[Freeipa-devel] [freeipa PR#688][comment] Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches
URL: https://github.com/freeipa/freeipa/pull/688
Title: #688: Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches

HonzaCholasta commented:
"""
I guess it should. Could you please file a ticket?
"""
See the full comment at https://github.com/freeipa/freeipa/pull/688#issuecomment-296931927

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#714][comment] fix minor typo in ipa-adtrust-install.1
URL: https://github.com/freeipa/freeipa/pull/714
Title: #714: fix minor typo in ipa-adtrust-install.1

stlaz commented:
"""
Thanks, now this is ready to be pushed :)
"""
See the full comment at https://github.com/freeipa/freeipa/pull/714#issuecomment-296920348
[Freeipa-devel] [freeipa PR#714][+ack] fix minor typo in ipa-adtrust-install.1
URL: https://github.com/freeipa/freeipa/pull/714
Title: #714: fix minor typo in ipa-adtrust-install.1
Label: +ack
[Freeipa-devel] [freeipa PR#694][comment] RFC: implement local PKINIT deployment in server/replica install
URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

HonzaCholasta commented:
"""
@martbab, this sounds like a typical instance of a "we will do it later = we will do it never" situation. IMO we should remove the superfluous check right away, as that would give us more incentive to actually implement the test.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/694#issuecomment-296916627
[Freeipa-devel] [freeipa PR#714][comment] fix minor typo in ipa-adtrust-install.1
URL: https://github.com/freeipa/freeipa/pull/714
Title: #714: fix minor typo in ipa-adtrust-install.1

realsobek commented:
"""
It was my fault. I knew how to squash two unpushed commits, but squashing two pushed commits was beyond me. Thanks for your comment in #716. I had a look again and I managed it this time. :)

I squashed the last two commits (see `git log`) in my branch with `git rebase --interactive HEAD~2` and pushed the result to my fork with `git push origin master --force`.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/714#issuecomment-296823122
[Freeipa-devel] [freeipa PR#714][synchronized] fix minor typo in ipa-adtrust-install.1
URL: https://github.com/freeipa/freeipa/pull/714 Author: realsobek Title: #714: fix minor typo in ipa-adtrust-install.1 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/714/head:pr714 git checkout pr714 From 3ab52cf1d04eb8e0e4a52bfe12ee6d1adaf90e06 Mon Sep 17 00:00:00 2001 From: realsobek Date: Sat, 15 Apr 2017 13:52:44 +0200 Subject: [PATCH] fix minor typos in ipa-adtrust-install.1 --- install/tools/man/ipa-adtrust-install.1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipa-adtrust-install.1 b/install/tools/man/ipa-adtrust-install.1 index ef3c23b..5924d16 100644 --- a/install/tools/man/ipa-adtrust-install.1 +++ b/install/tools/man/ipa-adtrust-install.1 @@ -26,7 +26,7 @@ Adds all necessary objects and configuration to allow an IPA server to create a trust to an Active Directory domain. This requires that the IPA server is already installed and configured. -Please note you will not be able to estabilish an trust to an Active Directory +Please note you will not be able to establish a trust to an Active Directory domain unless the realm name of the IPA server matches its domain name. ipa\-adtrust\-install can be run multiple times to reinstall deleted objects or -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#728][opened] ipa-cacert-manage: add --external-ca-type
URL: https://github.com/freeipa/freeipa/pull/728 Author: HonzaCholasta Title: #728: ipa-cacert-manage: add --external-ca-type Action: opened PR body: """ **server upgrade: always fix certmonger tracking request** Fix certmonger tracking requests on every run of ipa-server-upgrade rather than only when the tracking configuration has changed and the requests have not yet been updated. This allows fixing broken tracking requests just by re-running ipa-server-upgrade. **cainstance: use correct profile for lightweight CA certificates** Use Dogtag's `caCACert` CA certificate profile rather than the `ipaCACertRenewal` virtual profile for lightweight CA certificates. The `ipaCACertRenewal` virtual profile adds special handling of externally signed CA certificates and LDAP replication of issued certificates on top of `caCACert`, neither of which is relevant for lightweight CA certificates. Remove all of the special casing of lightweight CA certificates from dogtag-ipa-ca-renew-agent-submit. Make sure existing lightweight CA certmonger tracking requests are updated on server upgrade. **renew agent: allow reusing existing certs** Add a switch which makes `dogtag-ipa-ca-renew-agent-submit` reuse the existing certificate rather than request a new one from the CA while maintaining LDAP replication of the certificate. Make this available as a new `dogtag-ipa-ca-renew-agent-reuse` certmonger CA. This allows redoing the LDAP replication and reexecuting pre- and post-save commands of a tracking request without reissuing the certificate. **renew agent: always export CSR on IPA CA certificate renewal** Make sure a CSR is exported for the IPA CA whenever certmonger detects that the CA certificate is about to expire. This is a pre-requisite for using the `dogtag-ipa-ca-renew-agent-reuse` CA instead of the `ipaCSRExport` virtual profile to export the CSR. 
**renew agent: get rid of virtual profiles** Replace all uses of virtual profiles with `dogtag-ipa-ca-renew-agent-reuse` and remove profile from the IPA CA certificate tracking request. This prevents virtual profiles from making their way into CSRs and in turn being rejected by certain CAs. This affected the IPA CA CSR with Microsoft CS in particular. **ipa-cacert-manage: add --external-ca-type** Add the `--external-ca-type`, as known from `ipa-server-install` and `ipa-ca-install`, to `ipa-cacert-manage`. This allows creating IPA CA CSRs suitable for use with Microsoft CS using `ipa-cacert-manage`: ``` ipa-cacert-manage renew --external-ca --external-ca-type=ms-cs ``` https://pagure.io/freeipa/issue/5799 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/728/head:pr728 git checkout pr728 From b7ead617441712d6d7286ac66a2b2feea97f72af Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Mon, 24 Apr 2017 05:24:24 + Subject: [PATCH 1/7] renew agent: respect CA renewal master setting Do not bypass the renewal master check when a non-virtual profile is used in dogtag-ipa-ca-renew-agent-submit. This fixes dogtag-ipa-ca-renew-agent not respecting the CA renewal master setting for certificates tracked with a real profile. (Note that there currently aren't any such certificates tracked by us.) Request the RA certificate using dogtag-submit rather than dogtag-ipa-ca-renew-agent-submit as the CA renewal master setting is not available so early in the install process. https://pagure.io/freeipa/issue/5799 --- install/certmonger/dogtag-ipa-ca-renew-agent-submit | 2 +- ipaserver/install/cainstance.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit index 7a3d955..f253fd9 100755 --- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit +++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit 
@@ -535,7 +535,7 @@ def main(): profile = os.environ.get('CERTMONGER_CA_PROFILE') if is_replicated(): -if profile or is_renewal_master(): +if is_renewal_master(): handler = request_and_store_cert else: handler = retrieve_cert_continuous diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 84d60bf..336299c 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -823,7 +823,7 @@ def __request_ra_certificate(self): "-out", chain_file.name, ], stdin=data, capture_output=False) -agent_args = [paths.DOGTAG_IPA_CA_RENEW_AGENT_SUBMIT, +agent_args = [paths.CERTMONGER_DOGTAG_SUBMIT, "--dbdir", self.tmp_agent_db, "--nickname", "ipa-ca-agent", "--cafile", chain_file.name, From 6a64cc75f17ce029b487ff6c5bdd46bcd05c645d Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Tue, 28 Feb 2017 10:55:54 + Subject:
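Review bot: In the dogtag-ipa-ca-renew-agent-submit hunk, dropping `profile` from `if profile or is_renewal_master():` leaves `profile = os.environ.get('CERTMONGER_CA_PROFILE')` two lines above with no remaining use visible in the hunk; if nothing further down still reads it, the assignment should go too (or move next to its consumer), otherwise the pylint target pinned elsewhere in this thread will report an unused variable. The behaviour change itself is what the commit message promises: a real profile no longer lets a non-renewal-master replica request a fresh certificate instead of retrieving the replicated one.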
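Review bot: The cainstance.py hunk swaps the helper to `paths.CERTMONGER_DOGTAG_SUBMIT` but hands it the same `--dbdir`, `--nickname` and `--cafile` arguments that were built for the renew agent; the hunk does not show whether dogtag-submit accepts that exact option set, so that is worth confirming before merge. A one-line comment above `agent_args` saying that the CA renewal master setting is not yet available at this point of the install (the reason given in the commit message) would save the next reader a trip through git log.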
[Freeipa-devel] [freeipa PR#711][+pushed] Compat-plugin related fixes
URL: https://github.com/freeipa/freeipa/pull/711
Title: #711: Compat-plugin related fixes
Label: +pushed
[Freeipa-devel] [freeipa PR#711][comment] Compat-plugin related fixes
URL: https://github.com/freeipa/freeipa/pull/711
Title: #711: Compat-plugin related fixes

MartinBasti commented:
"""
master:
* 0c0af8cf7adf61ef03ba1240ecbdecef7fa15275 compat-manage: behave the same for all users
* ddbbb1c58e8a4fec8129e7d1e941c54660af6a69 Move the compat plugin setup at the end of install
* 645615958d4b0f9e6dd8a5ff2541952abb588d55 compat: ignore cn=topology,cn=ipa,cn=etc subtree
* 68c8ddf1871efe7ef78ce153573d522aefecfdfa compat plugin: Update link to slapi-nis project

ipa-4-5:
* 4fa7718c6ad03a7cf534313d5c50d78d4863fe6e compat-manage: behave the same for all users
* 7364c1360c4e2271667f3a08d8d504b3cd813e2f Move the compat plugin setup at the end of install
* e691877c24e722d4fc91fed34cd31cc102879c1a compat: ignore cn=topology,cn=ipa,cn=etc subtree
* efe096040aefdeea37afcf2671506982d8522f47 compat plugin: Update link to slapi-nis project
"""
See the full comment at https://github.com/freeipa/freeipa/pull/711#issuecomment-296700686
[Freeipa-devel] [freeipa PR#711][closed] Compat-plugin related fixes
URL: https://github.com/freeipa/freeipa/pull/711
Author: stlaz
Title: #711: Compat-plugin related fixes
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/711/head:pr711
git checkout pr711
[Freeipa-devel] [freeipa PR#727][closed] Regenerate ASN.1 code with asn1c 0.9.28
URL: https://github.com/freeipa/freeipa/pull/727
Author: tiran
Title: #727: Regenerate ASN.1 code with asn1c 0.9.28
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/727/head:pr727
git checkout pr727
[Freeipa-devel] [freeipa PR#727][+pushed] Regenerate ASN.1 code with asn1c 0.9.28
URL: https://github.com/freeipa/freeipa/pull/727
Title: #727: Regenerate ASN.1 code with asn1c 0.9.28
Label: +pushed
[Freeipa-devel] [freeipa PR#727][comment] Regenerate ASN.1 code with asn1c 0.9.28
URL: https://github.com/freeipa/freeipa/pull/727
Title: #727: Regenerate ASN.1 code with asn1c 0.9.28

MartinBasti commented:
"""
master:
* ad0843047779b55848425eaba0385034d6893446 Regenerate ASN.1 code with asn1c 0.9.28
* 9b443b908fe6fb9c11f9b76552bf4fef2c3b2be5 Replace _BSD_SOURCE with _DEFAULT_SOURCE
"""
See the full comment at https://github.com/freeipa/freeipa/pull/727#issuecomment-296699132
[Freeipa-devel] [freeipa PR#727][+ack] Regenerate ASN.1 code with asn1c 0.9.28
URL: https://github.com/freeipa/freeipa/pull/727
Title: #727: Regenerate ASN.1 code with asn1c 0.9.28
Label: +ack
[Freeipa-devel] [freeipa PR#711][+ack] Compat-plugin related fixes
URL: https://github.com/freeipa/freeipa/pull/711
Title: #711: Compat-plugin related fixes
Label: +ack
[Freeipa-devel] [freeipa PR#720][+ack] tox: use pylint 1.6.x for now
URL: https://github.com/freeipa/freeipa/pull/720
Title: #720: tox: use pylint 1.6.x for now
Label: +ack
[Freeipa-devel] [freeipa PR#720][synchronized] tox: use pylint 1.6.x for now
URL: https://github.com/freeipa/freeipa/pull/720 Author: tiran Title: #720: tox: use pylint 1.6.x for now Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/720/head:pr720 git checkout pr720 From c629f1ac97f73e3c4d4a23bcde5b769319368e74 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Wed, 19 Apr 2017 10:58:11 +0200 Subject: [PATCH] tox: use pylint 1.6.x for now FreeIPA is not yet compatible with pylint 1.7.1+. Enforce pylint 1.6.x until all issues have been addressed. Related: https://pagure.io/freeipa/issue/6874 Signed-off-by: Christian Heimes --- .wheelconstraints.in | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.wheelconstraints.in b/.wheelconstraints.in index eba4ec9..ba37de7 100644 --- a/.wheelconstraints.in +++ b/.wheelconstraints.in @@ -9,3 +9,5 @@ ipapython == @VERSION@ ipaserver == @VERSION@ ipatests == @VERSION@ +# see https://pagure.io/freeipa/issue/6874 +pylint < 1.7 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
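Review bot: `pylint < 1.7` in the .wheelconstraints.in hunk is a valid specifier for pip's `--constraint` file, but the spaces around `<` are a hazard wherever the same list is expanded onto a shell command line: the failing run quoted later in this thread shows the make `wheel_bundle` recipe ending its pip invocation with `... ipapython[certmonger] pylint < 1.7`, and `/bin/sh: 1.7: No such file or directory` is the shell treating `<` as input redirection. Write it as `pylint<1.7` (or quote it where the Makefile expands the list); keeping the `# see https://pagure.io/freeipa/issue/6874` comment next to the pin is good.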
[Freeipa-devel] [freeipa PR#720][comment] tox: use pylint 1.6.x for now
URL: https://github.com/freeipa/freeipa/pull/720
Title: #720: tox: use pylint 1.6.x for now

MartinBasti commented:
"""
pylint and pylint3 targets are failing
```
MAKEFLAGS= /tmp/freeipa/.tox/pylint2/bin/python -m pip wheel \
    --disable-pip-version-check \
    --constraint .wheelconstraints \
    --find-links ./dist/wheels \
    --find-links ./dist/bundle \
    --wheel-dir ./dist/bundle \
    ipaclient ipalib ipapython ipaclient ipapython[certmonger] pylint < 1.7
/bin/sh: 1.7: No such file or directory
Makefile:1249: recipe for target 'wheel_bundle' failed
make: *** [wheel_bundle] Error 1
make: Leaving directory '/tmp/freeipa'
```
"""
See the full comment at https://github.com/freeipa/freeipa/pull/720#issuecomment-296624447
[Freeipa-devel] [freeipa PR#724][+pushed] upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is…
URL: https://github.com/freeipa/freeipa/pull/724
Title: #724: upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is…
Label: +pushed
[Freeipa-devel] [freeipa PR#724][closed] upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is…
URL: https://github.com/freeipa/freeipa/pull/724
Author: flo-renaud
Title: #724: upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is…
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/724/head:pr724
git checkout pr724
[Freeipa-devel] [freeipa PR#724][comment] upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is…
URL: https://github.com/freeipa/freeipa/pull/724
Title: #724: upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is…

MartinBasti commented:
"""
master:
* 434d9e539d24fe0110c5d6bf4a4342daf40d15d5 upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is installed

ipa-4-5:
* c05bd60585fb80e061b8582a648a65204c709f51 upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is installed
"""
See the full comment at https://github.com/freeipa/freeipa/pull/724#issuecomment-296617979
[Freeipa-devel] [bind-dyndb-ldap PR#17][comment] settings: skip unconfigured values
URL: https://github.com/freeipa/bind-dyndb-ldap/pull/17
Title: #17: settings: skip unconfigured values

MartinBasti commented:
"""
LGTM
"""
See the full comment at https://github.com/freeipa/bind-dyndb-ldap/pull/17#issuecomment-296617030
[Freeipa-devel] [freeipa PR#694][comment] RFC: implement local PKINIT deployment in server/replica install
URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

martbab commented:
"""
I have rewritten the PKINIT state reporting code as agreed with @abbra and also re-factored the installation/upgrade logic. @HonzaCholasta also requested to remove the local PKINIT check completely and have a test suite for that. On the one hand I tend to agree, on the other I would keep the check there for now until the password authentication test is implemented. Then remove the checks once we have coverage for it.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/694#issuecomment-296613316
[Freeipa-devel] [freeipa PR#694][synchronized] RFC: implement local PKINIT deployment in server/replica install
URL: https://github.com/freeipa/freeipa/pull/694 Author: martbab Title: #694: RFC: implement local PKINIT deployment in server/replica install Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/694/head:pr694 git checkout pr694 From f3f48aa15587eccc8046f36d62397fee634f7090 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Fri, 31 Mar 2017 15:06:46 +0200 Subject: [PATCH 1/8] Allow for configuration of all three PKINIT variants when deploying KDC The PKINIT setup code now can configure PKINIT using IPA CA signed certificate, 3rd party certificate and local PKINIT with self-signed keypair. The local PKINIT is also selected as a fallback mechanism if the CSR is rejected by CA master or `--no-pkinit` is used. http://www.freeipa.org/page/V4/Kerberos_PKINIT https://pagure.io/freeipa/issue/6830 --- ipaserver/install/krbinstance.py | 143 +-- 1 file changed, 91 insertions(+), 52 deletions(-) diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py index 6c105f7..a86cd16 100644 --- a/ipaserver/install/krbinstance.py +++ b/ipaserver/install/krbinstance.py @@ -38,6 +38,7 @@ from ipalib.install import certmonger from ipapython.ipa_log_manager import root_logger from ipapython.dn import DN +from ipapython.dogtag import KDC_PROFILE from ipaserver.install import replication from ipaserver.install import ldapupdate 
@@ -354,61 +355,80 @@ def _wait_for_replica_kdc_entry(self): remote_ldap.gssapi_bind() replication.wait_for_entry(remote_ldap, kdc_dn, timeout=60) -def setup_pkinit(self): -if self.pkcs12_info: -certs.install_pem_from_p12(self.pkcs12_info[0], - self.pkcs12_info[1], - paths.KDC_CERT) -certs.install_key_from_p12(self.pkcs12_info[0], - self.pkcs12_info[1], - paths.KDC_KEY) -else: -subject = str(DN(('cn', self.fqdn), self.subject_base)) -krbtgt = "krbtgt/" + self.realm + "@" + self.realm -certpath = (paths.KDC_CERT, paths.KDC_KEY) +def _call_certmonger(self, certmonger_ca='IPA'): +subject = str(DN(('cn', self.fqdn), self.subject_base)) +krbtgt = "krbtgt/" + self.realm + "@" + self.realm +certpath = (paths.KDC_CERT, paths.KDC_KEY) -try: -prev_helper = None -if self.master_fqdn is None: -ca_args = [ -paths.CERTMONGER_DOGTAG_SUBMIT, -'--ee-url', 'https://%s:8443/ca/ee/ca' % self.fqdn, -'--certfile', paths.RA_AGENT_PEM, -'--keyfile', paths.RA_AGENT_KEY, -'--cafile', paths.IPA_CA_CRT, -'--agent-submit' -] -helper = " ".join(ca_args) -prev_helper = certmonger.modify_ca_helper('IPA', helper) -else: -self._wait_for_replica_kdc_entry() - -certmonger.request_and_wait_for_cert( -certpath, -subject, -krbtgt, -dns=self.fqdn, -storage='FILE', -profile='KDCs_PKINIT_Certs') -except dbus.DBusException as e: -# if the certificate is already tracked, ignore the error -name = e.get_dbus_name() -if name != 'org.fedorahosted.certmonger.duplicate': -root_logger.error("Failed to initiate the request: %s", e) -return -finally: -if prev_helper is not None: -certmonger.modify_ca_helper('IPA', prev_helper) - -# Finally copy the cacert in the krb directory so we don't -# have any selinux issues with the file context +try: +prev_helper = None +# on the first CA-ful master without '--no-pkinit', we issue the +# certificate by contacting Dogtag directly +use_dogtag_submit = all( +[self.master_fqdn is None, + self.pkcs12_info is None, + self.config_pkinit]) + +if use_dogtag_submit: +ca_args = [ 
+paths.CERTMONGER_DOGTAG_SUBMIT, +'--ee-url', 'https://%s:8443/ca/ee/ca' % self.fqdn, +'--certfile', paths.RA_AGENT_PEM, +'--keyfile', paths.RA_AGENT_KEY, +'--cafile', paths.IPA_CA_CRT, +'--agent-submit' +] +helper = " ".join(ca_args) +prev_helper = certmonger.modify_ca_helper(certmonger_ca, helper) + +certmonger.req
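Review bot: `prev_helper = certmonger.modify_ca_helper(certmonger_ca, helper)` in the new `_call_certmonger` parameterises the certmonger CA name, but the `finally` block of the `setup_pkinit` code being removed restored it with the literal `'IPA'` (`certmonger.modify_ca_helper('IPA', prev_helper)`); the replacement's restore is cut off in this excerpt, so make sure it also uses `certmonger_ca`, or a caller passing a different CA would leave the dogtag-submit helper installed on it. Also, `use_dogtag_submit` tests `self.pkcs12_info is None` while the removed code branched on `if self.pkcs12_info:`; if a caller can pass an empty tuple the two disagree, so `not self.pkcs12_info` keeps the original semantics. Minor: `all([...])` over a three-element list reads more naturally as an `and` chain.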
[Freeipa-devel] [freeipa PR#712][+ack] WebUI: Coverity fixes
URL: https://github.com/freeipa/freeipa/pull/712
Title: #712: WebUI: Coverity fixes
Label: +ack
[Freeipa-devel] [freeipa PR#727][opened] Regenerate ASN.1 code with asn1c 0.9.28
URL: https://github.com/freeipa/freeipa/pull/727 Author: tiran Title: #727: Regenerate ASN.1 code with asn1c 0.9.28 Action: opened PR body: """ Regenerate ASN.1 code with asn1c 0.9.28 https://pagure.io/freeipa/issue/6818 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/727/head:pr727 git checkout pr727 From 6468a24595250eaec25d49ac80c0883a4892e093 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Mon, 24 Apr 2017 11:12:42 +0200 Subject: [PATCH 1/2] Regenerate ASN.1 code with asn1c 0.9.28 Closes: https://pagure.io/freeipa/issue/6818 
Signed-off-by: Christian Heimes --- asn1/asn1c/BIT_STRING.c | 26 +- asn1/asn1c/GKCurrentKeys.c | 8 ++-- asn1/asn1c/GKCurrentKeys.h | 4 +- asn1/asn1c/GKNewKeys.c | 10 ++-- asn1/asn1c/GKNewKeys.h | 4 +- asn1/asn1c/GKReply.c| 10 ++-- asn1/asn1c/GKReply.h| 4 +- asn1/asn1c/GetKeytabControl.c | 6 +-- asn1/asn1c/GetKeytabControl.h | 4 +- asn1/asn1c/INTEGER.c| 72 ++-- asn1/asn1c/INTEGER.h| 8 ++-- asn1/asn1c/Int32.c | 10 ++-- asn1/asn1c/Int32.h | 4 +- asn1/asn1c/KrbKey.c | 8 ++-- asn1/asn1c/KrbKey.h | 4 +- asn1/asn1c/NativeEnumerated.c | 54 ++--- asn1/asn1c/NativeInteger.c | 16 +++ asn1/asn1c/OCTET_STRING.c | 103 ++-- asn1/asn1c/OCTET_STRING.h | 2 +- asn1/asn1c/TypeValuePair.c | 8 ++-- asn1/asn1c/TypeValuePair.h | 4 +- asn1/asn1c/asn_application.h| 6 +-- asn1/asn1c/asn_codecs.h | 14 +++--- asn1/asn1c/asn_codecs_prim.c| 16 +++ asn1/asn1c/asn_internal.h | 68 +- asn1/asn1c/asn_system.h | 14 -- asn1/asn1c/ber_decoder.c| 4 +- asn1/asn1c/ber_tlv_length.c | 2 +- asn1/asn1c/constr_CHOICE.c | 94 ++-- asn1/asn1c/constr_CHOICE.h | 4 +- asn1/asn1c/constr_SEQUENCE.c| 91 ++- asn1/asn1c/constr_SEQUENCE.h| 6 +-- asn1/asn1c/constr_SEQUENCE_OF.c | 36 +++--- asn1/asn1c/constr_SET_OF.c | 47 +- asn1/asn1c/constr_SET_OF.h | 2 +- asn1/asn1c/constr_TYPE.c| 2 +- asn1/asn1c/constr_TYPE.h| 18 +++ asn1/asn1c/constraints.h| 8 ++-- asn1/asn1c/der_encoder.c| 18 +++ asn1/asn1c/per_decoder.c| 8 ++-- asn1/asn1c/per_encoder.c| 4 +- asn1/asn1c/per_opentype.c | 24 +- asn1/asn1c/per_support.c| 8 ++-- asn1/asn1c/per_support.h| 8 ++-- asn1/asn1c/xer_decoder.c| 17 --- asn1/asn1c/xer_decoder.h| 7 +-- asn1/asn1c/xer_encoder.c| 8 ++-- asn1/asn1c/xer_support.c| 16 ++- 48 files changed, 474 insertions(+), 445 deletions(-) diff --git a/asn1/asn1c/BIT_STRING.c b/asn1/asn1c/BIT_STRING.c index 9b98271..997ff41 100644 --- a/asn1/asn1c/BIT_STRING.c +++ b/asn1/asn1c/BIT_STRING.c 
@@ -9,7 +9,7 @@ /* * BIT STRING basic type description. */ -static ber_tlv_tag_t asn_DEF_BIT_STRING_tags[] = { +static const ber_tlv_tag_t asn_DEF_BIT_STRING_tags[] = { (ASN_TAG_CLASS_UNIVERSAL | (3 << 2)) }; static asn_OCTET_STRING_specifics_t asn_DEF_BIT_STRING_specs = { @@ -52,13 +52,13 @@ BIT_STRING_constraint(asn_TYPE_descriptor_t *td, const void *sptr, if(st && st->buf) { if((st->size == 0 && st->bits_unused) || st->bits_unused < 0 || st->bits_unused > 7) { - _ASN_CTFAIL(app_key, td, sptr, + ASN__CTFAIL(app_key, td, sptr, "%s: invalid padding byte (%s:%d)", td->name, __FILE__, __LINE__); return -1; } } else { - _ASN_CTFAIL(app_key, td, sptr, + ASN__CTFAIL(app_key, td, sptr, "%s: value not given (%s:%d)", td->name, __FILE__, __LINE__); return -1; @@ -86,7 +86,7 @@ BIT_STRING_encode_xer(asn_TYPE_descriptor_t *td, void *sptr, uint8_t *end; if(!st || !st->buf) - _ASN_ENCODE_FAILED; + ASN__ENCODE_FAILED; er.encoded = 0; @@ -101,9 +101,9 @@ BIT_STRING_encode_xer(asn_TYPE_descriptor_t *td, void *sptr, int nline = xcan?0:(((buf - st->buf) % 8) == 0); if(p >= scend || nline) { er.encoded += p - scratch; - _ASN_CALLBACK(scratch, p - scratch); + ASN__CALLBACK(scratch, p - scratch); p = scratch; - if(nline) _i_ASN_TEXT_INDENT(1, ilevel); + if(nline) ASN__TEXT_INDENT(1, ilevel); } memcpy(p + 0, _bit_pattern[v >> 4], 4); memcpy(p + 4, _bit_pattern[v & 0x0f], 4); @@ -111,9 +111,9 @@ BIT_STRING_encode_xer(asn_TYPE_descriptor_t *td, void *sptr, } if(!xcan && ((buf - st->buf) % 8) == 0) - _i_ASN_TEXT_INDENT(1, ilevel); + ASN__TEXT_INDENT(1, ilevel); er.encoded += p - scratch; - _ASN_CALLBACK(scratch, p - scratch); + ASN__CALLBACK(scratch, p - scratch); p = scratch; if(buf == end) { @@ -123,14 +123,14
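Review bot: The BIT_STRING.c hunk is internally consistent (`static const` for the tags table, `_ASN_CTFAIL` → `ASN__CTFAIL`, `_ASN_ENCODE_FAILED` → `ASN__ENCODE_FAILED`, `_i_ASN_TEXT_INDENT` → `ASN__TEXT_INDENT`), but for a 48-file regenerated-code commit the message records only the asn1c version, not the invocation and options used, so the output cannot be reproduced byte-for-byte next time; please add the exact `asn1c` command line (or a make target that runs it) to the commit message or a README under asn1/. Since the diffstat touches asn_internal.h as well, also confirm that no hand-written code in the tree still uses the old `_ASN_*` macro spellings.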
[Freeipa-devel] [freeipa PR#726][synchronized] Add check for directory name
URL: https://github.com/freeipa/freeipa/pull/726 Author: Akasurde Title: #726: Add check for directory name Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/726/head:pr726 git checkout pr726 From dfe0c85ae908b4afbbd014cbf8bcf4e9b81c066d Mon Sep 17 00:00:00 2001 From: Abhijeet Kasurde Date: Fri, 21 Apr 2017 10:11:38 +0530 Subject: [PATCH] Add check for directory name Fix adds check to verify if user provided input is not a directory when filename is required. Fixes: https://pagure.io/freeipa/issue/6883 Signed-off-by: Abhijeet Kasurde --- ipalib/util.py | 4 1 file changed, 4 insertions(+) diff --git a/ipalib/util.py b/ipalib/util.py index e9d4105..f0d9401 100644 --- a/ipalib/util.py +++ b/ipalib/util.py @@ -170,6 +170,10 @@ def check_writable_file(filename): """ if filename is None: raise errors.FileError(reason=_('Filename is empty')) + +if not os.path.isfile(filename): +raise errors.FileError(reason=_('Expected file but %(fname)s is not a ' +'regular file' % dict(fname=filename))) try: if os.path.exists(filename): if not os.access(filename, os.W_OK): -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
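Review bot: The new `if not os.path.isfile(filename):` in the ipalib/util.py hunk also fires for a path that does not exist yet, because `os.path.isfile()` returns False for a missing file as well as for a directory; the `if os.path.exists(filename):` two lines below shows `check_writable_file()` is meant to accept a not-yet-created output file, so this hunk breaks that case. Restrict the check to existing paths, e.g. `if os.path.exists(filename) and not os.path.isfile(filename):`, so that directories (and the other non-regular types raised in review) are rejected while a new filename still passes. Separately, the `% dict(fname=filename)` is applied inside the `_()` call, so the translation lookup sees the already-interpolated string and will not match the catalog; move the `%` outside `_()`.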
[Freeipa-devel] [freeipa PR#726][comment] Add check for directory name
URL: https://github.com/freeipa/freeipa/pull/726
Title: #726: Add check for directory name

Akasurde commented:
"""
@tiran Do you think we should allow only files here?
"""
See the full comment at https://github.com/freeipa/freeipa/pull/726#issuecomment-296579941
[Freeipa-devel] [freeipa PR#714][comment] fix minor typo in ipa-adtrust-install.1
URL: https://github.com/freeipa/freeipa/pull/714
Title: #714: fix minor typo in ipa-adtrust-install.1

stlaz commented:
"""
Ah, I did not notice you made a second commit for this. Please, squash them.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/714#issuecomment-296573574
[Freeipa-devel] [freeipa PR#714][-ack] fix minor typo in ipa-adtrust-install.1
URL: https://github.com/freeipa/freeipa/pull/714
Title: #714: fix minor typo in ipa-adtrust-install.1
Label: -ack
[Freeipa-devel] [freeipa PR#726][comment] Add check for directory name
URL: https://github.com/freeipa/freeipa/pull/726
Title: #726: Add check for directory name

tiran commented:
"""
What about other types that might cause trouble, e.g. socket, fifo, device files, dangling symlinks?
"""
See the full comment at https://github.com/freeipa/freeipa/pull/726#issuecomment-296572324
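The file-type question raised in the PR#726 review above (directory, fifo, socket, device, dangling symlink), as an added example that is not FreeIPA's `ipalib.util.check_writable_file`: it classifies the path with `os.lstat()`/`os.stat()` before the writability checks and keeps the not-yet-existing-file case the original helper supports. `FileCheckError`, `classify_path` and `demo` are names chosen here, and the sample paths are constructed in a temporary directory.

```python
import errno
import os
import socket
import stat
import tempfile


class FileCheckError(Exception):
    """Stand-in for ipalib's errors.FileError (assumed name, not the real class)."""


def classify_path(filename):
    """Return 'regular', 'missing', 'dangling-symlink', 'directory', 'fifo',
    'socket', 'device' or 'other'. os.lstat() runs first so a symlink whose
    target is gone is 'dangling-symlink', not 'missing'; one that resolves
    is classified by its target via os.stat()."""
    try:
        st = os.lstat(filename)
    except OSError as e:
        if e.errno == errno.ENOENT:
            return 'missing'
        raise
    if stat.S_ISLNK(st.st_mode):
        try:
            st = os.stat(filename)
        except OSError as e:
            if e.errno == errno.ENOENT:
                return 'dangling-symlink'
            raise
    mode = st.st_mode
    if stat.S_ISREG(mode):
        return 'regular'
    if stat.S_ISDIR(mode):
        return 'directory'
    if stat.S_ISFIFO(mode):
        return 'fifo'
    if stat.S_ISSOCK(mode):
        return 'socket'
    if stat.S_ISCHR(mode) or stat.S_ISBLK(mode):
        return 'device'
    return 'other'


def check_writable_file(filename):
    """Accept a writable regular file or a not-yet-existing file in a writable
    directory (the case the original helper keeps); reject every other type."""
    if filename is None:
        raise FileCheckError('Filename is empty')
    kind = classify_path(filename)
    if kind == 'regular':
        if not os.access(filename, os.W_OK):
            raise FileCheckError('Permission denied: %s' % filename)
        return kind
    if kind == 'missing':
        # Creating the file later needs a writable parent directory.
        parent = os.path.dirname(os.path.abspath(filename))
        if not os.access(parent, os.W_OK):
            raise FileCheckError('Permission denied: %s' % parent)
        return kind
    raise FileCheckError('Expected a regular file but %(fname)s is a %(kind)s'
                         % dict(fname=filename, kind=kind))


def demo():
    """Build constructed sample paths in a scratch dir; return name -> verdict."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            'regular': os.path.join(tmp, 'out.txt'),
            'new-file': os.path.join(tmp, 'not-created-yet.txt'),
            'directory': tmp,
            'fifo': os.path.join(tmp, 'pipe'),
            'socket': os.path.join(tmp, 'sock'),
            'dangling-symlink': os.path.join(tmp, 'link'),
        }
        open(samples['regular'], 'w').close()
        os.mkfifo(samples['fifo'])
        os.symlink(os.path.join(tmp, 'gone'), samples['dangling-symlink'])
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        sock.bind(samples['socket'])
        try:
            for name, path in samples.items():
                try:
                    results[name] = 'accepted: %s' % check_writable_file(path)
                except FileCheckError as e:
                    results[name] = 'rejected: %s' % e
        finally:
            sock.close()
    return results


if __name__ == '__main__':
    for name, verdict in sorted(demo().items()):
        print('%-17s %s' % (name, verdict))
```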