Re: [Freeipa-devel] [PATCH] 0046 Create server certs with DNS altname
On Tue, Jul 19, 2016 at 02:21:05PM +0200, Martin Basti wrote: > > > On 01.07.2016 13:26, Petr Spacek wrote: > > On 20.1.2016 05:04, Fraser Tweedale wrote: > > > On Tue, Dec 08, 2015 at 07:06:39PM +1000, Fraser Tweedale wrote: > > > > On Mon, Dec 07, 2015 at 05:50:05PM -0500, Rob Crittenden wrote: > > > > > Fraser Tweedale wrote: > > > > > > On Mon, Dec 07, 2015 at 01:53:15PM +0100, Martin Kosek wrote: > > > > > > > On 12/07/2015 06:26 AM, Fraser Tweedale wrote: > > > > > > > > The attached patch fixes > > > > > > > > https://fedorahosted.org/freeipa/ticket/4970. > > > > > > > > > > > > > > > > Note that the problem is addressed by adding the appropriate > > > > > > > > request > > > > > > > > extension to the CSR; the fix does not involve changing the > > > > > > > > default > > > > > > > > profile behaviour, which is complicated (see ticket for > > > > > > > > details). > > > > > > > Thanks for the patch! This is something we should really fix, I > > > > > > > already get > > > > > > > warnings in my Python scripts when I hit sites protected by such > > > > > > > HTTPS cert: > > > > > > > > > > > > > > /usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:264: > > > > > > > SubjectAltNameWarning: Certificate for > > > > > > > projects.engineering.redhat.com has no > > > > > > > `subjectAltName`, falling back to check for a `commonName` for > > > > > > > now. This > > > > > > > feature is being removed by major browsers and deprecated by RFC > > > > > > > 2818. (See > > > > > > > https://github.com/shazow/urllib3/issues/497 for details.) > > > > > > > > > > > > > > Should we split ticket 4970, for the FreeIPA server part and then > > > > > > > for cert > > > > > > > profile part? As it looks like the FreeIPA server will be fixed > > > > > > > even in FreeIPA > > > > > > > 4.3.x and the other part later. > > > > > > > > > > > > > > How difficult do you see the general FreeIPA Certificate Profile > > > > > > > part of this > > > > > > > request? Is it a too big task to handle in 4.4 time frame? > > > > > > > > > > > > > I will split the ticket and would suggest 4.4 Backlog - it might be > > > > > > doable but is a lower priority than e.g. Sub-CAs. > > > > > If you are going to defer the profile part then you should probably > > > > > update the client to also include a SAN if --request-cert is provided. > > > > > > > > > > rob > > > > > > > > > Yes, good idea. Updated patch attached. > > > > > > > > Cheers, > > > > Fraser > > > Bump, with rebased patch. > > Hi, > > > > this seems to work for Apache on IPA server & client cert. ACK. > Pushed to master: b12db924143cd6828c596c0b8a261325f3f589f3 > > > > > Interestingly enough I found out that Dogtag cert used on port 8443 does not > > have any SAN. > > > > Is it in scope of this ticket? > I will leave the ticket open until this is answered. > It's in scope. Also in scope is to make default profile automatically add SAN dNSName if none is supplied. Thanks, Fraser > Martin^2 > > > > -- > Manage your subscription for the Freeipa-devel mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-devel > Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [DESIGN] Text-based rules for CSR autogeneration using Jinja2
Hi, I have updated the design page http://www.freeipa.org/page/V4/Automatic_Certificate_Request_Generation/Mapping_Rules with my plan for implementing user-configurable rules for mapping IPA data into certificate requests. In brief: we will use Jinja2 for templating. Data rules (which map individual data items) and syntax rules (which group them into certificate fields) will both be snippets of Jinja2 markup. The formatting process will be as follows: 1. Syntax rules will be rendered using Jinja2. Data rules (rule text, not rendered) will be passed as the datarules attribute. 2. Rendered syntax rules will be processed by the Formatter class for the selected CSR generation helper (e.g. openssl or certutil). The formatter combines these partial rules into a full template for the config. 3. The template will be rendered using Jinja2. Relevant data from the IPA database will be available in the context for this rendering. 4. The final rendered template will be returned to the caller, labeled with its function (e.g. a command line or a config file). Are there any comments or objections to this approach? Here's an example to show what it might look like in practice. Example data rules: email={{subject.email}} O={{config.ipacertificatesubjectbase}}\nCN={{subject.username}} Example syntax rule: subjectAltName=@{% section %}{{datarules|join('\n')}}{% endsection %} Example composed config template: [ req ] prompt = no encrypt_key = no distinguished_name = {% section %}O={{config.ipacertificatesubjectbase}} CN={{subject.username}}{% endsection %} req_extensions = exts [ exts ] subjectAltName=@{% section %}email={{subject.email}}{% endsection %} There's a lot more information about the thinking behind this at http://blog.benjaminlipton.com/2016/07/19/csr-generation-templating.html if you're interested, as well. Thanks, Ben -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [PATCH 0001][Tests] Fix for dns_plugin tests
Greetings! Fix for ipatests/test_xmlrpc/test_dns_plugin.py (test_forwardzone_delegation_warnings.test) You can't have a DNS zone with the authoritative nameserver that does not have a A or record in the local DNS. Since in some test environments primary hostname of the master is managed by an external DNS, this hostname can not be used as a NS-record for IPA-managed zones. Therefore another existing fqdn corresponding to the master's ip and managed by IPA DNS was used. Best regards, Ganna Kaihorodova Associate Software Quality Engineer From 23104798f8350966bec3637396a85b528a47a9f4 Mon Sep 17 00:00:00 2001 From: Ganna Kaihorodova Date: Mon, 18 Jul 2016 19:10:17 +0200 Subject: [PATCH 1/2] You can't have a dns zone with the authoritative nameserver that does not have a A or record in the local DNS. Since in some test environments primary hostname of the master is managed by an external DNS, this hostname can not be used as a ns-record for IPA-managed zones. Therefore another existing fqdn corresponding to the master's ip and managed by IPA DNS was used --- ipatests/test_xmlrpc/test_dns_plugin.py | 15 --- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/ipatests/test_xmlrpc/test_dns_plugin.py b/ipatests/test_xmlrpc/test_dns_plugin.py index f3484166dd3c5986978d89ca64589960b3d12338..038d17e9debc86a8e9afcadcea30e7cee29bbd05 100644 --- a/ipatests/test_xmlrpc/test_dns_plugin.py +++ b/ipatests/test_xmlrpc/test_dns_plugin.py @@ -1,6 +1,6 @@ # Authors: # Pavel Zuna -# +# Ganna Kaihorodova # Copyright (C) 2010 Red Hat # see file 'COPYING' for use and warranty information # @@ -39,6 +39,7 @@ else: _dns_zone_record = DNSName(u'@') # default value of idnssoamname is local DNS server +self_server_ns_1 = normalize_zone("ipa-ca.%s" % api.env.domain) self_server_ns = normalize_zone(api.env.host) self_server_ns_dnsname = DNSName(self_server_ns) @@ -5078,7 +5079,7 @@ class test_forwardzone_delegation_warnings(Declarative): desc='Delegate zone %r from zone %r using NS record' % ( zone1_sub_fw, zone1_sub), command=('dnsrecord_add', [zone1_sub, u'fw'], - {'nsrecord': self_server_ns}), + {'nsrecord': self_server_ns_1}), expected={ 'value': DNSName(u'fw'), 'summary': None, @@ -5086,7 +5087,7 @@ class test_forwardzone_delegation_warnings(Declarative): 'objectclass': objectclasses.dnsrecord, 'dn': DN(('idnsname', u'fw'), zone1_sub_dn), 'idnsname': [DNSName(u'fw')], -'nsrecord': [self_server_ns], +'nsrecord': [self_server_ns_1], }, }, ), @@ -5206,7 +5207,7 @@ class test_forwardzone_delegation_warnings(Declarative): desc='Delegate zone %r from zone %r using NS record' % ( zone1_sub2_fw, zone1_sub), command=('dnsrecord_add', [zone1_sub, u'fw.sub2'], - {'nsrecord': self_server_ns}), + {'nsrecord': self_server_ns_1}), expected={ 'value': DNSName(u'fw.sub2'), 'summary': None, @@ -5214,7 +5215,7 @@ class test_forwardzone_delegation_warnings(Declarative): 'objectclass': objectclasses.dnsrecord, 'dn': DN(('idnsname', u'fw.sub2'), zone1_sub_dn), 'idnsname': [DNSName(u'fw.sub2')], -'nsrecord': [self_server_ns], +'nsrecord': [self_server_ns_1], }, }, ), @@ -5291,7 +5292,7 @@ class test_forwardzone_delegation_warnings(Declarative): desc='Delegate zone %r from zone %r using NS record' % ( zone1_sub2_fw, zone1), command=('dnsrecord_add', [zone1, u'fw.sub2.sub'], - {'nsrecord': self_server_ns}), + {'nsrecord': self_server_ns_1}), expected={ 'value': DNSName(u'fw.sub2.sub'), 'summary': None, @@ -5299,7 +5300,7 @@ class test_forwardzone_delegation_warnings(Declarative): 'objectclass': objectclasses.dnsrecord, 'dn': DN(('idnsname', u'fw.sub2.sub'), zone1_dn), 'idnsname': [DNSName(u'fw.sub2.sub')], -'nsrecord': [self_server_ns], +'nsrecord': [self_server_ns_1], }, }, ), -- 2.7.4 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0553] CI tests: improve log collecting in tests
On 19.07.2016 16:18, Martin Basti wrote: Patch attached. self-NACK, my assumptions were wrong, this doesn't work if any of log files do not exist -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0032] Secure permission and cleanup Custodia server.keys
On 12.07.2016 16:45, Christian Heimes wrote: Custodia's server.keys file contain the private RSA keys for encrypting and signing Custodia messages. The file was created with permission 644 and is only secured by permission 700 of the directory /etc/ipa/custodia. The installer and upgrader ensure that the file has 600. The server.keys file and all keys are now removed when during uninstallation of a server, too. https://bugzilla.redhat.com/show_bug.cgi?id=1353936 https://fedorahosted.org/freeipa/ticket/6015 https://fedorahosted.org/freeipa/ticket/6056 NACK ipa-server-install --uninstall doesn't work 2016-07-19T15:00:34Z INFO Remove Custodia keys 2016-07-19T15:00:34Z DEBUG Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 91, in _handle_exception super(Continuous, self)._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 446, in _handle_exception super(ComponentBase, self)._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner step() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in step = lambda: next(self.__gen) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 71, in _uninstall for nothing in self._uninstaller(self.parent): File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 1367, in main uninstall(self) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 265, in decorated func(installer) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 1075, in uninstall custodiainstance.CustodiaInstance().uninstall() File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 88, in uninstall self.__remove_keys() File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 74, in __remove_keys keystore.remove_server_keys() File "/usr/lib/python2.7/site-packages/ipapython/secrets/kem.py", line 224, in remove_server_keys self.remove_keys('host') File "/usr/lib/python2.7/site-packages/ipapython/secrets/kem.py", line 231, in remove_keys ldapconn.remove_key(KEY_USAGE_SIG, principal) File "/usr/lib/python2.7/site-packages/ipapython/secrets/kem.py", line 145, in remove_key conn = self.connect() File "/usr/lib/python2.7/site-packages/ipapython/secrets/common.py", line 38, in connect conn.sasl_interactive_bind_s('', auth_tokens) File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 244, in sasl_interactive_bind_s return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags) File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 106, in _ldap_call result = func(*args,**kwargs) SERVER_DOWN: {'desc': "Can't contact LDAP server"} -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [PATCH 0553] CI tests: improve log collecting in tests
Patch attached. From 55a4b4a47bd859194bfb3fc4ab6acde4f8086f6e Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Tue, 19 Jul 2016 12:09:29 +0200 Subject: [PATCH] CI tests: improve log collecting We should collect as much as possible relevant logs to be able do better investigation from test automation --- ipaplatform/base/paths.py | 1 + ipatests/test_integration/tasks.py | 60 +- 2 files changed, 47 insertions(+), 14 deletions(-) diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index d6fbe32f6839a5db40148777132ba1454cbc3382..4e9b41974541acc676c3f6b2399cbf8f5808642a 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py @@ -300,6 +300,7 @@ class BasePathNamespace(object): SLAPD_INSTANCE_ACCESS_LOG_TEMPLATE = "/var/log/dirsrv/slapd-%s/access" SLAPD_INSTANCE_ERROR_LOG_TEMPLATE = "/var/log/dirsrv/slapd-%s/errors" VAR_LOG_HTTPD_DIR = "/var/log/httpd" +VAR_LOG_HTTPD_ERROR = "/var/log/httpd/error_log" IPABACKUP_LOG = "/var/log/ipabackup.log" IPACLIENT_INSTALL_LOG = "/var/log/ipaclient-install.log" IPACLIENT_UNINSTALL_LOG = "/var/log/ipaclient-uninstall.log" diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py index 5ce2595c078e093adc3af024d41ddb5fb6892776..eabbee4dc6a1736842e5657ee596060a6f566430 100644 --- a/ipatests/test_integration/tasks.py +++ b/ipatests/test_integration/tasks.py @@ -47,6 +47,49 @@ from ipalib.constants import DOMAIN_LEVEL_0 log = log_mgr.get_logger(__name__) +def setup_server_logs_collecting(host): +""" +This function setup logs to be collected on host. We should collect all +possible logs that may be helpful to debug IPA server +""" +# dirsrv logs +inst = host.domain.realm.replace('.', '-') +host.collect_log(paths.SLAPD_INSTANCE_ERROR_LOG_TEMPLATE % inst) +host.collect_log(paths.SLAPD_INSTANCE_ACCESS_LOG_TEMPLATE % inst) + +# IPA install logs +host.collect_log(paths.IPASERVER_INSTALL_LOG) +host.collect_log(paths.IPACLIENT_INSTALL_LOG) +host.collect_log(paths.IPAREPLICA_INSTALL_LOG) +host.collect_log(paths.IPAREPLICA_CONNCHECK_LOG) +host.collect_log(paths.IPAREPLICA_CA_INSTALL_LOG) +host.collect_log(paths.IPACLIENT_INSTALL_LOG) +host.collect_log(paths.IPASERVER_KRA_INSTALL_LOG) +host.collect_log(paths.IPASERVER_CA_INSTALL_LOG) +host.collect_log(paths.IPA_CUSTODIA_AUDIT_LOG) + +# IPA uninstall logs +host.collect_log(paths.IPASERVER_KRA_UNINSTALL_LOG) +host.collect_log(paths.IPACLIENT_UNINSTALL_LOG) +host.collect_log(paths.IPASERVER_KRA_UNINSTALL_LOG) + +# IPA backup and restore logs +host.collect_log(paths.IPARESTORE_LOG) +host.collect_log(paths.IPABACKUP_LOG) + +# kerberos related logs +host.collect_log(paths.KADMIND_LOG) + +# httpd logs +host.collect_log(paths.VAR_LOG_HTTPD_ERROR) + +# dogtag logs +host.collect_log(os.path.join(paths.VAR_LOG_PKI_DIR, '*')) + +# SSSD debugging must be set after client is installed (function +# setup_sssd_debugging) + + def check_arguments_are(slice, instanceof): """ :param: slice - tuple of integers denoting the beginning and the end @@ -234,12 +277,7 @@ def install_master(host, setup_dns=True, setup_kra=False, extra_args=(), domain_level=None): if domain_level is None: domain_level = host.config.domain_level -host.collect_log(paths.IPASERVER_INSTALL_LOG) -host.collect_log(paths.IPACLIENT_INSTALL_LOG) -inst = host.domain.realm.replace('.', '-') -host.collect_log(paths.SLAPD_INSTANCE_ERROR_LOG_TEMPLATE % inst) -host.collect_log(paths.SLAPD_INSTANCE_ACCESS_LOG_TEMPLATE % inst) - +setup_server_logs_collecting(host) apply_common_fixes(host) fix_apache_semaphores(host) @@ -321,8 +359,7 @@ def install_replica(master, replica, setup_ca=True, setup_dns=False, if domain_level is None: domain_level = domainlevel(master) apply_common_fixes(replica) -replica.collect_log(paths.IPAREPLICA_INSTALL_LOG) -replica.collect_log(paths.IPAREPLICA_CONNCHECK_LOG) +setup_server_logs_collecting(replica) allow_sync_ptr(master) # Otherwise ipa-client-install would not create a PTR # and replica installation would fail @@ -400,12 +437,7 @@ def install_adtrust(host): Configures the compat tree for the legacy clients. """ -# ipa-adtrust-install appends to ipaserver-install.log -host.collect_log(paths.IPASERVER_INSTALL_LOG) - -inst = host.domain.realm.replace('.', '-') -host.collect_log(paths.SLAPD_INSTANCE_ERROR_LOG_TEMPLATE % inst) -host.collect_log(paths.SLAPD_INSTANCE_ACCESS_LOG_TEMPLATE % inst) +setup_server_logs_collecting(host) kinit_admin(host) host.run_command(['ipa-adtrust-install', '-U', -- 2.5.5 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribu
Re: [Freeipa-devel] [PATCH] 0046 Create server certs with DNS altname
On 01.07.2016 13:26, Petr Spacek wrote: On 20.1.2016 05:04, Fraser Tweedale wrote: On Tue, Dec 08, 2015 at 07:06:39PM +1000, Fraser Tweedale wrote: On Mon, Dec 07, 2015 at 05:50:05PM -0500, Rob Crittenden wrote: Fraser Tweedale wrote: On Mon, Dec 07, 2015 at 01:53:15PM +0100, Martin Kosek wrote: On 12/07/2015 06:26 AM, Fraser Tweedale wrote: The attached patch fixes https://fedorahosted.org/freeipa/ticket/4970. Note that the problem is addressed by adding the appropriate request extension to the CSR; the fix does not involve changing the default profile behaviour, which is complicated (see ticket for details). Thanks for the patch! This is something we should really fix, I already get warnings in my Python scripts when I hit sites protected by such HTTPS cert: /usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:264: SubjectAltNameWarning: Certificate for projects.engineering.redhat.com has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.) Should we split ticket 4970, for the FreeIPA server part and then for cert profile part? As it looks like the FreeIPA server will be fixed even in FreeIPA 4.3.x and the other part later. How difficult do you see the general FreeIPA Certificate Profile part of this request? Is it a too big task to handle in 4.4 time frame? I will split the ticket and would suggest 4.4 Backlog - it might be doable but is a lower priority than e.g. Sub-CAs. If you are going to defer the profile part then you should probably update the client to also include a SAN if --request-cert is provided. rob Yes, good idea. Updated patch attached. Cheers, Fraser Bump, with rebased patch. Hi, this seems to work for Apache on IPA server & client cert. ACK. Pushed to master: b12db924143cd6828c596c0b8a261325f3f589f3 Interestingly enough I found out that Dogtag cert used on port 8443 does not have any SAN. Is it in scope of this ticket? I will leave the ticket open until this is answered. Martin^2 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0187] Use server API in com.redhat.idm.trust-fetch-domains oddjob helper
On 18.07.2016 10:53, Alexander Bokovoy wrote: On Mon, 18 Jul 2016, Martin Babinsky wrote: https://fedorahosted.org/freeipa/ticket/6082 -- Martin^3 Babinsky From 990f29cbfb457c6179ffc0bed452dc358ba30d21 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Thu, 14 Jul 2016 09:31:22 +0200 Subject: [PATCH] Use server API in com.redhat.idm.trust-fetch-domains oddjob helper https://fedorahosted.org/freeipa/ticket/6082 --- install/oddjob/com.redhat.idm.trust-fetch-domains | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/oddjob/com.redhat.idm.trust-fetch-domains b/install/oddjob/com.redhat.idm.trust-fetch-domains index a6b87cde917cfa5bfedf28442a6d1b2b512706f9..7c948fd53bd54bf3638ef3cc4407576b9011f4fb 100755 --- a/install/oddjob/com.redhat.idm.trust-fetch-domains +++ b/install/oddjob/com.redhat.idm.trust-fetch-domains @@ -76,7 +76,7 @@ env._bootstrap(debug=options.debug, log=None) env._finalize_core(**dict(DEFAULT_CONFIG)) # Initialize the API with the proper debug level -api.bootstrap(debug=env.debug, log=None) +api.bootstrap(in_server=True, debug=env.debug, log=None) api.finalize() # Only import trust plugin after api is initialized or internal imports ACK. Pushed to master: b144bf527db76573590255d4ac80e9dfd813ba3d -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0026][Tests] RFE: Support UPN for trusted domains
On 18.07.2016 18:09, Martin Babinsky wrote: On 07/14/2016 03:39 PM, Lenka Doudova wrote: On 07/13/2016 06:04 PM, Martin Babinsky wrote: On 07/01/2016 04:45 PM, Lenka Doudova wrote: On 07/01/2016 03:04 PM, Martin Babinsky wrote: On 07/01/2016 11:13 AM, Lenka Doudova wrote: And, of course, a patch file :) On 07/01/2016 11:09 AM, Lenka Doudova wrote: Hi all, here's patch with basic test suite for support of UPN. Note: it needs to be applied on top of my patch 0025.2 (or later, if there's will be more fixes to that patch). Lenka Hi Lenka, test data such as usernames, etc. should be stored either in separate resource files or at least as class attributes like this: diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py index e8fdc6b..86ba7cc 100644 --- a/ipatests/test_integration/test_trust.py +++ b/ipatests/test_integration/test_trust.py @@ -394,28 +394,33 @@ class TestTrustWithUPN(ADTrustBase): """ Test support of UPN for trusted domains """ +upn_suffix = 'UPNsuffix.com' +upn_username = 'upnuser' +upn_princ = '{}@{}'.format(upn_username, upn_suffix) +upn_password = 'Secret123456' + def test_upn_in_nonposix_trust(self): """ Check that UPN is listed as trust attribute """ result = self.master.run_command(['ipa', 'trust-show', self.ad_domain, '--all', '--raw']) -assert "ipantadditionalsuffixes: UPNsuffix.com" in result.stdout_text +assert ("ipantadditionalsuffixes: {}".format(self.upn_suffix) in +result.stdout_text) def test_upn_user_resolution_in_nonposix_trust(self): """ Check that user with UPN can be resolved """ -upnuser = 'upnu...@upnsuffix.com' -result = self.master.run_command(['getent', 'passwd', upnuser]) +result = self.master.run_command(['getent', 'passwd', self.upn_princ]) # result will contain AD domain, not UPN -upnuser_regex = "^upnuser@{0}:\*:(\d+):(\d+):UPN User:/:$".format( -self.ad_domain) +upnuser_regex = "^{}@{}:\*:(\d+):(\d+):UPN User:/:$".format( +self.upn_username, self.ad_domain) assert re.search(upnuser_regex, result.stdout_text) def test_upn_user_authentication(self): """ Check that AD user with UPN can authenticate in IPA """ self.master.run_command(['systemctl', 'restart', 'krb5kdc']) -self.master.run_command(['kinit', '-C', '-E', 'upnu...@upnsuffix.com'], - stdin_text='Secret123456') +self.master.run_command(['kinit', '-C', '-E', self.upn_princ], + stdin_text=self.upn_password) otherwise LGTM. Thanks for review, fixed patch attached. Few notes: 1. mbabinsky's suggestion to store testdata as class attributes or separate resource file: I decided to use the class attribute approach. The separate resource file is a nice idea, which I have already put on my "to do" list - there's a lot of hardcoded stuff in the trust tests, even in the original ones (before my patches), so when there's time I'll work on a way how to dynamically provide this data as test configuration 2. previous discussion about getent vs. pwd.getpwnam(): I'll leave the getent command, since according to mbasti the alternative would not work in CI. Lenka Hi Lenka, I am not sure 'test_all_trustdomains_found' should be run as a part of this test suite. Maybe yes, I'm not sure. Also I would add a 60 second sleep after KDC restart in 'test_upn_user_authentication' so that MS-PAC cache gets refreshed before trying to kinit as enterprise principal. Two of the tests fail on my setup but that is probably due to https://fedorahosted.org/freeipa/ticket/6082 . Hi, the "test_all_trustdomains_found" method is inherited from parent class, and I believe it cannot hurt to have it there. I added the sleep as you requested. I also tried to run the tests with two way trust and since everything was fine then, the failures you experienced are really most likely due to the oddjob issue you linked. Of course the patch still contains tests with one way trusts, so until the oddjob issue is solved, the tests will probably fail, and should be fine once the fix is provided. Fixed patch attached. Lenka Yes I think that the failing tests are due to bugs in trust, not the test code. ACK. New ticket created for tests https://fedorahosted.org/freeipa/ticket/6094 Pushed to master: 6a072f3c5c114747c190d0c309a8d53dd8e46394 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0025][Tests] RFE: External trust
On 18.07.2016 18:07, Martin Babinsky wrote: On 07/18/2016 04:59 PM, Lenka Doudova wrote: On 07/18/2016 04:55 PM, Martin Babinsky wrote: On 07/14/2016 11:42 AM, Lenka Doudova wrote: On 07/13/2016 05:40 PM, Martin Babinsky wrote: On 07/01/2016 04:15 PM, Lenka Doudova wrote: On 07/01/2016 02:38 PM, Martin Babinsky wrote: On 07/01/2016 06:36 AM, Lenka Doudova wrote: On 06/30/2016 05:01 PM, Martin Babinsky wrote: On 06/30/2016 03:47 PM, Lenka Doudova wrote: Hi, attaching patch with some basic coverage for external trust feature. Bit more detailed info in commit message. Since the feature requires me to run commands previously used only for forest root domains even for subdomains, I made some changes in ipatests/test_integration/tasks.py file, so that it would enable me to reuse existing function without copy-pasting them for one variable change. Lenka Hi Lenka, I have a few comments: 1.) -def establish_trust_with_ad(master, ad, extra_args=()): +def establish_trust_with_ad(master, ad, extra_args=(), subdomain=False): This modification seems extremely kludgy to me. I would rather change the function signature to: -def establish_trust_with_ad(master, ad, extra_args=()): +def establish_trust_with_ad(master, ad_domain, extra_args=()): and pass the domain name itself to the function instead of doing magic inside. The same goes with `remove trust_with_ad`. You may want to fix the calls to them in existing code so that the domain is passed instead of the whole trust object. 2.) +def sync_time_hostname(host, srv_hostname): +""" +Syncs time with the remote server given by its hostname. +Please note that this function leaves ntpd stopped. +""" +host.run_command(['systemctl', 'stop', 'ntpd']) +host.run_command(['ntpdate', srv_hostname]) + + this looks like a duplicate of the function above it, why is it even needed? 3.) +class TestExternalTrustWithSubdomain(ADTrustBase): +""" +Test establishing external trust with subdomain +""" + +@classmethod +def install(cls, mh): +super(ADTrustBase, cls).install(mh) +cls.ad = cls.ad_domains[0].ads[0] +cls.install_adtrust() +cls.check_sid_generation() + +# Determine whether the subdomain AD is available +try: +child_ad = cls.host_by_role(cls.optional_extra_roles[0]) +cls.ad_subdomain = '.'.join(child_ad.hostname.split('.')[1:]) +cls.ad_subdomain_hostname = child_ad.hostname +except LookupError: +cls.ad_subdomain = None + +cls.configure_dns_and_time() Please use proper OOP practices when overriding the behavior of the base test class. For starters you could rewrite the install method like this: +@classmethod +def install(cls, mh): +# Determine whether the subdomain AD is available +try: +cls.child_ad = cls.host_by_role(cls.optional_extra_roles[0]) +cls.ad_subdomain = '.'.join(child_ad.hostname.split('.')[1:]) +cls.ad_subdomain_hostname = child_ad.hostname +except LookupError: +raise nose.SkipTest("AFAIK this will skip the whole test class") +super(ADTrustBase, cls).install(mh) with child_ad stored as class attribute, you can override `configure_dns_and_time`: +def configure_dns_and_time(cls): +tasks.configure_dns_for_trust(cls.master, cls.ad_subdomain) # no need to re-implement the function just to get to the child AD DC hostname now +tasks.sync_time(cls.master, cls.child_ad.hostname) You can then use this class as an intermediary in the hierarchy and inherit the other external/non-external trust test classes from it, since most setup method in them are just copy-pasted from this one. Hi, thanks for review, fixed patch attached. Lenka Hi Lenka, I am still not happy about the patch underutilizing the potential for a proper inheritance hierarchy and instead relying on a staggering amounts of copy-pasting for implementation. I am attaching a quick untested patch illustrating how the implementation should look like. Also you have some leftovers from previous revision, please fix them: Pylint is running, please wait ... * Module ipatests.test_integration.test_trust ipatests/test_integration/test_trust.py:236: [E1101(no-member), TestExternalTrustWithSubdomain.configure_dns_and_time] Module 'ipatests.test_integration.tasks' has no 'sync_time_hostname' member) ipatests/test_integration/test_trust.py:243: [E1123(unexpected-keyword-arg), TestExternalTrustWithSubdomain.test_establish_trust] Unexpected keyword argument 'subdomain' in function call) ipatests/test_integration/test_trust.py:279: [E1123(unexpected-keyword-arg), TestExternalTrustWithSubdomain.test_remove_nonposix_trust] Unexpected keyword argument 'subdomain' in function call) ipatests/test_integration/test_trust.py:330: [E1101(no-member), TestNonexternalTrustWithSubdomain.configure_dns_and
Re: [Freeipa-devel] [PATCH] 0210 frontend: fix output validation for multiple type choices
On 07/19/2016 01:13 PM, Alexander Bokovoy wrote: On Mon, 18 Jul 2016, Martin Babinsky wrote: On 07/18/2016 12:29 PM, Martin Babinsky wrote: > On 07/18/2016 10:01 AM, Jan Cholasta wrote: > > Hi, > > > > On 16.7.2016 12:46, Alexander Bokovoy wrote: > > > Hi, > > > > > > I had some time and was blocked by these bugs to do my tickets so I > > > actually fixed these three problems that are assigned to Martin > > > Babinsky. Hopefully, Martin wouldn't be offended by that. :) > > > > > > -- > > > > > > Output entry elements may have multiple types allowed. We need to check > > > all of them to properly validate the output. Right now, thin client > > > receives type specifications for elements as tuples of types, so > > > what is seen as 'None' on the server side becomes (type(None),) tuple > > > on the thin client side. > > > > > > Change validation to account this by processing each separate type > > > of the element and account for both None and type(None). Raise type > > > error only if all of the type checks failed. > > > > > > https://fedorahosted.org/freeipa/ticket/6061 > > > > NACK, this only hides the real issue, which is that trustconfig-show > > (and automember-set-default in #6037) claims to return the primary key > > of the object in the 'value' output field, but the object does not have > > a primary key, so the client rightfully expects None. > > > > A proper fix would be to set "has_output = output.simple_value" for > > these commands (all of automember_default_group_{set,remove,show}, > > trustconfig_{mod,show}). > > > > Honza > > > > The problem is that these commands do not return a simple boolean in > 'result' but a full entry dict, so 'simple_value' won't do the trick in > this case. > > But I agree, we should rather fix misbehaving commands rather than bend > the framework to accomodate their idiosyncracies, we have enough of that > already. > I am attaching a patch that adds a custom shim for misbehaving commands so that they work as before. There is also a big fat warning added to discourage implementation of such commands. Let's go by this patch. I originally thought changing trust.py to simply not supply 'value' field at all but this fix is simpler. We found out that we still would need to handle automember-default-group-{set,remove} commands which use the value to print out summary, so it seems that we cannot win without some more extensive fixing. -- Martin^3 Babinsky -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 0023 Bug in the ipapwd plugin
On 19.07.2016 12:21, Simo Sorce wrote: On Tue, 2016-07-19 at 10:17 +0200, thierry bordaz wrote: On 07/13/2016 10:02 PM, Lukas Slebodnik wrote: On (13/07/16 16:50), thierry bordaz wrote: https://fedorahosted.org/freeipa/ticket/6030 >From 4efedc5e674db92f9f7c160429df543422ed8afb Mon Sep 17 00:00:00 2001 From: Thierry Bordaz Date: Wed, 13 Jul 2016 15:34:20 +0200 Subject: [PATCH] Ticket 6030 Bug in the ipapwd plugin ipapwd_encrypt_encode_key allocates 'kset' on the heap but with num_keys and keys not being initialized. Then ipa_krb5_generate_key_data initializes them with the generated keys. If ipa_krb5_generate_key_data fails (here EINVAL meaning no principal->realm.data), num_keys and keys are left uninitialized. Upon failure, ipapwd_keyset_free is called to free 'kset' that contains random num_keys and keys. allocates kset with calloc so that kset->num_keys==0 and kset->keys==NULL https://fedorahosted.org/freeipa/ticket/6030 --- daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c index 5ca155d..46bf79a 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c @@ -148,7 +148,7 @@ Slapi_Value **ipapwd_encrypt_encode_key(struct ipapwd_krbcfg *krbcfg, pwd.length = strlen(data->password); } -kset = malloc(sizeof(struct ipapwd_keyset)); +kset = calloc(sizeof(struct ipapwd_keyset)); I though that calloc need two arguments man malloc says: void *malloc(size_t size); void *calloc(size_t nmemb, size_t size); LS Oppss, sorry for this dummy patch. Here is the right one ACK, Simo. Pushed to master: b04f617803c430b13f8796e911f78bd65f6cf55f -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0024][Tests] Fix integration tests not to produce incorrect /etc/hosts file
On 06/29/2016 06:49 PM, Petr Spacek wrote: On 29.6.2016 18:39, Oleg Fayans wrote: In fact, I believe /etc/hosts file should not be touched at all. Hostname resolution is usually governed by the DNS system of the lab in which tests are running. We do not modify it when perform tests manually, so I'd rather remove this method at all. +1, it should not be need. Let me know if it is needed for some reason and I will have a look. Petr^2 Spacek Hi, providing new (and renamed) patch as was suggested in the discussion above - removing manipulation with /etc/hosts file from the tests. The "fix_etc_hosts" function was completely removed from the tasks file. Verification that nothing is broken by this change was done by running some random integration test (trust tests), and also on Milan's suggestion by running a test requiring two replicas (replica promotion tests). Lenka On 06/29/2016 06:27 PM, Lenka Doudova wrote: Hi all, a function 'fix_etc_hosts' in ipatests/test_integration/tasks.py produces incorrect /etc/hosts file (solitary IPv6 address), and currently parser is not able to resolve the issue, causing ipa-server-install to fail with 'list index out of range' error. Hence I'm attaching patch to fix this issue before parser is fixed (related ticket to it #6014). The fix is just change of regexs responsible for creating incorrect file so that all the lines containing defined hostname are removed, not just specific IP/hostname/shortname strings. Lenka From eb73a40d4294c062a646b8d6cf9fe495382896ed Mon Sep 17 00:00:00 2001 From: Lenka Doudova Date: Tue, 19 Jul 2016 13:12:05 +0200 Subject: [PATCH] Tests: Removing manipulation with /etc/hosts file from integration tests --- ipatests/test_integration/tasks.py | 19 --- 1 file changed, 19 deletions(-) diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py index cee6c15ccdc260f6ebe4cdebbc2cf6ec84931f27..55cc902b490c57b8741a644ed691254c7d83dc24 100644 --- a/ipatests/test_integration/tasks.py +++ b/ipatests/test_integration/tasks.py @@ -96,7 +96,6 @@ def allow_sync_ptr(host): def apply_common_fixes(host): -fix_etc_hosts(host) fix_hostname(host) prepare_host(host) @@ -118,24 +117,6 @@ def backup_file(host, filename): return False -def fix_etc_hosts(host): -backup_file(host, paths.HOSTS) -contents = host.get_file_contents(paths.HOSTS) -# Remove existing mentions of the host's FQDN, short name, and IP -# Removing of IP must be done as first, otherwise hosts file may be -# corrupted -contents = re.sub('^%s.*' % re.escape(host.ip), '', contents, - flags=re.MULTILINE) -contents = re.sub('\s%s(\s|$)' % re.escape(host.hostname), ' ', contents, - flags=re.MULTILINE) -contents = re.sub('\s%s(\s|$)' % re.escape(host.shortname), ' ', contents, - flags=re.MULTILINE) -# Add the host's info again -contents += '\n%s %s %s\n' % (host.ip, host.hostname, host.shortname) -log.debug('Writing the following to /etc/hosts:\n%s', contents) -host.put_file_contents(paths.HOSTS, contents) - - def fix_hostname(host): backup_file(host, paths.ETC_HOSTNAME) host.put_file_contents(paths.ETC_HOSTNAME, host.hostname + '\n') -- 2.7.4 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] Location mechanism RFE
Hello, can you please check if TCs for basic test looks good for http://www.freeipa.org/page/V4/DNS_Location_Mechanism TC 1 - default values (50:50) - ipa-server-install + replica - add two location - mod SRV record (ipa server-mod) to master - location1 | replica - location2 - check by 'dig' (dig @$FIRST_IPA_DNS_SERVER _kerberos._udp.$PRIMARYDNSDOMAIN SRV) output: both servers/location listed TC 2 - set up service weight - another replica in location1 - ipa server-mod server1 --service-weight=75 location1 - ipa server-mod server2 --service-weight=25 location1 - check traffic output: trafic divided into 1:4 TC 3 - used location server go offline - ipactl stop on location1 output : switch to another location TC 4 (negative) - try to add non-existant server to location :: can't be added - wrong dns setup :: non location in dig output -- Pavel Picka Red Hat Brno -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 0210 frontend: fix output validation for multiple type choices
On Mon, 18 Jul 2016, Martin Babinsky wrote: On 07/18/2016 12:29 PM, Martin Babinsky wrote: > On 07/18/2016 10:01 AM, Jan Cholasta wrote: > > Hi, > > > > On 16.7.2016 12:46, Alexander Bokovoy wrote: > > > Hi, > > > > > > I had some time and was blocked by these bugs to do my tickets so I > > > actually fixed these three problems that are assigned to Martin > > > Babinsky. Hopefully, Martin wouldn't be offended by that. :) > > > > > > -- > > > > > > Output entry elements may have multiple types allowed. We need to check > > > all of them to properly validate the output. Right now, thin client > > > receives type specifications for elements as tuples of types, so > > > what is seen as 'None' on the server side becomes (type(None),) tuple > > > on the thin client side. > > > > > > Change validation to account this by processing each separate type > > > of the element and account for both None and type(None). Raise type > > > error only if all of the type checks failed. > > > > > > https://fedorahosted.org/freeipa/ticket/6061 > > > > NACK, this only hides the real issue, which is that trustconfig-show > > (and automember-set-default in #6037) claims to return the primary key > > of the object in the 'value' output field, but the object does not have > > a primary key, so the client rightfully expects None. > > > > A proper fix would be to set "has_output = output.simple_value" for > > these commands (all of automember_default_group_{set,remove,show}, > > trustconfig_{mod,show}). > > > > Honza > > > > The problem is that these commands do not return a simple boolean in > 'result' but a full entry dict, so 'simple_value' won't do the trick in > this case. > > But I agree, we should rather fix misbehaving commands rather than bend > the framework to accomodate their idiosyncracies, we have enough of that > already. > I am attaching a patch that adds a custom shim for misbehaving commands so that they work as before. There is also a big fat warning added to discourage implementation of such commands. Let's go by this patch. I originally thought changing trust.py to simply not supply 'value' field at all but this fix is simpler. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 0011 server uninstall fails to remove krb principals
On 07/11/2016 09:52 AM, Florence Blanc-Renaud wrote: > Hi, > > please find a patch for the 3rd issue of ticket 6012. > > https://fedorahosted.org/freeipa/ticket/6012 > > bump for review -- Petr Vobornik -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 0210 frontend: fix output validation for multiple type choices
On 19.7.2016 12:31, Alexander Bokovoy wrote: On Tue, 19 Jul 2016, Jan Cholasta wrote: On 19.7.2016 11:36, Alexander Bokovoy wrote: On Tue, 19 Jul 2016, Jan Cholasta wrote: On 19.7.2016 10:40, Alexander Bokovoy wrote: On Tue, 19 Jul 2016, Jan Cholasta wrote: On 18.7.2016 10:12, Alexander Bokovoy wrote: On Mon, 18 Jul 2016, Jan Cholasta wrote: Hi, On 16.7.2016 12:46, Alexander Bokovoy wrote: Hi, I had some time and was blocked by these bugs to do my tickets so I actually fixed these three problems that are assigned to Martin Babinsky. Hopefully, Martin wouldn't be offended by that. :) -- Output entry elements may have multiple types allowed. We need to check all of them to properly validate the output. Right now, thin client receives type specifications for elements as tuples of types, so what is seen as 'None' on the server side becomes (type(None),) tuple on the thin client side. Change validation to account this by processing each separate type of the element and account for both None and type(None). Raise type error only if all of the type checks failed. https://fedorahosted.org/freeipa/ticket/6061 NACK, this only hides the real issue, which is that trustconfig-show (and automember-set-default in #6037) claims to return the primary key of the object in the 'value' output field, but the object does not have a primary key, so the client rightfully expects None. Why did it work before introducing thin client? Because I took the liberty of not putting any extra effort just to keep old hacks working on thin client. In this case, output.PrimaryKey was used for the 'value' output field before, which always allowed unicode in addition to the primary key type. On thin client, output.Output with the primary key type is used instead, which is less forgiving and uncovers bogus command definitions. (There aren't any besides the ones already mentioned, I remember fixing them but the commit got lost somehow. Oh well.) This means thin client would not work against old server which would return a non-primary key value. I think it is unacceptable. Not true, as this only applies to servers with API schema (4.4+). Only because thin client does not work against servers without API schema at all: [root@f24-master ~]# ipa -vv -e xmlrpc_uri=https://id.vda.li/ipa/xml config-show ipa: INFO: trying https://id.vda.li/ipa/json ipa: INFO: Request: { "id": 0,"method": "ping","params": [ [],{} ] } ipa: INFO: Response: { "error": null,"id": 0,"principal": "ad...@vda.li", "result": { "messages": [ { "code": 13001,"message": "API Version number was not sent, forward compatibility not guaranteed. Assuming server's API version, 2.156","name": "VersionMissing", "type": "warning" } ],"summary": "IPA server version 4.2.3. API version 2.156" },"version": "4.2.3" } ipa: INFO: Forwarding 'config_show/1' to json server 'https://id.vda.li/ipa/json' ipa: INFO: Request: { "id": 0,"method": "config_show/1","params": [ [],{ "version": "2.210" } ] } ipa: INFO: Response: { "error": { "code": 905,"message": "unknown command 'config_show/1'", "name": "CommandError" },"id": 0,"principal": "ad...@vda.li","result": null, "version": "4.2.3" } ipa: ERROR: unknown command 'config_show/1' Works fine for me: $ rpm -q freeipa-client freeipa-client-4.4.0.201607180602GITa2891af3-0.fc24.x86_64 $ ipa ping --- IPA server version 4.2.3. API version 2.156 --- $ ipa config-show Maximum username length: 32 Home directory base: /home Default shell: /bin/sh Default users group: ipausers Default e-mail domain: abc.idm.lab.eng.brq.redhat.com Search time limit: -1 Search size limit: -1 User search fields: uid,givenname,sn,telephonenumber,ou,title Group search fields: cn,description Enable migration mode: FALSE Certificate Subject base: O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM Password Expiration Notification (days): 4 Password plugin features: AllowNThash SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023 Default SELinux user: unconfined_u:s0-s0:c0.c1023 Default PAC types: nfs:NONE, MS-PAC Try removing ~/.cache/ipa/servers/ - if you reinstalled the server in the last hour (the default cache TTL), it should help. Yes, this did help, thanks. I didn't reinstall the server at all but I ran ipa command before adding CA cert of that install to my client's NSS database. I guess it was the cache from that attempt that broke it. Hmm, that does not sound right. If there was no CA cert for the server, then it wasn't possible to talk to it, so there should not have been any information cached for it. I will investigate further, but it might be a bug in caching. Coming back to trustconf
Re: [Freeipa-devel] [PATCH] 0210 frontend: fix output validation for multiple type choices
On Tue, 19 Jul 2016, Jan Cholasta wrote: On 19.7.2016 11:36, Alexander Bokovoy wrote: On Tue, 19 Jul 2016, Jan Cholasta wrote: On 19.7.2016 10:40, Alexander Bokovoy wrote: On Tue, 19 Jul 2016, Jan Cholasta wrote: On 18.7.2016 10:12, Alexander Bokovoy wrote: On Mon, 18 Jul 2016, Jan Cholasta wrote: Hi, On 16.7.2016 12:46, Alexander Bokovoy wrote: Hi, I had some time and was blocked by these bugs to do my tickets so I actually fixed these three problems that are assigned to Martin Babinsky. Hopefully, Martin wouldn't be offended by that. :) -- Output entry elements may have multiple types allowed. We need to check all of them to properly validate the output. Right now, thin client receives type specifications for elements as tuples of types, so what is seen as 'None' on the server side becomes (type(None),) tuple on the thin client side. Change validation to account this by processing each separate type of the element and account for both None and type(None). Raise type error only if all of the type checks failed. https://fedorahosted.org/freeipa/ticket/6061 NACK, this only hides the real issue, which is that trustconfig-show (and automember-set-default in #6037) claims to return the primary key of the object in the 'value' output field, but the object does not have a primary key, so the client rightfully expects None. Why did it work before introducing thin client? Because I took the liberty of not putting any extra effort just to keep old hacks working on thin client. In this case, output.PrimaryKey was used for the 'value' output field before, which always allowed unicode in addition to the primary key type. On thin client, output.Output with the primary key type is used instead, which is less forgiving and uncovers bogus command definitions. (There aren't any besides the ones already mentioned, I remember fixing them but the commit got lost somehow. Oh well.) This means thin client would not work against old server which would return a non-primary key value. I think it is unacceptable. Not true, as this only applies to servers with API schema (4.4+). Only because thin client does not work against servers without API schema at all: [root@f24-master ~]# ipa -vv -e xmlrpc_uri=https://id.vda.li/ipa/xml config-show ipa: INFO: trying https://id.vda.li/ipa/json ipa: INFO: Request: { "id": 0,"method": "ping","params": [ [],{} ] } ipa: INFO: Response: { "error": null,"id": 0,"principal": "ad...@vda.li", "result": { "messages": [ { "code": 13001,"message": "API Version number was not sent, forward compatibility not guaranteed. Assuming server's API version, 2.156","name": "VersionMissing", "type": "warning" } ],"summary": "IPA server version 4.2.3. API version 2.156" },"version": "4.2.3" } ipa: INFO: Forwarding 'config_show/1' to json server 'https://id.vda.li/ipa/json' ipa: INFO: Request: { "id": 0,"method": "config_show/1","params": [ [],{ "version": "2.210" } ] } ipa: INFO: Response: { "error": { "code": 905,"message": "unknown command 'config_show/1'", "name": "CommandError" },"id": 0,"principal": "ad...@vda.li","result": null, "version": "4.2.3" } ipa: ERROR: unknown command 'config_show/1' Works fine for me: $ rpm -q freeipa-client freeipa-client-4.4.0.201607180602GITa2891af3-0.fc24.x86_64 $ ipa ping --- IPA server version 4.2.3. API version 2.156 --- $ ipa config-show Maximum username length: 32 Home directory base: /home Default shell: /bin/sh Default users group: ipausers Default e-mail domain: abc.idm.lab.eng.brq.redhat.com Search time limit: -1 Search size limit: -1 User search fields: uid,givenname,sn,telephonenumber,ou,title Group search fields: cn,description Enable migration mode: FALSE Certificate Subject base: O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM Password Expiration Notification (days): 4 Password plugin features: AllowNThash SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023 Default SELinux user: unconfined_u:s0-s0:c0.c1023 Default PAC types: nfs:NONE, MS-PAC Try removing ~/.cache/ipa/servers/ - if you reinstalled the server in the last hour (the default cache TTL), it should help. Yes, this did help, thanks. I didn't reinstall the server at all but I ran ipa command before adding CA cert of that install to my client's NSS database. I guess it was the cache from that attempt that broke it. Coming back to trustconfig-show, older server response's 'value' field is ignored. I guess we can actually remove the value completely because it is of no use anywhere. As to other commands without primary key and returning value, may be you can revive your patch? -- / Alexander Bokovoy -- Manage your subsc
Re: [Freeipa-devel] [PATCH 190] expose `--secret` option in radiusproxy-* commands
Hi, On 18.7.2016 13:51, Martin Babinsky wrote: https://fedorahosted.org/freeipa/ticket/6078 I don't think we want the secret searchable. Add a 'no_search' flag to the param to fix that. Honza -- Jan Cholasta -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 0210 frontend: fix output validation for multiple type choices
On 19.7.2016 11:36, Alexander Bokovoy wrote: On Tue, 19 Jul 2016, Jan Cholasta wrote: On 19.7.2016 10:40, Alexander Bokovoy wrote: On Tue, 19 Jul 2016, Jan Cholasta wrote: On 18.7.2016 10:12, Alexander Bokovoy wrote: On Mon, 18 Jul 2016, Jan Cholasta wrote: Hi, On 16.7.2016 12:46, Alexander Bokovoy wrote: Hi, I had some time and was blocked by these bugs to do my tickets so I actually fixed these three problems that are assigned to Martin Babinsky. Hopefully, Martin wouldn't be offended by that. :) -- Output entry elements may have multiple types allowed. We need to check all of them to properly validate the output. Right now, thin client receives type specifications for elements as tuples of types, so what is seen as 'None' on the server side becomes (type(None),) tuple on the thin client side. Change validation to account this by processing each separate type of the element and account for both None and type(None). Raise type error only if all of the type checks failed. https://fedorahosted.org/freeipa/ticket/6061 NACK, this only hides the real issue, which is that trustconfig-show (and automember-set-default in #6037) claims to return the primary key of the object in the 'value' output field, but the object does not have a primary key, so the client rightfully expects None. Why did it work before introducing thin client? Because I took the liberty of not putting any extra effort just to keep old hacks working on thin client. In this case, output.PrimaryKey was used for the 'value' output field before, which always allowed unicode in addition to the primary key type. On thin client, output.Output with the primary key type is used instead, which is less forgiving and uncovers bogus command definitions. (There aren't any besides the ones already mentioned, I remember fixing them but the commit got lost somehow. Oh well.) This means thin client would not work against old server which would return a non-primary key value. I think it is unacceptable. Not true, as this only applies to servers with API schema (4.4+). Only because thin client does not work against servers without API schema at all: [root@f24-master ~]# ipa -vv -e xmlrpc_uri=https://id.vda.li/ipa/xml config-show ipa: INFO: trying https://id.vda.li/ipa/json ipa: INFO: Request: { "id": 0,"method": "ping","params": [ [],{} ] } ipa: INFO: Response: { "error": null,"id": 0,"principal": "ad...@vda.li", "result": { "messages": [ { "code": 13001,"message": "API Version number was not sent, forward compatibility not guaranteed. Assuming server's API version, 2.156","name": "VersionMissing", "type": "warning" } ],"summary": "IPA server version 4.2.3. API version 2.156" },"version": "4.2.3" } ipa: INFO: Forwarding 'config_show/1' to json server 'https://id.vda.li/ipa/json' ipa: INFO: Request: { "id": 0,"method": "config_show/1","params": [ [],{ "version": "2.210" } ] } ipa: INFO: Response: { "error": { "code": 905,"message": "unknown command 'config_show/1'", "name": "CommandError" },"id": 0,"principal": "ad...@vda.li","result": null, "version": "4.2.3" } ipa: ERROR: unknown command 'config_show/1' Works fine for me: $ rpm -q freeipa-client freeipa-client-4.4.0.201607180602GITa2891af3-0.fc24.x86_64 $ ipa ping --- IPA server version 4.2.3. API version 2.156 --- $ ipa config-show Maximum username length: 32 Home directory base: /home Default shell: /bin/sh Default users group: ipausers Default e-mail domain: abc.idm.lab.eng.brq.redhat.com Search time limit: -1 Search size limit: -1 User search fields: uid,givenname,sn,telephonenumber,ou,title Group search fields: cn,description Enable migration mode: FALSE Certificate Subject base: O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM Password Expiration Notification (days): 4 Password plugin features: AllowNThash SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023 Default SELinux user: unconfined_u:s0-s0:c0.c1023 Default PAC types: nfs:NONE, MS-PAC Try removing ~/.cache/ipa/servers/ - if you reinstalled the server in the last hour (the default cache TTL), it should help. Same happens for every other command so I cannot even test the behavior. It works against the same server as the thin client is. [root@f24-master ~]# ipa -vv config-show ipa: INFO: trying https://f24-master.ipa.ad.test/ipa/json ipa: INFO: Forwarding 'config_show/1' to json server 'https://f24-master.ipa.ad.test/ipa/json' ipa: INFO: Request: { "id": 0,"method": "config_show/1","params": [ [],{ "version": "2.210" } ] } ipa: INFO: Response: { "error": null,"id": 0,"
Re: [Freeipa-devel] [PATCH] 0210 frontend: fix output validation for multiple type choices
On Tue, 19 Jul 2016, Alexander Bokovoy wrote: On Tue, 19 Jul 2016, Jan Cholasta wrote: On 19.7.2016 10:40, Alexander Bokovoy wrote: On Tue, 19 Jul 2016, Jan Cholasta wrote: On 18.7.2016 10:12, Alexander Bokovoy wrote: On Mon, 18 Jul 2016, Jan Cholasta wrote: Hi, On 16.7.2016 12:46, Alexander Bokovoy wrote: Hi, I had some time and was blocked by these bugs to do my tickets so I actually fixed these three problems that are assigned to Martin Babinsky. Hopefully, Martin wouldn't be offended by that. :) -- Output entry elements may have multiple types allowed. We need to check all of them to properly validate the output. Right now, thin client receives type specifications for elements as tuples of types, so what is seen as 'None' on the server side becomes (type(None),) tuple on the thin client side. Change validation to account this by processing each separate type of the element and account for both None and type(None). Raise type error only if all of the type checks failed. https://fedorahosted.org/freeipa/ticket/6061 NACK, this only hides the real issue, which is that trustconfig-show (and automember-set-default in #6037) claims to return the primary key of the object in the 'value' output field, but the object does not have a primary key, so the client rightfully expects None. Why did it work before introducing thin client? Because I took the liberty of not putting any extra effort just to keep old hacks working on thin client. In this case, output.PrimaryKey was used for the 'value' output field before, which always allowed unicode in addition to the primary key type. On thin client, output.Output with the primary key type is used instead, which is less forgiving and uncovers bogus command definitions. (There aren't any besides the ones already mentioned, I remember fixing them but the commit got lost somehow. Oh well.) This means thin client would not work against old server which would return a non-primary key value. I think it is unacceptable. Not true, as this only applies to servers with API schema (4.4+). Only because thin client does not work against servers without API schema at all: [root@f24-master ~]# ipa -vv -e xmlrpc_uri=https://id.vda.li/ipa/xml config-show ipa: INFO: trying https://id.vda.li/ipa/json ipa: INFO: Request: { "id": 0,"method": "ping","params": [ [],{} ] } ipa: INFO: Response: { "error": null,"id": 0,"principal": "ad...@vda.li", "result": { "messages": [ { "code": 13001,"message": "API Version number was not sent, forward compatibility not guaranteed. Assuming server's API version, 2.156","name": "VersionMissing", "type": "warning" } ],"summary": "IPA server version 4.2.3. API version 2.156" },"version": "4.2.3" } ipa: INFO: Forwarding 'config_show/1' to json server 'https://id.vda.li/ipa/json' ipa: INFO: Request: { "id": 0,"method": "config_show/1","params": [ [],{ "version": "2.210" } ] } ipa: INFO: Response: { "error": { "code": 905,"message": "unknown command 'config_show/1'","name": "CommandError" },"id": 0,"principal": "ad...@vda.li","result": null, "version": "4.2.3" } ipa: ERROR: unknown command 'config_show/1' Same happens for every other command so I cannot even test the behavior. It works against the same server as the thin client is. [root@f24-master ~]# ipa -vv config-show ipa: INFO: trying https://f24-master.ipa.ad.test/ipa/json ipa: INFO: Forwarding 'config_show/1' to json server 'https://f24-master.ipa.ad.test/ipa/json' ipa: INFO: Request: { "id": 0,"method": "config_show/1","params": [ [],{ "version": "2.210" } ] } ipa: INFO: Response: { "error": null,"id": 0,"principal": "ad...@ipa.ad.test", "result": { "result": { "ca_renewal_master_server": "f24-master.ipa.ad.test", "ca_server_server": [ "f24-master.ipa.ad.test" ],"dn": "cn=ipaConfig,cn=etc,dc=ipa,dc=ad,dc=test", "ipa_master_server": [ "f24-master.ipa.ad.test" ],"ipacertificatesubjectbase": [ "O=IPA.AD.TEST" ],"ipaconfigstring": [ "AllowNThash" ],"ipadefaultemaildomain": [ "ipa.ad.test" ],"ipadefaultloginshell": [ "/bin/sh" ],"ipadefaultprimarygroup": [ "ipausers" ],"ipagroupsearchfields": [ "cn,description" ],"ipahomesrootdir": [ "/home" ],"ipakrbauthzdata": [ "nfs:NONE","MS-PAC" ],"ipamaxusernamelength": [ "32" ],"ipamigrationenabled": [
Re: [Freeipa-devel] [PATCH] 0023 Bug in the ipapwd plugin
On Tue, 2016-07-19 at 10:17 +0200, thierry bordaz wrote: > > > On 07/13/2016 10:02 PM, Lukas Slebodnik wrote: > > On (13/07/16 16:50), thierry bordaz wrote: > >> https://fedorahosted.org/freeipa/ticket/6030 > >> >From 4efedc5e674db92f9f7c160429df543422ed8afb Mon Sep 17 00:00:00 > 2001 > >> From: Thierry Bordaz > >> Date: Wed, 13 Jul 2016 15:34:20 +0200 > >> Subject: [PATCH] Ticket 6030 Bug in the ipapwd plugin > >> > >> ipapwd_encrypt_encode_key allocates 'kset' on the heap but > >> with num_keys and keys not being initialized. > >> Then ipa_krb5_generate_key_data initializes them with the > >> generated keys. > >> If ipa_krb5_generate_key_data fails (here EINVAL meaning no > >> principal->realm.data), num_keys and keys are left uninitialized. > >> Upon failure, ipapwd_keyset_free is called to free 'kset' > >> that contains random num_keys and keys. > >> > >> allocates kset with calloc so that kset->num_keys==0 and > >> kset->keys==NULL > >> > >> https://fedorahosted.org/freeipa/ticket/6030 > >> --- > >> daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c | 2 +- > >> 1 file changed, 1 insertion(+), 1 deletion(-) > >> > >> diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c > b/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c > >> index 5ca155d..46bf79a 100644 > >> --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c > >> +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c > >> @@ -148,7 +148,7 @@ Slapi_Value **ipapwd_encrypt_encode_key(struct > ipapwd_krbcfg *krbcfg, > >> pwd.length = strlen(data->password); > >> } > >> > >> -   kset = malloc(sizeof(struct ipapwd_keyset)); > >> +   kset = calloc(sizeof(struct ipapwd_keyset)); > > I though that calloc need two arguments > > > > man malloc says: > > void *malloc(size_t size); > > void *calloc(size_t nmemb, size_t size); > > > > LS > Oppss, sorry for this dummy patch. Here is the right one ACK, Simo. -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] [WIP] Allow full customisability of CA subject name
On 19.7.2016 11:54, Fraser Tweedale wrote: On Tue, Jul 19, 2016 at 09:36:17AM +0200, Jan Cholasta wrote: Hi, On 15.7.2016 07:05, Fraser Tweedale wrote: On Fri, Jul 15, 2016 at 03:04:48PM +1000, Fraser Tweedale wrote: The attached patch is a work in progress for https://fedorahosted.org/freeipa/ticket/2614 (BZ 828866). I am sharing now to make the approach clear and solicit feedback. It has been tested for server install, replica install (with and without CA) and CA-replica install (all hosts running master+patch). Migration from earlier versions and server/replica/CA install on a CA-less deployment are not yet tested; these will be tested over coming days and patch will be tweaked as necessary. Commit message has a fair bit to say so I won't repeat here but let me know your questions and comments. Thanks, Fraser It does help to attach the patch, of course ^_^ IMO explicit is better than implicit, so instead of introducing additional magic around --subject, I would rather add a new separate option for specifying the CA subject name (I think --ca-subject, for consistency with --ca-signing-algorithm). The current situation - the --subject argument which specifies the not the subject but the subject base, is confusing enough (to say nothing of the limitations that give rise to the RFE). Retaining --subject for specifying the subject base and adding --ca-subject for specifying the *actual* subject DN gets us over the line in terms of the RFE, but does not make the installer less confusing. This is why I made --subject accept the full subject DN, with provisions to retain existing behaviour. IMO if we want to have separate arguments for subject DN and subject base (I am not against it), let's bite the bullet and name arguments accordingly. --subject should be used to specify full Subject DN, --subject-base (or similar) for specifying subject base. IMHO --ca-subject is better than --subject, because it is more explicit whose subject name that is (the CA's). I agree that --subject should be deprecated and replaced with --subject-base. (I intentionally defer discussion of specific behaviour if one, none or both are specified; let's resolve the question or renaming / changing meaning of arguments first). By specifying the option you would override the default "CN=Certificate Authority,$SUBJECT_BASE" subject name. If --external-ca was not used, additional validation would be done to make sure the subject name meets Dogtag's expectations. Actually, it might make sense to always do the additional validation, to be able to print a warning that if a Dogtag-incompatible subject name is used, it won't be possible to change the CA cert chaining from externally signed to self-signed later. Honza -- Jan Cholasta -- Jan Cholasta -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] [WIP] Allow full customisability of CA subject name
On Tue, Jul 19, 2016 at 09:36:17AM +0200, Jan Cholasta wrote: > Hi, > > On 15.7.2016 07:05, Fraser Tweedale wrote: > > On Fri, Jul 15, 2016 at 03:04:48PM +1000, Fraser Tweedale wrote: > > > The attached patch is a work in progress for > > > https://fedorahosted.org/freeipa/ticket/2614 (BZ 828866). > > > > > > I am sharing now to make the approach clear and solicit feedback. > > > > > > It has been tested for server install, replica install (with and > > > without CA) and CA-replica install (all hosts running master+patch). > > > > > > Migration from earlier versions and server/replica/CA install on a > > > CA-less deployment are not yet tested; these will be tested over > > > coming days and patch will be tweaked as necessary. > > > > > > Commit message has a fair bit to say so I won't repeat here but let > > > me know your questions and comments. > > > > > > Thanks, > > > Fraser > > > > > It does help to attach the patch, of course ^_^ > > IMO explicit is better than implicit, so instead of introducing additional > magic around --subject, I would rather add a new separate option for > specifying the CA subject name (I think --ca-subject, for consistency with > --ca-signing-algorithm). > The current situation - the --subject argument which specifies the not the subject but the subject base, is confusing enough (to say nothing of the limitations that give rise to the RFE). Retaining --subject for specifying the subject base and adding --ca-subject for specifying the *actual* subject DN gets us over the line in terms of the RFE, but does not make the installer less confusing. This is why I made --subject accept the full subject DN, with provisions to retain existing behaviour. IMO if we want to have separate arguments for subject DN and subject base (I am not against it), let's bite the bullet and name arguments accordingly. --subject should be used to specify full Subject DN, --subject-base (or similar) for specifying subject base. (I intentionally defer discussion of specific behaviour if one, none or both are specified; let's resolve the question or renaming / changing meaning of arguments first). > By specifying the option you would override the default "CN=Certificate > Authority,$SUBJECT_BASE" subject name. If --external-ca was not used, > additional validation would be done to make sure the subject name meets > Dogtag's expectations. Actually, it might make sense to always do the > additional validation, to be able to print a warning that if a > Dogtag-incompatible subject name is used, it won't be possible to change the > CA cert chaining from externally signed to self-signed later. > > Honza > > -- > Jan Cholasta -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 0210 frontend: fix output validation for multiple type choices
On Tue, 19 Jul 2016, Jan Cholasta wrote: On 19.7.2016 10:40, Alexander Bokovoy wrote: On Tue, 19 Jul 2016, Jan Cholasta wrote: On 18.7.2016 10:12, Alexander Bokovoy wrote: On Mon, 18 Jul 2016, Jan Cholasta wrote: Hi, On 16.7.2016 12:46, Alexander Bokovoy wrote: Hi, I had some time and was blocked by these bugs to do my tickets so I actually fixed these three problems that are assigned to Martin Babinsky. Hopefully, Martin wouldn't be offended by that. :) -- Output entry elements may have multiple types allowed. We need to check all of them to properly validate the output. Right now, thin client receives type specifications for elements as tuples of types, so what is seen as 'None' on the server side becomes (type(None),) tuple on the thin client side. Change validation to account this by processing each separate type of the element and account for both None and type(None). Raise type error only if all of the type checks failed. https://fedorahosted.org/freeipa/ticket/6061 NACK, this only hides the real issue, which is that trustconfig-show (and automember-set-default in #6037) claims to return the primary key of the object in the 'value' output field, but the object does not have a primary key, so the client rightfully expects None. Why did it work before introducing thin client? Because I took the liberty of not putting any extra effort just to keep old hacks working on thin client. In this case, output.PrimaryKey was used for the 'value' output field before, which always allowed unicode in addition to the primary key type. On thin client, output.Output with the primary key type is used instead, which is less forgiving and uncovers bogus command definitions. (There aren't any besides the ones already mentioned, I remember fixing them but the commit got lost somehow. Oh well.) This means thin client would not work against old server which would return a non-primary key value. I think it is unacceptable. Not true, as this only applies to servers with API schema (4.4+). Only because thin client does not work against servers without API schema at all: [root@f24-master ~]# ipa -vv -e xmlrpc_uri=https://id.vda.li/ipa/xml config-show ipa: INFO: trying https://id.vda.li/ipa/json ipa: INFO: Request: { "id": 0, "method": "ping", "params": [ [], {} ] } ipa: INFO: Response: { "error": null, "id": 0, "principal": "ad...@vda.li", "result": { "messages": [ { "code": 13001, "message": "API Version number was not sent, forward compatibility not guaranteed. Assuming server's API version, 2.156", "name": "VersionMissing", "type": "warning" } ], "summary": "IPA server version 4.2.3. API version 2.156" }, "version": "4.2.3" } ipa: INFO: Forwarding 'config_show/1' to json server 'https://id.vda.li/ipa/json' ipa: INFO: Request: { "id": 0, "method": "config_show/1", "params": [ [], { "version": "2.210" } ] } ipa: INFO: Response: { "error": { "code": 905, "message": "unknown command 'config_show/1'", "name": "CommandError" }, "id": 0, "principal": "ad...@vda.li", "result": null, "version": "4.2.3" } ipa: ERROR: unknown command 'config_show/1' Same happens for every other command so I cannot even test the behavior. It works against the same server as the thin client is. [root@f24-master ~]# ipa -vv config-show ipa: INFO: trying https://f24-master.ipa.ad.test/ipa/json ipa: INFO: Forwarding 'config_show/1' to json server 'https://f24-master.ipa.ad.test/ipa/json' ipa: INFO: Request: { "id": 0, "method": "config_show/1", "params": [ [], { "version": "2.210" } ] } ipa: INFO: Response: { "error": null, "id": 0, "principal": "ad...@ipa.ad.test", "result": { "result": { "ca_renewal_master_server": "f24-master.ipa.ad.test", "ca_server_server": [ "f24-master.ipa.ad.test" ], "dn": "cn=ipaConfig,cn=etc,dc=ipa,dc=ad,dc=test", "ipa_master_server": [ "f24-master.ipa.ad.test" ], "ipacertificatesubjectbase": [ "O=IPA.AD.TEST" ], "ipaconfigstring": [ "AllowNThash" ], "ipadefaultemaildomain": [ "ipa.ad.test" ], "ipadefaultloginshell": [ "/bin/sh" ], "ipadefaultprimarygroup": [ "ipausers" ], "ipagroupsearchfields": [ "cn,description" ], "ipahomesrootdir": [ "/home" ], "ipakrbauthzdata": [ "nfs:NONE", "MS-PAC" ], "ipamaxusernamelength": [ "32"
Re: [Freeipa-devel] [PATCH] 0211-0212 Make sure --raw option works for trust-add
On Tue, 19 Jul 2016, Jan Cholasta wrote: On 18.7.2016 12:06, Martin Babinsky wrote: On 07/16/2016 12:50 PM, Alexander Bokovoy wrote: Hi, I had some time and was blocked by these bugs to do my tickets so I actually fixed these three problems that are assigned to Martin Babinsky. Hopefully, Martin wouldn't be offended by that. :) Note that this fix (patch 0211) has potential for a break but also introduces a correct behavior in my view as we should not really have non-lower cased keys in LDAP dictionaries in entry_to_dict() for both normal and --raw modes. - 0211 Since commit a8dd7aa337f25abd938a582d0fcba51d3b356410 if IPA command is called with --raw option, a retrieved LDAP entry's attribute names aren't normalized to lower case when converting the entry to a dictionary. This breaks overall assumption that dictionary keys are in lower case. Partially fixes 'ipa trust-add --raw' issues. https://fedorahosted.org/freeipa/ticket/6059 - 0212 Make sure we display raw values for 'trust-add --raw' case. https://fedorahosted.org/freeipa/ticket/6059 Hi Alexander, I am CC'ing Jan since I hope he knows why a8dd7aa337f25abd938a582d0fcba51d3b356410 was implemented in this way. I think there was a reason behind this decision and we should not revert it without further discussion. I think it was just because with --raw, the raw LDAP entry should be returned, letter case and all. I don't really care if the names are lowercased or not, but you should never assume anything about raw results in your code anyway, so I think the revert would be pointless. There were a few bugs with --raw unrelated to letter case in the past and most of the offending code was fixed, the same should be done here IMO. This is not about LDAP entry, this is about Python dictionary from entry_to_dict(). LDAP attribute name is case-insensitive. We call entry_to_dict() in multiple places and we expect that dictionary keys are lowcased in Python code. I don't think it is fair to have this assumption broken when --raw is used -- after all, we are dealing with Python dictionary and LDAP attributes are case insensitive. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] Using RPZ to overcome multi Kerberos domains and multiple DNS authorities.
On 18.7.2016 19:44, Jim Glenz wrote: > IPA DNS configuration using Response Policy Zone (RPZ). > > IPA utilizes DNS extensively to locate service records (SRV) and text > records (TXT) associated with the Kerberos realm. > IPA also heavily require DNS A records and PTR records to function > correctly. > Normally all A,SRV,TXT,PTR records are part of the same DNS domain zone. > > The following shows how to decouple IPA "TXT and SRV" records only, and > pass (forward) all other records to another internal DNS server when > required to have all records (except SRV and TXT) records in the other DNS > system. > > Note: Below is very customized for specific environment, your environment > may be different. Just wanted to pass on this DNS trick. > Methodology used was to implement a BIND instance on at least two servers > and then configuring a Response Policy Zone (RPZ). > The RPZ is configured to respond to specific DNS records and forward other > DNS records onward to next hop DNS. > > All A and PTR records should exist in the next hop DNS authoritative server. > As mentioned, the following solution is very specific to a unique > environment. > > IPA members and clinet servers must have their primary/secondary DNS > resolvers set to the DNS RPZ BIND servers. > > > Steps > Create your Master and Slave Bind DNS where RPZ will be used (can be your > IPA server or any other server having Bind DNS installed) > Create Response Policy Zone (RPZ) files. > Test configuration. > > Search below for " > nslookup > nslookup > > nslookup . > nslookup . > > nslookup > nslookup . > nslookup -type=TXT _kerberos. Bind-DNS-RPZ2-IP-address> > nslookup -type=SRV _kerberos-master._tcp. Bind-DNS-RPZ2-IP-address> > nslookup -type=SRV _kerberos-master._udp. Bind-DNS-RPZ2-IP-address> > nslookup -type=SRV _kerberos._tcp. Bind-DNS-RPZ2-IP-address> > nslookup -type=SRV _kerberos._udp. Bind-DNS-RPZ2-IP-address> > nslookup -type=SRV _kpasswd._tcp. Bind-DNS-RPZ2-IP-address> > nslookup -type=SRV _kpasswd._udp. Bind-DNS-RPZ2-IP-address> > nslookup -type=SRV _ldap._tcp. Bind-DNS-RPZ2-IP-address> > > nslookup > nslookup . > nslookup -type=TXT _kerberos. Bind-DNS-RPZ1-IP-address> > nslookup -type=SRV _kerberos-master._tcp. Bind-DNS-RPZ1-IP-address> > nslookup -type=SRV _kerberos-master._udp. Bind-DNS-RPZ1-IP-address> > nslookup -type=SRV _kerberos._tcp. Bind-DNS-RPZ1-IP-address> > nslookup -type=SRV _kerberos._udp. Bind-DNS-RPZ1-IP-address> > nslookup -type=SRV _kpasswd._tcp. Bind-DNS-RPZ1-IP-address> > nslookup -type=SRV _kpasswd._udp. Bind-DNS-RPZ1-IP-address> > nslookup -type=SRV _ldap._tcp. Bind-DNS-RPZ1-IP-address> > > nslookup google.com > nslookup google.com > > nslookup -type=ptr Bind-DNS-RPZ2-IP-address> > nslookup -type=ptr Bind-DNS-RPZ1-IP-address> > nslookup -type=ptr Bind-DNS-RPZ2-IP-address> > nslookup -type=ptr Bind-DNS-RPZ1-IP-address> > > > Will be referencing reverse.arpa zone 10.x.x.x internal network. Adjust as > necessary for your environment. > > Appendix A: Primary IPA DNS /etc/named.conf file > # cat named.conf > options { > // Put files that named is allowed to write in the data/ directory: > directory "/var/named"; // the default > dump-file "data/cache_dump.db"; > statistics-file "data/named_stats.txt"; > memstatistics-file "data/named_mem_stats.txt"; > #forward first; > forwarders { > ; > ; > }; > response-policy {zone ""; }; > > // Any host is permitted to issue recursive queries > allow-recursion { any; }; > > tkey-gssapi-credential "DNS/"; > tkey-domain ""; > }; > > /* If you want to enable debugging, eg. using the 'rndc trace' command, > * By default, SELinux policy does not allow named to modify the /var/named > directory, > * so put the default debug log file in data/ : > */ > logging { > channel default_debug { > file "data/named.run"; > severity dynamic; > }; > }; > > zone "" IN { > type master; > file ""; > also-notify {;}; > }; > > zone "10.in-addr.arpa" IN { > type forward; > forwarders { > ; > ; > }; > }; > > include "/etc/named.rfc1912.zones"; > > # dynamic not used, remark out. > #dynamic-db "ipa" { > #library "ldap.so"; > #}; > > Appendix B: Primary IPA DNS /var/named/ file > $ORIGIN . > $TTL 86400 ; 1 day > .rpz IN SOA localhost. root.localhost. ( > 201505162150 ; serial > 3600 ; refresh (1 hour) > 1800 ; retry (30 minutes) > 604800 ; expire (1 week) >
Re: [Freeipa-devel] [PATCH] 0211-0212 Make sure --raw option works for trust-add
On 18.7.2016 12:06, Martin Babinsky wrote: On 07/16/2016 12:50 PM, Alexander Bokovoy wrote: Hi, I had some time and was blocked by these bugs to do my tickets so I actually fixed these three problems that are assigned to Martin Babinsky. Hopefully, Martin wouldn't be offended by that. :) Note that this fix (patch 0211) has potential for a break but also introduces a correct behavior in my view as we should not really have non-lower cased keys in LDAP dictionaries in entry_to_dict() for both normal and --raw modes. - 0211 Since commit a8dd7aa337f25abd938a582d0fcba51d3b356410 if IPA command is called with --raw option, a retrieved LDAP entry's attribute names aren't normalized to lower case when converting the entry to a dictionary. This breaks overall assumption that dictionary keys are in lower case. Partially fixes 'ipa trust-add --raw' issues. https://fedorahosted.org/freeipa/ticket/6059 - 0212 Make sure we display raw values for 'trust-add --raw' case. https://fedorahosted.org/freeipa/ticket/6059 Hi Alexander, I am CC'ing Jan since I hope he knows why a8dd7aa337f25abd938a582d0fcba51d3b356410 was implemented in this way. I think there was a reason behind this decision and we should not revert it without further discussion. I think it was just because with --raw, the raw LDAP entry should be returned, letter case and all. I don't really care if the names are lowercased or not, but you should never assume anything about raw results in your code anyway, so I think the revert would be pointless. There were a few bugs with --raw unrelated to letter case in the past and most of the offending code was fixed, the same should be done here IMO. I had the fix for trust-add ready on Friday but was unable to test it properly because of some issues with my VMs. I am attaching it for reference, since it is similar to your patch 212 but relies on attrs_list passed in to LDAP search in order to fetch lowercased attributes. -- Jan Cholasta -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 0210 frontend: fix output validation for multiple type choices
On 19.7.2016 10:40, Alexander Bokovoy wrote: On Tue, 19 Jul 2016, Jan Cholasta wrote: On 18.7.2016 10:12, Alexander Bokovoy wrote: On Mon, 18 Jul 2016, Jan Cholasta wrote: Hi, On 16.7.2016 12:46, Alexander Bokovoy wrote: Hi, I had some time and was blocked by these bugs to do my tickets so I actually fixed these three problems that are assigned to Martin Babinsky. Hopefully, Martin wouldn't be offended by that. :) -- Output entry elements may have multiple types allowed. We need to check all of them to properly validate the output. Right now, thin client receives type specifications for elements as tuples of types, so what is seen as 'None' on the server side becomes (type(None),) tuple on the thin client side. Change validation to account this by processing each separate type of the element and account for both None and type(None). Raise type error only if all of the type checks failed. https://fedorahosted.org/freeipa/ticket/6061 NACK, this only hides the real issue, which is that trustconfig-show (and automember-set-default in #6037) claims to return the primary key of the object in the 'value' output field, but the object does not have a primary key, so the client rightfully expects None. Why did it work before introducing thin client? Because I took the liberty of not putting any extra effort just to keep old hacks working on thin client. In this case, output.PrimaryKey was used for the 'value' output field before, which always allowed unicode in addition to the primary key type. On thin client, output.Output with the primary key type is used instead, which is less forgiving and uncovers bogus command definitions. (There aren't any besides the ones already mentioned, I remember fixing them but the commit got lost somehow. Oh well.) This means thin client would not work against old server which would return a non-primary key value. I think it is unacceptable. Not true, as this only applies to servers with API schema (4.4+). Aside from that, comparing "(type(None),) is None" will never give you True on the thin client side. At the server side we have "None is None" and that works. So the question is also why there is a change like that between client and server sides? I don't see how this has anything to do with anything. In output validation, "type = None" means that value of any type is allowed, "type = (type(None),)" means that only None is allowed. Nothing changed with regard to that in thin client. Really? Previous code worked against corresponding server, new code doesn't work against the very same server. I consider it a breakage. Really, since commit b6e4972e. If something is broken, please file a ticket. -- Jan Cholasta -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [PATCH 0029][Tests] Adding authentication test to trust test suite
Hi, this patch adds authentication test (specifically "kinit -E ipauser@IPADOMAIN") to basic trust test suite, as requested by Sumit. Intended to be applied after my patches 25.4 and 26.3 (already waiting to be pushed). Lenka From 394304d23ef752c30cf1f4d69d5e6116fd41ad2d Mon Sep 17 00:00:00 2001 From: Lenka Doudova Date: Mon, 18 Jul 2016 14:38:18 +0200 Subject: [PATCH] Tests: Adding authentication test to basic trust test suite Providing missing test case verifying authentication as IPA user, namely "kinit -E ipauser@IPADOMAIN". --- ipatests/test_integration/test_trust.py | 19 +++ ipatests/test_integration/util.py | 13 + 2 files changed, 32 insertions(+) diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py index e3fe9c89e9cd1357c8913d8fcd98699906f07f85..3dc1056dea82d0fe21a983ffe5354ff33e8ad8a3 100644 --- a/ipatests/test_integration/test_trust.py +++ b/ipatests/test_integration/test_trust.py @@ -161,6 +161,25 @@ class TestBasicADTrust(ADTrustBase): assert re.search(testuser_regex, result.stdout_text) +def test_ipauser_authentication(self): +ipauser = u'tuser' +original_passwd = 'Secret123' +new_passwd = 'userPasswd123' + +# create an ipauser for this test +self.master.run_command(['ipa', 'user-add', ipauser, '--first=Test', + '--last=User', '--password'], + stdin_text=original_passwd) + +# change password for the user to be able to kinit +util.unlock_principal_password(ipauser, original_passwd, new_passwd, + self.master) + +# try to kinit as ipauser +self.master.run_command( +['kinit', '-E','{0}@{1}'.format(ipauser, self.master.domain.name)], +stdin_text=new_passwd) + def test_remove_nonposix_trust(self): tasks.remove_trust_with_ad(self.master, self.ad_domain) tasks.clear_sssd_cache(self.master) diff --git a/ipatests/test_integration/util.py b/ipatests/test_integration/util.py index 594737b6d753d476cd06aeb0d5cd376b7ca46467..b317beed7756bdc50c6a17c199f4970b5af15303 100644 --- a/ipatests/test_integration/util.py +++ b/ipatests/test_integration/util.py @@ -20,6 +20,8 @@ import time import re +from ipaplatform.paths import paths +from ipapython.ipautil import run def run_repeatedly(host, command, assert_zero_rc=True, test=None, timeout=30, **kwargs): @@ -75,3 +77,14 @@ def get_host_ip_with_hostmask(host): if match: return match.group('full_ip') + + +def unlock_principal_password(user, oldpw, newpw, master): +container_user = "cn=users,cn=accounts" +basedn = master.domain.basedn + +userdn = "uid={},{},{}".format(user, container_user, basedn) + +args = [paths.LDAPPASSWD, '-D', userdn, '-w', oldpw, '-a', oldpw, +'-s', newpw, '-x'] +return run(args) -- 2.7.4 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 0210 frontend: fix output validation for multiple type choices
On Tue, 19 Jul 2016, Jan Cholasta wrote: On 18.7.2016 10:12, Alexander Bokovoy wrote: On Mon, 18 Jul 2016, Jan Cholasta wrote: Hi, On 16.7.2016 12:46, Alexander Bokovoy wrote: Hi, I had some time and was blocked by these bugs to do my tickets so I actually fixed these three problems that are assigned to Martin Babinsky. Hopefully, Martin wouldn't be offended by that. :) -- Output entry elements may have multiple types allowed. We need to check all of them to properly validate the output. Right now, thin client receives type specifications for elements as tuples of types, so what is seen as 'None' on the server side becomes (type(None),) tuple on the thin client side. Change validation to account this by processing each separate type of the element and account for both None and type(None). Raise type error only if all of the type checks failed. https://fedorahosted.org/freeipa/ticket/6061 NACK, this only hides the real issue, which is that trustconfig-show (and automember-set-default in #6037) claims to return the primary key of the object in the 'value' output field, but the object does not have a primary key, so the client rightfully expects None. Why did it work before introducing thin client? Because I took the liberty of not putting any extra effort just to keep old hacks working on thin client. In this case, output.PrimaryKey was used for the 'value' output field before, which always allowed unicode in addition to the primary key type. On thin client, output.Output with the primary key type is used instead, which is less forgiving and uncovers bogus command definitions. (There aren't any besides the ones already mentioned, I remember fixing them but the commit got lost somehow. Oh well.) This means thin client would not work against old server which would return a non-primary key value. I think it is unacceptable. Aside from that, comparing "(type(None),) is None" will never give you True on the thin client side. At the server side we have "None is None" and that works. So the question is also why there is a change like that between client and server sides? I don't see how this has anything to do with anything. In output validation, "type = None" means that value of any type is allowed, "type = (type(None),)" means that only None is allowed. Nothing changed with regard to that in thin client. Really? Previous code worked against corresponding server, new code doesn't work against the very same server. I consider it a breakage. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 0210 frontend: fix output validation for multiple type choices
On 18.7.2016 10:12, Alexander Bokovoy wrote: On Mon, 18 Jul 2016, Jan Cholasta wrote: Hi, On 16.7.2016 12:46, Alexander Bokovoy wrote: Hi, I had some time and was blocked by these bugs to do my tickets so I actually fixed these three problems that are assigned to Martin Babinsky. Hopefully, Martin wouldn't be offended by that. :) -- Output entry elements may have multiple types allowed. We need to check all of them to properly validate the output. Right now, thin client receives type specifications for elements as tuples of types, so what is seen as 'None' on the server side becomes (type(None),) tuple on the thin client side. Change validation to account this by processing each separate type of the element and account for both None and type(None). Raise type error only if all of the type checks failed. https://fedorahosted.org/freeipa/ticket/6061 NACK, this only hides the real issue, which is that trustconfig-show (and automember-set-default in #6037) claims to return the primary key of the object in the 'value' output field, but the object does not have a primary key, so the client rightfully expects None. Why did it work before introducing thin client? Because I took the liberty of not putting any extra effort just to keep old hacks working on thin client. In this case, output.PrimaryKey was used for the 'value' output field before, which always allowed unicode in addition to the primary key type. On thin client, output.Output with the primary key type is used instead, which is less forgiving and uncovers bogus command definitions. (There aren't any besides the ones already mentioned, I remember fixing them but the commit got lost somehow. Oh well.) Aside from that, comparing "(type(None),) is None" will never give you True on the thin client side. At the server side we have "None is None" and that works. So the question is also why there is a change like that between client and server sides? I don't see how this has anything to do with anything. In output validation, "type = None" means that value of any type is allowed, "type = (type(None),)" means that only None is allowed. Nothing changed with regard to that in thin client. A proper fix would be to set "has_output = output.simple_value" for these commands (all of automember_default_group_{set,remove,show}, trustconfig_{mod,show}). Honza -- Jan Cholasta -- Jan Cholasta -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0059] Fix to ipa-cacert-manage man and help differences
On 07/15/2016 02:09 PM, Stanislav Laznicka wrote: https://fedorahosted.org/freeipa/ticket/6013 Hi Stanislav, thanks for your patch. As CERTFILE is added in the arguments for install, I would suggest to mention it in the command description. For instance: install - Install a CA certificate This command can be used to install the certificate contained in CERTFILE as a new CA certificate to IPA. Flo. -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 0023 Bug in the ipapwd plugin
On 07/13/2016 10:02 PM, Lukas Slebodnik wrote: On (13/07/16 16:50), thierry bordaz wrote: https://fedorahosted.org/freeipa/ticket/6030 >From 4efedc5e674db92f9f7c160429df543422ed8afb Mon Sep 17 00:00:00 2001 From: Thierry Bordaz Date: Wed, 13 Jul 2016 15:34:20 +0200 Subject: [PATCH] Ticket 6030 Bug in the ipapwd plugin ipapwd_encrypt_encode_key allocates 'kset' on the heap but with num_keys and keys not being initialized. Then ipa_krb5_generate_key_data initializes them with the generated keys. If ipa_krb5_generate_key_data fails (here EINVAL meaning no principal->realm.data), num_keys and keys are left uninitialized. Upon failure, ipapwd_keyset_free is called to free 'kset' that contains random num_keys and keys. allocates kset with calloc so that kset->num_keys==0 and kset->keys==NULL https://fedorahosted.org/freeipa/ticket/6030 --- daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c index 5ca155d..46bf79a 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c @@ -148,7 +148,7 @@ Slapi_Value **ipapwd_encrypt_encode_key(struct ipapwd_krbcfg *krbcfg, pwd.length = strlen(data->password); } -kset = malloc(sizeof(struct ipapwd_keyset)); +kset = calloc(sizeof(struct ipapwd_keyset)); I though that calloc need two arguments man malloc says: void *malloc(size_t size); void *calloc(size_t nmemb, size_t size); LS Oppss, sorry for this dummy patch. Here is the right one thanks thierry >From 84efaaab758a07fa8cee2f6ad44ba770b67b4bbc Mon Sep 17 00:00:00 2001 From: Thierry Bordaz Date: Mon, 18 Jul 2016 15:00:02 +0200 Subject: [PATCH] Heap corruption in ipapwd plugin ipapwd_encrypt_encode_key allocates 'kset' on the heap but with num_keys and keys not being initialized. Then ipa_krb5_generate_key_data initializes them with the generated keys. If ipa_krb5_generate_key_data fails (here EINVAL meaning no principal->realm.data), num_keys and keys are left uninitialized. Upon failure, ipapwd_keyset_free is called to free 'kset' that contains random num_keys and keys. allocates kset with calloc so that kset->num_keys==0 and kset->keys==NULL https://fedorahosted.org/freeipa/ticket/6030 --- daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c index 9c62f05..7b2f341 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c @@ -157,7 +157,7 @@ Slapi_Value **ipapwd_encrypt_encode_key(struct ipapwd_krbcfg *krbcfg, pwd.length = strlen(data->password); } -kset = malloc(sizeof(struct ipapwd_keyset)); +kset = (struct ipapwd_keyset *) calloc(1, sizeof(struct ipapwd_keyset)); if (!kset) { LOG_OOM(); goto enc_error; -- 2.5.0 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 963 unite log file name of ipa-ca-install
On 19.7.2016 09:27, Petr Vobornik wrote: On 07/19/2016 08:01 AM, Jan Cholasta wrote: Hi, On 18.7.2016 18:50, Florence Blanc-Renaud wrote: On 07/15/2016 04:29 PM, Petr Vobornik wrote: ipa-ca-install said that it used /var/log/ipareplica-ca-install.log but in fact it used /var/log/ipaserver-ca-install.log This patch unites it to ipaserver-ca-install.log It was chosen because ipa-ca-install can be also used on master on CA-less -> CA conversion. Term "server" is valid for both master and replica. https://fedorahosted.org/freeipa/ticket/6088 Looks good to me. Ack Does not look so good to me, "ipareplica-ca-install.log" is in fact the original file name used since ipa-ca-install was introduced (in commit 8a32bb3746802a29b2655e4ad2cbbba8481e1eaf), so why the switch to "ipaserver-ca-install.log"? Honza Ideally it would be ipa-ca-install.log but for backwards compatibility, let's stick with one which we have. AFAIK the framework(run_script methodĂș doesn't support switching the log name which is printed in error message depending on usage. Therefore the universal was chosen - ipaserver-ca-install.log. It was introduced by your commit d27e77adc56f5a04f3bdd1aaed5440a89ed3acad Correct, but only for CA-less to CA-ful conversion. It is used exclusively only since commit 958996b9cc55b6e9ecdc23981e79599ec6826b4c and by accident, AFAICT. And I see, that I used wrong ticket number in the commit. Correct is https://fedorahosted.org/freeipa/ticket/6086 Proper solution might be to rework main and __main__ function in ipa-ca-install but IMO we spent too much time on this already. -- Jan Cholasta -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] [WIP] Allow full customisability of CA subject name
Hi, On 15.7.2016 07:05, Fraser Tweedale wrote: On Fri, Jul 15, 2016 at 03:04:48PM +1000, Fraser Tweedale wrote: The attached patch is a work in progress for https://fedorahosted.org/freeipa/ticket/2614 (BZ 828866). I am sharing now to make the approach clear and solicit feedback. It has been tested for server install, replica install (with and without CA) and CA-replica install (all hosts running master+patch). Migration from earlier versions and server/replica/CA install on a CA-less deployment are not yet tested; these will be tested over coming days and patch will be tweaked as necessary. Commit message has a fair bit to say so I won't repeat here but let me know your questions and comments. Thanks, Fraser It does help to attach the patch, of course ^_^ IMO explicit is better than implicit, so instead of introducing additional magic around --subject, I would rather add a new separate option for specifying the CA subject name (I think --ca-subject, for consistency with --ca-signing-algorithm). By specifying the option you would override the default "CN=Certificate Authority,$SUBJECT_BASE" subject name. If --external-ca was not used, additional validation would be done to make sure the subject name meets Dogtag's expectations. Actually, it might make sense to always do the additional validation, to be able to print a warning that if a Dogtag-incompatible subject name is used, it won't be possible to change the CA cert chaining from externally signed to self-signed later. Honza -- Jan Cholasta -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 963 unite log file name of ipa-ca-install
On 07/19/2016 08:01 AM, Jan Cholasta wrote: > Hi, > > On 18.7.2016 18:50, Florence Blanc-Renaud wrote: >> On 07/15/2016 04:29 PM, Petr Vobornik wrote: >>> ipa-ca-install said that it used >>> /var/log/ipareplica-ca-install.log >>> but in fact it used >>> /var/log/ipaserver-ca-install.log >>> >>> This patch unites it to ipaserver-ca-install.log >>> >>> It was chosen because ipa-ca-install can be also used on >>> master on CA-less -> CA conversion. >>> >>> Term "server" is valid for both master and replica. >>> >>> https://fedorahosted.org/freeipa/ticket/6088 >>> >>> >>> >> >> Looks good to me. >> Ack > > Does not look so good to me, "ipareplica-ca-install.log" is in fact the > original file name used since ipa-ca-install was introduced (in commit > 8a32bb3746802a29b2655e4ad2cbbba8481e1eaf), so why the switch to > "ipaserver-ca-install.log"? > > Honza > Ideally it would be ipa-ca-install.log but for backwards compatibility, let's stick with one which we have. AFAIK the framework(run_script methodĂș doesn't support switching the log name which is printed in error message depending on usage. Therefore the universal was chosen - ipaserver-ca-install.log. It was introduced by your commit d27e77adc56f5a04f3bdd1aaed5440a89ed3acad And I see, that I used wrong ticket number in the commit. Correct is https://fedorahosted.org/freeipa/ticket/6086 Proper solution might be to rework main and __main__ function in ipa-ca-install but IMO we spent too much time on this already. -- Petr Vobornik -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0058] Make get_entries not ignore its size_limit argument
Hi, On 14.7.2016 14:36, Stanislav Laznicka wrote: Hello, This patch fixes https://fedorahosted.org/freeipa/ticket/5640. With not so much experience with the framework, it raises question in my head whether ipaldap.get_entries is used properly throughout the system - does it always assume that it gets ALL the requested entries or just a few of those as configured by the 'ipaSearchRecordsLimit' attribute of ipaConfig.etc which it actually gets? That depends. If you call get_entries() on the ldap2 plugin (which is usually the case in the framework), then ipaSearchRecordsLimit is used. If you call it on some arbitrary LDAPClient instance, the hardcoded default (= unlimited) is used. One spot that I know the get_entries method was definitely not used properly before this patch is in the baseldap.LDAPObject.get_memberindirect() method: 692 result = self.backend.get_entries( 693 self.api.env.basedn, 694 filter=filter, 695 attrs_list=['member'], 696 size_limit=-1, # paged search will get everything anyway 697 paged_search=True) which to me seems kind of important if the environment size_limit is not set properly :) The patch does not fix the non-propagation of the paged_search, though. Why do you think size_limit is not used properly here? Anyway, this ticket is not really easily fixable without more profound changes. Often, multiple LDAP searches are done during command execution. What do you do with the size limit then? Do you pass the same size limit to all the searches? Do you subtract the result size from the size limit after each search? Do you do something else with it? ... The answer is that it depends on the purpose of each individual LDAP search (like in get_memberindirect() above, we have to do unlimited search, otherwise the resulting entry would be incomplete), and fixing this accross the whole framework is a non-trivial task. Honza -- Jan Cholasta -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0183] ipa-advise: correct handling of plugin namespace iteration
On 07/18/2016 08:46 AM, Jan Cholasta wrote: Hi, On 11.7.2016 14:18, Martin Babinsky wrote: https://fedorahosted.org/freeipa/ticket/6044 Note that you should use .name rather than .__name__ to get plugin names, otherwise the code won't work with plugins with non-default names. There currently aren't any Advice plugins with non-default name, but I would rather fix this now to avoid surprises later. Honza I didn't realize this when doing the patch, here's the fix for that. I have attached the original closed ticket to the commit message, should I create a new ticket for such a small change? -- Martin^3 Babinsky From 5da15a1a56174d06120c8296d8878e71ec8a66a4 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Mon, 18 Jul 2016 10:44:23 +0200 Subject: [PATCH] advise: Use `name` instead of `__name__` to get plugin names This change will allow ipa-advise to correctly handle advise plugins with custom names. https://fedorahosted.org/freeipa/ticket/6044 --- ipaserver/advise/base.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ipaserver/advise/base.py b/ipaserver/advise/base.py index a2dc9ccee93811da415c1e1eb0b57f47ac817a3f..f7e8ef5e49c7efc18d5c29583183e908e1284eae 100644 --- a/ipaserver/advise/base.py +++ b/ipaserver/advise/base.py @@ -168,11 +168,11 @@ class IpaAdvise(admintool.AdminTool): self.print_header('List of available advices') max_keyword_len = max( -(len(advice.__name__) for advice in advise_api.Advice)) +(len(advice.name) for advice in advise_api.Advice)) for advice in advise_api.Advice: description = getattr(advice, 'description', '') -keyword = advice.__name__.replace('_', '-') +keyword = advice.name.replace('_', '-') # Compute the number of spaces needed for the table to be aligned offset = max_keyword_len - len(keyword) -- 2.7.4 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] cert-show: show subject alternative names
On Tue, Jul 19, 2016 at 08:50:34AM +0200, Jan Cholasta wrote: > Hi, > > On 14.7.2016 13:44, Fraser Tweedale wrote: > > Hi all, > > > > The attached patch includes SANs in cert-show output. If you have > > certs with esoteric altnames (especially any that are more than just > > ASN.1 string types), please test with those certs. > > > > https://fedorahosted.org/freeipa/ticket/6022 > > I think it would be better to have a separate attribute for each supported > SAN type rather than cramming everything into subject_alt_name. That way if > you care only about a single specific type you won't have to go through all > the values and parse them. Also it would allow you to use param types > appropriate to the SAN types (DNSNameParam for DNS names, Principal for > principal names, etc.) > You are right; that would be much better. > Nitpick: please don't mix moving existing stuff and adding new stuff in a > single patch. > Will cut new patches to address both of these points. Thanks, Fraser -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [freeipa] #6002: Default CA can be used without an ACL
On Tue, Jul 19, 2016 at 08:26:22AM +0200, Jan Cholasta wrote: > Hi, > > On 4.7.2016 09:06, Fraser Tweedale wrote: > > On Tue, Jun 28, 2016 at 01:47:23PM -, freeipa wrote: > > > #6002: Default CA can be used without an ACL > > > > > > Comment (by ftweedal): > > > > > > This is expected behaviour; if a CA ACL does not reference any CAs, > > > and does not have cacat=all, then it is assumed to refer to the > > > default CA. This is for backwards compatibility with existing > > > CA ACLs, which do not reference any CAs but did (and still do) > > > allow access to IPA CA. > > > > > > Leaving open for discussion about whether to break compatibility > > > for a more consistent behaviour. > > > > > Didn't get any feedback in the ticket yet so raising on list for > > visibility. If people agree with current behaviour I can add a > > clarification to caacl plugin help text and close out this ticket. > > (Sorry for the late reply, I was on vacation the last 2 weeks.) > > I would very much prefer if this was consistent with (literally) every other > member list+category attribute, that is, no member and no category means the > rule never matches. > > While documenting this as an exception to the above rule is the easy way > out, IMHO adhering to the rule is even better - anyone who touched HBAC or > sudo in IPA would immediately know their way around CA ACLs without having > to read the documentation at all, which is a win, because people don't > generally read documentation until something goes wrong. The current > behavior might surprise them, even if documented properly (it sure surprised > me at first :-). > > BTW I think this can be done without breaking compatibility, e.g. by using a > new objectclass to distinguish between "old" (CA is always implicitly the > top-level CA) and "new" (CAs are specified using the member and category > attributes) CA ACLs. > > Honza > Is there precedent of "varying behaviour based on objectclass" in IPA? Would it go along the lines of... 1. subtype 'ipaCaAcl' object class (let us call it 'ipaCaAclWithCa' for sake of discussion). (Note that moving the 'ipaCa' attribute to be part of 'ipaCaAclWithCa' would not be backwards compatible with v4.4 as currently released, so it would remain in 'ipaCaAcl' objectclass.) 2. Upgrade script to take 'ipaCaAcl' objects that are NOT 'ipaCaAclWithCa', and make them so, while adding the IPA CA. Is this what you have in mind? If so, I don't think there is actually a need to vary the behaviour based on object class, other than during upgrade. The reason I was not doing upgrades in the first place was because I could not in distinguish between "old" CA ACLs, and "new" CA ACLs that don't have any CAs defined. However, adding a new objectclass resolves this ambiguity. Lmk what you think; I could be way off track :) Cheers, Fraser -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code