[Freeipa-devel] [freeipa PR#490][synchronized] certdb: use certutil and match_hostname for cert verification
URL: https://github.com/freeipa/freeipa/pull/490
Author: HonzaCholasta
Title: #490: certdb: use certutil and match_hostname for cert verification
Action: synchronized
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/490/head:pr490
git checkout pr490
From 585fdab796513b63850500b3196c941047d0cd03 Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Mon, 2 Jan 2017 13:53:18 +0100
Subject: [PATCH] certdb: use certutil and match_hostname for cert verification
Use certutil and ssl.match_hostname calls instead of python-nss for
certificate verification.
---
freeipa.spec.in | 16 +--
ipalib/x509.py | 71 ---
ipapython/certdb.py | 80 -
ipasetup.py.in | 2 +-
4 files changed, 94 insertions(+), 75 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index e7e39e8..5678549 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -160,8 +160,8 @@ BuildRequires: python3-wheel
#
%if 0%{?with_lint}
BuildRequires: samba-python
-# 1.4: the version where Certificate.serial changed to .serial_number
-BuildRequires: python-cryptography >= 1.4
+# 1.6: x509.Name.rdns (https://github.com/pyca/cryptography/issues/3199)
+BuildRequires: python-cryptography >= 1.6
BuildRequires: python-gssapi >= 1.2.0
BuildRequires: pylint >= 1.6
# workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506
@@ -196,8 +196,8 @@ BuildRequires: python2-jinja2
%if 0%{?with_python3}
# FIXME: this depedency is missing - server will not work
#BuildRequires: python3-samba
-# 1.4: the version where Certificate.serial changed to .serial_number
-BuildRequires: python3-cryptography >= 1.4
+# 1.6: x509.Name.rdns (https://github.com/pyca/cryptography/issues/3199)
+BuildRequires: python3-cryptography >= 1.6
BuildRequires: python3-gssapi >= 1.2.0
BuildRequires: python3-pylint >= 1.6
# workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506
@@ -636,7 +636,7 @@ Requires: gnupg
Requires: keyutils
Requires: pyOpenSSL
Requires: python-nss >= 0.16
-Requires: python-cryptography >= 1.4
+Requires: python-cryptography >= 1.6
Requires: python-netaddr
Requires: python-libipa_hbac
Requires: python-qrcode-core >= 5.0.0
@@ -685,7 +685,7 @@ Requires: gnupg
Requires: keyutils
Requires: python3-pyOpenSSL
Requires: python3-nss >= 0.16
-Requires: python3-cryptography >= 1.4
+Requires: python3-cryptography >= 1.6
Requires: python3-netaddr
Requires: python3-libipa_hbac
Requires: python3-qrcode-core >= 5.0.0
@@ -760,7 +760,7 @@ Requires: python-pytest-multihost >= 0.5
Requires: python-pytest-sourceorder
Requires: ldns-utils
Requires: python-sssdconfig
-Requires: python2-cryptography >= 1.4
+Requires: python2-cryptography >= 1.6
Provides: %{alt_name}-tests = %{version}
Conflicts: %{alt_name}-tests
@@ -794,7 +794,7 @@ Requires: python3-pytest-multihost >= 0.5
Requires: python3-pytest-sourceorder
Requires: ldns-utils
Requires: python3-sssdconfig
-Requires: python3-cryptography >= 1.4
+Requires: python3-cryptography >= 1.6
%description -n python3-ipatests
IPA is an integrated solution to provide centrally managed Identity (users,
diff --git a/ipalib/x509.py b/ipalib/x509.py
index f65cf81..dbcbb59 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -35,6 +35,7 @@
import binascii
import datetime
import ipaddress
+import ssl
import base64
import re
@@ -49,6 +50,7 @@
from ipalib import util
from ipalib import errors
from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
if six.PY3:
unicode = str
@@ -406,6 +408,27 @@ def process_othernames(gns):
yield gn
+def _pyasn1_get_san_general_names(cert):
+tbs = decoder.decode(
+cert.tbs_certificate_bytes,
+asn1Spec=rfc2459.TBSCertificate()
+)[0]
+OID_SAN = univ.ObjectIdentifier('2.5.29.17')
+# One would expect KeyError or empty iterable when the key ('extensions'
+# in this particular case) is not pressent in the certificate but pyasn1
+# returns None here
+extensions = tbs['extensions'] or []
+gns = []
+for ext in extensions:
+if ext['extnID'] == OID_SAN:
+der = decoder.decode(
+ext['extnValue'], asn1Spec=univ.OctetString())[0]
+gns = decoder.decode(der, asn1Spec=rfc2459.SubjectAltName())[0]
+break
+
+return gns
+
+
def get_san_general_names(cert):
"""
Return SAN general names from a python-cryptography
@@ -430,22 +453,7 @@ def get_san_general_names(cert):
and should go away.
"""
-tbs = decoder.decode(
-cert.tbs_certificate_bytes,
-asn1Spec=rfc2459.TBSCertificate()
-)[0]
-OID_SAN = univ.ObjectIdentifier('2.5.29.17')
-# One would expect KeyError or empty iterable when the key ('extensions'
-# in this particular case) is not pressent in the certificate but pyasn1
-# returns N
[Freeipa-devel] [freeipa PR#621][synchronized] Add --force-password-reset to user_mod in user.py
URL: https://github.com/freeipa/freeipa/pull/621
Author: redhatrises
Title: #621: Add --force-password-reset to user_mod in user.py
Action: synchronized
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/621/head:pr621
git checkout pr621
From 78377d860e797db3b8bd82ebc354513b0dc8f9af Mon Sep 17 00:00:00 2001
From: Gabe
Date: Tue, 28 Mar 2017 21:47:06 -0600
Subject: [PATCH] Add --password-expiration to allow admin to force user
password expiration
- Allows an admin to easily force a user to expire their password forcing the user to change it immediately or at a specified time in the future
---
ACI.txt | 2 +-
API.txt | 18 --
VERSION.m4| 2 +-
ipalib/parameters.py | 17 +++--
ipaserver/plugins/baseuser.py | 4
ipaserver/plugins/user.py | 2 +-
6 files changed, 30 insertions(+), 15 deletions(-)
diff --git a/ACI.txt b/ACI.txt
index 9c7996c..185812a 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -351,7 +351,7 @@ aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts
dn: cn=users,cn=accounts,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Add Users";allow (add) groupdn = "ldap:///cn=System: Add Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=users,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = "krbprincipalkey || passwordhistory || sambalmpassword || sambantpassword || userpassword")(targetfilter = "(&(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=ipa,dc=example))(objectclass=posixaccount))")(version 3.0;acl "permission:System: Change User password";allow (write) groupdn = "ldap:///cn=System: Change User password,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "krbpasswordexpiration || krbprincipalkey || passwordhistory || sambalmpassword || sambantpassword || userpassword")(targetfilter = "(&(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=ipa,dc=example))(objectclass=posixaccount))")(version 3.0;acl "permission:System: Change User password";allow (write) groupdn = "ldap:///cn=System: Change User password,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=users,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "ipacertmapdata || objectclass")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Manage User Certificate Mappings";allow (write) groupdn = "ldap:///cn=System: Manage User Certificate Mappings,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=users,cn=accounts,dc=ipa,dc=example
diff --git a/API.txt b/API.txt
index 7594157..7850538 100644
--- a/API.txt
+++ b/API.txt
@@ -4828,7 +4828,7 @@ output: Entry('result')
output: Output('summary', type=[, ])
output: PrimaryKey('value')
command: stageuser_add/1
-args: 1,44,3
+args: 1,45,3
arg: Str('uid', cli_name='login')
option: Str('addattr*', cli_name='addattr')
option: Flag('all', autofill=True, cli_name='all', default=False)
@@ -4849,6 +4849,7 @@ option: Str('ipasshpubkey*', cli_name='sshpubkey')
option: Str('ipatokenradiusconfiglink?', cli_name='radius')
option: Str('ipatokenradiususername?', cli_name='radius_username')
option: StrEnum('ipauserauthtype*', cli_name='user_auth_type', values=[u'password', u'radius', u'otp'])
+option: DateTime('krbpasswordexpiration?', cli_name='password_expiration')
option: DateTime('krbprincipalexpiration?', cli_name='principal_expiration')
option: Principal('krbprincipalname*', autofill=True, cli_name='principal')
option: Str('l?', cli_name='city')
@@ -4933,7 +4934,7 @@ output: Output('result', type=[])
output: Output('summary', type=[, ])
output: ListOfPrimaryKeys('value')
command: stageuser_find/1
-args: 1,53,4
+args: 1,54,4
arg: Str('criteria?')
option: Flag('all', autofill=True, cli_name='all', default=False)
option: Str('carlicense*', autofill=False)
@@ -4956,6 +4957,7 @@ option: Str('initials?', autofill=False)
option: Str('ipatokenradiusconfiglink?', autofill=False, cli_name='radius')
option: Str('ipatokenradiususername?', autofill=False, cli_name='radius_username')
option: StrEnum('ipauserauthtype*', autofill=False, cli_name='user_auth_type', values=[u'password', u'radius', u'otp'])
+option: DateTime('krbpasswordexpiration?', autofill=False, cli_name='password_expiration')
option: DateTime('krbprincipalexpiration?', autofill=False, cli_name='principal_expiration')
option: Principal('krbprincipalname*', autofill=False, cli_name='principal')
option: Str('l?', autofill=False, cli_name='city')
@@ -4993,7 +4995,7 @@ output: ListOfEntries('result')
output: Output('summary', type=[, ])
output: Output('truncated', type=[])
command: stageuser_mod/1
-args: 1,46,3
+args: 1,47,3
arg: Str('uid', cli_name='login')
option: Str('addattr*', cli_name='addattr')
option: Flag('all', autofill=True, cli_name='all', default=False)
@@ -5014,6 +5016,7 @@ option: Str('ipasshpubkey*', autofill=False
[Freeipa-devel] [freeipa PR#632][edited] ipa-sam: create the gidNumber attribute in the trusted domain entry
URL: https://github.com/freeipa/freeipa/pull/632 Author: flo-renaud Title: #632: ipa-sam: create the gidNumber attribute in the trusted domain entry Action: edited Changed field: body Original value: """ When a trusted domain entry is created, the uidNumber attribute is created but not the gidNumber attribute. This causes samba to log Failed to find a Unix account for DOM-AD$ because the samu structure does not contain a group_sid and is not put in the cache. The fix creates the gidNumber attribute in the trusted domain entry, and initialises the group_sid field in the samu structure returned by ldapsam_getsampwnam. This ensures that the entry is put in the cache. Note that this is only a partial fix for 6660 as it does not prevent _netr_ServerAuthenticate3 from failing with the log _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client VM-AD machine account dom-ad.example.com. https://pagure.io/freeipa/issue/6660 """ -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#632][comment] ipa-sam: create the gidNumber attribute in the trusted domain entry
URL: https://github.com/freeipa/freeipa/pull/632 Title: #632: ipa-sam: create the gidNumber attribute in the trusted domain entry flo-renaud commented: """ I updated the commit message with a different issue number, related to the "Failed to find a unix account" message. """ See the full comment at https://github.com/freeipa/freeipa/pull/632#issuecomment-289891045 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#632][synchronized] ipa-sam: create the gidNumber attribute in the trusted domain entry
URL: https://github.com/freeipa/freeipa/pull/632
Author: flo-renaud
Title: #632: ipa-sam: create the gidNumber attribute in the trusted domain
entry
Action: synchronized
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/632/head:pr632
git checkout pr632
From b000fdfc229917e6cb62ba185ac24522899b3f86 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud
Date: Tue, 21 Mar 2017 17:33:20 +0100
Subject: [PATCH] ipa-sam: create the gidNumber attribute in the trusted domain
entry
When a trusted domain entry is created, the uidNumber attribute is created
but not the gidNumber attribute. This causes samba to log
Failed to find a Unix account for DOM-AD$
because the samu structure does not contain a group_sid and is not put
in the cache.
The fix creates the gidNumber attribute in the trusted domain entry,
and initialises the group_sid field in the samu structure returned
by ldapsam_getsampwnam. This ensures that the entry is put in the cache.
Note that this is only a partial fix for 6660 as it does not prevent
_netr_ServerAuthenticate3 from failing with the log
_netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client VM-AD machine account dom-ad.example.com.
https://pagure.io/freeipa/issue/6827
---
daemons/ipa-sam/ipa_sam.c | 26 ++
1 file changed, 26 insertions(+)
diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 4c1fda5..c483ee4 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -2419,6 +2419,8 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods,
if (entry == NULL || sid == NULL) {
smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
LDAP_ATTRIBUTE_UIDNUMBER, IPA_MAGIC_ID_STR);
+ smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
+ LDAP_ATTRIBUTE_GIDNUMBER, IPA_MAGIC_ID_STR);
}
if (td->netbios_name != NULL) {
@@ -2823,12 +2825,18 @@ static uint32_t pdb_ipasam_capabilities(struct pdb_methods *methods)
return PDB_CAP_STORE_RIDS | PDB_CAP_ADS | PDB_CAP_TRUSTED_DOMAINS_EX;
}
+static int ipasam_get_primary_group_sid(TALLOC_CTX *mem_ctx,
+struct ldapsam_privates *ldap_state,
+LDAPMessage *entry,
+struct dom_sid **_group_sid);
+
static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
LDAPMessage *entry,
struct ldapsam_privates *ldap_state)
{
NTSTATUS status;
struct dom_sid *u_sid;
+ struct dom_sid *g_sid;
char *name;
char *trustpw = NULL;
char *trustpw_utf8 = NULL;
@@ -2839,6 +2847,7 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
bool res;
char *sid_str;
enum idmap_error_code err;
+ TALLOC_CTX *tmp_ctx;
if (!pdb_set_acct_ctrl(user, ACB_DOMTRUST | ACB_TRUSTED_FOR_DELEGATION,
PDB_SET)) {
@@ -2884,6 +2893,23 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
}
talloc_free(u_sid);
+ tmp_ctx= talloc_init("init_sam_from_td");
+ if (!tmp_ctx) {
+ return false;
+ }
+
+ if (ipasam_get_primary_group_sid(tmp_ctx, ldap_state, entry, &g_sid)
+ != 0) {
+ talloc_free(tmp_ctx);
+ return false;
+ }
+
+ if (!pdb_set_group_sid(user, g_sid, PDB_SET)) {
+ talloc_free(tmp_ctx);
+ return false;
+ }
+ talloc_free(tmp_ctx);
+
status = get_trust_pwd(user, &td->trust_auth_incoming, &trustpw, NULL);
if (!NT_STATUS_IS_OK(status)) {
return false;
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#665][synchronized] Allow erasing ipaDomainResolutionOrder attribute
URL: https://github.com/freeipa/freeipa/pull/665 Author: fidencio Title: #665: Allow erasing ipaDomainResolutionOrder attribute Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/665/head:pr665 git checkout pr665 From 7d2b66cc8b5af7c2a1fefa00fe44a171ae092b35 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Tue, 28 Mar 2017 16:15:21 +0200 Subject: [PATCH] Allow erasing ipaDomainResolutionOrder attribute MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Currently when trying to erase the ipaDomainResolutionOrder attribute we hit an internal error as the split() method is called on a None object. By returning early in case of empty string we now allow removing the ipaDomainResolutionOrder attribute by both calling delattr or setting its value to an empty string. https://pagure.io/freeipa/issue/6825 Signed-off-by: Fabiano Fidêncio --- ipaserver/plugins/config.py | 5 + 1 file changed, 5 insertions(+) diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py index 232c881..b50e7a4 100644 --- a/ipaserver/plugins/config.py +++ b/ipaserver/plugins/config.py @@ -359,6 +359,11 @@ def validate_domain_resolution_order(self, entry_attrs): domain_resolution_order = entry_attrs[attr_name] +# setting up an empty string means that the previous configuration has +# to be cleaned up/removed. So, do nothing and let it pass +if not domain_resolution_order: +return + # empty resolution order is signalized by single separator, do nothing # and let it pass if domain_resolution_order == DOMAIN_RESOLUTION_ORDER_SEPARATOR: -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#665][comment] Allow erasing ipaDomainResolutionOrder attribute
URL: https://github.com/freeipa/freeipa/pull/665 Title: #665: Allow erasing ipaDomainResolutionOrder attribute fidencio commented: """ I have updated the commit message as I found a typo there: "both doing calling delattr or" -> "both calling delattr or" """ See the full comment at https://github.com/freeipa/freeipa/pull/665#issuecomment-289861109 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#667][opened] idrange-mod: properly handle empty --dom-name option
URL: https://github.com/freeipa/freeipa/pull/667
Author: flo-renaud
Title: #667: idrange-mod: properly handle empty --dom-name option
Action: opened
PR body:
"""
When idrange-mod is called with --dom-name=, the CLI exits with
ipa: ERROR: an internal error has occurred
This happens because the code checks if the option is provided but does not
check if the value is None.
We need to handle empty dom-name as if the option was not specified.
https://pagure.io/freeipa/issue/6404
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/667/head:pr667
git checkout pr667
From b47744c922942426d12b1f5572a89e087bed7a3e Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud
Date: Tue, 28 Mar 2017 16:02:45 +0200
Subject: [PATCH] idrange-mod: properly handle empty --dom-name option
When idrange-mod is called with --dom-name=, the CLI exits with
ipa: ERROR: an internal error has occurred
This happens because the code checks if the option is provided but does not
check if the value is None.
We need to handle empty dom-name as if the option was not specified.
https://pagure.io/freeipa/issue/6404
---
ipaserver/plugins/idrange.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipaserver/plugins/idrange.py b/ipaserver/plugins/idrange.py
index 5b88a6b..c8ea95a 100644
--- a/ipaserver/plugins/idrange.py
+++ b/ipaserver/plugins/idrange.py
@@ -411,7 +411,7 @@ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
# This needs to stay in options since there is no
# ipanttrusteddomainname attribute in LDAP
-if 'ipanttrusteddomainname' in options:
+if options.get('ipanttrusteddomainname'):
if is_set('ipanttrusteddomainsid'):
raise errors.ValidationError(name='ID Range setup',
error=_('Options dom-sid and dom-name '
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#644][+pushed] extdom: improve certificate request
URL: https://github.com/freeipa/freeipa/pull/644 Title: #644: extdom: improve certificate request Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#644][comment] extdom: improve certificate request
URL: https://github.com/freeipa/freeipa/pull/644 Title: #644: extdom: improve certificate request tomaskrizek commented: """ master: * ee455f163d756a6b71db8e999365139cad46c6ad extdom: do reverse search for domain separator * 8960398a57f69c124ec3105289dc355baa0d5b09 extdom: improve cert request ipa-4-5: * 8046f9baab1e93b8b8e11d05088c8cdabdd47281 extdom: do reverse search for domain separator * a510a3d7e9f37e89acee84bed2363cb7f57fe88e extdom: improve cert request """ See the full comment at https://github.com/freeipa/freeipa/pull/644#issuecomment-289824801 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#644][closed] extdom: improve certificate request
URL: https://github.com/freeipa/freeipa/pull/644 Author: sumit-bose Title: #644: extdom: improve certificate request Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/644/head:pr644 git checkout pr644 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#644][synchronized] extdom: improve certificate request
URL: https://github.com/freeipa/freeipa/pull/644
Author: sumit-bose
Title: #644: extdom: improve certificate request
Action: synchronized
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/644/head:pr644
git checkout pr644
From e04d0cfe6735a14aa0535d45982ea2aa7480edf5 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Fri, 17 Mar 2017 14:10:52 +0100
Subject: [PATCH 1/2] extdom: do reverse search for domain separator
To avoid issues which @-signs in the short user or group names it is
better to search for the domain separator starting at the end of the
fully-qualified name.
---
daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
index e629247..aa1ff10 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
@@ -515,7 +515,7 @@ int pack_ber_user(struct ipa_extdom_ctx *ctx,
char *short_user_name = NULL;
short_user_name = strdup(user_name);
-if ((locat = strchr(short_user_name, SSSD_DOMAIN_SEPARATOR)) != NULL) {
+if ((locat = strrchr(short_user_name, SSSD_DOMAIN_SEPARATOR)) != NULL) {
if (strcasecmp(locat+1, domain_name) == 0 ) {
locat[0] = '\0';
} else {
@@ -626,7 +626,7 @@ int pack_ber_group(enum response_types response_type,
char *short_group_name = NULL;
short_group_name = strdup(group_name);
-if ((locat = strchr(short_group_name, SSSD_DOMAIN_SEPARATOR)) != NULL) {
+if ((locat = strrchr(short_group_name, SSSD_DOMAIN_SEPARATOR)) != NULL) {
if (strcasecmp(locat+1, domain_name) == 0 ) {
locat[0] = '\0';
} else {
@@ -901,7 +901,7 @@ static int handle_sid_or_cert_request(struct ipa_extdom_ctx *ctx,
goto done;
}
-sep = strchr(fq_name, SSSD_DOMAIN_SEPARATOR);
+sep = strrchr(fq_name, SSSD_DOMAIN_SEPARATOR);
if (sep == NULL) {
set_err_msg(req, "Failed to split fully qualified name");
ret = LDAP_OPERATIONS_ERROR;
From 33952e2a2cf8e7afeac492ade676027b12649501 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Fri, 17 Mar 2017 14:48:50 +0100
Subject: [PATCH 2/2] extdom: improve cert request
Certificates can be assigned to multiple user so the extdom plugin must
use sss_nss_getlistbycert() instead of sss_nss_getnamebycert() and
return a list of fully-qualified user names.
Due to issues on the SSSD side the current version of lookups by
certificates didn't work at all and the changes here won't break
existing clients.
Related to https://pagure.io/freeipa/issue/6826
---
.../ipa-extdom-extop/ipa_extdom.h | 3 +-
.../ipa-extdom-extop/ipa_extdom_common.c | 157 ++---
server.m4 | 2 +-
3 files changed, 143 insertions(+), 19 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
index 34e2d3c..bc29f06 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
@@ -95,7 +95,8 @@ enum response_types {
RESP_USER,
RESP_GROUP,
RESP_USER_GROUPLIST,
-RESP_GROUP_MEMBERS
+RESP_GROUP_MEMBERS,
+RESP_NAME_LIST
};
struct extdom_req {
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
index aa1ff10..fe225fa 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
@@ -698,6 +698,90 @@ int pack_ber_group(enum response_types response_type,
return ret;
}
+int pack_ber_name_list(struct extdom_req *req, char **fq_name_list,
+ struct berval **berval)
+{
+BerElement *ber = NULL;
+int ret;
+char *sep;
+size_t c;
+size_t len;
+size_t name_len;
+
+/* count the names */
+for (c = 0; fq_name_list[c] != NULL; c++);
+if (c == 0) {
+set_err_msg(req, "Empty name list");
+return LDAP_NO_SUCH_OBJECT;
+}
+
+ber = ber_alloc_t( LBER_USE_DER );
+if (ber == NULL) {
+set_err_msg(req, "BER alloc failed");
+return LDAP_OPERATIONS_ERROR;
+}
+
+
+ret = ber_printf(ber,"{e{", RESP_NAME_LIST);
+if (ret == -1) {
+set_err_msg(req, "BER start failed");
+ber_free(ber, 1);
+return LDAP_OPERATIONS_ERROR;
+}
+
+for (c = 0; fq_name_list[c] != NULL; c++) {
+len = strlen(fq_name_list[c]);
+if (len < 3) {
+set_err_msg(req, "Fully qualified name too short");
+ber_free(ber, 1);
+return LDAP_OPERATIONS_ERROR;
+}
+
+
[Freeipa-devel] [freeipa PR#623][comment] client install: do not assume /etc/krb5.conf.d exists
URL: https://github.com/freeipa/freeipa/pull/623 Title: #623: client install: do not assume /etc/krb5.conf.d exists frozencemetery commented: """ (Note: a standard directory in distributions that freeipa could use would be provided by the krb5 maintainer, not the freeipa maintainer.) """ See the full comment at https://github.com/freeipa/freeipa/pull/623#issuecomment-289823559 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#490][comment] certdb: use certutil and match_hostname for cert verification
URL: https://github.com/freeipa/freeipa/pull/490 Title: #490: certdb: use certutil and match_hostname for cert verification tiran commented: """ github magic is bad magic :/ It still shows up as 'conflicting' for me. I'll try to find time to review the issue tomorrow, Thursday latest. """ See the full comment at https://github.com/freeipa/freeipa/pull/490#issuecomment-289822893 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#665][comment] Allow erasing ipaDomainResolutionOrder attribute
URL: https://github.com/freeipa/freeipa/pull/665 Title: #665: Allow erasing ipaDomainResolutionOrder attribute MartinBasti commented: """ LGTM """ See the full comment at https://github.com/freeipa/freeipa/pull/665#issuecomment-289817220 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#665][synchronized] Allow erasing ipaDomainResolutionOrder attribute
URL: https://github.com/freeipa/freeipa/pull/665 Author: fidencio Title: #665: Allow erasing ipaDomainResolutionOrder attribute Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/665/head:pr665 git checkout pr665 From e81f650ea4dbe262275a8b1a13f8a99368f03c45 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Tue, 28 Mar 2017 16:15:21 +0200 Subject: [PATCH] Allow erasing ipaDomainResolutionOrder attribute MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Currently when trying to erase the ipaDomainResolutionOrder attribute we hit an internal error as the split() method is called on a None object. By returning early in case of empty string we now allow removing the ipaDomainResolutionOrder attribute by both doing calling delattr or setting its value to an empty string. https://pagure.io/freeipa/issue/6825 Signed-off-by: Fabiano Fidêncio --- ipaserver/plugins/config.py | 5 + 1 file changed, 5 insertions(+) diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py index 232c881..b50e7a4 100644 --- a/ipaserver/plugins/config.py +++ b/ipaserver/plugins/config.py @@ -359,6 +359,11 @@ def validate_domain_resolution_order(self, entry_attrs): domain_resolution_order = entry_attrs[attr_name] +# setting up an empty string means that the previous configuration has +# to be cleaned up/removed. So, do nothing and let it pass +if not domain_resolution_order: +return + # empty resolution order is signalized by single separator, do nothing # and let it pass if domain_resolution_order == DOMAIN_RESOLUTION_ORDER_SEPARATOR: -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#666][opened] Fix anonymous principal handling in replica install
URL: https://github.com/freeipa/freeipa/pull/666
Author: martbab
Title: #666: Fix anonymous principal handling in replica install
Action: opened
PR body:
"""
This PR should unblock replica install against <4.5 masters if `--no-pkinit`
option is given. Be aware of the non-working WebUI after install, this will be
fixed once local PKINIT will be implemented.
Requires https://github.com/freeipa/freeipa/pull/631
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/666/head:pr666
git checkout pr666
From 11ab779e1f5ed4bc0d97ce812636e2c51f044b26 Mon Sep 17 00:00:00 2001
From: Martin Babinsky
Date: Tue, 21 Mar 2017 17:03:35 +0100
Subject: [PATCH 1/6] Upgrade: configure PKINIT after adding anonymous
principal
In order to set up PKINIT, the anonymous principal must already be
created, otherwise the upgrade with fail when trying out anonymous
PKINIT. Switch the order of steps so that this issue does not occur.
https://pagure.io/freeipa/issue/6792
---
ipaserver/install/server/upgrade.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 1706079..be07d78 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1809,9 +1809,9 @@ def upgrade_configuration():
KDC_CERT=paths.KDC_CERT,
KDC_KEY=paths.KDC_KEY,
CACERT_PEM=paths.CACERT_PEM)
-setup_pkinit(krb)
enable_anonymous_principal(krb)
http.request_anon_keytab()
+setup_pkinit(krb)
if not ds_running:
ds.stop(ds_serverid)
From 25247306f44fd01eb737bedfdeec925f506dec6b Mon Sep 17 00:00:00 2001
From: Martin Babinsky
Date: Wed, 22 Mar 2017 10:01:34 +0100
Subject: [PATCH 2/6] Remove unused variable from failed anonymous PKINIT
handling
https://pagure.io/freeipa/issue/6792
---
ipaserver/install/krbinstance.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index d936cc5..c817076 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -413,7 +413,7 @@ def setup_pkinit(self):
with ipautil.private_ccache() as anon_ccache:
try:
ipautil.run([paths.KINIT, '-n', '-c', anon_ccache])
-except ipautil.CalledProcessError as e:
+except ipautil.CalledProcessError:
raise RuntimeError("Failed to configure anonymous PKINIT")
def enable_ssl(self):
From 2adbb7d5bcb14759625e9805e2ebcb36b2586362 Mon Sep 17 00:00:00 2001
From: Martin Babinsky
Date: Wed, 22 Mar 2017 10:04:52 +0100
Subject: [PATCH 3/6] Split out anonymous PKINIT test to a separate method
This allows for more flexibility in the whole PKINIT setup process.
https://pagure.io/freeipa/issue/6792
---
ipaserver/install/krbinstance.py | 2 ++
1 file changed, 2 insertions(+)
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index c817076..5f4b528 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -410,6 +410,7 @@ def setup_pkinit(self):
root_logger.critical("krb5kdc service failed to restart")
raise
+def test_anonymous_pkinit(self):
with ipautil.private_ccache() as anon_ccache:
try:
ipautil.run([paths.KINIT, '-n', '-c', anon_ccache])
@@ -421,6 +422,7 @@ def enable_ssl(self):
self.steps = []
self.step("installing X509 Certificate for PKINIT",
self.setup_pkinit)
+self.step("testing anonymous PKINIT", self.test_anonymous_pkinit)
self.start_creation()
From a2ecdb818ef9e3f8dc2bb97688c894c99ca9 Mon Sep 17 00:00:00 2001
From: Martin Babinsky
Date: Wed, 22 Mar 2017 11:56:18 +0100
Subject: [PATCH 4/6] Ensure KDC is propery configured after upgrade
https://pagure.io/freeipa/issue/6792
---
ipaserver/install/server/upgrade.py | 10 +-
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index be07d78..0db764c 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1499,15 +1499,14 @@ def enable_anonymous_principal(krb):
def setup_pkinit(krb):
root_logger.info("[Setup PKINIT]")
-if os.path.exists(paths.KDC_CERT):
-root_logger.info("PKINIT already set up")
-return
-
if not api.Command.ca_is_enabled()['result']:
root_logger.info("CA is not enabled")
return
-krb.setup_pkinit()
+if not os.path.exists(paths.KDC_CERT):
+root_logger.info("Requesting PKINIT certificate")
+krb.setup_pkinit()
+
replacevars = dict()
replacevars['pkinit_identity'] = 'FILE:{},{}'.format(
paths.KDC_CERT,paths.KDC_KEY)
[Freeipa-devel] [freeipa PR#665][opened] Allow erasing ipaDomainResolutionOrder attribute
URL: https://github.com/freeipa/freeipa/pull/665 Author: fidencio Title: #665: Allow erasing ipaDomainResolutionOrder attribute Action: opened PR body: """ Currently when trying to erase the ipaDomainResolutionOrder attribute we hit an internal error as the split() method is called on a None object. By returning early in case of empty string we now allow removing the ipaDomainResolutionOrder attribute by both doing calling delattr or setting its value to an empty string. https://pagure.io/freeipa/issue/6825 Signed-off-by: Fabiano Fidêncio """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/665/head:pr665 git checkout pr665 From afa6e8342bcfedf09cd3e7e6917243b3512d3cfb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Tue, 28 Mar 2017 16:15:21 +0200 Subject: [PATCH] Allow erasing ipaDomainResolutionOrder attribute MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Currently when trying to erase the ipaDomainResolutionOrder attribute we hit an internal error as the split() method is called on a None object. By returning early in case of empty string we now allow removing the ipaDomainResolutionOrder attribute by both doing calling delattr or setting its value to an empty string. https://pagure.io/freeipa/issue/6825 Signed-off-by: Fabiano Fidêncio --- ipaserver/plugins/config.py | 6 ++ 1 file changed, 6 insertions(+) diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py index 232c881..7167baa 100644 --- a/ipaserver/plugins/config.py +++ b/ipaserver/plugins/config.py @@ -359,6 +359,11 @@ def validate_domain_resolution_order(self, entry_attrs): domain_resolution_order = entry_attrs[attr_name] +# setting up an empty string means that the previous configuration has +# to be cleaned up/removed. So, do nothing and let it pass +if not domain_resolution_order: +return + # empty resolution order is signalized by single separator, do nothing # and let it pass if domain_resolution_order == DOMAIN_RESOLUTION_ORDER_SEPARATOR: @@ -367,6 +372,7 @@ def validate_domain_resolution_order(self, entry_attrs): submitted_domains = domain_resolution_order.split( DOMAIN_RESOLUTION_ORDER_SEPARATOR) + known_domains = self.gather_trusted_domains() # add FreeIPA domain to the list of domains. This one is always enabled -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#631][synchronized] Upgrade: configure PKINIT after adding anonymous principal
URL: https://github.com/freeipa/freeipa/pull/631
Author: martbab
Title: #631: Upgrade: configure PKINIT after adding anonymous principal
Action: synchronized
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/631/head:pr631
git checkout pr631
From 11ab779e1f5ed4bc0d97ce812636e2c51f044b26 Mon Sep 17 00:00:00 2001
From: Martin Babinsky
Date: Tue, 21 Mar 2017 17:03:35 +0100
Subject: [PATCH 1/4] Upgrade: configure PKINIT after adding anonymous
principal
In order to set up PKINIT, the anonymous principal must already be
created, otherwise the upgrade with fail when trying out anonymous
PKINIT. Switch the order of steps so that this issue does not occur.
https://pagure.io/freeipa/issue/6792
---
ipaserver/install/server/upgrade.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 1706079..be07d78 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1809,9 +1809,9 @@ def upgrade_configuration():
KDC_CERT=paths.KDC_CERT,
KDC_KEY=paths.KDC_KEY,
CACERT_PEM=paths.CACERT_PEM)
-setup_pkinit(krb)
enable_anonymous_principal(krb)
http.request_anon_keytab()
+setup_pkinit(krb)
if not ds_running:
ds.stop(ds_serverid)
From 25247306f44fd01eb737bedfdeec925f506dec6b Mon Sep 17 00:00:00 2001
From: Martin Babinsky
Date: Wed, 22 Mar 2017 10:01:34 +0100
Subject: [PATCH 2/4] Remove unused variable from failed anonymous PKINIT
handling
https://pagure.io/freeipa/issue/6792
---
ipaserver/install/krbinstance.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index d936cc5..c817076 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -413,7 +413,7 @@ def setup_pkinit(self):
with ipautil.private_ccache() as anon_ccache:
try:
ipautil.run([paths.KINIT, '-n', '-c', anon_ccache])
-except ipautil.CalledProcessError as e:
+except ipautil.CalledProcessError:
raise RuntimeError("Failed to configure anonymous PKINIT")
def enable_ssl(self):
From 2adbb7d5bcb14759625e9805e2ebcb36b2586362 Mon Sep 17 00:00:00 2001
From: Martin Babinsky
Date: Wed, 22 Mar 2017 10:04:52 +0100
Subject: [PATCH 3/4] Split out anonymous PKINIT test to a separate method
This allows for more flexibility in the whole PKINIT setup process.
https://pagure.io/freeipa/issue/6792
---
ipaserver/install/krbinstance.py | 2 ++
1 file changed, 2 insertions(+)
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index c817076..5f4b528 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -410,6 +410,7 @@ def setup_pkinit(self):
root_logger.critical("krb5kdc service failed to restart")
raise
+def test_anonymous_pkinit(self):
with ipautil.private_ccache() as anon_ccache:
try:
ipautil.run([paths.KINIT, '-n', '-c', anon_ccache])
@@ -421,6 +422,7 @@ def enable_ssl(self):
self.steps = []
self.step("installing X509 Certificate for PKINIT",
self.setup_pkinit)
+self.step("testing anonymous PKINIT", self.test_anonymous_pkinit)
self.start_creation()
From a2ecdb818ef9e3f8dc2bb97688c894c99ca9 Mon Sep 17 00:00:00 2001
From: Martin Babinsky
Date: Wed, 22 Mar 2017 11:56:18 +0100
Subject: [PATCH 4/4] Ensure KDC is propery configured after upgrade
https://pagure.io/freeipa/issue/6792
---
ipaserver/install/server/upgrade.py | 10 +-
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index be07d78..0db764c 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1499,15 +1499,14 @@ def enable_anonymous_principal(krb):
def setup_pkinit(krb):
root_logger.info("[Setup PKINIT]")
-if os.path.exists(paths.KDC_CERT):
-root_logger.info("PKINIT already set up")
-return
-
if not api.Command.ca_is_enabled()['result']:
root_logger.info("CA is not enabled")
return
-krb.setup_pkinit()
+if not os.path.exists(paths.KDC_CERT):
+root_logger.info("Requesting PKINIT certificate")
+krb.setup_pkinit()
+
replacevars = dict()
replacevars['pkinit_identity'] = 'FILE:{},{}'.format(
paths.KDC_CERT,paths.KDC_KEY)
@@ -1519,6 +1518,7 @@ def setup_pkinit(krb):
if krb.is_running():
krb.stop()
krb.start()
+krb.test_anonymous_pkinit()
def disable_httpd_system_trust(http):
--
Manage your subscription for the Freeipa-devel mailing list:
https://ww
[Freeipa-devel] [freeipa PR#658][synchronized] Hide PKI Client database password in log file
URL: https://github.com/freeipa/freeipa/pull/658
Author: Akasurde
Title: #658: Hide PKI Client database password in log file
Action: synchronized
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/658/head:pr658
git checkout pr658
From 08f9f956ca67a317fd2088787d23944b247494ed Mon Sep 17 00:00:00 2001
From: Abhijeet Kasurde
Date: Mon, 27 Mar 2017 16:06:09 +0530
Subject: [PATCH] Hide PKI Client database password in log file
Signed-off-by: Abhijeet Kasurde
---
ipaserver/install/cainstance.py | 5 -
ipaserver/install/krainstance.py | 9 ++---
2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 92bb760..2d33a97 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -617,7 +617,10 @@ def __spawn_instance(self):
try:
DogtagInstance.spawn_instance(
self, cfg_file,
-nolog_list=(self.dm_password, self.admin_password, pki_pin)
+nolog_list=(self.dm_password,
+self.admin_password,
+pki_pin,
+self.tmp_agent_pwd)
)
finally:
os.remove(cfg_file)
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index 34d6678..6fa4f0f 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -150,6 +150,7 @@ def __spawn_instance(self):
os.chown(cfg_file, pent.pw_uid, pent.pw_gid)
self.tmp_agent_db = tempfile.mkdtemp(
prefix="tmp-", dir=paths.VAR_LIB_IPA)
+tmp_agent_pwd = ipautil.ipa_generate_password()
# Create KRA configuration
config = ConfigParser()
@@ -173,8 +174,7 @@ def __spawn_instance(self):
# Client security database
config.set("KRA", "pki_client_database_dir", self.tmp_agent_db)
-config.set("KRA", "pki_client_database_password",
- ipautil.ipa_generate_password())
+config.set("KRA", "pki_client_database_password", tmp_agent_pwd)
config.set("KRA", "pki_client_database_purge", "True")
config.set("KRA", "pki_client_pkcs12_password", self.admin_password)
@@ -279,7 +279,10 @@ def __spawn_instance(self):
try:
DogtagInstance.spawn_instance(
self, cfg_file,
-nolog_list=(self.dm_password, self.admin_password, pki_pin)
+nolog_list=(self.dm_password,
+self.admin_password,
+pki_pin,
+tmp_agent_pwd)
)
finally:
os.remove(p12_tmpfile_name)
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#490][synchronized] certdb: use certutil and match_hostname for cert verification
URL: https://github.com/freeipa/freeipa/pull/490
Author: HonzaCholasta
Title: #490: certdb: use certutil and match_hostname for cert verification
Action: synchronized
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/490/head:pr490
git checkout pr490
From 940c715bcf57fa59255166fbc12ccad06f3f0db0 Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Mon, 2 Jan 2017 13:53:18 +0100
Subject: [PATCH] certdb: use certutil and match_hostname for cert verification
Use certutil and ssl.match_hostname calls instead of python-nss for
certificate verification.
---
freeipa.spec.in | 16 +--
ipalib/x509.py | 71 ---
ipapython/certdb.py | 80 -
ipasetup.py.in | 2 +-
4 files changed, 94 insertions(+), 75 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 5c835ca..2cde0da 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -129,8 +129,8 @@ BuildRequires: python-cffi
%if 0%{?with_lint}
BuildRequires: samba-python
BuildRequires: python-setuptools
-# 1.4: the version where Certificate.serial changed to .serial_number
-BuildRequires: python-cryptography >= 1.4
+# 1.6: x509.Name.rdns (https://github.com/pyca/cryptography/issues/3199)
+BuildRequires: python-cryptography >= 1.6
BuildRequires: python-gssapi >= 1.2.0
BuildRequires: pylint >= 1.0
# workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506
@@ -165,8 +165,8 @@ BuildRequires: python2-jinja2
# FIXME: this depedency is missing - server will not work
#BuildRequires: python3-samba
BuildRequires: python3-setuptools
-# 1.4: the version where Certificate.serial changed to .serial_number
-BuildRequires: python3-cryptography >= 1.4
+# 1.6: x509.Name.rdns (https://github.com/pyca/cryptography/issues/3199)
+BuildRequires: python3-cryptography >= 1.6
BuildRequires: python3-gssapi >= 1.2.0
BuildRequires: python3-pylint >= 1.0
# workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506
@@ -592,7 +592,7 @@ Requires: gnupg
Requires: keyutils
Requires: pyOpenSSL
Requires: python-nss >= 0.16
-Requires: python-cryptography >= 1.4
+Requires: python-cryptography >= 1.6
Requires: python-netaddr
Requires: python-libipa_hbac
Requires: python-qrcode-core >= 5.0.0
@@ -642,7 +642,7 @@ Requires: gnupg
Requires: keyutils
Requires: python3-pyOpenSSL
Requires: python3-nss >= 0.16
-Requires: python3-cryptography >= 1.4
+Requires: python3-cryptography >= 1.6
Requires: python3-netaddr
Requires: python3-libipa_hbac
Requires: python3-qrcode-core >= 5.0.0
@@ -717,7 +717,7 @@ Requires: python-pytest-multihost >= 0.5
Requires: python-pytest-sourceorder
Requires: ldns-utils
Requires: python-sssdconfig
-Requires: python2-cryptography >= 1.4
+Requires: python2-cryptography >= 1.6
Provides: %{alt_name}-tests = %{version}
Conflicts: %{alt_name}-tests
@@ -751,7 +751,7 @@ Requires: python3-pytest-multihost >= 0.5
Requires: python3-pytest-sourceorder
Requires: ldns-utils
Requires: python3-sssdconfig
-Requires: python3-cryptography >= 1.4
+Requires: python3-cryptography >= 1.6
%description -n python3-ipatests
IPA is an integrated solution to provide centrally managed Identity (users,
diff --git a/ipalib/x509.py b/ipalib/x509.py
index f65cf81..dbcbb59 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -35,6 +35,7 @@
import binascii
import datetime
import ipaddress
+import ssl
import base64
import re
@@ -49,6 +50,7 @@
from ipalib import util
from ipalib import errors
from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
if six.PY3:
unicode = str
@@ -406,6 +408,27 @@ def process_othernames(gns):
yield gn
+def _pyasn1_get_san_general_names(cert):
+tbs = decoder.decode(
+cert.tbs_certificate_bytes,
+asn1Spec=rfc2459.TBSCertificate()
+)[0]
+OID_SAN = univ.ObjectIdentifier('2.5.29.17')
+# One would expect KeyError or empty iterable when the key ('extensions'
+# in this particular case) is not pressent in the certificate but pyasn1
+# returns None here
+extensions = tbs['extensions'] or []
+gns = []
+for ext in extensions:
+if ext['extnID'] == OID_SAN:
+der = decoder.decode(
+ext['extnValue'], asn1Spec=univ.OctetString())[0]
+gns = decoder.decode(der, asn1Spec=rfc2459.SubjectAltName())[0]
+break
+
+return gns
+
+
def get_san_general_names(cert):
"""
Return SAN general names from a python-cryptography
@@ -430,22 +453,7 @@ def get_san_general_names(cert):
and should go away.
"""
-tbs = decoder.decode(
-cert.tbs_certificate_bytes,
-asn1Spec=rfc2459.TBSCertificate()
-)[0]
-OID_SAN = univ.ObjectIdentifier('2.5.29.17')
-# One would expect KeyError or empty iterable when the key ('extensions'
-# in this particular case) is not pressent in
[Freeipa-devel] [freeipa PR#490][comment] certdb: use certutil and match_hostname for cert verification
URL: https://github.com/freeipa/freeipa/pull/490 Title: #490: certdb: use certutil and match_hostname for cert verification stlaz commented: """ I tried to use the wonderful github tool to resolve conflicts to make this more review-friendly but I guess it kind of missed the magic, it's ready for review anyway, please, finish it. """ See the full comment at https://github.com/freeipa/freeipa/pull/490#issuecomment-289807247 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#655][comment] httpinstance.disable_system_trust: Don't fail if module 'Root Certs' …
URL: https://github.com/freeipa/freeipa/pull/655 Title: #655: httpinstance.disable_system_trust: Don't fail if module 'Root Certs' … tomaskrizek commented: """ ipa-4-5: * 2a499551ca5ddf2596cc19a77f47c34e9f5c10c5 httpinstance.disable_system_trust: Don't fail if module 'Root Certs' is not available master: * 0128e805e591bc8ca5cea99739ad4cd7478df0b4 httpinstance.disable_system_trust: Don't fail if module 'Root Certs' is not available """ See the full comment at https://github.com/freeipa/freeipa/pull/655#issuecomment-289802039 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#655][closed] httpinstance.disable_system_trust: Don't fail if module 'Root Certs' …
URL: https://github.com/freeipa/freeipa/pull/655 Author: dkupka Title: #655: httpinstance.disable_system_trust: Don't fail if module 'Root Certs' … Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/655/head:pr655 git checkout pr655 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#655][+pushed] httpinstance.disable_system_trust: Don't fail if module 'Root Certs' …
URL: https://github.com/freeipa/freeipa/pull/655 Title: #655: httpinstance.disable_system_trust: Don't fail if module 'Root Certs' … Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#663][closed] Generate PIN for PKI to help Dogtag in FIPS
URL: https://github.com/freeipa/freeipa/pull/663 Author: stlaz Title: #663: Generate PIN for PKI to help Dogtag in FIPS Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/663/head:pr663 git checkout pr663 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#663][comment] Generate PIN for PKI to help Dogtag in FIPS
URL: https://github.com/freeipa/freeipa/pull/663 Title: #663: Generate PIN for PKI to help Dogtag in FIPS tomaskrizek commented: """ ipa-4-5: * 39eac72faef5f44c9fb2cad943ad58d23fe60cf3 Generate PIN for PKI to help Dogtag in FIPS master: * e204d030fc4154800acb0b2b312188e72dd80f80 Generate PIN for PKI to help Dogtag in FIPS """ See the full comment at https://github.com/freeipa/freeipa/pull/663#issuecomment-289800871 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#663][+pushed] Generate PIN for PKI to help Dogtag in FIPS
URL: https://github.com/freeipa/freeipa/pull/663 Title: #663: Generate PIN for PKI to help Dogtag in FIPS Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#663][+ack] Generate PIN for PKI to help Dogtag in FIPS
URL: https://github.com/freeipa/freeipa/pull/663 Title: #663: Generate PIN for PKI to help Dogtag in FIPS Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#664][+pushed] Backport of client session storage patches
URL: https://github.com/freeipa/freeipa/pull/664 Title: #664: Backport of client session storage patches Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#664][+ack] Backport of client session storage patches
URL: https://github.com/freeipa/freeipa/pull/664 Title: #664: Backport of client session storage patches Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#664][comment] Backport of client session storage patches
URL: https://github.com/freeipa/freeipa/pull/664 Title: #664: Backport of client session storage patches tomaskrizek commented: """ ipa-4-5: * f1d731a79c384c7406c52232ff291644137e100b Python 3: Fix session storage * ba828a53a4736ed326d95e30856daba2c060439c Avoid growing FILE ccaches unnecessarily * f41c9f476d678f9ecc4ca3338c7a58de0182f76f Handle failed authentication via cookie * 0912185b18599414e4f9302b1a80c6c7e9876821 Work around issues fetching session data * e94575f3466bbb8d4959ad0a1c436dcf745e3036 Prevent churn on ccaches """ See the full comment at https://github.com/freeipa/freeipa/pull/664#issuecomment-289795974 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#664][comment] Backport of client session storage patches
URL: https://github.com/freeipa/freeipa/pull/664 Title: #664: Backport of client session storage patches tomaskrizek commented: """ Thanks for the rebase! """ See the full comment at https://github.com/freeipa/freeipa/pull/664#issuecomment-289795319 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#664][closed] Backport of client session storage patches
URL: https://github.com/freeipa/freeipa/pull/664 Author: simo5 Title: #664: Backport of client session storage patches Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/664/head:pr664 git checkout pr664 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#662][+pushed] spec file: bump krb5-devel BuildRequires for certauth
URL: https://github.com/freeipa/freeipa/pull/662 Title: #662: spec file: bump krb5-devel BuildRequires for certauth Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#662][comment] spec file: bump krb5-devel BuildRequires for certauth
URL: https://github.com/freeipa/freeipa/pull/662 Title: #662: spec file: bump krb5-devel BuildRequires for certauth HonzaCholasta commented: """ master: * 2dda1acf44dc96e660e81baadee9c3a54bf05eb0 spec file: bump krb5-devel BuildRequires for certauth ipa-4-5: * 2d246000ef2d715fab464b8ef71fdb3731da127e spec file: bump krb5-devel BuildRequires for certauth """ See the full comment at https://github.com/freeipa/freeipa/pull/662#issuecomment-289780434 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#662][closed] spec file: bump krb5-devel BuildRequires for certauth
URL: https://github.com/freeipa/freeipa/pull/662 Author: HonzaCholasta Title: #662: spec file: bump krb5-devel BuildRequires for certauth Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/662/head:pr662 git checkout pr662 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#517][comment] Use Custodia 0.3.1 features
URL: https://github.com/freeipa/freeipa/pull/517 Title: #517: Use Custodia 0.3.1 features tiran commented: """ Custodia 0.3.1 also fixes https://github.com/latchset/custodia/issues/135 (KEM requests with whitespace in key name fail). The bug has been reported by @adelton as https://bugzilla.redhat.com/show_bug.cgi?id=1411810 . """ See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-289779539 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#662][comment] spec file: bump krb5-devel BuildRequires for certauth
URL: https://github.com/freeipa/freeipa/pull/662 Title: #662: spec file: bump krb5-devel BuildRequires for certauth dkupka commented: """ Works for me. """ See the full comment at https://github.com/freeipa/freeipa/pull/662#issuecomment-289772910 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#664][opened] Backport of client session storage patches
URL: https://github.com/freeipa/freeipa/pull/664
Author: simo5
Title: #664: Backport of client session storage patches
Action: opened
PR body:
"""
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/664/head:pr664
git checkout pr664
From 00457bdbb587aee442768582b24e5b29dfdafa10 Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Tue, 14 Mar 2017 18:20:13 +0100
Subject: [PATCH 1/5] Python 3: Fix session storage
ctypes can only handle bytes, not text. Encode and decode all incoming
and outgoing text from UTF-8 to bytes.
Signed-off-by: Christian Heimes
Reviewed-By: Simo Sorce
---
ipapython/session_storage.py | 19 ++-
1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py
index 7fe17fb..bcf0947 100644
--- a/ipapython/session_storage.py
+++ b/ipapython/session_storage.py
@@ -104,6 +104,13 @@ def store_data(princ_name, key, value):
"""
Stores the session cookie in a hidden ccache entry.
"""
+if not isinstance(princ_name, bytes):
+princ_name = princ_name.encode('utf-8')
+if not isinstance(key, bytes):
+key = key.encode('ascii')
+if not isinstance(value, bytes):
+value = value.encode('utf-8')
+
context = krb5_context()
principal = krb5_principal()
ccache = krb5_ccache()
@@ -136,6 +143,11 @@ def get_data(princ_name, key):
"""
Gets the session cookie in a hidden ccache entry.
"""
+if not isinstance(princ_name, bytes):
+princ_name = princ_name.encode('utf-8')
+if not isinstance(key, bytes):
+key = key.encode('utf-8')
+
context = krb5_context()
principal = krb5_principal()
ccache = krb5_ccache()
@@ -152,7 +164,7 @@ def get_data(princ_name, key):
krb5_cc_get_config(context, ccache, principal, key,
ctypes.byref(data))
-return str(data.data)
+return data.data.decode('utf-8')
finally:
if principal:
@@ -169,6 +181,11 @@ def remove_data(princ_name, key):
"""
Removes the hidden ccache entry with the session cookie.
"""
+if not isinstance(princ_name, bytes):
+princ_name = princ_name.encode('utf-8')
+if not isinstance(key, bytes):
+key = key.encode('utf-8')
+
context = krb5_context()
principal = krb5_principal()
ccache = krb5_ccache()
From 6a456dd40c861cdc37359f67e24ef9bc3dfea053 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Wed, 22 Mar 2017 18:25:38 -0400
Subject: [PATCH 2/5] Avoid growing FILE ccaches unnecessarily
Related https://pagure.io/freeipa/issue/6775
Signed-off-by: Simo Sorce
---
ipapython/session_storage.py | 6 ++
1 file changed, 6 insertions(+)
diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py
index bcf0947..f208827 100644
--- a/ipapython/session_storage.py
+++ b/ipapython/session_storage.py
@@ -111,6 +111,12 @@ def store_data(princ_name, key, value):
if not isinstance(value, bytes):
value = value.encode('utf-8')
+# FILE ccaches grow every time an entry is stored, so we need
+# to avoid storing the same entry multiple times.
+oldvalue = get_data(princ_name, key)
+if oldvalue == value:
+return
+
context = krb5_context()
principal = krb5_principal()
ccache = krb5_ccache()
From afb87ae3b7e08e42f4bd2399f48a0f2c45012cb2 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Wed, 22 Mar 2017 18:38:22 -0400
Subject: [PATCH 3/5] Handle failed authentication via cookie
If cookie authentication fails and we get back a 401 see if we
tried a SPNEGO auth by checking if we had a GSSAPI context. If not
it means our session cookie was invalid or expired or some other
error happened on the server that requires us to try a full SPNEGO
handshake, so go ahead and try it.
Fixes https://pagure.io/freeipa/issue/6775
Signed-off-by: Simo Sorce
---
ipalib/rpc.py | 52
1 file changed, 32 insertions(+), 20 deletions(-)
diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 303b22a..f597ce0 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -586,22 +586,33 @@ def _handle_exception(self, e, service=None):
else:
raise errors.KerberosError(message=unicode(e))
-def get_host_info(self, host):
+def _get_host(self):
+return self._connection[0]
+
+def _remove_extra_header(self, name):
+for (h, v) in self._extra_headers:
+if h == name:
+self._extra_headers.remove((h, v))
+break
+
+def get_auth_info(self, use_cookie=True):
"""
Two things can happen here. If we have a session we will add
a cookie for that. If not we will set an Authorization header.
"""
-(host, extra_headers, x509) = SSLTransport.get_host_info(self, host)
-
-if not isinstance(extra_headers, list):
[Freeipa-devel] [freeipa PR#662][+ack] spec file: bump krb5-devel BuildRequires for certauth
URL: https://github.com/freeipa/freeipa/pull/662 Title: #662: spec file: bump krb5-devel BuildRequires for certauth Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#644][+ack] extdom: improve certificate request
URL: https://github.com/freeipa/freeipa/pull/644 Title: #644: extdom: improve certificate request Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#644][comment] extdom: improve certificate request
URL: https://github.com/freeipa/freeipa/pull/644 Title: #644: extdom: improve certificate request dkupka commented: """ Works for me. """ See the full comment at https://github.com/freeipa/freeipa/pull/644#issuecomment-289764835 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#517][closed] Use Custodia 0.3.1 features
URL: https://github.com/freeipa/freeipa/pull/517 Author: tiran Title: #517: Use Custodia 0.3.1 features Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/517/head:pr517 git checkout pr517 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#517][comment] Use Custodia 0.3.1 features
URL: https://github.com/freeipa/freeipa/pull/517 Title: #517: Use Custodia 0.3.1 features pvomacka commented: """ ipa-4-5: * 403263df7a3be61086c87c5577698cf32a912065 Use Custodia 0.3.1 features master: * f5bf5466eda0de2a211b4f2682e5c50b82577701 Use Custodia 0.3.1 features """ See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-289762284 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#517][+pushed] Use Custodia 0.3.1 features
URL: https://github.com/freeipa/freeipa/pull/517 Title: #517: Use Custodia 0.3.1 features Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#649][comment] Session cookie storage and handling fixes
URL: https://github.com/freeipa/freeipa/pull/649 Title: #649: Session cookie storage and handling fixes MartinBasti commented: """ Yes please """ See the full comment at https://github.com/freeipa/freeipa/pull/649#issuecomment-289761754 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] Issue with clients
Hello, I am new to this community and have a FreeIPA server install that is trusted to AD using AD dns. I am having problems getting my clients to work properly. Everything seems to install properly the first time i try it but i get the following logs after that: (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [sdap_cli_connect_recv] (0x0040): Unable to establish connection [1432158225]: Authentication Failed (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [_be_fo_set_port_status] (0x8000): Setting status: PORT_NOT_WORKING. Called from: src/providers/ldap/sdap_async_connection.c: sdap_cli_connect_recv: 2048 (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'homeipa01.brad.local' as 'not working' (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [fo_set_port_status] (0x0400): Marking port 0 of duplicate server 'homeipa01.brad.local' as 'not working' (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [sdap_handle_release] (0x2000): Trace: sh[0x7efdeeccb150], connected[1], ops[(nil)], ldap[0x7efdeecf6730], destructor_lock[0], release_memory[0] (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [remove_connection_callback] (0x4000): Successfully removed connection callback. (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [sdap_id_op_connect_done] (0x4000): attempting failover retry on op #1 (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [sdap_id_op_connect_step] (0x4000): beginning to connect (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA' (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [get_server_status] (0x1000): Status of server 'homeipa01.brad.local' is 'name resolved' (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [get_port_status] (0x1000): Port status of port 389 for server 'homeipa01.brad.local' is 'not working' (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [get_server_status] (0x1000): Status of server 'homeipa01.brad.local' is 'name resolved' (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [get_port_status] (0x1000): Port status of port 0 for server 'homeipa01.brad.local' is 'not working' (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [fo_resolve_service_send] (0x0020): No available servers for service 'IPA' (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [sdap_id_op_connect_done] (0x4000): attempting failover retry on op #2 (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [sdap_id_op_connect_step] (0x4000): waiting for connection to complete (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [sdap_id_release_conn_data] (0x4000): releasing unused connection (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [be_resolve_server_done] (0x1000): Server resolution failed: [5]: Input/output error (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error]) (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [be_mark_offline] (0x2000): Going offline! (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [be_mark_offline] (0x2000): Enable check_if_online_ptask. (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [be_ptask_enable] (0x0400): Task [Check if online (periodic)]: enabling task (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [be_ptask_schedule] (0x0400): Task [Check if online (periodic)]: scheduling task 73 seconds from now [1490682941] (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks. (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [sdap_id_op_connect_done] (0x4000): notify offline to op #1 (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [ipa_subdomains_refresh_connect_done] (0x0020): Unable to connect to LDAP [11]: Resource temporarily unavailable (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [ipa_subdomains_refresh_connect_done] (0x0080): No IPA server is available, cannot get the subdomain list while offline (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [be_ptask_done] (0x0040): Task [Subdomains Refresh]: failed with [1432158212]: SSSD is offline (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [be_ptask_schedule] (0x0400): Task [Subdomains Refresh]: scheduling task 14400 seconds from now [1490697268] (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [sdap_id_op_connect_done] (0x4000): notify offline to op #2 (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [ipa_sudo_refresh_connect_done] (0x0020): SUDO LDAP connection failed [11]: Resource temporarily unavailable (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [be_ptask_done] (0x0040): Task [SUDO Full Refresh]: failed with [11]: Resource temporarily unavailable (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [be_ptask_schedule] (0x0400): Task [SUDO Full Refresh]: scheduling task 21600 seconds from now [149070
[Freeipa-devel] [freeipa PR#649][comment] Session cookie storage and handling fixes
URL: https://github.com/freeipa/freeipa/pull/649 Title: #649: Session cookie storage and handling fixes simo5 commented: """ Should I make a new PR for 4.5 ? """ See the full comment at https://github.com/freeipa/freeipa/pull/649#issuecomment-289761195 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#623][synchronized] client install: do not assume /etc/krb5.conf.d exists
URL: https://github.com/freeipa/freeipa/pull/623
Author: HonzaCholasta
Title: #623: client install: do not assume /etc/krb5.conf.d exists
Action: synchronized
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/623/head:pr623
git checkout pr623
From 540fa8f81622838815d784fd5295c7a4656caf3c Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Mon, 20 Mar 2017 06:56:53 +
Subject: [PATCH] install: do not assume /etc/krb5.conf.d exists
Add `includedir /etc/krb5.conf.d` to /etc/krb5.conf only if
/etc/krb5.conf.d exists.
Do not rely on /etc/krb5.conf.d to enable the certauth plugin.
This fixes install on platforms which do not have /etc/krb5.conf.d.
https://pagure.io/freeipa/issue/6589
---
.gitignore | 1 -
daemons/ipa-kdb/Makefile.am | 12 +
daemons/ipa-kdb/ipa-certauth.in | 5
freeipa.spec.in | 1 -
install/share/krb5.conf.template| 7 -
ipaclient/install/client.py | 16 +++-
ipaplatform/base/paths.py | 2 ++
ipaplatform/redhat/paths.py | 1 +
ipaserver/install/krbinstance.py| 9 ++-
ipaserver/install/server/upgrade.py | 51 +
10 files changed, 79 insertions(+), 26 deletions(-)
delete mode 100644 daemons/ipa-kdb/ipa-certauth.in
diff --git a/.gitignore b/.gitignore
index 8941fd8..90d7d23 100644
--- a/.gitignore
+++ b/.gitignore
@@ -75,7 +75,6 @@ freeipa2-dev-doc
/daemons/dnssec/ipa-ods-exporter.socket
/daemons/ipa-kdb/ipa_kdb_tests
/daemons/ipa-kdb/tests/.dirstamp
-/daemons/ipa-kdb/ipa-certauth
/daemons/ipa-otpd/ipa-otpd
/daemons/ipa-otpd/ipa-otpd.socket
/daemons/ipa-otpd/ipa-otpd@.service
diff --git a/daemons/ipa-kdb/Makefile.am b/daemons/ipa-kdb/Makefile.am
index 715666e..a512ab7 100644
--- a/daemons/ipa-kdb/Makefile.am
+++ b/daemons/ipa-kdb/Makefile.am
@@ -42,16 +42,6 @@ ipadb_la_SOURCES = \
if BUILD_IPA_CERTAUTH_PLUGIN
ipadb_la_SOURCES += ipa_kdb_certauth.c
-
-
-%: %.in
- sed \
- -e 's|@plugindir@|$(plugindir)|g' \
- '$(srcdir)/$@.in' >$@
-
-krb5confdir = $(sysconfdir)/krb5.conf.d
-krb5conf_DATA = ipa-certauth
-CLEANFILES = $(krb5conf_DATA)
endif
ipadb_la_LDFLAGS = \
@@ -105,7 +95,7 @@ ipa_kdb_tests_LDADD = \
-lsss_idmap \
$(NULL)
-dist_noinst_DATA = ipa_kdb.exports ipa-certauth.in
+dist_noinst_DATA = ipa_kdb.exports
clean-local:
rm -f tests/.dirstamp
diff --git a/daemons/ipa-kdb/ipa-certauth.in b/daemons/ipa-kdb/ipa-certauth.in
deleted file mode 100644
index eda89a2..000
--- a/daemons/ipa-kdb/ipa-certauth.in
+++ /dev/null
@@ -1,5 +0,0 @@
-[plugins]
- certauth = {
- module = ipakdb:@plugindir@/ipadb.so
- enable_only = ipakdb
- }
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 5419ed1..d1bb171 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1167,7 +1167,6 @@ fi
%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf
%config(noreplace) %{_sysconfdir}/oddjobd.conf.d/ipa-server.conf
-%config(noreplace) %{_sysconfdir}/krb5.conf.d/ipa-certauth
%dir %{_libexecdir}/ipa/certmonger
%attr(755,root,root) %{_libexecdir}/ipa/certmonger/*
# NOTE: systemd specific section
diff --git a/install/share/krb5.conf.template b/install/share/krb5.conf.template
index e8b2ad8..acfeeb3 100644
--- a/install/share/krb5.conf.template
+++ b/install/share/krb5.conf.template
@@ -1,4 +1,4 @@
-includedir /etc/krb5.conf.d/
+$INCLUDES
includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
@@ -34,3 +34,8 @@ $OTHER_DOMAIN_REALM_MAPS
db_library = ipadb.so
}
+[plugins]
+ certauth = {
+ module = ipakdb:$IPADB_SO
+ enable_only = ipakdb
+ }
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 549c9b8..371581a 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -641,14 +641,18 @@ def configure_krb5_conf(
'value': 'File modified by ipa-client-install'
},
krbconf.emptyLine(),
-{
-'name': 'includedir',
-'type': 'option',
-'value': paths.COMMON_KRB5_CONF_DIR,
-'delim': ' '
-}
]
+if os.path.exists(paths.COMMON_KRB5_CONF_DIR):
+opts.extend([
+{
+'name': 'includedir',
+'type': 'option',
+'value': paths.COMMON_KRB5_CONF_DIR,
+'delim': ' '
+}
+])
+
# SSSD include dir
if configure_sssd:
opts.extend([
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 9cf160f..7395f14 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -186,12 +186,14 @@ class BasePathNamespace(object):
BIND_LDAP_DNS_ZONE_WORKDIR = "/var/named/dyndb-ldap/ipa/master/"
USR_LIB_DIRSRV = "/usr/lib/dirsrv"
LIB_FIREFOX = "/usr/lib/firefo
[Freeipa-devel] [freeipa PR#517][+ack] Use Custodia 0.3.1 features
URL: https://github.com/freeipa/freeipa/pull/517 Title: #517: Use Custodia 0.3.1 features Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#643][closed] [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work
URL: https://github.com/freeipa/freeipa/pull/643 Author: dkupka Title: #643: [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/643/head:pr643 git checkout pr643 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#643][+pushed] [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work
URL: https://github.com/freeipa/freeipa/pull/643 Title: #643: [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#517][synchronized] Use Custodia 0.3.1 features
URL: https://github.com/freeipa/freeipa/pull/517
Author: tiran
Title: #517: Use Custodia 0.3.1 features
Action: synchronized
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/517/head:pr517
git checkout pr517
From 776d7ec853051cc09c5b6de928f3a4c62dfd4695 Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Tue, 28 Feb 2017 12:07:19 +0100
Subject: [PATCH] Use Custodia 0.3.1 features
* Use sd-notify in ipa-custodia.service
* Introduce libexec/ipa/ipa-custodia script. It comes with correct
default setting for IPA's config file. The new file also makes it
simpler to run IPA's custodia instance with its own SELinux context.
* ipapython no longer depends on custodia
The patch addresses three issues:
* https://bugzilla.redhat.com/show_bug.cgi?id=1430247
Forward compatibility with Custodia 0.3 in Fedora rawhide
* https://pagure.io/freeipa/issue/5825
Use sd-notify
* https://pagure.io/freeipa/issue/6788
Prepare for separate SELinux context
Signed-off-by: Christian Heimes
---
freeipa.spec.in | 13 -
init/systemd/Makefile.am | 1 +
init/systemd/ipa-custodia.service.in | 5 ++---
install/tools/Makefile.am| 1 +
install/tools/ipa-custodia | 6 ++
ipapython/setup.py | 1 -
ipaserver/secrets/service.py | 30 ++
ipaserver/setup.py | 1 +
ipasetup.py.in | 1 +
9 files changed, 50 insertions(+), 9 deletions(-)
create mode 100755 install/tools/ipa-custodia
create mode 100644 ipaserver/secrets/service.py
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 5419ed1..4c27fab 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -181,7 +181,8 @@ BuildRequires: pki-base-python2
BuildRequires: python-pytest-multihost
BuildRequires: python-pytest-sourceorder
BuildRequires: python-jwcrypto
-BuildRequires: python-custodia
+# 0.3: sd_notify (https://pagure.io/freeipa/issue/5825)
+BuildRequires: python-custodia >= 0.3.1
BuildRequires: dbus-python
BuildRequires: python-dateutil
BuildRequires: python-enum34
@@ -216,7 +217,8 @@ BuildRequires: pki-base-python3
BuildRequires: python3-pytest-multihost
BuildRequires: python3-pytest-sourceorder
BuildRequires: python3-jwcrypto
-BuildRequires: python3-custodia
+# 0.3: sd_notify (https://pagure.io/freeipa/issue/5825)
+BuildRequires: python3-custodia >= 0.3.1
BuildRequires: python3-dbus
BuildRequires: python3-dateutil
BuildRequires: python3-enum34
@@ -337,6 +339,7 @@ BuildArch: noarch
Requires: %{name}-server-common = %{version}-%{release}
Requires: %{name}-common = %{version}-%{release}
Requires: python2-ipaclient = %{version}-%{release}
+Requires: python-custodia >= 0.3.1
Requires: python-ldap >= 2.4.15
Requires: python-lxml
Requires: python-gssapi >= 1.2.0
@@ -367,6 +370,7 @@ BuildArch: noarch
Requires: %{name}-server-common = %{version}-%{release}
Requires: %{name}-common = %{version}-%{release}
Requires: python3-ipaclient = %{version}-%{release}
+Requires: python3-custodia >= 0.3.1
Requires: python3-pyldap >= 2.4.15
Requires: python3-lxml
Requires: python3-gssapi >= 1.2.0
@@ -396,7 +400,7 @@ BuildArch: noarch
Requires: %{name}-client-common = %{version}-%{release}
Requires: httpd >= 2.4.6-31
Requires: systemd-units >= 38
-Requires: custodia
+Requires: custodia >= 0.3.1
Provides: %{alt_name}-server-common = %{version}
Conflicts: %{alt_name}-server-common
@@ -647,7 +651,6 @@ Requires: python-jwcrypto
Requires: python-cffi
Requires: python-ldap >= 2.4.15
Requires: python-requests
-Requires: python-custodia
Requires: python-dns >= 1.15
Requires: python-enum34
Requires: python-netifaces >= 0.10.4
@@ -696,7 +699,6 @@ Requires: python3-six
Requires: python3-jwcrypto
Requires: python3-cffi
Requires: python3-pyldap >= 2.4.15
-Requires: python3-custodia
Requires: python3-requests
Requires: python3-dns >= 1.15
Requires: python3-netifaces >= 0.10.4
@@ -1157,6 +1159,7 @@ fi
%{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit
%{_libexecdir}/certmonger/ipa-server-guard
%dir %{_libexecdir}/ipa
+%{_libexecdir}/ipa/ipa-custodia
%{_libexecdir}/ipa/ipa-dnskeysyncd
%{_libexecdir}/ipa/ipa-dnskeysync-replica
%{_libexecdir}/ipa/ipa-ods-exporter
diff --git a/init/systemd/Makefile.am b/init/systemd/Makefile.am
index 325e857..945f6ac 100644
--- a/init/systemd/Makefile.am
+++ b/init/systemd/Makefile.am
@@ -18,5 +18,6 @@ CLEANFILES = $(systemdsystemunit_DATA)
-e 's|@IPA_SYSCONF_DIR[@]|$(IPA_SYSCONF_DIR)|g' \
-e 's|@localstatedir[@]|$(localstatedir)|g' \
-e 's|@sbindir[@]|$(sbindir)|g' \
+ -e 's|@libexecdir[@]|$(libexecdir)|g' \
-e 's|@sysconfenvdir[@]|$(sysconfenvdir)|g' \
'$(srcdir)/$@.in' >$@
diff --git a/init/systemd/ipa-custodia.service.in b/init/systemd/ipa-custodia.service.in
index 3f9b128..0247bd8 100644
--- a/init/systemd/ipa-custodia.service.in
+++ b/init/systemd/ipa
[Freeipa-devel] [freeipa PR#643][comment] [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work
URL: https://github.com/freeipa/freeipa/pull/643 Title: #643: [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work pvomacka commented: """ ipa-4-5: * aa24ed88006925e6d7e44567b087364b0116db9c spec file: Bump requires to make Certificate Login in WebUI work master: * 27d13d90fe9b06618c88bc20b7d6540e6b4d367f spec file: Bump requires to make Certificate Login in WebUI work """ See the full comment at https://github.com/freeipa/freeipa/pull/643#issuecomment-289753377 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#643][+ack] [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work
URL: https://github.com/freeipa/freeipa/pull/643 Title: #643: [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#623][comment] client install: do not assume /etc/krb5.conf.d exists
URL: https://github.com/freeipa/freeipa/pull/623 Title: #623: client install: do not assume /etc/krb5.conf.d exists tiran commented: """ **Practicality beats purity** Let's define ```/etc/krb5.conf.d``` as part of our API and don't waste more time on shaving yet another yak. @tjaalton (Debian/Ubuntu maintainer) said > fine by me """ See the full comment at https://github.com/freeipa/freeipa/pull/623#issuecomment-289747474 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#663][opened] Generate PIN for PKI to help Dogtag in FIPS
URL: https://github.com/freeipa/freeipa/pull/663
Author: stlaz
Title: #663: Generate PIN for PKI to help Dogtag in FIPS
Action: opened
PR body:
"""
Dogtag is currently unable to generate a PIN it could use for
an NSS database creation in FIPS. Generate it for them so that
we don't fail.
https://pagure.io/freeipa/issue/6824
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/663/head:pr663
git checkout pr663
From 287954ab65a579f9551ecd5c6d8e403e5f06abc9 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka
Date: Tue, 28 Mar 2017 13:54:16 +0200
Subject: [PATCH] Generate PIN for PKI to help Dogtag in FIPS
Dogtag is currently unable to generate a PIN it could use for
an NSS database creation in FIPS. Generate it for them so that
we don't fail.
https://pagure.io/freeipa/issue/6824
---
ipaserver/install/cainstance.py | 6 +-
ipaserver/install/krainstance.py | 6 +-
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index f0d3c23..92bb760 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -541,6 +541,10 @@ def __spawn_instance(self):
# CA key algorithm
config.set("CA", "pki_ca_signing_key_algorithm", self.ca_signing_algorithm)
+# generate pin which we know can be used for FIPS NSS database
+pki_pin = ipautil.ipa_generate_password()
+config.set("CA", "pki_pin", pki_pin)
+
if self.clone:
if self.no_db_setup:
@@ -613,7 +617,7 @@ def __spawn_instance(self):
try:
DogtagInstance.spawn_instance(
self, cfg_file,
-nolog_list=(self.dm_password, self.admin_password)
+nolog_list=(self.dm_password, self.admin_password, pki_pin)
)
finally:
os.remove(cfg_file)
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index b41ccb6..34d6678 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -235,6 +235,10 @@ def __spawn_instance(self):
"KRA", "pki_share_dbuser_dn",
str(DN(('uid', 'pkidbuser'), ('ou', 'people'), ('o', 'ipaca'
+# generate pin which we know can be used for FIPS NSS database
+pki_pin = ipautil.ipa_generate_password()
+config.set("KRA", "pki_pin", pki_pin)
+
_p12_tmpfile_handle, p12_tmpfile_name = tempfile.mkstemp(dir=paths.TMP)
if self.clone:
@@ -275,7 +279,7 @@ def __spawn_instance(self):
try:
DogtagInstance.spawn_instance(
self, cfg_file,
-nolog_list=(self.dm_password, self.admin_password)
+nolog_list=(self.dm_password, self.admin_password, pki_pin)
)
finally:
os.remove(p12_tmpfile_name)
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#649][comment] Session cookie storage and handling fixes
URL: https://github.com/freeipa/freeipa/pull/649 Title: #649: Session cookie storage and handling fixes tomaskrizek commented: """ master: * 9a6ac74eb4421b9ffa831dc6fed067d2ddc0618e Avoid growing FILE ccaches unnecessarily * fbbeb132bf37f8a03ef2f2184adb11796ab13d8b Handle failed authentication via cookie * e07aefb886096a7d419a4f1a2dec287e5ecd1626 Work around issues fetching session data * d63326632b796a5ec9c6468c5ffe0c5a846501e1 Prevent churn on ccaches """ See the full comment at https://github.com/freeipa/freeipa/pull/649#issuecomment-289742598 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#643][synchronized] [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work
URL: https://github.com/freeipa/freeipa/pull/643
Author: dkupka
Title: #643: [master, 4.5] spec file: Bump requires to make Certificate Login
in WebUI work
Action: synchronized
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/643/head:pr643
git checkout pr643
From 8ed872f93ad46f6b1fb261a74566444e850ab190 Mon Sep 17 00:00:00 2001
From: David Kupka
Date: Thu, 23 Mar 2017 08:43:51 +0100
Subject: [PATCH] spec file: Bump requires to make Certificate Login in WebUI
work
gssproxy >= 0.7.0-2 - fixes impersonator checking
mod_lookup_identity >= 0.9.9 - adds support for single certificate assigned to multiple users
mod_nss >= 1.0.14-3 - no longer sets remote user in fixup hook
sssd-dbus >= 1.15.2 - adds FindByNameAndCertificate DBus method
https://pagure.io/freeipa/issue/6823
---
freeipa.spec.in | 13 -
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index f776b34..144d0cd 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -267,9 +267,11 @@ Requires: ntp
Requires: httpd >= 2.4.6-31
Requires: mod_wsgi
Requires: mod_auth_gssapi >= 1.5.0
-Requires: mod_nss >= 1.0.8-26
+# 1.0.14-3: https://bugzilla.redhat.com/show_bug.cgi?id=1431206
+Requires: mod_nss >= 1.0.14-3
Requires: mod_session
-Requires: mod_lookup_identity
+# 0.9.9: https://github.com/adelton/mod_lookup_identity/pull/3
+Requires: mod_lookup_identity >= 0.9.9
Requires: python-ldap >= 2.4.15
Requires: python-gssapi >= 1.2.0
Requires: acl
@@ -297,9 +299,10 @@ Requires: systemd-python
Requires: %{etc_systemd_dir}
Requires: gzip
Requires: oddjob
-Requires: gssproxy >= 0.7.0
-# Require 1.15.1 for the certificate identity mapping feature
-Requires: sssd-dbus >= 1.15.1
+# 0.7.0-2: https://pagure.io/gssproxy/pull-request/172
+Requires: gssproxy >= 0.7.0-2
+# 1.15.2: FindByNameAndCertificate (https://pagure.io/SSSD/sssd/issue/3050)
+Requires: sssd-dbus >= 1.15.2
Provides: %{alt_name}-server = %{version}
Conflicts: %{alt_name}-server
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#649][comment] Session cookie storage and handling fixes
URL: https://github.com/freeipa/freeipa/pull/649 Title: #649: Session cookie storage and handling fixes tomaskrizek commented: """ @simo5 Please rebase for `ipa-4-5`. """ See the full comment at https://github.com/freeipa/freeipa/pull/649#issuecomment-289742723 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#649][+pushed] Session cookie storage and handling fixes
URL: https://github.com/freeipa/freeipa/pull/649 Title: #649: Session cookie storage and handling fixes Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#649][closed] Session cookie storage and handling fixes
URL: https://github.com/freeipa/freeipa/pull/649 Author: simo5 Title: #649: Session cookie storage and handling fixes Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/649/head:pr649 git checkout pr649 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#517][comment] Use Custodia 0.3.1 features
URL: https://github.com/freeipa/freeipa/pull/517 Title: #517: Use Custodia 0.3.1 features MartinBasti commented: """ Works for me, can be pushed when dependencies bumped """ See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-289739858 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#623][comment] client install: do not assume /etc/krb5.conf.d exists
URL: https://github.com/freeipa/freeipa/pull/623
Title: #623: client install: do not assume /etc/krb5.conf.d exists
lslebodn commented:
"""
On (28/03/17 04:08), Christian Heimes wrote:
>The ipa-certauth plugin now starts to rely on the existence of
>```/etc/krb5.conf.d```:
>
>```
>%config(noreplace) %{_sysconfdir}/krb5.conf.d/ipa-certauth
>```
>
The upstream spec file is fedora/rhel spec files and fedora+rhel have
`%{_sysconfdir}/krb5.conf.d/`. I cannot see any problem.
>**Practicality beats purity**, let's make ```/etc/krb5.conf.d``` part of the
>offical FreeIPA configuation settings on all IPA enrolled systems.
>
But neither debian nor arch linux/opensuse have this directory(or any other)
included by default in `/etc/krb5.conf`.
I would like to see standard directory for krb5 snippet files.
But that should be solved in distribution. And just used by freeipa.
LS
"""
See the full comment at
https://github.com/freeipa/freeipa/pull/623#issuecomment-289738839
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#656][closed] Backup CA cert from kerberos folder
URL: https://github.com/freeipa/freeipa/pull/656 Author: stlaz Title: #656: Backup CA cert from kerberos folder Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/656/head:pr656 git checkout pr656 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#656][comment] Backup CA cert from kerberos folder
URL: https://github.com/freeipa/freeipa/pull/656 Title: #656: Backup CA cert from kerberos folder tomaskrizek commented: """ master: * dc13703e75997e0c9539b326acb13458dae00202 Backup CA cert from kerberos folder ipa-4-5: * 9fdc27ba3594e921d21d664fc5728292e52ac350 Backup CA cert from kerberos folder """ See the full comment at https://github.com/freeipa/freeipa/pull/656#issuecomment-289738530 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#656][+pushed] Backup CA cert from kerberos folder
URL: https://github.com/freeipa/freeipa/pull/656 Title: #656: Backup CA cert from kerberos folder Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#661][+pushed] git-commit-template: update ticket url to use pagure.io instead of fe…
URL: https://github.com/freeipa/freeipa/pull/661 Title: #661: git-commit-template: update ticket url to use pagure.io instead of fe… Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#661][comment] git-commit-template: update ticket url to use pagure.io instead of fe…
URL: https://github.com/freeipa/freeipa/pull/661 Title: #661: git-commit-template: update ticket url to use pagure.io instead of fe… tomaskrizek commented: """ master: * f17460a34ce452b46d431850aa565efd6c7b23ba git-commit-template: update ticket url to use pagure.io instead of fedorahosted.org """ See the full comment at https://github.com/freeipa/freeipa/pull/661#issuecomment-289737719 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#661][closed] git-commit-template: update ticket url to use pagure.io instead of fe…
URL: https://github.com/freeipa/freeipa/pull/661 Author: flo-renaud Title: #661: git-commit-template: update ticket url to use pagure.io instead of fe… Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/661/head:pr661 git checkout pr661 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#660][+pushed] rpcserver.login_x509: Actually return reply from __call__ method
URL: https://github.com/freeipa/freeipa/pull/660 Title: #660: rpcserver.login_x509: Actually return reply from __call__ method Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#660][comment] rpcserver.login_x509: Actually return reply from __call__ method
URL: https://github.com/freeipa/freeipa/pull/660 Title: #660: rpcserver.login_x509: Actually return reply from __call__ method pvomacka commented: """ ipa-4-5: * c80941e98bfd00c1c6e530aa4a592354adff8d90 rpcserver.login_x509: Actually return reply from __call__ method master: * 7e1fdd2c5881893fd9540689045a11f9e88beef9 rpcserver.login_x509: Actually return reply from __call__ method """ See the full comment at https://github.com/freeipa/freeipa/pull/660#issuecomment-289736121 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#517][comment] Use Custodia 0.3.1 features
URL: https://github.com/freeipa/freeipa/pull/517 Title: #517: Use Custodia 0.3.1 features MartinBasti commented: """ Probably we should bump requires to custodia >= 0.3.1 """ See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-289737346 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#623][comment] client install: do not assume /etc/krb5.conf.d exists
URL: https://github.com/freeipa/freeipa/pull/623
Title: #623: client install: do not assume /etc/krb5.conf.d exists
tiran commented:
"""
The ipa-certauth plugin now starts to rely on the existence of
```/etc/krb5.conf.d```:
```
%config(noreplace) %{_sysconfdir}/krb5.conf.d/ipa-certauth
```
**Practicality beats purity**, let's make ```/etc/krb5.conf.d``` part of the
offical FreeIPA configuation settings on all IPA enrolled systems.
"""
See the full comment at
https://github.com/freeipa/freeipa/pull/623#issuecomment-289736798
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#660][closed] rpcserver.login_x509: Actually return reply from __call__ method
URL: https://github.com/freeipa/freeipa/pull/660 Author: dkupka Title: #660: rpcserver.login_x509: Actually return reply from __call__ method Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/660/head:pr660 git checkout pr660 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#517][comment] Use Custodia 0.3.1 features
URL: https://github.com/freeipa/freeipa/pull/517 Title: #517: Use Custodia 0.3.1 features tiran commented: """ F25 scratch build https://koji.fedoraproject.org/koji/taskinfo?taskID=18643521 ``` $ fedpkg clone custodia $ cd custodia $ fedpkg switch-branch master $ fedpkg scratch-build --srpm --target f25 ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-289735201 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#662][opened] spec file: bump krb5-devel BuildRequires for certauth
URL: https://github.com/freeipa/freeipa/pull/662
Author: HonzaCholasta
Title: #662: spec file: bump krb5-devel BuildRequires for certauth
Action: opened
PR body:
"""
Bump BuildRequires on krb5-devel to the version which introduces the
certauth pluggable interface.
This fixes RPM build failure when an older version of krb5-devel was
installed.
https://pagure.io/freeipa/issue/4905
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/662/head:pr662
git checkout pr662
From eaf2627c1893527f425a4f9e2e469b9c12f2c298 Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Tue, 28 Mar 2017 10:43:31 +
Subject: [PATCH] spec file: bump krb5-devel BuildRequires for certauth
Bump BuildRequires on krb5-devel to the version which introduces the
certauth pluggable interface.
This fixes RPM build failure when an older version of krb5-devel was
installed.
https://pagure.io/freeipa/issue/4905
---
freeipa.spec.in | 6 ++
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 5419ed1..85610a0 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -80,12 +80,10 @@ BuildRequires: openldap-devel
# will cause the build to fail due to unsatisfied dependencies.
# DAL version change may cause code crash or memory leaks, it is better to fail early.
%if 0%{?fedora} > 25
-BuildRequires: krb5-devel >= 1.15-5
BuildRequires: krb5-kdb-version = 6.1
-%else
-# 1.12: libkrad (http://krbdev.mit.edu/rt/Ticket/Display.html?id=7678)
-BuildRequires: krb5-devel >= 1.12
%endif
+# 1.15.1-3: certauth (http://krbdev.mit.edu/rt/Ticket/Display.html?id=8561)
+BuildRequires: krb5-devel >= 1.15.1-3
# 1.27.4: xmlrpc_curl_xportparms.gssapi_delegation
BuildRequires: xmlrpc-c-devel >= 1.27.4
BuildRequires: popt-devel
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#655][comment] httpinstance.disable_system_trust: Don't fail if module 'Root Certs' …
URL: https://github.com/freeipa/freeipa/pull/655 Title: #655: httpinstance.disable_system_trust: Don't fail if module 'Root Certs' … stlaz commented: """ This fixes the mentioned issue. I did not test whether the actual disable works but I should hope so as I don't see how this could break it. """ See the full comment at https://github.com/freeipa/freeipa/pull/655#issuecomment-289729611 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#655][+ack] httpinstance.disable_system_trust: Don't fail if module 'Root Certs' …
URL: https://github.com/freeipa/freeipa/pull/655 Title: #655: httpinstance.disable_system_trust: Don't fail if module 'Root Certs' … Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#640][comment] Remove pkinit options from master/replica on DL0
URL: https://github.com/freeipa/freeipa/pull/640 Title: #640: Remove pkinit options from master/replica on DL0 MartinBasti commented: """ With this PR applied I cannot use webUI with DL0 """ See the full comment at https://github.com/freeipa/freeipa/pull/640#issuecomment-289721101 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#656][comment] Backup CA cert from kerberos folder
URL: https://github.com/freeipa/freeipa/pull/656 Title: #656: Backup CA cert from kerberos folder MartinBasti commented: """ Yeah and I found where, it fails with #640 This PR can be pushed and ticket closed """ See the full comment at https://github.com/freeipa/freeipa/pull/656#issuecomment-289720981 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#656][comment] Backup CA cert from kerberos folder
URL: https://github.com/freeipa/freeipa/pull/656 Title: #656: Backup CA cert from kerberos folder stlaz commented: """ Works for me on DL0 as well, you might have had a broken installation. """ See the full comment at https://github.com/freeipa/freeipa/pull/656#issuecomment-289714596 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#643][comment] [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work
URL: https://github.com/freeipa/freeipa/pull/643 Title: #643: [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work pvomacka commented: """ @dkupka I created a new ticket: https://pagure.io/freeipa/issue/6823 """ See the full comment at https://github.com/freeipa/freeipa/pull/643#issuecomment-289705221 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#656][comment] Backup CA cert from kerberos folder
URL: https://github.com/freeipa/freeipa/pull/656 Title: #656: Backup CA cert from kerberos folder stlaz commented: """ This seems like a pkinit-related issue, since pkinit is not finished (although released) and should be only avaialable on domain levels > 0, I don't think this should stop us from pushing this, I will investigate the issue nonetheless. """ See the full comment at https://github.com/freeipa/freeipa/pull/656#issuecomment-289702239 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#656][comment] Backup CA cert from kerberos folder
URL: https://github.com/freeipa/freeipa/pull/656 Title: #656: Backup CA cert from kerberos folder MartinBasti commented: """ I tried with DL0: * it may be different bug with DL0 * backup/restore is broken only with DL0 """ See the full comment at https://github.com/freeipa/freeipa/pull/656#issuecomment-289700819 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#616][comment] Simplify KRA transport cert cache
URL: https://github.com/freeipa/freeipa/pull/616 Title: #616: Simplify KRA transport cert cache HonzaCholasta commented: """ master: * abefb64bea8ea1b8487ad87716e4a33d19dc Simplify KRA transport cert cache ipa-4-5: * 2723b5fa5edc75901c8fbaf110a37c87df0aec87 Simplify KRA transport cert cache """ See the full comment at https://github.com/freeipa/freeipa/pull/616#issuecomment-289696220 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#616][closed] Simplify KRA transport cert cache
URL: https://github.com/freeipa/freeipa/pull/616 Author: tiran Title: #616: Simplify KRA transport cert cache Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/616/head:pr616 git checkout pr616 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#616][+ack] Simplify KRA transport cert cache
URL: https://github.com/freeipa/freeipa/pull/616 Title: #616: Simplify KRA transport cert cache Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#616][+pushed] Simplify KRA transport cert cache
URL: https://github.com/freeipa/freeipa/pull/616 Title: #616: Simplify KRA transport cert cache Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#661][comment] git-commit-template: update ticket url to use pagure.io instead of fe…
URL: https://github.com/freeipa/freeipa/pull/661 Title: #661: git-commit-template: update ticket url to use pagure.io instead of fe… stlaz commented: """ ACK, stopping the tests as the change does not have anything to do with our codebase. """ See the full comment at https://github.com/freeipa/freeipa/pull/661#issuecomment-289693993 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#661][+ack] git-commit-template: update ticket url to use pagure.io instead of fe…
URL: https://github.com/freeipa/freeipa/pull/661 Title: #661: git-commit-template: update ticket url to use pagure.io instead of fe… Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#661][opened] git-commit-template: update ticket url to use pagure.io instead of fe…
URL: https://github.com/freeipa/freeipa/pull/661 Author: flo-renaud Title: #661: git-commit-template: update ticket url to use pagure.io instead of fe… Action: opened PR body: """ …dorahosted.org After the migration to pagure.io, tickets are accessed through another URL. In order to use the commit template: git config commit.template .git-commit-template https://pagure.io/freeipa/issue/6822 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/661/head:pr661 git checkout pr661 From 256270a2eaaa673ac3479341f8b86fb4f80c7263 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Tue, 28 Mar 2017 09:25:31 +0200 Subject: [PATCH] git-commit-template: update ticket url to use pagure.io instead of fedorahosted.org After the migration to pagure.io, tickets are accessed through another URL. In order to use the commit template: git config commit.template .git-commit-template https://pagure.io/freeipa/issue/6822 --- .git-commit-template | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.git-commit-template b/.git-commit-template index a5671eb..6076f1a 100644 --- a/.git-commit-template +++ b/.git-commit-template @@ -2,4 +2,4 @@ component: Subject Explanation -https://fedorahosted.org/freeipa/ticket/ +https://pagure.io/freeipa/issue/ -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#660][+ack] rpcserver.login_x509: Actually return reply from __call__ method
URL: https://github.com/freeipa/freeipa/pull/660 Title: #660: rpcserver.login_x509: Actually return reply from __call__ method Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#640][comment] Remove pkinit options from master/replica on DL0
URL: https://github.com/freeipa/freeipa/pull/640 Title: #640: Remove pkinit options from master/replica on DL0 stlaz commented: """ Ah, right, replica does not have `domain_level` option 🙄 """ See the full comment at https://github.com/freeipa/freeipa/pull/640#issuecomment-289684664 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#656][comment] Backup CA cert from kerberos folder
URL: https://github.com/freeipa/freeipa/pull/656 Title: #656: Backup CA cert from kerberos folder stlaz commented: """ Yes, it indeed works for me. """ See the full comment at https://github.com/freeipa/freeipa/pull/656#issuecomment-289683317 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#652][comment] dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function
URL: https://github.com/freeipa/freeipa/pull/652 Title: #652: dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function HonzaCholasta commented: """ master: * e934da09d5e738c735f874931dd1b54d79b3150b dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function ipa-4-5: * 8f738f1ea9f86a921e3dc0fd02e57419f3173ed9 dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function """ See the full comment at https://github.com/freeipa/freeipa/pull/652#issuecomment-289681810 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#652][+pushed] dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function
URL: https://github.com/freeipa/freeipa/pull/652 Title: #652: dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#652][closed] dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function
URL: https://github.com/freeipa/freeipa/pull/652 Author: flo-renaud Title: #652: dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/652/head:pr652 git checkout pr652 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#652][+ack] dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function
URL: https://github.com/freeipa/freeipa/pull/652 Title: #652: dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
