[Freeipa-devel] Don't work with Pagure right now
Hello,

This morning I found out that "https://pagure.io/freeipa/" resolves to a different project, originally https://pagure.io/freeIPA/. I pointed the problem out to the developer of the system, we'll see what he can do about it, but for now, we're missing about 200 issues.

Please, don't open any new issues, as that's just pointless and would only cause us problems as these would need to be merged back to our project (should it be recoverable, which I hope it should).

Luckily enough, `git clone https://g...@pagure.io/freeipa.git` seemed to have resolved to the correct repo so our git repos should hopefully not be affected.

Sorry for the inconvenience,
Standa

--
Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#782][opened] [WIP] Improving GUI text in "Add DNS Zones" popup
URL: https://github.com/freeipa/freeipa/pull/782 Author: felipevolpone Title: #782: [WIP] Improving GUI text in "Add DNS Zones" popup Action: opened PR body: """ Improving usability of the "Add DNS Zones" popup in Web UI. Ticket: https://pagure.io/freeipa/issue/6687 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/782/head:pr782 git checkout pr782 From 776528aec528c2169214929e892a225bb088af5d Mon Sep 17 00:00:00 2001 From: Felipe Volpone Date: Thu, 11 May 2017 20:16:31 -0300 Subject: [PATCH] Improving GUI text in "Add DNS Zones" popup --- install/ui/src/freeipa/dns.js | 12 ++-- 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/install/ui/src/freeipa/dns.js b/install/ui/src/freeipa/dns.js index 1be8513..f2b110d 100644 --- a/install/ui/src/freeipa/dns.js +++ b/install/ui/src/freeipa/dns.js @@ -294,6 +294,11 @@ return { height: 300, sections: [ { +name: 'dnszone_title', +label: 'Select the required zone type.', +fields: [] +}, +{ name: 'name', layout: IPA.dnszone_name_section_layout, fields: [ @@ -307,6 +312,7 @@ return { $type: 'dnszone_name', name: 'name_from_ip', radio_name: 'dnszone_name_type', +required: false, validators: ['network'] } ] @@ -750,9 +756,6 @@ IPA.add_dns_zone_name_policy = function() { idnsname_w.input.prop('disabled', false); name_from_ip_w.input.prop('disabled', true); -idnsname_f.set_required(true); -name_from_ip_f.set_required(false); - name_from_ip_f.reset(); }); @@ -760,9 +763,6 @@ IPA.add_dns_zone_name_policy = function() { idnsname_w.input.prop('disabled', true); name_from_ip_w.input.prop('disabled', false); -idnsname_f.set_required(false); -name_from_ip_f.set_required(true); - idnsname_f.reset(); }); }; -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
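Review bot: The two hunks in `IPA.add_dns_zone_name_policy` (at -750 and -760) delete every `set_required()` call, and the hunk at -307 pins `name_from_ip` to `required: false`, so which field is mandatory no longer follows the selected radio button. A commit titled as a GUI text improvement should not change validation silently: either keep the toggling, or say in the commit message why it is safe to drop and confirm that the dialog still refuses to submit when the enabled field is empty.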
[Freeipa-devel] [freeipa PR#781][comment] [WIP] Warn in cert-request if CSR doesn't contain SAN
URL: https://github.com/freeipa/freeipa/pull/781 Title: #781: [WIP] Warn in cert-request if CSR doesn't contain SAN felipevolpone commented: """ Hi everyone, after a long long day, I did a great job deleting the branch from PR #773, then Github closed it. If someone knows how to reopen it, great. Otherwise, I create a new branch and this new PR. Sorry about that :( Notifying people that were following that thread: @stlaz @MartinBasti @frasertweedale @HonzaCholasta @pvoborni """ See the full comment at https://github.com/freeipa/freeipa/pull/781#issuecomment-300944178
[Freeipa-devel] [freeipa PR#781][opened] [WIP] Warn in cert-request if CSR doesn't contain SAN
URL: https://github.com/freeipa/freeipa/pull/781 Author: felipevolpone Title: #781: [WIP] Warn in cert-request if CSR doesn't contain SAN Action: opened PR body: """ The code is not "production-ready", however, I would like to know if I'm on the right path. AFAIK we should check if the SAN extension is provided and if it has DNSName info. Fix: https://pagure.io/freeipa/issue/6663 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/781/head:pr781 git checkout pr781 From 0bea2f6601915dc4f194953ebfe450bef5ae70b2 Mon Sep 17 00:00:00 2001 From: Felipe Volpone Date: Thu, 11 May 2017 20:21:57 -0300 Subject: [PATCH] warn in cert-request if CSR doesn't contain SAN --- ipaserver/plugins/cert.py | 11 +++ 1 file changed, 11 insertions(+) diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index 1a425de..09d3dba 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -771,6 +771,17 @@ def execute(self, csr, all=False, raw=False, chain=False, **kw): cn = cns[-1].value # "most specific" is end of list if principal_type in (SERVICE, HOST): + +has_dns_in_san_ext = False +if ext_san: +for gn in x509.process_othernames(ext_san.value): +if isinstance(gn, cryptography.x509.general_name.DNSName): +has_dns_in_san_ext = True + +if not ext_san or not has_dns_in_san_ext: +print('Warning: The SAN extension ' + 'should be provided. Please, check the RFC 2818.') + if not _dns_name_matches_principal(cn, principal, principal_obj): raise errors.ValidationError( name='csr', -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
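Review bot: The warning added under `if principal_type in (SERVICE, HOST):` is emitted with `print()`, which in a server-side plugin writes to the server process's output and does not reach the client that ran cert-request. Return it through the command's result or message mechanism (or at least the logger) instead. The loop can also stop at the first `DNSName`, and because `has_dns_in_san_ext` starts as False the condition `not ext_san or not has_dns_in_san_ext` reduces to `not has_dns_in_san_ext`; the text would be more useful if it said that a dNSName entry in the SAN is what is missing.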
[Freeipa-devel] [freeipa PR#773][closed] [WIP] Warn in cert-request if CSR doesn't contain SAN
URL: https://github.com/freeipa/freeipa/pull/773 Author: felipevolpone Title: #773: [WIP] Warn in cert-request if CSR doesn't contain SAN Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/773/head:pr773 git checkout pr773
[Freeipa-devel] [freeipa PR#773][synchronized] [WIP] Warn in cert-request if CSR doesn't contain SAN
URL: https://github.com/freeipa/freeipa/pull/773 Author: felipevolpone Title: #773: [WIP] Warn in cert-request if CSR doesn't contain SAN Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/773/head:pr773 git checkout pr773 From caddd601c9f03af5d1aff7732bca566f6391703f Mon Sep 17 00:00:00 2001 From: Felipe Volpone Date: Tue, 9 May 2017 17:06:55 -0300 Subject: [PATCH 1/2] warn in cert-request if CSR doesn't contain SAN --- ipaserver/plugins/cert.py | 12 1 file changed, 12 insertions(+) diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index 1a425de..aa960ab 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -771,6 +771,18 @@ def execute(self, csr, all=False, raw=False, chain=False, **kw): cn = cns[-1].value # "most specific" is end of list if principal_type in (SERVICE, HOST): + +has_dns_in_san_ext = False +if ext_san: +for gn in x509.process_othernames(ext_san.value): +if isinstance(gn, cryptography.x509.general_name.DNSName): +has_dns_in_san_ext = True + +if not ext_san or not has_dns_in_san_ext: +print('Warning: The SAN extension ' + 'should be provided. Please, check the RFC 2818.') + + if not _dns_name_matches_principal(cn, principal, principal_obj): raise errors.ValidationError( name='csr', From 9b60d7e904269743e0a4d19821139738db5e02e9 Mon Sep 17 00:00:00 2001 From: Felipe Volpone Date: Thu, 11 May 2017 19:53:56 -0300 Subject: [PATCH 2/2] Improving GUI text in "Add DNS Zone" popup. --- install/ui/src/freeipa/dns.js | 12 ++-- 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/install/ui/src/freeipa/dns.js b/install/ui/src/freeipa/dns.js index 1be8513..f2b110d 100644 --- a/install/ui/src/freeipa/dns.js +++ b/install/ui/src/freeipa/dns.js 
@@ -294,6 +294,11 @@ return { height: 300, sections: [ { +name: 'dnszone_title', +label: 'Select the required zone type.', +fields: [] +}, +{ name: 'name', layout: IPA.dnszone_name_section_layout, fields: [ @@ -307,6 +312,7 @@ return { $type: 'dnszone_name', name: 'name_from_ip', radio_name: 'dnszone_name_type', +required: false, validators: ['network'] } ] @@ -750,9 +756,6 @@ IPA.add_dns_zone_name_policy = function() { idnsname_w.input.prop('disabled', false); name_from_ip_w.input.prop('disabled', true); -idnsname_f.set_required(true); -name_from_ip_f.set_required(false); - name_from_ip_f.reset(); }); @@ -760,9 +763,6 @@ IPA.add_dns_zone_name_policy = function() { idnsname_w.input.prop('disabled', true); name_from_ip_w.input.prop('disabled', false); -idnsname_f.set_required(false); -name_from_ip_f.set_required(true); - idnsname_f.reset(); }); }; -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
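Review bot: In the hunk at -294, the new `dnszone_title` section carries its text as a hard-coded English literal (`label: 'Select the required zone type.'`) and has `fields: []`, so it exists only to render a caption. If the Web UI's other labels come from a translatable message catalogue, this one should too, and it is worth checking how a section with no fields renders. PATCH 2/2 is also unrelated to the cert-request warning in PATCH 1/2 and to the PR title; it is easier to review as a separate PR.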
[Freeipa-devel] [freeipa PR#777][closed] ipa-kra-install manpage: document domain-level 1
URL: https://github.com/freeipa/freeipa/pull/777 Author: flo-renaud Title: #777: ipa-kra-install manpage: document domain-level 1 Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/777/head:pr777 git checkout pr777
[Freeipa-devel] [freeipa PR#777][+pushed] ipa-kra-install manpage: document domain-level 1
URL: https://github.com/freeipa/freeipa/pull/777 Title: #777: ipa-kra-install manpage: document domain-level 1 Label: +pushed
[Freeipa-devel] [freeipa PR#777][comment] ipa-kra-install manpage: document domain-level 1
URL: https://github.com/freeipa/freeipa/pull/777 Title: #777: ipa-kra-install manpage: document domain-level 1 MartinBasti commented: """ master: * f3e1efdcf5db5da2c3c42d3d58be172943f20bce ipa-kra-install manpage: document domain-level 1 ipa-4-5: * 72d2e9e4c312576e1a62e210b4e5d9696bc70609 ipa-kra-install manpage: document domain-level 1 """ See the full comment at https://github.com/freeipa/freeipa/pull/777#issuecomment-300818344
[Freeipa-devel] [freeipa PR#779][closed] [master, 4.5] Bump version of ipa.conf file
URL: https://github.com/freeipa/freeipa/pull/779 Author: dkupka Title: #779: [master, 4.5] Bump version of ipa.conf file Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/779/head:pr779 git checkout pr779
[Freeipa-devel] [freeipa PR#779][comment] [master, 4.5] Bump version of ipa.conf file
URL: https://github.com/freeipa/freeipa/pull/779 Title: #779: [master, 4.5] Bump version of ipa.conf file MartinBasti commented: """ master: * 9d32e61ba548e7e940f165c0ec8df0b4bfd210bd Bump version of ipa.conf file ipa-4-5: * 76e5ac59579f36f28bb247bf3173e95e57ee4af4 Bump version of ipa.conf file """ See the full comment at https://github.com/freeipa/freeipa/pull/779#issuecomment-300816972
[Freeipa-devel] [freeipa PR#779][+pushed] [master, 4.5] Bump version of ipa.conf file
URL: https://github.com/freeipa/freeipa/pull/779 Title: #779: [master, 4.5] Bump version of ipa.conf file Label: +pushed
[Freeipa-devel] [freeipa PR#765][+pushed] [4.5 backport] spec file: bump python-netaddr Requires
URL: https://github.com/freeipa/freeipa/pull/765 Title: #765: [4.5 backport] spec file: bump python-netaddr Requires Label: +pushed
[Freeipa-devel] [freeipa PR#765][comment] [4.5 backport] spec file: bump python-netaddr Requires
URL: https://github.com/freeipa/freeipa/pull/765 Title: #765: [4.5 backport] spec file: bump python-netaddr Requires MartinBasti commented: """ ipa-4-5: * ecccd6cb843c44093449cc45a7d94bb14fa65513 spec file: bump python-netaddr Requires """ See the full comment at https://github.com/freeipa/freeipa/pull/765#issuecomment-300815982
[Freeipa-devel] [freeipa PR#765][closed] [4.5 backport] spec file: bump python-netaddr Requires
URL: https://github.com/freeipa/freeipa/pull/765 Author: MartinBasti Title: #765: [4.5 backport] spec file: bump python-netaddr Requires Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/765/head:pr765 git checkout pr765
[Freeipa-devel] [freeipa PR#777][+ack] ipa-kra-install manpage: document domain-level 1
URL: https://github.com/freeipa/freeipa/pull/777 Title: #777: ipa-kra-install manpage: document domain-level 1 Label: +ack
[Freeipa-devel] [freeipa PR#779][+ack] [master, 4.5] Bump version of ipa.conf file
URL: https://github.com/freeipa/freeipa/pull/779 Title: #779: [master, 4.5] Bump version of ipa.conf file Label: +ack
[Freeipa-devel] [freeipa PR#757][synchronized] ca, kra install: validate DM password
URL: https://github.com/freeipa/freeipa/pull/757 Author: tomaskrizek Title: #757: ca, kra install: validate DM password Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/757/head:pr757 git checkout pr757 From 2cce2304491ce575b6803ca4dd7d8f6630c57a35 Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Wed, 3 May 2017 10:05:25 +0200 Subject: [PATCH 1/3] ca install: merge duplicated code for DM password Extract copy-pasted code to a single function. Related https://pagure.io/freeipa/issue/6892 Signed-off-by: Tomas Krizek --- install/tools/ipa-ca-install | 40 +--- 1 file changed, 17 insertions(+), 23 deletions(-) diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index 60261aa..da6e5c3 100755 --- a/install/tools/ipa-ca-install +++ b/install/tools/ipa-ca-install @@ -116,9 +116,19 @@ def parse_options(): return safe_options, options, filename -def get_dirman_password(): -return installutils.read_password( -"Directory Manager (existing master)", confirm=False, validate=False) +def _get_dirman_password(password=None, unattended=False): +if not password: +if unattended: +sys.exit('Directory Manager password required') +try: +password = installutils.read_password( +"Directory Manager (existing master)", confirm=False, +validate=False) +except KeyboardInterrupt: +sys.exit(0) +if password is None: +sys.exit("Directory Manager password required") +return password def install_replica(safe_options, options, filename): 
@@ -142,16 +152,8 @@ def install_replica(safe_options, options, filename): check_creds(options, api.env.realm) # get the directory manager password -dirman_password = options.password -if not dirman_password: -if options.unattended: -sys.exit('Directory Manager password required') -try: -dirman_password = get_dirman_password() -except KeyboardInterrupt: -sys.exit(0) -if dirman_password is None: -sys.exit("Directory Manager password required") +dirman_password = _get_dirman_password( +options.password, options.unattended) if (not options.promote and not options.admin_password and not options.skip_conncheck and options.unattended): @@ -199,16 +201,8 @@ def install_replica(safe_options, options, filename): def install_master(safe_options, options): -dm_password = options.password -if not dm_password: -if options.unattended: -sys.exit('Directory Manager password required') -try: -dm_password = get_dirman_password() -except KeyboardInterrupt: -sys.exit(0) -if dm_password is None: -sys.exit("Directory Manager password required") +dm_password = _get_dirman_password( +options.password, options.unattended) options.realm_name = api.env.realm options.domain_name = api.env.domain From e3e8f051220970f10a34c8297b1a381d1721b663 Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Wed, 3 May 2017 10:01:09 +0200 Subject: [PATCH 2/3] installutils: add DM password validator Add a validator that checks whether provided Directory Manager is valid by attempting to connect to LDAP. Related https://pagure.io/freeipa/issue/6892 Signed-off-by: Tomas Krizek --- ipaserver/install/installutils.py | 16 1 file changed, 16 insertions(+) diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index 9230e70..b6f0148 100644 --- a/ipaserver/install/installutils.py +++ b/ipaserver/install/installutils.py 
@@ -50,6 +50,7 @@ from ipapython import ipautil, admintool, version from ipapython.admintool import ScriptError from ipapython.ipa_log_manager import root_logger +from ipapython.ipaldap import DIRMAN_DN, LDAPClient from ipalib.util import validate_hostname from ipalib import api, errors, x509 from ipapython.dn import DN @@ -329,6 +330,21 @@ def _read_password_default_validator(password): if len(password) < 8: raise ValueError("Password must be at least 8 characters long") + +def validate_dm_password_ldap(password): +""" +Validate DM password by attempting to connect to LDAP. api.env has to +contain valid ldap_uri. +""" +client = LDAPClient(api.env.ldap_uri, cacert=paths.IPA_CA_CRT) +try: +client.simple_bind(DIRMAN_DN, password) +except errors.ACIError: +raise ValueError("Invalid Directory Manager password") +else: +client.unbind() + + def read_password(user, confirm=True, validate=True, retry=True, validator=_read_password_default_validator): correct = False pwd = None From fa43013e77cb81519468ebc592017213efa11cc8 Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date
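Review bot: In `_get_dirman_password()` (PATCH 1/3, hunk at -116) the `except KeyboardInterrupt: sys.exit(0)` branch reports success to the caller even though no password was obtained and the install did not proceed; now that this logic lives in one place, make it exit non-zero so a wrapping script can tell an aborted run from a completed one. The helper also still passes `validate=False` to `read_password()`, which is fine for a pure refactor, but the commit message could say that the validator is wired in by a later patch in the series.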
[Freeipa-devel] [freeipa PR#757][synchronized] ca, kra install: validate DM password
URL: https://github.com/freeipa/freeipa/pull/757 Author: tomaskrizek Title: #757: ca, kra install: validate DM password Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/757/head:pr757 git checkout pr757 From 2cce2304491ce575b6803ca4dd7d8f6630c57a35 Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Wed, 3 May 2017 10:05:25 +0200 Subject: [PATCH 1/3] ca install: merge duplicated code for DM password Extract copy-pasted code to a single function. Related https://pagure.io/freeipa/issue/6892 Signed-off-by: Tomas Krizek --- install/tools/ipa-ca-install | 40 +--- 1 file changed, 17 insertions(+), 23 deletions(-) diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index 60261aa..da6e5c3 100755 --- a/install/tools/ipa-ca-install +++ b/install/tools/ipa-ca-install @@ -116,9 +116,19 @@ def parse_options(): return safe_options, options, filename -def get_dirman_password(): -return installutils.read_password( -"Directory Manager (existing master)", confirm=False, validate=False) +def _get_dirman_password(password=None, unattended=False): +if not password: +if unattended: +sys.exit('Directory Manager password required') +try: +password = installutils.read_password( +"Directory Manager (existing master)", confirm=False, +validate=False) +except KeyboardInterrupt: +sys.exit(0) +if password is None: +sys.exit("Directory Manager password required") +return password def install_replica(safe_options, options, filename): 
@@ -142,16 +152,8 @@ def install_replica(safe_options, options, filename): check_creds(options, api.env.realm) # get the directory manager password -dirman_password = options.password -if not dirman_password: -if options.unattended: -sys.exit('Directory Manager password required') -try: -dirman_password = get_dirman_password() -except KeyboardInterrupt: -sys.exit(0) -if dirman_password is None: -sys.exit("Directory Manager password required") +dirman_password = _get_dirman_password( +options.password, options.unattended) if (not options.promote and not options.admin_password and not options.skip_conncheck and options.unattended): @@ -199,16 +201,8 @@ def install_replica(safe_options, options, filename): def install_master(safe_options, options): -dm_password = options.password -if not dm_password: -if options.unattended: -sys.exit('Directory Manager password required') -try: -dm_password = get_dirman_password() -except KeyboardInterrupt: -sys.exit(0) -if dm_password is None: -sys.exit("Directory Manager password required") +dm_password = _get_dirman_password( +options.password, options.unattended) options.realm_name = api.env.realm options.domain_name = api.env.domain From e3e8f051220970f10a34c8297b1a381d1721b663 Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Wed, 3 May 2017 10:01:09 +0200 Subject: [PATCH 2/3] installutils: add DM password validator Add a validator that checks whether provided Directory Manager is valid by attempting to connect to LDAP. Related https://pagure.io/freeipa/issue/6892 Signed-off-by: Tomas Krizek --- ipaserver/install/installutils.py | 16 1 file changed, 16 insertions(+) diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index 9230e70..b6f0148 100644 --- a/ipaserver/install/installutils.py +++ b/ipaserver/install/installutils.py 
@@ -50,6 +50,7 @@ from ipapython import ipautil, admintool, version from ipapython.admintool import ScriptError from ipapython.ipa_log_manager import root_logger +from ipapython.ipaldap import DIRMAN_DN, LDAPClient from ipalib.util import validate_hostname from ipalib import api, errors, x509 from ipapython.dn import DN @@ -329,6 +330,21 @@ def _read_password_default_validator(password): if len(password) < 8: raise ValueError("Password must be at least 8 characters long") + +def validate_dm_password_ldap(password): +""" +Validate DM password by attempting to connect to LDAP. api.env has to +contain valid ldap_uri. +""" +client = LDAPClient(api.env.ldap_uri, cacert=paths.IPA_CA_CRT) +try: +client.simple_bind(DIRMAN_DN, password) +except errors.ACIError: +raise ValueError("Invalid Directory Manager password") +else: +client.unbind() + + def read_password(user, confirm=True, validate=True, retry=True, validator=_read_password_default_validator): correct = False pwd = None From 6eef1901b9b04a889638c8f839e4f1132a310e98 Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date
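Review bot: `validate_dm_password_ldap()` (PATCH 2/3, hunk at -329) catches only `errors.ACIError` and calls `client.unbind()` only in the `else:` branch. An unreachable server or a TLS failure against `paths.IPA_CA_CRT` will propagate as some other exception rather than the `ValueError` that `_read_password_default_validator` raises, and after a failed bind the client is never unbound. Use `try`/`finally` for the cleanup and decide explicitly how connection errors are reported, so they are not confused with a wrong password. The hunk at -50 imports `DIRMAN_DN` and `LDAPClient` but not `paths`; confirm it is already imported in installutils.py.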
[Freeipa-devel] [freeipa PR#757][comment] ca, kra install: validate DM password
URL: https://github.com/freeipa/freeipa/pull/757
Title: #757: ca, kra install: validate DM password
MartinBasti commented:
"""
We have to use `sys.exit()` in this case, because I forgot that CA still uses old style installer. Without `sys.exit()` it will always suggest user to uninstall server:
```
Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up.
```
We don't want to uninstall server due to a typo in password
"""
See the full comment at https://github.com/freeipa/freeipa/pull/757#issuecomment-300811680
[Freeipa-devel] [freeipa PR#779][synchronized] [master, 4.5] Bump version of ipa.conf file
URL: https://github.com/freeipa/freeipa/pull/779 Author: dkupka Title: #779: [master, 4.5] Bump version of ipa.conf file Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/779/head:pr779 git checkout pr779 From 75891c5a98e7acecf7cb85a6d87c4f4cf788ab22 Mon Sep 17 00:00:00 2001 From: David Kupka Date: Thu, 11 May 2017 10:17:33 +0200 Subject: [PATCH] Bump version of ipa.conf file In commit 157831a287c64106eed4 the version bump was forgotten and therefore the ipa.conf file is not replaced during upgrade and login using certificate when single certificate is mapped to multiple users doesn't work. https://pagure.io/freeipa/issue/6860 --- install/conf/ipa.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf index 75c122e..a7ca5ce 100644 --- a/install/conf/ipa.conf +++ b/install/conf/ipa.conf @@ -1,5 +1,5 @@ # -# VERSION 25 - DO NOT REMOVE THIS LINE +# VERSION 26 - DO NOT REMOVE THIS LINE # # This file may be overwritten on upgrades. # -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#736][comment] Fixing the cert-request command comparing whole email address case-sensitively.
URL: https://github.com/freeipa/freeipa/pull/736 Title: #736: Fixing the cert-request command comparing whole email address case-sensitively. felipevolpone commented: """ Done! Thank you Fraser :)) :+1: """ See the full comment at https://github.com/freeipa/freeipa/pull/736#issuecomment-300789100
[Freeipa-devel] [freeipa PR#761][comment] Fixing adding authenticator indicators to host
URL: https://github.com/freeipa/freeipa/pull/761 Title: #761: Fixing adding authenticator indicators to host felipevolpone commented: """ Cool :)) thanks! """ See the full comment at https://github.com/freeipa/freeipa/pull/761#issuecomment-300788709
[Freeipa-devel] [freeipa PR#761][synchronized] Fixing adding authenticator indicators to host
URL: https://github.com/freeipa/freeipa/pull/761 Author: felipevolpone Title: #761: Fixing adding authenticator indicators to host Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/761/head:pr761 git checkout pr761 From 9a8dacc8df9fd877df971fa79396796b1b9ae30f Mon Sep 17 00:00:00 2001 From: Felipe Volpone Date: Thu, 11 May 2017 10:26:03 -0300 Subject: [PATCH] Fixing adding authenticator indicators to host The check for krbprincipalaux in the entries is now made case-insensitively. https://pagure.io/freeipa/issue/6911 --- ipaserver/plugins/host.py | 13 - 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py index dcadd54..1e1f9d8 100644 --- a/ipaserver/plugins/host.py +++ b/ipaserver/plugins/host.py @@ -884,7 +884,8 @@ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): msg = 'Principal name already set, it is unchangeable.' raise errors.ACIError(info=msg) obj_classes = entry_attrs_old['objectclass'] -if 'krbprincipalaux' not in obj_classes: +if 'krbprincipalaux' not in (item.lower() for item in + obj_classes): obj_classes.append('krbprincipalaux') entry_attrs['objectclass'] = obj_classes @@ -920,7 +921,7 @@ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): else: _entry_attrs = ldap.get_entry(dn, ['objectclass']) obj_classes = _entry_attrs['objectclass'] -if 'ieee802device' not in obj_classes: +if 'ieee802device' not in (item.lower() for item in obj_classes): obj_classes.append('ieee802device') entry_attrs['objectclass'] = obj_classes 
@@ -940,7 +941,7 @@ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): else: _entry_attrs = ldap.get_entry(dn, ['objectclass']) obj_classes = entry_attrs['objectclass'] = _entry_attrs['objectclass'] -if 'ipasshhost' not in obj_classes: +if 'ipasshhost' not in (item.lower() for item in obj_classes): obj_classes.append('ipasshhost') update_krbticketflags(ldap, entry_attrs, attrs_list, options, True) @@ -949,14 +950,16 @@ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): if 'objectclass' not in entry_attrs: entry_attrs_old = ldap.get_entry(dn, ['objectclass']) entry_attrs['objectclass'] = entry_attrs_old['objectclass'] -if 'krbticketpolicyaux' not in entry_attrs['objectclass']: +if 'krbticketpolicyaux' not in (item.lower() for item in +entry_attrs['objectclass']): entry_attrs['objectclass'].append('krbticketpolicyaux') if 'krbprincipalauthind' in entry_attrs: if 'objectclass' not in entry_attrs: entry_attrs_old = ldap.get_entry(dn, ['objectclass']) entry_attrs['objectclass'] = entry_attrs_old['objectclass'] -if 'krbprincipalaux' not in entry_attrs['objectclass']: +if 'krbprincipalaux' not in (item.lower() for item in + entry_attrs['objectclass']): entry_attrs['objectclass'].append('krbprincipalaux') add_sshpubkey_to_attrs_pre(self.context, attrs_list) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
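Review bot: The same test, `name not in (item.lower() for item in obj_classes)`, is now spelled out five times across the `pre_callback` hunks. Put it in one small helper that takes the objectclass list and a name and returns whether the name is present case-insensitively, and call it from each site, so the next objectclass check added here cannot reintroduce the case-sensitive comparison. The commit message mentions only `krbprincipalaux`, while the patch also changes the checks for `ieee802device`, `ipasshhost` and `krbticketpolicyaux`; list them.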
[Freeipa-devel] [freeipa PR#736][synchronized] Fixing the cert-request command comparing whole email address case-sensitively.
URL: https://github.com/freeipa/freeipa/pull/736 Author: felipevolpone Title: #736: Fixing the cert-request command comparing whole email address case-sensitively. Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/736/head:pr736 git checkout pr736 From 6eb1169e3eab36678a2640718a7204a72247be91 Mon Sep 17 00:00:00 2001 From: Felipe Volpone Date: Thu, 11 May 2017 10:20:02 -0300 Subject: [PATCH] Fixing the cert-request comparing whole email address case-sensitively. Now, the cert-request command compares the domain part of the email case-insensitively. https://pagure.io/freeipa/issue/5919 --- ipaserver/plugins/cert.py| 27 --- ipatests/test_xmlrpc/test_cert_plugin.py | 23 +++ 2 files changed, 47 insertions(+), 3 deletions(-) diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index 1a425de..fbda6ca 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -798,7 +798,9 @@ def execute(self, csr, all=False, raw=False, chain=False, **kw): # fail if any email addr from DN does not appear in ldap entry email_addrs = csr_obj.subject.get_attributes_for_oid( cryptography.x509.oid.NameOID.EMAIL_ADDRESS) -if len(set(email_addrs) - set(principal_obj.get('mail', []))) > 0: +csr_emails = [attr.value for attr in email_addrs] +if not _emails_are_valid(csr_emails, + principal_obj.get('mail', [])): raise errors.ValidationError( name='csr', error=_( @@ -884,8 +886,8 @@ def execute(self, csr, all=False, raw=False, chain=False, **kw): "match requested principal") % gn.name) elif isinstance(gn, cryptography.x509.general_name.RFC822Name): if principal_type == USER: -if principal_obj and gn.value not in principal_obj.get( -'mail', []): +if not _emails_are_valid([gn.value], + principal_obj.get('mail', [])): raise errors.ValidationError( name='csr', error=_( 
@@ -953,6 +955,25 @@ def execute(self, csr, all=False, raw=False, chain=False, **kw): ) +def _emails_are_valid(csr_emails, principal_emails): +""" +Checks if any email address from certificate request does not +appear in ldap entry, comparing the domain part case-insensitively. +""" + +def lower_domain(email): +email_splitted = email.split('@', 1) +if len(email_splitted) > 1: +email_splitted[1] = email_splitted[1].lower() + +return '@'.join(email_splitted) + +principal_emails_lower = set(map(lower_domain, principal_emails)) +csr_emails_lower = set(map(lower_domain, csr_emails)) + +return csr_emails_lower.issubset(principal_emails_lower) + + def principal_to_principal_type(principal): if principal.is_user: return USER diff --git a/ipatests/test_xmlrpc/test_cert_plugin.py b/ipatests/test_xmlrpc/test_cert_plugin.py index 51c20b6..0de5b75 100644 --- a/ipatests/test_xmlrpc/test_cert_plugin.py +++ b/ipatests/test_xmlrpc/test_cert_plugin.py 
@@ -251,6 +251,29 @@ def test_00010_cleanup(self): res = api.Command['service_find'](self.service_princ) assert res['count'] == 0 +def test_00011_emails_are_valid(self): +""" +Verify the different scenarios when checking if any email addr +from DN or SAN extension does not appear in ldap entry. +""" + +from ipaserver.plugins.cert import _emails_are_valid +email_addrs = [u'a...@email.com'] +result = _emails_are_valid(email_addrs, [u'a...@email.com']) +assert True == result, result + +email_addrs = [u'a...@email.com'] +result = _emails_are_valid(email_addrs, [u'a...@email.com', + u'anot...@email.com']) +assert True == result, result + +result = _emails_are_valid([], [u'a...@email.com']) +assert True == result, result + +email_addrs = [u'invalidEmailAddress'] +result = _emails_are_valid(email_addrs, []) +assert False == result, result + @pytest.mark.tier1 class test_cert_find(XMLRPC_test):
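Review bot: in the RFC822Name branch of ipaserver/plugins/cert.py (hunk at -884), the replacement drops the `principal_obj and` guard that the removed condition had, so `principal_obj.get('mail', [])` is now called unconditionally. If principal_obj can be None at this point, the request fails with AttributeError where the old code skipped the check. Either keep the guard (`if principal_obj and not _emails_are_valid(...)`) or say in the commit message why principal_obj is always set for a user principal here.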
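Review bot: in _emails_are_valid (hunk at -953), lower_domain uses `email.split('@', 1)`, which cuts at the first '@'. For an address whose quoted local part contains '@', part of the local part ends up lowercased, so two addresses that differ only in local-part case can compare equal. Because this comparison decides whether a certificate request is accepted, use `email.rsplit('@', 1)` so that only the text after the last '@' is folded. The docstring also describes the opposite of the return value: the function returns True when every CSR address is present among the principal's addresses.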
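Review bot: test_00011_emails_are_valid in ipatests/test_xmlrpc/test_cert_plugin.py never exercises the behaviour the patch is for. Every address visible in the hunk uses the lowercase domain email.com, so as far as the elided addresses show, the test would also pass against an exact-match comparison. Add a case where the CSR and LDAP addresses differ only in domain case (expect True) and one where they differ only in local-part case (expect False). `assert True == result, result` reads better as `assert result is True`.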
Re: [Freeipa-devel] Moving our wiki back to password login
On 05/09/2017 04:29 PM, Martin Kosek wrote:
> Hello all,
>
> As some of you noticed, FreeIPA wiki authentication via OpenID was
> broken in the last days. I suspect (but did get reply from Patrick who
> running the Fedora infra yet) that it was caused by Fedora moving to
> more modern authentication protocol, i.e. from OpenID to OpenID Connect
> (OIDC):
> https://fedoraproject.org/wiki/Infrastructure/Authentication
>
> Unfortunately, I cannot make the OIDC login for our current FreeIPA
> instance available, given that our wiki runs on OpenShift v2 which uses
> PHP 5.3.3 cartridge, which can get us only as far as to Mediawiki 1.26.
> OIDC mediawiki authentication plugin is supported from 1.27 forward.
>
> So the wiki needs to be either:
> - migrated to newer PHP cartridge on current Red Hat OpenShift v2 instance
> - migrated to OpenShift v3 (preferred)
> to unblock us from this situation and get to proper OIDC authentication.
>
> However, this will need more time and preparation (which I do not even
> have right now). For now, I simply disabled OpenID authentication in our
> wiki and enabled password logins again! Anonymous account creation is
> disabled to avoid spammers. However, given that we now enforce people to
> be in a special group (editors) to fight the spammers, there is actually
> no big functionality lost in this, except having to use yet another
> password.
>
> To summarize, if you want to access the wiki again, please use the
> password you may have had before we migrated to Fedora OpenID. If you do
> not have the password yet, you should be able to simply reset it before
> logging in and you should get an email (the mail part did not work for
> martbab this afternoon, though). In the worst case, I can reset the
> password for you, just shoot me an email.

After finally reaching Patrick, I found out that Fedora still supports plain OpenID and it was likely just some interim error. I thus reverted the patch for simple password login and re-enabled OpenID logins again. Still, current situation with FreeIPA.org mediawiki version stays, we will be unable to upgrade the wiki or most of its plugins until we move to a newer OpenShift instance.

Martin
[Freeipa-devel] [freeipa PR#758][synchronized] install: fix CA-less PKINIT
URL: https://github.com/freeipa/freeipa/pull/758 Author: HonzaCholasta Title: #758: install: fix CA-less PKINIT Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/758/head:pr758 git checkout pr758 From fb20f2009298f8e6e79b66b028c28b7e35e5ee03 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Thu, 27 Apr 2017 09:33:25 +0200 Subject: [PATCH 01/13] certdb: add named trust flag constants Add named constants for common trust flag combinations. Use the named constants instead of trust flags strings in the code. https://pagure.io/freeipa/issue/6831 --- install/restart_scripts/restart_httpd | 3 ++- install/tools/ipa-replica-conncheck| 4 +++- ipaclient/install/client.py| 9 ++--- ipapython/certdb.py| 9 +++-- ipaserver/install/ca.py| 2 +- ipaserver/install/certs.py | 5 +++-- ipaserver/install/dsinstance.py| 5 +++-- ipaserver/install/httpinstance.py | 5 +++-- ipaserver/install/ipa_cacert_manage.py | 16 +++- ipaserver/install/plugins/upload_cacrt.py | 2 +- ipaserver/install/server/replicainstall.py | 3 ++- ipaserver/install/server/upgrade.py| 4 ++-- 12 files changed, 44 insertions(+), 23 deletions(-) diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd index b661b82..cd7f120 100644 --- a/install/restart_scripts/restart_httpd +++ b/install/restart_scripts/restart_httpd @@ -24,6 +24,7 @@ import traceback from ipalib import api from ipaplatform import services from ipaplatform.paths import paths +from ipapython.certdb import TRUSTED_PEER_TRUST_FLAGS from ipaserver.install import certs, installutils @@ -36,7 +37,7 @@ def _main(): nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname") # Add trust flag which set certificate trusted for SSL connections. -db.trust_root_cert(nickname, "P,,") +db.trust_root_cert(nickname, TRUSTED_PEER_TRUST_FLAGS) syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd') 
diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck index fdbd4f3..5282422 100755 --- a/install/tools/ipa-replica-conncheck +++ b/install/tools/ipa-replica-conncheck @@ -549,7 +549,9 @@ def main(): data = ca_cert.public_bytes( serialization.Encoding.DER) nss_db.add_cert( -data, str(DN(ca_cert.subject)), 'C,,') +data, +str(DN(ca_cert.subject)), +certdb.EXTERNAL_CA_TRUST_FLAGS) api.bootstrap(context='client', confdir=paths.ETC_IPA, diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py index abca692..e78be90 100644 --- a/ipaclient/install/client.py +++ b/ipaclient/install/client.py @@ -2318,8 +2318,9 @@ def update_ipa_nssdb(): if not os.path.exists(os.path.join(ipa_db.secdir, 'cert8.db')): create_ipa_nssdb() -for nickname, trust_flags in (('IPA CA', 'CT,C,C'), - ('External CA cert', 'C,,')): +for nickname, trust_flags in ( +('IPA CA', certdb.IPA_CA_TRUST_FLAGS), +('External CA cert', certdb.EXTERNAL_CA_TRUST_FLAGS)): try: cert = sys_db.get_cert(nickname) except RuntimeError: @@ -2680,7 +2681,9 @@ def _install(options): tmp_db.create_db() for i, cert in enumerate(ca_certs): -tmp_db.add_cert(cert, 'CA certificate %d' % (i + 1), 'C,,') +tmp_db.add_cert(cert, +'CA certificate %d' % (i + 1), +certdb.EXTERNAL_CA_TRUST_FLAGS) except CalledProcessError: raise ScriptError( "Failed to add CA to temporary NSS database.", diff --git a/ipapython/certdb.py b/ipapython/certdb.py index 4d7f6e7..38f3bf0 100644 --- a/ipapython/certdb.py +++ b/ipapython/certdb.py @@ -52,6 +52,11 @@ NSS_FILES = ("cert8.db", "key3.db", "secmod.db", "pwdfile.txt") +EMPTY_TRUST_FLAGS = ',,' +IPA_CA_TRUST_FLAGS = 'CT,C,C' +EXTERNAL_CA_TRUST_FLAGS = 'C,,' +TRUSTED_PEER_TRUST_FLAGS = 'P,,' + def get_ca_nickname(realm, format=CA_NICKNAME_FMT): return format % realm 
@@ -436,7 +441,7 @@ def import_files(self, files, import_keys=False, key_password=None, cert = x509.load_certificate(cert_pem) nickname = str(DN(cert.subject)) data = cert.public_bytes(serialization.Encoding.DER) -self.add_cert(data, nickname, ',,') +self.add_cert(data, nickname, EMPTY_TRUST_FLAGS) if extracted_key: in_file = ipautil.write_tmp_file( @@ -468,7 +473,7 @@
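Review bot: the four constants added to ipapython/certdb.py (hunk at -52) carry no comment on what the flag strings mean, which is exactly the knowledge the names are meant to replace. Add a short comment giving the three comma-separated fields (SSL, email, object signing) and the letters used here (C: trusted CA for server certificates, T: trusted CA for client certificates, P: trusted peer), so a reader can see why IPA_CA_TRUST_FLAGS is 'CT,C,C' while EXTERNAL_CA_TRUST_FLAGS is 'C,,' without looking up certutil.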
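Review bot: install/tools/ipa-replica-conncheck and ipaclient/install/client.py now reference `certdb.EXTERNAL_CA_TRUST_FLAGS` and `certdb.IPA_CA_TRUST_FLAGS`, but neither file's hunks add an import, and the diffstat counts for the two files (4 and 9 changed lines) are fully accounted for by the hunks shown. Please confirm both files already import certdb from ipapython; otherwise these code paths fail with NameError at run time. install/restart_scripts/restart_httpd imports the constant by name instead, so it would be worth picking one style for the series.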
[Freeipa-devel] [freeipa PR#758][comment] install: fix CA-less PKINIT
URL: https://github.com/freeipa/freeipa/pull/758
Title: #758: install: fix CA-less PKINIT

HonzaCholasta commented:
"""
@stlaz, FTFY. Also fixed wrong permissions on the CA-less KDC key file (props to @dkupka). The "preauthentication failed" with `--no-pkinit` is expected indeed.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/758#issuecomment-300767441
[Freeipa-devel] [freeipa PR#745][comment] tests: add missing dependency iptables
URL: https://github.com/freeipa/freeipa/pull/745
Title: #745: tests: add missing dependency iptables

MartinBasti commented:
"""
AFAIK nobody complains about this issue except me, and I'm fine with master only
"""

See the full comment at https://github.com/freeipa/freeipa/pull/745#issuecomment-300766961
[Freeipa-devel] [freeipa PR#779][comment] [master, 4.5] Bump version of ipa.conf file
URL: https://github.com/freeipa/freeipa/pull/779
Title: #779: [master, 4.5] Bump version of ipa.conf file

MartinBasti commented:
"""
Please use ticket https://pagure.io/freeipa/issue/6860 in commit message
"""

See the full comment at https://github.com/freeipa/freeipa/pull/779#issuecomment-300763946
[Freeipa-devel] [freeipa PR#780][opened] server-del: update defaultServerList in cn=default, ou=profile, $BASE
URL: https://github.com/freeipa/freeipa/pull/780 Author: flo-renaud Title: #780: server-del: update defaultServerList in cn=default,ou=profile,$BASE Action: opened PR body: """ ipa server-del should remove the server from the entry cn=default,ou=profile,$BASE The entry contains an attribute defaultServerList: srv1.domain.com srv2.domain.com srv3.domain.com The code calls srvlist = ret.single_value.get('defaultServerList') which means that srvlist contains a single value (string) containing all the servers separated by a space, and not a list of attribute values. Because of that, srvlist[0] corresponds to the first character of the value. The fix splits srvlist and not srvlist[0]. https://pagure.io/freeipa/issue/6943 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/780/head:pr780 git checkout pr780 From 44658742b50f39c9d20475ed0d2344b08c508f8c Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Thu, 11 May 2017 11:41:23 +0200 Subject: [PATCH] server-del: update defaultServerList in cn=default,ou=profile,$BASE ipa server-del should remove the server from the entry cn=default,ou=profile,$BASE The entry contains an attribute defaultServerList: srv1.domain.com srv2.domain.com srv3.domain.com The code calls srvlist = ret.single_value.get('defaultServerList') which means that srvlist contains a single value (string) containing all the servers separated by a space, and not a list of attribute values. Because of that, srvlist[0] corresponds to the first character of the value. The fix splits srvlist and not srvlist[0]. https://pagure.io/freeipa/issue/6943 --- ipaserver/plugins/server.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ipaserver/plugins/server.py b/ipaserver/plugins/server.py index b1ee472..04a5ff5 100644 --- a/ipaserver/plugins/server.py +++ b/ipaserver/plugins/server.py 
@@ -608,12 +608,12 @@ def _remove_server_principal_references(self, master): dn = DN(('cn', 'default'), ('ou', 'profile'), env.basedn) ret = conn.get_entry(dn) srvlist = ret.single_value.get('defaultServerList', '') -srvlist = srvlist[0].split() +srvlist = srvlist.split() if master in srvlist: srvlist.remove(master) attr = ' '.join(srvlist) -mod = [(ldap.MOD_REPLACE, 'defaultServerList', attr)] -conn.conn.modify_s(str(dn), mod) +ret['defaultServerList'] = attr +conn.update_entry(ret) except (errors.NotFound, ldap.NO_SUCH_ATTRIBUTE, ldap.TYPE_OR_VALUE_EXISTS): pass
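Review bot: in _remove_server_principal_references (ipaserver/plugins/server.py), when master is the only entry in defaultServerList, srvlist is empty after remove() and `ret['defaultServerList'] = attr` assigns an empty string; decide whether the attribute should be deleted in that case rather than set to ''. The except clause still lists ldap.NO_SUCH_ATTRIBUTE and ldap.TYPE_OR_VALUE_EXISTS, which belonged to the raw `conn.conn.modify_s` call this hunk removes; check which exceptions `conn.update_entry` can raise here and adjust the tuple so that a real failure is not silently passed. A test that runs server-del with several servers in defaultServerList would cover the regression the commit message describes.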
[Freeipa-devel] [freeipa PR#779][opened] [master, 4.5] Bump version of ipa.conf file
URL: https://github.com/freeipa/freeipa/pull/779 Author: dkupka Title: #779: [master, 4.5] Bump version of ipa.conf file Action: opened PR body: """ In commit 157831a287c64106eed4 the version bump was forgotten and therefore the ipa.conf file is not replaced during upgrade and login using certificate when single certificate is mapped to multiple users doesn't work. https://pagure.io/freeipa/issue/6944 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/779/head:pr779 git checkout pr779 From ecc9e047484e8448b1c769903c9fdb4cdb91934e Mon Sep 17 00:00:00 2001 From: David Kupka Date: Thu, 11 May 2017 10:17:33 +0200 Subject: [PATCH] Bump version of ipa.conf file In commit 157831a287c64106eed4 the version bump was forgotten and therefore the ipa.conf file is not replaced during upgrade and login using certificate when single certificate is mapped to multiple users doesn't work. https://pagure.io/freeipa/issue/6944 --- install/conf/ipa.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf index 75c122e..a7ca5ce 100644 --- a/install/conf/ipa.conf +++ b/install/conf/ipa.conf @@ -1,5 +1,5 @@ # -# VERSION 25 - DO NOT REMOVE THIS LINE +# VERSION 26 - DO NOT REMOVE THIS LINE # # This file may be overwritten on upgrades. #