[Freeipa-devel] [PATCH] ipa-kdb: Allow to build with samba 4.5
ehlo,
attached patches fix a build of freeipa on fedora 25 and fedora rawhide.
IMHO, this change in krb5pac.h is an ABI change and samba guys should
also bump a SONAME to related (private?) libraries. I could not see it;
but maybe I overlooked it.
LS
>From 02db5adc82c36592f8aef5fd4d5e2f2e27f15b11 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik
Date: Fri, 5 Aug 2016 08:29:27 +0200
Subject: [PATCH 1/2] ipa-kdb: Allow to build with samba 4.5
daemons/ipa-kdb/ipa_kdb_mspac.c: In function 'filter_logon_info':
daemons/ipa-kdb/ipa_kdb_mspac.c:1536:19: error: 'struct PAC_LOGON_INFO'
has no member named 'res_group_dom_sid'
if (info->info->res_group_dom_sid != NULL &&
^~
daemons/ipa-kdb/ipa_kdb_mspac.c:1537:19: error: 'struct PAC_LOGON_INFO'
has no member named 'res_groups'; did you mean 'resource_groups'?
info->info->res_groups.count != 0) {
^~
mv -f .deps/ipa_kdb_delegation.Tpo .deps/ipa_kdb_delegation.Plo
Makefile:806: recipe for target 'ipa_kdb_mspac.lo' failed
make[3]: *** [ipa_kdb_mspac.lo] Error 1
make[3]: *** Waiting for unfinished jobs
Related change in samba
https://github.com/samba-team/samba/commit/4406cf792a599724f55777a45efb6367a9bd92b2
Resolves:
https://fedorahosted.org/freeipa/ticket/6173
---
daemons/configure.ac| 12
daemons/ipa-kdb/ipa_kdb_mspac.c | 9 +
2 files changed, 21 insertions(+)
diff --git a/daemons/configure.ac b/daemons/configure.ac
index
94d66d813728fe4e32f9e3c0eef920d8e2395d8f..5c5a1046397aa97ba18cafc1b81dc2a6fb2dfd34
100644
--- a/daemons/configure.ac
+++ b/daemons/configure.ac
@@ -170,6 +170,18 @@ PKG_CHECK_MODULES([SAMBAUTIL], [samba-util])
SAMBA40EXTRA_LIBPATH="-L`$PKG_CONFIG --variable=libdir samba-util`/samba
-Wl,-rpath=`$PKG_CONFIG --variable=libdir samba-util`/samba"
AC_SUBST(SAMBA40EXTRA_LIBPATH)
+bck_cflags="$CFLAGS"
+CFLAGS="$NDRPAC_CFLAGS"
+AC_CHECK_MEMBER(
+[struct PAC_DOMAIN_GROUP_MEMBERSHIP.domain_sid],
+[AC_DEFINE([HAVE_STRUCT_PAC_DOMAIN_GROUP_MEMBERSHIP], [1],
+ [struct PAC_DOMAIN_GROUP_MEMBERSHIP is available.])],
+[AC_MSG_NOTICE([struct PAC_DOMAIN_GROUP_MEMBERSHIP is not available])],
+ [[#include
+ #include ]])
+
+CFLAGS="$bck_cflags"
+
LIBPDB_NAME=""
AC_CHECK_LIB([samba-passdb],
[make_pdb_method],
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index
80e7055fd6cd7b962eeffbccc675a73d73700793..65cc03565dc06d1052c6acd0c0d6ee7265b37b36
100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -20,6 +20,8 @@
* along with this program. If not, see
[Freeipa-devel] [PATCH] 0001 Update ipa-replica-install documentation
Hi, attached a patch to update man page and doc. Tomas From 6aae0cca6e3347bd3b02af45aa27c61d25407f61 Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Fri, 5 Aug 2016 09:25:05 +0200 Subject: [PATCH] Update ipa-replica-install documentation Update the ipa-replica-install man page and help to reflect that replica_file is optional instead of mandatory. https://fedorahosted.org/freeipa/ticket/6164 --- install/tools/ipa-replica-install | 2 +- install/tools/man/ipa-replica-install.1 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index 17fc957a583739bbda386676f44209e196282a9a..b3f0361c6577cb693dcc0d81d8ca95b0c220679e 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -27,7 +27,7 @@ ReplicaInstall = cli.install_tool( Replica, command_name='ipa-replica-install', positional_arguments=['replica_file'], -usage='%prog [options] REPLICA_FILE', +usage='%prog [options] [REPLICA_FILE]', log_file_name=paths.IPAREPLICA_INSTALL_LOG, debug_option=True, ) diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1 index 55bae2cb77e1a1c520e0598983b8939a919a9ee9..af37b07956691aeb676bb8e41e90f6ce783a5270 100644 --- a/install/tools/man/ipa-replica-install.1 +++ b/install/tools/man/ipa-replica-install.1 @@ -22,7 +22,7 @@ ipa\-replica\-install \- Create an IPA replica .SH "SYNOPSIS" .SS "DOMAIN LEVEL 0" .TP -ipa\-replica\-install [\fIOPTION\fR]... replica_file +ipa\-replica\-install [\fIOPTION\fR]... [replica_file] .SS "DOMAIN LEVEL 1" .TP ipa\-replica\-install [\fIOPTION\fR]... -- 2.7.4 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0153] Fix ipa-replica-prepare's error message about missing local CA instanc
On 04.08.2016 17:35, Petr Spacek wrote: On 3.8.2016 22:56, Ben Lipton wrote: On 08/01/2016 11:38 AM, Petr Spacek wrote: Hello, Fix ipa-replica-prepare's error message about missing local CA instance ipa-replica-prepare must be run on a replica with CA or all the certs needs to be provided (for CA-less case). The old messages were utterly confusing because they mixed errors about missing certs and missing local CA instance into one text. https://fedorahosted.org/freeipa/ticket/6134 The error message in the patch says "must be ran" instead of "must be run". Thanks! Fixed patch is attached. ACK Pushed to: master: 503d096ebc6a4813c15701454fa3cf7abc7970d7 ipa-4-3: fedee72a5a0e9fbb2b82c4105034857b17f8a5c4 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 0096 caacl: fix regression in rule instantiation
On 04.08.2016 15:09, Martin Basti wrote: On 29.07.2016 06:21, Fraser Tweedale wrote: On Thu, Jul 28, 2016 at 09:56:30AM +0200, Martin Babinsky wrote: On 07/28/2016 03:31 AM, Fraser Tweedale wrote: The attached patch fixes a kerberos.Principal-related regression. Thanks, Fraser Hi Fraser, The ticket you linked in the commit message points to a closed milestone. You have to open a new ticket which needs to be triaged. Sorry, those are the processes. Filed ticket:https://fedorahosted.org/freeipa/ticket/6146 Updated patch attached (rebase and update commit message only). Thanks, Fraser ACK, works for me Pushed to master: 9dac0a13f101277948b4ce73b21b1d7ec75848b6 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 0001 Update ipa-replica-install documentation
On 05.08.2016 10:44, Tomas Krizek wrote: Hi, attached a patch to update man page and doc. Tomas ACK Pushed to master: d8fe5863d297b74efff9ba6bbb2e8134e457d6e4 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCHES] Coverity fixes
On 07/28/2016 01:01 PM, Martin Basti wrote: > > > On 25.07.2016 11:46, Simo Sorce wrote: >> The attached patches fix some minor issues found by coverity, and pull >> in other fixes released by the asn1c project. >> >> Simo. >> >> >> > I cannot build RPMS with this patch, is there any missing build dependency? > > /bin/sh ./libtool --tag=CC --mode=link gcc -Wall -Wshadow > -Wstrict-prototypes -Wpointer-arith -Wcast-align > -Werror-implicit-function-declaration -O2 -g -pipe -Wall > -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions > -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches > -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -g -O2 > -Wall > -Wextra -Wformat-security -Wno-unused-parameter -Wno-sign-compare > -Wno-missing-field-initializers -Wl,-z,relro > -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -o ipa-getkeytab > ipa-getkeytab.o > ipa-client-common.o ipa_krb5.o ../asn1/libipaasn1.la -lkrb5 -lk5crypto > -lcom_err > -llber -lldap -lsasl2 -lpopt -lini_config -lbasicobjects -lref_array > -lcollection -lini_config -lini_config > libtool: link: gcc -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith > -Wcast-align -Werror-implicit-function-declaration -O2 -g -pipe -Wall > -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions > -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches > -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -g -O2 > -Wall > -Wextra -Wformat-security -Wno-unused-parameter -Wno-sign-compare > -Wno-missing-field-initializers -Wl,-z -Wl,relro > -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -o ipa-getkeytab > ipa-getkeytab.o > ipa-client-common.o ipa_krb5.o ../asn1/.libs/libipaasn1.a -lkrb5 -lk5crypto > -lcom_err -llber -lldap -lsasl2 -lpopt -lbasicobjects -lref_array > -lcollection > -lini_config > ../asn1/.libs/libipaasn1.a(constr_CHOICE.o): In function `CHOICE_decode_uper': > /root/freeipa/rpmbuild/BUILD/freeipa-4.4.0/asn1/asn1c/constr_CHOICE.c:897: > undefined reference to `uper_open_type_get' > ../asn1/.libs/libipaasn1.a(constr_CHOICE.o): In function `CHOICE_encode_uper': > /root/freeipa/rpmbuild/BUILD/freeipa-4.4.0/asn1/asn1c/constr_CHOICE.c:982: > undefined reference to `uper_open_type_put' > ../asn1/.libs/libipaasn1.a(constr_SEQUENCE.o): In function > `SEQUENCE_handle_extensions': > /root/freeipa/rpmbuild/BUILD/freeipa-4.4.0/asn1/asn1c/constr_SEQUENCE.c:1285: > undefined reference to `uper_open_type_put' > ../asn1/.libs/libipaasn1.a(constr_SEQUENCE.o): In function > `SEQUENCE_decode_uper': > /root/freeipa/rpmbuild/BUILD/freeipa-4.4.0/asn1/asn1c/constr_SEQUENCE.c:1187: > undefined reference to `uper_open_type_get' > /root/freeipa/rpmbuild/BUILD/freeipa-4.4.0/asn1/asn1c/constr_SEQUENCE.c:1203: > undefined reference to `uper_open_type_skip' > collect2: error: ld returned 1 exit status > > Martin^2 > Bumping. Was it temporary issue or issue in the patch? -- Petr Vobornik -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] External plugin integration
On 04.08.2016 17:49, Alexander Bokovoy wrote: Hi! I've stumbled into an interesting problem. Suppose, I have a plugin that adds schema and a subtree where entries it manages will be stored. This subtree will have ACIs applied based on the plugin permissions' configuration. Now, I put schema file in /usr/ipa/share, and updates file in /usr/share/ipa/updates, and also add plugin code to the ipaserver/plugins/ (let's say, rpm does it for me). Next, I want to install IPA server. The install will run through up to server upgrade phase which will fail because generation of ACIs will reference schema attributes/classes which aren't loaded to the dirsrv by installer. How to solve it? Installer uses hard-coded list of schema files and this is a third-party plugin, it needs to extend the list of active schema files. If we can define a place where third-party plugins could drop schema and we just load everything from there before processing updates, it would probably be enough. TLDR: you don't without modifications in current IPA code, or it will be huge hack I think, this is a part of "Support of 3rd party plugins" effort, but it has not been designed yet. I would like to avoid any ad-hoc solution. Maybe we should create a desing page and gathering requirements, you have a lot of them already :). Martin^2 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0196] baseldap: Fix MidairCollision instantiation during entry modification
On 07/26/2016 05:22 PM, Alexander Bokovoy wrote:
On Tue, 26 Jul 2016, Martin Babinsky wrote:
Fix for https://fedorahosted.org/freeipa/ticket/6097
Since this issue was found during investigation of other ticket[1],
you can test it by performing steps to reproduce #6041, but instead
of internal error you should see the MidairCollision raised as public
error with the right error message.
[1] https://fedorahosted.org/freeipa/ticket/6041
I have a preliminary patch for slapi-nis to fix 6041 (attached).
The slapi-nis patch looks good to me.
Ludwig may give the final ACK.
thanks
thierry
As for this fix -- ACK.
--
Martin^3 Babinsky
From 8f0d6dab08f61fe2fd1ad64a63f7ab91fc5227d4 Mon Sep 17 00:00:00 2001
From: Martin Babinsky
Date: Mon, 25 Jul 2016 14:05:08 +0200
Subject: [PATCH] baseldap: Fix MidairCollision instantiation during
entry
modification
https://fedorahosted.org/freeipa/ticket/6097
---
ipaserver/plugins/baseldap.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ipaserver/plugins/baseldap.py
b/ipaserver/plugins/baseldap.py
index
6107e43a6ee17d9b9a63d9dc109664d8b232069f..f7844e3e7c59c259b9c8367d135b2dbefc3f0016
100644
--- a/ipaserver/plugins/baseldap.py
+++ b/ipaserver/plugins/baseldap.py
@@ -1466,7 +1466,7 @@ class LDAPUpdate(LDAPQuery, crud.Update):
entry_attrs.dn, attrs_list)
except errors.NotFound:
raise errors.MidairCollision(
-format=_('the entry was deleted while being modified')
+message=_('the entry was deleted while being modified')
)
self.obj.get_indirect_members(entry_attrs, attrs_list)
@@ -2344,7 +2344,7 @@ class BaseLDAPModAttribute(LDAPQuery):
entry_attrs.dn, attrs_list)
except errors.NotFound:
raise errors.MidairCollision(
-format=_('the entry was deleted while being modified')
+message=_('the entry was deleted while being modified')
)
for callback in self.get_callbacks('post'):
--
2.7.4
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] External plugin integration
On Fri, 05 Aug 2016, Martin Basti wrote:
On 04.08.2016 17:49, Alexander Bokovoy wrote:
Hi!
I've stumbled into an interesting problem.
Suppose, I have a plugin that adds schema and a subtree where entries it
manages will be stored. This subtree will have ACIs applied based on the
plugin permissions' configuration. Now, I put schema file in
/usr/ipa/share, and updates file in /usr/share/ipa/updates, and also add
plugin code to the ipaserver/plugins/ (let's say, rpm does it for me).
Next, I want to install IPA server. The install will run through up to
server upgrade phase which will fail because generation of ACIs will
reference schema attributes/classes which aren't loaded to the dirsrv by
installer. How to solve it?
Installer uses hard-coded list of schema files and this is a third-party
plugin, it needs to extend the list of active schema files.
If we can define a place where third-party plugins could drop schema and
we just load everything from there before processing updates, it would
probably be enough.
TLDR: you don't without modifications in current IPA code, or it will
be huge hack
So far all I needed are following modifications which really boil down
to:
- introduce /usr/share/ipa/schema.d to hold third-party schema files
- add support to read the schema files from /usr/share/ipa/schema.d
to dsintance upgrade step and to ipa-server-upgrade
That's all. Since I'm adding a new directory, I needed to update
Makefile.am and install/configure.ac which requires regeneration of
Makefile/configure files. You'd need to remove install/Makefile and run
'make bootstrap-autogen' to make sure the install/Makefile is recreated
and install/share/schema.d/Makefile is created.
I think, this is a part of "Support of 3rd party plugins" effort, but
it has not been designed yet. I would like to avoid any ad-hoc
solution.
Maybe we should create a desing page and gathering requirements, you
have a lot of them already :).
I'm working on the whole package for FleetCommander integration and I'll
produce a howto based on it. So far, there was no need to have anything
dramatic.
--
/ Alexander Bokovoy
From 6a6383d234607c33b402df93e923478e9b64c000 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Fri, 5 Aug 2016 13:04:19 +0300
Subject: [PATCH 2/2] WIP: support schema files from third-party plugins
Allow upgrade process to include schema files from third-party plugins
installed in /usr/share/ipa/schema.d/*.schema.
The directory /usr/shar/eipa/schema.d is owned by the server-common
subpackage and therefore third-party plugins should depend on
freeipa-server-common (ipa-server-common) package in their package
dependencies.
---
freeipa.spec.in | 5 -
install/configure.ac| 1 +
install/share/Makefile.am | 1 +
install/share/schema.d/Makefile.am | 16
install/share/schema.d/README | 11 +++
ipaplatform/base/paths.py | 1 +
ipaserver/install/dsinstance.py | 16 +++-
ipaserver/install/server/upgrade.py | 3 +++
8 files changed, 52 insertions(+), 2 deletions(-)
create mode 100644 install/share/schema.d/Makefile.am
create mode 100644 install/share/schema.d/README
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 135e9c9..8acb3fc 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -871,6 +871,8 @@ mkdir -p %{buildroot}%{_sysconfdir}/cron.d
mkdir -p %{buildroot}%{_sysconfdir}/ipa/custodia
+mkdir -p %{buildroot}%{_usr}/share/ipa/schema.d
+
%endif # ONLY_CLIENT
@@ -1248,7 +1250,8 @@ fi
%ghost %{_localstatedir}/lib/ipa/pki-ca/publish
%ghost %{_localstatedir}/named/dyndb-ldap/ipa
%dir %attr(0700,root,root) %{_sysconfdir}/ipa/custodia
-
+%dir %{_usr}/share/ipa/schema.d
+%attr(0644,root,root) %{_usr}/share/ipa/schema.d/README
%files server-dns
%defattr(-,root,root,-)
diff --git a/install/configure.ac b/install/configure.ac
index b5f77bf..81f17b9 100644
--- a/install/configure.ac
+++ b/install/configure.ac
@@ -88,6 +88,7 @@ AC_CONFIG_FILES([
share/advise/Makefile
share/advise/legacy/Makefile
share/profiles/Makefile
+share/schema.d/Makefile
ui/Makefile
ui/css/Makefile
ui/src/Makefile
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index cd1c164..d8845ee 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -3,6 +3,7 @@ NULL =
SUBDIRS = \
advise \
profiles\
+ schema.d\
$(NULL)
appdir = $(IPA_DATA_DIR)
diff --git a/install/share/schema.d/Makefile.am
b/install/share/schema.d/Makefile.am
new file mode 100644
index 000..0fef87f
--- /dev/null
+++ b/install/share/schema.d/Makefile.am
@@ -0,0 +1,16 @@
+NULL =
+
+SUBDIRS = \
+ $(NULL)
+
+appdir = $(IPA_DATA_DIR)/schema.d
+app_DATA = README \
+ $(NULL)
+
+EXTRA_DIST =
Re: [Freeipa-devel] External plugin integration
On 05.08.2016 13:58, Alexander Bokovoy wrote: On Fri, 05 Aug 2016, Martin Basti wrote: On 04.08.2016 17:49, Alexander Bokovoy wrote: Hi! I've stumbled into an interesting problem. Suppose, I have a plugin that adds schema and a subtree where entries it manages will be stored. This subtree will have ACIs applied based on the plugin permissions' configuration. Now, I put schema file in /usr/ipa/share, and updates file in /usr/share/ipa/updates, and also add plugin code to the ipaserver/plugins/ (let's say, rpm does it for me). Next, I want to install IPA server. The install will run through up to server upgrade phase which will fail because generation of ACIs will reference schema attributes/classes which aren't loaded to the dirsrv by installer. How to solve it? Installer uses hard-coded list of schema files and this is a third-party plugin, it needs to extend the list of active schema files. If we can define a place where third-party plugins could drop schema and we just load everything from there before processing updates, it would probably be enough. TLDR: you don't without modifications in current IPA code, or it will be huge hack So far all I needed are following modifications which really boil down to: - introduce /usr/share/ipa/schema.d to hold third-party schema files - add support to read the schema files from /usr/share/ipa/schema.d to dsintance upgrade step and to ipa-server-upgrade That's all. Since I'm adding a new directory, I needed to update Makefile.am and install/configure.ac which requires regeneration of Makefile/configure files. You'd need to remove install/Makefile and run 'make bootstrap-autogen' to make sure the install/Makefile is recreated and install/share/schema.d/Makefile is created. I think, this is a part of "Support of 3rd party plugins" effort, but it has not been designed yet. I would like to avoid any ad-hoc solution. Maybe we should create a desing page and gathering requirements, you have a lot of them already :). I'm working on the whole package for FleetCommander integration and I'll produce a howto based on it. So far, there was no need to have anything dramatic. You introduced a new convention, +Each schema file should be named NN-description.schema where NN is a number 00..90. Currently all LDAP schema files are *.ldif, why do not stay with this naming? Martin^2 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCHES] Coverity fixes
On (05/08/16 12:43), Petr Vobornik wrote: >On 07/28/2016 01:01 PM, Martin Basti wrote: >> >> >> On 25.07.2016 11:46, Simo Sorce wrote: >>> The attached patches fix some minor issues found by coverity, and pull >>> in other fixes released by the asn1c project. >>> >>> Simo. >>> >>> >>> >> I cannot build RPMS with this patch, is there any missing build dependency? >> >> /bin/sh ./libtool --tag=CC --mode=link gcc -Wall -Wshadow >> -Wstrict-prototypes -Wpointer-arith -Wcast-align >> -Werror-implicit-function-declaration -O2 -g -pipe -Wall >> -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions >> -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches >> -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -g -O2 >> -Wall >> -Wextra -Wformat-security -Wno-unused-parameter -Wno-sign-compare >> -Wno-missing-field-initializers -Wl,-z,relro >> -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -o ipa-getkeytab >> ipa-getkeytab.o >> ipa-client-common.o ipa_krb5.o ../asn1/libipaasn1.la -lkrb5 -lk5crypto >> -lcom_err >> -llber -lldap -lsasl2 -lpopt -lini_config -lbasicobjects -lref_array >> -lcollection -lini_config -lini_config >> libtool: link: gcc -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith >> -Wcast-align -Werror-implicit-function-declaration -O2 -g -pipe -Wall >> -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions >> -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches >> -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -g -O2 >> -Wall >> -Wextra -Wformat-security -Wno-unused-parameter -Wno-sign-compare >> -Wno-missing-field-initializers -Wl,-z -Wl,relro >> -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -o ipa-getkeytab >> ipa-getkeytab.o >> ipa-client-common.o ipa_krb5.o ../asn1/.libs/libipaasn1.a -lkrb5 -lk5crypto >> -lcom_err -llber -lldap -lsasl2 -lpopt -lbasicobjects -lref_array >> -lcollection >> -lini_config >> ../asn1/.libs/libipaasn1.a(constr_CHOICE.o): In function >> `CHOICE_decode_uper': >> /root/freeipa/rpmbuild/BUILD/freeipa-4.4.0/asn1/asn1c/constr_CHOICE.c:897: >> undefined reference to `uper_open_type_get' >> ../asn1/.libs/libipaasn1.a(constr_CHOICE.o): In function >> `CHOICE_encode_uper': >> /root/freeipa/rpmbuild/BUILD/freeipa-4.4.0/asn1/asn1c/constr_CHOICE.c:982: >> undefined reference to `uper_open_type_put' >> ../asn1/.libs/libipaasn1.a(constr_SEQUENCE.o): In function >> `SEQUENCE_handle_extensions': >> /root/freeipa/rpmbuild/BUILD/freeipa-4.4.0/asn1/asn1c/constr_SEQUENCE.c:1285: >> >> undefined reference to `uper_open_type_put' >> ../asn1/.libs/libipaasn1.a(constr_SEQUENCE.o): In function >> `SEQUENCE_decode_uper': >> /root/freeipa/rpmbuild/BUILD/freeipa-4.4.0/asn1/asn1c/constr_SEQUENCE.c:1187: >> >> undefined reference to `uper_open_type_get' >> /root/freeipa/rpmbuild/BUILD/freeipa-4.4.0/asn1/asn1c/constr_SEQUENCE.c:1203: >> >> undefined reference to `uper_open_type_skip' >> collect2: error: ld returned 1 exit status >> >> Martin^2 >> > >Bumping. Was it temporary issue or issue in the patch? > I could not see such error. However, these patches would be good to test with coverity. We need to use fedora rawhide for testing due to BuildRequires in freeipa.spec. But C-part of freeIPA cannot be compiled on rawhide due to new samba (4.5). Patches are already on the list. LS -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [PATCH] 0100: Fix question marks in adders in topology graph
Hello,
Please review attached patch.
https://fedorahosted.org/freeipa/ticket/6175
--
Pavel^3 Vomacka
From d79140c96c35101d9e00475981ec290b9ed226eb Mon Sep 17 00:00:00 2001
From: Pavel Vomacka
Date: Fri, 5 Aug 2016 14:04:03 +0200
Subject: [PATCH] Fix unicode characters in ca and domain adders
Topology graph didn't show plus icons correctly.
https://fedorahosted.org/freeipa/ticket/6175
---
install/ui/src/freeipa/topology_graph.js | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/install/ui/src/freeipa/topology_graph.js b/install/ui/src/freeipa/topology_graph.js
index ce2ebeaff611987ae27f2655b5da80bdcd1b4f8a..4bc3668647979c77719efa78b7a663d0e899216e 100644
--- a/install/ui/src/freeipa/topology_graph.js
+++ b/install/ui/src/freeipa/topology_graph.js
@@ -530,12 +530,14 @@ topology_graph.TopoGraph = declare([Evented], {
function add_labels(type, color, adder_group) {
var label_radius = 3;
+var decimal_plus = parseInt('f067', 16); // Converts hexadecimal
+// code of plus icon to decimal.
var plus = adder_group
.append('text')
.classed('plus', true)
.classed(type + '_plus', true)
-.text('\uf067');
+.text(String.fromCharCode(decimal_plus));
var label = adder_group.append('path')
.attr('id', type + '_label');
--
2.5.5
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [PATCH] ipa_pwd_extop: Fix warning declaration shadows previous
ehlo,
attached patches fixes few compiler warnings in ipa-extop.
Sorry for not following naming convention for patches.
But I do not remeber my numer and you will use github/pagure
anyway.
LS
>From 8a3e8c5e35749f82336e6375e91d7203b1072714 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik
Date: Fri, 5 Aug 2016 12:00:55 +
Subject: [PATCH 1/4] ipa_pwd_extop: Fix warning declaration shadows previous
local
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
ipa_pwd_extop.c:397:19: warning: declaration of ‘target_sdn’
shadows a previous local [-Wshadow]
Slapi_DN *target_sdn;
^~
ipa_pwd_extop.c:212:16: note: shadowed declaration is here
Slapi_DN *target_sdn = NULL;
^~
---
daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index
3c2c44f6198bf74615fff1ae231a48bed77526ee..74ddfdf87ab19f9fe65b488f78c3b4217544ab2f
100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -394,7 +394,6 @@ parse_req_done:
if (dn) {
Slapi_DN *bind_sdn;
-Slapi_DN *target_sdn;
/* if the user changing the password is self, we must request the
* old password and verify it matches the current one before
--
2.7.4
>From 09d32bb149d52d79e4b4cb58fdc3d49bdda81115 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik
Date: Fri, 5 Aug 2016 12:03:07 +
Subject: [PATCH 2/4] =?UTF-8?q?ipa-pwd-extop:=20Fix=20warning=20assignment?=
=?UTF-8?q?=20discards=20=E2=80=98const=E2=80=99=20qualifier=20from=20poin?=
=?UTF-8?q?ter?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
ipa_pwd_extop.c: In function ‘ipapwd_chpwop’:
ipa_pwd_extop.c:337:13: warning: assignment discards ‘const’ qualifier
from pointer target type [-Wdiscarded-qualifiers]
target_dn = slapi_sdn_get_ndn(target_sdn);
^
---
daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index
74ddfdf87ab19f9fe65b488f78c3b4217544ab2f..6a87a2786c3fb762e07e40509c663a84134978a5
100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -210,7 +210,7 @@ static int ipapwd_chpwop(Slapi_PBlock *pb, struct
ipapwd_krbcfg *krbcfg)
char *principal = NULL;
Slapi_PBlock *chpwop_pb = NULL;
Slapi_DN *target_sdn = NULL;
- char *target_dn = NULL;
+ const char *target_dn = NULL;
/* Get the ber value of the extended operation */
slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &extop_value);
--
2.7.4
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] External plugin integration
On Fri, 05 Aug 2016, Martin Basti wrote: On 05.08.2016 13:58, Alexander Bokovoy wrote: On Fri, 05 Aug 2016, Martin Basti wrote: On 04.08.2016 17:49, Alexander Bokovoy wrote: Hi! I've stumbled into an interesting problem. Suppose, I have a plugin that adds schema and a subtree where entries it manages will be stored. This subtree will have ACIs applied based on the plugin permissions' configuration. Now, I put schema file in /usr/ipa/share, and updates file in /usr/share/ipa/updates, and also add plugin code to the ipaserver/plugins/ (let's say, rpm does it for me). Next, I want to install IPA server. The install will run through up to server upgrade phase which will fail because generation of ACIs will reference schema attributes/classes which aren't loaded to the dirsrv by installer. How to solve it? Installer uses hard-coded list of schema files and this is a third-party plugin, it needs to extend the list of active schema files. If we can define a place where third-party plugins could drop schema and we just load everything from there before processing updates, it would probably be enough. TLDR: you don't without modifications in current IPA code, or it will be huge hack So far all I needed are following modifications which really boil down to: - introduce /usr/share/ipa/schema.d to hold third-party schema files - add support to read the schema files from /usr/share/ipa/schema.d to dsintance upgrade step and to ipa-server-upgrade That's all. Since I'm adding a new directory, I needed to update Makefile.am and install/configure.ac which requires regeneration of Makefile/configure files. You'd need to remove install/Makefile and run 'make bootstrap-autogen' to make sure the install/Makefile is recreated and install/share/schema.d/Makefile is created. I think, this is a part of "Support of 3rd party plugins" effort, but it has not been designed yet. I would like to avoid any ad-hoc solution. Maybe we should create a desing page and gathering requirements, you have a lot of them already :). I'm working on the whole package for FleetCommander integration and I'll produce a howto based on it. So far, there was no need to have anything dramatic. You introduced a new convention, +Each schema file should be named NN-description.schema where NN is a number 00..90. Currently all LDAP schema files are *.ldif, why do not stay with this naming? Because I wanted to unify it with other publicly visible component, /usr/share/ipa/updates. In updates directory we have update files following the same pattern, NN-description.update. Unfortunately, I just realised that extension has probably to be .ldif for 389-ds to correctly recognize it when files are loaded and upgraded via 398-ds tools. I fixed the extension part. Testing the whole setup now. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] webui: Fix coverity bugs
On 08/01/2016 05:53 PM, Petr Vobornik wrote:
On 07/29/2016 03:25 PM, Alexander Bokovoy wrote:
On Fri, 29 Jul 2016, Pavel Vomacka wrote:
Hello,
please review attached patches which fixes errors from Coverity.
--
Pavel^3 Vomacka
From 0391289b3f6844897e2a9f3ae549bd4c33233ffc Mon Sep 17 00:00:00 2001
From: Pavel Vomacka
Date: Mon, 25 Jul 2016 10:36:47 +0200
Subject: [PATCH 01/13] Coverity - null pointer exception
Variable 'option' can be null and there will be error of reading
property of null.
---
install/ui/src/freeipa/widget.js | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/install/ui/src/freeipa/widget.js
b/install/ui/src/freeipa/widget.js
index
9151ebac9438e9e674f81bfb1ccfe7a63872b1ae..cfdf5d4750951e4549c16a2b9b9c355f61e90c39
100644
--- a/install/ui/src/freeipa/widget.js
+++ b/install/ui/src/freeipa/widget.js
@@ -2249,7 +2249,7 @@ IPA.option_widget_base = function(spec, that) {
var child_values = [];
var option = that.get_option(value);
-if (option.widget) {
+if (option && option.widget) {
child_values = option.widget.save();
values.push.apply(values, child_values);
}
--
2.5.5
ACK
ACK
From 6df8e608232e25daa9aefe4fccbdeca4dbaf1998 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka
Date: Mon, 25 Jul 2016 10:43:00 +0200
Subject: [PATCH 02/13] Coverity - null pointer exception
Variable 'row' could be null in some cases. And set css to variable
which is pointing to null
causes error. Therefore there is new check.
---
install/ui/src/freeipa/widget.js | 2 ++
1 file changed, 2 insertions(+)
diff --git a/install/ui/src/freeipa/widget.js
b/install/ui/src/freeipa/widget.js
index
cfdf5d4750951e4549c16a2b9b9c355f61e90c39..5844436abf090f12d5a9d65efe7a1aaee14097e2
100644
--- a/install/ui/src/freeipa/widget.js
+++ b/install/ui/src/freeipa/widget.js
@@ -5766,6 +5766,8 @@ exp.fluid_layout = IPA.fluid_layout =
function(spec) {
that.on_visible_change = function(event) {
var row = that._get_row(event);
+if (!row) return;
+
if (event.visible) {
row.css('display', '');
} else {
--
2.5.5
ACK
ACK
From 6f2ddc9e1c5323a640bdf744d2da00bfee7ab766 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka
Date: Mon, 25 Jul 2016 13:48:16 +0200
Subject: [PATCH 03/13] Coverity - not initialized variable
The variable hasn't been initialized, now it is set to null by default.
---
install/ui/src/freeipa/widget.js | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/install/ui/src/freeipa/widget.js
b/install/ui/src/freeipa/widget.js
index
5844436abf090f12d5a9d65efe7a1aaee14097e2..43804c5ea524ca741017d02f6e12ccf60d50b5df
100644
--- a/install/ui/src/freeipa/widget.js
+++ b/install/ui/src/freeipa/widget.js
@@ -1047,7 +1047,7 @@ IPA.multivalued_widget = function(spec) {
that.child_spec = spec.child_spec;
that.size = spec.size || 30;
-that.undo_control;
+that.undo_control = null;
that.initialized = true;
that.updating = false;
--
2.5.5
ACK
ACK
From b9ddd32ec45aadae5a79e372c3e1b70990071e60 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka
Date: Mon, 25 Jul 2016 14:42:50 +0200
Subject: [PATCH 04/13] Coverity - identical code for different branches
In both cases when the condition is true or false ut is set the same
value.
Changed to assign the value directly.
---
install/ui/src/freeipa/topology_graph.js | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/install/ui/src/freeipa/topology_graph.js
b/install/ui/src/freeipa/topology_graph.js
index
ce2ebeaff611987ae27f2655b5da80bdcd1b4f8a..712d38fbe67e87ffa773e0a3a1f8937e9595c9a6
100644
--- a/install/ui/src/freeipa/topology_graph.js
+++ b/install/ui/src/freeipa/topology_graph.js
@@ -325,8 +325,8 @@ topology_graph.TopoGraph = declare([Evented], {
off = dir ? -1 : 1, // determines shift direction of
curve
ns = 5, // shift on normal vector
s = target_count > 1 ? 1 : 0, // shift from center?
-spad = d.left ? 18 : 18, // source padding
-tpad = d.right ? 18 : 18, // target padding
+spad = d.left = 18, // source padding
+tpad = d.right = 18, // target padding
sourceX = d.source.x + (spad * ux) + off * nx * ns * s,
sourceY = d.source.y + (spad * uy) + off * ny * ns * s,
targetX = d.target.x - (tpad * ux) + off * nx * ns * s,
--
2.5.5
ACK
NACK
following lines are not equivalent
spad = d.left ? 18 : 18
spad = d.left = 18
same with tpad
Fixed
From f1f2b55247d6c7f41f8053f372a47945c93fc8a4 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka
Date: Mon, 25 Jul 2016 14:52:15 +0200
Subject: [PATCH 05/13] Coverity - Accesing attribute of null
There is a possibility that widget is null and then there could be an
error.
Therefore there is new check of widget variable.
---
inst
[Freeipa-devel] [PATCH] 0002 Added support for authentication with user certificate
Hi,
I have extended my previous patch for authentication with user
certificate/smartcard. This patch includes patches and plugin described
here: http://www.freeipa.org/page/V4/External_Authentication/Setup
Page also contains steps to configure and test this feature. Once this
patch is merged and released we will simplify this page to not confuse
customers.
Addressing ticket: https://fedorahosted.org/freeipa/ticket/5764
Thanks.
--
Tibor Dudlák
Intern - Identity management Special Projects
Red Hat
From e22843f6ab1556528b307951fbcc2476a61a417f Mon Sep 17 00:00:00 2001
From: Tiboris
Date: Fri, 5 Aug 2016 11:47:06 +0200
Subject: [PATCH] Added support for authentication with user certificate
https://fedorahosted.org/freeipa/ticket/5764
---
freeipa.spec.in | 5 +
install/conf/ipa.conf | 14 +++
install/ui/src/freeipa/plugins/cert_auth.js | 179
ipaserver/plugins/xmlserver.py | 3 +-
ipaserver/rpcserver.py | 5 +
5 files changed, 205 insertions(+), 1 deletion(-)
create mode 100644 install/ui/src/freeipa/plugins/cert_auth.js
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 135e9c980011c6c2730c6c29a3c22098e48270d5..2b95b83613ca3720c95f255f7f64dc029195452c 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -817,6 +817,8 @@ install daemons/dnssec/ipa-ods-exporter %{buildroot}%{_libexecdir}/ipa/ipa-ods-e
# Web UI plugin dir
mkdir -p %{buildroot}%{_usr}/share/ipa/ui/js/plugins
+mkdir -p %{buildroot}%{_usr}/share/ipa/ui/js/plugins-dist/cert_auth
+install install/ui/src/freeipa/plugins/cert_auth.js %{buildroot}%{_usr}/share/ipa/ui/js/plugins-dist/cert_auth/cert_auth.js
# DNSSEC config
mkdir -p %{buildroot}%{_sysconfdir}/ipa/dnssec
@@ -1210,6 +1212,9 @@ fi
%{_usr}/share/ipa/ui/js/freeipa/app.js
%{_usr}/share/ipa/ui/js/freeipa/core.js
%dir %{_usr}/share/ipa/ui/js/plugins
+%dir %{_usr}/share/ipa/ui/js/plugins-dist
+%dir %{_usr}/share/ipa/ui/js/plugins-dist/cert_auth
+%{_usr}/share/ipa/ui/js/plugins-dist/cert_auth/cert_auth.js
%dir %{_usr}/share/ipa/ui/images
%{_usr}/share/ipa/ui/images/*.jpg
%{_usr}/share/ipa/ui/images/*.png
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 3e7435903b2ad8c4ae5bfc48c0c9fca733757d5d..c37819ff2bd2c045404a383631435ad6c24fdaa3 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -77,6 +77,20 @@ WSGIScriptReloading Off
Header always append Content-Security-Policy "frame-ancestors 'none'"
+# Login with user certificate/smartcard configuration
+
+ AuthType none
+ GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
+ GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
+ GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
+ GssapiImpersonate On
+ NSSVerifyClient require
+ NSSUserName SSL_CLIENT_CERT
+ LookupUserByCertificate On
+ WSGIProcessGroup ipa
+ WSGIApplicationGroup ipa
+
+
# Turn off Apache authentication for sessions
Satisfy Any
diff --git a/install/ui/src/freeipa/plugins/cert_auth.js b/install/ui/src/freeipa/plugins/cert_auth.js
new file mode 100644
index ..282883d6fe82258405afb167dd61b5d6b0f1a7bd
--- /dev/null
+++ b/install/ui/src/freeipa/plugins/cert_auth.js
@@ -0,0 +1,179 @@
+/* Authors:
+ *Petr Vobornik
+ *Tibor Dudlák
+ *
+ * Copyright (C) 2016 Red Hat
+ * see file 'COPYING' for use and warranty information
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see
Re: [Freeipa-devel] [PATCH] 0002 Added support for authentication with user certificate
On Fri, 05 Aug 2016, Tibor Dudlak wrote:
Hi,
I have extended my previous patch for authentication with user
certificate/smartcard. This patch includes patches and plugin described
here: http://www.freeipa.org/page/V4/External_Authentication/Setup
Page also contains steps to configure and test this feature. Once this
patch is merged and released we will simplify this page to not confuse
customers.
Addressing ticket: https://fedorahosted.org/freeipa/ticket/5764
Thanks.
--
Tibor Dudlák
Intern - Identity management Special Projects
Red Hat
From e22843f6ab1556528b307951fbcc2476a61a417f Mon Sep 17 00:00:00 2001
From: Tiboris
Date: Fri, 5 Aug 2016 11:47:06 +0200
Subject: [PATCH] Added support for authentication with user certificate
https://fedorahosted.org/freeipa/ticket/5764
---
freeipa.spec.in | 5 +
install/conf/ipa.conf | 14 +++
install/ui/src/freeipa/plugins/cert_auth.js | 179
ipaserver/plugins/xmlserver.py | 3 +-
ipaserver/rpcserver.py | 5 +
5 files changed, 205 insertions(+), 1 deletion(-)
create mode 100644 install/ui/src/freeipa/plugins/cert_auth.js
diff --git a/freeipa.spec.in b/freeipa.spec.in
index
135e9c980011c6c2730c6c29a3c22098e48270d5..2b95b83613ca3720c95f255f7f64dc029195452c
100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -817,6 +817,8 @@ install daemons/dnssec/ipa-ods-exporter
%{buildroot}%{_libexecdir}/ipa/ipa-ods-e
# Web UI plugin dir
mkdir -p %{buildroot}%{_usr}/share/ipa/ui/js/plugins
+mkdir -p %{buildroot}%{_usr}/share/ipa/ui/js/plugins-dist/cert_auth
+install install/ui/src/freeipa/plugins/cert_auth.js
%{buildroot}%{_usr}/share/ipa/ui/js/plugins-dist/cert_auth/cert_auth.js
# DNSSEC config
mkdir -p %{buildroot}%{_sysconfdir}/ipa/dnssec
@@ -1210,6 +1212,9 @@ fi
%{_usr}/share/ipa/ui/js/freeipa/app.js
%{_usr}/share/ipa/ui/js/freeipa/core.js
%dir %{_usr}/share/ipa/ui/js/plugins
+%dir %{_usr}/share/ipa/ui/js/plugins-dist
+%dir %{_usr}/share/ipa/ui/js/plugins-dist/cert_auth
+%{_usr}/share/ipa/ui/js/plugins-dist/cert_auth/cert_auth.js
Can you rename plugins-dist to something like 'plugins.d'?
This would be more in line with other parts where multiple additions
supposed to come and also in line with other projects where a drop-in
directory is supported.
%dir %{_usr}/share/ipa/ui/images
%{_usr}/share/ipa/ui/images/*.jpg
%{_usr}/share/ipa/ui/images/*.png
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index
3e7435903b2ad8c4ae5bfc48c0c9fca733757d5d..c37819ff2bd2c045404a383631435ad6c24fdaa3
100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -77,6 +77,20 @@ WSGIScriptReloading Off
Header always append Content-Security-Policy "frame-ancestors 'none'"
+# Login with user certificate/smartcard configuration
+
+ AuthType none
+ GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
+ GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
+ GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
+ GssapiImpersonate On
+ NSSVerifyClient require
+ NSSUserName SSL_CLIENT_CERT
+ LookupUserByCertificate On
+ WSGIProcessGroup ipa
+ WSGIApplicationGroup ipa
+
+
# Turn off Apache authentication for sessions
Satisfy Any
diff --git a/install/ui/src/freeipa/plugins/cert_auth.js
b/install/ui/src/freeipa/plugins/cert_auth.js
new file mode 100644
index
..282883d6fe82258405afb167dd61b5d6b0f1a7bd
--- /dev/null
+++ b/install/ui/src/freeipa/plugins/cert_auth.js
@@ -0,0 +1,179 @@
+/* Authors:
+ *Petr Vobornik
+ *Tibor Dudlák
+ *
+ * Copyright (C) 2016 Red Hat
+ * see file 'COPYING' for use and warranty information
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see
Re: [Freeipa-devel] [Tests][patch-0066] Fixed incorrect domainlevel determination in integration tests
On 04.08.2016 09:25, Oleg Fayans wrote: ACK master: * bd5746c538a4e1e7f312de7475eaaa4ce6446cc3 Fixed incorrect domainlevel determination in tests ipa-4-3: * ab29e560bdd03f2bb3742dbd122867979e26f108 Fixed incorrect domainlevel determination in tests -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 0002 Added support for authentication with user certificate
Hi Alexander,
On Fri, Aug 5, 2016 at 3:19 PM, Alexander Bokovoy
wrote:
> On Fri, 05 Aug 2016, Tibor Dudlak wrote:
>
>> Hi,
>>
>> I have extended my previous patch for authentication with user
>> certificate/smartcard.
>> ...
>
> Thanks.
>>
>> --
>> Tibor Dudlák
>> Intern - Identity management Special Projects
>> Red Hat
>>
>> Can you rename plugins-dist to something like 'plugins.d'?
> This would be more in line with other parts where multiple additions
> supposed to come and also in line with other projects where a drop-in
> directory is supported.
> --
> / Alexander Bokovoy
>
In our case we need to distribute this plugin in such a way that is not
enabled by default. In fact something like 'plugins.d' as you wrote already
exists ('/usr/share/ipa/ui/js/plugins/'). Main point of creating this new
directory is to separate this inactive plugin from plugins located in
'/usr/share/ipa/ui/js/plugins/' directory where active plugins are. User
can easily enable this plugin, once they desire to enable it, only with
creating symlink into this 'plugins' directory.
--
Tibor Dudlák
Intern - Identity management Special Projects
Red Hat
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 0002 Added support for authentication with user certificate
On 08/05/2016 02:57 PM, Tibor Dudlak wrote: > Hi, > > I have extended my previous patch for authentication with user > certificate/smartcard. This patch includes patches and plugin described here: > http://www.freeipa.org/page/V4/External_Authentication/Setup > Page also contains steps to configure and test this feature. Once this patch > is > merged and released we will simplify this page to not confuse customers. > Addressing ticket: https://fedorahosted.org/freeipa/ticket/5764 > Let's assume that we will go with this approach and not separate RPM. 1. ipa.conf version needs to be bumped 2. Do not put the web ui plugin in src/freeipa/plugins dir. That is a dir for core UI plugins. This one is sort of hybrid - basically a third party plugin added to core package but enabled as third party because the feature is experimental. Create rather a new dir for that. E.g. plugins.d as Alexander suggested -> freeipa/install/ui/src/plugins.d/cert_auth/cert_auth.js 3. unrelated and "alternative solution" comments needs to be removed from the UI plugin. They were added to the example plugin https://pvoborni.fedorapeople.org/plugins/loginauth/loginauth.js mostly to help you with the development. 4. Add comment to freeipa.spec.in describing what the plugin is and why it is put there this way. 5. The plugin itself deserves better description as well. Right now there is the general description. 6. I have not tried it, but make sure that it passes jslint (`jsl -conf jsl.conf`) Easiest may be to use temp(i.e. do not include it here) jsl.conf e.g.: https://pvoborni.fedorapeople.org/plugins/loginauth/jsl.conf -- Petr Vobornik -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH]: 0098-99 : Split make lint to more targets and add jslint
On 02.08.2016 18:08, Pavel Vomacka wrote: On 08/02/2016 05:31 PM, Pavel Vomacka wrote: On 08/02/2016 05:27 PM, Martin Basti wrote: On 02.08.2016 17:12, Rob Crittenden wrote: Pavel Vomacka wrote: Hello, please review attached patches which Split make lint to more targets and add jslint What's the driver to split the checks out into separate targets? It is called several times during build (makes build slower), and you cannot run `make clean` in case you have wrong API.txt, because it will explode Yes, definitely. So I removed moving the aci and api checks and just add jslint. You are moving the makeapi and makeaci from version-update to lint. They were in version-update for a reason: downstream builds do not call lint. Downstream may patch code. API cannot break. Can we update downstream spec then? No ticket? Pavel please file tickets. Yes, I will file tickets for these changes. Also ticket is now filed: https://fedorahosted.org/freeipa/ticket/6161 rob Martin^2 ACK 0098-2: works for me Martin^2 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [Test][Patch-0047] Added a test for Ticket N 5964
On 03.08.2016 14:45, Oleg Fayans wrote:
Hi Martin,
Thanks for the review! Both patches were updated.
On 07/28/2016 04:11 PM, Martin Basti wrote:
On 08.07.2016 15:41, Oleg Fayans wrote:
Hi Martin,
Thanks for the review!
On 07/08/2016 02:18 PM, Martin Basti wrote:
On 27.06.2016 13:53, Oleg Fayans wrote:
Hi guys,
Is there a chance the patches NN 0047.1 and 0048.1 get reviewed
before
4.4 release? They cover a good part of the Managed Topology 4.4
feature.
On 06/17/2016 11:18 AM, Oleg Fayans wrote:
One more test was added to the patch-0048
On 06/17/2016 09:43 AM, Oleg Fayans wrote:
Fixed a bug in the previous patch, automated 2 more testcases from
http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan
On 06/16/2016 04:46 PM, Oleg Fayans wrote:
IIUC, this will turn off the machine completely, how is cleanup done
then. AFAIK our tests cannot turn on machine again and run
cleanup, so
you will not be able to run more tests on the same topology without
manual cleanup and manual start.
+replica = self.replicas[0]
+replica.run_command(['poweroff'])
IMO would be better to just call 'ipactl stop' instead of 'poweroff'
Agreed! Fixed.
Martin^2
*Automated ipa-replica-manage del tests*
1)
+replica.run_command(['ipactl', 'stop'])
+time.sleep(3)
Why do you need sleep here?
Removed, it was left from the old "poweroff" approach
2)
+ruvid_re = re.compile(".*%s:389: (\d+).*" % replica.hostname)
+replica_ruvs = ruvid_re.findall(result.stdout_text)
+master.run_command(['ipa-replica-manage', 'clean-ruv', 'f',
+'-p', master.config.dirman_password,
+replica_ruvs[0]])
Because you are using re.findall(), without any match you will receive
IndexError here replica_ruvs[0]. IMO it deserves assert before
Implemented the assert which checks that the output contains enough
replica RUVs
3)
assert(replica.hostname in result1.stdout_text)
I think that this is error prone. What if there is just error 'could not
connect to replica ', or something similar. instead of
listing/cleaning/whatever operation was executed. I think that it should
be more specific regexp than just finding a replica name substring (Yes
In IPA we dont always print error so stderr)
I'm not sure, but probably there might be cases when non critical error
happen and exist status is still 0
Agree. Implemented a regex-based search
4)
+replica.run_command(['poweroff'])
+time.sleep(3)
There should not be poweroff, probably sleep could be removed too.
Gone
* Automated clean-ruv subcommand test*
1) PEP8, 2 new lines expected
./ipatests/test_integration/test_topology.py:163:1: E302 expected 2
blank lines, found 0
./ipatests/test_integration/test_topology.py:182:80: E501 line too long
(85 > 79 characters)
Fixed
2)
I dont like doing assert just with count of occurences of substring in
STDOUT, would be possible to improve this somehow?
Maybe, but frankly, I don't see how. In this case we are making sure
that both simple and CA-specific RUVs of a replica are displayed. The
format of the output is strict:
Replica Update Vectors:
replica1_hostname:389: RUV_id
replica2_hostname:389: RUV_id
Certificate Server Replica Update Vectors:
replica1_hostname:389: RUV_id
replica2_hostname:389: RUV_id
If we do not see 2 occurrences of the replica hostname than definitely
something went wrong
3)
I'm not sure if clean-ruv is instant operations or there is some magic
happening in background (we have abort-clean-ruv). Maybe some sleep
should be there, but this needs investigation.
+assert(replica.hostname in result2.stdout_text), (
+"The wrong RUV was deleted")
+result3 = master.run_command(['ipa-replica-manage', 'list-ruv',
+ '-p',
master.config.dirman_password])
+assert(result3.stdout_text.count(replica.hostname) == 1), (
+"CA RUV of the replica is still displayed")
Based on my discussion with Stanislav Laznicka, I understood that by
default clean-ruv does not return the shell until the operation is
finished. You can force dropping into the shell by pressing CTRL+C, in
which case the background job will still be running, but this is not
the default behavior
Test failed:
result4 = master.run_command(['ipa-replica-manage', 'list-ruv',
'-p', master.config.dirman_password])
> assert(replica.hostname not in result4.stdout_text), (
"replica's RUV is still displayed")
E AssertionError: replica's RUV is still displayed
E assert 'replica3.ipa.test' not in 'Replica Update
V...ipa.test:389: 8\n'
E 'replica3.ipa.test' is contained here:
E Replica Update Vectors:
E \tmaster.ipa.test:389: 4
E \treplica3.ipa.test:389: 3
E \treplica2.ipa.test:389: 7
E
