Re: [Freeipa-devel] [PATCH 0003] Test validity of URIs in certificate

[Lenka Doudova]

On 08/10/2016 05:48 PM, Martin Basti wrote:




On 08.08.2016 10:30, Martin Basti wrote:




On 02.08.2016 14:50, Lenka Doudova wrote:




On 07/29/2016 11:43 AM, Lenka Doudova wrote:




On 07/29/2016 11:41 AM, Lenka Doudova wrote:


On 07/28/2016 01:35 PM, Peter Lacko wrote:

Hops, fixed.

Peter


- Original Message -
From: "Lenka Doudova"
To:freeipa-devel@redhat.com
Sent: Thursday, July 28, 2016 1:32:25 PM
Subject: Re: [Freeipa-devel] [PATCH 0003] Test validity of URIs in  
certificate

Hi,

I cannot find any attached patch :)

Lenka


On 07/28/2016 01:30 PM, Peter Lacko wrote:

Attached you can find a patch adding test for URIs in generated certificate
ipatests/test_xmlrpc/test_cert_plugin.py
Since I'm leaving Red Hat in end of July, I won't be able to modify this patch 
anymore.

Regards,

Peter





Hi,

NACK. Code looks fine and works well on master branch, but patch 
does not apply on 4-3 and 4-2 branches.
Peter left the company but claimed he can fix the patch if 
necessary, I'll communicate it with him or fix it myself.


Lenka



Oh, and forgot this one - PEP8 error:
./ipatests/test_xmlrpc/test_cert_plugin.py:191:80: E501 line too 
long (105 > 79 characters)


Lenka



Hi,

since Peter has quit already, I took it upon myself to do minor fix 
and rebase to the patch.
1) i removed pylint disable comments from the patch, as they were 
unnecessary (this also solved PEP8 error)

2) I rebased the patch to be applicable for ipa-4-3 branch.
Original functionality of the patch remains unchanged.

Both fixed patches attached.

Lenka




Hello,

1)
This is not needed
+global sn
+
+result = api.Command.cert_show(sn, out=unicode(self.certfile))

you need the global statement only for write access. But sn is not assigned in 
this code block.

2)
I prefer to use instance attributes (self.sn) instead of global variables


As we figured out, pytest creates for each test new instance of class, 
so 2) will not fork.

Please fix only 1), sorry.

Martin^2

Hi,
attached fixed patches for master and 4.3 branches.

Lenka




Martin^2






From 0c11503843cd4c69549751cbb3e2113e79f196d6 Mon Sep 17 00:00:00 2001
From: Peter Lacko 
Date: Fri, 15 Jul 2016 16:55:51 +0200
Subject: [PATCH] Test URIs in certificate.

Test that CRL URI and OCSP URI are present and correct in generated certificate.

https://fedorahosted.org/freeipa/ticket/5881
---
 ipatests/test_xmlrpc/test_cert_plugin.py | 49 
 1 file changed, 37 insertions(+), 12 deletions(-)

diff --git a/ipatests/test_xmlrpc/test_cert_plugin.py b/ipatests/test_xmlrpc/test_cert_plugin.py
index a3839d0f79af7208bc2e9ce54183dec288f79ff1..d6a0bca72a272cd51e7da7728fd1a2618a27ff7a 100644
--- a/ipatests/test_xmlrpc/test_cert_plugin.py
+++ b/ipatests/test_xmlrpc/test_cert_plugin.py
@@ -19,24 +19,26 @@
 """
 Test the `ipalib/plugins/cert.py` module against a RA.
 """
+from __future__ import print_function
 
 import sys
+import base64
+import nose
 import os
+import pytest
 import shutil
-from nose.tools import raises, assert_raises  # pylint: disable=E0611
 
-from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test, assert_attr_equal
+import six
+import tempfile
 from ipalib import api
 from ipalib import errors
 from ipalib import x509
-import tempfile
-from ipapython import ipautil
-import six
-import nose
-import base64
 from ipaplatform.paths import paths
+from ipapython import ipautil
 from ipapython.dn import DN
-import pytest
+from ipapython.ipautil import run
+from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test, assert_attr_equal
+from nose.tools import raises, assert_raises
 
 if six.PY3:
 unicode = str
@@ -44,6 +46,11 @@ if six.PY3:
 # So we can save the cert from issuance and compare it later
 cert = None
 newcert = None
+sn = None
+
+_DOMAIN = api.env.domain
+_EXP_CRL_URI = ''.join(['http://ipa-ca.', _DOMAIN, '/ipa/crl/MasterCRL.bin'])
+_EXP_OCSP_URI = ''.join(['http://ipa-ca.', _DOMAIN, '/ca/ocsp'])
 
 def is_db_configured():
 """
@@ -82,6 +89,8 @@ class test_cert(XMLRPC_test):
 
 if 'cert_request' not in api.Command:
 raise nose.SkipTest('cert_request not registered')
+if 'cert_show' not in api.Command:
+raise nose.SkipTest('cert_show not registered')
 
 is_db_configured()
 
@@ -94,6 +103,7 @@ class test_cert(XMLRPC_test):
 self.reqdir = tempfile.mkdtemp(prefix = "tmp-")
 self.reqfile = self.reqdir + "/test.csr"
 self.pwname = self.reqdir + "/pwd"
+self.certfile = self.reqdir + "/cert.crt"
 
 # Create an empty password file
 fp = open(self.pwname, "w")
@@ -144,13 +154,15 @@ class test_cert(XMLRPC_test):
 Test the `xmlrpc.cert_request` method with --add.
 """
 # Our host should exist from previous test
-global cert
+global cert, sn
 
 csr = unicode(self.generateCSR(str(self.subject)))
 res = api.Command['cert_request'](csr, principal=self.service_pr

Re: [Freeipa-devel] [PATCH 0058] Make get_entries not ignore its size_limit argument

[Jan Cholasta]

On 2.8.2016 13:47, Stanislav Laznicka wrote:

On 07/19/2016 09:20 AM, Jan Cholasta wrote:

Hi,

On 14.7.2016 14:36, Stanislav Laznicka wrote:

Hello,

This patch fixes https://fedorahosted.org/freeipa/ticket/5640.

With not so much experience with the framework, it raises question in my
head whether ipaldap.get_entries is used properly throughout the system
- does it always assume that it gets ALL the requested entries or just a
few of those as configured by the 'ipaSearchRecordsLimit' attribute of
ipaConfig.etc which it actually gets?


That depends. If you call get_entries() on the ldap2 plugin (which is
usually the case in the framework), then ipaSearchRecordsLimit is
used. If you call it on some arbitrary LDAPClient instance, the
hardcoded default (= unlimited) is used.



One spot that I know the get_entries method was definitely not used
properly before this patch is in the
baseldap.LDAPObject.get_memberindirect() method:

 692 result = self.backend.get_entries(
 693 self.api.env.basedn,
 694 filter=filter,
 695 attrs_list=['member'],
 696 size_limit=-1, # paged search will get everything
anyway
 697 paged_search=True)

which to me seems kind of important if the environment size_limit is not
set properly :) The patch does not fix the non-propagation of the
paged_search, though.


Why do you think size_limit is not used properly here?

AFAIU it is desired that the search is unlimited. However, due to the
fact that neither size_limit nor paged_search are passed from
ldap2.get_entries() to ldap2.find_entries() (methods inherited from
LDAPClient), only the number of records specified by
ipaSearchRecordsLimit is returned. That could eventually cause problems
should ipaSearchRecordsLimit be set to a low value as in the ticket.


I see. This is *not* intentional, the **kwargs of get_entries() should 
be passed to find_entries(). This definitely needs to be fixed.




Anyway, this ticket is not really easily fixable without more profound
changes. Often, multiple LDAP searches are done during command
execution. What do you do with the size limit then? Do you pass the
same size limit to all the searches? Do you subtract the result size
from the size limit after each search? Do you do something else with
it? ... The answer is that it depends on the purpose of each
individual LDAP search (like in get_memberindirect() above, we have to
do unlimited search, otherwise the resulting entry would be
incomplete), and fixing this accross the whole framework is a
non-trivial task.


I do realize that the proposed fix for the permission plugin is not
perfect, it would probably be better to subtract the number of currently
loaded records from the sizelimit, although in the end the number of
returned values will not be higher than the given size_limit.  However,
it seems reasonable that if get_entries is passed a size limit, it
should apply it over current ipaSearchRecordsLimit rather than ignoring
it. Then, any use of get_entries could be fixed accordingly if someone
sees fit.



Right. Anyway, this is a different issue than above, so please put this 
into a separate commit.


--
Jan Cholasta

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] Karma Requests for Dogtag 10.3.5-1 and ldapjdk

[Matthew Harmsen]

On 08/10/2016 10:59 AM, Ben Lipton wrote:

On 08/10/2016 12:21 PM, Matthew Harmsen wrote:


*The following candidate builds of Dogtag 10.3.5 and ldapjdk on 
Fedora 24, 25, and 26 (rawhide) consist of the following:*


  * *Fedora 24:*
  o *dogtag-pki-10.3.5-1.fc24
*
  o *dogtag-pki-theme-10.3.5-1.fc24
*
  o *pki-core-10.3.5-1.fc24
*
  o *pki-console-10.3.5-1.fc24
*
  o *ldapjdk-4.18-19.fc24
*
  * *Fedora 25:*
  o *dogtag-pki-10.3.5-1.fc25
*
  o *dogtag-pki-theme-10.3.5-1.fc25
*
  o *pki-core-10.3.5-1.fc25
*
  o *pki-console-10.3.5-1.fc25
*
  o *ldapjdk-4.18-19.fc25
*
  * *Fedora 26 (rawhide):*
  o *dogtag-pki-10.3.5-1.fc26
*
  o *dogtag-pki-theme-10.3.5-1.fc26
*
  o *pki-core-10.3.5-1.fc26
*
  o *pki-console-10.3.5-1.fc26
*
  o *ldapjdk-4.18-19.fc26
*

*Please provide Karma for the following builds:*

  * *Fedora 24:*
  o *https://bodhi.fedoraproject.org/updates/FEDORA-2016-059eb8aaee
dogtag-pki-10.3.5-1.fc24
*
  o *https://bodhi.fedoraproject.org/updates/FEDORA-2016-9f1baf574f
dogtag-pki-theme-10.3.5-1.fc24
*
  o *https://bodhi.fedoraproject.org/updates/FEDORA-2016-4d226a5f7e
pki-core-10.3.5-1.fc24
*
  o *https://bodhi.fedoraproject.org/updates/FEDORA-2016-dd16599bc7
pki-console-10.3.5-1.fc24
*
  o *https://bodhi.fedoraproject.org/updates/FEDORA-2016-1835df9b39
ldapjdk-4.18-19.fc24

*
  * *Fedora 25:*
  o *https://bodhi.fedoraproject.org/updates/FEDORA-2016-85261e13c5
   dogtag-pki-10.3.5-1.fc25*
  o *https://bodhi.fedoraproject.org/updates/FEDORA-2016-3f0224b152
   dogtag-pki-theme-10.3.5-1.fc25*
  o *https://bodhi.fedoraproject.org/updates/FEDORA-2016-0a384ead60
pki-core-10.3.5-1.fc25
*
  o *https://bodhi.fedoraproject.org/updates/FEDORA-2016-849cbeecb1
pki-console-10.3.5-1.fc25
*
  o *https://bodhi.fedoraproject.org/updates/FEDORA-2016-3f6bc9b601
ldapjdk-4.18-19.fc25

*



On Fedora 24 I am unable to upgrade to these packages without manual 
intervention:

[root@vm freeipa]# dnf update --allowerasing --best
Last metadata expiration check: 2:08:29 ago on Wed Aug 10 16:38:24 2016.
Error: nothing provides resteasy-atom-provider >= 3.0.17-1 needed by 
pki-base-java-10.3.5-1.fc24.noarch.
package pki-tools-10.3.5-1.fc24.x86_64 requires pki-base-java = 
10.3.5-1.fc24, but none of the providers can be installed.
nothing provides resteasy-atom-provider >= 3.0.17-1 needed by 
pki-base-java-10.3.5-1.fc24.noarch.
nothing provides resteasy-atom-provider >= 3.0.17-1 needed by 
pki-base-java-10.3.5-1.fc24.noarch.
nothing provides resteasy-atom-provider >= 3.0.17-1 needed by 
pki-base-java-10.3.5-1.fc24.noarch.
nothing provides resteasy-atom-provider >= 3.0.17-1 needed by 
pki-base-java-10.3.5-1.fc24.noarch

[root@vm freeipa]# rpm -q resteasy-atom-provider
resteasy-atom-provider-3.0.6-11.fc24.noarch

Am I doing something wrong, or does the new resteasy need to be added 
back to testing? 
(https://bodhi.fedoraproject.org/updates/FEDORA-2016-d80872c309)


Ben


Ben,

No, the resteasy 3.0.17 builds received bad karma because they were 
utilized with an incompatible pki-core 10.3.3 as used by FreeIPA and the 
packages were thus obsoleted.


This build fixes that problem, but requires the version of resteasy 
3.0.17 that was obsoleted.


We are going

[Freeipa-devel] [Test][patch-0058] Fixed topology tests failures in CI

[Oleg Fayans]

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From 3befa8b390e4c5c02c81ad2efee19acc237c9222 Mon Sep 17 00:00:00 2001
From: Oleg Fayans 
Date: Wed, 10 Aug 2016 20:30:31 +0200
Subject: [PATCH] Fixed expected segment name

Lately replica installation results in creation of a topology segment with
replica being left node, not right node as it used to be. This broke tests that
expected replica to be right node

https://fedorahosted.org/freeipa/ticket/6201
---
 ipatests/test_integration/test_topology.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipatests/test_integration/test_topology.py b/ipatests/test_integration/test_topology.py
index e956563c27eafd84deed5786274a73d0d3594642..8853af71b5834934573bef25f2720de746306e4b 100644
--- a/ipatests/test_integration/test_topology.py
+++ b/ipatests/test_integration/test_topology.py
@@ -117,8 +117,8 @@ class TestTopologyOptions(IntegrationTest):
 "%s: segment not found" % segment['name'])
 # Remove master <-> replica2 segment and make sure that the changes get
 # there through replica1
-deleteme = "%s-to-%s" % (self.master.hostname,
- self.replicas[1].hostname)
+deleteme = "%s-to-%s" % (self.replicas[1].hostname,
+ self.master.hostname)
 returncode, error = tasks.destroy_segment(self.master, deleteme)
 assert returncode == 0, error
 # Wait till replication ends and make sure replica1 does not have
-- 
1.8.3.1

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] 0024 memory leak in ipapwd plugin

[Alexander Bokovoy]

On Wed, 10 Aug 2016, thierry bordaz wrote:



On 08/10/2016 11:24 AM, Alexander Bokovoy wrote:

On Wed, 10 Aug 2016, thierry bordaz wrote:





From 13bb55f9d97f82062f5b496d4164acb562afc7a0 Mon Sep 17 00:00:00 2001

From: Thierry Bordaz 
Date: Tue, 9 Aug 2016 16:46:25 +0200
Subject: [PATCH] ipa-pwd-extop memory leak during passord update

During an extend op password update, there is a test if the
user is changing the password is himself. It uses local Slapi_SDN
variable that are not freed
---
daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c | 8 ++--
1 file changed, 6 insertions(+), 2 deletions(-)

diff --git 
a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c 
b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c

index 6a87a27..2eda6c6 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -398,16 +398,20 @@ parse_req_done:
   /* if the user changing the password is self, we must 
request the

* old password and verify it matches the current one before
* proceeding with the password change */
-bind_sdn = slapi_sdn_new_dn_byref(bindDN);
-target_sdn = slapi_sdn_new_dn_byref(dn);
+bind_sdn = slapi_sdn_new_dn_byval(bindDN);
+target_sdn = slapi_sdn_new_dn_byval(dn);
   if (!bind_sdn || !target_sdn) {
   LOG_OOM();
+slapi_sdn_free(&bind_sdn);
+slapi_sdn_free(&target_sdn);
   rc = LDAP_OPERATIONS_ERROR;
   goto free_and_return;
   }
   /* this one will normalize and compare, so difference in 
case will be

* correctly handled */
   ret = slapi_sdn_compare(bind_sdn, target_sdn);
+slapi_sdn_free(&bind_sdn);
+slapi_sdn_free(&target_sdn);
   if (ret == 0) {
   Slapi_Value *cpw[2] = { NULL, NULL };
   Slapi_Value *pw;

I would prefer to unify memory freeing. Because slapi_sdn_compare() can
be run with NULL arguments (it will return 0), and slapi_sdn_free() is
no-op for NULL argument, you can actually do comparison, then free the
SDNs and then do error handling:


bind_sdn = slapi_sdn_new_dn_byval(bindDN);
target_sdn = slapi_sdn_new_dn_byval(dn);

rc = (!bind_sdn || !target_sdn) ? LDAP_OPERATIONS_ERROR : 0;
ret = slapi_sdn_compare(bind_sdn, target_sdn);

slapi_sdn_free(&bind_sdn);
slapi_sdn_free(&target_sdn);

if (rc != 0) {
   LOG_OOM();
   goto free_and_return;
}

if (ret == 0) {
 
}




--
2.7.4




--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code




Thanks again Alexander for the review. Here is the revisited patch



From db4211d855b4d21354dc619952b2b2e1ad31f3b9 Mon Sep 17 00:00:00 2001
From: Thierry Bordaz 
Date: Tue, 9 Aug 2016 16:46:25 +0200
Subject: [PATCH] ipa-pwd-extop memory leak during passord update

During an extend op password update, there is a test if the
user is changing the password is himself. It uses local Slapi_SDN
variable that are not freed
---
.../ipa-pwd-extop/ipa_pwd_extop.c  | 24 +++---
1 file changed, 17 insertions(+), 7 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c 
b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index 6a87a27..eaca0dc 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -398,16 +398,26 @@ parse_req_done:
/* if the user changing the password is self, we must request the
 * old password and verify it matches the current one before
 * proceeding with the password change */
-bind_sdn = slapi_sdn_new_dn_byref(bindDN);
-target_sdn = slapi_sdn_new_dn_byref(dn);
-if (!bind_sdn || !target_sdn) {
-LOG_OOM();
-rc = LDAP_OPERATIONS_ERROR;
-goto free_and_return;
-}
+bind_sdn = slapi_sdn_new_dn_byval(bindDN);
+target_sdn = slapi_sdn_new_dn_byval(dn);
+
+rc = (!bind_sdn || !target_sdn) ? LDAP_OPERATIONS_ERROR : 0;
+
/* this one will normalize and compare, so difference in case will be
 * correctly handled */
ret = slapi_sdn_compare(bind_sdn, target_sdn);
+
+slapi_sdn_free(&bind_sdn);
+slapi_sdn_free(&target_sdn);
+
+/* rc should always be 0 (else slapi_sdn_new_dn_byref should have 
sigsev)
+ * but if we end in rc==LDAP_OPERATIONS_ERROR be sure to stop here
+ * because ret is not significant */

A short note here. You talk about slapi_sdn_new_dn_byref() but your
patch replaces that with slapi_sdn_new_dn_byval(). Does the comment
still apply?


+if (rc != 0) {
+LOG_OOM();
+goto free_and_return;
+}
+
if (ret == 0) {
Slapi_Value *cpw[2] = { NULL, NULL };
Slapi_Value *pw;
--
2.7.4




--
/

Re: [Freeipa-devel] Karma Requests for Dogtag 10.3.5-1 and ldapjdk

[Ben Lipton]

On 08/10/2016 12:21 PM, Matthew Harmsen wrote:


*The following candidate builds of Dogtag 10.3.5 and ldapjdk on Fedora 
24, 25, and 26 (rawhide) consist of the following:*


  * *Fedora 24:*
  o *dogtag-pki-10.3.5-1.fc24
*
  o *dogtag-pki-theme-10.3.5-1.fc24
*
  o *pki-core-10.3.5-1.fc24
*
  o *pki-console-10.3.5-1.fc24
*
  o *ldapjdk-4.18-19.fc24
*
  * *Fedora 25:*
  o *dogtag-pki-10.3.5-1.fc25
*
  o *dogtag-pki-theme-10.3.5-1.fc25
*
  o *pki-core-10.3.5-1.fc25
*
  o *pki-console-10.3.5-1.fc25
*
  o *ldapjdk-4.18-19.fc25
*
  * *Fedora 26 (rawhide):*
  o *dogtag-pki-10.3.5-1.fc26
*
  o *dogtag-pki-theme-10.3.5-1.fc26
*
  o *pki-core-10.3.5-1.fc26
*
  o *pki-console-10.3.5-1.fc26
*
  o *ldapjdk-4.18-19.fc26
*

*Please provide Karma for the following builds:*

  * *Fedora 24:*
  o *https://bodhi.fedoraproject.org/updates/FEDORA-2016-059eb8aaee
dogtag-pki-10.3.5-1.fc24
*
  o *https://bodhi.fedoraproject.org/updates/FEDORA-2016-9f1baf574f
dogtag-pki-theme-10.3.5-1.fc24
*
  o *https://bodhi.fedoraproject.org/updates/FEDORA-2016-4d226a5f7e
pki-core-10.3.5-1.fc24
*
  o *https://bodhi.fedoraproject.org/updates/FEDORA-2016-dd16599bc7
pki-console-10.3.5-1.fc24
*
  o *https://bodhi.fedoraproject.org/updates/FEDORA-2016-1835df9b39
ldapjdk-4.18-19.fc24

*
  * *Fedora 25:*
  o *https://bodhi.fedoraproject.org/updates/FEDORA-2016-85261e13c5
   dogtag-pki-10.3.5-1.fc25*
  o *https://bodhi.fedoraproject.org/updates/FEDORA-2016-3f0224b152
   dogtag-pki-theme-10.3.5-1.fc25*
  o *https://bodhi.fedoraproject.org/updates/FEDORA-2016-0a384ead60
pki-core-10.3.5-1.fc25
*
  o *https://bodhi.fedoraproject.org/updates/FEDORA-2016-849cbeecb1
pki-console-10.3.5-1.fc25
*
  o *https://bodhi.fedoraproject.org/updates/FEDORA-2016-3f6bc9b601
ldapjdk-4.18-19.fc25

*



On Fedora 24 I am unable to upgrade to these packages without manual 
intervention:

[root@vm freeipa]# dnf update --allowerasing --best
Last metadata expiration check: 2:08:29 ago on Wed Aug 10 16:38:24 2016.
Error: nothing provides resteasy-atom-provider >= 3.0.17-1 needed by 
pki-base-java-10.3.5-1.fc24.noarch.
package pki-tools-10.3.5-1.fc24.x86_64 requires pki-base-java = 
10.3.5-1.fc24, but none of the providers can be installed.
nothing provides resteasy-atom-provider >= 3.0.17-1 needed by 
pki-base-java-10.3.5-1.fc24.noarch.
nothing provides resteasy-atom-provider >= 3.0.17-1 needed by 
pki-base-java-10.3.5-1.fc24.noarch.
nothing provides resteasy-atom-provider >= 3.0.17-1 needed by 
pki-base-java-10.3.5-1.fc24.noarch.
nothing provides resteasy-atom-provider >= 3.0.17-1 needed by 
pki-base-java-10.3.5-1.fc24.noarch

[root@vm freeipa]# rpm -q resteasy-atom-provider
resteasy-atom-provider-3.0.6-11.fc24.noarch

Am I doing something wrong, or does the new resteasy need to be added 
back to testing? 
(https://bodhi.fedoraproject.org/updates/FEDORA-2016-d80872c309)


Ben
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] 0024 memory leak in ipapwd plugin

[thierry bordaz]

On 08/10/2016 11:24 AM, Alexander Bokovoy wrote:

On Wed, 10 Aug 2016, thierry bordaz wrote:





From 13bb55f9d97f82062f5b496d4164acb562afc7a0 Mon Sep 17 00:00:00 2001

From: Thierry Bordaz 
Date: Tue, 9 Aug 2016 16:46:25 +0200
Subject: [PATCH] ipa-pwd-extop memory leak during passord update

During an extend op password update, there is a test if the
user is changing the password is himself. It uses local Slapi_SDN
variable that are not freed
---
daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c | 8 ++--
1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c 
b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c

index 6a87a27..2eda6c6 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -398,16 +398,20 @@ parse_req_done:
/* if the user changing the password is self, we must request 
the

 * old password and verify it matches the current one before
 * proceeding with the password change */
-bind_sdn = slapi_sdn_new_dn_byref(bindDN);
-target_sdn = slapi_sdn_new_dn_byref(dn);
+bind_sdn = slapi_sdn_new_dn_byval(bindDN);
+target_sdn = slapi_sdn_new_dn_byval(dn);
if (!bind_sdn || !target_sdn) {
LOG_OOM();
+slapi_sdn_free(&bind_sdn);
+slapi_sdn_free(&target_sdn);
rc = LDAP_OPERATIONS_ERROR;
goto free_and_return;
}
/* this one will normalize and compare, so difference in case 
will be

 * correctly handled */
ret = slapi_sdn_compare(bind_sdn, target_sdn);
+slapi_sdn_free(&bind_sdn);
+slapi_sdn_free(&target_sdn);
if (ret == 0) {
Slapi_Value *cpw[2] = { NULL, NULL };
Slapi_Value *pw;

I would prefer to unify memory freeing. Because slapi_sdn_compare() can
be run with NULL arguments (it will return 0), and slapi_sdn_free() is
no-op for NULL argument, you can actually do comparison, then free the
SDNs and then do error handling:


 bind_sdn = slapi_sdn_new_dn_byval(bindDN);
 target_sdn = slapi_sdn_new_dn_byval(dn);

 rc = (!bind_sdn || !target_sdn) ? LDAP_OPERATIONS_ERROR : 0;
 ret = slapi_sdn_compare(bind_sdn, target_sdn);

 slapi_sdn_free(&bind_sdn);
 slapi_sdn_free(&target_sdn);

 if (rc != 0) {
LOG_OOM();
goto free_and_return;
 }

 if (ret == 0) {
  
 }




--
2.7.4




--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code




Thanks again Alexander for the review. Here is the revisited patch
>From db4211d855b4d21354dc619952b2b2e1ad31f3b9 Mon Sep 17 00:00:00 2001
From: Thierry Bordaz 
Date: Tue, 9 Aug 2016 16:46:25 +0200
Subject: [PATCH] ipa-pwd-extop memory leak during passord update

During an extend op password update, there is a test if the
user is changing the password is himself. It uses local Slapi_SDN
variable that are not freed
---
 .../ipa-pwd-extop/ipa_pwd_extop.c  | 24 +++---
 1 file changed, 17 insertions(+), 7 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index 6a87a27..eaca0dc 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -398,16 +398,26 @@ parse_req_done:
 /* if the user changing the password is self, we must request the
  * old password and verify it matches the current one before
  * proceeding with the password change */
-bind_sdn = slapi_sdn_new_dn_byref(bindDN);
-target_sdn = slapi_sdn_new_dn_byref(dn);
-if (!bind_sdn || !target_sdn) {
-LOG_OOM();
-rc = LDAP_OPERATIONS_ERROR;
-goto free_and_return;
-}
+bind_sdn = slapi_sdn_new_dn_byval(bindDN);
+target_sdn = slapi_sdn_new_dn_byval(dn);
+
+rc = (!bind_sdn || !target_sdn) ? LDAP_OPERATIONS_ERROR : 0;
+
 /* this one will normalize and compare, so difference in case will be
  * correctly handled */
 ret = slapi_sdn_compare(bind_sdn, target_sdn);
+
+slapi_sdn_free(&bind_sdn);
+slapi_sdn_free(&target_sdn);
+
+/* rc should always be 0 (else slapi_sdn_new_dn_byref should have sigsev)
+ * but if we end in rc==LDAP_OPERATIONS_ERROR be sure to stop here
+ * because ret is not significant */
+if (rc != 0) {
+LOG_OOM();
+goto free_and_return;
+}
+
 if (ret == 0) {
 Slapi_Value *cpw[2] = { NULL, NULL };
 Slapi_Value *pw;
-- 
2.7.4

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page

[Freeipa-devel] Karma Requests for Dogtag 10.3.5-1 and ldapjdk

[Matthew Harmsen]

*The following candidate builds of Dogtag 10.3.5 and ldapjdk on Fedora 
24, 25, and 26 (rawhide) consist of the following:*


 * *Fedora 24:*
 o *dogtag-pki-10.3.5-1.fc24
   *
 o *dogtag-pki-theme-10.3.5-1.fc24
   *
 o *pki-core-10.3.5-1.fc24
   *
 o *pki-console-10.3.5-1.fc24
   *
 o *ldapjdk-4.18-19.fc24
   *
 * *Fedora 25:*
 o *dogtag-pki-10.3.5-1.fc25
   *
 o *dogtag-pki-theme-10.3.5-1.fc25
   *
 o *pki-core-10.3.5-1.fc25
   *
 o *pki-console-10.3.5-1.fc25
   *
 o *ldapjdk-4.18-19.fc25
   *
 * *Fedora 26 (rawhide):*
 o *dogtag-pki-10.3.5-1.fc26
   *
 o *dogtag-pki-theme-10.3.5-1.fc26
   *
 o *pki-core-10.3.5-1.fc26
   *
 o *pki-console-10.3.5-1.fc26
   *
 o *ldapjdk-4.18-19.fc26
   *

*Please provide Karma for the following builds:*

 * *Fedora 24:*
 o *https://bodhi.fedoraproject.org/updates/FEDORA-2016-059eb8aaee
   dogtag-pki-10.3.5-1.fc24
   *
 o *https://bodhi.fedoraproject.org/updates/FEDORA-2016-9f1baf574f
   dogtag-pki-theme-10.3.5-1.fc24
   *
 o *https://bodhi.fedoraproject.org/updates/FEDORA-2016-4d226a5f7e
   pki-core-10.3.5-1.fc24
   *
 o *https://bodhi.fedoraproject.org/updates/FEDORA-2016-dd16599bc7
   pki-console-10.3.5-1.fc24
   *
 o *https://bodhi.fedoraproject.org/updates/FEDORA-2016-1835df9b39
   ldapjdk-4.18-19.fc24
   
   *
 * *Fedora 25:*
 o *https://bodhi.fedoraproject.org/updates/FEDORA-2016-85261e13c5
   dogtag-pki-10.3.5-1.fc25*
 o *https://bodhi.fedoraproject.org/updates/FEDORA-2016-3f0224b152
   dogtag-pki-theme-10.3.5-1.fc25*
 o *https://bodhi.fedoraproject.org/updates/FEDORA-2016-0a384ead60
   pki-core-10.3.5-1.fc25
   *
 o *https://bodhi.fedoraproject.org/updates/FEDORA-2016-849cbeecb1
   pki-console-10.3.5-1.fc25
   *
 o *https://bodhi.fedoraproject.org/updates/FEDORA-2016-3f6bc9b601
   ldapjdk-4.18-19.fc25
   
   *

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0003] Test validity of URIs in certificate

[Martin Basti]

On 08.08.2016 10:30, Martin Basti wrote:




On 02.08.2016 14:50, Lenka Doudova wrote:




On 07/29/2016 11:43 AM, Lenka Doudova wrote:




On 07/29/2016 11:41 AM, Lenka Doudova wrote:


On 07/28/2016 01:35 PM, Peter Lacko wrote:

Hops, fixed.

Peter


- Original Message -
From: "Lenka Doudova"
To:freeipa-devel@redhat.com
Sent: Thursday, July 28, 2016 1:32:25 PM
Subject: Re: [Freeipa-devel] [PATCH 0003] Test validity of URIs in  
certificate

Hi,

I cannot find any attached patch :)

Lenka


On 07/28/2016 01:30 PM, Peter Lacko wrote:

Attached you can find a patch adding test for URIs in generated certificate
ipatests/test_xmlrpc/test_cert_plugin.py
Since I'm leaving Red Hat in end of July, I won't be able to modify this patch 
anymore.

Regards,

Peter





Hi,

NACK. Code looks fine and works well on master branch, but patch 
does not apply on 4-3 and 4-2 branches.
Peter left the company but claimed he can fix the patch if 
necessary, I'll communicate it with him or fix it myself.


Lenka



Oh, and forgot this one - PEP8 error:
./ipatests/test_xmlrpc/test_cert_plugin.py:191:80: E501 line too 
long (105 > 79 characters)


Lenka



Hi,

since Peter has quit already, I took it upon myself to do minor fix 
and rebase to the patch.
1) i removed pylint disable comments from the patch, as they were 
unnecessary (this also solved PEP8 error)

2) I rebased the patch to be applicable for ipa-4-3 branch.
Original functionality of the patch remains unchanged.

Both fixed patches attached.

Lenka




Hello,

1)
This is not needed
+global sn
+
+result = api.Command.cert_show(sn, out=unicode(self.certfile))

you need the global statement only for write access. But sn is not assigned in 
this code block.

2)
I prefer to use instance attributes (self.sn) instead of global variables


As we figured out, pytest creates for each test new instance of class, 
so 2) will not fork.

Please fix only 1), sorry.

Martin^2



Martin^2




-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0213] support multiple uid values in slapi-nis users map

[thierry bordaz]

On 08/10/2016 04:37 PM, thierry bordaz wrote:



On 08/10/2016 12:51 PM, Alexander Bokovoy wrote:

On Wed, 10 Aug 2016, Alexander Bokovoy wrote:

On Wed, 10 Aug 2016, thierry bordaz wrote:



On 08/09/2016 01:38 PM, Alexander Bokovoy wrote:

On Tue, 09 Aug 2016, thierry bordaz wrote:



On 08/09/2016 12:49 PM, Martin Basti wrote:



On 08.08.2016 17:30, thierry bordaz wrote:



On 08/08/2016 05:20 PM, Alexander Bokovoy wrote:

On Mon, 08 Aug 2016, thierry bordaz wrote:



On 08/08/2016 04:20 PM, Alexander Bokovoy wrote:

On Mon, 08 Aug 2016, thierry bordaz wrote:



On 08/08/2016 10:56 AM, Alexander Bokovoy wrote:

On Mon, 08 Aug 2016, Lukas Slebodnik wrote:

On (08/08/16 11:35), Alexander Bokovoy wrote:

On Mon, 08 Aug 2016, Martin Basti wrote:



On 08.08.2016 09:34, Alexander Bokovoy wrote:
When SSSD resolves AD users on behalf of slapi-nis, it 
can

accept any
user identifier, including user principal name (UPN) 
which may be
different than the canonical user name which SSSD 
returns.


As result, the entry created by slapi-nis will be using

canonical user
name but the filter for search will refer to the 
original (aliased)

name. The search will not match the newly created entry.

The issue is fixed  in slapi-nis-0.56.1 by returning 
two values for
'uid' attribute: the canonical one and the aliased 
one. This way the

search will match.

Standard LDAP schema allows multiple values for 'uid' 
attribute. We
actually use the same trick for 'cn' attribute in the 
groups map

already.

https://fedorahosted.org/freeipa/ticket/6138





Hello,

should we bump requires to slapi-nis-0.56.1 in 
freeipa.spec?
No, this is not required. In Fedora we'll submit a 
combined update --
I've built slapi-nis-0.56.1-1 packages for f24, f25, and 
rawhide already

but did not submit a Bodhi request.

How is combined updated related to requires to 
slapi-nis-0.56.1?

It will not prevent tu update freeipa without new slapi-nis.

e.g.
dnf update freeipa-server.
An update file in FreeIPA that is proposed by this patch 
does not affect
operation of the older slapi-nis deployment once update is 
applied.




Hi,

Is '%first' returning the first value of the attribute 'uid' ?
If there are several values (canonical, alias,... ), does 
the order matters ?
We insert the canonical one first and it seems that 389-ds 
does not
change the order, at least in my tests. You can see the 
output in the

bug https://bugzilla.redhat.com/show_bug.cgi?id=1361123#c2


From ldap pov 
(https://tools.ietf.org/html/rfc4511#section-4.1.7) the order 
of the values is not preserved.
I think it is a bit risky to rely on a specific order 
especially with complex updates (adding several values in a 
single mod, replace) and replication.
would it help to add canonical value with a subtype (e.g. 
'uid;canonical: ') ?

Not sure how what you are mention is relevant here. We talk about
slapi-nis map cache entries which are not modified, replaced or
replicated anywhere by anything other than slapi-nis itself. When
entries are changed by slapi-nis, they are regenerated from 
scratch.


Your worries do not apply here.

ok.
I understand my mistake, I was thinking the compat entry had a 
associated real entry in ldap and this real entry had two uid 
values.




So, could you provide ack thierry?

Martin


Sure but I would have to test first :-)

Alexander, how can I test this ?

slapi-nis 0.56.1-1 packages are available in koji for f24-f26:
http://koji.fedoraproject.org/koji/packageinfo?packageID=6609


Thanks Alexander. So to test this change is there an other way 
(simpler) than setting up AD/trust ?
I don't think so. We don't have UPNs in FreeIPA on the level of 
identity

lookups and we don't allow to lookup identity by email, so you are left
with using a proper AD trust and UPN suffixes in AD forest.

Attached is an updated patch that adds versioned require of slapi-nis
which supports the feature.




Thanks to Lenka, I was able to test the patch with AD trust and a UPN 
suffix.


The tests looks good as 'getent' on a AD user returns user@ADdomain.

Now if I remove the config change in "cn=users,cn=Schema 
Compatibility,cn=plugins,cn=config", I get the same results i.e:

getent passwd upnu...@upnsuffix.com
upnu...@dom-221.idm.lab.eng.brq.redhat.com:*:1965201133:1965201133:UPN 
User:/:



How can I check slapi-nis gets the first value ?

thanks
thierry

acceptance is now completed (successfully).  ACK

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] 965 ca-less tests: fix getting cert in pem format from nssdb

[Martin Basti]

On 06.08.2016 13:16, Petr Vobornik wrote:

On 08/06/2016 12:32 PM, Petr Vobornik wrote:

usage of ipautil.run in  get_pem methond of ca-less tests was not
refactored when the ipautil.run was refactored in
099cf98307d4b2f0ace5d5e28754f264808bf59d

This results in failure of all CA-less test (probably).

Patch is untested though.

https://fedorahosted.org/freeipa/ticket/6177


Original patch doesn't fix the issue. Main culprit is that output is
captured only if capture_output=True is passed to ipautil.run

Previous patch therefore just replaced old usage to new usage.

Attaching fixed path.



ACK

Test, instant triage to 4.3

Pushed to master: 6217d680da5b121ba39e48f8823f21a639261584
Pushed to ipa-4-3: 42d3ec37f5a2692a51cd7db878b7b745d8d4c846

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0213] support multiple uid values in slapi-nis users map

[thierry bordaz]

On 08/10/2016 12:51 PM, Alexander Bokovoy wrote:

On Wed, 10 Aug 2016, Alexander Bokovoy wrote:

On Wed, 10 Aug 2016, thierry bordaz wrote:



On 08/09/2016 01:38 PM, Alexander Bokovoy wrote:

On Tue, 09 Aug 2016, thierry bordaz wrote:



On 08/09/2016 12:49 PM, Martin Basti wrote:



On 08.08.2016 17:30, thierry bordaz wrote:



On 08/08/2016 05:20 PM, Alexander Bokovoy wrote:

On Mon, 08 Aug 2016, thierry bordaz wrote:



On 08/08/2016 04:20 PM, Alexander Bokovoy wrote:

On Mon, 08 Aug 2016, thierry bordaz wrote:



On 08/08/2016 10:56 AM, Alexander Bokovoy wrote:

On Mon, 08 Aug 2016, Lukas Slebodnik wrote:

On (08/08/16 11:35), Alexander Bokovoy wrote:

On Mon, 08 Aug 2016, Martin Basti wrote:



On 08.08.2016 09:34, Alexander Bokovoy wrote:

When SSSD resolves AD users on behalf of slapi-nis, it can

accept any
user identifier, including user principal name (UPN) 
which may be

different than the canonical user name which SSSD returns.

As result, the entry created by slapi-nis will be using

canonical user
name but the filter for search will refer to the 
original (aliased)

name. The search will not match the newly created entry.

The issue is fixed  in slapi-nis-0.56.1 by returning 
two values for
'uid' attribute: the canonical one and the aliased one. 
This way the

search will match.

Standard LDAP schema allows multiple values for 'uid' 
attribute. We
actually use the same trick for 'cn' attribute in the 
groups map

already.

https://fedorahosted.org/freeipa/ticket/6138





Hello,

should we bump requires to slapi-nis-0.56.1 in 
freeipa.spec?
No, this is not required. In Fedora we'll submit a 
combined update --
I've built slapi-nis-0.56.1-1 packages for f24, f25, and 
rawhide already

but did not submit a Bodhi request.

How is combined updated related to requires to 
slapi-nis-0.56.1?

It will not prevent tu update freeipa without new slapi-nis.

e.g.
dnf update freeipa-server.
An update file in FreeIPA that is proposed by this patch 
does not affect
operation of the older slapi-nis deployment once update is 
applied.




Hi,

Is '%first' returning the first value of the attribute 'uid' ?
If there are several values (canonical, alias,... ), does 
the order matters ?
We insert the canonical one first and it seems that 389-ds 
does not
change the order, at least in my tests. You can see the 
output in the

bug https://bugzilla.redhat.com/show_bug.cgi?id=1361123#c2


From ldap pov 
(https://tools.ietf.org/html/rfc4511#section-4.1.7) the order 
of the values is not preserved.
I think it is a bit risky to rely on a specific order 
especially with complex updates (adding several values in a 
single mod, replace) and replication.
would it help to add canonical value with a subtype (e.g. 
'uid;canonical: ') ?

Not sure how what you are mention is relevant here. We talk about
slapi-nis map cache entries which are not modified, replaced or
replicated anywhere by anything other than slapi-nis itself. When
entries are changed by slapi-nis, they are regenerated from 
scratch.


Your worries do not apply here.

ok.
I understand my mistake, I was thinking the compat entry had a 
associated real entry in ldap and this real entry had two uid 
values.




So, could you provide ack thierry?

Martin


Sure but I would have to test first :-)

Alexander, how can I test this ?

slapi-nis 0.56.1-1 packages are available in koji for f24-f26:
http://koji.fedoraproject.org/koji/packageinfo?packageID=6609


Thanks Alexander. So to test this change is there an other way 
(simpler) than setting up AD/trust ?

I don't think so. We don't have UPNs in FreeIPA on the level of identity
lookups and we don't allow to lookup identity by email, so you are left
with using a proper AD trust and UPN suffixes in AD forest.

Attached is an updated patch that adds versioned require of slapi-nis
which supports the feature.




Thanks to Lenka, I was able to test the patch with AD trust and a UPN 
suffix.


The tests looks good as 'getent' on a AD user returns user@ADdomain.

Now if I remove the config change in "cn=users,cn=Schema 
Compatibility,cn=plugins,cn=config", I get the same results i.e:

getent passwd upnu...@upnsuffix.com
upnu...@dom-221.idm.lab.eng.brq.redhat.com:*:1965201133:1965201133:UPN 
User:/:



How can I check slapi-nis gets the first value ?

thanks
thierry

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0013-0015] Automatic CSR generation - usability improvements

[Ben Lipton]

On 08/10/2016 05:07 AM, Alexander Bokovoy wrote:

On Wed, 10 Aug 2016, Petr Spacek wrote:

On 9.8.2016 22:07, Ben Lipton wrote:

Aaand there's a typo in patch 15. Updated version attached.


Ben,

it would be great if you can always send whole patch set, including the
patches which were not changed from the previous iteration.

It is getting quite hard to follow and mix-and-match patches from 
e-mails into

one patch set.

As a nice to have addition, you can push the whole patch set to 
Github (or

somewhere else) so we can just clone the repo and be done with it :-)

I concur here. I'm a bit lost which patches have what state, jumping
from thread to thread and from response to response. ;)


Ok, I've merged everything into the older thread, and updated the github 
branch with all the changes, old and new. I hope that will be easier to 
follow. Sorry about the confusion!


--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0061] Removing objectclass expectation for LDAP*ReverseMember based commands

[Martin Basti]

On 10.08.2016 11:02, Stanislav Laznicka wrote:

Hello,

I missed some tests in patch to 
https://fedorahosted.org/freeipa/ticket/5892. This patch should fix 
the rest of the additional objectclass expectations mentioned in 
https://fedorahosted.org/freeipa/ticket/6198.




ACK

Pushed to master: 9f26e395e5ed7aee4fef3abebf6c69c2168ac2f2

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [test][patch-0057] test for ticket N 6146 (installing rules with service principals)

[Oleg Fayans]

Hi Martin,

I am sorry, yes it depends on my patches 0049 and 0050.


On 08/10/2016 12:27 PM, Martin Basti wrote:



On 10.08.2016 10:38, Oleg Fayans wrote:





Hello,

I cannot apply this patch
error: ipatests/test_integration/test_certs_in_idoverrides.py: does not
exist in index
It probably depends on another patch (which one?)

Please, use human readable subjects in email, I do not remember from top
of my head what #6146 is.

Martin^2




--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0213] support multiple uid values in slapi-nis users map

[Alexander Bokovoy]

On Wed, 10 Aug 2016, Alexander Bokovoy wrote:

On Wed, 10 Aug 2016, thierry bordaz wrote:



On 08/09/2016 01:38 PM, Alexander Bokovoy wrote:

On Tue, 09 Aug 2016, thierry bordaz wrote:



On 08/09/2016 12:49 PM, Martin Basti wrote:



On 08.08.2016 17:30, thierry bordaz wrote:



On 08/08/2016 05:20 PM, Alexander Bokovoy wrote:

On Mon, 08 Aug 2016, thierry bordaz wrote:



On 08/08/2016 04:20 PM, Alexander Bokovoy wrote:

On Mon, 08 Aug 2016, thierry bordaz wrote:



On 08/08/2016 10:56 AM, Alexander Bokovoy wrote:

On Mon, 08 Aug 2016, Lukas Slebodnik wrote:

On (08/08/16 11:35), Alexander Bokovoy wrote:

On Mon, 08 Aug 2016, Martin Basti wrote:



On 08.08.2016 09:34, Alexander Bokovoy wrote:

When SSSD resolves AD users on behalf of slapi-nis, it can

accept any
user identifier, including user principal 
name (UPN) which may be

different than the canonical user name which SSSD returns.

As result, the entry created by slapi-nis will be using

canonical user
name but the filter for search will refer 
to the original (aliased)

name. The search will not match the newly created entry.

The issue is fixed  in slapi-nis-0.56.1 by 
returning two values for
'uid' attribute: the canonical one and the 
aliased one. This way the

search will match.

Standard LDAP schema allows multiple 
values for 'uid' attribute. We
actually use the same trick for 'cn' 
attribute in the groups map

already.

https://fedorahosted.org/freeipa/ticket/6138





Hello,

should we bump requires to slapi-nis-0.56.1 in freeipa.spec?
No, this is not required. In Fedora we'll 
submit a combined update --
I've built slapi-nis-0.56.1-1 packages for 
f24, f25, and rawhide already

but did not submit a Bodhi request.


How is combined updated related to requires to slapi-nis-0.56.1?
It will not prevent tu update freeipa without new slapi-nis.

e.g.
dnf update freeipa-server.
An update file in FreeIPA that is proposed by this 
patch does not affect
operation of the older slapi-nis deployment once 
update is applied.




Hi,

Is '%first' returning the first value of the attribute 'uid' ?
If there are several values (canonical, alias,... ), 
does the order matters ?

We insert the canonical one first and it seems that 389-ds does not
change the order, at least in my tests. You can see 
the output in the

bug https://bugzilla.redhat.com/show_bug.cgi?id=1361123#c2


From ldap pov 
(https://tools.ietf.org/html/rfc4511#section-4.1.7) the 
order of the values is not preserved.
I think it is a bit risky to rely on a specific order 
especially with complex updates (adding several values 
in a single mod, replace) and replication.
would it help to add canonical value with a subtype 
(e.g. 'uid;canonical: ') ?

Not sure how what you are mention is relevant here. We talk about
slapi-nis map cache entries which are not modified, replaced or
replicated anywhere by anything other than slapi-nis itself. When
entries are changed by slapi-nis, they are regenerated from scratch.

Your worries do not apply here.

ok.
I understand my mistake, I was thinking the compat entry had 
a associated real entry in ldap and this real entry had two 
uid values.




So, could you provide ack thierry?

Martin


Sure but I would have to test first :-)

Alexander, how can I test this ?

slapi-nis 0.56.1-1 packages are available in koji for f24-f26:
http://koji.fedoraproject.org/koji/packageinfo?packageID=6609


Thanks Alexander. So to test this change is there an other way 
(simpler) than setting up AD/trust ?

I don't think so. We don't have UPNs in FreeIPA on the level of identity
lookups and we don't allow to lookup identity by email, so you are left
with using a proper AD trust and UPN suffixes in AD forest.

Attached is an updated patch that adds versioned require of slapi-nis
which supports the feature.


--
/ Alexander Bokovoy
From 4a75c02c66e2ecacb0cb3b6e8c2255805e9f68b5 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Thu, 4 Aug 2016 09:58:50 +0300
Subject: [PATCH 2/5] support multiple uid values in schema compatibility tree

---
 freeipa.spec.in | 4 +++-
 install/updates/10-schema_compat.update | 4 
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 78ab8ca..c8146e1 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -12,9 +12,11 @@
 %if 0%{?rhel}
 %global samba_version 4.0.5-1
 %global selinux_policy_version 3.12.1-153
+%global slapi_nis_version 0.56.0-4
 %else
 %global samba_version 2:4.0.5-1
 %global selinux_policy_version 3.13.1-158.4
+%global slapi_nis_version 0.56.1
 %endif
 
 %define krb5_base_version %(LC_ALL=C rpm -q --qf '%%{VERSION}' krb5-devel | 
grep -Eo '^[^.]+\.[^.]+')
@@ -157,7 +159,7 @@ Requires(pre): systemd-units
 Requires(post): systemd-units
 Requires: selinux-policy >= %{selinux_policy_version}
 Requires(post): selinux-policy-base >= %{selinux_policy_version}
-Requires: slapi-nis >= 0.56.0
+Requires: slapi-nis >= %{slapi_nis_version}
 Requires: pki-ca >= 1

Re: [Freeipa-devel] [test][patch-0057] test for ticket N 6146 (installing rules with service principals)

[Martin Basti]

On 10.08.2016 10:38, Oleg Fayans wrote:





Hello,

I cannot apply this patch
error: ipatests/test_integration/test_certs_in_idoverrides.py: does not 
exist in index

It probably depends on another patch (which one?)

Please, use human readable subjects in email, I do not remember from top 
of my head what #6146 is.


Martin^2
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] 0024 memory leak in ipapwd plugin

[Alexander Bokovoy]

On Wed, 10 Aug 2016, thierry bordaz wrote:





From 13bb55f9d97f82062f5b496d4164acb562afc7a0 Mon Sep 17 00:00:00 2001

From: Thierry Bordaz 
Date: Tue, 9 Aug 2016 16:46:25 +0200
Subject: [PATCH] ipa-pwd-extop memory leak during passord update

During an extend op password update, there is a test if the
user is changing the password is himself. It uses local Slapi_SDN
variable that are not freed
---
daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c | 8 ++--
1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c 
b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index 6a87a27..2eda6c6 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -398,16 +398,20 @@ parse_req_done:
/* if the user changing the password is self, we must request the
 * old password and verify it matches the current one before
 * proceeding with the password change */
-bind_sdn = slapi_sdn_new_dn_byref(bindDN);
-target_sdn = slapi_sdn_new_dn_byref(dn);
+bind_sdn = slapi_sdn_new_dn_byval(bindDN);
+target_sdn = slapi_sdn_new_dn_byval(dn);
if (!bind_sdn || !target_sdn) {
LOG_OOM();
+slapi_sdn_free(&bind_sdn);
+slapi_sdn_free(&target_sdn);
rc = LDAP_OPERATIONS_ERROR;
goto free_and_return;
}
/* this one will normalize and compare, so difference in case will be
 * correctly handled */
ret = slapi_sdn_compare(bind_sdn, target_sdn);
+slapi_sdn_free(&bind_sdn);
+slapi_sdn_free(&target_sdn);
if (ret == 0) {
Slapi_Value *cpw[2] = { NULL, NULL };
Slapi_Value *pw;

I would prefer to unify memory freeing. Because slapi_sdn_compare() can
be run with NULL arguments (it will return 0), and slapi_sdn_free() is
no-op for NULL argument, you can actually do comparison, then free the
SDNs and then do error handling:


 bind_sdn = slapi_sdn_new_dn_byval(bindDN);
 target_sdn = slapi_sdn_new_dn_byval(dn);

 rc = (!bind_sdn || !target_sdn) ? LDAP_OPERATIONS_ERROR : 0;
 ret = slapi_sdn_compare(bind_sdn, target_sdn);

 slapi_sdn_free(&bind_sdn);
 slapi_sdn_free(&target_sdn);

 if (rc != 0) {
LOG_OOM();
goto free_and_return;
 }

 if (ret == 0) {
  
 }




--
2.7.4




--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code



--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0013-0015] Automatic CSR generation - usability improvements

[Alexander Bokovoy]

On Wed, 10 Aug 2016, Petr Spacek wrote:

On 9.8.2016 22:07, Ben Lipton wrote:

Aaand there's a typo in patch 15. Updated version attached.


Ben,

it would be great if you can always send whole patch set, including the
patches which were not changed from the previous iteration.

It is getting quite hard to follow and mix-and-match patches from e-mails into
one patch set.

As a nice to have addition, you can push the whole patch set to Github (or
somewhere else) so we can just clone the repo and be done with it :-)

I concur here. I'm a bit lost which patches have what state, jumping
from thread to thread and from response to response. ;)


--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [PATCH 0061] Removing objectclass expectation for LDAP*ReverseMember based commands

[Stanislav Laznicka]

Hello,

I missed some tests in patch to 
https://fedorahosted.org/freeipa/ticket/5892. This patch should fix the 
rest of the additional objectclass expectations mentioned in 
https://fedorahosted.org/freeipa/ticket/6198.
From 7b39ff355ab70a63e96dd8d9bcc6da3a6930a3ba Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Wed, 10 Aug 2016 10:53:00 +0200
Subject: [PATCH] Removed objectclass from LDAP*ReverseMember based tests

Some tests were broken because of the recent changes in baseldap (#5892)
as they were wrongly expecting an objectclass attribute.

https://fedorahosted.org/freeipa/ticket/6198
---
 ipatests/test_xmlrpc/test_old_permission_plugin.py | 1 -
 ipatests/test_xmlrpc/test_privilege_plugin.py  | 7 ---
 2 files changed, 8 deletions(-)

diff --git a/ipatests/test_xmlrpc/test_old_permission_plugin.py b/ipatests/test_xmlrpc/test_old_permission_plugin.py
index 2328c6742d6996c3c3780f4578a8fe02ba371c11..6d1117b6b33b51d575b3ee40356d4fda8df2533f 100644
--- a/ipatests/test_xmlrpc/test_old_permission_plugin.py
+++ b/ipatests/test_xmlrpc/test_old_permission_plugin.py
@@ -214,7 +214,6 @@ class test_old_permission(Declarative):
 'cn': [privilege1],
 'description': [u'privilege desc. 1'],
 'memberof_permission': [permission1],
-'objectclass': objectclasses.privilege,
 }
 ),
 ),
diff --git a/ipatests/test_xmlrpc/test_privilege_plugin.py b/ipatests/test_xmlrpc/test_privilege_plugin.py
index c375f907f6d379e48934a5375eebaf51e1d27c65..49f6c80b91478047de7c710c24cea55706ccf499 100644
--- a/ipatests/test_xmlrpc/test_privilege_plugin.py
+++ b/ipatests/test_xmlrpc/test_privilege_plugin.py
@@ -149,7 +149,6 @@ class test_privilege(Declarative):
 'cn': [privilege1],
 'description': [u'privilege desc. 1'],
 'memberof_permission': [permission1],
-'objectclass': objectclasses.privilege,
 }
 ),
 ),
@@ -287,7 +286,6 @@ class test_privilege(Declarative):
 'cn': [privilege1],
 'description': [u'privilege desc. 1'],
 'memberof_permission': [permission1, permission2],
-'objectclass': objectclasses.privilege,
 }
 ),
 ),
@@ -310,7 +308,6 @@ class test_privilege(Declarative):
 'cn': [privilege1],
 'description': [u'privilege desc. 1'],
 'memberof_permission': [permission1, permission2],
-'objectclass': objectclasses.privilege,
 }
 ),
 ),
@@ -387,7 +384,6 @@ class test_privilege(Declarative):
 'cn': [privilege1],
 'description': [u'New desc 1'],
 'memberof_permission': [permission2],
-'objectclass': objectclasses.privilege,
 }
 ),
 ),
@@ -410,7 +406,6 @@ class test_privilege(Declarative):
 'cn': [privilege1],
 'description': [u'New desc 1'],
 'memberof_permission': [permission2],
-'objectclass': objectclasses.privilege,
 }
 ),
 ),
@@ -433,7 +428,6 @@ class test_privilege(Declarative):
 'cn': [privilege1],
 'description': [u'New desc 1'],
 'memberof_permission': [permission2],
-'objectclass': objectclasses.privilege,
 }
 ),
 ),
@@ -456,7 +450,6 @@ class test_privilege(Declarative):
 'cn': [privilege1],
 'description': [u'New desc 1'],
 'memberof_permission': [permission2],
-'objectclass': objectclasses.privilege,
 }
 ),
 ),
-- 
2.7.4

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0151-0152] install: Call hostnamectl set-hostname only if --hostname option is use server-install: Fix --hostname option to always override api.env value

[Jan Cholasta]

On 10.8.2016 10:09, Petr Spacek wrote:

On 10.8.2016 08:21, Jan Cholasta wrote:

On 1.8.2016 17:42, Petr Spacek wrote:

On 1.8.2016 08:27, Jan Cholasta wrote:

On 28.7.2016 16:55, Petr Spacek wrote:

On 28.7.2016 16:44, Jan Cholasta wrote:

On 28.7.2016 16:37, Petr Spacek wrote:

On 28.7.2016 16:35, Jan Cholasta wrote:

On 28.7.2016 16:20, Petr Spacek wrote:

Hello,

install: Call hostnamectl set-hostname only if --hostname option is used

This commit also splits hostname backup and configuration into two
separate
functions. This allows us to backup hostname without setting it at the
same time.

https://fedorahosted.org/freeipa/ticket/6071


Note that you can set ca_host in cfg unconditionally, the value is only
valid
during install and is not written anywhere.


I prefer not to set it so the code blows up when we attempt to touch
variables
we should reference in particular setups. I.e. Take this as a first step
towards api.env without invalid values :-)


OK. Use the proper condition then ("if setup_ca:").


Oh, I'm probably blind. Here is revised version.


But you used "if not setup_ca:" rather than "if setup_ca:" :-)


This patch set is cursed!


The host name should not be backed up in server install if we are not changing
it, so that it's not attempted to be changed on uninstall.

Otherwise works for me.


Okay, now I see that ipa-backup/restore is storing the host name in backup
header so we do not need it in sysrestore.

New patches are attached.


Thanks, ACK.

Pushed to master: 80e544e7a98ff22469e9d3a4f7bda2ed234601aa

--
Jan Cholasta

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [test][patch-0057] test for ticket N 6146

[Oleg Fayans]

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From a33a5aea0f12f63d53ff773b3d5e615b1f582d7f Mon Sep 17 00:00:00 2001
From: Oleg Fayans 
Date: Wed, 10 Aug 2016 10:29:59 +0200
Subject: [PATCH] Test for installing rules with service principals

https://fedorahosted.org/freeipa/ticket/6146
---
 .../test_integration/test_certs_in_idoverrides.py  | 82 ++
 1 file changed, 82 insertions(+)

diff --git a/ipatests/test_integration/test_certs_in_idoverrides.py b/ipatests/test_integration/test_certs_in_idoverrides.py
index 9114c4f91cd6378acc53caa068b852ae15670d7a..b9eabdf36abff73d8cd5daab0a1ada2c4dffbca6 100644
--- a/ipatests/test_integration/test_certs_in_idoverrides.py
+++ b/ipatests/test_integration/test_certs_in_idoverrides.py
@@ -10,6 +10,88 @@ from ipatests.test_integration.base import IntegrationTest
 from ipatests.test_integration.tasks import assert_error
 
 
+class TestRulesWithServicePrincipals(IntegrationTest):
+"""
+https://fedorahosted.org/freeipa/ticket/6146
+"""
+
+topology = 'star'
+num_replicas = 0
+service_certprofile = 'caIPAserviceCert'
+caacl = 'test_caacl'
+keytab = "replica.keytab"
+csr = "my.csr"
+csr_conf = "replica.cnf"
+
+@classmethod
+def prepare_config(cls):
+template = """
+req_extensions = v3_req
+distinguished_name = req_distinguished_name
+
+[req_distinguished_name]
+commonName = %s
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = %s
+DNS.2 = %s
+EOF
+"""
+
+contents = template % (cls.replica, cls.replica, cls.master.hostname)
+cls.master.run_command("cat < %s\n%s" % (cls.csr_conf, contents))
+
+@classmethod
+def install(cls, mh):
+super(TestRulesWithServicePrincipals, cls).install(mh)
+master = cls.master
+tasks.kinit_admin(master)
+cls.replica = "replica.%s" % master.domain.name
+master.run_command(['ipa', 'host-add', cls.replica, '--force'])
+cls.service_name = "svc/%s" % master.hostname
+cls.replica_service_name = "svc/%s" % cls.replica
+master.run_command("ipa service-add %s" % cls.service_name)
+master.run_command("ipa service-add %s --force" %
+   cls.replica_service_name)
+master.run_command("ipa service-add-host %s --hosts %s" % (
+cls.service_name, cls.replica))
+master.run_command("ipa caacl-add %s --desc \"test\"" % cls.caacl)
+master.run_command("ipa caacl-add-host %s --hosts %s" % (cls.caacl,
+ cls.replica))
+master.run_command("ipa caacl-add-service %s --services"
+   " svc/`hostname`" % cls.caacl)
+master.run_command("ipa-getkeytab -p host/%s@%s -k %s" % (
+cls.replica, master.domain.realm, cls.keytab))
+master.run_command("kinit -kt %s host/%s" % (cls.keytab, cls.replica))
+
+# Prepare a CSR
+
+cls.prepare_config()
+stdin_text = "qwerty\nqwerty\n%s\n" % cls.replica
+
+master.run_command(['openssl', 'req', '-config', cls.csr_conf, '-new',
+'-out', cls.csr], stdin_text=stdin_text)
+
+def test_rules_with_service_principals(self):
+result = self.master.run_command(['ipa', 'cert-request', self.csr,
+  '--principal', "svc/%s@%s" % (
+  self.replica,
+  self.master.domain.realm),
+  '--profile-id',
+  self.service_certprofile],
+ raiseonerr=False)
+assert(result.returncode == 0), (
+'Failed to add a cert to custom certprofile')
+
+
 class TestCertsInIDOverrides(IntegrationTest):
 topology = "line"
 service_certprofile = 'caIPAserviceCert'
-- 
1.8.3.1

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 687] client: add missing output params to client-side commands

[David Kupka]

On 10/08/16 09:30, Jan Cholasta wrote:

Hi,

the attached patch fixes .

Honza




Works for me, ACK.

Pushed to master: 20ee4a73e7b9e0ccdc7725ff4b87404d5543992e

--
David Kupka

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [PATCH] 0003 Added support for authentication with user certificate

[Tibor Dudlak]

Hi,

I have improved my previous patch for authentication with user
certificate/smartcard.
This patch includes patches and plugin and apache configuration described
here: http://www.freeipa.org/page/V4/External_Authentication/Setup
It also contains steps to configure and test this feature. Once this patch
is merged and released I will simplify this page to not confuse customers.

On Fri, Aug 5, 2016 at 3:58 PM, Petr Vobornik  wrote:

> On 08/05/2016 02:57 PM, Tibor Dudlak wrote:
> >...
>
> Let's assume that we will go with this approach and not separate RPM.
>
> 1. ipa.conf version needs to be bumped
>

We have found another problem with ipa.conf approach so I have moved
configuration of apache for plugin from ipa.conf into completely separated
file to be not configured in FreeIPA by default. As you said it may cause
some security issues and it definitely causes errors when plugin
dependences are not installed nor configured.

2. Do not put the web ui plugin in src/freeipa/plugins dir. That is a
> dir for core UI plugins. This one is sort of hybrid - basically a third
> party plugin added to core package  but enabled as third party because
> the feature is experimental.
>
> Create rather a new dir for that. E.g. plugins.d as Alexander suggested
> ->  freeipa/install/ui/src/plugins.d/cert_auth/cert_auth.js
>
> 3. unrelated and "alternative solution"  comments needs to be removed
> from the UI plugin. They were added to the example plugin
> https://pvoborni.fedorapeople.org/plugins/loginauth/loginauth.js mostly
> to help you with the development.
>
> 4. Add comment to freeipa.spec.in describing what the plugin is and why
> it is put there this way.
>
> 5. The plugin itself deserves better description as well. Right now
> there is the general description.
>
> 6. I have not tried it, but make sure that it passes jslint (`jsl -conf
> jsl.conf`) Easiest may be to use temp(i.e. do not include it here)
> jsl.conf e.g.: https://pvoborni.fedorapeople.
> org/plugins/loginauth/jsl.conf
>
> --
> Petr Vobornik
>

I hope result of jsl http://pastebin.test.redhat.com/400076 means that
things passed.
Thanks Petr for review and I hope this patch will cover all concerns he
had.

Addressing ticket: https://fedorahosted.org/freeipa/ticket/5764

Thank you.

-- 
Tibor Dudlák
Intern - Identity management Special Projects
Red Hat
From 6f5f0632a238182bbd98be9ecd89121a58e1e17a Mon Sep 17 00:00:00 2001
From: Tiboris 
Date: Fri, 5 Aug 2016 11:47:06 +0200
Subject: [PATCH] Added support for authentication with user certificate

https://fedorahosted.org/freeipa/ticket/5764
---
 freeipa.spec.in|   8 +
 install/conf/Makefile.am   |   1 +
 install/conf/xx-ipa-cert-auth.conf |  14 ++
 .../freeipa/plugins-dist/cert_auth/cert_auth.js| 169 +
 ipaserver/plugins/xmlserver.py |   3 +-
 ipaserver/rpcserver.py |   5 +
 6 files changed, 199 insertions(+), 1 deletion(-)
 create mode 100644 install/conf/xx-ipa-cert-auth.conf
 create mode 100644 install/ui/src/freeipa/plugins-dist/cert_auth/cert_auth.js

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 135e9c980011c6c2730c6c29a3c22098e48270d5..19828bc84f1f1d13d4bb0e08a4749da626e9dbb3 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -818,6 +818,10 @@ install daemons/dnssec/ipa-ods-exporter %{buildroot}%{_libexecdir}/ipa/ipa-ods-e
 # Web UI plugin dir
 mkdir -p %{buildroot}%{_usr}/share/ipa/ui/js/plugins
 
+# Experimental external authentication UI plugin - moved into plugins-dist to be disabled by default
+mkdir -p %{buildroot}%{_usr}/share/ipa/ui/js/plugins-dist/cert_auth
+install install/ui/src/freeipa/plugins-dist/cert_auth/cert_auth.js %{buildroot}%{_usr}/share/ipa/ui/js/plugins-dist/cert_auth/cert_auth.js
+
 # DNSSEC config
 mkdir -p %{buildroot}%{_sysconfdir}/ipa/dnssec
 
@@ -1210,6 +1214,9 @@ fi
 %{_usr}/share/ipa/ui/js/freeipa/app.js
 %{_usr}/share/ipa/ui/js/freeipa/core.js
 %dir %{_usr}/share/ipa/ui/js/plugins
+%dir %{_usr}/share/ipa/ui/js/plugins-dist
+%dir %{_usr}/share/ipa/ui/js/plugins-dist/cert_auth
+%{_usr}/share/ipa/ui/js/plugins-dist/cert_auth/cert_auth.js
 %dir %{_usr}/share/ipa/ui/images
 %{_usr}/share/ipa/ui/images/*.jpg
 %{_usr}/share/ipa/ui/images/*.png
@@ -1232,6 +1239,7 @@ fi
 %{_usr}/share/ipa/ipa-rewrite.conf
 %{_usr}/share/ipa/ipa-pki-proxy.conf
 %{_usr}/share/ipa/kdcproxy.conf
+%{_usr}/share/ipa/xx-ipa-cert-auth.conf
 %ghost %attr(0644,root,apache) %config(noreplace) %{_usr}/share/ipa/html/ca.crt
 %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/kerberosauth.xpi
 %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb.con
diff --git a/install/conf/Makefile.am b/install/conf/Makefile.am
index 5daac776f71c5d01187b46d51044a07bf5fd717a..2e6fbb84902c843fa6e43a96191d5cc58a1213c1 100644
--- a/install/conf/Makefile.am
+++ b/install/conf/Makefile.am
@@ -6,6 +6,7 @@ app_DATA =  \
 	ipa-kdc-proxy.co

Re: [Freeipa-devel] [PATCH 0013-0015] Automatic CSR generation - usability improvements

[Petr Spacek]

On 9.8.2016 22:07, Ben Lipton wrote:
> Aaand there's a typo in patch 15. Updated version attached.

Ben,

it would be great if you can always send whole patch set, including the
patches which were not changed from the previous iteration.

It is getting quite hard to follow and mix-and-match patches from e-mails into
one patch set.

As a nice to have addition, you can push the whole patch set to Github (or
somewhere else) so we can just clone the repo and be done with it :-)

Thank you for understanding.

Petr^2 Spacek

> 
> On 08/09/2016 02:22 PM, Ben Lipton wrote:
>> Hello,
>>
>> The attached patches improve upon my last patchset to:
>>
>> 0013: Add support for generating a full script that makes a CSR, rather than
>> just a config, and use that support to automate the full flow from script
>> generation through cert issuance
>> Usage note: the UI for this could probably use work. I currently have the
>> --helper-args param that allows additional data to be passed to the helper.
>> Commonly this would be something like:
>> Certutil: --helper-args '-d /path/to/nss/db' (precreated with certutil -N -d
>> /path/to/nss/db)
>> Openssl: --helper-args 'd /path/to/keyfile' (precreated with openssl genrsa
>> -out /path/to/keyfile)
>> See the commit message for a full command line.
>>
>> 0014: Allow the feature to be used by non-admin users
>>
>> 0015: Improve error handling by reporting a nice message if the mapping
>> rules are broken, or if the data required to generate the subject DN is 
>> missing
>>
>> These improvements may make it easier to test the other patches.
>>
>> Thanks,
>> Ben
>>
>>
> 
> 
> 
> 


-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0151-0152] install: Call hostnamectl set-hostname only if --hostname option is use server-install: Fix --hostname option to always override api.env value

[Petr Spacek]

On 10.8.2016 08:21, Jan Cholasta wrote:
> On 1.8.2016 17:42, Petr Spacek wrote:
>> On 1.8.2016 08:27, Jan Cholasta wrote:
>>> On 28.7.2016 16:55, Petr Spacek wrote:
 On 28.7.2016 16:44, Jan Cholasta wrote:
> On 28.7.2016 16:37, Petr Spacek wrote:
>> On 28.7.2016 16:35, Jan Cholasta wrote:
>>> On 28.7.2016 16:20, Petr Spacek wrote:
 Hello,

 install: Call hostnamectl set-hostname only if --hostname option is 
 used

 This commit also splits hostname backup and configuration into two
 separate
 functions. This allows us to backup hostname without setting it at the
 same time.

 https://fedorahosted.org/freeipa/ticket/6071
>>>
>>> Note that you can set ca_host in cfg unconditionally, the value is only
>>> valid
>>> during install and is not written anywhere.
>>
>> I prefer not to set it so the code blows up when we attempt to touch
>> variables
>> we should reference in particular setups. I.e. Take this as a first step
>> towards api.env without invalid values :-)
>
> OK. Use the proper condition then ("if setup_ca:").

 Oh, I'm probably blind. Here is revised version.
>>>
>>> But you used "if not setup_ca:" rather than "if setup_ca:" :-)
>>
>> This patch set is cursed!
> 
> The host name should not be backed up in server install if we are not changing
> it, so that it's not attempted to be changed on uninstall.
> 
> Otherwise works for me.

Okay, now I see that ipa-backup/restore is storing the host name in backup
header so we do not need it in sysrestore.

New patches are attached.

-- 
Petr^2 Spacek
From 96010d6f9d480c6eac39816f449bc647fd6b36c1 Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Tue, 12 Jul 2016 17:42:40 +0200
Subject: [PATCH] server-install: Fix --hostname option to always override
 api.env values

Attempts to compare local hostname with user-provided values are error
prone as we found out in #5794. This patch removes comparison and makes
the env values deterministic.

https://fedorahosted.org/freeipa/ticket/6071
---
 ipaserver/install/server/install.py | 13 +
 1 file changed, 5 insertions(+), 8 deletions(-)

diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 65f9318201e648b30a3c13626e807ac6f3a9416d..1e925595b93ff95a98b3e6c3d0c357b1766dc1dc 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -560,7 +560,12 @@ def install_check(installer):
 cfg = dict(
 context='installer',
 in_server=True,
+# make sure host name specified by user is used instead of default
+host=host_name,
 )
+if setup_ca:
+# we have an IPA-integrated CA
+cfg['ca_host'] = host_name
 
 # Create the management framework config file and finalize api
 target_fname = paths.IPA_DEFAULT_CONF
@@ -586,14 +591,6 @@ def install_check(installer):
 # Must be readable for everyone
 os.chmod(target_fname, 0o644)
 
-system_hostname = get_fqdn()
-if host_name != system_hostname:
-root_logger.debug("Chosen hostname (%s) differs from system hostname "
-  "(%s) - change it" % (host_name, system_hostname))
-# update `api.env.ca_host` to correct hostname
-# https://fedorahosted.org/freeipa/ticket/4936
-api.env.ca_host = host_name
-
 api.bootstrap(**cfg)
 api.finalize()
 
-- 
2.7.4

From d546592834ea7b08908acf66d668c05203734c76 Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Thu, 28 Jul 2016 16:13:55 +0200
Subject: [PATCH] install: Call hostnamectl set-hostname only if --hostname
 option is used

This commit also splits hostname backup and configuration into two separate
functions. This allows us to backup hostname without setting it at the
same time.

https://fedorahosted.org/freeipa/ticket/6071
---
 client/ipa-client-install   |  3 ++-
 doc/guide/guide.org | 10 +-
 ipaplatform/base/tasks.py   |  7 ++-
 ipaplatform/redhat/tasks.py | 13 ++---
 ipaserver/install/server/install.py | 10 +-
 5 files changed, 16 insertions(+), 27 deletions(-)

diff --git a/client/ipa-client-install b/client/ipa-client-install
index 05b6b6e0da07353750d0dca4e6df9d1f58d69c35..4a263b3d0e25960fc57d198e3efb24447cbed98e 100755
--- a/client/ipa-client-install
+++ b/client/ipa-client-install
@@ -2525,7 +2525,8 @@ def install(options, env, fstore, statestore):
 if options.hostname and not options.on_master:
 # skip this step when run by ipa-server-install as it always configures
 # hostname
-tasks.backup_and_replace_hostname(fstore, statestore, options.hostname)
+tasks.backup_hostname(fstore, statestore)
+tasks.set_hostname(options.hostname)
 
 ntp_srv_servers = []
 if not options.on_master and options.conf_ntp:
diff --git a/doc/guide/guide.org b/doc/guide/guide.org

Re: [Freeipa-devel] [PATCH 687] client: add missing output params to client-side commands

[Alexander Bokovoy]

On Wed, 10 Aug 2016, Jan Cholasta wrote:

Hi,

the attached patch fixes .

Honza

--
Jan Cholasta



From 2f21d1eee2ea2e3cc568b75bd32f24d7188cbe59 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Wed, 10 Aug 2016 09:02:47 +0200
Subject: [PATCH] client: add missing output params to client-side commands

Add output params for the otptoken-add-yubikey, vault-add, vault-mod,
vault-archive and vault-retrieve commands.

This fixes the commands not having any output in CLI.

https://fedorahosted.org/freeipa/ticket/6182
---
ipaclient/plugins/otptoken_yubikey.py |  6 ++
ipaclient/plugins/vault.py| 24 
2 files changed, 30 insertions(+)

diff --git a/ipaclient/plugins/otptoken_yubikey.py 
b/ipaclient/plugins/otptoken_yubikey.py
index bfa244c..549376a 100644
--- a/ipaclient/plugins/otptoken_yubikey.py
+++ b/ipaclient/plugins/otptoken_yubikey.py
@@ -106,6 +106,12 @@ class otptoken_add_yubikey(Command):
for option in super(otptoken_add_yubikey, self).get_options():
yield option

+def get_output_params(self):
+for param in self.api.Command.otptoken_add.output_params():
+yield param
+for param in super(otptoken_add_yubikey, self).get_output_params():
+yield param
+
def _iter_output(self):
return self.api.Command.otptoken_add.output()

diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py
index 1e715fd..c0ded21 100644
--- a/ipaclient/plugins/vault.py
+++ b/ipaclient/plugins/vault.py
@@ -223,6 +223,12 @@ class vault_add(Local):
for option in super(vault_add, self).get_options():
yield option

+def get_output_params(self):
+for param in self.api.Command.vault_add_internal.output_params():
+yield param
+for param in super(vault_add, self).get_output_params():
+yield param
+
def _iter_output(self):
return self.api.Command.vault_add_internal.output()

@@ -423,6 +429,12 @@ class vault_mod(Local):
for option in super(vault_mod, self).get_options():
yield option

+def get_output_params(self):
+for param in self.api.Command.vault_mod_internal.output_params():
+yield param
+for param in super(vault_mod, self).get_output_params():
+yield param
+
def _iter_output(self):
return self.api.Command.vault_mod_internal.output()

@@ -607,6 +619,12 @@ class vault_archive(Local):
for option in super(vault_archive, self).get_options():
yield option

+def get_output_params(self):
+for param in self.api.Command.vault_archive_internal.output_params():
+yield param
+for param in super(vault_archive, self).get_output_params():
+yield param
+
def _iter_output(self):
return self.api.Command.vault_archive_internal.output()

@@ -855,6 +873,12 @@ class vault_retrieve(Local):
for option in super(vault_retrieve, self).get_options():
yield option

+def get_output_params(self):
+for param in self.api.Command.vault_retrieve_internal.output_params():
+yield param
+for param in super(vault_retrieve, self).get_output_params():
+yield param
+
def _iter_output(self):
return self.api.Command.vault_retrieve_internal.output()


ACK.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [PATCH 687] client: add missing output params to client-side commands

[Jan Cholasta]

Hi,

the attached patch fixes .

Honza

--
Jan Cholasta
From 2f21d1eee2ea2e3cc568b75bd32f24d7188cbe59 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Wed, 10 Aug 2016 09:02:47 +0200
Subject: [PATCH] client: add missing output params to client-side commands

Add output params for the otptoken-add-yubikey, vault-add, vault-mod,
vault-archive and vault-retrieve commands.

This fixes the commands not having any output in CLI.

https://fedorahosted.org/freeipa/ticket/6182
---
 ipaclient/plugins/otptoken_yubikey.py |  6 ++
 ipaclient/plugins/vault.py| 24 
 2 files changed, 30 insertions(+)

diff --git a/ipaclient/plugins/otptoken_yubikey.py b/ipaclient/plugins/otptoken_yubikey.py
index bfa244c..549376a 100644
--- a/ipaclient/plugins/otptoken_yubikey.py
+++ b/ipaclient/plugins/otptoken_yubikey.py
@@ -106,6 +106,12 @@ class otptoken_add_yubikey(Command):
 for option in super(otptoken_add_yubikey, self).get_options():
 yield option
 
+def get_output_params(self):
+for param in self.api.Command.otptoken_add.output_params():
+yield param
+for param in super(otptoken_add_yubikey, self).get_output_params():
+yield param
+
 def _iter_output(self):
 return self.api.Command.otptoken_add.output()
 
diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py
index 1e715fd..c0ded21 100644
--- a/ipaclient/plugins/vault.py
+++ b/ipaclient/plugins/vault.py
@@ -223,6 +223,12 @@ class vault_add(Local):
 for option in super(vault_add, self).get_options():
 yield option
 
+def get_output_params(self):
+for param in self.api.Command.vault_add_internal.output_params():
+yield param
+for param in super(vault_add, self).get_output_params():
+yield param
+
 def _iter_output(self):
 return self.api.Command.vault_add_internal.output()
 
@@ -423,6 +429,12 @@ class vault_mod(Local):
 for option in super(vault_mod, self).get_options():
 yield option
 
+def get_output_params(self):
+for param in self.api.Command.vault_mod_internal.output_params():
+yield param
+for param in super(vault_mod, self).get_output_params():
+yield param
+
 def _iter_output(self):
 return self.api.Command.vault_mod_internal.output()
 
@@ -607,6 +619,12 @@ class vault_archive(Local):
 for option in super(vault_archive, self).get_options():
 yield option
 
+def get_output_params(self):
+for param in self.api.Command.vault_archive_internal.output_params():
+yield param
+for param in super(vault_archive, self).get_output_params():
+yield param
+
 def _iter_output(self):
 return self.api.Command.vault_archive_internal.output()
 
@@ -855,6 +873,12 @@ class vault_retrieve(Local):
 for option in super(vault_retrieve, self).get_options():
 yield option
 
+def get_output_params(self):
+for param in self.api.Command.vault_retrieve_internal.output_params():
+yield param
+for param in super(vault_retrieve, self).get_output_params():
+yield param
+
 def _iter_output(self):
 return self.api.Command.vault_retrieve_internal.output()
 
-- 
2.7.4

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0213] support multiple uid values in slapi-nis users map

[Alexander Bokovoy]

On Wed, 10 Aug 2016, thierry bordaz wrote:



On 08/09/2016 01:38 PM, Alexander Bokovoy wrote:

On Tue, 09 Aug 2016, thierry bordaz wrote:



On 08/09/2016 12:49 PM, Martin Basti wrote:



On 08.08.2016 17:30, thierry bordaz wrote:



On 08/08/2016 05:20 PM, Alexander Bokovoy wrote:

On Mon, 08 Aug 2016, thierry bordaz wrote:



On 08/08/2016 04:20 PM, Alexander Bokovoy wrote:

On Mon, 08 Aug 2016, thierry bordaz wrote:



On 08/08/2016 10:56 AM, Alexander Bokovoy wrote:

On Mon, 08 Aug 2016, Lukas Slebodnik wrote:

On (08/08/16 11:35), Alexander Bokovoy wrote:

On Mon, 08 Aug 2016, Martin Basti wrote:



On 08.08.2016 09:34, Alexander Bokovoy wrote:

When SSSD resolves AD users on behalf of slapi-nis, it can

accept any
user identifier, including user principal 
name (UPN) which may be

different than the canonical user name which SSSD returns.

As result, the entry created by slapi-nis will be using

canonical user
name but the filter for search will refer to 
the original (aliased)

name. The search will not match the newly created entry.

The issue is fixed  in slapi-nis-0.56.1 by 
returning two values for
'uid' attribute: the canonical one and the 
aliased one. This way the

search will match.

Standard LDAP schema allows multiple values 
for 'uid' attribute. We
actually use the same trick for 'cn' 
attribute in the groups map

already.

https://fedorahosted.org/freeipa/ticket/6138





Hello,

should we bump requires to slapi-nis-0.56.1 in freeipa.spec?
No, this is not required. In Fedora we'll submit 
a combined update --
I've built slapi-nis-0.56.1-1 packages for f24, 
f25, and rawhide already

but did not submit a Bodhi request.


How is combined updated related to requires to slapi-nis-0.56.1?
It will not prevent tu update freeipa without new slapi-nis.

e.g.
dnf update freeipa-server.
An update file in FreeIPA that is proposed by this 
patch does not affect
operation of the older slapi-nis deployment once 
update is applied.




Hi,

Is '%first' returning the first value of the attribute 'uid' ?
If there are several values (canonical, alias,... ), 
does the order matters ?

We insert the canonical one first and it seems that 389-ds does not
change the order, at least in my tests. You can see the 
output in the

bug https://bugzilla.redhat.com/show_bug.cgi?id=1361123#c2


From ldap pov 
(https://tools.ietf.org/html/rfc4511#section-4.1.7) the 
order of the values is not preserved.
I think it is a bit risky to rely on a specific order 
especially with complex updates (adding several values in 
a single mod, replace) and replication.
would it help to add canonical value with a subtype (e.g. 
'uid;canonical: ') ?

Not sure how what you are mention is relevant here. We talk about
slapi-nis map cache entries which are not modified, replaced or
replicated anywhere by anything other than slapi-nis itself. When
entries are changed by slapi-nis, they are regenerated from scratch.

Your worries do not apply here.

ok.
I understand my mistake, I was thinking the compat entry had a 
associated real entry in ldap and this real entry had two uid 
values.




So, could you provide ack thierry?

Martin


Sure but I would have to test first :-)

Alexander, how can I test this ?

slapi-nis 0.56.1-1 packages are available in koji for f24-f26:
http://koji.fedoraproject.org/koji/packageinfo?packageID=6609


Thanks Alexander. So to test this change is there an other way 
(simpler) than setting up AD/trust ?

I don't think so. We don't have UPNs in FreeIPA on the level of identity
lookups and we don't allow to lookup identity by email, so you are left
with using a proper AD trust and UPN suffixes in AD forest.
--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code