[Freeipa-devel] [freeipa PR#672][comment] IPA-KDB: use relative path in ipa-certmap config snippet
URL: https://github.com/freeipa/freeipa/pull/672
Title: #672: IPA-KDB: use relative path in ipa-certmap config snippet

abbra commented:
"""
> @sumit-bose What happens when the shared library is missing? Does 32bit kinit
> fail or work on a X86_64 system when 32bit ipadb.so is missing?

It is not about kinit. The module is for KDC, not client side. We guarantee it exists because we install it.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/672#issuecomment-290317784

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#672][comment] IPA-KDB: use relative path in ipa-certmap config snippet
URL: https://github.com/freeipa/freeipa/pull/672
Title: #672: IPA-KDB: use relative path in ipa-certmap config snippet

tiran commented:
"""
LGTM

For the record: according to https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html#plugins the plugin directive uses `plugin_base_dir` as base dir:

> module
> This tag may have multiple values. Each value is a string of the form
> modulename:pathname, which causes the shared object located at pathname to be
> registered as a dynamic module named modulename for the pluggable interface.
> If pathname is not an absolute path, it will be treated as relative to the
> plugin_base_dir value from [libdefaults].
>
> plugin_base_dir
> If set, determines the base directory where krb5 plugins are located. The
> default value is the krb5/plugins subdirectory of the krb5 library directory.

@sumit-bose What happens when the shared library is missing? Does 32bit kinit fail or work on an X86_64 system when 32bit ipadb.so is missing?
"""
See the full comment at https://github.com/freeipa/freeipa/pull/672#issuecomment-290312805
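As an added illustration of the resolution rule quoted above (this is not code from the PR, from FreeIPA or from tiran's comment): a small parser for the `[plugins]` block layout plus the absolute-versus-relative rule, run for two constructed per-architecture `plugin_base_dir` values to show why an absolute `/usr/lib64/...` module path is wrong for the 32-bit krb5 library while a relative one resolves per architecture. The snippets, the `ipakdb`/`kdb/ipadb.so` names and the base directories are constructed for the example; the real ipa-certauth file is not shown on this page.

```python
import os
import re

# Constructed krb5.conf.d snippets: one with an architecture-specific absolute
# module path, one with the relative form the PR switches to.
ABSOLUTE_SNIPPET = """\
[plugins]
 certauth = {
  module = ipakdb:/usr/lib64/krb5/plugins/kdb/ipadb.so
  enable_only = ipakdb
 }
"""

RELATIVE_SNIPPET = """\
[plugins]
 certauth = {
  module = ipakdb:kdb/ipadb.so
  enable_only = ipakdb
 }
"""

# Constructed per-architecture defaults for plugin_base_dir ("the krb5/plugins
# subdirectory of the krb5 library directory"); real values depend on the distro.
PLUGIN_BASE_DIRS = {
    "x86_64": "/usr/lib64/krb5/plugins",
    "i686": "/usr/lib/krb5/plugins",
}


def parse_plugin_modules(text):
    """Return {interface: [(modulename, pathname), ...]} for every 'module ='
    line inside the [plugins] section. Handles only the 'iface = { ... }'
    block layout used by these snippets; it is not a full krb5.conf parser."""
    modules = {}
    section = None
    interface = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section, interface = line[1:-1], None
            continue
        if section != "plugins":
            continue
        opened = re.match(r"^(\w+)\s*=\s*\{$", line)
        if opened:
            interface = opened.group(1)
            modules.setdefault(interface, [])
            continue
        if line == "}":
            interface = None
            continue
        mod = re.match(r"^module\s*=\s*([^:\s]+):(\S+)$", line)
        if mod and interface is not None:
            modules[interface].append((mod.group(1), mod.group(2)))
    return modules


def resolve_module_path(pathname, plugin_base_dir):
    """The rule quoted from the krb5.conf documentation: an absolute pathname is
    used as-is, anything else is taken relative to plugin_base_dir."""
    if os.path.isabs(pathname):
        return pathname
    return os.path.join(plugin_base_dir, pathname)


def resolve_for_arches(text, base_dirs=PLUGIN_BASE_DIRS):
    """Resolve every module of the snippet once per architecture, keyed by
    (arch, interface, modulename), as each arch's libkrb5 would do on load."""
    resolved = {}
    modules = parse_plugin_modules(text)
    for arch, base in base_dirs.items():
        for interface, entries in modules.items():
            for name, pathname in entries:
                resolved[(arch, interface, name)] = resolve_module_path(pathname, base)
    return resolved


def arch_mismatches(text, base_dirs=PLUGIN_BASE_DIRS):
    """Architectures whose krb5 library would dlopen a module outside its own
    plugin_base_dir, i.e. an object built for a different architecture."""
    bad = set()
    for (arch, _iface, _name), path in resolve_for_arches(text, base_dirs).items():
        if not path.startswith(base_dirs[arch] + os.sep):
            bad.add(arch)
    return sorted(bad)
```

With the absolute snippet, `arch_mismatches()` reports the 32-bit architecture, because its libkrb5 would be pointed at the 64-bit object; with the relative snippet every architecture resolves to its own directory.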
[Freeipa-devel] [freeipa PR#480][comment] Hide request_type doc string in cert-request help
URL: https://github.com/freeipa/freeipa/pull/480
Title: #480: Hide request_type doc string in cert-request help

Akasurde commented:
"""
Bump for review.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/480#issuecomment-290289355
[Freeipa-devel] [freeipa PR#621][synchronized] Add --password-expiration to allow an admin to force a password change
URL: https://github.com/freeipa/freeipa/pull/621 Author: redhatrises Title: #621: Add --password-expiration to allow an admin to force a password change Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/621/head:pr621 git checkout pr621 From e0f30753a461f3c05401f49a235e18f4610fe426 Mon Sep 17 00:00:00 2001 From: Gabe Date: Wed, 29 Mar 2017 20:34:08 -0600 Subject: [PATCH] Add --password-expiration to allow admin to force user password expiration - Allows an admin to easily force a user to expire their password forcing the user to change it immediately or at a specified time in the future --- ACI.txt | 2 +- API.txt | 18 -- VERSION.m4| 4 ++-- install/updates/20-aci.update | 3 ++- ipalib/parameters.py | 16 ++-- ipaserver/plugins/baseuser.py | 4 ipaserver/plugins/user.py | 2 +- 7 files changed, 32 insertions(+), 17 deletions(-) diff --git a/ACI.txt b/ACI.txt index 9c7996c..185812a 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -351,7 +351,7 @@ aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts dn: cn=users,cn=accounts,dc=ipa,dc=example aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Add Users";allow (add) groupdn = "ldap:///cn=System: Add Users,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=users,cn=accounts,dc=ipa,dc=example -aci: (targetattr = "krbprincipalkey || passwordhistory || sambalmpassword || sambantpassword || userpassword")(targetfilter = "(&(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=ipa,dc=example))(objectclass=posixaccount))")(version 3.0;acl "permission:System: Change User password";allow (write) groupdn = "ldap:///cn=System: Change User password,cn=permissions,cn=pbac,dc=ipa,dc=example";) +aci: (targetattr = "krbpasswordexpiration || krbprincipalkey || passwordhistory || sambalmpassword || sambantpassword || userpassword")(targetfilter = "(&(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=ipa,dc=example))(objectclass=posixaccount))")(version 3.0;acl "permission:System: Change User password";allow (write) groupdn = "ldap:///cn=System: Change User password,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=users,cn=accounts,dc=ipa,dc=example aci: (targetattr = "ipacertmapdata || objectclass")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Manage User Certificate Mappings";allow (write) groupdn = "ldap:///cn=System: Manage User Certificate Mappings,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=users,cn=accounts,dc=ipa,dc=example diff --git a/API.txt b/API.txt index 7594157..7850538 100644 --- a/API.txt +++ b/API.txt @@ -4828,7 +4828,7 @@ output: Entry('result') output: Output('summary', type=[, ]) output: PrimaryKey('value') command: stageuser_add/1 -args: 1,44,3 +args: 1,45,3 arg: Str('uid', cli_name='login') option: Str('addattr*', cli_name='addattr') option: Flag('all', autofill=True, cli_name='all', default=False) 
@@ -4849,6 +4849,7 @@ option: Str('ipasshpubkey*', cli_name='sshpubkey') option: Str('ipatokenradiusconfiglink?', cli_name='radius') option: Str('ipatokenradiususername?', cli_name='radius_username') option: StrEnum('ipauserauthtype*', cli_name='user_auth_type', values=[u'password', u'radius', u'otp']) +option: DateTime('krbpasswordexpiration?', cli_name='password_expiration') option: DateTime('krbprincipalexpiration?', cli_name='principal_expiration') option: Principal('krbprincipalname*', autofill=True, cli_name='principal') option: Str('l?', cli_name='city') @@ -4933,7 +4934,7 @@ output: Output('result', type=[]) output: Output('summary', type=[, ]) output: ListOfPrimaryKeys('value') command: stageuser_find/1 -args: 1,53,4 +args: 1,54,4 arg: Str('criteria?') option: Flag('all', autofill=True, cli_name='all', default=False) option: Str('carlicense*', autofill=False) @@ -4956,6 +4957,7 @@ option: Str('initials?', autofill=False) option: Str('ipatokenradiusconfiglink?', autofill=False, cli_name='radius') option: Str('ipatokenradiususername?', autofill=False, cli_name='radius_username') option: StrEnum('ipauserauthtype*', autofill=False, cli_name='user_auth_type', values=[u'password', u'radius', u'otp']) +option: DateTime('krbpasswordexpiration?', autofill=False, cli_name='password_expiration') option: DateTime('krbprincipalexpiration?', autofill=False, cli_name='principal_expiration') option: Principal('krbprincipalname*', autofill=False, cli_name='principal') option: Str('l?', autofill=False, cli_name='city') @@ -4993,7 +4995,7 @@ output: ListOfEntries('result') output: Output('summary', type=[, ]) output: Output('truncated', type=[]) command: stageuser_mod/1 -args: 1,46,3 +args: 1,47,3 arg: Str('uid', cli_name='login') option: Str('addattr*', cli_name='addattr') option: Flag('all', autofill=True, cli_name='all', default=False) @@
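Review bot: In the ACI.txt hunk, adding `krbpasswordexpiration` to the targetattr list of `System: Change User password` grants write access on that attribute to every holder of the permission, not only to admins, and the commit message says the value may be a time in the future; a role that can reset passwords can therefore also push a user's expiration past whatever the password policy's maximum lifetime would have produced. Please state that explicitly in the PR description, and if the intent is only to force a change, consider whether the permission should allow the write at all or whether the server-side plugin should clamp future values to the policy.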
[Freeipa-devel] [freeipa PR#490][comment] certdb: use certutil and match_hostname for cert verification
URL: https://github.com/freeipa/freeipa/pull/490
Title: #490: certdb: use certutil and match_hostname for cert verification

tiran commented:
"""
Your PR is going to remove the last import from python-nss. Awesome!

Please remove the requirement from `ipapython/setup.py` and `freeipa.spec.in`, too.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/490#issuecomment-290204064
[Freeipa-devel] [freeipa PR#636][+ack] [Py3] Fix ipatests.util doc tests
URL: https://github.com/freeipa/freeipa/pull/636
Title: #636: [Py3] Fix ipatests.util doc tests
Label: +ack
[Freeipa-devel] [freeipa PR#675][synchronized] [WIP] Fix PKCS11 helper
URL: https://github.com/freeipa/freeipa/pull/675 Author: MartinBasti Title: #675: [WIP] Fix PKCS11 helper Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/675/head:pr675 git checkout pr675 From 49724f4c5e85f5b6cf206ab3c5a8651fe38bd97a Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Wed, 29 Mar 2017 18:53:11 +0200 Subject: [PATCH] Fix PKCS11 helper Slots in HSM are not assigned statically, we have to chose proper slot from token label. Softhsm i2.2.0 changed this behavior and now slots can change over time (it is allowed by pkcs11 standard). Changelog: * created method get_slot() that returns slot number from used label * replaces usage of slot in __init__ method of P11_Helper with label * slot is dynamically detected from token label before session is opened * pkcs11-util --init-token now uses '--free' instead '--slot' which uses first free slot (we don't care about slot numbers anymore) https://pagure.io/freeipa/issue/6692 --- ipalib/constants.py | 2 + ipaserver/install/dnskeysyncinstance.py | 8 ++-- ipaserver/install/opendnssecinstance.py | 7 ++- ipaserver/p11helper.py | 76 +++-- 4 files changed, 81 insertions(+), 12 deletions(-) diff --git a/ipalib/constants.py b/ipalib/constants.py index f8a194c..e604bb4 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -313,3 +313,5 @@ '.cache' ) ) + +SOFTHSM_DNSSEC_TOKEN_LABEL = u'ipaDNSSEC' diff --git a/ipaserver/install/dnskeysyncinstance.py b/ipaserver/install/dnskeysyncinstance.py index 861a170..8817f25 100644 --- a/ipaserver/install/dnskeysyncinstance.py +++ b/ipaserver/install/dnskeysyncinstance.py 
@@ -23,9 +23,9 @@ from ipaplatform.constants import constants from ipaplatform.paths import paths from ipalib import errors, api +from ipalib.constants import SOFTHSM_DNSSEC_TOKEN_LABEL from ipaserver.install.bindinstance import dns_container_exists -softhsm_token_label = u'ipaDNSSEC' softhsm_slot = 0 replica_keylabel_template = u"dnssec-replica:%s" @@ -254,8 +254,8 @@ def __setup_softhsm(self): command = [ paths.SOFTHSM2_UTIL, '--init-token', -'--slot', str(softhsm_slot), -'--label', softhsm_token_label, +'--free', # use random free slot +'--label', SOFTHSM_DNSSEC_TOKEN_LABEL, '--pin', pin, '--so-pin', pin_so, ] @@ -274,7 +274,7 @@ def __setup_replica_keys(self): pin = f.read() os.environ["SOFTHSM2_CONF"] = paths.DNSSEC_SOFTHSM2_CONF -p11 = _ipap11helper.P11_Helper(softhsm_slot, pin, paths.LIBSOFTHSM2_SO) +p11 = _ipap11helper.P11_Helper(SOFTHSM_DNSSEC_TOKEN_LABEL, pin, paths.LIBSOFTHSM2_SO) try: # generate replica keypair diff --git a/ipaserver/install/opendnssecinstance.py b/ipaserver/install/opendnssecinstance.py index 467f1f0..2af4d29 100644 --- a/ipaserver/install/opendnssecinstance.py +++ b/ipaserver/install/opendnssecinstance.py @@ -20,10 +20,9 @@ from ipaplatform.paths import paths from ipalib import errors, api from ipaserver import p11helper -from ipaserver.install import dnskeysyncinstance +from ipalib.constants import SOFTHSM_DNSSEC_TOKEN_LABEL KEYMASTER = u'dnssecKeyMaster' -softhsm_slot = 0 def get_dnssec_key_masters(conn): @@ -68,7 +67,7 @@ def __init__(self, fstore=None): self.ods_gid = None self.conf_file_dict = { 'SOFTHSM_LIB': paths.LIBSOFTHSM2_SO, -'TOKEN_LABEL': dnskeysyncinstance.softhsm_token_label, +'TOKEN_LABEL': SOFTHSM_DNSSEC_TOKEN_LABEL, 'KASP_DB': paths.OPENDNSSEC_KASP_DB, 'ODS_USER': constants.ODS_USER, 'ODS_GROUP': constants.ODS_GROUP, 
@@ -237,7 +236,7 @@ def __generate_master_key(self): pin = f.read() os.environ["SOFTHSM2_CONF"] = paths.DNSSEC_SOFTHSM2_CONF -p11 = p11helper.P11_Helper(softhsm_slot, pin, paths.LIBSOFTHSM2_SO) +p11 = p11helper.P11_Helper(SOFTHSM_DNSSEC_TOKEN_LABEL, pin, paths.LIBSOFTHSM2_SO) try: # generate master key root_logger.debug("Creating master key") diff --git a/ipaserver/p11helper.py b/ipaserver/p11helper.py index 5963c6d..8d596bd 100644 --- a/ipaserver/p11helper.py +++ b/ipaserver/p11helper.py @@ -43,6 +43,8 @@ typedef unsigned long CK_ATTRIBUTE_TYPE; +typedef unsigned long ck_flags_t; + struct _CK_ATTRIBUTE { CK_ATTRIBUTE_TYPE type; @@ -253,6 +255,28 @@ CK_C_WaitForSlotEvent C_WaitForSlotEvent; }; +struct ck_token_info +{ + unsigned char label[32]; + unsigned char manufacturer_id[32]; + unsigned char model[16]; + unsigned char serial_number[16]; + ck_flags_t flags; + unsigned long max_session_count; + unsigned long session_count; + unsigned long max_rw_session_count; + unsigned long rw_session_count; + unsig
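Review bot: In the ipaserver/p11helper.py hunk, `ck_token_info.label` is a fixed 32-byte field that PKCS#11 pads with spaces and does not NUL-terminate, so the comparison in the new get_slot() must pad `SOFTHSM_DNSSEC_TOKEN_LABEL` to 32 bytes (or strip the padding from the token side) before comparing; a byte-for-byte compare against the bare string will never match. The method should also define what happens when no token or more than one token carries the label: raise explicitly rather than return the first hit or fall back to the old slot 0, because opening a session on the wrong token means DNSSEC signing with the wrong keys.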
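An added example, not code from the PR or from FreeIPA's p11helper, of the label-based slot selection the PR description calls for: a ctypes mirror of the leading CK_TOKEN_INFO fields (same order as the `ck_token_info` struct in the hunk) and a `get_slot()` that compares on the padded 32-byte form and refuses both missing and ambiguous labels. The slot ids, the extra labels and the `SAMPLE_TOKENS` table are constructed for the example; `get_slot`, `pack_label` and `lookup_error` are names chosen here, not the PR's.

```python
import ctypes


class CkTokenInfo(ctypes.Structure):
    """Leading fields of PKCS#11 CK_TOKEN_INFO, in the same order as the
    ck_token_info struct added in the PR. The text fields are fixed width,
    padded with spaces and carry no NUL terminator."""
    _fields_ = [
        ("label", ctypes.c_ubyte * 32),
        ("manufacturer_id", ctypes.c_ubyte * 32),
        ("model", ctypes.c_ubyte * 16),
        ("serial_number", ctypes.c_ubyte * 16),
        ("flags", ctypes.c_ulong),
    ]


def pack_label(label):
    """Encode a label the way C_InitToken stores it: UTF-8, space-padded to
    exactly 32 bytes. Over-long labels are rejected rather than truncated,
    because a truncated label could silently match a different token."""
    raw = label.encode("utf-8")
    if len(raw) > 32:
        raise ValueError("PKCS#11 token labels are at most 32 bytes: %r" % label)
    return raw.ljust(32, b" ")


def decode_label(info):
    """Inverse of pack_label(): drop the space padding, never scan for a NUL."""
    return bytes(info.label).rstrip(b" ").decode("utf-8")


def make_token_info(label):
    """Constructed CK_TOKEN_INFO for the examples below; only the label is set."""
    info = CkTokenInfo()
    info.label = (ctypes.c_ubyte * 32).from_buffer_copy(pack_label(label))
    return info


def get_slot(tokens, label):
    """Return the slot id of the one token carrying `label`.

    `tokens` is an iterable of (slot_id, CkTokenInfo) pairs, the shape you get
    from C_GetSlotList() followed by C_GetTokenInfo() per slot. The compare is
    done on the padded 32-byte form so the padding never matters. Zero or more
    than one match is an error: returning the first hit, or falling back to the
    old fixed slot 0, could open a session on a token holding other keys."""
    wanted = pack_label(label)
    matches = [slot for slot, info in tokens if bytes(info.label) == wanted]
    if not matches:
        raise LookupError("no token labelled %r" % label)
    if len(matches) > 1:
        raise LookupError("label %r is ambiguous, found in slots %r" % (label, matches))
    return matches[0]


def lookup_error(tokens, label):
    """None when `label` resolves to exactly one slot, else the error text."""
    try:
        get_slot(tokens, label)
    except LookupError as err:
        return str(err)
    return None


# Constructed slot table with non-contiguous ids, which is what a token store
# that no longer keeps slot numbers stable (as the PR says SoftHSM 2.2 does)
# can hand out.
SAMPLE_TOKENS = [
    (0x0, make_token_info("System token")),
    (0x4B2E1F, make_token_info("ipaDNSSEC")),
    (0x7A, make_token_info("dnssec-staging")),
]
```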
[Freeipa-devel] [bind-dyndb-ldap PR#12][comment] README.md: fix markdown formatting
URL: https://github.com/freeipa/bind-dyndb-ldap/pull/12
Title: #12: README.md: fix markdown formatting

MartinBasti commented:
"""
ACK
"""
See the full comment at https://github.com/freeipa/bind-dyndb-ldap/pull/12#issuecomment-290162668
[Freeipa-devel] [freeipa PR#675][opened] [WIP] Fix PKCS11 helper
URL: https://github.com/freeipa/freeipa/pull/675 Author: MartinBasti Title: #675: [WIP] Fix PKCS11 helper Action: opened PR body: """ Slots in HSM are not assigned statically, we have to chose proper slot from token label. Softhsm i2.2.0 changed this behavior and now slots can change over time (it is allowed by pkcs11 standard). Changelog: * created method get_slot() that returns slot number from used label * replaces usage of slot in __init__ method of P11_Helper with label * slot is dynamically detected from token label before session is opened * pkcs11-util --init-token now uses '--free' instead '--slot' which uses first free slot (we don't care about slot numbers anymore) https://pagure.io/freeipa/issue/6692 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/675/head:pr675 git checkout pr675 From 8295a9a504fe8a7b0c3bd6c24697fcd0c2358a82 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Wed, 29 Mar 2017 18:53:11 +0200 Subject: [PATCH] Fix PKCS11 helper Slots in HSM are not assigned statically, we have to chose proper slot from token label. Softhsm i2.2.0 changed this behavior and now slots can change over time (it is allowed by pkcs11 standard). Changelog: * created method get_slot() that returns slot number from used label * replaces usage of slot in __init__ method of P11_Helper with label * slot is dynamically detected from token label before session is opened * pkcs11-util --init-token now uses '--free' instead '--slot' which uses first free slot (we don't care about slot numbers anymore) https://pagure.io/freeipa/issue/6692 --- ipalib/constants.py | 2 ++ ipaserver/install/dnskeysyncinstance.py | 8 +++--- ipaserver/install/opendnssecinstance.py | 7 ++--- ipaserver/p11helper.py | 50 ++--- 4 files changed, 55 insertions(+), 12 deletions(-) diff --git a/ipalib/constants.py b/ipalib/constants.py index f8a194c..e604bb4 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py 
@@ -313,3 +313,5 @@ '.cache' ) ) + +SOFTHSM_DNSSEC_TOKEN_LABEL = u'ipaDNSSEC' diff --git a/ipaserver/install/dnskeysyncinstance.py b/ipaserver/install/dnskeysyncinstance.py index 861a170..8817f25 100644 --- a/ipaserver/install/dnskeysyncinstance.py +++ b/ipaserver/install/dnskeysyncinstance.py @@ -23,9 +23,9 @@ from ipaplatform.constants import constants from ipaplatform.paths import paths from ipalib import errors, api +from ipalib.constants import SOFTHSM_DNSSEC_TOKEN_LABEL from ipaserver.install.bindinstance import dns_container_exists -softhsm_token_label = u'ipaDNSSEC' softhsm_slot = 0 replica_keylabel_template = u"dnssec-replica:%s" @@ -254,8 +254,8 @@ def __setup_softhsm(self): command = [ paths.SOFTHSM2_UTIL, '--init-token', -'--slot', str(softhsm_slot), -'--label', softhsm_token_label, +'--free', # use random free slot +'--label', SOFTHSM_DNSSEC_TOKEN_LABEL, '--pin', pin, '--so-pin', pin_so, ] @@ -274,7 +274,7 @@ def __setup_replica_keys(self): pin = f.read() os.environ["SOFTHSM2_CONF"] = paths.DNSSEC_SOFTHSM2_CONF -p11 = _ipap11helper.P11_Helper(softhsm_slot, pin, paths.LIBSOFTHSM2_SO) +p11 = _ipap11helper.P11_Helper(SOFTHSM_DNSSEC_TOKEN_LABEL, pin, paths.LIBSOFTHSM2_SO) try: # generate replica keypair diff --git a/ipaserver/install/opendnssecinstance.py b/ipaserver/install/opendnssecinstance.py index 467f1f0..2af4d29 100644 --- a/ipaserver/install/opendnssecinstance.py +++ b/ipaserver/install/opendnssecinstance.py @@ -20,10 +20,9 @@ from ipaplatform.paths import paths from ipalib import errors, api from ipaserver import p11helper -from ipaserver.install import dnskeysyncinstance +from ipalib.constants import SOFTHSM_DNSSEC_TOKEN_LABEL KEYMASTER = u'dnssecKeyMaster' -softhsm_slot = 0 def get_dnssec_key_masters(conn): 
@@ -68,7 +67,7 @@ def __init__(self, fstore=None): self.ods_gid = None self.conf_file_dict = { 'SOFTHSM_LIB': paths.LIBSOFTHSM2_SO, -'TOKEN_LABEL': dnskeysyncinstance.softhsm_token_label, +'TOKEN_LABEL': SOFTHSM_DNSSEC_TOKEN_LABEL, 'KASP_DB': paths.OPENDNSSEC_KASP_DB, 'ODS_USER': constants.ODS_USER, 'ODS_GROUP': constants.ODS_GROUP, @@ -237,7 +236,7 @@ def __generate_master_key(self): pin = f.read() os.environ["SOFTHSM2_CONF"] = paths.DNSSEC_SOFTHSM2_CONF -p11 = p11helper.P11_Helper(softhsm_slot, pin, paths.LIBSOFTHSM2_SO) +p11 = p11helper.P11_Helper(SOFTHSM_DNSSEC_TOKEN_LABEL, pin, paths.LIBSOFTHSM2_SO) try: # generate master key root_logger.debug("Creating master key") diff --git a/ipaserver/p11helper.py b/ipaserver/p11helper.py index 5963c6d..0ad858
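Review bot: In the dnskeysyncinstance.py hunk, `softhsm_slot = 0` is kept although both of its users, the `'--slot', str(softhsm_slot)` argument and the `P11_Helper(softhsm_slot, ...)` call, are removed in the same patch; drop the variable so nothing can quietly reintroduce a fixed slot number later. The new inline comment `# use random free slot` also contradicts the commit message, which says `--free` takes the first free slot; the comment should say "first free slot".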
Re: [Freeipa-devel] Issue connecting through Clients
On Wed, 29 Mar 2017, Bradley Bishop wrote:
> Hello all,
>
> I have an IPA setup with AD and DNS resides on AD and am having issues authenticating with my clients. Getting the following error on my clients:
>
> (Wed Mar 29 09:22:33 2017) [sssd[be[ipa.brad.local]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: host/bradltest3.brad.local

Your IPA domain is ipa.brad.local, your host name is bradltest3.brad.local, e.g. it is not in IPA domain. It looks like your IPA client machine is in the AD DNS domain. You should read http://rhelblog.redhat.com/2016/07/13/i-really-cant-rename-my-hosts/ and http://www.freeipa.org/page/V4/IPA_Client_in_Active_Directory_DNS_domain to understand what nightmare you are inflicting yourself into. ;)

--
/ Alexander Bokovoy
[Freeipa-devel] [freeipa PR#674][opened] Replace hard-coded kdcproxy path with WSGI script
URL: https://github.com/freeipa/freeipa/pull/674 Author: tiran Title: #674: Replace hard-coded kdcproxy path with WSGI script Action: opened PR body: """ mod_wsgi has no way to import a WSGI module by dotted module name. A new kdcproxy.wsgi script is used to import kdcproxy from whatever Python version mod_wsgi is compiled against. This will simplify moving FreeIPA to Python 3 and solves an import problem on Debian. Resolves: https://pagure.io/freeipa/issue/6834 Signed-off-by: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/674/head:pr674 git checkout pr674 From c10b628ecc6ef9759300ad96d065566c5e3ca94d Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Wed, 29 Mar 2017 17:58:47 +0200 Subject: [PATCH] Replace hard-coded kdcproxy path with WSGI script mod_wsgi has no way to import a WSGI module by dotted module name. A new kdcproxy.wsgi script is used to import kdcproxy from whatever Python version mod_wsgi is compiled against. This will simplify moving FreeIPA to Python 3 and solves an import problem on Debian. Resolves: https://pagure.io/freeipa/issue/6834 Signed-off-by: Christian Heimes --- freeipa.spec.in | 1 + install/conf/ipa-kdc-proxy.conf.template | 4 ++-- install/share/Makefile.am| 1 + install/share/kdcproxy.wsgi | 5 + 4 files changed, 9 insertions(+), 2 deletions(-) create mode 100644 install/share/kdcproxy.wsgi diff --git a/freeipa.spec.in b/freeipa.spec.in index 829c3f0..d606996 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -1256,6 +1256,7 @@ fi # END %dir %{_usr}/share/ipa %{_usr}/share/ipa/wsgi.py* +%{_usr}/share/ipa/kdcproxy.wsgi %{_usr}/share/ipa/*.ldif %{_usr}/share/ipa/*.uldif %{_usr}/share/ipa/*.template diff --git a/install/conf/ipa-kdc-proxy.conf.template b/install/conf/ipa-kdc-proxy.conf.template index 9290ceb..6721219 100644 --- a/install/conf/ipa-kdc-proxy.conf.template +++ b/install/conf/ipa-kdc-proxy.conf.template 
@@ -16,9 +16,9 @@ WSGIDaemonProcess kdcproxy processes=2 threads=15 maximum-requests=5000 \ user=kdcproxy group=kdcproxy display-name=%{GROUP} -WSGIImportScript /usr/lib/python2.7/site-packages/kdcproxy/__init__.py \ +WSGIImportScript /usr/share/ipa/kdcproxy.wsgi \ process-group=kdcproxy application-group=kdcproxy -WSGIScriptAlias /KdcProxy /usr/lib/python2.7/site-packages/kdcproxy/__init__.py +WSGIScriptAlias /KdcProxy /usr/share/ipa/kdcproxy.wsgi WSGIScriptReloading Off diff --git a/install/share/Makefile.am b/install/share/Makefile.am index 9e539a3..3a34f6e 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -90,6 +90,7 @@ dist_app_DATA =\ gssapi.login \ ipa.conf.tmpfiles \ gssproxy.conf.template \ + kdcproxy.wsgi \ $(NULL) kdcproxyconfdir = $(IPA_SYSCONF_DIR)/kdcproxy diff --git a/install/share/kdcproxy.wsgi b/install/share/kdcproxy.wsgi new file mode 100644 index 000..be1693c --- /dev/null +++ b/install/share/kdcproxy.wsgi @@ -0,0 +1,5 @@ +# Copyright (C) 2017 FreeIPA Contributors see COPYING for license +"""WSGI entry point for kdcproxy +""" +from kdcproxy import application + -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
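Review bot: In the install/share/kdcproxy.wsgi hunk, `from kdcproxy import application` is the entire script and `application` is never referenced in it, so pyflakes/pylint will flag an unused import; add `__all__ = ('application',)` or a one-line comment that mod_wsgi looks the name up in the script's globals, and drop the trailing blank line the hunk adds. In the ipa-kdc-proxy.conf.template hunk the new `/usr/share/ipa/kdcproxy.wsgi` is still a hard-coded path; it is under FreeIPA's own data directory rather than a Python version's site-packages, so the Debian problem is solved, but if that data directory ever differs per distribution the template will need the same substitution treatment as the other conf templates.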
[Freeipa-devel] [freeipa PR#673][opened] Conf template
URL: https://github.com/freeipa/freeipa/pull/673 Author: tjaalton Title: #673: Conf template Action: opened PR body: """ Move conf templates to a common location, make ipa.conf and named.conf portable. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/673/head:pr673 git checkout pr673 From 134fec33ecbbb462a18fb9dd135b3b3cf23d80fd Mon Sep 17 00:00:00 2001 From: Timo Aaltonen Date: Wed, 15 Mar 2017 19:28:07 +0200 Subject: [PATCH 1/3] Move config templates from install/conf to install/share --- configure.ac | 1 - freeipa.spec.in | 3 - install/Makefile.am | 1 - install/conf/Makefile.am | 13 -- install/conf/ipa-kdc-proxy.conf.template | 30 install/conf/ipa-pki-proxy.conf | 46 -- install/conf/ipa-rewrite.conf | 22 --- install/conf/ipa.conf | 227 -- install/share/Makefile.am | 4 + install/share/ipa-kdc-proxy.conf.template | 30 install/share/ipa-pki-proxy.conf.template | 46 ++ install/share/ipa-rewrite.conf.template | 22 +++ install/share/ipa.conf.template | 227 ++ ipaserver/install/dogtaginstance.py | 2 +- ipaserver/install/httpinstance.py | 4 +- ipaserver/install/server/upgrade.py | 6 +- 16 files changed, 335 insertions(+), 349 deletions(-) delete mode 100644 install/conf/Makefile.am delete mode 100644 install/conf/ipa-kdc-proxy.conf.template delete mode 100644 install/conf/ipa-pki-proxy.conf delete mode 100644 install/conf/ipa-rewrite.conf delete mode 100644 install/conf/ipa.conf create mode 100644 install/share/ipa-kdc-proxy.conf.template create mode 100644 install/share/ipa-pki-proxy.conf.template create mode 100644 install/share/ipa-rewrite.conf.template create mode 100644 install/share/ipa.conf.template diff --git a/configure.ac b/configure.ac index f5c5270..2125d05 100644 --- a/configure.ac +++ b/configure.ac @@ -538,7 +538,6 @@ AC_CONFIG_FILES([ init/Makefile install/Makefile install/certmonger/Makefile -install/conf/Makefile install/html/Makefile install/migration/Makefile install/share/Makefile 
diff --git a/freeipa.spec.in b/freeipa.spec.in index 829c3f0..5235e13 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -1312,9 +1312,6 @@ fi %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/kdcproxy/ipa-kdc-proxy.conf %dir %attr(0755,root,root) %{_sysconfdir}/ipa/dnssec -%{_usr}/share/ipa/ipa.conf -%{_usr}/share/ipa/ipa-rewrite.conf -%{_usr}/share/ipa/ipa-pki-proxy.conf %ghost %attr(0644,root,apache) %config(noreplace) %{_usr}/share/ipa/html/ca.crt %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/kerberosauth.xpi %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb.con diff --git a/install/Makefile.am b/install/Makefile.am index f895bcc..f0ec9c7 100644 --- a/install/Makefile.am +++ b/install/Makefile.am @@ -6,7 +6,6 @@ NULL = SUBDIRS = \ certmonger \ -conf \ html \ migration \ share \ diff --git a/install/conf/Makefile.am b/install/conf/Makefile.am deleted file mode 100644 index 751bb16..000 --- a/install/conf/Makefile.am +++ /dev/null @@ -1,13 +0,0 @@ -NULL = - -appdir = $(IPA_DATA_DIR) -app_DATA = \ - ipa.conf \ - ipa-kdc-proxy.conf.template \ - ipa-pki-proxy.conf \ - ipa-rewrite.conf \ - $(NULL) - -EXTRA_DIST =\ -$(app_DATA) \ -$(NULL) diff --git a/install/conf/ipa-kdc-proxy.conf.template b/install/conf/ipa-kdc-proxy.conf.template deleted file mode 100644 index 9290ceb..000 --- a/install/conf/ipa-kdc-proxy.conf.template +++ /dev/null 
@@ -1,30 +0,0 @@ -# Kerberos over HTTP / MS-KKDCP support (Kerberos KDC Proxy) -# -# The symlink from /etc/ipa/kdcproxy/ to /etc/httpd/conf.d/ is maintained -# by the ExecStartPre script /usr/libexec/ipa/ipa-httpd-kdcproxy in -# httpd.service. The service also sets the environment variable -# KDCPROXY_CONFIG to $KDCPROXY_CONFIG. -# -# Disable KDC Proxy on the current host: -# # ipa-ldap-updater /usr/share/ipa/kdcproxy-disable.uldif -# # systemctl restart httpd.service -# -# Enable KDC Proxy on the current host: -# # ipa-ldap-updater /usr/share/ipa/kdcproxy-enable.uldif -# # systemctl restart httpd.service -# - -WSGIDaemonProcess kdcproxy processes=2 threads=15 maximum-requests=5000 \ - user=kdcproxy group=kdcproxy display-name=%{GROUP} -WSGIImportScript /usr/lib/python2.7/site-packages/kdcproxy/__init__.py \ - process-group=kdcproxy application-group=kdcproxy -WSGIScriptAlias /KdcProxy /usr/lib/python2.7/site-packages/kdcproxy/__init__.py -WSGIScriptReloading Off - -
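Review bot: In the freeipa.spec.in hunk, the explicit `%{_usr}/share/ipa/ipa.conf`, `ipa-rewrite.conf` and `ipa-pki-proxy.conf` entries are removed but no entries for the renamed `.template` files are added; this only packages correctly because the spec already carries a `%{_usr}/share/ipa/*.template` glob (visible in the PR#674 spec hunk on this page), so the commit message should say the renamed files are now covered by that glob. Note also that `install/conf/ipa-kdc-proxy.conf.template`, deleted wholesale in this patch, is modified in place by PR#674; whichever lands second will need a rebase, and the `WSGIImportScript`/`WSGIScriptAlias` change from #674 must be carried over into `install/share/ipa-kdc-proxy.conf.template`.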
[Freeipa-devel] [freeipa PR#621][comment] Add --password-expiration to allow an admin to force a password change
URL: https://github.com/freeipa/freeipa/pull/621
Title: #621: Add --password-expiration to allow an admin to force a password change

redhatrises commented:
"""
@HonzaCholasta updated "Admins can write passwords" ACI to contain 'krbPasswordExpiration' as the "Admin can manage any entry" ACI already had 'krbPasswordExpiration' added.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/621#issuecomment-290122377
[Freeipa-devel] [freeipa PR#621][synchronized] Add --password-expiration to allow an admin to force a password change
URL: https://github.com/freeipa/freeipa/pull/621 Author: redhatrises Title: #621: Add --password-expiration to allow an admin to force a password change Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/621/head:pr621 git checkout pr621 From 92126da02f7dea0bbe0b596d86ab538bc590fac1 Mon Sep 17 00:00:00 2001 From: Gabe Date: Wed, 29 Mar 2017 09:12:26 -0600 Subject: [PATCH] Add --password-expiration to allow admin to force user password expiration - Allows an admin to easily force a user to expire their password forcing the user to change it immediately or at a specified time in the future --- ACI.txt | 2 +- API.txt | 18 -- VERSION.m4| 2 +- install/updates/20-aci.update | 2 +- ipalib/parameters.py | 16 ++-- ipaserver/plugins/baseuser.py | 4 ipaserver/plugins/user.py | 2 +- 7 files changed, 30 insertions(+), 16 deletions(-) diff --git a/ACI.txt b/ACI.txt index 9c7996c..185812a 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -351,7 +351,7 @@ aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts dn: cn=users,cn=accounts,dc=ipa,dc=example aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Add Users";allow (add) groupdn = "ldap:///cn=System: Add Users,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=users,cn=accounts,dc=ipa,dc=example -aci: (targetattr = "krbprincipalkey || passwordhistory || sambalmpassword || sambantpassword || userpassword")(targetfilter = "(&(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=ipa,dc=example))(objectclass=posixaccount))")(version 3.0;acl "permission:System: Change User password";allow (write) groupdn = "ldap:///cn=System: Change User password,cn=permissions,cn=pbac,dc=ipa,dc=example";) +aci: (targetattr = "krbpasswordexpiration || krbprincipalkey || passwordhistory || sambalmpassword || sambantpassword || userpassword")(targetfilter = "(&(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=ipa,dc=example))(objectclass=posixaccount))")(version 3.0;acl "permission:System: Change User password";allow (write) groupdn = "ldap:///cn=System: Change User password,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=users,cn=accounts,dc=ipa,dc=example aci: (targetattr = "ipacertmapdata || objectclass")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Manage User Certificate Mappings";allow (write) groupdn = "ldap:///cn=System: Manage User Certificate Mappings,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=users,cn=accounts,dc=ipa,dc=example diff --git a/API.txt b/API.txt index 7594157..7850538 100644 --- a/API.txt +++ b/API.txt @@ -4828,7 +4828,7 @@ output: Entry('result') output: Output('summary', type=[, ]) output: PrimaryKey('value') command: stageuser_add/1 -args: 1,44,3 +args: 1,45,3 arg: Str('uid', cli_name='login') option: Str('addattr*', cli_name='addattr') option: Flag('all', autofill=True, cli_name='all', default=False) 
@@ -4849,6 +4849,7 @@ option: Str('ipasshpubkey*', cli_name='sshpubkey') option: Str('ipatokenradiusconfiglink?', cli_name='radius') option: Str('ipatokenradiususername?', cli_name='radius_username') option: StrEnum('ipauserauthtype*', cli_name='user_auth_type', values=[u'password', u'radius', u'otp']) +option: DateTime('krbpasswordexpiration?', cli_name='password_expiration') option: DateTime('krbprincipalexpiration?', cli_name='principal_expiration') option: Principal('krbprincipalname*', autofill=True, cli_name='principal') option: Str('l?', cli_name='city') @@ -4933,7 +4934,7 @@ output: Output('result', type=[]) output: Output('summary', type=[, ]) output: ListOfPrimaryKeys('value') command: stageuser_find/1 -args: 1,53,4 +args: 1,54,4 arg: Str('criteria?') option: Flag('all', autofill=True, cli_name='all', default=False) option: Str('carlicense*', autofill=False) @@ -4956,6 +4957,7 @@ option: Str('initials?', autofill=False) option: Str('ipatokenradiusconfiglink?', autofill=False, cli_name='radius') option: Str('ipatokenradiususername?', autofill=False, cli_name='radius_username') option: StrEnum('ipauserauthtype*', autofill=False, cli_name='user_auth_type', values=[u'password', u'radius', u'otp']) +option: DateTime('krbpasswordexpiration?', autofill=False, cli_name='password_expiration') option: DateTime('krbprincipalexpiration?', autofill=False, cli_name='principal_expiration') option: Principal('krbprincipalname*', autofill=False, cli_name='principal') option: Str('l?', autofill=False, cli_name='city') @@ -4993,7 +4995,7 @@ output: ListOfEntries('result') output: Output('summary', type=[, ]) output: Output('truncated', type=[]) command: stageuser_mod/1 -args: 1,46,3 +args: 1,47,3 arg: Str('uid', cli_name='login') option: Str('addattr*', cli_name='addattr') option: Flag('all', autofill=True, cli_name='all', default=False) @@ -5
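Review bot: In the API.txt hunks, `DateTime('krbpasswordexpiration?', cli_name='password_expiration')` is exposed on `stageuser_add` and `stageuser_mod` as well as `stageuser_find`; a staged user cannot authenticate until it is activated, so an expiration set at this stage only takes effect after `stageuser-activate`. That is fine, but the parameter's doc string (not visible in this hunk) should say so, and the `stageuser_find` variant with `autofill=False` should be confirmed to be a search filter on the attribute rather than a writable option.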
[Freeipa-devel] [freeipa PR#621][comment] Add --password-expiration to allow an admin to force a password change
URL: https://github.com/freeipa/freeipa/pull/621 Title: #621: Add --password-expiration to allow an admin to force a password change HonzaCholasta commented: """ The `admin` user is not allowed to write to the attribute: ``` $ kinit admin Password for ad...@abc.idm.lab.eng.brq.redhat.com: $ ipa user-mod jcholast --password-expiration=now ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'krbPasswordExpiration' attribute of entry 'uid=jcholast,cn=users,cn=accounts,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'. ``` Please update the "Admin can manage any entry" ACI in `install/updates/20-aci.update`. """ See the full comment at https://github.com/freeipa/freeipa/pull/621#issuecomment-290114123 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#672][opened] IPA-KDB: use relative path in ipa-certmap config snippet
URL: https://github.com/freeipa/freeipa/pull/672 Author: sumit-bose Title: #672: IPA-KDB: use relative path in ipa-certmap config snippet Action: opened PR body: """ Architecture specific paths should be avoided in the global Kerberos configuration because it is read e.g. by 32bit and 64bit libraries they are installed in parallel. Resolves https://pagure.io/freeipa/issue/6833 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/672/head:pr672 git checkout pr672 From 54460a33d3d95dbcaec56bf45999a39c10da60ed Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Wed, 29 Mar 2017 15:46:50 +0200 Subject: [PATCH] IPA-KDB: use relative path in ipa-certmap config snippet Architecture specific paths should be avoided in the global Kerberos configuration because it is read e.g. by 32bit and 64bit libraries they are installed in parallel. Resolves https://pagure.io/freeipa/issue/6833 --- daemons/ipa-kdb/Makefile.am | 12 daemons/ipa-kdb/ipa-certauth| 5 + daemons/ipa-kdb/ipa-certauth.in | 5 - 3 files changed, 9 insertions(+), 13 deletions(-) create mode 100644 daemons/ipa-kdb/ipa-certauth delete mode 100644 daemons/ipa-kdb/ipa-certauth.in diff --git a/daemons/ipa-kdb/Makefile.am b/daemons/ipa-kdb/Makefile.am index 715666e..259bc3b 100644 --- a/daemons/ipa-kdb/Makefile.am +++ b/daemons/ipa-kdb/Makefile.am @@ -40,18 +40,16 @@ ipadb_la_SOURCES = \ ipa_kdb_audit_as.c \ $(NULL) +dist_noinst_DATA = ipa_kdb.exports + if BUILD_IPA_CERTAUTH_PLUGIN ipadb_la_SOURCES += ipa_kdb_certauth.c -%: %.in - sed \ - -e 's|@plugindir@|$(plugindir)|g' \ - '$(srcdir)/$@.in' >$@ - krb5confdir = $(sysconfdir)/krb5.conf.d krb5conf_DATA = ipa-certauth -CLEANFILES = $(krb5conf_DATA) +else +dist_noinst_DATA += ipa-certauth endif ipadb_la_LDFLAGS = \ @@ -105,8 +103,6 @@ ipa_kdb_tests_LDADD = \ -lsss_idmap \ $(NULL) -dist_noinst_DATA = ipa_kdb.exports ipa-certauth.in - clean-local: rm -f tests/.dirstamp 
diff --git a/daemons/ipa-kdb/ipa-certauth b/daemons/ipa-kdb/ipa-certauth new file mode 100644 index 000..6fde082 --- /dev/null +++ b/daemons/ipa-kdb/ipa-certauth @@ -0,0 +1,5 @@ +[plugins] + certauth = { + module = ipakdb:kdb/ipadb.so + enable_only = ipakdb + } diff --git a/daemons/ipa-kdb/ipa-certauth.in b/daemons/ipa-kdb/ipa-certauth.in deleted file mode 100644 index eda89a2..000 --- a/daemons/ipa-kdb/ipa-certauth.in +++ /dev/null @@ -1,5 +0,0 @@ -[plugins] - certauth = { - module = ipakdb:@plugindir@/ipadb.so - enable_only = ipakdb - } -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
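Review bot: In the Makefile.am hunk, `krb5conf_DATA = ipa-certauth` carries no `dist_` prefix, and automake does not distribute `_DATA` files by default, so a `make dist` from a tree configured with BUILD_IPA_CERTAUTH_PLUGIN enabled will leave ipa-certauth out of the tarball; the file is only added to `dist_noinst_DATA` in the `else` branch. Before this patch `ipa-certauth.in` sat in `dist_noinst_DATA` unconditionally. Using `dist_krb5conf_DATA = ipa-certauth` in the `if` branch (keeping the `else` branch as it is) makes the snippet ship regardless of how the dist tree was configured.

Review bot: In the new ipa-certauth file, `module = ipakdb:kdb/ipadb.so` is resolved by libkrb5 relative to `plugin_base_dir` from `[libdefaults]`, which defaults to the krb5/plugins subdirectory of the krb5 library directory; that default is what lets one snippet serve both the 32-bit and the 64-bit library. The flip side is that a deployment that sets `plugin_base_dir` in krb5.conf will make the KDC look for ipadb.so under that directory instead, so the dependency on the default `plugin_base_dir` deserves a sentence in the commit message or a comment line in the snippet.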
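To make the path behaviour the PR relies on concrete, here is an added example (not code from the PR or from FreeIPA) that parses a krb5.conf.d `[plugins]` snippet and resolves each module pathname the way MIT krb5 documents it: an absolute pathname is used as-is, a relative one is joined to `plugin_base_dir`, whose default is the krb5/plugins subdirectory of the krb5 library directory. The relative snippet is the one the patch installs; the absolute variant and the two library directories (/usr/lib and /usr/lib64, a typical multilib layout) are assumptions for illustration.

```python
"""Added example: resolve [plugins] module paths per architecture as libkrb5 does.

Not part of the PR.  The library directories and the expanded absolute path
are assumed for illustration; the relative snippet is the one the patch ships.
"""
import posixpath
from typing import Dict, List, Optional, Tuple

# The snippet as installed by this patch (relative module path).
RELATIVE_SNIPPET = """\
[plugins]
 certauth = {
  module = ipakdb:kdb/ipadb.so
  enable_only = ipakdb
 }
"""

# What the pre-patch template produced on a 64-bit build host; the expanded
# @plugindir@ value is an assumption used only to show the problem.
ABSOLUTE_SNIPPET = """\
[plugins]
 certauth = {
  module = ipakdb:/usr/lib64/krb5/plugins/kdb/ipadb.so
  enable_only = ipakdb
 }
"""


def parse_plugins(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse the [plugins] section into {interface: {key: [values]}}.

    Values are lists because a key such as `module` may appear several times.
    Other sections are skipped; malformed input raises ValueError.
    """
    plugins: Dict[str, Dict[str, List[str]]] = {}
    section: Optional[str] = None
    iface: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section, iface = line[1:-1].strip().lower(), None
            continue
        if section != "plugins":
            continue
        if line == "}":
            if iface is None:
                raise ValueError("unbalanced '}' in [plugins]")
            iface = None
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or not key:
            raise ValueError("cannot parse %r" % raw)
        if value == "{":
            iface = key
            plugins.setdefault(iface, {})
        elif iface is None:
            raise ValueError("%r outside an interface block" % key)
        else:
            plugins[iface].setdefault(key, []).append(value)
    if iface is not None:
        raise ValueError("unterminated block for interface %r" % iface)
    return plugins


def resolve_module(directive: str, plugin_base_dir: str) -> Tuple[str, str]:
    """Split modulename:pathname; relative paths are taken from plugin_base_dir."""
    name, sep, path = directive.partition(":")
    if not sep or not name or not path:
        raise ValueError("module must be modulename:pathname, got %r" % directive)
    if not posixpath.isabs(path):
        path = posixpath.join(plugin_base_dir, path)
    return name, posixpath.normpath(path)


def resolve_for_arch(text: str, libdir: str,
                     plugin_base_dir: Optional[str] = None) -> Dict[str, Dict[str, str]]:
    """Map interface -> {module name -> absolute .so path} for one libkrb5 build.

    `libdir` is that build's krb5 library directory; `plugin_base_dir`
    overrides the default <libdir>/krb5/plugins from [libdefaults].
    """
    base = plugin_base_dir or posixpath.join(libdir, "krb5", "plugins")
    resolved: Dict[str, Dict[str, str]] = {}
    for iface, keys in parse_plugins(text).items():
        resolved[iface] = dict(resolve_module(d, base) for d in keys.get("module", []))
    return resolved


if __name__ == "__main__":
    for libdir in ("/usr/lib", "/usr/lib64"):
        print(libdir, "relative:", resolve_for_arch(RELATIVE_SNIPPET, libdir)["certauth"])
        print(libdir, "absolute:", resolve_for_arch(ABSOLUTE_SNIPPET, libdir)["certauth"])
```

Running it shows the point of the PR: the relative snippet resolves to /usr/lib/krb5/plugins/kdb/ipadb.so for the 32-bit library and /usr/lib64/krb5/plugins/kdb/ipadb.so for the 64-bit one, while the absolute snippet hands the 64-bit path to both.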
[Freeipa-devel] [freeipa PR#629][synchronized] adtrust: make sure that runtime hostname result is consistent with the configuration
URL: https://github.com/freeipa/freeipa/pull/629 Author: abbra Title: #629: adtrust: make sure that runtime hostname result is consistent with the configuration Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/629/head:pr629 git checkout pr629 From 195b5b98defa5ac3ad90d75bc411a315fccfdd52 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Mon, 20 Mar 2017 13:23:44 +0200 Subject: [PATCH] adtrust: make sure that runtime hostname result is consistent with the configuration FreeIPA's `ipasam` module to Samba uses gethostname() call to identify own server's host name. This value is then used in multiple places, including construction of cifs/host.name principal. `ipasam` module always uses GSSAPI authentication when talking to LDAP, so Kerberos keys must be available in the /etc/samba/samba.keytab. However, if the principal was created using non-FQDN name but system reports FQDN name, `ipasam` will fail to acquire Kerberos credentials. Same with FQDN principal and non-FQDN hostname. Also host name and principal name must have the same case. Report an error when configuring ADTrust instance with inconsistent runtime hostname and configuration. This prevents errors like this: [20/21]: starting CIFS services ipa : CRITICAL CIFS services failed to start where samba logs have this: [2017/03/20 06:34:27.385307, 0] ipa_sam.c:4193(bind_callback_cleanup) kerberos error: code=-1765328203, message=Keytab contains no suitable keys for cifs/ipatr...@example.com [2017/03/20 06:34:27.385476, 1] ../source3/lib/smbldap.c:1206(get_cached_ldap_connect) Connection to LDAP server failed for the 16 try! Fixes https://pagure.io/freeipa/issue/6786 --- ipaserver/install/adtrustinstance.py | 12 1 file changed, 12 insertions(+) diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py index 0b18985..b4db055 100644 --- a/ipaserver/install/adtrustinstance.py 
+++ b/ipaserver/install/adtrustinstance.py @@ -27,6 +27,7 @@ import string import struct import re +import socket import six @@ -689,6 +690,15 @@ def __enable_compat_tree(self): except Exception as e: root_logger.critical("Enabling nsswitch support in slapi-nis failed with error '%s'" % e) +def __validate_server_hostname(self): +hostname = socket.gethostname() +if hostname != self.fqdn: +raise ValueError("Host reports different name than configured: " + "'%s' versus '%s'. Samba requires to have " + "the same hostname or Kerberos principal " + "'cifs/%s' will not be found in Samba keytab." % + (hostname, self.fqdn, self.fqdn)) + def __start(self): try: self.start() @@ -804,6 +814,8 @@ def find_local_id_range(self): api.Backend.ldap2.add_entry(entry) def create_instance(self): +self.step("validate server hostname", + self.__validate_server_hostname) self.step("stopping smbd", self.__stop) self.step("creating samba domain object", \ self.__create_samba_domain_object) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
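Review bot: In the `__validate_server_hostname` hunk, a one-line comment on why `socket.gethostname()` is used rather than `socket.getfqdn()`, and why the comparison is deliberately case-sensitive, would save the next reader a trip to the commit message: the reason (it must mirror the gethostname() call `ipasam` makes, and the principal in the keytab must match in case) is only stated there. While at it, the message text `"Samba requires to have the same hostname or Kerberos principal 'cifs/%s' will not be found in Samba keytab."` reads awkwardly; something like `"Samba requires the hostname to match, otherwise the Kerberos principal 'cifs/%s' will not be found in the Samba keytab."` is clearer.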
[Freeipa-devel] [freeipa PR#621][comment] Add --password-expiration to allow an admin to force a password change
URL: https://github.com/freeipa/freeipa/pull/621 Title: #621: Add --password-expiration to allow an admin to force a password change redhatrises commented: """ > @redhatrises, datetime.utcnow() is what I meant. Oh good. Ready for your review. """ See the full comment at https://github.com/freeipa/freeipa/pull/621#issuecomment-290089437 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#666][+ack] Fix anonymous principal handling in replica install
URL: https://github.com/freeipa/freeipa/pull/666 Title: #666: Fix anonymous principal handling in replica install Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#666][comment] Fix anonymous principal handling in replica install
URL: https://github.com/freeipa/freeipa/pull/666 Title: #666: Fix anonymous principal handling in replica install stlaz commented: """ I actually did the review of https://github.com/freeipa/freeipa/pull/631 alongside this. I do not think the order of adding the anonymous principal and setting up PKINIT matters that much. From what I saw in Kerberos guides, it's usually actually done after PKINIT setup since until then, the anonymous principal is pretty much unusable. The problem was rather the testing of anonymous pkinit before the anonymous principal was added, that is just plainly weird and I'm glad that that's now fixed. ACK since this fixes the issues mentioned in comments. """ See the full comment at https://github.com/freeipa/freeipa/pull/666#issuecomment-290088490 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#631][+ack] Upgrade: configure PKINIT after adding anonymous principal
URL: https://github.com/freeipa/freeipa/pull/631 Title: #631: Upgrade: configure PKINIT after adding anonymous principal Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] Issue connecting through Clients
Hello all,

I have an IPA setup with AD, with DNS residing on AD, and I am having issues authenticating with my clients. I am getting the following error on my clients:

(Wed Mar 29 09:22:33 2017) [sssd[be[ipa.brad.local]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: host/bradltest3.brad.local
(Wed Mar 29 09:22:33 2017) [sssd[be[ipa.brad.local]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
(Wed Mar 29 09:22:33 2017) [sssd[be[ipa.brad.local]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server krbtgt/brad.lo...@ipa.brad.LOCAL not found in Kerberos database)]

I don't think it is DNS, because I can resolve both the IPA server and the client:

[root@bradltest3 ~]# host homeipa01.brad.local
homeipa01.brad.local has address 11.10.10.17
[root@bradltest3 ~]# host 11.10.10.17
17.10.10.11.in-addr.arpa domain name pointer ipa-ca.ipa.brad.local.
17.10.10.11.in-addr.arpa domain name pointer homeipa01.brad.local.
17.10.10.11.in-addr.arpa domain name pointer homeipa01.ipa.brad.local.
[root@bradltest3 ~]# host bradltest3.brad.local
bradltest3.brad.local has address 11.10.10.24
[root@bradltest3 ~]# host 11.10.10.24
24.10.10.11.in-addr.arpa domain name pointer bradltest3.brad.local.

I am at a loss on where to look next, and any help or direction would be much appreciated.

Thank you all in advance,
Bradley Bishop
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
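The failing lookup in the sssd log above is for a `krbtgt/...@...` principal, which is what a client asks its KDC for when it believes the target host lives in a different realm. As an added example (not from the thread, and not a diagnosis of the reporter's setup, whose krb5.conf the post does not show), the following code reproduces the documented MIT krb5 `[domain_realm]` rules: an entry for the exact hostname wins, then each parent domain written with a leading dot, and when nothing matches and no referral is obtained, the host's domain portion in upper case. The hostnames and realm are the ones in the post; the two krb5.conf mappings are constructed for illustration.

```python
"""Added example: which realm, and therefore which krbtgt, an MIT krb5 client
derives for a service host from [domain_realm].  Not code from the thread.
Hostnames and realm are from the post; the mappings are constructed.
Referrals and DNS TXT lookups are not modelled.
"""
from typing import Dict


def host_realm(hostname: str, domain_realm: Dict[str, str]) -> str:
    """Return the realm krb5 maps `hostname` to.

    `domain_realm` mirrors the [domain_realm] section: keys are either full
    hostnames or domains with a leading dot, values are realm names.  MIT
    documents that these keys should be lower case, so the table and the
    hostname are normalised to lower case here.
    """
    table = {k.lower(): v for k, v in domain_realm.items()}
    host = hostname.lower().rstrip(".")
    if host in table:                       # exact hostname entry wins
        return table[host]
    labels = host.split(".")
    for i in range(1, len(labels)):         # .brad.local, then .local
        parent = "." + ".".join(labels[i:])
        if parent in table:
            return table[parent]
    # No mapping and no referral: fall back to the upper-cased domain portion.
    # A single-label host has none; return the empty (referral) realm.
    return ".".join(labels[1:]).upper()


def krbtgt_requested(client_realm: str, server_host: str,
                     domain_realm: Dict[str, str]) -> str:
    """The krbtgt the client needs before it can request the service ticket.

    Same realm: the ordinary TGT krbtgt/REALM@REALM it already holds.
    Different realm: a cross-realm TGT krbtgt/SERVER_REALM@CLIENT_REALM,
    which the client's KDC can only issue if a trust to SERVER_REALM exists.
    """
    server_realm = host_realm(server_host, domain_realm)
    return "krbtgt/%s@%s" % (server_realm, client_realm)


def is_cross_realm(client_realm: str, server_host: str,
                   domain_realm: Dict[str, str]) -> bool:
    """True when the service host maps to a realm other than the client's."""
    return host_realm(server_host, domain_realm).upper() != client_realm.upper()


# Constructed scenario modelled on the post: the client is enrolled in realm
# IPA.BRAD.LOCAL while both hosts sit under the DNS domain brad.local.
CLIENT_REALM = "IPA.BRAD.LOCAL"
IPA_SERVER = "homeipa01.brad.local"

# Assumed krb5.conf without any [domain_realm] entry for brad.local.
NO_MAPPING: Dict[str, str] = {}

# Assumed krb5.conf that pins the DNS domain to the IPA realm.
WITH_MAPPING = {".brad.local": "IPA.BRAD.LOCAL", "brad.local": "IPA.BRAD.LOCAL"}

if __name__ == "__main__":
    for label, mapping in (("no mapping", NO_MAPPING), ("with mapping", WITH_MAPPING)):
        print("%-12s -> %s" % (label, krbtgt_requested(CLIENT_REALM, IPA_SERVER, mapping)))
```

With no mapping the client derives realm BRAD.LOCAL for homeipa01.brad.local and asks its KDC for krbtgt/BRAD.LOCAL@IPA.BRAD.LOCAL, a cross-realm TGT that only exists if such a trust is configured; with the `.brad.local` mapping it uses its ordinary TGT. Checking the `[domain_realm]` section of the client's krb5.conf against this rule is a quick way to tell whether a `krbtgt/... not found in Kerberos database` error is a realm-mapping problem.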
[Freeipa-devel] [freeipa PR#621][comment] Add --password-expiration to allow an admin to force a password change
URL: https://github.com/freeipa/freeipa/pull/621 Title: #621: Add --password-expiration to allow an admin to force a password change HonzaCholasta commented: """ @redhatrises, `datetime.utcnow()` is what I meant. """ See the full comment at https://github.com/freeipa/freeipa/pull/621#issuecomment-290087879 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#621][comment] Add --password-expiration to allow an admin to force a password change
URL: https://github.com/freeipa/freeipa/pull/621 Title: #621: Add --password-expiration to allow an admin to force a password change redhatrises commented: """ @HonzaCholasta used `datetime.utcnow()` as I couldn't find a reference for `datetime.utctime()` """ See the full comment at https://github.com/freeipa/freeipa/pull/621#issuecomment-290086917 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#629][comment] adtrust: make sure that runtime hostname result is consistent with the configuration
URL: https://github.com/freeipa/freeipa/pull/629 Title: #629: adtrust: make sure that runtime hostname result is consistent with the configuration abbra commented: """ Removed backslashes and also moved the check to be the first step when creating an instance. """ See the full comment at https://github.com/freeipa/freeipa/pull/629#issuecomment-290086797 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#629][synchronized] adtrust: make sure that runtime hostname result is consistent with the configuration
URL: https://github.com/freeipa/freeipa/pull/629 Author: abbra Title: #629: adtrust: make sure that runtime hostname result is consistent with the configuration Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/629/head:pr629 git checkout pr629 From f79ec2d56bc8a16765633156a11d4cd9210795d9 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Mon, 20 Mar 2017 13:23:44 +0200 Subject: [PATCH] adtrust: make sure that runtime hostname result is consistent with the configuration FreeIPA's `ipasam` module to Samba uses gethostname() call to identify own server's host name. This value is then used in multiple places, including construction of cifs/host.name principal. `ipasam` module always uses GSSAPI authentication when talking to LDAP, so Kerberos keys must be available in the /etc/samba/samba.keytab. However, if the principal was created using non-FQDN name but system reports FQDN name, `ipasam` will fail to acquire Kerberos credentials. Same with FQDN principal and non-FQDN hostname. Also host name and principal name must have the same case. Report an error when configuring ADTrust instance with inconsistent runtime hostname and configuration. This prevents errors like this: [20/21]: starting CIFS services ipa : CRITICAL CIFS services failed to start where samba logs have this: [2017/03/20 06:34:27.385307, 0] ipa_sam.c:4193(bind_callback_cleanup) kerberos error: code=-1765328203, message=Keytab contains no suitable keys for cifs/ipatr...@example.com [2017/03/20 06:34:27.385476, 1] ../source3/lib/smbldap.c:1206(get_cached_ldap_connect) Connection to LDAP server failed for the 16 try! Fixes https://pagure.io/freeipa/issue/6786 --- ipaserver/install/adtrustinstance.py | 11 +++ 1 file changed, 11 insertions(+) diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py index 0b18985..3527ca9 100644 --- a/ipaserver/install/adtrustinstance.py 
+++ b/ipaserver/install/adtrustinstance.py @@ -689,6 +689,15 @@ def __enable_compat_tree(self): except Exception as e: root_logger.critical("Enabling nsswitch support in slapi-nis failed with error '%s'" % e) +def __validate_server_hostname(self): +hostname = socket.gethostname() +if hostname != self.fqdn: +raise ValueError("Host reports different name than configured: " + "'%s' versus '%s'. Samba requires to have " + "the same hostname or Kerberos principal " + "'cifs/%s' will not be found in Samba keytab." % + (hostname, self.fqdn, self.fqdn)) + def __start(self): try: self.start() @@ -804,6 +813,8 @@ def find_local_id_range(self): api.Backend.ldap2.add_entry(entry) def create_instance(self): +self.step("validate server hostname", + self.__validate_server_hostname) self.step("stopping smbd", self.__stop) self.step("creating samba domain object", \ self.__create_samba_domain_object) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
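Review bot: The `__validate_server_hostname` hunk calls `socket.gethostname()` but the patch adds no `import socket`, and none is visible in the surrounding context; unless adtrustinstance.py already imports it, the new step fails with a NameError instead of the intended ValueError. Add `import socket` to the module imports.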
[Freeipa-devel] [freeipa PR#621][edited] Add --password-expiration to allow an admin to force a password change
URL: https://github.com/freeipa/freeipa/pull/621 Author: redhatrises Title: #621: Add --password-expiration to allow an admin to force a password change Action: edited Changed field: title Original value: """ Add --force-password-reset to user_mod in user.py """ -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#621][synchronized] Add --force-password-reset to user_mod in user.py
URL: https://github.com/freeipa/freeipa/pull/621 Author: redhatrises Title: #621: Add --force-password-reset to user_mod in user.py Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/621/head:pr621 git checkout pr621 From c773399e5f1bad48af3697eefc3c4a76598065cc Mon Sep 17 00:00:00 2001 From: Gabe Date: Wed, 29 Mar 2017 07:10:13 -0600 Subject: [PATCH] Add --password-expiration to allow admin to force user password expiration - Allows an admin to easily force a user to expire their password forcing the user to change it immediately or at a specified time in the future --- ACI.txt | 2 +- API.txt | 18 -- VERSION.m4| 2 +- ipalib/parameters.py | 16 ++-- ipaserver/plugins/baseuser.py | 4 ipaserver/plugins/user.py | 2 +- 6 files changed, 29 insertions(+), 15 deletions(-) diff --git a/ACI.txt b/ACI.txt index 9c7996c..185812a 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -351,7 +351,7 @@ aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts dn: cn=users,cn=accounts,dc=ipa,dc=example aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Add Users";allow (add) groupdn = "ldap:///cn=System: Add Users,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=users,cn=accounts,dc=ipa,dc=example -aci: (targetattr = "krbprincipalkey || passwordhistory || sambalmpassword || sambantpassword || userpassword")(targetfilter = "(&(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=ipa,dc=example))(objectclass=posixaccount))")(version 3.0;acl "permission:System: Change User password";allow (write) groupdn = "ldap:///cn=System: Change User password,cn=permissions,cn=pbac,dc=ipa,dc=example";) +aci: (targetattr = "krbpasswordexpiration || krbprincipalkey || passwordhistory || sambalmpassword || sambantpassword || userpassword")(targetfilter = "(&(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=ipa,dc=example))(objectclass=posixaccount))")(version 3.0;acl "permission:System: Change User password";allow (write) groupdn = "ldap:///cn=System: Change User password,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=users,cn=accounts,dc=ipa,dc=example aci: (targetattr = "ipacertmapdata || objectclass")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Manage User Certificate Mappings";allow (write) groupdn = "ldap:///cn=System: Manage User Certificate Mappings,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=users,cn=accounts,dc=ipa,dc=example diff --git a/API.txt b/API.txt index 7594157..7850538 100644 --- a/API.txt +++ b/API.txt @@ -4828,7 +4828,7 @@ output: Entry('result') output: Output('summary', type=[, ]) output: PrimaryKey('value') command: stageuser_add/1 -args: 1,44,3 +args: 1,45,3 arg: Str('uid', cli_name='login') option: Str('addattr*', cli_name='addattr') option: Flag('all', autofill=True, cli_name='all', default=False) 
@@ -4849,6 +4849,7 @@ option: Str('ipasshpubkey*', cli_name='sshpubkey') option: Str('ipatokenradiusconfiglink?', cli_name='radius') option: Str('ipatokenradiususername?', cli_name='radius_username') option: StrEnum('ipauserauthtype*', cli_name='user_auth_type', values=[u'password', u'radius', u'otp']) +option: DateTime('krbpasswordexpiration?', cli_name='password_expiration') option: DateTime('krbprincipalexpiration?', cli_name='principal_expiration') option: Principal('krbprincipalname*', autofill=True, cli_name='principal') option: Str('l?', cli_name='city') @@ -4933,7 +4934,7 @@ output: Output('result', type=[]) output: Output('summary', type=[, ]) output: ListOfPrimaryKeys('value') command: stageuser_find/1 -args: 1,53,4 +args: 1,54,4 arg: Str('criteria?') option: Flag('all', autofill=True, cli_name='all', default=False) option: Str('carlicense*', autofill=False) @@ -4956,6 +4957,7 @@ option: Str('initials?', autofill=False) option: Str('ipatokenradiusconfiglink?', autofill=False, cli_name='radius') option: Str('ipatokenradiususername?', autofill=False, cli_name='radius_username') option: StrEnum('ipauserauthtype*', autofill=False, cli_name='user_auth_type', values=[u'password', u'radius', u'otp']) +option: DateTime('krbpasswordexpiration?', autofill=False, cli_name='password_expiration') option: DateTime('krbprincipalexpiration?', autofill=False, cli_name='principal_expiration') option: Principal('krbprincipalname*', autofill=False, cli_name='principal') option: Str('l?', autofill=False, cli_name='city') @@ -4993,7 +4995,7 @@ output: ListOfEntries('result') output: Output('summary', type=[, ]) output: Output('truncated', type=[]) command: stageuser_mod/1 -args: 1,46,3 +args: 1,47,3 arg: Str('uid', cli_name='login') option: Str('addattr*', cli_name='addattr') option: Flag('all', autofill=True, cli_name='all', default=False) @@ -5014,6 +5016,7 @@ option: Str('ipasshpubkey*', autofill=False,
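Review bot: The ACI.txt hunk adds `krbpasswordexpiration` to the "System: Change User password" permission, so every holder of that permission, not only admins, can now write the attribute. A write ACI is symmetric: the same privilege that lets a helpdesk role force an immediate change by setting the expiration to now also lets it push the expiration into the future, which extends a password's life past policy rather than resetting it. If forcing a change is the goal, consider a dedicated permission, or at least call the widened scope out in the commit message. Note also that the targetfilter still excludes members of cn=admins, so the attribute cannot be written on admin accounts through this ACI.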
[Freeipa-devel] [freeipa PR#625][comment] [RFC] remote plugins: add option to force compat plugins
URL: https://github.com/freeipa/freeipa/pull/625 Title: #625: [RFC] remote plugins: add option to force compat plugins HonzaCholasta commented: """ * With `force_client_compat=False`, the benefit is the client API matches the remote server API, the drawback is `api.finalize()` does RPC calls and touches schema cache (i.e. the current behavior). * With `force_client_compat=True`, the benefit is `api.finalize()` does no RPC calls nor does it touch schema cache, the drawback is that the client API is stuck at API version 2.164 (IPA 4.3.3). * Schema download exists to support newer server versions without having to update the client. Compat plugins exist to support older server versions which do not have schema support. (See http://www.freeipa.org/page/V4/API_Compatiblity.) * *Optimistic try/fallback* is the current behavior which requires RPC calls in `api.finalize()` to detect the server's capabilities in order to reconstruct its API locally. With this PR it's possible to skip this step and fall back to the behavior of IPA 4.3.3. """ See the full comment at https://github.com/freeipa/freeipa/pull/625#issuecomment-290066211 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [bind-dyndb-ldap PR#12][synchronized] README.md: fix markdown formatting
URL: https://github.com/freeipa/bind-dyndb-ldap/pull/12 Author: tomaskrizek Title: #12: README.md: fix markdown formatting Action: synchronized To pull the PR as Git branch: git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap git fetch ghbind-dyndb-ldap pull/12/head:pr12 git checkout pr12 From fc58afe13474e1eb8b572f89a63bd51dfacdbce1 Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Thu, 23 Mar 2017 15:35:21 +0100 Subject: [PATCH] README.md: fix markdown formatting Fix some markdown formatting errors to properly render it on pagure and GitHub. --- README.md | 82 ++- 1 file changed, 39 insertions(+), 43 deletions(-) diff --git a/README.md b/README.md index de9cd1f..49f5b95 100644 --- a/README.md +++ b/README.md @@ -1,12 +1,10 @@ -1. Introduction -=== +# 1. Introduction The dynamic LDAP back-end is a plug-in for BIND that provides an LDAP database back-end capabilities. It requires dyndb interface which is present in BIND versions >= 9.11.0rc1. -2. Features -=== +# 2. Features * support for dynamic updates * SASL authentication @@ -16,8 +14,7 @@ in BIND versions >= 9.11.0rc1. * DNSSEC in-line signing is supported, including dynamic updates -3. Installation -=== +# 3. Installation To install the LDAP back-end, extract the tarball and go to the unpacked directory. Then follow these steps: @@ -47,14 +44,13 @@ You can use following commands to prepare latest source tree for compilation: $ cd bind-dyndb-ldap $ autoreconf -fvi -4. LDAP schema -== +# 4. LDAP schema You can find the complete LDAP schema in the documentation directory. An example zone ldif is available in the doc directory. -4.1 Master zone (idnsZone) --- +## 4.1 Master zone (idnsZone) + Object class `idnsZone` is equivalent to type `master` statement in `named.conf`. ### Attributes 
@@ -193,8 +189,8 @@ Object class `idnsZone` is equivalent to type `master` statement in `named.conf` Zone without NSEC3PARAM RR will use NSEC by default. -4.2 Forward zone (idnsForwardZone) --- +## 4.2 Forward zone (idnsForwardZone) + Object class `idnsForwardZone` is equivalent to type `forward` statement in named.conf. @@ -243,8 +239,8 @@ Unloaded empty zones will not be loaded back even if the forward zone is later deleted. The empty zones will be loaded on each BIND reload. -4.3 Global configuration object (idnsConfigObject) --- +## 4.3 Global configuration object (idnsConfigObject) + Object class idnsConfigObject provides global configuration common for all zones. @@ -261,8 +257,8 @@ for all zones. Syntax is the same as in forward zone, please see previous section. -4.4 Per-server configuration object (idnsServerConfigObject) - +## 4.4 Per-server configuration object (idnsServerConfigObject) + Object class idnsConfigObject provides global configuration common for all zones. A plugin instance will read configuration only from entries with matching idnsServerId. @@ -296,8 +292,8 @@ only from entries with matching idnsServerId. LIMITATION: Current plugin version supports only `ipalocation` variable -4.5 Record template (idnsTemplateObject) - +## 4.5 Record template (idnsTemplateObject) + Object class idnsTemplateObject provides facility for dynamic resource record generation. The template entry must contain idnsTemplateAttribute with string template. @@ -333,8 +329,7 @@ by the template string are defined. https://fedorahosted.org/bind-dyndb-ldap/wiki/Design/RecordGenerator -5. Configuration - +# 5. Configuration To configure dynamic loading of back-end, you must put a `dyndb` clause into your named.conf. The clause must then be followed by a 
@@ -354,12 +349,12 @@ curly brackets. Example: auth_method "none"; }; -5.1 Configuration options -- +## 5.1 Configuration options + List of configuration options follows: -5.1.1 LDAP connection -- +### 5.1.1 LDAP connection + * uri The Uniform Resource Identifier pointing to the LDAP server we @@ -451,8 +446,8 @@ List of configuration options follows: `/bin/hostname` output. -5.1.2 Special DNS features --- +### 5.1.2 Special DNS features + * fake_mname Ignore value of the idnsSOAmName (primary master DNS name) attribute @@ -476,8 +471,8 @@ List of configuration options follows: by idnsAllowDynUpdate attribute. -5.1.3 Plumbing --- +### 5.1.3 Plumbing + * verbose_checks (default no) Set this option to `yes` if you would like to log all failures @@ -495,8 +490,8 @@ List of configuration options follows: The path is relative to `directory` specified in BIND options. See section 6 (DNSS
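Review bot: In the hunk that turns "4.4 Per-server configuration object (idnsServerConfigObject)" into a `##` heading, the unchanged paragraph right below it still opens with "Object class idnsConfigObject provides global configuration common for all zones", the same sentence as in 4.3; the class named there should be idnsServerConfigObject, and since this PR already touches the adjacent lines it is the natural moment to fix that copy-paste. The remaining hunks only replace setext underlines with ATX `#` headings and are consistent with each other.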
[Freeipa-devel] [freeipa PR#625][comment] [RFC] remote plugins: add option to force compat plugins
URL: https://github.com/freeipa/freeipa/pull/625 Title: #625: [RFC] remote plugins: add option to force compat plugins tiran commented: """ I don't understand the implications of this change and the new flag: * What are the benefits and drawbacks of ```force_client_compat=False```? * What are the benefits and drawbacks of ```force_client_compat=True```? * Why does FreeIPA have schema download and compat plugins at all? * Why is this feature implemented as *either/or* option instead of *optimistic try/fallback*? New feature is missing unit and integration tests. """ See the full comment at https://github.com/freeipa/freeipa/pull/625#issuecomment-290051095 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#640][comment] Remove pkinit options from master/replica on DL0
URL: https://github.com/freeipa/freeipa/pull/640 Title: #640: Remove pkinit options from master/replica on DL0 martbab commented: """ @MartinBasti WebUI not working in DL0/--no-pkinit is beyond the scope of this PR. I am working on fixing that in a separate PR. """ See the full comment at https://github.com/freeipa/freeipa/pull/640#issuecomment-290052050 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [bind-dyndb-ldap PR#12][opened] README.md: fix markdown formatting
URL: https://github.com/freeipa/bind-dyndb-ldap/pull/12 Author: tomaskrizek Title: #12: README.md: fix markdown formatting Action: opened PR body: """ Fix some markdown formatting errors to properly render it on pagure. """ To pull the PR as Git branch: git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap git fetch ghbind-dyndb-ldap pull/12/head:pr12 git checkout pr12
[Freeipa-devel] [freeipa PR#593][comment] Add make patchcheck for developers
URL: https://github.com/freeipa/freeipa/pull/593 Title: #593: Add make patchcheck for developers tiran commented: """ Depends on PRs #475, #587, #594 """ See the full comment at https://github.com/freeipa/freeipa/pull/593#issuecomment-286665946 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#671][opened] [WIP] Slim down dependencies
URL: https://github.com/freeipa/freeipa/pull/671 Author: tiran Title: #671: [WIP] Slim down dependencies Action: opened PR body: """ * Remove unused install requires * Correct dependencies for yubico otptoken * Properly report optional dependency for yubico otptoken * Make jinja2 an optional dependency and csrgen an optional plugin Signed-off-by: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/671/head:pr671 git checkout pr671 From 230b7936c479d29416a580428db9f3448d65a125 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Wed, 29 Mar 2017 11:20:21 +0200 Subject: [PATCH] Slim down dependencies * Remove unused install requires * Correct dependencies for yubico otptoken * Properly report optional dependency for yubico otptoken * Make jinja2 an optional dependency and csrgen an optional plugin Signed-off-by: Christian Heimes --- ipaclient/plugins/csrgen.py | 8 +++- ipaclient/plugins/otptoken_yubikey.py | 11 --- ipaclient/setup.py| 6 ++ ipapython/setup.py| 2 -- 4 files changed, 17 insertions(+), 10 deletions(-) diff --git a/ipaclient/plugins/csrgen.py b/ipaclient/plugins/csrgen.py index a0d99ef..0a9ede1 100644 --- a/ipaclient/plugins/csrgen.py +++ b/ipaclient/plugins/csrgen.py @@ -4,7 +4,6 @@ import six -from ipaclient.csrgen import CSRGenerator, FileRuleProvider from ipalib import api from ipalib import errors from ipalib import output @@ -15,6 +14,13 @@ from ipalib.text import _ from ipapython import dogtag +try: +import jinja2 # pylint: disable=unused-import +except ImportError: +raise errors.SkipPluginModule(reason=_("jinja2 is not installed.")) +else: +from ipaclient.csrgen import CSRGenerator, FileRuleProvider + if six.PY3: unicode = str diff --git a/ipaclient/plugins/otptoken_yubikey.py b/ipaclient/plugins/otptoken_yubikey.py index 759b722..9993ec8 100644 --- a/ipaclient/plugins/otptoken_yubikey.py +++ b/ipaclient/plugins/otptoken_yubikey.py 
@@ -20,15 +20,20 @@ import os import six -import usb.core -import yubico from ipalib import _, api, IntEnum -from ipalib.errors import NotFound +from ipalib.errors import NotFound, SkipPluginModule from ipalib.frontend import Command, Method, Object from ipalib.plugable import Registry from ipalib.util import classproperty +try: +import usb.core +import yubico +except ImportError: +# python-yubico depends on pyusb +raise SkipPluginModule(reason=_("python-yubico is not installed.")) + if six.PY3: unicode = str diff --git a/ipaclient/setup.py b/ipaclient/setup.py index f5be7ea..5b02341 100644 --- a/ipaclient/setup.py +++ b/ipaclient/setup.py @@ -54,15 +54,13 @@ "cryptography", "ipalib", "ipapython", -"jinja2", -"python-yubico", -"pyusb", "qrcode", "six", ], extras_require={ "install": ["ipaplatform"], -"otptoken_yubikey": ["yubico", "usb"] +"otptoken_yubikey": ["python-yubico", "pyusb"], +"csrgen": ["jinja2"], }, zip_safe=False, ) diff --git a/ipapython/setup.py b/ipapython/setup.py index 2fc039f..491a5ed 100755 --- a/ipapython/setup.py +++ b/ipapython/setup.py @@ -41,13 +41,11 @@ "cryptography", "dnspython", "gssapi", -"jwcrypto", # "ipalib", # circular dependency "pyldap", "netaddr", "netifaces", "python-nss", -"requests", "six", ], extras_require={ -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
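Review bot: in the csrgen.py import guard (`try: import jinja2 ... except ImportError:`), the except clause also catches failures raised from inside jinja2's own imports, such as a broken or partially installed jinja2, and the `_("jinja2 is not installed.")` reason would then misreport the cause. If that distinction matters for support cases, log the underlying exception before raising SkipPluginModule. The `# pylint: disable=unused-import` is appropriate here because the import exists only as a probe.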
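Review bot: the ImportError block in otptoken_yubikey.py covers both `import usb.core` and `import yubico`, but the reason string names only python-yubico, so when pyusb is the missing piece the message points users at the wrong package. Consider `_("python-yubico or pyusb is not installed.")`, or two separate try blocks with their own reasons.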
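Review bot: the extras_require correction in ipaclient/setup.py is the substantive part of that hunk and deserves a mention in the commit message: the previous entries `"yubico"` and `"usb"` were import names rather than distribution names, so `pip install ipaclient[otptoken_yubikey]` could never have pulled the right packages. With jinja2 now only under the new `csrgen` extra, the csrgen plugin silently disappears on installs that do not request `ipaclient[csrgen]`; that behaviour change should be stated in the package description or release notes.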
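Review bot: dropping `jwcrypto` and `requests` from ipapython's install_requires is only safe if no module under ipapython imports them, and the diff cannot show that. The commit message should say how it was verified (a grep for `import jwcrypto` / `import requests` and `from jwcrypto` / `from requests` under ipapython/ would do), since a missing runtime dependency surfaces only as an ImportError on the affected code path.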
[Freeipa-devel] [freeipa PR#593][edited] Add make patchcheck for developers
URL: https://github.com/freeipa/freeipa/pull/593 Author: tiran Title: #593: Add make patchcheck for developers Action: edited Changed field: body Original value: """ Ticket 6604 makes pylint and jsl optional dependencies. The change is controversial, because some developers prefer that pylint and jsl should be required unless explicitly disabled. `make patchcheck` is my answer to address the concerns. It's a superior solution to `make lint` as a pre-commit check. It combines several additional checks under a single, easy-to-remember and convenient make target: * build all * acilint, apiclient, jslint, polint * make check * pylint under Python 2 and 3 * subset of unit test suite https://fedorahosted.org/freeipa/ticket/6604 """ -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#593][comment] Add make patchcheck for developers
URL: https://github.com/freeipa/freeipa/pull/593 Title: #593: Add make patchcheck for developers tiran commented: """ All dependencies have been merged. PR is ready for review. """ See the full comment at https://github.com/freeipa/freeipa/pull/593#issuecomment-287372325 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [bind-dyndb-ldap PR#11][comment] Coverity: fix REVERSE_INULL for pevent->inst
URL: https://github.com/freeipa/bind-dyndb-ldap/pull/11 Title: #11: Coverity: fix REVERSE_INULL for pevent->inst tomaskrizek commented: """ @pemensik Hi, could you take a quick look at this change? I ran Coverity and the issues were fixed. It might also be possible to remove the REQUIRE, but since I'm not sure whether `inst` is always non-null in the new dyndb workflow, I added the check just to be sure. """ See the full comment at https://github.com/freeipa/bind-dyndb-ldap/pull/11#issuecomment-290026409 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [bind-dyndb-ldap PR#11][opened] Coverity: fix REVERSE_INULL for pevent->inst
URL: https://github.com/freeipa/bind-dyndb-ldap/pull/11 Author: tomaskrizek Title: #11: Coverity: fix REVERSE_INULL for pevent->inst Action: opened PR body: """ With the DynDB API changes, the ldap instance is acquired differently. Previously, obtaining the instance could fail when LDAP was disconnecting, thus the NULL check was necessary in the cleanup part. Now, inst is obtained directly from the API. I'm not sure what the exact behaviour is in edge cases such as LDAP disconnecting, so I perform the NULL check a bit earlier, just to be safe. """ To pull the PR as Git branch: git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap git fetch ghbind-dyndb-ldap pull/11/head:pr11 git checkout pr11 From e5c29893a318c0f1571c9918ab2c7c23dca3c952 Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Mon, 27 Mar 2017 19:41:05 +0200 Subject: [PATCH] Coverity: fix REVERSE_INULL for pevent->inst With the DynDB API changes, the ldap instance is acquired differently. Previously, obtaining the instance could fail when LDAP was disconnecting, thus the NULL check was necessary in the cleanup part. Now, inst is obtained directly from the API. I'm not sure what the exact behaviour is in edge cases such as LDAP disconnecting, so I perform the NULL check a bit earlier, just to be safe. --- src/ldap_helper.c | 42 +- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/src/ldap_helper.c b/src/ldap_helper.c index 1fa0ec9..e0c4b76 100644 --- a/src/ldap_helper.c +++ b/src/ldap_helper.c @@ -3714,6 +3714,7 @@ update_zone(isc_task_t *task, isc_event_t *event) mctx = pevent->mctx; dns_name_init(&prevname, NULL); + REQUIRE(inst != NULL); INSIST(task == inst->task); /* For task-exclusive mode */ if (SYNCREPL_DEL(pevent->chgtype)) {
@@ -3730,12 +3731,11 @@ update_zone(isc_task_t *task, isc_event_t *event) } cleanup: - if (inst != NULL) { - sync_concurr_limit_signal(inst->sctx); - sync_event_signal(inst->sctx, pevent); - if (dns_name_dynamic(&prevname)) - dns_name_free(&prevname, inst->mctx); - } + sync_concurr_limit_signal(inst->sctx); + sync_event_signal(inst->sctx, pevent); + if (dns_name_dynamic(&prevname)) + dns_name_free(&prevname, inst->mctx); + if (result != ISC_R_SUCCESS) log_error_r("update_zone (syncrepl) failed for %s. " "Zones can be outdated, run `rndc reload`", @@ -3760,14 +3760,14 @@ update_config(isc_task_t * task, isc_event_t *event) mctx = pevent->mctx; + REQUIRE(inst != NULL); INSIST(task == inst->task); /* For task-exclusive mode */ CHECK(ldap_parse_configentry(entry, inst)); cleanup: - if (inst != NULL) { - sync_concurr_limit_signal(inst->sctx); - sync_event_signal(inst->sctx, pevent); - } + sync_concurr_limit_signal(inst->sctx); + sync_event_signal(inst->sctx, pevent); + if (result != ISC_R_SUCCESS) log_error_r("update_config (syncrepl) failed for %s. " "Configuration can be outdated, run `rndc reload`", @@ -3790,14 +3790,14 @@ update_serverconfig(isc_task_t * task, isc_event_t *event) mctx = pevent->mctx; + REQUIRE(inst != NULL); INSIST(task == inst->task); /* For task-exclusive mode */ CHECK(ldap_parse_serverconfigentry(entry, inst)); cleanup: - if (inst != NULL) { - sync_concurr_limit_signal(inst->sctx); - sync_event_signal(inst->sctx, pevent); - } + sync_concurr_limit_signal(inst->sctx); + sync_event_signal(inst->sctx, pevent); + if (result != ISC_R_SUCCESS) log_error_r("update_serverconfig (syncrepl) failed for %s. " "Configuration can be outdated, run `rndc reload`", @@ -3860,6 +3860,7 @@ update_record(isc_task_t *task, isc_event_t *event) dns_name_init(&prevname, NULL); dns_name_init(&prevorigin, NULL); + REQUIRE(inst != NULL); CHECK(zr_get_zone_ptr(inst->zone_register, &entry->zone_name, &raw, &secure)); zone_found = ISC_TRUE; 
@@ -4020,13 +4021,12 @@ update_record(isc_task_t *task, isc_event_t *event) ldap_entry_logname(entry), pevent->chgtype); } - if (inst != NULL) { - sync_concurr_limit_signal(inst->sctx); - if (dns_name_dynamic(&prevname)) - dns_name_free(&prevname, inst->mctx); - if (dns_name_dynamic(&prevorigin)) - dns_name_free(&prevorigin, inst->mctx); - } + sync_concurr_limit_signal(inst->sctx); + if (dns_name_dynamic(&prevname)) + dns_name_free(&prevname, inst->mctx); + if (dns_name_dynamic(&prevorigin)) + dns_name_free(&prevorigin, inst->mctx); + if (raw != NULL) dns_zone_detach(&raw); if (secure != NULL) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
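Review bot: `REQUIRE(inst != NULL)` in the update_zone hunk (@@ -3714) is a fatal assertion; in BIND the REQUIRE family aborts named instead of returning an error. The commit message itself says it is unknown whether the LDAP-disconnecting edge case can still deliver a NULL inst, so this change turns a condition that the removed `if (inst != NULL)` cleanup tolerated into a process abort, which for a resolver is an availability issue. Either confirm from the DynDB API contract that `pevent->inst` is never NULL (then REQUIRE is the right tool and the commit message should state that guarantee), or log and return early instead of asserting.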
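Review bot: the now-unconditional cleanup blocks in update_zone (@@ -3730), update_config (@@ -3760) and update_serverconfig (@@ -3790) are correct only because the new REQUIRE sits before the first `CHECK`/`goto cleanup` in each function; a later edit that adds an early jump to `cleanup:` above the REQUIRE would reintroduce the NULL dereference Coverity flagged. A one-line comment at each `cleanup:` label noting that inst is guaranteed non-NULL there would make the invariant visible to the next editor.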
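Review bot: in update_record the REQUIRE (@@ -3860) is inserted after the two `dns_name_init` calls, and the visible context does not show whether anything earlier in the function can already `goto cleanup` (for example a CHECK on the entry or zone lookup). If such a path exists, the @@ -4020 hunk's unconditional `sync_concurr_limit_signal(inst->sctx)` dereferences a NULL inst on it. Please move the REQUIRE to the first statement after inst is read from pevent, or state in the PR that no earlier CHECK exists.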
[Freeipa-devel] [freeipa PR#669][comment] server: make sure we test for sss_nss_getlistbycert
URL: https://github.com/freeipa/freeipa/pull/669 Title: #669: server: make sure we test for sss_nss_getlistbycert tomaskrizek commented: """ master: * 67e5244cad72bef76de1c4df47a0c77a672fa861 server: make sure we test for sss_nss_getlistbycert ipa-4-5: * 8be6987da72dff0ebd4e02c946b45b5b1705d880 server: make sure we test for sss_nss_getlistbycert """ See the full comment at https://github.com/freeipa/freeipa/pull/669#issuecomment-290022005 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#669][+pushed] server: make sure we test for sss_nss_getlistbycert
URL: https://github.com/freeipa/freeipa/pull/669 Title: #669: server: make sure we test for sss_nss_getlistbycert Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#669][closed] server: make sure we test for sss_nss_getlistbycert
URL: https://github.com/freeipa/freeipa/pull/669 Author: abbra Title: #669: server: make sure we test for sss_nss_getlistbycert Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/669/head:pr669 git checkout pr669 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#668][closed] spec file: bump libsss_nss_idmap-devel BuildRequires
URL: https://github.com/freeipa/freeipa/pull/668 Author: HonzaCholasta Title: #668: spec file: bump libsss_nss_idmap-devel BuildRequires Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/668/head:pr668 git checkout pr668 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#668][comment] spec file: bump libsss_nss_idmap-devel BuildRequires
URL: https://github.com/freeipa/freeipa/pull/668 Title: #668: spec file: bump libsss_nss_idmap-devel BuildRequires tomaskrizek commented: """ master: * b18ee8b9dd3b1d0cfdc45373a7a56747e1f993a3 spec file: bump libsss_nss_idmap-devel BuildRequires ipa-4-5: * 127f7ce699677d8c689099eac350a54293a5009d spec file: bump libsss_nss_idmap-devel BuildRequires """ See the full comment at https://github.com/freeipa/freeipa/pull/668#issuecomment-290021579 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#668][+pushed] spec file: bump libsss_nss_idmap-devel BuildRequires
URL: https://github.com/freeipa/freeipa/pull/668 Title: #668: spec file: bump libsss_nss_idmap-devel BuildRequires Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#668][synchronized] spec file: bump libsss_nss_idmap-devel BuildRequires
URL: https://github.com/freeipa/freeipa/pull/668 Author: HonzaCholasta Title: #668: spec file: bump libsss_nss_idmap-devel BuildRequires Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/668/head:pr668 git checkout pr668 From c662f152c6d073d0d0a04a361802bb924aa0dc21 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Wed, 29 Mar 2017 07:14:24 + Subject: [PATCH] spec file: bump libsss_nss_idmap-devel BuildRequires Bump BuildRequires on libsss_nss_idmap-devel to the version which introduces the sss_nss_getlistbycert function. This fixes RPM build failure when an older version of libsss_nss_idmap-devel was installed. https://pagure.io/freeipa/issue/6828 --- freeipa.spec.in | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index e7e39e8..829c3f0 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -121,8 +121,8 @@ BuildRequires: libtevent-devel BuildRequires: libuuid-devel BuildRequires: libsss_idmap-devel BuildRequires: libsss_certmap-devel -# 1.14.0: sss_nss_getnamebycert (https://fedorahosted.org/sssd/ticket/2897) -BuildRequires: libsss_nss_idmap-devel >= 1.14.0 +# 1.15.3: sss_nss_getlistbycert (https://pagure.io/SSSD/sssd/issue/3050) +BuildRequires: libsss_nss_idmap-devel >= 1.15.3 BuildRequires: rhino BuildRequires: libverto-devel BuildRequires: libunistring-devel -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
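Review bot: the hunk raises only BuildRequires. RPM's automatic dependency generator records the library soname, not a version, so a freeipa-server package built against libsss_nss_idmap-devel 1.15.3 can still be installed next to an older libsss_nss_idmap that lacks sss_nss_getlistbycert and then fail at dynamic-link time. If the runtime package does not already carry a matching `Requires: libsss_nss_idmap >= 1.15.3` (not visible in this diff), add it in the same change so the build-time and run-time constraints stay in sync.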
[Freeipa-devel] [freeipa PR#668][comment] spec file: bump libsss_nss_idmap-devel BuildRequires
URL: https://github.com/freeipa/freeipa/pull/668 Title: #668: spec file: bump libsss_nss_idmap-devel BuildRequires HonzaCholasta commented: """ Changed ticket link to https://pagure.io/freeipa/issue/6828. """ See the full comment at https://github.com/freeipa/freeipa/pull/668#issuecomment-290020664 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#669][comment] server: make sure we test for sss_nss_getlistbycert
URL: https://github.com/freeipa/freeipa/pull/669 Title: #669: server: make sure we test for sss_nss_getlistbycert tomaskrizek commented: """ Works as expected. """ See the full comment at https://github.com/freeipa/freeipa/pull/669#issuecomment-290019629 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#669][+ack] server: make sure we test for sss_nss_getlistbycert
URL: https://github.com/freeipa/freeipa/pull/669 Title: #669: server: make sure we test for sss_nss_getlistbycert Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#668][+ack] spec file: bump libsss_nss_idmap-devel BuildRequires
URL: https://github.com/freeipa/freeipa/pull/668 Title: #668: spec file: bump libsss_nss_idmap-devel BuildRequires Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#669][comment] server: make sure we test for sss_nss_getlistbycert
URL: https://github.com/freeipa/freeipa/pull/669 Title: #669: server: make sure we test for sss_nss_getlistbycert abbra commented: """ On the systems where pkg-config is available, positive result from pkg-config check means headers are available because pkg-config files are part of development sub-packages. Symbol check in a library is enough then. """ See the full comment at https://github.com/freeipa/freeipa/pull/669#issuecomment-290016098 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#668][comment] spec file: bump libsss_nss_idmap-devel BuildRequires
URL: https://github.com/freeipa/freeipa/pull/668 Title: #668: spec file: bump libsss_nss_idmap-devel BuildRequires HonzaCholasta commented: """ Right. """ See the full comment at https://github.com/freeipa/freeipa/pull/668#issuecomment-290015269 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#593][synchronized] Add make patchcheck for developers
URL: https://github.com/freeipa/freeipa/pull/593 Author: tiran Title: #593: Add make patchcheck for developers Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/593/head:pr593 git checkout pr593 From 7c1f30c54efdee5ec687659c0ff7426fd1eabc8e Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Wed, 15 Mar 2017 08:31:38 +0100 Subject: [PATCH 1/2] Add make patchcheck for developers Ticket 6604 makes pylint and jsl optional dependencies. The change is controversial, because some developers prefer that pylint and jsl should be required unless explicitly disabled. `make patchcheck` is my answer to address the concerns. It's a superior solution to `make lint` as a pre-commit check. It combines several additional checks under a single, easy-to-remember and convenient make target: * build all * acilint, apiclient, jslint, polint * make check * pylint under Python 2 and 3 * subset of unit test suite https://fedorahosted.org/freeipa/ticket/6604 Signed-off-by: Christian Heimes --- Makefile.am | 31 ++- configure.ac | 12 ipatests/util.py | 28 ++-- 3 files changed, 56 insertions(+), 15 deletions(-) diff --git a/Makefile.am b/Makefile.am index af22315..2097030 100644 --- a/Makefile.am +++ b/Makefile.am
@@ -152,6 +152,35 @@ JSLINT_TARGET = jslint endif WITH_JSLINT lint: acilint apilint $(POLINT_TARGET) $(PYLINT_TARGET) $(JSLINT_TARGET) +.PHONY: patchcheck +patchcheck: all +if ! WITH_POLINT + @echo "ERROR: polint not available"; exit 1 +endif +if ! WITH_PYLINT + @echo "ERROR: pylint not available"; exit 1 +endif +if ! WITH_JSLINT + @echo "ERROR: jslint not available"; exit 1 +endif +if ! WITH_PYTHON2 + @echo "ERROR: python2 not available"; exit 1 +endif + @ # run all linters, tests, and check with Python 2 + PYTHONPATH=$(top_srcdir) $(PYTHON2) ipatests/ipa-run-tests \ + --ipaclient-unittests + $(MAKE) $(AM_MAKEFLAGS) acilint apilint polint jslint check + $(MAKE) $(AM_MAKEFLAGS) PYTHON=$(PYTHON2) pylint +if WITH_PYTHON3 + @ # just tests and pylint on Python 3 + PYTHONPATH=$(top_srcdir) $(PYTHON3) ipatests/ipa-run-tests \ + --ipaclient-unittests + $(MAKE) $(AM_MAKEFLAGS) PYTHON=$(PYTHON3) pylint +else + @echo "WARNING: python3 not available" +endif + @echo "All tests passed." + .PHONY: $(top_builddir)/ipapython/version.py $(top_builddir)/ipapython/version.py: (cd $(top_builddir)/ipapython && make version.py) @@ -188,7 +217,7 @@ pylint: $(top_builddir)/ipapython/version.py ipasetup.py -name '*~' -o \ -name '*.py' -print -o \ -type f -exec grep -qsm1 '^#!.*\bpython' '{}' \; -print`; \ - echo "Pylint is running, please wait ..."; \ + echo "Pylint on $(PYTHON) is running, please wait ..."; \ PYTHONPATH=$(top_srcdir) $(PYTHON) -m pylint \ --rcfile=$(top_srcdir)/pylintrc \ --load-plugins pylint_plugins \ diff --git a/configure.ac b/configure.ac index f5c5270..0174320 100644 --- a/configure.ac +++ b/configure.ac 
@@ -111,6 +111,18 @@ if test "x$PYTHON" = "x" ; then fi dnl --- +dnl - Check for Python 2/3 for patchcheck +dnl --- + +AC_PATH_PROG(PYTHON2, python2) +AC_SUBST([PYTHON2]) +AM_CONDITIONAL([WITH_PYTHON2], [test "x${PYTHON2}" != "x"]) + +AC_PATH_PROG(PYTHON3, python3) +AC_SUBST([PYTHON3]) +AM_CONDITIONAL([WITH_PYTHON3], [test "x${PYTHON3}" != "x"]) + +dnl --- dnl - Check for cmocka unit test framework http://cmocka.cryptomilk.org/ dnl --- PKG_CHECK_EXISTS(cmocka, diff --git a/ipatests/util.py b/ipatests/util.py index d877dcc..575d5cc 100644 --- a/ipatests/util.py +++ b/ipatests/util.py @@ -194,9 +194,9 @@ class Fuzzy(object): Use of a regular expression by default implies the ``unicode`` type, so comparing with an ``str`` instance will evaluate to ``False``: ->>> phone.type - ->>> '123-456-7890' == phone +>>> phone.type is six.text_type +True +>>> b'123-456-7890' == phone False The *type* kwarg allows you to specify a type constraint, so you can force @@ -236,15 +236,15 @@ class Fuzzy(object): >>> fuzzy = Fuzzy('.+', type=str, test=lambda other: True) >>> fuzzy.regex '.+' ->>> fuzzy.type - +>>> fuzzy.type is str +True >>> fuzzy.test # doctest:+ELLIPSIS at 0x...> To aid debugging, `Fuzzy.__repr__()` reveals these kwargs as well: >>> fuzzy # doctest:+ELLIPSIS -Fuzzy('.+', , at 0x...>) +Fuzzy('.+', <... 'str'>, at 0x...>) """ def __init__(self, regex=None, type=None, test=None): @@ -344,20 +344,20 @@ def assert_deepequal(expected, got, doc='', stack=tuple()): If the tests fails, it will raise an ``Asserti
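Review bot: the patchcheck recipe in Makefile.am runs `ipatests/ipa-run-tests` with `PYTHONPATH=$(top_srcdir)` only, while the existing `pylint` target in the following hunk depends on the generated `$(top_builddir)/ipapython/version.py`; in an out-of-tree build the unit tests would import an ipapython without version.py. Use `PYTHONPATH=$(top_builddir):$(top_srcdir)` in both the Python 2 and Python 3 invocations. Separately, because the target is declared as `patchcheck: all`, the four `if ! WITH_*` guards only fire after a full build has completed; moving the availability checks ahead of the build (for example into a small prerequisite target) would fail fast for developers missing a linter.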
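Review bot: `AC_PATH_PROG(PYTHON2, python2)` in configure.ac finds only an interpreter literally named python2, so on systems where `python` is Python 2 and no `python2` name exists, WITH_PYTHON2 is false and `make patchcheck` aborts with "python2 not available" even though the block just above already located a usable $PYTHON. Consider `AC_PATH_PROGS(PYTHON2, [python2 python2.7])` with a fallback to $PYTHON when its major version is 2.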
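Review bot: the rewritten doctests in ipatests/util.py compare `phone.type is six.text_type`; doctests run in the module's globals, so `six` must be imported at module level in ipatests/util.py for that line to pass, and the hunk does not show that import. The `Fuzzy('.+', <... 'str'>, ...)` form correctly keeps the `# doctest:+ELLIPSIS` directive, which is needed because the repr differs between Python 2 and 3.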
[Freeipa-devel] [freeipa PR#640][comment] Remove pkinit options from master/replica on DL0
URL: https://github.com/freeipa/freeipa/pull/640 Title: #640: Remove pkinit options from master/replica on DL0 stlaz commented: """ Pushed a cleaner version of the previous changes, thanks @HonzaCholasta for the suggestion. """ See the full comment at https://github.com/freeipa/freeipa/pull/640#issuecomment-290012934 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#668][comment] spec file: bump libsss_nss_idmap-devel BuildRequires
URL: https://github.com/freeipa/freeipa/pull/668 Title: #668: spec file: bump libsss_nss_idmap-devel BuildRequires tomaskrizek commented: """ We still want to merge this PR to take care of the upstream BuildRequires though, right? """ See the full comment at https://github.com/freeipa/freeipa/pull/668#issuecomment-290012044 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#658][+ack] Hide PKI Client database password in log file
URL: https://github.com/freeipa/freeipa/pull/658 Title: #658: Hide PKI Client database password in log file Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#658][comment] Hide PKI Client database password in log file
URL: https://github.com/freeipa/freeipa/pull/658 Title: #658: Hide PKI Client database password in log file stlaz commented: """ Works well, thanks! """ See the full comment at https://github.com/freeipa/freeipa/pull/658#issuecomment-290014081 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#640][synchronized] Remove pkinit options from master/replica on DL0
URL: https://github.com/freeipa/freeipa/pull/640 Author: stlaz Title: #640: Remove pkinit options from master/replica on DL0 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/640/head:pr640 git checkout pr640 From 53cdc14d5e006634817a1cddfee8954db3434785 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Wed, 22 Mar 2017 17:10:56 +0100 Subject: [PATCH 1/4] Fix the order of cert-files check Without this patch, if either of dirsrv_cert_files, http_cert_files or pkinit_cert_files is set along with no-pkinit, the user is first requested to add the remaining options and when they do that, they are told that they are using 'no-pkinit' along with 'pkinit-cert-file'. https://pagure.io/freeipa/issue/6801 --- ipaserver/install/server/__init__.py | 10 +- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/ipaserver/install/server/__init__.py b/ipaserver/install/server/__init__.py index 14f1ec4..117f51c 100644 --- a/ipaserver/install/server/__init__.py +++ b/ipaserver/install/server/__init__.py @@ -340,16 +340,16 @@ def __init__(self, **kwargs): cert_file_opt = (self.pkinit_cert_files,) if not self.no_pkinit: cert_file_req += cert_file_opt -if any(cert_file_req + cert_file_opt) and not all(cert_file_req): -raise RuntimeError( -"--dirsrv-cert-file, --http-cert-file, and --pkinit-cert-file " -"or --no-pkinit are required if any key file options are used." -) if self.no_pkinit and self.pkinit_cert_files: raise RuntimeError( "--no-pkinit and --pkinit-cert-file cannot be specified " "together" ) +if any(cert_file_req + cert_file_opt) and not all(cert_file_req): +raise RuntimeError( +"--dirsrv-cert-file, --http-cert-file, and --pkinit-cert-file " +"or --no-pkinit are required if any key file options are used." +) if not self.interactive: if self.dirsrv_cert_files and self.dirsrv_pin is None: From 6620562bc9ec874723ae32b54a53734666ec4271 Mon Sep 17 00:00:00 2001 
From: Stanislav Laznicka Date: Wed, 22 Mar 2017 17:26:51 +0100 Subject: [PATCH 2/4] Don't allow setting pkinit-related options on DL0 pkinit is not supported on DL0, remove the options that allow setting it from ipa-{server,replica}-install. https://pagure.io/freeipa/issue/6801 --- install/tools/man/ipa-replica-install.1 | 2 +- install/tools/man/ipa-server-install.1 | 2 +- ipaserver/install/server/__init__.py| 21 + 3 files changed, 23 insertions(+), 2 deletions(-) diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1 index d63912c..7d24132 100644 --- a/install/tools/man/ipa-replica-install.1 +++ b/install/tools/man/ipa-replica-install.1 @@ -114,7 +114,7 @@ Install and configure a CA on this replica. If a CA is not configured then certificate operations will be forwarded to a master with a CA installed. .TP \fB\-\-no\-pkinit\fR -Disables pkinit setup steps +Disables pkinit setup steps. This is the default and only allowed behavior on domain level 0. .TP \fB\-\-dirsrv\-cert\-file\fR=FILE File containing the Directory Server SSL certificate and private key diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1 index c48bdae..d5d28df 100644 --- a/install/tools/man/ipa-server-install.1 +++ b/install/tools/man/ipa-server-install.1
@@ -93,7 +93,7 @@ Type of the external CA. Possible values are "generic", "ms-cs". Default value i File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times. .TP \fB\-\-no\-pkinit\fR -Disables pkinit setup steps +Disables pkinit setup steps. This is the default and only allowed behavior on domain level 0. .TP \fB\-\-dirsrv\-cert\-file\fR=\fIFILE\fR File containing the Directory Server SSL certificate and private key. The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats. This option may be used multiple times. diff --git a/ipaserver/install/server/__init__.py b/ipaserver/install/server/__init__.py index 117f51c..096cb01 100644 --- a/ipaserver/install/server/__init__.py +++ b/ipaserver/install/server/__init__.py @@ -332,9 +332,24 @@ def dirsrv_config_file(self, value): if not os.path.exists(value): raise ValueError("File %s does not exist." % value) +def _is_promote(self): +""" +:returns: True if domain level options correspond to domain level > 0 +""" +raise NotImplementedError() + def __init__(self, **kwargs): super(ServerInstallInterface, self).__init__(**kwargs) +# p
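Review bot: the reordered checks in ServerInstallInterface.__init__ (PATCH 1/4, @@ -340) have no regression test for the case described in the commit message (`--no-pkinit` together with only some of the cert-file options). Both RuntimeErrors are raised from the same constructor, so a later refactor could swap them back unnoticed; a unit test asserting that the "--no-pkinit and --pkinit-cert-file cannot be specified together" error wins would pin the new ordering.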
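Review bot: both man-page hunks now say `--no-pkinit` is "the default and only allowed behavior on domain level 0", but the `--pkinit-cert-file` option descriptions (not in this diff) should carry the same restriction; a user reading only that option will still try it on DL0 and only learn of the restriction from the installer error.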
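Review bot: the base-class `_is_promote` raises NotImplementedError, so a subclass that forgets to override it fails only when `__init__` reaches the new domain-level checks, not at class definition time. If the class hierarchy permits it, mark the method with `abc.abstractmethod`; otherwise state in the docstring which subclasses must override it. The docstring `:returns: True if domain level options correspond to domain level > 0` would also read more clearly as "True if the given options select domain level > 0 (replica promotion)".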
[Freeipa-devel] [freeipa PR#669][comment] server: make sure we test for sss_nss_getlistbycert
URL: https://github.com/freeipa/freeipa/pull/669 Title: #669: server: make sure we test for sss_nss_getlistbycert tiran commented: """ AC_CHECK_LIB only checks for functions in libs. Compilation may still fail if header files and library are not in sync. IMHO we don't have to care about this broken case. LGTM """ See the full comment at https://github.com/freeipa/freeipa/pull/669#issuecomment-290011518 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#670][opened] [Py3] session storage parameters must be bytes
URL: https://github.com/freeipa/freeipa/pull/670 Author: tiran Title: #670: [Py3] session storage parameters must be bytes Action: opened PR body: """ Fixes TypeError: bytes or integer address expected instead of str instance Signed-off-by: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/670/head:pr670 git checkout pr670 From 6a2e09105dd347d74bc2c8dfbfc5c965d484a7ab Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Wed, 29 Mar 2017 09:45:05 +0200 Subject: [PATCH] [Py3] session storage parameters must be bytes Fixes TypeError: bytes or integer address expected instead of str instance Signed-off-by: Christian Heimes --- ipapython/session_storage.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py index 6af064c..1443413 100644 --- a/ipapython/session_storage.py +++ b/ipapython/session_storage.py @@ -214,8 +214,8 @@ def krb5_errcheck(result, func, arguments): krb5_free_unparsed_name.argtypes = (krb5_context, ctypes.c_char_p, ) krb5_free_unparsed_name.restype = None -CONF_REALM = "X-CACHECONF:" -CONF_NAME = "krb5_ccache_conf_data" +CONF_REALM = b"X-CACHECONF:" +CONF_NAME = b"krb5_ccache_conf_data" def store_data(princ_name, key, value): -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
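Review bot: the two constants are now bytes, matching the `ctypes.c_char_p` argtypes declared a few lines above, but `store_data(princ_name, key, value)` directly below takes `key` and `value` from Python callers; if those arrive as `str` under Python 3 they hit the same "bytes or integer address expected" TypeError. Encoding them at the function boundary (or asserting `isinstance(..., bytes)`) would close the remaining gap, though that is outside the lines shown here.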
[Freeipa-devel] [freeipa PR#668][comment] spec file: bump libsss_nss_idmap-devel BuildRequires
URL: https://github.com/freeipa/freeipa/pull/668 Title: #668: spec file: bump libsss_nss_idmap-devel BuildRequires abbra commented: """ I submitted https://github.com/freeipa/freeipa/pull/669 for that """ See the full comment at https://github.com/freeipa/freeipa/pull/668#issuecomment-290010251
[Freeipa-devel] [freeipa PR#669][opened] server: make sure we test for sss_nss_getlistbycert
URL: https://github.com/freeipa/freeipa/pull/669 Author: abbra Title: #669: server: make sure we test for sss_nss_getlistbycert Action: opened PR body: """ Fixes https://pagure.io/freeipa/issue/6828 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/669/head:pr669 git checkout pr669 From ffca2ba3b77e77bc89e80f48f4a2abe93b70732f Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Wed, 29 Mar 2017 10:43:11 +0300 Subject: [PATCH] server: make sure we test for sss_nss_getlistbycert Fixes https://pagure.io/freeipa/issue/6828 --- server.m4 | 5 + 1 file changed, 5 insertions(+) diff --git a/server.m4 b/server.m4 index 5d5333e..346d73e 100644 --- a/server.m4 +++ b/server.m4 @@ -29,6 +29,11 @@ DIRSRV_CFLAGS="$DIRSRV_CFLAGS $NSPR_CFLAGS" dnl -- sss_idmap is needed by the extdom exop -- PKG_CHECK_MODULES([SSSIDMAP], [sss_idmap]) PKG_CHECK_MODULES([SSSNSSIDMAP], [sss_nss_idmap >= 1.15.2]) +AC_CHECK_LIB([sss_nss_idmap], + [sss_nss_getlistbycert], + [], + [AC_MSG_ERROR([Required sss_nss_getlistbycert symbol in sss_nss_idmap not found])], + []) dnl -- sss_certmap and certauth.h are needed by the IPA KDB certauth plugin -- PKG_CHECK_EXISTS([sss_certmap], -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
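Review bot: the new AC_CHECK_LIB in the server.m4 hunk links a test program against the default library search path only, so if pkg-config resolved sss_nss_idmap through a non-default -L directory, this check fails even though the PKG_CHECK_MODULES line right above it succeeded. Consider passing $SSSNSSIDMAP_LIBS as the fifth (other-libraries) argument, which is currently the empty []. As noted in the thread, a link check also does not guarantee the installed header declares the symbol; if that matters, an AC_CHECK_DECL against the sss_nss_idmap header would close the gap.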
[Freeipa-devel] [freeipa PR#593][synchronized] Add make patchcheck for developers
URL: https://github.com/freeipa/freeipa/pull/593 Author: tiran Title: #593: Add make patchcheck for developers Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/593/head:pr593 git checkout pr593 From 7c1f30c54efdee5ec687659c0ff7426fd1eabc8e Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Wed, 15 Mar 2017 08:31:38 +0100 Subject: [PATCH] Add make patchcheck for developers Ticket 6604 makes pylint and jsl optional dependencies. The change is controversial, because some developers prefer that pylint and jsl should be required unless explicitly disabled. `make patchcheck` is my answer to address the concerns. It's a superior solution to `make lint` as pre-commit check. It combines several additional checks under a single, easily rememberable and convenient make target: * build all * acilint, apiclient, jslint, polint * make check * pylint under Python 2 and 3 * subset of unit test suite https://fedorahosted.org/freeipa/ticket/6604 Signed-off-by: Christian Heimes --- Makefile.am | 31 ++- configure.ac | 12 ipatests/util.py | 28 ++-- 3 files changed, 56 insertions(+), 15 deletions(-) diff --git a/Makefile.am b/Makefile.am index af22315..2097030 100644 --- a/Makefile.am +++ b/Makefile.am 
@@ -152,6 +152,35 @@ JSLINT_TARGET = jslint endif WITH_JSLINT lint: acilint apilint $(POLINT_TARGET) $(PYLINT_TARGET) $(JSLINT_TARGET) +.PHONY: patchcheck +patchcheck: all +if ! WITH_POLINT + @echo "ERROR: polint not available"; exit 1 +endif +if ! WITH_PYLINT + @echo "ERROR: pylint not available"; exit 1 +endif +if ! WITH_JSLINT + @echo "ERROR: jslint not available"; exit 1 +endif +if ! WITH_PYTHON2 + @echo "ERROR: python2 not available"; exit 1 +endif + @ # run all linters, tests, and check with Python 2 + PYTHONPATH=$(top_srcdir) $(PYTHON2) ipatests/ipa-run-tests \ + --ipaclient-unittests + $(MAKE) $(AM_MAKEFLAGS) acilint apilint polint jslint check + $(MAKE) $(AM_MAKEFLAGS) PYTHON=$(PYTHON2) pylint +if WITH_PYTHON3 + @ # just tests and pylint on Python 3 + PYTHONPATH=$(top_srcdir) $(PYTHON3) ipatests/ipa-run-tests \ + --ipaclient-unittests + $(MAKE) $(AM_MAKEFLAGS) PYTHON=$(PYTHON3) pylint +else + @echo "WARNING: python3 not available" +endif + @echo "All tests passed." + .PHONY: $(top_builddir)/ipapython/version.py $(top_builddir)/ipapython/version.py: (cd $(top_builddir)/ipapython && make version.py) @@ -188,7 +217,7 @@ pylint: $(top_builddir)/ipapython/version.py ipasetup.py -name '*~' -o \ -name '*.py' -print -o \ -type f -exec grep -qsm1 '^#!.*\bpython' '{}' \; -print`; \ - echo "Pylint is running, please wait ..."; \ + echo "Pylint on $(PYTHON) is running, please wait ..."; \ PYTHONPATH=$(top_srcdir) $(PYTHON) -m pylint \ --rcfile=$(top_srcdir)/pylintrc \ --load-plugins pylint_plugins \ diff --git a/configure.ac b/configure.ac index f5c5270..0174320 100644 --- a/configure.ac +++ b/configure.ac 
@@ -111,6 +111,18 @@ if test "x$PYTHON" = "x" ; then fi dnl --- +dnl - Check for Python 2/3 for patchcheck +dnl --- + +AC_PATH_PROG(PYTHON2, python2) +AC_SUBST([PYTHON2]) +AM_CONDITIONAL([WITH_PYTHON2], [test "x${PYTHON2}" != "x"]) + +AC_PATH_PROG(PYTHON3, python3) +AC_SUBST([PYTHON3]) +AM_CONDITIONAL([WITH_PYTHON3], [test "x${PYTHON3}" != "x"]) + +dnl --- dnl - Check for cmocka unit test framework http://cmocka.cryptomilk.org/ dnl --- PKG_CHECK_EXISTS(cmocka, diff --git a/ipatests/util.py b/ipatests/util.py index d877dcc..575d5cc 100644 --- a/ipatests/util.py +++ b/ipatests/util.py @@ -194,9 +194,9 @@ class Fuzzy(object): Use of a regular expression by default implies the ``unicode`` type, so comparing with an ``str`` instance will evaluate to ``False``: ->>> phone.type - ->>> '123-456-7890' == phone +>>> phone.type is six.text_type +True +>>> b'123-456-7890' == phone False The *type* kwarg allows you to specify a type constraint, so you can force @@ -236,15 +236,15 @@ class Fuzzy(object): >>> fuzzy = Fuzzy('.+', type=str, test=lambda other: True) >>> fuzzy.regex '.+' ->>> fuzzy.type - +>>> fuzzy.type is str +True >>> fuzzy.test # doctest:+ELLIPSIS at 0x...> To aid debugging, `Fuzzy.__repr__()` reveals these kwargs as well: >>> fuzzy # doctest:+ELLIPSIS -Fuzzy('.+', , at 0x...>) +Fuzzy('.+', <... 'str'>, at 0x...>) """ def __init__(self, regex=None, type=None, test=None): @@ -344,20 +344,20 @@ def assert_deepequal(expected, got, doc='', stack=tuple()): If the tests fails, it will raise an ``AssertionEr
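Review bot: in the new patchcheck recipe in Makefile.am (hunk at -152), `ipatests/ipa-run-tests` is invoked by a path relative to the current directory while PYTHONPATH is set to $(top_srcdir); in an out-of-tree build (srcdir != builddir) the script will not be found. Use `$(top_srcdir)/ipatests/ipa-run-tests` in both the Python 2 and Python 3 invocations. Also, a missing python2 is a hard error while a missing python3 only warns; if both interpreters are meant to be exercised, the two branches should behave the same way, or the asymmetry deserves a comment in the recipe.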
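Review bot: the configure.ac hunk probes the literal program names python2 and python3; on a system where Python 2 is installed only as `python` (the $PYTHON probed just above this hunk), WITH_PYTHON2 is false and `make patchcheck` aborts even though a usable interpreter exists. Consider falling back to $PYTHON when `$PYTHON --version` reports 2.x, or state the python2/python3 naming requirement in the patchcheck documentation.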
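Review bot: the doctest in the ipatests/util.py hunk at -194 now evaluates `phone.type is six.text_type`; doctests run against the module's globals, so this passes only if ipatests/util.py imports six at module level. The hunk does not add that import, so please confirm it is already present, otherwise the doctest fails with NameError under both interpreters.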
[Freeipa-devel] [freeipa PR#668][comment] spec file: bump libsss_nss_idmap-devel BuildRequires
URL: https://github.com/freeipa/freeipa/pull/668 Title: #668: spec file: bump libsss_nss_idmap-devel BuildRequires abbra commented: """ No, it will make downstream harder because RHEL downstream will only have 1.15.2 with patches on top of that version. I have a pull request coming that actually checks for a specific function we know is part of those SSSD patches. """ See the full comment at https://github.com/freeipa/freeipa/pull/668#issuecomment-290009593
[Freeipa-devel] [freeipa PR#668][comment] spec file: bump libsss_nss_idmap-devel BuildRequires
URL: https://github.com/freeipa/freeipa/pull/668 Title: #668: spec file: bump libsss_nss_idmap-devel BuildRequires tomaskrizek commented: """ Do we also need to bump the version in `PKG_CHECK_MODULES` in `server.m4:31`? ``` PKG_CHECK_MODULES([SSSNSSIDMAP], [sss_nss_idmap >= 1.15.2]) ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/668#issuecomment-290007481
[Freeipa-devel] [freeipa PR#640][comment] Remove pkinit options from master/replica on DL0
URL: https://github.com/freeipa/freeipa/pull/640 Title: #640: Remove pkinit options from master/replica on DL0 stlaz commented: """ @MartinBasti Even though this commit basically breaks the behavior, it's not in its scope to fix it, it's somehow intended to break it, actually. It will be fixed elsewhere. I fixed the issue with running this on replica and removed one redundant check as well. I also noticed that DL0 replica has a usability issue where it checks for either `*-cert-file` option and requires them all; once it has them, it will say that these options can't be used with a replica file. I will not fix that here, though. """ See the full comment at https://github.com/freeipa/freeipa/pull/640#issuecomment-290005415
[Freeipa-devel] [freeipa PR#668][opened] spec file: bump libsss_nss_idmap-devel BuildRequires
URL: https://github.com/freeipa/freeipa/pull/668 Author: HonzaCholasta Title: #668: spec file: bump libsss_nss_idmap-devel BuildRequires Action: opened PR body: """ Bump BuildRequires on libsss_nss_idmap-devel to the version which introduces the sss_nss_getlistbycert function. This fixes RPM build failure when an older version of libsss_nss_idmap-devel was installed. https://pagure.io/freeipa/issue/6826 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/668/head:pr668 git checkout pr668 From 6e689e106deb15043cc0e3d399d7755c24744fc0 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Wed, 29 Mar 2017 07:14:24 + Subject: [PATCH] spec file: bump libsss_nss_idmap-devel BuildRequires Bump BuildRequires on libsss_nss_idmap-devel to the version which introduces the sss_nss_getlistbycert function. This fixes RPM build failure when an older version of libsss_nss_idmap-devel was installed. https://pagure.io/freeipa/issue/6826 --- freeipa.spec.in | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index e7e39e8..829c3f0 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -121,8 +121,8 @@ BuildRequires: libtevent-devel BuildRequires: libuuid-devel BuildRequires: libsss_idmap-devel BuildRequires: libsss_certmap-devel -# 1.14.0: sss_nss_getnamebycert (https://fedorahosted.org/sssd/ticket/2897) -BuildRequires: libsss_nss_idmap-devel >= 1.14.0 +# 1.15.3: sss_nss_getlistbycert (https://pagure.io/SSSD/sssd/issue/3050) +BuildRequires: libsss_nss_idmap-devel >= 1.15.3 BuildRequires: rhino BuildRequires: libverto-devel BuildRequires: libunistring-devel -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
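Review bot: the freeipa.spec.in hunk raises the floor to `libsss_nss_idmap-devel >= 1.15.3`, but a version floor rejects a 1.15.2 library that carries sss_nss_getlistbycert as a backport (the downstream case raised in this thread); since the real requirement is the symbol, a configure-time symbol check is the more portable way to express it. The bump is also not mirrored in server.m4, whose PKG_CHECK_MODULES line still says `sss_nss_idmap >= 1.15.2`, so the spec and configure checks would disagree about the minimum version.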
[Freeipa-devel] [freeipa PR#640][synchronized] Remove pkinit options from master/replica on DL0
URL: https://github.com/freeipa/freeipa/pull/640 Author: stlaz Title: #640: Remove pkinit options from master/replica on DL0 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/640/head:pr640 git checkout pr640 From 53cdc14d5e006634817a1cddfee8954db3434785 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Wed, 22 Mar 2017 17:10:56 +0100 Subject: [PATCH 1/4] Fix the order of cert-files check Without this patch, if either of dirsrv_cert_files, http_cert_files or pkinit_cert_files is set along with no-pkinit, the user is first requested to add the remaining options and when they do that, they are told that they are using 'no-pkinit' along with 'pkinit-cert-file'. https://pagure.io/freeipa/issue/6801 --- ipaserver/install/server/__init__.py | 10 +- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/ipaserver/install/server/__init__.py b/ipaserver/install/server/__init__.py index 14f1ec4..117f51c 100644 --- a/ipaserver/install/server/__init__.py +++ b/ipaserver/install/server/__init__.py @@ -340,16 +340,16 @@ def __init__(self, **kwargs): cert_file_opt = (self.pkinit_cert_files,) if not self.no_pkinit: cert_file_req += cert_file_opt -if any(cert_file_req + cert_file_opt) and not all(cert_file_req): -raise RuntimeError( -"--dirsrv-cert-file, --http-cert-file, and --pkinit-cert-file " -"or --no-pkinit are required if any key file options are used." -) if self.no_pkinit and self.pkinit_cert_files: raise RuntimeError( "--no-pkinit and --pkinit-cert-file cannot be specified " "together" ) +if any(cert_file_req + cert_file_opt) and not all(cert_file_req): +raise RuntimeError( +"--dirsrv-cert-file, --http-cert-file, and --pkinit-cert-file " +"or --no-pkinit are required if any key file options are used." +) if not self.interactive: if self.dirsrv_cert_files and self.dirsrv_pin is None: From 835dbe9dbecfe02ec26a98d52bb4c8c9c2b4cb8a Mon Sep 17 00:00:00 2001 
From: Stanislav Laznicka Date: Wed, 22 Mar 2017 17:26:51 +0100 Subject: [PATCH 2/4] Don't allow setting pkinit-related options on DL0 pkinit is not supported on DL0, remove options that allow to set it from ipa-{server,replica}-install. https://pagure.io/freeipa/issue/6801 --- install/tools/man/ipa-replica-install.1 | 2 +- install/tools/man/ipa-server-install.1 | 2 +- ipaserver/install/server/__init__.py| 16 3 files changed, 18 insertions(+), 2 deletions(-) diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1 index d63912c..7d24132 100644 --- a/install/tools/man/ipa-replica-install.1 +++ b/install/tools/man/ipa-replica-install.1 @@ -114,7 +114,7 @@ Install and configure a CA on this replica. If a CA is not configured then certificate operations will be forwarded to a master with a CA installed. .TP \fB\-\-no\-pkinit\fR -Disables pkinit setup steps +Disables pkinit setup steps. This is the default and only allowed behavior on domain level 0. .TP \fB\-\-dirsrv\-cert\-file\fR=FILE File containing the Directory Server SSL certificate and private key diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1 index c48bdae..d5d28df 100644 --- a/install/tools/man/ipa-server-install.1 +++ b/install/tools/man/ipa-server-install.1 
@@ -93,7 +93,7 @@ Type of the external CA. Possible values are "generic", "ms-cs". Default value i File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times. .TP \fB\-\-no\-pkinit\fR -Disables pkinit setup steps +Disables pkinit setup steps. This is the default and only allowed behavior on domain level 0. .TP \fB\-\-dirsrv\-cert\-file\fR=\fIFILE\fR File containing the Directory Server SSL certificate and private key. The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats. This option may be used multiple times. diff --git a/ipaserver/install/server/__init__.py b/ipaserver/install/server/__init__.py index 117f51c..6fd4957 100644 --- a/ipaserver/install/server/__init__.py +++ b/ipaserver/install/server/__init__.py @@ -335,6 +335,22 @@ def dirsrv_config_file(self, value): def __init__(self, **kwargs): super(ServerInstallInterface, self).__init__(**kwargs) +is_dl0 = ( +# in server-install, we have the domain_level option +(hasattr(self, 'domain_level') and + self.domain_level == constants.DOMAIN_LEVEL_0) or +# on replica we have to decide depending on replica_file appearance +(ha
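Review bot: in the reordered check in ipaserver/install/server/__init__.py (PATCH 1/4, hunk at -340), now that the no_pkinit/pkinit_cert_files conflict is rejected first, `any(cert_file_req + cert_file_opt)` tests pkinit_cert_files twice: with no_pkinit set it is known to be empty, and without it cert_file_opt has already been appended to cert_file_req, so `any(cert_file_req)` is sufficient. A short comment explaining why the two checks must run in this order (the commit message has the reasoning) would help the next reader.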
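Review bot: the -335 hunk in ipaserver/install/server/__init__.py (PATCH 2/4) is cut off in this digest mid-expression, so the is_dl0 logic cannot be fully reviewed here; the visible part references constants.DOMAIN_LEVEL_0, so please make sure `constants` is imported in this module, and since the man-page hunks now promise that --no-pkinit is the only allowed behavior on domain level 0, the replica-file branch of is_dl0 should be covered by a test.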