[Freeipa-devel] [freeipa PR#83] Added a fix for setting Priority as required field (edited)
Akasurde's pull request #83: "Added a fix for setting Priority as required field" was edited

See the full pull-request at https://github.com/freeipa/freeipa/pull/83

... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/83/head:pr83
git checkout pr83

-- 
Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#83] Added a fix for setting Priority as required field (comment)
mbasti-rh commented on a pull request
"""
@Akasurde I said we need a *new* ticket for it. I opened one for you https://fedorahosted.org/freeipa/ticket/6335
"""
See the full comment at https://github.com/freeipa/freeipa/pull/83#issuecomment-247530662
[Freeipa-devel] [freeipa PR#83] Added a fix for setting Priority as required field (comment)
Akasurde commented on a pull request
"""
@mbasti-rh I re-opened the ticket. Could you please provide ack?
"""
See the full comment at https://github.com/freeipa/freeipa/pull/83#issuecomment-247519895
Re: [Freeipa-devel] [freeipa PR#10] Client-side CSR autogeneration (comment)
On 09/15/2016 02:12 AM, jcholast wrote:
> jcholast commented on a pull request
> """
> In addition to my inline comments above:
> 1. "Certificate mapping" does not really evoke "certificate request templating" to me, and is also used in the context of mapping identities to certificates. Could we use a more suitable name to avoid confusion?
> 2. The `ipalib.certmapping` module is used only in `ipaclient`, so that's where it should be located. It can be moved to `ipalib` later if necessary.
> 3. I don't think `IPAExtension` deserves its own module, at least not now.
> """
> See the full comment at https://github.com/freeipa/freeipa/pull/10#issuecomment-247244120

Tried sending my comments as a "review" (new Github feature) and it seems they don't get sent to the list that way. So:

Thanks for the comments! I've fixed the simple ones and replied to the rest.

Regarding your comments about file organization:
1. I quite agree that certmapping isn't a good name for what this turned out to be. With the convention of naming modules after the objects they model, perhaps a good name would be `certrequest` or `csr`? The command could be renamed to something like `certrequest-get-data` (or `certrequest-get-script`).
2. Just to confirm, you're suggesting just moving these classes to the `ipaclient.plugins.` module?
3. Seems reasonable, I've moved it into the ipalib module for now. It will go wherever the contents of that module end up.

Logistical stuff:
* Now that this is under review I won't add any more content. Are you ok with the two commits about testing being part of this review or should I remove them?
* If you run rebase --autosquash with the latest commit it doesn't actually apply cleanly, but I'm trying not to change history while it's being reviewed, so I'll do the rebase later on if that's ok?
[Freeipa-devel] [freeipa PR#10] Client-side CSR autogeneration (synchronized)
LiptonB's pull request #10: "Client-side CSR autogeneration" was synchronized See the full pull-request at https://github.com/freeipa/freeipa/pull/10 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/10/head:pr10 git checkout pr10 From eeeb57fa9ff1642dbd1e32fbfe435052de2541ee Mon Sep 17 00:00:00 2001 From: Ben Lipton Date: Tue, 5 Jul 2016 14:19:35 -0400 Subject: [PATCH 01/11] Add code to generate scripts that generate CSRs Adds a library that uses jinja2 to format a script that, when run, will build a CSR. Also adds a CLI command, 'cert-get-requestdata', that uses this library and builds the script for a given principal. The rules are read from json files in /usr/share/ipa/csr, but the rule provider is a separate class so that it can be replaced easily. https://fedorahosted.org/freeipa/ticket/4899 --- freeipa.spec.in | 8 + install/configure.ac| 1 + install/share/Makefile.am | 1 + install/share/csr/Makefile.am | 27 +++ install/share/csr/templates/certutil_base.tmpl | 14 ++ install/share/csr/templates/ipa_macros.tmpl | 42 install/share/csr/templates/openssl_base.tmpl | 35 +++ install/share/csr/templates/openssl_macros.tmpl | 29 +++ ipaclient/plugins/certmapping.py| 105 + ipalib/certmapping.py | 285 ipalib/errors.py| 9 + ipapython/templating.py | 31 +++ 12 files changed, 587 insertions(+) create mode 100644 install/share/csr/Makefile.am create mode 100644 install/share/csr/templates/certutil_base.tmpl create mode 100644 install/share/csr/templates/ipa_macros.tmpl create mode 100644 install/share/csr/templates/openssl_base.tmpl create mode 100644 install/share/csr/templates/openssl_macros.tmpl create mode 100644 ipaclient/plugins/certmapping.py create mode 100644 ipalib/certmapping.py create mode 100644 ipapython/templating.py diff --git a/freeipa.spec.in b/freeipa.spec.in index e3ad5b6..ab8e8e6 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in 
@@ -507,6 +507,7 @@ Requires: python-custodia Requires: python-dns >= 1.11.1 Requires: python-netifaces >= 0.10.4 Requires: pyusb +Requires: python-jinja2 Conflicts: %{alt_name}-python < %{version} @@ -1178,6 +1179,13 @@ fi %{_usr}/share/ipa/advise/legacy/*.template %dir %{_usr}/share/ipa/profiles %{_usr}/share/ipa/profiles/*.cfg +%dir %{_usr}/share/ipa/csr +%dir %{_usr}/share/ipa/csr/templates +%{_usr}/share/ipa/csr/templates/*.tmpl +%dir %{_usr}/share/ipa/csr/profiles +%{_usr}/share/ipa/csr/profiles/*.json +%dir %{_usr}/share/ipa/csr/rules +%{_usr}/share/ipa/csr/rules/*.json %dir %{_usr}/share/ipa/ffextension %{_usr}/share/ipa/ffextension/bootstrap.js %{_usr}/share/ipa/ffextension/install.rdf diff --git a/install/configure.ac b/install/configure.ac index 81f17b9..365f0e9 100644 --- a/install/configure.ac +++ b/install/configure.ac @@ -87,6 +87,7 @@ AC_CONFIG_FILES([ share/Makefile share/advise/Makefile share/advise/legacy/Makefile +share/csr/Makefile share/profiles/Makefile share/schema.d/Makefile ui/Makefile diff --git a/install/share/Makefile.am b/install/share/Makefile.am index d8845ee..0a15635 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -2,6 +2,7 @@ NULL = SUBDIRS = \ advise\ + csr\ profiles \ schema.d \ $(NULL) diff --git a/install/share/csr/Makefile.am b/install/share/csr/Makefile.am new file mode 100644 index 000..5a8ef5c --- /dev/null +++ b/install/share/csr/Makefile.am @@ -0,0 +1,27 @@ +NULL = + +profiledir = $(IPA_DATA_DIR)/csr/profiles +profile_DATA =\ + $(NULL) + +ruledir = $(IPA_DATA_DIR)/csr/rules +rule_DATA =\ + $(NULL) + +templatedir = $(IPA_DATA_DIR)/csr/templates +template_DATA = \ + templates/certutil_base.tmpl \ + templates/openssl_base.tmpl \ + templates/openssl_macros.tmpl \ + templates/ipa_macros.tmpl \ + $(NULL) + +EXTRA_DIST =\ + $(profile_DATA) \ + $(rule_DATA) \ + $(template_DATA) \ + $(NULL) + +MAINTAINERCLEANFILES = \ + *~\ + Makefile.in 
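Review bot: the `freeipa.spec.in` hunk packages `%{_usr}/share/ipa/csr/profiles/*.json` and `%{_usr}/share/ipa/csr/rules/*.json`, but in this `install/share/csr/Makefile.am` both `profile_DATA` and `rule_DATA` contain only `$(NULL)`, so nothing is installed into those two directories and the `%files` globs have nothing to match; either list the profile and rule JSON files here (or make sure a later commit in the series adds them before the package is expected to build), or drop the two globs until the files exist.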
diff --git a/install/share/csr/templates/certutil_base.tmpl b/install/share/csr/templates/certutil_base.tmpl new file mode 100644 index 000..6c6425f --- /dev/null +++ b/install/share/csr/templates/certutil_base.tmpl @@ -0,0 +1,14 @@ +{% raw -%} +{% import "ipa_macros.tmpl" as ipa -%} +{%- endraw %} +#!/bin/bash -e + +if [[ $# -lt 1 ]]; then +echo "Usage: $0 [ ]" +echo "Called as: $0 $@" +exit 1 +fi + +CSR="$1" +shift +certutil -R -a -z <(head -c 4096 /dev/urandom) -o "$CSR" {{ options|join(' ') }} "$@" diff --git a/install/share/csr/templates/ipa_macros.tmpl b/install/share/csr/templates/ipa_macros.tmpl new file mode 100644 index 000..e790d4e --- /dev/null +++ b/install/share/csr/templates/ipa_macros.tmpl @@ -0,0 +1,4
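Review bot: in `certutil_base.tmpl` the rendered options are spliced into the bash command line unquoted (`{{ options|join(' ') }}`), so an option value containing whitespace or shell metacharacters (a subject or SAN component taken from a directory entry, for instance) would be re-split or interpreted by the shell when the generated script runs; each option should be shell-quoted at render time (a Jinja filter wrapping `pipes.quote`, `shlex.quote` on Python 3) before the join. Also, the `Usage:` line prints `[ ]` with no argument names; confirm the placeholders are present in the committed template.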
[Freeipa-devel] [freeipa PR#72] WebUI: Add handling for HTTP error 404 (+pushed)
pvomacka's pull request #72: "WebUI: Add handling for HTTP error 404" label *pushed* has been added
See the full pull-request at https://github.com/freeipa/freeipa/pull/72
[Freeipa-devel] [freeipa PR#72] WebUI: Add handling for HTTP error 404 (closed)
pvomacka's pull request #72: "WebUI: Add handling for HTTP error 404" was closed
See the full pull-request at https://github.com/freeipa/freeipa/pull/72

... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/72/head:pr72
git checkout pr72
[Freeipa-devel] [freeipa PR#72] WebUI: Add handling for HTTP error 404 (comment)
mbasti-rh commented on a pull request
"""
Fixed upstream master: https://fedorahosted.org/freeipa/changeset/b18a35145df92522ae990e020513d1a77e311493
"""
See the full comment at https://github.com/freeipa/freeipa/pull/72#issuecomment-247349710
[Freeipa-devel] [freeipa PR#83] Added a fix for setting Priority as required field (-ack)
Akasurde's pull request #83: "Added a fix for setting Priority as required field" label *ack* has been removed
See the full pull-request at https://github.com/freeipa/freeipa/pull/83
[Freeipa-devel] [freeipa PR#83] Added a fix for setting Priority as required field (comment)
mbasti-rh commented on a pull request
"""
Sorry guys, but the ticket is in a closed milestone; you need a new one.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/83#issuecomment-247348762
[Freeipa-devel] [freeipa PR#86] Made sssd restart a non-raising opration (comment)
ofayans commented on a pull request
"""
sure
"""
See the full comment at https://github.com/freeipa/freeipa/pull/86#issuecomment-247344841
[Freeipa-devel] [freeipa PR#86] Made sssd restart a non-raising opration (comment)
mbasti-rh commented on a pull request
"""
Can we wait until Lenka gives us the reason?
"""
See the full comment at https://github.com/freeipa/freeipa/pull/86#issuecomment-247344542
[Freeipa-devel] [freeipa PR#84] Removed update_from_dict function from ldapupdate (comment)
rcritten commented on a pull request
"""
For the record this test used to pass. Don't blame the test when the code it is testing was changed.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/84#issuecomment-247329152
[Freeipa-devel] [freeipa PR#86] Made sssd restart a non-raising opration (comment)
ofayans commented on a pull request
"""
Probably Lenka has some use-case for this. I am pretty sure these lines weren't added just for fun :)
"""
See the full comment at https://github.com/freeipa/freeipa/pull/86#issuecomment-247328115
[Freeipa-devel] [freeipa PR#77] Tests: Update host test with ipa-join (comment)
mbasti-rh commented on a pull request
"""
Please split this into 2 commits, it contains independent issues:
* wrong path to IPA join
* extra attribute

It is not related to this PR, but for me it looks like this test is focused on the ipa-join command and I don't see how this is related to API tests. I don't think that we can test this from in-tree tests because it requires a build first.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/77#issuecomment-247325837
[Freeipa-devel] [freeipa PR#86] Made sssd restart a non-raising opration (comment)
mbasti-rh commented on a pull request
"""
I was thinking hard about whether there should be an SSSD restart, but I cannot find any case where it is needed after server uninstall.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/86#issuecomment-247322795
[Freeipa-devel] [freeipa PR#50] Add cert checks in ipa-server-certinstall (synchronize)
flo-renaud's pull request #50: "Add cert checks in ipa-server-certinstall" was synchronize See the full pull-request at https://github.com/freeipa/freeipa/pull/50 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/50/head:pr50 git checkout pr50 From b4d5a74265377bf182f3cc1fec90669c93b47470 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Thu, 1 Sep 2016 13:56:24 +0200 Subject: [PATCH] Add cert checks in ipa-server-certinstall When ipa-server-certinstall is called to install a new server certificate, the prerequisite is that the certificate issuer must be already known by IPA. This fix adds new checks to make sure that the tool exits before modifying the target NSS database if it is not the case. The fix consists in creating a temp NSS database with the CA certs from the target NSS database + the new server cert and checking the new server cert validity. https://fedorahosted.org/freeipa/ticket/6263 --- ipaserver/install/ipa_server_certinstall.py | 40 +++-- 1 file changed, 38 insertions(+), 2 deletions(-) diff --git a/ipaserver/install/ipa_server_certinstall.py b/ipaserver/install/ipa_server_certinstall.py index 0a8fb21..7bc39e3 100644 --- a/ipaserver/install/ipa_server_certinstall.py +++ b/ipaserver/install/ipa_server_certinstall.py @@ -25,8 +25,8 @@ from ipaplatform.constants import constants from ipaplatform.paths import paths -from ipapython import admintool -from ipapython.certdb import get_ca_nickname +from ipapython import admintool, ipautil +from ipapython.certdb import get_ca_nickname, NSSDatabase from ipapython.dn import DN from ipalib import api, errors from ipalib.constants import CACERT 
@@ -157,6 +157,38 @@ def install_http_cert(self): os.chown(os.path.join(dirname, 'key3.db'), 0, pent.pw_gid) os.chown(os.path.join(dirname, 'secmod.db'), 0, pent.pw_gid) +def check_chain(self, pkcs12_filename, pkcs12_pin, nssdb): +# create a temp nssdb +with NSSDatabase() as tempnssdb: +db_password = ipautil.ipa_generate_password() +db_pwdfile = ipautil.write_tmp_file(db_password) +tempnssdb.create_db(db_pwdfile.name) + +# import the PKCS12 file, then delete all CA certificates +# this leaves only the server certs in the temp db +tempnssdb.import_pkcs12( +pkcs12_filename, db_pwdfile.name, pkcs12_pin) +for nickname, flags in tempnssdb.list_certs(): +if 'u' not in flags: +while tempnssdb.has_nickname(nickname): +tempnssdb.delete_cert(nickname) + +# import all the CA certs from nssdb into the temp db +for nickname, flags in nssdb.list_certs(): +if 'u' not in flags: +cert = nssdb.get_cert_from_db(nickname) +tempnssdb.add_cert(cert, nickname, flags) + +# now get the server certs from tempnssdb and check their validity +try: +for nick, flags in tempnssdb.find_server_certs(): +tempnssdb.verify_server_cert_validity(nick, api.env.host) +except ValueError as e: +raise admintool.ScriptError( +"Peer's certificate issuer is not trusted (%s). " +"Please run ipa-cacert-manage install and ipa-certupdate " +"to install the CA certificate." % str(e)) + def import_cert(self, dirname, pkcs12_passwd, old_cert, principal, command): pkcs12_file, pin, ca_cert = installutils.load_pkcs12( cert_files=self.args, 
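Review bot: `check_chain` turns every `ValueError` raised by `verify_server_cert_validity` into "Peer's certificate issuer is not trusted", but that check also fails for an expired or not-yet-valid certificate and for a subject that does not match `api.env.host`, so the hint to run `ipa-cacert-manage install` and `ipa-certupdate` is misleading in those cases; word the message around the actual error (`str(e)` is already included) instead of presuming the cause. A docstring would also help: the loop that deletes every entry without a `u` flag deliberately discards any intermediate CA bundled in the PKCS#12, so the issuer chain must already be present in the target database, which is the precondition the commit message states but the code does not say.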
@@ -167,6 +199,10 @@ def import_cert(self, dirname, pkcs12_passwd, old_cert, principal, command): dirname = os.path.normpath(dirname) cdb = certs.CertDB(api.env.realm, nssdir=dirname) + +# Check that the ca_cert is known and trusted +self.check_chain(pkcs12_file.name, pin, cdb) + try: ca_enabled = api.Command.ca_is_enabled()['result'] if ca_enabled: -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#89] client: remove hard dependency on pam_krb5 (synchronize)
jcholast's pull request #89: "client: remove hard dependency on pam_krb5" was synchronize See the full pull-request at https://github.com/freeipa/freeipa/pull/89 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/89/head:pr89 git checkout pr89 From 62d5bb13d1f668fb9df70ffe804b92a51720879f Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Mon, 1 Aug 2016 10:51:24 +0200 Subject: [PATCH] client: remove hard dependency on pam_krb5 If ipa-client-install is executed with --no-sssd, check if pam_krb5 is available before proceeding with the install. https://fedorahosted.org/freeipa/ticket/5557 --- client/ipa-client-install | 4 freeipa.spec.in | 1 - ipaplatform/base/paths.py | 2 ++ ipaplatform/redhat/paths.py | 1 + 4 files changed, 7 insertions(+), 1 deletion(-) diff --git a/client/ipa-client-install b/client/ipa-client-install index 535fe65..f22e653 100755 --- a/client/ipa-client-install +++ b/client/ipa-client-install @@ -2289,6 +2289,10 @@ def install(options, env, fstore, statestore): # when installing with '--no-sssd' option, check whether nss-ldap is installed if not options.sssd: +if not os.path.exists(paths.PAM_KRB5_SO): +root_logger.error("The pam_krb5 package must be installed") +return CLIENT_INSTALL_ERROR + (nssldap_installed, nosssd_files) = nssldap_exists() if not nssldap_installed: root_logger.error("One of these packages must be installed: " + diff --git a/freeipa.spec.in b/freeipa.spec.in index 589060b..3b0e4b2 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -326,7 +326,6 @@ Requires: cyrus-sasl-gssapi%{?_isa} Requires: ntp Requires: krb5-workstation Requires: authconfig -Requires: pam_krb5 Requires: curl # NIS domain name config: /usr/lib/systemd/system/*-domainname.service Requires: initscripts diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index f927a7a..025bed6 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py 
@@ -191,11 +191,13 @@ class BasePathNamespace(object): USR_LIB_DIRSRV = "/usr/lib/dirsrv" LIB_FIREFOX = "/usr/lib/firefox" LIBSOFTHSM2_SO = "/usr/lib/pkcs11/libsofthsm2.so" +PAM_KRB5_SO = "/usr/lib/security/pam_krb5.so" LIB_SYSTEMD_SYSTEMD_DIR = "/usr/lib/systemd/system/" BIND_LDAP_SO_64 = "/usr/lib64/bind/ldap.so" USR_LIB_DIRSRV_64 = "/usr/lib64/dirsrv" LIB64_FIREFOX = "/usr/lib64/firefox" LIBSOFTHSM2_SO_64 = "/usr/lib64/pkcs11/libsofthsm2.so" +PAM_KRB5_SO_64 = "/usr/lib64/security/pam_krb5.so" DOGTAG_IPA_CA_RENEW_AGENT_SUBMIT = "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit" DOGTAG_IPA_RENEW_AGENT_SUBMIT = "/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit" IPA_SERVER_GUARD = "/usr/libexec/certmonger/ipa-server-guard" diff --git a/ipaplatform/redhat/paths.py b/ipaplatform/redhat/paths.py index b80a1b4..b27b065 100644 --- a/ipaplatform/redhat/paths.py +++ b/ipaplatform/redhat/paths.py @@ -32,6 +32,7 @@ class RedHatPathNamespace(BasePathNamespace): # https://docs.python.org/2/library/platform.html#cross-platform if sys.maxsize > 2**32: LIBSOFTHSM2_SO = BasePathNamespace.LIBSOFTHSM2_SO_64 +PAM_KRB5_SO = BasePathNamespace.PAM_KRB5_SO_64 paths = RedHatPathNamespace() -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
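Review bot: the `ipa-client-install` hunk checks `os.path.exists(paths.PAM_KRB5_SO)`, and the base value `/usr/lib/security/pam_krb5.so` is only overridden with the lib64 path in `RedHatPathNamespace`; on platforms that place PAM modules elsewhere (multiarch library directories, for instance) `--no-sssd` would be refused even with pam_krb5 installed. The error should at least name the path it looked for (for example `"The pam_krb5 package must be installed (%s not found)" % paths.PAM_KRB5_SO`), and now that the spec no longer pulls the package in, the `--no-sssd` option documentation should mention that pam_krb5 is required.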
[Freeipa-devel] [freeipa PR#89] client: remove hard dependency on pam_krb5 (opened)
jcholast's pull request #89: "client: remove hard dependency on pam_krb5" was opened PR body: """ If ipa-client-install is executed with --no-sssd, check if pam_krb5 is available before proceeding with the install. https://fedorahosted.org/freeipa/ticket/5557 """ See the full pull-request at https://github.com/freeipa/freeipa/pull/89 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/89/head:pr89 git checkout pr89 From d3c69a74c9009bc394fc5bec974ad4add207fd8c Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Mon, 1 Aug 2016 10:51:24 +0200 Subject: [PATCH] client: remove hard dependency on pam_krb5 If ipa-client-install is executed with --no-sssd, check if pam_krb5 is available before proceeding with the install. https://fedorahosted.org/freeipa/ticket/5557 --- client/ipa-client-install | 4 freeipa.spec.in | 1 - ipaplatform/base/paths.py | 2 ++ ipaplatform/redhat/paths.py | 1 + 4 files changed, 7 insertions(+), 1 deletion(-) diff --git a/client/ipa-client-install b/client/ipa-client-install index 535fe65..f22e653 100755 --- a/client/ipa-client-install +++ b/client/ipa-client-install @@ -2289,6 +2289,10 @@ def install(options, env, fstore, statestore): # when installing with '--no-sssd' option, check whether nss-ldap is installed if not options.sssd: +if not os.path.exists(paths.PAM_KRB5_SO): +root_logger.error("The pam_krb5 package must be installed") +return CLIENT_INSTALL_ERROR + (nssldap_installed, nosssd_files) = nssldap_exists() if not nssldap_installed: root_logger.error("One of these packages must be installed: " + diff --git a/freeipa.spec.in b/freeipa.spec.in index 589060b..3b0e4b2 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -326,7 +326,6 @@ Requires: cyrus-sasl-gssapi%{?_isa} Requires: ntp Requires: krb5-workstation Requires: authconfig -Requires: pam_krb5 Requires: curl # NIS domain name config: /usr/lib/systemd/system/*-domainname.service Requires: initscripts 
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index f927a7a..3926c94 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py @@ -191,11 +191,13 @@ class BasePathNamespace(object): USR_LIB_DIRSRV = "/usr/lib/dirsrv" LIB_FIREFOX = "/usr/lib/firefox" LIBSOFTHSM2_SO = "/usr/lib/pkcs11/libsofthsm2.so" +PAM_KRB5_SO = "/usr/lib64/security/pam_krb5.so" LIB_SYSTEMD_SYSTEMD_DIR = "/usr/lib/systemd/system/" BIND_LDAP_SO_64 = "/usr/lib64/bind/ldap.so" USR_LIB_DIRSRV_64 = "/usr/lib64/dirsrv" LIB64_FIREFOX = "/usr/lib64/firefox" LIBSOFTHSM2_SO_64 = "/usr/lib64/pkcs11/libsofthsm2.so" +PAM_KRB5_SO_64 = "/usr/lib64/security/pam_krb5.so" DOGTAG_IPA_CA_RENEW_AGENT_SUBMIT = "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit" DOGTAG_IPA_RENEW_AGENT_SUBMIT = "/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit" IPA_SERVER_GUARD = "/usr/libexec/certmonger/ipa-server-guard" diff --git a/ipaplatform/redhat/paths.py b/ipaplatform/redhat/paths.py index b80a1b4..b27b065 100644 --- a/ipaplatform/redhat/paths.py +++ b/ipaplatform/redhat/paths.py @@ -32,6 +32,7 @@ class RedHatPathNamespace(BasePathNamespace): # https://docs.python.org/2/library/platform.html#cross-platform if sys.maxsize > 2**32: LIBSOFTHSM2_SO = BasePathNamespace.LIBSOFTHSM2_SO_64 +PAM_KRB5_SO = BasePathNamespace.PAM_KRB5_SO_64 paths = RedHatPathNamespace() -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
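Review bot: the `ipaplatform/base/paths.py` hunk sets `PAM_KRB5_SO` to `/usr/lib64/security/pam_krb5.so`, identical to `PAM_KRB5_SO_64` two lines below, so the 32-bit default points at the 64-bit directory; following the `LIBSOFTHSM2_SO` / `LIBSOFTHSM2_SO_64` pair right above it, the base value should be `/usr/lib/security/pam_krb5.so`, with the `_64` variant selected in `RedHatPathNamespace` when `sys.maxsize > 2**32`.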
[Freeipa-devel] [freeipa PR#88] test_plugable: update the rest of test_init (opened)
jcholast's pull request #88: "test_plugable: update the rest of test_init" was opened PR body: """ In commit ed4c2d9252a995d01dc098e5b761ded8cd9373d8, changes to the Plugin class were made, but the test was updated only partially. Update the rest to fix the failing test. https://fedorahosted.org/freeipa/ticket/6313 """ See the full pull-request at https://github.com/freeipa/freeipa/pull/88 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/88/head:pr88 git checkout pr88 From e336efd4394707756d5d7ef7dd87ca190fd42678 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Thu, 15 Sep 2016 14:38:49 +0200 Subject: [PATCH] test_plugable: update the rest of test_init In commit ed4c2d9252a995d01dc098e5b761ded8cd9373d8, changes to the Plugin class were made, but the test was updated only partially. Update the rest to fix the failing test. https://fedorahosted.org/freeipa/ticket/6313 --- ipatests/test_ipalib/test_plugable.py | 7 --- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/ipatests/test_ipalib/test_plugable.py b/ipatests/test_ipalib/test_plugable.py index 0ea02a7..f104c51 100644 --- a/ipatests/test_ipalib/test_plugable.py +++ b/ipatests/test_ipalib/test_plugable.py @@ -52,7 +52,7 @@ def test_init(self): api = 'the api instance' o = self.cls(api) assert o.name == 'Plugin' -assert isinstance(o.doc, text.Gettext) +assert isinstance(o.doc, str) class some_subclass(self.cls): """ Do sub-classy things. 
@@ -66,11 +66,12 @@ class some_subclass(self.cls): o = some_subclass(api) assert o.name == 'some_subclass' assert o.summary == 'Do sub-classy things.' -assert isinstance(o.doc, text.Gettext) +assert isinstance(o.doc, str) class another_subclass(self.cls): pass o = another_subclass(api) -assert o.summary == '<%s>' % o.fullname +assert o.summary == u'<%s.%s>' % (another_subclass.__module__, + another_subclass.__name__) # Test that Plugin makes sure the subclass hasn't defined attributes # whose names conflict with the logger methods set in Plugin.__init__(): -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
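Review bot: `assert isinstance(o.doc, str)` makes the test depend on the interpreter: under Python 2 `str` is the byte-string type, so a unicode docstring (which `from __future__ import unicode_literals` or a `u''` literal produces) fails here while passing on Python 3. If this suite still runs on both, `six.string_types` accepts both, and the `u'<%s.%s>'` literal a few lines below shows the file already mixes the two string types.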
[Freeipa-devel] [freeipa PR#25] Added install check before executing ipa-* command (comment)
Akasurde commented on a pull request
"""
@pspacek Should I close this PR then?
"""
See the full comment at https://github.com/freeipa/freeipa/pull/25#issuecomment-247315968
[Freeipa-devel] [freeipa PR#83] Added a fix for setting Priority as required field (comment)
Akasurde commented on a pull request
"""
@stlaz Thanks
"""
See the full comment at https://github.com/freeipa/freeipa/pull/83#issuecomment-247312920
[Freeipa-devel] [freeipa PR#87] dns: re-introduce --raw in dnsrecord-del (opened)
jcholast's pull request #87: "dns: re-introduce --raw in dnsrecord-del" was opened PR body: """ The flag was removed in commit ff52c25ae299abba8bed653fe324951979a41293 because it is unused. Add it back for compatibility with old clients. https://fedorahosted.org/freeipa/ticket/5644 """ See the full pull-request at https://github.com/freeipa/freeipa/pull/87 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/87/head:pr87 git checkout pr87 From fdd0885a22ca015f30288cbf62fd1c7f2ceeeb3d Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Thu, 15 Sep 2016 14:13:28 +0200 Subject: [PATCH] dns: re-introduce --raw in dnsrecord-del The flag was removed in commit ff52c25ae299abba8bed653fe324951979a41293 because it is unused. Add it back for compatibility with old clients. https://fedorahosted.org/freeipa/ticket/5644 --- API.txt | 3 ++- VERSION | 4 ++-- ipaserver/plugins/dns.py | 4 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/API.txt b/API.txt index f3b2938..1e02ac2 100644 --- a/API.txt +++ b/API.txt @@ -1340,7 +1340,7 @@ output: Entry('result') output: Output('summary', type=[, ]) output: PrimaryKey('value') command: dnsrecord_del/1 -args: 2,34,3 +args: 2,35,3 arg: DNSNameParam('dnszoneidnsname', cli_name='dnszone') arg: DNSNameParam('idnsname', cli_name='name') option: A6Record('a6record*', autofill=False, cli_name='a6_rec') @@ -1367,6 +1367,7 @@ option: NAPTRRecord('naptrrecord*', autofill=False, cli_name='naptr_rec') option: NSECRecord('nsecrecord*', autofill=False, cli_name='nsec_rec') option: NSRecord('nsrecord*', autofill=False, cli_name='ns_rec') option: PTRRecord('ptrrecord*', autofill=False, cli_name='ptr_rec') +option: Flag('raw', autofill=True, default=False) option: RPRecord('rprecord*', autofill=False, cli_name='rp_rec') option: RRSIGRecord('rrsigrecord*', autofill=False, cli_name='rrsig_rec') option: SIGRecord('sigrecord*', autofill=False, cli_name='sig_rec') 
diff --git a/VERSION b/VERSION index 5f138f5..e5f8d96 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=2010061412 # # IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=214 -# Last change: ftweedal: add ca-disable and ca-enable commands +IPA_API_VERSION_MINOR=215 +# Last change: dns: re-introduce --raw in dnsrecord-del diff --git a/ipaserver/plugins/dns.py b/ipaserver/plugins/dns.py index 5510a66..0c880f8 100644 --- a/ipaserver/plugins/dns.py +++ b/ipaserver/plugins/dns.py @@ -3800,6 +3800,10 @@ class dnsrecord_del(LDAPUpdate): label=_('Delete all associated records'), ), dnsrecord.structured_flag, +Flag( +'raw', +exclude=('cli', 'webui'), +), ) def get_options(self): -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
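Review bot: the `Flag('raw', exclude=('cli', 'webui'))` added to `dnsrecord_del` is accepted but never read, which is exactly why commit ff52c25ae299abba8bed653fe324951979a41293 removed it; put a short comment (or a `doc=`) next to it saying it exists only for compatibility with older clients, so it is not removed again as dead code. In the `VERSION` hunk the new `# Last change:` line drops the author prefix the previous entry used (`ftweedal: ...`); keep the existing format.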
[Freeipa-devel] [freeipa PR#86] Made sssd restart a non-raising opration (opened)
ofayans's pull request #86: "Made sssd restart a non-raising opration" was opened PR body: """ Uninstallation of ipa-server usually removes sssd configuration file, /etc/sssd/sssd.conf If we then issue systemctl restart sssd.service, the command fails because it is unable to find the config file. We need to make this call not raise an exception """ See the full pull-request at https://github.com/freeipa/freeipa/pull/86 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/86/head:pr86 git checkout pr86 From 27c33b1e36d6ea34caa619cb89ead223603396c0 Mon Sep 17 00:00:00 2001 From: Oleg Fayans Date: Thu, 15 Sep 2016 14:10:41 +0200 Subject: [PATCH] Made sssd restart a non-raising opration Uninstallation of ipa-server usually removes sssd configuration file, /etc/sssd/sssd.conf If we then issue systemctl restart sssd.service, the command fails because it is unable to find the config file. We need to make this call not raise an exception --- ipatests/test_integration/tasks.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py index ee9d4a2..6a08659 100644 --- a/ipatests/test_integration/tasks.py +++ b/ipatests/test_integration/tasks.py @@ -691,7 +691,7 @@ def uninstall_master(host, ignore_topology_disconnect=True, "xargs rm -fv", raiseonerr=False) host.run_command("find /run/ipa -name 'krb5*' | xargs rm -fv", raiseonerr=False) -host.run_command(['systemctl', 'restart', 'sssd']) +host.run_command(['systemctl', 'restart', 'sssd'], raiseonerr=False) unapply_fixes(host)
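Review bot: `raiseonerr=False` on the `systemctl restart sssd` call suppresses every failure, not only the missing `/etc/sssd/sssd.conf` case the commit message describes, so a genuine SSSD breakage after uninstall would go unnoticed by the integration tests; either guard the restart on the config file still existing or, as the review thread asks, drop the restart altogether if nothing needs it after a server uninstall.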
[Freeipa-devel] [freeipa PR#83] Added a fix for setting Priority as required field (comment)
stlaz commented on a pull request """ Looks OK to me, thanks. """ See the full comment at https://github.com/freeipa/freeipa/pull/83#issuecomment-247310347
[Freeipa-devel] [freeipa PR#83] Added a fix for setting Priority as required field (+ack)
Akasurde's pull request #83: "Added a fix for setting Priority as required field " label *ack* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/83
[Freeipa-devel] [freeipa PR#84] Removed update_from_dict function from ldapupdate (comment)
stlaz commented on a pull request """ Well, I did fix the test, then. I can imagine the function being pretty handy as a library function, although it'd better be used in the future. What infuriates me is the fact that the test might have never worked (well, at least for a year and a half, but my guess is never) and nobody really cared. """ See the full comment at https://github.com/freeipa/freeipa/pull/84#issuecomment-247309050
[Freeipa-devel] [freeipa PR#84] Removed update_from_dict function from ldapupdate (synchronize)
stlaz's pull request #84: "Removed update_from_dict function from ldapupdate" was synchronize See the full pull-request at https://github.com/freeipa/freeipa/pull/84 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/84/head:pr84 git checkout pr84 From 404ecb27908da636e49a18602fbf05e843f31270 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Thu, 15 Sep 2016 13:52:35 +0200 Subject: [PATCH] Fix to testing of update_from_dict() The tests did not respect the expected format to be passed to update_from_dict() function. Also, removal of leaf entry with its container was swapped so the tests may have never worked. https://fedorahosted.org/freeipa/ticket/6311 --- ipatests/test_install/test_updates.py | 71 ++- 1 file changed, 37 insertions(+), 34 deletions(-) diff --git a/ipatests/test_install/test_updates.py b/ipatests/test_install/test_updates.py index 3fa2cd7..c004667 100644 --- a/ipatests/test_install/test_updates.py +++ b/ipatests/test_install/test_updates.py 
@@ -270,32 +270,37 @@ def test_from_dict(self): entries = self.ld.get_entries( self.user_dn, self.ld.SCOPE_BASE, 'objectclass=*', ['*']) - -update = { -self.container_dn: -{'dn': self.container_dn, - 'updates': ['add:objectClass: top', - 'add:objectClass: nsContainer', - 'add:cn: test' -], -}, -self.user_dn: -{'dn': self.user_dn, - 'updates': ['add:objectclass: top', - 'add:objectclass: person', - 'add:objectclass: posixaccount', - 'add:objectclass: krbprincipalaux', - 'add:objectclass: inetuser', - 'add:homedirectory: /home/tuser', - 'add:loginshell: /bin/bash', - 'add:sn: User', - 'add:uid: tuser', - 'add:uidnumber: 999', - 'add:gidnumber: 999', - 'add:cn: Test User', -], -}, -} +update = [ +{'dn': self.container_dn, + 'updates': + [ +{'action': 'add', 'attr': 'objectClass', 'value': 'top'}, +{'action': 'add', 'attr': 'objectClass', + 'value': 'nsContainer'}, +{'action': 'add', 'attr': 'cn', 'value': 'test'}, + ], + }, +{'dn': self.user_dn, + 'updates': + [ +{'action': 'add', 'attr': 'objectclass', 'value': 'top'}, +{'action': 'add', 'attr': 'objectclass', 'value': 'person'}, +{'action': 'add', 'attr': 'objectclass', + 'value': 'posixaccount'}, +{'action': 'add', 'attr': 'objectclass', + 'value': 'krbprincipalaux'}, +{'action': 'add', 'attr': 'objectclass', 'value': 'inetuser'}, +{'action': 'add', 'attr': 'homedirectory', + 'value': '/home/tuser'}, +{'action': 'add', 'attr': 'loginshell', 'value': '/bin/bash'}, +{'action': 'add', 'attr': 'sn', 'value': 'User'}, +{'action': 'add', 'attr': 'uid', 'value': 'tuser'}, +{'action': 'add', 'attr': 'uidnumber', 'value': '999'}, +{'action': 'add', 'attr': 'gidnumber', 'value': '999'}, +{'action': 'add', 'attr': 'cn', 'value': 'Test User'}, + ], + }, +] modified = self.updater.update_from_dict(update) self.assertTrue(modified) 
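Review bot: the two entries in this hunk spell the attribute differently ('objectClass' for the container, 'objectclass' for the user); LDAP compares attribute names case-insensitively so the test passes either way, but since this hunk is now the only place that documents the list-of-dicts shape update_from_dict() actually takes, use one spelling so the example is unambiguous. Given the commit message's point that the old DN-keyed dict form never worked, consider a companion test that asserts that form is rejected (or converted), so the accepted format is pinned rather than implied.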
@@ -327,16 +332,14 @@ def test_from_dict(self): # Now delete -update = { -self.container_dn: -{'dn': self.container_dn, - 'deleteentry': None, -}, -self.user_dn: +update = [ {'dn': self.user_dn, 'deleteentry': 'deleteentry: reset: nada', -}, -} + }, +{'dn': self.container_dn, + 'deleteentry': None, + }, +] modified = self.updater.update_from_dict(update) self.assertTrue(modified) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
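Review bot: the swap in this hunk puts the leaf entry before its container, which is the right order for deletion, but the two entries still carry different `deleteentry` values ('deleteentry: reset: nada' for the user, None for the container) with no comment saying whether the value is read at all. If _run_updates() ignores it, give both the same value (or None) and say so in a comment; if it is read, the test should check the difference it makes, otherwise the test encodes a format nobody has documented.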
[Freeipa-devel] [freeipa PR#84] Removed update_from_dict function from ldapupdate (comment)
abbra commented on a pull request """ Update plugins are a higher level of abstraction. They use ipaserver.install.ldapupdate.LDAPUpdate, which provides both .update() and .update_from_dict() methods. Update plugins can produce dictionaries. With the change in this pull request they will have to always write dynamic update content to files first and then run LDAPUpdate.update() with those files, or re-implement .update_from_dict(). That's why I gave a NACK -- consider this coming from the work I'm doing right now to create documentation for external plugins. It is silly to remove a function only to introduce it back. """ See the full comment at https://github.com/freeipa/freeipa/pull/84#issuecomment-247307982
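The discussion above turns on what shape an update plugin would hand to update_from_dict(). The test fix in PR#84 shows that shape: a list of {'dn': ..., 'updates': [{'action', 'attr', 'value'}, ...]} or {'dn': ..., 'deleteentry': ...} dicts, ordered so that a leaf is deleted before its container. The following is an added, stand-alone example, not FreeIPA code: it converts the older 'action:attr: value' strings keyed by DN (the form the removed test used) into that list form and orders entries by DN depth. The string parser, the DN-depth ordering and the sample DNs are assumptions made here for illustration; the project's own _run_updates() may order or validate differently.

```python
"""Added example (not FreeIPA code): build update descriptions in the
list-of-dicts shape the PR#84 test passes to LDAPUpdate.update_from_dict(),
starting from the older 'action:attr: value' strings keyed by DN.
The parser and the depth-based ordering are assumptions for illustration."""
import re

# 'add:objectClass: top' -> action 'add', attr 'objectClass', value 'top'
_UPDATE_LINE = re.compile(r'^(?P<action>[a-z]+):(?P<attr>[^:]+):\s*(?P<value>.*)$')

# Split a DN on commas that are not escaped with a backslash.
_RDN_SPLIT = re.compile(r'(?<!\\),')


def parse_update_line(line):
    """Turn one legacy 'action:attr: value' string into a structured dict."""
    match = _UPDATE_LINE.match(line.strip())
    if match is None:
        raise ValueError('malformed update line: %r' % (line,))
    return {
        'action': match.group('action'),
        'attr': match.group('attr').strip(),
        'value': match.group('value'),
    }


def dn_depth(dn):
    """Number of RDN components; a deeper DN sits below a shallower one."""
    return len([part for part in _RDN_SPLIT.split(dn) if part.strip()])


def order_updates(entries):
    """Parents before children for modifications, children before parents
    for deletions, so a container is never removed while a leaf still
    exists under it (the ordering the PR#84 test fix corrected by hand).
    Modifications are emitted before deletions; sorts are stable."""
    mods = [e for e in entries if 'deleteentry' not in e]
    dels = [e for e in entries if 'deleteentry' in e]
    mods.sort(key=lambda e: dn_depth(e['dn']))
    dels.sort(key=lambda e: dn_depth(e['dn']), reverse=True)
    return mods + dels


def convert_legacy(updates):
    """Convert the DN-keyed dict of string updates into the ordered list
    form: [{'dn': ..., 'updates': [...]}, {'dn': ..., 'deleteentry': ...}]."""
    converted = []
    for dn, spec in updates.items():
        entry = {'dn': spec.get('dn', dn)}
        if 'updates' in spec:
            entry['updates'] = [parse_update_line(l) for l in spec['updates']]
        if 'deleteentry' in spec:
            entry['deleteentry'] = spec['deleteentry']
        converted.append(entry)
    return order_updates(converted)


if __name__ == '__main__':
    # Constructed sample mirroring the test's container/user pair
    # (assumed DNs, not taken from any real deployment).
    container = 'cn=test,dc=example,dc=test'
    user = 'uid=tuser,cn=test,dc=example,dc=test'
    legacy = {
        user: {'dn': user, 'updates': ['add:objectclass: top',
                                       'add:homedirectory: /home/tuser']},
        container: {'dn': container, 'updates': ['add:objectClass: top',
                                                 'add:cn: test']},
    }
    for entry in convert_legacy(legacy):
        print(entry['dn'], entry.get('updates', entry.get('deleteentry')))
```

The ordering step is the part worth keeping even if the string parser is dropped: whatever produces the list, adds must reach the container before the leaf and deletes must reach the leaf before the container, which is exactly the mistake the swapped test hunk had to fix.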
[Freeipa-devel] [freeipa PR#84] Removed update_from_dict function from ldapupdate (comment)
mbasti-rh commented on a pull request """ Shouldn't external plugins use update files or update plugins as IPA does? We don't have any guaranteed internal API for anything, we don't have any document about external plugins, we haven't prepared any API for 3rd party plugins. We just have your POC 3rd party plugin. Unless there is a design document with serious investigation and an agreed workflow for how to work with 3rd party plugins, and a stable, well tested API for 3rd party plugins (not just internal API that may and will change), "is a handy" is not a valid argument for me. I don't remember that we froze our internal API, so 3rd party plugins will fail with any change there. """ See the full comment at https://github.com/freeipa/freeipa/pull/84#issuecomment-247302163
[Freeipa-devel] [freeipa PR#50] Add cert checks in ipa-server-certinstall (comment)
jcholast commented on a pull request """ Functional ACK, but please don't use newlines in exception messages. If you want the original error on a separate line, you can use the logger to log it, but I think it would be preferable to use this format: ``` Peer's certificate issuer is not trusted ((SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized). Please run ipa-cacert-manage install and ipa-certupdate to install the CA certificate. ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/50#issuecomment-247299454
[Freeipa-devel] [freeipa PR#72] WebUI: Add handling for HTTP error 404 (+ack)
pvomacka's pull request #72: "WebUI: Add handling for HTTP error 404" label *ack* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/72
[Freeipa-devel] [freeipa PR#85] WebUI: Change group name from 'normal' to 'Non-POSIX' (opened)
pvomacka's pull request #85: "WebUI: Change group name from 'normal' to 'Non-POSIX'" was opened PR body: """ It will correspond with CLI and will be more self-explanatory. https://fedorahosted.org/freeipa/ticket/6334 """ See the full pull-request at https://github.com/freeipa/freeipa/pull/85 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/85/head:pr85 git checkout pr85 From 3c639c648cfa56e9e81d4bc77bb90825bc4f9e2a Mon Sep 17 00:00:00 2001 From: Pavel Vomacka Date: Wed, 14 Sep 2016 13:19:25 +0200 Subject: [PATCH] WebUI: Change group name from 'normal' to 'Non-POSIX' It will correspond with CLI and will be more self-explanatory. https://fedorahosted.org/freeipa/ticket/6334 --- install/ui/src/freeipa/group.js| 12 +--- install/ui/test/data/ipa_init.json | 2 +- ipaserver/plugins/internal.py | 2 +- 3 files changed, 7 insertions(+), 9 deletions(-) diff --git a/install/ui/src/freeipa/group.js b/install/ui/src/freeipa/group.js index b26560c..7a6bc91 100644 --- a/install/ui/src/freeipa/group.js +++ b/install/ui/src/freeipa/group.js @@ -62,7 +62,7 @@ return { name: 'external', param: 'objectclass', label: '@i18n:objects.group.type', -default_label: '@i18n:objects.group.normal', +default_label: '@i18n:objects.group.nonposix', value_map: { ipaexternalgroup: '@i18n:objects.group.external', posixgroup: '@i18n:objects.group.posix' @@ -174,8 +174,8 @@ return { default_value: 'posix', options: [ { -value: 'normal', -label: '@i18n:objects.group.normal' +value: 'nonposix', +label: '@i18n:objects.group.nonposix' }, { value: 'external', @@ -224,10 +224,8 @@ IPA.group_adder_dialog = function(spec) { var type_field = that.fields.get_field('type'); var type = type_field.save()[0]; -if (type === 'normal') { -command.set_option('nonposix', true); -} else if (type === 'external') { -command.set_option('external', true); +if (type === 'nonposix' || type === 'external') { +command.set_option(type, true); } return command; 
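Review bot: in the `IPA.group_adder_dialog` hunk, `command.set_option(type, true)` now uses the selector's value string directly as the name of the group-add API option; the `if` restricts it to 'nonposix' and 'external' so it is correct today, but it silently couples the UI option values to the server-side option names, and a rename on either side would produce a command with an unknown option. A comment stating that the option values must match the group-add option names, or an explicit small map from UI value to option name, would keep that constraint visible to the next person touching either side.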
diff --git a/install/ui/test/data/ipa_init.json b/install/ui/test/data/ipa_init.json index 6903f92..99851ab 100644 --- a/install/ui/test/data/ipa_init.json +++ b/install/ui/test/data/ipa_init.json @@ -373,7 +373,7 @@ "external": "External", "make_external": "Change to external group", "make_posix": "Change to POSIX group", -"normal": "Normal", +"nonposix": "Non-POSIX", "posix": "POSIX", "type": "Group Type" }, diff --git a/ipaserver/plugins/internal.py b/ipaserver/plugins/internal.py index c2819aa..530458d 100644 --- a/ipaserver/plugins/internal.py +++ b/ipaserver/plugins/internal.py @@ -524,7 +524,7 @@ class i18n_messages(Command): "external": _("External"), "make_external": _("Change to external group"), "make_posix": _("Change to POSIX group"), -"normal": _("Normal"), +"nonposix": _("Non-POSIX"), "posix": _("POSIX"), "type": _("Group Type"), }, -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
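Review bot: the ipa_init.json and internal.py hunks rename the `normal` message key to `nonposix`, so any remaining reference to `@i18n:objects.group.normal` or to a `'normal'` group type outside the three files in this diff would now resolve to a missing label; grep the UI sources and tests for the old key before merging, since a stale reference would not fail loudly.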
[Freeipa-devel] [freeipa PR#83] Added a fix for setting Priority as required field (synchronize)
Akasurde's pull request #83: "Added a fix for setting Priority as required field " was synchronize See the full pull-request at https://github.com/freeipa/freeipa/pull/83 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/83/head:pr83 git checkout pr83 From 99505c8b4dab123f1ca57ffc5a94ee89d4bd5155 Mon Sep 17 00:00:00 2001 From: Abhijeet Kasurde Date: Thu, 15 Sep 2016 15:52:08 +0530 Subject: [PATCH] Added a fix for setting Priority as required field in Password Policy Details facet Fixes: https://fedorahosted.org/freeipa/ticket/5553 Signed-off-by: Abhijeet Kasurde --- install/ui/src/freeipa/policy.js | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/install/ui/src/freeipa/policy.js b/install/ui/src/freeipa/policy.js index 6c20cc1..83f47e7 100644 --- a/install/ui/src/freeipa/policy.js +++ b/install/ui/src/freeipa/policy.js @@ -69,7 +69,10 @@ return { name: 'krbpwdlockoutduration', measurement_unit: 'seconds' }, -'cospriority' +{ +name: 'cospriority', +required: true +} ] }] } -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
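Review bot: `required: true` on `cospriority` applies to every password policy rendered by this details facet; confirm that the global password policy, which may not carry a priority value, is not edited through the same facet, otherwise the form becomes impossible to save for that entry. Note also that the flag is client-side validation only, so the server must still reject a group policy submitted without a priority; the UI change does not substitute for that check.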
[Freeipa-devel] [freeipa PR#84] Removed update_from_dict function from ldapupdate (comment)
abbra commented on a pull request """ NACK. Please instead fix update_from_dict() to follow _run_updates() expectations. update_from_dict() is a handy function for externally provided FreeIPA modules. They will need to implement the same functionality if they want to do dynamic updates themselves. Thus, the function had better stay to avoid duplication and instead be fixed to properly call _run_updates(). """ See the full comment at https://github.com/freeipa/freeipa/pull/84#issuecomment-247279263
[Freeipa-devel] [freeipa PR#84] Removed update_from_dict function from ldapupdate (opened)
stlaz's pull request #84: "Removed update_from_dict function from ldapupdate" was opened PR body: """ update_from_dict was basically dead code as it's used nowhere in the project. https://fedorahosted.org/freeipa/ticket/6311 """ See the full pull-request at https://github.com/freeipa/freeipa/pull/84 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/84/head:pr84 git checkout pr84 From 20e820b1858730f54f2175578eaecc6c0542bbee Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Thu, 15 Sep 2016 10:42:11 +0200 Subject: [PATCH] Removed update_from_dict function in ldapupdate update_from_dict was basically dead code as it's used nowhere in the project. https://fedorahosted.org/freeipa/ticket/6311 --- ipaserver/install/ldapupdate.py | 14 -- ipatests/test_install/test_updates.py | 95 --- 2 files changed, 109 deletions(-) diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py index 1b39745..7d87c8b 100644 --- a/ipaserver/install/ldapupdate.py +++ b/ipaserver/install/ldapupdate.py @@ -921,20 +921,6 @@ def update(self, files, ordered=True): return self.modified -def update_from_dict(self, updates): -""" -Apply updates internally as opposed to from a file. -updates is a dictionary containing the updates -""" -self.modified = False -try: -self.create_connection() -self._run_updates(updates) -finally: -self.close_connection() - -return self.modified - def close_connection(self): """Close ldap connection""" if self.conn: diff --git a/ipatests/test_install/test_updates.py b/ipatests/test_install/test_updates.py index 3fa2cd7..01e06ca 100644 --- a/ipatests/test_install/test_updates.py +++ b/ipatests/test_install/test_updates.py 
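Review bot: the ldapupdate.py hunk removes a public method of LDAPUpdate with no deprecation path, and as the thread notes, any external update plugin that builds updates in memory would then have to reimplement it. If the method is kept instead, the real defect is in its docstring and caller contract: it says `updates is a dictionary`, while _run_updates() works on the list-of-dicts shape the later test fix uses, so the fix is to document and accept that shape rather than to delete the method.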
@@ -253,98 +253,3 @@ def test_9_badsyntax(self): with self.assertRaises(BadSyntax): modified = self.updater.update( [os.path.join(self.testdir, "9_badsyntax.update")]) - -def test_from_dict(self): -""" -Test updating from a dict. - -This replicates what was done in test 1. -""" - -# First make sure we're clean -with self.assertRaises(errors.NotFound): -entries = self.ld.get_entries( -self.container_dn, self.ld.SCOPE_BASE, 'objectclass=*', ['*']) - -with self.assertRaises(errors.NotFound): -entries = self.ld.get_entries( -self.user_dn, self.ld.SCOPE_BASE, 'objectclass=*', ['*']) - - -update = { -self.container_dn: -{'dn': self.container_dn, - 'updates': ['add:objectClass: top', - 'add:objectClass: nsContainer', - 'add:cn: test' -], -}, -self.user_dn: -{'dn': self.user_dn, - 'updates': ['add:objectclass: top', - 'add:objectclass: person', - 'add:objectclass: posixaccount', - 'add:objectclass: krbprincipalaux', - 'add:objectclass: inetuser', - 'add:homedirectory: /home/tuser', - 'add:loginshell: /bin/bash', - 'add:sn: User', - 'add:uid: tuser', - 'add:uidnumber: 999', - 'add:gidnumber: 999', - 'add:cn: Test User', -], -}, -} - -modified = self.updater.update_from_dict(update) -self.assertTrue(modified) - -entries = self.ld.get_entries( -self.container_dn, self.ld.SCOPE_BASE, 'objectclass=*', ['*']) -self.assertEqual(len(entries), 1) -entry = entries[0] - -objectclasses = entry.get('objectclass') -for item in ('top', 'nsContainer'): -self.assertTrue(item in objectclasses) - -self.assertEqual(entry.single_value['cn'], 'test') - -entries = self.ld.get_entries( -self.user_dn, self.ld.SCOPE_BASE, 'objectclass=*', ['*']) -self.assertEqual(len(entries), 1) -entry = entries[0] - -objectclasses = entry.get('objectclass') -for item in ('top', 'person', 'posixaccount', 'krbprincipalaux', 'inetuser'): -self.assertTrue(item in objectclasses) - -self.assertEqual(entry.single_value['loginshell'], paths.BASH) -self.assertEqual(entry.single_value['sn'], 'User') 
-self.assertEqual(entry.single_value['uid'], 'tuser') -self.assertEqual(entry.single_value['cn'], 'Test User') - -# Now delete - -update = { -self.container_dn: -
Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test
On 15.09.2016 10:10, Oleg Fayans wrote: Hi Martin, The file was renamed. Did I understand correctly that for now we are leaving the test as is and are planning to extend it later? I would like to have the SSSD check involved there; please use what Sumit recommends. No new test cases. And this can be done in a separate patch; I want to have API/CLI certificate override tests for a non-AD idview (extending the current tests I posted in this thread) Martin^2 On 09/15/2016 09:49 AM, Martin Basti wrote: On 14.09.2016 18:53, Sumit Bose wrote: On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote: On 14.09.2016 17:53, Alexander Bokovoy wrote: On Wed, 14 Sep 2016, Martin Basti wrote: On 14.09.2016 17:41, Alexander Bokovoy wrote: On Wed, 14 Sep 2016, Martin Basti wrote: 1) I still don't see the reason why AD trust is needed. Default trust ID view is added just by ipa-adtrust-install, adding trust is not needed for current implementation. You don't need AD for this, IDviews is a generic feature, not just for AD. Is that user configured on AD side? You cannot add a non-AD user to 'default trust view', so you will not be able to set up certificates for an ID override which does not exist. For non-'default trust view' you can add both IPA and AD users, so use some other view and then assign a certificate for an ID override in that one. Ok then, but anyway I would like to see API/CLI tests for this feature with proper output validation. How can this be tested with SSSD? You need to log into the system with a certificate... Is this possible from a test? We are logged in remotely as root, is there any cmdline util which allows us to test a certificate against an AD user? You can use 'sss_ssh_authorizedkeys aduser@ad.domain' which should return the ssh key derived from the public key in the certificate. This should work for a certificate stored in AD as well as for overrides. 
You can also use the DBus lookup by certificate as described in https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate . HTH bye, Sumit Thank you Alexander and Sumit for the hints. Oleg, I realized we don't have any other idviews integration tests, so I propose to rename the test file you are adding to test_idviews.py. We can add more test cases for idviews there later Martin^2 Martin^2
Re: [Freeipa-devel] [Test][patch-0058] Fixed topology tests failures in CI
On 14.09.2016 10:43, Oleg Fayans wrote: Again ping for review, please it completely blocks the whole job. On 09/07/2016 03:27 PM, Oleg Fayans wrote: ping for review On 08/24/2016 01:58 PM, Oleg Fayans wrote: And here is how the run looks like: $ ipa-run-tests test_integration/test_topology.py WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13] Permission denied: 'lextab.py' WARNING: yacc table file version is out of date WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission denied: 'yacctab.py' test session starts = platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1 rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini plugins: sourceorder-0.5, multihost-1.0 collected 3 items test_integration/test_topology.py ..x === 2 passed, 1 xfailed in 1558.66 seconds === On 08/12/2016 04:05 PM, Martin Basti wrote: On 12.08.2016 15:48, Oleg Fayans wrote: Hi Martin, On 08/11/2016 10:05 AM, Martin Basti wrote: On 10.08.2016 20:32, Oleg Fayans wrote: Hello, before we jump into fixing tests, my question is: Was this planned change and not reflected by test, or switched values are unwanted side effect and thus bug for us? That's a marvelous question! The test used to pass, which means that at some point the convention of naming the segments must have changed. Is it a bug? I do not think so: the feature still works as expected. Ludwig, do you know details about this change, why positions of server names are different than used to be in topology name? Ticket contains almost no info, except a traceback and it says nothing. Commit message says at least something. I'm not sure if this patch fixes that ticket, because traceback in test shows error message that "removal of segment will disconnect topology", but this patch only swap order of replica names in segment name. I would expect that you should get different error, something like segment does not exist. 
Which I do get in jenkins job N 37: "segment not found" In fact, the error in the issue is unrelated to the fix, you are right. To tell the truth, I just put a random error from one of the jenkins topology testruns into the issue. This is very good way how to report tickets: * nobody knows what happened * nobody can search in current tickets, what is wrong without proper description * developers cannot investigate issue, because there is even no name of exact test in ticket, no steps to reproduce, nothing * without proper tickets it is hard to backport patches correctly, if patch fixes different issue than is reported I'm closing ticket as invalid, please follow http://www.chiark.greenend.org.uk/~sgtatham/bugs.html and file a new proper ticket. This particular error message was caused by a previous replica installation failure, which resulted in existing only one segment instead of three: master <-> replica1 instead of: master <-> replica1, master <-> replica2 replica1 <-> replica2 In fact the patch supplied fixes 2 tests at once: The first test tries to remove the unexisting segment master <-> replica2 and fails, the second test expects the line topology master <-> replica1 <-> replica2. It removes the connection between replica1 and replica2, expects the operation to fail but it does not because the connection between master and replica2 exists the output from the testrun with the patch applied: -bash-4.3$ ipa-run-tests test_integration/test_topology.py --pdb WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13] Permission denied: 'lextab.py' WARNING: yacc table file version is out of date WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission denied: 'yacctab.py' test session starts = platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1 rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini plugins: sourceorder-0.5, multihost-1.0 collected 3 items test_integration/test_topology.py ... 
3 passed in 2156.82 seconds = I don't care about test output until there is no valid description of problem, fixing test may just cover real issue. Martin^2 Martin^2 ACK master: * 49fbbb0641df2adab28fd3440686cb7430645c85 Fixed segment naming in topology tests * 3e4740f788aee00ae03a61d39238f605779fcece Xfai
Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test
Hi Martin, The file was renamed. Did I understand correctly that for now we are leaving the test as is and are planning to extend it later? On 09/15/2016 09:49 AM, Martin Basti wrote: On 14.09.2016 18:53, Sumit Bose wrote: On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote: On 14.09.2016 17:53, Alexander Bokovoy wrote: On Wed, 14 Sep 2016, Martin Basti wrote: On 14.09.2016 17:41, Alexander Bokovoy wrote: On Wed, 14 Sep 2016, Martin Basti wrote: 1) I still don't see the reason why AD trust is needed. Default trust ID view is added just by ipa-adtrust-install, adding trust is not needed for current implementation. You don't need AD for this, IDviews is a generic feature, not just for AD. Is that user configured on AD side? You cannot add a non-AD user to 'default trust view', so you will not be able to set up certificates for an ID override which does not exist. For non-'default trust view' you can add both IPA and AD users, so use some other view and then assign a certificate for an ID override in that one. Ok then, but anyway I would like to see API/CLI tests for this feature with proper output validation. How can this be tested with SSSD? You need to log into the system with a certificate... Is this possible from a test? We are logged in remotely as root, is there any cmdline util which allows us to test a certificate against an AD user? You can use 'sss_ssh_authorizedkeys aduser@ad.domain' which should return the ssh key derived from the public key in the certificate. This should work for a certificate stored in AD as well as for overrides. You can also use the DBus lookup by certificate as described in https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate . HTH bye, Sumit Thank you Alexander and Sumit for the hints. Oleg, I realized we don't have any other idviews integration tests, so I propose to rename the test file you are adding to test_idviews.py. 
We can add more testcases for idviews there later Martin^2 Martin^2 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code -- Oleg Fayans Quality Engineer FreeIPA team RedHat. From 1a0039b64023b0bb3c9289128413b4ccef489ec4 Mon Sep 17 00:00:00 2001 From: Oleg Fayans Date: Tue, 6 Sep 2016 13:55:16 +0200 Subject: [PATCH] Automated test for certs in idoverrides feature https://fedorahosted.org/freeipa/ticket/6005 --- .../test_integration/test_idviews.py | 121 + 1 file changed, 121 insertions(+) create mode 100644 ipatests/test_integration/test_idviews.py diff --git a/ipatests/test_integration/test_idviews.py b/ipatests/test_integration/test_idviews.py new file mode 100644 index ..762ce71a5ed8883b2a2d5bc4185b5ffcb52a4edb --- /dev/null +++ b/ipatests/test_integration/test_idviews.py 
@@ -0,0 +1,121 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +import os +import re +import string +from ipatests.test_integration import tasks +from ipatests.test_integration.base import IntegrationTest +from ipatests.test_integration.tasks import assert_error +from ipatests.test_integration.env_config import get_global_config +config = get_global_config() + + +class TestCertsInIDOverrides(IntegrationTest): +topology = "line" +service_certprofile = 'caIPAserviceCert' +num_ad_domains = 1 +user_certprofile = 'caIPAuserCert' +adview = 'Default Trust View' +cert_re = re.compile('Certificate: (?P.*?)\\s+.*') +ad = config.ad_domains[0].ads[0] +ad_domain = ad.domain.name +aduser = "testuser@%s" % ad_domain +adcert1 = 'MyCert1' +adcert2 = 'MyCert2' +adcert1_file = adcert1 + '.crt' +adcert2_file = adcert2 + '.crt' + +@classmethod +def uninstall(cls, mh): +super(TestCertsInIDOverrides, cls).uninstall(mh) +cls.master.run_command(['rm', '-rf', cls.reqdir], raiseonerr=False) + +@classmethod +def install(cls, mh): +super(TestCertsInIDOverrides, cls).install(mh) +master = cls.master + +# AD-related stuff +tasks.install_adtrust(master) +tasks.sync_time(master, cls.ad) +tasks.establish_trust_with_ad(cls.master, cls.ad_domain, + extra_args=['--range-type', + 'ipa-ad-trust']) + +tasks.sync_time(cls.master, cls.ad) +master.run_command(['ipa', 'certprofile-show', cls.service_certprofile, +"--out=%s.txt" % cls.user_certprofile]) +master.run_command("sed -i \"s/profileId=%s/profileId=%s/\" %s.txt" % ( +cls.service_certprofile, cls.user_certprofile, +cls.user_certprofile) +) +master.run_command(['ipa', 'certprofile-import', cls.user_certprofile, +"--file=%s.txt" % cls.user_certprofile, +
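Review bot: `cert_re = re.compile('Certificate: (?P.*?)\\s+.*')` as it appears here has no group name after `(?P`, which re.compile rejects at import time; the name was most likely lost in the mail rendering, but verify the committed file compiles and that the named group is what the test later reads. Three smaller points in the same hunk: the certprofile rewrite is built as a shell string (`"sed -i \"s/profileId=%s/profileId=%s/\" %s.txt" % (...)`), and passing `['sed', '-i', ...]` as an argument list like the neighbouring run_command calls avoids shell quoting surprises if a profile name ever contains a metacharacter; `tasks.sync_time(master, cls.ad)` is called both before and after `establish_trust_with_ad`, so one of the two should be dropped or the reason for the second stated in a comment; and `cls.reqdir` is removed in uninstall() but is not defined in the part of the patch visible here, so confirm it is set in the remainder of install() before the cleanup runs.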
Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test
On 14.09.2016 18:53, Sumit Bose wrote: On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote: On 14.09.2016 17:53, Alexander Bokovoy wrote: On Wed, 14 Sep 2016, Martin Basti wrote: On 14.09.2016 17:41, Alexander Bokovoy wrote: On Wed, 14 Sep 2016, Martin Basti wrote: 1) I still don't see the reason why AD trust is needed. Default trust ID view is added just by ipa-adtrust-install, adding trust is not needed for current implementation. You don't need AD for this, IDviews is a generic feature, not just for AD. Is that user configured on AD side? You cannot add a non-AD user to 'default trust view', so you will not be able to set up certificates for an ID override which does not exist. For non-'default trust view' you can add both IPA and AD users, so use some other view and then assign a certificate for an ID override in that one. Ok then, but anyway I would like to see API/CLI tests for this feature with proper output validation. How can this be tested with SSSD? You need to log into the system with a certificate... Is this possible from a test? We are logged in remotely as root, is there any cmdline util which allows us to test a certificate against an AD user? You can use 'sss_ssh_authorizedkeys aduser@ad.domain' which should return the ssh key derived from the public key in the certificate. This should work for a certificate stored in AD as well as for overrides. You can also use the DBus lookup by certificate as described in https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate . HTH bye, Sumit Thank you Alexander and Sumit for the hints. Oleg, I realized we don't have any other idviews integration tests, so I propose to rename the test file you are adding to test_idviews.py. 
We can add more test cases for idviews there later Martin^2 Martin^2