUP ipaAssociation STRUCTURAL MUST accessRuleType MAY ( sourceHost $ sourceHostCategory $ serviceCategory $ memberService $ externalHost $ ipaTimeZone $ accessTime $ accessTimeExclude ) X-ORIGIN 'IPA v2' )
 attributeTypes: (2.16.840.1
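Review bot: the new attribute types `accessTimeExclude` and `ipaTimeZone` are tagged X-ORIGIN 'IPA v4', but the `ipaHBACRule` objectClass whose MAY list now carries them keeps X-ORIGIN 'IPA v2' in the `+objectClasses:` line; either update that tag or note in the commit message why the objectClass keeps its original origin. Also, `ipaTimeZone` is described as an Olson database timezone name yet is a plain Directory String with caseIgnoreMatch, so nothing at the schema level rejects a name the rule evaluator cannot resolve; the CLI patches in this set should validate the value on the way in, and the evaluator should treat an unresolvable zone as a rule that does not grant access rather than falling back to the server's zone.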