[Freeipa-devel] [freeipa PR#405][opened] ipa-restore must stop tracking PKINIT cert in the preparation phase
URL: https://github.com/freeipa/freeipa/pull/405 Author: flo-renaud Title: #405: ipa-restore must stop tracking PKINIT cert in the preparation phase Action: opened PR body: """ ipa-restore calls certmonger to stop tracking the PKI certs, HTTP and DS certs. It must also stop tracking the newly introduced PKINIT cert (stored in /var/kerberos/krb5kdc/kdc.crt). Otherwise the restore operation ends up with PKINIT cert tracked twice and uninstallation fails. https://fedorahosted.org/freeipa/ticket/6570 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/405/head:pr405 git checkout pr405 From 121388c4d8f7ce3fd6ba172904bd30564268db58 Mon Sep 17 00:00:00 2001 From: Florence Blanc-RenaudDate: Fri, 20 Jan 2017 08:33:22 +0100 Subject: [PATCH] ipa-restore must stop tracking PKINIT cert in the preparation phase ipa-restore calls certmonger to stop tracking the PKI certs, HTTP and DS certs. It must also stop tracking the newly introduced PKINIT cert (stored in /var/kerberos/krb5kdc/kdc.crt). Otherwise the restore operation ends up with PKINIT cert tracked twice and uninstallation fails. https://fedorahosted.org/freeipa/ticket/6570 --- ipaserver/install/ipa_restore.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py index 2fae215..89cf9e6 100644 --- a/ipaserver/install/ipa_restore.py +++ b/ipaserver/install/ipa_restore.py @@ -41,7 +41,7 @@ from ipaserver.install.replication import (wait_for_task, ReplicationManager, get_cs_replication_manager) from ipaserver.install import installutils -from ipaserver.install import dsinstance, httpinstance, cainstance +from ipaserver.install import dsinstance, httpinstance, cainstance, krbinstance from ipapython import ipaldap import ipapython.errors from ipaplatform.constants import constants 
@@ -821,6 +821,8 @@ def cert_restore_prepare(self): # When IPA is not installed, DS NSS DB does not exist pass +krbinstance.KrbInstance().stop_tracking_certs() + for basename in ('cert8.db', 'key3.db', 'secmod.db', 'pwdfile.txt'): filename = os.path.join(paths.IPA_NSSDB_DIR, basename) try: -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
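Review bot: the new `krbinstance.KrbInstance().stop_tracking_certs()` call in the cert_restore_prepare hunk sits outside the `try`/`except` that tolerates the not-installed case for the DS NSS DB ("When IPA is not installed, DS NSS DB does not exist ... pass"), and the surrounding NSS-file loop below it is likewise wrapped in a `try`. Confirm that stop_tracking_certs is a no-op when /var/kerberos/krb5kdc/kdc.crt is not tracked (restore of a backup taken before PKINIT support, or restore on a host where IPA is not installed), or guard it the same way, otherwise the preparation phase can abort before the DS/HTTP tracking cleanup the restore relies on.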
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code HonzaCholasta commented: """ Here's what I did
```
# certutil -d /etc/httpd/alias -L | tail -n +5 | sed -r 's/ +[^ ]+ *$//' | xargs -I nickname -r sh -c "certutil -d /etc/httpd/alias -D -n 'nickname'"
# rm -rf /var/lib/ipa/radb
# ipa-replica-install --domain abc.idm.lab.eng.brq.redhat.com --server vm-226.abc.idm.lab.eng.brq.redhat.com --principal admin --password blablabla
...
  [28/45]: retrieving DS Certificate
  [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    Certificate issuance failed (CA_UNREACHABLE)
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
# getcert list
Number of certificates and requests being tracked: 1.
Request ID '20170120063423':
  status: CA_UNREACHABLE
  ca-error: Server at https://vm-226.abc.idm.lab.eng.brq.redhat.com/ipa/xml failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://vm-226.abc.idm.lab.eng.brq.redhat.com:443/ca/rest/account/login': (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.).
  stuck: no
  key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM/pwdfile.txt'
  certificate: type=NSSDB,location='/etc/dirsrv/slapd-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM',nickname='Server-Cert'
  CA: IPA
  issuer:
  subject:
  expires: unknown
  pre-save command:
  post-save command:
  track: yes
  auto-renew: yes
# certutil -d /var/lib/ipa/radb -L
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
# stat /var/lib/ipa/radb
stat: cannot stat '/var/lib/ipa/radb': No such file or directory
```
Here's the full replica install log: http://pastebin.com/kwj8nFcC """ See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-273991634
[Freeipa-devel] [freeipa PR#403][synchronized] Add new ipa passwd-generate command
URL: https://github.com/freeipa/freeipa/pull/403 Author: redhatrises Title: #403: Add new ipa passwd-generate command Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/403/head:pr403 git checkout pr403 From a7157c8f83ca544664431a05e3db8171fa9fa27e Mon Sep 17 00:00:00 2001 From: GabeDate: Thu, 19 Jan 2017 21:04:57 -0700 Subject: [PATCH] Add new ipa passwd-generate command Adds new `ipa passwd-generate` command which has the ability to create complex passwords using the refactored ipa_generate_password function which is useful for deriving secure passwords for system/service accounts rather than relying on system administrators to come up with their own form of password. --- API.txt | 11 +++ VERSION.m4 | 4 +-- ipaserver/plugins/passwd.py | 75 - 3 files changed, 87 insertions(+), 3 deletions(-) diff --git a/API.txt b/API.txt index 543cec5..f0ec2ae 100644 --- a/API.txt +++ b/API.txt @@ -3461,6 +3461,16 @@ option: Str('version?') output: Output('result', type=[]) output: Output('summary', type=[, ]) output: Output('value', type=[]) +command: passwd_generate/1 +args: 0,7,1 +option: Int('digits?', autofill=True, default=1) +option: Int('entropy?', autofill=True, default=0) +option: Int('length?', autofill=True, default=8) +option: Int('lowercase?', autofill=True, default=1) +option: Int('special?', autofill=True, default=1) +option: Int('uppercase?', autofill=True, default=1) +option: Str('version?') +output: Output('summary', type=[, ]) command: permission_add/1 args: 1,21,3 arg: Str('cn', cli_name='name') @@ -6546,6 +6556,7 @@ default: param/1 default: param_find/1 default: param_show/1 default: passwd/1 +default: passwd_generate/1 default: permission/1 default: permission_add/1 default: permission_add_member/1 diff --git a/VERSION.m4 b/VERSION.m4 index 36929ee..c4fd931 100644 --- a/VERSION.m4 +++ b/VERSION.m4 
@@ -73,8 +73,8 @@ define(IPA_DATA_VERSION, 2010061412) # # define(IPA_API_VERSION_MAJOR, 2) -define(IPA_API_VERSION_MINOR, 217) -# Last change: Add options to write lightweight CA cert or chain to file +define(IPA_API_VERSION_MINOR, 218) +# Last change: Add new command line option to generate a password diff --git a/ipaserver/plugins/passwd.py b/ipaserver/plugins/passwd.py index 8cac145..35322b8 100644 --- a/ipaserver/plugins/passwd.py +++ b/ipaserver/plugins/passwd.py @@ -21,7 +21,7 @@ from ipalib import api, errors, krb_utils from ipalib import Command -from ipalib import Password +from ipalib import Password, Int from ipalib import _ from ipalib import output from ipalib.parameters import Principal @@ -29,6 +29,7 @@ from ipalib.request import context from ipapython import kerberos from ipapython.dn import DN +from ipapython.ipautil import ipa_generate_password from ipaserver.plugins.baseuser import normalize_user_principal from ipaserver.plugins.service import validate_realm 
@@ -147,3 +148,75 @@ def execute(self, principal, password, current_password, **options): result=True, value=principal, ) + + +@register() +class passwd_generate(Command): +__doc__ = _("Autogenerate a password.") + +takes_options = ( +Int('uppercase', +label=_('Uppercase'), +doc=_('Number of uppercase characters'), +default=1, +autofill=True, +required=False, +), +Int('lowercase', +label=_('Lowercase'), +doc=_('Number of lowercase characters'), +default=1, +autofill=True, +required=False, +), +Int('digits', +label=_('Digits'), +doc=_('Number of digits'), +default=1, +autofill=True, +required=False, +), +Int('special', +label=_('Special characters'), +doc=_('Number of special characters'), +default=1, +autofill=True, +required=False, +), +Int('length', +label=_('Length'), +doc=_('Password Length'), +default=8, +autofill=True, +required=False, +), +Int('entropy', +label=_('Entropy'), +doc=_('Number of entropy bits'), +default=0, +autofill=True, +required=False, +), +) + +has_output = ( +output.summary, +) + +def execute(self, *keys, **options): +pwd_length = options.get('length') +entropy = options.get('entropy') +ucase = options.get('uppercase') +lcase = options.get('lowercase') +
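Review bot: `Int('entropy', ..., default=0)` in the passwd_generate options (passwd.py hunk) hands a zero entropy target to a generator whose own default is `entropy_bits=256` (see the `ipa_generate_password` signature in the ipautil.py hunk of PR#393 on this page); unless `execute`, which is cut off in this extract after `lcase = options.get('lowercase')`, maps 0 back to the library default, the command's default output is a password whose strength is bounded only by the `length` default of 8, which falls short of the "secure passwords for system/service accounts" the description promises. Suggest defaulting `entropy` to the library default, or stating in the `doc=` string that 0 means "use the library default" if that is what execute does.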
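Review bot: the VERSION.m4 hunk records the API bump as "Add new command line option to generate a password", but the change adds a command (`passwd_generate/1` in the API.txt hunk), not an option; reword to "Add new passwd-generate command" so the API changelog matches API.txt.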
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code simo5 commented: """ I cannot get a replica install to fail like you did, can you post some logs? """ See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-273891819
[Freeipa-devel] [freeipa PR#139][comment] WebUI: Vault Management
URL: https://github.com/freeipa/freeipa/pull/139 Title: #139: WebUI: Vault Management MartinBasti commented: """ Works for me """ See the full comment at https://github.com/freeipa/freeipa/pull/139#issuecomment-273845743
[Freeipa-devel] [freeipa PR#376][comment] client install: correctly report all failures
URL: https://github.com/freeipa/freeipa/pull/376 Title: #376: client install: correctly report all failures stlaz commented: """ I suspect we are suffering the same "always return 0" error as we've already got reported in other installers, right? """ See the full comment at https://github.com/freeipa/freeipa/pull/376#issuecomment-273838624
[Freeipa-devel] [freeipa PR#181][comment] Tests : User Tracker creation of user with minimal values
URL: https://github.com/freeipa/freeipa/pull/181 Title: #181: Tests : User Tracker creation of user with minimal values MartinBasti commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/fa7aaef1de2c97ac9d24925ca9adb25c7151055f https://fedorahosted.org/freeipa/changeset/91c050b4e093802d8c6b510a22d6e435faba965f """ See the full comment at https://github.com/freeipa/freeipa/pull/181#issuecomment-273827674
[Freeipa-devel] [freeipa PR#181][closed] Tests : User Tracker creation of user with minimal values
URL: https://github.com/freeipa/freeipa/pull/181 Author: gkaihorodova Title: #181: Tests : User Tracker creation of user with minimal values Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/181/head:pr181 git checkout pr181
[Freeipa-devel] [freeipa PR#181][+pushed] Tests : User Tracker creation of user with minimal values
URL: https://github.com/freeipa/freeipa/pull/181 Title: #181: Tests : User Tracker creation of user with minimal values Label: +pushed
[Freeipa-devel] [freeipa PR#210][+pushed] Tests: Stage User Tracker implementation
URL: https://github.com/freeipa/freeipa/pull/210 Title: #210: Tests: Stage User Tracker implementation Label: +pushed
[Freeipa-devel] [freeipa PR#210][comment] Tests: Stage User Tracker implementation
URL: https://github.com/freeipa/freeipa/pull/210 Title: #210: Tests: Stage User Tracker implementation MartinBasti commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/a336de630e9d1ef95a507cc3ee9200c001ab9193 https://fedorahosted.org/freeipa/changeset/c391f6ba58a61e046e49e1b4526b62d7ce250301 """ See the full comment at https://github.com/freeipa/freeipa/pull/210#issuecomment-273826976
[Freeipa-devel] [freeipa PR#210][closed] Tests: Stage User Tracker implementation
URL: https://github.com/freeipa/freeipa/pull/210 Author: gkaihorodova Title: #210: Tests: Stage User Tracker implementation Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/210/head:pr210 git checkout pr210
[Freeipa-devel] [freeipa PR#404][edited] tests: Add LDAP URI to ldappasswd explicitly
URL: https://github.com/freeipa/freeipa/pull/404 Author: dkupka Title: #404: tests: Add LDAP URI to ldappasswd explicitly Action: edited Changed field: title Original value: """ tests: Add LDAP URI to ldappasswd explicitelly """
[Freeipa-devel] [freeipa PR#373][comment] ipaplatform: Add Debian platform module.
URL: https://github.com/freeipa/freeipa/pull/373 Title: #373: ipaplatform: Add Debian platform module. MartinBasti commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/e04b75cb9e71fb2b9faa49aea7f2244b01fddbcb """ See the full comment at https://github.com/freeipa/freeipa/pull/373#issuecomment-273811327
[Freeipa-devel] [freeipa PR#373][+pushed] ipaplatform: Add Debian platform module.
URL: https://github.com/freeipa/freeipa/pull/373 Title: #373: ipaplatform: Add Debian platform module. Label: +pushed
[Freeipa-devel] [freeipa PR#373][closed] ipaplatform: Add Debian platform module.
URL: https://github.com/freeipa/freeipa/pull/373 Author: tjaalton Title: #373: ipaplatform: Add Debian platform module. Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/373/head:pr373 git checkout pr373
[Freeipa-devel] [freeipa PR#393][synchronized] [Py3] allow to run wsgi - part1
URL: https://github.com/freeipa/freeipa/pull/393 Author: MartinBasti Title: #393: [Py3] allow to run wsgi - part1 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/393/head:pr393 git checkout pr393 From 3fe24269ceebe72c97b2a181e1c522e4968e4d5b Mon Sep 17 00:00:00 2001 From: Martin BastiDate: Mon, 9 Jan 2017 11:53:59 +0100 Subject: [PATCH 01/31] py3: create_cert_db: write to file in a compatible way Py3 expect bytes to be writed using os.write. Instead of that using io module is more pythonic. https://fedorahosted.org/freeipa/ticket/4985 --- ipaserver/install/httpinstance.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index bacd5fc..ded0553 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -19,6 +19,7 @@ from __future__ import print_function +import io import os import os.path import pwd @@ -314,9 +315,8 @@ def create_cert_db(self): # Create the password file for this db password = ipautil.ipa_generate_password() -f = os.open(pwd_file, os.O_CREAT | os.O_RDWR) -os.write(f, password) -os.close(f) +with io.open(pwd_file, 'w') as f: +f.write(password) ipautil.run([paths.CERTUTIL, "-d", database, "-f", pwd_file, "-N"]) From bce5b4bd3de2c2d98c53695294a661d2c6b2a95f Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Tue, 10 Jan 2017 13:45:11 +0100 Subject: [PATCH 02/31] py3: service.py: replace mkstemp by NamedTemporaryFile NamedTemporaryfile can be used in more pythonic way and file can be opened in textual mode that is required with PY3 https://fedorahosted.org/freeipa/ticket/4985 --- ipapython/ipautil.py | 2 +- ipaserver/install/service.py | 7 --- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py index e3e4611..34d10ef 100644 --- a/ipapython/ipautil.py +++ b/ipapython/ipautil.py 
@@ -852,7 +852,7 @@ def ipa_generate_password(entropy_bits=256, uppercase=1, lowercase=1, digits=1, rnd = random.SystemRandom() todo_entropy = entropy_bits -password = '' +password = u'' # Generate required character classes: # The order of generated characters is fixed to comply with check in # NSS function sftk_newPinCheck() in nss/lib/softoken/fipstokn.c. diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py index 6451f92..fbe3f23 100644 --- a/ipaserver/install/service.py +++ b/ipaserver/install/service.py @@ -208,9 +208,10 @@ def _ldap_mod(self, ldif, sub_dict=None, raise_on_err=True, args += ["-H", ldap_uri] if dm_password: -[pw_fd, pw_name] = tempfile.mkstemp() -os.write(pw_fd, dm_password) -os.close(pw_fd) +with tempfile.NamedTemporaryFile( +mode='w', delete=False) as pw_file: +pw_file.write(dm_password) +pw_name = pw_file.name auth_parms = ["-x", "-D", "cn=Directory Manager", "-y", pw_name] # Use GSSAPI auth when not using DM password or not being root elif os.getegid() != 0: From bd2df6b979d88d407e455047076f78e932a43f1e Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Mon, 9 Jan 2017 12:42:23 +0100 Subject: [PATCH 03/31] py3: open temporary ldif file in text mode ldif parser uses file in text mode, so we have to open it in text mode in py3 Also values passed to parser should be bytes https://fedorahosted.org/freeipa/ticket/4985 --- ipaserver/install/dsinstance.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 5a28026..ceb7bf3 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py 
@@ -587,14 +587,15 @@ def __update_dse_ldif(self): 'dse.ldif' ) -with tempfile.NamedTemporaryFile(delete=False) as new_dse_ldif: +with tempfile.NamedTemporaryFile( +mode='w', delete=False) as new_dse_ldif: temp_filename = new_dse_ldif.name with open(dse_filename, "r") as input_file: parser = installutils.ModifyLDIF(input_file, new_dse_ldif) parser.replace_value( 'cn=config,cn=ldbm database,cn=plugins,cn=config', 'nsslapd-db-locks', -['5'] +[b'5'] ) if self.config_ldif: # parse modifications from ldif file supplied by the admin From d34f4dd4a9ec63ee2129e62bcb1d0b26d6db3aca Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Mon, 9 Jan 2017 19:01:29 +0100 Subject: [PATCH 04/31]
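Review bot: the `io.open(pwd_file, 'w')` that replaces `os.open(pwd_file, os.O_CREAT | os.O_RDWR)` in the create_cert_db hunk (patch 01/31) keeps the file mode dependent on the process umask, exactly as the removed call did (it passed no mode, so 0777 & ~umask; io.open gives 0666 & ~umask). Since pwd_file receives the NSS DB password from `ipautil.ipa_generate_password()`, this port is the moment to create it with an explicit restrictive mode, e.g. `os.fdopen(os.open(pwd_file, os.O_WRONLY | os.O_CREAT, 0o600), 'w')`, instead of carrying the umask dependence into Py3.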
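Review bot: patch 01/31 switches create_cert_db to a text-mode `io.open(pwd_file, 'w')`, but `ipa_generate_password` only starts returning unicode (`password = u''`) in the ipautil.py hunk of patch 02/31; on Python 2 a text-mode io.open file rejects a byte `str`, so the series is broken between the two commits and will trip a bisect. Fold the ipautil.py change into patch 01/31 or reorder the two.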
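Review bot: in the service.py hunk (patch 02/31) `tempfile.NamedTemporaryFile(mode='w', delete=False)` keeps the 0600 mode that `mkstemp()` gave the Directory Manager password file, but `delete=False` means the file outlives the `with` block, and the hunk does not show where `pw_name` is unlinked after ldapmodify runs; confirm the existing removal is still reached on the `raise_on_err=True` error path, otherwise the DM password is left behind in the temp directory. A one-line comment next to `delete=False` saying who deletes the file would make that contract visible.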
[Freeipa-devel] [freeipa PR#393][comment] [Py3] allow to run wsgi - part1
URL: https://github.com/freeipa/freeipa/pull/393 Title: #393: [Py3] allow to run wsgi - part1 MartinBasti commented: """ @tiran we found the issue that causes random test fails, @HonzaCholasta will provide PR with fix, that should be pushed before these commits """ See the full comment at https://github.com/freeipa/freeipa/pull/393#issuecomment-273805191
[Freeipa-devel] [freeipa PR#373][comment] ipaplatform: Add Debian platform module.
URL: https://github.com/freeipa/freeipa/pull/373 Title: #373: ipaplatform: Add Debian platform module. stlaz commented: """ The patch seems fine, I could have some nitpicks but nothing really important. ACK. """ See the full comment at https://github.com/freeipa/freeipa/pull/373#issuecomment-273803873
[Freeipa-devel] [freeipa PR#373][+ack] ipaplatform: Add Debian platform module.
URL: https://github.com/freeipa/freeipa/pull/373 Title: #373: ipaplatform: Add Debian platform module. Label: +ack
[Freeipa-devel] [freeipa PR#373][comment] ipaplatform: Add Debian platform module.
URL: https://github.com/freeipa/freeipa/pull/373 Title: #373: ipaplatform: Add Debian platform module. stlaz commented: """ @tiran I would like to test this in a Vagrant box before pushing it """ See the full comment at https://github.com/freeipa/freeipa/pull/373#issuecomment-273796530
[Freeipa-devel] [freeipa PR#373][comment] ipaplatform: Add Debian platform module.
URL: https://github.com/freeipa/freeipa/pull/373 Title: #373: ipaplatform: Add Debian platform module. tiran commented: """ @stlaz the patch looks fine to me now. I can't comment on the path values, though. Do you like to see additional modifications? """ See the full comment at https://github.com/freeipa/freeipa/pull/373#issuecomment-273781036
[Freeipa-devel] [freeipa PR#379][synchronized] Packaging: Add placeholder and IPA commands packages
URL: https://github.com/freeipa/freeipa/pull/379 Author: tiran Title: #379: Packaging: Add placeholder and IPA commands packages Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/379/head:pr379 git checkout pr379 From 297f9612fc366084f02e8d7229cc488bb24d9dcd Mon Sep 17 00:00:00 2001 From: Christian HeimesDate: Mon, 9 Jan 2017 11:02:25 +0100 Subject: [PATCH] Packaging: Add placeholder and IPA commands packages The ipacommands package contains ipa-getkeytab and ipa-rmkeytab for installation in a virtual env. The programs are compiled with distutils / setuptools. The ipa and freeipa packages are placeholders to prevent PyPI squashing attacks and reserve the names for future use. `pip install ipa` installs ipaclient. https://fedorahosted.org/freeipa/ticket/6484 
Signed-off-by: Christian Heimes --- .gitignore| 7 ++ Makefile.am | 5 +- Makefile.python.am| 34 +-- Makefile.pythonbuild.am | 32 +++ configure.ac | 4 + packaging/Makefile.am | 11 +++ packaging/freeipa/Makefile.am | 1 + packaging/freeipa/README.txt | 2 + packaging/freeipa/setup.cfg | 6 ++ packaging/freeipa/setup.py| 36 +++ packaging/ipa/Makefile.am | 1 + packaging/ipa/README.txt | 2 + packaging/ipa/setup.cfg | 6 ++ packaging/ipa/setup.py| 36 +++ packaging/ipacommands/MANIFEST.in | 25 + packaging/ipacommands/Makefile.am | 72 ++ packaging/ipacommands/setup.cfg | 5 + packaging/ipacommands/setup.py| 194 ++ 18 files changed, 446 insertions(+), 33 deletions(-) create mode 100644 Makefile.pythonbuild.am create mode 100644 packaging/Makefile.am create mode 100644 packaging/freeipa/Makefile.am create mode 100644 packaging/freeipa/README.txt create mode 100644 packaging/freeipa/setup.cfg create mode 100755 packaging/freeipa/setup.py create mode 100644 packaging/ipa/Makefile.am create mode 100644 packaging/ipa/README.txt create mode 100644 packaging/ipa/setup.cfg create mode 100755 packaging/ipa/setup.py create mode 100644 packaging/ipacommands/MANIFEST.in create mode 100644 packaging/ipacommands/Makefile.am create mode 100644 packaging/ipacommands/setup.cfg create mode 100644 packaging/ipacommands/setup.py diff --git a/.gitignore b/.gitignore index 04553fd..249f158 100644 --- a/.gitignore +++ b/.gitignore @@ -112,3 +112,10 @@ freeipa2-dev-doc /ipaplatform/paths.py /ipaplatform/services.py /ipaplatform/tasks.py + +/packaging/ipacommands/COPYING +/packaging/ipacommands/Contributors.txt +/packaging/ipacommands/asn1 +/packaging/ipacommands/client +/packaging/ipacommands/ipasetup.py +/packaging/ipacommands/util diff --git a/Makefile.am b/Makefile.am index 9bfc899..e25cea3 100644 --- a/Makefile.am +++ b/Makefile.am 
@@ -1,7 +1,7 @@ ACLOCAL_AMFLAGS = -I m4 IPACLIENT_SUBDIRS = ipaclient ipalib ipapython -SUBDIRS = asn1 util client contrib daemons init install $(IPACLIENT_SUBDIRS) ipaplatform ipaserver ipatests po +SUBDIRS = asn1 util client contrib daemons init install $(IPACLIENT_SUBDIRS) ipaplatform ipaserver ipatests packaging po MOSTLYCLEANFILES = ipasetup.pyc ipasetup.pyo \ ignore_import_errors.pyc ignore_import_errors.pyo \ @@ -202,6 +202,9 @@ $(WHEELBUNDLEDIR): mkdir -p $(WHEELBUNDLEDIR) bdist_wheel: $(WHEELDISTDIR) + $(MAKE) $(AM_MAKEFLAGS) -C packaging/ipacommands sdist || exit 1; + $(MAKE) $(AM_MAKEFLAGS) -C packaging/ipa bdist_wheel || exit 1; + $(MAKE) $(AM_MAKEFLAGS) -C packaging/freeipa bdist_wheel || exit 1; for dir in $(IPACLIENT_SUBDIRS); do \ $(MAKE) $(AM_MAKEFLAGS) -C $${dir} $@ || exit 1; \ done diff --git a/Makefile.python.am b/Makefile.python.am index 665893f..96b0050 100644 --- a/Makefile.python.am +++ b/Makefile.python.am @@ -1,22 +1,6 @@ -pkgname = $(shell basename "$(abs_srcdir)") -pkgpythondir = $(pythondir)/$(pkgname) - -if VERBOSE_MAKE -VERBOSITY="--verbose" -else -VERBOSITY="--quiet" -endif !VERBOSE_MAKE +include $(top_srcdir)/Makefile.pythonbuild.am -# hack to handle back-in-the-hierarchy depedency on ipasetup.py -.PHONY: $(top_builddir)/ipasetup.py -$(top_builddir)/ipasetup.py: - (cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) ipasetup.py) - -all-local: $(top_builddir)/ipasetup.py - cd $(srcdir); $(PYTHON) setup.py \ - $(VERBOSITY) \ - build \ - --build-base "$(abs_builddir)/build" +pkgpythondir = $(pythondir)/$(pkgname) install-exec-local: $(top_builddir)/ipasetup.py $(PYTHON) $(srcdir)/setup.py \ @@ -31,14 +15,6 @@ uninstall-local: cat "$(DESTDIR)$(pkgpythondir)/install_files.txt" | xargs rm -rf rm -rf "$(DESTDIR)$(pkgpythondir)" -clean-local: $(top_builddir)/ipasetup.py - $(PYTHON) "$(srcdir)/setup.py" clean --all - rm -rf "$(srcdir)/build" "$(srcdir)/dist"
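Review bot: the Makefile.python.am hunk drops `clean-local` (the `setup.py clean --all` plus the `rm -rf "$(srcdir)/build" "$(srcdir)/dist"`) together with `all-local` and the ipasetup.py dependency hack, relying on the new `include $(top_srcdir)/Makefile.pythonbuild.am`; Makefile.pythonbuild.am is a new file not in this extract, so confirm it carries the clean rule as well as the build rule, otherwise `make clean` leaves stale build/ and dist/ trees in every Python subdir and the wheels built by `bdist_wheel` may pick up leftovers.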
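Review bot: the new `bdist_wheel` lines in the Makefile.am hunk build wheels for packaging/ipa and packaging/freeipa, which the commit message describes as placeholders that reserve the PyPI names and make `pip install ipa` install ipaclient; a placeholder that depends on `ipaclient` only protects against name squatting if `ipaclient` is itself registered on PyPI under project control and the placeholders are uploaded promptly after they are built, so the PR should say which release uploads them and who owns the three PyPI names. The setup.py files that declare the dependency are not in the extract, so the pin on ipaclient cannot be checked here.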
[Freeipa-devel] [freeipa PR#404][comment] tests: Add LDAP URI to ldappasswd explicitelly
URL: https://github.com/freeipa/freeipa/pull/404 Title: #404: tests: Add LDAP URI to ldappasswd explicitelly tiran commented: """ ```ipatests/test_integration/util.py``` calls ldappasswd without ```-H``` option, too. Related to the issue at hand, ```ipaserver/install/service.py``` has a similar issue with ldapmodify. """ See the full comment at https://github.com/freeipa/freeipa/pull/404#issuecomment-273774110
[Freeipa-devel] [freeipa PR#382][synchronized] [Py3] ipa-server-install fixes (working NTP, DS, CA install steps)
URL: https://github.com/freeipa/freeipa/pull/382 Author: MartinBasti Title: #382: [Py3] ipa-server-install fixes (working NTP, DS, CA install steps) Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/382/head:pr382 git checkout pr382 From 3fe24269ceebe72c97b2a181e1c522e4968e4d5b Mon Sep 17 00:00:00 2001 From: Martin BastiDate: Mon, 9 Jan 2017 11:53:59 +0100 Subject: [PATCH 01/16] py3: create_cert_db: write to file in a compatible way Py3 expect bytes to be writed using os.write. Instead of that using io module is more pythonic. https://fedorahosted.org/freeipa/ticket/4985 --- ipaserver/install/httpinstance.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index bacd5fc..ded0553 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -19,6 +19,7 @@ from __future__ import print_function +import io import os import os.path import pwd @@ -314,9 +315,8 @@ def create_cert_db(self): # Create the password file for this db password = ipautil.ipa_generate_password() -f = os.open(pwd_file, os.O_CREAT | os.O_RDWR) -os.write(f, password) -os.close(f) +with io.open(pwd_file, 'w') as f: +f.write(password) ipautil.run([paths.CERTUTIL, "-d", database, "-f", pwd_file, "-N"]) From bce5b4bd3de2c2d98c53695294a661d2c6b2a95f Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Tue, 10 Jan 2017 13:45:11 +0100 Subject: [PATCH 02/16] py3: service.py: replace mkstemp by NamedTemporaryFile NamedTemporaryfile can be used in more pythonic way and file can be opened in textual mode that is required with PY3 https://fedorahosted.org/freeipa/ticket/4985 --- ipapython/ipautil.py | 2 +- ipaserver/install/service.py | 7 --- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py index e3e4611..34d10ef 100644 --- a/ipapython/ipautil.py 
+++ b/ipapython/ipautil.py @@ -852,7 +852,7 @@ def ipa_generate_password(entropy_bits=256, uppercase=1, lowercase=1, digits=1, rnd = random.SystemRandom() todo_entropy = entropy_bits -password = '' +password = u'' # Generate required character classes: # The order of generated characters is fixed to comply with check in # NSS function sftk_newPinCheck() in nss/lib/softoken/fipstokn.c. diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py index 6451f92..fbe3f23 100644 --- a/ipaserver/install/service.py +++ b/ipaserver/install/service.py @@ -208,9 +208,10 @@ def _ldap_mod(self, ldif, sub_dict=None, raise_on_err=True, args += ["-H", ldap_uri] if dm_password: -[pw_fd, pw_name] = tempfile.mkstemp() -os.write(pw_fd, dm_password) -os.close(pw_fd) +with tempfile.NamedTemporaryFile( +mode='w', delete=False) as pw_file: +pw_file.write(dm_password) +pw_name = pw_file.name auth_parms = ["-x", "-D", "cn=Directory Manager", "-y", pw_name] # Use GSSAPI auth when not using DM password or not being root elif os.getegid() != 0: From bd2df6b979d88d407e455047076f78e932a43f1e Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Mon, 9 Jan 2017 12:42:23 +0100 Subject: [PATCH 03/16] py3: open temporary ldif file in text mode ldif parser uses file in text mode, so we have to open it in text mode in py3 Also values passed to parser should be bytes https://fedorahosted.org/freeipa/ticket/4985 --- ipaserver/install/dsinstance.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 5a28026..ceb7bf3 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py 
@@ -587,14 +587,15 @@ def __update_dse_ldif(self): 'dse.ldif' ) -with tempfile.NamedTemporaryFile(delete=False) as new_dse_ldif: +with tempfile.NamedTemporaryFile( +mode='w', delete=False) as new_dse_ldif: temp_filename = new_dse_ldif.name with open(dse_filename, "r") as input_file: parser = installutils.ModifyLDIF(input_file, new_dse_ldif) parser.replace_value( 'cn=config,cn=ldbm database,cn=plugins,cn=config', 'nsslapd-db-locks', -['5'] +[b'5'] ) if self.config_ldif: # parse modifications from ldif file supplied by the admin From d34f4dd4a9ec63ee2129e62bcb1d0b26d6db3aca Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Mon, 9 Jan 2017
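Review bot: in the `create_cert_db` hunk of patch 01/16 the password file's permissions are still left to the umask: the old `os.open(pwd_file, os.O_CREAT | os.O_RDWR)` passed no mode, and the new `io.open(pwd_file, 'w')` creates with the default 0o666 mask. Since `pwd_file` holds the NSS database password handed to `certutil -f`, create it with an explicit restrictive mode, e.g. `os.fdopen(os.open(pwd_file, os.O_CREAT | os.O_WRONLY | os.O_TRUNC, 0o600), 'w')`, or `os.chmod(pwd_file, 0o600)` immediately after the write. Note that `'w'` also truncates a pre-existing file, which the old `O_RDWR` open did not; that is an improvement worth mentioning in the commit message. Passing `encoding='utf-8'` would remove the dependency on the process locale.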
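Review bot: the `password = u''` hunk in `ipa_generate_password` changes the return type to unicode on Python 2, which the text-mode writers introduced in this series (`io.open(..., 'w')`, `NamedTemporaryFile(mode='w')`) require; callers that still hand the value to byte-oriented APIs on py2 will now get implicit ASCII encoding, which is safe for the uppercase/lowercase/digit classes generated here but should be stated in the function's docstring so later callers do not rely on a `str` return.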
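Review bot: in the `_ldap_mod` hunk, `NamedTemporaryFile(mode='w', delete=False)` leaves the file holding the Directory Manager password on disk after the `with` block, exactly as the `mkstemp` file did, and nothing in this hunk removes `pw_name`; make sure the existing cleanup (an `os.remove(pw_name)` in a `finally` around the `ipautil.run` call) still covers every path, including the one where the command raises. The permission story is unchanged, since `NamedTemporaryFile` creates the file 0600 like `mkstemp`. The diffstat line `ipaserver/install/service.py | 7 ---` looks mangled in this copy and is worth re-checking in the actual patch.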
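Review bot: in the `__update_dse_ldif` hunk, both `open(dse_filename, "r")` and the new `NamedTemporaryFile(mode='w', delete=False)` depend on the locale's default encoding; under a C/POSIX locale on Python 3 a non-ASCII byte in dse.ldif raises UnicodeDecodeError mid-update and, because `delete=False`, leaves `temp_filename` behind. Pass `encoding='utf-8'` to both opens (LDIF is ASCII with base64 for anything unsafe, so this is lossless) and consider removing the temporary file on failure. The switch to `[b'5']` is consistent with the bytes-valued attribute lists the `ldif` module expects on py3.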
[Freeipa-devel] [freeipa PR#364][synchronized] Client-only builds with --disable-server
URL: https://github.com/freeipa/freeipa/pull/364 Author: tiran Title: #364: Client-only builds with --disable-server Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/364/head:pr364 git checkout pr364 From 64ff3f9db5211ccd3c5124a5eadaf29084370534 Mon Sep 17 00:00:00 2001 From: Christian HeimesDate: Tue, 3 Jan 2017 14:32:05 +0100 Subject: [PATCH] Client-only builds with --disable-server https://fedorahosted.org/freeipa/ticket/6517 --- Makefile.am | 6 +- configure.ac | 251 +-- server.m4| 119 3 files changed, 211 insertions(+), 165 deletions(-) create mode 100644 server.m4 diff --git a/Makefile.am b/Makefile.am index 9bfc899..24d31c8 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1,7 +1,11 @@ ACLOCAL_AMFLAGS = -I m4 IPACLIENT_SUBDIRS = ipaclient ipalib ipapython -SUBDIRS = asn1 util client contrib daemons init install $(IPACLIENT_SUBDIRS) ipaplatform ipaserver ipatests po +SUBDIRS = asn1 util client contrib $(IPACLIENT_SUBDIRS) ipaplatform ipatests po + +if ENABLE_SERVER +SUBDIRS += daemons init install ipaserver +endif MOSTLYCLEANFILES = ipasetup.pyc ipasetup.pyo \ ignore_import_errors.pyc ignore_import_errors.pyo \ diff --git a/configure.ac b/configure.ac index 6cd3a89..744bcee 100644 --- a/configure.ac +++ b/configure.ac @@ -24,6 +24,17 @@ LT_INIT AC_HEADER_STDC +PKG_PROG_PKG_CONFIG + +AC_ARG_ENABLE([server], +[ --disable-serverDisable server support], +[case "${enableval}" in + yes) enable_server=true ;; + no) enable_server=false ;; + *) AC_MSG_ERROR([bad value ${enableval} for --disable-server]) ;; +esac],[enable_server=true]) +AM_CONDITIONAL([ENABLE_SERVER], [test x$enable_server = xtrue]) + AM_CONDITIONAL([HAVE_GCC], [test "$ac_cv_prog_gcc" = yes]) dnl --- 
@@ -33,37 +44,10 @@ PKG_CHECK_MODULES([NSPR], [nspr]) PKG_CHECK_MODULES([NSS], [nss]) dnl --- -dnl - Check for DS slapi plugin -dnl --- - -# Need to hack CPPFLAGS to be able to correctly detetct slapi-plugin.h -SAVE_CPPFLAGS=$CPPFLAGS -CPPFLAGS=$NSPR_CFLAGS -AC_CHECK_HEADER(dirsrv/slapi-plugin.h) -if test "x$ac_cv_header_dirsrv_slapi-plugin_h" = "xno" ; then - AC_MSG_ERROR([Required 389-ds header not available (389-ds-base-devel)]) -fi -AC_CHECK_HEADER(dirsrv/repl-session-plugin.h) -if test "x$ac_cv_header_dirsrv_repl_session_plugin_h" = "xno" ; then - AC_MSG_ERROR([Required 389-ds header not available (389-ds-base-devel)]) -fi -CPPFLAGS=$SAVE_CPPFLAGS - -if test "x$ac_cv_header_dirsrv_slapi_plugin_h" = "xno" ; then - AC_MSG_ERROR([Required DS slapi plugin header not available (fedora-ds-base-devel)]) -fi - -dnl --- dnl - Check for KRB5 dnl --- PKG_CHECK_MODULES([KRB5], [krb5]) -AC_CHECK_HEADER(krad.h, [], [AC_MSG_ERROR([krad.h not found])]) -AC_CHECK_LIB(krad, main, [], [AC_MSG_ERROR([libkrad not found])]) -KRAD_LIBS="-lkrad" -krb5rundir="${localstatedir}/run/krb5kdc" -AC_SUBST(KRAD_LIBS) -AC_SUBST(krb5rundir) dnl --- dnl - Check for OpenLDAP SDK 
@@ -101,69 +85,6 @@ if test "x$PYTHON" = "x" ; then fi dnl --- -dnl Check for ndr_krb5pac and other samba libraries -dnl --- - -PKG_PROG_PKG_CONFIG() -PKG_CHECK_MODULES([TALLOC], [talloc]) -PKG_CHECK_MODULES([TEVENT], [tevent]) -PKG_CHECK_MODULES([NDRPAC], [ndr_krb5pac]) -PKG_CHECK_MODULES([NDRNBT], [ndr_nbt]) -PKG_CHECK_MODULES([NDR], [ndr]) -PKG_CHECK_MODULES([SAMBAUTIL], [samba-util]) -SAMBA40EXTRA_LIBPATH="-L`$PKG_CONFIG --variable=libdir samba-util`/samba -Wl,-rpath=`$PKG_CONFIG --variable=libdir samba-util`/samba" -AC_SUBST(SAMBA40EXTRA_LIBPATH) - -bck_cflags="$CFLAGS" -CFLAGS="$NDRPAC_CFLAGS" -AC_CHECK_MEMBER( -[struct PAC_DOMAIN_GROUP_MEMBERSHIP.domain_sid], -[AC_DEFINE([HAVE_STRUCT_PAC_DOMAIN_GROUP_MEMBERSHIP], [1], - [struct PAC_DOMAIN_GROUP_MEMBERSHIP is available.])], -[AC_MSG_NOTICE([struct PAC_DOMAIN_GROUP_MEMBERSHIP is not available])], - [[#include - #include ]]) - -CFLAGS="$bck_cflags" - -LIBPDB_NAME="" -AC_CHECK_LIB([samba-passdb], - [make_pdb_method], - [LIBPDB_NAME="samba-passdb"; HAVE_LIBPDB=1], - [LIBPDB_NAME="pdb"], - [$SAMBA40EXTRA_LIBPATH]) - -if test "x$LIB_PDB_NAME" = "xpdb" ; then - AC_CHECK_LIB([$LIBPDB_NAME], -
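Review bot: the Makefile.am hunk changes the recursion order: `daemons init install ipaserver` previously came right after `contrib`, and with the conditional `SUBDIRS +=` they are now built last, after `ipaplatform ipatests po`. If anything under `ipatests` or `po` consumes build products from `install` or `ipaserver`, the server build now runs too late; either split the assignment around the conditional to keep the original order, or state in the commit message that the subdirectories are order-independent.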
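Review bot: in the first configure.ac hunk the help text `[ --disable-serverDisable server support]` is hand-formatted; use `AS_HELP_STRING([--disable-server], [Disable server support])` so that `./configure --help` aligns it with the other options. `AM_CONDITIONAL([ENABLE_SERVER], ...)` is defined here, but nothing in the hunks shown gates any check on `$enable_server`; the server-only checks removed below must reappear under an `AS_IF([test x$enable_server = xtrue], ...)` (presumably via the new server.m4, which is not in this excerpt), so reviewers should confirm that inclusion exists.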
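Review bot: the second configure.ac hunk drops `AC_SUBST(krb5rundir)` and `AC_SUBST(KRAD_LIBS)`; any Makefile.am under `daemons/` that references `@krb5rundir@` or `$(KRAD_LIBS)` will get empty values unless server.m4 re-substitutes them, and server.m4's content is not visible here. While the block is being moved, fix the two pre-existing slips visible in the removed lines: `$ac_cv_header_dirsrv_slapi-plugin_h` contains a hyphen, so the shell expands a different variable and that test can never fire, and the later correct `$ac_cv_header_dirsrv_slapi_plugin_h` check duplicates it with a different package hint (`fedora-ds-base-devel` vs `389-ds-base-devel`); keep one check with one message.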
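Review bot: the removed samba block in the third configure.ac hunk tests `"x$LIB_PDB_NAME" = "xpdb"` after setting `LIBPDB_NAME`, so the fallback `AC_CHECK_LIB` for plain `pdb` could never run; if the block is carried over to server.m4, use one spelling. Dropping `PKG_PROG_PKG_CONFIG()` here is correct only because the first hunk now calls it unconditionally near the top, which the client build also needs for `PKG_CHECK_MODULES([NSPR] ...)`; worth a sentence in the commit message.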
[Freeipa-devel] [freeipa PR#372][+rejected] Restore IPA 3.0 compatibility of copy-schema-to-ca.py
URL: https://github.com/freeipa/freeipa/pull/372
Title: #372: Restore IPA 3.0 compatibility of copy-schema-to-ca.py
Label: +rejected
--
Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

HonzaCholasta commented:
"""
@simo5, I can confirm that the ldapi error occurs every other install. I can also confirm that it does not occur during the initial server install on a clean machine, so I agree it can be fixed later.

* CA-less install is still broken. To reproduce the bug, make sure to delete all certificates from `/etc/httpd/alias` before running the install, otherwise [ticket 4639](https://fedorahosted.org/freeipa/ticket/4639) will hide the bug. I use:

```bash
certutil -d /etc/httpd/alias -L | tail -n +5 | sed -r 's/ +[^ ]+ *$//' | xargs -I nickname -r sh -c "certutil -d /etc/httpd/alias -D -n 'nickname'"
```

* Replica install fails when `/var/lib/ipa/radb` does not exist prior to running the install:

```
[28/45]: retrieving DS Certificate
[error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
```

* `/var/lib/ipa/radb` should be removed on uninstall.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-273737162
[Freeipa-devel] [freeipa PR#382][comment] [Py3] ipa-server-install fixes (working NTP, DS, CA install steps)
URL: https://github.com/freeipa/freeipa/pull/382
Title: #382: [Py3] ipa-server-install fixes (working NTP, DS, CA install steps)

tiran commented:
"""
I have opened ticket https://fedorahosted.org/freeipa/ticket/6624 to track the matter.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/382#issuecomment-273735484
[Freeipa-devel] [freeipa PR#382][comment] [Py3] ipa-server-install fixes (working NTP, DS, CA install steps)
URL: https://github.com/freeipa/freeipa/pull/382
Title: #382: [Py3] ipa-server-install fixes (working NTP, DS, CA install steps)

MartinBasti commented:
"""
I left json_decode() only in places where external JSON requests are coming; all other internal usages of JSON should be in utf-8 encoding. Other requests are out of scope of this PR and should be resolved in separate tickets/PRs.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/382#issuecomment-273733412
[Freeipa-devel] [freeipa PR#398][synchronized] Support for Certificate Identity Mapping
URL: https://github.com/freeipa/freeipa/pull/398 Author: flo-renaud Title: #398: Support for Certificate Identity Mapping Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/398/head:pr398 git checkout pr398 From 65b1b0695ee17e88fab9d6fc0821a6b247b11669 Mon Sep 17 00:00:00 2001 From: Florence Blanc-RenaudDate: Tue, 20 Dec 2016 16:21:58 +0100 Subject: [PATCH] Support for Certificate Identity Mapping See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping https://fedorahosted.org/freeipa/ticket/6542 --- ACI.txt| 16 +- API.txt| 184 +++ VERSION.m4 | 4 +- install/share/73certmap.ldif | 17 ++ install/share/Makefile.am | 1 + install/updates/73-certmap.update | 27 +++ install/updates/Makefile.am| 1 + ipalib/constants.py| 4 + ipapython/dn.py| 9 + ipaserver/install/dsinstance.py| 1 + ipaserver/plugins/baseuser.py | 174 +- ipaserver/plugins/certmap.py | 357 + ipaserver/plugins/stageuser.py | 16 +- ipaserver/plugins/user.py | 23 ++- ipatests/test_ipapython/test_dn.py | 20 +++ 15 files changed, 843 insertions(+), 11 deletions(-) create mode 100644 install/share/73certmap.ldif create mode 100644 install/updates/73-certmap.update create mode 100644 ipaserver/plugins/certmap.py diff --git a/ACI.txt b/ACI.txt index 0b47489..a87fec1 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -40,6 +40,18 @@ dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetattr = "cn || description || ipaenabledflag")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Modify CA ACL";allow (write) groupdn = "ldap:///cn=System: Modify CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetattr = "cn || createtimestamp || description || entryusn || hostcategory || ipacacategory || ipacertprofilecategory || ipaenabledflag || ipamemberca || ipamembercertprofile || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Read CA ACLs";allow (compare,read,search) userdn = "ldap:///all;;) +dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Modify Certmap Configuration";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "cn || ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Read Certmap Configuration";allow (compare,read,search) userdn = "ldap:///all;;) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Add Certmap Rules";allow (add) groupdn = "ldap:///cn=System: Add Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Delete Certmap Rules";allow (delete) groupdn = "ldap:///cn=System: Delete Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: 
cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "associateddomain || cn || description || ipacertmapissuer || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Modify Certmap Rules";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "associateddomain || cn || createtimestamp || description || entryusn || ipacertmapissuer || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Read Certmap Rules";allow (compare,read,search) userdn = "ldap:///all;;) dn: cn=certprofiles,cn=ca,dc=ipa,dc=example aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Delete Certificate Profile";allow (delete) groupdn = "ldap:///cn=System: Delete Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=certprofiles,cn=ca,dc=ipa,dc=example @@ -337,6 +349,8 @@ aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:S dn:
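Review bot: the two `System: Read Certmap ...` ACIs in the ACI.txt hunk grant `compare,read,search` to `userdn = "ldap:///all"`, i.e. every authenticated bind, so `ipacertmapmaprule`, `ipacertmapmatchrule` and `ipacertmapissuer` become readable by all users and hosts; this mirrors the neighbouring `System: Read CA ACLs` ACI and is consistent, but the commit message should state it is intentional. The `System: Modify Certmap Rules` ACI also lists `objectclass` among its writable attributes, which lets a permission holder attach additional object classes to a rule entry; `System: Modify CA ACL` above does not grant that, so either drop `objectclass` or say why certmap rules need it. The hunk is cut off after `@@ -337,6 +349,8 @@`, so the remaining ACI changes could not be reviewed in this copy.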
[Freeipa-devel] [freeipa PR#382][comment] [Py3] ipa-server-install fixes (working NTP, DS, CA install steps)
URL: https://github.com/freeipa/freeipa/pull/382
Title: #382: [Py3] ipa-server-install fixes (working NTP, DS, CA install steps)

tiran commented:
"""
Let's reiterate. It's obviously wrong to assume that request data such as JSON are encoded as UTF-8. It can be just any encoding. Outside the Western world, JSON and XML are often encoded as UTF-16.

That doesn't mean we have to support other encodings than UTF-8 right now. It's fine to restrict requests and responses to UTF-8 as the only supported encoding. The check should be performed early in the WSGI layer. A client can send the request type as part of the content type. The framework should check for the presence of an encoding hint and refuse encodings that are ```encoding.lower() not in {'utf8', 'utf-8'}```.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/382#issuecomment-273730248
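Martin Basti's earlier comment and Christian Heimes's comment above describe where an encoding check belongs: a single `json_decode()` at the boundary where external JSON requests arrive, with the WSGI layer refusing any charset hint other than UTF-8 before the body is parsed. The following is an added illustration, not FreeIPA code or part of PR#382: the `handle_request`/`application` names, the choice of 415 for a rejected encoding and 400 for malformed JSON, and the request environs in the usage are this example's own assumptions.

```python
"""Reject non-UTF-8 JSON requests at the WSGI layer (added example, not FreeIPA code)."""
import json

# Only UTF-8 is accepted, under either spelling, as the comment proposes.
ALLOWED_CHARSETS = {'utf8', 'utf-8'}


class UnsupportedEncoding(ValueError):
    """The request declares, or is encoded in, something other than UTF-8."""


def parse_content_type(value):
    """Split 'application/json; charset=UTF-8' into
    ('application/json', {'charset': 'UTF-8'}). Parameter names are lowercased,
    values keep their case and lose surrounding quotes."""
    parts = [p.strip() for p in value.split(';')]
    media_type = parts[0].lower()
    params = {}
    for param in parts[1:]:
        if '=' in param:
            key, val = param.split('=', 1)
            params[key.strip().lower()] = val.strip().strip('"')
    return media_type, params


def check_request_encoding(environ):
    """Refuse early when the Content-Type carries a non-UTF-8 charset hint.
    A missing hint is allowed; the body is still required to decode as UTF-8."""
    _media, params = parse_content_type(environ.get('CONTENT_TYPE', ''))
    charset = params.get('charset')
    if charset is not None and charset.lower() not in ALLOWED_CHARSETS:
        raise UnsupportedEncoding('charset %r is not supported' % charset)


def json_decode(environ, body):
    """Decode an external JSON request body, enforcing UTF-8 on both the
    declared charset and the actual bytes."""
    check_request_encoding(environ)
    # json.loads(bytes) would silently auto-detect UTF-16/32, so decode explicitly.
    try:
        text = body.decode('utf-8')
    except UnicodeDecodeError as exc:
        raise UnsupportedEncoding('request body is not valid UTF-8') from exc
    return json.loads(text)


def handle_request(environ, body):
    """Return (HTTP status line, decoded payload or None) for one request.
    UnsupportedEncoding is checked before the generic ValueError that
    json.JSONDecodeError derives from."""
    try:
        payload = json_decode(environ, body)
    except UnsupportedEncoding:
        return '415 Unsupported Media Type', None
    except ValueError:
        return '400 Bad Request', None
    return '200 OK', payload


def application(environ, start_response):
    """Minimal WSGI entry point wiring the check in front of the JSON handler."""
    length = int(environ.get('CONTENT_LENGTH') or 0)
    body = environ['wsgi.input'].read(length)
    status, payload = handle_request(environ, body)
    start_response(status, [('Content-Type', 'application/json; charset=utf-8')])
    return [json.dumps({'accepted': payload is not None}).encode('utf-8')]


if __name__ == '__main__':
    # Constructed sample requests: one well-formed, one with a UTF-16 hint,
    # one actually encoded as UTF-16 with no hint at all.
    print(handle_request({'CONTENT_TYPE': 'application/json; charset=UTF-8'},
                         b'{"method": "ping"}'))
    print(handle_request({'CONTENT_TYPE': 'application/json; charset=utf-16'},
                         b'{}'))
    print(handle_request({'CONTENT_TYPE': 'application/json'},
                         '{"method": "ping"}'.encode('utf-16')))
```

The explicit `body.decode('utf-8')` matters more than it looks: `json.loads` accepts bytes and auto-detects UTF-16 and UTF-32 from the leading bytes, so a client that omits the charset hint and sends UTF-16 would otherwise be accepted despite the policy.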
[Freeipa-devel] [freeipa PR#404][opened] tests: Add LDAP URI to ldappasswd explicitly
URL: https://github.com/freeipa/freeipa/pull/404 Author: dkupka Title: #404: tests: Add LDAP URI to ldappasswd explicitelly Action: opened PR body: """ Test should always respect api.env.* values. https://fedorahosted.org/freeipa/ticket/6622 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/404/head:pr404 git checkout pr404 From 7cc4014b13e3e8eb7266b395f78e17a50e4d124f Mon Sep 17 00:00:00 2001 From: David KupkaDate: Thu, 19 Jan 2017 09:18:32 +0100 Subject: [PATCH] tests: Add LDAP URI to ldappasswd explicitelly Test should always respect api.env.* values. https://fedorahosted.org/freeipa/ticket/6622 --- ipatests/util.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipatests/util.py b/ipatests/util.py index 9320383..2450f13 100644 --- a/ipatests/util.py +++ b/ipatests/util.py @@ -721,7 +721,7 @@ def unlock_principal_password(user, oldpw, newpw): user, api.env.container_user, api.env.basedn) args = [paths.LDAPPASSWD, '-D', userdn, '-w', oldpw, '-a', oldpw, -'-s', newpw, '-x'] +'-s', newpw, '-x', '-H', api.env.ldap_uri] return run(args) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
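Review bot: the `unlock_principal_password` hunk does what the commit message says, but the resulting command still performs a simple bind (`-x -D userdn -w oldpw`): if `api.env.ldap_uri` resolves to a plain `ldap://` URI rather than `ldapi://` or `ldaps://`, the old password travels in clear, so consider adding `'-ZZ'` for non-ldapi URIs or asserting on the URI scheme inside the helper. Both `-w oldpw` and `-a oldpw -s newpw` also put the passwords into the process argument list, visible to other local users for the duration of the call; acceptable for a test utility, but the `-y`, `-t` and `-T` file forms avoid it.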
[Freeipa-devel] [freeipa PR#396][comment] Explicitly remove support of SSLv2
URL: https://github.com/freeipa/freeipa/pull/396
Title: #396: Explicitly remove support of SSLv2

stlaz commented:
"""
- I think we may need to discuss the support at the Monday meeting; generally I think SSL 3.0 and TLS 1.0 should not be supported, but there might be troubles with connectivity to legacy IPA servers
- Yes, although in that case we would have to fail instead of falling back to "reasonable defaults", as Env object attribute values cannot be changed once set
"""

See the full comment at https://github.com/freeipa/freeipa/pull/396#issuecomment-273717304
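stlaz's comment above makes the point that once protocol support is narrowed, a configured version that is no longer supported has to be a hard error rather than a silent fallback to a default. The following added example (not FreeIPA code or part of PR#396) shows one way to do that with Python's `ssl` module (3.7+): the `tls_version_min`/`tls_version_max` labels, the `tls1.2`-style spellings and the helper names are this example's own assumptions.

```python
"""Fail closed on legacy or unknown TLS version settings (added example, not FreeIPA code)."""
import ssl

# Version names a config value could carry, mapped to ssl.TLSVersion (Python 3.7+).
# SSL 2.0/3.0 and TLS 1.0/1.1 are deliberately absent so they cannot be selected.
SUPPORTED_VERSIONS = {
    'tls1.2': ssl.TLSVersion.TLSv1_2,
    'tls1.3': ssl.TLSVersion.TLSv1_3,
}
# Recognised only so the error can say "no longer supported" rather than "unknown".
LEGACY_VERSIONS = ('ssl2', 'ssl3', 'tls1.0', 'tls1.1')


def parse_tls_range(min_name, max_name):
    """Validate a (min, max) pair of version names and return the TLSVersion pair.
    Raises ValueError instead of substituting a default, so a bad setting is
    reported at startup rather than papered over."""
    versions = []
    for label, name in (('tls_version_min', min_name), ('tls_version_max', max_name)):
        key = str(name).strip().lower()
        if key in LEGACY_VERSIONS:
            raise ValueError('%s=%r: protocol version is no longer supported'
                             % (label, name))
        if key not in SUPPORTED_VERSIONS:
            raise ValueError('%s=%r: unknown protocol version (expected one of %s)'
                             % (label, name, ', '.join(sorted(SUPPORTED_VERSIONS))))
        versions.append(SUPPORTED_VERSIONS[key])
    lo, hi = versions
    if lo > hi:  # TLSVersion is an IntEnum, so the comparison is by wire value
        raise ValueError('tls_version_min %r is higher than tls_version_max %r'
                         % (min_name, max_name))
    return lo, hi


def tls_range_error(min_name, max_name):
    """Return the validation error message, or None when the range is acceptable."""
    try:
        parse_tls_range(min_name, max_name)
    except ValueError as exc:
        return str(exc)
    return None


def build_client_context(min_name='tls1.2', max_name='tls1.3'):
    """Build a client SSLContext pinned to the validated range; the caller gets
    the ValueError from parse_tls_range if the configuration is not acceptable."""
    lo, hi = parse_tls_range(min_name, max_name)
    ctx = ssl.create_default_context()
    ctx.minimum_version = lo
    ctx.maximum_version = hi
    return ctx


if __name__ == '__main__':
    # Constructed settings: one acceptable, one legacy, one inverted range.
    for pair in (('tls1.2', 'tls1.3'), ('tls1.0', 'tls1.2'), ('tls1.3', 'tls1.2')):
        print(pair, '->', tls_range_error(*pair) or 'ok')
```

Keeping the legacy names out of `SUPPORTED_VERSIONS` is what makes the check fail closed: there is no code path that maps `ssl3` or `tls1.0` to a usable value, so an old configuration surfaces as an error message naming the offending key instead of a connection that quietly negotiates something newer.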