Re: [Freeipa-devel] [PATCH] 0048 Decode HTTP reason phrase as iso-8859-1

2016-01-06 Thread Jan Cholasta

Hi,

On 6.1.2016 05:26, Fraser Tweedale wrote:

Happy new year, all.

The attached patch fixes a unicode decode error triggered in some
locales, which causes failure of installation (and probably other
operations, if locale is changed under an existing server).

https://fedorahosted.org/freeipa/ticket/5578


It seems like this fixes only part of the issue - the installer won't 
crash anymore. But what happens if the reason phrase uses characters 
which are not in iso-8859-1 (e.g. "č", a character commonly used in 
Czech)? Shouldn't we always specify the encoding in requests, so that 
Dogtag does not have to guess?


Honza

--
Jan Cholasta

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
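As an added illustration of the point raised above (this is written for this page, not code from the patch or from FreeIPA/Dogtag): ISO-8859-1 decoding never raises, because every byte maps to exactly one code point, but a reason phrase the server emitted in UTF-8 (a Czech "č" for instance) comes out as mojibake. The example contrasts that with a UTF-8-first decoder and shows why even that is a guess. The reason phrases are constructed samples, not real Dogtag output.

```python
"""Decoding an HTTP reason phrase: ISO-8859-1 never fails, but it can be wrong."""


def decode_reason_phrase(raw: bytes) -> str:
    """What the patch does: ISO-8859-1 maps each byte to exactly one code
    point, so this cannot raise UnicodeDecodeError whatever the server sent."""
    return raw.decode("iso-8859-1")


def decode_reason_phrase_utf8_first(raw: bytes) -> str:
    """Try UTF-8 first (what a server in a UTF-8 locale emits) and fall back
    to ISO-8859-1, so the decode still cannot fail."""
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.decode("iso-8859-1")


def is_mojibake_risk(raw: bytes) -> bool:
    """True when the bytes are valid UTF-8 and contain non-ASCII: decoding
    them as ISO-8859-1 'succeeds' and silently yields the wrong text."""
    try:
        raw.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return any(b > 0x7F for b in raw)


# Constructed samples (not real Dogtag responses):
CZECH_UTF8 = "Chyba čtení".encode("utf-8")                 # "read error", UTF-8 locale
GERMAN_LATIN1 = "Fehler: ungültig".encode("iso-8859-1")    # "error: invalid", Latin-1 locale
AMBIGUOUS_LATIN1 = "Ã©".encode("iso-8859-1")               # Latin-1 text whose bytes are valid UTF-8 for "é"


def demo() -> dict:
    """Return every decoded form so the behaviour can be checked, not only printed."""
    return {
        "czech_latin1": decode_reason_phrase(CZECH_UTF8),
        "czech_utf8_first": decode_reason_phrase_utf8_first(CZECH_UTF8),
        "german_latin1": decode_reason_phrase(GERMAN_LATIN1),
        "german_utf8_first": decode_reason_phrase_utf8_first(GERMAN_LATIN1),
        "ambiguous_utf8_first": decode_reason_phrase_utf8_first(AMBIGUOUS_LATIN1),
        "czech_risk": is_mojibake_risk(CZECH_UTF8),
        "german_risk": is_mojibake_risk(GERMAN_LATIN1),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-22s %r" % (name, value))
```

The ambiguous case is the important one: a Latin-1 "Ã©" is byte-identical to a UTF-8 "é", so no client-side heuristic can tell them apart. That is the argument for letting the request state which encoding (or language) it accepts, as suggested above, instead of guessing on the client.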

Re: [Freeipa-devel] [PATCH 027] Require Dogtag 10.2.6-13 to fix KRA uninstall

2016-01-06 Thread Jan Cholasta

On 6.1.2016 20:37, Martin Basti wrote:



On 06.01.2016 11:21, Martin Babinsky wrote:

On 01/05/2016 01:49 PM, Lukas Slebodnik wrote:

On (05/01/16 12:24), Christian Heimes wrote:

The combination of a bug in Dogtag's sslget command and a new feature
in mod_nss causes an incomplete uninstallation of KRA. The bug has been
fixed in Dogtag 10.2.6-13.


and it is in fedora 23 stable for a week
https://bodhi.fedoraproject.org/updates/FEDORA-2015-c7dd78ac78

LS


https://fedorahosted.org/freeipa/ticket/5469
https://fedorahosted.org/pki/ticket/1704

Signed-off-by: Christian Heimes 




ipa-kra-install can be uninstalled and XMLRPC tests are also happy.

ACK.


Pushed to:
master: 6ac3553dde63f7d2dfab5f0118ca833b049f734b
ipa-4-3: be18b70fe2b3b08fc4bd8ea1f5058128125d1f76



This is supposed to go into 4.2.4 as well, as per the last ticket triage 
(the ticket was not updated yet).


--
Jan Cholasta



Re: [Freeipa-devel] [PATCH 027] Require Dogtag 10.2.6-13 to fix KRA uninstall

2016-01-06 Thread Martin Basti



On 06.01.2016 11:21, Martin Babinsky wrote:

On 01/05/2016 01:49 PM, Lukas Slebodnik wrote:

On (05/01/16 12:24), Christian Heimes wrote:

The combination of a bug in Dogtag's sslget command and a new feature
in mod_nss causes an incomplete uninstallation of KRA. The bug has been
fixed in Dogtag 10.2.6-13.


and it is in fedora 23 stable for a week
https://bodhi.fedoraproject.org/updates/FEDORA-2015-c7dd78ac78

LS


https://fedorahosted.org/freeipa/ticket/5469
https://fedorahosted.org/pki/ticket/1704

Signed-off-by: Christian Heimes 




ipa-kra-install can be uninstalled and XMLRPC tests are also happy.

ACK.


Pushed to:
master: 6ac3553dde63f7d2dfab5f0118ca833b049f734b
ipa-4-3: be18b70fe2b3b08fc4bd8ea1f5058128125d1f76



[Freeipa-devel] [PATCH 0400] update_uniqueness plugin: fix possible referenced before assignment error

2016-01-06 Thread Martin Basti
Variable 'update' might be undefined if a plugin configuration cannot be 
migrated to the new format.


Patch attached.
From 3226a3a1753c7d53cc4d03bc4e98085fe18ba316 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 6 Jan 2016 20:26:09 +0100
Subject: [PATCH] update_uniqueness plugin: fix referenced before assignment
 error

This error may potentially happen when plugin migration is skipped due
to an error. In that case the variable 'update' was undefined.
---
 ipaserver/install/plugins/update_uniqueness.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/plugins/update_uniqueness.py b/ipaserver/install/plugins/update_uniqueness.py
index b4c0c81a09c7fa03c7b420fbdc3fd6025636b11b..ea1c6753cdf02f85c595f663b80b615097e931d2 100644
--- a/ipaserver/install/plugins/update_uniqueness.py
+++ b/ipaserver/install/plugins/update_uniqueness.py
@@ -214,8 +214,8 @@ class update_uniqueness_plugins_to_new_syntax(Updater):
 root_logger.error("Unable to migrate configuration of "
   "plugin %s (%s)",
   entry.dn, e)
-
-update_list.append(update)
+else:
+update_list.append(update)
 
 return False, update_list
 
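Review bot: the `else:` branch fixes the unbound `update`, but the failure it guards is now silent beyond the `root_logger.error(...)` call: a plugin whose configuration could not be migrated is simply left out of `update_list` and the method still ends with `return False, update_list`, so the upgrade reports success. Consider surfacing the failed migration to the caller (a returned flag or a raised error) instead of only logging it. Indentation is lost in this archive copy, so please also double-check that the `else:` belongs to the `try`/`except` and not to an enclosing `for`.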
-- 
2.5.0


[Freeipa-devel] [PATCH 0399] Upgrade: fix upgrading of NIS Server configuration

2016-01-06 Thread Martin Basti

https://fedorahosted.org/freeipa/ticket/5507

Patch attached.

Is the proposed workaround in the ticket enough, or should I also prepare an 
update that will fix the missing maps?
From 39e1124314a66578022f7d7810fd6252af96fd80 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 6 Jan 2016 19:47:22 +0100
Subject: [PATCH] Upgrade: Fix upgrade of NIS Server configuration

The former upgrade file always created the NIS Server container, which caused
ipa-nis-manage not to set all required NIS maps. Default creation
of the container has been removed.

Updating of NIS Server configuration and
NIS maps is done only if the NIS Server container exists.

https://fedorahosted.org/freeipa/ticket/5507
---
 install/share/Makefile.am  |  1 +
 .../50-nis.update => share/nis-update.uldif}   | 19 +--
 install/updates/50-nis.update  | 58 ++
 ipaplatform/base/paths.py  |  1 +
 ipaserver/install/plugins/update_nis.py| 36 ++
 5 files changed, 42 insertions(+), 73 deletions(-)
 copy install/{updates/50-nis.update => share/nis-update.uldif} (91%)
 create mode 100644 ipaserver/install/plugins/update_nis.py

diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 42f3972e1061fda5bfd23b2fa8f63d675f92f5ba..b4cb8312471a68d8cd855f542478afe10d200c39 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -61,6 +61,7 @@ app_DATA =\
 	memberof-task.ldif		\
 	memberof-conf.ldif		\
 	nis.uldif			\
+	nis-update.uldif			\
 	opendnssec_conf.template	\
 	opendnssec_kasp.template	\
 	unique-attributes.ldif		\
diff --git a/install/updates/50-nis.update b/install/share/nis-update.uldif
similarity index 91%
copy from install/updates/50-nis.update
copy to install/share/nis-update.uldif
index 149889ec7bdb38073eb6df88628792526cfe58e6..e602c1de061fbcece349b2d86970c4db5051473b 100644
--- a/install/updates/50-nis.update
+++ b/install/share/nis-update.uldif
@@ -1,20 +1,4 @@
-# NIS Server plugin must be disabled by default
-# command 'ipa-nis-manage enable' enables NIS server
-dn: cn=NIS Server,cn=plugins,cn=config
-default:objectclass: top
-default:objectclass: nsSlapdPlugin
-default:objectclass: extensibleObject
-default:cn: NIS Server
-default:nsslapd-pluginpath: /usr/lib$LIBARCH/dirsrv/plugins/nisserver-plugin.so
-default:nsslapd-plugininitfunc: nis_plugin_init
-default:nsslapd-plugintype: object
-default:nsslapd-pluginbetxn: on
-default:nsslapd-pluginenabled: off
-default:nsslapd-pluginid: nis-server
-default:nsslapd-pluginversion: 0.10
-default:nsslapd-pluginvendor: redhat.com
-default:nsslapd-plugindescription: NIS Server Plugin
-default:nis-tcp-wrappers-name: nis-server
+# Updates for NIS
 
 # Correct syntax error that caused users to not appear
 dn: nis-domain=$DOMAIN+nis-map=netgroup, cn=NIS Server, cn=plugins, cn=config
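Review bot: the new header `# Updates for NIS` replaces a comment that documented an important property (the NIS Server plugin is disabled by default and only `ipa-nis-manage enable` turns it on). Since this file is now applied only when the `cn=NIS Server,cn=plugins,cn=config` container already exists, say so in the header, and note that `$DOMAIN` in the dn below is substituted by the caller, so nobody later ships the file through the generic updater again.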
@@ -52,4 +36,3 @@ default:nis-filter: (&(macAddress=*)(fqdn=*)(objectClass=ipaHost))
 default:nis-keys-format: %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) (.*)","%7")
 default:nis-values-format: %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) (.*)","%1:%2:%3:%4:%5:%6 %7")
 default:nis-secure: no
-
diff --git a/install/updates/50-nis.update b/install/updates/50-nis.update
index 149889ec7bdb38073eb6df88628792526cfe58e6..05a166f003aefc50fc25f10f01f7364d752425bc 100644
--- a/install/updates/50-nis.update
+++ b/install/updates/50-nis.update
@@ -1,55 +1,3 @@
-# NIS Server plugin must be disabled by default
-# command 'ipa-nis-manage enable' enables NIS server
-dn: cn=NIS Server,cn=plugins,cn=config
-default:objectclass: top
-default:objectclass: nsSlapdPlugin
-default:objectclass: extensibleObject
-default:cn: NIS Server
-default:nsslapd-pluginpath: /usr/lib$LIBARCH/dirsrv/plugins/nisserver-plugin.so
-default:nsslapd-plugininitfunc: nis_plugin_init
-default:nsslapd-plugintype: object
-default:nsslapd-pluginbetxn: on
-default:nsslapd-pluginenabled: off
-default:nsslapd-pluginid: nis-server
-default:nsslapd-pluginversion: 0.10
-default:nsslapd-pluginvendor: redhat.com
-default:nsslapd-plugindescription: NIS Server Plugin
-default:nis-tcp-wrappers-name: nis-server
-
-# Correct syntax error that caused users to not appear
-dn: nis-domain=$DOMAIN+nis-map=netgroup, cn=NIS Server, cn=plugins, cn=config
-replace:nis-value-format: %merge(" ","%{memberNisNetgroup}","(%link(\"%ifeq(\\\"hostCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\"memberHost\\\",\\\"fqdn\\\")\\\",\\\"%deref_r(\\\"member\\\",\\\"fqdn\\\")\\\",\\\"%deref_r(\\\"memberHost\\\",\\\"member\\\",\\\"fqdn\\\")\\\")\\\")\",\"-\",\",\",\"%ifeq(\\\"userCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\"%der
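Review bot: the hunk for install/updates/50-nis.update is cut off in this archive copy at the `replace:nis-value-format:` line, and ipaserver/install/plugins/update_nis.py (36 new lines in the diffstat) is not shown at all, so the check that the NIS Server container exists before the maps are updated cannot be reviewed here. Please make sure the full patch is attached to the ticket, and that update_nis.py treats a missing container as "nothing to do" rather than as an error on servers that never enabled NIS.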

[Freeipa-devel] [PATCH 0398] Allow to use mixed case for sysrestore

2016-01-06 Thread Martin Basti

https://fedorahosted.org/freeipa/ticket/5574

Patch attached.



From cffa75803ba38587a4002107df76558a77120262 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 5 Jan 2016 17:58:49 +0100
Subject: [PATCH] Allow to use mixed case for sysrestore

This commit allows the use of mixed-case keys for sysrestore; before this
commit all keys were saved in lowercase, which prevented accessing them.

The original usage of a mixed-case sysrestore key in opendnssecinstance had
to be changed to lowercase to prevent issues on already installed
systems.

https://fedorahosted.org/freeipa/ticket/5574
---
 ipapython/sysrestore.py | 3 +++
 ipaserver/install/opendnssecinstance.py | 6 +++---
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/ipapython/sysrestore.py b/ipapython/sysrestore.py
index 65ef5da898a58a9e42804314a45872770b11c80e..5d6b30f5a0194f360f96e8ed2048fe1266d343c4 100644
--- a/ipapython/sysrestore.py
+++ b/ipapython/sysrestore.py
@@ -71,6 +71,7 @@ class FileStore:
 self.files = {}
 
 p = SafeConfigParser()
+p.optionxform = str
 p.read(self._index)
 
 for section in p.sections():
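Review bot: with `p.optionxform = str` on the reader, index files written by older releases are read back exactly as stored, i.e. already lowercased by the old default optionxform. The commit message only covers the `KASP_DB_configured` state key in opendnssecinstance.py; please confirm that no FileStore key was ever written in mixed case, otherwise `has_file()` lookups on upgraded servers would miss entries.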
@@ -92,6 +93,7 @@ class FileStore:
 return
 
 p = SafeConfigParser()
+p.optionxform = str
 
 p.add_section('files')
 for (key, value) in self.files.items():
@@ -355,6 +357,7 @@ class StateFile:
 return
 
 p = SafeConfigParser()
+p.optionxform = str
 
 for module in self.modules.keys():
 p.add_section(module)
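Review bot: this sets `optionxform = str` only on the parser that writes the state file; the corresponding reader in StateFile is not touched by this patch (the diffstat shows three insertions in sysrestore.py, all visible here), so a key saved as `KASP_DB_configured` would still be read back lowercased and `get_state()` would miss it. Please add the same line to StateFile's load path, or explain why it is not needed.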
diff --git a/ipaserver/install/opendnssecinstance.py b/ipaserver/install/opendnssecinstance.py
index 1c6aaeefaf10df21dde29a467fcfc2713b2d6c2c..4d3b65ff990fef87134bfd333ad65694feac925f 100644
--- a/ipaserver/install/opendnssecinstance.py
+++ b/ipaserver/install/opendnssecinstance.py
@@ -268,11 +268,11 @@ class OpenDNSSECInstance(service.Service):
 
 def __setup_dnssec(self):
 # run once only
-if self.get_state("KASP_DB_configured") and not self.kasp_db_file:
+if self.get_state("kasp_db_configured") and not self.kasp_db_file:
 root_logger.debug("Already configured, skipping step")
 return
 
-self.backup_state("KASP_DB_configured", True)
+self.backup_state("kasp_db_configured", True)
 
 if not self.fstore.has_file(paths.OPENDNSSEC_KASP_DB):
 self.fstore.backup_file(paths.OPENDNSSEC_KASP_DB)
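Review bot: the lowercase `kasp_db_configured` is deliberate compatibility with state files written by older releases (where the default optionxform lowercased it), but nothing at the call site says so; a one-line comment next to `self.backup_state("kasp_db_configured", True)` would stop a future cleanup from restoring the mixed-case name and silently re-running `__setup_dnssec` on upgraded servers.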
@@ -377,7 +377,7 @@ class OpenDNSSECInstance(service.Service):
 except ValueError as error:
 root_logger.debug(error)
 
-self.restore_state("KASP_DB_configured")  # just eat state
+self.restore_state("kasp_db_configured")  # just eat state
 
 # disabled by default, by ldap_enable()
 if enabled:
-- 
2.5.0

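An added example (written for this page, not FreeIPA code) of what the patch above is working around: ConfigParser's default optionxform lowercases option names on both read and write, so a state key saved as `KASP_DB_configured` can only be found as `kasp_db_configured`; `optionxform = str` preserves case, but files written by an older release stay lowercased, which is why the patch lowercases the key at the call site instead. The example uses Python 3's `configparser.ConfigParser` in place of the Python 2 `SafeConfigParser` in the diff; the module name and the compat lookup helper are assumptions.

```python
"""Why sysrestore lowercased keys, and what optionxform = str changes."""
import configparser
import io

STATE_KEY = "KASP_DB_configured"   # the mixed-case key from the patch


def _parser(preserve_case: bool) -> configparser.ConfigParser:
    p = configparser.ConfigParser()
    if preserve_case:
        p.optionxform = str          # the default optionxform is str.lower
    return p


def save_state(module: str, states: dict, preserve_case: bool) -> str:
    """Serialise {key: value} under one section, the way the state file is written."""
    p = _parser(preserve_case)
    p.add_section(module)
    for key, value in states.items():
        p.set(module, key, str(value))
    buf = io.StringIO()
    p.write(buf)
    return buf.getvalue()


def load_state(text: str, preserve_case: bool) -> dict:
    """Parse a state file back into {section: {key: value}}."""
    p = _parser(preserve_case)
    p.read_string(text)
    return {section: dict(p.items(section)) for section in p.sections()}


def get_state(states: dict, module: str, key: str):
    """Exact lookup, like get_state() in the installer."""
    return states.get(module, {}).get(key)


def get_state_compat(states: dict, module: str, key: str):
    """Lookup that also accepts the lowercased spelling an older release wrote
    (an assumed helper, not something sysrestore provides)."""
    value = get_state(states, module, key)
    if value is None:
        value = get_state(states, module, key.lower())
    return value


if __name__ == "__main__":
    old = load_state(save_state("opendnssec", {STATE_KEY: True}, False), True)
    new = load_state(save_state("opendnssec", {STATE_KEY: True}, True), True)
    print("old file, exact lookup :", get_state(old, "opendnssec", STATE_KEY))
    print("old file, compat lookup:", get_state_compat(old, "opendnssec", STATE_KEY))
    print("new file, exact lookup :", get_state(new, "opendnssec", STATE_KEY))
```

The first print reproduces the bug: `None`, so `__setup_dnssec` would run again on a server that is already configured. Either the key is lowercased everywhere (what the patch does) or the lookup has to accept both spellings; doing only the writer side is the worst of both worlds.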

Re: [Freeipa-devel] [PATCH 0072-0081] DNSSEC: fixes

2016-01-06 Thread Martin Basti



On 22.12.2015 14:32, Petr Spacek wrote:

On 21.12.2015 18:56, Martin Basti wrote:


On 21.12.2015 15:45, Martin Basti wrote:


On 21.12.2015 15:33, Petr Spacek wrote:

Hello,

this patch set fixes key rotation in DNSSEC.

You can use attached template files for OpenDNSSEC config to shorten time
intervals between key rotations.

Please let me know if you have any questions, I'm all ears!


Please fix whitespace error:

Applying: DNSSEC: logging improvements in ldapkeydb.py
/home/mbasti/work/freeipa-devel/.git/rebase-apply/patch:14: trailing
whitespace.

warning: 1 line adds whitespace errors.


*) DNSSEC: ipa-dnskeysyncd: call ods-signer ldap-cleanup on zone removal

Is it safe to not use try - except with ipautil.run()? What if the ods-signer
command failed?

That is intentional. The call should never fail, so if it fails there is no
way to recover cleanly except restarting the daemon.

The unhandled exception will kill the daemon and systemd will restart it later 
on.



*) DNSSEC: Improve error reporting from ipa-ods-exporter
IMO log.exception(ex)  is enough, do we need to add traceback to msg?

msg is sent over socket to another process (see send_systemd_reply(conn, msg)
call in finally: block). Without this the remote party would not receive the
error information.



*) DNSSEC: Make sure that current state in OpenDNSSEC matches key state in LDAP
I think this is okay because we want to use KSK instantly, but just to be
sure, is Publish->Activate okay?
+bind_times['idnsSecKeyActivate'] = ods_times['idnsSecKeyPublish']

Just to be sure, how will this be handled during KSK key rotation?

We have to copy semantics from OpenDNSSEC. Please see the design page
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC/OpenDNSSEC2BINDKeyStates
, it describes in detail why I did it this way.



*) DNSSEC: Make sure that current key state in LDAP matches key state in BIND
LGTM

*) DNSSEC: remove obsolete TODO note
ACK

*) DNSSEC: add debug mode to ldapkeydb.py
A)
You can remove the __str__ method; Python will use __repr__ as the default

Done.



B)
for attr in ['ipaPrivateKey', 'ipaPublicKey', 'ipk11publickeyinfo']:
Do we need to sanitize *public*Key and publicKeyinfo?

Yes, we need it. The output with any of ['ipaPrivateKey', 'ipaPublicKey',
'ipk11publickeyinfo'] is a huge blob and printing it does not help readability.
The purpose of the patch is to make it easy to read and debug, so printing useless
blobs would go directly against the purpose :-)



C)
ipa_log_manager is used in odsmgr.py; can we use the same for consistency?

Fixed, thanks.



D)
Do we need logging there? Everything is printed via print except debug info
about connecting; can you just redirect it to stderr and leave usable data in
stdout?

Yes, we need it because it eases debugging. print() prints useful information
to stdout. 'Garbage' about connecting to LDAP, IPA framework initialization
and so on goes via the logger to stderr, so it can be easily separated from useful
information using redirection in BASH.

I've added a comment right below if __name__ == '__main__': to make it clear
why we do not use logger in there.



*) DNSSEC: logging improvements in ldapkeydb.py
IMO commit message should be: " in ipa-ods-exporter"

Otherwise LGTM

Fixed, thanks.



*) DNSSEC: remove keys purged by OpenDNSSEC from master HSM from LDAP

A) coding style: please use (), instead of "\"
 assert set(pubkeys_local) == set(privkeys_local), (
 "IDs of private and public keys for DNS zones in local HSM does "
 "not match to key pairs: %s vs. %s" %
 (hex_set(pubkeys_local), hex_set(privkeys_local))
 )

Fixed.



B) coding style
 assert not matched_already, (
 "key %s is in more than one keyset" % hexlify(keyid)
 )

Not relevant anymore, see below.



C) schedule_key_deletion()
how about the case when keyid is not in any keyset? Then keyid will not be
replaced by an object and it will blow up somewhere else

Not relevant anymore, see below.



D) +class KeyDeleter(object):
I would like to have a check there which blows up nicely if _update_key() is
called twice on the same object. With the current implementation you will get
NoneType has no delete_entry method.

Not relevant anymore, see below.



E)
I somehow do not like the placeholder object.  Could we just extend the Key
object with an attribute "to_be_deleted" or something similar, and if this
attribute is set to True, Key._update_key() can remove, instead of creating a
new object.
Key.prepare_deletion() can set the value "to_be_deleted" to True.

The main purpose of the KeyDeleter object was to be incompatible with the Key object. I
want to be 100 % sure that it is not possible to call schedule_delete() and
subsequently modify the Key object.

I've reworked the Key object so it has a schedule_deletion() method and all
other methods call __assert_not_deleted() to make sure that the object was not
deleted.

Is it better?



*) DNSSEC: ipa-dnsk
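An added example (written for this page, not the ldapkeydb.py code under review) of the design agreed on above: a Key object that, once scheduled for deletion, refuses every further use instead of relying on a separate placeholder object, and whose flush step fails loudly when called twice (point D) or for an id that is in no keyset (point C). The directory is a plain dict standing in for LDAP, the attribute names are illustrative, and the method is spelled `_assert_not_deleted` here rather than the name-mangled `__assert_not_deleted` mentioned above.

```python
"""A Key wrapper that fails loudly if it is used after being scheduled for deletion."""


class KeyDeletedError(RuntimeError):
    """Raised when a Key is touched after schedule_deletion()."""


class Key:
    """Mutable view of one key entry in a fake directory (a dict dn -> attrs)."""

    def __init__(self, dn: str, attrs: dict, directory: dict):
        self.dn = dn
        self._attrs = dict(attrs)
        self._directory = directory   # constructed stand-in for the LDAP connection
        self._dirty = False
        self._deleted = False
        self._flushed = False

    def _assert_not_deleted(self) -> None:
        if self._deleted:
            raise KeyDeletedError("%s is scheduled for deletion" % self.dn)

    def __getitem__(self, attr: str):
        self._assert_not_deleted()
        return self._attrs[attr]

    def __setitem__(self, attr: str, value) -> None:
        self._assert_not_deleted()
        self._attrs[attr] = value
        self._dirty = True

    def schedule_deletion(self) -> None:
        """Mark for deletion; every later access except _update_key() raises."""
        self._assert_not_deleted()
        self._deleted = True

    def _update_key(self) -> str:
        """Write the pending change (modify or delete) exactly once."""
        if self._flushed:
            raise RuntimeError("_update_key() called twice for %s" % self.dn)
        self._flushed = True
        if self._deleted:
            del self._directory[self.dn]
            return "deleted"
        if self._dirty:
            self._directory[self.dn] = dict(self._attrs)
            return "modified"
        return "unchanged"


def purge_keys(directory: dict, purged_ids) -> dict:
    """Delete the keys whose ids the master HSM reported as purged; return dn -> action.

    An id that is in no keyset is an error here (point C above) instead of a
    placeholder that blows up somewhere else later."""
    keys = {attrs["keyid"]: Key(dn, attrs, directory) for dn, attrs in directory.items()}
    for keyid in purged_ids:
        if keyid not in keys:
            raise KeyError("key %s is in no keyset" % keyid.hex())
        keys[keyid].schedule_deletion()
    return {key.dn: key._update_key() for key in keys.values()}


def sample_directory() -> dict:
    """Constructed directory content; attribute names are illustrative only."""
    return {
        "cn=k1,cn=keys": {"keyid": b"\x01\x02", "state": "active"},
        "cn=k2,cn=keys": {"keyid": b"\x03\x04", "state": "retired"},
    }


if __name__ == "__main__":
    directory = sample_directory()
    print(purge_keys(directory, [b"\x03\x04"]))
    print(sorted(directory))
```

The invariant is enforced by the object itself, so a caller cannot schedule a deletion and then keep modifying the entry by accident; the second `_update_key()` call raises a RuntimeError with the dn in it instead of an AttributeError on None.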

[Freeipa-devel] [PATCHES 0396-0397] DNSSEC CI: fix tests

2016-01-06 Thread Martin Basti

Patches attached.
From 87f8712e3ef6e4a601889625c1649e9fcbb7db75 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 5 Jan 2016 19:41:14 +0100
Subject: [PATCH] DNSSEC test: fix adding zones with --skip-overlap-check

In DNSSEC tests the root zone has to be created; this requires using
--skip-overlap-check to work properly.
---
 ipatests/test_integration/test_dnssec.py | 17 -
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/ipatests/test_integration/test_dnssec.py b/ipatests/test_integration/test_dnssec.py
index a4387d353d0a72c107978bb292561dde312a9721..65b1bdaf0e5dd4991b5f4dc1e8173f0fc8ad0537 100644
--- a/ipatests/test_integration/test_dnssec.py
+++ b/ipatests/test_integration/test_dnssec.py
@@ -100,6 +100,7 @@ class TestInstallDNSSECLast(IntegrationTest):
 args = [
 "ipa",
 "dnszone-add", test_zone,
+"--skip-overlap-check",
 "--dnssec", "true",
 ]
 self.master.run_command(args)
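Review bot: `--skip-overlap-check` turns off the check that a new zone does not overlap a zone that is already served, which the commit message justifies for the root zone only; this hunk and the ones below add the flag to every `dnszone-add` in the file, so these tests no longer exercise the overlap check at all. If the non-root zones need it because the test root zone makes them resolvable, say so in the commit message; otherwise limit the flag to the root-zone cases.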
@@ -119,6 +120,7 @@ class TestInstallDNSSECLast(IntegrationTest):
 args = [
 "ipa",
 "dnszone-add", test_zone_repl,
+"--skip-overlap-check",
 "--dnssec", "true",
 ]
 self.replicas[0].run_command(args)
@@ -268,7 +270,8 @@ class TestInstallDNSSECFirst(IntegrationTest):
 
 def test_sign_root_zone(self):
 args = [
-"ipa", "dnszone-add", root_zone, "--dnssec", "true"
+"ipa", "dnszone-add", root_zone, "--dnssec", "true",
+"--skip-overlap-check",
 ]
 self.master.run_command(args)
 
@@ -297,7 +300,8 @@ class TestInstallDNSSECFirst(IntegrationTest):
 
 # add test zone
 args = [
-"ipa", "dnszone-add", example_test_zone, "--dnssec", "true"
+"ipa", "dnszone-add", example_test_zone, "--dnssec", "true",
+"--skip-overlap-check",
 ]
 
 self.master.run_command(args)
@@ -433,7 +437,8 @@ class TestMigrateDNSSECMaster(IntegrationTest):
 
 # add test zone
 args = [
-"ipa", "dnszone-add", example_test_zone, "--dnssec", "true"
+"ipa", "dnszone-add", example_test_zone, "--dnssec", "true",
+"--skip-overlap-check",
 ]
 
 self.master.run_command(args)
@@ -490,7 +495,8 @@ class TestMigrateDNSSECMaster(IntegrationTest):
 
 # add test zone
 args = [
-"ipa", "dnszone-add", example2_test_zone, "--dnssec", "true"
+"ipa", "dnszone-add", example2_test_zone, "--dnssec", "true",
+"--skip-overlap-check",
 ]
 self.replicas[0].run_command(args)
 
@@ -522,7 +528,8 @@ class TestMigrateDNSSECMaster(IntegrationTest):
 
 # add new zone to new replica
 args = [
-"ipa", "dnszone-add", example3_test_zone, "--dnssec", "true"
+"ipa", "dnszone-add", example3_test_zone, "--dnssec", "true",
+"--skip-overlap-check",
 ]
 self.replicas[1].run_command(args)
 
-- 
2.5.0

From aeeb791e087451df411318bc5029b8e11d4c8e41 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 6 Jan 2016 15:05:12 +0100
Subject: [PATCH] DNSSEC CI: add missing ldns-utils dependency

---
 freeipa.spec.in | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 34fd2d51a065f90a05e5fb642eb383d53b8d1e2a..2e284e6c8923470671d07d2f2cd5de50847733bb 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -568,6 +568,7 @@ Requires: python-coverage
 Requires: python-polib
 Requires: python-pytest-multihost >= 0.5
 Requires: python-pytest-sourceorder
+Requires: ldns-utils
 
 Provides: %{alt_name}-tests%{?_isa} = %{version}
 Conflicts: %{alt_name}-tests
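Review bot: the commit message has no body saying which tool from ldns-utils test_dnssec.py calls or why the dependency was missing until now; one sentence (and a minimum version if the test depends on a particular option) would help packagers, since the `Requires:` line is unversioned and is duplicated for the python3-ipatests subpackage below.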
@@ -598,6 +599,7 @@ Requires: python3-coverage
 Requires: python3-polib
 Requires: python3-pytest-multihost >= 0.5
 Requires: python3-pytest-sourceorder
+Requires: ldns-utils
 
 %description -n python3-ipatests
 IPA is an integrated solution to provide centrally managed Identity (users,
-- 
2.5.0


Re: [Freeipa-devel] certmonger everywhere

2016-01-06 Thread Rob Crittenden
Jan Cholasta wrote:
> On 4.1.2016 19:57, Rob Crittenden wrote:
>> Jan Cholasta wrote:
>>> On 16.12.2015 01:40, Fraser Tweedale wrote:
>>>
>>> I'm not proposing to change cert-request to a client side command - I'm
>>> proposing to change the way cert-request is handled *on the server*.
>>> This way we can keep all the configuration on the server and make
>>> changes to it without having to reconfigure all clients.
>>>
>>> This is how I envision the workflow:
>>>
>>>   1. client requests a certificate with "getcert request", using
>>> "IPA" as
>>> the CA and, optionally, a string identifying the sub-CA (for the lack of
>>> better term)
>>>
>>>   2. "getcert request" forwards the request to certmonger over D-Bus and
>>> exits
>>>
>>>   3. certmonger creates CSR for the request
>>>
>>>   4. certmonger executes the IPA CA helper to handle the request
>>>
>>>   5. the IPA CA helper calls the cert-request command on the server over
>>> RPC, using local host credentials for authentication
>>>
>>>   6. cert-request on the server validates the request
>>>
>>>   7. cert-request fetches the configuration for the specified sub-CA, or
>>> the default sub-CA if none was specified, from LDAP
>>>
>>>   8. cert-request forwards the request to the certmonger CA helper
>>> specified in the LDAP configuration over D-Bus (this is the D-Bus method
>>> that currently does not exist and needs to be implemented)
>>>
>>>   9. certmonger executes the specified CA helper to handle the request
>>>
>>>   10. the CA helper requests the certificate from the CA and returns
>>> either the certificate, wait delay or error
>>>
>>>   11. certmonger returns the result back to cert-request
>>>
>>>   12. cert-request returns the result back to IPA CA helper on the
>>> client
>>>
>>>   13. the IPA CA helper on the client returns the result back to
>>> certmonger
>>>
>>>   14. if the result was wait delay, certmonger waits and then retries
>>> the
>>> request from step 4, otherwise it stores the certificate or sets error
>>> status
>>>
>>
>> I guess this would work but I think you'd have quite a difficult time
>> returning usable error messages to a user (and they are pretty bad now
>> in cert-request).
> 
> I don't see why, error messages can be easily passed between all the
> involved interfaces.

The current messages aren't great but at least with some amount of
google-fu one can discover what the current ones mean. The certmonger
messages tend to be just "can't talk to http://...:9180/... and a
semi-documented status code.

>> I assume that a CSR can be seeded into the certmonger request process
>> but I've never tried it myself. Do you know if it works?
>>
>> I really wonder how the case of delayed issuance would be handled. Would
>> you leave the server-side certmonger request to idle until the second
>> step was handled? Wouldn't this have the potential to have an
>> unmanageable number of certmonger requests? It gets confusing enough for
>> users for the 8 typical tracked certs, what about hundreds?
> 
> See step 8: there won't be any new certmonger requests, everything will
> be forwarded directly to the proper certmonger CA helper using a new
> D-Bus call.

Ok, I read it as creating a request via the D-Bus call. Makes me wonder
what this means for masters that don't run CA.

>>
>> If you want to eventually use the requestors credentials won't this
>> require a pretty big change in certmonger to be able to use passed-in
>> credentials?
> 
> Yes, I guess. However, we can use the current Dogtag backend for our CA
> and certmonger for other CAs until that is implemented.
> 
>> How will those work in the two-step case?
> 
> What do you mean?

This question was based on my misunderstanding how certmonger would be
called via D-Bus. You'd have had to correlate a status request with an
existing certmonger request in some way, but since you aren't creating
one it's a no-op.

I think this is interesting in theory but I fear it is going to make a
complex process even more complex.

It does raise the interesting possibility of removing the need to store
the RA credentials in the Apache NSS database and to me that is the
bigger win.

rob



Re: [Freeipa-devel] [PATCHES] 0753-0759

2016-01-06 Thread Rob Crittenden
Petr Viktorin wrote:
> Hello,
> 
> Patches 0753-0757 fix remaining warnings from `pylint --py3k`, except
> "no-absolute-import" (which seems redundant to me) and the ones in
> contrib/RHEL4.
> 
> As for contrib/RHEL4, I found a mail [0] from 2013 saying it hasn't been
> used for a long time and probably doesn't work. Since then it's for
> example been changed to use ipapython.dn, which I'd bet no one checks
> for Python 2.5 compatibility. Since this seems to be untested and
> non-working code, I'm sending a patch to remove it. But if that's not
> wanted tell me, and I'll skip pylint --py3k checks there instead.
> 
> The last patch adds py3k lint check  to make-lint. It's a bit
> cumbersome, since pylint doesn't allow running regular checkers and the
> py3k ones at the same time, but it allows you to run the check. As for
> whether to enable --py3k by default, or run it on every package build,
> I'd like to defer the decision to core devs. (Is CI good enough nowadays
> to only run it there?)
> 
> 
> [0] https://www.redhat.com/archives/freeipa-users/2013-July/msg00055.html
> 
> 
> 

My only nit would be to remove contrib/RHEL4 as being deprecated rather
than lack of testing against some old version. It just configures ldap
and Kerberos via authconfig so unless the discovery failed it would
likely still work fairly well, but clearly it isn't being maintained so
I'd remove it for that reason for historical purposes.

rob



[Freeipa-devel] [PATCHES] 0753-0759

2016-01-06 Thread Petr Viktorin
Hello,

Patches 0753-0757 fix remaining warnings from `pylint --py3k`, except
"no-absolute-import" (which seems redundant to me) and the ones in
contrib/RHEL4.

As for contrib/RHEL4, I found a mail [0] from 2013 saying it hasn't been
used for a long time and probably doesn't work. Since then it's for
example been changed to use ipapython.dn, which I'd bet no one checks
for Python 2.5 compatibility. Since this seems to be untested and
non-working code, I'm sending a patch to remove it. But if that's not
wanted tell me, and I'll skip pylint --py3k checks there instead.

The last patch adds py3k lint check  to make-lint. It's a bit
cumbersome, since pylint doesn't allow running regular checkers and the
py3k ones at the same time, but it allows you to run the check. As for
whether to enable --py3k by default, or run it on every package build,
I'd like to defer the decision to core devs. (Is CI good enough nowadays
to only run it there?)


[0] https://www.redhat.com/archives/freeipa-users/2013-July/msg00055.html

-- 
Petr Viktorin
From 576d4ac726659f9c3bf1440d1d9ea3b002f749c4 Mon Sep 17 00:00:00 2001
From: Petr Viktorin 
Date: Tue, 5 Jan 2016 13:36:15 +0100
Subject: [PATCH] Don't index exceptions directly

In Python 3, exceptions don't behave as tuples of their arguments;
instead of e[1] it's necessary to use e.args[1].
---
 ipalib/cli.py   | 4 ++--
 ipalib/plugins/vault.py | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/ipalib/cli.py b/ipalib/cli.py
index 3b1b5a39371845d59bab07ac2fc32de598a469be..5398b7e7a8d5e0bfd72ef0638994968f8ae35c7c 100644
--- a/ipalib/cli.py
+++ b/ipalib/cli.py
@@ -1291,14 +1291,14 @@ class cli(backend.Executioner):
 except IOError as e:
 raise ValidationError(
 name=to_cli(p.cli_name),
-error='%s: %s:' % (fname, e[1])
+error='%s: %s:' % (fname, e.args[1])
 )
 elif p.stdin_if_missing:
 try:
 raw = sys.stdin.read()
 except IOError as e:
 raise ValidationError(
-name=to_cli(p.cli_name), error=e[1]
+name=to_cli(p.cli_name), error=e.args[1]
 )
 
 if raw:
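Review bot: `e.args[1]` is only defined when the IOError was raised by the runtime with `(errno, strerror)` arguments; an IOError raised with a single message has `args` of length 1 and this line then raises IndexError, which is the same fragility `e[1]` had. `e.strerror` (None when not set) or `str(e)` covers both cases, and the same applies to the `stdin_if_missing` branch in this hunk.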
diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py
index 0cf6f1d2447716a469c9c5626fffba97419d8fdb..4d8419e75770dc4c8b856560cf6c1613a132f8c0 100644
--- a/ipalib/plugins/vault.py
+++ b/ipalib/plugins/vault.py
@@ -221,7 +221,7 @@ def validated_read(argname, filename, mode='r', encoding=None):
 raise errors.ValidationError(
 name=argname,
 error=_("Cannot read file '%(filename)s': %(exc)s") % {
-'filename': filename, 'exc': exc[1]
+'filename': filename, 'exc': exc.args[1]
 }
 )
 except UnicodeError as exc:
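Review bot: same point as in cli.py: `exc.args[1]` assumes a two-element args tuple. For the IOError from `open()` that holds, but `exc.strerror` says what is meant and does not raise IndexError for a single-argument IOError.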
@@ -1547,7 +1547,7 @@ class vault_archive(PKQuery, Local):
 except OSError as exc:
 raise errors.ValidationError(name="in", error=_(
 "Cannot read file '%(filename)s': %(exc)s")
-% {'filename': input_file, 'exc': exc[1]})
+% {'filename': input_file, 'exc': exc.args[1]})
 if stat.st_size > MAX_VAULT_DATA_SIZE:
 raise errors.ValidationError(name="in", error=_(
 "Size of data exceeds the limit. Current vault data size "
-- 
2.5.0

From b76b2e9fac3c44cdf41f071f647ed9c520e6a0f5 Mon Sep 17 00:00:00 2001
From: Petr Viktorin 
Date: Tue, 5 Jan 2016 13:39:39 +0100
Subject: [PATCH] Use print_function future definition wherever print() is used

Pylint considers `print` a statement if the __future__ import is
not present, even if it's used like a function with one argument.

Add the __future__ import to files `pylint --py3k` complains about.
---
 doc/examples/python-api.py | 1 +
 ipaserver/install/server/common.py | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/doc/examples/python-api.py b/doc/examples/python-api.py
index 8c79dc4cac0c170a577ed1b5f90fa5f268401559..0a6eb60efa84102ce0571277c1698664b1865619 100755
--- a/doc/examples/python-api.py
+++ b/doc/examples/python-api.py
@@ -19,6 +19,7 @@
 # along with this program.  If not, see .
 #
 
+from __future__ import print_function
 from ipalib import api
 
 # 1. Initialize ipalib
diff --git a/ipaserver/install/server/common.py b/ipaserver/install/server/common.py
index 637e5664348bf3b7f2e4f2a867b8ecb224ccf388..277e839c3691a5ec8865684eedbfadf1984d7526 100644
--- a/ipaserver/install/server/common.py
+++ b/ipaserver/install/server/common.py
@@ -2,6 +2,8 @@
 # Copyright (C) 2015  FreeIPA Contributors see COPYING for license
 #
 
+from __future__ import print_function
+
 import os
 import sys
 
-- 
2.5.0

From b1cb55fef50cc86d91f2f3dfd82feb30e48419f6 Mon 
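An added example (written for this page, not part of the patches) of what the first patch's commit message describes: on Python 3 an exception is no longer indexable, `e.args[1]` works only when the runtime built the exception with an `(errno, strerror)` pair, and `e.strerror` is the attribute that carries the message in every case. The missing path is created with tempfile so the block runs anywhere; the helper names are assumptions.

```python
"""Python 3 exceptions are not tuples: e[1] vs e.args[1] vs e.strerror."""
import errno
import os
import tempfile

# On Python 3 IOError is just another name for OSError.
SAME_TYPE = IOError is OSError


def legacy_index(exc: BaseException):
    """The pre-patch idiom e[1]; returns the name of the error it raises on Python 3."""
    try:
        return exc[1]
    except TypeError as err:
        return type(err).__name__


def args_index(exc: BaseException):
    """The patched idiom e.args[1]; None when args is too short for it."""
    try:
        return exc.args[1]
    except IndexError:
        return None


def describe(exc: OSError) -> str:
    """Prefer the documented attribute; fall back to the message."""
    return exc.strerror or str(exc)


def read_or_error(path: str):
    """Return (content, None) or (None, description) without propagating OSError."""
    try:
        with open(path) as fh:
            return fh.read(), None
    except OSError as exc:
        return None, describe(exc)


def missing_path() -> str:
    """A path that cannot exist: inside a temp dir that is removed on return."""
    with tempfile.TemporaryDirectory() as tmpdir:
        return os.path.join(tmpdir, "no-such-file")


if __name__ == "__main__":
    from_runtime = OSError(errno.ENOENT, os.strerror(errno.ENOENT), "x")
    from_code = IOError("disk on fire")
    print("e[1]       :", legacy_index(from_runtime))
    print("e.args[1]  :", args_index(from_runtime), "|", args_index(from_code))
    print("e.strerror :", describe(from_runtime), "|", describe(from_code))
    print("open()     :", read_or_error(missing_path()))
```

`args_index(from_code)` is None: the patched code would raise IndexError there, one exception hiding another, exactly the situation that produces the unhelpful error messages complained about elsewhere in this thread.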

Re: [Freeipa-devel] [PATCH 0018] Fixed install_ca and install_kra failures at domain level 0

2016-01-06 Thread Martin Basti
I cannot apply your patch on the master branch, missing blobs; can you 
rebase please?


On 06.01.2016 11:47, Oleg Fayans wrote:

Any chance this patch can be merged this week?

On 12/14/2015 02:08 PM, Oleg Fayans wrote:

Hi Martin,

On 12/11/2015 05:58 PM, Martin Basti wrote:


On 11.12.2015 17:28, Oleg Fayans wrote:

+myre = re.compile(".*Backed up to (?P.*?)\n.*")

IMO this regexp is not good.

1)
please name it better than "myre"

Done


2)
initial '.*' is not needed because regexp does not start with '^' and
you use search() later

3)

trailing '.*' is not needed as well, because it does not end with '$'

4)
You can use re.MULTILINE that will parse string per lines

path_re = re.compile("^Backed up to (?P.*)$", re.MULTILINE)

Used it, thanks!


5)
+matched = myre.search(result.stdout_text + result.stderr_text)
Why do you need search in both stderr and stdout?

Because of this bug: https://fedorahosted.org/freeipa/ticket/5484


Martin^2







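An added example (not code from the patch under review or from FreeIPA) that puts the two regexes discussed above side by side on constructed ipa-backup-like output. The group name `path` is my choice, since the name used in the patch was lost in the archive; the sample output text is constructed. It shows what review item 4 buys: the anchored `re.MULTILINE` pattern also matches when the "Backed up to" line is the last line and has no trailing newline, which the original `\n.*` tail requires, and why the two streams should be searched separately rather than concatenated.

```python
import re

# Review item 4: anchor per line with re.MULTILINE.
# The group name "path" is my choice (assumption).
BACKUP_PATH_RE = re.compile(r"^Backed up to (?P<path>.*)$", re.MULTILINE)

# The shape of the original pattern from the patch, kept only for comparison.
LEGACY_RE = re.compile(r".*Backed up to (?P<path>.*?)\n.*")


def find_backup_path(stdout_text: str, stderr_text: str):
    """Return the backup directory named in ipa-backup output, or None.

    Both streams are searched because of ticket 5484 (the message may be
    printed on stderr), but each stream on its own: concatenating them can
    glue stderr's first line onto stdout's last one, and then '^' no longer
    matches in front of "Backed up to".
    """
    for text in (stdout_text, stderr_text):
        match = BACKUP_PATH_RE.search(text)
        if match:
            return match.group("path")
    return None


def find_backup_path_legacy(stdout_text: str, stderr_text: str):
    """Same lookup with the original pattern on the concatenated streams.

    The trailing '\\n.*' means the line must be followed by a newline, so the
    lookup fails when "Backed up to ..." is the final line without one.
    """
    match = LEGACY_RE.search(stdout_text + stderr_text)
    return match.group("path") if match else None


# Constructed sample output resembling ipa-backup's messages.
SAMPLE_STDOUT = (
    "Preparing backup on ipa.example.test\n"
    "Stopping IPA services\n"
    "Backed up to /var/lib/ipa/backup/ipa-full-2016-01-06-12-00-00\n"
    "Starting IPA services\n"
)

if __name__ == "__main__":
    print(find_backup_path(SAMPLE_STDOUT, ""))
    # Last line, no trailing newline: anchored pattern still finds it.
    print(find_backup_path("", "Backed up to /tmp/b"))
    print(find_backup_path_legacy("", "Backed up to /tmp/b"))
```

Searching stdout first and stderr second also fixes the order of precedence explicitly, which the concatenated search only got by accident.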


Re: [Freeipa-devel] certmonger everywhere

2016-01-06 Thread Jan Cholasta

On 4.1.2016 19:57, Rob Crittenden wrote:

Jan Cholasta wrote:

On 16.12.2015 01:40, Fraser Tweedale wrote:

I'm not proposing to change cert-request to a client side command - I'm
proposing to change the way cert-request is handled *on the server*.
This way we can keep all the configuration on the server and make
changes to it without having to reconfigure all clients.

This is how I envision the workflow:

  1. client requests a certificate with "getcert request", using "IPA" as
the CA and, optionally, a string identifying the sub-CA (for the lack of
better term)

  2. "getcert request" forwards the request to certmonger over D-Bus and
exits

  3. certmonger creates CSR for the request

  4. certmonger executes the IPA CA helper to handle the request

  5. the IPA CA helper calls the cert-request command on the server over
RPC, using local host credentials for authentication

  6. cert-request on the server validates the request

  7. cert-request fetches the configuration for the specified sub-CA, or
the default sub-CA if none was specified, from LDAP

  8. cert-request forwards the request to the certmonger CA helper
specified in the LDAP configuration over D-Bus (this is the D-Bus method
that currently does not exist and needs to be implemented)

  9. certmonger executes the specified CA helper to handle the request

  10. the CA helper requests the certificate from the CA and returns
either the certificate, wait delay or error

  11. certmonger returns the result back to cert-request

  12. cert-request returns the result back to IPA CA helper on the client

  13. the IPA CA helper on the client returns the result back to certmonger

  14. if the result was wait delay, certmonger waits and then retries the
request from step 4, otherwise it stores the certificate or sets error
status



I guess this would work but I think you'd have quite a difficult time
returning usable error messages to a user (and they are pretty bad now
in cert-request).


I don't see why, error messages can be easily passed between all the 
involved interfaces.




I assume that a CSR can be seeded into the certmonger request process
but I've never tried it myself. Do you know if it works?

I really wonder how the case of delayed issuance would be handled. Would
you leave the server-side certmonger request to idle until the second
step was handled? Wouldn't this have the potential to have an
unmanageable number of certmonger requests? It gets confusing enough for
users for the 8 typical tracked certs, what about hundreds?


See step 8: there won't be any new certmonger requests, everything will 
be forwarded directly to the proper certmonger CA helper using a new 
D-Bus call.




If you want to eventually use the requestors credentials won't this
require a pretty big change in certmonger to be able to use passed-in
credentials?


Yes, I guess. However, we can use the current Dogtag backend for our CA 
and certmonger for other CAs until that is implemented.



How will those work in the two-step case?


What do you mean?

--
Jan Cholasta

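An added example, not code from certmonger or FreeIPA, that models steps 10 and 14 of the workflow described above: a CA helper answers with a certificate, a wait delay plus an opaque cookie, or an error, and the caller sleeps and polls until it gets a final answer. The exit-status numbers follow certmonger's CA-helper convention as I remember it (0 issued, 1 wait, 2 rejected, 3 unreachable, 4 unconfigured, 5 wait with delay), and the "first line of stdout is the delay, the rest is the cookie" layout for status 5 is likewise my reading of that convention, so treat both as assumptions. `ToyCA`, the 60 second fallback poll interval, the `max_rounds` cut-off and the sample CSR string are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Tuple

# certmonger CA-helper exit statuses (values as I remember certmonger's
# helper convention; assumption, check submit.h before relying on them).
ISSUED, WAIT, REJECTED, UNREACHABLE, UNCONFIGURED, WAIT_WITH_DELAY = 0, 1, 2, 3, 4, 5

HelperCall = Callable[[str], Tuple[int, str]]   # (exit status, stdout)


@dataclass
class HelperResult:
    status: int
    cert_pem: str = ""   # set for ISSUED
    delay: int = 0       # seconds to wait, set for WAIT_WITH_DELAY
    cookie: str = ""     # opaque state handed back on the next poll
    error: str = ""      # reason text for REJECTED/UNREACHABLE/UNCONFIGURED


def parse_helper_output(status: int, stdout: str) -> HelperResult:
    """Interpret one helper run the way the caller in step 14 has to.

    Assumed layout: ISSUED -> stdout is the PEM certificate; WAIT -> stdout
    is the cookie; WAIT_WITH_DELAY -> first line is the delay in seconds and
    the rest is the cookie; any other status -> stdout is an error message
    that is passed back to the requester unchanged (step 11/12).
    """
    if status == ISSUED:
        return HelperResult(ISSUED, cert_pem=stdout)
    if status == WAIT:
        return HelperResult(WAIT, cookie=stdout.strip())
    if status == WAIT_WITH_DELAY:
        first, _, rest = stdout.partition("\n")
        return HelperResult(WAIT_WITH_DELAY, delay=int(first.strip()), cookie=rest.strip())
    return HelperResult(status, error=stdout.strip())


class ToyCA:
    """Constructed stand-in for the CA behind the helper in step 10.

    It defers every request and only issues after `approvals_needed` polls,
    which is the two-step (deferred approval) case the thread worries about.
    """

    def __init__(self, approvals_needed: int):
        self.approvals_needed = approvals_needed
        self.polls = {}

    def submit(self, csr: str) -> Tuple[int, str]:
        if "CN=" not in csr:
            return REJECTED, "request has no subject"
        req_id = "req-%d" % (len(self.polls) + 1)
        self.polls[req_id] = 0
        return WAIT_WITH_DELAY, "30\n%s" % req_id

    def poll(self, cookie: str) -> Tuple[int, str]:
        if cookie not in self.polls:
            return REJECTED, "unknown request %s" % cookie
        self.polls[cookie] += 1
        if self.polls[cookie] < self.approvals_needed:
            return WAIT_WITH_DELAY, "30\n%s" % cookie
        return ISSUED, "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n"


def drive_request(csr: str, submit: HelperCall, poll: HelperCall,
                  sleep: Callable[[int], None], max_rounds: int = 10) -> HelperResult:
    """certmonger's side of step 14: SUBMIT once, then POLL with the cookie
    until the helper stops answering WAIT/WAIT_WITH_DELAY or we give up."""
    result = parse_helper_output(*submit(csr))
    rounds = 0
    while result.status in (WAIT, WAIT_WITH_DELAY):
        rounds += 1
        if rounds > max_rounds:
            return HelperResult(UNREACHABLE, error="gave up after %d polls" % max_rounds)
        sleep(result.delay if result.status == WAIT_WITH_DELAY else 60)
        result = parse_helper_output(*poll(result.cookie))
    return result


if __name__ == "__main__":
    ca = ToyCA(approvals_needed=2)
    print(drive_request("CN=host.example.test", ca.submit, ca.poll, lambda s: None))
```

Errors travel as plain status plus text through every hop, which is what the reply above relies on: nothing in the chain needs to understand the message, only to pass it through unchanged.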


Re: [Freeipa-devel] [PATCH 155] ipa-kdb: get_authz_data_types() make sure entry can be NULL

2016-01-06 Thread Petr Spacek
On 6.1.2016 12:15, Sumit Bose wrote:
> Hi,
> 
> this patch fixes an issue found by Simo when he called
> get_authz_data_types() with the second argument being NULL.
> This function determines which type of authorization data should be
> added to the Kerberos ticket. There are global defaults and it is
> possible to configure this per service as well. The second argument is
> the database entry of a service. If no service is given it makes sense
> to return the global defaults and most parts of get_authz_data_types()
> handle this case well and this patch fixes the remaining issue and adds a
> test for this as well.
> 
> Please note that currently get_authz_data_types() is used in a code path
> where the service entry is expected to be not NULL and it turned out
> that in Simo's case it will be non-NULL as well. Nevertheless the patch
> makes the code more robust and makes the future use of
> get_authz_data_types() safer.
> 
> bye,
> Sumit

Nitpick without looking at the code:
It would be good to include the text above (or a variant of it) in the commit
message. The person doing software archaeology some years from now will
appreciate it :-)

-- 
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH 536] ipapython: remove default_encoding_utf8

2016-01-06 Thread Christian Heimes
On 2016-01-05 11:30, Tomas Babej wrote:
> 
> 
> On 01/05/2016 08:54 AM, Jan Cholasta wrote:
>> Hi,
>>
>> the attached patch replaces the default_encoding_utf8 binary module with
>> 2 lines of equivalent Python code.
>>
>> Honza
>>
>>
>>
> 
> This looks fine to me, however, I wonder, why this approach was ever
> taken? The sys.setdefaultencoding is available in all versions of Python
> ever supported by FreeIPA.
> 
> Is it possible we're missing something here? Or was this option simply
> overlooked?

sys.setdefaultencoding() is not available unless you use a hack and
reload the sys module. The function is hidden for a very good reason. It
can and will break internal assumptions as well as libraries in bad, hard
to detect ways. For example it wreaks havoc on hashing for dicts and sets.

The blog posting
https://anonbadger.wordpress.com/2015/06/16/why-sys-setdefaultencoding-will-break-code/
explains the problem in much greater detail.




[Freeipa-devel] [PATCH 155] ipa-kdb: get_authz_data_types() make sure entry can be NULL

2016-01-06 Thread Sumit Bose
Hi,

this patch fixes an issue found by Simo when he called
get_authz_data_types() with the second argument being NULL.
This function determines which type of authorization data should be
added to the Kerberos ticket. There are global defaults and it is
possible to configure this per service as well. The second argument is
the database entry of a service. If no service is given it makes sense
to return the global defaults and most parts of get_authz_data_types()
handle this case well and this patch fixes the remaining issue and adds a
test for this as well.

Please note that currently get_authz_data_types() is used in a code path
where the service entry is expected to be not NULL and it turned out
that in Simo's case it will be non-NULL as well. Nevertheless the patch
makes the code more robust and makes the future use of
get_authz_data_types() safer.

bye,
Sumit
From ac3468375a71da08d1437362caabae4504c87386 Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Wed, 16 Dec 2015 12:37:50 +0100
Subject: [PATCH] ipa-kdb: get_authz_data_types() make sure entry can be NULL

---
 daemons/ipa-kdb/ipa_kdb_mspac.c   | 2 +-
 daemons/ipa-kdb/tests/ipa_kdb_tests.c | 8 
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 
8594309dbd27b45abda68de5f7ebf0c31e16904d..daa42e369014f2ed401742474453ebb1aadef07c
 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -2005,7 +2005,7 @@ void get_authz_data_types(krb5_context context, 
krb5_db_entry *entry,
 service_specific = false;
 authz_data_type = authz_data_list[c];
 sep = strchr(authz_data_list[c], ':');
-if (sep != NULL) {
+if (sep != NULL && entry != NULL) {
 if (entry->princ == NULL) {
 krb5_klog_syslog(LOG_ERR, "Missing principal in database "
   "entry, no authorization data will " 
\
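Review bot: with `entry == NULL`, a list item that contains ':' now skips the service-specific branch but leaves `authz_data_type` pointing at the full `name:type` string set two lines earlier, so whatever comparison follows this hunk sees the prefix as well unless it is reset there; an explicit `else if (sep != NULL) continue;` (or at least a comment) would make the intent, ignore service-specific items when computing the global default, visible in the code instead of relying on a later match failing. Also, the commit message has only a subject line; the explanation from the cover mail (why a NULL entry should yield the global defaults, and that the current caller never passes NULL) belongs in the commit body, as Petr Spacek asked.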
diff --git a/daemons/ipa-kdb/tests/ipa_kdb_tests.c 
b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
index 
0811972d3bb306e86a97d3c979a8e5cd0182cadd..1220d889ef76929161846dd41fa49df79b7b46f3
 100644
--- a/daemons/ipa-kdb/tests/ipa_kdb_tests.c
+++ b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
@@ -410,6 +410,14 @@ void test_get_authz_data_types(void **state)
 get_authz_data_types(test_ctx->krb5_ctx, entry, &with_pac, &with_pad);
 assert_true(with_pad == test_set[c].exp_with_pad);
 assert_true(with_pac == test_set[c].exp_with_pac);
+
+/* test if global default are returned if there is no server entry */
+if (test_set[c].authz_data == NULL && test_set[c].princ == NULL) {
+get_authz_data_types(test_ctx->krb5_ctx, NULL, &with_pac,
+   &with_pad);
+assert_true(with_pad == test_set[c].exp_with_pad);
+assert_true(with_pac == test_set[c].exp_with_pac);
+}
 }
 
 free(ied);
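Review bot: the new NULL-entry check only runs for test cases where both `authz_data` and `princ` are NULL, that is, cases with no service-specific `name:type` item to begin with, so the guard added in ipa_kdb_mspac.c (`sep != NULL && entry != NULL`) is not exercised by this test at all. Add a case whose authz_data list contains an item with ':' and call `get_authz_data_types(test_ctx->krb5_ctx, NULL, ...)` on it, asserting that the global defaults come back, since that is exactly the path the fix is for.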
-- 
2.4.3


[Freeipa-devel] replica promotion testplan review

2016-01-06 Thread Oleg Fayans
Hi!

Could you guys take a look at
http://www.freeipa.org/page/V4/Replica_Promotion/Test_plan once again to
see if it lacks something important

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



Re: [Freeipa-devel] [PATCH 0018] Fixed install_ca and install_kra failures at domain level 0

2016-01-06 Thread Oleg Fayans
Any chance this patch can be merged this week?

On 12/14/2015 02:08 PM, Oleg Fayans wrote:
> Hi Martin,
> 
> On 12/11/2015 05:58 PM, Martin Basti wrote:
>>
>>
>> On 11.12.2015 17:28, Oleg Fayans wrote:
>>> +myre = re.compile(".*Backed up to (?P.*?)\n.*")
>>
>> IMO this regexp is not good.
>>
>> 1)
>> please name it better than "myre"
> 
> Done
> 
>>
>> 2)
>> initial '.*' is not needed because regexp does not start with '^' and
>> you use search() later
>>
>> 3)
>>
>> trailing '.*' is not needed as well, because it does not end with '$'
>>
>> 4)
>> You can use re.MULTILINE that will parse string per lines
>>
>> path_re = re.compile("^Backed up to (?P.*)$", re.MULTILINE)
> 
> Used it, thanks!
> 
>>
>> 5)
>> +matched = myre.search(result.stdout_text + result.stderr_text)
>> Why do you need search in both stderr and stdout?
> 
> Because of this bug: https://fedorahosted.org/freeipa/ticket/5484
> 
>>
>> Martin^2
>>
>>
> 
> 
> 

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



Re: [Freeipa-devel] [PATCH 027] Require Dogtag 10.2.6-13 to fix KRA uninstall

2016-01-06 Thread Martin Babinsky

On 01/05/2016 01:49 PM, Lukas Slebodnik wrote:

On (05/01/16 12:24), Christian Heimes wrote:

The combination of a bug in Dogtag's sslget command and a new feature
in mod_nss causes an incomplete uninstallation of KRA. The bug has been
fixed in Dogtag 10.2.6-13.


and it is in Fedora 23 stable for a week
https://bodhi.fedoraproject.org/updates/FEDORA-2015-c7dd78ac78

LS


https://fedorahosted.org/freeipa/ticket/5469
https://fedorahosted.org/pki/ticket/1704

Signed-off-by: Christian Heimes 




ipa-kra-install can be uninstalled and XMLRPC tests are also happy.

ACK.

--
Martin^3 Babinsky



Re: [Freeipa-devel] [PATCH 559] Fix kadmin for new users

2016-01-06 Thread Petr Vobornik

On 01/06/2016 08:42 AM, Martin Kosek wrote:

On 01/06/2016 08:37 AM, Martin Babinsky wrote:

On 11/25/2015 03:41 PM, Martin Kosek wrote:

On 11/25/2015 03:32 PM, Simo Sorce wrote:

On Wed, 2015-11-25 at 14:13 +0100, Tomas Babej wrote:


On 11/25/2015 02:13 PM, Tomas Babej wrote:



On 11/25/2015 02:00 PM, Martin Babinsky wrote:

On 11/24/2015 11:32 PM, Simo Sorce wrote:

Ticket #937 was reopened a while ago because one corner case, new users
that have never been assigned a password cause kadmin/kadmin.local to
throw a fit when they try to visualize information about those user's
principals.

This patch fakes up modification information when no krbExtraData is
available for the principal so that kadmin is happy.

Tested and working as designed.

Simo.




ACK



Pushed to master: 0f52eddd1d2781ccc1941c191e9ab6e3ccf6919d



On a related note, should we backport this to later branches?


It wouldn't hurt, it should apply straight to any 4.x and probably
latest 3.x branches too.


I would not fix anything older than FreeIPA 4.1.x which is in F22, which is the
oldest supported Fedora (or rather will be, one month after F23 GA).



https://fedorahosted.org/freeipa/ticket/937 is included in 4.2.4 milestone with
priority critical. Shouldn't we backport the patch to ipa-4-2 branch?


We should... Petr?



Right, that's why it is in 4.2.4.
--
Petr Vobornik
