[Freeipa-devel] [freeipa PR#490][synchronized] certdb: use certutil and match_hostname for cert verification
URL: https://github.com/freeipa/freeipa/pull/490 Author: HonzaCholasta Title: #490: certdb: use certutil and match_hostname for cert verification Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/490/head:pr490 git checkout pr490 From 585fdab796513b63850500b3196c941047d0cd03 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Mon, 2 Jan 2017 13:53:18 +0100 Subject: [PATCH] certdb: use certutil and match_hostname for cert verification Use certutil and ssl.match_hostname calls instead of python-nss for certificate verification. --- freeipa.spec.in | 16 +-- ipalib/x509.py | 71 --- ipapython/certdb.py | 80 - ipasetup.py.in | 2 +- 4 files changed, 94 insertions(+), 75 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index e7e39e8..5678549 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -160,8 +160,8 @@ BuildRequires: python3-wheel # %if 0%{?with_lint} BuildRequires: samba-python -# 1.4: the version where Certificate.serial changed to .serial_number -BuildRequires: python-cryptography >= 1.4 +# 1.6: x509.Name.rdns (https://github.com/pyca/cryptography/issues/3199) +BuildRequires: python-cryptography >= 1.6 BuildRequires: python-gssapi >= 1.2.0 BuildRequires: pylint >= 1.6 # workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506 @@ -196,8 +196,8 @@ BuildRequires: python2-jinja2 %if 0%{?with_python3} # FIXME: this depedency is missing - server will not work #BuildRequires: python3-samba -# 1.4: the version where Certificate.serial changed to .serial_number -BuildRequires: python3-cryptography >= 1.4 +# 1.6: x509.Name.rdns (https://github.com/pyca/cryptography/issues/3199) +BuildRequires: python3-cryptography >= 1.6 BuildRequires: python3-gssapi >= 1.2.0 BuildRequires: python3-pylint >= 1.6 # workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506 @@ -636,7 +636,7 @@ Requires: gnupg Requires: keyutils Requires: pyOpenSSL Requires: python-nss >= 0.16 -Requires: python-cryptography >= 1.4 +Requires: python-cryptography >= 1.6 Requires: python-netaddr Requires: python-libipa_hbac Requires: python-qrcode-core >= 5.0.0 @@ -685,7 +685,7 @@ Requires: gnupg Requires: keyutils Requires: python3-pyOpenSSL Requires: python3-nss >= 0.16 -Requires: python3-cryptography >= 1.4 +Requires: python3-cryptography >= 1.6 Requires: python3-netaddr Requires: python3-libipa_hbac Requires: python3-qrcode-core >= 5.0.0 @@ -760,7 +760,7 @@ Requires: python-pytest-multihost >= 0.5 Requires: python-pytest-sourceorder Requires: ldns-utils Requires: python-sssdconfig -Requires: python2-cryptography >= 1.4 +Requires: python2-cryptography >= 1.6 Provides: %{alt_name}-tests = %{version} Conflicts: %{alt_name}-tests @@ -794,7 +794,7 @@ Requires: python3-pytest-multihost >= 0.5 Requires: python3-pytest-sourceorder Requires: ldns-utils Requires: python3-sssdconfig -Requires: python3-cryptography >= 1.4 +Requires: python3-cryptography >= 1.6 %description -n python3-ipatests IPA is an integrated solution to provide centrally managed Identity (users, diff --git a/ipalib/x509.py b/ipalib/x509.py index f65cf81..dbcbb59 100644 --- a/ipalib/x509.py +++ b/ipalib/x509.py @@ -35,6 +35,7 @@ import binascii import datetime import ipaddress +import ssl import base64 import re @@ -49,6 +50,7 @@ from ipalib import util from ipalib import errors from ipapython.dn import DN +from ipapython.dnsutil import DNSName if six.PY3: unicode = str @@ -406,6 +408,27 @@ def process_othernames(gns): yield gn +def _pyasn1_get_san_general_names(cert): +tbs = decoder.decode( +cert.tbs_certificate_bytes, +asn1Spec=rfc2459.TBSCertificate() +)[0] +OID_SAN = univ.ObjectIdentifier('2.5.29.17') +# One would expect KeyError or empty iterable when the key ('extensions' +# in this particular case) is not pressent in the certificate but pyasn1 +# returns None here +extensions = tbs['extensions'] or [] +gns = [] +for ext in extensions: +if ext['extnID'] == OID_SAN: +der = decoder.decode( +ext['extnValue'], asn1Spec=univ.OctetString())[0] +gns = decoder.decode(der, asn1Spec=rfc2459.SubjectAltName())[0] +break + +return gns + + def get_san_general_names(cert): """ Return SAN general names from a python-cryptography @@ -430,22 +453,7 @@ def get_san_general_names(cert): and should go away. """ -tbs = decoder.decode( -cert.tbs_certificate_bytes, -asn1Spec=rfc2459.TBSCertificate() -)[0] -OID_SAN = univ.ObjectIdentifier('2.5.29.17') -# One would expect KeyError or empty iterable when the key ('extensions' -# in this particular case) is not pressent in the certificate but pyasn1 -# returns N
[Freeipa-devel] [freeipa PR#621][synchronized] Add --force-password-reset to user_mod in user.py
URL: https://github.com/freeipa/freeipa/pull/621 Author: redhatrises Title: #621: Add --force-password-reset to user_mod in user.py Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/621/head:pr621 git checkout pr621 From 78377d860e797db3b8bd82ebc354513b0dc8f9af Mon Sep 17 00:00:00 2001 From: Gabe Date: Tue, 28 Mar 2017 21:47:06 -0600 Subject: [PATCH] Add --password-expiration to allow admin to force user password expiration - Allows an admin to easily force a user to expire their password forcing the user to change it immediately or at a specified time in the future --- ACI.txt | 2 +- API.txt | 18 -- VERSION.m4| 2 +- ipalib/parameters.py | 17 +++-- ipaserver/plugins/baseuser.py | 4 ipaserver/plugins/user.py | 2 +- 6 files changed, 30 insertions(+), 15 deletions(-) diff --git a/ACI.txt b/ACI.txt index 9c7996c..185812a 100644 --- a/ACI.txt +++ b/ACI.txt @@ -351,7 +351,7 @@ aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts dn: cn=users,cn=accounts,dc=ipa,dc=example aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Add Users";allow (add) groupdn = "ldap:///cn=System: Add Users,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=users,cn=accounts,dc=ipa,dc=example -aci: (targetattr = "krbprincipalkey || passwordhistory || sambalmpassword || sambantpassword || userpassword")(targetfilter = "(&(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=ipa,dc=example))(objectclass=posixaccount))")(version 3.0;acl "permission:System: Change User password";allow (write) groupdn = "ldap:///cn=System: Change User password,cn=permissions,cn=pbac,dc=ipa,dc=example";) +aci: (targetattr = "krbpasswordexpiration || krbprincipalkey || passwordhistory || sambalmpassword || sambantpassword || userpassword")(targetfilter = "(&(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=ipa,dc=example))(objectclass=posixaccount))")(version 3.0;acl "permission:System: Change User password";allow (write) groupdn = "ldap:///cn=System: Change User password,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=users,cn=accounts,dc=ipa,dc=example aci: (targetattr = "ipacertmapdata || objectclass")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Manage User Certificate Mappings";allow (write) groupdn = "ldap:///cn=System: Manage User Certificate Mappings,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=users,cn=accounts,dc=ipa,dc=example diff --git a/API.txt b/API.txt index 7594157..7850538 100644 --- a/API.txt +++ b/API.txt @@ -4828,7 +4828,7 @@ output: Entry('result') output: Output('summary', type=[, ]) output: PrimaryKey('value') command: stageuser_add/1 -args: 1,44,3 +args: 1,45,3 arg: Str('uid', cli_name='login') option: Str('addattr*', cli_name='addattr') option: Flag('all', autofill=True, cli_name='all', default=False) @@ -4849,6 +4849,7 @@ option: Str('ipasshpubkey*', cli_name='sshpubkey') option: Str('ipatokenradiusconfiglink?', cli_name='radius') option: Str('ipatokenradiususername?', cli_name='radius_username') option: StrEnum('ipauserauthtype*', cli_name='user_auth_type', values=[u'password', u'radius', u'otp']) +option: DateTime('krbpasswordexpiration?', cli_name='password_expiration') option: DateTime('krbprincipalexpiration?', cli_name='principal_expiration') option: Principal('krbprincipalname*', autofill=True, cli_name='principal') option: Str('l?', cli_name='city') @@ -4933,7 +4934,7 @@ output: Output('result', type=[]) output: Output('summary', type=[, ]) output: ListOfPrimaryKeys('value') command: stageuser_find/1 -args: 1,53,4 +args: 1,54,4 arg: Str('criteria?') option: Flag('all', autofill=True, cli_name='all', default=False) option: Str('carlicense*', autofill=False) @@ -4956,6 +4957,7 @@ option: Str('initials?', autofill=False) option: Str('ipatokenradiusconfiglink?', autofill=False, cli_name='radius') option: Str('ipatokenradiususername?', autofill=False, cli_name='radius_username') option: StrEnum('ipauserauthtype*', autofill=False, cli_name='user_auth_type', values=[u'password', u'radius', u'otp']) +option: DateTime('krbpasswordexpiration?', autofill=False, cli_name='password_expiration') option: DateTime('krbprincipalexpiration?', autofill=False, cli_name='principal_expiration') option: Principal('krbprincipalname*', autofill=False, cli_name='principal') option: Str('l?', autofill=False, cli_name='city') @@ -4993,7 +4995,7 @@ output: ListOfEntries('result') output: Output('summary', type=[, ]) output: Output('truncated', type=[]) command: stageuser_mod/1 -args: 1,46,3 +args: 1,47,3 arg: Str('uid', cli_name='login') option: Str('addattr*', cli_name='addattr') option: Flag('all', autofill=True, cli_name='all', default=False) @@ -5014,6 +5016,7 @@ option: Str('ipasshpubkey*', autofill=False
[Freeipa-devel] [freeipa PR#632][edited] ipa-sam: create the gidNumber attribute in the trusted domain entry
URL: https://github.com/freeipa/freeipa/pull/632 Author: flo-renaud Title: #632: ipa-sam: create the gidNumber attribute in the trusted domain entry Action: edited Changed field: body Original value: """ When a trusted domain entry is created, the uidNumber attribute is created but not the gidNumber attribute. This causes samba to log Failed to find a Unix account for DOM-AD$ because the samu structure does not contain a group_sid and is not put in the cache. The fix creates the gidNumber attribute in the trusted domain entry, and initialises the group_sid field in the samu structure returned by ldapsam_getsampwnam. This ensures that the entry is put in the cache. Note that this is only a partial fix for 6660 as it does not prevent _netr_ServerAuthenticate3 from failing with the log _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client VM-AD machine account dom-ad.example.com. https://pagure.io/freeipa/issue/6660 """ -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#632][comment] ipa-sam: create the gidNumber attribute in the trusted domain entry
URL: https://github.com/freeipa/freeipa/pull/632 Title: #632: ipa-sam: create the gidNumber attribute in the trusted domain entry flo-renaud commented: """ I updated the commit message with a different issue number, related to the "Failed to find a unix account" message. """ See the full comment at https://github.com/freeipa/freeipa/pull/632#issuecomment-289891045 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#632][synchronized] ipa-sam: create the gidNumber attribute in the trusted domain entry
URL: https://github.com/freeipa/freeipa/pull/632 Author: flo-renaud Title: #632: ipa-sam: create the gidNumber attribute in the trusted domain entry Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/632/head:pr632 git checkout pr632 From b000fdfc229917e6cb62ba185ac24522899b3f86 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Tue, 21 Mar 2017 17:33:20 +0100 Subject: [PATCH] ipa-sam: create the gidNumber attribute in the trusted domain entry When a trusted domain entry is created, the uidNumber attribute is created but not the gidNumber attribute. This causes samba to log Failed to find a Unix account for DOM-AD$ because the samu structure does not contain a group_sid and is not put in the cache. The fix creates the gidNumber attribute in the trusted domain entry, and initialises the group_sid field in the samu structure returned by ldapsam_getsampwnam. This ensures that the entry is put in the cache. Note that this is only a partial fix for 6660 as it does not prevent _netr_ServerAuthenticate3 from failing with the log _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client VM-AD machine account dom-ad.example.com. https://pagure.io/freeipa/issue/6827 --- daemons/ipa-sam/ipa_sam.c | 26 ++ 1 file changed, 26 insertions(+) diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c index 4c1fda5..c483ee4 100644 --- a/daemons/ipa-sam/ipa_sam.c +++ b/daemons/ipa-sam/ipa_sam.c @@ -2419,6 +2419,8 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods, if (entry == NULL || sid == NULL) { smbldap_make_mod(priv2ld(ldap_state), entry, &mods, LDAP_ATTRIBUTE_UIDNUMBER, IPA_MAGIC_ID_STR); + smbldap_make_mod(priv2ld(ldap_state), entry, &mods, + LDAP_ATTRIBUTE_GIDNUMBER, IPA_MAGIC_ID_STR); } if (td->netbios_name != NULL) { @@ -2823,12 +2825,18 @@ static uint32_t pdb_ipasam_capabilities(struct pdb_methods *methods) return PDB_CAP_STORE_RIDS | PDB_CAP_ADS | PDB_CAP_TRUSTED_DOMAINS_EX; } +static int ipasam_get_primary_group_sid(TALLOC_CTX *mem_ctx, +struct ldapsam_privates *ldap_state, +LDAPMessage *entry, +struct dom_sid **_group_sid); + static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td, LDAPMessage *entry, struct ldapsam_privates *ldap_state) { NTSTATUS status; struct dom_sid *u_sid; + struct dom_sid *g_sid; char *name; char *trustpw = NULL; char *trustpw_utf8 = NULL; @@ -2839,6 +2847,7 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td, bool res; char *sid_str; enum idmap_error_code err; + TALLOC_CTX *tmp_ctx; if (!pdb_set_acct_ctrl(user, ACB_DOMTRUST | ACB_TRUSTED_FOR_DELEGATION, PDB_SET)) { @@ -2884,6 +2893,23 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td, } talloc_free(u_sid); + tmp_ctx= talloc_init("init_sam_from_td"); + if (!tmp_ctx) { + return false; + } + + if (ipasam_get_primary_group_sid(tmp_ctx, ldap_state, entry, &g_sid) + != 0) { + talloc_free(tmp_ctx); + return false; + } + + if (!pdb_set_group_sid(user, g_sid, PDB_SET)) { + talloc_free(tmp_ctx); + return false; + } + talloc_free(tmp_ctx); + status = get_trust_pwd(user, &td->trust_auth_incoming, &trustpw, NULL); if (!NT_STATUS_IS_OK(status)) { return false; -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#665][synchronized] Allow erasing ipaDomainResolutionOrder attribute
URL: https://github.com/freeipa/freeipa/pull/665 Author: fidencio Title: #665: Allow erasing ipaDomainResolutionOrder attribute Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/665/head:pr665 git checkout pr665 From 7d2b66cc8b5af7c2a1fefa00fe44a171ae092b35 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Tue, 28 Mar 2017 16:15:21 +0200 Subject: [PATCH] Allow erasing ipaDomainResolutionOrder attribute MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Currently when trying to erase the ipaDomainResolutionOrder attribute we hit an internal error as the split() method is called on a None object. By returning early in case of empty string we now allow removing the ipaDomainResolutionOrder attribute by both calling delattr or setting its value to an empty string. https://pagure.io/freeipa/issue/6825 Signed-off-by: Fabiano Fidêncio --- ipaserver/plugins/config.py | 5 + 1 file changed, 5 insertions(+) diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py index 232c881..b50e7a4 100644 --- a/ipaserver/plugins/config.py +++ b/ipaserver/plugins/config.py @@ -359,6 +359,11 @@ def validate_domain_resolution_order(self, entry_attrs): domain_resolution_order = entry_attrs[attr_name] +# setting up an empty string means that the previous configuration has +# to be cleaned up/removed. So, do nothing and let it pass +if not domain_resolution_order: +return + # empty resolution order is signalized by single separator, do nothing # and let it pass if domain_resolution_order == DOMAIN_RESOLUTION_ORDER_SEPARATOR: -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#665][comment] Allow erasing ipaDomainResolutionOrder attribute
URL: https://github.com/freeipa/freeipa/pull/665 Title: #665: Allow erasing ipaDomainResolutionOrder attribute fidencio commented: """ I have updated the commit message as I found a typo there: "both doing calling delattr or" -> "both calling delattr or" """ See the full comment at https://github.com/freeipa/freeipa/pull/665#issuecomment-289861109 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#667][opened] idrange-mod: properly handle empty --dom-name option
URL: https://github.com/freeipa/freeipa/pull/667 Author: flo-renaud Title: #667: idrange-mod: properly handle empty --dom-name option Action: opened PR body: """ When idrange-mod is called with --dom-name=, the CLI exits with ipa: ERROR: an internal error has occurred This happens because the code checks if the option is provided but does not check if the value is None. We need to handle empty dom-name as if the option was not specified. https://pagure.io/freeipa/issue/6404 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/667/head:pr667 git checkout pr667 From b47744c922942426d12b1f5572a89e087bed7a3e Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Tue, 28 Mar 2017 16:02:45 +0200 Subject: [PATCH] idrange-mod: properly handle empty --dom-name option When idrange-mod is called with --dom-name=, the CLI exits with ipa: ERROR: an internal error has occurred This happens because the code checks if the option is provided but does not check if the value is None. We need to handle empty dom-name as if the option was not specified. https://pagure.io/freeipa/issue/6404 --- ipaserver/plugins/idrange.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/plugins/idrange.py b/ipaserver/plugins/idrange.py index 5b88a6b..c8ea95a 100644 --- a/ipaserver/plugins/idrange.py +++ b/ipaserver/plugins/idrange.py @@ -411,7 +411,7 @@ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): # This needs to stay in options since there is no # ipanttrusteddomainname attribute in LDAP -if 'ipanttrusteddomainname' in options: +if options.get('ipanttrusteddomainname'): if is_set('ipanttrusteddomainsid'): raise errors.ValidationError(name='ID Range setup', error=_('Options dom-sid and dom-name ' -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#644][+pushed] extdom: improve certificate request
URL: https://github.com/freeipa/freeipa/pull/644 Title: #644: extdom: improve certificate request Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#644][comment] extdom: improve certificate request
URL: https://github.com/freeipa/freeipa/pull/644 Title: #644: extdom: improve certificate request tomaskrizek commented: """ master: * ee455f163d756a6b71db8e999365139cad46c6ad extdom: do reverse search for domain separator * 8960398a57f69c124ec3105289dc355baa0d5b09 extdom: improve cert request ipa-4-5: * 8046f9baab1e93b8b8e11d05088c8cdabdd47281 extdom: do reverse search for domain separator * a510a3d7e9f37e89acee84bed2363cb7f57fe88e extdom: improve cert request """ See the full comment at https://github.com/freeipa/freeipa/pull/644#issuecomment-289824801 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#644][closed] extdom: improve certificate request
URL: https://github.com/freeipa/freeipa/pull/644 Author: sumit-bose Title: #644: extdom: improve certificate request Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/644/head:pr644 git checkout pr644 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#644][synchronized] extdom: improve certificate request
URL: https://github.com/freeipa/freeipa/pull/644 Author: sumit-bose Title: #644: extdom: improve certificate request Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/644/head:pr644 git checkout pr644 From e04d0cfe6735a14aa0535d45982ea2aa7480edf5 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Fri, 17 Mar 2017 14:10:52 +0100 Subject: [PATCH 1/2] extdom: do reverse search for domain separator To avoid issues which @-signs in the short user or group names it is better to search for the domain separator starting at the end of the fully-qualified name. --- daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c index e629247..aa1ff10 100644 --- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c @@ -515,7 +515,7 @@ int pack_ber_user(struct ipa_extdom_ctx *ctx, char *short_user_name = NULL; short_user_name = strdup(user_name); -if ((locat = strchr(short_user_name, SSSD_DOMAIN_SEPARATOR)) != NULL) { +if ((locat = strrchr(short_user_name, SSSD_DOMAIN_SEPARATOR)) != NULL) { if (strcasecmp(locat+1, domain_name) == 0 ) { locat[0] = '\0'; } else { @@ -626,7 +626,7 @@ int pack_ber_group(enum response_types response_type, char *short_group_name = NULL; short_group_name = strdup(group_name); -if ((locat = strchr(short_group_name, SSSD_DOMAIN_SEPARATOR)) != NULL) { +if ((locat = strrchr(short_group_name, SSSD_DOMAIN_SEPARATOR)) != NULL) { if (strcasecmp(locat+1, domain_name) == 0 ) { locat[0] = '\0'; } else { @@ -901,7 +901,7 @@ static int handle_sid_or_cert_request(struct ipa_extdom_ctx *ctx, goto done; } -sep = strchr(fq_name, SSSD_DOMAIN_SEPARATOR); +sep = strrchr(fq_name, SSSD_DOMAIN_SEPARATOR); if (sep == NULL) { set_err_msg(req, "Failed to split fully qualified name"); ret = LDAP_OPERATIONS_ERROR; From 33952e2a2cf8e7afeac492ade676027b12649501 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Fri, 17 Mar 2017 14:48:50 +0100 Subject: [PATCH 2/2] extdom: improve cert request Certificates can be assigned to multiple user so the extdom plugin must use sss_nss_getlistbycert() instead of sss_nss_getnamebycert() and return a list of fully-qualified user names. Due to issues on the SSSD side the current version of lookups by certificates didn't work at all and the changes here won't break existing clients. Related to https://pagure.io/freeipa/issue/6826 --- .../ipa-extdom-extop/ipa_extdom.h | 3 +- .../ipa-extdom-extop/ipa_extdom_common.c | 157 ++--- server.m4 | 2 +- 3 files changed, 143 insertions(+), 19 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h index 34e2d3c..bc29f06 100644 --- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h @@ -95,7 +95,8 @@ enum response_types { RESP_USER, RESP_GROUP, RESP_USER_GROUPLIST, -RESP_GROUP_MEMBERS +RESP_GROUP_MEMBERS, +RESP_NAME_LIST }; struct extdom_req { diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c index aa1ff10..fe225fa 100644 --- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c @@ -698,6 +698,90 @@ int pack_ber_group(enum response_types response_type, return ret; } +int pack_ber_name_list(struct extdom_req *req, char **fq_name_list, + struct berval **berval) +{ +BerElement *ber = NULL; +int ret; +char *sep; +size_t c; +size_t len; +size_t name_len; + +/* count the names */ +for (c = 0; fq_name_list[c] != NULL; c++); +if (c == 0) { +set_err_msg(req, "Empty name list"); +return LDAP_NO_SUCH_OBJECT; +} + +ber = ber_alloc_t( LBER_USE_DER ); +if (ber == NULL) { +set_err_msg(req, "BER alloc failed"); +return LDAP_OPERATIONS_ERROR; +} + + +ret = ber_printf(ber,"{e{", RESP_NAME_LIST); +if (ret == -1) { +set_err_msg(req, "BER start failed"); +ber_free(ber, 1); +return LDAP_OPERATIONS_ERROR; +} + +for (c = 0; fq_name_list[c] != NULL; c++) { +len = strlen(fq_name_list[c]); +if (len < 3) { +set_err_msg(req, "Fully qualified name too short"); +ber_free(ber, 1); +return LDAP_OPERATIONS_ERROR; +} + +
[Freeipa-devel] [freeipa PR#623][comment] client install: do not assume /etc/krb5.conf.d exists
URL: https://github.com/freeipa/freeipa/pull/623 Title: #623: client install: do not assume /etc/krb5.conf.d exists frozencemetery commented: """ (Note: a standard directory in distributions that freeipa could use would be provided by the krb5 maintainer, not the freeipa maintainer.) """ See the full comment at https://github.com/freeipa/freeipa/pull/623#issuecomment-289823559 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#490][comment] certdb: use certutil and match_hostname for cert verification
URL: https://github.com/freeipa/freeipa/pull/490 Title: #490: certdb: use certutil and match_hostname for cert verification tiran commented: """ github magic is bad magic :/ It still shows up as 'conflicting' for me. I'll try to find time to review the issue tomorrow, Thursday latest. """ See the full comment at https://github.com/freeipa/freeipa/pull/490#issuecomment-289822893 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#665][comment] Allow erasing ipaDomainResolutionOrder attribute
URL: https://github.com/freeipa/freeipa/pull/665 Title: #665: Allow erasing ipaDomainResolutionOrder attribute MartinBasti commented: """ LGTM """ See the full comment at https://github.com/freeipa/freeipa/pull/665#issuecomment-289817220 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#665][synchronized] Allow erasing ipaDomainResolutionOrder attribute
URL: https://github.com/freeipa/freeipa/pull/665 Author: fidencio Title: #665: Allow erasing ipaDomainResolutionOrder attribute Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/665/head:pr665 git checkout pr665 From e81f650ea4dbe262275a8b1a13f8a99368f03c45 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Tue, 28 Mar 2017 16:15:21 +0200 Subject: [PATCH] Allow erasing ipaDomainResolutionOrder attribute MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Currently when trying to erase the ipaDomainResolutionOrder attribute we hit an internal error as the split() method is called on a None object. By returning early in case of empty string we now allow removing the ipaDomainResolutionOrder attribute by both doing calling delattr or setting its value to an empty string. https://pagure.io/freeipa/issue/6825 Signed-off-by: Fabiano Fidêncio --- ipaserver/plugins/config.py | 5 + 1 file changed, 5 insertions(+) diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py index 232c881..b50e7a4 100644 --- a/ipaserver/plugins/config.py +++ b/ipaserver/plugins/config.py @@ -359,6 +359,11 @@ def validate_domain_resolution_order(self, entry_attrs): domain_resolution_order = entry_attrs[attr_name] +# setting up an empty string means that the previous configuration has +# to be cleaned up/removed. So, do nothing and let it pass +if not domain_resolution_order: +return + # empty resolution order is signalized by single separator, do nothing # and let it pass if domain_resolution_order == DOMAIN_RESOLUTION_ORDER_SEPARATOR: -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#666][opened] Fix anonymous principal handling in replica install
URL: https://github.com/freeipa/freeipa/pull/666 Author: martbab Title: #666: Fix anonymous principal handling in replica install Action: opened PR body: """ This PR should unblock replica install against <4.5 masters if `--no-pkinit` option is given. Be aware of the non-working WebUI after install, this will be fixed once local PKINIT will be implemented. Requires https://github.com/freeipa/freeipa/pull/631 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/666/head:pr666 git checkout pr666 From 11ab779e1f5ed4bc0d97ce812636e2c51f044b26 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Tue, 21 Mar 2017 17:03:35 +0100 Subject: [PATCH 1/6] Upgrade: configure PKINIT after adding anonymous principal In order to set up PKINIT, the anonymous principal must already be created, otherwise the upgrade with fail when trying out anonymous PKINIT. Switch the order of steps so that this issue does not occur. https://pagure.io/freeipa/issue/6792 --- ipaserver/install/server/upgrade.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 1706079..be07d78 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -1809,9 +1809,9 @@ def upgrade_configuration(): KDC_CERT=paths.KDC_CERT, KDC_KEY=paths.KDC_KEY, CACERT_PEM=paths.CACERT_PEM) -setup_pkinit(krb) enable_anonymous_principal(krb) http.request_anon_keytab() +setup_pkinit(krb) if not ds_running: ds.stop(ds_serverid) From 25247306f44fd01eb737bedfdeec925f506dec6b Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Wed, 22 Mar 2017 10:01:34 +0100 Subject: [PATCH 2/6] Remove unused variable from failed anonymous PKINIT handling https://pagure.io/freeipa/issue/6792 --- ipaserver/install/krbinstance.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py index d936cc5..c817076 100644 --- a/ipaserver/install/krbinstance.py +++ b/ipaserver/install/krbinstance.py @@ -413,7 +413,7 @@ def setup_pkinit(self): with ipautil.private_ccache() as anon_ccache: try: ipautil.run([paths.KINIT, '-n', '-c', anon_ccache]) -except ipautil.CalledProcessError as e: +except ipautil.CalledProcessError: raise RuntimeError("Failed to configure anonymous PKINIT") def enable_ssl(self): From 2adbb7d5bcb14759625e9805e2ebcb36b2586362 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Wed, 22 Mar 2017 10:04:52 +0100 Subject: [PATCH 3/6] Split out anonymous PKINIT test to a separate method This allows for more flexibility in the whole PKINIT setup process. https://pagure.io/freeipa/issue/6792 --- ipaserver/install/krbinstance.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py index c817076..5f4b528 100644 --- a/ipaserver/install/krbinstance.py +++ b/ipaserver/install/krbinstance.py @@ -410,6 +410,7 @@ def setup_pkinit(self): root_logger.critical("krb5kdc service failed to restart") raise +def test_anonymous_pkinit(self): with ipautil.private_ccache() as anon_ccache: try: ipautil.run([paths.KINIT, '-n', '-c', anon_ccache]) @@ -421,6 +422,7 @@ def enable_ssl(self): self.steps = [] self.step("installing X509 Certificate for PKINIT", self.setup_pkinit) +self.step("testing anonymous PKINIT", self.test_anonymous_pkinit) self.start_creation() From a2ecdb818ef9e3f8dc2bb97688c894c99ca9 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Wed, 22 Mar 2017 11:56:18 +0100 Subject: [PATCH 4/6] Ensure KDC is propery configured after upgrade https://pagure.io/freeipa/issue/6792 --- ipaserver/install/server/upgrade.py | 10 +- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index be07d78..0db764c 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -1499,15 +1499,14 @@ def enable_anonymous_principal(krb): def setup_pkinit(krb): root_logger.info("[Setup PKINIT]") -if os.path.exists(paths.KDC_CERT): -root_logger.info("PKINIT already set up") -return - if not api.Command.ca_is_enabled()['result']: root_logger.info("CA is not enabled") return -krb.setup_pkinit() +if not os.path.exists(paths.KDC_CERT): +root_logger.info("Requesting PKINIT certificate") +krb.setup_pkinit() + replacevars = dict() replacevars['pkinit_identity'] = 'FILE:{},{}'.format( paths.KDC_CERT,paths.KDC_KEY)
[Freeipa-devel] [freeipa PR#665][opened] Allow erasing ipaDomainResolutionOrder attribute
URL: https://github.com/freeipa/freeipa/pull/665 Author: fidencio Title: #665: Allow erasing ipaDomainResolutionOrder attribute Action: opened PR body: """ Currently when trying to erase the ipaDomainResolutionOrder attribute we hit an internal error as the split() method is called on a None object. By returning early in case of empty string we now allow removing the ipaDomainResolutionOrder attribute by both doing calling delattr or setting its value to an empty string. https://pagure.io/freeipa/issue/6825 Signed-off-by: Fabiano Fidêncio """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/665/head:pr665 git checkout pr665 From afa6e8342bcfedf09cd3e7e6917243b3512d3cfb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Tue, 28 Mar 2017 16:15:21 +0200 Subject: [PATCH] Allow erasing ipaDomainResolutionOrder attribute MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Currently when trying to erase the ipaDomainResolutionOrder attribute we hit an internal error as the split() method is called on a None object. By returning early in case of empty string we now allow removing the ipaDomainResolutionOrder attribute by both doing calling delattr or setting its value to an empty string. https://pagure.io/freeipa/issue/6825 Signed-off-by: Fabiano Fidêncio --- ipaserver/plugins/config.py | 6 ++ 1 file changed, 6 insertions(+) diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py index 232c881..7167baa 100644 --- a/ipaserver/plugins/config.py +++ b/ipaserver/plugins/config.py @@ -359,6 +359,11 @@ def validate_domain_resolution_order(self, entry_attrs): domain_resolution_order = entry_attrs[attr_name] +# setting up an empty string means that the previous configuration has +# to be cleaned up/removed. So, do nothing and let it pass +if not domain_resolution_order: +return + # empty resolution order is signalized by single separator, do nothing # and let it pass if domain_resolution_order == DOMAIN_RESOLUTION_ORDER_SEPARATOR: @@ -367,6 +372,7 @@ def validate_domain_resolution_order(self, entry_attrs): submitted_domains = domain_resolution_order.split( DOMAIN_RESOLUTION_ORDER_SEPARATOR) + known_domains = self.gather_trusted_domains() # add FreeIPA domain to the list of domains. This one is always enabled -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#631][synchronized] Upgrade: configure PKINIT after adding anonymous principal
URL: https://github.com/freeipa/freeipa/pull/631 Author: martbab Title: #631: Upgrade: configure PKINIT after adding anonymous principal Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/631/head:pr631 git checkout pr631 From 11ab779e1f5ed4bc0d97ce812636e2c51f044b26 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Tue, 21 Mar 2017 17:03:35 +0100 Subject: [PATCH 1/4] Upgrade: configure PKINIT after adding anonymous principal In order to set up PKINIT, the anonymous principal must already be created, otherwise the upgrade with fail when trying out anonymous PKINIT. Switch the order of steps so that this issue does not occur. https://pagure.io/freeipa/issue/6792 --- ipaserver/install/server/upgrade.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 1706079..be07d78 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -1809,9 +1809,9 @@ def upgrade_configuration(): KDC_CERT=paths.KDC_CERT, KDC_KEY=paths.KDC_KEY, CACERT_PEM=paths.CACERT_PEM) -setup_pkinit(krb) enable_anonymous_principal(krb) http.request_anon_keytab() +setup_pkinit(krb) if not ds_running: ds.stop(ds_serverid) From 25247306f44fd01eb737bedfdeec925f506dec6b Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Wed, 22 Mar 2017 10:01:34 +0100 Subject: [PATCH 2/4] Remove unused variable from failed anonymous PKINIT handling https://pagure.io/freeipa/issue/6792 --- ipaserver/install/krbinstance.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py index d936cc5..c817076 100644 --- a/ipaserver/install/krbinstance.py +++ b/ipaserver/install/krbinstance.py @@ -413,7 +413,7 @@ def setup_pkinit(self): with ipautil.private_ccache() as anon_ccache: try: ipautil.run([paths.KINIT, '-n', '-c', anon_ccache]) -except ipautil.CalledProcessError as e: +except ipautil.CalledProcessError: raise RuntimeError("Failed to configure anonymous PKINIT") def enable_ssl(self): From 2adbb7d5bcb14759625e9805e2ebcb36b2586362 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Wed, 22 Mar 2017 10:04:52 +0100 Subject: [PATCH 3/4] Split out anonymous PKINIT test to a separate method This allows for more flexibility in the whole PKINIT setup process. https://pagure.io/freeipa/issue/6792 --- ipaserver/install/krbinstance.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py index c817076..5f4b528 100644 --- a/ipaserver/install/krbinstance.py +++ b/ipaserver/install/krbinstance.py @@ -410,6 +410,7 @@ def setup_pkinit(self): root_logger.critical("krb5kdc service failed to restart") raise +def test_anonymous_pkinit(self): with ipautil.private_ccache() as anon_ccache: try: ipautil.run([paths.KINIT, '-n', '-c', anon_ccache]) @@ -421,6 +422,7 @@ def enable_ssl(self): self.steps = [] self.step("installing X509 Certificate for PKINIT", self.setup_pkinit) +self.step("testing anonymous PKINIT", self.test_anonymous_pkinit) self.start_creation() From a2ecdb818ef9e3f8dc2bb97688c894c99ca9 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Wed, 22 Mar 2017 11:56:18 +0100 Subject: [PATCH 4/4] Ensure KDC is propery configured after upgrade https://pagure.io/freeipa/issue/6792 --- ipaserver/install/server/upgrade.py | 10 +- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index be07d78..0db764c 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -1499,15 +1499,14 @@ def enable_anonymous_principal(krb): def setup_pkinit(krb): root_logger.info("[Setup PKINIT]") -if os.path.exists(paths.KDC_CERT): -root_logger.info("PKINIT already set up") -return - if not api.Command.ca_is_enabled()['result']: root_logger.info("CA is not enabled") return -krb.setup_pkinit() +if not os.path.exists(paths.KDC_CERT): +root_logger.info("Requesting PKINIT certificate") +krb.setup_pkinit() + replacevars = dict() replacevars['pkinit_identity'] = 'FILE:{},{}'.format( paths.KDC_CERT,paths.KDC_KEY) @@ -1519,6 +1518,7 @@ def setup_pkinit(krb): if krb.is_running(): krb.stop() krb.start() +krb.test_anonymous_pkinit() def disable_httpd_system_trust(http): -- Manage your subscription for the Freeipa-devel mailing list: https://ww
[Freeipa-devel] [freeipa PR#658][synchronized] Hide PKI Client database password in log file
URL: https://github.com/freeipa/freeipa/pull/658 Author: Akasurde Title: #658: Hide PKI Client database password in log file Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/658/head:pr658 git checkout pr658 From 08f9f956ca67a317fd2088787d23944b247494ed Mon Sep 17 00:00:00 2001 From: Abhijeet Kasurde Date: Mon, 27 Mar 2017 16:06:09 +0530 Subject: [PATCH] Hide PKI Client database password in log file Signed-off-by: Abhijeet Kasurde --- ipaserver/install/cainstance.py | 5 - ipaserver/install/krainstance.py | 9 ++--- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 92bb760..2d33a97 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -617,7 +617,10 @@ def __spawn_instance(self): try: DogtagInstance.spawn_instance( self, cfg_file, -nolog_list=(self.dm_password, self.admin_password, pki_pin) +nolog_list=(self.dm_password, +self.admin_password, +pki_pin, +self.tmp_agent_pwd) ) finally: os.remove(cfg_file) diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py index 34d6678..6fa4f0f 100644 --- a/ipaserver/install/krainstance.py +++ b/ipaserver/install/krainstance.py @@ -150,6 +150,7 @@ def __spawn_instance(self): os.chown(cfg_file, pent.pw_uid, pent.pw_gid) self.tmp_agent_db = tempfile.mkdtemp( prefix="tmp-", dir=paths.VAR_LIB_IPA) +tmp_agent_pwd = ipautil.ipa_generate_password() # Create KRA configuration config = ConfigParser() @@ -173,8 +174,7 @@ def __spawn_instance(self): # Client security database config.set("KRA", "pki_client_database_dir", self.tmp_agent_db) -config.set("KRA", "pki_client_database_password", - ipautil.ipa_generate_password()) +config.set("KRA", "pki_client_database_password", tmp_agent_pwd) config.set("KRA", "pki_client_database_purge", "True") config.set("KRA", "pki_client_pkcs12_password", self.admin_password) @@ -279,7 +279,10 @@ def __spawn_instance(self): try: DogtagInstance.spawn_instance( self, cfg_file, -nolog_list=(self.dm_password, self.admin_password, pki_pin) +nolog_list=(self.dm_password, +self.admin_password, +pki_pin, +tmp_agent_pwd) ) finally: os.remove(p12_tmpfile_name) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#490][synchronized] certdb: use certutil and match_hostname for cert verification
URL: https://github.com/freeipa/freeipa/pull/490 Author: HonzaCholasta Title: #490: certdb: use certutil and match_hostname for cert verification Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/490/head:pr490 git checkout pr490 From 940c715bcf57fa59255166fbc12ccad06f3f0db0 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Mon, 2 Jan 2017 13:53:18 +0100 Subject: [PATCH] certdb: use certutil and match_hostname for cert verification Use certutil and ssl.match_hostname calls instead of python-nss for certificate verification. --- freeipa.spec.in | 16 +-- ipalib/x509.py | 71 --- ipapython/certdb.py | 80 - ipasetup.py.in | 2 +- 4 files changed, 94 insertions(+), 75 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 5c835ca..2cde0da 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -129,8 +129,8 @@ BuildRequires: python-cffi %if 0%{?with_lint} BuildRequires: samba-python BuildRequires: python-setuptools -# 1.4: the version where Certificate.serial changed to .serial_number -BuildRequires: python-cryptography >= 1.4 +# 1.6: x509.Name.rdns (https://github.com/pyca/cryptography/issues/3199) +BuildRequires: python-cryptography >= 1.6 BuildRequires: python-gssapi >= 1.2.0 BuildRequires: pylint >= 1.0 # workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506 @@ -165,8 +165,8 @@ BuildRequires: python2-jinja2 # FIXME: this depedency is missing - server will not work #BuildRequires: python3-samba BuildRequires: python3-setuptools -# 1.4: the version where Certificate.serial changed to .serial_number -BuildRequires: python3-cryptography >= 1.4 +# 1.6: x509.Name.rdns (https://github.com/pyca/cryptography/issues/3199) +BuildRequires: python3-cryptography >= 1.6 BuildRequires: python3-gssapi >= 1.2.0 BuildRequires: python3-pylint >= 1.0 # workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506 @@ -592,7 +592,7 @@ Requires: gnupg Requires: keyutils Requires: pyOpenSSL Requires: python-nss >= 0.16 -Requires: python-cryptography >= 1.4 +Requires: python-cryptography >= 1.6 Requires: python-netaddr Requires: python-libipa_hbac Requires: python-qrcode-core >= 5.0.0 @@ -642,7 +642,7 @@ Requires: gnupg Requires: keyutils Requires: python3-pyOpenSSL Requires: python3-nss >= 0.16 -Requires: python3-cryptography >= 1.4 +Requires: python3-cryptography >= 1.6 Requires: python3-netaddr Requires: python3-libipa_hbac Requires: python3-qrcode-core >= 5.0.0 @@ -717,7 +717,7 @@ Requires: python-pytest-multihost >= 0.5 Requires: python-pytest-sourceorder Requires: ldns-utils Requires: python-sssdconfig -Requires: python2-cryptography >= 1.4 +Requires: python2-cryptography >= 1.6 Provides: %{alt_name}-tests = %{version} Conflicts: %{alt_name}-tests @@ -751,7 +751,7 @@ Requires: python3-pytest-multihost >= 0.5 Requires: python3-pytest-sourceorder Requires: ldns-utils Requires: python3-sssdconfig -Requires: python3-cryptography >= 1.4 +Requires: python3-cryptography >= 1.6 %description -n python3-ipatests IPA is an integrated solution to provide centrally managed Identity (users, diff --git a/ipalib/x509.py b/ipalib/x509.py index f65cf81..dbcbb59 100644 --- a/ipalib/x509.py +++ b/ipalib/x509.py @@ -35,6 +35,7 @@ import binascii import datetime import ipaddress +import ssl import base64 import re @@ -49,6 +50,7 @@ from ipalib import util from ipalib import errors from ipapython.dn import DN +from ipapython.dnsutil import DNSName if six.PY3: unicode = str @@ -406,6 +408,27 @@ def process_othernames(gns): yield gn +def _pyasn1_get_san_general_names(cert): +tbs = decoder.decode( +cert.tbs_certificate_bytes, +asn1Spec=rfc2459.TBSCertificate() +)[0] +OID_SAN = univ.ObjectIdentifier('2.5.29.17') +# One would expect KeyError or empty iterable when the key ('extensions' +# in this particular case) is not pressent in the certificate but pyasn1 +# returns None here +extensions = tbs['extensions'] or [] +gns = [] +for ext in extensions: +if ext['extnID'] == OID_SAN: +der = decoder.decode( +ext['extnValue'], asn1Spec=univ.OctetString())[0] +gns = decoder.decode(der, asn1Spec=rfc2459.SubjectAltName())[0] +break + +return gns + + def get_san_general_names(cert): """ Return SAN general names from a python-cryptography @@ -430,22 +453,7 @@ def get_san_general_names(cert): and should go away. """ -tbs = decoder.decode( -cert.tbs_certificate_bytes, -asn1Spec=rfc2459.TBSCertificate() -)[0] -OID_SAN = univ.ObjectIdentifier('2.5.29.17') -# One would expect KeyError or empty iterable when the key ('extensions' -# in this particular case) is not pressent in
[Freeipa-devel] [freeipa PR#490][comment] certdb: use certutil and match_hostname for cert verification
URL: https://github.com/freeipa/freeipa/pull/490 Title: #490: certdb: use certutil and match_hostname for cert verification stlaz commented: """ I tried to use the wonderful github tool to resolve conflicts to make this more review-friendly but I guess it kind of missed the magic, it's ready for review anyway, please, finish it. """ See the full comment at https://github.com/freeipa/freeipa/pull/490#issuecomment-289807247 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#655][comment] httpinstance.disable_system_trust: Don't fail if module 'Root Certs' …
URL: https://github.com/freeipa/freeipa/pull/655 Title: #655: httpinstance.disable_system_trust: Don't fail if module 'Root Certs' … tomaskrizek commented: """ ipa-4-5: * 2a499551ca5ddf2596cc19a77f47c34e9f5c10c5 httpinstance.disable_system_trust: Don't fail if module 'Root Certs' is not available master: * 0128e805e591bc8ca5cea99739ad4cd7478df0b4 httpinstance.disable_system_trust: Don't fail if module 'Root Certs' is not available """ See the full comment at https://github.com/freeipa/freeipa/pull/655#issuecomment-289802039 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#655][closed] httpinstance.disable_system_trust: Don't fail if module 'Root Certs' …
URL: https://github.com/freeipa/freeipa/pull/655 Author: dkupka Title: #655: httpinstance.disable_system_trust: Don't fail if module 'Root Certs' … Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/655/head:pr655 git checkout pr655 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#655][+pushed] httpinstance.disable_system_trust: Don't fail if module 'Root Certs' …
URL: https://github.com/freeipa/freeipa/pull/655 Title: #655: httpinstance.disable_system_trust: Don't fail if module 'Root Certs' … Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#663][closed] Generate PIN for PKI to help Dogtag in FIPS
URL: https://github.com/freeipa/freeipa/pull/663 Author: stlaz Title: #663: Generate PIN for PKI to help Dogtag in FIPS Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/663/head:pr663 git checkout pr663 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#663][comment] Generate PIN for PKI to help Dogtag in FIPS
URL: https://github.com/freeipa/freeipa/pull/663 Title: #663: Generate PIN for PKI to help Dogtag in FIPS tomaskrizek commented: """ ipa-4-5: * 39eac72faef5f44c9fb2cad943ad58d23fe60cf3 Generate PIN for PKI to help Dogtag in FIPS master: * e204d030fc4154800acb0b2b312188e72dd80f80 Generate PIN for PKI to help Dogtag in FIPS """ See the full comment at https://github.com/freeipa/freeipa/pull/663#issuecomment-289800871 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#663][+pushed] Generate PIN for PKI to help Dogtag in FIPS
URL: https://github.com/freeipa/freeipa/pull/663 Title: #663: Generate PIN for PKI to help Dogtag in FIPS Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#663][+ack] Generate PIN for PKI to help Dogtag in FIPS
URL: https://github.com/freeipa/freeipa/pull/663 Title: #663: Generate PIN for PKI to help Dogtag in FIPS Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#664][+pushed] Backport of client session storage patches
URL: https://github.com/freeipa/freeipa/pull/664 Title: #664: Backport of client session storage patches Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#664][+ack] Backport of client session storage patches
URL: https://github.com/freeipa/freeipa/pull/664 Title: #664: Backport of client session storage patches Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#664][comment] Backport of client session storage patches
URL: https://github.com/freeipa/freeipa/pull/664 Title: #664: Backport of client session storage patches tomaskrizek commented: """ ipa-4-5: * f1d731a79c384c7406c52232ff291644137e100b Python 3: Fix session storage * ba828a53a4736ed326d95e30856daba2c060439c Avoid growing FILE ccaches unnecessarily * f41c9f476d678f9ecc4ca3338c7a58de0182f76f Handle failed authentication via cookie * 0912185b18599414e4f9302b1a80c6c7e9876821 Work around issues fetching session data * e94575f3466bbb8d4959ad0a1c436dcf745e3036 Prevent churn on ccaches """ See the full comment at https://github.com/freeipa/freeipa/pull/664#issuecomment-289795974 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#664][comment] Backport of client session storage patches
URL: https://github.com/freeipa/freeipa/pull/664 Title: #664: Backport of client session storage patches tomaskrizek commented: """ Thanks for the rebase! """ See the full comment at https://github.com/freeipa/freeipa/pull/664#issuecomment-289795319 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#664][closed] Backport of client session storage patches
URL: https://github.com/freeipa/freeipa/pull/664 Author: simo5 Title: #664: Backport of client session storage patches Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/664/head:pr664 git checkout pr664 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#662][+pushed] spec file: bump krb5-devel BuildRequires for certauth
URL: https://github.com/freeipa/freeipa/pull/662 Title: #662: spec file: bump krb5-devel BuildRequires for certauth Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#662][comment] spec file: bump krb5-devel BuildRequires for certauth
URL: https://github.com/freeipa/freeipa/pull/662 Title: #662: spec file: bump krb5-devel BuildRequires for certauth HonzaCholasta commented: """ master: * 2dda1acf44dc96e660e81baadee9c3a54bf05eb0 spec file: bump krb5-devel BuildRequires for certauth ipa-4-5: * 2d246000ef2d715fab464b8ef71fdb3731da127e spec file: bump krb5-devel BuildRequires for certauth """ See the full comment at https://github.com/freeipa/freeipa/pull/662#issuecomment-289780434 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#662][closed] spec file: bump krb5-devel BuildRequires for certauth
URL: https://github.com/freeipa/freeipa/pull/662 Author: HonzaCholasta Title: #662: spec file: bump krb5-devel BuildRequires for certauth Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/662/head:pr662 git checkout pr662 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#517][comment] Use Custodia 0.3.1 features
URL: https://github.com/freeipa/freeipa/pull/517 Title: #517: Use Custodia 0.3.1 features tiran commented: """ Custodia 0.3.1 also fixes https://github.com/latchset/custodia/issues/135 (KEM requests with whitespace in key name fail). The bug has been reported by @adelton as https://bugzilla.redhat.com/show_bug.cgi?id=1411810 . """ See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-289779539 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#662][comment] spec file: bump krb5-devel BuildRequires for certauth
URL: https://github.com/freeipa/freeipa/pull/662 Title: #662: spec file: bump krb5-devel BuildRequires for certauth dkupka commented: """ Works for me. """ See the full comment at https://github.com/freeipa/freeipa/pull/662#issuecomment-289772910 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#664][opened] Backport of client session storage patches
URL: https://github.com/freeipa/freeipa/pull/664 Author: simo5 Title: #664: Backport of client session storage patches Action: opened PR body: """ """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/664/head:pr664 git checkout pr664 From 00457bdbb587aee442768582b24e5b29dfdafa10 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Tue, 14 Mar 2017 18:20:13 +0100 Subject: [PATCH 1/5] Python 3: Fix session storage ctypes can only handle bytes, not text. Encode and decode all incoming and outgoing text from UTF-8 to bytes. Signed-off-by: Christian Heimes Reviewed-By: Simo Sorce --- ipapython/session_storage.py | 19 ++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py index 7fe17fb..bcf0947 100644 --- a/ipapython/session_storage.py +++ b/ipapython/session_storage.py @@ -104,6 +104,13 @@ def store_data(princ_name, key, value): """ Stores the session cookie in a hidden ccache entry. """ +if not isinstance(princ_name, bytes): +princ_name = princ_name.encode('utf-8') +if not isinstance(key, bytes): +key = key.encode('ascii') +if not isinstance(value, bytes): +value = value.encode('utf-8') + context = krb5_context() principal = krb5_principal() ccache = krb5_ccache() @@ -136,6 +143,11 @@ def get_data(princ_name, key): """ Gets the session cookie in a hidden ccache entry. """ +if not isinstance(princ_name, bytes): +princ_name = princ_name.encode('utf-8') +if not isinstance(key, bytes): +key = key.encode('utf-8') + context = krb5_context() principal = krb5_principal() ccache = krb5_ccache() @@ -152,7 +164,7 @@ def get_data(princ_name, key): krb5_cc_get_config(context, ccache, principal, key, ctypes.byref(data)) -return str(data.data) +return data.data.decode('utf-8') finally: if principal: @@ -169,6 +181,11 @@ def remove_data(princ_name, key): """ Removes the hidden ccache entry with the session cookie. """ +if not isinstance(princ_name, bytes): +princ_name = princ_name.encode('utf-8') +if not isinstance(key, bytes): +key = key.encode('utf-8') + context = krb5_context() principal = krb5_principal() ccache = krb5_ccache() From 6a456dd40c861cdc37359f67e24ef9bc3dfea053 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Wed, 22 Mar 2017 18:25:38 -0400 Subject: [PATCH 2/5] Avoid growing FILE ccaches unnecessarily Related https://pagure.io/freeipa/issue/6775 Signed-off-by: Simo Sorce --- ipapython/session_storage.py | 6 ++ 1 file changed, 6 insertions(+) diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py index bcf0947..f208827 100644 --- a/ipapython/session_storage.py +++ b/ipapython/session_storage.py @@ -111,6 +111,12 @@ def store_data(princ_name, key, value): if not isinstance(value, bytes): value = value.encode('utf-8') +# FILE ccaches grow every time an entry is stored, so we need +# to avoid storing the same entry multiple times. +oldvalue = get_data(princ_name, key) +if oldvalue == value: +return + context = krb5_context() principal = krb5_principal() ccache = krb5_ccache() From afb87ae3b7e08e42f4bd2399f48a0f2c45012cb2 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Wed, 22 Mar 2017 18:38:22 -0400 Subject: [PATCH 3/5] Handle failed authentication via cookie If cookie authentication fails and we get back a 401 see if we tried a SPNEGO auth by checking if we had a GSSAPI context. If not it means our session cookie was invalid or expired or some other error happened on the server that requires us to try a full SPNEGO handshake, so go ahead and try it. Fixes https://pagure.io/freeipa/issue/6775 Signed-off-by: Simo Sorce --- ipalib/rpc.py | 52 1 file changed, 32 insertions(+), 20 deletions(-) diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 303b22a..f597ce0 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -586,22 +586,33 @@ def _handle_exception(self, e, service=None): else: raise errors.KerberosError(message=unicode(e)) -def get_host_info(self, host): +def _get_host(self): +return self._connection[0] + +def _remove_extra_header(self, name): +for (h, v) in self._extra_headers: +if h == name: +self._extra_headers.remove((h, v)) +break + +def get_auth_info(self, use_cookie=True): """ Two things can happen here. If we have a session we will add a cookie for that. If not we will set an Authorization header. """ -(host, extra_headers, x509) = SSLTransport.get_host_info(self, host) - -if not isinstance(extra_headers, list):
[Freeipa-devel] [freeipa PR#662][+ack] spec file: bump krb5-devel BuildRequires for certauth
URL: https://github.com/freeipa/freeipa/pull/662 Title: #662: spec file: bump krb5-devel BuildRequires for certauth Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#644][+ack] extdom: improve certificate request
URL: https://github.com/freeipa/freeipa/pull/644 Title: #644: extdom: improve certificate request Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#644][comment] extdom: improve certificate request
URL: https://github.com/freeipa/freeipa/pull/644 Title: #644: extdom: improve certificate request dkupka commented: """ Works for me. """ See the full comment at https://github.com/freeipa/freeipa/pull/644#issuecomment-289764835 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#517][closed] Use Custodia 0.3.1 features
URL: https://github.com/freeipa/freeipa/pull/517 Author: tiran Title: #517: Use Custodia 0.3.1 features Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/517/head:pr517 git checkout pr517 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#517][comment] Use Custodia 0.3.1 features
URL: https://github.com/freeipa/freeipa/pull/517 Title: #517: Use Custodia 0.3.1 features pvomacka commented: """ ipa-4-5: * 403263df7a3be61086c87c5577698cf32a912065 Use Custodia 0.3.1 features master: * f5bf5466eda0de2a211b4f2682e5c50b82577701 Use Custodia 0.3.1 features """ See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-289762284 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#517][+pushed] Use Custodia 0.3.1 features
URL: https://github.com/freeipa/freeipa/pull/517 Title: #517: Use Custodia 0.3.1 features Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#649][comment] Session cookie storage and handling fixes
URL: https://github.com/freeipa/freeipa/pull/649 Title: #649: Session cookie storage and handling fixes MartinBasti commented: """ Yes please """ See the full comment at https://github.com/freeipa/freeipa/pull/649#issuecomment-289761754 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] Issue with clients
Hello, I am new to this community and have a FreeIPA server install that is trusted to AD using AD dns. I am having problems getting my clients to work properly. Everything seems to install properly the first time i try it but i get the following logs after that: (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [sdap_cli_connect_recv] (0x0040): Unable to establish connection [1432158225]: Authentication Failed (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [_be_fo_set_port_status] (0x8000): Setting status: PORT_NOT_WORKING. Called from: src/providers/ldap/sdap_async_connection.c: sdap_cli_connect_recv: 2048 (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'homeipa01.brad.local' as 'not working' (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [fo_set_port_status] (0x0400): Marking port 0 of duplicate server 'homeipa01.brad.local' as 'not working' (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [sdap_handle_release] (0x2000): Trace: sh[0x7efdeeccb150], connected[1], ops[(nil)], ldap[0x7efdeecf6730], destructor_lock[0], release_memory[0] (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [remove_connection_callback] (0x4000): Successfully removed connection callback. (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [sdap_id_op_connect_done] (0x4000): attempting failover retry on op #1 (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [sdap_id_op_connect_step] (0x4000): beginning to connect (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA' (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [get_server_status] (0x1000): Status of server 'homeipa01.brad.local' is 'name resolved' (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [get_port_status] (0x1000): Port status of port 389 for server 'homeipa01.brad.local' is 'not working' (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [get_server_status] (0x1000): Status of server 'homeipa01.brad.local' is 'name resolved' (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [get_port_status] (0x1000): Port status of port 0 for server 'homeipa01.brad.local' is 'not working' (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [fo_resolve_service_send] (0x0020): No available servers for service 'IPA' (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [sdap_id_op_connect_done] (0x4000): attempting failover retry on op #2 (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [sdap_id_op_connect_step] (0x4000): waiting for connection to complete (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [sdap_id_release_conn_data] (0x4000): releasing unused connection (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [be_resolve_server_done] (0x1000): Server resolution failed: [5]: Input/output error (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error]) (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [be_mark_offline] (0x2000): Going offline! (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [be_mark_offline] (0x2000): Enable check_if_online_ptask. (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [be_ptask_enable] (0x0400): Task [Check if online (periodic)]: enabling task (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [be_ptask_schedule] (0x0400): Task [Check if online (periodic)]: scheduling task 73 seconds from now [1490682941] (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks. (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [sdap_id_op_connect_done] (0x4000): notify offline to op #1 (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [ipa_subdomains_refresh_connect_done] (0x0020): Unable to connect to LDAP [11]: Resource temporarily unavailable (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [ipa_subdomains_refresh_connect_done] (0x0080): No IPA server is available, cannot get the subdomain list while offline (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [be_ptask_done] (0x0040): Task [Subdomains Refresh]: failed with [1432158212]: SSSD is offline (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [be_ptask_schedule] (0x0400): Task [Subdomains Refresh]: scheduling task 14400 seconds from now [1490697268] (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [sdap_id_op_connect_done] (0x4000): notify offline to op #2 (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [ipa_sudo_refresh_connect_done] (0x0020): SUDO LDAP connection failed [11]: Resource temporarily unavailable (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [be_ptask_done] (0x0040): Task [SUDO Full Refresh]: failed with [11]: Resource temporarily unavailable (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [be_ptask_schedule] (0x0400): Task [SUDO Full Refresh]: scheduling task 21600 seconds from now [149070
[Freeipa-devel] [freeipa PR#649][comment] Session cookie storage and handling fixes
URL: https://github.com/freeipa/freeipa/pull/649 Title: #649: Session cookie storage and handling fixes simo5 commented: """ Should I make a new PR for 4.5 ? """ See the full comment at https://github.com/freeipa/freeipa/pull/649#issuecomment-289761195 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#623][synchronized] client install: do not assume /etc/krb5.conf.d exists
URL: https://github.com/freeipa/freeipa/pull/623 Author: HonzaCholasta Title: #623: client install: do not assume /etc/krb5.conf.d exists Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/623/head:pr623 git checkout pr623 From 540fa8f81622838815d784fd5295c7a4656caf3c Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Mon, 20 Mar 2017 06:56:53 + Subject: [PATCH] install: do not assume /etc/krb5.conf.d exists Add `includedir /etc/krb5.conf.d` to /etc/krb5.conf only if /etc/krb5.conf.d exists. Do not rely on /etc/krb5.conf.d to enable the certauth plugin. This fixes install on platforms which do not have /etc/krb5.conf.d. https://pagure.io/freeipa/issue/6589 --- .gitignore | 1 - daemons/ipa-kdb/Makefile.am | 12 + daemons/ipa-kdb/ipa-certauth.in | 5 freeipa.spec.in | 1 - install/share/krb5.conf.template| 7 - ipaclient/install/client.py | 16 +++- ipaplatform/base/paths.py | 2 ++ ipaplatform/redhat/paths.py | 1 + ipaserver/install/krbinstance.py| 9 ++- ipaserver/install/server/upgrade.py | 51 + 10 files changed, 79 insertions(+), 26 deletions(-) delete mode 100644 daemons/ipa-kdb/ipa-certauth.in diff --git a/.gitignore b/.gitignore index 8941fd8..90d7d23 100644 --- a/.gitignore +++ b/.gitignore @@ -75,7 +75,6 @@ freeipa2-dev-doc /daemons/dnssec/ipa-ods-exporter.socket /daemons/ipa-kdb/ipa_kdb_tests /daemons/ipa-kdb/tests/.dirstamp -/daemons/ipa-kdb/ipa-certauth /daemons/ipa-otpd/ipa-otpd /daemons/ipa-otpd/ipa-otpd.socket /daemons/ipa-otpd/ipa-otpd@.service diff --git a/daemons/ipa-kdb/Makefile.am b/daemons/ipa-kdb/Makefile.am index 715666e..a512ab7 100644 --- a/daemons/ipa-kdb/Makefile.am +++ b/daemons/ipa-kdb/Makefile.am @@ -42,16 +42,6 @@ ipadb_la_SOURCES = \ if BUILD_IPA_CERTAUTH_PLUGIN ipadb_la_SOURCES += ipa_kdb_certauth.c - - -%: %.in - sed \ - -e 's|@plugindir@|$(plugindir)|g' \ - '$(srcdir)/$@.in' >$@ - -krb5confdir = $(sysconfdir)/krb5.conf.d -krb5conf_DATA = ipa-certauth -CLEANFILES = $(krb5conf_DATA) endif ipadb_la_LDFLAGS = \ @@ -105,7 +95,7 @@ ipa_kdb_tests_LDADD = \ -lsss_idmap \ $(NULL) -dist_noinst_DATA = ipa_kdb.exports ipa-certauth.in +dist_noinst_DATA = ipa_kdb.exports clean-local: rm -f tests/.dirstamp diff --git a/daemons/ipa-kdb/ipa-certauth.in b/daemons/ipa-kdb/ipa-certauth.in deleted file mode 100644 index eda89a2..000 --- a/daemons/ipa-kdb/ipa-certauth.in +++ /dev/null @@ -1,5 +0,0 @@ -[plugins] - certauth = { - module = ipakdb:@plugindir@/ipadb.so - enable_only = ipakdb - } diff --git a/freeipa.spec.in b/freeipa.spec.in index 5419ed1..d1bb171 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -1167,7 +1167,6 @@ fi %attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck %config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf %config(noreplace) %{_sysconfdir}/oddjobd.conf.d/ipa-server.conf -%config(noreplace) %{_sysconfdir}/krb5.conf.d/ipa-certauth %dir %{_libexecdir}/ipa/certmonger %attr(755,root,root) %{_libexecdir}/ipa/certmonger/* # NOTE: systemd specific section diff --git a/install/share/krb5.conf.template b/install/share/krb5.conf.template index e8b2ad8..acfeeb3 100644 --- a/install/share/krb5.conf.template +++ b/install/share/krb5.conf.template @@ -1,4 +1,4 @@ -includedir /etc/krb5.conf.d/ +$INCLUDES includedir /var/lib/sss/pubconf/krb5.include.d/ [logging] @@ -34,3 +34,8 @@ $OTHER_DOMAIN_REALM_MAPS db_library = ipadb.so } +[plugins] + certauth = { + module = ipakdb:$IPADB_SO + enable_only = ipakdb + } diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py index 549c9b8..371581a 100644 --- a/ipaclient/install/client.py +++ b/ipaclient/install/client.py @@ -641,14 +641,18 @@ def configure_krb5_conf( 'value': 'File modified by ipa-client-install' }, krbconf.emptyLine(), -{ -'name': 'includedir', -'type': 'option', -'value': paths.COMMON_KRB5_CONF_DIR, -'delim': ' ' -} ] +if os.path.exists(paths.COMMON_KRB5_CONF_DIR): +opts.extend([ +{ +'name': 'includedir', +'type': 'option', +'value': paths.COMMON_KRB5_CONF_DIR, +'delim': ' ' +} +]) + # SSSD include dir if configure_sssd: opts.extend([ diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index 9cf160f..7395f14 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py @@ -186,12 +186,14 @@ class BasePathNamespace(object): BIND_LDAP_DNS_ZONE_WORKDIR = "/var/named/dyndb-ldap/ipa/master/" USR_LIB_DIRSRV = "/usr/lib/dirsrv" LIB_FIREFOX = "/usr/lib/firefo
[Freeipa-devel] [freeipa PR#517][+ack] Use Custodia 0.3.1 features
URL: https://github.com/freeipa/freeipa/pull/517 Title: #517: Use Custodia 0.3.1 features Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#643][closed] [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work
URL: https://github.com/freeipa/freeipa/pull/643 Author: dkupka Title: #643: [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/643/head:pr643 git checkout pr643 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#643][+pushed] [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work
URL: https://github.com/freeipa/freeipa/pull/643 Title: #643: [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#517][synchronized] Use Custodia 0.3.1 features
URL: https://github.com/freeipa/freeipa/pull/517 Author: tiran Title: #517: Use Custodia 0.3.1 features Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/517/head:pr517 git checkout pr517 From 776d7ec853051cc09c5b6de928f3a4c62dfd4695 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Tue, 28 Feb 2017 12:07:19 +0100 Subject: [PATCH] Use Custodia 0.3.1 features * Use sd-notify in ipa-custodia.service * Introduce libexec/ipa/ipa-custodia script. It comes with correct default setting for IPA's config file. The new file also makes it simpler to run IPA's custodia instance with its own SELinux context. * ipapython no longer depends on custodia The patch addresses three issues: * https://bugzilla.redhat.com/show_bug.cgi?id=1430247 Forward compatibility with Custodia 0.3 in Fedora rawhide * https://pagure.io/freeipa/issue/5825 Use sd-notify * https://pagure.io/freeipa/issue/6788 Prepare for separate SELinux context Signed-off-by: Christian Heimes --- freeipa.spec.in | 13 - init/systemd/Makefile.am | 1 + init/systemd/ipa-custodia.service.in | 5 ++--- install/tools/Makefile.am| 1 + install/tools/ipa-custodia | 6 ++ ipapython/setup.py | 1 - ipaserver/secrets/service.py | 30 ++ ipaserver/setup.py | 1 + ipasetup.py.in | 1 + 9 files changed, 50 insertions(+), 9 deletions(-) create mode 100755 install/tools/ipa-custodia create mode 100644 ipaserver/secrets/service.py diff --git a/freeipa.spec.in b/freeipa.spec.in index 5419ed1..4c27fab 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -181,7 +181,8 @@ BuildRequires: pki-base-python2 BuildRequires: python-pytest-multihost BuildRequires: python-pytest-sourceorder BuildRequires: python-jwcrypto -BuildRequires: python-custodia +# 0.3: sd_notify (https://pagure.io/freeipa/issue/5825) +BuildRequires: python-custodia >= 0.3.1 BuildRequires: dbus-python BuildRequires: python-dateutil BuildRequires: python-enum34 @@ -216,7 +217,8 @@ BuildRequires: pki-base-python3 BuildRequires: python3-pytest-multihost BuildRequires: python3-pytest-sourceorder BuildRequires: python3-jwcrypto -BuildRequires: python3-custodia +# 0.3: sd_notify (https://pagure.io/freeipa/issue/5825) +BuildRequires: python3-custodia >= 0.3.1 BuildRequires: python3-dbus BuildRequires: python3-dateutil BuildRequires: python3-enum34 @@ -337,6 +339,7 @@ BuildArch: noarch Requires: %{name}-server-common = %{version}-%{release} Requires: %{name}-common = %{version}-%{release} Requires: python2-ipaclient = %{version}-%{release} +Requires: python-custodia >= 0.3.1 Requires: python-ldap >= 2.4.15 Requires: python-lxml Requires: python-gssapi >= 1.2.0 @@ -367,6 +370,7 @@ BuildArch: noarch Requires: %{name}-server-common = %{version}-%{release} Requires: %{name}-common = %{version}-%{release} Requires: python3-ipaclient = %{version}-%{release} +Requires: python3-custodia >= 0.3.1 Requires: python3-pyldap >= 2.4.15 Requires: python3-lxml Requires: python3-gssapi >= 1.2.0 @@ -396,7 +400,7 @@ BuildArch: noarch Requires: %{name}-client-common = %{version}-%{release} Requires: httpd >= 2.4.6-31 Requires: systemd-units >= 38 -Requires: custodia +Requires: custodia >= 0.3.1 Provides: %{alt_name}-server-common = %{version} Conflicts: %{alt_name}-server-common @@ -647,7 +651,6 @@ Requires: python-jwcrypto Requires: python-cffi Requires: python-ldap >= 2.4.15 Requires: python-requests -Requires: python-custodia Requires: python-dns >= 1.15 Requires: python-enum34 Requires: python-netifaces >= 0.10.4 @@ -696,7 +699,6 @@ Requires: python3-six Requires: python3-jwcrypto Requires: python3-cffi Requires: python3-pyldap >= 2.4.15 -Requires: python3-custodia Requires: python3-requests Requires: python3-dns >= 1.15 Requires: python3-netifaces >= 0.10.4 @@ -1157,6 +1159,7 @@ fi %{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit %{_libexecdir}/certmonger/ipa-server-guard %dir %{_libexecdir}/ipa +%{_libexecdir}/ipa/ipa-custodia %{_libexecdir}/ipa/ipa-dnskeysyncd %{_libexecdir}/ipa/ipa-dnskeysync-replica %{_libexecdir}/ipa/ipa-ods-exporter diff --git a/init/systemd/Makefile.am b/init/systemd/Makefile.am index 325e857..945f6ac 100644 --- a/init/systemd/Makefile.am +++ b/init/systemd/Makefile.am @@ -18,5 +18,6 @@ CLEANFILES = $(systemdsystemunit_DATA) -e 's|@IPA_SYSCONF_DIR[@]|$(IPA_SYSCONF_DIR)|g' \ -e 's|@localstatedir[@]|$(localstatedir)|g' \ -e 's|@sbindir[@]|$(sbindir)|g' \ + -e 's|@libexecdir[@]|$(libexecdir)|g' \ -e 's|@sysconfenvdir[@]|$(sysconfenvdir)|g' \ '$(srcdir)/$@.in' >$@ diff --git a/init/systemd/ipa-custodia.service.in b/init/systemd/ipa-custodia.service.in index 3f9b128..0247bd8 100644 --- a/init/systemd/ipa-custodia.service.in +++ b/init/systemd/ipa
[Freeipa-devel] [freeipa PR#643][comment] [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work
URL: https://github.com/freeipa/freeipa/pull/643 Title: #643: [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work pvomacka commented: """ ipa-4-5: * aa24ed88006925e6d7e44567b087364b0116db9c spec file: Bump requires to make Certificate Login in WebUI work master: * 27d13d90fe9b06618c88bc20b7d6540e6b4d367f spec file: Bump requires to make Certificate Login in WebUI work """ See the full comment at https://github.com/freeipa/freeipa/pull/643#issuecomment-289753377 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#643][+ack] [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work
URL: https://github.com/freeipa/freeipa/pull/643 Title: #643: [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#623][comment] client install: do not assume /etc/krb5.conf.d exists
URL: https://github.com/freeipa/freeipa/pull/623 Title: #623: client install: do not assume /etc/krb5.conf.d exists tiran commented: """ **Practicality beats purity** Let's define ```/etc/krb5.conf.d``` as part of our API and don't waste more time on shaving yet another yak. @tjaalton (Debian/Ubuntu maintainer) said > fine by me """ See the full comment at https://github.com/freeipa/freeipa/pull/623#issuecomment-289747474 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#663][opened] Generate PIN for PKI to help Dogtag in FIPS
URL: https://github.com/freeipa/freeipa/pull/663 Author: stlaz Title: #663: Generate PIN for PKI to help Dogtag in FIPS Action: opened PR body: """ Dogtag is currently unable to generate a PIN it could use for an NSS database creation in FIPS. Generate it for them so that we don't fail. https://pagure.io/freeipa/issue/6824 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/663/head:pr663 git checkout pr663 From 287954ab65a579f9551ecd5c6d8e403e5f06abc9 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Tue, 28 Mar 2017 13:54:16 +0200 Subject: [PATCH] Generate PIN for PKI to help Dogtag in FIPS Dogtag is currently unable to generate a PIN it could use for an NSS database creation in FIPS. Generate it for them so that we don't fail. https://pagure.io/freeipa/issue/6824 --- ipaserver/install/cainstance.py | 6 +- ipaserver/install/krainstance.py | 6 +- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index f0d3c23..92bb760 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -541,6 +541,10 @@ def __spawn_instance(self): # CA key algorithm config.set("CA", "pki_ca_signing_key_algorithm", self.ca_signing_algorithm) +# generate pin which we know can be used for FIPS NSS database +pki_pin = ipautil.ipa_generate_password() +config.set("CA", "pki_pin", pki_pin) + if self.clone: if self.no_db_setup: @@ -613,7 +617,7 @@ def __spawn_instance(self): try: DogtagInstance.spawn_instance( self, cfg_file, -nolog_list=(self.dm_password, self.admin_password) +nolog_list=(self.dm_password, self.admin_password, pki_pin) ) finally: os.remove(cfg_file) diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py index b41ccb6..34d6678 100644 --- a/ipaserver/install/krainstance.py +++ b/ipaserver/install/krainstance.py @@ -235,6 +235,10 @@ def __spawn_instance(self): "KRA", "pki_share_dbuser_dn", str(DN(('uid', 'pkidbuser'), ('ou', 'people'), ('o', 'ipaca' +# generate pin which we know can be used for FIPS NSS database +pki_pin = ipautil.ipa_generate_password() +config.set("KRA", "pki_pin", pki_pin) + _p12_tmpfile_handle, p12_tmpfile_name = tempfile.mkstemp(dir=paths.TMP) if self.clone: @@ -275,7 +279,7 @@ def __spawn_instance(self): try: DogtagInstance.spawn_instance( self, cfg_file, -nolog_list=(self.dm_password, self.admin_password) +nolog_list=(self.dm_password, self.admin_password, pki_pin) ) finally: os.remove(p12_tmpfile_name) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#649][comment] Session cookie storage and handling fixes
URL: https://github.com/freeipa/freeipa/pull/649 Title: #649: Session cookie storage and handling fixes tomaskrizek commented: """ master: * 9a6ac74eb4421b9ffa831dc6fed067d2ddc0618e Avoid growing FILE ccaches unnecessarily * fbbeb132bf37f8a03ef2f2184adb11796ab13d8b Handle failed authentication via cookie * e07aefb886096a7d419a4f1a2dec287e5ecd1626 Work around issues fetching session data * d63326632b796a5ec9c6468c5ffe0c5a846501e1 Prevent churn on ccaches """ See the full comment at https://github.com/freeipa/freeipa/pull/649#issuecomment-289742598 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#643][synchronized] [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work
URL: https://github.com/freeipa/freeipa/pull/643 Author: dkupka Title: #643: [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/643/head:pr643 git checkout pr643 From 8ed872f93ad46f6b1fb261a74566444e850ab190 Mon Sep 17 00:00:00 2001 From: David Kupka Date: Thu, 23 Mar 2017 08:43:51 +0100 Subject: [PATCH] spec file: Bump requires to make Certificate Login in WebUI work gssproxy >= 0.7.0-2 - fixes impersonator checking mod_lookup_identity >= 0.9.9 - adds support for single certificate assigned to multiple users mod_nss >= 1.0.14-3 - no longer sets remote user in fixup hook sssd-dbus >= 1.15.2 - adds FindByNameAndCertificate DBus method https://pagure.io/freeipa/issue/6823 --- freeipa.spec.in | 13 - 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index f776b34..144d0cd 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -267,9 +267,11 @@ Requires: ntp Requires: httpd >= 2.4.6-31 Requires: mod_wsgi Requires: mod_auth_gssapi >= 1.5.0 -Requires: mod_nss >= 1.0.8-26 +# 1.0.14-3: https://bugzilla.redhat.com/show_bug.cgi?id=1431206 +Requires: mod_nss >= 1.0.14-3 Requires: mod_session -Requires: mod_lookup_identity +# 0.9.9: https://github.com/adelton/mod_lookup_identity/pull/3 +Requires: mod_lookup_identity >= 0.9.9 Requires: python-ldap >= 2.4.15 Requires: python-gssapi >= 1.2.0 Requires: acl @@ -297,9 +299,10 @@ Requires: systemd-python Requires: %{etc_systemd_dir} Requires: gzip Requires: oddjob -Requires: gssproxy >= 0.7.0 -# Require 1.15.1 for the certificate identity mapping feature -Requires: sssd-dbus >= 1.15.1 +# 0.7.0-2: https://pagure.io/gssproxy/pull-request/172 +Requires: gssproxy >= 0.7.0-2 +# 1.15.2: FindByNameAndCertificate (https://pagure.io/SSSD/sssd/issue/3050) +Requires: sssd-dbus >= 1.15.2 Provides: %{alt_name}-server = %{version} Conflicts: %{alt_name}-server -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#649][comment] Session cookie storage and handling fixes
URL: https://github.com/freeipa/freeipa/pull/649 Title: #649: Session cookie storage and handling fixes tomaskrizek commented: """ @simo5 Please rebase for `ipa-4-5`. """ See the full comment at https://github.com/freeipa/freeipa/pull/649#issuecomment-289742723 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#649][+pushed] Session cookie storage and handling fixes
URL: https://github.com/freeipa/freeipa/pull/649 Title: #649: Session cookie storage and handling fixes Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#649][closed] Session cookie storage and handling fixes
URL: https://github.com/freeipa/freeipa/pull/649 Author: simo5 Title: #649: Session cookie storage and handling fixes Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/649/head:pr649 git checkout pr649 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#517][comment] Use Custodia 0.3.1 features
URL: https://github.com/freeipa/freeipa/pull/517 Title: #517: Use Custodia 0.3.1 features MartinBasti commented: """ Works for me, can be pushed when dependencies bumped """ See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-289739858 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#623][comment] client install: do not assume /etc/krb5.conf.d exists
URL: https://github.com/freeipa/freeipa/pull/623 Title: #623: client install: do not assume /etc/krb5.conf.d exists lslebodn commented: """ On (28/03/17 04:08), Christian Heimes wrote: >The ipa-certauth plugin now starts to rely on the existence of >```/etc/krb5.conf.d```: > >``` >%config(noreplace) %{_sysconfdir}/krb5.conf.d/ipa-certauth >``` > The upstream spec file is fedora/rhel spec files and fedora+rhel have `%{_sysconfdir}/krb5.conf.d/`. I cannot see any problem. >**Practicality beats purity**, let's make ```/etc/krb5.conf.d``` part of the >offical FreeIPA configuation settings on all IPA enrolled systems. > But neither debian nor arch linux/opensuse have this directory(or any other) included by default in `/etc/krb5.conf`. I would like to see standard directory for krb5 snippet files. But that should be solved in distribution. And just used by freeipa. LS """ See the full comment at https://github.com/freeipa/freeipa/pull/623#issuecomment-289738839 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#656][closed] Backup CA cert from kerberos folder
URL: https://github.com/freeipa/freeipa/pull/656 Author: stlaz Title: #656: Backup CA cert from kerberos folder Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/656/head:pr656 git checkout pr656 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#656][comment] Backup CA cert from kerberos folder
URL: https://github.com/freeipa/freeipa/pull/656 Title: #656: Backup CA cert from kerberos folder tomaskrizek commented: """ master: * dc13703e75997e0c9539b326acb13458dae00202 Backup CA cert from kerberos folder ipa-4-5: * 9fdc27ba3594e921d21d664fc5728292e52ac350 Backup CA cert from kerberos folder """ See the full comment at https://github.com/freeipa/freeipa/pull/656#issuecomment-289738530 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#656][+pushed] Backup CA cert from kerberos folder
URL: https://github.com/freeipa/freeipa/pull/656 Title: #656: Backup CA cert from kerberos folder Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#661][+pushed] git-commit-template: update ticket url to use pagure.io instead of fe…
URL: https://github.com/freeipa/freeipa/pull/661 Title: #661: git-commit-template: update ticket url to use pagure.io instead of fe… Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#661][comment] git-commit-template: update ticket url to use pagure.io instead of fe…
URL: https://github.com/freeipa/freeipa/pull/661 Title: #661: git-commit-template: update ticket url to use pagure.io instead of fe… tomaskrizek commented: """ master: * f17460a34ce452b46d431850aa565efd6c7b23ba git-commit-template: update ticket url to use pagure.io instead of fedorahosted.org """ See the full comment at https://github.com/freeipa/freeipa/pull/661#issuecomment-289737719 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#661][closed] git-commit-template: update ticket url to use pagure.io instead of fe…
URL: https://github.com/freeipa/freeipa/pull/661 Author: flo-renaud Title: #661: git-commit-template: update ticket url to use pagure.io instead of fe… Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/661/head:pr661 git checkout pr661 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#660][+pushed] rpcserver.login_x509: Actually return reply from __call__ method
URL: https://github.com/freeipa/freeipa/pull/660 Title: #660: rpcserver.login_x509: Actually return reply from __call__ method Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#660][comment] rpcserver.login_x509: Actually return reply from __call__ method
URL: https://github.com/freeipa/freeipa/pull/660 Title: #660: rpcserver.login_x509: Actually return reply from __call__ method pvomacka commented: """ ipa-4-5: * c80941e98bfd00c1c6e530aa4a592354adff8d90 rpcserver.login_x509: Actually return reply from __call__ method master: * 7e1fdd2c5881893fd9540689045a11f9e88beef9 rpcserver.login_x509: Actually return reply from __call__ method """ See the full comment at https://github.com/freeipa/freeipa/pull/660#issuecomment-289736121 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#517][comment] Use Custodia 0.3.1 features
URL: https://github.com/freeipa/freeipa/pull/517 Title: #517: Use Custodia 0.3.1 features MartinBasti commented: """ Probably we should bump requires to custodia >= 0.3.1 """ See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-289737346 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#623][comment] client install: do not assume /etc/krb5.conf.d exists
URL: https://github.com/freeipa/freeipa/pull/623 Title: #623: client install: do not assume /etc/krb5.conf.d exists tiran commented: """ The ipa-certauth plugin now starts to rely on the existence of ```/etc/krb5.conf.d```: ``` %config(noreplace) %{_sysconfdir}/krb5.conf.d/ipa-certauth ``` **Practicality beats purity**, let's make ```/etc/krb5.conf.d``` part of the offical FreeIPA configuation settings on all IPA enrolled systems. """ See the full comment at https://github.com/freeipa/freeipa/pull/623#issuecomment-289736798 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#660][closed] rpcserver.login_x509: Actually return reply from __call__ method
URL: https://github.com/freeipa/freeipa/pull/660 Author: dkupka Title: #660: rpcserver.login_x509: Actually return reply from __call__ method Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/660/head:pr660 git checkout pr660 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#517][comment] Use Custodia 0.3.1 features
URL: https://github.com/freeipa/freeipa/pull/517 Title: #517: Use Custodia 0.3.1 features tiran commented: """ F25 scratch build https://koji.fedoraproject.org/koji/taskinfo?taskID=18643521 ``` $ fedpkg clone custodia $ cd custodia $ fedpkg switch-branch master $ fedpkg scratch-build --srpm --target f25 ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-289735201 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#662][opened] spec file: bump krb5-devel BuildRequires for certauth
URL: https://github.com/freeipa/freeipa/pull/662 Author: HonzaCholasta Title: #662: spec file: bump krb5-devel BuildRequires for certauth Action: opened PR body: """ Bump BuildRequires on krb5-devel to the version which introduces the certauth pluggable interface. This fixes RPM build failure when an older version of krb5-devel was installed. https://pagure.io/freeipa/issue/4905 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/662/head:pr662 git checkout pr662 From eaf2627c1893527f425a4f9e2e469b9c12f2c298 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Tue, 28 Mar 2017 10:43:31 + Subject: [PATCH] spec file: bump krb5-devel BuildRequires for certauth Bump BuildRequires on krb5-devel to the version which introduces the certauth pluggable interface. This fixes RPM build failure when an older version of krb5-devel was installed. https://pagure.io/freeipa/issue/4905 --- freeipa.spec.in | 6 ++ 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 5419ed1..85610a0 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -80,12 +80,10 @@ BuildRequires: openldap-devel # will cause the build to fail due to unsatisfied dependencies. # DAL version change may cause code crash or memory leaks, it is better to fail early. %if 0%{?fedora} > 25 -BuildRequires: krb5-devel >= 1.15-5 BuildRequires: krb5-kdb-version = 6.1 -%else -# 1.12: libkrad (http://krbdev.mit.edu/rt/Ticket/Display.html?id=7678) -BuildRequires: krb5-devel >= 1.12 %endif +# 1.15.1-3: certauth (http://krbdev.mit.edu/rt/Ticket/Display.html?id=8561) +BuildRequires: krb5-devel >= 1.15.1-3 # 1.27.4: xmlrpc_curl_xportparms.gssapi_delegation BuildRequires: xmlrpc-c-devel >= 1.27.4 BuildRequires: popt-devel -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#655][comment] httpinstance.disable_system_trust: Don't fail if module 'Root Certs' …
URL: https://github.com/freeipa/freeipa/pull/655 Title: #655: httpinstance.disable_system_trust: Don't fail if module 'Root Certs' … stlaz commented: """ This fixes the mentioned issue. I did not test whether the actual disable works but I should hope so as I don't see how this could break it. """ See the full comment at https://github.com/freeipa/freeipa/pull/655#issuecomment-289729611 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#655][+ack] httpinstance.disable_system_trust: Don't fail if module 'Root Certs' …
URL: https://github.com/freeipa/freeipa/pull/655 Title: #655: httpinstance.disable_system_trust: Don't fail if module 'Root Certs' … Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#640][comment] Remove pkinit options from master/replica on DL0
URL: https://github.com/freeipa/freeipa/pull/640 Title: #640: Remove pkinit options from master/replica on DL0 MartinBasti commented: """ With this PR applied I cannot use webUI with DL0 """ See the full comment at https://github.com/freeipa/freeipa/pull/640#issuecomment-289721101 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#656][comment] Backup CA cert from kerberos folder
URL: https://github.com/freeipa/freeipa/pull/656 Title: #656: Backup CA cert from kerberos folder MartinBasti commented: """ Yeah and I found where, it fails with #640 This PR can be pushed and ticket closed """ See the full comment at https://github.com/freeipa/freeipa/pull/656#issuecomment-289720981 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#656][comment] Backup CA cert from kerberos folder
URL: https://github.com/freeipa/freeipa/pull/656 Title: #656: Backup CA cert from kerberos folder stlaz commented: """ Works for me on DL0 as well, you might have had a broken installation. """ See the full comment at https://github.com/freeipa/freeipa/pull/656#issuecomment-289714596 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#643][comment] [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work
URL: https://github.com/freeipa/freeipa/pull/643 Title: #643: [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work pvomacka commented: """ @dkupka I created a new ticket: https://pagure.io/freeipa/issue/6823 """ See the full comment at https://github.com/freeipa/freeipa/pull/643#issuecomment-289705221 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#656][comment] Backup CA cert from kerberos folder
URL: https://github.com/freeipa/freeipa/pull/656 Title: #656: Backup CA cert from kerberos folder stlaz commented: """ This seems like a pkinit-related issue, since pkinit is not finished (although released) and should be only avaialable on domain levels > 0, I don't think this should stop us from pushing this, I will investigate the issue nonetheless. """ See the full comment at https://github.com/freeipa/freeipa/pull/656#issuecomment-289702239 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#656][comment] Backup CA cert from kerberos folder
URL: https://github.com/freeipa/freeipa/pull/656 Title: #656: Backup CA cert from kerberos folder MartinBasti commented: """ I tried with DL0: * it may be different bug with DL0 * backup/restore is broken only with DL0 """ See the full comment at https://github.com/freeipa/freeipa/pull/656#issuecomment-289700819 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#616][comment] Simplify KRA transport cert cache
URL: https://github.com/freeipa/freeipa/pull/616 Title: #616: Simplify KRA transport cert cache HonzaCholasta commented: """ master: * abefb64bea8ea1b8487ad87716e4a33d19dc Simplify KRA transport cert cache ipa-4-5: * 2723b5fa5edc75901c8fbaf110a37c87df0aec87 Simplify KRA transport cert cache """ See the full comment at https://github.com/freeipa/freeipa/pull/616#issuecomment-289696220 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#616][closed] Simplify KRA transport cert cache
URL: https://github.com/freeipa/freeipa/pull/616 Author: tiran Title: #616: Simplify KRA transport cert cache Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/616/head:pr616 git checkout pr616 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#616][+ack] Simplify KRA transport cert cache
URL: https://github.com/freeipa/freeipa/pull/616 Title: #616: Simplify KRA transport cert cache Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#616][+pushed] Simplify KRA transport cert cache
URL: https://github.com/freeipa/freeipa/pull/616 Title: #616: Simplify KRA transport cert cache Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#661][comment] git-commit-template: update ticket url to use pagure.io instead of fe…
URL: https://github.com/freeipa/freeipa/pull/661 Title: #661: git-commit-template: update ticket url to use pagure.io instead of fe… stlaz commented: """ ACK, stopping the tests as the change does not have anything to do with our codebase. """ See the full comment at https://github.com/freeipa/freeipa/pull/661#issuecomment-289693993 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#661][+ack] git-commit-template: update ticket url to use pagure.io instead of fe…
URL: https://github.com/freeipa/freeipa/pull/661 Title: #661: git-commit-template: update ticket url to use pagure.io instead of fe… Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#661][opened] git-commit-template: update ticket url to use pagure.io instead of fe…
URL: https://github.com/freeipa/freeipa/pull/661 Author: flo-renaud Title: #661: git-commit-template: update ticket url to use pagure.io instead of fe… Action: opened PR body: """ …dorahosted.org After the migration to pagure.io, tickets are accessed through another URL. In order to use the commit template: git config commit.template .git-commit-template https://pagure.io/freeipa/issue/6822 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/661/head:pr661 git checkout pr661 From 256270a2eaaa673ac3479341f8b86fb4f80c7263 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Tue, 28 Mar 2017 09:25:31 +0200 Subject: [PATCH] git-commit-template: update ticket url to use pagure.io instead of fedorahosted.org After the migration to pagure.io, tickets are accessed through another URL. In order to use the commit template: git config commit.template .git-commit-template https://pagure.io/freeipa/issue/6822 --- .git-commit-template | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.git-commit-template b/.git-commit-template index a5671eb..6076f1a 100644 --- a/.git-commit-template +++ b/.git-commit-template @@ -2,4 +2,4 @@ component: Subject Explanation -https://fedorahosted.org/freeipa/ticket/ +https://pagure.io/freeipa/issue/ -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#660][+ack] rpcserver.login_x509: Actually return reply from __call__ method
URL: https://github.com/freeipa/freeipa/pull/660 Title: #660: rpcserver.login_x509: Actually return reply from __call__ method Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#640][comment] Remove pkinit options from master/replica on DL0
URL: https://github.com/freeipa/freeipa/pull/640 Title: #640: Remove pkinit options from master/replica on DL0 stlaz commented: """ Ah, right, replica does not have `domain_level` option 🙄 """ See the full comment at https://github.com/freeipa/freeipa/pull/640#issuecomment-289684664 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#656][comment] Backup CA cert from kerberos folder
URL: https://github.com/freeipa/freeipa/pull/656 Title: #656: Backup CA cert from kerberos folder stlaz commented: """ Yes, it indeed works for me. """ See the full comment at https://github.com/freeipa/freeipa/pull/656#issuecomment-289683317 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#652][comment] dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function
URL: https://github.com/freeipa/freeipa/pull/652 Title: #652: dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function HonzaCholasta commented: """ master: * e934da09d5e738c735f874931dd1b54d79b3150b dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function ipa-4-5: * 8f738f1ea9f86a921e3dc0fd02e57419f3173ed9 dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function """ See the full comment at https://github.com/freeipa/freeipa/pull/652#issuecomment-289681810 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#652][+pushed] dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function
URL: https://github.com/freeipa/freeipa/pull/652 Title: #652: dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#652][closed] dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function
URL: https://github.com/freeipa/freeipa/pull/652 Author: flo-renaud Title: #652: dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/652/head:pr652 git checkout pr652 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#652][+ack] dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function
URL: https://github.com/freeipa/freeipa/pull/652 Title: #652: dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code