Re: [Freeipa-devel] [DESIGN] IPA permission enforcement in Dogtag
On 13/01/17 08:07, Fraser Tweedale wrote:

Related to design: http://www.freeipa.org/page/V4/Dogtag_GSS-API_Authentication

Currently there are some operations that hit the CA that involve a number of privileged operations against the CA, but for which there is only one associated IPA permission. Deleting a CA is a good example (but it is one specific case of a more general issue).

Summary of current ca-del behaviour:

1. Disable LWCA in Dogtag (uses RA Agent cert)
2. Delete LWCA in Dogtag (uses RA Agent cert)
3. Delete CA entry from IPA (requires "System: Delete CA" permission)

So there are two things going on under the hood: a modify operation (disable CA) and the delete. When we implement proxy authentication to Dogtag, Dogtag will enforce the IPA permissions on its operations. Disable will map to "System: Modify CA" and delete to "System: Delete CA". So to delete a CA a user will need *both* permissions. Which could be surprising.

There are a couple of reasonable approaches to this.

1. Decouple the disable and delete operations. If CA is not disabled, the user will be instructed to execute the ca-disable command separately before they can disable the CA. This introduces an additional manual step for operators.

2. Just improve the error reporting. In my WIP, for a user that has 'System: Delete CA' permission but not 'System: Modify CA', the reported failure is a 403 Authorization Error from Dogtag. We can add guards to fail more gracefully.

I lean towards #2 because I guess the common case will be that users either get all CA admin permissions, or none, and we don't want to make more work (in the form of more commands to run) for users in the common case.

I welcome alternative views and suggestions.

Thanks,
Fraser

Hi Fraser,

as a user with "System: Delete CA" permission calling "ca-del" command I would be really surprised that I don't have enough privileges to complete the action. I would expect:

a) "Cannot delete active CA, disable it first" error.
b) Delete will be completed successfully. All internal and to my sight hidden operations will be allowed just because I'm allowed to perform the delete operation.

I think that b) might lead to strange exceptions in authorization checking and therefore to security issues. So I would prefer decoupling ca-disable and ca-del as you're describing in 1).

--
David Kupka

--
Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
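To make the failure mode in this thread concrete (a user holding only one of the two permissions gets a 403 partway through ca-del, possibly after the disable step has already been applied), here is an added Python model of the three ca-del variants discussed above. It is not FreeIPA or Dogtag code; FakeDogtag, the "sub-ca" name and the error strings are constructed for the example.

```python
"""Model of ca-del when Dogtag enforces one IPA permission per operation."""

# Permission names as used in the design discussion.
MODIFY_CA = "System: Modify CA"
DELETE_CA = "System: Delete CA"

# Dogtag operations that ca-del performs, each with the IPA permission a
# proxy-authenticated Dogtag would enforce for it.
CA_DEL_PLAN = (("disable", MODIFY_CA), ("delete", DELETE_CA))


class AuthorizationError(Exception):
    """Stands in for Dogtag's HTTP 403 response."""


class FakeDogtag:
    """Constructed stand-in for a Dogtag that checks permissions per call."""

    def __init__(self):
        self.cas = {}  # CA name -> {"enabled": bool}

    def add(self, name):
        self.cas[name] = {"enabled": True}

    def disable(self, name, perms):
        if MODIFY_CA not in perms:
            raise AuthorizationError("403: %s required" % MODIFY_CA)
        self.cas[name]["enabled"] = False

    def delete(self, name, perms):
        if DELETE_CA not in perms:
            raise AuthorizationError("403: %s required" % DELETE_CA)
        del self.cas[name]


def ca_del_naive(dogtag, name, perms):
    """Current behaviour: disable, then delete; Dogtag rejects each step on its own."""
    dogtag.disable(name, perms)
    dogtag.delete(name, perms)


def missing_permissions(perms, plan=CA_DEL_PLAN):
    """Permissions the plan needs that the caller does not hold, in plan order."""
    return [p for _, p in plan if p not in perms]


def ca_del_guarded(dogtag, name, perms):
    """Approach 2: verify every sub-operation's permission before touching Dogtag."""
    missing = missing_permissions(perms)
    if missing:
        raise AuthorizationError("ca-del requires: " + ", ".join(missing))
    ca_del_naive(dogtag, name, perms)


def ca_del_decoupled(dogtag, name, perms):
    """Approach 1: refuse an enabled CA; the operator runs ca-disable separately."""
    if dogtag.cas[name]["enabled"]:
        raise ValueError("Cannot delete active CA %s, disable it first" % name)
    dogtag.delete(name, perms)


def run(strategy, perms):
    """Run one strategy for a user holding `perms` on a fresh, enabled CA.

    Returns (outcome, state): outcome is "ok" or the error text, state is the
    CA's state afterwards ("enabled", "disabled" or "deleted"), which shows
    whether a refused call left a half-applied change behind.
    """
    dogtag = FakeDogtag()
    dogtag.add("sub-ca")
    try:
        strategy(dogtag, "sub-ca", perms)
        outcome = "ok"
    except (AuthorizationError, ValueError) as e:
        outcome = str(e)
    if "sub-ca" not in dogtag.cas:
        state = "deleted"
    elif dogtag.cas["sub-ca"]["enabled"]:
        state = "enabled"
    else:
        state = "disabled"
    return outcome, state


if __name__ == "__main__":
    # Modify-only user: the naive flow disables the CA, then fails on delete.
    for perms in ({MODIFY_CA}, {DELETE_CA}, {MODIFY_CA, DELETE_CA}):
        for strategy in (ca_del_naive, ca_del_guarded, ca_del_decoupled):
            print(sorted(perms), strategy.__name__, run(strategy, perms))
```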
[Freeipa-devel] [freeipa PR#372][comment] Restore IPA 3.0 compatibility of copy-schema-to-ca.py
URL: https://github.com/freeipa/freeipa/pull/372
Title: #372: Restore IPA 3.0 compatibility of copy-schema-to-ca.py

tiran commented:
"""
How about we remove the file entirely and just post it on the wiki or something?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/372#issuecomment-273042550
[Freeipa-devel] [freeipa PR#372][comment] Restore IPA 3.0 compatibility of copy-schema-to-ca.py
URL: https://github.com/freeipa/freeipa/pull/372
Title: #372: Restore IPA 3.0 compatibility of copy-schema-to-ca.py

stlaz commented:
"""
+1, that was actually my original point. Just revert the change done to the file in https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=d6b755e3fcaf32158f4ee36d45e3344b4a03fbc2, don't add `confdir` option to api.bootstrap() and let the script die in peace.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/372#issuecomment-273038677
[Freeipa-devel] [freeipa PR#387][comment] Update warning message for ipa server uninstall
URL: https://github.com/freeipa/freeipa/pull/387
Title: #387: Update warning message for ipa server uninstall

Akasurde commented:
"""
Bump for review
"""

See the full comment at https://github.com/freeipa/freeipa/pull/387#issuecomment-273036178
[Freeipa-devel] [freeipa PR#394][synchronized] Add fix for ipa plugins command
URL: https://github.com/freeipa/freeipa/pull/394 Author: Akasurde Title: #394: Add fix for ipa plugins command Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/394/head:pr394 git checkout pr394 From eab5385725b104bfcba1091190bb281a1c980aa1 Mon Sep 17 00:00:00 2001 From: Abhijeet Kasurde Date: Thu, 12 Jan 2017 18:38:37 +0530 Subject: [PATCH] Add fix for ipa plugins command Fix adds count of plugins loaded to return dict Fixes https://fedorahosted.org/freeipa/ticket/6513 Signed-off-by: Abhijeet Kasurde --- ipalib/misc.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ipalib/misc.py b/ipalib/misc.py index 687b018..6366686 100644 --- a/ipalib/misc.py +++ b/ipalib/misc.py @@ -7,6 +7,7 @@ from ipalib.output import Output, summary from ipalib import Flag from ipalib.plugable import Registry +import six register = Registry() @@ -124,8 +125,9 @@ def execute(self, **options): for plugin in self.api[namespace](): cls = type(plugin) key = '{}.{}'.format(cls.__module__, cls.__name__) -result.setdefault(key, []).append(namespace) +result.setdefault(key, []).append(six.text_type(namespace)) return dict( result=result, +count=len(result), ) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
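Review bot: in the first ipalib/misc.py hunk, `+import six` is appended after the local `from ipalib.plugable import Registry` import; third-party imports belong with the standard-library block above the ipalib imports (the variant proposed in the PR discussion places it there), so move the line up to keep the import grouping consistent.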
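Review bot: in the `execute` hunk, `+count=len(result)` counts distinct plugin classes (the dict keys), not per-namespace registrations, so a plugin present in both the Command and Method namespaces counts once; the commit message says "count of plugins loaded", which should state that explicitly. The review also asked for a regression test for `ipa plugins`, and none is part of this patch.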
[Freeipa-devel] [freeipa PR#372][comment] Restore IPA 3.0 compatibility of copy-schema-to-ca.py
URL: https://github.com/freeipa/freeipa/pull/372
Title: #372: Restore IPA 3.0 compatibility of copy-schema-to-ca.py

HonzaCholasta commented:
"""
I agree with @mbasti-rh. IMO we should remove all 4.0+ specific code from the script, add a version check at the beginning and disable all failing pylint checks. Maybe also add a comment at the top saying that the file is not to be modified anymore.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/372#issuecomment-27306
[Freeipa-devel] [freeipa PR#394][comment] Add fix for ipa plugins command
URL: https://github.com/freeipa/freeipa/pull/394
Title: #394: Add fix for ipa plugins command

rcritten commented:
"""
How about a test to prevent future regressions?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/394#issuecomment-272962038
[Freeipa-devel] [freeipa PR#394][comment] Add fix for ipa plugins command
URL: https://github.com/freeipa/freeipa/pull/394 Title: #394: Add fix for ipa plugins command martbab commented: """ Thanks the patch makes the command work. However, the namespace names are returned as string, not unicode literals and thus the framework returns them as base64-encoded values: ``` # ipa plugins ipaclient.plugins.automember.automember_add_condition: Q29tbWFuZA==, TWV0aG9k ipaclient.plugins.automount.automountlocation_import: Q29tbWFuZA== ipaclient.plugins.automount.automountlocation_tofiles: Q29tbWFuZA==, TWV0aG9k # echo 'Q29tbWFuZA==' | base64 -d && echo Command # echo '# echo 'TWV0aG9k' | base64 -d && echo Method ``` One way to fix this is to wrap namespace name in `six.test_type`, this should work in both py2 and py3: ```diff diff --git a/ipalib/misc.py b/ipalib/misc.py index 264ec29..6234961 100644 --- a/ipalib/misc.py +++ b/ipalib/misc.py @@ -3,6 +3,9 @@ # import re + +import six + from ipalib import LocalOrRemote, _, ngettext from ipalib.output import Output, summary from ipalib import Flag @@ -124,7 +127,7 @@ class plugins(LocalOrRemote): for plugin in self.api[namespace](): cls = type(plugin) key = '{}.{}'.format(cls.__module__, cls.__name__) -result.setdefault(key, []).append(namespace) +result.setdefault(key, []).append(six.text_type(namespace)) return dict( result=result ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/394#issuecomment-272905328 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
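Review bot: in the second hunk of the suggested diff, `six.text_type(namespace)` is the right fix for the base64-encoded output, and the namespace names shown above ('Command', 'Method') are plain ASCII, so the implicit ASCII decode this performs on Python 2 cannot raise; the prose above writes the helper as `six.test_type`, which should read `six.text_type` as in the diff itself.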
Re: [Freeipa-devel] GetEffectiveRights and add ACIs
On 01/13/2017 06:24 PM, thierry bordaz wrote:

Hello,

The option specifies the value of 'objectclass' attribute during the GER. That is evaluated at attributeLevelRights but not at the entryLevelRights. I was not able to fix the test case using this option. For information I opened that ticket https://fedorahosted.org/freeipa/ticket/6609

I think we need a 389-ds ticket as well. Looking into it, the aci code contains parts to construct a template entry to evaluate access to a non existent entry, but it is not called because either entries are found and processed or the search returns no such object. It should be possible to make this work.

thanks
thierry

On 01/13/2017 11:01 AM, Ludwig Krispenz wrote:

Hi,

if you look at: https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Viewing_the_ACIs_for_an_Entry-Get_Effective_Rights_Control.html#ex-ger-non-entry then it looks like you can provide GER a bit of information eg objectclass of the new entry, so that the existing aci would be selected. Maybe can_add can be extended.

Ludwig

On 01/13/2017 09:12 AM, thierry bordaz wrote:

Hi Fraser,

I failed to reproduce your test case, I mean the aci granted the add right to a group member to ADD an entry with the filtered attribute. Now I have a doubt to test attribute value on an entry that does not yet exist.

Would you run

    /usr/lib64/mozldap/ldapsearch -D "cn=directory manager" W -b "cn=cas,cn=ca,dc=ipa,dc=local" -J "1.3.6.1.4.1.42.2.27.9.5.2:true:dn:uid=alice,cn=users,cn=accounts,dc=ipa,dc=local" "(objectclass=*)"

to get the effective rights under cn=cas,cn=ca,dc=ipa,dc=local

Also you may replay your test case with ACL logs (http://www.port389.org/docs/389ds/FAQ/faq.html#Troubleshooting), nsslapd-errorlog-level: 262272

thanks
thierry

On 01/13/2017 07:21 AM, Fraser Tweedale wrote:

In ca_add.pre_callback, we have:

    if not ldap.can_add(dn[1:]):
        raise ACIError(...)

`can_add' uses the GetEffectiveRights control to see what rights the user has. When a user with the 'System: Add CA' permission attempts to add a CA, the above ACIError gets raised. This is definitely a bug. I think it is a bug in DS GetEffectiveRights code.

The ACI in play is:

    dn: cn=cas,cn=ca,dc=ipa,dc=local
    aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Add CA";allow (add) groupdn = "ldap:///cn=System: Add CA,cn=permissions,cn=pbac,dc=ipa,dc=local";)
    ...

The user definitely has the right membership:

    dn: uid=alice,cn=users,cn=accounts,dc=ipa,dc=local
    memberof: cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=local
    memberof: cn=CA Administrator,cn=roles,cn=accounts,dc=ipa,dc=local
    memberof: cn=LWCA Administration,cn=privileges,cn=pbac,dc=ipa,dc=local
    memberof: cn=System: Add CA,cn=permissions,cn=pbac,dc=ipa,dc=local

William suggested I check whether direct vs. indirect membership made a difference. It does not.

A wild guess is that the algorithm that computes whether the subject has add access under the given entry does not take the targetfilter into account. To solve, perhaps we could ignore ACI targetfilter when computing add access for GER.

Alternatively, is there another way for a user to determine if they can add an entry at a particular place, without actually doing the add?

Thanks,
Fraser

--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander
[Freeipa-devel] Stageuser API
Hello everyone!

I've noticed that our API for stageuser is missing some commands that user has (stageuser-{add,remove}-{principal,cert}). I was wondering if there is a reason for it but after asking some fellow developers it seems that there's none.

I understand the stageuser area as a place where a user entry can be created and amended during the hiring process in an organization, example:

1. HR creates the entry with just basic information (givenname, surname, manager)
2. IT assigns basic account information (uid, gid)
3. based on to-be-employee manager's request IT adds additional group membership (memberOf)
4. based on to-be-employee request IT adds login alias (krbPrincipalName)
5. Security Officer adds certificate from Smart Card assigned to the to-be-employee
6. HR adds extra information to the account (address, marital status, ...)
7. Facilities update work place related information (seat number, phone number, ...)
8. On the first day IT activates the user account.

Considering this work flow I think it might be useful to have the same API for stageuser as for the user.

Does the example work flow make sense? Should we provide the same set of commands for user and stageuser?

Thanks for your ideas and opinions!

--
David Kupka
[Freeipa-devel] [freeipa PR#372][comment] Restore IPA 3.0 compatibility of copy-schema-to-ca.py
URL: https://github.com/freeipa/freeipa/pull/372
Title: #372: Restore IPA 3.0 compatibility of copy-schema-to-ca.py

mbasti-rh commented:
"""
this script must work only with IPA3.x, so I wouldn't add there anything from 4.4/master code. As I pointed out several times I don't think that this code even should be in master branch, as we are always just fixing regressions there, but rather as separate script, or script in IPA3.x. Unfortunately I haven't got enough support for my idea.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/372#issuecomment-272875313
[Freeipa-devel] [freeipa PR#393][edited] [WIP] Py3 allow to run wsgi
URL: https://github.com/freeipa/freeipa/pull/393
Author: mbasti-rh
Title: #393: [WIP] Py3 allow to run wsgi
Action: edited

Changed field: title
Original value:
"""
[WIP] Py3 allow to run wsgi
"""
[Freeipa-devel] [freeipa PR#378][+ack] Clean / ignore make check artefact
URL: https://github.com/freeipa/freeipa/pull/378
Title: #378: Clean / ignore make check artefact
Label: +ack
[Freeipa-devel] [freeipa PR#382][comment] [Py3] ipa-server-install fixes (working NTP, DS, CA install steps)
URL: https://github.com/freeipa/freeipa/pull/382
Title: #382: [Py3] ipa-server-install fixes (working NTP, DS, CA install steps)

mbasti-rh commented:
"""
@HonzaCholasta @tiran bump for review
"""

See the full comment at https://github.com/freeipa/freeipa/pull/382#issuecomment-272865543
[Freeipa-devel] [freeipa PR#392][comment] Fix coverity issue
URL: https://github.com/freeipa/freeipa/pull/392
Title: #392: Fix coverity issue

mbasti-rh commented:
"""
Fixed upstream master: https://fedorahosted.org/freeipa/changeset/49855ca9dea9241ccd88e3a89b499b6fed4493c9
"""

See the full comment at https://github.com/freeipa/freeipa/pull/392#issuecomment-272865344
[Freeipa-devel] [freeipa PR#392][+pushed] Fix coverity issue
URL: https://github.com/freeipa/freeipa/pull/392
Title: #392: Fix coverity issue
Label: +pushed
[Freeipa-devel] [freeipa PR#392][closed] Fix coverity issue
URL: https://github.com/freeipa/freeipa/pull/392
Author: tomaskrizek
Title: #392: Fix coverity issue
Action: closed

To pull the PR as Git branch:

    git remote add ghfreeipa https://github.com/freeipa/freeipa
    git fetch ghfreeipa pull/392/head:pr392
    git checkout pr392
[Freeipa-devel] [freeipa PR#393][synchronized] [WIP] Py3 allow to run wsgi
URL: https://github.com/freeipa/freeipa/pull/393 Author: mbasti-rh Title: #393: [WIP] Py3 allow to run wsgi Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/393/head:pr393 git checkout pr393 From 928a2db32a36e7326d127ba711a2630ff7d74cc1 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Mon, 9 Jan 2017 11:53:59 +0100 Subject: [PATCH 01/27] py3: create_cert_db: write to file in a compatible way Py3 expect bytes to be writed using os.write. Instead of that using io module is more pythonic. https://fedorahosted.org/freeipa/ticket/4985 --- ipaserver/install/httpinstance.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index bacd5fc..ded0553 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -19,6 +19,7 @@ from __future__ import print_function +import io import os import os.path import pwd @@ -314,9 +315,8 @@ def create_cert_db(self): # Create the password file for this db password = ipautil.ipa_generate_password() -f = os.open(pwd_file, os.O_CREAT | os.O_RDWR) -os.write(f, password) -os.close(f) +with io.open(pwd_file, 'w') as f: +f.write(password) ipautil.run([paths.CERTUTIL, "-d", database, "-f", pwd_file, "-N"]) From 8c157e9643019bf6ffadab68efdb272d80038871 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Tue, 10 Jan 2017 13:45:11 +0100 Subject: [PATCH 02/27] py3: service.py: replace mkstemp by NamedTemporaryFile NamedTemporaryfile can be used in more pythonic way and file can be opened in textual mode that is required with PY3 https://fedorahosted.org/freeipa/ticket/4985 --- ipapython/ipautil.py | 2 +- ipaserver/install/service.py | 7 --- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py index e3e4611..34d10ef 100644 --- a/ipapython/ipautil.py +++ b/ipapython/ipautil.py 
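Review bot: in the create_cert_db hunk of ipaserver/install/httpinstance.py, neither the removed `os.open(pwd_file, os.O_CREAT | os.O_RDWR)` nor the new `io.open(pwd_file, 'w')` restricts the permissions of a file that holds the NSS database password; both create it with the default creation mode minus umask. Create it with `os.open(pwd_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` and hand the descriptor to `io.open(fd, 'w')`, or chmod it right after creation. Note also that `'w'` truncates while the old O_RDWR open did not, so a pre-existing longer file no longer keeps stale trailing bytes after the password, which is an improvement worth mentioning in the commit message.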
@@ -852,7 +852,7 @@ def ipa_generate_password(entropy_bits=256, uppercase=1, lowercase=1, digits=1, rnd = random.SystemRandom() todo_entropy = entropy_bits -password = '' +password = u'' # Generate required character classes: # The order of generated characters is fixed to comply with check in # NSS function sftk_newPinCheck() in nss/lib/softoken/fipstokn.c. diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py index 6451f92..fbe3f23 100644 --- a/ipaserver/install/service.py +++ b/ipaserver/install/service.py @@ -208,9 +208,10 @@ def _ldap_mod(self, ldif, sub_dict=None, raise_on_err=True, args += ["-H", ldap_uri] if dm_password: -[pw_fd, pw_name] = tempfile.mkstemp() -os.write(pw_fd, dm_password) -os.close(pw_fd) +with tempfile.NamedTemporaryFile( +mode='w', delete=False) as pw_file: +pw_file.write(dm_password) +pw_name = pw_file.name auth_parms = ["-x", "-D", "cn=Directory Manager", "-y", pw_name] # Use GSSAPI auth when not using DM password or not being root elif os.getegid() != 0: From 35af241c73eb9a3a38a7f613ff24751bd5a10fae Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Mon, 9 Jan 2017 12:42:23 +0100 Subject: [PATCH 03/27] py3: open temporary ldif file in text mode ldif parser uses file in text mode, so we have to open it in text mode in py3 Also values passed to parser should be bytes https://fedorahosted.org/freeipa/ticket/4985 --- ipaserver/install/dsinstance.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 6e7019a..a38d4f7 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py 
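Review bot: in the ipa_generate_password hunk of ipapython/ipautil.py, seeding with `u''` makes the function return unicode on Python 2 as well; any remaining caller that writes the result through a binary-mode descriptor (as the `os.write(f, password)` removed in patch 01 did) now needs an explicit `.encode()`, so the other call sites of ipa_generate_password should be checked in this series.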
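Review bot: in the _ldap_mod hunk of ipaserver/install/service.py, `NamedTemporaryFile(mode='w', delete=False)` keeps the 0600 permissions mkstemp gave the file, but `delete=False` means the file containing the Directory Manager password survives after the `with` block; the hunk does not show the matching `os.remove(pw_name)`, so confirm that the existing cleanup still unlinks it on every exit path (a `finally:` block), otherwise the password is left on disk when ldapmodify fails.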
@@ -589,14 +589,15 @@ def __update_dse_ldif(self): 'dse.ldif' ) -with tempfile.NamedTemporaryFile(delete=False) as new_dse_ldif: +with tempfile.NamedTemporaryFile( +mode='w', delete=False) as new_dse_ldif: temp_filename = new_dse_ldif.name with open(dse_filename, "r") as input_file: parser = installutils.ModifyLDIF(input_file, new_dse_ldif) parser.replace_value( 'cn=config,cn=ldbm database,cn=plugins,cn=config', 'nsslapd-db-locks', -['5'] +[b'5'] ) if self.config_ldif: # parse modifications from ldif file supplied by the admin From 747a29ef0c09276c5b6fb71990d9a9271bce2c25 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Mon, 9 Jan 2017 19:01:29 +0100 Subject: [PATCH 04/27] py3: ldap modlist must have keys as string, not bytes https://fedorahosted.org/free
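Review bot: in the __update_dse_ldif hunk of ipaserver/install/dsinstance.py, both `NamedTemporaryFile(mode='w', delete=False)` and the unchanged `open(dse_filename, "r")` rely on the locale's preferred encoding on Python 3, while dse.ldif is LDIF and therefore UTF-8; pass `encoding='utf-8'` to both so the rewrite does not depend on the locale of the process running the installer. Passing `[b'5']` into a parser that writes a text-mode file only works if ModifyLDIF encodes the values itself, as the commit message implies; a short comment at the call site stating that contract would save the next reader the trip.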
[Freeipa-devel] [freeipa PR#392][+ack] Fix coverity issue
URL: https://github.com/freeipa/freeipa/pull/392
Title: #392: Fix coverity issue
Label: +ack
[Freeipa-devel] [freeipa PR#391][closed] ipapython: Add dependencies on version.py
URL: https://github.com/freeipa/freeipa/pull/391
Author: tiran
Title: #391: ipapython: Add dependencies on version.py
Action: closed

To pull the PR as Git branch:

    git remote add ghfreeipa https://github.com/freeipa/freeipa
    git fetch ghfreeipa pull/391/head:pr391
    git checkout pr391
[Freeipa-devel] [freeipa PR#391][+pushed] ipapython: Add dependencies on version.py
URL: https://github.com/freeipa/freeipa/pull/391
Title: #391: ipapython: Add dependencies on version.py
Label: +pushed
[Freeipa-devel] [freeipa PR#391][comment] ipapython: Add dependencies on version.py
URL: https://github.com/freeipa/freeipa/pull/391
Title: #391: ipapython: Add dependencies on version.py

mbasti-rh commented:
"""
Fixed upstream master: https://fedorahosted.org/freeipa/changeset/504f4417070a308ef54b8f98ff25d02c6604a6f6
"""

See the full comment at https://github.com/freeipa/freeipa/pull/391#issuecomment-272864550
[Freeipa-devel] [freeipa PR#377][closed] dogtaginstance: track server certificate with our renew agent
URL: https://github.com/freeipa/freeipa/pull/377
Author: HonzaCholasta
Title: #377: dogtaginstance: track server certificate with our renew agent
Action: closed

To pull the PR as Git branch:

    git remote add ghfreeipa https://github.com/freeipa/freeipa
    git fetch ghfreeipa pull/377/head:pr377
    git checkout pr377
[Freeipa-devel] [freeipa PR#377][+pushed] dogtaginstance: track server certificate with our renew agent
URL: https://github.com/freeipa/freeipa/pull/377
Title: #377: dogtaginstance: track server certificate with our renew agent
Label: +pushed
[Freeipa-devel] [freeipa PR#377][comment] dogtaginstance: track server certificate with our renew agent
URL: https://github.com/freeipa/freeipa/pull/377
Title: #377: dogtaginstance: track server certificate with our renew agent

mbasti-rh commented:
"""
Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/d5af11f65cc2a2d6860579a63a173b67cb12bcf3
https://fedorahosted.org/freeipa/changeset/ad49bda907b3c2ec5b98946a2c4000bb6edaf835
https://fedorahosted.org/freeipa/changeset/926fe2049a1839fd7e68c9fa55f64154ee83c841
"""

See the full comment at https://github.com/freeipa/freeipa/pull/377#issuecomment-272863729
[Freeipa-devel] [freeipa PR#351][synchronized] [fedora-26] named.conf template: update API for bind 9.11
URL: https://github.com/freeipa/freeipa/pull/351 Author: tomaskrizek Title: #351: [fedora-26] named.conf template: update API for bind 9.11 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/351/head:pr351 git checkout pr351 From fb08cbbd3b9b7047647bac73a59e34d49b6fd9ec Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Mon, 16 Jan 2017 13:48:54 +0100 Subject: [PATCH 1/3] Remove obsolete serial_autoincrement from named.conf parsing Option serial_autoincrement is no longer supported. Remove it from the named.conf parser and add it to deprecated options to be removed. https://fedorahosted.org/freeipa/ticket/6565 --- ipaserver/install/server/upgrade.py | 56 +++-- 1 file changed, 4 insertions(+), 52 deletions(-) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 5d8e596..4a85103 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -409,8 +409,8 @@ def named_remove_deprecated_options(): From IPA 3.3, persistent search is a default mechanism for new DNS zone detection. -Remove psearch, zone_refresh and cache_ttl options, as they have been -deprecated in bind-dyndb-ldap configuration file. +Remove psearch, zone_refresh cache_ttl and serial_autoincrement options, +as they have been deprecated in bind-dyndb-ldap configuration file. When some change in named.conf is done, this functions returns True. """ @@ -422,7 +422,8 @@ def named_remove_deprecated_options(): root_logger.info('DNS is not configured') return False -deprecated_options = ['zone_refresh', 'psearch', 'cache_ttl'] +deprecated_options = ['zone_refresh', 'psearch', 'cache_ttl', + 'serial_autoincrement'] removed_options = [] try: 
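Review bot: in the docstring hunk of named_remove_deprecated_options, the new line `+Remove psearch, zone_refresh cache_ttl and serial_autoincrement options,` is missing a comma after `zone_refresh`; while the docstring is being edited, the pre-existing `this functions returns True` in the surrounding context could become `this function returns True`. The list hunk that adds `'serial_autoincrement'` to `deprecated_options` matches the docstring and needs no change.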
@@ -499,54 +500,6 @@ def named_set_minimum_connections(): return changed -def named_enable_serial_autoincrement(): -""" -Serial autoincrement is a requirement for zone transfers or DNSSEC. It -should be enabled both for new installs and upgraded servers. - -When some change in named.conf is done, this functions returns True -""" -changed = False - -root_logger.info('[Enabling serial autoincrement in DNS]') - -if not bindinstance.named_conf_exists(): -# DNS service may not be configured -root_logger.info('DNS is not configured') -return changed - -try: -serial_autoincrement = bindinstance.named_conf_get_directive( -'serial_autoincrement') -except IOError as e: -root_logger.debug('Cannot retrieve psearch option from %s: %s', - bindinstance.NAMED_CONF, e) -return changed -else: -serial_autoincrement = None if serial_autoincrement is None \ -else serial_autoincrement.lower() - -# enable SOA serial autoincrement -if not sysupgrade.get_upgrade_state('named.conf', 'autoincrement_enabled'): -if serial_autoincrement != 'yes': -try: -bindinstance.named_conf_set_directive('serial_autoincrement', - 'yes') -except IOError as e: -root_logger.error('Cannot enable serial_autoincrement in %s: %s', -bindinstance.NAMED_CONF, e) -return changed -else: -root_logger.debug('Serial autoincrement enabled') -changed = True -else: -root_logger.debug('Serial autoincrement is alredy enabled') -sysupgrade.set_upgrade_state('named.conf', 'autoincrement_enabled', True) -else: -root_logger.debug('Skip serial autoincrement check') - -return changed - def named_update_gssapi_configuration(): """ Update GSSAPI configuration in named.conf to a recent API. @@ -1706,7 +1659,6 @@ def upgrade_configuration(): named_conf_changes = ( named_remove_deprecated_options(), named_set_minimum_connections(), - named_enable_serial_autoincrement(), named_update_gssapi_configuration(), named_update_pid_file(), named_enable_dnssec(), From 043f1e74f2992bf57f268d26e74f03d845568459 Mon Sep 17 00:00:00 2001 
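Review bot: removing named_enable_serial_autoincrement also drops the only writer of the `('named.conf', 'autoincrement_enabled')` sysupgrade state it used to set, so that key becomes an orphan in the upgrade state file on already-upgraded servers; harmless, but either clear it in named_remove_deprecated_options or say in the commit message that it is intentionally left behind. The companion hunk in upgrade_configuration that removes the tuple entry is consistent with this and needs nothing further.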
From: Tomas Krizek Date: Mon, 19 Dec 2016 13:12:19 +0100 Subject: [PATCH 2/3] named.conf template: update API for bind 9.11 Use the new API for bind 9.11. Removed deprecated "serial_autoincrement" and updated the rest of configuration to conform to the new format. This only fixes new IPA installations. For existing installations, named.conf will be transformed when the new version of bind-dyndb-ldap is installed. https://fedorahosted.org/freeipa/ticket/6565 --- inst
[Freeipa-devel] [freeipa PR#395][comment] Configure PKI ajp redirection to use "localhost" instead of "::1"
URL: https://github.com/freeipa/freeipa/pull/395
Title: #395: Configure PKI ajp redirection to use "localhost" instead of "::1"

tiran commented:
"""
@tomaskrizek Upstream doesn't support IPv6. @nkinder told me that our Fedora packages contain several patches. The patches are not yet in upstream. One of the patches adds IPv6 support. I have not checked if the patch provides IPv6 for both client and server sockets or just for SSLSocket.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/395#issuecomment-272830620
[Freeipa-devel] [freeipa PR#395][comment] Configure PKI ajp redirection to use "localhost" instead of "::1"
URL: https://github.com/freeipa/freeipa/pull/395
Title: #395: Configure PKI ajp redirection to use "localhost" instead of "::1"

flo-renaud commented:
"""
Please wait before merging this PR. @pvoborni Endi suggests 2 possible strategies for the upgrade fix: either in IPA or in PKI. We need to pick one, and depending on the choice modify this PR accordingly.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/395#issuecomment-272830142
[Freeipa-devel] [freeipa PR#395][comment] Configure PKI ajp redirection to use "localhost" instead of "::1"
URL: https://github.com/freeipa/freeipa/pull/395
Title: #395: Configure PKI ajp redirection to use "localhost" instead of "::1"

tomaskrizek commented:
"""
@flo You're right, I'm able to install the IPA server in IPv6 env now. I probably forgot some configuration beforehand.

@tiran That's odd. If JSS does not support IPv6 at all, why does `::1` work when IPv6 is enabled?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/395#issuecomment-272828847
[Freeipa-devel] [freeipa PR#395][+ack] Configure PKI ajp redirection to use "localhost" instead of "::1"
URL: https://github.com/freeipa/freeipa/pull/395
Title: #395: Configure PKI ajp redirection to use "localhost" instead of "::1"
Label: +ack