Re: [Freeipa-devel] [PATCH 0035] Remove Custodia server keys from LDAP

2016-08-24 Thread Martin Basti



On 24.08.2016 14:23, Petr Vobornik wrote:
> On 08/24/2016 12:21 PM, Martin Basti wrote:
>>
>>
>> On 24.08.2016 11:25, Christian Heimes wrote:
>>> On 2016-08-23 12:42, Petr Vobornik wrote:
>>>> On 08/11/2016 04:13 PM, Martin Basti wrote:
>>>>>
>>>>>
>>>>> On 08.08.2016 16:10, Christian Heimes wrote:
>>>>>> The server-del plugin now removes the Custodia keys for encryption and
>>>>>> key signing from LDAP.
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/6015
>>>>>>
>>>>>>
>>>>> ACK for master
>>>>>
>>>>> For 4.3, it requires new patch
>>>>>
>>>>> Martin
>>>>>
>>>> bump
>>> I haven't worked out a patch for 4.3. The server_del plugin in 4.3 is
>>> much simpler than in 4.4. It's not possible to hook the clean-up code to
>>> server_del like I did for 4.4. I would have to rewrite and redesign the
>>> patch completely which I neither have the time nor resources to at the
>>> moment.
>>>
>>> I vote for WONTFIX for 4.3.
>> +1
>
> works for me
>
>>
>> Martin^2
>>>
>>> Christian



Pushed to master: c346a2d1d19dea645d5afbc9578e7d6049d36275

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH 0035] Remove Custodia server keys from LDAP

2016-08-24 Thread Petr Vobornik
On 08/24/2016 12:21 PM, Martin Basti wrote:
> 
> 
> On 24.08.2016 11:25, Christian Heimes wrote:
>> On 2016-08-23 12:42, Petr Vobornik wrote:
>>> On 08/11/2016 04:13 PM, Martin Basti wrote:
>>>>
>>>> On 08.08.2016 16:10, Christian Heimes wrote:
>>>>> The server-del plugin now removes the Custodia keys for encryption and
>>>>> key signing from LDAP.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/6015
>>>>>
>>>>>
>>>> ACK for master
>>>>
>>>> For 4.3, it requires new patch
>>>>
>>>> Martin
>>>>
>>> bump
>> I haven't worked out a patch for 4.3. The server_del plugin in 4.3 is
>> much simpler than in 4.4. It's not possible to hook the clean-up code to
>> server_del like I did for 4.4. I would have to rewrite and redesign the
>> patch completely which I neither have the time nor resources to at the
>> moment.
>>
>> I vote for WONTFIX for 4.3.
> +1

works for me

> 
> Martin^2
>>
>> Christian
>>
-- 
Petr Vobornik



Re: [Freeipa-devel] [PATCH 0035] Remove Custodia server keys from LDAP

2016-08-24 Thread Martin Basti



On 24.08.2016 11:25, Christian Heimes wrote:
> On 2016-08-23 12:42, Petr Vobornik wrote:
>> On 08/11/2016 04:13 PM, Martin Basti wrote:
>>>
>>>
>>> On 08.08.2016 16:10, Christian Heimes wrote:
>>>> The server-del plugin now removes the Custodia keys for encryption and
>>>> key signing from LDAP.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/6015
>>>>
>>>>
>>> ACK for master
>>>
>>> For 4.3, it requires new patch
>>>
>>> Martin
>>>
>> bump
> I haven't worked out a patch for 4.3. The server_del plugin in 4.3 is
> much simpler than in 4.4. It's not possible to hook the clean-up code to
> server_del like I did for 4.4. I would have to rewrite and redesign the
> patch completely which I neither have the time nor resources to at the
> moment.
>
> I vote for WONTFIX for 4.3.
+1

Martin^2
>
> Christian






Re: [Freeipa-devel] [PATCH 0035] Remove Custodia server keys from LDAP

2016-08-24 Thread Christian Heimes
On 2016-08-23 12:42, Petr Vobornik wrote:
> On 08/11/2016 04:13 PM, Martin Basti wrote:
>>
>>
>> On 08.08.2016 16:10, Christian Heimes wrote:
>>> The server-del plugin now removes the Custodia keys for encryption and
>>> key signing from LDAP.
>>>
>>> https://fedorahosted.org/freeipa/ticket/6015
>>>
>>>
>> ACK for master
>>
>> For 4.3, it requires new patch
>>
>> Martin
>>
> 
> bump

I haven't worked out a patch for 4.3. The server_del plugin in 4.3 is
much simpler than in 4.4. It's not possible to hook the clean-up code to
server_del like I did for 4.4. I would have to rewrite and redesign the
patch completely which I neither have the time nor resources to at the
moment.

I vote for WONTFIX for 4.3.

Christian





Re: [Freeipa-devel] [PATCH 0035] Remove Custodia server keys from LDAP

2016-08-23 Thread Petr Vobornik
On 08/11/2016 04:13 PM, Martin Basti wrote:
> 
> 
> On 08.08.2016 16:10, Christian Heimes wrote:
>> The server-del plugin now removes the Custodia keys for encryption and
>> key signing from LDAP.
>>
>> https://fedorahosted.org/freeipa/ticket/6015
>>
>>
> ACK for master
> 
> For 4.3, it requires new patch
> 
> Martin
> 

bump

-- 
Petr Vobornik



Re: [Freeipa-devel] [PATCH 0035] Remove Custodia server keys from LDAP

2016-08-11 Thread Martin Basti



On 08.08.2016 16:10, Christian Heimes wrote:
> The server-del plugin now removes the Custodia keys for encryption and
> key signing from LDAP.
>
> https://fedorahosted.org/freeipa/ticket/6015
>
>
ACK for master

For 4.3, it requires new patch

Martin

[Freeipa-devel] [PATCH 0035] Remove Custodia server keys from LDAP

2016-08-08 Thread Christian Heimes
The server-del plugin now removes the Custodia keys for encryption and
key signing from LDAP.

https://fedorahosted.org/freeipa/ticket/6015

From be4d66075d108fd9188a3a0b906bace6f6ea5122 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Mon, 8 Aug 2016 16:06:08 +0200
Subject: [PATCH] Remove Custodia server keys from LDAP

The server-del plugin now removes the Custodia keys for encryption and
key signing from LDAP.

https://fedorahosted.org/freeipa/ticket/6015
---
 ipalib/constants.py |  1 +
 ipaserver/plugins/server.py | 29 +
 2 files changed, 30 insertions(+)

diff --git a/ipalib/constants.py b/ipalib/constants.py
index 0574bb3aa457dd79a6d64f6b8a6b57161d32da92..9b351e260f15211330521453b3ffcd41433a04bb 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -124,6 +124,7 @@ DEFAULT_CONFIG = (
 ('container_locations', DN(('cn', 'locations'), ('cn', 'etc'))),
 ('container_ca', DN(('cn', 'cas'), ('cn', 'ca'))),
 ('container_dnsservers', DN(('cn', 'servers'), ('cn', 'dns'))),
+('container_custodia', DN(('cn', 'custodia'), ('cn', 'ipa'), ('cn', 'etc'))),
 
 # Ports, hosts, and URIs:
 ('xmlrpc_uri', 'http://localhost:/ipa/xml'),
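Review bot: the new container_custodia constant is consumed only by the server_del clean-up in this patch; if the code that creates the Custodia key entries builds the cn=custodia,cn=ipa,cn=etc DN on its own, consider pointing it at this constant too, so the create and delete paths cannot drift apart. Like its neighbours, the DN is relative to the suffix and is joined with env.basedn at the call site, which is consistent with the rest of DEFAULT_CONFIG.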
diff --git a/ipaserver/plugins/server.py b/ipaserver/plugins/server.py
index b245dcf72a2f9f32f52ec9acf68d96c69d6169c5..d62c0232c5e33642e44a088dbfd9f10675d733f4 100644
--- a/ipaserver/plugins/server.py
+++ b/ipaserver/plugins/server.py
@@ -609,6 +609,32 @@ class server_del(LDAPDelete):
 message=_("Failed to remove server %(master)s from server "
   "list: %(err)s") % dict(master=master, err=e)))
 
+def _remove_server_custodia_keys(self, ldap, master):
+"""
+Delete all Custodia encryption and signing keys
+"""
+conn = self.Backend.ldap2
+env = self.api.env
+# search for memberPrincipal=*/fqdn@realm
+member_filter = ldap.make_filter_from_attr(
+'memberPrincipal', "/{}@{}".format(master, env.realm),
+exact=False, leading_wildcard=True, trailing_wildcard=False)
+custodia_subtree = DN(env.container_custodia, env.basedn)
+try:
+entries = conn.get_entries(custodia_subtree,
+   ldap.SCOPE_SUBTREE,
+   filter=member_filter)
+for entry in entries:
+conn.delete_entry(entry)
+except errors.NotFound:
+pass
+except Exception as e:
+self.add_message(
+messages.ServerRemovalWarning(
+message=_(
+"Failed to clean up Custodia keys for "
+"%(master)s: %(err)s") % dict(master=master, err=e)))
+
 def _remove_server_host_services(self, ldap, master):
 """
 delete server kerberos key and all its svc principals
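Review bot: _remove_server_custodia_keys takes an ldap argument but then also opens conn = self.Backend.ldap2 and uses both (ldap.make_filter_from_attr and ldap.SCOPE_SUBTREE on one, get_entries and delete_entry on the other); the sibling _remove_server_host_services(self, ldap, master) receives the same ldap parameter, so use ldap for the search and the deletes and drop conn, or add a comment saying why a separate backend handle is needed. Two smaller points: the single except Exception around the loop stops at the first failed delete_entry, so any remaining keys for that master stay behind behind one ServerRemovalWarning, and the filter depends on make_filter_from_attr escaping the "/{fqdn}@{realm}" value; with leading_wildcard=True and trailing_wildcard=False the "/" anchors the match, so keys of another host whose name merely ends in the same string are not selected, which is the behaviour you want.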
@@ -682,6 +708,9 @@ class server_del(LDAPDelete):
 # remove the references to master's ldap/http principals
 self._remove_server_principal_references(pkey)
 
+# remove Custodia encryption and signing keys
+self._remove_server_custodia_keys(ldap, pkey)
+
 # finally destroy all Kerberos principals
 self._remove_server_host_services(ldap, pkey)
 
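Review bot: worth a comment that this call cannot abort server-del: the helper turns every failure into a ServerRemovalWarning, so leftover Custodia keys surface only as a warning in the command output rather than as an error. The placement before _remove_server_host_services is right, since the helper only needs the fqdn string and does not depend on the Kerberos principals that the next call destroys.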
-- 
2.7.4



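The memberPrincipal search the patch adds, reworked as an audit a defender can run against the Custodia subtree (added example, not FreeIPA's code): it builds the same leading-wildcard filter and evaluates it locally over a constructed subtree, which is the check an admin would want on a 4.3 master that was removed without this clean-up. The escaping helper, the entry RDNs and the attribute layout of the sample are assumptions.

```python
"""Added example (not FreeIPA code): list Custodia key entries that still
reference a master, using the memberPrincipal match the patch's server_del
clean-up performs; handy on a release that never got the clean-up (4.3)."""
from typing import Dict, List

# RFC 4515 escaping for a filter value; assumed to be what FreeIPA's
# ldap.make_filter_from_attr() does for the patch's call.
_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}

def escape_filter_value(value: str) -> str:
    return ''.join(_ESCAPES.get(ch, ch) for ch in value)

def custodia_key_filter(master_fqdn: str, realm: str) -> str:
    """Same shape as the patch: leading wildcard, no trailing wildcard,
    value '/<fqdn>@<REALM>'. Usable directly as an ldapsearch filter."""
    return '(memberPrincipal=*/{}@{})'.format(
        escape_filter_value(master_fqdn), escape_filter_value(realm))

def matches(attrs: Dict[str, List[str]], master_fqdn: str, realm: str) -> bool:
    """Local evaluation of that filter. The '/' anchors the match, so a host
    whose name merely ends in the same string is not selected. Case-sensitive
    here; the server's matching rule for memberPrincipal may fold case."""
    suffix = '/{}@{}'.format(master_fqdn, realm)
    return any(v.endswith(suffix) for v in attrs.get('memberPrincipal', []))

def stale_custodia_entries(subtree: Dict[str, Dict[str, List[str]]],
                           master_fqdn: str, realm: str) -> List[str]:
    """DNs in the Custodia subtree still tied to master_fqdn."""
    return [dn for dn, attrs in subtree.items()
            if matches(attrs, master_fqdn, realm)]

# Constructed sample of the cn=custodia,cn=ipa,cn=etc subtree the patch's
# container_custodia constant points at; RDNs and values are illustrative.
CUSTODIA_BASE_DN = 'cn=custodia,cn=ipa,cn=etc,dc=example,dc=test'
SAMPLE_SUBTREE = {
    'cn=ipa1.example.test/sig,' + CUSTODIA_BASE_DN:
        {'memberPrincipal': ['host/ipa1.example.test@EXAMPLE.TEST']},
    'cn=ipa1.example.test/enc,' + CUSTODIA_BASE_DN:
        {'memberPrincipal': ['host/ipa1.example.test@EXAMPLE.TEST']},
    'cn=ipa2.example.test/enc,' + CUSTODIA_BASE_DN:
        {'memberPrincipal': ['host/ipa2.example.test@EXAMPLE.TEST']},
    # similar name, different host: must survive a clean-up of ipa1
    'cn=xipa1.example.test/enc,' + CUSTODIA_BASE_DN:
        {'memberPrincipal': ['host/xipa1.example.test@EXAMPLE.TEST']},
}

if __name__ == '__main__':
    print(custodia_key_filter('ipa1.example.test', 'EXAMPLE.TEST'))
    print(stale_custodia_entries(SAMPLE_SUBTREE, 'ipa1.example.test', 'EXAMPLE.TEST'))
```

An empty result from stale_custodia_entries after server-del is the expected state; any DN it returns is a key entry the clean-up (or its absence on 4.3) left behind.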