subject:"\[Freeipa\-devel\] \[PATCH\] 0015\-16 Allow multiple krbprincipalnames \+ test"

Re: [Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test

2014-09-24 Thread Martin Kosek

On 09/22/2014 05:02 PM, Alexander Bokovoy wrote:
 On Mon, 22 Sep 2014, Simo Sorce wrote:
 On Mon, 22 Sep 2014 15:36:01 +0200
 David Kupka dku...@redhat.com wrote:

 On 09/18/2014 09:42 PM, Martin Kosek wrote:
  On 09/18/2014 09:11 PM, Simo Sorce wrote:
  On Thu, 18 Sep 2014 14:57:45 -0400
  Rob Crittenden rcrit...@redhat.com wrote:
 
  Martin Kosek wrote:
  On 09/18/2014 04:06 PM, David Kupka wrote:
  On 09/18/2014 03:44 PM, Rob Crittenden wrote:
  David Kupka wrote:
  https://fedorahosted.org/freeipa/ticket/4421
 
  You are removing an ACI in this patch. It is always possible it
  is no longer needed. Did you test all the client enrollment
  scenarios?
 
  rob
 
 
  As far as I'm aware I'm not removing any ACI. I'm modifying ACI
  so it is possible to add krbPrincipalName to host even when
  there is already one (or more). And adding one ACI to allow
  writing krbCanonicalName to host. But I'm still not really
  familiar with ACI so please correct me if I'm wrong.
 
 
  What refers to is probably the update in ACI.txt - the ACI
  alternative to API.txt. David updated an ACI, not removed it.
 
  On that note, what is the reason for this permission change:
 
  -'ipapermtargetfilter': [
  -'(objectclass=ipahost)',
  -'(!(krbprincipalname=*))',
  -],
 
  ?
 
  Yes, this is exactly the change I was referring to. Permission
  changes within a plugin now translate automatically to ACI
  changes. Sorry I wasn't clearer.
 
  This ACI gets replaced with a much simpler one and I'm not 100%
  sure it will work with all enrollments:
 
  -aci: (targetattr = krbprincipalname)(targetfilter =
  ((!(krbprincipalname=*))(objectclass=ipahost)))(version 3.0;acl
  permission:System: Add krbPrincipalName to a Host;allow (write)
  groupdn = ldap:///cn=System: Add krbPrincipalName to a
  Host,cn=permissions,cn=pbac,dc=ipa,dc=example;)
 
  +aci: (targetattr = krbprincipalname)(targetfilter =
  (objectclass=ipahost))(version 3.0;acl permission:System: Add
  krbPrincipalName to a Host;allow (write) groupdn =
  ldap:///cn=System: Add krbPrincipalName to a
  Host,cn=permissions,cn=pbac,dc=ipa,dc=example;)
 
  The first one restricts writing the attribute only if it isn't
  already set. The second lets it be changed unconditionally.
 
  Yeah this is wrong indeed, the point of the ACI is to allow
  setting the principal only when it is not already set, which is
  the OTP enrollment case. But if krbprincipal is set then this
  specific permission should not grant rights to change it.
 
  At least this was my understanding.
 
  Simo.
 
  Right. It seems to me we should add keep this permission intact and
  add a new permission allowing adding krbPrincipalName aliases. This
  would allow writing both krbPrincipalName and krbCanonicalName.
 
  Martin
 

 Thank you all for explanation and help. I rewrote the patch so it
 should work as requested now. Also I added tests to reassure the
 behavior is correct.


 Sorry for not catching this earlier, but should we also add new IPA
 MODRDN configuration ?
 We currently change krbPrincipalName if the user uid changes.

 However perhaps what we should do is instead to allows aliases only for
 service/host principals but not for ipa users, at least for now.
 I think it is sensible approach to limit aliases for service/host
 principals only.

Currently, David was only adding aliases for hosts - should we then expand the
logic also for services?

 Should we also change permissions so that host/service entries
 *cannot* be renamed ? Otherwise we'd need to add again IAP MODRDN
 configuration so that if a service/host krbprincipalname is changed
 then krbcanonicalname is too.
 Yes, host/service shouldn't be renamed. Additionally, this would make
 also their certificates obsolete, in certain sense.

Ok, this requirement will make it simpler. Here is the logic as I would see it:

1) Whenever an alias is added to existing service with the single
krbPrincipalName, also krbCanonicalName is added targetting the original value,
object is renamed to the CanonicalName.

2) Framework would prohibit changing the canonical name as that would always be
the first name used when running host-add. (if someone does that via
ldapmodify, that's their problem).

 Last but not least, and here I regret we may have a BIG issue, I just
 realize we use krbprincipalname in the Services DN, if we add
 additional values there does it mean we end up with a multivalued RDN ?
 Unfortunately, this is what happens right now if you add more than one
 krbprincipalname already. Things seem to work fine except you cannot
 address such objects in Web UI and CLI.
 
 That may be a problem, in such case should we rename services to use
 krbcanonicalname as the rnd instead ? We can do this in a compatible
 manner I think by renaming on the fly old entries if the still use
 krbprincipalname and changing our code to start always setting
 krbcanonicalname on new entries and set both canmonical

Re: [Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test

2014-09-24 Thread Simo Sorce

On Wed, 24 Sep 2014 10:22:29 +0200
Martin Kosek mko...@redhat.com wrote:

 On 09/22/2014 05:02 PM, Alexander Bokovoy wrote:
  On Mon, 22 Sep 2014, Simo Sorce wrote:
  On Mon, 22 Sep 2014 15:36:01 +0200
  David Kupka dku...@redhat.com wrote:
 
  On 09/18/2014 09:42 PM, Martin Kosek wrote:
   On 09/18/2014 09:11 PM, Simo Sorce wrote:
   On Thu, 18 Sep 2014 14:57:45 -0400
   Rob Crittenden rcrit...@redhat.com wrote:
  
   Martin Kosek wrote:
   On 09/18/2014 04:06 PM, David Kupka wrote:
   On 09/18/2014 03:44 PM, Rob Crittenden wrote:
   David Kupka wrote:
   https://fedorahosted.org/freeipa/ticket/4421
  
   You are removing an ACI in this patch. It is always
   possible it is no longer needed. Did you test all the
   client enrollment scenarios?
  
   rob
  
  
   As far as I'm aware I'm not removing any ACI. I'm modifying
   ACI so it is possible to add krbPrincipalName to host even
   when there is already one (or more). And adding one ACI to
   allow writing krbCanonicalName to host. But I'm still not
   really familiar with ACI so please correct me if I'm wrong.
  
  
   What refers to is probably the update in ACI.txt - the ACI
   alternative to API.txt. David updated an ACI, not removed it.
  
   On that note, what is the reason for this permission change:
  
   -'ipapermtargetfilter': [
   -'(objectclass=ipahost)',
   -'(!(krbprincipalname=*))',
   -],
  
   ?
  
   Yes, this is exactly the change I was referring to. Permission
   changes within a plugin now translate automatically to ACI
   changes. Sorry I wasn't clearer.
  
   This ACI gets replaced with a much simpler one and I'm not
   100% sure it will work with all enrollments:
  
   -aci: (targetattr = krbprincipalname)(targetfilter =
   ((!(krbprincipalname=*))(objectclass=ipahost)))(version
   3.0;acl permission:System: Add krbPrincipalName to a
   Host;allow (write) groupdn = ldap:///cn=System: Add
   krbPrincipalName to a
   Host,cn=permissions,cn=pbac,dc=ipa,dc=example;)
  
   +aci: (targetattr = krbprincipalname)(targetfilter =
   (objectclass=ipahost))(version 3.0;acl permission:System:
   Add krbPrincipalName to a Host;allow (write) groupdn =
   ldap:///cn=System: Add krbPrincipalName to a
   Host,cn=permissions,cn=pbac,dc=ipa,dc=example;)
  
   The first one restricts writing the attribute only if it isn't
   already set. The second lets it be changed unconditionally.
  
   Yeah this is wrong indeed, the point of the ACI is to allow
   setting the principal only when it is not already set, which is
   the OTP enrollment case. But if krbprincipal is set then this
   specific permission should not grant rights to change it.
  
   At least this was my understanding.
  
   Simo.
  
   Right. It seems to me we should add keep this permission intact
   and add a new permission allowing adding krbPrincipalName
   aliases. This would allow writing both krbPrincipalName and
   krbCanonicalName.
  
   Martin
  
 
  Thank you all for explanation and help. I rewrote the patch so it
  should work as requested now. Also I added tests to reassure the
  behavior is correct.
 
 
  Sorry for not catching this earlier, but should we also add new IPA
  MODRDN configuration ?
  We currently change krbPrincipalName if the user uid changes.
 
  However perhaps what we should do is instead to allows aliases
  only for service/host principals but not for ipa users, at least
  for now.
  I think it is sensible approach to limit aliases for service/host
  principals only.
 
 Currently, David was only adding aliases for hosts - should we then
 expand the logic also for services?

I expect aliases will be used almost exclusively with services not
hosts.

  Should we also change permissions so that host/service entries
  *cannot* be renamed ? Otherwise we'd need to add again IAP MODRDN
  configuration so that if a service/host krbprincipalname is changed
  then krbcanonicalname is too.
  Yes, host/service shouldn't be renamed. Additionally, this would
  make also their certificates obsolete, in certain sense.
 
 Ok, this requirement will make it simpler. Here is the logic as I
 would see it:
 
 1) Whenever an alias is added to existing service with the single
 krbPrincipalName, also krbCanonicalName is added targetting the
 original value, object is renamed to the CanonicalName.

1.1) change the framework to start creating new services using
krbCanonicalName as RDN.

 2) Framework would prohibit changing the canonical name as that would
 always be the first name used when running host-add. (if someone does
 that via ldapmodify, that's their problem).

We should just prevent modrdn in cn=services and cn=accounts by
removing the ability to do so in existing permissions I think.

  Last but not least, and here I regret we may have a BIG issue, I
  just realize we use krbprincipalname in the Services DN, if we add
  additional values there does it mean we end up with a multivalued
  RDN ?
  Unfortunately, this

Re: [Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test

2014-09-22 Thread David Kupka


On 09/18/2014 09:42 PM, Martin Kosek wrote:

On 09/18/2014 09:11 PM, Simo Sorce wrote:

On Thu, 18 Sep 2014 14:57:45 -0400
Rob Crittenden rcrit...@redhat.com wrote:


Martin Kosek wrote:

On 09/18/2014 04:06 PM, David Kupka wrote:

On 09/18/2014 03:44 PM, Rob Crittenden wrote:

David Kupka wrote:

https://fedorahosted.org/freeipa/ticket/4421


You are removing an ACI in this patch. It is always possible it
is no longer needed. Did you test all the client enrollment
scenarios?

rob



As far as I'm aware I'm not removing any ACI. I'm modifying ACI so
it is possible to add krbPrincipalName to host even when there is
already one (or more). And adding one ACI to allow writing
krbCanonicalName to host. But I'm still not really familiar with
ACI so please correct me if I'm wrong.



What refers to is probably the update in ACI.txt - the ACI
alternative to API.txt. David updated an ACI, not removed it.

On that note, what is the reason for this permission change:

-'ipapermtargetfilter': [
-'(objectclass=ipahost)',
-'(!(krbprincipalname=*))',
-],

?


Yes, this is exactly the change I was referring to. Permission changes
within a plugin now translate automatically to ACI changes. Sorry I
wasn't clearer.

This ACI gets replaced with a much simpler one and I'm not 100% sure
it will work with all enrollments:

-aci: (targetattr = krbprincipalname)(targetfilter =
((!(krbprincipalname=*))(objectclass=ipahost)))(version 3.0;acl
permission:System: Add krbPrincipalName to a Host;allow (write)
groupdn = ldap:///cn=System: Add krbPrincipalName to a
Host,cn=permissions,cn=pbac,dc=ipa,dc=example;)

+aci: (targetattr = krbprincipalname)(targetfilter =
(objectclass=ipahost))(version 3.0;acl permission:System: Add
krbPrincipalName to a Host;allow (write) groupdn =
ldap:///cn=System: Add krbPrincipalName to a
Host,cn=permissions,cn=pbac,dc=ipa,dc=example;)

The first one restricts writing the attribute only if it isn't already
set. The second lets it be changed unconditionally.


Yeah this is wrong indeed, the point of the ACI is to allow setting the
principal only when it is not already set, which is the OTP enrollment
case. But if krbprincipal is set then this specific permission should
not grant rights to change it.

At least this was my understanding.

Simo.


Right. It seems to me we should add keep this permission intact and add
a new permission allowing adding krbPrincipalName aliases. This would
allow writing both krbPrincipalName and krbCanonicalName.

Martin



Thank you all for explanation and help. I rewrote the patch so it should 
work as requested now. Also I added tests to reassure the behavior is 
correct.


--
David Kupka
From 3e4a4ce3d951bd83ec046025f5acbfc7a0823f6e Mon Sep 17 00:00:00 2001
From: David Kupka dku...@redhat.com
Date: Tue, 2 Sep 2014 16:11:55 +0200
Subject: [PATCH] Allow multiple krbprincipalnames.

Allow user to specify multiple krbprincipalnames and  krbcanonicalname.
User must have IT specialist role or Host Administrators privilege
assigned.

https://fedorahosted.org/freeipa/ticket/4421
---
 ACI.txt|  2 ++
 API.txt|  2 +-
 ipalib/plugins/host.py | 50 --
 3 files changed, 43 insertions(+), 11 deletions(-)

diff --git a/ACI.txt b/ACI.txt
index 1e6bec0ece554fb2457fae0462c0c673a9b24e41..1ac48c938c86a42082e4eb9a2cbbc42d9eb6fe8d 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -98,6 +98,8 @@ dn: cn=computers,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = ipasshpubkey)(targetfilter = (objectclass=ipahost))(version 3.0;acl permission:System: Manage Host SSH Public Keys;allow (write) groupdn = ldap:///cn=System: Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=ipa,dc=example;)
 dn: cn=computers,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = description || l || macaddress || nshardwareplatform || nshostlocation || nsosversion || userclass)(targetfilter = (objectclass=ipahost))(version 3.0;acl permission:System: Modify Hosts;allow (write) groupdn = ldap:///cn=System: Modify Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example;)
+dn: cn=computers,cn=accounts,dc=ipa,dc=example
+aci: (targetattr = krbcanonicalname || krbprincipalname)(targetfilter = (objectclass=ipahost))(version 3.0;acl permission:System: Modify krbCanonicalName and krbPrincipalName to a Host;allow (write) groupdn = ldap:///cn=System: Modify krbCanonicalName and krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=ipa,dc=example;)
 dn: dc=ipa,dc=example
 aci: (targetattr = cn || createtimestamp || entryusn || macaddress || modifytimestamp || objectclass)(target = ldap:///cn=computers,cn=compat,dc=ipa,dc=example;)(version 3.0;acl permission:System: Read Host Compat Tree;allow (compare,read,search) userdn = ldap:///anyone;;)
 dn: cn=computers,cn=accounts,dc=ipa,dc=example
diff --git a/API.txt b/API.txt
index bbd0f507b2faeec0239920cdcff28fe25d618e02..ef1f70397e7685161821a98a92ea575aa6eff532 100644
--- a/API.txt

Re: [Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test

2014-09-22 Thread Simo Sorce

On Mon, 22 Sep 2014 15:36:01 +0200
David Kupka dku...@redhat.com wrote:

 On 09/18/2014 09:42 PM, Martin Kosek wrote:
  On 09/18/2014 09:11 PM, Simo Sorce wrote:
  On Thu, 18 Sep 2014 14:57:45 -0400
  Rob Crittenden rcrit...@redhat.com wrote:
 
  Martin Kosek wrote:
  On 09/18/2014 04:06 PM, David Kupka wrote:
  On 09/18/2014 03:44 PM, Rob Crittenden wrote:
  David Kupka wrote:
  https://fedorahosted.org/freeipa/ticket/4421
 
  You are removing an ACI in this patch. It is always possible it
  is no longer needed. Did you test all the client enrollment
  scenarios?
 
  rob
 
 
  As far as I'm aware I'm not removing any ACI. I'm modifying ACI
  so it is possible to add krbPrincipalName to host even when
  there is already one (or more). And adding one ACI to allow
  writing krbCanonicalName to host. But I'm still not really
  familiar with ACI so please correct me if I'm wrong.
 
 
  What refers to is probably the update in ACI.txt - the ACI
  alternative to API.txt. David updated an ACI, not removed it.
 
  On that note, what is the reason for this permission change:
 
  -'ipapermtargetfilter': [
  -'(objectclass=ipahost)',
  -'(!(krbprincipalname=*))',
  -],
 
  ?
 
  Yes, this is exactly the change I was referring to. Permission
  changes within a plugin now translate automatically to ACI
  changes. Sorry I wasn't clearer.
 
  This ACI gets replaced with a much simpler one and I'm not 100%
  sure it will work with all enrollments:
 
  -aci: (targetattr = krbprincipalname)(targetfilter =
  ((!(krbprincipalname=*))(objectclass=ipahost)))(version 3.0;acl
  permission:System: Add krbPrincipalName to a Host;allow (write)
  groupdn = ldap:///cn=System: Add krbPrincipalName to a
  Host,cn=permissions,cn=pbac,dc=ipa,dc=example;)
 
  +aci: (targetattr = krbprincipalname)(targetfilter =
  (objectclass=ipahost))(version 3.0;acl permission:System: Add
  krbPrincipalName to a Host;allow (write) groupdn =
  ldap:///cn=System: Add krbPrincipalName to a
  Host,cn=permissions,cn=pbac,dc=ipa,dc=example;)
 
  The first one restricts writing the attribute only if it isn't
  already set. The second lets it be changed unconditionally.
 
  Yeah this is wrong indeed, the point of the ACI is to allow
  setting the principal only when it is not already set, which is
  the OTP enrollment case. But if krbprincipal is set then this
  specific permission should not grant rights to change it.
 
  At least this was my understanding.
 
  Simo.
 
  Right. It seems to me we should add keep this permission intact and
  add a new permission allowing adding krbPrincipalName aliases. This
  would allow writing both krbPrincipalName and krbCanonicalName.
 
  Martin
 
 
 Thank you all for explanation and help. I rewrote the patch so it
 should work as requested now. Also I added tests to reassure the
 behavior is correct.


Sorry for not catching this earlier, but should we also add new IPA
MODRDN configuration ?
We currently change krbPrincipalName if the user uid changes.

However perhaps what we should do is instead to allows aliases only for
service/host principals but not for ipa users, at least for now.

Should we also change permissions so that host/service entries
*cannot* be renamed ? Otherwise we'd need to add again IAP MODRDN
configuration so that if a service/host krbprincipalname is changed
then krbcanonicalname is too.

Last but not least, and here I regret we may have a BIG issue, I just
realize we use krbprincipalname in the Services DN, if we add
additional values there does it mean we end up with a multivalued RDN ?
That may be a problem, in such case should we rename services to use
krbcanonicalname as the rnd instead ? We can do this in a compatible
manner I think by renaming on the fly old entries if the still use
krbprincipalname and changing our code to start always setting
krbcanonicalname on new entries and set both canmonical and principal
name on every new entry.

Opinions ?



-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test

2014-09-22 Thread Alexander Bokovoy


On Mon, 22 Sep 2014, Simo Sorce wrote:

On Mon, 22 Sep 2014 15:36:01 +0200
David Kupka dku...@redhat.com wrote:


On 09/18/2014 09:42 PM, Martin Kosek wrote:
 On 09/18/2014 09:11 PM, Simo Sorce wrote:
 On Thu, 18 Sep 2014 14:57:45 -0400
 Rob Crittenden rcrit...@redhat.com wrote:

 Martin Kosek wrote:
 On 09/18/2014 04:06 PM, David Kupka wrote:
 On 09/18/2014 03:44 PM, Rob Crittenden wrote:
 David Kupka wrote:
 https://fedorahosted.org/freeipa/ticket/4421

 You are removing an ACI in this patch. It is always possible it
 is no longer needed. Did you test all the client enrollment
 scenarios?

 rob


 As far as I'm aware I'm not removing any ACI. I'm modifying ACI
 so it is possible to add krbPrincipalName to host even when
 there is already one (or more). And adding one ACI to allow
 writing krbCanonicalName to host. But I'm still not really
 familiar with ACI so please correct me if I'm wrong.


 What refers to is probably the update in ACI.txt - the ACI
 alternative to API.txt. David updated an ACI, not removed it.

 On that note, what is the reason for this permission change:

 -'ipapermtargetfilter': [
 -'(objectclass=ipahost)',
 -'(!(krbprincipalname=*))',
 -],

 ?

 Yes, this is exactly the change I was referring to. Permission
 changes within a plugin now translate automatically to ACI
 changes. Sorry I wasn't clearer.

 This ACI gets replaced with a much simpler one and I'm not 100%
 sure it will work with all enrollments:

 -aci: (targetattr = krbprincipalname)(targetfilter =
 ((!(krbprincipalname=*))(objectclass=ipahost)))(version 3.0;acl
 permission:System: Add krbPrincipalName to a Host;allow (write)
 groupdn = ldap:///cn=System: Add krbPrincipalName to a
 Host,cn=permissions,cn=pbac,dc=ipa,dc=example;)

 +aci: (targetattr = krbprincipalname)(targetfilter =
 (objectclass=ipahost))(version 3.0;acl permission:System: Add
 krbPrincipalName to a Host;allow (write) groupdn =
 ldap:///cn=System: Add krbPrincipalName to a
 Host,cn=permissions,cn=pbac,dc=ipa,dc=example;)

 The first one restricts writing the attribute only if it isn't
 already set. The second lets it be changed unconditionally.

 Yeah this is wrong indeed, the point of the ACI is to allow
 setting the principal only when it is not already set, which is
 the OTP enrollment case. But if krbprincipal is set then this
 specific permission should not grant rights to change it.

 At least this was my understanding.

 Simo.

 Right. It seems to me we should add keep this permission intact and
 add a new permission allowing adding krbPrincipalName aliases. This
 would allow writing both krbPrincipalName and krbCanonicalName.

 Martin


Thank you all for explanation and help. I rewrote the patch so it
should work as requested now. Also I added tests to reassure the
behavior is correct.



Sorry for not catching this earlier, but should we also add new IPA
MODRDN configuration ?
We currently change krbPrincipalName if the user uid changes.

However perhaps what we should do is instead to allows aliases only for
service/host principals but not for ipa users, at least for now.

I think it is sensible approach to limit aliases for service/host
principals only.



Should we also change permissions so that host/service entries
*cannot* be renamed ? Otherwise we'd need to add again IAP MODRDN
configuration so that if a service/host krbprincipalname is changed
then krbcanonicalname is too.

Yes, host/service shouldn't be renamed. Additionally, this would make
also their certificates obsolete, in certain sense.


Last but not least, and here I regret we may have a BIG issue, I just
realize we use krbprincipalname in the Services DN, if we add
additional values there does it mean we end up with a multivalued RDN ?

Unfortunately, this is what happens right now if you add more than one
krbprincipalname already. Things seem to work fine except you cannot
address such objects in Web UI and CLI.


That may be a problem, in such case should we rename services to use
krbcanonicalname as the rnd instead ? We can do this in a compatible
manner I think by renaming on the fly old entries if the still use
krbprincipalname and changing our code to start always setting
krbcanonicalname on new entries and set both canmonical and principal
name on every new entry.

Sounds reasonable to me.

--
/ Alexander Bokovoy

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test

2014-09-22 Thread Martin Kosek

On 09/22/2014 04:16 PM, Simo Sorce wrote:
 On Mon, 22 Sep 2014 15:36:01 +0200
 David Kupka dku...@redhat.com wrote:
 
 On 09/18/2014 09:42 PM, Martin Kosek wrote:
 On 09/18/2014 09:11 PM, Simo Sorce wrote:
 On Thu, 18 Sep 2014 14:57:45 -0400
 Rob Crittenden rcrit...@redhat.com wrote:

 Martin Kosek wrote:
 On 09/18/2014 04:06 PM, David Kupka wrote:
 On 09/18/2014 03:44 PM, Rob Crittenden wrote:
 David Kupka wrote:
 https://fedorahosted.org/freeipa/ticket/4421

 You are removing an ACI in this patch. It is always possible it
 is no longer needed. Did you test all the client enrollment
 scenarios?

 rob


 As far as I'm aware I'm not removing any ACI. I'm modifying ACI
 so it is possible to add krbPrincipalName to host even when
 there is already one (or more). And adding one ACI to allow
 writing krbCanonicalName to host. But I'm still not really
 familiar with ACI so please correct me if I'm wrong.


 What refers to is probably the update in ACI.txt - the ACI
 alternative to API.txt. David updated an ACI, not removed it.

 On that note, what is the reason for this permission change:

 -'ipapermtargetfilter': [
 -'(objectclass=ipahost)',
 -'(!(krbprincipalname=*))',
 -],

 ?

 Yes, this is exactly the change I was referring to. Permission
 changes within a plugin now translate automatically to ACI
 changes. Sorry I wasn't clearer.

 This ACI gets replaced with a much simpler one and I'm not 100%
 sure it will work with all enrollments:

 -aci: (targetattr = krbprincipalname)(targetfilter =
 ((!(krbprincipalname=*))(objectclass=ipahost)))(version 3.0;acl
 permission:System: Add krbPrincipalName to a Host;allow (write)
 groupdn = ldap:///cn=System: Add krbPrincipalName to a
 Host,cn=permissions,cn=pbac,dc=ipa,dc=example;)

 +aci: (targetattr = krbprincipalname)(targetfilter =
 (objectclass=ipahost))(version 3.0;acl permission:System: Add
 krbPrincipalName to a Host;allow (write) groupdn =
 ldap:///cn=System: Add krbPrincipalName to a
 Host,cn=permissions,cn=pbac,dc=ipa,dc=example;)

 The first one restricts writing the attribute only if it isn't
 already set. The second lets it be changed unconditionally.

 Yeah this is wrong indeed, the point of the ACI is to allow
 setting the principal only when it is not already set, which is
 the OTP enrollment case. But if krbprincipal is set then this
 specific permission should not grant rights to change it.

 At least this was my understanding.

 Simo.

 Right. It seems to me we should add keep this permission intact and
 add a new permission allowing adding krbPrincipalName aliases. This
 would allow writing both krbPrincipalName and krbCanonicalName.

 Martin


 Thank you all for explanation and help. I rewrote the patch so it
 should work as requested now. Also I added tests to reassure the
 behavior is correct.
 
 
 Sorry for not catching this earlier, but should we also add new IPA
 MODRDN configuration ?
 We currently change krbPrincipalName if the user uid changes.
 
 However perhaps what we should do is instead to allows aliases only for
 service/host principals but not for ipa users, at least for now.

Right. But this patch does not allow aliases for users, so we do not do any
changes on that side.

 Should we also change permissions so that host/service entries
 *cannot* be renamed ? Otherwise we'd need to add again IAP MODRDN
 configuration so that if a service/host krbprincipalname is changed
 then krbcanonicalname is too.

Hmm, I think only admin is allowed to rename hosts right now. But you have a
good point about the renames though.

 Last but not least, and here I regret we may have a BIG issue, I just
 realize we use krbprincipalname in the Services DN, if we add
 additional values there does it mean we end up with a multivalued RDN ?

Oh, this one is a major issue then. It would mean that, yes. But is that a
problem? I think DS is OK with just one attribute from multi-valued attribute
to be in the DN, right? Though it may become awkward to manipulate in the
framework.

Another issue, are we handling the services correctly? They contain check for
the host existence  given they krbPrincipalName they are also bound to one of
the aliases actually. What if somebody creates a service for
alias.ipa.server.test and then deletes that alias? We will need to address it 
too.

 That may be a problem, in such case should we rename services to use
 krbcanonicalname as the rnd instead ? We can do this in a compatible
 manner I think by renaming on the fly old entries if the still use
 krbprincipalname and changing our code to start always setting
 krbcanonicalname on new entries and set both canmonical and principal
 name on every new entry.
 
 Opinions ?

I am a bit afraid of renaming all services, there may be a *lot* of them.
However, with new ACIs there should not be a problem having objects with
different RDNs.

I am thinking host plugin could change RDN to krbCanonicalName when a second

Re: [Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test

2014-09-22 Thread Simo Sorce

On Mon, 22 Sep 2014 17:25:27 +0200
Martin Kosek mko...@redhat.com wrote:

 On 09/22/2014 04:16 PM, Simo Sorce wrote:
  On Mon, 22 Sep 2014 15:36:01 +0200
  David Kupka dku...@redhat.com wrote:
  
  On 09/18/2014 09:42 PM, Martin Kosek wrote:
  On 09/18/2014 09:11 PM, Simo Sorce wrote:
  On Thu, 18 Sep 2014 14:57:45 -0400
  Rob Crittenden rcrit...@redhat.com wrote:
 
  Martin Kosek wrote:
  On 09/18/2014 04:06 PM, David Kupka wrote:
  On 09/18/2014 03:44 PM, Rob Crittenden wrote:
  David Kupka wrote:
  https://fedorahosted.org/freeipa/ticket/4421
 
  You are removing an ACI in this patch. It is always possible
  it is no longer needed. Did you test all the client
  enrollment scenarios?
 
  rob
 
 
  As far as I'm aware I'm not removing any ACI. I'm modifying
  ACI so it is possible to add krbPrincipalName to host even
  when there is already one (or more). And adding one ACI to
  allow writing krbCanonicalName to host. But I'm still not
  really familiar with ACI so please correct me if I'm wrong.
 
 
  What refers to is probably the update in ACI.txt - the ACI
  alternative to API.txt. David updated an ACI, not removed it.
 
  On that note, what is the reason for this permission change:
 
  -'ipapermtargetfilter': [
  -'(objectclass=ipahost)',
  -'(!(krbprincipalname=*))',
  -],
 
  ?
 
  Yes, this is exactly the change I was referring to. Permission
  changes within a plugin now translate automatically to ACI
  changes. Sorry I wasn't clearer.
 
  This ACI gets replaced with a much simpler one and I'm not 100%
  sure it will work with all enrollments:
 
  -aci: (targetattr = krbprincipalname)(targetfilter =
  ((!(krbprincipalname=*))(objectclass=ipahost)))(version
  3.0;acl permission:System: Add krbPrincipalName to a
  Host;allow (write) groupdn = ldap:///cn=System: Add
  krbPrincipalName to a
  Host,cn=permissions,cn=pbac,dc=ipa,dc=example;)
 
  +aci: (targetattr = krbprincipalname)(targetfilter =
  (objectclass=ipahost))(version 3.0;acl permission:System: Add
  krbPrincipalName to a Host;allow (write) groupdn =
  ldap:///cn=System: Add krbPrincipalName to a
  Host,cn=permissions,cn=pbac,dc=ipa,dc=example;)
 
  The first one restricts writing the attribute only if it isn't
  already set. The second lets it be changed unconditionally.
 
  Yeah this is wrong indeed, the point of the ACI is to allow
  setting the principal only when it is not already set, which is
  the OTP enrollment case. But if krbprincipal is set then this
  specific permission should not grant rights to change it.
 
  At least this was my understanding.
 
  Simo.
 
  Right. It seems to me we should add keep this permission intact
  and add a new permission allowing adding krbPrincipalName
  aliases. This would allow writing both krbPrincipalName and
  krbCanonicalName.
 
  Martin
 
 
  Thank you all for explanation and help. I rewrote the patch so it
  should work as requested now. Also I added tests to reassure the
  behavior is correct.
  
  
  Sorry for not catching this earlier, but should we also add new IPA
  MODRDN configuration ?
  We currently change krbPrincipalName if the user uid changes.
  
  However perhaps what we should do is instead to allows aliases only
  for service/host principals but not for ipa users, at least for now.
 
 Right. But this patch does not allow aliases for users, so we do not
 do any changes on that side.
 
  Should we also change permissions so that host/service entries
  *cannot* be renamed ? Otherwise we'd need to add again IAP MODRDN
  configuration so that if a service/host krbprincipalname is changed
  then krbcanonicalname is too.
 
 Hmm, I think only admin is allowed to rename hosts right now. But you
 have a good point about the renames though.
 
  Last but not least, and here I regret we may have a BIG issue, I
  just realize we use krbprincipalname in the Services DN, if we add
  additional values there does it mean we end up with a multivalued
  RDN ?
 
 Oh, this one is a major issue then. It would mean that, yes. But is
 that a problem? I think DS is OK with just one attribute from
 multi-valued attribute to be in the DN, right? Though it may become
 awkward to manipulate in the framework.
 
 Another issue, are we handling the services correctly? They contain
 check for the host existence  given they krbPrincipalName they are
 also bound to one of the aliases actually. What if somebody creates a
 service for alias.ipa.server.test and then deletes that alias? We
 will need to address it too.
 
  That may be a problem, in such case should we rename services to use
  krbcanonicalname as the rnd instead ? We can do this in a compatible
  manner I think by renaming on the fly old entries if the still use
  krbprincipalname and changing our code to start always setting
  krbcanonicalname on new entries and set both canmonical and
  principal name on every new entry.
  
  Opinions ?
 
 I am a bit afraid of renaming all services, there

Re: [Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test

2014-09-19 Thread Martin Kosek


On 09/18/2014 09:42 PM, Martin Kosek wrote:

On 09/18/2014 09:11 PM, Simo Sorce wrote:

On Thu, 18 Sep 2014 14:57:45 -0400
Rob Crittenden rcrit...@redhat.com wrote:


Martin Kosek wrote:

On 09/18/2014 04:06 PM, David Kupka wrote:

On 09/18/2014 03:44 PM, Rob Crittenden wrote:

David Kupka wrote:

https://fedorahosted.org/freeipa/ticket/4421


You are removing an ACI in this patch. It is always possible it
is no longer needed. Did you test all the client enrollment
scenarios?

rob



As far as I'm aware I'm not removing any ACI. I'm modifying ACI so
it is possible to add krbPrincipalName to host even when there is
already one (or more). And adding one ACI to allow writing
krbCanonicalName to host. But I'm still not really familiar with
ACI so please correct me if I'm wrong.



What refers to is probably the update in ACI.txt - the ACI
alternative to API.txt. David updated an ACI, not removed it.

On that note, what is the reason for this permission change:

-'ipapermtargetfilter': [
-'(objectclass=ipahost)',
-'(!(krbprincipalname=*))',
-],

?


Yes, this is exactly the change I was referring to. Permission changes
within a plugin now translate automatically to ACI changes. Sorry I
wasn't clearer.

This ACI gets replaced with a much simpler one and I'm not 100% sure
it will work with all enrollments:

-aci: (targetattr = krbprincipalname)(targetfilter =
((!(krbprincipalname=*))(objectclass=ipahost)))(version 3.0;acl
permission:System: Add krbPrincipalName to a Host;allow (write)
groupdn = ldap:///cn=System: Add krbPrincipalName to a
Host,cn=permissions,cn=pbac,dc=ipa,dc=example;)

+aci: (targetattr = krbprincipalname)(targetfilter =
(objectclass=ipahost))(version 3.0;acl permission:System: Add
krbPrincipalName to a Host;allow (write) groupdn =
ldap:///cn=System: Add krbPrincipalName to a
Host,cn=permissions,cn=pbac,dc=ipa,dc=example;)

The first one restricts writing the attribute only if it isn't already
set. The second lets it be changed unconditionally.


Yeah this is wrong indeed, the point of the ACI is to allow setting the
principal only when it is not already set, which is the OTP enrollment
case. But if krbprincipal is set then this specific permission should
not grant rights to change it.

At least this was my understanding.

Simo.


Right. It seems to me we should add keep this permission intact and add a new
permission allowing adding krbPrincipalName aliases. This would allow writing
both krbPrincipalName and krbCanonicalName.

Martin


Simo, Rob - are you OK with this approach? I.e. having a new permission just 
for allowing adding aliases and not touching the enrollment-related permission?


I would assign that new permission to Host Administrators privilege by default.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test

2014-09-19 Thread Simo Sorce

On Fri, 19 Sep 2014 15:55:15 +0200
Martin Kosek mko...@redhat.com wrote:

 On 09/18/2014 09:42 PM, Martin Kosek wrote:
  On 09/18/2014 09:11 PM, Simo Sorce wrote:
  On Thu, 18 Sep 2014 14:57:45 -0400
  Rob Crittenden rcrit...@redhat.com wrote:
 
  Martin Kosek wrote:
  On 09/18/2014 04:06 PM, David Kupka wrote:
  On 09/18/2014 03:44 PM, Rob Crittenden wrote:
  David Kupka wrote:
  https://fedorahosted.org/freeipa/ticket/4421
 
  You are removing an ACI in this patch. It is always possible it
  is no longer needed. Did you test all the client enrollment
  scenarios?
 
  rob
 
 
  As far as I'm aware I'm not removing any ACI. I'm modifying ACI
  so it is possible to add krbPrincipalName to host even when
  there is already one (or more). And adding one ACI to allow
  writing krbCanonicalName to host. But I'm still not really
  familiar with ACI so please correct me if I'm wrong.
 
 
  What refers to is probably the update in ACI.txt - the ACI
  alternative to API.txt. David updated an ACI, not removed it.
 
  On that note, what is the reason for this permission change:
 
  -'ipapermtargetfilter': [
  -'(objectclass=ipahost)',
  -'(!(krbprincipalname=*))',
  -],
 
  ?
 
  Yes, this is exactly the change I was referring to. Permission
  changes within a plugin now translate automatically to ACI
  changes. Sorry I wasn't clearer.
 
  This ACI gets replaced with a much simpler one and I'm not 100%
  sure it will work with all enrollments:
 
  -aci: (targetattr = krbprincipalname)(targetfilter =
  ((!(krbprincipalname=*))(objectclass=ipahost)))(version 3.0;acl
  permission:System: Add krbPrincipalName to a Host;allow (write)
  groupdn = ldap:///cn=System: Add krbPrincipalName to a
  Host,cn=permissions,cn=pbac,dc=ipa,dc=example;)
 
  +aci: (targetattr = krbprincipalname)(targetfilter =
  (objectclass=ipahost))(version 3.0;acl permission:System: Add
  krbPrincipalName to a Host;allow (write) groupdn =
  ldap:///cn=System: Add krbPrincipalName to a
  Host,cn=permissions,cn=pbac,dc=ipa,dc=example;)
 
  The first one restricts writing the attribute only if it isn't
  already set. The second lets it be changed unconditionally.
 
  Yeah this is wrong indeed, the point of the ACI is to allow
  setting the principal only when it is not already set, which is
  the OTP enrollment case. But if krbprincipal is set then this
  specific permission should not grant rights to change it.
 
  At least this was my understanding.
 
  Simo.
 
  Right. It seems to me we should add keep this permission intact and
  add a new permission allowing adding krbPrincipalName aliases. This
  would allow writing both krbPrincipalName and krbCanonicalName.
 
  Martin
 
 Simo, Rob - are you OK with this approach? I.e. having a new
 permission just for allowing adding aliases and not touching the
 enrollment-related permission?
 
 I would assign that new permission to Host Administrators privilege
 by default.

Yeah, sounds like that would be better.
Simo.


-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test

2014-09-18 Thread David Kupka


https://fedorahosted.org/freeipa/ticket/4421
--
David Kupka
From 77faaa3c7887550b493f86f90f654da8e1f42eee Mon Sep 17 00:00:00 2001
From: David Kupka dku...@redhat.com
Date: Tue, 2 Sep 2014 16:11:55 +0200
Subject: [PATCH] Allow multiple krbprincipalnames.

Allow user to specify multiple krbprincipalnames and  krbcanonicalname.
User must have IT specialist role or Host Administrators privilege
assigned.

https://fedorahosted.org/freeipa/ticket/4421
---
 ACI.txt|  4 +++-
 API.txt|  2 +-
 ipalib/plugins/host.py | 21 +
 3 files changed, 17 insertions(+), 10 deletions(-)

diff --git a/ACI.txt b/ACI.txt
index 1e6bec0ece554fb2457fae0462c0c673a9b24e41..2a83af6ffba230f2d6ba5ec521652dc2312ce6d0 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -85,7 +85,9 @@ aci: (targetattr = businesscategory || cn || createtimestamp || description ||
 dn: cn=computers,cn=accounts,dc=ipa,dc=example
 aci: (targetfilter = (objectclass=ipahost))(version 3.0;acl permission:System: Add Hosts;allow (add) groupdn = ldap:///cn=System: Add Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example;)
 dn: cn=computers,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = krbprincipalname)(targetfilter = ((!(krbprincipalname=*))(objectclass=ipahost)))(version 3.0;acl permission:System: Add krbPrincipalName to a Host;allow (write) groupdn = ldap:///cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=ipa,dc=example;)
+aci: (targetattr = krbcanonicalname)(targetfilter = (objectclass=ipahost))(version 3.0;acl permission:System: Add krbCanonicalName to a Host;allow (write) groupdn = ldap:///cn=System: Add krbCanonicalName to a Host,cn=permissions,cn=pbac,dc=ipa,dc=example;)
+dn: cn=computers,cn=accounts,dc=ipa,dc=example
+aci: (targetattr = krbprincipalname)(targetfilter = (objectclass=ipahost))(version 3.0;acl permission:System: Add krbPrincipalName to a Host;allow (write) groupdn = ldap:///cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=ipa,dc=example;)
 dn: cn=computers,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = enrolledby || objectclass)(targetfilter = (objectclass=ipahost))(version 3.0;acl permission:System: Enroll a Host;allow (write) groupdn = ldap:///cn=System: Enroll a Host,cn=permissions,cn=pbac,dc=ipa,dc=example;)
 dn: cn=computers,cn=accounts,dc=ipa,dc=example
diff --git a/API.txt b/API.txt
index bbd0f507b2faeec0239920cdcff28fe25d618e02..ef1f70397e7685161821a98a92ea575aa6eff532 100644
--- a/API.txt
+++ b/API.txt
@@ -1884,7 +1884,7 @@ option: Str('description', attribute=True, autofill=False, cli_name='desc', mult
 option: Bool('ipakrbokasdelegate', attribute=False, autofill=False, cli_name='ok_as_delegate', multivalue=False, required=False)
 option: Bool('ipakrbrequirespreauth', attribute=False, autofill=False, cli_name='requires_pre_auth', multivalue=False, required=False)
 option: Str('ipasshpubkey', attribute=True, autofill=False, cli_name='sshpubkey', csv=True, multivalue=True, required=False)
-option: Str('krbprincipalname?', attribute=True, cli_name='principalname')
+option: Str('krbprincipalname?', attribute=True, cli_name='principalname', multivalue=True)
 option: Str('l', attribute=True, autofill=False, cli_name='locality', multivalue=False, required=False)
 option: Str('macaddress', attribute=True, autofill=False, cli_name='macaddress', csv=True, multivalue=True, pattern='^([a-fA-F0-9]{2}[:|\\-]?){5}[a-fA-F0-9]{2}$', required=False)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index 570bbe56aa0a315a031051f9a895702ba7c35076..53c2b95b44063049d64e8ad96bd5e52f1e1cab48 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -303,16 +303,17 @@ class host(LDAPObject):
 # This will let it be added if the client ends up enrolling with
 # an administrator instead.
 'ipapermright': {'write'},
-'ipapermtargetfilter': [
-'(objectclass=ipahost)',
-'(!(krbprincipalname=*))',
-],
 'ipapermdefaultattr': {'krbprincipalname'},
 'replaces': [
 '(target = ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX;)(targetfilter = (!(krbprincipalname=*)))(targetattr = krbprincipalname)(version 3.0;acl permission:Add krbPrincipalName to a host; allow (write) groupdn = ldap:///cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,$SUFFIX;)',
 ],
 'default_privileges': {'Host Administrators', 'Host Enrollment'},
 },
+'System: Add krbCanonicalName to a Host': {
+'ipapermright': {'write'},
+'ipapermdefaultattr': {'krbcanonicalname'},
+'default_privileges': {'Host Administrators'},
+},
 'System: Enroll a Host': {
 'ipapermright': {'write'},
 'ipapermdefaultattr': {'objectclass', 'enrolledby'},
@@ -761,6 +762,7 @@ class host_mod(LDAPUpdate):

Re: [Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test

2014-09-18 Thread Martin Kosek

On 09/18/2014 10:19 AM, David Kupka wrote:
 +'System: Add krbCanonicalName to a Host': {
 +'ipapermright': {'write'},
 +'ipapermdefaultattr': {'krbcanonicalname'},
 +'default_privileges': {'Host Administrators'},
 +},

Would it make sense to add the krbCanonicalName to System: Add
krbPrincipalName to a Host permission as they are semantically connected? I.e.
having one ACI without the other does not make much sense?

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test

2014-09-18 Thread David Kupka


On 09/18/2014 03:44 PM, Rob Crittenden wrote:

David Kupka wrote:

https://fedorahosted.org/freeipa/ticket/4421


You are removing an ACI in this patch. It is always possible it is no
longer needed. Did you test all the client enrollment scenarios?

rob



As far as I'm aware I'm not removing any ACI. I'm modifying ACI so it is 
possible to add krbPrincipalName to host even when there is already one 
(or more). And adding one ACI to allow writing krbCanonicalName to host.
But I'm still not really familiar with ACI so please correct me if I'm 
wrong.


--
David Kupka

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test

2014-09-18 Thread Martin Kosek

On 09/18/2014 04:06 PM, David Kupka wrote:
 On 09/18/2014 03:44 PM, Rob Crittenden wrote:
 David Kupka wrote:
 https://fedorahosted.org/freeipa/ticket/4421

 You are removing an ACI in this patch. It is always possible it is no
 longer needed. Did you test all the client enrollment scenarios?

 rob

 
 As far as I'm aware I'm not removing any ACI. I'm modifying ACI so it is
 possible to add krbPrincipalName to host even when there is already one (or
 more). And adding one ACI to allow writing krbCanonicalName to host.
 But I'm still not really familiar with ACI so please correct me if I'm wrong.
 

What refers to is probably the update in ACI.txt - the ACI alternative to
API.txt. David updated an ACI, not removed it.

On that note, what is the reason for this permission change:

-'ipapermtargetfilter': [
-'(objectclass=ipahost)',
-'(!(krbprincipalname=*))',
-],

?

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test

2014-09-18 Thread Simo Sorce

On Thu, 18 Sep 2014 16:28:19 +0200
Martin Kosek mko...@redhat.com wrote:

 On 09/18/2014 04:06 PM, David Kupka wrote:
  On 09/18/2014 03:44 PM, Rob Crittenden wrote:
  David Kupka wrote:
  https://fedorahosted.org/freeipa/ticket/4421
 
  You are removing an ACI in this patch. It is always possible it is
  no longer needed. Did you test all the client enrollment scenarios?
 
  rob
 
  
  As far as I'm aware I'm not removing any ACI. I'm modifying ACI so
  it is possible to add krbPrincipalName to host even when there is
  already one (or more). And adding one ACI to allow writing
  krbCanonicalName to host. But I'm still not really familiar with
  ACI so please correct me if I'm wrong.
  
 
 What refers to is probably the update in ACI.txt - the ACI
 alternative to API.txt. David updated an ACI, not removed it.
 
 On that note, what is the reason for this permission change:
 
 -'ipapermtargetfilter': [
 -'(objectclass=ipahost)',
 -'(!(krbprincipalname=*))',
 -],
 
 ?

I think also both the code and the  tests are missing to ensure that
the krbPrincipalName *also* *always* lists the krbCanonicalName.

I think with the current code you can end up in a situation where you
can have a value in KrbCanonicalName and completely different values in
KrbPrincipalName.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test

2014-09-18 Thread David Kupka


On 09/18/2014 04:28 PM, Martin Kosek wrote:

On 09/18/2014 04:06 PM, David Kupka wrote:

On 09/18/2014 03:44 PM, Rob Crittenden wrote:

David Kupka wrote:

https://fedorahosted.org/freeipa/ticket/4421


You are removing an ACI in this patch. It is always possible it is no
longer needed. Did you test all the client enrollment scenarios?

rob



As far as I'm aware I'm not removing any ACI. I'm modifying ACI so it is
possible to add krbPrincipalName to host even when there is already one (or
more). And adding one ACI to allow writing krbCanonicalName to host.
But I'm still not really familiar with ACI so please correct me if I'm wrong.



What refers to is probably the update in ACI.txt - the ACI alternative to
API.txt. David updated an ACI, not removed it.

On that note, what is the reason for this permission change:

-'ipapermtargetfilter': [
-'(objectclass=ipahost)',
-'(!(krbprincipalname=*))',
-],

?


To allow additional krbPrincipalNames. This behavior is requested by the 
ticket.




Martin



--
David Kupka

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test

2014-09-18 Thread David Kupka




On 09/18/2014 04:40 PM, Simo Sorce wrote:

On Thu, 18 Sep 2014 16:28:19 +0200
Martin Kosek mko...@redhat.com wrote:


On 09/18/2014 04:06 PM, David Kupka wrote:

On 09/18/2014 03:44 PM, Rob Crittenden wrote:

David Kupka wrote:

https://fedorahosted.org/freeipa/ticket/4421


You are removing an ACI in this patch. It is always possible it is
no longer needed. Did you test all the client enrollment scenarios?

rob



As far as I'm aware I'm not removing any ACI. I'm modifying ACI so
it is possible to add krbPrincipalName to host even when there is
already one (or more). And adding one ACI to allow writing
krbCanonicalName to host. But I'm still not really familiar with
ACI so please correct me if I'm wrong.



What refers to is probably the update in ACI.txt - the ACI
alternative to API.txt. David updated an ACI, not removed it.

On that note, what is the reason for this permission change:

-'ipapermtargetfilter': [
-'(objectclass=ipahost)',
-'(!(krbprincipalname=*))',
-],

?


I think also both the code and the  tests are missing to ensure that
the krbPrincipalName *also* *always* lists the krbCanonicalName.

I think with the current code you can end up in a situation where you
can have a value in KrbCanonicalName and completely different values in
KrbPrincipalName.


I didn't realize that there is such requirement although it's logical. I 
will fix it, thanks.




Simo.



--
David Kupka

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test

2014-09-18 Thread Rob Crittenden

Martin Kosek wrote:
 On 09/18/2014 04:06 PM, David Kupka wrote:
 On 09/18/2014 03:44 PM, Rob Crittenden wrote:
 David Kupka wrote:
 https://fedorahosted.org/freeipa/ticket/4421

 You are removing an ACI in this patch. It is always possible it is no
 longer needed. Did you test all the client enrollment scenarios?

 rob


 As far as I'm aware I'm not removing any ACI. I'm modifying ACI so it is
 possible to add krbPrincipalName to host even when there is already one (or
 more). And adding one ACI to allow writing krbCanonicalName to host.
 But I'm still not really familiar with ACI so please correct me if I'm wrong.

 
 What refers to is probably the update in ACI.txt - the ACI alternative to
 API.txt. David updated an ACI, not removed it.
 
 On that note, what is the reason for this permission change:
 
 -'ipapermtargetfilter': [
 -'(objectclass=ipahost)',
 -'(!(krbprincipalname=*))',
 -],
 
 ?

Yes, this is exactly the change I was referring to. Permission changes
within a plugin now translate automatically to ACI changes. Sorry I
wasn't clearer.

This ACI gets replaced with a much simpler one and I'm not 100% sure it
will work with all enrollments:

-aci: (targetattr = krbprincipalname)(targetfilter =
((!(krbprincipalname=*))(objectclass=ipahost)))(version 3.0;acl
permission:System: Add krbPrincipalName to a Host;allow (write)
groupdn = ldap:///cn=System: Add krbPrincipalName to a
Host,cn=permissions,cn=pbac,dc=ipa,dc=example;)

+aci: (targetattr = krbprincipalname)(targetfilter =
(objectclass=ipahost))(version 3.0;acl permission:System: Add
krbPrincipalName to a Host;allow (write) groupdn = ldap:///cn=System:
Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=ipa,dc=example;)

The first one restricts writing the attribute only if it isn't already
set. The second lets it be changed unconditionally.

rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test

2014-09-18 Thread Simo Sorce

On Thu, 18 Sep 2014 14:57:45 -0400
Rob Crittenden rcrit...@redhat.com wrote:

 Martin Kosek wrote:
  On 09/18/2014 04:06 PM, David Kupka wrote:
  On 09/18/2014 03:44 PM, Rob Crittenden wrote:
  David Kupka wrote:
  https://fedorahosted.org/freeipa/ticket/4421
 
  You are removing an ACI in this patch. It is always possible it
  is no longer needed. Did you test all the client enrollment
  scenarios?
 
  rob
 
 
  As far as I'm aware I'm not removing any ACI. I'm modifying ACI so
  it is possible to add krbPrincipalName to host even when there is
  already one (or more). And adding one ACI to allow writing
  krbCanonicalName to host. But I'm still not really familiar with
  ACI so please correct me if I'm wrong.
 
  
  What refers to is probably the update in ACI.txt - the ACI
  alternative to API.txt. David updated an ACI, not removed it.
  
  On that note, what is the reason for this permission change:
  
  -'ipapermtargetfilter': [
  -'(objectclass=ipahost)',
  -'(!(krbprincipalname=*))',
  -],
  
  ?
 
 Yes, this is exactly the change I was referring to. Permission changes
 within a plugin now translate automatically to ACI changes. Sorry I
 wasn't clearer.
 
 This ACI gets replaced with a much simpler one and I'm not 100% sure
 it will work with all enrollments:
 
 -aci: (targetattr = krbprincipalname)(targetfilter =
 ((!(krbprincipalname=*))(objectclass=ipahost)))(version 3.0;acl
 permission:System: Add krbPrincipalName to a Host;allow (write)
 groupdn = ldap:///cn=System: Add krbPrincipalName to a
 Host,cn=permissions,cn=pbac,dc=ipa,dc=example;)
 
 +aci: (targetattr = krbprincipalname)(targetfilter =
 (objectclass=ipahost))(version 3.0;acl permission:System: Add
 krbPrincipalName to a Host;allow (write) groupdn =
 ldap:///cn=System: Add krbPrincipalName to a
 Host,cn=permissions,cn=pbac,dc=ipa,dc=example;)
 
 The first one restricts writing the attribute only if it isn't already
 set. The second lets it be changed unconditionally.

Yeah this is wrong indeed, the point of the ACI is to allow setting the
principal only when it is not already set, which is the OTP enrollment
case. But if krbprincipal is set then this specific permission should
not grant rights to change it.

At least this was my understanding.

Simo.



-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test

2014-09-18 Thread Martin Kosek


On 09/18/2014 09:11 PM, Simo Sorce wrote:

On Thu, 18 Sep 2014 14:57:45 -0400
Rob Crittenden rcrit...@redhat.com wrote:


Martin Kosek wrote:

On 09/18/2014 04:06 PM, David Kupka wrote:

On 09/18/2014 03:44 PM, Rob Crittenden wrote:

David Kupka wrote:

https://fedorahosted.org/freeipa/ticket/4421


You are removing an ACI in this patch. It is always possible it
is no longer needed. Did you test all the client enrollment
scenarios?

rob



As far as I'm aware I'm not removing any ACI. I'm modifying ACI so
it is possible to add krbPrincipalName to host even when there is
already one (or more). And adding one ACI to allow writing
krbCanonicalName to host. But I'm still not really familiar with
ACI so please correct me if I'm wrong.



What refers to is probably the update in ACI.txt - the ACI
alternative to API.txt. David updated an ACI, not removed it.

On that note, what is the reason for this permission change:

-'ipapermtargetfilter': [
-'(objectclass=ipahost)',
-'(!(krbprincipalname=*))',
-],

?


Yes, this is exactly the change I was referring to. Permission changes
within a plugin now translate automatically to ACI changes. Sorry I
wasn't clearer.

This ACI gets replaced with a much simpler one and I'm not 100% sure
it will work with all enrollments:

-aci: (targetattr = krbprincipalname)(targetfilter =
((!(krbprincipalname=*))(objectclass=ipahost)))(version 3.0;acl
permission:System: Add krbPrincipalName to a Host;allow (write)
groupdn = ldap:///cn=System: Add krbPrincipalName to a
Host,cn=permissions,cn=pbac,dc=ipa,dc=example;)

+aci: (targetattr = krbprincipalname)(targetfilter =
(objectclass=ipahost))(version 3.0;acl permission:System: Add
krbPrincipalName to a Host;allow (write) groupdn =
ldap:///cn=System: Add krbPrincipalName to a
Host,cn=permissions,cn=pbac,dc=ipa,dc=example;)

The first one restricts writing the attribute only if it isn't already
set. The second lets it be changed unconditionally.


Yeah this is wrong indeed, the point of the ACI is to allow setting the
principal only when it is not already set, which is the OTP enrollment
case. But if krbprincipal is set then this specific permission should
not grant rights to change it.

At least this was my understanding.

Simo.


Right. It seems to me we should add keep this permission intact and add a new 
permission allowing adding krbPrincipalName aliases. This would allow writing 
both krbPrincipalName and krbCanonicalName.


Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test

Re: [Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test

Re: [Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test

Re: [Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test

Re: [Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test

Re: [Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test

Re: [Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test

Re: [Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test

Re: [Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test

[Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test

Re: [Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test

Re: [Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test

Re: [Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test

Re: [Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test

Re: [Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test

Re: [Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test

Re: [Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test

Re: [Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test

Re: [Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test

19 matches

Site Navigation

Mail list logo

Footer information