From edewata at redhat.com Fri Jun 1 00:39:19 2012
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 31 May 2012 19:39:19 -0500
Subject: [Freeipa-devel] [PATCH] 137 Instructions to generate cert use certutil instead of openssl
In-Reply-To: <4FACFA12.80402@redhat.com>
References: <4FACFA12.80402@redhat.com>
Message-ID: <4FC80F37.5050600@redhat.com>

On 5/11/2012 6:37 AM, Petr Vobornik wrote:
> Instructions to generate certificate were changed. Now they use certutil
> instead of openssl. In the example is also used option for specifying
> key size.
>
> https://fedorahosted.org/freeipa/ticket/2725

This is already pushed, but the text probably could be improved a little bit, something like this:

1. Create a certificate database or use an existing one. To create a new database:

   # certutil -N -d

   See certutil documentation for more info.

2. Create a CSR with subject "CN=,O=", for example:

   # certutil -R -d -a -g -s 'CN=test.example.com,O=EXAMPLE.COM'

3. Copy and paste the CSR (from "-----BEGIN NEW CERTIFICATE REQUEST-----" to "-----END NEW CERTIFICATE REQUEST-----") into the text area below:

Note, the '#' is meant to indicate the command prompt.

The tag was not quite visible, most likely people won't see the tooltips for key size, so it might be better to mention explicitly.

--
Endi S. Dewata
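As an added example (not part of Endi's or Petr's message and not FreeIPA code): whatever the user pastes in step 3 has to be located and checked before the form submits it. The JavaScript below, written for this archive, finds the block between the BEGIN/END markers in the pasted text, verifies that the body is base64 and decodes to a single DER SEQUENCE whose encoded length covers the whole body, and returns the normalised PEM. The accepted labels, the function names and the tiny constructed sample (a SEQUENCE holding one INTEGER, not a real request) are this example's own assumptions.

```javascript
// Added example, not FreeIPA code: locate and sanity-check a CSR that a user
// pasted into the Web UI text area (step 3 above) before it is submitted.
// Labels, function names and the sample below are this example's assumptions.

// certutil -R -a emits the "NEW CERTIFICATE REQUEST" label; openssl req uses
// "CERTIFICATE REQUEST". Accept both, preferring the first match found.
const CSR_LABELS = ['NEW CERTIFICATE REQUEST', 'CERTIFICATE REQUEST'];

// Total encoded length of the DER element that starts at offset 0,
// or -1 if the length octets are malformed.
function derLength(der) {
  if (der.length < 2) return -1;
  const first = der[1];
  if (first < 0x80) return 2 + first;          // short form: one length octet
  const n = first & 0x7f;                       // long form: n length octets follow
  if (n === 0 || n > 4 || der.length < 2 + n) return -1;
  let len = 0;
  for (let i = 0; i < n; i++) len = len * 256 + der[2 + i];
  return 2 + n + len;
}

function wrap(s, width) {
  const lines = [];
  for (let i = 0; i < s.length; i += width) lines.push(s.slice(i, i + width));
  return lines;
}

// Returns { label, der, pem } for the first well-formed request block in
// `text`, or null when nothing usable was pasted.
function extractCsr(text) {
  for (const label of CSR_LABELS) {
    const begin = `-----BEGIN ${label}-----`;
    const end = `-----END ${label}-----`;
    const start = text.indexOf(begin);
    if (start < 0) continue;
    const stop = text.indexOf(end, start + begin.length);
    if (stop < 0) return null;                  // header without its footer
    const body = text.slice(start + begin.length, stop).replace(/\s+/g, '');
    if (body.length === 0 || body.length % 4 !== 0 ||
        !/^[A-Za-z0-9+/]+={0,2}$/.test(body)) {
      return null;                              // body is not base64
    }
    const der = Buffer.from(body, 'base64');
    if (der.toString('base64') !== body) return null;   // non-canonical encoding
    // A PKCS#10 request is one DER SEQUENCE (tag 0x30) spanning the whole body.
    if (der[0] !== 0x30 || derLength(der) !== der.length) return null;
    return { label, der, pem: [begin, ...wrap(body, 64), end].join('\n') };
  }
  return null;
}

// Constructed sample: the DER bytes 30 03 02 01 05 (SEQUENCE { INTEGER 5 }),
// enough to exercise the checks; it is not a real certificate request.
const SAMPLE_PASTE = [
  'pasted along with some surrounding shell output',
  '-----BEGIN NEW CERTIFICATE REQUEST-----',
  'MAMCAQU=',
  '-----END NEW CERTIFICATE REQUEST-----',
  '',
].join('\n');

console.log(extractCsr(SAMPLE_PASTE));
```

In a form handler the same function would gate the submit button and show an error when it returns null, instead of letting the server reject the request later; it only checks the outer encoding, so the server still has to parse the request itself.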
From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 31 May 2012 19:40:29 -0500 Subject: [Freeipa-devel] [PATCHES] 138-145 Action panel for user password reset In-Reply-To: <4FBDF731.5090805@redhat.com> References: <4FBDF731.5090805@redhat.com> Message-ID: <4FC80F7D.7000009@redhat.com> ACK. Looks good. Some comments: 1. I suppose the select_action will always be the first action in any header_actions, and the action doesn't actually do anything. You might want to consider the '-- select action --' as part of the IPA.action_list_widget and add it automatically in init_options(), that way it doesn't have to be defined explicitly in all header_actions. 2. Ideally the Enable/Disable/Delete actions should only be enabled if the user has rights to do that, but this depends on ticket #2187. 3. I noticed that the second argument of observer's notify() is always the object that owns the observer. For example: that.observer = IPA.observer(); that.observer.notify([arg], that); Since the context doesn't change would it make sense to store the context in the observer itself? that.observer = IPA.observer({ context: that }); The arguments can also be passed as varargs: that.observer.notify(arg); that.observer.notify(arg1, arg2); On 5/24/2012 3:54 AM, Petr Vobornik wrote: > This bunch of patches implements new concept: action panel and it's > implementation in user page. > > First two patches refactorizes current action-list/control-buttons code > to prepare ground for following patches. Sorry for added review work > (could be done this way earlier). > > Patch descriptions: > > [PATCH] 138 Refactored action list and control buttons to use shared > list of actions > > This is a first step for implementing action panels which will also use > the shared list of actions. > > This effort changes the way how action list and control buttons are > defined. First all actions are defined on facet level - attribute > 'actions' in spec file. 
Implementation of action list widget is not > specified on facet level. It is left in facet header. A list of action > names used in action list can be now specified in facet spec in > 'header_actions' attribute. > Control buttons use similar concept. Facet by default is using > control_buttons_widget. Details and search facet are defining their own > default actions (refresh/add/remove/update/reset). Additional buttons > can be defined as array of action names on facet level in > control_buttons attribute. > > state_evaluators and state_listeners were united. They are called > state_evaluators but they uses state_listener concept, they are attached > to an event. For former state_evaluator the event is post_load. They are > defined in spec in state attribute. State object purpose is to aggregate > states from all state evaluators. It offers changed event to which can > other objects subscribe. It also has summary evaluator which evaluation > conditions. Summary evaluator creates summary status with human readable > description. It can be used by facet header. > > https://fedorahosted.org/freeipa/ticket/2248 > > > [PATCH] 139 Refactored entities to use changed actions concept > > It's continuation of previous refactoring effort. This part is changing > specs in entities to used changed concept. > > https://fedorahosted.org/freeipa/ticket/2248 > > [PATCH] 140 Action panel > > This patch implements action panel. Action panel is a box located in > facet details section which contains actions related to that > object/section. > > In spec file can be configured actions and title used in action panel. > Default title is 'Actions'. Actions are specified by their name. They > have to be defined in action collection in facet. > > https://fedorahosted.org/freeipa/ticket/2248 > > > [PATCH] 141 User password widget modified. 
> > Currently the user password is shown as follows in the details page: > Password: Reset Password > > This is inconsistent with the rest of the page because the 'Reset > Password' is an action, not the value of the password. > > Now password is shown as follows: > Password: ******* (if set) > Password: (if not set) > > Reset password link was removed as well the dialog for reset password > was removed from password widget. The dialog was moved to its own object > and can be now showed independently. An action for showing this dialog > should be created. > > https://fedorahosted.org/freeipa/ticket/2248 > > > [PATCH] 142 Action panel for user > > This patch adds action panel to user account section. The panel contain > an action for reseting user password. > > https://fedorahosted.org/freeipa/ticket/2248 > > [PATCH] 143 Added missing i18n in action list and action panel > > This patch adds strings to internal.py which were not translated in > action list/panel patches. > > https://fedorahosted.org/freeipa/ticket/2248 > > > [PATCH] 144 Add shadow to dialog > > This patch adds shadow to dialog used in Web UI. It looks cooler. > > https://fedorahosted.org/freeipa/ticket/2248 > > note: I didn't want to create new ticket just for this minor visual > enhancement. > > > [PATCH] 145 Enable reset password action according to attribute > perrmission > > This patch creates state_evaluator which creates permission states for > defined attribute. The state format is: attributeName_permissionChar. > > This evaluator is used for user_password attribute and it control > enabling/disabling of related action in user account action panel. > > https://fedorahosted.org/freeipa/ticket/2318 > > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -- Endi S. Dewata From edewata at redhat.com Fri Jun 1 00:40:38 2012 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 31 May 2012 19:40:38 -0500 Subject: [Freeipa-devel] [PATCH] 146 Added cancel button to service unprovision dialog In-Reply-To: <4FBDFB43.7050308@redhat.com> References: <4FBDFB43.7050308@redhat.com> Message-ID: <4FC80F86.3040904@redhat.com> On 5/24/2012 4:11 AM, Petr Vobornik wrote: > Service unprovision dialog was missing a cancel button. The button was > added. > > https://fedorahosted.org/freeipa/ticket/1811 ACK. -- Endi S. Dewata From edewata at redhat.com Fri Jun 1 00:44:39 2012 From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 31 May 2012 19:44:39 -0500 Subject: [Freeipa-devel] [PATCH] 148 Removal of illegal options in JSON-RPC calls In-Reply-To: <4FBF9DEB.8050905@redhat.com> References: <4FBF9DEB.8050905@redhat.com> Message-ID: <4FC81077.1090700@redhat.com> On 5/25/2012 9:57 AM, Petr Vobornik wrote: > Ticket https://fedorahosted.org/freeipa/ticket/2509 bans using non > existent options. If such option is supplied command ends with error. It > uncovered several cases in Web UI. This patch is fixing these cases. > > Automember, Self-service and Delegation don't support 'pkey-only', > 'size-limit' and 'rights' option. Pagination and rights check were > disabled for them. > > Automount map adder dialog was sending options for indirect map even if > chosen type was direct (when those for indirect was filled earlier), > also it was sending non-existant 'method' option. > > https://fedorahosted.org/freeipa/ticket/2760 > > Note for reviewing: #2509 is partially done in Petr Viktorin's patch > #35. At this time it has a small issue regarding > automountmap_add_indirect command. ACK. I suppose if those options are added later the UI can be updated easily. -- Endi S. Dewata From edewata at redhat.com Fri Jun 1 00:44:53 2012 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 31 May 2012 19:44:53 -0500 Subject: [Freeipa-devel] [PATCH] 149 Added links to netgroup member tables In-Reply-To: <4FBFB1FE.3070703@redhat.com> References: <4FBFB1FE.3070703@redhat.com> Message-ID: <4FC81085.4060406@redhat.com> On 5/25/2012 11:23 AM, Petr Vobornik wrote: > Tables with members in netgroup were missing links for navigation to > associated details pages. This patch adds these links. > > https://fedorahosted.org/freeipa/ticket/2670 ACK. -- Endi S. Dewata From edewata at redhat.com Fri Jun 1 00:46:29 2012 
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 31 May 2012 19:46:29 -0500
Subject: [Freeipa-devel] [PATCH] 150 Text widget's dirty state is changed on various input methods
In-Reply-To: <4FC36507.6000305@redhat.com>
References: <4FC36507.6000305@redhat.com>
Message-ID: <4FC810E5.3030204@redhat.com>

On 5/28/2012 6:44 AM, Petr Vobornik wrote:
> on_value_changed event in textboxes and textareas was raised only on
> keyboard input. If user used different input method such as paste or
> browser undo and redo functions widget's on_value_changed event wasn't
> raised and so dirty state wasn't changed as well.
>
> This patch adds listener to text's and textarea's 'input' event. Input
> is a HTML 5 event which is raises on user initiated action.
> Some of user initiated actions:
> * Cut
> * Copy
> * Paste
> * Undo
> * Redo
> * Clear
> * Typing (like keyup)
> * Form AutoFill
> * User-invoked spellcheck corrections
> * Input from Input Method Editor
>
> It should be supported by all recent versions of major browsers. IE
> doesn't support it up to version 8.
>
> Listener for 'keyup' event was left in implementation for backward
> compatibility with older browsers. This may cause firing on_value_change
> twice but so far it shouldn't cause troubles.

Yeah, if it becomes a problem later you might need to check the browser version and only listen to one of the events.

ACK.

--
Endi S. Dewata
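As an added example (not part of this message and not FreeIPA code): the patch keeps both the 'input' and the 'keyup' listener, so one keystroke can reach the widget twice. The JavaScript below, written for this archive, tracks the dirty state of a text widget from both events and suppresses the duplicate by comparing the field value with the last value it reported, which avoids the browser-version check mentioned above. FakeTextField, createTextWidget and the simulated edits are this example's own assumptions standing in for a DOM input and the Web UI widget.

```javascript
// Added example, not FreeIPA code: a text widget whose dirty state is updated
// from both the HTML5 'input' event and the legacy 'keyup' fallback.
// Listening to both means one keystroke can arrive as two events; comparing
// the field's value with the last value reported makes on_value_changed fire
// once per real change, without checking the browser version.
// FakeTextField stands in for a DOM <input> so the code runs under Node.

class FakeTextField {
  constructor(value) { this.value = value; this.listeners = {}; }
  addEventListener(type, fn) {
    (this.listeners[type] = this.listeners[type] || []).push(fn);
  }
  dispatch(type) {                      // what the browser does for us
    for (const fn of this.listeners[type] || []) fn({ type, target: this });
  }
}

function createTextWidget(field, onValueChanged) {
  const widget = {
    initial: field.value,   // value as loaded from the server
    lastSeen: field.value,  // last value already reported
    dirty: false,
    changes: 0,             // number of on_value_changed calls
  };
  const check = (event) => {
    const current = field.value;
    if (current === widget.lastSeen) return;    // duplicate (keyup after input)
    widget.lastSeen = current;
    widget.dirty = current !== widget.initial;
    widget.changes += 1;
    onValueChanged(current, event.type);
  };
  field.addEventListener('input', check);   // paste, undo/redo, autofill, IME ...
  field.addEventListener('keyup', check);   // browsers without 'input' (IE up to 8)
  return widget;
}

// Drive the widget the way a user would; returns what a test can inspect.
function simulate() {
  const seen = [];
  const field = new FakeTextField('alice');
  const widget = createTextWidget(field, (value, type) => seen.push(`${type}:${value}`));
  field.value = 'alicia'; field.dispatch('input'); field.dispatch('keyup');  // one keystroke, two events
  field.value = 'bob';    field.dispatch('input');                           // paste: only 'input' fires
  field.value = 'alice';  field.dispatch('input');                           // undo back to the original
  field.dispatch('keyup');                                                   // arrow key: value unchanged
  return { seen, dirty: widget.dirty, changes: widget.changes };
}

console.log(simulate());
```

The last simulated step shows why the comparison is against the initial value and not just "something changed": undoing back to the loaded value leaves the widget clean, which is what a Reset button would expect.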
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 01 Jun 2012 07:53:14 +0200 Subject: [Freeipa-devel] [PATCH] 269 permission-find missed some results with --pkey-only option In-Reply-To: <4FC79187.2000607@redhat.com> References: <1338356743.3112.3.camel@priserak> <4FC6160B.3030405@redhat.com> <1338460924.2956.7.camel@balmora.brq.redhat.com> <4FC79187.2000607@redhat.com> Message-ID: <1338529994.27740.1.camel@balmora.brq.redhat.com> On Thu, 2012-05-31 at 17:43 +0200, Ondrej Hamada wrote: > On 05/31/2012 12:42 PM, Martin Kosek wrote: > > On Wed, 2012-05-30 at 14:43 +0200, Ondrej Hamada wrote: > >> On 05/30/2012 07:45 AM, Martin Kosek wrote: > >>> When permission-find post callback detected a --pkey-only option, > >>> it just terminated. However, this way the results that could have > >>> been added from aci_find matches were not included. > >>> > >>> Fix the post callback to go through the entire matching process. > >>> Also make sure that DNS permissions have a correct objectclass > >>> (ipapermission), otherwise such objects are not matched by the > >>> permission LDAP search. > >>> > >>> https://fedorahosted.org/freeipa/ticket/2658 > >>> > >>> > >>> > >>> _______________________________________________ > >>> Freeipa-devel mailing list > >>> Freeipa-devel at redhat.com > >>> https://www.redhat.com/mailman/listinfo/freeipa-devel > >> Patch needs rebase > >> > >> It does not apply because of changes made to > >> ipalib/plugins/permission.py (by Rob's patch #1018) > >> > > Rebased version attached. > > > > Martin > ACK > Thanks. I just had to fix indentation of this block: + if truncated: + # size/time limit met, no need to search acis + return truncated It should be executed always, regardless to the pkey_only option value. Pushed to master. Martin From mkosek at redhat.com Fri Jun 1 08:46:33 2012 
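Review bot: the three `+` lines lost their indentation in the archive, so whether `if truncated:` sits at the post callback's top level or nested under the `pkey_only` branch cannot be confirmed from the quote alone; as the fix requires the check to run regardless of `pkey_only`, it belongs at the same indentation as the `pkey_only` test, and because it returns before the aci_find matching, a `truncated` result deliberately carries only the LDAP matches, which callers should treat as partial.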
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 01 Jun 2012 10:46:33 +0200 Subject: [Freeipa-devel] [PATCH] 262-265 Enable psearch by default In-Reply-To: <1337958871.5899.32.camel@balmora.brq.redhat.com> References: <1337950210.5899.25.camel@balmora.brq.redhat.com> <4FBF882D.9000909@redhat.com> <1337958871.5899.32.camel@balmora.brq.redhat.com> Message-ID: <1338540393.27740.17.camel@balmora.brq.redhat.com> On Fri, 2012-05-25 at 17:14 +0200, Martin Kosek wrote: > On Fri, 2012-05-25 at 09:25 -0400, Rob Crittenden wrote: > > Martin Kosek wrote: > > > This set of patches handles enabling psearch both for new installations > > > (patch 263) and upgraded IPA servers. > > > > > > For upgraded IPA servers I needed to make sure that psearch is not > > > enabled for every IPA package update, but at most once, when a user > > > updates to IPA with this patch for the first time (patch 264). This is > > > enabled by a new State store located in /var/lib/ipa/sysupgrade (patch > > > 262). > > > > > > I also improved the way we handled SELinux sebool updates (patch 265), > > > this can make ipa-upgradeconfig to finish in 0.4 seconds and not in 150 > > > seconds as previously. Details are in the patches. > > > > > > Martin > > > > 262: > > The sysupgrade directory isn't created by the RPM install: > > > > mkdir -p %{buildroot}/%{_localstatedir}/cache/ipa/sysupgrade > > Fixed. > > > > > 263: > > > > It looks like zone_refresh is simply disabled in bindinstance.py, why > > not remove it completely? > > zone_refresh is used by bindinstance.py. ipa-server-install or > ipa-dns-install may be configured to use zone refresh instead of > persistent search mechanism to update the zones (e.g. --zone-refresh > 30). > > > > > 264: > > > > Small nit, worth doing case-insensitive compare of psearch enabled status? > > Petr2 told me that arg value for boolean configuration option is > case-insensitive, so we can do that - fixed. 
> >
> > We're updating named.conf in place so I don't know that we need to reset
> > permissions. It at least shouldn't get modified by the write.
>
> Right, I was being too defensive. I removed the check.
>
> I made the upgrade more robust, now it won't crash for example when
> named.conf does not exist. I also made sure the upgrade script works
> correctly when the IPA is configured without DNS.
>
> Martin

I rebased the patches for current master. I also slightly reworked patch 265, the error message printed in case of an unsuccessful setsebool was not printed right.

Martin

Attachments (patch files, scrubbed from the archive):
* freeipa-mkosek-262-3-add-sysupgrade-state-file.patch (text/x-patch, 9251 bytes)
* freeipa-mkosek-263-3-enable-persistent-search-by-default.patch (text/x-patch, 13484 bytes)
* freeipa-mkosek-264-3-enable-psearch-on-upgrades.patch (text/x-patch, 11512 bytes)
* freeipa-mkosek-265-3-only-set-sebools-when-necessary.patch (text/x-patch, 5725 bytes)

From pviktori at redhat.com Fri Jun 1 10:14:04 2012
From: pviktori at redhat.com (Petr Viktorin)
Date: Fri, 01 Jun 2012 12:14:04 +0200
Subject: [Freeipa-devel] [PATCH] 267 Allow relative DNS name in NS validator
In-Reply-To: <1338476315.15462.1.camel@balmora.brq.redhat.com>
References: <1338297105.30643.54.camel@balmora.brq.redhat.com> <4FC75933.9040008@redhat.com> <1338476315.15462.1.camel@balmora.brq.redhat.com>
Message-ID: <4FC895EC.7070406@redhat.com>

On 05/31/2012 04:58 PM, Martin Kosek wrote:
> On Thu, 2012-05-31 at 13:42 +0200, Petr Viktorin wrote:
>> On 05/29/2012 03:11 PM, Martin Kosek wrote:
>>> Precallback validator was failing when a zone-relative name was
>>> used as a NS record (for example record "ns" in a zone "example.com").
>>> However, this is valid in BIND and we should allow it as well.
>>>
>>> Imports in dns module had to be switched to absolute imports
>>> (available from Python 2.5) to deal with a conflict of IPA dns
>>> module and dnspython module.
>>>
>>> https://fedorahosted.org/freeipa/ticket/2630
>>>
>>
>> This works fine, but it breaks a test:
>>
>> ======================================================================
>> FAIL: test_dns[48]: dnsrecord_add: Try to add unresolvable NS record to
>> u'testdnsres' using dnsrecord_add
>> ----------------------------------------------------------------------
>> [...]
>>
>> expected = u"Nameserver 'does.not.exist' does not have a
>> corresponding A/AAAA record"
>> got = u"Nameserver 'does.not.exist.dnszone.test.' does not have a
>> corresponding A/AAAA record"
>> path = ()
>>
>
> I updated the tests to use an absolute DNS record. All DNS tests should
> now succeed.
>
> Martin

It works fine now, ACK.

It would be nice to also test that the zone is appended, though.

--
Petr³

From mkosek at redhat.com Fri Jun 1 10:33:18 2012
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 01 Jun 2012 12:33:18 +0200 Subject: [Freeipa-devel] [PATCH] 267 Allow relative DNS name in NS validator In-Reply-To: <4FC895EC.7070406@redhat.com> References: <1338297105.30643.54.camel@balmora.brq.redhat.com> <4FC75933.9040008@redhat.com> <1338476315.15462.1.camel@balmora.brq.redhat.com> <4FC895EC.7070406@redhat.com> Message-ID: <1338546798.27740.18.camel@balmora.brq.redhat.com> On Fri, 2012-06-01 at 12:14 +0200, Petr Viktorin wrote: > On 05/31/2012 04:58 PM, Martin Kosek wrote: > > On Thu, 2012-05-31 at 13:42 +0200, Petr Viktorin wrote: > >> On 05/29/2012 03:11 PM, Martin Kosek wrote: > >>> Precallback validator was failing when a zone-relative name was > >>> used as a NS record (for example record "ns" in a zone "example.com"). > >>> However, this is valid in BIND and we should allow it as well. > >>> > >>> Imports in dns module had to be switched to absolute imports > >>> (available from Python 2.5) to deal with a conflict of IPA dns > >>> module and dnspython module. > >>> > >>> https://fedorahosted.org/freeipa/ticket/2630 > >>> > >> > >> This works fine, but it breaks a test: > >> > >> ====================================================================== > >> FAIL: test_dns[48]: dnsrecord_add: Try to add unresolvable NS record to > >> u'testdnsres' using dnsrecord_add > >> ---------------------------------------------------------------------- > >> [...] > >> > >> expected = u"Nameserver 'does.not.exist' does not have a > >> corresponding A/AAAA record" > >> got = u"Nameserver 'does.not.exist.dnszone.test.' does not have a > >> corresponding A/AAAA record" > >> path = () > >> > > > > I updated the tests to use an absolute DNS record. All DNS tests should > > now succeed. > > > > Martin > > It works fine now, ACK. > > It would be nice to also test that the zone is appended, though. > Right, I added a test case also for a check of relative NS record and the respective error message. Pushed to master. 
Martin
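As an added example (not part of this thread and not FreeIPA code): the test output quoted above shows the behaviour the patch introduces, a zone-relative NS target being qualified with the zone before the A/AAAA check runs and before the error message is built. The JavaScript below, written for this archive, carries that through for both relative and absolute targets; the record table is constructed here, whereas the real validator resolves names over DNS, and absoluteName and validateNsTarget are this example's names.

```javascript
// Added example, not FreeIPA code: the NS-target check behind the test output
// quoted above. A zone-relative name ("ns" in zone "example.com") is first
// qualified with the zone, then the A/AAAA lookup and the error text use the
// absolute name. The record table is constructed here; the real validator
// resolves names over DNS.

function absoluteName(name, zone) {
  const zoneFqdn = zone.endsWith('.') ? zone : zone + '.';
  if (name.endsWith('.')) return name;        // already absolute, leave untouched
  return `${name}.${zoneFqdn}`;               // relative: BIND appends the zone
}

// Returns null when the target has an address record, otherwise the error
// message in the same form as the one quoted from the test.
function validateNsTarget(name, zone, records) {
  const fqdn = absoluteName(name, zone);
  const types = records[fqdn] || [];
  if (!types.includes('A') && !types.includes('AAAA')) {
    return `Nameserver '${fqdn}' does not have a corresponding A/AAAA record`;
  }
  return null;
}

// Constructed records for the names used in the thread.
const RECORDS = {
  'ns.example.com.': ['A'],
  'ns6.example.com.': ['AAAA'],
  'dnszone.test.': ['SOA', 'NS'],   // zone apex only, no address record
};

console.log(validateNsTarget('ns', 'example.com', RECORDS));
console.log(validateNsTarget('does.not.exist', 'dnszone.test', RECORDS));
```

A test for the "zone is appended" case is then just the second call: the message must name the qualified target, which is exactly what the old test assertion did not expect.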
From: simo at redhat.com (Simo Sorce)
Date: Fri, 01 Jun 2012 09:24:24 -0400
Subject: [Freeipa-devel] About private ssh host keys in IPA
Message-ID: <1338557064.8230.120.camel@willson.li.ssimo.org>

This is about Ticket 1978 (originally rhbz746036).

This RFE asks for storing private SSH Host Keys in FreeIPA.

We have been triaging this ticket today, and I have to admit I am biased toward simply closing down the ticket.

However we want to reach out to the community and interested parties that opened the ticket to understand if there are reasons strong enough to consider implementing it.

The reason I am against this is that in FreeIPA we already provide public Key integration. This means that when the host is re-installed new keys are loaded in IPA and clients do not get the obnoxious warning message that keys have changed, because enrolled clients (with the appropriate integration bits) trust FreeIPA so they do not need to ask the user to confirm on a key change.

Storing Private Keys poses various liability issues, in order to be able to restore keys you need to give access to those keys to an admin, as there is no other way to authenticate just the host itself (it was just blown away and reinstalled).
This means any admin account that can perform reinstalls needs to have access to *read* private keys out of LDAP, which means that
A) The central tenet of Asymmetric authentication is that private keys are 'private'.
B) keys are readable from LDAP to some accounts, any slight error in ACIs would risk exposing all private keys.
C) most probably low level (junior admin) accounts will have read access to pretty much all private keys, because those admins are the ones tasked with re-installs. However those admins are also the ones less trusted, yet by giving them access to private keys they are enabled to perform MITM attacks against pretty much any of the machines managed by FreeIPA.

For these reasons I am against storing SSH Private Keys.
I would like to know what are the reasons to instead implement this feature and the security considerations around those reasons.
From my point of view the balance between feature vs security issues trips in disfavor of implementing the feature but I am willing to be convinced otherwise if there are good reasons to, and security issues can be properly addressed with some clever scheme.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From sgallagh at redhat.com Fri Jun 1 13:34:38 2012
From: sgallagh at redhat.com (Stephen Gallagher) Date: Fri, 01 Jun 2012 09:34:38 -0400 Subject: [Freeipa-devel] About private ssh host keys in IPA In-Reply-To: <1338557064.8230.120.camel@willson.li.ssimo.org> References: <1338557064.8230.120.camel@willson.li.ssimo.org> Message-ID: <1338557678.2665.7.camel@sgallagh520.sgallagh.bos.redhat.com> On Fri, 2012-06-01 at 09:24 -0400, Simo Sorce wrote: > This is about Ticket 1978 (originally rhbz746036). > > This RFE asks for storing private SSH Host Keys in FreeIPA. > > We have been triaging this ticket today, and I have to admit I am biased > toward simply closing down the ticket. > > However we want to reach out community and interested parties that > opened the tick to understand if there are reasons strong enough to > consider implementing it. > > The reason I am against this is that in FreeIPA we already provide > public Key integration. This means that when the host is re-installed > new keys are loaded in IPA and clients do not get the obnoxious warning > message that keys have changed, because enrolled clients (with the > appropriate integration bits) trust FreeIPA so they do not need to ask > the user to confirm on a key change. > > Storing Private Keys poses various liability issues, in order to be able > to restore keys you need to give access to those keys to an admin, as > there is no other way to authenticate just the host itself (it was just > blown away and reinstalled). > This means any admin account that can perform reinstalls need to have > access to *read* private keys out of LDAP, which means that > A) The central tenet of Asymetric authentication is that private keys > are 'private'. > B) keys are readable from LDAP to some accounts, any slight error in > ACIs would risk exposing all private keys. > C) most probably low level (junior admin) accounts will have read access > to pretty much all private keys, because those admins are the one tasked > with re-installs. 
However those admins are also the ones less trusted,
> yet by giving them access to private keys they are enabled to perform
> MITM attacks against pretty much any of the machines managed by FreeIPA.
>
> For these reasons I am against storing SSH Private Keys. I would like to
> know what are the reasons to instead implement this feature and the
> security considerations around those reasons.
> From my point of view the balance between feature vs security issues
> trips in disfavor of implementing the feature but I am willing to be
> convinced otherwise if there are good reasons to, and security issues
> can be properly addressed with some clever scheme.

For the record, I am also in favor of just closing the ticket. It's much safer and wiser to require re-provisioning of the public key in the FreeIPA server than it is to try storing the private key. I suspect that when we had the original conversation on IRC, it was before we had decided that FreeIPA would be managing public keys. I am firmly against ever storing host private keys in a central location.

From JR.Aquino at citrix.com Fri Jun 1 13:40:00 2012
From: JR.Aquino at citrix.com (JR Aquino) Date: Fri, 1 Jun 2012 13:40:00 +0000 Subject: [Freeipa-devel] About private ssh host keys in IPA In-Reply-To: <1338557678.2665.7.camel@sgallagh520.sgallagh.bos.redhat.com> References: <1338557064.8230.120.camel@willson.li.ssimo.org>, <1338557678.2665.7.camel@sgallagh520.sgallagh.bos.redhat.com> Message-ID: <8C3325B2-B5A3-4CEC-B241-AE3D164EC0FF@citrix.com> On Jun 1, 2012, at 6:35 AM, "Stephen Gallagher" wrote: > On Fri, 2012-06-01 at 09:24 -0400, Simo Sorce wrote: >> This is about Ticket 1978 (originally rhbz746036). >> >> This RFE asks for storing private SSH Host Keys in FreeIPA. >> >> We have been triaging this ticket today, and I have to admit I am biased >> toward simply closing down the ticket. >> >> However we want to reach out community and interested parties that >> opened the tick to understand if there are reasons strong enough to >> consider implementing it. >> >> The reason I am against this is that in FreeIPA we already provide >> public Key integration. This means that when the host is re-installed >> new keys are loaded in IPA and clients do not get the obnoxious warning >> message that keys have changed, because enrolled clients (with the >> appropriate integration bits) trust FreeIPA so they do not need to ask >> the user to confirm on a key change. >> >> Storing Private Keys poses various liability issues, in order to be able >> to restore keys you need to give access to those keys to an admin, as >> there is no other way to authenticate just the host itself (it was just >> blown away and reinstalled). >> This means any admin account that can perform reinstalls need to have >> access to *read* private keys out of LDAP, which means that >> A) The central tenet of Asymetric authentication is that private keys >> are 'private'. >> B) keys are readable from LDAP to some accounts, any slight error in >> ACIs would risk exposing all private keys. 
>> C) most probably low level (junior admin) accounts will have read access
>> to pretty much all private keys, because those admins are the one tasked
>> with re-installs. However those admins are also the ones less trusted,
>> yet by giving them access to private keys they are enabled to perform
>> MITM attacks against pretty much any of the machines managed by FreeIPA.
>>
>> For these reasons I am against storing SSH Private Keys. I would like to
>> know what are the reasons to instead implement this feature and the
>> security considerations around those reasons.
>> From my point of view the balance between feature vs security issues
>> trips in disfavor of implementing the feature but I am willing to be
>> convinced otherwise if there are good reasons to, and security issues
>> can be properly addressed with some clever scheme.
>
>
> For the record, I am also in favor of just closing the ticket. It's much
> safer and wiser to require re-provisioning of the public key in the
> FreeIPA server than it is to try storing the private key. I suspect that
> when we had the original conversation on IRC, it was before we had
> decided that FreeIPA would be managing public keys. I am firmly against
> ever storing host private keys in a central location.

+1

I am also for the public and against the private.

From rcritten at redhat.com Fri Jun 1 14:35:33 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 01 Jun 2012 10:35:33 -0400
Subject: [Freeipa-devel] more HBAC service groups?
Message-ID: <4FC8D335.9080902@redhat.com>

We have an open ticket, https://fedorahosted.org/freeipa/ticket/1712, requesting to add more HBAC services groups by default to IPA.

We're looking for suggestions on groups of services to add. We currently provide just two groups, ftp and sudo.

thanks

rob

From rcritten at redhat.com Fri Jun 1 17:33:31 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 01 Jun 2012 13:33:31 -0400
Subject: [Freeipa-devel] [PATCH] 0055 Add more automount tests
In-Reply-To: <4FBFA7CF.4050407@redhat.com>
References: <4FBFA7CF.4050407@redhat.com>
Message-ID: <4FC8FCEB.1080707@redhat.com>

Petr Viktorin wrote:
> Martin and Petr Voborník found an automount plugin bug in my patch 50. I
> checked the automount test coverage and found that it isn't that great –
> not only automount-key-add-indirect with the parentmap flag, but the
> import and tofiles commands weren't tested at all.
>
> This patch makes the situation a bit better.

ACK, pushed to master.

rob

From jfenal at gmail.com Fri Jun 1 19:28:36 2012
From: jfenal at gmail.com (Jérôme Fenal)
Date: Fri, 1 Jun 2012 21:28:36 +0200
Subject: [Freeipa-devel] About private ssh host keys in IPA
In-Reply-To: <8C3325B2-B5A3-4CEC-B241-AE3D164EC0FF@citrix.com>
References: <1338557064.8230.120.camel@willson.li.ssimo.org> <1338557678.2665.7.camel@sgallagh520.sgallagh.bos.redhat.com> <8C3325B2-B5A3-4CEC-B241-AE3D164EC0FF@citrix.com>
Message-ID:

2012/6/1 JR Aquino
>
>
> On Jun 1, 2012, at 6:35 AM, "Stephen Gallagher"
> wrote:
>
> > On Fri, 2012-06-01 at 09:24 -0400, Simo Sorce wrote:
> >> This is about Ticket 1978 (originally rhbz746036).
> >>
> >> This RFE asks for storing private SSH Host Keys in FreeIPA.
> >>
> >> We have been triaging this ticket today, and I have to admit I am biased
> >> toward simply closing down the ticket.
> >>
> >> However we want to reach out community and interested parties that
> >> opened the tick to understand if there are reasons strong enough to
> >> consider implementing it.
> >>
> >> The reason I am against this is that in FreeIPA we already provide
> >> public Key integration. This means that when the host is re-installed
> >> new keys are loaded in IPA and clients do not get the obnoxious warning
> >> message that keys have changed, because enrolled clients (with the
> >> appropriate integration bits) trust FreeIPA so they do not need to ask
> >> the user to confirm on a key change.
> >>
> >> Storing Private Keys poses various liability issues, in order to be able
> >> to restore keys you need to give access to those keys to an admin, as
> >> there is no other way to authenticate just the host itself (it was just
> >> blown away and reinstalled).
> >> This means any admin account that can perform reinstalls need to have
> >> access to *read* private keys out of LDAP, which means that
> >> A) The central tenet of Asymetric authentication is that private keys
> >> are 'private'.
> >> B) keys are readable from LDAP to some accounts, any slight error in > >> ACIs would risk exposing all private keys. > >> C) most probably low level (junior admin) accounts will have read access > >> to pretty much all private keys, because those admins are the one tasked > >> with re-installs. However those admins are also the ones less trusted, > >> yet by giving them access to private keys they are enabled to perform > >> MITM attacks against pretty much any of the machines managed by FreeIPA. > >> > >> For these reasons I am against storing SSH Private Keys. I would like to > >> know what are the reasons to instead implement this feature and the > >> security considerations around those reasons. > >>> From my point of view the balance between feature vs security issues > >> trips in disfavor of implementing the feature but I am willing to be > >> convinced otherwise if there are good reasons to, and security issues > >> can be properly addressed with some clever scheme. > > > > > > For the record, I am also in favor of just closing the ticket. It's much > > safer and wiser to require re-provisioning of the public key in the > > FreeIPA server than it is to try storing the private key. I suspect that > > when we had the original conversation on IRC, it was before we had > > decided that FreeIPA would be managing public keys. I am firmly against > > ever storing host private keys in a central location. > > +1 > > I am also for the public and against the private. > +1 -- Jérôme Fenal - jfenal AT gmail.com - http://fenal.org/ Paris.pm - http://paris.mongueurs.net/ From pvoborni at redhat.com Mon Jun 4 09:04:02 2012
From: pvoborni at redhat.com (Petr Vobornik) Date: Mon, 04 Jun 2012 11:04:02 +0200 Subject: [Freeipa-devel] [PATCHES] 138-145 Action panel for user password reset In-Reply-To: <4FC80F7D.7000009@redhat.com> References: <4FBDF731.5090805@redhat.com> <4FC80F7D.7000009@redhat.com> Message-ID: <4FCC7A02.9040608@redhat.com> On 06/01/2012 02:40 AM, Endi Sukma Dewata wrote: > ACK. Looks good. Pushed to master. > > Some comments: > > 1. I suppose the select_action will always be the first action in any > header_actions, and the action doesn't actually do anything. You might > want to consider the '-- select action --' as part of the > IPA.action_list_widget and add it automatically in init_options(), that > way it doesn't have to be defined explicitly in all header_actions. Can be. If I do it, I will make it configurable, with the default being to use '-- select action --'. > > 2. Ideally the Enable/Disable/Delete actions should only be enabled if > the user has rights to do that, but this depends on ticket #2187. Yes. Also, I think enable and disable don't need #2187. > > 3. I noticed that the second argument of observer's notify() is always > the object that owns the observer. For example: > > that.observer = IPA.observer(); > that.observer.notify([arg], that); > > Since the context doesn't change would it make sense to store the > context in the observer itself? > > that.observer = IPA.observer({ context: that }); > > The arguments can also be passed as varargs: > > that.observer.notify(arg); > that.observer.notify(arg1, arg2); I like this idea. It simplifies things. > > > On 5/24/2012 3:54 AM, Petr Vobornik wrote: >> This bunch of patches implements a new concept: action panel and its >> implementation in the user page. >> >> The first two patches refactor the current action-list/control-buttons code >> to prepare the ground for the following patches. Sorry for the added review work >> (could have been done this way earlier). 
>> >> Patch descriptions: >> >> [PATCH] 138 Refactored action list and control buttons to use shared >> list of actions >> >> This is a first step for implementing action panels which will also use >> the shared list of actions. >> >> This effort changes the way action list and control buttons are >> defined. First, all actions are defined on facet level - attribute >> 'actions' in spec file. Implementation of action list widget is not >> specified on facet level. It is left in facet header. A list of action >> names used in action list can now be specified in facet spec in >> 'header_actions' attribute. >> Control buttons use a similar concept. Facet by default is using >> control_buttons_widget. Details and search facet define their own >> default actions (refresh/add/remove/update/reset). Additional buttons >> can be defined as an array of action names on facet level in the >> control_buttons attribute. >> >> state_evaluators and state_listeners were united. They are called >> state_evaluators but they use the state_listener concept: they are attached >> to an event. For the former state_evaluator the event is post_load. They are >> defined in spec in the state attribute. The State object's purpose is to aggregate >> states from all state evaluators. It offers a changed event to which >> other objects can subscribe. It also has a summary evaluator which evaluates >> conditions. Summary evaluator creates a summary status with human readable >> description. It can be used by facet header. >> >> https://fedorahosted.org/freeipa/ticket/2248 >> >> >> [PATCH] 139 Refactored entities to use changed actions concept >> >> It's a continuation of the previous refactoring effort. This part changes >> specs in entities to use the changed concept. >> >> https://fedorahosted.org/freeipa/ticket/2248 >> >> [PATCH] 140 Action panel >> >> This patch implements action panel. Action panel is a box located in >> facet details section which contains actions related to that >> object/section. 
>> >> Actions and the title used in the action panel can be configured in the spec file. >> Default title is 'Actions'. Actions are specified by their name. They >> have to be defined in the action collection in the facet. >> >> https://fedorahosted.org/freeipa/ticket/2248 >> >> >> [PATCH] 141 User password widget modified. >> >> Currently the user password is shown as follows in the details page: >> Password: Reset Password >> >> This is inconsistent with the rest of the page because the 'Reset >> Password' is an action, not the value of the password. >> >> Now password is shown as follows: >> Password: ******* (if set) >> Password: (if not set) >> >> Reset password link was removed, as well as the dialog for reset password >> from password widget. The dialog was moved to its own object >> and can now be shown independently. An action for showing this dialog >> should be created. >> >> https://fedorahosted.org/freeipa/ticket/2248 >> >> >> [PATCH] 142 Action panel for user >> >> This patch adds action panel to user account section. The panel contains >> an action for resetting user password. >> >> https://fedorahosted.org/freeipa/ticket/2248 >> >> [PATCH] 143 Added missing i18n in action list and action panel >> >> This patch adds strings to internal.py which were not translated in >> action list/panel patches. >> >> https://fedorahosted.org/freeipa/ticket/2248 >> >> >> [PATCH] 144 Add shadow to dialog >> >> This patch adds shadow to dialog used in Web UI. It looks cooler. >> >> https://fedorahosted.org/freeipa/ticket/2248 >> >> note: I didn't want to create new ticket just for this minor visual >> enhancement. >> >> >> [PATCH] 145 Enable reset password action according to attribute >> permission >> >> This patch creates state_evaluator which creates permission states for >> defined attribute. The state format is: attributeName_permissionChar. 
>> >> This evaluator is used for user_password attribute and it controls >> enabling/disabling of related action in user account action panel. >> >> https://fedorahosted.org/freeipa/ticket/2318 >> >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > > -- Petr Vobornik From pvoborni at redhat.com Mon Jun 4 10:05:02 2012
From: pvoborni at redhat.com (Petr Vobornik) Date: Mon, 04 Jun 2012 12:05:02 +0200 Subject: [Freeipa-devel] [PATCH] 150 Text widget's dirty state is changed on various input methods In-Reply-To: <4FC810E5.3030204@redhat.com> References: <4FC36507.6000305@redhat.com> <4FC810E5.3030204@redhat.com> Message-ID: <4FCC884E.4070308@redhat.com> On 06/01/2012 02:46 AM, Endi Sukma Dewata wrote: > On 5/28/2012 6:44 AM, Petr Vobornik wrote: >> on_value_changed event in textboxes and textareas was raised only on >> keyboard input. If user used different input method such as paste or >> browser undo and redo functions widget's on_value_changed event wasn't >> raised and so dirty state wasn't changed as well. >> >> This patch adds listener to text's and textarea's 'input' event. Input >> is an HTML 5 event which is raised on user-initiated action. >> Some of user initiated actions : >> * Cut >> * Copy >> * Paste >> * Undo >> * Redo >> * Clear >> * Typing (like keyup) >> * Form AutoFill >> * User-invoked spellcheck corrections >> * Input from Input Method Editor >> >> It should be supported by all recent versions of major browsers. IE >> doesn't support it up to version 8. >> >> Listener for 'keyup' event was left in implementation for backward >> compatibility with older browsers. This may cause firing on_value_change >> twice but so far it shouldn't cause troubles. > > Yeah, if it becomes a problem later you might need to check the browser > version and only listen to one of the events. > > ACK. > Pushed to master. -- Petr Vobornik From pvoborni at redhat.com Mon Jun 4 10:05:10 2012
From: pvoborni at redhat.com (Petr Vobornik) Date: Mon, 04 Jun 2012 12:05:10 +0200 Subject: [Freeipa-devel] [PATCH] 149 Added links to netgroup member tables In-Reply-To: <4FC81085.4060406@redhat.com> References: <4FBFB1FE.3070703@redhat.com> <4FC81085.4060406@redhat.com> Message-ID: <4FCC8856.5040501@redhat.com> On 06/01/2012 02:44 AM, Endi Sukma Dewata wrote: > On 5/25/2012 11:23 AM, Petr Vobornik wrote: >> Tables with members in netgroup were missing links for navigation to >> associated details pages. This patch adds these links. >> >> https://fedorahosted.org/freeipa/ticket/2670 > > ACK. > Pushed to master. -- Petr Vobornik From pvoborni at redhat.com Mon Jun 4 10:05:25 2012 
From: pvoborni at redhat.com (Petr Vobornik) Date: Mon, 04 Jun 2012 12:05:25 +0200 Subject: [Freeipa-devel] [PATCH] 148 Removal of illegal options in JSON-RPC calls In-Reply-To: <4FC81077.1090700@redhat.com> References: <4FBF9DEB.8050905@redhat.com> <4FC81077.1090700@redhat.com> Message-ID: <4FCC8865.4050701@redhat.com> On 06/01/2012 02:44 AM, Endi Sukma Dewata wrote: > On 5/25/2012 9:57 AM, Petr Vobornik wrote: >> Ticket https://fedorahosted.org/freeipa/ticket/2509 bans using non-existent >> options. If such an option is supplied the command ends with an error. It >> uncovered several cases in Web UI. This patch fixes these cases. >> >> Automember, Self-service and Delegation don't support the 'pkey-only', >> 'size-limit' and 'rights' options. Pagination and rights check were >> disabled for them. >> >> Automount map adder dialog was sending options for indirect map even if >> the chosen type was direct (when those for indirect were filled earlier), >> also it was sending the non-existent 'method' option. >> >> https://fedorahosted.org/freeipa/ticket/2760 >> >> Note for reviewing: #2509 is partially done in Petr Viktorin's patch >> #35. At this time it has a small issue regarding the >> automountmap_add_indirect command. > > ACK. I suppose if those options are added later the UI can be updated > easily. > Pushed to master. -- Petr Vobornik From pvoborni at redhat.com Mon Jun 4 10:05:34 2012
From: pvoborni at redhat.com (Petr Vobornik) Date: Mon, 04 Jun 2012 12:05:34 +0200 Subject: [Freeipa-devel] [PATCH] 146 Added cancel button to service unprovision dialog In-Reply-To: <4FC80F86.3040904@redhat.com> References: <4FBDFB43.7050308@redhat.com> <4FC80F86.3040904@redhat.com> Message-ID: <4FCC886E.6020500@redhat.com> On 06/01/2012 02:40 AM, Endi Sukma Dewata wrote: > On 5/24/2012 4:11 AM, Petr Vobornik wrote: >> Service unprovision dialog was missing a cancel button. The button was >> added. >> >> https://fedorahosted.org/freeipa/ticket/1811 > > ACK. > Pushed to master. -- Petr Vobornik From pvoborni at redhat.com Mon Jun 4 10:18:10 2012 
From: pvoborni at redhat.com (Petr Vobornik) Date: Mon, 04 Jun 2012 12:18:10 +0200 Subject: [Freeipa-devel] [PATCH] 147 Set network.http.sendRefererHeader to 2 on browser config In-Reply-To: <4FC53FA6.5030906@redhat.com> References: <4FBF99FB.7090206@redhat.com> <4FC53FA6.5030906@redhat.com> Message-ID: <4FCC8B62.2030600@redhat.com> On 05/29/2012 11:29 PM, Rob Crittenden wrote: > Petr Vobornik wrote: >> IPA web UI isn't functional when browser doesn't send http headers. >> >> This patch adds a functionality which sets Firefox >> network.http.sendRefererHeader configuration option to value '2' which >> enables it. >> >> Possible values: http://kb.mozillazine.org/Network.http.sendRefererHeader >> >> https://fedorahosted.org/freeipa/ticket/2778 > > Should we also add a message when referer is missing to check this > setting in about:config? I'm not sure what you have in mind. We set the referer option so why would user check it afterwards? Yes the ticket was about checking the option but: If user is configuring the browser he wants the browser configured. So we should set all options which are required. This is one of them. We have not been notifying the user what was set, so I didn't add such notification for this option now as well. We might want to notify the user what options were changed but it's not the topic of this ticket. > >> >> I was also thinking about upgrading the configure.jar. We had a ticket >> for it, which ended by documenting the steps. >> >> https://fedorahosted.org/freeipa/ticket/2311 >> http://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/upgrading.html#ticket-delegation >> >> >> >> I think the documentation is wrong. In it we are rebuilding the .jar >> from /usr/share/ipa/html/preferences.html, this file is created on >> server install and it is never updated therefore the .jar won't be >> updated. The updated file is its template (the one changed in this >> patch). 
The template output is created in >> httpinstance.__setup_autoconfig() call. >> >> For my development purposes I took this code and created a script which >> rebuilds the .jar file (attached). Do we want to use it? > > Yes, I think it is worth having this somewhere, even if just on the wiki. > > rob -- Petr Vobornik From mkosek at redhat.com Mon Jun 4 11:43:46 2012 
From: mkosek at redhat.com (Martin Kosek) Date: Mon, 04 Jun 2012 13:43:46 +0200 Subject: [Freeipa-devel] [PATCH] 0042-0048 AD trusts support (master) In-Reply-To: <1334243807.777.6.camel@balmora.brq.redhat.com> References: <20120403104135.GD23171@redhat.com> <20120403145749.GD8996@localhost.localdomain> <1334242615.777.3.camel@balmora.brq.redhat.com> <20120412150803.GA24623@redhat.com> <1334243807.777.6.camel@balmora.brq.redhat.com> Message-ID: <1338810226.30320.45.camel@balmora.brq.redhat.com> On Thu, 2012-04-12 at 17:16 +0200, Martin Kosek wrote: > On Thu, 2012-04-12 at 18:08 +0300, Alexander Bokovoy wrote: > > Hi Martin! > > > > On Thu, 12 Apr 2012, Martin Kosek wrote: > ... > > >3) I would not try to import ipaserver.dcerpc every time the command is > > >executed: > > >+ try: > > >+ import ipaserver.dcerpc > > >+ except Exception, e: > > >+ raise errors.NotFound(name=_('AD Trust setup'), > > >+ reason=_('Cannot perform join operation without Samba > > >4 python bindings installed')) > > > > > >I would rather do it once in the beginning and set a flag: > > > > > >try: > > > import ipaserver.dcerpc > > > _bindings_installed = True > > >except Exception: > > > _bindings_installed = False > > > > > >... > > The idea was that this code is only executed on the server. We need to > > differentiate between: > > - running on client > > - running on server, no samba4 python bindings > > - running on server with samba4 python bindings > > > > By making it executed all time you are affecting the client code as > > well while with current approach it only affects server side. 
> > Across our code base, this situation is currently solved with this > condition: > > if api.env.in_server and api.env.context in ['lite', 'server']: > # try-import block > > > > > > > >+ def execute(self, *keys, **options): > > >+ # Join domain using full credentials and with random trustdom > > >+ # secret (will be generated by the join method) > > >+ trustinstance = None > > >+ if not _bindings_installed: > > >+ raise errors.NotFound(name=_('AD Trust setup'), > > >+ reason=_('Cannot perform join operation without Samba > > >4 python bindings installed')) > > > > > > > > >4) Another import inside a function: > > >+ def arcfour_encrypt(key, data): > > >+ from Crypto.Cipher import ARC4 > > >+ c = ARC4.new(key) > > >+ return c.encrypt(data) > > Same here, it is only needed on server side. > > > > Let us get consensus over 3) and 4) and I'll fix patches altogether (and > > push). > > > > Yeah, I would fix in the same way as 3). > > Martin > I did another round of testing and this is what I found so far: 1) freeipa.spec.in was missing python-crypto BuildRequires (you fixed that) 2) Unit tests need to be updated, currently there is about a dozen test case errors, e.g. extra ipakrbprincipalalias attribute in services or new ipakrbprincipal objectclass for hosts 3) Replication did not work too well for me this time. 
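Review bot: the `try: import ipaserver.dcerpc / except Exception, e:` block reports every failure as "Cannot perform join operation without Samba 4 python bindings installed", so a missing dependency of the samba4 module, a syntax error in it, or an ABI mismatch will send the admin off to install a package that is already there, and the bound `e` is never used. Catch `ImportError` only and let anything else propagate with its traceback; the same narrowing applies to the module-level `_bindings_installed` variant, and the function-local `from Crypto.Cipher import ARC4` in `arcfour_encrypt` should move under the same `api.env.in_server` / `api.env.context` guard so a missing python-crypto shows up when the server loads rather than on the first trust-add call.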
ipa-replica-install reported just one issue during installation process:

2012-06-04T09:42:51Z DEBUG [24/30]: enabling S4U2Proxy delegation
2012-06-04T09:42:51Z DEBUG args=/usr/bin/ldapmodify -h vm-057.idm.lab.bos.redhat.com -v -f /tmp/tmpifHccf -x -D cn=Directory Manager -y /tmp/tmppqaAdV
2012-06-04T09:42:51Z DEBUG stdout=
2012-06-04T09:42:51Z DEBUG stderr=ldap_initialize( ldap://vm-057.idm.lab.bos.redhat.com )
ldapmodify: wrong attributeType at line 5, entry "cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com"

2012-06-04T09:42:51Z CRITICAL Failed to load replica-s4u2proxy.ldif: Command '/usr/bin/ldapmodify -h vm-057.idm.lab.bos.redhat.com -v -f /tmp/tmpifHccf -x -D cn=Directory Manager -y /tmp/tmppqaAdV' returned non-zero exit status 247

But this may be just a symptom of some bigger issue. After the installation finished, DS did not start, it kept reporting Kerberos issues:

[04/Jun/2012:05:46:00 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/vm-057.idm.lab.bos.redhat.com at IDM.LAB.BOS.REDHAT.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[04/Jun/2012:05:46:00 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[04/Jun/2012:05:46:00 -0400] - Listening on All Interfaces port 636 for LDAPS requests
[04/Jun/2012:05:46:00 -0400] - Listening on /var/run/slapd-IDM-LAB-BOS-REDHAT-COM.socket for LDAPI requests
[04/Jun/2012:05:46:00 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_498' not found)) errno 0 (Success)
[04/Jun/2012:05:46:00 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[04/Jun/2012:05:46:00 -0400] NSMMReplicationPlugin - agmt="cn=meTovm-125.idm.lab.bos.redhat.com" (vm-125:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_498' not found))

When I run "ipactl restart", dirsrv started and I was able to kinit.

4) Patch "Add separate attribute to store trusted domain SID" still has a wrong service part of the principal to be removed (s/ldap/cifs):

+ dn3 = DN(u'cn=ipa-cifs-delegation-targets', api.env.container_s4u2proxy, self.suffix)
+ member_principal3 = "ldap/%(fqdn)s@%(realm)s" % dict(fqdn=replica, realm=realm)
+

This leaves CIFS entry in the S4U2Proxy configuration even after replica uninstallation.

Btw. these are the packages I use:
389-ds-base-1.2.10.4-2.fc17.x86_64
krb5-server-1.10-5.fc17.x86_64
samba4-4.0.0-123alpha21.fc17.x86_64

Martin From abokovoy at redhat.com Mon Jun 4 12:32:36 2012
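The import-placement question in points 3) and 4) above (try the server-only bindings once, at module load, but only in a server context, so client code never attempts the import) can be shown with a small Python module. This is an added example, not FreeIPA code: `ipaserver_dcerpc_hypothetical` stands in for `ipaserver.dcerpc`, `make_env` stands in for `api.env`, and `NotFoundError` for `errors.NotFound`. It narrows the exception to `ImportError` so that a real bug inside the bindings is not misreported as "not installed".

```python
"""Guarded, once-only import of server-side bindings (added example)."""
import importlib
from types import SimpleNamespace


class NotFoundError(Exception):
    """Stand-in for errors.NotFound (hypothetical)."""


def make_env(in_server, context):
    """Tiny stand-in for api.env with the two fields the guard needs."""
    return SimpleNamespace(in_server=in_server, context=context)


def load_bindings(env, module_name="ipaserver_dcerpc_hypothetical"):
    """Try the optional import once and return (installed, reason).

    Outside the server context the import is not even attempted, which is
    the point of the thread: a client must not pay for, or fail on, server
    bindings. Only ImportError means "not installed"; anything else is a bug
    in the bindings and propagates with its traceback.
    """
    if not (env.in_server and env.context in ("lite", "server")):
        return False, "not running in a server context"
    try:
        importlib.import_module(module_name)
    except ImportError as exc:
        return False, "Samba 4 python bindings not installed (%s)" % exc
    return True, None


# Evaluated once at import time, like a module-level _bindings_installed flag.
# The hypothetical module does not exist here, so the flag ends up False.
_ENV = make_env(in_server=True, context="server")
_BINDINGS_INSTALLED, _BINDINGS_REASON = load_bindings(_ENV)


class TrustAddCommand:
    """Server-side command that needs the bindings only when executed."""

    def __init__(self, bindings_installed=_BINDINGS_INSTALLED,
                 reason=_BINDINGS_REASON):
        self.bindings_installed = bindings_installed
        self.reason = reason

    def execute(self, *keys, **options):
        # Check the flag per call; do not repeat the import attempt here.
        if not self.bindings_installed:
            raise NotFoundError(
                "AD Trust setup: cannot perform join operation without "
                "Samba 4 python bindings installed (%s)" % self.reason)
        return {"result": "would join trust with %s" % keys[0]}
```

The flag is computed once per process, so the cost and the failure mode are both paid at load time, and `execute()` only consults the result.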
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 4 Jun 2012 15:32:36 +0300 Subject: [Freeipa-devel] [PATCH] 0042-0048 AD trusts support (master) In-Reply-To: <1338810226.30320.45.camel@balmora.brq.redhat.com> References: <20120403104135.GD23171@redhat.com> <20120403145749.GD8996@localhost.localdomain> <1334242615.777.3.camel@balmora.brq.redhat.com> <20120412150803.GA24623@redhat.com> <1334243807.777.6.camel@balmora.brq.redhat.com> <1338810226.30320.45.camel@balmora.brq.redhat.com> Message-ID: <20120604123236.GD25726@redhat.com> On Mon, 04 Jun 2012, Martin Kosek wrote: >I did another round of testing and this is what I found so far: > >1) freeipa.spec.in was missing python-crypto BuildRequires (you fixed >that) > >2) Unit tests need to be updated, currently there is about a dozen test >case errors, e.g. extra ipakrbprincipalalias attribute in services or >new ipakrbprincipal objectclass for hosts Ok, will fix. >3) Replication did not work too well for me this time. >ipa-replica-install reported just one issue during installation process: > >2012-06-04T09:42:51Z DEBUG [24/30]: enabling S4U2Proxy delegation >2012-06-04T09:42:51Z DEBUG args=/usr/bin/ldapmodify -h >vm-057.idm.lab.bos.redhat.com -v -f /tmp/ tmpifHccf -x -D >cn=Directory Manager -y /tmp/tmppqaAdV >2012-06-04T09:42:51Z DEBUG stdout= >2012-06-04T09:42:51Z DEBUG >stderr=ldap_initialize( ldap://vm-057.idm.lab.bos.redhat.com ) >ldapmodify: wrong attributeType at line 5, entry >"cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=idm, >dc=lab,dc=bos,dc=redhat,dc=com" > >2012-06-04T09:42:51Z CRITICAL Failed to load replica-s4u2proxy.ldif: >Command '/usr/bin/ldapmodify -h vm-057.idm.lab.bos.redhat.com -v >-f /tmp/tmpifHccf -x -D cn=Directory Manager -y /tmp/tmppqaAdV' >returned non-zero exit status 247 Found and fixed. The issue was in not following RFC2849 when specifying multiple changetype operations, you need to split their definitions by a single line with '-' on it. 
I squashed the fix back to the original patch. >But this may be just a symptom of some bigger issue. After the >installation finished, DS did not start, it kept reporting Kerberos >issues: > >[04/Jun/2012:05:46:00 -0400] set_krb5_creds - Could not get initial >credentials for principal >[ldap/vm-057.idm.lab.bos.redhat.com at IDM.LAB.BOS.REDHAT.COM] in keytab >[FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text)) >[04/Jun/2012:05:46:00 -0400] - slapd started. Listening on All >Interfaces port 389 for LDAP requests >[04/Jun/2012:05:46:00 -0400] - Listening on All Interfaces port 636 for >LDAPS requests >[04/Jun/2012:05:46:00 -0400] - Listening >on /var/run/slapd-IDM-LAB-BOS-REDHAT-COM.socket for LDAPI requests >[04/Jun/2012:05:46:00 -0400] slapd_ldap_sasl_interactive_bind - Error: >could not perform interactive bind for id [] mech [GSSAPI]: LDAP error >-2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified >GSS failure. Minor code may provide more information (Credentials cache >file '/tmp/krb5cc_498' not found)) errno 0 (Success) >[04/Jun/2012:05:46:00 -0400] slapi_ldap_bind - Error: could not perform >interactive bind for id [] mech [GSSAPI]: error -2 (Local error) >[04/Jun/2012:05:46:00 -0400] NSMMReplicationPlugin - >agmt="cn=meTovm-125.idm.lab.bos.redhat.com" (vm-125:389): Replication >bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): >generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may >provide more information (Credentials cache file '/tmp/krb5cc_498' not >found)) > >When I run "ipactl restart", dirsrv started and I was able to kinit. Maybe it is timing issue? 
>4) Patch "Add separate attribute to store trusted domain SID" still has >a wrong service part of the principal to be removed (s/ldap/cifs): > >+ dn3 = DN(u'cn=ipa-cifs-delegation-targets', >api.env.container_s4u2proxy, self.suffix) >+ member_principal3 = "ldap/%(fqdn)s@%(realm)s" % >dict(fqdn=replica, realm=realm) >+ > >This leaves CIFS entry in the S4U2Proxy configuration even after replica >uninstallation. Fixed and squashed back to the original patch. >Btw. these are the packages I use: >389-ds-base-1.2.10.4-2.fc17.x86_64 >krb5-server-1.10-5.fc17.x86_64 >samba4-4.0.0-123alpha21.fc17.x86_64 Same here. For me anything newer than 1.2.10.4-2 will blow up 389-ds. -- / Alexander Bokovoy From mkosek at redhat.com Mon Jun 4 12:41:42 2012 From: mkosek at redhat.com (Martin Kosek) Date: Mon, 04 Jun 2012 14:41:42 +0200 Subject: [Freeipa-devel] [PATCH] 270 Improve migration NotFound error Message-ID: <1338813702.30320.46.camel@balmora.brq.redhat.com> When no user/group was found, the migration plugin reported an ambiguous error about an invalid container. But the root cause may be for example a wrong list of user/group objectclasses. Report both in the error message to avoid user confusion. User/group objectclass attribute is now also marked as required. Without the list of objectclasses, an invalid LDAP search is produced. https://fedorahosted.org/freeipa/ticket/2206 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-270-improve-migration-notfound-error.patch Type: text/x-patch Size: 5181 bytes Desc: not available URL: From pviktori at redhat.com Mon Jun 4 14:56:11 2012
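The ldapmodify failure Alexander diagnoses above ("wrong attributeType at line 5") comes from RFC 2849's rule that, inside one `changetype: modify` record, each attribute operation must be closed by a line containing a single `-`; without it the next `add:` line is read as a value line of the previous operation. The Python below, an added example rather than FreeIPA code, serializes a modify record with the separators in place and checks an existing record for the mistake. The DN, attribute names and values are constructed for illustration; the checker reports the offending line number but its wording differs from ldapmodify's.

```python
"""Build and check RFC 2849 modify records (added example)."""
import base64
import re


def _needs_base64(value):
    # RFC 2849: a value that is not a SAFE-STRING must be written with '::'
    # (empty, leading space/colon/'<', non-printable or non-ASCII, or a
    # trailing space).
    return (value == "" or value[0] in " :<" or value.endswith(" ")
            or not all(32 <= ord(c) < 127 for c in value))


def ldif_modify(dn, operations):
    """Serialize one modify record.

    operations: list of (op, attribute, [values]) with op in add/delete/replace.
    Every operation is terminated by a '-' line, as RFC 2849 requires.
    """
    lines = ["dn: %s" % dn, "changetype: modify"]
    for op, attr, values in operations:
        if op not in ("add", "delete", "replace"):
            raise ValueError("unknown modify op %r" % op)
        lines.append("%s: %s" % (op, attr))
        for value in values:
            if _needs_base64(value):
                encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
                lines.append("%s:: %s" % (attr, encoded))
            else:
                lines.append("%s: %s" % (attr, value))
        lines.append("-")
    return "\n".join(lines) + "\n"


_OP_LINE = re.compile(r"^(add|delete|replace): (\S+)$")


def check_modify_record(text):
    """Return the problems found in a single modify record ([] means ok)."""
    problems = []
    lines = text.rstrip("\n").split("\n")
    if len(lines) < 2 or not lines[0].startswith("dn: ") \
            or lines[1] != "changetype: modify":
        return ["record must start with 'dn:' and 'changetype: modify'"]
    current_attr = None  # attribute of the operation currently open
    for lineno, line in enumerate(lines[2:], start=3):
        m = _OP_LINE.match(line)
        if m:
            if current_attr is not None:
                problems.append("line %d: new %s operation before '-' closed "
                                "the previous one" % (lineno, m.group(1)))
            current_attr = m.group(2)
        elif line == "-":
            if current_attr is None:
                problems.append("line %d: '-' without an open operation" % lineno)
            current_attr = None
        else:
            attr = line.split(":", 1)[0]
            if current_attr is None:
                problems.append("line %d: value outside any operation" % lineno)
            elif attr.lower() != current_attr.lower():
                problems.append("line %d: wrong attributeType %s (operation is "
                                "on %s)" % (lineno, attr, current_attr))
    if current_attr is not None:
        problems.append("last operation not closed with '-'")
    return problems
```

Running `check_modify_record` over a template's output before handing it to ldapmodify turns a cryptic install-time error into a message that names the operation and line at fault.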
From: pviktori at redhat.com (Petr Viktorin) Date: Mon, 04 Jun 2012 16:56:11 +0200 Subject: [Freeipa-devel] [PATCH] 0056 Framework for admin/install tools, with ipa-ldap-updater Message-ID: <4FCCCC8B.1030903@redhat.com> Currently, FreeIPA's install/admin scripts are long pieces of code that aren't very reusable, importable, or testable. They have been extended over time with features such as logging and error handling, but since each tool was extended individually, there is much inconsistency and code duplication. This patch starts a framework which the admin tools can use, and converts ipa-ldap-updater to use the framework. In an earlier patch I found that improving a particular functionality in all the commands is not workable, so I want to tackle this one tool at a time. I'm starting with ipa-ldap-updater, because it's pretty small, doesn't use DNs (I don't want conflicts with John's work), and has the interesting --upgrade option. The framework does these tasks: - Parse options - Select tool to run (see below) - Validate options - Set up logging - Run the tool code - Handle any errors - Log success/failure The base class has some defaults for these that the tools can extend/override. To handle the case where one script does two different things (ipa-ldap-updater with/without --upgrade, or ipa-server-install with/without --uninstall), I want to split the tool in two classes rather than have repeated ifs in the code. This meant that option parsing (and initializing the parser) has to be done before creating an instance of the tool. I use a factory classmethod. I put the admintool base class in ipapython/ as it should be useful for ipa-client-install as well. First part of the work for: https://fedorahosted.org/freeipa/ticket/2652 -- Petr³ -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pviktori-0056-Framework-for-admin-install-tools-with-ipa-ldap-upda.patch Type: text/x-patch Size: 28953 bytes Desc: not available URL: From pviktori at redhat.com Mon Jun 4 15:22:02 2012 From: pviktori at redhat.com (Petr Viktorin) Date: Mon, 04 Jun 2012 17:22:02 +0200 Subject: [Freeipa-devel] [PATCH] 0057 Skip the fix_replica_memberof update plugin for non-root users Message-ID: <4FCCD29A.90805@redhat.com> An update plugin needed root privileges, and aborted the update if an ordinary user ran it. With this patch the plugin is skipped with a warning in that case. https://fedorahosted.org/freeipa/ticket/2621 -- Petr³ -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0057-Skip-the-fix_replica_memberof-updater-plugin-for-non.patch Type: text/x-patch Size: 1394 bytes Desc: not available URL: From simo at redhat.com Mon Jun 4 15:51:11 2012 From: simo at redhat.com (Simo Sorce) Date: Mon, 04 Jun 2012 11:51:11 -0400 Subject: [Freeipa-devel] [PATCH] 0057 Skip the fix_replica_memberof update plugin for non-root users In-Reply-To: <4FCCD29A.90805@redhat.com> References: <4FCCD29A.90805@redhat.com> Message-ID: <1338825071.8230.217.camel@willson.li.ssimo.org> On Mon, 2012-06-04 at 17:22 +0200, Petr Viktorin wrote: > An update plugin needed root privileges, and aborted the update if an > ordinary user ran it. > With this patch the plugin is skipped with a warning in that case. > > https://fedorahosted.org/freeipa/ticket/2621 Hi Petr, I am not sure I like the proposed solution. If there is a legitimate reason to run this plugin as non-root (e.g. admin user) then you should change the connection part to try to use GSSAPI auth over ldap when non-root, not just throw a warning. If there is no reason for anyone but root to run this script then we should just abort if not root IMO. Simo. -- Simo Sorce * Red Hat, Inc * New York From mkosek at redhat.com Mon Jun 4 15:59:43 2012
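The task list in patch 0056 (parse options, select the tool class with a factory classmethod, validate, set up logging, run, handle errors, log the outcome) and Simo's point on patch 0057 (a tool that genuinely needs root should abort early, not warn) fit together in one small base class. The Python below is an added sketch of that shape, not FreeIPA's `ipapython.admintool`: it uses argparse where the project used optparse, the `--upgrade` split into two classes is modelled on the description above, and the `needs_root` flags on the two ldap-updater classes are illustrative, not the project's actual policy. `euid` is a parameter so the privilege check can be exercised without being root.

```python
"""Minimal admin-tool framework (added example, not FreeIPA's admintool)."""
import argparse
import logging
import os
import sys


class ScriptError(Exception):
    """Failure to report to the user, carrying the process exit code."""

    def __init__(self, msg, rval=1):
        super().__init__(msg)
        self.rval = rval


class AdminTool:
    command_name = "admin-tool"
    needs_root = False
    log = logging.getLogger("admintool")

    @classmethod
    def make_parser(cls):
        parser = argparse.ArgumentParser(prog=cls.command_name)
        parser.add_argument("-v", "--verbose", action="store_true")
        parser.add_argument("-d", "--debug", action="store_true")
        return parser

    @classmethod
    def add_options(cls, parser):
        """Subclasses register their own options here."""

    @classmethod
    def get_command_class(cls, options):
        """Factory: pick the class that handles these options (default: self)."""
        return cls

    @classmethod
    def run_main(cls, argv=None, euid=None):
        """Parse, select, validate, configure logging, run; return exit code."""
        parser = cls.make_parser()
        cls.add_options(parser)
        options = parser.parse_args(argv)
        tool = cls.get_command_class(options)(options)
        try:
            tool.validate_options(os.geteuid() if euid is None else euid)
            tool.setup_logging()
            rval = tool.run()
        except ScriptError as exc:
            cls.log.error("%s: %s", cls.command_name, exc)
            return exc.rval
        except Exception:  # a bug, not a user error: keep the traceback
            cls.log.exception("%s: unexpected error", cls.command_name)
            return 1
        cls.log.info("The %s command was successful", cls.command_name)
        return rval or 0

    def __init__(self, options):
        self.options = options

    def validate_options(self, euid):
        # Privilege requirements are validated before any work starts.
        if self.needs_root and euid != 0:
            raise ScriptError("must be run as root", rval=2)

    def setup_logging(self):
        level = (logging.DEBUG if self.options.debug
                 else logging.INFO if self.options.verbose
                 else logging.WARNING)
        logging.basicConfig(level=level, stream=sys.stderr)

    def run(self):
        raise NotImplementedError


class LDAPUpdater(AdminTool):
    command_name = "ipa-ldap-updater"

    @classmethod
    def add_options(cls, parser):
        parser.add_argument("--upgrade", action="store_true")
        parser.add_argument("files", nargs="*")

    @classmethod
    def get_command_class(cls, options):
        # Two classes instead of repeated "if options.upgrade" checks.
        return LDAPUpdaterUpgrade if options.upgrade else LDAPUpdaterUpdate


class LDAPUpdaterUpdate(LDAPUpdater):
    needs_root = False  # hypothetical: plain updates could bind as another user

    def run(self):
        self.log.info("applying update files: %s", self.options.files)
        return 0


class LDAPUpdaterUpgrade(LDAPUpdater):
    needs_root = True  # hypothetical: the upgrade path touches local files

    def run(self):
        self.log.info("running full upgrade")
        return 0
```

Because selection happens on parsed options and validation runs before logging or any LDAP work, a non-root `--upgrade` fails with a clear message and a distinct exit status instead of half-applying an update.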
From: mkosek at redhat.com (Martin Kosek) Date: Mon, 04 Jun 2012 17:59:43 +0200 Subject: [Freeipa-devel] [PATCH] 271 Fill new DNS zone update policy by default Message-ID: <1338825583.3321.2.camel@balmora.brq.redhat.com> For security reasons, dynamic updates are not enabled for new DNS zones. In order to enable the dynamic zone securely, user needs to allow dynamic updates and create a zone update policy. The policy is not easy to construct for regular users, we should rather fill it by default and let users just switch the policy on or off. https://fedorahosted.org/freeipa/ticket/2441 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-271-fill-new-dns-zone-update-policy-by-default.patch Type: text/x-patch Size: 9244 bytes Desc: not available URL: From pvoborni at redhat.com Mon Jun 4 16:05:11 2012 
From: pvoborni at redhat.com (Petr Vobornik) Date: Mon, 04 Jun 2012 18:05:11 +0200 Subject: [Freeipa-devel] [PATCH] 151, 152 Removal of illegal options in association dialog Message-ID: <4FCCDCB7.5070902@redhat.com> [PATCH] 152 Removal of illegal options in association dialog: Association dialogs were using non-existent options for find commands. It causes an error when #2509 is implemented. Now when creating a find command a check for option existence is performed. An option is not used if not present in metadata. It fixes the issue. To be able to do this check properly patch 151 is required. [PATCH] 151 Change json serialization to serialize useful data: json_metadata command creates and sends metadata needed by Web UI. It uses the __json__ method for serialization of commands, options, objects... . A lot of data sent was useless for Web UI and some useful information was missing. Now: * mostly CLI specific option attributes are not sent. * attributes evaluated to false or None are not sent * options which are sent are not taken from the takes_options attribute but from the get_options() method. It finally sends a useful option collection for the commands part of metadata. In the end the raw amount of data sent is approximately the same. This patch is needed for Web UI to determine which option it can use in which commands. https://fedorahosted.org/freeipa/ticket/2760 -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0151-Change-json-serialization-to-serialize-useful-data.patch Type: text/x-patch Size: 5489 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0152-Removal-of-illegal-options-in-association-dialog.patch Type: text/x-patch Size: 1412 bytes Desc: not available URL: From rcritten at redhat.com Tue Jun 5 02:39:05 2012
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 04 Jun 2012 22:39:05 -0400 Subject: [Freeipa-devel] [PATCH] 271 Fill new DNS zone update policy by default In-Reply-To: <1338825583.3321.2.camel@balmora.brq.redhat.com> References: <1338825583.3321.2.camel@balmora.brq.redhat.com> Message-ID: <4FCD7149.1060709@redhat.com> Martin Kosek wrote: > For security reasons, dynamic updates are not enabled for new DNS > zones. In order to enable the dynamic zone securely, user needs to > allow dynamic updates and create a zone update policy. > > The policy is not easy to construct for regular users, we should > rather fill it by default and let users just switch the policy > on or off. > > https://fedorahosted.org/freeipa/ticket/2441 I think the example should be something like: Modify the zone to allow dynamic updates for hosts own records in realm EXAMPLE.COM: ipa dnszone-mod example.com --dynamic-update=TRUE This is the equivalent of: ipa dnszone-mod example.com --dynamic-update=TRUE \\ --update-policy="grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA;" Otherwise ACK. rob From rcritten at redhat.com Tue Jun 5 02:59:54 2012 
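Worked example added by the editor (not FreeIPA's dnszone plugin code) of the default policies this thread settles on: the forward-zone policy from Rob's message above, and the reverse-zone policy that Martin's dnszone-add output shows later in the thread. It also includes a small evaluator for the two BIND match types involved, so the security property of the default can be checked directly: a host principal may update only its own A/AAAA records, and PTR records only under the reverse zone. Function names, the simplified grant-rule evaluator and the sample principals are constructed for the example; the evaluator follows BIND's documented semantics for krb5-self and krb5-subdomain but is not BIND's code.

```python
# Added example, not FreeIPA code. Default update-policy generation plus a
# simplified evaluator for 'grant <realm> krb5-self|krb5-subdomain ...' rules.

def is_reverse_zone(zone):
    z = zone.lower().rstrip('.')
    return z.endswith('.in-addr.arpa') or z.endswith('.ip6.arpa')


def default_update_policy(zone, realm):
    """Policy filled in when a zone is created, as described in the thread:
    forward zones let a host update its own A/AAAA, reverse zones let hosts of
    the realm update PTR records below the zone."""
    realm = realm.upper()
    if is_reverse_zone(zone):
        if not zone.endswith('.'):
            zone += '.'
        return 'grant %s krb5-subdomain %s PTR;' % (realm, zone)
    return 'grant %s krb5-self * A; grant %s krb5-self * AAAA;' % (realm, realm)


def _machine_from_principal(principal, realm):
    """host/machine@REALM or machine@REALM -> 'machine', None if realm differs."""
    if '@' not in principal:
        return None
    ident, prealm = principal.rsplit('@', 1)
    if prealm != realm:
        return None
    if ident.startswith('host/'):
        ident = ident[len('host/'):]
    return ident.lower().rstrip('.')


def policy_allows(policy, principal, name, rrtype):
    """Evaluate an update-policy string (constructed, simplified evaluator).
    First matching rule wins; no matching rule means the update is denied."""
    name = name.lower().rstrip('.')
    for rule in policy.split(';'):
        parts = rule.split()
        if len(parts) < 4:
            continue
        action, realm, matchtype, target = parts[:4]
        types = [t.upper() for t in parts[4:]] or ['ANY']
        machine = _machine_from_principal(principal, realm)
        if machine is None:
            continue
        if matchtype == 'krb5-self':
            matched = (name == machine)
        elif matchtype == 'krb5-subdomain':
            sub = target.lower().rstrip('.')
            matched = name == sub or name.endswith('.' + sub)
        else:
            continue  # other match types are out of scope for this example
        if matched and (rrtype.upper() in types or 'ANY' in types):
            return action == 'grant'
    return False
```

Note that the policy is stored regardless of the dynamic-update flag; the flag is what actually opens the zone to updates, which is why the two-step `dnszone-add` then `dnszone-mod --dynamic-update=TRUE` flow in the thread is safe.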
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 04 Jun 2012 22:59:54 -0400 Subject: [Freeipa-devel] [PATCH] 492 Add options to reduce writes from KDC In-Reply-To: <1337985380.16840.643.camel@willson.li.ssimo.org> References: <1337985380.16840.643.camel@willson.li.ssimo.org> Message-ID: <4FCD762A.4020809@redhat.com>

Simo Sorce wrote:
> The original ldap driver we used up to 2.2 had 2 options admins could set to limit the amount of writes to the database on certain auditing related operations. In particular disable_last_success is really important to reduce the load on database servers.
>
> I have implemented ticket #2734 with a little twist. Instead of adding local options in krb5.conf I create global options in the LDAP tree, so that all KDCs in the domain have the same configuration.
>
> The 2 new options can be set in ipaConfigString attribute of the cn=ipaConfig object under cn=etc,$SUFFIX
>
> These are:
> KDC:Disable Last Success
> KDC:Disable Lockout
>
> The first string if set will disable updating the krbLastSuccessfulAuth field in the service/user entry. The second one will prevent changing any of the Lockout related fields and will effectively disable lockout policies.
>
> I think we may want to set the first one by default in future. The last successful auth field is not very interesting in general and is cause for a lot of writes that pressure a lot the LDAP server and get replicated everywhere with a storm multiplier effect we'd like to avoid.
>
> The lockout one instead happens only when there are failed authentication attempts, this means it never happens when keytabs are used for example. And even with users it should happen rarely enough that tracking lockouts by default makes leaving these writes on by default a good tradeoff.
>
> Note that simply setting the lockout policy to never lockout is *not* equivalent to setting KDC:Disable Lockout, as it does not prevent writes to the database.
> I've tested setting KDC:Disable Last Success and it effectively prevents MOD operation from showing up in the server access log.
>
> Any change to these configuration options requires a reconnection from the KDC to the LDAP server, the simplest way to cause that is to restart the KDC service.
>
> Simo.

In ipadb_get_global_configs() should there be a call to LOG_OOM()?

Also, if ipadb_simple_search() or ipadb_get_global_configs() fails should we log the result code when non-zero?

rob

From rcritten at redhat.com Tue Jun 5 03:01:33 2012
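Worked example added by the editor (not the ipa-kdb C driver from patch 492) of the semantics Simo describes: the two flags are read from ipaConfigString values on the cn=ipaConfig entry, and they decide which auditing attributes the KDC writes after an authentication. The entry, the helper names (get_global_configs, auth_result_mods) and the exact attribute set written on failure are constructed to illustrate the two switches; the attribute names krbLastSuccessfulAuth and the "lockout related fields" are the ones the thread refers to.

```python
# Added example, not FreeIPA code. Reads the KDC flags from an ipaConfig entry
# (modelled as attribute -> list of values) and shows their effect on writes.

DISABLE_LAST_SUCCESS = 'KDC:Disable Last Success'
DISABLE_LOCKOUT = 'KDC:Disable Lockout'


def get_global_configs(ipaconfig_entry):
    """Return the two flags from the cn=ipaConfig,cn=etc,$SUFFIX entry.
    Matching is exact: the flags are opt-in and unknown strings change nothing."""
    values = set(ipaconfig_entry.get('ipaConfigString', []))
    return {
        'disable_last_success': DISABLE_LAST_SUCCESS in values,
        'disable_lockout': DISABLE_LOCKOUT in values,
    }


def auth_result_mods(config, success, failed_count, now):
    """Compute the LDAP modifications a KDC would issue for one authentication
    attempt. Returns attribute -> new value; an empty dict means no MOD at all,
    which is what 'KDC:Disable Last Success' achieves for keytab-driven
    successes and 'KDC:Disable Lockout' achieves for failures."""
    mods = {}
    if success:
        if not config['disable_last_success']:
            mods['krbLastSuccessfulAuth'] = now
        # A success clears an existing failure counter only when lockout
        # tracking is on; a zero counter needs no write either way.
        if failed_count and not config['disable_lockout']:
            mods['krbLoginFailedCount'] = 0
    elif not config['disable_lockout']:
        mods['krbLastFailedAuth'] = now
        mods['krbLoginFailedCount'] = failed_count + 1
    return mods
```

This is also why, as Simo notes, a lockout policy of "never lock out" is not the same as the second flag: the policy still leaves the failure counter being written, the flag stops the write itself.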
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 04 Jun 2012 23:01:33 -0400 Subject: [Freeipa-devel] [PATCH] 147 Set network.http.sendRefererHeader to 2 on browser config In-Reply-To: <4FCC8B62.2030600@redhat.com> References: <4FBF99FB.7090206@redhat.com> <4FC53FA6.5030906@redhat.com> <4FCC8B62.2030600@redhat.com> Message-ID: <4FCD768D.3090001@redhat.com> Petr Vobornik wrote: > On 05/29/2012 11:29 PM, Rob Crittenden wrote: >> Petr Vobornik wrote: >>> IPA web UI isn't functional when browser doesn't send http headers. >>> >>> This patch adds a functionality which sets Firefox >>> network.http.sendRefererHeader configuration option to value '2' which >>> enables it. >>> >>> Possible values: >>> http://kb.mozillazine.org/Network.http.sendRefererHeader >>> >>> https://fedorahosted.org/freeipa/ticket/2778 >> >> Should we also add a message when referer is missing to check this >> setting in about:config? > > I'm not sure what you have in mind. We set the referer option so why > would user check it afterwards? > > Yes the ticket was about checking the option but: If user is configuring > the browser he wants the browser configured. So we should set all > options which are required. This is one of them. We have not been > notifying the user what was set, so I didn't add such notification for > this option now as well. > > We might want to notify the user what options were changed but it's not > the topic of this ticket. I was thinking more for already configured browsers who then later mess with this value. It fails in a very non-obvious way. rob From rcritten at redhat.com Tue Jun 5 03:13:33 2012 
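Worked example added by the editor (not FreeIPA's server or browser-configuration code) of the failure mode Rob describes for already-configured browsers: the JSON-RPC endpoint depends on the Referer header, so a server-side check that names the missing header, and the Firefox setting that controls it, turns a non-obvious failure into an actionable one. The WSGI-style environ dict, the function name and the hint text are constructed for the example; requiring https and an exact host match is this example's design choice.

```python
# Added example, not FreeIPA code. Server-side Referer check with a message
# that points at network.http.sendRefererHeader when the header is absent.
from urllib.parse import urlsplit


def check_referer(environ, allowed_host):
    """Return (ok, message) for a request described by a WSGI-style environ.

    The UI's RPC endpoint is only served for requests whose Referer comes from
    the UI's own https origin (a CSRF defence). A missing header most likely
    means the browser was told not to send it, so say so explicitly."""
    referer = environ.get('HTTP_REFERER')
    if not referer:
        return False, ('Missing Referer header. Check that your browser sends '
                       'it (Firefox: about:config, network.http.sendRefererHeader '
                       'must be 2).')
    parts = urlsplit(referer)
    if parts.scheme != 'https' or parts.netloc.lower() != allowed_host.lower():
        return False, 'Referer %s is not from https://%s' % (referer, allowed_host)
    return True, ''
```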
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 04 Jun 2012 23:13:33 -0400 Subject: [Freeipa-devel] [PATCH] 270 Improve migration NotFound error In-Reply-To: <1338813702.30320.46.camel@balmora.brq.redhat.com> References: <1338813702.30320.46.camel@balmora.brq.redhat.com> Message-ID: <4FCD795D.6030602@redhat.com>

Martin Kosek wrote:
> When no user/group was found, migration plugin reported an ambiguous error about invalid container. But the root cause may be for example in a wrong list of user/group objectclasses. Report both in the error message to avoid user confusion.
>
> User/group objectclass attribute is now also marked as required. Without the list of objectclasses, an invalid LDAP search is produced.
>
> https://fedorahosted.org/freeipa/ticket/2206

ACK. The output is a lot more readable; you might reconsider having it in parens. A separate sentence or separated by a colon may be more readable.

rob

From rcritten at redhat.com Tue Jun 5 03:49:44 2012
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 04 Jun 2012 23:49:44 -0400 Subject: [Freeipa-devel] [PATCH] 262-265 Enable psearch by default In-Reply-To: <1338540393.27740.17.camel@balmora.brq.redhat.com> References: <1337950210.5899.25.camel@balmora.brq.redhat.com> <4FBF882D.9000909@redhat.com> <1337958871.5899.32.camel@balmora.brq.redhat.com> <1338540393.27740.17.camel@balmora.brq.redhat.com> Message-ID: <4FCD81D8.9000609@redhat.com> Martin Kosek wrote: > On Fri, 2012-05-25 at 17:14 +0200, Martin Kosek wrote: >> On Fri, 2012-05-25 at 09:25 -0400, Rob Crittenden wrote: >>> Martin Kosek wrote: >>>> This set of patches handles enabling psearch both for new installations >>>> (patch 263) and upgraded IPA servers. >>>> >>>> For upgraded IPA servers I needed to make sure that psearch is not >>>> enabled for every IPA package update, but at most once, when a user >>>> updates to IPA with this patch for the first time (patch 264). This is >>>> enabled by a new State store located in /var/lib/ipa/sysupgrade (patch >>>> 262). >>>> >>>> I also improved the way we handled SELinux sebool updates (patch 265), >>>> this can make ipa-upgradeconfig to finish in 0.4 seconds and not in 150 >>>> seconds as previously. Details are in the patches. >>>> >>>> Martin >>> >>> 262: >>> The sysupgrade directory isn't created by the RPM install: >>> >>> mkdir -p %{buildroot}/%{_localstatedir}/cache/ipa/sysupgrade >> >> Fixed. >> >>> >>> 263: >>> >>> It looks like zone_refresh is simply disabled in bindinstance.py, why >>> not remove it completely? >> >> zone_refresh is used by bindinstance.py. ipa-server-install or >> ipa-dns-install may be configured to use zone refresh instead of >> persistent search mechanism to update the zones (e.g. --zone-refresh >> 30). >> >>> >>> 264: >>> >>> Small nit, worth doing case-insensitive compare of psearch enabled status? >> >> Petr2 told me that arg value for boolean configuration option is >> case-insensitive, so we can do that - fixed. 
>> >>> >>> We're updating named.conf in place so I don't know that we need to reset >>> permissions. It at least shouldn't get modified by the write. >> >> Right, I was being too defensive. I removed the check. >> >> I made the upgrade more robust, now it won't crash for example when >> named.conf does not exist. I also made sure the upgrade script works >> correctly when the IPA is configured without DNS. >> >> Martin > > I rebased the patches for current master. I also slightly reworked patch > 265, the error message printed in case of an unsuccessful setsebool was > not printed right. > > Martin Trailing whitespace in 264: # git am /tmp/freeipa-mkosek-264-3-enable-psearch-on-upgrades.patch Applying: Enable psearch on upgrades /home/rcrit/redhat/freeipa-nossh/.git/rebase-apply/patch:108: trailing whitespace. root_logger.error('Cannot update connections in %s: %s', warning: 1 line adds whitespace errors. I don't think the DNS detection is adequate in 264, testing for named.conf is not enough. What if someone is running a non-IPA DNS server on the box? I know that I've recently done similar config changes but in 265 is using line.startswith() going to be fragile? In 266 I'd merge in the ipa-upgradeconfig change into 265 or some other patch. In the 'for setting, state' loop should it be catching a CalledProcessException rather than raw Exception? I think that is all that should be raised there. I did an upgrade and it seemed to work ok, ended up with these scary messages in /var/log/messages: Jun 4 23:39:17 localhost named[18753]: LDAP error: Can't contact LDAP server Jun 4 23:39:17 localhost named[18753]: connection to the LDAP server was lost Jun 4 23:39:17 localhost named[18753]: bind to LDAP server failed: Can't contact LDAP server Jun 4 23:39:17 localhost named[18753]: ldap_psearch_watcher failed to handle LDAP connection error. 
Reconnection in 60s Jun 4 23:39:17 localhost named[18753]: LDAP error: Can't contact LDAP server Jun 4 23:39:17 localhost named[18753]: connection to the LDAP server was lost Jun 4 23:39:17 localhost named[18753]: bind to LDAP server failed: Can't contact LDAP server Jun 4 23:39:17 localhost ns-slapd[18798]: [04/Jun/2012:23:39:17 -0400] - Information: Non-Secure Port Disabled Jun 4 23:40:17 localhost named[18753]: handle_connection_error failed to obtain ldap error code Jun 4 23:40:17 localhost named[18753]: connection to the LDAP server was lost Jun 4 23:40:17 localhost named[18753]: bind to LDAP server failed: Can't contact LDAP server Jun 4 23:40:17 localhost named[18753]: ldap_psearch_watcher failed to handle LDAP connection error. Reconnection in 60s Jun 4 23:41:17 localhost named[18753]: handle_connection_error failed to obtain ldap error code Jun 4 23:41:17 localhost named[18753]: connection to the LDAP server was lost DNS does seem to be working fine from the cli. The tests are another matter. named crashed in 0:1.1.0-0.10.b2.fc17 in the test cleanup. I upgraded to bind-dyndb-ldap-1.1.0-0.11.rc1.fc17 and got this stack trace: Program received signal SIGABRT, Aborted. 
[Switching to Thread 0x7f68e50db700 (LWP 19367)]
0x00007f68e6188915 in raise () from /lib64/libc.so.6
(gdb) where
#0 0x00007f68e6188915 in raise () from /lib64/libc.so.6
#1 0x00007f68e618a0c8 in abort () from /lib64/libc.so.6
#2 0x00007f68e91171fb in assertion_failed (file=, line=, type=, cond=) at ./main.c:219
#3 0x00007f68e73a6c3a in isc_assertion_failed (file=file@entry=0x7f68e8a82deb "zone.c", line=, type=type@entry=isc_assertiontype_require, cond=cond@entry=0x7f68e8a82fe7 "zone->db != ((void *)0)") at assertions.c:57
#4 0x00007f68e8a2ba67 in zone_detachdb (zone=) at zone.c:12944
#5 zone_detachdb (zone=0x7f68dc57fef0) at zone.c:12943
#6 0x00007f68e8a2baa1 in zone_unload (zone=zone@entry=0x7f68dc57fef0) at zone.c:9092
#7 0x00007f68e8a2fcc4 in dns_zone_unload (zone=0x7f68dc57fef0) at zone.c:9040
#8 0x00007f68e3584b9e in ldap_delete_zone2 (inst=inst@entry=0x7f68e90b0f10, name=name@entry=0x7f68e50dad10, lock=lock@entry=isc_boolean_true) at ldap_helper.c:786
#9 0x00007f68e3586554 in ldap_delete_zone (dn=, inst=0x7f68e90b0f10, lock=) at ldap_helper.c:811
#10 update_action (task=, event=0x7f68e37de6a0) at ldap_helper.c:2763
#11 0x00007f68e73c613e in dispatch (manager=0x7f68e908f010) at task.c:1109
#12 run (uap=0x7f68e908f010) at task.c:1279
#13 0x00007f68e6d7bd14 in start_thread () from /lib64/libpthread.so.0
#14 0x00007f68e624494d in clone () from /lib64/libc.so.6

rob

From william at firstyear.id.au Tue Jun 5 05:14:12 2012
From: william at firstyear.id.au (William Brown) Date: Tue, 05 Jun 2012 14:44:12 +0930 Subject: [Freeipa-devel] [PATCH] 271 Fill new DNS zone update policy by default In-Reply-To: <4FCD7149.1060709@redhat.com> References: <1338825583.3321.2.camel@balmora.brq.redhat.com> <4FCD7149.1060709@redhat.com> Message-ID: <4FCD95A4.3070503@firstyear.id.au> > I think the example should be something like: > > Modify the zone to allow dynamic updates for hosts own records in > realm EXAMPLE.COM: > ipa dnszone-mod example.com --dynamic-update=TRUE > > This is the equivalent of: > ipa dnszone-mod example.com --dynamic-update=TRUE \\ > --update-policy="grant EXAMPLE.COM krb5-self * A; grant > EXAMPLE.COM krb5-self * AAAA;" > What about reverse zones? -- Sincerely, William Brown pgp.mit.edu http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x3C0AC6DAB2F928A2 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 945 bytes Desc: OpenPGP digital signature URL: From mkosek at redhat.com Tue Jun 5 06:42:42 2012 
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 05 Jun 2012 08:42:42 +0200 Subject: [Freeipa-devel] [PATCH] 271 Fill new DNS zone update policy by default In-Reply-To: <4FCD7149.1060709@redhat.com> References: <1338825583.3321.2.camel@balmora.brq.redhat.com> <4FCD7149.1060709@redhat.com> Message-ID: <1338878562.28796.1.camel@balmora.brq.redhat.com> On Mon, 2012-06-04 at 22:39 -0400, Rob Crittenden wrote: > Martin Kosek wrote: > > For security reasons, dynamic updates are not enabled for new DNS > > zones. In order to enable the dynamic zone securely, user needs to > > allow dynamic updates and create a zone update policy. > > > > The policy is not easy to construct for regular users, we should > > rather fill it by default and let users just switch the policy > > on or off. > > > > https://fedorahosted.org/freeipa/ticket/2441 > > I think the example should be something like: > > Modify the zone to allow dynamic updates for hosts own records in > realm EXAMPLE.COM: > ipa dnszone-mod example.com --dynamic-update=TRUE > > This is the equivalent of: > ipa dnszone-mod example.com --dynamic-update=TRUE \\ > --update-policy="grant EXAMPLE.COM krb5-self * A; grant > EXAMPLE.COM krb5-self * AAAA;" Right, I did that change. > > Otherwise ACK. > > rob Thanks. I also found out that I forgot to update DNS unit tests, so I fixed that as well before pushing. Pushed to master. Martin From mkosek at redhat.com Tue Jun 5 06:55:49 2012 
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 05 Jun 2012 08:55:49 +0200 Subject: [Freeipa-devel] [PATCH] 270 Improve migration NotFound error In-Reply-To: <4FCD795D.6030602@redhat.com> References: <1338813702.30320.46.camel@balmora.brq.redhat.com> <4FCD795D.6030602@redhat.com> Message-ID: <1338879349.28796.2.camel@balmora.brq.redhat.com> On Mon, 2012-06-04 at 23:13 -0400, Rob Crittenden wrote: > Martin Kosek wrote: > > When no user/group was found, migration plugin reported an ambiguous > > error about invalid container. But the root cause may be for example > > in a wrong list of user/group objectclasses. Report both in the error > > message to avoid user confusion. > > > > User/group objectclass attribute is now also marked as required. > > Without the list of objectclasses, an invalid LDAP search is > > produced. > > > > https://fedorahosted.org/freeipa/ticket/2206 > > ACK. The output is a lot readable, you might reconsider having it in > parens. A separate sentence or separated by a colon may be more readable. > > rob I tried different formats, but the former approach still seemed to me as the most readable, so I kept that :-) Pushed to master. Martin From mkosek at redhat.com Tue Jun 5 07:32:34 2012 
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 05 Jun 2012 09:32:34 +0200 Subject: [Freeipa-devel] [PATCH] 262-265 Enable psearch by default In-Reply-To: <4FCD81D8.9000609@redhat.com> References: <1337950210.5899.25.camel@balmora.brq.redhat.com> <4FBF882D.9000909@redhat.com> <1337958871.5899.32.camel@balmora.brq.redhat.com> <1338540393.27740.17.camel@balmora.brq.redhat.com> <4FCD81D8.9000609@redhat.com> Message-ID: <1338881554.28796.23.camel@balmora.brq.redhat.com> On Mon, 2012-06-04 at 23:49 -0400, Rob Crittenden wrote: > Martin Kosek wrote: > > On Fri, 2012-05-25 at 17:14 +0200, Martin Kosek wrote: > >> On Fri, 2012-05-25 at 09:25 -0400, Rob Crittenden wrote: > >>> Martin Kosek wrote: > >>>> This set of patches handles enabling psearch both for new installations > >>>> (patch 263) and upgraded IPA servers. > >>>> > >>>> For upgraded IPA servers I needed to make sure that psearch is not > >>>> enabled for every IPA package update, but at most once, when a user > >>>> updates to IPA with this patch for the first time (patch 264). This is > >>>> enabled by a new State store located in /var/lib/ipa/sysupgrade (patch > >>>> 262). > >>>> > >>>> I also improved the way we handled SELinux sebool updates (patch 265), > >>>> this can make ipa-upgradeconfig to finish in 0.4 seconds and not in 150 > >>>> seconds as previously. Details are in the patches. > >>>> > >>>> Martin > >>> > >>> 262: > >>> The sysupgrade directory isn't created by the RPM install: > >>> > >>> mkdir -p %{buildroot}/%{_localstatedir}/cache/ipa/sysupgrade > >> > >> Fixed. > >> > >>> > >>> 263: > >>> > >>> It looks like zone_refresh is simply disabled in bindinstance.py, why > >>> not remove it completely? > >> > >> zone_refresh is used by bindinstance.py. ipa-server-install or > >> ipa-dns-install may be configured to use zone refresh instead of > >> persistent search mechanism to update the zones (e.g. --zone-refresh > >> 30). 
> >> > >>> > >>> 264: > >>> > >>> Small nit, worth doing case-insensitive compare of psearch enabled status? > >> > >> Petr2 told me that arg value for boolean configuration option is > >> case-insensitive, so we can do that - fixed. > >> > >>> > >>> We're updating named.conf in place so I don't know that we need to reset > >>> permissions. It at least shouldn't get modified by the write. > >> > >> Right, I was being too defensive. I removed the check. > >> > >> I made the upgrade more robust, now it won't crash for example when > >> named.conf does not exist. I also made sure the upgrade script works > >> correctly when the IPA is configured without DNS. > >> > >> Martin > > > > I rebased the patches for current master. I also slightly reworked patch > > 265, the error message printed in case of an unsuccessful setsebool was > > not printed right. > > > > Martin > > Trailing whitespace in 264: > > # git am /tmp/freeipa-mkosek-264-3-enable-psearch-on-upgrades.patch > Applying: Enable psearch on upgrades > /home/rcrit/redhat/freeipa-nossh/.git/rebase-apply/patch:108: trailing > whitespace. > root_logger.error('Cannot update connections in %s: > %s', > warning: 1 line adds whitespace errors. Fixed. > > I don't think the DNS detection is adequate in 264, testing for > named.conf is not enough. What if someone is running a non-IPA DNS > server on the box? I assume you are referring to this line: + if not bindinstance.named_conf_exists(): It checks both if the named.conf exists + if it has bind-dyndb-ldap configured for IPA: if line.startswith('dynamic-db "ipa"'): > > I know that I've recently done similar config changes but in 265 is > using line.startswith() going to be fragile? I assume you mean patch 264. This should be OK - user would need to mess with the configuration generated by our install scripts to break it. But in this case, other regex-es would fail too. I did not want to get too wild with regex-es to keep it simple and safe. 
The worst case scenario should be that named.conf is not updated and psearch is not turned on. > > In 266 I'd merge in the ipa-upgradeconfig change into 265 or some other > patch. I assume you mean patch 265. I had this change moved to 264 right after I sent the patches :-) > > In the 'for setting, state' loop should it be catching a > CalledProcessException rather than raw Exception? I think that is all > that should be raised there. Right, fixed. > > I did an upgrade and it seemed to work ok, ended up with these scary > messages in /var/log/messages: > > Jun 4 23:39:17 localhost named[18753]: LDAP error: Can't contact LDAP > server > Jun 4 23:39:17 localhost named[18753]: connection to the LDAP server > was lost > Jun 4 23:39:17 localhost named[18753]: bind to LDAP server failed: > Can't contact LDAP server > Jun 4 23:39:17 localhost named[18753]: ldap_psearch_watcher failed to > handle LDAP connection error. Reconnection in 60s > Jun 4 23:39:17 localhost named[18753]: LDAP error: Can't contact LDAP > server > Jun 4 23:39:17 localhost named[18753]: connection to the LDAP server > was lost > Jun 4 23:39:17 localhost named[18753]: bind to LDAP server failed: > Can't contact LDAP server > Jun 4 23:39:17 localhost ns-slapd[18798]: [04/Jun/2012:23:39:17 -0400] > - Information: Non-Secure Port Disabled > Jun 4 23:40:17 localhost named[18753]: handle_connection_error failed > to obtain ldap error code > Jun 4 23:40:17 localhost named[18753]: connection to the LDAP server > was lost > Jun 4 23:40:17 localhost named[18753]: bind to LDAP server failed: > Can't contact LDAP server > Jun 4 23:40:17 localhost named[18753]: ldap_psearch_watcher failed to > handle LDAP connection error. Reconnection in 60s > Jun 4 23:41:17 localhost named[18753]: handle_connection_error failed > to obtain ldap error code > Jun 4 23:41:17 localhost named[18753]: connection to the LDAP server > was lost > > DNS does seem to be working fine from the cli. 
I think this was caused by ipa-ldap-updater which shut down the Directory Server to perform the LDAP upgrade.

Btw I asked Petr to file a ticket for bind-dyndb-ldap to report success when it returns back from an error state: https://fedorahosted.org/bind-dyndb-ldap/ticket/71 This way, we cannot know that the LDAP connection has been restored besides doing a test DNS query.

> The tests are another matter. named crashed in 0:1.1.0-0.10.b2.fc17 in the test cleanup.
>
> I upgraded to bind-dyndb-ldap-1.1.0-0.11.rc1.fc17 and got this stack trace:
>
> Program received signal SIGABRT, Aborted.
> [Switching to Thread 0x7f68e50db700 (LWP 19367)]
> 0x00007f68e6188915 in raise () from /lib64/libc.so.6
> (gdb) where
> #0 0x00007f68e6188915 in raise () from /lib64/libc.so.6
> #1 0x00007f68e618a0c8 in abort () from /lib64/libc.so.6
> #2 0x00007f68e91171fb in assertion_failed (file=, line=, type=, cond=) at ./main.c:219
> #3 0x00007f68e73a6c3a in isc_assertion_failed (file=file@entry=0x7f68e8a82deb "zone.c", line=, type=type@entry=isc_assertiontype_require, cond=cond@entry=0x7f68e8a82fe7 "zone->db != ((void *)0)") at assertions.c:57
> #4 0x00007f68e8a2ba67 in zone_detachdb (zone=) at zone.c:12944
> #5 zone_detachdb (zone=0x7f68dc57fef0) at zone.c:12943
> #6 0x00007f68e8a2baa1 in zone_unload (zone=zone@entry=0x7f68dc57fef0) at zone.c:9092
> #7 0x00007f68e8a2fcc4 in dns_zone_unload (zone=0x7f68dc57fef0) at zone.c:9040
> #8 0x00007f68e3584b9e in ldap_delete_zone2 (inst=inst@entry=0x7f68e90b0f10, name=name@entry=0x7f68e50dad10, lock=lock@entry=isc_boolean_true) at ldap_helper.c:786
> #9 0x00007f68e3586554 in ldap_delete_zone (dn=, inst=0x7f68e90b0f10, lock=) at ldap_helper.c:811
> #10 update_action (task=, event=0x7f68e37de6a0) at ldap_helper.c:2763
> #11 0x00007f68e73c613e in dispatch (manager=0x7f68e908f010) at task.c:1109
> #12 run (uap=0x7f68e908f010) at task.c:1279
> #13 0x00007f68e6d7bd14 in start_thread () from /lib64/libpthread.so.0
> #14 0x00007f68e624494d in clone () from /lib64/libc.so.6
>
> rob

Thanks for digging out the traceback, I already reported this error to bind-dyndb-ldap: https://bugzilla.redhat.com/show_bug.cgi?id=827401

Petr, what's the status of this bug? I guess we cannot push this set of patches to enable the psearch by default until this is fixed. Otherwise bind-dyndb-ldap would crash _every_ DNS unit test case.

Updated set of patches attached.

Martin

-------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-262-4-add-sysupgrade-state-file.patch Type: text/x-patch Size: 9251 bytes Desc: not available URL:
-------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-263-4-enable-persistent-search-by-default.patch Type: text/x-patch Size: 13503 bytes Desc: not available URL:
-------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-264-4-enable-psearch-on-upgrades.patch Type: text/x-patch Size: 11511 bytes Desc: not available URL:
-------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-265-4-only-set-sebools-when-necessary.patch Type: text/x-patch Size: 4948 bytes Desc: not available URL:

From mkosek at redhat.com Tue Jun 5 08:01:07 2012
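Worked example added by the editor (not the code of patches 262 or 264) of the two mechanisms this review thread revolves around: detecting an IPA-managed BIND by looking for the `dynamic-db "ipa"` block rather than for the mere presence of named.conf, editing only that block to enable psearch, and a state store that makes the upgrade step run at most once. The sample named.conf, the in-memory SysUpgradeState class and the function names are constructed for the example; the real state store lives on disk, and the `startswith` matching is the same simple approach Martin defends above, so a hand-edited block with a different layout would be left untouched rather than misparsed.

```python
# Added example, not FreeIPA code. Idempotent named.conf edit restricted to
# the dynamic-db "ipa" block, plus a run-once upgrade state store.
import re

# Constructed sample of a pre-psearch IPA named.conf fragment.
SAMPLE_NAMED_CONF = (
    'options {\n'
    '\tdirectory "/var/named";\n'
    '};\n'
    '\n'
    'dynamic-db "ipa" {\n'
    '\tlibrary "ldap.so";\n'
    '\targ "zone_refresh 30";\n'
    '};\n'
)


def named_conf_has_ipa_dyndb(conf_text):
    """True only for an IPA-configured BIND: a non-IPA named also has a
    named.conf, but not a dynamic-db "ipa" block."""
    return any(line.strip().startswith('dynamic-db "ipa"')
               for line in conf_text.splitlines())


def set_dyndb_arg(conf_text, key, value):
    """Set 'arg "<key> <value>";' inside the dynamic-db "ipa" block, adding the
    line if it is missing. Lines outside the block are never touched.
    Returns (new_text, changed)."""
    arg_re = re.compile(r'^(\s*)arg\s+"%s\s+([^"]*)";' % re.escape(key))
    out, changed, in_block, seen = [], False, False, False
    for line in conf_text.splitlines(keepends=True):
        if line.strip().startswith('dynamic-db "ipa"'):
            in_block = True
        if in_block:
            m = arg_re.match(line)
            if m:
                seen = True
                if m.group(2).lower() != value.lower():
                    line = '%sarg "%s %s";\n' % (m.group(1), key, value)
                    changed = True
            elif line.strip().startswith('}'):
                if not seen:
                    out.append('\targ "%s %s";\n' % (key, value))
                    changed = True
                in_block = False
        out.append(line)
    return ''.join(out), changed


class SysUpgradeState:
    """Minimal 'do this upgrade step at most once' store (in memory here)."""

    def __init__(self):
        self._done = {}

    def get(self, module, key):
        return self._done.get((module, key), False)

    def set(self, module, key, value):
        self._done[(module, key)] = value


def upgrade_psearch(conf_text, state):
    """Enable psearch once per host. Returns (new_conf_text, status)."""
    if state.get('dns', 'psearch_enabled'):
        return conf_text, 'already done'
    if not named_conf_has_ipa_dyndb(conf_text):
        return conf_text, 'no IPA DNS'   # state untouched: nothing to upgrade yet
    new_text, changed = set_dyndb_arg(conf_text, 'psearch', 'yes')
    state.set('dns', 'psearch_enabled', True)
    return new_text, 'updated' if changed else 'unchanged'
```

Recording the step only after an IPA DNS block was actually found keeps a later `ipa-dns-install` on the same host from being skipped by a stale state entry.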
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 05 Jun 2012 10:01:07 +0200 Subject: [Freeipa-devel] [PATCH] 271 Fill new DNS zone update policy by default In-Reply-To: <4FCD95A4.3070503@firstyear.id.au> References: <1338825583.3321.2.camel@balmora.brq.redhat.com> <4FCD7149.1060709@redhat.com> <4FCD95A4.3070503@firstyear.id.au> Message-ID: <1338883267.28796.27.camel@balmora.brq.redhat.com>

On Tue, 2012-06-05 at 14:44 +0930, William Brown wrote:
> > I think the example should be something like:
> >
> > Modify the zone to allow dynamic updates for hosts own records in
> > realm EXAMPLE.COM:
> > ipa dnszone-mod example.com --dynamic-update=TRUE
> >
> > This is the equivalent of:
> > ipa dnszone-mod example.com --dynamic-update=TRUE \\
> > --update-policy="grant EXAMPLE.COM krb5-self * A; grant
> > EXAMPLE.COM krb5-self * AAAA;"
> >
>
> What about reverse zones?

With the patch I just pushed, the update policy for a reverse zone is automatically generated as well:

# ipa dnszone-add 3.2.1.in-addr.arpa. --name-server=ns.example.com
Administrator e-mail address [hostmaster.3.2.1.in-addr.arpa.]:
  Zone name: 3.2.1.in-addr.arpa.
  Authoritative nameserver: ns.example.com.
  Administrator e-mail address: hostmaster.3.2.1.in-addr.arpa.
  SOA serial: 2012060501
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant EXAMPLE.COM krb5-subdomain 3.2.1.in-addr.arpa. PTR;
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;

# ipa dnszone-mod 3.2.1.in-addr.arpa. --dynamic-update=TRUE
  Zone name: 3.2.1.in-addr.arpa.
  Authoritative nameserver: ns.example.com.
  Administrator e-mail address: hostmaster.3.2.1.in-addr.arpa.
  SOA serial: 2012060501
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;

With the second change, dynamic updates for the reverse zone are enabled without users having to be knowledgeable about BIND update policy format.

Martin

From mkosek at redhat.com Tue Jun 5 08:06:37 2012
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 05 Jun 2012 10:06:37 +0200 Subject: [Freeipa-devel] [PATCH] 0057 Skip the fix_replica_memberof update plugin for non-root users In-Reply-To: <1338825071.8230.217.camel@willson.li.ssimo.org> References: <4FCCD29A.90805@redhat.com> <1338825071.8230.217.camel@willson.li.ssimo.org> Message-ID: <1338883597.28796.31.camel@balmora.brq.redhat.com>

On Mon, 2012-06-04 at 11:51 -0400, Simo Sorce wrote:
> On Mon, 2012-06-04 at 17:22 +0200, Petr Viktorin wrote:
> > An update plugin needed root privileges, and aborted the update if an ordinary user ran it.
> > With this patch the plugin is skipped with a warning in that case.
> >
> > https://fedorahosted.org/freeipa/ticket/2621
>
> Hi Petr,
> I am not sure I like the proposed solution.
>
> If there is a legitimate reason to run this plugin as non-root (eg admin user) then you should change the connection part to try to use GSSAPI auth over ldap when non-root, not just throw a warning.
>
> If there is no reason for anyone but root to run this script then we should just abort if not root IMO.
>
> Simo.
>

I would keep this script runnable for root users only. Regularly, this should not be run manually but as a part of RPM update which is done by root. It is being run manually only when something is broken anyway and I am not convinced that non-root users should be involved in such recovery.

Martin

From mkosek at redhat.com Tue Jun 5 08:47:04 2012
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 05 Jun 2012 10:47:04 +0200 Subject: [Freeipa-devel] [PATCH] 272 Fix dnszone-mod --forwader option help string Message-ID: <1338886024.28796.33.camel@balmora.brq.redhat.com> Pushed under the one-liner rule. --- Help should not point to global forwarders but rather to per-zone conditional forwarders. https://fedorahosted.org/freeipa/ticket/2717 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-272-fix-dnszone-mod-forwader-option-help-string.patch Type: text/x-patch Size: 1116 bytes Desc: not available URL: From pviktori at redhat.com Tue Jun 5 08:53:16 2012 
From: pviktori at redhat.com (Petr Viktorin) Date: Tue, 05 Jun 2012 10:53:16 +0200 Subject: [Freeipa-devel] [PATCH] 0057 Skip the fix_replica_memberof update plugin for non-root users In-Reply-To: <1338883597.28796.31.camel@balmora.brq.redhat.com> References: <4FCCD29A.90805@redhat.com> <1338825071.8230.217.camel@willson.li.ssimo.org> <1338883597.28796.31.camel@balmora.brq.redhat.com> Message-ID: <4FCDC8FC.6040406@redhat.com>

On 06/05/2012 10:06 AM, Martin Kosek wrote:
> On Mon, 2012-06-04 at 11:51 -0400, Simo Sorce wrote:
>> On Mon, 2012-06-04 at 17:22 +0200, Petr Viktorin wrote:
>>> An update plugin needed root privileges, and aborted the update if an ordinary user ran it.
>>> With this patch the plugin is skipped with a warning in that case.
>>>
>>> https://fedorahosted.org/freeipa/ticket/2621
>>
>> Hi Petr,
>> I am not sure I like the proposed solution.
>>
>> If there is a legitimate reason to run this plugin as non-root (eg admin user) then you should change the connection part to try to use GSSAPI auth over ldap when non-root, not just throw a warning.
>>
>> If there is no reason for anyone but root to run this script then we should just abort if not root IMO.
>>
>> Simo.
>>
>
> I would keep this script runnable for root users only. Regularly, this should not be run manually but as a part of RPM update which is done by root. It is being run manually only when something is broken anyway and I am not convinced that non-root users should be involved in such recovery.
>
> Martin
>

Thanks for the advice. The attached patch only allows root to run ipa-ldap-updater.

-- Petr³

-------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0057-02-Only-allow-root-to-run-ipa-ldap-updater.patch Type: text/x-patch Size: 1668 bytes Desc: not available URL:

From sbose at redhat.com Tue Jun 5 10:19:47 2012
From: sbose at redhat.com (Sumit Bose) Date: Tue, 5 Jun 2012 12:19:47 +0200 Subject: [Freeipa-devel] [PATCH] 0042-0048 AD trusts support (master) In-Reply-To: <20120604123236.GD25726@redhat.com> References: <20120403104135.GD23171@redhat.com> <20120403145749.GD8996@localhost.localdomain> <1334242615.777.3.camel@balmora.brq.redhat.com> <20120412150803.GA24623@redhat.com> <1334243807.777.6.camel@balmora.brq.redhat.com> <1338810226.30320.45.camel@balmora.brq.redhat.com> <20120604123236.GD25726@redhat.com> Message-ID: <20120605101947.GE8124@localhost.localdomain> On Mon, Jun 04, 2012 at 03:32:36PM +0300, Alexander Bokovoy wrote: > On Mon, 04 Jun 2012, Martin Kosek wrote: > >I did another round of testing and this is what I found so far: > > > >1) freeipa.spec.in was missing python-crypto BuildRequires (you fixed > >that) > > > >2) Unit tests need to be updated, currently there is about a dozen test > >case errors, e.g. extra ipakrbprincipalalias attribute in services or > >new ipakrbprincipal objectclass for hosts > Ok, will fix. > > >3) Replication did not work too well for me this time. > >ipa-replica-install reported just one issue during installation process: > > > >2012-06-04T09:42:51Z DEBUG [24/30]: enabling S4U2Proxy delegation > >2012-06-04T09:42:51Z DEBUG args=/usr/bin/ldapmodify -h > >vm-057.idm.lab.bos.redhat.com -v -f /tmp/ tmpifHccf -x -D > >cn=Directory Manager -y /tmp/tmppqaAdV > >2012-06-04T09:42:51Z DEBUG stdout= > >2012-06-04T09:42:51Z DEBUG > >stderr=ldap_initialize( ldap://vm-057.idm.lab.bos.redhat.com ) > >ldapmodify: wrong attributeType at line 5, entry > >"cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=idm, > >dc=lab,dc=bos,dc=redhat,dc=com" > > > >2012-06-04T09:42:51Z CRITICAL Failed to load replica-s4u2proxy.ldif: > >Command '/usr/bin/ldapmodify -h vm-057.idm.lab.bos.redhat.com -v > >-f /tmp/tmpifHccf -x -D cn=Directory Manager -y /tmp/tmppqaAdV' > >returned non-zero exit status 247 > Found and fixed. 
> The issue was in not following RFC2849 when specifying
> multiple changetype operations, you need to split their definitions by a
> single line with '-' on it.
>
> I squashed the fix back to the original patch.
>
> >But this may be just a symptom of some bigger issue. After the
> >installation finished, DS did not start, it kept reporting Kerberos
> >issues:
> >
> >[04/Jun/2012:05:46:00 -0400] set_krb5_creds - Could not get initial
> >credentials for principal
> >[ldap/vm-057.idm.lab.bos.redhat.com at IDM.LAB.BOS.REDHAT.COM] in keytab
> >[FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
> >[04/Jun/2012:05:46:00 -0400] - slapd started. Listening on All
> >Interfaces port 389 for LDAP requests
> >[04/Jun/2012:05:46:00 -0400] - Listening on All Interfaces port 636 for
> >LDAPS requests
> >[04/Jun/2012:05:46:00 -0400] - Listening
> >on /var/run/slapd-IDM-LAB-BOS-REDHAT-COM.socket for LDAPI requests
> >[04/Jun/2012:05:46:00 -0400] slapd_ldap_sasl_interactive_bind - Error:
> >could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
> >-2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
> >GSS failure. Minor code may provide more information (Credentials cache
> >file '/tmp/krb5cc_498' not found)) errno 0 (Success)
> >[04/Jun/2012:05:46:00 -0400] slapi_ldap_bind - Error: could not perform
> >interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> >[04/Jun/2012:05:46:00 -0400] NSMMReplicationPlugin -
> >agmt="cn=meTovm-125.idm.lab.bos.redhat.com" (vm-125:389): Replication
> >bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1):
> >generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may
> >provide more information (Credentials cache file '/tmp/krb5cc_498' not
> >found))
> >
> >When I run "ipactl restart", dirsrv started and I was able to kinit.
> Maybe it is a timing issue?
> >
> >4) Patch "Add separate attribute to store trusted domain SID" still has
> >a wrong service part of the principal to be removed (s/ldap/cifs):
> >
> >+ dn3 = DN(u'cn=ipa-cifs-delegation-targets',
> >api.env.container_s4u2proxy, self.suffix)
> >+ member_principal3 = "ldap/%(fqdn)s@%(realm)s" %
> >dict(fqdn=replica, realm=realm)
> >+
> >
> >This leaves the CIFS entry in the S4U2Proxy configuration even after replica
> >uninstallation.
> Fixed and squashed back to the original patch.
>
> >Btw. these are the packages I use:
> >389-ds-base-1.2.10.4-2.fc17.x86_64
> >krb5-server-1.10-5.fc17.x86_64
> >samba4-4.0.0-123alpha21.fc17.x86_64
> Same here. For me anything newer than 1.2.10.4-2 will blow 389-ds.

I tested your latest tree against w2k8r2 and was able to create and validate the trust. So ACK to the functional part.

bye,
Sumit

>
> --
> / Alexander Bokovoy
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

From pviktori at redhat.com Tue Jun 5 10:39:43 2012
From: pviktori at redhat.com (Petr Viktorin)
Date: Tue, 05 Jun 2012 12:39:43 +0200
Subject: [Freeipa-devel] [PATCH] 0058 Prevent deletion of the last admin
Message-ID: <4FCDE1EF.40704@redhat.com>

Raise an error when trying to delete the last user from the 'admins' group

The 'admin' group name seems like something that shouldn't be hardcoded, but that's how it's done in the webui and some of our ACIs, and I don't see another solution short of adding a new attribute.

https://fedorahosted.org/freeipa/ticket/2564

--
Petr³

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0058-Prevent-deletion-of-the-last-admin.patch
Type: text/x-patch
Size: 4179 bytes
Desc: not available
URL:

From simo at redhat.com Tue Jun 5 12:16:11 2012
From: simo at redhat.com (Simo Sorce)
Date: Tue, 05 Jun 2012 08:16:11 -0400
Subject: [Freeipa-devel] [PATCH] 492 Add options to reduce writes from KDC
In-Reply-To: <4FCD762A.4020809@redhat.com>
References: <1337985380.16840.643.camel@willson.li.ssimo.org> <4FCD762A.4020809@redhat.com>
Message-ID: <1338898571.8230.252.camel@willson.li.ssimo.org>

On Mon, 2012-06-04 at 22:59 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > The original ldap driver we used up to 2.2 had 2 options admins could
> > set to limit the amount of writes to the database on certain auditing
> > related operations.
> > In particular disable_last_success is really important to reduce the
> > load on database servers.
> >
> > I have implemented ticket #2734 with a little twist. Instead of adding
> > local options in krb5.conf I create global options in the LDAP tree, so
> > that all KDCs in the domain have the same configuration.
> >
> > The 2 new options can be set in ipaConfigString attribute of the
> > cn=ipaConfig object under cn=etc,$SUFFIX
> >
> > These are:
> > KDC:Disable Last Success
> > KDC:Disable Lockout
> >
> > The first string if set will disable updating the krbLastSuccessfulAuth
> > field in the service/user entry.
> > The second one will prevent changing any of the Lockout related fields
> > and will effectively disable lockout policies.
> >
> > I think we may want to set the first one by default in future.
> > The last successful auth field is not very interesting in general and is
> > cause for a lot of writes that pressure the LDAP server a lot and get
> > replicated everywhere with a storm multiplier effect we'd like to avoid.
> >
> > The lockout one instead happens only when there are failed authentication
> > attempts, this means it never happens when keytabs are used for example.
> > And even with users it should happen rarely enough that tracking lockouts
> > by default makes leaving these writes on by default a good tradeoff.
> >
> > Note that simply setting the lockout policy to never lockout is *not*
> > equivalent to setting KDC:Disable Lockout, as it does not prevent writes
> > to the database.
> >
> > I've tested setting KDC:Disable Last Success and it effectively prevents
> > MOD operations from showing up in the server access log.
> >
> > Any change to these configuration options requires a reconnection from
> > the KDC to the LDAP server, the simplest way to cause that is to restart
> > the KDC service.
> >
> > Simo.
>
> In ipadb_get_global_configs() should there be a call to LOG_OOM()?
>
> Also, if ipadb_simple_search() or ipadb_get_global_configs() fails
> should we log the result code when non-zero?

Well this code runs in the KDC, not in DIRSRV so LOG_OOM() wouldn't work. Perhaps we should add KDC_LOG() macros, but that would be a separate task imo.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From pvoborni at redhat.com Tue Jun 5 12:42:37 2012
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 05 Jun 2012 14:42:37 +0200
Subject: [Freeipa-devel] [PATCH] 147 Set network.http.sendRefererHeader to 2 on browser config
In-Reply-To: <4FCD768D.3090001@redhat.com>
References: <4FBF99FB.7090206@redhat.com> <4FC53FA6.5030906@redhat.com> <4FCC8B62.2030600@redhat.com> <4FCD768D.3090001@redhat.com>
Message-ID: <4FCDFEBD.5060908@redhat.com>

On 06/05/2012 05:01 AM, Rob Crittenden wrote:
> Petr Vobornik wrote:
>> On 05/29/2012 11:29 PM, Rob Crittenden wrote:
>>> Petr Vobornik wrote:
>>>> IPA web UI isn't functional when the browser doesn't send http headers.
>>>>
>>>> This patch adds functionality which sets the Firefox
>>>> network.http.sendRefererHeader configuration option to value '2' which
>>>> enables it.
>>>>
>>>> Possible values:
>>>> http://kb.mozillazine.org/Network.http.sendRefererHeader
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/2778
>>>
>>> Should we also add a message when referer is missing to check this
>>> setting in about:config?
>>
>> I'm not sure what you have in mind. We set the referer option so why
>> would the user check it afterwards?
>>
>> Yes the ticket was about checking the option but: If the user is configuring
>> the browser he wants the browser configured. So we should set all
>> options which are required. This is one of them. We have not been
>> notifying the user what was set, so I didn't add such a notification for
>> this option now as well.
>>
>> We might want to notify the user what options were changed but it's not
>> the topic of this ticket.
>
> I was thinking more for already configured browsers who then later mess
> with this value. It fails in a very non-obvious way.
>
> rob

I'm attaching a patch which slightly changes the displayed error message from:

Missing or invalid HTTP Referer, missing

to:

Missing HTTP referer. You have to configure your browser to send HTTP referer header.

Also I think we should document how to set it manually.
We already have documentation for the rest of browser configuration.

--
Petr Vobornik

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0153-Custom-Web-UI-error-message-for-IPA-error-911.patch
Type: text/x-patch
Size: 2895 bytes
Desc: not available
URL:

From rcritten at redhat.com Tue Jun 5 12:59:02 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 05 Jun 2012 08:59:02 -0400
Subject: [Freeipa-devel] [PATCH] 0057 Skip the fix_replica_memberof update plugin for non-root users
In-Reply-To: <1338883597.28796.31.camel@balmora.brq.redhat.com>
References: <4FCCD29A.90805@redhat.com> <1338825071.8230.217.camel@willson.li.ssimo.org> <1338883597.28796.31.camel@balmora.brq.redhat.com>
Message-ID: <4FCE0296.8030002@redhat.com>

Martin Kosek wrote:
> On Mon, 2012-06-04 at 11:51 -0400, Simo Sorce wrote:
>> On Mon, 2012-06-04 at 17:22 +0200, Petr Viktorin wrote:
>>> An update plugin needed root privileges, and aborted the update if an
>>> ordinary user ran it.
>>> With this patch the plugin is skipped with a warning in that case.
>>>
>>> https://fedorahosted.org/freeipa/ticket/2621
>>
>> Hi Petr,
>> I am not sure I like the proposed solution.
>>
>> If there is a legitimate reason to run this plugin as non-root (eg admin
>> user) then you should change the connection part to try to use GSSAPI
>> auth over ldap when non-root, not just throw a warning.
>>
>> If there is no reason for anyone but root to run this script then we
>> should just abort if not root IMO.
>>
>> Simo.
>>
>
> I would keep this script runnable for root users only. Regularly, this
> should not be run manually but as a part of RPM update which is done by
> root. It is being run manually only when something is broken anyway and
> I am not convinced that non-root users should be involved in such
> recovery.

I'd agree if root was actually needed for this. It is only needed because we're using ldapi and relying on autobind. The real trick is that this doesn't use GSSAPI. Many updates require the DM password. So the question becomes, do we have the DM password available in the plugin to bind if we're not running as root?

rob

From rcritten at redhat.com Tue Jun 5 13:00:39 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 05 Jun 2012 09:00:39 -0400
Subject: [Freeipa-devel] [PATCH] 0057 Skip the fix_replica_memberof update plugin for non-root users
In-Reply-To: <4FCDC8FC.6040406@redhat.com>
References: <4FCCD29A.90805@redhat.com> <1338825071.8230.217.camel@willson.li.ssimo.org> <1338883597.28796.31.camel@balmora.brq.redhat.com> <4FCDC8FC.6040406@redhat.com>
Message-ID: <4FCE02F7.5070103@redhat.com>

Petr Viktorin wrote:
> On 06/05/2012 10:06 AM, Martin Kosek wrote:
>> On Mon, 2012-06-04 at 11:51 -0400, Simo Sorce wrote:
>>> On Mon, 2012-06-04 at 17:22 +0200, Petr Viktorin wrote:
>>>> An update plugin needed root privileges, and aborted the update if an
>>>> ordinary user ran it.
>>>> With this patch the plugin is skipped with a warning in that case.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/2621
>>>
>>> Hi Petr,
>>> I am not sure I like the proposed solution.
>>>
>>> If there is a legitimate reason to run this plugin as non-root (eg admin
>>> user) then you should change the connection part to try to use GSSAPI
>>> auth over ldap when non-root, not just throw a warning.
>>>
>>> If there is no reason for anyone but root to run this script then we
>>> should just abort if not root IMO.
>>>
>>> Simo.
>>>
>>
>> I would keep this script runnable for root users only. Regularly, this
>> should not be run manually but as a part of RPM update which is done by
>> root. It is being run manually only when something is broken anyway and
>> I am not convinced that non-root users should be involved in such
>> recovery.
>>
>> Martin
>>
>
> Thanks for the advice. The attached patch only allows root to run
> ipa-ldap-updater.

NACK. It is very handy for developers to be able to run ipa-ldap-updater to test update files.

rob

From sigbjorn at nixtra.com Tue Jun 5 13:18:25 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Tue, 5 Jun 2012 15:18:25 +0200 (CEST)
Subject: [Freeipa-devel] About private ssh host keys in IPA
In-Reply-To: <1338557064.8230.120.camel@willson.li.ssimo.org>
References: <1338557064.8230.120.camel@willson.li.ssimo.org>
Message-ID: <25010.213.225.75.97.1338902305.squirrel@www.nixtra.com>

On Fri, June 1, 2012 15:24, Simo Sorce wrote:
> This is about Ticket 1978 (originally rhbz746036).
>
>
> This RFE asks for storing private SSH Host Keys in FreeIPA.
>
>
> We have been triaging this ticket today, and I have to admit I am biased
> toward simply closing down the ticket.
>
> However we want to reach out to the community and interested parties that
> opened the ticket to understand if there are reasons strong enough to consider implementing it.
>
> The reason I am against this is that in FreeIPA we already provide
> public Key integration. This means that when the host is re-installed new keys are loaded in IPA
> and clients do not get the obnoxious warning message that keys have changed, because enrolled
> clients (with the appropriate integration bits) trust FreeIPA so they do not need to ask the user
> to confirm on a key change.
>
> Storing Private Keys poses various liability issues, in order to be able
> to restore keys you need to give access to those keys to an admin, as there is no other way to
> authenticate just the host itself (it was just blown away and reinstalled). This means any admin
> account that can perform reinstalls needs to have access to *read* private keys out of LDAP, which
> means that A) The central tenet of Asymmetric authentication is that private keys
> are 'private'. B) keys are readable from LDAP to some accounts, any slight error in
> ACIs would risk exposing all private keys.
> C) most probably low level (junior admin) accounts will have read access
> to pretty much all private keys, because those admins are the ones tasked with re-installs.
> However
> those admins are also the ones less trusted, yet by giving them access to private keys they are
> enabled to perform MITM attacks against pretty much any of the machines managed by FreeIPA.
>
>
> For these reasons I am against storing SSH Private Keys. I would like to
> know what the reasons are to instead implement this feature and the security considerations around
> those reasons.
> From my point of view the balance between feature vs security issues
> trips in disfavor of implementing the feature but I am willing to be convinced otherwise if there
> are good reasons to, and security issues can be properly addressed with some clever scheme.
>

I think there has been some confusion here. What I was looking for was a way to prevent the users from receiving a message when ssh'ing into a host that's been reinstalled, that the host's key has changed.

I believe this will become available in the future version IPA 2.2 / RHEL 6.3?

Regards,
Siggi

From mkosek at redhat.com Tue Jun 5 13:55:36 2012
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 05 Jun 2012 15:55:36 +0200
Subject: [Freeipa-devel] [PATCH] 272-273 Add service membership to host objects
Message-ID: <1338904536.28796.41.camel@balmora.brq.redhat.com>

This set of patches
1) Adds support for uni-directional remote membership to baseldap plugin (like service->host membership in service managedby attribute) - patch 272
2) Adds support for service->host membership to host plugin using the new interface - patch 273

Martin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-272-add-global-support-for-remote-attribute-members.patch
Type: text/x-patch
Size: 21110 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-273-add-service-membership-to-host-objects.patch
Type: text/x-patch
Size: 2671 bytes
Desc: not available
URL:

From pviktori at redhat.com Tue Jun 5 14:15:40 2012
From: pviktori at redhat.com (Petr Viktorin)
Date: Tue, 05 Jun 2012 16:15:40 +0200
Subject: [Freeipa-devel] [PATCH] 0057 Skip the fix_replica_memberof update plugin for non-root users
In-Reply-To: <4FCE02F7.5070103@redhat.com>
References: <4FCCD29A.90805@redhat.com> <1338825071.8230.217.camel@willson.li.ssimo.org> <1338883597.28796.31.camel@balmora.brq.redhat.com> <4FCDC8FC.6040406@redhat.com> <4FCE02F7.5070103@redhat.com>
Message-ID: <4FCE148C.8030700@redhat.com>

On 06/05/2012 03:00 PM, Rob Crittenden wrote:
> Petr Viktorin wrote:
>> On 06/05/2012 10:06 AM, Martin Kosek wrote:
>>> On Mon, 2012-06-04 at 11:51 -0400, Simo Sorce wrote:
>>>> On Mon, 2012-06-04 at 17:22 +0200, Petr Viktorin wrote:
>>>>> An update plugin needed root privileges, and aborted the update if an
>>>>> ordinary user ran it.
>>>>> With this patch the plugin is skipped with a warning in that case.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/2621
>>>>
>>>> Hi Petr,
>>>> I am not sure I like the proposed solution.
>>>>
>>>> If there is a legitimate reason to run this plugin as non-root (eg
>>>> admin
>>>> user) then you should change the connection part to try to use GSSAPI
>>>> auth over ldap when non-root, not just throw a warning.
>>>>
>>>> If there is no reason for anyone but root to run this script then we
>>>> should just abort if not root IMO.
>>>>
>>>> Simo.
>>>>
>>>
>>> I would keep this script runnable for root users only. Regularly, this
>>> should not be run manually but as a part of RPM update which is done by
>>> root. It is being run manually only when something is broken anyway and
>>> I am not convinced that non-root users should be involved in such
>>> recovery.
>>>
>>> Martin
>>>
>>
>> Thanks for the advice. The attached patch only allows root to run
>> ipa-ldap-updater.
>
> NACK. It is very handy for developers to be able to run ipa-ldap-updater
> to test update files.
>
> rob

Developers can run it as root, I don't see a problem here.

--
Petr³
From rcritten at redhat.com Tue Jun 5 14:18:04 2012 
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 05 Jun 2012 10:18:04 -0400
Subject: [Freeipa-devel] [PATCH] 0057 Skip the fix_replica_memberof update plugin for non-root users
In-Reply-To: <4FCE148C.8030700@redhat.com>
References: <4FCCD29A.90805@redhat.com> <1338825071.8230.217.camel@willson.li.ssimo.org> <1338883597.28796.31.camel@balmora.brq.redhat.com> <4FCDC8FC.6040406@redhat.com> <4FCE02F7.5070103@redhat.com> <4FCE148C.8030700@redhat.com>
Message-ID: <4FCE151C.90603@redhat.com>

Petr Viktorin wrote:
> On 06/05/2012 03:00 PM, Rob Crittenden wrote:
>> Petr Viktorin wrote:
>>> On 06/05/2012 10:06 AM, Martin Kosek wrote:
>>>> On Mon, 2012-06-04 at 11:51 -0400, Simo Sorce wrote:
>>>>> On Mon, 2012-06-04 at 17:22 +0200, Petr Viktorin wrote:
>>>>>> An update plugin needed root privileges, and aborted the update if an
>>>>>> ordinary user ran it.
>>>>>> With this patch the plugin is skipped with a warning in that case.
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/2621
>>>>>
>>>>> Hi Petr,
>>>>> I am not sure I like the proposed solution.
>>>>>
>>>>> If there is a legitimate reason to run this plugin as non-root (eg
>>>>> admin
>>>>> user) then you should change the connection part to try to use GSSAPI
>>>>> auth over ldap when non-root, not just throw a warning.
>>>>>
>>>>> If there is no reason for anyone but root to run this script then we
>>>>> should just abort if not root IMO.
>>>>>
>>>>> Simo.
>>>>>
>>>>
>>>> I would keep this script runnable for root users only. Regularly, this
>>>> should not be run manually but as a part of RPM update which is done by
>>>> root. It is being run manually only when something is broken anyway and
>>>> I am not convinced that non-root users should be involved in such
>>>> recovery.
>>>>
>>>> Martin
>>>>
>>>
>>> Thanks for the advice. The attached patch only allows root to run
>>> ipa-ldap-updater.
>>
>> NACK. It is very handy for developers to be able to run ipa-ldap-updater
>> to test update files.
>>
>> rob
>
> Developers can run it as root, I don't see a problem here.

I'd really rather not. This does nothing requiring root permissions, it's all done over LDAP. I'd rather trade not running some plugins than always requiring root.

rob

From jfenal at gmail.com Tue Jun 5 14:38:35 2012
From: jfenal at gmail.com (Jérôme Fenal)
Date: Tue, 5 Jun 2012 16:38:35 +0200
Subject: [Freeipa-devel] About private ssh host keys in IPA
In-Reply-To: <25010.213.225.75.97.1338902305.squirrel@www.nixtra.com>
References: <1338557064.8230.120.camel@willson.li.ssimo.org> <25010.213.225.75.97.1338902305.squirrel@www.nixtra.com>
Message-ID:

2012/6/5 Sigbjorn Lie
>
>
> On Fri, June 1, 2012 15:24, Simo Sorce wrote:
> > This is about Ticket 1978 (originally rhbz746036).
> >
> >
> > This RFE asks for storing private SSH Host Keys in FreeIPA.
> >
> >
> > We have been triaging this ticket today, and I have to admit I am biased
> > toward simply closing down the ticket.
> >
> > However we want to reach out to the community and interested parties that
> > opened the ticket to understand if there are reasons strong enough to
> consider implementing it.
> >
> > The reason I am against this is that in FreeIPA we already provide
> > public Key integration. This means that when the host is re-installed
> new keys are loaded in IPA
> > and clients do not get the obnoxious warning message that keys have
> changed, because enrolled
> > clients (with the appropriate integration bits) trust FreeIPA so they do
> not need to ask the user
> > to confirm on a key change.
> >
> > Storing Private Keys poses various liability issues, in order to be able
> > to restore keys you need to give access to those keys to an admin, as
> there is no other way to
> > authenticate just the host itself (it was just blown away and
> reinstalled). This means any admin
> > account that can perform reinstalls needs to have access to *read*
> private keys out of LDAP, which
> > means that A) The central tenet of Asymmetric authentication is that
> private keys
> > are 'private'. B) keys are readable from LDAP to some accounts, any
> slight error in
> > ACIs would risk exposing all private keys.
> > C) most probably low level (junior admin) accounts will have read access
> > to pretty much all private keys, because those admins are the ones tasked
> with re-installs. However
> > those admins are also the ones less trusted, yet by giving them access
> to private keys they are
> > enabled to perform MITM attacks against pretty much any of the machines
> managed by FreeIPA.
> >
> >
> > For these reasons I am against storing SSH Private Keys. I would like to
> > know what the reasons are to instead implement this feature and the
> security considerations around
> > those reasons.
> > From my point of view the balance between feature vs security issues
> > trips in disfavor of implementing the feature but I am willing to be
> convinced otherwise if there
> > are good reasons to, and security issues can be properly addressed with
> some clever scheme.
> >
>
>
> I think there has been some confusion here. What I was looking for was a
> way to prevent the users
> from receiving a message when ssh'ing into a host that's been reinstalled,
> that the host's key has
> changed.
>
> I believe this will become available in the future version IPA 2.2 / RHEL 6.3?
>

So what you're looking for is an automatic deployment of known_hosts in a centralised way (/etc/ssh) each time a new machine is deployed in an IPA domain?

Regards,

J.

--
Jérôme Fenal - jfenal AT gmail.com - http://fenal.org/
Paris.pm - http://paris.mongueurs.net/

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rmeggins at redhat.com Tue Jun 5 16:43:56 2012
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 05 Jun 2012 12:43:56 -0400 (EDT)
Subject: [Freeipa-devel] [PATCH] 0042-0048 AD trusts support (master)
In-Reply-To: <20120605101947.GE8124@localhost.localdomain>
Message-ID:

----- Original Message -----
> On Mon, Jun 04, 2012 at 03:32:36PM +0300, Alexander Bokovoy wrote:
> > On Mon, 04 Jun 2012, Martin Kosek wrote:
> > >I did another round of testing and this is what I found so far:
> > >
> > >1) freeipa.spec.in was missing python-crypto BuildRequires (you
> > >fixed
> > >that)
> > >
> > >2) Unit tests need to be updated, currently there is about a dozen
> > >test
> > >case errors, e.g. extra ipakrbprincipalalias attribute in services
> > >or
> > >new ipakrbprincipal objectclass for hosts
> > Ok, will fix.
> >
> > >3) Replication did not work too well for me this time.
> > >ipa-replica-install reported just one issue during installation
> > >process:
> > >
> > >2012-06-04T09:42:51Z DEBUG [24/30]: enabling S4U2Proxy
> > >delegation
> > >2012-06-04T09:42:51Z DEBUG args=/usr/bin/ldapmodify -h
> > >vm-057.idm.lab.bos.redhat.com -v -f /tmp/ tmpifHccf -x -D
> > >cn=Directory Manager -y /tmp/tmppqaAdV
> > >2012-06-04T09:42:51Z DEBUG stdout=
> > >2012-06-04T09:42:51Z DEBUG
> > >stderr=ldap_initialize( ldap://vm-057.idm.lab.bos.redhat.com )
> > >ldapmodify: wrong attributeType at line 5, entry
> > >"cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=idm,
> > >dc=lab,dc=bos,dc=redhat,dc=com"
> > >
> > >2012-06-04T09:42:51Z CRITICAL Failed to load
> > >replica-s4u2proxy.ldif:
> > >Command '/usr/bin/ldapmodify -h vm-057.idm.lab.bos.redhat.com -v
> > >-f /tmp/tmpifHccf -x -D cn=Directory Manager -y /tmp/tmppqaAdV'
> > >returned non-zero exit status 247
> > Found and fixed. The issue was in not following RFC2849 when
> > specifying
> > multiple changetype operations, you need to split their definitions
> > by a
> > single line with '-' on it.
> >
> > I squashed the fix back to the original patch.
> > >
> > >But this may be just a symptom of some bigger issue. After the
> > >installation finished, DS did not start, it kept reporting
> > >Kerberos
> > >issues:

Does ps -ef|grep slapd show the ns-slapd process running?

> > >
> > >[04/Jun/2012:05:46:00 -0400] set_krb5_creds - Could not get
> > >initial
> > >credentials for principal
> > >[ldap/vm-057.idm.lab.bos.redhat.com at IDM.LAB.BOS.REDHAT.COM] in
> > >keytab
> > >[FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see
> > >e-text))
> > >[04/Jun/2012:05:46:00 -0400] - slapd started. Listening on All
> > >Interfaces port 389 for LDAP requests
> > >[04/Jun/2012:05:46:00 -0400] - Listening on All Interfaces port
> > >636 for
> > >LDAPS requests
> > >[04/Jun/2012:05:46:00 -0400] - Listening
> > >on /var/run/slapd-IDM-LAB-BOS-REDHAT-COM.socket for LDAPI requests

These last three lines mean the server is up and running.

> > >[04/Jun/2012:05:46:00 -0400] slapd_ldap_sasl_interactive_bind -
> > >Error:
> > >could not perform interactive bind for id [] mech [GSSAPI]: LDAP
> > >error
> > >-2 (Local error) (SASL(-1): generic failure: GSSAPI Error:
> > >Unspecified
> > >GSS failure. Minor code may provide more information (Credentials
> > >cache
> > >file '/tmp/krb5cc_498' not found)) errno 0 (Success)
> > >[04/Jun/2012:05:46:00 -0400] slapi_ldap_bind - Error: could not
> > >perform
> > >interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> > >[04/Jun/2012:05:46:00 -0400] NSMMReplicationPlugin -
> > >agmt="cn=meTovm-125.idm.lab.bos.redhat.com" (vm-125:389):
> > >Replication
> > >bind with GSSAPI auth failed: LDAP error -2 (Local error)
> > >(SASL(-1):
> > >generic failure: GSSAPI Error: Unspecified GSS failure. Minor
> > >code may
> > >provide more information (Credentials cache file '/tmp/krb5cc_498'
> > >not
> > >found))

These error messages should only appear at startup, and should go away once all of the ipa components (especially kdc) are up and running.
> > >
> > >When I run "ipactl restart", dirsrv started and I was able to
> > >kinit.
> > Maybe it is a timing issue?
> >
> > >
> > >4) Patch "Add separate attribute to store trusted domain SID"
> > >still has
> > >a wrong service part of the principal to be removed (s/ldap/cifs):
> > >
> > >+ dn3 = DN(u'cn=ipa-cifs-delegation-targets',
> > >api.env.container_s4u2proxy, self.suffix)
> > >+ member_principal3 = "ldap/%(fqdn)s@%(realm)s" %
> > >dict(fqdn=replica, realm=realm)
> > >+
> > >
> > >This leaves the CIFS entry in the S4U2Proxy configuration even after
> > >replica
> > >uninstallation.
> > Fixed and squashed back to the original patch.
> >
> > >Btw. these are the packages I use:
> > >389-ds-base-1.2.10.4-2.fc17.x86_64
> > >krb5-server-1.10-5.fc17.x86_64
> > >samba4-4.0.0-123alpha21.fc17.x86_64
> > Same here. For me anything newer than 1.2.10.4-2 will blow 389-ds.
>
>
> I tested your latest tree against w2k8r2 and was able to create and
> validate the trust. So ACK to the functional part.
>
> bye,
> Sumit
>
> >
> > --
> > / Alexander Bokovoy
> >
> > _______________________________________________
> > Freeipa-devel mailing list
> > Freeipa-devel at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-devel
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
>

From pviktori at redhat.com Tue Jun 5 16:53:52 2012
From: pviktori at redhat.com (Petr Viktorin)
Date: Tue, 05 Jun 2012 18:53:52 +0200
Subject: [Freeipa-devel] [PATCH] 0057 Skip the fix_replica_memberof update plugin for non-root users
In-Reply-To: <4FCE151C.90603@redhat.com>
References: <4FCCD29A.90805@redhat.com> <1338825071.8230.217.camel@willson.li.ssimo.org> <1338883597.28796.31.camel@balmora.brq.redhat.com> <4FCDC8FC.6040406@redhat.com> <4FCE02F7.5070103@redhat.com> <4FCE148C.8030700@redhat.com> <4FCE151C.90603@redhat.com>
Message-ID: <4FCE39A0.2000706@redhat.com>

On 06/05/2012 04:18 PM, Rob Crittenden wrote:
> Petr Viktorin wrote:
>> On 06/05/2012 03:00 PM, Rob Crittenden wrote:
>>> Petr Viktorin wrote:
>>>> On 06/05/2012 10:06 AM, Martin Kosek wrote:
>>>>> On Mon, 2012-06-04 at 11:51 -0400, Simo Sorce wrote:
>>>>>> On Mon, 2012-06-04 at 17:22 +0200, Petr Viktorin wrote:
>>>>>>> An update plugin needed root privileges, and aborted the update
>>>>>>> if an
>>>>>>> ordinary user ran it.
>>>>>>> With this patch the plugin is skipped with a warning in that case.
>>>>>>>
>>>>>>> https://fedorahosted.org/freeipa/ticket/2621
>>>>>>
>>>>>> Hi Petr,
>>>>>> I am not sure I like the proposed solution.
>>>>>>
>>>>>> If there is a legitimate reason to run this plugin as non-root (eg
>>>>>> admin
>>>>>> user) then you should change the connection part to try to use GSSAPI
>>>>>> auth over ldap when non-root, not just throw a warning.
>>>>>>
>>>>>> If there is no reason for anyone but root to run this script then we
>>>>>> should just abort if not root IMO.
>>>>>>
>>>>>> Simo.
>>>>>>
>>>>>
>>>>> I would keep this script runnable for root users only. Regularly, this
>>>>> should not be run manually but as a part of RPM update which is
>>>>> done by
>>>>> root. It is being run manually only when something is broken anyway
>>>>> and
>>>>> I am not convinced that non-root users should be involved in such
>>>>> recovery.
>>>>>
>>>>> Martin
>>>>>
>>>>
>>>> Thanks for the advice.
>>>> The attached patch only allows root to run
>>>> ipa-ldap-updater.
>>>
>>> NACK. It is very handy for developers to be able to run ipa-ldap-updater
>>> to test update files.
>>>
>>> rob
>>
>> Developers can run it as root, I don't see a problem here.
>
> I'd really rather not. This does nothing requiring root permissions,
> it's all done over LDAP. I'd rather trade not running some plugins than
> always requiring root.
>
> rob
>

Thanks for the info on how the tool is used. I looked into it deeper.

The proper fix would be to use the ldap2 backend here, instead of the IPAdmin. That's ticket 2660, and it'll be quite a lot of work to get ReplicationManager and tools that depend on that ported.

But, I think it makes sense to require root if (and only if) plugins are run. Justification below. Would that work for your use case?

There are currently three modes ipa-ldap-updater can run in:
1) --upgrade (needs root, runs plugins)
2) no --upgrade, either no files specified or --plugins (doesn't need root, runs plugins)
3) no --upgrade, specific files specified without --plugins (doesn't need root, doesn't run plugins)

I propose to make mode 2 require root.

There are two major uses of the script: install/upgrade (first two modes), and a developer testing update files (third or possibly second mode). Install/upgrade is always run as root, and the developer usually doesn't need to run the plugins (if they do, they should run as root anyway, so that some (parts of) plugins aren't skipped).

Some of the plugins ask to restart the DS. Without root privileges, the restart (but not the rest of the plugin) is skipped. I think this is just asking for trouble. Some plugins (or parts of plugins) don't need root, but I don't think singling these out and testing both cases is worth the effort.

--
Petr³

From edewata at redhat.com Tue Jun 5 18:38:52 2012
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 05 Jun 2012 13:38:52 -0500
Subject: [Freeipa-devel] [PATCH] 151, 152 Removal of illegal options in association dialog
In-Reply-To: <4FCCDCB7.5070902@redhat.com>
References: <4FCCDCB7.5070902@redhat.com>
Message-ID: <4FCE523C.6030108@redhat.com>

If I understood correctly the json_exclude_attrs already defines the list of attributes to be excluded, so is it still necessary to define json_only_presence_options which basically will remove all attributes except name? Suppose later you're writing the UI console where you can type the CLI commands in the UI, do you think attributes like doc would be needed to show in the command help?

If this is fine then ACK on both.

Btw, the static test data (i.e. ipa_init_*.json) should be updated as well. You might want to create some scripts in install/ui/test/bin to update these files similar to update_ipa_init.sh.

On 6/4/2012 11:05 AM, Petr Vobornik wrote:
> [PATCH] 152 Removal of illegal options in association dialog:
>
> Association dialogs were using non-existent options for find commands.
> It causes error when #2509 is implemented.
>
> Now when creating a find command a check for options existence is
> performed. Option is not used if not present in metadata. It fixes the
> issue.
>
> To be able to do this check properly patch 151 is required.
>
> [PATCH] 151 Change json serialization to serialize useful data:
>
> json_metadata command creates and sends metadata needed by Web UI. It
> uses __json__ method for serialization of commands, options, objects...
> . A lot of data sent was useless for Web UI and some useful information
> was missing. We
> * mostly CLI specific option attributes are not sent.
> * attributes evaluated to false or None are not sent
> * options which are sent are not got from takes_options attribute but by
> get_options() method. It finally sends useful option collection for
> commands part of metadata.
>
> In the end the raw amount of data sent is approximately the same.
>
> This patch is needed for Web UI to determine which option it can use in
> which commands.
>
> https://fedorahosted.org/freeipa/ticket/2760

-- 
Endi S. Dewata

From rcritten at redhat.com Tue Jun 5 19:46:05 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 05 Jun 2012 15:46:05 -0400
Subject: [Freeipa-devel] [PATCH] 1023 tool for configuring automount
Message-ID: <4FCE61FD.80801@redhat.com>

Here is a tool that can be used to configure automount in an IPA client. It can use either SSSD or autofs for automount. It also configures NFSv4 on the client so secure maps will work.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-1023-automount.patch
Type: text/x-diff
Size: 24447 bytes
Desc: not available
URL: 

From rcritten at redhat.com Tue Jun 5 20:29:46 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 05 Jun 2012 16:29:46 -0400
Subject: [Freeipa-devel] [PATCH] 41-2 During ipa-client-install verify forward and reverse dns lookup of server
In-Reply-To: 
References: <0E422ADE-6BC6-4085-A9EE-262403C7670E@citrixonline.com> <2BAFC1AA-C712-418B-B3C6-92D655193A28@citrixonline.com>
Message-ID: <4FCE6C3A.7020501@redhat.com>

JR Aquino wrote:
> On Feb 28, 2012, at 10:43 AM, JR Aquino wrote:
>
>> On Feb 23, 2012, at 3:56 PM, JR Aquino wrote:
>>
>>> ipa-server-install has a method for validating forward and reverse via ipaserver/install/installutils.py
>>> ipa-client-install does not currently have an equivalent
>>> This patch adds valid_dns to ipapython/ipautil.py to validate forward and reverse DNS
>>> This patch adds the valid_dns test in ipa-client/ipa-install/ipa-client-install to validate the dns of the FreeIPA server
>>>
>>> https://fedorahosted.org/freeipa/ticket/2438
>>
>> Rebased and corrected patch
>>
>>
>
> NEW Rebased and corrected patch

Is it possible to rebase this to master? I looked at it briefly and there is going to be an import loop if you try adding this to ipapython/ipautil. I'm not sure if the best solution is to move some things from ipalib/util into ipapython/ipautil or not, but it is certainly the simplest.

I think the approach is right, the code has just shifted significantly since 2.2 (new DNS resolver).

thanks

rob

From rcritten at redhat.com Tue Jun 5 21:16:23 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 05 Jun 2012 17:16:23 -0400
Subject: [Freeipa-devel] 43 Inherit nssldap security access settings during replica install
In-Reply-To: <4F4EA672.5080206@redhat.com>
References: <6325AF7E-0C3C-4729-AF4F-D24E6FE08572@citrixonline.com> <4F4EA672.5080206@redhat.com>
Message-ID: <4FCE7727.9060204@redhat.com>

Rob Crittenden wrote:
> JR Aquino wrote:
>> When making adjustments to increase the bind security settings of a
>> FreeIPA server, it is best practice to inherit those settings when
>> installing a new replica server.
>>
>> Inherit the following bind security settings when performing a replica
>> install:
>> 'nsslapd-allow-unauthenticated-binds',
>> 'nsslapd-require-secure-binds',
>> 'nsslapd-allow-anonymous-access',
>> 'nsslapd-minssf'
>>
>> https://fedorahosted.org/freeipa/ticket/1930
>>
>
> NACK
>
> There is a connection helper in service.py you can use, ldap_connect().
>
> Use it like:
>
> if not self.admin_conn:
>     self.ldap_connect()
>
> x = self.conn.addEntry(foo)

I rebased the patch to master and re-worked it a bit. JR, what do you think?

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jr43.patch
Type: text/x-diff
Size: 3134 bytes
Desc: not available
URL: 

From sigbjorn at nixtra.com Tue Jun 5 21:02:50 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Tue, 05 Jun 2012 23:02:50 +0200
Subject: [Freeipa-devel] About private ssh host keys in IPA
In-Reply-To: 
References: <1338557064.8230.120.camel@willson.li.ssimo.org> <25010.213.225.75.97.1338902305.squirrel@www.nixtra.com>
Message-ID: <4FCE73FA.4050701@nixtra.com>

On 06/05/2012 04:38 PM, Jérôme Fenal wrote:
> 2012/6/5 Sigbjorn Lie
>
> On Fri, June 1, 2012 15:24, Simo Sorce wrote:
> > This is about Ticket 1978 (originally rhbz746036).
> >
> > This RFE asks for storing private SSH Host Keys in FreeIPA.
> >
> > We have been triaging this ticket today, and I have to admit I am biased
> > toward simply closing down the ticket.
> >
> > However we want to reach out community and interested parties that
> > opened the ticket to understand if there are reasons strong enough to
> > consider implementing it.
> >
> > The reason I am against this is that in FreeIPA we already provide
> > public Key integration. This means that when the host is re-installed
> > new keys are loaded in IPA and clients do not get the obnoxious warning
> > message that keys have changed, because enrolled clients (with the
> > appropriate integration bits) trust FreeIPA so they do not need to ask
> > the user to confirm on a key change.
> >
> > Storing Private Keys poses various liability issues, in order to be able
> > to restore keys you need to give access to those keys to an admin, as
> > there is no other way to authenticate just the host itself (it was just
> > blown away and reinstalled). This means any admin account that can
> > perform reinstalls needs to have access to *read* private keys out of
> > LDAP, which means that A) The central tenet of Asymmetric authentication
> > is that private keys are 'private'. B) keys are readable from LDAP to
> > some accounts, any slight error in ACIs would risk exposing all private
> > keys. C) most probably low level (junior admin) accounts will have read
> > access to pretty much all private keys, because those admins are the
> > ones tasked with re-installs. However those admins are also the ones
> > less trusted, yet by giving them access to private keys they are enabled
> > to perform MITM attacks against pretty much any of the machines managed
> > by FreeIPA.
> >
> > For these reasons I am against storing SSH Private Keys. I would like to
> > know what are the reasons to instead implement this feature and the
> > security considerations around those reasons.
> > From my point of view the balance between feature vs security issues
> > trips in disfavor of implementing the feature but I am willing to be
> > convinced otherwise if there are good reasons to, and security issues
> > can be properly addressed with some clever scheme.
>
> I think there has been some confusion here. What I was looking for was a
> way to prevent the users from receiving a message when ssh'ing into a
> host that's been reinstalled, that the host's key has changed.
>
> I believe will become available in the future version IPA 2.2 / RHEL 6.3?
>
> So what you're looking for is an automatic deployment of known_hosts in
> a centralised way (/etc/ssh) each time a new machine is deployed in an
> IPA domain ?
>

No, I would like not having to update the existing known_hosts when a host is re-installed.

Rgds,
Siggi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From rcritten at redhat.com Tue Jun 5 21:35:19 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 05 Jun 2012 17:35:19 -0400
Subject: [Freeipa-devel] [PATCH] 272-273 Add service membership to host objects
In-Reply-To: <1338904536.28796.41.camel@balmora.brq.redhat.com>
References: <1338904536.28796.41.camel@balmora.brq.redhat.com>
Message-ID: <4FCE7B97.7020003@redhat.com>

Martin Kosek wrote:
> This set of patches
> 1) Adds a support for uni-directional remote membership to baseldap
> plugin (like service->host membership in service managedby attribute) -
> patch 272
> 2) Adds a support for service->host membership to host plugin using the
> new interface - patch 273
>
> Martin

Have you tried this in the UI? Are these new relationships already handled?

rob

From rcritten at redhat.com Tue Jun 5 21:43:06 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 05 Jun 2012 17:43:06 -0400
Subject: [Freeipa-devel] [PATCH] 0058 Prevent deletion of the last admin
In-Reply-To: <4FCDE1EF.40704@redhat.com>
References: <4FCDE1EF.40704@redhat.com>
Message-ID: <4FCE7D6A.6090209@redhat.com>

Petr Viktorin wrote:
> Raise an error when trying to delete the last user from the 'admins'
> group
>
> The 'admin' group name seems like something that shouldn't be hardcoded,
> but that's how it's done in the webui and some of our ACIs, and I don't
> see another solution short of adding a new attribute.
>
>
> https://fedorahosted.org/freeipa/ticket/2564
>

This looks ok, I think it should go further and prevent the last member to be removed from the admins group too.

rob

From dpal at redhat.com Wed Jun 6 02:23:07 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 05 Jun 2012 22:23:07 -0400
Subject: [Freeipa-devel] About private ssh host keys in IPA
In-Reply-To: <4FCE73FA.4050701@nixtra.com>
References: <1338557064.8230.120.camel@willson.li.ssimo.org> <25010.213.225.75.97.1338902305.squirrel@www.nixtra.com> <4FCE73FA.4050701@nixtra.com>
Message-ID: <4FCEBF0B.4060106@redhat.com>

On 06/05/2012 05:02 PM, Sigbjorn Lie wrote:
> On 06/05/2012 04:38 PM, Jérôme Fenal wrote:
>> 2012/6/5 Sigbjorn Lie
>>
>> On Fri, June 1, 2012 15:24, Simo Sorce wrote:
>> > This is about Ticket 1978 (originally rhbz746036).
>> >
>> > This RFE asks for storing private SSH Host Keys in FreeIPA.
>> >
>> > We have been triaging this ticket today, and I have to admit I am biased
>> > toward simply closing down the ticket.
>> >
>> > However we want to reach out community and interested parties that
>> > opened the ticket to understand if there are reasons strong enough to
>> > consider implementing it.
>> >
>> > The reason I am against this is that in FreeIPA we already provide
>> > public Key integration. This means that when the host is re-installed
>> > new keys are loaded in IPA and clients do not get the obnoxious warning
>> > message that keys have changed, because enrolled clients (with the
>> > appropriate integration bits) trust FreeIPA so they do not need to ask
>> > the user to confirm on a key change.
>> >
>> > Storing Private Keys poses various liability issues, in order to be able
>> > to restore keys you need to give access to those keys to an admin, as
>> > there is no other way to authenticate just the host itself (it was just
>> > blown away and reinstalled). This means any admin account that can
>> > perform reinstalls needs to have access to *read* private keys out of
>> > LDAP, which means that A) The central tenet of Asymmetric authentication
>> > is that private keys are 'private'. B) keys are readable from LDAP to
>> > some accounts, any slight error in ACIs would risk exposing all private
>> > keys. C) most probably low level (junior admin) accounts will have read
>> > access to pretty much all private keys, because those admins are the
>> > ones tasked with re-installs. However those admins are also the ones
>> > less trusted, yet by giving them access to private keys they are enabled
>> > to perform MITM attacks against pretty much any of the machines managed
>> > by FreeIPA.
>> >
>> > For these reasons I am against storing SSH Private Keys. I would like to
>> > know what are the reasons to instead implement this feature and the
>> > security considerations around those reasons.
>> > From my point of view the balance between feature vs security issues
>> > trips in disfavor of implementing the feature but I am willing to be
>> > convinced otherwise if there are good reasons to, and security issues
>> > can be properly addressed with some clever scheme.
>>
>> I think there has been some confusion here. What I was looking for was a
>> way to prevent the users from receiving a message when ssh'ing into a
>> host that's been reinstalled, that the host's key has changed.
>>
>> I believe will become available in the future version IPA 2.2 / RHEL 6.3?
>>
>> So what you're looking for is an automatic deployment of known_hosts
>> in a centralised way (/etc/ssh) each time a new machine is deployed
>> in an IPA domain ?
>>
>
> No, I would like not having to update the existing known_hosts when a
> host is re-installed.
>

But the ssh feature of IPA and SSSD will automatically maintain known_hosts for you, so it looks like the problem will be solved with what we have in 2.2. Have you given it a try?

>
> Rgds,
> Siggi
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From mkosek at redhat.com Wed Jun 6 06:01:40 2012
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 06 Jun 2012 08:01:40 +0200
Subject: [Freeipa-devel] [PATCH] 272-273 Add service membership to host objects
In-Reply-To: <4FCE7B97.7020003@redhat.com>
References: <1338904536.28796.41.camel@balmora.brq.redhat.com> <4FCE7B97.7020003@redhat.com>
Message-ID: <1338962500.9625.2.camel@balmora.brq.redhat.com>

On Tue, 2012-06-05 at 17:35 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > This set of patches
> > 1) Adds a support for uni-directional remote membership to baseldap
> > plugin (like service->host membership in service managedby attribute) -
> > patch 272
> > 2) Adds a support for service->host membership to host plugin using the
> > new interface - patch 273
> >
> > Martin
>
> Have you tried this in the UI? Are these new relationships already handled?
>
> rob

I just checked that I didn't break anything in the host page. But with this patch, we could add a tab with a list of services for a selected host. I will check with Petr if the information we provide is enough.

Martin

From pvoborni at redhat.com Wed Jun 6 07:11:33 2012
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 06 Jun 2012 09:11:33 +0200
Subject: [Freeipa-devel] [PATCH] 272-273 Add service membership to host objects
In-Reply-To: <1338962500.9625.2.camel@balmora.brq.redhat.com>
References: <1338904536.28796.41.camel@balmora.brq.redhat.com> <4FCE7B97.7020003@redhat.com> <1338962500.9625.2.camel@balmora.brq.redhat.com>
Message-ID: <4FCF02A5.90206@redhat.com>

On 06/06/2012 08:01 AM, Martin Kosek wrote:
> On Tue, 2012-06-05 at 17:35 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> This set of patches
>>> 1) Adds a support for uni-directional remote membership to baseldap
>>> plugin (like service->host membership in service managedby attribute) -
>>> patch 272
>>> 2) Adds a support for service->host membership to host plugin using the
>>> new interface - patch 273
>>>
>>> Martin
>>
>> Have you tried this in the UI? Are these new relationships already handled?
>>
>> rob
>
> I just checked that I didn't break anything in the host page. But with
> this patch, we could add a tab with a list of services for a selected
> host. I will check with Petr if the information we provide is enough.
>
> Martin
>

Provided information is sufficient for implementation of the UI part.

-- 
Petr Vobornik

From mkosek at redhat.com Wed Jun 6 07:17:15 2012
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 06 Jun 2012 09:17:15 +0200
Subject: [Freeipa-devel] [PATCH] 272-273 Add service membership to host objects
In-Reply-To: <4FCF02A5.90206@redhat.com>
References: <1338904536.28796.41.camel@balmora.brq.redhat.com> <4FCE7B97.7020003@redhat.com> <1338962500.9625.2.camel@balmora.brq.redhat.com> <4FCF02A5.90206@redhat.com>
Message-ID: <1338967035.9625.3.camel@balmora.brq.redhat.com>

On Wed, 2012-06-06 at 09:11 +0200, Petr Vobornik wrote:
> On 06/06/2012 08:01 AM, Martin Kosek wrote:
> > On Tue, 2012-06-05 at 17:35 -0400, Rob Crittenden wrote:
> >> Martin Kosek wrote:
> >>> This set of patches
> >>> 1) Adds a support for uni-directional remote membership to baseldap
> >>> plugin (like service->host membership in service managedby attribute) -
> >>> patch 272
> >>> 2) Adds a support for service->host membership to host plugin using the
> >>> new interface - patch 273
> >>>
> >>> Martin
> >>
> >> Have you tried this in the UI? Are these new relationships already handled?
> >>
> >> rob
> >
> > I just checked that I didn't break anything in the host page. But with
> > this patch, we could add a tab with a list of services for a selected
> > host. I will check with Petr if the information we provide is enough.
> >
> > Martin
> >
>
> Provided information is sufficient for implementation of the UI part.
>

Thanks Petr, I created a ticket for Web UI to implement this new relationship:
https://fedorahosted.org/freeipa/ticket/2812

Martin

From pviktori at redhat.com Wed Jun 6 09:32:13 2012
From: pviktori at redhat.com (Petr Viktorin)
Date: Wed, 06 Jun 2012 11:32:13 +0200
Subject: [Freeipa-devel] [PATCH] 0057 Only allow root to run update plugins
In-Reply-To: <4FCE39A0.2000706@redhat.com>
References: <4FCCD29A.90805@redhat.com> <1338825071.8230.217.camel@willson.li.ssimo.org> <1338883597.28796.31.camel@balmora.brq.redhat.com> <4FCDC8FC.6040406@redhat.com> <4FCE02F7.5070103@redhat.com> <4FCE148C.8030700@redhat.com> <4FCE151C.90603@redhat.com> <4FCE39A0.2000706@redhat.com>
Message-ID: <4FCF239D.6050102@redhat.com>

On 06/05/2012 06:53 PM, Petr Viktorin wrote:
> On 06/05/2012 04:18 PM, Rob Crittenden wrote:
>> Petr Viktorin wrote:
>>> On 06/05/2012 03:00 PM, Rob Crittenden wrote:
>>>> Petr Viktorin wrote:
>>>>> On 06/05/2012 10:06 AM, Martin Kosek wrote:
>>>>>> On Mon, 2012-06-04 at 11:51 -0400, Simo Sorce wrote:
>>>>>>> On Mon, 2012-06-04 at 17:22 +0200, Petr Viktorin wrote:
>>>>>>>> An update plugin needed root privileges, and aborted the update if an
>>>>>>>> ordinary user ran it.
>>>>>>>> With this patch the plugin is skipped with a warning in that case.
>>>>>>>>
>>>>>>>> https://fedorahosted.org/freeipa/ticket/2621
>>>>>>>
>>>>>>> Hi Petr,
>>>>>>> I am not sure I like the proposed solution.
>>>>>>>
>>>>>>> If there is a legitimate reason to run this plugin as non-root (eg admin
>>>>>>> user) then you should change the connection part to try to use GSSAPI
>>>>>>> auth over ldap when non-root, not just throw a warning.
>>>>>>>
>>>>>>> If there is no reason for anyone but root to run this script then we
>>>>>>> should just abort if not root IMO.
>>>>>>>
>>>>>>> Simo.
>>>>>>>
>>>>>>
>>>>>> I would keep this script runnable for root users only. Regularly, this
>>>>>> should not be run manually but as a part of RPM update which is done by
>>>>>> root. It is being run manually only when something is broken anyway and
>>>>>> I am not convinced that non-root users should be involved in such
>>>>>> recovery.
>>>>>>
>>>>>> Martin
>>>>>>
>>>>>
>>>>> Thanks for the advice. The attached patch only allows root to run
>>>>> ipa-ldap-updater.
>>>>
>>>> NACK. It is very handy for developers to be able to run ipa-ldap-updater
>>>> to test update files.
>>>>
>>>> rob
>>>
>>> Developers can run it as root, I don't see a problem here.
>>
>> I'd really rather not. This does nothing requiring root permissions,
>> it's all done over LDAP. I'd rather trade not running some plugins than
>> always requiring root.
>>
>> rob
>>
>
> Thanks for info on how the tool is used. I looked into it deeper.
> The proper fix would be to use the ldap2 backend here, instead of the
> IPAdmin. That's ticket 2660, and it'll be quite a lot of work to get
> ReplicationManager and tools that depend on that ported.
>
>
> But, I think it makes sense to require root if (and only if) plugins are
> run. Justification below. Would that work for your use case?
>
>
> There are currently three modes ipa-ldap-updater can run in:
> 1) --upgrade (needs root, runs plugins)
> 2) no --upgrade, either no files specified or --plugins (doesn't need
> root, runs plugins)
> 3) no --upgrade, specific files specified without --plugins (doesn't
> need root, doesn't run plugins)
>
> I propose to make mode 2 require root.
>
> There are two major uses of the script: install/upgrade (first two
> modes), and a developer testing update files (third or possibly second
> mode). Install/upgrade is always run as root, and the developer usually
> doesn't need to run the plugins (if they do, they should run as root
> anyway, so that some (parts of) plugins aren't skipped).
>
> Some of the plugins ask to restart the DS. Without root privileges, the
> restart (but not the rest of the plugin) is skipped. I think this is
> just asking for trouble.
> Some plugins (or parts of plugins) don't need root, but I don't think
> singling these out and testing both cases is worth the effort.
>

The attached patch implements the above.
I re-ordered the code a bit to put the checks before the DM password prompt, so you don't enter the password only to find out you had to use sudo or different options.

-- 
Petr³
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0057-03-Only-allow-root-to-run-update-plugins.patch
Type: text/x-patch
Size: 3758 bytes
Desc: not available
URL: 

From pviktori at redhat.com Wed Jun 6 09:34:52 2012
From: pviktori at redhat.com (Petr Viktorin)
Date: Wed, 06 Jun 2012 11:34:52 +0200
Subject: [Freeipa-devel] [PATCH] 0059 Fix update plugin order
Message-ID: <4FCF243C.8040907@redhat.com>

While messing with the ipa-ldap-updater, I found the order method was using an algorithm that could give incorrect results. I'm submitting a fix in an extra patch, as it's largely unrelated and shouldn't be so controversial.

-- 
Petr³
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0059-Fix-update-plugin-order.patch
Type: text/x-patch
Size: 1856 bytes
Desc: not available
URL: 

From abokovoy at redhat.com Wed Jun 6 09:50:53 2012
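The three ipa-ldap-updater modes and the "root if and only if plugins run" rule from the 0057 thread above, written out as an added Python illustration (not Petr Viktorin's patch or FreeIPA code); the function names, the injectable euid and the dict it returns are this example's own, and the privilege check deliberately runs before the Directory Manager password prompt.

```python
import os


def plan_run(upgrade, files, plugins, euid=None):
    """Classify an ipa-ldap-updater invocation and enforce the root rule.

    upgrade: True when --upgrade was given
    files:   update files named on the command line (may be empty)
    plugins: True when --plugins was given
    euid:    effective UID to check; injectable so the logic can be
             exercised without actually being root (example-only knob)

    Returns a dict {mode, runs_plugins, needs_root} or raises
    PermissionError when plugins would run without root.
    """
    if euid is None:
        euid = os.geteuid()

    # Mode 1 (--upgrade) and mode 2 (no files, or --plugins) run the
    # update plugins; mode 3 (specific files, no --plugins) does not.
    runs_plugins = bool(upgrade or plugins or not files)

    # The proposal from the thread: root is required exactly when plugins
    # run, so that a plugin's DS restart is never silently skipped.
    needs_root = runs_plugins
    if needs_root and euid != 0:
        raise PermissionError(
            "update plugins require root: re-run with sudo, or name "
            "specific update files without --plugins")

    if upgrade:
        mode = 1
    elif runs_plugins:
        mode = 2
    else:
        mode = 3
    return {"mode": mode, "runs_plugins": runs_plugins,
            "needs_root": needs_root}


def run_updater(upgrade, files, plugins, euid=None, ask_password=lambda: None):
    """Ordering the patch description calls for: check privileges first,
    prompt for the DM password only once the run is known to be allowed.
    ask_password is a stand-in for the interactive prompt."""
    plan = plan_run(upgrade, files, plugins, euid)
    plan["dm_password"] = ask_password()
    return plan
```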
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 6 Jun 2012 12:50:53 +0300
Subject: [Freeipa-devel] [PATCH] 0042-0048 AD trusts support (master)
In-Reply-To: <1338810226.30320.45.camel@balmora.brq.redhat.com>
References: <20120403104135.GD23171@redhat.com> <20120403145749.GD8996@localhost.localdomain> <1334242615.777.3.camel@balmora.brq.redhat.com> <20120412150803.GA24623@redhat.com> <1334243807.777.6.camel@balmora.brq.redhat.com> <1338810226.30320.45.camel@balmora.brq.redhat.com>
Message-ID: <20120606095053.GK25726@redhat.com>

On Mon, 04 Jun 2012, Martin Kosek wrote:
>2) Unit tests need to be updated, currently there is about a dozen test
>case errors, e.g. extra ipakrbprincipalalias attribute in services or
>new ipakrbprincipal objectclass for hosts
I did run unit tests. All passed except two which are not related to trusts code and were failing before as well.

All other issues found during previous rounds of the review are fixed and squashed in patches in my fedorapeople's tree.

======================================================================
FAIL: test_automember[39]: host_add: Create u'web5.ipa.local'
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/nose/case.py", line 197, in runTest
    self.test(*self.arg)
  File "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/test_xmlrpc/xmlrpc_test.py", line 249, in
    func = lambda: self.check(nice, **test)
  File "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/test_xmlrpc/xmlrpc_test.py", line 264, in check
    self.check_output(nice, cmd, args, options, expected, extra_check)
  File "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/test_xmlrpc/xmlrpc_test.py", line 290, in check_output
    assert_deepequal(expected, got, nice)
  File "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/util.py", line 331, in assert_deepequal
    assert_deepequal(e_sub, g_sub, doc, stack + (key,))
  File "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/util.py", line 325, in assert_deepequal
    doc, sorted(missing), sorted(extra), expected, got, stack
AssertionError: assert_deepequal: dict keys mismatch.
  test_automember[39]: host_add: Create u'web5.ipa.local'
  missing keys = []
  extra keys = ['memberof_hostgroup', 'memberofindirect_netgroup']
  expected = {'dn': u'fqdn=web5.ipa.local,cn=computers,cn=accounts,dc=ipa,dc=local', 'has_keytab': False, 'description': [u'Test host 3'], 'objectclass': [u'ipasshhost', u'ipaSshGroupOfPubKeys', u'ieee802device', u'ipaobject', u'nshost', u'ipahost', u'pkiuser', u'ipaservice', u'krbprincipalaux', u'krbprincipal', u'top'], 'l': [u'Undisclosed location 1'], 'fqdn': [u'web5.ipa.local'], 'has_password': False, 'ipauniqueid': [Fuzzy('^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$', , None)], 'krbprincipalname': [u'host/web5.ipa.local at IPA.LOCAL'], 'managedby_host': [u'web5.ipa.local']}
  got = {'dn': u'fqdn=web5.ipa.local,cn=computers,cn=accounts,dc=ipa,dc=local', 'has_keytab': False, 'description': (u'Test host 3',), 'objectclass': (u'ipaobject', u'nshost', u'ipahost', u'pkiuser', u'ipaservice', u'krbprincipalaux', u'krbprincipal', u'ieee802device', u'ipasshhost', u'top', u'ipaSshGroupOfPubKeys'), 'l': (u'Undisclosed location 1',), 'fqdn': (u'web5.ipa.local',), 'memberof_hostgroup': (u'hostgroup2',), 'has_password': False, 'ipauniqueid': (u'd08fbcb4-afb9-11e1-b06b-5254007ad848',), 'krbprincipalname': (u'host/web5.ipa.local at IPA.LOCAL',), 'managedby_host': (u'web5.ipa.local',), 'memberofindirect_netgroup': (u'hostgroup2',)}
  path = ('result',)

======================================================================
FAIL: test_group[21]: group_find: Search for all groups
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/nose/case.py", line 197, in runTest
    self.test(*self.arg)
  File "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/test_xmlrpc/xmlrpc_test.py", line 249, in
    func = lambda: self.check(nice, **test)
  File "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/test_xmlrpc/xmlrpc_test.py", line 264, in check
    self.check_output(nice, cmd, args, options, expected, extra_check)
  File "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/test_xmlrpc/xmlrpc_test.py", line 290, in check_output
    assert_deepequal(expected, got, nice)
  File "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/util.py", line 331, in assert_deepequal
    assert_deepequal(e_sub, g_sub, doc, stack + (key,))
  File "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/util.py", line 339, in assert_deepequal
    VALUE % (doc, expected, got, stack)
AssertionError: assert_deepequal: expected != got.
  test_group[21]: group_find: Search for all groups
  expected = 5
  got = 6
  path = ('count',)

----------------------------------------------------------------------
Ran 1407 tests in 358.194s

FAILED (errors=2, failures=2)
======================================================================
FAILED under '/usr/bin/python2.7'
** FAIL **

-- 
/ Alexander Bokovoy

From pvoborni at redhat.com Wed Jun 6 11:07:25 2012
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 06 Jun 2012 13:07:25 +0200
Subject: [Freeipa-devel] [PATCH] 492 Add options to reduce writes from KDC
In-Reply-To: <1337985380.16840.643.camel@willson.li.ssimo.org>
References: <1337985380.16840.643.camel@willson.li.ssimo.org>
Message-ID: <4FCF39ED.3090403@redhat.com>

On 05/26/2012 12:36 AM, Simo Sorce wrote:
> The original ldap driver we used up to 2.2 had 2 options admins could
> set to limit the amount of writes to the database on certain auditing
> related operations.
> In particular disable_last_success is really important to reduce the
> load on database servers.
>
> I have implemented ticket #2734 with a little twist. Instead of adding
> local options in krb5.conf I create global options in the LDAP tree, so
> that all KDCs in the domain have the same configuration.
>
> The 2 new options can be set in ipaConfigString attribute of the
> cn=ipaConfig object under cn=etc,$SUFFIX
>
> These are:
> KDC:Disable Last Success
> KDC:Disable Lockout
> 8><------------------------------
>
> Simo.
>

Attaching patch which adds these two new configuration values to Web UI.

-- 
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0154-Update-of-serverconfig-ipaconfigstring-options.patch
Type: text/x-patch
Size: 1442 bytes
Desc: not available
URL: 

From pvoborni at redhat.com Wed Jun 6 12:12:53 2012
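Simo's two KDC flags above are individual values of the multi-valued ipaConfigString attribute on cn=ipaConfig,cn=etc,$SUFFIX, so toggling one must add or delete that single value rather than replace the whole attribute. The Python below is an added example (not Simo's patch, not the Web UI patch, and not FreeIPA code) that reads the flags from an entry's values and computes the minimal LDIF change; the unrelated value 'SomeOtherSetting' is constructed, and matching values case-insensitively is this example's assumption, not something the thread states.

```python
KDC_DISABLE_LAST_SUCCESS = "KDC:Disable Last Success"
KDC_DISABLE_LOCKOUT = "KDC:Disable Lockout"
KDC_FLAGS = (KDC_DISABLE_LAST_SUCCESS, KDC_DISABLE_LOCKOUT)


def _norm(value):
    """Whitespace- and case-insensitive comparison key (assumption of this
    example; the thread does not say how the KDC matches the strings)."""
    return " ".join(value.split()).lower()


def kdc_settings(config_strings):
    """Map each KDC flag to whether it is present among the entry's
    ipaConfigString values."""
    present = {_norm(v) for v in config_strings}
    return {flag: _norm(flag) in present for flag in KDC_FLAGS}


def kdc_modifications(config_strings, disable_last_success=None,
                      disable_lockout=None):
    """Return (values_to_add, values_to_delete) that move the entry to the
    requested state. None leaves a flag untouched; values that are not KDC
    flags are never listed, so unrelated settings survive the modify."""
    current = kdc_settings(config_strings)
    wanted = {KDC_DISABLE_LAST_SUCCESS: disable_last_success,
              KDC_DISABLE_LOCKOUT: disable_lockout}
    add, delete = [], []
    for flag, desired in wanted.items():
        if desired is None or desired == current[flag]:
            continue  # nothing to change for this flag
        if desired:
            add.append(flag)
        else:
            # delete the value exactly as stored, so the LDAP server finds it
            delete.extend(v for v in config_strings if _norm(v) == _norm(flag))
    return add, delete


def to_ldif(suffix, add, delete):
    """Render the change as an ldapmodify LDIF (RFC 2849) against
    cn=ipaConfig,cn=etc,<suffix>; the flag values contain no leading
    space or colon, so no base64 encoding is needed."""
    lines = ["dn: cn=ipaConfig,cn=etc,%s" % suffix, "changetype: modify"]
    if add:
        lines.append("add: ipaConfigString")
        lines.extend("ipaConfigString: %s" % v for v in add)
        lines.append("-")
    if delete:
        lines.append("delete: ipaConfigString")
        lines.extend("ipaConfigString: %s" % v for v in delete)
        lines.append("-")
    return "\n".join(lines) + "\n"
```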
From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 06 Jun 2012 14:12:53 +0200 Subject: [Freeipa-devel] [PATCH] 151, 152 Removal of illegal options in association dialog In-Reply-To: <4FCE523C.6030108@redhat.com> References: <4FCCDCB7.5070902@redhat.com> <4FCE523C.6030108@redhat.com> Message-ID: <4FCF4945.8000905@redhat.com> On 06/05/2012 08:38 PM, Endi Sukma Dewata wrote: > If I understood correctly the json_exclude_attrs already defines the > list of attributes to be excluded, so is it still necessary to define > json_only_presence_options which basically will remove all attributes > except name? Suppose later you're writing the UI console where you can > type the CLI commands in the UI, do you think attributes like doc would > be needed to show in the command help? Depends on the implementation :). I think doc, labels and such would be very useful. In such case the missing attributes might be a problem. But it can be overcame by supplying it in other way because of the nature of the options in only_presences list (their attrs are same everywhere). Ideally I would not use the json_only_presence_options but it saves quite a lot of data. Btw, regarding the response size: if indentation in json.dump is disabled it save about 3/4 of the size - very handy. I don't want to do it yet because the ouput is not very readable (for devels). I think enabling gzip compression for /ipa/session/json might be a way too. > > If this is fine then ACK on both. I'm not sure if my reasoning can be considered 'fine'. > > Btw, the static test data (i.e. ipa_init_*.json) should be updated as > well. You might want to create some scripts in install/ui/test/bin to > update these files similar to update_ipa_init.sh. Ah, I forget to update it. I have a script which can handle both. I'll include updated ipa_init_object.json and ipa_init_command.json when pushing #152. I'm attaching the script, if you are interested. 
It works with form-based auth, so I can query the test machine from the devel machine without the test's krb5.conf. I'm using the script for generating other .json files. I haven't put it in git because of my frequent personal changes which might not be useful for others. > > > On 6/4/2012 11:05 AM, Petr Vobornik wrote: >> [PATCH] 152 Removal of illegal options in association dialog: >> >> Association dialogs were using non-existent options for find commands. >> It causes an error when #2509 is implemented. >> >> Now when creating a find command a check for option existence is >> performed. An option is not used if not present in metadata. It fixes the >> issue. >> >> To be able to do this check properly patch 151 is required. >> >> [PATCH] 151 Change json serialization to serialize useful data: >> >> json_metadata command creates and sends metadata needed by Web UI. It >> uses the __json__ method for serialization of commands, options, objects... >> . A lot of data sent was useless for Web UI and some useful information >> was missing. We >> * mostly CLI specific option attributes are not sent. >> * attributes evaluated to false or None are not sent >> * options which are sent are not got from the takes_options attribute but by >> the get_options() method. It finally sends a useful option collection for >> the commands part of metadata. >> >> In the end the raw amount of data sent is approximately the same. >> >> This patch is needed for Web UI to determine which option it can use in >> which commands. >> >> https://fedorahosted.org/freeipa/ticket/2760 > > -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: ipa-json.py Type: text/x-python Size: 17822 bytes Desc: not available URL: From pviktori at redhat.com Wed Jun 6 12:51:56 2012 
From: pviktori at redhat.com (Petr Viktorin) Date: Wed, 06 Jun 2012 14:51:56 +0200 Subject: [Freeipa-devel] [PATCH] 0058 Prevent deletion of the last admin In-Reply-To: <4FCE7D6A.6090209@redhat.com> References: <4FCDE1EF.40704@redhat.com> <4FCE7D6A.6090209@redhat.com> Message-ID: <4FCF526C.3070607@redhat.com> On 06/05/2012 11:43 PM, Rob Crittenden wrote: > Petr Viktorin wrote: >> Raise an error when trying to delete the last user from the 'admins' >> group >> >> The 'admin' group name seems like something that shouldn't be hardcoded, >> but that's how it's done in the webui and some of our ACIs, and I don't >> see another solution short of adding a new attribute. >> >> >> https://fedorahosted.org/freeipa/ticket/2564 >> > > This looks ok, I think it should go further and prevent the last member > to be removed from the admins group too. > > rob This updated patch prevents that, plus removing the admins group itself. -- Petr? -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0058-02-Prevent-deletion-of-the-last-admin.patch Type: text/x-patch Size: 8900 bytes Desc: not available URL: From mkosek at redhat.com Wed Jun 6 13:05:54 2012 
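The thread settles on three guards: refuse to delete the last user in 'admins', refuse to remove the last member from 'admins', and refuse to delete the 'admins' group itself. The code below is an added illustration of those guards against plain Python data, not the patch attached to the mail. It assumes, as the patch and the Web UI do, that the group name is hard-coded as 'admins', that names compare case-insensitively (LDAP cn does), and that only direct membership counts. It goes one step beyond the thread in treating a batch user-del as a whole: deleting all admins in one command must fail even though each user on its own is not the last one at the moment its check runs. LastMemberError is a local stand-in for the server-side error class.

```python
"""Added example of the last-admin guards discussed above.

Not the FreeIPA patch itself. Assumes the admin group is 'admins', that
group and user names compare case-insensitively, and that only direct
membership of the group is considered (nested groups are ignored).
"""

ADMIN_GROUP = "admins"


class LastMemberError(Exception):
    """Raised when an operation would leave 'admins' empty or remove it."""


def _norm(name):
    return name.strip().lower()


def check_user_del(users_to_delete, admins_members):
    """Refuse deleting the last admin.

    users_to_delete may be a batch (user-del accepts several names). The
    batch as a whole must leave at least one admin; checking names one by
    one would let 'user-del admin alice' pass both checks and lock
    everyone out.
    """
    doomed = {_norm(u) for u in users_to_delete}
    admins = {_norm(u) for u in admins_members}
    if admins and admins <= doomed:
        raise LastMemberError("cannot delete the last member(s) of %s: %s"
                              % (ADMIN_GROUP, ", ".join(sorted(admins))))


def check_group_remove_member(group, members_to_remove, current_members):
    """Refuse emptying 'admins' through group-remove-member."""
    if _norm(group) != ADMIN_GROUP:
        return
    remaining = ({_norm(m) for m in current_members}
                 - {_norm(m) for m in members_to_remove})
    if not remaining:
        raise LastMemberError("%s must keep at least one member" % ADMIN_GROUP)


def check_group_del(group):
    """Refuse deleting the 'admins' group itself."""
    if _norm(group) == ADMIN_GROUP:
        raise LastMemberError("group %s cannot be deleted" % ADMIN_GROUP)


def guarded(check, *args):
    """Run one of the checks and report whether the operation is allowed."""
    try:
        check(*args)
    except LastMemberError:
        return False
    return True


if __name__ == "__main__":
    # Constructed membership: 'admins' currently holds admin and alice.
    print(guarded(check_user_del, ["admin"], ["admin", "alice"]))        # True
    print(guarded(check_user_del, ["Admin", "ALICE"], ["admin", "alice"]))  # False
    print(guarded(check_group_del, "admins"))                            # False
```

In the real server these checks belong in the pre-callbacks of user-del, group-remove-member and group-del, where the current membership is read from the entry being modified rather than passed in.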
From: mkosek at redhat.com (Martin Kosek) Date: Wed, 06 Jun 2012 15:05:54 +0200 Subject: [Freeipa-devel] [PATCH] 274 Password change capability for form-based auth Message-ID: <1338987954.9625.19.camel@balmora.brq.redhat.com> You can use the attached script (changepw.py) to test the PW change interface from command line (on IPA server). --- IPA server web form-based authentication allows logins for users which for some reason cannot use Kerberos authentication. However, when a password for such users expires, they are unable to change the password via web interface. This patch adds a new WSGI script attached to URL /ipa/session/change_password which can be accessed without authentication and which provides password change capability for web services. The actual password change in the script is processed with kpasswd to be consistent with /ipa/session/login_password. Password result is passed both in the resulting HTML page, but also in HTTP headers for easier parsing in web services: X-IPA-Pwchange-Result: {ok, invalid-password, policy-error} (optional) X-IPA-Pwchange-Policy-Error: $policy_error_text https://fedorahosted.org/freeipa/ticket/2276 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-274-password-change-capability-for-form-based-auth.patch Type: text/x-patch Size: 10223 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: changepw.py Type: text/x-python Size: 1271 bytes Desc: not available URL: From pviktori at redhat.com Wed Jun 6 13:47:51 2012 
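The contract Martin describes is small: an unauthenticated POST to /ipa/session/change_password, and the outcome in the X-IPA-Pwchange-Result header with an optional X-IPA-Pwchange-Policy-Error. The client below is an added example, not the changepw.py attached to the mail and not the server-side script. The URL and the header names come from the description; the form field names `user`, `old_password` and `new_password` are an assumption made here for illustration. Because the endpoint has no session, the old password is the only proof of identity on the wire, so the client refuses anything but https. The header parser takes any mapping of headers and is exercised offline on constructed responses.

```python
"""Added example client for /ipa/session/change_password.

Not the changepw.py from the mail. Header names and the URL follow the
patch description; the form field names (user, old_password,
new_password) are an assumption for illustration.
"""
import urllib.error
import urllib.parse
import urllib.request

RESULTS = ("ok", "invalid-password", "policy-error")


def build_form(user, old_password, new_password):
    """application/x-www-form-urlencoded body for the POST (field names assumed)."""
    return urllib.parse.urlencode({
        "user": user,
        "old_password": old_password,
        "new_password": new_password,
    }).encode("utf-8")


def decode_form(body):
    """Inverse of build_form, used to check the encoding offline."""
    return {k: v[0] for k, v in urllib.parse.parse_qs(body.decode("utf-8")).items()}


def parse_pwchange_headers(headers):
    """Return (result, policy_error) from the X-IPA-Pwchange-* headers.

    headers: any object with .items() yielding (name, value) pairs, e.g. a
    dict or http.client.HTTPMessage. Header names are matched
    case-insensitively. A missing or unknown result is an error rather
    than a silent 'ok'.
    """
    lookup = {name.lower(): value.strip() for name, value in headers.items()}
    result = lookup.get("x-ipa-pwchange-result")
    if result not in RESULTS:
        raise ValueError("unexpected X-IPA-Pwchange-Result: %r" % (result,))
    policy_error = lookup.get("x-ipa-pwchange-policy-error")
    if result == "policy-error" and not policy_error:
        policy_error = "policy error (no X-IPA-Pwchange-Policy-Error header)"
    return result, policy_error


def change_password(base_url, user, old_password, new_password, timeout=30):
    """POST the change and return (result, policy_error).

    Only https is accepted: the old password in the body is the sole
    credential on this unauthenticated URL.
    """
    if not base_url.startswith("https://"):
        raise ValueError("refusing to send a password over %s" % base_url.split(":", 1)[0])
    req = urllib.request.Request(
        base_url.rstrip("/") + "/ipa/session/change_password",
        data=build_form(user, old_password, new_password),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return parse_pwchange_headers(resp.headers)
    except urllib.error.HTTPError as err:
        # If the server set the result headers on a non-2xx page they are
        # still readable here; otherwise parse_pwchange_headers raises.
        return parse_pwchange_headers(err.headers)


if __name__ == "__main__":
    # Constructed response headers, not captured from a server.
    print(parse_pwchange_headers({"X-IPA-Pwchange-Result": "policy-error",
                                  "X-IPA-Pwchange-Policy-Error": "Password is too short"}))
```

The endpoint accepts the old password from anyone who can reach it, so whatever lockout policy applies to kpasswd is what limits online guessing here; keep that in mind together with the "KDC:Disable Lockout" option discussed earlier in this thread.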
From: pviktori at redhat.com (Petr Viktorin) Date: Wed, 06 Jun 2012 15:47:51 +0200 Subject: [Freeipa-devel] FreeIPA test coverage Message-ID: <4FCF5F87.6020307@redhat.com> Hello, I've put some coverage reports, including some older data, here: http://fedorapeople.org/~pviktori/freeipa-htmlcov/ As you can see we're mostly slowly getting better in this regard. To see where tests are missing, click a report, then sort by the number of "missing" lines. Currently, the install code is worst (no surprise here). Of course, test coverage is only useful as a rough metric, not as an end to itself. For example, removing well-tested but unused code hurts the performance but (slightly) helps the project. I plan to put new reports up about twice a month. -- Petr? From edewata at redhat.com Wed Jun 6 15:23:35 2012 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 06 Jun 2012 10:23:35 -0500 Subject: [Freeipa-devel] [PATCH] 151, 152 Removal of illegal options in association dialog In-Reply-To: <4FCF4945.8000905@redhat.com> References: <4FCCDCB7.5070902@redhat.com> <4FCE523C.6030108@redhat.com> <4FCF4945.8000905@redhat.com> Message-ID: <4FCF75F7.5050304@redhat.com> On 6/6/2012 7:12 AM, Petr Vobornik wrote: > On 06/05/2012 08:38 PM, Endi Sukma Dewata wrote: >> If I understood correctly the json_exclude_attrs already defines the >> list of attributes to be excluded, so is it still necessary to define >> json_only_presence_options which basically will remove all attributes >> except name? Suppose later you're writing the UI console where you can >> type the CLI commands in the UI, do you think attributes like doc would >> be needed to show in the command help? > > Depends on the implementation :). I think doc, labels and such would be > very useful. In such case the missing attributes might be a problem. But > it can be overcome by supplying it in another way because of the nature of > the options in the only_presence list (their attrs are the same everywhere). > > Ideally I would not use the json_only_presence_options but it saves > quite a lot of data. > > Btw, regarding the response size: if indentation in json.dump is > disabled it saves about 3/4 of the size - very handy. I don't want to do > it yet because the output is not very readable (for devels). I think > enabling gzip compression for /ipa/session/json might be a way too. > >> If this is fine then ACK on both. > > I'm not sure if my reasoning can be considered 'fine'. If you already have a plan how to handle it later then it's fine. The code works as is, so I don't have any objection to push it now. About the indentation, how about adding a parameter to compress the output? So the UI can add something like 'compress=true' when pulling the metadata, then for now the server can just remove the indentations. 
Later you can add gzip compression too. For development you can still open the URL without this parameter and you'll get a nicely formatted output. >> Btw, the static test data (i.e. ipa_init_*.json) should be updated as >> well. You might want to create some scripts in install/ui/test/bin to >> update these files similar to update_ipa_init.sh. > > Ah, I forget to update it. I have a script which can handle both. I'll > include updated ipa_init_object.json and ipa_init_command.json when > pushing #152. > > I'm attaching the script, if you are interested. It works with > form-based auth, so I can query test machine from devel machine without > test's krb5.conf. I'm using the script for generating other .json files. > I haven't put to git because of my frequent personal changes which might > not be useful for others. Looks good. If you want you can also put it in a personal git repo, but just make sure they don't contain private information. Or make it configurable, and you can use a private wrapper script to supply your environment-specific settings. I'm doing something similar for PKI: http://fedorapeople.org/gitweb?p=edewata/public_git/pki-dev.git;a=tree This is a lower priority, but it might be useful to document how to setup a server (including the data) that can be used to generate the static test data. It can be step-by-step instructions or scripts. -- Endi S. Dewata From pvoborni at redhat.com Wed Jun 6 15:59:10 2012 
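Endi's proposal is a request parameter that switches the metadata serializer between a developer-readable form and a compact one, with gzip layered on later. The serializer below is an added example, not Petr's json_metadata code or Endi's suggestion verbatim; the function names and the `compress` flag are assumptions for illustration, and the metadata it serializes is a constructed dict in the shape the thread describes (commands with their options), not real server output. It shows the three sizes side by side and that a client can round-trip each form. One caveat worth knowing before enabling gzip on a session-bound endpoint: compressing a response that mixes a secret with attacker-influenced content is what the compression side-channel attacks (CRIME, BREACH) exploit; static command metadata contains neither, so it is a safe candidate.

```python
"""Added example: metadata serializer with a 'compress' switch and optional gzip.

Not FreeIPA code. serialize_metadata, decode_body and the compress flag are
assumed names; constructed_metadata() fabricates input in the shape
json_metadata sends and is not captured from a server.
"""
import gzip
import json


def constructed_metadata(n_commands=25):
    """Constructed metadata: n find commands, each with a few options."""
    commands = {}
    for i in range(n_commands):
        name = "obj%d_find" % i
        commands[name] = {
            "name": name,
            "takes_options": [
                {"name": "all", "type": "bool", "doc": "Retrieve and print all attributes"},
                {"name": "sizelimit", "type": "int", "doc": "Maximum number of entries returned"},
                {"name": "pkey_only", "type": "bool"},
            ],
        }
    return {"result": {"commands": commands}}


def _accepted_encodings(accept_encoding):
    """Names from an Accept-Encoding value, ignoring q-values."""
    return {part.strip().split(";")[0].lower()
            for part in accept_encoding.split(",") if part.strip()}


def serialize_metadata(data, compress=False, accept_encoding=""):
    """Return (body_bytes, headers) for a metadata response.

    compress=False keeps the indented output developers read; compress=True
    drops indentation and whitespace after separators, and additionally
    gzips the body when the client advertises gzip.
    """
    if compress:
        text = json.dumps(data, sort_keys=True, separators=(",", ":"))
    else:
        text = json.dumps(data, sort_keys=True, indent=4)
    body = text.encode("utf-8")
    headers = {"Content-Type": "application/json; charset=utf-8"}
    if compress and "gzip" in _accepted_encodings(accept_encoding):
        body = gzip.compress(body, compresslevel=6)
        headers["Content-Encoding"] = "gzip"
        headers["Vary"] = "Accept-Encoding"
    headers["Content-Length"] = str(len(body))
    return body, headers


def decode_body(body, headers):
    """Client side: inflate if needed and parse the JSON back."""
    if headers.get("Content-Encoding") == "gzip":
        body = gzip.decompress(body)
    return json.loads(body.decode("utf-8"))


def size_report(data):
    """Byte sizes of the same metadata in the three encodings."""
    return {
        "indented": len(serialize_metadata(data)[0]),
        "compact": len(serialize_metadata(data, compress=True)[0]),
        "gzip": len(serialize_metadata(data, compress=True, accept_encoding="gzip")[0]),
    }


if __name__ == "__main__":
    print(size_report(constructed_metadata()))
```

Note that the compact form uses `separators=(",", ":")` as well as `indent=None`; json.dumps without indent still emits a space after every comma and colon, so dropping the indentation alone leaves part of the saving on the table.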
From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 06 Jun 2012 17:59:10 +0200 Subject: [Freeipa-devel] [PATCH] 155 Action panel for host enrollment Message-ID: <4FCF7E4E.8000000@redhat.com> Widgets in host enrollment sections were modified. They now serve only to display the has_key and has_password status. Functionality for setting otp and unprovisioning was moved to separate dialogs. Execution points for opening these dialogs are items in the new action panel in the enrollment section. https://fedorahosted.org/freeipa/ticket/2251 -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0155-Action-panel-for-host-enrollment.patch Type: text/x-patch Size: 19242 bytes Desc: not available URL: From spoore at redhat.com Wed Jun 6 21:49:14 2012 From: spoore at redhat.com (Scott Poore) Date: Wed, 06 Jun 2012 17:49:14 -0400 (EDT) Subject: [Freeipa-devel] Allowing existing IPA hosts to be used for installing a replica In-Reply-To: <57c608cf-2b25-4ab8-9db1-9ad4db9c14a5@zmail09.collab.prod.int.phx2.redhat.com> Message-ID: Running this by the mailing list to see if I should open an RFE. Should we have the ability to install replicas where the host entries already exist in IPA? So, we could in theory do a host-add before running ipa-replica-install on the soon to be replica. There may be some useful cases for supporting this. Could be useful in a location that starts growing for "promoting" a client to a Replica for use in that location. Maybe as an override flag to the ipa-replica-install command? Thoughts? Scott -- Scott Poore Senior Quality Assurance Engineer Red Hat, Inc. From rcritten at redhat.com Thu Jun 7 03:08:38 2012 
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 06 Jun 2012 23:08:38 -0400 Subject: [Freeipa-devel] Allowing existing IPA hosts to be used for installing a replica In-Reply-To: References: Message-ID: <4FD01B36.2040308@redhat.com> Scott Poore wrote: > Running this by the mailing list to see if I should open an RFE. > > Should we have the ability to install replicas where the host entries already exist in IPA? > > So, we could in theory do a host-add before running ipa-replica-install on the soon to be replica. There may be some useful cases for supporting this. Could be useful in a location that starts growing for "promoting" a client to a Replica for use in that location. Maybe as an override flag to the ipa-replica-install command? > > Thoughts? I asked Scott to pose this to the list. I'm a little uneasy about it but perhaps I'm just paranoid. This isn't proposing that an enrolled client be able to become a replica, but right now if a host entry exists for a target replica server we require it be removed before proceeding. The reason being we don't know what else is associated with that host (well, we do, but it sure seems like a lot of work to fetch it all). The host could already have an HTTP server, for example. Or it could have other certs or services. So the question is, is it adequate to require the removal or should we go through the trouble to see if there are any conflicting services? We don't have a TGT when preparing a replica so this would mean a bit of manual LDAP work which could very well be a pain source in the future. rob From mkosek at redhat.com Thu Jun 7 07:48:41 2012 
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 07 Jun 2012 09:48:41 +0200 Subject: [Freeipa-devel] [PATCH] 0042-0048 AD trusts support (master) In-Reply-To: <20120606095053.GK25726@redhat.com> References: <20120403104135.GD23171@redhat.com> <20120403145749.GD8996@localhost.localdomain> <1334242615.777.3.camel@balmora.brq.redhat.com> <20120412150803.GA24623@redhat.com> <1334243807.777.6.camel@balmora.brq.redhat.com> <1338810226.30320.45.camel@balmora.brq.redhat.com> <20120606095053.GK25726@redhat.com> Message-ID: <1339055321.7369.1.camel@balmora.brq.redhat.com> On Wed, 2012-06-06 at 12:50 +0300, Alexander Bokovoy wrote: > On Mon, 04 Jun 2012, Martin Kosek wrote: > >2) Unit tests need to be updated, currently there is about a dozen test > >case errors, e.g. extra ipakrbprincipalalias attribute in services or > >new ipakrbprincipal objectclass for hosts > I did run unit tests. All passed except two which are not related to > trusts code and were failing before as well. All other issues found > during previous rounds of the review are fixed and squashed in patches > in my fedorapeople's tree. 
> > ====================================================================== > FAIL: test_automember[39]: host_add: Create u'web5.ipa.local' > ---------------------------------------------------------------------- > Traceback (most recent call last): > File "/usr/lib/python2.7/site-packages/nose/case.py", line 197, in runTest > self.test(*self.arg) > File "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/test_xmlrpc/xmlrpc_test.py", line 249, in > func = lambda: self.check(nice, **test) > File "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/test_xmlrpc/xmlrpc_test.py", line 264, in check > self.check_output(nice, cmd, args, options, expected, extra_check) > File "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/test_xmlrpc/xmlrpc_test.py", line 290, in check_output > assert_deepequal(expected, got, nice) > File "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/util.py", line 331, in assert_deepequal > assert_deepequal(e_sub, g_sub, doc, stack + (key,)) > File "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/util.py", line 325, in assert_deepequal > doc, sorted(missing), sorted(extra), expected, got, stack > AssertionError: assert_deepequal: dict keys mismatch. 
> test_automember[39]: host_add: Create u'web5.ipa.local' > missing keys = [] > extra keys = ['memberof_hostgroup', 'memberofindirect_netgroup'] > expected = {'dn': u'fqdn=web5.ipa.local,cn=computers,cn=accounts,dc=ipa,dc=local', > 'has_keytab': False, 'description': [u'Test host 3'], 'objectclass': > [u'ipasshhost', u'ipaSshGroupOfPubKeys', u'ieee802device', u'ipaobject', > u'nshost', u'ipahost', u'pkiuser', u'ipaservice', u'krbprincipalaux', > u'krbprincipal', u'top'], 'l': [u'Undisclosed location 1'], 'fqdn': > [u'web5.ipa.local'], 'has_password': False, 'ipauniqueid': > [Fuzzy('^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$', > , None)], 'krbprincipalname': > [u'host/web5.ipa.local at IPA.LOCAL'], 'managedby_host': > [u'web5.ipa.local']} > got = {'dn': u'fqdn=web5.ipa.local,cn=computers,cn=accounts,dc=ipa,dc=local', > 'has_keytab': False, 'description': (u'Test host 3',), 'objectclass': > (u'ipaobject', u'nshost', u'ipahost', u'pkiuser', u'ipaservice', > u'krbprincipalaux', u'krbprincipal', u'ieee802device', u'ipasshhost', > u'top', u'ipaSshGroupOfPubKeys'), 'l': (u'Undisclosed location 1',), > 'fqdn': (u'web5.ipa.local',), 'memberof_hostgroup': (u'hostgroup2',), > 'has_password': False, 'ipauniqueid': > (u'd08fbcb4-afb9-11e1-b06b-5254007ad848',), 'krbprincipalname': > (u'host/web5.ipa.local at IPA.LOCAL',), 'managedby_host': > (u'web5.ipa.local',), 'memberofindirect_netgroup': (u'hostgroup2',)} > path = ('result',) > > ====================================================================== > FAIL: test_group[21]: group_find: Search for all groups > ---------------------------------------------------------------------- > Traceback (most recent call last): > File "/usr/lib/python2.7/site-packages/nose/case.py", line 197, in runTest > self.test(*self.arg) > File "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/test_xmlrpc/xmlrpc_test.py", line 249, in > func = lambda: self.check(nice, **test) > File 
"/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/test_xmlrpc/xmlrpc_test.py", line 264, in check > self.check_output(nice, cmd, args, options, expected, extra_check) > File "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/test_xmlrpc/xmlrpc_test.py", line 290, in check_output > assert_deepequal(expected, got, nice) > File "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/util.py", line 331, in assert_deepequal > assert_deepequal(e_sub, g_sub, doc, stack + (key,)) > File "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/util.py", line 339, in assert_deepequal > VALUE % (doc, expected, got, stack) > AssertionError: assert_deepequal: expected != got. > test_group[21]: group_find: Search for all groups > expected = 5 > got = 6 > path = ('count',) > > ---------------------------------------------------------------------- > Ran 1407 tests in 358.194s > > FAILED (errors=2, failures=2) > ====================================================================== > FAILED under '/usr/bin/python2.7' > > ** FAIL ** > It may have been an issue on my side. I will open a ticket if I hit a unit test error again. I did a next round of review for your patches, I did not find any show-stopper why not to push your patches. Lets get them grilled also by other team members :-)I just logged one issue I found with ipa-adtrust-install: https://fedorahosted.org/freeipa/ticket/2815 ACK. Pushed all 13 patches to master. Martin From abokovoy at redhat.com Thu Jun 7 07:56:58 2012 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 7 Jun 2012 10:56:58 +0300 Subject: [Freeipa-devel] [PATCH] 0042-0048 AD trusts support (master) In-Reply-To: <1339055321.7369.1.camel@balmora.brq.redhat.com> References: <20120403104135.GD23171@redhat.com> <20120403145749.GD8996@localhost.localdomain> <1334242615.777.3.camel@balmora.brq.redhat.com> <20120412150803.GA24623@redhat.com> <1334243807.777.6.camel@balmora.brq.redhat.com> <1338810226.30320.45.camel@balmora.brq.redhat.com> <20120606095053.GK25726@redhat.com> <1339055321.7369.1.camel@balmora.brq.redhat.com> Message-ID: <20120607075658.GM25726@redhat.com> On Thu, 07 Jun 2012, Martin Kosek wrote: >It may have been an issue on my side. I will open a ticket if I hit a >unit test error again. > >I did a next round of review for your patches, I did not find any >show-stopper why not to push your patches. Lets get them grilled also by >other team members :-)I just logged one issue I found with >ipa-adtrust-install: >https://fedorahosted.org/freeipa/ticket/2815 I think we should do a check on whether we have a valid ticket prior to doing configuration, similar to how we check DM password availability. Besides the keytab fetch we also need to create the service which requires appropriate admin permissions. >ACK. Pushed all 13 patches to master. Great! Thanks for the thorough review. Sumit, please rebase and send your remaining patches for review. -- / Alexander Bokovoy From pvoborni at redhat.com Thu Jun 7 08:52:58 2012 
From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 07 Jun 2012 10:52:58 +0200 Subject: [Freeipa-devel] [PATCH] 156 Action panel for service provisioning Message-ID: <4FD06BEA.3020905@redhat.com> The service provisioning status widget was modified to display only the has_keytab status. The button for 'delete key, unprovision' was moved as an action to the newly created action panel in the same section. This required moving the creation of the unprovisioning dialog from that widget to a new separate dialog. The action for the action panel and all required status evaluators for enabling/disabling that action were also created. https://fedorahosted.org/freeipa/ticket/2252 -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0156-Action-panel-for-service-provisioning.patch Type: text/x-patch Size: 9911 bytes Desc: not available URL: From sbose at redhat.com Thu Jun 7 09:27:29 2012 
From: sbose at redhat.com (Sumit Bose) Date: Thu, 7 Jun 2012 11:27:29 +0200 Subject: [Freeipa-devel] [PATCH] 18 Add external domain extop DS plugin In-Reply-To: <20120323125234.GU2301@localhost.localdomain> References: <20120323125234.GU2301@localhost.localdomain> Message-ID: <20120607092729.GM8124@localhost.localdomain> On Fri, Mar 23, 2012 at 01:52:34PM +0100, Sumit Bose wrote: > Hi, > > these two patches introduce a new extended operation to the IPA server > which can be used by clients in the IPA domain to obtain information > about users and groups from trusted domains. Currently this exop is used > by the sssd sub-domain patch to map user names from a trusted AD domain > to a SID and back. There is also some code for other kinds of requests > which might become useful in future, e.g. with a trusted IPA domain. > > I added some unit tests and added a check for the check unit test framework > for C (http://check.sourceforge.net/) which is used by sssd as well. I > modified the spec file so that the test is run during the build of the > packages. I hope this is ok. > > The patches depend on the idmap library patch which was ACKed recently > on sssd-devel and as mentioned before the sub-domain patches on > sssd-devel can only be fully tested with an IPA server which has these > patches applied. > > Since Alexander is currently rewriting parts of the ipa-adtrust-install > utility I stand back from adding activation code for the exop to > ipa-adtrust-install and will send a patch when Alexander's changes are > available. So currently extdom-extop-conf.ldif has to be loaded manually > after replacing $SUFFIX to activate the new exop. > > bye, > Sumit Please find a rebased version of the patches which work on top of Alexander's latest series of patches. The patches now also contain the loading of extdom-extop-conf.ldif and the activation of winbind. bye, Sumit -------------- next part -------------- From 25c893670d60b3308a60f57130827d2e0465ec58 Mon Sep 17 00:00:00 2001 
From: Sumit Bose Date: Mon, 12 Dec 2011 11:32:06 +0100 Subject: [PATCH] Add configure check for C Unit-Test framework check The framework can be found at http://check.sourceforge.net. --- daemons/configure.ac | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/daemons/configure.ac b/daemons/configure.ac index deaa47358445fa552f5a9b53c9b65a9550b71d9e..547c907f3c6327507e7b01f7642c7db4a7409391 100644 --- a/daemons/configure.ac +++ b/daemons/configure.ac @@ -240,6 +240,16 @@ PKG_CHECK_MODULES([SAMBAUTIL], [samba-util]) SAMBA40EXTRA_LIBPATH="-L`$PKG_CONFIG --variable=libdir samba-util`/samba" AC_SUBST(SAMBA40EXTRA_LIBPATH) +dnl --------------------------------------------------------------------------- +dnl - Check for check unit test framework http://check.sourceforge.net/ +dnl --------------------------------------------------------------------------- +PKG_CHECK_MODULES([CHECK], [check >= 0.9.5], [have_check=1], [have_check=]) +if test x$have_check = x; then + AC_MSG_WARN([Without the 'CHECK' library, you will be unable to run all tests in the 'make check' suite]) +else + AC_CHECK_HEADERS([check.h],,AC_MSG_ERROR([Could not find CHECK headers])) +fi +AM_CONDITIONAL([HAVE_CHECK], [test x$have_check != x]) dnl --------------------------------------------------------------------------- dnl - Set the data install directory since we don't use pkgdatadir -- 1.7.10.2 -------------- next part -------------- From b29b4da58619c7497c078480274066e1eef285d5 Mon Sep 17 00:00:00 2001 
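Review bot: in the configure.ac hunk the `AC_CHECK_HEADERS([check.h],,AC_MSG_ERROR([Could not find CHECK headers]))` test runs with the default CPPFLAGS, so when pkg-config finds check under a non-default prefix the header probe fails and aborts configure even though `$CHECK_CFLAGS` would have located it; save CPPFLAGS, append `$CHECK_CFLAGS` around the header test and restore afterwards, or drop the header test and trust the pkg-config result. The error is also inconsistent with the branch above it, which treats check as optional and only warns that the `make check` suite will be incomplete: a missing header should degrade to `have_check=` rather than stop the build.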
From: Sumit Bose Date: Wed, 30 Nov 2011 13:29:10 +0100 Subject: [PATCH] Add external domain extop DS plugin This extop can be used by clients of the IPA domain, e.g. sssd, to retrieve data from trusted external domains. It can be used e.g. to map Windows SIDs to user or group names and back. --- daemons/configure.ac | 19 +- daemons/ipa-slapi-plugins/Makefile.am | 1 + .../ipa-slapi-plugins/ipa-extdom-extop/Makefile.am | 74 +++ .../ipa-extdom-extop/ipa-extdom-extop-conf.ldif | 16 + .../ipa-extdom-extop/ipa_extdom.h | 153 ++++++ .../ipa-extdom-extop/ipa_extdom_common.c | 498 ++++++++++++++++++++ .../ipa-extdom-extop/ipa_extdom_extop.c | 236 ++++++++++ .../ipa-extdom-extop/ipa_extdom_tests.c | 203 ++++++++ freeipa.spec.in | 8 + ipaserver/install/adtrustinstance.py | 14 +- ipaserver/install/service.py | 3 +- 11 files changed, 1222 insertions(+), 3 deletions(-) create mode 100644 daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am create mode 100644 daemons/ipa-slapi-plugins/ipa-extdom-extop/README create mode 100644 daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa-extdom-extop-conf.ldif create mode 100644 daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h create mode 100644 daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c create mode 100644 daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c create mode 100644 daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_tests.c diff --git a/daemons/configure.ac b/daemons/configure.ac index 547c907f3c6327507e7b01f7642c7db4a7409391..8f026883569700fc0cd1c60b314cc87ccdbc8c57 100644 --- a/daemons/configure.ac +++ b/daemons/configure.ac 
@@ -237,8 +237,19 @@ PKG_CHECK_MODULES([NDRPAC], [ndr_krb5pac]) PKG_CHECK_MODULES([NDRNBT], [ndr_nbt]) PKG_CHECK_MODULES([NDR], [ndr]) PKG_CHECK_MODULES([SAMBAUTIL], [samba-util]) -SAMBA40EXTRA_LIBPATH="-L`$PKG_CONFIG --variable=libdir samba-util`/samba" +SAMBA40EXTRA_LIBPATH="-L`$PKG_CONFIG --variable=libdir samba-util`/samba -Wl,-rpath=`$PKG_CONFIG --variable=libdir samba-util`/samba" AC_SUBST(SAMBA40EXTRA_LIBPATH) +AC_CHECK_HEADERS([samba-4.0/wbclient.h], + , + [AC_MSG_ERROR([samba-4.0/wbclient.h not found])], + [#include + #include ]) +AC_CHECK_LIB([wbclient], + [wbcLookupSid], + [WBCLIENT_LIBS="$SAMBA40EXTRA_LIBPATH -lwbclient"], + [AC_MSG_ERROR([libwbclient does not have wbcLookupSid])], + [$SAMBA40EXTRA_LIBPATH]) +AC_SUBST(WBCLIENT_LIBS) dnl --------------------------------------------------------------------------- dnl - Check for check unit test framework http://check.sourceforge.net/ @@ -251,6 +262,11 @@ else fi AM_CONDITIONAL([HAVE_CHECK], [test x$have_check != x]) +dnl -- dirsrv is needed for the extdom unit tests -- +PKG_CHECK_MODULES([DIRSRV], [dirsrv]) +dnl -- sss_idmap is needed by the extdom exop -- +PKG_CHECK_MODULES([SSSIDMAP], [sss_idmap]) + dnl --------------------------------------------------------------------------- dnl - Set the data install directory since we don't use pkgdatadir dnl --------------------------------------------------------------------------- @@ -320,6 +336,7 @@ AC_CONFIG_FILES([ ipa-slapi-plugins/ipa-enrollment/Makefile ipa-slapi-plugins/ipa-lockout/Makefile ipa-slapi-plugins/ipa-pwd-extop/Makefile + ipa-slapi-plugins/ipa-extdom-extop/Makefile ipa-slapi-plugins/ipa-winsync/Makefile ipa-slapi-plugins/ipa-version/Makefile ipa-slapi-plugins/ipa-uuid/Makefile diff --git a/daemons/ipa-slapi-plugins/Makefile.am b/daemons/ipa-slapi-plugins/Makefile.am index 29b985e69424c9f2ce453ea3607cdb0e936bcce2..01b8bc330bb9525b54ac3e0493e311d2cafb64e7 100644 --- a/daemons/ipa-slapi-plugins/Makefile.am 
+++ b/daemons/ipa-slapi-plugins/Makefile.am @@ -6,6 +6,7 @@ SUBDIRS = \ ipa-lockout \ ipa-modrdn \ ipa-pwd-extop \ + ipa-extdom-extop \ ipa-uuid \ ipa-version \ ipa-winsync \ diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am b/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am new file mode 100644 index 0000000000000000000000000000000000000000..d93e094b95510cf0ec99b7f7c38ff261c56f310e --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am @@ -0,0 +1,74 @@ +NULL = + +PLUGIN_COMMON_DIR=../common + +INCLUDES = \ + -I. \ + -I$(srcdir) \ + -I$(PLUGIN_COMMON_DIR) \ + -I$(KRB5_UTIL_DIR) \ + -I$(COMMON_BER_DIR) \ + -DPREFIX=\""$(prefix)"\" \ + -DBINDIR=\""$(bindir)"\" \ + -DLIBDIR=\""$(libdir)"\" \ + -DLIBEXECDIR=\""$(libexecdir)"\" \ + -DDATADIR=\""$(datadir)"\" \ + $(AM_CFLAGS) \ + $(LDAP_CFLAGS) \ + $(WBCLIENT_CFLAGS) \ + $(WARN_CFLAGS) \ + $(SSSIDMAP_CFLAGS) \ + $(NULL) + +plugindir = $(libdir)/dirsrv/plugins +plugin_LTLIBRARIES = \ + libipa_extdom_extop.la \ + $(NULL) + +libipa_extdom_extop_la_SOURCES = \ + ipa_extdom_extop.c \ + ipa_extdom_common.c \ + $(NULL) + +libipa_extdom_extop_la_LDFLAGS = -avoid-version + +libipa_extdom_extop_la_LIBADD = \ + $(LDAP_LIBS) \ + $(WBCLIENT_LIBS) \ + $(SSSIDMAP_LIBS) \ + $(NULL) + +if HAVE_CHECK +TESTS = extdom_tests +check_PROGRAMS = extdom_tests +endif + +extdom_tests_SOURCES = \ + ipa_extdom_tests.c \ + ipa_extdom_common.c \ + $(NULL) +extdom_tests_CFLAGS = $(CHECK_CFLAGS) +extdom_tests_LDFLAGS = \ + -rpath $(shell pkg-config --libs-only-L dirsrv | sed -e 's/-L//') \ + $(NULL) +extdom_tests_LDADD = \ + $(CHECK_LIBS) \ + $(LDAP_LIBS) \ + $(WBCLIENT_LIBS) \ + $(DIRSRV_LIBS) \ + $(SSSIDMAP_LIBS) \ + $(NULL) + +appdir = $(IPA_DATA_DIR) +app_DATA = \ + ipa-extdom-extop-conf.ldif \ + $(NULL) + +EXTRA_DIST = \ + README \ + $(app_DATA) \ + $(NULL) + +MAINTAINERCLEANFILES = \ + *~ \ + Makefile.in 
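Review bot: in the new ipa-extdom-extop/Makefile.am, `extdom_tests_LDFLAGS = -rpath $(shell pkg-config --libs-only-L dirsrv | sed -e 's/-L//')` relies on GNU make's `$(shell ...)` inside an Automake file and calls `pkg-config` directly instead of `$(PKG_CONFIG)`; since configure.ac already runs `PKG_CHECK_MODULES([DIRSRV], [dirsrv])`, compute the directory there with `$PKG_CONFIG --variable=libdir dirsrv`, AC_SUBST it, and use `-Wl,-rpath,$(DIRSRV_LIBDIR)` here. Two smaller points in the same file: `INCLUDES` is the deprecated spelling of `AM_CPPFLAGS` in current Automake (fine if the other plugin directories still use it, but worth aligning), and the empty README listed in EXTRA_DIST is addressed separately below.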
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/README b/daemons/ipa-slapi-plugins/ipa-extdom-extop/README new file mode 100644 index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa-extdom-extop-conf.ldif b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa-extdom-extop-conf.ldif new file mode 100644 index 0000000000000000000000000000000000000000..ec51ed26f127410901972053c86a49930d217d82 --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa-extdom-extop-conf.ldif @@ -0,0 +1,16 @@ +dn: cn=ipa_extdom_extop,cn=plugins,cn=config +changetype: add +objectclass: top +objectclass: nsSlapdPlugin +objectclass: extensibleObject +cn: ipa_extdom_extop +nsslapd-pluginpath: libipa_extdom_extop +nsslapd-plugininitfunc: ipa_extdom_init +nsslapd-plugintype: extendedop +nsslapd-pluginenabled: on +nsslapd-pluginid: ipa_extdom_extop +nsslapd-pluginversion: 1.0 +nsslapd-pluginvendor: RedHat +nsslapd-plugindescription: Support resolving IDs in trusted domains to names and back +nsslapd-plugin-depends-on-type: database +nsslapd-basedn: $SUFFIX diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h new file mode 100644 index 0000000000000000000000000000000000000000..bcb3f16ed45d7d36237f95794481377d5306605e --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h 
@@ -0,0 +1,153 @@ +/** BEGIN COPYRIGHT BLOCK + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + * + * Additional permission under GPLv3 section 7: + * + * In the following paragraph, "GPL" means the GNU General Public + * License, version 3 or any later version, and "Non-GPL Code" means + * code that is governed neither by the GPL nor a license + * compatible with the GPL. + * + * You may link the code of this Program with Non-GPL Code and convey + * linked combinations including the two, provided that such Non-GPL + * Code only links to the code of this Program through those well + * defined interfaces identified in the file named EXCEPTION found in + * the source code files (the "Approved Interfaces"). The files of + * Non-GPL Code may instantiate templates or use macros or inline + * functions from the Approved Interfaces without causing the resulting + * work to be covered by the GPL. Only the copyright holders of this + * Program may make changes or additions to the list of Approved + * Interfaces. + * + * Authors: + * Sumit Bose + * + * Copyright (C) 2011 Red Hat, Inc. + * All rights reserved. 
+ * END COPYRIGHT BLOCK **/ + +#ifndef _IPA_EXTDOM_H_ +#define _IPA_EXTDOM_H_ + +#ifdef HAVE_CONFIG_H +# include +#endif + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include + +#include +#include +#include + +#include + + +#define IPA_EXTDOM_PLUGIN_NAME "ipa-extdom-extop" +#define IPA_EXTDOM_FEATURE_DESC "IPA EXTDOM ID mapper" +#define IPA_EXTDOM_PLUGIN_DESC "IPA EXTDOM ID mapper Extended Operation plugin" + +#define IPA_PLUGIN_NAME IPA_EXTDOM_PLUGIN_NAME + +enum input_types { + INP_SID = 1, + INP_NAME, + INP_POSIX_UID, + INP_POSIX_GID +}; + +enum request_types { + REQ_SIMPLE = 1, + REQ_FULL +}; + +enum response_types { + RESP_SID = 1, + RESP_NAME, + RESP_USER, + RESP_GROUP +}; + +struct extdom_req { + enum input_types input_type; + enum request_types request_type; + union { + char *sid; + struct { + char *domain_name; + char *object_name; + } name; + struct { + char *domain_name; + uid_t uid; + } posix_uid; + struct { + char *domain_name; + gid_t gid; + } posix_gid; + } data; +}; + +struct extdom_res { + enum response_types response_type; + union { + char *sid; + struct { + const char *domain_name; + const char *object_name; + } name; + struct { + const char *domain_name; + const char *user_name; + uid_t uid; + gid_t gid; + } user; + struct { + const char *domain_name; + const char *group_name; + gid_t gid; + } group; + } data; +}; + +struct ipa_extdom_ctx { + Slapi_ComponentId *plugin_id; + char *base_dn; +}; + +struct domain_info { + char *flat_name; + char *sid; + char *guid; + struct sss_idmap_ctx *idmap_ctx; +}; + +int parse_request_data(struct berval *req_val, struct extdom_req **_req); +int handle_request(struct ipa_extdom_ctx *ctx, struct extdom_req *req, + struct extdom_res **res); +int create_response(struct extdom_req *req, struct domain_info *domain_info, + const char *domain_name, + const char *name, struct wbcDomainSid *sid, + enum wbcSidType name_type, struct extdom_res **_res); +int 
pack_response(struct extdom_res *res, struct berval **ret_val); +#endif /* _IPA_EXTDOM_H_ */ diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c new file mode 100644 index 0000000000000000000000000000000000000000..294b00d50dd76c6541831b5c53bf70a4d377dcc3 --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c 
@@ -0,0 +1,498 @@ +/** BEGIN COPYRIGHT BLOCK + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + * + * Additional permission under GPLv3 section 7: + * + * In the following paragraph, "GPL" means the GNU General Public + * License, version 3 or any later version, and "Non-GPL Code" means + * code that is governed neither by the GPL nor a license + * compatible with the GPL. + * + * You may link the code of this Program with Non-GPL Code and convey + * linked combinations including the two, provided that such Non-GPL + * Code only links to the code of this Program through those well + * defined interfaces identified in the file named EXCEPTION found in + * the source code files (the "Approved Interfaces"). The files of + * Non-GPL Code may instantiate templates or use macros or inline + * functions from the Approved Interfaces without causing the resulting + * work to be covered by the GPL. Only the copyright holders of this + * Program may make changes or additions to the list of Approved + * Interfaces. + * + * Authors: + * Sumit Bose + * + * Copyright (C) 2011 Red Hat, Inc. + * All rights reserved. 
+ * END COPYRIGHT BLOCK **/ + +#ifndef _GNU_SOURCE +#define _GNU_SOURCE 1 /* for asprintf() */ +#endif + +#include +#include + +#include "ipa_extdom.h" +#include "util.h" + +int parse_request_data(struct berval *req_val, struct extdom_req **_req) +{ + BerElement *ber = NULL; + ber_tag_t tag; + ber_int_t input_type; + ber_int_t request_type; + ber_int_t id; + struct extdom_req *req; + +/* We expect the following request: + * ExtdomRequestValue ::= SEQUENCE { + * inputType ENUMERATED { + * sid (1), + * name (2), + * posix uid (3), + * posix gid (3) + * }, + * requestType ENUMERATED { + * simple (1), + * full (2) + * }, + * data InputData + * } + * + * InputData ::= CHOICE { + * sid OCTET STRING, + * name NameDomainData + * uid PosixUid, + * gid PosixGid + * } + * + * NameDomainData ::= SEQUENCE { + * domain_name OCTET STRING, + * object_name OCTET STRING + * } + * + * PosixUid ::= SEQUENCE { + * domain_name OCTET STRING, + * uid INTEGER + * } + * + * PosixGid ::= SEQUENCE { + * domain_name OCTET STRING, + * gid INTEGER + * } + */ + + if (req_val == NULL || req_val->bv_val == NULL || req_val->bv_len == 0) { + return LDAP_PROTOCOL_ERROR; + } + + ber = ber_init(req_val); + if (ber == NULL) { + return LDAP_PROTOCOL_ERROR; + } + + tag = ber_scanf(ber, "{ee", &input_type, &request_type); + if (tag == LBER_ERROR) { + ber_free(ber, 1); + return LDAP_PROTOCOL_ERROR; + } + + req = calloc(sizeof(struct extdom_req), 1); + if (req == NULL) { + return LDAP_OPERATIONS_ERROR; + } + + req->input_type = input_type; + req->request_type = request_type; + + switch (req->input_type) { + case INP_NAME: + tag = ber_scanf(ber, "{aa}}", &req->data.name.domain_name, + &req->data.name.object_name); + break; + case INP_SID: + tag = ber_scanf(ber, "a}", &req->data.sid); + break; + case INP_POSIX_UID: + tag = ber_scanf(ber, "{ai}}", &req->data.posix_uid.domain_name, + &id); + req->data.posix_uid.uid = (uid_t) id; + break; + case INP_POSIX_GID: + tag = ber_scanf(ber, "{ai}}", 
&req->data.posix_gid.domain_name, + &id); + req->data.posix_gid.gid = (gid_t) id; + break; + default: + ber_free(ber, 1); + return LDAP_PROTOCOL_ERROR; + } + ber_free(ber, 1); + if (tag == LBER_ERROR) { + return LDAP_PROTOCOL_ERROR; + } + + *_req = req; + + return LDAP_SUCCESS; +} + +static void free_domain_info(struct domain_info *domain_info) +{ + if (domain_info == NULL) { + return; + } + + sss_idmap_free(domain_info->idmap_ctx); + slapi_ch_free((void **) &domain_info->guid); + slapi_ch_free((void **) &domain_info->sid); + slapi_ch_free((void **) &domain_info->flat_name); + free(domain_info); +} + +/* TODO: A similar call is used in ipa_cldap_netlogon.c, maybe a candidate for + * a common library */ +static int get_domain_info(struct ipa_extdom_ctx *ctx, const char *domain_name, + struct domain_info **_domain_info) +{ + struct domain_info *domain_info = NULL; + Slapi_PBlock *pb = NULL; + Slapi_Entry **e = NULL; + char *filter = NULL; + int ret; + enum idmap_error_code err; + struct sss_idmap_range range; + + pb = slapi_pblock_new(); + if (pb == NULL) { + return ENOMEM; + } + + ret = asprintf(&filter, "(&(|(cn=%s)(ipaNTTrustPartner=%s)(ipaNTFlatName=%s))(objectclass=ipaNTTrustedDomain))", + domain_name, domain_name, domain_name); + if (ret == -1) { + ret = ENOMEM; + goto done; + } + + slapi_search_internal_set_pb(pb, ctx->base_dn, + LDAP_SCOPE_SUBTREE, filter, + NULL, 0, NULL, NULL, ctx->plugin_id, 0); + + slapi_search_internal_pb(pb); + slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &ret); + + if (ret != EOK) { + ret = ENOENT; + goto done; + } + + slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &e); + if (!e || !e[0] || e[1]) { + /* no matches or too many matches */ + ret = ENOENT; + goto done; + } + + domain_info = calloc(1, sizeof(struct domain_info)); + if (domain_info == NULL) { + ret = ENOMEM; + goto done; + } + + domain_info->guid = slapi_entry_attr_get_charptr(e[0], "ipaNTDomainGUID"); + domain_info->sid = slapi_entry_attr_get_charptr(e[0], + 
"ipaNTTrustedDomainSID"); + domain_info->flat_name = slapi_entry_attr_get_charptr(e[0], + "ipaNTFlatName"); + + /* TODO: read range from LDAP server */ + range.min = 200000; + range.max = 400000; + + err = sss_idmap_init(NULL, NULL, NULL, &domain_info->idmap_ctx); + if (err == IDMAP_SUCCESS) { + err = sss_idmap_add_domain(domain_info->idmap_ctx, domain_name, + domain_info->sid, &range); + } + if (err != IDMAP_SUCCESS) { + free_domain_info(domain_info); + ret = EFAULT; + goto done; + } + + *_domain_info = domain_info; + + ret = 0; + +done: + slapi_free_search_results_internal(pb); + slapi_pblock_destroy(pb); + free(filter); + return ret; + +} + +int handle_request(struct ipa_extdom_ctx *ctx, struct extdom_req *req, + struct extdom_res **res) +{ + wbcErr werr; + int ret; + struct wbcDomainSid sid; + char *domain_name; + char *name; + enum wbcSidType name_type; + struct domain_info *domain_info = NULL; + + ret = get_domain_info(ctx, req->data.name.domain_name, &domain_info); + if (ret != 0) { + return LDAP_OPERATIONS_ERROR; + } + + switch (req->input_type) { + case INP_SID: + werr = wbcStringToSid(req->data.sid, &sid); + if (!WBC_ERROR_IS_OK(werr)) { + ret = LDAP_OPERATIONS_ERROR; + goto done; + } + + werr = wbcLookupSid(&sid, &domain_name, &name, &name_type); + if (!WBC_ERROR_IS_OK(werr)) { + ret = LDAP_OPERATIONS_ERROR; + goto done; + } + + ret = create_response(req, domain_info, domain_name, name, &sid, + name_type, res); + if (ret != 0) { + ret = LDAP_OPERATIONS_ERROR; + goto done; + } + + break; + case INP_NAME: + werr = wbcLookupName(domain_info->flat_name, + req->data.name.object_name, &sid, &name_type); + if (!WBC_ERROR_IS_OK(werr)) { + ret = LDAP_OPERATIONS_ERROR; + goto done; + } + + ret = create_response(req, domain_info, req->data.name.domain_name, + req->data.name.object_name, &sid, name_type, + res); + if (ret != 0) { + ret = LDAP_OPERATIONS_ERROR; + goto done; + } + + break; + default: + ret = LDAP_PROTOCOL_ERROR; + goto done; + } + + ret = 
LDAP_SUCCESS; + +done: + free_domain_info(domain_info); + + return ret; +} + +int create_response(struct extdom_req *req, struct domain_info *domain_info, + const char *domain_name, + const char *name, struct wbcDomainSid *sid, + enum wbcSidType name_type, struct extdom_res **_res) +{ + int ret = EFAULT; + int len; + struct extdom_res *res; + uint32_t id; + enum idmap_error_code err; + char sid_str[WBC_SID_STRING_BUFLEN + 1]; + + res = malloc(sizeof(struct extdom_res)); + if (res == NULL) { + return ENOMEM; + } + + switch (req->request_type) { + case REQ_SIMPLE: + switch (req->input_type) { + case INP_SID: + res->response_type = RESP_NAME; + res->data.name.domain_name = domain_name; + res->data.name.object_name = name; + break; + case INP_NAME: + res->response_type = RESP_SID; + + len = wbcSidToStringBuf(sid, sid_str, + WBC_SID_STRING_BUFLEN); + if (len + 1 > WBC_SID_STRING_BUFLEN) { + ret = EINVAL; + goto done; + } + + res->data.sid = sid_str; + break; + default: + ret = EINVAL; + goto done; + } + break; + case REQ_FULL: + len = wbcSidToStringBuf(sid, sid_str, WBC_SID_STRING_BUFLEN); + if (len + 1 > WBC_SID_STRING_BUFLEN) { + ret = EINVAL; + goto done; + } + + err = sss_idmap_sid_to_unix(domain_info->idmap_ctx, sid_str, &id); + if (err != IDMAP_SUCCESS) { + ret = EINVAL; + goto done; + } + switch (name_type) { + case WBC_SID_NAME_USER: + res->response_type = RESP_USER; + res->data.user.domain_name = domain_name; + res->data.user.user_name = name; + + res->data.user.uid = (uid_t) id; + + /* We use MPGs for external users */ + res->data.user.gid = (gid_t) id; + break; + case WBC_SID_NAME_DOM_GRP: + res->response_type = RESP_GROUP; + res->data.group.domain_name = domain_name; + res->data.group.group_name = name; + + res->data.group.gid = (gid_t) id; + break; + default: + ret = EINVAL; + goto done; + } + break; + default: + ret = EINVAL; + goto done; + } + + ret = 0; + +done: + if (ret == 0) { + *_res = res; + } else { + free(res); + } + + return ret; +} + +int 
pack_response(struct extdom_res *res, struct berval **ret_val) +{ + BerElement *ber = NULL; + int ret; + +/* We send to follwing response: + * ExtdomResponseValue ::= SEQUENCE { + * responseType ENUMERATED { + * sid (1), + * name (2), + * posix_user (3), + * posix_group (4) + * }, + * data OutputData + * } + * + * OutputData ::= CHOICE { + * sid OCTET STRING, + * name NameDomainData, + * user PosixUser, + * group PosixGroup + * } + * + * NameDomainData ::= SEQUENCE { + * domain_name OCTET STRING, + * object_name OCTET STRING + * } + * + * PosixUser ::= SEQUENCE { + * domain_name OCTET STRING, + * user_name OCTET STRING, + * uid INTEGER + * gid INTEGER + * } + * + * PosixGroup ::= SEQUENCE { + * domain_name OCTET STRING, + * group_name OCTET STRING, + * gid INTEGER + * } + */ + + ber = ber_alloc_t( LBER_USE_DER ); + if (ber == NULL) { + return LDAP_OPERATIONS_ERROR; + } + + switch (res->response_type) { + case RESP_SID: + ret = ber_printf(ber,"{es}", res->response_type, res->data.sid); + break; + case RESP_NAME: + ret = ber_printf(ber,"{e{ss}}", res->response_type, + res->data.name.domain_name, + res->data.name.object_name); + break; + case RESP_USER: + ret = ber_printf(ber,"{e{ssii}}", res->response_type, + res->data.user.domain_name, + res->data.user.user_name, + res->data.user.uid, + res->data.user.gid); + break; + case RESP_GROUP: + ret = ber_printf(ber,"{e{ssi}}", res->response_type, + res->data.group.domain_name, + res->data.group.group_name, + res->data.group.gid); + break; + default: + ber_free(ber, 1); + return LDAP_OPERATIONS_ERROR; + } + + if (ret == -1) { + ber_free(ber, 1); + return LDAP_OPERATIONS_ERROR; + } + + ret = ber_flatten(ber, ret_val); + if (ret == -1) { + ber_free(ber, 1); + return LDAP_OPERATIONS_ERROR; + } + + ber_free(ber, 1); + + return LDAP_SUCCESS; +} 
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c new file mode 100644 index 0000000000000000000000000000000000000000..cf2db333ad57940dc06c3bdb6990b6548ffc0040 --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c 
@@ -0,0 +1,236 @@ +/** BEGIN COPYRIGHT BLOCK + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + * + * Additional permission under GPLv3 section 7: + * + * In the following paragraph, "GPL" means the GNU General Public + * License, version 3 or any later version, and "Non-GPL Code" means + * code that is governed neither by the GPL nor a license + * compatible with the GPL. + * + * You may link the code of this Program with Non-GPL Code and convey + * linked combinations including the two, provided that such Non-GPL + * Code only links to the code of this Program through those well + * defined interfaces identified in the file named EXCEPTION found in + * the source code files (the "Approved Interfaces"). The files of + * Non-GPL Code may instantiate templates or use macros or inline + * functions from the Approved Interfaces without causing the resulting + * work to be covered by the GPL. Only the copyright holders of this + * Program may make changes or additions to the list of Approved + * Interfaces. + * + * Authors: + * Sumit Bose + * + * Copyright (C) 2011 Red Hat, Inc. + * All rights reserved. 
+ * END COPYRIGHT BLOCK **/ + +#include "ipa_extdom.h" +#include "util.h" + +#define EXOP_EXTDOM_OID "2.16.840.1.113730.3.8.10.4" + +Slapi_PluginDesc ipa_extdom_plugin_desc = { + IPA_EXTDOM_FEATURE_DESC, + "FreeIPA project", + "FreeIPA/1.0", + IPA_EXTDOM_PLUGIN_DESC +}; + +static char *ipa_extdom_oid_list[] = { + EXOP_EXTDOM_OID, + NULL +}; + +static char *ipa_extdom_name_list[] = { + IPA_EXTDOM_PLUGIN_DESC, + NULL +}; + +static int ipa_extdom_start(Slapi_PBlock *pb) +{ + return LDAP_SUCCESS; +} + +static int ipa_extdom_extop(Slapi_PBlock *pb) +{ + char *oid = NULL; + char *err_msg = NULL; + int rc; + int ret; + struct berval *req_val = NULL; + struct berval *ret_val = NULL; + struct extdom_req *req = NULL; + struct extdom_res *res = NULL; + struct ipa_extdom_ctx *ctx; + + ret = slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_OID, &oid); + if (ret != 0) { + rc = LDAP_OPERATIONS_ERROR; + err_msg = "Could not get OID value from request.\n"; + goto done; + } + LOG("Received extended operation request with OID %s\n", oid); + + if (strcasecmp(oid, EXOP_EXTDOM_OID) != 0) { + return SLAPI_PLUGIN_EXTENDED_NOT_HANDLED; + } + + ret = slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &req_val); + if (ret != 0) { + rc = LDAP_UNWILLING_TO_PERFORM; + err_msg = "Missing request data.\n"; + goto done; + } + + ret = slapi_pblock_get(pb, SLAPI_PLUGIN_PRIVATE, &ctx); + if (ret != 0) { + rc = LDAP_OPERATIONS_ERROR; + err_msg = "Missing plugin context.\n"; + goto done; + } + + ret = parse_request_data(req_val, &req); + if (ret != LDAP_SUCCESS) { + rc = LDAP_UNWILLING_TO_PERFORM; + err_msg = "Cannot parse request data.\n"; + goto done; + } + + ret = handle_request(ctx, req, &res); + if (ret != LDAP_SUCCESS) { + rc = LDAP_OPERATIONS_ERROR; + err_msg = "Failed to handle the request.\n"; + goto done; + } + + ret = pack_response(res, &ret_val); + if (ret != LDAP_SUCCESS) { + rc = LDAP_OPERATIONS_ERROR; + err_msg = "Failed to pack the response.\n"; + goto done; + } + + ret = slapi_pblock_set(pb, 
SLAPI_EXT_OP_RET_OID, EXOP_EXTDOM_OID); + if (ret != 0) { + rc = LDAP_OPERATIONS_ERROR; + err_msg = "Failed to set the OID for the response.\n"; + goto done; + } + + ret = slapi_pblock_set( pb, SLAPI_EXT_OP_RET_VALUE, ret_val); + if (ret != 0) { + rc = LDAP_OPERATIONS_ERROR; + err_msg = "Failed to set the value for the response.\n"; + goto done; + } + + rc = LDAP_SUCCESS; + +done: + free(req); + free(res); + if (err_msg != NULL) { + LOG(err_msg); + } + slapi_send_ldap_result(pb, rc, NULL, err_msg, 0, NULL); + return SLAPI_PLUGIN_EXTENDED_SENT_RESULT; +} + +static int ipa_extdom_init_ctx(Slapi_PBlock *pb, struct ipa_extdom_ctx **_ctx) +{ + struct ipa_extdom_ctx *ctx; + Slapi_Entry *e; + int ret; + + ctx = calloc(1, sizeof(struct ipa_extdom_ctx)); + if (!ctx) { + return LDAP_OPERATIONS_ERROR; + } + + ret = slapi_pblock_get(pb, SLAPI_PLUGIN_IDENTITY, &ctx->plugin_id); + if ((ret != 0) || (NULL == ctx->plugin_id)) { + LOG_FATAL("Could not get identity or identity was NULL\n"); + if (ret == 0) { + ret = -1; + } + goto done; + } + + slapi_pblock_get(pb, SLAPI_PLUGIN_CONFIG_ENTRY, &e); + if (!e) { + LOG_FATAL("Plugin configuration not found!\n"); + return -1; + } + + ctx->base_dn = slapi_entry_attr_get_charptr(e, "nsslapd-basedn"); + if (!ctx->base_dn) { + LOG_FATAL("Base DN not found in plugin configuration not found!\n"); + return -1; + } + + +done: + if (ret) { + free(ctx); + } else { + *_ctx = ctx; + } + return ret; +} + +int ipa_extdom_init(Slapi_PBlock *pb) +{ + int ret; + struct ipa_extdom_ctx *extdom_ctx; + + ret = ipa_extdom_init_ctx(pb, &extdom_ctx); + if (ret) { + LOG_FATAL("Failed ot initialize external domain extended operation.\n"); + /* do not cause DS to stop, simply do nothing */ + return 0; + } + + ret = slapi_pblock_set(pb, SLAPI_PLUGIN_VERSION, SLAPI_PLUGIN_VERSION_01); + if (!ret) { + ret = slapi_pblock_set(pb, SLAPI_PLUGIN_DESCRIPTION, + (void *)&ipa_extdom_plugin_desc); + } + if (!ret) { + ret = slapi_pblock_set(pb, SLAPI_PLUGIN_START_FN, + (void 
*)ipa_extdom_start); + } + if (!ret) { + ret = slapi_pblock_set(pb, SLAPI_PLUGIN_EXT_OP_OIDLIST, + ipa_extdom_oid_list); + } + if (!ret) { + ret = slapi_pblock_set(pb, SLAPI_PLUGIN_EXT_OP_NAMELIST, + ipa_extdom_name_list); + } + if (!ret) { + ret = slapi_pblock_set(pb, SLAPI_PLUGIN_EXT_OP_FN, + (void *)ipa_extdom_extop); + } + if (!ret) { + ret = slapi_pblock_set(pb, SLAPI_PLUGIN_PRIVATE, extdom_ctx); + } + if (ret) { + LOG("Failed to set plug-in version, function, and OID.\n" ); + return -1; + } + + return 0; +} diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_tests.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_tests.c new file mode 100644 index 0000000000000000000000000000000000000000..acb6ae2844eafe938a293a964efa2afe31e32b9e --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_tests.c 
@@ -0,0 +1,203 @@ +/** BEGIN COPYRIGHT BLOCK + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + * + * Additional permission under GPLv3 section 7: + * + * In the following paragraph, "GPL" means the GNU General Public + * License, version 3 or any later version, and "Non-GPL Code" means + * code that is governed neither by the GPL nor a license + * compatible with the GPL. + * + * You may link the code of this Program with Non-GPL Code and convey + * linked combinations including the two, provided that such Non-GPL + * Code only links to the code of this Program through those well + * defined interfaces identified in the file named EXCEPTION found in + * the source code files (the "Approved Interfaces"). The files of + * Non-GPL Code may instantiate templates or use macros or inline + * functions from the Approved Interfaces without causing the resulting + * work to be covered by the GPL. Only the copyright holders of this + * Program may make changes or additions to the list of Approved + * Interfaces. + * + * Authors: + * Sumit Bose + * + * Copyright (C) 2011 Red Hat, Inc. + * All rights reserved. 
+ * END COPYRIGHT BLOCK **/ + +#include + +#include "ipa_extdom.h" +#include "util.h" + +char req_sid[] = {0x30, 0x11, 0x0a, 0x01, 0x01, 0x0a, 0x01, 0x01, 0x04, 0x09, \ + 0x53, 0x2d, 0x31, 0x2d, 0x32, 0x2d, 0x33, 0x2d, 0x34}; +char req_nam[] = {0x30, 0x16, 0x0a, 0x01, 0x02, 0x0a, 0x01, 0x01, 0x30, 0x0e, \ + 0x04, 0x06, 0x44, 0x4f, 0x4d, 0x41, 0x49, 0x4e, 0x04, 0x04, \ + 0x74, 0x65, 0x73, 0x74}; +char req_uid[] = {0x30, 0x14, 0x0a, 0x01, 0x03, 0x0a, 0x01, 0x01, 0x30, 0x0c, \ + 0x04, 0x06, 0x44, 0x4f, 0x4d, 0x41, 0x49, 0x4e, 0x02, 0x02, \ + 0x30, 0x39}; +char req_gid[] = {0x30, 0x15, 0x0a, 0x01, 0x04, 0x0a, 0x01, 0x01, 0x30, 0x0d, \ + 0x04, 0x06, 0x44, 0x4f, 0x4d, 0x41, 0x49, 0x4e, 0x02, 0x03, \ + 0x00, 0xd4, 0x31}; + +char res_sid[] = {0x30, 0x0e, 0x0a, 0x01, 0x01, 0x04, 0x09, 0x53, 0x2d, 0x31, \ + 0x2d, 0x32, 0x2d, 0x33, 0x2d, 0x34}; +char res_nam[] = {0x30, 0x13, 0x0a, 0x01, 0x02, 0x30, 0x0e, 0x04, 0x06, 0x44, \ + 0x4f, 0x4d, 0x41, 0x49, 0x4e, 0x04, 0x04, 0x74, 0x65, 0x73, \ + 0x74}; +char res_uid[] = {0x30, 0x17, 0x0a, 0x01, 0x03, 0x30, 0x12, 0x04, 0x06, 0x44, \ + 0x4f, 0x4d, 0x41, 0x49, 0x4e, 0x04, 0x04, 0x74, 0x65, 0x73, \ + 0x74, 0x02, 0x02, 0x30, 0x39}; +char res_gid[] = {0x30, 0x1e, 0x0a, 0x01, 0x04, 0x30, 0x19, 0x04, 0x06, 0x44, \ + 0x4f, 0x4d, 0x41, 0x49, 0x4e, 0x04, 0x0a, 0x74, 0x65, 0x73, \ + 0x74, 0x5f, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x02, 0x03, 0x00, \ + 0xd4, 0x31}; + +#define TEST_SID "S-1-2-3-4" +#define TEST_DOMAIN_NAME "DOMAIN" + +START_TEST(test_encode) +{ + int ret; + struct extdom_res res; + struct berval *resp_val; + + res.response_type = RESP_SID; + res.data.sid = TEST_SID; + + ret = pack_response(&res, &resp_val); + + fail_unless(ret == LDAP_SUCCESS, "pack_response() failed."); + fail_unless(sizeof(res_sid) == resp_val->bv_len && + memcmp(res_sid, resp_val->bv_val, resp_val->bv_len) == 0, + "Unexpected BER blob."); + ber_memfree(resp_val); + + res.response_type = RESP_NAME; + res.data.name.domain_name = TEST_DOMAIN_NAME; + 
res.data.name.object_name = "test"; + + ret = pack_response(&res, &resp_val); + + fail_unless(ret == LDAP_SUCCESS, "pack_response() failed."); + fail_unless(sizeof(res_nam) == resp_val->bv_len && + memcmp(res_nam, resp_val->bv_val, resp_val->bv_len) == 0, + "Unexpected BER blob."); + ber_memfree(resp_val); +} +END_TEST + +START_TEST(test_decode) +{ + struct berval req_val; + struct extdom_req *req; + int ret; + + req_val.bv_val = req_sid; + req_val.bv_len = sizeof(req_sid); + + ret = parse_request_data(&req_val, &req); + + fail_unless(ret == LDAP_SUCCESS, "parse_request_data() failed."); + fail_unless(req->input_type == INP_SID, + "parse_request_data() returned unexpected input type"); + fail_unless(req->request_type == REQ_SIMPLE, + "parse_request_data() returned unexpected request type"); + fail_unless(strcmp(req->data.sid, "S-1-2-3-4") == 0, + "parse_request_data() returned unexpected sid"); + free(req); + + req_val.bv_val = req_nam; + req_val.bv_len = sizeof(req_nam); + + ret = parse_request_data(&req_val, &req); + + fail_unless(ret == LDAP_SUCCESS, + "parse_request_data() failed."); + fail_unless(req->input_type == INP_NAME, + "parse_request_data() returned unexpected input type"); + fail_unless(req->request_type == REQ_SIMPLE, + "parse_request_data() returned unexpected request type"); + fail_unless(strcmp(req->data.name.domain_name, "DOMAIN") == 0, + "parse_request_data() returned unexpected domain name"); + fail_unless(strcmp(req->data.name.object_name, "test") == 0, + "parse_request_data() returned unexpected object name"); + free(req); + + req_val.bv_val = req_uid; + req_val.bv_len = sizeof(req_uid); + + ret = parse_request_data(&req_val, &req); + + fail_unless(ret == LDAP_SUCCESS, + "parse_request_data() failed."); + fail_unless(req->input_type == INP_POSIX_UID, + "parse_request_data() returned unexpected input type"); + fail_unless(req->request_type == REQ_SIMPLE, + "parse_request_data() returned unexpected request type"); + 
fail_unless(strcmp(req->data.posix_uid.domain_name, "DOMAIN") == 0, + "parse_request_data() returned unexpected domain name"); + fail_unless(req->data.posix_uid.uid == 12345, + "parse_request_data() returned unexpected uid [%d]", + req->data.posix_uid.uid); + free(req); + + req_val.bv_val = req_gid; + req_val.bv_len = sizeof(req_gid); + + ret = parse_request_data(&req_val, &req); + + fail_unless(ret == LDAP_SUCCESS, + "parse_request_data() failed."); + fail_unless(req->input_type == INP_POSIX_GID, + "parse_request_data() returned unexpected input type"); + fail_unless(req->request_type == REQ_SIMPLE, + "parse_request_data() returned unexpected request type"); + fail_unless(strcmp(req->data.posix_gid.domain_name, "DOMAIN") == 0, + "parse_request_data() returned unexpected domain name"); + fail_unless(req->data.posix_gid.gid == 54321, + "parse_request_data() returned unexpected gid [%d]", + req->data.posix_gid.gid); + free(req); +} +END_TEST + +Suite * ipa_extdom_suite(void) +{ + Suite *s = suite_create("IPA extdom"); + + TCase *tc_core = tcase_create("Core"); + tcase_add_test(tc_core, test_decode); + tcase_add_test(tc_core, test_encode); + /* TODO: add test for create_response() */ + suite_add_tcase(s, tc_core); + + return s; +} + +int main(void) +{ + int number_failed; + + Suite *s = ipa_extdom_suite (); + SRunner *sr = srunner_create (s); + srunner_run_all (sr, CK_VERBOSE); + number_failed = srunner_ntests_failed (sr); + srunner_free (sr); + + return (number_failed == 0) ? EXIT_SUCCESS : EXIT_FAILURE; +} diff --git a/freeipa.spec.in b/freeipa.spec.in index e15c79d5d7919418a86fdcdacc0e54c464df59c7..80a6876e4d307db8e091f1fb671eaf6d63d0dfb7 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in 
@@ -80,6 +80,8 @@ BuildRequires: python-lxml BuildRequires: python-pyasn1 >= 0.0.9a BuildRequires: python-dns BuildRequires: python-crypto +BuildRequires: check >= 0.9.5 +BuildRequires: libsss_idmap-devel %description IPA is an integrated solution to provide centrally managed Identity (machine, @@ -316,6 +318,7 @@ make IPA_VERSION_IS_GIT_SNAPSHOT=no %{?_smp_mflags} all cd selinux # This isn't multi-process make capable yet make all +cd ../daemons ; make check %else make IPA_VERSION_IS_GIT_SNAPSHOT=no %{?_smp_mflags} client %endif @@ -349,6 +352,7 @@ rm %{buildroot}/%{plugin_dir}/libipa_uuid.la rm %{buildroot}/%{plugin_dir}/libipa_modrdn.la rm %{buildroot}/%{plugin_dir}/libipa_lockout.la rm %{buildroot}/%{plugin_dir}/libipa_cldap.la +rm %{buildroot}/%{plugin_dir}/libipa_extdom_extop.la rm %{buildroot}/%{_libdir}/krb5/plugins/kdb/ipadb.la rm %{buildroot}/%{_libdir}/samba/pdb/ipasam.la @@ -617,6 +621,7 @@ fi %attr(755,root,root) %{plugin_dir}/libipa_modrdn.so %attr(755,root,root) %{plugin_dir}/libipa_lockout.so %attr(755,root,root) %{plugin_dir}/libipa_cldap.so +%attr(755,root,root) %{plugin_dir}/libipa_extdom_extop.so %dir %{_localstatedir}/lib/ipa %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore %dir %{_localstatedir}/cache/ipa @@ -700,6 +705,9 @@ fi %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt %changelog +* Mon Jun 4 2012 Sumit Bose - 2.99.0-32 +- Add extdom extop plugin + * Mon Jun 4 2012 Alexander Bokovoy - 2.99.0-31 - Add python-crypto to build dependencies for AD server-side code diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py index 5f74054316ed714cc5cab004b497033dc4b47adf..0e9e9ef245a0897dfee9bcb0940d0de35c1bfd61 100644 --- a/ipaserver/install/adtrustinstance.py +++ b/ipaserver/install/adtrustinstance.py 
@@ -223,6 +223,12 @@ class ADTRUSTInstance(service.Service): except: pass + def __add_extdom_module(self): + try: + self._ldap_mod("ipa-extdom-extop-conf.ldif", self.sub_dict) + except: + pass + def __write_smb_registry(self): template = os.path.join(ipautil.SHARE_DIR, "smb.conf.template") conf = ipautil.template_file(template, self.sub_dict) @@ -380,7 +386,12 @@ class ADTRUSTInstance(service.Service): self.suffix) except (ldap.ALREADY_EXISTS, errors.DuplicateEntry), e: root_logger.info("ADTRUST Service startup entry already exists.") - pass + + try: + self.ldap_enable('EXTID', self.fqdn, self.dm_password, \ + self.suffix) + except (ldap.ALREADY_EXISTS, errors.DuplicateEntry), e: + root_logger.info("EXTID Service startup entry already exists.") def __setup_sub_dict(self): self.sub_dict = dict(REALM = self.realm_name, @@ -430,6 +441,7 @@ class ADTRUSTInstance(service.Service): self.step("adding cifs Kerberos principal", self.__setup_principal) self.step("adding admin(group) SIDs", self.__add_admin_sids) self.step("activating CLDAP plugin", self.__add_cldap_module) + self.step("activating extdom plugin", self.__add_extdom_module) self.step("configuring smbd to start on boot", self.__enable) if not self.no_msdcs: self.step("adding special DNS service records", \ diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py index a3d09fcd633a851a67ef94b2025f1afb605d3d84..5cc7ae639db3fe2aa3805a90e0902f10f277064c 100644 --- a/ipaserver/install/service.py +++ b/ipaserver/install/service.py @@ -42,7 +42,8 @@ SERVICE_LIST = { 'MEMCACHE':('ipa_memcached', 39), 'HTTP':('httpd', 40), 'CA':('pki-cad', 50), - 'ADTRUST':('smb', 60) + 'ADTRUST':('smb', 60), + 'EXTID':('winbind', 70) } def print_msg(message, output_fd=sys.stdout): -- 1.7.10.2 From pviktori at redhat.com Thu Jun 7 09:31:07 2012 
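Review bot: in the ipa_extdom_common.c hunk, `create_response()` hands out a dangling pointer: `sid_str` is a local array (`char sid_str[WBC_SID_STRING_BUFLEN + 1];`) and the REQ_SIMPLE/INP_NAME branch does `res->data.sid = sid_str;`, so `pack_response()` later reads stack memory that went out of scope when `create_response()` returned; copy the string into the response and give `struct extdom_res` an owner so it can be freed. Second, `get_domain_info()` formats the client-supplied `domain_name` straight into the search filter with `asprintf(&filter, "(&(|(cn=%s)(ipaNTTrustPartner=%s)(ipaNTFlatName=%s))(objectclass=ipaNTTrustedDomain))", ...)`; any filter metacharacters in the request change the query, so pass the value through slapi_escape_filter_value() first. Third, `handle_request()` calls `get_domain_info(ctx, req->data.name.domain_name, &domain_info)` before switching on `input_type`, but for INP_SID the populated union member is `data.sid`, which shares that offset, so the SID string is looked up as a domain name and every SID request fails with ENOENT before `wbcLookupSid()` runs; move the lookup into the per-type branches and take the domain for SIDs from what `wbcLookupSid()` returns. Smaller points: the strings `ber_scanf()` allocates with "a" and the `domain_name`/`name` returned by `wbcLookupSid()` are never released (callers only `free(req)` and `free(res)`), `parse_request_data()` leaks `ber` when `calloc` fails and `req` when the second `ber_scanf` fails, and the ASN.1 comment lists `posix gid (3)` where the enum uses 4.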
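Review bot: in the ipa_extdom_extop.c hunk, `ipa_extdom_init_ctx()` mixes `goto done` with two bare `return -1;` paths (missing config entry, missing `nsslapd-basedn`), and those two paths leak `ctx`; route them through `done:` as the identity failure does. In `ipa_extdom_extop()`, `ret_val` from `ber_flatten()` is never freed after `slapi_send_ldap_result()`, so unless the server takes ownership it should be released there with `ber_bvfree()`, and `LOG(err_msg);` passes a variable as the format string; prefer `LOG("%s", err_msg);`. Message typos: "Failed ot initialize" and "Base DN not found in plugin configuration not found!".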
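Review bot: in the ipa_extdom_tests.c hunk, `test_decode` feeds only well-formed blobs to `parse_request_data()`, which is the parser for untrusted client data arriving over LDAP; add negative cases (empty berval, truncated outer SEQUENCE, an `inputType` outside 1..4, a missing inner SEQUENCE) that assert LDAP_PROTOCOL_ERROR and that nothing is leaked, and add a round trip that packs a response filled in by `create_response()`, since the `/* TODO: add test for create_response() */` leaves exactly the function that sets `data.sid` untested.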
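Review bot: in the adtrustinstance.py hunk, `__add_extdom_module()` wraps `self._ldap_mod("ipa-extdom-extop-conf.ldif", self.sub_dict)` in a bare `except: pass`, so a failure to register the plugin (missing LDIF, LDAP error) is swallowed and the trust install reports success without the extdom extop; catch only the expected duplicate-entry error and log or re-raise anything else. In the `ldap_enable('EXTID', ...)` block the `except (ldap.ALREADY_EXISTS, errors.DuplicateEntry), e:` clause is fine but `e` is unused.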
From: pviktori at redhat.com (Petr Viktorin)
Date: Thu, 07 Jun 2012 11:31:07 +0200
Subject: [Freeipa-devel] [PATCH] 0042-0048 AD trusts support (master)
In-Reply-To: <1339055321.7369.1.camel@balmora.brq.redhat.com>
References: <20120403104135.GD23171@redhat.com> <20120403145749.GD8996@localhost.localdomain> <1334242615.777.3.camel@balmora.brq.redhat.com> <20120412150803.GA24623@redhat.com> <1334243807.777.6.camel@balmora.brq.redhat.com> <1338810226.30320.45.camel@balmora.brq.redhat.com> <20120606095053.GK25726@redhat.com> <1339055321.7369.1.camel@balmora.brq.redhat.com>
Message-ID: <4FD074DB.6090905@redhat.com>

On 06/07/2012 09:48 AM, Martin Kosek wrote:
> On Wed, 2012-06-06 at 12:50 +0300, Alexander Bokovoy wrote:
>> On Mon, 04 Jun 2012, Martin Kosek wrote:
>>> 2) Unit tests need to be updated, currently there is about a dozen test
>>> case errors, e.g. extra ipakrbprincipalalias attribute in services or
>>> new ipakrbprincipal objectclass for hosts
>> I did run unit tests. All passed except two which are not related to
>> trusts code and were failing before as well. All other issues found
>> during previous rounds of the review are fixed and squashed in patches
>> in my fedorapeople's tree.
>>
>> ======================================================================
>> FAIL: test_automember[39]: host_add: Create u'web5.ipa.local'
>> ----------------------------------------------------------------------
>> Traceback (most recent call last):
>>   File "/usr/lib/python2.7/site-packages/nose/case.py", line 197, in runTest
>>     self.test(*self.arg)
>>   File "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/test_xmlrpc/xmlrpc_test.py", line 249, in
>>     func = lambda: self.check(nice, **test)
>>   File "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/test_xmlrpc/xmlrpc_test.py", line 264, in check
>>     self.check_output(nice, cmd, args, options, expected, extra_check)
>>   File "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/test_xmlrpc/xmlrpc_test.py", line 290, in check_output
>>     assert_deepequal(expected, got, nice)
>>   File "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/util.py", line 331, in assert_deepequal
>>     assert_deepequal(e_sub, g_sub, doc, stack + (key,))
>>   File "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/util.py", line 325, in assert_deepequal
>>     doc, sorted(missing), sorted(extra), expected, got, stack
>> AssertionError: assert_deepequal: dict keys mismatch.
>>   test_automember[39]: host_add: Create u'web5.ipa.local'
>>   missing keys = []
>>   extra keys = ['memberof_hostgroup', 'memberofindirect_netgroup']
>>   expected = {'dn': u'fqdn=web5.ipa.local,cn=computers,cn=accounts,dc=ipa,dc=local',
>> 'has_keytab': False, 'description': [u'Test host 3'], 'objectclass':
>> [u'ipasshhost', u'ipaSshGroupOfPubKeys', u'ieee802device', u'ipaobject',
>> u'nshost', u'ipahost', u'pkiuser', u'ipaservice', u'krbprincipalaux',
>> u'krbprincipal', u'top'], 'l': [u'Undisclosed location 1'], 'fqdn':
>> [u'web5.ipa.local'], 'has_password': False, 'ipauniqueid':
>> [Fuzzy('^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$',
>> , None)], 'krbprincipalname':
>> [u'host/web5.ipa.local at IPA.LOCAL'], 'managedby_host':
>> [u'web5.ipa.local']}
>>   got = {'dn': u'fqdn=web5.ipa.local,cn=computers,cn=accounts,dc=ipa,dc=local',
>> 'has_keytab': False, 'description': (u'Test host 3',), 'objectclass':
>> (u'ipaobject', u'nshost', u'ipahost', u'pkiuser', u'ipaservice',
>> u'krbprincipalaux', u'krbprincipal', u'ieee802device', u'ipasshhost',
>> u'top', u'ipaSshGroupOfPubKeys'), 'l': (u'Undisclosed location 1',),
>> 'fqdn': (u'web5.ipa.local',), 'memberof_hostgroup': (u'hostgroup2',),
>> 'has_password': False, 'ipauniqueid':
>> (u'd08fbcb4-afb9-11e1-b06b-5254007ad848',), 'krbprincipalname':
>> (u'host/web5.ipa.local at IPA.LOCAL',), 'managedby_host':
>> (u'web5.ipa.local',), 'memberofindirect_netgroup': (u'hostgroup2',)}
>>   path = ('result',)
>>
>> ======================================================================
>> FAIL: test_group[21]: group_find: Search for all groups
>> ----------------------------------------------------------------------
>> Traceback (most recent call last):
>>   File "/usr/lib/python2.7/site-packages/nose/case.py", line 197, in runTest
>>     self.test(*self.arg)
>>   File "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/test_xmlrpc/xmlrpc_test.py", line 249, in
>>     func = lambda: self.check(nice, **test)
>>   File
"/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/test_xmlrpc/xmlrpc_test.py", line 264, in check >> self.check_output(nice, cmd, args, options, expected, extra_check) >> File "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/test_xmlrpc/xmlrpc_test.py", line 290, in check_output >> assert_deepequal(expected, got, nice) >> File "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/util.py", line 331, in assert_deepequal >> assert_deepequal(e_sub, g_sub, doc, stack + (key,)) >> File "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/util.py", line 339, in assert_deepequal >> VALUE % (doc, expected, got, stack) >> AssertionError: assert_deepequal: expected != got. >> test_group[21]: group_find: Search for all groups >> expected = 5 >> got = 6 >> path = ('count',) >> >> ---------------------------------------------------------------------- >> Ran 1407 tests in 358.194s >> >> FAILED (errors=2, failures=2) >> ====================================================================== >> FAILED under '/usr/bin/python2.7' >> >> ** FAIL ** >> > > It may have been an issue on my side. I will open a ticket if I hit a > unit test error again. > > I did a next round of review for your patches, I did not find any > show-stopper why not to push your patches. Lets get them grilled also by > other team members :-)I just logged one issue I found with > ipa-adtrust-install: > https://fedorahosted.org/freeipa/ticket/2815 > > ACK. Pushed all 13 patches to master. > > Martin > I tried building, and found that samba4-devel needs to be in BuildRequires. Without it, make-lint complains. Attaching the one-liner fix. -- Petr? -------------- next part -------------- A non-text attachment was scrubbed... Name: Add-samba4-python-to-BuildRequires.patch Type: text/x-patch Size: 775 bytes Desc: not available URL: From pvoborni at redhat.com Thu Jun 7 09:32:13 2012 
From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 07 Jun 2012 11:32:13 +0200 Subject: [Freeipa-devel] [PATCH] 151, 152 Removal of illegal options in association dialog In-Reply-To: <4FCF75F7.5050304@redhat.com> References: <4FCCDCB7.5070902@redhat.com> <4FCE523C.6030108@redhat.com> <4FCF4945.8000905@redhat.com> <4FCF75F7.5050304@redhat.com> Message-ID: <4FD0751D.1080801@redhat.com> Added json metadata update to patch #152 (attached zipped) and both PUSHed to master. On 06/06/2012 05:23 PM, Endi Sukma Dewata wrote: > On 6/6/2012 7:12 AM, Petr Vobornik wrote: >> On 06/05/2012 08:38 PM, Endi Sukma Dewata wrote: >>> If I understood correctly the json_exclude_attrs already defines the >>> list of attributes to be excluded, so is it still necessary to define >>> json_only_presence_options which basically will remove all attributes >>> except name? Suppose later you're writing the UI console where you can >>> type the CLI commands in the UI, do you think attributes like doc would >>> be needed to show in the command help? >> >> Depends on the implementation :). I think doc, labels and such would be >> very useful. In such case the missing attributes might be a problem. But >> it can be overcome by supplying it in other way because of the nature of >> the options in only_presences list (their attrs are same everywhere). >> >> Ideally I would not use the json_only_presence_options but it saves >> quite a lot of data. >> >> Btw, regarding the response size: if indentation in json.dump is >> disabled it saves about 3/4 of the size - very handy. I don't want to do >> it yet because the output is not very readable (for devels). I think >> enabling gzip compression for /ipa/session/json might be a way too. >> >>> If this is fine then ACK on both. >> >> I'm not sure if my reasoning can be considered 'fine'. > > If you already have a plan how to handle it later then it's fine. The > code works as is, so I don't have any objection to push it now. 
> > About the indentation, how about adding a parameter to compress the > output? So the UI can add something like 'compress=true' when pulling > the metadata, then for now the server can just remove the indentations. > Later you can add gzip compression too. For development you can still > open the URL without this parameter and you'll get a nicely formatted > output. > >>> Btw, the static test data (i.e. ipa_init_*.json) should be updated as >>> well. You might want to create some scripts in install/ui/test/bin to >>> update these files similar to update_ipa_init.sh. >> >> Ah, I forgot to update it. I have a script which can handle both. I'll >> include updated ipa_init_object.json and ipa_init_command.json when >> pushing #152. >> >> I'm attaching the script, if you are interested. It works with >> form-based auth, so I can query test machine from devel machine without >> test's krb5.conf. I'm using the script for generating other .json files. >> I haven't put it in git because of my frequent personal changes which might >> not be useful for others. > > Looks good. If you want you can also put it in a personal git repo, but > just make sure they don't contain private information. Or make it > configurable, and you can use a private wrapper script to supply your > environment-specific settings. I'm doing something similar for PKI: > http://fedorapeople.org/gitweb?p=edewata/public_git/pki-dev.git;a=tree Nice collection of scripts :) > > This is a lower priority, but it might be useful to document how to > setup a server (including the data) that can be used to generate the > static test data. It can be step-by-step instructions or scripts. > Sounds good. Ideally it would be fine to have some scripts which will fill the test server with data. And then generate static data from it. But I really don't know who would like to write those filling scripts because it sounds like a boring task. 
-- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0152-1-Removal-of-illegal-options-in-association-dialog.patch.zip Type: application/zip Size: 62613 bytes Desc: not available URL: From pvoborni at redhat.com Thu Jun 7 09:37:05 2012 
From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 07 Jun 2012 11:37:05 +0200 Subject: [Freeipa-devel] [PATCH] 0050 Fail on unknown Command options In-Reply-To: <1338214566.5538.11.camel@balmora.brq.redhat.com> References: <4F8E97F6.2070703@redhat.com> <1336392614.29911.13.camel@balmora.brq.redhat.com> <4FABA16A.10802@redhat.com> <1336982456.4344.28.camel@balmora.brq.redhat.com> <1336984817.4344.43.camel@balmora.brq.redhat.com> <4FB0FEDB.4020806@redhat.com> <1337068555.10688.20.camel@balmora.brq.redhat.com> <4FB23F9B.10000@redhat.com> <1337155089.2963.10.camel@balmora.brq.redhat.com> <4FB3674A.1010402@redhat.com> <1337170298.2963.16.camel@balmora.brq.redhat.com> <4FBF32D3.1060302@redhat.com> <4FC381A3.7020000@redhat.com> <1338214566.5538.11.camel@balmora.brq.redhat.com> Message-ID: <4FD07641.7000707@redhat.com> On 05/28/2012 04:16 PM, Martin Kosek wrote: > On Mon, 2012-05-28 at 15:46 +0200, Petr Vobornik wrote: >> On 05/25/2012 09:20 AM, Petr Vobornik wrote: >>> On 05/16/2012 02:11 PM, Martin Kosek wrote: >>>> On Wed, 2012-05-16 at 10:37 +0200, Petr Viktorin wrote: >>>>> On 05/16/2012 09:58 AM, Martin Kosek wrote: >>>>>> On Tue, 2012-05-15 at 13:35 +0200, Petr Viktorin wrote: >>>>>>> On 05/15/2012 09:55 AM, Martin Kosek wrote: >>>>>>>> On Mon, 2012-05-14 at 14:47 +0200, Petr Viktorin wrote: >>>>>>>>> The final part of rejecting unknown Command arguments: enable the >>>>>>>>> validation, add tests. >>>>>>>>> Also fix up things that were changed since the previous patches. >>>>>>>>> >>>>>>>>> https://fedorahosted.org/freeipa/ticket/2509 >> >> 8><------------------ >> >>>>> >>>>> Attaching a rebased patch. >>>>> >>>> >>>> Yup, this one is fine. Now, I did not find issues in the patch itself, >>>> tests are clean. 
>>>> >>>> However, thanks to this new check I found issues in Web UI (automember, >>>> selfservice, delegation screen) which use illegal options and which >>>> should be fixed before we push your patch: >>>> >>>> https://fedorahosted.org/freeipa/ticket/2760 >>>> >>>> Martin >>>> >>> >>> I found an issue in automountmap_add_indirect. It complains that 'key' >>> is an unknown option. >> >> I found other options which were functional and now it complains: >> * hbacsvcgroup_find: no_hbacsvc >> * hbacsvc_find: not_in_hbacsvcgroup >> * same issue in sudo commands and sudo command groups. >> >> I didn't check all relationships, so it may be broken elsewhere as well. >> > > I don't think this is an error on the server side - it never had filter > options like these in the modules you referenced (though we may add them > as an RFE when needed). > > When you pass these options in the UI to the server side, it's just a NOOP > - or an error when Petr's patch is applied. > > Martin > All issues found in Web UI are fixed. -- Petr Vobornik From mkosek at redhat.com Thu Jun 7 09:43:23 2012 
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 07 Jun 2012 11:43:23 +0200 Subject: [Freeipa-devel] [PATCH] 0042-0048 AD trusts support (master) In-Reply-To: <4FD074DB.6090905@redhat.com> References: <20120403104135.GD23171@redhat.com> <20120403145749.GD8996@localhost.localdomain> <1334242615.777.3.camel@balmora.brq.redhat.com> <20120412150803.GA24623@redhat.com> <1334243807.777.6.camel@balmora.brq.redhat.com> <1338810226.30320.45.camel@balmora.brq.redhat.com> <20120606095053.GK25726@redhat.com> <1339055321.7369.1.camel@balmora.brq.redhat.com> <4FD074DB.6090905@redhat.com> Message-ID: <1339062203.7369.2.camel@balmora.brq.redhat.com> On Thu, 2012-06-07 at 11:31 +0200, Petr Viktorin wrote: > On 06/07/2012 09:48 AM, Martin Kosek wrote: > > On Wed, 2012-06-06 at 12:50 +0300, Alexander Bokovoy wrote: > >> On Mon, 04 Jun 2012, Martin Kosek wrote: > >>> 2) Unit tests need to be updated, currently there is about a dozen test > >>> case errors, e.g. extra ipakrbprincipalalias attribute in services or > >>> new ipakrbprincipal objectclass for hosts > >> I did run unit tests. All passed except two which are not related to > >> trusts code and were failing before as well. All other issues found > >> during previous rounds of the review are fixed and squashed in patches > >> in my fedorapeople's tree. 
> >> > >> ====================================================================== > >> FAIL: test_automember[39]: host_add: Create u'web5.ipa.local' > >> ---------------------------------------------------------------------- > >> Traceback (most recent call last): > >> File "/usr/lib/python2.7/site-packages/nose/case.py", line 197, in runTest > >> self.test(*self.arg) > >> File "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/test_xmlrpc/xmlrpc_test.py", line 249, in > >> func = lambda: self.check(nice, **test) > >> File "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/test_xmlrpc/xmlrpc_test.py", line 264, in check > >> self.check_output(nice, cmd, args, options, expected, extra_check) > >> File "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/test_xmlrpc/xmlrpc_test.py", line 290, in check_output > >> assert_deepequal(expected, got, nice) > >> File "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/util.py", line 331, in assert_deepequal > >> assert_deepequal(e_sub, g_sub, doc, stack + (key,)) > >> File "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/util.py", line 325, in assert_deepequal > >> doc, sorted(missing), sorted(extra), expected, got, stack > >> AssertionError: assert_deepequal: dict keys mismatch. 
> >> test_automember[39]: host_add: Create u'web5.ipa.local' > >> missing keys = [] > >> extra keys = ['memberof_hostgroup', 'memberofindirect_netgroup'] > >> expected = {'dn': u'fqdn=web5.ipa.local,cn=computers,cn=accounts,dc=ipa,dc=local', > >> 'has_keytab': False, 'description': [u'Test host 3'], 'objectclass': > >> [u'ipasshhost', u'ipaSshGroupOfPubKeys', u'ieee802device', u'ipaobject', > >> u'nshost', u'ipahost', u'pkiuser', u'ipaservice', u'krbprincipalaux', > >> u'krbprincipal', u'top'], 'l': [u'Undisclosed location 1'], 'fqdn': > >> [u'web5.ipa.local'], 'has_password': False, 'ipauniqueid': > >> [Fuzzy('^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$', > >> , None)], 'krbprincipalname': > >> [u'host/web5.ipa.local at IPA.LOCAL'], 'managedby_host': > >> [u'web5.ipa.local']} > >> got = {'dn': u'fqdn=web5.ipa.local,cn=computers,cn=accounts,dc=ipa,dc=local', > >> 'has_keytab': False, 'description': (u'Test host 3',), 'objectclass': > >> (u'ipaobject', u'nshost', u'ipahost', u'pkiuser', u'ipaservice', > >> u'krbprincipalaux', u'krbprincipal', u'ieee802device', u'ipasshhost', > >> u'top', u'ipaSshGroupOfPubKeys'), 'l': (u'Undisclosed location 1',), > >> 'fqdn': (u'web5.ipa.local',), 'memberof_hostgroup': (u'hostgroup2',), > >> 'has_password': False, 'ipauniqueid': > >> (u'd08fbcb4-afb9-11e1-b06b-5254007ad848',), 'krbprincipalname': > >> (u'host/web5.ipa.local at IPA.LOCAL',), 'managedby_host': > >> (u'web5.ipa.local',), 'memberofindirect_netgroup': (u'hostgroup2',)} > >> path = ('result',) > >> > >> ====================================================================== > >> FAIL: test_group[21]: group_find: Search for all groups > >> ---------------------------------------------------------------------- > >> Traceback (most recent call last): > >> File "/usr/lib/python2.7/site-packages/nose/case.py", line 197, in runTest > >> self.test(*self.arg) > >> File "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/test_xmlrpc/xmlrpc_test.py", line 249, 
in > >> func = lambda: self.check(nice, **test) > >> File "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/test_xmlrpc/xmlrpc_test.py", line 264, in check > >> self.check_output(nice, cmd, args, options, expected, extra_check) > >> File "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/test_xmlrpc/xmlrpc_test.py", line 290, in check_output > >> assert_deepequal(expected, got, nice) > >> File "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/util.py", line 331, in assert_deepequal > >> assert_deepequal(e_sub, g_sub, doc, stack + (key,)) > >> File "/root/rpmbuild/BUILD/freeipa-2.99.0GIT0b74e24/tests/util.py", line 339, in assert_deepequal > >> VALUE % (doc, expected, got, stack) > >> AssertionError: assert_deepequal: expected != got. > >> test_group[21]: group_find: Search for all groups > >> expected = 5 > >> got = 6 > >> path = ('count',) > >> > >> ---------------------------------------------------------------------- > >> Ran 1407 tests in 358.194s > >> > >> FAILED (errors=2, failures=2) > >> ====================================================================== > >> FAILED under '/usr/bin/python2.7' > >> > >> ** FAIL ** > >> > > > > It may have been an issue on my side. I will open a ticket if I hit a > > unit test error again. > > > > I did a next round of review for your patches, I did not find any > > show-stopper why not to push your patches. Let's get them grilled also by > > other team members :-) I just logged one issue I found with > > ipa-adtrust-install: > > https://fedorahosted.org/freeipa/ticket/2815 > > > > ACK. Pushed all 13 patches to master. > > > > Martin > > > > I tried building, and found that samba4-devel needs to be in > BuildRequires. Without it, make-lint complains. Attaching the one-liner fix. > Right. ACK, pushed to master. Martin From mkosek at redhat.com Thu Jun 7 09:48:06 2012 
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 07 Jun 2012 11:48:06 +0200 Subject: [Freeipa-devel] [PATCH] 275 Do not crash in Decimal parameter conversion Message-ID: <1339062486.7369.3.camel@balmora.brq.redhat.com> When invalid data is passed, an unhandled decimal exception could be raised in Decimal number conversion. Handle the exception more gracefully and report proper ipalib.errors.ConversionError. https://fedorahosted.org/freeipa/ticket/2705 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-275-do-not-crash-in-decimal-parameter-conversion.patch Type: text/x-patch Size: 3072 bytes Desc: not available URL: From sbose at redhat.com Thu Jun 7 10:07:13 2012 From: sbose at redhat.com (Sumit Bose) Date: Thu, 7 Jun 2012 12:07:13 +0200 Subject: [Freeipa-devel] [PATCH] 19-21 Use exop instead of kadmin.local Message-ID: <20120607100713.GN8124@localhost.localdomain> Hi, this patch fixes https://fedorahosted.org/freeipa/ticket/2513 and as a consequence makes https://fedorahosted.org/freeipa/ticket/2516 obsolete. This first patch is just a minor cleanup which is not related to the ticket. The second makes create_keys() a public function so that it can be called by the ipasam plugin as well. Finally the third patch removes the kadmin.local call and calls the KEYTAB_SET_OID extended operation instead. bye, Sumit From sbose at redhat.com Thu Jun 7 10:09:32 2012 
From: sbose at redhat.com (Sumit Bose) Date: Thu, 7 Jun 2012 12:09:32 +0200 Subject: [Freeipa-devel] [PATCH] 19-21 Use exop instead of kadmin.local In-Reply-To: <20120607100713.GN8124@localhost.localdomain> References: <20120607100713.GN8124@localhost.localdomain> Message-ID: <20120607100932.GO8124@localhost.localdomain> now with patches :-) On Thu, Jun 07, 2012 at 12:07:13PM +0200, Sumit Bose wrote: > Hi, > > this patch fixes https://fedorahosted.org/freeipa/ticket/2513 and as a > consequence makes https://fedorahosted.org/freeipa/ticket/2516 obsolete. > > This first patch is just a minor cleanup which is not related to the > ticket. The second makes create_keys() a public function so that it can be > called by the ipasam plugin as well. Finally the third patch removes the > kadmin.local call and calls the KEYTAB_SET_OID extended operation > instead. > > bye, > Sumit -------------- next part -------------- From adf2c4145587b5505a74beb9f3b0893781ae3119 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Tue, 20 Dec 2011 13:56:00 +0100 Subject: [PATCH] ipasam: remove unused struct elements --- daemons/ipa-sam/ipa_sam.c | 11 ----------- 1 Datei geändert, 11 Zeilen entfernt(-) diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c index 3e88050670c5d2bc760d9de0806f9ea1a164c0d3..2627025a8f2f757ca62c58b541c002f46e7c3be1 100644 --- a/daemons/ipa-sam/ipa_sam.c +++ b/daemons/ipa-sam/ipa_sam.c 
@@ -182,17 +182,6 @@ do { \ #define HAS_KRB_TICKET_POLICY_AUX (1<<9) struct ipasam_privates { - NTSTATUS (*ldapsam_add_sam_account)(struct pdb_methods *, - struct samu *sampass); - NTSTATUS (*ldapsam_update_sam_account)(struct pdb_methods *, - struct samu *sampass); - NTSTATUS (*ldapsam_create_user)(struct pdb_methods *my_methods, - TALLOC_CTX *tmp_ctx, const char *name, - uint32_t acb_info, uint32_t *rid); - NTSTATUS (*ldapsam_create_dom_group)(struct pdb_methods *my_methods, - TALLOC_CTX *tmp_ctx, - const char *name, - uint32_t *rid); char *realm; char *base_dn; char *trust_dn; -- 1.7.10.2 -------------- next part -------------- From 2f2e777838c1258e45e6185f99ec9806163e5dc7 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Tue, 13 Mar 2012 10:29:00 +0100 Subject: [PATCH] Move some krb5 keys related functions from ipa-client to util --- ipa-client/ipa-getkeytab.c | 381 +------------------------------------------- util/ipa_krb5.c | 362 +++++++++++++++++++++++++++++++++++++++++ util/ipa_krb5.h | 36 +++++ 3 Dateien ge?ndert, 403 Zeilen hinzugef?gt(+), 376 Zeilen entfernt(-) diff --git a/ipa-client/ipa-getkeytab.c b/ipa-client/ipa-getkeytab.c index 7d7b971769cccece5dfe36934f6c73e5986df877..ca6e63413d64060afb802b1e807920ffaac2bb31 100644 --- a/ipa-client/ipa-getkeytab.c +++ b/ipa-client/ipa-getkeytab.c 
@@ -41,30 +41,6 @@ #include "ipa_krb5.h" #include "ipa-client-common.h" -/* Salt types */ -#define NO_SALT -1 -#define KRB5_KDB_SALTTYPE_NORMAL 0 -#define KRB5_KDB_SALTTYPE_V4 1 -#define KRB5_KDB_SALTTYPE_NOREALM 2 -#define KRB5_KDB_SALTTYPE_ONLYREALM 3 -#define KRB5_KDB_SALTTYPE_SPECIAL 4 -#define KRB5_KDB_SALTTYPE_AFS3 5 - -#define KEYTAB_SET_OID "2.16.840.1.113730.3.8.10.1" -#define KEYTAB_RET_OID "2.16.840.1.113730.3.8.10.2" - -struct krb_key_salt { - krb5_enctype enctype; - krb5_int32 salttype; - krb5_keyblock key; - krb5_data salt; -}; - -struct keys_container { - krb5_int32 nkeys; - struct krb_key_salt *ksdata; -}; - static int ldap_sasl_interact(LDAP *ld, unsigned flags, void *priv_data, void *sit) { sasl_interact_t *in = NULL; 
@@ -122,357 +98,6 @@ static int ldap_sasl_interact(LDAP *ld, unsigned flags, void *priv_data, void *s return ret; } -static void free_keys_contents(krb5_context krbctx, struct keys_container *keys) -{ - struct krb_key_salt *ksdata; - int i; - - ksdata = keys->ksdata; - for (i = 0; i < keys->nkeys; i++) { - krb5_free_keyblock_contents(krbctx, &ksdata[i].key); - krb5_free_data_contents(krbctx, &ksdata[i].salt); - } - free(ksdata); - - keys->ksdata = NULL; - keys->nkeys = 0; -} - -/* Determines Encryption and Salt types, - * allocates key_salt data storage, - * filters out equivalent encodings, - * returns 0 if no enctypes available, >0 if enctypes are available */ -static int prep_ksdata(krb5_context krbctx, const char *str, - struct keys_container *keys) -{ - struct krb_key_salt *ksdata; - krb5_error_code krberr; - int n, i, j, nkeys; - - if (str == NULL) { - krb5_enctype *ktypes; - - krberr = krb5_get_permitted_enctypes(krbctx, &ktypes); - if (krberr) { - fprintf(stderr, _("No system preferred enctypes ?!\n")); - return 0; - } - - for (n = 0; ktypes[n]; n++) /* count */ ; - - ksdata = calloc(n + 1, sizeof(struct krb_key_salt)); - if (NULL == ksdata) { - fprintf(stderr, _("Out of memory!?\n")); - return 0; - } - - for (i = 0; i < n; i++) { - ksdata[i].enctype = ktypes[i]; - ksdata[i].salttype = KRB5_KDB_SALTTYPE_NORMAL; - } - - ipa_krb5_free_ktypes(krbctx, ktypes); - - nkeys = i; - - } else { - char *tmp, *t, *p, *q; - - t = tmp = strdup(str); - if (!tmp) { - fprintf(stderr, _("Out of memory\n")); - return 0; - } - - /* count */ - n = 0; - while ((p = strchr(t, ','))) { - t = p+1; - n++; - } - n++; /* count the last one that is 0 terminated instead */ - - /* at the end we will have at most n entries + 1 terminating */ - ksdata = calloc(n + 1, sizeof(struct krb_key_salt)); - if (!ksdata) { - fprintf(stderr, _("Out of memory\n")); - return 0; - } - - for (i = 0, j = 0, t = tmp; i < n; i++) { - - p = strchr(t, ','); - if (p) *p = '\0'; - - q = strchr(t, ':'); - if (q) 
*q++ = '\0'; - - krberr = krb5_string_to_enctype(t, &ksdata[j].enctype); - if (krberr != 0) { - fprintf(stderr, - _("Warning unrecognized encryption type: [%s]\n"), t); - if (p) t = p + 1; - continue; - } - if (p) t = p + 1; - - if (!q) { - ksdata[j].salttype = KRB5_KDB_SALTTYPE_NORMAL; - j++; - continue; - } - - krberr = krb5_string_to_salttype(q, &ksdata[j].salttype); - if (krberr != 0) { - fprintf(stderr, - _("Warning unrecognized salt type: [%s]\n"), q); - continue; - } - - j++; - } - - nkeys = j; - - free(tmp); - } - - /* Check we don't already have a key with a similar encoding, - * it would just produce redundant data and this is what the - * MIT code do anyway */ - - for (i = 0, n = 0; i < nkeys; i++ ) { - krb5_boolean similar = 0; - - for (j = 0; j < i; j++) { - krberr = krb5_c_enctype_compare(krbctx, - ksdata[j].enctype, - ksdata[i].enctype, - &similar); - if (krberr) { - free_keys_contents(krbctx, keys); - free(ksdata); - fprintf(stderr, _("Enctype comparison failed!\n")); - return 0; - } - if (similar && - (ksdata[j].salttype == ksdata[i].salttype)) { - break; - } - } - if (j < i) { - /* redundant encoding, remove it, and shift others */ - int x; - for (x = i; x < nkeys-1; x++) { - ksdata[x].enctype = ksdata[x+1].enctype; - ksdata[x].salttype = ksdata[x+1].salttype; - } - continue; - } - /* count only confirmed enc/salt tuples */ - n++; - } - - keys->nkeys = n; - keys->ksdata = ksdata; - - return n; -} - -static int create_keys(krb5_context krbctx, - krb5_principal princ, - char *password, - const char *enctypes_string, - struct keys_container *keys) -{ - struct krb_key_salt *ksdata; - krb5_error_code krberr; - krb5_data key_password; - krb5_data *realm = NULL; - int i, nkeys; - int ret; - - ret = prep_ksdata(krbctx, enctypes_string, keys); - if (ret == 0) return 0; - - ksdata = keys->ksdata; - nkeys = keys->nkeys; - - if (password) { - key_password.data = password; - key_password.length = strlen(password); - - realm = krb5_princ_realm(krbctx, princ); - 
} - - for (i = 0; i < nkeys; i++) { - krb5_data *salt; - - if (!password) { - /* cool, random keys */ - krberr = krb5_c_make_random_key(krbctx, - ksdata[i].enctype, - &ksdata[i].key); - if (krberr) { - fprintf(stderr, _("Failed to create random key!\n")); - return 0; - } - /* set the salt to NO_SALT as the key was random */ - ksdata[i].salttype = NO_SALT; - continue; - } - - /* Make keys using password and required salt */ - switch (ksdata[i].salttype) { - case KRB5_KDB_SALTTYPE_ONLYREALM: - krberr = krb5_copy_data(krbctx, realm, &salt); - if (krberr) { - fprintf(stderr, _("Failed to create key!\n")); - return 0; - } - - ksdata[i].salt.length = salt->length; - ksdata[i].salt.data = malloc(salt->length); - if (!ksdata[i].salt.data) { - fprintf(stderr, _("Out of memory!\n")); - return 0; - } - memcpy(ksdata[i].salt.data, salt->data, salt->length); - krb5_free_data(krbctx, salt); - break; - - case KRB5_KDB_SALTTYPE_NOREALM: - krberr = ipa_krb5_principal2salt_norealm(krbctx, princ, &ksdata[i].salt); - if (krberr) { - fprintf(stderr, _("Failed to create key!\n")); - return 0; - } - break; - - case KRB5_KDB_SALTTYPE_NORMAL: - krberr = krb5_principal2salt(krbctx, princ, &ksdata[i].salt); - if (krberr) { - fprintf(stderr, _("Failed to create key!\n")); - return 0; - } - break; - - /* no KRB5_KDB_SALTTYPE_V4, we do not support krb v4 */ - - case KRB5_KDB_SALTTYPE_AFS3: - /* Comment from MIT sources: - * * Why do we do this? Well, the afs_mit_string_to_key - * * needs to use strlen, and the realm is not NULL - * * terminated.... 
- */ - ksdata[i].salt.data = (char *)malloc(realm->length + 1); - if (NULL == ksdata[i].salt.data) { - fprintf(stderr, _("Out of memory!\n")); - return 0; - } - memcpy((char *)ksdata[i].salt.data, - (char *)realm->data, realm->length); - ksdata[i].salt.data[realm->length] = '\0'; - /* AFS uses a special length (UGLY) */ - ksdata[i].salt.length = SALT_TYPE_AFS_LENGTH; - break; - - default: - fprintf(stderr, _("Bad or unsupported salt type (%d)!\n"), - ksdata[i].salttype); - return 0; - } - - krberr = krb5_c_string_to_key(krbctx, - ksdata[i].enctype, - &key_password, - &ksdata[i].salt, - &ksdata[i].key); - if (krberr) { - fprintf(stderr, _("Failed to create key!\n")); - return 0; - } - - /* set back salt length to real value if AFS3 */ - if (ksdata[i].salttype == KRB5_KDB_SALTTYPE_AFS3) { - ksdata[i].salt.length = realm->length; - } - } - - return nkeys; -} - -static struct berval *create_key_control(struct keys_container *keys, - const char *principalName) -{ - struct krb_key_salt *ksdata; - struct berval *bval; - BerElement *be; - int ret, i; - - be = ber_alloc_t(LBER_USE_DER); - if (!be) { - return NULL; - } - - ret = ber_printf(be, "{s{", principalName); - if (ret == -1) { - ber_free(be, 1); - return NULL; - } - - ksdata = keys->ksdata; - for (i = 0; i < keys->nkeys; i++) { - - /* we set only the EncryptionKey and salt, no s2kparams */ - - ret = ber_printf(be, "{t[{t[i]t[o]}]", - (ber_tag_t)(LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 0), - (ber_tag_t)(LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 0), - (ber_int_t)ksdata[i].enctype, - (ber_tag_t)(LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 1), - (char *)ksdata[i].key.contents, (ber_len_t)ksdata[i].key.length); - - if (ret == -1) { - ber_free(be, 1); - return NULL; - } - - if (ksdata[i].salttype == NO_SALT) { - ret = ber_printf(be, "}"); - continue; - } - - /* we have to pass a salt structure */ - ret = ber_printf(be, "t[{t[i]t[o]}]}", - (ber_tag_t)(LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 1), - (ber_tag_t)(LBER_CONSTRUCTED | 
LBER_CLASS_CONTEXT | 0), - (ber_int_t)ksdata[i].salttype, - (ber_tag_t)(LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 1), - (char *)ksdata[i].salt.data, (ber_len_t)ksdata[i].salt.length); - - if (ret == -1) { - ber_free(be, 1); - return NULL; - } - } - - ret = ber_printf(be, "}}"); - if (ret == -1) { - ber_free(be, 1); - return NULL; - } - - ret = ber_flatten(be, &bval); - if (ret == -1) { - ber_free(be, 1); - return NULL; - } - - ber_free(be, 1); - return bval; -} - int filter_keys(krb5_context krbctx, struct keys_container *keys, ber_int_t *enctypes) { @@ -854,6 +479,7 @@ int main(int argc, const char *argv[]) krb5_keytab kt; int kvno; int i, ret; + char *err_msg; ret = init_gettext(); if (ret) { @@ -955,8 +581,11 @@ int main(int argc, const char *argv[]) } /* create key material */ - ret = create_keys(krbctx, sprinc, password, enctypes_string, &keys); + ret = create_keys(krbctx, sprinc, password, enctypes_string, &keys, &err_msg); if (!ret) { + if (err_msg != NULL) { + fprintf(stderr, "%s", err_msg); + } fprintf(stderr, _("Failed to create key material\n")); exit(8); } diff --git a/util/ipa_krb5.c b/util/ipa_krb5.c index 0e82b2380baa5a93ffab1f3eccc8b0597b4ebb83..0240c079ecd38271e5dbb36ec8c6a091001cfce7 100644 --- a/util/ipa_krb5.c +++ b/util/ipa_krb5.c @@ -26,6 +26,9 @@ #include #include +#include +#define _(STRING) gettext(STRING) + #include "ipa_krb5.h" /* Salt types */ 
@@ -530,3 +533,362 @@ krb5_error_code filter_key_salt_tuples(krb5_context context, return 0; } +struct berval *create_key_control(struct keys_container *keys, + const char *principalName) +{ + struct krb_key_salt *ksdata; + struct berval *bval; + BerElement *be; + int ret, i; + + be = ber_alloc_t(LBER_USE_DER); + if (!be) { + return NULL; + } + + ret = ber_printf(be, "{s{", principalName); + if (ret == -1) { + ber_free(be, 1); + return NULL; + } + + ksdata = keys->ksdata; + for (i = 0; i < keys->nkeys; i++) { + + /* we set only the EncryptionKey and salt, no s2kparams */ + + ret = ber_printf(be, "{t[{t[i]t[o]}]", + (ber_tag_t)(LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 0), + (ber_tag_t)(LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 0), + (ber_int_t)ksdata[i].enctype, + (ber_tag_t)(LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 1), + (char *)ksdata[i].key.contents, (ber_len_t)ksdata[i].key.length); + + if (ret == -1) { + ber_free(be, 1); + return NULL; + } + + if (ksdata[i].salttype == NO_SALT) { + ret = ber_printf(be, "}"); + continue; + } + + /* we have to pass a salt structure */ + ret = ber_printf(be, "t[{t[i]t[o]}]}", + (ber_tag_t)(LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 1), + (ber_tag_t)(LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 0), + (ber_int_t)ksdata[i].salttype, + (ber_tag_t)(LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 1), + (char *)ksdata[i].salt.data, (ber_len_t)ksdata[i].salt.length); + + if (ret == -1) { + ber_free(be, 1); + return NULL; + } + } + + ret = ber_printf(be, "}}"); + if (ret == -1) { + ber_free(be, 1); + return NULL; + } + + ret = ber_flatten(be, &bval); + if (ret == -1) { + ber_free(be, 1); + return NULL; + } + + ber_free(be, 1); + return bval; +} + +void free_keys_contents(krb5_context krbctx, struct keys_container *keys) +{ + struct krb_key_salt *ksdata; + int i; + + ksdata = keys->ksdata; + for (i = 0; i < keys->nkeys; i++) { + krb5_free_keyblock_contents(krbctx, &ksdata[i].key); + krb5_free_data_contents(krbctx, &ksdata[i].salt); + } + free(ksdata); + + 
keys->ksdata = NULL; + keys->nkeys = 0; +} + +/* Determines Encryption and Salt types, + * allocates key_salt data storage, + * filters out equivalent encodings, + * returns 0 if no enctypes available, >0 if enctypes are available */ +static int prep_ksdata(krb5_context krbctx, const char *str, + struct keys_container *keys, + char **err_msg) +{ + struct krb_key_salt *ksdata; + krb5_error_code krberr; + int n, i, j, nkeys; + + *err_msg = NULL; + + if (str == NULL) { + krb5_enctype *ktypes; + + krberr = krb5_get_permitted_enctypes(krbctx, &ktypes); + if (krberr) { + *err_msg = _("No system preferred enctypes ?!\n"); + return 0; + } + + for (n = 0; ktypes[n]; n++) /* count */ ; + + ksdata = calloc(n + 1, sizeof(struct krb_key_salt)); + if (NULL == ksdata) { + *err_msg = _("Out of memory!?\n"); + return 0; + } + + for (i = 0; i < n; i++) { + ksdata[i].enctype = ktypes[i]; + ksdata[i].salttype = KRB5_KDB_SALTTYPE_NORMAL; + } + + ipa_krb5_free_ktypes(krbctx, ktypes); + + nkeys = i; + + } else { + char *tmp, *t, *p, *q; + + t = tmp = strdup(str); + if (!tmp) { + *err_msg = _("Out of memory\n"); + return 0; + } + + /* count */ + n = 0; + while ((p = strchr(t, ','))) { + t = p+1; + n++; + } + n++; /* count the last one that is 0 terminated instead */ + + /* at the end we will have at most n entries + 1 terminating */ + ksdata = calloc(n + 1, sizeof(struct krb_key_salt)); + if (!ksdata) { + *err_msg = _("Out of memory\n"); + return 0; + } + + for (i = 0, j = 0, t = tmp; i < n; i++) { + + p = strchr(t, ','); + if (p) *p = '\0'; + + q = strchr(t, ':'); + if (q) *q++ = '\0'; + + krberr = krb5_string_to_enctype(t, &ksdata[j].enctype); + if (krberr != 0) { + *err_msg = _("Warning unrecognized encryption type.\n"); + if (p) t = p + 1; + continue; + } + if (p) t = p + 1; + + if (!q) { + ksdata[j].salttype = KRB5_KDB_SALTTYPE_NORMAL; + j++; + continue; + } + + krberr = krb5_string_to_salttype(q, &ksdata[j].salttype); + if (krberr != 0) { + *err_msg = _("Warning unrecognized salt 
type.\n"); + continue; + } + + j++; + } + + nkeys = j; + + free(tmp); + } + + /* Check we don't already have a key with a similar encoding, + * it would just produce redundant data and this is what the + * MIT code do anyway */ + + for (i = 0, n = 0; i < nkeys; i++ ) { + krb5_boolean similar = 0; + + for (j = 0; j < i; j++) { + krberr = krb5_c_enctype_compare(krbctx, + ksdata[j].enctype, + ksdata[i].enctype, + &similar); + if (krberr) { + free_keys_contents(krbctx, keys); + free(ksdata); + *err_msg = _("Enctype comparison failed!\n"); + return 0; + } + if (similar && + (ksdata[j].salttype == ksdata[i].salttype)) { + break; + } + } + if (j < i) { + /* redundant encoding, remove it, and shift others */ + int x; + for (x = i; x < nkeys-1; x++) { + ksdata[x].enctype = ksdata[x+1].enctype; + ksdata[x].salttype = ksdata[x+1].salttype; + } + continue; + } + /* count only confirmed enc/salt tuples */ + n++; + } + + keys->nkeys = n; + keys->ksdata = ksdata; + + return n; +} + +int create_keys(krb5_context krbctx, + krb5_principal princ, + char *password, + const char *enctypes_string, + struct keys_container *keys, + char **err_msg) +{ + struct krb_key_salt *ksdata; + krb5_error_code krberr; + krb5_data key_password; + krb5_data *realm = NULL; + int i, nkeys; + int ret; + + *err_msg = NULL; + + ret = prep_ksdata(krbctx, enctypes_string, keys, err_msg); + if (ret == 0) return 0; + + ksdata = keys->ksdata; + nkeys = keys->nkeys; + + if (password) { + key_password.data = password; + key_password.length = strlen(password); + + realm = krb5_princ_realm(krbctx, princ); + } + + for (i = 0; i < nkeys; i++) { + krb5_data *salt; + + if (!password) { + /* cool, random keys */ + krberr = krb5_c_make_random_key(krbctx, + ksdata[i].enctype, + &ksdata[i].key); + if (krberr) { + *err_msg = _("Failed to create random key!\n"); + return 0; + } + /* set the salt to NO_SALT as the key was random */ + ksdata[i].salttype = NO_SALT; + continue; + } + + /* Make keys using password and required 
salt */ + switch (ksdata[i].salttype) { + case KRB5_KDB_SALTTYPE_ONLYREALM: + krberr = krb5_copy_data(krbctx, realm, &salt); + if (krberr) { + *err_msg = _("Failed to create key!\n"); + return 0; + } + + ksdata[i].salt.length = salt->length; + ksdata[i].salt.data = malloc(salt->length); + if (!ksdata[i].salt.data) { + *err_msg = _("Out of memory!\n"); + return 0; + } + memcpy(ksdata[i].salt.data, salt->data, salt->length); + krb5_free_data(krbctx, salt); + break; + + case KRB5_KDB_SALTTYPE_NOREALM: + krberr = ipa_krb5_principal2salt_norealm(krbctx, princ, + &ksdata[i].salt); + if (krberr) { + *err_msg = _("Failed to create key!\n"); + return 0; + } + break; + + case KRB5_KDB_SALTTYPE_NORMAL: + krberr = krb5_principal2salt(krbctx, princ, &ksdata[i].salt); + if (krberr) { + *err_msg = _("Failed to create key!\n"); + return 0; + } + break; + + /* no KRB5_KDB_SALTTYPE_V4, we do not support krb v4 */ + + case KRB5_KDB_SALTTYPE_AFS3: + /* Comment from MIT sources: + * * Why do we do this? Well, the afs_mit_string_to_key + * * needs to use strlen, and the realm is not NULL + * * terminated.... 
+ */ + ksdata[i].salt.data = (char *)malloc(realm->length + 1); + if (NULL == ksdata[i].salt.data) { + *err_msg = _("Out of memory!\n"); + return 0; + } + memcpy((char *)ksdata[i].salt.data, + (char *)realm->data, realm->length); + ksdata[i].salt.data[realm->length] = '\0'; + /* AFS uses a special length (UGLY) */ + ksdata[i].salt.length = SALT_TYPE_AFS_LENGTH; + break; + + default: + *err_msg = _("Bad or unsupported salt type.\n"); +/* FIXME: + fprintf(stderr, _("Bad or unsupported salt type (%d)!\n"), + ksdata[i].salttype); +*/ + return 0; + } + + krberr = krb5_c_string_to_key(krbctx, + ksdata[i].enctype, + &key_password, + &ksdata[i].salt, + &ksdata[i].key); + if (krberr) { + *err_msg = _("Failed to create key!\n"); + return 0; + } + + /* set back salt length to real value if AFS3 */ + if (ksdata[i].salttype == KRB5_KDB_SALTTYPE_AFS3) { + ksdata[i].salt.length = realm->length; + } + } + + return nkeys; +} + diff --git a/util/ipa_krb5.h b/util/ipa_krb5.h index f0513d109d2db9233cfc9b2dc3a6ab421587167a..97ffc47b5017507cd58e130755cfe050a287b30c 100644 --- a/util/ipa_krb5.h +++ b/util/ipa_krb5.h @@ -4,6 +4,30 @@ #include #include +struct krb_key_salt { + krb5_enctype enctype; + krb5_int32 salttype; + krb5_keyblock key; + krb5_data salt; +}; + +struct keys_container { + krb5_int32 nkeys; + struct krb_key_salt *ksdata; +}; + +/* Salt types */ +#define NO_SALT -1 +#define KRB5_KDB_SALTTYPE_NORMAL 0 +#define KRB5_KDB_SALTTYPE_V4 1 +#define KRB5_KDB_SALTTYPE_NOREALM 2 +#define KRB5_KDB_SALTTYPE_ONLYREALM 3 +#define KRB5_KDB_SALTTYPE_SPECIAL 4 +#define KRB5_KDB_SALTTYPE_AFS3 5 + +#define KEYTAB_SET_OID "2.16.840.1.113730.3.8.10.1" +#define KEYTAB_RET_OID "2.16.840.1.113730.3.8.10.2" + void ipa_krb5_free_ktypes(krb5_context context, krb5_enctype *val); 
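Review bot: in the redundant-encoding loop of prep_ksdata, after `for (x = i; x < nkeys-1; x++)` shifts the remaining entries down the loop does `continue` and the outer `i++` runs, so the entry that was just moved into slot i is never compared against the earlier ones, and nkeys is not decremented, so the stale copy left in ksdata[nkeys-1] is compared once more at the end. Decrement nkeys and re-examine slot i (for example `nkeys--; i--; continue;`) so a duplicate that directly follows another duplicate is also dropped. Two smaller points in the same hunk: on `krb5_c_enctype_compare` failure the code calls `free_keys_contents(krbctx, keys)` before `keys->ksdata` and `keys->nkeys` have been assigned (that happens only after the loop), so it acts on whatever the caller's struct already held and then frees ksdata a second time via the separate `free(ksdata)`; only the `free(ksdata)` is needed there. And in the `else` branch the strdup'd `tmp` leaks when the `calloc` fails and the function returns with "Out of memory".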
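Review bot: the `KRB5_KDB_SALTTYPE_*` macros added to ipa_krb5.h carry the same names as the definitions in MIT's kdb.h; identical redefinitions are legal C, but any translation unit that includes both headers will break the moment either side changes a value, so wrap them in `#ifndef KRB5_KDB_SALTTYPE_NORMAL` or give them a project prefix. `NO_SALT` is a very generic name to export from a shared header for the same reason. The two OID macros are fine, but a one-line comment naming the extended operations they identify (keytab set and keytab return) would help readers of ipa_sam.c, which only ever sees `KEYTAB_SET_OID`.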
@@ -36,4 +60,16 @@ krb5_error_code filter_key_salt_tuples(krb5_context context, krb5_key_salt_tuple *req, int n_req, krb5_key_salt_tuple *supp, int n_supp, krb5_key_salt_tuple **res, int *n_res); + +void free_keys_contents(krb5_context krbctx, struct keys_container *keys); + +struct berval *create_key_control(struct keys_container *keys, + const char *principalName); + +int create_keys(krb5_context krbctx, + krb5_principal princ, + char *password, + const char *enctypes_string, + struct keys_container *keys, + char **err_msg); #endif /* __IPA_KRB5_H_ */ -- 1.7.10.2 -------------- next part -------------- From 73eaf78c31bf5e228ba50ce51fc8857454fb4f17 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Tue, 13 Mar 2012 14:06:02 +0100 Subject: [PATCH] Use exop instead of kadmin.local --- daemons/ipa-sam/Makefile.am | 6 +++ daemons/ipa-sam/ipa_sam.c | 101 ++++++++++++++++++++++++++++---------- install/updates/60-trusts.update | 4 ++ 3 Dateien geändert, 84 Zeilen hinzugefügt(+), 27 Zeilen entfernt(-) diff --git a/daemons/ipa-sam/Makefile.am b/daemons/ipa-sam/Makefile.am index b5b9b0b75b276ac14b01ce35bae63af539e596fc..275cce629385b1719544a7832a00e9ee6664b739 100644 --- a/daemons/ipa-sam/Makefile.am +++ b/daemons/ipa-sam/Makefile.am @@ -7,6 +7,9 @@ SAMBA40EXTRA_LIBS = $(SAMBA40EXTRA_LIBPATH) \ -lsmbconf \ $(NULL) +KRB5_UTIL_DIR=../../util +KRB5_UTIL_SRCS=$(KRB5_UTIL_DIR)/ipa_krb5.c + INCLUDES = \ -I. \ -I$(srcdir) \ @@ -18,6 +21,7 @@ INCLUDES = \ -DDATADIR=\""$(datadir)"\" \ -DLDAPIDIR=\""$(localstatedir)/run"\" \ -DHAVE_LDAP \ + -I $(KRB5_UTIL_DIR) \ $(AM_CFLAGS) \ $(LDAP_CFLAGS) \ $(KRB5_CFLAGS) \ @@ -34,6 +38,7 @@ plugin_LTLIBRARIES = \ ipasam_la_SOURCES = \ ipa_sam.c \ + $(KRB5_UTIL_SRCS) \ $(NULL) ipasam_la_LDFLAGS = \ @@ -43,6 +48,7 @@ ipasam_la_LDFLAGS = \ ipasam_la_LIBADD = \ $(LDAP_LIBS) \ + $(KRB5_LIBS) \ $(TALLOC_LIBS) \ $(SAMBAUTIL_LIBS) \ $(NDR_LIBS) \ 
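Review bot: `$(KRB5_UTIL_SRCS)` compiles util/ipa_krb5.c straight into the ipasam module, and that file now calls gettext() through the `_()` macro it defines, but nothing in ipasam binds the FreeIPA text domain (ipa-getkeytab does that through init_gettext()), so the err_msg strings will be looked up in whatever domain the hosting smbd process has set, if any. The untranslated fallback is harmless, but either say so in a comment next to the `#define _(STRING) gettext(STRING)` line or have the library hand back untranslated strings and let each caller translate. Minor: `-I $(KRB5_UTIL_DIR)` with a space differs from the `-I$(srcdir)` style of the surrounding lines.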
diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c index 2627025a8f2f757ca62c58b541c002f46e7c3be1..851df8c62f0ffb159610ce0ac311463233eea497 100644 --- a/daemons/ipa-sam/ipa_sam.c +++ b/daemons/ipa-sam/ipa_sam.c @@ -9,6 +9,7 @@ #include #include #include +#include #include @@ -28,17 +29,7 @@ #include #include -#include - -/* TODO: remove if smbrunsecret() is removed */ -typedef struct connection_structi {} connection_struct; -struct current_user { - connection_struct *conn; - uint16_t vuid; - struct security_unix_token ut; - struct security_token *nt_user_token; -}; -extern struct current_user current_user; +#include "ipa_krb5.h" /* from drsblobs.h */ struct AuthInfoNone { @@ -104,7 +95,6 @@ char *sid_string_talloc(TALLOC_CTX *mem_ctx, const struct dom_sid *sid); /* avai char *sid_string_dbg(const struct dom_sid *sid); /* available in libsmbconf.so */ bool is_null_sid(const struct dom_sid *sid); /* available in libsecurity.so */ bool strnequal(const char *s1,const char *s2,size_t n); /* available in libutil_str.so */ -int smbrunsecret(const char *cmd, const char *secret); /* available in libsmbconf.so */ bool trim_char(char *s,char cfront,char cback); /* available in libutil_str.so */ bool sid_peek_check_rid(const struct dom_sid *exp_dom_sid, const struct dom_sid *sid, uint32_t *rid); /* available in libsecurity.so */ char *escape_ldap_string(TALLOC_CTX *mem_ctx, const char *s); /* available in libsmbconf.so */ 
@@ -1382,6 +1372,76 @@ static bool search_krb_princ(struct ldapsam_privates *ldap_state, return true; } +static int set_cross_realm_pw(struct ldapsam_privates *ldap_state, + TALLOC_CTX *mem_ctx, + const char *princ, const char *pwd, + const char *base_dn) +{ + int ret; + krb5_error_code krberr; + krb5_context krbctx; + krb5_principal service_princ; + struct keys_container keys; + char *err_msg; + struct berval *reqdata = NULL; + struct berval *retdata = NULL; + char *retoid; + + krberr = krb5_init_context(&krbctx); + if (krberr != 0) { + DEBUG(1, ("krb5_init_context failed.\n")); + ret = krberr; + goto done; + } + + krberr = krb5_parse_name(krbctx, princ, &service_princ); + if (krberr != 0) { + DEBUG(1, ("Invalid Service Principal Name [%s]\n", princ)); + ret = krberr; + goto done; + } + + ret = create_keys(krbctx, service_princ, discard_const(pwd), NULL, &keys, &err_msg); + if (!ret) { + if (err_msg != NULL) { + DEBUG(1, ("create_keys returned [%s]\n", err_msg)); + } + goto done; + } + + reqdata = create_key_control(&keys, princ); + if (reqdata == NULL) { + DEBUG(1, ("Failed to create reqdata!\n")); + ret= ENOMEM; + goto done; + } + + ret = smbldap_extended_operation(ldap_state->smbldap_state, + KEYTAB_SET_OID, reqdata, NULL, NULL, + &retoid, &retdata); + if (ret != LDAP_SUCCESS) { + DEBUG(1, ("smbldap_extended_operation failed!\n")); + goto done; + } + + /* So far we do not care abot the result */ + ldap_memfree(retoid); + if (retdata != NULL) { + ber_bvfree(retdata); + } + + ret = 0; +done: + if (reqdata != NULL) { + ber_bvfree(reqdata); + } + free_keys_contents(krbctx, &keys); + krb5_free_principal(krbctx, service_princ); + krb5_free_context(krbctx); + + return ret; +} + static bool set_krb_princ(struct ldapsam_privates *ldap_state, TALLOC_CTX *mem_ctx, const char *princ, const char *pwd, 
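Review bot: the `done:` cleanup in set_cross_realm_pw runs unconditionally, but `krbctx`, `service_princ` and `keys` are all uninitialized until the corresponding call has succeeded, so an early failure in krb5_init_context or krb5_parse_name reaches `free_keys_contents(krbctx, &keys)`, `krb5_free_principal(krbctx, service_princ)` and `krb5_free_context(krbctx)` with garbage; the same applies to `keys` when create_keys fails before prep_ksdata has assigned keys->ksdata. Initialize them (`krb5_context krbctx = NULL; krb5_principal service_princ = NULL; struct keys_container keys = { 0, NULL };`) and guard each free. Second, create_keys returns the number of keys created, so on failure `ret` is 0 and the `goto done` makes the function return 0, which set_krb_princ's `if (ret != 0)` treats as success; set `ret` to a non-zero error before the jump. Finally, `mem_ctx` and `base_dn` are unused in this function, and the comment should read "about", not "abot".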
@@ -1450,22 +1510,9 @@ static bool set_krb_princ(struct ldapsam_privates *ldap_state, return false; } - /* TODO: Call the appropriate expo if ipasam is part of the FreeIPA - * source tree */ - inp = talloc_asprintf(mem_ctx, "change_password -pw %s %s", pwd, princ); - if (inp == NULL) { - return false; - } - - uid_t save_uid = current_user.ut.uid; - gid_t save_gid = current_user.ut.gid; - current_user.ut.uid = 0; - current_user.ut.gid = 0; - ret = smbrunsecret("kadmin.local", inp); - current_user.ut.uid = save_uid; - current_user.ut.gid = save_gid; + ret = set_cross_realm_pw(ldap_state, mem_ctx, princ, pwd, base_dn); if (ret != 0) { - DEBUG(1, ("calling kadmin.local failed.\n")); + DEBUG(1, ("set_cross_realm_pw failed.\n")); return false; } diff --git a/install/updates/60-trusts.update b/install/updates/60-trusts.update index cfd1ad7e5f83bd64c5934d270090754bbe9e9e36..a05f89cc83e3683b5d2deab59fdb930486a20e86 100644 --- a/install/updates/60-trusts.update +++ b/install/updates/60-trusts.update @@ -60,3 +60,7 @@ add:aci: '(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || # Samba user should be able to read NT passwords to authenticate dn: $SUFFIX add:aci: '(targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can read NT passwords"; allow (read) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)' + +# Samba user should be able to create cross domain principals +dn: cn=trusts,$SUFFIX +add:aci: '(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "krbPrincipalName || krbLastPwdChange || krbTicketFlags || krbLoginFailedCount || krbExtraData || krbPrincipalKey")(version 3.0;acl "Allow trust system user to create cross domain principals"; allow (read,write,add,delete) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)' -- 1.7.10.2 From pspacek at redhat.com Thu Jun 7 12:46:56 2012 
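Review bot: the new ACI in 60-trusts.update grants the adtrust agents group read as well as write/add/delete on krbPrincipalKey under cn=trusts. The keytab-set extended operation needs write on that attribute for the agents, but read on krbPrincipalKey additionally lets that service account pull cross-realm key material back out over plain LDAP; consider splitting this into one ACI with read on the non-key attributes and a second with write/add/delete only where the keys are concerned. It is also worth verifying that `add` works with this targetattr list: to my knowledge 389-ds checks every attribute of the new entry against targetattr on an add, and the list does not include objectClass or the other attributes a krbPrincipal entry carries, so the add may still be refused unless another ACI covers it.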
From: pspacek at redhat.com (Petr Spacek) Date: Thu, 07 Jun 2012 14:46:56 +0200 Subject: [Freeipa-devel] [PATCH] 0021 Fix crash on reload with persistent search enabled Message-ID: <4FD0A2C0.4040503@redhat.com> Hello, this patch fixes https://fedorahosted.org/bind-dyndb-ldap/ticket/78: Crash on reload with persistent search enabled. Petr^2 Spacek -------------- next part -------------- A non-text attachment was scrubbed... Name: bind-dyndb-ldap-pspacek-0021-Fix-crash-during-BIND-reload-with-persistent-search.patch Type: text/x-patch Size: 884 bytes Desc: not available URL: From simo at redhat.com Thu Jun 7 12:57:30 2012 
From: simo at redhat.com (Simo Sorce) Date: Thu, 07 Jun 2012 08:57:30 -0400 Subject: [Freeipa-devel] Allowing existing IPA hosts to be used for installing a replica In-Reply-To: <4FD01B36.2040308@redhat.com> References: <4FD01B36.2040308@redhat.com> Message-ID: <1339073850.8230.407.camel@willson.li.ssimo.org> On Wed, 2012-06-06 at 23:08 -0400, Rob Crittenden wrote: > Scott Poore wrote: > > Running this by the mailing list to see if I should open an RFE. > > > > Should we have the ability to install replicas where the host entries already exist in IPA? > > > > So, we could in theory do a host-add before running ipa-replica-install on the soon to be replica. There may be some useful cases for supporting this. Could be useful in a location that starts growing for "promoting" a client to a Replica for use in that location. Maybe as an override flag to the ipa-replica-install command? > > > > Thoughts? > > I asked Scott to pose this to the list. I'm a little uneasy about it but > perhaps I'm just paranoid. > > This isn't proposing that an enrolled client be able to become a > replica, but right now if a host entry exists for a target replica > server we require it be removed before proceeding. > > The reason being we don't know what else is associated with that host > (well, we do, but it sure seems like a lot of work to fetch it all). The > host could already have an HTTP server, for example. Or it could have > other certs or services. > > So the question is, is it adequate to require the removal or should we > go through the trouble to see if there are any conflicting services? We > don't have a TGT when preparing a replica so this would mean a bit of > manual LDAP work which could very well be a pain source in the future. Uhmm why should we care at replica preparation time ? All the kerberos keys are created at install time, is it for certs ? In that case I would suggest we defer creation of certs to install time so it becomes non-issue. 
At install time we detect if certs/keys are already available (and functional) and we just reuse them if so. What am I missing ? Simo. -- Simo Sorce * Red Hat, Inc * New York From simo at redhat.com Thu Jun 7 12:59:25 2012 From: simo at redhat.com (Simo Sorce) Date: Thu, 07 Jun 2012 08:59:25 -0400 Subject: [Freeipa-devel] [PATCH] 0042-0048 AD trusts support (master) In-Reply-To: <20120607075658.GM25726@redhat.com> References: <20120403104135.GD23171@redhat.com> <20120403145749.GD8996@localhost.localdomain> <1334242615.777.3.camel@balmora.brq.redhat.com> <20120412150803.GA24623@redhat.com> <1334243807.777.6.camel@balmora.brq.redhat.com> <1338810226.30320.45.camel@balmora.brq.redhat.com> <20120606095053.GK25726@redhat.com> <1339055321.7369.1.camel@balmora.brq.redhat.com> <20120607075658.GM25726@redhat.com> Message-ID: <1339073965.8230.408.camel@willson.li.ssimo.org> On Thu, 2012-06-07 at 10:56 +0300, Alexander Bokovoy wrote: > On Thu, 07 Jun 2012, Martin Kosek wrote: > >It may have been an issue on my side. I will open a ticket if I hit a > >unit test error again. > > > >I did a next round of review for your patches, I did not find any > >show-stopper why not to push your patches. Let's get them grilled also by > >other team members :-) I just logged one issue I found with > >ipa-adtrust-install: > >https://fedorahosted.org/freeipa/ticket/2815 > I think we should do a check on whether we have a valid ticket prior to doing > configuration, similar to how we check DM password availability. > Besides the keytab fetch we also need to create the service which > requires appropriate admin permissions. > > > >ACK. Pushed all 13 patches to master. > Great! Thanks for the thorough review. Excellent news! Thanks a lot to all involved for the great work done! Simo. > Sumit, please rebase and send your remaining patches for review. > -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Thu Jun 7 13:16:23 2012 
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 07 Jun 2012 09:16:23 -0400 Subject: [Freeipa-devel] Allowing existing IPA hosts to be used for installing a replica In-Reply-To: <1339073850.8230.407.camel@willson.li.ssimo.org> References: <4FD01B36.2040308@redhat.com> <1339073850.8230.407.camel@willson.li.ssimo.org> Message-ID: <4FD0A9A7.5090901@redhat.com> Simo Sorce wrote: > On Wed, 2012-06-06 at 23:08 -0400, Rob Crittenden wrote: >> Scott Poore wrote: >>> Running this by the mailing list to see if I should open an RFE. >>> >>> Should we have the ability to install replicas where the host entries already exist in IPA? >>> >>> So, we could in theory do a host-add before running ipa-replica-install on the soon to be replica. There may be some useful cases for supporting this. Could be useful in a location that starts growing for "promoting" a client to a Replica for use in that location. Maybe as an override flag to the ipa-replica-install command? >>> >>> Thoughts? >> >> I asked Scott to pose this to the list. I'm a little uneasy about it but >> perhaps I'm just paranoid. >> >> This isn't proposing that an enrolled client be able to become a >> replica, but right now if a host entry exists for a target replica >> server we require it be removed before proceeding. >> >> The reason being we don't know what else is associated with that host >> (well, we do, but it sure seems like a lot of work to fetch it all). The >> host could already have an HTTP server, for example. Or it could have >> other certs or services. >> >> So the question is, is it adequate to require the removal or should we >> go through the trouble to see if there are any conflicting services? We >> don't have a TGT when preparing a replica so this would mean a bit of >> manual LDAP work which could very well be a pain source in the future. > > Uhmm why should we care at replica preparation time ? > All the kerberos keys are created at install time, is it for certs ? 
> In that case I would suggest we defer creation of certs to install time > so it becomes non-issue. > At install time we detect if certs/keys are already available (and > functional) and we just reuse them if so. > > What am I missing ? > > Simo. > The problem isn't at prepare time, it is at install time. In order to generate the certs on the fly we would have to prompt for a user with permissions to issue certs along with the DM password when installing. You already got grumpy when we started asking for a user when doing the conn-check. rob From simo at redhat.com Thu Jun 7 13:20:52 2012 
From: simo at redhat.com (Simo Sorce) Date: Thu, 07 Jun 2012 09:20:52 -0400 Subject: [Freeipa-devel] Allowing existing IPA hosts to be used for installing a replica In-Reply-To: <4FD0A9A7.5090901@redhat.com> References: <4FD01B36.2040308@redhat.com> <1339073850.8230.407.camel@willson.li.ssimo.org> <4FD0A9A7.5090901@redhat.com> Message-ID: <1339075252.8230.410.camel@willson.li.ssimo.org> On Thu, 2012-06-07 at 09:16 -0400, Rob Crittenden wrote: > Simo Sorce wrote: > > On Wed, 2012-06-06 at 23:08 -0400, Rob Crittenden wrote: > >> Scott Poore wrote: > >>> Running this by the mailing list to see if I should open an RFE. > >>> > >>> Should we have the ability to install replicas where the host entries already exist in IPA? > >>> > >>> So, we could in theory do a host-add before running ipa-replica-install on the soon to be replica. There may be some useful cases for supporting this. Could be useful in a location that starts growing for "promoting" a client to a Replica for use in that location. Maybe as an override flag to the ipa-replica-install command? > >>> > >>> Thoughts? > >> > >> I asked Scott to pose this to the list. I'm a little uneasy about it but > >> perhaps I'm just paranoid. > >> > >> This isn't proposing that an enrolled client be able to become a > >> replica, but right now if a host entry exists for a target replica > >> server we require it be removed before proceeding. > >> > >> The reason being we don't know what else is associated with that host > >> (well, we do, but it sure seems like a lot of work to fetch it all). The > >> host could already have an HTTP server, for example. Or it could have > >> other certs or services. > >> > >> So the question is, is it adequate to require the removal or should we > >> go through the trouble to see if there are any conflicting services? We > >> don't have a TGT when preparing a replica so this would mean a bit of > >> manual LDAP work which could very well be a pain source in the future. 
> > > > Uhmm why should we care at replica preparation time ? > > All the kerberos keys are created at install time, is it for certs ? > > In that case I would suggest we defer creation of certs to install time > > so it becomes non-issue. > > At install time we detect if certs/keys are already available (and > > functional) and we just reuse them if so. > > > > What am I missing ? > > > > Simo. > > > > The problem isn't at prepare time, it is at install time. > > In order to generate the certs on the fly we would have to prompt for a > user with permissions to issue certs along with the DM password when > installing. You already got grumpy when we started asking for a user > when doing the conn-check. I understand that; maybe we should just defer it. As I said earlier, I would like us to go and use only the admin user at install time, and the admin user would have those privileges. Simo. -- Simo Sorce * Red Hat, Inc * New York From pspacek at redhat.com Thu Jun 7 13:33:18 2012 From: pspacek at redhat.com (Petr Spacek) Date: Thu, 07 Jun 2012 15:33:18 +0200 Subject: [Freeipa-devel] [PATCH 0022] fix crash during zone unload when NS is not resolvable Message-ID: <4FD0AD9E.3080907@redhat.com> Hello, this patch fixes https://fedorahosted.org/bind-dyndb-ldap/ticket/77: bind-dyndb-ldap crashes during zone unload when NS is not resolvable. During the investigation I found two other suspicious places. This patch only adds comments near them. Any changes (as necessary) will be in a separate patch. Petr^2 Spacek -------------- next part -------------- A non-text attachment was scrubbed... Name: bind-dyndb-ldap-pspacek-0022-Fix-crash-during-zone-unload-when-NS-is-not-resolvab.patch Type: text/x-patch Size: 2025 bytes Desc: not available URL: From pspacek at redhat.com Thu Jun 7 13:51:57 2012 
From: pspacek at redhat.com (Petr Spacek) Date: Thu, 07 Jun 2012 15:51:57 +0200 Subject: [Freeipa-devel] [PATCH] 262-265 Enable psearch by default In-Reply-To: <1338881554.28796.23.camel@balmora.brq.redhat.com> References: <1337950210.5899.25.camel@balmora.brq.redhat.com> <4FBF882D.9000909@redhat.com> <1337958871.5899.32.camel@balmora.brq.redhat.com> <1338540393.27740.17.camel@balmora.brq.redhat.com> <4FCD81D8.9000609@redhat.com> <1338881554.28796.23.camel@balmora.brq.redhat.com> Message-ID: <4FD0B1FD.4030605@redhat.com> On 06/05/2012 09:32 AM, Martin Kosek wrote: > Thanks for digging out the traceback, I already reported this error to > bind-dyndb-ldap: > https://bugzilla.redhat.com/show_bug.cgi?id=827401 > > Petr, what's the status of this bug? I guess we cannot push this set of > patches to enable the psearch by default until this is fixed. Otherwise > bind-dyndb-ldap would crash _every_ DNS unit test case. > > Updated set of patches attached. > > Martin Patch is on the list. I'm on PTO from tomorrow, please ask Adam to build a new package for Fedora as necessary. Petr^2 Spacek From mkosek at redhat.com Thu Jun 7 14:03:46 2012 
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 07 Jun 2012 16:03:46 +0200 Subject: [Freeipa-devel] [PATCH 0022] fix crash during zone unload when NS is not resolvable In-Reply-To: <4FD0AD9E.3080907@redhat.com> References: <4FD0AD9E.3080907@redhat.com> Message-ID: <1339077826.24163.6.camel@balmora.brq.redhat.com> On Thu, 2012-06-07 at 15:33 +0200, Petr Spacek wrote: > Hello, > > this patch fixes https://fedorahosted.org/bind-dyndb-ldap/ticket/77: > bind-dyndb-ldap crashes during zone unload when NS is not resolvable. > > During the investigation I found two other suspicious places. This patch only > adds comments near them. Any changes (as necessary) will be in a separate patch. > > Petr^2 Spacek Thanks, Petr, for the investigation and quick fix! Adam, if this passes your review, I think it would be great to have an F17 build at least in koji so that we can switch psearch on by default so that other developers start testing it (with the new bind-dyndb-ldap build so that their unit tests do not crash named). Thanks, Martin From atkac at redhat.com Thu Jun 7 15:29:32 2012 From: atkac at redhat.com (Adam Tkac) Date: Thu, 7 Jun 2012 17:29:32 +0200 Subject: [Freeipa-devel] [PATCH] 0021 Fix crash on reload with persistent search enabled In-Reply-To: <4FD0A2C0.4040503@redhat.com> References: <4FD0A2C0.4040503@redhat.com> Message-ID: <20120607152931.GA21686@redhat.com> On Thu, Jun 07, 2012 at 02:46:56PM +0200, Petr Spacek wrote: > Hello, > > this patch fixes https://fedorahosted.org/bind-dyndb-ldap/ticket/78: > Crash on reload with persistent search enabled. Thanks, pushed to master. > From ea1119e533a5171586ef8a3bddf66138ccb88b7e Mon Sep 17 00:00:00 2001 > From: Petr Spacek > Date: Thu, 7 Jun 2012 14:42:40 +0200 > Subject: [PATCH] Fix crash during BIND reload with persistent search enabled. > https://fedorahosted.org/bind-dyndb-ldap/ticket/78 > Signed-off-by: Petr Spacek > > --- > src/ldap_helper.c | 2 +- > 1 files changed, 1 insertions(+), 1 deletions(-) 
> > diff --git a/src/ldap_helper.c b/src/ldap_helper.c > index 5965d30e51fa50fcb4b38d35e023a529fd6a121f..dc4fdf5e9f6c8661337fe0cffb1437bc16515075 100644 > --- a/src/ldap_helper.c > +++ b/src/ldap_helper.c > @@ -3078,7 +3078,7 @@ static isc_threadresult_t > ldap_psearch_watcher(isc_threadarg_t arg) > { > ldap_instance_t *inst = (ldap_instance_t *)arg; > - ldap_connection_t *conn; > + ldap_connection_t *conn = NULL; > struct timeval tv; > int ret, cnt; > isc_result_t result; > -- > 1.7.7.6 > -- Adam Tkac, Red Hat, Inc. From atkac at redhat.com Thu Jun 7 15:31:38 2012 From: atkac at redhat.com (Adam Tkac) Date: Thu, 7 Jun 2012 17:31:38 +0200 Subject: [Freeipa-devel] [PATCH 0022] fix crash during zone unload when NS is not resolvable In-Reply-To: <4FD0AD9E.3080907@redhat.com> References: <4FD0AD9E.3080907@redhat.com> Message-ID: <20120607153137.GB21686@redhat.com> On Thu, Jun 07, 2012 at 03:33:18PM +0200, Petr Spacek wrote: > Hello, > > this patch fixes https://fedorahosted.org/bind-dyndb-ldap/ticket/77: > bind-dyndb-ldap crashes during zone unload when NS is not > resolvable. > > During the investigation I found two other suspicious places. This patch > only adds comments near them. Any changes (as necessary) will be > in a separate patch. Thanks, pushed to master. > From 970984bc84556ac1355de9f67eb4de20c823f4ce Mon Sep 17 00:00:00 2001 > From: Petr Spacek > Date: Thu, 7 Jun 2012 15:27:27 +0200 > Subject: [PATCH] Fix crash during zone unload when NS is not resolvable. > https://fedorahosted.org/bind-dyndb-ldap/ticket/77 > Signed-off-by: Petr Spacek > > --- > src/ldap_helper.c | 11 +++++++++-- > 1 files changed, 9 insertions(+), 2 deletions(-) > > diff --git a/src/ldap_helper.c b/src/ldap_helper.c > index 5965d30e51fa50fcb4b38d35e023a529fd6a121f..a1ef9a27e5d1b031a53e779d58b7490bd3d41d05 100644 > --- a/src/ldap_helper.c > +++ b/src/ldap_helper.c > @@ -30,6 +30,7 @@ > #include > #include > #include > +#include > #include > #include > #include 
> @@ -788,7 +789,12 @@ ldap_delete_zone2(ldap_instance_t *inst, dns_name_t *name, isc_boolean_t lock) > freeze = ISC_TRUE; > } > > - dns_zone_unload(zone); > + /* Do not unload partially loaded zones, they have incomplete structures. */ > + dns_db_t *dbp = NULL; > + if (dns_zone_getdb(zone,&dbp) != DNS_R_NOTLOADED) { > + dns_db_detach(&dbp); /* dns_zone_getdb() attaches DB implicitly */ > + dns_zone_unload(zone); > + } > CHECK(dns_zt_unmount(inst->view->zonetable, zone)); > CHECK(zr_del_zone(inst->zone_register, name)); > dns_zonemgr_releasezone(inst->zmgr, zone); > @@ -1013,7 +1019,7 @@ ldap_parse_zoneentry(ldap_entry_t *entry, ldap_instance_t *inst) > > /* Check if we are already serving given zone */ > result = zr_get_zone_ptr(inst->zone_register, &name, &zone); > - if (result != ISC_R_SUCCESS) { > + if (result != ISC_R_SUCCESS) { /* TODO: What about other errors? */ > CHECK(create_zone(inst, &name, &zone)); > CHECK(zr_add_zone(inst->zone_register, zone, dn)); > publish = ISC_TRUE; > @@ -2760,6 +2766,7 @@ update_action(isc_task_t *task, isc_event_t *event) > mctx = pevent->mctx; > > result = manager_get_ldap_instance(pevent->dbname, &inst); > + /* TODO: Can it happen? */ > if (result != ISC_R_SUCCESS) > goto cleanup; > > -- > 1.7.7.6 > -- Adam Tkac, Red Hat, Inc. From rcritten at redhat.com Thu Jun 7 15:44:05 2012 
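Review bot: in the ldap_delete_zone2 hunk, `if (dns_zone_getdb(zone,&dbp) != DNS_R_NOTLOADED)` treats every result other than DNS_R_NOTLOADED as "a DB was attached" and then calls dns_db_detach(&dbp); that holds for the current dns_zone_getdb, which only returns ISC_R_SUCCESS or DNS_R_NOTLOADED, but testing `== ISC_R_SUCCESS` states the intent directly and will not detach a NULL dbp if another error code is ever added. The `dns_db_t *dbp = NULL;` declaration in the middle of the block is C99-only; move it to the top of the function if the project still builds with stricter flags. Of the two new TODO comments, the one in ldap_parse_zoneentry (`What about other errors?`) is a real question rather than a marker: any zr_get_zone_ptr result other than ISC_R_SUCCESS, not only "not found", currently leads to create_zone and zr_add_zone being called, which for an already-registered zone is exactly the situation this patch is guarding against in the unload path.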
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 07 Jun 2012 11:44:05 -0400 Subject: [Freeipa-devel] [PATCH] 1023 tool for configuring automount In-Reply-To: <4FCE61FD.80801@redhat.com> References: <4FCE61FD.80801@redhat.com> Message-ID: <4FD0CC45.6080803@redhat.com> Rob Crittenden wrote: > Here is a tool that can be used to configure automount in an IPA client. > It can use either SSSD or autofs for automount. It also configures NFSv4 > on the client so secure maps will work. rebased patch -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-1023-2-automount.patch Type: text/x-diff Size: 24003 bytes Desc: not available URL: From atkac at redhat.com Thu Jun 7 15:51:08 2012 
From: atkac at redhat.com (Adam Tkac) Date: Thu, 7 Jun 2012 17:51:08 +0200 Subject: [Freeipa-devel] [PATCH 0022] fix crash during zone unload when NS is not resolvable In-Reply-To: <1339077826.24163.6.camel@balmora.brq.redhat.com> References: <4FD0AD9E.3080907@redhat.com> <1339077826.24163.6.camel@balmora.brq.redhat.com> Message-ID: <20120607155107.GA23825@redhat.com> On Thu, Jun 07, 2012 at 04:03:46PM +0200, Martin Kosek wrote: > On Thu, 2012-06-07 at 15:33 +0200, Petr Spacek wrote: > > Hello, > > > > this patch fixes https://fedorahosted.org/bind-dyndb-ldap/ticket/77: > > bind-dyndb-ldap crashes during zone unload when NS is not resolvable. > > > > During investigation I found other two suspicious places. This patch adds only > > comment near to them. Any changes (as necessary) will be in separate patch. > > > > Petr^2 Spacek > > Thanks Petr for investigation and quick fix! > > Adam, if this pass your review, I think it would be great to have an F17 > build at least in koji so that we can switch psearch on by default so > that other developers start testing it (with the new bind-dyndb-ldap > build so that their unit tests do not crash named). The patch was ok and update has been submitted to bodhi. It should be in updates-testing very soon. Regards, Adam -- Adam Tkac, Red Hat, Inc. From rcritten at redhat.com Thu Jun 7 17:52:43 2012 
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 07 Jun 2012 13:52:43 -0400 Subject: [Freeipa-devel] [PATCH] 1024 add client session support Message-ID: <4FD0EA6B.3040801@redhat.com> This adds client session support. The session key is stored in the kernel key ring. Your first request should go to /ipa/session/xml where it should be rejected with a 401. The next will go to /ipa/xml which will be accepted. This should all be invisible to the client. Subsequent requests should go to /ipa/session/xml which should let you in with the cookie. You can add the -vv option after ipa to see fully what is going on, e.g. ipa -vv user-show admin To manage your keyring use the keyctl command like: $ keyctl list @s 2 keys in keyring: 353548226: --alswrv 1000 -1 keyring: _uid.1000 941350591: --alswrv 1000 1000 user: ipa_session_cookie To remove a key: $ keyctl unlink 941350591 @s rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-1024-session.patch Type: text/x-diff Size: 27467 bytes Desc: not available URL: From rcritten at redhat.com Thu Jun 7 18:58:37 2012 
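An added example for the keyring handling described in the message above; it is not code from the patch. It parses the `keyctl list @s` listing quoted there to locate the ipa_session_cookie key and wraps the keyctl calls for storing, reading and unlinking it. The sample listing is constructed from the message, and the subprocess helpers shell out to the real keyctl binary, so only the parsing runs offline.

```python
"""Manage the ipa_session_cookie key in the kernel session keyring."""
import re
import subprocess
from typing import List, NamedTuple, Optional

KEY_DESC = "ipa_session_cookie"   # key description used in the message above
SESSION_KEYRING = "@s"            # keyctl alias for the session keyring

# Constructed from the `keyctl list @s` output quoted in the message.
SAMPLE_LIST_OUTPUT = """\
2 keys in keyring:
353548226: --alswrv  1000    -1 keyring: _uid.1000
941350591: --alswrv  1000  1000 user: ipa_session_cookie
"""


class KeyEntry(NamedTuple):
    key_id: int
    perms: str          # possessor/user/group/other permission string
    uid: int
    gid: int            # -1 when the key has no group (e.g. the _uid keyring)
    key_type: str       # "keyring", "user", ...
    description: str


# id: perms uid gid type: description
_LIST_RE = re.compile(
    r"^\s*(\d+):\s+(\S+)\s+(-?\d+)\s+(-?\d+)\s+(\w+):\s+(.*?)\s*$")


def parse_keyctl_list(output: str) -> List[KeyEntry]:
    """Parse `keyctl list <keyring>` output into KeyEntry records.

    The "N keys in keyring:" header and "keyring is empty" do not match
    the pattern and are skipped.
    """
    entries = []
    for line in output.splitlines():
        match = _LIST_RE.match(line)
        if match:
            key_id, perms, uid, gid, key_type, desc = match.groups()
            entries.append(KeyEntry(int(key_id), perms, int(uid), int(gid),
                                    key_type, desc))
    return entries


def find_session_cookie(entries: List[KeyEntry],
                        description: str = KEY_DESC) -> Optional[KeyEntry]:
    """Return the 'user' key holding the session cookie, or None."""
    for entry in entries:
        if entry.key_type == "user" and entry.description == description:
            return entry
    return None


def _keyctl(*args: str, stdin: Optional[str] = None) -> str:
    result = subprocess.run(["keyctl", *args], input=stdin, check=True,
                            capture_output=True, text=True)
    return result.stdout


def store_cookie(cookie: str, description: str = KEY_DESC) -> int:
    """Store the cookie in @s and return the new key id.

    `keyctl padd` reads the payload from stdin; `keyctl add` would put the
    cookie on the command line, where any local user can read it from
    /proc/<pid>/cmdline while keyctl runs.
    """
    return int(_keyctl("padd", "user", description, SESSION_KEYRING,
                       stdin=cookie).strip())


def read_cookie(description: str = KEY_DESC) -> Optional[str]:
    """Return the stored cookie payload, or None if no such key exists."""
    entry = find_session_cookie(
        parse_keyctl_list(_keyctl("list", SESSION_KEYRING)), description)
    if entry is None:
        return None
    return _keyctl("pipe", str(entry.key_id))   # raw payload, no hex escaping


def unlink_cookie(description: str = KEY_DESC) -> bool:
    """Unlink the cookie key from @s; True if a key was removed."""
    entry = find_session_cookie(
        parse_keyctl_list(_keyctl("list", SESSION_KEYRING)), description)
    if entry is None:
        return False
    _keyctl("unlink", str(entry.key_id), SESSION_KEYRING)
    return True
```

The `padd` versus `add` distinction is the one operational point worth keeping in mind: the cookie is a bearer credential for the session, so it should never appear in a process argument list.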
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 07 Jun 2012 14:58:37 -0400 Subject: [Freeipa-devel] [PATCH] 1024 add client session support In-Reply-To: <4FD0EA6B.3040801@redhat.com> References: <4FD0EA6B.3040801@redhat.com> Message-ID: <4FD0F9DD.6040504@redhat.com> Rob Crittenden wrote: > This adds client session support. The session key is stored in the > kernel key ring. > > Your first request should go to /ipa/session/xml where it should be > rejected with a 401. The next will go to /ipa/xml which will be > accepted. This should all be invisible to the client. > > Subsequent requests should go to /ipa/session/xml which should let you > in with the cookie. > > You can add the -vv option after ipa to see fully what is going on, e.g. > ipa -vv user-show admin > > To manage your keyring use the keyctl command like: > > $ keyctl list @s > 2 keys in keyring: > 353548226: --alswrv 1000 -1 keyring: _uid.1000 > 941350591: --alswrv 1000 1000 user: ipa_session_cookie > > To remove a key: > > $ keyctl unlink 941350591 @s > > rob Hmm, this doesn't play too nice with the lite-server. Let me see if I can track it down. The ccache is being removed, probably as part of the session code. Sessions don't make sense with the lite server since it uses the local ccache directly. rob From rcritten at redhat.com Thu Jun 7 19:14:51 2012 
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 07 Jun 2012 15:14:51 -0400 Subject: [Freeipa-devel] [PATCH] 0058 Prevent deletion of the last admin In-Reply-To: <4FCF526C.3070607@redhat.com> References: <4FCDE1EF.40704@redhat.com> <4FCE7D6A.6090209@redhat.com> <4FCF526C.3070607@redhat.com> Message-ID: <4FD0FDAB.5050508@redhat.com> Petr Viktorin wrote: > On 06/05/2012 11:43 PM, Rob Crittenden wrote: >> Petr Viktorin wrote: >>> Raise an error when trying to delete the last user from the 'admins' >>> group >>> >>> The 'admin' group name seems like something that shouldn't be hardcoded, >>> but that's how it's done in the webui and some of our ACIs, and I don't >>> see another solution short of adding a new attribute. >>> >>> >>> https://fedorahosted.org/freeipa/ticket/2564 >>> >> >> This looks ok, I think it should go further and prevent the last member >> to be removed from the admins group too. >> >> rob > > This updated patch prevents that, plus removing the admins group itself. > > ACK, pushed to master. rob From rcritten at redhat.com Thu Jun 7 19:29:43 2012 
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 07 Jun 2012 15:29:43 -0400 Subject: [Freeipa-devel] [PATCH] 492 Add options to reduce writes from KDC In-Reply-To: <1338898571.8230.252.camel@willson.li.ssimo.org> References: <1337985380.16840.643.camel@willson.li.ssimo.org> <4FCD762A.4020809@redhat.com> <1338898571.8230.252.camel@willson.li.ssimo.org> Message-ID: <4FD10127.5000603@redhat.com> Simo Sorce wrote: > On Mon, 2012-06-04 at 22:59 -0400, Rob Crittenden wrote: >> Simo Sorce wrote: >>> The original ldap driver we used up to 2.2 had 2 options admins could >>> set to limit the amount of writes to the database on certain auditing >>> related operations. >>> In particular disable_last_success is really important to reduce the >>> load on database servers. >>> >>> I have implemented ticket #2734 with a little twist. Instead of adding >>> local options in krb5.conf I create global options in the LDAP tree, so >>> that all KDCs in the domain have the same configuration. >>> >>> The 2 new options can be set in ipaConfigString attribute of the >>> cn=ipaConfig object under cn=etc,$SUFFIX >>> >>> These are: >>> KDC:Disable Last Success >>> KDC:Disable Lockout >>> >>> The first string if set will disable updating the krbLastSuccessfulAuth >>> field in the service/user entry. >>> The second one will prevent changing any of the Lockout related fields >>> and will effectively disable lockout policies. >>> >>> I think we may want to set the first one by default in future. >>> The last successful auth field is not very interesting in general and is >>> cause for a lot of writes that pressure a lot the LDAP server and get >>> replicated everywhere with a storm multiplier effect we'd like to avoid. >>> >>> The lockout one instead happen only when there are failed authentication >>> attempt, this means it never happens when keytabs are used for example. 
>>> And even with users it should happen rarely enough that tracking lockouts >>> by default makes leaving these writes on by default a good tradeoff. >>> >>> Note that simply setting the lockout policy to never lockout is *not* >>> equivalent to setting KDC:Disable Lockout, as it does not prevent writes >>> to the database. >>> >>> I've tested setting KDC:Disable Last Success and it effectively prevents >>> MOD operations from showing up in the server access log. >>> >>> Any change to these configuration options requires a reconnection from >>> the KDC to the LDAP server, the simplest way to cause that is to restart >>> the KDC service. >>> >>> Simo. >> >> In ipadb_get_global_configs() should there be a call to LOG_OOM()? >> >> Also, if ipadb_simple_search() or ipadb_get_global_configs() fails >> should we log the result code when non-zero? > > Well this code runs in the KDC, not in DIRSRV so LOG_OOM() wouldn't > work. > Perhaps we should add KDC_LOG() macros, but that would be a separate > task imo. > > Simo. > Ah, right, sorry about that. I opened a separate ticket to improve logging in the ipa-kdb module. ACK, pushed to master and ipa-2-2. rob From rcritten at redhat.com Thu Jun 7 19:31:25 2012 
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 07 Jun 2012 15:31:25 -0400 Subject: [Freeipa-devel] [PATCH] 492 Add options to reduce writes from KDC In-Reply-To: <4FCF39ED.3090403@redhat.com> References: <1337985380.16840.643.camel@willson.li.ssimo.org> <4FCF39ED.3090403@redhat.com> Message-ID: <4FD1018D.1010401@redhat.com> Petr Vobornik wrote: > On 05/26/2012 12:36 AM, Simo Sorce wrote: >> The original ldap driver we used up to 2.2 had 2 options admins could >> set to limit the amount of writes to the database on certain auditing >> related operations. >> In particular disable_last_success is really important to reduce the >> load on database servers. >> >> I have implemented ticket #2734 with a little twist. Instead of adding >> local options in krb5.conf I create global options in the LDAP tree, so >> that all KDCs in the domain have the same configuration. >> >> The 2 new options can be set in ipaConfigString attribute of the >> cn=ipaConfig object under cn=etc,$SUFFIX >> >> These are: >> KDC:Disable Last Success >> KDC:Disable Lockout >> > > 8><------------------------------ > >> >> Simo. >> > > Attaching patch which adds these two new configuration values to Web UI. ACK, pushed to master. rob From dpal at redhat.com Thu Jun 7 19:40:57 2012 
From: dpal at redhat.com (Dmitri Pal) Date: Thu, 07 Jun 2012 15:40:57 -0400 Subject: [Freeipa-devel] Allowing existing IPA hosts to be used for installing a replica In-Reply-To: <1339075252.8230.410.camel@willson.li.ssimo.org> References: <4FD01B36.2040308@redhat.com> <1339073850.8230.407.camel@willson.li.ssimo.org> <4FD0A9A7.5090901@redhat.com> <1339075252.8230.410.camel@willson.li.ssimo.org> Message-ID: <4FD103C9.4000907@redhat.com> On 06/07/2012 09:20 AM, Simo Sorce wrote: > On Thu, 2012-06-07 at 09:16 -0400, Rob Crittenden wrote: >> Simo Sorce wrote: >>> On Wed, 2012-06-06 at 23:08 -0400, Rob Crittenden wrote: >>>> Scott Poore wrote: >>>>> Running this by the mailing list to see if I should open an RFE. >>>>> >>>>> Should we have the ability to install replicas where the host entries already exist in IPA? >>>>> >>>>> So, we could in theory do a host-add before running ipa-replica-install on the soon to be replica. There may be some useful cases for supporting this. Could be useful in a location that starts growing for "promoting" a client to a Replica for use in that location. Maybe as an override flag to the ipa-replica-install command? >>>>> >>>>> Thoughts? >>>> I asked Scott to pose this to the list. I'm a little uneasy about it but >>>> perhaps I'm just paranoid. >>>> >>>> This isn't proposing that an enrolled client be able to become a >>>> replica, but right now if a host entry exists for a target replica >>>> server we require it be removed before proceeding. >>>> >>>> The reason being we don't know what else is associated with that host >>>> (well, we do, but it sure seems like a lot of work to fetch it all). The >>>> host could already have an HTTP server, for example. Or it could have >>>> other certs or services. >>>> >>>> So the question is, is it adequate to require the removal or should we >>>> go through the trouble to see if there are any conflicting services? 
We >>>> don't have a TGT when preparing a replica so this would mean a bit of >>>> manual LDAP work which could very well be a pain source in the future. >>> Uhmm why should we care at replica preparation time ? >>> All the kerberos keys are created at install time, is it for certs ? >>> In that case I would suggest we defer creation of certs to install time >>> so it becomes non-issue. >>> At install time we detect if certs/keys are already available (and >>> functional) and we just reuse them if so. >>> >>> What am I missing ? >>> >>> Simo. >>> >> The problem isn't at prepare time, it is at install time. >> >> In order to generate the certs on the fly we would have to prompt for a >> user with permissions to issue certs along with the DM password when >> installing. You already got grumpy when we started asking for a user >> when doing the conn-check. > I understand that, maybe we should just defer it, as I said earlier I > would like us to go and use only the admin user at install time, and the > admin user would have those privileges. > > Simo. > IMO when you do replica prepare it should do an extra lookup to see if the host already exists and has been enrolled, i.e. keys or cert have been provisioned. If it finds the host record it should bail out with a warning. An override option like --force can be introduced to clean the system. I assume that replica prepare would also create a host entry for the replica but not update it until replica is provisioned. Then when we install replica it should take over the system. It still leaves room for the user to shoot himself in the foot by creating a replica package but then installing a client. I do not know if we can prevent this join operation on the server or not. If the fact that replica package was created is recorded in LDAP then we probably can. -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? 
www.redhat.com/carveoutcosts/ From rcritten at redhat.com Thu Jun 7 21:26:45 2012 
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 07 Jun 2012 17:26:45 -0400 Subject: [Freeipa-devel] Allowing existing IPA hosts to be used for installing a replica In-Reply-To: <4FD103C9.4000907@redhat.com> References: <4FD01B36.2040308@redhat.com> <1339073850.8230.407.camel@willson.li.ssimo.org> <4FD0A9A7.5090901@redhat.com> <1339075252.8230.410.camel@willson.li.ssimo.org> <4FD103C9.4000907@redhat.com> Message-ID: <4FD11C95.5070205@redhat.com> Dmitri Pal wrote: > On 06/07/2012 09:20 AM, Simo Sorce wrote: >> On Thu, 2012-06-07 at 09:16 -0400, Rob Crittenden wrote: >>> Simo Sorce wrote: >>>> On Wed, 2012-06-06 at 23:08 -0400, Rob Crittenden wrote: >>>>> Scott Poore wrote: >>>>>> Running this by the mailing list to see if I should open an RFE. >>>>>> >>>>>> Should we have the ability to install replicas where the host entries already exist in IPA? >>>>>> >>>>>> So, we could in theory do a host-add before running ipa-replica-install on the soon to be replica. There may be some useful cases for supporting this. Could be useful in a location that starts growing for "promoting" a client to a Replica for use in that location. Maybe as an override flag to the ipa-replica-install command? >>>>>> >>>>>> Thoughts? >>>>> I asked Scott to pose this to the list. I'm a little uneasy about it but >>>>> perhaps I'm just paranoid. >>>>> >>>>> This isn't proposing that an enrolled client be able to become a >>>>> replica, but right now if a host entry exists for a target replica >>>>> server we require it be removed before proceeding. >>>>> >>>>> The reason being we don't know what else is associated with that host >>>>> (well, we do, but it sure seems like a lot of work to fetch it all). The >>>>> host could already have an HTTP server, for example. Or it could have >>>>> other certs or services. >>>>> >>>>> So the question is, is it adequate to require the removal or should we >>>>> go through the trouble to see if there are any conflicting services? 
We >>>>> don't have a TGT when preparing a replica so this would mean a bit of >>>>> manual LDAP work which could very well be a pain source in the future. >>>> Uhmm why should we care at replica preparation time ? >>>> All the kerberos keys are created at install time, is it for certs ? >>>> In that case I would suggest we defer creation of certs to install time >>>> so it becomes non-issue. >>>> At install time we detect if certs/keys are already available (and >>>> functional) and we just reuse them if so. >>>> >>>> What am I missing ? >>>> >>>> Simo. >>>> >>> The problem isn't at prepare time, it is at install time. >>> >>> In order to generate the certs on the fly we would have to prompt for a >>> user with permissions to issue certs along with the DM password when >>> installing. You already got grumpy when we started asking for a user >>> when doing the conn-check. >> I understand that, maybe we should just defer it, as I said earlier I >> would like us to go and use only the admin user at install time, and the >> admin user would have those privileges. >> >> Simo. >> > IMO when you do replica prepare it should do an extra lookup to see if > the host already exists and has been enrolled, i.e. keys or cert have been > provisioned. If it finds the host record it should bail out with a > warning. An override option like --force can be introduced to clean the > system. I assume that replica prepare would also create a host entry for > the replica but not update it until replica is provisioned. > Then when we install replica it should take over the system. It still > leaves room for the user to shoot himself in the foot by creating a > replica package but then installing a client. I do not know if we can > prevent this join operation on the server or not. If the fact that > replica package was created is recorded in LDAP then we probably can. > It is just as easy to catch this at install time, which we do now, and provide the user with the info they need to proceed. 
Eventually we are going to do this entirely on-line so there will be no prepare step. It may be nice to take an enrolled client and promote it into being a replica too. I was just wondering if I was being overly paranoid in requiring that a host be removed from IPA (therefore removing any existing certs and services it may have) before allowing it to become a replica. rob From rcritten at redhat.com Fri Jun 8 02:25:08 2012 
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 07 Jun 2012 22:25:08 -0400 Subject: [Freeipa-devel] [PATCH] 0057 Only allow root to run update plugins In-Reply-To: <4FCF239D.6050102@redhat.com> References: <4FCCD29A.90805@redhat.com> <1338825071.8230.217.camel@willson.li.ssimo.org> <1338883597.28796.31.camel@balmora.brq.redhat.com> <4FCDC8FC.6040406@redhat.com> <4FCE02F7.5070103@redhat.com> <4FCE148C.8030700@redhat.com> <4FCE151C.90603@redhat.com> <4FCE39A0.2000706@redhat.com> <4FCF239D.6050102@redhat.com> Message-ID: <4FD16284.3020201@redhat.com> Petr Viktorin wrote: > On 06/05/2012 06:53 PM, Petr Viktorin wrote: >> On 06/05/2012 04:18 PM, Rob Crittenden wrote: >>> Petr Viktorin wrote: >>>> On 06/05/2012 03:00 PM, Rob Crittenden wrote: >>>>> Petr Viktorin wrote: >>>>>> On 06/05/2012 10:06 AM, Martin Kosek wrote: >>>>>>> On Mon, 2012-06-04 at 11:51 -0400, Simo Sorce wrote: >>>>>>>> On Mon, 2012-06-04 at 17:22 +0200, Petr Viktorin wrote: >>>>>>>>> An update plugin needed root privileges, and aborted the update >>>>>>>>> if an >>>>>>>>> ordinary user ran it. >>>>>>>>> With this patch the plugin is skipped with a warning in that case. >>>>>>>>> >>>>>>>>> https://fedorahosted.org/freeipa/ticket/2621 >>>>>>>> >>>>>>>> Hi Petr, >>>>>>>> I am not sure I like the proposed solution. >>>>>>>> >>>>>>>> If there is a legitimate reason to run this plugin as non-root (eg >>>>>>>> admin >>>>>>>> user) then you should change the connection part to try to use >>>>>>>> GSSAPI >>>>>>>> auth over ldap when non-root, not just throw a warning. >>>>>>>> >>>>>>>> If there is no reason for anyone but root to run this script >>>>>>>> then we >>>>>>>> should just abort if not root IMO. >>>>>>>> >>>>>>>> Simo. >>>>>>>> >>>>>>> >>>>>>> I would keep this script runnable for root users only. Regularly, >>>>>>> this >>>>>>> should not be run manually but as a part of RPM update which is >>>>>>> done by >>>>>>> root. 
It is being run manually only when something is broken anyway >>>>>>> and >>>>>>> I am not convinced that non-root users should be involved in such >>>>>>> recovery. >>>>>>> >>>>>>> Martin >>>>>>> >>>>>> >>>>>> Thanks for the advice. The attached patch only allows root to run >>>>>> ipa-ldap-updater. >>>>> >>>>> NACK. It is very handy for developers to be able to run >>>>> ipa-ldap-updater >>>>> to test update files. >>>>> >>>>> rob >>>> >>>> Developers can run it as root, I don't see a problem here. >>> >>> I'd really rather not. This does nothing requiring root permissions, >>> it's all done over LDAP. I'd rather trade not running some plugins than >>> always requiring root. >>> >>> rob >>> >> >> Thanks for info on how the tool is used. I looked into it deeper. >> The proper fix would be to use the ldap2 backend here, instead of the >> IPAdmin. That's ticket 2660, and it'll be quite a lot of work to get >> ReplicationManager and tools that depend on that ported. >> >> >> But, I think it makes sense to require root if (and only if) plugins are >> run. Justification below. Would that work for your use case? >> >> >> There are currently three modes ipa-ldap-updater can run in: >> 1) --upgrade (needs root, runs plugins) >> 2) no --upgrade, either no files specified or --plugins (doesn't need >> root, runs plugins) >> 3) no --upgrade, specific files specified without --plugins (doesn't >> need root, doesn't run plugins) >> >> I propose to make mode 2 require root. >> >> There are two major uses of the script: install/upgrade (first two >> modes), and a developer testing update files (third or possibly second >> mode). Install/upgrade is always run as root, and the developer usually >> doesn't need to run the plugins (if they do, they should run as root >> anyway, so that some (parts of) plugins aren't skipped). >> >> Some of the plugins ask to restart the DS. Without root privileges, the >> restart (but not the rest of the plugin) is skipped. 
I think this is >> just asking for trouble. >> Some plugins (or parts of plugins) don't need root, but I don't think >> singling these out and testing both cases is worth the effort. >> >> > > The attached patch implements the above. I re-ordered the code a > bit to put the checks before the DM password prompt, so you don't enter > the password only to find out you had to use sudo or different options. I'll try to live with not being able to run plugins as non-root. If it turns out to be very painful to develop w/o it I'll open a new ticket. ACK, pushed to master. rob From rcritten at redhat.com Fri Jun 8 02:28:15 2012 
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 07 Jun 2012 22:28:15 -0400 Subject: [Freeipa-devel] [PATCH] 274 Password change capability for form-based auth In-Reply-To: <1338987954.9625.19.camel@balmora.brq.redhat.com> References: <1338987954.9625.19.camel@balmora.brq.redhat.com> Message-ID: <4FD1633F.4090601@redhat.com> Martin Kosek wrote: > You can use the attached script (changepw.py) to test the PW change > interface from command line (on IPA server). > > --- > > IPA server web form-based authentication allows logins for users > which for some reason cannot use Kerberos authentication. However, > when a password for such users expires, they are unable to change the > password via web interface. > > This patch adds a new WSGI script attached to URL > /ipa/session/change_password which can be accessed without > authentication and which provides password change capability > for web services. > > The actual password change in the script is processed with kpasswd > to be consistent with /ipa/session/login_password. > > Password result is passed both in the resulting HTML page and > in HTTP headers for easier parsing in web services: > X-IPA-Pwchange-Result: {ok, invalid-password, policy-error} > (optional) X-IPA-Pwchange-Policy-Error: $policy_error_text > > https://fedorahosted.org/freeipa/ticket/2276 It is probably more efficient to change the password using ldap. Simo, do you know of an advantage of using one over the other? Better password policy reporting may be reason enough. rob From rcritten at redhat.com Fri Jun 8 02:38:51 2012 
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 07 Jun 2012 22:38:51 -0400 Subject: [Freeipa-devel] [PATCH] 275 Do not crash in Decimal parameter conversion In-Reply-To: <1339062486.7369.3.camel@balmora.brq.redhat.com> References: <1339062486.7369.3.camel@balmora.brq.redhat.com> Message-ID: <4FD165BB.7030604@redhat.com> Martin Kosek wrote: > When invalid data is passed, an unhandled decimal exception could > be raised in Decimal number conversion. Handle the exception > more gracefully and report proper ipalib.errors.ConversionError. > > https://fedorahosted.org/freeipa/ticket/2705 I'm being pedantic but I think the Decimal special values need to be handled better. Using Infinity returns a rather odd message: $ ipa dnsrecord-add example.com Record name: foo Please choose a type of DNS resource record to be added The most common types for this type of zone are: A, AAAA DNS resource record type: LOC LOC Degrees Latitude: 90 [LOC Minutes Latitude]: 59 [LOC Seconds Latitude]: 999999999999999999999999999999999999999999999999999999999999999999999 >>> LOC Seconds Latitude: quantize result has too many digits for current context [LOC Seconds Latitude]: Infinity >>> LOC Seconds Latitude: quantize with one INF And using NaN raises an unhandled exception: [LOC Seconds Latitude]: NaN ipa: ERROR: InvalidOperation: comparison involving NaN Traceback (most recent call last): File "/home/rcrit/redhat/freeipa/ipalib/cli.py", line 1263, in run sys.exit(api.Backend.cli.run(argv)) File "/home/rcrit/redhat/freeipa/ipalib/cli.py", line 1049, in run kw = self.argv_to_keyword_arguments(cmd, argv[1:]) File "/home/rcrit/redhat/freeipa/ipalib/cli.py", line 1035, in argv_to_keyword_arguments self.prompt_interactively(cmd, kw) File "/home/rcrit/redhat/freeipa/ipalib/cli.py", line 1199, in prompt_interactively callback(kw) File "/home/rcrit/redhat/freeipa/ipalib/plugins/dns.py", line 2147, in interactive_prompt_callback user_options = param.prompt_parts(self.Backend) File 
"/home/rcrit/redhat/freeipa/ipalib/plugins/dns.py", line 768, in prompt_parts self.__get_part_param(backend, part, user_options, default) File "/home/rcrit/redhat/freeipa/ipalib/plugins/dns.py", line 747, in __get_part_param output_kw[name] = part(raw) File "/home/rcrit/redhat/freeipa/ipalib/parameters.py", line 556, in __call__ self.validate(value, supplied=self.name in kw) File "/home/rcrit/redhat/freeipa/ipalib/parameters.py", line 879, in validate self._validate_scalar(value) File "/home/rcrit/redhat/freeipa/ipalib/parameters.py", line 893, in _validate_scalar error = rule(ugettext, value) File "/home/rcrit/redhat/freeipa/ipalib/parameters.py", line 1244, in _rule_minvalue if value < self.minvalue: File "/usr/lib64/python2.7/decimal.py", line 884, in __lt__ ans = self._compare_check_nans(other, context) File "/usr/lib64/python2.7/decimal.py", line 786, in _compare_check_nans self) File "/usr/lib64/python2.7/decimal.py", line 3866, in _raise_error raise error(explanation) InvalidOperation: comparison involving NaN ipa: ERROR: an internal error has occurred Otherwise it does what it should. rob From rcritten at redhat.com Fri Jun 8 02:39:48 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 07 Jun 2012 22:39:48 -0400 Subject: [Freeipa-devel] [PATCH] 0059 Fix update plugin order In-Reply-To: <4FCF243C.8040907@redhat.com> References: <4FCF243C.8040907@redhat.com> Message-ID: <4FD165F4.2010608@redhat.com> Petr Viktorin wrote: > While messing with the ipa-ldap-updater, I found the order method was > using an algorithm that could give incorrect results. I'm submitting a > fix in an extra patch, as it's largely unrelated and shouldn't be so > controversial. Can you open a ticket on this? We like to have a ticket for every commit (minus a random one-liner here and there). thanks rob From rcritten at redhat.com Fri Jun 8 02:55:51 2012 
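An added example for Rob's NaN and Infinity observation in the Decimal conversion review above (patch 275); it is not FreeIPA's code. A naive str-to-Decimal converter lets "Infinity" reach quantize() ("quantize with one INF") and lets "NaN" reach the minvalue comparison, where the decimal module raises InvalidOperation as a bare traceback. The converter below rejects non-finite values first and turns the "too many digits" quantize failure into a reported error. ConversionError is a local stand-in for ipalib.errors.ConversionError, and the precision/minvalue/maxvalue keywords are assumed to mirror the parameter attributes.

```python
"""Reject Decimal special values before quantize() or a range check sees them."""
from decimal import Decimal, InvalidOperation
from typing import Optional


class ConversionError(ValueError):
    """Stand-in for ipalib.errors.ConversionError(name=..., error=...)."""

    def __init__(self, name: str, error: str):
        super().__init__(f"{name}: {error}")
        self.name = name
        self.error = error


def to_decimal(name: str, value, precision: Optional[int] = None,
               minvalue=None, maxvalue=None) -> Decimal:
    """Convert CLI input to a finite, optionally quantized, range-checked Decimal."""
    try:
        # Decimal() accepts "NaN", "sNaN" and "Infinity" as valid syntax;
        # only garbage such as "abc" or "" raises here.
        dec = value if isinstance(value, Decimal) else Decimal(str(value).strip())
    except InvalidOperation:
        raise ConversionError(name, f"{value!r} is not a decimal number") from None

    # NaN and +/-Infinity parse fine but are meaningless as a coordinate and
    # make the comparisons below raise InvalidOperation. Reject them first.
    if not dec.is_finite():
        raise ConversionError(name, "NaN and Infinity are not allowed")

    if precision is not None:
        try:
            # quantize() signals InvalidOperation when the result would need
            # more digits than the context precision (28 by default): the
            # "quantize result has too many digits" case from the review.
            dec = dec.quantize(Decimal(1).scaleb(-precision))
        except InvalidOperation:
            raise ConversionError(
                name, f"too many digits for {precision} decimal places") from None

    # Both operands are finite here, so < and > cannot raise.
    if minvalue is not None and dec < Decimal(str(minvalue)):
        raise ConversionError(name, f"must be at least {minvalue}")
    if maxvalue is not None and dec > Decimal(str(maxvalue)):
        raise ConversionError(name, f"can be at most {maxvalue}")
    return dec


def conversion_error(name: str, value, **kwargs) -> Optional[str]:
    """Return the error text to_decimal() reports for value, or None on success."""
    try:
        to_decimal(name, value, **kwargs)
    except ConversionError as exc:
        return exc.error
    return None
```

The order matters: is_finite() has to run before quantize() and before any comparison, because both of those signal InvalidOperation on NaN, and quantize() additionally does so on Infinity.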
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 07 Jun 2012 22:55:51 -0400 Subject: [Freeipa-devel] [PATCH] 1024 add client session support In-Reply-To: <4FD0F9DD.6040504@redhat.com> References: <4FD0EA6B.3040801@redhat.com> <4FD0F9DD.6040504@redhat.com> Message-ID: <4FD169B7.3030906@redhat.com> Rob Crittenden wrote: > Rob Crittenden wrote: >> This adds client session support. The session key is stored in the >> kernel key ring. >> >> Your first request should go to /ipa/session/xml where it should be >> rejected with a 401. The next will go to /ipa/xml which will be >> accepted. This should all be invisible to the client. >> >> Subsequent requests should go to /ipa/session/xml which should let you >> in with the cookie. >> >> You can add the -vv option after ipa to see fully what is going on, e.g. >> ipa -vv user-show admin >> >> To manage your keyring use the keyctl command like: >> >> $ keyctl list @s >> 2 keys in keyring: >> 353548226: --alswrv 1000 -1 keyring: _uid.1000 >> 941350591: --alswrv 1000 1000 user: ipa_session_cookie >> >> To remove a key: >> >> $ keyctl unlink 941350591 @s >> >> rob > > Hmm, this doesn't play too nice with the lite-server. Let me see if I > can track it down. The ccache is being removed, probably as part of the > session code. Sessions don't make sense with the lite server since it > uses the local ccache directly. Updated patch. Don't clean up the ccache if in the lite-server. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-1024-2-session.patch Type: text/x-diff Size: 27515 bytes Desc: not available URL: From simo at redhat.com Fri Jun 8 03:07:15 2012 
From: simo at redhat.com (Simo Sorce) Date: Thu, 07 Jun 2012 23:07:15 -0400 Subject: [Freeipa-devel] [PATCH] 274 Password change capability for form-based auth In-Reply-To: <4FD1633F.4090601@redhat.com> References: <1338987954.9625.19.camel@balmora.brq.redhat.com> <4FD1633F.4090601@redhat.com> Message-ID: <1339124835.8230.487.camel@willson.li.ssimo.org> On Thu, 2012-06-07 at 22:28 -0400, Rob Crittenden wrote: > Martin Kosek wrote: > > You can use the attached script (changepw.py) to test the PW change > > interface from command line (on IPA server). > > > > --- > > > > IPA server web form-based authentication allows logins for users > > which for some reason cannot use Kerberos authentication. However, > > when a password for such users expires, they are unable to change the > > password via web interface. > > > > This patch adds a new WSGI script attached to URL > > /ipa/session/change_password which can be accessed without > > authentication and which provides password change capability > > for web services. > > > > The actual password change in the script is processed with kpasswd > > to be consistent with /ipa/session/login_password. > > > > Password result is passed both in the resulting HTML page and > > in HTTP headers for easier parsing in web services: > > X-IPA-Pwchange-Result: {ok, invalid-password, policy-error} > > (optional) X-IPA-Pwchange-Policy-Error: $policy_error_text > > > > https://fedorahosted.org/freeipa/ticket/2276 > > It is probably more efficient to change the password using ldap. Simo, > do you know of an advantage of using one over the other? Better password > policy reporting may be reason enough. Yes you'll get better error reporting, plus forking out kpasswd is quite ugly, the python ldap code should be able to use the ldap passwd extended op quite easily. Simo. -- Simo Sorce * Red Hat, Inc * New York From mkosek at redhat.com Fri Jun 8 07:02:42 2012 
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 08 Jun 2012 09:02:42 +0200
Subject: [Freeipa-devel] [PATCH] 262-265 Enable psearch by default
In-Reply-To: <1338881554.28796.23.camel@balmora.brq.redhat.com>
References: <1337950210.5899.25.camel@balmora.brq.redhat.com> <4FBF882D.9000909@redhat.com> <1337958871.5899.32.camel@balmora.brq.redhat.com> <1338540393.27740.17.camel@balmora.brq.redhat.com> <4FCD81D8.9000609@redhat.com> <1338881554.28796.23.camel@balmora.brq.redhat.com>
Message-ID: <1339138962.3385.3.camel@balmora.brq.redhat.com>

On Tue, 2012-06-05 at 09:32 +0200, Martin Kosek wrote:
> On Mon, 2012-06-04 at 23:49 -0400, Rob Crittenden wrote:
> > Martin Kosek wrote:
> > > On Fri, 2012-05-25 at 17:14 +0200, Martin Kosek wrote:
> > >> On Fri, 2012-05-25 at 09:25 -0400, Rob Crittenden wrote:
> > >>> Martin Kosek wrote:
> > >>>> This set of patches handles enabling psearch both for new installations
> > >>>> (patch 263) and upgraded IPA servers.
> > >>>>
> > >>>> For upgraded IPA servers I needed to make sure that psearch is not
> > >>>> enabled for every IPA package update, but at most once, when a user
> > >>>> updates to IPA with this patch for the first time (patch 264). This is
> > >>>> enabled by a new State store located in /var/lib/ipa/sysupgrade (patch
> > >>>> 262).
> > >>>>
> > >>>> I also improved the way we handled SELinux sebool updates (patch 265);
> > >>>> this can make ipa-upgradeconfig finish in 0.4 seconds and not in 150
> > >>>> seconds as previously. Details are in the patches.
> > >>>>
> > >>>> Martin
> > >>>
> > >>> 262:
> > >>> The sysupgrade directory isn't created by the RPM install:
> > >>>
> > >>> mkdir -p %{buildroot}/%{_localstatedir}/cache/ipa/sysupgrade
> > >>
> > >> Fixed.
> > >>
> > >>> 263:
> > >>>
> > >>> It looks like zone_refresh is simply disabled in bindinstance.py, why
> > >>> not remove it completely?
> > >>
> > >> zone_refresh is used by bindinstance.py. ipa-server-install or
> > >> ipa-dns-install may be configured to use zone refresh instead of the
> > >> persistent search mechanism to update the zones (e.g. --zone-refresh
> > >> 30).
> > >>
> > >>> 264:
> > >>>
> > >>> Small nit, worth doing case-insensitive compare of psearch enabled status?
> > >>
> > >> Petr2 told me that the arg value for a boolean configuration option is
> > >> case-insensitive, so we can do that - fixed.
> > >>
> > >>> We're updating named.conf in place so I don't know that we need to reset
> > >>> permissions. It at least shouldn't get modified by the write.
> > >>
> > >> Right, I was being too defensive. I removed the check.
> > >>
> > >> I made the upgrade more robust, now it won't crash for example when
> > >> named.conf does not exist. I also made sure the upgrade script works
> > >> correctly when IPA is configured without DNS.
> > >>
> > >> Martin
> > >
> > > I rebased the patches for current master. I also slightly reworked patch
> > > 265, the error message printed in case of an unsuccessful setsebool was
> > > not printed right.
> > >
> > > Martin
> >
> > Trailing whitespace in 264:
> >
> > # git am /tmp/freeipa-mkosek-264-3-enable-psearch-on-upgrades.patch
> > Applying: Enable psearch on upgrades
> > /home/rcrit/redhat/freeipa-nossh/.git/rebase-apply/patch:108: trailing whitespace.
> > root_logger.error('Cannot update connections in %s: %s',
> > warning: 1 line adds whitespace errors.
>
> Fixed.
>
> > I don't think the DNS detection is adequate in 264, testing for
> > named.conf is not enough. What if someone is running a non-IPA DNS
> > server on the box?
>
> I assume you are referring to this line:
> + if not bindinstance.named_conf_exists():
>
> It checks both if the named.conf exists + if it has bind-dyndb-ldap
> configured for IPA:
> if line.startswith('dynamic-db "ipa"'):
>
> > I know that I've recently done similar config changes but in 265 is
> > using line.startswith() going to be fragile?
>
> I assume you mean patch 264. This should be OK - a user would need to mess
> with the configuration generated by our install scripts to break it. But
> in this case, other regexes would fail too. I did not want to get too
> wild with regexes to keep it simple and safe. The worst case scenario
> should be that named.conf is not updated and psearch is not turned on.
>
> > In 266 I'd merge in the ipa-upgradeconfig change into 265 or some other
> > patch.
>
> I assume you mean patch 265. I had this change moved to 264 right after
> I sent the patches :-)
>
> > In the 'for setting, state' loop should it be catching a
> > CalledProcessException rather than raw Exception? I think that is all
> > that should be raised there.
>
> Right, fixed.
>
> > I did an upgrade and it seemed to work ok, ended up with these scary
> > messages in /var/log/messages:
> >
> > Jun 4 23:39:17 localhost named[18753]: LDAP error: Can't contact LDAP server
> > Jun 4 23:39:17 localhost named[18753]: connection to the LDAP server was lost
> > Jun 4 23:39:17 localhost named[18753]: bind to LDAP server failed: Can't contact LDAP server
> > Jun 4 23:39:17 localhost named[18753]: ldap_psearch_watcher failed to handle LDAP connection error. Reconnection in 60s
> > Jun 4 23:39:17 localhost named[18753]: LDAP error: Can't contact LDAP server
> > Jun 4 23:39:17 localhost named[18753]: connection to the LDAP server was lost
> > Jun 4 23:39:17 localhost named[18753]: bind to LDAP server failed: Can't contact LDAP server
> > Jun 4 23:39:17 localhost ns-slapd[18798]: [04/Jun/2012:23:39:17 -0400] - Information: Non-Secure Port Disabled
> > Jun 4 23:40:17 localhost named[18753]: handle_connection_error failed to obtain ldap error code
> > Jun 4 23:40:17 localhost named[18753]: connection to the LDAP server was lost
> > Jun 4 23:40:17 localhost named[18753]: bind to LDAP server failed: Can't contact LDAP server
> > Jun 4 23:40:17 localhost named[18753]: ldap_psearch_watcher failed to handle LDAP connection error. Reconnection in 60s
> > Jun 4 23:41:17 localhost named[18753]: handle_connection_error failed to obtain ldap error code
> > Jun 4 23:41:17 localhost named[18753]: connection to the LDAP server was lost
> >
> > DNS does seem to be working fine from the cli.
>
> I think this was caused by ipa-ldap-updater which shut down the
> Directory Server to perform the LDAP upgrade.
>
> Btw I asked Petr to file a ticket for bind-dyndb-ldap to report success
> when it returns back from an error state:
> https://fedorahosted.org/bind-dyndb-ldap/ticket/71
> This way, we cannot know that the LDAP connection has been restored
> besides doing a test DNS query.
>
> > The tests are another matter. named crashed in 0:1.1.0-0.10.b2.fc17 in
> > the test cleanup.
> >
> > I upgraded to bind-dyndb-ldap-1.1.0-0.11.rc1.fc17 and got this stack trace:
> >
> > Program received signal SIGABRT, Aborted.
> > [Switching to Thread 0x7f68e50db700 (LWP 19367)]
> > 0x00007f68e6188915 in raise () from /lib64/libc.so.6
> > (gdb) where
> > #0 0x00007f68e6188915 in raise () from /lib64/libc.so.6
> > #1 0x00007f68e618a0c8 in abort () from /lib64/libc.so.6
> > #2 0x00007f68e91171fb in assertion_failed (file=, line=, type=, cond=) at ./main.c:219
> > #3 0x00007f68e73a6c3a in isc_assertion_failed (file=file@entry=0x7f68e8a82deb "zone.c", line=, type=type@entry=isc_assertiontype_require, cond=cond@entry=0x7f68e8a82fe7 "zone->db != ((void *)0)") at assertions.c:57
> > #4 0x00007f68e8a2ba67 in zone_detachdb (zone=) at zone.c:12944
> > #5 zone_detachdb (zone=0x7f68dc57fef0) at zone.c:12943
> > #6 0x00007f68e8a2baa1 in zone_unload (zone=zone@entry=0x7f68dc57fef0) at zone.c:9092
> > #7 0x00007f68e8a2fcc4 in dns_zone_unload (zone=0x7f68dc57fef0) at zone.c:9040
> > #8 0x00007f68e3584b9e in ldap_delete_zone2 (inst=inst@entry=0x7f68e90b0f10, name=name@entry=0x7f68e50dad10, lock=lock@entry=isc_boolean_true) at ldap_helper.c:786
> > #9 0x00007f68e3586554 in ldap_delete_zone (dn=, inst=0x7f68e90b0f10, lock=) at ldap_helper.c:811
> > #10 update_action (task=, event=0x7f68e37de6a0) at ldap_helper.c:2763
> > #11 0x00007f68e73c613e in dispatch (manager=0x7f68e908f010) at task.c:1109
> > #12 run (uap=0x7f68e908f010) at task.c:1279
> > #13 0x00007f68e6d7bd14 in start_thread () from /lib64/libpthread.so.0
> > #14 0x00007f68e624494d in clone () from /lib64/libc.so.6
> >
> > rob
>
> Thanks for digging out the traceback, I already reported this error to
> bind-dyndb-ldap:
> https://bugzilla.redhat.com/show_bug.cgi?id=827401
>
> Petr, what's the status of this bug? I guess we cannot push this set of
> patches to enable psearch by default until this is fixed. Otherwise
> bind-dyndb-ldap would crash _every_ DNS unit test case.
>
> Updated set of patches attached.
>
> Martin

Petr^2 fixed the bug in bind-dyndb-ldap causing it to crash during DNS unit tests. I re-tested the new version with IPA and it worked fine.

Attached a rebased set of patches with the proper bind-dyndb-ldap version enforced. I would like this to get acked soon so that psearch is tested by a broader audience and we are able to stabilize it faster.

Martin
-------------- next part --------------
Name: freeipa-mkosek-262-5-add-sysupgrade-state-file.patch
Type: text/x-patch
Size: 9263 bytes
-------------- next part --------------
Name: freeipa-mkosek-263-5-enable-persistent-search-by-default.patch
Type: text/x-patch
Size: 14532 bytes
-------------- next part --------------
Name: freeipa-mkosek-264-5-enable-psearch-on-upgrades.patch
Type: text/x-patch
Size: 11511 bytes
-------------- next part --------------
Name: freeipa-mkosek-265-5-only-set-sebools-when-necessary.patch
Type: text/x-patch
Size: 4965 bytes
From mkosek at redhat.com Fri Jun 8 07:45:24 2012
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 08 Jun 2012 09:45:24 +0200
Subject: [Freeipa-devel] [PATCH 0022] fix crash during zone unload when NS is not resolvable
In-Reply-To: <20120607155107.GA23825@redhat.com>
References: <4FD0AD9E.3080907@redhat.com> <1339077826.24163.6.camel@balmora.brq.redhat.com> <20120607155107.GA23825@redhat.com>
Message-ID: <1339141524.3385.13.camel@balmora.brq.redhat.com>

On Thu, 2012-06-07 at 17:51 +0200, Adam Tkac wrote:
> On Thu, Jun 07, 2012 at 04:03:46PM +0200, Martin Kosek wrote:
> > On Thu, 2012-06-07 at 15:33 +0200, Petr Spacek wrote:
> > > Hello,
> > >
> > > this patch fixes https://fedorahosted.org/bind-dyndb-ldap/ticket/77:
> > > bind-dyndb-ldap crashes during zone unload when NS is not resolvable.
> > >
> > > During the investigation I found two other suspicious places. This patch adds only
> > > a comment near them. Any changes (as necessary) will be in a separate patch.
> > >
> > > Petr^2 Spacek
> >
> > Thanks Petr for the investigation and quick fix!
> >
> > Adam, if this passes your review, I think it would be great to have an F17
> > build at least in koji so that we can switch psearch on by default so
> > that other developers start testing it (with the new bind-dyndb-ldap
> > build so that their unit tests do not crash named).
>
> The patch was ok and the update has been submitted to bodhi. It should be in
> updates-testing very soon.
>
> Regards, Adam

Thanks a lot Adam! I tested the new bind-dyndb-ldap version and it fixed the issue I found - karma++.

I sent a rebased patch to enable psearch in IPA by default - let's get it grilled :-)

Martin
From pviktori at redhat.com Fri Jun 8 10:09:34 2012
From: pviktori at redhat.com (Petr Viktorin)
Date: Fri, 08 Jun 2012 12:09:34 +0200
Subject: [Freeipa-devel] [PATCH] 0060 Clean keytabs before installing new keys into them
Message-ID: <4FD1CF5E.8030509@redhat.com>

This removes old principals for the newly installed realm from /etc/krb5.keytab before client installation.

The ticket also mentioned doing this for server/replica installs, but in that case the keytab is removed and created from scratch.

https://fedorahosted.org/freeipa/ticket/2698

--
Petr³
-------------- next part --------------
Name: freeipa-pviktori-0060-Clean-keytabs-before-installing-new-keys-into-them.patch
Type: text/x-patch
Size: 2019 bytes
From pviktori at redhat.com Fri Jun 8 10:31:08 2012
From: pviktori at redhat.com (Petr Viktorin)
Date: Fri, 08 Jun 2012 12:31:08 +0200
Subject: [Freeipa-devel] [PATCH] 0059 Fix update plugin order
In-Reply-To: <4FD165F4.2010608@redhat.com>
References: <4FCF243C.8040907@redhat.com> <4FD165F4.2010608@redhat.com>
Message-ID: <4FD1D46C.8070509@redhat.com>

On 06/08/2012 04:39 AM, Rob Crittenden wrote:
> Petr Viktorin wrote:
>> While messing with the ipa-ldap-updater, I found the order method was
>> using an algorithm that could give incorrect results. I'm submitting a
>> fix in an extra patch, as it's largely unrelated and shouldn't be so
>> controversial.
>
> Can you open a ticket on this? We like to have a ticket for every commit
> (minus a random one-liner here and there).
>
> thanks
>
> rob

Created a ticket, and added a link to the commit message.

https://fedorahosted.org/freeipa/ticket/2820

--
Petr³
From pviktori at redhat.com Fri Jun 8 10:32:18 2012
From: pviktori at redhat.com (Petr Viktorin)
Date: Fri, 08 Jun 2012 12:32:18 +0200
Subject: [Freeipa-devel] [PATCH] 0059 Fix update plugin order
In-Reply-To: <4FD1D46C.8070509@redhat.com>
References: <4FCF243C.8040907@redhat.com> <4FD165F4.2010608@redhat.com> <4FD1D46C.8070509@redhat.com>
Message-ID: <4FD1D4B2.1010008@redhat.com>

On 06/08/2012 12:31 PM, Petr Viktorin wrote:
> On 06/08/2012 04:39 AM, Rob Crittenden wrote:
>> Petr Viktorin wrote:
>>> While messing with the ipa-ldap-updater, I found the order method was
>>> using an algorithm that could give incorrect results. I'm submitting a
>>> fix in an extra patch, as it's largely unrelated and shouldn't be so
>>> controversial.
>>
>> Can you open a ticket on this? We like to have a ticket for every commit
>> (minus a random one-liner here and there).
>>
>> thanks
>>
>> rob
>
> Created a ticket, and added a link to the commit message.
>
> https://fedorahosted.org/freeipa/ticket/2820

... and forgot to attach the patch.

--
Petr³
-------------- next part --------------
Name: freeipa-pviktori-0059-02-Fix-update-plugin-order.patch
Type: text/x-patch
Size: 1902 bytes
From jdennis at redhat.com Fri Jun 8 14:56:18 2012
From: jdennis at redhat.com (John Dennis)
Date: Fri, 08 Jun 2012 10:56:18 -0400
Subject: [Freeipa-devel] keys[-1] idiom?
Message-ID: <4FD21292.6000600@redhat.com>

I frequently see this idiom in the code in plugins and pre/post callbacks:

keys[-1]

My understanding is that keys is the positional parameter list of the command, correct? keys always appears in a formal parameter list with the parameter "options", which I believe are the keyword arguments of the command (i.e. *args, **kwds).

Thus keys[-1] would be the last positional parameter. What is special about it such that one can always reference the last positional parameter? (or have I misunderstood, if so please elucidate).

If keys is the positional parameter list (e.g. *args) why is it called "keys"? That seems really confusing because keys usually has an entirely different meaning (i.e. keys of a dict). Why isn't it named "args"?

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
From rcritten at redhat.com Fri Jun 8 15:10:52 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 08 Jun 2012 11:10:52 -0400
Subject: [Freeipa-devel] [PATCH] 262-265 Enable psearch by default
In-Reply-To: <1339138962.3385.3.camel@balmora.brq.redhat.com>
References: <1337950210.5899.25.camel@balmora.brq.redhat.com> <4FBF882D.9000909@redhat.com> <1337958871.5899.32.camel@balmora.brq.redhat.com> <1338540393.27740.17.camel@balmora.brq.redhat.com> <4FCD81D8.9000609@redhat.com> <1338881554.28796.23.camel@balmora.brq.redhat.com> <1339138962.3385.3.camel@balmora.brq.redhat.com>
Message-ID: <4FD215FC.2050300@redhat.com>

Martin Kosek wrote:
> On Tue, 2012-06-05 at 09:32 +0200, Martin Kosek wrote:
>> On Mon, 2012-06-04 at 23:49 -0400, Rob Crittenden wrote:
>>> Martin Kosek wrote:
>>>> On Fri, 2012-05-25 at 17:14 +0200, Martin Kosek wrote:
>>>>> On Fri, 2012-05-25 at 09:25 -0400, Rob Crittenden wrote:
>>>>>> Martin Kosek wrote:
>>>>>>> This set of patches handles enabling psearch both for new installations
>>>>>>> (patch 263) and upgraded IPA servers.
>>>>>>>
>>>>>>> For upgraded IPA servers I needed to make sure that psearch is not
>>>>>>> enabled for every IPA package update, but at most once, when a user
>>>>>>> updates to IPA with this patch for the first time (patch 264). This is
>>>>>>> enabled by a new State store located in /var/lib/ipa/sysupgrade (patch
>>>>>>> 262).
>>>>>>>
>>>>>>> I also improved the way we handled SELinux sebool updates (patch 265);
>>>>>>> this can make ipa-upgradeconfig finish in 0.4 seconds and not in 150
>>>>>>> seconds as previously. Details are in the patches.
>>>>>>>
>>>>>>> Martin
>>>>>>
>>>>>> 262:
>>>>>> The sysupgrade directory isn't created by the RPM install:
>>>>>>
>>>>>> mkdir -p %{buildroot}/%{_localstatedir}/cache/ipa/sysupgrade
>>>>>
>>>>> Fixed.
>>>>>
>>>>>> 263:
>>>>>>
>>>>>> It looks like zone_refresh is simply disabled in bindinstance.py, why
>>>>>> not remove it completely?
>>>>>
>>>>> zone_refresh is used by bindinstance.py. ipa-server-install or
>>>>> ipa-dns-install may be configured to use zone refresh instead of the
>>>>> persistent search mechanism to update the zones (e.g. --zone-refresh
>>>>> 30).
>>>>>
>>>>>> 264:
>>>>>>
>>>>>> Small nit, worth doing case-insensitive compare of psearch enabled status?
>>>>>
>>>>> Petr2 told me that the arg value for a boolean configuration option is
>>>>> case-insensitive, so we can do that - fixed.
>>>>>
>>>>>> We're updating named.conf in place so I don't know that we need to reset
>>>>>> permissions. It at least shouldn't get modified by the write.
>>>>>
>>>>> Right, I was being too defensive. I removed the check.
>>>>>
>>>>> I made the upgrade more robust, now it won't crash for example when
>>>>> named.conf does not exist. I also made sure the upgrade script works
>>>>> correctly when IPA is configured without DNS.
>>>>>
>>>>> Martin
>>>>
>>>> I rebased the patches for current master. I also slightly reworked patch
>>>> 265, the error message printed in case of an unsuccessful setsebool was
>>>> not printed right.
>>>>
>>>> Martin
>>>
>>> Trailing whitespace in 264:
>>>
>>> # git am /tmp/freeipa-mkosek-264-3-enable-psearch-on-upgrades.patch
>>> Applying: Enable psearch on upgrades
>>> /home/rcrit/redhat/freeipa-nossh/.git/rebase-apply/patch:108: trailing whitespace.
>>> root_logger.error('Cannot update connections in %s: %s',
>>> warning: 1 line adds whitespace errors.
>>
>> Fixed.
>>
>>> I don't think the DNS detection is adequate in 264, testing for
>>> named.conf is not enough. What if someone is running a non-IPA DNS
>>> server on the box?
>>
>> I assume you are referring to this line:
>> + if not bindinstance.named_conf_exists():
>>
>> It checks both if the named.conf exists + if it has bind-dyndb-ldap
>> configured for IPA:
>> if line.startswith('dynamic-db "ipa"'):
>>
>>> I know that I've recently done similar config changes but in 265 is
>>> using line.startswith() going to be fragile?
>>
>> I assume you mean patch 264. This should be OK - a user would need to mess
>> with the configuration generated by our install scripts to break it. But
>> in this case, other regexes would fail too. I did not want to get too
>> wild with regexes to keep it simple and safe. The worst case scenario
>> should be that named.conf is not updated and psearch is not turned on.
>>
>>> In 266 I'd merge in the ipa-upgradeconfig change into 265 or some other
>>> patch.
>>
>> I assume you mean patch 265. I had this change moved to 264 right after
>> I sent the patches :-)
>>
>>> In the 'for setting, state' loop should it be catching a
>>> CalledProcessException rather than raw Exception? I think that is all
>>> that should be raised there.
>>
>> Right, fixed.
>>
>>> I did an upgrade and it seemed to work ok, ended up with these scary
>>> messages in /var/log/messages:
>>>
>>> Jun 4 23:39:17 localhost named[18753]: LDAP error: Can't contact LDAP server
>>> Jun 4 23:39:17 localhost named[18753]: connection to the LDAP server was lost
>>> Jun 4 23:39:17 localhost named[18753]: bind to LDAP server failed: Can't contact LDAP server
>>> Jun 4 23:39:17 localhost named[18753]: ldap_psearch_watcher failed to handle LDAP connection error. Reconnection in 60s
>>> Jun 4 23:39:17 localhost named[18753]: LDAP error: Can't contact LDAP server
>>> Jun 4 23:39:17 localhost named[18753]: connection to the LDAP server was lost
>>> Jun 4 23:39:17 localhost named[18753]: bind to LDAP server failed: Can't contact LDAP server
>>> Jun 4 23:39:17 localhost ns-slapd[18798]: [04/Jun/2012:23:39:17 -0400] - Information: Non-Secure Port Disabled
>>> Jun 4 23:40:17 localhost named[18753]: handle_connection_error failed to obtain ldap error code
>>> Jun 4 23:40:17 localhost named[18753]: connection to the LDAP server was lost
>>> Jun 4 23:40:17 localhost named[18753]: bind to LDAP server failed: Can't contact LDAP server
>>> Jun 4 23:40:17 localhost named[18753]: ldap_psearch_watcher failed to handle LDAP connection error. Reconnection in 60s
>>> Jun 4 23:41:17 localhost named[18753]: handle_connection_error failed to obtain ldap error code
>>> Jun 4 23:41:17 localhost named[18753]: connection to the LDAP server was lost
>>>
>>> DNS does seem to be working fine from the cli.
>>
>> I think this was caused by ipa-ldap-updater which shut down the
>> Directory Server to perform the LDAP upgrade.
>>
>> Btw I asked Petr to file a ticket for bind-dyndb-ldap to report success
>> when it returns back from an error state:
>> https://fedorahosted.org/bind-dyndb-ldap/ticket/71
>> This way, we cannot know that the LDAP connection has been restored
>> besides doing a test DNS query.
>>
>>> The tests are another matter. named crashed in 0:1.1.0-0.10.b2.fc17 in
>>> the test cleanup.
>>>
>>> I upgraded to bind-dyndb-ldap-1.1.0-0.11.rc1.fc17 and got this stack trace:
>>>
>>> Program received signal SIGABRT, Aborted.
>>> [Switching to Thread 0x7f68e50db700 (LWP 19367)]
>>> 0x00007f68e6188915 in raise () from /lib64/libc.so.6
>>> (gdb) where
>>> #0 0x00007f68e6188915 in raise () from /lib64/libc.so.6
>>> #1 0x00007f68e618a0c8 in abort () from /lib64/libc.so.6
>>> #2 0x00007f68e91171fb in assertion_failed (file=, line=, type=, cond=) at ./main.c:219
>>> #3 0x00007f68e73a6c3a in isc_assertion_failed (file=file@entry=0x7f68e8a82deb "zone.c", line=, type=type@entry=isc_assertiontype_require, cond=cond@entry=0x7f68e8a82fe7 "zone->db != ((void *)0)") at assertions.c:57
>>> #4 0x00007f68e8a2ba67 in zone_detachdb (zone=) at zone.c:12944
>>> #5 zone_detachdb (zone=0x7f68dc57fef0) at zone.c:12943
>>> #6 0x00007f68e8a2baa1 in zone_unload (zone=zone@entry=0x7f68dc57fef0) at zone.c:9092
>>> #7 0x00007f68e8a2fcc4 in dns_zone_unload (zone=0x7f68dc57fef0) at zone.c:9040
>>> #8 0x00007f68e3584b9e in ldap_delete_zone2 (inst=inst@entry=0x7f68e90b0f10, name=name@entry=0x7f68e50dad10, lock=lock@entry=isc_boolean_true) at ldap_helper.c:786
>>> #9 0x00007f68e3586554 in ldap_delete_zone (dn=, inst=0x7f68e90b0f10, lock=) at ldap_helper.c:811
>>> #10 update_action (task=, event=0x7f68e37de6a0) at ldap_helper.c:2763
>>> #11 0x00007f68e73c613e in dispatch (manager=0x7f68e908f010) at task.c:1109
>>> #12 run (uap=0x7f68e908f010) at task.c:1279
>>> #13 0x00007f68e6d7bd14 in start_thread () from /lib64/libpthread.so.0
>>> #14 0x00007f68e624494d in clone () from /lib64/libc.so.6
>>>
>>> rob
>>
>> Thanks for digging out the traceback, I already reported this error to
>> bind-dyndb-ldap:
>> https://bugzilla.redhat.com/show_bug.cgi?id=827401
>>
>> Petr, what's the status of this bug? I guess we cannot push this set of
>> patches to enable psearch by default until this is fixed. Otherwise
>> bind-dyndb-ldap would crash _every_ DNS unit test case.
>>
>> Updated set of patches attached.
>>
>> Martin
>
> Petr^2 fixed the bug in bind-dyndb-ldap causing it to crash during DNS
> unit tests. I re-tested the new version with IPA and it worked fine.
>
> Attached a rebased set of patches with the proper bind-dyndb-ldap version
> enforced. I would like this to get acked soon so that psearch is tested
> by a broader audience and we are able to stabilize it faster.
>
> Martin

These work ok so conditional ACK based on the following:

The tests all pass but I saw this in messages:

Jun 8 10:13:37 localhost named[1624]: psearch moddn change is not implemented
Jun 8 10:13:37 localhost named[1624]: psearch_update failed for idnsname=testdnsres-renamed,idnsname=dnszone.test,cn=dns,dc=example,dc=com zone. Zone can be outdated, run `rndc reload`

Other than immediately seeing new zones are there any other consequences to disabling psearch? Are features eventually going to not be available if it is not enabled? I assume that if/when that happens the man page will be updated at that point?

rob
From mkosek at redhat.com Fri Jun 8 15:24:47 2012
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 08 Jun 2012 17:24:47 +0200 Subject: [Freeipa-devel] [PATCH] 262-265 Enable psearch by default In-Reply-To: <4FD215FC.2050300@redhat.com> References: <1337950210.5899.25.camel@balmora.brq.redhat.com> <4FBF882D.9000909@redhat.com> <1337958871.5899.32.camel@balmora.brq.redhat.com> <1338540393.27740.17.camel@balmora.brq.redhat.com> <4FCD81D8.9000609@redhat.com> <1338881554.28796.23.camel@balmora.brq.redhat.com> <1339138962.3385.3.camel@balmora.brq.redhat.com> <4FD215FC.2050300@redhat.com> Message-ID: <1339169087.2191.16.camel@priserak> On Fri, 2012-06-08 at 11:10 -0400, Rob Crittenden wrote: > Martin Kosek wrote: > > On Tue, 2012-06-05 at 09:32 +0200, Martin Kosek wrote: > >> On Mon, 2012-06-04 at 23:49 -0400, Rob Crittenden wrote: > >>> Martin Kosek wrote: > >>>> On Fri, 2012-05-25 at 17:14 +0200, Martin Kosek wrote: > >>>>> On Fri, 2012-05-25 at 09:25 -0400, Rob Crittenden wrote: > >>>>>> Martin Kosek wrote: > >>>>>>> This set of patches handles enabling psearch both for new installations > >>>>>>> (patch 263) and upgraded IPA servers. > >>>>>>> > >>>>>>> For upgraded IPA servers I needed to make sure that psearch is not > >>>>>>> enabled for every IPA package update, but at most once, when a user > >>>>>>> updates to IPA with this patch for the first time (patch 264). This is > >>>>>>> enabled by a new State store located in /var/lib/ipa/sysupgrade (patch > >>>>>>> 262). > >>>>>>> > >>>>>>> I also improved the way we handled SELinux sebool updates (patch 265), > >>>>>>> this can make ipa-upgradeconfig to finish in 0.4 seconds and not in 150 > >>>>>>> seconds as previously. Details are in the patches. > >>>>>>> > >>>>>>> Martin > >>>>>> > >>>>>> 262: > >>>>>> The sysupgrade directory isn't created by the RPM install: > >>>>>> > >>>>>> mkdir -p %{buildroot}/%{_localstatedir}/cache/ipa/sysupgrade > >>>>> > >>>>> Fixed. 
> >>>>> > >>>>>> > >>>>>> 263: > >>>>>> > >>>>>> It looks like zone_refresh is simply disabled in bindinstance.py, why > >>>>>> not remove it completely? > >>>>> > >>>>> zone_refresh is used by bindinstance.py. ipa-server-install or > >>>>> ipa-dns-install may be configured to use zone refresh instead of > >>>>> persistent search mechanism to update the zones (e.g. --zone-refresh > >>>>> 30). > >>>>> > >>>>>> > >>>>>> 264: > >>>>>> > >>>>>> Small nit, worth doing case-insensitive compare of psearch enabled status? > >>>>> > >>>>> Petr2 told me that arg value for boolean configuration option is > >>>>> case-insensitive, so we can do that - fixed. > >>>>> > >>>>>> > >>>>>> We're updating named.conf in place so I don't know that we need to reset > >>>>>> permissions. It at least shouldn't get modified by the write. > >>>>> > >>>>> Right, I was being too defensive. I removed the check. > >>>>> > >>>>> I made the upgrade more robust, now it won't crash for example when > >>>>> named.conf does not exist. I also made sure the upgrade script works > >>>>> correctly when the IPA is configured without DNS. > >>>>> > >>>>> Martin > >>>> > >>>> I rebased the patches for current master. I also slightly reworked patch > >>>> 265, the error message printed in case of an unsuccessful setsebool was > >>>> not printed right. > >>>> > >>>> Martin > >>> > >>> Trailing whitespace in 264: > >>> > >>> # git am /tmp/freeipa-mkosek-264-3-enable-psearch-on-upgrades.patch > >>> Applying: Enable psearch on upgrades > >>> /home/rcrit/redhat/freeipa-nossh/.git/rebase-apply/patch:108: trailing > >>> whitespace. > >>> root_logger.error('Cannot update connections in %s: > >>> %s', > >>> warning: 1 line adds whitespace errors. > >> > >> Fixed. > >> > >>> > >>> I don't think the DNS detection is adequate in 264, testing for > >>> named.conf is not enough. What if someone is running a non-IPA DNS > >>> server on the box? 
> >> > >> I assume you are referring to this line: > >> + if not bindinstance.named_conf_exists(): > >> > >> It checks both if the named.conf exists + if it has bind-dyndb-ldap > >> configured for IPA: > >> if line.startswith('dynamic-db "ipa"'): > >> > >>> > >>> I know that I've recently done similar config changes but in 265 is > >>> using line.startswith() going to be fragile? > >> > >> I assume you mean patch 264. This should be OK - user would need to mess > >> with the configuration generated by our install scripts to break it. But > >> in this case, other regex-es would fail too. I did not want to get too > >> wild with regex-es to keep it simple and safe. The worst case scenario > >> should be that named.conf is not updated and psearch is not turned on. > >> > >>> > >>> In 266 I'd merge in the ipa-upgradeconfig change into 265 or some other > >>> patch. > >> > >> I assume you mean patch 265. I had this change moved to 264 right after > >> I sent the patches :-) > >> > >>> > >>> In the 'for setting, state' loop should it be catching a > >>> CalledProcessException rather than raw Exception? I think that is all > >>> that should be raised there. > >> > >> Right, fixed. > >> > >>> > >>> I did an upgrade and it seemed to work ok, ended up with these scary > >>> messages in /var/log/messages: > >>> > >>> Jun 4 23:39:17 localhost named[18753]: LDAP error: Can't contact LDAP > >>> server > >>> Jun 4 23:39:17 localhost named[18753]: connection to the LDAP server > >>> was lost > >>> Jun 4 23:39:17 localhost named[18753]: bind to LDAP server failed: > >>> Can't contact LDAP server > >>> Jun 4 23:39:17 localhost named[18753]: ldap_psearch_watcher failed to > >>> handle LDAP connection error. 
Reconnection in 60s > >>> Jun 4 23:39:17 localhost named[18753]: LDAP error: Can't contact LDAP > >>> server > >>> Jun 4 23:39:17 localhost named[18753]: connection to the LDAP server > >>> was lost > >>> Jun 4 23:39:17 localhost named[18753]: bind to LDAP server failed: > >>> Can't contact LDAP server > >>> Jun 4 23:39:17 localhost ns-slapd[18798]: [04/Jun/2012:23:39:17 -0400] > >>> - Information: Non-Secure Port Disabled > >>> Jun 4 23:40:17 localhost named[18753]: handle_connection_error failed > >>> to obtain ldap error code > >>> Jun 4 23:40:17 localhost named[18753]: connection to the LDAP server > >>> was lost > >>> Jun 4 23:40:17 localhost named[18753]: bind to LDAP server failed: > >>> Can't contact LDAP server > >>> Jun 4 23:40:17 localhost named[18753]: ldap_psearch_watcher failed to > >>> handle LDAP connection error. Reconnection in 60s > >>> Jun 4 23:41:17 localhost named[18753]: handle_connection_error failed > >>> to obtain ldap error code > >>> Jun 4 23:41:17 localhost named[18753]: connection to the LDAP server > >>> was lost > >>> > >>> DNS does seem to be working fine from the cli. > >> > >> I think this was caused by ipa-ldap-updater which shut down the > >> Directory Server to perform the LDAP upgrade. > >> > >> Btw I asked Petr to file a ticket for bind-dyndb-ldap to report when it > >> report success after when it returns back from an error state: > >> https://fedorahosted.org/bind-dyndb-ldap/ticket/71 > >> This way, we cannot know that the LDAP connection has been restored > >> besides doing a test DNS query. > >> > >>> > >>> The tests are another matter. named crashed in 0:1.1.0-0.10.b2.fc17 in > >>> the test cleanup. > >>> > >>> I upgraded to bind-dyndb-ldap-1.1.0-0.11.rc1.fc17 and got this stack trace: > >>> > >>> Program received signal SIGABRT, Aborted. 
> >>> [Switching to Thread 0x7f68e50db700 (LWP 19367)] > >>> 0x00007f68e6188915 in raise () from /lib64/libc.so.6 > >>> (gdb) where > >>> #0 0x00007f68e6188915 in raise () from /lib64/libc.so.6 > >>> #1 0x00007f68e618a0c8 in abort () from /lib64/libc.so.6 > >>> #2 0x00007f68e91171fb in assertion_failed (file=, > >>> line=, type=, cond=) > >>> at ./main.c:219 > >>> #3 0x00007f68e73a6c3a in isc_assertion_failed ( > >>> file=file at entry=0x7f68e8a82deb "zone.c", line=, > >>> type=type at entry=isc_assertiontype_require, > >>> cond=cond at entry=0x7f68e8a82fe7 "zone->db != ((void *)0)") > >>> at assertions.c:57 > >>> #4 0x00007f68e8a2ba67 in zone_detachdb (zone=) at > >>> zone.c:12944 > >>> #5 zone_detachdb (zone=0x7f68dc57fef0) at zone.c:12943 > >>> #6 0x00007f68e8a2baa1 in zone_unload (zone=zone at entry=0x7f68dc57fef0) > >>> at zone.c:9092 > >>> #7 0x00007f68e8a2fcc4 in dns_zone_unload (zone=0x7f68dc57fef0) at > >>> zone.c:9040 > >>> #8 0x00007f68e3584b9e in ldap_delete_zone2 > >>> (inst=inst at entry=0x7f68e90b0f10, > >>> name=name at entry=0x7f68e50dad10, lock=lock at entry=isc_boolean_true) > >>> at ldap_helper.c:786 > >>> #9 0x00007f68e3586554 in ldap_delete_zone (dn=, > >>> inst=0x7f68e90b0f10, lock=) at ldap_helper.c:811 > >>> #10 update_action (task=, event=0x7f68e37de6a0) > >>> at ldap_helper.c:2763 > >>> #11 0x00007f68e73c613e in dispatch (manager=0x7f68e908f010) at task.c:1109 > >>> #12 run (uap=0x7f68e908f010) at task.c:1279 > >>> #13 0x00007f68e6d7bd14 in start_thread () from /lib64/libpthread.so.0 > >>> #14 0x00007f68e624494d in clone () from /lib64/libc.so.6 > >>> > >>> rob > >> > >> Thanks for digging out the traceback, I already reported this error to > >> bind-dyndb-ldap: > >> https://bugzilla.redhat.com/show_bug.cgi?id=827401 > >> > >> Petr, what's the status of this bug? I guess we cannot push this set of > >> patches to enable the psearch by default until this is fixed. Otherwise > >> bind-dyndb-ldap would crash _every_ DNS unit test case. 
> >>
> >> Updated set of patches attached.
> >>
> >> Martin
> >
> > Petr^2 fixed the bug in bind-dyndb-ldap causing it to crash during DNS
> > unit tests. I re-tested the new version with IPA and it worked fine.
> >
> > Attached a rebased set of patches with proper bind-dyndb-ldap version
> > enforced. I would like this to get acked soon so that psearch is tested
> > by a broader audience and we are able to stabilize it faster.
> >
> > Martin
>
> These work ok so conditional ACK based on the following:
>
> The tests all pass but I saw this in messages:
>
> Jun 8 10:13:37 localhost named[1624]: psearch moddn change is not
> implemented
> Jun 8 10:13:37 localhost named[1624]: psearch_update failed for
> idnsname=testdnsres-renamed,idnsname=dnszone.test,cn=dns,dc=example,dc=com
> zone. Zone can be outdated, run `rndc reload`

Yup, there is already a ticket which should fix that:
https://fedorahosted.org/bind-dyndb-ldap/ticket/72

>
> Other than immediately seeing new zones are there any other consequences
> to disabling psearch? Are features eventually going to not be available
> if it is not enabled? I assume that if/when that happens the man page
> will be updated at that point?
>
> rob

At the current state of things, both modes (psearch vs. no-psearch) should be equivalent in terms of features. In the future, DNSSEC+automatic SOA update (i.e. a requirement for zone transfers) will depend on psearch. I guess it would be possible to implement some limited functionality when psearch is off, we can discuss this topic with Petr/Adam.

Martin
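The named log lines quoted in this thread are the only signal an operator gets about the state of bind-dyndb-ldap's LDAP connection, and, as Martin notes, there is no matching "restored" message until ticket 71 is addressed. The following is an added example, not code from the thread or from bind-dyndb-ldap: it tracks the LDAP link state, counts reconnection attempts and collects the zones named flags as outdated, from syslog lines in the format shown above. The sample lines are constructed copies of the quoted ones, and the mark_restored() hook is an assumption about how an external DNS test query would feed back into such a checker.

```python
"""Added example: track bind-dyndb-ldap's LDAP link state from named log lines."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# syslog line from named: "Jun  4 23:39:17 localhost named[18753]: <message>"
NAMED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ named\[\d+\]: (?P<msg>.*)$"
)
# messages that mean the LDAP connection is (still) down
LOST_MARKERS = (
    "connection to the LDAP server was lost",
    "bind to LDAP server failed",
    "LDAP error: Can't contact LDAP server",
)
# "psearch_update failed for <zone dn> zone. Zone can be outdated, run `rndc reload`"
STALE_RE = re.compile(r"psearch_update failed for (?P<dn>\S+) zone\.")


@dataclass
class LdapLinkState:
    connected: bool = True
    lost_at: Optional[str] = None        # timestamp of the first failure message
    reconnect_attempts: int = 0          # "Reconnection in 60s" messages seen
    stale_zones: List[str] = field(default_factory=list)    # zones needing rndc reload
    unimplemented: List[str] = field(default_factory=list)  # psearch changes not handled


def feed(state: LdapLinkState, line: str) -> LdapLinkState:
    """Update state from one syslog line; lines from other daemons (ns-slapd, ...) are ignored."""
    m = NAMED_RE.match(line)
    if not m:
        return state
    ts, msg = m.group("ts"), m.group("msg")
    if state.connected and any(marker in msg for marker in LOST_MARKERS):
        state.connected = False
        state.lost_at = ts
    if "Reconnection in" in msg:
        state.reconnect_attempts += 1
    if "is not implemented" in msg:
        state.unimplemented.append(msg)
    stale = STALE_RE.search(msg)
    if stale and stale.group("dn") not in state.stale_zones:
        state.stale_zones.append(stale.group("dn"))
    return state


def mark_restored(state: LdapLinkState) -> None:
    """named logs no 'connection restored' message, so recovery has to be
    confirmed out of band (e.g. a test DNS query) and fed back here. Assumed hook."""
    state.connected = True
    state.lost_at = None
    state.reconnect_attempts = 0


def scan(lines) -> LdapLinkState:
    state = LdapLinkState()
    for line in lines:
        feed(state, line)
    return state


# Constructed sample, modelled on the lines quoted in the thread above.
SAMPLE_LOG = """\
Jun  4 23:39:17 localhost named[18753]: LDAP error: Can't contact LDAP server
Jun  4 23:39:17 localhost named[18753]: connection to the LDAP server was lost
Jun  4 23:39:17 localhost named[18753]: bind to LDAP server failed: Can't contact LDAP server
Jun  4 23:39:17 localhost ns-slapd[18798]: [04/Jun/2012:23:39:17 -0400] - Information: Non-Secure Port Disabled
Jun  4 23:40:17 localhost named[18753]: handle_connection_error failed to obtain ldap error code
Jun  4 23:40:17 localhost named[18753]: ldap_psearch_watcher failed to handle LDAP connection error. Reconnection in 60s
Jun  4 23:41:17 localhost named[18753]: connection to the LDAP server was lost
Jun  8 10:13:37 localhost named[1624]: psearch moddn change is not implemented
Jun  8 10:13:37 localhost named[1624]: psearch_update failed for idnsname=testdnsres-renamed,idnsname=dnszone.test,cn=dns,dc=example,dc=com zone. Zone can be outdated, run `rndc reload`
""".splitlines()

if __name__ == "__main__":
    s = scan(SAMPLE_LOG)
    print(f"connected={s.connected} lost_at={s.lost_at!r} reconnects={s.reconnect_attempts}")
    print("zones needing rndc reload:", s.stale_zones)
    print("unhandled psearch changes:", s.unimplemented)
```

The stale-zone list is the actionable part: each entry is a zone for which the psearch update was dropped (the moddn case from ticket 72 above), so it will stay outdated until `rndc reload` runs or LDAP is polled again.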
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 08 Jun 2012 17:51:58 +0200
Subject: [Freeipa-devel] [PATCH] 157 Added password reset capabilities to unauthorized dialog
Message-ID: <4FD21F9E.5000201@redhat.com>

For those of you who are only interested in the user perspective I prepared a set of screenshots to demonstrate the workflow of password reset:
http://pvoborni.fedorapeople.org/ux/reset_password_workflow.png

Patch depends on mkosek #274.

Web UI was missing a way to reset an expired password for a normal user. A recent server patch added an API for such a task. This patch adds a reset password form to the unauthorized dialog.

If a user tries to login using form-based authentication and his password is expired, the login form transforms into a reset password form. The username and current password are populated with the values from the previous login attempt. The user then has to enter a new password and its verification. Then he can hit the enter key on the keyboard or click on the reset button on the dialog to perform the password reset. An error is displayed if some part of the password reset fails. If it is successful, a new login with the values entered for the password reset is performed. It should login the user. In the password reset form the user can click on the back button or hit escape on the keyboard to go back to the login form.

https://fedorahosted.org/freeipa/ticket/2755

-- 
Petr Vobornik
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 08 Jun 2012 17:52:52 +0200
Subject: [Freeipa-devel] [PATCH] 157 Added password reset capabilities to unauthorized dialog
In-Reply-To: <4FD21F9E.5000201@redhat.com>
References: <4FD21F9E.5000201@redhat.com>
Message-ID: <4FD21FD4.4030301@redhat.com>

and now the patch...

On 06/08/2012 05:51 PM, Petr Vobornik wrote:
> For those of you who are only interested in the user perspective I prepared a
> set of screenshots to demonstrate the workflow of password reset:
> http://pvoborni.fedorapeople.org/ux/reset_password_workflow.png
>
> Patch depends on mkosek #274.
>
> Web UI was missing a way to reset an expired password for a normal user.
> A recent server patch added an API for such a task. This patch adds a reset
> password form to the unauthorized dialog.
>
> If a user tries to login using form-based authentication and his password
> is expired, the login form transforms into a reset password form. The username
> and current password are populated with the values from the previous login attempt.
> The user then has to enter a new password and its verification. Then he can
> hit the enter key on the keyboard or click on the reset button on the dialog to
> perform the password reset. An error is displayed if some part of the password
> reset fails. If it is successful, a new login with the values entered for the
> password reset is performed. It should login the user. In the password reset
> form the user can click on the back button or hit escape on the keyboard to go back
> to the login form.
>
> https://fedorahosted.org/freeipa/ticket/2755

-- 
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0157-Added-password-reset-capabilities-to-unauthorized-di.patch
Type: text/x-patch
Size: 18047 bytes
Desc: not available
URL: 
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 08 Jun 2012 17:54:57 +0200
Subject: [Freeipa-devel] [PATCH] 158 Separate reset password page
Message-ID: <4FD22051.7060308@redhat.com>

This patch adds a separate reset password page. It is a complement to the separate login page. It differs from the reset password capability in the Web UI's unauthorized dialog by not performing a login. This is useful for users who only want to reset their password and not use the Web UI, and also for users who are using the separate login page.

https://fedorahosted.org/freeipa/ticket/2755

-- 
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0158-Separate-reset-password-page.patch
Type: text/x-patch
Size: 11560 bytes
Desc: not available
URL: 
From: sbose at redhat.com (Sumit Bose)
Date: Fri, 8 Jun 2012 18:20:44 +0200
Subject: [Freeipa-devel] [PATCH] 19-21 Use exop instead of kadmin.local
In-Reply-To: <20120607100932.GO8124@localhost.localdomain>
References: <20120607100713.GN8124@localhost.localdomain> <20120607100932.GO8124@localhost.localdomain>
Message-ID: <20120608162044.GX8124@localhost.localdomain>

On Thu, Jun 07, 2012 at 12:09:32PM +0200, Sumit Bose wrote:
> now with patches :-)
> On Thu, Jun 07, 2012 at 12:07:13PM +0200, Sumit Bose wrote:
> > Hi,
> >
> > this patch fixes https://fedorahosted.org/freeipa/ticket/2513 and as a
> > consequence makes https://fedorahosted.org/freeipa/ticket/2516 obsolete.
> >
> > This first patch is just a minor cleanup which is not related to the
> > ticket. The second makes create_keys() a public function so that it can be
> > called by the ipasam plugin as well. Finally the third patch removes the
> > kadmin.local call and calls the KEYTAB_SET_OID extended operation
> > instead.
> >
> > bye,
> > Sumit

Alexander asked to merge the ACI into the existing ACI for the adtrust agents. New version attached.

bye,
Sumit

-------------- next part --------------
From 21fb092ec76e3241e2aeb5aeffa065bcc39c63ea Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Tue, 13 Mar 2012 14:06:02 +0100
Subject: [PATCH] Use exop instead of kadmin.local

---
 daemons/ipa-sam/Makefile.am | 6 +++
 daemons/ipa-sam/ipa_sam.c | 101 ++++++++++++++++++++++++++++----------
 install/updates/60-trusts.update | 2 +-
 3 Dateien geändert, 81 Zeilen hinzugefügt(+), 28 Zeilen entfernt(-)

diff --git a/daemons/ipa-sam/Makefile.am b/daemons/ipa-sam/Makefile.am index b5b9b0b75b276ac14b01ce35bae63af539e596fc..275cce629385b1719544a7832a00e9ee6664b739 100644 --- a/daemons/ipa-sam/Makefile.am +++ b/daemons/ipa-sam/Makefile.am @@ -7,6 +7,9 @@ SAMBA40EXTRA_LIBS = $(SAMBA40EXTRA_LIBPATH) \ -lsmbconf \ $(NULL) +KRB5_UTIL_DIR=../../util +KRB5_UTIL_SRCS=$(KRB5_UTIL_DIR)/ipa_krb5.c + INCLUDES = \ -I. \ -I$(srcdir) \
@@ -18,6 +21,7 @@ INCLUDES = \ -DDATADIR=\""$(datadir)"\" \ -DLDAPIDIR=\""$(localstatedir)/run"\" \ -DHAVE_LDAP \ + -I $(KRB5_UTIL_DIR) \ $(AM_CFLAGS) \ $(LDAP_CFLAGS) \ $(KRB5_CFLAGS) \ @@ -34,6 +38,7 @@ plugin_LTLIBRARIES = \ ipasam_la_SOURCES = \ ipa_sam.c \ + $(KRB5_UTIL_SRCS) \ $(NULL) ipasam_la_LDFLAGS = \ @@ -43,6 +48,7 @@ ipasam_la_LDFLAGS = \ ipasam_la_LIBADD = \ $(LDAP_LIBS) \ + $(KRB5_LIBS) \ $(TALLOC_LIBS) \ $(SAMBAUTIL_LIBS) \ $(NDR_LIBS) \ diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c index 2627025a8f2f757ca62c58b541c002f46e7c3be1..851df8c62f0ffb159610ce0ac311463233eea497 100644 --- a/daemons/ipa-sam/ipa_sam.c +++ b/daemons/ipa-sam/ipa_sam.c @@ -9,6 +9,7 @@ #include #include #include +#include #include @@ -28,17 +29,7 @@ #include #include -#include - -/* TODO: remove if smbrunsecret() is removed */ -typedef struct connection_structi {} connection_struct; -struct current_user { - connection_struct *conn; - uint16_t vuid; - struct security_unix_token ut; - struct security_token *nt_user_token; -}; -extern struct current_user current_user; +#include "ipa_krb5.h" /* from drsblobs.h */ struct AuthInfoNone { @@ -104,7 +95,6 @@ char *sid_string_talloc(TALLOC_CTX *mem_ctx, const struct dom_sid *sid); /* avai char *sid_string_dbg(const struct dom_sid *sid); /* available in libsmbconf.so */ bool is_null_sid(const struct dom_sid *sid); /* available in libsecurity.so */ bool strnequal(const char *s1,const char *s2,size_t n); /* available in libutil_str.so */ -int smbrunsecret(const char *cmd, const char *secret); /* available in libsmbconf.so */ bool trim_char(char *s,char cfront,char cback); /* available in libutil_str.so */ bool sid_peek_check_rid(const struct dom_sid *exp_dom_sid, const struct dom_sid *sid, uint32_t *rid); /* available in libsecurity.so */ char *escape_ldap_string(TALLOC_CTX *mem_ctx, const char *s); /* available in libsmbconf.so */ 
@@ -1382,6 +1372,76 @@ static bool search_krb_princ(struct ldapsam_privates *ldap_state, return true; } +static int set_cross_realm_pw(struct ldapsam_privates *ldap_state, + TALLOC_CTX *mem_ctx, + const char *princ, const char *pwd, + const char *base_dn) +{ + int ret; + krb5_error_code krberr; + krb5_context krbctx; + krb5_principal service_princ; + struct keys_container keys; + char *err_msg; + struct berval *reqdata = NULL; + struct berval *retdata = NULL; + char *retoid; + + krberr = krb5_init_context(&krbctx); + if (krberr != 0) { + DEBUG(1, ("krb5_init_context failed.\n")); + ret = krberr; + goto done; + } + + krberr = krb5_parse_name(krbctx, princ, &service_princ); + if (krberr != 0) { + DEBUG(1, ("Invalid Service Principal Name [%s]\n", princ)); + ret = krberr; + goto done; + } + + ret = create_keys(krbctx, service_princ, discard_const(pwd), NULL, &keys, &err_msg); + if (!ret) { + if (err_msg != NULL) { + DEBUG(1, ("create_keys returned [%s]\n", err_msg)); + } + goto done; + } + + reqdata = create_key_control(&keys, princ); + if (reqdata == NULL) { + DEBUG(1, ("Failed to create reqdata!\n")); + ret= ENOMEM; + goto done; + } + + ret = smbldap_extended_operation(ldap_state->smbldap_state, + KEYTAB_SET_OID, reqdata, NULL, NULL, + &retoid, &retdata); + if (ret != LDAP_SUCCESS) { + DEBUG(1, ("smbldap_extended_operation failed!\n")); + goto done; + } + + /* So far we do not care abot the result */ + ldap_memfree(retoid); + if (retdata != NULL) { + ber_bvfree(retdata); + } + + ret = 0; +done: + if (reqdata != NULL) { + ber_bvfree(reqdata); + } + free_keys_contents(krbctx, &keys); + krb5_free_principal(krbctx, service_princ); + krb5_free_context(krbctx); + + return ret; +} + static bool set_krb_princ(struct ldapsam_privates *ldap_state, TALLOC_CTX *mem_ctx, const char *princ, const char *pwd, 
@@ -1450,22 +1510,9 @@ static bool set_krb_princ(struct ldapsam_privates *ldap_state, return false; } - /* TODO: Call the appropriate expo if ipasam is part of the FreeIPA - * source tree */ - inp = talloc_asprintf(mem_ctx, "change_password -pw %s %s", pwd, princ); - if (inp == NULL) { - return false; - } - - uid_t save_uid = current_user.ut.uid; - gid_t save_gid = current_user.ut.gid; - current_user.ut.uid = 0; - current_user.ut.gid = 0; - ret = smbrunsecret("kadmin.local", inp); - current_user.ut.uid = save_uid; - current_user.ut.gid = save_gid; + ret = set_cross_realm_pw(ldap_state, mem_ctx, princ, pwd, base_dn); if (ret != 0) { - DEBUG(1, ("calling kadmin.local failed.\n")); + DEBUG(1, ("set_cross_realm_pw failed.\n")); return false; } diff --git a/install/updates/60-trusts.update b/install/updates/60-trusts.update index cfd1ad7e5f83bd64c5934d270090754bbe9e9e36..82d78315d773a4cc1f25a420e5171270504730a3 100644 --- a/install/updates/60-trusts.update +++ b/install/updates/60-trusts.update 
@@ -54,7 +54,7 @@ default: cn: trusts # 1. cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX can manage trusts, to allow modification via CIFS # 2. cn=trust admins,cn=groups,cn=accounts,$SUFFIX can manage trusts (via ipa tools) dn: cn=trusts,$SUFFIX -add:aci: '(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes")(version 3.0;acl "Allow trust system user to create and delete trust accounts"; allow (read,write,add,delete) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)' +add:aci: '(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || krbPrincipalName || krbLastPwdChange || krbTicketFlags || krbLoginFailedCount || krbExtraData || krbPrincipalKey")(version 3.0;acl "Allow trust system user to create and delete trust accounts and cross realm principals"; allow (read,write,add,delete) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)' add:aci: '(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes")(version 3.0;acl "Allow trust admins manage trust accounts"; allow (read,write,add,delete) groupdn="ldap:///cn=trust admins,cn=groups,cn=accounts,$SUFFIX";)' # Samba user should be able to read NT passwords to authenticate -- 1.7.10.2
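Review bot: in the second Makefile.am hunk the new flag `+ -I $(KRB5_UTIL_DIR) \` has a space between -I and the path while the neighbouring `-I.` and `-I$(srcdir)` do not; write it `-I$(KRB5_UTIL_DIR)` for consistency. Compiling $(KRB5_UTIL_SRCS) (../../util/ipa_krb5.c) straight into ipasam_la_SOURCES and adding $(KRB5_LIBS) to ipasam_la_LIBADD is what the krb5_init_context/krb5_parse_name calls introduced later in the patch need, so the rest of the build changes look right.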
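Review bot: the block removed from the top of ipa_sam.c (the `connection_struct` typedef, the `current_user` extern and the `smbrunsecret()` prototype) existed only to drive kadmin.local from inside the plugin, so deleting it together with that call closes a path where the plugin ran an external command as uid/gid 0; since the prototype is gone from this file, confirm no other smbrunsecret() caller remains in ipa_sam.c, otherwise the build breaks at that point.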
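Review bot: in set_cross_realm_pw() a create_keys() failure is returned as success. create_keys() returns a boolean, so in the `if (!ret)` branch ret is 0; the `goto done` skips the later `ret = 0;` but the function still returns 0, and the caller's `if (ret != 0)` in set_krb_princ() never fires, so a principal whose keys could not be generated is treated as set. Assign a non-zero error before the goto (for example `ret = EINVAL;`). The done: label also runs free_keys_contents(krbctx, &keys), krb5_free_principal(krbctx, service_princ) and krb5_free_context(krbctx) on every path, including the ones where krb5_init_context() or krb5_parse_name() failed, where keys and service_princ are still uninitialised; either initialise them (`memset(&keys, 0, sizeof(keys)); service_princ = NULL;`) and return directly from the init failure, or guard each free. Smaller points: err_msg is read in the failure branch but never initialised or freed, mem_ctx and base_dn are unused parameters, and "abot" in the comment should be "about".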
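Review bot: the replaced block in set_krb_princ() put the new password on a kadmin.local command line (`change_password -pw %s %s`) while temporarily forcing current_user.ut.uid/gid to 0; routing it through the KEYTAB_SET_OID extended operation on the existing LDAP connection keeps the secret out of process listings and removes that privilege juggling, which is the right direction. Two follow-ups: set_cross_realm_pw() returns an error code, so log it in the failure message (`DEBUG(1, ("set_cross_realm_pw failed: %d\n", ret));`) to make the new failure mode diagnosable, and check whether the `inp` buffer that fed the removed talloc_asprintf() is still declared above, since nothing in the remaining context uses it.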
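Review bot: the widened ACI grants cn=adtrust agents read, write, add and delete on krbPrincipalKey (plus krbPrincipalName, krbLastPwdChange, krbTicketFlags, krbLoginFailedCount and krbExtraData) under cn=trusts,$SUFFIX. Setting the cross-realm principal's key through the extended operation needs write/add, but `read` on krbPrincipalKey means a compromise of the agents' credentials exposes the trust key material; if the exop path never reads the attribute back, consider leaving read out for krbPrincipalKey (a second aci line without read would do). Also, the hunk changes the value of an `add:aci:` line rather than adding a new one; on already-installed servers the updater will add the new value while the old ACI with the old acl name stays in place unless it is removed explicitly, so confirm the upgrade path does not end up with both.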
From: rmeggins at redhat.com (Rich Megginson)
Date: Sun, 10 Jun 2012 08:54:00 -0600
Subject: [Freeipa-devel] F-17 install fail - Command '/bin/systemctl start messagebus.service' returned non-zero exit status
Message-ID: <4FD4B508.7040408@redhat.com>

Steps to reproduce:
setup new F-17 machine
yum -y update
yum install freeipa-server
ipa-server-install -N --selfsign
....
  [16/35]: configuring ssl for ds instance
Unexpected error - see ipaserver-install.log for details:
Command '/bin/systemctl start messagebus.service' returned non-zero exit status 1

The log has this:
2012-06-10T14:48:30Z DEBUG stderr=Failed to issue method call: Unit var-run.mount failed to load: No such file or directory. See system logs and 'systemctl status var-run.mount' for details.

systemctl status var-run.mount
   Loaded: error (Reason: No such file or directory)
   Active: inactive (dead) start condition failed at Sun, 10 Jun 2012 09:59:05 -0400; 54min ago
    Where: /var/run
   CGroup: name=systemd:/system/var-run.mount

ll /var/run
lrwxrwxrwx. 1 root root 6 Jun 10 05:49 /var/run -> ../run

Any ideas? Am I not supposed to yum -y upgrade with the current version of freeipa in F-17?
From: mkosek at redhat.com (Martin Kosek)
Date: Sun, 10 Jun 2012 21:33:42 +0200
Subject: [Freeipa-devel] keys[-1] idiom?
In-Reply-To: <4FD21292.6000600@redhat.com>
References: <4FD21292.6000600@redhat.com>
Message-ID: <1339356822.5425.8.camel@priserak>

On Fri, 2012-06-08 at 10:56 -0400, John Dennis wrote:
> I frequently see this idiom in the code in plugins and pre/post callbacks:
>
> keys[-1]
>
> My understanding is that keys is the positional parameter list of the
> command, correct?

Correct.

>
> keys always appears in a formal parameter list with the parameter
> "options", which I believe are the keyword arguments of the command
> (i.e. *args, **kwds)
>
> Thus keys[-1] would be the last positional parameter. What is special
> about it such that one can always reference the last positional
> parameter? (or have I misunderstood, if so please elucidate).

I am a bit lost here. As you correctly stated, keys contains the positional parameters. Each keys value should uniquely point to one LDAP entry represented by an LDAPObject class. We use keys[-1] for the case when LDAPObjects are nested and the keys list holds more than one value and thus keys[0] would not work. For example the keys list for a DNS record could hold ('example.com', 'ipa').

>
> If keys is the positional parameter list (e.g. *args) why is it called
> "keys"? That seems really confusing because keys usually has an entirely
> different meaning (i.e. keys of a dict). Why isn't it named "args"?
>

Maybe Rob will know why we started calling it keys, I think it is not total nonsense, after all it holds primary _key_ values for the referred LDAPObjects...

HTH,
Martin
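Martin's point, and John's follow-up question later in this thread, is easier to see with a tiny model of nested objects. The block below is an added example, not ipalib code: the LDAPObject class, the container DNs and the suffix are assumptions modelled on the DNS example he gives (a record entry inside a zone entry), and it shows why keys[0] is the zone for a record but the record itself for a zone, while keys[-1] is always the key of the entry the command operates on.

```python
"""Added example (not ipalib code): positional keys of nested LDAP objects."""
from typing import List, Optional, Sequence, Tuple

SUFFIX = "dc=example,dc=com"   # assumed base DN for the sample


class LDAPObject:
    """Stand-in for an ipalib LDAPObject: one RDN attribute, a container under
    the suffix, and optionally a parent object it is nested in."""

    def __init__(self, name: str, rdn_attr: str, container: str,
                 parent: Optional["LDAPObject"] = None):
        self.name = name
        self.rdn_attr = rdn_attr
        self.container = container
        self.parent = parent

    @property
    def depth(self) -> int:
        """Number of positional keys an entry of this object needs."""
        return 1 + (self.parent.depth if self.parent else 0)

    def get_dn(self, *keys: str) -> str:
        """keys[0] names the outermost object, keys[-1] this object's own entry."""
        if len(keys) != self.depth:
            raise ValueError(f"{self.name}: expected {self.depth} keys, got {len(keys)}")
        rdns: List[str] = []
        remaining = list(keys)
        obj: Optional["LDAPObject"] = self
        root = self
        while obj is not None:
            rdns.append(f"{obj.rdn_attr}={remaining.pop()}")   # innermost RDN first
            root, obj = obj, obj.parent
        return ",".join(rdns + [root.container, SUFFIX])


# Two-level nesting as in the DNS plugin: a record lives inside a zone.
dnszone = LDAPObject("dnszone", "idnsname", "cn=dns")
dnsrecord = LDAPObject("dnsrecord", "idnsname", "cn=dns", parent=dnszone)
# A flat object: one key, so keys[0] and keys[-1] are the same value.
user = LDAPObject("user", "uid", "cn=users,cn=accounts")


def pre_callback(obj: LDAPObject, keys: Tuple[str, ...]) -> Tuple[str, str]:
    """Shape of a plugin callback: the DN the command works on and, via
    keys[-1], the primary key of that entry regardless of nesting depth."""
    return obj.get_dn(*keys), keys[-1]


def parent_key(keys: Sequence[str]) -> Optional[str]:
    """keys[-2] is the containing object's key; it exists only when nested."""
    return keys[-2] if len(keys) > 1 else None


if __name__ == "__main__":
    print(pre_callback(dnsrecord, ("example.com", "ipa")))
    print(pre_callback(dnszone, ("example.com",)))
    print(pre_callback(user, ("admin",)))
```

For ('example.com', 'ipa') the record callback gets idnsname=ipa,idnsname=example.com,cn=dns,dc=example,dc=com and keys[-1] == 'ipa'; for the zone command with ('example.com',) the same index yields the zone name, which is why callbacks can use keys[-1] without knowing how deep the object sits.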
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 11 Jun 2012 10:07:35 +0300
Subject: [Freeipa-devel] [PATCH] 19-21 Use exop instead of kadmin.local
In-Reply-To: <20120608162044.GX8124@localhost.localdomain>
References: <20120607100713.GN8124@localhost.localdomain> <20120607100932.GO8124@localhost.localdomain> <20120608162044.GX8124@localhost.localdomain>
Message-ID: <20120611070735.GO25726@redhat.com>

On Fri, 08 Jun 2012, Sumit Bose wrote:
>On Thu, Jun 07, 2012 at 12:09:32PM +0200, Sumit Bose wrote:
>> now with patches :-)
>> On Thu, Jun 07, 2012 at 12:07:13PM +0200, Sumit Bose wrote:
>> > Hi,
>> >
>> > this patch fixes https://fedorahosted.org/freeipa/ticket/2513 and as a
>> > consequence makes https://fedorahosted.org/freeipa/ticket/2516 obsolete.
>> >
>> > This first patch is just a minor cleanup which is not related to the
>> > ticket. The second makes create_keys() a public function so that it can be
>> > called by the ipasam plugin as well. Finally the third patch removes the
>> > kadmin.local call and calls the KEYTAB_SET_OID extended operation
>> > instead.
>> >
>> > bye,
>> > Sumit
>
>Alexander asked to merge the ACI into the existing ACI for the adtrust
>agents. New version attached.
ACK.

-- 
/ Alexander Bokovoy
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 11 Jun 2012 09:41:13 +0200
Subject: [Freeipa-devel] [PATCH] 19-21 Use exop instead of kadmin.local
In-Reply-To: <20120611070735.GO25726@redhat.com>
References: <20120607100713.GN8124@localhost.localdomain> <20120607100932.GO8124@localhost.localdomain> <20120608162044.GX8124@localhost.localdomain> <20120611070735.GO25726@redhat.com>
Message-ID: <1339400473.19118.1.camel@balmora.brq.redhat.com>

On Mon, 2012-06-11 at 10:07 +0300, Alexander Bokovoy wrote:
> On Fri, 08 Jun 2012, Sumit Bose wrote:
> >On Thu, Jun 07, 2012 at 12:09:32PM +0200, Sumit Bose wrote:
> >> now with patches :-)
> >> On Thu, Jun 07, 2012 at 12:07:13PM +0200, Sumit Bose wrote:
> >> > Hi,
> >> >
> >> > this patch fixes https://fedorahosted.org/freeipa/ticket/2513 and as a
> >> > consequence makes https://fedorahosted.org/freeipa/ticket/2516 obsolete.
> >> >
> >> > This first patch is just a minor cleanup which is not related to the
> >> > ticket. The second makes create_keys() a public function so that it can be
> >> > called by the ipasam plugin as well. Finally the third patch removes the
> >> > kadmin.local call and calls the KEYTAB_SET_OID extended operation
> >> > instead.
> >> >
> >> > bye,
> >> > Sumit
> >
> >Alexander asked to merge the ACI into the existing ACI for the adtrust
> >agents. New version attached.
> ACK.
>

Pushed to master.

Martin
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 11 Jun 2012 10:36:45 +0200
Subject: [Freeipa-devel] [PATCH] 274 Password change capability for form-based auth
In-Reply-To: <1339124835.8230.487.camel@willson.li.ssimo.org>
References: <1338987954.9625.19.camel@balmora.brq.redhat.com> <4FD1633F.4090601@redhat.com> <1339124835.8230.487.camel@willson.li.ssimo.org>
Message-ID: <1339403805.19118.4.camel@balmora.brq.redhat.com>

On Thu, 2012-06-07 at 23:07 -0400, Simo Sorce wrote:
> On Thu, 2012-06-07 at 22:28 -0400, Rob Crittenden wrote:
> > Martin Kosek wrote:
> > > You can use the attached script (changepw.py) to test the PW change
> > > interface from command line (on IPA server).
> > >
> > > ---
> > >
> > > IPA server web form-based authentication allows logins for users
> > > which for some reason cannot use Kerberos authentication. However,
> > > when a password for such users expires, they are unable to change the
> > > password via web interface.
> > >
> > > This patch adds a new WSGI script attached to URL
> > > /ipa/session/change_password which can be accessed without
> > > authentication and which provides password change capability
> > > for web services.
> > >
> > > The actual password change in the script is processed with kpasswd
> > > to be consistent with /ipa/session/login_password.
> > >
> > > Password result is passed both in the resulting HTML page, but
> > > also in HTTP headers for easier parsing in web services:
> > > X-IPA-Pwchange-Result: {ok, invalid-password, policy-error}
> > > (optional) X-IPA-Pwchange-Policy-Error: $policy_error_text
> > >
> > > https://fedorahosted.org/freeipa/ticket/2276
> >
> > It is probably more efficient to change the password using ldap. Simo,
> > do you know of an advantage of using one over the other? Better password
> > policy reporting may be reason enough.
> > Yes you'll get better error reporting, plus forking out kpasswd is quite
> > ugly, the python ldap code should be able to use the ldap passwd extend
> > op quite easily.
> >
> > Simo.
>

Ok, sending a second version of the patch based on password change via LDAP. The error reporting is indeed easier and with no hard-coded parsing.

Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-274-2-password-change-capability-for-form-based-auth.patch
Type: text/x-patch
Size: 8195 bytes
Desc: not available
URL: 
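The header contract described in Martin's patch description (X-IPA-Pwchange-Result with the three values ok, invalid-password and policy-error, and the optional X-IPA-Pwchange-Policy-Error) is what a client such as the changepw.py test script keys on. The block below is an added example, not the FreeIPA WSGI script: it implements that contract as a small WSGI endpoint whose password change step is a pluggable callable. The in-memory backend is a constructed stand-in for the LDAP password modify extended operation that the second version of the patch uses (with python-ldap that step would be a bound connection's passwd_s() call, mapping ldap.INVALID_CREDENTIALS and ldap.CONSTRAINT_VIOLATION onto the two exception types here); the form field names user/old_password/new_password and the HTML wording are assumptions.

```python
"""Added example (not FreeIPA code): a /ipa/session/change_password-style WSGI
endpoint reporting the outcome in X-IPA-Pwchange-Result / X-IPA-Pwchange-Policy-Error."""
import html
import io
from urllib.parse import parse_qs, urlencode


class InvalidCredentials(Exception):
    """Wrong current password or unknown user (ldap.INVALID_CREDENTIALS in python-ldap)."""


class PolicyViolation(Exception):
    """New password rejected by the password policy (ldap.CONSTRAINT_VIOLATION);
    str(exc) carries the server's explanation."""


def make_demo_backend(passwords, min_length=8):
    """Constructed stand-in for the LDAP password extended operation."""
    def change_password(user, old_pw, new_pw):
        if passwords.get(user) != old_pw:
            raise InvalidCredentials()
        if len(new_pw) < min_length:
            raise PolicyViolation(f"Password is too short (minimum {min_length} characters)")
        if new_pw == old_pw:
            raise PolicyViolation("Password reuse not permitted")
        passwords[user] = new_pw
    return change_password


def change_password_app(change_password):
    """Build the WSGI app. Form field names user/old_password/new_password are assumed."""
    def app(environ, start_response):
        if environ.get("REQUEST_METHOD") != "POST":
            start_response("405 Method Not Allowed",
                           [("Content-Type", "text/plain"), ("Allow", "POST")])
            return [b"POST required"]
        length = int(environ.get("CONTENT_LENGTH") or 0)
        form = parse_qs(environ["wsgi.input"].read(length).decode("utf-8"))
        user = form.get("user", [""])[0]
        old_pw = form.get("old_password", [""])[0]
        new_pw = form.get("new_password", [""])[0]

        # credential responses must never be cached by browsers or proxies
        headers = [("Content-Type", "text/html; charset=utf-8"),
                   ("Cache-Control", "no-store")]
        if not (user and old_pw and new_pw):
            # the contract defines only three result values, so a malformed
            # request is reported as invalid-password
            result, message = "invalid-password", "All fields are required"
        else:
            try:
                change_password(user, old_pw, new_pw)
                result, message = "ok", "Password change successful"
            except InvalidCredentials:
                # same wording for unknown user and wrong password: no user enumeration
                result, message = "invalid-password", "The username or password is incorrect"
            except PolicyViolation as exc:
                result, message = "policy-error", str(exc)
                headers.append(("X-IPA-Pwchange-Policy-Error", str(exc)))
        headers.append(("X-IPA-Pwchange-Result", result))
        start_response("200 OK", headers)
        body = f"<html><body><p>{html.escape(message)}</p></body></html>"
        return [body.encode("utf-8")]
    return app


def post(app, fields):
    """Drive the app in-process, the way a changepw.py test client would over HTTP;
    returns (status, headers as a dict, body text)."""
    payload = urlencode(fields).encode("utf-8")
    environ = {"REQUEST_METHOD": "POST", "CONTENT_LENGTH": str(len(payload)),
               "CONTENT_TYPE": "application/x-www-form-urlencoded",
               "wsgi.input": io.BytesIO(payload)}
    captured = {}

    def start_response(status, response_headers):
        captured["status"], captured["headers"] = status, dict(response_headers)

    body = b"".join(app(environ, start_response)).decode("utf-8")
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    app = change_password_app(make_demo_backend({"alice": "Old-secret-1"}))
    for new in ("short", "New-secret-12"):
        status, hdrs, _ = post(app, {"user": "alice", "old_password": "Old-secret-1",
                                     "new_password": new})
        print(status, hdrs["X-IPA-Pwchange-Result"], hdrs.get("X-IPA-Pwchange-Policy-Error"))
```

A client parses only the two headers and ignores the HTML, which is the point of the contract: the policy text arrives verbatim from the directory server, with no regex over kpasswd output as in the first version of the patch.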
From: pviktori at redhat.com (Petr Viktorin)
Date: Mon, 11 Jun 2012 11:12:27 +0200
Subject: [Freeipa-devel] [PATCH] 19-21 Use exop instead of kadmin.local
In-Reply-To: <1339400473.19118.1.camel@balmora.brq.redhat.com>
References: <20120607100713.GN8124@localhost.localdomain> <20120607100932.GO8124@localhost.localdomain> <20120608162044.GX8124@localhost.localdomain> <20120611070735.GO25726@redhat.com> <1339400473.19118.1.camel@balmora.brq.redhat.com>
Message-ID: <4FD5B67B.3050808@redhat.com>

On 06/11/2012 09:41 AM, Martin Kosek wrote:
> On Mon, 2012-06-11 at 10:07 +0300, Alexander Bokovoy wrote:
>> On Fri, 08 Jun 2012, Sumit Bose wrote:
>>> On Thu, Jun 07, 2012 at 12:09:32PM +0200, Sumit Bose wrote:
>>>> now with patches :-)
>>>> On Thu, Jun 07, 2012 at 12:07:13PM +0200, Sumit Bose wrote:
>>>>> Hi,
>>>>>
>>>>> this patch fixes https://fedorahosted.org/freeipa/ticket/2513 and as a
>>>>> consequence makes https://fedorahosted.org/freeipa/ticket/2516 obsolete.
>>>>>
>>>>> This first patch is just a minor cleanup which is not related to the
>>>>> ticket. The second makes create_keys() a public function so that it can be
>>>>> called by the ipasam plugin as well. Finally the third patch removes the
>>>>> kadmin.local call and calls the KEYTAB_SET_OID extended operation
>>>>> instead.
>>>>>
>>>>> bye,
>>>>> Sumit
>>>
>>> Alexander asked to merge the ACI into the existing ACI for the adtrust
>>> agents. New version attached.
>> ACK.
>>
>
> Pushed to master.
>
> Martin
>

This doesn't build because ipa_sam.c uses static functions from ipa-client/ipa-getkeytab.c (create_keys, create_key_control, free_keys_contents), and the KEYTAB_SET_OID define is named IPA_KEYTAB_SET_OID here.

-- 
Petr³
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 11 Jun 2012 12:55:36 +0300
Subject: [Freeipa-devel] [PATCH] 19-21 Use exop instead of kadmin.local
In-Reply-To: <1339400473.19118.1.camel@balmora.brq.redhat.com>
References: <20120607100713.GN8124@localhost.localdomain> <20120607100932.GO8124@localhost.localdomain> <20120608162044.GX8124@localhost.localdomain> <20120611070735.GO25726@redhat.com> <1339400473.19118.1.camel@balmora.brq.redhat.com>
Message-ID: <20120611095535.GP25726@redhat.com>

On Mon, 11 Jun 2012, Martin Kosek wrote:
>On Mon, 2012-06-11 at 10:07 +0300, Alexander Bokovoy wrote:
>> On Fri, 08 Jun 2012, Sumit Bose wrote:
>> >On Thu, Jun 07, 2012 at 12:09:32PM +0200, Sumit Bose wrote:
>> >> now with patches :-)
>> >> On Thu, Jun 07, 2012 at 12:07:13PM +0200, Sumit Bose wrote:
>> >> > Hi,
>> >> >
>> >> > this patch fixes https://fedorahosted.org/freeipa/ticket/2513 and as a
>> >> > consequence makes https://fedorahosted.org/freeipa/ticket/2516 obsolete.
>> >> >
>> >> > This first patch is just a minor cleanup which is not related to the
>> >> > ticket. The second makes create_keys() a public function so that it can be
>> >> > called by the ipasam plugin as well. Finally the third patch removes the
>> >> > kadmin.local call and calls the KEYTAB_SET_OID extended operation
>> >> > instead.
>> >> >
>> >> > bye,
>> >> > Sumit
>> >
>> >Alexander asked to merge the ACI into the existing ACI for the adtrust
>> >agents. New version attached.
>> ACK.
>>
>
>Pushed to master.
Please push the remaining non-conflicting patches from Sumit's previous mail as well.

-- 
/ Alexander Bokovoy
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 11 Jun 2012 12:56:09 +0300
Subject: [Freeipa-devel] [PATCH] 19-21 Use exop instead of kadmin.local
In-Reply-To: <4FD5B67B.3050808@redhat.com>
References: <20120607100713.GN8124@localhost.localdomain> <20120607100932.GO8124@localhost.localdomain> <20120608162044.GX8124@localhost.localdomain> <20120611070735.GO25726@redhat.com> <1339400473.19118.1.camel@balmora.brq.redhat.com> <4FD5B67B.3050808@redhat.com>
Message-ID: <20120611095609.GQ25726@redhat.com>

On Mon, 11 Jun 2012, Petr Viktorin wrote:
>On 06/11/2012 09:41 AM, Martin Kosek wrote:
>>On Mon, 2012-06-11 at 10:07 +0300, Alexander Bokovoy wrote:
>>>On Fri, 08 Jun 2012, Sumit Bose wrote:
>>>>On Thu, Jun 07, 2012 at 12:09:32PM +0200, Sumit Bose wrote:
>>>>>now with patches :-)
>>>>>On Thu, Jun 07, 2012 at 12:07:13PM +0200, Sumit Bose wrote:
>>>>>>Hi,
>>>>>>
>>>>>>this patch fixes https://fedorahosted.org/freeipa/ticket/2513 and as a
>>>>>>consequence makes https://fedorahosted.org/freeipa/ticket/2516 obsolete.
>>>>>>
>>>>>>This first patch is just a minor cleanup which is not related to the
>>>>>>ticket. The second makes create_keys() a public function so that it can be
>>>>>>called by the ipasam plugin as well. Finally the third patch removes the
>>>>>>kadmin.local call and calls the KEYTAB_SET_OID extended operation
>>>>>>instead.
>>>>>>
>>>>>>bye,
>>>>>>Sumit
>>>>
>>>>Alexander asked to merge the ACI into the existing ACI for the adtrust
>>>>agents. New version attached.
>>>ACK.
>>>
>>
>>Pushed to master.
>>
>>Martin
>>
>
>This doesn't build because ipa_sam.c uses static functions from
>ipa-client/ipa-getkeytab.c (create_keys, create_key_control,
>free_keys_contents), and the KEYTAB_SET_OID define is named
>IPA_KEYTAB_SET_OID here.
They are provided by the patches in Sumit's original mail.

-- 
/ Alexander Bokovoy
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 11 Jun 2012 12:04:53 +0200
Subject: [Freeipa-devel] [PATCH] 19-21 Use exop instead of kadmin.local
In-Reply-To: <20120611095535.GP25726@redhat.com>
References: <20120607100713.GN8124@localhost.localdomain> <20120607100932.GO8124@localhost.localdomain> <20120608162044.GX8124@localhost.localdomain> <20120611070735.GO25726@redhat.com> <1339400473.19118.1.camel@balmora.brq.redhat.com> <20120611095535.GP25726@redhat.com>
Message-ID: <1339409093.19118.11.camel@balmora.brq.redhat.com>

On Mon, 2012-06-11 at 12:55 +0300, Alexander Bokovoy wrote:
> On Mon, 11 Jun 2012, Martin Kosek wrote:
> >On Mon, 2012-06-11 at 10:07 +0300, Alexander Bokovoy wrote:
> >> On Fri, 08 Jun 2012, Sumit Bose wrote:
> >> >On Thu, Jun 07, 2012 at 12:09:32PM +0200, Sumit Bose wrote:
> >> >> now with patches :-)
> >> >> On Thu, Jun 07, 2012 at 12:07:13PM +0200, Sumit Bose wrote:
> >> >> > Hi,
> >> >> >
> >> >> > this patch fixes https://fedorahosted.org/freeipa/ticket/2513 and as a
> >> >> > consequence makes https://fedorahosted.org/freeipa/ticket/2516 obsolete.
> >> >> >
> >> >> > This first patch is just a minor cleanup which is not related to the
> >> >> > ticket. The second makes create_keys() a public function so that it can be
> >> >> > called by the ipasam plugin as well. Finally the third patch removes the
> >> >> > kadmin.local call and calls the KEYTAB_SET_OID extended operation
> >> >> > instead.
> >> >> >
> >> >> > bye,
> >> >> > Sumit
> >> >
> >> >Alexander asked to merge the ACI into the existing ACI for the adtrust
> >> >agents. New version attached.
> >> ACK.
> >>
> >
> >Pushed to master.
> Please push the remaining non-conflicting patches from Sumit's previous mail as
> well.
>

Pushed remaining patches 19 and 20 to master, sorry for the confusion.

Martin
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 11 Jun 2012 14:17:37 +0200
Subject: [Freeipa-devel] [PATCH] 274 Password change capability for form-based auth
In-Reply-To: <1339403805.19118.4.camel@balmora.brq.redhat.com>
References: <1338987954.9625.19.camel@balmora.brq.redhat.com> <4FD1633F.4090601@redhat.com> <1339124835.8230.487.camel@willson.li.ssimo.org> <1339403805.19118.4.camel@balmora.brq.redhat.com>
Message-ID: <1339417057.19118.26.camel@balmora.brq.redhat.com>

On Mon, 2012-06-11 at 10:36 +0200, Martin Kosek wrote:
> On Thu, 2012-06-07 at 23:07 -0400, Simo Sorce wrote:
> > On Thu, 2012-06-07 at 22:28 -0400, Rob Crittenden wrote:
> > > Martin Kosek wrote:
> > > > You can use the attached script (changepw.py) to test the PW change
> > > > interface from command line (on IPA server).
> > > >
> > > > ---
> > > >
> > > > IPA server web form-based authentication allows logins for users
> > > > which for some reason cannot use Kerberos authentication. However,
> > > > when a password for such users expires, they are unable to change the
> > > > password via web interface.
> > > >
> > > > This patch adds a new WSGI script attached to URL
> > > > /ipa/session/change_password which can be accessed without
> > > > authentication and which provides password change capability
> > > > for web services.
> > > >
> > > > The actual password change in the script is processed with kpasswd
> > > > to be consistent with /ipa/session/login_password.
> > > >
> > > > Password result is passed both in the resulting HTML page, but
> > > > also in HTTP headers for easier parsing in web services:
> > > > X-IPA-Pwchange-Result: {ok, invalid-password, policy-error}
> > > > (optional) X-IPA-Pwchange-Policy-Error: $policy_error_text
> > > >
> > > > https://fedorahosted.org/freeipa/ticket/2276
> > >
> > > It is probably more efficient to change the password using ldap. Simo,
> > > do you know of an advantage of using one over the other?
Better password
> > > policy reporting may be reason enough.
> >
> > Yes you'll get better error reporting, plus forking out kpasswd is quite
> > ugly, the python ldap code should be able to use the ldap passwd extend
> > op quite easily.
> >
> > Simo.
> >
>
> Ok, sending a second version of the patch based on password change via
> LDAP. The error reporting is indeed easier and with no hard-coded
> parsing.
>
> Martin

This patch will only work with SELinux disabled; it seems there is a regression in the SELinux policy which does not allow httpd to connect to the dirsrv socket. I logged a bug: https://bugzilla.redhat.com/show_bug.cgi?id=830764

This issue also disables other pages using the dirsrv socket, like the migration page or password-expiration detection in form-based auth.

Martin

From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 11 Jun 2012 14:46:40 +0200
Subject: [Freeipa-devel] [PATCH] 0060 Clean keytabs before installing new keys into them
In-Reply-To: <4FD1CF5E.8030509@redhat.com>
References: <4FD1CF5E.8030509@redhat.com>
Message-ID: <1339418800.19118.28.camel@balmora.brq.redhat.com>

On Fri, 2012-06-08 at 12:09 +0200, Petr Viktorin wrote:
> This removes old principals for the newly installed realm from
> /etc/krb5.keytab before client installation.
> The ticket also mentioned doing this for server/replica installs, but in
> that case the keytab is removed and created from scratch.
>
> https://fedorahosted.org/freeipa/ticket/2698
>

This works fine. ACK, pushed to master.

Martin
From: jdennis at redhat.com (John Dennis)
Date: Mon, 11 Jun 2012 08:50:47 -0400
Subject: [Freeipa-devel] keys[-1] idiom?
In-Reply-To: <1339356822.5425.8.camel@priserak>
References: <4FD21292.6000600@redhat.com> <1339356822.5425.8.camel@priserak>
Message-ID: <4FD5E9A7.4090608@redhat.com>

On 06/10/2012 03:33 PM, Martin Kosek wrote:
> On Fri, 2012-06-08 at 10:56 -0400, John Dennis wrote:
>> I frequently see this idiom in the code in plugins and pre/post callbacks:
>>
>> keys[-1]
>>
>> My understanding is that keys is the positional parameter list of the
>> command, correct?
>
> Correct.
>
>>
>> keys always appears in a formal parameter list with the parameter
>> "options", which I believe are the keyword arguments of the command
>> (i.e. *args, **kwds)
>>
>> Thus keys[-1] would be the last positional parameter. What is special
>> about it such that one can always reference the last positional
>> parameter? (or have I misunderstood, if so please elucidate).
>
> I am a bit lost here. As you correctly stated, keys contains the
> positional parameters. Each keys value should uniquely point to one LDAP
> entry represented by LDAPObject class. We use keys[-1] for a case when
> LDAPObjects are nested and keys list holds more than one value and thus
> keys[0] would not work. For example keys list for DNS record could hold
> ('example.com', 'ipa').
>
>>
>> If keys is the positional parameter list (e.g. *args) why is it called
>> "keys"? That seems really confusing because keys usually has an entirely
>> different meaning (i.e. keys of a dict). Why isn't it named "args"?
>>
>
> Maybe Rob will know why we started calling it keys, I think it is not a
> total non-sense, after all it holds primary _key_ values for referred
> LDAPObjects...

Thanks Martin:

Your explanation seems to imply the positional parameters for a command always reference a dn or rdn. Is that true? We don't use positional parameters for anything else?
However when I look through the code I see a lot of places where keys[-1] is used and that value does not appear to be interpreted as an LDAP entry or pointer to an LDAP entry (e.g. a dn)

John (who is still confused and suspects there is some convention being used in our code he is not aware of).

--
John Dennis

From pviktori at redhat.com Mon Jun 11 14:39:32 2012
From: pviktori at redhat.com (Petr Viktorin)
Date: Mon, 11 Jun 2012 16:39:32 +0200
Subject: [Freeipa-devel] [PATCH] 0061 Improve ipa-client-install debug output
Message-ID: <4FD60324.7030901@redhat.com>

I went through all the output/debug messages in ipa-client-install, removed duplicates, and routed them through the log manager.

I used these log levels:
DEBUG - detailed messages the user probably doesn't want to see (only printed to console with --debug)
INFO - progress reports ("Configured /etc/sssd/sssd.conf") and instructions ("You may need to restart services or reboot the machine.")
WARNING - something unusual that may require attention
ERROR - something went wrong

Obviously there's some overlap there.

On the console, the messages are now prefixed with the log level. This should bring attention to the warnings/errors. Does this format look okay? I think the current default console_format, which prefixes the logger name (ipa) and the level, is too verbose.

Similar logging changes should be done for the other admin tools in the future.

https://fedorahosted.org/freeipa/ticket/2553

--
Petr³

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0061-Improve-ipa-client-install-debug-output.patch
Type: text/x-patch
Size: 55590 bytes

From abokovoy at redhat.com Mon Jun 11 14:46:17 2012
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 11 Jun 2012 17:46:17 +0300
Subject: [Freeipa-devel] [PATCH] 18 Add external domain extop DS plugin
In-Reply-To: <20120607092729.GM8124@localhost.localdomain>
References: <20120323125234.GU2301@localhost.localdomain> <20120607092729.GM8124@localhost.localdomain>
Message-ID: <20120611144617.GR25726@redhat.com>

On Thu, 07 Jun 2012, Sumit Bose wrote:
>On Fri, Mar 23, 2012 at 01:52:34PM +0100, Sumit Bose wrote:
>> Hi,
>>
>> these two patches introduce a new extended operation to the IPA server
>> which can be used by clients in the IPA domain to obtain information
>> about users and groups from trusted domains. Currently this exop is used
>> by the sssd sub-domain patch to map user names from a trusted AD domain
>> to a SID and back. There is also some code for other kinds of requests
>> which might become useful in future, e.g. with trusted IPA domain.
>>
>> I added some unit tests and added a check for the check unit test framework
>> for C (http://check.sourceforge.net/) which is used by sssd as well. I
>> modified the spec file so that the test is run during the build of the
>> packages. I hope this is ok.
>>
>> The patches depend on the idmap library patch which was ACKed recently
>> on sssd-devel and as mentioned before the sub-domain patches on
>> sssd-devel can only be fully tested with an IPA server which has these
>> patches applied.
>>
>> Since Alexander is currently rewriting parts of the ipa-adtrust-install
>> utility I stand back from adding activation code for the exop to
>> ipa-adtrust-install and will send a patch when Alexander's changes are
>> available. So currently extdom-extop-conf.ldif has to be loaded manually
>> after replacing $SUFFIX to activate the new exop.
>>
>> bye,
>> Sumit
>
>Please find a rebased version of the patches which work on top of
>Alexander's latest series of patches. The patches now also contain the
>loading of extdom-extop-conf.ldif and the activation of winbind.
Thanks for the rebase. Few comments.

1. The extdom plugin should support IDMAP_BOTH. We do provide user private groups so in our case it should be viewed as preferred output. Thus you would need to add a new response type to cover this case.

2. I have tried to look at the plugin description from the point of view of a system administrator and I failed to understand what it does:

>+#define IPA_EXTDOM_PLUGIN_NAME "ipa-extdom-extop"
>+#define IPA_EXTDOM_FEATURE_DESC "IPA EXTDOM ID mapper"
>+#define IPA_EXTDOM_PLUGIN_DESC "IPA EXTDOM ID mapper Extended Operation plugin"

In the ipa-extdom-extop-conf.ldif you have the following description:

>+nsslapd-plugindescription: Support resolving IDs in trusted domains to names and back

Probably it is better to reuse the same description in IPA_EXTDOM_PLUGIN_DESC? This is a minor point but EXTDOM itself is vague. Maybe we should be more clear and call it 'IPA trusted domain ID mapper' as it really limits itself to only trusted domains? We don't dispatch winbind request if the domain is not found in our list of trusted domains.

3. Could you please define the oid in ipa_extdom.h so that it could be useful for client code as well?

>+#define EXOP_EXTDOM_OID "2.16.840.1.113730.3.8.10.4"

4. Do we have 'check' tool in RHEL6?

--
/ Alexander Bokovoy

From mkosek at redhat.com Mon Jun 11 16:49:42 2012
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 11 Jun 2012 18:49:42 +0200
Subject: [Freeipa-devel] [PATCH] 1024 add client session support
In-Reply-To: <4FD169B7.3030906@redhat.com>
References: <4FD0EA6B.3040801@redhat.com> <4FD0F9DD.6040504@redhat.com> <4FD169B7.3030906@redhat.com>
Message-ID: <1339433382.19118.43.camel@balmora.brq.redhat.com>

On Thu, 2012-06-07 at 22:55 -0400, Rob Crittenden wrote:
> Rob Crittenden wrote:
> > Rob Crittenden wrote:
> >> This adds client session support. The session key is stored in the
> >> kernel key ring.
> >>
> >> Your first request should go to /ipa/session/xml where it should be
> >> rejected with a 401. The next will go to /ipa/xml which will be
> >> accepted. This should all be invisible to the client.
> >>
> >> Subsequent requests should go to /ipa/session/xml which should let you
> >> in with the cookie.
> >>
> >> You can add the -vv option after ipa to see fully what is going on, e.g.
> >> ipa -vv user-show admin
> >>
> >> To manage your keyring use the keyctl command like:
> >>
> >> $ keyctl list @s
> >> 2 keys in keyring:
> >> 353548226: --alswrv 1000 -1 keyring: _uid.1000
> >> 941350591: --alswrv 1000 1000 user: ipa_session_cookie
> >>
> >> To remove a key:
> >>
> >> $ keyctl unlink 941350591 @s
> >>
> >> rob
> >
> > Hmm, this doesn't play too nice with the lite-server. Let me see if I
> > can track it down. The ccache is being removed, probably as part of the
> > session code. Sessions don't make sense with the lite server since it
> > uses the local ccache directly.
>
> Updated patch. Don't clean up the ccache if in the lite-server.
>
> rob
>

Good job there. I tested various scenarios (2 master, fallback with SRV records, old client (RHEL 6.2)) and most worked for me, but I only worked under the root account. This is what I got with non-root:

$ ipa user-show admin
...
ipa: DEBUG: stderr=
ipa: DEBUG: args=keyctl search @s user ipa_session_cookie
ipa: DEBUG: stdout=113632397
ipa: DEBUG: stderr=
ipa: DEBUG: args=keyctl pupdate 113632397
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=keyctl_update: Permission denied
ipa: INFO: trying https://vm-131.idm.lab.bos.redhat.com/ipa/session/xml
ipa: DEBUG: NSSConnection init vm-131.idm.lab.bos.redhat.com
ipa: ERROR: cannot connect to 'any of the configured servers':
...

Shouldn't we use @us instead of @s for storing user session keys?

Secondly, I wonder if we also plan to add some logout command? This way even if I do kdestroy, the session still exists and someone else may still execute commands.

Martin

From darran.lofthouse at jboss.com Mon Jun 11 16:20:29 2012
From: darran.lofthouse at jboss.com (Darran Lofthouse)
Date: Mon, 11 Jun 2012 17:20:29 +0100
Subject: [Freeipa-devel] Installation Hang on Fedora 17
Message-ID: <4FD61ACD.50504@jboss.com>

I have recently been having problems on RHEL so I thought I would try installing a Fedora 17 installation to test this but appear to be running into further problems.

Everything appears to go well with the installation until it stops on the following line:

Applying LDAP updates

The last two lines in the log are:

2012-06-11T15:33:05Z DEBUG cn: Write IPA Configuration
2012-06-11T15:33:05Z DEBUG description: Write IPA Configuration

I have seen reported that there was a problem in the F17 Beta release where a downgrade of '389-ds-base' would address this but this does not seem to be an option now.

Does anyone know the underlying cause of the hang? Maybe there is something I can do to address this.

Regards,
Darran Lofthouse.

From rcritten at redhat.com Mon Jun 11 17:52:00 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 11 Jun 2012 13:52:00 -0400
Subject: [Freeipa-devel] [PATCH] 274 Password change capability for form-based auth
In-Reply-To: <1339417057.19118.26.camel@balmora.brq.redhat.com>
References: <1338987954.9625.19.camel@balmora.brq.redhat.com> <4FD1633F.4090601@redhat.com> <1339124835.8230.487.camel@willson.li.ssimo.org> <1339403805.19118.4.camel@balmora.brq.redhat.com> <1339417057.19118.26.camel@balmora.brq.redhat.com>
Message-ID: <4FD63040.3080106@redhat.com>

Martin Kosek wrote:
> On Mon, 2012-06-11 at 10:36 +0200, Martin Kosek wrote:
>> On Thu, 2012-06-07 at 23:07 -0400, Simo Sorce wrote:
>>> On Thu, 2012-06-07 at 22:28 -0400, Rob Crittenden wrote:
>>>> Martin Kosek wrote:
>>>>> You can use the attached script (changepw.py) to test the PW change
>>>>> interface from command line (on IPA server).
>>>>>
>>>>> ---
>>>>>
>>>>> IPA server web form-based authentication allows logins for users
>>>>> which for some reason cannot use Kerberos authentication. However,
>>>>> when a password for such users expires, they are unable to change the
>>>>> password via web interface.
>>>>>
>>>>> This patch adds a new WSGI script attached to URL
>>>>> /ipa/session/change_password which can be accessed without
>>>>> authentication and which provides password change capability
>>>>> for web services.
>>>>>
>>>>> The actual password change in the script is processed with kpasswd
>>>>> to be consistent with /ipa/session/login_password.
>>>>>
>>>>> Password result is passed both in the resulting HTML page, but
>>>>> also in HTTP headers for easier parsing in web services:
>>>>> X-IPA-Pwchange-Result: {ok, invalid-password, policy-error}
>>>>> (optional) X-IPA-Pwchange-Policy-Error: $policy_error_text
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/2276
>>>>
>>>> It is probably more efficient to change the password using ldap. Simo,
>>>> do you know of an advantage of using one over the other?
>>>> Better password
>>>> policy reporting may be reason enough.
>>>
>>> Yes you'll get better error reporting, plus forking out kpasswd is quite
>>> ugly, the python ldap code should be able to use the ldap passwd extend
>>> op quite easily.
>>>
>>> Simo.
>>>
>>
>> Ok, sending a second version of the patch based on password change via
>> LDAP. The error reporting is indeed easier and with no hard-coded
>> parsing.
>>
>> Martin
>
> This patch will only work with SELinux disabled, it seems there is a
> regression in SELinux policy which does not allow httpd to connect to
> dirsrv socket. I logged a Bug:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=830764
>
> This issue also disables other pages using dirsrv socket, like the
> migration page or password-expiration detection in form-based auth.
>
> Martin

For '200 Success' you can use rpcserver.HTTP_STATUS_SUCCESS.

This works ok and does successfully change passwords but I don't like the logging very much. It should say that this is the password request URI somewhere at a minimum. Having the HTTP response is a bit strange too, and I don't know if a 400 should be logged as info.

I think this test program could be made into a test suite too, particularly to check the more esoteric parts like checking for missing options, too many options, etc.

rob

From rcritten at redhat.com Mon Jun 11 17:57:55 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 11 Jun 2012 13:57:55 -0400
Subject: [Freeipa-devel] [PATCH] 0059 Fix update plugin order
In-Reply-To: <4FD1D4B2.1010008@redhat.com>
References: <4FCF243C.8040907@redhat.com> <4FD165F4.2010608@redhat.com> <4FD1D46C.8070509@redhat.com> <4FD1D4B2.1010008@redhat.com>
Message-ID: <4FD631A3.7060702@redhat.com>

Petr Viktorin wrote:
> On 06/08/2012 12:31 PM, Petr Viktorin wrote:
>> On 06/08/2012 04:39 AM, Rob Crittenden wrote:
>>> Petr Viktorin wrote:
>>>> While messing with the ipa-ldap-updater, I found the order method was
>>>> using an algorithm that could give incorrect results. I'm submitting a
>>>> fix in an extra patch, as it's largely unrelated and shouldn't be so
>>>> controversial.
>>>
>>> Can you open a ticket on this? We like to have a ticket for every commit
>>> (minus a random one-liner here and there).
>>>
>>> thanks
>>>
>>> rob
>>>
>>
>> Created a ticket, and added a link to the commit message.
>>
>> https://fedorahosted.org/freeipa/ticket/2820
>>
>
> ... and forgot to attach the patch.

ACK, pushed to master

From rcritten at redhat.com Mon Jun 11 18:37:50 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 11 Jun 2012 14:37:50 -0400
Subject: [Freeipa-devel] [PATCH] 272-273 Add service membership to host objects
In-Reply-To: <1338967035.9625.3.camel@balmora.brq.redhat.com>
References: <1338904536.28796.41.camel@balmora.brq.redhat.com> <4FCE7B97.7020003@redhat.com> <1338962500.9625.2.camel@balmora.brq.redhat.com> <4FCF02A5.90206@redhat.com> <1338967035.9625.3.camel@balmora.brq.redhat.com>
Message-ID: <4FD63AFE.9040400@redhat.com>

Martin Kosek wrote:
> On Wed, 2012-06-06 at 09:11 +0200, Petr Vobornik wrote:
>> On 06/06/2012 08:01 AM, Martin Kosek wrote:
>>> On Tue, 2012-06-05 at 17:35 -0400, Rob Crittenden wrote:
>>>> Martin Kosek wrote:
>>>>> This set of patches
>>>>> 1) Adds a support for uni-directional remote membership to baseldap
>>>>> plugin (like service->host membership in service managedby attribute) -
>>>>> patch 272
>>>>> 2) Adds a support for service->host membership to host plugin using the
>>>>> new interface - patch 273
>>>>>
>>>>> Martin
>>>>
>>>> Have you tried this in the UI? Are these new relationships already handled?
>>>>
>>>> rob
>>>
>>> I just checked that I didn't break anything in the host page. But with
>>> this patch, we could add a tab with a list of services for a selected
>>> host. I will check with Petr if the information we provide is enough.
>>>
>>> Martin
>>>
>>
>> Provided information is sufficient for implementation of UI part.
>>
>
> Thanks Petr, I created a ticket for Web UI to implement this new
> relationship:
> https://fedorahosted.org/freeipa/ticket/2812
>
> Martin
>

This is displaying the DN of the service which is case-insensitive, so for example the HTTP principal shows as : http/ipa.example.com. Perhaps take the RDN and pull that attribute specifically?

rob

From rcritten at redhat.com Mon Jun 11 18:38:44 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 11 Jun 2012 14:38:44 -0400
Subject: [Freeipa-devel] [PATCH] 147 Set network.http.sendRefererHeader to 2 on browser config
In-Reply-To: <4FCDFEBD.5060908@redhat.com>
References: <4FBF99FB.7090206@redhat.com> <4FC53FA6.5030906@redhat.com> <4FCC8B62.2030600@redhat.com> <4FCD768D.3090001@redhat.com> <4FCDFEBD.5060908@redhat.com>
Message-ID: <4FD63B34.1050604@redhat.com>

Petr Vobornik wrote:
> On 06/05/2012 05:01 AM, Rob Crittenden wrote:
>> Petr Vobornik wrote:
>>> On 05/29/2012 11:29 PM, Rob Crittenden wrote:
>>>> Petr Vobornik wrote:
>>>>> IPA web UI isn't functional when browser doesn't send http headers.
>>>>>
>>>>> This patch adds a functionality which sets Firefox
>>>>> network.http.sendRefererHeader configuration option to value '2' which
>>>>> enables it.
>>>>>
>>>>> Possible values:
>>>>> http://kb.mozillazine.org/Network.http.sendRefererHeader
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/2778
>>>>
>>>> Should we also add a message when referer is missing to check this
>>>> setting in about:config?
>>>
>>> I'm not sure what you have in mind. We set the referer option so why
>>> would user check it afterwards?
>>>
>>> Yes the ticket was about checking the option but: If user is configuring
>>> the browser he wants the browser configured. So we should set all
>>> options which are required. This is one of them. We have not been
>>> notifying the user what was set, so I didn't add such notification for
>>> this option now as well.
>>>
>>> We might want to notify the user what options were changed but it's not
>>> the topic of this ticket.
>>
>> I was thinking more for already configured browsers who then later mess
>> with this value. It fails in a very non-obvious way.
>>
>> rob
>
> I'm attaching a patch which slightly changes the displayed error message
> from:
>
> Missing or invalid HTTP Referer, missing
>
> to:
>
> Missing HTTP referer.
> You have to configure your browser to send HTTP referer header.
>
> Also I think we should document how to set it manually. We already have
> documentation for the rest of browser configuration.
>

This approach looks ok to me, I think someone with more Javascript experience should review the specifics.

rob

From rcritten at redhat.com Mon Jun 11 18:41:04 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 11 Jun 2012 14:41:04 -0400
Subject: [Freeipa-devel] [PATCH] 262-265 Enable psearch by default
In-Reply-To: <1339169087.2191.16.camel@priserak>
References: <1337950210.5899.25.camel@balmora.brq.redhat.com> <4FBF882D.9000909@redhat.com> <1337958871.5899.32.camel@balmora.brq.redhat.com> <1338540393.27740.17.camel@balmora.brq.redhat.com> <4FCD81D8.9000609@redhat.com> <1338881554.28796.23.camel@balmora.brq.redhat.com> <1339138962.3385.3.camel@balmora.brq.redhat.com> <4FD215FC.2050300@redhat.com> <1339169087.2191.16.camel@priserak>
Message-ID: <4FD63BC0.8090504@redhat.com>

Martin Kosek wrote:
> On Fri, 2012-06-08 at 11:10 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On Tue, 2012-06-05 at 09:32 +0200, Martin Kosek wrote:
>>>> On Mon, 2012-06-04 at 23:49 -0400, Rob Crittenden wrote:
>>>>> Martin Kosek wrote:
>>>>>> On Fri, 2012-05-25 at 17:14 +0200, Martin Kosek wrote:
>>>>>>> On Fri, 2012-05-25 at 09:25 -0400, Rob Crittenden wrote:
>>>>>>>> Martin Kosek wrote:
>>>>>>>>> This set of patches handles enabling psearch both for new installations
>>>>>>>>> (patch 263) and upgraded IPA servers.
>>>>>>>>>
>>>>>>>>> For upgraded IPA servers I needed to make sure that psearch is not
>>>>>>>>> enabled for every IPA package update, but at most once, when a user
>>>>>>>>> updates to IPA with this patch for the first time (patch 264). This is
>>>>>>>>> enabled by a new State store located in /var/lib/ipa/sysupgrade (patch
>>>>>>>>> 262).
>>>>>>>>>
>>>>>>>>> I also improved the way we handled SELinux sebool updates (patch 265),
>>>>>>>>> this can make ipa-upgradeconfig to finish in 0.4 seconds and not in 150
>>>>>>>>> seconds as previously. Details are in the patches.
>>>>>>>>>
>>>>>>>>> Martin
>>>>>>>>
>>>>>>>> 262:
>>>>>>>> The sysupgrade directory isn't created by the RPM install:
>>>>>>>>
>>>>>>>> mkdir -p %{buildroot}/%{_localstatedir}/cache/ipa/sysupgrade
>>>>>>>
>>>>>>> Fixed.
>>>>>>>
>>>>>>>>
>>>>>>>> 263:
>>>>>>>>
>>>>>>>> It looks like zone_refresh is simply disabled in bindinstance.py, why
>>>>>>>> not remove it completely?
>>>>>>>
>>>>>>> zone_refresh is used by bindinstance.py. ipa-server-install or
>>>>>>> ipa-dns-install may be configured to use zone refresh instead of
>>>>>>> persistent search mechanism to update the zones (e.g. --zone-refresh
>>>>>>> 30).
>>>>>>>
>>>>>>>>
>>>>>>>> 264:
>>>>>>>>
>>>>>>>> Small nit, worth doing case-insensitive compare of psearch enabled status?
>>>>>>>
>>>>>>> Petr2 told me that arg value for boolean configuration option is
>>>>>>> case-insensitive, so we can do that - fixed.
>>>>>>>
>>>>>>>>
>>>>>>>> We're updating named.conf in place so I don't know that we need to reset
>>>>>>>> permissions. It at least shouldn't get modified by the write.
>>>>>>>
>>>>>>> Right, I was being too defensive. I removed the check.
>>>>>>>
>>>>>>> I made the upgrade more robust, now it won't crash for example when
>>>>>>> named.conf does not exist. I also made sure the upgrade script works
>>>>>>> correctly when the IPA is configured without DNS.
>>>>>>>
>>>>>>> Martin
>>>>>>
>>>>>> I rebased the patches for current master. I also slightly reworked patch
>>>>>> 265, the error message printed in case of an unsuccessful setsebool was
>>>>>> not printed right.
>>>>>>
>>>>>> Martin
>>>>>
>>>>> Trailing whitespace in 264:
>>>>>
>>>>> # git am /tmp/freeipa-mkosek-264-3-enable-psearch-on-upgrades.patch
>>>>> Applying: Enable psearch on upgrades
>>>>> /home/rcrit/redhat/freeipa-nossh/.git/rebase-apply/patch:108: trailing whitespace.
>>>>> root_logger.error('Cannot update connections in %s: %s',
>>>>> warning: 1 line adds whitespace errors.
>>>>
>>>> Fixed.
>>>>
>>>>>
>>>>> I don't think the DNS detection is adequate in 264, testing for
>>>>> named.conf is not enough. What if someone is running a non-IPA DNS
>>>>> server on the box?
>>>>
>>>> I assume you are referring to this line:
>>>> + if not bindinstance.named_conf_exists():
>>>>
>>>> It checks both if the named.conf exists + if it has bind-dyndb-ldap
>>>> configured for IPA:
>>>> if line.startswith('dynamic-db "ipa"'):
>>>>
>>>>>
>>>>> I know that I've recently done similar config changes but in 265 is
>>>>> using line.startswith() going to be fragile?
>>>>
>>>> I assume you mean patch 264. This should be OK - user would need to mess
>>>> with the configuration generated by our install scripts to break it. But
>>>> in this case, other regex-es would fail too. I did not want to get too
>>>> wild with regex-es to keep it simple and safe. The worst case scenario
>>>> should be that named.conf is not updated and psearch is not turned on.
>>>>
>>>>>
>>>>> In 266 I'd merge in the ipa-upgradeconfig change into 265 or some other
>>>>> patch.
>>>>
>>>> I assume you mean patch 265. I had this change moved to 264 right after
>>>> I sent the patches :-)
>>>>
>>>>>
>>>>> In the 'for setting, state' loop should it be catching a
>>>>> CalledProcessException rather than raw Exception? I think that is all
>>>>> that should be raised there.
>>>>
>>>> Right, fixed.
>>>>
>>>>>
>>>>> I did an upgrade and it seemed to work ok, ended up with these scary
>>>>> messages in /var/log/messages:
>>>>>
>>>>> Jun 4 23:39:17 localhost named[18753]: LDAP error: Can't contact LDAP server
>>>>> Jun 4 23:39:17 localhost named[18753]: connection to the LDAP server was lost
>>>>> Jun 4 23:39:17 localhost named[18753]: bind to LDAP server failed: Can't contact LDAP server
>>>>> Jun 4 23:39:17 localhost named[18753]: ldap_psearch_watcher failed to handle LDAP connection error.
>>>>> Reconnection in 60s
>>>>> Jun 4 23:39:17 localhost named[18753]: LDAP error: Can't contact LDAP server
>>>>> Jun 4 23:39:17 localhost named[18753]: connection to the LDAP server was lost
>>>>> Jun 4 23:39:17 localhost named[18753]: bind to LDAP server failed: Can't contact LDAP server
>>>>> Jun 4 23:39:17 localhost ns-slapd[18798]: [04/Jun/2012:23:39:17 -0400] - Information: Non-Secure Port Disabled
>>>>> Jun 4 23:40:17 localhost named[18753]: handle_connection_error failed to obtain ldap error code
>>>>> Jun 4 23:40:17 localhost named[18753]: connection to the LDAP server was lost
>>>>> Jun 4 23:40:17 localhost named[18753]: bind to LDAP server failed: Can't contact LDAP server
>>>>> Jun 4 23:40:17 localhost named[18753]: ldap_psearch_watcher failed to handle LDAP connection error. Reconnection in 60s
>>>>> Jun 4 23:41:17 localhost named[18753]: handle_connection_error failed to obtain ldap error code
>>>>> Jun 4 23:41:17 localhost named[18753]: connection to the LDAP server was lost
>>>>>
>>>>> DNS does seem to be working fine from the cli.
>>>>
>>>> I think this was caused by ipa-ldap-updater which shut down the
>>>> Directory Server to perform the LDAP upgrade.
>>>>
>>>> Btw I asked Petr to file a ticket for bind-dyndb-ldap to report success
>>>> when it returns back from an error state:
>>>> https://fedorahosted.org/bind-dyndb-ldap/ticket/71
>>>> This way, we cannot know that the LDAP connection has been restored
>>>> besides doing a test DNS query.
>>>>
>>>>>
>>>>> The tests are another matter. named crashed in 0:1.1.0-0.10.b2.fc17 in
>>>>> the test cleanup.
>>>>>
>>>>> I upgraded to bind-dyndb-ldap-1.1.0-0.11.rc1.fc17 and got this stack trace:
>>>>>
>>>>> Program received signal SIGABRT, Aborted.
>>>>> [Switching to Thread 0x7f68e50db700 (LWP 19367)]
>>>>> 0x00007f68e6188915 in raise () from /lib64/libc.so.6
>>>>> (gdb) where
>>>>> #0 0x00007f68e6188915 in raise () from /lib64/libc.so.6
>>>>> #1 0x00007f68e618a0c8 in abort () from /lib64/libc.so.6
>>>>> #2 0x00007f68e91171fb in assertion_failed (file=, line=, type=, cond=) at ./main.c:219
>>>>> #3 0x00007f68e73a6c3a in isc_assertion_failed (file=file at entry=0x7f68e8a82deb "zone.c", line=, type=type at entry=isc_assertiontype_require, cond=cond at entry=0x7f68e8a82fe7 "zone->db != ((void *)0)") at assertions.c:57
>>>>> #4 0x00007f68e8a2ba67 in zone_detachdb (zone=) at zone.c:12944
>>>>> #5 zone_detachdb (zone=0x7f68dc57fef0) at zone.c:12943
>>>>> #6 0x00007f68e8a2baa1 in zone_unload (zone=zone at entry=0x7f68dc57fef0) at zone.c:9092
>>>>> #7 0x00007f68e8a2fcc4 in dns_zone_unload (zone=0x7f68dc57fef0) at zone.c:9040
>>>>> #8 0x00007f68e3584b9e in ldap_delete_zone2 (inst=inst at entry=0x7f68e90b0f10, name=name at entry=0x7f68e50dad10, lock=lock at entry=isc_boolean_true) at ldap_helper.c:786
>>>>> #9 0x00007f68e3586554 in ldap_delete_zone (dn=, inst=0x7f68e90b0f10, lock=) at ldap_helper.c:811
>>>>> #10 update_action (task=, event=0x7f68e37de6a0) at ldap_helper.c:2763
>>>>> #11 0x00007f68e73c613e in dispatch (manager=0x7f68e908f010) at task.c:1109
>>>>> #12 run (uap=0x7f68e908f010) at task.c:1279
>>>>> #13 0x00007f68e6d7bd14 in start_thread () from /lib64/libpthread.so.0
>>>>> #14 0x00007f68e624494d in clone () from /lib64/libc.so.6
>>>>>
>>>>> rob
>>>>
>>>> Thanks for digging out the traceback, I already reported this error to
>>>> bind-dyndb-ldap:
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=827401
>>>>
>>>> Petr, what's the status of this bug? I guess we cannot push this set of
>>>> patches to enable the psearch by default until this is fixed. Otherwise
>>>> bind-dyndb-ldap would crash _every_ DNS unit test case.
>>>>
>>>> Updated set of patches attached.
>>>>
>>>> Martin
>>>
>>> Petr^2 fixed the bug in bind-dyndb-ldap causing it to crash during DNS
>>> unit tests. I re-tested the new version with IPA and it worked fine.
>>>
>>> Attached a rebased set of patches with proper bind-dyndb-ldap version
>>> enforced. I would like this to get acked soon so that psearch is tested
>>> by a broader audience and we are able to stabilize it faster.
>>>
>>> Martin
>>
>> These work ok so conditional ACK based on the following:
>>
>> The tests all pass but I saw this in messages:
>>
>> Jun 8 10:13:37 localhost named[1624]: psearch moddn change is not implemented
>> Jun 8 10:13:37 localhost named[1624]: psearch_update failed for
>> idnsname=testdnsres-renamed,idnsname=dnszone.test,cn=dns,dc=example,dc=com
>> zone. Zone can be outdated, run `rndc reload`
>
> Yup, there is already a ticket which should fix that:
> https://fedorahosted.org/bind-dyndb-ldap/ticket/72
>
>>
>> Other than immediately seeing new zones are there any other consequences
>> to disabling psearch? Are features eventually going to not be available
>> if it is not enabled? I assume that if/when that happens the man page
>> will be updated at that point?
>>
>> rob
>
> At the current state of things, both modes (psearch vs. no-psearch) should
> be equivalent in terms of features. In the future, DNSSEC+automatic SOA
> update (i.e. a requirement for zone transfers) will depend on psearch.
>
> I guess it would be possible to implement some limited functionality
> when psearch is off, we can discuss this topic with Petr/Adam.
>
> Martin
>

Ok, pushed all to master.

rob

From rcritten at redhat.com Mon Jun 11 19:45:54 2012
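The psearch upgrade step argued over in the thread above (detect IPA's dynamic-db block in named.conf rather than only the file's existence, compare the psearch value case-insensitively, and replace zone_refresh with psearch), as an added example; this is not FreeIPA's bindinstance code, and the named.conf it parses is constructed here.

```python
"""Detect and enable bind-dyndb-ldap psearch in named.conf.

Added example, not FreeIPA's own bindinstance code. It does the three things
discussed in the thread: recognise IPA's dynamic-db "ipa" block (not just the
existence of named.conf), read the psearch arg case-insensitively, and switch
the block from zone_refresh polling to psearch. The sample named.conf below is
constructed for this example.
"""
import re

# Constructed sample of the block ipa-dns-install writes; values are made up.
SAMPLE_NAMED_CONF = """\
options {
\tlisten-on-v6 { any; };
};

dynamic-db "ipa" {
\tlibrary "ldap.so";
\targ "uri ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket";
\targ "base cn=dns, dc=example,dc=com";
\targ "auth_method sasl";
\targ "sasl_mech GSSAPI";
\targ "zone_refresh 30";
\targ "psearch NO";
};
"""

# The whole dynamic-db "ipa" { ... }; block. Leading whitespace and either
# quote style are tolerated, which a bare line.startswith() check is not.
_IPA_BLOCK = re.compile(
    r'^[ \t]*dynamic-db[ \t]+["\']ipa["\'][ \t]*\{(?P<body>.*?)\}[ \t]*;',
    re.MULTILINE | re.DOTALL)
# One `arg "name value";` line inside the block.
_ARG = re.compile(
    r'^[ \t]*arg[ \t]+"(?P<key>[^\s"]+)[ \t]*(?P<val>[^"]*)"[ \t]*;',
    re.MULTILINE)


def ipa_block(conf):
    """Match object for the IPA dynamic-db block, or None if this named.conf
    is not IPA's (e.g. a non-IPA DNS server on the same box)."""
    return _IPA_BLOCK.search(conf)


def ipa_args(conf):
    """Map of arg name -> value from the IPA block; empty if there is none."""
    m = ipa_block(conf)
    if m is None:
        return {}
    return {a.group('key'): a.group('val').strip()
            for a in _ARG.finditer(m.group('body'))}


def psearch_enabled(conf):
    """bind-dyndb-ldap compares boolean args case-insensitively; so do we."""
    return ipa_args(conf).get('psearch', 'no').lower() == 'yes'


def enable_psearch(conf):
    """Return conf with psearch on and zone_refresh removed from the IPA block.
    Returns conf unchanged when there is no IPA block, so a non-IPA named.conf
    is never touched. Running it a second time changes nothing."""
    m = ipa_block(conf)
    if m is None:
        return conf
    body = m.group('body')
    # zone_refresh is the polling alternative to psearch; drop it.
    body = re.sub(r'^[ \t]*arg[ \t]+"zone_refresh[^"]*"[ \t]*;[ \t]*\n?', '',
                  body, flags=re.MULTILINE)
    if re.search(r'^[ \t]*arg[ \t]+"psearch\b', body, re.MULTILINE):
        body = re.sub(r'^([ \t]*arg[ \t]+")psearch[^"]*(")',
                      r'\g<1>psearch yes\g<2>', body, flags=re.MULTILINE)
    else:
        body = body.rstrip() + '\n\targ "psearch yes";\n'
    return conf[:m.start('body')] + body + conf[m.end('body'):]


if __name__ == '__main__':
    print('psearch enabled before:', psearch_enabled(SAMPLE_NAMED_CONF))
    updated = enable_psearch(SAMPLE_NAMED_CONF)
    print('psearch enabled after: ', psearch_enabled(updated))
    print(updated)
```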
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 11 Jun 2012 15:45:54 -0400
Subject: [Freeipa-devel] [PATCH] 1025 set fixed primary IPA server in client
Message-ID: <4FD64AF2.3000406@redhat.com>

Add --fixed-primary flag to control the order of ipa_server in sssd.conf. When set the discovered (or passed) server will be set first rather than _srv_. The default is to have _srv_ set first.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-1025-primary.patch
Type: text/x-diff
Size: 3617 bytes

From dpal at redhat.com Mon Jun 11 20:05:54 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 11 Jun 2012 16:05:54 -0400
Subject: [Freeipa-devel] [PATCH] 1025 set fixed primary IPA server in client
In-Reply-To: <4FD64AF2.3000406@redhat.com>
References: <4FD64AF2.3000406@redhat.com>
Message-ID: <4FD64FA2.9030402@redhat.com>

On 06/11/2012 03:45 PM, Rob Crittenden wrote:
> Add --fixed-primary flag to control the order of ipa_server in
> sssd.conf. When set the discovered (or passed) server will be set
> first rather than _srv_. The default is to have _srv_ set first.
>
> rob
>

Have you talked to Jan Zeleny? He is working on the concept of the primary and secondary servers in sssd. It seems that these efforts should be coordinated.

https://fedorahosted.org/sssd/ticket/1128

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

From riffraff169 at yahoo.com Mon Jun 11 23:09:35 2012
From: riffraff169 at yahoo.com (Lance Dillon)
Date: Mon, 11 Jun 2012 16:09:35 -0700 (PDT)
Subject: [Freeipa-devel] ipa-client-install patch
Message-ID: <1339456175.14473.YahooMailNeo@web83804.mail.sp1.yahoo.com>

This small set of patches adds a --fixed option to ipa-client-install. This specifies that DNS server discovery is basically turned off in /etc/sssd/sssd.conf (by removing the _srv_ entry from ipa_server). This has been helpful to me because we are in a shared DNS domain with a Windows domain, and we aren't able to move servers to a separate subdomain.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-added-option-fixed-to-disable-dns-server-discovery.patch
Type: application/octet-stream
Size: 1848 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-added-extra-check-to-make-sure-server-is-specified-w.patch
Type: application/octet-stream
Size: 889 bytes
Desc: not available
URL:

From pviktori at redhat.com Tue Jun 12 11:12:10 2012
From: pviktori at redhat.com (Petr Viktorin)
Date: Tue, 12 Jun 2012 13:12:10 +0200
Subject: [Freeipa-devel] [PATCH] 0062 Don't crash when server returns extra output
Message-ID: <4FD7240A.5040400@redhat.com>

This will make older clients usable if new output items get added to commands.

Since there might be important information in the extra output, it's not ignored as the ticket asks. Instead it's printed, but not formatted nicely as the client doesn't have enough info for that.

https://fedorahosted.org/freeipa/ticket/1721

-- 
Petr³

From pviktori at redhat.com Tue Jun 12 12:38:06 2012
From: pviktori at redhat.com (Petr Viktorin) Date: Tue, 12 Jun 2012 14:38:06 +0200 Subject: [Freeipa-devel] [PATCH] 0050 Fail on unknown Command options In-Reply-To: <4FD07641.7000707@redhat.com> References: <4F8E97F6.2070703@redhat.com> <1336392614.29911.13.camel@balmora.brq.redhat.com> <4FABA16A.10802@redhat.com> <1336982456.4344.28.camel@balmora.brq.redhat.com> <1336984817.4344.43.camel@balmora.brq.redhat.com> <4FB0FEDB.4020806@redhat.com> <1337068555.10688.20.camel@balmora.brq.redhat.com> <4FB23F9B.10000@redhat.com> <1337155089.2963.10.camel@balmora.brq.redhat.com> <4FB3674A.1010402@redhat.com> <1337170298.2963.16.camel@balmora.brq.redhat.com> <4FBF32D3.1060302@redhat.com> <4FC381A3.7020000@redhat.com> <1338214566.5538.11.camel@balmora.brq.redhat.com> <4FD07641.7000707@redhat.com> Message-ID: <4FD7382E.5030401@redhat.com> On 06/07/2012 11:37 AM, Petr Vobornik wrote: > On 05/28/2012 04:16 PM, Martin Kosek wrote: >> On Mon, 2012-05-28 at 15:46 +0200, Petr Vobornik wrote: >>> On 05/25/2012 09:20 AM, Petr Vobornik wrote: >>>> On 05/16/2012 02:11 PM, Martin Kosek wrote: >>>>> On Wed, 2012-05-16 at 10:37 +0200, Petr Viktorin wrote: >>>>>> On 05/16/2012 09:58 AM, Martin Kosek wrote: >>>>>>> On Tue, 2012-05-15 at 13:35 +0200, Petr Viktorin wrote: >>>>>>>> On 05/15/2012 09:55 AM, Martin Kosek wrote: >>>>>>>>> On Mon, 2012-05-14 at 14:47 +0200, Petr Viktorin wrote: >>>>>>>>>> The final part of rejecting unknown Command arguments: enable the >>>>>>>>>> validation, add tests. >>>>>>>>>> Also fix up things that were changed since the previous patches. >>>>>>>>>> >>>>>>>>>> https://fedorahosted.org/freeipa/ticket/2509 >>> >>> 8><------------------ >>> >>>>>> >>>>>> Attaching a rebased patch. >>>>>> >>>>> >>>>> Yup, this one is fine. Now, I did not find issues in the patch itself, >>>>> tests are clean. 
>>>>>
>>>>> However, thanks to this new check I found issues in Web UI
>>>>> (automember,
>>>>> selfservice, delegation screen) which use illegal options and which
>>>>> should be fixed before we push your patch:
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/2760
>>>>>
>>>>> Martin
>>>>>
>>>>
>>>> I found an issue in automountmap_add_indirect. It complains that 'key'
>>>> is an unknown option.
>>>
>>> I found other options which were functional and now it complains:
>>> * hbacsvcgroup_find: no_hbacsvc
>>> * hbacsvc_find: not_in_hbacsvcgroup
>>> * same issue in sudo commands and sudo command groups.
>>>
>>> I didn't check all relationships, so it may be broken elsewhere as well.
>>>
>>
>> I don't think this is an error on the server side - it never had filter
>> options like these in the modules you referenced (though we may add them
>> as an RFE when needed).
>>
>> When you pass these options in the UI to the server side, it's just a NOOP
>> - or an error when Petr's patch is applied.
>>
>> Martin
>>
> All issues found in Web UI are fixed.
> Updated and rebased patch attached.

-- 
Petr³

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0050-05-Fail-on-unknown-Command-options.patch
Type: text/x-patch
Size: 16214 bytes
Desc: not available
URL:

From simo at redhat.com Tue Jun 12 12:38:27 2012
From: simo at redhat.com (Simo Sorce)
Date: Tue, 12 Jun 2012 08:38:27 -0400
Subject: [Freeipa-devel] [PATCH] 0062 Don't crash when server returns extra output
In-Reply-To: <4FD7240A.5040400@redhat.com>
References: <4FD7240A.5040400@redhat.com>
Message-ID: <1339504707.8230.577.camel@willson.li.ssimo.org>

On Tue, 2012-06-12 at 13:12 +0200, Petr Viktorin wrote:
> This will make older clients usable if new output items get added to
> commands.
>
> Since there might be important information in the extra output, it's not
> ignored as the ticket asks. Instead it's printed, but not formatted
> nicely as the client doesn't have enough info for that.
>
> https://fedorahosted.org/freeipa/ticket/1721

Patch is missing.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From pviktori at redhat.com Tue Jun 12 12:39:05 2012
From: pviktori at redhat.com (Petr Viktorin)
Date: Tue, 12 Jun 2012 14:39:05 +0200
Subject: [Freeipa-devel] [PATCH] 0062 Don't crash when server returns extra output
In-Reply-To: <1339504707.8230.577.camel@willson.li.ssimo.org>
References: <4FD7240A.5040400@redhat.com> <1339504707.8230.577.camel@willson.li.ssimo.org>
Message-ID: <4FD73869.6020503@redhat.com>

On 06/12/2012 02:38 PM, Simo Sorce wrote:
> On Tue, 2012-06-12 at 13:12 +0200, Petr Viktorin wrote:
>> This will make older clients usable if new output items get added to
>> commands.
>>
>> Since there might be important information in the extra output, it's not
>> ignored as the ticket asks. Instead it's printed, but not formatted
>> nicely as the client doesn't have enough info for that.
>>
>> https://fedorahosted.org/freeipa/ticket/1721
>
> Patch is missing.
>
> Simo.
>

My apologies

-- 
Petr³

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0062-Don-t-crash-when-server-returns-extra-output.patch
Type: text/x-patch
Size: 7982 bytes
Desc: not available
URL:

From pvoborni at redhat.com Tue Jun 12 12:48:25 2012
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 12 Jun 2012 14:48:25 +0200
Subject: [Freeipa-devel] [PATCH] 159 Action panel for certificates
Message-ID: <4FD73A99.9020300@redhat.com>

This is a continuation of the effort which transforms status widgets with buttons executing actions into separate status widgets and action panels.

This patch strips the certificate status widget of its buttons and separates the actions into their own objects. Appropriate modifications are made in host and service details facets.

A new certificate loader, facet policy and evaluator are introduced to make actions and status widget independent. On the facet load event the new certificate facet policy loads a certificate from the result. Unfortunately results don't contain the revocation reason, so it also executes an additional cert-show command to get the revocation reason. The policy stores the certificate to the facet. It raises the certifacet_loaded event to notify the certificate evaluator and status widget. The status widget updates its state. The certificate evaluator updates state and actions get disabled or enabled.

https://fedorahosted.org/freeipa/ticket/2250

-- 
Petr Vobornik

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0159-Action-panel-for-certificates.patch
Type: text/x-patch
Size: 42499 bytes
Desc: not available
URL:

From abokovoy at redhat.com Tue Jun 12 13:08:12 2012
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 12 Jun 2012 16:08:12 +0300 Subject: [Freeipa-devel] [PATCH] move samba4-specific python code to a subpackage Message-ID: <20120612130812.GS25726@redhat.com> DCERPC code in AD trusts implementation depends on Samba 4 Python bindings. Make this dependency optional for main freeipa-server package by moving the dependency to freeipa-server-trust-ad subpackage. Main interface to AD trusts (ipalib/plugins/trust.py) will still stay, as well as LDIF files and updates as they are not causing real dependency. https://fedorahosted.org/freeipa/ticket/2821 -- / Alexander Bokovoy -------------- next part -------------- >From 743b249c1b5f29aee8629989a1b4968f77766b5e Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Tue, 12 Jun 2012 15:58:50 +0300 Subject: [PATCH] Move AD trust support code to freeipa-server-trust-ad subpackage DCERPC code in AD trusts implementation depends on Samba 4 Python bindings. Make this dependency optional for main freeipa-server package by moving the dependency to freeipa-server-trust-ad subpackage. Main interface to AD trusts (ipalib/plugins/trust.py) will still stay, as well as LDIF files and updates as they are not causing real dependency. https://fedorahosted.org/freeipa/ticket/2821 --- freeipa.spec.in | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 3e1c844..ce8e1e6 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -415,6 +415,11 @@ mkdir -p %{buildroot}%{_sysconfdir}/cron.d install -pm 644 ipa-compliance.cron %{buildroot}%{_sysconfdir}/cron.d/ipa-compliance %endif +(cd %{buildroot}/%{python_sitelib}/ipaserver && find . -type f | \ + grep -v dcerpc | grep -v adtrustinstance | \ + sed -e 's,\.py.*$,.*,g' | sort -u | \ + sed -e 's,\./,%%{python_sitelib}/ipaserver/,g' ) >server-python.list + %clean rm -rf %{buildroot} 
@@ -521,12 +526,11 @@ fi %if ! %{ONLY_CLIENT} -%files server +%files server -f server-python.list %defattr(-,root,root,-) %doc COPYING README Contributors.txt %{_sbindir}/ipa-ca-install %{_sbindir}/ipa-dns-install -%{_sbindir}/ipa-adtrust-install %{_sbindir}/ipa-server-install %{_sbindir}/ipa-replica-conncheck %{_sbindir}/ipa-replica-install @@ -557,7 +561,9 @@ fi %attr(755,root,root) %{_initrddir}/ipa_memcached %endif %dir %{python_sitelib}/ipaserver -%{python_sitelib}/ipaserver/* +%dir %{python_sitelib}/ipaserver/install +%dir %{python_sitelib}/ipaserver/install/plugins +%dir %{python_sitelib}/ipaserver/plugins %dir %{_libdir}/ipa/certmonger %attr(755,root,root) %{_libdir}/ipa/certmonger/* %dir %{_usr}/share/ipa @@ -625,7 +631,6 @@ fi %dir %{_localstatedir}/cache/ipa %attr(700,apache,apache) %dir %{_localstatedir}/cache/ipa/sessions %attr(755,root,root) %{_libdir}/krb5/plugins/kdb/ipadb.so -%attr(755,root,root) %{_libdir}/samba/pdb/ipasam.so %{_mandir}/man1/ipa-replica-conncheck.1.gz %{_mandir}/man1/ipa-replica-install.1.gz %{_mandir}/man1/ipa-replica-manage.1.gz @@ -634,7 +639,6 @@ fi %{_mandir}/man1/ipa-server-certinstall.1.gz %{_mandir}/man1/ipa-server-install.1.gz %{_mandir}/man1/ipa-dns-install.1.gz -%{_mandir}/man1/ipa-adtrust-install.1.gz %{_mandir}/man1/ipa-ca-install.1.gz %{_mandir}/man1/ipa-compat-manage.1.gz %{_mandir}/man1/ipa-nis-manage.1.gz @@ -651,7 +655,12 @@ fi %{_usr}/share/selinux/targeted/ipa_dogtag.pp %files server-trust-ad +%{_sbindir}/ipa-adtrust-install %{_usr}/share/ipa/smb.conf.empty +%attr(755,root,root) %{_libdir}/samba/pdb/ipasam.so +%{_mandir}/man1/ipa-adtrust-install.1.gz +%{python_sitelib}/ipaserver/dcerpc* +%{python_sitelib}/ipaserver/install/adtrustinstance* %endif %files client -- 1.7.10.2 From rcritten at redhat.com Tue Jun 12 13:46:28 2012 
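Review bot: In the @@ -415,6 +415,11 @@ hunk the generated server-python.list only covers files (`find . -type f`), so directory ownership still has to be spelled out by hand, which is why the -557 hunk adds `%dir %{python_sitelib}/ipaserver/install`, `%dir %{python_sitelib}/ipaserver/install/plugins` and `%dir %{python_sitelib}/ipaserver/plugins`; any subdirectory added under ipaserver later will be silently unowned unless another `%dir` line is remembered. A comment above the pipeline saying so, and that the `grep -v dcerpc | grep -v adtrustinstance` substring exclusions must stay in step with the `dcerpc*` and `install/adtrustinstance*` globs in `%files server-trust-ad`, would save the next editor a build failure: a file matching one of those substrings anywhere else under ipaserver drops out of the list but is not picked up by those globs, and rpmbuild rejects it as unpackaged.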
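Review bot: The @@ -651,7 +655,12 @@ hunk moves ipa-adtrust-install, ipasam.so, its man page and the dcerpc/adtrustinstance modules into `%files server-trust-ad`, but the diff contains no `Requires:` change, while the commit message says the Samba 4 Python dependency is being moved to the subpackage. Please confirm that the subpackage's `Requires:` (outside this diff) already carries samba4-python, and that it requires the main server package of the same version, since the directories the new files land in (`%dir %{python_sitelib}/ipaserver/install` in the -557 hunk) stay owned by freeipa-server.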
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 12 Jun 2012 09:46:28 -0400 Subject: [Freeipa-devel] [PATCH] 1025 set fixed primary IPA server in client In-Reply-To: <4FD64FA2.9030402@redhat.com> References: <4FD64AF2.3000406@redhat.com> <4FD64FA2.9030402@redhat.com> Message-ID: <4FD74834.3000804@redhat.com> Dmitri Pal wrote: > On 06/11/2012 03:45 PM, Rob Crittenden wrote: >> Add --fixed-primary flag to control the order of ipa_server in >> sssd.conf. When set the discovered (or passed) server will be set >> first rather than _srv_. The default is to have _srv_ set first. >> >> rob >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > Have you talked to Jan Zeleny? He is working on the concept of the > primary and secondary servers in sssd. It seems that these efforts > should be coordinated. > https://fedorahosted.org/sssd/ticket/1128 Yes, I'm aware of what he is working on. The work that Jan is doing will simply make this work better. rob From pviktori at redhat.com Tue Jun 12 14:11:31 2012 
From: pviktori at redhat.com (Petr Viktorin) Date: Tue, 12 Jun 2012 16:11:31 +0200 Subject: [Freeipa-devel] [PATCH] 1024 add client session support In-Reply-To: <1339433382.19118.43.camel@balmora.brq.redhat.com> References: <4FD0EA6B.3040801@redhat.com> <4FD0F9DD.6040504@redhat.com> <4FD169B7.3030906@redhat.com> <1339433382.19118.43.camel@balmora.brq.redhat.com> Message-ID: <4FD74E13.4050506@redhat.com> On 06/11/2012 06:49 PM, Martin Kosek wrote: > On Thu, 2012-06-07 at 22:55 -0400, Rob Crittenden wrote: >> Rob Crittenden wrote: >>> Rob Crittenden wrote: >>>> This adds client session support. The session key is stored in the >>>> kernel key ring. >>>> >>>> Your first request should go to /ipa/session/xml where it should be >>>> rejected with a 401. The next will go to /ipa/xml which will be >>>> accepted. This should all be invisible to the client. >>>> >>>> Subsequent requests should go to /ipa/session/xml which should let you >>>> in with the cookie. >>>> >>>> You can add the -vv option after ipa to see fully what is going on, e.g. >>>> ipa -vv user-show admin >>>> >>>> To manage your keyring use the keyctl command like: >>>> >>>> $ keyctl list @s >>>> 2 keys in keyring: >>>> 353548226: --alswrv 1000 -1 keyring: _uid.1000 >>>> 941350591: --alswrv 1000 1000 user: ipa_session_cookie >>>> >>>> To remove a key: >>>> >>>> $ keyctl unlink 941350591 @s >>>> >>>> rob >>> >>> Hmm, this doesn't play too nice with the lite-server. Let me see if I >>> can track it down. The ccache is being removed, probably as part of the >>> session code. Sessions don't make sense with the lite server since it >>> uses the local ccache directly. >> >> Updated patch. Don't clean up the ccache if in the lite-server. >> >> rob >> > > Good job there. I tested various scenarios (2 master, fallback with SRV > records, old client (RHEL 6.2)) and most worked for me, but only I > worked under the root account. This is what I got with non-root: > > $ ipa user-show admin > ... 
> ipa: DEBUG: stderr=
> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie
> ipa: DEBUG: stdout=113632397
>
> ipa: DEBUG: stderr=
> ipa: DEBUG: args=keyctl pupdate 113632397
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=keyctl_update: Permission denied
> ipa: INFO: trying https://vm-131.idm.lab.bos.redhat.com/ipa/session/xml
> ipa: DEBUG: NSSConnection init vm-131.idm.lab.bos.redhat.com
> ipa: ERROR: cannot connect to 'any of the configured servers': ...
>
> Shouldn't we use @us instead of @s for storing user session keys?
>
>
> Secondly, I wonder if we also plan to add some logout command? This way
> even if I do kdestroy, the session still exists and someone else may
> still execute commands.
>
> Martin

Also: keyctl is in the keyutils package, which we need to depend on.

-- 
Petr³

From mkosek at redhat.com Tue Jun 12 14:17:10 2012
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 12 Jun 2012 16:17:10 +0200
Subject: [Freeipa-devel] [PATCH] 274 Password change capability for form-based auth
In-Reply-To: <4FD63040.3080106@redhat.com>
References: <1338987954.9625.19.camel@balmora.brq.redhat.com> <4FD1633F.4090601@redhat.com> <1339124835.8230.487.camel@willson.li.ssimo.org> <1339403805.19118.4.camel@balmora.brq.redhat.com> <1339417057.19118.26.camel@balmora.brq.redhat.com> <4FD63040.3080106@redhat.com>
Message-ID: <1339510630.26346.18.camel@balmora.brq.redhat.com>

On Mon, 2012-06-11 at 13:52 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Mon, 2012-06-11 at 10:36 +0200, Martin Kosek wrote:
> >> On Thu, 2012-06-07 at 23:07 -0400, Simo Sorce wrote:
> >>> On Thu, 2012-06-07 at 22:28 -0400, Rob Crittenden wrote:
> >>>> Martin Kosek wrote:
> >>>>> You can use the attached script (changepw.py) to test the PW change
> >>>>> interface from command line (on IPA server).
> >>>>>
> >>>>> ---
> >>>>>
> >>>>> IPA server web form-based authentication allows logins for users
> >>>>> which for some reason cannot use Kerberos authentication. However,
> >>>>> when a password for such users expires, they are unable to change the
> >>>>> password via web interface.
> >>>>>
> >>>>> This patch adds a new WSGI script attached to URL
> >>>>> /ipa/session/change_password which can be accessed without
> >>>>> authentication and which provides password change capability
> >>>>> for web services.
> >>>>>
> >>>>> The actual password change in the script is processed with kpasswd
> >>>>> to be consistent with /ipa/session/login_password.
> >>>>>
> >>>>> Password result is passed both in the resulting HTML page, but
> >>>>> also in HTTP headers for easier parsing in web services:
> >>>>> X-IPA-Pwchange-Result: {ok, invalid-password, policy-error}
> >>>>> (optional) X-IPA-Pwchange-Policy-Error: $policy_error_text
> >>>>>
> >>>>> https://fedorahosted.org/freeipa/ticket/2276
> >>>>
> >>>> It is probably more efficient to change the password using ldap. Simo,
> >>>> do you know of an advantage of using one over the other? Better password
> >>>> policy reporting may be reason enough.
> >>>
> >>> Yes you'll get better error reporting, plus forking out kpasswd is quite
> >>> ugly, the python ldap code should be able to use the ldap passwd extend
> >>> op quite easily.
> >>>
> >>> Simo.
> >>>
> >>
> >> Ok, sending a second version of the patch based on password change via
> >> LDAP. The error reporting is indeed easier and with no hard-coded
> >> parsing.
> >>
> >> Martin
> >
> > This patch will only work with SELinux disabled, it seems there is a
> > regression in SELinux policy which does not allow httpd to connect to
> > dirsrv socket. I logged a Bug:
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=830764
> >
> > This issue also disables other pages using dirsrv socket, like the
> > migration page or password-expiration detection in form-based auth.
> >
> > Martin
>
> For '200 Success' you can use rpcserver.HTTP_STATUS_SUCCESS.

Fixed.

>
> This works ok and does successfully change passwords but I don't like
> the logging very much.

Actually it does, it just did it in DEBUG level.

I adapted the logging style from /ipa/session/login_password WSGI script, but I see that since this is a special page, it should have a bit different logging.

Under normal conditions, it now prints a line when
- the WSGI script is started on INFO level, i.e. in httpd error_log by default
- parameters are validated and we start password change for user (user is now printed in log too - this will be useful)
- when the WSGI script finishes - with either success or error status

> It should say that this is the password request
> URI somewhere at a minimum. Having the HTTP response is a bit strange
> too, and I don't know if a 400 should be logged as info.

I used bad_request method of HTTP_Status class. It uses info log level for 400 statuses. I can change that, but it will be changed for all WSGI scripts using HTTP_Status. So far, judging from what I saw in rpcserver.py we use error log level when there is a problem on our side and not in a user request...

>
> I think this test program could be made into a test suite too,
> particularly to check the more esoteric parts like checking for missing
> options, too many options, etc.
>
> rob

I added a test suite exercising this WSGI script. It is based on built-in httplib instead of original pyCurl - it has much better output parsing and is easier to handle.

The new unit test tests bad options, authentication errors and of course successful password change, including a verification that the password was actually changed.

Martin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-274-3-password-change-capability-for-form-based-auth.patch
Type: text/x-patch
Size: 14982 bytes
Desc: not available
URL:

From rcritten at redhat.com Tue Jun 12 18:10:16 2012
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 12 Jun 2012 14:10:16 -0400 Subject: [Freeipa-devel] [PATCH] 1024 add client session support In-Reply-To: <4FD74E13.4050506@redhat.com> References: <4FD0EA6B.3040801@redhat.com> <4FD0F9DD.6040504@redhat.com> <4FD169B7.3030906@redhat.com> <1339433382.19118.43.camel@balmora.brq.redhat.com> <4FD74E13.4050506@redhat.com> Message-ID: <4FD78608.4060009@redhat.com> Petr Viktorin wrote: > On 06/11/2012 06:49 PM, Martin Kosek wrote: >> On Thu, 2012-06-07 at 22:55 -0400, Rob Crittenden wrote: >>> Rob Crittenden wrote: >>>> Rob Crittenden wrote: >>>>> This adds client session support. The session key is stored in the >>>>> kernel key ring. >>>>> >>>>> Your first request should go to /ipa/session/xml where it should be >>>>> rejected with a 401. The next will go to /ipa/xml which will be >>>>> accepted. This should all be invisible to the client. >>>>> >>>>> Subsequent requests should go to /ipa/session/xml which should let you >>>>> in with the cookie. >>>>> >>>>> You can add the -vv option after ipa to see fully what is going on, >>>>> e.g. >>>>> ipa -vv user-show admin >>>>> >>>>> To manage your keyring use the keyctl command like: >>>>> >>>>> $ keyctl list @s >>>>> 2 keys in keyring: >>>>> 353548226: --alswrv 1000 -1 keyring: _uid.1000 >>>>> 941350591: --alswrv 1000 1000 user: ipa_session_cookie >>>>> >>>>> To remove a key: >>>>> >>>>> $ keyctl unlink 941350591 @s >>>>> >>>>> rob >>>> >>>> Hmm, this doesn't play too nice with the lite-server. Let me see if I >>>> can track it down. The ccache is being removed, probably as part of the >>>> session code. Sessions don't make sense with the lite server since it >>>> uses the local ccache directly. >>> >>> Updated patch. Don't clean up the ccache if in the lite-server. >>> >>> rob >>> >> >> Good job there. I tested various scenarios (2 master, fallback with SRV >> records, old client (RHEL 6.2)) and most worked for me, but only I >> worked under the root account. 
>> This is what I got with non-root:
>>
>> $ ipa user-show admin
>> ...
>> ipa: DEBUG: stderr=
>> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie
>> ipa: DEBUG: stdout=113632397
>>
>> ipa: DEBUG: stderr=
>> ipa: DEBUG: args=keyctl pupdate 113632397
>> ipa: DEBUG: stdout=
>> ipa: DEBUG: stderr=keyctl_update: Permission denied
>> ipa: INFO: trying https://vm-131.idm.lab.bos.redhat.com/ipa/session/xml
>> ipa: DEBUG: NSSConnection init vm-131.idm.lab.bos.redhat.com
>> ipa: ERROR: cannot connect to 'any of the configured servers': ...
>>
>> Shouldn't we use @us instead of @s for storing user session keys?
>>
>>
>> Secondly, I wonder if we also plan to add some logout command? This way
>> even if I do kdestroy, the session still exists and someone else may
>> still execute commands.
>>
>> Martin
>
> Also: keyctl is in the keyutils package, which we need to depend on.
>

Nice catch, updated patch.

I also included a bit more about why I chose @s instead of @us. Basically it is so a different shell can have a different session and therefore a different identity.

I'm going to open a ticket for the logout. For the short-term one can do something like:

$ keyctl purge user

Or more precisely:

$ keyctl list @s
2 keys in keyring:
353548226: --alswrv 1000 -1 keyring: _uid.1000
207626975: --alswrv 1000 1000 user: ipa_session_cookie
$ keyctl unlink 207626975
1 links removed

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-1024-3-session.patch
Type: text/x-diff
Size: 28255 bytes
Desc: not available
URL:

From jdennis at redhat.com Tue Jun 12 18:39:23 2012
From: jdennis at redhat.com (John Dennis)
Date: Tue, 12 Jun 2012 14:39:23 -0400
Subject: [Freeipa-devel] Python debugging tip
Message-ID: <4FD78CDB.6060807@redhat.com>

Every so often I'm confronted with being unable to determine where an exception is being raised. Unfortunately pdb (Python debugger) cannot be set to break on an exception (oddly missing functionality).

It turns out that pdb is built upon a simple Python API, a callback that is invoked whenever the interpreter "steps". The callback is set with sys.settrace() (see Python doc for full explanation).

To find my elusive exception I simply added this tiny bit of code that sets the tracing function and whenever a TypeError occurred it printed out the stacktrace. Caveat, it's verbose, will print out every TypeError exception including those you're not looking for and it will do so for every place on the stack. A somewhat minor inconvenience if you can't find the exception using any of the other means. You can of course tweak this to be much more specific by examining the other context information passed to the callback but for a quick dirty hack it didn't seem worthwhile.

Hope it's useful to someone.

John

    import sys
    import traceback

    def tracefunc(frame, event, arg):
        # 'exception' fires in the frame that raises and again in every
        # frame the exception unwinds through, hence the repeated output
        if event == 'exception':
            exc, value, tb = arg
            if isinstance(value, TypeError):
                print(">>> Exception %s" % value)
                print(''.join(traceback.format_tb(tb)))
        # returning the function itself keeps it installed as the local
        # trace function for each new frame
        return tracefunc

    sys.settrace(tracefunc)

-- 
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From rcritten at redhat.com Tue Jun 12 20:24:36 2012
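An added example, not part of John's message, built on the same sys.settrace() hook: it addresses the caveat above by remembering each exception object and keeping only its first 'exception' event, which is the frame where it was raised, so a swallowed TypeError three calls deep is still pinned to its origin. The functions _parse_port, _load_config and load_with_fallback are constructed for the demonstration.

```python
import sys
import traceback


class ExceptionTracer(object):
    """Record the raise site of every exception of a given type.

    The 'exception' trace event fires first in the frame that raises and
    then once more in every frame the exception unwinds through. Keying on
    the exception object keeps only the first event, i.e. the raise site,
    and exceptions that are caught and swallowed further up are recorded
    too, since the raise happened before the except clause ran.
    """

    def __init__(self, exc_type, verbose=False):
        self.exc_type = exc_type
        self.verbose = verbose
        self.sites = []      # (filename, lineno, function, message)
        self._seen = {}      # id(exc) -> exc, held so ids are not reused
        self._prev = None

    def _trace(self, frame, event, arg):
        if event == 'exception':
            _exc, value, tb = arg
            if isinstance(value, self.exc_type) and id(value) not in self._seen:
                self._seen[id(value)] = value
                site = (frame.f_code.co_filename, frame.f_lineno,
                        frame.f_code.co_name, str(value))
                self.sites.append(site)
                if self.verbose:
                    print(">>> %s raised at %s:%d in %s(): %s"
                          % (type(value).__name__, site[0], site[1],
                             site[2], site[3]))
                    print(''.join(traceback.format_tb(tb)))
        # Returning self keeps tracing local events in each new frame
        return self._trace

    def __enter__(self):
        # Only frames created after settrace() are traced, so the code of
        # interest must be called from inside the with block
        self._prev = sys.gettrace()
        sys.settrace(self._trace)
        return self

    def __exit__(self, *exc_info):
        sys.settrace(self._prev)
        return False   # never swallow an exception escaping the block


# Constructed sample code under test: the raise is three calls deep and
# the outermost caller swallows it, so no traceback ever reaches the user.
def _parse_port(value):
    if not isinstance(value, str):
        raise TypeError("port must be a string, got %r" % (value,))
    return int(value)


def _load_config(raw):
    return {"port": _parse_port(raw["port"])}


def load_with_fallback(raw):
    """Swallow the TypeError and fall back, as buggy code often does."""
    try:
        return _load_config(raw)
    except TypeError:
        return {"port": 389}


def locate_type_errors(raw, verbose=False):
    """Run load_with_fallback() under the tracer; return the raise sites."""
    with ExceptionTracer(TypeError, verbose=verbose) as tracer:
        load_with_fallback(raw)
    return tracer.sites


if __name__ == '__main__':
    # The swallowed TypeError is reported once, at the raise in _parse_port()
    for filename, lineno, func, msg in locate_type_errors({"port": 389}):
        print("TypeError %r raised in %s() at %s:%d" % (msg, func, filename, lineno))
```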
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 12 Jun 2012 16:24:36 -0400 Subject: [Freeipa-devel] [PATCH] 274 Password change capability for form-based auth In-Reply-To: <1339510630.26346.18.camel@balmora.brq.redhat.com> References: <1338987954.9625.19.camel@balmora.brq.redhat.com> <4FD1633F.4090601@redhat.com> <1339124835.8230.487.camel@willson.li.ssimo.org> <1339403805.19118.4.camel@balmora.brq.redhat.com> <1339417057.19118.26.camel@balmora.brq.redhat.com> <4FD63040.3080106@redhat.com> <1339510630.26346.18.camel@balmora.brq.redhat.com> Message-ID: <4FD7A584.8030401@redhat.com> Martin Kosek wrote: > On Mon, 2012-06-11 at 13:52 -0400, Rob Crittenden wrote: >> Martin Kosek wrote: >>> On Mon, 2012-06-11 at 10:36 +0200, Martin Kosek wrote: >>>> On Thu, 2012-06-07 at 23:07 -0400, Simo Sorce wrote: >>>>> On Thu, 2012-06-07 at 22:28 -0400, Rob Crittenden wrote: >>>>>> Martin Kosek wrote: >>>>>>> You can use the attached script (changepw.py) to test the PW change >>>>>>> interface from command line (on IPA server). >>>>>>> >>>>>>> --- >>>>>>> >>>>>>> IPA server web form-based authentication allows logins for users >>>>>>> which for some reason cannot use Kerberos authentication. However, >>>>>>> when a password for such users expires, they are unable change the >>>>>>> password via web interface. >>>>>>> >>>>>>> This patch adds a new WSGI script attached to URL >>>>>>> /ipa/session/change_password which can be accessed without >>>>>>> authentication and which provides password change capability >>>>>>> for web services. >>>>>>> >>>>>>> The actual password change in the script is processed with kpasswd >>>>>>> to be consistent with /ipa/session/login_password. 
>>>>>>> >>>>>>> Password result is passed both in the resulting HTML page, but >>>>>>> also in HTTP headers for easier parsing in web services: >>>>>>> X-IPA-Pwchange-Result: {ok, invalid-password, policy-error} >>>>>>> (optional) X-IPA-Pwchange-Policy-Error: $policy_error_text >>>>>>> >>>>>>> https://fedorahosted.org/freeipa/ticket/2276 >>>>>> >>>>>> It is probably more efficient to change the password using ldap. Simo, >>>>>> do you know of an advantage of using one over the other? Better password >>>>>> policy reporting may be reason enough. >>>>> >>>>> Yes you'll get better error reporting, plus forking out kpasswd is quite >>>>> ugly, the python ldap code should be able to use the ldap passwd extend >>>>> op quite easily. >>>>> >>>>> Simo. >>>>> >>>> >>>> Ok, sending a second version of the patch based on password change via >>>> LDAP. The error reporting is indeed easier and with no hard-coded >>>> parsing. >>>> >>>> Martin >>> >>> This patch will only work with SELinux disabled, it seems there is a >>> regression in SELinux policy which does not allow httpd to connect to >>> dirsrv socket. I logged a Bug: >>> >>> https://bugzilla.redhat.com/show_bug.cgi?id=830764 >>> >>> This issue also disables other pages using dirsrv socket, like the >>> migration page or password-expiration detection in form-based auth. >>> >>> Martin >> >> For '200 Success' you can use rpcserver.HTTP_STATUS_SUCCESS. > > Fixed. > >> >> This works ok and does successfully change passwords but I don't like >> the logging very much. > > Actually it does, it just did it in DEBUG level. > > I adapted the logging style from /ipa/session/login_password WSGI > script, but I see that since this is a special page, it should have a > bit different logging. > > Under normal conditions, it now prints a line when > - the WSGI script is started on INFO level, i.e. 
> in httpd error_log by
> default
> - parameters are validated and we start password change for user (user
> is now printed in log too - this will be useful)
> - when the WSGI script finishes - with either success or error status
>
>> It should say that this is the password request
>> URI somewhere at a minimum. Having the HTTP response is a bit strange
>> too, and I don't know if a 400 should be logged as info.
>
> I used bad_request method of HTTP_Status class. It uses info log level
> for 400 statuses. I can change that, but it will be changed for all WSGI
> scripts using HTTP_Status. So far, judging from what I saw in
> rpcserver.py we use error log level when there is a problem on our side
> and not in a user request...
>
>>
>> I think this test program could be made into a test suite too,
>> particularly to check the more esoteric parts like checking for missing
>> options, too many options, etc.
>>
>> rob
>
> I added a test suite exercising this WSGI script. It is based on
> built-in httplib instead of original pyCurl - it has much better output
> parsing and is easier to handle.
>
> The new unit test tests bad options, authentication errors and of course
> successful password change, including a verification that the
> password was actually changed.
>
> Martin

ACK, pushed to master. I like the tests very much.

rob

From rcritten at redhat.com Tue Jun 12 21:14:05 2012
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 12 Jun 2012 17:14:05 -0400 Subject: [Freeipa-devel] [PATCH] 0061 Improve ipa-client-install debug output In-Reply-To: <4FD60324.7030901@redhat.com> References: <4FD60324.7030901@redhat.com> Message-ID: <4FD7B11D.2020407@redhat.com> Petr Viktorin wrote: > I went through all the output/debug messages in ipa-client-install, > removed duplicates, and routed them through the log manager. > > I used these log levels: > DEBUG - detailed messages the user probably doesn't want to see (only > printed to console with --debug) > INFO - progress reports ("Configured /etc/sssd/sssd.conf") and > instructions ("You may need to restart services or reboot the machine.") > WARNING - something unusual that may require attention > ERROR - something went wrong > > Obviously there's some overlap there. > > > On the console, the messages are now prefixed with the log level. This > should bring attention to the warnings/errors. > Does this format look okay? > I think the current default console_format, which prefixes the logger > name (ipa) and the level, is too verbose. I agree. I'm not a fan of printing the log level, it is very distracting. This is a good start but the DNS discovery area needs more work. I've found it very difficult to look at a log and figure out where the domain and hostname came from (user provided or discovered?) and trace how the discovery is working. There is currently a lot of smoke and noise and very little useful information. rob From edewata at redhat.com Tue Jun 12 23:24:15 2012 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 12 Jun 2012 18:24:15 -0500 Subject: [Freeipa-devel] [PATCH] 155 Action panel for host enrollment In-Reply-To: <4FCF7E4E.8000000@redhat.com> References: <4FCF7E4E.8000000@redhat.com> Message-ID: <4FD7CF9F.3000506@redhat.com> On 6/6/2012 10:59 AM, Petr Vobornik wrote: > Widgets in host enrollment sections were modified. They now serve only > for displaying of has_key and has_password status. Functionality for > setting otp and unprovisioning was moved to separate dialogs. Execution > points for opening of these dialogs are items in new action panel in > enrollment section. ACK. -- Endi S. Dewata From edewata at redhat.com Tue Jun 12 23:24:20 2012 From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 12 Jun 2012 18:24:20 -0500 Subject: [Freeipa-devel] [PATCH] 156 Action panel for service provisioning In-Reply-To: <4FD06BEA.3020905@redhat.com> References: <4FD06BEA.3020905@redhat.com> Message-ID: <4FD7CFA4.8030804@redhat.com> On 6/7/2012 3:52 AM, Petr Vobornik wrote: > Service provisioning status widget was modified only to display the > has_keytab status. Button for 'delete key,unprovision' was moved as > action to newly created action panel in the same section. This required > moving the creation of the unprovisioning dialog from that widget to > new separate dialog. > > Action for action panel and all required status evaluators for > enabling/disabling of that action were also created. > > https://fedorahosted.org/freeipa/ticket/2252 ACK. -- Endi S. Dewata From edewata at redhat.com Tue Jun 12 23:24:39 2012
From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 12 Jun 2012 18:24:39 -0500 Subject: [Freeipa-devel] [PATCH] 157 Added password reset capabilities to unauthorized dialog In-Reply-To: <4FD21FD4.4030301@redhat.com> References: <4FD21F9E.5000201@redhat.com> <4FD21FD4.4030301@redhat.com> Message-ID: <4FD7CFB7.3020609@redhat.com> On 6/8/2012 10:52 AM, Petr Vobornik wrote: > and now the patch... > On 06/08/2012 05:51 PM, Petr Vobornik wrote: >> For those of you who are only interested in the user perspective I prepared a >> set of screenshots to demonstrate the workflow of password reset: >> http://pvoborni.fedorapeople.org/ux/reset_password_workflow.png >> >> Patch depends on mkosek #274. >> >> Web UI was missing a way to reset an expired password for a normal user. >> Recent server patch added API for such task. This patch is adding reset >> password form to unauthorized dialog. >> >> If user tries to login using form-based authentication and his password >> is expired login form transforms to reset password form. The username >> and current password are populated by values from previous login attempt. >> User then has to enter new password and its verification. Then he can >> hit enter button on keyboard or click on reset button on dialog to >> perform the password reset. Error is displayed if some part of password >> reset fails. If it is successful new login with values entered for >> password reset is performed. It should log in the user. In password reset >> form user can click on back button or hit escape on keyboard to go back >> to login form. >> >> https://fedorahosted.org/freeipa/ticket/2755 It works with mkosek 274-2. Some comments: 1. If you click 'form-based authentication' the dialog title still shows 'Kerberos ticket no longer valid' which is not relevant for form-based authentication. It might be better to use 'Login' as the title for all pages in this dialog. 2.
Instead of having to go to a separate page for form-based authentication, would it be better to change the first page in the login dialog to show the login form? Something like this: Login ----------------------------------------------------- Your session has expired. Please re-login. To login with username and password: Username: [edewata ] Password: [******** ] [Login] To login with Kerberos, please make sure you have valid tickets (obtainable via kinit) and [configured] the browser correctly. [Login with Kerberos] The two login mechanisms can be shown at the same time like above or in collapsible sections. If the user enters a password and it's expired, the dialog will change into: Login ----------------------------------------------------- Your password has expired. Please enter a new password: Username: edewata New Password: [******** ] Verify Password: [******** ] [Reset Password and Login] [Cancel] In this page the username is shown for info only, it's not editable. The old password is not shown again, but kept in memory. I use Cancel instead of Back to indicate that we are starting over. The Cancel button will bring you back to the first page. 3. I noticed that the password is kept in memory too long by the login dialog so if you go back and forth between the pages the fields are already populated. This might be a security risk. I think the username & password should be cleaned up when you click Back/Cancel. 4. Is there a plan to provide password reset via email? -- Endi S. Dewata From edewata at redhat.com Tue Jun 12 23:25:10 2012 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 12 Jun 2012 18:25:10 -0500 Subject: [Freeipa-devel] [PATCH] 158 Separate reset password page In-Reply-To: <4FD22051.7060308@redhat.com> References: <4FD22051.7060308@redhat.com> Message-ID: <4FD7CFD6.1040209@redhat.com> On 6/8/2012 10:54 AM, Petr Vobornik wrote: > This patch adds separate reset password page. It is a complement to > separate login page. It differs from reset password capabilities > in Web UI's unauthorized dialog by not performing login. This is useful > for users who want only to reset the password and not to use Web UI. > And also for users who are using the separate login page. > > https://fedorahosted.org/freeipa/ticket/2755 It also works with mkosek 274-2 (but needs rebase). If the password reset is successful, the page shows a link to the login page, but it also still shows the password reset form. I think it's very unlikely that the user will want to change the password again, so it might be better not to show the form, but provide a link to the form just in case the user needs to do it again. -- Endi S. Dewata From mkosek at redhat.com Wed Jun 13 07:19:50 2012
From: mkosek at redhat.com (Martin Kosek) Date: Wed, 13 Jun 2012 09:19:50 +0200 Subject: [Freeipa-devel] [PATCH] 1024 add client session support In-Reply-To: <4FD78608.4060009@redhat.com> References: <4FD0EA6B.3040801@redhat.com> <4FD0F9DD.6040504@redhat.com> <4FD169B7.3030906@redhat.com> <1339433382.19118.43.camel@balmora.brq.redhat.com> <4FD74E13.4050506@redhat.com> <4FD78608.4060009@redhat.com> Message-ID: <1339571990.2965.11.camel@balmora.brq.redhat.com> On Tue, 2012-06-12 at 14:10 -0400, Rob Crittenden wrote: > Petr Viktorin wrote: > > On 06/11/2012 06:49 PM, Martin Kosek wrote: > >> On Thu, 2012-06-07 at 22:55 -0400, Rob Crittenden wrote: > >>> Rob Crittenden wrote: > >>>> Rob Crittenden wrote: > >>>>> This adds client session support. The session key is stored in the > >>>>> kernel key ring. > >>>>> > >>>>> Your first request should go to /ipa/session/xml where it should be > >>>>> rejected with a 401. The next will go to /ipa/xml which will be > >>>>> accepted. This should all be invisible to the client. > >>>>> > >>>>> Subsequent requests should go to /ipa/session/xml which should let you > >>>>> in with the cookie. > >>>>> > >>>>> You can add the -vv option after ipa to see fully what is going on, > >>>>> e.g. > >>>>> ipa -vv user-show admin > >>>>> > >>>>> To manage your keyring use the keyctl command like: > >>>>> > >>>>> $ keyctl list @s > >>>>> 2 keys in keyring: > >>>>> 353548226: --alswrv 1000 -1 keyring: _uid.1000 > >>>>> 941350591: --alswrv 1000 1000 user: ipa_session_cookie > >>>>> > >>>>> To remove a key: > >>>>> > >>>>> $ keyctl unlink 941350591 @s > >>>>> > >>>>> rob > >>>> > >>>> Hmm, this doesn't play too nice with the lite-server. Let me see if I > >>>> can track it down. The ccache is being removed, probably as part of the > >>>> session code. Sessions don't make sense with the lite server since it > >>>> uses the local ccache directly. > >>> > >>> Updated patch. Don't clean up the ccache if in the lite-server. 
> >>> > >>> rob > >>> > >> > >> Good job there. I tested various scenarios (2 master, fallback with SRV > >> records, old client (RHEL 6.2)) and most worked for me, but I only > >> worked under the root account. This is what I got with non-root: > >> > >> $ ipa user-show admin > >> ... > >> ipa: DEBUG: stderr= > >> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie > >> ipa: DEBUG: stdout=113632397 > >> > >> ipa: DEBUG: stderr= > >> ipa: DEBUG: args=keyctl pupdate 113632397 > >> ipa: DEBUG: stdout= > >> ipa: DEBUG: stderr=keyctl_update: Permission denied > >> ipa: INFO: trying https://vm-131.idm.lab.bos.redhat.com/ipa/session/xml > >> ipa: DEBUG: NSSConnection init vm-131.idm.lab.bos.redhat.com > >> ipa: ERROR: cannot connect to 'any of the configured servers': ... > >> > >> Shouldn't we use @us instead of @s for storing user session keys? > >> > >> > >> Secondly, I wonder if we also plan to add some logout command? This way > >> even if I do kdestroy, the session still exists and someone else may > >> still execute commands. > >> > >> Martin > > > > Also: keyctl is in the keyutils package, which we need to depend on. > > > > Nice catch, updated patch. Thanks. It just needs rebasing (conflicts with pushed password change capability). > > I also included a bit more about why I chose @s instead of @us. > Basically it is so a different shell can have a different session and > therefore a different identity. Hm, personally I am not sure why I would want to have two different identities in different shells, maybe for custom scripts? There is a disadvantage to using @s over @us though.
This use case will fail: # kinit admin Password for admin at IDM.LAB.BOS.REDHAT.COM: # ipa user-show admin User login: admin Last name: Administrator Home directory: /home/admin Login shell: /bin/bash UID: 384000000 GID: 384000000 Account disabled: False Password: True Member of groups: admins, trust admins Kerberos keys available: True # su admin $ kinit admin Password for admin at IDM.LAB.BOS.REDHAT.COM: $ ipa user-show admin ipa: ERROR: cannot connect to 'any of the configured servers': https://vm-021.idm.lab.bos.redhat.com/ipa/session/xml, https://vm-131.idm.lab.bos.redhat.com/ipa/session/xml This fails because the session under "su" does not have permission to update the key. Btw this worked for me when I used @us instead of @s. > > I'm going to open a ticket for the logout. For the short-term one can do > something like: > > $ keyctl purge user > > Or more precisely: > > $ keyctl list @s > 2 keys in keyring: > 353548226: --alswrv 1000 -1 keyring: _uid.1000 > 207626975: --alswrv 1000 1000 user: ipa_session_cookie > $ keyctl unlink 207626975 > 1 links removed Ok, I think this is fine for now. Martin From mkosek at redhat.com Wed Jun 13 08:15:16 2012
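The keyring handling discussed above, as an added example that is not the FreeIPA client code: Python that stores, updates, reads and unlinks a user key called ipa_session_cookie (the description from the thread) through the raw add_key(2) and keyctl(2) syscalls, with the keyring chosen by the same special IDs keyctl(1) spells @s (KEY_SPEC_SESSION_KEYRING) and @us (KEY_SPEC_USER_SESSION_KEYRING). The syscall numbers are assumed for x86_64 and aarch64 Linux only. The update step is the one that fails with "Permission denied" in the su case above: the su'd shell inherits the session keyring and can still search root's key in it, but has no write permission on that key, whereas with @us each UID gets its own keyring and simply creates its own key.

```python
"""Added example, not FreeIPA's client code: the keyring operations from the
thread (keyctl search/padd/pupdate/unlink) via raw add_key(2) and keyctl(2).
Assumptions: Linux on x86_64 or aarch64 (syscall numbers below) and the key
description "ipa_session_cookie" as used in the thread."""
import ctypes
import os
import platform

# Special keyring IDs from <linux/keyctl.h>: what keyctl(1) calls @s and @us.
KEY_SPEC_SESSION_KEYRING = -3       # @s: per login session, inherited by children
KEY_SPEC_USER_SESSION_KEYRING = -5  # @us: one per UID, shared by that UID's sessions

KEYCTL_UPDATE = 2
KEYCTL_UNLINK = 9
KEYCTL_SEARCH = 10
KEYCTL_READ = 11

KEY_TYPE = b"user"
KEY_DESCRIPTION = b"ipa_session_cookie"

# (add_key, keyctl) syscall numbers; other architectures are not covered here.
_SYSCALLS = {"x86_64": (248, 250), "aarch64": (217, 219)}

_libc = ctypes.CDLL(None, use_errno=True)
_libc.syscall.restype = ctypes.c_long


def _syscall(which, *args):
    """Invoke add_key (which=0) or keyctl (which=1); raise OSError on failure."""
    try:
        nr = _SYSCALLS[platform.machine()][which]
    except KeyError:
        raise OSError(f"no syscall numbers for {platform.machine()}") from None
    ret = _libc.syscall(ctypes.c_long(nr), *args)
    if ret < 0:
        err = ctypes.get_errno()
        raise OSError(err, os.strerror(err))
    return ret


def find_cookie_key(keyring):
    """Serial of the cookie key reachable from `keyring`, or None (keyctl search)."""
    try:
        return _syscall(1, ctypes.c_long(KEYCTL_SEARCH), ctypes.c_long(keyring),
                        KEY_TYPE, KEY_DESCRIPTION, ctypes.c_long(0))
    except OSError:
        return None


def store_cookie(keyring, cookie):
    """keyctl padd on first use, keyctl pupdate afterwards; returns the serial.
    The update needs write permission on the existing key, which is what a
    different UID that inherited the same @s lacks."""
    payload = cookie.encode()
    serial = find_cookie_key(keyring)
    if serial is None:
        return _syscall(0, KEY_TYPE, KEY_DESCRIPTION, payload,
                        ctypes.c_size_t(len(payload)), ctypes.c_long(keyring))
    _syscall(1, ctypes.c_long(KEYCTL_UPDATE), ctypes.c_long(serial),
             payload, ctypes.c_size_t(len(payload)))
    return serial


def load_cookie(keyring):
    """The cookie string, or None when no key is linked (keyctl print)."""
    serial = find_cookie_key(keyring)
    if serial is None:
        return None
    buf = ctypes.create_string_buffer(256)
    n = _syscall(1, ctypes.c_long(KEYCTL_READ), ctypes.c_long(serial),
                 buf, ctypes.c_size_t(len(buf)))
    if n > len(buf):  # payload larger than the guess: size the buffer and reread
        buf = ctypes.create_string_buffer(n)
        n = _syscall(1, ctypes.c_long(KEYCTL_READ), ctypes.c_long(serial),
                     buf, ctypes.c_size_t(len(buf)))
    return buf.raw[:n].decode()


def forget_cookie(keyring):
    """The logout the thread asks for: keyctl unlink. True if a key was removed."""
    serial = find_cookie_key(keyring)
    if serial is None:
        return False
    _syscall(1, ctypes.c_long(KEYCTL_UNLINK), ctypes.c_long(serial),
             ctypes.c_long(keyring))
    return True


def roundtrip(keyring, first, second):
    """Store, overwrite, read back and drop a cookie; returns what was observed."""
    s1 = store_cookie(keyring, first)
    seen1 = load_cookie(keyring)
    s2 = store_cookie(keyring, second)
    seen2 = load_cookie(keyring)
    removed = forget_cookie(keyring)
    return (s1 == s2, seen1, seen2, removed, load_cookie(keyring))


if __name__ == "__main__":
    print(roundtrip(KEY_SPEC_SESSION_KEYRING, "ipa_session=first", "ipa_session=second"))
```

Run it once as root and again after su to another user in the same shell to reproduce the failure from the thread; switch the keyring argument to KEY_SPEC_USER_SESSION_KEYRING to see the second user get its own key instead. Container seccomp profiles commonly deny add_key and keyctl, in which case every call raises EPERM.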
From: mkosek at redhat.com (Martin Kosek) Date: Wed, 13 Jun 2012 10:15:16 +0200 Subject: [Freeipa-devel] [PATCH] 272-273 Add service membership to host objects In-Reply-To: <4FD63AFE.9040400@redhat.com> References: <1338904536.28796.41.camel@balmora.brq.redhat.com> <4FCE7B97.7020003@redhat.com> <1338962500.9625.2.camel@balmora.brq.redhat.com> <4FCF02A5.90206@redhat.com> <1338967035.9625.3.camel@balmora.brq.redhat.com> <4FD63AFE.9040400@redhat.com> Message-ID: <1339575316.2965.17.camel@balmora.brq.redhat.com> On Mon, 2012-06-11 at 14:37 -0400, Rob Crittenden wrote: > Martin Kosek wrote: > > On Wed, 2012-06-06 at 09:11 +0200, Petr Vobornik wrote: > >> On 06/06/2012 08:01 AM, Martin Kosek wrote: > >>> On Tue, 2012-06-05 at 17:35 -0400, Rob Crittenden wrote: > >>>> Martin Kosek wrote: > >>>>> This set of patches > >>>>> 1) Adds support for uni-directional remote membership to baseldap > >>>>> plugin (like service->host membership in service managedby attribute) - > >>>>> patch 272 > >>>>> 2) Adds support for service->host membership to host plugin using the > >>>>> new interface - patch 273 > >>>>> > >>>>> Martin > >>>> > >>>> Have you tried this in the UI? Are these new relationships already handled? > >>>> > >>>> rob > >>> > >>> I just checked that I didn't break anything in the host page. But with > >>> this patch, we could add a tab with a list of services for a selected > >>> host. I will check with Petr if the information we provide is enough. > >>> > >>> Martin > >>> > >> > >> Provided information is sufficient for implementation of UI part. > >> > > > > Thanks Petr, I created a ticket for Web UI to implement this new > > relationship: > > https://fedorahosted.org/freeipa/ticket/2812 > > > > Martin > > > > This is displaying the DN of the service which is case-insensitive, so > for example the HTTP principal shows as : http/ipa.example.com. Perhaps > take the RDN and pull that attribute specifically?
> > rob Yes, this is caused by our (member) DN normalizing which is a more general issue than this patch (I would not hold it because of that). Look for example at roles, we also put all privilege member DNs in lower case: # ipa role-show helpdesk Role name: helpdesk Description: Helpdesk > Privileges: modify users and reset passwords, modify group membership DNs are normalized as well: # ipa role-show helpdesk --all --raw dn: cn=helpdesk,cn=roles,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com cn: helpdesk description: Helpdesk memberof: cn=modify users and reset passwords,cn=privileges,cn=pbac,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com ... # ipa privilege-show "modify users and reset passwords" Privilege name: Modify Users and Reset passwords <<< not lowercase Bottom line is that I would not do any extra processing just for "remote_attrs" (which would make it inconsistent with the rest). This needs to be solved on a more global level. I see there are at least these two tickets relevant to this issue: #2620 renaming of objects is case insensitive #2482 Sudo commands are case-insensitive Martin From sbose at redhat.com Wed Jun 13 08:36:04 2012
From: sbose at redhat.com (Sumit Bose) Date: Wed, 13 Jun 2012 10:36:04 +0200 Subject: [Freeipa-devel] [PATCH] move samba4-specific python code to a subpackage In-Reply-To: <20120612130812.GS25726@redhat.com> References: <20120612130812.GS25726@redhat.com> Message-ID: <20120613083604.GF20850@localhost.localdomain> On Tue, Jun 12, 2012 at 04:08:12PM +0300, Alexander Bokovoy wrote: > DCERPC code in AD trusts implementation depends on Samba 4 Python > bindings. > > Make this dependency optional for main freeipa-server package by moving > the dependency to freeipa-server-trust-ad subpackage. > > Main interface to AD trusts (ipalib/plugins/trust.py) will still stay, > as well as LDIF files and updates as they are not causing real > dependency. > > https://fedorahosted.org/freeipa/ticket/2821 ACK, build and install works fine. The freeipa-server now only has a dependency on libraries from samba4-libs because of ipadb.so and libipa_cldap.so. One might argue that libipa_cldap.so can be moved to freeipa-server-trust-ad as well, but since ipadb.so cannot be removed and libipa_cldap.so does not add extra dependencies, I think it can stay in freeipa-server as well. bye, Sumit > > -- > / Alexander Bokovoy From abokovoy at redhat.com Wed Jun 13 09:06:26 2012
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Wed, 13 Jun 2012 12:06:26 +0300 Subject: [Freeipa-devel] [PATCH] move samba4-specific python code to a subpackage In-Reply-To: <20120613083604.GF20850@localhost.localdomain> References: <20120612130812.GS25726@redhat.com> <20120613083604.GF20850@localhost.localdomain> Message-ID: <20120613090626.GT25726@redhat.com> On Wed, 13 Jun 2012, Sumit Bose wrote: >On Tue, Jun 12, 2012 at 04:08:12PM +0300, Alexander Bokovoy wrote: >> DCERPC code in AD trusts implementation depends on Samba 4 Python >> bindings. >> >> Make this dependency optional for main freeipa-server package by moving >> the dependency to freeipa-server-trust-ad subpackage. >> >> Main interface to AD trusts (ipalib/plugins/trust.py) will still stay, >> as well as LDIF files and updates as they are not causing real >> dependency. >> >> https://fedorahosted.org/freeipa/ticket/2821 > >ACK, build and install works fine. The freeipa-server now only has a >dependency to libraries from samba4-libs because of ipadb.so and >libipa_cldap.so. One might argue that libipa_cldap.so can be moved to >freeipa-server-trust-ad as well, but since ipadb.so cannot be removed >and libipa_cldap.so does not add extra dependencies, I think it can stay >in freeipa-server as well. Thanks. Pushed to master. -- / Alexander Bokovoy From sbose at redhat.com Wed Jun 13 10:26:43 2012 
From: sbose at redhat.com (Sumit Bose) Date: Wed, 13 Jun 2012 12:26:43 +0200 Subject: [Freeipa-devel] [PATCH] 18 Add external domain extop DS plugin In-Reply-To: <20120611144617.GR25726@redhat.com> References: <20120323125234.GU2301@localhost.localdomain> <20120607092729.GM8124@localhost.localdomain> <20120611144617.GR25726@redhat.com> Message-ID: <20120613102642.GG20850@localhost.localdomain> On Mon, Jun 11, 2012 at 05:46:17PM +0300, Alexander Bokovoy wrote: > On Thu, 07 Jun 2012, Sumit Bose wrote: > >On Fri, Mar 23, 2012 at 01:52:34PM +0100, Sumit Bose wrote: > >>Hi, > >> > >>these two patches introduce a new extended operation to the IPA server > >>which can be used by clients in the IPA domain to obtain information > >>about users and groups from trusted domains. Currently this exop is used > >>by the sssd sub-domain patch to map user names from a trusted AD domain > >>to a SID and back. There is also some code for other kinds of requests > >>which might become useful in future, e.g. with trusted IPA domain. > >> > >>I added some unit tests and added a check for the check unit test framework > >>for C (http://check.sourceforge.net/) which is used by sssd as well. I > >>modified the spec file so that the test is run during the build of the > >>packages. I hope this is ok. > >> > >>The patches depend on the idmap library patch which was ACKed recently > >>on sssd-devel and as mentioned before the sub-domain patches on > >>sssd-devel can only be fully tested with an IPA server which has these > >>patches applied. > >> > >>Since Alexander is currently rewriting parts of the ipa-adtrust-install > >>utility I stand back from adding activation code for the exop to > >>ipa-adtrust-install and will send a patch when Alexander's changes are > >>available. So currently extdom-extop-conf.ldif has to be loaded manually > >>after replacing $SUFFIX to activate the new exop.
> >> > >>bye, > >>Sumit > > > >Please find a rebased version of the patches which work on top of > >Alexander's latest series of patches. The patches now also contain the > >loading of extdom-extop-conf.ldif and the activation of winbind. > Thanks for the rebase. > > Few comments. > > 1. The extdom plugin should support IDMAP_BOTH. We do provide user private > groups so in our case it should be viewed as preferred output. Thus you > would need to add new response type to cover this case. Currently the plugin only uses winbind to map SIDs to names and back and in the returned user data the user private groups are already respected by setting the GID to the UID. On the client side sssd handles the trusted domains as mpg (magic private group) domains. > > 2. I have tried to look at the plugin description from the point of view of > a system administrator and I failed to understand what it does: > >+#define IPA_EXTDOM_PLUGIN_NAME "ipa-extdom-extop" > >+#define IPA_EXTDOM_FEATURE_DESC "IPA EXTDOM ID mapper" > >+#define IPA_EXTDOM_PLUGIN_DESC "IPA EXTDOM ID mapper Extended Operation plugin" > > In the ipa-extdom-extop-conf.ldif you have the following description: > >+nsslapd-plugindescription: Support resolving IDs in trusted domains to names and back > Probably it is better to reuse the same description in IPA_EXTDOM_PLUGIN_DESC? > > This is a minor point but EXTDOM itself is vague. Maybe we should be more clear > and call it 'IPA trusted domain ID mapper' as it really limits itself to > only trusted domains? We don't dispatch winbind request if the domain is > not found in our list of trusted domains. I have updated the descriptions. I prefer the EXTDOM prefix because there might be future use cases where we might want to get some data from other domains without trust. But I'm happy to change it if you like a different prefix better. > > 3. Could you please define the oid in ipa_extdom.h so that it could be > useful for client code as well?
> >+#define EXOP_EXTDOM_OID "2.16.840.1.113730.3.8.10.4" done New version attached. > > 4. Do we have 'check' tool in RHEL6? yes, current version is check-0.9.8-1.1.el6 Thank you for the review. bye, Sumit > -- > / Alexander Bokovoy -------------- next part -------------- From 879072a11fe0b07876f88f202ab02e07a5cf649e Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Mon, 12 Dec 2011 11:32:06 +0100 Subject: [PATCH] Add configure check for C Unit-Test framework check The framework can be found at http://check.sourceforge.net. --- daemons/configure.ac | 10 ++++++++++ 1 Datei ge?ndert, 10 Zeilen hinzugef?gt(+) diff --git a/daemons/configure.ac b/daemons/configure.ac index deaa47358445fa552f5a9b53c9b65a9550b71d9e..547c907f3c6327507e7b01f7642c7db4a7409391 100644 --- a/daemons/configure.ac +++ b/daemons/configure.ac @@ -240,6 +240,16 @@ PKG_CHECK_MODULES([SAMBAUTIL], [samba-util]) SAMBA40EXTRA_LIBPATH="-L`$PKG_CONFIG --variable=libdir samba-util`/samba" AC_SUBST(SAMBA40EXTRA_LIBPATH) +dnl --------------------------------------------------------------------------- +dnl - Check for check unit test framework http://check.sourceforge.net/ +dnl --------------------------------------------------------------------------- +PKG_CHECK_MODULES([CHECK], [check >= 0.9.5], [have_check=1], [have_check=]) +if test x$have_check = x; then + AC_MSG_WARN([Without the 'CHECK' library, you will be unable to run all tests in the 'make check' suite]) +else + AC_CHECK_HEADERS([check.h],,AC_MSG_ERROR([Could not find CHECK headers])) +fi +AM_CONDITIONAL([HAVE_CHECK], [test x$have_check != x]) dnl --------------------------------------------------------------------------- dnl - Set the data install directory since we don't use pkgdatadir -- 1.7.10.2 -------------- next part -------------- From 9914a84b3cf42cf5007aadf8baf3e59a9fbd3f16 Mon Sep 17 00:00:00 2001 
From: Sumit Bose Date: Wed, 30 Nov 2011 13:29:10 +0100 Subject: [PATCH] Add external domain extop DS plugin This extop can be used by clients of the IPA domain, e.g. sssd, to retrieve data from trusted external domains. It can be used e.g. to map Windows SIDs to user or groups names and back. --- daemons/configure.ac | 19 +- daemons/ipa-slapi-plugins/Makefile.am | 1 + .../ipa-slapi-plugins/ipa-extdom-extop/Makefile.am | 74 +++ .../ipa-extdom-extop/ipa-extdom-extop-conf.ldif | 16 + .../ipa-extdom-extop/ipa_extdom.h | 153 ++++++ .../ipa-extdom-extop/ipa_extdom_common.c | 498 ++++++++++++++++++++ .../ipa-extdom-extop/ipa_extdom_extop.c | 236 ++++++++++ .../ipa-extdom-extop/ipa_extdom_tests.c | 203 ++++++++ freeipa.spec.in | 7 + ipaserver/install/adtrustinstance.py | 14 +- ipaserver/install/service.py | 3 +- 11 Dateien ge?ndert, 1221 Zeilen hinzugef?gt(+), 3 Zeilen entfernt(-) create mode 100644 daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am create mode 100644 daemons/ipa-slapi-plugins/ipa-extdom-extop/README create mode 100644 daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa-extdom-extop-conf.ldif create mode 100644 daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h create mode 100644 daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c create mode 100644 daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c create mode 100644 daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_tests.c diff --git a/daemons/configure.ac b/daemons/configure.ac index 547c907f3c6327507e7b01f7642c7db4a7409391..8f026883569700fc0cd1c60b314cc87ccdbc8c57 100644 --- a/daemons/configure.ac +++ b/daemons/configure.ac 
@@ -237,8 +237,19 @@ PKG_CHECK_MODULES([NDRPAC], [ndr_krb5pac]) PKG_CHECK_MODULES([NDRNBT], [ndr_nbt]) PKG_CHECK_MODULES([NDR], [ndr]) PKG_CHECK_MODULES([SAMBAUTIL], [samba-util]) -SAMBA40EXTRA_LIBPATH="-L`$PKG_CONFIG --variable=libdir samba-util`/samba" +SAMBA40EXTRA_LIBPATH="-L`$PKG_CONFIG --variable=libdir samba-util`/samba -Wl,-rpath=`$PKG_CONFIG --variable=libdir samba-util`/samba" AC_SUBST(SAMBA40EXTRA_LIBPATH) +AC_CHECK_HEADERS([samba-4.0/wbclient.h], + , + [AC_MSG_ERROR([samba-4.0/wbclient.h not found])], + [#include + #include ]) +AC_CHECK_LIB([wbclient], + [wbcLookupSid], + [WBCLIENT_LIBS="$SAMBA40EXTRA_LIBPATH -lwbclient"], + [AC_MSG_ERROR([libwbclient does not have wbcLookupSid])], + [$SAMBA40EXTRA_LIBPATH]) +AC_SUBST(WBCLIENT_LIBS) dnl --------------------------------------------------------------------------- dnl - Check for check unit test framework http://check.sourceforge.net/ @@ -251,6 +262,11 @@ else fi AM_CONDITIONAL([HAVE_CHECK], [test x$have_check != x]) +dnl -- dirsrv is needed for the extdom unit tests -- +PKG_CHECK_MODULES([DIRSRV], [dirsrv]) +dnl -- sss_idmap is needed by the extdom exop -- +PKG_CHECK_MODULES([SSSIDMAP], [sss_idmap]) + dnl --------------------------------------------------------------------------- dnl - Set the data install directory since we don't use pkgdatadir dnl --------------------------------------------------------------------------- @@ -320,6 +336,7 @@ AC_CONFIG_FILES([ ipa-slapi-plugins/ipa-enrollment/Makefile ipa-slapi-plugins/ipa-lockout/Makefile ipa-slapi-plugins/ipa-pwd-extop/Makefile + ipa-slapi-plugins/ipa-extdom-extop/Makefile ipa-slapi-plugins/ipa-winsync/Makefile ipa-slapi-plugins/ipa-version/Makefile ipa-slapi-plugins/ipa-uuid/Makefile diff --git a/daemons/ipa-slapi-plugins/Makefile.am b/daemons/ipa-slapi-plugins/Makefile.am index 29b985e69424c9f2ce453ea3607cdb0e936bcce2..01b8bc330bb9525b54ac3e0493e311d2cafb64e7 100644 --- a/daemons/ipa-slapi-plugins/Makefile.am 
+++ b/daemons/ipa-slapi-plugins/Makefile.am @@ -6,6 +6,7 @@ SUBDIRS = \ ipa-lockout \ ipa-modrdn \ ipa-pwd-extop \ + ipa-extdom-extop \ ipa-uuid \ ipa-version \ ipa-winsync \ diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am b/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am new file mode 100644 index 0000000000000000000000000000000000000000..d93e094b95510cf0ec99b7f7c38ff261c56f310e --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am @@ -0,0 +1,74 @@ +NULL = + +PLUGIN_COMMON_DIR=../common + +INCLUDES = \ + -I. \ + -I$(srcdir) \ + -I$(PLUGIN_COMMON_DIR) \ + -I$(KRB5_UTIL_DIR) \ + -I$(COMMON_BER_DIR) \ + -DPREFIX=\""$(prefix)"\" \ + -DBINDIR=\""$(bindir)"\" \ + -DLIBDIR=\""$(libdir)"\" \ + -DLIBEXECDIR=\""$(libexecdir)"\" \ + -DDATADIR=\""$(datadir)"\" \ + $(AM_CFLAGS) \ + $(LDAP_CFLAGS) \ + $(WBCLIENT_CFLAGS) \ + $(WARN_CFLAGS) \ + $(SSSIDMAP_CFLAGS) \ + $(NULL) + +plugindir = $(libdir)/dirsrv/plugins +plugin_LTLIBRARIES = \ + libipa_extdom_extop.la \ + $(NULL) + +libipa_extdom_extop_la_SOURCES = \ + ipa_extdom_extop.c \ + ipa_extdom_common.c \ + $(NULL) + +libipa_extdom_extop_la_LDFLAGS = -avoid-version + +libipa_extdom_extop_la_LIBADD = \ + $(LDAP_LIBS) \ + $(WBCLIENT_LIBS) \ + $(SSSIDMAP_LIBS) \ + $(NULL) + +if HAVE_CHECK +TESTS = extdom_tests +check_PROGRAMS = extdom_tests +endif + +extdom_tests_SOURCES = \ + ipa_extdom_tests.c \ + ipa_extdom_common.c \ + $(NULL) +extdom_tests_CFLAGS = $(CHECK_CFLAGS) +extdom_tests_LDFLAGS = \ + -rpath $(shell pkg-config --libs-only-L dirsrv | sed -e 's/-L//') \ + $(NULL) +extdom_tests_LDADD = \ + $(CHECK_LIBS) \ + $(LDAP_LIBS) \ + $(WBCLIENT_LIBS) \ + $(DIRSRV_LIBS) \ + $(SSSIDMAP_LIBS) \ + $(NULL) + +appdir = $(IPA_DATA_DIR) +app_DATA = \ + ipa-extdom-extop-conf.ldif \ + $(NULL) + +EXTRA_DIST = \ + README \ + $(app_DATA) \ + $(NULL) + +MAINTAINERCLEANFILES = \ + *~ \ + Makefile.in 
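Review bot: the dirsrv check added to daemons/configure.ac is unconditional even though its own comment says it is only needed for the extdom unit tests, so a build without the check framework (have_check empty, HAVE_CHECK false) still hard-fails when dirsrv.pc is missing; run `PKG_CHECK_MODULES([DIRSRV], [dirsrv])` only when have_check is set, or give it a non-fatal action-if-not-found. In the new ipa-extdom-extop/Makefile.am the test rpath is computed with `-rpath $(shell pkg-config --libs-only-L dirsrv | sed -e 's/-L//')`, which is a GNU make extension and bypasses the $(PKG_CONFIG) that configure resolved; since configure already queries dirsrv, have it AC_SUBST the library directory (as it does for SAMBA40EXTRA_LIBPATH) and reference that variable here.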
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/README b/daemons/ipa-slapi-plugins/ipa-extdom-extop/README new file mode 100644 index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa-extdom-extop-conf.ldif b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa-extdom-extop-conf.ldif new file mode 100644 index 0000000000000000000000000000000000000000..ec51ed26f127410901972053c86a49930d217d82 --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa-extdom-extop-conf.ldif @@ -0,0 +1,16 @@ +dn: cn=ipa_extdom_extop,cn=plugins,cn=config +changetype: add +objectclass: top +objectclass: nsSlapdPlugin +objectclass: extensibleObject +cn: ipa_extdom_extop +nsslapd-pluginpath: libipa_extdom_extop +nsslapd-plugininitfunc: ipa_extdom_init +nsslapd-plugintype: extendedop +nsslapd-pluginenabled: on +nsslapd-pluginid: ipa_extdom_extop +nsslapd-pluginversion: 1.0 +nsslapd-pluginvendor: RedHat +nsslapd-plugindescription: Support resolving IDs in trusted domains to names and back +nsslapd-plugin-depends-on-type: database +nsslapd-basedn: $SUFFIX diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h new file mode 100644 index 0000000000000000000000000000000000000000..bcb3f16ed45d7d36237f95794481377d5306605e --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h 
@@ -0,0 +1,153 @@ +/** BEGIN COPYRIGHT BLOCK + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + * + * Additional permission under GPLv3 section 7: + * + * In the following paragraph, "GPL" means the GNU General Public + * License, version 3 or any later version, and "Non-GPL Code" means + * code that is governed neither by the GPL nor a license + * compatible with the GPL. + * + * You may link the code of this Program with Non-GPL Code and convey + * linked combinations including the two, provided that such Non-GPL + * Code only links to the code of this Program through those well + * defined interfaces identified in the file named EXCEPTION found in + * the source code files (the "Approved Interfaces"). The files of + * Non-GPL Code may instantiate templates or use macros or inline + * functions from the Approved Interfaces without causing the resulting + * work to be covered by the GPL. Only the copyright holders of this + * Program may make changes or additions to the list of Approved + * Interfaces. + * + * Authors: + * Sumit Bose + * + * Copyright (C) 2011 Red Hat, Inc. + * All rights reserved. 
+ * END COPYRIGHT BLOCK **/ + +#ifndef _IPA_EXTDOM_H_ +#define _IPA_EXTDOM_H_ + +#ifdef HAVE_CONFIG_H +# include +#endif + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include + +#include +#include +#include + +#include + + +#define IPA_EXTDOM_PLUGIN_NAME "ipa-extdom-extop" +#define IPA_EXTDOM_FEATURE_DESC "IPA EXTDOM ID mapper" +#define IPA_EXTDOM_PLUGIN_DESC "IPA EXTDOM ID mapper Extended Operation plugin" + +#define IPA_PLUGIN_NAME IPA_EXTDOM_PLUGIN_NAME + +enum input_types { + INP_SID = 1, + INP_NAME, + INP_POSIX_UID, + INP_POSIX_GID +}; + +enum request_types { + REQ_SIMPLE = 1, + REQ_FULL +}; + +enum response_types { + RESP_SID = 1, + RESP_NAME, + RESP_USER, + RESP_GROUP +}; + +struct extdom_req { + enum input_types input_type; + enum request_types request_type; + union { + char *sid; + struct { + char *domain_name; + char *object_name; + } name; + struct { + char *domain_name; + uid_t uid; + } posix_uid; + struct { + char *domain_name; + gid_t gid; + } posix_gid; + } data; +}; + +struct extdom_res { + enum response_types response_type; + union { + char *sid; + struct { + const char *domain_name; + const char *object_name; + } name; + struct { + const char *domain_name; + const char *user_name; + uid_t uid; + gid_t gid; + } user; + struct { + const char *domain_name; + const char *group_name; + gid_t gid; + } group; + } data; +}; + +struct ipa_extdom_ctx { + Slapi_ComponentId *plugin_id; + char *base_dn; +}; + +struct domain_info { + char *flat_name; + char *sid; + char *guid; + struct sss_idmap_ctx *idmap_ctx; +}; + +int parse_request_data(struct berval *req_val, struct extdom_req **_req); +int handle_request(struct ipa_extdom_ctx *ctx, struct extdom_req *req, + struct extdom_res **res); +int create_response(struct extdom_req *req, struct domain_info *domain_info, + const char *domain_name, + const char *name, struct wbcDomainSid *sid, + enum wbcSidType name_type, struct extdom_res **_res); +int 
pack_response(struct extdom_res *res, struct berval **ret_val); +#endif /* _IPA_EXTDOM_H_ */ diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c new file mode 100644 index 0000000000000000000000000000000000000000..294b00d50dd76c6541831b5c53bf70a4d377dcc3 --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c 
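Review bot: EXOP_EXTDOM_OID is still not exported from this header; it is only defined in ipa_extdom_extop.c, so client code cannot pick it up from ipa_extdom.h as was asked for in review. Move `#define EXOP_EXTDOM_OID "2.16.840.1.113730.3.8.10.4"` here next to IPA_EXTDOM_PLUGIN_NAME. The header also declares no destructors for struct extdom_req and struct extdom_res: the strings in extdom_req come from ber_scanf "a" (ber_memalloc), and extdom_res only carries const char * pointers into memory owned by the request, by winbind, or by the callee, so a plain free() of the outer struct (which is what the callers do) cannot release them. Add free_extdom_req()/free_extdom_res() prototypes here and implement them in ipa_extdom_common.c so every caller releases the same set of allocations.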
@@ -0,0 +1,498 @@ +/** BEGIN COPYRIGHT BLOCK + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + * + * Additional permission under GPLv3 section 7: + * + * In the following paragraph, "GPL" means the GNU General Public + * License, version 3 or any later version, and "Non-GPL Code" means + * code that is governed neither by the GPL nor a license + * compatible with the GPL. + * + * You may link the code of this Program with Non-GPL Code and convey + * linked combinations including the two, provided that such Non-GPL + * Code only links to the code of this Program through those well + * defined interfaces identified in the file named EXCEPTION found in + * the source code files (the "Approved Interfaces"). The files of + * Non-GPL Code may instantiate templates or use macros or inline + * functions from the Approved Interfaces without causing the resulting + * work to be covered by the GPL. Only the copyright holders of this + * Program may make changes or additions to the list of Approved + * Interfaces. + * + * Authors: + * Sumit Bose + * + * Copyright (C) 2011 Red Hat, Inc. + * All rights reserved. 
+ * END COPYRIGHT BLOCK **/ + +#ifndef _GNU_SOURCE +#define _GNU_SOURCE 1 /* for asprintf() */ +#endif + +#include +#include + +#include "ipa_extdom.h" +#include "util.h" + +int parse_request_data(struct berval *req_val, struct extdom_req **_req) +{ + BerElement *ber = NULL; + ber_tag_t tag; + ber_int_t input_type; + ber_int_t request_type; + ber_int_t id; + struct extdom_req *req; + +/* We expect the following request: + * ExtdomRequestValue ::= SEQUENCE { + * inputType ENUMERATED { + * sid (1), + * name (2), + * posix uid (3), + * posix gid (3) + * }, + * requestType ENUMERATED { + * simple (1), + * full (2) + * }, + * data InputData + * } + * + * InputData ::= CHOICE { + * sid OCTET STRING, + * name NameDomainData + * uid PosixUid, + * gid PosixGid + * } + * + * NameDomainData ::= SEQUENCE { + * domain_name OCTET STRING, + * object_name OCTET STRING + * } + * + * PosixUid ::= SEQUENCE { + * domain_name OCTET STRING, + * uid INTEGER + * } + * + * PosixGid ::= SEQUENCE { + * domain_name OCTET STRING, + * gid INTEGER + * } + */ + + if (req_val == NULL || req_val->bv_val == NULL || req_val->bv_len == 0) { + return LDAP_PROTOCOL_ERROR; + } + + ber = ber_init(req_val); + if (ber == NULL) { + return LDAP_PROTOCOL_ERROR; + } + + tag = ber_scanf(ber, "{ee", &input_type, &request_type); + if (tag == LBER_ERROR) { + ber_free(ber, 1); + return LDAP_PROTOCOL_ERROR; + } + + req = calloc(sizeof(struct extdom_req), 1); + if (req == NULL) { + return LDAP_OPERATIONS_ERROR; + } + + req->input_type = input_type; + req->request_type = request_type; + + switch (req->input_type) { + case INP_NAME: + tag = ber_scanf(ber, "{aa}}", &req->data.name.domain_name, + &req->data.name.object_name); + break; + case INP_SID: + tag = ber_scanf(ber, "a}", &req->data.sid); + break; + case INP_POSIX_UID: + tag = ber_scanf(ber, "{ai}}", &req->data.posix_uid.domain_name, + &id); + req->data.posix_uid.uid = (uid_t) id; + break; + case INP_POSIX_GID: + tag = ber_scanf(ber, "{ai}}", 
&req->data.posix_gid.domain_name, + &id); + req->data.posix_gid.gid = (gid_t) id; + break; + default: + ber_free(ber, 1); + return LDAP_PROTOCOL_ERROR; + } + ber_free(ber, 1); + if (tag == LBER_ERROR) { + return LDAP_PROTOCOL_ERROR; + } + + *_req = req; + + return LDAP_SUCCESS; +} + +static void free_domain_info(struct domain_info *domain_info) +{ + if (domain_info == NULL) { + return; + } + + sss_idmap_free(domain_info->idmap_ctx); + slapi_ch_free((void **) &domain_info->guid); + slapi_ch_free((void **) &domain_info->sid); + slapi_ch_free((void **) &domain_info->flat_name); + free(domain_info); +} + +/* TODO: A similar call is used in ipa_cldap_netlogon.c, maybe a candidate for + * a common library */ +static int get_domain_info(struct ipa_extdom_ctx *ctx, const char *domain_name, + struct domain_info **_domain_info) +{ + struct domain_info *domain_info = NULL; + Slapi_PBlock *pb = NULL; + Slapi_Entry **e = NULL; + char *filter = NULL; + int ret; + enum idmap_error_code err; + struct sss_idmap_range range; + + pb = slapi_pblock_new(); + if (pb == NULL) { + return ENOMEM; + } + + ret = asprintf(&filter, "(&(|(cn=%s)(ipaNTTrustPartner=%s)(ipaNTFlatName=%s))(objectclass=ipaNTTrustedDomain))", + domain_name, domain_name, domain_name); + if (ret == -1) { + ret = ENOMEM; + goto done; + } + + slapi_search_internal_set_pb(pb, ctx->base_dn, + LDAP_SCOPE_SUBTREE, filter, + NULL, 0, NULL, NULL, ctx->plugin_id, 0); + + slapi_search_internal_pb(pb); + slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &ret); + + if (ret != EOK) { + ret = ENOENT; + goto done; + } + + slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &e); + if (!e || !e[0] || e[1]) { + /* no matches or too many matches */ + ret = ENOENT; + goto done; + } + + domain_info = calloc(1, sizeof(struct domain_info)); + if (domain_info == NULL) { + ret = ENOMEM; + goto done; + } + + domain_info->guid = slapi_entry_attr_get_charptr(e[0], "ipaNTDomainGUID"); + domain_info->sid = slapi_entry_attr_get_charptr(e[0], + 
"ipaNTTrustedDomainSID"); + domain_info->flat_name = slapi_entry_attr_get_charptr(e[0], + "ipaNTFlatName"); + + /* TODO: read range from LDAP server */ + range.min = 200000; + range.max = 400000; + + err = sss_idmap_init(NULL, NULL, NULL, &domain_info->idmap_ctx); + if (err == IDMAP_SUCCESS) { + err = sss_idmap_add_domain(domain_info->idmap_ctx, domain_name, + domain_info->sid, &range); + } + if (err != IDMAP_SUCCESS) { + free_domain_info(domain_info); + ret = EFAULT; + goto done; + } + + *_domain_info = domain_info; + + ret = 0; + +done: + slapi_free_search_results_internal(pb); + slapi_pblock_destroy(pb); + free(filter); + return ret; + +} + +int handle_request(struct ipa_extdom_ctx *ctx, struct extdom_req *req, + struct extdom_res **res) +{ + wbcErr werr; + int ret; + struct wbcDomainSid sid; + char *domain_name; + char *name; + enum wbcSidType name_type; + struct domain_info *domain_info = NULL; + + ret = get_domain_info(ctx, req->data.name.domain_name, &domain_info); + if (ret != 0) { + return LDAP_OPERATIONS_ERROR; + } + + switch (req->input_type) { + case INP_SID: + werr = wbcStringToSid(req->data.sid, &sid); + if (!WBC_ERROR_IS_OK(werr)) { + ret = LDAP_OPERATIONS_ERROR; + goto done; + } + + werr = wbcLookupSid(&sid, &domain_name, &name, &name_type); + if (!WBC_ERROR_IS_OK(werr)) { + ret = LDAP_OPERATIONS_ERROR; + goto done; + } + + ret = create_response(req, domain_info, domain_name, name, &sid, + name_type, res); + if (ret != 0) { + ret = LDAP_OPERATIONS_ERROR; + goto done; + } + + break; + case INP_NAME: + werr = wbcLookupName(domain_info->flat_name, + req->data.name.object_name, &sid, &name_type); + if (!WBC_ERROR_IS_OK(werr)) { + ret = LDAP_OPERATIONS_ERROR; + goto done; + } + + ret = create_response(req, domain_info, req->data.name.domain_name, + req->data.name.object_name, &sid, name_type, + res); + if (ret != 0) { + ret = LDAP_OPERATIONS_ERROR; + goto done; + } + + break; + default: + ret = LDAP_PROTOCOL_ERROR; + goto done; + } + + ret = 
LDAP_SUCCESS; + +done: + free_domain_info(domain_info); + + return ret; +} + +int create_response(struct extdom_req *req, struct domain_info *domain_info, + const char *domain_name, + const char *name, struct wbcDomainSid *sid, + enum wbcSidType name_type, struct extdom_res **_res) +{ + int ret = EFAULT; + int len; + struct extdom_res *res; + uint32_t id; + enum idmap_error_code err; + char sid_str[WBC_SID_STRING_BUFLEN + 1]; + + res = malloc(sizeof(struct extdom_res)); + if (res == NULL) { + return ENOMEM; + } + + switch (req->request_type) { + case REQ_SIMPLE: + switch (req->input_type) { + case INP_SID: + res->response_type = RESP_NAME; + res->data.name.domain_name = domain_name; + res->data.name.object_name = name; + break; + case INP_NAME: + res->response_type = RESP_SID; + + len = wbcSidToStringBuf(sid, sid_str, + WBC_SID_STRING_BUFLEN); + if (len + 1 > WBC_SID_STRING_BUFLEN) { + ret = EINVAL; + goto done; + } + + res->data.sid = sid_str; + break; + default: + ret = EINVAL; + goto done; + } + break; + case REQ_FULL: + len = wbcSidToStringBuf(sid, sid_str, WBC_SID_STRING_BUFLEN); + if (len + 1 > WBC_SID_STRING_BUFLEN) { + ret = EINVAL; + goto done; + } + + err = sss_idmap_sid_to_unix(domain_info->idmap_ctx, sid_str, &id); + if (err != IDMAP_SUCCESS) { + ret = EINVAL; + goto done; + } + switch (name_type) { + case WBC_SID_NAME_USER: + res->response_type = RESP_USER; + res->data.user.domain_name = domain_name; + res->data.user.user_name = name; + + res->data.user.uid = (uid_t) id; + + /* We use MPGs for external users */ + res->data.user.gid = (gid_t) id; + break; + case WBC_SID_NAME_DOM_GRP: + res->response_type = RESP_GROUP; + res->data.group.domain_name = domain_name; + res->data.group.group_name = name; + + res->data.group.gid = (gid_t) id; + break; + default: + ret = EINVAL; + goto done; + } + break; + default: + ret = EINVAL; + goto done; + } + + ret = 0; + +done: + if (ret == 0) { + *_res = res; + } else { + free(res); + } + + return ret; +} + +int 
pack_response(struct extdom_res *res, struct berval **ret_val) +{ + BerElement *ber = NULL; + int ret; + +/* We send to follwing response: + * ExtdomResponseValue ::= SEQUENCE { + * responseType ENUMERATED { + * sid (1), + * name (2), + * posix_user (3), + * posix_group (4) + * }, + * data OutputData + * } + * + * OutputData ::= CHOICE { + * sid OCTET STRING, + * name NameDomainData, + * user PosixUser, + * group PosixGroup + * } + * + * NameDomainData ::= SEQUENCE { + * domain_name OCTET STRING, + * object_name OCTET STRING + * } + * + * PosixUser ::= SEQUENCE { + * domain_name OCTET STRING, + * user_name OCTET STRING, + * uid INTEGER + * gid INTEGER + * } + * + * PosixGroup ::= SEQUENCE { + * domain_name OCTET STRING, + * group_name OCTET STRING, + * gid INTEGER + * } + */ + + ber = ber_alloc_t( LBER_USE_DER ); + if (ber == NULL) { + return LDAP_OPERATIONS_ERROR; + } + + switch (res->response_type) { + case RESP_SID: + ret = ber_printf(ber,"{es}", res->response_type, res->data.sid); + break; + case RESP_NAME: + ret = ber_printf(ber,"{e{ss}}", res->response_type, + res->data.name.domain_name, + res->data.name.object_name); + break; + case RESP_USER: + ret = ber_printf(ber,"{e{ssii}}", res->response_type, + res->data.user.domain_name, + res->data.user.user_name, + res->data.user.uid, + res->data.user.gid); + break; + case RESP_GROUP: + ret = ber_printf(ber,"{e{ssi}}", res->response_type, + res->data.group.domain_name, + res->data.group.group_name, + res->data.group.gid); + break; + default: + ber_free(ber, 1); + return LDAP_OPERATIONS_ERROR; + } + + if (ret == -1) { + ber_free(ber, 1); + return LDAP_OPERATIONS_ERROR; + } + + ret = ber_flatten(ber, ret_val); + if (ret == -1) { + ber_free(ber, 1); + return LDAP_OPERATIONS_ERROR; + } + + ber_free(ber, 1); + + return LDAP_SUCCESS; +} 
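Review bot: create_response() hands back a pointer to its own stack buffer: in the REQ_SIMPLE/INP_NAME case it sets `res->data.sid = sid_str;` where `char sid_str[WBC_SID_STRING_BUFLEN + 1]` is a local, and pack_response() reads that pointer after create_response() has returned, which is undefined behaviour (test_encode() only calls pack_response() with a caller-owned string, so the unit test cannot catch it). Either strdup() the string into the response or make data.sid a fixed-size array in struct extdom_res. Two more points in this file. get_domain_info() formats the request's domain_name straight into the search filter with asprintf() (`(&(|(cn=%s)(ipaNTTrustPartner=%s)(ipaNTFlatName=%s))(objectclass=ipaNTTrustedDomain))`), so a client can inject filter syntax; escape the value with slapi_escape_filter_value() first. And handle_request() calls get_domain_info(ctx, req->data.name.domain_name, ...) before switching on input_type; for INP_SID the union member overlapping data.name.domain_name is the SID string itself, so the trusted-domain lookup is done with the SID as the domain name and cannot match. For SID input take the domain from what wbcLookupSid() returns, and free the domain_name/name it allocates with wbcFreeMemory() on every exit path (they currently leak). Minor: parse_request_data() leaks the BerElement when calloc() fails, and the ASN.1 comment lists "posix gid (3)" where the enum says 4.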
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c new file mode 100644 index 0000000000000000000000000000000000000000..cf2db333ad57940dc06c3bdb6990b6548ffc0040 --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c 
@@ -0,0 +1,236 @@ +/** BEGIN COPYRIGHT BLOCK + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + * + * Additional permission under GPLv3 section 7: + * + * In the following paragraph, "GPL" means the GNU General Public + * License, version 3 or any later version, and "Non-GPL Code" means + * code that is governed neither by the GPL nor a license + * compatible with the GPL. + * + * You may link the code of this Program with Non-GPL Code and convey + * linked combinations including the two, provided that such Non-GPL + * Code only links to the code of this Program through those well + * defined interfaces identified in the file named EXCEPTION found in + * the source code files (the "Approved Interfaces"). The files of + * Non-GPL Code may instantiate templates or use macros or inline + * functions from the Approved Interfaces without causing the resulting + * work to be covered by the GPL. Only the copyright holders of this + * Program may make changes or additions to the list of Approved + * Interfaces. + * + * Authors: + * Sumit Bose + * + * Copyright (C) 2011 Red Hat, Inc. + * All rights reserved. 
+ * END COPYRIGHT BLOCK **/ + +#include "ipa_extdom.h" +#include "util.h" + +#define EXOP_EXTDOM_OID "2.16.840.1.113730.3.8.10.4" + +Slapi_PluginDesc ipa_extdom_plugin_desc = { + IPA_EXTDOM_FEATURE_DESC, + "FreeIPA project", + "FreeIPA/1.0", + IPA_EXTDOM_PLUGIN_DESC +}; + +static char *ipa_extdom_oid_list[] = { + EXOP_EXTDOM_OID, + NULL +}; + +static char *ipa_extdom_name_list[] = { + IPA_EXTDOM_PLUGIN_DESC, + NULL +}; + +static int ipa_extdom_start(Slapi_PBlock *pb) +{ + return LDAP_SUCCESS; +} + +static int ipa_extdom_extop(Slapi_PBlock *pb) +{ + char *oid = NULL; + char *err_msg = NULL; + int rc; + int ret; + struct berval *req_val = NULL; + struct berval *ret_val = NULL; + struct extdom_req *req = NULL; + struct extdom_res *res = NULL; + struct ipa_extdom_ctx *ctx; + + ret = slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_OID, &oid); + if (ret != 0) { + rc = LDAP_OPERATIONS_ERROR; + err_msg = "Could not get OID value from request.\n"; + goto done; + } + LOG("Received extended operation request with OID %s\n", oid); + + if (strcasecmp(oid, EXOP_EXTDOM_OID) != 0) { + return SLAPI_PLUGIN_EXTENDED_NOT_HANDLED; + } + + ret = slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &req_val); + if (ret != 0) { + rc = LDAP_UNWILLING_TO_PERFORM; + err_msg = "Missing request data.\n"; + goto done; + } + + ret = slapi_pblock_get(pb, SLAPI_PLUGIN_PRIVATE, &ctx); + if (ret != 0) { + rc = LDAP_OPERATIONS_ERROR; + err_msg = "Missing plugin context.\n"; + goto done; + } + + ret = parse_request_data(req_val, &req); + if (ret != LDAP_SUCCESS) { + rc = LDAP_UNWILLING_TO_PERFORM; + err_msg = "Cannot parse request data.\n"; + goto done; + } + + ret = handle_request(ctx, req, &res); + if (ret != LDAP_SUCCESS) { + rc = LDAP_OPERATIONS_ERROR; + err_msg = "Failed to handle the request.\n"; + goto done; + } + + ret = pack_response(res, &ret_val); + if (ret != LDAP_SUCCESS) { + rc = LDAP_OPERATIONS_ERROR; + err_msg = "Failed to pack the response.\n"; + goto done; + } + + ret = slapi_pblock_set(pb, 
SLAPI_EXT_OP_RET_OID, EXOP_EXTDOM_OID); + if (ret != 0) { + rc = LDAP_OPERATIONS_ERROR; + err_msg = "Failed to set the OID for the response.\n"; + goto done; + } + + ret = slapi_pblock_set( pb, SLAPI_EXT_OP_RET_VALUE, ret_val); + if (ret != 0) { + rc = LDAP_OPERATIONS_ERROR; + err_msg = "Failed to set the value for the response.\n"; + goto done; + } + + rc = LDAP_SUCCESS; + +done: + free(req); + free(res); + if (err_msg != NULL) { + LOG(err_msg); + } + slapi_send_ldap_result(pb, rc, NULL, err_msg, 0, NULL); + return SLAPI_PLUGIN_EXTENDED_SENT_RESULT; +} + +static int ipa_extdom_init_ctx(Slapi_PBlock *pb, struct ipa_extdom_ctx **_ctx) +{ + struct ipa_extdom_ctx *ctx; + Slapi_Entry *e; + int ret; + + ctx = calloc(1, sizeof(struct ipa_extdom_ctx)); + if (!ctx) { + return LDAP_OPERATIONS_ERROR; + } + + ret = slapi_pblock_get(pb, SLAPI_PLUGIN_IDENTITY, &ctx->plugin_id); + if ((ret != 0) || (NULL == ctx->plugin_id)) { + LOG_FATAL("Could not get identity or identity was NULL\n"); + if (ret == 0) { + ret = -1; + } + goto done; + } + + slapi_pblock_get(pb, SLAPI_PLUGIN_CONFIG_ENTRY, &e); + if (!e) { + LOG_FATAL("Plugin configuration not found!\n"); + return -1; + } + + ctx->base_dn = slapi_entry_attr_get_charptr(e, "nsslapd-basedn"); + if (!ctx->base_dn) { + LOG_FATAL("Base DN not found in plugin configuration not found!\n"); + return -1; + } + + +done: + if (ret) { + free(ctx); + } else { + *_ctx = ctx; + } + return ret; +} + +int ipa_extdom_init(Slapi_PBlock *pb) +{ + int ret; + struct ipa_extdom_ctx *extdom_ctx; + + ret = ipa_extdom_init_ctx(pb, &extdom_ctx); + if (ret) { + LOG_FATAL("Failed ot initialize external domain extended operation.\n"); + /* do not cause DS to stop, simply do nothing */ + return 0; + } + + ret = slapi_pblock_set(pb, SLAPI_PLUGIN_VERSION, SLAPI_PLUGIN_VERSION_01); + if (!ret) { + ret = slapi_pblock_set(pb, SLAPI_PLUGIN_DESCRIPTION, + (void *)&ipa_extdom_plugin_desc); + } + if (!ret) { + ret = slapi_pblock_set(pb, SLAPI_PLUGIN_START_FN, + (void 
*)ipa_extdom_start); + } + if (!ret) { + ret = slapi_pblock_set(pb, SLAPI_PLUGIN_EXT_OP_OIDLIST, + ipa_extdom_oid_list); + } + if (!ret) { + ret = slapi_pblock_set(pb, SLAPI_PLUGIN_EXT_OP_NAMELIST, + ipa_extdom_name_list); + } + if (!ret) { + ret = slapi_pblock_set(pb, SLAPI_PLUGIN_EXT_OP_FN, + (void *)ipa_extdom_extop); + } + if (!ret) { + ret = slapi_pblock_set(pb, SLAPI_PLUGIN_PRIVATE, extdom_ctx); + } + if (ret) { + LOG("Failed to set plug-in version, function, and OID.\n" ); + return -1; + } + + return 0; +} diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_tests.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_tests.c new file mode 100644 index 0000000000000000000000000000000000000000..acb6ae2844eafe938a293a964efa2afe31e32b9e --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_tests.c 
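Review bot: ipa_extdom_extop() never checks who is asking: it takes SLAPI_EXT_OP_REQ_VALUE from the pblock and resolves it through winbind for any connection that reaches the server, so either fetch SLAPI_CONN_DN and refuse unauthenticated callers before the lookups run, or state in the config LDIF how access to this exop is meant to be restricted. Resource handling in the same function: `free(req); free(res);` in done: does not release the ber_scanf-allocated strings inside req or the winbind-allocated names referenced from res, and ret_val from ber_flatten() is never ber_bvfree()d after slapi_send_ldap_result(), so every request leaks. `LOG(err_msg);` uses a variable as the format string; the current messages contain no '%', but write `LOG("%s", err_msg);` so that stays true. In ipa_extdom_init_ctx() the two `return -1;` paths (no config entry, no nsslapd-basedn) bypass done: and leak ctx; set ret = -1 and goto done instead. Also "Failed ot initialize" in ipa_extdom_init() is a typo.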
@@ -0,0 +1,203 @@ +/** BEGIN COPYRIGHT BLOCK + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + * + * Additional permission under GPLv3 section 7: + * + * In the following paragraph, "GPL" means the GNU General Public + * License, version 3 or any later version, and "Non-GPL Code" means + * code that is governed neither by the GPL nor a license + * compatible with the GPL. + * + * You may link the code of this Program with Non-GPL Code and convey + * linked combinations including the two, provided that such Non-GPL + * Code only links to the code of this Program through those well + * defined interfaces identified in the file named EXCEPTION found in + * the source code files (the "Approved Interfaces"). The files of + * Non-GPL Code may instantiate templates or use macros or inline + * functions from the Approved Interfaces without causing the resulting + * work to be covered by the GPL. Only the copyright holders of this + * Program may make changes or additions to the list of Approved + * Interfaces. + * + * Authors: + * Sumit Bose + * + * Copyright (C) 2011 Red Hat, Inc. + * All rights reserved. 
+ * END COPYRIGHT BLOCK **/ + +#include + +#include "ipa_extdom.h" +#include "util.h" + +char req_sid[] = {0x30, 0x11, 0x0a, 0x01, 0x01, 0x0a, 0x01, 0x01, 0x04, 0x09, \ + 0x53, 0x2d, 0x31, 0x2d, 0x32, 0x2d, 0x33, 0x2d, 0x34}; +char req_nam[] = {0x30, 0x16, 0x0a, 0x01, 0x02, 0x0a, 0x01, 0x01, 0x30, 0x0e, \ + 0x04, 0x06, 0x44, 0x4f, 0x4d, 0x41, 0x49, 0x4e, 0x04, 0x04, \ + 0x74, 0x65, 0x73, 0x74}; +char req_uid[] = {0x30, 0x14, 0x0a, 0x01, 0x03, 0x0a, 0x01, 0x01, 0x30, 0x0c, \ + 0x04, 0x06, 0x44, 0x4f, 0x4d, 0x41, 0x49, 0x4e, 0x02, 0x02, \ + 0x30, 0x39}; +char req_gid[] = {0x30, 0x15, 0x0a, 0x01, 0x04, 0x0a, 0x01, 0x01, 0x30, 0x0d, \ + 0x04, 0x06, 0x44, 0x4f, 0x4d, 0x41, 0x49, 0x4e, 0x02, 0x03, \ + 0x00, 0xd4, 0x31}; + +char res_sid[] = {0x30, 0x0e, 0x0a, 0x01, 0x01, 0x04, 0x09, 0x53, 0x2d, 0x31, \ + 0x2d, 0x32, 0x2d, 0x33, 0x2d, 0x34}; +char res_nam[] = {0x30, 0x13, 0x0a, 0x01, 0x02, 0x30, 0x0e, 0x04, 0x06, 0x44, \ + 0x4f, 0x4d, 0x41, 0x49, 0x4e, 0x04, 0x04, 0x74, 0x65, 0x73, \ + 0x74}; +char res_uid[] = {0x30, 0x17, 0x0a, 0x01, 0x03, 0x30, 0x12, 0x04, 0x06, 0x44, \ + 0x4f, 0x4d, 0x41, 0x49, 0x4e, 0x04, 0x04, 0x74, 0x65, 0x73, \ + 0x74, 0x02, 0x02, 0x30, 0x39}; +char res_gid[] = {0x30, 0x1e, 0x0a, 0x01, 0x04, 0x30, 0x19, 0x04, 0x06, 0x44, \ + 0x4f, 0x4d, 0x41, 0x49, 0x4e, 0x04, 0x0a, 0x74, 0x65, 0x73, \ + 0x74, 0x5f, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x02, 0x03, 0x00, \ + 0xd4, 0x31}; + +#define TEST_SID "S-1-2-3-4" +#define TEST_DOMAIN_NAME "DOMAIN" + +START_TEST(test_encode) +{ + int ret; + struct extdom_res res; + struct berval *resp_val; + + res.response_type = RESP_SID; + res.data.sid = TEST_SID; + + ret = pack_response(&res, &resp_val); + + fail_unless(ret == LDAP_SUCCESS, "pack_response() failed."); + fail_unless(sizeof(res_sid) == resp_val->bv_len && + memcmp(res_sid, resp_val->bv_val, resp_val->bv_len) == 0, + "Unexpected BER blob."); + ber_memfree(resp_val); + + res.response_type = RESP_NAME; + res.data.name.domain_name = TEST_DOMAIN_NAME; + 
res.data.name.object_name = "test"; + + ret = pack_response(&res, &resp_val); + + fail_unless(ret == LDAP_SUCCESS, "pack_response() failed."); + fail_unless(sizeof(res_nam) == resp_val->bv_len && + memcmp(res_nam, resp_val->bv_val, resp_val->bv_len) == 0, + "Unexpected BER blob."); + ber_memfree(resp_val); +} +END_TEST + +START_TEST(test_decode) +{ + struct berval req_val; + struct extdom_req *req; + int ret; + + req_val.bv_val = req_sid; + req_val.bv_len = sizeof(req_sid); + + ret = parse_request_data(&req_val, &req); + + fail_unless(ret == LDAP_SUCCESS, "parse_request_data() failed."); + fail_unless(req->input_type == INP_SID, + "parse_request_data() returned unexpected input type"); + fail_unless(req->request_type == REQ_SIMPLE, + "parse_request_data() returned unexpected request type"); + fail_unless(strcmp(req->data.sid, "S-1-2-3-4") == 0, + "parse_request_data() returned unexpected sid"); + free(req); + + req_val.bv_val = req_nam; + req_val.bv_len = sizeof(req_nam); + + ret = parse_request_data(&req_val, &req); + + fail_unless(ret == LDAP_SUCCESS, + "parse_request_data() failed."); + fail_unless(req->input_type == INP_NAME, + "parse_request_data() returned unexpected input type"); + fail_unless(req->request_type == REQ_SIMPLE, + "parse_request_data() returned unexpected request type"); + fail_unless(strcmp(req->data.name.domain_name, "DOMAIN") == 0, + "parse_request_data() returned unexpected domain name"); + fail_unless(strcmp(req->data.name.object_name, "test") == 0, + "parse_request_data() returned unexpected object name"); + free(req); + + req_val.bv_val = req_uid; + req_val.bv_len = sizeof(req_uid); + + ret = parse_request_data(&req_val, &req); + + fail_unless(ret == LDAP_SUCCESS, + "parse_request_data() failed."); + fail_unless(req->input_type == INP_POSIX_UID, + "parse_request_data() returned unexpected input type"); + fail_unless(req->request_type == REQ_SIMPLE, + "parse_request_data() returned unexpected request type"); + 
fail_unless(strcmp(req->data.posix_uid.domain_name, "DOMAIN") == 0, + "parse_request_data() returned unexpected domain name"); + fail_unless(req->data.posix_uid.uid == 12345, + "parse_request_data() returned unexpected uid [%d]", + req->data.posix_uid.uid); + free(req); + + req_val.bv_val = req_gid; + req_val.bv_len = sizeof(req_gid); + + ret = parse_request_data(&req_val, &req); + + fail_unless(ret == LDAP_SUCCESS, + "parse_request_data() failed."); + fail_unless(req->input_type == INP_POSIX_GID, + "parse_request_data() returned unexpected input type"); + fail_unless(req->request_type == REQ_SIMPLE, + "parse_request_data() returned unexpected request type"); + fail_unless(strcmp(req->data.posix_gid.domain_name, "DOMAIN") == 0, + "parse_request_data() returned unexpected domain name"); + fail_unless(req->data.posix_gid.gid == 54321, + "parse_request_data() returned unexpected gid [%d]", + req->data.posix_gid.gid); + free(req); +} +END_TEST + +Suite * ipa_extdom_suite(void) +{ + Suite *s = suite_create("IPA extdom"); + + TCase *tc_core = tcase_create("Core"); + tcase_add_test(tc_core, test_decode); + tcase_add_test(tc_core, test_encode); + /* TODO: add test for create_response() */ + suite_add_tcase(s, tc_core); + + return s; +} + +int main(void) +{ + int number_failed; + + Suite *s = ipa_extdom_suite (); + SRunner *sr = srunner_create (s); + srunner_run_all (sr, CK_VERBOSE); + number_failed = srunner_ntests_failed (sr); + srunner_free (sr); + + return (number_failed == 0) ? EXIT_SUCCESS : EXIT_FAILURE; +} diff --git a/freeipa.spec.in b/freeipa.spec.in index ce8e1e69fa0953013f06736394800e8797883323..8d07fde211fca932d2b80d4f4f31be2709e9109e 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in 
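Review bot: res_uid and res_gid are defined but never used, and res_uid does not match what pack_response() emits for RESP_USER: the vector carries a single INTEGER (`0x02, 0x02, 0x30, 0x39`) while the "{e{ssii}}" format writes both uid and gid, so an encode test written against it as-is would fail (res_gid does match the "{e{ssi}}" layout of RESP_GROUP). Add RESP_USER and RESP_GROUP cases to test_encode() with a corrected user vector, and add negative cases to test_decode() (truncated blob, an inputType outside 1..4, NULL or empty berval) so the LDAP_PROTOCOL_ERROR paths of parse_request_data() are covered. The tests also `free(req)` without freeing the strings ber_scanf allocated, which mirrors the missing destructor in the plugin itself.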
@@ -81,6 +81,8 @@ BuildRequires: python-lxml BuildRequires: python-pyasn1 >= 0.0.9a BuildRequires: python-dns BuildRequires: python-crypto +BuildRequires: check >= 0.9.5 +BuildRequires: libsss_idmap-devel %description IPA is an integrated solution to provide centrally managed Identity (machine, @@ -350,6 +352,7 @@ rm %{buildroot}/%{plugin_dir}/libipa_uuid.la rm %{buildroot}/%{plugin_dir}/libipa_modrdn.la rm %{buildroot}/%{plugin_dir}/libipa_lockout.la rm %{buildroot}/%{plugin_dir}/libipa_cldap.la +rm %{buildroot}/%{plugin_dir}/libipa_extdom_extop.la rm %{buildroot}/%{_libdir}/krb5/plugins/kdb/ipadb.la rm %{buildroot}/%{_libdir}/samba/pdb/ipasam.la @@ -656,6 +659,7 @@ fi %files server-trust-ad %{_sbindir}/ipa-adtrust-install +%attr(755,root,root) %{plugin_dir}/libipa_extdom_extop.so %{_usr}/share/ipa/smb.conf.empty %attr(755,root,root) %{_libdir}/samba/pdb/ipasam.so %{_mandir}/man1/ipa-adtrust-install.1.gz @@ -712,6 +716,9 @@ fi %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt %changelog +* Fri Jun 8 2012 Sumit Bose - 2.99.0-33 +- Add extdom extop plugin + * Fri Jun 8 2012 Martin Kosek - 2.99.0-32 - Add directory /var/lib/ipa/sysupgrade for package upgrade metadata - Set min for bind-dyndb-ldap to 1.1.0-0.12.rc1 to pick up persistent search diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py index 5f74054316ed714cc5cab004b497033dc4b47adf..0e9e9ef245a0897dfee9bcb0940d0de35c1bfd61 100644 --- a/ipaserver/install/adtrustinstance.py +++ b/ipaserver/install/adtrustinstance.py @@ -223,6 +223,12 @@ class ADTRUSTInstance(service.Service): except: pass + def __add_extdom_module(self): + try: + self._ldap_mod("ipa-extdom-extop-conf.ldif", self.sub_dict) + except: + pass + def __write_smb_registry(self): template = os.path.join(ipautil.SHARE_DIR, "smb.conf.template") conf = ipautil.template_file(template, self.sub_dict) 
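Review bot: __add_extdom_module() wraps _ldap_mod("ipa-extdom-extop-conf.ldif", ...) in a bare `except: pass`, so if the LDIF is missing or the modify is rejected the installer still reports the "activating extdom plugin" step as done and the exop is silently absent until clients fail to resolve trusted-domain users. Catch the specific exception and at least log it with root_logger rather than swallowing everything (the same applies to the __add_cldap_module() pattern this copies). Since the plugin .so is packaged only in freeipa-server-trust-ad in the spec hunk above, also confirm the LDIF ships in that same subpackage.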
@@ -380,7 +386,12 @@ class ADTRUSTInstance(service.Service): self.suffix) except (ldap.ALREADY_EXISTS, errors.DuplicateEntry), e: root_logger.info("ADTRUST Service startup entry already exists.") - pass + + try: + self.ldap_enable('EXTID', self.fqdn, self.dm_password, \ + self.suffix) + except (ldap.ALREADY_EXISTS, errors.DuplicateEntry), e: + root_logger.info("EXTID Service startup entry already exists.") def __setup_sub_dict(self): self.sub_dict = dict(REALM = self.realm_name, @@ -430,6 +441,7 @@ class ADTRUSTInstance(service.Service): self.step("adding cifs Kerberos principal", self.__setup_principal) self.step("adding admin(group) SIDs", self.__add_admin_sids) self.step("activating CLDAP plugin", self.__add_cldap_module) + self.step("activating extdom plugin", self.__add_extdom_module) self.step("configuring smbd to start on boot", self.__enable) if not self.no_msdcs: self.step("adding special DNS service records", \ diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py index a3d09fcd633a851a67ef94b2025f1afb605d3d84..5cc7ae639db3fe2aa3805a90e0902f10f277064c 100644 --- a/ipaserver/install/service.py +++ b/ipaserver/install/service.py @@ -42,7 +42,8 @@ SERVICE_LIST = { 'MEMCACHE':('ipa_memcached', 39), 'HTTP':('httpd', 40), 'CA':('pki-cad', 50), - 'ADTRUST':('smb', 60) + 'ADTRUST':('smb', 60), + 'EXTID':('winbind', 70) } def print_msg(message, output_fd=sys.stdout): -- 1.7.10.2 From sbose at redhat.com Wed Jun 13 10:37:49 2012 
From: sbose at redhat.com (Sumit Bose) Date: Wed, 13 Jun 2012 12:37:49 +0200 Subject: [Freeipa-devel] [PATCH] 18 Add external domain extop DS plugin In-Reply-To: <20120613102642.GG20850@localhost.localdomain> References: <20120323125234.GU2301@localhost.localdomain> <20120607092729.GM8124@localhost.localdomain> <20120611144617.GR25726@redhat.com> <20120613102642.GG20850@localhost.localdomain> Message-ID: <20120613103749.GH20850@localhost.localdomain> On Wed, Jun 13, 2012 at 12:26:43PM +0200, Sumit Bose wrote: > On Mon, Jun 11, 2012 at 05:46:17PM +0300, Alexander Bokovoy wrote: > > On Thu, 07 Jun 2012, Sumit Bose wrote: > > >On Fri, Mar 23, 2012 at 01:52:34PM +0100, Sumit Bose wrote: > > >>Hi, > > >> > > >>these two patches introduce a new extended operation to the IPA server > > >>which can be used by clients in the IPA domain to obtain information > > >>about users and groups from trusted domains. Currently this exop is used > > >>by the sssd sub-domain patch to map user names from a trusted AD domain > > >>to a SID and back. There is also some code for other kinds of requests > > >>which might become useful in future, e.g. with a trusted IPA domain. > > >> > > >>I added some unit tests and added a check for the check unit test framework > > >>for C (http://check.sourceforge.net/) which is used by sssd as well. I > > >>modified the spec file so that the test is run during the build of the > > >>packages. I hope this is ok. > > >> > > >>The patches depend on the idmap library patch which was ACKed recently > > >>on sssd-devel and as mentioned before the sub-domain patches on > > >>sssd-devel can only be fully tested with an IPA server which has these > > >>patches applied. > > >> > > >>Since Alexander is currently rewriting parts of the ipa-adtrust-install > > >>utility I stand back from adding activation code for the exop to > > >>ipa-adtrust-install and will send a patch when Alexander's changes are > > >>available. 
So currently extdom-extop-conf.ldif has to be loaded manually > > >>after replacing $SUFFIX to activate the new exop. > > >> > > >>bye, > > >>Sumit > > > > > >Please find a rebased version of the patches which work on top of > > >Alexander's latest series of patches. The patches now also contain the > > >loading of extdom-extop-conf.ldif and the activation of winbind. > > Thanks for the rebase. > > > > Few comments. > > > > 1. The extdom plugin should support IDMAP_BOTH. We do provide user private > > groups so in our case it should be viewed as preferred output. Thus you > > would need to add a new response type to cover this case. > > Currently the plugin only uses winbind to map SIDs to names and back and > in the returned user data the user private groups are already respected > by setting the GID to the UID. On the client side sssd handles the > trusted domains as mpg (magic private group) domains. > > > > > 2. I have tried to look at the plugin description from the point of view of > > a system administrator and I failed to understand what it does: > > >+#define IPA_EXTDOM_PLUGIN_NAME "ipa-extdom-extop" > > >+#define IPA_EXTDOM_FEATURE_DESC "IPA EXTDOM ID mapper" > > >+#define IPA_EXTDOM_PLUGIN_DESC "IPA EXTDOM ID mapper Extended Operation plugin" > > > > In the ipa-extdom-extop-conf.ldif you have the following description: > > >+nsslapd-plugindescription: Support resolving IDs in trusted domains to names and back > > Probably it is better to reuse the same description in IPA_EXTDOM_PLUGIN_DESC? > > > > This is a minor point but EXTDOM itself is vague. Maybe we should be more clear > > and call it 'IPA trusted domain ID mapper' as it really limits itself to > > only trusted domains? We don't dispatch a winbind request if the domain is > > not found in our list of trusted domains. > > I have updated the descriptions. I prefer the EXTDOM prefix because > there might be future use cases where we might want to get some data > from other domains without trust. 
But I'm happy to change it if you like > a different prefix better. > > > > > 3. Could you please define the oid in ipa_extdom.h so that it could be > > useful for client code as well? > > >+#define EXOP_EXTDOM_OID "2.16.840.1.113730.3.8.10.4" > > done > > New version attached. ah. sorry, forgot to squash in some changes. Additionally I moved the binary to the freeipa-server-trust-ad package to avoid additional dependencies in the freeipa-server package. bye, Sumit > > > > > 4. Do we have 'check' tool in RHEL6? > > yes, current version is check-0.9.8-1.1.el6 > > Thank you for the review. > > bye, > Sumit > > -- > > / Alexander Bokovoy -------------- next part -------------- From 879072a11fe0b07876f88f202ab02e07a5cf649e Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Mon, 12 Dec 2011 11:32:06 +0100 Subject: [PATCH] Add configure check for C Unit-Test framework check The framework can be found at http://check.sourceforge.net. --- daemons/configure.ac | 10 ++++++++++ 1 Datei ge?ndert, 10 Zeilen hinzugef?gt(+) diff --git a/daemons/configure.ac b/daemons/configure.ac index deaa47358445fa552f5a9b53c9b65a9550b71d9e..547c907f3c6327507e7b01f7642c7db4a7409391 100644 --- a/daemons/configure.ac +++ b/daemons/configure.ac 
@@ -240,6 +240,16 @@ PKG_CHECK_MODULES([SAMBAUTIL], [samba-util]) SAMBA40EXTRA_LIBPATH="-L`$PKG_CONFIG --variable=libdir samba-util`/samba" AC_SUBST(SAMBA40EXTRA_LIBPATH) +dnl --------------------------------------------------------------------------- +dnl - Check for check unit test framework http://check.sourceforge.net/ +dnl --------------------------------------------------------------------------- +PKG_CHECK_MODULES([CHECK], [check >= 0.9.5], [have_check=1], [have_check=]) +if test x$have_check = x; then + AC_MSG_WARN([Without the 'CHECK' library, you will be unable to run all tests in the 'make check' suite]) +else + AC_CHECK_HEADERS([check.h],,AC_MSG_ERROR([Could not find CHECK headers])) +fi +AM_CONDITIONAL([HAVE_CHECK], [test x$have_check != x]) dnl --------------------------------------------------------------------------- dnl - Set the data install directory since we don't use pkgdatadir -- 1.7.10.2 -------------- next part -------------- From 037ba5743186fb2a95db9e583a99b6b9169aa293 Mon Sep 17 00:00:00 2001 
From: Sumit Bose
Date: Wed, 30 Nov 2011 13:29:10 +0100
Subject: [PATCH] Add external domain extop DS plugin

This extop can be used by clients of the IPA domain, e.g. sssd, to retrieve data from trusted external domains. It can be used e.g. to map Windows SIDs to user or group names and back.
---
 daemons/configure.ac | 19 +-
 daemons/ipa-slapi-plugins/Makefile.am | 1 +
 .../ipa-slapi-plugins/ipa-extdom-extop/Makefile.am | 74 +++
 .../ipa-extdom-extop/ipa-extdom-extop-conf.ldif | 16 +
 .../ipa-extdom-extop/ipa_extdom.h | 154 ++++++
 .../ipa-extdom-extop/ipa_extdom_common.c | 498 ++++++++++++++++++++
 .../ipa-extdom-extop/ipa_extdom_extop.c | 234 +++++++++
 .../ipa-extdom-extop/ipa_extdom_tests.c | 203 ++++++++
 freeipa.spec.in | 7 +
 ipaserver/install/adtrustinstance.py | 14 +-
 ipaserver/install/service.py | 3 +-
 11 Dateien geändert, 1220 Zeilen hinzugefügt(+), 3 Zeilen entfernt(-)
 create mode 100644 daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am
 create mode 100644 daemons/ipa-slapi-plugins/ipa-extdom-extop/README
 create mode 100644 daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa-extdom-extop-conf.ldif
 create mode 100644 daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
 create mode 100644 daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
 create mode 100644 daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c
 create mode 100644 daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_tests.c

diff --git a/daemons/configure.ac b/daemons/configure.ac
index 547c907f3c6327507e7b01f7642c7db4a7409391..8f026883569700fc0cd1c60b314cc87ccdbc8c57 100644
--- a/daemons/configure.ac
+++ b/daemons/configure.ac
@@ -237,8 +237,19 @@ PKG_CHECK_MODULES([NDRPAC], [ndr_krb5pac]) PKG_CHECK_MODULES([NDRNBT], [ndr_nbt]) PKG_CHECK_MODULES([NDR], [ndr]) PKG_CHECK_MODULES([SAMBAUTIL], [samba-util]) -SAMBA40EXTRA_LIBPATH="-L`$PKG_CONFIG --variable=libdir samba-util`/samba" +SAMBA40EXTRA_LIBPATH="-L`$PKG_CONFIG --variable=libdir samba-util`/samba -Wl,-rpath=`$PKG_CONFIG --variable=libdir samba-util`/samba" AC_SUBST(SAMBA40EXTRA_LIBPATH) +AC_CHECK_HEADERS([samba-4.0/wbclient.h], + , + [AC_MSG_ERROR([samba-4.0/wbclient.h not found])], + [#include + #include ]) +AC_CHECK_LIB([wbclient], + [wbcLookupSid], + [WBCLIENT_LIBS="$SAMBA40EXTRA_LIBPATH -lwbclient"], + [AC_MSG_ERROR([libwbclient does not have wbcLookupSid])], + [$SAMBA40EXTRA_LIBPATH]) +AC_SUBST(WBCLIENT_LIBS) dnl --------------------------------------------------------------------------- dnl - Check for check unit test framework http://check.sourceforge.net/ @@ -251,6 +262,11 @@ else fi AM_CONDITIONAL([HAVE_CHECK], [test x$have_check != x]) +dnl -- dirsrv is needed for the extdom unit tests -- +PKG_CHECK_MODULES([DIRSRV], [dirsrv]) +dnl -- sss_idmap is needed by the extdom exop -- +PKG_CHECK_MODULES([SSSIDMAP], [sss_idmap]) + dnl --------------------------------------------------------------------------- dnl - Set the data install directory since we don't use pkgdatadir dnl --------------------------------------------------------------------------- @@ -320,6 +336,7 @@ AC_CONFIG_FILES([ ipa-slapi-plugins/ipa-enrollment/Makefile ipa-slapi-plugins/ipa-lockout/Makefile ipa-slapi-plugins/ipa-pwd-extop/Makefile + ipa-slapi-plugins/ipa-extdom-extop/Makefile ipa-slapi-plugins/ipa-winsync/Makefile ipa-slapi-plugins/ipa-version/Makefile ipa-slapi-plugins/ipa-uuid/Makefile diff --git a/daemons/ipa-slapi-plugins/Makefile.am b/daemons/ipa-slapi-plugins/Makefile.am index 29b985e69424c9f2ce453ea3607cdb0e936bcce2..01b8bc330bb9525b54ac3e0493e311d2cafb64e7 100644 --- a/daemons/ipa-slapi-plugins/Makefile.am 
+++ b/daemons/ipa-slapi-plugins/Makefile.am @@ -6,6 +6,7 @@ SUBDIRS = \ ipa-lockout \ ipa-modrdn \ ipa-pwd-extop \ + ipa-extdom-extop \ ipa-uuid \ ipa-version \ ipa-winsync \ diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am b/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am new file mode 100644 index 0000000000000000000000000000000000000000..d93e094b95510cf0ec99b7f7c38ff261c56f310e --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am @@ -0,0 +1,74 @@ +NULL = + +PLUGIN_COMMON_DIR=../common + +INCLUDES = \ + -I. \ + -I$(srcdir) \ + -I$(PLUGIN_COMMON_DIR) \ + -I$(KRB5_UTIL_DIR) \ + -I$(COMMON_BER_DIR) \ + -DPREFIX=\""$(prefix)"\" \ + -DBINDIR=\""$(bindir)"\" \ + -DLIBDIR=\""$(libdir)"\" \ + -DLIBEXECDIR=\""$(libexecdir)"\" \ + -DDATADIR=\""$(datadir)"\" \ + $(AM_CFLAGS) \ + $(LDAP_CFLAGS) \ + $(WBCLIENT_CFLAGS) \ + $(WARN_CFLAGS) \ + $(SSSIDMAP_CFLAGS) \ + $(NULL) + +plugindir = $(libdir)/dirsrv/plugins +plugin_LTLIBRARIES = \ + libipa_extdom_extop.la \ + $(NULL) + +libipa_extdom_extop_la_SOURCES = \ + ipa_extdom_extop.c \ + ipa_extdom_common.c \ + $(NULL) + +libipa_extdom_extop_la_LDFLAGS = -avoid-version + +libipa_extdom_extop_la_LIBADD = \ + $(LDAP_LIBS) \ + $(WBCLIENT_LIBS) \ + $(SSSIDMAP_LIBS) \ + $(NULL) + +if HAVE_CHECK +TESTS = extdom_tests +check_PROGRAMS = extdom_tests +endif + +extdom_tests_SOURCES = \ + ipa_extdom_tests.c \ + ipa_extdom_common.c \ + $(NULL) +extdom_tests_CFLAGS = $(CHECK_CFLAGS) +extdom_tests_LDFLAGS = \ + -rpath $(shell pkg-config --libs-only-L dirsrv | sed -e 's/-L//') \ + $(NULL) +extdom_tests_LDADD = \ + $(CHECK_LIBS) \ + $(LDAP_LIBS) \ + $(WBCLIENT_LIBS) \ + $(DIRSRV_LIBS) \ + $(SSSIDMAP_LIBS) \ + $(NULL) + +appdir = $(IPA_DATA_DIR) +app_DATA = \ + ipa-extdom-extop-conf.ldif \ + $(NULL) + +EXTRA_DIST = \ + README \ + $(app_DATA) \ + $(NULL) + +MAINTAINERCLEANFILES = \ + *~ \ + Makefile.in 
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/README b/daemons/ipa-slapi-plugins/ipa-extdom-extop/README new file mode 100644 index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa-extdom-extop-conf.ldif b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa-extdom-extop-conf.ldif new file mode 100644 index 0000000000000000000000000000000000000000..ec51ed26f127410901972053c86a49930d217d82 --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa-extdom-extop-conf.ldif @@ -0,0 +1,16 @@ +dn: cn=ipa_extdom_extop,cn=plugins,cn=config +changetype: add +objectclass: top +objectclass: nsSlapdPlugin +objectclass: extensibleObject +cn: ipa_extdom_extop +nsslapd-pluginpath: libipa_extdom_extop +nsslapd-plugininitfunc: ipa_extdom_init +nsslapd-plugintype: extendedop +nsslapd-pluginenabled: on +nsslapd-pluginid: ipa_extdom_extop +nsslapd-pluginversion: 1.0 +nsslapd-pluginvendor: RedHat +nsslapd-plugindescription: Support resolving IDs in trusted domains to names and back +nsslapd-plugin-depends-on-type: database +nsslapd-basedn: $SUFFIX diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h new file mode 100644 index 0000000000000000000000000000000000000000..5c2eeddceb3983fa5793c1a7fa86c5001c47beba --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h 
@@ -0,0 +1,154 @@ +/** BEGIN COPYRIGHT BLOCK + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + * + * Additional permission under GPLv3 section 7: + * + * In the following paragraph, "GPL" means the GNU General Public + * License, version 3 or any later version, and "Non-GPL Code" means + * code that is governed neither by the GPL nor a license + * compatible with the GPL. + * + * You may link the code of this Program with Non-GPL Code and convey + * linked combinations including the two, provided that such Non-GPL + * Code only links to the code of this Program through those well + * defined interfaces identified in the file named EXCEPTION found in + * the source code files (the "Approved Interfaces"). The files of + * Non-GPL Code may instantiate templates or use macros or inline + * functions from the Approved Interfaces without causing the resulting + * work to be covered by the GPL. Only the copyright holders of this + * Program may make changes or additions to the list of Approved + * Interfaces. + * + * Authors: + * Sumit Bose + * + * Copyright (C) 2011 Red Hat, Inc. + * All rights reserved. 
+ * END COPYRIGHT BLOCK **/ + +#ifndef _IPA_EXTDOM_H_ +#define _IPA_EXTDOM_H_ + +#ifdef HAVE_CONFIG_H +# include +#endif + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include + +#include +#include +#include + +#include + +#define EXOP_EXTDOM_OID "2.16.840.1.113730.3.8.10.4" + +#define IPA_EXTDOM_PLUGIN_NAME "ipa-extdom-extop" +#define IPA_EXTDOM_FEATURE_DESC "IPA trusted domain ID mapper" +#define IPA_EXTDOM_PLUGIN_DESC "Support resolving IDs in trusted domains to names and back" + +#define IPA_PLUGIN_NAME IPA_EXTDOM_PLUGIN_NAME + +enum input_types { + INP_SID = 1, + INP_NAME, + INP_POSIX_UID, + INP_POSIX_GID +}; + +enum request_types { + REQ_SIMPLE = 1, + REQ_FULL +}; + +enum response_types { + RESP_SID = 1, + RESP_NAME, + RESP_USER, + RESP_GROUP +}; + +struct extdom_req { + enum input_types input_type; + enum request_types request_type; + union { + char *sid; + struct { + char *domain_name; + char *object_name; + } name; + struct { + char *domain_name; + uid_t uid; + } posix_uid; + struct { + char *domain_name; + gid_t gid; + } posix_gid; + } data; +}; + +struct extdom_res { + enum response_types response_type; + union { + char *sid; + struct { + const char *domain_name; + const char *object_name; + } name; + struct { + const char *domain_name; + const char *user_name; + uid_t uid; + gid_t gid; + } user; + struct { + const char *domain_name; + const char *group_name; + gid_t gid; + } group; + } data; +}; + +struct ipa_extdom_ctx { + Slapi_ComponentId *plugin_id; + char *base_dn; +}; + +struct domain_info { + char *flat_name; + char *sid; + char *guid; + struct sss_idmap_ctx *idmap_ctx; +}; + +int parse_request_data(struct berval *req_val, struct extdom_req **_req); +int handle_request(struct ipa_extdom_ctx *ctx, struct extdom_req *req, + struct extdom_res **res); +int create_response(struct extdom_req *req, struct domain_info *domain_info, + const char *domain_name, + const char *name, struct wbcDomainSid *sid, + 
enum wbcSidType name_type, struct extdom_res **_res); +int pack_response(struct extdom_res *res, struct berval **ret_val); +#endif /* _IPA_EXTDOM_H_ */ diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c new file mode 100644 index 0000000000000000000000000000000000000000..294b00d50dd76c6541831b5c53bf70a4d377dcc3 --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c 
@@ -0,0 +1,498 @@ +/** BEGIN COPYRIGHT BLOCK + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + * + * Additional permission under GPLv3 section 7: + * + * In the following paragraph, "GPL" means the GNU General Public + * License, version 3 or any later version, and "Non-GPL Code" means + * code that is governed neither by the GPL nor a license + * compatible with the GPL. + * + * You may link the code of this Program with Non-GPL Code and convey + * linked combinations including the two, provided that such Non-GPL + * Code only links to the code of this Program through those well + * defined interfaces identified in the file named EXCEPTION found in + * the source code files (the "Approved Interfaces"). The files of + * Non-GPL Code may instantiate templates or use macros or inline + * functions from the Approved Interfaces without causing the resulting + * work to be covered by the GPL. Only the copyright holders of this + * Program may make changes or additions to the list of Approved + * Interfaces. + * + * Authors: + * Sumit Bose + * + * Copyright (C) 2011 Red Hat, Inc. + * All rights reserved. 
+ * END COPYRIGHT BLOCK **/ + +#ifndef _GNU_SOURCE +#define _GNU_SOURCE 1 /* for asprintf() */ +#endif + +#include +#include + +#include "ipa_extdom.h" +#include "util.h" + +int parse_request_data(struct berval *req_val, struct extdom_req **_req) +{ + BerElement *ber = NULL; + ber_tag_t tag; + ber_int_t input_type; + ber_int_t request_type; + ber_int_t id; + struct extdom_req *req; + +/* We expect the following request: + * ExtdomRequestValue ::= SEQUENCE { + * inputType ENUMERATED { + * sid (1), + * name (2), + * posix uid (3), + * posix gid (3) + * }, + * requestType ENUMERATED { + * simple (1), + * full (2) + * }, + * data InputData + * } + * + * InputData ::= CHOICE { + * sid OCTET STRING, + * name NameDomainData + * uid PosixUid, + * gid PosixGid + * } + * + * NameDomainData ::= SEQUENCE { + * domain_name OCTET STRING, + * object_name OCTET STRING + * } + * + * PosixUid ::= SEQUENCE { + * domain_name OCTET STRING, + * uid INTEGER + * } + * + * PosixGid ::= SEQUENCE { + * domain_name OCTET STRING, + * gid INTEGER + * } + */ + + if (req_val == NULL || req_val->bv_val == NULL || req_val->bv_len == 0) { + return LDAP_PROTOCOL_ERROR; + } + + ber = ber_init(req_val); + if (ber == NULL) { + return LDAP_PROTOCOL_ERROR; + } + + tag = ber_scanf(ber, "{ee", &input_type, &request_type); + if (tag == LBER_ERROR) { + ber_free(ber, 1); + return LDAP_PROTOCOL_ERROR; + } + + req = calloc(sizeof(struct extdom_req), 1); + if (req == NULL) { + return LDAP_OPERATIONS_ERROR; + } + + req->input_type = input_type; + req->request_type = request_type; + + switch (req->input_type) { + case INP_NAME: + tag = ber_scanf(ber, "{aa}}", &req->data.name.domain_name, + &req->data.name.object_name); + break; + case INP_SID: + tag = ber_scanf(ber, "a}", &req->data.sid); + break; + case INP_POSIX_UID: + tag = ber_scanf(ber, "{ai}}", &req->data.posix_uid.domain_name, + &id); + req->data.posix_uid.uid = (uid_t) id; + break; + case INP_POSIX_GID: + tag = ber_scanf(ber, "{ai}}", 
&req->data.posix_gid.domain_name, + &id); + req->data.posix_gid.gid = (gid_t) id; + break; + default: + ber_free(ber, 1); + return LDAP_PROTOCOL_ERROR; + } + ber_free(ber, 1); + if (tag == LBER_ERROR) { + return LDAP_PROTOCOL_ERROR; + } + + *_req = req; + + return LDAP_SUCCESS; +} + +static void free_domain_info(struct domain_info *domain_info) +{ + if (domain_info == NULL) { + return; + } + + sss_idmap_free(domain_info->idmap_ctx); + slapi_ch_free((void **) &domain_info->guid); + slapi_ch_free((void **) &domain_info->sid); + slapi_ch_free((void **) &domain_info->flat_name); + free(domain_info); +} + +/* TODO: A similar call is used in ipa_cldap_netlogon.c, maybe a candidate for + * a common library */ +static int get_domain_info(struct ipa_extdom_ctx *ctx, const char *domain_name, + struct domain_info **_domain_info) +{ + struct domain_info *domain_info = NULL; + Slapi_PBlock *pb = NULL; + Slapi_Entry **e = NULL; + char *filter = NULL; + int ret; + enum idmap_error_code err; + struct sss_idmap_range range; + + pb = slapi_pblock_new(); + if (pb == NULL) { + return ENOMEM; + } + + ret = asprintf(&filter, "(&(|(cn=%s)(ipaNTTrustPartner=%s)(ipaNTFlatName=%s))(objectclass=ipaNTTrustedDomain))", + domain_name, domain_name, domain_name); + if (ret == -1) { + ret = ENOMEM; + goto done; + } + + slapi_search_internal_set_pb(pb, ctx->base_dn, + LDAP_SCOPE_SUBTREE, filter, + NULL, 0, NULL, NULL, ctx->plugin_id, 0); + + slapi_search_internal_pb(pb); + slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &ret); + + if (ret != EOK) { + ret = ENOENT; + goto done; + } + + slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &e); + if (!e || !e[0] || e[1]) { + /* no matches or too many matches */ + ret = ENOENT; + goto done; + } + + domain_info = calloc(1, sizeof(struct domain_info)); + if (domain_info == NULL) { + ret = ENOMEM; + goto done; + } + + domain_info->guid = slapi_entry_attr_get_charptr(e[0], "ipaNTDomainGUID"); + domain_info->sid = slapi_entry_attr_get_charptr(e[0], + 
"ipaNTTrustedDomainSID"); + domain_info->flat_name = slapi_entry_attr_get_charptr(e[0], + "ipaNTFlatName"); + + /* TODO: read range from LDAP server */ + range.min = 200000; + range.max = 400000; + + err = sss_idmap_init(NULL, NULL, NULL, &domain_info->idmap_ctx); + if (err == IDMAP_SUCCESS) { + err = sss_idmap_add_domain(domain_info->idmap_ctx, domain_name, + domain_info->sid, &range); + } + if (err != IDMAP_SUCCESS) { + free_domain_info(domain_info); + ret = EFAULT; + goto done; + } + + *_domain_info = domain_info; + + ret = 0; + +done: + slapi_free_search_results_internal(pb); + slapi_pblock_destroy(pb); + free(filter); + return ret; + +} + +int handle_request(struct ipa_extdom_ctx *ctx, struct extdom_req *req, + struct extdom_res **res) +{ + wbcErr werr; + int ret; + struct wbcDomainSid sid; + char *domain_name; + char *name; + enum wbcSidType name_type; + struct domain_info *domain_info = NULL; + + ret = get_domain_info(ctx, req->data.name.domain_name, &domain_info); + if (ret != 0) { + return LDAP_OPERATIONS_ERROR; + } + + switch (req->input_type) { + case INP_SID: + werr = wbcStringToSid(req->data.sid, &sid); + if (!WBC_ERROR_IS_OK(werr)) { + ret = LDAP_OPERATIONS_ERROR; + goto done; + } + + werr = wbcLookupSid(&sid, &domain_name, &name, &name_type); + if (!WBC_ERROR_IS_OK(werr)) { + ret = LDAP_OPERATIONS_ERROR; + goto done; + } + + ret = create_response(req, domain_info, domain_name, name, &sid, + name_type, res); + if (ret != 0) { + ret = LDAP_OPERATIONS_ERROR; + goto done; + } + + break; + case INP_NAME: + werr = wbcLookupName(domain_info->flat_name, + req->data.name.object_name, &sid, &name_type); + if (!WBC_ERROR_IS_OK(werr)) { + ret = LDAP_OPERATIONS_ERROR; + goto done; + } + + ret = create_response(req, domain_info, req->data.name.domain_name, + req->data.name.object_name, &sid, name_type, + res); + if (ret != 0) { + ret = LDAP_OPERATIONS_ERROR; + goto done; + } + + break; + default: + ret = LDAP_PROTOCOL_ERROR; + goto done; + } + + ret = 
LDAP_SUCCESS; + +done: + free_domain_info(domain_info); + + return ret; +} + +int create_response(struct extdom_req *req, struct domain_info *domain_info, + const char *domain_name, + const char *name, struct wbcDomainSid *sid, + enum wbcSidType name_type, struct extdom_res **_res) +{ + int ret = EFAULT; + int len; + struct extdom_res *res; + uint32_t id; + enum idmap_error_code err; + char sid_str[WBC_SID_STRING_BUFLEN + 1]; + + res = malloc(sizeof(struct extdom_res)); + if (res == NULL) { + return ENOMEM; + } + + switch (req->request_type) { + case REQ_SIMPLE: + switch (req->input_type) { + case INP_SID: + res->response_type = RESP_NAME; + res->data.name.domain_name = domain_name; + res->data.name.object_name = name; + break; + case INP_NAME: + res->response_type = RESP_SID; + + len = wbcSidToStringBuf(sid, sid_str, + WBC_SID_STRING_BUFLEN); + if (len + 1 > WBC_SID_STRING_BUFLEN) { + ret = EINVAL; + goto done; + } + + res->data.sid = sid_str; + break; + default: + ret = EINVAL; + goto done; + } + break; + case REQ_FULL: + len = wbcSidToStringBuf(sid, sid_str, WBC_SID_STRING_BUFLEN); + if (len + 1 > WBC_SID_STRING_BUFLEN) { + ret = EINVAL; + goto done; + } + + err = sss_idmap_sid_to_unix(domain_info->idmap_ctx, sid_str, &id); + if (err != IDMAP_SUCCESS) { + ret = EINVAL; + goto done; + } + switch (name_type) { + case WBC_SID_NAME_USER: + res->response_type = RESP_USER; + res->data.user.domain_name = domain_name; + res->data.user.user_name = name; + + res->data.user.uid = (uid_t) id; + + /* We use MPGs for external users */ + res->data.user.gid = (gid_t) id; + break; + case WBC_SID_NAME_DOM_GRP: + res->response_type = RESP_GROUP; + res->data.group.domain_name = domain_name; + res->data.group.group_name = name; + + res->data.group.gid = (gid_t) id; + break; + default: + ret = EINVAL; + goto done; + } + break; + default: + ret = EINVAL; + goto done; + } + + ret = 0; + +done: + if (ret == 0) { + *_res = res; + } else { + free(res); + } + + return ret; +} + +int 
pack_response(struct extdom_res *res, struct berval **ret_val) +{ + BerElement *ber = NULL; + int ret; + +/* We send to follwing response: + * ExtdomResponseValue ::= SEQUENCE { + * responseType ENUMERATED { + * sid (1), + * name (2), + * posix_user (3), + * posix_group (4) + * }, + * data OutputData + * } + * + * OutputData ::= CHOICE { + * sid OCTET STRING, + * name NameDomainData, + * user PosixUser, + * group PosixGroup + * } + * + * NameDomainData ::= SEQUENCE { + * domain_name OCTET STRING, + * object_name OCTET STRING + * } + * + * PosixUser ::= SEQUENCE { + * domain_name OCTET STRING, + * user_name OCTET STRING, + * uid INTEGER + * gid INTEGER + * } + * + * PosixGroup ::= SEQUENCE { + * domain_name OCTET STRING, + * group_name OCTET STRING, + * gid INTEGER + * } + */ + + ber = ber_alloc_t( LBER_USE_DER ); + if (ber == NULL) { + return LDAP_OPERATIONS_ERROR; + } + + switch (res->response_type) { + case RESP_SID: + ret = ber_printf(ber,"{es}", res->response_type, res->data.sid); + break; + case RESP_NAME: + ret = ber_printf(ber,"{e{ss}}", res->response_type, + res->data.name.domain_name, + res->data.name.object_name); + break; + case RESP_USER: + ret = ber_printf(ber,"{e{ssii}}", res->response_type, + res->data.user.domain_name, + res->data.user.user_name, + res->data.user.uid, + res->data.user.gid); + break; + case RESP_GROUP: + ret = ber_printf(ber,"{e{ssi}}", res->response_type, + res->data.group.domain_name, + res->data.group.group_name, + res->data.group.gid); + break; + default: + ber_free(ber, 1); + return LDAP_OPERATIONS_ERROR; + } + + if (ret == -1) { + ber_free(ber, 1); + return LDAP_OPERATIONS_ERROR; + } + + ret = ber_flatten(ber, ret_val); + if (ret == -1) { + ber_free(ber, 1); + return LDAP_OPERATIONS_ERROR; + } + + ber_free(ber, 1); + + return LDAP_SUCCESS; +} 
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c new file mode 100644 index 0000000000000000000000000000000000000000..d5a2f604c4a61bda04dd026ace4b53ea5c2c3645 --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c 
@@ -0,0 +1,234 @@ +/** BEGIN COPYRIGHT BLOCK + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + * + * Additional permission under GPLv3 section 7: + * + * In the following paragraph, "GPL" means the GNU General Public + * License, version 3 or any later version, and "Non-GPL Code" means + * code that is governed neither by the GPL nor a license + * compatible with the GPL. + * + * You may link the code of this Program with Non-GPL Code and convey + * linked combinations including the two, provided that such Non-GPL + * Code only links to the code of this Program through those well + * defined interfaces identified in the file named EXCEPTION found in + * the source code files (the "Approved Interfaces"). The files of + * Non-GPL Code may instantiate templates or use macros or inline + * functions from the Approved Interfaces without causing the resulting + * work to be covered by the GPL. Only the copyright holders of this + * Program may make changes or additions to the list of Approved + * Interfaces. + * + * Authors: + * Sumit Bose + * + * Copyright (C) 2011 Red Hat, Inc. + * All rights reserved. 
+ * END COPYRIGHT BLOCK **/ + +#include "ipa_extdom.h" +#include "util.h" + +Slapi_PluginDesc ipa_extdom_plugin_desc = { + IPA_EXTDOM_FEATURE_DESC, + "FreeIPA project", + "FreeIPA/1.0", + IPA_EXTDOM_PLUGIN_DESC +}; + +static char *ipa_extdom_oid_list[] = { + EXOP_EXTDOM_OID, + NULL +}; + +static char *ipa_extdom_name_list[] = { + IPA_EXTDOM_PLUGIN_DESC, + NULL +}; + +static int ipa_extdom_start(Slapi_PBlock *pb) +{ + return LDAP_SUCCESS; +} + +static int ipa_extdom_extop(Slapi_PBlock *pb) +{ + char *oid = NULL; + char *err_msg = NULL; + int rc; + int ret; + struct berval *req_val = NULL; + struct berval *ret_val = NULL; + struct extdom_req *req = NULL; + struct extdom_res *res = NULL; + struct ipa_extdom_ctx *ctx; + + ret = slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_OID, &oid); + if (ret != 0) { + rc = LDAP_OPERATIONS_ERROR; + err_msg = "Could not get OID value from request.\n"; + goto done; + } + LOG("Received extended operation request with OID %s\n", oid); + + if (strcasecmp(oid, EXOP_EXTDOM_OID) != 0) { + return SLAPI_PLUGIN_EXTENDED_NOT_HANDLED; + } + + ret = slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &req_val); + if (ret != 0) { + rc = LDAP_UNWILLING_TO_PERFORM; + err_msg = "Missing request data.\n"; + goto done; + } + + ret = slapi_pblock_get(pb, SLAPI_PLUGIN_PRIVATE, &ctx); + if (ret != 0) { + rc = LDAP_OPERATIONS_ERROR; + err_msg = "Missing plugin context.\n"; + goto done; + } + + ret = parse_request_data(req_val, &req); + if (ret != LDAP_SUCCESS) { + rc = LDAP_UNWILLING_TO_PERFORM; + err_msg = "Cannot parse request data.\n"; + goto done; + } + + ret = handle_request(ctx, req, &res); + if (ret != LDAP_SUCCESS) { + rc = LDAP_OPERATIONS_ERROR; + err_msg = "Failed to handle the request.\n"; + goto done; + } + + ret = pack_response(res, &ret_val); + if (ret != LDAP_SUCCESS) { + rc = LDAP_OPERATIONS_ERROR; + err_msg = "Failed to pack the response.\n"; + goto done; + } + + ret = slapi_pblock_set(pb, SLAPI_EXT_OP_RET_OID, EXOP_EXTDOM_OID); + if (ret != 0) { + rc = 
LDAP_OPERATIONS_ERROR; + err_msg = "Failed to set the OID for the response.\n"; + goto done; + } + + ret = slapi_pblock_set( pb, SLAPI_EXT_OP_RET_VALUE, ret_val); + if (ret != 0) { + rc = LDAP_OPERATIONS_ERROR; + err_msg = "Failed to set the value for the response.\n"; + goto done; + } + + rc = LDAP_SUCCESS; + +done: + free(req); + free(res); + if (err_msg != NULL) { + LOG(err_msg); + } + slapi_send_ldap_result(pb, rc, NULL, err_msg, 0, NULL); + return SLAPI_PLUGIN_EXTENDED_SENT_RESULT; +} + +static int ipa_extdom_init_ctx(Slapi_PBlock *pb, struct ipa_extdom_ctx **_ctx) +{ + struct ipa_extdom_ctx *ctx; + Slapi_Entry *e; + int ret; + + ctx = calloc(1, sizeof(struct ipa_extdom_ctx)); + if (!ctx) { + return LDAP_OPERATIONS_ERROR; + } + + ret = slapi_pblock_get(pb, SLAPI_PLUGIN_IDENTITY, &ctx->plugin_id); + if ((ret != 0) || (NULL == ctx->plugin_id)) { + LOG_FATAL("Could not get identity or identity was NULL\n"); + if (ret == 0) { + ret = -1; + } + goto done; + } + + slapi_pblock_get(pb, SLAPI_PLUGIN_CONFIG_ENTRY, &e); + if (!e) { + LOG_FATAL("Plugin configuration not found!\n"); + return -1; + } + + ctx->base_dn = slapi_entry_attr_get_charptr(e, "nsslapd-basedn"); + if (!ctx->base_dn) { + LOG_FATAL("Base DN not found in plugin configuration not found!\n"); + return -1; + } + + +done: + if (ret) { + free(ctx); + } else { + *_ctx = ctx; + } + return ret; +} + +int ipa_extdom_init(Slapi_PBlock *pb) +{ + int ret; + struct ipa_extdom_ctx *extdom_ctx; + + ret = ipa_extdom_init_ctx(pb, &extdom_ctx); + if (ret) { + LOG_FATAL("Failed ot initialize external domain extended operation.\n"); + /* do not cause DS to stop, simply do nothing */ + return 0; + } + + ret = slapi_pblock_set(pb, SLAPI_PLUGIN_VERSION, SLAPI_PLUGIN_VERSION_01); + if (!ret) { + ret = slapi_pblock_set(pb, SLAPI_PLUGIN_DESCRIPTION, + (void *)&ipa_extdom_plugin_desc); + } + if (!ret) { + ret = slapi_pblock_set(pb, SLAPI_PLUGIN_START_FN, + (void *)ipa_extdom_start); + } + if (!ret) { + ret = slapi_pblock_set(pb, 
SLAPI_PLUGIN_EXT_OP_OIDLIST, + ipa_extdom_oid_list); + } + if (!ret) { + ret = slapi_pblock_set(pb, SLAPI_PLUGIN_EXT_OP_NAMELIST, + ipa_extdom_name_list); + } + if (!ret) { + ret = slapi_pblock_set(pb, SLAPI_PLUGIN_EXT_OP_FN, + (void *)ipa_extdom_extop); + } + if (!ret) { + ret = slapi_pblock_set(pb, SLAPI_PLUGIN_PRIVATE, extdom_ctx); + } + if (ret) { + LOG("Failed to set plug-in version, function, and OID.\n" ); + return -1; + } + + return 0; +} diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_tests.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_tests.c new file mode 100644 index 0000000000000000000000000000000000000000..acb6ae2844eafe938a293a964efa2afe31e32b9e --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_tests.c 
@@ -0,0 +1,203 @@ +/** BEGIN COPYRIGHT BLOCK + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + * + * Additional permission under GPLv3 section 7: + * + * In the following paragraph, "GPL" means the GNU General Public + * License, version 3 or any later version, and "Non-GPL Code" means + * code that is governed neither by the GPL nor a license + * compatible with the GPL. + * + * You may link the code of this Program with Non-GPL Code and convey + * linked combinations including the two, provided that such Non-GPL + * Code only links to the code of this Program through those well + * defined interfaces identified in the file named EXCEPTION found in + * the source code files (the "Approved Interfaces"). The files of + * Non-GPL Code may instantiate templates or use macros or inline + * functions from the Approved Interfaces without causing the resulting + * work to be covered by the GPL. Only the copyright holders of this + * Program may make changes or additions to the list of Approved + * Interfaces. + * + * Authors: + * Sumit Bose + * + * Copyright (C) 2011 Red Hat, Inc. + * All rights reserved. 
+ * END COPYRIGHT BLOCK **/ + +#include + +#include "ipa_extdom.h" +#include "util.h" + +char req_sid[] = {0x30, 0x11, 0x0a, 0x01, 0x01, 0x0a, 0x01, 0x01, 0x04, 0x09, \ + 0x53, 0x2d, 0x31, 0x2d, 0x32, 0x2d, 0x33, 0x2d, 0x34}; +char req_nam[] = {0x30, 0x16, 0x0a, 0x01, 0x02, 0x0a, 0x01, 0x01, 0x30, 0x0e, \ + 0x04, 0x06, 0x44, 0x4f, 0x4d, 0x41, 0x49, 0x4e, 0x04, 0x04, \ + 0x74, 0x65, 0x73, 0x74}; +char req_uid[] = {0x30, 0x14, 0x0a, 0x01, 0x03, 0x0a, 0x01, 0x01, 0x30, 0x0c, \ + 0x04, 0x06, 0x44, 0x4f, 0x4d, 0x41, 0x49, 0x4e, 0x02, 0x02, \ + 0x30, 0x39}; +char req_gid[] = {0x30, 0x15, 0x0a, 0x01, 0x04, 0x0a, 0x01, 0x01, 0x30, 0x0d, \ + 0x04, 0x06, 0x44, 0x4f, 0x4d, 0x41, 0x49, 0x4e, 0x02, 0x03, \ + 0x00, 0xd4, 0x31}; + +char res_sid[] = {0x30, 0x0e, 0x0a, 0x01, 0x01, 0x04, 0x09, 0x53, 0x2d, 0x31, \ + 0x2d, 0x32, 0x2d, 0x33, 0x2d, 0x34}; +char res_nam[] = {0x30, 0x13, 0x0a, 0x01, 0x02, 0x30, 0x0e, 0x04, 0x06, 0x44, \ + 0x4f, 0x4d, 0x41, 0x49, 0x4e, 0x04, 0x04, 0x74, 0x65, 0x73, \ + 0x74}; +char res_uid[] = {0x30, 0x17, 0x0a, 0x01, 0x03, 0x30, 0x12, 0x04, 0x06, 0x44, \ + 0x4f, 0x4d, 0x41, 0x49, 0x4e, 0x04, 0x04, 0x74, 0x65, 0x73, \ + 0x74, 0x02, 0x02, 0x30, 0x39}; +char res_gid[] = {0x30, 0x1e, 0x0a, 0x01, 0x04, 0x30, 0x19, 0x04, 0x06, 0x44, \ + 0x4f, 0x4d, 0x41, 0x49, 0x4e, 0x04, 0x0a, 0x74, 0x65, 0x73, \ + 0x74, 0x5f, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x02, 0x03, 0x00, \ + 0xd4, 0x31}; + +#define TEST_SID "S-1-2-3-4" +#define TEST_DOMAIN_NAME "DOMAIN" + +START_TEST(test_encode) +{ + int ret; + struct extdom_res res; + struct berval *resp_val; + + res.response_type = RESP_SID; + res.data.sid = TEST_SID; + + ret = pack_response(&res, &resp_val); + + fail_unless(ret == LDAP_SUCCESS, "pack_response() failed."); + fail_unless(sizeof(res_sid) == resp_val->bv_len && + memcmp(res_sid, resp_val->bv_val, resp_val->bv_len) == 0, + "Unexpected BER blob."); + ber_memfree(resp_val); + + res.response_type = RESP_NAME; + res.data.name.domain_name = TEST_DOMAIN_NAME; + 
res.data.name.object_name = "test"; + + ret = pack_response(&res, &resp_val); + + fail_unless(ret == LDAP_SUCCESS, "pack_response() failed."); + fail_unless(sizeof(res_nam) == resp_val->bv_len && + memcmp(res_nam, resp_val->bv_val, resp_val->bv_len) == 0, + "Unexpected BER blob."); + ber_memfree(resp_val); +} +END_TEST + +START_TEST(test_decode) +{ + struct berval req_val; + struct extdom_req *req; + int ret; + + req_val.bv_val = req_sid; + req_val.bv_len = sizeof(req_sid); + + ret = parse_request_data(&req_val, &req); + + fail_unless(ret == LDAP_SUCCESS, "parse_request_data() failed."); + fail_unless(req->input_type == INP_SID, + "parse_request_data() returned unexpected input type"); + fail_unless(req->request_type == REQ_SIMPLE, + "parse_request_data() returned unexpected request type"); + fail_unless(strcmp(req->data.sid, "S-1-2-3-4") == 0, + "parse_request_data() returned unexpected sid"); + free(req); + + req_val.bv_val = req_nam; + req_val.bv_len = sizeof(req_nam); + + ret = parse_request_data(&req_val, &req); + + fail_unless(ret == LDAP_SUCCESS, + "parse_request_data() failed."); + fail_unless(req->input_type == INP_NAME, + "parse_request_data() returned unexpected input type"); + fail_unless(req->request_type == REQ_SIMPLE, + "parse_request_data() returned unexpected request type"); + fail_unless(strcmp(req->data.name.domain_name, "DOMAIN") == 0, + "parse_request_data() returned unexpected domain name"); + fail_unless(strcmp(req->data.name.object_name, "test") == 0, + "parse_request_data() returned unexpected object name"); + free(req); + + req_val.bv_val = req_uid; + req_val.bv_len = sizeof(req_uid); + + ret = parse_request_data(&req_val, &req); + + fail_unless(ret == LDAP_SUCCESS, + "parse_request_data() failed."); + fail_unless(req->input_type == INP_POSIX_UID, + "parse_request_data() returned unexpected input type"); + fail_unless(req->request_type == REQ_SIMPLE, + "parse_request_data() returned unexpected request type"); + 
fail_unless(strcmp(req->data.posix_uid.domain_name, "DOMAIN") == 0, + "parse_request_data() returned unexpected domain name"); + fail_unless(req->data.posix_uid.uid == 12345, + "parse_request_data() returned unexpected uid [%d]", + req->data.posix_uid.uid); + free(req); + + req_val.bv_val = req_gid; + req_val.bv_len = sizeof(req_gid); + + ret = parse_request_data(&req_val, &req); + + fail_unless(ret == LDAP_SUCCESS, + "parse_request_data() failed."); + fail_unless(req->input_type == INP_POSIX_GID, + "parse_request_data() returned unexpected input type"); + fail_unless(req->request_type == REQ_SIMPLE, + "parse_request_data() returned unexpected request type"); + fail_unless(strcmp(req->data.posix_gid.domain_name, "DOMAIN") == 0, + "parse_request_data() returned unexpected domain name"); + fail_unless(req->data.posix_gid.gid == 54321, + "parse_request_data() returned unexpected gid [%d]", + req->data.posix_gid.gid); + free(req); +} +END_TEST + +Suite * ipa_extdom_suite(void) +{ + Suite *s = suite_create("IPA extdom"); + + TCase *tc_core = tcase_create("Core"); + tcase_add_test(tc_core, test_decode); + tcase_add_test(tc_core, test_encode); + /* TODO: add test for create_response() */ + suite_add_tcase(s, tc_core); + + return s; +} + +int main(void) +{ + int number_failed; + + Suite *s = ipa_extdom_suite (); + SRunner *sr = srunner_create (s); + srunner_run_all (sr, CK_VERBOSE); + number_failed = srunner_ntests_failed (sr); + srunner_free (sr); + + return (number_failed == 0) ? EXIT_SUCCESS : EXIT_FAILURE; +} diff --git a/freeipa.spec.in b/freeipa.spec.in index ce8e1e69fa0953013f06736394800e8797883323..8d07fde211fca932d2b80d4f4f31be2709e9109e 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in 
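Review bot: test_decode only ever hands parse_request_data() well-formed blobs (req_sid, req_nam, req_uid, req_gid), yet this is the byte string an LDAP client controls when it sends the extended operation; add at least one negative case (a truncated blob, or one whose input_type says INP_SID but whose payload is a SEQUENCE) and assert the call returns something other than LDAP_SUCCESS. Two smaller points in the same hunk: test_encode releases resp_val with ber_memfree(), which frees only the struct berval, so if pack_response() builds it with ber_flatten() the bv_val buffer leaks and ber_bvfree() is the matching release; and nothing in the spec hunk that follows adds a %check section, so the new ipa_extdom_tests binary will not run at package build time even though check is now a BuildRequires.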
@@ -81,6 +81,8 @@ BuildRequires: python-lxml BuildRequires: python-pyasn1 >= 0.0.9a BuildRequires: python-dns BuildRequires: python-crypto +BuildRequires: check >= 0.9.5 +BuildRequires: libsss_idmap-devel %description IPA is an integrated solution to provide centrally managed Identity (machine, @@ -350,6 +352,7 @@ rm %{buildroot}/%{plugin_dir}/libipa_uuid.la rm %{buildroot}/%{plugin_dir}/libipa_modrdn.la rm %{buildroot}/%{plugin_dir}/libipa_lockout.la rm %{buildroot}/%{plugin_dir}/libipa_cldap.la +rm %{buildroot}/%{plugin_dir}/libipa_extdom_extop.la rm %{buildroot}/%{_libdir}/krb5/plugins/kdb/ipadb.la rm %{buildroot}/%{_libdir}/samba/pdb/ipasam.la @@ -656,6 +659,7 @@ fi %files server-trust-ad %{_sbindir}/ipa-adtrust-install +%attr(755,root,root) %{plugin_dir}/libipa_extdom_extop.so %{_usr}/share/ipa/smb.conf.empty %attr(755,root,root) %{_libdir}/samba/pdb/ipasam.so %{_mandir}/man1/ipa-adtrust-install.1.gz @@ -712,6 +716,9 @@ fi %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt %changelog +* Fri Jun 8 2012 Sumit Bose - 2.99.0-33 +- Add extdom extop plugin + * Fri Jun 8 2012 Martin Kosek - 2.99.0-32 - Add directory /var/lib/ipa/sysupgrade for package upgrade metadata - Set min for bind-dyndb-ldap to 1.1.0-0.12.rc1 to pick up persistent search diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py index 5f74054316ed714cc5cab004b497033dc4b47adf..0e9e9ef245a0897dfee9bcb0940d0de35c1bfd61 100644 --- a/ipaserver/install/adtrustinstance.py +++ b/ipaserver/install/adtrustinstance.py @@ -223,6 +223,12 @@ class ADTRUSTInstance(service.Service): except: pass + def __add_extdom_module(self): + try: + self._ldap_mod("ipa-extdom-extop-conf.ldif", self.sub_dict) + except: + pass + def __write_smb_registry(self): template = os.path.join(ipautil.SHARE_DIR, "smb.conf.template") conf = ipautil.template_file(template, self.sub_dict) 
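Review bot: __add_extdom_module() wraps self._ldap_mod("ipa-extdom-extop-conf.ldif", self.sub_dict) in a bare "except: pass", so a failure to load the extdom plug-in configuration is silently swallowed and the "activating extdom plugin" step below still reports success while the extended operation is simply absent. Catch the specific exceptions and at least log them with root_logger (already used in this file), or let the error propagate so the installer step fails visibly. The preceding __add_cldap_module() context shows the same pattern, but that is a reason to fix both rather than to copy it.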
@@ -380,7 +386,12 @@ class ADTRUSTInstance(service.Service): self.suffix) except (ldap.ALREADY_EXISTS, errors.DuplicateEntry), e: root_logger.info("ADTRUST Service startup entry already exists.") - pass + + try: + self.ldap_enable('EXTID', self.fqdn, self.dm_password, \ + self.suffix) + except (ldap.ALREADY_EXISTS, errors.DuplicateEntry), e: + root_logger.info("EXTID Service startup entry already exists.") def __setup_sub_dict(self): self.sub_dict = dict(REALM = self.realm_name, @@ -430,6 +441,7 @@ class ADTRUSTInstance(service.Service): self.step("adding cifs Kerberos principal", self.__setup_principal) self.step("adding admin(group) SIDs", self.__add_admin_sids) self.step("activating CLDAP plugin", self.__add_cldap_module) + self.step("activating extdom plugin", self.__add_extdom_module) self.step("configuring smbd to start on boot", self.__enable) if not self.no_msdcs: self.step("adding special DNS service records", \ diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py index a3d09fcd633a851a67ef94b2025f1afb605d3d84..5cc7ae639db3fe2aa3805a90e0902f10f277064c 100644 --- a/ipaserver/install/service.py +++ b/ipaserver/install/service.py @@ -42,7 +42,8 @@ SERVICE_LIST = { 'MEMCACHE':('ipa_memcached', 39), 'HTTP':('httpd', 40), 'CA':('pki-cad', 50), - 'ADTRUST':('smb', 60) + 'ADTRUST':('smb', 60), + 'EXTID':('winbind', 70) } def print_msg(message, output_fd=sys.stdout): -- 1.7.10.2 From mkosek at redhat.com Wed Jun 13 11:56:04 2012 
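Review bot: in the ldap_enable('EXTID', ...) hunk the bound exception "e" is never used and the backslash continuation inside the parenthesised argument list is unnecessary; the existing ADTRUST block right above it shows the same shape, so drop both. More importantly, the service.py hunk's 'EXTID':('winbind', 70) is the only place winbind appears in this patch: add a comment explaining why the EXTID startup entry is tied to the winbind system service, and confirm winbind is actually configured to start by this installer, since the visible steps only mention smbd.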
From: mkosek at redhat.com (Martin Kosek) Date: Wed, 13 Jun 2012 13:56:04 +0200 Subject: [Freeipa-devel] httpd sometimes returns 400 Bad Request Message-ID: <1339588564.2965.32.camel@balmora.brq.redhat.com> Hello all, when I created a new F17 VM this week, httpd started to sometimes return a 400 Bad Request error (some header parsing error) even though the request was OK. This happens for requests via web browsers, CLI XMLRPC interface or JSON-RPC interface. I logged a bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=831589 Bugzilla also contains steps to reproduce this outside of an IPA server. So far, I am not sure what component causes this bug, but I suspect mod_nss. Please feel free to add a comment to the bugzilla above if you have any hint that could help us pinpoint the issue. Thanks, Martin From pvoborni at redhat.com Wed Jun 13 13:15:29 2012 
From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 13 Jun 2012 15:15:29 +0200 Subject: [Freeipa-devel] [PATCH] 157 Added password reset capabilities to unauthorized dialog In-Reply-To: <4FD7CFB7.3020609@redhat.com> References: <4FD21F9E.5000201@redhat.com> <4FD21FD4.4030301@redhat.com> <4FD7CFB7.3020609@redhat.com> Message-ID: <4FD89271.7030406@redhat.com> I'll address all issues once we decide on the solution. On 06/13/2012 01:24 AM, Endi Sukma Dewata wrote: > On 6/8/2012 10:52 AM, Petr Vobornik wrote: >> and now the patch... >> On 06/08/2012 05:51 PM, Petr Vobornik wrote: >>> For those of you who are only interested in the user perspective I prepared a >>> set of screenshots to demonstrate the workflow of password reset: >>> http://pvoborni.fedorapeople.org/ux/reset_password_workflow.png >>> >>> Patch depends on mkosek #274. >>> >>> Web UI was missing a way to reset an expired password for a normal user. >>> A recent server patch added an API for such a task. This patch is adding a reset >>> password form to the unauthorized dialog. >>> >>> If a user tries to login using form-based authentication and his password >>> is expired, the login form transforms to a reset password form. The username >>> and current password are populated by values from the previous login attempt. >>> The user then has to enter a new password and its verification. Then he can >>> hit the enter button on the keyboard or click on the reset button on the dialog to >>> perform the password reset. An error is displayed if some part of the password >>> reset fails. If it is successful a new login with the values entered for >>> password reset is performed. It should login the user. In the password reset >>> form the user can click on the back button or hit escape on the keyboard to go back >>> to the login form. >>> >>> https://fedorahosted.org/freeipa/ticket/2755 > > It works with mkosek 274-2. Some comments: > > 1. If you click 'form-based authentication' the dialog title still shows > 'Kerberos ticket no longer valid' which is not relevant for form-based > authentication. 
It might be better to use 'Login' as the title for all > pages in this dialog. Agree > > 2. Instead of having to go to a separate page for form-based > authentication, would it be better to change the first page in the login > dialog to show the login form? Something like this: > > Login > ----------------------------------------------------- > > Your session has expired. Please re-login. > > To login with username and password: > > Username: [edewata ] > Password: [******** ] > > [Login] > > To login with Kerberos, please make sure you > have valid tickets (obtainable via kinit) and > [configured] the browser correctly. > > [Login with Kerberos] > > The two login mechanisms can be shown at the same time like above or in > collapsible sections. If the user enters a password and it's expired, > the dialog will change into: I like the idea but I'm not sure about the layout. Having one button inside the dialog seems strange and also it will probably look weird. Collapsible sections are worse because you have to click on them so it slows things down. The current implementation has the 'forms-based authentication' link selected so the user can in most cases hit enter and immediately write username, password and complete the login procedure using only the keyboard. Also 'Login with Kerberos' is misleading. Users log in elsewhere (kinit). So the current button 'retry' is more appropriate. > > Login > ----------------------------------------------------- > > Your password has expired. Please enter a new > password: > > Username: edewata > New Password: [******** ] > Verify Password: [******** ] > > [Reset Password and Login] [Cancel] > > In this page the username is shown for info only, it's not editable. The > old password is not shown again, but kept in memory. I use Cancel > instead of Back to indicate that we are starting over. The Cancel button > will bring you back to the first page. Little change, but can probably be more straightforward - will do. 2a. 
The dialog uses headers in the title (the one from #1) and headers inside (login, reset password). From your examples I'm not sure if you would like to: a) remove the inside headers b) change them to 'login' everywhere c) keep them unchanged > > 3. I noticed that the password is kept in memory too long by the login > dialog so if you go back and forth between the pages the fields are > already populated. This might be a security risk. I think the username & > password should be cleaned up when you click Back/Cancel. Agree > > 4. Is there a plan to provide password reset via email? > I don't think so. I'm not sure if it is even useful for Freeipa. One of the main purposes of Freeipa is SSO and I guess company mail would be kerberized too. So if you forget the password, you can't login, reset or even access mail. I guess using external mail is not the way to go. Maybe it is useful if the company uses an additional authentication mechanism like pin + token or other. -- Petr Vobornik From rcritten at redhat.com Wed Jun 13 13:28:37 2012 
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 13 Jun 2012 09:28:37 -0400 Subject: [Freeipa-devel] [PATCH] 272-273 Add service membership to host objects In-Reply-To: <1339575316.2965.17.camel@balmora.brq.redhat.com> References: <1338904536.28796.41.camel@balmora.brq.redhat.com> <4FCE7B97.7020003@redhat.com> <1338962500.9625.2.camel@balmora.brq.redhat.com> <4FCF02A5.90206@redhat.com> <1338967035.9625.3.camel@balmora.brq.redhat.com> <4FD63AFE.9040400@redhat.com> <1339575316.2965.17.camel@balmora.brq.redhat.com> Message-ID: <4FD89585.40505@redhat.com> Martin Kosek wrote: > On Mon, 2012-06-11 at 14:37 -0400, Rob Crittenden wrote: >> Martin Kosek wrote: >>> On Wed, 2012-06-06 at 09:11 +0200, Petr Vobornik wrote: >>>> On 06/06/2012 08:01 AM, Martin Kosek wrote: >>>>> On Tue, 2012-06-05 at 17:35 -0400, Rob Crittenden wrote: >>>>>> Martin Kosek wrote: >>>>>>> This set of patches >>>>>>> 1) Adds a support for uni-directional remote membership to baseldap >>>>>>> plugin (like service->host membership in service managedby attribute) - >>>>>>> patch 272 >>>>>>> 2) Adds a support for service->host membership to host plugin using the >>>>>>> new interface - patch 273 >>>>>>> >>>>>>> Martin >>>>>> >>>>>> Have you tried this in the UI? Are these new relationships already handled? >>>>>> >>>>>> rob >>>>> >>>>> I just checked that I didn't break anything in the host page. But with >>>>> this patch, we could add a tab with a list of services for a selected >>>>> host. I will check with Petr if the information we provide are enough. >>>>> >>>>> Martin >>>>> >>>> >>>> Provided information is sufficient for implementation of UI part. >>>> >>> >>> Thanks Petr, I created a ticket for Web UI to implement this new >>> relationship: >>> https://fedorahosted.org/freeipa/ticket/2812 >>> >>> Martin >>> >> >> This is displaying the DN of the service which is case-insensitive, so >> for example the HTTP principal shows as : http/ipa.example.com. 
Perhaps >> take the RDN and pull that attribute specifically? >> >> rob > > Yes, this is caused by our (member) DN normalizing which is a more > general issue than this patch (I would not hold it because of that). > > Look for example at roles, we also put all privileges member DNs to > lower case: > > # ipa role-show helpdesk > Role name: helpdesk > Description: Helpdesk >> Privileges: modify users and reset passwords, modify group membership > > DNs are normalized as well: > # ipa role-show helpdesk --all --raw > dn: > cn=helpdesk,cn=roles,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com > cn: helpdesk > description: Helpdesk > memberof: cn=modify users and reset > passwords,cn=privileges,cn=pbac,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com > ... > > # ipa privilege-show "modify users and reset passwords" > Privilege name: Modify Users and Reset passwords<<< not lowercase > > > Bottom line is that I would not do any extra processing just for > "remote_attrs" (which would make it inconsistent with the rest). This > needs to be solved on a more global level. > > I see there are at least these two tickets relevant to this issue: > #2620 renaming of objects is case insensitive > #2482 Sudo commands are case-insensitive > > Martin > I think this is a different issue and related to the way we decided to structure some dns. IMHO I'd rather not show member service principals than show an incorrect one. rob From pvoborni at redhat.com Wed Jun 13 13:32:16 2012 
From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 13 Jun 2012 15:32:16 +0200 Subject: [Freeipa-devel] [PATCH] 158 Separate reset password page In-Reply-To: <4FD7CFD6.1040209@redhat.com> References: <4FD22051.7060308@redhat.com> <4FD7CFD6.1040209@redhat.com> Message-ID: <4FD89660.7060002@redhat.com> On 06/13/2012 01:25 AM, Endi Sukma Dewata wrote: > On 6/8/2012 10:54 AM, Petr Vobornik wrote: >> This patch adds a separate reset password page. It is a complement to the >> separate login page. It differs from the reset password capabilities >> in the Web UI's unauthorized dialog by not performing login. This is useful >> for users who only want to reset the password and not to use the Web UI. >> And also for users who are using the separate login page. >> >> https://fedorahosted.org/freeipa/ticket/2755 > > It also works with mkosek 274-2 (but needs rebase). > > If the password reset is successful, the page shows a link to the login > page, but it also still shows the password reset form. I think it's very > unlikely that the user will want to change the password again, so it > might be better not to show the form, but provide a link to the form > just in case the user needs to do it again. > So after a successful reset the user will remain on reset_password.html and will see something like this: http://pvoborni.fedorapeople.org/ux/resetpwd_success.png ? -- Petr Vobornik From mkosek at redhat.com Wed Jun 13 14:49:01 2012 
From: mkosek at redhat.com (Martin Kosek) Date: Wed, 13 Jun 2012 16:49:01 +0200 Subject: [Freeipa-devel] [PATCH] 275 Do not crash in Decimal parameter conversion In-Reply-To: <4FD165BB.7030604@redhat.com> References: <1339062486.7369.3.camel@balmora.brq.redhat.com> <4FD165BB.7030604@redhat.com> Message-ID: <1339598941.2965.39.camel@balmora.brq.redhat.com> On Thu, 2012-06-07 at 22:38 -0400, Rob Crittenden wrote: > Martin Kosek wrote: > > When invalid data is passed, an unhandled decimal exception could > > be raised in Decimal number conversion. Handle the exception > > more gracefully and report proper ipalib.errors.ConversionError. > > > > https://fedorahosted.org/freeipa/ticket/2705 > > I'm being pedantic but I think the Decimal special values need to be > handled better. Using Infinity returns a rather odd message: > > $ ipa dnsrecord-add example.com > Record name: foo > Please choose a type of DNS resource record to be added > The most common types for this type of zone are: A, AAAA > > DNS resource record type: LOC > LOC Degrees Latitude: 90 > [LOC Minutes Latitude]: 59 > [LOC Seconds Latitude]: > 999999999999999999999999999999999999999999999999999999999999999999999 > >>> LOC Seconds Latitude: quantize result has too many digits for > current context > [LOC Seconds Latitude]: Infinity > >>> LOC Seconds Latitude: quantize with one INF > > And using NaN raises an unhandled exception: > > [LOC Seconds Latitude]: NaN > ipa: ERROR: InvalidOperation: comparison involving NaN > Traceback (most recent call last): > File "/home/rcrit/redhat/freeipa/ipalib/cli.py", line 1263, in run > sys.exit(api.Backend.cli.run(argv)) > File "/home/rcrit/redhat/freeipa/ipalib/cli.py", line 1049, in run > kw = self.argv_to_keyword_arguments(cmd, argv[1:]) > File "/home/rcrit/redhat/freeipa/ipalib/cli.py", line 1035, in > argv_to_keyword_arguments > self.prompt_interactively(cmd, kw) > File "/home/rcrit/redhat/freeipa/ipalib/cli.py", line 1199, in > prompt_interactively > callback(kw) > 
File "/home/rcrit/redhat/freeipa/ipalib/plugins/dns.py", line 2147, > in interactive_prompt_callback > user_options = param.prompt_parts(self.Backend) > File "/home/rcrit/redhat/freeipa/ipalib/plugins/dns.py", line 768, in > prompt_parts > self.__get_part_param(backend, part, user_options, default) > File "/home/rcrit/redhat/freeipa/ipalib/plugins/dns.py", line 747, in > __get_part_param > output_kw[name] = part(raw) > File "/home/rcrit/redhat/freeipa/ipalib/parameters.py", line 556, in > __call__ > self.validate(value, supplied=self.name in kw) > File "/home/rcrit/redhat/freeipa/ipalib/parameters.py", line 879, in > validate > self._validate_scalar(value) > File "/home/rcrit/redhat/freeipa/ipalib/parameters.py", line 893, in > _validate_scalar > error = rule(ugettext, value) > File "/home/rcrit/redhat/freeipa/ipalib/parameters.py", line 1244, in > _rule_minvalue > if value < self.minvalue: > File "/usr/lib64/python2.7/decimal.py", line 884, in __lt__ > ans = self._compare_check_nans(other, context) > File "/usr/lib64/python2.7/decimal.py", line 786, in _compare_check_nans > self) > File "/usr/lib64/python2.7/decimal.py", line 3866, in _raise_error > raise error(explanation) > InvalidOperation: comparison involving NaN > ipa: ERROR: an internal error has occurred > > Otherwise it does what it should. > > rob Thanks for being pedantic, I found out that Decimal number validation and normalization needs more care, dnsrecord-add would also fail with values such as "1E4" or "-0". Attached patch improves Decimal number validation a lot and adds optional exponent normalization. I also added missing tests for all Decimal Parameter attributes. Martin -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-275-2-decimal-parameter-conversion-and-normalization.patch Type: text/x-patch Size: 9394 bytes Desc: not available URL: From pvoborni at redhat.com Wed Jun 13 14:58:58 2012 
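The failure modes Rob and Martin list above (Infinity reaching quantize(), NaN blowing up in the `value < self.minvalue` rule, "1E4" and "-0" surviving as surprising strings) come down to one ordering rule: reject non-finite values before any comparison, normalize before validating, and treat quantize() overflow as a conversion error rather than a crash. The following is an added example, not ipalib's `Decimal` parameter or the attached patch; the class name `DecimalParam`, its keyword arguments and the `check()` helper are hypothetical, and the LOC seconds-of-latitude rule (0 to 59.999, three decimal places) is assumed from the dnsrecord-add prompt quoted in the thread.

```python
# Added example (not ipalib code): a Decimal parameter that survives the
# inputs discussed in the thread.  Names and rules are hypothetical.
from decimal import Decimal, InvalidOperation


class ConversionError(ValueError):
    """Raw input could not be turned into a usable Decimal."""


class ValidationError(ValueError):
    """A converted value failed a range rule."""


class DecimalParam(object):
    """Convert, normalize and validate one decimal CLI argument."""

    def __init__(self, name, minvalue=None, maxvalue=None,
                 precision=None, normalize_exponent=False):
        self.name = name
        self.minvalue = None if minvalue is None else Decimal(str(minvalue))
        self.maxvalue = None if maxvalue is None else Decimal(str(maxvalue))
        self.precision = precision                    # decimal places kept
        self.normalize_exponent = normalize_exponent  # '1E4' -> '10000'

    def convert(self, raw):
        try:
            value = Decimal(str(raw))
        except (InvalidOperation, ValueError):
            raise ConversionError('%s: %r is not a decimal number'
                                  % (self.name, raw))
        # 'NaN', 'sNaN' and 'Infinity' parse successfully but raise
        # InvalidOperation ("comparison involving NaN") inside '<' later,
        # so they are rejected here before any rule can see them.
        if not value.is_finite():
            raise ConversionError('%s: special value %r is not allowed'
                                  % (self.name, raw))
        return value

    def normalize(self, value):
        try:
            if self.precision is not None:
                # quantize() raises InvalidOperation when the result needs
                # more digits than the context allows (28 by default); that
                # is the "too many digits" message from the thread.
                value = value.quantize(Decimal(1).scaleb(-self.precision))
            if self.normalize_exponent and value.as_tuple().exponent > 0:
                # A positive exponent is scientific notation ('1E4');
                # quantizing to a whole number is exact, nothing is rounded.
                value = value.quantize(Decimal(1))
        except InvalidOperation:
            raise ConversionError('%s: too many digits' % self.name)
        if value.is_zero():
            value = value.copy_abs()      # '-0' -> '0', keeps the exponent
        return value

    def validate(self, value):
        # Safe: convert() guarantees the value is finite.
        if self.minvalue is not None and value < self.minvalue:
            raise ValidationError('%s: must be at least %s'
                                  % (self.name, self.minvalue))
        if self.maxvalue is not None and value > self.maxvalue:
            raise ValidationError('%s: can be at most %s'
                                  % (self.name, self.maxvalue))
        return value

    def __call__(self, raw):
        return self.validate(self.normalize(self.convert(raw)))


def check(param, raw):
    """Run param on raw; return ('ok', text) or ('error', exception name)."""
    try:
        return ('ok', str(param(raw)))
    except (ConversionError, ValidationError) as e:
        return ('error', type(e).__name__)


# Assumed rule for LOC seconds of latitude, modelled on the dnsrecord-add
# prompt in the thread: 0 <= value < 60, three decimal places.
loc_seconds = DecimalParam('loc_seconds_latitude', minvalue=0,
                           maxvalue='59.999', precision=3,
                           normalize_exponent=True)

if __name__ == '__main__':
    for raw in ('59', '1E1', '-0', 'NaN', 'Infinity', '60', '9' * 69):
        print('%-70s -> %s' % (raw, check(loc_seconds, raw)))
```

The order matters: because `convert()` refuses anything that is not finite, `validate()` can use plain `<` and `>` without a try/except, and because `normalize()` runs before `validate()`, the range check sees the same digits the user will see echoed back.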
From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 13 Jun 2012 16:58:58 +0200 Subject: [Freeipa-devel] [PATCH] 155 Action panel for host enrollment In-Reply-To: <4FD7CF9F.3000506@redhat.com> References: <4FCF7E4E.8000000@redhat.com> <4FD7CF9F.3000506@redhat.com> Message-ID: <4FD8AAB2.6080902@redhat.com> On 06/13/2012 01:24 AM, Endi Sukma Dewata wrote: > On 6/6/2012 10:59 AM, Petr Vobornik wrote: >> Widgets in host enrollment sections were modified. They now serve only >> for displaying the has_key and has_password status. Functionality for >> setting otp and unprovisioning was moved to separate dialogs. Execution >> points for opening these dialogs are items in the new action panel in the >> enrollment section. > > ACK. > Pushed to master. -- Petr Vobornik From pvoborni at redhat.com Wed Jun 13 14:59:07 2012 From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 13 Jun 2012 16:59:07 +0200 Subject: [Freeipa-devel] [PATCH] 156 Action panel for service provisioning In-Reply-To: <4FD7CFA4.8030804@redhat.com> References: <4FD06BEA.3020905@redhat.com> <4FD7CFA4.8030804@redhat.com> Message-ID: <4FD8AABB.5020002@redhat.com> On 06/13/2012 01:24 AM, Endi Sukma Dewata wrote: > On 6/7/2012 3:52 AM, Petr Vobornik wrote: >> The service provisioning status widget was modified to only display the >> has_keytab status. The button for 'delete key,unprovision' was moved as an >> action to the newly created action panel in the same section. This required >> moving the creation of the unprovisioning dialog from that widget to a >> new separate dialog. >> >> The action for the action panel and all required status evaluators for >> enabling/disabling of that action were also created. >> >> https://fedorahosted.org/freeipa/ticket/2252 > > ACK. > > Pushed to master. -- Petr Vobornik From rcritten at redhat.com Wed Jun 13 15:16:53 2012 
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 13 Jun 2012 11:16:53 -0400 Subject: [Freeipa-devel] [PATCH] 1024 add client session support In-Reply-To: <1339571990.2965.11.camel@balmora.brq.redhat.com> References: <4FD0EA6B.3040801@redhat.com> <4FD0F9DD.6040504@redhat.com> <4FD169B7.3030906@redhat.com> <1339433382.19118.43.camel@balmora.brq.redhat.com> <4FD74E13.4050506@redhat.com> <4FD78608.4060009@redhat.com> <1339571990.2965.11.camel@balmora.brq.redhat.com> Message-ID: <4FD8AEE5.60002@redhat.com> Martin Kosek wrote: > On Tue, 2012-06-12 at 14:10 -0400, Rob Crittenden wrote: >> Petr Viktorin wrote: >>> On 06/11/2012 06:49 PM, Martin Kosek wrote: >>>> On Thu, 2012-06-07 at 22:55 -0400, Rob Crittenden wrote: >>>>> Rob Crittenden wrote: >>>>>> Rob Crittenden wrote: >>>>>>> This adds client session support. The session key is stored in the >>>>>>> kernel key ring. >>>>>>> >>>>>>> Your first request should go to /ipa/session/xml where it should be >>>>>>> rejected with a 401. The next will go to /ipa/xml which will be >>>>>>> accepted. This should all be invisible to the client. >>>>>>> >>>>>>> Subsequent requests should go to /ipa/session/xml which should let you >>>>>>> in with the cookie. >>>>>>> >>>>>>> You can add the -vv option after ipa to see fully what is going on, >>>>>>> e.g. >>>>>>> ipa -vv user-show admin >>>>>>> >>>>>>> To manage your keyring use the keyctl command like: >>>>>>> >>>>>>> $ keyctl list @s >>>>>>> 2 keys in keyring: >>>>>>> 353548226: --alswrv 1000 -1 keyring: _uid.1000 >>>>>>> 941350591: --alswrv 1000 1000 user: ipa_session_cookie >>>>>>> >>>>>>> To remove a key: >>>>>>> >>>>>>> $ keyctl unlink 941350591 @s >>>>>>> >>>>>>> rob >>>>>> >>>>>> Hmm, this doesn't play too nice with the lite-server. Let me see if I >>>>>> can track it down. The ccache is being removed, probably as part of the >>>>>> session code. Sessions don't make sense with the lite server since it >>>>>> uses the local ccache directly. >>>>> >>>>> Updated patch. 
Don't clean up the ccache if in the lite-server. >>>>> >>>>> rob >>>>> >>>> >>>> Good job there. I tested various scenarios (2 master, fallback with SRV >>>> records, old client (RHEL 6.2)) and most worked for me, but only when I >>>> worked under the root account. This is what I got with non-root: >>>> >>>> $ ipa user-show admin >>>> ... >>>> ipa: DEBUG: stderr= >>>> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie >>>> ipa: DEBUG: stdout=113632397 >>>> >>>> ipa: DEBUG: stderr= >>>> ipa: DEBUG: args=keyctl pupdate 113632397 >>>> ipa: DEBUG: stdout= >>>> ipa: DEBUG: stderr=keyctl_update: Permission denied >>>> ipa: INFO: trying https://vm-131.idm.lab.bos.redhat.com/ipa/session/xml >>>> ipa: DEBUG: NSSConnection init vm-131.idm.lab.bos.redhat.com >>>> ipa: ERROR: cannot connect to 'any of the configured servers': ... >>>> >>>> Shouldn't we use @us instead of @s for storing user session keys? >>>> >>>> >>>> Secondly, I wonder if we also plan to add some logout command? This way >>>> even if I do kdestroy, the session still exists and someone else may >>>> still execute commands. >>>> >>>> Martin >>> >>> Also: keyctl is in the keyutils package, which we need to depend on. >>> >> >> Nice catch, updated patch. > > Thanks. It just needs rebasing (conflicts with the pushed password change > capability). > >> >> I also included a bit more about why I chose @s instead of @us. >> Basically it is so a different shell can have a different session and >> therefore a different identity. > > Hm, personally I am not sure why I would want to have two different > identities in different shells, maybe for custom scripts? > > There is a disadvantage for using @s over @us though. 
This use case will > fail: > > # kinit admin > Password for admin at IDM.LAB.BOS.REDHAT.COM: > # ipa user-show admin > User login: admin > Last name: Administrator > Home directory: /home/admin > Login shell: /bin/bash > UID: 384000000 > GID: 384000000 > Account disabled: False > Password: True > Member of groups: admins, trust admins > Kerberos keys available: True > > # su admin > $ kinit admin > Password for admin at IDM.LAB.BOS.REDHAT.COM: > $ ipa user-show admin > ipa: ERROR: cannot connect to 'any of the configured servers': > https://vm-021.idm.lab.bos.redhat.com/ipa/session/xml, > https://vm-131.idm.lab.bos.redhat.com/ipa/session/xml > > This fails because the session under "su" does not have a permission to > update the key. Btw this worked for me when I used @us instead of @s. I think a more likely use case is where you are logged in as yourself and you want to keep that TGT but want to do some administrative work as admin. $ export KRB5CCNAME=/tmp/my_cc $ kinit admin $ ipa user-mod ... If you use @us then this new ccache isn't used at all, the original session is. If you use @s then this new ccache is used as expected. > >> >> I'm going to open a ticket for the logout. For the short-term one can do >> something like: >> >> $ keyctl purge user >> >> Or more precisely: >> >> $ keyctl list @s >> 2 keys in keyring: >> 353548226: --alswrv 1000 -1 keyring: _uid.1000 >> 207626975: --alswrv 1000 1000 user: ipa_session_cookie >> $ keyctl unlink 207626975 >> 1 links removed > > Ok, I think this is fine for now. > > Martin > From edewata at redhat.com Wed Jun 13 17:18:02 2012 
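Until the logout ticket Rob mentions is implemented, the only way to drop a session is the manual `keyctl list @s` / `keyctl unlink <id> @s` sequence he quotes. The script below is an added example, not part of the client session patch or of FreeIPA: it parses the `keyctl list` output format shown in the thread to find every `user: ipa_session_cookie` key in the session keyring and unlinks each one, using only the keyctl subcommands that appear above. `find_keys()`, `logout()` and `SAMPLE_LISTING` are hypothetical names; the sample listing is constructed from the two rows quoted in the thread so the parsing can be run without keyutils installed.

```python
# Added example (not FreeIPA code): an explicit "logout" for the session
# cookie held in the kernel keyring.  Only the keyctl subcommands quoted
# in the thread are used (list, unlink); keyctl runs solely in logout().
import re
import shutil
import subprocess

SESSION_KEYRING = '@s'            # the per-session keyring the patch uses
COOKIE_DESC = 'ipa_session_cookie'

# One 'keyctl list' row: "<id>: <perms> <uid> <gid> <type>: <description>"
_ROW = re.compile(r'^\s*(\d+):\s+\S+\s+\d+\s+-?\d+\s+(\w+):\s+(.*?)\s*$')


def find_keys(listing, key_type='user', description=COOKIE_DESC):
    """Return the key ids in a 'keyctl list' dump matching type + description.

    The "N keys in keyring:" header and the nested keyring rows do not
    match, so only real key entries are ever unlinked.
    """
    found = []
    for line in listing.splitlines():
        m = _ROW.match(line)
        if m and m.group(2) == key_type and m.group(3) == description:
            found.append(int(m.group(1)))
    return found


def _keyctl(*args):
    """Run one keyctl command and return its stdout; fail loudly if absent."""
    if shutil.which('keyctl') is None:
        raise RuntimeError('keyctl not found; install the keyutils package')
    return subprocess.run(('keyctl',) + args, check=True,
                          capture_output=True, text=True).stdout


def logout(keyring=SESSION_KEYRING):
    """Unlink every ipa_session_cookie key from keyring; return removed ids.

    Unlinking discards this shell's copy of the cookie, so the next ipa
    command has to re-authenticate with Kerberos; several cookies can be
    present if the key was relinked, so all of them are removed.
    """
    removed = []
    for key_id in find_keys(_keyctl('list', keyring)):
        _keyctl('unlink', str(key_id), keyring)
        removed.append(key_id)
    return removed


# Constructed sample shaped like the 'keyctl list @s' output in the thread.
SAMPLE_LISTING = """2 keys in keyring:
 353548226: --alswrv  1000    -1 keyring: _uid.1000
 941350591: --alswrv  1000  1000 user: ipa_session_cookie
"""

if __name__ == '__main__':
    print('cookie keys in sample listing:', find_keys(SAMPLE_LISTING))
```

This only removes the client's copy of the cookie; nothing in the thread describes server-side invalidation, which is what a real logout command would also need so that a cookie copied elsewhere stops working.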
From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 13 Jun 2012 12:18:02 -0500 Subject: [Freeipa-devel] [PATCH] 157 Added password reset capabilities to unauthorized dialog In-Reply-To: <4FD89271.7030406@redhat.com> References: <4FD21F9E.5000201@redhat.com> <4FD21FD4.4030301@redhat.com> <4FD7CFB7.3020609@redhat.com> <4FD89271.7030406@redhat.com> Message-ID: <4FD8CB4A.6090405@redhat.com> On 6/13/2012 8:15 AM, Petr Vobornik wrote: > I'll address all issues once we decide on the solution. > >> 1. If you click 'form-based authentication' the dialog title still shows >> 'Kerberos ticket no longer valid' which is not relevant for form-based >> authentication. It might be better to use 'Login' as the title for all >> pages in this dialog. > > Agree > >> 2. Instead of having to go to a separate page for form-based >> authentication, would it be better to change the first page in the login >> dialog to show the login form? Something like this: >> >> Login >> ----------------------------------------------------- >> >> Your session has expired. Please re-login. >> >> To login with username and password: >> >> Username: [edewata ] >> Password: [******** ] >> >> [Login] >> >> To login with Kerberos, please make sure you >> have valid tickets (obtainable via kinit) and >> [configured] the browser correctly. >> >> [Login with Kerberos] >> >> The two login mechanisms can be shown at the same time like above or in >> collapsible sections. If the user enters a password and it's expired, >> the dialog will change into: > > I like the idea but I'm not sure about the layout. Having one button > inside the dialog seems strange and also it will probably look weird. You mean two buttons (Login & Login with Kerberos)? I agree it's kinda strange. > Collapsible sections are worse because you have to click on them so it > slows things down. That's also true. I'll leave this up to you. 
The current workflow still makes sense if we consider form-based authentication a less preferred method, so you'd have to go to another page to login with username & password.

> Current implementation has 'forms-based
> authentication' link selected so user can in most cases hit enter and
> immediately write username, password and complete login procedure only
> by using keyboard.

Hmm... that's not very obvious though. I wouldn't have known that until you told me :) I think intuitively people will think that if you hit enter it will click the default button in the dialog, unless there's an input text field.

> Also 'Login with Kerberos' is misleading. User logs in elsewhere (kinit).
> So current button: 'retry' is more appropriate.

What I meant was 'Login with Kerberos mechanism' or 'Login with Kerberos ticket', but it might be too long. I assume people in general aren't going to be confused by that because the text also mentions that you'd have to get the ticket from kinit.

My concern with 'Retry' is that if you open the UI for the first time and you haven't done kinit yet, you'll see a message saying your Kerberos ticket has expired and asking you to Retry. This is not quite accurate because you never had a ticket before. The 'expired ticket' and 'retry' message might make more sense if you already had the UI open but left it for a while and come back to continue. If you just open the UI for the first time I think the message should only tell you what you need to do to login, not what went wrong in the past.

I'll leave this up to you too. We might be able to keep the current workflow, but display a different message depending on whether it's your first visit or a return visit.

>> Login
>> -----------------------------------------------------
>>
>> Your password has expired. Please enter a new
>> password:
>>
>> Username: edewata
>> New Password: [******** ]
>> Verify Password: [******** ]
>>
>> [Reset Password and Login] [Cancel]
>>
>> In this page the username is shown for info only, it's not editable. The
>> old password is not shown again, but kept in memory. I use Cancel
>> instead of Back to indicate that we are starting over. The Cancel button
>> will bring you back to the first page.
>
> Little change, but can be probably more straightforward - will do.

If you keep the original workflow, the Cancel button probably should bring you to the first page (expired ticket), not to the second page (login) because if your password has expired you can't login without reset anyway.

> 2a. The dialog uses headers in title (the one from #1) and headers
> inside (login, reset password). From your examples I'm not sure if you
> would like to:
> a) remove the inside headers
> b) change them to 'login' everywhere
> c) keep them unchanged

I think the inside header is not necessary, it's a duplicate of the dialog title. This reset password operation is still part of the login operation because if you cancel the reset you still aren't logged in yet.

>> 3. I noticed that the password is kept in memory too long by the login
>> dialog so if you go back and forth between the pages the fields are
>> already populated. This might be a security risk. I think the username &
>> password should be cleaned up when you click Back/Cancel.
>
> Agree

Also when you complete the login process, it should be cleaned up as well.

>> 4. Is there a plan to provide password reset via email?
>
> I don't think so. I'm not sure if it is even useful for Freeipa. One of
> main purposes for Freeipa is SSO and I guess company mail would be
> kerberized too. So if you forget the password, you can't login, reset
> and even access mail. I guess using external mail is not the way to go.
> Maybe it is useful if company uses additional authentication mechanism
> like pin + token or other.
OK.

--
Endi S. Dewata

From edewata at redhat.com Wed Jun 13 17:22:57 2012
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 13 Jun 2012 12:22:57 -0500
Subject: [Freeipa-devel] [PATCH] 158 Separate reset password page
In-Reply-To: <4FD89660.7060002@redhat.com>
References: <4FD22051.7060308@redhat.com> <4FD7CFD6.1040209@redhat.com> <4FD89660.7060002@redhat.com>
Message-ID: <4FD8CC71.7030607@redhat.com>

On 6/13/2012 8:32 AM, Petr Vobornik wrote:
> On 06/13/2012 01:25 AM, Endi Sukma Dewata wrote:
>> On 6/8/2012 10:54 AM, Petr Vobornik wrote:
>>> This patch adds separate reset password page. It is a complement to
>>> separate login page. It differentiates from reset password capabilities
>>> in Web UI's unauthorized dialog by not performing login. This is useful
>>> for users who want only to reset the password and not to use Web UI.
>>> And also for users who are using the separate login page.
>>>
>>> https://fedorahosted.org/freeipa/ticket/2755
>>
>> It also works with mkosek 274-2 (but needs rebase).
>>
>> If the password reset is successful, the page shows a link to the login
>> page, but it also still shows the password reset form. I think it's very
>> unlikely that the user will want to change the password again, so it
>> might be better not to show the form, but provide a link to the form
>> just in case the user needs to do it again.
>
> So after successful reset user will remain on reset_password.html and
> will see something like this:
> http://pvoborni.fedorapeople.org/ux/resetpwd_success.png ?

Yes, I think it looks much cleaner. Also make sure the password fields are cleaned too.

--
Endi S. Dewata

From sbose at redhat.com Wed Jun 13 19:17:26 2012
From: sbose at redhat.com (Sumit Bose)
Date: Wed, 13 Jun 2012 21:17:26 +0200
Subject: [Freeipa-devel] [PATCHES] 22-24 Add initial support for ID ranges
Message-ID: <20120613191726.GI20850@localhost.localdomain>

Hi,

to keep track of the different ranges we use for UIDs/GIDs for local users/groups and users from trusted domains new range objects are introduced which are stored below cn=range,cn=etc,$SUFFIX.

0022: LDAP schema update
0023: Create a range object during installation for the local ID range
0024: add primary and secondary RID base to the local range object during ipa-adtrust-install

bye,
Sumit

-------------- next part --------------
From f9dbf28c52feabeae801d41bd4f69d2eb898a8b0 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Mon, 11 Jun 2012 18:31:36 +0200
Subject: [PATCH] Extend LDAP schema

The objectclass ipaIDobject can be used to reserve local UIDs, GIDs or SIDs for objects that are neither users nor groups.

The ipa*IDRange objectclasses will be used to store the used Posix ID ranges of the local domains (ipaLocalIDrange) or the ranges reserved for AD domains (ipaNTIDrange). To be able to map the Posix IDs to a RID and back the corresponding ranges can be saved here as well.
---
 install/share/60basev3.ldif | 8 ++++++++
 1 Datei geändert, 8 Zeilen hinzugefügt(+)

diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif
index 2c24137b0dc39f215ed0e4b97079ffce0ec630d3..03561d13f45768006eb22e3dc00f41f35944dc56 100644
--- a/install/share/60basev3.ldif
+++ b/install/share/60basev3.ldif
@@ -29,6 +29,10 @@ attributeTypes: ( 2.16.840.1.113730.3.8.11.21 NAME 'ipaAllowToImpersonate' DESC attributeTypes: ( 2.16.840.1.113730.3.8.11.22 NAME 'ipaAllowedTarget' DESC 'Target principals alowed to get a ticket for' SUP distinguishedName X-ORIGIN 'IPA-v3') attributeTypes: (2.16.840.1.113730.3.8.11.30 NAME 'ipaSELinuxUser' DESC 'An SELinux user' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3') attributeTypes: (2.16.840.1.113730.3.8.11.31 NAME 'ipaSshPubKey' DESC 'SSH public key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v3' ) +attributeTypes: (2.16.840.1.113730.3.8.11.33 NAME 'ipaBaseID' DESC 'First value of a Posix ID range' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' ) +attributeTypes: (2.16.840.1.113730.3.8.11.34 NAME 'ipaIDRangeSize' DESC 'Size of a Posix ID range' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' ) +attributeTypes: (2.16.840.1.113730.3.8.11.35 NAME 'ipaBaseRID' DESC 'First value of a RID range' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' ) +attributeTypes: (2.16.840.1.113730.3.8.11.36 NAME 'ipaSecondaryBaseRID' DESC 'First value of a secondary RID range' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup' SUP top STRUCTURAL MUST ( cn ) MAY ( ipaExternalMember $ memberOf $ description $ owner) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.2 NAME 'ipaNTUserAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) MAY ( ipaNTHash $ ipaNTLogonScript $ ipaNTProfilePath $ ipaNTHomeDirectory $ ipaNTHomeDirectoryDrive ) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.3 NAME 
'ipaNTGroupAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' ) @@ -40,3 +44,7 @@ objectClasses: (2.16.840.1.113730.3.8.12.10 NAME 'ipaSELinuxUserMap' SUP ipaAsso objectClasses: (2.16.840.1.113730.3.8.12.11 NAME 'ipaSshGroupOfPubKeys' ABSTRACT MAY ipaSshPubKey X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.12 NAME 'ipaSshUser' SUP ipaSshGroupOfPubKeys AUXILIARY X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.13 NAME 'ipaSshHost' SUP ipaSshGroupOfPubKeys AUXILIARY X-ORIGIN 'IPA v3' ) +objectClasses: (2.16.840.1.113730.3.8.12.14 NAME 'ipaIDobject' SUP top AUXILIARY MAY ( uidNumber $ gidNumber $ ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' ) +objectClasses: (2.16.840.1.113730.3.8.12.15 NAME 'ipaIDrange' ABSTRACT MUST ( cn $ ipaBaseID $ ipaIDRangeSize ) X-ORIGIN 'IPA v3' ) +objectClasses: (2.16.840.1.113730.3.8.12.16 NAME 'ipaDomainIDRange' SUP ipaIDrange STRUCTURAL MAY ( ipaBaseRID $ ipaSecondaryBaseRID ) X-ORIGIN 'IPA v3' ) +objectClasses: (2.16.840.1.113730.3.8.12.17 NAME 'ipaTrustedADDomainRange' SUP ipaIDrange STRUCTURAL MUST ( ipaBaseRID $ ipaNTTrustedDomainSID ) X-ORIGIN 'IPA v3' ) -- 1.7.10.2 -------------- next part -------------- From f4cce6c9952e1429cd0bf404b3b53f22f5f2b45a Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Tue, 12 Jun 2012 11:58:41 +0200 Subject: [PATCH] Add objects for initial ID range --- install/share/bootstrap-template.ldif | 14 ++++++++++++++ install/updates/62-ranges.update | 13 +++++++++++++ install/updates/Makefile.am | 1 + ipaserver/install/dsinstance.py | 1 + 4 Dateien ge?ndert, 29 Zeilen hinzugef?gt(+) create mode 100644 install/updates/62-ranges.update diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif index 149b6c9b29c6fd363eb7baccd9648d49c260ff85..ca74bf6fade5f4e0591ee511f96cc3d58542887d 100644 --- a/install/share/bootstrap-template.ldif +++ b/install/share/bootstrap-template.ldif 
@@ -409,3 +409,17 @@ objectClass: top objectClass: nsContainer cn: usermap +dn: cn=ranges,cn=etc,$SUFFIX +changetype: add +objectClass: top +objectClass: nsContainer +cn: ranges + +dn: cn=local_id_range,cn=ranges,cn=etc,$SUFFIX +changetype: add +objectClass: top +objectClass: ipaIDrange +objectClass: ipaDomainIDRange +cn: local_id_range +ipaBaseID: $IDSTART +ipaIDRangeSize: $IDRANGE_SIZE diff --git a/install/updates/62-ranges.update b/install/updates/62-ranges.update new file mode 100644 index 0000000000000000000000000000000000000000..42c1e2a98b8b64164ae9ae0292aa7b91beac2b26 --- /dev/null +++ b/install/updates/62-ranges.update 
@@ -0,0 +1,13 @@ +dn: cn=schema +add:attributeTypes: (2.16.840.1.113730.3.8.11.33 NAME 'ipaBaseID' DESC 'First value of a Posix ID range' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' ) +add:attributeTypes: (2.16.840.1.113730.3.8.11.34 NAME 'ipaIDRangeSize' DESC 'Size of a Posix ID range' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' ) +add:attributeTypes: (2.16.840.1.113730.3.8.11.35 NAME 'ipaBaseRID' DESC 'First value of a RID range' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' ) +add:attributeTypes: (2.16.840.1.113730.3.8.11.36 NAME 'ipaSecondaryBaseRID' DESC 'First value of a secondary RID range' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' ) +add:objectClasses: (2.16.840.1.113730.3.8.12.15 NAME 'ipaIDrange' ABSTRACT MUST ( cn $$ ipaBaseID $$ ipaIDRangeSize ) X-ORIGIN 'IPA v3' ) +add:objectClasses: (2.16.840.1.113730.3.8.12.16 NAME 'ipaDomainIDRange' SUP ipaIDrange STRUCTURAL MAY ( ipaBaseRID $$ ipaSecondaryBaseRID ) X-ORIGIN 'IPA v3' ) +add:objectClasses: (2.16.840.1.113730.3.8.12.17 NAME 'ipaTrustedADDomainRange' SUP ipaIDrange STRUCTURAL MUST ( ipaBaseRID $$ ipaNTTrustedDomainSID ) X-ORIGIN 'IPA v3' ) + +dn: cn=ranges,cn=etc,$SUFFIX +default: obectClass: top +default: objectClass: nsContainer +default: cn: ranges diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am index 412630e4e6d13167e2c0ae17c54f8ad84a4797fa..e45690f14c41dbd9eb10b5969ee14a257b8c7883 100644 --- a/install/updates/Makefile.am +++ b/install/updates/Makefile.am @@ -35,6 +35,7 @@ app_DATA = \ 55-pbacmemberof.update \ 60-trusts.update \ 61-trusts-s4u2proxy.update \ + 62-ranges.update \ $(NULL) EXTRA_DIST = \ 
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index fb620a82e0d432d50e6c40ab8a7053ced153965a..93c6b50c274506949d1cdb81ad952141de10dab1 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -313,6 +313,7 @@ class DsInstance(service.Service): IDMAX=self.idmax, HOST=self.fqdn, ESCAPED_SUFFIX= escape_dn_chars(self.suffix.lower()), GROUP=DS_GROUP, + IDRANGE_SIZE=self.idmax-self.idstart+1 ) def __create_ds_user(self): -- 1.7.10.2 -------------- next part -------------- From cfef8f1f1f24e682bbd7851715ff195cf8bf5b59 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Tue, 12 Jun 2012 17:53:36 +0200 Subject: [PATCH] Set RID bases for local domain during ipa-adtrust-install --- install/tools/ipa-adtrust-install | 9 ++++++- ipaserver/install/adtrustinstance.py | 48 +++++++++++++++++++++++++++++++++- 2 Dateien ge?ndert, 55 Zeilen hinzugef?gt(+), 2 Zeilen entfernt(-) diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install index c0b477102462e128400436f52d2f78b092f5272d..c104b5113c16acec09d88a665f56bbb10ede4ed1 100755 --- a/install/tools/ipa-adtrust-install +++ b/install/tools/ipa-adtrust-install @@ -48,6 +48,12 @@ def parse_options(): parser.add_option("--no-msdcs", dest="no_msdcs", action="store_true", default=False, help="Do not create DNS service records " \ "for Windows in managed DNS server") + parser.add_option("--rid-base", dest="rid_base", type=int, default=1000, + help="Start value for mapping UIDs and GIDs to RIDs") + parser.add_option("--secondary-rid-base", dest="secondary_rid_base", + type=int, default=100000000, + help="Start value of the secondary range for mapping " \ + "UIDs and GIDs to RIDs") parser.add_option("-U", "--unattended", dest="unattended", action="store_true", default=False, help="unattended installation never prompts the user") 
@@ -207,7 +213,8 @@ def main(): api.Backend.ldap2.connect(ccache) smb.setup(api.env.host, ip_address, api.env.realm, api.env.domain, - netbios_name, options.no_msdcs) + netbios_name, options.rid_base, options.secondary_rid_base, + options.no_msdcs) smb.create_instance() print "==============================================================================" diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py index 0e9e9ef245a0897dfee9bcb0940d0de35c1bfd61..43a2790831c9e941380c9ce705cc5dc441b4538b 100644 --- a/ipaserver/install/adtrustinstance.py +++ b/ipaserver/install/adtrustinstance.py @@ -114,6 +114,8 @@ class ADTRUSTInstance(service.Service): self.cifs_principal = None self.cifs_agent = None self.selinux_booleans = None + self.rid_base = None + self.secondary_rid_base = None service.Service.__init__(self, "smb", dm_password=dm_password) 
@@ -174,6 +176,47 @@ class ADTRUSTInstance(service.Service): except: print "Failed to modify IPA admin group object" + def __add_rid_bases(self): + """ + Add RID bases to the range object for the local ID range. + + TODO: handle missing or multiple ranges more gracefully. + """ + + try: + res = self.admin_conn.search_s("cn=ranges,cn=etc,"+self.suffix, + ldap.SCOPE_ONELEVEL, + "(objectclass=ipaDomainIDRange)") + if len(res) != 1: + root_logger.critical("Found more than one ID range for the " \ + "local domain.") + raise RuntimeError("Too many ID ranges\n") + + if res[0].getValue('ipaBaseRID') or \ + res[0].getValue('ipaSecondaryBaseRID'): + print "RID bases already set, nothing to do" + return + + size = res[0].getValue('ipaIDRangeSize') + if abs(self.rid_base - self.secondary_rid_base) > size: + print "Primary and secondary RID base are too close. " \ + "They have to differ at least by %d." % size + raise RuntimeError("RID bases too close.\n") + + try: + self.admin_conn.modify_s(res[0].dn, + [(ldap.MOD_ADD, "ipaBaseRID", \ + str(self.rid_base)), \ + (ldap.MOD_ADD, "ipaSecondaryBaseRID", \ + str(self.secondary_rid_base))]) + except: + print "Failed to add RID bases to the local range object" + + except errors.NotFound as e: + root_logger.critical("ID range of the local domain not found, " \ + "define it and run again.") + raise e + def __create_samba_domain_object(self): try: @@ -402,12 +445,14 @@ class ADTRUSTInstance(service.Service): FQDN = self.fqdn) def setup(self, fqdn, ip_address, realm_name, domain_name, netbios_name, - no_msdcs=False, smbd_user="samba"): + rid_base, secondary_rid_base, no_msdcs=False, smbd_user="samba"): self.fqdn = fqdn self.ip_address = ip_address self.realm_name = realm_name self.domain_name = domain_name self.netbios_name = netbios_name + self.rid_base = rid_base + self.secondary_rid_base = secondary_rid_base self.no_msdcs = no_msdcs self.smbd_user = smbd_user self.suffix = ipautil.realm_to_suffix(self.realm_name) 
@@ -440,6 +485,7 @@ class ADTRUSTInstance(service.Service): self.step("writing samba config file", self.__write_smb_conf) self.step("adding cifs Kerberos principal", self.__setup_principal) self.step("adding admin(group) SIDs", self.__add_admin_sids) + self.step("adding RID bases", self.__add_rid_bases) self.step("activating CLDAP plugin", self.__add_cldap_module) self.step("activating extdom plugin", self.__add_extdom_module) self.step("configuring smbd to start on boot", self.__enable) -- 1.7.10.2 From rcritten at redhat.com Wed Jun 13 20:14:24 2012 
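Review bot: In the 60basev3.ldif attributeTypes hunk, ipaBaseID and ipaIDRangeSize are defined with EQUALITY integerMatch only, while ipaBaseRID and ipaSecondaryBaseRID also carry ORDERING integerOrderingMatch. Any lookup of "the range that contains ID x" needs a filter such as (ipaBaseID<=x), which the directory server can only evaluate when an ordering rule is defined, so add ORDERING integerOrderingMatch to both. The same four definitions are repeated in 62-ranges.update and need the identical change.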
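Review bot: In the 60basev3.ldif objectClasses hunk, the commit message still talks about ipaLocalIDrange and ipaNTIDrange, but the classes actually added are ipaDomainIDRange and ipaTrustedADDomainRange; update the message to match the hunk. The abstract class is spelled 'ipaIDrange' while its attribute is 'ipaIDRangeSize' and both subclasses end in 'IDRange'; the server compares these case-insensitively, but bootstrap-template.ldif and the Python code spell the name by hand, so settle on one casing before it spreads.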
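Review bot: In the bootstrap-template.ldif hunk the cn=local_id_range entry is only created on a fresh install; 62-ranges.update creates the empty cn=ranges container but no range entry, so an upgraded server has no ipaDomainIDRange and __add_rid_bases in the third patch will end in the errors.NotFound branch or the len(res) != 1 branch. The update file should create the local range entry as well (with ipaBaseID and ipaIDRangeSize derived from the existing idstart/idmax configuration), which is also Simo's NACK on 0023. The container is cn=ranges here while the cover letter says cn=range; the code searches cn=ranges, so the cover letter is the one to correct.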
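Review bot: In the 62-ranges.update hunk, "default: obectClass: top" misspells objectClass, so the updater will try to add an unknown attribute named obectClass to cn=ranges and the entry will either be rejected by schema checking or end up without the top class. Change it to "default: objectClass: top".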
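Review bot: In the ipa-adtrust-install parse_options hunk, --rid-base and --secondary-rid-base accept any int, including negative, zero or identical values, and the only check (the size comparison in __add_rid_bases) runs after the samba config has been written and the cifs principal added, per the step order in the last hunk. Validate in parse_options that both values are non-negative and distinct so a bad invocation fails before those side effects; the range-size check can stay where the range entry is known.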
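Review bot: In the __add_rid_bases hunk the "too close" test is wrong in two ways. size comes back from getValue('ipaIDRangeSize') as a string, and on Python 2 an int always compares as smaller than a str, so `abs(self.rid_base - self.secondary_rid_base) > size` is never true; wrap it in int(). Even with an int the comparison is inverted: two ranges of `size` RIDs collide when the bases differ by less than size, so the condition should be `if abs(self.rid_base - self.secondary_rid_base) < size:`. Two smaller points in the same hunk: the len(res) != 1 branch logs "Found more than one ID range" when zero were found, and the inner bare `except:` around modify_s prints a message and returns normally, so a failed modify leaves the installer reporting success; catch ldap.LDAPError and re-raise so the step fails.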
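Review bot: In the setup() hunk, rid_base and secondary_rid_base are inserted as required positional parameters ahead of no_msdcs, so any caller still passing no_msdcs positionally would now pass it as rid_base without any error. Giving the new parameters keyword defaults (rid_base=None, secondary_rid_base=None) or placing them after the existing optional parameters avoids the silent shift; ipa-adtrust-install is updated in this series, but no other callers are shown in the diff.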
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 13 Jun 2012 16:14:24 -0400
Subject: [Freeipa-devel] [PATCH] 1024 add client session support
In-Reply-To: <4FD8AEE5.60002@redhat.com>
References: <4FD0EA6B.3040801@redhat.com> <4FD0F9DD.6040504@redhat.com> <4FD169B7.3030906@redhat.com> <1339433382.19118.43.camel@balmora.brq.redhat.com> <4FD74E13.4050506@redhat.com> <4FD78608.4060009@redhat.com> <1339571990.2965.11.camel@balmora.brq.redhat.com> <4FD8AEE5.60002@redhat.com>
Message-ID: <4FD8F4A0.6070705@redhat.com>

Rob Crittenden wrote:
> Martin Kosek wrote:
>> On Tue, 2012-06-12 at 14:10 -0400, Rob Crittenden wrote:
>>> Petr Viktorin wrote:
>>>> On 06/11/2012 06:49 PM, Martin Kosek wrote:
>>>>> On Thu, 2012-06-07 at 22:55 -0400, Rob Crittenden wrote:
>>>>>> Rob Crittenden wrote:
>>>>>>> Rob Crittenden wrote:
>>>>>>>> This adds client session support. The session key is stored in the
>>>>>>>> kernel key ring.
>>>>>>>>
>>>>>>>> Your first request should go to /ipa/session/xml where it should be
>>>>>>>> rejected with a 401. The next will go to /ipa/xml which will be
>>>>>>>> accepted. This should all be invisible to the client.
>>>>>>>>
>>>>>>>> Subsequent requests should go to /ipa/session/xml which should
>>>>>>>> let you in with the cookie.
>>>>>>>>
>>>>>>>> You can add the -vv option after ipa to see fully what is going on,
>>>>>>>> e.g.
>>>>>>>> ipa -vv user-show admin
>>>>>>>>
>>>>>>>> To manage your keyring use the keyctl command like:
>>>>>>>>
>>>>>>>> $ keyctl list @s
>>>>>>>> 2 keys in keyring:
>>>>>>>> 353548226: --alswrv 1000 -1 keyring: _uid.1000
>>>>>>>> 941350591: --alswrv 1000 1000 user: ipa_session_cookie
>>>>>>>>
>>>>>>>> To remove a key:
>>>>>>>>
>>>>>>>> $ keyctl unlink 941350591 @s
>>>>>>>>
>>>>>>>> rob
>>>>>>>
>>>>>>> Hmm, this doesn't play too nice with the lite-server. Let me see
>>>>>>> if I can track it down. The ccache is being removed, probably as
>>>>>>> part of the session code.
>>>>>>> Sessions don't make sense with the lite server since it
>>>>>>> uses the local ccache directly.
>>>>>>
>>>>>> Updated patch. Don't clean up the ccache if in the lite-server.
>>>>>>
>>>>>> rob
>>>>>>
>>>>>
>>>>> Good job there. I tested various scenarios (2 master, fallback with
>>>>> SRV records, old client (RHEL 6.2)) and most worked for me, but I
>>>>> only worked under the root account. This is what I got with non-root:
>>>>>
>>>>> $ ipa user-show admin
>>>>> ...
>>>>> ipa: DEBUG: stderr=
>>>>> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie
>>>>> ipa: DEBUG: stdout=113632397
>>>>>
>>>>> ipa: DEBUG: stderr=
>>>>> ipa: DEBUG: args=keyctl pupdate 113632397
>>>>> ipa: DEBUG: stdout=
>>>>> ipa: DEBUG: stderr=keyctl_update: Permission denied
>>>>> ipa: INFO: trying
>>>>> https://vm-131.idm.lab.bos.redhat.com/ipa/session/xml
>>>>> ipa: DEBUG: NSSConnection init vm-131.idm.lab.bos.redhat.com
>>>>> ipa: ERROR: cannot connect to 'any of the configured servers': ...
>>>>>
>>>>> Shouldn't we use @us instead of @s for storing user session keys?
>>>>>
>>>>>
>>>>> Secondly, I wonder if we also plan to add some logout command? This
>>>>> way even if I do kdestroy, the session still exists and someone else
>>>>> may still execute commands.
>>>>>
>>>>> Martin
>>>>
>>>> Also: keyctl is in the keyutils package, which we need to depend on.
>>>>
>>>
>>> Nice catch, updated patch.
>>
>> Thanks. It just needs rebasing (conflicts with pushed password change
>> capability).
>>
>>>
>>> I also included a bit more about why I chose @s instead of @us.
>>> Basically it is so a different shell can have a different session and
>>> therefore a different identity.
>>
>> Hm, personally I am not sure why I would want to have two different
>> identities in different shells, maybe for custom scripts?
>>
>> There is a disadvantage for using @s over @us though. This use case will
>> fail:
>>
>> # kinit admin
>> Password for admin at IDM.LAB.BOS.REDHAT.COM:
>> # ipa user-show admin
>> User login: admin
>> Last name: Administrator
>> Home directory: /home/admin
>> Login shell: /bin/bash
>> UID: 384000000
>> GID: 384000000
>> Account disabled: False
>> Password: True
>> Member of groups: admins, trust admins
>> Kerberos keys available: True
>>
>> # su admin
>> $ kinit admin
>> Password for admin at IDM.LAB.BOS.REDHAT.COM:
>> $ ipa user-show admin
>> ipa: ERROR: cannot connect to 'any of the configured servers':
>> https://vm-021.idm.lab.bos.redhat.com/ipa/session/xml,
>> https://vm-131.idm.lab.bos.redhat.com/ipa/session/xml
>>
>> This fails because the session under "su" does not have permission to
>> update the key. Btw this worked for me when I used @us instead of @s.
>
> I think a more likely use case is where you are logged in as yourself
> and you want to keep that TGT but want to do some administrative work as
> admin.
>
> $ export KRB5CCNAME=/tmp/my_cc
> $ kinit admin
> $ ipa user-mod ...
>
> If you use @us then this new ccache isn't used at all, the original
> session is.
>
> If you use @s then this new ccache is used as expected.
>
>>
>>>
>>> I'm going to open a ticket for the logout. For the short-term one can do
>>> something like:
>>>
>>> $ keyctl purge user
>>>
>>> Or more precisely:
>>>
>>> $ keyctl list @s
>>> 2 keys in keyring:
>>> 353548226: --alswrv 1000 -1 keyring: _uid.1000
>>> 207626975: --alswrv 1000 1000 user: ipa_session_cookie
>>> $ keyctl unlink 207626975
>>> 1 links removed
>>
>> Ok, I think this is fine for now.
>>
>> Martin

Rebased patch

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-1024-4-session.patch
Type: text/x-diff
Size: 27932 bytes
Desc: not available
URL:

From rcritten at redhat.com Wed Jun 13 21:40:04 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 13 Jun 2012 17:40:04 -0400
Subject: [Freeipa-devel] [PATCH] 0062 Don't crash when server returns extra output
In-Reply-To: <4FD73869.6020503@redhat.com>
References: <4FD7240A.5040400@redhat.com> <1339504707.8230.577.camel@willson.li.ssimo.org> <4FD73869.6020503@redhat.com>
Message-ID: <4FD908B4.9050407@redhat.com>

Petr Viktorin wrote:
> On 06/12/2012 02:38 PM, Simo Sorce wrote:
>> On Tue, 2012-06-12 at 13:12 +0200, Petr Viktorin wrote:
>>> This will make older clients usable if new output items get added to
>>> commands.
>>>
>>> Since there might be important information in the extra output, it's not
>>> ignored as the ticket asks. Instead it's printed, but not formatted
>>> nicely as the client doesn't have enough info for that.
>>>
>>> https://fedorahosted.org/freeipa/ticket/1721
>>
>> Patch is missing.
>>
>> Simo.
>>
>
> My apologies

I'd replace the print_line with print_indented so the output looks a little nicer.

This sure does make an impression. It looks something like this (with print_indented):

$ ipa user-show admin
User login: admin
Last name: Administrator
Home directory: /home/admin
Login shell: /bin/bash
UID: 1872200000
GID: 1872200000
Account disabled: False
Password: True
Member of groups: admins, trust admins
Kerberos keys available: True
------------------------------
Unexpected output from server:
------------------------------
new: new

It's hard to argue with this as being descriptive, it just seems a bit overbearing. I have a couple of ideas on this.

1. We could detect and suppress unexpected output by default and include a note at the end, something like:

Unexpected output suppressed, use --all to show.

2. Replace the print_dashed with print_line and embed a \n in the value so it would look like:

$ ipa user-show admin
User login: admin
Last name: Administrator
Home directory: /home/admin
Login shell: /bin/bash
UID: 1872200000
GID: 1872200000
Account disabled: False
Password: True
Member of groups: admins, trust admins
Kerberos keys available: True

Unexpected output from server:
new: new

I think we'll need to document this somewhere in any case, explaining how this situation can happen. I think it could be very confusing.

Functionally it works pretty well.

rob

From rcritten at redhat.com Wed Jun 13 22:05:59 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 13 Jun 2012 18:05:59 -0400
Subject: [Freeipa-devel] [PATCH] 275 Do not crash in Decimal parameter conversion
In-Reply-To: <1339598941.2965.39.camel@balmora.brq.redhat.com>
References: <1339062486.7369.3.camel@balmora.brq.redhat.com> <4FD165BB.7030604@redhat.com> <1339598941.2965.39.camel@balmora.brq.redhat.com>
Message-ID: <4FD90EC7.1060603@redhat.com>

Martin Kosek wrote:
> On Thu, 2012-06-07 at 22:38 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> When invalid data is passed, an unhandled decimal exception could
>>> be raised in Decimal number conversion. Handle the exception
>>> more gracefully and report proper ipalib.errors.ConversionError.
>>>
>>> https://fedorahosted.org/freeipa/ticket/2705
>>
>> I'm being pedantic but I think the Decimal special values need to be
>> handled better. Using Infinity returns a rather odd message:
>>
>> $ ipa dnsrecord-add example.com
>> Record name: foo
>> Please choose a type of DNS resource record to be added
>> The most common types for this type of zone are: A, AAAA
>>
>> DNS resource record type: LOC
>> LOC Degrees Latitude: 90
>> [LOC Minutes Latitude]: 59
>> [LOC Seconds Latitude]:
>> 999999999999999999999999999999999999999999999999999999999999999999999
>> >>> LOC Seconds Latitude: quantize result has too many digits for
>> current context
>> [LOC Seconds Latitude]: Infinity
>> >>> LOC Seconds Latitude: quantize with one INF
>>
>> And using NaN raises an unhandled exception:
>>
>> [LOC Seconds Latitude]: NaN
>> ipa: ERROR: InvalidOperation: comparison involving NaN
>> Traceback (most recent call last):
>> File "/home/rcrit/redhat/freeipa/ipalib/cli.py", line 1263, in run
>> sys.exit(api.Backend.cli.run(argv))
>> File "/home/rcrit/redhat/freeipa/ipalib/cli.py", line 1049, in run
>> kw = self.argv_to_keyword_arguments(cmd, argv[1:])
>> File "/home/rcrit/redhat/freeipa/ipalib/cli.py", line 1035, in argv_to_keyword_arguments
>> self.prompt_interactively(cmd, kw)
>> File "/home/rcrit/redhat/freeipa/ipalib/cli.py", line 1199, in prompt_interactively
>> callback(kw)
>> File "/home/rcrit/redhat/freeipa/ipalib/plugins/dns.py", line 2147, in interactive_prompt_callback
>> user_options = param.prompt_parts(self.Backend)
>> File "/home/rcrit/redhat/freeipa/ipalib/plugins/dns.py", line 768, in prompt_parts
>> self.__get_part_param(backend, part, user_options, default)
>> File "/home/rcrit/redhat/freeipa/ipalib/plugins/dns.py", line 747, in __get_part_param
>> output_kw[name] = part(raw)
>> File "/home/rcrit/redhat/freeipa/ipalib/parameters.py", line 556, in __call__
>> self.validate(value, supplied=self.name in kw)
>> File "/home/rcrit/redhat/freeipa/ipalib/parameters.py", line 879, in validate
>> self._validate_scalar(value)
>> File "/home/rcrit/redhat/freeipa/ipalib/parameters.py", line 893, in _validate_scalar
>> error = rule(ugettext, value)
>> File "/home/rcrit/redhat/freeipa/ipalib/parameters.py", line 1244, in _rule_minvalue
>> if value< self.minvalue:
>> File "/usr/lib64/python2.7/decimal.py", line 884, in __lt__
>> ans = self._compare_check_nans(other, context)
>> File "/usr/lib64/python2.7/decimal.py", line 786, in _compare_check_nans
>> self)
>> File "/usr/lib64/python2.7/decimal.py", line 3866, in _raise_error
>> raise error(explanation)
>> InvalidOperation: comparison involving NaN
>> ipa: ERROR: an internal error has occurred
>>
>> Otherwise it does what it should.
>>
>> rob
>
> Thanks for being pedantic, I found out that Decimal number validation
> and normalization needs more care, dnsrecord-add would also fail with
> values such as "1E4" or "-0".
>
> Attached patch improves Decimal number validation a lot and adds
> optional exponent normalization. I also added missing tests for all
> Decimal Parameter attributes.
>
> Martin

Getting some lint errors. Ran out of time to investigate but it's strange because AFAICT these are members.

ipalib/parameters.py:1266: [E1101, Decimal._enforce_numberclass] Instance of 'Decimal' has no 'numberclass' member
ipalib/parameters.py:1271: [E1101, Decimal._enforce_numberclass] Instance of 'Decimal' has no 'numberclass' member
ipalib/parameters.py:1288: [E1101, Decimal._remove_exponent] Instance of 'Decimal' has no 'exponential' member

From simo at redhat.com Thu Jun 14 00:30:47 2012
From: simo at redhat.com (Simo Sorce)
Date: Wed, 13 Jun 2012 20:30:47 -0400
Subject: [Freeipa-devel] [PATCHES] 22-24 Add initial support for ID ranges
In-Reply-To: <20120613191726.GI20850@localhost.localdomain>
References: <20120613191726.GI20850@localhost.localdomain>
Message-ID: <1339633847.8230.629.camel@willson.li.ssimo.org>

On Wed, 2012-06-13 at 21:17 +0200, Sumit Bose wrote:
> The ipa*IDRange objectclasses will be used to store the used Posix ID
> ranges of the local domains (ipaLocalIDrange) or the ranges reserved
> for AD domains (ipaNTIDrange). To be able to map the Posix IDs to a
> RID and back the corresponding ranges can be saved here as well.
>

The commit comment needs fixing, we renamed the objectclasses in the last revision :)

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From simo at redhat.com Thu Jun 14 00:38:23 2012
From: simo at redhat.com (Simo Sorce)
Date: Wed, 13 Jun 2012 20:38:23 -0400
Subject: [Freeipa-devel] [PATCHES] 22-24 Add initial support for ID ranges
In-Reply-To: <20120613191726.GI20850@localhost.localdomain>
References: <20120613191726.GI20850@localhost.localdomain>
Message-ID: <1339634303.8230.634.camel@willson.li.ssimo.org>

On Wed, 2012-06-13 at 21:17 +0200, Sumit Bose wrote:
>
> to keep track of the different ranges we use for UIDs/GIDs for local
> users/groups and users from trusted domains new range objects are
> introduced which are stored below cn=range,cn=etc,$SUFFIX.
>
> 0022: LDAP schema update

ack

> 0023: Create a range object during installation for the local ID range

nack, I think we need to find a way to handle adding at least the base range on update. Otherwise an updated server won't be able to have IDs for most of its users.

> 0024: add primary and secondary RID base to the local range object
> during ipa-adtrust-install

Not sure if setting the range belongs in the previous patch or this one. We might decide to ask questions during ipa-adtrust-install if the range is not available, maybe presenting a set of pre-canned choices if we can detect them.

Finally I think we need to do a search with uid/gidNumber < base and uid/gidNumber > max and prompt/warn the user if we detect any ID that falls outside the configured range (either because we failed to detect ranges on upgrade and the user botched the question or because the admin added arbitrary IDs). If a warning, we should warn that without a range that suitably covers these IDs, those users/groups will not be available for the trust.

Maybe we should also have a simple ipa command that can list all users/groups that fall outside the ranges as well.

Simo.

>

--
Simo Sorce * Red Hat, Inc * New York

From mkosek at redhat.com Thu Jun 14 06:27:16 2012
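The two checks Simo asks for in the message above (RID bases far enough apart that the primary and secondary RID ranges cannot collide, and a listing of every uidNumber/gidNumber that no configured range covers), written out as an added Python example. This is not code from Sumit's patches or from FreeIPA: the IDRange tuple is a stand-in for the ipaDomainIDRange attributes, the linear POSIX-id-to-RID mapping in posix_to_rid is an assumption about how the RID bases are meant to be used, and the range values and LDAP entries are constructed sample data.

```python
from collections import namedtuple

# Added example, not part of the patches or of FreeIPA.  Stand-in for one
# ipaDomainIDRange entry: ipaBaseID, ipaIDRangeSize, ipaBaseRID and
# ipaSecondaryBaseRID.  size follows the patch: idmax - idstart + 1.
IDRange = namedtuple("IDRange",
                     "name base_id size base_rid secondary_base_rid")


def range_contains(rng, posix_id):
    """True if posix_id falls inside [base_id, base_id + size)."""
    return rng.base_id <= posix_id < rng.base_id + rng.size


def rid_bases_compatible(base_rid, secondary_base_rid, size):
    """Each RID range holds `size` RIDs, so the two only avoid overlapping
    when their bases are at least `size` apart.  The bases are too close
    when the distance is *smaller* than size, not larger."""
    return abs(base_rid - secondary_base_rid) >= size


def posix_to_rid(rng, posix_id, secondary=False):
    """Assumed linear mapping (not taken from the patch): the offset of the
    POSIX id inside its range is added to the primary or secondary RID base."""
    if not range_contains(rng, posix_id):
        raise ValueError("%d is outside range %s" % (posix_id, rng.name))
    base = rng.secondary_base_rid if secondary else rng.base_rid
    if base is None:
        raise ValueError("RID base not configured on range %s" % rng.name)
    return base + (posix_id - rng.base_id)


def rid_to_posix(rng, rid):
    """Inverse of posix_to_rid: try the primary base, then the secondary."""
    for base in (rng.base_rid, rng.secondary_base_rid):
        if base is not None and base <= rid < base + rng.size:
            return rng.base_id + (rid - base)
    raise ValueError("RID %d does not belong to range %s" % (rid, rng.name))


def ids_outside_ranges(entries, ranges):
    """List every uidNumber/gidNumber that no configured range covers.
    `entries` are dicts with string attribute values, as an LDAP search
    would return them."""
    uncovered = []
    for entry in entries:
        for attr in ("uidNumber", "gidNumber"):
            if attr not in entry:
                continue
            value = int(entry[attr])
            if not any(range_contains(rng, value) for rng in ranges):
                uncovered.append((entry["dn"], attr, value))
    return uncovered


# Constructed sample data (assumed values, not from a real deployment).
LOCAL_RANGE = IDRange("local_id_range", base_id=384000000, size=200000,
                      base_rid=1000, secondary_base_rid=100000000)

SAMPLE_ENTRIES = [
    {"dn": "uid=admin,cn=users,cn=accounts,dc=example,dc=com",
     "uidNumber": "384000000", "gidNumber": "384000000"},
    {"dn": "uid=legacy,cn=users,cn=accounts,dc=example,dc=com",
     "uidNumber": "500", "gidNumber": "384000001"},
    {"dn": "cn=wheel,cn=groups,cn=accounts,dc=example,dc=com",
     "gidNumber": "10"},
]


def audit_ranges(ranges=(LOCAL_RANGE,), entries=SAMPLE_ENTRIES):
    """Return the warnings an installer could print: colliding RID bases
    and IDs that no range covers."""
    warnings = []
    for rng in ranges:
        if (rng.base_rid is not None and rng.secondary_base_rid is not None
                and not rid_bases_compatible(rng.base_rid,
                                             rng.secondary_base_rid,
                                             rng.size)):
            warnings.append("%s: RID bases must differ by at least %d"
                            % (rng.name, rng.size))
    for dn, attr, value in ids_outside_ranges(entries, ranges):
        warnings.append("%s: %s=%d is outside every configured range and "
                        "will not be usable for the trust" % (dn, attr, value))
    return warnings


if __name__ == "__main__":
    for line in audit_ranges():
        print(line)
```

Run stand-alone it prints the two uncovered IDs from the sample entries; an installer would feed it the ranges read from cn=ranges,cn=etc,$SUFFIX and the result of a uidNumber/gidNumber search instead.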
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 14 Jun 2012 08:27:16 +0200 Subject: [Freeipa-devel] [PATCH] 275 Do not crash in Decimal parameter conversion In-Reply-To: <4FD90EC7.1060603@redhat.com> References: <1339062486.7369.3.camel@balmora.brq.redhat.com> <4FD165BB.7030604@redhat.com> <1339598941.2965.39.camel@balmora.brq.redhat.com> <4FD90EC7.1060603@redhat.com> Message-ID: <1339655236.2062.5.camel@balmora.brq.redhat.com> On Wed, 2012-06-13 at 18:05 -0400, Rob Crittenden wrote: > Martin Kosek wrote: > > On Thu, 2012-06-07 at 22:38 -0400, Rob Crittenden wrote: > >> Martin Kosek wrote: > >>> When invalid data is passed, an unhandled decimal exception could > >>> be raised in Decimal number conversion. Handle the exception > >>> more gracefully and report proper ipalib.errors.ConversionError. > >>> > >>> https://fedorahosted.org/freeipa/ticket/2705 > >> > >> I'm being pedantic but I think the Decimal special values need to be > >> handled better. Using Infinity returns a rather odd message: > >> > >> $ ipa dnsrecord-add example.com > >> Record name: foo > >> Please choose a type of DNS resource record to be added > >> The most common types for this type of zone are: A, AAAA > >> > >> DNS resource record type: LOC > >> LOC Degrees Latitude: 90 > >> [LOC Minutes Latitude]: 59 > >> [LOC Seconds Latitude]: > >> 999999999999999999999999999999999999999999999999999999999999999999999 > >> >>> LOC Seconds Latitude: quantize result has too many digits for > >> current context > >> [LOC Seconds Latitude]: Infinity > >> >>> LOC Seconds Latitude: quantize with one INF > >> > >> And using NaN raises an unhandled exception: > >> > >> [LOC Seconds Latitude]: NaN > >> ipa: ERROR: InvalidOperation: comparison involving NaN > >> Traceback (most recent call last): > >> File "/home/rcrit/redhat/freeipa/ipalib/cli.py", line 1263, in run > >> sys.exit(api.Backend.cli.run(argv)) > >> File "/home/rcrit/redhat/freeipa/ipalib/cli.py", line 1049, in run > >> kw = 
self.argv_to_keyword_arguments(cmd, argv[1:]) > >> File "/home/rcrit/redhat/freeipa/ipalib/cli.py", line 1035, in > >> argv_to_keyword_arguments > >> self.prompt_interactively(cmd, kw) > >> File "/home/rcrit/redhat/freeipa/ipalib/cli.py", line 1199, in > >> prompt_interactively > >> callback(kw) > >> File "/home/rcrit/redhat/freeipa/ipalib/plugins/dns.py", line 2147, > >> in interactive_prompt_callback > >> user_options = param.prompt_parts(self.Backend) > >> File "/home/rcrit/redhat/freeipa/ipalib/plugins/dns.py", line 768, in > >> prompt_parts > >> self.__get_part_param(backend, part, user_options, default) > >> File "/home/rcrit/redhat/freeipa/ipalib/plugins/dns.py", line 747, in > >> __get_part_param > >> output_kw[name] = part(raw) > >> File "/home/rcrit/redhat/freeipa/ipalib/parameters.py", line 556, in > >> __call__ > >> self.validate(value, supplied=self.name in kw) > >> File "/home/rcrit/redhat/freeipa/ipalib/parameters.py", line 879, in > >> validate > >> self._validate_scalar(value) > >> File "/home/rcrit/redhat/freeipa/ipalib/parameters.py", line 893, in > >> _validate_scalar > >> error = rule(ugettext, value) > >> File "/home/rcrit/redhat/freeipa/ipalib/parameters.py", line 1244, in > >> _rule_minvalue > >> if value< self.minvalue: > >> File "/usr/lib64/python2.7/decimal.py", line 884, in __lt__ > >> ans = self._compare_check_nans(other, context) > >> File "/usr/lib64/python2.7/decimal.py", line 786, in _compare_check_nans > >> self) > >> File "/usr/lib64/python2.7/decimal.py", line 3866, in _raise_error > >> raise error(explanation) > >> InvalidOperation: comparison involving NaN > >> ipa: ERROR: an internal error has occurred > >> > >> Otherwise it does what it should. > >> > >> rob > > > > Thanks for being pedantic, I found out that Decimal number validation > > and normalization needs more care, dnsrecord-add would also fail with > > values such as "1E4" or "-0". 
> > > > Attached patch improves Decimal number validation a lot and adds > > optional exponent normalization. I also added missing tests for all > > Decimal Parameter attributes. > > > > Martin > > Getting some lint errors. Ran out of time to investigate but it's strange > because AFAICT these are members. > > ipalib/parameters.py:1266: [E1101, Decimal._enforce_numberclass] > Instance of 'Decimal' has no 'numberclass' member > ipalib/parameters.py:1271: [E1101, Decimal._enforce_numberclass] > Instance of 'Decimal' has no 'numberclass' member > ipalib/parameters.py:1288: [E1101, Decimal._remove_exponent] Instance of > 'Decimal' has no 'exponential' member > I assume you run this lint: # ./make-lint ipalib/parameters.py This produces a lot of false positive lint errors... But if you run lint for the entire project, my patches will pass: # git apply /home/mkosek/freeipa-mkosek-275-2-decimal-parameter-conversion-and-normalization.patch # ./make-lint # That's why 275-2 includes a change for make-lint to not report these new attributes: diff --git a/make-lint b/make-lint index 7ecd59d7e8c5a644f812d4b8987866e7d06236b5..30c5e00c1f0606c75ff1f7fec675ff673a6b87a0 100755 --- a/make-lint +++ b/make-lint @@ -61,7 +61,8 @@ class IPATypeChecker(TypeChecker): 'csv', 'csv_separator', 'csv_skipspace'], 'ipalib.parameters.Bool': ['truths', 'falsehoods'], 'ipalib.parameters.Int': ['minvalue', 'maxvalue'], - 'ipalib.parameters.Decimal': ['minvalue', 'maxvalue', 'precision'], + 'ipalib.parameters.Decimal': ['minvalue', 'maxvalue', 'precision', + 'numberclass', 'exponential'], 'ipalib.parameters.Data': ['minlength', 'maxlength', 'length', 'pattern', 'pattern_errmsg'], 'ipalib.parameters.Enum': ['values'], Bottom line - I do not think there is a lint problem with my patch :-) Martin From pviktori at redhat.com Thu Jun 14 08:51:58 2012
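Review bot: the make-lint hunk whitelists 'numberclass' and 'exponential' for ipalib.parameters.Decimal in IPATypeChecker by name only, so a single-file run like './make-lint ipalib/parameters.py' would also stay silent if either attribute were later misspelled inside Decimal._enforce_numberclass or Decimal._remove_exponent; a short comment at that entry saying the names are the kwargs Decimal declares (alongside 'minvalue', 'maxvalue', 'precision'), and a line in the commit message explaining that pylint cannot see kwarg-backed attributes, would make the suppression easier to audit.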
From: pviktori at redhat.com (Petr Viktorin) Date: Thu, 14 Jun 2012 10:51:58 +0200 Subject: [Freeipa-devel] [PATCH] 0062 Don't crash when server returns extra output In-Reply-To: <4FD908B4.9050407@redhat.com> References: <4FD7240A.5040400@redhat.com> <1339504707.8230.577.camel@willson.li.ssimo.org> <4FD73869.6020503@redhat.com> <4FD908B4.9050407@redhat.com> Message-ID: <4FD9A62E.5050309@redhat.com> On 06/13/2012 11:40 PM, Rob Crittenden wrote: > Petr Viktorin wrote: >> On 06/12/2012 02:38 PM, Simo Sorce wrote: >>> On Tue, 2012-06-12 at 13:12 +0200, Petr Viktorin wrote: >>>> This will make older clients usable if new output items get added to >>>> commands. >>>> >>>> Since there might be important information in the extra output, it's >>>> not >>>> ignored as the ticket asks. Instead it's printed, but not formatted >>>> nicely as the client doesn't have enough info for that. >>>> >>>> https://fedorahosted.org/freeipa/ticket/1721 >>> >>> Patch is missing. >>> >>> Simo. >>> >> >> My apologies > > I'd replace the print_line with print_indented so the output looks a > little nicer. > > This sure does make an impression. It looks something like this (with > print_indented): > > $ ipa user-show admin > User login: admin > Last name: Administrator > Home directory: /home/admin > Login shell: /bin/bash > UID: 1872200000 > GID: 1872200000 > Account disabled: False > Password: True > Member of groups: admins, trust admins > Kerberos keys available: True > ------------------------------ > Unexpected output from server: > ------------------------------ > new: new > > It's hard to argue with this as being descriptive it just seems a bit > overbearing. > > I have a couple of ideas on this. > > 1. We could detect and suppress unexpected output by default and include > a note at the end, something like: > > Unexpected output suppressed, use --all to show. That would work with show/find, but you can't just re-run add/mod commands. > 2. 
Replace the print_dashed with print_line and embed a \n in the value > so it would look like: > > $ ipa user-show admin > User login: admin > Last name: Administrator > Home directory: /home/admin > Login shell: /bin/bash > UID: 1872200000 > GID: 1872200000 > Account disabled: False > Password: True > Member of groups: admins, trust admins > Kerberos keys available: True > > Unexpected output from server: > new: new I went with an extra print instead of the '\n' (it won't confuse translators as much). I also now use print_plain instead of print_line, so the output doesn't get truncated. > I think we'll need to document this somewhere in any case, explaining > how this situation can happen. I think it could be very confusing. I added a "please upgrade" message at the end. That should make the situation clear. > Functionally it works pretty well. > > rob -- Petr³ -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0062-02-Don-t-crash-when-server-returns-extra-output.patch Type: text/x-patch Size: 8134 bytes Desc: not available URL: From mkosek at redhat.com Thu Jun 14 08:58:50 2012
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 14 Jun 2012 10:58:50 +0200 Subject: [Freeipa-devel] [PATCH] 0062 Don't crash when server returns extra output In-Reply-To: <4FD9A62E.5050309@redhat.com> References: <4FD7240A.5040400@redhat.com> <1339504707.8230.577.camel@willson.li.ssimo.org> <4FD73869.6020503@redhat.com> <4FD908B4.9050407@redhat.com> <4FD9A62E.5050309@redhat.com> Message-ID: <1339664330.2062.13.camel@balmora.brq.redhat.com> On Thu, 2012-06-14 at 10:51 +0200, Petr Viktorin wrote: > On 06/13/2012 11:40 PM, Rob Crittenden wrote: [snip] > > 1. We could detect and suppress unexpected output by default and include > > a note at the end, something like: > > > > Unexpected output suppressed, use --all to show. > > That would work with show/find, but you can't just re-run add/mod commands. I would add a new option for this purpose directly to ipa command, i.e. something like this: # ipa --all user-show admin Martin From mkosek at redhat.com Thu Jun 14 09:07:40 2012 From: mkosek at redhat.com (Martin Kosek) Date: Thu, 14 Jun 2012 11:07:40 +0200 Subject: [Freeipa-devel] [PATCH] 276 Remove trust work unit test failures Message-ID: <1339664860.2062.14.camel@balmora.brq.redhat.com> Trust work that was pushed recently requires a few changes in unit tests to prevent test failures. This patch also removes repetitive construction of group DN in group unit tests. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-276-remove-trust-work-unit-test-failures.patch Type: text/x-patch Size: 14360 bytes Desc: not available URL: From mkosek at redhat.com Thu Jun 14 09:12:01 2012
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 14 Jun 2012 11:12:01 +0200 Subject: [Freeipa-devel] [PATCH] 0048 Rework the CallbackInterface In-Reply-To: <4FC6232F.7070402@redhat.com> References: <4FABB28C.90208@redhat.com> <4FB21314.6040205@redhat.com> <4FC6232F.7070402@redhat.com> Message-ID: <1339665121.2062.16.camel@balmora.brq.redhat.com> On Wed, 2012-05-30 at 15:39 +0200, Petr Viktorin wrote: > On 05/15/2012 10:25 AM, Petr Viktorin wrote: > > On 05/10/2012 02:20 PM, Petr Viktorin wrote: > >> While investigating ticket 2674, I found several problems with our > >> implementation of the CallbackInterface - it required complicated > >> calling code, and would subtly break if command classes were > >> instantiated in different ways than they are currently. > >> > >> Here's my fix. See commit message for details. > >> > > > > Rebased to current master > > > > Rebased again. This is certainly an improvement of our callback interface. No issue found, unit tests clean. ACK, pushed to master. Martin From pviktori at redhat.com Thu Jun 14 10:18:04 2012 From: pviktori at redhat.com (Petr Viktorin) Date: Thu, 14 Jun 2012 12:18:04 +0200 Subject: [Freeipa-devel] [PATCH] 276 Remove trust work unit test failures In-Reply-To: <1339664860.2062.14.camel@balmora.brq.redhat.com> References: <1339664860.2062.14.camel@balmora.brq.redhat.com> Message-ID: <4FD9BA5C.7050003@redhat.com> On 06/14/2012 11:07 AM, Martin Kosek wrote: > Trust work that was pushed recently requires a few changes in unit > tests to prevent test failures. This patch also removes repetitive > construction of group DN in group unit tests. > Thanks, the tests pass now. ACK -- Petr³ From mkosek at redhat.com Thu Jun 14 10:22:42 2012
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 14 Jun 2012 12:22:42 +0200 Subject: [Freeipa-devel] [PATCH] 276 Remove trust work unit test failures In-Reply-To: <4FD9BA5C.7050003@redhat.com> References: <1339664860.2062.14.camel@balmora.brq.redhat.com> <4FD9BA5C.7050003@redhat.com> Message-ID: <1339669362.2062.18.camel@balmora.brq.redhat.com> On Thu, 2012-06-14 at 12:18 +0200, Petr Viktorin wrote: > On 06/14/2012 11:07 AM, Martin Kosek wrote: > > Trust work that was pushed recently requires a few changes in unit > > tests to prevent test failures. This patch also removes repetitive > > construction of group DN in group unit tests. > > > > Thanks, the tests pass now. ACK Pushed to master. Martin From sbose at redhat.com Thu Jun 14 10:35:38 2012
From: sbose at redhat.com (Sumit Bose) Date: Thu, 14 Jun 2012 12:35:38 +0200 Subject: [Freeipa-devel] [PATCHES] 22-24 Add initial support for ID ranges In-Reply-To: <1339634303.8230.634.camel@willson.li.ssimo.org> References: <20120613191726.GI20850@localhost.localdomain> <1339634303.8230.634.camel@willson.li.ssimo.org> Message-ID: <20120614103538.GJ20850@localhost.localdomain> On Wed, Jun 13, 2012 at 08:38:23PM -0400, Simo Sorce wrote: > On Wed, 2012-06-13 at 21:17 +0200, Sumit Bose wrote: > > > > to keep track of the different ranges we use for UIDs/GIDs for local > > users/groups and users from trusted domains new range objects are > > introduced which are stored below cn=range,cn=etc,$SUFFIX. > > > > 0022: LDAP schema update > > ack > > > 0023: Create a range object during installation for the local ID range > > nack, I think we need to find a way to handle adding at least the base > range on update. Otherwise an updated server won't be able to have IDs > for most of its users. I fully agree, but since we said that we concentrate on update issues in beta2 I wanted to send the version for the fresh install first to allow testing. > > > 0024: add primary and secondary RID base to the local range object > > during ipa-adtrust-install > > Not sure if setting the range belongs in the previous patch or this one. I think it is right here, because a plain IPA server does not need the RID related attributes. > We might decide to ask questions during ipa-adtrust-install if the range > is not available, maybe presenting a set of pre-canned choices if we can > detect them. I agree here, too. But as above I would like to handle update issues in a second round. > > Finally I think we need to do a search with uid/gidNumber < base and > uid/gidNumber > max and prompt/warn the user if we detect any ID that > falls outside the configured range (either because we failed to detect > ranges on upgrade and the user botched the question or because the admin > added arbitrary IDs. 
> If a warning we should warn that missing a range that suitably covers > these IDs, those users/groups will not be available for the trust. > > Maybe we should also have a simple ipa command that can list all > users/groups that fall outside the ranges as well. I'm working on the ranges cli plugin to allow 'ipa range-add', 'ipa range-find' etc. I can add it there. bye, Sumit > > Simo. > > > -- > Simo Sorce * Red Hat, Inc * New York > From simo at redhat.com Thu Jun 14 11:54:40 2012 
From: simo at redhat.com (Simo Sorce) Date: Thu, 14 Jun 2012 07:54:40 -0400 Subject: [Freeipa-devel] [PATCHES] 22-24 Add initial support for ID ranges In-Reply-To: <20120614103538.GJ20850@localhost.localdomain> References: <20120613191726.GI20850@localhost.localdomain> <1339634303.8230.634.camel@willson.li.ssimo.org> <20120614103538.GJ20850@localhost.localdomain> Message-ID: <1339674880.8230.674.camel@willson.li.ssimo.org> On Thu, 2012-06-14 at 12:35 +0200, Sumit Bose wrote: > On Wed, Jun 13, 2012 at 08:38:23PM -0400, Simo Sorce wrote: > > On Wed, 2012-06-13 at 21:17 +0200, Sumit Bose wrote: > > > > > > to keep track of the different ranges we use for UIDs/GIDs for local > > > users/groups and users from trusted domains new range objects are > > > introduced which are stored below cn=range,cn=etc,$SUFFIX. > > > > > > 0022: LDAP schema update > > > > ack > > > > > 0023: Create a range object during installation for the local ID range > > > > nack, I think we need to find a way to handle adding at least the base > > range on update. Otherwise an updated server won't be able to have IDs > > for most of its users. > > I fully agree, but since we said that we concentrate on update issues in > beta2 I wanted to send the version for the fresh install first to allow > testing. The reason I'd like updates is that this patchset can be installed on top of existing servers for testing w/o having to reinstall from scratch or manually creating the ipaDomainIDRange object :):) > > > > > 0024: add primary and secondary RID base to the local range object > > > during ipa-adtrust-install > > > > Not sure if setting the range belongs in the previous patch or this one. > > I think it is right here, because a plain IPA server does not need the > RID related attributes. > > > We might decide to ask questions during ipa-adtrust-install if the range > > is not available, maybe presenting a set of pre-canned choices if we can > > detect them. > > I agree here, too. 
But as above I would like to handle update issues > in a second round. > > > > > Finally I think we need to do a search with uid/gidNumber < base and > > uid/gidNumber > max and prompt/warn the user if we detect any ID that > > falls outside the configured range (either because we failed to detect > > ranges on upgrade and the user botched the question or because the admin > > added arbitrary IDs. > > If a warning we should warn that missing a range that suitably covers > > these IDs, those users/groups will not be available for the trust. > > > > Maybe we should also have a simple ipa command that can list all > > users/groups that fall outside the ranges as well. > > I'm working on the ranges cli plugin to allow 'ipa range-add', 'ipa > range-find' etc. I can add it there. > > bye, > Sumit > > > > > Simo. > > > > > -- > > Simo Sorce * Red Hat, Inc * New York > > -- Simo Sorce * Red Hat, Inc * New York From mkosek at redhat.com Thu Jun 14 12:04:55 2012
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 14 Jun 2012 14:04:55 +0200 Subject: [Freeipa-devel] [PATCH] 1024 add client session support In-Reply-To: <4FD8F4A0.6070705@redhat.com> References: <4FD0EA6B.3040801@redhat.com> <4FD0F9DD.6040504@redhat.com> <4FD169B7.3030906@redhat.com> <1339433382.19118.43.camel@balmora.brq.redhat.com> <4FD74E13.4050506@redhat.com> <4FD78608.4060009@redhat.com> <1339571990.2965.11.camel@balmora.brq.redhat.com> <4FD8AEE5.60002@redhat.com> <4FD8F4A0.6070705@redhat.com> Message-ID: <1339675495.2062.21.camel@balmora.brq.redhat.com> On Wed, 2012-06-13 at 16:14 -0400, Rob Crittenden wrote: > Rob Crittenden wrote: > > Martin Kosek wrote: > >> On Tue, 2012-06-12 at 14:10 -0400, Rob Crittenden wrote: > >>> Petr Viktorin wrote: > >>>> On 06/11/2012 06:49 PM, Martin Kosek wrote: > >>>>> On Thu, 2012-06-07 at 22:55 -0400, Rob Crittenden wrote: > >>>>>> Rob Crittenden wrote: > >>>>>>> Rob Crittenden wrote: > >>>>>>>> This adds client session support. The session key is stored in the > >>>>>>>> kernel key ring. > >>>>>>>> > >>>>>>>> Your first request should go to /ipa/session/xml where it should be > >>>>>>>> rejected with a 401. The next will go to /ipa/xml which will be > >>>>>>>> accepted. This should all be invisible to the client. > >>>>>>>> > >>>>>>>> Subsequent requests should go to /ipa/session/xml which should > >>>>>>>> let you > >>>>>>>> in with the cookie. > >>>>>>>> > >>>>>>>> You can add the -vv option after ipa to see fully what is going on, > >>>>>>>> e.g. 
> >>>>>>>> ipa -vv user-show admin > >>>>>>>> > >>>>>>>> To manage your keyring use the keyctl command like: > >>>>>>>> > >>>>>>>> $ keyctl list @s > >>>>>>>> 2 keys in keyring: > >>>>>>>> 353548226: --alswrv 1000 -1 keyring: _uid.1000 > >>>>>>>> 941350591: --alswrv 1000 1000 user: ipa_session_cookie > >>>>>>>> > >>>>>>>> To remove a key: > >>>>>>>> > >>>>>>>> $ keyctl unlink 941350591 @s > >>>>>>>> > >>>>>>>> rob > >>>>>>> > >>>>>>> Hmm, this doesn't play too nice with the lite-server. Let me see > >>>>>>> if I > >>>>>>> can track it down. The ccache is being removed, probably as part > >>>>>>> of the > >>>>>>> session code. Sessions don't make sense with the lite server > >>>>>>> since it > >>>>>>> uses the local ccache directly. > >>>>>> > >>>>>> Updated patch. Don't clean up the ccache if in the lite-server. > >>>>>> > >>>>>> rob > >>>>>> > >>>>> > >>>>> Good job there. I tested various scenarios (2 master, fallback with > >>>>> SRV > >>>>> records, old client (RHEL 6.2)) and most worked for me, but only I > >>>>> worked under the root account. This is what I got with non-root: > >>>>> > >>>>> $ ipa user-show admin > >>>>> ... > >>>>> ipa: DEBUG: stderr= > >>>>> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie > >>>>> ipa: DEBUG: stdout=113632397 > >>>>> > >>>>> ipa: DEBUG: stderr= > >>>>> ipa: DEBUG: args=keyctl pupdate 113632397 > >>>>> ipa: DEBUG: stdout= > >>>>> ipa: DEBUG: stderr=keyctl_update: Permission denied > >>>>> ipa: INFO: trying > >>>>> https://vm-131.idm.lab.bos.redhat.com/ipa/session/xml > >>>>> ipa: DEBUG: NSSConnection init vm-131.idm.lab.bos.redhat.com > >>>>> ipa: ERROR: cannot connect to 'any of the configured servers': ... > >>>>> > >>>>> Shouldn't we use @us instead of @s for storing user session keys? > >>>>> > >>>>> > >>>>> Secondly, I wonder if we also plan to add some logout command? This > >>>>> way > >>>>> even if I do kdestroy, the session still exist and someone other may > >>>>> still execute commands. 
> >>>>> > >>>>> Martin > >>>> > >>>> Also: keyctl is in the keyutils package, which we need to depend on. > >>>> > >>> > >>> Nice catch, updated patch. > >> > >> Thanks. It just needs rebasing (conflicts with pushed password change > >> capability). > >> > >>> > >>> I also included a bit more about why I chose @s instead of @us. > >>> Basically it is so a different shell can have a different session and > >>> therefore a different identity. > >> > >> Hm, personally I am not sure why I would want to have two different > >> identities in different shells, maybe for custom scripts? > >> > >> There is a disadvantage for using @s over @us though. This use case will > >> fail: > >> > >> # kinit admin > >> Password for admin at IDM.LAB.BOS.REDHAT.COM: > >> # ipa user-show admin > >> User login: admin > >> Last name: Administrator > >> Home directory: /home/admin > >> Login shell: /bin/bash > >> UID: 384000000 > >> GID: 384000000 > >> Account disabled: False > >> Password: True > >> Member of groups: admins, trust admins > >> Kerberos keys available: True > >> > >> # su admin > >> $ kinit admin > >> Password for admin at IDM.LAB.BOS.REDHAT.COM: > >> $ ipa user-show admin > >> ipa: ERROR: cannot connect to 'any of the configured servers': > >> https://vm-021.idm.lab.bos.redhat.com/ipa/session/xml, > >> https://vm-131.idm.lab.bos.redhat.com/ipa/session/xml > >> > >> This fails because the session under "su" does not have a permission to > >> update the key. Btw this worked for me when I used @us instead of @s. > > > > I think a more likely use case is where you are logged in as yourself > > and you want to keep that TGT but want to do some administrative work as > > admin. > > > > $ export KRB5CCNAME=/tmp/my_cc > > $ kinit admin > > $ ipa user-mod ... > > > > If you use @us then this new ccache isn't used at all, the original > > session is. > > > > If you use @s then this new ccache is used as expected. > > > >> > >>> > >>> I'm going to open a ticket for the logout. 
For the short-term one can do > >>> something like: > >>> > >>> $ keyctl purge user > >>> > >>> Or more precisely: > >>> > >>> $ keyctl list @s > >>> 2 keys in keyring: > >>> 353548226: --alswrv 1000 -1 keyring: _uid.1000 > >>> 207626975: --alswrv 1000 1000 user: ipa_session_cookie > >>> $ keyctl unlink 207626975 > >>> 1 links removed > >> > >> Ok, I think this is fine for now. > >> > >> Martin > > Rebased patch Ok, this is OK. I could not find any other pressing issues, let's get it baked also with other devels. I just bumped ipa.conf config VERSION so that it is updated also in current master installs. ACK. Pushed to master. Martin From sbose at redhat.com Thu Jun 14 12:25:01 2012
From: sbose at redhat.com (Sumit Bose) Date: Thu, 14 Jun 2012 14:25:01 +0200 Subject: [Freeipa-devel] [PATCHES] 22-24 Add initial support for ID ranges In-Reply-To: <1339674880.8230.674.camel@willson.li.ssimo.org> References: <20120613191726.GI20850@localhost.localdomain> <1339634303.8230.634.camel@willson.li.ssimo.org> <20120614103538.GJ20850@localhost.localdomain> <1339674880.8230.674.camel@willson.li.ssimo.org> Message-ID: <20120614122501.GK20850@localhost.localdomain> On Thu, Jun 14, 2012 at 07:54:40AM -0400, Simo Sorce wrote: > On Thu, 2012-06-14 at 12:35 +0200, Sumit Bose wrote: > > On Wed, Jun 13, 2012 at 08:38:23PM -0400, Simo Sorce wrote: > > > On Wed, 2012-06-13 at 21:17 +0200, Sumit Bose wrote: > > > > > > > > to keep track of the different ranges we use for UIDs/GIDs for local > > > > users/groups and users from trusted domains new range objects are > > > > introduced which are stored below cn=range,cn=etc,$SUFFIX. > > > > > > > > 0022: LDAP schema update > > > > > > ack > > > > > > > 0023: Create a range object during installation for the local ID range > > > > > > nack, I think we need to find a way to handle adding at least the base > > > range on update. Otherwise an updated server won't be able to have IDs > > > for most of its users. > > > > I fully agree, but since we said that we concentrate on update issues in > > beta2 I wanted to send the version for the fresh install first to allow > > testing. > > The reason I'd like updates is that this patchset can be installed on > top of existing servers for testing w/o having to reinstall from scratch > or manually creating the ipaDomainIDRange object :):) ok, will do. Do you otherwise agree with the patches or is there something I should change while adding the updates? bye, Sumit > > > > > > > > 0024: add primary and secondary RID base to the local range object > > > > during ipa-adtrust-install > > > > > > Not sure if setting the range belongs in the previous patch or this one. 
> > > > I think it is right here, because a plain IPA server does not need the > > RID related attributes. > > > > > We might decide to ask questions during ipa-adtrust-install if the range > > > is not available, maybe presenting a set of pre-canned choices if we can > > > detect them. > > > > I agree here, too. But as above I would like to handle update issues > > in a second round. > > > > > > > > Finally I think we need to do a search with uid/gidNumber < base and > > > uid/gidNumber > max and prompt/warn the user if we detect any ID that > > > falls outside the configured range (either because we failed to detect > > > ranges on upgrade and the user botched the question or because the admin > > > added arbitrary IDs. > > > If a warning we should warn that missing a range that suitably covers > > > these IDs, those users/groups will not be available for the trust. > > > > > > Maybe we should also have a simple ipa command that can list all > > > users/groups that fall outside the ranges as well. > > > > I'm working on the ranges cli plugin to allow 'ipa range-add', 'ipa > > range-find' etc. I can add it there. > > > > bye, > > Sumit > > > > > > > > Simo. > > > > > > > -- > > > Simo Sorce * Red Hat, Inc * New York > > > > > > -- > Simo Sorce * Red Hat, Inc * New York > From pviktori at redhat.com Thu Jun 14 12:36:47 2012
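The out-of-range check Simo asks for above (search for uid/gidNumber below the base or above the max of every configured range and warn about the hits), worked through as an added example in Python. This is not FreeIPA's own code: it models a range object as a base plus a size, the shape the thread describes for the entries below cn=range,cn=etc,$SUFFIX, and it also flags ranges that overlap one another, since an ID covered by two ranges cannot be mapped back to a single RID. The attribute names ipaBaseID and ipaIDRangeSize, the range name, the DNs and the ID values in the sample entries are assumptions constructed for this illustration.

```python
"""Check POSIX IDs against configured ID ranges.

Added example, not FreeIPA's own code. Models range objects (base ID plus
size), lists users/groups whose uidNumber/gidNumber fall outside every
range, flags overlapping ranges, and builds the LDAP filter for the same
search. Attribute names, range names and all sample entries are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class IDRange:
    cn: str     # name of the range entry
    base: int   # first POSIX ID in the range (assumed attribute: ipaBaseID)
    size: int   # number of IDs in the range (assumed attribute: ipaIDRangeSize)

    @property
    def last(self) -> int:
        return self.base + self.size - 1

    def covers(self, idnum: int) -> bool:
        return self.base <= idnum <= self.last


def overlapping_ranges(ranges):
    """Return (cn, cn) pairs of ranges that share at least one ID.

    An ID covered by two ranges cannot be mapped back to a single RID/SID,
    so overlaps must be rejected before a trust is established."""
    ordered = sorted(ranges, key=lambda r: r.base)
    return [(a.cn, b.cn) for a, b in zip(ordered, ordered[1:]) if b.base <= a.last]


def out_of_range_filter(ranges, attr="uidNumber"):
    """LDAP filter matching entries whose `attr` lies outside every range.

    LDAP filters only offer <= and >=, so "x < base or x > max" is written
    as "not (base <= x <= last)" for each range, OR-ed together."""
    inside = "".join(f"(&({attr}>={r.base})({attr}<={r.last}))" for r in ranges)
    return f"(&({attr}=*)(!(|{inside})))"


def out_of_range_entries(entries, ranges):
    """entries: iterable of (dn, attr, value). Return those no range covers."""
    return [(dn, attr, val) for dn, attr, val in entries
            if not any(r.covers(val) for r in ranges)]


# Constructed sample data: one local range of 200000 IDs and a few
# posixAccount/posixGroup entries, two of which were added with hand-picked
# IDs below the range (the case the thread wants an installer warning for).
LOCAL_RANGES = [IDRange("EXAMPLE.COM_id_range", 1872200000, 200000)]
SAMPLE_ENTRIES = [
    ("uid=admin,cn=users,cn=accounts,dc=example,dc=com", "uidNumber", 1872200000),
    ("uid=legacy,cn=users,cn=accounts,dc=example,dc=com", "uidNumber", 1000),
    ("cn=admins,cn=groups,cn=accounts,dc=example,dc=com", "gidNumber", 1872200000),
    ("cn=wheel,cn=groups,cn=accounts,dc=example,dc=com", "gidNumber", 10),
]


if __name__ == "__main__":
    for dn, attr, val in out_of_range_entries(SAMPLE_ENTRIES, LOCAL_RANGES):
        print(f"{dn}: {attr}={val} is outside every configured range")
    print(out_of_range_filter(LOCAL_RANGES))
    print(out_of_range_filter(LOCAL_RANGES, "gidNumber"))
```

The filter returned by out_of_range_filter is what an installer or a range-find style command would hand to the directory server; out_of_range_entries is the same test applied client-side to entries already fetched, which is useful in a unit test or when the directory does not support ordering matches on the attribute.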
From: pviktori at redhat.com (Petr Viktorin) Date: Thu, 14 Jun 2012 14:36:47 +0200 Subject: [Freeipa-devel] [PATCH] 0061, 63 Improve ipa-client-install debug output In-Reply-To: <4FD7B11D.2020407@redhat.com> References: <4FD60324.7030901@redhat.com> <4FD7B11D.2020407@redhat.com> Message-ID: <4FD9DADF.7050605@redhat.com> On 06/12/2012 11:14 PM, Rob Crittenden wrote: > Petr Viktorin wrote: >> I went through all the output/debug messages in ipa-client-install, >> removed duplicates, and routed them through the log manager. >> >> I used these log levels: >> DEBUG - detailed messages the user probably doesn't want to see (only >> printed to console with --debug) >> INFO - progress reports ("Configured /etc/sssd/sssd.conf") and >> instructions ("You may need to restart services or reboot the machine.") >> WARNING - something unusual that may require attention >> ERROR - something went wrong >> >> Obviously there's some overlap there. >> >> >> On the console, the messages are now prefixed with the log level. This >> should bring attention to the warnings/errors. >> Does this format look okay? >> I think the current default console_format, which prefixes the logger >> name (ipa) and the level, is too verbose. > > I agree. I'm not a fan of printing the log level, it is very distracting. I've removed the log level. > This is a good start but the DNS discovery area needs more work. I've > found it very difficult to look at a log and figure out where the domain > and hostname came from (user provided or discovered?) and trace how the > discovery is working. There is currently a lot of smoke and noise and > very little useful information. > I've added the sources of the values to the summary, and provided more tracing information. I put this in a separate patch; it's not the almost mechanical changes as in the first one. I'll be happy to squash them if that would make review easier. > rob -- Petr³ -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pviktori-0061-02-Improve-ipa-client-install-debug-output.patch Type: text/x-patch Size: 55575 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0063-Improve-autodiscovery-logging.patch Type: text/x-patch Size: 22123 bytes Desc: not available URL: From rcritten at redhat.com Thu Jun 14 13:05:36 2012 
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 14 Jun 2012 09:05:36 -0400 Subject: [Freeipa-devel] [PATCH] 275 Do not crash in Decimal parameter conversion In-Reply-To: <1339655236.2062.5.camel@balmora.brq.redhat.com> References: <1339062486.7369.3.camel@balmora.brq.redhat.com> <4FD165BB.7030604@redhat.com> <1339598941.2965.39.camel@balmora.brq.redhat.com> <4FD90EC7.1060603@redhat.com> <1339655236.2062.5.camel@balmora.brq.redhat.com> Message-ID: <4FD9E1A0.1070109@redhat.com> Martin Kosek wrote: > On Wed, 2012-06-13 at 18:05 -0400, Rob Crittenden wrote: >> Martin Kosek wrote: >>> On Thu, 2012-06-07 at 22:38 -0400, Rob Crittenden wrote: >>>> Martin Kosek wrote: >>>>> When invalid data is passed, an unhandled decimal exception could >>>>> be raised in Decimal number conversion. Handle the exception >>>>> more gracefully and report proper ipalib.errors.ConversionError. >>>>> >>>>> https://fedorahosted.org/freeipa/ticket/2705 >>>> >>>> I'm being pedantic but I think the Decimal special values need to be >>>> handled better. 
Using Infinity returns a rather odd message: >>>> >>>> $ ipa dnsrecord-add example.com >>>> Record name: foo >>>> Please choose a type of DNS resource record to be added >>>> The most common types for this type of zone are: A, AAAA >>>> >>>> DNS resource record type: LOC >>>> LOC Degrees Latitude: 90 >>>> [LOC Minutes Latitude]: 59 >>>> [LOC Seconds Latitude]: >>>> 999999999999999999999999999999999999999999999999999999999999999999999 >>>> >>> LOC Seconds Latitude: quantize result has too many digits for >>>> current context >>>> [LOC Seconds Latitude]: Infinity >>>> >>> LOC Seconds Latitude: quantize with one INF >>>> >>>> And using NaN raises an unhandled exception: >>>> >>>> [LOC Seconds Latitude]: NaN >>>> ipa: ERROR: InvalidOperation: comparison involving NaN >>>> Traceback (most recent call last): >>>> File "/home/rcrit/redhat/freeipa/ipalib/cli.py", line 1263, in run >>>> sys.exit(api.Backend.cli.run(argv)) >>>> File "/home/rcrit/redhat/freeipa/ipalib/cli.py", line 1049, in run >>>> kw = self.argv_to_keyword_arguments(cmd, argv[1:]) >>>> File "/home/rcrit/redhat/freeipa/ipalib/cli.py", line 1035, in >>>> argv_to_keyword_arguments >>>> self.prompt_interactively(cmd, kw) >>>> File "/home/rcrit/redhat/freeipa/ipalib/cli.py", line 1199, in >>>> prompt_interactively >>>> callback(kw) >>>> File "/home/rcrit/redhat/freeipa/ipalib/plugins/dns.py", line 2147, >>>> in interactive_prompt_callback >>>> user_options = param.prompt_parts(self.Backend) >>>> File "/home/rcrit/redhat/freeipa/ipalib/plugins/dns.py", line 768, in >>>> prompt_parts >>>> self.__get_part_param(backend, part, user_options, default) >>>> File "/home/rcrit/redhat/freeipa/ipalib/plugins/dns.py", line 747, in >>>> __get_part_param >>>> output_kw[name] = part(raw) >>>> File "/home/rcrit/redhat/freeipa/ipalib/parameters.py", line 556, in >>>> __call__ >>>> self.validate(value, supplied=self.name in kw) >>>> File "/home/rcrit/redhat/freeipa/ipalib/parameters.py", line 879, in >>>> validate >>>> 
self._validate_scalar(value) >>>> File "/home/rcrit/redhat/freeipa/ipalib/parameters.py", line 893, in >>>> _validate_scalar >>>> error = rule(ugettext, value) >>>> File "/home/rcrit/redhat/freeipa/ipalib/parameters.py", line 1244, in >>>> _rule_minvalue >>>> if value< self.minvalue: >>>> File "/usr/lib64/python2.7/decimal.py", line 884, in __lt__ >>>> ans = self._compare_check_nans(other, context) >>>> File "/usr/lib64/python2.7/decimal.py", line 786, in _compare_check_nans >>>> self) >>>> File "/usr/lib64/python2.7/decimal.py", line 3866, in _raise_error >>>> raise error(explanation) >>>> InvalidOperation: comparison involving NaN >>>> ipa: ERROR: an internal error has occurred >>>> >>>> Otherwise it does what it should. >>>> >>>> rob >>> >>> Thanks for being pedantic, I found out that Decimal number validation >>> and normalization needs more care, dnsrecord-add would also fail with >>> values such as "1E4" or "-0". >>> >>> Attached patch improves Decimal number validation a lot and adds >>> optional exponent normalization. I also added missing tests for all >>> Decimal Parameter attributes. >>> >>> Martin >> >> Getting some lint errors. Ran out of time to investigate but its strange >> because AFAICT these are members. >> >> ipalib/parameters.py:1266: [E1101, Decimal._enforce_numberclass] >> Instance of 'Decimal' has no 'numberclass' member >> ipalib/parameters.py:1271: [E1101, Decimal._enforce_numberclass] >> Instance of 'Decimal' has no 'numberclass' member >> ipalib/parameters.py:1288: [E1101, Decimal._remove_exponent] Instance of >> 'Decimal' has no 'exponential' member >> > > I assume you run this lint: > > # ./make-lint ipalib/parameters.py > > This produces a lot of false positive lint errors... 
But if you run lint > for the entire project, my patches will pass: > > # git > apply /home/mkosek/freeipa-mkosek-275-2-decimal-parameter-conversion-and-normalization.patch > # ./make-lint > # > > That's why 275-2 includes a change for make-lint to not report these new > attributes: > diff --git a/make-lint b/make-lint > index 7ecd59d7e8c5a644f812d4b8987866e7d06236b5..30c5e00c1f0606c75ff1f7fec675ff673a6b87a0 100755 > --- a/make-lint > +++ b/make-lint > @@ -61,7 +61,8 @@ class IPATypeChecker(TypeChecker): > 'csv', 'csv_separator', 'csv_skipspace'], > 'ipalib.parameters.Bool': ['truths', 'falsehoods'], > 'ipalib.parameters.Int': ['minvalue', 'maxvalue'], > - 'ipalib.parameters.Decimal': ['minvalue', 'maxvalue', 'precision'], > + 'ipalib.parameters.Decimal': ['minvalue', 'maxvalue', 'precision', > + 'numberclass', 'exponential'], > 'ipalib.parameters.Data': ['minlength', 'maxlength', 'length', > 'pattern', 'pattern_errmsg'], > 'ipalib.parameters.Enum': ['values'], > > > Bottom line - I do not think there is a lint problem with my patch :-) > > Martin > This was output from './make-lint'. It blew up when I was trying to build the rpms. rob From pviktori at redhat.com Thu Jun 14 13:29:07 2012 
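Review bot: the whitelist change in the quoted make-lint hunk covers exactly the two names the E1101 errors above complain about ('numberclass' at parameters.py:1266/1271 and 'exponential' at :1288), so nothing is missing for this patch; what the hunk lacks is a comment next to the IPATypeChecker member lists saying that every attribute added to a Parameter subclass must also be listed there. The thread shows why that matters: the errors only surface on some pylint versions (Rob's './make-lint' run during the rpm build, clean for Martin), so the next attribute added to ipalib.parameters.Decimal will break someone's build again unless the list is kept in sync, and a one-line comment such as "# keep in sync with the attributes defined on each Parameter subclass" above 'ipalib.parameters.Decimal': [...] makes that visible.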
From: pviktori at redhat.com (Petr Viktorin)
Date: Thu, 14 Jun 2012 15:29:07 +0200
Subject: [Freeipa-devel] [PATCH] 1025 set fixed primary IPA server in client
In-Reply-To: <4FD64AF2.3000406@redhat.com>
References: <4FD64AF2.3000406@redhat.com>
Message-ID: <4FD9E723.1050702@redhat.com>

On 06/11/2012 09:45 PM, Rob Crittenden wrote:
> Add --fixed-primary flag to control the order of ipa_server in
> sssd.conf. When set the discovered (or passed) server will be set first
> rather than _srv_. The default is to have _srv_ set first.
>
> rob
>

Works as advertised, just two nitpicks:

Applying: Add flag to ipa-client-install to managed order of ipa_server in sssd
/home/pviktori/freeipa/.git/rebase-apply/patch:14: trailing whitespace.
basic_group.add_option("--fixed-primary", dest="primary", action="store_true",
warning: 1 line adds whitespace errors.

And since you're fixing the manpage:

+\-\-hostname option may be used to specify a static hostname that is set in machine system configuration and persist over reboot.

s/persist/persists/

ACK if they're fixed

-- 
Petr³

From rcritten at redhat.com Thu Jun 14 15:39:31 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 14 Jun 2012 11:39:31 -0400
Subject: [Freeipa-devel] [PATCH] 1026 increase header limit
Message-ID: <4FDA05B3.9000001@redhat.com>

Increase the request header limit to accommodate a 64KiB PAC.

It's hard to test this outside of trust but you can do a reverse test to be sure this is doing anything by setting the limit to 10. You should get a 400 error back. And I guess check for regressions. All tests are passing for me.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-1026-requestlimit.patch
Type: text/x-diff
Size: 1026 bytes
Desc: not available
URL:

From ohamada at redhat.com Thu Jun 14 15:55:41 2012
From: ohamada at redhat.com (Ondrej Hamada)
Date: Thu, 14 Jun 2012 17:55:41 +0200
Subject: [Freeipa-devel] [PATCH] 26 Fix '--random' param behaviour for host plugin
Message-ID: <4FDA097D.4030601@redhat.com>

Improved options checking so that host-mod operation is not changing password for enrolled host when '--random' option is used.

https://fedorahosted.org/freeipa/ticket/2799

Updated set of characters that is used for generating random passwords for ipa hosts. Following characters were removed from the set: '"`\$<>

https://fedorahosted.org/freeipa/ticket/2800

-- 
Regards,

Ondrej Hamada
FreeIPA team
jabber: ohama at jabbim.cz
IRC: ohamada

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ohamada-26-Change-random-passwords-behaviour.patch
Type: text/x-patch
Size: 2948 bytes
Desc: not available
URL:

From rcritten at redhat.com Thu Jun 14 19:55:54 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 14 Jun 2012 15:55:54 -0400
Subject: [Freeipa-devel] [PATCH] 1025 set fixed primary IPA server in client
In-Reply-To: <4FD9E723.1050702@redhat.com>
References: <4FD64AF2.3000406@redhat.com> <4FD9E723.1050702@redhat.com>
Message-ID: <4FDA41CA.6090003@redhat.com>

Petr Viktorin wrote:
> On 06/11/2012 09:45 PM, Rob Crittenden wrote:
>> Add --fixed-primary flag to control the order of ipa_server in
>> sssd.conf. When set the discovered (or passed) server will be set first
>> rather than _srv_. The default is to have _srv_ set first.
>>
>> rob
>>
>
> Works as advertised, just two nitpicks:
>
> Applying: Add flag to ipa-client-install to managed order of ipa_server
> in sssd
> /home/pviktori/freeipa/.git/rebase-apply/patch:14: trailing whitespace.
> basic_group.add_option("--fixed-primary", dest="primary",
> action="store_true",
> warning: 1 line adds whitespace errors.
>
>
> And since you're fixing the manpage:
>
> +\-\-hostname option may be used to specify a static hostname that is
> set in machine system configuration and persist over reboot.
>
> s/persist/persists/
>
>
> ACK if they're fixed
>

Done and pushed to master.

rob

From rcritten at redhat.com Thu Jun 14 20:35:03 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 14 Jun 2012 16:35:03 -0400
Subject: [Freeipa-devel] [PATCH] 26 Fix '--random' param behaviour for host plugin
In-Reply-To: <4FDA097D.4030601@redhat.com>
References: <4FDA097D.4030601@redhat.com>
Message-ID: <4FDA4AF7.1050102@redhat.com>

Ondrej Hamada wrote:
> Improved options checking so that host-mod operation is not changing
> password for enrolled host when '--random' option is used.
>
> https://fedorahosted.org/freeipa/ticket/2799
>
> Updated set of characters that is used for generating random passwords
> for ipa hosts. Following characters were removed from the set: '"`\$<>
>
> https://fedorahosted.org/freeipa/ticket/2800

This works ok but it would be nice to have a test for both setting a password and random on an enrolled host to prevent regressions. We have some ipa-getkeytab tests already and these can be extended to test this I think.

Might be nice to mention in the inline comment the set of characters excluded and why.

rob

From mkosek at redhat.com Fri Jun 15 05:36:54 2012
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 15 Jun 2012 07:36:54 +0200
Subject: [Freeipa-devel] [PATCH] 26 Fix '--random' param behaviour for host plugin
In-Reply-To: <4FDA4AF7.1050102@redhat.com>
References: <4FDA097D.4030601@redhat.com> <4FDA4AF7.1050102@redhat.com>
Message-ID: <1339738614.12383.5.camel@priserak>

On Thu, 2012-06-14 at 16:35 -0400, Rob Crittenden wrote:
> Ondrej Hamada wrote:
> > Improved options checking so that host-mod operation is not changing
> > password for enrolled host when '--random' option is used.
> >
> > https://fedorahosted.org/freeipa/ticket/2799
> >
> > Updated set of characters that is used for generating random passwords
> > for ipa hosts. Following characters were removed from the set: '"`\$<>
> >
> > https://fedorahosted.org/freeipa/ticket/2800
>
> This works ok but it would be nice to have a test for both setting a
> password and random on an enrolled host to prevent regressions. We have
> some ipa-getkeytab tests already and these can be extended to test this
> I think.
>
> Might be nice to mention in the inline comment the set of characters
> excluded and why.
>
> rob
>

We already generate passwords for users with this character set:

user_pwdchars = string.digits + string.ascii_letters + '_,.@+-='

Why would we want to generate passwords for host enrolling with a different set?

Additionally, I think the set of characters you chose is too wide, try entering passwords with ' ', !, (, ), &, or ; without careful escaping or quoting...

Martin

From mkosek at redhat.com Fri Jun 15 10:54:02 2012
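An added example for the character-set question in this thread (not FreeIPA's code and not patch 26): it draws a host password from the user_pwdchars set Martin quotes, and uses shlex.quote() as the test for "needs escaping or quoting" that he describes. The password length and the sample character sets compared in the demo are constructed for illustration.

```python
# Added example, not FreeIPA's code: generate a host enrolment password from
# the user password character set quoted in the thread, and check a candidate
# character set for characters that would need shell quoting. The length and
# the sample character sets exercised in __main__ are constructed here.
import secrets
import shlex
import string

# the set quoted in the thread for user passwords
USER_PWDCHARS = string.digits + string.ascii_letters + '_,.@+-='


def needs_shell_quoting(chars):
    """Return the characters of `chars` that a POSIX shell would need quoted.

    shlex.quote() returns its argument unchanged only when the string is safe
    to paste on a command line as-is, so comparing the two is a cheap
    per-character test for "careful escaping or quoting" being required.
    """
    return "".join(c for c in chars if shlex.quote(c) != c)


def generate_password(length=12, alphabet=USER_PWDCHARS):
    """Random password drawn with the `secrets` CSPRNG from a vetted alphabet.

    Refuses an alphabet with characters that would need quoting, so the
    generated value can be passed on a command line (e.g. to ipa-client-install)
    without further care.
    """
    if length < 1:
        raise ValueError("length must be positive")
    unsafe = needs_shell_quoting(alphabet)
    if unsafe:
        raise ValueError(f"alphabet contains characters needing quoting: {unsafe!r}")
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for label, charset in (("user_pwdchars", USER_PWDCHARS),
                           ("removed by patch 26", '\'"`\\$<>'),
                           ("Martin's further examples", " !()&;")):
        print(f"{label}: needs quoting -> {needs_shell_quoting(charset)!r}")
    print("sample host password:", generate_password())
```

The check shows that every character in user_pwdchars passes shlex.quote() untouched, while each character Ondrej removed and each one Martin lists would have to be quoted, which is the practical argument for reusing the existing set.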
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 15 Jun 2012 12:54:02 +0200 Subject: [Freeipa-devel] [PATCH] 275 Do not crash in Decimal parameter conversion In-Reply-To: <4FD9E1A0.1070109@redhat.com> References: <1339062486.7369.3.camel@balmora.brq.redhat.com> <4FD165BB.7030604@redhat.com> <1339598941.2965.39.camel@balmora.brq.redhat.com> <4FD90EC7.1060603@redhat.com> <1339655236.2062.5.camel@balmora.brq.redhat.com> <4FD9E1A0.1070109@redhat.com> Message-ID: <1339757642.12383.26.camel@priserak> On Thu, 2012-06-14 at 09:05 -0400, Rob Crittenden wrote: > Martin Kosek wrote: > > On Wed, 2012-06-13 at 18:05 -0400, Rob Crittenden wrote: > >> Martin Kosek wrote: > >>> On Thu, 2012-06-07 at 22:38 -0400, Rob Crittenden wrote: > >>>> Martin Kosek wrote: > >>>>> When invalid data is passed, an unhandled decimal exception could > >>>>> be raised in Decimal number conversion. Handle the exception > >>>>> more gracefully and report proper ipalib.errors.ConversionError. > >>>>> > >>>>> https://fedorahosted.org/freeipa/ticket/2705 > >>>> > >>>> I'm being pedantic but I think the Decimal special values need to be > >>>> handled better. 
Using Infinity returns a rather odd message: > >>>> > >>>> $ ipa dnsrecord-add example.com > >>>> Record name: foo > >>>> Please choose a type of DNS resource record to be added > >>>> The most common types for this type of zone are: A, AAAA > >>>> > >>>> DNS resource record type: LOC > >>>> LOC Degrees Latitude: 90 > >>>> [LOC Minutes Latitude]: 59 > >>>> [LOC Seconds Latitude]: > >>>> 999999999999999999999999999999999999999999999999999999999999999999999 > >>>> >>> LOC Seconds Latitude: quantize result has too many digits for > >>>> current context > >>>> [LOC Seconds Latitude]: Infinity > >>>> >>> LOC Seconds Latitude: quantize with one INF > >>>> > >>>> And using NaN raises an unhandled exception: > >>>> > >>>> [LOC Seconds Latitude]: NaN > >>>> ipa: ERROR: InvalidOperation: comparison involving NaN > >>>> Traceback (most recent call last): > >>>> File "/home/rcrit/redhat/freeipa/ipalib/cli.py", line 1263, in run > >>>> sys.exit(api.Backend.cli.run(argv)) > >>>> File "/home/rcrit/redhat/freeipa/ipalib/cli.py", line 1049, in run > >>>> kw = self.argv_to_keyword_arguments(cmd, argv[1:]) > >>>> File "/home/rcrit/redhat/freeipa/ipalib/cli.py", line 1035, in > >>>> argv_to_keyword_arguments > >>>> self.prompt_interactively(cmd, kw) > >>>> File "/home/rcrit/redhat/freeipa/ipalib/cli.py", line 1199, in > >>>> prompt_interactively > >>>> callback(kw) > >>>> File "/home/rcrit/redhat/freeipa/ipalib/plugins/dns.py", line 2147, > >>>> in interactive_prompt_callback > >>>> user_options = param.prompt_parts(self.Backend) > >>>> File "/home/rcrit/redhat/freeipa/ipalib/plugins/dns.py", line 768, in > >>>> prompt_parts > >>>> self.__get_part_param(backend, part, user_options, default) > >>>> File "/home/rcrit/redhat/freeipa/ipalib/plugins/dns.py", line 747, in > >>>> __get_part_param > >>>> output_kw[name] = part(raw) > >>>> File "/home/rcrit/redhat/freeipa/ipalib/parameters.py", line 556, in > >>>> __call__ > >>>> self.validate(value, supplied=self.name in kw) > >>>> File 
"/home/rcrit/redhat/freeipa/ipalib/parameters.py", line 879, in > >>>> validate > >>>> self._validate_scalar(value) > >>>> File "/home/rcrit/redhat/freeipa/ipalib/parameters.py", line 893, in > >>>> _validate_scalar > >>>> error = rule(ugettext, value) > >>>> File "/home/rcrit/redhat/freeipa/ipalib/parameters.py", line 1244, in > >>>> _rule_minvalue > >>>> if value< self.minvalue: > >>>> File "/usr/lib64/python2.7/decimal.py", line 884, in __lt__ > >>>> ans = self._compare_check_nans(other, context) > >>>> File "/usr/lib64/python2.7/decimal.py", line 786, in _compare_check_nans > >>>> self) > >>>> File "/usr/lib64/python2.7/decimal.py", line 3866, in _raise_error > >>>> raise error(explanation) > >>>> InvalidOperation: comparison involving NaN > >>>> ipa: ERROR: an internal error has occurred > >>>> > >>>> Otherwise it does what it should. > >>>> > >>>> rob > >>> > >>> Thanks for being pedantic, I found out that Decimal number validation > >>> and normalization needs more care, dnsrecord-add would also fail with > >>> values such as "1E4" or "-0". > >>> > >>> Attached patch improves Decimal number validation a lot and adds > >>> optional exponent normalization. I also added missing tests for all > >>> Decimal Parameter attributes. > >>> > >>> Martin > >> > >> Getting some lint errors. Ran out of time to investigate but its strange > >> because AFAICT these are members. > >> > >> ipalib/parameters.py:1266: [E1101, Decimal._enforce_numberclass] > >> Instance of 'Decimal' has no 'numberclass' member > >> ipalib/parameters.py:1271: [E1101, Decimal._enforce_numberclass] > >> Instance of 'Decimal' has no 'numberclass' member > >> ipalib/parameters.py:1288: [E1101, Decimal._remove_exponent] Instance of > >> 'Decimal' has no 'exponential' member > >> > > > > I assume you run this lint: > > > > # ./make-lint ipalib/parameters.py > > > > This produces a lot of false positive lint errors... 
But if you run lint > > for the entire project, my patches will pass: > > > > # git > > apply /home/mkosek/freeipa-mkosek-275-2-decimal-parameter-conversion-and-normalization.patch > > # ./make-lint > > # > > > > That's why 275-2 includes a change for make-lint to not report these new > > attributes: > > diff --git a/make-lint b/make-lint > > index 7ecd59d7e8c5a644f812d4b8987866e7d06236b5..30c5e00c1f0606c75ff1f7fec675ff673a6b87a0 100755 > > --- a/make-lint > > +++ b/make-lint > > @@ -61,7 +61,8 @@ class IPATypeChecker(TypeChecker): > > 'csv', 'csv_separator', 'csv_skipspace'], > > 'ipalib.parameters.Bool': ['truths', 'falsehoods'], > > 'ipalib.parameters.Int': ['minvalue', 'maxvalue'], > > - 'ipalib.parameters.Decimal': ['minvalue', 'maxvalue', 'precision'], > > + 'ipalib.parameters.Decimal': ['minvalue', 'maxvalue', 'precision', > > + 'numberclass', 'exponential'], > > 'ipalib.parameters.Data': ['minlength', 'maxlength', 'length', > > 'pattern', 'pattern_errmsg'], > > 'ipalib.parameters.Enum': ['values'], > > > > > > Bottom line - I do not think there is a lint problem with my patch :-) > > > > Martin > > > > This was output from './make-lint'. It blew up when I was trying to > build the rpms. > > rob Hm, I guess you have a different version of pylint, mine is error-less (I use pylint-0.25.1-1.fc17.noarch). Anyway, I have disabled the false positive pylint errors you reported, it should not hurt and will keep your build clean. Updated patch is attached. Martin -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-275-3-decimal-parameter-conversion-and-normalization.patch Type: text/x-patch Size: 9450 bytes Desc: not available URL: From mkosek at redhat.com Fri Jun 15 13:22:23 2012 
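An added example for the Decimal handling discussed in this thread (not FreeIPA's ipalib.parameters.Decimal and not Martin's attached patch): a Python conversion that turns the inputs seen above (NaN, Infinity, a value with too many digits to quantize, "1E4", "-0") into a clean error instead of the traceback. ConversionError and ValidationError stand in for the ipalib.errors classes; the `exponential` flag, parse_loc_seconds() and its 0 to 59.999 bounds are assumptions made for the illustration.

```python
# Added example, not FreeIPA's ipalib.parameters.Decimal: defensive conversion
# of untrusted text to a Decimal. ConversionError/ValidationError are stand-ins
# for ipalib.errors; parse_loc_seconds() and its bounds are constructed here.
from decimal import Decimal, InvalidOperation


class ConversionError(ValueError):
    """Stand-in for ipalib.errors.ConversionError (hypothetical)."""


class ValidationError(ValueError):
    """Stand-in for ipalib.errors.ValidationError (hypothetical)."""


def remove_exponent(value):
    """Fold the exponent into the coefficient: 1E4 -> 10000, 1.500 -> 1.5, -0 -> 0."""
    if value.is_zero():
        return Decimal(0)                      # also drops the sign of '-0'
    if value == value.to_integral_value():
        return value.quantize(Decimal(1))      # integral: no exponent at all
    return value.normalize()                   # otherwise strip trailing zeros


def convert_decimal(raw, precision=None, exponential=False):
    """Convert input to a finite Decimal or raise ConversionError.

    precision:   number of fractional digits to keep (quantize), or None
    exponential: keep exponent notation; False turns '1E4' into '10000'
    """
    try:
        value = Decimal(str(raw).strip())
    except (InvalidOperation, ValueError):
        raise ConversionError(f"{raw!r} is not a decimal number") from None
    # Reject NaN/sNaN/Infinity before anything else: an ordering comparison
    # with NaN raises InvalidOperation (the traceback in this thread) and
    # quantize() on Infinity fails with "quantize with one INF".
    if not value.is_finite():
        raise ConversionError(f"{raw!r} is not a finite decimal number")
    if precision is not None:
        try:
            value = value.quantize(Decimal(1).scaleb(-precision))
        except InvalidOperation:
            # "quantize result has too many digits for current context"
            raise ConversionError(f"{raw!r} has too many digits") from None
    if not exponential:
        value = remove_exponent(value)
    return value


def validate_range(value, minvalue=None, maxvalue=None):
    """Range check; cannot raise InvalidOperation because value is finite."""
    if minvalue is not None and value < minvalue:
        raise ValidationError(f"must be at least {minvalue}")
    if maxvalue is not None and value > maxvalue:
        raise ValidationError(f"must be at most {maxvalue}")
    return value


def parse_loc_seconds(raw):
    """Constructed LOC 'seconds' part: 3 fractional digits, 0 <= value <= 59.999."""
    value = convert_decimal(raw, precision=3)
    return validate_range(value, minvalue=Decimal(0), maxvalue=Decimal("59.999"))


def outcome(raw):
    """The parsed value, or the name of the error class that was raised."""
    try:
        return parse_loc_seconds(raw)
    except (ConversionError, ValidationError) as err:
        return type(err).__name__


if __name__ == "__main__":
    for raw in ("1E4", "-0", "59.5", "NaN", "Infinity", "9" * 69, "abc", "-1"):
        print(f"{raw[:12]:>12} -> {outcome(raw)}")
```

The order of the checks is the point: special values are rejected right after construction, so every later quantize() and comparison operates on a finite number and the only exceptions left to translate are the "too many digits" case and the range violations.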
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 15 Jun 2012 15:22:23 +0200
Subject: [Freeipa-devel] [DRAFT] Per-domain DNS update permissions
Message-ID: <1339766543.12383.48.camel@priserak>

Hello all,

In the scope of ticket 2511 I would like to implement an ability to delegate DNS update permissions to a chosen user (or host) without having to give the user full "Update DNS Entries" privileges, i.e. allow him to modify any DNS zone or record.

So far, this is what I would like to do (comments welcome):

1) Create new objectclass "idnsManagedZone" with "managedBy" attribute in MAY list
2) Create new DNS commands:
   a] dnszone-add-managedby [--users=USERS] [--hosts=HOSTS]
   b] dnszone-remove-managedby [--users=USERS] [--hosts=HOSTS]
   - these commands would add/remove the chosen user/host DN to the managedBy attribute of the chosen DNS zone
3) Add new generic ACIs to cn=dns,$SUFFIX:
   aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Users and hosts can add DNS entries";allow (add) userattr = "parent[1].managedby#USERDN";)
   ... add similar ACIs for UPDATE, REMOVE access

With these steps done, all that an administrator would need to do to delegate management of a DNS zone "example.com" is to run this command:

$ ipa dnszone-add-managedby example.com --users=fbar

The only downside I found so far is that the user would already need to have "Read DNS Entries" permission assigned, otherwise he would not be able to actually read DNS entries (allow rules can't take precedence over the deny rule we implemented to deny public access to the DNS tree).

An admin could of course create a special privilege and role with just "Read DNS Entries" permission and then assign it to relevant users/groups, but this looks awkward. Any idea to make this simpler? Maybe creating a group "dns readers" by default which would allow such access?

Thanks,
Martin

From simo at redhat.com Fri Jun 15 14:15:14 2012
From: simo at redhat.com (Simo Sorce) Date: Fri, 15 Jun 2012 10:15:14 -0400 Subject: [Freeipa-devel] [DRAFT] Per-domain DNS update permissions In-Reply-To: <1339766543.12383.48.camel@priserak> References: <1339766543.12383.48.camel@priserak> Message-ID: <1339769714.32038.0.camel@willson.li.ssimo.org> On Fri, 2012-06-15 at 15:22 +0200, Martin Kosek wrote: > Hello all, > > In a scope of ticket 2511 I would like to implement an ability to > delegate a DNS update permissions to chosen user (or host) without > having to give the user full "Update DNS Entries" privileges, i.e. allow > him to modify any DNS zone or record. > > So far, this is what I would like to do (comments welcome): > > 1) Create new objectclass "idnsManagedZone" with "managedBy" attribute > in MAY list > 2) Create new DNS commands: > a] dnszone-add-managedby [--users=USERS] [--hosts=HOSTS] > b] dnszone-remove-managedby [--users=USERS] [--hosts=HOSTS] > - these commands would add/remove chosen user/host DN to managedBy > attribute in chosen DNS zone > 3) Add new generic ACIs to cn=dns,$SUFFIX: > aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl > "Users and hosts can add DNS entries";allow (add) userattr = > "parent[1].managedby#USERDN";) > ... add similar ACIs for UPDATE, REMOVE access > > With these steps done, all that an administrator would need to do to > delegate a management of a DNS zone "example.com" is to run this > command: > $ ipa dnszone-add-managedby example.com --users=fbar > > The only downside I found so far is that the user would already need to > have "Read DNS Entries" permission assigned, otherwise he would not be > able to actually read DNS entries (allow rules can't take precedence > over deny rule we implemented to deny public access to DNS tree). > > An admin could of course create a special privilege and role with just > "Read DNS Entries" permission and then assign it to relevant > users/groups, but this looks awkward. Any idea to make this simpler? 
> Maybe creating a group "dns readers" by default which would allow such
> access?

Change the deny rule to deny to everyone except the user in "parent[1].managedby#USERDN" ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From sgallagh at redhat.com Fri Jun 15 19:22:57 2012
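An added example, not FreeIPA code, for Martin's proposal and Simo's follow-up: a small Python model of how 389-ds evaluates ACIs (a matching deny always beats an allow, and without any matching allow access is refused), run over the zone-manager allow rule from the proposal, a deny rule standing in for "deny public access to the DNS tree", and Simo's variant of that deny rule. The suffix, the DNs, the permission membership, the suffix-wide anonymous read allow and the exact wording of the deny rules are constructed for the illustration.

```python
# Added example, not FreeIPA code: a model of 389-ds ACI evaluation over the
# rules discussed in this thread. All DNs, the permission membership and the
# deny-rule wording are constructed; "parent[1].managedby#USERDN" is the
# subject expression from Martin's proposal.
from collections import namedtuple

SUFFIX = "dc=example,dc=com"
DNS = f"cn=dns,{SUFFIX}"
READERS = f"cn=Read DNS Entries,cn=permissions,cn=pbac,{SUFFIX}"
UPDATERS = f"cn=Update DNS Entries,cn=permissions,cn=pbac,{SUFFIX}"
ADMIN = f"uid=admin,cn=users,cn=accounts,{SUFFIX}"
FBAR = f"uid=fbar,cn=users,cn=accounts,{SUFFIX}"
ZONE = f"idnsname=example.com,{DNS}"          # the zone delegated to fbar
WWW = f"idnsname=www,{ZONE}"                  # a record inside that zone
OTHER = f"idnsname=other.test,{DNS}"          # a zone fbar does not manage
OTHER_REC = f"idnsname=mail,{OTHER}"

# constructed directory content: zone entries carry the proposed managedBy
DIRECTORY = {DNS: {}, ZONE: {"managedBy": {FBAR}}, OTHER: {"managedBy": set()}}
# constructed membership of the existing DNS permissions
PERMISSION_MEMBERS = {READERS: {ADMIN}, UPDATERS: {ADMIN}}


def parent(dn):
    """parent[1] of a DN (naive split; the constructed DNs have no escaped commas)."""
    return dn.split(",", 1)[1]


# --- target and subject predicates ---------------------------------------
def anywhere(entry_dn):
    return True

def in_dns_tree(entry_dn):                    # the cn=dns subtree
    return entry_dn == DNS or entry_dn.endswith("," + DNS)

def record_target(entry_dn):                  # target = "ldap:///idnsname=*,cn=dns,$SUFFIX"
    return entry_dn.startswith("idnsname=") and in_dns_tree(entry_dn)

def anyone(entry_dn, user_dn):                # userdn = "ldap:///anyone"
    return True

def member_of(permission):                    # groupdn = permission entry
    return lambda entry_dn, user_dn: user_dn in PERMISSION_MEMBERS[permission]

def managed_by_parent(entry_dn, user_dn):     # userattr = "parent[1].managedby#USERDN"
    return user_dn in DIRECTORY.get(parent(entry_dn), {}).get("managedBy", set())

def not_reader(entry_dn, user_dn):
    return not member_of(READERS)(entry_dn, user_dn)

def neither_reader_nor_manager(entry_dn, user_dn):   # Simo's suggested exception
    return not_reader(entry_dn, user_dn) and not managed_by_parent(entry_dn, user_dn)


Aci = namedtuple("Aci", "name effect rights target subject")
READ = {"read", "search", "compare"}
CHANGE = {"add", "write", "delete"}

BASE = [
    Aci("anonymous read, suffix-wide (modelled default)", "allow", READ, anywhere, anyone),
    Aci("Read DNS Entries permission (existing)", "allow", READ, in_dns_tree, member_of(READERS)),
    Aci("Update DNS Entries permission (existing)", "allow", CHANGE, in_dns_tree, member_of(UPDATERS)),
    Aci("Users and hosts can add/update/remove DNS entries (proposal)", "allow", CHANGE,
        record_target, managed_by_parent),
]
DENY_PUBLIC = Aci("deny public access to DNS tree (modelled)", "deny", READ, in_dns_tree, not_reader)
DENY_SIMO = Aci("deny public access except zone managers (Simo)", "deny", READ, in_dns_tree,
                neither_reader_nor_manager)
CURRENT = BASE + [DENY_PUBLIC]
WITH_SIMO = BASE + [DENY_SIMO]


def allowed(acis, user_dn, entry_dn, right):
    """389-ds semantics: a matching deny always wins; otherwise an allow must match."""
    hits = [a for a in acis
            if right in a.rights and a.target(entry_dn) and a.subject(entry_dn, user_dn)]
    if any(a.effect == "deny" for a in hits):
        return False
    return any(a.effect == "allow" for a in hits)


if __name__ == "__main__":
    for label, acis in (("current deny rule", CURRENT), ("Simo's deny rule", WITH_SIMO)):
        print(label)
        for user, uname in ((FBAR, "fbar"), (ADMIN, "admin")):
            for entry, ename in ((WWW, "www record"), (ZONE, "zone entry"), (OTHER_REC, "other record")):
                print(f"  {uname:5} {ename:13} add={allowed(acis, user, entry, 'add')!s:5} "
                      f"read={allowed(acis, user, entry, 'read')}")
```

Run as-is, the model reproduces the downside Martin describes (fbar may add records under example.com but cannot read them) and shows what Simo's change buys: with the manager exception in the deny rule fbar can read records below his zone while other zones stay hidden. It also shows one detail worth checking in the real ACI: because the exception is phrased in terms of parent[1], the zone entry itself (whose parent is cn=dns) is still denied to its manager.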
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Fri, 15 Jun 2012 15:22:57 -0400
Subject: [Freeipa-devel] Announcing SSSD 1.9.0 beta 2
Message-ID: <1339788177.2727.27.camel@sgallagh520.sgallagh.bos.redhat.com>

The SSSD team is proud to announce the second beta of our upcoming 1.9.0 release.

We have revised our beta plan and will be having five betas instead of three as originally communicated. Originally, the plan was to have our next beta be the final one, at the end of July. We now have the following schedule:

Beta 3 will be released next Friday (Jun 22nd) or the following Monday and contain enhancements necessary to support Kerberos cross-realm trusts with FreeIPA, a server-side piece of which will be released a few days after.

Beta 4 will be released on July 10th and include a new AD provider (wrapping the intricacies of setting up AD, configuring LDAP attributes and Kerberos realm into a simpler set of configuration options)

Beta 5 will be released on July 31st and will contain a new tool for "seeding" accounts with a temporary password for sending machines to remotees as well as introducing a concept of primary vs. secondary servers.

After Beta 5, no new features will be added to SSSD 1.9.0 and we will focus on stability and our backlog of bugfixes until the final release around September 1st. We will most likely issue a series of release candidate builds prior to that, but these have not yet been scheduled.
As always, you can download the latest sources at https://fedorahosted.org/sssd/

== Highlights ==
* Add support for the Kerberos DIR cache for storing multiple TGTs automatically
* Major performance enhancement when storing large groups in the cache
* Major performance enhancement when performing initgroups() against Active Directory
* SSSDConfig data file default locations can now be set during configure for easier packaging

== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/974 [RFE] Support DIR: credential caches for multiple TGT support
https://fedorahosted.org/sssd/ticket/984 RFE: sssd should support Netscape LDAP password expiration controls
https://fedorahosted.org/sssd/ticket/1213 Warn to syslog when dereference requests fail
https://fedorahosted.org/sssd/ticket/1240 sudo: contact data provider only once
https://fedorahosted.org/sssd/ticket/1255 RFE: change the way we deal with fake users
https://fedorahosted.org/sssd/ticket/1256 Document the expectations about ghost users showing in the lookups
https://fedorahosted.org/sssd/ticket/1330 Potential NULL dereference in sss_krb5_read_etypes_for_keytab
https://fedorahosted.org/sssd/ticket/1336 Please only use named parameters in translatable strings
https://fedorahosted.org/sssd/ticket/1337 Minor typos in SSSD messages and man pages
https://fedorahosted.org/sssd/ticket/1346 in-memory cache causes nss to segfault if it cannot be initialized properly
https://fedorahosted.org/sssd/ticket/1367 Optimize AD memberOf lookups with LDAP_MATCHING_RULE_IN_CHAIN

== Detailed Changelog ==
Ariel Barria (3):
* Potential NULL dereference in proxy provider
* Warn to syslog when dereference requests fail
* Clarify how comments work in sssd.conf

Jakub Hrozek (20):
* NSS: keep a pointer to body after body is reallocated
* Use sized_string correctly in FQDN domains
* Use the sysdb attribute name, not LDAP attribute name
* LDAP nested groups: Do not process callback with _post deep in the nested structure
* Send 16bit protocol numbers from the sss_client
* Revert the client packet length, too, after reverting the packet protocol
* Fix the default sssd.conf path
* Fix the 0.11 sysdb upgrade
* sss_names_init: Report correct error code if allocation failed
* Two small krb5_child fixes
* Provide more debugging in krb5_child and ldap_child
* Allow redefining the KRB5_CHILD path
* Split parse_krb5_child_response so it can be reused
* Add a krb5_child test tool
* Residual util functions
* Handle trailing slash in the ccname template
* Add a credential cache back end structure
* Add support for storing credential caches in the DIR: back end
* Use Kerberos context in KRB5_DEBUG
* Make krb5_ccname_template and krb5_ccachedir configurable

Jan Cholasta (3):
* SSH: Update sss_ssh_knownhostsproxy manual page
* SSH: Supress error message output in sss_ssh_knownhostsproxy
* SSH: Don't abort connection in sss_ssh_knownhostsproxy when DNS records are missing

Jan Zeleny (20):
* Fixed two minor memory leaks
* Fixed issue in SELinux user maps
* Ghost members - add the ghost attribute to sysdb
* Ghost members - support in LDAP provider
* Ghost members - support in proxy provider
* Ghost members - modifications in sysdb
* Ghost members - modifications in memberof plugin
* Ghost members - sysdb upgrade routine
* Ghost members - NSS responder changes
* Ghost members - removed sdap_check_aliases()
* Ghost members - modified sss_groupshow
* Ghost members - various small changes
* Add support for filtering atributes
* Utilize attribute exclusion in LDAP initgroups
* Fixed setting of debug level in test suite
* IPA subdomains - ask for information about master domain
* Allow fast memcache timeout to be configurable
* Fix an issue in ghost users
* Provide "service filter" for SELinux context
* Fixed debug message in sdap_save_group()

Joshua Roys (1):
* Simple implementation of Netscape password warning expiration control

Nick Guay (1):
* added DEBUG messages to krb5_child and ldap_child

Stef Walter (1):
* Make re_expression and full_name_format per domain options

Stephen Gallagher (27):
* Bumping version ton 1.8.92 for beta 2 development
* RPM: Allow running 'make rpms' on RHEL 5 machines
* NSS: Expire in-memory netgroup cache before the nowait timeout
* Always use positional arguments in translatable strings
* KRB5: Avoid NULL-dereference with empty keytab
* Update translation sources
* NSS: Fix segfault when mmap cache cannot be initialized
* NSS: Restore original protocol for getservbyport
* SSSDConfig: Make SSSDConfig a package
* SSSDConfig: Make default config and schema file locations configurable
* PAM: Better pam_reply message
* SYSDB: Reduce noise level of debug messages in lookups
* LDAP: Remove redundant check
* LDAP: Fix incorrect switch statement in sdap_get_initgr_done()
* LDAP: Add helper function to get list of a user's groups from sysdb
* LDAP: Make sdap_initgr_common_store() non-static
* LDAP: Add ldap_*_use_matching_rule_in_chain options
* LDAP: Add support for AD chain matching extension in group lookups
* LDAP: Add support for AD chain matching extension in initgroups
* LDAP: Auto-detect support for the ldap match rule
* LDAP: Fix missing variable in debug message
* SSS_CLIENT: Fix uninitialized value error
* Fix compilation on older little-endian systems
* KRB5: Update DEBUG macros for create_ccache_dir and find_ccdir_parent_data
* KRB5: Auto-detect DIR cache support in configure
* KRB5: Avoid shadowing dirname
* Updating translations for 1.9.0 beta 2 release

Sumit Bose (4):
* Rename struct dom_sid to struct sss_dom_sid
* Fix libsss_hbac library version
* sss_idmap: add support for samba struct dom_sid
* sss_idmap: fix typo which prevents sub auth larger then 2^31

Yuri Chornoivan (1):
* Fix typos in message and man pages.

-------------- next part --------------
A non-text attachment was scrubbed...
From sbose at redhat.com Sun Jun 17 19:47:20 2012
From: sbose at redhat.com (Sumit Bose) Date: Sun, 17 Jun 2012 21:47:20 +0200 Subject: [Freeipa-devel] [PATCHES] 22-24 Add initial support for ID ranges In-Reply-To: <20120614122501.GK20850@localhost.localdomain> References: <20120613191726.GI20850@localhost.localdomain> <1339634303.8230.634.camel@willson.li.ssimo.org> <20120614103538.GJ20850@localhost.localdomain> <1339674880.8230.674.camel@willson.li.ssimo.org> <20120614122501.GK20850@localhost.localdomain> Message-ID: <20120617194720.GB29454@localhost.localdomain> On Thu, Jun 14, 2012 at 02:25:01PM +0200, Sumit Bose wrote: > On Thu, Jun 14, 2012 at 07:54:40AM -0400, Simo Sorce wrote: > > On Thu, 2012-06-14 at 12:35 +0200, Sumit Bose wrote: > > > On Wed, Jun 13, 2012 at 08:38:23PM -0400, Simo Sorce wrote: > > > > On Wed, 2012-06-13 at 21:17 +0200, Sumit Bose wrote: > > > > > > > > > > to keep track of the different ranges we use for UIDs/GIDs for local > > > > > users/groups and users from trusted domains new range objects are > > > > > introduced which are stored below cn=range,cn=etc,$SUFFIX. > > > > > > > > > > 0022: LDAP schema update > > > > > > > > ack > > > > > > > > > 0023: Create a range object during installation fir the local ID range > > > > > > > > nack, I think we need to find a way to handle adding at least the base > > > > range on update. Otherwise an updated server won't be able to have IDs > > > > for most of its users. > > > > > > I fully agree, but since we said that we concentrate on update issues in > > > beta2 I wanted to send the version for the fresh install first to allow > > > testing. > > > > The reason I'd like updates is that this patchset can be installed on > > top of existing servers for testing w/o having to reinstall from scratch > > or manually creating the ipaDomainIDRange object :):) > > ok, will do. > > Do you otherwise agree with the patches or is there something I should > change while adding the updates? 
> > bye, > Sumit > > > > > > > > > > > > 0024: add primary and secondary RID base to the local range object > > > > > during ipa-adtrust-install > > > > > > > > Not sure if setting the range belongs in the previous patch or this one. > > > > > > I think it is right here, because a plain IPA server does not need the > > > RID related attributes. > > > > > > > We might decide to ask questions during ipa-adtrust-install if the range > > > > is not available, maybe presenting a set of pre-canned choices if we can > > > > detect them. > > > > > > I agree here, too. But as above I would like to handle update issues > > > in a second round. > > > > > > > > > > > Finally I think we need to do a search with uid/gidNmber < base and > > > > uid/gidNumber > max and prompt/warn the user if we detect any ID the > > > > falls outside the configured range (either because we failed to detect > > > > ranges on upgrade and the user botched the question or because the admin > > > > added arbitrary IDs. > > > > If a warning we should warn that missing a range that suitably covers > > > > these IDs, those users/groups will not be available for the trust. > > > > > > > > Maybe we should also have a simple ipa command that can list all > > > > users/groups that fall outside the ranges as well. > > > > > > I'm working on the ranges cli plugin to allow 'ipa range-add', 'ipa > > > range-find' etc. I can add it there. > > > Hi, this new series of patches add the cli plugin to create the ID ranges manually. I'm still working on a detection of the locally used id range of an upgrade domain in ipa-adtrust-install and an plugin which rejects new ranges which overlaps with existing ones. bye, Sumit -------------- next part -------------- From 6197ddd510ab01ba4de49d1a1c7a66e19e566384 Mon Sep 17 00:00:00 2001 
From: Sumit Bose
Date: Mon, 11 Jun 2012 18:31:36 +0200
Subject: [PATCH 1/4] Extend LDAP schema

The objectclass ipaIDobject can be used to reserve local UIDs, GIDs or SIDs for objects that are neither users nor groups.

The ipa*IDRange objectclasses will be used to store the used Posix ID ranges of the local domains (ipaDomainIDRange) or the ranges reserved for AD domains (ipaTrustedADDomainRange). To be able to map the Posix IDs to a RID and back the corresponding ranges can be saved here as well.
---
 install/share/60basev3.ldif | 8 ++++++++
 1 Datei geändert, 8 Zeilen hinzugefügt(+)

diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif
index 2c24137b0dc39f215ed0e4b97079ffce0ec630d3..03561d13f45768006eb22e3dc00f41f35944dc56 100644
--- a/install/share/60basev3.ldif
+++ b/install/share/60basev3.ldif
@@ -29,6 +29,10 @@ attributeTypes: ( 2.16.840.1.113730.3.8.11.21 NAME 'ipaAllowToImpersonate' DESC attributeTypes: ( 2.16.840.1.113730.3.8.11.22 NAME 'ipaAllowedTarget' DESC 'Target principals alowed to get a ticket for' SUP distinguishedName X-ORIGIN 'IPA-v3') attributeTypes: (2.16.840.1.113730.3.8.11.30 NAME 'ipaSELinuxUser' DESC 'An SELinux user' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3') attributeTypes: (2.16.840.1.113730.3.8.11.31 NAME 'ipaSshPubKey' DESC 'SSH public key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v3' ) +attributeTypes: (2.16.840.1.113730.3.8.11.33 NAME 'ipaBaseID' DESC 'First value of a Posix ID range' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' ) +attributeTypes: (2.16.840.1.113730.3.8.11.34 NAME 'ipaIDRangeSize' DESC 'Size of a Posix ID range' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' ) +attributeTypes: (2.16.840.1.113730.3.8.11.35 NAME 'ipaBaseRID' DESC 'First value of a RID range' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' ) +attributeTypes: (2.16.840.1.113730.3.8.11.36 NAME 'ipaSecondaryBaseRID' DESC 'First value of a secondary RID range' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup' SUP top STRUCTURAL MUST ( cn ) MAY ( ipaExternalMember $ memberOf $ description $ owner) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.2 NAME 'ipaNTUserAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) MAY ( ipaNTHash $ ipaNTLogonScript $ ipaNTProfilePath $ ipaNTHomeDirectory $ ipaNTHomeDirectoryDrive ) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.3 NAME 
'ipaNTGroupAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' ) @@ -40,3 +44,7 @@ objectClasses: (2.16.840.1.113730.3.8.12.10 NAME 'ipaSELinuxUserMap' SUP ipaAsso objectClasses: (2.16.840.1.113730.3.8.12.11 NAME 'ipaSshGroupOfPubKeys' ABSTRACT MAY ipaSshPubKey X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.12 NAME 'ipaSshUser' SUP ipaSshGroupOfPubKeys AUXILIARY X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.13 NAME 'ipaSshHost' SUP ipaSshGroupOfPubKeys AUXILIARY X-ORIGIN 'IPA v3' ) +objectClasses: (2.16.840.1.113730.3.8.12.14 NAME 'ipaIDobject' SUP top AUXILIARY MAY ( uidNumber $ gidNumber $ ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' ) +objectClasses: (2.16.840.1.113730.3.8.12.15 NAME 'ipaIDrange' ABSTRACT MUST ( cn $ ipaBaseID $ ipaIDRangeSize ) X-ORIGIN 'IPA v3' ) +objectClasses: (2.16.840.1.113730.3.8.12.16 NAME 'ipaDomainIDRange' SUP ipaIDrange STRUCTURAL MAY ( ipaBaseRID $ ipaSecondaryBaseRID ) X-ORIGIN 'IPA v3' ) +objectClasses: (2.16.840.1.113730.3.8.12.17 NAME 'ipaTrustedADDomainRange' SUP ipaIDrange STRUCTURAL MUST ( ipaBaseRID $ ipaNTTrustedDomainSID ) X-ORIGIN 'IPA v3' )
-- 1.7.10.2

-------------- next part --------------
From 32514788013faf7f35171c4addec42998c08ae03 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Tue, 12 Jun 2012 11:58:41 +0200
Subject: [PATCH 2/4] Add objects for initial ID range

---
 install/share/bootstrap-template.ldif | 14 ++++++++++++++
 install/updates/62-ranges.update | 13 +++++++++++++
 install/updates/Makefile.am | 1 +
 ipaserver/install/dsinstance.py | 1 +
 4 files changed, 29 insertions(+)
 create mode 100644 install/updates/62-ranges.update

diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index 149b6c9b29c6fd363eb7baccd9648d49c260ff85..ca74bf6fade5f4e0591ee511f96cc3d58542887d 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -409,3 +409,17 @@ objectClass: top objectClass: nsContainer cn: usermap +dn: cn=ranges,cn=etc,$SUFFIX +changetype: add +objectClass: top +objectClass: nsContainer +cn: ranges + +dn: cn=local_id_range,cn=ranges,cn=etc,$SUFFIX +changetype: add +objectClass: top +objectClass: ipaIDrange +objectClass: ipaDomainIDRange +cn: local_id_range +ipaBaseID: $IDSTART +ipaIDRangeSize: $IDRANGE_SIZE diff --git a/install/updates/62-ranges.update b/install/updates/62-ranges.update new file mode 100644 index 0000000000000000000000000000000000000000..42c1e2a98b8b64164ae9ae0292aa7b91beac2b26 --- /dev/null +++ b/install/updates/62-ranges.update 
@@ -0,0 +1,13 @@ +dn: cn=schema +add:attributeTypes: (2.16.840.1.113730.3.8.11.33 NAME 'ipaBaseID' DESC 'First value of a Posix ID range' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' ) +add:attributeTypes: (2.16.840.1.113730.3.8.11.34 NAME 'ipaIDRangeSize' DESC 'Size of a Posix ID range' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' ) +add:attributeTypes: (2.16.840.1.113730.3.8.11.35 NAME 'ipaBaseRID' DESC 'First value of a RID range' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' ) +add:attributeTypes: (2.16.840.1.113730.3.8.11.36 NAME 'ipaSecondaryBaseRID' DESC 'First value of a secondary RID range' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' ) +add:objectClasses: (2.16.840.1.113730.3.8.12.15 NAME 'ipaIDrange' ABSTRACT MUST ( cn $$ ipaBaseID $$ ipaIDRangeSize ) X-ORIGIN 'IPA v3' ) +add:objectClasses: (2.16.840.1.113730.3.8.12.16 NAME 'ipaDomainIDRange' SUP ipaIDrange STRUCTURAL MAY ( ipaBaseRID $$ ipaSecondaryBaseRID ) X-ORIGIN 'IPA v3' ) +add:objectClasses: (2.16.840.1.113730.3.8.12.17 NAME 'ipaTrustedADDomainRange' SUP ipaIDrange STRUCTURAL MUST ( ipaBaseRID $$ ipaNTTrustedDomainSID ) X-ORIGIN 'IPA v3' ) + +dn: cn=ranges,cn=etc,$SUFFIX +default: obectClass: top +default: objectClass: nsContainer +default: cn: ranges diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am index 412630e4e6d13167e2c0ae17c54f8ad84a4797fa..e45690f14c41dbd9eb10b5969ee14a257b8c7883 100644 --- a/install/updates/Makefile.am +++ b/install/updates/Makefile.am @@ -35,6 +35,7 @@ app_DATA = \ 55-pbacmemberof.update \ 60-trusts.update \ 61-trusts-s4u2proxy.update \ + 62-ranges.update \ $(NULL) EXTRA_DIST = \ 
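Review bot: `default: obectClass: top` in the cn=ranges,cn=etc,$SUFFIX stanza of 62-ranges.update misspells objectClass, so on an upgraded server the updater will try to add the container with an undefined attribute type and the add fails; it should read `default: objectClass: top`. Two more points in the same file. First, it re-adds ipaBaseID, ipaIDRangeSize, ipaBaseRID, ipaSecondaryBaseRID and the three ipa*IDRange object classes but not ipaIDobject (2.16.840.1.113730.3.8.12.14), which 60basev3.ldif adds in patch 1, so upgraded servers end up without that class. Second, ipaBaseID and ipaIDRangeSize are declared with EQUALITY integerMatch only, while ipaBaseRID and ipaSecondaryBaseRID also carry ORDERING integerOrderingMatch; the overlap check announced in the cover mail will need >= and <= filters on ipaBaseID, so add ORDERING integerOrderingMatch to both attributes here and in 60basev3.ldif now, before the OIDs ship.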
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index fb620a82e0d432d50e6c40ab8a7053ced153965a..93c6b50c274506949d1cdb81ad952141de10dab1 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -313,6 +313,7 @@ class DsInstance(service.Service): IDMAX=self.idmax, HOST=self.fqdn, ESCAPED_SUFFIX= escape_dn_chars(self.suffix.lower()), GROUP=DS_GROUP, + IDRANGE_SIZE=self.idmax-self.idstart+1 ) def __create_ds_user(self):
-- 1.7.10.2

-------------- next part --------------
From 7f47d74f825cd7ad05b741cec550deab474e3ddb Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Tue, 12 Jun 2012 17:53:36 +0200
Subject: [PATCH 3/4] Set RID bases for local domain during ipa-adtrust-install

---
 install/tools/ipa-adtrust-install | 9 ++++++-
 ipaserver/install/adtrustinstance.py | 48 +++++++++++++++++++++++++++++++++-
 2 files changed, 55 insertions(+), 2 deletions(-)

diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index c0b477102462e128400436f52d2f78b092f5272d..c104b5113c16acec09d88a665f56bbb10ede4ed1 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -48,6 +48,12 @@ def parse_options(): parser.add_option("--no-msdcs", dest="no_msdcs", action="store_true", default=False, help="Do not create DNS service records " \ "for Windows in managed DNS server") + parser.add_option("--rid-base", dest="rid_base", type=int, default=1000, + help="Start value for mapping UIDs and GIDs to RIDs") + parser.add_option("--secondary-rid-base", dest="secondary_rid_base", + type=int, default=100000000, + help="Start value of the secondary range for mapping " \ + "UIDs and GIDs to RIDs") parser.add_option("-U", "--unattended", dest="unattended", action="store_true", default=False, help="unattended installation never prompts the user")
@@ -207,7 +213,8 @@ def main(): api.Backend.ldap2.connect(ccache) smb.setup(api.env.host, ip_address, api.env.realm, api.env.domain, - netbios_name, options.no_msdcs) + netbios_name, options.rid_base, options.secondary_rid_base, + options.no_msdcs) smb.create_instance() print "==============================================================================" diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py index 0e9e9ef245a0897dfee9bcb0940d0de35c1bfd61..43a2790831c9e941380c9ce705cc5dc441b4538b 100644 --- a/ipaserver/install/adtrustinstance.py +++ b/ipaserver/install/adtrustinstance.py @@ -114,6 +114,8 @@ class ADTRUSTInstance(service.Service): self.cifs_principal = None self.cifs_agent = None self.selinux_booleans = None + self.rid_base = None + self.secondary_rid_base = None service.Service.__init__(self, "smb", dm_password=dm_password) 
@@ -174,6 +176,47 @@ class ADTRUSTInstance(service.Service): except: print "Failed to modify IPA admin group object" + def __add_rid_bases(self): + """ + Add RID bases to the range object for the local ID range. + + TODO: handle missing or multiple ranges more gracefully. + """ + + try: + res = self.admin_conn.search_s("cn=ranges,cn=etc,"+self.suffix, + ldap.SCOPE_ONELEVEL, + "(objectclass=ipaDomainIDRange)") + if len(res) != 1: + root_logger.critical("Found more than one ID range for the " \ + "local domain.") + raise RuntimeError("Too many ID ranges\n") + + if res[0].getValue('ipaBaseRID') or \ + res[0].getValue('ipaSecondaryBaseRID'): + print "RID bases already set, nothing to do" + return + + size = res[0].getValue('ipaIDRangeSize') + if abs(self.rid_base - self.secondary_rid_base) > size: + print "Primary and secondary RID base are too close. " \ + "They have to differ at least by %d." % size + raise RuntimeError("RID bases too close.\n") + + try: + self.admin_conn.modify_s(res[0].dn, + [(ldap.MOD_ADD, "ipaBaseRID", \ + str(self.rid_base)), \ + (ldap.MOD_ADD, "ipaSecondaryBaseRID", \ + str(self.secondary_rid_base))]) + except: + print "Failed to add RID bases to the local range object" + + except errors.NotFound as e: + root_logger.critical("ID range of the local domain not found, " \ + "define it and run again.") + raise e + def __create_samba_domain_object(self): try: @@ -402,12 +445,14 @@ class ADTRUSTInstance(service.Service): FQDN = self.fqdn) def setup(self, fqdn, ip_address, realm_name, domain_name, netbios_name, - no_msdcs=False, smbd_user="samba"): + rid_base, secondary_rid_base, no_msdcs=False, smbd_user="samba"): self.fqdn = fqdn self.ip_address = ip_address self.realm_name = realm_name self.domain_name = domain_name self.netbios_name = netbios_name + self.rid_base = rid_base + self.secondary_rid_base = secondary_rid_base self.no_msdcs = no_msdcs self.smbd_user = smbd_user self.suffix = ipautil.realm_to_suffix(self.realm_name) 
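Review bot: the distance check in __add_rid_bases is inverted and, as written, can never fire: getValue('ipaIDRangeSize') returns a string, so `abs(self.rid_base - self.secondary_rid_base) > size` compares an int with a str (always False in Python 2) and the `%d` in the message would raise TypeError if it were ever reached; the intended condition is that the two bases lie at least `size` apart, so raise when the distance is smaller, i.e. `size = int(res[0].getValue('ipaIDRangeSize'))` and `if abs(self.rid_base - self.secondary_rid_base) < size:`. Otherwise the primary and secondary RID ranges can overlap and two Posix IDs map to the same RID. Also in this hunk: the inner `except:` around modify_s only prints "Failed to add RID bases to the local range object" and lets the installation continue with no RID bases stored, so re-raise there; and if search_s returns an empty list rather than raising NotFound, the `len(res) != 1` branch also fires for zero ranges while logging "Found more than one ID range", so distinguish the two cases in the message.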
@@ -440,6 +485,7 @@ class ADTRUSTInstance(service.Service): self.step("writing samba config file", self.__write_smb_conf) self.step("adding cifs Kerberos principal", self.__setup_principal) self.step("adding admin(group) SIDs", self.__add_admin_sids) + self.step("adding RID bases", self.__add_rid_bases) self.step("activating CLDAP plugin", self.__add_cldap_module) self.step("activating extdom plugin", self.__add_extdom_module) self.step("configuring smbd to start on boot", self.__enable)
-- 1.7.10.2

-------------- next part --------------
From 9932893aa3ca94691473e8d8ad30121bc78f982f Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Wed, 13 Jun 2012 20:58:54 +0200
Subject: [PATCH 4/4] Add CLI for ID ranges

---
 API.txt | 52 +++++++++++++++++++
 ipalib/constants.py | 1 +
 ipalib/plugins/range.py | 126 +++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 179 insertions(+)
 create mode 100644 ipalib/plugins/range.py

diff --git a/API.txt b/API.txt
index 8127b90b91415d165590845f0ba1b6d94dab28aa..fef1475c3beaf083cfac50759205de4c425ebd95 100644
--- a/API.txt
+++ b/API.txt
@@ -2340,6 +2340,58 @@ option: Str('version?', exclude='webui') output: Output('summary', (, ), None) output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('value', , None) +command: range_add +args: 1,10,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, required=True) +option: Int('ipabaseid', attribute=True, cli_name='base_id', multivalue=False, required=True) +option: Int('ipaidrangesize', attribute=True, cli_name='range_size', multivalue=False, required=True) +option: Int('ipabaserid', attribute=True, cli_name='rid_base', multivalue=False, required=True) +option: Int('ipasecondarybaserid', attribute=True, cli_name='secondary_rid_base', multivalue=False, required=False) +option: Str('ipanttrusteddomainsid', attribute=True, cli_name='dom_sid', multivalue=False, required=False) +option: Str('setattr*', cli_name='setattr', exclude='webui') +option: Str('addattr*', cli_name='addattr', exclude='webui') +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('version?', exclude='webui') +output: Output('summary', (, ), None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('value', , None) +command: range_del +args: 1,1,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=True, primary_key=True, query=True, required=True) +option: Flag('continue', autofill=True, cli_name='continue', default=False) +output: Output('summary', (, ), None) +output: Output('result', , None) +output: Output('value', , None) +command: range_find +args: 1,12,4 +arg: Str('criteria?', noextrawhitespace=False) +option: Str('cn', attribute=True, autofill=False, cli_name='name', multivalue=False, primary_key=True, query=True, required=False) +option: Int('ipabaseid', attribute=True, 
autofill=False, cli_name='base_id', multivalue=False, query=True, required=False) +option: Int('ipaidrangesize', attribute=True, autofill=False, cli_name='range_size', multivalue=False, query=True, required=False) +option: Int('ipabaserid', attribute=True, autofill=False, cli_name='rid_base', multivalue=False, query=True, required=False) +option: Int('ipasecondarybaserid', attribute=True, autofill=False, cli_name='secondary_rid_base', multivalue=False, query=True, required=False) +option: Str('ipanttrusteddomainsid', attribute=True, autofill=False, cli_name='dom_sid', multivalue=False, query=True, required=False) +option: Int('timelimit?', autofill=False, minvalue=0) +option: Int('sizelimit?', autofill=False, minvalue=0) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('version?', exclude='webui') +option: Flag('pkey_only?', autofill=True, default=False) +output: Output('summary', (, ), None) +output: ListOfEntries('result', (, ), Gettext('A list of LDAP entries', domain='ipa', localedir=None)) +output: Output('count', , None) +output: Output('truncated', , None) +command: range_show +args: 1,4,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('rights', autofill=True, default=False) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('version?', exclude='webui') +output: Output('summary', (, ), None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('value', , None) command: role_add args: 1,6,3 arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, required=True) 
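Review bot: range_add declares `Int('ipabaserid', ..., required=True)`, so the CLI cannot create a local range without a RID base even though patch 1 puts ipaBaseRID in the MAY list of ipaDomainIDRange and the cover discussion says a plain IPA server does not need the RID-related attributes; make it `ipabaserid?` and require it only when ipanttrusteddomainsid is given. Two smaller points in the same hunk: there is no range_mod command, so a mistyped range can only be deleted and re-added, and range_del is a bare LDAPDelete that removes a range without checking whether any user or group currently holds an ID inside it, which silently breaks the ID-to-SID mapping for those objects once the trust is in place.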
diff --git a/ipalib/constants.py b/ipalib/constants.py index 8f87a18eef80e9824203aedf50e29e9819ae7c18..c4ba32007f74f0b8ccc6c8c518587dbf76530217 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -104,6 +104,7 @@ DEFAULT_CONFIG = ( ('container_cifsdomains', 'cn=ad,cn=etc'), ('container_trusts', 'cn=trusts'), ('container_adtrusts', 'cn=ad,cn=trusts'), + ('container_ranges', 'cn=ranges,cn=etc'), # Ports, hosts, and URIs: # FIXME: let's renamed xmlrpc_uri to rpc_xml_uri diff --git a/ipalib/plugins/range.py b/ipalib/plugins/range.py new file mode 100644 index 0000000000000000000000000000000000000000..37482b09a6517e3b129249c9937621da17232c8c --- /dev/null +++ b/ipalib/plugins/range.py 
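Review bot: in the ipalib/plugins/range.py hunk below, range_add.pre_callback only verifies that a local range carries a secondary RID base; it does not check that the new range overlaps no existing range (the cover mail defers this to a separate plugin, but until that lands `ipa range-add` lets an admin create overlapping ranges), that ipaidrangesize is positive, or that dom_sid is a well-formed SID. It also lets `--secondary_rid_base` through for a trusted-domain range although ipaTrustedADDomainRange does not allow ipaSecondaryBaseRID, so the user gets an object class violation from the server instead of a validation error. Minor: `range_time = ('domain', 'ad', 'ipa')` is unused; `object_name = ('range')` and `object_name_plural = ('ranges')` are plain strings rather than the `_()`-wrapped names other plugins use; msg_summary has "rangess"; the range_find comment claims range types live in separate containers under cn=ranges,cn=etc, which contradicts both the one-level scope it sets and bootstrap-template.ldif, where local_id_range is added directly under cn=ranges; range_show.pre_callback is a no-op; and Password, DefaultFrom, Enum, Command, ipautil and util are imported but never used.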
@@ -0,0 +1,126 @@ +# Authors: +# Sumit Bose +# +# Copyright (C) 2012 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +from ipalib.plugins.baseldap import * +from ipalib import api, Str, Password, DefaultFrom, _, ngettext, Object +from ipalib.parameters import Enum +from ipalib import Command +from ipalib import errors +from ipapython import ipautil +from ipalib import util + + +__doc__ = _(""" +Manage ID ranges +""") + +class range(LDAPObject): + """ + Range object. 
+ """ + + range_time = ('domain', 'ad', 'ipa') + container_dn = api.env.container_ranges + object_name = ('range') + object_name_plural = ('ranges') + object_class = ['ipaIDrange'] + possible_objectclasses = ['ipadomainidrange', 'ipatrustedaddomainrange'] + default_attributes = ['cn', 'ipabaseid', 'ipaidrangesize', 'ipabaserid', + 'ipasecondarybaserid', 'ipanttrusteddomainsid'] + + label = _('Ranges') + label_singular = _('Range') + + takes_params = ( + Str('cn', + cli_name='name', + label=_('Range name'), + primary_key=True, + ), + Int('ipabaseid', + cli_name='base_id', + label=_("First Posix ID of the range"), + ), + Int('ipaidrangesize', + cli_name='range_size', + label=_("Number of IDs in the range"), + ), + Int('ipabaserid', + cli_name='rid_base', + label=_('First RID of the corresponding RID range'), + ), + Int('ipasecondarybaserid?', + cli_name='secondary_rid_base', + label=_('First RID of the secondary RID range'), + ), + Str('ipanttrusteddomainsid?', + cli_name='dom_sid', + label=_('Domain SID of the trusted domain'), + ), + ) + +class range_add(LDAPCreate): + __doc__ = _('Add new ID range.') + + msg_summary = _('Added ID range "%(value)s"') + + def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + if 'ipanttrusteddomainsid' not in options and \ + 'ipasecondarybaserid' not in options: + raise errors.ValidationError(name=_('Range setup'), + reason=_('Ranges for local domain ' \ + 'must have a secondary RID base')) + + if 'ipanttrusteddomainsid' in options: + entry_attrs['objectclass'].append('ipatrustedaddomainrange') + else: + entry_attrs['objectclass'].append('ipadomainidrange') + + return dn + +class range_del(LDAPDelete): + __doc__ = _('Delete an ID range.') + + msg_summary = _('Deleted ID range "%(value)s"') + +class range_find(LDAPSearch): + __doc__ = _('Search for ranges.') + + msg_summary = ngettext( + '%(count)d range matched', '%(count)d rangess matched', 0 + ) + + # Since all range types are stored within separate 
containers under + # 'cn=ranges,cn=etc' search can be done on a one-level scope + def pre_callback(self, ldap, filters, attrs_list, base_dn, scope, *args, **options): + return (filters, base_dn, ldap.SCOPE_ONELEVEL) + +class range_show(LDAPRetrieve): + __doc__ = _('Display information about a range.') + + def pre_callback(self, ldap, dn, entry_attrs, *keys, **options): + return dn + +api.register(range) +api.register(range_add) +#api.register(range_mod) +api.register(range_del) +api.register(range_find) +api.register(range_show) + -- 1.7.10.2 From mkosek at redhat.com Mon Jun 18 06:29:29 2012 
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 18 Jun 2012 08:29:29 +0200
Subject: [Freeipa-devel] [DRAFT] Per-domain DNS update permissions
In-Reply-To: <1339769714.32038.0.camel@willson.li.ssimo.org>
References: <1339766543.12383.48.camel@priserak> <1339769714.32038.0.camel@willson.li.ssimo.org>
Message-ID: <1340000969.7024.2.camel@balmora.brq.redhat.com>

On Fri, 2012-06-15 at 10:15 -0400, Simo Sorce wrote:
> On Fri, 2012-06-15 at 15:22 +0200, Martin Kosek wrote:
> > Hello all,
> >
> > In the scope of ticket 2511 I would like to implement an ability to delegate DNS update permissions to a chosen user (or host) without having to give the user full "Update DNS Entries" privileges, i.e. allow him to modify any DNS zone or record.
> >
> > So far, this is what I would like to do (comments welcome):
> >
> > 1) Create new objectclass "idnsManagedZone" with "managedBy" attribute in MAY list
> > 2) Create new DNS commands:
> >    a] dnszone-add-managedby [--users=USERS] [--hosts=HOSTS]
> >    b] dnszone-remove-managedby [--users=USERS] [--hosts=HOSTS]
> >    - these commands would add/remove chosen user/host DN to managedBy attribute in chosen DNS zone
> > 3) Add new generic ACIs to cn=dns,$SUFFIX:
> >    aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Users and hosts can add DNS entries";allow (add) userattr = "parent[1].managedby#USERDN";)
> >    ... add similar ACIs for UPDATE, REMOVE access
> >
> > With these steps done, all that an administrator would need to do to delegate management of a DNS zone "example.com" is to run this command:
> > $ ipa dnszone-add-managedby example.com --users=fbar
> >
> > The only downside I found so far is that the user would already need to have "Read DNS Entries" permission assigned, otherwise he would not be able to actually read DNS entries (allow rules can't take precedence over the deny rule we implemented to deny public access to DNS tree).
> >
> > An admin could of course create a special privilege and role with just "Read DNS Entries" permission and then assign it to relevant users/groups, but this looks awkward. Any idea to make this simpler? Maybe creating a group "dns readers" by default which would allow such access?
>
> Change the deny rule to deny to everyone except the user in "parent[1].managedby#USERDN" ?
>
> Simo.
>

Good idea, I will do that. I will just use "parent[0,1].managedby#USERDN" so that the user can also read the zone record. This way, a selected user will have read/write access to the chosen zone only, which is exactly what we want to achieve.

Martin

From mkosek at redhat.com Mon Jun 18 11:04:28 2012
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 18 Jun 2012 13:04:28 +0200
Subject: [Freeipa-devel] [PATCH] 1026 increase header limit
In-Reply-To: <4FDA05B3.9000001@redhat.com>
References: <4FDA05B3.9000001@redhat.com>
Message-ID: <1340017468.7024.3.camel@balmora.brq.redhat.com>

On Thu, 2012-06-14 at 11:39 -0400, Rob Crittenden wrote:
> Increase the request header limit to accommodate a 64KiB PAC.
>
> It's hard to test this outside of trust but you can do a reverse test to be sure this is doing anything by setting the limit to 10. You should get a 400 error back.
>
> And I guess check for regressions. All tests are passing for me.
>
> rob

ACK, no regression found. Pushed to master.

Martin

From james.hogarth at gmail.com Mon Jun 18 12:56:54 2012
From: james.hogarth at gmail.com (James Hogarth)
Date: Mon, 18 Jun 2012 13:56:54 +0100
Subject: [Freeipa-devel] Wiki account request
Message-ID:

Hi,

I just finished implementing name based virtual hosts with SSL (via SNI) and individual keytabs for authentication.... with IPA handling the certificates (via dogtag/certmonger).

It was suggested on IRC this might be useful to add to the wiki.

Please could an account be created so that I can write up template apache configs and step by step details?

Thanks,
James

From rcritten at redhat.com Mon Jun 18 13:23:03 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 18 Jun 2012 09:23:03 -0400
Subject: [Freeipa-devel] Wiki account request
In-Reply-To:
References:
Message-ID: <4FDF2BB7.4040108@redhat.com>

James Hogarth wrote:
> Hi,
>
> I just finished implementing name based virtual hosts with SSL (via SNI) and individual keytabs for authentication.... with IPA handling the certificates (via dogtag/certmonger).
>
> It was suggested on IRC this might be useful to add to the wiki.
>
> Please could an account be created so that I can write up template apache configs and step by step details?
>
> Thanks,

Done

rob

From sgallagh at redhat.com Mon Jun 18 14:12:59 2012
From: sgallagh at redhat.com (Stephen Gallagher) Date: Mon, 18 Jun 2012 10:12:59 -0400 Subject: [Freeipa-devel] [SSSD] Announcing SSSD 1.9.0 beta 2 In-Reply-To: <1339788177.2727.27.camel@sgallagh520.sgallagh.bos.redhat.com> References: <1339788177.2727.27.camel@sgallagh520.sgallagh.bos.redhat.com> Message-ID: <1340028779.2513.20.camel@sgallagh520.sgallagh.bos.redhat.com> Ok, I have a bit of egg on my face here. I accidentally pushed a patch related to the Kerberos DIR cache support that had a debugging "#if 0" left in it. Because of this, DIR cache support is actually non-functional in 1.9.0 beta 2. I'm attaching a patch to fix this to this email (already pushed upstream) so anyone who wants to build beta 2 to try out the DIR cache support must apply this patch for it to work. We decided not to reroll the beta for this one patch, since beta 3 is being released on Friday anyway. On Fri, 2012-06-15 at 15:22 -0400, Stephen Gallagher wrote: > The SSSD team is proud to announce the second beta of our upcoming 1.9.0 > release. We have revised our beta plan and will be having five betas > instead of three as originally communicated. Originally, the plan was to > have our next beta be the final one, at the end of July. We now have the > following schedule: > > Beta 3 will be released next Friday (Jun 22nd) or the following Monday > and contain enhancements necessary to support Kerberos cross-realm > trusts with FreeIPA, a server-side piece of which will be released a few > days after. > > Beta 4 will be released on July 10th and include a new AD provider > (wrapping the intricacies of setting up AD, configuring LDAP attributes > and Kerberos realm into a simpler set of configuration options) > > Beta 5 will be released on July 31st and will contain a new tool for > "seeding" accounts with a temporary password for sending machines to > remotees as well as introducing a concept of primary vs. secondary > servers. 
> > After Beta 5, no new features will be added to SSSD 1.9.0 and we will > focus on stability and our backlog of bugfixes until the final release > around September 1st. We will most likely issue a series of release > candidate builds prior to that, but these have not yet been scheduled. > > As always, you can download the latest sources at > https://fedorahosted.org/sssd/ > > > == Highlights == > * Add support for the Kerberos DIR cache for storing multiple TGTs > automatically > * Major performance enhancement when storing large groups in the cache > * Major performance enhancement when performing initgroups() against > Active Directory > * SSSDConfig data file default locations can now be set during > configure for easier packaging > > == Tickets Fixed == > https://fedorahosted.org/sssd/ticket/974 > [RFE] Support DIR: credential caches for multiple TGT support > > https://fedorahosted.org/sssd/ticket/984 > RFE: sssd should support Netscape LDAP password expiration controls > > https://fedorahosted.org/sssd/ticket/1213 > Warn to syslog when dereference requests fail > > https://fedorahosted.org/sssd/ticket/1240 > sudo: contact data provider only once > > https://fedorahosted.org/sssd/ticket/1255 > RFE: change the way we deal with fake users > > https://fedorahosted.org/sssd/ticket/1256 > Document the expectations about ghost users showing in the lookups > > https://fedorahosted.org/sssd/ticket/1330 > Potential NULL dereference in sss_krb5_read_etypes_for_keytab > > https://fedorahosted.org/sssd/ticket/1336 > Please only use named parameters in translatable strings > > https://fedorahosted.org/sssd/ticket/1337 > Minor typos in SSSD messages and man pages > > https://fedorahosted.org/sssd/ticket/1346 > in-memory cache causes nss to segfault if it cannot be initialized > properly > > https://fedorahosted.org/sssd/ticket/1367 > Optimize AD memberOf lookups with LDAP_MATCHING_RULE_IN_CHAIN > > == Detailed Changelog == > Ariel Barria (3): > * Potential NULL 
dereference in proxy provider > * Warn to syslog when dereference requests fail > * Clarify how comments work in sssd.conf > > Jakub Hrozek (20): > * NSS: keep a pointer to body after body is reallocated > * Use sized_string correctly in FQDN domains > * Use the sysdb attribute name, not LDAP attribute name > * LDAP nested groups: Do not process callback with _post deep in the > nested structure > * Send 16bit protocol numbers from the sss_client > * Revert the client packet length, too, after reverting the packet > protocol > * Fix the default sssd.conf path > * Fix the 0.11 sysdb upgrade > * sss_names_init: Report correct error code if allocation failed > * Two small krb5_child fixes > * Provide more debugging in krb5_child and ldap_child > * Allow redefining the KRB5_CHILD path > * Split parse_krb5_child_response so it can be reused > * Add a krb5_child test tool > * Residual util functions > * Handle trailing slash in the ccname template > * Add a credential cache back end structure > * Add support for storing credential caches in the DIR: back end > * Use Kerberos context in KRB5_DEBUG > * Make krb5_ccname_template and krb5_ccachedir configurable > > Jan Cholasta (3): > * SSH: Update sss_ssh_knownhostsproxy manual page > * SSH: Supress error message output in sss_ssh_knownhostsproxy > * SSH: Don't abort connection in sss_ssh_knownhostsproxy when DNS > records are missing > > Jan Zeleny (20): > * Fixed two minor memory leaks > * Fixed issue in SELinux user maps > * Ghost members - add the ghost attribute to sysdb > * Ghost members - support in LDAP provider > * Ghost members - support in proxy provider > * Ghost members - modifications in sysdb > * Ghost members - modifications in memberof plugin > * Ghost members - sysdb upgrade routine > * Ghost members - NSS responder changes > * Ghost members - removed sdap_check_aliases() > * Ghost members - modified sss_groupshow > * Ghost members - various small changes > * Add support for filtering atributes > * Utilize 
attribute exclusion in LDAP initgroups
> * Fixed setting of debug level in test suite
> * IPA subdomains - ask for information about master domain
> * Allow fast memcache timeout to be configurable
> * Fix an issue in ghost users
> * Provide "service filter" for SELinux context
> * Fixed debug message in sdap_save_group()
>
> Joshua Roys (1):
> * Simple implementation of Netscape password warning expiration control
>
> Nick Guay (1):
> * added DEBUG messages to krb5_child and ldap_child
>
> Stef Walter (1):
> * Make re_expression and full_name_format per domain options
>
> Stephen Gallagher (27):
> * Bumping version to 1.8.92 for beta 2 development
> * RPM: Allow running 'make rpms' on RHEL 5 machines
> * NSS: Expire in-memory netgroup cache before the nowait timeout
> * Always use positional arguments in translatable strings
> * KRB5: Avoid NULL-dereference with empty keytab
> * Update translation sources
> * NSS: Fix segfault when mmap cache cannot be initialized
> * NSS: Restore original protocol for getservbyport
> * SSSDConfig: Make SSSDConfig a package
> * SSSDConfig: Make default config and schema file locations configurable
> * PAM: Better pam_reply message
> * SYSDB: Reduce noise level of debug messages in lookups
> * LDAP: Remove redundant check
> * LDAP: Fix incorrect switch statement in sdap_get_initgr_done()
> * LDAP: Add helper function to get list of a user's groups from sysdb
> * LDAP: Make sdap_initgr_common_store() non-static
> * LDAP: Add ldap_*_use_matching_rule_in_chain options
> * LDAP: Add support for AD chain matching extension in group lookups
> * LDAP: Add support for AD chain matching extension in initgroups
> * LDAP: Auto-detect support for the ldap match rule
> * LDAP: Fix missing variable in debug message
> * SSS_CLIENT: Fix uninitialized value error
> * Fix compilation on older little-endian systems
> * KRB5: Update DEBUG macros for create_ccache_dir and find_ccdir_parent_data
> * KRB5: Auto-detect DIR cache support in configure
> * KRB5: Avoid shadowing dirname
> * Updating translations for 1.9.0 beta 2 release
>
> Sumit Bose (4):
> * Rename struct dom_sid to struct sss_dom_sid
> * Fix libsss_hbac library version
> * sss_idmap: add support for samba struct dom_sid
> * sss_idmap: fix typo which prevents sub auth larger than 2^31
>
> Yuri Chornoivan (1):
> * Fix typos in message and man pages.
>
> _______________________________________________
> sssd-devel mailing list
> sssd-devel at lists.fedorahosted.org
> https://fedorahosted.org/mailman/listinfo/sssd-devel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fix-typo-breaking-DIR-cache-detection.patch
Type: text/x-patch
Size: 940 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
URL:

From pviktori at redhat.com Mon Jun 18 14:18:20 2012
From: pviktori at redhat.com (Petr Viktorin)
Date: Mon, 18 Jun 2012 16:18:20 +0200
Subject: [Freeipa-devel] [PATCH] 0056 Framework for admin/install tools, with ipa-ldap-updater
In-Reply-To: <4FCCCC8B.1030903@redhat.com>
References: <4FCCCC8B.1030903@redhat.com>
Message-ID: <4FDF38AC.1000508@redhat.com>

On 06/04/2012 04:56 PM, Petr Viktorin wrote:
> Currently, FreeIPA's install/admin scripts are long pieces of code that aren't very reusable, importable, or testable.
> They have been extended over time with features such as logging and error handling, but since each tool was extended individually, there is much inconsistency and code duplication.
> This patch starts a framework which the admin tools can use, and converts ipa-ldap-updater to use the framework.
>
> In an earlier patch I found that improving a particular functionality in all the commands is not workable, so I want to tackle this one tool at a time.
> I'm starting with ipa-ldap-updater, because it's pretty small, doesn't use DNs (I don't want conflicts with John's work), and has the interesting --upgrade option.
>
>
> The framework does these tasks:
> - Parse options
> - Select tool to run (see below)
> - Validate options
> - Set up logging
> - Run the tool code
> - Handle any errors
> - Log success/failure
>
> The base class has some defaults for these that the tools can extend/override.
>
>
> To handle the case where one script does two different things (ipa-ldap-updater with/without --upgrade, or ipa-server-install with/without --uninstall), I want to split the tool in two classes rather than have repeated ifs in the code.
> This meant that option parsing (and initializing the parser) has to be done before creating an instance of the tool. I use a factory classmethod.
>
>
> I put the admintool base class in ipapython/ as it should be useful for ipa-client-install as well.
>
>
> First part of the work for:
> https://fedorahosted.org/freeipa/ticket/2652
>
> Attaching rebased patch.

-- 
Petr³

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0056-02-Framework-for-admin-install-tools-with-ipa-ldap-upda.patch
Type: text/x-patch
Size: 29951 bytes
Desc: not available
URL:

From rcritten at redhat.com Mon Jun 18 15:37:19 2012
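The framework Petr describes above (parse options first, pick the tool class with a factory classmethod, validate, set up logging, run, handle errors, log success or failure), sketched as an added example; this is not the code from the 0056 patch, and the class, option and hook names used here are constructed.

```python
"""Sketch of an admin-tool base class with a factory classmethod (added example;
not the ipapython code from the patch, all names are constructed)."""
import logging
from optparse import OptionParser  # the 2012-era parser; argparse would do as well

log = logging.getLogger("ipa")


class ScriptError(Exception):
    """An error reported to the user with an exit code instead of a traceback."""

    def __init__(self, msg, rval=1):
        super().__init__(msg)
        self.rval = rval


class AdminTool:
    """Base class: the run flow lives here, subclasses fill in the hooks."""
    command_name = "ipa-admin-tool"
    usage = "%prog [options]"

    @classmethod
    def add_options(cls, parser):
        parser.add_option("-d", "--debug", action="store_true", default=False,
                          help="print debugging information")

    @classmethod
    def make_parser(cls):
        parser = OptionParser(usage=cls.usage, prog=cls.command_name)
        cls.add_options(parser)
        return parser

    @classmethod
    def get_command_class(cls, options):
        """Factory hook: return the class that should handle these options."""
        return cls

    @classmethod
    def run_cli(cls, argv):
        """Options are parsed before any tool instance exists, so the parsed
        options can select which class to instantiate."""
        options, args = cls.make_parser().parse_args(argv)
        tool = cls.get_command_class(options)(options, args)
        return tool.execute()

    def __init__(self, options, args):
        self.options, self.args = options, args

    def validate_options(self):
        """Hook: raise ScriptError for option combinations that make no sense."""

    def setup_logging(self):
        level = logging.DEBUG if self.options.debug else logging.INFO
        logging.basicConfig(level=level)

    def run(self):
        """Hook: the tool's real work; returns an exit code or None."""
        raise NotImplementedError

    def execute(self):
        try:
            self.validate_options()
            self.setup_logging()
            rval = self.run() or 0
        except ScriptError as e:
            log.error("%s", e)
            rval = e.rval
        except Exception:
            log.exception("Unexpected error")
            rval = 1
        log.info("The %s command %s", self.command_name,
                 "was successful" if rval == 0 else "failed")
        return rval


class LDAPUpdater(AdminTool):
    """One script, two behaviours: --upgrade selects a different class."""
    command_name = "ipa-ldap-updater"
    usage = "%prog [options] input_file(s)"

    @classmethod
    def add_options(cls, parser):
        super().add_options(parser)
        parser.add_option("--upgrade", action="store_true", default=False,
                          help="upgrade an installed server in offline mode")

    @classmethod
    def get_command_class(cls, options):
        return LDAPUpdaterUpgrade if options.upgrade else LDAPUpdaterNonUpgrade


class LDAPUpdaterUpgrade(LDAPUpdater):
    def validate_options(self):
        if self.args:
            raise ScriptError("--upgrade takes no update files", rval=2)

    def run(self):
        log.info("Running the full offline upgrade")  # constructed stand-in


class LDAPUpdaterNonUpgrade(LDAPUpdater):
    def validate_options(self):
        if not self.args:
            raise ScriptError("no update files given", rval=2)

    def run(self):
        for path in self.args:
            log.info("Applying %s", path)  # constructed stand-in


def selected_tool(argv):
    """Name of the class ipa-ldap-updater would run for argv (constructed helper)."""
    options, _ = LDAPUpdater.make_parser().parse_args(argv)
    return LDAPUpdater.get_command_class(options).__name__
```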
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 18 Jun 2012 11:37:19 -0400
Subject: [Freeipa-devel] [DRAFT] Per-domain DNS update permissions
In-Reply-To: <1340000969.7024.2.camel@balmora.brq.redhat.com>
References: <1339766543.12383.48.camel@priserak> <1339769714.32038.0.camel@willson.li.ssimo.org> <1340000969.7024.2.camel@balmora.brq.redhat.com>
Message-ID: <4FDF4B2F.8020401@redhat.com>

Martin Kosek wrote:
> On Fri, 2012-06-15 at 10:15 -0400, Simo Sorce wrote:
>> On Fri, 2012-06-15 at 15:22 +0200, Martin Kosek wrote:
>>> Hello all,
>>>
>>> In the scope of ticket 2511 I would like to implement an ability to delegate DNS update permissions to a chosen user (or host) without having to give the user full "Update DNS Entries" privileges, i.e. allow him to modify any DNS zone or record.
>>>
>>> So far, this is what I would like to do (comments welcome):
>>>
>>> 1) Create new objectclass "idnsManagedZone" with "managedBy" attribute in MAY list
>>> 2) Create new DNS commands:
>>>    a] dnszone-add-managedby [--users=USERS] [--hosts=HOSTS]
>>>    b] dnszone-remove-managedby [--users=USERS] [--hosts=HOSTS]
>>>    - these commands would add/remove the chosen user/host DN to the managedBy attribute in the chosen DNS zone
>>> 3) Add new generic ACIs to cn=dns,$SUFFIX:
>>>    aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Users and hosts can add DNS entries";allow (add) userattr = "parent[1].managedby#USERDN";)
>>>    ... add similar ACIs for UPDATE, REMOVE access
>>>
>>> With these steps done, all that an administrator would need to do to delegate management of a DNS zone "example.com" is to run this command:
>>> $ ipa dnszone-add-managedby example.com --users=fbar
>>>
>>> The only downside I found so far is that the user would already need to have the "Read DNS Entries" permission assigned, otherwise he would not be able to actually read DNS entries (allow rules can't take precedence over the deny rule we implemented to deny public access to the DNS tree).
>>>
>>> An admin could of course create a special privilege and role with just the "Read DNS Entries" permission and then assign it to relevant users/groups, but this looks awkward. Any idea to make this simpler? Maybe creating a group "dns readers" by default which would allow such access?
>>
>> Change the deny rule to deny to everyone except the user in "parent[1].managedby#USERDN" ?
>>
>> Simo.
>>
>
> Good idea, I will do that. I will just use "parent[0,1].managedby#USERDN" so that the user can also read the zone record. This way, a selected user will have read/write access to the chosen zone only, which is exactly what we want to achieve.

Yes, this sounds workable to me too.

rob

From rcritten at redhat.com Mon Jun 18 19:04:05 2012
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 18 Jun 2012 15:04:05 -0400 Subject: [Freeipa-devel] [PATCH] 0061, 63 Improve ipa-client-install debug output In-Reply-To: <4FD9DADF.7050605@redhat.com> References: <4FD60324.7030901@redhat.com> <4FD7B11D.2020407@redhat.com> <4FD9DADF.7050605@redhat.com> Message-ID: <4FDF7BA5.7080700@redhat.com> Petr Viktorin wrote: > On 06/12/2012 11:14 PM, Rob Crittenden wrote: >> Petr Viktorin wrote: >>> I went through all the output/debug messages in ipa-client-install, >>> removed duplicates, and routed them through the log manager. >>> >>> I used these log levels: >>> DEBUG - detailed messages the user probably doesn't want to see (only >>> printed to console with --debug) >>> INFO - progress reports ("Configured /etc/sssd/sssd.conf") and >>> instructions ("You may need to restart services or reboot the machine.") >>> WARNING - something unusual that may require attention >>> ERROR - something went wrong >>> >>> Obviously there's some overlap there. >>> >>> >>> On the console, the messages are now prefixed with the log level. This >>> should bring attention to the warnings/errors. >>> Does this format look okay? >>> I think the current default console_format, which prefixes the logger >>> name (ipa) and the level, is too verbose. >> >> I agree. I'm not a fan of printing the log level, it is very distracting. > > I've removed the log level. > >> This is a good start but the DNS discovery area needs more work. I've >> found it very difficult to look at a log and figure out where the domain >> and hostname came from (user provided or discovered?) and trace how the >> discovery is working. There is currently a lot of smoke and noise and >> very little useful information. >> > > I've added the sources of the values to the summary, and provided more > tracing information. > I put this in a separate patch; it's not the almost mechanical changes > as in the first one. 
I'll be happy to squash them if that would make > review easier. > >> rob > > ACK. Both pushed to master. rob From rcritten at redhat.com Mon Jun 18 19:16:49 2012 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 18 Jun 2012 15:16:49 -0400 Subject: [Freeipa-devel] [PATCH] 275 Do not crash in Decimal parameter conversion In-Reply-To: <1339757642.12383.26.camel@priserak> References: <1339062486.7369.3.camel@balmora.brq.redhat.com> <4FD165BB.7030604@redhat.com> <1339598941.2965.39.camel@balmora.brq.redhat.com> <4FD90EC7.1060603@redhat.com> <1339655236.2062.5.camel@balmora.brq.redhat.com> <4FD9E1A0.1070109@redhat.com> <1339757642.12383.26.camel@priserak> Message-ID: <4FDF7EA1.9020305@redhat.com> Martin Kosek wrote: > On Thu, 2012-06-14 at 09:05 -0400, Rob Crittenden wrote: >> Martin Kosek wrote: >>> On Wed, 2012-06-13 at 18:05 -0400, Rob Crittenden wrote: >>>> Martin Kosek wrote: >>>>> On Thu, 2012-06-07 at 22:38 -0400, Rob Crittenden wrote: >>>>>> Martin Kosek wrote: >>>>>>> When invalid data is passed, an unhandled decimal exception could >>>>>>> be raised in Decimal number conversion. Handle the exception >>>>>>> more gracefully and report proper ipalib.errors.ConversionError. >>>>>>> >>>>>>> https://fedorahosted.org/freeipa/ticket/2705 >>>>>> >>>>>> I'm being pedantic but I think the Decimal special values need to be >>>>>> handled better. 
Using Infinity returns a rather odd message: >>>>>> >>>>>> $ ipa dnsrecord-add example.com >>>>>> Record name: foo >>>>>> Please choose a type of DNS resource record to be added >>>>>> The most common types for this type of zone are: A, AAAA >>>>>> >>>>>> DNS resource record type: LOC >>>>>> LOC Degrees Latitude: 90 >>>>>> [LOC Minutes Latitude]: 59 >>>>>> [LOC Seconds Latitude]: >>>>>> 999999999999999999999999999999999999999999999999999999999999999999999 >>>>>> >>> LOC Seconds Latitude: quantize result has too many digits for >>>>>> current context >>>>>> [LOC Seconds Latitude]: Infinity >>>>>> >>> LOC Seconds Latitude: quantize with one INF >>>>>> >>>>>> And using NaN raises an unhandled exception: >>>>>> >>>>>> [LOC Seconds Latitude]: NaN >>>>>> ipa: ERROR: InvalidOperation: comparison involving NaN >>>>>> Traceback (most recent call last): >>>>>> File "/home/rcrit/redhat/freeipa/ipalib/cli.py", line 1263, in run >>>>>> sys.exit(api.Backend.cli.run(argv)) >>>>>> File "/home/rcrit/redhat/freeipa/ipalib/cli.py", line 1049, in run >>>>>> kw = self.argv_to_keyword_arguments(cmd, argv[1:]) >>>>>> File "/home/rcrit/redhat/freeipa/ipalib/cli.py", line 1035, in >>>>>> argv_to_keyword_arguments >>>>>> self.prompt_interactively(cmd, kw) >>>>>> File "/home/rcrit/redhat/freeipa/ipalib/cli.py", line 1199, in >>>>>> prompt_interactively >>>>>> callback(kw) >>>>>> File "/home/rcrit/redhat/freeipa/ipalib/plugins/dns.py", line 2147, >>>>>> in interactive_prompt_callback >>>>>> user_options = param.prompt_parts(self.Backend) >>>>>> File "/home/rcrit/redhat/freeipa/ipalib/plugins/dns.py", line 768, in >>>>>> prompt_parts >>>>>> self.__get_part_param(backend, part, user_options, default) >>>>>> File "/home/rcrit/redhat/freeipa/ipalib/plugins/dns.py", line 747, in >>>>>> __get_part_param >>>>>> output_kw[name] = part(raw) >>>>>> File "/home/rcrit/redhat/freeipa/ipalib/parameters.py", line 556, in >>>>>> __call__ >>>>>> self.validate(value, supplied=self.name in kw) >>>>>> File 
"/home/rcrit/redhat/freeipa/ipalib/parameters.py", line 879, in >>>>>> validate >>>>>> self._validate_scalar(value) >>>>>> File "/home/rcrit/redhat/freeipa/ipalib/parameters.py", line 893, in >>>>>> _validate_scalar >>>>>> error = rule(ugettext, value) >>>>>> File "/home/rcrit/redhat/freeipa/ipalib/parameters.py", line 1244, in >>>>>> _rule_minvalue >>>>>> if value< self.minvalue: >>>>>> File "/usr/lib64/python2.7/decimal.py", line 884, in __lt__ >>>>>> ans = self._compare_check_nans(other, context) >>>>>> File "/usr/lib64/python2.7/decimal.py", line 786, in _compare_check_nans >>>>>> self) >>>>>> File "/usr/lib64/python2.7/decimal.py", line 3866, in _raise_error >>>>>> raise error(explanation) >>>>>> InvalidOperation: comparison involving NaN >>>>>> ipa: ERROR: an internal error has occurred >>>>>> >>>>>> Otherwise it does what it should. >>>>>> >>>>>> rob >>>>> >>>>> Thanks for being pedantic, I found out that Decimal number validation >>>>> and normalization needs more care, dnsrecord-add would also fail with >>>>> values such as "1E4" or "-0". >>>>> >>>>> Attached patch improves Decimal number validation a lot and adds >>>>> optional exponent normalization. I also added missing tests for all >>>>> Decimal Parameter attributes. >>>>> >>>>> Martin >>>> >>>> Getting some lint errors. Ran out of time to investigate but its strange >>>> because AFAICT these are members. >>>> >>>> ipalib/parameters.py:1266: [E1101, Decimal._enforce_numberclass] >>>> Instance of 'Decimal' has no 'numberclass' member >>>> ipalib/parameters.py:1271: [E1101, Decimal._enforce_numberclass] >>>> Instance of 'Decimal' has no 'numberclass' member >>>> ipalib/parameters.py:1288: [E1101, Decimal._remove_exponent] Instance of >>>> 'Decimal' has no 'exponential' member >>>> >>> >>> I assume you run this lint: >>> >>> # ./make-lint ipalib/parameters.py >>> >>> This produces a lot of false positive lint errors... 
But if you run lint >>> for the entire project, my patches will pass: >>> >>> # git >>> apply /home/mkosek/freeipa-mkosek-275-2-decimal-parameter-conversion-and-normalization.patch >>> # ./make-lint >>> # >>> >>> That's why 275-2 includes a change for make-lint to not report these new >>> attributes: >>> diff --git a/make-lint b/make-lint >>> index 7ecd59d7e8c5a644f812d4b8987866e7d06236b5..30c5e00c1f0606c75ff1f7fec675ff673a6b87a0 100755 >>> --- a/make-lint >>> +++ b/make-lint >>> @@ -61,7 +61,8 @@ class IPATypeChecker(TypeChecker): >>> 'csv', 'csv_separator', 'csv_skipspace'], >>> 'ipalib.parameters.Bool': ['truths', 'falsehoods'], >>> 'ipalib.parameters.Int': ['minvalue', 'maxvalue'], >>> - 'ipalib.parameters.Decimal': ['minvalue', 'maxvalue', 'precision'], >>> + 'ipalib.parameters.Decimal': ['minvalue', 'maxvalue', 'precision', >>> + 'numberclass', 'exponential'], >>> 'ipalib.parameters.Data': ['minlength', 'maxlength', 'length', >>> 'pattern', 'pattern_errmsg'], >>> 'ipalib.parameters.Enum': ['values'], >>> >>> >>> Bottom line - I do not think there is a lint problem with my patch :-) >>> >>> Martin >>> >> >> This was output from './make-lint'. It blew up when I was trying to >> build the rpms. >> >> rob > > Hm, I guess you have a different version of pylint, mine is error-less > (I use pylint-0.25.1-1.fc17.noarch). > > Anyway, I have disabled the false positive pylint errors you reported, > it should not hurt and will keep your build clean. Updated patch is > attached. > > Martin ACK, pushed to master rob From rcritten at redhat.com Mon Jun 18 20:43:26 2012 
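Review bot: the quoted make-lint hunk widens IPATypeChecker's hand-maintained whitelist for ipalib.parameters.Decimal with 'numberclass' and 'exponential' instead of making the two attributes visible to pylint on the class itself, and the thread shows the cost: Rob's ./make-lint run still reports E1101 for those members on his pylint version, so the final patch needs an in-code suppression on top of this entry. Defining both attributes where pylint can see them on Decimal, next to the existing minvalue/maxvalue/precision handling, would keep the build clean across pylint versions and make this whitelist entry redundant.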
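The Decimal conversion failures reported in the thread above (NaN raising InvalidOperation in the minvalue comparison, Infinity and a 69-digit value surfacing raw quantize errors, "1E4" and "-0" being rejected), handled in one hardened conversion routine as an added example; it is not ipalib's code, and the function names, the stand-in ConversionError and the default accepted number classes are assumptions made here.

```python
"""Hardened Decimal parameter conversion (added example, not ipalib's code)."""
from decimal import Decimal, InvalidOperation, localcontext


class ConversionError(ValueError):
    """Stands in for ipalib.errors.ConversionError (constructed)."""


# Decimal.number_class() values accepted by default (constructed default):
# ordinary finite numbers and zero. NaN, sNaN, +/-Infinity and subnormals are out.
DEFAULT_NUMBERCLASS = ("-Normal", "+Zero", "+Normal")


def remove_exponent(value):
    """Rewrite 1E+4 as 10000 and 1.25E+1 as 12.5 without changing the value."""
    if value == value.to_integral_value():
        return value.quantize(Decimal(1))
    return value.normalize()


def convert_decimal(raw, precision=None, minvalue=None, maxvalue=None,
                    numberclass=DEFAULT_NUMBERCLASS, exponential=False):
    """Parse `raw` into a Decimal or raise ConversionError; a
    decimal.InvalidOperation must never escape as an internal error."""
    # 1. Parsing: junk such as "abc" raises InvalidOperation, which we translate.
    try:
        value = Decimal(str(raw).strip())
    except InvalidOperation:
        raise ConversionError(f"{raw!r}: not a decimal number") from None

    # 2. Fold "-0" into "0" (constructed choice) so it passes the class check
    #    and later compares and prints like any other zero.
    if value.is_zero():
        value = value.copy_abs()

    # 3. Reject special values before any comparison: "value < minvalue" with a
    #    NaN operand is exactly the InvalidOperation seen in the traceback.
    cls = value.number_class()
    if cls not in numberclass:
        raise ConversionError(f"{raw!r}: number class {cls} is not allowed")

    # 4. Exponent and precision normalisation under a context whose traps we
    #    control; a value with more digits than the context holds raises
    #    "quantize result has too many digits", reported cleanly here.
    try:
        with localcontext() as ctx:
            ctx.traps[InvalidOperation] = True
            if not exponential:
                value = remove_exponent(value)
            if precision is not None:
                value = value.quantize(Decimal(10) ** -precision)
    except InvalidOperation:
        raise ConversionError(
            f"{raw!r}: too many digits (precision={precision})") from None

    # 5. Range checks are safe now: only finite, normal numbers reach them.
    if minvalue is not None and value < Decimal(str(minvalue)):
        raise ConversionError(f"{raw!r}: must be at least {minvalue}")
    if maxvalue is not None and value > Decimal(str(maxvalue)):
        raise ConversionError(f"{raw!r}: must be at most {maxvalue}")
    return value


def rejects(raw, **kwargs):
    """True when convert_decimal refuses `raw` with a ConversionError."""
    try:
        convert_decimal(raw, **kwargs)
    except ConversionError:
        return True
    return False


if __name__ == "__main__":
    # The inputs from the thread, plus the LOC-style bounds 0..59.999 (constructed).
    for raw in ("59.5", "1E4", "-0", "1.25E+1", "9" * 69, "Infinity", "NaN", "abc"):
        try:
            print(raw[:12], "->", convert_decimal(raw, precision=3, minvalue=0,
                                                   maxvalue="59.999"))
        except ConversionError as e:
            print(raw[:12], "-> ConversionError:", e)
```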
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 18 Jun 2012 16:43:26 -0400
Subject: [Freeipa-devel] [PATCH] 1027 add logging to ipa-upgradeconfig
Message-ID: <4FDF92EE.8060504@redhat.com>

Add some additional logging to ipa-upgradeconfig and have it update /var/log/ipaupgrade.log so we can see what an upgrade has already done.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-1027-upgrade.patch
Type: text/x-diff
Size: 8552 bytes
Desc: not available
URL:

From pvoborni at redhat.com Tue Jun 19 06:22:35 2012
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 19 Jun 2012 08:22:35 +0200
Subject: [Freeipa-devel] [PATCH] 158 Separate reset password page
In-Reply-To: <4FD8CC71.7030607@redhat.com>
References: <4FD22051.7060308@redhat.com> <4FD7CFD6.1040209@redhat.com> <4FD89660.7060002@redhat.com> <4FD8CC71.7030607@redhat.com>
Message-ID: <4FE01AAB.8050805@redhat.com>

On 06/13/2012 07:22 PM, Endi Sukma Dewata wrote:
> On 6/13/2012 8:32 AM, Petr Vobornik wrote:
>> On 06/13/2012 01:25 AM, Endi Sukma Dewata wrote:
>>> On 6/8/2012 10:54 AM, Petr Vobornik wrote:
>>>> This patch adds a separate reset password page. It is a complement to the separate login page. It differs from the reset password capabilities in the Web UI's unauthorized dialog by not performing login. This is useful for users who want only to reset the password and not to use the Web UI, and also for users who are using the separate login page.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/2755
>>>
>>> It also works with mkosek 274-2 (but needs rebase).
>>>
>>> If the password reset is successful, the page shows a link to the login page, but it also still shows the password reset form. I think it's very unlikely that the user will want to change the password again, so it might be better not to show the form, but provide a link to the form just in case the user needs to do it again.
>>
>> So after a successful reset the user will remain on reset_password.html and will see something like this:
>> http://pvoborni.fedorapeople.org/ux/resetpwd_success.png ?
>
> Yes, I think it looks much cleaner. Also make sure the password fields are cleaned too.
>

Updated patch attached. Sorry for the late update, I was working on the trust UI and didn't want to switch context.

-- 
Petr Vobornik

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0158-1-Separate-reset-password-page.patch
Type: text/x-patch
Size: 11831 bytes
Desc: not available
URL:

From mkosek at redhat.com Tue Jun 19 06:30:09 2012
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 19 Jun 2012 08:30:09 +0200 Subject: [Freeipa-devel] [PATCH] 277 Per-domain DNS record permissions In-Reply-To: <4FDF4B2F.8020401@redhat.com> References: <1339766543.12383.48.camel@priserak> <1339769714.32038.0.camel@willson.li.ssimo.org> <1340000969.7024.2.camel@balmora.brq.redhat.com> <4FDF4B2F.8020401@redhat.com> Message-ID: <1340087409.24730.5.camel@balmora.brq.redhat.com> On Mon, 2012-06-18 at 11:37 -0400, Rob Crittenden wrote: > Martin Kosek wrote: > > On Fri, 2012-06-15 at 10:15 -0400, Simo Sorce wrote: > >> On Fri, 2012-06-15 at 15:22 +0200, Martin Kosek wrote: > >>> Hello all, > >>> > >>> In a scope of ticket 2511 I would like to implement an ability to > >>> delegate a DNS update permissions to chosen user (or host) without > >>> having to give the user full "Update DNS Entries" privileges, i.e. allow > >>> him to modify any DNS zone or record. > >>> > >>> So far, this is what I would like to do (comments welcome): > >>> > >>> 1) Create new objectclass "idnsManagedZone" with "managedBy" attribute > >>> in MAY list > >>> 2) Create new DNS commands: > >>> a] dnszone-add-managedby [--users=USERS] [--hosts=HOSTS] > >>> b] dnszone-remove-managedby [--users=USERS] [--hosts=HOSTS] > >>> - these commands would add/remove chosen user/host DN to managedBy > >>> attribute in chosen DNS zone > >>> 3) Add new generic ACIs to cn=dns,$SUFFIX: > >>> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl > >>> "Users and hosts can add DNS entries";allow (add) userattr = > >>> "parent[1].managedby#USERDN";) > >>> ... 
add similar ACIs for UPDATE, REMOVE access > >>> > >>> With these steps done, all that an administrator would need to do to > >>> delegate a management of a DNS zone "example.com" is to run this > >>> command: > >>> $ ipa dnszone-add-managedby example.com --users=fbar > >>> > >>> The only downside I found so far is that the user would already need to > >>> have "Read DNS Entries" permission assigned, otherwise he would not be > >>> able to actually read DNS entries (allow rules can't take precedence > >>> over deny rule we implemented to deny public access to DNS tree). > >>> > >>> An admin could of course create a special privilege and role with just > >>> "Read DNS Entries" permission and then assign it to relevant > >>> users/groups, but this looks awkward. Any idea to make this simpler? > >>> Maybe creating a group "dns readers" by default which would allow such > >>> access? > >> > >> Change the deny rule to deny to everyone except the user in > >> "parent[1].managedby#USERDN" ? > >> > >> Simo. > >> > > > > Good idea, I will do that. I will just use > > "parent[0,1].managedby#USERDN" so that user can also read the zone > > record. This way, a selected user will have read/write access to the > > chosen zone only, which is exactly what we want to achieve. > > Yes, this sounds workable to me too. > > rob > Ok, thank you both. I finished the patch, it should work fine for both new installs and upgrades. After the upgrade, all you have to do to delegate read/write privileges to the zone is this command: # ipa dnszone-add-managedby example.com --users=fbar fbar then will be able to actually see the zone with dnszone-show + modify it. Delegated permissions have several limitations though: 1) Delegated user cannot delete the zone 2) Delegated user cannot add or remove another users to the managedBy list Martin -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-mkosek-277-per-domain-dns-record-permissions.patch Type: text/x-patch Size: 34112 bytes Desc: not available URL: From mkosek at redhat.com Tue Jun 19 10:04:21 2012 
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 19 Jun 2012 12:04:21 +0200 Subject: [Freeipa-devel] [PATCH] 277 Per-domain DNS record permissions In-Reply-To: <1340087409.24730.5.camel@balmora.brq.redhat.com> References: <1339766543.12383.48.camel@priserak> <1339769714.32038.0.camel@willson.li.ssimo.org> <1340000969.7024.2.camel@balmora.brq.redhat.com> <4FDF4B2F.8020401@redhat.com> <1340087409.24730.5.camel@balmora.brq.redhat.com> Message-ID: <1340100261.24730.9.camel@balmora.brq.redhat.com> On Tue, 2012-06-19 at 08:30 +0200, Martin Kosek wrote: > On Mon, 2012-06-18 at 11:37 -0400, Rob Crittenden wrote: > > Martin Kosek wrote: > > > On Fri, 2012-06-15 at 10:15 -0400, Simo Sorce wrote: > > >> On Fri, 2012-06-15 at 15:22 +0200, Martin Kosek wrote: > > >>> Hello all, > > >>> > > >>> In a scope of ticket 2511 I would like to implement an ability to > > >>> delegate a DNS update permissions to chosen user (or host) without > > >>> having to give the user full "Update DNS Entries" privileges, i.e. allow > > >>> him to modify any DNS zone or record. > > >>> > > >>> So far, this is what I would like to do (comments welcome): > > >>> > > >>> 1) Create new objectclass "idnsManagedZone" with "managedBy" attribute > > >>> in MAY list > > >>> 2) Create new DNS commands: > > >>> a] dnszone-add-managedby [--users=USERS] [--hosts=HOSTS] > > >>> b] dnszone-remove-managedby [--users=USERS] [--hosts=HOSTS] > > >>> - these commands would add/remove chosen user/host DN to managedBy > > >>> attribute in chosen DNS zone > > >>> 3) Add new generic ACIs to cn=dns,$SUFFIX: > > >>> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl > > >>> "Users and hosts can add DNS entries";allow (add) userattr = > > >>> "parent[1].managedby#USERDN";) > > >>> ... 
add similar ACIs for UPDATE, REMOVE access > > >>> > > >>> With these steps done, all that an administrator would need to do to > > >>> delegate a management of a DNS zone "example.com" is to run this > > >>> command: > > >>> $ ipa dnszone-add-managedby example.com --users=fbar > > >>> > > >>> The only downside I found so far is that the user would already need to > > >>> have "Read DNS Entries" permission assigned, otherwise he would not be > > >>> able to actually read DNS entries (allow rules can't take precedence > > >>> over deny rule we implemented to deny public access to DNS tree). > > >>> > > >>> An admin could of course create a special privilege and role with just > > >>> "Read DNS Entries" permission and then assign it to relevant > > >>> users/groups, but this looks awkward. Any idea to make this simpler? > > >>> Maybe creating a group "dns readers" by default which would allow such > > >>> access? > > >> > > >> Change the deny rule to deny to everyone except the user in > > >> "parent[1].managedby#USERDN" ? > > >> > > >> Simo. > > >> > > > > > > Good idea, I will do that. I will just use > > > "parent[0,1].managedby#USERDN" so that user can also read the zone > > > record. This way, a selected user will have read/write access to the > > > chosen zone only, which is exactly what we want to achieve. > > > > Yes, this sounds workable to me too. > > > > rob > > > > Ok, thank you both. I finished the patch, it should work fine for both > new installs and upgrades. > > After the upgrade, all you have to do to delegate read/write privileges > to the zone is this command: > > # ipa dnszone-add-managedby example.com --users=fbar > > fbar then will be able to actually see the zone with dnszone-show + > modify it. 
Delegated permissions have several limitations though:
> 1) Delegated user cannot delete the zone
> 2) Delegated user cannot add or remove other users to the managedBy list
>
> Martin

This is a ticket to add Web UI support for this functionality:
https://fedorahosted.org/freeipa/ticket/2851

Martin

From pviktori at redhat.com Tue Jun 19 13:05:27 2012
From: pviktori at redhat.com (Petr Viktorin)
Date: Tue, 19 Jun 2012 15:05:27 +0200
Subject: [Freeipa-devel] [PATCH] 1027 add logging to ipa-upgradeconfig
In-Reply-To: <4FDF92EE.8060504@redhat.com>
References: <4FDF92EE.8060504@redhat.com>
Message-ID: <4FE07917.2060100@redhat.com>

On 06/18/2012 10:43 PM, Rob Crittenden wrote:
> Add some additional logging to ipa-upgradeconfig and have it update /var/log/ipaupgrade.log so we can see what an upgrade has already done.
>
> rob
>

I don't think the indentation works too well:

2012-06-19T12:52:47Z INFO Verifying that root certificate is published
2012-06-19T12:52:47Z DEBUG Certificate file exists
2012-06-19T12:52:47Z INFO Verifying that CA proxy configuration is correct
2012-06-19T12:52:47Z DEBUG No CA detected in /etc/pki-ca
2012-06-19T12:52:47Z INFO Verifying that KDC configuration is using ipa-kdb backend
2012-06-19T12:52:47Z DEBUG dbmodules already updated in /etc/krb5.conf

It would be nice to add a message right after logging setup saying that ipa-upgradeconfig is being run.

The --debug flag only affects console output, standard_logging_setup always sets the file handler to debug level. There's no need for the flag with >/dev/null.

Otherwise the patch works great.

-- 
Petr³

From pviktori at redhat.com Tue Jun 19 13:16:03 2012
From: pviktori at redhat.com (Petr Viktorin) Date: Tue, 19 Jun 2012 15:16:03 +0200 Subject: [Freeipa-devel] [PATCH] 277 Per-domain DNS record permissions In-Reply-To: <1340087409.24730.5.camel@balmora.brq.redhat.com> References: <1339766543.12383.48.camel@priserak> <1339769714.32038.0.camel@willson.li.ssimo.org> <1340000969.7024.2.camel@balmora.brq.redhat.com> <4FDF4B2F.8020401@redhat.com> <1340087409.24730.5.camel@balmora.brq.redhat.com> Message-ID: <4FE07B93.4050102@redhat.com> On 06/19/2012 08:30 AM, Martin Kosek wrote: > On Mon, 2012-06-18 at 11:37 -0400, Rob Crittenden wrote: >> Martin Kosek wrote: >>> On Fri, 2012-06-15 at 10:15 -0400, Simo Sorce wrote: >>>> On Fri, 2012-06-15 at 15:22 +0200, Martin Kosek wrote: >>>>> Hello all, >>>>> >>>>> In a scope of ticket 2511 I would like to implement an ability to >>>>> delegate a DNS update permissions to chosen user (or host) without >>>>> having to give the user full "Update DNS Entries" privileges, i.e. allow >>>>> him to modify any DNS zone or record. >>>>> >>>>> So far, this is what I would like to do (comments welcome): >>>>> >>>>> 1) Create new objectclass "idnsManagedZone" with "managedBy" attribute >>>>> in MAY list >>>>> 2) Create new DNS commands: >>>>> a] dnszone-add-managedby [--users=USERS] [--hosts=HOSTS] >>>>> b] dnszone-remove-managedby [--users=USERS] [--hosts=HOSTS] >>>>> - these commands would add/remove chosen user/host DN to managedBy >>>>> attribute in chosen DNS zone >>>>> 3) Add new generic ACIs to cn=dns,$SUFFIX: >>>>> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl >>>>> "Users and hosts can add DNS entries";allow (add) userattr = >>>>> "parent[1].managedby#USERDN";) >>>>> ... 
add similar ACIs for UPDATE, REMOVE access >>>>> >>>>> With these steps done, all that an administrator would need to do to >>>>> delegate a management of a DNS zone "example.com" is to run this >>>>> command: >>>>> $ ipa dnszone-add-managedby example.com --users=fbar >>>>> >>>>> The only downside I found so far is that the user would already need to >>>>> have "Read DNS Entries" permission assigned, otherwise he would not be >>>>> able to actually read DNS entries (allow rules can't take precedence >>>>> over deny rule we implemented to deny public access to DNS tree). >>>>> >>>>> An admin could of course create a special privilege and role with just >>>>> "Read DNS Entries" permission and then assign it to relevant >>>>> users/groups, but this looks awkward. Any idea to make this simpler? >>>>> Maybe creating a group "dns readers" by default which would allow such >>>>> access? >>>> >>>> Change the deny rule to deny to everyone except the user in >>>> "parent[1].managedby#USERDN" ? >>>> >>>> Simo. >>>> >>> >>> Good idea, I will do that. I will just use >>> "parent[0,1].managedby#USERDN" so that user can also read the zone >>> record. This way, a selected user will have read/write access to the >>> chosen zone only, which is exactly what we want to achieve. >> >> Yes, this sounds workable to me too. >> >> rob >> > > Ok, thank you both. I finished the patch, it should work fine for both > new installs and upgrades. > > After the upgrade, all you have to do to delegate read/write privileges > to the zone is this command: > > # ipa dnszone-add-managedby example.com --users=fbar > > fbar then will be able to actually see the zone with dnszone-show + > modify it. Delegated permissions have several limitations though: > 1) Delegated user cannot delete the zone > 2) Delegated user cannot add or remove another users to the managedBy > list > > Martin > Would it be possible to delegate the rights to groups, not only to individual users? -- Petr? 
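A model of the delegation ACIs designed in this thread, as an added example that is not FreeIPA or 389-ds code: it reproduces the deny-beats-allow precedence Martin ran into, the parent[0,1].managedby#USERDN exception Simo proposed, and also the #GROUPDN variant that Petr's question about groups asks for; the suffix, zones, users and the per-operation managedBy levels of the allow ACIs are constructed assumptions.

```python
"""Model of the per-zone DNS delegation ACIs from this thread (added example;
only the bind-rule semantics the thread relies on are reproduced)."""
from dataclasses import dataclass, field

# Constructed suffix and DNs; the thread writes them with $SUFFIX.
SUFFIX = "dc=example,dc=com"
DNS_BASE = f"cn=dns,{SUFFIX}"
ADMINS_GROUP = f"cn=admins,cn=groups,cn=accounts,{SUFFIX}"
READ_DNS_PERM = f"cn=Read DNS Entries,cn=permissions,cn=pbac,{SUFFIX}"
USER_FBAR = f"uid=fbar,cn=users,cn=accounts,{SUFFIX}"
USER_BOB = f"uid=bob,cn=users,cn=accounts,{SUFFIX}"
GROUP_DNSOPS = f"cn=dnsops,cn=groups,cn=accounts,{SUFFIX}"


@dataclass
class Entry:
    dn: str
    managedby: set = field(default_factory=set)  # idnsManagedZone managedBy values


# Constructed directory: example.com is delegated to fbar (the thread's
# "ipa dnszone-add-managedby example.com --users=fbar"); other.test lists a group.
DIRECTORY = {e.dn: e for e in (
    Entry(f"idnsname=example.com,{DNS_BASE}", {USER_FBAR}),
    Entry(f"idnsname=www,idnsname=example.com,{DNS_BASE}"),
    Entry(f"idnsname=other.test,{DNS_BASE}", {GROUP_DNSOPS}),
    Entry(f"idnsname=mail,idnsname=other.test,{DNS_BASE}"),
)}

# managedBy levels each allow ACI checks (assumed mapping: records are added and
# removed via their parent zone, parent[1]; the zone entry itself is only modifiable).
ALLOW_LEVELS = {"add": (1,), "write": (0, 1), "delete": (1,)}


def parent_dn(dn, levels):
    """parent[levels] of a DN (the constructed DNs contain no escaped commas)."""
    return ",".join(dn.split(",")[levels:])


def managedby_matches(entry_dn, levels, identities):
    """userattr = "parent[<levels>].managedby#USERDN" (or #GROUPDN when the
    binder's groups are in `identities`): true if any identity is listed in
    managedBy of the entry `level` RDNs above the target."""
    for level in levels:
        entry = DIRECTORY.get(parent_dn(entry_dn, level))
        if entry is not None and entry.managedby & identities:
            return True
    return False


def deny_matches(bind_dn, groups, entry_dn, managedby_exception, delegate_groups):
    """The deny ACI on the DNS tree: everyone except admins, holders of
    "Read DNS Entries" and, with Simo's exception, binders found in
    parent[0,1].managedby."""
    if ADMINS_GROUP in groups or READ_DNS_PERM in groups:
        return False
    if not managedby_exception:
        return True  # the original deny: no allow can override it
    identities = {bind_dn} | (groups if delegate_groups else set())
    return not managedby_matches(entry_dn, (0, 1), identities)


def allow_matches(bind_dn, groups, entry_dn, op, delegate_groups):
    """The allow side. Read is assumed granted by a suffix-wide allow (the
    deny above is what hides the DNS tree); add/write/delete need managedBy."""
    if op == "read":
        return True
    identities = {bind_dn} | (groups if delegate_groups else set())
    return managedby_matches(entry_dn, ALLOW_LEVELS[op], identities)


def can_access(bind_dn, groups, entry_dn, op,
               managedby_exception=True, delegate_groups=False):
    """Access decision with the precedence the thread relies on: a matching
    deny wins over every allow; otherwise some allow must match."""
    if entry_dn not in DIRECTORY or op not in ("read", *ALLOW_LEVELS):
        raise ValueError(f"unknown entry or operation: {entry_dn} {op}")
    groups = set(groups)
    if deny_matches(bind_dn, groups, entry_dn, managedby_exception, delegate_groups):
        return False
    return allow_matches(bind_dn, groups, entry_dn, op, delegate_groups)


if __name__ == "__main__":
    zone = f"idnsname=example.com,{DNS_BASE}"
    www = f"idnsname=www,idnsname=example.com,{DNS_BASE}"
    other = f"idnsname=other.test,{DNS_BASE}"
    cases = (
        ("fbar reads example.com, original deny rule",
         can_access(USER_FBAR, (), zone, "read", managedby_exception=False)),
        ("fbar reads example.com, deny with managedBy exception",
         can_access(USER_FBAR, (), zone, "read")),
        ("fbar adds www.example.com", can_access(USER_FBAR, (), www, "add")),
        ("fbar deletes the zone", can_access(USER_FBAR, (), zone, "delete")),
        ("fbar reads other.test", can_access(USER_FBAR, (), other, "read")),
        ("bob (dnsops) reads other.test, USERDN only",
         can_access(USER_BOB, (GROUP_DNSOPS,), other, "read")),
        ("bob (dnsops) reads other.test, GROUPDN too",
         can_access(USER_BOB, (GROUP_DNSOPS,), other, "read", delegate_groups=True)),
    )
    for label, result in cases:
        print(f"{label}: {'allowed' if result else 'denied'}")
```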
From mkosek at redhat.com Tue Jun 19 13:54:22 2012 
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 19 Jun 2012 15:54:22 +0200
Subject: [Freeipa-devel] [PATCH] 277 Per-domain DNS record permissions
In-Reply-To: <4FE07B93.4050102@redhat.com>
References: <1339766543.12383.48.camel@priserak> <1339769714.32038.0.camel@willson.li.ssimo.org> <1340000969.7024.2.camel@balmora.brq.redhat.com> <4FDF4B2F.8020401@redhat.com> <1340087409.24730.5.camel@balmora.brq.redhat.com> <4FE07B93.4050102@redhat.com>
Message-ID: <1340114062.24730.30.camel@balmora.brq.redhat.com>

On Tue, 2012-06-19 at 15:16 +0200, Petr Viktorin wrote:
> On 06/19/2012 08:30 AM, Martin Kosek wrote:
> > On Mon, 2012-06-18 at 11:37 -0400, Rob Crittenden wrote:
> >> Martin Kosek wrote:
> >>> On Fri, 2012-06-15 at 10:15 -0400, Simo Sorce wrote:
> >>>> On Fri, 2012-06-15 at 15:22 +0200, Martin Kosek wrote:
> >>>>> Hello all,
> >>>>>
> >>>>> In a scope of ticket 2511 I would like to implement an ability to
> >>>>> delegate DNS update permissions to a chosen user (or host) without
> >>>>> having to give the user full "Update DNS Entries" privileges, i.e. allow
> >>>>> him to modify any DNS zone or record.
> >>>>>
> >>>>> So far, this is what I would like to do (comments welcome):
> >>>>>
> >>>>> 1) Create new objectclass "idnsManagedZone" with "managedBy" attribute
> >>>>> in MAY list
> >>>>> 2) Create new DNS commands:
> >>>>> a] dnszone-add-managedby [--users=USERS] [--hosts=HOSTS]
> >>>>> b] dnszone-remove-managedby [--users=USERS] [--hosts=HOSTS]
> >>>>> - these commands would add/remove chosen user/host DN to managedBy
> >>>>> attribute in chosen DNS zone
> >>>>> 3) Add new generic ACIs to cn=dns,$SUFFIX:
> >>>>> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl
> >>>>> "Users and hosts can add DNS entries";allow (add) userattr =
> >>>>> "parent[1].managedby#USERDN";)
> >>>>> ... add similar ACIs for UPDATE, REMOVE access
> >>>>>
> >>>>> With these steps done, all that an administrator would need to do to
> >>>>> delegate management of a DNS zone "example.com" is to run this
> >>>>> command:
> >>>>> $ ipa dnszone-add-managedby example.com --users=fbar
> >>>>>
> >>>>> The only downside I found so far is that the user would already need to
> >>>>> have "Read DNS Entries" permission assigned, otherwise he would not be
> >>>>> able to actually read DNS entries (allow rules can't take precedence
> >>>>> over the deny rule we implemented to deny public access to the DNS tree).
> >>>>>
> >>>>> An admin could of course create a special privilege and role with just
> >>>>> "Read DNS Entries" permission and then assign it to relevant
> >>>>> users/groups, but this looks awkward. Any idea to make this simpler?
> >>>>> Maybe creating a group "dns readers" by default which would allow such
> >>>>> access?
> >>>>
> >>>> Change the deny rule to deny to everyone except the user in
> >>>> "parent[1].managedby#USERDN" ?
> >>>>
> >>>> Simo.
> >>>>
> >>>
> >>> Good idea, I will do that. I will just use
> >>> "parent[0,1].managedby#USERDN" so that the user can also read the zone
> >>> record. This way, a selected user will have read/write access to the
> >>> chosen zone only, which is exactly what we want to achieve.
> >>
> >> Yes, this sounds workable to me too.
> >>
> >> rob
> >>
> >
> > Ok, thank you both. I finished the patch, it should work fine for both
> > new installs and upgrades.
> >
> > After the upgrade, all you have to do to delegate read/write privileges
> > to the zone is this command:
> >
> > # ipa dnszone-add-managedby example.com --users=fbar
> >
> > fbar then will be able to actually see the zone with dnszone-show +
> > modify it. Delegated permissions have several limitations though:
> > 1) Delegated user cannot delete the zone
> > 2) Delegated user cannot add or remove other users to the managedBy
> > list
> >
> > Martin
> >
>
> Would it be possible to delegate the rights to groups, not only to
> individual users?
>

It is possible, now we use this rule for the deny ACI:

(groupdn != "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX") and
(groupdn != "ldap:///cn=Read DNS Entries,cn=permissions,cn=pbac,$SUFFIX") and
not (userattr = "parent[0,1].managedby#USERDN")

We could add a group comparison this way:

(groupdn != "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX") and
(groupdn != "ldap:///cn=Read DNS Entries,cn=permissions,cn=pbac,$SUFFIX") and
(not ((userattr = "parent[0,1].managedby#USERDN") or
(userattr = "parent[0,1].managedby#GROUPDN")))

+ add similar changes to add/delete/update ACIs.

There is just a question if we want to add this capability. For example in case of hosts, we also do not allow hostgroups in the managedBy attribute. Wouldn't this new parent[0,1].managedby#GROUPDN check increase the ACI evaluation time?

Simo, Rob?

Martin

From pvoborni at redhat.com Tue Jun 19 14:01:06 2012
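The deny rule quoted in the reply above, modelled as an added example (not FreeIPA or 389-ds code) so its truth table can be checked offline: it evaluates the two groupdn clauses and the parent[0,1].managedby userattr clause, with and without the proposed #GROUPDN extension, against a constructed directory. The suffix, the users, the zones and the dns-ops group are constructed names.

```python
"""Model of the bind rule in FreeIPA's DNS-tree deny ACI.

Added example, not FreeIPA or 389-ds code: it re-implements in plain Python
the truth table of the deny rule quoted in the mail, with and without the
proposed #GROUPDN clause, against a constructed directory. The suffix,
users, zones and the dns-ops group are constructed names.
"""
from __future__ import annotations

SUFFIX = "dc=example,dc=com"
ADMINS_GROUP = f"cn=admins,cn=groups,cn=accounts,{SUFFIX}"
READ_DNS_GROUP = f"cn=Read DNS Entries,cn=permissions,cn=pbac,{SUFFIX}"
DNS_OPS_GROUP = f"cn=dns-ops,cn=groups,cn=accounts,{SUFFIX}"  # hypothetical group

FBAR = f"uid=fbar,cn=users,cn=accounts,{SUFFIX}"
ALICE = f"uid=alice,cn=users,cn=accounts,{SUFFIX}"
ADMIN = f"uid=admin,cn=users,cn=accounts,{SUFFIX}"
ANONYMOUS = ""  # unauthenticated bind

ZONE_EXAMPLE = f"idnsname=example.com.,cn=dns,{SUFFIX}"
ZONE_OTHER = f"idnsname=other.org.,cn=dns,{SUFFIX}"
RECORD_WWW = f"idnsname=www,{ZONE_EXAMPLE}"   # record under the delegated zone
RECORD_MAIL = f"idnsname=mail,{ZONE_OTHER}"

# Constructed directory content: DN -> attribute -> values.
DIRECTORY: dict[str, dict[str, list[str]]] = {
    ADMINS_GROUP: {"member": [ADMIN]},
    READ_DNS_GROUP: {"member": []},              # nobody holds the permission directly
    DNS_OPS_GROUP: {"member": [ALICE]},
    ZONE_EXAMPLE: {"managedby": [FBAR]},         # ipa dnszone-add-managedby example.com --users=fbar
    ZONE_OTHER: {"managedby": [DNS_OPS_GROUP]},  # delegated to a group instead
    RECORD_WWW: {},
    RECORD_MAIL: {},
}


def parent(dn: str, level: int) -> str:
    """parent[level] of a DN; constructed DNs contain no escaped commas."""
    return ",".join(dn.split(",")[level:])


def groupdn_matches(bind_dn: str, group_dn: str) -> bool:
    """groupdn = "ldap:///<group_dn>": the bind DN is a direct member."""
    return bind_dn in DIRECTORY.get(group_dn, {}).get("member", [])


def groups_of(bind_dn: str) -> set[str]:
    """All groups listing the bind DN as a member (what #GROUPDN would expand to)."""
    return {dn for dn, attrs in DIRECTORY.items() if bind_dn in attrs.get("member", [])}


def userattr_managedby(bind_dn: str, target_dn: str, with_groups: bool) -> bool:
    """userattr = "parent[0,1].managedby#USERDN" (plus #GROUPDN if with_groups).

    True when the target entry itself (level 0) or its parent (level 1)
    lists the bind DN, or one of its groups, in managedBy.
    """
    principals = {bind_dn}
    if with_groups:
        principals |= groups_of(bind_dn)
    for level in (0, 1):
        managers = DIRECTORY.get(parent(target_dn, level), {}).get("managedby", [])
        if principals & set(managers):
            return True
    return False


def deny_rule_applies(bind_dn: str, target_dn: str, with_groups: bool = False) -> bool:
    """Evaluate the deny ACI bind rule from the mail; True means access is denied.

    The deny fires unless the bind DN is an admin, holds the Read DNS Entries
    permission, or manages the zone that owns target_dn.
    """
    return (
        not groupdn_matches(bind_dn, ADMINS_GROUP)
        and not groupdn_matches(bind_dn, READ_DNS_GROUP)
        and not userattr_managedby(bind_dn, target_dn, with_groups)
    )


if __name__ == "__main__":
    for who, name in ((FBAR, "fbar"), (ALICE, "alice"), (ADMIN, "admin"), (ANONYMOUS, "anonymous")):
        for target in (RECORD_WWW, RECORD_MAIL):
            print(f"{name:9} {target:45} denied={deny_rule_applies(who, target)} "
                  f"denied_with_groups={deny_rule_applies(who, target, True)}")
```

Running it shows fbar reaching only example.com and its records, alice reaching other.org only once the #GROUPDN clause is enabled, and anonymous binds denied everywhere.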
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 19 Jun 2012 16:01:06 +0200
Subject: [Freeipa-devel] [PATCH] 157 Added password reset capabilities to unauthorized dialog
In-Reply-To: <4FD8CB4A.6090405@redhat.com>
References: <4FD21F9E.5000201@redhat.com> <4FD21FD4.4030301@redhat.com> <4FD7CFB7.3020609@redhat.com> <4FD89271.7030406@redhat.com> <4FD8CB4A.6090405@redhat.com>
Message-ID: <4FE08622.4040603@redhat.com>

In general I like simplifying the dialog so I took most of your suggestions and implemented them the following way:

Login
-----------------------------------------------------

Your session has expired. Please re-login.

To login with Kerberos, please make sure you
have valid tickets (obtainable via kinit) and
[configured] the browser correctly.

To login with username and password:

Username: [edewata ]
Password: [******** ]

[Login]

So I just changed the order and kept only one button. If username and password are filled it uses form-based auth, otherwise it uses Kerberos auth. I'm not sure if it is straightforward but it is easy to use.

I followed all suggestions in the reset part.

I have to place to the forms error box. I'm not sure about the position though.

Updated patch attached.

On 06/13/2012 07:18 PM, Endi Sukma Dewata wrote:
> On 6/13/2012 8:15 AM, Petr Vobornik wrote:
>> I'll address all issues once we decide on the solution.
>>
>>> 1. If you click 'form-based authentication' the dialog title still shows
>>> 'Kerberos ticket no longer valid' which is not relevant for form-based
>>> authentication. It might be better to use 'Login' as the title for all
>>> pages in this dialog.
>>
>> Agree
>>
>>> 2. Instead of having to go to a separate page for form-based
>>> authentication, would it be better to change the first page in the login
>>> dialog to show the login form? Something like this:
>>>
>>> Login
>>> -----------------------------------------------------
>>>
>>> Your session has expired. Please re-login.
>>>
>>> To login with username and password:
>>>
>>> Username: [edewata ]
>>> Password: [******** ]
>>>
>>> [Login]
>>>
>>> To login with Kerberos, please make sure you
>>> have valid tickets (obtainable via kinit) and
>>> [configured] the browser correctly.
>>>
>>> [Login with Kerberos]
>>>
>>> The two login mechanisms can be shown at the same time like above or in
>>> collapsible sections. If the user enters a password and it's expired,
>>> the dialog will change into:
>>
>> I like the idea but I'm not sure about the layout. Having one button
>> inside the dialog seems strange and also it will probably look weird.
>
> You mean two buttons (Login & Login with Kerberos)? I agree it's kinda
> strange.
>
>> Collapsible sections are worse because you have to click on them so it
>> slows things down.
>
> That's also true. I'll leave this up to you. The current workflow still
> makes sense if we consider form-based authentication a less preferred
> method, so you'd have to go to another page to login with username &
> password.
>
>> Current implementation has 'forms-based
>> authentication' link selected so user can in most cases hit enter and
>> immediately write username, password and complete login procedure only
>> by using keyboard.
>
> Hmm... that's not very obvious though. I wouldn't have known that until
> you told me :) I think intuitively people will think that if you hit
> enter it will click the default button in the dialog, unless there's
> input text field.
>
>> Also 'Login with Kerberos' is misleading. User logs in elsewhere (kinit).
>> So current button: 'retry' is more appropriate.
>
> What I meant was 'Login with Kerberos mechanism' or 'Login with Kerberos
> ticket', but it might be too long. I assume people in general aren't
> going to be confused by that because the text also mentions that you'd
> have to get the ticket from kinit.
>
> My concern with 'Retry' is that if you open the UI for the first time
> and you haven't done kinit yet, you'll see a message saying your
> Kerberos ticket has expired and asking you to Retry. This is not quite
> accurate because you never had a ticket before.
>
> The 'expired ticket' and 'retry' message might make more sense if you
> already had the UI open but left it for a while and come back to
> continue. If you just open the UI for the first time I think the message
> should only tell you what you need to do to login, not what went wrong
> in the past.
>
> I'll leave this up to you too. We might be able to keep the current
> workflow, but display a different message depending whether it's your
> first visit or return visit.
>
>>> Login
>>> -----------------------------------------------------
>>>
>>> Your password has expired. Please enter a new
>>> password:
>>>
>>> Username: edewata
>>> New Password: [******** ]
>>> Verify Password: [******** ]
>>>
>>> [Reset Password and Login] [Cancel]
>>>
>>> In this page the username is shown for info only, it's not editable. The
>>> old password is not shown again, but kept in memory. I use Cancel
>>> instead of Back to indicate that we are starting over. The Cancel button
>>> will bring you back to the first page.
>>
>> Little change, but can be probably more straightforward - will do.
>
> If you keep the original workflow, the Cancel button probably should
> bring you to the first page (expired ticket), not to the second page
> (login) because if your password has expired you can't login without
> reset anyway.
>
>> 2a. The dialog uses headers in title (the one from #1) and headers
>> inside (login, reset password). From your examples I'm not sure if you
>> would like to:
>> a) remove the inside headers
>> b) change them to 'login' everywhere
>> c) keep them unchanged
>
> I think the inside header is not necessary, it's a duplicate of the
> dialog title. This reset password operation is still part of the login
> operation because if you cancel reset you still aren't logged in yet.
>
>>> 3. I noticed that the password is kept in memory too long by the login
>>> dialog so if you go back and forth between the pages the fields are
>>> already populated. This might be a security risk. I think the username &
>>> password should be cleaned up when you click Back/Cancel.
>>
>> Agree
>
> Also when you complete the login process, it should be cleaned up as well.
>
>>> 4. Is there a plan to provide password reset via email?
>>
>> I don't think so. I'm not sure if it is even useful for Freeipa. One of
>> the main purposes for Freeipa is SSO and I guess company mail would be
>> kerberized too. So if you forget the password, you can't login, reset
>> and even access mail. I guess using external mail is not the way to go.
>> Maybe it is useful if the company uses an additional authentication mechanism
>> like pin + token or other.
>
> OK.
>

-- 
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0157-1-Added-password-reset-capabilities-to-unauthorized-di.patch
Type: text/x-patch
Size: 24146 bytes
Desc: not available
URL:

From pviktori at redhat.com Tue Jun 19 16:55:20 2012
From: pviktori at redhat.com (Petr Viktorin)
Date: Tue, 19 Jun 2012 18:55:20 +0200
Subject: [Freeipa-devel] [PATCH] 0064 Typo fixes
Message-ID: <4FE0AEF8.3050604@redhat.com>

Fixing a typo in the ipa-rmkeytab man page.

Over the past few months I also found a few typos in docstrings and comments. I'm including those in the patch.

-- 
Petr³
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0064-Typo-fixes.patch
Type: text/x-patch
Size: 4224 bytes
Desc: not available
URL:

From pviktori at redhat.com Wed Jun 20 09:10:48 2012
From: pviktori at redhat.com (Petr Viktorin)
Date: Wed, 20 Jun 2012 11:10:48 +0200
Subject: [Freeipa-devel] [PATCH] 0062 Don't crash when server returns extra output
In-Reply-To: <4FD73869.6020503@redhat.com>
References: <4FD7240A.5040400@redhat.com> <1339504707.8230.577.camel@willson.li.ssimo.org> <4FD73869.6020503@redhat.com>
Message-ID: <4FE19398.2040401@redhat.com>

On 06/12/2012 02:39 PM, Petr Viktorin wrote:
> On 06/12/2012 02:38 PM, Simo Sorce wrote:
>> On Tue, 2012-06-12 at 13:12 +0200, Petr Viktorin wrote:
>>> This will make older clients usable if new output items get added to
>>> commands.
>>>
>>> Since there might be important information in the extra output, it's not
>>> ignored as the ticket asks. Instead it's printed, but not formatted
>>> nicely as the client doesn't have enough info for that.
>>>
>>> https://fedorahosted.org/freeipa/ticket/1721
>>
>> Patch is missing.
>>
>> Simo.
>>
>
> My apologies
>

We decided off-list that relaxing validation is not the right thing to do.
A better approach would be to notify the server that the client can accept extended data (through a header or a version parameter).
So, ticket 1721 is invalid, but we need a better solution to make https://fedorahosted.org/freeipa/ticket/2732 "Provide means of displaying warning and informational messages on clients" possible.

I think that using the existing "version" parameter (which gets added to RPC calls automatically) would be perfect for this.

Simo mentioned that we don't want to make the API depend on the version of our client, so other clients don't need to copy our versioning scheme.

However, in the version argument we send the API version, not our client version. I think other clients should know and advertise what API version they are using, and the number shouldn't be specific to our client.
It's the perfect place to learn the client's capabilities from, if we're okay with a linear evolution of the API (as opposed to the client advertising individual features).

Simo, can you comment? Hopefully I didn't mishear anything in the meeting.

-- 
Petr³

From mkosek at redhat.com Wed Jun 20 10:47:50 2012
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 20 Jun 2012 12:47:50 +0200
Subject: [Freeipa-devel] [PATCH] 0062 Don't crash when server returns extra output
In-Reply-To: <4FE19398.2040401@redhat.com>
References: <4FD7240A.5040400@redhat.com> <1339504707.8230.577.camel@willson.li.ssimo.org> <4FD73869.6020503@redhat.com> <4FE19398.2040401@redhat.com>
Message-ID: <1340189270.3072.29.camel@balmora.brq.redhat.com>

On Wed, 2012-06-20 at 11:10 +0200, Petr Viktorin wrote:
> On 06/12/2012 02:39 PM, Petr Viktorin wrote:
> > On 06/12/2012 02:38 PM, Simo Sorce wrote:
> >> On Tue, 2012-06-12 at 13:12 +0200, Petr Viktorin wrote:
> >>> This will make older clients usable if new output items get added to
> >>> commands.
> >>>
> >>> Since there might be important information in the extra output, it's not
> >>> ignored as the ticket asks. Instead it's printed, but not formatted
> >>> nicely as the client doesn't have enough info for that.
> >>>
> >>> https://fedorahosted.org/freeipa/ticket/1721
> >>
> >> Patch is missing.
> >>
> >> Simo.
> >>
> >
> > My apologies
> >
>
> We decided off-list that relaxing validation is not the right thing to do.
> A better approach would be to notify the server that the client can
> accept extended data (through a header or a version parameter).
> So, ticket 1721 is invalid, but we need a better solution to make
> https://fedorahosted.org/freeipa/ticket/2732 "Provide means of
> displaying warning and informational messages on clients" possible.
>
> I think that using the existing "version" parameter (which gets added to
> RPC calls automatically) would be perfect for this.

I agree, API version is exactly what we want. We should not care about client version or if the client is in Fedora, RHEL or Ubuntu.

>
> Simo mentioned that we don't want to make the API depend on the version
> of our client, so other clients don't need to copy our
> versioning scheme.
>
> However, in the version argument we send the API version, not our client
> version. I think other clients should know and advertise what API
> version they are using, and the number shouldn't be specific to our client.
> It's the perfect place to learn the client's capabilities from, if we're
> okay with a linear evolution of the API (as opposed to the client
> advertising individual features).
>
> Simo, can you comment? Hopefully I didn't mishear anything in the meeting.
>

The biggest asset of the API version is that we already have this number available for clients that were already released, we don't have to backport anything.

I would keep the linear evolution of the API version number as is, but it would also be good to assign new API capabilities to the number and have a simple way of checking if the client has the capability, i.e. something like this:

def post_callback(self, ..., *keys, **options):
    if 'warnings' in version.client_capabilities(options['version']):
        send_warning('forward record added, but reverse zone not found')
        continue
    else:
        raise errors.NonFatalError(...)

Martin

From ohamada at redhat.com Wed Jun 20 13:21:16 2012
From: ohamada at redhat.com (Ondrej Hamada)
Date: Wed, 20 Jun 2012 15:21:16 +0200
Subject: [Freeipa-devel] [PATCH] 27 Case sensitive renaming of objects
Message-ID: <4FE1CE4C.7030608@redhat.com>

https://fedorahosted.org/freeipa/ticket/2620

When renaming an object its case sensitivity is obeyed. This was a DS bug. Unit tests were corrected and the minimal DS version was updated in the spec file.

The minimal version for F16 and lower is still in koji only, so we may wait with pushing this patch.

-- 
Regards,

Ondrej Hamada
FreeIPA team
jabber: ohama at jabbim.cz
IRC: ohamada
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ohamada-27-Case-sensitive-renaming-of-objects.patch
Type: text/x-patch
Size: 4050 bytes
Desc: not available
URL:

From mkosek at redhat.com Wed Jun 20 13:20:27 2012
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 20 Jun 2012 15:20:27 +0200
Subject: [Freeipa-devel] [PATCH] 0050 Fail on unknown Command options
In-Reply-To: <4FD7382E.5030401@redhat.com>
References: <4F8E97F6.2070703@redhat.com> <1336392614.29911.13.camel@balmora.brq.redhat.com> <4FABA16A.10802@redhat.com> <1336982456.4344.28.camel@balmora.brq.redhat.com> <1336984817.4344.43.camel@balmora.brq.redhat.com> <4FB0FEDB.4020806@redhat.com> <1337068555.10688.20.camel@balmora.brq.redhat.com> <4FB23F9B.10000@redhat.com> <1337155089.2963.10.camel@balmora.brq.redhat.com> <4FB3674A.1010402@redhat.com> <1337170298.2963.16.camel@balmora.brq.redhat.com> <4FBF32D3.1060302@redhat.com> <4FC381A3.7020000@redhat.com> <1338214566.5538.11.camel@balmora.brq.redhat.com> <4FD07641.7000707@redhat.com> <4FD7382E.5030401@redhat.com>
Message-ID: <1340198427.25888.1.camel@balmora.brq.redhat.com>

On Tue, 2012-06-12 at 14:38 +0200, Petr Viktorin wrote:
> On 06/07/2012 11:37 AM, Petr Vobornik wrote:
> > On 05/28/2012 04:16 PM, Martin Kosek wrote:
> >> On Mon, 2012-05-28 at 15:46 +0200, Petr Vobornik wrote:
> >>> On 05/25/2012 09:20 AM, Petr Vobornik wrote:
> >>>> On 05/16/2012 02:11 PM, Martin Kosek wrote:
> >>>>> On Wed, 2012-05-16 at 10:37 +0200, Petr Viktorin wrote:
> >>>>>> On 05/16/2012 09:58 AM, Martin Kosek wrote:
> >>>>>>> On Tue, 2012-05-15 at 13:35 +0200, Petr Viktorin wrote:
> >>>>>>>> On 05/15/2012 09:55 AM, Martin Kosek wrote:
> >>>>>>>>> On Mon, 2012-05-14 at 14:47 +0200, Petr Viktorin wrote:
> >>>>>>>>>> The final part of rejecting unknown Command arguments: enable the
> >>>>>>>>>> validation, add tests.
> >>>>>>>>>> Also fix up things that were changed since the previous patches.
> >>>>>>>>>>
> >>>>>>>>>> https://fedorahosted.org/freeipa/ticket/2509
> >>>
> >>> 8><------------------
> >>>
> >>>>>>
> >>>>>> Attaching a rebased patch.
> >>>>>>
> >>>>>
> >>>>> Yup, this one is fine. Now, I did not find issues in the patch itself,
> >>>>> tests are clean.
> >>>>>
> >>>>> However, thanks to this new check I found issues in Web UI
> >>>>> (automember,
> >>>>> selfservice, delegation screen) which use illegal options and which
> >>>>> should be fixed before we push your patch:
> >>>>>
> >>>>> https://fedorahosted.org/freeipa/ticket/2760
> >>>>>
> >>>>> Martin
> >>>>>
> >>>>
> >>>> I found an issue in automountmap_add_indirect. It complains that 'key'
> >>>> is an unknown option.
> >>>
> >>> I found other options which were functional and now it complains:
> >>> * hbacsvcgroup_find: no_hbacsvc
> >>> * hbacsvc_find: not_in_hbacsvcgroup
> >>> * same issue in sudo commands and sudo command groups.
> >>>
> >>> I didn't check all relationships, so it may be broken elsewhere as well.
> >>>
> >>
> >> I don't think this is an error on the server side - it never had filter
> >> options like these in the modules you referenced (though we may add them
> >> as an RFE when needed).
> >>
> >> When you pass these options in the UI to the server side, it's just a NOOP
> >> - or an error when Petr's patch is applied.
> >>
> >> Martin
> >>
> > All issues found in Web UI are fixed.
> >
>
> Updated and rebased patch attached.

I did not find any other issue, so ACK, pushed to master.

Martin

From mkosek at redhat.com Wed Jun 20 13:48:15 2012
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 20 Jun 2012 15:48:15 +0200
Subject: [Freeipa-devel] [PATCH] 27 Case sensitive renaming of objects
In-Reply-To: <4FE1CE4C.7030608@redhat.com>
References: <4FE1CE4C.7030608@redhat.com>
Message-ID: <1340200095.25888.3.camel@balmora.brq.redhat.com>

On Wed, 2012-06-20 at 15:21 +0200, Ondrej Hamada wrote:
> https://fedorahosted.org/freeipa/ticket/2620
>
> When renaming an object its case sensitivity is obeyed. This was a DS bug.
> Unit tests were corrected and the minimal DS version was updated in the spec
> file.
>
> The minimal version for F16 and lower is still in koji only, so we may wait
> with pushing this patch.

I think it's ok, the packages for F16 are already in updates-testing, at least they will be tested and karma++'ed.

ACK. Pushed to master.

Martin

From simo at redhat.com Wed Jun 20 13:57:48 2012
From: simo at redhat.com (Simo Sorce)
Date: Wed, 20 Jun 2012 09:57:48 -0400
Subject: [Freeipa-devel] [PATCH] 0062 Don't crash when server returns extra output
In-Reply-To: <1340189270.3072.29.camel@balmora.brq.redhat.com>
References: <4FD7240A.5040400@redhat.com> <1339504707.8230.577.camel@willson.li.ssimo.org> <4FD73869.6020503@redhat.com> <4FE19398.2040401@redhat.com> <1340189270.3072.29.camel@balmora.brq.redhat.com>
Message-ID: <1340200668.32038.150.camel@willson.li.ssimo.org>

On Wed, 2012-06-20 at 12:47 +0200, Martin Kosek wrote:
> On Wed, 2012-06-20 at 11:10 +0200, Petr Viktorin wrote:
> > On 06/12/2012 02:39 PM, Petr Viktorin wrote:
> > > On 06/12/2012 02:38 PM, Simo Sorce wrote:
> > >> On Tue, 2012-06-12 at 13:12 +0200, Petr Viktorin wrote:
> > >>> This will make older clients usable if new output items get added to
> > >>> commands.
> > >>>
> > >>> Since there might be important information in the extra output, it's not
> > >>> ignored as the ticket asks. Instead it's printed, but not formatted
> > >>> nicely as the client doesn't have enough info for that.
> > >>>
> > >>> https://fedorahosted.org/freeipa/ticket/1721
> > >>
> > >> Patch is missing.
> > >>
> > >> Simo.
> > >>
> > >
> > > My apologies
> > >
> >
> > We decided off-list that relaxing validation is not the right thing to do.
> > A better approach would be to notify the server that the client can
> > accept extended data (through a header or a version parameter).
> > So, ticket 1721 is invalid, but we need a better solution to make
> > https://fedorahosted.org/freeipa/ticket/2732 "Provide means of
> > displaying warning and informational messages on clients" possible.
> >
> > I think that using the existing "version" parameter (which gets added to
> > RPC calls automatically) would be perfect for this.
>
> I agree, API version is exactly what we want. We should not care about
> client version or if the client is in Fedora, RHEL or Ubuntu.
>
> >
> > Simo mentioned that we don't want to make the API depend on the version
> > of our client, so other clients don't need to copy our
> > versioning scheme.
> >
> > However, in the version argument we send the API version, not our client
> > version. I think other clients should know and advertise what API
> > version they are using, and the number shouldn't be specific to our client.
> > It's the perfect place to learn the client's capabilities from, if we're
> > okay with a linear evolution of the API (as opposed to the client
> > advertising individual features).
> >
> > Simo, can you comment? Hopefully I didn't mishear anything in the meeting.
> >
>
> The biggest asset of the API version is that we already have this number
> available for clients that were already released, we don't have to
> backport anything.
>
> I would keep the linear evolution of the API version number as is, but it
> would also be good to assign new API capabilities to the number and
> have a simple way of checking if the client has the capability, i.e.
> something like this:
>
> def post_callback(self, ..., *keys, **options):
>     if 'warnings' in version.client_capabilities(options['version']):
>         send_warning('forward record added, but reverse zone not found')
>         continue
>     else:
>         raise errors.NonFatalError(...)
>
> Martin

Given the discussion, I guess this is the best option we have right now.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Wed Jun 20 14:17:01 2012
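The capability lookup Martin sketches in the thread above, as an added example that is not FreeIPA's own code: capabilities are tied to the API version that introduced them, a server-side callback asks whether the client's advertised version includes one, and older clients get a non-fatal error instead of output they could not render. The capability names, the versions that introduce them and the command result are constructed.

```python
"""Capability lookup keyed on the API version a client advertises.

Added example, not FreeIPA's own code: it models the
version.client_capabilities(options['version']) idea from the thread.
The capability names, the API versions that introduce them and the
command result are constructed.
"""
from __future__ import annotations


class NonFatalError(Exception):
    """Stand-in for errors.NonFatalError: what an old client gets instead of a warning."""


# Capability -> first API version (major, minor) whose clients understand it.
# The API evolves linearly, so a client at version V has every capability
# introduced at or before V. Constructed table.
CAPABILITIES: dict[str, tuple[int, int]] = {
    "warnings": (2, 50),         # result may carry non-fatal warning messages
    "dns_name_values": (2, 83),  # hypothetical later addition
}


def parse_api_version(version: str) -> tuple[int, int]:
    """Parse the 'major.minor' string sent as options['version'].

    Compares numerically, so '2.9' is older than '2.50' (a plain string
    comparison would get that wrong), and rejects malformed values rather
    than guessing a capability set for them.
    """
    major, sep, minor = version.partition(".")
    if not sep or not major.isdigit() or not minor.isdigit():
        raise ValueError(f"invalid API version {version!r}")
    return int(major), int(minor)


def client_capabilities(version: str) -> frozenset[str]:
    """Every capability introduced at or before the client's API version."""
    client = parse_api_version(version)
    return frozenset(name for name, since in CAPABILITIES.items() if client >= since)


def client_has_capability(version: str | None, capability: str) -> bool:
    """False when the client sent no version at all (it predates versioning)."""
    if version is None:
        return False
    return capability in client_capabilities(version)


def post_callback(options: dict, warning: str) -> dict:
    """Server-side hook in the spirit of the sketch in the thread.

    A client that understands warnings gets the warning attached to the
    result; an older client, which could not render the extra output,
    gets NonFatalError instead of silently losing the information.
    """
    result: dict = {"result": {"idnsname": "host1"}}  # constructed command result
    if client_has_capability(options.get("version"), "warnings"):
        result.setdefault("messages", []).append({"type": "warning", "message": warning})
        return result
    raise NonFatalError(warning)
```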
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 20 Jun 2012 10:17:01 -0400
Subject: [Freeipa-devel] [PATCH] 1027 add logging to ipa-upgradeconfig
In-Reply-To: <4FE07917.2060100@redhat.com>
References: <4FDF92EE.8060504@redhat.com> <4FE07917.2060100@redhat.com>
Message-ID: <4FE1DB5D.2080109@redhat.com>

Petr Viktorin wrote:
> On 06/18/2012 10:43 PM, Rob Crittenden wrote:
>> Add some additional logging to ipa-upgradeconfig and have it update
>> /var/log/ipaupgrade.log so we can see what an upgrade has already done.
>>
>> rob
>>
>
> I don't think the indentation works too well:
>
> 2012-06-19T12:52:47Z INFO Verifying that root certificate is published
> 2012-06-19T12:52:47Z DEBUG Certificate file exists
> 2012-06-19T12:52:47Z INFO Verifying that CA proxy configuration is correct
> 2012-06-19T12:52:47Z DEBUG No CA detected in /etc/pki-ca
> 2012-06-19T12:52:47Z INFO Verifying that KDC configuration is using
> ipa-kdb backend
> 2012-06-19T12:52:47Z DEBUG dbmodules already updated in /etc/krb5.conf
>
>
> It would be nice to add a message right after logging setup saying that
> ipa-upgradeconfig is being run.
>
>
> The --debug flag only affects console output, standard_logging_setup
> always sets the file handler to debug level. There's no need for the
> flag with >/dev/null.
>
>
> Otherwise the patch works great.
>

I had put the indentation in so that when executed in a shell you can tell what the heck is going on :-) I'm open to suggestions but I found it hard to read when it was all left-justified.

I'll remove the unnecessary --debug flag.

rob

From ohamada at redhat.com Wed Jun 20 15:43:33 2012
From: ohamada at redhat.com (Ondrej Hamada)
Date: Wed, 20 Jun 2012 17:43:33 +0200
Subject: [Freeipa-devel] [PATCH] 26 Fix '--random' param behaviour for host plugin
In-Reply-To: <1339738614.12383.5.camel@priserak>
References: <4FDA097D.4030601@redhat.com> <4FDA4AF7.1050102@redhat.com> <1339738614.12383.5.camel@priserak>
Message-ID: <4FE1EFA5.4090602@redhat.com>

On 06/15/2012 07:36 AM, Martin Kosek wrote:
> On Thu, 2012-06-14 at 16:35 -0400, Rob Crittenden wrote:
>> Ondrej Hamada wrote:
>>> Improved options checking so that the host-mod operation is not changing
>>> the password for an enrolled host when the '--random' option is used.
>>>
>>> https://fedorahosted.org/freeipa/ticket/2799
>>>
>>> Updated the set of characters that is used for generating random passwords
>>> for ipa hosts. The following characters were removed from the set: '"`\$<>
>>>
>>> https://fedorahosted.org/freeipa/ticket/2800
>> This works ok but it would be nice to have a test for both setting a
>> password and random on an enrolled host to prevent regressions. We have
>> some ipa-getkeytab tests already and these can be extended to test this
>> I think.
>>
>> Might be nice to mention in the inline comment the set of characters
>> excluded and why.
>>
>> rob
>>
I've added a new test class into test_host_plugin.py that takes care of that. Just there is a problem that the ipa-join command always fails on 'adding key into keytab'. But the attributes necessary for testing are set correctly, so the testing can continue.
> We already generate passwords for users with this character set:
> user_pwdchars = string.digits + string.ascii_letters + '_,.@+-='
>
> Why would we want to generate passwords for host enrolling with a
> different set? Additionally, I think the set of characters you chose is
> too wide, try entering a password with ' ', !, (, ), &, or ; without
> careful escaping or quoting...
>
> Martin
>
Ok, I've used the same set of characters as for the user passwords.

-- 
Regards,

Ondrej Hamada
FreeIPA team
jabber: ohama at jabbim.cz
IRC: ohamada
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ohamada-26-2-Change-random-passwords-behaviour.patch
Type: text/x-patch
Size: 6316 bytes
Desc: not available
URL:

From rcritten at redhat.com Wed Jun 20 16:15:58 2012
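An added example (not FreeIPA code) of the point argued in the thread above: it draws random passwords from the user_pwdchars alphabet Martin quotes and uses shlex.quote to check which characters would need escaping on a command line, which is why the wider set was dropped. The list of troublesome characters is constructed from the ones named in the mails.

```python
"""Random passwords from the user_pwdchars alphabet, checked for shell safety.

Added example, not FreeIPA code: it draws passwords from the character set
quoted in the thread for user passwords and uses shlex.quote to show which
of the characters discussed would need escaping on a command line. The
TROUBLESOME list is constructed from the mails' examples.
"""
import secrets
import shlex
import string

# Alphabet quoted in the thread for user passwords (and now hosts too).
USER_PWDCHARS = string.digits + string.ascii_letters + '_,.@+-='

# Characters the thread names as troublesome without quoting: the ones the
# first patch version dropped plus the ones Martin lists. Constructed list.
TROUBLESOME = ' !()&;\'"`\\$<>'


def generate_password(length: int = 12, chars: str = USER_PWDCHARS) -> str:
    """Draw `length` characters uniformly from `chars` using the OS CSPRNG."""
    if length < 1:
        raise ValueError("length must be positive")
    return ''.join(secrets.choice(chars) for _ in range(length))


def chars_needing_shell_quoting(chars: str) -> set[str]:
    """Characters of `chars` that a POSIX shell would not take literally."""
    return {c for c in chars if shlex.quote(c) != c}


def is_shell_safe(password: str) -> bool:
    """True when the password can be pasted on a command line unquoted."""
    return bool(password) and shlex.quote(password) == password


if __name__ == "__main__":
    print("needs quoting from user_pwdchars:", chars_needing_shell_quoting(USER_PWDCHARS))
    print("needs quoting from wider set:", sorted(chars_needing_shell_quoting(TROUBLESOME)))
    print("sample:", generate_password(16))
```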
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 20 Jun 2012 12:15:58 -0400
Subject: [Freeipa-devel] [PATCH] 0056 Framework for admin/install tools, with ipa-ldap-updater
In-Reply-To: <4FDF38AC.1000508@redhat.com>
References: <4FCCCC8B.1030903@redhat.com> <4FDF38AC.1000508@redhat.com>
Message-ID: <4FE1F73E.6000003@redhat.com>

Petr Viktorin wrote:
> On 06/04/2012 04:56 PM, Petr Viktorin wrote:
>> Currently, FreeIPA's install/admin scripts are long pieces of code
>> that aren't very reusable, importable, or testable.
>> They have been extended over time with features such as logging and
>> error handling, but since each tool was extended individually, there
>> is much inconsistency and code duplication.
>> This patch starts a framework which the admin tools can use, and
>> converts ipa-ldap-updater to use the framework.
>>
>> In an earlier patch I found that improving a particular functionality in
>> all the commands is not workable, so I want to tackle this one tool at a
>> time.
>> I'm starting with ipa-ldap-updater, because it's pretty small, doesn't
>> use DNs (I don't want conflicts with John's work), and has the
>> interesting --upgrade option.
>>
>>
>> The framework does these tasks:
>> - Parse options
>> - Select tool to run (see below)
>> - Validate options
>> - Set up logging
>> - Run the tool code
>> - Handle any errors
>> - Log success/failure
>>
>> The base class has some defaults for these that the tools can
>> extend/override.
>>
>>
>> To handle the case where one script does two different things
>> (ipa-ldap-updater with/without --upgrade, or ipa-server-install
>> with/without --uninstall), I want to split the tool in two classes
>> rather than have repeated ifs in the code.
>> This meant that option parsing (and initializing the parser) has to be
>> done before creating an instance of the tool. I use a factory
>> classmethod.
>>
>>
>> I put the admintool base class in ipapython/ as it should be useful for
>> ipa-client-install as well.
>>
>>
>>
>> First part of the work for:
>> https://fedorahosted.org/freeipa/ticket/2652
>>
>>
>
> Attaching rebased patch.

I gather you want people to be calling run_cli() in their admin tools. Should main() be made private then? I could see someone getting confused and using main instead, which would work, but then the return value might not do the right thing. Or maybe just drop run_cli and have main exit with sys.exit()?

It isn't correctly handling the case of an update not found:

ipa : INFO Parsing file ad
[Errno 2] No such file or directory: 'ad'
ipa : INFO File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 151, in execute
    self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_ldap_updater.py", line 180, in run
    modified = ld.update(self.files)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 828, in update
    sys.exit(1)

ipa : INFO The ipa-ldap-updater command failed, exception: SystemExit: 1

Running in test mode with the attached update doesn't seem to work either. There is nothing special about this file, just something I had lying around:

ipa : INFO File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 151, in execute
    self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_ldap_updater.py", line 184, in run
    'Update complete, changes to be made, test mode', 2)

ipa : INFO The ipa-ldap-updater command failed, exception: ScriptError: Update complete, changes to be made, test mode
ipa : ERROR Update complete, changes to be made, test mode
ipa : ERROR None

The unit tests still pass which is good.

With ipa-ldap-updater the return value is a bit strange. All the updates themselves can fail for one reason or another and the command can still consider this a success (it may fail because a feature is not enabled, for example). Still, the success message displayed at the end is a bit jarring when the updates themselves aren't applied. Here is a snippet when running ad.update live:

ipa : INFO New entry: uid=adtrust,cn=notfound,cn=etc,dc=greyoak,dc=com
ipa : DEBUG ---------------------------------------------
ipa : DEBUG dn: uid=adtrust,cn=notfound,cn=etc,dc=greyoak,dc=com
ipa : DEBUG add: 'account' to objectClass, current value []
ipa : DEBUG add: updated value [u'account']
ipa : DEBUG ---------------------------------------------
ipa : DEBUG dn: uid=adtrust,cn=notfound,cn=etc,dc=greyoak,dc=com
ipa : DEBUG objectClass:
ipa : DEBUG account
ipa : DEBUG add: 'adtrust' to uid, current value []
ipa : DEBUG add: updated value [u'adtrust']
ipa : DEBUG ---------------------------------------------
ipa : DEBUG dn: uid=adtrust,cn=notfound,cn=etc,dc=greyoak,dc=com
ipa : DEBUG objectClass:
ipa : DEBUG account
ipa : DEBUG uid:
ipa : DEBUG adtrust
ipa : DEBUG ---------------------------------------------
ipa : DEBUG Final value
ipa : DEBUG dn: uid=adtrust,cn=notfound,cn=etc,dc=greyoak,dc=com
ipa : DEBUG objectClass:
ipa : DEBUG account
ipa : DEBUG uid:
ipa : DEBUG adtrust
ipa : INFO Parent DN of uid=adtrust,cn=notfound,cn=etc,dc=greyoak,dc=com may not exist, cannot create the entry
ipa : INFO The ipa-ldap-updater command was successful
[root at pinto freeipa]# echo $?
0

This may be contrasting just because it is a contrived case. The command rval is separate from whether the updates all applied, so maybe this is ok.

rob
-------------- next part --------------
dn: uid=adtrust,cn=sysaccounts,cn=etc,$SUFFIX
add: objectClass: account
add: objectClass: simplesecurityobject
add: uid: adtrust

dn: uid=adtrust,cn=notfound,cn=etc,$SUFFIX
add: objectClass: account
add: uid: adtrust

From edewata at redhat.com Wed Jun 20 16:46:16 2012
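The update file attached to Rob's mail and the "Parent DN ... may not exist" outcome he quotes, reproduced as an added example that is not FreeIPA's ldapupdate code: it parses the 'dn:' / 'add: attribute: value' format, applies it against a constructed directory where cn=notfound is absent, and reports created and skipped entries separately so the caller can choose an exit status independently of whether every entry applied. The suffix is the one visible in the quoted log; the directory content is constructed.

```python
"""Parse a FreeIPA-style update file and dry-run it against a directory.

Added example, not FreeIPA's ldapupdate code: it reads the update file
attached to the mail ('dn:' then 'add: attribute: value' lines, blank line
between entries) and, like the live run quoted above, refuses to create an
entry whose parent does not exist while still reporting the rest as applied.
The directory content is constructed; $SUFFIX is substituted as the real
updater does.
"""
from __future__ import annotations

SUFFIX = "dc=greyoak,dc=com"  # suffix seen in the quoted log

# The update file attached to the mail, verbatim.
UPDATE_TEXT = """\
dn: uid=adtrust,cn=sysaccounts,cn=etc,$SUFFIX
add: objectClass: account
add: objectClass: simplesecurityobject
add: uid: adtrust

dn: uid=adtrust,cn=notfound,cn=etc,$SUFFIX
add: objectClass: account
add: uid: adtrust
"""

# Constructed directory: cn=sysaccounts exists, cn=notfound does not.
DIRECTORY: dict[str, dict[str, list[str]]] = {
    SUFFIX: {},
    f"cn=etc,{SUFFIX}": {},
    f"cn=sysaccounts,cn=etc,{SUFFIX}": {},
}


def parse_update(text: str, suffix: str) -> list[tuple[str, list[tuple[str, str, str]]]]:
    """Return [(dn, [(op, attribute, value), ...]), ...] with $SUFFIX expanded."""
    entries, dn, ops = [], None, []
    for raw in text.splitlines():
        line = raw.strip().replace("$SUFFIX", suffix)
        if not line:                      # blank line ends the current entry
            if dn is not None:
                entries.append((dn, ops))
            dn, ops = None, []
        elif line.startswith("dn:"):
            dn = line[3:].strip()
        elif dn is None:
            raise ValueError(f"attribute line before any dn: {raw!r}")
        else:
            # 'add: objectClass: account' -> ('add', 'objectClass', 'account');
            # maxsplit=2 keeps any ':' inside the value intact.
            op, attr, value = (part.strip() for part in line.split(":", 2))
            ops.append((op, attr, value))
    if dn is not None:
        entries.append((dn, ops))
    return entries


def parent_dn(dn: str) -> str:
    """Strip the first RDN; constructed DNs contain no escaped commas."""
    return dn.split(",", 1)[1]


def apply_update(entries, directory) -> dict[str, list[str]]:
    """Apply 'add' operations, skipping entries whose parent does not exist.

    Returns {'created': [...], 'skipped': [...]}. As with ipa-ldap-updater
    in the mail, a skipped entry is reported but is not by itself a command
    failure; the caller decides what the exit status should be.
    """
    report: dict[str, list[str]] = {"created": [], "skipped": []}
    for dn, ops in entries:
        if parent_dn(dn) not in directory:
            report["skipped"].append(dn)   # "Parent DN ... may not exist"
            continue
        entry = directory.setdefault(dn, {})
        for op, attr, value in ops:
            if op != "add":
                raise ValueError(f"unsupported operation {op!r} for {dn}")
            entry.setdefault(attr, []).append(value)
        report["created"].append(dn)
    return report


if __name__ == "__main__":
    tree = {dn: dict(attrs) for dn, attrs in DIRECTORY.items()}
    print(apply_update(parse_update(UPDATE_TEXT, SUFFIX), tree))
```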
From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 20 Jun 2012 11:46:16 -0500 Subject: [Freeipa-devel] [PATCH] 157 Added password reset capabilities to unauthorized dialog In-Reply-To: <4FE08622.4040603@redhat.com> References: <4FD21F9E.5000201@redhat.com> <4FD21FD4.4030301@redhat.com> <4FD7CFB7.3020609@redhat.com> <4FD89271.7030406@redhat.com> <4FD8CB4A.6090405@redhat.com> <4FE08622.4040603@redhat.com> Message-ID: <4FE1FE58.9040304@redhat.com> ACK, but feel free to make additional minor changes as suggested below before push. On 6/19/2012 9:01 AM, Petr Vobornik wrote: > In general I like simplifying the dialog so I took most of your > suggestions and implemented them following way: > > Login > ----------------------------------------------------- > > Your session has expired. Please re-login. > > To login with Kerberos, please make sure you > have valid tickets (obtainable via kinit) and > [configured] the browser correctly. > > To login with username and password: > > Username: [edewata ] > Password: [******** ] > > [Login] > > So I just changed the order and kept only one button. If username and > password are filled it uses form-based auth otherwise it uses kerberos > auth. I'm not sure if it is straightforward but it is easy to use. The layout looks good. I think to avoid confusion the text should mention what needs to be done in each login option, something like this: To login with Kerberos, please make sure you have valid tickets (obtainable via kinit) and [configured] the browser correctly, then click Login. To login with username and password, enter them in the fields below then click Login. Another thing, when I fill in the username a red star (required marker) appears next to the password field, and disappears when I remove the username. I don't think we need to display it because it's pretty clear from the text that either you don't fill in anything or you fill in both fields. Less surprises is better, but I'll let you decide. 
> I followed all suggestion in the reset part.
>
> I have to place to the forms error box. I'm not sure about the position
> though.
>
> Updated patch attached.

I think this is fine. Another option is to show the error box between the fields and the buttons, this way the content doesn't shift too much when the error appears. Same thing for the login page.

In the Reset page if you click Cancel it goes back to the Login page, but the username & password are still showing the old values. I think the username_widget and password_widget should be cleared as well. What do you think?

One more thing, this dialog has an X button at the top right corner so people can close it. If it's closed it will show a blank page without a way to open it again. Maybe it should go to the unauthorized.html? This can be fixed separately.

-- 
Endi S. Dewata

From edewata at redhat.com Wed Jun 20 17:00:55 2012
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 20 Jun 2012 12:00:55 -0500
Subject: [Freeipa-devel] [PATCH] 158 Separate reset password page
In-Reply-To: <4FE01AAB.8050805@redhat.com>
References: <4FD22051.7060308@redhat.com> <4FD7CFD6.1040209@redhat.com> <4FD89660.7060002@redhat.com> <4FD8CC71.7030607@redhat.com> <4FE01AAB.8050805@redhat.com>
Message-ID: <4FE201C7.4050308@redhat.com>

On 6/19/2012 1:22 AM, Petr Vobornik wrote:
> Updated patch attached. Sorry for late update, I was working on trust UI
> and didn't want to switch context.

No problem. It would be nicer if this page can use the same fonts as the login dialog in patch #157, but that can be fixed separately.

ACK.

-- 
Endi S. Dewata

From rcritten at redhat.com Wed Jun 20 17:23:38 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 20 Jun 2012 13:23:38 -0400
Subject: [Freeipa-devel] [PATCH] 1023 tool for configuring automount
In-Reply-To: <4FD0CC45.6080803@redhat.com>
References: <4FCE61FD.80801@redhat.com> <4FD0CC45.6080803@redhat.com>
Message-ID: <4FE2071A.10008@redhat.com>

Rob Crittenden wrote:
> Rob Crittenden wrote:
>> Here is a tool that can be used to configure automount in an IPA client.
>> It can use either SSSD or autofs for automount. It also configures NFSv4
>> on the client so secure maps will work.
>
> rebased patch

rebase again

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-1023-3-automount.patch
Type: text/x-diff
Size: 24091 bytes
Desc: not available
URL:

From rcritten at redhat.com Wed Jun 20 17:34:01 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 20 Jun 2012 13:34:01 -0400
Subject: [Freeipa-devel] Updated 389-ds-base released
Message-ID: <4FE20989.7040908@redhat.com>

An update of 389-ds-base has been released which should resolve the problems that IPA was having.

389-ds-base-1.2.11.5-1.fc17 corrects the problems we were seeing with managed entries.

Don't forget to remove 389-ds-base from excludes in your yum.conf and/or use yum versionlock delete 389-ds-base{,-devel,-libs}

regards

rob

From edewata at redhat.com Wed Jun 20 20:21:03 2012
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 20 Jun 2012 15:21:03 -0500
Subject: [Freeipa-devel] [PATCH] 147 Set network.http.sendRefererHeader to 2 on browser config
In-Reply-To: <4FD63B34.1050604@redhat.com>
References: <4FBF99FB.7090206@redhat.com> <4FC53FA6.5030906@redhat.com> <4FCC8B62.2030600@redhat.com> <4FCD768D.3090001@redhat.com> <4FCDFEBD.5060908@redhat.com> <4FD63B34.1050604@redhat.com>
Message-ID: <4FE230AF.70203@redhat.com>

Sorry for the late response. I have some questions below.

On 6/11/2012 1:38 PM, Rob Crittenden wrote:
> Petr Vobornik wrote:
>>>>>> This patch adds a functionality which sets Firefox
>>>>>> network.http.sendRefererHeader configuration option to value '2'
>>>>>> which
>>>>>> enables it.
>>>>>>
>>>>>> Possible values:
>>>>>> http://kb.mozillazine.org/Network.http.sendRefererHeader

According to this page the sendRefererHeader option affects all versions of Firefox and SeaMonkey. However, the patch seems to set the option on newer browsers only that don't have navigator.preference() anymore. Is this correct? Can the option be set using navigator.preference() on older browsers?

>>>>> Should we also add a message when referer is missing to check this
>>>>> setting in about:config?
>>>>
>>>> I'm not sure what you have in mind. We set the referer option so why
>>>> would user check it afterwards?
>>>>
>>>> Yes the ticket was about checking the option but: If user is
>>>> configuring
>>>> the browser he wants the browser configured. So we should set all
>>>> options which are required. This is one of them. We have not been
>>>> notifying the user what was set, so I didn't add such notification for
>>>> this option now as well.
>>>>
>>>> We might want to notify the user what options were changed but it's not
>>>> the topic of this ticket.
>>>
>>> I was thinking more for already configured browsers who then later mess
>>> with this value. It fails in a very non-obvious way.
>>
>> I'm attaching a patch which slightly changes the displayed error message
>> from:
>>
>> Missing or invalid HTTP Referer, missing
>>
>> to:
>>
>> Missing HTTP referer.
>> You have to configure your browser to send HTTP referer header.
>>
>> Also I think we should document how to set it manually. We already have
>> documentation for the rest of browser configuration.
>
> This approach looks ok to me, I think someone with more Javascript
> experience should review the specifics.

The patch tries to replace the ${message} in the message template with the actual error message, but the current message template (i.e. 911) doesn't contain the ${message}. Is this for future use?

If these are actually OK then ACK on both patches.

-- 
Endi S. Dewata

From pviktori at redhat.com Thu Jun 21 08:32:58 2012
From: pviktori at redhat.com (Petr Viktorin)
Date: Thu, 21 Jun 2012 10:32:58 +0200
Subject: [Freeipa-devel] [PATCH] 1027 add logging to ipa-upgradeconfig
In-Reply-To: <4FE1DB5D.2080109@redhat.com>
References: <4FDF92EE.8060504@redhat.com> <4FE07917.2060100@redhat.com> <4FE1DB5D.2080109@redhat.com>
Message-ID: <4FE2DC3A.9080703@redhat.com>

On 06/20/2012 04:17 PM, Rob Crittenden wrote:
> Petr Viktorin wrote:
>> On 06/18/2012 10:43 PM, Rob Crittenden wrote:
>>> Add some additional logging to ipa-upgradeconfig and have it update
>>> /var/log/ipaupgrade.log so we can see what an upgrade has already done.
>>>
>>> rob
>>>
>>
>> I don't think the indentation works too well:
>>
>> 2012-06-19T12:52:47Z INFO Verifying that root certificate is published
>> 2012-06-19T12:52:47Z DEBUG Certificate file exists
>> 2012-06-19T12:52:47Z INFO Verifying that CA proxy configuration is
>> correct
>> 2012-06-19T12:52:47Z DEBUG No CA detected in /etc/pki-ca
>> 2012-06-19T12:52:47Z INFO Verifying that KDC configuration is using
>> ipa-kdb backend
>> 2012-06-19T12:52:47Z DEBUG dbmodules already updated in /etc/krb5.conf
>>
>>
>> It would be nice to add a message right after logging setup saying that
>> ipa-upgradeconfig is being run.
>>
>>
>> The --debug flag only affects console output, standard_logging_setup
>> always sets the file handler to debug level. There's no need for the
>> flag with >/dev/null.
>>
>>
>> Otherwise the patch works great.
>>
>
> I had put the indentation so that when executed in a shell you can tell
> what the heck is going on :-) I'm open to suggestion but I found it hard
> to read when it was all left-justified.

I guess it works now, but we'll need a better approach. If a subsystem logs anything between the indented messages, it will be very confusing.
ipa-client-install uses ini-style sections in debug output, which isn't ideal either but could work here:

[Verify root cert]
Verifying that root certificate is published
Certificate file exists
[Verify CA proxy]
Verifying that CA proxy configuration is correct
No CA detected in /etc/pki-ca
[Verify ipa-kdb backend]
Verifying that KDC configuration is using ipa-kdb backend
dbmodules already updated in /etc/krb5.conf

Having the logger indent all messages properly would be a nicer solution but that would be a rather giant change.

> I'll remove the unnecessary --debug flag.
>
> rob

The indentation is a tiny issue and shouldn't hold the patch back, so ACK if you don't want to chase this further.

-- 
Petr³

From mkosek at redhat.com Thu Jun 21 08:40:11 2012
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 21 Jun 2012 10:40:11 +0200
Subject: [Freeipa-devel] [PATCH] 1023 tool for configuring automount
In-Reply-To: <4FE2071A.10008@redhat.com>
References: <4FCE61FD.80801@redhat.com> <4FD0CC45.6080803@redhat.com> <4FE2071A.10008@redhat.com>
Message-ID: <1340268011.12122.2.camel@balmora.brq.redhat.com>

On Wed, 2012-06-20 at 13:23 -0400, Rob Crittenden wrote:
> Rob Crittenden wrote:
> > Rob Crittenden wrote:
> >> Here is a tool that can be used to configure automount in an IPA client.
> >> It can use either SSSD or autofs for automount. It also configures NFSv4
> >> on the client so secure maps will work.
> >
> > rebased patch
>
> rebase again
>
> rob

I finally managed to look at this patch. This is generally good work and makes things a lot easier, but still I found a few issues:

1) The patch does not apply cleanly, and it needs to be rebased:

# git apply freeipa-rcrit-1023-3-automount.patch
freeipa-rcrit-1023-3-automount.patch:210: trailing whitespace.
freeipa-rcrit-1023-3-automount.patch:264: trailing whitespace.
freeipa-rcrit-1023-3-automount.patch:273: trailing whitespace.
freeipa-rcrit-1023-3-automount.patch:542: trailing whitespace.
.\"
freeipa-rcrit-1023-3-automount.patch:547: trailing whitespace.
.\"
error: patch failed: ipapython/platform/base.py:24
error: ipapython/platform/base.py: patch does not apply

2) This is just an idea, but would it be better to call the new script "ipa-client-automount" so that it is more visible that it is from the ipa-client binary family (along with ipa-client-install)?

3) KeyboardInterrupt is not caught properly:

# ipa-configure-automount
Searching for IPA server...
IPA server: DNS discovery
Location: default
Continue to configure the system with these values?
[no]:
Traceback (most recent call last):
  File "/sbin/ipa-configure-automount", line 433, in
    sys.exit(main())
  File "/sbin/ipa-configure-automount", line 409, in main
    if not options.unattended and not ipautil.user_input("Continue to configure the system with these values?", False):
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 636, in user_input
    ret = raw_input("%s [%s]: " % (prompt, choice))
KeyboardInterrupt

4) Neither is EOFError (CTRL+d):

# ipa-configure-automount
Searching for IPA server...
IPA server: DNS discovery
Location: default
Continue to configure the system with these values? [no]:
Traceback (most recent call last):
  File "/sbin/ipa-configure-automount", line 433, in
    sys.exit(main())
  File "/sbin/ipa-configure-automount", line 409, in main
    if not options.unattended and not ipautil.user_input("Continue to configure the system with these values?", False):
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 636, in user_input
    ret = raw_input("%s [%s]: " % (prompt, choice))
EOFError

5) Would it make sense to check if the given automount location exists? Currently there is no check for that:

# ipa-configure-automount --server vm-091.idm.lab.bos.redhat.com --location foo
Searching for IPA server...
IPA server: DNS discovery
Location: foo
Continue to configure the system with these values? [no]: y
Configured /etc/nsswitch.conf
Configured /etc/sysconfig/nfs
Configured /etc/idmapd.conf
Started nfs-server.service
Started nfs-secure.service
Restarting sssd, waiting for it to become available.
Started autofs.service

Automount then obviously does not work:

Jun 21 04:05:06 localhost automount[1401]: lookup_read_map: lookup(sss): getautomntent_r: No such file or directory

6) In /etc/sssd/sssd.conf we configure ipa_automount_location and autofs_provider options.
But in uninstall, we remove only ipa_automount_location and leave autofs_provider configured.

7) This is related to ipa-client-install, but even when I disable autodiscovery and add the --server option it still disregards it and tries to search SRV records:

# ipa-configure-automount --server=vm-091.idm.lab.bos.redhat.com
Unable to confirm that .redhat.com is an IPA v2 server

8) When discovery is on, we are not really verbose:

# ipa-configure-automount
Searching for IPA server...
IPA server: DNS discovery
Location: default
Continue to configure the system with these values? [no]:

We just write "IPA server: DNS discovery", but I would at least like to know what servers it detected so that I know it does the right thing.

9) autofs via LDAP (no SSSD) is broken when autodiscovery is used. After some investigation I found this line is causing it:

+    if not autodiscover:
+        ldap_uri = "ldap://%s" % server
+    else:
+        ldap_uri = "ldap:///%s" % api.env.basedn    <<< There should be an IPA server, not basedn.

When I fixed it, autofs via LDAP worked.

9) Shouldn't configure_nfs be made optional? I don't think every IPA client with autofs configured will want to have nfs-server running...

10) There are some artifacts in the man page:

+.TP
+Files that will be always be configured:
+
+/etc/nsswitch.conf
+
+Files that will be configured when SSSD is the automount client (default):
+
+/etc/sssd/sssd.conf
+
+Files that will be configured when using the ldap automount client:
+
+/etc/sysconfig/autofs
+
+/etc/autofs_ldap_auth.conf

.TP is missing for the latter 2 file lists, thus causing a bad indent.

Martin

From pviktori at redhat.com Thu Jun 21 10:08:18 2012
From: pviktori at redhat.com (Petr Viktorin)
Date: Thu, 21 Jun 2012 12:08:18 +0200
Subject: [Freeipa-devel] [PATCH] 0065 Improve output validation
Message-ID: <4FE2F292.8070803@redhat.com>

In my patch 62 I fixed output validation. Since that patch was rejected, I'm submitting the fix separately.

https://fedorahosted.org/freeipa/ticket/2860

-- 
Petr³
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0065-Improve-output-validation.patch
Type: text/x-patch
Size: 3815 bytes
Desc: not available
URL:

From pvoborni at redhat.com Thu Jun 21 10:48:59 2012
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 21 Jun 2012 12:48:59 +0200
Subject: [Freeipa-devel] [PATCH] 158 Separate reset password page
In-Reply-To: <4FE201C7.4050308@redhat.com>
References: <4FD22051.7060308@redhat.com> <4FD7CFD6.1040209@redhat.com> <4FD89660.7060002@redhat.com> <4FD8CC71.7030607@redhat.com> <4FE01AAB.8050805@redhat.com> <4FE201C7.4050308@redhat.com>
Message-ID: <4FE2FC1B.4000300@redhat.com>

On 06/20/2012 07:00 PM, Endi Sukma Dewata wrote:
> On 6/19/2012 1:22 AM, Petr Vobornik wrote:
>> Updated patch attached. Sorry for late update, I was working on trust UI
>> and didn't want to switch context.
>
> No problem. It would be nicer if this page can use the same fonts as the
> login dialog in patch #157, but that can be fixed separately.
>
> ACK.
>

Pushed to master.

Fonts: https://fedorahosted.org/freeipa/ticket/2861

-- 
Petr Vobornik

From pvoborni at redhat.com Thu Jun 21 11:26:22 2012
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 21 Jun 2012 13:26:22 +0200
Subject: [Freeipa-devel] [PATCH] 157 Added password reset capabilities to unauthorized dialog
In-Reply-To: <4FE1FE58.9040304@redhat.com>
References: <4FD21F9E.5000201@redhat.com> <4FD21FD4.4030301@redhat.com> <4FD7CFB7.3020609@redhat.com> <4FD89271.7030406@redhat.com> <4FD8CB4A.6090405@redhat.com> <4FE08622.4040603@redhat.com> <4FE1FE58.9040304@redhat.com>
Message-ID: <4FE304DE.8080708@redhat.com>

On 06/20/2012 06:46 PM, Endi Sukma Dewata wrote:
> ACK, but feel free to make additional minor changes as suggested below
> before push.

Pushed to master. I added some of the minor changes (patch attached for completeness).

>
> On 6/19/2012 9:01 AM, Petr Vobornik wrote:
>> In general I like simplifying the dialog so I took most of your
>> suggestions and implemented them following way:
>>
>> Login
>> -----------------------------------------------------
>>
>> Your session has expired. Please re-login.
>>
>> To login with Kerberos, please make sure you
>> have valid tickets (obtainable via kinit) and
>> [configured] the browser correctly.
>>
>> To login with username and password:
>>
>> Username: [edewata ]
>> Password: [******** ]
>>
>> [Login]
>>
>> So I just changed the order and kept only one button. If username and
>> password are filled it uses form-based auth otherwise it uses kerberos
>> auth. I'm not sure if it is straightforward but it is easy to use.
>
> The layout looks good. I think to avoid confusion the text should
> mention what needs to be done in each login option, something like this:
>
> To login with Kerberos, please make sure you have valid tickets
> (obtainable via kinit) and [configured] the browser correctly,
> then click Login.
>
> To login with username and password, enter them in the fields
> below then click Login.

Used both.
>
> Another thing, when I fill in the username a red star (required marker)
> appears next to the password field, and disappears when I remove the
> username. I don't think we need to display it because it's pretty clear
> from the text that either you don't fill in anything or you fill in both
> fields. Less surprises is better, but I'll let you decide.
>

IMO it doesn't do any damage. It also enables required-validation so the 'required field' message is displayed when the user forgets to enter a password. I left it there.

>> I followed all suggestion in the reset part.
>>
>> I have to place to the forms error box. I'm not sure about the position
>> though.
>>
>> Updated patch attached.
>
> I think this is fine. Another option is to show the error box between
> the fields and the buttons, this way the content don't shift too much
> when the error appears. Same thing for the login page.

Left it unchanged.

>
> In the Reset page if you click Cancel it goes back to the Login page,
> but the username & password are still showing the old values. I think
> the username_widget and password_widget should be cleared as well. What
> do you think?

Done.

>
> One more thing, this dialog has an X button at the top right corner so
> people can close it. If it's closed it will show a blank page without a
> way to open it again. Maybe it should go to the unauthorized.html? This
> can be fixed separately.
>

I want to fix the X button separately. Probably we don't handle it well in other dialogs too.

-- 
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0157-2-Added-password-reset-capabilities-to-unauthorized-di.patch
Type: text/x-patch
Size: 24426 bytes
Desc: not available
URL:

From abokovoy at redhat.com Thu Jun 21 15:26:02 2012
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 21 Jun 2012 18:26:02 +0300
Subject: [Freeipa-devel] [PATCH] External group membership for trusted domains
Message-ID: <20120621152602.GA28689@redhat.com>

Hi!

Attached is the patch to support external group membership for trusted domains. This is needed to get proper group membership with the work Sumit and Jan are doing on both IPA and SSSD sides.

We already have the ipaExternalGroup class that includes the ipaExternalMember attribute (multivalued case-insensitive string). The group that has the ipaExternalGroup object class will have to be non-POSIX and the ipaExternalMember attribute will contain security identifiers (SIDs) of members from trusted domains.

The patch takes care of three things:

1. Extends 'ipa group-add' with the --external option to add the ipaExternalGroup object class to a new group
2. Modifies 'ipa group-add-member' to accept the --external CSV argument to specify SIDs
3. Modifies 'ipa group-del-member' to allow removing external members.

When adding a new external member we also perform SID correctness checks. This is an important part of the patch due to potential security implications of allowing random SIDs. SIDs are universal identifiers and can point to objects in our own domain as well as any other. If so-called builtin SIDs are used, they are resolved against the local domain, which would allow granting permissions a trusted domain user should never have had.

Below is how we perform validation of SIDs:

1. Use Samba 4 bindings to parse the SID and validate its format
2. If the SID is outside the S-1-5- prefix (SID_NT_AUTHORITY), we reject it.
3. If the SID is from our own domain, we reject it.
4. If the SID is from any of our trusted domains, we accept it
5. Otherwise we reject the SID.
Here is real code: + def is_trusted_sid_valid(self, sid): + if not self.domain: + # our domain is not configured or self.is_configured() never run + # reject SIDs as we can't check correctness of them + return False + # Parse sid string to see if it is really in a SID format + try: + test_sid = security.dom_sid(sid) + except TypeError: + return False + (dom, sid_rid) = test_sid.split() + sid_dom = str(dom) + # Now we have domain prefix of the sid as sid_dom string and can + # analyze it against known prefixes + if sid_dom.find(security.SID_NT_AUTHORITY) != 0: + # Ignore any potential SIDs that are not S-1-5-* + return False + if sid_dom.find(self.sid) == 0: + # A SID from our own domain cannot be treated as trusted domain's SID + return False + # At this point we have SID_NT_AUTHORITY family SID and really need to + # check it against prefixes of domain SIDs we trust to + if not self._domains: + self._domains = self.get_trusted_domains() + if len(self._domains) == 0: + # Our domain is configured but no trusted domains are configured + # This means we can't check the correctness of a trusted domain SIDs + return False + # We have non-zero list of trusted domains and have to go through them + # one by one and check their sids as prefixes + for (dn, domaininfo) in self._domains: + if sid_dom.find(domaininfo[self.ATTR_TRUSTED_SID][0]) == 0: + return True + return False -- / Alexander Bokovoy -------------- next part -------------- >From 5d68493a061797e671dd42eb278ede1a04cc1a22 Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy Date: Wed, 20 Jun 2012 16:08:33 +0300 Subject: [PATCH 1/3] Add support for external group members When using ipaExternalGroup/ipaExternalMember attributes it is possible to add group members which don't exist in IPA database. This is primarily is required for AD trusts support and therefore validation is accepting only secure identifier (SID) format. https://fedorahosted.org/freeipa/ticket/2664 --- API.txt | 12 ++++-- ipalib/errors.py | 17 ++++++++ ipalib/plugins/baseldap.py | 18 ++++++-- ipalib/plugins/group.py | 103 +++++++++++++++++++++++++++++++++++++++++--- ipalib/plugins/trust.py | 4 ++ ipaserver/dcerpc.py | 93 +++++++++++++++++++++++++++++++++++---- 6 files changed, 226 insertions(+), 21 deletions(-) diff --git a/API.txt b/API.txt index 8127b90b91415d165590845f0ba1b6d94dab28aa..6e993cc9412a354cb882e8f5cc2bd3caede53100 100644 --- a/API.txt +++ b/API.txt @@ -1196,13 +1196,14 @@ output: Output('total', , None) output: Output('count', , None) output: Output('summary', (, ), None) command: group_add -args: 1,8,3 +args: 1,9,3 arg: Str('cn', attribute=True, cli_name='group_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, required=True) option: Str('description', attribute=True, cli_name='desc', multivalue=False, required=True) option: Int('gidnumber', attribute=True, cli_name='gid', minvalue=1, multivalue=False, required=False) option: Str('setattr*', cli_name='setattr', exclude='webui') option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('nonposix', autofill=True, cli_name='nonposix', default=False) +option: Flag('external', autofill=True, cli_name='external', default=False) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('version?', exclude='webui') 
@@ -1210,8 +1211,9 @@ output: Output('summary', (, ), None) output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('value', , None) command: group_add_member -args: 1,5,3 +args: 1,6,3 arg: Str('cn', attribute=True, cli_name='group_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=True) +option: Str('ipaexternalmember*', cli_name='external', csv=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('version?', exclude='webui') @@ -1265,7 +1267,7 @@ output: ListOfEntries('result', (, ), Gettext('A list output: Output('count', , None) output: Output('truncated', , None) command: group_mod -args: 1,11,3 +args: 1,12,3 arg: Str('cn', attribute=True, cli_name='group_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=True) option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, required=False) option: Int('gidnumber', attribute=True, autofill=False, cli_name='gid', minvalue=1, multivalue=False, required=False) @@ -1274,6 +1276,7 @@ option: Str('addattr*', cli_name='addattr', exclude='webui') option: Str('delattr*', cli_name='delattr', exclude='webui') option: Flag('rights', autofill=True, default=False) option: Flag('posix', autofill=True, cli_name='posix', default=False) +option: Flag('external', autofill=True, cli_name='external', default=False) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('version?', exclude='webui') 
@@ -1282,8 +1285,9 @@ output: Output('summary', (, ), None) output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('value', , None) command: group_remove_member -args: 1,5,3 +args: 1,6,3 arg: Str('cn', attribute=True, cli_name='group_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=True) +option: Str('ipaexternalmember*', cli_name='external', csv=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('version?', exclude='webui') diff --git a/ipalib/errors.py b/ipalib/errors.py index 407d9f7dbcf79c47193a3087fe6efbc50728c903..f4dc3c6084b0c36f2fd8556c1b725621bea29d1f 100644 --- a/ipalib/errors.py +++ b/ipalib/errors.py @@ -1277,6 +1277,23 @@ class SingleMatchExpected(ExecutionError): format = _('The search criteria was not specific enough. Expected 1 and found %(found)d.') +class AlreadyExternalGroup(ExecutionError): + """ + **4028** Raised when a group is already an external member group + + For example: + + >>> raise AlreadyExternalGroup + Traceback (most recent call last): + ... + AlreadyExternalGroup: This group already allows external members + + """ + + errno = 4028 + format = _('This group already allows external members') + + class BuiltinError(ExecutionError): """ **4100** Base class for builtin execution errors (*4100 - 4199*). diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 475222a6a30863bcc536e1746bf5b338a4e42448..a1c8c2fbafec979c36978e04e752e8a20066e949 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py 
@@ -362,6 +362,9 @@ def add_external_post_callback(memberattr, membertype, externalattr, ldap, compl externalattr is one of externaluser, """ completed_external = 0 + normalize = True + if 'external_callback_normalize' in options: + normalize = options['external_callback_normalize'] # Sift through the failures. We assume that these are all # entries that aren't stored in IPA, aka external entries. if memberattr in failed and membertype in failed[memberattr]: @@ -373,9 +376,13 @@ def add_external_post_callback(memberattr, membertype, externalattr, ldap, compl membername = entry[0].lower() member_dn = api.Object[membertype].get_dn(membername) if membername not in external_entries and \ - member_dn not in members: + entry[0] not in external_entries and \ + member_dn not in members: # Not an IPA entry, assume external - external_entries.append(membername) + if normalize: + external_entries.append(membername) + else: + external_entries.append(entry[0]) completed_external += 1 elif membername in external_entries and \ member_dn not in members: @@ -409,8 +416,11 @@ def remove_external_post_callback(memberattr, membertype, externalattr, ldap, co completed_external = 0 for entry in failed[memberattr][membertype]: membername = entry[0].lower() - if membername in external_entries: - external_entries.remove(membername) + if membername in external_entries or entry[0] in external_entries: + try: + external_entries.remove(membername) + except ValueError: + external_entries.remove(entry[0]) completed_external += 1 else: failed_entries.append(membername) diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py index 65657363a463fb0ccb07133c9c84e17b15ffee42..83ec980aa6fed10f1a74e6c20736e130af012c54 100644 --- a/ipalib/plugins/group.py +++ b/ipalib/plugins/group.py 
@@ -22,6 +22,12 @@ from ipalib import api from ipalib import Int, Str from ipalib.plugins.baseldap import * from ipalib import _, ngettext +if api.env.in_server and api.env.context in ['lite', 'server']: + try: + import ipaserver.dcerpc + _dcerpc_bindings_installed = True + except Exception, e: + _dcerpc_bindings_installed = False __doc__ = _(""" Groups of users @@ -83,19 +89,18 @@ class group(LDAPObject): object_name_plural = _('groups') object_class = ['ipausergroup'] object_class_config = 'ipagroupobjectclasses' - possible_objectclasses = ['posixGroup', 'mepManagedEntry'] + possible_objectclasses = ['posixGroup', 'mepManagedEntry', 'ipaExternalGroup'] search_attributes_config = 'ipagroupsearchfields' default_attributes = [ 'cn', 'description', 'gidnumber', 'member', 'memberof', - 'memberindirect', 'memberofindirect', + 'memberindirect', 'memberofindirect', 'ipaexternalmember', ] uuid_attribute = 'ipauniqueid' attribute_members = { 'member': ['user', 'group'], 'memberof': ['group', 'netgroup', 'role', 'hbacrule', 'sudorule'], 'memberindirect': ['user', 'group'], - 'memberofindirect': ['group', 'netgroup', 'role', 'hbacrule', - 'sudorule'], + 'memberofindirect': ['group', 'netgroup', 'role', 'hbacrule', 'sudorule'], } rdn_is_primary_key = True @@ -139,10 +144,19 @@ class group_add(LDAPCreate): doc=_('Create as a non-POSIX group'), default=False, ), + Flag('external', + cli_name='external', + doc=_('Allow adding external non-IPA members from trusted domains'), + default=False, + ), ) def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): - if not options['nonposix']: + if 'external' in options: + entry_attrs['objectclass'].append('ipaexternalgroup') + if 'gidnumber' in options: + raise errors.RequirementError(name='gid') + elif not 'nonposix' in options: entry_attrs['objectclass'].append('posixgroup') if not 'gidnumber' in options: entry_attrs['gidnumber'] = 999 
@@ -194,6 +208,11 @@ class group_mod(LDAPUpdate): cli_name='posix', doc=_('change to a POSIX group'), ), + Flag('external', + cli_name='external', + doc=_('change to support external non-IPA members from trusted domains'), + default=False, + ), ) def pre_callback(self, ldap, dn, entry_attrs, *keys, **options): @@ -207,6 +226,14 @@ class group_mod(LDAPUpdate): entry_attrs['objectclass'] = old_entry_attrs['objectclass'] if not 'gidnumber' in options: entry_attrs['gidnumber'] = 999 + if options['external'] in options: + (dn, old_entry_attrs) = ldap.get_entry(dn, ['objectclass']) + if 'ipaexternalgroup' in old_entry_attrs['objectclass']: + if options['external']: + raise errors.AlreadyExternalGroup() + else: + old_entry_attrs['objectclass'].append('ipaexternalgroup') + entry_attrs['objectclass'] = old_entry_attrs['objectclass'] # Can't check for this in a validator because we lack context if 'gidnumber' in options and options['gidnumber'] is None: raise errors.RequirementError(name='gid') 
@@ -274,12 +301,64 @@ api.register(group_show) class group_add_member(LDAPAddMember): __doc__ = _('Add members to a group.') + takes_options = ( + Str('ipaexternalmember*', + cli_name='external', + label=_('External member'), + doc=_('comma-separated SIDs of members of a trusted domain'), + csv=True, + flags=['no_create', 'no_update', 'no_search'], + ), + ) + + def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options): + result = (completed, dn) + if 'ipaexternalmember' in options: + if not _dcerpc_bindings_installed: + raise errors.NotFound(name=_('AD Trust'), + reason=_('''Cannot perform external member validation without Samba 4 support installed. + Make sure you have installed server-trust-ad sub-package of IPA on the server''')) + domain_validator = ipaserver.dcerpc.DomainValidator(self.api) + if not domain_validator.is_configured(): + raise errors.NotFound(name=_('AD Trust setup'), + reason=_('''Cannot perform join operation without own domain configured. 
+ Make sure you have run ipa-adtrust-install on the IPA server first''')) + sids = [] + failed_sids = [] + for sid in options['ipaexternalmember']: + if domain_validator.is_trusted_sid_valid(sid): + sids.append(sid) + else: + failed_sids.append((sid, 'Not a trusted domain SID')) + if len(sids) == 0: + raise errors.ValidationError(name=_('external member'), + error=_('values are not recognized as valid SIDs from trusted domain')) + restore = [] + if 'member' in failed and 'group' in failed['member']: + restore = failed['member']['group'] + failed['member']['group'] = list((id,id) for id in sids) + result = add_external_post_callback('member', 'group', 'ipaexternalmember', + ldap, completed, failed, dn, entry_attrs, + keys, options, external_callback_normalize=False) + failed['member']['group'] = restore + failed_sids + return result + api.register(group_add_member) class group_remove_member(LDAPRemoveMember): __doc__ = _('Remove members from a group.') + takes_options = ( + Str('ipaexternalmember*', + cli_name='external', + label=_('External member'), + doc=_('comma-separated SIDs of members of a trusted domain'), + csv=True, + flags=['no_create', 'no_update', 'no_search'], + ), + ) + def pre_callback(self, ldap, dn, found, not_found, *keys, **options): if keys[0] == protected_group_name: result = api.Command.group_show(protected_group_name) 
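Review bot: the 'AD Trust setup' error raised in group_add_member.post_callback says "Cannot perform join operation", copied from trust_add_ad; here the operation is adding external members, and the same sentence appears a third time in trust.py, so one module-level constant with wording that fits both would keep them consistent. Two further points on this hunk: SIDs that fail is_trusted_sid_valid are appended to failed['member']['group'] with 'Not a trusted domain SID', so the CLI reports them as failed *group* members rather than failed external members; and because this is a post_callback, the NotFound for missing bindings or an unconfigured domain is raised after LDAPAddMember has already applied any --users/--groups given in the same call, leaving a partial update behind. Doing the bindings/configuration/SID validation in a pre_callback would reject the request before the entry is touched.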
@@ -290,6 +369,20 @@ class group_remove_member(LDAPRemoveMember): label=_(u'group'), container=protected_group_name) return dn + def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options): + result = (completed, dn) + if 'ipaexternalmember' in options: + sids = options['ipaexternalmember'] + restore = list() + if 'member' in failed and 'group' in failed['member']: + restore = failed['member']['group'] + failed['member']['group'] = list((id,id) for id in sids) + result = remove_external_post_callback('member', 'group', 'ipaexternalmember', + ldap, completed, failed, dn, entry_attrs, + keys, options) + failed['member']['group'] = restore + return result + api.register(group_remove_member) diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index 2fd949cd24145a28ebbe909543914b56027e1d45..b313b30d9b16911adea3c607dbff7e5fe30bda1f 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py @@ -154,6 +154,10 @@ class trust_add_ad(LDAPCreate): realm_server = options['realm_server'] trustinstance = ipaserver.dcerpc.TrustDomainJoins(self.api) + if not trustinstance.configured: + raise errors.NotFound(name=_('AD Trust setup'), + reason=_('''Cannot perform join operation without own domain configured. + Make sure you have run ipa-adtrust-install on the IPA server first''')) # 1. Full access to the remote domain. Use admin credentials and # generate random trustdom password to do work on both sides diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index 3bc8b63af3f416cc45cb75c76fd7b9587f367e3e..ae5f4b632b514929a0cae35db14e0b5d6e484910 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py 
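Review bot: group_remove_member.post_callback hands the --external values to remove_external_post_callback without any of the checks group_add_member performs, which is acceptable for removal (nothing can be added that way), but a malformed or unknown SID will be reported as removed unless remove_external_post_callback itself reports values that were not present; at least check membership so the user gets a 'not a member' failure. The `takes_options` tuple for `ipaexternalmember*` is duplicated verbatim between the two commands and should be a shared module-level tuple. In trust_add_ad the `configured` check is right, but since TrustDomainJoins.__init__ now swallows the unconfigured state, any other caller of join_ad_full_credentials/join_ad_ipa_half that skips this check gets a silent None, which reads as "trust not established" rather than "server not configured".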
@@ -58,6 +58,79 @@ class ExtendedDNControl(_ldap.controls.RequestControl): def encodeControlValue(self): return '0\x03\x02\x01\x01' +class DomainValidator(object): + ATTR_FLATNAME = 'ipantflatname' + ATTR_SID = 'ipantsecurityidentifier' + ATTR_TRUSTED_SID = 'ipanttrusteddomainsid' + + def __init__(self, api): + self.api = api + self.ldap = self.api.Backend.ldap2 + self.domain = None + self.flatname = None + self.dn = None + self.sid = None + self._domains = None + + def is_configured(self): + cn_trust_local = DN(('cn', self.api.env.domain), self.api.env.container_cifsdomains, self.api.env.basedn) + try: + (dn, entry_attrs) = self.ldap.get_entry(unicode(cn_trust_local), [self.ATTR_FLATNAME, self.ATTR_SID]) + self.flatname = entry_attrs[self.ATTR_FLATNAME][0] + self.sid = entry_attrs[self.ATTR_SID][0] + self.dn = dn + self.domain = self.api.env.domain + except errors.NotFound, e: + return False + return True + + def get_trusted_domains(self): + cn_trust = DN(('cn', 'ad'), self.api.env.container_trusts, self.api.env.basedn) + try: + search_kw = {'objectClass': 'ipaNTTrustedDomain'} + filter = self.ldap.make_filter(search_kw, rules=self.ldap.MATCH_ALL) + (entries, truncated) = self.ldap.find_entries(filter=filter, base_dn=unicode(cn_trust), + attrs_list=[self.ATTR_TRUSTED_SID, 'dn']) + + return entries + except errors.NotFound, e: + return [] + + def is_trusted_sid_valid(self, sid): + if not self.domain: + # our domain is not configured or self.is_configured() never run + # reject SIDs as we can't check correctness of them + return False + # Parse sid string to see if it is really in a SID format + try: + test_sid = security.dom_sid(sid) + except TypeError: + return False + (dom, sid_rid) = test_sid.split() + sid_dom = str(dom) + # Now we have domain prefix of the sid as sid_dom string and can + # analyze it against known prefixes + if sid_dom.find(security.SID_NT_AUTHORITY) != 0: + # Ignore any potential SIDs that are not S-1-5-* + return False + if 
sid_dom.find(self.sid) == 0: + # A SID from our own domain cannot be treated as trusted domain's SID + return False + # At this point we have SID_NT_AUTHORITY family SID and really need to + # check it against prefixes of domain SIDs we trust to + if not self._domains: + self._domains = self.get_trusted_domains() + if len(self._domains) == 0: + # Our domain is configured but no trusted domains are configured + # This means we can't check the correctness of a trusted domain SIDs + return False + # We have non-zero list of trusted domains and have to go through them + # one by one and check their sids as prefixes + for (dn, domaininfo) in self._domains: + if sid_dom.find(domaininfo[self.ATTR_TRUSTED_SID][0]) == 0: + return True + return False + class TrustDomainInstance(object): def __init__(self, hostname, creds=None): @@ -247,20 +320,18 @@ class TrustDomainInstance(object): self._pipe.CreateTrustedDomainEx2(self._policy_handle, info, self.auth_info, security.SEC_STD_DELETE) class TrustDomainJoins(object): - ATTR_FLATNAME = 'ipantflatname' - def __init__(self, api): self.api = api self.local_domain = None self.remote_domain = None - self.ldap = self.api.Backend.ldap2 - cn_trust_local = DN(('cn', self.api.env.domain), self.api.env.container_cifsdomains, self.api.env.basedn) - (dn, entry_attrs) = self.ldap.get_entry(unicode(cn_trust_local), [self.ATTR_FLATNAME]) - self.local_flatname = entry_attrs[self.ATTR_FLATNAME][0] - self.local_dn = dn + domain_validator = DomainValidator(api) + self.configured = domain_validator.is_configured() - self.__populate_local_domain() + if self.configured: + self.local_flatname = domain_validator.flatname + self.local_dn = domain_validator.dn + self.__populate_local_domain() def __populate_local_domain(self): # Initialize local domain info using kerberos only 
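Review bot: is_trusted_sid_valid is the security-relevant check in this patch and its domain comparisons are string-prefix tests (`sid_dom.find(...) == 0`), which are too loose: `test_sid.split()` already yields the exact domain SID, and a prefix test accepts any domain SID that extends a trusted one in decimal notation, so with trusted domain S-1-5-21-1-2-3 a member of an untrusted domain S-1-5-21-1-2-30 would validate, and the own-domain rejection has the mirror problem (a foreign domain whose SID merely starts with ours is rejected). Compare `sid_dom` for equality against `self.sid` and against each `domaininfo[self.ATTR_TRUSTED_SID][0]`; the authority check can stay a prefix test if written as `sid_dom.startswith(security.SID_NT_AUTHORITY + '-')`. Smaller points: only TypeError is caught around `security.dom_sid(sid)`, so confirm that is what the samba binding raises for malformed input; `filter` in get_trusted_domains shadows the builtin; and in TrustDomainJoins.__init__, when `configured` is False `local_flatname` and `local_dn` are never assigned, so a later access raises AttributeError instead of a clear error (initialise them to None).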
@@ -308,6 +379,9 @@ class TrustDomainJoins(object): self.remote_domain = rd def join_ad_full_credentials(self, realm, realm_server, realm_admin, realm_passwd): + if not self.configured: + return None + self.__populate_remote_domain(realm, realm_server, realm_admin, realm_passwd) if not self.remote_domain.read_only: trustdom_pass = samba.generate_random_password(128, 128) @@ -317,6 +391,9 @@ class TrustDomainJoins(object): return None def join_ad_ipa_half(self, realm, realm_server, trustdom_passwd): + if not self.configured: + return None + self.__populate_remote_domain(realm, realm_server, realm_passwd=None) self.local_domain.establish_trust(self.remote_domain, trustdom_passwd) return dict(local=self.local_domain, remote=self.remote_domain) -- 1.7.10.2 From abokovoy at redhat.com Thu Jun 21 15:29:45 2012 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 21 Jun 2012 18:29:45 +0300 Subject: [Freeipa-devel] [PATCH] Restart dirsrv as part of ipa-adtrust-install Message-ID: <20120621152945.GB28689@redhat.com> We should restart Directory Server when performing AD trusts configuration to enable new CLDAP plugin and force KDC to notice MS PAC is now available. Previously we only restarted KDC but if dirsrv is restarted, KDC will notice its socket disappeared and will refresh itself. http://fedorahosted.org/freeipa/ticket/2862 -- / Alexander Bokovoy -------------- next part -------------- >From 9c982e28ce08d1d6847276e3d39496089edf6b58 Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy Date: Thu, 21 Jun 2012 16:04:10 +0300 Subject: [PATCH 2/3] restart dirsrv as part of ipa-adtrust-install We should restart Directory Server when performing AD trusts configuration to enable new CLDAP plugin and force KDC to notice MS PAC is now available. Previously we only restarted KDC but if dirsrv is restarted, KDC will notice its socket disappeared and will refresh itself http://fedorahosted.org/freeipa/ticket/2862 --- ipaserver/install/adtrustinstance.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py index 5f74054316ed714cc5cab004b497033dc4b47adf..4d417c8d1d15e4e7a799e871f886232cbf888331 100644 --- a/ipaserver/install/adtrustinstance.py +++ b/ipaserver/install/adtrustinstance.py @@ -364,9 +364,9 @@ class ADTRUSTInstance(service.Service): except: pass - def __restart_kdc(self): + def __restart_dirsrv(self): try: - ipaservices.knownservices.krb5kdc.restart() + ipaservices.knownservices.dirsrv.restart() except: pass @@ -434,8 +434,8 @@ class ADTRUSTInstance(service.Service): if not self.no_msdcs: self.step("adding special DNS service records", \ self.__add_dns_service_records) - self.step("restarting KDC to take MS PAC changes into account", \ - self.__restart_kdc) + self.step("restarting Directory Server to take MS PAC and CLDAP changes into account", \ + self.__restart_dirsrv) self.step("setting SELinux booleans", \ self.__configure_selinux_for_smbd) self.step("starting smbd", self.__start) -- 1.7.10.2 From abokovoy at redhat.com Thu Jun 21 15:30:39 2012 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 21 Jun 2012 18:30:39 +0300 Subject: [Freeipa-devel] [PATCH] Reformat ipa-adtrust-install final message to fit 80 columns Message-ID: <20120621153038.GC28689@redhat.com> https://fedorahosted.org/freeipa/ticket/2857 -- / Alexander Bokovoy -------------- next part -------------- 
>From bb54d74b7816374206843f5739ac672a13af971e Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Thu, 21 Jun 2012 16:19:27 +0300 Subject: [PATCH 3/3] Re-format ipa-adtrust-install final message to be within 80 characters wide https://fedorahosted.org/freeipa/ticket/2857 --- install/tools/ipa-adtrust-install | 52 ++++++++++++++++++++----------------- 1 file changed, 28 insertions(+), 24 deletions(-) diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install index c0b477102462e128400436f52d2f78b092f5272d..49bcf54e7c26c92f246c7612940d441e60a86e1f 100755 --- a/install/tools/ipa-adtrust-install +++ b/install/tools/ipa-adtrust-install 
@@ -210,30 +210,34 @@ def main(): netbios_name, options.no_msdcs) smb.create_instance() - print "==============================================================================" - print "Setup complete" - print "" - print "\tYou must make sure these network ports are open:" - print "\t\tTCP Ports:" - print "\t\t * 138: netbios-dgm" - print "\t\t * 139: netbios-ssn" - print "\t\t * 445: microsoft-ds" - print "\t\tUDP Ports:" - print "\t\t * 138: netbios-dgm" - print "\t\t * 139: netbios-ssn" - print "\t\t * 389: (C)LDAP" - print "\t\t * 445: microsoft-ds" - print "" - print "\tAdditionally you have to make sure the FreeIPA LDAP server cannot be reached" - print "\tby any domain controller in the Active Directory domain by closing the" - print "\tfollowing ports for these servers:" - print "\t\tTCP Ports:" - print "\t\t * 389, 636: LDAP/LDAPS" - print "\tYou may want to choose to REJECT the network packets instead of DROPing them" - print "\tto avoid timeouts on the AD domain controllers." - print "" - print "\tWARNING: you MUST re-kinit admin user before using 'ipa trust-*' commands family" - print "\tin order to re-generate Kerberos tickets to include AD-specific information" + print """ +============================================================================= +Setup complete + +You must make sure these network ports are open: +\tTCP Ports: +\t * 138: netbios-dgm +\t * 139: netbios-ssn +\t * 445: microsoft-ds +\tUDP Ports: +\t * 138: netbios-dgm +\t * 139: netbios-ssn +\t * 389: (C)LDAP +\t * 445: microsoft-ds + +Additionally you have to make sure the FreeIPA LDAP server is not reachable +by any domain controller in the Active Directory domain by closing down +the following ports for these servers: +\tTCP Ports: +\t * 389, 636: LDAP/LDAPS + +You may want to choose to REJECT the network packets instead of DROPing +them to avoid timeouts on the AD domain controllers. 
+ +============================================================================= +WARNING: you MUST re-kinit admin user before using 'ipa trust-*' commands +family in order to re-generate Kerberos tickets to include AD-specific +information""" return 0 -- 1.7.10.2 From pvoborni at redhat.com Thu Jun 21 16:29:57 2012 
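Review bot: since this patch rewrites the final message anyway, the port list it carries over is worth correcting rather than reflowing: the NetBIOS datagram service (138) is UDP only, and the NetBIOS session service (139) and microsoft-ds (445) are served over TCP, so the 'TCP 138', 'UDP 139' and 'UDP 445' entries only widen whatever firewall rules an administrator copies from this text; 137/udp (netbios-ns) is missing if nmbd is run. Keep the 389/udp CLDAP line clearly separate from the TCP 389/636 that the next paragraph asks to be blocked from AD domain controllers, because the two are easy to confuse once translated into firewall rules.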
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 21 Jun 2012 18:29:57 +0200
Subject: [Freeipa-devel] [PATCH] 147 Set network.http.sendRefererHeader to 2 on browser config
In-Reply-To: <4FE230AF.70203@redhat.com>
References: <4FBF99FB.7090206@redhat.com> <4FC53FA6.5030906@redhat.com> <4FCC8B62.2030600@redhat.com> <4FCD768D.3090001@redhat.com> <4FCDFEBD.5060908@redhat.com> <4FD63B34.1050604@redhat.com> <4FE230AF.70203@redhat.com>
Message-ID: <4FE34C05.2010401@redhat.com>

On 06/20/2012 10:21 PM, Endi Sukma Dewata wrote:
> Sorry for the late response. I have some questions below.
>
> On 6/11/2012 1:38 PM, Rob Crittenden wrote:
>> Petr Vobornik wrote:
>>>>>>> This patch adds a functionality which sets the Firefox
>>>>>>> network.http.sendRefererHeader configuration option to value '2'
>>>>>>> which enables it.
>>>>>>>
>>>>>>> Possible values:
>>>>>>> http://kb.mozillazine.org/Network.http.sendRefererHeader
>
> According to this page the sendRefererHeader option affects all versions
> of Firefox and SeaMonkey. However, the patch seems to set the option on
> newer browsers only that don't have navigator.preference() anymore. Is
> this correct? Can the option be set using navigator.preference() on
> older browsers?
>

I modified the patch to set it in old browsers. Patch attached. I tested
it in Firefox 3.6.17 in a fresh install of RHEL 6.1.

>>>>>> Should we also add a message when referer is missing to check this
>>>>>> setting in about:config?
>>>>>
>>>>> I'm not sure what you have in mind. We set the referer option so why
>>>>> would the user check it afterwards?
>>>>>
>>>>> Yes, the ticket was about checking the option but: if the user is
>>>>> configuring the browser he wants the browser configured. So we should
>>>>> set all options which are required. This is one of them. We have not
>>>>> been notifying the user what was set, so I didn't add such a
>>>>> notification for this option now as well.
>>>>>
>>>>> We might want to notify the user what options were changed but it's
>>>>> not the topic of this ticket.
>>>>
>>>> I was thinking more of already configured browsers which then later mess
>>>> with this value. It fails in a very non-obvious way.
>>>
>>> I'm attaching a patch which slightly changes the displayed error message
>>> from:
>>>
>>> Missing or invalid HTTP Referer, missing
>>>
>>> to:
>>>
>>> Missing HTTP referer.
>>> You have to configure your browser to send HTTP referer header.
>>>
>>> Also I think we should document how to set it manually. We already have
>>> documentation for the rest of the browser configuration.
>>
>> This approach looks ok to me, I think someone with more Javascript
>> experience should review the specifics.
>
> The patch tries to replace the ${message} in the message template with
> the actual error message, but the current message template (i.e. 911)
> doesn't contain the ${message}. Is this for future use?

Yes, it's for future use.

>
> If these are actually OK then ACK on both patches.
>

-- 
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0147-1-Set-network.http.sendRefererHeader-to-2-on-browser-c.patch
Type: text/x-patch
Size: 3111 bytes
Desc: not available
URL: 

From edewata at redhat.com Thu Jun 21 16:41:17 2012
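The "fails in a very non-obvious way" case discussed in this thread is a server-side Referer check turning away a browser that no longer sends the header. The block below is an added example, not FreeIPA's rpcserver code: it encodes one plausible policy (Referer mandatory, https only, host equal to the server's own name, path below /ipa) as an assumption made for the example, and the request dicts are constructed, not captured traffic. It shows why the missing-header case deserves its own message, separate from a header that is present but wrong.

```python
"""Referer check of the kind behind the error text discussed in this thread.

Added example, not FreeIPA's rpcserver code. The policy encoded here is an
assumption made for the example: the Referer header is mandatory, must be
https, must name the server's own host, and must point below /ipa. A browser
whose network.http.sendRefererHeader is 0 sends no header at all, which is
the case the reworded error message is meant to explain.
"""
from urllib.parse import urlsplit

# Wording from the patch under review, plus a distinct message for the case
# where the header is present but does not match.
MISSING = ("Missing HTTP referer. "
           "You have to configure your browser to send HTTP referer header.")
INVALID = "Invalid HTTP referer."


def check_referer(environ, server_host, prefix="/ipa"):
    """Return (ok, message) for a WSGI-style environ dict.

    An absent header and an empty one are treated alike: both are what a
    browser configured not to send Referer produces.
    """
    referer = environ.get("HTTP_REFERER", "")
    if not referer:
        return False, MISSING
    parts = urlsplit(referer)
    # Only an https origin may drive the API; a downgraded page is not trusted.
    if parts.scheme != "https":
        return False, INVALID
    # Compare the host part only, case-insensitively; a port is allowed.
    if (parts.hostname or "").lower() != server_host.lower():
        return False, INVALID
    # Match a whole path component, so /ipax does not pass as /ipa.
    if not (parts.path == prefix or parts.path.startswith(prefix + "/")):
        return False, INVALID
    return True, ""


# Constructed sample requests (not captured traffic): the situations the
# thread talks about plus two cross-site shapes a Referer check must reject.
SAMPLES = {
    "browser sends referer": {"HTTP_REFERER": "https://ipa.example.com/ipa/ui/"},
    "referer disabled":      {},
    "referer emptied":       {"HTTP_REFERER": ""},
    "plain http":            {"HTTP_REFERER": "http://ipa.example.com/ipa/ui/"},
    "lookalike host":        {"HTTP_REFERER": "https://ipa.example.com.evil.test/ipa/ui/"},
    "other path":            {"HTTP_REFERER": "https://ipa.example.com/ipax/"},
}


def evaluate(samples=SAMPLES, server_host="ipa.example.com"):
    """Run every sample through the check; returns {name: (ok, message)}."""
    return {name: check_referer(env, server_host) for name, env in samples.items()}


if __name__ == "__main__":
    for name, (ok, message) in evaluate().items():
        print("%-22s %s %s" % (name, "accept" if ok else "reject", message))
```

A Referer check of this kind is cheap CSRF protection, but it only works while browsers cooperate: a value of 0 for sendRefererHeader suppresses the header on every request, so without a message that names the header the user sees nothing but a rejected login.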
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 21 Jun 2012 11:41:17 -0500
Subject: [Freeipa-devel] [PATCH] 147 Set network.http.sendRefererHeader to 2 on browser config
In-Reply-To: <4FE34C05.2010401@redhat.com>
References: <4FBF99FB.7090206@redhat.com> <4FC53FA6.5030906@redhat.com> <4FCC8B62.2030600@redhat.com> <4FCD768D.3090001@redhat.com> <4FCDFEBD.5060908@redhat.com> <4FD63B34.1050604@redhat.com> <4FE230AF.70203@redhat.com> <4FE34C05.2010401@redhat.com>
Message-ID: <4FE34EAD.2050001@redhat.com>

On 6/21/2012 11:29 AM, Petr Vobornik wrote:
> I modified the patch to set it in old browsers. Patch attached. I tested
> it in Firefox 3.6.17 in a fresh install of RHEL 6.1.

ACK.

-- 
Endi S. Dewata

From simo at redhat.com Thu Jun 21 18:31:46 2012
From: simo at redhat.com (Simo Sorce)
Date: Thu, 21 Jun 2012 14:31:46 -0400
Subject: [Freeipa-devel] [PATCH] Restart dirsrv as part of ipa-adtrust-install
In-Reply-To: <20120621152945.GB28689@redhat.com>
References: <20120621152945.GB28689@redhat.com>
Message-ID: <1340303506.32038.172.camel@willson.li.ssimo.org>

On Thu, 2012-06-21 at 18:29 +0300, Alexander Bokovoy wrote:
> We should restart Directory Server when performing AD trusts
> configuration to enable new CLDAP plugin and force KDC to notice MS PAC
> is now available. Previously we only restarted KDC but if dirsrv is
> restarted, KDC will notice its socket disappeared and will refresh
> itself.
>
> http://fedorahosted.org/freeipa/ticket/2862

ACK.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From simo at redhat.com Thu Jun 21 18:33:53 2012
From: simo at redhat.com (Simo Sorce)
Date: Thu, 21 Jun 2012 14:33:53 -0400
Subject: [Freeipa-devel] [PATCH] Reformat ipa-adtrust-install final message to fit 80 columns
In-Reply-To: <20120621153038.GC28689@redhat.com>
References: <20120621153038.GC28689@redhat.com>
Message-ID: <1340303633.32038.173.camel@willson.li.ssimo.org>

On Thu, 2012-06-21 at 18:30 +0300, Alexander Bokovoy wrote:
> https://fedorahosted.org/freeipa/ticket/2857

ACK.

-- 
Simo Sorce * Red Hat, Inc * New York

From mkosek at redhat.com Fri Jun 22 06:49:13 2012
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 22 Jun 2012 08:49:13 +0200
Subject: [Freeipa-devel] [PATCH] Restart dirsrv as part of ipa-adtrust-install
In-Reply-To: <1340303506.32038.172.camel@willson.li.ssimo.org>
References: <20120621152945.GB28689@redhat.com> <1340303506.32038.172.camel@willson.li.ssimo.org>
Message-ID: <4FE41569.4070309@redhat.com>

On 06/21/2012 08:31 PM, Simo Sorce wrote:
> On Thu, 2012-06-21 at 18:29 +0300, Alexander Bokovoy wrote:
>> We should restart Directory Server when performing AD trusts
>> configuration to enable new CLDAP plugin and force KDC to notice MS PAC
>> is now available. Previously we only restarted KDC but if dirsrv is
>> restarted, KDC will notice its socket disappeared and will refresh
>> itself.
>>
>> http://fedorahosted.org/freeipa/ticket/2862
>
> ACK.
>
> Simo.
>

Pushed to master.

Martin

From mkosek at redhat.com Fri Jun 22 06:49:28 2012
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 22 Jun 2012 08:49:28 +0200
Subject: [Freeipa-devel] [PATCH] Reformat ipa-adtrust-install final message to fit 80 columns
In-Reply-To: <1340303633.32038.173.camel@willson.li.ssimo.org>
References: <20120621153038.GC28689@redhat.com> <1340303633.32038.173.camel@willson.li.ssimo.org>
Message-ID: <4FE41578.5070908@redhat.com>

On 06/21/2012 08:33 PM, Simo Sorce wrote:
> On Thu, 2012-06-21 at 18:30 +0300, Alexander Bokovoy wrote:
>> https://fedorahosted.org/freeipa/ticket/2857
>
> ACK.
>

Pushed to master.

Martin

From pvoborni at redhat.com Fri Jun 22 08:54:01 2012
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 22 Jun 2012 10:54:01 +0200
Subject: [Freeipa-devel] [PATCH] 147 Set network.http.sendRefererHeader to 2 on browser config
In-Reply-To: <4FE34EAD.2050001@redhat.com>
References: <4FBF99FB.7090206@redhat.com> <4FC53FA6.5030906@redhat.com> <4FCC8B62.2030600@redhat.com> <4FCD768D.3090001@redhat.com> <4FCDFEBD.5060908@redhat.com> <4FD63B34.1050604@redhat.com> <4FE230AF.70203@redhat.com> <4FE34C05.2010401@redhat.com> <4FE34EAD.2050001@redhat.com>
Message-ID: <4FE432A9.2050807@redhat.com>

On 06/21/2012 06:41 PM, Endi Sukma Dewata wrote:
> On 6/21/2012 11:29 AM, Petr Vobornik wrote:
>> I modified the patch to set it in old browsers. Patch attached. I tested
>> it in Firefox 3.6.17 in a fresh install of RHEL 6.1.
>
> ACK.
>

Patches #147-1 and #137 pushed to master.

-- 
Petr Vobornik

From mkosek at redhat.com Fri Jun 22 10:20:01 2012
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 22 Jun 2012 12:20:01 +0200
Subject: [Freeipa-devel] [DRAFT2] Per-domain DNS update permissions
In-Reply-To: <4FDF4B2F.8020401@redhat.com>
References: <1339766543.12383.48.camel@priserak> <1339769714.32038.0.camel@willson.li.ssimo.org> <1340000969.7024.2.camel@balmora.brq.redhat.com> <4FDF4B2F.8020401@redhat.com>
Message-ID: <4FE446D1.1040101@redhat.com>

On 06/18/2012 05:37 PM, Rob Crittenden wrote:
> Martin Kosek wrote:
>> On Fri, 2012-06-15 at 10:15 -0400, Simo Sorce wrote:
>>> On Fri, 2012-06-15 at 15:22 +0200, Martin Kosek wrote:
>>>> Hello all,
>>>>
>>>> In the scope of ticket 2511 I would like to implement an ability to
>>>> delegate DNS update permissions to a chosen user (or host) without
>>>> having to give the user full "Update DNS Entries" privileges, i.e.
>>>> allow him to modify any DNS zone or record.
>>>>
>>>> So far, this is what I would like to do (comments welcome):
>>>>
>>>> 1) Create new objectclass "idnsManagedZone" with "managedBy" attribute
>>>> in MAY list
>>>> 2) Create new DNS commands:
>>>> a] dnszone-add-managedby [--users=USERS] [--hosts=HOSTS]
>>>> b] dnszone-remove-managedby [--users=USERS] [--hosts=HOSTS]
>>>> - these commands would add/remove the chosen user/host DN to the managedBy
>>>> attribute in the chosen DNS zone
>>>> 3) Add new generic ACIs to cn=dns,$SUFFIX:
>>>> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl
>>>> "Users and hosts can add DNS entries";allow (add) userattr =
>>>> "parent[1].managedby#USERDN";)
>>>> ... add similar ACIs for UPDATE, REMOVE access
>>>>
>>>> With these steps done, all that an administrator would need to do to
>>>> delegate management of a DNS zone "example.com" is to run this
>>>> command:
>>>> $ ipa dnszone-add-managedby example.com --users=fbar
>>>>
>>>> The only downside I found so far is that the user would already need to
>>>> have "Read DNS Entries" permission assigned, otherwise he would not be
>>>> able to actually read DNS entries (allow rules can't take precedence
>>>> over the deny rule we implemented to deny public access to the DNS tree).
>>>>
>>>> An admin could of course create a special privilege and role with just
>>>> "Read DNS Entries" permission and then assign it to relevant
>>>> users/groups, but this looks awkward. Any idea to make this simpler?
>>>> Maybe creating a group "dns readers" by default which would allow such
>>>> access?
>>>
>>> Change the deny rule to deny to everyone except the user in
>>> "parent[1].managedby#USERDN"?
>>>
>>> Simo.
>>>
>>
>> Good idea, I will do that. I will just use
>> "parent[0,1].managedby#USERDN" so that the user can also read the zone
>> record. This way, a selected user will have read/write access to the
>> chosen zone only, which is exactly what we want to achieve.
>
> Yes, this sounds workable to me too.
>
> rob
>

There were some second thoughts about the proposed design, which I would
like to discuss so that we can eventually accept another (better)
solution for this feature.

The main concern here was that the proposed solution (based on a user list
in the managedBy attribute in the DNS zone) is not in line with the rest of
the permission & privilege architecture in IPA.

Here is another idea how to address the feature (I tested it and it
would work):

1) Get rid of the deny rule on cn=dns,$SUFFIX by modifying the global access
rule (a working patch attached) to avoid current and future issues with
extending ACIs (deny rules are evil).

2) Add a new Managed Entry Definition and Template to automatically add a
"Manage DNS zone $idsname" permission. These could be used with standard
IPA privileges, roles and thus could be assigned to users, groups,
hosts, hostgroups...

3) The new DNS zone managedBy attribute won't be manageable by the user, but it
will hold the DN of the managed Permission entry

4) Add the following ACIs to cn=dns,$SUFFIX:

aci: (targetattr = "*")
(version 3.0; acl "Read DNS entries"; allow (read,search,compare)
userattr = "parent[0,1].managedby#GROUPDN";)

aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")
(version 3.0;acl "Add dns entries";allow (add)
userattr = "parent[1].managedby#GROUPDN";)

aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")
(version 3.0;acl "Remove DNS entries";allow (delete)
userattr = "parent[1].managedby#GROUPDN";)

aci: (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl ||
dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord ||
ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord ||
minforecord || afsdbrecord || sigrecord || keyrecord || locrecord ||
nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord ||
dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname ||
idnszoneactive || idnssoamname || idnssoarname || idnssoaserial ||
idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum ||
idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr ||
idnsforwardpolicy || idnsforwarders")
(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS
Entries";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)

I needed to add the permission DN to the managedBy attribute so that I could
create just one set of generic ACIs without having to create a set of
ACIs for every new zone and thus let users with "Update DNS entries"
permission have write access to the "aci" attribute.

Would this design be better than the previous one? Comments welcome.

Thanks,
Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: remove-deny-rule.patch
Type: text/x-patch
Size: 2540 bytes
Desc: not available
URL: 

From simo at redhat.com Fri Jun 22 12:23:12 2012
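To see who the four ACIs in Martin's second proposal actually let do what, here is an added example, not FreeIPA or 389-ds code: a small evaluator that reimplements only the pieces of 389-ds ACI semantics the proposal relies on (subtree scope on cn=dns, an 'idnsname=*,cn=dns,$SUFFIX' target, the userattr parent[N].managedby#GROUPDN bind rule, allow-only rules with default deny). The directory fragment, the permission entries and the users fbar and alice are constructed sample data, and GROUPDN is simplified to direct membership in the permission entry rather than membership through privileges and roles.

```python
"""Toy evaluator for the delegation ACIs proposed above.

Added example, not FreeIPA or 389-ds code: it reimplements just enough of the
ACI semantics (subtree scope, an 'idnsname=*,cn=dns,$SUFFIX' target, the
userattr parent[N].managedby#GROUPDN bind rule, allow-only with default deny)
to show which operations a delegated user gets on which entries. Every DN
and entry below is constructed sample data; GROUPDN is simplified to direct
membership in the permission entry.
"""

SUFFIX = "dc=example,dc=com"
DNS = "cn=dns," + SUFFIX
PERMS = "cn=permissions,cn=pbac," + SUFFIX
USERS = "cn=users,cn=accounts," + SUFFIX

FBAR = "uid=fbar," + USERS
ALICE = "uid=alice," + USERS

# DN -> attributes. Zones carry managedBy pointing at their managed
# permission entry; the permission lists the delegated principals as members.
DIRECTORY = {
    DNS: {"objectclass": ["nsContainer"]},
    "idnsname=example.com," + DNS: {
        "objectclass": ["idnsZone"],
        "managedby": ["cn=Manage DNS zone example.com," + PERMS],
    },
    "idnsname=www,idnsname=example.com," + DNS: {"arecord": ["192.0.2.10"]},
    "idnsname=other.test," + DNS: {
        "objectclass": ["idnsZone"],
        "managedby": ["cn=Manage DNS zone other.test," + PERMS],
    },
    "cn=Manage DNS zone example.com," + PERMS: {"member": [FBAR]},
    "cn=Manage DNS zone other.test," + PERMS: {"member": [ALICE]},
}

# The four proposed ACIs, reduced to what matters here. 'levels' are the N in
# parent[N]: 0 is the target entry itself, 1 is its parent.
ACIS = (
    ("Read DNS entries",   {"read", "search", "compare"}, None,                (0, 1)),
    ("Add dns entries",    {"add"},                       "idnsname=*," + DNS, (1,)),
    ("Remove DNS entries", {"delete"},                    "idnsname=*," + DNS, (1,)),
    ("Update DNS Entries", {"write"},                     "idnsname=*," + DNS, (0, 1)),
)


def rdns(dn):
    """Split a DN into RDNs; the sample DNs contain no escaped commas."""
    return [part.strip() for part in dn.split(",")]


def parent(dn, level):
    """parent[0] is the entry itself, parent[1] its parent, and so on."""
    parts = rdns(dn)[level:]
    return ",".join(parts) if parts else None


def in_scope(dn):
    """The ACIs sit on cn=dns,$SUFFIX and cover that subtree."""
    return dn == DNS or dn.endswith("," + DNS)


def target_matches(dn, pattern):
    """'idnsname=*,cn=dns,$SUFFIX': below cn=dns and the entry's own RDN is
    an idnsname= value. A None pattern means the ACI has no target clause."""
    if pattern is None:
        return in_scope(dn)
    attr, rest = pattern.split("=*,", 1)
    return dn.endswith("," + rest) and rdns(dn)[0].lower().startswith(attr + "=")


def is_member(bind_dn, group_dn):
    """GROUPDN bind rule, simplified to direct membership."""
    return bind_dn in DIRECTORY.get(group_dn, {}).get("member", [])


def allowed(bind_dn, right, target_dn):
    """Allow-only evaluation with 389-ds's default deny: the operation is
    granted if some ACI's right, target and bind rule all match. For 'add',
    target_dn is the DN the new entry would get."""
    if not in_scope(target_dn):
        return False
    for _name, rights, target, levels in ACIS:
        if right not in rights or not target_matches(target_dn, target):
            continue
        for level in levels:
            entry = DIRECTORY.get(parent(target_dn, level), {})
            if any(is_member(bind_dn, g) for g in entry.get("managedby", [])):
                return True
    return False


if __name__ == "__main__":
    ZONE = "idnsname=example.com," + DNS
    checks = [
        (FBAR,  "add",    "idnsname=mail," + ZONE),                   # record in own zone
        (FBAR,  "write",  ZONE),                                      # the zone entry itself
        (FBAR,  "add",    ZONE),                                      # a new zone: parent[1] is cn=dns
        (FBAR,  "delete", "idnsname=www,idnsname=other.test," + DNS),  # someone else's zone
        (ALICE, "read",   "idnsname=other.test," + DNS),
        (FBAR,  "read",   DNS),                                       # container has no managedBy
    ]
    for bind_dn, right, dn in checks:
        who = bind_dn.split(",")[0]
        print("%-10s %-6s %-50s %s" % (who, right, dn, allowed(bind_dn, right, dn)))
```

Two consequences of the parent[0,1] design become visible when the evaluator is run: a delegated manager can add, change and delete records in the zone and modify the zone entry itself, but cannot create or delete zones, because for those operations parent[1] is cn=dns, which carries no managedBy; and the reach stops one level below the zone, which suits IPA's flat record layout but would not cover deeper trees. Access for administrators, which Simo asks about in the reply, is not modelled here.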
From: simo at redhat.com (Simo Sorce)
Date: Fri, 22 Jun 2012 08:23:12 -0400
Subject: [Freeipa-devel] [DRAFT2] Per-domain DNS update permissions
In-Reply-To: <4FE446D1.1040101@redhat.com>
References: <1339766543.12383.48.camel@priserak> <1339769714.32038.0.camel@willson.li.ssimo.org> <1340000969.7024.2.camel@balmora.brq.redhat.com> <4FDF4B2F.8020401@redhat.com> <4FE446D1.1040101@redhat.com>
Message-ID: <1340367792.32038.400.camel@willson.li.ssimo.org>

On Fri, 2012-06-22 at 12:20 +0200, Martin Kosek wrote:
> On 06/18/2012 05:37 PM, Rob Crittenden wrote:
> > Martin Kosek wrote:
> >> On Fri, 2012-06-15 at 10:15 -0400, Simo Sorce wrote:
> >>> On Fri, 2012-06-15 at 15:22 +0200, Martin Kosek wrote:
> >>>> Hello all,
> >>>>
> >>>> In the scope of ticket 2511 I would like to implement an ability to
> >>>> delegate DNS update permissions to a chosen user (or host) without
> >>>> having to give the user full "Update DNS Entries" privileges, i.e.
> >>>> allow him to modify any DNS zone or record.
> >>>>
> >>>> So far, this is what I would like to do (comments welcome):
> >>>>
> >>>> 1) Create new objectclass "idnsManagedZone" with "managedBy" attribute
> >>>> in MAY list
> >>>> 2) Create new DNS commands:
> >>>> a] dnszone-add-managedby [--users=USERS] [--hosts=HOSTS]
> >>>> b] dnszone-remove-managedby [--users=USERS] [--hosts=HOSTS]
> >>>> - these commands would add/remove the chosen user/host DN to the managedBy
> >>>> attribute in the chosen DNS zone
> >>>> 3) Add new generic ACIs to cn=dns,$SUFFIX:
> >>>> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl
> >>>> "Users and hosts can add DNS entries";allow (add) userattr =
> >>>> "parent[1].managedby#USERDN";)
> >>>> ... add similar ACIs for UPDATE, REMOVE access
> >>>>
> >>>> With these steps done, all that an administrator would need to do to
> >>>> delegate management of a DNS zone "example.com" is to run this
> >>>> command:
> >>>> $ ipa dnszone-add-managedby example.com --users=fbar
> >>>>
> >>>> The only downside I found so far is that the user would already need to
> >>>> have "Read DNS Entries" permission assigned, otherwise he would not be
> >>>> able to actually read DNS entries (allow rules can't take precedence
> >>>> over the deny rule we implemented to deny public access to the DNS tree).
> >>>>
> >>>> An admin could of course create a special privilege and role with just
> >>>> "Read DNS Entries" permission and then assign it to relevant
> >>>> users/groups, but this looks awkward. Any idea to make this simpler?
> >>>> Maybe creating a group "dns readers" by default which would allow such
> >>>> access?
> >>>
> >>> Change the deny rule to deny to everyone except the user in
> >>> "parent[1].managedby#USERDN"?
> >>>
> >>> Simo.
> >>>
> >>
> >> Good idea, I will do that. I will just use
> >> "parent[0,1].managedby#USERDN" so that the user can also read the zone
> >> record. This way, a selected user will have read/write access to the
> >> chosen zone only, which is exactly what we want to achieve.
> >
> > Yes, this sounds workable to me too.
> >
> > rob
> >
>
> There were some second thoughts about the proposed design, which I would
> like to discuss so that we can eventually accept another (better)
> solution for this feature.
>
> The main concern here was that the proposed solution (based on a user list
> in the managedBy attribute in the DNS zone) is not in line with the rest of
> the permission & privilege architecture in IPA.
>
> Here is another idea how to address the feature (I tested it and it
> would work):
> 1) Get rid of the deny rule on cn=dns,$SUFFIX by modifying the global access
> rule (a working patch attached) to avoid current and future issues with
> extending ACIs (deny rules are evil).
>
> 2) Add a new Managed Entry Definition and Template to automatically add a
> "Manage DNS zone $idsname" permission. These could be used with standard
> IPA privileges, roles and thus could be assigned to users, groups,
> hosts, hostgroups...
>
> 3) The new DNS zone managedBy attribute won't be manageable by the user, but it
> will hold the DN of the managed Permission entry
>
> 4) Add the following ACIs to cn=dns,$SUFFIX:
> aci: (targetattr = "*")
> (version 3.0; acl "Read DNS entries"; allow (read,search,compare)
> userattr = "parent[0,1].managedby#GROUPDN";)
>
> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")
> (version 3.0;acl "Add dns entries";allow (add)
> userattr = "parent[1].managedby#GROUPDN";)
>
> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")
> (version 3.0;acl "Remove DNS entries";allow (delete)
> userattr = "parent[1].managedby#GROUPDN";)
>
> aci: (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl ||
> dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord
> || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord ||
> hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord ||
> locrecord || nxtrecord || naptrrecord || kxrecord || certrecord ||
> dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord ||
> idnsname || idnszoneactive || idnssoamname || idnssoarname ||
> idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire ||
> idnssoaminimum || idnsupdatepolicy || idnsallowquery ||
> idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy ||
> idnsforwarders")
> (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update
> DNS Entries";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)
>
> I needed to add the permission DN to the managedBy attribute so that I could
> create just one set of generic ACIs without having to create a set of
> ACIs for every new zone and thus let users with "Update DNS entries"
> permission have write access to the "aci" attribute.
>
> Would this design be better than the previous one? Comments welcome.

Removing Deny ACIs would be great.

But don't we need a second set of ACIs to allow uber admins to still
control all zones? Or is that part of the current ACIs not going to change?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From mkosek at redhat.com Fri Jun 22 12:25:53 2012
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 22 Jun 2012 14:25:53 +0200
Subject: [Freeipa-devel] [DRAFT2] Per-domain DNS update permissions
In-Reply-To: <1340367792.32038.400.camel@willson.li.ssimo.org>
References: <1339766543.12383.48.camel@priserak> <1339769714.32038.0.camel@willson.li.ssimo.org> <1340000969.7024.2.camel@balmora.brq.redhat.com> <4FDF4B2F.8020401@redhat.com> <4FE446D1.1040101@redhat.com> <1340367792.32038.400.camel@willson.li.ssimo.org>
Message-ID: <4FE46451.2010509@redhat.com>

On 06/22/2012 02:23 PM, Simo Sorce wrote:
> On Fri, 2012-06-22 at 12:20 +0200, Martin Kosek wrote:
>> On 06/18/2012 05:37 PM, Rob Crittenden wrote:
>>> Martin Kosek wrote:
>>>> On Fri, 2012-06-15 at 10:15 -0400, Simo Sorce wrote:
>>>>> On Fri, 2012-06-15 at 15:22 +0200, Martin Kosek wrote:
>>>>>> Hello all,
>>>>>>
>>>>>> In the scope of ticket 2511 I would like to implement an ability to
>>>>>> delegate DNS update permissions to a chosen user (or host) without
>>>>>> having to give the user full "Update DNS Entries" privileges, i.e.
>>>>>> allow him to modify any DNS zone or record.
>>>>>>
>>>>>> So far, this is what I would like to do (comments welcome):
>>>>>>
>>>>>> 1) Create new objectclass "idnsManagedZone" with "managedBy" attribute
>>>>>> in MAY list
>>>>>> 2) Create new DNS commands:
>>>>>> a] dnszone-add-managedby [--users=USERS] [--hosts=HOSTS]
>>>>>> b] dnszone-remove-managedby [--users=USERS] [--hosts=HOSTS]
>>>>>> - these commands would add/remove the chosen user/host DN to the managedBy
>>>>>> attribute in the chosen DNS zone
>>>>>> 3) Add new generic ACIs to cn=dns,$SUFFIX:
>>>>>> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl
>>>>>> "Users and hosts can add DNS entries";allow (add) userattr =
>>>>>> "parent[1].managedby#USERDN";)
>>>>>> ...
add similar ACIs for UPDATE, REMOVE access >>>>>> >>>>>> With these steps done, all that an administrator would need to do to >>>>>> delegate a management of a DNS zone "example.com" is to run this >>>>>> command: >>>>>> $ ipa dnszone-add-managedby example.com --users=fbar >>>>>> >>>>>> The only downside I found so far is that the user would already need to >>>>>> have "Read DNS Entries" permission assigned, otherwise he would not be >>>>>> able to actually read DNS entries (allow rules can't take precedence >>>>>> over deny rule we implemented to deny public access to DNS tree). >>>>>> >>>>>> An admin could of course create a special privilege and role with just >>>>>> "Read DNS Entries" permission and then assign it to relevant >>>>>> users/groups, but this looks awkward. Any idea to make this simpler? >>>>>> Maybe creating a group "dns readers" by default which would allow such >>>>>> access? >>>>> >>>>> Change the deny rule to deny to everyone except the user in >>>>> "parent[1].managedby#USERDN" ? >>>>> >>>>> Simo. >>>>> >>>> >>>> Good idea, I will do that. I will just use >>>> "parent[0,1].managedby#USERDN" so that user can also read the zone >>>> record. This way, a selected user will have read/write access to the >>>> chosen zone only, which is exactly what we want to achieve. >>> >>> Yes, this sounds workable to me too. >>> >>> rob >>> >> >> There were some second thoughts about the proposed design, which I would >> like to discuss so that we can eventually accept another (better) >> solution for this feature. >> >> The main concern here was that proposed solution (based on user list in >> managedBy attribute in DNS zone) is not in line with the rest of >> permission&privilege architecture in IPA. 
>> >> Here is another idea how to address the feature (I tested it and it >> would work): >> 1) Get rid of the deny rule on cn=dns,$SUFFIX by modifying global access >> rule (a working patch attached) to avoid current and future issues with >> extending ACIs (deny rules are evil). >> >> 2) Add new Managed Entry Definition and Template to automatically add >> "Manage DNS zone $idsname" permission. These could be used with standard >> IPA privileges, roles and thus could be assigned to users, groups, >> hosts, hostgroups... >> >> 3) New DNS zone managedBy attribute won't be manageable by user, but it >> will hold a DN of the managed Permission entry >> >> 4) Add the following ACIs to cn=dns,$SUFFIX: >> aci: (targetattr = "*") >> (version 3.0; acl "Read DNS entries"; allow (read,search,compare) >> userattr = "parent[0,1].managedby#GROUPDN";) >> >> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX") >> (version 3.0;acl "Add dns entries";allow (add) >> userattr = "parent[1].managedby#GROUPDN";) >> >> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX") >> (version 3.0;acl "Remove DNS entries";allow (delete) >> userattr = "parent[1].managedby#GROUPDN";) >> >> aci: (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || >> dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord >> || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || >> hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || >> locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || >> dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || >> idnsname || idnszoneactive || idnssoamname || idnssoarname || >> idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || >> idnssoaminimum || idnsupdatepolicy || idnsallowquery || >> idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || >> idnsforwarders") >> (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update >> DNS Entries";allow (write) userattr = 
"parent[0,1].managedby#GROUPDN";) >> >> I needed to add permission DN to the managedBy attribute so that I could >> create just one set of generic ACIs without having to create a set of >> ACIs for every new zone and thus let users with "Update DNS entries" >> permission have a write access to the "aci" attribute. >> >> Would this design be better than the previous one? Comments welcome. > > Removing Deny ACIs would be great. > But don't we need a second set of ACIs to allow uber admins to still > control all zones ? or is that part of current ACIs not going to > change ? > > Simo. > Thanks to the removal of the deny rule, this would be already allowed by this existing ACI: aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf || serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) Martin From simo at redhat.com Fri Jun 22 12:59:58 2012 
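The draft ACIs above, turned into an executable model so the delegation boundary can be checked case by case. This is an added example, not FreeIPA code and not a real 389-ds ACI evaluator: it implements only the semantics the draft relies on (a `userattr = "parent[N,M].managedby#GROUPDN"` rule grants the bind DN when it is a possibly nested member of the group whose DN sits in the `managedby` attribute of the target entry, parent[0], or of its parent, parent[1]), and the directory contents, permission and role names, and the abbreviated `targetattr` lists are constructed sample data. One modelling assumption is stated in the code: the `idnsname=*,cn=dns,$SUFFIX` target is taken to match both zones and the records beneath them, which is what the draft needs for its parent[1] rules.

```python
"""Model of the per-zone DNS delegation ACIs from the draft (added example).
Not FreeIPA code and not a 389-ds ACI engine; sample directory is constructed."""

SUFFIX = "dc=example,dc=com"
DNS = "cn=dns," + SUFFIX
ADMINS = f"cn=admins,cn=groups,cn=accounts,{SUFFIX}"
PERM = f"cn=Manage DNS zone example.com,cn=permissions,cn=pbac,{SUFFIX}"
ROLE = f"cn=example.com managers,cn=roles,cn=accounts,{SUFFIX}"
FBAR = f"uid=fbar,cn=users,cn=accounts,{SUFFIX}"
ADMIN = f"uid=admin,cn=users,cn=accounts,{SUFFIX}"
ZONE = f"idnsname=example.com,{DNS}"
UPDATE_ATTRS = {"idnsname", "arecord", "aaaarecord", "dnsttl", "idnssoaserial"}  # abbreviated
ADMIN_EXCLUDED = {"userPassword", "krbPrincipalKey", "krbMKey"}  # abbreviated targetattr != list

# Constructed directory: DN -> attributes.  The managed permission is a group whose
# membership chains permission -> role -> user, so GROUPDN must resolve nested groups.
ENTRIES = {
    ADMINS: {"member": [ADMIN]},
    PERM: {"member": [ROLE]},
    ROLE: {"member": [FBAR]},
    DNS: {},
    ZONE: {"managedby": [PERM], "idnssoaserial": ["2012062201"]},
    f"idnsname=www,{ZONE}": {"arecord": ["192.0.2.10"]},
    f"idnsname=other.test,{DNS}": {},
}

# The four draft ACIs on cn=dns plus the existing admin ACI on the suffix.
ACIS = [
    dict(name="Read DNS entries", scope=DNS, target=None, attrs=None,
         rights={"read", "search", "compare"}, levels=(0, 1)),
    dict(name="Add dns entries", scope=DNS, target=f"idnsname=*,{DNS}",
         attrs=None, rights={"add"}, levels=(1,)),
    dict(name="Remove DNS entries", scope=DNS, target=f"idnsname=*,{DNS}",
         attrs=None, rights={"delete"}, levels=(1,)),
    dict(name="Update DNS Entries", scope=DNS, target=f"idnsname=*,{DNS}",
         attrs=UPDATE_ATTRS, rights={"write"}, levels=(0, 1)),
    dict(name="Admin can manage any entry", scope=SUFFIX, target=None,
         attrs=None, excluded=ADMIN_EXCLUDED, rights={"all"}, groupdn=ADMINS),
]


def matches_target(dn, pattern):
    """target = "ldap:///idnsname=*,cn=dns,$SUFFIX".  Model assumption: the
    wildcard spans nested RDNs, so both zones and records match."""
    if pattern is None:
        return True
    rdn_type, base = pattern.split("=*,", 1)
    return dn.startswith(rdn_type + "=") and dn.endswith("," + base)


def is_member(bind_dn, group_dn, seen=None):
    """Nested GROUPDN membership; `seen` guards against membership cycles."""
    seen = set() if seen is None else seen
    if group_dn in seen or group_dn not in ENTRIES:
        return False
    seen.add(group_dn)
    return any(m == bind_dn or is_member(bind_dn, m, seen)
               for m in ENTRIES[group_dn].get("member", []))


def managedby_matches(bind_dn, target_dn, levels):
    """userattr = "parent[levels].managedby#GROUPDN" for target_dn.  For an
    add the target does not exist yet, so parent[0] yields nothing."""
    dn = target_dn
    for level in range(max(levels) + 1):
        if level in levels and any(is_member(bind_dn, g) for g in
                                   ENTRIES.get(dn, {}).get("managedby", [])):
            return True
        if "," not in dn:
            break
        dn = dn.split(",", 1)[1]  # sample DNs contain no escaped commas
    return False


def allowed(bind_dn, target_dn, right, attr=None):
    """Name of the first ACI granting `right` (on `attr`, if given) or None.
    The draft removes the deny rule, so an allow match is final."""
    for aci in ACIS:
        if right not in aci["rights"] and "all" not in aci["rights"]:
            continue
        if target_dn != aci["scope"] and not target_dn.endswith("," + aci["scope"]):
            continue
        if not matches_target(target_dn, aci["target"]):
            continue
        if aci["attrs"] is not None and attr not in aci["attrs"]:
            continue
        if attr in aci.get("excluded", ()):
            continue
        if "groupdn" in aci:
            granted = is_member(bind_dn, aci["groupdn"])
        else:
            granted = managedby_matches(bind_dn, target_dn, aci["levels"])
        if granted:
            return aci["name"]
    return None


def demo():
    """Who may do what under the draft; each key names the check."""
    www = f"idnsname=www,{ZONE}"
    alice = f"uid=alice,cn=users,cn=accounts,{SUFFIX}"  # not a zone manager
    return {
        "fbar_write_record": allowed(FBAR, www, "write", "arecord"),
        "fbar_write_zone_soa": allowed(FBAR, ZONE, "write", "idnssoaserial"),
        "fbar_read_record": allowed(FBAR, www, "read"),
        "fbar_add_record": allowed(FBAR, f"idnsname=mail,{ZONE}", "add"),
        "fbar_delete_record": allowed(FBAR, www, "delete"),
        "fbar_add_zone": allowed(FBAR, f"idnsname=new.test,{DNS}", "add"),
        "fbar_write_other_zone": allowed(FBAR, f"idnsname=other.test,{DNS}", "write", "idnssoaserial"),
        "fbar_write_aci": allowed(FBAR, ZONE, "write", "aci"),
        "alice_write_record": allowed(alice, www, "write", "arecord"),
        "admin_add_zone": allowed(ADMIN, f"idnsname=new.test,{DNS}", "add"),
    }
```

Running `demo()` shows the property the thread is after: fbar, who reaches the managed permission only through a role, can read, add, delete and update inside example.com (including the zone entry itself through parent[0]), but gets nothing on other.test, cannot create a new zone (the parent of a new zone is cn=dns, which carries no managedby), and cannot write the aci attribute because it is outside the Update targetattr list; the admins group keeps full control through the existing "Admin can manage any entry" ACI once the deny rule is gone.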
From: simo at redhat.com (Simo Sorce) Date: Fri, 22 Jun 2012 08:59:58 -0400 Subject: [Freeipa-devel] [DRAFT2] Per-domain DNS update permissions In-Reply-To: <4FE46451.2010509@redhat.com> References: <1339766543.12383.48.camel@priserak> <1339769714.32038.0.camel@willson.li.ssimo.org> <1340000969.7024.2.camel@balmora.brq.redhat.com> <4FDF4B2F.8020401@redhat.com> <4FE446D1.1040101@redhat.com> <1340367792.32038.400.camel@willson.li.ssimo.org> <4FE46451.2010509@redhat.com> Message-ID: <1340369998.32038.404.camel@willson.li.ssimo.org> On Fri, 2012-06-22 at 14:25 +0200, Martin Kosek wrote: > On 06/22/2012 02:23 PM, Simo Sorce wrote: > > On Fri, 2012-06-22 at 12:20 +0200, Martin Kosek wrote: > >> On 06/18/2012 05:37 PM, Rob Crittenden wrote: > >>> Martin Kosek wrote: > >>>> On Fri, 2012-06-15 at 10:15 -0400, Simo Sorce wrote: > >>>>> On Fri, 2012-06-15 at 15:22 +0200, Martin Kosek wrote: > >>>>>> Hello all, > >>>>>> > >>>>>> In a scope of ticket 2511 I would like to implement an ability to > >>>>>> delegate a DNS update permissions to chosen user (or host) without > >>>>>> having to give the user full "Update DNS Entries" privileges, i.e. > >>>>>> allow > >>>>>> him to modify any DNS zone or record. > >>>>>> > >>>>>> So far, this is what I would like to do (comments welcome): > >>>>>> > >>>>>> 1) Create new objectclass "idnsManagedZone" with "managedBy" attribute > >>>>>> in MAY list > >>>>>> 2) Create new DNS commands: > >>>>>> a] dnszone-add-managedby [--users=USERS] [--hosts=HOSTS] > >>>>>> b] dnszone-remove-managedby [--users=USERS] [--hosts=HOSTS] > >>>>>> - these commands would add/remove chosen user/host DN to managedBy > >>>>>> attribute in chosen DNS zone > >>>>>> 3) Add new generic ACIs to cn=dns,$SUFFIX: > >>>>>> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl > >>>>>> "Users and hosts can add DNS entries";allow (add) userattr = > >>>>>> "parent[1].managedby#USERDN";) > >>>>>> ... 
add similar ACIs for UPDATE, REMOVE access > >>>>>> > >>>>>> With these steps done, all that an administrator would need to do to > >>>>>> delegate a management of a DNS zone "example.com" is to run this > >>>>>> command: > >>>>>> $ ipa dnszone-add-managedby example.com --users=fbar > >>>>>> > >>>>>> The only downside I found so far is that the user would already need to > >>>>>> have "Read DNS Entries" permission assigned, otherwise he would not be > >>>>>> able to actually read DNS entries (allow rules can't take precedence > >>>>>> over deny rule we implemented to deny public access to DNS tree). > >>>>>> > >>>>>> An admin could of course create a special privilege and role with just > >>>>>> "Read DNS Entries" permission and then assign it to relevant > >>>>>> users/groups, but this looks awkward. Any idea to make this simpler? > >>>>>> Maybe creating a group "dns readers" by default which would allow such > >>>>>> access? > >>>>> > >>>>> Change the deny rule to deny to everyone except the user in > >>>>> "parent[1].managedby#USERDN" ? > >>>>> > >>>>> Simo. > >>>>> > >>>> > >>>> Good idea, I will do that. I will just use > >>>> "parent[0,1].managedby#USERDN" so that user can also read the zone > >>>> record. This way, a selected user will have read/write access to the > >>>> chosen zone only, which is exactly what we want to achieve. > >>> > >>> Yes, this sounds workable to me too. > >>> > >>> rob > >>> > >> > >> There were some second thoughts about the proposed design, which I would > >> like to discuss so that we can eventually accept another (better) > >> solution for this feature. > >> > >> The main concern here was that proposed solution (based on user list in > >> managedBy attribute in DNS zone) is not in line with the rest of > >> permission&privilege architecture in IPA. 
> >> > >> Here is another idea how to address the feature (I tested it and it > >> would work): > >> 1) Get rid of the deny rule on cn=dns,$SUFFIX by modifying global access > >> rule (a working patch attached) to avoid current and future issues with > >> extending ACIs (deny rules are evil). > >> > >> 2) Add new Managed Entry Definition and Template to automatically add > >> "Manage DNS zone $idsname" permission. These could be used with standard > >> IPA privileges, roles and thus could be assigned to users, groups, > >> hosts, hostgroups... > >> > >> 3) New DNS zone managedBy attribute won't be manageable by user, but it > >> will hold a DN of the managed Permission entry > >> > >> 4) Add the following ACIs to cn=dns,$SUFFIX: > >> aci: (targetattr = "*") > >> (version 3.0; acl "Read DNS entries"; allow (read,search,compare) > >> userattr = "parent[0,1].managedby#GROUPDN";) > >> > >> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX") > >> (version 3.0;acl "Add dns entries";allow (add) > >> userattr = "parent[1].managedby#GROUPDN";) > >> > >> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX") > >> (version 3.0;acl "Remove DNS entries";allow (delete) > >> userattr = "parent[1].managedby#GROUPDN";) > >> > >> aci: (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || > >> dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord > >> || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || > >> hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || > >> locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || > >> dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || > >> idnsname || idnszoneactive || idnssoamname || idnssoarname || > >> idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || > >> idnssoaminimum || idnsupdatepolicy || idnsallowquery || > >> idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || > >> idnsforwarders") > >> (target = 
"ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update > >> DNS Entries";allow (write) userattr = "parent[0,1].managedby#GROUPDN";) > >> > >> I needed to add permission DN to the managedBy attribute so that I could > >> create just one set of generic ACIs without having to create a set of > >> ACIs for every new zone and thus let users with "Update DNS entries" > >> permission have a write access to the "aci" attribute. > >> > >> Would this design be better than the previous one? Comments welcome. > > > > Removing Deny ACIs would be great. > > But don't we need a second set of ACIs to allow uber admins to still > > control all zones ? or is that part of current ACIs not going to > > change ? > > > > Simo. > > > > Thanks to the removal of the deny rule, this would be already allowed by > this existing ACI: > > aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword > || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || > krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || > krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference > || krbPrincipalType || krbPwdHistory || krbLastPwdChange || > krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || > krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || > ipaUniqueId || memberOf || serverHostName || enrolledBy")(version 3.0; > acl "Admin can manage any entry"; allow (all) groupdn = > "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) Oh right! I like it even more then :-) Simo. -- Simo Sorce * Red Hat, Inc * New York From pvoborni at redhat.com Fri Jun 22 13:28:00 2012 
From: pvoborni at redhat.com (Petr Vobornik) Date: Fri, 22 Jun 2012 15:28:00 +0200 Subject: [Freeipa-devel] [PATCH] 160,161 Trust Web UI Message-ID: <4FE472E0.6060903@redhat.com>

The static preview of the trust UI can be seen at: http://pvoborni.fedorapeople.org/trusts/#ipaserver=trust&navigation=ipaserver

[Patch] 161 Trust Web UI:

This patch adds a Web UI for trusts.

Navigation path is IPA Server/Trust. It allows adding, deleting and showing a trust. The mod command doesn't have defined input options, so updating a trust is not supported yet.

The adder dialog supports two ways of adding a trust:
1) adding with domain name, admin name and admin password.
2) adding with domain name and shared secret

The search page shows only a list of realm names, which are the trusts' cns.

The details page is read only. It contains the following attributes:
* Realm name (cn)
* Domain NetBIOS name (ipantflatname)
* Domain Security Identifier (ipanttrusteddomainsid)
* Trust direction (trustdirection)
* Trust type (trusttype)

For Domain Security Identifier the ipantsecurityidentifier param, which is defined in the trust plugin's trust_output_params list, is not used. This param is not returned by the show command, so ipanttrusteddomainsid is used instead.

trust_output_params also defines a 'Trust status' param. This param is not returned by the show command either, so it's commented out in the code until it's fixed in the plugin code.

Fields in the details pages use labels defined in internal.py. It is a temporary solution until inclusion of command.has_output_params is added to the metadata.

https://fedorahosted.org/freeipa/ticket/2829

[PATCH] 160 Same password validator:

This patch adds a validator which compares passwords in two fields.

In future it should be used in various password reset dialogs.

A flags attribute was added to field. Its purpose is to define control flags. This patch uses it in the details facet and adder dialog to not include fields in command options if the field has the 'no_command' flag. Therefore there is no need to use hacks such as disabling a field or removing a value from the command's option map when a non-command field is needed (i.e. verify password).

https://fedorahosted.org/freeipa/ticket/2829

-- Petr Vobornik

-------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0160-Same-password-validator.patch Type: text/x-patch Size: 3280 bytes Desc: not available URL:
-------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0161-Trust-Web-UI.patch Type: text/x-patch Size: 54115 bytes Desc: not available URL:

From abokovoy at redhat.com Fri Jun 22 16:48:42 2012
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 22 Jun 2012 19:48:42 +0300 Subject: [Freeipa-devel] [PATCH] 160,161 Trust Web UI In-Reply-To: <4FE472E0.6060903@redhat.com> References: <4FE472E0.6060903@redhat.com> Message-ID: <20120622164842.GD28689@redhat.com> Hi Petr, On Fri, 22 Jun 2012, Petr Vobornik wrote: >The static preview of trust UI can be seen at: http://pvoborni.fedorapeople.org/trusts/#ipaserver=trust&navigation=ipaserver Looks nice! > >[Patch] 161 Trust Web UI: > >This patch adds Web UI for trusts. > >Navigation path is IPA Server/Trust. It allows to add, deleted and >show trust. Mod command doesn't have defined input options so update >of a trust is not supported yet. Yes, it will get defined once we finish support for uid/gid ranges. >Adder dialog supports two ways if adding a trust: >1) adding with domain name, admin name and admin password. >2) adding with domain name, shared secret > >Search page shows only list of realm names which are trusts' cns. > >Details page is read only. It contains following attributes: >* Realm name (cn) >* Domain NetBIOS name (ipantflatname) >* Domain Security Identifier (ipanttrusteddomainsid) >* Trust direction (trustdirection) >* Trust type (trusttype) > >For Domain Security Identifier is not used ipantsecurityidentifier >param which is defined in trust plugin's trust_output_params list. >This param is not returned by show command so ipanttrusteddomainsid >is used instead. You are using the proper one. I'm attaching a patch to fix existing plugin. The issue here is that we have two attributes, one for SIDs of our objects (users, groups, ...), another one is used specifically for a trusted domain object. It was my mistake to mix them as I also was thinking to allow seeing our own domain SID via 'ipa trust' commands. >trust_output_params also defines 'Trust status' param. This param is >not return by show command as well so it's commented out in code >until it's fixed in plugin code. 
Yes, the code for this will be implemented as part of trust validation, ticket 2763. >Fields in details pages are using labels defined in internal.py. It >is temporary solution until including of command.has_output_params >will be added to metadata. > >https://fedorahosted.org/freeipa/ticket/2829 1. Please update the patch with regards to the change in my attached patch. 2. First two chunks of install/ui/test/data/ipa_init_commands.json and install/ui/test/data/ipa_init_objects.json changes look unrelated to this ticket. >[PATCH] 160 Same password validator: > >This patch adds validator which compares passwords in two fields. > >In future it should be used in various password reset dialogs. > >A flags attribute was added to field. It's purpose is to define >control flags. This patch uses it in details facet and adder dialog >to not include fields to command option if the field has 'no_command' >flag. Therefore there is no need to use hacks such as disabling of >field or removing a value from command's option map when a >non-command field is needed (ie verify password). > >https://fedorahosted.org/freeipa/ticket/2829 ACK -- / Alexander Bokovoy From abokovoy at redhat.com Fri Jun 22 16:49:33 2012 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 22 Jun 2012 19:49:33 +0300 Subject: [Freeipa-devel] [PATCH] 160,161 Trust Web UI In-Reply-To: <20120622164842.GD28689@redhat.com> References: <4FE472E0.6060903@redhat.com> <20120622164842.GD28689@redhat.com> Message-ID: <20120622164932.GE28689@redhat.com> Promised patch attached! On Fri, 22 Jun 2012, Alexander Bokovoy wrote: >Hi Petr, > >On Fri, 22 Jun 2012, Petr Vobornik wrote: >>The static preview of trust UI can be seen at: http://pvoborni.fedorapeople.org/trusts/#ipaserver=trust&navigation=ipaserver >Looks nice! > >> >>[Patch] 161 Trust Web UI: >> >>This patch adds Web UI for trusts. >> >>Navigation path is IPA Server/Trust. It allows to add, deleted and >>show trust. Mod command doesn't have defined input options so >>update of a trust is not supported yet. >Yes, it will get defined once we finish support for uid/gid ranges. > >>Adder dialog supports two ways if adding a trust: >>1) adding with domain name, admin name and admin password. >>2) adding with domain name, shared secret >> >>Search page shows only list of realm names which are trusts' cns. >> >>Details page is read only. It contains following attributes: >>* Realm name (cn) >>* Domain NetBIOS name (ipantflatname) >>* Domain Security Identifier (ipanttrusteddomainsid) >>* Trust direction (trustdirection) >>* Trust type (trusttype) >> >>For Domain Security Identifier is not used ipantsecurityidentifier >>param which is defined in trust plugin's trust_output_params list. >>This param is not returned by show command so ipanttrusteddomainsid >>is used instead. >You are using the proper one. I'm attaching a patch to fix existing >plugin. The issue here is that we have two attributes, one for SIDs of >our objects (users, groups, ...), another one is used specifically for >a trusted domain object. It was my mistake to mix them as I also was >thinking to allow seeing our own domain SID via 'ipa trust' commands. 
> >>trust_output_params also defines 'Trust status' param. This param >>is not return by show command as well so it's commented out in code >>until it's fixed in plugin code. >Yes, the code for this will be implemented as part of trust validation, >ticket 2763. > >>Fields in details pages are using labels defined in internal.py. It >>is temporary solution until including of command.has_output_params >>will be added to metadata. >> >>https://fedorahosted.org/freeipa/ticket/2829 >1. Please update the patch with regards to the change in my > attached patch. >2. First two chunks of install/ui/test/data/ipa_init_commands.json and > install/ui/test/data/ipa_init_objects.json changes look unrelated to > this ticket. > >>[PATCH] 160 Same password validator: >> >>This patch adds validator which compares passwords in two fields. >> >>In future it should be used in various password reset dialogs. >> >>A flags attribute was added to field. It's purpose is to define >>control flags. This patch uses it in details facet and adder dialog >>to not include fields to command option if the field has >>'no_command' flag. Therefore there is no need to use hacks such as >>disabling of field or removing a value from command's option map >>when a non-command field is needed (ie verify password). >> >>https://fedorahosted.org/freeipa/ticket/2829 >ACK > >-- >/ Alexander Bokovoy > >_______________________________________________ >Freeipa-devel mailing list >Freeipa-devel at redhat.com >https://www.redhat.com/mailman/listinfo/freeipa-devel -- / Alexander Bokovoy -------------- next part -------------- >From 8f4e5ece17020d31dd75f99a2c337167f896e152 Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy Date: Fri, 22 Jun 2012 19:33:57 +0300 Subject: [PATCH 2/2] Use correct SID attribute for trusted domains We have two SID attributes, ipaNTSecurityIdentifier and ipaNTTrustedDomainSID. First is used for recording SID of our users/groups, second is to store SID of a remote trusted domain. --- ipalib/plugins/trust.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index b313b30d9b16911adea3c607dbff7e5fe30bda1f..1f2eae584bd45bb62a1ff4740af98dcafb3489ae 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py @@ -38,7 +38,7 @@ Manage trust relationship between realms trust_output_params = ( Str('ipantflatname', label=_('Domain NetBIOS name')), - Str('ipantsecurityidentifier', + Str('ipanttrusteddomainsid', label=_('Domain Security Identifier')), Str('trustdirection', label=_('Trust direction')), @@ -90,7 +90,7 @@ class trust(LDAPObject): object_name = _('trust') object_name_plural = _('trusts') object_class = ['ipaNTTrustedDomain'] - default_attributes = ['cn', 'ipantflatname', 'ipantsecurityidentifier', + default_attributes = ['cn', 'ipantflatname', 'ipanttrusteddomainsid', 'ipanttrusttype', 'ipanttrustattributes', 'ipanttrustdirection', 'ipanttrustpartner', 'ipantauthtrustoutgoing', 'ipanttrustauthincoming', 'ipanttrustforesttrustinfo', 'ipanttrustposixoffset', 'ipantsupportedencryptiontypes' ] -- 1.7.10.2 From rcritten at redhat.com Fri Jun 22 17:27:07 2012 
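Review bot: the first hunk renames the output param to ipanttrusteddomainsid, but the only place that records which of the two similarly named attributes is which (ipaNTSecurityIdentifier for our own users and groups, ipaNTTrustedDomainSID for the remote domain) is the commit message; a one-line comment above trust_output_params would keep them from being swapped again. Also, the subject reads [PATCH 2/2] while only this one patch is attached to the message, so either post 1/2 or fix the numbering.

Review bot: default_attributes in the second hunk keeps 'ipanttrustdirection' and 'ipanttrusttype' while the output params in the first hunk's context lines are named 'trustdirection' and 'trusttype'; please confirm the plugin maps between the two, since otherwise trust-show will not return those params either and the Web UI hits the same gap Petr described for ipantsecurityidentifier.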
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 22 Jun 2012 13:27:07 -0400 Subject: [Freeipa-devel] [PATCH] 1023 tool for configuring automount In-Reply-To: <1340268011.12122.2.camel@balmora.brq.redhat.com> References: <4FCE61FD.80801@redhat.com> <4FD0CC45.6080803@redhat.com> <4FE2071A.10008@redhat.com> <1340268011.12122.2.camel@balmora.brq.redhat.com> Message-ID: <4FE4AAEB.0@redhat.com> Martin Kosek wrote: > On Wed, 2012-06-20 at 13:23 -0400, Rob Crittenden wrote: >> Rob Crittenden wrote: >>> Rob Crittenden wrote: >>>> Here is a tool that can be used to configure automount in an IPA client. >>>> It can use either SSSD or autofs for automount. It also configures NFSv4 >>>> on the client so secure maps will work. >>> >>> rebased patch >> >> rebase again >> >> rob > > I finally managed to look on this patch. This is generally a good work > and make things a lot easier, but still I found few issues: > > 1) The patch does not apply cleanly+it needs to be rebased: > > # git apply freeipa-rcrit-1023-3-automount.patch > freeipa-rcrit-1023-3-automount.patch:210: trailing whitespace. > > freeipa-rcrit-1023-3-automount.patch:264: trailing whitespace. > > freeipa-rcrit-1023-3-automount.patch:273: trailing whitespace. > > freeipa-rcrit-1023-3-automount.patch:542: trailing whitespace. > .\" > freeipa-rcrit-1023-3-automount.patch:547: trailing whitespace. > .\" > error: patch failed: ipapython/platform/base.py:24 > error: ipapython/platform/base.py: patch does not apply Fixed whitespace and rebased. > 2) This is just an idea, but would it be better to call the new script > "ipa-client-automount" so that it is more visible that it is from > ipa-client binary family (along with ipa-client-install)? Sure, I wasn't completely happy with the name I came up with. > > 3) KeyboardInterrupt is not caught properly: > > 4) Neither is EOFError (CTRL+d): Fixed. > > 5) Would it make sense to check if the given automount location exists? 
> Currently there is no check for that: > > # ipa-configure-automount --server vm-091.idm.lab.bos.redhat.com > --location foo > Searching for IPA server... > IPA server: DNS discovery > Location: foo > Continue to configure the system with these values? [no]: y > Configured /etc/nsswitch.conf > Configured /etc/sysconfig/nfs > Configured /etc/idmapd.conf > Started nfs-server.service > Started nfs-secure.service > Restarting sssd, waiting for it to become available. > Started autofs.service > > Automount then obviously not work: There was even a TODO in the code for this. I went ahead and did it. I had punted originally because it wasn't really a big deal to unconfigure and reconfigure with the right location. > Jun 21 04:05:06 localhost automount[1401]: lookup_read_map: lookup(sss): > getautomntent_r: No such file or directory This is an sssd issue I've been told isn't fatal. > 6) In /etc/sssd/sssd.conf we configure ipa_automount_location and > autofs_provider options. But in uninstall, we remove only > ipa_automount_location and leave autofs_provider configured It is a bug in sssd, https://fedorahosted.org/sssd/ticket/1388 > 7) This is related to ipa-client-install, but even when I disable > autodiscovery and add --server option it still disregards it and tries > to search SRV records: > > # ipa-configure-automount --server=vm-091.idm.lab.bos.redhat.com > > Unable to confirm that.redhat.com is an IPA v2 server Yeah, I think a separate ticket should be opened up, I call the same code as ipa-client-install. > > 8) When discovery is on, we are not really verbose: > > # ipa-configure-automount > Searching for IPA server... > IPA server: DNS discovery > Location: default > Continue to configure the system with these values? [no]: > > We just write "IPA server: DNS discovery", but I would at least like to > now what servers it detected so that I know it does the right thing. This should be better with Petr^3's patches. Is it not? Perhaps only with --debug? 
> 9) autofs via LDAP (no SSSD )is broken when autodiscovery is used. After > some investigation I found this line is causing it: > > + if not autodiscover: > + ldap_uri = "ldap://%s" % server > + else: > + ldap_uri = "ldap:///%s" % api.env.basedn<<< > > There should be an IPA server, not basedn. When I fixed it, autofs via > LDAP worked. I'm not sure why it didn't work, this is correct. ldap:///dc=example,dc=com tells the autofs client to use DNS discovery to find the right server. It works for me. > > 9) Shouldn't configure_nfs be made optional? I don't think every IPA > client with autofs configured will want to have nfs-server running... I hate systemd. I couldn't find a service other than nfs-server that would start idmapd. I found one, fixed in this patch. > > 10) There are some artifacts in the man page: > +.TP > +Files that will be always be configured: > + > +/etc/nsswitch.conf > + > +Files that will be configured when SSSD is the automount client > (default): > + > +/etc/sssd/sssd.conf > + > +Files that will be configured when using the ldap automount client: > + > +/etc/sysconfig/autofs > + > +/etc/autofs_ldap_auth.conf > > .TP is missing for the latter 2 file lists thus causing a bad indent. Fixed. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-1023-4-automount.patch Type: text/x-diff Size: 27544 bytes Desc: not available URL: From rcritten at redhat.com Fri Jun 22 18:10:56 2012 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 22 Jun 2012 14:10:56 -0400 Subject: [Freeipa-devel] [PATCH] 1027 add logging to ipa-upgradeconfig In-Reply-To: <4FE2DC3A.9080703@redhat.com> References: <4FDF92EE.8060504@redhat.com> <4FE07917.2060100@redhat.com> <4FE1DB5D.2080109@redhat.com> <4FE2DC3A.9080703@redhat.com> Message-ID: <4FE4B530.1000706@redhat.com> Petr Viktorin wrote: > On 06/20/2012 04:17 PM, Rob Crittenden wrote: >> Petr Viktorin wrote: >>> On 06/18/2012 10:43 PM, Rob Crittenden wrote: >>>> Add some additional logging to ipa-upgradeconfig and have it update >>>> /var/log/ipaupgrade.log so we can see what an upgrade has already done. >>>> >>>> rob >>>> >>> >>> I don't think the indentation works too well: >>> >>> 2012-06-19T12:52:47Z INFO Verifying that root certificate is published >>> 2012-06-19T12:52:47Z DEBUG Certificate file exists >>> 2012-06-19T12:52:47Z INFO Verifying that CA proxy configuration is >>> correct >>> 2012-06-19T12:52:47Z DEBUG No CA detected in /etc/pki-ca >>> 2012-06-19T12:52:47Z INFO Verifying that KDC configuration is using >>> ipa-kdb backend >>> 2012-06-19T12:52:47Z DEBUG dbmodules already updated in /etc/krb5.conf >>> >>> >>> It would be nice to add a message right after logging setup saying that >>> ipa-upgradeconfig is being run. >>> >>> >>> The --debug flag only affects console output, standard_logging_setup >>> always sets the file handler to debug level. There's no need for the >>> flag with >/dev/null. >>> >>> >>> Otherwise the patch works great. >>> >> >> I had put the indentation so that when executed in a shell you can tell >> what the heck is going on :-) I'm open to suggestion but I found it hard >> to read when it was all left-justified. > > I guess it works now, but we'll need a better approach. If a subsystem > logs anything between the indented messages, it will be very confusing. 
> > ipa-client-install uses ini-style sections in debug output, which isn't > ideal either but could work here: > > [Verify root cert] > Verifying that root certificate is published > Certificate file exists > [Verify CA proxy] > Verifying that CA proxy configuration is correct > No CA detected in /etc/pki-ca > [Verify ipa-kdb backend] > Verifying that KDC configuration is using ipa-kdb backend > dbmodules already updated in /etc/krb5.conf > > > Having the logger indent all messages properly would be a nicer solution > but that would be a rather giant change. > >> I'll remove the unnecessary --debug flag. >> >> rob > > The indentation is a tiny issue and shouldn't hold the patch back, so > ACK if you don't want to chase this further. > Ok, I added the braces, removed --debug and pushed to master. rob From rcritten at redhat.com Fri Jun 22 20:27:07 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 22 Jun 2012 16:27:07 -0400 Subject: [Freeipa-devel] [PATCH] 1028 service pac types Message-ID: <4FE4D51B.5080601@redhat.com> This patch is more a WIP than anything. I want to see if I'm on the right track. rob -------------- next part -------------- From a9e9433d2cfec79c28de401c16bae198ddedb3d4 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Thu, 21 Jun 2012 12:18:34 -0400 Subject: [PATCH] Add per-service option to store the types of PAC it supports. Create a per-service default as well. https://fedorahosted.org/freeipa/ticket/2184 --- API.txt | 12 ++++++++---- VERSION | 2 +- install/share/60basev3.ldif | 1 + install/updates/10-60basev3.update | 3 +++ install/updates/10-selinuxusermap.update | 5 +++++ install/updates/60-trusts.update | 4 ++++ ipalib/plugins/config.py | 9 ++++++++- ipalib/plugins/service.py | 23 ++++++++++++++++++----- tests/test_xmlrpc/test_host_plugin.py | 1 + tests/test_xmlrpc/test_service_plugin.py | 13 +++++++++++++ 10 files changed, 62 insertions(+), 11 deletions(-)
diff --git a/API.txt b/API.txt index 5ad2dbaaa75ec4343a256fa64ac56c607f15c6e8..174892a6fa3fb2794b0ed364540e360f8630fdbb 100644 --- a/API.txt +++ b/API.txt @@ -445,7 +445,7 @@ args: 1,0,1 arg: Str('request_id') output: Output('result', None, None) command: config_mod -args: 0,23,3 +args: 0,24,3 option: Int('ipamaxusernamelength', attribute=True, autofill=False, cli_name='maxusername', minvalue=1, multivalue=False, required=False) option: IA5Str('ipahomesrootdir', attribute=True, autofill=False, cli_name='homedirectory', multivalue=False, required=False) option: Str('ipadefaultloginshell', attribute=True, autofill=False, cli_name='defaultshell', multivalue=False, required=False) @@ -462,6 +462,7 @@ option: Int('ipapwdexpadvnotify', attribute=True, autofill=False, cli_name='pwde option: StrEnum('ipaconfigstring', attribute=True, autofill=False, cli_name='ipaconfigstring', csv=True, multivalue=True, required=False, values=(u'AllowLMhash', u'AllowNThash', u'KDC:Disable Last Success', u'KDC:Disable Lockout')) option: Str('ipaselinuxusermaporder', attribute=True, autofill=False, cli_name='ipaselinuxusermaporder', multivalue=False, required=False) option: Str('ipaselinuxusermapdefault', attribute=True, autofill=False, cli_name='ipaselinuxusermapdefault', multivalue=False, required=False) +option: StrEnum('ipadefaultkrbauthzdata', attribute=True, autofill=False, cli_name='pac_type', csv=True, multivalue=True, required=False, values=(u'MS-PAC', u'UNIX-PAC')) option: Str('setattr*', cli_name='setattr', exclude='webui') option: Str('addattr*', cli_name='addattr', exclude='webui') option: Str('delattr*', cli_name='delattr', exclude='webui') 
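Review bot: the enum frozen into API.txt here, values=(u'MS-PAC', u'UNIX-PAC') on the new ipadefaultkrbauthzdata option of config_mod, becomes part of the versioned API once IPA_API_VERSION_MINOR moves to 39, so the name of the second value should be settled before this lands; renaming it afterwards means another API bump plus a migration of any ipaDefaultKrbAuthzData values already stored in cn=ipaConfig. The option also gives an admin no way to express "no default" other than the generic delattr shown in the context lines; if an empty default is meant to be a supported state, say so in the option's doc string.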
@@ -2641,9 +2642,10 @@ output: Output('notmatched', (, , ), output: Output('error', (, , ), None) output: Output('value', , None) command: service_add -args: 1,5,3 +args: 1,6,3 arg: Str('krbprincipalname', attribute=True, cli_name='principal', multivalue=False, primary_key=True, required=True) option: Bytes('usercertificate', attribute=True, cli_name='certificate', multivalue=False, required=False) +option: StrEnum('ipakrbauthzdata', attribute=True, cli_name='pac_type', csv=True, multivalue=True, required=False, values=(u'MS-PAC', u'UNIX-PAC')) option: Flag('force', autofill=True, default=False) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') @@ -2675,9 +2677,10 @@ output: Output('summary', (, ), None) output: Output('result', , None) output: Output('value', , None) command: service_find -args: 1,9,4 +args: 1,10,4 arg: Str('criteria?', noextrawhitespace=False) option: Str('krbprincipalname', attribute=True, autofill=False, cli_name='principal', multivalue=False, primary_key=True, query=True, required=False) +option: StrEnum('ipakrbauthzdata', attribute=True, autofill=False, cli_name='pac_type', csv=True, multivalue=True, query=True, required=False, values=(u'MS-PAC', u'UNIX-PAC')) option: Int('timelimit?', autofill=False, minvalue=0) option: Int('sizelimit?', autofill=False, minvalue=0) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') 
@@ -2691,9 +2694,10 @@ output: ListOfEntries('result', (, ), Gettext('A list output: Output('count', , None) output: Output('truncated', , None) command: service_mod -args: 1,8,3 +args: 1,9,3 arg: Str('krbprincipalname', attribute=True, cli_name='principal', multivalue=False, primary_key=True, query=True, required=True) option: Bytes('usercertificate', attribute=True, autofill=False, cli_name='certificate', multivalue=False, required=False) +option: StrEnum('ipakrbauthzdata', attribute=True, autofill=False, cli_name='pac_type', csv=True, multivalue=True, required=False, values=(u'MS-PAC', u'UNIX-PAC')) option: Str('setattr*', cli_name='setattr', exclude='webui') option: Str('addattr*', cli_name='addattr', exclude='webui') option: Str('delattr*', cli_name='delattr', exclude='webui') diff --git a/VERSION b/VERSION index 77340e02e91c91b45e5431810aac2a5c9d6237b6..bc76959b3a1709c6bbad76a0e4405c2c6e329bdd 100644 --- a/VERSION +++ b/VERSION @@ -79,4 +79,4 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=38 +IPA_API_VERSION_MINOR=39 diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif index 2c24137b0dc39f215ed0e4b97079ffce0ec630d3..eb0869568dcb33866a1a42f99ab03becce4e5cee 100644 --- a/install/share/60basev3.ldif +++ b/install/share/60basev3.ldif 
@@ -29,6 +29,7 @@ attributeTypes: ( 2.16.840.1.113730.3.8.11.21 NAME 'ipaAllowToImpersonate' DESC attributeTypes: ( 2.16.840.1.113730.3.8.11.22 NAME 'ipaAllowedTarget' DESC 'Target principals alowed to get a ticket for' SUP distinguishedName X-ORIGIN 'IPA-v3') attributeTypes: (2.16.840.1.113730.3.8.11.30 NAME 'ipaSELinuxUser' DESC 'An SELinux user' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3') attributeTypes: (2.16.840.1.113730.3.8.11.31 NAME 'ipaSshPubKey' DESC 'SSH public key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v3' ) +attributeTypes: (2.16.840.1.113730.3.8.11.37 NAME 'ipaKrbAuthzData' DESC 'type of PAC preferred by a service' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup' SUP top STRUCTURAL MUST ( cn ) MAY ( ipaExternalMember $ memberOf $ description $ owner) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.2 NAME 'ipaNTUserAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) MAY ( ipaNTHash $ ipaNTLogonScript $ ipaNTProfilePath $ ipaNTHomeDirectory $ ipaNTHomeDirectoryDrive ) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.3 NAME 'ipaNTGroupAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' ) diff --git a/install/updates/10-60basev3.update b/install/updates/10-60basev3.update index 96d012c14d26133b07a503e78fa1e8b33d2a56d9..c4f3fe35d11af808d4e614579263d73febd0bc7b 100644 --- a/install/updates/10-60basev3.update +++ b/install/updates/10-60basev3.update 
@@ -5,4 +5,7 @@ add:attributeTypes: ( 2.16.840.1.113730.3.8.11.22 NAME 'ipaAllowedTarget' DESC ' add:objectClasses: (2.16.840.1.113730.3.8.12.6 NAME 'groupOfPrincipals' SUP top AUXILIARY MUST ( cn ) MAY ( memberPrincipal ) X-ORIGIN 'IPA v3' ) add:objectClasses: (2.16.840.1.113730.3.8.12.7 NAME 'ipaKrb5DelegationACL' SUP groupOfPrincipals STRUCTURAL MAY ( ipaAllowToImpersonate $$ ipaAllowedTarget ) X-ORIGIN 'IPA v3' ) add:attributeTypes: (2.16.840.1.113730.3.8.11.32 NAME 'ipaKrbPrincipalAlias' DESC 'IPA principal alias' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3') +add:attributeTypes: (2.16.840.1.113730.3.8.11.37 NAME 'ipaKrbAuthzData' DESC 'type of PAC preferred by a service' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3') +add:attributeTypes: (2.16.840.1.113730.3.8.11.38 NAME 'ipaDefaultKrbAuthzData' DESC 'Default service PAC type' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3') add:objectClasses: (2.16.840.1.113730.3.8.12.8 NAME 'ipaKrbPrincipal' SUP krbPrincipalAux AUXILIARY MUST ( krbPrincipalName $$ ipaKrbPrincipalAlias ) X-ORIGIN 'IPA v3' ) +replace:objectClasses: ( 2.16.840.1.113730.3.8.4.2 NAME 'ipaService' DESC 'IPA service objectclass' AUXILIARY MAY ( memberOf $$ managedBy ) X-ORIGIN 'IPA v2' )::( 2.16.840.1.113730.3.8.4.2 NAME 'ipaService' DESC 'IPA service objectclass' AUXILIARY MAY ( memberOf $$ managedBy $$ ipaKrbAuthzData) X-ORIGIN 'IPA v2' ) diff --git a/install/updates/10-selinuxusermap.update b/install/updates/10-selinuxusermap.update index 431477adf87d2fd9aaf5ed288c8c9eaba7ca35f1..ce11d26e26399d428912a4995a9a47b3a617cdee 100644 --- a/install/updates/10-selinuxusermap.update +++ b/install/updates/10-selinuxusermap.update 
@@ -21,6 +21,11 @@ add:attributeTypes: X-ORIGIN 'IPA v3') replace:objectClasses:( 2.16.840.1.113730.3.8.2.1 NAME 'ipaGuiConfig' AUXILIARY MAY ( ipaUserSearchFields $$ ipaGroupSearchFields $$ ipaSearchTimeLimit $$ ipaSearchRecordsLimit $$ ipaCustomFields $$ ipaHomesRootDir $$ ipaDefaultLoginShell $$ ipaDefaultPrimaryGroup $$ ipaMaxUsernameLength $$ ipaPwdExpAdvNotify $$ ipaUserObjectClasses $$ ipaGroupObjectClasses $$ ipaDefaultEmailDomain $$ ipaMigrationEnabled $$ ipaCertificateSubjectBase ) )::( 2.16.840.1.113730.3.8.2.1 NAME 'ipaGuiConfig' AUXILIARY MAY ( ipaUserSearchFields $$ ipaGroupSearchFields $$ ipaSearchTimeLimit $$ ipaSearchRecordsLimit $$ ipaCustomFields $$ ipaHomesRootDir $$ ipaDefaultLoginShell $$ ipaDefaultPrimaryGroup $$ ipaMaxUsernameLength $$ ipaPwdExpAdvNotify $$ ipaUserObjectClasses $$ ipaGroupObjectClasses $$ ipaDefaultEmailDomain $$ ipaMigrationEnabled $$ ipaCertificateSubjectBase $$ ipaSELinuxUserMapDefault $$ ipaSELinuxUserMapOrder) ) +# Add the default PAC service type relies on the new SELinux user map +# values being there so add it here. 
+dn: cn=schema +replace:objectClasses:( 2.16.840.1.113730.3.8.2.1 NAME 'ipaGuiConfig' AUXILIARY MAY ( ipaUserSearchFields $$ ipaGroupSearchFields $$ ipaSearchTimeLimit $$ ipaSearchRecordsLimit $$ ipaCustomFields $$ ipaHomesRootDir $$ ipaDefaultLoginShell $$ ipaDefaultPrimaryGroup $$ ipaMaxUsernameLength $$ ipaPwdExpAdvNotify $$ ipaUserObjectClasses $$ ipaGroupObjectClasses $$ ipaDefaultEmailDomain $$ ipaMigrationEnabled $$ ipaCertificateSubjectBase $$ ipaSELinuxUserMapDefault $$ ipaSELinuxUserMapOrder ) )::( 2.16.840.1.113730.3.8.2.1 NAME 'ipaGuiConfig' AUXILIARY MAY ( ipaUserSearchFields $$ ipaGroupSearchFields $$ ipaSearchTimeLimit $$ ipaSearchRecordsLimit $$ ipaCustomFields $$ ipaHomesRootDir $$ ipaDefaultLoginShell $$ ipaDefaultPrimaryGroup $$ ipaMaxUsernameLength $$ ipaPwdExpAdvNotify $$ ipaUserObjectClasses $$ ipaGroupObjectClasses $$ ipaDefaultEmailDomain $$ ipaMigrationEnabled $$ ipaCertificateSubjectBase $$ ipaSELinuxUserMapDefault $$ ipaSELinuxUserMapOrder $$ ipaDefaultKrbAuthzData) ) + # Add the SELinux User map schema add:attributeTypes: ( 2.16.840.1.113730.3.8.11.30 diff --git a/install/updates/60-trusts.update b/install/updates/60-trusts.update index 82d78315d773a4cc1f25a420e5171270504730a3..9e6a23948c1070edc61f01c8919f8e2e41f782ef 100644 --- a/install/updates/60-trusts.update +++ b/install/updates/60-trusts.update @@ -60,3 +60,7 @@ add:aci: '(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || # Samba user should be able to read NT passwords to authenticate dn: $SUFFIX add:aci: '(targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can read NT passwords"; allow (read) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)' + +# Add the default PAC type to configuration +dn: cn=ipaConfig,cn=etc,$SUFFIX +add: ipaDefaultKrbAuthzData: MS-PAC diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py index c8230e23a779163bca447594206a65b6062d4b37..0e038f40d4c7b8a77bfea43e40810e83a270a059 100644 
--- a/ipalib/plugins/config.py +++ b/ipalib/plugins/config.py @@ -90,7 +90,7 @@ class config(LDAPObject): 'ipasearchrecordslimit', 'ipausersearchfields', 'ipagroupsearchfields', 'ipamigrationenabled', 'ipacertificatesubjectbase', 'ipapwdexpadvnotify', 'ipaselinuxusermaporder', - 'ipaselinuxusermapdefault', 'ipaconfigstring', + 'ipaselinuxusermapdefault', 'ipaconfigstring', 'ipadefaultkrbauthzdata', ] label = _('Configuration') @@ -189,6 +189,13 @@ class config(LDAPObject): label=_('Default SELinux user'), doc=_('Default SELinux user when no match is found in SELinux map rule'), ), + StrEnum('ipadefaultkrbauthzdata*', + cli_name='pac_type', + label=_('PAC type'), + doc=_('Default types of PAC for new services'), + values=(u'MS-PAC', u'UNIX-PAC'), + csv=True, + ), ) def get_dn(self, *keys, **kwargs): diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py index 60035bf6d8d53a498c6565fef6d3097a85263d20..33453f42e1e973d3659dce594d37634c6f9b3f9e 100644 --- a/ipalib/plugins/service.py +++ b/ipalib/plugins/service.py @@ -23,7 +23,7 @@ import base64 import os from ipalib import api, errors, util -from ipalib import Str, Flag, Bytes +from ipalib import Str, Flag, Bytes, StrEnum from ipalib.plugins.baseldap import * from ipalib import x509 from ipalib import _, ngettext @@ -223,8 +223,9 @@ class service(LDAPObject): 'krbprincipal', 'krbprincipalaux', 'krbticketpolicyaux', 'ipaobject', 'ipaservice', 'pkiuser', 'ipakrbprincipal' ] - search_attributes = ['krbprincipalname', 'managedby'] - default_attributes = ['krbprincipalname', 'usercertificate', 'managedby'] + search_attributes = ['krbprincipalname', 'managedby', 'ipakrbauthzdata'] + default_attributes = ['krbprincipalname', 'usercertificate', 'managedby', + 'ipakrbauthzdata',] uuid_attribute = 'ipauniqueid' attribute_members = { 'managedby': ['host'], 
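Review bot: the schema in install/updates/10-60basev3.update and install/share/60basev3.ldif has drifted apart in this series: the update adds both attribute types, ipaKrbAuthzData (2.16.840.1.113730.3.8.11.37) and ipaDefaultKrbAuthzData (2.16.840.1.113730.3.8.11.38), and replaces ipaService so its MAY list gains ipaKrbAuthzData, while 60basev3.ldif only adds the ipaKrbAuthzData attribute type and leaves ipaService untouched. A fresh install and an upgraded install must end with the same schema, so the ipaDefaultKrbAuthzData attribute type belongs in 60basev3.ldif too, and the ipaService change needs to be made in whichever base ldif defines that objectclass (its X-ORIGIN is 'IPA v2', so not 60basev3.ldif). Minor: the replacement value reads `MAY ( memberOf $$ managedBy $$ ipaKrbAuthzData)` without the closing space the surrounding definitions use.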
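Review bot: the comment added to install/updates/10-selinuxusermap.update does not parse ("Add the default PAC service type relies on the new SELinux user map values being there so add it here.") and it should state the real dependency: the replace must name the complete current MAY list of ipaGuiConfig, so ipaDefaultKrbAuthzData can only be appended after the SELinux user map attributes are in, and the attribute type itself is defined in 10-60basev3.update, which is applied first only because it sorts before this file by name. Suggested wording: `# ipaDefaultKrbAuthzData (attribute type defined in 10-60basev3.update) is added to ipaGuiConfig here because the replace must include the SELinux user map attributes added above.`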
@@ -251,7 +252,14 @@ class service(LDAPObject): label=_('Certificate'), doc=_('Base-64 encoded server certificate'), flags=['no_search',], - ) + ), + StrEnum('ipakrbauthzdata*', + cli_name='pac_type', + label=_('PAC type'), + doc=_('Types of PAC this service supports'), + values=(u'MS-PAC', u'UNIX-PAC'), + csv=True, + ), ) api.register(service) @@ -291,7 +299,12 @@ class service_add(LDAPCreate): # don't exist in DNS. util.validate_host_dns(self.log, hostname) if not 'managedby' in entry_attrs: - entry_attrs['managedby'] = hostresult['dn'] + entry_attrs['managedby'] = hostresult['dn'] + if 'ipakrbauthzdata' not in entry_attrs: + config = ldap.get_ipa_config()[1] + default_pac_type = config.get('ipadefaultkrbauthzdata', []) + if default_pac_type: + entry_attrs['ipakrbauthzdata'] = default_pac_type # Enforce ipaKrbPrincipalAlias to aid case-insensitive searches # as krbPrincipalName/krbCanonicalName are case-sensitive in Kerberos diff --git a/tests/test_xmlrpc/test_host_plugin.py b/tests/test_xmlrpc/test_host_plugin.py index 69ef82e20dafdfed38669ec36c05a5055754b06c..efd52ed5fd7f50c72bfe8c5594fd96212c4a1799 100644 --- a/tests/test_xmlrpc/test_host_plugin.py +++ b/tests/test_xmlrpc/test_host_plugin.py @@ -611,6 +611,7 @@ class test_host(Declarative): krbprincipalname=[service1], objectclass=objectclasses.service, managedby_host=[fqdn1], + ipakrbauthzdata=[u'MS-PAC'], ipauniqueid=[fuzzy_uuid], ), ), diff --git a/tests/test_xmlrpc/test_service_plugin.py b/tests/test_xmlrpc/test_service_plugin.py index 5f089fbbb9099761a4552e0df83a3700b452d7df..28c6bb663429e2ca0336d9597d3d386c1c8d6da5 100644 --- a/tests/test_xmlrpc/test_service_plugin.py +++ b/tests/test_xmlrpc/test_service_plugin.py @@ -179,6 +179,7 @@ class test_service(Declarative): krbprincipalname=[service1], objectclass=objectclasses.service, ipauniqueid=[fuzzy_uuid], + ipakrbauthzdata=[u'MS-PAC'], managedby_host=[fqdn1], ), ), 
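Review bot: the doc string on the new service StrEnum ('Types of PAC this service supports') should say what the service_add pre_callback in this hunk does when the option is omitted: the value of ipaDefaultKrbAuthzData from cn=ipaConfig is copied in, which the 60-trusts.update hunk seeds to MS-PAC and which every test in the series now expects. Without that sentence an admin reading `ipa service-add --help` cannot tell why a freshly added service shows a PAC type it never asked for. Also note that `default_pac_type = config.get('ipadefaultkrbauthzdata', [])` means a single multi-valued list is copied verbatim; that is fine since both options are csv=True, multivalue=True, but worth a comment. Style: the adjacent lines mix `if not 'managedby' in entry_attrs` and `if 'ipakrbauthzdata' not in entry_attrs`; the second form is the idiomatic one, and the first could be fixed while the line is being re-indented anyway.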
@@ -207,6 +208,7 @@ class test_service(Declarative): dn=lambda x: DN(x) == service1dn, krbprincipalname=[service1], has_keytab=False, + ipakrbauthzdata=[u'MS-PAC'], managedby_host=[fqdn1], ), ), @@ -226,6 +228,7 @@ class test_service(Declarative): objectclass=objectclasses.service, ipauniqueid=[fuzzy_uuid], managedby_host=[fqdn1], + ipakrbauthzdata=[u'MS-PAC'], has_keytab=False ), ), @@ -244,6 +247,7 @@ class test_service(Declarative): dn=lambda x: DN(x) == service1dn, krbprincipalname=[service1], managedby_host=[fqdn1], + ipakrbauthzdata=[u'MS-PAC'], has_keytab=False, ), ], @@ -265,6 +269,7 @@ class test_service(Declarative): ipakrbprincipalalias=[service1], objectclass=objectclasses.service, ipauniqueid=[fuzzy_uuid], + ipakrbauthzdata=[u'MS-PAC'], has_keytab=False, managedby_host=[fqdn1], ), @@ -282,6 +287,7 @@ class test_service(Declarative): result=dict( dn=lambda x: DN(x) == service1dn, krbprincipalname=[service1], + ipakrbauthzdata=[u'MS-PAC'], managedby_host=[fqdn1], ), ), @@ -297,6 +303,7 @@ class test_service(Declarative): result=dict( dn=lambda x: DN(x) == service1dn, krbprincipalname=[service1], + ipakrbauthzdata=[u'MS-PAC'], managedby_host=[fqdn1], ), ), @@ -312,6 +319,7 @@ class test_service(Declarative): result=dict( dn=lambda x: DN(x) == service1dn, krbprincipalname=[service1], + ipakrbauthzdata=[u'MS-PAC'], managedby_host=[fqdn1, fqdn2], ), ), @@ -327,6 +335,7 @@ class test_service(Declarative): result=dict( dn=lambda x: DN(x) == service1dn, krbprincipalname=[service1], + ipakrbauthzdata=[u'MS-PAC'], managedby_host=[fqdn1], ), ), @@ -342,6 +351,7 @@ class test_service(Declarative): result=dict( dn=lambda x: DN(x) == service1dn, krbprincipalname=[service1], + ipakrbauthzdata=[u'MS-PAC'], managedby_host=[fqdn1, fqdn3.lower()], ), ), @@ -357,6 +367,7 @@ class test_service(Declarative): result=dict( dn=lambda x: DN(x) == service1dn, krbprincipalname=[service1], + ipakrbauthzdata=[u'MS-PAC'], managedby_host=[fqdn1], ), ), 
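Review bot: the test changes only add `ipakrbauthzdata=[u'MS-PAC']` to the expected results of existing cases, so the new attribute is exercised solely through the configured default. Add cases for service-add with an explicit --pac-type, service-mod changing it (to the other enum value, and clearing it with --delattr), service-find with --pac-type as a query, a config-mod of the default followed by a service-add to show the new default is picked up, and a rejected value to cover the StrEnum validation.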
@@ -381,6 +392,7 @@ class test_service(Declarative): result=dict( usercertificate=[base64.b64decode(servercert)], krbprincipalname=[service1], + ipakrbauthzdata=[u'MS-PAC'], managedby_host=[fqdn1], valid_not_before=fuzzy_date, valid_not_after=fuzzy_date, @@ -408,6 +420,7 @@ class test_service(Declarative): krbprincipalname=[service1], has_keytab=False, managedby_host=[fqdn1], + ipakrbauthzdata=[u'MS-PAC'], # These values come from the servercert that is in this # test case. valid_not_before=fuzzy_date, -- 1.7.10.2 From ssorce at redhat.com Fri Jun 22 21:13:43 2012 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 22 Jun 2012 17:13:43 -0400 (EDT) Subject: [Freeipa-devel] [PATCH] 1028 service pac types In-Reply-To: <4FE4D51B.5080601@redhat.com> Message-ID: <5251d02c-d545-4dcc-a1aa-61934d312bb9@zmail17.collab.prod.int.phx2.redhat.com> ----- Original Message ----- > This patch is more a WIP than anything. I want to see if I'm on the > right track. Hi Rob, I don't think we need ipaDefaultKrbAuthzData, we can use the same attribute both in ipaGuiConfig and ipaService, where it is placed makes the difference. You haven't changed ipaService in the base ldif. The 'UNIX-PAC' current name is 'PAD' for Posix Authorization Data, we can call it 'PAD' in the pac_type field I think. Simo. From edewata at redhat.com Fri Jun 22 23:44:51 2012
From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 22 Jun 2012 18:44:51 -0500 Subject: [Freeipa-devel] [PATCH] 160,161 Trust Web UI In-Reply-To: <20120622164842.GD28689@redhat.com> References: <4FE472E0.6060903@redhat.com> <20120622164842.GD28689@redhat.com> Message-ID: <4FE50373.6020607@redhat.com> On 6/22/2012 11:48 AM, Alexander Bokovoy wrote: > 2. First two chunks of install/ui/test/data/ipa_init_commands.json and > install/ui/test/data/ipa_init_objects.json changes look unrelated to > this ticket. These files are snapshots of metadata used for demo/testing. I suppose Petr was updating the entire files which automatically includes recent changes to the metadata. > ACK Ditto. The UI code looks fine so it can be pushed. Btw, nice use of layout class. Some comments: 1. The CLI command to add trust is trust-add-ad. Should the UI button also say "Add AD"? If we later support additional trust types would that appear as separate buttons/dialogs or same button/dialog with maybe drop-down list to select the type? 2. The trust-add-ad has an optional --server parameter. There's no corresponding field in the UI. Is this parameter supported? 3. In the search page we might be able to add some other columns such as NetBIOS name, trust type, or status (when it's available later) which can be obtained using the --all option. 4. With Alexander's new patch the ipantsecurityidentifier in the UI should be removed/replaced with ipanttrusteddomainsid. The following are comments for the server: 5. Should the trust-show return the realm_admin & realm_server? If so they should be displayed in the details page too. 6. Would we support changing the trust password later? If so we would need an action panel. 7. If you add a trust with incomplete parameters the server will return an internal error: % ipa trust-add-ad ad.test ipa: ERROR: an internal error has occured 8. If you add the same trust again (correctly) the server will accept it without error. -- Endi S.
Dewata From sbose at redhat.com Mon Jun 25 09:53:10 2012 From: sbose at redhat.com (Sumit Bose) Date: Mon, 25 Jun 2012 11:53:10 +0200 Subject: [Freeipa-devel] [PATCH] Add sidgen postop and task Message-ID: <20120625095310.GU29454@localhost.localdomain> Hi, this patch added support to automatically create SIDs for local objects as described in ticket https://fedorahosted.org/freeipa/ticket/2825. The post-operation plugin adds the SID and if necessary the needed objectclass for a newly created object. The directory server task can be used to set the SID on existing objects in one run. Since there were concerns about the amount of replication traffic this task accepts a parameter 'delay' to let the task pause for the given number of micro-seconds after an object was changed. I also do not start the task during ipa-adtrust-install to allow running the task at a more appropriate time. I wonder if it is ok to just have an ldif file as an example and explain in the docs how to start the task with ldapmodify or if a tighter integration is needed. Typically this task should be called only once after ipa-adtrust-install. bye, Sumit -------------- next part -------------- From 82e6725c5e00839b85da29b6232f176aa4266191 Mon Sep 17 00:00:00 2001
From: Sumit Bose Date: Thu, 21 Jun 2012 12:54:34 +0200 Subject: [PATCH] Add sidgen postop and task A postop plugin is added to create the SID for newly created users and groups. A directory server task allows to set the SID for existing users and groups. Fixes https://fedorahosted.org/freeipa/ticket/2825 --- daemons/configure.ac | 1 + daemons/ipa-slapi-plugins/Makefile.am | 1 + daemons/ipa-slapi-plugins/ipa-sidgen/Makefile.am | 60 +++ .../ipa-sidgen/ipa-sidgen-conf.ldif | 16 + .../ipa-sidgen/ipa-sidgen-task-conf.ldif | 20 + .../ipa-sidgen/ipa-sidgen-task-example.ldif | 10 + daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.c | 244 +++++++++ daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h | 110 ++++ .../ipa-sidgen/ipa_sidgen_common.c | 568 ++++++++++++++++++++ .../ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_task.c | 348 ++++++++++++ freeipa.spec.in | 4 + ipaserver/install/adtrustinstance.py | 8 + 12 Dateien geändert, 1390 Zeilen hinzugefügt(+) create mode 100644 daemons/ipa-slapi-plugins/ipa-sidgen/Makefile.am create mode 100644 daemons/ipa-slapi-plugins/ipa-sidgen/ipa-sidgen-conf.ldif create mode 100644 daemons/ipa-slapi-plugins/ipa-sidgen/ipa-sidgen-task-conf.ldif create mode 100644 daemons/ipa-slapi-plugins/ipa-sidgen/ipa-sidgen-task-example.ldif create mode 100644 daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.c create mode 100644 daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h create mode 100644 daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c create mode 100644 daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_task.c diff --git a/daemons/configure.ac b/daemons/configure.ac index deaa47358445fa552f5a9b53c9b65a9550b71d9e..5dbdca20a6574945ca333d0ce58aaceb34639bc8 100644 --- a/daemons/configure.ac +++ b/daemons/configure.ac @@ -314,6 +314,7 @@ AC_CONFIG_FILES([ ipa-slapi-plugins/ipa-version/Makefile ipa-slapi-plugins/ipa-uuid/Makefile ipa-slapi-plugins/ipa-modrdn/Makefile + ipa-slapi-plugins/ipa-sidgen/Makefile ]) AC_OUTPUT
diff --git a/daemons/ipa-slapi-plugins/Makefile.am b/daemons/ipa-slapi-plugins/Makefile.am index 29b985e69424c9f2ce453ea3607cdb0e936bcce2..58df1a0981ff4f0f12aec84b4706ae3879bdec07 100644 --- a/daemons/ipa-slapi-plugins/Makefile.am +++ b/daemons/ipa-slapi-plugins/Makefile.am @@ -9,6 +9,7 @@ SUBDIRS = \ ipa-uuid \ ipa-version \ ipa-winsync \ + ipa-sidgen \ $(NULL) EXTRA_DIST = \ diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/Makefile.am b/daemons/ipa-slapi-plugins/ipa-sidgen/Makefile.am new file mode 100644 index 0000000000000000000000000000000000000000..0d8b74e86369ae9c972e090ff0e6feddc840cfde --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-sidgen/Makefile.am @@ -0,0 +1,60 @@ +NULL = + +PLUGIN_COMMON_DIR=../common + +INCLUDES = \ + -I. \ + -I$(srcdir) \ + -I$(PLUGIN_COMMON_DIR) \ + -I/usr/include/dirsrv \ + -DPREFIX=\""$(prefix)"\" \ + -DBINDIR=\""$(bindir)"\" \ + -DLIBDIR=\""$(libdir)"\" \ + -DLIBEXECDIR=\""$(libexecdir)"\" \ + -DDATADIR=\""$(datadir)"\" \ + $(AM_CFLAGS) \ + $(LDAP_CFLAGS) \ + $(WARN_CFLAGS) \ + $(NULL) + +plugindir = $(libdir)/dirsrv/plugins +plugin_LTLIBRARIES = \ + libipa_sidgen.la \ + libipa_sidgen_task.la \ + $(NULL) + +libipa_sidgen_la_SOURCES = \ + ipa_sidgen.c \ + ipa_sidgen_common.c \ + $(NULL) + +libipa_sidgen_la_LDFLAGS = -avoid-version + +libipa_sidgen_la_LIBADD = \ + $(LDAP_LIBS) \ + $(NULL) + +libipa_sidgen_task_la_SOURCES = \ + ipa_sidgen_task.c \ + ipa_sidgen_common.c \ + $(NULL) + +libipa_sidgen_task_la_LDFLAGS = -avoid-version + +libipa_sidgen_task_la_LIBADD = \ + $(LDAP_LIBS) \ + $(NULL) + +appdir = $(IPA_DATA_DIR) +app_DATA = \ + ipa-sidgen-conf.ldif \ + ipa-sidgen-task-conf.ldif \ + $(NULL) + +EXTRA_DIST = \ + $(app_DATA) \ + $(NULL) + +MAINTAINERCLEANFILES = \ + *~ \ + Makefile.in diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa-sidgen-conf.ldif b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa-sidgen-conf.ldif new file mode 100644 index 0000000000000000000000000000000000000000..6a8ed5f9ef73a01f5c29015b16283e90a61fc7d1 
--- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa-sidgen-conf.ldif @@ -0,0 +1,16 @@ +dn: cn=IPA SIDGEN,cn=plugins,cn=config +changetype: add +objectclass: top +objectclass: nsSlapdPlugin +objectclass: extensibleObject +cn: IPA SIDGEN +nsslapd-pluginpath: libipa_sidgen +nsslapd-plugininitfunc: ipa_sidgen_init +nsslapd-plugintype: postoperation +nsslapd-pluginenabled: on +nsslapd-pluginid: ipa_sidgen_postop +nsslapd-pluginversion: 1.0 +nsslapd-pluginvendor: Red Hat, Inc. +nsslapd-plugindescription: IPA SIDGEN post operation +nsslapd-plugin-depends-on-type: database +nsslapd-basedn: $SUFFIX diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa-sidgen-task-conf.ldif b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa-sidgen-task-conf.ldif new file mode 100644 index 0000000000000000000000000000000000000000..c54989e144330e3e806724ebfb09c635845b6bc5 --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa-sidgen-task-conf.ldif @@ -0,0 +1,20 @@ +dn: cn=ipa-sidgen-task,cn=plugins,cn=config +changetype: add +objectClass: top +objectClass: nsSlapdPlugin +objectClass: extensibleObject +cn: ipa-sidgen-task +nsslapd-pluginPath: libipa_sidgen_task +nsslapd-pluginInitfunc: sidgen_task_init +nsslapd-pluginType: object +nsslapd-pluginEnabled: on +nsslapd-pluginId: ipa_sidgen_task +nsslapd-pluginVersion: 1.0 +nsslapd-pluginVendor: RedHat +nsslapd-pluginDescription: Generate SIDs for existing user and group entries + +dn: cn=ipa-sidgen-task,cn=tasks,cn=config +changetype: add +objectClass: top +objectClass: extensibleObject +cn: ipa-sidgen-task diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa-sidgen-task-example.ldif b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa-sidgen-task-example.ldif new file mode 100644 index 0000000000000000000000000000000000000000..9cfded73b1b53461c0c0aa4f563452f51d258aae --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa-sidgen-task-example.ldif 
@@ -0,0 +1,10 @@ +dn: cn=sidgen,cn=ipa-sidgen-task,cn=plugins,cn=config +changetype: add +objectClass: top +objectClass: nsSlapdPlugin +objectClass: extensibleObject +cn: ipa-sidgen-task +nsslapd-pluginPath: libipa_sidgen_task +nsslapd-pluginInitfunc: sidgen_task_init +nsslapd-basedn: $SUFFIX +delay: 0 diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.c b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.c new file mode 100644 index 0000000000000000000000000000000000000000..135c47a392853e482e5470e7f40cb79b7be86b76 --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.c 
@@ -0,0 +1,244 @@ +/** BEGIN COPYRIGHT BLOCK + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + * + * Additional permission under GPLv3 section 7: + * + * In the following paragraph, "GPL" means the GNU General Public + * License, version 3 or any later version, and "Non-GPL Code" means + * code that is governed neither by the GPL nor a license + * compatible with the GPL. + * + * You may link the code of this Program with Non-GPL Code and convey + * linked combinations including the two, provided that such Non-GPL + * Code only links to the code of this Program through those well + * defined interfaces identified in the file named EXCEPTION found in + * the source code files (the "Approved Interfaces"). The files of + * Non-GPL Code may instantiate templates or use macros or inline + * functions from the Approved Interfaces without causing the resulting + * work to be covered by the GPL. Only the copyright holders of this + * Program may make changes or additions to the list of Approved + * Interfaces. + * + * Authors: + * Sumit Bose + * + * Copyright (C) 2012 Red Hat, Inc. + * All rights reserved. 
+ * END COPYRIGHT BLOCK **/ + +#include +#include +#include +#include + +#include "util.h" +#include "ipa_sidgen.h" + +Slapi_PluginDesc ipa_sidgen_plugin_desc = { + IPA_SIDGEN_FEATURE_DESC, + "FreeIPA project", + "FreeIPA/1.0", + IPA_SIDGEN_PLUGIN_DESC +}; + +static int ipa_sidgen_start(Slapi_PBlock *pb) +{ + return 0; +} + +static int ipa_sidgen_close(Slapi_PBlock *pb) +{ + int ret; + struct ipa_sidgen_ctx *ctx; + + ret = slapi_pblock_get(pb, SLAPI_PLUGIN_PRIVATE, &ctx); + if (ret == 0) { + free_ranges(&ctx->ranges); + slapi_ch_free_string(&ctx->dom_sid); + } else { + LOG_FATAL("Missing private plugin context.\n"); + } + + return 0; +} + +static int ipa_sidgen_add_post_op(Slapi_PBlock *pb) +{ + int ret; + int is_repl_op; + struct slapi_entry *entry = NULL; + const char *dn_str; + Slapi_DN *dn = NULL; + struct ipa_sidgen_ctx *ctx; + Slapi_PBlock *search_pb = NULL; + char *errmsg = NULL; + + ret = slapi_pblock_get(pb, SLAPI_IS_REPLICATED_OPERATION, &is_repl_op); + if (ret != 0) { + LOG_FATAL("slapi_pblock_get failed!?\n"); + return LDAP_OPERATIONS_ERROR; + } + + if (is_repl_op) { + LOG("Is replicated operation, nothing to do.\n"); + return LDAP_SUCCESS; + } + + ret = slapi_pblock_get(pb, SLAPI_PLUGIN_PRIVATE, &ctx); + if (ret != 0) { + LOG_FATAL("Missing private plugin context.\n"); + goto done; + } + + if (ctx->dom_sid == NULL) { + ret = get_dom_sid(ctx->plugin_id, ctx->base_dn, &ctx->dom_sid); + if (ret != 0) { + LOG_FATAL("Domain SID not available, nothing to do.\n"); + ret = 0; + goto done; + } + } + + ret = slapi_pblock_get(pb, SLAPI_TARGET_DN, &dn_str); + if (ret != 0) { + LOG_FATAL("Missing target DN.\n"); + goto done; + } + + dn = slapi_sdn_new_dn_byref(dn_str); + if (dn == NULL) { + LOG_FATAL("Failed to convert target DN.\n"); + ret = LDAP_OPERATIONS_ERROR; + goto done; + } + + ret = slapi_search_internal_get_entry(dn, NULL, &entry, ctx->plugin_id); + if (ret != 0 || entry == NULL) { + LOG_FATAL("Missing target entry.\n"); + ret = LDAP_NO_SUCH_OBJECT; + 
goto done; + } + + if (ctx->ranges == NULL) { + ret = get_ranges(ctx->plugin_id, ctx->base_dn, &ctx->ranges); + if (ret != 0) { + if (ret == LDAP_NO_SUCH_OBJECT) { + ret = 0; + LOG("No ID ranges found, nothing to do.\n"); + } else { + LOG_FATAL("Failed to get ID ranges.\n"); + } + goto done; + } + } + + ret = find_sid_for_ldap_entry(entry, ctx->plugin_id, ctx->base_dn, + ctx->dom_sid, ctx->ranges); + if (ret != 0) { + LOG_FATAL("Cannot add SID to new entry.\n"); + goto done; + } + + ret = 0; +done: + slapi_free_search_results_internal(search_pb); + slapi_pblock_destroy(search_pb); + slapi_sdn_free(&dn); + + if (ret != 0) { + if (errmsg == NULL) { + errmsg = "SIDGEN error"; + } + slapi_send_ldap_result(pb, ret, NULL, errmsg, 0, NULL); + } + + return ret; +} + +static int ipa_sidgen_init_ctx(Slapi_PBlock *pb, struct ipa_sidgen_ctx **_ctx) +{ + struct ipa_sidgen_ctx *ctx; + Slapi_Entry *entry; + int ret; + + ctx = calloc(1, sizeof(struct ipa_sidgen_ctx)); + if (ctx == NULL) { + return LDAP_OPERATIONS_ERROR; + } + + ret = slapi_pblock_get(pb, SLAPI_PLUGIN_IDENTITY, &ctx->plugin_id); + if ((ret != 0) || (ctx->plugin_id == NULL)) { + LOG_FATAL("Could not get identity or identity was NULL\n"); + if (ret == 0) { + ret = -1; + } + goto done; + } + + slapi_pblock_get(pb, SLAPI_PLUGIN_CONFIG_ENTRY, &entry); + if (entry == NULL) { + LOG_FATAL("Plugin configuration not found!\n"); + ret = EINVAL; + goto done; + } + + ctx->base_dn = slapi_entry_attr_get_charptr(entry, "nsslapd-basedn"); + if (ctx->base_dn == NULL) { + LOG_FATAL("Base DN not found in plugin configuration!\n"); + ret = EINVAL; + goto done; + } + + ret = 0; + +done: + if (ret != 0) { + free(ctx); + } else { + *_ctx = ctx; + } + + return ret; +} + +int ipa_sidgen_init(Slapi_PBlock *pb) +{ + int ret; + struct ipa_sidgen_ctx *ctx; + + ret = ipa_sidgen_init_ctx(pb, &ctx); + if (ret != 0) { + LOG_FATAL("Failed ot initialize sidgen postop plugin.\n"); + /* do not cause DS to stop, simply do nothing */ + return 0; + } + + 
ret = 0; + if (slapi_pblock_set(pb, SLAPI_PLUGIN_VERSION, + SLAPI_PLUGIN_VERSION_03) != 0 || + slapi_pblock_set(pb, SLAPI_PLUGIN_START_FN, + (void *) ipa_sidgen_start) != 0 || + slapi_pblock_set(pb, SLAPI_PLUGIN_CLOSE_FN, + (void *) ipa_sidgen_close) != 0 || + slapi_pblock_set(pb, SLAPI_PLUGIN_DESCRIPTION, + (void *) &ipa_sidgen_plugin_desc) != 0 || + slapi_pblock_set(pb, SLAPI_PLUGIN_POST_ADD_FN, + (void *) ipa_sidgen_add_post_op) != 0 || + slapi_pblock_set(pb, SLAPI_PLUGIN_PRIVATE, ctx) != 0) { + LOG_FATAL("failed to register plugin\n"); + ret = EFAIL; + } + + return ret; +} diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h new file mode 100644 index 0000000000000000000000000000000000000000..2c488435a03fe8bfc36ce7e4396e87d5b488e1c1 --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h 
@@ -0,0 +1,110 @@ +/** BEGIN COPYRIGHT BLOCK + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + * + * Additional permission under GPLv3 section 7: + * + * In the following paragraph, "GPL" means the GNU General Public + * License, version 3 or any later version, and "Non-GPL Code" means + * code that is governed neither by the GPL nor a license + * compatible with the GPL. + * + * You may link the code of this Program with Non-GPL Code and convey + * linked combinations including the two, provided that such Non-GPL + * Code only links to the code of this Program through those well + * defined interfaces identified in the file named EXCEPTION found in + * the source code files (the "Approved Interfaces"). The files of + * Non-GPL Code may instantiate templates or use macros or inline + * functions from the Approved Interfaces without causing the resulting + * work to be covered by the GPL. Only the copyright holders of this + * Program may make changes or additions to the list of Approved + * Interfaces. + * + * Authors: + * Sumit Bose + * + * Copyright (C) 2012 Red Hat, Inc. + * All rights reserved. 
+ * END COPYRIGHT BLOCK **/ + +#ifndef _IPA_SIDGEN_H_ +#define _IPA_SIDGEN_H_ + +#define OBJECTCLASS "objectclass" +#define IPA_OBJECT "ipaobject" +#define MEP_MANAGED_ENTRY "mepManagedEntry" +#define UID_NUMBER "uidNumber" +#define GID_NUMBER "gidNumber" +#define IPA_SID "ipaNTSecurityIdentifier" +#define DOM_ATTRS_FILTER OBJECTCLASS"=ipaNTDomainAttrs" +#define DOMAIN_ID_RANGE_FILTER OBJECTCLASS"=ipaDomainIDRange" +#define POSIX_ACCOUNT "posixAccount" +#define POSIX_GROUP "posixGroup" +#define IPA_ID_OBJECT "ipaIDObject" +#define IPANT_USER_ATTRS "ipaNTUserAttrs" +#define IPANT_GROUP_ATTRS "ipaNTGroupAttrs" + +#define IPA_DNA_MAGIC 999 + +#define IPA_PLUGIN_NAME "ipa-sidgen-postop" +#define IPA_SIDGEN_FEATURE_DESC "IPA SIDGEN postop plugin" +#define IPA_SIDGEN_PLUGIN_DESC "Add a SID to newly added or modified " \ + "objects with uid pr gid numbers" + +#define IPA_BASE_ID "ipaBaseID" +#define IPA_ID_RANGE_SIZE "ipaIDRangeSize" +#define IPA_BASE_RID "ipaBaseRID" +#define IPA_SECONDARY_BASE_RID "ipaSecondaryBaseRID" + +struct range_info { + uint32_t base_id; + uint32_t id_range_size; + uint32_t base_rid; + uint32_t secondary_base_rid; +}; + +struct ipa_sidgen_ctx { + Slapi_ComponentId *plugin_id; + const char *base_dn; + char *dom_sid; + struct range_info **ranges; +}; + +void set_plugin_id_for_sidgen_task(Slapi_ComponentId *plugin_id); + +int sidgen_task_add(Slapi_PBlock *pb, Slapi_Entry *e, + Slapi_Entry *eAfter, int *returncode, + char *returntext, void *arg); + +int get_dom_sid(Slapi_ComponentId *plugin_id, const char *base_dn, char **_sid); + +int get_objectclass_flags(char **objectclasses, + bool *has_posix_account, + bool *has_posix_group, + bool *has_ipa_id_object); + +void free_ranges(struct range_info ***_ranges); + +int get_ranges(Slapi_ComponentId *plugin_id, const char *base_dn, + struct range_info ***_ranges); + +int find_sid_for_id(uint32_t id, Slapi_ComponentId *plugin_id, + const char *base_dn, const char *dom_sid, + struct range_info **ranges, char 
**_sid); + +int find_sid_for_ldap_entry(struct slapi_entry *entry, + Slapi_ComponentId *plugin_id, + const char *base_dn, + const char *dom_sid, + struct range_info **ranges); +#endif /* _IPA_SIDGEN_H_ */ diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c new file mode 100644 index 0000000000000000000000000000000000000000..cbbb2ef183f2d94826a9ead20ca1fc39daa09599 --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c 
@@ -0,0 +1,568 @@ +/** BEGIN COPYRIGHT BLOCK + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + * + * Additional permission under GPLv3 section 7: + * + * In the following paragraph, "GPL" means the GNU General Public + * License, version 3 or any later version, and "Non-GPL Code" means + * code that is governed neither by the GPL nor a license + * compatible with the GPL. + * + * You may link the code of this Program with Non-GPL Code and convey + * linked combinations including the two, provided that such Non-GPL + * Code only links to the code of this Program through those well + * defined interfaces identified in the file named EXCEPTION found in + * the source code files (the "Approved Interfaces"). The files of + * Non-GPL Code may instantiate templates or use macros or inline + * functions from the Approved Interfaces without causing the resulting + * work to be covered by the GPL. Only the copyright holders of this + * Program may make changes or additions to the list of Approved + * Interfaces. + * + * Authors: + * Sumit Bose + * + * Copyright (C) 2012 Red Hat, Inc. + * All rights reserved. 
+ * END COPYRIGHT BLOCK **/ + +#include +#include +#include +#include + +#include "util.h" +#include "ipa_sidgen.h" + +int get_dom_sid(Slapi_ComponentId *plugin_id, const char *base_dn, char **_sid) +{ + Slapi_PBlock *search_pb = NULL; + int search_result; + Slapi_Entry **search_entries = NULL; + int ret; + const char *sid; + + search_pb = slapi_pblock_new(); + if (search_pb == NULL) { + LOG_FATAL("Failed to create new pblock.\n"); + ret = LDAP_OPERATIONS_ERROR; + goto done; + } + + slapi_search_internal_set_pb(search_pb, base_dn, + LDAP_SCOPE_SUBTREE, DOM_ATTRS_FILTER, + NULL, 0, NULL, NULL, plugin_id, 0); + + ret = slapi_search_internal_pb(search_pb); + if (ret != 0) { + LOG_FATAL("Starting internal search failed.\n"); + goto done; + } + + ret = slapi_pblock_get(search_pb, SLAPI_PLUGIN_INTOP_RESULT, &search_result); + if (ret != 0 || search_result != LDAP_SUCCESS) { + LOG_FATAL("Internal search failed.\n"); + ret = LDAP_OPERATIONS_ERROR; + goto done; + } + + ret = slapi_pblock_get(search_pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, + &search_entries); + if (ret != 0) { + LOG_FATAL("Failed to read searched entries.\n"); + goto done; + } + + if (search_entries == NULL || search_entries[0] == NULL) { + LOG("No existing entries.\n"); + ret = LDAP_NO_SUCH_OBJECT; + goto done; + } + + if (search_entries[1] != NULL) { + LOG("Too many results found.\n"); + ret = LDAP_OPERATIONS_ERROR; + goto done; + } + + sid = slapi_entry_attr_get_charptr(search_entries[0], IPA_SID); + if (sid == NULL) { + LOG("Domain object does not have a SID.\n"); + ret = LDAP_NO_SUCH_ATTRIBUTE; + goto done; + } + + *_sid = slapi_ch_strdup(sid); + if (*_sid == NULL) { + LOG("slapi_ch_strdup failed.\n"); + ret = LDAP_OPERATIONS_ERROR; + goto done; + } + + LOG("Found domain SID [%s].\n", *_sid); + ret = 0; + +done: + slapi_free_search_results_internal(search_pb); + slapi_pblock_destroy(search_pb); + + return ret; +} + +static int slapi_entry_to_range_info(struct slapi_entry *entry, + struct range_info 
**_range) +{ + int ret; + unsigned long ul_val; + struct range_info *range = NULL; + + range = ( struct range_info *) slapi_ch_calloc(1, sizeof(struct range_info)); + if (range == NULL) { + return LDAP_OPERATIONS_ERROR; + } + + ul_val = slapi_entry_attr_get_ulong(entry, IPA_BASE_ID); + if (ul_val == 0 || ul_val >= UINT32_MAX) { + ret = LDAP_OPERATIONS_ERROR; + goto done; + } + range->base_id = ul_val; + + ul_val = slapi_entry_attr_get_ulong(entry, IPA_ID_RANGE_SIZE); + if (ul_val == 0 || ul_val >= UINT32_MAX) { + ret = LDAP_OPERATIONS_ERROR; + goto done; + } + range->id_range_size = ul_val; + + ul_val = slapi_entry_attr_get_ulong(entry, IPA_BASE_RID); + if (ul_val == 0 || ul_val >= UINT32_MAX) { + ret = LDAP_OPERATIONS_ERROR; + goto done; + } + range->base_rid = ul_val; + + ul_val = slapi_entry_attr_get_ulong(entry, IPA_SECONDARY_BASE_RID); + if (ul_val == 0 || ul_val >= UINT32_MAX) { + ret = ERANGE; + goto done; + } + range->secondary_base_rid = ul_val; + + *_range = range; + ret = 0; + +done: + if (ret != 0) { + slapi_ch_free((void **) &range); + } + + return ret; +} + +int get_objectclass_flags(char **objectclasses, + bool *has_posix_account, + bool *has_posix_group, + bool *has_ipa_id_object) +{ + size_t c; + + if (objectclasses == NULL) { + return LDAP_OPERATIONS_ERROR; + } + + *has_posix_account = false; + *has_posix_group = false; + *has_ipa_id_object = false; + + for (c = 0; objectclasses[c] != NULL; c++) { + if (strcasecmp(objectclasses[c], POSIX_ACCOUNT) == 0) { + *has_posix_account = true; + } else if (strcasecmp(objectclasses[c], POSIX_GROUP) == 0) { + *has_posix_group = true; + } else if (strcasecmp(objectclasses[c], IPA_ID_OBJECT) == 0) { + *has_ipa_id_object = true; + } + } + + return 0; +} + +void free_ranges(struct range_info ***_ranges) +{ + size_t c; + struct range_info **ranges = *_ranges; + + if (ranges != NULL) { + for (c = 0; ranges[c] != NULL; c++) { + slapi_ch_free((void **) &ranges[c]); + } + + slapi_ch_free((void **) _ranges); + } +} + 
+int get_ranges(Slapi_ComponentId *plugin_id, const char *base_dn, + struct range_info ***_ranges) +{ + Slapi_PBlock *search_pb = NULL; + Slapi_Entry **search_entries = NULL; + int search_result; + size_t c; + int ret; + struct range_info **ranges = NULL; + + search_pb = slapi_pblock_new(); + if (search_pb == NULL) { + LOG_FATAL("Failed to create new pblock.\n"); + ret = LDAP_OPERATIONS_ERROR; + goto done; + } + + slapi_search_internal_set_pb(search_pb, base_dn, + LDAP_SCOPE_SUBTREE, DOMAIN_ID_RANGE_FILTER, + NULL, 0, NULL, NULL, plugin_id, 0); + + ret = slapi_search_internal_pb(search_pb); + if (ret != 0) { + LOG_FATAL("Starting internal search failed.\n"); + goto done; + } + + ret = slapi_pblock_get(search_pb, SLAPI_PLUGIN_INTOP_RESULT, &search_result); + if (ret != 0 || search_result != LDAP_SUCCESS) { + LOG_FATAL("Internal search failed.\n"); + ret = (search_result != LDAP_SUCCESS) ? search_result: + LDAP_OPERATIONS_ERROR; + goto done; + } + + ret = slapi_pblock_get(search_pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, + &search_entries); + if (ret != 0) { + LOG_FATAL("Failed to read searched entries.\n"); + goto done; + } + + if (search_entries == NULL || search_entries[0] == NULL) { + LOG("No ranges found.\n"); + ret = LDAP_NO_SUCH_OBJECT; + goto done; + } + + for (c = 0; search_entries[c] != NULL; c++); + ranges = (struct range_info **) slapi_ch_calloc(c + 1, + sizeof(struct range_info *)); + if (ranges == NULL) { + LOG("calloc failed.\n"); + ret = LDAP_OPERATIONS_ERROR; + goto done; + } + + for (c = 0; search_entries[c] != NULL; c++) { + ret = slapi_entry_to_range_info(search_entries[c], &ranges[c]); + if (ret != 0) { + LOG_FATAL("Failed to convert LDAP entry to range struct.\n"); + goto done; + } + } + + *_ranges = ranges; + ret = 0; + +done: + slapi_free_search_results_internal(search_pb); + slapi_pblock_destroy(search_pb); + if (ret != 0) { + free_ranges(&ranges); + } + + return ret; +} + +static int find_sid(const char *sid, Slapi_ComponentId *plugin_id, + 
const char *base_dn) +{ + Slapi_PBlock *search_pb = NULL; + Slapi_Entry **search_entries = NULL; + int search_result; + int ret; + char *filter = NULL; + + search_pb = slapi_pblock_new(); + if (search_pb == NULL) { + LOG_FATAL("Failed to create new pblock.\n"); + ret = LDAP_OPERATIONS_ERROR; + goto done; + } + + filter = slapi_ch_smprintf("%s=%s", IPA_SID, sid); + if (filter == NULL) { + LOG_FATAL("Cannot create search filter to check if SID is used.\n"); + ret = LDAP_OPERATIONS_ERROR; + goto done; + } + + slapi_search_internal_set_pb(search_pb, base_dn, + LDAP_SCOPE_SUBTREE, filter, + NULL, 0, NULL, NULL, plugin_id, 0); + + ret = slapi_search_internal_pb(search_pb); + if (ret != 0) { + LOG_FATAL("Starting internal search failed.\n"); + goto done; + } + + ret = slapi_pblock_get(search_pb, SLAPI_PLUGIN_INTOP_RESULT, &search_result); + if (ret != 0 || search_result != LDAP_SUCCESS) { + LOG_FATAL("Internal search failed.\n"); + ret = (search_result != LDAP_SUCCESS) ? search_result: + LDAP_OPERATIONS_ERROR; + goto done; + } + + ret = slapi_pblock_get(search_pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, + &search_entries); + if (ret != 0) { + LOG_FATAL("Failed to read searched entries.\n"); + goto done; + } + + if (search_entries == NULL || search_entries[0] == NULL) { + LOG("No SID found.\n"); + ret = LDAP_NO_SUCH_OBJECT; + goto done; + } + + ret = 0; + +done: + slapi_ch_free_string(&filter); + slapi_free_search_results_internal(search_pb); + slapi_pblock_destroy(search_pb); + + return ret; +} + +static int rid_to_sid_with_check(uint32_t rid, Slapi_ComponentId *plugin_id, + const char *base_dn, const char *dom_sid, + char **_sid) +{ + char *sid = NULL; + int ret; + + sid = slapi_ch_smprintf("%s-%lu", dom_sid, (unsigned long) rid); + if (sid == NULL) { + LOG("Failed to create SID string.\n"); + ret = LDAP_OPERATIONS_ERROR; + goto done; + } + + LOG("SID is [%s].\n", sid); + + ret = find_sid(sid, plugin_id, base_dn); + if (ret == LDAP_NO_SUCH_OBJECT) { + *_sid = sid; + ret = 0; 
+ goto done; + } else if (ret != 0) { + LOG_FATAL("Cannot check if SID is already used.\n"); + goto done; + } + + LOG_FATAL("SID [%s] is already used.\n", sid); + ret = LDAP_CONSTRAINT_VIOLATION; + +done: + if (ret != 0) { + slapi_ch_free_string(&sid); + } + + return ret; +} + +int find_sid_for_id(uint32_t id, Slapi_ComponentId *plugin_id, + const char *base_dn, const char *dom_sid, + struct range_info **ranges, char **_sid) +{ + uint32_t rid; + size_t c; + char *sid = NULL; + int ret; + + rid = 0; + for (c = 0; ranges[c] != NULL; c++) { + if (id >= ranges[c]->base_id && + id < (ranges[c]->base_id + ranges[c]->id_range_size)) { + rid = ranges[c]->base_rid + (id - ranges[c]->base_id); + break; + } + } + + if (rid == 0) { + LOG("No matching range found. Cannot add SID.\n"); + ret = LDAP_NO_SUCH_OBJECT; + goto done; + } + + ret = rid_to_sid_with_check(rid, plugin_id, base_dn, dom_sid, &sid); + if (ret != LDAP_CONSTRAINT_VIOLATION) { + goto done; + } + + /* SID is already used, try secondary range.*/ + rid = ranges[c]->secondary_base_rid + (id - ranges[c]->base_id); + + ret = rid_to_sid_with_check(rid, plugin_id, base_dn, dom_sid, &sid); + if (ret != LDAP_CONSTRAINT_VIOLATION) { + goto done; + } + + LOG_FATAL("Secondary SID is used as well.\n"); + +done: + if (ret != 0) { + slapi_ch_free_string(&sid); + } else { + *_sid = sid; + } + + return ret; +} + +int find_sid_for_ldap_entry(struct slapi_entry *entry, + Slapi_ComponentId *plugin_id, + const char *base_dn, + const char *dom_sid, + struct range_info **ranges) +{ + int ret; + const char *dn_str; + uint32_t uid_number; + uint32_t gid_number; + uint32_t id; + char *sid = NULL; + char **objectclasses = NULL; + Slapi_PBlock *mod_pb = NULL; + Slapi_Mods *smods = NULL; + int result; + bool has_posix_account = false; + bool has_posix_group = false; + bool has_ipa_id_object = false; + const char *objectclass_to_add = NULL; + + dn_str = slapi_entry_get_dn_const(entry); + if (dn_str == NULL) { + LOG_FATAL("Cannot find DN of an 
LDAP entry.\n"); + ret = LDAP_NO_SUCH_ATTRIBUTE; + goto done; + } + LOG("Trying to add SID for [%s].\n", dn_str); + + uid_number = slapi_entry_attr_get_ulong(entry, UID_NUMBER); + gid_number = slapi_entry_attr_get_ulong(entry, GID_NUMBER); + + if (uid_number == 0 && gid_number == 0) { + LOG("[%s] does not have Posix IDs, nothing to do.\n", dn_str); + ret = 0; + goto done; + } + + if (uid_number == IPA_DNA_MAGIC || gid_number == IPA_DNA_MAGIC) { + LOG_FATAL("Looks that DNA plugin was not run before.\n"); + ret = LDAP_OPERATIONS_ERROR; + goto done; + } + + if (uid_number >= UINT32_MAX || gid_number >= UINT32_MAX) { + LOG_FATAL("ID value too large.\n"); + ret = LDAP_CONSTRAINT_VIOLATION; + goto done; + } + + sid = slapi_entry_attr_get_charptr(entry, IPA_SID); + if (sid != NULL) { + LOG("Object already has a SID, nothing to do.\n"); + ret = 0; + goto done; + } + + objectclasses = slapi_entry_attr_get_charray(entry, OBJECTCLASS); + ret = get_objectclass_flags(objectclasses, &has_posix_account, + &has_posix_group, + &has_ipa_id_object); + if (ret != 0) { + LOG_FATAL("Cannot determine objectclasses.\n"); + goto done; + } + + if (has_posix_account && uid_number != 0 && gid_number != 0) { + id = uid_number; + objectclass_to_add = IPANT_USER_ATTRS; + } else if (has_posix_group && gid_number != 0) { + id = gid_number; + objectclass_to_add = IPANT_GROUP_ATTRS; + } else if (has_ipa_id_object) { + id = (uid_number != 0) ? 
uid_number : gid_number; + objectclass_to_add = NULL; + } else { + LOG_FATAL("Inconsistent objectclasses and attributes, nothing to do.\n"); + ret = 0; + goto done; + } + + ret = find_sid_for_id(id, plugin_id, base_dn, dom_sid, ranges, &sid); + if (ret != 0) { + LOG_FATAL("Cannot convert Posix ID [%ul] into an unused SID.\n", id); + goto done; + } + + smods = slapi_mods_new(); + if (smods == NULL) { + LOG("slapi_mods_new failed.\n"); + ret = LDAP_OPERATIONS_ERROR; + goto done; + } + + if (objectclass_to_add != NULL) { + slapi_mods_add_string(smods, LDAP_MOD_ADD, + OBJECTCLASS, objectclass_to_add); + } + slapi_mods_add_string(smods, LDAP_MOD_REPLACE, IPA_SID, sid); + + mod_pb = slapi_pblock_new(); + slapi_modify_internal_set_pb(mod_pb, dn_str, + slapi_mods_get_ldapmods_byref(smods), + NULL, NULL, plugin_id, 0); + + ret = slapi_modify_internal_pb(mod_pb); + if (ret != 0) { + LOG_FATAL("Modify failed with [%d] on entry [%s]\n", ret, dn_str); + goto done; + } + + ret = slapi_pblock_get(mod_pb, SLAPI_PLUGIN_INTOP_RESULT, &result); + if (ret != 0 || result != LDAP_SUCCESS){ + LOG_FATAL("Modify failed on entry [%s]\n", dn_str); + goto done; + } + +done: + slapi_ch_free_string(&sid); + slapi_pblock_destroy(mod_pb); + slapi_mods_free(&smods); + slapi_ch_array_free(objectclasses); + + return ret; +} diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_task.c b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_task.c new file mode 100644 index 0000000000000000000000000000000000000000..ffbc9c636e32b0c0a3960ec76eda378a94c504fe --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_task.c 
@@ -0,0 +1,348 @@ +/** BEGIN COPYRIGHT BLOCK + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + * + * Additional permission under GPLv3 section 7: + * + * In the following paragraph, "GPL" means the GNU General Public + * License, version 3 or any later version, and "Non-GPL Code" means + * code that is governed neither by the GPL nor a license + * compatible with the GPL. + * + * You may link the code of this Program with Non-GPL Code and convey + * linked combinations including the two, provided that such Non-GPL + * Code only links to the code of this Program through those well + * defined interfaces identified in the file named EXCEPTION found in + * the source code files (the "Approved Interfaces"). The files of + * Non-GPL Code may instantiate templates or use macros or inline + * functions from the Approved Interfaces without causing the resulting + * work to be covered by the GPL. Only the copyright holders of this + * Program may make changes or additions to the list of Approved + * Interfaces. + * + * Authors: + * Sumit Bose + * + * Copyright (C) 2012 Red Hat, Inc. + * All rights reserved. 
+ * END COPYRIGHT BLOCK **/ + +#include +#include +#include + +#include +#include + +#include "util.h" +#include "ipa_sidgen.h" + +#define NSEC_PER_SEC 1000000000UL + + +#define AT_CN "cn" + +Slapi_ComponentId *global_sidgen_plugin_id = NULL; + +struct worker_ctx { + long delay; + char *base_dn; + Slapi_ComponentId *plugin_id; + pthread_t tid; + char *dom_sid; + struct range_info **ranges; +}; + +static const char *fetch_attr(Slapi_Entry *e, const char *attrname, + const char *default_val) +{ + Slapi_Attr *attr; + Slapi_Value *val = NULL; + + if (slapi_entry_attr_find(e, attrname, &attr) != 0) + return default_val; + slapi_attr_first_value(attr, &val); + return slapi_value_get_string(val); +} + +static void free_pblock(void *arg) +{ + Slapi_PBlock *pb = (Slapi_PBlock *) arg; + + slapi_free_search_results_internal(pb); + slapi_pblock_destroy(pb); +} + +static int do_work(struct worker_ctx *worker_ctx) +{ + Slapi_PBlock *pb; + int ret; + size_t c; + char *filter = NULL; + char *attrs[] = { OBJECTCLASS, UID_NUMBER, GID_NUMBER, NULL }; + Slapi_Entry **e = NULL; + struct timespec ts; + + pb = slapi_pblock_new(); + if (pb == NULL) { + return ENOMEM; + } + + pthread_cleanup_push(free_pblock, (void *) pb); + + filter = slapi_ch_smprintf("(&(%s=%s)(!(%s=%s))(|(%s=%s)(%s=%s)(%s=%s))(!(%s=*)))", + OBJECTCLASS, IPA_OBJECT, + OBJECTCLASS, MEP_MANAGED_ENTRY, + OBJECTCLASS, POSIX_ACCOUNT, + OBJECTCLASS, POSIX_GROUP, + OBJECTCLASS, IPA_ID_OBJECT, + IPA_SID); + if (filter == NULL) { + LOG_FATAL("Cannot generate search filter for objects without a SID.\n"); + ret = ENOMEM; + goto done; + } + LOG("Base DN: [%s], Filter: [%s].\n", worker_ctx->base_dn, filter); + + slapi_search_internal_set_pb(pb, worker_ctx->base_dn, LDAP_SCOPE_SUBTREE, + filter, attrs, 0, NULL, NULL, + worker_ctx->plugin_id, 0); + ret = slapi_search_internal_pb(pb); + if (ret != 0) { + slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &ret); + if (ret != 0) { + LOG_FATAL("Search failed with [%d].\n", ret); + } else { + 
LOG_FATAL("slapi_search_internal_pb failed, " + "but no error code available.\n"); + ret = EFAULT; + } + goto done; + } + + ret = slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &e); + if (ret != 0) { + LOG_FATAL("slapi_pblock_get failed.\n"); + ret = EFAULT; + goto done; + } + + if (e == NULL || e[0] == NULL) { + LOG("No entry with missing SID found.\n"); + ret = 0; + goto done; + } + + for (c = 0; e[c] != NULL; c++) { + ret = find_sid_for_ldap_entry(e[c], worker_ctx->plugin_id, + worker_ctx->base_dn, worker_ctx->dom_sid, + worker_ctx->ranges); + if (ret != 0) { + LOG_FATAL("Cannot add SID to existing entry.\n"); + goto done; + } + + if (worker_ctx->delay != 0) { + ts.tv_nsec = worker_ctx->delay % NSEC_PER_SEC; + ts.tv_sec = (worker_ctx->delay - ts.tv_nsec) / NSEC_PER_SEC; + nanosleep(&ts, NULL); + } + }; + +done: + slapi_ch_free_string(&filter); + pthread_cleanup_pop(1); + + LOG("do_work finished with [%d].\n", ret); + + return ret; +} + +static void *sidgen_task_thread(void *arg) +{ + Slapi_Task *task = (Slapi_Task *)arg; + struct worker_ctx *worker_ctx; + int ret; + + if (task == NULL) { + LOG_FATAL("Missing task data!\n"); + ret =SLAPI_DSE_CALLBACK_OK; + goto done; + } + + worker_ctx = slapi_task_get_data(task); + if (worker_ctx == NULL) { + LOG_FATAL("Missing context!\n"); + ret =SLAPI_DSE_CALLBACK_OK; + goto done; + } + + slapi_task_begin(task, 1); + LOG_FATAL("Sidgen task starts ...\n"); + + ret = do_work(worker_ctx); + +done: + LOG_FATAL("Sidgen task finished [%d].\n", ret); + slapi_task_inc_progress(task); + slapi_task_finish(task, ret); + + return NULL; +} + +static void sidgen_task_destructor(Slapi_Task *task) +{ + struct worker_ctx *worker_ctx; + + if (task != NULL) { + worker_ctx = slapi_task_get_data(task); + if (worker_ctx != NULL) { + free_ranges(&worker_ctx->ranges); + slapi_ch_free_string(&worker_ctx->dom_sid); + slapi_ch_free_string(&worker_ctx->base_dn); + slapi_ch_free((void **) &worker_ctx); + } + } +} + +int 
sidgen_task_add(Slapi_PBlock *pb, Slapi_Entry *e, + Slapi_Entry *eAfter, int *returncode, + char *returntext, void *arg) +{ + int ret = SLAPI_DSE_CALLBACK_ERROR; + const char *str; + struct worker_ctx *worker_ctx = NULL; + char *endptr; + Slapi_Task *task = NULL; + + *returncode = LDAP_OPERATIONS_ERROR; + returntext[0] = '\0'; + + worker_ctx = (struct worker_ctx *) slapi_ch_calloc(1, + sizeof(struct worker_ctx)); + if (worker_ctx == NULL) { + LOG_FATAL("slapi_ch_malloc failed!\n"); + *returncode = LDAP_OPERATIONS_ERROR; + ret = SLAPI_DSE_CALLBACK_ERROR; + goto done; + } + + worker_ctx->plugin_id = global_sidgen_plugin_id; + + str = fetch_attr(e, "delay", NULL); + if (str != NULL) { + errno = 0; + worker_ctx->delay = strtol(str, &endptr, 10); + if (errno != 0 || worker_ctx->delay < 0) { + LOG_FATAL("invalid delay [%s]!\n", str); + *returncode = LDAP_CONSTRAINT_VIOLATION; + ret = SLAPI_DSE_CALLBACK_ERROR; + goto done; + } + } + LOG("delay is [%li].\n", worker_ctx->delay); + + str = fetch_attr(e, "nsslapd-basedn", NULL); + if (str == NULL) { + LOG_FATAL("Missing nsslapd-basedn!\n"); + *returncode = LDAP_CONSTRAINT_VIOLATION; + ret = SLAPI_DSE_CALLBACK_ERROR; + goto done; + } + worker_ctx->base_dn = slapi_ch_strdup(str); + if (worker_ctx->base_dn == NULL) { + LOG_FATAL("Failed to copy base DN.\n"); + *returncode = LDAP_OPERATIONS_ERROR; + ret = ENOMEM; + goto done; + } + + ret = get_dom_sid(worker_ctx->plugin_id, worker_ctx->base_dn, + &worker_ctx->dom_sid); + if (ret != 0) { + LOG_FATAL("Cannot find domain SID.\n"); + goto done; + } + + ret = get_ranges(worker_ctx->plugin_id, worker_ctx->base_dn, + &worker_ctx->ranges); + if (ret != 0) { + LOG_FATAL("Cannot find ranges.\n"); + goto done; + } + + task = slapi_new_task(slapi_entry_get_ndn(e)); + if (task == NULL) { + LOG_FATAL("unable to allocate new task!\n"); + *returncode = LDAP_OPERATIONS_ERROR; + ret = SLAPI_DSE_CALLBACK_ERROR; + goto done; + } + + slapi_task_set_destructor_fn(task, sidgen_task_destructor); + 
slapi_task_set_data(task, worker_ctx); + + ret = pthread_create(&worker_ctx->tid, NULL, sidgen_task_thread, task); + if (ret != 0) { + LOG_FATAL("unable to create sidgen task thread!\n"); + *returncode = LDAP_OPERATIONS_ERROR; + ret = SLAPI_DSE_CALLBACK_ERROR; + slapi_task_finish(task, *returncode); + goto done; + } + + ret = SLAPI_DSE_CALLBACK_OK; + *returncode = LDAP_SUCCESS; + +done: + if (ret != SLAPI_DSE_CALLBACK_OK) { + slapi_ch_free((void **) &worker_ctx->base_dn); + slapi_ch_free((void **) &worker_ctx); + } + return ret; +} + +static int sigden_task_start(Slapi_PBlock *pb) +{ + int ret = 0; + + ret = slapi_task_register_handler("ipa-sidgen-task", sidgen_task_add); + + return ret; +} + +int sidgen_task_init(Slapi_PBlock *pb) +{ + int ret = 0; + + ret = slapi_pblock_get(pb, SLAPI_PLUGIN_IDENTITY, + &global_sidgen_plugin_id); + if (ret != 0 || global_sidgen_plugin_id == NULL) { + LOG_FATAL("Plugin identity not available.\n"); + ret = (ret != 0) ? ret : EINVAL; + goto done; + } + + ret = slapi_pblock_set(pb, SLAPI_PLUGIN_VERSION, + (void *) SLAPI_PLUGIN_VERSION_03); + + ret |= slapi_pblock_set(pb, SLAPI_PLUGIN_START_FN, + (void *) sigden_task_start); + +done: + if (ret != 0) { + LOG_FATAL("Failed to initialize plug-in\n" ); + } + + return ret; +} diff --git a/freeipa.spec.in b/freeipa.spec.in index 7c1dc4312e89decb5b911a9962fbb020761b28d2..58393bb0f788cba9bc9c60b6ab85899fc89bcdc9 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -355,6 +355,8 @@ rm %{buildroot}/%{plugin_dir}/libipa_uuid.la rm %{buildroot}/%{plugin_dir}/libipa_modrdn.la rm %{buildroot}/%{plugin_dir}/libipa_lockout.la rm %{buildroot}/%{plugin_dir}/libipa_cldap.la +rm %{buildroot}/%{plugin_dir}/libipa_sidgen.la +rm %{buildroot}/%{plugin_dir}/libipa_sidgen_task.la rm %{buildroot}/%{_libdir}/krb5/plugins/kdb/ipadb.la rm %{buildroot}/%{_libdir}/samba/pdb/ipasam.la 
@@ -664,6 +666,8 @@ fi %{_sbindir}/ipa-adtrust-install %{_usr}/share/ipa/smb.conf.empty %attr(755,root,root) %{_libdir}/samba/pdb/ipasam.so +%attr(755,root,root) %{plugin_dir}/libipa_sidgen.so +%attr(755,root,root) %{plugin_dir}/libipa_sidgen_task.so %{_mandir}/man1/ipa-adtrust-install.1.gz %{python_sitelib}/ipaserver/dcerpc* %{python_sitelib}/ipaserver/install/adtrustinstance* diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py index 4d417c8d1d15e4e7a799e871f886232cbf888331..ba2e6ef5dfe1b2ff6f588adf5ec53882e0f81d9b 100644 --- a/ipaserver/install/adtrustinstance.py +++ b/ipaserver/install/adtrustinstance.py @@ -223,6 +223,13 @@ class ADTRUSTInstance(service.Service): except: pass + def __add_sidgen_module(self): + try: + self._ldap_mod("ipa-sidgen-conf.ldif", self.sub_dict) + self._ldap_mod("ipa-sidgen-task-conf.ldif", self.sub_dict) + except: + pass + def __write_smb_registry(self): template = os.path.join(ipautil.SHARE_DIR, "smb.conf.template") conf = ipautil.template_file(template, self.sub_dict) @@ -430,6 +437,7 @@ class ADTRUSTInstance(service.Service): self.step("adding cifs Kerberos principal", self.__setup_principal) self.step("adding admin(group) SIDs", self.__add_admin_sids) self.step("activating CLDAP plugin", self.__add_cldap_module) + self.step("activating sidgen plugin and task", self.__add_sidgen_module) self.step("configuring smbd to start on boot", self.__enable) if not self.no_msdcs: self.step("adding special DNS service records", \ -- 1.7.10.2 From pvoborni at redhat.com Mon Jun 25 10:43:03 2012 
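Review bot: __add_sidgen_module in adtrustinstance.py swallows every exception with a bare except/pass, so a failing load of ipa-sidgen-conf.ldif or ipa-sidgen-task-conf.ldif leaves the "activating sidgen plugin and task" step reporting success while no SIDs will ever be generated for new users and groups, which only surfaces later as trust authentication failures. This mirrors the existing __add_cldap_module pattern visible in the context lines, but at minimum the exception should be logged, and since the installer already has a step for it, letting the step fail is the safer default.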
From: pvoborni at redhat.com (Petr Vobornik) Date: Mon, 25 Jun 2012 12:43:03 +0200 Subject: [Freeipa-devel] [PATCH] 160,161 Trust Web UI In-Reply-To: <4FE50373.6020607@redhat.com> References: <4FE472E0.6060903@redhat.com> <20120622164842.GD28689@redhat.com> <4FE50373.6020607@redhat.com> Message-ID: <4FE840B7.1010108@redhat.com> On 06/23/2012 01:44 AM, Endi Sukma Dewata wrote: > On 6/22/2012 11:48 AM, Alexander Bokovoy wrote: >> 2. First two chunks of install/ui/test/data/ipa_init_commands.json and >> install/ui/test/data/ipa_init_objects.json changes look unrelated to >> this ticket. > > These files are snapshots of metadata used for demo/testing. I suppose > Petr was updating the entire files which automatically includes recent > changes to the metadata. > >> ACK > > Ditto. The UI code looks fine so it can be pushed. Btw, nice use of > layout class. > > Some comments: > > 1. The CLI command to add trust is trust-add-ad. Should the UI button > also say "Add AD"? If we later support additional trust types would that > appear as separate buttons/dialogs or same button/dialog with maybe > drop-down list to select the type? "Add AD" label seems weird to me. Now we support only one type of trust. We should keep the 'Add'. When additional trust support is added I'm in favor of a dropdown list or radios to select the type. Params and method for each trust type would probably be different so various fields would have to be hidden/displayed when different trust types are selected. Having more 'Add' buttons would make things less clear. I don't like having different dialogs. It would require having multiple 'Add' buttons in the search page which seems inconsistent and non-standard to me. > > 2. The trust-add-ad has an optional --server parameter. There's no > corresponding field in the UI. Is this parameter supported? Alexander? This attr. wasn't mentioned in the design specs.
Is it for specifying the DC server when auto-discovery fails? I can add it in a separate patch. > > 3. In the search page we might be able to add some other columns such as > NetBIOS name, trust type, or status (when it's available later) which > can be obtained using the --all option. I'll add them when status is available. IMO status is the really useful one. > > 4. With Alexander's new patch the ipantsecurityidentifier in the UI > should be removed/replaced with ipanttrusteddomainsid. Attaching updated patch with these names changed. > > The following are comments for the server: > > 5. Should the trust-show return the realm_admin & realm_server? If so > they should be displayed in the details page too. > > 6. Would we support changing the trust password later? If so we would > need an action panel. > > 7. If you add a trust with incomplete parameters the server will return > an internal error: > > % ipa trust-add-ad ad.test > ipa: ERROR: an internal error has occured > > 8. If you add the same trust again (correctly) the server will accept it > without error. > -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0161-1-Trust-Web-UI.patch Type: text/x-patch Size: 54107 bytes Desc: not available URL: From sbose at redhat.com Mon Jun 25 10:59:15 2012
From: sbose at redhat.com (Sumit Bose) Date: Mon, 25 Jun 2012 12:59:15 +0200 Subject: [Freeipa-devel] [PATCH] External group membership for trusted domains In-Reply-To: <20120621152602.GA28689@redhat.com> References: <20120621152602.GA28689@redhat.com> Message-ID: <20120625105914.GX29454@localhost.localdomain> Hi Alexander, On Thu, Jun 21, 2012 at 06:26:02PM +0300, Alexander Bokovoy wrote: > Hi! > > Attached is the patch to support external group membership for trusted > domains. This is needed to get proper group membership with the work > Sumit and Jan are doing on both IPA and SSSD sides. > > We already have ipaExternalGroup class that includes ipaExternalMember > attribute (multivalued case-insensitive string). The group that has > ipaExternalGroup object class will have to be non-POSIX and > ipaExternalMember > attribute will contain security identifiers (SIDs) of members from > trusted domains. > > The patch takes care of three things: > 1. Extends 'ipa group-add' with --external option to add > ipaExternalGroup object class to a new group > 2. Modifies 'ipa group-add-member' to accept --external CSV argument > to specify SIDs > 3. Modifies 'ipa group-del-member' to allow removing external members. Thank you for the patch, it works as expected, but I have a few comments: - there is a trailing whitespace at the end of the "This means we can't check the correctness of a trusted domain SIDs" line - when using ipa group-add-member with --external there are still prompts for [member user] and [member group], can those be suppressed? - with ipa group-mod --posix it is possible to add the posixGroup objectclass together with a GID to the external group object. This should result in an error and also the other way round, adding --external to Posix groups. bye, Sumit > > When adding new external member we also perform SID correctness checks. > This is important part of the patch due to potential security > implications of allowing random SIDs.
SIDs are universal identifiers and > can point to objects in own domain as well as any other. If so-called > builtin SIDs are used, they are resolved against local domain which will > allow granting permissions trusted domain user should have never had. > > Below is how we do perform validation of SIDs: > 1. Use Samba 4 bindings to parse SID and validate its format > 2. If SID is outside S-1-5- prefix (SID_NT_AUTHORITY), we reject it. > 3. If SID is from our own domain, we reject it. > 4. If SID is from any of our trusted domains, we accept it > 5. Otherwise we reject SID. > > Here is real code: > + def is_trusted_sid_valid(self, sid): > + if not self.domain: > + # our domain is not configured or self.is_configured() never run > + # reject SIDs as we can't check correctness of them > + return False > + # Parse sid string to see if it is really in a SID format > + try: > + test_sid = security.dom_sid(sid) > + except TypeError: > + return False > + (dom, sid_rid) = test_sid.split() > + sid_dom = str(dom) > + # Now we have domain prefix of the sid as sid_dom string and can > + # analyze it against known prefixes > + if sid_dom.find(security.SID_NT_AUTHORITY) != 0: > + # Ignore any potential SIDs that are not S-1-5-* > + return False > + if sid_dom.find(self.sid) == 0: > + # A SID from our own domain cannot be treated as trusted domain's SID > + return False > + # At this point we have SID_NT_AUTHORITY family SID and really need to > + # check it against prefixes of domain SIDs we trust to > + if not self._domains: > + self._domains = self.get_trusted_domains() > + if len(self._domains) == 0: > + # Our domain is configured but no trusted domains are configured > + # This means we can't check the correctness of a > trusted domain SIDs + return False > + # We have non-zero list of trusted domains and have to go through them > + # one by one and check their sids as prefixes > + for (dn, domaininfo) in self._domains: > + if 
sid_dom.find(domaininfo[self.ATTR_TRUSTED_SID][0]) == 0: > + return True > + return False > > > > -- > / Alexander Bokovoy From pviktori at redhat.com Mon Jun 25 11:17:43 2012 
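Review bot: the trusted-domain test at the end of is_trusted_sid_valid, `if sid_dom.find(domaininfo[self.ATTR_TRUSTED_SID][0]) == 0: return True`, is a string-prefix match rather than a domain-SID comparison, so a SID whose domain part merely begins with a trusted domain's SID string is accepted: with a trusted domain S-1-5-21-111-222-333, the foreign SID S-1-5-21-111-222-3334-1105 passes because "S-1-5-21-111-222-3334".find("S-1-5-21-111-222-333") == 0, which defeats the purpose of the check described above. The same find() == 0 idiom in `if sid_dom.find(self.sid) == 0` works in the other direction and rejects every trusted domain whose SID string happens to extend our own, and the SID_NT_AUTHORITY test (assuming that constant is "S-1-5", as the comment implies) lets identifier authorities such as 50 through since "S-1-50-..." starts with "S-1-5". Compare the split-off domain SID for equality with each trusted SID (or compare dom_sid objects directly) and check the identifier authority of the parsed SID rather than a string prefix.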
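The five validation steps listed in the message, as a stand-alone illustration written for this page rather than code from the patch: the Samba security.dom_sid parsing is replaced by a small hand-written parser so the example runs without Samba bindings, and the domain part of the SID is compared with the trusted list by equality. The own-domain SID and the trusted-domain SIDs are constructed for the example (in FreeIPA they come from LDAP), the SID_NT_AUTHORITY value is assumed to be the S-1-5 family, and a str.find()-based variant is included only so the two behaviours can be compared on the same inputs.

```python
import re

# Assumption: Samba's security.SID_NT_AUTHORITY is the "S-1-5" family; the
# patch comment says "Ignore any potential SIDs that are not S-1-5-*".
NT_AUTHORITY = 5

# Constructed values for this example (in FreeIPA they come from LDAP, e.g.
# ipanttrusteddomainsid on the trust entries): our own domain SID and the
# domain SIDs we trust. The second trusted SID deliberately extends our own.
OUR_DOMAIN_SID = "S-1-5-21-1-2-3"
TRUSTED_DOMAIN_SIDS = ["S-1-5-21-111-222-333", "S-1-5-21-1-2-34"]

# Textual SID: S-1-<identifier authority>-<sub authority>[-<sub authority>...]
_SID_RE = re.compile(r"^S-1-(\d{1,12})((?:-\d{1,10}){1,15})$")


def parse_sid(sid):
    """Stand-in for security.dom_sid(): (identifier_authority, [sub_authorities])
    or ValueError for anything that is not a well-formed SID string."""
    m = _SID_RE.match(sid) if isinstance(sid, str) else None
    if m is None:
        raise ValueError("not a SID: %r" % (sid,))
    authority = int(m.group(1))
    subs = [int(p) for p in m.group(2).split("-")[1:]]
    if authority > 0xFFFFFFFFFFFF or any(s > 0xFFFFFFFF for s in subs):
        raise ValueError("SID component out of range: %r" % (sid,))
    return authority, subs


def split_domain_rid(sid):
    """Mimic dom_sid.split(): the domain SID is everything but the last
    sub-authority, which is the RID."""
    authority, subs = parse_sid(sid)
    domain = "-".join(["S-1-%d" % authority] + [str(s) for s in subs[:-1]])
    return authority, domain, subs[-1]


def is_trusted_sid_valid(sid, our_domain_sid=OUR_DOMAIN_SID,
                         trusted_domain_sids=TRUSTED_DOMAIN_SIDS):
    """Steps 1-5 from the message, comparing domain SIDs by equality."""
    try:
        authority, domain, _rid = split_domain_rid(sid)   # 1. parse and split
    except ValueError:
        return False
    if authority != NT_AUTHORITY:                          # 2. only S-1-5-* SIDs
        return False
    if domain == our_domain_sid:                           # 3. never our own domain
        return False
    if not trusted_domain_sids:                            # 4. nothing trusted, nothing valid
        return False
    return domain in set(trusted_domain_sids)              # 4./5. exact match, else reject


def is_trusted_sid_valid_prefix(sid, our_domain_sid=OUR_DOMAIN_SID,
                                trusted_domain_sids=TRUSTED_DOMAIN_SIDS):
    """Same steps written with str.find() == 0 prefix tests, kept only to show
    how a prefix test behaves on the same inputs (this is the weak variant)."""
    try:
        _authority, domain, _rid = split_domain_rid(sid)
    except ValueError:
        return False
    if domain.find("S-1-5") != 0:
        return False
    if domain.find(our_domain_sid) == 0:
        return False
    if not trusted_domain_sids:
        return False
    return any(domain.find(t) == 0 for t in trusted_domain_sids)


if __name__ == "__main__":
    probes = [
        "S-1-5-21-111-222-333-1105",   # user in a trusted domain: both accept
        "S-1-5-21-111-222-3334-1105",  # foreign domain whose string extends a trusted one: prefix accepts
        "S-1-5-21-1-2-34-1000",        # trusted domain whose string extends our own: prefix rejects
        "S-1-5-32-544",                # BUILTIN\Administrators: both reject
        "S-1-5-21-1-2-3-500",          # our own Administrator: both reject
        "S-1-1-0",                     # Everyone, not S-1-5: both reject
    ]
    for probe in probes:
        print("%-28s exact=%-5s prefix=%s" % (
            probe, is_trusted_sid_valid(probe), is_trusted_sid_valid_prefix(probe)))
```

Running the block prints one line per probe; the two middle probes are the ones where the prefix variant and the equality variant disagree, in opposite directions.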
From: pviktori at redhat.com (Petr Viktorin) Date: Mon, 25 Jun 2012 13:17:43 +0200 Subject: [Freeipa-devel] [PATCH] 0066 Arrange stripping .po files Message-ID: <4FE848D7.1010004@redhat.com> The translation files we currently store in Git are full of redundant information: source strings for untranslated messages, and file locations. The first causes unnecessarily huge files. The second makes diffs unreadable: when code is edited and line numbers change, metadata for all messages shows up as changed. This makes reviewing translation patches, and merging possible conflicts, hard -- it requires specialized tools. This patch changes the Makefile to strip the unneeded data from .po files. Translators using Git must now run msgmerge (or, `make merge-po`) to get .po files they can work with. Transifex users are unaffected, as the source .pot file is not changed. The i18n tests use file locations for producing nice error reports¹. To make this work as before, the .pot is merged in before validation to restore comments. Currently this takes a noticeable amount of time, because polib uses a particularly naïve algorithm for merging. I've sent a patch to polib to resolve this; once that makes it downstream merging will be fast again. Updating the translations with the new Makefile will cause a >5MB patch. I don't want to pollute the mailing list with it, at least until the Makefile patch is reviewed. It's available at https://github.com/encukou/freeipa/commit/65e2e4.patch https://fedorahosted.org/freeipa/ticket/2435 -- ¹ And for divining the programming language messages come from, but that is only done on the .pot file, unaffected by this patch. -- Petr³ -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0066-Arrange-stripping-.po-files.patch Type: text/x-patch Size: 7917 bytes Desc: not available URL: From abokovoy at redhat.com Mon Jun 25 12:11:18 2012
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 25 Jun 2012 15:11:18 +0300 Subject: [Freeipa-devel] [PATCH] External group membership for trusted domains In-Reply-To: <20120625105914.GX29454@localhost.localdomain> References: <20120621152602.GA28689@redhat.com> <20120625105914.GX29454@localhost.localdomain> Message-ID: <20120625121118.GA5935@redhat.com> On Mon, 25 Jun 2012, Sumit Bose wrote: >Hi Alexander, > >On Thu, Jun 21, 2012 at 06:26:02PM +0300, Alexander Bokovoy wrote: >> Hi! >> >> Attached is the patch to support external group membership for trusted >> domains. This is needed to get proper group membership with the work >> Sumit and Jan are doing on both IPA and SSSD sides. >> >> We already have ipaExternalGroup class that includes ipaExternalMember >> attribute (multivalued case-insensitive string). The group that has >> ipaExternalGroup object class will have to be non-POSIX and >> ipaExternalMember >> attribute will contain security identifiers (SIDs) of members from >> trusted domains. >> >> The patch takes care of three things: >> 1. Extends 'ipa group-add' with --external option to add >> ipaExternalGroup object class to a new group >> 2. Modifies 'ipa group-add-member' to accept --external CSV argument >> to specify SIDs >> 3. Modifies 'ipa group-del-member' to allow removing external members. > >Thank you for the patch, it works as expected, but I have a few >comments: > >- there is a trailing whitespace at the end of the "This means we can't > check the correctness of a trusted domain SIDs" line Will fix. >- when using ipa group-add-member with --external there are still prompts > for [member user] and [member group], can those be suppressed? No, because you can add all of them to the group at the same time. An example in the ticket showed that it is a supported configuration. >- with ipa group-mod --posix it is possible to add the posixGroup > objectclass together with a GID to the external group object.
This > should result in an error and also the other way round, adding > --external to Posix groups. Will add that, thanks. -- / Alexander Bokovoy From abokovoy at redhat.com Mon Jun 25 12:15:35 2012 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 25 Jun 2012 15:15:35 +0300 Subject: [Freeipa-devel] [PATCH] 160,161 Trust Web UI In-Reply-To: <4FE840B7.1010108@redhat.com> References: <4FE472E0.6060903@redhat.com> <20120622164842.GD28689@redhat.com> <4FE50373.6020607@redhat.com> <4FE840B7.1010108@redhat.com> Message-ID: <20120625121535.GB5935@redhat.com> On Mon, 25 Jun 2012, Petr Vobornik wrote: >On 06/23/2012 01:44 AM, Endi Sukma Dewata wrote: >>On 6/22/2012 11:48 AM, Alexander Bokovoy wrote: >>>2. First two chunks of install/ui/test/data/ipa_init_commands.json and >>>install/ui/test/data/ipa_init_objects.json changes look unrelated to >>>this ticket. >> >>These files are snapshots of metadata used for demo/testing. I suppose >>Petr was updating the entire files which automatically includes recent >>changes to the metadata. >> >>>ACK >> >>Ditto. The UI code looks fine so it can be pushed. Btw, nice use of >>layout class. >> >>Some comments: >> >>1. The CLI command to add trust is trust-add-ad. Should the UI button >>also say "Add AD"? If we later support additional trust types would that >>appear as separate buttons/dialogs or same button/dialog with maybe >>drop-down list to select the type? >"Add AD" label seems weird to me. Now we support only one type of >trust. We should keep the 'Add'. > >When additional trusts support is added I'm in favor of a dropdown >list or radios to select the type. Params and method for each trust >type would be probably different so various field would have to be >hidden/displayed when different trust types are selected. Having more >'Add' buttons would make things less clear. > >I don't like having different dialogs. It would require having >multiple 'Add' buttons in search page which seems inconsistent and >non-standard to me. > >> >>2. The trust-add-ad has an optional --server parameter. There's no >>corresponding field in the UI. Is this parameter supported? >Alexander? This attr. wasn't mentioned in design specs. 
IMO it should >be in UI if the command supports it, probably under 'Domain' field. >Is it for specifying the DC server when auto-discovery fails? > >I can add it in separate patch. I'd prefer to keep --server option not exposed in the UI to avoid clutter. If auto-discovery fails, you'll need to use CLI anyway as there will probably be need to manipulate DNS setup. >>3. In the search page we might be able add some other columns such as >>NetBIOS name, trust type, or status (when it's available later) which >>can be obtained using the --all option. >I'll add them when status is available. IMO status is the really useful one. You can add NetBIOS name. Trust type will be the same for all trusts until we start supporting IPA-IPA trusts. At which point we'll need to make amendments to the UI anyway. -- / Alexander Bokovoy From mkosek at redhat.com Mon Jun 25 12:24:38 2012 
From: mkosek at redhat.com (Martin Kosek) Date: Mon, 25 Jun 2012 14:24:38 +0200 Subject: [Freeipa-devel] [PATCH] 1023 tool for configuring automount In-Reply-To: <4FE4AAEB.0@redhat.com> References: <4FCE61FD.80801@redhat.com> <4FD0CC45.6080803@redhat.com> <4FE2071A.10008@redhat.com> <1340268011.12122.2.camel@balmora.brq.redhat.com> <4FE4AAEB.0@redhat.com> Message-ID: <4FE85886.1050305@redhat.com> On 06/22/2012 07:27 PM, Rob Crittenden wrote: > Martin Kosek wrote: >> On Wed, 2012-06-20 at 13:23 -0400, Rob Crittenden wrote: >>> Rob Crittenden wrote: >>>> Rob Crittenden wrote: >>>>> Here is a tool that can be used to configure automount in an IPA >>>>> client. >>>>> It can use either SSSD or autofs for automount. It also configures >>>>> NFSv4 >>>>> on the client so secure maps will work. >>>> >>>> rebased patch >>> >>> rebase again >>> >>> rob >> >> I finally managed to look at this patch. This is generally good work >> and makes things a lot easier, but still I found a few issues: [snip] >> >> 5) Would it make sense to check if the given automount location exists? >> Currently there is no check for that: >> >> # ipa-configure-automount --server vm-091.idm.lab.bos.redhat.com >> --location foo >> Searching for IPA server... >> IPA server: DNS discovery >> Location: foo >> Continue to configure the system with these values? [no]: y >> Configured /etc/nsswitch.conf >> Configured /etc/sysconfig/nfs >> Configured /etc/idmapd.conf >> Started nfs-server.service >> Started nfs-secure.service >> Restarting sssd, waiting for it to become available. >> Started autofs.service >> >> Automount then obviously does not work: > > There was even a TODO in the code for this. I went ahead and did it. I > had punted originally because it wasn't really a big deal to unconfigure > and reconfigure with the right location. It's better, thanks. The error message could be more user-friendly and for example print all available automount locations, but it's not a blocking issue.
We may however print other errors.ExecutionError's, e.g. I hit this when I uninstalled automount support and then installed it again too fast: # ipa-client-automount --server=vm-091.idm.lab.bos.redhat.com --location brno --no-sssd Searching for IPA server... IPA server: DNS discovery Location: brno Traceback (most recent call last): File "/sbin/ipa-client-automount", line 458, in sys.exit(main()) File "/sbin/ipa-client-automount", line 426, in main api.Command['automountlocation_show'](unicode(options.location)) File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 435, in __call__ ret = self.run(*args, **options) File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 748, in run return self.forward(*args, **options) File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 769, in forward return self.Backend.xmlclient.forward(self.name, *args, **kw) File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 531, in forward return self.forward(name, *args, **kw) File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 514, in forward raise NetworkError(uri=server, error=str(e)) ipalib.errors.NetworkError: cannot connect to 'http://vm-091.idm.lab.bos.redhat.com/ipa/xml': [Errno -8053] (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use. >> 7) This is related to ipa-client-install, but even when I disable >> autodiscovery and add the --server option it still disregards it and tries >> to search SRV records: >> >> # ipa-configure-automount --server=vm-091.idm.lab.bos.redhat.com >> >> Unable to confirm that.redhat.com is an IPA v2 server > > Yeah, I think a separate ticket should be opened up, I call the same > code as ipa-client-install. The issue here is that you don't pass either server or domain to the ds.search() function.
ipa-client-install uses this call: ret = ds.search(domain=options.domain, server=options.server, hostname=hostname) But ipa-client-automount just calls: + ret = ds.search() You may also need to add the --domain parameter just like ipa-client-install does. > >> >> 8) When discovery is on, we are not really verbose: >> >> # ipa-configure-automount >> Searching for IPA server... >> IPA server: DNS discovery >> Location: default >> Continue to configure the system with these values? [no]: >> >> We just write "IPA server: DNS discovery", but I would at least like to >> know what servers it detected so that I know it does the right thing. > > This should be better with Petr^3's patches. Is it not? Perhaps only > with --debug? I don't think it does, this is printed in ipa-client-automount: + if not autodiscover: + print "IPA server: %s" % server + else: + print "IPA server: DNS discovery" > >> 9) autofs via LDAP (no SSSD) is broken when autodiscovery is used. After >> some investigation I found this line is causing it: >> >> + if not autodiscover: >> + ldap_uri = "ldap://%s" % server >> + else: >> + ldap_uri = "ldap:///%s" % api.env.basedn<<< >> >> There should be an IPA server, not basedn. When I fixed it, autofs via >> LDAP worked. > > I'm not sure why it didn't work, this is correct. > ldap:///dc=example,dc=com tells the autofs client to use DNS discovery > to find the right server. It works for me. Now, it worked for me too, I must have had some bad setting. [snip] 11) I found another issue, nested indirect maps did not work with the sssd provider but they did with the ldap provider in nsswitch. But this is a problem on the SSSD side, I filed a ticket for them: https://fedorahosted.org/sssd/ticket/1390 I also found 3 new issues (sorry for not finding them in the original review). 12) I see we log to ~/.ipa/default.log. I think it would be better to append the log to ipaclient-install.log or similar. 13) The first three options in the ipa-client-automount man page are not formatted right.
Bold format is missing and there is an extra tag in the --location option: --server=SERVER Set the IPA server to connect to --location=LOCATION Automount location -S, --no-sssd Do not configure the client to use SSSD for automount 14) I assume that your patch also covers ticket 2193, I think it should be added to the patch description too. Martin From simo at redhat.com Mon Jun 25 12:38:36 2012
From: simo at redhat.com (Simo Sorce) Date: Mon, 25 Jun 2012 08:38:36 -0400 Subject: [Freeipa-devel] [PATCH] 160,161 Trust Web UI In-Reply-To: <4FE840B7.1010108@redhat.com> References: <4FE472E0.6060903@redhat.com> <20120622164842.GD28689@redhat.com> <4FE50373.6020607@redhat.com> <4FE840B7.1010108@redhat.com> Message-ID: <1340627916.32038.445.camel@willson.li.ssimo.org> On Mon, 2012-06-25 at 12:43 +0200, Petr Vobornik wrote: > On 06/23/2012 01:44 AM, Endi Sukma Dewata wrote: > > On 6/22/2012 11:48 AM, Alexander Bokovoy wrote: > >> 2. First two chunks of install/ui/test/data/ipa_init_commands.json and > >> install/ui/test/data/ipa_init_objects.json changes look unrelated to > >> this ticket. > > > > These files are snapshots of metadata used for demo/testing. I suppose > > Petr was updating the entire files which automatically includes recent > > changes to the metadata. > > > >> ACK > > > > Ditto. The UI code looks fine so it can be pushed. Btw, nice use of > > layout class. > > > > Some comments: > > > > 1. The CLI command to add trust is trust-add-ad. Should the UI button > > also say "Add AD"? If we later support additional trust types would that > > appear as separate buttons/dialogs or same button/dialog with maybe > > drop-down list to select the type? > "Add AD" label seems weird to me. Now we support only one type of trust. > We should keep the 'Add'. I have to say I also find the trust-add-ad command really weird, difficult to use, to spell vocally and to remember. Alexander, can we change it to trust-add --type=ad, where we can omit --type=ad for now as it is the only one; later on we can decide what to default to when --type is omitted. Simo. -- Simo Sorce * Red Hat, Inc * New York From pviktori at redhat.com Mon Jun 25 13:00:57 2012
From: pviktori at redhat.com (Petr Viktorin) Date: Mon, 25 Jun 2012 15:00:57 +0200 Subject: [Freeipa-devel] [PATCH] 0056 Framework for admin/install tools, with ipa-ldap-updater In-Reply-To: <4FE1F73E.6000003@redhat.com> References: <4FCCCC8B.1030903@redhat.com> <4FDF38AC.1000508@redhat.com> <4FE1F73E.6000003@redhat.com> Message-ID: <4FE86109.8030900@redhat.com> On 06/20/2012 06:15 PM, Rob Crittenden wrote: > Petr Viktorin wrote: >> On 06/04/2012 04:56 PM, Petr Viktorin wrote: >>> Currently, FreeIPA's install/admin scripts are long pieces of code >>> that aren't very reusable, importable, or testable. >>> They have been extended over time with features such as logging and >>> error handling, but since each tool was extended individually, there >>> is much inconsistency and code duplication. >>> This patch starts a framework which the admin tools can use, and >>> converts ipa-ldap-updater to use the framework. >>> >>> In an earlier patch I found that improving a particular functionality in >>> all the commands is not workable, so I want to tackle this one tool at a >>> time. >>> I'm starting with ipa-ldap-updater, because it's pretty small, doesn't >>> use DNs (I don't want conflicts with John's work), and has the >>> interesting --upgrade option. >>> >>> >>> The framework does these tasks: >>> - Parse options >>> - Select tool to run (see below) >>> - Validate options >>> - Set up logging >>> - Run the tool code >>> - Handle any errors >>> - Log success/failure >>> >>> The base class has some defaults for these that the tools can >>> extend/override. >>> >>> >>> To handle the case where one script does two different things >>> (ipa-ldap-updater with/without --upgrade, or ipa-server-install >>> with/without --uninstall), I want to split the tool in two classes >>> rather than have repeated ifs in the code. >>> This meant that option parsing (and initializing the parser) has to be >>> done before creating an instance of the tool. I use a factory >>> classmethod. 
>>> >>> >>> I put the admintool base class in ipapython/ as it should be useful for >>> ipa-client-install as well. >>> >>> >>> >>> First part of the work for: >>> https://fedorahosted.org/freeipa/ticket/2652 >>> >>> >> >> Attaching rebased patch. > > I gather you want people to be calling run_cli() in their admin tools. > Should main() be made private then? I could see someone getting confused > and using main instead, which would work, but then the return value > might not do the right thing. > > Or maybe just drop run_cli and have main exit with sys.exit()? I don't see why running a command as a Python function should be discouraged. In fact it could even help -- for example logging could only be set up once, so if we call, say, ipa-ldap-updater from ipa-server-install, all related logs would go to a single file. A C-style main (taking a list of arguments and returning the exit status) is a good thing for modularity and testability. The `run_cli` method is just a convenient shortcut for the usual usage, so the calling modules can be as small as possible. If people get confused and call main instead of run_cli, they need to manually pass in sys.argv. I think this is enough of a warning that their assumptions aren't right. To make it even clearer I've removed the possibility to pass None as argv to main() and have it auto-filled. 
Some relevant reading: http://www.artima.com/weblogs/viewpost.jsp?thread=4829 (old but still valid) http://en.wikipedia.org/wiki/Main_function#Python > It isn't correctly handling the case of an update not found: > > ipa : INFO Parsing file ad > [Errno 2] No such file or directory: 'ad' > ipa : INFO File > "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 151, in > execute > self.run() > File > "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_ldap_updater.py", line > 180, in run > modified = ld.update(self.files) > File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", > line 828, in update > sys.exit(1) > > ipa : INFO The ipa-ldap-updater command failed, exception: SystemExit: 1 I've added validation for missing files, and improved the error message ldapupdate raises (for cases the validation doesn't catch, like passing directories or unreadable files). Ideally ldapupdate would not try to handle the error itself, but that code is used in more places that I don't want to break, so I'm leaving the extraneous print in. > Running in test mode with the attached update doesn't seem to work > either. There is nothing special about this file, just something I had > lying around: > > ipa : INFO File > "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 151, in > execute > self.run() > File > "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_ldap_updater.py", line > 184, in run > 'Update complete, changes to be made, test mode', 2) > > ipa : INFO The ipa-ldap-updater command failed, exception: ScriptError: > Update complete, changes to be made, test mode > ipa : ERROR Update complete, changes to be made, test mode > > ipa : ERROR None Fixed. > The unit tests still pass which is good. > > With ipa-ldap-updater the return value is a bit strange. 
All the updates > themselves can fail for one reason or another and the command can still > consider this a success (it may fail because a feature is not enabled, > for example). Still, the success message displayed at the end is a bit > jarring when the updates themselves aren't applied. Here is a snippet > when running ad.update live: > > ipa : INFO New entry: uid=adtrust,cn=notfound,cn=etc,dc=greyoak,dc=com > ipa : DEBUG --------------------------------------------- > ipa : DEBUG dn: uid=adtrust,cn=notfound,cn=etc,dc=greyoak,dc=com > ipa : DEBUG add: 'account' to objectClass, current value [] > ipa : DEBUG add: updated value [u'account'] > ipa : DEBUG --------------------------------------------- > ipa : DEBUG dn: uid=adtrust,cn=notfound,cn=etc,dc=greyoak,dc=com > ipa : DEBUG objectClass: > ipa : DEBUG account > ipa : DEBUG add: 'adtrust' to uid, current value [] > ipa : DEBUG add: updated value [u'adtrust'] > ipa : DEBUG --------------------------------------------- > ipa : DEBUG dn: uid=adtrust,cn=notfound,cn=etc,dc=greyoak,dc=com > ipa : DEBUG objectClass: > ipa : DEBUG account > ipa : DEBUG uid: > ipa : DEBUG adtrust > ipa : DEBUG --------------------------------------------- > ipa : DEBUG Final value > ipa : DEBUG dn: uid=adtrust,cn=notfound,cn=etc,dc=greyoak,dc=com > ipa : DEBUG objectClass: > ipa : DEBUG account > ipa : DEBUG uid: > ipa : DEBUG adtrust > ipa : INFO Parent DN of uid=adtrust,cn=notfound,cn=etc,dc=greyoak,dc=com > may not exist, cannot create the entry > ipa : INFO The ipa-ldap-updater command was successful > [root at pinto freeipa]# echo $? > 0 > > This may be contrasting just because it is a contrived case. The command > rval is separate from whether the updates all applied, so maybe this is ok. The current ipa-ldap-updater also works this way, so this should go in a separate ticket. I worry that changing the return value could make installations fail, for example. > rob Thanks for the review! -- Petr³
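The main()/run_cli split and the error handling discussed in this message, as an added illustration that is not the patch's own admintool code: a hypothetical AdminTool base class whose C-style main(argv) returns the exit status, a run_cli() shortcut that exits with it, a ScriptError carrying its own return value, and an LDAPUpdater stand-in that validates its update files before running and uses status 2 for the test-mode "changes to be made" case shown in the review. The class names, the option set and the demo() helper (which creates a temporary update file) are assumptions of this example, not FreeIPA's API.

```python
import argparse
import logging
import os
import sys
import tempfile


class ScriptError(Exception):
    """An error that carries the exit status the tool should return with."""

    def __init__(self, msg, rval=1):
        Exception.__init__(self, msg)
        self.rval = rval


class AdminTool(object):
    """Hypothetical base class: parse options -> select tool -> validate ->
    set up logging -> run -> handle errors -> log success/failure."""

    command_name = "admintool"
    usage = "%(prog)s [options] FILE..."

    def __init__(self, options):
        self.options = options
        self.log = logging.getLogger(self.command_name)

    @classmethod
    def add_options(cls, parser):
        parser.add_argument("-t", "--test", action="store_true",
                            help="report what would change without changing it")
        parser.add_argument("files", nargs="*", help="update files to apply")

    @classmethod
    def get_command_class(cls, options):
        """Hook for scripts that are really two tools (e.g. with/without --upgrade)."""
        return cls

    @classmethod
    def main(cls, argv):
        """argv is the full list, argv[0] included; the return value is the exit status."""
        parser = argparse.ArgumentParser(prog=os.path.basename(argv[0]), usage=cls.usage)
        cls.add_options(parser)
        options = parser.parse_args(argv[1:])
        return cls.get_command_class(options)(options).execute()

    @classmethod
    def run_cli(cls):
        """Entry point for the wrapper script: exit with main()'s status."""
        sys.exit(cls.main(sys.argv))

    def validate_options(self):
        pass

    def run(self):
        raise NotImplementedError

    def execute(self):
        logging.basicConfig(level=logging.INFO)  # a real tool also logs to a file
        try:
            self.validate_options()
            rval = self.run() or 0
        except ScriptError as e:
            self.log.error("%s", e)
            self.log.info("The %s command failed, exception: %s: %s",
                          self.command_name, type(e).__name__, e)
            return e.rval
        except Exception as e:  # anything unexpected: keep the traceback, fail with 1
            self.log.exception("The %s command failed, exception: %s: %s",
                               self.command_name, type(e).__name__, e)
            return 1
        self.log.info("The %s command was successful", self.command_name)
        return rval


class LDAPUpdater(AdminTool):
    """Stand-in for ipa-ldap-updater: checks the files before touching anything."""

    command_name = "ipa-ldap-updater"

    def validate_options(self):
        if not self.options.files:
            raise ScriptError("No update files given", 2)
        for path in self.options.files:
            if not os.path.isfile(path):
                raise ScriptError("Update file %s does not exist" % path, 2)

    def run(self):
        # The real tool parses and applies the update files here; this one only counts them.
        modified = len(self.options.files)
        if self.options.test:
            raise ScriptError("Update complete, changes to be made, test mode", 2)
        self.log.info("Applied %d update file(s)", modified)
        return 0


def demo():
    """Exercise three paths and return their exit statuses: missing file, test mode, live."""
    with tempfile.NamedTemporaryFile(suffix=".update") as f:
        missing = LDAPUpdater.main(["ipa-ldap-updater", "/nonexistent/ad.update"])
        test_mode = LDAPUpdater.main(["ipa-ldap-updater", "--test", f.name])
        live = LDAPUpdater.main(["ipa-ldap-updater", f.name])
    return missing, test_mode, live


if __name__ == "__main__":
    print(demo())  # (2, 2, 0)
```

A wrapper script would contain nothing but `LDAPUpdater.run_cli()`; calling `LDAPUpdater.main([...])` directly from another tool, as the message suggests for ipa-server-install, gives the caller the exit status without terminating the process.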
From pviktori at redhat.com Mon Jun 25 13:03:23 2012 
From: pviktori at redhat.com (Petr Viktorin) Date: Mon, 25 Jun 2012 15:03:23 +0200 Subject: [Freeipa-devel] [PATCH] 0056 Framework for admin/install tools, with ipa-ldap-updater In-Reply-To: <4FE86109.8030900@redhat.com> References: <4FCCCC8B.1030903@redhat.com> <4FDF38AC.1000508@redhat.com> <4FE1F73E.6000003@redhat.com> <4FE86109.8030900@redhat.com> Message-ID: <4FE8619B.5080608@redhat.com> On 06/25/2012 03:00 PM, Petr Viktorin wrote: > On 06/20/2012 06:15 PM, Rob Crittenden wrote: >> Petr Viktorin wrote: >>> On 06/04/2012 04:56 PM, Petr Viktorin wrote: >>>> Currently, FreeIPA's install/admin scripts are long pieces of code >>>> that aren't very reusable, importable, or testable. >>>> They have been extended over time with features such as logging and >>>> error handling, but since each tool was extended individually, there >>>> is much inconsistency and code duplication. >>>> This patch starts a framework which the admin tools can use, and >>>> converts ipa-ldap-updater to use the framework. >>>> >>>> In an earlier patch I found that improving a particular >>>> functionality in >>>> all the commands is not workable, so I want to tackle this one tool >>>> at a >>>> time. >>>> I'm starting with ipa-ldap-updater, because it's pretty small, doesn't >>>> use DNs (I don't want conflicts with John's work), and has the >>>> interesting --upgrade option. >>>> >>>> >>>> The framework does these tasks: >>>> - Parse options >>>> - Select tool to run (see below) >>>> - Validate options >>>> - Set up logging >>>> - Run the tool code >>>> - Handle any errors >>>> - Log success/failure >>>> >>>> The base class has some defaults for these that the tools can >>>> extend/override. >>>> >>>> >>>> To handle the case where one script does two different things >>>> (ipa-ldap-updater with/without --upgrade, or ipa-server-install >>>> with/without --uninstall), I want to split the tool in two classes >>>> rather than have repeated ifs in the code. 
>>>> This meant that option parsing (and initializing the parser) has to be >>>> done before creating an instance of the tool. I use a factory >>>> classmethod. >>>> >>>> >>>> I put the admintool base class in ipapython/ as it should be useful for >>>> ipa-client-install as well. >>>> >>>> >>>> >>>> First part of the work for: >>>> https://fedorahosted.org/freeipa/ticket/2652 >>>> >>>> >>> >>> Attaching rebased patch. >> >> I gather you want people to be calling run_cli() in their admin tools. >> Should main() be made private then? I could see someone getting confused >> and using main instead, which would work, but then the return value >> might not do the right thing. >> >> Or maybe just drop run_cli and have main exit with sys.exit()? > > I don't see why running a command as a Python function should be > discouraged. In fact it could even help -- for example logging could > only be set up once, so if we call, say, ipa-ldap-updater from > ipa-server-install, all related logs would go to a single file. > A C-style main (taking a list of arguments and returning the exit > status) is a good thing for modularity and testability. > The `run_cli` method is just a convenient shortcut for the usual usage, > so the calling modules can be as small as possible. > > If people get confused and call main instead of run_cli, they need to > manually pass in sys.argv. I think this is enough of a warning that > their assumptions aren't right. > To make it even clearer I've removed the possibility to pass None as > argv to main() and have it auto-filled. 
> > Some relevant reading: > http://www.artima.com/weblogs/viewpost.jsp?thread=4829 (old but still > valid) > http://en.wikipedia.org/wiki/Main_function#Python > >> It isn't correctly handling the case of an update not found: >> >> ipa : INFO Parsing file ad >> [Errno 2] No such file or directory: 'ad' >> ipa : INFO File >> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 151, in >> execute >> self.run() >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_ldap_updater.py", >> line >> 180, in run >> modified = ld.update(self.files) >> File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", >> line 828, in update >> sys.exit(1) >> >> ipa : INFO The ipa-ldap-updater command failed, exception: SystemExit: 1 > > I've added validation for missing files, and improved the error message > ldapupdate raises (for cases the validation doesn't catch, like passing > directories or unreadable files). > Ideally ldapupdate would not try to handle the error itself, but that > code is used in more places that I don't want to break, so I'm leaving > the extraneous print in. > >> Running in test mode with the attached update doesn't seem to work >> either. There is nothing special about this file, just something I had >> lying around: >> >> ipa : INFO File >> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 151, in >> execute >> self.run() >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_ldap_updater.py", >> line >> 184, in run >> 'Update complete, changes to be made, test mode', 2) >> >> ipa : INFO The ipa-ldap-updater command failed, exception: ScriptError: >> Update complete, changes to be made, test mode >> ipa : ERROR Update complete, changes to be made, test mode >> >> ipa : ERROR None > > Fixed. > >> The unit tests still pass which is good. >> >> With ipa-ldap-updater the return value is a bit strange. 
All the updates >> themselves can fail for one reason or another and the command can still >> consider this a success (it may fail because a feature is not enabled, >> for example). Still, the success message displayed at the end is a bit >> jarring when the updates themselves aren't applied. Here is a snippet >> when running ad.update live: >> >> ipa : INFO New entry: uid=adtrust,cn=notfound,cn=etc,dc=greyoak,dc=com >> ipa : DEBUG --------------------------------------------- >> ipa : DEBUG dn: uid=adtrust,cn=notfound,cn=etc,dc=greyoak,dc=com >> ipa : DEBUG add: 'account' to objectClass, current value [] >> ipa : DEBUG add: updated value [u'account'] >> ipa : DEBUG --------------------------------------------- >> ipa : DEBUG dn: uid=adtrust,cn=notfound,cn=etc,dc=greyoak,dc=com >> ipa : DEBUG objectClass: >> ipa : DEBUG account >> ipa : DEBUG add: 'adtrust' to uid, current value [] >> ipa : DEBUG add: updated value [u'adtrust'] >> ipa : DEBUG --------------------------------------------- >> ipa : DEBUG dn: uid=adtrust,cn=notfound,cn=etc,dc=greyoak,dc=com >> ipa : DEBUG objectClass: >> ipa : DEBUG account >> ipa : DEBUG uid: >> ipa : DEBUG adtrust >> ipa : DEBUG --------------------------------------------- >> ipa : DEBUG Final value >> ipa : DEBUG dn: uid=adtrust,cn=notfound,cn=etc,dc=greyoak,dc=com >> ipa : DEBUG objectClass: >> ipa : DEBUG account >> ipa : DEBUG uid: >> ipa : DEBUG adtrust >> ipa : INFO Parent DN of uid=adtrust,cn=notfound,cn=etc,dc=greyoak,dc=com >> may not exist, cannot create the entry >> ipa : INFO The ipa-ldap-updater command was successful >> [root at pinto freeipa]# echo $? >> 0 >> >> This may be contrasting just because it is a contrived case. The command >> rval is separate from whether the updates all applied, so maybe this >> is ok. > > The current ipa-ldap-updater also works this way, so this should go in a > separate ticket. > I worry that changing the return value could make installations fail, > for example. 
> >> rob > > > Thanks for the review! > Once again, this time with the patch. -- Petr³ -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0056-03-Framework-for-admin-install-tools-with-ipa-ldap-upda.patch Type: text/x-patch Size: 30668 bytes Desc: not available URL: From abokovoy at redhat.com Mon Jun 25 13:07:55 2012
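The design argued for in the message above (a C-style main(argv) that returns the exit status, run_cli() as the thin sys.exit wrapper, and a factory classmethod that picks the tool class once the options are parsed), as an added Python sketch. This is not the ipapython.admintool code from the attached patch: the class names (AdminTool, LDAPUpdater, LDAPUpdaterFiles, LDAPUpdaterUpgrade), the option set, and the file-based stand-in for ldapupdate are assumptions chosen to mirror the behaviour discussed in the review (missing-file validation, exit status 2 in test mode).

```python
"""Added sketch of the main()/run_cli() split; names are assumptions."""
import argparse
import logging
import os
import sys


class ScriptError(Exception):
    """An error that carries the exit status the tool should return."""

    def __init__(self, msg, rval=1):
        Exception.__init__(self, msg)
        self.rval = rval


class AdminTool(object):
    """Base class: parse options, select the tool class, validate,
    run, handle errors, log success or failure."""

    command_name = 'admintool'
    log = logging.getLogger('ipa')

    @classmethod
    def make_parser(cls):
        parser = argparse.ArgumentParser(prog=cls.command_name)
        parser.add_argument('-d', '--debug', action='store_true')
        return parser

    @classmethod
    def get_command_class(cls, options):
        """Factory hook: options are parsed before the tool is instantiated,
        so a script with two modes can map each mode to its own class."""
        return cls

    @classmethod
    def main(cls, argv):
        """C-style entry point: argv in, exit status out. Nothing is read
        from sys.argv here, so the tool stays importable and testable."""
        options = cls.make_parser().parse_args(argv[1:])
        command_class = cls.get_command_class(options)
        return command_class(options).execute()

    @classmethod
    def run_cli(cls):
        """Shortcut for the launcher script: exit with main()'s status."""
        sys.exit(cls.main(sys.argv))

    def __init__(self, options):
        self.options = options

    def validate_options(self):
        pass

    def run(self):
        raise NotImplementedError

    def execute(self):
        self.log.setLevel(logging.DEBUG if self.options.debug else logging.INFO)
        try:
            self.validate_options()
            self.run()
        except ScriptError as e:
            self.log.error('%s', e)
            self.log.info('The %s command failed, exception: %s: %s',
                          self.command_name, type(e).__name__, e)
            return e.rval
        except Exception:
            self.log.exception('The %s command failed', self.command_name)
            return 1
        self.log.info('The %s command was successful', self.command_name)
        return 0


class LDAPUpdater(AdminTool):
    command_name = 'ipa-ldap-updater'

    @classmethod
    def make_parser(cls):
        parser = super(LDAPUpdater, cls).make_parser()
        parser.add_argument('--upgrade', action='store_true')
        parser.add_argument('--test', action='store_true')
        parser.add_argument('files', nargs='*')
        return parser

    @classmethod
    def get_command_class(cls, options):
        # Two behaviours, two classes: no repeated "if upgrade" inside run()
        return LDAPUpdaterUpgrade if options.upgrade else LDAPUpdaterFiles


class LDAPUpdaterFiles(LDAPUpdater):
    """Apply the update files named on the command line."""

    def validate_options(self):
        # Reject missing files up front instead of failing deep in the run
        for path in self.options.files:
            if not os.path.isfile(path):
                raise ScriptError('Update file %r does not exist' % path)

    def run(self):
        # Stand-in for ldapupdate: every non-blank line counts as a change
        changes = 0
        for path in self.options.files:
            with open(path) as f:
                changes += sum(1 for line in f if line.strip())
        if self.options.test and changes:
            # Test mode reports "changes would be made" via exit status 2
            raise ScriptError('Update complete, changes to be made, test mode', 2)


class LDAPUpdaterUpgrade(LDAPUpdater):
    """--upgrade mode: no update files are accepted."""

    def validate_options(self):
        if self.options.files:
            raise ScriptError('--upgrade takes no update files', 2)

    def run(self):
        self.log.info('Upgrade step (simulated)')


if __name__ == '__main__':
    LDAPUpdater.run_cli()
```

Because main() takes argv and returns an int, a test can call LDAPUpdater.main([...]) and check the status without touching sys.argv or catching SystemExit, and the launcher script shrinks to LDAPUpdater.run_cli().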
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 25 Jun 2012 16:07:55 +0300 Subject: [Freeipa-devel] [PATCH] External group membership for trusted domains In-Reply-To: <20120625105914.GX29454@localhost.localdomain> References: <20120621152602.GA28689@redhat.com> <20120625105914.GX29454@localhost.localdomain> Message-ID: <20120625130652.GC5935@redhat.com> On Mon, 25 Jun 2012, Sumit Bose wrote: >Hi Alexander, > >On Thu, Jun 21, 2012 at 06:26:02PM +0300, Alexander Bokovoy wrote: >> Hi! >> >> Attached is the patch to support external group membership for trusted >> domains. This is needed to get proper group membership with the work >> Sumit and Jan are doing on both IPA and SSSD sides. >> >> We already have ipaExternalGroup class that includes ipaExternalMember >> attribute (multivalued case-insensitive string). The group that has >> ipaExternalGroup object class will have to be non-POSIX and >> ipaExternalMember >> attribute will contain security identifiers (SIDs) of members from >> trusted domains. >> >> The patch takes care of three things: >> 1. Extends 'ipa group-add' with --external option to add >> ipaExternalGroup object class to a new group >> 2. Modifies 'ipa group-add-member' to accept --external CSV argument >> to specify SIDs >> 3. Modifies 'ipa group-del-member' to allow removing external members. >thank you for the patch, it works as expected, but I have a few >comments: > >- there is a trailing whitespace at the end of the "This means we can't > check the correctness of a trusted domain SIDs" line >- when using ipa group-add-member with --external there are still prompts > for [member user] and [member group], can those be suppressed? >- with ipa group-mod --posix it is possible to add the posixGroup > objectclass together with a GID to the external group object. This > should result in an error and also the other way round, adding > --external to Posix groups. Updated patch is attached. It fixes whitespace and group-mod.
-- / Alexander Bokovoy -------------- next part -------------- >From 5139d2c76ff339ca916a600a32618eb146489d54 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Wed, 20 Jun 2012 16:08:33 +0300 Subject: [PATCH 1/2] Add support for external group members When using ipaExternalGroup/ipaExternalMember attributes it is possible to add group members which don't exist in IPA database. This is primarily is required for AD trusts support and therefore validation is accepting only secure identifier (SID) format. https://fedorahosted.org/freeipa/ticket/2664 --- API.txt | 12 +++-- ipalib/errors.py | 50 +++++++++++++++++++++ ipalib/plugins/baseldap.py | 18 ++++++-- ipalib/plugins/group.py | 106 +++++++++++++++++++++++++++++++++++++++++--- ipalib/plugins/trust.py | 4 ++ ipaserver/dcerpc.py | 93 ++++++++++++++++++++++++++++++++++---- 6 files changed, 262 insertions(+), 21 deletions(-) diff --git a/API.txt b/API.txt index 8127b90b91415d165590845f0ba1b6d94dab28aa..6e993cc9412a354cb882e8f5cc2bd3caede53100 100644 --- a/API.txt +++ b/API.txt 
@@ -1196,13 +1196,14 @@ output: Output('total', , None) output: Output('count', , None) output: Output('summary', (, ), None) command: group_add -args: 1,8,3 +args: 1,9,3 arg: Str('cn', attribute=True, cli_name='group_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, required=True) option: Str('description', attribute=True, cli_name='desc', multivalue=False, required=True) option: Int('gidnumber', attribute=True, cli_name='gid', minvalue=1, multivalue=False, required=False) option: Str('setattr*', cli_name='setattr', exclude='webui') option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('nonposix', autofill=True, cli_name='nonposix', default=False) +option: Flag('external', autofill=True, cli_name='external', default=False) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('version?', exclude='webui') @@ -1210,8 +1211,9 @@ output: Output('summary', (, ), None) output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('value', , None) command: group_add_member -args: 1,5,3 +args: 1,6,3 arg: Str('cn', attribute=True, cli_name='group_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=True) +option: Str('ipaexternalmember*', cli_name='external', csv=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('version?', exclude='webui') 
@@ -1265,7 +1267,7 @@ output: ListOfEntries('result', (, ), Gettext('A list output: Output('count', , None) output: Output('truncated', , None) command: group_mod -args: 1,11,3 +args: 1,12,3 arg: Str('cn', attribute=True, cli_name='group_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=True) option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, required=False) option: Int('gidnumber', attribute=True, autofill=False, cli_name='gid', minvalue=1, multivalue=False, required=False) @@ -1274,6 +1276,7 @@ option: Str('addattr*', cli_name='addattr', exclude='webui') option: Str('delattr*', cli_name='delattr', exclude='webui') option: Flag('rights', autofill=True, default=False) option: Flag('posix', autofill=True, cli_name='posix', default=False) +option: Flag('external', autofill=True, cli_name='external', default=False) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('version?', exclude='webui') @@ -1282,8 +1285,9 @@ output: Output('summary', (, ), None) output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('value', , None) command: group_remove_member -args: 1,5,3 +args: 1,6,3 arg: Str('cn', attribute=True, cli_name='group_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=True) +option: Str('ipaexternalmember*', cli_name='external', csv=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('version?', exclude='webui') 
diff --git a/ipalib/errors.py b/ipalib/errors.py index 407d9f7dbcf79c47193a3087fe6efbc50728c903..c25560b8e9270a65feb5d9866f6dcc99e39675ef 100644 --- a/ipalib/errors.py +++ b/ipalib/errors.py @@ -1277,6 +1277,56 @@ class SingleMatchExpected(ExecutionError): format = _('The search criteria was not specific enough. Expected 1 and found %(found)d.') +class AlreadyExternalGroup(ExecutionError): + """ + **4028** Raised when a group is already an external member group + + For example: + + >>> raise AlreadyExternalGroup + Traceback (most recent call last): + ... + AlreadyExternalGroup: This group already allows external members + + """ + + errno = 4028 + format = _('This group already allows external members') + +class ExternalGroupViolation(ExecutionError): + """ + **4029** Raised when a group is already an external member group + and an attempt is made to use it as posix group + + For example: + + >>> raise ExternalGroupViolation + Traceback (most recent call last): + ... + ExternalGroupViolation: This group cannot be posix because it is external + + """ + + errno = 4029 + format = _('This group cannot be posix because it is external') + +class PosixGroupViolation(ExecutionError): + """ + **4030** Raised when a group is already a posix group + and cannot be converted to external + + For example: + + >>> raise PosixGroupViolation + Traceback (most recent call last): + ... + PosixGroupViolation: This is already a posix group and cannot be converted to external one + + """ + + errno = 4030 + format = _('This is already a posix group and cannot be converted to external one') + class BuiltinError(ExecutionError): """ **4100** Base class for builtin execution errors (*4100 - 4199*). diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 475222a6a30863bcc536e1746bf5b338a4e42448..a1c8c2fbafec979c36978e04e752e8a20066e949 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py 
@@ -362,6 +362,9 @@ def add_external_post_callback(memberattr, membertype, externalattr, ldap, compl externalattr is one of externaluser, """ completed_external = 0 + normalize = True + if 'external_callback_normalize' in options: + normalize = options['external_callback_normalize'] # Sift through the failures. We assume that these are all # entries that aren't stored in IPA, aka external entries. if memberattr in failed and membertype in failed[memberattr]: @@ -373,9 +376,13 @@ def add_external_post_callback(memberattr, membertype, externalattr, ldap, compl membername = entry[0].lower() member_dn = api.Object[membertype].get_dn(membername) if membername not in external_entries and \ - member_dn not in members: + entry[0] not in external_entries and \ + member_dn not in members: # Not an IPA entry, assume external - external_entries.append(membername) + if normalize: + external_entries.append(membername) + else: + external_entries.append(entry[0]) completed_external += 1 elif membername in external_entries and \ member_dn not in members: @@ -409,8 +416,11 @@ def remove_external_post_callback(memberattr, membertype, externalattr, ldap, co completed_external = 0 for entry in failed[memberattr][membertype]: membername = entry[0].lower() - if membername in external_entries: - external_entries.remove(membername) + if membername in external_entries or entry[0] in external_entries: + try: + external_entries.remove(membername) + except ValueError: + external_entries.remove(entry[0]) completed_external += 1 else: failed_entries.append(membername) diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py index 65657363a463fb0ccb07133c9c84e17b15ffee42..7e0719376ad9120ff662ba4cfb832ad6e7da71e7 100644 --- a/ipalib/plugins/group.py +++ b/ipalib/plugins/group.py 
@@ -22,6 +22,12 @@ from ipalib import api from ipalib import Int, Str from ipalib.plugins.baseldap import * from ipalib import _, ngettext +if api.env.in_server and api.env.context in ['lite', 'server']: + try: + import ipaserver.dcerpc + _dcerpc_bindings_installed = True + except Exception, e: + _dcerpc_bindings_installed = False __doc__ = _(""" Groups of users @@ -83,19 +89,18 @@ class group(LDAPObject): object_name_plural = _('groups') object_class = ['ipausergroup'] object_class_config = 'ipagroupobjectclasses' - possible_objectclasses = ['posixGroup', 'mepManagedEntry'] + possible_objectclasses = ['posixGroup', 'mepManagedEntry', 'ipaExternalGroup'] search_attributes_config = 'ipagroupsearchfields' default_attributes = [ 'cn', 'description', 'gidnumber', 'member', 'memberof', - 'memberindirect', 'memberofindirect', + 'memberindirect', 'memberofindirect', 'ipaexternalmember', ] uuid_attribute = 'ipauniqueid' attribute_members = { 'member': ['user', 'group'], 'memberof': ['group', 'netgroup', 'role', 'hbacrule', 'sudorule'], 'memberindirect': ['user', 'group'], - 'memberofindirect': ['group', 'netgroup', 'role', 'hbacrule', - 'sudorule'], + 'memberofindirect': ['group', 'netgroup', 'role', 'hbacrule', 'sudorule'], } rdn_is_primary_key = True @@ -139,10 +144,19 @@ class group_add(LDAPCreate): doc=_('Create as a non-POSIX group'), default=False, ), + Flag('external', + cli_name='external', + doc=_('Allow adding external non-IPA members from trusted domains'), + default=False, + ), ) def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): - if not options['nonposix']: + if 'external' in options: + entry_attrs['objectclass'].append('ipaexternalgroup') + if 'gidnumber' in options: + raise errors.RequirementError(name='gid') + elif not 'nonposix' in options: entry_attrs['objectclass'].append('posixgroup') if not 'gidnumber' in options: entry_attrs['gidnumber'] = 999 
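Review bot: (group.py hunk @@ -22,6 +22,12 @@) `_dcerpc_bindings_installed` is only bound inside the `if api.env.in_server and api.env.context in ['lite', 'server']:` block, so any code that reads it in another context gets a NameError instead of the intended "Samba 4 support not installed" error. Set `_dcerpc_bindings_installed = False` before the `if`, and narrow `except Exception, e:` to `except ImportError:` (the `e` is unused), so a real bug in ipaserver.dcerpc is not silently reported as "bindings not installed".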
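Review bot: (group.py hunk @@ -139,10 +144,19 @@) `if 'external' in options:` in `group_add.pre_callback` is always true: `external` is a Flag with `autofill=True` (the API.txt hunk shows `Flag('external', autofill=True, cli_name='external', default=False)`), so the framework fills the key in with False whenever the option is not given, and every new group would receive `ipaexternalgroup` while the `elif` is never reached. The same applies to `elif not 'nonposix' in options:`, which replaced a working `if not options['nonposix']:`. Test the values instead: `if options['external']:` / `elif not options['nonposix']:`. Separately, `errors.RequirementError(name='gid')` is the wrong error when a GID *was* supplied for an external group; a ValidationError stating that `--gid` cannot be combined with `--external` would say what actually went wrong.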
@@ -194,11 +208,18 @@ class group_mod(LDAPUpdate): cli_name='posix', doc=_('change to a POSIX group'), ), + Flag('external', + cli_name='external', + doc=_('change to support external non-IPA members from trusted domains'), + default=False, + ), ) def pre_callback(self, ldap, dn, entry_attrs, *keys, **options): if options['posix'] or 'gidnumber' in options: (dn, old_entry_attrs) = ldap.get_entry(dn, ['objectclass']) + if 'ipaexternalgroup' in old_entry_attrs['objectclass']: + raise errors.ExternalGroupViolation() if 'posixgroup' in old_entry_attrs['objectclass']: if options['posix']: raise errors.AlreadyPosixGroup() @@ -207,6 +228,15 @@ class group_mod(LDAPUpdate): entry_attrs['objectclass'] = old_entry_attrs['objectclass'] if not 'gidnumber' in options: entry_attrs['gidnumber'] = 999 + if options['external'] in options: + (dn, old_entry_attrs) = ldap.get_entry(dn, ['objectclass']) + if 'posixgroup' in old_entry_attrs['objectclass']: + raise errors.PosixGroupViolation() + if 'ipaexternalgroup' in old_entry_attrs['objectclass']: + raise errors.AlreadyExternalGroup() + else: + old_entry_attrs['objectclass'].append('ipaexternalgroup') + entry_attrs['objectclass'] = old_entry_attrs['objectclass'] # Can't check for this in a validator because we lack context if 'gidnumber' in options and options['gidnumber'] is None: raise errors.RequirementError(name='gid') 
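Review bot: (group.py hunk @@ -207,6 +228,15 @@) `if options['external'] in options:` in `group_mod.pre_callback` asks whether the boolean value of the flag is a key of the options dict, which it never is, so the whole external-conversion branch is dead code; it should read `if options['external']:`. Once it runs, note that `ldap.get_entry(dn, ['objectclass'])` is fetched a second time when `--posix` or `--gidnumber` was also given, and that `--posix --external` on a plain group passes both blocks (the first only raises `ExternalGroupViolation` if the group is already external, the second only raises `PosixGroupViolation` if it is already posix), ending with both object classes on the entry. A single `if options['posix'] and options['external']: raise errors.ValidationError(...)` before either block covers Sumit's "also the other way round" request.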
@@ -274,12 +304,64 @@ api.register(group_show) class group_add_member(LDAPAddMember): __doc__ = _('Add members to a group.') + takes_options = ( + Str('ipaexternalmember*', + cli_name='external', + label=_('External member'), + doc=_('comma-separated SIDs of members of a trusted domain'), + csv=True, + flags=['no_create', 'no_update', 'no_search'], + ), + ) + + def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options): + result = (completed, dn) + if 'ipaexternalmember' in options: + if not _dcerpc_bindings_installed: + raise errors.NotFound(name=_('AD Trust'), + reason=_('''Cannot perform external member validation without Samba 4 support installed. + Make sure you have installed server-trust-ad sub-package of IPA on the server''')) + domain_validator = ipaserver.dcerpc.DomainValidator(self.api) + if not domain_validator.is_configured(): + raise errors.NotFound(name=_('AD Trust setup'), + reason=_('''Cannot perform join operation without own domain configured. 
+ Make sure you have run ipa-adtrust-install on the IPA server first''')) + sids = [] + failed_sids = [] + for sid in options['ipaexternalmember']: + if domain_validator.is_trusted_sid_valid(sid): + sids.append(sid) + else: + failed_sids.append((sid, 'Not a trusted domain SID')) + if len(sids) == 0: + raise errors.ValidationError(name=_('external member'), + error=_('values are not recognized as valid SIDs from trusted domain')) + restore = [] + if 'member' in failed and 'group' in failed['member']: + restore = failed['member']['group'] + failed['member']['group'] = list((id,id) for id in sids) + result = add_external_post_callback('member', 'group', 'ipaexternalmember', + ldap, completed, failed, dn, entry_attrs, + keys, options, external_callback_normalize=False) + failed['member']['group'] = restore + failed_sids + return result + api.register(group_add_member) class group_remove_member(LDAPRemoveMember): __doc__ = _('Remove members from a group.') + takes_options = ( + Str('ipaexternalmember*', + cli_name='external', + label=_('External member'), + doc=_('comma-separated SIDs of members of a trusted domain'), + csv=True, + flags=['no_create', 'no_update', 'no_search'], + ), + ) + def pre_callback(self, ldap, dn, found, not_found, *keys, **options): if keys[0] == protected_group_name: result = api.Command.group_show(protected_group_name) 
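Review bot: (group.py hunk @@ -274,12 +304,64 @@) raising `ValidationError` from `group_add_member.post_callback` when none of the SIDs validate discards an operation that has already partly succeeded: `post_callback` runs after the member update (the `completed` count it receives is the number of regular members already written), so the caller sees a failure for a change that was made. Report every rejected SID through `failed` instead (the `failed_sids` list already does this) and return `result`. Also, `failed['member']['group'] = list((id,id) for id in sids)` is executed unconditionally even though the `restore` lookup just above guards against `'member'`/`'group'` being absent from `failed`; either the guard is unnecessary or the assignment needs it too. Smaller points: `'Not a trusted domain SID'` is the one message not wrapped in `_()`, the triple-quoted `_('''Cannot perform ... Make sure ...''')` strings carry the source indentation of the continuation line into the user-visible text (and the same string reappears in the trust.py hunk), and `id` in the generator shadows the builtin.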
@@ -290,6 +372,20 @@ class group_remove_member(LDAPRemoveMember): label=_(u'group'), container=protected_group_name) return dn + def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options): + result = (completed, dn) + if 'ipaexternalmember' in options: + sids = options['ipaexternalmember'] + restore = list() + if 'member' in failed and 'group' in failed['member']: + restore = failed['member']['group'] + failed['member']['group'] = list((id,id) for id in sids) + result = remove_external_post_callback('member', 'group', 'ipaexternalmember', + ldap, completed, failed, dn, entry_attrs, + keys, options) + failed['member']['group'] = restore + return result + api.register(group_remove_member) diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index 2fd949cd24145a28ebbe909543914b56027e1d45..b313b30d9b16911adea3c607dbff7e5fe30bda1f 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py @@ -154,6 +154,10 @@ class trust_add_ad(LDAPCreate): realm_server = options['realm_server'] trustinstance = ipaserver.dcerpc.TrustDomainJoins(self.api) + if not trustinstance.configured: + raise errors.NotFound(name=_('AD Trust setup'), + reason=_('''Cannot perform join operation without own domain configured. + Make sure you have run ipa-adtrust-install on the IPA server first''')) # 1. Full access to the remote domain. Use admin credentials and # generate random trustdom password to do work on both sides diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index 3bc8b63af3f416cc45cb75c76fd7b9587f367e3e..07e40c2d35b41a2665232f3e6d853b47aef707bb 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py 
@@ -58,6 +58,79 @@ class ExtendedDNControl(_ldap.controls.RequestControl): def encodeControlValue(self): return '0\x03\x02\x01\x01' +class DomainValidator(object): + ATTR_FLATNAME = 'ipantflatname' + ATTR_SID = 'ipantsecurityidentifier' + ATTR_TRUSTED_SID = 'ipanttrusteddomainsid' + + def __init__(self, api): + self.api = api + self.ldap = self.api.Backend.ldap2 + self.domain = None + self.flatname = None + self.dn = None + self.sid = None + self._domains = None + + def is_configured(self): + cn_trust_local = DN(('cn', self.api.env.domain), self.api.env.container_cifsdomains, self.api.env.basedn) + try: + (dn, entry_attrs) = self.ldap.get_entry(unicode(cn_trust_local), [self.ATTR_FLATNAME, self.ATTR_SID]) + self.flatname = entry_attrs[self.ATTR_FLATNAME][0] + self.sid = entry_attrs[self.ATTR_SID][0] + self.dn = dn + self.domain = self.api.env.domain + except errors.NotFound, e: + return False + return True + + def get_trusted_domains(self): + cn_trust = DN(('cn', 'ad'), self.api.env.container_trusts, self.api.env.basedn) + try: + search_kw = {'objectClass': 'ipaNTTrustedDomain'} + filter = self.ldap.make_filter(search_kw, rules=self.ldap.MATCH_ALL) + (entries, truncated) = self.ldap.find_entries(filter=filter, base_dn=unicode(cn_trust), + attrs_list=[self.ATTR_TRUSTED_SID, 'dn']) + + return entries + except errors.NotFound, e: + return [] + + def is_trusted_sid_valid(self, sid): + if not self.domain: + # our domain is not configured or self.is_configured() never run + # reject SIDs as we can't check correctness of them + return False + # Parse sid string to see if it is really in a SID format + try: + test_sid = security.dom_sid(sid) + except TypeError: + return False + (dom, sid_rid) = test_sid.split() + sid_dom = str(dom) + # Now we have domain prefix of the sid as sid_dom string and can + # analyze it against known prefixes + if sid_dom.find(security.SID_NT_AUTHORITY) != 0: + # Ignore any potential SIDs that are not S-1-5-* + return False + if 
sid_dom.find(self.sid) == 0: + # A SID from our own domain cannot be treated as trusted domain's SID + return False + # At this point we have SID_NT_AUTHORITY family SID and really need to + # check it against prefixes of domain SIDs we trust to + if not self._domains: + self._domains = self.get_trusted_domains() + if len(self._domains) == 0: + # Our domain is configured but no trusted domains are configured + # This means we can't check the correctness of a trusted domain SIDs + return False + # We have non-zero list of trusted domains and have to go through them + # one by one and check their sids as prefixes + for (dn, domaininfo) in self._domains: + if sid_dom.find(domaininfo[self.ATTR_TRUSTED_SID][0]) == 0: + return True + return False + class TrustDomainInstance(object): def __init__(self, hostname, creds=None): @@ -247,20 +320,18 @@ class TrustDomainInstance(object): self._pipe.CreateTrustedDomainEx2(self._policy_handle, info, self.auth_info, security.SEC_STD_DELETE) class TrustDomainJoins(object): - ATTR_FLATNAME = 'ipantflatname' - def __init__(self, api): self.api = api self.local_domain = None self.remote_domain = None - self.ldap = self.api.Backend.ldap2 - cn_trust_local = DN(('cn', self.api.env.domain), self.api.env.container_cifsdomains, self.api.env.basedn) - (dn, entry_attrs) = self.ldap.get_entry(unicode(cn_trust_local), [self.ATTR_FLATNAME]) - self.local_flatname = entry_attrs[self.ATTR_FLATNAME][0] - self.local_dn = dn + domain_validator = DomainValidator(api) + self.configured = domain_validator.is_configured() - self.__populate_local_domain() + if self.configured: + self.local_flatname = domain_validator.flatname + self.local_dn = domain_validator.dn + self.__populate_local_domain() def __populate_local_domain(self): # Initialize local domain info using kerberos only 
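Review bot: (dcerpc.py hunk @@ -58,6 +58,79 @@) the trusted-domain test in `is_trusted_sid_valid` is a string-prefix match, `sid_dom.find(domaininfo[self.ATTR_TRUSTED_SID][0]) == 0`, where an exact comparison is needed: `sid_dom` is already the complete domain part returned by `test_sid.split()`, so a SID whose domain text merely begins with a trusted domain's SID text (S-1-5-21-1-2-34 against trusted S-1-5-21-1-2-3) would be accepted as a member from that domain. The own-domain rejection `sid_dom.find(self.sid) == 0` and the `security.SID_NT_AUTHORITY` family check have the same looseness (S-1-5 is a text prefix of S-1-51). Compare `dom` with `security.dom_sid(trusted_sid)` for equality and test the parsed authority rather than the string. Smaller: only `TypeError` is caught from `security.dom_sid(sid)`, so it is worth confirming that a malformed string cannot raise anything else, `filter` shadows the builtin, and `e` in the two `except errors.NotFound, e:` clauses is unused.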
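Review bot: (dcerpc.py hunk @@ -247,20 +320,18 @@) when `is_configured()` returns False, `TrustDomainJoins.__init__` returns normally with `local_flatname` and `local_dn` never assigned and `local_domain` left at None, so any caller that does not check `.configured` first fails with an AttributeError from inside a join rather than a clear message. Since the only caller in this patch raises `NotFound` immediately after construction anyway, raising from `__init__` would put the check in one place; at minimum initialize the two attributes to None next to `self.local_domain = None`.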
@@ -308,6 +379,9 @@ class TrustDomainJoins(object): self.remote_domain = rd def join_ad_full_credentials(self, realm, realm_server, realm_admin, realm_passwd): + if not self.configured: + return None + self.__populate_remote_domain(realm, realm_server, realm_admin, realm_passwd) if not self.remote_domain.read_only: trustdom_pass = samba.generate_random_password(128, 128) @@ -317,6 +391,9 @@ class TrustDomainJoins(object): return None def join_ad_ipa_half(self, realm, realm_server, trustdom_passwd): + if not self.configured: + return None + self.__populate_remote_domain(realm, realm_server, realm_passwd=None) self.local_domain.establish_trust(self.remote_domain, trustdom_passwd) return dict(local=self.local_domain, remote=self.remote_domain) -- 1.7.10.4 From abokovoy at redhat.com Mon Jun 25 13:50:45 2012 
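Review bot: (errors.py hunk @@ -1277,6 +1277,56 @@) the `ExternalGroupViolation` docstring opens with the same sentence as `AlreadyExternalGroup` ("Raised when a group is already an external member group"); the part that distinguishes it is on the second line, so lead with that ("Raised when an external member group is used as a POSIX group"). The `PosixGroupViolation` message reads better as "This is already a POSIX group and cannot be converted to an external one", and the same POSIX spelling applies to the `ExternalGroupViolation` text.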
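Review bot: (baseldap.py hunk @@ -373,9 +376,13 @@) with `external_callback_normalize=False` the entry is stored as `entry[0]` (case preserved), but the `elif membername in external_entries and member_dn not in members:` branch that follows still tests only the lower-cased `membername`. Adding the same SID a second time therefore skips the first `if` (because `entry[0]` is now in `external_entries`), misses the `elif` as well, and is handled by neither branch, so it is not reported as an existing member. Mirror the first condition: `elif (membername in external_entries or entry[0] in external_entries) and member_dn not in members:`. A small helper that returns the stored form of a name would also replace the `try: external_entries.remove(membername) except ValueError: external_entries.remove(entry[0])` in the @@ -409 hunk.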
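Review bot: (group.py hunk @@ -290,6 +372,20 @@) `group_remove_member.post_callback` repeats the save/overwrite/restore dance on `failed['member']['group']` from `group_add_member.post_callback` almost line for line, and has the same unconditional `failed['member']['group'] = list((id,id) for id in sids)` after a guarded `restore` lookup. A shared helper taking the SID list and the `add_external_post_callback`/`remove_external_post_callback` function would keep the two in step when one of them is fixed.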
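Review bot: (trust.py hunk @@ -154,6 +154,10 @@) the "Cannot perform join operation without own domain configured ... Make sure you have run ipa-adtrust-install" message is copied verbatim from `group_add_member`, indentation included. Since `TrustDomainJoins.__init__` now runs `DomainValidator.is_configured()` itself, the check and the error text belong in one place (raise from `__init__` or from `DomainValidator`, or add a dedicated class next to the new ones in errors.py) instead of every caller re-testing `.configured`.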
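Review bot: (dcerpc.py hunks @@ -308,6 +379,9 @@ and @@ -317,6 +391,9 @@) `return None` for the not-configured case is indistinguishable from the existing failure path of `join_ad_full_credentials`, which also ends in `return None` (visible in the context lines just before `def join_ad_ipa_half`), so a caller cannot tell "ipa-adtrust-install was never run" from "the join failed". Raise a specific error here, or let `__init__` refuse to construct an unconfigured instance, rather than returning a sentinel that is already taken.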
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 25 Jun 2012 16:50:45 +0300 Subject: [Freeipa-devel] [PATCH] 160,161 Trust Web UI In-Reply-To: <1340627916.32038.445.camel@willson.li.ssimo.org> References: <4FE472E0.6060903@redhat.com> <20120622164842.GD28689@redhat.com> <4FE50373.6020607@redhat.com> <4FE840B7.1010108@redhat.com> <1340627916.32038.445.camel@willson.li.ssimo.org> Message-ID: <20120625135045.GD5935@redhat.com> On Mon, 25 Jun 2012, Simo Sorce wrote: >On Mon, 2012-06-25 at 12:43 +0200, Petr Vobornik wrote: >> On 06/23/2012 01:44 AM, Endi Sukma Dewata wrote: >> > On 6/22/2012 11:48 AM, Alexander Bokovoy wrote: >> >> 2. First two chunks of install/ui/test/data/ipa_init_commands.json and >> >> install/ui/test/data/ipa_init_objects.json changes look unrelated to >> >> this ticket. >> > >> > These files are snapshots of metadata used for demo/testing. I suppose >> > Petr was updating the entire files which automatically includes recent >> > changes to the metadata. >> > >> >> ACK >> > >> > Ditto. The UI code looks fine so it can be pushed. Btw, nice use of >> > layout class. >> > >> > Some comments: >> > >> > 1. The CLI command to add trust is trust-add-ad. Should the UI button >> > also say "Add AD"? If we later support additional trust types would that >> > appear as separate buttons/dialogs or same button/dialog with maybe >> > drop-down list to select the type? >> "Add AD" label seems weird to me. Now we support only one type of trust. >> We should keep the 'Add'. > >I have to say I also find the trust-add-ad command really weird, >difficult to use and to spell vocally and to remember. > >Alexander can we change it to trust-add --type=ad >where we can omit --type=ad for now as it is the only one, later on we >can decide what to default to when --type is omitted. Patch attached (not tested). -- / Alexander Bokovoy -------------- next part -------------- >From 7fa1ec9125608d0cc97259e1f2eee80c546011bb Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy Date: Mon, 25 Jun 2012 16:41:52 +0300 Subject: [PATCH 3/3] Rename 'ipa trust-add-ad' to 'ipa trust-add --type=ad' --- API.txt | 5 +++-- ipalib/plugins/trust.py | 23 +++++++++++++++++++---- 2 files changed, 22 insertions(+), 6 deletions(-) diff --git a/API.txt b/API.txt index 6e993cc9412a354cb882e8f5cc2bd3caede53100..97aef49a6ff6b6f92d82ff286f49879c7b5504f3 100644 --- a/API.txt +++ b/API.txt @@ -3089,9 +3089,10 @@ option: Str('version?', exclude='webui') output: Output('summary', (, ), None) output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('value', , None) -command: trust_add_ad -args: 1,7,3 +command: trust_add +args: 1,8,3 arg: Str('cn', attribute=True, cli_name='realm', multivalue=False, primary_key=True, required=True) +option: StrEnum('trust_type', autofill=True, cli_name='type', default=u'ad', values=(u'ad',)) option: Str('realm_admin?', cli_name='admin') option: Password('realm_passwd?', cli_name='password', confirm=False) option: Str('realm_server?', cli_name='server') diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index 1f2eae584bd45bb62a1ff4740af98dcafb3489ae..2dbd06f1154994a7c61ef979ad9d542b8b1144a1 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py @@ -18,7 +18,7 @@ # along with this program. If not, see . from ipalib.plugins.baseldap import * -from ipalib import api, Str, Password, DefaultFrom, _, ngettext, Object +from ipalib import api, Str, StrEnum, Password, DefaultFrom, _, ngettext, Object from ipalib.parameters import Enum from ipalib import Command from ipalib import errors 
@@ -112,10 +112,17 @@ def make_trust_dn(env, trust_type, dn): return unicode(DN(DN(dn)[0], container_dn)) return dn -class trust_add_ad(LDAPCreate): - __doc__ = _('Add new trust to use against Active Directory domain.') +class trust_add(LDAPCreate): + __doc__ = _('Add new trust to use') takes_options = ( + StrEnum('trust_type', + cli_name='type', + label=_('Trust type (ad for Active Directory, default)'), + values=(u'ad',), + default=u'ad', + autofill=True, + ), Str('realm_admin?', cli_name='admin', label=_("Active Directory domain administrator"), @@ -140,6 +147,14 @@ class trust_add_ad(LDAPCreate): msg_summary = _('Added Active Directory trust for realm "%(value)s"') def execute(self, *keys, **options): + if 'trust_type' in options: + if options['trust_type'] == u'ad': + self.execute_ad(keys, options) + else: + raise errors.ValidationError(name=_('trust type'), error=_('only "ad" is supported')) + raise errors.RequirementError(name=_('trust type')) + + def execute_ad(self, *keys, **options): # Join domain using full credentials and with random trustdom # secret (will be generated by the join method) trustinstance = None @@ -250,7 +265,7 @@ class trust_show(LDAPRetrieve): return dn api.register(trust) -api.register(trust_add_ad) +api.register(trust_add) api.register(trust_mod) api.register(trust_del) api.register(trust_find) -- 1.7.10.4 From abokovoy at redhat.com Mon Jun 25 14:37:31 2012 
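Review bot: (trust.py hunk @@ -140,6 +147,14 @@) `self.execute_ad(keys, options)` passes the tuple and the dict as two positional arguments to a `*keys, **options` method instead of unpacking them (`self.execute_ad(*keys, **options)`), and its return value is thrown away; control then always reaches `raise errors.RequirementError(name=_('trust type'))`, so even a successful join is reported as an error. That raise is also unreachable as a missing-option guard, because `trust_type` is declared with `autofill=True` and `default=u'ad'` (API.txt hunk) and is therefore always present. `return self.execute_ad(*keys, **options)` inside the `if`, with the RequirementError dropped, is what the method needs. The new `__doc__ = _('Add new trust to use')` in the @@ -112 hunk is also a cut-down sentence; "Add a new trust." reads as intended.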
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 25 Jun 2012 17:37:31 +0300 Subject: [Freeipa-devel] [PATCH] 160,161 Trust Web UI In-Reply-To: <20120625135045.GD5935@redhat.com> References: <4FE472E0.6060903@redhat.com> <20120622164842.GD28689@redhat.com> <4FE50373.6020607@redhat.com> <4FE840B7.1010108@redhat.com> <1340627916.32038.445.camel@willson.li.ssimo.org> <20120625135045.GD5935@redhat.com> Message-ID: <20120625143730.GE5935@redhat.com> On Mon, 25 Jun 2012, Alexander Bokovoy wrote: >On Mon, 25 Jun 2012, Simo Sorce wrote: >>On Mon, 2012-06-25 at 12:43 +0200, Petr Vobornik wrote: >>>On 06/23/2012 01:44 AM, Endi Sukma Dewata wrote: >>>> On 6/22/2012 11:48 AM, Alexander Bokovoy wrote: >>>>> 2. First two chunks of install/ui/test/data/ipa_init_commands.json and >>>>> install/ui/test/data/ipa_init_objects.json changes look unrelated to >>>>> this ticket. >>>> >>>> These files are snapshots of metadata used for demo/testing. I suppose >>>> Petr was updating the entire files which automatically includes recent >>>> changes to the metadata. >>>> >>>>> ACK >>>> >>>> Ditto. The UI code looks fine so it can be pushed. Btw, nice use of >>>> layout class. >>>> >>>> Some comments: >>>> >>>> 1. The CLI command to add trust is trust-add-ad. Should the UI button >>>> also say "Add AD"? If we later support additional trust types would that >>>> appear as separate buttons/dialogs or same button/dialog with maybe >>>> drop-down list to select the type? >>>"Add AD" label seems weird to me. Now we support only one type of trust. >>>We should keep the 'Add'. >> >>I have to say I also find the trust-add-ad command really weird, >>difficult to use and to spell vocally and to remember. >> >>Alexander can we change it to trust-add --type=ad >>where we can omit --type=ad for now as it is the only one, later on we >>can decide what to default to when --type is omitted. >Patch attached (not tested). Attached is the tested patch.
-- / Alexander Bokovoy -------------- next part -------------- >From 498a7542014fdc42e71be252939ffb447bdc2069 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Mon, 25 Jun 2012 16:41:52 +0300 Subject: [PATCH 3/3] Rename 'ipa trust-add-ad' to 'ipa trust-add --type=ad' --- API.txt | 5 +++-- ipalib/plugins/trust.py | 26 ++++++++++++++++++++++---- 2 files changed, 25 insertions(+), 6 deletions(-) diff --git a/API.txt b/API.txt index 6e993cc9412a354cb882e8f5cc2bd3caede53100..97aef49a6ff6b6f92d82ff286f49879c7b5504f3 100644 --- a/API.txt +++ b/API.txt @@ -3089,9 +3089,10 @@ option: Str('version?', exclude='webui') output: Output('summary', (, ), None) output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('value', , None) -command: trust_add_ad -args: 1,7,3 +command: trust_add +args: 1,8,3 arg: Str('cn', attribute=True, cli_name='realm', multivalue=False, primary_key=True, required=True) +option: StrEnum('trust_type', autofill=True, cli_name='type', default=u'ad', values=(u'ad',)) option: Str('realm_admin?', cli_name='admin') option: Password('realm_passwd?', cli_name='password', confirm=False) option: Str('realm_server?', cli_name='server') diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index 1f2eae584bd45bb62a1ff4740af98dcafb3489ae..40bd93e654c0365ad202abfd82e84345583459dd 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py @@ -18,7 +18,7 @@ # along with this program. If not, see . from ipalib.plugins.baseldap import * -from ipalib import api, Str, Password, DefaultFrom, _, ngettext, Object +from ipalib import api, Str, StrEnum, Password, DefaultFrom, _, ngettext, Object from ipalib.parameters import Enum from ipalib import Command from ipalib import errors 
@@ -112,10 +112,17 @@ def make_trust_dn(env, trust_type, dn): return unicode(DN(DN(dn)[0], container_dn)) return dn -class trust_add_ad(LDAPCreate): - __doc__ = _('Add new trust to use against Active Directory domain.') +class trust_add(LDAPCreate): + __doc__ = _('Add new trust to use') takes_options = ( + StrEnum('trust_type', + cli_name='type', + label=_('Trust type (ad for Active Directory, default)'), + values=(u'ad',), + default=u'ad', + autofill=True, + ), Str('realm_admin?', cli_name='admin', label=_("Active Directory domain administrator"), @@ -140,6 +147,16 @@ class trust_add_ad(LDAPCreate): msg_summary = _('Added Active Directory trust for realm "%(value)s"') def execute(self, *keys, **options): + if 'trust_type' in options: + if options['trust_type'] == u'ad': + result = self.execute_ad(*keys, **options) + else: + raise errors.ValidationError(name=_('trust type'), error=_('only "ad" is supported')) + else: + raise errors.RequirementError(name=_('trust type')) + return result + + def execute_ad(self, *keys, **options): # Join domain using full credentials and with random trustdom # secret (will be generated by the join method) trustinstance = None @@ -181,6 +198,7 @@ class trust_add_ad(LDAPCreate): if 'trust_secret' in options: result = trustinstance.join_ad_ipa_half(keys[-1], realm_server, options['trust_secret']) return dict(result=dict(), value=trustinstance.remote_domain.info['dns_domain']) + raise errors.ValidationError(name=_('AD Trust setup'), reason=_('Not enough arguments specified to perform trust setup')) class trust_del(LDAPDelete): __doc__ = _('Delete a trust.') @@ -250,7 +268,7 @@ class trust_show(LDAPRetrieve): return dn api.register(trust) -api.register(trust_add_ad) +api.register(trust_add) api.register(trust_mod) api.register(trust_del) api.register(trust_find) -- 1.7.10.4 From pvoborni at redhat.com Mon Jun 25 14:52:03 2012 
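Review bot: In the class hunk, __doc__ = _('Add new trust to use') reads as a sentence cut short (the old text was 'Add new trust to use against Active Directory domain.'); since this string is the command's help text, a complete sentence such as 'Add new trust.' or one that mentions the --type option would serve users better. msg_summary still says 'Added Active Directory trust', which is fine while 'ad' is the only value but will need to follow the type once more are added.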
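Review bot: In the execute() hunk, the else-branch errors.ValidationError(name=_('trust type'), error=_('only "ad" is supported')) cannot be reached by a value supplied on the CLI or over the API: the StrEnum option with values=(u'ad',) rejects anything else before execute() runs, which is exactly why the thread later sees "invalid 'type': must be one of (u'ad',)" rather than this message. With default=u'ad' and autofill=True the RequirementError branch is likewise never taken. Both are acceptable as defensive code, but a one-line comment saying so would stop a reader from expecting the friendlier text to appear, and the user-visible message has to come from the parameter's own validation.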
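Review bot: In the @@ -181,6 +198,7 @@ hunk, the new raise errors.ValidationError(name=_('AD Trust setup'), reason=_('Not enough arguments specified to perform trust setup')) uses the keyword reason=, whereas the call added in the execute() hunk uses error=. Only one of these can match the keyword the ValidationError class formats into its message; if reason= is the wrong one, the error path itself fails when trust-add is called with too few arguments. Make both calls use the same keyword, and consider a test that calls trust-add without credentials to exercise this path.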
From: pvoborni at redhat.com (Petr Vobornik) Date: Mon, 25 Jun 2012 16:52:03 +0200 Subject: [Freeipa-devel] [PATCH] 160,161 Trust Web UI In-Reply-To: <20120625143730.GE5935@redhat.com> References: <4FE472E0.6060903@redhat.com> <20120622164842.GD28689@redhat.com> <4FE50373.6020607@redhat.com> <4FE840B7.1010108@redhat.com> <1340627916.32038.445.camel@willson.li.ssimo.org> <20120625135045.GD5935@redhat.com> <20120625143730.GE5935@redhat.com> Message-ID: <4FE87B13.4000806@redhat.com> On 06/25/2012 04:37 PM, Alexander Bokovoy wrote: > On Mon, 25 Jun 2012, Alexander Bokovoy wrote: >> On Mon, 25 Jun 2012, Simo Sorce wrote: >>> On Mon, 2012-06-25 at 12:43 +0200, Petr Vobornik wrote: >>>> On 06/23/2012 01:44 AM, Endi Sukma Dewata wrote: >>>>> On 6/22/2012 11:48 AM, Alexander Bokovoy wrote: >>>>>> 2. First two chunks of install/ui/test/data/ipa_init_commands.json >>>>>> and >>>>>> install/ui/test/data/ipa_init_objects.json changes look unrelated to >>>>>> this ticket. >>>>> >>>>> These files are snapshots of metadata used for demo/testing. I suppose >>>>> Petr was updating the entire files which automatically includes recent >>>>> changes to the metadata. >>>>> >>>>>> ACK >>>>> >>>>> Ditto. The UI code looks fine so it can be pushed. Btw, nice use of >>>>> layout class. >>>>> >>>>> Some comments: >>>>> >>>>> 1. The CLI command to add trust is trust-add-ad. Should the UI button >>>>> also say "Add AD"? If we later support additional trust types would >>>>> that >>>>> appear as separate buttons/dialogs or same button/dialog with maybe >>>>> drop-down list to select the type? >>>> "Add AD" label seems weird to me. Now we support only one type of >>>> trust. >>>> We should keep the 'Add'. >>> >>> I have to say I also find the trust-add-ad command really weird, >>> difficult to use and to spell vaocally and to remember. 
>>> >>> Alexander can we change it to trust-add --type=ad >>> where we can omit --type=ad for now as it is the only one, later on we >>> can decide what to default to when --type is omitted. >> Patch attached (not tested). > Attached is tested patch. > Attached updated UI patch. -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0161-2-Trust-Web-UI.patch Type: text/x-patch Size: 54076 bytes Desc: not available URL: From pviktori at redhat.com Mon Jun 25 14:59:47 2012 
From: pviktori at redhat.com (Petr Viktorin) Date: Mon, 25 Jun 2012 16:59:47 +0200 Subject: [Freeipa-devel] [PATCH] 26 Fix '--random' param behaviour for host plugin In-Reply-To: <4FE1EFA5.4090602@redhat.com> References: <4FDA097D.4030601@redhat.com> <4FDA4AF7.1050102@redhat.com> <1339738614.12383.5.camel@priserak> <4FE1EFA5.4090602@redhat.com> Message-ID: <4FE87CE3.9020706@redhat.com> On 06/20/2012 05:43 PM, Ondrej Hamada wrote: > On 06/15/2012 07:36 AM, Martin Kosek wrote: >> On Thu, 2012-06-14 at 16:35 -0400, Rob Crittenden wrote: >>> Ondrej Hamada wrote: >>>> Improved options checking so that host-mod operation is not changing >>>> password for enrolled host when '--random' option is used. >>>> >>>> https://fedorahosted.org/freeipa/ticket/2799 >>>> >>>> Updated set of characters that is used for generating random passwords >>>> for ipa hosts. Following characters were removed from the set: '"`\$<> >>>> >>>> https://fedorahosted.org/freeipa/ticket/2800 >>> This works ok but it would be nice to have a test for both setting a >>> password and random on an enrolled host to prevent regressions. We have >>> some ipa-getkeytab tests already and these can be extended to test this >>> I think. >>> >>> Might be nice to mention in the inline comment the set of characters >>> excluded and why. >>> >>> rob >>> > I've added new test class into test_host_plugin.py that takes care of > that. Just there is a problem that the ipa-join command always fails on > 'adding key into keytab'. But the attributes necessary for testing are > set correctly, so the testing can continue. >> We already generate passwords for users with this character set: >> user_pwdchars = string.digits + string.ascii_letters + '_,. at +-=' >> >> Why would we want to generate passwords for host enrolling with a >> different set? Additionally, I think the set of characters you chose is >> too wide, try entering a passwords with ' ', !, (, ), &, or ; without >> careful escaping or quoting... 
>> >> Martin >> > Ok, I've used the same set of characters as for the user passwords. Should this set just be used for generated passwords by default? Possibly with slightly longer passwords so they aren't suddenly weaker. Anyway, the patch works great here. I just have a few style issues: > > freeipa-ohamada-26-2-Change-random-passwords-behaviour.patch > > > From bc19f44023643ff726e6e36634fbcbcbd0859583 Mon Sep 17 00:00:00 2001 > From: Ondrej Hamada > Date: Mon, 18 Jun 2012 15:25:05 +0200 > Subject: [PATCH] Change random passwords behaviour > > Improved options checking so that host-mod operation is not changing > password for enrolled host when '--random' option is used. > > Unit tests added. > > https://fedorahosted.org/freeipa/ticket/2799 > > Updated set of characters that is used for generating random passwords > for ipa hosts. All characters that might need escaping were removed. > > https://fedorahosted.org/freeipa/ticket/2800 > --- > ipalib/plugins/host.py | 11 ++++- > tests/test_xmlrpc/test_host_plugin.py | 75 ++++++++++++++++++++++++++++++++- > 2 files changed, 82 insertions(+), 4 deletions(-) > > diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py > index 96b73cc5594335ad02dd43f87e7e011ab84157a1..9680d7c024ea8976f92a71bf576d6712c44a2bcf 100644 > --- a/ipalib/plugins/host.py > +++ b/ipalib/plugins/host.py > @@ -24,6 +24,7 @@ import sys > from nss.error import NSPRError > import nss.nss as nss > import netaddr > +import string > > from ipalib import api, errors, util > from ipalib import Str, Flag, Bytes > @@ -99,6 +100,10 @@ EXAMPLES: > ipa host-add-managedby --hosts=test2 test > """) > > +# Characters to be used by random password generator > +# The set was chosen to avoid the need for escaping the characters by user > +host_pwd_chars=string.digits + string.ascii_letters + '_,. at +-=' > + > def remove_fwd_ptr(ipaddr, host, domain, recordtype): > api.log.debug('deleting ipaddr %s' % ipaddr) > try: 
> @@ -404,7 +409,7 @@ class host_add(LDAPCreate): > if 'krbprincipal' in entry_attrs['objectclass']: > entry_attrs['objectclass'].remove('krbprincipal') > if options.get('random'): > - entry_attrs['userpassword'] = ipa_generate_password() > + entry_attrs['userpassword'] = ipa_generate_password(characters=host_pwd_chars) > # save the password so it can be displayed in post_callback > setattr(context, 'randompassword', entry_attrs['userpassword']) > cert = options.get('usercertificate') > @@ -596,7 +601,7 @@ class host_mod(LDAPUpdate): > def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): > # Allow an existing OTP to be reset but don't allow a OTP to be > # added to an enrolled host. > - if 'userpassword' in options: > + if options.get('userpassword') or options.get('random'): > entry = {} > self.obj.get_password_attributes(ldap, dn, entry) > if not entry['has_password'] and entry['has_keytab']: > @@ -649,7 +654,7 @@ class host_mod(LDAPUpdate): > entry_attrs['usercertificate'] = cert > > if options.get('random'): > - entry_attrs['userpassword'] = ipa_generate_password() > + entry_attrs['userpassword'] = ipa_generate_password(characters=host_pwd_chars) > setattr(context, 'randompassword', entry_attrs['userpassword']) > if 'macaddress' in entry_attrs: > if 'objectclass' in entry_attrs: > diff --git a/tests/test_xmlrpc/test_host_plugin.py b/tests/test_xmlrpc/test_host_plugin.py > index 8798168afa71653b64870c77d11a7fa81ec4c952..fa1f2906f556af388499eac316c4b7c05c66ad85 100644 > --- a/tests/test_xmlrpc/test_host_plugin.py > +++ b/tests/test_xmlrpc/test_host_plugin.py 
> @@ -22,9 +22,13 @@ > Test the `ipalib.plugins.host` module. > """ > > +import os > +import tempfile > +from ipapython import ipautil > from ipalib import api, errors, x509 > from ipalib.dn import * > -from tests.test_xmlrpc.xmlrpc_test import Declarative, fuzzy_uuid, fuzzy_digits > +from tests.test_xmlrpc.xmlrpc_test import Declarative, XMLRPC_test > +from tests.test_xmlrpc.xmlrpc_test import fuzzy_uuid, fuzzy_digits > from tests.test_xmlrpc.xmlrpc_test import fuzzy_hash, fuzzy_date, fuzzy_issuer > from tests.test_xmlrpc.xmlrpc_test import fuzzy_hex To avoid the repetition you can put the imported names in parentheses: from tests.test_xmlrpc.xmlrpc_test import (Declarative, XMLRPC_test, fuzzy_uuid, fuzzy_digits, fuzzy_hash, fuzzy_date, fuzzy_issuer, fuzzy_hex) > from tests.test_xmlrpc import objectclasses 
> @@ -740,3 +744,72 @@ class test_host(Declarative): > ), > > ] > + > +class test_host_false_pwd_change(XMLRPC_test): > + > + fqdn1 = u'testhost1.%s' % api.env.domain > + short1 = u'testhost1' > + new_pass = u'pass_123' > + > + command = "ipa-client/ipa-join" > + [keytabfd, keytabname] = tempfile.mkstemp() > + os.close(keytabfd) > + > + # auxiliary function for checking whether the join operation has set > + # correct attributes > + def keytab_exists(self): > + ret = api.Command['host_show'](self.fqdn1,all=True) > + assert (ret['result']['has_keytab'] == True) > + assert (ret['result']['has_password'] == False) The parentheses around assert's argument are unnecessary. > + def test_a_join_host(self): > + """ > + Create a test host and join him into IPA. > + """ > + try: > + random_pass = api.Command['host_add'](self.fqdn1, random=True, force=True)['result']['randompassword'] > + except: > + # new host must be created with the random password > + assert (False) I don't see why you used a try/except block here. It's not good to hide the error that was raised. > + new_args = [self.command, > + "-s", api.env.host, > + "-h", self.fqdn1, > + "-k", self.keytabname, > + "-w", random_pass, > + "-q", > + ] > + try: > + # join operation may fail on 'adding key into keytab', but > + # the keytab is not necessary for further tests > + (out, err, rc) = ipautil.run(new_args, None) > + self.keytab_exists() > + except ipautil.CalledProcessError, e: > + self.keytab_exists() > + > + def test_b_try_password(self): > + """ > + Try to change the password of enrolled host with specified password > + """ > + try: > + api.Command['host_mod'](self.fqdn1,userpassword=self.new_pass) Add a space after the comma (here and below). > + assert (False) > + except errors.ValidationError: > + pass It's better to use nose's @raises decorator here. See for example test_hbac_plugin.py. 
> + def test_c_try_random(self): > + """ > + Try to change the password of enrolled host with random password > + """ > + try: > + api.Command['host_mod'](self.fqdn1,random=True) > + assert (False) > + except errors.ValidationError: > + pass > + > + def test_d_cleanup(self): > + """ > + Clean up test data > + """ > + os.unlink(self.keytabname) > + api.Command['host_del'](self.fqdn1) > -- 1.7.6.5 > > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel > -- Petr? From edewata at redhat.com Mon Jun 25 15:09:48 2012 
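Review bot: In the host_pwd_chars hunk, the comment "The set was chosen to avoid the need for escaping the characters by user" does not say which characters were left out or why, which is what was asked for earlier in the thread; naming the excluded characters (the commit message lists '"`\$<> for the first version) next to the definition makes the intent reviewable later. Style: host_pwd_chars=string.digits should have spaces around the =.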
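Review bot: In the host_add hunk, ipa_generate_password(characters=host_pwd_chars) keeps the default length while shrinking the alphabet, so each generated one-time password now carries fewer bits of entropy than before the change; as suggested above in this reply, pass a longer length alongside characters= (if ipa_generate_password takes a length argument) so the OTP does not become weaker as a side effect of the escaping fix. The same applies to the identical call in the host_mod hunk.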
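Review bot: In the host_mod pre_callback hunk, the guard changes from a presence check ('userpassword' in options) to a truthiness check (options.get('userpassword') or options.get('random')). The 'random' part is the intended fix, but the userpassword side now behaves differently when the option is supplied with an empty value: it used to enter the enrolled-host check and no longer does. If an empty userpassword is a valid way to clear the OTP, keep the presence test for it: if 'userpassword' in options or options.get('random'):.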
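Review bot: In the test_host_false_pwd_change hunk, except ipautil.CalledProcessError, e: swallows the join failure without logging or inspecting e, and the commit message says ipa-join currently always fails at 'adding key into keytab', so test_a_join_host passes regardless of how the join fails and a later regression in ipa-join would go unnoticed; at minimum record e (or assert on the specific expected failure) so the test documents what it tolerates. Two smaller points in the same hunk: tempfile.mkstemp() in the class body runs when the module is imported, so the temporary file is created even when the class is skipped and is only removed if test_d_cleanup runs; and the random password is passed on the ipa-join command line with -w, where it is visible in the process list for the duration of the join, which is acceptable in a test but deserves a comment.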
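The question raised in this reply, whether the narrower character set makes generated passwords weaker, can be answered with arithmetic: a password of L symbols drawn uniformly from an alphabet of N symbols carries L*log2(N) bits, so a smaller alphabet needs a slightly longer password to keep the same entropy. The following is an added example, not code from the patch or from FreeIPA. It uses the user-password set quoted in the thread (with the '@' restored; the list archive rewrites it as " at "), an assumed 94-character printable-ASCII set as the "wide" comparison, Python 3's secrets module in place of FreeIPA's own generator of the time, and shlex.quote to check that a generated value needs no shell quoting.

```python
import math
import secrets
import shlex
import string

# Character set quoted in the thread for FreeIPA user passwords (69 symbols).
HOST_PWD_CHARS = string.digits + string.ascii_letters + '_,.@+-='

# Assumed "wide" set used only for the comparison: every printable ASCII
# character except space (94 symbols). It is not a set taken from the patch.
WIDE_PWD_CHARS = ''.join(chr(c) for c in range(33, 127))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def length_for_entropy(alphabet_size: int, target_bits: float) -> int:
    """Smallest length over `alphabet_size` symbols that reaches `target_bits`."""
    # round() guards against ceil(12.000000000000002) == 13 when the target
    # was itself computed from the same alphabet.
    return math.ceil(round(target_bits / math.log2(alphabet_size), 9))


def compensated_length(old_chars: str, new_chars: str, old_length: int) -> int:
    """Length over new_chars that keeps the entropy old_length had over old_chars."""
    return length_for_entropy(len(new_chars), entropy_bits(len(old_chars), old_length))


def generate_password(length: int, characters: str = HOST_PWD_CHARS) -> str:
    """Uniform random password; secrets.choice uses the OS CSPRNG without modulo bias."""
    if length < 1:
        raise ValueError("length must be positive")
    if len(set(characters)) < 2:
        raise ValueError("alphabet must contain at least two distinct characters")
    return ''.join(secrets.choice(characters) for _ in range(length))


def needs_shell_quoting(value: str) -> bool:
    """True when the value could not be placed on a POSIX shell line verbatim."""
    return shlex.quote(value) != value


def report(length: int = 12) -> dict:
    """Summarise the entropy trade-off between the two alphabets at a given length."""
    needed = compensated_length(WIDE_PWD_CHARS, HOST_PWD_CHARS, length)
    return {
        'wide_bits': round(entropy_bits(len(WIDE_PWD_CHARS), length), 2),
        'narrow_bits_same_length': round(entropy_bits(len(HOST_PWD_CHARS), length), 2),
        'narrow_length_needed': needed,
        'narrow_bits_at_needed': round(entropy_bits(len(HOST_PWD_CHARS), needed), 2),
    }


if __name__ == '__main__':
    summary = report()
    print(summary)
    pw = generate_password(summary['narrow_length_needed'])
    print(pw, 'needs quoting:', needs_shell_quoting(pw))
    print('$ecret 1', 'needs quoting:', needs_shell_quoting('$ecret 1'))
```

Running it shows that 12 symbols from the wide set (about 78.7 bits) need 13 from the narrower set (about 79.4 bits) to match, and that every password from the narrower set passes the shlex.quote check while values containing '$' or a space do not. Shell-safe is not the same as option-safe: a value that happens to begin with '-' can still be parsed as an option by the receiving program, so pass it after '--' or as the argument of an option that takes a value.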
From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 25 Jun 2012 10:09:48 -0500 Subject: [Freeipa-devel] [PATCH] 159 Action panel for certificates In-Reply-To: <4FD73A99.9020300@redhat.com> References: <4FD73A99.9020300@redhat.com> Message-ID: <4FE87F3C.3010603@redhat.com> On 6/12/2012 7:48 AM, Petr Vobornik wrote: > This is a continuation of effort which transforms status widgets with > buttons executing actions to separate status widget and action panels. > This patch strips certificate status widget of its buttons and separates > the actions to their own objects. Appropriate modifications are taken in > host and service details facets. > > New certificate loader, facet policy and evaluator are introduced to > make actions and status widget independent. On facet load event new > certificate facet policy loads a certificate from result. Unfortunately > results don't contain revocation reason so it also executes additional > cert-show command to get the revocation reason. Policy store the > certifacete to facet. It raises the certifacet_loaded event to notify > certificate evaluator and status widget. Status widget updates its > state. Certificate evaluator updates state and actions get disabled or > enabled. > > https://fedorahosted.org/freeipa/ticket/2250 I'm testing using self-signed CA. When I open the host/service details page there's a JS error at certificate.js:928 (undefined status_revoked), so the page seems to hang and looks blank. In the old code the status_revoked panel will only be created if you use Dogtag CA (the IPA.cert.is_selfsign() will return false). This check might not be necessary anymore because you can just hide the panel. -- Endi S. Dewata From pvoborni at redhat.com Mon Jun 25 15:33:06 2012 
From: pvoborni at redhat.com (Petr Vobornik) Date: Mon, 25 Jun 2012 17:33:06 +0200 Subject: [Freeipa-devel] [PATCH] 160,161 Trust Web UI In-Reply-To: <4FE87B13.4000806@redhat.com> References: <4FE472E0.6060903@redhat.com> <20120622164842.GD28689@redhat.com> <4FE50373.6020607@redhat.com> <4FE840B7.1010108@redhat.com> <1340627916.32038.445.camel@willson.li.ssimo.org> <20120625135045.GD5935@redhat.com> <20120625143730.GE5935@redhat.com> <4FE87B13.4000806@redhat.com> Message-ID: <4FE884B2.7010101@redhat.com> On 06/25/2012 04:52 PM, Petr Vobornik wrote: > On 06/25/2012 04:37 PM, Alexander Bokovoy wrote: >> On Mon, 25 Jun 2012, Alexander Bokovoy wrote: >>> On Mon, 25 Jun 2012, Simo Sorce wrote: >>>> On Mon, 2012-06-25 at 12:43 +0200, Petr Vobornik wrote: >>>>> On 06/23/2012 01:44 AM, Endi Sukma Dewata wrote: >>>>>> On 6/22/2012 11:48 AM, Alexander Bokovoy wrote: >>>>>>> 2. First two chunks of install/ui/test/data/ipa_init_commands.json >>>>>>> and >>>>>>> install/ui/test/data/ipa_init_objects.json changes look unrelated to >>>>>>> this ticket. >>>>>> >>>>>> These files are snapshots of metadata used for demo/testing. I >>>>>> suppose >>>>>> Petr was updating the entire files which automatically includes >>>>>> recent >>>>>> changes to the metadata. >>>>>> >>>>>>> ACK >>>>>> >>>>>> Ditto. The UI code looks fine so it can be pushed. Btw, nice use of >>>>>> layout class. >>>>>> >>>>>> Some comments: >>>>>> >>>>>> 1. The CLI command to add trust is trust-add-ad. Should the UI button >>>>>> also say "Add AD"? If we later support additional trust types would >>>>>> that >>>>>> appear as separate buttons/dialogs or same button/dialog with maybe >>>>>> drop-down list to select the type? >>>>> "Add AD" label seems weird to me. Now we support only one type of >>>>> trust. >>>>> We should keep the 'Add'. >>>> >>>> I have to say I also find the trust-add-ad command really weird, >>>> difficult to use and to spell vaocally and to remember. 
>>>> >>>> Alexander can we change it to trust-add --type=ad >>>> where we can omit --type=ad for now as it is the only one, later on we >>>> can decide what to default to when --type is omitted. >>> Patch attached (not tested). >> Attached is tested patch. >> > > Attached updated UI patch. > > Previous patch didn't have updated testing .json files. Attaching corrected one. -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0161-3-Trust-Web-UI.patch Type: text/x-patch Size: 54629 bytes Desc: not available URL: From edewata at redhat.com Mon Jun 25 15:58:59 2012 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 25 Jun 2012 10:58:59 -0500 Subject: [Freeipa-devel] [PATCH] 160,161 Trust Web UI In-Reply-To: <4FE884B2.7010101@redhat.com> References: <4FE472E0.6060903@redhat.com> <20120622164842.GD28689@redhat.com> <4FE50373.6020607@redhat.com> <4FE840B7.1010108@redhat.com> <1340627916.32038.445.camel@willson.li.ssimo.org> <20120625135045.GD5935@redhat.com> <20120625143730.GE5935@redhat.com> <4FE87B13.4000806@redhat.com> <4FE884B2.7010101@redhat.com> Message-ID: <4FE88AC3.4060109@redhat.com> On 6/25/2012 10:33 AM, Petr Vobornik wrote: > On 06/25/2012 04:52 PM, Petr Vobornik wrote: >> On 06/25/2012 04:37 PM, Alexander Bokovoy wrote: >>> On Mon, 25 Jun 2012, Alexander Bokovoy wrote: >>>> On Mon, 25 Jun 2012, Simo Sorce wrote: >>>>> On Mon, 2012-06-25 at 12:43 +0200, Petr Vobornik wrote: >>>>>> On 06/23/2012 01:44 AM, Endi Sukma Dewata wrote: >>>>>>> On 6/22/2012 11:48 AM, Alexander Bokovoy wrote: >>>>>>>> 2. First two chunks of install/ui/test/data/ipa_init_commands.json >>>>>>>> and >>>>>>>> install/ui/test/data/ipa_init_objects.json changes look >>>>>>>> unrelated to >>>>>>>> this ticket. >>>>>>> >>>>>>> These files are snapshots of metadata used for demo/testing. I >>>>>>> suppose >>>>>>> Petr was updating the entire files which automatically includes >>>>>>> recent >>>>>>> changes to the metadata. >>>>>>> >>>>>>>> ACK >>>>>>> >>>>>>> Ditto. The UI code looks fine so it can be pushed. Btw, nice use of >>>>>>> layout class. >>>>>>> >>>>>>> Some comments: >>>>>>> >>>>>>> 1. The CLI command to add trust is trust-add-ad. Should the UI >>>>>>> button >>>>>>> also say "Add AD"? If we later support additional trust types would >>>>>>> that >>>>>>> appear as separate buttons/dialogs or same button/dialog with maybe >>>>>>> drop-down list to select the type? >>>>>> "Add AD" label seems weird to me. Now we support only one type of >>>>>> trust. >>>>>> We should keep the 'Add'. 
>>>>> >>>>> I have to say I also find the trust-add-ad command really weird, >>>>> difficult to use and to spell vaocally and to remember. >>>>> >>>>> Alexander can we change it to trust-add --type=ad >>>>> where we can omit --type=ad for now as it is the only one, later on we >>>>> can decide what to default to when --type is omitted. >>>> Patch attached (not tested). >>> Attached is tested patch. ACK abbra-53 & abbra-54. One thing though, the error message is not very user friendly. Feel free to fix before push. % ipa trust-add ad.test --type=asdf ipa: ERROR: invalid 'type': must be one of (u'ad',) The ValidationError specifies this message 'only "ad" is supported' but it doesn't appear in the error message above. >> Attached updated UI patch. ACK pvoborni-161-2. One thing also, the test data files would need to be updated because of the command rename. Feel free to fix before push. -- Endi S. Dewata From abokovoy at redhat.com Mon Jun 25 16:18:05 2012 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 25 Jun 2012 19:18:05 +0300 Subject: [Freeipa-devel] [PATCH] 160,161 Trust Web UI In-Reply-To: <4FE88AC3.4060109@redhat.com> References: <4FE472E0.6060903@redhat.com> <20120622164842.GD28689@redhat.com> <4FE50373.6020607@redhat.com> <4FE840B7.1010108@redhat.com> <1340627916.32038.445.camel@willson.li.ssimo.org> <20120625135045.GD5935@redhat.com> <20120625143730.GE5935@redhat.com> <4FE87B13.4000806@redhat.com> <4FE884B2.7010101@redhat.com> <4FE88AC3.4060109@redhat.com> Message-ID: <20120625161805.GG5935@redhat.com> On Mon, 25 Jun 2012, Endi Sukma Dewata wrote: >On 6/25/2012 10:33 AM, Petr Vobornik wrote: >>On 06/25/2012 04:52 PM, Petr Vobornik wrote: >>>On 06/25/2012 04:37 PM, Alexander Bokovoy wrote: >>>>On Mon, 25 Jun 2012, Alexander Bokovoy wrote: >>>>>On Mon, 25 Jun 2012, Simo Sorce wrote: >>>>>>On Mon, 2012-06-25 at 12:43 +0200, Petr Vobornik wrote: >>>>>>>On 06/23/2012 01:44 AM, Endi Sukma Dewata wrote: >>>>>>>>On 6/22/2012 11:48 AM, Alexander Bokovoy wrote: >>>>>>>>>2. First two chunks of install/ui/test/data/ipa_init_commands.json >>>>>>>>>and >>>>>>>>>install/ui/test/data/ipa_init_objects.json changes look >>>>>>>>>unrelated to >>>>>>>>>this ticket. >>>>>>>> >>>>>>>>These files are snapshots of metadata used for demo/testing. I >>>>>>>>suppose >>>>>>>>Petr was updating the entire files which automatically includes >>>>>>>>recent >>>>>>>>changes to the metadata. >>>>>>>> >>>>>>>>>ACK >>>>>>>> >>>>>>>>Ditto. The UI code looks fine so it can be pushed. Btw, nice use of >>>>>>>>layout class. >>>>>>>> >>>>>>>>Some comments: >>>>>>>> >>>>>>>>1. The CLI command to add trust is trust-add-ad. Should the UI >>>>>>>>button >>>>>>>>also say "Add AD"? If we later support additional trust types would >>>>>>>>that >>>>>>>>appear as separate buttons/dialogs or same button/dialog with maybe >>>>>>>>drop-down list to select the type? >>>>>>>"Add AD" label seems weird to me. 
Now we support only one type of >>>>>>>trust. >>>>>>>We should keep the 'Add'. >>>>>> >>>>>>I have to say I also find the trust-add-ad command really weird, >>>>>>difficult to use and to spell vaocally and to remember. >>>>>> >>>>>>Alexander can we change it to trust-add --type=ad >>>>>>where we can omit --type=ad for now as it is the only one, later on we >>>>>>can decide what to default to when --type is omitted. >>>>>Patch attached (not tested). >>>>Attached is tested patch. > >ACK abbra-53 & abbra-54. One thing though, the error message is not >very user friendly. Feel free to fix before push. > > % ipa trust-add ad.test --type=asdf > ipa: ERROR: invalid 'type': must be one of (u'ad',) > >The ValidationError specifies this message 'only "ad" is supported' >but it doesn't appear in the error message above. The message above comes from StrEnum() validator which is common one for all StrEnum()s. I made a ValidationError in execute() method to catch up any discrepancies when other types of trust will be added as Python doesn't have 'case/switch' so you are left alone with 'if' or list-based lambdas which don't look so clear. What we probably want to add is more friendly way to display these StrEnum values, dropping u'' and simply showing proper unicode as we do for help already. Endi, could you please file a minor bug for it? -- / Alexander Bokovoy From mkosek at redhat.com Mon Jun 25 16:22:19 2012 
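An added sketch, not ipalib code, of the validate-then-dispatch ordering described in this exchange: the enum check runs on the parameter before execute() is reached, so the message a user sees comes from the parameter validator and can list the permitted values plainly (the friendlier display asked for here), while execute() dispatches on the already-validated value through a dict rather than an if chain. ValidationError, check_enum, HANDLERS, execute_ad and error_message are names assumed for the illustration; execute_ad only records what it was called with, because the real AD join is out of scope.

```python
from typing import Callable, Dict, Optional, Tuple


class ValidationError(Exception):
    """Assumed stand-in for ipalib's errors.ValidationError: "invalid '<name>': <error>"."""

    def __init__(self, name: str, error: str) -> None:
        super().__init__("invalid '%s': %s" % (name, error))
        self.name = name
        self.error = error


def check_enum(cli_name: str, value: Optional[str], values: Tuple[str, ...],
               default: Optional[str] = None) -> str:
    """Parameter-level check, the stage a StrEnum performs before execute().

    The message lists the permitted values as plain text ("must be one of: ad")
    instead of a tuple repr such as (u'ad',).
    """
    if value is None:
        if default is None:
            raise ValidationError(cli_name, 'is required')
        return default  # autofill behaviour: the default stands in for an omitted option
    if value not in values:
        raise ValidationError(cli_name, 'must be one of: %s' % ', '.join(values))
    return value


TRUST_TYPES: Tuple[str, ...] = ('ad',)


def execute_ad(realm: str, **options) -> dict:
    """Assumed handler; the real one would perform the AD join. It only reports
    what it received so the dispatch can be checked."""
    return {'value': realm, 'result': {'trusttype': 'ad', 'options': sorted(options)}}


# Dispatch table: one handler per supported trust type. Adding a type means
# adding a value to TRUST_TYPES and an entry here, not another if/elif branch.
HANDLERS: Dict[str, Callable[..., dict]] = {'ad': execute_ad}


def missing_handlers() -> Tuple[str, ...]:
    """Types the enum accepts but nothing handles; non-empty means a programming error."""
    return tuple(t for t in TRUST_TYPES if t not in HANDLERS)


def trust_add(realm: str, trust_type: Optional[str] = None, **options) -> dict:
    """trust-add [--type=...]: validate first, then dispatch on the validated value."""
    chosen = check_enum('type', trust_type, TRUST_TYPES, default='ad')
    handler = HANDLERS.get(chosen)
    if handler is None:
        # Reachable only if TRUST_TYPES and HANDLERS drift apart.
        raise ValidationError('type', 'no handler registered for %s' % chosen)
    return handler(realm, **options)


def error_message(realm: str, trust_type: Optional[str]) -> Optional[str]:
    """The validation message trust_add would raise for trust_type, or None if it succeeds."""
    try:
        trust_add(realm, trust_type=trust_type)
    except ValidationError as e:
        return str(e)
    return None


if __name__ == '__main__':
    print(trust_add('ad.test', realm_admin='Administrator'))
    print('ipa: ERROR:', error_message('ad.test', 'asdf'))
```

Because the check sits on the parameter, execute() never sees an unsupported value, which is why a second ValidationError inside execute() cannot change what the user reads; the plain-text listing in check_enum is where that text has to be improved.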
From: mkosek at redhat.com (Martin Kosek) Date: Mon, 25 Jun 2012 18:22:19 +0200 Subject: [Freeipa-devel] [PATCH] 160,161 Trust Web UI In-Reply-To: <20120625161805.GG5935@redhat.com> References: <4FE472E0.6060903@redhat.com> <20120622164842.GD28689@redhat.com> <4FE50373.6020607@redhat.com> <4FE840B7.1010108@redhat.com> <1340627916.32038.445.camel@willson.li.ssimo.org> <20120625135045.GD5935@redhat.com> <20120625143730.GE5935@redhat.com> <4FE87B13.4000806@redhat.com> <4FE884B2.7010101@redhat.com> <4FE88AC3.4060109@redhat.com> <20120625161805.GG5935@redhat.com> Message-ID: <4FE8903B.7070109@redhat.com> On 06/25/2012 06:18 PM, Alexander Bokovoy wrote: > On Mon, 25 Jun 2012, Endi Sukma Dewata wrote: >> On 6/25/2012 10:33 AM, Petr Vobornik wrote: >>> On 06/25/2012 04:52 PM, Petr Vobornik wrote: >>>> On 06/25/2012 04:37 PM, Alexander Bokovoy wrote: >>>>> On Mon, 25 Jun 2012, Alexander Bokovoy wrote: >>>>>> On Mon, 25 Jun 2012, Simo Sorce wrote: >>>>>>> On Mon, 2012-06-25 at 12:43 +0200, Petr Vobornik wrote: >>>>>>>> On 06/23/2012 01:44 AM, Endi Sukma Dewata wrote: >>>>>>>>> On 6/22/2012 11:48 AM, Alexander Bokovoy wrote: >>>>>>>>>> 2. First two chunks of >>>>>>>>>> install/ui/test/data/ipa_init_commands.json >>>>>>>>>> and >>>>>>>>>> install/ui/test/data/ipa_init_objects.json changes look >>>>>>>>>> unrelated to >>>>>>>>>> this ticket. >>>>>>>>> >>>>>>>>> These files are snapshots of metadata used for demo/testing. I >>>>>>>>> suppose >>>>>>>>> Petr was updating the entire files which automatically includes >>>>>>>>> recent >>>>>>>>> changes to the metadata. >>>>>>>>> >>>>>>>>>> ACK >>>>>>>>> >>>>>>>>> Ditto. The UI code looks fine so it can be pushed. Btw, nice >>>>>>>>> use of >>>>>>>>> layout class. >>>>>>>>> >>>>>>>>> Some comments: >>>>>>>>> >>>>>>>>> 1. The CLI command to add trust is trust-add-ad. Should the UI >>>>>>>>> button >>>>>>>>> also say "Add AD"? 
If we later support additional trust types >>>>>>>>> would >>>>>>>>> that >>>>>>>>> appear as separate buttons/dialogs or same button/dialog with >>>>>>>>> maybe >>>>>>>>> drop-down list to select the type? >>>>>>>> "Add AD" label seems weird to me. Now we support only one type of >>>>>>>> trust. >>>>>>>> We should keep the 'Add'. >>>>>>> >>>>>>> I have to say I also find the trust-add-ad command really weird, >>>>>>> difficult to use and to spell vaocally and to remember. >>>>>>> >>>>>>> Alexander can we change it to trust-add --type=ad >>>>>>> where we can omit --type=ad for now as it is the only one, later >>>>>>> on we >>>>>>> can decide what to default to when --type is omitted. >>>>>> Patch attached (not tested). >>>>> Attached is tested patch. >> >> ACK abbra-53 & abbra-54. One thing though, the error message is not >> very user friendly. Feel free to fix before push. >> >> % ipa trust-add ad.test --type=asdf >> ipa: ERROR: invalid 'type': must be one of (u'ad',) >> >> The ValidationError specifies this message 'only "ad" is supported' >> but it doesn't appear in the error message above. > The message above comes from StrEnum() validator which is common one for > all StrEnum()s. I made a ValidationError in execute() method to catch up > any discrepancies when other types of trust will be added as Python > doesn't have 'case/switch' so you are left alone with 'if' or list-based > lambdas which don't look so clear. > > What we probably want to add is more friendly way to display these > StrEnum values, dropping u'' and simply showing proper unicode as we do > for help already. > > Endi, could you please file a minor bug for it? 
> Since this will be filed in a separate bug, I went ahead and pushed all 3 acked patches in this thread to master: 2012-06-13 17:44 Petr Vobornik o Trust Web UI 2012-06-25 16:41 Alexander Bokovoy o Rename 'ipa trust-add-ad' to 'ipa trust-add --type=ad' 2012-06-22 19:33 Alexander Bokovoy o Use correct SID attribute for trusted domains Martin From edewata at redhat.com Mon Jun 25 16:39:39 2012 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 25 Jun 2012 11:39:39 -0500 Subject: [Freeipa-devel] [PATCH] 160,161 Trust Web UI In-Reply-To: <20120625161805.GG5935@redhat.com> References: <4FE472E0.6060903@redhat.com> <20120622164842.GD28689@redhat.com> <4FE50373.6020607@redhat.com> <4FE840B7.1010108@redhat.com> <1340627916.32038.445.camel@willson.li.ssimo.org> <20120625135045.GD5935@redhat.com> <20120625143730.GE5935@redhat.com> <4FE87B13.4000806@redhat.com> <4FE884B2.7010101@redhat.com> <4FE88AC3.4060109@redhat.com> <20120625161805.GG5935@redhat.com> Message-ID: <4FE8944B.1000105@redhat.com> On 6/25/2012 11:18 AM, Alexander Bokovoy wrote: >> ACK abbra-53 & abbra-54. One thing though, the error message is not >> very user friendly. Feel free to fix before push. >> >> % ipa trust-add ad.test --type=asdf >> ipa: ERROR: invalid 'type': must be one of (u'ad',) >> >> The ValidationError specifies this message 'only "ad" is supported' >> but it doesn't appear in the error message above. > The message above comes from StrEnum() validator which is common one for > all StrEnum()s. I made a ValidationError in execute() method to catch up > any discrepancies when other types of trust will be added as Python > doesn't have 'case/switch' so you are left alone with 'if' or list-based > lambdas which don't look so clear. > > What we probably want to add is more friendly way to display these > StrEnum values, dropping u'' and simply showing proper unicode as we do > for help already. > > Endi, could you please file a minor bug for it? https://fedorahosted.org/freeipa/ticket/2869 -- Endi S. Dewata From sgallagh at redhat.com Mon Jun 25 16:58:00 2012 
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Mon, 25 Jun 2012 12:58:00 -0400
Subject: [Freeipa-devel] Announcing SSSD 1.9.0 beta 3
Message-ID: <1340643480.2774.46.camel@sgallagh520.sgallagh.bos.redhat.com>

The SSSD is proud to announce the third of five preview releases of version 1.9 of the System Security Services Daemon.

Beta 4 will be released on July 10th and include a new AD provider (wrapping the intricacies of setting up AD, configuring LDAP attributes and Kerberos realm into a simpler set of configuration options)

Beta 5 will be released on July 31st and will contain a new tool for "seeding" accounts with a temporary password for sending machines to remotees as well as introducing a concept of primary vs. secondary servers.

After Beta 5, no new features will be added to SSSD 1.9.0 and we will focus on stability and our backlog of bugfixes until the final release around September 1st. We will most likely issue a series of release candidate builds prior to that, but these have not yet been scheduled.

As always, you can download the latest sources at https://fedorahosted.org/sssd/

== Highlights ==
* Add a new PAC responder for dealing with cross-realm Kerberos trusts
* Terminate idle connections to the NSS and PAM responders
* Switch from libunistring to glib2 for unicode support

== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/1163 [Feature] SSSD AD Integration Feature (Cross Realm Kerberos Trusts)
https://fedorahosted.org/sssd/ticket/1354 Add support for terminating idle connections in sssd_nss
https://fedorahosted.org/sssd/ticket/1383 sssd_nss segfaults performing netgroup lookups without a specified domain

== Detailed Changelog ==
Jan Zeleny (5):
* Fix possible segfault in sdap_save_group()
* PAC responder: add some utility functions
* PAC responder: test suite
* Fix re_expression matching with subdomains
* SELinux user maps: pick just one map

Shantanu Goel (4):
* Set return errno to the value prior to calling close().
* Log message if close() fails in destructor.
* Do not send SIGPIPE on disconnection
* Add support for terminating idle connections

Simo Sorce (2):
* Do not leak file descriptors in client libs.
* Add close on exec support for old platforms

Stef Walter (1):
* Move some debug lines to new debug log levels

Stephen Gallagher (6):
* Bumping version to 1.9.0 beta 3
* Fix typo breaking DIR cache detection
* Make the client idle timeout configurable
* UTILS: Fix segfault due to sss_parse_name_for_domains
* BUILD: Change default unicode library to glib2
* Update translations for 1.9.0 beta 3 release

Sumit Bose (11):
* PAC responder: add basic infrastructure
* PAC responder: add the core functionality
* PAC responder: support in spec file
* PAC client: add basic support in common client code
* PAC client: add krb5 authdata plugin
* Add support for ID ranges
* Add range support to PAC responder
* Try to build PAC responder only if all dependencies are available
* Build pac responder tests only if pac responder is build
* Add man page section for the PAC responder
* Set default for subdomain_homedir

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
URL:

From rcritten at redhat.com Mon Jun 25 18:20:32 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 25 Jun 2012 14:20:32 -0400
Subject: [Freeipa-devel] [PATCH] 1023 tool for configuring automount
In-Reply-To: <4FE85886.1050305@redhat.com>
References: <4FCE61FD.80801@redhat.com> <4FD0CC45.6080803@redhat.com> <4FE2071A.10008@redhat.com> <1340268011.12122.2.camel@balmora.brq.redhat.com> <4FE4AAEB.0@redhat.com> <4FE85886.1050305@redhat.com>
Message-ID: <4FE8ABF0.9040203@redhat.com>

Martin Kosek wrote:
> On 06/22/2012 07:27 PM, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On Wed, 2012-06-20 at 13:23 -0400, Rob Crittenden wrote:
>>>> Rob Crittenden wrote:
>>>>> Rob Crittenden wrote:
>>>>>> Here is a tool that can be used to configure automount in an IPA
>>>>>> client.
>>>>>> It can use either SSSD or autofs for automount. It also configures
>>>>>> NFSv4
>>>>>> on the client so secure maps will work.
>>>>>
>>>>> rebased patch
>>>>
>>>> rebase again
>>>>
>>>> rob
>>>
>>> I finally managed to look at this patch. This is generally good work
>>> and makes things a lot easier, but still I found a few issues:
> [snip]
>>>
>>> 5) Would it make sense to check if the given automount location exists?
>>> Currently there is no check for that:
>>>
>>> # ipa-configure-automount --server vm-091.idm.lab.bos.redhat.com
>>> --location foo
>>> Searching for IPA server...
>>> IPA server: DNS discovery
>>> Location: foo
>>> Continue to configure the system with these values? [no]: y
>>> Configured /etc/nsswitch.conf
>>> Configured /etc/sysconfig/nfs
>>> Configured /etc/idmapd.conf
>>> Started nfs-server.service
>>> Started nfs-secure.service
>>> Restarting sssd, waiting for it to become available.
>>> Started autofs.service
>>>
>>> Automount then obviously does not work:
>>
>> There was even a TODO in the code for this. I went ahead and did it. I
>> had punted originally because it wasn't really a big deal to unconfigure
>> and reconfigure with the right location.
>
> It's better, thanks. The error message could be more user-friendly and
> for example print all available automount locations, but it's not a
> blocking issue.
>
> We may however print other errors.ExecutionError's, e.g. I hit this when
> I uninstalled automount support and then installed it again too fast:
>
> # ipa-client-automount --server=vm-091.idm.lab.bos.redhat.com --location
> brno --no-sssd
> Searching for IPA server...
> IPA server: DNS discovery
> Location: brno
> Traceback (most recent call last):
>   File "/sbin/ipa-client-automount", line 458, in
>     sys.exit(main())
>   File "/sbin/ipa-client-automount", line 426, in main
>     api.Command['automountlocation_show'](unicode(options.location))
>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 435,
> in __call__
>     ret = self.run(*args, **options)
>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 748,
> in run
>     return self.forward(*args, **options)
>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 769,
> in forward
>     return self.Backend.xmlclient.forward(self.name, *args, **kw)
>   File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 531, in
> forward
>     return self.forward(name, *args, **kw)
>   File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 514, in
> forward
>     raise NetworkError(uri=server, error=str(e))
> ipalib.errors.NetworkError: cannot connect to
> 'http://vm-091.idm.lab.bos.redhat.com/ipa/xml': [Errno -8053]
> (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.

I don't think this was related to the speed in which you configured and
unconfigured though it looks like a timing issue. I wasn't able to
reproduce this but I did make the logging on it a little nicer if it
happens again.

>
>>> 7) This is related to ipa-client-install, but even when I disable
>>> autodiscovery and add the --server option it still disregards it and tries
>>> to search SRV records:
>>>
>>> # ipa-configure-automount --server=vm-091.idm.lab.bos.redhat.com
>>>
>>> Unable to confirm that.redhat.com is an IPA v2 server
>>
>> Yeah, I think a separate ticket should be opened up, I call the same
>> code as ipa-client-install.
>
> The issue here is that you pass neither server nor domain to the
> ds.search() function. ipa-client-install uses this call:
>
> ret = ds.search(domain=options.domain, server=options.server,
> hostname=hostname)
>
> But ipa-client-automount just calls:
>
> + ret = ds.search()
>
> You may also need to add a --domain parameter just like ipa-client-install
> does.

Ok, I see the problem. I'm not actually trying to do discovery, I'm just
seeing if it works. If we are able to autodiscover the IPA servers then
we configure the client to use discovery. Otherwise a server is
hardcoded in.

It would do this even if a server was provided, I changed that in this
patch.

>
>>
>>>
>>> 8) When discovery is on, we are not really verbose:
>>>
>>> # ipa-configure-automount
>>> Searching for IPA server...
>>> IPA server: DNS discovery
>>> Location: default
>>> Continue to configure the system with these values? [no]:
>>>
>>> We just write "IPA server: DNS discovery", but I would at least like to
>>> know what servers it detected so that I know it does the right thing.
>>
>> This should be better with Petr^3's patches. Is it not? Perhaps only
>> with --debug?
>
> I don't think it does, this is printed in ipa-client-automount:
>
> + if not autodiscover:
> + print "IPA server: %s" % server
> + else:
> + print "IPA server: DNS discovery"
>

I'm open to changing the message but basically it is saying whether or
not a fixed IPA server is going to be configured on the client for autofs.

>>
>>> 9) autofs via LDAP (no SSSD) is broken when autodiscovery is used.
>>> After
>>> some investigation I found this line is causing it:
>>>
>>> + if not autodiscover:
>>> + ldap_uri = "ldap://%s" % server
>>> + else:
>>> + ldap_uri = "ldap:///%s" % api.env.basedn <<<
>>>
>>> There should be an IPA server, not basedn. When I fixed it, autofs via
>>> LDAP worked.
>>
>> I'm not sure why it didn't work, this is correct.
>> ldap:///dc=example,dc=com tells the autofs client to use DNS discovery
>> to find the right server. It works for me.
>
> Now, it worked for me too, I must have had some bad setting.
>
> [snip]
>
> 11) I found another issue, nested indirect maps did not work with the sssd
> provider but they did with the ldap provider in nsswitch. But this is a
> problem on the SSSD side, I filed a ticket for them:
>
> https://fedorahosted.org/sssd/ticket/1390
>
> I also found 3 new issues (sorry for not finding them in the original review).
>
> 12) I see we log to ~/.ipa/default.log. I think it would be better to
> append to the log ipaclient-install.log or similar.

Ok, good idea. Done.

> 13) The first three options in the ipa-client-automount man page are not
> formatted right. Bold format is missing + there is an extra tag in the
> --location option:
>
> --server=SERVER Set the IPA server to connect to
>
> --location=LOCATION
> Automount location
>
> -S, --no-sssd
> Do not configure the client to use SSSD for automount

I only saw the bad which I fixed. They are otherwise bolded for me.

> 14) I assume that your patch also covers ticket 2193, I think it should
> be added to the patch description too.

Fixed that too

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-1023-5-automount.patch
Type: text/x-diff
Size: 5106 bytes
Desc: not available
URL:

From rcritten at redhat.com Mon Jun 25 18:50:51 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 25 Jun 2012 14:50:51 -0400
Subject: [Freeipa-devel] [DRAFT2] Per-domain DNS update permissions
In-Reply-To: <1340369998.32038.404.camel@willson.li.ssimo.org>
References: <1339766543.12383.48.camel@priserak> <1339769714.32038.0.camel@willson.li.ssimo.org> <1340000969.7024.2.camel@balmora.brq.redhat.com> <4FDF4B2F.8020401@redhat.com> <4FE446D1.1040101@redhat.com> <1340367792.32038.400.camel@willson.li.ssimo.org> <4FE46451.2010509@redhat.com> <1340369998.32038.404.camel@willson.li.ssimo.org>
Message-ID: <4FE8B30B.4050005@redhat.com>

Simo Sorce wrote:
> On Fri, 2012-06-22 at 14:25 +0200, Martin Kosek wrote:
>> On 06/22/2012 02:23 PM, Simo Sorce wrote:
>>> On Fri, 2012-06-22 at 12:20 +0200, Martin Kosek wrote:
>>>> On 06/18/2012 05:37 PM, Rob Crittenden wrote:
>>>>> Martin Kosek wrote:
>>>>>> On Fri, 2012-06-15 at 10:15 -0400, Simo Sorce wrote:
>>>>>>> On Fri, 2012-06-15 at 15:22 +0200, Martin Kosek wrote:
>>>>>>>> Hello all,
>>>>>>>>
>>>>>>>> In the scope of ticket 2511 I would like to implement an ability to
>>>>>>>> delegate DNS update permissions to a chosen user (or host) without
>>>>>>>> having to give the user full "Update DNS Entries" privileges, i.e.
>>>>>>>> allow
>>>>>>>> him to modify any DNS zone or record.
>>>>>>>>
>>>>>>>> So far, this is what I would like to do (comments welcome):
>>>>>>>>
>>>>>>>> 1) Create new objectclass "idnsManagedZone" with "managedBy" attribute
>>>>>>>> in MAY list
>>>>>>>> 2) Create new DNS commands:
>>>>>>>> a] dnszone-add-managedby [--users=USERS] [--hosts=HOSTS]
>>>>>>>> b] dnszone-remove-managedby [--users=USERS] [--hosts=HOSTS]
>>>>>>>> - these commands would add/remove the chosen user/host DN to the managedBy
>>>>>>>> attribute in the chosen DNS zone
>>>>>>>> 3) Add new generic ACIs to cn=dns,$SUFFIX:
>>>>>>>> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl
>>>>>>>> "Users and hosts can add DNS entries";allow (add) userattr =
>>>>>>>> "parent[1].managedby#USERDN";)
>>>>>>>> ... add similar ACIs for UPDATE, REMOVE access
>>>>>>>>
>>>>>>>> With these steps done, all that an administrator would need to do to
>>>>>>>> delegate management of a DNS zone "example.com" is to run this
>>>>>>>> command:
>>>>>>>> $ ipa dnszone-add-managedby example.com --users=fbar
>>>>>>>>
>>>>>>>> The only downside I found so far is that the user would already need to
>>>>>>>> have the "Read DNS Entries" permission assigned, otherwise he would not be
>>>>>>>> able to actually read DNS entries (allow rules can't take precedence
>>>>>>>> over the deny rule we implemented to deny public access to the DNS tree).
>>>>>>>>
>>>>>>>> An admin could of course create a special privilege and role with just
>>>>>>>> the "Read DNS Entries" permission and then assign it to relevant
>>>>>>>> users/groups, but this looks awkward. Any idea to make this simpler?
>>>>>>>> Maybe creating a group "dns readers" by default which would allow such
>>>>>>>> access?
>>>>>>>
>>>>>>> Change the deny rule to deny to everyone except the user in
>>>>>>> "parent[1].managedby#USERDN" ?
>>>>>>>
>>>>>>> Simo.
>>>>>>>
>>>>>>
>>>>>> Good idea, I will do that. I will just use
>>>>>> "parent[0,1].managedby#USERDN" so that the user can also read the zone
>>>>>> record. This way, a selected user will have read/write access to the
>>>>>> chosen zone only, which is exactly what we want to achieve.
>>>>>
>>>>> Yes, this sounds workable to me too.
>>>>>
>>>>> rob
>>>>>
>>>>
>>>> There were some second thoughts about the proposed design, which I would
>>>> like to discuss so that we can eventually accept another (better)
>>>> solution for this feature.
>>>>
>>>> The main concern here was that the proposed solution (based on a user list in
>>>> the managedBy attribute in the DNS zone) is not in line with the rest of the
>>>> permission&privilege architecture in IPA.
>>>>
>>>> Here is another idea how to address the feature (I tested it and it
>>>> would work):
>>>> 1) Get rid of the deny rule on cn=dns,$SUFFIX by modifying the global access
>>>> rule (a working patch attached) to avoid current and future issues with
>>>> extending ACIs (deny rules are evil).
>>>>
>>>> 2) Add a new Managed Entry Definition and Template to automatically add a
>>>> "Manage DNS zone $idnsname" permission. These could be used with standard
>>>> IPA privileges, roles and thus could be assigned to users, groups,
>>>> hosts, hostgroups...
>>>>
>>>> 3) The new DNS zone managedBy attribute won't be manageable by the user, but it
>>>> will hold the DN of the managed Permission entry
>>>>
>>>> 4) Add the following ACIs to cn=dns,$SUFFIX:
>>>> aci: (targetattr = "*")
>>>> (version 3.0; acl "Read DNS entries"; allow (read,search,compare)
>>>> userattr = "parent[0,1].managedby#GROUPDN";)
>>>>
>>>> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")
>>>> (version 3.0;acl "Add dns entries";allow (add)
>>>> userattr = "parent[1].managedby#GROUPDN";)
>>>>
>>>> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")
>>>> (version 3.0;acl "Remove DNS entries";allow (delete)
>>>> userattr = "parent[1].managedby#GROUPDN";)
>>>>
>>>> aci: (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl ||
>>>> dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord
>>>> || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord ||
>>>> hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord ||
>>>> locrecord || nxtrecord || naptrrecord || kxrecord || certrecord ||
>>>> dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord ||
>>>> idnsname || idnszoneactive || idnssoamname || idnssoarname ||
>>>> idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire ||
>>>> idnssoaminimum || idnsupdatepolicy || idnsallowquery ||
>>>> idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy ||
>>>> idnsforwarders")
>>>> (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update
>>>> DNS Entries";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)
>>>>
>>>> I needed to add the permission DN to the managedBy attribute so that I could
>>>> create just one set of generic ACIs without having to create a set of
>>>> ACIs for every new zone and thus let users with the "Update DNS entries"
>>>> permission have write access to the "aci" attribute.
>>>>
>>>> Would this design be better than the previous one? Comments welcome.
>>>
>>> Removing Deny ACIs would be great.
>>> But don't we need a second set of ACIs to allow uber admins to still
>>> control all zones ? or is that part of current ACIs not going to
>>> change ?
>>>
>>> Simo.
>>>
>>
>> Thanks to the removal of the deny rule, this would already be allowed by
>> this existing ACI:
>>
>> aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword
>> || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName ||
>> krbCanonicalName || krbUPEnabled || krbTicketPolicyReference ||
>> krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference
>> || krbPrincipalType || krbPwdHistory || krbLastPwdChange ||
>> krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth ||
>> krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags ||
>> ipaUniqueId || memberOf || serverHostName || enrolledBy")(version 3.0;
>> acl "Admin can manage any entry"; allow (all) groupdn =
>> "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
>
> Oh right!
> I like it even more then :-)
>
> Simo.
>

Yes, this looks like it will work and eliminating a deny rule is a
definite plus.

rob

From rcritten at redhat.com Mon Jun 25 19:35:17 2012
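The ACI evaluation behind the design above, as an added example (not FreeIPA or 389-ds code): it models how 389-ds resolves userattr = "parent[0,1].managedby#GROUPDN" against the target entry and its parent, and why a deny rule on the DNS tree would still block the delegated user even when an allow rule matches. The directory fragment, the membership table and the stand-in deny rule are constructed.

```python
"""Model of the ACI evaluation behind the per-zone DNS delegation design.

Added example, not FreeIPA or 389-ds code.  The directory fragment, the
membership table and the stand-in deny rule below are constructed.
"""

SUFFIX = "dc=example,dc=com"
DNS = "cn=dns," + SUFFIX

PERM_EXAMPLE = "cn=Manage DNS zone example.com,cn=permissions,cn=pbac," + SUFFIX
PERM_READ = "cn=Read DNS Entries,cn=permissions,cn=pbac," + SUFFIX
ADMINS = "cn=admins,cn=groups,cn=accounts," + SUFFIX
FBAR = "uid=fbar,cn=users,cn=accounts," + SUFFIX
ADMIN = "uid=admin,cn=users,cn=accounts," + SUFFIX

# Constructed directory fragment: the DNS container, two zones and one record
# each.  Only example.com carries a managedBy pointing at its permission entry.
ENTRIES = {
    DNS: {},
    "idnsname=example.com," + DNS: {"managedby": [PERM_EXAMPLE]},
    "idnsname=www,idnsname=example.com," + DNS: {"arecord": ["192.0.2.10"]},
    "idnsname=other.com," + DNS: {},
    "idnsname=mail,idnsname=other.com," + DNS: {"arecord": ["192.0.2.20"]},
}

# Flattened membership (group or permission DN -> member DNs).  fbar holds
# only the per-zone permission, not "Read DNS Entries".
MEMBERS = {PERM_EXAMPLE: [FBAR], PERM_READ: [], ADMINS: [ADMIN]}


def parent_dn(dn, level):
    """parent[0] is the target entry itself, parent[1] its parent, and so on."""
    rdns = dn.split(",")  # enough for the constructed DNs (no escaped commas)
    return ",".join(rdns[level:])


def userattr(attr, levels, kind):
    """Bind-side check for userattr = "parent[levels].attr#kind".

    USERDN: the bind DN itself is a value of attr on one of the entries.
    GROUPDN: the bind DN is a member of a group named by such a value.
    """
    def check(target_dn, bind_dn):
        for level in levels:
            entry = ENTRIES.get(parent_dn(target_dn, level), {})
            for value in entry.get(attr, []):
                if kind == "USERDN" and value == bind_dn:
                    return True
                if kind == "GROUPDN" and bind_dn in MEMBERS.get(value, []):
                    return True
        return False
    return check


def under_dns(dn):
    """Scope of an ACI placed on cn=dns,$SUFFIX: the container and below."""
    return dn == DNS or dn.endswith("," + DNS)


def dns_entry(dn):
    """target = "ldap:///idnsname=*,cn=dns,$SUFFIX": zones and records only."""
    return dn.startswith("idnsname=") and dn.endswith("," + DNS)


# (acl name, effect, rights, target predicate, bind predicate): the four
# proposed ACIs plus the existing "Admin can manage any entry" rule.
DELEGATION_ACIS = [
    ("Read DNS entries", "allow", {"read", "search", "compare"}, under_dns,
     userattr("managedby", (0, 1), "GROUPDN")),
    ("Add dns entries", "allow", {"add"}, dns_entry,
     userattr("managedby", (1,), "GROUPDN")),
    ("Remove DNS entries", "allow", {"delete"}, dns_entry,
     userattr("managedby", (1,), "GROUPDN")),
    ("Update DNS Entries", "allow", {"write"}, dns_entry,
     userattr("managedby", (0, 1), "GROUPDN")),
    ("Admin can manage any entry", "allow", {"all"}, lambda dn: True,
     lambda dn, bind: bind in MEMBERS[ADMINS]),
]

# Constructed stand-in for the old deny rule on the DNS tree: everyone except
# admins and holders of "Read DNS Entries" is denied read access.
DENY_PUBLIC = ("No public access to DNS", "deny",
               {"read", "search", "compare"}, under_dns,
               lambda dn, bind: bind not in MEMBERS[ADMINS]
               and bind not in MEMBERS[PERM_READ])


def is_allowed(acis, target_dn, right, bind_dn):
    """389-ds precedence: a matching deny always wins over any matching allow."""
    matching = [aci for aci in acis
                if aci[3](target_dn) and (right in aci[2] or "all" in aci[2])
                and aci[4](target_dn, bind_dn)]
    if any(aci[1] == "deny" for aci in matching):
        return False
    return any(aci[1] == "allow" for aci in matching)


if __name__ == "__main__":
    www = "idnsname=www,idnsname=example.com," + DNS
    # With the deny rule in place the delegation alone does not let fbar read.
    print(is_allowed(DELEGATION_ACIS + [DENY_PUBLIC], www, "read", FBAR))  # False
    print(is_allowed(DELEGATION_ACIS, www, "read", FBAR))  # True
    # parent[1] lets fbar add records under example.com but not new zones.
    print(is_allowed(DELEGATION_ACIS, "idnsname=new.com," + DNS, "add", FBAR))  # False
```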
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 25 Jun 2012 15:35:17 -0400
Subject: [Freeipa-devel] [PATCH] 1023 tool for configuring automount
In-Reply-To: <4FE8ABF0.9040203@redhat.com>
References: <4FCE61FD.80801@redhat.com> <4FD0CC45.6080803@redhat.com> <4FE2071A.10008@redhat.com> <1340268011.12122.2.camel@balmora.brq.redhat.com> <4FE4AAEB.0@redhat.com> <4FE85886.1050305@redhat.com> <4FE8ABF0.9040203@redhat.com>
Message-ID: <4FE8BD75.8080007@redhat.com>

Rob Crittenden wrote:
> Martin Kosek wrote:
>> On 06/22/2012 07:27 PM, Rob Crittenden wrote:
>>> Martin Kosek wrote:
>>>> On Wed, 2012-06-20 at 13:23 -0400, Rob Crittenden wrote:
>>>>> Rob Crittenden wrote:
>>>>>> Rob Crittenden wrote:
>>>>>>> Here is a tool that can be used to configure automount in an IPA
>>>>>>> client.
>>>>>>> It can use either SSSD or autofs for automount. It also configures
>>>>>>> NFSv4
>>>>>>> on the client so secure maps will work.
>>>>>>
>>>>>> rebased patch
>>>>>
>>>>> rebase again
>>>>>
>>>>> rob
>>>>
>>>> I finally managed to look at this patch. This is generally good work
>>>> and makes things a lot easier, but still I found a few issues:
>> [snip]
>>>>
>>>> 5) Would it make sense to check if the given automount location exists?
>>>> Currently there is no check for that:
>>>>
>>>> # ipa-configure-automount --server vm-091.idm.lab.bos.redhat.com
>>>> --location foo
>>>> Searching for IPA server...
>>>> IPA server: DNS discovery
>>>> Location: foo
>>>> Continue to configure the system with these values? [no]: y
>>>> Configured /etc/nsswitch.conf
>>>> Configured /etc/sysconfig/nfs
>>>> Configured /etc/idmapd.conf
>>>> Started nfs-server.service
>>>> Started nfs-secure.service
>>>> Restarting sssd, waiting for it to become available.
>>>> Started autofs.service
>>>>
>>>> Automount then obviously does not work:
>>>
>>> There was even a TODO in the code for this. I went ahead and did it. I
>>> had punted originally because it wasn't really a big deal to unconfigure
>>> and reconfigure with the right location.
>>
>> It's better, thanks. The error message could be more user-friendly and
>> for example print all available automount locations, but it's not a
>> blocking issue.
>>
>> We may however print other errors.ExecutionError's, e.g. I hit this when
>> I uninstalled automount support and then installed it again too fast:
>>
>> # ipa-client-automount --server=vm-091.idm.lab.bos.redhat.com --location
>> brno --no-sssd
>> Searching for IPA server...
>> IPA server: DNS discovery
>> Location: brno
>> Traceback (most recent call last):
>>   File "/sbin/ipa-client-automount", line 458, in
>>     sys.exit(main())
>>   File "/sbin/ipa-client-automount", line 426, in main
>>     api.Command['automountlocation_show'](unicode(options.location))
>>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 435,
>> in __call__
>>     ret = self.run(*args, **options)
>>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 748,
>> in run
>>     return self.forward(*args, **options)
>>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 769,
>> in forward
>>     return self.Backend.xmlclient.forward(self.name, *args, **kw)
>>   File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 531, in
>> forward
>>     return self.forward(name, *args, **kw)
>>   File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 514, in
>> forward
>>     raise NetworkError(uri=server, error=str(e))
>> ipalib.errors.NetworkError: cannot connect to
>> 'http://vm-091.idm.lab.bos.redhat.com/ipa/xml': [Errno -8053]
>> (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.
>
> I don't think this was related to the speed in which you configured and
> unconfigured though it looks like a timing issue. I wasn't able to
> reproduce this but I did make the logging on it a little nicer if it
> happens again.
>
>>
>>>> 7) This is related to ipa-client-install, but even when I disable
>>>> autodiscovery and add the --server option it still disregards it and tries
>>>> to search SRV records:
>>>>
>>>> # ipa-configure-automount --server=vm-091.idm.lab.bos.redhat.com
>>>>
>>>> Unable to confirm that.redhat.com is an IPA v2 server
>>>
>>> Yeah, I think a separate ticket should be opened up, I call the same
>>> code as ipa-client-install.
>>
>> The issue here is that you pass neither server nor domain to the
>> ds.search() function. ipa-client-install uses this call:
>>
>> ret = ds.search(domain=options.domain, server=options.server,
>> hostname=hostname)
>>
>> But ipa-client-automount just calls:
>>
>> + ret = ds.search()
>>
>> You may also need to add a --domain parameter just like ipa-client-install
>> does.
>
> Ok, I see the problem. I'm not actually trying to do discovery, I'm just
> seeing if it works. If we are able to autodiscover the IPA servers then
> we configure the client to use discovery. Otherwise a server is
> hardcoded in.
>
> It would do this even if a server was provided, I changed that in this
> patch.
>
>>
>>>
>>>>
>>>> 8) When discovery is on, we are not really verbose:
>>>>
>>>> # ipa-configure-automount
>>>> Searching for IPA server...
>>>> IPA server: DNS discovery
>>>> Location: default
>>>> Continue to configure the system with these values? [no]:
>>>>
>>>> We just write "IPA server: DNS discovery", but I would at least like to
>>>> know what servers it detected so that I know it does the right thing.
>>>
>>> This should be better with Petr^3's patches. Is it not? Perhaps only
>>> with --debug?
>>
>> I don't think it does, this is printed in ipa-client-automount:
>>
>> + if not autodiscover:
>> + print "IPA server: %s" % server
>> + else:
>> + print "IPA server: DNS discovery"
>>
>
> I'm open to changing the message but basically it is saying whether or
> not a fixed IPA server is going to be configured on the client for autofs.
>
>>>
>>>> 9) autofs via LDAP (no SSSD) is broken when autodiscovery is used.
>>>> After
>>>> some investigation I found this line is causing it:
>>>>
>>>> + if not autodiscover:
>>>> + ldap_uri = "ldap://%s" % server
>>>> + else:
>>>> + ldap_uri = "ldap:///%s" % api.env.basedn <<<
>>>>
>>>> There should be an IPA server, not basedn. When I fixed it, autofs via
>>>> LDAP worked.
>>>
>>> I'm not sure why it didn't work, this is correct.
>>> ldap:///dc=example,dc=com tells the autofs client to use DNS discovery
>>> to find the right server. It works for me.
>>
>> Now, it worked for me too, I must have had some bad setting.
>>
>> [snip]
>>
>> 11) I found another issue, nested indirect maps did not work with the sssd
>> provider but they did with the ldap provider in nsswitch. But this is a
>> problem on the SSSD side, I filed a ticket for them:
>>
>> https://fedorahosted.org/sssd/ticket/1390
>>
>> I also found 3 new issues (sorry for not finding them in the original
>> review).
>>
>> 12) I see we log to ~/.ipa/default.log. I think it would be better to
>> append to the log ipaclient-install.log or similar.
>
> Ok, good idea. Done.
>
>> 13) The first three options in the ipa-client-automount man page are not
>> formatted right. Bold format is missing + there is an extra tag in the
>> --location option:
>>
>> --server=SERVER Set the IPA server to connect to
>>
>> --location=LOCATION
>> Automount location
>>
>> -S, --no-sssd
>> Do not configure the client to use SSSD for automount
>
> I only saw the bad which I fixed. They are otherwise bolded for me.
>
>> 14) I assume that your patch also covers ticket 2193, I think it should
>> be added to the patch description too.
>
> Fixed that too
>
> rob

And now the correct patch.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-1023-5-automount.patch
Type: text/x-diff
Size: 27513 bytes
Desc: not available
URL:

From rcritten at redhat.com Mon Jun 25 20:23:32 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 25 Jun 2012 16:23:32 -0400
Subject: [Freeipa-devel] [PATCH] 1028 service pac types
In-Reply-To: <5251d02c-d545-4dcc-a1aa-61934d312bb9@zmail17.collab.prod.int.phx2.redhat.com>
References: <5251d02c-d545-4dcc-a1aa-61934d312bb9@zmail17.collab.prod.int.phx2.redhat.com>
Message-ID: <4FE8C8C4.8040600@redhat.com>

Simo Sorce wrote:
> ----- Original Message -----
>> This patch is more a WIP than anything. I want to see if I'm on the
>> right track.
>
> Hi Rob,
> I don't think we need ipaDefaultKrbAuthzData, we can use the same attribute both in ipaGuiConfig and ipaService, where it is placed makes the difference.
>
> You haven't changed ipaService in the base ldif.

On new installs the updates are still applied, gets added.

> The 'UNIX-PAC' current name is 'PAD' for Posix Authorization Data, we can call it 'PAD' in the pac_type field I think.

Ok done.

The ticket mentions something about marking some as critical. Is that
within the scope of this? I'm not sure what you had in mind for that.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-1028-2-pac.patch
Type: text/x-diff
Size: 20831 bytes
Desc: not available
URL:

From simo at redhat.com Mon Jun 25 21:22:02 2012
From: simo at redhat.com (Simo Sorce)
Date: Mon, 25 Jun 2012 17:22:02 -0400
Subject: [Freeipa-devel] [PATCH] 1028 service pac types
In-Reply-To: <4FE8C8C4.8040600@redhat.com>
References: <5251d02c-d545-4dcc-a1aa-61934d312bb9@zmail17.collab.prod.int.phx2.redhat.com> <4FE8C8C4.8040600@redhat.com>
Message-ID: <1340659322.32038.560.camel@willson.li.ssimo.org>

On Mon, 2012-06-25 at 16:23 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > ----- Original Message -----
> >> This patch is more a WIP than anything. I want to see if I'm on the
> >> right track.
> >
> > Hi Rob,
> > I don't think we need ipaDefaultKrbAuthzData, we can use the same attribute both in ipaGuiConfig and ipaService, where it is placed makes the difference.
> >
> > You haven't changed ipaService in the base ldif.
>
> On new installs the updates are still applied, gets added.

Sure it 'works' but the ldif files are now incomplete and slightly
misleading, is there a good reason to not update them ?

> > The 'UNIX-PAC' current name is 'PAD' for Posix Authorization Data, we can call it 'PAD' in the pac_type field I think.
>
> Ok done.
>
> The ticket mentions something about marking some as critical. Is that
> within the scope of this? I'm not sure what you had in mind for that.

It is for the multi-PAC case, where we may decide to not attach stuff if
the ticket becomes too big.

But I think we should defer that part for later, when we will have
multiple formats.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Mon Jun 25 21:38:24 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 25 Jun 2012 17:38:24 -0400
Subject: [Freeipa-devel] [PATCH] 1028 service pac types
In-Reply-To: <1340659322.32038.560.camel@willson.li.ssimo.org>
References: <5251d02c-d545-4dcc-a1aa-61934d312bb9@zmail17.collab.prod.int.phx2.redhat.com> <4FE8C8C4.8040600@redhat.com> <1340659322.32038.560.camel@willson.li.ssimo.org>
Message-ID: <4FE8DA50.9050403@redhat.com>

Simo Sorce wrote:
> On Mon, 2012-06-25 at 16:23 -0400, Rob Crittenden wrote:
>> Simo Sorce wrote:
>>> ----- Original Message -----
>>>> This patch is more a WIP than anything. I want to see if I'm on the
>>>> right track.
>>>
>>> Hi Rob,
>>> I don't think we need ipaDefaultKrbAuthzData, we can use the same attribute both in ipaGuiConfig and ipaService, where it is placed makes the difference.
>>>
>>> You haven't changed ipaService in the base ldif.
>>
>> On new installs the updates are still applied, gets added.
>
> Sure it 'works' but the ldif files are now incomplete and slightly
> misleading, is there a good reason to not update them ?

It is because it is in a file 60basev2.ldif. This is a v3 schema
addition. It is one confusing element over another.

>>> The 'UNIX-PAC' current name is 'PAD' for Posix Authorization Data, we can call it 'PAD' in the pac_type field I think.
>>
>> Ok done.
>>
>> The ticket mentions something about marking some as critical. Is that
>> within the scope of this? I'm not sure what you had in mind for that.
>
> It is for the multi-PAC case, where we may decide to not attach stuff if
> the ticket becomes too big.
>
> But I think we should defer that part for later, when we will have
> multiple formats.
>
> Simo.
>

rob

From simo at redhat.com Mon Jun 25 21:55:50 2012
From: simo at redhat.com (Simo Sorce)
Date: Mon, 25 Jun 2012 17:55:50 -0400
Subject: [Freeipa-devel] [PATCH] 1028 service pac types
In-Reply-To: <4FE8DA50.9050403@redhat.com>
References: <5251d02c-d545-4dcc-a1aa-61934d312bb9@zmail17.collab.prod.int.phx2.redhat.com> <4FE8C8C4.8040600@redhat.com> <1340659322.32038.560.camel@willson.li.ssimo.org> <4FE8DA50.9050403@redhat.com>
Message-ID: <1340661350.32038.574.camel@willson.li.ssimo.org>

On Mon, 2012-06-25 at 17:38 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Mon, 2012-06-25 at 16:23 -0400, Rob Crittenden wrote:
> >> Simo Sorce wrote:
> >>> ----- Original Message -----
> >>>> This patch is more a WIP than anything. I want to see if I'm on the
> >>>> right track.
> >>>
> >>> Hi Rob,
> >>> I don't think we need ipaDefaultKrbAuthzData, we can use the same attribute both in ipaGuiConfig and ipaService, where it is placed makes the difference.
> >>>
> >>> You haven't changed ipaService in the base ldif.
> >>
> >> On new installs the updates are still applied, gets added.
> >
> > Sure it 'works' but the ldif files are now incomplete and slightly
> > misleading, is there a good reason to not update them ?
>
> It is because it is in a file 60basev2.ldif. This is a v3 schema
> addition. It is one confusing element over another.

My concern is that if you pick the ipa schema files to install somewhere
else you will not have the full schema.

If we do not provide the full schema in our installable ldif files then
we also need to publish a separate set of documents with the official
schema.

If that's what we decide to do, then please open a ticket to address
publication of this separate set of ldif files, although it will become
yet another thing to maintain and make sure it doesn't get
de-synchronized with the actual data in the git tree.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rmeggins at redhat.com Mon Jun 25 22:36:31 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 25 Jun 2012 16:36:31 -0600
Subject: [Freeipa-devel] 389 ticket 392 - where does kerberos close /var/tmp/ldap_499?
Message-ID: <4FE8E7EF.1020608@redhat.com>

https://fedorahosted.org/389/ticket/392

The platform is F-17 with 389 1.2.11 and ipa 2.2

Attached to the ticket are various gdb bt of calls to open
/var/tmp/ldap_499 - where are these supposed to be closed?

With the server under a very light load, calling ipa commands to do
sasl/gssapi binds, I can see the lsof on this file fluctuating between 0
and 16. I have not been able to get more than 16 sustained, although I
can see it slightly higher while an operation is in progress.

My question is - where is the corresponding close() for the open in
krb5int_labeled_open()?

From mkosek at redhat.com Tue Jun 26 07:00:43 2012
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 26 Jun 2012 09:00:43 +0200
Subject: [Freeipa-devel] [PATCH] 1023 tool for configuring automount
In-Reply-To: <4FE8BD75.8080007@redhat.com>
References: <4FCE61FD.80801@redhat.com> <4FD0CC45.6080803@redhat.com> <4FE2071A.10008@redhat.com> <1340268011.12122.2.camel@balmora.brq.redhat.com> <4FE4AAEB.0@redhat.com> <4FE85886.1050305@redhat.com> <4FE8ABF0.9040203@redhat.com> <4FE8BD75.8080007@redhat.com>
Message-ID: <4FE95E1B.6060000@redhat.com>

On 06/25/2012 09:35 PM, Rob Crittenden wrote:
> Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On 06/22/2012 07:27 PM, Rob Crittenden wrote:
>>>> Martin Kosek wrote:
>>>>> On Wed, 2012-06-20 at 13:23 -0400, Rob Crittenden wrote:
>>>>>> Rob Crittenden wrote:
>>>>>>> Rob Crittenden wrote:
>>>>>>>> Here is a tool that can be used to configure automount in an IPA
>>>>>>>> client.
>>>>>>>> It can use either SSSD or autofs for automount. It also configures
>>>>>>>> NFSv4
>>>>>>>> on the client so secure maps will work.
>>>>>>>
>>>>>>> rebased patch
>>>>>>
>>>>>> rebase again
>>>>>>
>>>>>> rob
>>>>>
>>>>> I finally managed to look at this patch. This is generally good work
>>>>> and makes things a lot easier, but still I found a few issues:
>>> [snip]
>>>>>
>>>>> 5) Would it make sense to check if the given automount location
>>>>> exists?
>>>>> Currently there is no check for that:
>>>>>
>>>>> # ipa-configure-automount --server vm-091.idm.lab.bos.redhat.com
>>>>> --location foo
>>>>> Searching for IPA server...
>>>>> IPA server: DNS discovery
>>>>> Location: foo
>>>>> Continue to configure the system with these values? [no]: y
>>>>> Configured /etc/nsswitch.conf
>>>>> Configured /etc/sysconfig/nfs
>>>>> Configured /etc/idmapd.conf
>>>>> Started nfs-server.service
>>>>> Started nfs-secure.service
>>>>> Restarting sssd, waiting for it to become available.
>>>>> Started autofs.service
>>>>>
>>>>> Automount then obviously does not work:
>>>>
>>>> There was even a TODO in the code for this. I went ahead and did it. I
>>>> had punted originally because it wasn't really a big deal to
>>>> unconfigure
>>>> and reconfigure with the right location.
>>>
>>> It's better, thanks. The error message could be more user-friendly and
>>> for example print all available automount locations, but it's not a
>>> blocking issue.
>>>
>>> We may however print other errors.ExecutionError's, e.g. I hit this when
>>> I uninstalled automount support and then installed it again too fast:
>>>
>>> # ipa-client-automount --server=vm-091.idm.lab.bos.redhat.com --location
>>> brno --no-sssd
>>> Searching for IPA server...
>>> IPA server: DNS discovery
>>> Location: brno
>>> Traceback (most recent call last):
>>> File "/sbin/ipa-client-automount", line 458, in
>>> sys.exit(main())
>>> File "/sbin/ipa-client-automount", line 426, in main
>>> api.Command['automountlocation_show'](unicode(options.location))
>>> File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 435,
>>> in __call__
>>> ret = self.run(*args, **options)
>>> File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 748,
>>> in run
>>> return self.forward(*args, **options)
>>> File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 769,
>>> in forward
>>> return self.Backend.xmlclient.forward(self.name, *args, **kw)
>>> File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 531, in
>>> forward
>>> return self.forward(name, *args, **kw)
>>> File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 514, in
>>> forward
>>> raise NetworkError(uri=server, error=str(e))
>>> ipalib.errors.NetworkError: cannot connect to
>>> 'http://vm-091.idm.lab.bos.redhat.com/ipa/xml': [Errno -8053]
>>> (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.
>>
>> I don't think this was related to the speed in which you configured and
>> unconfigured though it looks like a timing issue. I wasn't able to
>> reproduce this but I did make the logging on it a little nicer if it
>> happens again.
>>
>>>
>>>>> 7) This is related to ipa-client-install, but even when I disable
>>>>> autodiscovery and add --server option it still disregards it and tries
>>>>> to search SRV records:
>>>>>
>>>>> # ipa-configure-automount --server=vm-091.idm.lab.bos.redhat.com
>>>>>
>>>>> Unable to confirm that.redhat.com is an IPA v2
>>>>> server
>>>>
>>>> Yeah, I think a separate ticket should be opened up, I call the same
>>>> code as ipa-client-install.
>>>
>>> The issue here is that you don't pass either server or domain to the
>>> ds.search() function. ipa-client-install uses this call:
>>>
>>> ret = ds.search(domain=options.domain, server=options.server,
>>> hostname=hostname)
>>>
>>> But ipa-client-automount just calls:
>>>
>>> + ret = ds.search()
>>>
>>> You may also need to add --domain parameter just like ipa-client-install
>>> does.
>>
>> Ok, I see the problem. I'm not actually trying to do discovery, I'm just
>> seeing if it works. If we are able to autodiscover the IPA servers then
>> we configure the client to use discovery. Otherwise a server is
>> hardcoded in.
>>
>> It would do this even if a server was provided, I changed that in this
>> patch.
>>
>>>
>>>>
>>>>>
>>>>> 8) When discovery is on, we are not really verbose:
>>>>>
>>>>> # ipa-configure-automount
>>>>> Searching for IPA server...
>>>>> IPA server: DNS discovery
>>>>> Location: default
>>>>> Continue to configure the system with these values? [no]:
>>>>>
>>>>> We just write "IPA server: DNS discovery", but I would at least
>>>>> like to
>>>>> know what servers it detected so that I know it does the right thing.
>>>>
>>>> This should be better with Petr^3's patches. Is it not? Perhaps only
>>>> with --debug?
>>>
>>> I don't think it does, this is printed in ipa-client-automount:
>>>
>>> + if not autodiscover:
>>> + print "IPA server: %s" % server
>>> + else:
>>> + print "IPA server: DNS discovery"
>>>
>>
>> I'm open to changing the message but basically it is saying whether or
>> not a fixed IPA server is going to be configured on the client for
>> autofs.
>>
>>>>
>>>>> 9) autofs via LDAP (no SSSD) is broken when autodiscovery is used.
>>>>> After
>>>>> some investigation I found this line is causing it:
>>>>>
>>>>> + if not autodiscover:
>>>>> + ldap_uri = "ldap://%s" % server
>>>>> + else:
>>>>> + ldap_uri = "ldap:///%s" % api.env.basedn<<<
>>>>>
>>>>> There should be an IPA server, not basedn. When I fixed it, autofs via
>>>>> LDAP worked.
>>>>
>>>> I'm not sure why it didn't work, this is correct.
>>>> ldap:///dc=example,dc=com tells the autofs client to use DNS discovery
>>>> to find the right server. It works for me.
>>>
>>> Now, it worked for me too, I must have had some bad setting.
>>>
>>> [snip]
>>>
>>> 11) I found another issue, nested indirect maps did not work with sssd
>>> provider but they did with ldap provider in nsswitch. But this is a
>>> problem on SSSD side, I filed a ticket for them:
>>>
>>> https://fedorahosted.org/sssd/ticket/1390
>>>
>>> I also found 3 new issues (sorry for not finding them in original
>>> review).
>>>
>>> 12) I see we log to ~/.ipa/default.log. I think it would be better to
>>> append the log ipaclient-install.log or similar.
>>
>> Ok, good idea. Done.
>>
>>> 13) First three options in ipa-client-automount man pages are not
>>> formatted right. Bold format is missing + there is extra tag in
>>> --location option:
>>>
>>> --server=SERVER Set the IPA server to connect to
>>>
>>> --location=LOCATION
>>> Automount location
>>>
>>> -S, --no-sssd
>>> Do not configure the client to use SSSD for automount
>>
>> I only saw the bad which I fixed. They are otherwise bolded for me.
>>
>>> 14) I assume that your patch covers also ticket 2193, I think it should
>>> be added to the patch description too.
>>
>> Fixed that too
>>
>> rob
>
> And now the correct patch.
>
> rob

Thanks, everything seems to be fixed. I just see that ipaclient-install.log is truncated when I start ipa-client-automount. So I would rather append the log to it (like we do in ipa-dns-install) so that we don't lose the client install debug info.

ACK if you do this change or choose a different log file.

Martin

From sbose at redhat.com Tue Jun 26 08:23:05 2012
From: sbose at redhat.com (Sumit Bose)
Date: Tue, 26 Jun 2012 10:23:05 +0200
Subject: [Freeipa-devel] [PATCH] Filter groups in the PAC
Message-ID: <20120626082305.GA29454@localhost.localdomain>

Hi,

this patch contains the KDC part of the external groups handling. If group SIDs from the PAC can be found in the ipaExternalGroup objects and the external groups are members of local groups, the SIDs of the local groups are added to the PAC. If the PAC is then read by the SSSD pac responder the user from the PAC is added to the local groups on the client.

bye,
Sumit

-------------- next part --------------
From 2e1415e17b811f76d2611a70560ab024765ab3ad Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Mon, 30 Apr 2012 15:30:01 +0200
Subject: [PATCH] Filter groups in the PAC

If one or more of the external groups given in the PAC can be found in the ipaExternalGroup objects and these objects are members of local groups, the SIDs of the local groups are added to the PAC.
---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 453 ++++++++++++++++++++++++++++++++++++++-
 1 Datei geändert, 452 Zeilen hinzugefügt(+), 1 Zeile entfernt(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 7993867032b52edce6291b16b262f73da79c0ab1..f640b545a636a2c58e3eb31951de142e5b0ffbe2 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -22,9 +22,13 @@ #include "ipa_kdb.h" #include +#include #include "util/time.h" #include "gen_ndr/ndr_krb5pac.h" + +int krb5_klog_syslog(int, const char *, ...); + static char *user_pac_attrs[] = { "objectClass", "uid", @@ -63,7 +67,9 @@ static char *memberof_pac_attrs[] = { NULL }; +#define SID_ID_AUTHS 6 #define SID_SUB_AUTHS 15 +#define MAX(a,b) (((a)>(b))?(a):(b)) static int string_to_sid(char *str, struct dom_sid *sid) { 
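Review bot: The unconditional `#define MAX(a,b) (((a)>(b))?(a):(b))` in the @@ -63 hunk will collide with the MAX macro that system headers such as sys/param.h already provide, producing a redefinition warning or error depending on include order; wrap it in `#ifndef MAX` / `#endif`, or give it a private name. Note also that its only user below, `MAX(len - ofs, 0)`, mixes a size_t and an int, so the comparison is done unsigned and the macro never yields 0 (see the comment on that hunk).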
@@ -126,6 +132,80 @@ static int string_to_sid(char *str, struct dom_sid *sid) return 0; } +static char *dom_sid_string(TALLOC_CTX *memctx, const struct dom_sid *dom_sid) +{ + size_t c; + size_t len; + int ofs; + uint32_t ia; + char *buf; + + if (dom_sid == NULL) { + return NULL; + } + + len = 25 + dom_sid->num_auths * 11; + + buf = talloc_zero_size(memctx, len); + + ia = (dom_sid->id_auth[5]) + + (dom_sid->id_auth[4] << 8 ) + + (dom_sid->id_auth[3] << 16) + + (dom_sid->id_auth[2] << 24); + + ofs = snprintf(buf, len, "S-%u-%lu", (unsigned int) dom_sid->sid_rev_num, + (unsigned long) ia); + + for (c = 0; c < dom_sid->num_auths; c++) { + ofs += snprintf(buf + ofs, MAX(len - ofs, 0), "-%lu", + (unsigned long) dom_sid->sub_auths[c]); + } + + if (ofs >= len) { + talloc_free(buf); + return NULL; + } + + return buf; +} + +static struct dom_sid *dom_sid_dup(TALLOC_CTX *memctx, + const struct dom_sid *dom_sid) +{ + struct dom_sid *new_sid; + size_t c; + + if (dom_sid == NULL) { + return NULL; + } + + new_sid = talloc(memctx, struct dom_sid); + if (new_sid == NULL) { + return NULL; + } + + new_sid->sid_rev_num = dom_sid->sid_rev_num; + for (c = 0; c < SID_ID_AUTHS; c++) { + new_sid->id_auth[c] = dom_sid->id_auth[c]; + } + new_sid->num_auths = dom_sid->num_auths; + for (c = 0; c < SID_SUB_AUTHS; c++) { + new_sid->sub_auths[c] = dom_sid->sub_auths[c]; + } + + return new_sid; +} + +static int sid_append_rid(struct dom_sid *sid, uint32_t rid) +{ + if (sid->num_auths >= SID_SUB_AUTHS) { + return EINVAL; + } + + sid->sub_auths[sid->num_auths++] = rid; + return 0; +} + /** * @brief Takes a user sid and removes the rid. * The sid is changed by this function, @@ -143,7 +223,9 @@ static int sid_split_rid(struct dom_sid *sid, uint32_t *rid) } sid->num_auths--; - *rid = sid->sub_auths[sid->num_auths]; + if (rid != NULL) { + *rid = sid->sub_auths[sid->num_auths]; + } sid->sub_auths[sid->num_auths] = 0; return 0; 
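Review bot: In dom_sid_string the result of `talloc_zero_size(memctx, len)` is used without a NULL check, so an allocation failure dereferences NULL in the first snprintf; add `if (buf == NULL) { return NULL; }` right after it. In the same function `MAX(len - ofs, 0)` does not guard anything: `len` is size_t and `ofs` is int, so `len - ofs` is computed unsigned and wraps to a huge value instead of going negative, and that huge size is then passed to snprintf together with a `buf + ofs` that already points past the buffer. The final `if (ofs >= len)` does detect truncation, so either break out of the loop as soon as `ofs >= len`, or pass `ofs < len ? len - ofs : 0` as the remaining size; either way the MAX on mixed signedness should go.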
@@ -538,6 +620,349 @@ static bool is_cross_realm_krbtgt(krb5_const_principal princ) return true; } +static char *gen_sid_string(TALLOC_CTX *memctx, struct dom_sid *dom_sid, + uint32_t rid) +{ + char *str = NULL; + int ret; + + ret = sid_append_rid(dom_sid, rid); + if (ret != 0) { + krb5_klog_syslog(LOG_ERR, "sid_append_rid failed"); + return NULL; + } + + str = dom_sid_string(memctx, dom_sid); + ret = sid_split_rid(dom_sid, NULL); + if (ret != 0) { + krb5_klog_syslog(LOG_ERR, "sid_split_rid failed"); + talloc_free(str); + return NULL; + } + + return str; +} + +static int get_group_sids(TALLOC_CTX *memctx, + struct PAC_LOGON_INFO_CTR *logon_info, + char ***_group_sids) +{ + int ret; + size_t c; + size_t p = 0; + struct dom_sid *domain_sid = NULL; + char **group_sids = NULL; + + domain_sid = dom_sid_dup(memctx, logon_info->info->info3.base.domain_sid); + if (domain_sid == NULL) { + krb5_klog_syslog(LOG_ERR, "dom_sid_dup failed"); + ret = ENOMEM; + goto done; + } + + group_sids = talloc_array(memctx, char *, + 2 + + logon_info->info->info3.base.groups.count + + logon_info->info->info3.sidcount); + if (group_sids == NULL) { + krb5_klog_syslog(LOG_ERR, "talloc_array failed"); + ret = ENOMEM; + goto done; + } + + group_sids[p] = gen_sid_string(memctx, domain_sid, + logon_info->info->info3.base.primary_gid); + if (group_sids[p] == NULL) { + krb5_klog_syslog(LOG_ERR, "gen_sid_string failed"); + ret = EINVAL; + goto done; + } + p++; + + for (c = 0; c < logon_info->info->info3.base.groups.count; c++) { + group_sids[p] = gen_sid_string(memctx, domain_sid, + logon_info->info->info3.base.groups.rids[c].rid); + if (group_sids[p] == NULL) { + krb5_klog_syslog(LOG_ERR, "gen_sid_string 2 failed"); + ret = EINVAL; + goto done; + } + p++; + } + for (c = 0; c < logon_info->info->info3.sidcount; c++) { + group_sids[p] = dom_sid_string(memctx, + logon_info->info->info3.sids[c].sid); + if (group_sids[p] == NULL) { + krb5_klog_syslog(LOG_ERR, "dom_sid_string failed"); + ret = EINVAL; + 
goto done; + } + p++; + } + + group_sids[p] = NULL; + + *_group_sids = group_sids; + + ret = 0; +done: + talloc_free(domain_sid); + if (ret != 0) { + talloc_free(group_sids); + } + + return ret; +} + +static int add_groups(TALLOC_CTX *memctx, + struct PAC_LOGON_INFO_CTR *logon_info, + size_t ipa_group_sids_count, + struct dom_sid2 *ipa_group_sids) +{ + size_t c; + struct netr_SidAttr *sids = NULL; + + if (ipa_group_sids_count == 0) { + return 0; + } + + sids = talloc_realloc(memctx, logon_info->info->info3.sids, + struct netr_SidAttr, + logon_info->info->info3.sidcount + ipa_group_sids_count); + if (sids == NULL) { + return ENOMEM; + } + + + for (c = 0; c < ipa_group_sids_count; c++) { + sids[c + logon_info->info->info3.sidcount].sid = &ipa_group_sids[c]; + sids[c + logon_info->info->info3.sidcount].attributes = + SE_GROUP_ENABLED | + SE_GROUP_MANDATORY | + SE_GROUP_ENABLED_BY_DEFAULT; + } + + logon_info->info->info3.sidcount += ipa_group_sids_count; + logon_info->info->info3.sids = sids; + + + return 0; +} + +static int map_groups(TALLOC_CTX *memctx, krb5_context kcontext, + char **group_sids, size_t *_ipa_group_sids_count, + struct dom_sid **_ipa_group_sids) +{ + struct ipadb_context *ipactx; + krb5_error_code kerr; + int ret; + LDAPMessage *results = NULL; + LDAPMessage *lentry; + char *basedn = NULL; + char *filter = NULL; + LDAPDerefRes *deref_results = NULL; + LDAPDerefRes *dres; + LDAPDerefVal *dval; + size_t c; + size_t count = 0; + size_t sid_index = 0; + struct dom_sid *sids = NULL; + char *entry_attrs[] ={"1.1", NULL}; + unsigned long gid; + struct dom_sid sid; + char *endptr; + + ipactx = ipadb_get_context(kcontext); + if (ipactx == NULL) { + return KRB5_KDB_DBNOTINITED; + } + + basedn = talloc_asprintf(memctx, "cn=groups,cn=accounts,%s", ipactx->base); + if (basedn == NULL) { + krb5_klog_syslog(LOG_ERR, "talloc_asprintf failed."); + kerr = ENOMEM; + goto done; + } + + for (c = 0; group_sids[c] != NULL; c++) { + talloc_free(filter); + filter = 
talloc_asprintf(memctx, "(&(objectclass=ipaExternalGroup)(ipaExternalMember=%s))", + group_sids[c]); + if (filter == NULL) { + krb5_klog_syslog(LOG_ERR, "talloc_asprintf failed."); + kerr = ENOMEM; + goto done; + } + + kerr = ipadb_deref_search(ipactx, basedn, LDAP_SCOPE_ONE, filter, + entry_attrs, deref_search_attrs, + memberof_pac_attrs, &results); + if (kerr != 0) { + krb5_klog_syslog(LOG_ERR, "ipadb_deref_search failed."); + goto done; + } + + lentry = ldap_first_entry(ipactx->lcontext, results); + if (lentry == NULL) { + continue; + } + + ldap_derefresponse_free(deref_results); + ret = ipadb_ldap_deref_results(ipactx->lcontext, lentry, &deref_results); + switch (ret) { + case ENOENT: + /* No entry found, try next SID */ + break; + case 0: + if (deref_results == NULL) { + krb5_klog_syslog(LOG_ERR, "No results."); + break; + } + + for (dres = deref_results; dres; dres = dres->next) { + count++; + } + + sids = talloc_realloc(memctx, sids, struct dom_sid, count); + if (sids == NULL) { + krb5_klog_syslog(LOG_ERR, "talloc_realloc failed."); + kerr = ENOMEM; + goto done; + } + + for (dres = deref_results; dres; dres = dres->next) { + gid = 0; + memset(&sid, '\0', sizeof(struct dom_sid)); + for (dval = dres->attrVals; dval; dval = dval->next) { + if (strcasecmp(dval->type, "gidNumber") == 0) { + errno = 0; + gid = strtoul((char *)dval->vals[0].bv_val, + &endptr,10); + if (gid == 0 || gid >= UINT32_MAX || errno != 0 || + *endptr != '\0') { + continue; + } + } + if (strcasecmp(dval->type, + "ipaNTSecurityIdentifier") == 0) { + kerr = string_to_sid((char *)dval->vals[0].bv_val, &sid); + if (kerr != 0) { + continue; + } + } + } + if (gid != 0 && sid.sid_rev_num != 0) { + /* TODO: check if gid maps to sid */ + if (sid_index >= count) { + krb5_klog_syslog(LOG_ERR, "Index larger than " + "array, this shoould " + "never happen."); + kerr = EFAULT; + goto done; + } + memcpy(&sids[sid_index], &sid, sizeof(struct dom_sid)); + sid_index++; + } + } + + break; + default: + goto 
done; + } + } + + *_ipa_group_sids_count = sid_index; + *_ipa_group_sids = sids; + + kerr = 0; + +done: + ldap_derefresponse_free(deref_results); + talloc_free(basedn); + talloc_free(filter); + ldap_msgfree(results); + return kerr; +} + +static krb5_error_code filter_pac(krb5_context context, krb5_data *old_data, + krb5_data *new_data) +{ + DATA_BLOB pac_data; + union PAC_INFO pac_info; + krb5_error_code kerr; + enum ndr_err_code ndr_err; + TALLOC_CTX *tmpctx; + int ret; + char **group_sids = NULL; + size_t ipa_group_sids_count = 0; + struct dom_sid *ipa_group_sids = NULL; + + tmpctx = talloc_new(NULL); + if (!tmpctx) { + return ENOMEM; + } + + pac_data.length = old_data->length; + pac_data.data = (uint8_t *) old_data->data; + + ndr_err = ndr_pull_union_blob(&pac_data, tmpctx, &pac_info, + PAC_TYPE_LOGON_INFO, + (ndr_pull_flags_fn_t) ndr_pull_PAC_INFO); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + krb5_klog_syslog(LOG_ERR, "ndr_pull_union_blob failed"); + kerr = KRB5_KDB_INTERNAL_ERROR; + goto done; + } + + ret = get_group_sids(tmpctx, &pac_info.logon_info, &group_sids); + if (ret != 0) { + krb5_klog_syslog(LOG_ERR, "get_group_sids failed"); + kerr = KRB5_KDB_INTERNAL_ERROR; + goto done; + } + + ret = map_groups(tmpctx, context, group_sids, &ipa_group_sids_count, + &ipa_group_sids); + if (ret != 0) { + krb5_klog_syslog(LOG_ERR, "map_groups failed"); + kerr = KRB5_KDB_INTERNAL_ERROR; + goto done; + } + + ret = add_groups(tmpctx, &pac_info.logon_info, ipa_group_sids_count, + ipa_group_sids); + if (ret != 0) { + krb5_klog_syslog(LOG_ERR, "add_groups failed"); + kerr = KRB5_KDB_INTERNAL_ERROR; + goto done; + } + + ndr_err = ndr_push_union_blob(&pac_data, tmpctx, &pac_info, + PAC_TYPE_LOGON_INFO, + (ndr_push_flags_fn_t)ndr_push_PAC_INFO); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + krb5_klog_syslog(LOG_ERR, "ndr_push_union_blob failed"); + kerr = KRB5_KDB_INTERNAL_ERROR; + goto done; + } + + new_data->magic = KV5M_DATA; + new_data->data = malloc(pac_data.length); + if 
(new_data->data == NULL) { + kerr = ENOMEM; + goto done; + } + memcpy(new_data->data, pac_data.data, pac_data.length); + new_data->length = pac_data.length; + + kerr = 0; + +done: + talloc_free(tmpctx); + + return kerr; +} + static krb5_error_code ipadb_verify_pac(krb5_context context, unsigned int flags, krb5_const_principal client_princ, @@ -557,6 +982,7 @@ static krb5_error_code ipadb_verify_pac(krb5_context context, krb5_pac old_pac = NULL; krb5_pac new_pac = NULL; krb5_data data; + krb5_data filtered_data; size_t i; kerr = krb5_pac_parse(context, @@ -567,6 +993,7 @@ static krb5_error_code ipadb_verify_pac(krb5_context context, goto done; } + memset(&filtered_data, 0, sizeof(filtered_data)); /* for cross realm trusts cases we need to check the right checksum. * when the PAC is signed by our realm, we can always just check it * passing our realm krbtgt key as the kdc checksum key (privsvr). @@ -584,6 +1011,16 @@ static krb5_error_code ipadb_verify_pac(krb5_context context, /* TODO: Here is where we need to plug our PAC Filtering, later on */ srv_key = krbtgt_key; + + kerr = krb5_pac_get_buffer(context, old_pac, KRB5_PAC_LOGON_INFO, &data); + if (kerr != 0) { + goto done; + } + + kerr = filter_pac(context, &data, &filtered_data); + if (kerr != 0) { + goto done; + } } else { /* krbtgt from our own realm */ priv_key = krbtgt_key; @@ -613,6 +1050,20 @@ static krb5_error_code ipadb_verify_pac(krb5_context context, buffer_types[i] == KRB5_PAC_PRIVSVR_CHECKSUM) { continue; } + + if (buffer_types[i] == KRB5_PAC_LOGON_INFO && + filtered_data.length != 0) { + kerr = krb5_pac_add_buffer(context, new_pac, + buffer_types[i], &filtered_data); + krb5_free_data_contents(context, &filtered_data); + if (kerr) { + krb5_pac_free(context, new_pac); + goto done; + } + + continue; + } + kerr = krb5_pac_get_buffer(context, old_pac, buffer_types[i], &data); if (kerr == 0) { -- 1.7.10.2 From sbose at redhat.com Tue Jun 26 08:29:00 2012 
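Review bot: map_groups leaks one LDAPMessage per SID: `results` filled by ipadb_deref_search is only released by the single `ldap_msgfree(results)` at `done`, but the loop overwrites it on the next iteration, including through the `continue` taken when ldap_first_entry returns NULL. Free and reset it at the top of each iteration, as the code already does for `filter` and `deref_results` (`ldap_msgfree(results); results = NULL;`). In the `switch (ret)` of the same loop the `default:` case jumps to `done` with `kerr` still 0 from the successful search, so an unexpected ipadb_ldap_deref_results error returns success with `*_ipa_group_sids_count` and `*_ipa_group_sids` never assigned; set kerr to an error before the goto. Minor: "shoould" in the log message.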
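Review bot: In the cross-realm branch of ipadb_verify_pac (hunk @@ -584) the `data` returned by `krb5_pac_get_buffer(context, old_pac, KRB5_PAC_LOGON_INFO, &data)` is never released after filter_pac has copied it into `filtered_data`; krb5_pac_get_buffer allocates the buffer contents for the caller, so add `krb5_free_data_contents(context, &data)` after the filter_pac call, on both the success and the failure path. Related, in hunk @@ -613 `filtered_data` is only freed inside the buffer copy loop when the KRB5_PAC_LOGON_INFO entry is reached; any `goto done` between filter_pac and that point leaks it. Freeing `filtered_data` once at `done` (it is memset to zero beforehand, so that is always safe) would cover both cases.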
From: sbose at redhat.com (Sumit Bose)
Date: Tue, 26 Jun 2012 10:29:00 +0200
Subject: [Freeipa-devel] [PATCH] Fix typo
Message-ID: <20120626082900.GB29454@localhost.localdomain>

Hi,

this patch fixes a small typo and silences a compiler warning. I think it is right to use authdata instead of &authdata here, but I have to admit that I cannot say why we have not seen any issues before.

bye,
Sumit

-------------- next part --------------
From 94ee2395539bad666f0ffea4ccb688d4a5330582 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Tue, 26 Jun 2012 09:58:01 +0200
Subject: [PATCH] Fix typo

---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 2 +-
 1 Datei geändert, 1 Zeile hinzugefügt(+), 1 Zeile entfernt(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index f640b545a636a2c58e3eb31951de142e5b0ffbe2..1c7487c3c8f75d02466a2e0746fbef5d36e3d995 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -1267,7 +1267,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context, kerr = krb5_encode_authdata_container(context, KRB5_AUTHDATA_IF_RELEVANT, - &authdata, + authdata, signed_auth_data); if (kerr != 0) { goto done;
-- 
1.7.10.2

From sbose at redhat.com Tue Jun 26 10:30:14 2012
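Review bot: The commit message should record why `authdata` is the correct argument instead of just calling it a typo: krb5_encode_authdata_container takes the authdata list as a `krb5_authdata *const *`, i.e. the `krb5_authdata **` array itself, so `&authdata` added one level of indirection too many, which is exactly what the compiler warning (an incompatible pointer type) was reporting. Stating that in the message makes the change reviewable without re-deriving the prototype, and it explains why the warning and the "typo" are the same defect.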
From: sbose at redhat.com (Sumit Bose)
Date: Tue, 26 Jun 2012 12:30:14 +0200
Subject: [Freeipa-devel] [PATCHES] 22-24 Add initial support for ID ranges
In-Reply-To: <20120617194720.GB29454@localhost.localdomain>
References: <20120613191726.GI20850@localhost.localdomain> <1339634303.8230.634.camel@willson.li.ssimo.org> <20120614103538.GJ20850@localhost.localdomain> <1339674880.8230.674.camel@willson.li.ssimo.org> <20120614122501.GK20850@localhost.localdomain> <20120617194720.GB29454@localhost.localdomain>
Message-ID: <20120626103014.GC29454@localhost.localdomain>

On Sun, Jun 17, 2012 at 09:47:20PM +0200, Sumit Bose wrote:
> On Thu, Jun 14, 2012 at 02:25:01PM +0200, Sumit Bose wrote:
> > On Thu, Jun 14, 2012 at 07:54:40AM -0400, Simo Sorce wrote:
> > > On Thu, 2012-06-14 at 12:35 +0200, Sumit Bose wrote:
> > > > On Wed, Jun 13, 2012 at 08:38:23PM -0400, Simo Sorce wrote:
> > > > > On Wed, 2012-06-13 at 21:17 +0200, Sumit Bose wrote:
> > > > > >
> > > > > > to keep track of the different ranges we use for UIDs/GIDs for local
> > > > > > users/groups and users from trusted domains new range objects are
> > > > > > introduced which are stored below cn=range,cn=etc,$SUFFIX.
> > > > > >
> > > > > > 0022: LDAP schema update
> > > > >
> > > > > ack
> > > > >
> > > > > > 0023: Create a range object during installation for the local ID range
> > > > >
> > > > > nack, I think we need to find a way to handle adding at least the base
> > > > > range on update. Otherwise an updated server won't be able to have IDs
> > > > > for most of its users.
> > > >
> > > > I fully agree, but since we said that we concentrate on update issues in
> > > > beta2 I wanted to send the version for the fresh install first to allow
> > > > testing.
> > >
> > > The reason I'd like updates is that this patchset can be installed on
> > > top of existing servers for testing w/o having to reinstall from scratch
> > > or manually creating the ipaDomainIDRange object :):)
> >
> > ok, will do.
> >
> > Do you otherwise agree with the patches or is there something I should
> > change while adding the updates?
> >
> > bye,
> > Sumit
> >
> > > > > >
> > > > > > 0024: add primary and secondary RID base to the local range object
> > > > > > during ipa-adtrust-install
> > > > >
> > > > > Not sure if setting the range belongs in the previous patch or this one.
> > > >
> > > > I think it is right here, because a plain IPA server does not need the
> > > > RID related attributes.
> > > >
> > > > > We might decide to ask questions during ipa-adtrust-install if the range
> > > > > is not available, maybe presenting a set of pre-canned choices if we can
> > > > > detect them.
> > > >
> > > > I agree here, too. But as above I would like to handle update issues
> > > > in a second round.
> > > >
> > > > >
> > > > > Finally I think we need to do a search with uid/gidNumber < base and
> > > > > uid/gidNumber > max and prompt/warn the user if we detect any ID that
> > > > > falls outside the configured range (either because we failed to detect
> > > > > ranges on upgrade and the user botched the question or because the admin
> > > > > added arbitrary IDs).
> > > > > If a warning we should warn that missing a range that suitably covers
> > > > > these IDs, those users/groups will not be available for the trust.
> > > > >
> > > > > Maybe we should also have a simple ipa command that can list all
> > > > > users/groups that fall outside the ranges as well.
> > > >
> > > > I'm working on the ranges cli plugin to allow 'ipa range-add', 'ipa
> > > > range-find' etc. I can add it there.
> > >
>
> Hi,
>
> this new series of patches adds the cli plugin to create the ID ranges
> manually. I'm still working on a detection of the locally used id range
> of an upgrade domain in ipa-adtrust-install and a plugin which rejects
> new ranges which overlap with existing ones.
>
> bye,
> Sumit

the attached patch adds a preop plugin which checks for overlaps with existing ranges.
bye,
Sumit

-------------- next part --------------
From 36c86c5c44c1838fe36b5c0fb307f067f9b8ce5c Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Mon, 18 Jun 2012 21:25:31 +0200
Subject: [PATCH] Add range check preop plugin

To make sure that ID ranges do not overlap this plugin checks new additions and changes for conflicts with existing ranges.
---
 daemons/configure.ac | 1 +
 daemons/ipa-slapi-plugins/Makefile.am | 1 +
 .../ipa-slapi-plugins/ipa-range-check/Makefile.am | 46 +++
 .../ipa-range-check/ipa_range_check.c | 423 ++++++++++++++++++++
 .../ipa-range-check/range-check-conf.ldif | 16 +
 freeipa.spec.in | 2 +
 ipaserver/install/dsinstance.py | 4 +
 7 Dateien geändert, 493 Zeilen hinzugefügt(+)
 create mode 100644 daemons/ipa-slapi-plugins/ipa-range-check/Makefile.am
 create mode 100644 daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c
 create mode 100644 daemons/ipa-slapi-plugins/ipa-range-check/range-check-conf.ldif

diff --git a/daemons/configure.ac b/daemons/configure.ac
index 76ebaa67f802e20009ef764bdbdcd09cc7937a22..b94673026a2c6b71670a67b1f629d9960d8fad31 100644
--- a/daemons/configure.ac
+++ b/daemons/configure.ac
@@ -342,6 +342,7 @@ AC_CONFIG_FILES([ ipa-slapi-plugins/ipa-uuid/Makefile ipa-slapi-plugins/ipa-modrdn/Makefile ipa-slapi-plugins/ipa-sidgen/Makefile + ipa-slapi-plugins/ipa-range-check/Makefile ]) AC_OUTPUT
diff --git a/daemons/ipa-slapi-plugins/Makefile.am b/daemons/ipa-slapi-plugins/Makefile.am
index 5a3c9e7034020b4f80815e865c2ed0de419264c9..c79e68db112c9d21bcbffba3d00442d2fd20ab3a 100644
--- a/daemons/ipa-slapi-plugins/Makefile.am
+++ b/daemons/ipa-slapi-plugins/Makefile.am
@@ -11,6 +11,7 @@ SUBDIRS = \ ipa-version \ ipa-winsync \ ipa-sidgen \ + ipa-range-check \ $(NULL) EXTRA_DIST = \
diff --git a/daemons/ipa-slapi-plugins/ipa-range-check/Makefile.am b/daemons/ipa-slapi-plugins/ipa-range-check/Makefile.am
new file mode 100644
index 0000000000000000000000000000000000000000..f284b42ff339bc97463260749d948f9aff9f54a4
--- /dev/null
+++ b/daemons/ipa-slapi-plugins/ipa-range-check/Makefile.am @@ -0,0 +1,46 @@ +NULL = + +PLUGIN_COMMON_DIR=../common + +INCLUDES = \ + -I. \ + -I$(srcdir) \ + -I$(PLUGIN_COMMON_DIR) \ + -I/usr/include/dirsrv \ + -DPREFIX=\""$(prefix)"\" \ + -DBINDIR=\""$(bindir)"\" \ + -DLIBDIR=\""$(libdir)"\" \ + -DLIBEXECDIR=\""$(libexecdir)"\" \ + -DDATADIR=\""$(datadir)"\" \ + $(AM_CFLAGS) \ + $(LDAP_CFLAGS) \ + $(WARN_CFLAGS) \ + $(NULL) + +plugindir = $(libdir)/dirsrv/plugins +plugin_LTLIBRARIES = \ + libipa_range_check.la \ + $(NULL) + +libipa_range_check_la_SOURCES = \ + ipa_range_check.c \ + $(NULL) + +libipa_range_check_la_LDFLAGS = -avoid-version + +libipa_range_check_la_LIBADD = \ + $(LDAP_LIBS) \ + $(NULL) + +appdir = $(IPA_DATA_DIR) +app_DATA = \ + range-check-conf.ldif \ + $(NULL) + +EXTRA_DIST = \ + $(app_DATA) \ + $(NULL) + +MAINTAINERCLEANFILES = \ + *~ \ + Makefile.in diff --git a/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c b/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c new file mode 100644 index 0000000000000000000000000000000000000000..c3235b9b8300b41cf3c6fff2ba9625c02063cd42 --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c 
@@ -0,0 +1,423 @@ +/** BEGIN COPYRIGHT BLOCK + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + * + * Additional permission under GPLv3 section 7: + * + * In the following paragraph, "GPL" means the GNU General Public + * License, version 3 or any later version, and "Non-GPL Code" means + * code that is governed neither by the GPL nor a license + * compatible with the GPL. + * + * You may link the code of this Program with Non-GPL Code and convey + * linked combinations including the two, provided that such Non-GPL + * Code only links to the code of this Program through those well + * defined interfaces identified in the file named EXCEPTION found in + * the source code files (the "Approved Interfaces"). The files of + * Non-GPL Code may instantiate templates or use macros or inline + * functions from the Approved Interfaces without causing the resulting + * work to be covered by the GPL. Only the copyright holders of this + * Program may make changes or additions to the list of Approved + * Interfaces. + * + * Authors: + * Sumit Bose + * + * Copyright (C) 2011 Red Hat, Inc. + * All rights reserved. 
+ * END COPYRIGHT BLOCK **/ + +#include +#include +#include +#include + +#include "util.h" + +#define IPA_BASE_ID "ipaBaseID" +#define IPA_ID_RANGE_SIZE "ipaIDRangeSize" +#define IPA_BASE_RID "ipaBaseRID" +#define IPA_SECONDARY_BASE_RID "ipaSecondaryBaseRID" +#define RANGES_FILTER "objectclass=ipaIDRange" + +#define IPA_PLUGIN_NAME "ipa-range-check" +#define IPA_RANGE_CHECK_FEATURE_DESC "IPA ID range check plugin" +#define IPA_RANGE_CHECK_PLUGIN_DESC "Check if newly added or modified " \ + "ID ranges do not overlap with existing ones" + +Slapi_PluginDesc ipa_range_check_plugin_desc = { + IPA_RANGE_CHECK_FEATURE_DESC, + "FreeIPA project", + "FreeIPA/1.0", + IPA_RANGE_CHECK_PLUGIN_DESC +}; + +struct ipa_range_check_ctx { + Slapi_ComponentId *plugin_id; + const char *base_dn; +}; + +struct range_info { + uint32_t base_id; + uint32_t id_range_size; + uint32_t base_rid; + uint32_t secondary_base_rid; +}; + +static int slapi_entry_to_range_info(struct slapi_entry *entry, + struct range_info **_range) +{ + int ret; + unsigned long ul_val; + struct range_info *range = NULL; + + range = calloc(1, sizeof(struct range_info)); + if (range == NULL) { + return ENOMEM; + } + + ul_val = slapi_entry_attr_get_ulong(entry, IPA_BASE_ID); + if (ul_val == 0 || ul_val >= UINT32_MAX) { + ret = ERANGE; + goto done; + } + range->base_id = ul_val; + + ul_val = slapi_entry_attr_get_ulong(entry, IPA_ID_RANGE_SIZE); + if (ul_val == 0 || ul_val >= UINT32_MAX) { + ret = ERANGE; + goto done; + } + range->id_range_size = ul_val; + + ul_val = slapi_entry_attr_get_ulong(entry, IPA_BASE_RID); + if (ul_val >= UINT32_MAX) { + ret = ERANGE; + goto done; + } + range->base_rid = ul_val; + + ul_val = slapi_entry_attr_get_ulong(entry, IPA_SECONDARY_BASE_RID); + if (ul_val >= UINT32_MAX) { + ret = ERANGE; + goto done; + } + range->secondary_base_rid = ul_val; + + *_range = range; + ret = 0; + +done: + if (ret != 0) { + free(range); + } + + return ret; +} + +#define IN_RANGE(x,base,size) ( (x) >= (base) && 
((x) - (base)) < (size) ) +static bool ranges_overlap(struct range_info *r1, struct range_info *r2) +{ + if (IN_RANGE(r1->base_id, r2->base_id, r2->id_range_size) || + IN_RANGE((r1->base_id + r1->id_range_size - 1), r2->base_id, r2->id_range_size) || + IN_RANGE(r2->base_id, r1->base_id, r1->id_range_size) || + IN_RANGE((r2->base_id + r2->id_range_size - 1), r1->base_id, r1->id_range_size)) { + return true; + } + + return false; +} + +static int ipa_range_check_start(Slapi_PBlock *pb) +{ + return 0; +} + +static int ipa_range_check_close(Slapi_PBlock *pb) +{ + return 0; +} + +static int ipa_range_check_pre_op(Slapi_PBlock *pb, int modtype) +{ + int ret; + int is_repl_op; + struct slapi_entry *entry = NULL; + struct range_info *new_range = NULL; + struct range_info *old_range = NULL; + const char *dn_str; + Slapi_DN *dn = NULL; + struct ipa_range_check_ctx *ctx; + LDAPMod **mods = NULL; + Slapi_PBlock *search_pb = NULL; + int search_result; + Slapi_Entry **search_entries = NULL; + size_t c; + bool overlap = true; + const char *check_attr; + char *errmsg = NULL; + + ret = slapi_pblock_get(pb, SLAPI_IS_REPLICATED_OPERATION, &is_repl_op); + if (ret != 0) { + LOG_FATAL("slapi_pblock_get failed!?\n"); + return LDAP_OPERATIONS_ERROR; + } + + if (is_repl_op) { + LOG("Is replicated operation, nothing to do.\n"); + return LDAP_SUCCESS; + } + + ret = slapi_pblock_get(pb, SLAPI_PLUGIN_PRIVATE, &ctx); + if (ret != 0) { + LOG_FATAL("Missing private plugin context.\n"); + goto done; + } + + ret = slapi_pblock_get(pb, SLAPI_TARGET_DN, &dn_str); + if (ret != 0) { + LOG_FATAL("Missing target DN.\n"); + goto done; + } + + dn = slapi_sdn_new_dn_byref(dn_str); + if (dn == NULL) { + LOG_FATAL("Failed to convert target DN.\n"); + ret = LDAP_OPERATIONS_ERROR; + goto done; + } + + + switch (modtype) { + case LDAP_CHANGETYPE_ADD: + ret = slapi_pblock_get(pb, SLAPI_ADD_ENTRY, &entry); + if (ret != 0) { + LOG_FATAL("Missing entry to add.\n"); + goto done; + } + + /* Check if this is a range 
object */ + check_attr = slapi_entry_attr_get_charptr(entry, IPA_BASE_ID); + if (check_attr == NULL) { + LOG("Not an ID range object, nothing to do.\n"); + ret = 0; + goto done; + } + + break; + case LDAP_CHANGETYPE_MODIFY: + ret = slapi_search_internal_get_entry(dn, NULL, &entry, + ctx->plugin_id); + if (ret != 0 || entry == NULL) { + LOG_FATAL("Missing entry to modify.\n"); + ret = LDAP_NO_SUCH_OBJECT; + goto done; + } + + /* Check if this is a range object */ + check_attr = slapi_entry_attr_get_charptr(entry, IPA_BASE_ID); + if (check_attr == NULL) { + LOG("Not an ID range object, nothing to do.\n"); + ret = 0; + goto done; + } + + ret = slapi_pblock_get(pb, SLAPI_MODIFY_MODS, &mods); + if (ret != 0) { + LOG_FATAL("Missing modify values.\n"); + goto done; + } + + ret = slapi_entry_apply_mods(entry, mods); + if (ret != 0) { + LOG_FATAL("Failed to apply modifications.\n"); + goto done; + } + + break; + default: + ret = LDAP_OPERATIONS_ERROR; + LOG_FATAL("Unsupported LDAP operation.\n"); + goto done; + } + + ret = slapi_entry_to_range_info(entry, &new_range); + if (ret != 0) { + LOG_FATAL("Failed to convert LDAP entry to range struct.\n"); + goto done; + } + + search_pb = slapi_pblock_new(); + if (search_pb == NULL) { + LOG_FATAL("Failed to create new pblock.\n"); + ret = LDAP_OPERATIONS_ERROR; + goto done; + } + + slapi_search_internal_set_pb(search_pb, ctx->base_dn, + LDAP_SCOPE_SUBTREE, RANGES_FILTER, + NULL, 0, NULL, NULL, ctx->plugin_id, 0); + + ret = slapi_search_internal_pb(search_pb); + if (ret != 0) { + LOG_FATAL("Starting internal search failed.\n"); + goto done; + } + + ret = slapi_pblock_get(search_pb, SLAPI_PLUGIN_INTOP_RESULT, &search_result); + if (ret != 0 || search_result != LDAP_SUCCESS) { + LOG_FATAL("Internal search failed.\n"); + ret = LDAP_OPERATIONS_ERROR; + goto done; + } + + ret = slapi_pblock_get(search_pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, + &search_entries); + if (ret != 0) { + LOG_FATAL("Failed to read searched entries.\n"); + goto 
done; + } + + if (search_entries == NULL || search_entries[0] == NULL) { + LOG("No existing entries.\n"); + ret = 0; + goto done; + } + + for (c = 0; search_entries[c] != NULL; c++) { + ret = slapi_entry_to_range_info(search_entries[c], &old_range); + if (ret != 0) { + LOG_FATAL("Failed to convert LDAP entry to range struct.\n"); + goto done; + } + + overlap = ranges_overlap(old_range, new_range); + free(old_range); + old_range = NULL; + if (overlap) { + LOG_FATAL("New range overlaps with existing one.\n"); + ret = LDAP_CONSTRAINT_VIOLATION; + errmsg = "New range overlaps with existing one."; + goto done; + } + } + LOG("No overlaps found.\n"); + + ret = 0; + +done: + slapi_free_search_results_internal(search_pb); + slapi_pblock_destroy(search_pb); + slapi_sdn_free(&dn); + free(old_range); + free(new_range); + + if (ret != 0) { + if (errmsg == NULL) { + errmsg = "Range Check error"; + } + slapi_send_ldap_result(pb, ret, NULL, errmsg, 0, NULL); + } + + return ret; +} + +static int ipa_range_check_mod_pre_op(Slapi_PBlock * pb) +{ + return ipa_range_check_pre_op(pb, LDAP_CHANGETYPE_MODIFY); +} + +static int ipa_range_check_add_pre_op(Slapi_PBlock *pb) +{ + return ipa_range_check_pre_op(pb, LDAP_CHANGETYPE_ADD); +} + +static int ipa_range_check_init_ctx(Slapi_PBlock *pb, + struct ipa_range_check_ctx **_ctx) +{ + struct ipa_range_check_ctx *ctx; + Slapi_Entry *entry; + int ret; + + ctx = calloc(1, sizeof(struct ipa_range_check_ctx)); + if (ctx == NULL) { + return LDAP_OPERATIONS_ERROR; + } + + ret = slapi_pblock_get(pb, SLAPI_PLUGIN_IDENTITY, &ctx->plugin_id); + if ((ret != 0) || (ctx->plugin_id == NULL)) { + LOG_FATAL("Could not get identity or identity was NULL\n"); + if (ret == 0) { + ret = -1; + } + goto done; + } + + slapi_pblock_get(pb, SLAPI_PLUGIN_CONFIG_ENTRY, &entry); + if (entry == NULL) { + LOG_FATAL("Plugin configuration not found!\n"); + ret = EINVAL; + goto done; + } + + ctx->base_dn = slapi_entry_attr_get_charptr(entry, "nsslapd-basedn"); + if 
(ctx->base_dn == NULL) { + LOG_FATAL("Base DN not found in plugin configuration!\n"); + ret = EINVAL; + goto done; + } + + ret = 0; + +done: + if (ret != 0) { + free(ctx); + } else { + *_ctx = ctx; + } + + return ret; +} + +int ipa_range_check_init(Slapi_PBlock *pb) +{ + int ret; + struct ipa_range_check_ctx *rc_ctx; + + ret = ipa_range_check_init_ctx(pb, &rc_ctx); + if (ret != 0) { + LOG_FATAL("Failed ot initialize range check plugin.\n"); + /* do not cause DS to stop, simply do nothing */ + return 0; + } + + ret = 0; + if (slapi_pblock_set(pb, SLAPI_PLUGIN_VERSION, + SLAPI_PLUGIN_VERSION_01) != 0 || + slapi_pblock_set(pb, SLAPI_PLUGIN_START_FN, + (void *) ipa_range_check_start) != 0 || + slapi_pblock_set(pb, SLAPI_PLUGIN_CLOSE_FN, + (void *) ipa_range_check_close) != 0 || + slapi_pblock_set(pb, SLAPI_PLUGIN_DESCRIPTION, + (void *) &ipa_range_check_plugin_desc) != 0 || + slapi_pblock_set(pb, SLAPI_PLUGIN_PRE_MODIFY_FN, + (void *) ipa_range_check_mod_pre_op) != 0 || + slapi_pblock_set(pb, SLAPI_PLUGIN_PRE_ADD_FN, + (void *) ipa_range_check_add_pre_op) != 0 || + slapi_pblock_set(pb, SLAPI_PLUGIN_PRIVATE, rc_ctx) != 0) { + LOG_FATAL("failed to register plugin\n"); + ret = EFAIL; + } + + return ret; +} diff --git a/daemons/ipa-slapi-plugins/ipa-range-check/range-check-conf.ldif b/daemons/ipa-slapi-plugins/ipa-range-check/range-check-conf.ldif new file mode 100644 index 0000000000000000000000000000000000000000..6452304f4324a37c8b2b72c95ac623743c7d00b3 --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-range-check/range-check-conf.ldif 
@@ -0,0 +1,16 @@ +dn: cn=IPA Range-Check,cn=plugins,cn=config +changetype: add +objectclass: top +objectclass: nsSlapdPlugin +objectclass: extensibleObject +cn: IPA Range-Check +nsslapd-pluginpath: libipa_range_check +nsslapd-plugininitfunc: ipa_range_check_init +nsslapd-plugintype: preoperation +nsslapd-pluginenabled: on +nsslapd-pluginid: ipa_range_check_version +nsslapd-pluginversion: 1.0 +nsslapd-pluginvendor: Red Hat, Inc. +nsslapd-plugindescription: IPA Range-Check plugin +nsslapd-plugin-depends-on-type: database +nsslapd-basedn: $SUFFIX diff --git a/freeipa.spec.in b/freeipa.spec.in index 398d17ceac230b06163ad26d54f1fccd91dcef6e..8d55108ae9e0d99d78da354bb96c605cb1802a76 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -360,6 +360,7 @@ rm %{buildroot}/%{plugin_dir}/libipa_cldap.la rm %{buildroot}/%{plugin_dir}/libipa_extdom_extop.la rm %{buildroot}/%{plugin_dir}/libipa_sidgen.la rm %{buildroot}/%{plugin_dir}/libipa_sidgen_task.la +rm %{buildroot}/%{plugin_dir}/libipa_range_check.la rm %{buildroot}/%{_libdir}/krb5/plugins/kdb/ipadb.la rm %{buildroot}/%{_libdir}/samba/pdb/ipasam.la @@ -636,6 +637,7 @@ fi %attr(755,root,root) %{plugin_dir}/libipa_modrdn.so %attr(755,root,root) %{plugin_dir}/libipa_lockout.so %attr(755,root,root) %{plugin_dir}/libipa_cldap.so +%attr(755,root,root) %{plugin_dir}/libipa_range_check.so %dir %{_localstatedir}/lib/ipa %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysupgrade diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 93c6b50c274506949d1cdb81ad952141de10dab1..d74ee8987a3387b78ec7203c9b8c70059b35a812 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py 
@@ -240,6 +240,7 @@ class DsInstance(service.Service): self.step("configuring netgroups from hostgroups", self.__host_nis_groups) self.step("creating default Sudo bind user", self.__add_sudo_binduser) self.step("creating default Auto Member layout", self.__add_automember_config) + self.step("adding range check plugin", self.__add_range_check_plugin) if hbac_allow: self.step("creating default HBAC rule allow_all", self.add_hbac) @@ -788,6 +789,9 @@ class DsInstance(service.Service): def __add_replica_automember_config(self): self._ldap_mod("replica-automember.ldif", self.sub_dict) + def __add_range_check_plugin(self): + self._ldap_mod("range-check-conf.ldif", self.sub_dict) + def replica_populate(self): self.ldap_connect() -- 1.7.10.2 From mkosek at redhat.com Tue Jun 26 10:34:55 2012 
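Review bot: in ipa_range_check_pre_op, the LDAP_CHANGETYPE_MODIFY path compares the entry with mods applied against every entry matched by RANGES_FILTER under ctx->base_dn, and that result set still contains the stored, unmodified copy of the very entry being changed, so a modify that leaves the range where it is (or only changes a description, or grows or shrinks it in place) overlaps with its own old values and is rejected with LDAP_CONSTRAINT_VIOLATION; skip the search entry whose DN equals the target `dn` (for instance `if (slapi_sdn_compare(dn, slapi_entry_get_sdn(search_entries[c])) == 0) continue;`) before calling ranges_overlap. In the same hunk, ranges_overlap evaluates `r1->base_id + r1->id_range_size - 1` in uint32_t while slapi_entry_to_range_info only checks each value on its own against UINT32_MAX, so a base and size whose sum exceeds 2^32 wrap to a small end value and the overlap test silently passes; reject `base_id + id_range_size > UINT32_MAX` (computed in 64 bits) when the struct is filled. The done: label hands `ret` straight to slapi_send_ldap_result, but `ret` can hold errno values (ENOMEM and ERANGE from slapi_entry_to_range_info) or the raw return of slapi_pblock_get rather than LDAP result codes, so map those to LDAP_OPERATIONS_ERROR before sending the result. Two leaks: the entry returned by slapi_search_internal_get_entry in the MODIFY case is never passed to slapi_entry_free (the ADD case's entry belongs to the pblock and must not be freed, so the code needs to remember which case allocated it), and the string returned by slapi_entry_attr_get_charptr into check_attr is never freed. Finally, ipa_range_check_init returns 0 without registering any callback when ipa_range_check_init_ctx fails, so a misconfigured plugin fails open and overlapping ranges are accepted with nothing but a log line; if that is the intended trade-off, the LOG_FATAL message (which also reads "Failed ot initialize") should state explicitly that range checking is disabled so operators notice.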
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 26 Jun 2012 12:34:55 +0200 Subject: [Freeipa-devel] [PATCH] 160,161 Trust Web UI In-Reply-To: <4FE8903B.7070109@redhat.com> References: <4FE472E0.6060903@redhat.com> <20120622164842.GD28689@redhat.com> <4FE50373.6020607@redhat.com> <4FE840B7.1010108@redhat.com> <1340627916.32038.445.camel@willson.li.ssimo.org> <20120625135045.GD5935@redhat.com> <20120625143730.GE5935@redhat.com> <4FE87B13.4000806@redhat.com> <4FE884B2.7010101@redhat.com> <4FE88AC3.4060109@redhat.com> <20120625161805.GG5935@redhat.com> <4FE8903B.7070109@redhat.com> Message-ID: <4FE9904F.7030502@redhat.com> On 06/25/2012 06:22 PM, Martin Kosek wrote: > On 06/25/2012 06:18 PM, Alexander Bokovoy wrote: >> On Mon, 25 Jun 2012, Endi Sukma Dewata wrote: >>> On 6/25/2012 10:33 AM, Petr Vobornik wrote: >>>> On 06/25/2012 04:52 PM, Petr Vobornik wrote: >>>>> On 06/25/2012 04:37 PM, Alexander Bokovoy wrote: >>>>>> On Mon, 25 Jun 2012, Alexander Bokovoy wrote: >>>>>>> On Mon, 25 Jun 2012, Simo Sorce wrote: >>>>>>>> On Mon, 2012-06-25 at 12:43 +0200, Petr Vobornik wrote: >>>>>>>>> On 06/23/2012 01:44 AM, Endi Sukma Dewata wrote: >>>>>>>>>> On 6/22/2012 11:48 AM, Alexander Bokovoy wrote: >>>>>>>>>>> 2. First two chunks of >>>>>>>>>>> install/ui/test/data/ipa_init_commands.json >>>>>>>>>>> and >>>>>>>>>>> install/ui/test/data/ipa_init_objects.json changes look >>>>>>>>>>> unrelated to >>>>>>>>>>> this ticket. >>>>>>>>>> >>>>>>>>>> These files are snapshots of metadata used for demo/testing. I >>>>>>>>>> suppose >>>>>>>>>> Petr was updating the entire files which automatically includes >>>>>>>>>> recent >>>>>>>>>> changes to the metadata. >>>>>>>>>> >>>>>>>>>>> ACK >>>>>>>>>> >>>>>>>>>> Ditto. The UI code looks fine so it can be pushed. Btw, nice >>>>>>>>>> use of >>>>>>>>>> layout class. >>>>>>>>>> >>>>>>>>>> Some comments: >>>>>>>>>> >>>>>>>>>> 1. The CLI command to add trust is trust-add-ad. Should the UI >>>>>>>>>> button >>>>>>>>>> also say "Add AD"? 
If we later support additional trust types >>>>>>>>>> would >>>>>>>>>> that >>>>>>>>>> appear as separate buttons/dialogs or same button/dialog with >>>>>>>>>> maybe >>>>>>>>>> drop-down list to select the type? >>>>>>>>> "Add AD" label seems weird to me. Now we support only one type of >>>>>>>>> trust. >>>>>>>>> We should keep the 'Add'. >>>>>>>> >>>>>>>> I have to say I also find the trust-add-ad command really weird, >>>>>>>> difficult to use and to spell vocally and to remember. >>>>>>>> >>>>>>>> Alexander can we change it to trust-add --type=ad >>>>>>>> where we can omit --type=ad for now as it is the only one, later >>>>>>>> on we >>>>>>>> can decide what to default to when --type is omitted. >>>>>>> Patch attached (not tested). >>>>>> Attached is tested patch. >>> >>> ACK abbra-53 & abbra-54. One thing though, the error message is not >>> very user friendly. Feel free to fix before push. >>> >>> % ipa trust-add ad.test --type=asdf >>> ipa: ERROR: invalid 'type': must be one of (u'ad',) >>> >>> The ValidationError specifies this message 'only "ad" is supported' >>> but it doesn't appear in the error message above. >> The message above comes from StrEnum() validator which is common one for >> all StrEnum()s. I made a ValidationError in execute() method to catch up >> any discrepancies when other types of trust will be added as Python >> doesn't have 'case/switch' so you are left alone with 'if' or list-based >> lambdas which don't look so clear. >> >> What we probably want to add is more friendly way to display these >> StrEnum values, dropping u'' and simply showing proper unicode as we do >> for help already. >> >> Endi, could you please file a minor bug for it? 
>> > > Since this will be filed in a separate bug, I went ahead and pushed all > 3 acked patches in this thread to master: > 2012-06-13 17:44 Petr Vobornik o Trust Web UI > 2012-06-25 16:41 Alexander Bokovoy o Rename 'ipa trust-add-ad' to 'ipa > trust-add --type=ad' > 2012-06-22 19:33 Alexander Bokovoy o Use correct SID attribute for > trusted domains > > Martin We just found out that patch 160 got lost and was not pushed. Fixed - pushed patch 160 to master. Martin From pvoborni at redhat.com Tue Jun 26 11:47:20 2012 
From: pvoborni at redhat.com (Petr Vobornik) Date: Tue, 26 Jun 2012 13:47:20 +0200 Subject: [Freeipa-devel] [PATCH] 159 Action panel for certificates In-Reply-To: <4FE87F3C.3010603@redhat.com> References: <4FD73A99.9020300@redhat.com> <4FE87F3C.3010603@redhat.com> Message-ID: <4FE9A148.6050601@redhat.com> Updated patch attached. On 06/25/2012 05:09 PM, Endi Sukma Dewata wrote: > On 6/12/2012 7:48 AM, Petr Vobornik wrote: >> This is a continuation of effort which transforms status widgets with >> buttons executing actions to separate status widget and action panels. >> This patch strips certificate status widget of its buttons and separates >> the actions to their own objects. Appropriate modifications are taken in >> host and service details facets. >> >> New certificate loader, facet policy and evaluator are introduced to >> make actions and status widget independent. On facet load event new >> certificate facet policy loads a certificate from result. Unfortunately >> results don't contain revocation reason so it also executes additional >> cert-show command to get the revocation reason. Policy stores the >> certificate to facet. It raises the certifacet_loaded event to notify >> certificate evaluator and status widget. Status widget updates its >> state. Certificate evaluator updates state and actions get disabled or >> enabled. >> >> https://fedorahosted.org/freeipa/ticket/2250 > > I'm testing using self-signed CA. When I open the host/service details > page there's a JS error at certificate.js:928 (undefined > status_revoked), so the page seems to hang and looks blank. In the old > code the status_revoked panel will only be created if you use Dogtag CA > (the IPA.cert.is_selfsign() will return false). This check might not be > necessary anymore because you can just hide the panel. > Fixed - Now the panel is always created but it remains hidden (display:none). I also removed calling cert-show on facet load when using selfsign. 
-- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0159-1-Action-panel-for-certificates.patch Type: text/x-patch Size: 41700 bytes Desc: not available URL: From loris at lgs.com.ve Tue Jun 26 01:02:14 2012 
From: loris at lgs.com.ve (Loris Santamaria) Date: Mon, 25 Jun 2012 20:32:14 -0430 Subject: [Freeipa-devel] freeIPA as a samba backend Message-ID: <1340672533.4964.17.camel@toron.pzo.lgs.com.ve> Hi, while using freeIPA as a user database for a samba installation I found a problem in the enforcement of password policies. FreeIPA password policies are more detailed than samba's, in freeIPA one may enforce password history and the number of character classes in a password, but normally samba connects to freeIPA with the "Directory Manager" so those policies are not enforced. Reading the source of ipa_pwd_extop I see there are three possibilities when changing passwords: * Password change by the user, with full enforcement of policies * Password change by an admin, with no enforcement of policies and the new password is set as expired so the user has to change it on next logon * Password change by Directory Manager, with no enforcement of policies and the password is not set as expired. None of the aforementioned possibilities are ideal for samba, samba should connect to freeIPA with a user privileged enough to change password for all users but with fully enforced policies. What do you think about this? Would you consider adding such feature? Would you accept patches? -- Loris Santamaria linux user #70506 xmpp:loris at lgs.com.ve Links Global Services, C.A. http://www.lgs.com.ve Tel: 0286 952.06.87 Cel: 0414 095.00.10 sip:103 at lgs.com.ve ------------------------------------------------------------ "If I'd asked my customers what they wanted, they'd have said a faster horse" - Henry Ford -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 4030 bytes Desc: not available URL: From ohamada at redhat.com Tue Jun 26 14:27:07 2012 
From: ohamada at redhat.com (Ondrej Hamada) Date: Tue, 26 Jun 2012 16:27:07 +0200 Subject: [Freeipa-devel] [PATCH] 26 Fix '--random' param behaviour for host plugin In-Reply-To: <4FE87CE3.9020706@redhat.com> References: <4FDA097D.4030601@redhat.com> <4FDA4AF7.1050102@redhat.com> <1339738614.12383.5.camel@priserak> <4FE1EFA5.4090602@redhat.com> <4FE87CE3.9020706@redhat.com> Message-ID: <4FE9C6BB.4000109@redhat.com> On 06/25/2012 04:59 PM, Petr Viktorin wrote: > On 06/20/2012 05:43 PM, Ondrej Hamada wrote: >> On 06/15/2012 07:36 AM, Martin Kosek wrote: >>> On Thu, 2012-06-14 at 16:35 -0400, Rob Crittenden wrote: >>>> Ondrej Hamada wrote: >>>>> Improved options checking so that host-mod operation is not changing >>>>> password for enrolled host when '--random' option is used. >>>>> >>>>> https://fedorahosted.org/freeipa/ticket/2799 >>>>> >>>>> Updated set of characters that is used for generating random >>>>> passwords >>>>> for ipa hosts. Following characters were removed from the set: >>>>> '"`\$<> >>>>> >>>>> https://fedorahosted.org/freeipa/ticket/2800 >>>> This works ok but it would be nice to have a test for both setting a >>>> password and random on an enrolled host to prevent regressions. We >>>> have >>>> some ipa-getkeytab tests already and these can be extended to test >>>> this >>>> I think. >>>> >>>> Might be nice to mention in the inline comment the set of characters >>>> excluded and why. >>>> >>>> rob >>>> >> I've added new test class into test_host_plugin.py that takes care of >> that. Just there is a problem that the ipa-join command always fails on >> 'adding key into keytab'. But the attributes necessary for testing are >> set correctly, so the testing can continue. >>> We already generate passwords for users with this character set: >>> user_pwdchars = string.digits + string.ascii_letters + '_,. at +-=' >>> >>> Why would we want to generate passwords for host enrolling with a >>> different set? 
Additionally, I think the set of characters you chose is >>> too wide, try entering a passwords with ' ', !, (, ), &, or ; without >>> careful escaping or quoting... >>> >>> Martin >>> >> Ok, I've used the same set of characters as for the user passwords. > > Should this set just be used for generated passwords by default? > Possibly with slightly longer passwords so they aren't suddenly weaker. I prefer to generate strong passwords by default and if anyone needs easier one, then he must adjust it. Especially in this case when we use one generator in different places. > > > > Anyway, the patch works great here. I just have a few style issues: > >> >> freeipa-ohamada-26-2-Change-random-passwords-behaviour.patch >> >> >> From bc19f44023643ff726e6e36634fbcbcbd0859583 Mon Sep 17 00:00:00 2001 >> From: Ondrej Hamada >> Date: Mon, 18 Jun 2012 15:25:05 +0200 >> Subject: [PATCH] Change random passwords behaviour >> >> Improved options checking so that host-mod operation is not changing >> password for enrolled host when '--random' option is used. >> >> Unit tests added. >> >> https://fedorahosted.org/freeipa/ticket/2799 >> >> Updated set of characters that is used for generating random passwords >> for ipa hosts. All characters that might need escaping were removed. >> >> https://fedorahosted.org/freeipa/ticket/2800 >> --- >> ipalib/plugins/host.py | 11 ++++- >> tests/test_xmlrpc/test_host_plugin.py | 75 >> ++++++++++++++++++++++++++++++++- >> 2 files changed, 82 insertions(+), 4 deletions(-) >> >> diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py >> index >> 96b73cc5594335ad02dd43f87e7e011ab84157a1..9680d7c024ea8976f92a71bf576d6712c44a2bcf >> 100644 >> --- a/ipalib/plugins/host.py >> +++ b/ipalib/plugins/host.py >> @@ -24,6 +24,7 @@ import sys >> from nss.error import NSPRError >> import nss.nss as nss >> import netaddr >> +import string >> >> from ipalib import api, errors, util >> from ipalib import Str, Flag, Bytes 
>> @@ -99,6 +100,10 @@ EXAMPLES: >> ipa host-add-managedby --hosts=test2 test >> """) >> >> +# Characters to be used by random password generator >> +# The set was chosen to avoid the need for escaping the characters >> by user >> +host_pwd_chars=string.digits + string.ascii_letters + '_,. at +-=' >> + >> def remove_fwd_ptr(ipaddr, host, domain, recordtype): >> api.log.debug('deleting ipaddr %s' % ipaddr) >> try: >> @@ -404,7 +409,7 @@ class host_add(LDAPCreate): >> if 'krbprincipal' in entry_attrs['objectclass']: >> entry_attrs['objectclass'].remove('krbprincipal') >> if options.get('random'): >> - entry_attrs['userpassword'] = ipa_generate_password() >> + entry_attrs['userpassword'] = >> ipa_generate_password(characters=host_pwd_chars) >> # save the password so it can be displayed in >> post_callback >> setattr(context, 'randompassword', >> entry_attrs['userpassword']) >> cert = options.get('usercertificate') >> @@ -596,7 +601,7 @@ class host_mod(LDAPUpdate): >> def pre_callback(self, ldap, dn, entry_attrs, attrs_list, >> *keys, **options): >> # Allow an existing OTP to be reset but don't allow a OTP >> to be >> # added to an enrolled host. >> - if 'userpassword' in options: >> + if options.get('userpassword') or options.get('random'): >> entry = {} >> self.obj.get_password_attributes(ldap, dn, entry) >> if not entry['has_password'] and entry['has_keytab']: >> @@ -649,7 +654,7 @@ class host_mod(LDAPUpdate): >> entry_attrs['usercertificate'] = cert >> >> if options.get('random'): >> - entry_attrs['userpassword'] = ipa_generate_password() >> + entry_attrs['userpassword'] = >> ipa_generate_password(characters=host_pwd_chars) >> setattr(context, 'randompassword', >> entry_attrs['userpassword']) >> if 'macaddress' in entry_attrs: >> if 'objectclass' in entry_attrs: >> diff --git a/tests/test_xmlrpc/test_host_plugin.py >> b/tests/test_xmlrpc/test_host_plugin.py >> index >> 8798168afa71653b64870c77d11a7fa81ec4c952..fa1f2906f556af388499eac316c4b7c05c66ad85 >> 100644 
>> --- a/tests/test_xmlrpc/test_host_plugin.py >> +++ b/tests/test_xmlrpc/test_host_plugin.py >> @@ -22,9 +22,13 @@ >> Test the `ipalib.plugins.host` module. >> """ >> >> +import os >> +import tempfile >> +from ipapython import ipautil >> from ipalib import api, errors, x509 >> from ipalib.dn import * >> -from tests.test_xmlrpc.xmlrpc_test import Declarative, fuzzy_uuid, >> fuzzy_digits >> +from tests.test_xmlrpc.xmlrpc_test import Declarative, XMLRPC_test >> +from tests.test_xmlrpc.xmlrpc_test import fuzzy_uuid, fuzzy_digits >> from tests.test_xmlrpc.xmlrpc_test import fuzzy_hash, fuzzy_date, >> fuzzy_issuer >> from tests.test_xmlrpc.xmlrpc_test import fuzzy_hex > > To avoid the repetition you can put the imported names in parentheses: > > from tests.test_xmlrpc.xmlrpc_test import (Declarative, XMLRPC_test, > fuzzy_uuid, fuzzy_digits, fuzzy_hash, fuzzy_date, fuzzy_issuer, > fuzzy_hex) > > >> from tests.test_xmlrpc import objectclasses 
>> @@ -740,3 +744,72 @@ class test_host(Declarative): >> ), >> >> ] >> + >> +class test_host_false_pwd_change(XMLRPC_test): >> + >> + fqdn1 = u'testhost1.%s' % api.env.domain >> + short1 = u'testhost1' >> + new_pass = u'pass_123' >> + >> + command = "ipa-client/ipa-join" >> + [keytabfd, keytabname] = tempfile.mkstemp() >> + os.close(keytabfd) >> + >> + # auxiliary function for checking whether the join operation has >> set >> + # correct attributes >> + def keytab_exists(self): >> + ret = api.Command['host_show'](self.fqdn1,all=True) >> + assert (ret['result']['has_keytab'] == True) >> + assert (ret['result']['has_password'] == False) > > The parentheses around assert's argument are unnecessary. > >> + def test_a_join_host(self): >> + """ >> + Create a test host and join him into IPA. >> + """ >> + try: >> + random_pass = api.Command['host_add'](self.fqdn1, >> random=True, force=True)['result']['randompassword'] >> + except: >> + # new host must be created with the random password >> + assert (False) > > I don't see why you used a try/except block here. It's not good to > hide the error that was raised. > >> + new_args = [self.command, >> + "-s", api.env.host, >> + "-h", self.fqdn1, >> + "-k", self.keytabname, >> + "-w", random_pass, >> + "-q", >> + ] >> + try: >> + # join operation may fail on 'adding key into keytab', but >> + # the keytab is not necessary for further tests >> + (out, err, rc) = ipautil.run(new_args, None) >> + self.keytab_exists() >> + except ipautil.CalledProcessError, e: >> + self.keytab_exists() >> + >> + def test_b_try_password(self): >> + """ >> + Try to change the password of enrolled host with specified >> password >> + """ >> + try: >> + api.Command['host_mod'](self.fqdn1,userpassword=self.new_pass) > > Add a space after the comma (here and below). > >> + assert (False) >> + except errors.ValidationError: >> + pass > > It's better to use nose's @raises decorator here. See for example > test_hbac_plugin.py. 
> >> + def test_c_try_random(self): >> + """ >> + Try to change the password of enrolled host with random >> password >> + """ >> + try: >> + api.Command['host_mod'](self.fqdn1,random=True) >> + assert (False) >> + except errors.ValidationError: >> + pass >> + >> + def test_d_cleanup(self): >> + """ >> + Clean up test data >> + """ >> + os.unlink(self.keytabname) >> + api.Command['host_del'](self.fqdn1) >> -- 1.7.6.5 >> >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel >> > > Thanks for the coding style hints, it looks better now. Corrected patch attached. -- Regards, Ondrej Hamada FreeIPA team jabber: ohama at jabbim.cz IRC: ohamada -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-ohamada-26-3-Change-random-passwords-behaviour.patch Type: text/x-patch Size: 6376 bytes Desc: not available URL: From dpal at redhat.com Tue Jun 26 14:35:18 2012 
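Review bot: in the host.py hunk, `host_pwd_chars` is assigned the same character set that the thread already identifies as the existing `user_pwdchars` for user passwords; keeping two independent copies of the set means a later tightening of one will silently leave the other behind, so import or share a single constant, and the assignment needs spaces around `=` to match the surrounding code style.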
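Review bot: in the test_host_plugin.py hunk, `[keytabfd, keytabname] = tempfile.mkstemp()` executes at class-definition time, so a temporary file is created every time the module is imported (including collection runs that never execute test_host_false_pwd_change) and it is only removed if test_d_cleanup runs; create the file in a setup method (or in test_a_join_host) and unlink it in a teardown so it is also removed when an earlier test fails. In test_a_join_host the `except ipautil.CalledProcessError, e:` branch discards the exception entirely, which means any ipa-join failure, not only the "adding key into keytab" case the comment describes, is masked as long as the host record looks enrolled; at minimum log `e` or assert that its output mentions the expected keytab step.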
From: dpal at redhat.com (Dmitri Pal) Date: Tue, 26 Jun 2012 10:35:18 -0400 Subject: [Freeipa-devel] freeIPA as a samba backend In-Reply-To: <1340672533.4964.17.camel@toron.pzo.lgs.com.ve> References: <1340672533.4964.17.camel@toron.pzo.lgs.com.ve> Message-ID: <4FE9C8A6.5040400@redhat.com> On 06/25/2012 09:02 PM, Loris Santamaria wrote: > Hi, > > while using freeIPA as a user database for a samba installation I found > a problem in the enforcement of password policies. FreeIPA password > policies are more detailed than samba's, in freeIPA one may enforce > password history and the number of character classes in a password, but > normally samba connects to freeIPA with the "Directory Manager" so those > policies are not enforced. > > Reading the source of ipa_pwd_extop I see there are three possibilities > when changing passwords: > > * Password change by the user, with full enforcement of policies > * Password change by an admin, with no enforcement of policies and > the new password is set as expired so the user has to change it > on next logon > * Password change by Directory Manager, with no enforcement of > policies and the password is not set as expired. > > None of the aforementioned possibilities are ideal for samba, samba > should connect to freeIPA with a user privileged enough to change > password for all users but with fully enforced policies. > > What do you think about this? Would you consider adding such feature? > Would you accept patches? > Can you please explain why samba needs to connect to IPA and change the passwords? In what role do you use samba? As a file server or as something else? I am not sure I follow why you need the password change functionality. There is a way to set up Samba FS with IPA without trying to make IPA a back end for Samba. I can try to dig up some writeups on the matter if you are interested. 
> > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Tue Jun 26 14:36:32 2012 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 26 Jun 2012 10:36:32 -0400 Subject: [Freeipa-devel] freeIPA as a samba backend In-Reply-To: <1340672533.4964.17.camel@toron.pzo.lgs.com.ve> References: <1340672533.4964.17.camel@toron.pzo.lgs.com.ve> Message-ID: <4FE9C8F0.8070000@redhat.com> Loris Santamaria wrote: > Hi, > > while using freeIPA as a user database for a samba installation I found > a problem in the enforcement of password policies. FreeIPA password > policies are more detailed than samba's, in freeIPA one may enforce > password history and the number of character classes in a password, but > normally samba connects to freeIPA with the "Directory Manager" so those > policies are not enforced. > > Reading the source of ipa_pwd_extop I see there are three possibilities > when changing passwords: > > * Password change by the user, with full enforcement of policies > * Password change by an admin, with no enforcement of policies and > the new password is set as expired so the user has to change it > on next logon > * Password change by Directory Manager, with no enforcement of > policies and the password is not set as expired. > > None of the aforementioned possibilities are ideal for samba, samba > should connect to freeIPA with a user privileged enough to change > password for all users but with fully enforced policies. > > What do you think about this? Would you consider adding such feature? > Would you accept patches? This would bump up the complexity a bit as we'd need a fourth class of password change types. This could be managed similar to the passsync_dn list. You'd need to bind to the IPA LDAP server using a special account, which is probably a better idea than DM anyway. Yes, patches are accepted. regards rob From rcritten at redhat.com Tue Jun 26 14:41:51 2012 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 26 Jun 2012 10:41:51 -0400 Subject: [Freeipa-devel] [PATCH] 1023 tool for configuring automount In-Reply-To: <4FE95E1B.6060000@redhat.com> References: <4FCE61FD.80801@redhat.com> <4FD0CC45.6080803@redhat.com> <4FE2071A.10008@redhat.com> <1340268011.12122.2.camel@balmora.brq.redhat.com> <4FE4AAEB.0@redhat.com> <4FE85886.1050305@redhat.com> <4FE8ABF0.9040203@redhat.com> <4FE8BD75.8080007@redhat.com> <4FE95E1B.6060000@redhat.com> Message-ID: <4FE9CA2F.2030708@redhat.com> Martin Kosek wrote: > On 06/25/2012 09:35 PM, Rob Crittenden wrote: >> Rob Crittenden wrote: >>> Martin Kosek wrote: >>>> On 06/22/2012 07:27 PM, Rob Crittenden wrote: >>>>> Martin Kosek wrote: >>>>>> On Wed, 2012-06-20 at 13:23 -0400, Rob Crittenden wrote: >>>>>>> Rob Crittenden wrote: >>>>>>>> Rob Crittenden wrote: >>>>>>>>> Here is a tool that can be used to configure automount in an IPA >>>>>>>>> client. >>>>>>>>> It can use either SSSD or autofs for automount. It also configures >>>>>>>>> NFSv4 >>>>>>>>> on the client so secure maps will work. >>>>>>>> >>>>>>>> rebased patch >>>>>>> >>>>>>> rebase again >>>>>>> >>>>>>> rob >>>>>> >>>>>> I finally managed to look on this patch. This is generally a good work >>>>>> and make things a lot easier, but still I found few issues: >>>> [snip] >>>>>> >>>>>> 5) Would it make sense to check if the given automount location >>>>>> exists? >>>>>> Currently there is no check for that: >>>>>> >>>>>> # ipa-configure-automount --server vm-091.idm.lab.bos.redhat.com >>>>>> --location foo >>>>>> Searching for IPA server... >>>>>> IPA server: DNS discovery >>>>>> Location: foo >>>>>> Continue to configure the system with these values? [no]: y >>>>>> Configured /etc/nsswitch.conf >>>>>> Configured /etc/sysconfig/nfs >>>>>> Configured /etc/idmapd.conf >>>>>> Started nfs-server.service >>>>>> Started nfs-secure.service >>>>>> Restarting sssd, waiting for it to become available. 
>>>>>> Started autofs.service >>>>>> >>>>>> Automount then obviously not work: >>>>> >>>>> There was even a TODO in the code for this. I went ahead and did it. I >>>>> had punted originally because it wasn't really a big deal to >>>>> unconfigure >>>>> and reconfigure with the right location. >>>> >>>> Its better, thanks. The error message could be more user-friendly and >>>> for example print all available automount location, but its not a >>>> blocking issue. >>>> >>>> We may however print other errors.ExecutionError's, e.g. I hit this when >>>> I uninstalled automount support and then installed it again too fast: >>>> >>>> # ipa-client-automount --server=vm-091.idm.lab.bos.redhat.com --location >>>> brno --no-sssdSearching for IPA server... >>>> IPA server: DNS discovery >>>> Location: brno >>>> Traceback (most recent call last): >>>> File "/sbin/ipa-client-automount", line 458, in >>>> sys.exit(main()) >>>> File "/sbin/ipa-client-automount", line 426, in main >>>> api.Command['automountlocation_show'](unicode(options.location)) >>>> File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 435, >>>> in __call__ >>>> ret = self.run(*args, **options) >>>> File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 748, >>>> in run >>>> return self.forward(*args, **options) >>>> File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 769, >>>> in forward >>>> return self.Backend.xmlclient.forward(self.name, *args, **kw) >>>> File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 531, in >>>> forward >>>> return self.forward(name, *args, **kw) >>>> File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 514, in >>>> forward >>>> raise NetworkError(uri=server, error=str(e)) >>>> ipalib.errors.NetworkError: cannot connect to >>>> 'http://vm-091.idm.lab.bos.redhat.com/ipa/xml': [Errno -8053] >>>> (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use. 
>>> >>> I don't think this was related to the speed in which you configured and >>> unconfigured though it looks like a timing issue. I wasn't able to >>> reproduce this but I did make the logging on it a little nicer if it >>> happens again. >>> >>>> >>>>>> 7) This is related to ipa-client-install, but even when I disable >>>>>> autodiscovery and add --server option it still disregards it and tries >>>>>> to search SRV records: >>>>>> >>>>>> # ipa-configure-automount --server=vm-091.idm.lab.bos.redhat.com >>>>>> >>>>>> Unable to confirm that.redhat.com is an IPA v2 >>>>>> server >>>>> >>>>> Yeah, I think a separate ticket should be opened up, I call the same >>>>> code as ipa-client-install. >>>> >>>> The issue here is that you don't pass neither server nor domain to >>>> ds.search() function. ipa-client-install use this call: >>>> >>>> ret = ds.search(domain=options.domain, server=options.server, >>>> hostname=hostname) >>>> >>>> But ipa-client-automount just calls: >>>> >>>> + ret = ds.search() >>>> >>>> You may also need to add --domain parameter just like ipa-client-install >>>> does. >>> >>> Ok, I see the problem. I'm not actually trying to do discovery, I'm just >>> seeing if it works. If we are able to autodiscover the IPA servers then >>> we configure the client to use discovery. Otherwise a server is >>> hardcoded in. >>> >>> It would do this even if a server was provided, I changed that in this >>> patch. >>> >>>> >>>>> >>>>>> >>>>>> 8) When discovery is on, we are not really verbose: >>>>>> >>>>>> # ipa-configure-automount >>>>>> Searching for IPA server... >>>>>> IPA server: DNS discovery >>>>>> Location: default >>>>>> Continue to configure the system with these values? [no]: >>>>>> >>>>>> We just write "IPA server: DNS discovery", but I would at least >>>>>> like to >>>>>> now what servers it detected so that I know it does the right thing. >>>>> >>>>> This should be better with Petr^3's patches. Is it not? Perhaps only >>>>> with --debug? 
>>>> >>>> I don't think it does this is printed in ipa-client-automount: >>>> >>>> + if not autodiscover: >>>> + print "IPA server: %s" % server >>>> + else: >>>> + print "IPA server: DNS discovery" >>>> >>> >>> I'm open to changing the message but basically it is saying whether or >>> not a fixed IPA server is going to be configured on the client for >>> autofs. >>> >>>>> >>>>>> 9) autofs via LDAP (no SSSD )is broken when autodiscovery is used. >>>>>> After >>>>>> some investigation I found this line is causing it: >>>>>> >>>>>> + if not autodiscover: >>>>>> + ldap_uri = "ldap://%s" % server >>>>>> + else: >>>>>> + ldap_uri = "ldap:///%s" % api.env.basedn<<< >>>>>> >>>>>> There should be an IPA server, not basedn. When I fixed it, autofs via >>>>>> LDAP worked. >>>>> >>>>> I'm not sure why it didn't work, this is correct. >>>>> ldap:///dc=example,dc=com tells the autofs client to use DNS discovery >>>>> to find the right server. It works for me. >>>> >>>> Now, it forked for me too, I must have had some bad setting. >>>> >>>> [snip] >>>> >>>> 11) I found another issue, nested indirect maps did not work with sssd >>>> provider but they did with ldap provider in nsswitch. But this is a >>>> problem on SSSD side, I filed a ticket for them: >>>> >>>> https://fedorahosted.org/sssd/ticket/1390 >>>> >>>> I also found 3 new issues (sorry for not finding them in original >>>> review). >>>> >>>> 12) I see we log to ~/.ipa/default.log. I think it would be better to >>>> append the log ipaclient-install.log or similar. >>> >>> Ok, good idea. Done. >>> >>>> 13) First three options in ipa-client-automount man pages are not >>>> formatted right. Bold format is missing + there is extra tag in >>>> --location option: >>>> >>>> --server=SERVER Set the IPA server to connect to >>>> >>>> --location=LOCATION >>>> Automount location >>>> >>>> -S, --no-sssd >>>> Do not configure the client to use SSSD for automount >>> >>> I only saw the bad which I fixed. 
They are otherwise bolded for me.
>>>
>>>> 14) I assume that your patch covers also ticket 2193, I think it should
>>>> be added to the patch description too.
>>>
>>> Fixed that too
>>>
>>> rob
>>
>> And now the correct patch.
>>
>> rob
>
> Thanks, everything seems to be fixed. I just see that
> ipaclient-install.log is truncated when I start ipa-client-automount. So
> I would rather append the log to it (like we do in ipa-dns-install) so
> that we don't lose the client install debug info.
>
> ACK if you do this change or choose a different log file.
>
> Martin

fixed and pushed to master

From pvoborni at redhat.com Tue Jun 26 14:46:02 2012
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 26 Jun 2012 16:46:02 +0200
Subject: [Freeipa-devel] [PATCH] 162 Web UI password is going to expire in n days notification
Message-ID: <4FE9CB2A.70704@redhat.com>

This patch is more like a draft. I'm not sure where to display the 'password is going to expire' notification. I was deciding between:

1) red bold text in Web UI header
2) popup dialog after Web UI initialization

I don't like unwanted pop-up dialogs so I used the first option.

I didn't make a 'password reset link' because it is done in user's detail page and a link there is right next to this notification.

Patch description:

This patch adds pending password expiration notification support to Web UI. When user's password is going to expire in less than or equal to the configured number of days, a bold red text 'Your password expires in N days' is shown in Web UI's header (on the left next to 'Logged in as...').

https://fedorahosted.org/freeipa/ticket/2625

--
Petr Vobornik

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0162-Web-UI-password-is-going-to-expire-in-n-days-notific.patch
Type: text/x-patch
Size: 9332 bytes
Desc: not available
URL:
From loris at lgs.com.ve Tue Jun 26 15:11:01 2012
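The decision behind Petr's notification, as an added Python example (not the attached patch, which is JavaScript in the Web UI): given the user's krbPasswordExpiration value in the LDAP generalized-time form FreeIPA stores, the current time, and the configured threshold in days, decide whether to show "Your password expires in N days". The function names, the rounding-up rule and the "already expired" branch are this example's choices, not the patch's.

```python
"""Password-expiration notice decision. Example code, not FreeIPA's Web UI."""
from datetime import datetime, timedelta


def parse_generalized_time(value):
    """Parse the 'YYYYMMDDHHMMSSZ' form used by krbPasswordExpiration (UTC)."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError("unsupported generalized time: %r" % (value,))
    return datetime.strptime(value, "%Y%m%d%H%M%SZ")


def days_until_expiration(expiration, now):
    """Whole days left, rounded up, so a password valid for another hour shows as 1 day,
    and 0 only once it has actually expired."""
    remaining = expiration - now
    if remaining <= timedelta(0):
        return 0
    return -(-remaining // timedelta(days=1))  # ceiling division on timedeltas


def expiration_notice(krb_password_expiration, now, threshold_days):
    """Return the header text to show, or None when no notice is due.

    krb_password_expiration may be None for an account with no expiration set.
    """
    if krb_password_expiration is None:
        return None
    days = days_until_expiration(parse_generalized_time(krb_password_expiration), now)
    if days > threshold_days:
        return None
    if days == 0:
        return "Your password has expired"  # example branch, not in the patch
    return "Your password expires in %d day%s" % (days, "" if days == 1 else "s")
```

Rounding up rather than truncating avoids telling a user their password expires in "0 days" while it is still valid; the threshold comparison is inclusive, matching the "less than or equal" wording of the patch description.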
From: loris at lgs.com.ve (Loris Santamaria) Date: Tue, 26 Jun 2012 10:41:01 -0430 Subject: [Freeipa-devel] freeIPA as a samba backend In-Reply-To: <4FE9C8A6.5040400@redhat.com> References: <1340672533.4964.17.camel@toron.pzo.lgs.com.ve> <4FE9C8A6.5040400@redhat.com> Message-ID: <1340723461.8801.9.camel@toron.pzo.lgs.com.ve> On Tue, 26-06-2012 at 10:35 -0400, Dmitri Pal wrote: > On 06/25/2012 09:02 PM, Loris Santamaria wrote: > > Hi, > > > > while using freeIPA as a user database for a samba installation I found > > a problem in the enforcement of password policies. FreeIPA password > > policies are more detailed than samba's, in freeIPA one may enforce > > password history and the number of character classes in a password, but > > normally samba connects to freeIPA with the "Directory Manager" so those > > policies are not enforced. > > > > Reading the source of ipa_pwd_extop I see there are three possibilities > > when changing passwords: > > > > * Password change by the user, with full enforcement of policies > > * Password change by an admin, with no enforcement of policies and > > the new password is set as expired so the user has to change it > > on next logon > > * Password change by Directory Manager, with no enforcement of > > policies and the password is not set as expired. > > > > None of the aforementioned possibilities are ideal for samba, samba > > should connect to freeIPA with a user privileged enough to change > > password for all users but with fully enforced policies. > > > > What do you think about this? Would you consider adding such feature? > > Would you accept patches? > > > > Can you please explain why samba needs to connect to IPA and change > the passwords? > In what role you use samba? As a file server or as something else? > I am not sure I follow why you need the password change functionality. > There is a way to setup Samba FS with IPA without trying to make IPA a > back end for Samba.
> I can try to dig some writeups on the matter if you are interested. Samba 3 when used as a PDC/BDC can use an LDAP server as its user/group database. To do that samba connects with a privileged user to the LDAP directory and manages some attributes of users and groups in the directory, adding the sambaSAMAccount objectclass and the sambaSID attribute to users, groups and machines of the domain. When users of Windows workstations in a samba domain change their passwords samba updates the sambaNTPassword, userPassword, sambaLastPwdChange, sambaPwdMustChange attributes of the corresponding ldap user. Using freeIPA as ldap user backend for samba works quite well, except for the password policy problem mentioned in last mail and that it is hard to maintain in sync the enabled/disabled status of an account. -- Loris Santamaria linux user #70506 xmpp:loris at lgs.com.ve Links Global Services, C.A. http://www.lgs.com.ve Tel: 0286 952.06.87 Cel: 0414 095.00.10 sip:103 at lgs.com.ve ------------------------------------------------------------ "If I'd asked my customers what they wanted, they'd have said a faster horse" - Henry Ford -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 4030 bytes Desc: not available URL: From mkosek at redhat.com Tue Jun 26 16:38:53 2012
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 26 Jun 2012 18:38:53 +0200
Subject: [Freeipa-devel] [PATCH] 278 Remove ipaNTHash from global allow ACI
Message-ID: <4FE9E59D.40209@redhat.com>

ipaNTHash contains security-sensitive information; it should be hidden just like other password attributes.

As a part of preparation for ticket #2511, the ACI allowing global access is also updated to hide DNS zones.

https://fedorahosted.org/freeipa/ticket/2856

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-278-remove-ipanthash-from-global-allow-aci.patch
Type: text/x-patch
Size: 8885 bytes
Desc: not available
URL:
From dpal at redhat.com Tue Jun 26 17:13:18 2012
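A way to audit the kind of change patch 278 makes, as an added Python example (not the patch, whose contents are not on this page): parse the `targetattr` clause of a 389-DS style ACI and report which password-class attributes a global allow rule would still leave readable. The ACI strings, the attribute list and the function names are constructed for this illustration and are not copied from FreeIPA's install LDIF; the attribute set is assembled from the names this thread mentions (ipaNTHash, sambaNTPassword, sambaLMPassword, userPassword) plus the Kerberos key and history attributes such an exclusion list would normally carry.

```python
"""Audit a 389-DS/FreeIPA style ACI for exposed password attributes. Example code."""
import re

# Attributes that a global/anonymous read rule must exclude (constructed list).
SENSITIVE_ATTRS = {
    "userpassword", "krbprincipalkey", "krbmkey", "passwordhistory",
    "sambalmpassword", "sambantpassword", "ipanthash",
}

_TARGETATTR = re.compile(r'\(\s*targetattr\s*(!?=)\s*"([^"]*)"\s*\)', re.IGNORECASE)
_ALLOW = re.compile(r'\ballow\s*\(([^)]*)\)', re.IGNORECASE)


def parse_targetattr(aci):
    """Return (operator, set of lower-cased attribute names), or (None, None)
    when the ACI has no targetattr clause and therefore applies to every attribute."""
    match = _TARGETATTR.search(aci)
    if not match:
        return None, None
    attrs = {a.strip().lower() for a in match.group(2).split("||") if a.strip()}
    return match.group(1), attrs


def grants_read(aci):
    """True if this is an allow rule whose rights let a client learn attribute values.
    search and compare count too: both act as oracles on the stored value."""
    match = _ALLOW.search(aci)
    if not match:
        return False
    rights = {r.strip().lower() for r in match.group(1).split(",")}
    return bool(rights & {"read", "search", "compare", "all"})


def exposed_sensitive(aci, sensitive=SENSITIVE_ATTRS):
    """Sorted list of sensitive attributes this rule would make readable."""
    if not grants_read(aci):
        return []
    op, attrs = parse_targetattr(aci)
    if op is None or (op == "=" and "*" in attrs):
        readable = set(sensitive)            # rule covers all attributes
    elif op == "!=":
        readable = set(sensitive) - attrs    # everything except the listed ones
    else:
        readable = set(sensitive) & attrs    # only the listed ones
    return sorted(readable)


# Constructed before/after pair modelled on a global anonymous-read ACI.
ACI_BEFORE = ('(targetattr != "userPassword || krbPrincipalKey || krbMKey || passwordHistory '
              '|| sambaLMPassword || sambaNTPassword")(version 3.0; acl "Enable Anonymous access"; '
              'allow (read, search, compare) userdn = "ldap:///anyone";)')
ACI_AFTER = ACI_BEFORE.replace('sambaNTPassword")', 'sambaNTPassword || ipaNTHash")')
```

Run over `ACI_BEFORE` the audit reports `ipanthash` as exposed; over `ACI_AFTER` it reports nothing. The wildcard and missing-clause cases matter in practice: an allow rule with `(targetattr="*")` or no `targetattr` at all exposes every attribute, and a `!=` exclusion list is only as good as its completeness, which is exactly why a newly added password attribute like ipaNTHash has to be appended to it.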
From: dpal at redhat.com (Dmitri Pal) Date: Tue, 26 Jun 2012 13:13:18 -0400 Subject: [Freeipa-devel] freeIPA as a samba backend In-Reply-To: <1340723461.8801.9.camel@toron.pzo.lgs.com.ve> References: <1340672533.4964.17.camel@toron.pzo.lgs.com.ve> <4FE9C8A6.5040400@redhat.com> <1340723461.8801.9.camel@toron.pzo.lgs.com.ve> Message-ID: <4FE9EDAE.2090203@redhat.com> On 06/26/2012 11:11 AM, Loris Santamaria wrote: > El mar, 26-06-2012 a las 10:35 -0400, Dmitri Pal escribi?: >> On 06/25/2012 09:02 PM, Loris Santamaria wrote: >>> Hi, >>> >>> while using freeIPA as a user database for a samba installation I found >>> a problem in the enforcement of password policies. FreeIPA password >>> policies are more detailed than samba's, in freeIPA one may enforce >>> password history and the number of character classes in a password, but >>> normally samba connects to freeIPA with the "Directory Manager" so those >>> policies are not enforced. >>> >>> Reading the source of ipa_pwd_extop I see there are three possibilities >>> when changing passwords: >>> >>> * Password change by the user, with full enforcement of policies >>> * Password change by an admin, with no enforcement of policies and >>> the new password is set as expired so the user has to change it >>> on next logon >>> * Password change by Directory Manager, with no enforcement of >>> policies and the password is not set as expired. >>> >>> None of the aforementioned possibilities are ideal for samba, samba >>> should connect to freeIPA with a user privileged enough to change >>> password for all users but with fully enforced policies. >>> >>> What do you think about this? Would you consider adding such feature? >>> Would you accept patches? >>> >> Can you please explain why samba needs to connect to IPA and change >> the passwords? >> In what role you use samba? As a file server or as something else? >> I am not sure I follow why you need the password change functionality. 
>> There is a way to setup Samba FS with IPA without trying to make IPA a >> back end for Samba. >> I can try to dig some writeups on the matter if you are interested. > Samba 3 when used as a PDC/BDC can use a LDAP server as its user/group > database. To do that samba connects with a privileged user to the LDAP > directory and manages some attributes of users and groups in the > directory, adding the sambaSAMAccount objectclass and the sambaSID > attribute to users, groups and machines of the domain. > > When users of Windows workstations in a samba domain change their > passwords samba updates the sambaNTPassword, userPassword, > sambaLastPwdChange, sambaPwdMustChange attributes of the corresponding > ldap user. > > Using freeIPA as ldap user backend for samba works quite well, except > for the password policy problem mentioned in last mail and that it is > hard to mantain in sync the enabled/disabled status of an account. What is the value of using FreeIPA as a Samba back end in comparison to other variants? Why IPA is more interesting than say 389-DS or OpenLDAP or native Samba? What other features of IPA are used in such setup? Answering these (and may be other) questions would help us to understand how common is the use case that you brought up. > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmeggins at redhat.com Tue Jun 26 17:28:43 2012 
From: rmeggins at redhat.com (Rich Megginson) Date: Tue, 26 Jun 2012 11:28:43 -0600 Subject: [Freeipa-devel] freeIPA as a samba backend In-Reply-To: <4FE9EDAE.2090203@redhat.com> References: <1340672533.4964.17.camel@toron.pzo.lgs.com.ve> <4FE9C8A6.5040400@redhat.com> <1340723461.8801.9.camel@toron.pzo.lgs.com.ve> <4FE9EDAE.2090203@redhat.com> Message-ID: <4FE9F14B.9050702@redhat.com> On 06/26/2012 11:13 AM, Dmitri Pal wrote: > On 06/26/2012 11:11 AM, Loris Santamaria wrote: >> El mar, 26-06-2012 a las 10:35 -0400, Dmitri Pal escribi?: >>> On 06/25/2012 09:02 PM, Loris Santamaria wrote: >>>> Hi, >>>> >>>> while using freeIPA as a user database for a samba installation I found >>>> a problem in the enforcement of password policies. FreeIPA password >>>> policies are more detailed than samba's, in freeIPA one may enforce >>>> password history and the number of character classes in a password, but >>>> normally samba connects to freeIPA with the "Directory Manager" so those >>>> policies are not enforced. >>>> >>>> Reading the source of ipa_pwd_extop I see there are three possibilities >>>> when changing passwords: >>>> >>>> * Password change by the user, with full enforcement of policies >>>> * Password change by an admin, with no enforcement of policies and >>>> the new password is set as expired so the user has to change it >>>> on next logon >>>> * Password change by Directory Manager, with no enforcement of >>>> policies and the password is not set as expired. >>>> >>>> None of the aforementioned possibilities are ideal for samba, samba >>>> should connect to freeIPA with a user privileged enough to change >>>> password for all users but with fully enforced policies. >>>> >>>> What do you think about this? Would you consider adding such feature? >>>> Would you accept patches? >>>> >>> Can you please explain why samba needs to connect to IPA and change >>> the passwords? >>> In what role you use samba? As a file server or as something else? 
>>> I am not sure I follow why you need the password change functionality. >>> There is a way to setup Samba FS with IPA without trying to make IPA a >>> back end for Samba. >>> I can try to dig some writeups on the matter if you are interested. >> Samba 3 when used as a PDC/BDC can use a LDAP server as its user/group >> database. To do that samba connects with a privileged user to the LDAP >> directory and manages some attributes of users and groups in the >> directory, adding the sambaSAMAccount objectclass and the sambaSID >> attribute to users, groups and machines of the domain. >> >> When users of Windows workstations in a samba domain change their >> passwords samba updates the sambaNTPassword, userPassword, >> sambaLastPwdChange, sambaPwdMustChange attributes of the corresponding >> ldap user. >> >> Using freeIPA as ldap user backend for samba works quite well, except >> for the password policy problem mentioned in last mail and that it is >> hard to mantain in sync the enabled/disabled status of an account. > > What is the value of using FreeIPA as a Samba back end in comparison > to other variants? > Why IPA is more interesting than say 389-DS or OpenLDAP or native Samba? IPA will keep all of your passwords in sync - userPassword, sambaNTPassword, sambaLMPassword, and your kerberos passwords. 389 cannot do this - the functionality that does this is provided by an IPA password plugin. Openldap has a similar plugin, but I think it is "contrib" and not "officially supported". > What other features of IPA are used in such setup? > > Answering these (and may be other) questions would help us to > understand how common is the use case that you brought up. > >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IPA project, > Red Hat Inc. 
> > > ------------------------------- > Looking to carve out IT costs? > www.redhat.com/carveoutcosts/ > > > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -------------- next part -------------- An HTML attachment was scrubbed... URL: From pvoborni at redhat.com Tue Jun 26 17:36:14 2012 
From: pvoborni at redhat.com (Petr Vobornik) Date: Tue, 26 Jun 2012 19:36:14 +0200 Subject: [Freeipa-devel] [PATCH] 159 Action panel for certificates In-Reply-To: <4FE9A148.6050601@redhat.com> References: <4FD73A99.9020300@redhat.com> <4FE87F3C.3010603@redhat.com> <4FE9A148.6050601@redhat.com> Message-ID: <4FE9F30E.1060300@redhat.com> On 06/26/2012 01:47 PM, Petr Vobornik wrote: > Updated patch attached. > > On 06/25/2012 05:09 PM, Endi Sukma Dewata wrote: >> On 6/12/2012 7:48 AM, Petr Vobornik wrote: >>> This is a continuation of effort which transforms status widgets with >>> buttons executing actions to separate status widget and action panels. >>> This patch strips certificate status widget of its buttons and separates >>> the actions to their own objects. Appropriate modifications are taken in >>> host and service details facets. >>> >>> New certificate loader, facet policy and evaluator are introduced to >>> make actions and status widget independent. On facet load event new >>> certificate facet policy loads a certificate from result. Unfortunately >>> results don't contain revocation reason so it also executes additional >>> cert-show command to get the revocation reason. Policy store the >>> certifacete to facet. It raises the certifacet_loaded event to notify >>> certificate evaluator and status widget. Status widget updates its >>> state. Certificate evaluator updates state and actions get disabled or >>> enabled. >>> >>> https://fedorahosted.org/freeipa/ticket/2250 >> >> I'm testing using self-signed CA. When I open the host/service details >> page there's a JS error at certificate.js:928 (undefined >> status_revoked), so the page seems to hang and looks blank. In the old >> code the status_revoked panel will only be created if you use Dogtag CA >> (the IPA.cert.is_selfsign() will return false). This check might not be >> necessary anymore because you can just hide the panel. 
>> > > Fixed - Not the panel is always created but it remains hidden > (display:none). > > I also removed calling cert-show on facet load when using selfsign. > > Instructions for generating service certificate were invalid. (regression). The host part also contained service name. Attaching updated version which fixes it. -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0159-2-Action-panel-for-certificates.patch Type: text/x-patch Size: 42156 bytes Desc: not available URL: From dpal at redhat.com Tue Jun 26 17:39:39 2012 
From: dpal at redhat.com (Dmitri Pal) Date: Tue, 26 Jun 2012 13:39:39 -0400 Subject: [Freeipa-devel] freeIPA as a samba backend In-Reply-To: <4FE9F14B.9050702@redhat.com> References: <1340672533.4964.17.camel@toron.pzo.lgs.com.ve> <4FE9C8A6.5040400@redhat.com> <1340723461.8801.9.camel@toron.pzo.lgs.com.ve> <4FE9EDAE.2090203@redhat.com> <4FE9F14B.9050702@redhat.com> Message-ID: <4FE9F3DB.2090403@redhat.com> On 06/26/2012 01:28 PM, Rich Megginson wrote: > On 06/26/2012 11:13 AM, Dmitri Pal wrote: >> On 06/26/2012 11:11 AM, Loris Santamaria wrote: >>> El mar, 26-06-2012 a las 10:35 -0400, Dmitri Pal escribi?: >>>> On 06/25/2012 09:02 PM, Loris Santamaria wrote: >>>>> Hi, >>>>> >>>>> while using freeIPA as a user database for a samba installation I found >>>>> a problem in the enforcement of password policies. FreeIPA password >>>>> policies are more detailed than samba's, in freeIPA one may enforce >>>>> password history and the number of character classes in a password, but >>>>> normally samba connects to freeIPA with the "Directory Manager" so those >>>>> policies are not enforced. >>>>> >>>>> Reading the source of ipa_pwd_extop I see there are three possibilities >>>>> when changing passwords: >>>>> >>>>> * Password change by the user, with full enforcement of policies >>>>> * Password change by an admin, with no enforcement of policies and >>>>> the new password is set as expired so the user has to change it >>>>> on next logon >>>>> * Password change by Directory Manager, with no enforcement of >>>>> policies and the password is not set as expired. >>>>> >>>>> None of the aforementioned possibilities are ideal for samba, samba >>>>> should connect to freeIPA with a user privileged enough to change >>>>> password for all users but with fully enforced policies. >>>>> >>>>> What do you think about this? Would you consider adding such feature? >>>>> Would you accept patches? 
>>>>> >>>> Can you please explain why samba needs to connect to IPA and change >>>> the passwords? >>>> In what role you use samba? As a file server or as something else? >>>> I am not sure I follow why you need the password change functionality. >>>> There is a way to setup Samba FS with IPA without trying to make IPA a >>>> back end for Samba. >>>> I can try to dig some writeups on the matter if you are interested. >>> Samba 3 when used as a PDC/BDC can use a LDAP server as its user/group >>> database. To do that samba connects with a privileged user to the LDAP >>> directory and manages some attributes of users and groups in the >>> directory, adding the sambaSAMAccount objectclass and the sambaSID >>> attribute to users, groups and machines of the domain. >>> >>> When users of Windows workstations in a samba domain change their >>> passwords samba updates the sambaNTPassword, userPassword, >>> sambaLastPwdChange, sambaPwdMustChange attributes of the corresponding >>> ldap user. >>> >>> Using freeIPA as ldap user backend for samba works quite well, except >>> for the password policy problem mentioned in last mail and that it is >>> hard to mantain in sync the enabled/disabled status of an account. >> >> What is the value of using FreeIPA as a Samba back end in comparison >> to other variants? >> Why IPA is more interesting than say 389-DS or OpenLDAP or native Samba? > > IPA will keep all of your passwords in sync - userPassword, > sambaNTPassword, sambaLMPassword, and your kerberos passwords. 389 > cannot do this - the functionality that does this is provided by an > IPA password plugin. Openldap has a similar plugin, but I think it is > "contrib" and not "officially supported". > I know that Endi did the work to make 389 be a viable back end for Samba and it passed all the Samba torture tests so I am not sure I agree with you. Samba does the kerberos operations itself and uses LDAP as a storage only. This is why I am struggling to understand the use case. 
It seems that Loris has a different configuration that I do not quite understand, thus questions. >> What other features of IPA are used in such setup? >> >> Answering these (and may be other) questions would help us to >> understand how common is the use case that you brought up. >> >>> >>> _______________________________________________ >>> Freeipa-devel mailing list >>> Freeipa-devel at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-devel >> >> >> -- >> Thank you, >> Dmitri Pal >> >> Sr. Engineering Manager IPA project, >> Red Hat Inc. >> >> >> ------------------------------- >> Looking to carve out IT costs? >> www.redhat.com/carveoutcosts/ >> >> >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmeggins at redhat.com Tue Jun 26 17:53:02 2012 
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 26 Jun 2012 11:53:02 -0600
Subject: [Freeipa-devel] freeIPA as a samba backend
In-Reply-To: <4FE9F3DB.2090403@redhat.com>
References: <1340672533.4964.17.camel@toron.pzo.lgs.com.ve> <4FE9C8A6.5040400@redhat.com> <1340723461.8801.9.camel@toron.pzo.lgs.com.ve> <4FE9EDAE.2090203@redhat.com> <4FE9F14B.9050702@redhat.com> <4FE9F3DB.2090403@redhat.com>
Message-ID: <4FE9F6FE.2090604@redhat.com>

On 06/26/2012 11:39 AM, Dmitri Pal wrote:
> On 06/26/2012 01:28 PM, Rich Megginson wrote:
>> On 06/26/2012 11:13 AM, Dmitri Pal wrote:
>>> On 06/26/2012 11:11 AM, Loris Santamaria wrote:
>>>> On Tue, 26-06-2012 at 10:35 -0400, Dmitri Pal wrote:
>>>>> On 06/25/2012 09:02 PM, Loris Santamaria wrote:
>>>>>> Hi,
>>>>>>
>>>>>> while using freeIPA as a user database for a samba installation I found
>>>>>> a problem in the enforcement of password policies. FreeIPA password
>>>>>> policies are more detailed than samba's, in freeIPA one may enforce
>>>>>> password history and the number of character classes in a password, but
>>>>>> normally samba connects to freeIPA with the "Directory Manager" so those
>>>>>> policies are not enforced.
>>>>>>
>>>>>> Reading the source of ipa_pwd_extop I see there are three possibilities
>>>>>> when changing passwords:
>>>>>>
>>>>>> * Password change by the user, with full enforcement of policies
>>>>>> * Password change by an admin, with no enforcement of policies and
>>>>>> the new password is set as expired so the user has to change it
>>>>>> on next logon
>>>>>> * Password change by Directory Manager, with no enforcement of
>>>>>> policies and the password is not set as expired.
>>>>>>
>>>>>> None of the aforementioned possibilities are ideal for samba, samba
>>>>>> should connect to freeIPA with a user privileged enough to change
>>>>>> password for all users but with fully enforced policies.
>>>>>>
>>>>>> What do you think about this? Would you consider adding such feature?
>>>>>> Would you accept patches?
>>>>>>
>>>>> Can you please explain why samba needs to connect to IPA and change
>>>>> the passwords?
>>>>> In what role you use samba? As a file server or as something else?
>>>>> I am not sure I follow why you need the password change functionality.
>>>>> There is a way to setup Samba FS with IPA without trying to make IPA a
>>>>> back end for Samba.
>>>>> I can try to dig some writeups on the matter if you are interested.
>>>> Samba 3 when used as a PDC/BDC can use an LDAP server as its user/group
>>>> database. To do that samba connects with a privileged user to the LDAP
>>>> directory and manages some attributes of users and groups in the
>>>> directory, adding the sambaSAMAccount objectclass and the sambaSID
>>>> attribute to users, groups and machines of the domain.
>>>>
>>>> When users of Windows workstations in a samba domain change their
>>>> passwords samba updates the sambaNTPassword, userPassword,
>>>> sambaLastPwdChange, sambaPwdMustChange attributes of the corresponding
>>>> ldap user.
>>>>
>>>> Using freeIPA as ldap user backend for samba works quite well, except
>>>> for the password policy problem mentioned in last mail and that it is
>>>> hard to maintain in sync the enabled/disabled status of an account.
>>>
>>> What is the value of using FreeIPA as a Samba back end in comparison
>>> to other variants?
>>> Why IPA is more interesting than say 389-DS or OpenLDAP or native Samba?
>>
>> IPA will keep all of your passwords in sync - userPassword,
>> sambaNTPassword, sambaLMPassword, and your kerberos passwords. 389
>> cannot do this - the functionality that does this is provided by an
>> IPA password plugin. Openldap has a similar plugin, but I think it
>> is "contrib" and not "officially supported".
>>
>
> I know that Endi did the work to make 389 be a viable back end for
> Samba and it passed all the Samba torture tests so I am not sure I
> agree with you.

Was that for samba4 or samba3?

> Samba does the kerberos operations itself and uses LDAP as a storage only.

Samba4 or samba3?

> This is why I am struggling to understand the use case. It seems that
> Loris has a different configuration that I do not quite understand,
> thus questions.
>
>>> What other features of IPA are used in such setup?
>>>
>>> Answering these (and may be other) questions would help us to
>>> understand how common is the use case that you brought up.

From rcritten at redhat.com Tue Jun 26 18:48:54 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 26 Jun 2012 14:48:54 -0400
Subject: [Freeipa-devel] [PATCH] 278 Remove ipaNTHash from global allow ACI
In-Reply-To: <4FE9E59D.40209@redhat.com>
References: <4FE9E59D.40209@redhat.com>
Message-ID: <4FEA0416.9090408@redhat.com>

Martin Kosek wrote:
> ipaNTHash contains security sensitive information, it should be hidden just
> like other password attributes. As a part of preparation for ticket #2511,
> the ACI allowing global access is also updated to hide DNS zones.
>
> https://fedorahosted.org/freeipa/ticket/2856

There is a comment referencing the DNS work. Fix that and ACK.

rob

From edewata at redhat.com Tue Jun 26 18:51:27 2012
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 26 Jun 2012 13:51:27 -0500
Subject: [Freeipa-devel] [PATCH] 159 Action panel for certificates
In-Reply-To: <4FE9F30E.1060300@redhat.com>
References: <4FD73A99.9020300@redhat.com> <4FE87F3C.3010603@redhat.com> <4FE9A148.6050601@redhat.com> <4FE9F30E.1060300@redhat.com>
Message-ID: <4FEA04AF.7080408@redhat.com>

On 6/26/2012 12:36 PM, Petr Vobornik wrote:
>>> I'm testing using self-signed CA. When I open the host/service details
>>> page there's a JS error at certificate.js:928 (undefined
>>> status_revoked), so the page seems to hang and looks blank. In the old
>>> code the status_revoked panel will only be created if you use Dogtag CA
>>> (the IPA.cert.is_selfsign() will return false). This check might not be
>>> necessary anymore because you can just hide the panel.
>>
>> Fixed - Now the panel is always created but it remains hidden
>> (display:none).
>>
>> I also removed calling cert-show on facet load when using selfsign.
>
> Instructions for generating service certificate were invalid.
> (regression). The host part also contained service name.
>
> Attaching updated version which fixes it.

ACK.

-- 
Endi S. Dewata

From rcritten at redhat.com Tue Jun 26 18:52:13 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 26 Jun 2012 14:52:13 -0400
Subject: [Freeipa-devel] [PATCH] 0064 Typo fixes
In-Reply-To: <4FE0AEF8.3050604@redhat.com>
References: <4FE0AEF8.3050604@redhat.com>
Message-ID: <4FEA04DD.6060302@redhat.com>

Petr Viktorin wrote:
> Fixing a typo in the ipa-rmkeytab man page.
>
> Over the past few months I also found a few typos in docstrings and
> comments. I'm including those in the patch.

ACK, pushed to master.

rob

From rcritten at redhat.com Tue Jun 26 19:21:11 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 26 Jun 2012 15:21:11 -0400
Subject: [Freeipa-devel] [PATCH] 0065 Improve output validation
In-Reply-To: <4FE2F292.8070803@redhat.com>
References: <4FE2F292.8070803@redhat.com>
Message-ID: <4FEA0BA7.1030705@redhat.com>

Petr Viktorin wrote:
> In my patch 62 I fixed output validation. Since that patch was rejected,
> I'm submitting the fix separately.
>
> https://fedorahosted.org/freeipa/ticket/2860

ACK, pushed to master

From mkosek at redhat.com Tue Jun 26 19:30:22 2012
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 26 Jun 2012 21:30:22 +0200
Subject: [Freeipa-devel] [PATCH] 278 Remove ipaNTHash from global allow ACI
In-Reply-To: <4FEA0416.9090408@redhat.com>
References: <4FE9E59D.40209@redhat.com> <4FEA0416.9090408@redhat.com>
Message-ID: <1340739022.3403.1.camel@priserak>

On Tue, 2012-06-26 at 14:48 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
>> ipaNTHash contains security sensitive information, it should be hidden just
>> like other password attributes. As a part of preparation for ticket #2511,
>> the ACI allowing global access is also updated to hide DNS zones.
>>
>> https://fedorahosted.org/freeipa/ticket/2856
>
> There is a comment referencing the DNS work. Fix that and ACK.
>
> rob

As agreed with Rob on IRC, this comment was left there on purpose so that
it is obvious why I also added the (target != ...) part to the global
allow ACI.

Pushed to master as-is.

Martin

From edewata at redhat.com Tue Jun 26 19:45:35 2012
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 26 Jun 2012 14:45:35 -0500
Subject: [Freeipa-devel] freeIPA as a samba backend
In-Reply-To: <4FE9F6FE.2090604@redhat.com>
References: <1340672533.4964.17.camel@toron.pzo.lgs.com.ve> <4FE9C8A6.5040400@redhat.com> <1340723461.8801.9.camel@toron.pzo.lgs.com.ve> <4FE9EDAE.2090203@redhat.com> <4FE9F14B.9050702@redhat.com> <4FE9F3DB.2090403@redhat.com> <4FE9F6FE.2090604@redhat.com>
Message-ID: <4FEA115F.80000@redhat.com>

On 6/26/2012 12:53 PM, Rich Megginson wrote:
>>> IPA will keep all of your passwords in sync - userPassword,
>>> sambaNTPassword, sambaLMPassword, and your kerberos passwords. 389
>>> cannot do this - the functionality that does this is provided by an
>>> IPA password plugin. Openldap has a similar plugin, but I think it
>>> is "contrib" and not "officially supported".
>>
>> I know that Endi did the work to make 389 be a viable back end for
>> Samba and it passed all the Samba torture tests so I am not sure I
>> agree with you.
>
> Was that for samba4 or samba3?

It was for Samba 4, but that was done a while ago. I'm not sure of the
current status of the code. It worked up to some point, but it's no
longer maintained due to lack of OpenLDAP experts to make further
modifications, since this involves Samba code that is shared between
both backends.

-- 
Endi S. Dewata

From abokovoy at redhat.com Tue Jun 26 20:14:38 2012
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 26 Jun 2012 23:14:38 +0300
Subject: [Freeipa-devel] freeIPA as a samba backend
In-Reply-To: <4FEA115F.80000@redhat.com>
References: <1340672533.4964.17.camel@toron.pzo.lgs.com.ve> <4FE9C8A6.5040400@redhat.com> <1340723461.8801.9.camel@toron.pzo.lgs.com.ve> <4FE9EDAE.2090203@redhat.com> <4FE9F14B.9050702@redhat.com> <4FE9F3DB.2090403@redhat.com> <4FE9F6FE.2090604@redhat.com> <4FEA115F.80000@redhat.com>
Message-ID: <20120626201438.GA16889@redhat.com>

On Tue, 26 Jun 2012, Endi Sukma Dewata wrote:
> On 6/26/2012 12:53 PM, Rich Megginson wrote:
>>>> IPA will keep all of your passwords in sync - userPassword,
>>>> sambaNTPassword, sambaLMPassword, and your kerberos passwords. 389
>>>> cannot do this - the functionality that does this is provided by an
>>>> IPA password plugin. Openldap has a similar plugin, but I think it
>>>> is "contrib" and not "officially supported".
>>>
>>> I know that Endi did the work to make 389 be a viable back end for
>>> Samba and it passed all the Samba torture tests so I am not sure I
>>> agree with you.
>>
>> Was that for samba4 or samba3?
>
> It was for Samba 4, but that was done a while ago. I'm not sure of the
> current status of the code. It worked up to some point, but it's no
> longer maintained due to lack of OpenLDAP experts to make further
> modifications, since this involves Samba code that is shared between
> both backends.

Samba4 deprecated the LDAP backend a long time ago. Only the ldb backend
is supported. smbd in Samba4 is still using the same PDB interface as
Samba 3 and has the traditional ldapsam module that Loris is using (most
likely). For Samba4 AD DC integration it has a few Samba4-specific
modules, both for PDB and VFS interfaces.

The ipasam module in FreeIPAv3 is an expansion of ldapsam to support
trusted domains and works with smbd from Samba4. This module is using
the new schema for Samba-specific attributes introduced in FreeIPAv3,
whose values are co-maintained by various slapd plugins and ipasam, as
well as the new FreeIPA kdb driver for the MIT Kerberos KDC.

Turning back to Dmitri's original question: besides file serving
capabilities, what are other use cases that could be solved by a
combination of FreeIPA and a Samba member server? As FreeIPA provides
alternative means to join machines to a single realm (FreeIPA Kerberos
realm) and maintain them reliably with sssd, Samba DC functionality in a
pure FreeIPA setup seems to be of less importance. If there is a need to
join Windows machines to a FreeIPA setup without utilizing an Active
Directory domain, then I'd also like to hear how important that is.

Right now we miss a few capabilities in FreeIPAv3 to make Samba 4's smbd
a non-Active Directory DC (a.k.a. classic NT-style domain with enhanced
encryption), and knowing how important this integrated setup is would
help prioritising features.

-- 
/ Alexander Bokovoy

From loris at lgs.com.ve Tue Jun 26 20:44:08 2012
From: loris at lgs.com.ve (Loris Santamaria)
Date: Tue, 26 Jun 2012 16:14:08 -0430
Subject: [Freeipa-devel] freeIPA as a samba backend
In-Reply-To: <4FE9F3DB.2090403@redhat.com>
References: <1340672533.4964.17.camel@toron.pzo.lgs.com.ve> <4FE9C8A6.5040400@redhat.com> <1340723461.8801.9.camel@toron.pzo.lgs.com.ve> <4FE9EDAE.2090203@redhat.com> <4FE9F14B.9050702@redhat.com> <4FE9F3DB.2090403@redhat.com>
Message-ID: <1340743448.11173.28.camel@toron.pzo.lgs.com.ve>

On Tue, 26-06-2012 at 13:39 -0400, Dmitri Pal wrote:
> On 06/26/2012 01:28 PM, Rich Megginson wrote:
>> On 06/26/2012 11:13 AM, Dmitri Pal wrote:
>>> On 06/26/2012 11:11 AM, Loris Santamaria wrote:
>>>> On Tue, 26-06-2012 at 10:35 -0400, Dmitri Pal wrote:
>>>>> On 06/25/2012 09:02 PM, Loris Santamaria wrote:
>>>>>> Hi,
>>>>>>
>>>>>> while using freeIPA as a user database for a samba installation I found
>>>>>> a problem in the enforcement of password policies. FreeIPA password
>>>>>> policies are more detailed than samba's, in freeIPA one may enforce
>>>>>> password history and the number of character classes in a password, but
>>>>>> normally samba connects to freeIPA with the "Directory Manager" so those
>>>>>> policies are not enforced.
>>>>>>
>>>>>> Reading the source of ipa_pwd_extop I see there are three possibilities
>>>>>> when changing passwords:
>>>>>>
>>>>>> * Password change by the user, with full enforcement of policies
>>>>>> * Password change by an admin, with no enforcement of policies and
>>>>>> the new password is set as expired so the user has to change it
>>>>>> on next logon
>>>>>> * Password change by Directory Manager, with no enforcement of
>>>>>> policies and the password is not set as expired.
>>>>>>
>>>>>> None of the aforementioned possibilities are ideal for samba, samba
>>>>>> should connect to freeIPA with a user privileged enough to change
>>>>>> password for all users but with fully enforced policies.
>>>>>>
>>>>>> What do you think about this? Would you consider adding such feature?
>>>>>> Would you accept patches?
>>>>>>
>>>>> Can you please explain why samba needs to connect to IPA and change
>>>>> the passwords?
>>>>> In what role you use samba? As a file server or as something else?
>>>>> I am not sure I follow why you need the password change functionality.
>>>>> There is a way to setup Samba FS with IPA without trying to make IPA a
>>>>> back end for Samba.
>>>>> I can try to dig some writeups on the matter if you are interested.
>>>> Samba 3 when used as a PDC/BDC can use an LDAP server as its user/group
>>>> database. To do that samba connects with a privileged user to the LDAP
>>>> directory and manages some attributes of users and groups in the
>>>> directory, adding the sambaSAMAccount objectclass and the sambaSID
>>>> attribute to users, groups and machines of the domain.
>>>>
>>>> When users of Windows workstations in a samba domain change their
>>>> passwords samba updates the sambaNTPassword, userPassword,
>>>> sambaLastPwdChange, sambaPwdMustChange attributes of the corresponding
>>>> ldap user.
>>>>
>>>> Using freeIPA as ldap user backend for samba works quite well, except
>>>> for the password policy problem mentioned in last mail and that it is
>>>> hard to maintain in sync the enabled/disabled status of an account.
>>>
>>> What is the value of using FreeIPA as a Samba back end in
>>> comparison to other variants?
>>> Why IPA is more interesting than say 389-DS or OpenLDAP or native
>>> Samba?
>>
>> IPA will keep all of your passwords in sync - userPassword,
>> sambaNTPassword, sambaLMPassword, and your kerberos passwords. 389
>> cannot do this - the functionality that does this is provided by an
>> IPA password plugin. Openldap has a similar plugin, but I think it
>> is "contrib" and not "officially supported".
>>
>
> I know that Endi did the work to make 389 be a viable back end for
> Samba and it passed all the Samba torture tests so I am not sure I
> agree with you. Samba does the kerberos operations itself and uses
> LDAP as a storage only. This is why I am struggling to understand the
> use case. It seems that Loris has a different configuration that I do
> not quite understand, thus questions.
>
>>> What other features of IPA are used in such setup?
>>>
>>> Answering these (and may be other) questions would help us to
>>> understand how common is the use case that you brought up.

First of all, the use case is that of using Samba 3 as a Domain
Controller. Here in Venezuela the government itself promotes the use of
free software so most government agencies and industries won't install
Active Directory to administer Windows desktops. There are some medium
to large deployments of Samba 3 as a domain controller here, and there
are a number of Linux desktops deployed in the same networks.

When you use Samba 3 as a Domain Controller with a largish number of
users and machines it is mandatory to use an LDAP server as a backend,
and for that you have basically two choices which are of course OpenLdap
and 389-DS, but those servers have to be combined with some
administration tools to be really useful. The ideal choice for us is
389-DS with freeIPA as an administration framework because of:

* Really easy to use to administer users and groups. Those users and
  groups are visible from the samba domain and from linux machines in
  the IPA realm or from legacy unix and linux machines configured as
  ldap clients
* ipa_pwd_extop keeps ldap, samba and kerberos passwords in sync. Well,
  this could be better
* freeIPA sets up 389-ds very well, with sane indexes and permissions.
  For good performance with samba you just have to add indexes for some
  samba attributes

So you set up Samba 3 with freeIPA, and use the ipa tools to administer
users and groups, and those users and groups can log in on Windows and
Linux workstations.

To set up Samba 3 with freeIPA 2.x you have to:

* extend the ipa user and group objects to have them add the
  sambaSAMAccount and SambaGroupType objectclasses
* add a Distributed Numeric Assignment configuration to have 389-DS
  generate the sambaSID for objects with the above objectClasses
* add a script used by samba 3 when a windows machine tries to join the
  domain, so that ipa creates a new host if it doesn't exist
* add indexes for common samba attributes.

The alternative to all this, using free software, would be using samba 4
and have Linux workstations join the Samba 4 domain, or use samba 4 for
the windows domain with a trust relationship to ipa 3 when it is ready.

Thank you,

Loris Santamaria

-- 
Loris Santamaria   linux user #70506   xmpp:loris at lgs.com.ve
Links Global Services, C.A.            http://www.lgs.com.ve
Tel: 0286 952.06.87  Cel: 0414 095.00.10  sip:103 at lgs.com.ve
------------------------------------------------------------
"If I'd asked my customers what they wanted, they'd have said
a faster horse" - Henry Ford

From edewata at redhat.com Wed Jun 27 01:54:19 2012
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 26 Jun 2012 20:54:19 -0500
Subject: [Freeipa-devel] [PATCH] 162 Web UI password is going to expire in n days notification
In-Reply-To: <4FE9CB2A.70704@redhat.com>
References: <4FE9CB2A.70704@redhat.com>
Message-ID: <4FEA67CB.2060205@redhat.com>

On 6/26/2012 9:46 AM, Petr Vobornik wrote:
> This patch is more like a draft.
>
> I'm not sure where to display the 'password is going to expire'
> notification.
>
> I was deciding between:
> 1) red bold text in Web UI header
> 2) popup dialog after Web UI initialization
>
> I don't like unwanted pop-up dialogs so I used first option.

If we only support 1 short message I'd prefer option #1. Some users might
not want to reset the password immediately, so they need to be constantly
reminded about the password expiration.

If the message is too long, or we want to support multiple messages (not
just for password expiration), we can show a message icon like in the
upper right corner of Fedora desktop. When you click it it will open a
dialog box listing all messages. In this dialog you can delete each
message. The icon will disappear only if there's no message left.

> I didn't make a 'password reset link' because it is done in user's
> detail page and a link there is right next to this notification.

I'd say the message should include a link, something like this:

  Your password will expire in n days. [Reset your password].

The link is important because:
* Without the link the message doesn't tell you what to do or how to
  reset the password.
* Users might not realize that the [Logged In As: ] is a link that can
  bring them to their profile page.
* Even if they're in the right page, they might not know there's a reset
  password link in the action panel.

The [Reset your password] link can open the Password Reset dialog for the
current user, regardless of the current page. To avoid confusion the
dialog probably should be changed to show the username of the user being
updated.

What do you think?

-- 
Endi S. Dewata

From pvoborni at redhat.com Wed Jun 27 07:00:00 2012
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 27 Jun 2012 09:00:00 +0200
Subject: [Freeipa-devel] [PATCH] 159 Action panel for certificates
In-Reply-To: <4FEA04AF.7080408@redhat.com>
References: <4FD73A99.9020300@redhat.com> <4FE87F3C.3010603@redhat.com> <4FE9A148.6050601@redhat.com> <4FE9F30E.1060300@redhat.com> <4FEA04AF.7080408@redhat.com>
Message-ID: <4FEAAF70.5000404@redhat.com>

On 06/26/2012 08:51 PM, Endi Sukma Dewata wrote:
> On 6/26/2012 12:36 PM, Petr Vobornik wrote:
>>>> I'm testing using self-signed CA. When I open the host/service details
>>>> page there's a JS error at certificate.js:928 (undefined
>>>> status_revoked), so the page seems to hang and looks blank. In the old
>>>> code the status_revoked panel will only be created if you use Dogtag CA
>>>> (the IPA.cert.is_selfsign() will return false). This check might not be
>>>> necessary anymore because you can just hide the panel.
>>>
>>> Fixed - Now the panel is always created but it remains hidden
>>> (display:none).
>>>
>>> I also removed calling cert-show on facet load when using selfsign.
>>
>> Instructions for generating service certificate were invalid.
>> (regression). The host part also contained service name.
>>
>> Attaching updated version which fixes it.
>
> ACK.
>

Pushed to master.

-- 
Petr Vobornik

From abokovoy at redhat.com Wed Jun 27 09:56:56 2012
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 27 Jun 2012 12:56:56 +0300
Subject: [Freeipa-devel] [PATCH] External group membership for trusted domains
In-Reply-To: <20120625130652.GC5935@redhat.com>
References: <20120621152602.GA28689@redhat.com> <20120625105914.GX29454@localhost.localdomain> <20120625130652.GC5935@redhat.com>
Message-ID: <20120627095656.GB16889@redhat.com>

On Mon, 25 Jun 2012, Alexander Bokovoy wrote:
> On Mon, 25 Jun 2012, Sumit Bose wrote:
>> Hi Alexander,
>>
>> On Thu, Jun 21, 2012 at 06:26:02PM +0300, Alexander Bokovoy wrote:
>>> Hi!
>>>
>>> Attached is the patch to support external group membership for trusted
>>> domains. This is needed to get proper group membership with the work
>>> Sumit and Jan are doing on both IPA and SSSD sides.
>>>
>>> We already have ipaExternalGroup class that includes ipaExternalMember
>>> attribute (multivalued case-insensitive string). The group that has
>>> ipaExternalGroup object class will have to be non-POSIX and
>>> ipaExternalMember attribute will contain security identifiers (SIDs)
>>> of members from trusted domains.
>>>
>>> The patch takes care of three things:
>>> 1. Extends 'ipa group-add' with --external option to add
>>>    ipaExternalGroup object class to a new group
>>> 2. Modifies 'ipa group-add-member' to accept --external CSV argument
>>>    to specify SIDs
>>> 3. Modifies 'ipa group-del-member' to allow removing external members.
>>
>> thank you for the patch, it works as expected, but I have a few
>> comments:
>>
>> - there is a trailing whitespace at the end of the "This means we can't
>>   check the correctness of a trusted domain SIDs" line
>> - when using ipa group-add-member with --external there are still prompts
>>   for [member user] and [member group], can those be suppressed?
>> - with ipa group-mod --posix it is possible to add the posixGroup
>>   objectclass together with a GID to the external group object. This
>>   should result in an error and also the other way round, adding
>>   --external to Posix groups.
> Updated patch is attached. It fixes whitespace and group-mod.

New revision.

-- 
/ Alexander Bokovoy

-------------- next part --------------
From 7c376e99e939a8aaf39eca2f195de93e2cb7ae8f Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Wed, 20 Jun 2012 16:08:33 +0300
Subject: [PATCH 10/12] Add support for external group members

When using ipaExternalGroup/ipaExternalMember attributes it is possible
to add group members which don't exist in IPA database. This is primarily
required for AD trusts support and therefore validation is accepting only
secure identifier (SID) format.

https://fedorahosted.org/freeipa/ticket/2664
---
 API.txt                    |  12 +++--
 ipalib/errors.py           |  50 ++++++++++++++++++++
 ipalib/plugins/baseldap.py |  18 +++++--
 ipalib/plugins/group.py    | 111 +++++++++++++++++++++++++++++++++++++++++---
 ipalib/plugins/trust.py    |   4 ++
 ipaserver/dcerpc.py        |  93 +++++++++++++++++++++++++++++++++----
 6 files changed, 266 insertions(+), 22 deletions(-)

diff --git a/API.txt b/API.txt
index 9d91832d995d605b161c13a5ec915f5d84f1d515..ccae47a947c180c0c85658bc393a0d38d4b32c0d 100644
--- a/API.txt
+++ b/API.txt
@@ -1196,13 +1196,14 @@ output: Output('total', , None) output: Output('count', , None) output: Output('summary', (, ), None) command: group_add -args: 1,8,3 +args: 1,9,3 arg: Str('cn', attribute=True, cli_name='group_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, required=True) option: Str('description', attribute=True, cli_name='desc', multivalue=False, required=True) option: Int('gidnumber', attribute=True, cli_name='gid', minvalue=1, multivalue=False, required=False) option: Str('setattr*', cli_name='setattr', exclude='webui') option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('nonposix', autofill=True, cli_name='nonposix', default=False) +option: Flag('external', autofill=True, cli_name='external', default=False) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('version?', exclude='webui') @@ -1210,8 +1211,9 @@ output: Output('summary', (, ), None) output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('value', , None) command: group_add_member -args: 1,5,3 +args: 1,6,3 arg: Str('cn', attribute=True, cli_name='group_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=True) +option: Str('ipaexternalmember*', cli_name='external', csv=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('version?', exclude='webui') 
@@ -1265,7 +1267,7 @@ output: ListOfEntries('result', (, ), Gettext('A list output: Output('count', , None) output: Output('truncated', , None) command: group_mod -args: 1,11,3 +args: 1,12,3 arg: Str('cn', attribute=True, cli_name='group_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=True) option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, required=False) option: Int('gidnumber', attribute=True, autofill=False, cli_name='gid', minvalue=1, multivalue=False, required=False) @@ -1274,6 +1276,7 @@ option: Str('addattr*', cli_name='addattr', exclude='webui') option: Str('delattr*', cli_name='delattr', exclude='webui') option: Flag('rights', autofill=True, default=False) option: Flag('posix', autofill=True, cli_name='posix', default=False) +option: Flag('external', autofill=True, cli_name='external', default=False) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('version?', exclude='webui') @@ -1282,8 +1285,9 @@ output: Output('summary', (, ), None) output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('value', , None) command: group_remove_member -args: 1,5,3 +args: 1,6,3 arg: Str('cn', attribute=True, cli_name='group_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=True) +option: Str('ipaexternalmember*', cli_name='external', csv=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('version?', exclude='webui') 
diff --git a/ipalib/errors.py b/ipalib/errors.py index 407d9f7dbcf79c47193a3087fe6efbc50728c903..c25560b8e9270a65feb5d9866f6dcc99e39675ef 100644 --- a/ipalib/errors.py +++ b/ipalib/errors.py @@ -1277,6 +1277,56 @@ class SingleMatchExpected(ExecutionError): format = _('The search criteria was not specific enough. Expected 1 and found %(found)d.') +class AlreadyExternalGroup(ExecutionError): + """ + **4028** Raised when a group is already an external member group + + For example: + + >>> raise AlreadyExternalGroup + Traceback (most recent call last): + ... + AlreadyExternalGroup: This group already allows external members + + """ + + errno = 4028 + format = _('This group already allows external members') + +class ExternalGroupViolation(ExecutionError): + """ + **4029** Raised when a group is already an external member group + and an attempt is made to use it as posix group + + For example: + + >>> raise ExternalGroupViolation + Traceback (most recent call last): + ... + ExternalGroupViolation: This group cannot be posix because it is external + + """ + + errno = 4029 + format = _('This group cannot be posix because it is external') + +class PosixGroupViolation(ExecutionError): + """ + **4030** Raised when a group is already a posix group + and cannot be converted to external + + For example: + + >>> raise PosixGroupViolation + Traceback (most recent call last): + ... + PosixGroupViolation: This is already a posix group and cannot be converted to external one + + """ + + errno = 4030 + format = _('This is already a posix group and cannot be converted to external one') + class BuiltinError(ExecutionError): """ **4100** Base class for builtin execution errors (*4100 - 4199*). diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 475222a6a30863bcc536e1746bf5b338a4e42448..a1c8c2fbafec979c36978e04e752e8a20066e949 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py 
@@ -362,6 +362,9 @@ def add_external_post_callback(memberattr, membertype, externalattr, ldap, compl externalattr is one of externaluser, """ completed_external = 0 + normalize = True + if 'external_callback_normalize' in options: + normalize = options['external_callback_normalize'] # Sift through the failures. We assume that these are all # entries that aren't stored in IPA, aka external entries. if memberattr in failed and membertype in failed[memberattr]: @@ -373,9 +376,13 @@ def add_external_post_callback(memberattr, membertype, externalattr, ldap, compl membername = entry[0].lower() member_dn = api.Object[membertype].get_dn(membername) if membername not in external_entries and \ - member_dn not in members: + entry[0] not in external_entries and \ + member_dn not in members: # Not an IPA entry, assume external - external_entries.append(membername) + if normalize: + external_entries.append(membername) + else: + external_entries.append(entry[0]) completed_external += 1 elif membername in external_entries and \ member_dn not in members: @@ -409,8 +416,11 @@ def remove_external_post_callback(memberattr, membertype, externalattr, ldap, co completed_external = 0 for entry in failed[memberattr][membertype]: membername = entry[0].lower() - if membername in external_entries: - external_entries.remove(membername) + if membername in external_entries or entry[0] in external_entries: + try: + external_entries.remove(membername) + except ValueError: + external_entries.remove(entry[0]) completed_external += 1 else: failed_entries.append(membername) diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py index 65657363a463fb0ccb07133c9c84e17b15ffee42..1a6959912e9a6caa556bc164cd9e9ef81574494c 100644 --- a/ipalib/plugins/group.py +++ b/ipalib/plugins/group.py 
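Review bot: add_external_post_callback now reads `external_callback_normalize` out of `options`, but the one caller that sets it (group_add_member in group.py) passes `keys, options` positionally before that keyword; if this function's signature ends in `*keys, **options` (the hunk header is truncated here), the command's real options dict is swallowed into `*keys` and the `options` consulted here holds nothing but `external_callback_normalize`. It works, but only by accident of the positional call: make the switch an explicit keyword parameter, e.g. `def add_external_post_callback(..., external_callback_normalize=True)`, and keep `options.get('external_callback_normalize', True)` only if the `**options` route stays. In remove_external_post_callback the try/except ValueError flow can be replaced by testing which of `membername` and `entry[0]` is present and removing that one.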
@@ -22,6 +22,12 @@ from ipalib import api from ipalib import Int, Str from ipalib.plugins.baseldap import * from ipalib import _, ngettext +if api.env.in_server and api.env.context in ['lite', 'server']: + try: + import ipaserver.dcerpc + _dcerpc_bindings_installed = True + except Exception, e: + _dcerpc_bindings_installed = False __doc__ = _(""" Groups of users @@ -83,19 +89,18 @@ class group(LDAPObject): object_name_plural = _('groups') object_class = ['ipausergroup'] object_class_config = 'ipagroupobjectclasses' - possible_objectclasses = ['posixGroup', 'mepManagedEntry'] + possible_objectclasses = ['posixGroup', 'mepManagedEntry', 'ipaExternalGroup'] search_attributes_config = 'ipagroupsearchfields' default_attributes = [ 'cn', 'description', 'gidnumber', 'member', 'memberof', - 'memberindirect', 'memberofindirect', + 'memberindirect', 'memberofindirect', 'ipaexternalmember', ] uuid_attribute = 'ipauniqueid' attribute_members = { 'member': ['user', 'group'], 'memberof': ['group', 'netgroup', 'role', 'hbacrule', 'sudorule'], 'memberindirect': ['user', 'group'], - 'memberofindirect': ['group', 'netgroup', 'role', 'hbacrule', - 'sudorule'], + 'memberofindirect': ['group', 'netgroup', 'role', 'hbacrule', 'sudorule'], } rdn_is_primary_key = True 
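Review bot: `_dcerpc_bindings_installed` is only assigned inside the `if api.env.in_server and api.env.context in ['lite', 'server']` block, so in any other context the name does not exist and the `if not _dcerpc_bindings_installed` test in group_add_member raises NameError instead of the intended NotFound. Set `_dcerpc_bindings_installed = False` before the `if`, and narrow `except Exception, e` to `except ImportError` (the bound `e` is unused) so that a genuinely broken ipaserver.dcerpc module is not silently reported as "Samba 4 support not installed".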
@@ -139,10 +144,22 @@ class group_add(LDAPCreate): doc=_('Create as a non-POSIX group'), default=False, ), + Flag('external', + cli_name='external', + doc=_('Allow adding external non-IPA members from trusted domains'), + default=False, + ), ) def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): - if not options['nonposix']: + # As both 'external' and 'nonposix' options have default= set for + # them, they will always be present in options dict, thus we can + # safely reference the values + if options['external']: + entry_attrs['objectclass'].append('ipaexternalgroup') + if 'gidnumber' in options: + raise errors.RequirementError(name='gid') + elif not options['nonposix']: entry_attrs['objectclass'].append('posixgroup') if not 'gidnumber' in options: entry_attrs['gidnumber'] = 999 @@ -194,11 +211,18 @@ class group_mod(LDAPUpdate): cli_name='posix', doc=_('change to a POSIX group'), ), + Flag('external', + cli_name='external', + doc=_('change to support external non-IPA members from trusted domains'), + default=False, + ), ) def pre_callback(self, ldap, dn, entry_attrs, *keys, **options): - if options['posix'] or 'gidnumber' in options: + if ('posix' in options and options['posix']) or 'gidnumber' in options: (dn, old_entry_attrs) = ldap.get_entry(dn, ['objectclass']) + if 'ipaexternalgroup' in old_entry_attrs['objectclass']: + raise errors.ExternalGroupViolation() if 'posixgroup' in old_entry_attrs['objectclass']: if options['posix']: raise errors.AlreadyPosixGroup() 
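Review bot: In group_add.pre_callback, `raise errors.RequirementError(name='gid')` fires when `gidnumber` is given together with `--external`; RequirementError reports a missing required value, so the user sees the opposite of what happened. A ValidationError (or MutuallyExclusiveError, if this tree has it) naming both options fits. In group_mod.pre_callback the guard was relaxed to `'posix' in options and options['posix']`, which says `posix` may be absent, yet two lines later `if options['posix']:` still indexes the key directly, so a `--gid` call whose options lack `posix` would KeyError on a posix group; use `options.get('posix')` in both places.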
@@ -207,6 +231,15 @@ class group_mod(LDAPUpdate): entry_attrs['objectclass'] = old_entry_attrs['objectclass'] if not 'gidnumber' in options: entry_attrs['gidnumber'] = 999 + if options['external']: + (dn, old_entry_attrs) = ldap.get_entry(dn, ['objectclass']) + if 'posixgroup' in old_entry_attrs['objectclass']: + raise errors.PosixGroupViolation() + if 'ipaexternalgroup' in old_entry_attrs['objectclass']: + raise errors.AlreadyExternalGroup() + else: + old_entry_attrs['objectclass'].append('ipaexternalgroup') + entry_attrs['objectclass'] = old_entry_attrs['objectclass'] # Can't check for this in a validator because we lack context if 'gidnumber' in options and options['gidnumber'] is None: raise errors.RequirementError(name='gid') 
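Review bot: The `if options['external']:` branch re-reads the entry and then assigns `entry_attrs['objectclass'] = old_entry_attrs['objectclass']` from that fresh read, discarding whatever the `--posix`/`--gid` branch above already appended. So `group-mod --external --gid=N` passes the PosixGroupViolation check (the stored entry is not posix yet), ends up with `gidnumber` set but without `posixgroup` in the object class list, and the directory's schema check decides the outcome rather than this code. Reject `external` combined with `posix` or `gidnumber` explicitly, as group_add does, and fetch the entry once at the top so both branches work on the same `old_entry_attrs`.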
@@ -274,12 +307,64 @@ api.register(group_show) class group_add_member(LDAPAddMember): __doc__ = _('Add members to a group.') + takes_options = ( + Str('ipaexternalmember*', + cli_name='external', + label=_('External member'), + doc=_('comma-separated SIDs of members of a trusted domain'), + csv=True, + flags=['no_create', 'no_update', 'no_search'], + ), + ) + + def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options): + result = (completed, dn) + if 'ipaexternalmember' in options: + if not _dcerpc_bindings_installed: + raise errors.NotFound(name=_('AD Trust'), + reason=_('''Cannot perform external member validation without Samba 4 support installed. + Make sure you have installed server-trust-ad sub-package of IPA on the server''')) + domain_validator = ipaserver.dcerpc.DomainValidator(self.api) + if not domain_validator.is_configured(): + raise errors.NotFound(name=_('AD Trust setup'), + reason=_('''Cannot perform join operation without own domain configured. 
+ Make sure you have run ipa-adtrust-install on the IPA server first''')) + sids = [] + failed_sids = [] + for sid in options['ipaexternalmember']: + if domain_validator.is_trusted_sid_valid(sid): + sids.append(sid) + else: + failed_sids.append((sid, 'Not a trusted domain SID')) + if len(sids) == 0: + raise errors.ValidationError(name=_('external member'), + error=_('values are not recognized as valid SIDs from trusted domain')) + restore = [] + if 'member' in failed and 'group' in failed['member']: + restore = failed['member']['group'] + failed['member']['group'] = list((id,id) for id in sids) + result = add_external_post_callback('member', 'group', 'ipaexternalmember', + ldap, completed, failed, dn, entry_attrs, + keys, options, external_callback_normalize=False) + failed['member']['group'] = restore + failed_sids + return result + api.register(group_add_member) class group_remove_member(LDAPRemoveMember): __doc__ = _('Remove members from a group.') + takes_options = ( + Str('ipaexternalmember*', + cli_name='external', + label=_('External member'), + doc=_('comma-separated SIDs of members of a trusted domain'), + csv=True, + flags=['no_create', 'no_update', 'no_search'], + ), + ) + def pre_callback(self, ldap, dn, found, not_found, *keys, **options): if keys[0] == protected_group_name: result = api.Command.group_show(protected_group_name) 
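Review bot: In group_add_member.post_callback the guard `if 'member' in failed and 'group' in failed['member']` is followed by an unconditional `failed['member']['group'] = list((id,id) for id in sids)`, so if the guard can ever be false the assignment raises KeyError; either drop the guard and document that LDAPAddMember always pre-populates `failed['member']['group']`, or write `failed.setdefault('member', {})['group'] = ...`. Two smaller points: `'Not a trusted domain SID'` is the only user-visible string in this hunk not wrapped in `_()`, and `id` in the generator expression shadows the builtin. The unguarded assignment and the shadowing recur in group_remove_member.post_callback.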
@@ -290,6 +375,20 @@ class group_remove_member(LDAPRemoveMember): label=_(u'group'), container=protected_group_name) return dn + def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options): + result = (completed, dn) + if 'ipaexternalmember' in options: + sids = options['ipaexternalmember'] + restore = list() + if 'member' in failed and 'group' in failed['member']: + restore = failed['member']['group'] + failed['member']['group'] = list((id,id) for id in sids) + result = remove_external_post_callback('member', 'group', 'ipaexternalmember', + ldap, completed, failed, dn, entry_attrs, + keys, options) + failed['member']['group'] = restore + return result + api.register(group_remove_member) diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index 71ca23abae393fff68e366bba96050deba3d3281..40bd93e654c0365ad202abfd82e84345583459dd 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py @@ -171,6 +171,10 @@ class trust_add(LDAPCreate): realm_server = options['realm_server'] trustinstance = ipaserver.dcerpc.TrustDomainJoins(self.api) + if not trustinstance.configured: + raise errors.NotFound(name=_('AD Trust setup'), + reason=_('''Cannot perform join operation without own domain configured. + Make sure you have run ipa-adtrust-install on the IPA server first''')) # 1. Full access to the remote domain. Use admin credentials and # generate random trustdom password to do work on both sides diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index 3bc8b63af3f416cc45cb75c76fd7b9587f367e3e..07e40c2d35b41a2665232f3e6d853b47aef707bb 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py 
@@ -58,6 +58,79 @@ class ExtendedDNControl(_ldap.controls.RequestControl): def encodeControlValue(self): return '0\x03\x02\x01\x01' +class DomainValidator(object): + ATTR_FLATNAME = 'ipantflatname' + ATTR_SID = 'ipantsecurityidentifier' + ATTR_TRUSTED_SID = 'ipanttrusteddomainsid' + + def __init__(self, api): + self.api = api + self.ldap = self.api.Backend.ldap2 + self.domain = None + self.flatname = None + self.dn = None + self.sid = None + self._domains = None + + def is_configured(self): + cn_trust_local = DN(('cn', self.api.env.domain), self.api.env.container_cifsdomains, self.api.env.basedn) + try: + (dn, entry_attrs) = self.ldap.get_entry(unicode(cn_trust_local), [self.ATTR_FLATNAME, self.ATTR_SID]) + self.flatname = entry_attrs[self.ATTR_FLATNAME][0] + self.sid = entry_attrs[self.ATTR_SID][0] + self.dn = dn + self.domain = self.api.env.domain + except errors.NotFound, e: + return False + return True + + def get_trusted_domains(self): + cn_trust = DN(('cn', 'ad'), self.api.env.container_trusts, self.api.env.basedn) + try: + search_kw = {'objectClass': 'ipaNTTrustedDomain'} + filter = self.ldap.make_filter(search_kw, rules=self.ldap.MATCH_ALL) + (entries, truncated) = self.ldap.find_entries(filter=filter, base_dn=unicode(cn_trust), + attrs_list=[self.ATTR_TRUSTED_SID, 'dn']) + + return entries + except errors.NotFound, e: + return [] + + def is_trusted_sid_valid(self, sid): + if not self.domain: + # our domain is not configured or self.is_configured() never run + # reject SIDs as we can't check correctness of them + return False + # Parse sid string to see if it is really in a SID format + try: + test_sid = security.dom_sid(sid) + except TypeError: + return False + (dom, sid_rid) = test_sid.split() + sid_dom = str(dom) + # Now we have domain prefix of the sid as sid_dom string and can + # analyze it against known prefixes + if sid_dom.find(security.SID_NT_AUTHORITY) != 0: + # Ignore any potential SIDs that are not S-1-5-* + return False + if 
sid_dom.find(self.sid) == 0: + # A SID from our own domain cannot be treated as trusted domain's SID + return False + # At this point we have SID_NT_AUTHORITY family SID and really need to + # check it against prefixes of domain SIDs we trust to + if not self._domains: + self._domains = self.get_trusted_domains() + if len(self._domains) == 0: + # Our domain is configured but no trusted domains are configured + # This means we can't check the correctness of a trusted domain SIDs + return False + # We have non-zero list of trusted domains and have to go through them + # one by one and check their sids as prefixes + for (dn, domaininfo) in self._domains: + if sid_dom.find(domaininfo[self.ATTR_TRUSTED_SID][0]) == 0: + return True + return False + class TrustDomainInstance(object): def __init__(self, hostname, creds=None): @@ -247,20 +320,18 @@ class TrustDomainInstance(object): self._pipe.CreateTrustedDomainEx2(self._policy_handle, info, self.auth_info, security.SEC_STD_DELETE) class TrustDomainJoins(object): - ATTR_FLATNAME = 'ipantflatname' - def __init__(self, api): self.api = api self.local_domain = None self.remote_domain = None - self.ldap = self.api.Backend.ldap2 - cn_trust_local = DN(('cn', self.api.env.domain), self.api.env.container_cifsdomains, self.api.env.basedn) - (dn, entry_attrs) = self.ldap.get_entry(unicode(cn_trust_local), [self.ATTR_FLATNAME]) - self.local_flatname = entry_attrs[self.ATTR_FLATNAME][0] - self.local_dn = dn + domain_validator = DomainValidator(api) + self.configured = domain_validator.is_configured() - self.__populate_local_domain() + if self.configured: + self.local_flatname = domain_validator.flatname + self.local_dn = domain_validator.dn + self.__populate_local_domain() def __populate_local_domain(self): # Initialize local domain info using kerberos only 
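Review bot: DomainValidator.is_trusted_sid_valid compares SIDs by string prefix (`sid_dom.find(...) == 0`), both for the own-domain check and in the loop over `ipanttrusteddomainsid` values. Since `test_sid.split()` already strips the RID, `sid_dom` is a complete domain SID and should be compared for equality with each trusted domain SID; with a prefix test, a SID whose domain identifier merely begins with a trusted domain's string (illustratively, S-1-5-21-1-2-30 against a trusted S-1-5-21-1-2-3) is accepted as a trusted-domain member. The own-domain comparison has the same shape and should also be an equality test. Minor: `filter` shadows the builtin in get_trusted_domains, and `if not self._domains:` re-queries LDAP on every call while the list stays empty, which is tolerable but deserves a comment.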
@@ -308,6 +379,9 @@ class TrustDomainJoins(object): self.remote_domain = rd def join_ad_full_credentials(self, realm, realm_server, realm_admin, realm_passwd): + if not self.configured: + return None + self.__populate_remote_domain(realm, realm_server, realm_admin, realm_passwd) if not self.remote_domain.read_only: trustdom_pass = samba.generate_random_password(128, 128) @@ -317,6 +391,9 @@ class TrustDomainJoins(object): return None def join_ad_ipa_half(self, realm, realm_server, trustdom_passwd): + if not self.configured: + return None + self.__populate_remote_domain(realm, realm_server, realm_passwd=None) self.local_domain.establish_trust(self.remote_domain, trustdom_passwd) return dict(local=self.local_domain, remote=self.remote_domain) -- 1.7.10.4 From sbose at redhat.com Wed Jun 27 10:36:05 2012 
From: sbose at redhat.com (Sumit Bose) Date: Wed, 27 Jun 2012 12:36:05 +0200 Subject: [Freeipa-devel] [PATCH] External group membership for trusted domains In-Reply-To: <20120627095656.GB16889@redhat.com> References: <20120621152602.GA28689@redhat.com> <20120625105914.GX29454@localhost.localdomain> <20120625130652.GC5935@redhat.com> <20120627095656.GB16889@redhat.com> Message-ID: <20120627103605.GG29454@localhost.localdomain> On Wed, Jun 27, 2012 at 12:56:56PM +0300, Alexander Bokovoy wrote: > On Mon, 25 Jun 2012, Alexander Bokovoy wrote: > >On Mon, 25 Jun 2012, Sumit Bose wrote: > >>Hi Alexander, > >> > >>On Thu, Jun 21, 2012 at 06:26:02PM +0300, Alexander Bokovoy wrote: > >>>Hi! > >>> > >>>Attached is the patch to support external group membership for trusted > >>>domains. This is needed to get proper group membership with the work > >>>Sumit and Jan are doing on both IPA and SSSD sides. > >>> > >>>We already have ipaExternalGroup class that includes ipaExternalMember > >>>attribute (multivalued case-insensitive string). The group that has > >>>ipaExternalGroup object class will have to be non-POSIX and > >>>ipaExternalMember > >>>attribute will contain security identifiers (SIDs) of members from > >>>trusted domains. > >>> > >>>The patch takes care of three things: > >>>1. Extends 'ipa group-add' with --external option to add > >>> ipaExternalGroup object class to a new group > >>>2. Modifies 'ipa group-add-member' to accept --external CSV argument > >>> to specify SIDs > >>>3. Modifies 'ipa group-del-member' to allow removing external members. > >> > >>thank you for the patch, it works as expected, but I have a few > >>comments: > >> > >>- there is a trailing whitespace at the end of the "This means we can't > >> check the correctness of a trusted domain SIDs" line > >>- when using ipa group-add-member with --external there are still prompts > >> for [member user] and [member group], can those be suppressed? 
> >>- with ipa group-mod --posix it is possible to add the posixGroup > >> objectclass together with a GID to the external group object. This > >> should result in an error and also the other way round, adding > >> --external to Posix groups. > >Updated patch is attached. It fixes whitespace and group-mod. > New revision. Thank you. This version works well in my tests, so ACK. It would be nice if someone can have a short look at the changes to baseldap.py to see if there are any unexpected side effects. bye, Sumit > > > -- > / Alexander Bokovoy From pviktori at redhat.com Wed Jun 27 10:45:31 2012 
From: pviktori at redhat.com (Petr Viktorin) Date: Wed, 27 Jun 2012 12:45:31 +0200 Subject: [Freeipa-devel] [PATCH] 26 Fix '--random' param behaviour for host plugin In-Reply-To: <4FE9C6BB.4000109@redhat.com> References: <4FDA097D.4030601@redhat.com> <4FDA4AF7.1050102@redhat.com> <1339738614.12383.5.camel@priserak> <4FE1EFA5.4090602@redhat.com> <4FE87CE3.9020706@redhat.com> <4FE9C6BB.4000109@redhat.com> Message-ID: <4FEAE44B.5060309@redhat.com> On 06/26/2012 04:27 PM, Ondrej Hamada wrote: > On 06/25/2012 04:59 PM, Petr Viktorin wrote: >> On 06/20/2012 05:43 PM, Ondrej Hamada wrote: >>> On 06/15/2012 07:36 AM, Martin Kosek wrote: >>>> On Thu, 2012-06-14 at 16:35 -0400, Rob Crittenden wrote: >>>>> Ondrej Hamada wrote: >>>>>> Improved options checking so that host-mod operation is not changing >>>>>> password for enrolled host when '--random' option is used. >>>>>> >>>>>> https://fedorahosted.org/freeipa/ticket/2799 >>>>>> >>>>>> Updated set of characters that is used for generating random >>>>>> passwords >>>>>> for ipa hosts. Following characters were removed from the set: >>>>>> '"`\$<> >>>>>> >>>>>> https://fedorahosted.org/freeipa/ticket/2800 >>>>> This works ok but it would be nice to have a test for both setting a >>>>> password and random on an enrolled host to prevent regressions. We >>>>> have >>>>> some ipa-getkeytab tests already and these can be extended to test >>>>> this >>>>> I think. >>>>> >>>>> Might be nice to mention in the inline comment the set of characters >>>>> excluded and why. >>>>> >>>>> rob >>>>> >>> I've added new test class into test_host_plugin.py that takes care of >>> that. Just there is a problem that the ipa-join command always fails on >>> 'adding key into keytab'. But the attributes necessary for testing are >>> set correctly, so the testing can continue. >>>> We already generate passwords for users with this character set: >>>> user_pwdchars = string.digits + string.ascii_letters + '_,. 
at +-=' >>>> >>>> Why would we want to generate passwords for host enrolling with a >>>> different set? Additionally, I think the set of characters you chose is >>>> too wide, try entering a passwords with ' ', !, (, ), &, or ; without >>>> careful escaping or quoting... >>>> >>>> Martin >>>> >>> Ok, I've used the same set of characters as for the user passwords. >> >> Should this set just be used for generated passwords by default? >> Possibly with slightly longer passwords so they aren't suddenly weaker. > > I prefer to generate strong passwords by default and if anyone needs > easier one, then he must adjust it. Especially in this case when we use > one generator in different places. >> >> >> >> Anyway, the patch works great here. I just have a few style issues: >> >>> >>> freeipa-ohamada-26-2-Change-random-passwords-behaviour.patch >>> >>> >>> From bc19f44023643ff726e6e36634fbcbcbd0859583 Mon Sep 17 00:00:00 2001 >>> From: Ondrej Hamada >>> Date: Mon, 18 Jun 2012 15:25:05 +0200 >>> Subject: [PATCH] Change random passwords behaviour >>> >>> Improved options checking so that host-mod operation is not changing >>> password for enrolled host when '--random' option is used. >>> >>> Unit tests added. >>> >>> https://fedorahosted.org/freeipa/ticket/2799 >>> >>> Updated set of characters that is used for generating random passwords >>> for ipa hosts. All characters that might need escaping were removed. >>> >>> https://fedorahosted.org/freeipa/ticket/2800 >>> --- >>> ipalib/plugins/host.py | 11 ++++- >>> tests/test_xmlrpc/test_host_plugin.py | 75 >>> ++++++++++++++++++++++++++++++++- >>> 2 files changed, 82 insertions(+), 4 deletions(-) >>> >>> diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py >>> index >>> 96b73cc5594335ad02dd43f87e7e011ab84157a1..9680d7c024ea8976f92a71bf576d6712c44a2bcf >>> 100644 >>> --- a/ipalib/plugins/host.py >>> +++ b/ipalib/plugins/host.py 
>>> @@ -24,6 +24,7 @@ import sys >>> from nss.error import NSPRError >>> import nss.nss as nss >>> import netaddr >>> +import string >>> >>> from ipalib import api, errors, util >>> from ipalib import Str, Flag, Bytes >>> @@ -99,6 +100,10 @@ EXAMPLES: >>> ipa host-add-managedby --hosts=test2 test >>> """) >>> >>> +# Characters to be used by random password generator >>> +# The set was chosen to avoid the need for escaping the characters >>> by user >>> +host_pwd_chars=string.digits + string.ascii_letters + '_,. at +-=' >>> + >>> def remove_fwd_ptr(ipaddr, host, domain, recordtype): >>> api.log.debug('deleting ipaddr %s' % ipaddr) >>> try: >>> @@ -404,7 +409,7 @@ class host_add(LDAPCreate): >>> if 'krbprincipal' in entry_attrs['objectclass']: >>> entry_attrs['objectclass'].remove('krbprincipal') >>> if options.get('random'): >>> - entry_attrs['userpassword'] = ipa_generate_password() >>> + entry_attrs['userpassword'] = >>> ipa_generate_password(characters=host_pwd_chars) >>> # save the password so it can be displayed in >>> post_callback >>> setattr(context, 'randompassword', >>> entry_attrs['userpassword']) >>> cert = options.get('usercertificate') >>> @@ -596,7 +601,7 @@ class host_mod(LDAPUpdate): >>> def pre_callback(self, ldap, dn, entry_attrs, attrs_list, >>> *keys, **options): >>> # Allow an existing OTP to be reset but don't allow a OTP >>> to be >>> # added to an enrolled host. >>> - if 'userpassword' in options: >>> + if options.get('userpassword') or options.get('random'): >>> entry = {} >>> self.obj.get_password_attributes(ldap, dn, entry) >>> if not entry['has_password'] and entry['has_keytab']: 
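Review bot: In host_mod.pre_callback the condition changes from `'userpassword' in options` (key present) to `options.get('userpassword')` (value truthy). An explicitly empty or None password now skips the enrolled-host check this branch exists for; if clearing the OTP of an enrolled host should stay blocked as before, keep the membership test and only add the random case: `if 'userpassword' in options or options.get('random'):`.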
>>> @@ -649,7 +654,7 @@ class host_mod(LDAPUpdate): >>> entry_attrs['usercertificate'] = cert >>> >>> if options.get('random'): >>> - entry_attrs['userpassword'] = ipa_generate_password() >>> + entry_attrs['userpassword'] = >>> ipa_generate_password(characters=host_pwd_chars) >>> setattr(context, 'randompassword', >>> entry_attrs['userpassword']) >>> if 'macaddress' in entry_attrs: >>> if 'objectclass' in entry_attrs: >>> diff --git a/tests/test_xmlrpc/test_host_plugin.py >>> b/tests/test_xmlrpc/test_host_plugin.py >>> index >>> 8798168afa71653b64870c77d11a7fa81ec4c952..fa1f2906f556af388499eac316c4b7c05c66ad85 >>> 100644 >>> --- a/tests/test_xmlrpc/test_host_plugin.py >>> +++ b/tests/test_xmlrpc/test_host_plugin.py >>> @@ -22,9 +22,13 @@ >>> Test the `ipalib.plugins.host` module. >>> """ >>> >>> +import os >>> +import tempfile >>> +from ipapython import ipautil >>> from ipalib import api, errors, x509 >>> from ipalib.dn import * >>> -from tests.test_xmlrpc.xmlrpc_test import Declarative, fuzzy_uuid, >>> fuzzy_digits >>> +from tests.test_xmlrpc.xmlrpc_test import Declarative, XMLRPC_test >>> +from tests.test_xmlrpc.xmlrpc_test import fuzzy_uuid, fuzzy_digits >>> from tests.test_xmlrpc.xmlrpc_test import fuzzy_hash, fuzzy_date, >>> fuzzy_issuer >>> from tests.test_xmlrpc.xmlrpc_test import fuzzy_hex >> >> To avoid the repetition you can put the imported names in parentheses: >> >> from tests.test_xmlrpc.xmlrpc_test import (Declarative, XMLRPC_test, >> fuzzy_uuid, fuzzy_digits, fuzzy_hash, fuzzy_date, fuzzy_issuer, >> fuzzy_hex) >> >> >>> from tests.test_xmlrpc import objectclasses 
>>> @@ -740,3 +744,72 @@ class test_host(Declarative): >>> ), >>> >>> ] >>> + >>> +class test_host_false_pwd_change(XMLRPC_test): >>> + >>> + fqdn1 = u'testhost1.%s' % api.env.domain >>> + short1 = u'testhost1' >>> + new_pass = u'pass_123' >>> + >>> + command = "ipa-client/ipa-join" >>> + [keytabfd, keytabname] = tempfile.mkstemp() >>> + os.close(keytabfd) >>> + >>> + # auxiliary function for checking whether the join operation has >>> set >>> + # correct attributes >>> + def keytab_exists(self): >>> + ret = api.Command['host_show'](self.fqdn1,all=True) >>> + assert (ret['result']['has_keytab'] == True) >>> + assert (ret['result']['has_password'] == False) >> >> The parentheses around assert's argument are unnecessary. >> >>> + def test_a_join_host(self): >>> + """ >>> + Create a test host and join him into IPA. >>> + """ >>> + try: >>> + random_pass = api.Command['host_add'](self.fqdn1, >>> random=True, force=True)['result']['randompassword'] >>> + except: >>> + # new host must be created with the random password >>> + assert (False) >> >> I don't see why you used a try/except block here. It's not good to >> hide the error that was raised. >> >>> + new_args = [self.command, >>> + "-s", api.env.host, >>> + "-h", self.fqdn1, >>> + "-k", self.keytabname, >>> + "-w", random_pass, >>> + "-q", >>> + ] >>> + try: >>> + # join operation may fail on 'adding key into keytab', but >>> + # the keytab is not necessary for further tests >>> + (out, err, rc) = ipautil.run(new_args, None) >>> + self.keytab_exists() >>> + except ipautil.CalledProcessError, e: >>> + self.keytab_exists() >>> + >>> + def test_b_try_password(self): >>> + """ >>> + Try to change the password of enrolled host with specified >>> password >>> + """ >>> + try: >>> + api.Command['host_mod'](self.fqdn1,userpassword=self.new_pass) >> >> Add a space after the comma (here and below). >> >>> + assert (False) >>> + except errors.ValidationError: >>> + pass >> >> It's better to use nose's @raises decorator here. 
See for example >> test_hbac_plugin.py. >> >>> + def test_c_try_random(self): >>> + """ >>> + Try to change the password of enrolled host with random >>> password >>> + """ >>> + try: >>> + api.Command['host_mod'](self.fqdn1,random=True) >>> + assert (False) >>> + except errors.ValidationError: >>> + pass >>> + >>> + def test_d_cleanup(self): >>> + """ >>> + Clean up test data >>> + """ >>> + os.unlink(self.keytabname) >>> + api.Command['host_del'](self.fqdn1) >>> -- 1.7.6.5 >>> >>> >>> >>> _______________________________________________ >>> Freeipa-devel mailing list >>> Freeipa-devel at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>> >> >> > Thanks for the coding style hints, it looks better now. Corrected patch > attached. > Looks good. ACK. -- Petr³ From mkosek at redhat.com Wed Jun 27 11:00:38 2012 
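Review bot: In test_host_false_pwd_change the `tempfile.mkstemp()` call sits in the class body, so the temporary file is created whenever the module is imported, whether or not this class runs, and it is only removed if test_d_cleanup is reached; the host created in test_a_join_host has the same problem. Move both into a class-level setup/teardown hook so a failure in test_b or test_c does not leave the file and the host behind, and drop the unused `short1`.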
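The character-set question Martin and Petr discuss above (which symbols force shell escaping, and whether a narrower set must be compensated with a longer password), as an added example that is not part of the patch or of FreeIPA: it checks the proposed host set against POSIX quoting rules and computes the length that keeps the entropy of a wider set. The 94-symbol wide set is an assumption made only for the comparison.

```python
import math
import shlex
import string
from random import SystemRandom

# The character set the patch proposes for generated host passwords, as
# quoted in the thread (the archive shows '@' as " at "; it is restored here).
HOST_PWD_CHARS = string.digits + string.ascii_letters + '_,.@+-='

# The characters the first version of the patch removed, as listed in the thread.
REMOVED_CHARS = '\'"`\\$<>'

# Assumption for comparison only: a "wide" generator drawing from every
# printable non-space ASCII character (94 symbols).
WIDE_CHARS = ''.join(c for c in string.printable if not c.isspace())

_rng = SystemRandom()  # OS CSPRNG; never random.random() for credentials


def generate_password(length, chars=HOST_PWD_CHARS):
    """Draw `length` characters uniformly and independently from `chars`."""
    if length < 1:
        raise ValueError('length must be positive')
    return ''.join(_rng.choice(chars) for _ in range(length))


def bits_per_char(chars):
    """Entropy contributed by one uniformly chosen character of `chars`."""
    return math.log2(len(set(chars)))


def entropy_bits(length, chars):
    """Entropy of a `length`-character password drawn uniformly from `chars`."""
    return length * bits_per_char(chars)


def equivalent_length(length, wide_chars, narrow_chars):
    """Smallest length over `narrow_chars` that is at least as strong as
    `length` characters over `wide_chars`: the "slightly longer" password
    from the thread, made precise."""
    target = entropy_bits(length, wide_chars)
    return math.ceil(target / bits_per_char(narrow_chars))


def needs_shell_quoting(s):
    """True when a POSIX shell needs quoting to pass `s` literally,
    i.e. when shlex.quote() has to wrap it."""
    return shlex.quote(s) != s


def unsafe_characters(chars):
    """Characters of `chars` a user would have to escape on a command line."""
    return ''.join(c for c in chars if needs_shell_quoting(c))


if __name__ == '__main__':
    print('host set: %d symbols, %.2f bits/char'
          % (len(HOST_PWD_CHARS), bits_per_char(HOST_PWD_CHARS)))
    print('unsafe in host set: %r' % unsafe_characters(HOST_PWD_CHARS))
    print('unsafe among removed: %r' % unsafe_characters(REMOVED_CHARS))
    n = equivalent_length(12, WIDE_CHARS, HOST_PWD_CHARS)
    print('12 wide characters ~ %d host characters' % n)
    print('sample: %s' % generate_password(n))
```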
From: mkosek at redhat.com (Martin Kosek) Date: Wed, 27 Jun 2012 13:00:38 +0200 Subject: [Freeipa-devel] [PATCH] 26 Fix '--random' param behaviour for host plugin In-Reply-To: <4FEAE44B.5060309@redhat.com> References: <4FDA097D.4030601@redhat.com> <4FDA4AF7.1050102@redhat.com> <1339738614.12383.5.camel@priserak> <4FE1EFA5.4090602@redhat.com> <4FE87CE3.9020706@redhat.com> <4FE9C6BB.4000109@redhat.com> <4FEAE44B.5060309@redhat.com> Message-ID: <4FEAE7D6.2060107@redhat.com> On 06/27/2012 12:45 PM, Petr Viktorin wrote: > On 06/26/2012 04:27 PM, Ondrej Hamada wrote: >> On 06/25/2012 04:59 PM, Petr Viktorin wrote: >>> On 06/20/2012 05:43 PM, Ondrej Hamada wrote: >>>> On 06/15/2012 07:36 AM, Martin Kosek wrote: >>>>> On Thu, 2012-06-14 at 16:35 -0400, Rob Crittenden wrote: >>>>>> Ondrej Hamada wrote: >>>>>>> Improved options checking so that host-mod operation is not changing >>>>>>> password for enrolled host when '--random' option is used. >>>>>>> >>>>>>> https://fedorahosted.org/freeipa/ticket/2799 >>>>>>> >>>>>>> Updated set of characters that is used for generating random >>>>>>> passwords >>>>>>> for ipa hosts. Following characters were removed from the set: >>>>>>> '"`\$<> >>>>>>> >>>>>>> https://fedorahosted.org/freeipa/ticket/2800 >>>>>> This works ok but it would be nice to have a test for both setting a >>>>>> password and random on an enrolled host to prevent regressions. We >>>>>> have >>>>>> some ipa-getkeytab tests already and these can be extended to test >>>>>> this >>>>>> I think. >>>>>> >>>>>> Might be nice to mention in the inline comment the set of characters >>>>>> excluded and why. >>>>>> >>>>>> rob >>>>>> >>>> I've added new test class into test_host_plugin.py that takes care of >>>> that. Just there is a problem that the ipa-join command always fails on >>>> 'adding key into keytab'. But the attributes necessary for testing are >>>> set correctly, so the testing can continue. 
>>>>> We already generate passwords for users with this character set: >>>>> user_pwdchars = string.digits + string.ascii_letters + '_,. at +-=' >>>>> >>>>> Why would we want to generate passwords for host enrolling with a >>>>> different set? Additionally, I think the set of characters you chose is >>>>> too wide, try entering a passwords with ' ', !, (, ), &, or ; without >>>>> careful escaping or quoting... >>>>> >>>>> Martin >>>>> >>>> Ok, I've used the same set of characters as for the user passwords. >>> >>> Should this set just be used for generated passwords by default? >>> Possibly with slightly longer passwords so they aren't suddenly weaker. >> >> I prefer to generate strong passwords by default and if anyone needs >> easier one, then he must adjust it. Especially in this case when we use >> one generator in different places. >>> >>> >>> >>> Anyway, the patch works great here. I just have a few style issues: >>> >>>> >>>> freeipa-ohamada-26-2-Change-random-passwords-behaviour.patch >>>> >>>> >>>> From bc19f44023643ff726e6e36634fbcbcbd0859583 Mon Sep 17 00:00:00 2001 >>>> From: Ondrej Hamada >>>> Date: Mon, 18 Jun 2012 15:25:05 +0200 >>>> Subject: [PATCH] Change random passwords behaviour >>>> >>>> Improved options checking so that host-mod operation is not changing >>>> password for enrolled host when '--random' option is used. >>>> >>>> Unit tests added. >>>> >>>> https://fedorahosted.org/freeipa/ticket/2799 >>>> >>>> Updated set of characters that is used for generating random passwords >>>> for ipa hosts. All characters that might need escaping were removed. >>>> >>>> https://fedorahosted.org/freeipa/ticket/2800 >>>> --- >>>> ipalib/plugins/host.py | 11 ++++- >>>> tests/test_xmlrpc/test_host_plugin.py | 75 >>>> ++++++++++++++++++++++++++++++++- >>>> 2 files changed, 82 insertions(+), 4 deletions(-) 
>>>> >>>> diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py >>>> index >>>> 96b73cc5594335ad02dd43f87e7e011ab84157a1..9680d7c024ea8976f92a71bf576d6712c44a2bcf >>>> >>>> 100644 >>>> --- a/ipalib/plugins/host.py >>>> +++ b/ipalib/plugins/host.py >>>> @@ -24,6 +24,7 @@ import sys >>>> from nss.error import NSPRError >>>> import nss.nss as nss >>>> import netaddr >>>> +import string >>>> >>>> from ipalib import api, errors, util >>>> from ipalib import Str, Flag, Bytes >>>> @@ -99,6 +100,10 @@ EXAMPLES: >>>> ipa host-add-managedby --hosts=test2 test >>>> """) >>>> >>>> +# Characters to be used by random password generator >>>> +# The set was chosen to avoid the need for escaping the characters >>>> by user >>>> +host_pwd_chars=string.digits + string.ascii_letters + '_,. at +-=' >>>> + >>>> def remove_fwd_ptr(ipaddr, host, domain, recordtype): >>>> api.log.debug('deleting ipaddr %s' % ipaddr) >>>> try: >>>> @@ -404,7 +409,7 @@ class host_add(LDAPCreate): >>>> if 'krbprincipal' in entry_attrs['objectclass']: >>>> entry_attrs['objectclass'].remove('krbprincipal') >>>> if options.get('random'): >>>> - entry_attrs['userpassword'] = ipa_generate_password() >>>> + entry_attrs['userpassword'] = >>>> ipa_generate_password(characters=host_pwd_chars) >>>> # save the password so it can be displayed in >>>> post_callback >>>> setattr(context, 'randompassword', >>>> entry_attrs['userpassword']) >>>> cert = options.get('usercertificate') >>>> @@ -596,7 +601,7 @@ class host_mod(LDAPUpdate): >>>> def pre_callback(self, ldap, dn, entry_attrs, attrs_list, >>>> *keys, **options): >>>> # Allow an existing OTP to be reset but don't allow a OTP >>>> to be >>>> # added to an enrolled host. >>>> - if 'userpassword' in options: >>>> + if options.get('userpassword') or options.get('random'): >>>> entry = {} >>>> self.obj.get_password_attributes(ldap, dn, entry) >>>> if not entry['has_password'] and entry['has_keytab']: 
>>>> @@ -649,7 +654,7 @@ class host_mod(LDAPUpdate): >>>> entry_attrs['usercertificate'] = cert >>>> >>>> if options.get('random'): >>>> - entry_attrs['userpassword'] = ipa_generate_password() >>>> + entry_attrs['userpassword'] = >>>> ipa_generate_password(characters=host_pwd_chars) >>>> setattr(context, 'randompassword', >>>> entry_attrs['userpassword']) >>>> if 'macaddress' in entry_attrs: >>>> if 'objectclass' in entry_attrs: >>>> diff --git a/tests/test_xmlrpc/test_host_plugin.py >>>> b/tests/test_xmlrpc/test_host_plugin.py >>>> index >>>> 8798168afa71653b64870c77d11a7fa81ec4c952..fa1f2906f556af388499eac316c4b7c05c66ad85 >>>> >>>> 100644 >>>> --- a/tests/test_xmlrpc/test_host_plugin.py >>>> +++ b/tests/test_xmlrpc/test_host_plugin.py >>>> @@ -22,9 +22,13 @@ >>>> Test the `ipalib.plugins.host` module. >>>> """ >>>> >>>> +import os >>>> +import tempfile >>>> +from ipapython import ipautil >>>> from ipalib import api, errors, x509 >>>> from ipalib.dn import * >>>> -from tests.test_xmlrpc.xmlrpc_test import Declarative, fuzzy_uuid, >>>> fuzzy_digits >>>> +from tests.test_xmlrpc.xmlrpc_test import Declarative, XMLRPC_test >>>> +from tests.test_xmlrpc.xmlrpc_test import fuzzy_uuid, fuzzy_digits >>>> from tests.test_xmlrpc.xmlrpc_test import fuzzy_hash, fuzzy_date, >>>> fuzzy_issuer >>>> from tests.test_xmlrpc.xmlrpc_test import fuzzy_hex >>> >>> To avoid the repetition you can put the imported names in parentheses: >>> >>> from tests.test_xmlrpc.xmlrpc_test import (Declarative, XMLRPC_test, >>> fuzzy_uuid, fuzzy_digits, fuzzy_hash, fuzzy_date, fuzzy_issuer, >>> fuzzy_hex) >>> >>> >>>> from tests.test_xmlrpc import objectclasses 
>>>> @@ -740,3 +744,72 @@ class test_host(Declarative): >>>> ), >>>> >>>> ] >>>> + >>>> +class test_host_false_pwd_change(XMLRPC_test): >>>> + >>>> + fqdn1 = u'testhost1.%s' % api.env.domain >>>> + short1 = u'testhost1' >>>> + new_pass = u'pass_123' >>>> + >>>> + command = "ipa-client/ipa-join" >>>> + [keytabfd, keytabname] = tempfile.mkstemp() >>>> + os.close(keytabfd) >>>> + >>>> + # auxiliary function for checking whether the join operation has >>>> set >>>> + # correct attributes >>>> + def keytab_exists(self): >>>> + ret = api.Command['host_show'](self.fqdn1,all=True) >>>> + assert (ret['result']['has_keytab'] == True) >>>> + assert (ret['result']['has_password'] == False) >>> >>> The parentheses around assert's argument are unnecessary. >>> >>>> + def test_a_join_host(self): >>>> + """ >>>> + Create a test host and join him into IPA. >>>> + """ >>>> + try: >>>> + random_pass = api.Command['host_add'](self.fqdn1, >>>> random=True, force=True)['result']['randompassword'] >>>> + except: >>>> + # new host must be created with the random password >>>> + assert (False) >>> >>> I don't see why you used a try/except block here. It's not good to >>> hide the error that was raised. >>> >>>> + new_args = [self.command, >>>> + "-s", api.env.host, >>>> + "-h", self.fqdn1, >>>> + "-k", self.keytabname, >>>> + "-w", random_pass, >>>> + "-q", >>>> + ] >>>> + try: >>>> + # join operation may fail on 'adding key into keytab', but >>>> + # the keytab is not necessary for further tests >>>> + (out, err, rc) = ipautil.run(new_args, None) >>>> + self.keytab_exists() >>>> + except ipautil.CalledProcessError, e: >>>> + self.keytab_exists() >>>> + >>>> + def test_b_try_password(self): >>>> + """ >>>> + Try to change the password of enrolled host with specified >>>> password >>>> + """ >>>> + try: >>>> + api.Command['host_mod'](self.fqdn1,userpassword=self.new_pass) >>> >>> Add a space after the comma (here and below). 
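Review bot: `[keytabfd, keytabname] = tempfile.mkstemp()` in the class body of `test_host_false_pwd_change` runs at import time, so the temporary file is created on every test-suite run, including runs where this class never executes, and it is only removed if `test_d_cleanup` is reached; the host created in `test_a_join_host` is likewise left in the directory when any earlier test fails. Move the file and host creation into class-level setup/teardown (nose runs `setup_class`/`teardown_class` class methods) so cleanup does not depend on the alphabetical ordering of the test names. In `test_a_join_host`, the `except ipautil.CalledProcessError, e:` branch discards `e`; at least log `err` or assert on `e.returncode` so that a join which failed for a reason other than the keytab write is not silently accepted because `keytab_exists()` happened to pass. Lastly, the one-time password is handed to `ipa-join` as the `-w` argument, so it is visible in the process list while the test runs; acceptable in a test, but worth a comment.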
>>> >>>> + assert (False) >>>> + except errors.ValidationError: >>>> + pass >>> >>> It's better to use nose's @raises decorator here. See for example >>> test_hbac_plugin.py. >>> >>>> + def test_c_try_random(self): >>>> + """ >>>> + Try to change the password of enrolled host with random >>>> password >>>> + """ >>>> + try: >>>> + api.Command['host_mod'](self.fqdn1,random=True) >>>> + assert (False) >>>> + except errors.ValidationError: >>>> + pass >>>> + >>>> + def test_d_cleanup(self): >>>> + """ >>>> + Clean up test data >>>> + """ >>>> + os.unlink(self.keytabname) >>>> + api.Command['host_del'](self.fqdn1) >>>> -- 1.7.6.5 >>>> >>>> >>>> >>>> _______________________________________________ >>>> Freeipa-devel mailing list >>>> Freeipa-devel at redhat.com >>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>>> >>> >>> >> Thanks for the coding style hints, it looks better now. Corrected patch >> attached. >> > > Looks good. ACK. > Pushed to master. Martin From pviktori at redhat.com Wed Jun 27 11:34:03 2012 
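The character-set discussion in the thread above (whether generated host passwords should share the user-password alphabet, and the worry that a narrower alphabet makes them weaker unless they also get longer) can be made concrete. The following is an added example written for this page, not code from the FreeIPA tree: it reads the `'_,. at +-='` in the quoted `user_pwdchars` as `'_,.@+-='` (the archive's address mangling), draws from that alphabet with the OS CSPRNG, and derives the length from a target entropy so the generated password keeps the same strength whatever alphabet is in use. `HOST_PWD_CHARS`, `length_for_entropy`, `generate_password` and the 80-bit target are this example's own names and assumptions, not IPA's.

```python
import math
import secrets
import string

# Alphabet from the thread (user_pwdchars, with " at " read as "@"): digits,
# ASCII letters and seven punctuation characters that need no quoting in a
# POSIX shell or on the ipa command line. 69 symbols in total.
HOST_PWD_CHARS = string.digits + string.ascii_letters + "_,.@+-="

# Characters the thread warns about: they need escaping or quoting when typed
# on a command line, so they are deliberately kept out of the alphabet.
SHELL_UNSAFE = frozenset(" !()&;'\"$`\\|<>*?[]{}#~")


def entropy_bits(alphabet_size, length):
    """Entropy of `length` independent uniform draws from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def length_for_entropy(alphabet_size, target_bits):
    """Smallest length whose uniform draws from `alphabet_size` symbols
    reach `target_bits` of entropy."""
    if alphabet_size < 2:
        raise ValueError("alphabet must contain at least two symbols")
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_password(characters=HOST_PWD_CHARS, min_bits=80, length=None):
    """Random password drawn uniformly from `characters`.

    The length is derived from `min_bits` (assumed target: 80 bits) unless the
    caller fixes `length`; a narrower alphabet therefore yields a longer
    password instead of a weaker one."""
    if len(set(characters)) != len(characters):
        raise ValueError("duplicate symbols would skew the distribution")
    if length is None:
        length = length_for_entropy(len(characters), min_bits)
    # secrets.choice draws from the OS CSPRNG; random.choice must not be
    # used for credentials.
    return "".join(secrets.choice(characters) for _ in range(length))


def is_shell_safe(password):
    """True if the password can be passed as a bare command-line argument."""
    return not (set(password) & SHELL_UNSAFE)


if __name__ == "__main__":
    for size in (len(HOST_PWD_CHARS), 95):   # 95 = all printable ASCII
        print("%d symbols: %d chars needed for 80 bits"
              % (size, length_for_entropy(size, 80)))
    print(generate_password())
```

With the 69-symbol alphabet the 80-bit target needs 14 characters; the 95 printable ASCII characters would need 13. If the length is fixed instead of derived, dropping from 95 to 69 symbols at the same length loses about 0.46 bits per character, which is the weakening the thread is worried about.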
From: pviktori at redhat.com (Petr Viktorin)
Date: Wed, 27 Jun 2012 13:34:03 +0200
Subject: [Freeipa-devel] [PATCH] External group membership for trusted domains
In-Reply-To: <20120627103605.GG29454@localhost.localdomain>
References: <20120621152602.GA28689@redhat.com> <20120625105914.GX29454@localhost.localdomain> <20120625130652.GC5935@redhat.com> <20120627095656.GB16889@redhat.com> <20120627103605.GG29454@localhost.localdomain>
Message-ID: <4FEAEFAB.2080604@redhat.com>

On 06/27/2012 12:36 PM, Sumit Bose wrote:
> On Wed, Jun 27, 2012 at 12:56:56PM +0300, Alexander Bokovoy wrote:
>> On Mon, 25 Jun 2012, Alexander Bokovoy wrote:
>>> On Mon, 25 Jun 2012, Sumit Bose wrote:
>>>> Hi Alexander,
>>>>
>>>> On Thu, Jun 21, 2012 at 06:26:02PM +0300, Alexander Bokovoy wrote:
>>>>> Hi!
>>>>>
>>>>> Attached is the patch to support external group membership for trusted
>>>>> domains. This is needed to get proper group membership with the work
>>>>> Sumit and Jan are doing on both IPA and SSSD sides.
>>>>>
>>>>> We already have ipaExternalGroup class that includes ipaExternalMember
>>>>> attribute (multivalued case-insensitive string). The group that has
>>>>> ipaExternalGroup object class will have to be non-POSIX and
>>>>> ipaExternalMember attribute will contain security identifiers (SIDs)
>>>>> of members from trusted domains.
>>>>>
>>>>> The patch takes care of three things:
>>>>> 1. Extends 'ipa group-add' with --external option to add
>>>>>    ipaExternalGroup object class to a new group
>>>>> 2. Modifies 'ipa group-add-member' to accept --external CSV argument
>>>>>    to specify SIDs
>>>>> 3. Modifies 'ipa group-del-member' to allow removing external members.
>>>>
>>>> thank you for the patch, it works as expected, but I have a few
>>>> comments:
>>>>
>>>> - there is a trailing whitespace at the end of the "This means we can't
>>>>   check the correctness of a trusted domain SIDs" line
>>>> - when using ipa group-add-member with --external there are still prompts
>>>>   for [member user] and [member group], can those be suppressed?
>>>> - with ipa group-mod --posix it is possible to add the posixGroup
>>>>   objectclass together with a GID to the external group object. This
>>>>   should result in an error and also the other way round, adding
>>>>   --external to Posix groups.
>>> Updated patch is attached. It fixes whitespace and group-mod.
>> New revision.
>
> Thank you. This version works well in my tests, so ACK.
>
> It would be nice if someone can have a short look at the changes to
> baseldap.py to see if there are any unexpected side effects.
>
> bye,
> Sumit
>

I'm concerned about this:

    membername = entry[0].lower()
    member_dn = api.Object[membertype].get_dn(membername)
    if membername not in external_entries and \
+       entry[0] not in external_entries and \
        member_dn not in members:

Do you want to do a case-insensitive compare here? In that case it would be
better to do:

    lowercase_external_entries = set(e.lower() for e in external_entries)
    if membername not in lowercase_external_entries ...

instead of comparing the lowercased entry and the entry itself to the
original list.
The `in` operator is also faster on a set.
You should also update the `elif membername in external_entries` block below
this one.
There's a similar situation in remove_external_post_callback.

Anyway, if you ran into a situation where the `entry[0] not in
external_entries` check is needed, there should be a test for it.


I think something is rotten with add_external_post_callback: it's defined as
add_external_post_callback(... *keys, **options), but invariably called as
add_external_post_callback(... keys, options).
That existed before the patch, though, so I guess it warrants a separate
ticket.


I also have a few obligatory style nitpicks.

For line continuation, instead of backslashes:

    if membername not in external_entries and \
        entry[0] not in external_entries and \
        member_dn not in members:

we prefer parentheses:

    if (membername not in external_entries and
        entry[0] not in external_entries and
        member_dn not in members):

Instead of:

    normalize = True
    if 'external_callback_normalize' in options:
        normalize = options['external_callback_normalize']

you can use:

    options.get('external_callback_normalize', True)

And in group.py:

    - 'memberofindirect': ['group', 'netgroup', 'role', 'hbacrule',
    -                      'sudorule'],
    + 'memberofindirect': ['group', 'netgroup', 'role', 'hbacrule', 'sudorule'],

Our style guide limits lines to 80 characters. Not much of IPA follows that
rule currently, but I don't see a reason for a change that *only* breaks the
rule.

-- 
Petr³

From mkosek at redhat.com Wed Jun 27 11:37:59 2012
From: mkosek at redhat.com (Martin Kosek) Date: Wed, 27 Jun 2012 13:37:59 +0200 Subject: [Freeipa-devel] [PATCH] External group membership for trusted domains In-Reply-To: <4FEAEFAB.2080604@redhat.com> References: <20120621152602.GA28689@redhat.com> <20120625105914.GX29454@localhost.localdomain> <20120625130652.GC5935@redhat.com> <20120627095656.GB16889@redhat.com> <20120627103605.GG29454@localhost.localdomain> <4FEAEFAB.2080604@redhat.com> Message-ID: <4FEAF097.9030405@redhat.com> On 06/27/2012 01:34 PM, Petr Viktorin wrote: > On 06/27/2012 12:36 PM, Sumit Bose wrote: >> On Wed, Jun 27, 2012 at 12:56:56PM +0300, Alexander Bokovoy wrote: >>> On Mon, 25 Jun 2012, Alexander Bokovoy wrote: >>>> On Mon, 25 Jun 2012, Sumit Bose wrote: >>>>> Hi Alexander, >>>>> >>>>> On Thu, Jun 21, 2012 at 06:26:02PM +0300, Alexander Bokovoy wrote: >>>>>> Hi! >>>>>> >>>>>> Attached is the patch to support external group membership for trusted >>>>>> domains. This is needed to get proper group membership with the work >>>>>> Sumit and Jan are doing on both IPA and SSSD sides. >>>>>> >>>>>> We already have ipaExternalGroup class that includes ipaExternalMember >>>>>> attribute (multivalued case-insensitive string). The group that has >>>>>> ipaExternalGroup object class will have to be non-POSIX and >>>>>> ipaExternalMember >>>>>> attribute will contain security identifiers (SIDs) of members from >>>>>> trusted domains. >>>>>> >>>>>> The patch takes care of three things: >>>>>> 1. Extends 'ipa group-add' with --external option to add >>>>>> ipaExternalGroup object class to a new group >>>>>> 2. Modifies 'ipa group-add-member' to accept --external CSV argument >>>>>> to specify SIDs >>>>>> 3. Modifies 'ipa group-del-member' to allow removing external members. 
>>>>> >>>>> thank you for the patch, it works as expected, but I have a few >>>>> comments: >>>>> >>>>> - there is a trailing whitespace at the end of the "This means we can't >>>>> check the correctness of a trusted domain SIDs" line >>>>> - when using ipa group-add-member with --external there are still prompt >>>>> for [member user] and [member group], can those be suppressed? >>>>> - with ipa group-mod --posix it is possible to add the posxiGroup >>>>> objectclass together with a GID to the extern group object. This >>>>> should result in an error and also the other way round, adding >>>>> --external to Posix groups. >>>> Updated patch is attached. It fixes whitespace and group-mod. >>> New revision. >> >> Thank you. This version works well in my tests, so ACK. >> >> It would be nice if someone can have a short look at the changes to >> baseldap.py to see if there are any unexpected side effects. >> >> bye, >> Sumit >> > > > I'm concerned about this: > > membername = entry[0].lower() > member_dn = api.Object[membertype].get_dn(membername) > if membername not in external_entries and \ > + entry[0] not in external_entries and \ > member_dn not in members: > > Do you want to do a case-insensitive compare here? In that case it would be > better to do: > > lowercase_external_entries = set(e.lower() for e in external_entries) > if membername not in lowercase_external_entries ... > > instead of comparing the lowercased entry and the entry itself to the original > list. > The `in` operator is also faster on a set. > You should also update the `elif membername in external_entries` block below > this one. > There's a similar situation in remove_external_post_callback. > > Anyway, if you ran into a situation where the `entry[0] not in > external_entries` check is needed, there should be a test for it. > > > I think something is rotten with add_external_post_callback: it's defined as > add_external_post_callback(... 
*keys, **options), but invariably called as > add_external_post_callback(... keys, options). That existed before the patch, > though, so I guess it warrants a separate ticket. > > > I also have a few obligatory style nitpicks. > > For line continuation, instead of backslashes: > > if membername not in external_entries and \ > entry[0] not in external_entries and \ > member_dn not in members: > > we prefer parentheses: > > if (membername not in external_entries and > entry[0] not in external_entries and > member_dn not in members): > > Instead of: > > normalize = True > if 'external_callback_normalize' in options: > normalize = options['external_callback_normalize'] > > you can use: > > options.get('external_callback_normalize', True) > > And in group.py: > > - 'memberofindirect': ['group', 'netgroup', 'role', 'hbacrule', > - 'sudorule'], > + 'memberofindirect': ['group', 'netgroup', 'role', 'hbacrule', 'sudorule'], > > Our style guide limits lines to 80 characters. Not much of IPA follows that > rule currently, but I don't see a reason for a change that *only* breaks the rule. > I also miss test cases for the new functionality. New exceptions were added, behavior was changed - we need to cover this in our unit tests. Martin From mkosek at redhat.com Wed Jun 27 12:50:34 2012 
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 27 Jun 2012 14:50:34 +0200
Subject: [Freeipa-devel] [DRAFT2] Per-domain DNS update permissions
In-Reply-To: <4FE8B30B.4050005@redhat.com>
References: <1339766543.12383.48.camel@priserak> <1339769714.32038.0.camel@willson.li.ssimo.org> <1340000969.7024.2.camel@balmora.brq.redhat.com> <4FDF4B2F.8020401@redhat.com> <4FE446D1.1040101@redhat.com> <1340367792.32038.400.camel@willson.li.ssimo.org> <4FE46451.2010509@redhat.com> <1340369998.32038.404.camel@willson.li.ssimo.org> <4FE8B30B.4050005@redhat.com>
Message-ID: <4FEB019A.5040603@redhat.com>

On 06/25/2012 08:50 PM, Rob Crittenden wrote:
> Simo Sorce wrote:
>> On Fri, 2012-06-22 at 14:25 +0200, Martin Kosek wrote:
>>> On 06/22/2012 02:23 PM, Simo Sorce wrote:
>>>> On Fri, 2012-06-22 at 12:20 +0200, Martin Kosek wrote:
>>>>> On 06/18/2012 05:37 PM, Rob Crittenden wrote:
>>>>>> Martin Kosek wrote:
>>>>>>> On Fri, 2012-06-15 at 10:15 -0400, Simo Sorce wrote:
>>>>>>>> On Fri, 2012-06-15 at 15:22 +0200, Martin Kosek wrote:
>>>>>>>>> Hello all,
>>>>>>>>>
>>>>>>>>> In the scope of ticket 2511 I would like to implement an ability to
>>>>>>>>> delegate DNS update permissions to a chosen user (or host) without
>>>>>>>>> having to give the user full "Update DNS Entries" privileges, i.e.
>>>>>>>>> allow him to modify any DNS zone or record.
>>>>>>>>>
>>>>>>>>> So far, this is what I would like to do (comments welcome):
>>>>>>>>>
>>>>>>>>> 1) Create new objectclass "idnsManagedZone" with "managedBy" attribute
>>>>>>>>>    in MAY list
>>>>>>>>> 2) Create new DNS commands:
>>>>>>>>>    a] dnszone-add-managedby [--users=USERS] [--hosts=HOSTS]
>>>>>>>>>    b] dnszone-remove-managedby [--users=USERS] [--hosts=HOSTS]
>>>>>>>>>    - these commands would add/remove chosen user/host DN to managedBy
>>>>>>>>>      attribute in chosen DNS zone
>>>>>>>>> 3) Add new generic ACIs to cn=dns,$SUFFIX:
>>>>>>>>>    aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl
>>>>>>>>>    "Users and hosts can add DNS entries";allow (add) userattr =
>>>>>>>>>    "parent[1].managedby#USERDN";)
>>>>>>>>>    ... add similar ACIs for UPDATE, REMOVE access
>>>>>>>>>
>>>>>>>>> With these steps done, all that an administrator would need to do to
>>>>>>>>> delegate the management of a DNS zone "example.com" is to run this
>>>>>>>>> command:
>>>>>>>>> $ ipa dnszone-add-managedby example.com --users=fbar
>>>>>>>>>
>>>>>>>>> The only downside I found so far is that the user would already need to
>>>>>>>>> have "Read DNS Entries" permission assigned, otherwise he would not be
>>>>>>>>> able to actually read DNS entries (allow rules can't take precedence
>>>>>>>>> over the deny rule we implemented to deny public access to the DNS tree).
>>>>>>>>>
>>>>>>>>> An admin could of course create a special privilege and role with just
>>>>>>>>> "Read DNS Entries" permission and then assign it to relevant
>>>>>>>>> users/groups, but this looks awkward. Any idea to make this simpler?
>>>>>>>>> Maybe creating a group "dns readers" by default which would allow such
>>>>>>>>> access?
>>>>>>>>
>>>>>>>> Change the deny rule to deny to everyone except the user in
>>>>>>>> "parent[1].managedby#USERDN" ?
>>>>>>>>
>>>>>>>> Simo.
>>>>>>>>
>>>>>>>
>>>>>>> Good idea, I will do that. I will just use
>>>>>>> "parent[0,1].managedby#USERDN" so that the user can also read the zone
>>>>>>> record. This way, a selected user will have read/write access to the
>>>>>>> chosen zone only, which is exactly what we want to achieve.
>>>>>>
>>>>>> Yes, this sounds workable to me too.
>>>>>>
>>>>>> rob
>>>>>>
>>>>>
>>>>> There were some second thoughts about the proposed design, which I would
>>>>> like to discuss so that we can eventually accept another (better)
>>>>> solution for this feature.
>>>>>
>>>>> The main concern here was that the proposed solution (based on a user
>>>>> list in the managedBy attribute in the DNS zone) is not in line with the
>>>>> rest of the permission & privilege architecture in IPA.
>>>>>
>>>>> Here is another idea how to address the feature (I tested it and it
>>>>> would work):
>>>>> 1) Get rid of the deny rule on cn=dns,$SUFFIX by modifying the global
>>>>>    access rule (a working patch attached) to avoid current and future
>>>>>    issues with extending ACIs (deny rules are evil).
>>>>>
>>>>> 2) Add new Managed Entry Definition and Template to automatically add
>>>>>    "Manage DNS zone $idnsname" permission. These could be used with
>>>>>    standard IPA privileges, roles and thus could be assigned to users,
>>>>>    groups, hosts, hostgroups...
>>>>>
>>>>> 3) New DNS zone managedBy attribute won't be manageable by user, but it
>>>>>    will hold a DN of the managed Permission entry
>>>>>
>>>>> 4) Add the following ACIs to cn=dns,$SUFFIX:
>>>>>    aci: (targetattr = "*")
>>>>>    (version 3.0; acl "Read DNS entries"; allow (read,search,compare)
>>>>>    userattr = "parent[0,1].managedby#GROUPDN";)
>>>>>
>>>>>    aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")
>>>>>    (version 3.0;acl "Add dns entries";allow (add)
>>>>>    userattr = "parent[1].managedby#GROUPDN";)
>>>>>
>>>>>    aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")
>>>>>    (version 3.0;acl "Remove DNS entries";allow (delete)
>>>>>    userattr = "parent[1].managedby#GROUPDN";)
>>>>>
>>>>>    aci: (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl ||
>>>>>    dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord
>>>>>    || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord ||
>>>>>    hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord ||
>>>>>    locrecord || nxtrecord || naptrrecord || kxrecord || certrecord ||
>>>>>    dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord ||
>>>>>    idnsname || idnszoneactive || idnssoamname || idnssoarname ||
>>>>>    idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire ||
>>>>>    idnssoaminimum || idnsupdatepolicy || idnsallowquery ||
>>>>>    idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy ||
>>>>>    idnsforwarders")
>>>>>    (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update
>>>>>    DNS Entries";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)
>>>>>
>>>>> I needed to add the permission DN to the managedBy attribute so that I
>>>>> could create just one set of generic ACIs without having to create a set
>>>>> of ACIs for every new zone and thus let users with "Update DNS entries"
>>>>> permission have write access to the "aci" attribute.
>>>>>
>>>>> Would this design be better than the previous one? Comments welcome.
>>>>
>>>> Removing Deny ACIs would be great.
>>>> But don't we need a second set of ACIs to allow uber admins to still
>>>> control all zones ? or is that part of current ACIs not going to
>>>> change ?
>>>>
>>>> Simo.
>>>>
>>>
>>> Thanks to the removal of the deny rule, this would be already allowed by
>>> this existing ACI:
>>>
>>> aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword
>>> || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName ||
>>> krbCanonicalName || krbUPEnabled || krbTicketPolicyReference ||
>>> krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference
>>> || krbPrincipalType || krbPwdHistory || krbLastPwdChange ||
>>> krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth ||
>>> krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags ||
>>> ipaUniqueId || memberOf || serverHostName || enrolledBy")(version 3.0;
>>> acl "Admin can manage any entry"; allow (all) groupdn =
>>> "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
>>
>> Oh right!
>> I like it even more then :-)
>>
>> Simo.
>>
>
> Yes, this looks like it will work and eliminating a deny rule is a definite
> plus.
>
> rob

I have finished a patch based on the second design. IMO it is indeed better:
no deny ACI for DNS and just a standard permission for per-zone access
delegation.

There is just one difference from the proposed design draft: per-zone
permissions are not created automatically by the Managed Entry plugin, but
rather manually and only for DNS zones where per-zone access is needed. There
is a new command for that, dnszone-add-permission. This will leave the
permission tree cleaner + we won't have to deal with all the Managed Entry
plugin machinery.

More details can be found in the commit message.

Martin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-277-2-per-domain-dns-record-permissions.patch
Type: text/x-patch
Size: 36430 bytes
Desc: not available
URL:

From mkosek at redhat.com Wed Jun 27 13:30:53 2012
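The `userattr = "parent[0,1].managedby#GROUPDN"` bind rules in the second design above (read and update consult the target entry and its parent; add and delete consult only the parent) are easiest to reason about with a small model. What follows is an added example written for this page, not part of Martin's patch or of 389-ds: a toy evaluator over a constructed directory with two zones and two per-zone permission entries. It reduces GROUPDN to a direct `member` lookup (real IPA resolves it through nested groups and memberOf), ignores the admin ACI and the `targetattr` lists, treats a target of `idnsname=*,cn=dns,$SUFFIX` as "everything below the container", and assumes DNs without escaped commas; the zone, user and permission DNs are made up.

```python
# Toy evaluator for 389-ds "userattr = parent[N].attr#GROUPDN" bind rules,
# written as an illustration for this page; not IPA or 389-ds code.

SUFFIX = "dc=example,dc=com"          # assumed suffix
DNS_BASE = "cn=dns," + SUFFIX


def perm_dn(zone):
    """DN of the per-zone permission entry (naming is this example's own)."""
    return "cn=Manage DNS zone %s,cn=permissions,cn=pbac,%s" % (zone, SUFFIX)


FBAR = "uid=fbar,cn=users,cn=accounts," + SUFFIX   # delegated example.com
JDOE = "uid=jdoe,cn=users,cn=accounts," + SUFFIX   # delegated other.com

# Constructed directory: DN -> attributes. GROUPDN membership is reduced to a
# direct "member" lookup; real IPA resolves it through nested groups/memberOf.
DIRECTORY = {
    DNS_BASE: {},
    "idnsname=example.com," + DNS_BASE: {"managedby": [perm_dn("example.com")]},
    "idnsname=www,idnsname=example.com," + DNS_BASE: {"arecord": ["192.0.2.10"]},
    "idnsname=other.com," + DNS_BASE: {"managedby": [perm_dn("other.com")]},
    perm_dn("example.com"): {"member": [FBAR]},
    perm_dn("other.com"): {"member": [JDOE]},
}

# The four ACIs of the second design: (acl name, rights, whether the target
# is restricted to "idnsname=*,cn=dns,$SUFFIX", parent levels consulted).
ACIS = [
    ("Read DNS entries", {"read", "search", "compare"}, False, (0, 1)),
    ("Add dns entries", {"add"}, True, (1,)),
    ("Remove DNS entries", {"delete"}, True, (1,)),
    ("Update DNS Entries", {"write"}, True, (0, 1)),
]

# Variant with parent[1] only, to show why read needs parent[0,1].
READ_PARENT_ONLY = [("Read DNS entries", {"read", "search", "compare"}, False, (1,))]


def parent_dn(dn, level):
    """Ancestor `level` RDNs above `dn` (level 0 is `dn` itself), or None."""
    rdns = [rdn.strip() for rdn in dn.split(",")]   # assumes no escaped commas
    return ",".join(rdns[level:]) if level < len(rdns) else None


def matches_target(dn, below_only):
    """ACI scope is the cn=dns subtree; with a target, the container itself
    is excluded."""
    in_subtree = dn == DNS_BASE or dn.endswith("," + DNS_BASE)
    return in_subtree and not (below_only and dn == DNS_BASE)


def is_member(bind_dn, group_dn):
    return bind_dn in DIRECTORY.get(group_dn, {}).get("member", [])


def allowed(bind_dn, target_dn, right, acis=ACIS):
    """Name of the first ACI granting `right` on `target_dn`, or None.
    `target_dn` need not exist yet; that is what makes parent[1] work for add."""
    for name, rights, below_only, levels in acis:
        if right not in rights or not matches_target(target_dn, below_only):
            continue
        for level in levels:
            ancestor = parent_dn(target_dn, level)
            if ancestor is None:
                continue
            for group in DIRECTORY.get(ancestor, {}).get("managedby", []):
                if is_member(bind_dn, group):
                    return name
    return None


if __name__ == "__main__":
    zone = "idnsname=example.com," + DNS_BASE
    for who, target, right in [
        (FBAR, zone, "read"),
        (FBAR, "idnsname=www," + zone, "write"),
        (FBAR, "idnsname=mail," + zone, "add"),
        (FBAR, zone, "delete"),
        (FBAR, "idnsname=new.com," + DNS_BASE, "add"),
        (JDOE, zone, "read"),
    ]:
        print("%-50s %-6s -> %s"
              % (target, right, allowed(who, target, right)))
```

Running it shows why read and update use `parent[0,1]` while add and delete use `parent[1]`: with `parent[1]` alone fbar could read the `www` record but not the zone entry `example.com` itself, and because `cn=dns` carries no `managedBy`, a delegated manager can add and delete records inside the delegated zone but can neither create another zone nor delete the delegated one.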
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 27 Jun 2012 15:30:53 +0200
Subject: [Freeipa-devel] [PATCH] 1014 configurable service timeout
In-Reply-To: <4FC4DDBB.7070902@redhat.com>
References: <4FB3F267.2070104@redhat.com> <4FB6AAF6.9080800@redhat.com> <4FBE2654.4030207@redhat.com> <4FBE560E.1080108@redhat.com> <1338293075.30643.52.camel@balmora.brq.redhat.com> <4FC4DDBB.7070902@redhat.com>
Message-ID: <4FEB0B0D.1000206@redhat.com>

On 05/29/2012 04:31 PM, Rob Crittenden wrote:
> Martin Kosek wrote:
>> On Thu, 2012-05-24 at 11:38 -0400, Rob Crittenden wrote:
>>> Petr Viktorin wrote:
>>>> On 05/18/2012 10:03 PM, Rob Crittenden wrote:
>>>>> Rob Crittenden wrote:
>>>>>> A hardcoded timeout was used in ipactl for service restarts, set rather
>>>>>> low. A separate timeout was hardcoded into the installer.
>>>>>>
>>>>>> I centralized them into a single timeout, configurable in the standard
>>>>>> way in /etc/ipa/*.conf.
>>>>>>
>>>>>> On install it will always default to 120 seconds and remain there unless
>>>>>> changed in default.conf (not replicated either).
>>>>>>
>>>>>> I tested this on systemd systems and sysV systems and it works ok for
>>>>>> me. You'll also want to double-check that this works when other 389-ds
>>>>>> instances are installed.
>>>>>>
>>>>>> Getting the naming of instances right was a bit tricky.
>>>>>
>>>>> Noticed a problem on upgrades and fixed that. Updated patch attached.
>>>>>
>>>>> rob
>>>>>
>>>>
>>>> Please rebase the patch onto current master.
>>>>
>>>
>>> Done
>>
>> This is a good start. I just found a few places where I found that the
>> remaining wait function calls are redundant:
>>
>> 1) install/tools/ipactl:
>>
>> if lurl.urlscheme == 'ldapi':
>> - wait_for_open_socket(lurl.hostport, timeout=6)
>> + wait_for_open_socket(lurl.hostport,
>> timeout=api.env.startup_timeout)
>> else:
>> (host,port) = lurl.hostport.split(':')
>> - wait_for_open_ports(host, [int(port)], timeout=6)
>> + wait_for_open_ports(host, [int(port)],
>> timeout=api.env.startup_timeout)
>>
>> Aren't these calls redundant? We already wait for ports when dirsrv is
>> started (dirsrv.start()) or restarted (dirsrv.restart()).
>
> It is redundant in some cases but there are some calls we make where this is
> used to determine the availability of the service. This call is needed.
>
>> 2) ipaserver/install/replication.py:
>> - installutils.wait_for_open_ports('localhost', [389, 636], 300)
>> + ipautil.wait_for_open_ports('localhost', [389, 636], 300)
>>
>> Isn't this now redundant? Port check should be done in service restart.
>
> Yes, looks like this call can go.
>
>> 3) ipaserver/install/plugins/updateclient.py:
>>
>> - installutils.wait_for_open_socket(socket_name)
>> + wait_for_open_socket(socket_name)
>>
>> Also seems redundant, dirsrv should be already up as it was restarted
>> via our Service framework. Though we only check for ports in the Service
>> framework, I wonder if this is enough and we can be sure that when ports
>> are up, the LDAPI socket is also up.
>
> No, sockets and ports are separate, particularly when updating. In fact, we
> disable the ports so a wait_for_port() will always fail which is why I added
> the wait flag. This may be a case I missed with upgrades. Let me test upgrades
> again...
>
> rob

I think we want to either send a revised patch to this ticket to get it to
Beta 1 or to defer it to some future version...

Martin

From william at firstyear.id.au Wed Jun 27 13:32:20 2012
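Rob's point in the thread above, that an open TCP port says nothing about the LDAPI socket and that during an upgrade the ports are disabled on purpose so a port wait must fail, is the kind of thing a service-readiness helper has to model explicitly. The block below is an added example written for this page, not the `ipautil.wait_for_open_ports`/`wait_for_open_socket` implementations from the patch: it shows the two waits as separate checks driven by one timeout, plus two listener helpers used only to exercise them locally. The function names, the 0.1 s poll interval and the sample timeouts are this example's own.

```python
import os
import socket
import tempfile
import threading
import time

POLL_INTERVAL = 0.1   # seconds between connection attempts (assumed)


def wait_for_open_ports(host, ports, timeout):
    """Return True once every TCP port in `ports` accepts a connection on
    `host`; return False if `timeout` seconds pass first (no exception, so
    the caller decides whether a closed port is an error, as it is not
    during an upgrade that deliberately disables the ports)."""
    deadline = time.monotonic() + timeout
    pending = list(ports)
    while pending:
        try:
            with socket.create_connection((host, pending[0]), timeout=1):
                pending.pop(0)
        except OSError:
            if time.monotonic() >= deadline:
                return False
            time.sleep(POLL_INTERVAL)
    return True


def wait_for_open_socket(path, timeout):
    """Return True once a Unix-domain stream socket at `path` accepts a
    connection, False on timeout. A TCP port being open says nothing about
    this: the LDAPI socket is a separate listener."""
    deadline = time.monotonic() + timeout
    while True:
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        try:
            s.connect(path)
            return True
        except OSError:
            if time.monotonic() >= deadline:
                return False
            time.sleep(POLL_INTERVAL)
        finally:
            s.close()


# --- helpers that stand in for a directory server while experimenting -------

def _accept_loop(srv):
    while True:
        try:
            conn, _ = srv.accept()
            conn.close()
        except OSError:
            return


def start_tcp_listener(host="127.0.0.1"):
    """Listen on an ephemeral TCP port; return the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    threading.Thread(target=_accept_loop, args=(srv,), daemon=True).start()
    return srv.getsockname()[1]


def start_unix_listener(path):
    """Listen on a Unix-domain socket at `path`."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(5)
    threading.Thread(target=_accept_loop, args=(srv,), daemon=True).start()


def closed_tcp_port(host="127.0.0.1"):
    """Return a port number nothing is listening on right now."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def temp_socket_path(name="ldapi"):
    """Path for a throwaway Unix socket in a fresh temporary directory."""
    return os.path.join(tempfile.mkdtemp(), name)


if __name__ == "__main__":
    port = start_tcp_listener()
    sock_path = temp_socket_path()
    print("tcp port %d up:" % port, wait_for_open_ports("127.0.0.1", [port], 5))
    # The port is up, but the LDAPI socket is not: the two checks are independent.
    print("ldapi socket up:", wait_for_open_socket(sock_path, 0.5))
    start_unix_listener(sock_path)
    print("ldapi socket up:", wait_for_open_socket(sock_path, 5))
```

Both functions return a boolean rather than raising, so a caller that restarts the server with its TCP ports disabled can wait on the socket alone and treat the port check's failure as expected instead of fatal.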
From: william at firstyear.id.au (William Brown)
Date: Wed, 27 Jun 2012 23:02:20 +0930
Subject: [Freeipa-devel] DHCP support - Request for review
Message-ID: <4FEB0B64.7020604@firstyear.id.au>

Hi,

I have been working on adding support for FreeIPA to support configuration
storage for ISC-DHCP 4.X servers. I have added the schema which is included
at installation, added the template / empty files that will be filled in and
used for the installation and created the ipalib plugin for this.

At this stage, this feature is still far from done. I would appreciate a
review of the work I have done to ensure I am on the right track. I would
like to know if there is a better way to add ACLs than by manually updating
ldap by hand (i.e., using the ACL libraries) (See /install/share/dhcpd.ldif).

-- 
Sincerely,

William Brown

pgp.mit.edu
http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x3C0AC6DAB2F928A2

-------------- next part --------------
From 6ea88fce9cde90e357164b77933591b7a6bacd1b Mon Sep 17 00:00:00 2001
From: William Brown
Date: Mon, 7 May 2012 14:28:15 +0930
Subject: [PATCH] Create patch for review of DHCP support

---
 .gitignore | 1 +
 TODO.DHCP | 41 +++
 install/share/60dhcpd.ldif | 550 +++++++++++++++++++++++++++++++++
 install/share/Makefile.am | 2 +
 install/share/dhcpd.ldif | 90 ++++++
 install/tools/Makefile.am | 1 +
 install/tools/ipa-dhcp-install | 24 ++
 ipalib/constants.py | 1 +
 ipalib/plugins/dhcp.py | 601 +++++++++++++++++++++++++++++++++++++
 ipaserver/install/Makefile.am | 1 +
 ipaserver/install/dhcpinstance.py | 134 +++++++++
 ipaserver/install/dsinstance.py | 1 +
 ipaserver/install/service.py | 2 +
 13 files changed, 1449 insertions(+)
 create mode 100644 TODO.DHCP
 create mode 100644 install/share/60dhcpd.ldif
 create mode 100644 install/share/dhcpd.ldif
 create mode 100644 install/tools/ipa-dhcp-install
 create mode 100644 ipalib/plugins/dhcp.py
 create mode 100644 ipaserver/install/dhcpinstance.py
diff --git a/.gitignore b/.gitignore index d20747c04b22a30866a8996ee2bcdf10ca4d471b..fb4fd402153430587bd496cd302c9ece12ff297d 100644 --- a/.gitignore +++ b/.gitignore @@ -9,6 +9,7 @@ Makefile.in *.lo *.o *.pyc +*.swp .bzr freeipa2-dev-doc build diff --git a/TODO.DHCP b/TODO.DHCP new file mode 100644 index 0000000000000000000000000000000000000000..c09790af7a67bb60bb22f4943833f6d347cf8ce2 --- /dev/null +++ b/TODO.DHCP 
@@ -0,0 +1,41 @@ +DHCP server integration todo list +================================= + +See http://www.freeipa.org/page/DHCP_Integration_Design + +Stage 1) + +- Add DHCPD schema files to be installed as part of the IPA server installation. (DONE, AWAITING TEST) +- Add DHCP installation option. This option can be modeled off the DNS option, as they are both "optional". + - An installer file must be created into ipaserver/install/dhcpinstance.py (DONE, needs CODING) + - This installation should populate some basic information into the LDAP tree (This is done in freeipa/install/share/dhcpd.ldif). There is an example of how to do this in ./ipaserver/install/bindinstance.py:509. (DONE, ADD TO dhcpinstance.py, INCLUDES INDICIES) + - This should also create the necesarry anonymous service accounts and keys. + - Support multiple locations for the installation. Each install can support two server in failover mode. + - We need to also setup DHCP 389ds permissions + - DHCP admin permission, that should be able to modify and read the contents of cn=dhcp + - Dhcp viewer permission. + - DHCP server permission. This can read the server information, but it can write to the leases subtree. + - This should create the dhcpd.conf, dhcpd6.conf and dhrelay.conf. + - What do we do about radvd.conf? + -For the installer to work, we need to create the public api in ipalib/plugins/dhcp.py. We also need to register some constants into contstants.py in the same DIR +- The manpage for this should be updated. ./install/tools/man/ipa-dhcp-install.1 +- Add support for IPA admin tool to interact with the ldap dhcp information. + +Stage 1.5) + +- Add 60dhcpd.ldif to the ISC-DHCP source tree for maintenence. (DONE, AWAITING APPROVAL) +- Add support for ISC-DHCP to authenticate with GSSAPI to the LDAP server. + - Update configure.ac at line 631 to support GSSAPI flag + - This should check for the relevant GSSAPI libaries + - GSSAPI support should be added to ldap_rebind_cb. 
This handles all the auth. + - We need to add the KRB5 config options to be parsed in ldap_start + - How do we add options? Stables.c? + +Stage 2) + +- Add support for IPA admin tool to create a dhcpd.conf, or rather, dhcrelay on a machine joined to the domain. + +Stage 3) + +- Work on the WEB UI components. + diff --git a/install/share/60dhcpd.ldif b/install/share/60dhcpd.ldif new file mode 100644 index 0000000000000000000000000000000000000000..ecdd78f57f23ea7ebe617c5265c7bc56d42ce914 --- /dev/null +++ b/install/share/60dhcpd.ldif 
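Review bot: the `+*.swp` line in `.gitignore` is an editor artifact unrelated to DHCP support and belongs in a per-user global excludes file, not in the project's `.gitignore`; drop it from this patch. In `TODO.DHCP`, "create the necessary anonymous service accounts and keys" needs to say what identity dhcpd binds with: the Stage 1.5 item shows GSSAPI bind is not there yet, and the LDAP backend of ISC dhcpd otherwise does a simple bind with `ldap-username`/`ldap-password` stored in clear text in dhcpd.conf, so until the GSSAPI work lands the installer has to restrict that file to the dhcpd user and require TLS for the bind (`ldap-ssl`), and the account it creates must not be anonymous. The permission split in the same list (admin reads and writes `cn=dhcp`; server reads the configuration and writes leases) is the right direction; make the server's write ACI target only the leases subtree and state that a server identity must never be able to write `dhcpStatements` or `dhcpOption`, since every dhcpd that loads them interprets those values as its own configuration. Also, the ":509" line reference into `bindinstance.py` will rot; name the function instead.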
@@ -0,0 +1,550 @@ +dn: cn=schema +attributeTypes: ( + 2.16.840.1.113719.1.203.4.1 + NAME 'dhcpPrimaryDN' + DESC 'The DN of the dhcpServer which is the primary server for the configuration.' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 + SINGLE-VALUE + ) +attributeTypes: ( + 2.16.840.1.113719.1.203.4.2 + NAME 'dhcpSecondaryDN' + DESC 'The DN of dhcpServer(s) which provide backup service for the configuration.' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 + ) +attributeTypes: ( + 2.16.840.1.113719.1.203.4.3 + NAME 'dhcpStatements' + DESC 'Flexible storage for specific data depending on what object this exists in. Like conditional statements, server parameters, etc. This allows the standard to evolve without needing to adjust the schema.' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + ) +attributeTypes: ( + 2.16.840.1.113719.1.203.4.4 + NAME 'dhcpRange' + DESC 'The starting & ending IP Addresses in the range (inclusive), separated by a hyphen; if the range only contains one address, then just the address can be specified with no hyphen. Each range is defined as a separate value.' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + ) +attributeTypes: ( + 2.16.840.1.113719.1.203.4.5 + NAME 'dhcpPermitList' + DESC 'This attribute contains the permit lists associated with a pool. Each permit list is defined as a separate value.' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + ) +attributeTypes: ( + 2.16.840.1.113719.1.203.4.6 + NAME 'dhcpNetMask' + DESC 'The subnet mask length for the subnet. The mask can be easily computed from this length.' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE + ) +attributeTypes: ( + 2.16.840.1.113719.1.203.4.7 + NAME 'dhcpOption' + DESC 'Encoded option values to be sent to clients. 
Each value represents a single option and contains (OptionTag, Length, OptionValue) encoded in the format used by DHCP.' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + ) +attributeTypes: ( + 2.16.840.1.113719.1.203.4.8 + NAME 'dhcpClassData' + DESC 'Encoded text string or list of bytes expressed in hexadecimal, separated by colons. Clients match subclasses based on matching the class data with the results of match or spawn with statements in the class name declarations.' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE + ) +attributeTypes: ( + 2.16.840.1.113719.1.203.4.9 + NAME 'dhcpOptionsDN' + DESC 'The distinguished name(s) of the dhcpOption objects containing the configuration options provided by the server.' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 + ) +attributeTypes: ( + 2.16.840.1.113719.1.203.4.10 + NAME 'dhcpHostDN' + DESC 'the distinguished name(s) of the dhcpHost objects.' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 + ) +attributeTypes: ( + 2.16.840.1.113719.1.203.4.11 + NAME 'dhcpPoolDN' + DESC 'The distinguished name(s) of pools.' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 + ) +attributeTypes: ( + 2.16.840.1.113719.1.203.4.12 + NAME 'dhcpGroupDN' + DESC 'The distinguished name(s) of the groups.' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 + ) +attributeTypes: ( + 2.16.840.1.113719.1.203.4.13 + NAME 'dhcpSubnetDN' + DESC 'The distinguished name(s) of the subnets.' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 + ) +attributeTypes: ( + 2.16.840.1.113719.1.203.4.14 + NAME 'dhcpLeaseDN' + DESC 'The distinguished name of a client address.' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 + SINGLE-VALUE + ) +attributeTypes: ( + 2.16.840.1.113719.1.203.4.15 + NAME 'dhcpLeasesDN' + DESC 'The distinguished name(s) client addresses.' 
+ EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 + ) +attributeTypes: ( + 2.16.840.1.113719.1.203.4.16 + NAME 'dhcpClassesDN' + DESC 'The distinguished name(s) of a class(es) in a subclass.' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 + ) +attributeTypes: ( + 2.16.840.1.113719.1.203.4.17 + NAME 'dhcpSubclassesDN' + DESC 'The distinguished name(s) of subclass(es).' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 + ) +attributeTypes: ( + 2.16.840.1.113719.1.203.4.18 + NAME 'dhcpSharedNetworkDN' + DESC 'The distinguished name(s) of sharedNetworks.' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 + ) +attributeTypes: ( + 2.16.840.1.113719.1.203.4.19 + NAME 'dhcpServiceDN' + DESC 'The DN of dhcpService object(s)which contain the configuration information. Each dhcpServer object has this attribute identifying the DHCP configuration(s) that the server is associated with.' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 + ) +attributeTypes: ( + 2.16.840.1.113719.1.203.4.20 + NAME 'dhcpVersion' + DESC 'The version attribute of this object.' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE + ) +attributeTypes: ( + 2.16.840.1.113719.1.203.4.21 + NAME 'dhcpImplementation' + DESC 'Description of the DHCP Server implementation e.g. DHCP Servers vendor.' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE + ) +attributeTypes: ( + 2.16.840.1.113719.1.203.4.22 + NAME 'dhcpAddressState' + DESC 'This stores information about the current binding-status of an address. For dynamic addresses managed by DHCP, the values should be restricted to the following: "FREE", "ACTIVE", "EXPIRED", "RELEASED", "RESET", "ABANDONED", "BACKUP". 
For other addresses, it SHOULD be one of the following: "UNKNOWN", "RESERVED" (an address that is managed by DHCP that is reserved for a specific client), "RESERVED-ACTIVE" (same as reserved, but address is currently in use), "ASSIGNED" (assigned manually or by some other mechanism), "UNASSIGNED", "NOTASSIGNABLE".' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE + ) +attributeTypes: ( + 2.16.840.1.113719.1.203.4.23 + NAME 'dhcpExpirationTime' + DESC 'This is the time the current lease for an address expires.' + EQUALITY generalizedTimeMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 + SINGLE-VALUE + ) +attributeTypes: ( + 2.16.840.1.113719.1.203.4.24 + NAME 'dhcpStartTimeOfState' + DESC 'This is the time of the last state change for a leased address.' + EQUALITY generalizedTimeMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 + SINGLE-VALUE + ) +attributeTypes: ( + 2.16.840.1.113719.1.203.4.25 + NAME 'dhcpLastTransactionTime' + DESC 'This is the last time a valid DHCP packet was received from the client.' + EQUALITY generalizedTimeMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 + SINGLE-VALUE + ) +attributeTypes: ( + 2.16.840.1.113719.1.203.4.26 + NAME 'dhcpBootpFlag' + DESC 'This indicates whether the address was assigned via BOOTP.' + EQUALITY booleanMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 + SINGLE-VALUE + ) +attributeTypes: ( + 2.16.840.1.113719.1.203.4.27 + NAME 'dhcpDomainName' + DESC 'This is the name of the domain sent to the client by the server. It is essentially the same as the value for DHCP option 15 sent to the client, and represents only the domain - not the full FQDN. To obtain the full FQDN assigned to the client you must prepend the "dhcpAssignedHostName" to this value with a ".".' 
+ EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE + ) +attributeTypes: ( + 2.16.840.1.113719.1.203.4.28 + NAME 'dhcpDnsStatus' + DESC 'This indicates the status of updating DNS resource records on behalf of the client by the DHCP server for this address. The value is a 16-bit bitmask.' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE + ) +attributeTypes: ( + 2.16.840.1.113719.1.203.4.29 + NAME 'dhcpRequestedHostName' + DESC 'This is the hostname that was requested by the client.' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE + ) +attributeTypes: ( + 2.16.840.1.113719.1.203.4.30 + NAME 'dhcpAssignedHostName' + DESC 'This is the actual hostname that was assigned to a client. It may not be the name that was requested by the client. The fully qualified domain name can be determined by appending the value of "dhcpDomainName" (with a dot separator) to this name.' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE + ) +attributeTypes: ( + 2.16.840.1.113719.1.203.4.31 + NAME 'dhcpReservedForClient' + DESC 'The distinguished name of a "dhcpClient" that an address is reserved for. This may not be the same as the "dhcpAssignedToClient" attribute if the address is being reassigned but the current lease has not yet expired.' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 + SINGLE-VALUE + ) +attributeTypes: ( + 2.16.840.1.113719.1.203.4.32 + NAME 'dhcpAssignedToClient' + DESC 'This is the distinguished name of a "dhcpClient" that an address is currently assigned to. This attribute is only present in the class when the address is leased.' 
+ EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 + SINGLE-VALUE + ) +attributeTypes: ( + 2.16.840.1.113719.1.203.4.33 + NAME 'dhcpRelayAgentInfo' + DESC 'If the client request was received via a relay agent, this contains information about the relay agent that was available from the DHCP request. This is a hex-encoded option value.' + EQUALITY octetStringMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 + SINGLE-VALUE + ) +attributeTypes: ( + 2.16.840.1.113719.1.203.4.34 + NAME 'dhcpHWAddress' + DESC 'The clients hardware address that requested this IP address.' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE + ) +attributeTypes: ( + 2.16.840.1.113719.1.203.4.35 + NAME 'dhcpHashBucketAssignment' + DESC 'HashBucketAssignment bit map for the DHCP Server, as defined in DHC Load Balancing Algorithm [RFC 3074].' + EQUALITY octetStringMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 + SINGLE-VALUE + ) +attributeTypes: ( + 2.16.840.1.113719.1.203.4.36 + NAME 'dhcpDelayedServiceParameter' + DESC 'Delay in seconds corresponding to Delayed Service Parameter configuration, as defined in DHC Load Balancing Algorithm [RFC 3074]. 
' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE + ) +attributeTypes: ( + 2.16.840.1.113719.1.203.4.37 + NAME 'dhcpMaxClientLeadTime' + DESC 'Maximum Client Lead Time configuration in seconds, as defined in DHCP Failover Protocol [FAILOVR]' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE + ) +attributeTypes: ( + 2.16.840.1.113719.1.203.4.38 + NAME 'dhcpFailOverEndpointState' + DESC 'Server (Failover Endpoint) state, as defined in DHCP Failover Protocol [FAILOVR]' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE + ) +attributeTypes: ( + 2.16.840.1.113719.1.203.4.39 + NAME 'dhcpErrorLog' + DESC 'Generic error log attribute that allows logging error conditions within a dhcpService or a dhcpSubnet, like no IP addresses available for lease.' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE + ) +attributeTypes: ( + 2.16.840.1.113719.1.203.4.40 + NAME 'dhcpLocatorDN' + DESC 'The DN of dhcpLocator object which contain the DNs of all DHCP configuration objects. 
There will be a single dhcpLocator object in the tree with links to all the DHCP objects in the tree' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 + ) +attributeTypes: ( + 2.16.840.1.113719.1.203.4.41 + NAME 'dhcpKeyAlgorithm' + DESC 'Algorithm to generate TSIG Key' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE + ) +attributeTypes: ( + 2.16.840.1.113719.1.203.4.42 + NAME 'dhcpKeySecret' + DESC 'Secret to generate TSIG Key' + EQUALITY octetStringMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 + SINGLE-VALUE + ) +attributeTypes: ( + 2.16.840.1.113719.1.203.4.43 + NAME 'dhcpDnsZoneServer' + DESC 'Master server of the DNS Zone' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE + ) +attributeTypes: ( + 2.16.840.1.113719.1.203.4.44 + NAME 'dhcpKeyDN' + DESC 'The DNs of TSIG Key to use in secure dynamic updates. In case of locator object, this will be list of TSIG keys. In case of DHCP Service, Shared Network, Subnet and DNS Zone, it will be a single key.' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 + ) +attributeTypes: ( + 2.16.840.1.113719.1.203.4.45 + NAME 'dhcpZoneDN' + DESC 'The DNs of DNS Zone. In case of locator object, this will be list of DNS Zones in the tree. In case of DHCP Service, Shared Network and Subnet, it will be a single DNS Zone.' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 + ) +attributeTypes: ( + 2.16.840.1.113719.1.203.4.46 + NAME 'dhcpFailOverPrimaryServer' + DESC 'IP address or DNS name of the server playing primary role in DHC Load Balancing and Fail over.' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + ) +attributeTypes: ( + 2.16.840.1.113719.1.203.4.47 + NAME 'dhcpFailOverSecondaryServer' + DESC 'IP address or DNS name of the server playing secondary role in DHC Load Balancing and Fail over.' 
+ EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + ) +attributeTypes: ( + 2.16.840.1.113719.1.203.4.48 + NAME 'dhcpFailOverPrimaryPort' + DESC 'Port on which primary server listens for connections from its fail over peer (secondary server)' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + ) +attributeTypes: ( + 2.16.840.1.113719.1.203.4.49 + NAME 'dhcpFailOverSecondaryPort' + DESC 'Port on which secondary server listens for connections from its fail over peer (primary server)' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + ) +attributeTypes: ( + 2.16.840.1.113719.1.203.4.50 + NAME 'dhcpFailOverResponseDelay' + DESC 'Maximum response time in seconds, before Server assumes that connection to fail over peer has failed' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + ) +attributeTypes: ( + 2.16.840.1.113719.1.203.4.51 + NAME 'dhcpFailOverUnackedUpdates' + DESC 'Number of BNDUPD messages that server can send before it receives BNDACK from its fail over peer' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + ) +attributeTypes: ( + 2.16.840.1.113719.1.203.4.52 + NAME 'dhcpFailOverSplit' + DESC 'Split between the primary and secondary servers for fail over purpose' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + ) +attributeTypes: ( + 2.16.840.1.113719.1.203.4.53 + NAME 'dhcpFailOverLoadBalanceTime' + DESC 'Cutoff time in seconds, after which load balance is disabled' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + ) +attributeTypes: ( + 2.16.840.1.113719.1.203.4.54 + NAME 'dhcpFailOverPeerDN' + DESC 'The DNs of Fail over peers. In case of locator object, this will be list of fail over peers in the tree. 
In case of Subnet and pool, it will be a single Fail Over Peer' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 + ) +attributeTypes: ( + 2.16.840.1.113719.1.203.4.55 + NAME 'dhcpServerDN' + DESC 'List of all DHCP Servers in the tree. Used by dhcpLocatorObject' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 + ) +attributeTypes: ( + 2.16.840.1.113719.1.203.4.56 + NAME 'dhcpComments' + DESC 'Generic attribute that allows coments within any DHCP object' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE + ) +objectClasses: ( + 2.16.840.1.113719.1.203.6.1 + NAME 'dhcpService' + DESC 'Service object that represents the actual DHCP Service configuration. This is a container object.' + SUP top + MUST ( cn ) + MAY ( dhcpPrimaryDN $ dhcpSecondaryDN $ dhcpServerDN $ dhcpSharedNetworkDN $ dhcpSubnetDN $ dhcpGroupDN $ dhcpHostDN $ dhcpClassesDN $ dhcpOptionsDN $ dhcpZoneDN $ dhcpKeyDN $ dhcpFailOverPeerDN $ dhcpStatements $dhcpComments $ dhcpOption ) + ) +objectClasses: ( + 2.16.840.1.113719.1.203.6.2 + NAME 'dhcpSharedNetwork' + DESC 'This stores configuration information for a shared network.' + SUP top + MUST cn + MAY ( dhcpSubnetDN $ dhcpPoolDN $ dhcpOptionsDN $ dhcpZoneDN $ dhcpStatements $dhcpComments $ dhcpOption ) + ) +objectClasses: ( + 2.16.840.1.113719.1.203.6.3 + NAME 'dhcpSubnet' + DESC 'This class defines a subnet. This is a container object.' + SUP top + MUST ( cn $ dhcpNetMask ) + MAY ( dhcpRange $ dhcpPoolDN $ dhcpGroupDN $ dhcpHostDN $ dhcpClassesDN $ dhcpLeasesDN $ dhcpOptionsDN $ dhcpZoneDN $ dhcpKeyDN $ dhcpFailOverPeerDN $ dhcpStatements $ dhcpComments $ dhcpOption ) + ) +objectClasses: ( + 2.16.840.1.113719.1.203.6.4 + NAME 'dhcpPool' + DESC 'This stores configuration information about a pool.' 
+ SUP top + MUST ( cn $ dhcpRange ) + MAY ( dhcpClassesDN $ dhcpPermitList $ dhcpLeasesDN $ dhcpOptionsDN $ dhcpZoneDN $dhcpKeyDN $ dhcpStatements $ dhcpComments $ dhcpOption ) + ) +objectClasses: ( + 2.16.840.1.113719.1.203.6.5 + NAME 'dhcpGroup' + DESC 'Group object that lists host DNs and parameters. This is a container object.' + SUP top + MUST cn + MAY ( dhcpHostDN $ dhcpOptionsDN $ dhcpStatements $ dhcpComments $ dhcpOption ) + ) +objectClasses: ( + 2.16.840.1.113719.1.203.6.6 + NAME 'dhcpHost' + DESC 'This represents information about a particular client' + SUP top + MUST cn + MAY ( dhcpLeaseDN $ dhcpHWAddress $ dhcpOptionsDN $ dhcpStatements $ dhcpComments $ dhcpOption ) + ) +objectClasses: ( + 2.16.840.1.113719.1.203.6.7 + NAME 'dhcpClass' + DESC 'Represents information about a collection of related clients.' + SUP top + MUST cn + MAY ( dhcpSubClassesDN $ dhcpOptionsDN $ dhcpStatements $ dhcpComments $ dhcpOption ) + ) +objectClasses: ( + 2.16.840.1.113719.1.203.6.8 + NAME 'dhcpSubClass' + DESC 'Represents information about a collection of related classes.' + SUP top + MUST cn + MAY ( dhcpClassData $ dhcpOptionsDN $ dhcpStatements $ dhcpComments $ dhcpOption ) + ) +objectClasses: ( + 2.16.840.1.113719.1.203.6.9 + NAME 'dhcpOptions' + DESC 'Represents information about a collection of options defined.' + SUP top + AUXILIARY + MUST cn + MAY ( dhcpOption $ dhcpComments ) + ) +objectClasses: ( + 2.16.840.1.113719.1.203.6.10 + NAME 'dhcpLeases' + DESC 'This class represents an IP Address, which may or may not have been leased.' 
+ SUP top + MUST ( cn $ dhcpAddressState ) + MAY ( dhcpExpirationTime $ dhcpStartTimeOfState $ dhcpLastTransactionTime $ dhcpBootpFlag $ dhcpDomainName $ dhcpDnsStatus $ dhcpRequestedHostName $ dhcpAssignedHostName $ dhcpReservedForClient $ dhcpAssignedToClient $ dhcpRelayAgentInfo $ dhcpHWAddress ) + ) +objectClasses: ( + 2.16.840.1.113719.1.203.6.11 + NAME 'dhcpLog' + DESC 'This is the object that holds past information about the IP address. The cn is the time/date stamp when the address was assigned or released, the address state at the time, if the address was assigned or released.' + SUP top + MUST ( cn ) + MAY ( dhcpAddressState $ dhcpExpirationTime $ dhcpStartTimeOfState $ dhcpLastTransactionTime $ dhcpBootpFlag $ dhcpDomainName $ dhcpDnsStatus $ dhcpRequestedHostName $ dhcpAssignedHostName $ dhcpReservedForClient $ dhcpAssignedToClient $ dhcpRelayAgentInfo $ dhcpHWAddress $ dhcpErrorLog ) + ) +objectClasses: ( + 2.16.840.1.113719.1.203.6.12 + NAME 'dhcpServer' + DESC 'DHCP Server Object' + SUP top + MUST ( cn ) + MAY ( dhcpServiceDN $ dhcpLocatorDN $ dhcpVersion $ dhcpImplementation $ dhcpHashBucketAssignment $ dhcpDelayedServiceParameter $ dhcpMaxClientLeadTime $ dhcpFailOverEndpointState $ dhcpStatements $ dhcpComments $ dhcpOption ) + ) +objectClasses: ( + 2.16.840.1.113719.1.203.6.13 + NAME 'dhcpTSigKey' + DESC 'TSIG key for secure dynamic updates' + SUP top + MUST ( cn $ dhcpKeyAlgorithm $ dhcpKeySecret ) + MAY ( dhcpComments ) + ) +objectClasses: ( + 2.16.840.1.113719.1.203.6.14 + NAME 'dhcpDnsZone' + DESC 'DNS Zone for updating leases' + SUP top + MUST ( cn $ dhcpDnsZoneServer ) + MAY ( dhcpKeyDN $ dhcpComments ) + ) +objectClasses: ( + 2.16.840.1.113719.1.203.6.15 + NAME 'dhcpFailOverPeer' + DESC 'This class defines the Fail over peer' + SUP top + MUST ( cn $ dhcpFailOverPrimaryServer $ dhcpFailOverSecondaryServer $ dhcpFailoverPrimaryPort $ dhcpFailOverSecondaryPort ) + MAY ( dhcpFailOverResponseDelay $ dhcpFailOverUnackedUpdates $ 
dhcpMaxClientLeadTime $ dhcpFailOverSplit $ dhcpHashBucketAssignment $ dhcpFailOverLoadBalanceTime $ dhcpComments ) + ) +objectClasses: ( + 2.16.840.1.113719.1.203.6.16 + NAME 'dhcpLocator' + DESC 'Locator object for DHCP configuration in the tree. There will be a single dhcpLocator object in the tree with links to all the DHCP objects in the tree' + SUP top + MUST ( cn ) + MAY ( dhcpServiceDN $dhcpServerDN $ dhcpSharedNetworkDN $ dhcpSubnetDN $ dhcpPoolDN $ dhcpGroupDN $ dhcpHostDN $ dhcpClassesDN $ dhcpKeyDN $ dhcpZoneDN $ dhcpFailOverPeerDN $ dhcpOption $ dhcpComments ) + ) diff --git a/install/share/Makefile.am b/install/share/Makefile.am index 68c98e05a9986a4fff1a2070bb9e3c104937b21b..7d9c9288fbc114657824cc6c00990827ad1daa36 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -10,6 +10,7 @@ app_DATA = \ 60basev3.ldif \ 60ipadns.ldif \ 61kerberos-ipav3.ldif \ + 60dhcpd.ldif \ 65ipasudo.ldif \ anonymous-vlv.ldif \ bootstrap-template.ldif \ @@ -20,6 +21,7 @@ app_DATA = \ replica-acis.ldif \ ds-nfiles.ldif \ dns.ldif \ + dhcpd.ldif \ kerberos.ldif \ indices.ldif \ bind.named.conf.template \ diff --git a/install/share/dhcpd.ldif b/install/share/dhcpd.ldif new file mode 100644 index 0000000000000000000000000000000000000000..6995f44dd1495bdc2a8ebf1d2cabe4244856ab6b --- /dev/null +++ b/install/share/dhcpd.ldif 
@@ -0,0 +1,90 @@ +dn: cn=dhcpHWAddress,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config +changetype: add +objectClass:top +objectClass:nsIndex +cn:dhcpHWAddress +nsSystemIndex:false +nsIndexType:eq + +dn: cn=dhcpClassData,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config +changetype: add +objectClass:top +objectClass:nsIndex +cn:dhcpClassData +nsSystemIndex:false +nsIndexType:eq + +dn: $SUFFIX +changetype: modify +add: aci +#aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:add dns entries";allow (add) groupdn = "ldap:///cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX";) +#aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:remove dns entries";allow (delete) groupdn = "ldap:///cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX";) +#aci: (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:update dns entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";) +#aci: (targetattr = "idnsforwardpolicy || idnsforwarders || idnsallowsyncptr || idnszonerefresh || idnspersistentsearch")(target = "ldap:///cn=dns,$SUFFIX")(version 3.0;acl "permission:Write DNS Configuration";allow (write) groupdn = "ldap:///cn=Write DNS Configuration,cn=permissions,cn=pbac,$SUFFIX";) + 
+dn: cn=DHCP Administrators,cn=privileges,cn=pbac,$SUFFIX +changeType: add +objectClass: groupofnames +objectClass: nestedgroup +objectClass: top +cn: DHCP Administrators + +dn: cn=DHCP Servers,cn=privileges,cn=pbac,$SUFFIX +changeType: add +objectClass: groupofnames +objectClass: nestedgroup +objectClass: top +cn: DHCP Servers + +dn: cn=Read DHCP configuration,cn=permissions,cn=pbac,$SUFFIX +changeType: add +objectClass: groupofnames +objectClass: nestedgroup +objectClass: top +cn: Read DHCP configuration +member: cn=DHCP Servers,cn=privileges,cn=pbac,$SUFFIX +member: cn=DHCP Administrators,cn=privileges,cn=pbac,$SUFFIX + +dn: cn=Read DHCP leases,cn=permissions,cn=pbac,$SUFFIX +changeType: add +objectClass: groupofnames +objectClass: nestedgroup +objectClass: top +cn: Read DHCP leases +member: cn=DHCP Servers,cn=privileges,cn=pbac,$SUFFIX +member: cn=DHCP Administrators,cn=privileges,cn=pbac,$SUFFIX + +dn: cn=Write DHCP configuration,cn=permissions,cn=pbac,$SUFFIX +changeType: add +objectClass: groupofnames +objectClass: nestedgroup +objectClass: top +cn: Write DHCP configuration +member: cn=DHCP Administrators,cn=privileges,cn=pbac,$SUFFIX + +dn: cn=Write DHCP leases,cn=permissions,cn=pbac,$SUFFIX +changeType: add +objectClass: groupofnames +objectClass: nestedgroup +objectClass: top +cn: Write DHCP leases +member: cn=DHCP Servers,cn=privileges,cn=pbac,$SUFFIX + +dn: cn=dhcp,dc=dev,$SUFFIX +changeType: add +objectclass: nsContainer +objectclass: top +cn: dhcp + +dn: cn=v4servers,cn=dhcp,$SUFFIX +changeType: add +objectclass: nsContainer +objectclass: top +cn: v4 + +dn: cn=v6servers,cn=dhcp,$SUFFIX +changeType: add +objectclass: nsContainer +objectclass: top +cn: v6 + diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am index 7f1504cd59f7959d25ee291bbe7bc4d461f22c8c..e9aae9915cfaaa6b009343715a08a5f21991603f 100644 --- a/install/tools/Makefile.am +++ b/install/tools/Makefile.am 
@@ -7,6 +7,7 @@ SUBDIRS = \ sbin_SCRIPTS = \ ipa-ca-install \ ipa-dns-install \ + ipa-dhcp-install \ ipa-server-install \ ipa-adtrust-install \ ipa-replica-conncheck \ diff --git a/install/tools/ipa-dhcp-install b/install/tools/ipa-dhcp-install new file mode 100644 index 0000000000000000000000000000000000000000..0a2ffcaba6eb3349b2efdb20b5d370d5b73141d8 --- /dev/null +++ b/install/tools/ipa-dhcp-install @@ -0,0 +1,24 @@ +#! /usr/bin/python -E +# Authors: William Brown +# Based on ipa-server-install by Karl MacMillan +# +# Copyright (C) 2007 - 2009 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +#Setup options parsing. + +#Pass the options to our DHCP instance setup tool. diff --git a/ipalib/constants.py b/ipalib/constants.py index 8f87a18eef80e9824203aedf50e29e9819ae7c18..8c63bf796b0ea47f78a53aefcdea7448000e3355 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -104,6 +104,7 @@ DEFAULT_CONFIG = ( ('container_cifsdomains', 'cn=ad,cn=etc'), ('container_trusts', 'cn=trusts'), ('container_adtrusts', 'cn=ad,cn=trusts'), + ('container_dhcp', 'cn=dhcp'), # Ports, hosts, and URIs: # FIXME: let's renamed xmlrpc_uri to rpc_xml_uri diff --git a/ipalib/plugins/dhcp.py b/ipalib/plugins/dhcp.py new file mode 100644 index 0000000000000000000000000000000000000000..8999624b3b91a391e9706568e4bfb21e91335a2d --- /dev/null 
+++ b/ipalib/plugins/dhcp.py 
@@ -0,0 +1,601 @@ +# Authors: William Brown +# +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +from ipalib.plugins.baseldap import * +from ipalib import _, api, errors + +__doc__ = _(""" +""") + + + +class dhcpserver(LDAPObject): + container_dn = api.env.container_dhcp + object_name = _('Dhcp Server') + object_name_plural = _('Dhcp Servers') + object_class = ['dhcpServer', 'top'] + default_attributes = ['cn'] + #uuid_attribute + #rdn_attribute + #attributer_members + label = _('Dhcp Servers') + label_singular = _('Dhcp Server') + takes_params = ( + Str('cn', + cli_name='dhcp_server_name', + label=_('Dhcp Server name'), + primary_key=True, + ), + Str('dhcpservicedn', + cli_name='dhcp_server_service_dn', + label=_('Dhcp Server Service DN'), + primary_key=False, + ), + Str('dhcplocatordn', + cli_name='dhcp_server_locator_dn', + label=_('Dhcp Server Locator DN'), + primary_key=False, + ), + Str('dhcpversion', + cli_name='dhcp_server_version', + label=_('Dhcp Server Version'), + primary_key=False, + ), + Str('dhcpimplementation', + cli_name='dhcp_server_implementation', + label=_('Dhcp Server implementation'), + primary_key=False, + ), + Str('dhcphashbucketassignment', + cli_name='dhcp_server_hash_bucket_assignment', + label=_('Dhcp Server Hash bucket assignment'), + primary_key=False, + ), + 
Str('dhcpdelayedserviceparameter', + cli_name='dhcp_server_delayed_service_parameter', + label=_('Dhcp Server Delayed Service Parameter'), + primary_key=False, + ), + Str('dhcpmaxclientleadtime', + cli_name='dhcp_server_max_client_lead_time', + label=_('Dhcp Server Max Client Lead Time'), + primary_key=False, + ), + Str('dhcpfailoverendpointstate', + cli_name='dhcp_server_fail_over_endpoint_state', + label=_('Dhcp Server Fail Over Endpoint State'), + primary_key=False, + ), + Str('dhcpstatements', + cli_name='dhcp_server_statements', + label=_('Dhcp Server Statements'), + primary_key=False, + ), + Str('dhcpcomments', + cli_name='dhcp_server_comments', + label=_('Dhcp Server Comments'), + primary_key=False, + ), + Str('dhcpoption', + cli_name='dhcp_server_option', + label=_('Dhcp Server Option'), + primary_key=False, + ), + + ) + +api.register(dhcpserver) + +class dhcpservice(LDAPObject): + container_dn = api.env.container_dhcp + object_name = _('Dhcp Service') + object_name_plural = _('Dhcp Servicess') + object_class = ['dhcpService', 'top'] + default_attributes = ['cn'] + #uuid_attribute + #rdn_attribute + #attributer_members + label = _('Dhcp Services') + label_singular = _('Dhcp Service') + takes_params = ( + Str('cn', + cli_name='dhcp_service_name', + label=_('Dhcp Service Name'), + primary_key=True, + ), + Str('dhcpprimarydn', + cli_name='dhcp_service_primary_dn', + label=_('Dhcp Service Primary DN'), + primary_key=False, + ), + Str('dhcpsecondarydn', + cli_name='dhcp_service_secondary_dn', + label=_('Dhcp Service Secondary DN'), + primary_key=False, + ), + Str('dhcpserverdn', + cli_name='dhcp_service_server_dn', + label=_('Dhcp Service Server DN'), + primary_key=False, + ), + Str('dhcpsharednetworkdn', + cli_name='dhcp_service_shared_network_dn', + label=_('Dhcp Service Shared Network DN'), + primary_key=False, + ), + Str('dhcpsubnetdn', + cli_name='dhcp_service_subnet_dn', + label=_('Dhcp Service Subnet DN'), + primary_key=False, + ), + Str('dhcpgroupdn', + 
cli_name='dhcp_service_group_dn', + label=_('Dhcp Service Group DN'), + primary_key=False, + ), + Str('dhcphostdn', + cli_name='dhcp_service_host_dn', + label=_('Dhcp Service Host DN'), + primary_key=False, + ), + Str('dhcpclassesdn', + cli_name='dhcp_service_classes_dn', + label=_('Dhcp Service Classes DN'), + primary_key=False, + ), + Str('dhcpoptionsdn', + cli_name='dhcp_service_options_dn', + label=_('Dhcp Service Options DN'), + primary_key=False, + ), + Str('dhcpzonedn', + cli_name='dhcp_service_zone_dn', + label=_('Dhcp Service Zone DN'), + primary_key=False, + ), + Str('dhcpkeydn', + cli_name='dhcp_service_key_dn', + label=_('Dhcp Service Key DN'), + primary_key=False, + ), + Str('dhcpfailoverpeerdn', + cli_name='dhcp_service_fail_over_peer_dn', + label=_('Dhcp Service Fail Over Peer DN'), + primary_key=False, + ), + Str('dhcpstatements', + cli_name='dhcp_service_statements', + label=_('DHcp Service Statements'), + primary_key=False, + ), + Str('dhcpcomments', + cli_name='dhcp_service_comments', + label=_('Dhcp Service Comments'), + primary_key=False, + ), + Str('dhcpoption', + cli_name='dhcp_service_option', + label=_('Dhcp Service Option'), + primary_key=False, + ), + + ) + +api.register(dhcpservice) + +class dhcpfailoverpeer(LDAPObject): + container_dn = api.env.container_dhcp + object_name = _('Dhcp Fail Over Peer') + object_name_plural = _('Dhcp Fail Over Peers') + object_class = ['dhcpServer', 'top'] + default_attributes = ['cn', + 'dhcpFailOverPrimaryServer', + 'dhcpFailOverSecondaryServer', + 'dhcpFailOverPrimaryPort', + 'dhcpFailOvreSecondaryPort',] + #uuid_attribute + #rdn_attribute + #attributer_members + label = _('Dhcp Fail Over Peers') + label_singular = _('Dhcp Fail Over Peer') + takes_params = ( + Str('cn', + cli_name='dhcp_fail_over_peer_name', + label=_('Dhcp Fail Over Peer Name'), + primary_key=True, + ), + Str('dhcpfailoverprimaryserver', + cli_name='dhcp_fail_over_primary_server', + label=_('Dhcp Fail Over Primary Server'), + 
primary_key=False, + ), + Str('dhcpfailoversecondaryserver', + cli_name='dhcp_fail_over_secondary_server', + label=_('Dhcp Fail Over Secondary Server'), + primary_key=False, + ), + Str('dhcpfailoverprimaryport', + cli_name='dhcp_fail_over_primary_port', + label=_('Dhcp Fail Over Primary Port'), + primary_key=False, + ), + Str('dhcpfailoversecondaryport', + cli_name='dhcp_fail_over_secondary_port', + label=_('Dhcp Fail Over Secondary Port'), + primary_key=False, + ), + Str('dhcpfailoverresponsedelay', + cli_name='dhcp_fail_over_response_delay', + label=_('Dhcp Fail Over Response Delay'), + primary_key=False, + ), + Str('dhcpfailoverunackedupdates', + cli_name='dhcp_fail_over_unacked_updates', + label=_('Dhcp Fail Over Unacked Updates'), + primary_key=False, + ), + Str('dhcpmaxclientleadtime', + cli_name='dhcp_fail_over_max_client_lead_time', + label=_('Dhcp Fail Over Max Client Lead Time'), + primary_key=False, + ), + Str('dhcpfailoversplit', + cli_name='dhcp_fail_over_split', + label=_('Dhcp Fail Over Split'), + primary_key=False, + ), + Str('dhcphashbucketassignment', + cli_name='dhcp_fail_over_hash_bucket_assignment', + label=_('Dhcp Fail Over Hash Bucket Assignment'), + primary_key=False, + ), + Str('dhcpfailoverloadbalancetime', + cli_name='dhcp_fail_over_load_balance_time', + label=_('Dhcp Fail Over Load Balance Time'), + primary_key=False, + ), + Str('dhcpcomments', + cli_name='dhcp_fail_over_comments', + label=_('Dhcp Fail Over Comments'), + primary_key=False, + ), + + ) + +api.register(dhcpfailoverpeer) + +class dhcpsharednetwork(LDAPObject): + container_dn = api.env.container_dhcp + object_name = _('Dhcp Shared Network') + object_name_plural = _('Dhcp Shared Networks') + object_class = ['dhcpServer', 'top'] + default_attributes = ['cn'] + #uuid_attribute + #rdn_attribute + #attributer_members + label = _('Dhcp Shared Networks') + label_singular = _('Dhcp Shared Network') + takes_params = ( + Str('cn', + cli_name='dhcp_shared_network_name', + label=_('Dhcp 
Shared Network Name'), + primary_key=True, + ), + Str('dhcpsubnetdn', + cli_name='dhcp_shared_network_subnet_dn', + label=_('Dhcp Shared Network Subnet DN'), + primary_key=False, + ), + Str('dhcppooldn', + cli_name='dhcp_shared_network_pool_dn', + label=_('Dhcp Shared Network Pool DN'), + primary_key=False, + ), + Str('dhcpoptionsdn', + cli_name='dhcp_shared_network_options_dn', + label=_('Dhcp Shared Network Options DN'), + primary_key=False, + ), + Str('dhcpzonedn', + cli_name='dhcp_shared_network_zone_dn', + label=_('Dhcp Shared Network Zone DN'), + primary_key=False, + ), + Str('dhcpstatements', + cli_name='dhcp_shared_network_statements', + label=_('Dhcp Shared Network Statements'), + primary_key=False, + ), + Str('dhcpcomments', + cli_name='dhcp_shared_network_comments', + label=_('Dhcp Shared Network Comments'), + primary_key=False, + ), + Str('dhcpoption', + cli_name='dhcp_shared_network_option', + label=_('Dhcp Shared Network Option'), + primary_key=False, + ), + + ) + +api.register(dhcpsharednetwork) + +class dhcpsubnet(LDAPObject): + container_dn = api.env.container_dhcp + object_name = _('Dhcp Subnet') + object_name_plural = _('Dhcp Subnets') + object_class = ['dhcpSubnet', 'dhcpOptions', 'top'] + default_attributes = ['cn', 'dhcpNetMask'] + #uuid_attribute + #rdn_attribute + #attributer_members + label = _('Dhcp Subnets') + label_singular = _('Dhcp Subnet') + takes_params = ( + Str('cn', + cli_name='dhcp_subnet_name', + label=_('Dhcp Subnet Name'), + primary_key=True, + ), + Str('dhcpnetmask', + cli_name='dhcp_subnet_netmask', + label=_('Dhcp Subnet Netmask'), + primary_key=False, + ), + Str('dhcprange', + cli_name='dhcp_subnet_range', + label=_('Dhcp Subnet Range'), + primary_key=False, + ), + Str('dhcppooldn', + cli_name='dhcp_subnet_pool_dn', + label=_('Dhcp Subnet Pool DN'), + primary_key=False, + ), + Str('dhcpgroupdn', + cli_name='dhcp_subnet_group_dn', + label=_('Dhcp Subnet Group DN'), + primary_key=False, + ), + Str('dhcphostdn', + 
cli_name='dhcp_subnet_host_dn', + label=_('Dhcp Subnet Host DN'), + primary_key=False, + ), + Str('dhcpclassesdn', + cli_name='dhcp_subnet_classes_dn', + label=_('Dhcp Subnet Classes DN'), + primary_key=False, + ), + Str('dhcpleasesdn', + cli_name='dhcp_subnet_leases_dn', + label=_('Dhcp Subnet Leases DN'), + primary_key=False, + ), + Str('dhcpoptionsdn', + cli_name='dhcp_subnet_options_dn', + label=_('Dhcp Subnet Options DN'), + primary_key=False, + ), + Str('dhcpzonedn', + cli_name='dhcp_subnet_zone_dn', + label=_('Dhcp Subnet Zone DN'), + primary_key=False, + ), + Str('dhcpkeydn', + cli_name='dhcp_subnet_key_dn', + label=_('Dhcp Subnet Key DN'), + primary_key=False, + ), + Str('dhcpfailoverpeerdn', + cli_name='dhcp_subnet_fail_over_peer_dn', + label=_('Dhcp Subnet Fail Over Peer DN'), + primary_key=False, + ), + Str('dhcpstatements', + cli_name='dhcp_subnet_statements', + label=_('Dhcp Subnet Statements'), + primary_key=False, + ), + Str('dhcpcomments', + cli_name='dhcp_subnet_comments', + label=_('Dhcp Subnet Comments'), + primary_key=False, + ), + Str('dhcpoption', + cli_name='dhcp_subnet_option', + label=_('Dhcp Subnet Option'), + primary_key=False, + ), + + ) + +api.register(dhcpsubnet) + +class dhcppool(LDAPObject): + container_dn = api.env.container_dhcp + object_name = _('Dhcp Pool') + object_name_plural = _('Dhcp Pools') + object_class = ['dhcpPool', 'top'] + default_attributes = ['cn', 'dhcpRange'] + #uuid_attribute + #rdn_attribute + #attributer_members + label = _('Dhcp Pools') + label_singular = _('Dhcp Pool') + takes_params = ( + Str('cn', + cli_name='dhcp_pool_name', + label=_('Dhcp Pool Name'), + primary_key=True, + ), + Str('dhcprange', + cli_name='dhcp_pool_range', + label=_('Dhcp Pool Range'), + primary_key=False, + ), + Str('dhcpclassesdn', + cli_name='dhcp_pool_classes_dn', + label=_('Dhcp Pool Classes DN'), + primary_key=False, + ), + Str('dhcppermitlist', + cli_name='dhcp_pool_permit_list', + label=_('Dhcp Pool Permit List'), + 
primary_key=False, + ), + Str('dhcpleasesdn', + cli_name='dhcp_pool_leases_dn', + label=_('Dhcp Pool Leases DN'), + primary_key=False, + ), + Str('dhcpoptionsdn', + cli_name='dhcp_pool_options_dn', + label=_('Dhcp Pool Options DN'), + primary_key=False, + ), + Str('dhcpzonedn', + cli_name='dhcp_pool_zone_dn', + label=_('Dhcp Pool Zone DN'), + primary_key=False, + ), + Str('dhcpkeydn', + cli_name='dhcp_pool_key_dn', + label=_('Dhcp Pool Key DN'), + primary_key=False, + ), + Str('dhcpstatements', + cli_name='dhcp_pool_statements', + label=_('Dhcp Pool Statements'), + primary_key=False, + ), + Str('dhcpcomments', + cli_name='dhcp_pool_comments', + label=_('Dhcp Pool Comments'), + primary_key=False, + ), + Str('dhcpoption', + cli_name='dhcp_pool_option', + label=_('Dhcp Pool Option'), + primary_key=False, + ), + + ) + +api.register(dhcppool) + +class dhcpgroup(LDAPObject): + container_dn = api.env.container_dhcp + object_name = _('Dhcp Group') + object_name_plural = _('Dhcp Groups') + object_class = ['dhcpGroup', 'top'] + default_attributes = ['cn'] + #uuid_attribute + #rdn_attribute + #attributer_members + label = _('Dhcp Groups') + label_singular = _('Dhcp Group') + takes_params = ( + Str('cn', + cli_name='dhcp_group_name', + label=_('Dhcp Group Name'), + primary_key=True, + ), + Str('dhcphostdn', + cli_name='dhcp_group_host_dn', + label=_('Dhcp Group Host DN'), + primary_key=False, + ), + Str('dhcpoptionsdn', + cli_name='dhcp_group_options_dn', + label=_('Dhcp Group Options DN'), + primary_key=False, + ), + Str('dhcpstatements', + cli_name='dhcp_group_statements', + label=_('Dhcp Group Statements'), + primary_key=False, + ), + Str('dhcpcomments', + cli_name='dhcp_group_comments', + label=_('Dhcp Group Comments'), + primary_key=False, + ), + Str('dhcpoption', + cli_name='dhcp_group_option', + label=_('Dhcp Group Option'), + primary_key=False, + ), + + ) + +api.register(dhcpgroup) + +class dhcphost(LDAPObject): + container_dn = api.env.container_dhcp + object_name = 
_('Dhcp Host') + object_name_plural = _('Dhcp Hosts') + object_class = ['dhcpHost', 'top'] + default_attributes = ['cn'] + #uuid_attribute + #rdn_attribute + #attributer_members + label = _('Dhcp Hosts') + label_singular = _('Dhcp Host') + takes_params = ( + Str('cn', + cli_name='dhcp_host_name', + label=_('Dhcp Host Name'), + primary_key=True, + ), + Str('dhcpleasedn', + cli_name='dhcp_host_lease_dn', + label=_('Dhcp Host Lease DN'), + primary_key=False, + ), + Str('dhcphwaddress', + cli_name='dhcp_host_hwaddress', + label=_('Dhcp Host HWAddress'), + primary_key=False, + ), + Str('dhcpoptionsdn', + cli_name='dhcp_host_options_dn', + label=_('Dhcp Host Options DN'), + primary_key=False, + ), + Str('dhcpstatements', + cli_name='dhcp_host_statements', + label=_('Dhcp Host Statements'), + primary_key=False, + ), + Str('dhcpcomments', + cli_name='dhcp_host_comments', + label=_('Dhcp Host Comments'), + primary_key=False, + ), + Str('dhcpoption', + cli_name='dhcp_host_option', + label=_('Dhcp Host Option'), + primary_key=False, + ), + + ) + +api.register(dhcphost) diff --git a/ipaserver/install/Makefile.am b/ipaserver/install/Makefile.am index 9fcad4e77c93cf44ed5fcf3ff793233ba35482c1..08829e2ed9622c9e1b8601c1d657fe324bb328d2 100644 --- a/ipaserver/install/Makefile.am +++ b/ipaserver/install/Makefile.am @@ -5,6 +5,7 @@ app_PYTHON = \ __init__.py \ bindinstance.py \ cainstance.py \ + dhcpinstance.py \ dsinstance.py \ ipaldap.py \ krbinstance.py \ diff --git a/ipaserver/install/dhcpinstance.py b/ipaserver/install/dhcpinstance.py new file mode 100644 index 0000000000000000000000000000000000000000..4c3255cc8efd4a9fbd7a1437d7ebb0c1c83e5003 --- /dev/null +++ b/ipaserver/install/dhcpinstance.py 
@@ -0,0 +1,134 @@ +# Authors: William Brown +# +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import installutils +import ldap +import service + +import ipalib +from ipalib import api, util, errors +from ipapython import sysrestore + +def _ldap_object_exists(conn, dn): + try: + conn.search_ext_s(dn, ldap.SCOPE_BASE) + except ldap.NO_SUCH_OBJECT: + return False + else: + return True + +class DhcpInstance(service.Service): + def __init__(self, fstore=None, dm_password=None): + service.Service.__init__(self, "dhcpd", dm_password=dm_password) + if fstore: + self.fstore = fstore + else: + self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') + + def setup(self, fqdn, ipaddress, v4=False, v6=False, location="Default"): + self.fqdn = fqdn + self.ipaddress = ipaddress + self.location = location + self.v4 = v4 + self.v6 = v6 + + def create_instance(self): + try: + self.stop() + except: + pass + + #self.ldap_connect() + #Check if we already have the DHCP container setup. If not, install it. + # This is also a check of the permissions of the use we are running as. + if not self._check_dhcp_container(): + self.step("Creating base DHCP objects", self.__setup_dhcp_ldap) + elif self._check_dhcp_preinstalled(): + #We need to throw an error here. + pass + # Create the specified location, or create "default" location. 
Check that there are not 2 servers already in this location with the type of instance we want. + if not self._check_dhcp_location(): + self.step("Creating location %s" % self.location, self.__create_location) + # + # Now, we check if -v4 was specified. If yes, we install a dhcpv4 server instance on this server. + # If -v6 was specificed, we install a dhcp6 instance into this location. + # + # If this machine does not yet have a generic account for accessing the DHCP as a server, we need to add it, and add the permission to this account for DHCP server read, and leases write. + # + if self.v4: + self.step("Creating dhcp instance", self.__create_v4_instance) + if self.v6: + self.step("Creating dhcp6 instance", self.__create_v6_instance) + if self.v4: + self.step("Starting dhcp", self.__start_dhcp) + self.step("Registering dhcp to start at boot", self.__enable_dhcp) + if self.v6: + self.step("Starting dhcp6", self.__start_dhcp6) + self.step("Resgistering dhcp6 to start at boot", self.__enable_dhcp6) + # Post install we need to warn the user about opening certain firewall ports. + # If v4, we need port 68 for outbound / inbound for DHCP + # If v6, we need port 546 (I think) For ipv6 on a specific fe80::/16 subnet. + self.start_creation("Configuring dhcp:") + + def uninstall(self): + pass + + def __create_location(self): + #This should be calling the ipa.api.command.dhcp_addlocation + #This addition of a location adds the v4 and v6 branches + pass + + def __create_v4_instance(self): + #This should add the server to the ldap, in the cn=v4,cn=dhcp, with the correct DHCPServer objects. + #This should then create the relevant files on disk for this server. + pass + + def __create_v6_instance(self): + #This should add the server to the ldap in the cn=v6,cn=dhcp container, with the correct DHCP server objects. + #This should create the relevant files on disk for this server. 
+ pass + + def __start_dhcp(self): + pass + + def __start_dhcp6(self): + pass + + def __enable_dhcp(self): + pass + + def __enable_dhcp6(self): + pass + + def _check_dhcp_container(self): + #Check that our dhcp container exists cn=dhcp,dc=foo,dc=bar + pass + + def _check_dhcp_location(self): + #Check the location exists. + #Check that there are not more than 2 servers already in this location. This will need to be done by checking their configuration dns + pass + + def _check_dhcp_preinstalled(self): + pass + + def __setup_dhcp_ldap(self): + #sub_dict is list of WORDS in the ldif to replace. + #self._ldap_mod("dhcpd.ldif", self.sub_dict + pass diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index fb620a82e0d432d50e6c40ab8a7053ced153965a..e5c2305daa7d5e0fd99e6a33b9beb1d436c972e6 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -389,6 +389,7 @@ class DsInstance(service.Service): "60basev2.ldif", "60basev3.ldif", "60ipadns.ldif", + "60dhcpd.ldif", "61kerberos-ipav3.ldif", "65ipasudo.ldif"): target_fname = schema_dirname(self.serverid) + schema_fname diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py index a3d09fcd633a851a67ef94b2025f1afb605d3d84..c21598b020639e6cd2c541ab7ff6986d6e825355 100644 --- a/ipaserver/install/service.py +++ b/ipaserver/install/service.py @@ -39,6 +39,8 @@ SERVICE_LIST = { 'KDC':('krb5kdc', 10), 'KPASSWD':('kadmin', 20), 'DNS':('named', 30), + 'DHCP':('dhcpd', 33), + 'DHCP6':('dhcpd6', 36), 'MEMCACHE':('ipa_memcached', 39), 'HTTP':('httpd', 40), 'CA':('pki-cad', 50), -- 1.7.10.2 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 945 bytes Desc: OpenPGP digital signature URL: From pspacek at redhat.com Wed Jun 27 14:07:38 2012 
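Review bot: in `DhcpInstance.create_instance` the branch `elif self._check_dhcp_preinstalled(): #We need to throw an error here. pass` does exactly what its own comment says it must not: it swallows the already-installed case and continues on to schedule `__create_location` and the v4/v6 instance steps. Raise there (or return after reporting the problem) before `start_creation` is reached. Two smaller points in the same file: `try: self.stop() except: pass` is a bare except, so it also hides KeyboardInterrupt and programming errors; catch the service-control failure the code actually expects. And every helper (`_check_dhcp_container`, `_check_dhcp_location`, `__start_dhcp`, `__setup_dhcp_ldap`, ...) is a bare `pass`, so `_check_dhcp_container()` returns None and every caller silently takes the "not present" path; if this is meant to merge as a skeleton, have the unimplemented helpers raise NotImplementedError so the install cannot appear to succeed. Minor: `installutils`, `util` and `errors` are imported but unused, and the comments read "specificed" and "Resgistering".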
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 27 Jun 2012 16:07:38 +0200
Subject: [Freeipa-devel] [PATCH 0023] SOA serial number auto incrementation
Message-ID: <4FEB13AA.1040001@redhat.com>

Hello,

this patch is the first proof-of-concept implementation of https://fedorahosted.org/bind-dyndb-ldap/ticket/67: Implement SOA serial number increments for external changes.

No optimizations are inside. SOA serial is bumped for each record after each restart, changes in root records are not handled and so on. It is really a proof-of-concept.

It uses a unix timestamp for "local" SOA serials to improve the situation with local serials. Unix timestamps should not go too far into the future as YEAR-MONTH-DAY serials do.

Please, let me know if you see some "principle" problems.

Thanks.

Petr^2 Spacek

-------------- next part --------------
A non-text attachment was scrubbed...
Name: bind-dyndb-ldap-pspacek-0023-SOA-autoincrement-feature.patch
Type: text/x-patch
Size: 4968 bytes
Desc: not available
URL:

From abokovoy at redhat.com Wed Jun 27 14:19:30 2012
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 27 Jun 2012 17:19:30 +0300
Subject: [Freeipa-devel] [PATCH] External group membership for trusted domains
In-Reply-To: <4FEAEFAB.2080604@redhat.com>
References: <20120621152602.GA28689@redhat.com> <20120625105914.GX29454@localhost.localdomain> <20120625130652.GC5935@redhat.com> <20120627095656.GB16889@redhat.com> <20120627103605.GG29454@localhost.localdomain> <4FEAEFAB.2080604@redhat.com>
Message-ID: <20120627141930.GC16889@redhat.com>

On Wed, 27 Jun 2012, Petr Viktorin wrote:
>On 06/27/2012 12:36 PM, Sumit Bose wrote:
>>On Wed, Jun 27, 2012 at 12:56:56PM +0300, Alexander Bokovoy wrote:
>>>On Mon, 25 Jun 2012, Alexander Bokovoy wrote:
>>>>On Mon, 25 Jun 2012, Sumit Bose wrote:
>>>>>Hi Alexander,
>>>>>
>>>>>On Thu, Jun 21, 2012 at 06:26:02PM +0300, Alexander Bokovoy wrote:
>>>>>>Hi!
>>>>>>
>>>>>>Attached is the patch to support external group membership for trusted domains. This is needed to get proper group membership with the work Sumit and Jan are doing on both IPA and SSSD sides.
>>>>>>
>>>>>>We already have an ipaExternalGroup class that includes an ipaExternalMember attribute (multivalued case-insensitive string). The group that has the ipaExternalGroup object class will have to be non-POSIX and the ipaExternalMember attribute will contain security identifiers (SIDs) of members from trusted domains.
>>>>>>
>>>>>>The patch takes care of three things:
>>>>>>1. Extends 'ipa group-add' with --external option to add ipaExternalGroup object class to a new group
>>>>>>2. Modifies 'ipa group-add-member' to accept --external CSV argument to specify SIDs
>>>>>>3. Modifies 'ipa group-del-member' to allow removing external members.
>>>>>
>>>>>thank you for the patch, it works as expected, but I have a few comments:
>>>>>
>>>>>- there is a trailing whitespace at the end of the "This means we can't check the correctness of a trusted domain SIDs" line
>>>>>- when using ipa group-add-member with --external there are still prompts for [member user] and [member group], can those be suppressed?
>>>>>- with ipa group-mod --posix it is possible to add the posixGroup objectclass together with a GID to the external group object. This should result in an error and also the other way round, adding --external to Posix groups.
>>>>Updated patch is attached. It fixes whitespace and group-mod.
>>>New revision.
>>
>>Thank you. This version works well in my tests, so ACK.
>>
>>It would be nice if someone can have a short look at the changes to baseldap.py to see if there are any unexpected side effects.
>>
>>bye,
>>Sumit
>>
>
>
>I'm concerned about this:
>
>        membername = entry[0].lower()
>        member_dn = api.Object[membertype].get_dn(membername)
>        if membername not in external_entries and \
>+          entry[0] not in external_entries and \
>           member_dn not in members:
>
>Do you want to do a case-insensitive compare here? In that case it would be better to do:
>
>    lowercase_external_entries = set(e.lower() for e in external_entries)
>    if membername not in lowercase_external_entries ...
>
>instead of comparing the lowercased entry and the entry itself to the original list.
>The `in` operator is also faster on a set.

Given that this list is going to be short (~a dozen members in most cases) it is affordable to produce a new set. I'll change it.

>You should also update the `elif membername in external_entries` block below this one.
>There's a similar situation in remove_external_post_callback.
>
>Anyway, if you ran into a situation where the `entry[0] not in external_entries` check is needed, there should be a test for it.
Originally this callback was forcing all references to lower case before comparing. This was applied both to existing and truly external references. However, for external references we cannot guarantee that lower case is the right one -- and, indeed, with SIDs one has to follow the SID format, which is S-1-*, so lowercasing the value is not possible as that value will be used by SSSD and other sides (DCERPC requests) which don't expect it to break the format. Thus I tried to keep the format.

I've added several tests:

1. Create group with external membership
2. Attempt to convert posix group to external one
3. Attempt to convert external group to posix
4. Attempt to add external member to it.
5. Delete external membership group to avoid disturbing other tests (group-find, etc) that depend on number of groups.

In #4 I'm only checking that we are getting exceptions -- either ValidationError or NotFound. You can't do more without setting up the full trust. Even to do that I had to introduce a new type of checker -- checkers that can be activated with an 'expected' attribute being a callable in a declarative test definition in xmlrpc tests. This is the easiest way to deal with multiple exceptions -- just define a lambda that tests various conditions and let it be executed by the checker.

>I think something is rotten with add_external_post_callback: it's defined as add_external_post_callback(... *keys, **options), but invariably called as add_external_post_callback(... keys, options).
>That existed before the patch, though, so I guess it warrants a separate ticket.
>
>
>I also have a few obligatory style nitpicks.
>
>For line continuation, instead of backslashes:
>
>        if membername not in external_entries and \
>           entry[0] not in external_entries and \
>           member_dn not in members:
>
>we prefer parentheses:
>
>        if (membername not in external_entries and
>                entry[0] not in external_entries and
>                member_dn not in members):

Don't shoot the follower, it is what was there before me.
:) Fixed.

>Instead of:
>
>    normalize = True
>    if 'external_callback_normalize' in options:
>        normalize = options['external_callback_normalize']
>
>you can use:
>
>    options.get('external_callback_normalize', True)

Fixed.

>
>And in group.py:
>
>-        'memberofindirect': ['group', 'netgroup', 'role', 'hbacrule',
>-        'sudorule'],
>+        'memberofindirect': ['group', 'netgroup', 'role', 'hbacrule', 'sudorule'],
>
>Our style guide limits lines to 80 characters. Not much of IPA follows that rule currently, but I don't see a reason for a change that *only* breaks the rule.

I find it unreadable when a single element of a list is on a separate line and also doesn't follow the logical indentation for its level.

New patch is attached.

--
/ Alexander Bokovoy
-------------- next part --------------
>From 70d1870e99ccad9ca41c3f40d380f1348b895bb6 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Wed, 20 Jun 2012 16:08:33 +0300
Subject: [PATCH 10/13] Add support for external group members

When using ipaExternalGroup/ipaExternalMember attributes it is possible to add group members which don't exist in the IPA database. This is primarily required for AD trusts support and therefore validation is accepting only secure identifier (SID) format.

https://fedorahosted.org/freeipa/ticket/2664
---
 API.txt                                |   12 ++--
 ipalib/errors.py                       |   50 +++++++++++++++
 ipalib/plugins/baseldap.py             |   23 ++++---
 ipalib/plugins/group.py                |  108 ++++++++++++++++++++++++++++++--
 ipalib/plugins/trust.py                |    4 ++
 ipaserver/dcerpc.py                    |   93 ++++++++++++++++++++++++---
 tests/test_xmlrpc/objectclasses.py     |    2 +
 tests/test_xmlrpc/test_group_plugin.py |   65 +++++++++++++++++++
 tests/test_xmlrpc/xmlrpc_test.py       |   17 +++++
 9 files changed, 351 insertions(+), 23 deletions(-)

diff --git a/API.txt b/API.txt
index 9d91832d995d605b161c13a5ec915f5d84f1d515..ccae47a947c180c0c85658bc393a0d38d4b32c0d 100644
--- a/API.txt
+++ b/API.txt
@@ -1196,13 +1196,14 @@ output: Output('total', , None) output: Output('count', , None) output: Output('summary', (, ), None) command: group_add -args: 1,8,3 +args: 1,9,3 arg: Str('cn', attribute=True, cli_name='group_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, required=True) option: Str('description', attribute=True, cli_name='desc', multivalue=False, required=True) option: Int('gidnumber', attribute=True, cli_name='gid', minvalue=1, multivalue=False, required=False) option: Str('setattr*', cli_name='setattr', exclude='webui') option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('nonposix', autofill=True, cli_name='nonposix', default=False) +option: Flag('external', autofill=True, cli_name='external', default=False) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('version?', exclude='webui') @@ -1210,8 +1211,9 @@ output: Output('summary', (, ), None) output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('value', , None) command: group_add_member -args: 1,5,3 +args: 1,6,3 arg: Str('cn', attribute=True, cli_name='group_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=True) +option: Str('ipaexternalmember*', cli_name='external', csv=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('version?', exclude='webui') 
@@ -1265,7 +1267,7 @@ output: ListOfEntries('result', (, ), Gettext('A list output: Output('count', , None) output: Output('truncated', , None) command: group_mod -args: 1,11,3 +args: 1,12,3 arg: Str('cn', attribute=True, cli_name='group_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=True) option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, required=False) option: Int('gidnumber', attribute=True, autofill=False, cli_name='gid', minvalue=1, multivalue=False, required=False) @@ -1274,6 +1276,7 @@ option: Str('addattr*', cli_name='addattr', exclude='webui') option: Str('delattr*', cli_name='delattr', exclude='webui') option: Flag('rights', autofill=True, default=False) option: Flag('posix', autofill=True, cli_name='posix', default=False) +option: Flag('external', autofill=True, cli_name='external', default=False) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('version?', exclude='webui') @@ -1282,8 +1285,9 @@ output: Output('summary', (, ), None) output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('value', , None) command: group_remove_member -args: 1,5,3 +args: 1,6,3 arg: Str('cn', attribute=True, cli_name='group_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=True) +option: Str('ipaexternalmember*', cli_name='external', csv=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('version?', exclude='webui') 
diff --git a/ipalib/errors.py b/ipalib/errors.py index 407d9f7dbcf79c47193a3087fe6efbc50728c903..c25560b8e9270a65feb5d9866f6dcc99e39675ef 100644 --- a/ipalib/errors.py +++ b/ipalib/errors.py @@ -1277,6 +1277,56 @@ class SingleMatchExpected(ExecutionError): format = _('The search criteria was not specific enough. Expected 1 and found %(found)d.') +class AlreadyExternalGroup(ExecutionError): + """ + **4028** Raised when a group is already an external member group + + For example: + + >>> raise AlreadyExternalGroup + Traceback (most recent call last): + ... + AlreadyExternalGroup: This group already allows external members + + """ + + errno = 4028 + format = _('This group already allows external members') + +class ExternalGroupViolation(ExecutionError): + """ + **4029** Raised when a group is already an external member group + and an attempt is made to use it as posix group + + For example: + + >>> raise ExternalGroupViolation + Traceback (most recent call last): + ... + ExternalGroupViolation: This group cannot be posix because it is external + + """ + + errno = 4029 + format = _('This group cannot be posix because it is external') + +class PosixGroupViolation(ExecutionError): + """ + **4030** Raised when a group is already a posix group + and cannot be converted to external + + For example: + + >>> raise PosixGroupViolation + Traceback (most recent call last): + ... + PosixGroupViolation: This is already a posix group and cannot be converted to external one + + """ + + errno = 4030 + format = _('This is already a posix group and cannot be converted to external one') + class BuiltinError(ExecutionError): """ **4100** Base class for builtin execution errors (*4100 - 4199*). diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 475222a6a30863bcc536e1746bf5b338a4e42448..b841435fdcb5e28195fd38a6792233fdc4b7e32a 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py 
@@ -362,23 +362,29 @@ def add_external_post_callback(memberattr, membertype, externalattr, ldap, compl externalattr is one of externaluser, """ completed_external = 0 + normalize = options.get('external_callback_normalize', True) # Sift through the failures. We assume that these are all # entries that aren't stored in IPA, aka external entries. if memberattr in failed and membertype in failed[memberattr]: (dn, entry_attrs_) = ldap.get_entry(dn, [externalattr]) members = entry_attrs.get(memberattr, []) external_entries = entry_attrs_.get(externalattr, []) + lc_external_entries = set(e.lower() for e in external_entries) failed_entries = [] for entry in failed[memberattr][membertype]: membername = entry[0].lower() member_dn = api.Object[membertype].get_dn(membername) - if membername not in external_entries and \ - member_dn not in members: + if (membername not in lc_external_entries and + member_dn not in members): # Not an IPA entry, assume external - external_entries.append(membername) + if normalize: + external_entries.append(membername) + else: + external_entries.append(entry[0]) + lc_external_entries.add(membername) completed_external += 1 - elif membername in external_entries and \ - member_dn not in members: + elif (membername in lc_external_entries and + member_dn not in members): # Already an external member, reset the error message msg = unicode(errors.AlreadyGroupMember().message) newerror = (entry[0], msg) @@ -409,8 +415,11 @@ def remove_external_post_callback(memberattr, membertype, externalattr, ldap, co completed_external = 0 for entry in failed[memberattr][membertype]: membername = entry[0].lower() - if membername in external_entries: - external_entries.remove(membername) + if membername in external_entries or entry[0] in external_entries: + try: + external_entries.remove(membername) + except ValueError: + external_entries.remove(entry[0]) completed_external += 1 else: failed_entries.append(membername) 
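Review bot: the two baseldap.py hunks now disagree on case handling. `add_external_post_callback` detects duplicates against `lc_external_entries` (everything lowercased), but `remove_external_post_callback` only accepts `membername` (lowercased) or `entry[0]` (exact spelling) as present in `external_entries`, so a member stored as `S-1-5-21-...` cannot be removed by a request that differs only in case, even though adding that same spelling is refused as AlreadyGroupMember. Resolve the stored value case-insensitively and remove that, e.g. `matches = [e for e in external_entries if e.lower() == membername]` followed by `external_entries.remove(matches[0])`; that also replaces the `try: remove(membername) except ValueError: remove(entry[0])` construct, which relies on an exception for ordinary control flow. Since `normalize=False` now lets `entry[0]` be stored verbatim, add the removal-by-different-case case to the tests mentioned in the cover mail.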
diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py index 65657363a463fb0ccb07133c9c84e17b15ffee42..74bea1700f16803af25c3df10a17bd7e20e37942 100644 --- a/ipalib/plugins/group.py +++ b/ipalib/plugins/group.py @@ -22,6 +22,12 @@ from ipalib import api from ipalib import Int, Str from ipalib.plugins.baseldap import * from ipalib import _, ngettext +if api.env.in_server and api.env.context in ['lite', 'server']: + try: + import ipaserver.dcerpc + _dcerpc_bindings_installed = True + except Exception, e: + _dcerpc_bindings_installed = False __doc__ = _(""" Groups of users @@ -83,11 +89,11 @@ class group(LDAPObject): object_name_plural = _('groups') object_class = ['ipausergroup'] object_class_config = 'ipagroupobjectclasses' - possible_objectclasses = ['posixGroup', 'mepManagedEntry'] + possible_objectclasses = ['posixGroup', 'mepManagedEntry', 'ipaExternalGroup'] search_attributes_config = 'ipagroupsearchfields' default_attributes = [ 'cn', 'description', 'gidnumber', 'member', 'memberof', - 'memberindirect', 'memberofindirect', + 'memberindirect', 'memberofindirect', 'ipaexternalmember', ] uuid_attribute = 'ipauniqueid' attribute_members = { @@ -139,10 +145,22 @@ class group_add(LDAPCreate): doc=_('Create as a non-POSIX group'), default=False, ), + Flag('external', + cli_name='external', + doc=_('Allow adding external non-IPA members from trusted domains'), + default=False, + ), ) def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): - if not options['nonposix']: + # As both 'external' and 'nonposix' options have default= set for + # them, they will always be present in options dict, thus we can + # safely reference the values + if options['external']: + entry_attrs['objectclass'].append('ipaexternalgroup') + if 'gidnumber' in options: + raise errors.RequirementError(name='gid') + elif not options['nonposix']: entry_attrs['objectclass'].append('posixgroup') if not 'gidnumber' in options: entry_attrs['gidnumber'] = 999 
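Review bot: in `group_add.pre_callback` the external branch raises `errors.RequirementError(name='gid')` when a gid *is* supplied together with `--external`; RequirementError tells the user the named option is required, which is the opposite of the situation (an external group is non-POSIX and cannot carry a GID). Use `errors.MutuallyExclusiveError` or a `ValidationError(name='gid', error=...)` that states the conflict. In the import hunk above it, `_dcerpc_bindings_installed` is only ever assigned inside `if api.env.in_server and api.env.context in ['lite', 'server']:`, so in any other context the name does not exist and `group_add_member.post_callback` would fail with NameError instead of the NotFound it intends to raise; assign `_dcerpc_bindings_installed = False` before the `if`. The bound `e` in `except Exception, e:` is unused and can be dropped.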
@@ -194,11 +212,18 @@ class group_mod(LDAPUpdate): cli_name='posix', doc=_('change to a POSIX group'), ), + Flag('external', + cli_name='external', + doc=_('change to support external non-IPA members from trusted domains'), + default=False, + ), ) def pre_callback(self, ldap, dn, entry_attrs, *keys, **options): - if options['posix'] or 'gidnumber' in options: + if ('posix' in options and options['posix']) or 'gidnumber' in options: (dn, old_entry_attrs) = ldap.get_entry(dn, ['objectclass']) + if 'ipaexternalgroup' in old_entry_attrs['objectclass']: + raise errors.ExternalGroupViolation() if 'posixgroup' in old_entry_attrs['objectclass']: if options['posix']: raise errors.AlreadyPosixGroup() @@ -207,6 +232,15 @@ class group_mod(LDAPUpdate): entry_attrs['objectclass'] = old_entry_attrs['objectclass'] if not 'gidnumber' in options: entry_attrs['gidnumber'] = 999 + if options['external']: + (dn, old_entry_attrs) = ldap.get_entry(dn, ['objectclass']) + if 'posixgroup' in old_entry_attrs['objectclass']: + raise errors.PosixGroupViolation() + if 'ipaexternalgroup' in old_entry_attrs['objectclass']: + raise errors.AlreadyExternalGroup() + else: + old_entry_attrs['objectclass'].append('ipaexternalgroup') + entry_attrs['objectclass'] = old_entry_attrs['objectclass'] # Can't check for this in a validator because we lack context if 'gidnumber' in options and options['gidnumber'] is None: raise errors.RequirementError(name='gid') 
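Review bot: `group_mod.pre_callback` now calls `ldap.get_entry(dn, ['objectclass'])` twice, once under the posix/gidnumber branch and again under `if options['external']:`; read `old_entry_attrs` once before both checks, which also keeps the two objectclass lists from diverging when both flags are given. The `else:` after `raise errors.AlreadyExternalGroup()` is redundant since the raise already leaves the block. The condition guards `options['posix']` with `'posix' in options` but the body reads `options['posix']` unguarded two lines later; as API.txt shows the flag with `default=False` it is always present, so either drop the guard or use `options.get('posix')` in both places rather than mixing the two styles.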
@@ -274,12 +308,64 @@ api.register(group_show) class group_add_member(LDAPAddMember): __doc__ = _('Add members to a group.') + takes_options = ( + Str('ipaexternalmember*', + cli_name='external', + label=_('External member'), + doc=_('comma-separated SIDs of members of a trusted domain'), + csv=True, + flags=['no_create', 'no_update', 'no_search'], + ), + ) + + def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options): + result = (completed, dn) + if 'ipaexternalmember' in options: + if not _dcerpc_bindings_installed: + raise errors.NotFound(name=_('AD Trust'), + reason=_('''Cannot perform external member validation without Samba 4 support installed. + Make sure you have installed server-trust-ad sub-package of IPA on the server''')) + domain_validator = ipaserver.dcerpc.DomainValidator(self.api) + if not domain_validator.is_configured(): + raise errors.NotFound(name=_('AD Trust setup'), + reason=_('''Cannot perform join operation without own domain configured. 
+ Make sure you have run ipa-adtrust-install on the IPA server first''')) + sids = [] + failed_sids = [] + for sid in options['ipaexternalmember']: + if domain_validator.is_trusted_sid_valid(sid): + sids.append(sid) + else: + failed_sids.append((sid, 'Not a trusted domain SID')) + if len(sids) == 0: + raise errors.ValidationError(name=_('external member'), + error=_('values are not recognized as valid SIDs from trusted domain')) + restore = [] + if 'member' in failed and 'group' in failed['member']: + restore = failed['member']['group'] + failed['member']['group'] = list((id,id) for id in sids) + result = add_external_post_callback('member', 'group', 'ipaexternalmember', + ldap, completed, failed, dn, entry_attrs, + keys, options, external_callback_normalize=False) + failed['member']['group'] = restore + failed_sids + return result + api.register(group_add_member) class group_remove_member(LDAPRemoveMember): __doc__ = _('Remove members from a group.') + takes_options = ( + Str('ipaexternalmember*', + cli_name='external', + label=_('External member'), + doc=_('comma-separated SIDs of members of a trusted domain'), + csv=True, + flags=['no_create', 'no_update', 'no_search'], + ), + ) + def pre_callback(self, ldap, dn, found, not_found, *keys, **options): if keys[0] == protected_group_name: result = api.Command.group_show(protected_group_name) 
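Review bot: In group_add_member.post_callback, the NotFound reason 'Cannot perform join operation without own domain configured' is copied from trust_add and refers to a join; this command adds members, so reword it, and a missing ipa-adtrust-install configuration is a server state problem rather than a missing object, which NotFound will present to the CLI as such. The `if 'member' in failed and 'group' in failed['member']` check only guards the `restore` assignment, while `failed['member']['group'] = list((id,id) for id in sids)` runs unconditionally right after it and would raise KeyError if the keys were absent; either drop the guard or put the assignment under it. `id` also shadows the builtin; `sid` reads better.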
@@ -290,6 +376,20 @@ class group_remove_member(LDAPRemoveMember): label=_(u'group'), container=protected_group_name) return dn + def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options): + result = (completed, dn) + if 'ipaexternalmember' in options: + sids = options['ipaexternalmember'] + restore = list() + if 'member' in failed and 'group' in failed['member']: + restore = failed['member']['group'] + failed['member']['group'] = list((id,id) for id in sids) + result = remove_external_post_callback('member', 'group', 'ipaexternalmember', + ldap, completed, failed, dn, entry_attrs, + keys, options) + failed['member']['group'] = restore + return result + api.register(group_remove_member) diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index 71ca23abae393fff68e366bba96050deba3d3281..40bd93e654c0365ad202abfd82e84345583459dd 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py @@ -171,6 +171,10 @@ class trust_add(LDAPCreate): realm_server = options['realm_server'] trustinstance = ipaserver.dcerpc.TrustDomainJoins(self.api) + if not trustinstance.configured: + raise errors.NotFound(name=_('AD Trust setup'), + reason=_('''Cannot perform join operation without own domain configured. + Make sure you have run ipa-adtrust-install on the IPA server first''')) # 1. Full access to the remote domain. Use admin credentials and # generate random trustdom password to do work on both sides diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index 3bc8b63af3f416cc45cb75c76fd7b9587f367e3e..07e40c2d35b41a2665232f3e6d853b47aef707bb 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py 
@@ -58,6 +58,79 @@ class ExtendedDNControl(_ldap.controls.RequestControl): def encodeControlValue(self): return '0\x03\x02\x01\x01' +class DomainValidator(object): + ATTR_FLATNAME = 'ipantflatname' + ATTR_SID = 'ipantsecurityidentifier' + ATTR_TRUSTED_SID = 'ipanttrusteddomainsid' + + def __init__(self, api): + self.api = api + self.ldap = self.api.Backend.ldap2 + self.domain = None + self.flatname = None + self.dn = None + self.sid = None + self._domains = None + + def is_configured(self): + cn_trust_local = DN(('cn', self.api.env.domain), self.api.env.container_cifsdomains, self.api.env.basedn) + try: + (dn, entry_attrs) = self.ldap.get_entry(unicode(cn_trust_local), [self.ATTR_FLATNAME, self.ATTR_SID]) + self.flatname = entry_attrs[self.ATTR_FLATNAME][0] + self.sid = entry_attrs[self.ATTR_SID][0] + self.dn = dn + self.domain = self.api.env.domain + except errors.NotFound, e: + return False + return True + + def get_trusted_domains(self): + cn_trust = DN(('cn', 'ad'), self.api.env.container_trusts, self.api.env.basedn) + try: + search_kw = {'objectClass': 'ipaNTTrustedDomain'} + filter = self.ldap.make_filter(search_kw, rules=self.ldap.MATCH_ALL) + (entries, truncated) = self.ldap.find_entries(filter=filter, base_dn=unicode(cn_trust), + attrs_list=[self.ATTR_TRUSTED_SID, 'dn']) + + return entries + except errors.NotFound, e: + return [] + + def is_trusted_sid_valid(self, sid): + if not self.domain: + # our domain is not configured or self.is_configured() never run + # reject SIDs as we can't check correctness of them + return False + # Parse sid string to see if it is really in a SID format + try: + test_sid = security.dom_sid(sid) + except TypeError: + return False + (dom, sid_rid) = test_sid.split() + sid_dom = str(dom) + # Now we have domain prefix of the sid as sid_dom string and can + # analyze it against known prefixes + if sid_dom.find(security.SID_NT_AUTHORITY) != 0: + # Ignore any potential SIDs that are not S-1-5-* + return False + if 
sid_dom.find(self.sid) == 0: + # A SID from our own domain cannot be treated as trusted domain's SID + return False + # At this point we have SID_NT_AUTHORITY family SID and really need to + # check it against prefixes of domain SIDs we trust to + if not self._domains: + self._domains = self.get_trusted_domains() + if len(self._domains) == 0: + # Our domain is configured but no trusted domains are configured + # This means we can't check the correctness of a trusted domain SIDs + return False + # We have non-zero list of trusted domains and have to go through them + # one by one and check their sids as prefixes + for (dn, domaininfo) in self._domains: + if sid_dom.find(domaininfo[self.ATTR_TRUSTED_SID][0]) == 0: + return True + return False + class TrustDomainInstance(object): def __init__(self, hostname, creds=None): @@ -247,20 +320,18 @@ class TrustDomainInstance(object): self._pipe.CreateTrustedDomainEx2(self._policy_handle, info, self.auth_info, security.SEC_STD_DELETE) class TrustDomainJoins(object): - ATTR_FLATNAME = 'ipantflatname' - def __init__(self, api): self.api = api self.local_domain = None self.remote_domain = None - self.ldap = self.api.Backend.ldap2 - cn_trust_local = DN(('cn', self.api.env.domain), self.api.env.container_cifsdomains, self.api.env.basedn) - (dn, entry_attrs) = self.ldap.get_entry(unicode(cn_trust_local), [self.ATTR_FLATNAME]) - self.local_flatname = entry_attrs[self.ATTR_FLATNAME][0] - self.local_dn = dn + domain_validator = DomainValidator(api) + self.configured = domain_validator.is_configured() - self.__populate_local_domain() + if self.configured: + self.local_flatname = domain_validator.flatname + self.local_dn = domain_validator.dn + self.__populate_local_domain() def __populate_local_domain(self): # Initialize local domain info using kerberos only 
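Review bot: In DomainValidator.is_trusted_sid_valid the trusted-domain and own-domain checks use string prefix matching (`sid_dom.find(domaininfo[self.ATTR_TRUSTED_SID][0]) == 0` and `sid_dom.find(self.sid) == 0`), so a SID whose domain part merely begins with a trusted domain's digits is accepted: S-1-5-21-1-2-3 is a prefix of S-1-5-21-1-2-34. Since `test_sid.split()` already yields the domain SID, compare the domain part for equality (`sid_dom == trusted_sid`) instead of testing a prefix, and use equality against `self.sid` as well. The same prefix test against `security.SID_NT_AUTHORITY` would also accept S-1-50-...; comparing the parsed authority value is safer. Minor: `filter` in get_trusted_domains shadows the builtin.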
@@ -308,6 +379,9 @@ class TrustDomainJoins(object): self.remote_domain = rd def join_ad_full_credentials(self, realm, realm_server, realm_admin, realm_passwd): + if not self.configured: + return None + self.__populate_remote_domain(realm, realm_server, realm_admin, realm_passwd) if not self.remote_domain.read_only: trustdom_pass = samba.generate_random_password(128, 128) @@ -317,6 +391,9 @@ class TrustDomainJoins(object): return None def join_ad_ipa_half(self, realm, realm_server, trustdom_passwd): + if not self.configured: + return None + self.__populate_remote_domain(realm, realm_server, realm_passwd=None) self.local_domain.establish_trust(self.remote_domain, trustdom_passwd) return dict(local=self.local_domain, remote=self.remote_domain) diff --git a/tests/test_xmlrpc/objectclasses.py b/tests/test_xmlrpc/objectclasses.py index a036b34dee195619ce4f2d5e557dae2d5069c700..ed3f73dbe9b92b6f138657766b15f7838b59279f 100644 --- a/tests/test_xmlrpc/objectclasses.py +++ b/tests/test_xmlrpc/objectclasses.py @@ -45,6 +45,8 @@ group = [ u'ipaobject', ] +externalgroup = group + [u'ipaexternalgroup'] + host = [ u'ipasshhost', u'ipaSshGroupOfPubKeys', diff --git a/tests/test_xmlrpc/test_group_plugin.py b/tests/test_xmlrpc/test_group_plugin.py index 9597992c5d0644cf13fea5ca2a030f49e4f600be..08cf74185bb7f30211cf94e80174e7c5853e30ca 100644 --- a/tests/test_xmlrpc/test_group_plugin.py +++ b/tests/test_xmlrpc/test_group_plugin.py @@ -28,11 +28,18 @@ from ipalib.dn import * group1 = u'testgroup1' group2 = u'testgroup2' +group3 = u'testgroup3' renamedgroup1 = u'testgroup' user1 = u'tuser1' invalidgroup1=u'+tgroup1' +# When adding external SID member to a group we can't test +# it fully due to possibly missing Samba 4 python bindings +# and/or not configured AD trusts. Thus, we'll use incorrect +# SID value to merely test that proper exceptions are raised +external_sid1=u'S-1-1-123456-789-1' + def get_group_dn(cn): return DN(('cn', cn), api.env.container_group, api.env.basedn) 
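Review bot: join_ad_full_credentials and join_ad_ipa_half now `return None` when `self.configured` is false, which is the same value join_ad_full_credentials already returns in its read-only remote domain case (the `return None` context line just above join_ad_ipa_half), so a caller cannot tell 'local domain not configured' from 'trust could not be established'; raise the same NotFound that trust_add raises, or document the None. In the test module hunk, the comment says external_sid1 is an 'incorrect SID value', but S-1-1-123456-789-1 is a well-formed SID that merely lies outside S-1-5; say that it is a non-trusted SID so the expected error is clear.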
@@ -40,6 +47,7 @@ class test_group(Declarative): cleanup_commands = [ ('group_del', [group1], {}), ('group_del', [group2], {}), + ('group_del', [group3], {}), ('user_del', [user1], {}), ] @@ -373,6 +381,63 @@ class test_group(Declarative): ), ), + ############### + # test external SID members for group3: + dict( + desc='Create external %r' % group3, + command=( + 'group_add', [group3], dict(description=u'Test desc 3',external=True) + ), + expected=dict( + value=group3, + summary=u'Added group "testgroup3"', + result=dict( + cn=[group3], + description=[u'Test desc 3'], + objectclass=objectclasses.externalgroup, + ipauniqueid=[fuzzy_uuid], + dn=lambda x: DN(x) == get_group_dn(group3), + ), + ), + ), + + + dict( + desc='Convert posix group %r to support external membership' % (group2), + command=( + 'group_mod', [group2], dict(external=True) + ), + expected=errors.PosixGroupViolation(), + ), + + + dict( + desc='Convert external members group %r to posix' % (group3), + command=( + 'group_mod', [group3], dict(posix=True) + ), + expected=errors.ExternalGroupViolation(), + ), + + + dict( + desc='Add external member %r to %r' % (external_sid1, group3), + command=( + 'group_add_member', [group3], dict(ipaexternalmember=external_sid1) + ), + expected=lambda x, output: type(x) == errors.ValidationError or type(x) == errors.NotFound, + ), + + + dict( + desc='Remove group %r with external membership' % (group3), + command=('group_del', [group3], {}), + expected=dict( + result=dict(failed=u''), + value=group3, + summary=u'Deleted group "testgroup3"', + ), + ), ############### diff --git a/tests/test_xmlrpc/xmlrpc_test.py b/tests/test_xmlrpc/xmlrpc_test.py index c279107b3e0955cd453612bfe0feeb63225d7904..5a73aba77deec20ef344196cb4a854af5d697a71 100644 --- a/tests/test_xmlrpc/xmlrpc_test.py +++ b/tests/test_xmlrpc/xmlrpc_test.py 
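Review bot: The 'Add external member' test accepts either ValidationError or NotFound through the lambda, so it passes whether the SID is rejected by DomainValidator, the Samba bindings are missing, or ipa-adtrust-install has not been run; the SID validation path is therefore never actually asserted. Prefer raising nose.SkipTest when the bindings or the trust configuration are absent and asserting ValidationError otherwise, or at least split the two outcomes into separate expectations so a regression in is_trusted_sid_valid cannot hide behind a NotFound.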
@@ -260,6 +260,8 @@ class Declarative(XMLRPC_test): raise nose.SkipTest('%r not in api.Command' % cmd) if isinstance(expected, errors.PublicError): self.check_exception(nice, cmd, args, options, expected) + elif hasattr(expected, '__call__'): + self.check_callable(nice, cmd, args, options, expected) else: self.check_output(nice, cmd, args, options, expected, extra_check) @@ -285,6 +287,21 @@ class Declarative(XMLRPC_test): # For now just compare the strings assert_deepequal(expected.strerror, e.strerror) + def check_callable(self, nice, cmd, args, options, expected): + output = dict() + try: + output = api.Command[cmd](*args, **options) + except StandardError, e: + pass + else: + raise AssertionError( + EXPECTED % (cmd, 'StandardError exception', args, options, output) + ) + if not expected(e, output): + raise AssertionError( + UNEXPECTED % (cmd, args, options, e.__class__.__name__, e) + ) + def check_output(self, nice, cmd, args, options, expected, extra_check): got = api.Command[cmd](*args, **options) assert_deepequal(expected, got, nice) -- 1.7.10.4 From abokovoy at redhat.com Wed Jun 27 14:29:07 2012 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Wed, 27 Jun 2012 17:29:07 +0300 Subject: [Freeipa-devel] [PATCH] 0055 Add error condition handling to SASL bind callback in ipasam module Message-ID: <20120627142907.GD16889@redhat.com> Hi, attached patch adds comprehensive error condition handling to SASL bind callback in ipasam module. The callback is doing keytab-based auth against FreeIPA LDAP server and original version lacked error checks on purpose. Now it is time to fix the purpose. :) -- / Alexander Bokovoy -------------- next part -------------- >From 041d1b8e49398e991f49b6709d8ae5d57f7dc93f Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy Date: Wed, 27 Jun 2012 17:11:33 +0300 Subject: [PATCH 13/13] Add error condition handling to the SASL bind callback in ipasam https://fedorahosted.org/freeipa/ticket/2877 --- daemons/ipa-sam/ipa_sam.c | 92 +++++++++++++++++++++++++++++++++++++++------ 1 file changed, 80 insertions(+), 12 deletions(-) diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c index f63ea1899e6eb994c1ef03487e0477dac6c7e504..e41cb966837da9dc73ee9a5571caa36e682903cd 100644 --- a/daemons/ipa-sam/ipa_sam.c +++ b/daemons/ipa-sam/ipa_sam.c @@ -1453,7 +1453,6 @@ static bool set_krb_princ(struct ldapsam_privates *ldap_state, int ret; uint32_t has_objectclass = 0; NTSTATUS status; - char *inp; if (!search_krb_princ(ldap_state, mem_ctx, princ, base_dn, &entry)) { return false; @@ -3102,9 +3101,6 @@ static int ldap_sasl_interact(LDAP *ld, unsigned flags, void *priv_data, void *s sasl_interact_t *in = NULL; int ret = LDAP_OTHER; struct ipasam_sasl_interact_priv *data = (struct ipasam_sasl_interact_priv*) priv_data; - krb5_context krbctx; - char *outname = NULL; - krb5_error_code krberr; if (!ld) return LDAP_PARAM_ERROR; 
@@ -3129,10 +3125,40 @@ static int ldap_sasl_interact(LDAP *ld, unsigned flags, void *priv_data, void *s return ret; } +static void bind_callback_cleanup(struct ipasam_sasl_interact_priv *data) +{ + if (!data->context) { + return; + } + + krb5_free_cred_contents(data->context, &data->creds); + + if (data->options) { + krb5_get_init_creds_opt_free(data->context, data->options); + data->options = NULL; + } + + if (data->keytab) { + krb5_kt_close(data->context, data->keytab); + data->keytab = NULL; + } + + if (data->ccache) { + krb5_cc_close(data->context, data->ccache); + data->ccache = NULL; + } + + if (data->principal) { + krb5_free_principal(data->context, data->principal); + data->principal = NULL; + } + + krb5_free_context(data->context); + data->context = NULL; +} + extern const char *lp_parm_const_string(int snum, const char *type, const char *option, const char *def); -extern void become_root(); -extern void unbecome_root(); -static int bind_callback(LDAP *ldap_struct, struct smbldap_state *ldap_state) +static int bind_callback(LDAP *ldap_struct, struct smbldap_state *ldap_state, void* ipasam_principal) { char *ccache_name = NULL; krb5_error_code rc; @@ -3140,7 +3166,7 @@ static int bind_callback(LDAP *ldap_struct, struct smbldap_state *ldap_state) struct ipasam_sasl_interact_priv data; int ret; - data.name = lp_parm_const_string(-1, "ipasam", "principal", NULL); + data.name = (const char*)ipasam_principal; if (data.name == NULL) { DEBUG(0, ("bind_callback: ipasam:principal is not set, cannot use GSSAPI bind\n")); return LDAP_LOCAL_ERROR; 
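Review bot: bind_callback_cleanup decides what to free from the values of data->options, data->keytab, data->ccache and data->principal and calls krb5_free_cred_contents on data->creds unconditionally, but `struct ipasam_sasl_interact_priv data` in bind_callback is a stack variable that is never zero-initialised, so on an early failure (for example in krb5_parse_name, before ccache, keytab, options or creds are set) the cleanup operates on garbage pointers. Zero the structure with `memset(&data, 0, sizeof(data))` before krb5_init_context, and only free creds once krb5_get_init_creds_keytab has actually been called. The signature change to `bind_callback(LDAP *, struct smbldap_state *, void *ipasam_principal)` also drops the `extern void become_root()`/`unbecome_root()` declarations; confirm nothing else in this file still relies on them.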
@@ -3149,24 +3175,67 @@ static int bind_callback(LDAP *ldap_struct, struct smbldap_state *ldap_state) data.name_len = strlen(data.name); rc = krb5_init_context(&data.context); + if (rc) { + return LDAP_LOCAL_ERROR; + } rc = krb5_parse_name(data.context, data.name, &data.principal); + if (rc) { + bind_callback_cleanup(&data); + return LDAP_LOCAL_ERROR; + } rc = krb5_cc_default(data.context, &data.ccache); + if (rc) { + bind_callback_cleanup(&data); + return LDAP_LOCAL_ERROR; + } rc = krb5_cc_initialize(data.context, data.ccache, data.principal); + if (rc) { + bind_callback_cleanup(&data); + return LDAP_LOCAL_ERROR; + } rc = krb5_cc_get_full_name(data.context, data.ccache, &ccache_name); + if (rc) { + if (ccache_name) { + krb5_free_string(data.context, ccache_name); + } + bind_callback_cleanup(&data); + return LDAP_LOCAL_ERROR; + } + rc = krb5_cc_set_default_name(data.context, ccache_name); + if (rc) { + bind_callback_cleanup(&data); + return LDAP_LOCAL_ERROR; + } rc = krb5_kt_resolve(data.context, "FILE:/etc/samba/samba.keytab", &data.keytab); + if (rc) { + bind_callback_cleanup(&data); + return LDAP_LOCAL_ERROR; + } rc = krb5_get_init_creds_opt_alloc(data.context, &data.options); + if (rc) { + bind_callback_cleanup(&data); + return LDAP_LOCAL_ERROR; + } rc = krb5_get_init_creds_opt_set_out_ccache(data.context, data.options, data.ccache); + if (rc) { + bind_callback_cleanup(&data); + return LDAP_LOCAL_ERROR; + } rc = krb5_get_init_creds_keytab(data.context, &data.creds, data.principal, data.keytab, 0, NULL, data.options); + if (rc) { + bind_callback_cleanup(&data); + return LDAP_LOCAL_ERROR; + } ret = ldap_sasl_interactive_bind_s(ldap_struct, NULL, "GSSAPI", 
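Review bot: Every new error branch in bind_callback returns LDAP_LOCAL_ERROR without recording rc, so a wrong principal, an unreadable /etc/samba/samba.keytab or an unwritable credential cache all surface identically as a failed bind with nothing in the Samba log; add a DEBUG(0, ...) with krb5_get_error_message(data.context, rc) (followed by krb5_free_error_message) before each return. ccache_name from krb5_cc_get_full_name is freed only on the krb5_cc_get_full_name failure path in this hunk; after krb5_cc_set_default_name nothing visible here releases it, so make sure it is freed with krb5_free_string on the success path and on every later error return.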
@@ -3177,10 +3246,7 @@ static int bind_callback(LDAP *ldap_struct, struct smbldap_state *ldap_state) DEBUG(0, ("bind_callback: cannot perform interactive SASL bind with GSSAPI\n")); } - krb5_get_init_creds_opt_free(data.context, data.options); - krb5_kt_close(data.context, data.keytab); - krb5_cc_close(data.context, data.ccache); - krb5_free_context(data.context); + bind_callback_cleanup(&data); return ret; } @@ -3243,6 +3309,8 @@ static NTSTATUS pdb_init_ipasam(struct pdb_methods **pdb_method, &ldap_state->smbldap_state); if (NT_STATUS_IS_OK(status)) { ldap_state->smbldap_state->bind_callback = bind_callback; + ldap_state->smbldap_state->bind_callback_data = + (void*)lp_parm_const_string(-1, "ipasam", "principal", NULL); } } -- 1.7.10.4 From pvoborni at redhat.com Wed Jun 27 14:33:26 2012 
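Review bot: In the pdb_init_ipasam hunk the principal is read from smb.conf a second time with lp_parm_const_string and its const is cast away to fit `bind_callback_data`; if pdb_init_ipasam already holds the principal in a local variable, pass that instead so the value used for the bind is the one validated at init time and the `(void*)` cast is not needed.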
From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 27 Jun 2012 16:33:26 +0200 Subject: [Freeipa-devel] [PATCH] 162 Web UI password is going to expire in n days notification In-Reply-To: <4FEA67CB.2060205@redhat.com> References: <4FE9CB2A.70704@redhat.com> <4FEA67CB.2060205@redhat.com> Message-ID: <4FEB19B6.2070408@redhat.com> On 06/27/2012 03:54 AM, Endi Sukma Dewata wrote: > On 6/26/2012 9:46 AM, Petr Vobornik wrote: >> This patch is more like a draft. >> >> I'm not sure where to display the 'password is going to expire' >> notification. >> >> I was deciding between: >> 1) red bold text in Web UI header >> 2) popup dialog after Web UI initialization >> >> I don't like unwanted pop-up dialogs so I used the first option. > > If we only support 1 short message I'd prefer option #1. Some users > might not want to reset the password immediately, so they need to be > constantly reminded about the password expiration. > > If the message is too long, or we want to support multiple messages (not > just for password expiration), we can show a message icon like in the > upper right corner of Fedora desktop. When you click it, it will open a > dialog box listing all messages. In this dialog you can delete each > message. The icon will disappear only if there's no message left. > >> I didn't make a 'password reset link' because it is done in user's >> detail page and a link there is right next to this notification. > > I'd say the message should include a link, something like this: > > Your password will expire in n days. [Reset your password]. > > The link is important because: > > * Without the link the message doesn't tell you what to do or how > to reset the password. > * Users might not realize that the [Logged In As: ] is a link > that can bring them to their profile page. > * Even if they're in the right page, they might not know there's a > reset password link in the action panel. 
> > The [Reset your password] link can open the Password Reset dialog for > the current user, regardless of the current page. To avoid confusion the > dialog probably should be changed to show the username of the user being > updated. > > What do you think? > I like it. I'll add the reset link next to the message. If we encounter more cases we can move it to the notification icon functionality. I found more non-existing options used and also #2876. I'll return to this ticket when I fix these regressions. -- Petr Vobornik From rcritten at redhat.com Wed Jun 27 14:34:25 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 27 Jun 2012 10:34:25 -0400 Subject: [Freeipa-devel] [PATCH] 1029 defer some s4u2proxy settings Message-ID: <4FEB19F1.5040704@redhat.com> Removing adding ipa-cifs-delegation-targets in an ldif. If it is needed it will be added by an update file at the end of the install. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-1029-s4u2proxy.patch Type: text/x-diff Size: 1437 bytes Desc: not available URL: From abokovoy at redhat.com Wed Jun 27 14:36:51 2012 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Wed, 27 Jun 2012 17:36:51 +0300 Subject: [Freeipa-devel] [PATCH] 0056 Support requests for DOMAIN$ account for trusted domain in ipasam module Message-ID: <20120627143651.GE16889@redhat.com> Hi, Windows 2008R2 attempts to authenticate as DOMAIN$ with trust password when trust is established. Change ipasam module to consider DOMAIN$ when checking for trusted domain accounts as current code only checks for DOMAIN. (ending with dot). https://fedorahosted.org/freeipa/ticket/2870 -- / Alexander Bokovoy -------------- next part -------------- From ae96260a95f7dadba400e2051455ed3f92d6627d Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy Date: Tue, 26 Jun 2012 12:51:17 +0300 Subject: [PATCH 11/13] Support requests for DOMAIN$ account for trusted domains in ipasam module https://fedorahosted.org/freeipa/ticket/2870 --- daemons/ipa-sam/ipa_sam.c | 33 ++++++++++++++++++++------------- 1 file changed, 20 insertions(+), 13 deletions(-) diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c index 851df8c62f0ffb159610ce0ac311463233eea497..f63ea1899e6eb994c1ef03487e0477dac6c7e504 100644 --- a/daemons/ipa-sam/ipa_sam.c +++ b/daemons/ipa-sam/ipa_sam.c @@ -2545,22 +2545,18 @@ fn_exit: static NTSTATUS getsam_interdom_trust_account(struct pdb_methods *methods, struct samu *user, - const char *sname) + const char *sname, int lastidx) { char *dom_name; struct ldapsam_privates *ldap_state = (struct ldapsam_privates *) methods->private_data; - int slen; TALLOC_CTX *tmp_ctx; struct pdb_trusted_domain *td; NTSTATUS status; - slen = strlen(sname); - if (sname[slen - 1] != '.') { - DEBUG(5, ("Requested account [%s] is not a inter domain " - "trust account.\n", sname)); - return NT_STATUS_NO_SUCH_USER; - } + /* The caller must check that (sname[lastidx] == '.') || (sname[lastidx] == '$')) + * before calling this function. + */ tmp_ctx = talloc_new(NULL); if (tmp_ctx == NULL) { @@ -2572,7 +2568,7 @@ static NTSTATUS getsam_interdom_trust_account(struct pdb_methods *methods, status = NT_STATUS_NO_MEMORY; goto done; } - dom_name[slen - 1] = '\0'; + dom_name[lastidx] = '\0'; status = ipasam_get_trusted_domain(methods, tmp_ctx, dom_name, &td); if (!NT_STATUS_IS_OK(status)) { @@ -2598,7 +2594,7 @@ static NTSTATUS ldapsam_getsampwnam(struct pdb_methods *methods, { struct ldapsam_privates *ldap_state = (struct ldapsam_privates *) methods->private_data; - int slen; + int lastidx; TALLOC_CTX *tmp_ctx; NTSTATUS status; char *filter; 
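Review bot: getsam_interdom_trust_account now writes `dom_name[lastidx] = '\0'` on the strength of a precondition that exists only as a comment ('The caller must check that ... before calling this function'); since the function no longer validates sname itself, add a cheap guard (`if (lastidx < 0 || (sname[lastidx] != '.' && sname[lastidx] != '$')) return NT_STATUS_INVALID_PARAMETER;`) so a future second caller cannot truncate the wrong byte. The comment itself has an unbalanced closing parenthesis.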
@@ -2608,9 +2604,20 @@ static NTSTATUS ldapsam_getsampwnam(struct pdb_methods *methods, int ret; int count; - slen = strlen(sname); - if (sname[slen - 1] == '.') { - return getsam_interdom_trust_account(methods, user, sname); + lastidx = strlen(sname); + if (lastidx > 0) { + lastidx--; + } else { + /* strlen() must return >= 0 so it means we've got an empty name */ + return NT_STATUS_NO_SUCH_USER; + } + if ((sname[lastidx] == '.') || (sname[lastidx] == '$')) { + status = getsam_interdom_trust_account(methods, user, sname, lastidx); + /* If last character was '$', we should ignore failure and continue + * as this could still be a machine account */ + if ((sname[lastidx] == '.') || NT_STATUS_IS_OK(status)) { + return status; + } } tmp_ctx = talloc_new(NULL); -- 1.7.10.4 From abokovoy at redhat.com Wed Jun 27 14:43:17 2012 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Wed, 27 Jun 2012 17:43:17 +0300 Subject: [Freeipa-devel] [PATCH] 1029 defer some s4u2proxy settings In-Reply-To: <4FEB19F1.5040704@redhat.com> References: <4FEB19F1.5040704@redhat.com> Message-ID: <20120627144317.GF16889@redhat.com> On Wed, 27 Jun 2012, Rob Crittenden wrote: >Removing adding ipa-cifs-delegation-targets in an ldif. If it is >needed it will be added by an update file at the end of the install. ACK. We discussed this originally when cifs delegation was created and decided to add it in both places "as it doesn't hurt". It hurts. Better now than after release. :) -- / Alexander Bokovoy From mkosek at redhat.com Wed Jun 27 14:51:23 2012 
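Review bot: With the ldapsam_getsampwnam hunk every account name ending in '$' (every machine account, not only trusted-domain DOMAIN$ accounts) now goes through getsam_interdom_trust_account, which performs an LDAP trusted-domain lookup, before the regular machine account search, so each machine logon pays an extra directory round trip and a failed-lookup log entry; consider a cheap check against the known trusted domains first, or log the '$' fallback at a low debug level. The comment 'strlen() must return >= 0 so it means we've got an empty name' is confusing since strlen returns size_t; 'empty name' is enough.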
From: mkosek at redhat.com (Martin Kosek) Date: Wed, 27 Jun 2012 16:51:23 +0200 Subject: [Freeipa-devel] [PATCH] 1029 defer some s4u2proxy settings In-Reply-To: <20120627144317.GF16889@redhat.com> References: <4FEB19F1.5040704@redhat.com> <20120627144317.GF16889@redhat.com> Message-ID: <4FEB1DEB.4060808@redhat.com> On 06/27/2012 04:43 PM, Alexander Bokovoy wrote: > On Wed, 27 Jun 2012, Rob Crittenden wrote: >> Removing adding ipa-cifs-delegation-targets in an ldif. If it is needed it >> will be added by an update file at the end of the install. > ACK. > > We discussed this originally when cifs delegation was created and > decided to add it in both places "as it doesn't hurt". It hurts. > Better now than after release. :) > I did a parallel review, replica is now installed without any error. ACK #2, pushed to master. Martin From atkac at redhat.com Wed Jun 27 15:51:11 2012 From: atkac at redhat.com (Adam Tkac) Date: Wed, 27 Jun 2012 17:51:11 +0200 Subject: [Freeipa-devel] [PATCH 0023] SOA serial number auto incrementation In-Reply-To: <4FEB13AA.1040001@redhat.com> References: <4FEB13AA.1040001@redhat.com> Message-ID: <20120627155110.GA30055@redhat.com> On Wed, Jun 27, 2012 at 04:07:38PM +0200, Petr Spacek wrote: > Hello, > > this patch is the first proof-of-concept implementation of > https://fedorahosted.org/bind-dyndb-ldap/ticket/67: Implement SOA > serial number increments for external changes. > > No optimizations are inside. SOA serial is bumped for each record > after each restart, changes in root records are not handled and so > on. It is really proof-of-concept. > > It uses unix timestamp for "local" SOA serials to improve situation > with local serials. Unix timestamps should not go too far into the future as > YEAR-MONTH-DAY serials. > > Please, let me know if you see some "principle" problems. Hello Peter, I'm fine with this approach. Regards, Adam > From c14eedd35682185702f58c3f6eaabb0237f38b15 Mon Sep 17 00:00:00 2001 
> From: Petr Spacek > Date: Wed, 27 Jun 2012 10:36:26 +0200 > Subject: [PATCH] SOA autoincrement feature Signed-off-by: Petr Spacek > > > --- > src/ldap_helper.c | 72 ++++++++++++++++++++++++++++++++++++++++++++++++++++- > 1 files changed, 71 insertions(+), 1 deletions(-) > > diff --git a/src/ldap_helper.c b/src/ldap_helper.c > index 7f0a6f4b37171a6fa4db79cd32fdd8bc62288e0f..ff84ff7256a352f776b31dd221d291234eaabae7 100644 > --- a/src/ldap_helper.c > +++ b/src/ldap_helper.c > @@ -34,6 +34,7 @@ > #include > #include > #include > +#include > > #include > #include > @@ -172,6 +173,7 @@ struct ldap_instance { > isc_boolean_t exiting; > isc_boolean_t sync_ptr; > isc_boolean_t dyn_update; > + isc_boolean_t soa_autoincrement; > }; > > struct ldap_pool { > @@ -343,6 +345,7 @@ new_ldap_instance(isc_mem_t *mctx, const char *db_name, > { "ldap_hostname", default_string("") }, > { "sync_ptr", default_boolean(ISC_FALSE) }, > { "dyn_update", default_boolean(ISC_FALSE) }, > + { "serial_autoincrement", default_boolean(ISC_FALSE) }, > end_of_settings > }; > > @@ -401,6 +404,7 @@ new_ldap_instance(isc_mem_t *mctx, const char *db_name, > ldap_settings[i++].target = ldap_inst->ldap_hostname; > ldap_settings[i++].target = &ldap_inst->sync_ptr; > ldap_settings[i++].target = &ldap_inst->dyn_update; > + ldap_settings[i++].target = &ldap_inst->soa_autoincrement; > CHECK(set_settings(ldap_settings, argv)); > > /* Set timer for deadlock detection inside semaphore_wait_timed . */ > @@ -463,6 +467,13 @@ new_ldap_instance(isc_mem_t *mctx, const char *db_name, > "increasing limit"); > ldap_inst->connections = 3; > } > + if (ldap_inst->soa_autoincrement == ISC_TRUE > + && ldap_inst->psearch != ISC_TRUE) { > + log_error("SOA serial number auto-increment feature requires " > + "persistent search"); > + result = ISC_R_FAILURE; > + goto cleanup; > + } > > CHECK(new_ldap_cache(mctx, argv, &ldap_inst->cache, ldap_inst->psearch)); > CHECK(ldap_pool_create(mctx, ldap_inst->connections, &ldap_inst->pool)); 
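Review bot: The new option is registered as `serial_autoincrement` in the settings table but stored in `soa_autoincrement` and reported as 'SOA serial number auto-increment feature' in the error text; pick one name so the config key, the struct field and the log message match, and document the setting, including its dependency on persistent search that new_ldap_instance now enforces with ISC_R_FAILURE, alongside sync_ptr and dyn_update.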
> @@ -2741,6 +2752,60 @@ ldap_pscontrol_destroy(isc_mem_t *mctx, LDAPControl **ctrlp) > *ctrlp = NULL; > } > > +isc_result_t > +increment_soa_serial(isc_mem_t *mctx, ldap_instance_t *inst, dns_name_t *zone_name) { > + isc_result_t result = ISC_R_FAILURE; > + ldap_connection_t * conn = NULL; > + ld_string_t *zone_dn = NULL; > + ldapdb_rdatalist_t rdatalist; > + dns_rdatalist_t *rdlist = NULL; > + dns_rdata_t *soa_rdata = NULL; > + isc_uint32_t old_serial; > + isc_uint32_t new_serial; > + isc_time_t curr_time; > + > + REQUIRE(inst != NULL); > + REQUIRE(zone_name != NULL); > + > + CHECK(str_new(mctx, &zone_dn)); > + CHECK(dnsname_to_dn(inst->zone_register, zone_name, zone_dn)); > + log_debug(5, "incrementing SOA serial number in zone '%s'", > + str_buf(zone_dn)); > + > + /* get actual SOA serial value */ > + INIT_LIST(rdatalist); > + CHECK(ldapdb_rdatalist_get(mctx, inst, zone_name, zone_name, &rdatalist)); > + CHECK(ldapdb_rdatalist_findrdatatype(&rdatalist, dns_rdatatype_soa, &rdlist)); > + soa_rdata = ISC_LIST_HEAD(rdlist->rdata); > + old_serial = dns_soa_getserial(soa_rdata); > + > + /* Compute the new SOA serial - use actual timestamp. > + * If timestamp < oldSOAserial then increment old serial by one. 
*/ > + isc_time_now(&curr_time); > + new_serial = isc_time_seconds(&curr_time); > + if (new_serial <= old_serial) { > + /* RFC1982, from bind-9.8.2/bin/named/update.c */ > + new_serial = (old_serial + 1) & 0xFFFFFFFF; > + if (new_serial == 0) > + new_serial = 1; > + } > + dns_soa_setserial(new_serial, soa_rdata); > + > + /* write the new serial back to DB */ > + CHECK(ldap_pool_getconnection(inst->pool, &conn)); > + CHECK(modify_soa_record(conn, str_buf(zone_dn), soa_rdata)); > + > +cleanup: > + if (result != ISC_R_SUCCESS) > + log_error("SOA serial number incrementation failed in zone '%s'", > + str_buf(zone_dn)); > + > + str_destroy(&zone_dn); > + ldap_pool_putconnection(inst->pool, &conn); > + ldapdb_rdatalist_destroy(mctx, &rdatalist); > + return result; > +} > + > /* > * update_action routine is processed asynchronously so it cannot assume > * anything about state of ldap_inst from where it was sent. The ldap_inst > @@ -2892,7 +2957,7 @@ update_record(isc_task_t *task, isc_event_t *event) > if (PSEARCH_DEL(pevent->chgtype)) { > log_debug(5, "psearch_update: Removing item from cache (%s)", > pevent->dn); > - } > + } > > /* Get cache instance & clean old record */ > cache = ldap_instance_getcache(inst); > @@ -2916,6 +2981,11 @@ update_record(isc_task_t *task, isc_event_t *event) > /* Destroy rdatalist, it is now in the cache. */ > ldapdb_rdatalist_destroy(mctx, &rdatalist); > } > + > + // !!!!!!!!!!!!!!! Don't forget to ZONE + RECORD in single object > + if (inst->soa_autoincrement) { > + CHECK(increment_soa_serial(mctx, inst, &origin)); > + } > cleanup: > if (result != ISC_R_SUCCESS) > log_error("update_record (psearch) failed for %s. " > -- > 1.7.7.6 > -- Adam Tkac, Red Hat, Inc. From sbose at redhat.com Wed Jun 27 15:59:06 2012 
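Review bot: In increment_soa_serial the cleanup label runs for every CHECK failure, but `INIT_LIST(rdatalist)` only happens after str_new and dnsname_to_dn succeed, so a failure in either reaches `ldapdb_rdatalist_destroy(mctx, &rdatalist)` with an uninitialised list, and a failure in str_new reaches `log_error(..., str_buf(zone_dn))` with zone_dn == NULL; move INIT_LIST above the first CHECK and guard the log message on `zone_dn != NULL`. Also confirm that `ldap_pool_putconnection(inst->pool, &conn)` tolerates conn == NULL, which is its state on every failure before ldap_pool_getconnection. In the update_record hunk, the `// !!!!!!!!!!!!!!! Don't forget to ZONE + RECORD in single object` line is a leftover note in C++ comment style in a file that otherwise uses /* */; turn it into a proper TODO or remove it. Since modify_soa_record writes the SOA back through LDAP, the persistent search will deliver that modification to update_record too, and with soa_autoincrement set that path calls increment_soa_serial again for the zone's own SOA change; a guard that recognises the module's own SOA write (or skips SOA-only changes) looks necessary before this goes beyond proof of concept.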
From: sbose at redhat.com (Sumit Bose) Date: Wed, 27 Jun 2012 17:59:06 +0200 Subject: [Freeipa-devel] [PATCH] 0055 Add error condition handling to SASL bind callback in ipasam module In-Reply-To: <20120627142907.GD16889@redhat.com> References: <20120627142907.GD16889@redhat.com> Message-ID: <20120627155906.GH29454@localhost.localdomain> On Wed, Jun 27, 2012 at 05:29:07PM +0300, Alexander Bokovoy wrote: > Hi, > > attached patch adds comprehensive error condition handling to SASL bind > callback in ipasam module. The callback is doing keytab-based auth > against FreeIPA LDAP server and original version lacked error checks on > purpose. The patch is working fine, but I would like to ask you to consider the following two changes: diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c index e41cb96..5e9f63d 100644 --- a/daemons/ipa-sam/ipa_sam.c +++ b/daemons/ipa-sam/ipa_sam.c @@ -3166,6 +3166,8 @@ static int bind_callback(LDAP *ldap_struct, struct smbldap_state *ldap_state, vo struct ipasam_sasl_interact_priv data; int ret; + memset(&data, 0, sizeof(struct ipasam_sasl_interact_priv)); + data.name = (const char*)ipasam_principal; if (data.name == NULL) { DEBUG(0, ("bind_callback: ipasam:principal is not set, cannot use GSSAPI bind\n")); @@ -3309,8 +3311,7 @@ static NTSTATUS pdb_init_ipasam(struct pdb_methods **pdb_method, &ldap_state->smbldap_state); if (NT_STATUS_IS_OK(status)) { ldap_state->smbldap_state->bind_callback = bind_callback; - ldap_state->smbldap_state->bind_callback_data = - (void*)lp_parm_const_string(-1, "ipasam", "principal", NULL); + ldap_state->smbldap_state->bind_callback_data = service_principal; } bye, Sumit > > Now it is time to fix the purpose. :) > > -- > / Alexander Bokovoy From sbose at redhat.com Wed Jun 27 15:59:51 2012 
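Review bot: the memset in the first hunk is what makes the new cleanup helper in patch 0055 safe, since bind_callback_cleanup tests data->options, data->keytab, data->ccache and data->principal for NULL and calls krb5_free_cred_contents unconditionally; without the zeroing, an early failure would hand uninitialised pointers to the krb5 free functions. Keep the memset and the helper in the same commit, and add a one-line comment above the memset saying that bind_callback_cleanup relies on the zeroed state, so the two do not drift apart later.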
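Review bot: in the second hunk, replacing the lp_parm_const_string(-1, "ipasam", "principal", NULL) lookup with service_principal means the callback now dereferences a pointer that pdb_init_ipasam computed, on every (re)bind smbldap performs; the hunk does not show where service_principal is allocated, so please make sure it lives on a talloc context that outlives ldap_state->smbldap_state, not on a temporary one freed at the end of pdb_init_ipasam.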
From: sbose at redhat.com (Sumit Bose) Date: Wed, 27 Jun 2012 17:59:51 +0200 Subject: [Freeipa-devel] [PATCH] 0056 Support requests for DOMAIN$ account for trusted domain in ipasam module In-Reply-To: <20120627143651.GE16889@redhat.com> References: <20120627143651.GE16889@redhat.com> Message-ID: <20120627155951.GI29454@localhost.localdomain> On Wed, Jun 27, 2012 at 05:36:51PM +0300, Alexander Bokovoy wrote: > Hi, > > Windows 2008R2 attempts to authenticate as DOMAIN$ with trust password > when trust is established. Change ipasam module to consider DOMAIN$ when > checking for trusted domain accounts as current code only checks for > DOMAIN. (ending with dot). ACK bye, Sumit > > https://fedorahosted.org/freeipa/ticket/2870 > -- > / Alexander Bokovoy From jcholast at redhat.com Wed Jun 27 16:01:53 2012 
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 27 Jun 2012 18:01:53 +0200 Subject: [Freeipa-devel] [PATCH][WIP] LDAP encoding redone Message-ID: <4FEB2E71.6040105@redhat.com> Hi, this is the next patch in the input validation & handling series . It changes the way entries are encoded and decoded in the LDAP backend. The patch consists of several changes: * Refactored the Encoder class to be more universally usable. It uses a polymorphic interface, which hopefully makes the encoding code more readable. * Attribute values now use Python data types matching the syntax of the attribute. This removes the need to decode/encode the values from/to raw LDAP values in the CallbackInterface callbacks as well as other parts of IPA. * On command output, attribute values are converted to strings so that the resulting entry is the same as it is without the patch. I don't like this code and I'd like to get rid of at least some parts of it, but I'm not sure how that would affect API compatibility. Removing the special case for boolean values would fix . * Entries are more strictly checked when they are encoded and decoded. Values of multi-value attributes must be lists (not tuples!) of objects of the appropriate python type, values of single-value attributes must be objects of the appropriate python type. This helps detect data type errors that would previously go unnoticed. * Some parameters use a data type that doesn't match the syntax of the according attribute, or are single-value even when the according attribute is multi-value. Values of such parameters wouldn't pass the new strict checking if they were used in attributes without modifications. To remedy this, added a new parameter option attr_convertor, which allows specifying a custom function for converting parameter values to attribute values. Note that this is work in progress: some things may be (and certainly are) broken, there is some low-quality code, and docstrings, comments and tests are TBD. 
Suggestions and comments are welcome. Honza -- Jan Cholasta -------------- next part -------------- A non-text attachment was scrubbed... Name: jcholast-wip80-ldap-encoding.patch Type: text/x-patch Size: 116148 bytes Desc: not available URL: From pviktori at redhat.com Wed Jun 27 16:01:33 2012 
From: pviktori at redhat.com (Petr Viktorin) Date: Wed, 27 Jun 2012 18:01:33 +0200 Subject: [Freeipa-devel] [DRAFT2] Per-domain DNS update permissions In-Reply-To: <4FEB019A.5040603@redhat.com> References: <1339766543.12383.48.camel@priserak> <1339769714.32038.0.camel@willson.li.ssimo.org> <1340000969.7024.2.camel@balmora.brq.redhat.com> <4FDF4B2F.8020401@redhat.com> <4FE446D1.1040101@redhat.com> <1340367792.32038.400.camel@willson.li.ssimo.org> <4FE46451.2010509@redhat.com> <1340369998.32038.404.camel@willson.li.ssimo.org> <4FE8B30B.4050005@redhat.com> <4FEB019A.5040603@redhat.com> Message-ID: <4FEB2E5D.8060003@redhat.com> On 06/27/2012 02:50 PM, Martin Kosek wrote: > On 06/25/2012 08:50 PM, Rob Crittenden wrote: >> Simo Sorce wrote: >>> On Fri, 2012-06-22 at 14:25 +0200, Martin Kosek wrote: >>>> On 06/22/2012 02:23 PM, Simo Sorce wrote: >>>>> On Fri, 2012-06-22 at 12:20 +0200, Martin Kosek wrote: >>>>>> On 06/18/2012 05:37 PM, Rob Crittenden wrote: >>>>>>> Martin Kosek wrote: >>>>>>>> On Fri, 2012-06-15 at 10:15 -0400, Simo Sorce wrote: >>>>>>>>> On Fri, 2012-06-15 at 15:22 +0200, Martin Kosek wrote: >>>>>>>>>> Hello all, >>>>>>>>>> >>>>>>>>>> In a scope of ticket 2511 I would like to implement an ability to >>>>>>>>>> delegate a DNS update permissions to chosen user (or host) without >>>>>>>>>> having to give the user full "Update DNS Entries" privileges, i.e. >>>>>>>>>> allow >>>>>>>>>> him to modify any DNS zone or record. 
>>>>>>>>>> >>>>>>>>>> So far, this is what I would like to do (comments welcome): >>>>>>>>>> >>>>>>>>>> 1) Create new objectclass "idnsManagedZone" with "managedBy" attribute >>>>>>>>>> in MAY list >>>>>>>>>> 2) Create new DNS commands: >>>>>>>>>> a] dnszone-add-managedby [--users=USERS] [--hosts=HOSTS] >>>>>>>>>> b] dnszone-remove-managedby [--users=USERS] [--hosts=HOSTS] >>>>>>>>>> - these commands would add/remove chosen user/host DN to managedBy >>>>>>>>>> attribute in chosen DNS zone >>>>>>>>>> 3) Add new generic ACIs to cn=dns,$SUFFIX: >>>>>>>>>> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl >>>>>>>>>> "Users and hosts can add DNS entries";allow (add) userattr = >>>>>>>>>> "parent[1].managedby#USERDN";) >>>>>>>>>> ... add similar ACIs for UPDATE, REMOVE access >>>>>>>>>> >>>>>>>>>> With these steps done, all that an administrator would need to do to >>>>>>>>>> delegate a management of a DNS zone "example.com" is to run this >>>>>>>>>> command: >>>>>>>>>> $ ipa dnszone-add-managedby example.com --users=fbar >>>>>>>>>> >>>>>>>>>> The only downside I found so far is that the user would already need to >>>>>>>>>> have "Read DNS Entries" permission assigned, otherwise he would not be >>>>>>>>>> able to actually read DNS entries (allow rules can't take precedence >>>>>>>>>> over deny rule we implemented to deny public access to DNS tree). >>>>>>>>>> >>>>>>>>>> An admin could of course create a special privilege and role with just >>>>>>>>>> "Read DNS Entries" permission and then assign it to relevant >>>>>>>>>> users/groups, but this looks awkward. Any idea to make this simpler? >>>>>>>>>> Maybe creating a group "dns readers" by default which would allow such >>>>>>>>>> access? >>>>>>>>> >>>>>>>>> Change the deny rule to deny to everyone except the user in >>>>>>>>> "parent[1].managedby#USERDN" ? >>>>>>>>> >>>>>>>>> Simo. >>>>>>>>> >>>>>>>> >>>>>>>> Good idea, I will do that. 
I will just use >>>>>>>> "parent[0,1].managedby#USERDN" so that user can also read the zone >>>>>>>> record. This way, a selected user will have read/write access to the >>>>>>>> chosen zone only, which is exactly what we want to achieve. >>>>>>> >>>>>>> Yes, this sounds workable to me too. >>>>>>> >>>>>>> rob >>>>>>> >>>>>> >>>>>> There were some second thoughts about the proposed design, which I would >>>>>> like to discuss so that we can eventually accept another (better) >>>>>> solution for this feature. >>>>>> >>>>>> The main concern here was that proposed solution (based on user list in >>>>>> managedBy attribute in DNS zone) is not in line with the rest of >>>>>> permission&privilege architecture in IPA. >>>>>> >>>>>> Here is another idea how to address the feature (I tested it and it >>>>>> would work): >>>>>> 1) Get rid of the deny rule on cn=dns,$SUFFIX by modifying global access >>>>>> rule (a working patch attached) to avoid current and future issues with >>>>>> extending ACIs (deny rules are evil). >>>>>> >>>>>> 2) Add new Managed Entry Definition and Template to automatically add >>>>>> "Manage DNS zone $idsname" permission. These could be used with standard >>>>>> IPA privileges, roles and thus could be assigned to users, groups, >>>>>> hosts, hostgroups... 
>>>>>> >>>>>> 3) New DNS zone managedBy attribute won't be manageable by user, but it >>>>>> will hold a DN of the managed Permission entry >>>>>> >>>>>> 4) Add the following ACIs to cn=dns,$SUFFIX: >>>>>> aci: (targetattr = "*") >>>>>> (version 3.0; acl "Read DNS entries"; allow (read,search,compare) >>>>>> userattr = "parent[0,1].managedby#GROUPDN";) >>>>>> >>>>>> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX") >>>>>> (version 3.0;acl "Add dns entries";allow (add) >>>>>> userattr = "parent[1].managedby#GROUPDN";) >>>>>> >>>>>> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX") >>>>>> (version 3.0;acl "Remove DNS entries";allow (delete) >>>>>> userattr = "parent[1].managedby#GROUPDN";) >>>>>> >>>>>> aci: (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || >>>>>> dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord >>>>>> || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || >>>>>> hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || >>>>>> locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || >>>>>> dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || >>>>>> idnsname || idnszoneactive || idnssoamname || idnssoarname || >>>>>> idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || >>>>>> idnssoaminimum || idnsupdatepolicy || idnsallowquery || >>>>>> idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || >>>>>> idnsforwarders") >>>>>> (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update >>>>>> DNS Entries";allow (write) userattr = "parent[0,1].managedby#GROUPDN";) >>>>>> >>>>>> I needed to add permission DN to the managedBy attribute so that I could >>>>>> create just one set of generic ACIs without having to create a set of >>>>>> ACIs for every new zone and thus let users with "Update DNS entries" >>>>>> permission have a write access to the "aci" attribute. >>>>>> >>>>>> Would this design be better than the previous one? 
Comments welcome. >>>>> >>>>> Removing Deny ACIs would be great. >>>>> But don't we need a second set of ACIs to allow uber admins to still >>>>> control all zones ? or is that part of current ACIs not going to >>>>> change ? >>>>> >>>>> Simo. >>>>> >>>> >>>> Thanks to the removal of the deny rule, this would be already allowed by >>>> this existing ACI: >>>> >>>> aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword >>>> || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || >>>> krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || >>>> krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference >>>> || krbPrincipalType || krbPwdHistory || krbLastPwdChange || >>>> krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || >>>> krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || >>>> ipaUniqueId || memberOf || serverHostName || enrolledBy")(version 3.0; >>>> acl "Admin can manage any entry"; allow (all) groupdn = >>>> "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) >>> >>> Oh right! >>> I like it even more then :-) >>> >>> Simo. >>> >> >> Yes, this looks like it will work and eliminating a deny rule is a definite plus. >> >> rob > > I have finished a patch based on the second design. IMO it is indeed better - > no deny ACI for DNS and just a standard permission for per-zone access delegation. > > There is just one difference from the proposed design draft: per-zone > permissions are not created automatically by Managed Entry plugin, but rather > manually and only for DNS zones where per-zone access is needed. There is a new > command for that - dnszone-add-permission. > > This will leave permission tree cleaner + we won't have to deal with all > Managed Entry plugin machinery. > > More details can be found in a commit message. > > Martin > In permission_add_noaci.get_options, it would be better to filter out the `permission.aci_attributes`. 
If you only allow ('all', 'raw', 'permissiontype'), the list will have to be updated whenever a new global option is added. (This would happen for ticket #2732; I'll want to make the 'version' argument explicit for all commands.) Unprivileged users can find out if a zone is defined by trying to delete it. Is this expected behavior? $ ipa dnszone-del idm.lab.bos.redhat.com ipa: ERROR: Insufficient access: Insufficient 'delete' privilege to delete the entry 'idnsname=idm.lab.bos.redhat.com,cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com'. $ ipa dnszone-del does.not.exist ipa: ERROR: does.not.exist: DNS zone not found The patch works well on upgrade. Tomorrow I'll test a fresh install. -- Petr³ From abokovoy at redhat.com Wed Jun 27 16:09:03 2012 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Wed, 27 Jun 2012 19:09:03 +0300 Subject: [Freeipa-devel] [PATCH] 0055 Add error condition handling to SASL bind callback in ipasam module In-Reply-To: <20120627155906.GH29454@localhost.localdomain> References: <20120627142907.GD16889@redhat.com> <20120627155906.GH29454@localhost.localdomain> Message-ID: <20120627160903.GG16889@redhat.com> On Wed, 27 Jun 2012, Sumit Bose wrote: >On Wed, Jun 27, 2012 at 05:29:07PM +0300, Alexander Bokovoy wrote: >> Hi, >> >> attached patch adds comprehensive error condition handling to SASL bind >> callback in ipasam module. The callback is doing keytab-based auth >> against FreeIPA LDAP server and original version lacked error checks on >> purpose. > >The patch is working fine, but I would like to ask you to consider the >following two changes: Yep. Completely overlooked that I've already got the service principal. Thanks! Updated patch attached. Please note that patches 0055 and 0056 should be applied in the reverse order. Sorry for confusion. -- / Alexander Bokovoy -------------- next part -------------- >From 0c8db67c695ef859dcc6da0554ef8babc5a8a165 Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy Date: Wed, 27 Jun 2012 17:11:33 +0300 Subject: [PATCH 13/13] Add error condition handling to the SASL bind callback in ipasam https://fedorahosted.org/freeipa/ticket/2877 --- daemons/ipa-sam/ipa_sam.c | 92 +++++++++++++++++++++++++++++++++++++++------ 1 file changed, 80 insertions(+), 12 deletions(-) diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c index f63ea1899e6eb994c1ef03487e0477dac6c7e504..a4f01ddc2eef22407597e69dab805e0fd19e536f 100644 --- a/daemons/ipa-sam/ipa_sam.c +++ b/daemons/ipa-sam/ipa_sam.c @@ -1453,7 +1453,6 @@ static bool set_krb_princ(struct ldapsam_privates *ldap_state, int ret; uint32_t has_objectclass = 0; NTSTATUS status; - char *inp; if (!search_krb_princ(ldap_state, mem_ctx, princ, base_dn, &entry)) { return false; @@ -3102,9 +3101,6 @@ static int ldap_sasl_interact(LDAP *ld, unsigned flags, void *priv_data, void *s sasl_interact_t *in = NULL; int ret = LDAP_OTHER; struct ipasam_sasl_interact_priv *data = (struct ipasam_sasl_interact_priv*) priv_data; - krb5_context krbctx; - char *outname = NULL; - krb5_error_code krberr; if (!ld) return LDAP_PARAM_ERROR; 
@@ -3129,10 +3125,40 @@ static int ldap_sasl_interact(LDAP *ld, unsigned flags, void *priv_data, void *s return ret; } +static void bind_callback_cleanup(struct ipasam_sasl_interact_priv *data) +{ + if (!data->context) { + return; + } + + krb5_free_cred_contents(data->context, &data->creds); + + if (data->options) { + krb5_get_init_creds_opt_free(data->context, data->options); + data->options = NULL; + } + + if (data->keytab) { + krb5_kt_close(data->context, data->keytab); + data->keytab = NULL; + } + + if (data->ccache) { + krb5_cc_close(data->context, data->ccache); + data->ccache = NULL; + } + + if (data->principal) { + krb5_free_principal(data->context, data->principal); + data->principal = NULL; + } + + krb5_free_context(data->context); + data->context = NULL; +} + extern const char *lp_parm_const_string(int snum, const char *type, const char *option, const char *def); -extern void become_root(); -extern void unbecome_root(); -static int bind_callback(LDAP *ldap_struct, struct smbldap_state *ldap_state) +static int bind_callback(LDAP *ldap_struct, struct smbldap_state *ldap_state, void* ipasam_principal) { char *ccache_name = NULL; krb5_error_code rc; @@ -3140,7 +3166,8 @@ static int bind_callback(LDAP *ldap_struct, struct smbldap_state *ldap_state) struct ipasam_sasl_interact_priv data; int ret; - data.name = lp_parm_const_string(-1, "ipasam", "principal", NULL); + memset(&data, 0, sizeof(struct ipasam_sasl_interact_priv)); + data.name = (const char*)ipasam_principal; if (data.name == NULL) { DEBUG(0, ("bind_callback: ipasam:principal is not set, cannot use GSSAPI bind\n")); return LDAP_LOCAL_ERROR; 
@@ -3149,24 +3176,67 @@ static int bind_callback(LDAP *ldap_struct, struct smbldap_state *ldap_state) data.name_len = strlen(data.name); rc = krb5_init_context(&data.context); + if (rc) { + return LDAP_LOCAL_ERROR; + } rc = krb5_parse_name(data.context, data.name, &data.principal); + if (rc) { + bind_callback_cleanup(&data); + return LDAP_LOCAL_ERROR; + } rc = krb5_cc_default(data.context, &data.ccache); + if (rc) { + bind_callback_cleanup(&data); + return LDAP_LOCAL_ERROR; + } rc = krb5_cc_initialize(data.context, data.ccache, data.principal); + if (rc) { + bind_callback_cleanup(&data); + return LDAP_LOCAL_ERROR; + } rc = krb5_cc_get_full_name(data.context, data.ccache, &ccache_name); + if (rc) { + if (ccache_name) { + krb5_free_string(data.context, ccache_name); + } + bind_callback_cleanup(&data); + return LDAP_LOCAL_ERROR; + } + rc = krb5_cc_set_default_name(data.context, ccache_name); + if (rc) { + bind_callback_cleanup(&data); + return LDAP_LOCAL_ERROR; + } rc = krb5_kt_resolve(data.context, "FILE:/etc/samba/samba.keytab", &data.keytab); + if (rc) { + bind_callback_cleanup(&data); + return LDAP_LOCAL_ERROR; + } rc = krb5_get_init_creds_opt_alloc(data.context, &data.options); + if (rc) { + bind_callback_cleanup(&data); + return LDAP_LOCAL_ERROR; + } rc = krb5_get_init_creds_opt_set_out_ccache(data.context, data.options, data.ccache); + if (rc) { + bind_callback_cleanup(&data); + return LDAP_LOCAL_ERROR; + } rc = krb5_get_init_creds_keytab(data.context, &data.creds, data.principal, data.keytab, 0, NULL, data.options); + if (rc) { + bind_callback_cleanup(&data); + return LDAP_LOCAL_ERROR; + } ret = ldap_sasl_interactive_bind_s(ldap_struct, NULL, "GSSAPI", 
@@ -3177,10 +3247,7 @@ static int bind_callback(LDAP *ldap_struct, struct smbldap_state *ldap_state) DEBUG(0, ("bind_callback: cannot perform interactive SASL bind with GSSAPI\n")); } - krb5_get_init_creds_opt_free(data.context, data.options); - krb5_kt_close(data.context, data.keytab); - krb5_cc_close(data.context, data.ccache); - krb5_free_context(data.context); + bind_callback_cleanup(&data); return ret; } @@ -3243,6 +3310,7 @@ static NTSTATUS pdb_init_ipasam(struct pdb_methods **pdb_method, &ldap_state->smbldap_state); if (NT_STATUS_IS_OK(status)) { ldap_state->smbldap_state->bind_callback = bind_callback; + ldap_state->smbldap_state->bind_callback_data = service_principal; } } -- 1.7.10.4 From sbose at redhat.com Wed Jun 27 16:12:05 2012 
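Review bot: in the `@@ -3129,10 +3125,40 @@` hunk, bind_callback_cleanup calls krb5_free_cred_contents(data->context, &data->creds) unconditionally, which is only safe because bind_callback now memsets `data` to zero before the first krb5 call; state that precondition in a comment on the helper so a future caller cannot pass a partially initialised struct. The same hunk drops the `extern void become_root(); extern void unbecome_root();` declarations; the hunks shown do not tell whether anything else in ipa_sam.c still references them, so please confirm the file builds without implicit-declaration warnings.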
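Review bot: in the `@@ -3149,24 +3176,67 @@` hunk, ccache_name is freed only on the krb5_cc_get_full_name failure path; if krb5_cc_set_default_name fails the new branch calls bind_callback_cleanup and returns without freeing it, and in the lines visible here the success path never frees it either. Call krb5_free_string(data.context, ccache_name) right after krb5_cc_set_default_name, before testing rc, since the name is not needed past that point. Separately, all ten new error branches return LDAP_LOCAL_ERROR silently, so a failure in any krb5 step now returns before ldap_sasl_interactive_bind_s without logging anything and the only remaining diagnostic is the generic "cannot perform interactive SASL bind with GSSAPI" message for the bind itself; a DEBUG() line per branch naming the step and quoting krb5_get_error_message(data.context, rc) would make a broken keytab or ccache diagnosable from the Samba log.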
From: sbose at redhat.com (Sumit Bose) Date: Wed, 27 Jun 2012 18:12:05 +0200 Subject: [Freeipa-devel] [PATCH] 0055 Add error condition handling to SASL bind callback in ipasam module In-Reply-To: <20120627160903.GG16889@redhat.com> References: <20120627142907.GD16889@redhat.com> <20120627155906.GH29454@localhost.localdomain> <20120627160903.GG16889@redhat.com> Message-ID: <20120627161205.GJ29454@localhost.localdomain> On Wed, Jun 27, 2012 at 07:09:03PM +0300, Alexander Bokovoy wrote: > On Wed, 27 Jun 2012, Sumit Bose wrote: > >On Wed, Jun 27, 2012 at 05:29:07PM +0300, Alexander Bokovoy wrote: > >>Hi, > >> > >>attached patch adds comprehensive error condition handling to SASL bind > >>callback in ipasam module. The callback is doing keytab-based auth > >>against FreeIPA LDAP server and original version lacked error checks on > >>purpose. > > > >The patch is working fine, but I would like to ask you to consider the > >following two changes: > Yep. Completely overlooked that I've already got the service principal. > Thanks! > > Updated patch attached. > > Please note that patches 0055 and 0056 should be applied in the reverse > order. Sorry for confusion. ACK bye, Sumit > > > -- > / Alexander Bokovoy From sbose at redhat.com Wed Jun 27 16:14:29 2012 
From: sbose at redhat.com (Sumit Bose) Date: Wed, 27 Jun 2012 18:14:29 +0200 Subject: [Freeipa-devel] [PATCH] 18 Add external domain extop DS plugin In-Reply-To: <20120613103749.GH20850@localhost.localdomain> References: <20120323125234.GU2301@localhost.localdomain> <20120607092729.GM8124@localhost.localdomain> <20120611144617.GR25726@redhat.com> <20120613102642.GG20850@localhost.localdomain> <20120613103749.GH20850@localhost.localdomain> Message-ID: <20120627161429.GK29454@localhost.localdomain> On Wed, Jun 13, 2012 at 12:37:49PM +0200, Sumit Bose wrote: > On Wed, Jun 13, 2012 at 12:26:43PM +0200, Sumit Bose wrote: > > On Mon, Jun 11, 2012 at 05:46:17PM +0300, Alexander Bokovoy wrote: > > > On Thu, 07 Jun 2012, Sumit Bose wrote: > > > >On Fri, Mar 23, 2012 at 01:52:34PM +0100, Sumit Bose wrote: > > > >>Hi, > > > >> > > > >>these two patches introduce a new extended operation to the IPA server > > > >>which can be used by clients in the IPA domain to obtain information > > > >>about users and groups from trusted domains. Currently this exop is used > > > >>by the sssd sub-domain patch to map user names from a trusted AD domain > > > >>to a SID and back. There is also some code for other kinds of requests > > > >>which might become useful in future, e.g. with trusted IPA domain. > > > >> > > > >>I added some unit tests and added a check for the check unit test framework > > > >>for C (http://check.sourceforge.net/) which is used by sssd as well. I > > > >>modified the spec file so that the test is run during the build of the > > > >>packages. I hope this is ok. > > > >> > > > >>The patches depend on the idmap library patch which was ACKed recently > > > >>on sssd-devel and as mentioned before the sub-domain patches on > > > >>sssd-devel can only be fully tested with an IPA server which has these > > > >>patches applied. 
> > > >> > > > >>Since Alexander is currently rewriting parts of the ipa-adtrust-install > > > >>utility I stand back from adding activation code for the exop to > > > >>ipa-adtrust-install and will send a patch when Alexander's changes are > > > >>available. So currently extdom-extop-conf.ldif has to be loaded manually > > > >>after replacing $SUFFIX to activate the new exop. > > > >> > > > >>bye, > > > >>Sumit > > > > > > > >Please find a rebased version of the patches which work on top of > > > >Alexander's latest series of patches. The patches now also contain the > > > >loading of extdom-extop-conf.ldif and the activation of winbind. > > > Thanks for the rebase. > > > > > > Few comments. > > > > > > 1. The extdom plugin should support IDMAP_BOTH. We do provide user private > > > groups so in our case it should be viewed as preferred output. Thus you > > > would need to add a new response type to cover this case. > > Currently the plugin only uses winbind to map SIDs to names and back and > > in the returned user data the user private groups are already respected > > by setting the GID to the UID. On the client side sssd handles the > > trusted domains as mpg (magic private group) domains. > > > > > > > > 2. I have tried to look at the plugin description from the point of view of > > > a system administrator and I failed to understand what it does: > > > >+#define IPA_EXTDOM_PLUGIN_NAME "ipa-extdom-extop" > > > >+#define IPA_EXTDOM_FEATURE_DESC "IPA EXTDOM ID mapper" > > > >+#define IPA_EXTDOM_PLUGIN_DESC "IPA EXTDOM ID mapper Extended Operation plugin" > > > > > > In the ipa-extdom-extop-conf.ldif you have the following description: > > > >+nsslapd-plugindescription: Support resolving IDs in trusted domains to names and back > > > Probably it is better to reuse the same description in IPA_EXTDOM_PLUGIN_DESC? > > > > > > This is a minor point but EXTDOM itself is vague. 
Maybe we should be more clear > > > and call it 'IPA trusted domain ID mapper' as it really limits itself to > > > only trusted domains? We don't dispatch a winbind request if the domain is > > > not found in our list of trusted domains. > > > > I have updated the descriptions. I prefer the EXTDOM prefix because > > there might be future use cases where we might want to get some data > > from other domains without trust. But I'm happy to change it if you like > > a different prefix better. > > > > > > > > 3. Could you please define the oid in ipa_extdom.h so that it could be > > > useful for client code as well? > > > >+#define EXOP_EXTDOM_OID "2.16.840.1.113730.3.8.10.4" > > > > done > > > > New version attached. > > ah. sorry, forgot to squash in some changes. > > Additionally I moved the binary to the freeipa-server-trust-ad package > to avoid additional dependencies in the freeipa-server package. > > bye, > Sumit > > > > > > > > > 4. Do we have the 'check' tool in RHEL6? > > > > yes, current version is check-0.9.8-1.1.el6 > > > > Thank you for the review. > > > > bye, > > Sumit > > > -- > > > / Alexander Bokovoy rebased version with some changes by Alexander attached. bye, Sumit -------------- next part -------------- From 9417ce2513f8013310e4c7361a60660d8ec27dec Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Mon, 12 Dec 2011 11:32:06 +0100 Subject: [PATCH] Add configure check for C Unit-Test framework check The framework can be found at http://check.sourceforge.net. --- daemons/configure.ac | 10 ++++++++++ 1 Datei geändert, 10 Zeilen hinzugefügt(+) diff --git a/daemons/configure.ac b/daemons/configure.ac index deaa47358445fa552f5a9b53c9b65a9550b71d9e..547c907f3c6327507e7b01f7642c7db4a7409391 100644 --- a/daemons/configure.ac +++ b/daemons/configure.ac 
@@ -240,6 +240,16 @@ PKG_CHECK_MODULES([SAMBAUTIL], [samba-util]) SAMBA40EXTRA_LIBPATH="-L`$PKG_CONFIG --variable=libdir samba-util`/samba" AC_SUBST(SAMBA40EXTRA_LIBPATH) +dnl --------------------------------------------------------------------------- +dnl - Check for check unit test framework http://check.sourceforge.net/ +dnl --------------------------------------------------------------------------- +PKG_CHECK_MODULES([CHECK], [check >= 0.9.5], [have_check=1], [have_check=]) +if test x$have_check = x; then + AC_MSG_WARN([Without the 'CHECK' library, you will be unable to run all tests in the 'make check' suite]) +else + AC_CHECK_HEADERS([check.h],,AC_MSG_ERROR([Could not find CHECK headers])) +fi +AM_CONDITIONAL([HAVE_CHECK], [test x$have_check != x]) dnl --------------------------------------------------------------------------- dnl - Set the data install directory since we don't use pkgdatadir -- 1.7.10.2 -------------- next part -------------- From ece83809598c67bc01c41349ecc043f6502d579c Mon Sep 17 00:00:00 2001 
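Review bot: AC_CHECK_HEADERS([check.h], ...) runs with the default CPPFLAGS, while the include path pkg-config reported lives in $CHECK_CFLAGS, which this hunk never adds; on a host where check is installed outside the default include path, PKG_CHECK_MODULES([CHECK], ...) succeeds and the header test then fails with "Could not find CHECK headers". Either save CPPFLAGS, append $CHECK_CFLAGS around the header test and restore it afterwards, or drop the header test and trust pkg-config. The severity is also inconsistent: a missing library is only an AC_MSG_WARN, but a missing header is a hard AC_MSG_ERROR, even though the tests are optional (HAVE_CHECK is an AM_CONDITIONAL); the header failure should likewise just clear have_check.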
From: Sumit Bose Date: Wed, 30 Nov 2011 13:29:10 +0100 Subject: [PATCH] Add external domain extop DS plugin This extop can be used by clients of the IPA domain, e.g. sssd, to retrieve data from trusted external domains. It can be used e.g. to map Windows SIDs to user or group names and back. --- daemons/configure.ac | 19 +- daemons/ipa-slapi-plugins/Makefile.am | 1 + .../ipa-slapi-plugins/ipa-extdom-extop/Makefile.am | 74 +++ .../ipa-extdom-extop/ipa-extdom-extop-conf.ldif | 16 + .../ipa-extdom-extop/ipa_extdom.h | 154 ++++++ .../ipa-extdom-extop/ipa_extdom_common.c | 498 ++++++++++++++++++++ .../ipa-extdom-extop/ipa_extdom_extop.c | 234 +++++++++ .../ipa-extdom-extop/ipa_extdom_tests.c | 203 ++++++++ freeipa.spec.in | 7 + ipaserver/install/adtrustinstance.py | 23 +- ipaserver/install/service.py | 3 +- 11 Dateien geändert, 1225 Zeilen hinzugefügt(+), 7 Zeilen entfernt(-) create mode 100644 daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am create mode 100644 daemons/ipa-slapi-plugins/ipa-extdom-extop/README create mode 100644 daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa-extdom-extop-conf.ldif create mode 100644 daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h create mode 100644 daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c create mode 100644 daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c create mode 100644 daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_tests.c diff --git a/daemons/configure.ac b/daemons/configure.ac index 547c907f3c6327507e7b01f7642c7db4a7409391..8f026883569700fc0cd1c60b314cc87ccdbc8c57 100644 --- a/daemons/configure.ac +++ b/daemons/configure.ac 
@@ -237,8 +237,19 @@ PKG_CHECK_MODULES([NDRPAC], [ndr_krb5pac]) PKG_CHECK_MODULES([NDRNBT], [ndr_nbt]) PKG_CHECK_MODULES([NDR], [ndr]) PKG_CHECK_MODULES([SAMBAUTIL], [samba-util]) -SAMBA40EXTRA_LIBPATH="-L`$PKG_CONFIG --variable=libdir samba-util`/samba" +SAMBA40EXTRA_LIBPATH="-L`$PKG_CONFIG --variable=libdir samba-util`/samba -Wl,-rpath=`$PKG_CONFIG --variable=libdir samba-util`/samba" AC_SUBST(SAMBA40EXTRA_LIBPATH) +AC_CHECK_HEADERS([samba-4.0/wbclient.h], + , + [AC_MSG_ERROR([samba-4.0/wbclient.h not found])], + [#include + #include ]) +AC_CHECK_LIB([wbclient], + [wbcLookupSid], + [WBCLIENT_LIBS="$SAMBA40EXTRA_LIBPATH -lwbclient"], + [AC_MSG_ERROR([libwbclient does not have wbcLookupSid])], + [$SAMBA40EXTRA_LIBPATH]) +AC_SUBST(WBCLIENT_LIBS) dnl --------------------------------------------------------------------------- dnl - Check for check unit test framework http://check.sourceforge.net/ @@ -251,6 +262,11 @@ else fi AM_CONDITIONAL([HAVE_CHECK], [test x$have_check != x]) +dnl -- dirsrv is needed for the extdom unit tests -- +PKG_CHECK_MODULES([DIRSRV], [dirsrv]) +dnl -- sss_idmap is needed by the extdom exop -- +PKG_CHECK_MODULES([SSSIDMAP], [sss_idmap]) + dnl --------------------------------------------------------------------------- dnl - Set the data install directory since we don't use pkgdatadir dnl --------------------------------------------------------------------------- @@ -320,6 +336,7 @@ AC_CONFIG_FILES([ ipa-slapi-plugins/ipa-enrollment/Makefile ipa-slapi-plugins/ipa-lockout/Makefile ipa-slapi-plugins/ipa-pwd-extop/Makefile + ipa-slapi-plugins/ipa-extdom-extop/Makefile ipa-slapi-plugins/ipa-winsync/Makefile ipa-slapi-plugins/ipa-version/Makefile ipa-slapi-plugins/ipa-uuid/Makefile diff --git a/daemons/ipa-slapi-plugins/Makefile.am b/daemons/ipa-slapi-plugins/Makefile.am index 29b985e69424c9f2ce453ea3607cdb0e936bcce2..01b8bc330bb9525b54ac3e0493e311d2cafb64e7 100644 --- a/daemons/ipa-slapi-plugins/Makefile.am 
+++ b/daemons/ipa-slapi-plugins/Makefile.am @@ -6,6 +6,7 @@ SUBDIRS = \ ipa-lockout \ ipa-modrdn \ ipa-pwd-extop \ + ipa-extdom-extop \ ipa-uuid \ ipa-version \ ipa-winsync \ diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am b/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am new file mode 100644 index 0000000000000000000000000000000000000000..d93e094b95510cf0ec99b7f7c38ff261c56f310e --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am @@ -0,0 +1,74 @@ +NULL = + +PLUGIN_COMMON_DIR=../common + +INCLUDES = \ + -I. \ + -I$(srcdir) \ + -I$(PLUGIN_COMMON_DIR) \ + -I$(KRB5_UTIL_DIR) \ + -I$(COMMON_BER_DIR) \ + -DPREFIX=\""$(prefix)"\" \ + -DBINDIR=\""$(bindir)"\" \ + -DLIBDIR=\""$(libdir)"\" \ + -DLIBEXECDIR=\""$(libexecdir)"\" \ + -DDATADIR=\""$(datadir)"\" \ + $(AM_CFLAGS) \ + $(LDAP_CFLAGS) \ + $(WBCLIENT_CFLAGS) \ + $(WARN_CFLAGS) \ + $(SSSIDMAP_CFLAGS) \ + $(NULL) + +plugindir = $(libdir)/dirsrv/plugins +plugin_LTLIBRARIES = \ + libipa_extdom_extop.la \ + $(NULL) + +libipa_extdom_extop_la_SOURCES = \ + ipa_extdom_extop.c \ + ipa_extdom_common.c \ + $(NULL) + +libipa_extdom_extop_la_LDFLAGS = -avoid-version + +libipa_extdom_extop_la_LIBADD = \ + $(LDAP_LIBS) \ + $(WBCLIENT_LIBS) \ + $(SSSIDMAP_LIBS) \ + $(NULL) + +if HAVE_CHECK +TESTS = extdom_tests +check_PROGRAMS = extdom_tests +endif + +extdom_tests_SOURCES = \ + ipa_extdom_tests.c \ + ipa_extdom_common.c \ + $(NULL) +extdom_tests_CFLAGS = $(CHECK_CFLAGS) +extdom_tests_LDFLAGS = \ + -rpath $(shell pkg-config --libs-only-L dirsrv | sed -e 's/-L//') \ + $(NULL) +extdom_tests_LDADD = \ + $(CHECK_LIBS) \ + $(LDAP_LIBS) \ + $(WBCLIENT_LIBS) \ + $(DIRSRV_LIBS) \ + $(SSSIDMAP_LIBS) \ + $(NULL) + +appdir = $(IPA_DATA_DIR) +app_DATA = \ + ipa-extdom-extop-conf.ldif \ + $(NULL) + +EXTRA_DIST = \ + README \ + $(app_DATA) \ + $(NULL) + +MAINTAINERCLEANFILES = \ + *~ \ + Makefile.in 
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/README b/daemons/ipa-slapi-plugins/ipa-extdom-extop/README new file mode 100644 index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa-extdom-extop-conf.ldif b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa-extdom-extop-conf.ldif new file mode 100644 index 0000000000000000000000000000000000000000..ec51ed26f127410901972053c86a49930d217d82 --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa-extdom-extop-conf.ldif @@ -0,0 +1,16 @@ +dn: cn=ipa_extdom_extop,cn=plugins,cn=config +changetype: add +objectclass: top +objectclass: nsSlapdPlugin +objectclass: extensibleObject +cn: ipa_extdom_extop +nsslapd-pluginpath: libipa_extdom_extop +nsslapd-plugininitfunc: ipa_extdom_init +nsslapd-plugintype: extendedop +nsslapd-pluginenabled: on +nsslapd-pluginid: ipa_extdom_extop +nsslapd-pluginversion: 1.0 +nsslapd-pluginvendor: RedHat +nsslapd-plugindescription: Support resolving IDs in trusted domains to names and back +nsslapd-plugin-depends-on-type: database +nsslapd-basedn: $SUFFIX diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h new file mode 100644 index 0000000000000000000000000000000000000000..5c2eeddceb3983fa5793c1a7fa86c5001c47beba --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h 
@@ -0,0 +1,154 @@ +/** BEGIN COPYRIGHT BLOCK + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + * + * Additional permission under GPLv3 section 7: + * + * In the following paragraph, "GPL" means the GNU General Public + * License, version 3 or any later version, and "Non-GPL Code" means + * code that is governed neither by the GPL nor a license + * compatible with the GPL. + * + * You may link the code of this Program with Non-GPL Code and convey + * linked combinations including the two, provided that such Non-GPL + * Code only links to the code of this Program through those well + * defined interfaces identified in the file named EXCEPTION found in + * the source code files (the "Approved Interfaces"). The files of + * Non-GPL Code may instantiate templates or use macros or inline + * functions from the Approved Interfaces without causing the resulting + * work to be covered by the GPL. Only the copyright holders of this + * Program may make changes or additions to the list of Approved + * Interfaces. + * + * Authors: + * Sumit Bose + * + * Copyright (C) 2011 Red Hat, Inc. + * All rights reserved. 
+ * END COPYRIGHT BLOCK **/ + +#ifndef _IPA_EXTDOM_H_ +#define _IPA_EXTDOM_H_ + +#ifdef HAVE_CONFIG_H +# include +#endif + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include + +#include +#include +#include + +#include + +#define EXOP_EXTDOM_OID "2.16.840.1.113730.3.8.10.4" + +#define IPA_EXTDOM_PLUGIN_NAME "ipa-extdom-extop" +#define IPA_EXTDOM_FEATURE_DESC "IPA trusted domain ID mapper" +#define IPA_EXTDOM_PLUGIN_DESC "Support resolving IDs in trusted domains to names and back" + +#define IPA_PLUGIN_NAME IPA_EXTDOM_PLUGIN_NAME + +enum input_types { + INP_SID = 1, + INP_NAME, + INP_POSIX_UID, + INP_POSIX_GID +}; + +enum request_types { + REQ_SIMPLE = 1, + REQ_FULL +}; + +enum response_types { + RESP_SID = 1, + RESP_NAME, + RESP_USER, + RESP_GROUP +}; + +struct extdom_req { + enum input_types input_type; + enum request_types request_type; + union { + char *sid; + struct { + char *domain_name; + char *object_name; + } name; + struct { + char *domain_name; + uid_t uid; + } posix_uid; + struct { + char *domain_name; + gid_t gid; + } posix_gid; + } data; +}; + +struct extdom_res { + enum response_types response_type; + union { + char *sid; + struct { + const char *domain_name; + const char *object_name; + } name; + struct { + const char *domain_name; + const char *user_name; + uid_t uid; + gid_t gid; + } user; + struct { + const char *domain_name; + const char *group_name; + gid_t gid; + } group; + } data; +}; + +struct ipa_extdom_ctx { + Slapi_ComponentId *plugin_id; + char *base_dn; +}; + +struct domain_info { + char *flat_name; + char *sid; + char *guid; + struct sss_idmap_ctx *idmap_ctx; +}; + +int parse_request_data(struct berval *req_val, struct extdom_req **_req); +int handle_request(struct ipa_extdom_ctx *ctx, struct extdom_req *req, + struct extdom_res **res); +int create_response(struct extdom_req *req, struct domain_info *domain_info, + const char *domain_name, + const char *name, struct wbcDomainSid *sid, + 
enum wbcSidType name_type, struct extdom_res **_res); +int pack_response(struct extdom_res *res, struct berval **ret_val); +#endif /* _IPA_EXTDOM_H_ */ diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c new file mode 100644 index 0000000000000000000000000000000000000000..294b00d50dd76c6541831b5c53bf70a4d377dcc3 --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c 
@@ -0,0 +1,498 @@ +/** BEGIN COPYRIGHT BLOCK + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + * + * Additional permission under GPLv3 section 7: + * + * In the following paragraph, "GPL" means the GNU General Public + * License, version 3 or any later version, and "Non-GPL Code" means + * code that is governed neither by the GPL nor a license + * compatible with the GPL. + * + * You may link the code of this Program with Non-GPL Code and convey + * linked combinations including the two, provided that such Non-GPL + * Code only links to the code of this Program through those well + * defined interfaces identified in the file named EXCEPTION found in + * the source code files (the "Approved Interfaces"). The files of + * Non-GPL Code may instantiate templates or use macros or inline + * functions from the Approved Interfaces without causing the resulting + * work to be covered by the GPL. Only the copyright holders of this + * Program may make changes or additions to the list of Approved + * Interfaces. + * + * Authors: + * Sumit Bose + * + * Copyright (C) 2011 Red Hat, Inc. + * All rights reserved. 
+ * END COPYRIGHT BLOCK **/ + +#ifndef _GNU_SOURCE +#define _GNU_SOURCE 1 /* for asprintf() */ +#endif + +#include +#include + +#include "ipa_extdom.h" +#include "util.h" + +int parse_request_data(struct berval *req_val, struct extdom_req **_req) +{ + BerElement *ber = NULL; + ber_tag_t tag; + ber_int_t input_type; + ber_int_t request_type; + ber_int_t id; + struct extdom_req *req; + +/* We expect the following request: + * ExtdomRequestValue ::= SEQUENCE { + * inputType ENUMERATED { + * sid (1), + * name (2), + * posix uid (3), + * posix gid (3) + * }, + * requestType ENUMERATED { + * simple (1), + * full (2) + * }, + * data InputData + * } + * + * InputData ::= CHOICE { + * sid OCTET STRING, + * name NameDomainData + * uid PosixUid, + * gid PosixGid + * } + * + * NameDomainData ::= SEQUENCE { + * domain_name OCTET STRING, + * object_name OCTET STRING + * } + * + * PosixUid ::= SEQUENCE { + * domain_name OCTET STRING, + * uid INTEGER + * } + * + * PosixGid ::= SEQUENCE { + * domain_name OCTET STRING, + * gid INTEGER + * } + */ + + if (req_val == NULL || req_val->bv_val == NULL || req_val->bv_len == 0) { + return LDAP_PROTOCOL_ERROR; + } + + ber = ber_init(req_val); + if (ber == NULL) { + return LDAP_PROTOCOL_ERROR; + } + + tag = ber_scanf(ber, "{ee", &input_type, &request_type); + if (tag == LBER_ERROR) { + ber_free(ber, 1); + return LDAP_PROTOCOL_ERROR; + } + + req = calloc(sizeof(struct extdom_req), 1); + if (req == NULL) { + return LDAP_OPERATIONS_ERROR; + } + + req->input_type = input_type; + req->request_type = request_type; + + switch (req->input_type) { + case INP_NAME: + tag = ber_scanf(ber, "{aa}}", &req->data.name.domain_name, + &req->data.name.object_name); + break; + case INP_SID: + tag = ber_scanf(ber, "a}", &req->data.sid); + break; + case INP_POSIX_UID: + tag = ber_scanf(ber, "{ai}}", &req->data.posix_uid.domain_name, + &id); + req->data.posix_uid.uid = (uid_t) id; + break; + case INP_POSIX_GID: + tag = ber_scanf(ber, "{ai}}", 
&req->data.posix_gid.domain_name, + &id); + req->data.posix_gid.gid = (gid_t) id; + break; + default: + ber_free(ber, 1); + return LDAP_PROTOCOL_ERROR; + } + ber_free(ber, 1); + if (tag == LBER_ERROR) { + return LDAP_PROTOCOL_ERROR; + } + + *_req = req; + + return LDAP_SUCCESS; +} + +static void free_domain_info(struct domain_info *domain_info) +{ + if (domain_info == NULL) { + return; + } + + sss_idmap_free(domain_info->idmap_ctx); + slapi_ch_free((void **) &domain_info->guid); + slapi_ch_free((void **) &domain_info->sid); + slapi_ch_free((void **) &domain_info->flat_name); + free(domain_info); +} + +/* TODO: A similar call is used in ipa_cldap_netlogon.c, maybe a candidate for + * a common library */ +static int get_domain_info(struct ipa_extdom_ctx *ctx, const char *domain_name, + struct domain_info **_domain_info) +{ + struct domain_info *domain_info = NULL; + Slapi_PBlock *pb = NULL; + Slapi_Entry **e = NULL; + char *filter = NULL; + int ret; + enum idmap_error_code err; + struct sss_idmap_range range; + + pb = slapi_pblock_new(); + if (pb == NULL) { + return ENOMEM; + } + + ret = asprintf(&filter, "(&(|(cn=%s)(ipaNTTrustPartner=%s)(ipaNTFlatName=%s))(objectclass=ipaNTTrustedDomain))", + domain_name, domain_name, domain_name); + if (ret == -1) { + ret = ENOMEM; + goto done; + } + + slapi_search_internal_set_pb(pb, ctx->base_dn, + LDAP_SCOPE_SUBTREE, filter, + NULL, 0, NULL, NULL, ctx->plugin_id, 0); + + slapi_search_internal_pb(pb); + slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &ret); + + if (ret != EOK) { + ret = ENOENT; + goto done; + } + + slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &e); + if (!e || !e[0] || e[1]) { + /* no matches or too many matches */ + ret = ENOENT; + goto done; + } + + domain_info = calloc(1, sizeof(struct domain_info)); + if (domain_info == NULL) { + ret = ENOMEM; + goto done; + } + + domain_info->guid = slapi_entry_attr_get_charptr(e[0], "ipaNTDomainGUID"); + domain_info->sid = slapi_entry_attr_get_charptr(e[0], + 
"ipaNTTrustedDomainSID"); + domain_info->flat_name = slapi_entry_attr_get_charptr(e[0], + "ipaNTFlatName"); + + /* TODO: read range from LDAP server */ + range.min = 200000; + range.max = 400000; + + err = sss_idmap_init(NULL, NULL, NULL, &domain_info->idmap_ctx); + if (err == IDMAP_SUCCESS) { + err = sss_idmap_add_domain(domain_info->idmap_ctx, domain_name, + domain_info->sid, &range); + } + if (err != IDMAP_SUCCESS) { + free_domain_info(domain_info); + ret = EFAULT; + goto done; + } + + *_domain_info = domain_info; + + ret = 0; + +done: + slapi_free_search_results_internal(pb); + slapi_pblock_destroy(pb); + free(filter); + return ret; + +} + +int handle_request(struct ipa_extdom_ctx *ctx, struct extdom_req *req, + struct extdom_res **res) +{ + wbcErr werr; + int ret; + struct wbcDomainSid sid; + char *domain_name; + char *name; + enum wbcSidType name_type; + struct domain_info *domain_info = NULL; + + ret = get_domain_info(ctx, req->data.name.domain_name, &domain_info); + if (ret != 0) { + return LDAP_OPERATIONS_ERROR; + } + + switch (req->input_type) { + case INP_SID: + werr = wbcStringToSid(req->data.sid, &sid); + if (!WBC_ERROR_IS_OK(werr)) { + ret = LDAP_OPERATIONS_ERROR; + goto done; + } + + werr = wbcLookupSid(&sid, &domain_name, &name, &name_type); + if (!WBC_ERROR_IS_OK(werr)) { + ret = LDAP_OPERATIONS_ERROR; + goto done; + } + + ret = create_response(req, domain_info, domain_name, name, &sid, + name_type, res); + if (ret != 0) { + ret = LDAP_OPERATIONS_ERROR; + goto done; + } + + break; + case INP_NAME: + werr = wbcLookupName(domain_info->flat_name, + req->data.name.object_name, &sid, &name_type); + if (!WBC_ERROR_IS_OK(werr)) { + ret = LDAP_OPERATIONS_ERROR; + goto done; + } + + ret = create_response(req, domain_info, req->data.name.domain_name, + req->data.name.object_name, &sid, name_type, + res); + if (ret != 0) { + ret = LDAP_OPERATIONS_ERROR; + goto done; + } + + break; + default: + ret = LDAP_PROTOCOL_ERROR; + goto done; + } + + ret = 
LDAP_SUCCESS; + +done: + free_domain_info(domain_info); + + return ret; +} + +int create_response(struct extdom_req *req, struct domain_info *domain_info, + const char *domain_name, + const char *name, struct wbcDomainSid *sid, + enum wbcSidType name_type, struct extdom_res **_res) +{ + int ret = EFAULT; + int len; + struct extdom_res *res; + uint32_t id; + enum idmap_error_code err; + char sid_str[WBC_SID_STRING_BUFLEN + 1]; + + res = malloc(sizeof(struct extdom_res)); + if (res == NULL) { + return ENOMEM; + } + + switch (req->request_type) { + case REQ_SIMPLE: + switch (req->input_type) { + case INP_SID: + res->response_type = RESP_NAME; + res->data.name.domain_name = domain_name; + res->data.name.object_name = name; + break; + case INP_NAME: + res->response_type = RESP_SID; + + len = wbcSidToStringBuf(sid, sid_str, + WBC_SID_STRING_BUFLEN); + if (len + 1 > WBC_SID_STRING_BUFLEN) { + ret = EINVAL; + goto done; + } + + res->data.sid = sid_str; + break; + default: + ret = EINVAL; + goto done; + } + break; + case REQ_FULL: + len = wbcSidToStringBuf(sid, sid_str, WBC_SID_STRING_BUFLEN); + if (len + 1 > WBC_SID_STRING_BUFLEN) { + ret = EINVAL; + goto done; + } + + err = sss_idmap_sid_to_unix(domain_info->idmap_ctx, sid_str, &id); + if (err != IDMAP_SUCCESS) { + ret = EINVAL; + goto done; + } + switch (name_type) { + case WBC_SID_NAME_USER: + res->response_type = RESP_USER; + res->data.user.domain_name = domain_name; + res->data.user.user_name = name; + + res->data.user.uid = (uid_t) id; + + /* We use MPGs for external users */ + res->data.user.gid = (gid_t) id; + break; + case WBC_SID_NAME_DOM_GRP: + res->response_type = RESP_GROUP; + res->data.group.domain_name = domain_name; + res->data.group.group_name = name; + + res->data.group.gid = (gid_t) id; + break; + default: + ret = EINVAL; + goto done; + } + break; + default: + ret = EINVAL; + goto done; + } + + ret = 0; + +done: + if (ret == 0) { + *_res = res; + } else { + free(res); + } + + return ret; +} + +int 
pack_response(struct extdom_res *res, struct berval **ret_val) +{ + BerElement *ber = NULL; + int ret; + +/* We send to follwing response: + * ExtdomResponseValue ::= SEQUENCE { + * responseType ENUMERATED { + * sid (1), + * name (2), + * posix_user (3), + * posix_group (4) + * }, + * data OutputData + * } + * + * OutputData ::= CHOICE { + * sid OCTET STRING, + * name NameDomainData, + * user PosixUser, + * group PosixGroup + * } + * + * NameDomainData ::= SEQUENCE { + * domain_name OCTET STRING, + * object_name OCTET STRING + * } + * + * PosixUser ::= SEQUENCE { + * domain_name OCTET STRING, + * user_name OCTET STRING, + * uid INTEGER + * gid INTEGER + * } + * + * PosixGroup ::= SEQUENCE { + * domain_name OCTET STRING, + * group_name OCTET STRING, + * gid INTEGER + * } + */ + + ber = ber_alloc_t( LBER_USE_DER ); + if (ber == NULL) { + return LDAP_OPERATIONS_ERROR; + } + + switch (res->response_type) { + case RESP_SID: + ret = ber_printf(ber,"{es}", res->response_type, res->data.sid); + break; + case RESP_NAME: + ret = ber_printf(ber,"{e{ss}}", res->response_type, + res->data.name.domain_name, + res->data.name.object_name); + break; + case RESP_USER: + ret = ber_printf(ber,"{e{ssii}}", res->response_type, + res->data.user.domain_name, + res->data.user.user_name, + res->data.user.uid, + res->data.user.gid); + break; + case RESP_GROUP: + ret = ber_printf(ber,"{e{ssi}}", res->response_type, + res->data.group.domain_name, + res->data.group.group_name, + res->data.group.gid); + break; + default: + ber_free(ber, 1); + return LDAP_OPERATIONS_ERROR; + } + + if (ret == -1) { + ber_free(ber, 1); + return LDAP_OPERATIONS_ERROR; + } + + ret = ber_flatten(ber, ret_val); + if (ret == -1) { + ber_free(ber, 1); + return LDAP_OPERATIONS_ERROR; + } + + ber_free(ber, 1); + + return LDAP_SUCCESS; +} 
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c new file mode 100644 index 0000000000000000000000000000000000000000..d5a2f604c4a61bda04dd026ace4b53ea5c2c3645 --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c 
@@ -0,0 +1,234 @@ +/** BEGIN COPYRIGHT BLOCK + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + * + * Additional permission under GPLv3 section 7: + * + * In the following paragraph, "GPL" means the GNU General Public + * License, version 3 or any later version, and "Non-GPL Code" means + * code that is governed neither by the GPL nor a license + * compatible with the GPL. + * + * You may link the code of this Program with Non-GPL Code and convey + * linked combinations including the two, provided that such Non-GPL + * Code only links to the code of this Program through those well + * defined interfaces identified in the file named EXCEPTION found in + * the source code files (the "Approved Interfaces"). The files of + * Non-GPL Code may instantiate templates or use macros or inline + * functions from the Approved Interfaces without causing the resulting + * work to be covered by the GPL. Only the copyright holders of this + * Program may make changes or additions to the list of Approved + * Interfaces. + * + * Authors: + * Sumit Bose + * + * Copyright (C) 2011 Red Hat, Inc. + * All rights reserved. 
+ * END COPYRIGHT BLOCK **/ + +#include "ipa_extdom.h" +#include "util.h" + +Slapi_PluginDesc ipa_extdom_plugin_desc = { + IPA_EXTDOM_FEATURE_DESC, + "FreeIPA project", + "FreeIPA/1.0", + IPA_EXTDOM_PLUGIN_DESC +}; + +static char *ipa_extdom_oid_list[] = { + EXOP_EXTDOM_OID, + NULL +}; + +static char *ipa_extdom_name_list[] = { + IPA_EXTDOM_PLUGIN_DESC, + NULL +}; + +static int ipa_extdom_start(Slapi_PBlock *pb) +{ + return LDAP_SUCCESS; +} + +static int ipa_extdom_extop(Slapi_PBlock *pb) +{ + char *oid = NULL; + char *err_msg = NULL; + int rc; + int ret; + struct berval *req_val = NULL; + struct berval *ret_val = NULL; + struct extdom_req *req = NULL; + struct extdom_res *res = NULL; + struct ipa_extdom_ctx *ctx; + + ret = slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_OID, &oid); + if (ret != 0) { + rc = LDAP_OPERATIONS_ERROR; + err_msg = "Could not get OID value from request.\n"; + goto done; + } + LOG("Received extended operation request with OID %s\n", oid); + + if (strcasecmp(oid, EXOP_EXTDOM_OID) != 0) { + return SLAPI_PLUGIN_EXTENDED_NOT_HANDLED; + } + + ret = slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &req_val); + if (ret != 0) { + rc = LDAP_UNWILLING_TO_PERFORM; + err_msg = "Missing request data.\n"; + goto done; + } + + ret = slapi_pblock_get(pb, SLAPI_PLUGIN_PRIVATE, &ctx); + if (ret != 0) { + rc = LDAP_OPERATIONS_ERROR; + err_msg = "Missing plugin context.\n"; + goto done; + } + + ret = parse_request_data(req_val, &req); + if (ret != LDAP_SUCCESS) { + rc = LDAP_UNWILLING_TO_PERFORM; + err_msg = "Cannot parse request data.\n"; + goto done; + } + + ret = handle_request(ctx, req, &res); + if (ret != LDAP_SUCCESS) { + rc = LDAP_OPERATIONS_ERROR; + err_msg = "Failed to handle the request.\n"; + goto done; + } + + ret = pack_response(res, &ret_val); + if (ret != LDAP_SUCCESS) { + rc = LDAP_OPERATIONS_ERROR; + err_msg = "Failed to pack the response.\n"; + goto done; + } + + ret = slapi_pblock_set(pb, SLAPI_EXT_OP_RET_OID, EXOP_EXTDOM_OID); + if (ret != 0) { + rc = 
LDAP_OPERATIONS_ERROR; + err_msg = "Failed to set the OID for the response.\n"; + goto done; + } + + ret = slapi_pblock_set( pb, SLAPI_EXT_OP_RET_VALUE, ret_val); + if (ret != 0) { + rc = LDAP_OPERATIONS_ERROR; + err_msg = "Failed to set the value for the response.\n"; + goto done; + } + + rc = LDAP_SUCCESS; + +done: + free(req); + free(res); + if (err_msg != NULL) { + LOG(err_msg); + } + slapi_send_ldap_result(pb, rc, NULL, err_msg, 0, NULL); + return SLAPI_PLUGIN_EXTENDED_SENT_RESULT; +} + +static int ipa_extdom_init_ctx(Slapi_PBlock *pb, struct ipa_extdom_ctx **_ctx) +{ + struct ipa_extdom_ctx *ctx; + Slapi_Entry *e; + int ret; + + ctx = calloc(1, sizeof(struct ipa_extdom_ctx)); + if (!ctx) { + return LDAP_OPERATIONS_ERROR; + } + + ret = slapi_pblock_get(pb, SLAPI_PLUGIN_IDENTITY, &ctx->plugin_id); + if ((ret != 0) || (NULL == ctx->plugin_id)) { + LOG_FATAL("Could not get identity or identity was NULL\n"); + if (ret == 0) { + ret = -1; + } + goto done; + } + + slapi_pblock_get(pb, SLAPI_PLUGIN_CONFIG_ENTRY, &e); + if (!e) { + LOG_FATAL("Plugin configuration not found!\n"); + return -1; + } + + ctx->base_dn = slapi_entry_attr_get_charptr(e, "nsslapd-basedn"); + if (!ctx->base_dn) { + LOG_FATAL("Base DN not found in plugin configuration not found!\n"); + return -1; + } + + +done: + if (ret) { + free(ctx); + } else { + *_ctx = ctx; + } + return ret; +} + +int ipa_extdom_init(Slapi_PBlock *pb) +{ + int ret; + struct ipa_extdom_ctx *extdom_ctx; + + ret = ipa_extdom_init_ctx(pb, &extdom_ctx); + if (ret) { + LOG_FATAL("Failed ot initialize external domain extended operation.\n"); + /* do not cause DS to stop, simply do nothing */ + return 0; + } + + ret = slapi_pblock_set(pb, SLAPI_PLUGIN_VERSION, SLAPI_PLUGIN_VERSION_01); + if (!ret) { + ret = slapi_pblock_set(pb, SLAPI_PLUGIN_DESCRIPTION, + (void *)&ipa_extdom_plugin_desc); + } + if (!ret) { + ret = slapi_pblock_set(pb, SLAPI_PLUGIN_START_FN, + (void *)ipa_extdom_start); + } + if (!ret) { + ret = slapi_pblock_set(pb, 
SLAPI_PLUGIN_EXT_OP_OIDLIST, + ipa_extdom_oid_list); + } + if (!ret) { + ret = slapi_pblock_set(pb, SLAPI_PLUGIN_EXT_OP_NAMELIST, + ipa_extdom_name_list); + } + if (!ret) { + ret = slapi_pblock_set(pb, SLAPI_PLUGIN_EXT_OP_FN, + (void *)ipa_extdom_extop); + } + if (!ret) { + ret = slapi_pblock_set(pb, SLAPI_PLUGIN_PRIVATE, extdom_ctx); + } + if (ret) { + LOG("Failed to set plug-in version, function, and OID.\n" ); + return -1; + } + + return 0; +} diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_tests.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_tests.c new file mode 100644 index 0000000000000000000000000000000000000000..acb6ae2844eafe938a293a964efa2afe31e32b9e --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_tests.c 
@@ -0,0 +1,203 @@ +/** BEGIN COPYRIGHT BLOCK + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + * + * Additional permission under GPLv3 section 7: + * + * In the following paragraph, "GPL" means the GNU General Public + * License, version 3 or any later version, and "Non-GPL Code" means + * code that is governed neither by the GPL nor a license + * compatible with the GPL. + * + * You may link the code of this Program with Non-GPL Code and convey + * linked combinations including the two, provided that such Non-GPL + * Code only links to the code of this Program through those well + * defined interfaces identified in the file named EXCEPTION found in + * the source code files (the "Approved Interfaces"). The files of + * Non-GPL Code may instantiate templates or use macros or inline + * functions from the Approved Interfaces without causing the resulting + * work to be covered by the GPL. Only the copyright holders of this + * Program may make changes or additions to the list of Approved + * Interfaces. + * + * Authors: + * Sumit Bose + * + * Copyright (C) 2011 Red Hat, Inc. + * All rights reserved. 
+ * END COPYRIGHT BLOCK **/ + +#include + +#include "ipa_extdom.h" +#include "util.h" + +char req_sid[] = {0x30, 0x11, 0x0a, 0x01, 0x01, 0x0a, 0x01, 0x01, 0x04, 0x09, \ + 0x53, 0x2d, 0x31, 0x2d, 0x32, 0x2d, 0x33, 0x2d, 0x34}; +char req_nam[] = {0x30, 0x16, 0x0a, 0x01, 0x02, 0x0a, 0x01, 0x01, 0x30, 0x0e, \ + 0x04, 0x06, 0x44, 0x4f, 0x4d, 0x41, 0x49, 0x4e, 0x04, 0x04, \ + 0x74, 0x65, 0x73, 0x74}; +char req_uid[] = {0x30, 0x14, 0x0a, 0x01, 0x03, 0x0a, 0x01, 0x01, 0x30, 0x0c, \ + 0x04, 0x06, 0x44, 0x4f, 0x4d, 0x41, 0x49, 0x4e, 0x02, 0x02, \ + 0x30, 0x39}; +char req_gid[] = {0x30, 0x15, 0x0a, 0x01, 0x04, 0x0a, 0x01, 0x01, 0x30, 0x0d, \ + 0x04, 0x06, 0x44, 0x4f, 0x4d, 0x41, 0x49, 0x4e, 0x02, 0x03, \ + 0x00, 0xd4, 0x31}; + +char res_sid[] = {0x30, 0x0e, 0x0a, 0x01, 0x01, 0x04, 0x09, 0x53, 0x2d, 0x31, \ + 0x2d, 0x32, 0x2d, 0x33, 0x2d, 0x34}; +char res_nam[] = {0x30, 0x13, 0x0a, 0x01, 0x02, 0x30, 0x0e, 0x04, 0x06, 0x44, \ + 0x4f, 0x4d, 0x41, 0x49, 0x4e, 0x04, 0x04, 0x74, 0x65, 0x73, \ + 0x74}; +char res_uid[] = {0x30, 0x17, 0x0a, 0x01, 0x03, 0x30, 0x12, 0x04, 0x06, 0x44, \ + 0x4f, 0x4d, 0x41, 0x49, 0x4e, 0x04, 0x04, 0x74, 0x65, 0x73, \ + 0x74, 0x02, 0x02, 0x30, 0x39}; +char res_gid[] = {0x30, 0x1e, 0x0a, 0x01, 0x04, 0x30, 0x19, 0x04, 0x06, 0x44, \ + 0x4f, 0x4d, 0x41, 0x49, 0x4e, 0x04, 0x0a, 0x74, 0x65, 0x73, \ + 0x74, 0x5f, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x02, 0x03, 0x00, \ + 0xd4, 0x31}; + +#define TEST_SID "S-1-2-3-4" +#define TEST_DOMAIN_NAME "DOMAIN" + +START_TEST(test_encode) +{ + int ret; + struct extdom_res res; + struct berval *resp_val; + + res.response_type = RESP_SID; + res.data.sid = TEST_SID; + + ret = pack_response(&res, &resp_val); + + fail_unless(ret == LDAP_SUCCESS, "pack_response() failed."); + fail_unless(sizeof(res_sid) == resp_val->bv_len && + memcmp(res_sid, resp_val->bv_val, resp_val->bv_len) == 0, + "Unexpected BER blob."); + ber_memfree(resp_val); + + res.response_type = RESP_NAME; + res.data.name.domain_name = TEST_DOMAIN_NAME; + 
res.data.name.object_name = "test"; + + ret = pack_response(&res, &resp_val); + + fail_unless(ret == LDAP_SUCCESS, "pack_response() failed."); + fail_unless(sizeof(res_nam) == resp_val->bv_len && + memcmp(res_nam, resp_val->bv_val, resp_val->bv_len) == 0, + "Unexpected BER blob."); + ber_memfree(resp_val); +} +END_TEST + +START_TEST(test_decode) +{ + struct berval req_val; + struct extdom_req *req; + int ret; + + req_val.bv_val = req_sid; + req_val.bv_len = sizeof(req_sid); + + ret = parse_request_data(&req_val, &req); + + fail_unless(ret == LDAP_SUCCESS, "parse_request_data() failed."); + fail_unless(req->input_type == INP_SID, + "parse_request_data() returned unexpected input type"); + fail_unless(req->request_type == REQ_SIMPLE, + "parse_request_data() returned unexpected request type"); + fail_unless(strcmp(req->data.sid, "S-1-2-3-4") == 0, + "parse_request_data() returned unexpected sid"); + free(req); + + req_val.bv_val = req_nam; + req_val.bv_len = sizeof(req_nam); + + ret = parse_request_data(&req_val, &req); + + fail_unless(ret == LDAP_SUCCESS, + "parse_request_data() failed."); + fail_unless(req->input_type == INP_NAME, + "parse_request_data() returned unexpected input type"); + fail_unless(req->request_type == REQ_SIMPLE, + "parse_request_data() returned unexpected request type"); + fail_unless(strcmp(req->data.name.domain_name, "DOMAIN") == 0, + "parse_request_data() returned unexpected domain name"); + fail_unless(strcmp(req->data.name.object_name, "test") == 0, + "parse_request_data() returned unexpected object name"); + free(req); + + req_val.bv_val = req_uid; + req_val.bv_len = sizeof(req_uid); + + ret = parse_request_data(&req_val, &req); + + fail_unless(ret == LDAP_SUCCESS, + "parse_request_data() failed."); + fail_unless(req->input_type == INP_POSIX_UID, + "parse_request_data() returned unexpected input type"); + fail_unless(req->request_type == REQ_SIMPLE, + "parse_request_data() returned unexpected request type"); + 
fail_unless(strcmp(req->data.posix_uid.domain_name, "DOMAIN") == 0, + "parse_request_data() returned unexpected domain name"); + fail_unless(req->data.posix_uid.uid == 12345, + "parse_request_data() returned unexpected uid [%d]", + req->data.posix_uid.uid); + free(req); + + req_val.bv_val = req_gid; + req_val.bv_len = sizeof(req_gid); + + ret = parse_request_data(&req_val, &req); + + fail_unless(ret == LDAP_SUCCESS, + "parse_request_data() failed."); + fail_unless(req->input_type == INP_POSIX_GID, + "parse_request_data() returned unexpected input type"); + fail_unless(req->request_type == REQ_SIMPLE, + "parse_request_data() returned unexpected request type"); + fail_unless(strcmp(req->data.posix_gid.domain_name, "DOMAIN") == 0, + "parse_request_data() returned unexpected domain name"); + fail_unless(req->data.posix_gid.gid == 54321, + "parse_request_data() returned unexpected gid [%d]", + req->data.posix_gid.gid); + free(req); +} +END_TEST + +Suite * ipa_extdom_suite(void) +{ + Suite *s = suite_create("IPA extdom"); + + TCase *tc_core = tcase_create("Core"); + tcase_add_test(tc_core, test_decode); + tcase_add_test(tc_core, test_encode); + /* TODO: add test for create_response() */ + suite_add_tcase(s, tc_core); + + return s; +} + +int main(void) +{ + int number_failed; + + Suite *s = ipa_extdom_suite (); + SRunner *sr = srunner_create (s); + srunner_run_all (sr, CK_VERBOSE); + number_failed = srunner_ntests_failed (sr); + srunner_free (sr); + + return (number_failed == 0) ? EXIT_SUCCESS : EXIT_FAILURE; +} diff --git a/freeipa.spec.in b/freeipa.spec.in index b61d93ddacc6e8600fde5388c672de95b09febaf..511d425d179ccfedd3d9ec3606a36c3ac81918e7 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in 
@@ -81,6 +81,8 @@ BuildRequires: python-lxml BuildRequires: python-pyasn1 >= 0.0.9a BuildRequires: python-dns BuildRequires: python-crypto +BuildRequires: check >= 0.9.5 +BuildRequires: libsss_idmap-devel %description IPA is an integrated solution to provide centrally managed Identity (machine, @@ -359,6 +361,7 @@ rm %{buildroot}/%{plugin_dir}/libipa_uuid.la rm %{buildroot}/%{plugin_dir}/libipa_modrdn.la rm %{buildroot}/%{plugin_dir}/libipa_lockout.la rm %{buildroot}/%{plugin_dir}/libipa_cldap.la +rm %{buildroot}/%{plugin_dir}/libipa_extdom_extop.la rm %{buildroot}/%{_libdir}/krb5/plugins/kdb/ipadb.la rm %{buildroot}/%{_libdir}/samba/pdb/ipasam.la @@ -666,6 +669,7 @@ fi %files server-trust-ad %{_sbindir}/ipa-adtrust-install +%attr(755,root,root) %{plugin_dir}/libipa_extdom_extop.so %{_usr}/share/ipa/smb.conf.empty %attr(755,root,root) %{_libdir}/samba/pdb/ipasam.so %{_mandir}/man1/ipa-adtrust-install.1.gz @@ -724,6 +728,9 @@ fi %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt %changelog +* Fri Jun 21 2012 Sumit Bose - 2.99.0-36 +- Add extdom extop plugin + * Fri Jun 21 2012 Rob Crittenden - 2.99.0-35 - Add client requires on libsss-autofs, autofs, libnfsidmap and nfs-utils for configuring automount and NFS. diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py index 4d417c8d1d15e4e7a799e871f886232cbf888331..b4c2ac0b6d9376ce69b8844fca79612fa2a269fa 100644 --- a/ipaserver/install/adtrustinstance.py +++ b/ipaserver/install/adtrustinstance.py @@ -223,6 +223,12 @@ class ADTRUSTInstance(service.Service): except: pass + def __add_extdom_module(self): + try: + self._ldap_mod("ipa-extdom-extop-conf.ldif", self.sub_dict) + except: + pass + def __write_smb_registry(self): template = os.path.join(ipautil.SHARE_DIR, "smb.conf.template") conf = ipautil.template_file(template, self.sub_dict) 
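Review bot: __add_extdom_module() swallows everything with a bare "except: pass", so a failure to load ipa-extdom-extop-conf.ldif (bad $SUFFIX substitution, missing file, LDAP error) leaves the extop silently inactive while ipa-adtrust-install still reports success; this copies the __add_cldap_module() block right above it, but at least log the exception with root_logger so an admin can see why SSSD's sub-domain lookups fail later. In the spec hunk the new %changelog entry is dated "Fri Jun 21 2012", but 21 June 2012 was a Thursday (the surrounding mails are dated Wed, 27 Jun 2012), which rpmbuild reports as a bogus date in %changelog; the entry just below has the same problem, so fix both while here. Also the hunks shown add "BuildRequires: check >= 0.9.5" but no %check section; if the tests are meant to run at package build time as the cover letter says, that part of the spec change is missing from the patch as posted.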
@@ -354,8 +360,9 @@ class ADTRUSTInstance(service.Service): def __start(self): try: self.start() + ipaservices.service('winbind').start() except: - root_logger.critical("smbd service failed to start") + root_logger.critical("CIFS services failed to start") def __stop(self): self.backup_state("running", self.is_running()) @@ -380,7 +387,12 @@ class ADTRUSTInstance(service.Service): self.suffix) except (ldap.ALREADY_EXISTS, errors.DuplicateEntry), e: root_logger.info("ADTRUST Service startup entry already exists.") - pass + + try: + self.ldap_enable('EXTID', self.fqdn, self.dm_password, \ + self.suffix) + except (ldap.ALREADY_EXISTS, errors.DuplicateEntry), e: + root_logger.info("EXTID Service startup entry already exists.") def __setup_sub_dict(self): self.sub_dict = dict(REALM = self.realm_name, @@ -430,17 +442,18 @@ class ADTRUSTInstance(service.Service): self.step("adding cifs Kerberos principal", self.__setup_principal) self.step("adding admin(group) SIDs", self.__add_admin_sids) self.step("activating CLDAP plugin", self.__add_cldap_module) + self.step("activating extdom plugin", self.__add_extdom_module) self.step("configuring smbd to start on boot", self.__enable) if not self.no_msdcs: self.step("adding special DNS service records", \ self.__add_dns_service_records) - self.step("restarting Directory Server to take MS PAC and CLDAP changes into account", \ + self.step("restarting Directory Server to take MS PAC and LDAP plugins changes into account", \ self.__restart_dirsrv) self.step("setting SELinux booleans", \ self.__configure_selinux_for_smbd) - self.step("starting smbd", self.__start) + self.step("starting CIFS services", self.__start) - self.start_creation("Configuring smbd:") + self.start_creation("Configuring CIFS:") def uninstall(self): if self.is_configured(): diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py index a3d09fcd633a851a67ef94b2025f1afb605d3d84..5cc7ae639db3fe2aa3805a90e0902f10f277064c 100644 
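Review bot: in __start() the new winbind start sits inside the same bare "try" as self.start(), so when smbd comes up but winbind does not, the only diagnostic is the generic "CIFS services failed to start" with the exception discarded; start them separately (or log the exception with the service name) so the failing service is identifiable, and stop smbd again when winbind fails instead of leaving a half-started CIFS stack. The added ldap_enable('EXTID', ...) registers winbind as an IPA-managed service, but nothing in this hunk enables winbind on boot the way __enable does for smbd, and the __stop()/uninstall() side is not shown; make sure winbind is enabled, stopped and disabled symmetrically and that the EXTID startup entry is removed on uninstall. Finally the SERVICE_LIST key "EXTID" does not match the "extdom" naming used everywhere else in the patch; use one name so the startup entry is recognisable.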
--- a/ipaserver/install/service.py +++ b/ipaserver/install/service.py @@ -42,7 +42,8 @@ SERVICE_LIST = { 'MEMCACHE':('ipa_memcached', 39), 'HTTP':('httpd', 40), 'CA':('pki-cad', 50), - 'ADTRUST':('smb', 60) + 'ADTRUST':('smb', 60), + 'EXTID':('winbind', 70) } def print_msg(message, output_fd=sys.stdout): -- 1.7.10.2 From pvoborni at redhat.com Wed Jun 27 16:19:55 2012 From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 27 Jun 2012 18:19:55 +0200 Subject: [Freeipa-devel] [PATCH] 163 Refactored association facet to use facet buttons with actions Message-ID: <4FEB32AB.7050409@redhat.com> Association facet was refactored to use the new concept of control buttons. It is the last facet type which didn't use this concept. It fixes a regression introduced by the previous refactoring of the table facet (the delete button was never enabled). https://fedorahosted.org/freeipa/ticket/2876 -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0163-Refactored-associatin-facet-to-use-facet-buttons-wit.patch Type: text/x-patch Size: 7867 bytes Desc: not available URL: From pvoborni at redhat.com Wed Jun 27 16:22:18 2012 From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 27 Jun 2012 18:22:18 +0200 Subject: [Freeipa-devel] [PATCH] 164 Continuation of removing of not supported command options from Web UI Message-ID: <4FEB333A.2060803@redhat.com> This patch removes the following non-existing command options: * all,rights in host_disable * record_type in dns_record_add * all,rights in various xxx_remove_xxx commands used in rule_association_table_field (removing association) https://fedorahosted.org/freeipa/ticket/2878 -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0164-Continuation-of-removingi-of-not-supported-command-o.patch Type: text/x-patch Size: 2391 bytes Desc: not available URL: From abokovoy at redhat.com Wed Jun 27 16:27:03 2012
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Wed, 27 Jun 2012 19:27:03 +0300 Subject: [Freeipa-devel] [PATCH] Add sidgen postop and task In-Reply-To: <20120625095310.GU29454@localhost.localdomain> References: <20120625095310.GU29454@localhost.localdomain> Message-ID: <20120627162702.GH16889@redhat.com> On Mon, 25 Jun 2012, Sumit Bose wrote: >Hi, > >this patch adds support to automatically create SIDs for local objects >as described in ticket https://fedorahosted.org/freeipa/ticket/2825. > >The post-operation plugin adds the SID and if necessary the needed >objectclass for a newly created object. ACK. Works for me in tests. >The directory server task can be used to set SIDs for existing objects in >one run. Since there were concerns about the amount of replication >traffic this task accepts a parameter 'delay' to let the task pause for >the given number of micro-seconds after an object was changed. I also do >not start the task during ipa-adtrust-install to allow running the task >at a more appropriate time. I wonder if it is ok to just have an ldif >file as an example and explain in the docs how to start the task with >ldapmodify or if a tighter integration is needed. Typically this task >should be called only once after ipa-adtrust-install. We probably would need to make something like 'ipa-task-manage' that would allow listing, enabling, scheduling, and disabling all supported tasks. Something to work on once we have refactored installer/tools infrastructure in 3.1? -- / Alexander Bokovoy From abokovoy at redhat.com Wed Jun 27 16:28:11 2012
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Wed, 27 Jun 2012 19:28:11 +0300 Subject: [Freeipa-devel] [PATCH] Filter groups in the PAC In-Reply-To: <20120626082305.GA29454@localhost.localdomain> References: <20120626082305.GA29454@localhost.localdomain> Message-ID: <20120627162811.GI16889@redhat.com> On Tue, 26 Jun 2012, Sumit Bose wrote: >Hi, > >this patch contains the KDC part of the external groups handling. If >group SIDs from the PAC can be found in the ipaExternalGroup objects and >the external groups are members of local groups, the SIDs of the local >groups are added to the PAC. If the PAC is then read by the SSSD PAC >responder, the user from the PAC is added to the local groups on the >client. ACK. There were code-related comments from Simo yesterday on IRC but it was agreed to solve those in separate patches. -- / Alexander Bokovoy From abokovoy at redhat.com Wed Jun 27 16:38:53 2012
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Wed, 27 Jun 2012 19:38:53 +0300 Subject: [Freeipa-devel] [PATCH] 18 Add external domain extop DS plugin In-Reply-To: <20120627161429.GK29454@localhost.localdomain> References: <20120323125234.GU2301@localhost.localdomain> <20120607092729.GM8124@localhost.localdomain> <20120611144617.GR25726@redhat.com> <20120613102642.GG20850@localhost.localdomain> <20120613103749.GH20850@localhost.localdomain> <20120627161429.GK29454@localhost.localdomain> Message-ID: <20120627163853.GJ16889@redhat.com> On Wed, 27 Jun 2012, Sumit Bose wrote: >On Wed, Jun 13, 2012 at 12:37:49PM +0200, Sumit Bose wrote: >> On Wed, Jun 13, 2012 at 12:26:43PM +0200, Sumit Bose wrote: >> > On Mon, Jun 11, 2012 at 05:46:17PM +0300, Alexander Bokovoy wrote: >> > > On Thu, 07 Jun 2012, Sumit Bose wrote: >> > > >On Fri, Mar 23, 2012 at 01:52:34PM +0100, Sumit Bose wrote: >> > > >>Hi, >> > > >> >> > > >>these two patches introduce a new extended operation to the IPA server >> > > >>which can be used by clients in the IPA domain to obtain information >> > > >>about users and groups from trusted domains. Currently this exop is used >> > > >>by the sssd sub-domain patch to map user names from a trusted AD domain >> > > >>to a SID and back. There is also some code for other kinds of requests >> > > >>which might become useful in the future, e.g. with a trusted IPA domain. >> > > >> >> > > >>I added some unit tests and added a check for the check unit test framework >> > > >>for C (http://check.sourceforge.net/) which is used by sssd as well. I >> > > >>modified the spec file so that the test is run during the build of the >> > > >>packages. I hope this is ok. >> > > >> >> > > >>The patches depend on the idmap library patch which was ACKed recently >> > > >>on sssd-devel and as mentioned before the sub-domain patches on >> > > >>sssd-devel can only be fully tested with an IPA server which has these >> > > >>patches applied.
>> > > >> >> > > >>Since Alexander is currently rewriting parts of the ipa-adtrust-install >> > > >>utility I stand back from adding activation code for the exop to >> > > >>ipa-adtrust-install and will send a patch when Alexander's changes are >> > > >>available. So currently extdom-extop-conf.ldif has to be loaded manually >> > > >>after replacing $SUFFIX to activate the new exop. >> > > >> >> > > >>bye, >> > > >>Sumit >> > > > >> > > >Please find a rebased version of the patches which work on top of >> > > >Alexander's latest series of patches. The patches now also contain the >> > > >loading of extdom-extop-conf.ldif and the activation of winbind. >> > > Thanks for the rebase. >> > > >> > > A few comments. >> > > >> > > 1. The extdom plugin should support IDMAP_BOTH. We do provide user private >> > > groups so in our case it should be viewed as preferred output. Thus you >> > > would need to add a new response type to cover this case. >> > >> > Currently the plugin only uses winbind to map SIDs to names and back and >> > in the returned user data the user private groups are already respected >> > by setting the GID to the UID. On the client side sssd handles the >> > trusted domains as mpg (magic private group) domains. >> > >> > > >> > > 2. I have tried to look at the plugin description from the point of view of >> > > a system administrator and I failed to understand what it does: >> > > >+#define IPA_EXTDOM_PLUGIN_NAME "ipa-extdom-extop" >> > > >+#define IPA_EXTDOM_FEATURE_DESC "IPA EXTDOM ID mapper" >> > > >+#define IPA_EXTDOM_PLUGIN_DESC "IPA EXTDOM ID mapper Extended Operation plugin" >> > > >> > > In the ipa-extdom-extop-conf.ldif you have the following description: >> > > >+nsslapd-plugindescription: Support resolving IDs in trusted domains to names and back >> > > Probably it is better to reuse the same description in IPA_EXTDOM_PLUGIN_DESC? >> > > >> > > This is a minor point but EXTDOM itself is vague.
Maybe we should be more clear >> > > and call it 'IPA trusted domain ID mapper' as it really limits itself to >> > > only trusted domains? We don't dispatch a winbind request if the domain is >> > > not found in our list of trusted domains. >> > >> > I have updated the descriptions. I prefer the EXTDOM prefix because >> > there might be future use cases where we might want to get some data >> > from other domains without trust. But I'm happy to change it if you like >> > a different prefix better. >> > >> > > >> > > 3. Could you please define the oid in ipa_extdom.h so that it could be >> > > useful for client code as well? >> > > >+#define EXOP_EXTDOM_OID "2.16.840.1.113730.3.8.10.4" >> > >> > done >> > >> > New version attached. >> >> ah. sorry, forgot to squash in some changes. >> >> Additionally I moved the binary to the freeipa-server-trust-ad package >> to avoid additional dependencies in the freeipa-server package. >> >> bye, >> Sumit >> >> > >> > > >> > > 4. Do we have the 'check' tool in RHEL6? >> > >> > yes, the current version is check-0.9.8-1.1.el6 >> > >> > Thank you for the review. >> > >> > bye, >> > Sumit >> > > -- >> > > / Alexander Bokovoy > >A rebased version with some changes by Alexander is attached. ACK from my side. Works in tests I've run. -- / Alexander Bokovoy From rcritten at redhat.com Wed Jun 27 17:46:57 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 27 Jun 2012 13:46:57 -0400 Subject: [Freeipa-devel] [PATCH] 1030 Fedora 18 compatibility Message-ID: <4FEB4711.9010603@redhat.com> I found a few minor issues when building and installing the master branch on Fedora 18. This patch should address them. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-1030-f18.patch Type: text/x-diff Size: 1797 bytes Desc: not available URL: From sbose at redhat.com Wed Jun 27 19:19:36 2012
From: sbose at redhat.com (Sumit Bose) Date: Wed, 27 Jun 2012 21:19:36 +0200 Subject: [Freeipa-devel] [PATCHES] 22-24 Add initial support for ID ranges In-Reply-To: <20120626103014.GC29454@localhost.localdomain> References: <20120613191726.GI20850@localhost.localdomain> <1339634303.8230.634.camel@willson.li.ssimo.org> <20120614103538.GJ20850@localhost.localdomain> <1339674880.8230.674.camel@willson.li.ssimo.org> <20120614122501.GK20850@localhost.localdomain> <20120617194720.GB29454@localhost.localdomain> <20120626103014.GC29454@localhost.localdomain> Message-ID: <20120627191935.GL29454@localhost.localdomain> On Tue, Jun 26, 2012 at 12:30:14PM +0200, Sumit Bose wrote: > On Sun, Jun 17, 2012 at 09:47:20PM +0200, Sumit Bose wrote: > > On Thu, Jun 14, 2012 at 02:25:01PM +0200, Sumit Bose wrote: > > > On Thu, Jun 14, 2012 at 07:54:40AM -0400, Simo Sorce wrote: > > > > On Thu, 2012-06-14 at 12:35 +0200, Sumit Bose wrote: > > > > > On Wed, Jun 13, 2012 at 08:38:23PM -0400, Simo Sorce wrote: > > > > > > On Wed, 2012-06-13 at 21:17 +0200, Sumit Bose wrote: > > > > > > > > > > > > > > to keep track of the different ranges we use for UIDs/GIDs for local > > > > > > > users/groups and users from trusted domains new range objects are > > > > > > > introduced which are stored below cn=range,cn=etc,$SUFFIX. > > > > > > > > > > > > > > 0022: LDAP schema update > > > > > > > > > > > > ack > > > > > > > > > > > > > 0023: Create a range object during installation for the local ID range > > > > > > > > > > > > nack, I think we need to find a way to handle adding at least the base > > > > > > range on update. Otherwise an updated server won't be able to have IDs > > > > > > for most of its users. > > > > > > > > > > I fully agree, but since we said that we concentrate on update issues in > > > > > beta2 I wanted to send the version for the fresh install first to allow > > > > > testing.
> > > > > > > > The reason I'd like updates is that this patchset can be installed on > > > > top of existing servers for testing w/o having to reinstall from scratch > > > > or manually creating the ipaDomainIDRange object :):) > > > > > > ok, will do. > > > > > > Do you otherwise agree with the patches or is there something I should > > > change while adding the updates? > > > > > > bye, > > > Sumit > > > > > > > > > > > > > > > > > 0024: add primary and secondary RID base to the local range object > > > > > > > during ipa-adtrust-install > > > > > > > > > > > > Not sure if setting the range belongs in the previous patch or this one. > > > > > > > > > > I think it is right here, because a plain IPA server does not need the > > > > > RID related attributes. > > > > > > > > > > > We might decide to ask questions during ipa-adtrust-install if the range > > > > > > is not available, maybe presenting a set of pre-canned choices if we can > > > > > > detect them. > > > > > > > > > > I agree here, too. But as above I would like to handle update issues > > > > > in a second round. > > > > > > > > > > > > > > > > > Finally I think we need to do a search with uid/gidNumber < base and > > > > > > uid/gidNumber > max and prompt/warn the user if we detect any ID that > > > > > > falls outside the configured range (either because we failed to detect > > > > > > ranges on upgrade and the user botched the question or because the admin > > > > > > added arbitrary IDs). > > > > > > If a warning, we should warn that, missing a range that suitably covers > > > > > > these IDs, those users/groups will not be available for the trust. > > > > > > > > > > > > Maybe we should also have a simple ipa command that can list all > > > > > > users/groups that fall outside the ranges as well. > > > > > > > > > > I'm working on the ranges cli plugin to allow 'ipa range-add', 'ipa > > > > > range-find' etc. I can add it there.
> > > > > > > > > > Hi, > > > > this new series of patches adds the CLI plugin to create the ID ranges > > manually. I'm still working on detection of the locally used ID range > > of an upgraded domain in ipa-adtrust-install and a plugin which rejects > > new ranges which overlap with existing ones. > > > > bye, > > Sumit > > the attached patch adds a preop plugin which checks for overlaps with > existing ranges. > > bye, > Sumit Finally I added a method to guess and create the initial ID range, if none is present, e.g. when updating from an older version of freeIPA. A full series of patches is attached. bye, Sumit -------------- next part -------------- From e38871dc5ca23ac7f43f65c7805509ab3fb3af91 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Mon, 11 Jun 2012 18:31:36 +0200 Subject: [PATCH 1/5] Extend LDAP schema The objectclass ipaIDobject can be used to reserve local UIDs, GIDs or SIDs for objects that are neither users nor groups. The ipa*IDRange objectclasses will be used to store the used Posix ID ranges of the local domains (ipaDomainIDRange) or the ranges reserved for AD domains (ipaTrustedADDomainRange). To be able to map the Posix IDs to a RID and back the corresponding ranges can be saved here as well. --- install/share/60basev3.ldif | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif index 2c24137b0dc39f215ed0e4b97079ffce0ec630d3..03561d13f45768006eb22e3dc00f41f35944dc56 100644 --- a/install/share/60basev3.ldif +++ b/install/share/60basev3.ldif
@@ -29,6 +29,10 @@ attributeTypes: ( 2.16.840.1.113730.3.8.11.21 NAME 'ipaAllowToImpersonate' DESC attributeTypes: ( 2.16.840.1.113730.3.8.11.22 NAME 'ipaAllowedTarget' DESC 'Target principals alowed to get a ticket for' SUP distinguishedName X-ORIGIN 'IPA-v3') attributeTypes: (2.16.840.1.113730.3.8.11.30 NAME 'ipaSELinuxUser' DESC 'An SELinux user' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3') attributeTypes: (2.16.840.1.113730.3.8.11.31 NAME 'ipaSshPubKey' DESC 'SSH public key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v3' ) +attributeTypes: (2.16.840.1.113730.3.8.11.33 NAME 'ipaBaseID' DESC 'First value of a Posix ID range' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' ) +attributeTypes: (2.16.840.1.113730.3.8.11.34 NAME 'ipaIDRangeSize' DESC 'Size of a Posix ID range' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' ) +attributeTypes: (2.16.840.1.113730.3.8.11.35 NAME 'ipaBaseRID' DESC 'First value of a RID range' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' ) +attributeTypes: (2.16.840.1.113730.3.8.11.36 NAME 'ipaSecondaryBaseRID' DESC 'First value of a secondary RID range' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup' SUP top STRUCTURAL MUST ( cn ) MAY ( ipaExternalMember $ memberOf $ description $ owner) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.2 NAME 'ipaNTUserAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) MAY ( ipaNTHash $ ipaNTLogonScript $ ipaNTProfilePath $ ipaNTHomeDirectory $ ipaNTHomeDirectoryDrive ) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.3 NAME 
'ipaNTGroupAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' ) @@ -40,3 +44,7 @@ objectClasses: (2.16.840.1.113730.3.8.12.10 NAME 'ipaSELinuxUserMap' SUP ipaAsso objectClasses: (2.16.840.1.113730.3.8.12.11 NAME 'ipaSshGroupOfPubKeys' ABSTRACT MAY ipaSshPubKey X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.12 NAME 'ipaSshUser' SUP ipaSshGroupOfPubKeys AUXILIARY X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.13 NAME 'ipaSshHost' SUP ipaSshGroupOfPubKeys AUXILIARY X-ORIGIN 'IPA v3' ) +objectClasses: (2.16.840.1.113730.3.8.12.14 NAME 'ipaIDobject' SUP top AUXILIARY MAY ( uidNumber $ gidNumber $ ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' ) +objectClasses: (2.16.840.1.113730.3.8.12.15 NAME 'ipaIDrange' ABSTRACT MUST ( cn $ ipaBaseID $ ipaIDRangeSize ) X-ORIGIN 'IPA v3' ) +objectClasses: (2.16.840.1.113730.3.8.12.16 NAME 'ipaDomainIDRange' SUP ipaIDrange STRUCTURAL MAY ( ipaBaseRID $ ipaSecondaryBaseRID ) X-ORIGIN 'IPA v3' ) +objectClasses: (2.16.840.1.113730.3.8.12.17 NAME 'ipaTrustedADDomainRange' SUP ipaIDrange STRUCTURAL MUST ( ipaBaseRID $ ipaNTTrustedDomainSID ) X-ORIGIN 'IPA v3' ) -- 1.7.10.2 -------------- next part -------------- From 3aa34e2be073732bb43cafb1d76801f3572c3c1e Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Tue, 12 Jun 2012 11:58:41 +0200 Subject: [PATCH 2/5] Add objects for initial ID range --- install/share/bootstrap-template.ldif | 14 ++++++++++++++ install/updates/62-ranges.update | 13 +++++++++++++ install/updates/Makefile.am | 1 + ipaserver/install/dsinstance.py | 1 + 4 files changed, 29 insertions(+) create mode 100644 install/updates/62-ranges.update diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif index 149b6c9b29c6fd363eb7baccd9648d49c260ff85..ca74bf6fade5f4e0591ee511f96cc3d58542887d 100644 --- a/install/share/bootstrap-template.ldif +++ b/install/share/bootstrap-template.ldif
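Review bot: ipaBaseID and ipaIDRangeSize are defined with EQUALITY integerMatch only, while ipaBaseRID and ipaSecondaryBaseRID get ORDERING integerOrderingMatch; the overlap preop plugin and the "<="/">=" comparisons this series relies on are boundary comparisons on exactly the first two attributes, so give all four the same ORDERING rule (by RFC 4511 an ordering filter on an attribute with no ORDERING rule evaluates to Undefined, and even where 389-ds is lenient the four definitions should match). ipaIDobject is AUXILIARY with uidNumber, gidNumber and ipaNTSecurityIdentifier all MAY, so an entry can carry the class and reserve nothing; if the intent is "reserve at least one ID", say so in the DESC so the sidgen and range code can rely on it. Minor: the class is spelled ipaIDobject here and ipaIDObject in the filter of patch 3; LDAP matches objectclass names case-insensitively, but use one spelling throughout.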
@@ -409,3 +409,17 @@ objectClass: top objectClass: nsContainer cn: usermap +dn: cn=ranges,cn=etc,$SUFFIX +changetype: add +objectClass: top +objectClass: nsContainer +cn: ranges + +dn: cn=local_id_range,cn=ranges,cn=etc,$SUFFIX +changetype: add +objectClass: top +objectClass: ipaIDrange +objectClass: ipaDomainIDRange +cn: local_id_range +ipaBaseID: $IDSTART +ipaIDRangeSize: $IDRANGE_SIZE diff --git a/install/updates/62-ranges.update b/install/updates/62-ranges.update new file mode 100644 index 0000000000000000000000000000000000000000..42c1e2a98b8b64164ae9ae0292aa7b91beac2b26 --- /dev/null +++ b/install/updates/62-ranges.update 
@@ -0,0 +1,13 @@ +dn: cn=schema +add:attributeTypes: (2.16.840.1.113730.3.8.11.33 NAME 'ipaBaseID' DESC 'First value of a Posix ID range' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' ) +add:attributeTypes: (2.16.840.1.113730.3.8.11.34 NAME 'ipaIDRangeSize' DESC 'Size of a Posix ID range' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' ) +add:attributeTypes: (2.16.840.1.113730.3.8.11.35 NAME 'ipaBaseRID' DESC 'First value of a RID range' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' ) +add:attributeTypes: (2.16.840.1.113730.3.8.11.36 NAME 'ipaSecondaryBaseRID' DESC 'First value of a secondary RID range' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' ) +add:objectClasses: (2.16.840.1.113730.3.8.12.15 NAME 'ipaIDrange' ABSTRACT MUST ( cn $$ ipaBaseID $$ ipaIDRangeSize ) X-ORIGIN 'IPA v3' ) +add:objectClasses: (2.16.840.1.113730.3.8.12.16 NAME 'ipaDomainIDRange' SUP ipaIDrange STRUCTURAL MAY ( ipaBaseRID $$ ipaSecondaryBaseRID ) X-ORIGIN 'IPA v3' ) +add:objectClasses: (2.16.840.1.113730.3.8.12.17 NAME 'ipaTrustedADDomainRange' SUP ipaIDrange STRUCTURAL MUST ( ipaBaseRID $$ ipaNTTrustedDomainSID ) X-ORIGIN 'IPA v3' ) + +dn: cn=ranges,cn=etc,$SUFFIX +default: obectClass: top +default: objectClass: nsContainer +default: cn: ranges diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am index 412630e4e6d13167e2c0ae17c54f8ad84a4797fa..e45690f14c41dbd9eb10b5969ee14a257b8c7883 100644 --- a/install/updates/Makefile.am +++ b/install/updates/Makefile.am @@ -35,6 +35,7 @@ app_DATA = \ 55-pbacmemberof.update \ 60-trusts.update \ 61-trusts-s4u2proxy.update \ + 62-ranges.update \ $(NULL) EXTRA_DIST = \ 
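Review bot: 62-ranges.update misspells the container's first objectclass, "default: obectClass: top", so on upgrade that line requests a non-existent attribute and cn=ranges,cn=etc,$SUFFIX is created from the nsContainer line alone; change it to "default: objectClass: top" to match bootstrap-template.ldif. The update also adds the schema and the container but no ipaDomainIDRange entry, so an upgraded server has no local range until patch 3's find_local_id_range() runs inside ipa-adtrust-install, which is the gap Simo raised on 0023; either derive one in the update from the same IDSTART/IDRANGE_SIZE values bootstrap-template.ldif uses, or have the updater warn that the local range is missing. Minor: bootstrap-template.ldif lists both ipaIDrange and ipaDomainIDRange as objectClass on cn=local_id_range while patch 3 writes only ipaDomainIDRange; pick one form so fresh installs and upgrades produce identical entries.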
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index fb620a82e0d432d50e6c40ab8a7053ced153965a..93c6b50c274506949d1cdb81ad952141de10dab1 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -313,6 +313,7 @@ class DsInstance(service.Service): IDMAX=self.idmax, HOST=self.fqdn, ESCAPED_SUFFIX= escape_dn_chars(self.suffix.lower()), GROUP=DS_GROUP, + IDRANGE_SIZE=self.idmax-self.idstart+1 ) def __create_ds_user(self): -- 1.7.10.2 -------------- next part -------------- From 2a71ae1a34cf211bf5f0d8f526f4d740e38ed888 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Tue, 12 Jun 2012 17:53:36 +0200 Subject: [PATCH 3/5] Set RID bases for local domain during ipa-adtrust-install --- install/tools/ipa-adtrust-install | 10 +++- ipaserver/install/adtrustinstance.py | 87 +++++++++++++++++++++++++++++++++- 2 files changed, 95 insertions(+), 2 deletions(-) diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install index 49bcf54e7c26c92f246c7612940d441e60a86e1f..6678018e6346d75d5042894cfb833d38079d3f21 100755 --- a/install/tools/ipa-adtrust-install +++ b/install/tools/ipa-adtrust-install @@ -48,6 +48,12 @@ def parse_options(): parser.add_option("--no-msdcs", dest="no_msdcs", action="store_true", default=False, help="Do not create DNS service records " \ "for Windows in managed DNS server") + parser.add_option("--rid-base", dest="rid_base", type=int, default=1000, + help="Start value for mapping UIDs and GIDs to RIDs") + parser.add_option("--secondary-rid-base", dest="secondary_rid_base", + type=int, default=100000000, + help="Start value of the secondary range for mapping " \ + "UIDs and GIDs to RIDs") parser.add_option("-U", "--unattended", dest="unattended", action="store_true", default=False, help="unattended installation never prompts the user")
@@ -207,7 +213,9 @@ def main(): api.Backend.ldap2.connect(ccache) smb.setup(api.env.host, ip_address, api.env.realm, api.env.domain, - netbios_name, options.no_msdcs) + netbios_name, options.rid_base, options.secondary_rid_base, + options.no_msdcs) + smb.find_local_id_range() smb.create_instance() print """ diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py index 97a204bbbb9bd4c1990b9498993cb4bc453db6c7..5b7a3165d919882a6a4ddf84721f016339a7b794 100644 --- a/ipaserver/install/adtrustinstance.py +++ b/ipaserver/install/adtrustinstance.py @@ -114,6 +114,8 @@ class ADTRUSTInstance(service.Service): self.cifs_principal = None self.cifs_agent = None self.selinux_booleans = None + self.rid_base = None + self.secondary_rid_base = None service.Service.__init__(self, "smb", dm_password=dm_password) 
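Review bot: main() calls smb.find_local_id_range() after setup() but before create_instance(), so a cn=local_id_range entry is written to LDAP before the installer's step list runs and before "Configuring CIFS:" is printed, outside the step/backup_state mechanism; if a later step fails the new range entry is not rolled back, and if find_local_id_range() raises ValueError the user gets a traceback instead of the installer's usual error message. Either make it a step or catch ValueError here and print its text. The new --rid-base/--secondary-rid-base options (defaults 1000 and 100000000) are never prompted for in the interactive path and parse_options() validates nothing about them; the only check is later in __add_rid_bases(), so at least reject negative values here and state the "must differ by at least the range size" rule in the help text so the admin knows how to pick them.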
@@ -174,6 +176,47 @@ class ADTRUSTInstance(service.Service): except: print "Failed to modify IPA admin group object" + def __add_rid_bases(self): + """ + Add RID bases to the range object for the local ID range. + + TODO: handle missing or multiple ranges more gracefully. + """ + + try: + res = self.admin_conn.search_s("cn=ranges,cn=etc,"+self.suffix, + ldap.SCOPE_ONELEVEL, + "(objectclass=ipaDomainIDRange)") + if len(res) != 1: + root_logger.critical("Found more than one ID range for the " \ + "local domain.") + raise RuntimeError("Too many ID ranges\n") + + if res[0].getValue('ipaBaseRID') or \ + res[0].getValue('ipaSecondaryBaseRID'): + print "RID bases already set, nothing to do" + return + + size = res[0].getValue('ipaIDRangeSize') + if abs(self.rid_base - self.secondary_rid_base) > size: + print "Primary and secondary RID base are too close. " \ + "They have to differ at least by %d." % size + raise RuntimeError("RID bases too close.\n") + + try: + self.admin_conn.modify_s(res[0].dn, + [(ldap.MOD_ADD, "ipaBaseRID", \ + str(self.rid_base)), \ + (ldap.MOD_ADD, "ipaSecondaryBaseRID", \ + str(self.secondary_rid_base))]) + except: + print "Failed to add RID bases to the local range object" + + except errors.NotFound as e: + root_logger.critical("ID range of the local domain not found, " \ + "define it and run again.") + raise e + def __create_samba_domain_object(self): try: @@ -410,12 +453,14 @@ class ADTRUSTInstance(service.Service): FQDN = self.fqdn) def setup(self, fqdn, ip_address, realm_name, domain_name, netbios_name, - no_msdcs=False, smbd_user="samba"): + rid_base, secondary_rid_base, no_msdcs=False, smbd_user="samba"): self.fqdn = fqdn self.ip_address = ip_address self.realm_name = realm_name self.domain_name = domain_name self.netbios_name = netbios_name + self.rid_base = rid_base + self.secondary_rid_base = secondary_rid_base self.no_msdcs = no_msdcs self.smbd_user = smbd_user self.suffix = ipautil.realm_to_suffix(self.realm_name) 
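Review bot: the "too close" check in __add_rid_bases() never fires: getValue('ipaIDRangeSize') returns a string (patch 3's find_local_id_range() wraps the same call in int() for gidNumber), and in Python 2 "int > str" is always False because numbers sort before strings, so the comparison is silently skipped; and its direction is inverted, since the bases are too close when the difference is smaller than the range size, not larger. Use "if abs(self.rid_base - self.secondary_rid_base) < int(size):". Also "if len(res) != 1" logs "Found more than one ID range" for len(res) == 0 as well, and the inner except around modify_s() prints a message and returns normally, so the installer continues with no RID bases stored and sidgen later has nothing to map with; raise there instead of printing. The "TODO: handle missing or multiple ranges more gracefully" comment should say what the intended behaviour is.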
@@ -436,6 +481,45 @@ class ADTRUSTInstance(service.Service): self.__setup_sub_dict() + def find_local_id_range(self): + self.ldap_connect() + + if self.admin_conn.search_s("cn=ranges,cn=etc," + self.suffix, + ldap.SCOPE_ONELEVEL, + "objectclass=ipaDomainIDRange"): + return + + try: + entry = self.admin_conn.getEntry("cn=admins,cn=groups,cn=accounts," \ + + self.suffix, + ldap.SCOPE_BASE) + except errors.NotFound: + raise ValueError("No local ID range and no admins group found.\n" \ + "Add local ID range manually and try again!") + + base_id = int(entry.getValue('gidNumber')) + id_range_size = 200000 + + id_filter = "(&" \ + "(|(objectclass=posixAccount)" \ + "(objectclass=posixGroup)" \ + "(objectclass=ipaIDObject))" \ + "(|(uidNumber<=%d)(uidNumber>=%d)" \ + "(gidNumber<=%d)(gidNumner>=%d)))" % \ + ((base_id - 1), (base_id + id_range_size), + (base_id - 1), (base_id + id_range_size)) + if self.admin_conn.search_s("cn=accounts," + self.suffix, + ldap.SCOPE_SUBTREE, id_filter): + raise ValueError("There are objects with IDs out of the expected" \ + "range.\nAdd local ID range manually and try " \ + "again!") + + entry = ipaldap.Entry("cn=local_id_range,cn=ranges,cn=etc," + self.suffix) + entry.setValue('objectclass', 'ipaDomainIDRange') + entry.setValue('cn', 'local_id_range') + entry.setValue('ipaBaseID', str(base_id)) + entry.setValue('ipaIDRangeSize', str(id_range_size)) + self.admin_conn.addEntry(entry) def create_instance(self): 
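Review bot: the out-of-range filter in find_local_id_range() spells the last attribute "gidNumner", so "(gidNumner>=%d)" matches nothing and groups (or users' primary GIDs) above the guessed range are never detected; fix it to gidNumber, and while there the two error strings "out of the expected" and "range" are concatenated without a space. The guess itself takes base_id from the admins group's gidNumber and a hard-coded id_range_size of 200000, which assumes the admins group received the first ID of the range at install time; that holds for a default install but not where the admins group was re-created or the range was extended, so print the guessed base and size and ask for confirmation unless unattended, rather than writing the entry silently. Minor: the existing-range search passes "objectclass=ipaDomainIDRange" without the parentheses every other filter in the file uses, and the created entry lists only ipaDomainIDRange while bootstrap-template.ldif also lists ipaIDrange; keep the two code paths identical.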
@@ -448,6 +532,7 @@ class ADTRUSTInstance(service.Service): self.step("writing samba config file", self.__write_smb_conf) self.step("adding cifs Kerberos principal", self.__setup_principal) self.step("adding admin(group) SIDs", self.__add_admin_sids) + self.step("adding RID bases", self.__add_rid_bases) self.step("activating CLDAP plugin", self.__add_cldap_module) self.step("activating extdom plugin", self.__add_extdom_module) self.step("activating sidgen plugin and task", self.__add_sidgen_module) -- 1.7.10.2 -------------- next part -------------- From 6c7f6c022aa779a8d648a759d01bf9a55120af55 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Wed, 13 Jun 2012 20:58:54 +0200 Subject: [PATCH 4/5] Add CLI for ID ranges --- API.txt | 52 +++++++++++++++++++ ipalib/constants.py | 1 + ipalib/plugins/range.py | 126 +++++++++++++++++++++++++++++++++++++++++++++++ 3 Dateien ge?ndert, 179 Zeilen hinzugef?gt(+) create mode 100644 ipalib/plugins/range.py diff --git a/API.txt b/API.txt index a0c22143dc04b47400003a5fc84a40d1c71a5e82..9d91832d995d605b161c13a5ec915f5d84f1d515 100644 --- a/API.txt +++ b/API.txt 
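Review bot: "adding RID bases" is added to the create_instance step list, but find_local_id_range, which creates the cn=local_id_range entry that __add_rid_bases then modifies, is not a step, so the installer must call it before create_instance or __add_rid_bases fails with "ID range of the local domain not found". Either make it the first step here or document the ordering requirement on find_local_id_range. Placing the step before "activating sidgen plugin and task" is right, since the SIDs the sidgen task generates are derived from the RID bases.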
@@ -2340,6 +2340,58 @@ option: Str('version?', exclude='webui') output: Output('summary', (, ), None) output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('value', , None) +command: range_add +args: 1,10,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, required=True) +option: Int('ipabaseid', attribute=True, cli_name='base_id', multivalue=False, required=True) +option: Int('ipaidrangesize', attribute=True, cli_name='range_size', multivalue=False, required=True) +option: Int('ipabaserid', attribute=True, cli_name='rid_base', multivalue=False, required=True) +option: Int('ipasecondarybaserid', attribute=True, cli_name='secondary_rid_base', multivalue=False, required=False) +option: Str('ipanttrusteddomainsid', attribute=True, cli_name='dom_sid', multivalue=False, required=False) +option: Str('setattr*', cli_name='setattr', exclude='webui') +option: Str('addattr*', cli_name='addattr', exclude='webui') +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('version?', exclude='webui') +output: Output('summary', (, ), None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('value', , None) +command: range_del +args: 1,1,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=True, primary_key=True, query=True, required=True) +option: Flag('continue', autofill=True, cli_name='continue', default=False) +output: Output('summary', (, ), None) +output: Output('result', , None) +output: Output('value', , None) +command: range_find +args: 1,12,4 +arg: Str('criteria?', noextrawhitespace=False) +option: Str('cn', attribute=True, autofill=False, cli_name='name', multivalue=False, primary_key=True, query=True, required=False) +option: Int('ipabaseid', attribute=True, 
autofill=False, cli_name='base_id', multivalue=False, query=True, required=False) +option: Int('ipaidrangesize', attribute=True, autofill=False, cli_name='range_size', multivalue=False, query=True, required=False) +option: Int('ipabaserid', attribute=True, autofill=False, cli_name='rid_base', multivalue=False, query=True, required=False) +option: Int('ipasecondarybaserid', attribute=True, autofill=False, cli_name='secondary_rid_base', multivalue=False, query=True, required=False) +option: Str('ipanttrusteddomainsid', attribute=True, autofill=False, cli_name='dom_sid', multivalue=False, query=True, required=False) +option: Int('timelimit?', autofill=False, minvalue=0) +option: Int('sizelimit?', autofill=False, minvalue=0) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('version?', exclude='webui') +option: Flag('pkey_only?', autofill=True, default=False) +output: Output('summary', (, ), None) +output: ListOfEntries('result', (, ), Gettext('A list of LDAP entries', domain='ipa', localedir=None)) +output: Output('count', , None) +output: Output('truncated', , None) +command: range_show +args: 1,4,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('rights', autofill=True, default=False) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('version?', exclude='webui') +output: Output('summary', (, ), None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('value', , None) command: role_add args: 1,6,3 arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, required=True) 
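Review bot: API.txt lists range_add, range_del, range_find and range_show but no range_mod, matching the commented-out `#api.register(range_mod)` in range.py; if modification is deliberately deferred, say so in the commit message, since the range-check preop plugin in patch 5/5 is built to validate MODIFY operations that, with this API, can only come from raw LDAP writes. Also, `ipasecondarybaserid` is optional here while range_add's pre_callback rejects local ranges without it; the reason (ranges for trusted AD domains have no secondary RID range) belongs in the parameter's doc so CLI users understand why it is conditionally required.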
diff --git a/ipalib/constants.py b/ipalib/constants.py index 8f87a18eef80e9824203aedf50e29e9819ae7c18..c4ba32007f74f0b8ccc6c8c518587dbf76530217 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -104,6 +104,7 @@ DEFAULT_CONFIG = ( ('container_cifsdomains', 'cn=ad,cn=etc'), ('container_trusts', 'cn=trusts'), ('container_adtrusts', 'cn=ad,cn=trusts'), + ('container_ranges', 'cn=ranges,cn=etc'), # Ports, hosts, and URIs: # FIXME: let's renamed xmlrpc_uri to rpc_xml_uri diff --git a/ipalib/plugins/range.py b/ipalib/plugins/range.py new file mode 100644 index 0000000000000000000000000000000000000000..37482b09a6517e3b129249c9937621da17232c8c --- /dev/null +++ b/ipalib/plugins/range.py 
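Review bot: `container_ranges` is the right place for this DN, but patch 3/5 still hard-codes "cn=ranges,cn=etc," + self.suffix in adtrustinstance.py and the preop plugin's config uses `nsslapd-basedn: $SUFFIX`; using the constant in the installer keeps the three in sync if the container ever moves.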
@@ -0,0 +1,126 @@ +# Authors: +# Sumit Bose +# +# Copyright (C) 2012 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +from ipalib.plugins.baseldap import * +from ipalib import api, Str, Password, DefaultFrom, _, ngettext, Object +from ipalib.parameters import Enum +from ipalib import Command +from ipalib import errors +from ipapython import ipautil +from ipalib import util + + +__doc__ = _(""" +Manage ID ranges +""") + +class range(LDAPObject): + """ + Range object. 
+ """ + + range_time = ('domain', 'ad', 'ipa') + container_dn = api.env.container_ranges + object_name = ('range') + object_name_plural = ('ranges') + object_class = ['ipaIDrange'] + possible_objectclasses = ['ipadomainidrange', 'ipatrustedaddomainrange'] + default_attributes = ['cn', 'ipabaseid', 'ipaidrangesize', 'ipabaserid', + 'ipasecondarybaserid', 'ipanttrusteddomainsid'] + + label = _('Ranges') + label_singular = _('Range') + + takes_params = ( + Str('cn', + cli_name='name', + label=_('Range name'), + primary_key=True, + ), + Int('ipabaseid', + cli_name='base_id', + label=_("First Posix ID of the range"), + ), + Int('ipaidrangesize', + cli_name='range_size', + label=_("Number of IDs in the range"), + ), + Int('ipabaserid', + cli_name='rid_base', + label=_('First RID of the corresponding RID range'), + ), + Int('ipasecondarybaserid?', + cli_name='secondary_rid_base', + label=_('First RID of the secondary RID range'), + ), + Str('ipanttrusteddomainsid?', + cli_name='dom_sid', + label=_('Domain SID of the trusted domain'), + ), + ) + +class range_add(LDAPCreate): + __doc__ = _('Add new ID range.') + + msg_summary = _('Added ID range "%(value)s"') + + def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + if 'ipanttrusteddomainsid' not in options and \ + 'ipasecondarybaserid' not in options: + raise errors.ValidationError(name=_('Range setup'), + reason=_('Ranges for local domain ' \ + 'must have a secondary RID base')) + + if 'ipanttrusteddomainsid' in options: + entry_attrs['objectclass'].append('ipatrustedaddomainrange') + else: + entry_attrs['objectclass'].append('ipadomainidrange') + + return dn + +class range_del(LDAPDelete): + __doc__ = _('Delete an ID range.') + + msg_summary = _('Deleted ID range "%(value)s"') + +class range_find(LDAPSearch): + __doc__ = _('Search for ranges.') + + msg_summary = ngettext( + '%(count)d range matched', '%(count)d rangess matched', 0 + ) + + # Since all range types are stored within separate 
containers under + # 'cn=ranges,cn=etc' search can be done on a one-level scope + def pre_callback(self, ldap, filters, attrs_list, base_dn, scope, *args, **options): + return (filters, base_dn, ldap.SCOPE_ONELEVEL) + +class range_show(LDAPRetrieve): + __doc__ = _('Display information about a range.') + + def pre_callback(self, ldap, dn, entry_attrs, *keys, **options): + return dn + +api.register(range) +api.register(range_add) +#api.register(range_mod) +api.register(range_del) +api.register(range_find) +api.register(range_show) + -- 1.7.10.2 -------------- next part -------------- From 93dcc6b15130d0250d35458b511e44695ad9e05d Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Mon, 18 Jun 2012 21:25:31 +0200 Subject: [PATCH 5/5] Add range check preop plugin To make sure that ID ranges do not overlap this plugin checks new additions and changes for conflicts with existing ranges. --- daemons/configure.ac | 1 + daemons/ipa-slapi-plugins/Makefile.am | 1 + .../ipa-slapi-plugins/ipa-range-check/Makefile.am | 46 ++ .../ipa-range-check/ipa_range_check.c | 440 ++++++++++++++++++++ .../ipa-range-check/range-check-conf.ldif | 16 + freeipa.spec.in | 2 + ipaserver/install/dsinstance.py | 4 + 7 Dateien ge?ndert, 510 Zeilen hinzugef?gt(+) create mode 100644 daemons/ipa-slapi-plugins/ipa-range-check/Makefile.am create mode 100644 daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c create mode 100644 daemons/ipa-slapi-plugins/ipa-range-check/range-check-conf.ldif diff --git a/daemons/configure.ac b/daemons/configure.ac index 76ebaa67f802e20009ef764bdbdcd09cc7937a22..b94673026a2c6b71670a67b1f629d9960d8fad31 100644 --- a/daemons/configure.ac +++ b/daemons/configure.ac @@ -342,6 +342,7 @@ AC_CONFIG_FILES([ ipa-slapi-plugins/ipa-uuid/Makefile ipa-slapi-plugins/ipa-modrdn/Makefile ipa-slapi-plugins/ipa-sidgen/Makefile + ipa-slapi-plugins/ipa-range-check/Makefile ]) AC_OUTPUT 
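Review bot: range_add.pre_callback only checks that a local range carries ipasecondarybaserid; it does not check that ipabaserid and ipasecondarybaserid are at least ipaidrangesize apart, nor that ipabaseid and ipaidrangesize are positive, so a range the installer's __add_rid_bases would refuse can be created through the CLI, and the preop plugin in patch 5/5 compares ID ranges only against other ranges, never the two RID ranges of one entry against each other. Add that check here with `errors.ValidationError`. Smaller points in the same file: `range_time = ('domain', 'ad', 'ipa')` is unused and looks like a typo for range_type; `object_name = ('range')` is a parenthesised string, not a tuple, so drop the parentheses; `object_class = ['ipaIDrange']` should use the schema's spelling ipaIDRange; `Password`, `DefaultFrom`, `Enum`, `Command`, `ipautil` and `util` are imported but unused; the range_find summary plural reads "rangess"; the comment above range_find.pre_callback says range types live in "separate containers", which contradicts the one-level search it justifies (all entries are direct children of cn=ranges,cn=etc); range_show.pre_callback only returns dn and can go; and `#api.register(range_mod)` refers to a class that does not exist.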
diff --git a/daemons/ipa-slapi-plugins/Makefile.am b/daemons/ipa-slapi-plugins/Makefile.am index 5a3c9e7034020b4f80815e865c2ed0de419264c9..c79e68db112c9d21bcbffba3d00442d2fd20ab3a 100644 --- a/daemons/ipa-slapi-plugins/Makefile.am +++ b/daemons/ipa-slapi-plugins/Makefile.am @@ -11,6 +11,7 @@ SUBDIRS = \ ipa-version \ ipa-winsync \ ipa-sidgen \ + ipa-range-check \ $(NULL) EXTRA_DIST = \ diff --git a/daemons/ipa-slapi-plugins/ipa-range-check/Makefile.am b/daemons/ipa-slapi-plugins/ipa-range-check/Makefile.am new file mode 100644 index 0000000000000000000000000000000000000000..f284b42ff339bc97463260749d948f9aff9f54a4 --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-range-check/Makefile.am @@ -0,0 +1,46 @@ +NULL = + +PLUGIN_COMMON_DIR=../common + +INCLUDES = \ + -I. \ + -I$(srcdir) \ + -I$(PLUGIN_COMMON_DIR) \ + -I/usr/include/dirsrv \ + -DPREFIX=\""$(prefix)"\" \ + -DBINDIR=\""$(bindir)"\" \ + -DLIBDIR=\""$(libdir)"\" \ + -DLIBEXECDIR=\""$(libexecdir)"\" \ + -DDATADIR=\""$(datadir)"\" \ + $(AM_CFLAGS) \ + $(LDAP_CFLAGS) \ + $(WARN_CFLAGS) \ + $(NULL) + +plugindir = $(libdir)/dirsrv/plugins +plugin_LTLIBRARIES = \ + libipa_range_check.la \ + $(NULL) + +libipa_range_check_la_SOURCES = \ + ipa_range_check.c \ + $(NULL) + +libipa_range_check_la_LDFLAGS = -avoid-version + +libipa_range_check_la_LIBADD = \ + $(LDAP_LIBS) \ + $(NULL) + +appdir = $(IPA_DATA_DIR) +app_DATA = \ + range-check-conf.ldif \ + $(NULL) + +EXTRA_DIST = \ + $(app_DATA) \ + $(NULL) + +MAINTAINERCLEANFILES = \ + *~ \ + Makefile.in diff --git a/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c b/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c new file mode 100644 index 0000000000000000000000000000000000000000..499e54a9c4a4c9134a231c0cd09e700390565a14 --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c 
@@ -0,0 +1,440 @@ +/** BEGIN COPYRIGHT BLOCK + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + * + * Additional permission under GPLv3 section 7: + * + * In the following paragraph, "GPL" means the GNU General Public + * License, version 3 or any later version, and "Non-GPL Code" means + * code that is governed neither by the GPL nor a license + * compatible with the GPL. + * + * You may link the code of this Program with Non-GPL Code and convey + * linked combinations including the two, provided that such Non-GPL + * Code only links to the code of this Program through those well + * defined interfaces identified in the file named EXCEPTION found in + * the source code files (the "Approved Interfaces"). The files of + * Non-GPL Code may instantiate templates or use macros or inline + * functions from the Approved Interfaces without causing the resulting + * work to be covered by the GPL. Only the copyright holders of this + * Program may make changes or additions to the list of Approved + * Interfaces. + * + * Authors: + * Sumit Bose + * + * Copyright (C) 2011 Red Hat, Inc. + * All rights reserved. 
+ * END COPYRIGHT BLOCK **/ + +#include +#include +#include +#include + +#include "util.h" + +#define IPA_CN "cn" +#define IPA_BASE_ID "ipaBaseID" +#define IPA_ID_RANGE_SIZE "ipaIDRangeSize" +#define IPA_BASE_RID "ipaBaseRID" +#define IPA_SECONDARY_BASE_RID "ipaSecondaryBaseRID" +#define RANGES_FILTER "objectclass=ipaIDRange" + +#define IPA_PLUGIN_NAME "ipa-range-check" +#define IPA_RANGE_CHECK_FEATURE_DESC "IPA ID range check plugin" +#define IPA_RANGE_CHECK_PLUGIN_DESC "Check if newly added or modified " \ + "ID ranges do not overlap with existing ones" + +Slapi_PluginDesc ipa_range_check_plugin_desc = { + IPA_RANGE_CHECK_FEATURE_DESC, + "FreeIPA project", + "FreeIPA/1.0", + IPA_RANGE_CHECK_PLUGIN_DESC +}; + +struct ipa_range_check_ctx { + Slapi_ComponentId *plugin_id; + const char *base_dn; +}; + +struct range_info { + char *name; + uint32_t base_id; + uint32_t id_range_size; + uint32_t base_rid; + uint32_t secondary_base_rid; +}; + +static int slapi_entry_to_range_info(struct slapi_entry *entry, + struct range_info **_range) +{ + int ret; + unsigned long ul_val; + struct range_info *range = NULL; + + range = calloc(1, sizeof(struct range_info)); + if (range == NULL) { + return ENOMEM; + } + + range->name = slapi_entry_attr_get_charptr(entry, IPA_CN); + if (range->name == NULL) { + return EINVAL; + } + + ul_val = slapi_entry_attr_get_ulong(entry, IPA_BASE_ID); + if (ul_val == 0 || ul_val >= UINT32_MAX) { + ret = ERANGE; + goto done; + } + range->base_id = ul_val; + + ul_val = slapi_entry_attr_get_ulong(entry, IPA_ID_RANGE_SIZE); + if (ul_val == 0 || ul_val >= UINT32_MAX) { + ret = ERANGE; + goto done; + } + range->id_range_size = ul_val; + + ul_val = slapi_entry_attr_get_ulong(entry, IPA_BASE_RID); + if (ul_val >= UINT32_MAX) { + ret = ERANGE; + goto done; + } + range->base_rid = ul_val; + + ul_val = slapi_entry_attr_get_ulong(entry, IPA_SECONDARY_BASE_RID); + if (ul_val >= UINT32_MAX) { + ret = ERANGE; + goto done; + } + range->secondary_base_rid = ul_val; + + 
*_range = range; + ret = 0; + +done: + if (ret != 0) { + free(range); + } + + return ret; +} + +#define IN_RANGE(x,base,size) ( (x) >= (base) && ((x) - (base)) < (size) ) +static bool ranges_overlap(struct range_info *r1, struct range_info *r2) +{ + if (r1->name != NULL && r2->name != NULL && + strcasecmp(r1->name, r2->name) == 0) { + return false; + } + + if (IN_RANGE(r1->base_id, r2->base_id, r2->id_range_size) || + IN_RANGE((r1->base_id + r1->id_range_size - 1), r2->base_id, r2->id_range_size) || + IN_RANGE(r2->base_id, r1->base_id, r1->id_range_size) || + IN_RANGE((r2->base_id + r2->id_range_size - 1), r1->base_id, r1->id_range_size)) { + return true; + } + + return false; +} + +static int ipa_range_check_start(Slapi_PBlock *pb) +{ + return 0; +} + +static int ipa_range_check_close(Slapi_PBlock *pb) +{ + return 0; +} + +static int ipa_range_check_pre_op(Slapi_PBlock *pb, int modtype) +{ + int ret; + int is_repl_op; + struct slapi_entry *entry = NULL; + bool free_entry = false; + struct range_info *new_range = NULL; + struct range_info *old_range = NULL; + const char *dn_str; + Slapi_DN *dn = NULL; + struct ipa_range_check_ctx *ctx; + LDAPMod **mods = NULL; + Slapi_PBlock *search_pb = NULL; + int search_result; + Slapi_Entry **search_entries = NULL; + size_t c; + bool overlap = true; + const char *check_attr; + char *errmsg = NULL; + + ret = slapi_pblock_get(pb, SLAPI_IS_REPLICATED_OPERATION, &is_repl_op); + if (ret != 0) { + LOG_FATAL("slapi_pblock_get failed!?\n"); + return LDAP_OPERATIONS_ERROR; + } + + if (is_repl_op) { + LOG("Is replicated operation, nothing to do.\n"); + return LDAP_SUCCESS; + } + + ret = slapi_pblock_get(pb, SLAPI_PLUGIN_PRIVATE, &ctx); + if (ret != 0) { + LOG_FATAL("Missing private plugin context.\n"); + goto done; + } + + ret = slapi_pblock_get(pb, SLAPI_TARGET_DN, &dn_str); + if (ret != 0) { + LOG_FATAL("Missing target DN.\n"); + goto done; + } + + dn = slapi_sdn_new_dn_byref(dn_str); + if (dn == NULL) { + LOG_FATAL("Failed to convert 
target DN.\n"); + ret = LDAP_OPERATIONS_ERROR; + goto done; + } + + + switch (modtype) { + case LDAP_CHANGETYPE_ADD: + ret = slapi_pblock_get(pb, SLAPI_ADD_ENTRY, &entry); + if (ret != 0) { + LOG_FATAL("Missing entry to add.\n"); + goto done; + } + + /* Check if this is a range object */ + check_attr = slapi_entry_attr_get_charptr(entry, IPA_BASE_ID); + if (check_attr == NULL) { + LOG("Not an ID range object, nothing to do.\n"); + ret = 0; + goto done; + } + + break; + case LDAP_CHANGETYPE_MODIFY: + ret = slapi_search_internal_get_entry(dn, NULL, &entry, + ctx->plugin_id); + if (ret != 0 || entry == NULL) { + LOG_FATAL("Missing entry to modify.\n"); + ret = LDAP_NO_SUCH_OBJECT; + goto done; + } + free_entry = true; + + /* Check if this is a range object */ + check_attr = slapi_entry_attr_get_charptr(entry, IPA_BASE_ID); + if (check_attr == NULL) { + LOG("Not an ID range object, nothing to do.\n"); + ret = 0; + goto done; + } + + ret = slapi_pblock_get(pb, SLAPI_MODIFY_MODS, &mods); + if (ret != 0) { + LOG_FATAL("Missing modify values.\n"); + goto done; + } + + ret = slapi_entry_apply_mods(entry, mods); + if (ret != 0) { + LOG_FATAL("Failed to apply modifications.\n"); + goto done; + } + + break; + default: + ret = LDAP_OPERATIONS_ERROR; + LOG_FATAL("Unsupported LDAP operation.\n"); + goto done; + } + + ret = slapi_entry_to_range_info(entry, &new_range); + if (ret != 0) { + LOG_FATAL("Failed to convert LDAP entry to range struct.\n"); + goto done; + } + + search_pb = slapi_pblock_new(); + if (search_pb == NULL) { + LOG_FATAL("Failed to create new pblock.\n"); + ret = LDAP_OPERATIONS_ERROR; + goto done; + } + + slapi_search_internal_set_pb(search_pb, ctx->base_dn, + LDAP_SCOPE_SUBTREE, RANGES_FILTER, + NULL, 0, NULL, NULL, ctx->plugin_id, 0); + + ret = slapi_search_internal_pb(search_pb); + if (ret != 0) { + LOG_FATAL("Starting internal search failed.\n"); + goto done; + } + + ret = slapi_pblock_get(search_pb, SLAPI_PLUGIN_INTOP_RESULT, &search_result); + if (ret != 
0 || search_result != LDAP_SUCCESS) { + LOG_FATAL("Internal search failed.\n"); + ret = LDAP_OPERATIONS_ERROR; + goto done; + } + + ret = slapi_pblock_get(search_pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, + &search_entries); + if (ret != 0) { + LOG_FATAL("Failed to read searched entries.\n"); + goto done; + } + + if (search_entries == NULL || search_entries[0] == NULL) { + LOG("No existing entries.\n"); + ret = 0; + goto done; + } + + for (c = 0; search_entries[c] != NULL; c++) { + ret = slapi_entry_to_range_info(search_entries[c], &old_range); + if (ret != 0) { + LOG_FATAL("Failed to convert LDAP entry to range struct.\n"); + goto done; + } + + overlap = ranges_overlap(old_range, new_range); + free(old_range); + old_range = NULL; + if (overlap) { + LOG_FATAL("New range overlaps with existing one.\n"); + ret = LDAP_CONSTRAINT_VIOLATION; + errmsg = "New range overlaps with existing one."; + goto done; + } + } + LOG("No overlaps found.\n"); + + ret = 0; + +done: + slapi_free_search_results_internal(search_pb); + slapi_pblock_destroy(search_pb); + slapi_sdn_free(&dn); + free(old_range); + free(new_range); + if (free_entry) { + slapi_entry_free(entry); + } + + if (ret != 0) { + if (errmsg == NULL) { + errmsg = "Range Check error"; + } + slapi_send_ldap_result(pb, ret, NULL, errmsg, 0, NULL); + } + + return ret; +} + +static int ipa_range_check_mod_pre_op(Slapi_PBlock * pb) +{ + return ipa_range_check_pre_op(pb, LDAP_CHANGETYPE_MODIFY); +} + +static int ipa_range_check_add_pre_op(Slapi_PBlock *pb) +{ + return ipa_range_check_pre_op(pb, LDAP_CHANGETYPE_ADD); +} + +static int ipa_range_check_init_ctx(Slapi_PBlock *pb, + struct ipa_range_check_ctx **_ctx) +{ + struct ipa_range_check_ctx *ctx; + Slapi_Entry *entry; + int ret; + + ctx = calloc(1, sizeof(struct ipa_range_check_ctx)); + if (ctx == NULL) { + return LDAP_OPERATIONS_ERROR; + } + + ret = slapi_pblock_get(pb, SLAPI_PLUGIN_IDENTITY, &ctx->plugin_id); + if ((ret != 0) || (ctx->plugin_id == NULL)) { + LOG_FATAL("Could not 
get identity or identity was NULL\n"); + if (ret == 0) { + ret = -1; + } + goto done; + } + + slapi_pblock_get(pb, SLAPI_PLUGIN_CONFIG_ENTRY, &entry); + if (entry == NULL) { + LOG_FATAL("Plugin configuration not found!\n"); + ret = EINVAL; + goto done; + } + + ctx->base_dn = slapi_entry_attr_get_charptr(entry, "nsslapd-basedn"); + if (ctx->base_dn == NULL) { + LOG_FATAL("Base DN not found in plugin configuration!\n"); + ret = EINVAL; + goto done; + } + + ret = 0; + +done: + if (ret != 0) { + free(ctx); + } else { + *_ctx = ctx; + } + + return ret; +} + +int ipa_range_check_init(Slapi_PBlock *pb) +{ + int ret; + struct ipa_range_check_ctx *rc_ctx; + + ret = ipa_range_check_init_ctx(pb, &rc_ctx); + if (ret != 0) { + LOG_FATAL("Failed ot initialize range check plugin.\n"); + /* do not cause DS to stop, simply do nothing */ + return 0; + } + + ret = 0; + if (slapi_pblock_set(pb, SLAPI_PLUGIN_VERSION, + SLAPI_PLUGIN_VERSION_01) != 0 || + slapi_pblock_set(pb, SLAPI_PLUGIN_START_FN, + (void *) ipa_range_check_start) != 0 || + slapi_pblock_set(pb, SLAPI_PLUGIN_CLOSE_FN, + (void *) ipa_range_check_close) != 0 || + slapi_pblock_set(pb, SLAPI_PLUGIN_DESCRIPTION, + (void *) &ipa_range_check_plugin_desc) != 0 || + slapi_pblock_set(pb, SLAPI_PLUGIN_PRE_MODIFY_FN, + (void *) ipa_range_check_mod_pre_op) != 0 || + slapi_pblock_set(pb, SLAPI_PLUGIN_PRE_ADD_FN, + (void *) ipa_range_check_add_pre_op) != 0 || + slapi_pblock_set(pb, SLAPI_PLUGIN_PRIVATE, rc_ctx) != 0) { + LOG_FATAL("failed to register plugin\n"); + ret = EFAIL; + } + + return ret; +} diff --git a/daemons/ipa-slapi-plugins/ipa-range-check/range-check-conf.ldif b/daemons/ipa-slapi-plugins/ipa-range-check/range-check-conf.ldif new file mode 100644 index 0000000000000000000000000000000000000000..6452304f4324a37c8b2b72c95ac623743c7d00b3 --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-range-check/range-check-conf.ldif 
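Review bot: error codes and memory handling in ipa_range_check_pre_op need a pass. slapi_entry_to_range_info returns errno values (ENOMEM, EINVAL, ERANGE) and several `goto done` paths keep the raw return of slapi_pblock_get, yet `done:` hands `ret` straight to slapi_send_ldap_result and returns it from the preop; map every failure to an LDAP result code (LDAP_OPERATIONS_ERROR or LDAP_CONSTRAINT_VIOLATION) before jumping, as the internal-search branch already does. On memory: `range->name` and `check_attr` come from slapi_entry_attr_get_charptr and are never released (use slapi_ch_free_string), and the `range->name == NULL` early return in slapi_entry_to_range_info skips `free(range)` entirely (set ret = EINVAL and goto done). Three design points: (1) for MODIFY the plugin calls slapi_search_internal_get_entry on every modify in the server before it knows whether the target is a range; test whether the target DN lies under the ranges container (slapi_sdn_issuffix) first, and consider pointing nsslapd-basedn at that container rather than the whole suffix. (2) Replicated operations are skipped, so two replicas that each accept a range which overlaps only with the other's will both succeed and the overlap lands after replication; document that the check is per server, not cluster-wide. (3) ranges_overlap compares only base_id and id_range_size; base_rid and secondary_base_rid are parsed but never compared, neither against other ranges nor against each other within one entry, although the plugin description promises that ID ranges do not overlap. Also, ipa_range_check_init returns 0 when ipa_range_check_init_ctx fails, so a misconfigured plugin registers no pre-op functions and the constraint is silently not enforced; prefer failing the plugin load so the problem is visible at startup. Minor: "Failed ot initialize", the copyright year 2011 on a file added in 2012, and `overlap = true` as an initial value that is never read.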
@@ -0,0 +1,16 @@ +dn: cn=IPA Range-Check,cn=plugins,cn=config +changetype: add +objectclass: top +objectclass: nsSlapdPlugin +objectclass: extensibleObject +cn: IPA Range-Check +nsslapd-pluginpath: libipa_range_check +nsslapd-plugininitfunc: ipa_range_check_init +nsslapd-plugintype: preoperation +nsslapd-pluginenabled: on +nsslapd-pluginid: ipa_range_check_version +nsslapd-pluginversion: 1.0 +nsslapd-pluginvendor: Red Hat, Inc. +nsslapd-plugindescription: IPA Range-Check plugin +nsslapd-plugin-depends-on-type: database +nsslapd-basedn: $SUFFIX diff --git a/freeipa.spec.in b/freeipa.spec.in index a868cc0407941445b4fa16addfcc6fd1e55dc650..ef8af3f27b429e369eb0e96fd6391f89231d5801 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -364,6 +364,7 @@ rm %{buildroot}/%{plugin_dir}/libipa_cldap.la rm %{buildroot}/%{plugin_dir}/libipa_extdom_extop.la rm %{buildroot}/%{plugin_dir}/libipa_sidgen.la rm %{buildroot}/%{plugin_dir}/libipa_sidgen_task.la +rm %{buildroot}/%{plugin_dir}/libipa_range_check.la rm %{buildroot}/%{_libdir}/krb5/plugins/kdb/ipadb.la rm %{buildroot}/%{_libdir}/samba/pdb/ipasam.la @@ -640,6 +641,7 @@ fi %attr(755,root,root) %{plugin_dir}/libipa_modrdn.so %attr(755,root,root) %{plugin_dir}/libipa_lockout.so %attr(755,root,root) %{plugin_dir}/libipa_cldap.so +%attr(755,root,root) %{plugin_dir}/libipa_range_check.so %dir %{_localstatedir}/lib/ipa %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysupgrade diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 93c6b50c274506949d1cdb81ad952141de10dab1..d74ee8987a3387b78ec7203c9b8c70059b35a812 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py 
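Review bot: range-check-conf.ldif sets `nsslapd-basedn: $SUFFIX`, so every overlap check searches the whole suffix subtree for objectclass=ipaIDRange; pointing it at cn=ranges,cn=etc,$SUFFIX (the container_ranges value from patch 4/5) narrows both the search and the entries the plugin has to consider. The plugin entry lives under cn=config, which is not replicated, and the dsinstance.py hunk adds the "adding range check plugin" step only to the list that also creates the default Sudo bind user and Auto Member layout; since a separate __add_replica_automember_config exists for replicas, the replica path needs to load this ldif too, or replicas installed later run without the check. The spec file changes (removing the .la, shipping libipa_range_check.so) look complete.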
@@ -240,6 +240,7 @@ class DsInstance(service.Service): self.step("configuring netgroups from hostgroups", self.__host_nis_groups) self.step("creating default Sudo bind user", self.__add_sudo_binduser) self.step("creating default Auto Member layout", self.__add_automember_config) + self.step("adding range check plugin", self.__add_range_check_plugin) if hbac_allow: self.step("creating default HBAC rule allow_all", self.add_hbac) @@ -788,6 +789,9 @@ class DsInstance(service.Service): def __add_replica_automember_config(self): self._ldap_mod("replica-automember.ldif", self.sub_dict) + def __add_range_check_plugin(self): + self._ldap_mod("range-check-conf.ldif", self.sub_dict) + def replica_populate(self): self.ldap_connect() -- 1.7.10.2 From mkosek at redhat.com Thu Jun 28 07:51:37 2012 From: mkosek at redhat.com (Martin Kosek) Date: Thu, 28 Jun 2012 09:51:37 +0200 Subject: [Freeipa-devel] [PATCH] 0056 Support requests for DOMAIN$ account for trusted domain in ipasam module In-Reply-To: <20120627155951.GI29454@localhost.localdomain> References: <20120627143651.GE16889@redhat.com> <20120627155951.GI29454@localhost.localdomain> Message-ID: <4FEC0D09.5040806@redhat.com> On 06/27/2012 05:59 PM, Sumit Bose wrote: > On Wed, Jun 27, 2012 at 05:36:51PM +0300, Alexander Bokovoy wrote: >> Hi, >> >> Windows 2008R2 attempts to authenticate as DOMAIN$ with trust password >> when trust is established. Change ipasam module to consider DOMAIN$ when >> checking for trusted domain accounts as current code only checks for >> DOMAIN. (ending with dot). > > ACK > > bye, > Sumit > >> >> https://fedorahosted.org/freeipa/ticket/2870 >> -- >> / Alexander Bokovoy > Pushed to master (I just removed one trailing whitespace before that). Martin From mkosek at redhat.com Thu Jun 28 07:51:45 2012 
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 28 Jun 2012 09:51:45 +0200 Subject: [Freeipa-devel] [PATCH] 0055 Add error condition handling to SASL bind callback in ipasam module In-Reply-To: <20120627161205.GJ29454@localhost.localdomain> References: <20120627142907.GD16889@redhat.com> <20120627155906.GH29454@localhost.localdomain> <20120627160903.GG16889@redhat.com> <20120627161205.GJ29454@localhost.localdomain> Message-ID: <4FEC0D11.8090703@redhat.com> On 06/27/2012 06:12 PM, Sumit Bose wrote: > On Wed, Jun 27, 2012 at 07:09:03PM +0300, Alexander Bokovoy wrote: >> On Wed, 27 Jun 2012, Sumit Bose wrote: >>> On Wed, Jun 27, 2012 at 05:29:07PM +0300, Alexander Bokovoy wrote: >>>> Hi, >>>> >>>> attached patch adds comprehensive error condition handling to SASL bind >>>> callback in ipasam module. The callback is doing keytab-based auth >>>> against FreeIPA LDAP server and original version lacked error checks on >>>> purpose. >>> >>> The patch is working fine, but I would like to ask you to consider the >>> following two changes: >> Yep. Completely overlooked that I've already got the service principal. >> Thanks! >> >> Updated patch attached. >> >> Please note that patches 0055 and 0056 should be applied in the reverse >> order. Sorry for confusion. > > ACK > > bye, > Sumit Pushed to master. Martin From mkosek at redhat.com Thu Jun 28 07:51:52 2012 
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 28 Jun 2012 09:51:52 +0200 Subject: [Freeipa-devel] [PATCH] Add sidgen postop and task In-Reply-To: <20120627162702.GH16889@redhat.com> References: <20120625095310.GU29454@localhost.localdomain> <20120627162702.GH16889@redhat.com> Message-ID: <4FEC0D18.9090606@redhat.com> On 06/27/2012 06:27 PM, Alexander Bokovoy wrote: > On Mon, 25 Jun 2012, Sumit Bose wrote: >> Hi, >> >> this patch added support to automatically create SIDs for local objects >> as described in ticket https://fedorahosted.org/freeipa/ticket/2825. >> >> The post-operation plugin adds the SID and if necessary the needed >> objectclass for a newly created object. > ACK. > > Works for me in tests. Pushed to master. Martin From mkosek at redhat.com Thu Jun 28 07:51:58 2012 From: mkosek at redhat.com (Martin Kosek) Date: Thu, 28 Jun 2012 09:51:58 +0200 Subject: [Freeipa-devel] [PATCH] Filter groups in the PAC In-Reply-To: <20120627162811.GI16889@redhat.com> References: <20120626082305.GA29454@localhost.localdomain> <20120627162811.GI16889@redhat.com> Message-ID: <4FEC0D1E.6000001@redhat.com> On 06/27/2012 06:28 PM, Alexander Bokovoy wrote: > On Tue, 26 Jun 2012, Sumit Bose wrote: >> Hi, >> >> this patch contains the KDC part of the external groups handling. If >> group SIDs from the PAC can be found in the ipaExternalGroup objects and >> the external groups are members of local groups, the SIDs of the local >> groups are added to the PAC. If the PAC is then read by the SSSD pac >> responder the user from the PAC is added to the local groups on the >> client. > ACK. There were code-related comments from Simo yesterday on IRC but it > was agreed to solve those in separate patches. > Pushed to master. Martin From mkosek at redhat.com Thu Jun 28 07:52:14 2012 
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 28 Jun 2012 09:52:14 +0200 Subject: [Freeipa-devel] [PATCH] 18 Add external domain extop DS plugin In-Reply-To: <20120627163853.GJ16889@redhat.com> References: <20120323125234.GU2301@localhost.localdomain> <20120607092729.GM8124@localhost.localdomain> <20120611144617.GR25726@redhat.com> <20120613102642.GG20850@localhost.localdomain> <20120613103749.GH20850@localhost.localdomain> <20120627161429.GK29454@localhost.localdomain> <20120627163853.GJ16889@redhat.com> Message-ID: <4FEC0D2E.6070503@redhat.com> On 06/27/2012 06:38 PM, Alexander Bokovoy wrote: > On Wed, 27 Jun 2012, Sumit Bose wrote: >> On Wed, Jun 13, 2012 at 12:37:49PM +0200, Sumit Bose wrote: >>> On Wed, Jun 13, 2012 at 12:26:43PM +0200, Sumit Bose wrote: >>> > On Mon, Jun 11, 2012 at 05:46:17PM +0300, Alexander Bokovoy wrote: >>> > > On Thu, 07 Jun 2012, Sumit Bose wrote: >>> > > >On Fri, Mar 23, 2012 at 01:52:34PM +0100, Sumit Bose wrote: >>> > > >>Hi, >>> > > >> >>> > > >>these two patches introduce a new extended operation to the IPA server >>> > > >>which can be used by clients in the IPA domain to obtain information >>> > > >>about users and groups from trusted domains. Currently this exop is used >>> > > >>by the sssd sub-domain patch to map user names from a trusted AD domain >>> > > >>to a SID and back. There is also some code for other kind of requests >>> > > >>which might become useful in future, e.g. with trusted IPA domain. >>> > > >> >>> > > >>I added some unit test and added check for the check unit test framework >>> > > >>for C (http://check.sourceforge.net/) which is used by sssd as well. I >>> > > >>modified the spec file that the test is run during the build of the >>> > > >>packages. I hope this is ok. 
>>> > > >> >>> > > >>The patches depend on the idmap library patch which was ACKed recently >>> > > >>on sssd-devel and as mentioned before the sub-domain patches on >>> > > >>sssd-devel can only be fully tested with an IPA server which has these >>> > > >>patches applied. >>> > > >> >>> > > >>Since Alexander is currently rewriting parts of the ipa-adtrust-install >>> > > >>utility I stand back from adding activation code for the exop to >>> > > >>ipa-adtrust-install and will send a patch when Alexander's changes are >>> > > >>available. So currently extdom-extop-conf.ldif has to be loaded manually >>> > > >>after replacing $SUFFIX to activate the new exop. >>> > > >> >>> > > >>bye, >>> > > >>Sumit >>> > > > >>> > > >Please find a rebased version of the patches which work on top of >>> > > >Alexander's latest series of patches. The patches now also contain the >>> > > >loading of extdom-extop-conf.ldif and the activation of winbind. >>> > > Thanks for the rebase. >>> > > >>> > > Few comments. >>> > > >>> > > 1.The extdom plugin should support IDMAP_BOTH. We do provide user private >>> > > groups so in our case it should be viewed as preferred output. Thus you >>> > > would need to add new response type to cover this case. >>> > >>> > Currently the plugin only uses winbind to map SIDs to names and back and >>> > in the returned user data the user private groups are already respected >>> > by setting the GID to the UID. On the client side sssd handles the >>> > trusted domains a mpg (magic private group) domains. >>> > >>> > > >>> > > 2. 
I have tried to look at the plugin description from point of view of >>> > > a system administrator and I failed to understand what it does: >>> > > >+#define IPA_EXTDOM_PLUGIN_NAME "ipa-extdom-extop" >>> > > >+#define IPA_EXTDOM_FEATURE_DESC "IPA EXTDOM ID mapper" >>> > > >+#define IPA_EXTDOM_PLUGIN_DESC "IPA EXTDOM ID mapper Extended >>> Operation plugin" >>> > > >>> > > In the ipa-extdom-extop-conf.ldif you have following description: >>> > > >+nsslapd-plugindescription: Support resolving IDs in trusted domains to >>> names and back >>> > > Probably it is better to reuse the same description in >>> IPA_EXTDOM_PLUGIN_DESC? >>> > > >>> > > This is a minor point but EXTDOM itself is vague. Maybe we should be >>> more clear >>> > > and call it 'IPA trusted domain ID mapper' as it really limits itself to >>> > > only trusted domains? We don't dispatch winbind request if the domain is >>> > > not found in our list of trusted domains. >>> > >>> > I have updated the descriptions. I prefer the EXTDOM prefix because >>> > there might be future use cases where we might want to get some data >>> > from other domains without trust. But I'm happy to change it if you like >>> > a different prefix better. >>> > >>> > > >>> > > 3. Could you please define the oid in ipa_extdom.h so that it could be >>> > > useful for client code as well? >>> > > >+#define EXOP_EXTDOM_OID "2.16.840.1.113730.3.8.10.4" >>> > >>> > done >>> > >>> > New version attached. >>> >>> ah. sorry, forgot to squash in some changes. >>> >>> Additionally I moved the binary to the freeipa-server-trust-ad package >>> to avoid additional dependencies in the freeipa-server package. >>> >>> bye, >>> Sumit >>> >>> > >>> > > >>> > > 4. Do we have 'check' tool in RHEL6? >>> > >>> > yes, current version is check-0.9.8-1.1.el6 >>> > >>> > Thank you for the review. >>> > >>> > bye, >>> > Sumit >>> > > -- >>> > > / Alexander Bokovoy >> >> rebased version with some changes by Alexander attached. > ACK from my side. 
Works in tests I've run. Patch 17 pushed to master. Patch 18 does not apply. I also have one question related to this patch: We added a winbind service to ADTRUSTInstance which is now being configured as a part of ipa-adtrust-install. To make this cleaner, we may want to write winbind's own service.Service class which would do the necessary configuration and could be also better expanded in the future. Martin

From mkosek at redhat.com Thu Jun 28 08:35:48 2012 From: mkosek at redhat.com (Martin Kosek) Date: Thu, 28 Jun 2012 10:35:48 +0200 Subject: [Freeipa-devel] [PATCH] 1030 Fedora 18 compatibility In-Reply-To: <4FEB4711.9010603@redhat.com> References: <4FEB4711.9010603@redhat.com> Message-ID: <4FEC1764.2020809@redhat.com> On 06/27/2012 07:46 PM, Rob Crittenden wrote: > I found a few minor issues when building and installing the master branch on > Fedora 18. This patch should address it. > > rob > 1) This will fail on F17->F18 upgrades, we need to bump VERSION in ipa-rewrite.conf. Besides that, ipa-upgradeconfig needs to be fixed, otherwise it will crash during ipa-rewrite.conf upgrade - ${AUTOREDIR} variable is not set. However, this variable will need to be figured out from current ipa-rewrite.conf contents as it depends on whether the IPA server was installed with --no-ui-redirect or not. 2) Shouldn't we bump tomcat6 version as well since we depend on the tomcat6 fixed in BZ 831464? 3) %changelog entry is missing Martin From william at firstyear.id.au Thu Jun 28 08:37:11 2012
From: william at firstyear.id.au (William Brown) Date: Thu, 28 Jun 2012 18:07:11 +0930 Subject: [Freeipa-devel] Build failure in ipa_sam Message-ID: <4FEC17B7.9070607@firstyear.id.au> Making all in ipa-sam make[4]: Entering directory `/home/william/development/freeipa/rpmbuild/BUILD/freeipa-2.99.0GIT8ce7330/daemons/ipa-sam' /bin/sh ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I.. -I. -I. -I/usr/include/samba-4.0 -DPREFIX=\""/usr"\" -DBINDIR=\""/usr/bin"\" -DLIBDIR=\""/usr/lib64"\" -DLIBEXECDIR=\""/usr/libexec"\" -DDATADIR=\""/usr/share"\" -DLDAPIDIR=\""/var/run"\" -DHAVE_LDAP -I ../../util -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith -Wcast-align -Werror-implicit-function-declaration -DWITH_OPENLDAP -I/usr/include/nspr4 -I/usr/include/nss3 -DUSE_OPENLDAP -DHAVE_IMMEDIATE_STRUCTURES=1 -I/usr/include/samba-4.0 -DHAVE_IMMEDIATE_STRUCTURES=1 -D_GNU_SOURCE=1 -I/usr/include/samba-4.0 -I/usr/include/nspr4 -I/usr/include/nss3 -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith -Wcast-align -Werror-implicit-function-declaration -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -MT ipa_sam.lo -MD -MP -MF .deps/ipa_sam.Tpo -c -o ipa_sam.lo ipa_sam.c libtool: compile: gcc -DHAVE_CONFIG_H -I. -I.. -I. -I. 
-I/usr/include/samba-4.0 -DPREFIX=\"/usr\" -DBINDIR=\"/usr/bin\" -DLIBDIR=\"/usr/lib64\" -DLIBEXECDIR=\"/usr/libexec\" -DDATADIR=\"/usr/share\" -DLDAPIDIR=\"/var/run\" -DHAVE_LDAP -I ../../util -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith -Wcast-align -Werror-implicit-function-declaration -DWITH_OPENLDAP -I/usr/include/nspr4 -I/usr/include/nss3 -DUSE_OPENLDAP -DHAVE_IMMEDIATE_STRUCTURES=1 -I/usr/include/samba-4.0 -DHAVE_IMMEDIATE_STRUCTURES=1 -D_GNU_SOURCE=1 -I/usr/include/samba-4.0 -I/usr/include/nspr4 -I/usr/include/nss3 -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith -Wcast-align -Werror-implicit-function-declaration -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -MT ipa_sam.lo -MD -MP -MF .deps/ipa_sam.Tpo -c ipa_sam.c -fPIC -DPIC -o .libs/ipa_sam.o ipa_sam.c:510:17: warning: 'struct unixid' declared inside parameter list [enabled by default] ipa_sam.c:510:17: warning: its scope is only this definition or declaration, which is probably not what you want [enabled by default] ipa_sam.c: In function 'ldapsam_sid_to_id': ipa_sam.c:583:3: error: implicit declaration of function 'unixid_from_gid' [-Werror=implicit-function-declaration] ipa_sam.c:598:2: error: implicit declaration of function 'unixid_from_uid' [-Werror=implicit-function-declaration] ipa_sam.c: In function 'set_krb_princ': ipa_sam.c:1456:8: warning: unused variable 'inp' [-Wunused-variable] ipa_sam.c: In function 'ldap_sasl_interact': ipa_sam.c:3100:18: warning: unused variable 'krberr' [-Wunused-variable] ipa_sam.c:3099:8: warning: unused variable 'outname' [-Wunused-variable] ipa_sam.c:3098:15: warning: unused variable 'krbctx' [-Wunused-variable] ipa_sam.c: At top level: ipa_sam.c:3126:1: warning: function declaration isn't a prototype [-Wstrict-prototypes] ipa_sam.c:3127:1: warning: function declaration isn't a prototype [-Wstrict-prototypes] ipa_sam.c: In function 'bind_callback': ipa_sam.c:3131:18: warning: variable 
'rc' set but not used [-Wunused-but-set-variable] ipa_sam.c: In function 'pdb_init_ipasam': ipa_sam.c:3355:27: warning: assignment from incompatible pointer type [enabled by default] cc1: some warnings being treated as errors make[4]: *** [ipa_sam.lo] Error 1 make[4]: Leaving directory `/home/william/development/freeipa/rpmbuild/BUILD/freeipa-2.99.0GIT8ce7330/daemons/ipa-sam' make[3]: *** [all-recursive] Error 1 make[3]: Leaving directory `/home/william/development/freeipa/rpmbuild/BUILD/freeipa-2.99.0GIT8ce7330/daemons' make[2]: *** [all] Error 2 make[2]: Leaving directory `/home/william/development/freeipa/rpmbuild/BUILD/freeipa-2.99.0GIT8ce7330/daemons' make[1]: *** [all] Error 1 make[1]: Leaving directory `/home/william/development/freeipa/rpmbuild/BUILD/freeipa-2.99.0GIT8ce7330' error: Bad exit status from /var/tmp/rpm-tmp.tskROb (%build) RPM build errors: Bad exit status from /var/tmp/rpm-tmp.tskROb (%build) make: *** [rpms] Error 1 Git master (Not my feature branches) -- Sincerely, William Brown pgp.mit.edu http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x3C0AC6DAB2F928A2 From abokovoy at redhat.com Thu Jun 28 09:13:22 2012
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 28 Jun 2012 12:13:22 +0300 Subject: [Freeipa-devel] Build failure in ipa_sam In-Reply-To: <4FEC17B7.9070607@firstyear.id.au> References: <4FEC17B7.9070607@firstyear.id.au> Message-ID: <20120628091322.GA6687@redhat.com> On Thu, 28 Jun 2012, William Brown wrote: >Making all in ipa-sam >make[4]: Entering directory >`/home/william/development/freeipa/rpmbuild/BUILD/freeipa-2.99.0GIT8ce7330/daemons/ipa-sam' >/bin/sh ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. >-I.. -I. -I. -I/usr/include/samba-4.0 -DPREFIX=\""/usr"\" >-DBINDIR=\""/usr/bin"\" -DLIBDIR=\""/usr/lib64"\" >-DLIBEXECDIR=\""/usr/libexec"\" -DDATADIR=\""/usr/share"\" >-DLDAPIDIR=\""/var/run"\" -DHAVE_LDAP -I ../../util -Wall -Wshadow >-Wstrict-prototypes -Wpointer-arith -Wcast-align >-Werror-implicit-function-declaration -DWITH_OPENLDAP >-I/usr/include/nspr4 -I/usr/include/nss3 -DUSE_OPENLDAP >-DHAVE_IMMEDIATE_STRUCTURES=1 -I/usr/include/samba-4.0 >-DHAVE_IMMEDIATE_STRUCTURES=1 -D_GNU_SOURCE=1 -I/usr/include/samba-4.0 > -I/usr/include/nspr4 -I/usr/include/nss3 -Wall -Wshadow >-Wstrict-prototypes -Wpointer-arith -Wcast-align >-Werror-implicit-function-declaration -O2 -g -pipe -Wall >-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector >--param=ssp-buffer-size=4 -m64 -mtune=generic -MT ipa_sam.lo -MD -MP >-MF .deps/ipa_sam.Tpo -c -o ipa_sam.lo ipa_sam.c >libtool: compile: gcc -DHAVE_CONFIG_H -I. -I.. -I. -I. 
>-I/usr/include/samba-4.0 -DPREFIX=\"/usr\" -DBINDIR=\"/usr/bin\" >-DLIBDIR=\"/usr/lib64\" -DLIBEXECDIR=\"/usr/libexec\" >-DDATADIR=\"/usr/share\" -DLDAPIDIR=\"/var/run\" -DHAVE_LDAP -I >../../util -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith >-Wcast-align -Werror-implicit-function-declaration -DWITH_OPENLDAP >-I/usr/include/nspr4 -I/usr/include/nss3 -DUSE_OPENLDAP >-DHAVE_IMMEDIATE_STRUCTURES=1 -I/usr/include/samba-4.0 >-DHAVE_IMMEDIATE_STRUCTURES=1 -D_GNU_SOURCE=1 -I/usr/include/samba-4.0 >-I/usr/include/nspr4 -I/usr/include/nss3 -Wall -Wshadow >-Wstrict-prototypes -Wpointer-arith -Wcast-align >-Werror-implicit-function-declaration -O2 -g -pipe -Wall >-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector >--param=ssp-buffer-size=4 -m64 -mtune=generic -MT ipa_sam.lo -MD -MP -MF >.deps/ipa_sam.Tpo -c ipa_sam.c -fPIC -DPIC -o .libs/ipa_sam.o >ipa_sam.c:510:17: warning: 'struct unixid' declared inside parameter >list [enabled by default] Missing 'struct unixid' means you don't have newer samba4 packages. 
>ipa_sam.c:510:17: warning: its scope is only this definition or >declaration, which is probably not what you want [enabled by default] >ipa_sam.c: In function 'ldapsam_sid_to_id': >ipa_sam.c:583:3: error: implicit declaration of function >'unixid_from_gid' [-Werror=implicit-function-declaration] >ipa_sam.c:598:2: error: implicit declaration of function >'unixid_from_uid' [-Werror=implicit-function-declaration] >ipa_sam.c: In function 'set_krb_princ': >ipa_sam.c:1456:8: warning: unused variable 'inp' [-Wunused-variable] >ipa_sam.c: In function 'ldap_sasl_interact': >ipa_sam.c:3100:18: warning: unused variable 'krberr' [-Wunused-variable] >ipa_sam.c:3099:8: warning: unused variable 'outname' [-Wunused-variable] >ipa_sam.c:3098:15: warning: unused variable 'krbctx' [-Wunused-variable] >ipa_sam.c: At top level: >ipa_sam.c:3126:1: warning: function declaration isn't a prototype >[-Wstrict-prototypes] >ipa_sam.c:3127:1: warning: function declaration isn't a prototype >[-Wstrict-prototypes] >ipa_sam.c: In function 'bind_callback': >ipa_sam.c:3131:18: warning: variable 'rc' set but not used >[-Wunused-but-set-variable] >ipa_sam.c: In function 'pdb_init_ipasam': >ipa_sam.c:3355:27: warning: assignment from incompatible pointer type >[enabled by default] >cc1: some warnings being treated as errors >make[4]: *** [ipa_sam.lo] Error 1 >make[4]: Leaving directory >`/home/william/development/freeipa/rpmbuild/BUILD/freeipa-2.99.0GIT8ce7330/daemons/ipa-sam' >make[3]: *** [all-recursive] Error 1 >make[3]: Leaving directory >`/home/william/development/freeipa/rpmbuild/BUILD/freeipa-2.99.0GIT8ce7330/daemons' >make[2]: *** [all] Error 2 >make[2]: Leaving directory >`/home/william/development/freeipa/rpmbuild/BUILD/freeipa-2.99.0GIT8ce7330/daemons' >make[1]: *** [all] Error 1 >make[1]: Leaving directory >`/home/william/development/freeipa/rpmbuild/BUILD/freeipa-2.99.0GIT8ce7330' >error: Bad exit status from /var/tmp/rpm-tmp.tskROb (%build) > > >RPM build errors: > Bad exit status from 
/var/tmp/rpm-tmp.tskROb (%build) >make: *** [rpms] Error 1 > > >Git master (Not my feature branches) Make sure you have at least samba4 beta1 packages installed as required by the freeipa.spec.in file. I have samba4-devel-4.0.0-124beta1.fc17.x86_64 from ipa-devel repo. Also 8ce7330 is not git master HEAD: $ git log --oneline 8ce733..HEAD ac6afd3 Add configure check for C Unit-Test framework check dc3491e Filter groups in the PAC 65ad261 Add sidgen postop and task 6356747 Add error condition handling to the SASL bind callback in ipasam 761cb71 Support requests for DOMAIN$ account for trusted domains in ipasam module db4c946 Defer adding ipa-cifs-delegation-targets until the Updates phase. -- / Alexander Bokovoy From pviktori at redhat.com Thu Jun 28 09:20:44 2012 
From: pviktori at redhat.com (Petr Viktorin) Date: Thu, 28 Jun 2012 11:20:44 +0200 Subject: [Freeipa-devel] [DRAFT2] Per-domain DNS update permissions In-Reply-To: <4FEB2E5D.8060003@redhat.com> References: <1339766543.12383.48.camel@priserak> <1339769714.32038.0.camel@willson.li.ssimo.org> <1340000969.7024.2.camel@balmora.brq.redhat.com> <4FDF4B2F.8020401@redhat.com> <4FE446D1.1040101@redhat.com> <1340367792.32038.400.camel@willson.li.ssimo.org> <4FE46451.2010509@redhat.com> <1340369998.32038.404.camel@willson.li.ssimo.org> <4FE8B30B.4050005@redhat.com> <4FEB019A.5040603@redhat.com> <4FEB2E5D.8060003@redhat.com> Message-ID: <4FEC21EC.4030305@redhat.com> On 06/27/2012 06:01 PM, Petr Viktorin wrote: > On 06/27/2012 02:50 PM, Martin Kosek wrote: >> On 06/25/2012 08:50 PM, Rob Crittenden wrote: >>> Simo Sorce wrote: >>>> On Fri, 2012-06-22 at 14:25 +0200, Martin Kosek wrote: >>>>> On 06/22/2012 02:23 PM, Simo Sorce wrote: >>>>>> On Fri, 2012-06-22 at 12:20 +0200, Martin Kosek wrote: >>>>>>> On 06/18/2012 05:37 PM, Rob Crittenden wrote: >>>>>>>> Martin Kosek wrote: >>>>>>>>> On Fri, 2012-06-15 at 10:15 -0400, Simo Sorce wrote: >>>>>>>>>> On Fri, 2012-06-15 at 15:22 +0200, Martin Kosek wrote: >>>>>>>>>>> Hello all, >>>>>>>>>>> >>>>>>>>>>> In a scope of ticket 2511 I would like to implement an >>>>>>>>>>> ability to >>>>>>>>>>> delegate a DNS update permissions to chosen user (or host) >>>>>>>>>>> without >>>>>>>>>>> having to give the user full "Update DNS Entries" privileges, >>>>>>>>>>> i.e. >>>>>>>>>>> allow >>>>>>>>>>> him to modify any DNS zone or record. 
>>>>>>>>>>> >>>>>>>>>>> So far, this is what I would like to do (comments welcome): >>>>>>>>>>> >>>>>>>>>>> 1) Create new objectclass "idnsManagedZone" with "managedBy" >>>>>>>>>>> attribute >>>>>>>>>>> in MAY list >>>>>>>>>>> 2) Create new DNS commands: >>>>>>>>>>> a] dnszone-add-managedby [--users=USERS] [--hosts=HOSTS] >>>>>>>>>>> b] dnszone-remove-managedby [--users=USERS] [--hosts=HOSTS] >>>>>>>>>>> - these commands would add/remove chosen user/host DN to >>>>>>>>>>> managedBy >>>>>>>>>>> attribute in chosen DNS zone >>>>>>>>>>> 3) Add new generic ACIs to cn=dns,$SUFFIX: >>>>>>>>>>> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version >>>>>>>>>>> 3.0;acl >>>>>>>>>>> "Users and hosts can add DNS entries";allow (add) userattr = >>>>>>>>>>> "parent[1].managedby#USERDN";) >>>>>>>>>>> ... add similar ACIs for UPDATE, REMOVE access >>>>>>>>>>> >>>>>>>>>>> With these steps done, all that an administrator would need >>>>>>>>>>> to do to >>>>>>>>>>> delegate a management of a DNS zone "example.com" is to run this >>>>>>>>>>> command: >>>>>>>>>>> $ ipa dnszone-add-managedby example.com --users=fbar >>>>>>>>>>> >>>>>>>>>>> The only downside I found so far is that the user would >>>>>>>>>>> already need to >>>>>>>>>>> have "Read DNS Entries" permission assigned, otherwise he >>>>>>>>>>> would not be >>>>>>>>>>> able to actually read DNS entries (allow rules can't take >>>>>>>>>>> precedence >>>>>>>>>>> over deny rule we implemented to deny public access to DNS >>>>>>>>>>> tree). >>>>>>>>>>> >>>>>>>>>>> An admin could of course create a special privilege and role >>>>>>>>>>> with just >>>>>>>>>>> "Read DNS Entries" permission and then assign it to relevant >>>>>>>>>>> users/groups, but this looks awkward. Any idea to make this >>>>>>>>>>> simpler? >>>>>>>>>>> Maybe creating a group "dns readers" by default which would >>>>>>>>>>> allow such >>>>>>>>>>> access? 
>>>>>>>>>> >>>>>>>>>> Change the deny rule to deny to everyone except the user in >>>>>>>>>> "parent[1].managedby#USERDN" ? >>>>>>>>>> >>>>>>>>>> Simo. >>>>>>>>>> >>>>>>>>> >>>>>>>>> Good idea, I will do that. I will just use >>>>>>>>> "parent[0,1].managedby#USERDN" so that user can also read the zone >>>>>>>>> record. This way, a selected user will have read/write access >>>>>>>>> to the >>>>>>>>> chosen zone only, which is exactly what we want to achieve. >>>>>>>> >>>>>>>> Yes, this sounds workable to me too. >>>>>>>> >>>>>>>> rob >>>>>>>> >>>>>>> >>>>>>> There were some second thoughts about the proposed design, which >>>>>>> I would >>>>>>> like to discuss so that we can eventually accept another (better) >>>>>>> solution for this feature. >>>>>>> >>>>>>> The main concern here was that proposed solution (based on user >>>>>>> list in >>>>>>> managedBy attribute in DNS zone) is not in line with the rest of >>>>>>> permission&privilege architecture in IPA. >>>>>>> >>>>>>> Here is another idea how to address the feature (I tested it and it >>>>>>> would work): >>>>>>> 1) Get rid of the deny rule on cn=dns,$SUFFIX by modifying global >>>>>>> access >>>>>>> rule (a working patch attached) to avoid current and future >>>>>>> issues with >>>>>>> extending ACIs (deny rules are evil). >>>>>>> >>>>>>> 2) Add new Managed Entry Definition and Template to automatically >>>>>>> add >>>>>>> "Manage DNS zone $idsname" permission. These could be used with >>>>>>> standard >>>>>>> IPA privileges, roles and thus could be assigned to users, groups, >>>>>>> hosts, hostgroups... 
>>>>>>> >>>>>>> 3) New DNS zone managedBy attribute won't be manageable by user, >>>>>>> but it >>>>>>> will hold a DN of the managed Permission entry >>>>>>> >>>>>>> 4) Add the following ACIs to cn=dns,$SUFFIX: >>>>>>> aci: (targetattr = "*") >>>>>>> (version 3.0; acl "Read DNS entries"; allow (read,search,compare) >>>>>>> userattr = "parent[0,1].managedby#GROUPDN";) >>>>>>> >>>>>>> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX") >>>>>>> (version 3.0;acl "Add dns entries";allow (add) >>>>>>> userattr = "parent[1].managedby#GROUPDN";) >>>>>>> >>>>>>> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX") >>>>>>> (version 3.0;acl "Remove DNS entries";allow (delete) >>>>>>> userattr = "parent[1].managedby#GROUPDN";) >>>>>>> >>>>>>> aci: (targetattr = "idnsname || cn || idnsallowdynupdate || >>>>>>> dnsttl || >>>>>>> dnsclass || arecord || aaaarecord || a6record || nsrecord || >>>>>>> cnamerecord >>>>>>> || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || >>>>>>> hinforecord || minforecord || afsdbrecord || sigrecord || >>>>>>> keyrecord || >>>>>>> locrecord || nxtrecord || naptrrecord || kxrecord || >>>>>>> certrecord || >>>>>>> dnamerecord || dsrecord || sshfprecord || rrsigrecord || >>>>>>> nsecrecord || >>>>>>> idnsname || idnszoneactive || idnssoamname || idnssoarname || >>>>>>> idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || >>>>>>> idnssoaminimum || idnsupdatepolicy || idnsallowquery || >>>>>>> idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || >>>>>>> idnsforwarders") >>>>>>> (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl >>>>>>> "Update >>>>>>> DNS Entries";allow (write) userattr = >>>>>>> "parent[0,1].managedby#GROUPDN";) >>>>>>> >>>>>>> I needed to add permission DN to the managedBy attribute so that >>>>>>> I could >>>>>>> create just one set of generic ACIs without having to create a >>>>>>> set of >>>>>>> ACIs for every new zone and thus let users with "Update DNS entries" >>>>>>> permission 
have a write access to the "aci" attribute. >>>>>>> >>>>>>> Would this design be better than the previous one? Comments welcome. >>>>>> >>>>>> Removing Deny ACIs would be great. >>>>>> But don't we need a second set of ACIs to allow uber admins to still >>>>>> control all zones ? or is that part of current ACIs not going to >>>>>> change ? >>>>>> >>>>>> Simo. >>>>>> >>>>> >>>>> Thanks to the removal of the deny rule, this would be already >>>>> allowed by >>>>> this existing ACI: >>>>> >>>>> aci: (targetattr != "userPassword || krbPrincipalKey || >>>>> sambaLMPassword >>>>> || sambaNTPassword || passwordHistory || krbMKey || >>>>> krbPrincipalName || >>>>> krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || >>>>> krbPrincipalExpiration || krbPasswordExpiration || >>>>> krbPwdPolicyReference >>>>> || krbPrincipalType || krbPwdHistory || krbLastPwdChange || >>>>> krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || >>>>> krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || >>>>> ipaUniqueId || memberOf || serverHostName || enrolledBy")(version 3.0; >>>>> acl "Admin can manage any entry"; allow (all) groupdn = >>>>> "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) >>>> >>>> Oh right! >>>> I like it even more then :-) >>>> >>>> Simo. >>>> >>> >>> Yes, this looks like it will work and eliminating a deny rule is a >>> definite plus. >>> >>> rob >> >> I have finished a patch based on the second design. IMO it is indeed >> better - >> no deny ACI for DNS and just a standard permission for per-zone access >> delegation. >> >> There is just one difference from the proposed design draft: per-zone >> permissions are not created automatically by Managed Entry plugin, but >> rather >> manually and only for DNS zones where per-zone access is needed. There >> is a new >> command for that - dnszone-add-permission. >> >> This will leave permission tree cleaner + we won't have to deal with all >> Managed Entry plugin machinery. 
>> >> More details can be found in a commit message. >> >> Martin >> > > In permission_add_noaci.get_options, it would be better to filter out > the `permission.aci_attributes`. If you only allow ('all', 'raw', > 'permissiontype'), the list will have to be updated whenever a new > global option is added. > (This would happen for ticket #2732; I'll want to make the 'version' > argument explicit for all commands.) > > > Unprivileged users can find out if a zone is defined by trying to delete > it. Is this expected behavior? > > $ ipa dnszone-del idm.lab.bos.redhat.com > ipa: ERROR: Insufficient access: Insufficient 'delete' privilege to > delete the entry > 'idnsname=idm.lab.bos.redhat.com,cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com'. > > $ ipa dnszone-del does.not.exist > ipa: ERROR: does.not.exist: DNS zone not found > > > The patch works well on upgrade. Tomorrow I'll test a fresh install. > One more comment: there is no error message when removing a permission that doesn't exist: $ ./ipa dnszone_remove_permission idm.lab.bos.redhat.com ------------------------------------------------------------------ Removed system permission "Manage DNS zone idm.lab.bos.redhat.com" ---------------------------------------------------------------- $ ./ipa dnszone_remove_permission idm.lab.bos.redhat.com ------------------------------------------------------------------ Removed system permission "Manage DNS zone idm.lab.bos.redhat.com" ---------------------------------------------------------------- I found no other issues. -- Petr³ From william at firstyear.id.au Thu Jun 28 09:59:15 2012
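The per-zone delegation design Martin describes in this thread, as an added illustration that is neither part of the thread nor FreeIPA code: a Python model of the quoted read/add/delete/write userattr ACIs and the "Admin can manage any entry" rule, evaluated against a constructed directory. The suffix, zone names, users and the permission/privilege/role entries are assumptions made for the example; it shows that the delegate can read and edit the managed zone's records but cannot reach other zones, add or delete a zone, or write the aci and managedBy attributes.

```python
"""Model of the per-zone DNS delegation ACIs discussed in this thread.
Added illustration, not FreeIPA code: the proposed userattr ACIs (read, add,
delete, write) and the "Admin can manage any entry" rule are evaluated against
a tiny in-memory directory with the nested-group semantics 389-DS gives to
"userattr = ...#GROUPDN". DNs are plain strings split on commas (no escaping).
"""
SUFFIX = "dc=example,dc=com"                      # stands in for $SUFFIX
DNS_BASE = f"cn=dns,{SUFFIX}"
ADMINS = f"cn=admins,cn=groups,cn=accounts,{SUFFIX}"

# targetattr list of the quoted "Update DNS Entries" ACI. What matters is
# what is absent: a delegate can never write "aci" or "managedby".
UPDATE_ATTRS = set("""
    idnsname cn idnsallowdynupdate dnsttl dnsclass arecord aaaarecord a6record
    nsrecord cnamerecord ptrrecord srvrecord txtrecord mxrecord mdrecord
    hinforecord minforecord afsdbrecord sigrecord keyrecord locrecord nxtrecord
    naptrrecord kxrecord certrecord dnamerecord dsrecord sshfprecord rrsigrecord
    nsecrecord idnszoneactive idnssoamname idnssoarname idnssoaserial
    idnssoarefresh idnssoaretry idnssoaexpire idnssoaminimum idnsupdatepolicy
    idnsallowquery idnsallowtransfer idnsallowsyncptr idnsforwardpolicy
    idnsforwarders""".split())

def is_member(directory, group_dn, bind_dn, seen=None):
    """GROUPDN semantics: bind_dn is a direct or nested 'member' of group_dn."""
    seen = set() if seen is None else seen
    if group_dn in seen:                          # guard against membership loops
        return False
    seen.add(group_dn)
    for member in directory.get(group_dn, {}).get("member", []):
        if member == bind_dn or is_member(directory, member, bind_dn, seen):
            return True
    return False

def managedby_grants(directory, entry_dn, levels, bind_dn):
    """userattr = "parent[<levels>].managedby#GROUPDN": parent[0] is the entry
    itself, parent[1] its container; grant if a holder lists a group of bind_dn."""
    for level in levels:
        holder = directory.get(",".join(entry_dn.split(",")[level:]), {})
        if any(is_member(directory, g, bind_dn) for g in holder.get("managedby", [])):
            return True
    return False

def is_zone_or_record(dn):
    """Match target "ldap:///idnsname=*,cn=dns,$SUFFIX" (zones and their records)."""
    return dn.endswith("," + DNS_BASE) and dn.split(",")[0].startswith("idnsname=")

def allowed(directory, bind_dn, op, target_dn, attr=None):
    """True if the ACI set grants op ("read", "add", "delete", "write") on
    target_dn. For "add", target_dn is the entry being created, so parent[1]
    is the container it lands in, which is how 389-DS evaluates the add rule."""
    # "Admin can manage any entry" (its excluded key/password attributes do
    # not occur in the DNS tree, so that exclusion is not modelled here)
    if is_member(directory, ADMINS, bind_dn):
        return True
    if not (target_dn == DNS_BASE or target_dn.endswith("," + DNS_BASE)):
        return False
    if op == "read":                    # targetattr = "*", parent[0,1]
        return managedby_grants(directory, target_dn, (0, 1), bind_dn)
    if op in ("add", "delete"):         # parent[1] only: a delegate may add or
        return (is_zone_or_record(target_dn)   # delete records, never the zone
                and managedby_grants(directory, target_dn, (1,), bind_dn))
    if op == "write":                   # restricted to the listed attributes
        return (is_zone_or_record(target_dn) and (attr or "").lower() in UPDATE_ATTRS
                and managedby_grants(directory, target_dn, (0, 1), bind_dn))
    return False

# Constructed sample directory (all names are placeholders). managedBy holds
# the per-zone permission DN; permission -> privilege -> role -> user is how
# IPA's RBAC entries reference one another through 'member'.
ZONE = f"idnsname=example.com.,{DNS_BASE}"
WWW = f"idnsname=www,{ZONE}"
OTHER_ZONE = f"idnsname=other.test.,{DNS_BASE}"
PERM = f"cn=Manage DNS zone example.com.,cn=permissions,cn=pbac,{SUFFIX}"
PRIV = f"cn=DNS Delegation,cn=privileges,cn=pbac,{SUFFIX}"
ROLE = f"cn=Zone Operators,cn=roles,cn=accounts,{SUFFIX}"
FBAR = f"uid=fbar,cn=users,cn=accounts,{SUFFIX}"
ADMIN = f"uid=admin,cn=users,cn=accounts,{SUFFIX}"
DIRECTORY = {
    DNS_BASE: {}, OTHER_ZONE: {}, ADMINS: {"member": [ADMIN]},
    ZONE: {"managedby": [PERM], "arecord": ["192.0.2.1"]},
    WWW: {"arecord": ["192.0.2.10"]},
    PERM: {"member": [PRIV]}, PRIV: {"member": [ROLE]}, ROLE: {"member": [FBAR]},
}

def demo():
    """What delegate fbar may and may not do, and that admins keep full access."""
    return {
        "fbar reads zone": allowed(DIRECTORY, FBAR, "read", ZONE),
        "fbar reads record": allowed(DIRECTORY, FBAR, "read", WWW),
        "fbar reads other zone": allowed(DIRECTORY, FBAR, "read", OTHER_ZONE),
        "fbar adds record": allowed(DIRECTORY, FBAR, "add", f"idnsname=mail,{ZONE}"),
        "fbar adds zone": allowed(DIRECTORY, FBAR, "add", f"idnsname=new.,{DNS_BASE}"),
        "fbar deletes record": allowed(DIRECTORY, FBAR, "delete", WWW),
        "fbar deletes zone": allowed(DIRECTORY, FBAR, "delete", ZONE),
        "fbar writes arecord": allowed(DIRECTORY, FBAR, "write", WWW, "arecord"),
        "fbar writes aci": allowed(DIRECTORY, FBAR, "write", ZONE, "aci"),
        "fbar writes managedby": allowed(DIRECTORY, FBAR, "write", ZONE, "managedBy"),
        "admin deletes other zone": allowed(DIRECTORY, ADMIN, "delete", OTHER_ZONE),
    }
```

demo() returns each check's outcome; the delete-zone and write-aci results are the two properties that distinguish this design from the earlier managedBy-user-list proposal.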
From: william at firstyear.id.au (William Brown) Date: Thu, 28 Jun 2012 19:29:15 +0930 Subject: [Freeipa-devel] Build failure in ipa_sam In-Reply-To: <20120628091322.GA6687@redhat.com> References: <4FEC17B7.9070607@firstyear.id.au> <20120628091322.GA6687@redhat.com> Message-ID: <4FEC2AF3.3090109@firstyear.id.au> On 28/06/12 18:43, Alexander Bokovoy wrote: > On Thu, 28 Jun 2012, William Brown wrote: >> Making all in ipa-sam >> make[4]: Entering directory >> `/home/william/development/freeipa/rpmbuild/BUILD/freeipa-2.99.0GIT8ce7330/daemons/ipa-sam' >> >> /bin/sh ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. >> -I.. -I. -I. -I/usr/include/samba-4.0 -DPREFIX=\""/usr"\" >> -DBINDIR=\""/usr/bin"\" -DLIBDIR=\""/usr/lib64"\" >> -DLIBEXECDIR=\""/usr/libexec"\" -DDATADIR=\""/usr/share"\" >> -DLDAPIDIR=\""/var/run"\" -DHAVE_LDAP -I ../../util -Wall -Wshadow >> -Wstrict-prototypes -Wpointer-arith -Wcast-align >> -Werror-implicit-function-declaration -DWITH_OPENLDAP >> -I/usr/include/nspr4 -I/usr/include/nss3 -DUSE_OPENLDAP >> -DHAVE_IMMEDIATE_STRUCTURES=1 -I/usr/include/samba-4.0 >> -DHAVE_IMMEDIATE_STRUCTURES=1 -D_GNU_SOURCE=1 -I/usr/include/samba-4.0 >> -I/usr/include/nspr4 -I/usr/include/nss3 -Wall -Wshadow >> -Wstrict-prototypes -Wpointer-arith -Wcast-align >> -Werror-implicit-function-declaration -O2 -g -pipe -Wall >> -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector >> --param=ssp-buffer-size=4 -m64 -mtune=generic -MT ipa_sam.lo -MD -MP >> -MF .deps/ipa_sam.Tpo -c -o ipa_sam.lo ipa_sam.c >> libtool: compile: gcc -DHAVE_CONFIG_H -I. -I.. -I. -I. 
>> -I/usr/include/samba-4.0 -DPREFIX=\"/usr\" -DBINDIR=\"/usr/bin\" >> -DLIBDIR=\"/usr/lib64\" -DLIBEXECDIR=\"/usr/libexec\" >> -DDATADIR=\"/usr/share\" -DLDAPIDIR=\"/var/run\" -DHAVE_LDAP -I >> ../../util -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith >> -Wcast-align -Werror-implicit-function-declaration -DWITH_OPENLDAP >> -I/usr/include/nspr4 -I/usr/include/nss3 -DUSE_OPENLDAP >> -DHAVE_IMMEDIATE_STRUCTURES=1 -I/usr/include/samba-4.0 >> -DHAVE_IMMEDIATE_STRUCTURES=1 -D_GNU_SOURCE=1 -I/usr/include/samba-4.0 >> -I/usr/include/nspr4 -I/usr/include/nss3 -Wall -Wshadow >> -Wstrict-prototypes -Wpointer-arith -Wcast-align >> -Werror-implicit-function-declaration -O2 -g -pipe -Wall >> -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector >> --param=ssp-buffer-size=4 -m64 -mtune=generic -MT ipa_sam.lo -MD -MP -MF >> .deps/ipa_sam.Tpo -c ipa_sam.c -fPIC -DPIC -o .libs/ipa_sam.o >> ipa_sam.c:510:17: warning: 'struct unixid' declared inside parameter >> list [enabled by default] > Missing 'struct unixid' means you don't have newer samba4 packages. 
> >> ipa_sam.c:510:17: warning: its scope is only this definition or >> declaration, which is probably not what you want [enabled by default] >> ipa_sam.c: In function 'ldapsam_sid_to_id': >> ipa_sam.c:583:3: error: implicit declaration of function >> 'unixid_from_gid' [-Werror=implicit-function-declaration] >> ipa_sam.c:598:2: error: implicit declaration of function >> 'unixid_from_uid' [-Werror=implicit-function-declaration] >> ipa_sam.c: In function 'set_krb_princ': >> ipa_sam.c:1456:8: warning: unused variable 'inp' [-Wunused-variable] >> ipa_sam.c: In function 'ldap_sasl_interact': >> ipa_sam.c:3100:18: warning: unused variable 'krberr' [-Wunused-variable] >> ipa_sam.c:3099:8: warning: unused variable 'outname' [-Wunused-variable] >> ipa_sam.c:3098:15: warning: unused variable 'krbctx' [-Wunused-variable] >> ipa_sam.c: At top level: >> ipa_sam.c:3126:1: warning: function declaration isn't a prototype >> [-Wstrict-prototypes] >> ipa_sam.c:3127:1: warning: function declaration isn't a prototype >> [-Wstrict-prototypes] >> ipa_sam.c: In function 'bind_callback': >> ipa_sam.c:3131:18: warning: variable 'rc' set but not used >> [-Wunused-but-set-variable] >> ipa_sam.c: In function 'pdb_init_ipasam': >> ipa_sam.c:3355:27: warning: assignment from incompatible pointer type >> [enabled by default] >> cc1: some warnings being treated as errors >> make[4]: *** [ipa_sam.lo] Error 1 >> make[4]: Leaving directory >> `/home/william/development/freeipa/rpmbuild/BUILD/freeipa-2.99.0GIT8ce7330/daemons/ipa-sam' >> >> make[3]: *** [all-recursive] Error 1 >> make[3]: Leaving directory >> `/home/william/development/freeipa/rpmbuild/BUILD/freeipa-2.99.0GIT8ce7330/daemons' >> >> make[2]: *** [all] Error 2 >> make[2]: Leaving directory >> `/home/william/development/freeipa/rpmbuild/BUILD/freeipa-2.99.0GIT8ce7330/daemons' >> >> make[1]: *** [all] Error 1 >> make[1]: Leaving directory >> `/home/william/development/freeipa/rpmbuild/BUILD/freeipa-2.99.0GIT8ce7330' >> >> error: Bad exit 
status from /var/tmp/rpm-tmp.tskROb (%build) >> >> >> RPM build errors: >> Bad exit status from /var/tmp/rpm-tmp.tskROb (%build) >> make: *** [rpms] Error 1 >> >> >> Git master (Not my feature branches) > Make sure you have at least samba4 beta1 packages installed as required > by the > freeipa.spec.in file. I have samba4-devel-4.0.0-124beta1.fc17.x86_64 > from ipa-devel > repo. Is that the repo at: [ipa-devel] name=IPA development $releasever - $basearch baseurl=http://jdennis.fedorapeople.org/ipa-devel/fedora/$releasever/$basearch/os/ enabled=0 gpgcheck=0 > > Also 8ce7330 is not git master HEAD: > $ git log --oneline 8ce733..HEAD > ac6afd3 Add configure check for C Unit-Test framework check > dc3491e Filter groups in the PAC > 65ad261 Add sidgen postop and task > 6356747 Add error condition handling to the SASL bind callback in ipasam > 761cb71 Support requests for DOMAIN$ account for trusted domains in > ipasam module > db4c946 Defer adding ipa-cifs-delegation-targets until the Updates phase. > I know it's not HEAD - I updated it yesterday. I will fetch this in a little while to test. -- Sincerely, William Brown pgp.mit.edu http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x3C0AC6DAB2F928A2 From abokovoy at redhat.com Thu Jun 28 10:05:59 2012
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 28 Jun 2012 13:05:59 +0300 Subject: [Freeipa-devel] Build failure in ipa_sam In-Reply-To: <4FEC2AF3.3090109@firstyear.id.au> References: <4FEC17B7.9070607@firstyear.id.au> <20120628091322.GA6687@redhat.com> <4FEC2AF3.3090109@firstyear.id.au> Message-ID: <20120628100558.GB6687@redhat.com> On Thu, 28 Jun 2012, William Brown wrote: >On 28/06/12 18:43, Alexander Bokovoy wrote: >> On Thu, 28 Jun 2012, William Brown wrote: >>> Making all in ipa-sam >>> make[4]: Entering directory >>> `/home/william/development/freeipa/rpmbuild/BUILD/freeipa-2.99.0GIT8ce7330/daemons/ipa-sam' >>> >>> /bin/sh ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. >>> -I.. -I. -I. -I/usr/include/samba-4.0 -DPREFIX=\""/usr"\" >>> -DBINDIR=\""/usr/bin"\" -DLIBDIR=\""/usr/lib64"\" >>> -DLIBEXECDIR=\""/usr/libexec"\" -DDATADIR=\""/usr/share"\" >>> -DLDAPIDIR=\""/var/run"\" -DHAVE_LDAP -I ../../util -Wall -Wshadow >>> -Wstrict-prototypes -Wpointer-arith -Wcast-align >>> -Werror-implicit-function-declaration -DWITH_OPENLDAP >>> -I/usr/include/nspr4 -I/usr/include/nss3 -DUSE_OPENLDAP >>> -DHAVE_IMMEDIATE_STRUCTURES=1 -I/usr/include/samba-4.0 >>> -DHAVE_IMMEDIATE_STRUCTURES=1 -D_GNU_SOURCE=1 -I/usr/include/samba-4.0 >>> -I/usr/include/nspr4 -I/usr/include/nss3 -Wall -Wshadow >>> -Wstrict-prototypes -Wpointer-arith -Wcast-align >>> -Werror-implicit-function-declaration -O2 -g -pipe -Wall >>> -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector >>> --param=ssp-buffer-size=4 -m64 -mtune=generic -MT ipa_sam.lo -MD -MP >>> -MF .deps/ipa_sam.Tpo -c -o ipa_sam.lo ipa_sam.c >>> libtool: compile: gcc -DHAVE_CONFIG_H -I. -I.. -I. -I. 
>>> -I/usr/include/samba-4.0 -DPREFIX=\"/usr\" -DBINDIR=\"/usr/bin\" >>> -DLIBDIR=\"/usr/lib64\" -DLIBEXECDIR=\"/usr/libexec\" >>> -DDATADIR=\"/usr/share\" -DLDAPIDIR=\"/var/run\" -DHAVE_LDAP -I >>> ../../util -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith >>> -Wcast-align -Werror-implicit-function-declaration -DWITH_OPENLDAP >>> -I/usr/include/nspr4 -I/usr/include/nss3 -DUSE_OPENLDAP >>> -DHAVE_IMMEDIATE_STRUCTURES=1 -I/usr/include/samba-4.0 >>> -DHAVE_IMMEDIATE_STRUCTURES=1 -D_GNU_SOURCE=1 -I/usr/include/samba-4.0 >>> -I/usr/include/nspr4 -I/usr/include/nss3 -Wall -Wshadow >>> -Wstrict-prototypes -Wpointer-arith -Wcast-align >>> -Werror-implicit-function-declaration -O2 -g -pipe -Wall >>> -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector >>> --param=ssp-buffer-size=4 -m64 -mtune=generic -MT ipa_sam.lo -MD -MP -MF >>> .deps/ipa_sam.Tpo -c ipa_sam.c -fPIC -DPIC -o .libs/ipa_sam.o >>> ipa_sam.c:510:17: warning: 'struct unixid' declared inside parameter >>> list [enabled by default] >> Missing 'struct unixid' means you don't have newer samba4 packages. 
>> >>> ipa_sam.c:510:17: warning: its scope is only this definition or >>> declaration, which is probably not what you want [enabled by default] >>> ipa_sam.c: In function 'ldapsam_sid_to_id': >>> ipa_sam.c:583:3: error: implicit declaration of function >>> 'unixid_from_gid' [-Werror=implicit-function-declaration] >>> ipa_sam.c:598:2: error: implicit declaration of function >>> 'unixid_from_uid' [-Werror=implicit-function-declaration] >>> ipa_sam.c: In function 'set_krb_princ': >>> ipa_sam.c:1456:8: warning: unused variable 'inp' [-Wunused-variable] >>> ipa_sam.c: In function 'ldap_sasl_interact': >>> ipa_sam.c:3100:18: warning: unused variable 'krberr' [-Wunused-variable] >>> ipa_sam.c:3099:8: warning: unused variable 'outname' [-Wunused-variable] >>> ipa_sam.c:3098:15: warning: unused variable 'krbctx' [-Wunused-variable] >>> ipa_sam.c: At top level: >>> ipa_sam.c:3126:1: warning: function declaration isn't a prototype >>> [-Wstrict-prototypes] >>> ipa_sam.c:3127:1: warning: function declaration isn't a prototype >>> [-Wstrict-prototypes] >>> ipa_sam.c: In function 'bind_callback': >>> ipa_sam.c:3131:18: warning: variable 'rc' set but not used >>> [-Wunused-but-set-variable] >>> ipa_sam.c: In function 'pdb_init_ipasam': >>> ipa_sam.c:3355:27: warning: assignment from incompatible pointer type >>> [enabled by default] >>> cc1: some warnings being treated as errors >>> make[4]: *** [ipa_sam.lo] Error 1 >>> make[4]: Leaving directory >>> `/home/william/development/freeipa/rpmbuild/BUILD/freeipa-2.99.0GIT8ce7330/daemons/ipa-sam' >>> >>> make[3]: *** [all-recursive] Error 1 >>> make[3]: Leaving directory >>> `/home/william/development/freeipa/rpmbuild/BUILD/freeipa-2.99.0GIT8ce7330/daemons' >>> >>> make[2]: *** [all] Error 2 >>> make[2]: Leaving directory >>> `/home/william/development/freeipa/rpmbuild/BUILD/freeipa-2.99.0GIT8ce7330/daemons' >>> >>> make[1]: *** [all] Error 1 >>> make[1]: Leaving directory >>> 
`/home/william/development/freeipa/rpmbuild/BUILD/freeipa-2.99.0GIT8ce7330' >>> >>> error: Bad exit status from /var/tmp/rpm-tmp.tskROb (%build) >>> >>> >>> RPM build errors: >>> Bad exit status from /var/tmp/rpm-tmp.tskROb (%build) >>> make: *** [rpms] Error 1 >>> >>> >>> Git master (Not my feature branches) >> Make sure you have at least samba4 beta1 packages installed as required >> by the >> freeipa.spec.in file. I have samba4-devel-4.0.0-124beta1.fc17.x86_64 >> from ipa-devel >> repo. > >Is that the repo at: > >[ipa-devel] >name=IPA development $releasever - $basearch >baseurl=http://jdennis.fedorapeople.org/ipa-devel/fedora/$releasever/$basearch/os/ >enabled=0 >gpgcheck=0 Yes. Note that FreeIPA git master is only working on F17 with packages from the ipa-devel repo. -- / Alexander Bokovoy From sbose at redhat.com Thu Jun 28 10:19:07 2012 
From: sbose at redhat.com (Sumit Bose) Date: Thu, 28 Jun 2012 12:19:07 +0200 Subject: [Freeipa-devel] [PATCH] 18 Add external domain extop DS plugin In-Reply-To: <4FEC0D2E.6070503@redhat.com> References: <20120323125234.GU2301@localhost.localdomain> <20120607092729.GM8124@localhost.localdomain> <20120611144617.GR25726@redhat.com> <20120613102642.GG20850@localhost.localdomain> <20120613103749.GH20850@localhost.localdomain> <20120627161429.GK29454@localhost.localdomain> <20120627163853.GJ16889@redhat.com> <4FEC0D2E.6070503@redhat.com> Message-ID: <20120628101907.GN29454@localhost.localdomain> On Thu, Jun 28, 2012 at 09:52:14AM +0200, Martin Kosek wrote: > On 06/27/2012 06:38 PM, Alexander Bokovoy wrote: > > On Wed, 27 Jun 2012, Sumit Bose wrote: > >> On Wed, Jun 13, 2012 at 12:37:49PM +0200, Sumit Bose wrote: > >>> On Wed, Jun 13, 2012 at 12:26:43PM +0200, Sumit Bose wrote: > >>> > On Mon, Jun 11, 2012 at 05:46:17PM +0300, Alexander Bokovoy wrote: > >>> > > On Thu, 07 Jun 2012, Sumit Bose wrote: > >>> > > >On Fri, Mar 23, 2012 at 01:52:34PM +0100, Sumit Bose wrote: > >>> > > >>Hi, > >>> > > >> > >>> > > >>these two patches introduce a new extended operation to the IPA server > >>> > > >>which can be used by clients in the IPA domain to obtain information > >>> > > >>about users and groups from trusted domains. Currently this exop is used > >>> > > >>by the sssd sub-domain patch to map user names from a trusted AD domain > >>> > > >>to a SID and back. There is also some code for other kind of requests > >>> > > >>which might become useful in future, e.g. with trusted IPA domain. > >>> > > >> > >>> > > >>I added some unit test and added check for the check unit test framework > >>> > > >>for C (http://check.sourceforge.net/) which is used by sssd as well. I > >>> > > >>modified the spec file that the test is run during the build of the > >>> > > >>packages. I hope this is ok. 
> >>> > > >> > >>> > > >>The patches depend on the idmap library patch which was ACKed recently > >>> > > >>on sssd-devel and as mentioned before the sub-domain patches on > >>> > > >>sssd-devel can only be fully tested with an IPA server which has these > >>> > > >>patches applied. > >>> > > >> > >>> > > >>Since Alexander is currently rewriting parts of the ipa-adtrust-install > >>> > > >>utility I stand back from adding activation code for the exop to > >>> > > >>ipa-adtrust-install and will send a patch when Alexander's changes are > >>> > > >>available. So currently extdom-extop-conf.ldif has to be loaded manually > >>> > > >>after replacing $SUFFIX to activate the new exop. > >>> > > >> > >>> > > >>bye, > >>> > > >>Sumit > >>> > > > > >>> > > >Please find a rebased version of the patches which work on top of > >>> > > >Alexander's latest series of patches. The patches now also contain the > >>> > > >loading of extdom-extop-conf.ldif and the activation of winbind. > >>> > > Thanks for the rebase. > >>> > > > >>> > > Few comments. > >>> > > > >>> > > 1.The extdom plugin should support IDMAP_BOTH. We do provide user private > >>> > > groups so in our case it should be viewed as preferred output. Thus you > >>> > > would need to add new response type to cover this case. > >>> > > >>> > Currently the plugin only uses winbind to map SIDs to names and back and > >>> > in the returned user data the user private groups are already respected > >>> > by setting the GID to the UID. On the client side sssd handles the > >>> > trusted domains a mpg (magic private group) domains. > >>> > > >>> > > > >>> > > 2. 
I have tried to look at the plugin description from point of view of > >>> > > a system administrator and I failed to understand what it does: > >>> > > >+#define IPA_EXTDOM_PLUGIN_NAME "ipa-extdom-extop" > >>> > > >+#define IPA_EXTDOM_FEATURE_DESC "IPA EXTDOM ID mapper" > >>> > > >+#define IPA_EXTDOM_PLUGIN_DESC "IPA EXTDOM ID mapper Extended > >>> Operation plugin" > >>> > > > >>> > > In the ipa-extdom-extop-conf.ldif you have following description: > >>> > > >+nsslapd-plugindescription: Support resolving IDs in trusted domains to > >>> names and back > >>> > > Probably it is better to reuse the same description in > >>> IPA_EXTDOM_PLUGIN_DESC? > >>> > > > >>> > > This is a minor point but EXTDOM itself is vague. Maybe we should be > >>> more clear > >>> > > and call it 'IPA trusted domain ID mapper' as it really limits itself to > >>> > > only trusted domains? We don't dispatch winbind request if the domain is > >>> > > not found in our list of trusted domains. > >>> > > >>> > I have updated the descriptions. I prefer the EXTDOM prefix because > >>> > there might be future use cases where we might want to get some data > >>> > from other domains without trust. But I'm happy to change it if you like > >>> > a different prefix better. > >>> > > >>> > > > >>> > > 3. Could you please define the oid in ipa_extdom.h so that it could be > >>> > > useful for client code as well? > >>> > > >+#define EXOP_EXTDOM_OID "2.16.840.1.113730.3.8.10.4" > >>> > > >>> > done > >>> > > >>> > New version attached. > >>> > >>> ah. sorry, forgot to squash in some changes. > >>> > >>> Additionally I moved the binary to the freeipa-server-trust-ad package > >>> to avoid additional dependencies in the freeipa-server package. > >>> > >>> bye, > >>> Sumit > >>> > >>> > > >>> > > > >>> > > 4. Do we have 'check' tool in RHEL6? > >>> > > >>> > yes, current version is check-0.9.8-1.1.el6 > >>> > > >>> > Thank you for the review. 
> >>> > > >>> > bye, > >>> > Sumit > >>> > > -- > >>> > > / Alexander Bokovoy > >> > >> rebased version with some changes by Alexander attached. > > ACK from my side. Works in tests I've run. > > Patch 17 pushed to master. > > Patch 18 does not apply. I also have one question related to this patch: a rebased version is attached. > > We added a winbind service to ADTRUSTInstance which is now being configured as > a part of ipa-adtrust-install. To make this cleaner, we may want to write > winbind's own service.Service class which would do the necessary configuration > and could be also better expanded in the future. Currently none of the configuration steps are done exclusively for winbind, e.g. winbind will use the same credential as the smbd to access the directory server. I would agree to create a class for winbind if it turns out that we have to add special winbind options, but for now we only need to start the winbind process. bye, Sumit > > Martin -------------- next part -------------- From 811e25ba1e162a863be408eb23692d6c6ef3f442 Mon Sep 17 00:00:00 2001
From: Sumit Bose Date: Wed, 30 Nov 2011 13:29:10 +0100 Subject: [PATCH] Add external domain extop DS plugin This extop can be used by clients of the IPA domain, e.g. sssd, to retrieve data from trusted external domains. It can be used e.g. to map Windows SIDs to user or groups names and back. --- daemons/configure.ac | 19 +- daemons/ipa-slapi-plugins/Makefile.am | 1 + .../ipa-slapi-plugins/ipa-extdom-extop/Makefile.am | 74 +++ .../ipa-extdom-extop/ipa-extdom-extop-conf.ldif | 16 + .../ipa-extdom-extop/ipa_extdom.h | 154 ++++++ .../ipa-extdom-extop/ipa_extdom_common.c | 498 ++++++++++++++++++++ .../ipa-extdom-extop/ipa_extdom_extop.c | 234 +++++++++ .../ipa-extdom-extop/ipa_extdom_tests.c | 203 ++++++++ freeipa.spec.in | 7 + ipaserver/install/adtrustinstance.py | 23 +- ipaserver/install/service.py | 3 +- 11 Dateien ge?ndert, 1225 Zeilen hinzugef?gt(+), 7 Zeilen entfernt(-) create mode 100644 daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am create mode 100644 daemons/ipa-slapi-plugins/ipa-extdom-extop/README create mode 100644 daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa-extdom-extop-conf.ldif create mode 100644 daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h create mode 100644 daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c create mode 100644 daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c create mode 100644 daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_tests.c diff --git a/daemons/configure.ac b/daemons/configure.ac index 9ee77e471e674733497e1053aae4574d39f4841b..76ebaa67f802e20009ef764bdbdcd09cc7937a22 100644 --- a/daemons/configure.ac +++ b/daemons/configure.ac 
@@ -237,8 +237,19 @@ PKG_CHECK_MODULES([NDRPAC], [ndr_krb5pac]) PKG_CHECK_MODULES([NDRNBT], [ndr_nbt]) PKG_CHECK_MODULES([NDR], [ndr]) PKG_CHECK_MODULES([SAMBAUTIL], [samba-util]) -SAMBA40EXTRA_LIBPATH="-L`$PKG_CONFIG --variable=libdir samba-util`/samba" +SAMBA40EXTRA_LIBPATH="-L`$PKG_CONFIG --variable=libdir samba-util`/samba -Wl,-rpath=`$PKG_CONFIG --variable=libdir samba-util`/samba" AC_SUBST(SAMBA40EXTRA_LIBPATH) +AC_CHECK_HEADERS([samba-4.0/wbclient.h], + , + [AC_MSG_ERROR([samba-4.0/wbclient.h not found])], + [#include + #include ]) +AC_CHECK_LIB([wbclient], + [wbcLookupSid], + [WBCLIENT_LIBS="$SAMBA40EXTRA_LIBPATH -lwbclient"], + [AC_MSG_ERROR([libwbclient does not have wbcLookupSid])], + [$SAMBA40EXTRA_LIBPATH]) +AC_SUBST(WBCLIENT_LIBS) dnl --------------------------------------------------------------------------- dnl - Check for check unit test framework http://check.sourceforge.net/ @@ -251,6 +262,11 @@ else fi AM_CONDITIONAL([HAVE_CHECK], [test x$have_check != x]) +dnl -- dirsrv is needed for the extdom unit tests -- +PKG_CHECK_MODULES([DIRSRV], [dirsrv]) +dnl -- sss_idmap is needed by the extdom exop -- +PKG_CHECK_MODULES([SSSIDMAP], [sss_idmap]) + dnl --------------------------------------------------------------------------- dnl - Set the data install directory since we don't use pkgdatadir dnl --------------------------------------------------------------------------- @@ -320,6 +336,7 @@ AC_CONFIG_FILES([ ipa-slapi-plugins/ipa-enrollment/Makefile ipa-slapi-plugins/ipa-lockout/Makefile ipa-slapi-plugins/ipa-pwd-extop/Makefile + ipa-slapi-plugins/ipa-extdom-extop/Makefile ipa-slapi-plugins/ipa-winsync/Makefile ipa-slapi-plugins/ipa-version/Makefile ipa-slapi-plugins/ipa-uuid/Makefile diff --git a/daemons/ipa-slapi-plugins/Makefile.am b/daemons/ipa-slapi-plugins/Makefile.am index 58df1a0981ff4f0f12aec84b4706ae3879bdec07..5a3c9e7034020b4f80815e865c2ed0de419264c9 100644 --- a/daemons/ipa-slapi-plugins/Makefile.am 
+++ b/daemons/ipa-slapi-plugins/Makefile.am @@ -6,6 +6,7 @@ SUBDIRS = \ ipa-lockout \ ipa-modrdn \ ipa-pwd-extop \ + ipa-extdom-extop \ ipa-uuid \ ipa-version \ ipa-winsync \ diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am b/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am new file mode 100644 index 0000000000000000000000000000000000000000..d93e094b95510cf0ec99b7f7c38ff261c56f310e --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am @@ -0,0 +1,74 @@ +NULL = + +PLUGIN_COMMON_DIR=../common + +INCLUDES = \ + -I. \ + -I$(srcdir) \ + -I$(PLUGIN_COMMON_DIR) \ + -I$(KRB5_UTIL_DIR) \ + -I$(COMMON_BER_DIR) \ + -DPREFIX=\""$(prefix)"\" \ + -DBINDIR=\""$(bindir)"\" \ + -DLIBDIR=\""$(libdir)"\" \ + -DLIBEXECDIR=\""$(libexecdir)"\" \ + -DDATADIR=\""$(datadir)"\" \ + $(AM_CFLAGS) \ + $(LDAP_CFLAGS) \ + $(WBCLIENT_CFLAGS) \ + $(WARN_CFLAGS) \ + $(SSSIDMAP_CFLAGS) \ + $(NULL) + +plugindir = $(libdir)/dirsrv/plugins +plugin_LTLIBRARIES = \ + libipa_extdom_extop.la \ + $(NULL) + +libipa_extdom_extop_la_SOURCES = \ + ipa_extdom_extop.c \ + ipa_extdom_common.c \ + $(NULL) + +libipa_extdom_extop_la_LDFLAGS = -avoid-version + +libipa_extdom_extop_la_LIBADD = \ + $(LDAP_LIBS) \ + $(WBCLIENT_LIBS) \ + $(SSSIDMAP_LIBS) \ + $(NULL) + +if HAVE_CHECK +TESTS = extdom_tests +check_PROGRAMS = extdom_tests +endif + +extdom_tests_SOURCES = \ + ipa_extdom_tests.c \ + ipa_extdom_common.c \ + $(NULL) +extdom_tests_CFLAGS = $(CHECK_CFLAGS) +extdom_tests_LDFLAGS = \ + -rpath $(shell pkg-config --libs-only-L dirsrv | sed -e 's/-L//') \ + $(NULL) +extdom_tests_LDADD = \ + $(CHECK_LIBS) \ + $(LDAP_LIBS) \ + $(WBCLIENT_LIBS) \ + $(DIRSRV_LIBS) \ + $(SSSIDMAP_LIBS) \ + $(NULL) + +appdir = $(IPA_DATA_DIR) +app_DATA = \ + ipa-extdom-extop-conf.ldif \ + $(NULL) + +EXTRA_DIST = \ + README \ + $(app_DATA) \ + $(NULL) + +MAINTAINERCLEANFILES = \ + *~ \ + Makefile.in 
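Review bot: The configure.ac hunk makes libwbclient a hard, unconditional build requirement for the whole daemons tree (AC_CHECK_HEADERS and AC_CHECK_LIB both AC_MSG_ERROR on failure), while the cover mail says the extdom binary was moved into freeipa-server-trust-ad precisely to avoid new dependencies in freeipa-server; if that split is intended, guard the wbclient checks and the ipa-extdom-extop subdir behind the same conditional that gates the trust-ad bits. Separately, SAMBA40EXTRA_LIBPATH now carries `-Wl,-rpath=...` and is reused by every target that links against that variable, so all of those objects get the hardcoded rpath rather than only the ones loading the private Samba libdir; consider a dedicated variable for the rpath part.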
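Review bot: In the new ipa-extdom-extop/Makefile.am, `extdom_tests_LDFLAGS = -rpath $(shell pkg-config --libs-only-L dirsrv | sed -e 's/-L//')` uses the GNU make-only `$(shell ...)` inside an Automake file and calls a bare `pkg-config` instead of the `$PKG_CONFIG` that configure already located; compute the dirsrv libdir once in configure.ac (`$PKG_CONFIG --variable=libdir dirsrv`, the same pattern the SAMBA40EXTRA_LIBPATH hunk uses), AC_SUBST it, and reference the substituted variable here. Also, the hunk adds an empty README to EXTRA_DIST; either describe the exop and its ASN.1 layout there (the only documentation now lives in C comments) or drop the file from this patch.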
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/README b/daemons/ipa-slapi-plugins/ipa-extdom-extop/README new file mode 100644 index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa-extdom-extop-conf.ldif b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa-extdom-extop-conf.ldif new file mode 100644 index 0000000000000000000000000000000000000000..ec51ed26f127410901972053c86a49930d217d82 --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa-extdom-extop-conf.ldif @@ -0,0 +1,16 @@ +dn: cn=ipa_extdom_extop,cn=plugins,cn=config +changetype: add +objectclass: top +objectclass: nsSlapdPlugin +objectclass: extensibleObject +cn: ipa_extdom_extop +nsslapd-pluginpath: libipa_extdom_extop +nsslapd-plugininitfunc: ipa_extdom_init +nsslapd-plugintype: extendedop +nsslapd-pluginenabled: on +nsslapd-pluginid: ipa_extdom_extop +nsslapd-pluginversion: 1.0 +nsslapd-pluginvendor: RedHat +nsslapd-plugindescription: Support resolving IDs in trusted domains to names and back +nsslapd-plugin-depends-on-type: database +nsslapd-basedn: $SUFFIX diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h new file mode 100644 index 0000000000000000000000000000000000000000..5c2eeddceb3983fa5793c1a7fa86c5001c47beba --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h 
@@ -0,0 +1,154 @@ +/** BEGIN COPYRIGHT BLOCK + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + * + * Additional permission under GPLv3 section 7: + * + * In the following paragraph, "GPL" means the GNU General Public + * License, version 3 or any later version, and "Non-GPL Code" means + * code that is governed neither by the GPL nor a license + * compatible with the GPL. + * + * You may link the code of this Program with Non-GPL Code and convey + * linked combinations including the two, provided that such Non-GPL + * Code only links to the code of this Program through those well + * defined interfaces identified in the file named EXCEPTION found in + * the source code files (the "Approved Interfaces"). The files of + * Non-GPL Code may instantiate templates or use macros or inline + * functions from the Approved Interfaces without causing the resulting + * work to be covered by the GPL. Only the copyright holders of this + * Program may make changes or additions to the list of Approved + * Interfaces. + * + * Authors: + * Sumit Bose + * + * Copyright (C) 2011 Red Hat, Inc. + * All rights reserved. 
+ * END COPYRIGHT BLOCK **/ + +#ifndef _IPA_EXTDOM_H_ +#define _IPA_EXTDOM_H_ + +#ifdef HAVE_CONFIG_H +# include +#endif + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include + +#include +#include +#include + +#include + +#define EXOP_EXTDOM_OID "2.16.840.1.113730.3.8.10.4" + +#define IPA_EXTDOM_PLUGIN_NAME "ipa-extdom-extop" +#define IPA_EXTDOM_FEATURE_DESC "IPA trusted domain ID mapper" +#define IPA_EXTDOM_PLUGIN_DESC "Support resolving IDs in trusted domains to names and back" + +#define IPA_PLUGIN_NAME IPA_EXTDOM_PLUGIN_NAME + +enum input_types { + INP_SID = 1, + INP_NAME, + INP_POSIX_UID, + INP_POSIX_GID +}; + +enum request_types { + REQ_SIMPLE = 1, + REQ_FULL +}; + +enum response_types { + RESP_SID = 1, + RESP_NAME, + RESP_USER, + RESP_GROUP +}; + +struct extdom_req { + enum input_types input_type; + enum request_types request_type; + union { + char *sid; + struct { + char *domain_name; + char *object_name; + } name; + struct { + char *domain_name; + uid_t uid; + } posix_uid; + struct { + char *domain_name; + gid_t gid; + } posix_gid; + } data; +}; + +struct extdom_res { + enum response_types response_type; + union { + char *sid; + struct { + const char *domain_name; + const char *object_name; + } name; + struct { + const char *domain_name; + const char *user_name; + uid_t uid; + gid_t gid; + } user; + struct { + const char *domain_name; + const char *group_name; + gid_t gid; + } group; + } data; +}; + +struct ipa_extdom_ctx { + Slapi_ComponentId *plugin_id; + char *base_dn; +}; + +struct domain_info { + char *flat_name; + char *sid; + char *guid; + struct sss_idmap_ctx *idmap_ctx; +}; + +int parse_request_data(struct berval *req_val, struct extdom_req **_req); +int handle_request(struct ipa_extdom_ctx *ctx, struct extdom_req *req, + struct extdom_res **res); +int create_response(struct extdom_req *req, struct domain_info *domain_info, + const char *domain_name, + const char *name, struct wbcDomainSid *sid, + 
enum wbcSidType name_type, struct extdom_res **_res); +int pack_response(struct extdom_res *res, struct berval **ret_val); +#endif /* _IPA_EXTDOM_H_ */ diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c new file mode 100644 index 0000000000000000000000000000000000000000..294b00d50dd76c6541831b5c53bf70a4d377dcc3 --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c 
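Review bot: ipa_extdom.h declares parse_request_data(), which allocates every string in `struct extdom_req` via ber_scanf's `a` format, and create_response(), which fills `struct extdom_res` with `const char *` borrowed from three different owners (request strings, winbind-allocated results, and a string SID buffer), but no release function for either struct; add a `free_req_data()`/`free_resp_data()` pair (freeing ber-allocated strings with ber_memfree and winbind results with wbcFreeMemory) so callers in ipa_extdom_extop.c have a defined way to release a request and response, and so ownership of each pointer in `struct extdom_res` is documented in one place.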
@@ -0,0 +1,498 @@ +/** BEGIN COPYRIGHT BLOCK + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + * + * Additional permission under GPLv3 section 7: + * + * In the following paragraph, "GPL" means the GNU General Public + * License, version 3 or any later version, and "Non-GPL Code" means + * code that is governed neither by the GPL nor a license + * compatible with the GPL. + * + * You may link the code of this Program with Non-GPL Code and convey + * linked combinations including the two, provided that such Non-GPL + * Code only links to the code of this Program through those well + * defined interfaces identified in the file named EXCEPTION found in + * the source code files (the "Approved Interfaces"). The files of + * Non-GPL Code may instantiate templates or use macros or inline + * functions from the Approved Interfaces without causing the resulting + * work to be covered by the GPL. Only the copyright holders of this + * Program may make changes or additions to the list of Approved + * Interfaces. + * + * Authors: + * Sumit Bose + * + * Copyright (C) 2011 Red Hat, Inc. + * All rights reserved. 
+ * END COPYRIGHT BLOCK **/ + +#ifndef _GNU_SOURCE +#define _GNU_SOURCE 1 /* for asprintf() */ +#endif + +#include +#include + +#include "ipa_extdom.h" +#include "util.h" + +int parse_request_data(struct berval *req_val, struct extdom_req **_req) +{ + BerElement *ber = NULL; + ber_tag_t tag; + ber_int_t input_type; + ber_int_t request_type; + ber_int_t id; + struct extdom_req *req; + +/* We expect the following request: + * ExtdomRequestValue ::= SEQUENCE { + * inputType ENUMERATED { + * sid (1), + * name (2), + * posix uid (3), + * posix gid (3) + * }, + * requestType ENUMERATED { + * simple (1), + * full (2) + * }, + * data InputData + * } + * + * InputData ::= CHOICE { + * sid OCTET STRING, + * name NameDomainData + * uid PosixUid, + * gid PosixGid + * } + * + * NameDomainData ::= SEQUENCE { + * domain_name OCTET STRING, + * object_name OCTET STRING + * } + * + * PosixUid ::= SEQUENCE { + * domain_name OCTET STRING, + * uid INTEGER + * } + * + * PosixGid ::= SEQUENCE { + * domain_name OCTET STRING, + * gid INTEGER + * } + */ + + if (req_val == NULL || req_val->bv_val == NULL || req_val->bv_len == 0) { + return LDAP_PROTOCOL_ERROR; + } + + ber = ber_init(req_val); + if (ber == NULL) { + return LDAP_PROTOCOL_ERROR; + } + + tag = ber_scanf(ber, "{ee", &input_type, &request_type); + if (tag == LBER_ERROR) { + ber_free(ber, 1); + return LDAP_PROTOCOL_ERROR; + } + + req = calloc(sizeof(struct extdom_req), 1); + if (req == NULL) { + return LDAP_OPERATIONS_ERROR; + } + + req->input_type = input_type; + req->request_type = request_type; + + switch (req->input_type) { + case INP_NAME: + tag = ber_scanf(ber, "{aa}}", &req->data.name.domain_name, + &req->data.name.object_name); + break; + case INP_SID: + tag = ber_scanf(ber, "a}", &req->data.sid); + break; + case INP_POSIX_UID: + tag = ber_scanf(ber, "{ai}}", &req->data.posix_uid.domain_name, + &id); + req->data.posix_uid.uid = (uid_t) id; + break; + case INP_POSIX_GID: + tag = ber_scanf(ber, "{ai}}", 
&req->data.posix_gid.domain_name, + &id); + req->data.posix_gid.gid = (gid_t) id; + break; + default: + ber_free(ber, 1); + return LDAP_PROTOCOL_ERROR; + } + ber_free(ber, 1); + if (tag == LBER_ERROR) { + return LDAP_PROTOCOL_ERROR; + } + + *_req = req; + + return LDAP_SUCCESS; +} + +static void free_domain_info(struct domain_info *domain_info) +{ + if (domain_info == NULL) { + return; + } + + sss_idmap_free(domain_info->idmap_ctx); + slapi_ch_free((void **) &domain_info->guid); + slapi_ch_free((void **) &domain_info->sid); + slapi_ch_free((void **) &domain_info->flat_name); + free(domain_info); +} + +/* TODO: A similar call is used in ipa_cldap_netlogon.c, maybe a candidate for + * a common library */ +static int get_domain_info(struct ipa_extdom_ctx *ctx, const char *domain_name, + struct domain_info **_domain_info) +{ + struct domain_info *domain_info = NULL; + Slapi_PBlock *pb = NULL; + Slapi_Entry **e = NULL; + char *filter = NULL; + int ret; + enum idmap_error_code err; + struct sss_idmap_range range; + + pb = slapi_pblock_new(); + if (pb == NULL) { + return ENOMEM; + } + + ret = asprintf(&filter, "(&(|(cn=%s)(ipaNTTrustPartner=%s)(ipaNTFlatName=%s))(objectclass=ipaNTTrustedDomain))", + domain_name, domain_name, domain_name); + if (ret == -1) { + ret = ENOMEM; + goto done; + } + + slapi_search_internal_set_pb(pb, ctx->base_dn, + LDAP_SCOPE_SUBTREE, filter, + NULL, 0, NULL, NULL, ctx->plugin_id, 0); + + slapi_search_internal_pb(pb); + slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &ret); + + if (ret != EOK) { + ret = ENOENT; + goto done; + } + + slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &e); + if (!e || !e[0] || e[1]) { + /* no matches or too many matches */ + ret = ENOENT; + goto done; + } + + domain_info = calloc(1, sizeof(struct domain_info)); + if (domain_info == NULL) { + ret = ENOMEM; + goto done; + } + + domain_info->guid = slapi_entry_attr_get_charptr(e[0], "ipaNTDomainGUID"); + domain_info->sid = slapi_entry_attr_get_charptr(e[0], + 
"ipaNTTrustedDomainSID"); + domain_info->flat_name = slapi_entry_attr_get_charptr(e[0], + "ipaNTFlatName"); + + /* TODO: read range from LDAP server */ + range.min = 200000; + range.max = 400000; + + err = sss_idmap_init(NULL, NULL, NULL, &domain_info->idmap_ctx); + if (err == IDMAP_SUCCESS) { + err = sss_idmap_add_domain(domain_info->idmap_ctx, domain_name, + domain_info->sid, &range); + } + if (err != IDMAP_SUCCESS) { + free_domain_info(domain_info); + ret = EFAULT; + goto done; + } + + *_domain_info = domain_info; + + ret = 0; + +done: + slapi_free_search_results_internal(pb); + slapi_pblock_destroy(pb); + free(filter); + return ret; + +} + +int handle_request(struct ipa_extdom_ctx *ctx, struct extdom_req *req, + struct extdom_res **res) +{ + wbcErr werr; + int ret; + struct wbcDomainSid sid; + char *domain_name; + char *name; + enum wbcSidType name_type; + struct domain_info *domain_info = NULL; + + ret = get_domain_info(ctx, req->data.name.domain_name, &domain_info); + if (ret != 0) { + return LDAP_OPERATIONS_ERROR; + } + + switch (req->input_type) { + case INP_SID: + werr = wbcStringToSid(req->data.sid, &sid); + if (!WBC_ERROR_IS_OK(werr)) { + ret = LDAP_OPERATIONS_ERROR; + goto done; + } + + werr = wbcLookupSid(&sid, &domain_name, &name, &name_type); + if (!WBC_ERROR_IS_OK(werr)) { + ret = LDAP_OPERATIONS_ERROR; + goto done; + } + + ret = create_response(req, domain_info, domain_name, name, &sid, + name_type, res); + if (ret != 0) { + ret = LDAP_OPERATIONS_ERROR; + goto done; + } + + break; + case INP_NAME: + werr = wbcLookupName(domain_info->flat_name, + req->data.name.object_name, &sid, &name_type); + if (!WBC_ERROR_IS_OK(werr)) { + ret = LDAP_OPERATIONS_ERROR; + goto done; + } + + ret = create_response(req, domain_info, req->data.name.domain_name, + req->data.name.object_name, &sid, name_type, + res); + if (ret != 0) { + ret = LDAP_OPERATIONS_ERROR; + goto done; + } + + break; + default: + ret = LDAP_PROTOCOL_ERROR; + goto done; + } + + ret = 
LDAP_SUCCESS; + +done: + free_domain_info(domain_info); + + return ret; +} + +int create_response(struct extdom_req *req, struct domain_info *domain_info, + const char *domain_name, + const char *name, struct wbcDomainSid *sid, + enum wbcSidType name_type, struct extdom_res **_res) +{ + int ret = EFAULT; + int len; + struct extdom_res *res; + uint32_t id; + enum idmap_error_code err; + char sid_str[WBC_SID_STRING_BUFLEN + 1]; + + res = malloc(sizeof(struct extdom_res)); + if (res == NULL) { + return ENOMEM; + } + + switch (req->request_type) { + case REQ_SIMPLE: + switch (req->input_type) { + case INP_SID: + res->response_type = RESP_NAME; + res->data.name.domain_name = domain_name; + res->data.name.object_name = name; + break; + case INP_NAME: + res->response_type = RESP_SID; + + len = wbcSidToStringBuf(sid, sid_str, + WBC_SID_STRING_BUFLEN); + if (len + 1 > WBC_SID_STRING_BUFLEN) { + ret = EINVAL; + goto done; + } + + res->data.sid = sid_str; + break; + default: + ret = EINVAL; + goto done; + } + break; + case REQ_FULL: + len = wbcSidToStringBuf(sid, sid_str, WBC_SID_STRING_BUFLEN); + if (len + 1 > WBC_SID_STRING_BUFLEN) { + ret = EINVAL; + goto done; + } + + err = sss_idmap_sid_to_unix(domain_info->idmap_ctx, sid_str, &id); + if (err != IDMAP_SUCCESS) { + ret = EINVAL; + goto done; + } + switch (name_type) { + case WBC_SID_NAME_USER: + res->response_type = RESP_USER; + res->data.user.domain_name = domain_name; + res->data.user.user_name = name; + + res->data.user.uid = (uid_t) id; + + /* We use MPGs for external users */ + res->data.user.gid = (gid_t) id; + break; + case WBC_SID_NAME_DOM_GRP: + res->response_type = RESP_GROUP; + res->data.group.domain_name = domain_name; + res->data.group.group_name = name; + + res->data.group.gid = (gid_t) id; + break; + default: + ret = EINVAL; + goto done; + } + break; + default: + ret = EINVAL; + goto done; + } + + ret = 0; + +done: + if (ret == 0) { + *_res = res; + } else { + free(res); + } + + return ret; +} + +int 
pack_response(struct extdom_res *res, struct berval **ret_val) +{ + BerElement *ber = NULL; + int ret; + +/* We send to follwing response: + * ExtdomResponseValue ::= SEQUENCE { + * responseType ENUMERATED { + * sid (1), + * name (2), + * posix_user (3), + * posix_group (4) + * }, + * data OutputData + * } + * + * OutputData ::= CHOICE { + * sid OCTET STRING, + * name NameDomainData, + * user PosixUser, + * group PosixGroup + * } + * + * NameDomainData ::= SEQUENCE { + * domain_name OCTET STRING, + * object_name OCTET STRING + * } + * + * PosixUser ::= SEQUENCE { + * domain_name OCTET STRING, + * user_name OCTET STRING, + * uid INTEGER + * gid INTEGER + * } + * + * PosixGroup ::= SEQUENCE { + * domain_name OCTET STRING, + * group_name OCTET STRING, + * gid INTEGER + * } + */ + + ber = ber_alloc_t( LBER_USE_DER ); + if (ber == NULL) { + return LDAP_OPERATIONS_ERROR; + } + + switch (res->response_type) { + case RESP_SID: + ret = ber_printf(ber,"{es}", res->response_type, res->data.sid); + break; + case RESP_NAME: + ret = ber_printf(ber,"{e{ss}}", res->response_type, + res->data.name.domain_name, + res->data.name.object_name); + break; + case RESP_USER: + ret = ber_printf(ber,"{e{ssii}}", res->response_type, + res->data.user.domain_name, + res->data.user.user_name, + res->data.user.uid, + res->data.user.gid); + break; + case RESP_GROUP: + ret = ber_printf(ber,"{e{ssi}}", res->response_type, + res->data.group.domain_name, + res->data.group.group_name, + res->data.group.gid); + break; + default: + ber_free(ber, 1); + return LDAP_OPERATIONS_ERROR; + } + + if (ret == -1) { + ber_free(ber, 1); + return LDAP_OPERATIONS_ERROR; + } + + ret = ber_flatten(ber, ret_val); + if (ret == -1) { + ber_free(ber, 1); + return LDAP_OPERATIONS_ERROR; + } + + ber_free(ber, 1); + + return LDAP_SUCCESS; +} 
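Review bot: In create_response(), `res->data.sid = sid_str;` stores a pointer to the function's own stack array `char sid_str[WBC_SID_STRING_BUFLEN + 1]`, which is out of scope by the time pack_response() reads `res->data.sid`, so every REQ_SIMPLE/INP_NAME response is built from a dangling pointer; duplicate the string (and free it when the response is released). In handle_request(), `get_domain_info(ctx, req->data.name.domain_name, &domain_info)` runs before the `switch (req->input_type)`; for INP_SID the union slot `req->data.name.domain_name` aliases `req->data.sid`, so the LDAP filter is built from the SID string, matches no ipaNTTrustedDomain entry and every SID lookup ends in LDAP_OPERATIONS_ERROR; do the domain lookup per case, after wbcLookupSid() has returned the domain name for the SID path. In get_domain_info(), the client-supplied domain_name is spliced into `(&(|(cn=%s)(ipaNTTrustPartner=%s)(ipaNTFlatName=%s))(objectclass=ipaNTTrustedDomain))` with asprintf and no escaping, which lets a request body alter the filter; escape it with a SLAPI helper such as slapi_escape_filter_value() before building the filter. In parse_request_data(), the `calloc` failure path returns without `ber_free(ber, 1)`, and the ber_scanf error and `default:` paths return without freeing `req` or the strings already scanned into it; also the ASN.1 comment lists `posix gid (3)` where the enum value is 4. Finally, the `domain_name`/`name` strings returned by wbcLookupSid() are never passed to wbcFreeMemory(), and `uid`/`gid` are passed to ber_printf's `i` format as unsigned types where the format expects ber_int_t, so values above INT_MAX would be encoded as negative integers.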
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c new file mode 100644 index 0000000000000000000000000000000000000000..d5a2f604c4a61bda04dd026ace4b53ea5c2c3645 --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c 
@@ -0,0 +1,234 @@ +/** BEGIN COPYRIGHT BLOCK + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + * + * Additional permission under GPLv3 section 7: + * + * In the following paragraph, "GPL" means the GNU General Public + * License, version 3 or any later version, and "Non-GPL Code" means + * code that is governed neither by the GPL nor a license + * compatible with the GPL. + * + * You may link the code of this Program with Non-GPL Code and convey + * linked combinations including the two, provided that such Non-GPL + * Code only links to the code of this Program through those well + * defined interfaces identified in the file named EXCEPTION found in + * the source code files (the "Approved Interfaces"). The files of + * Non-GPL Code may instantiate templates or use macros or inline + * functions from the Approved Interfaces without causing the resulting + * work to be covered by the GPL. Only the copyright holders of this + * Program may make changes or additions to the list of Approved + * Interfaces. + * + * Authors: + * Sumit Bose + * + * Copyright (C) 2011 Red Hat, Inc. + * All rights reserved. 
+ * END COPYRIGHT BLOCK **/ + +#include "ipa_extdom.h" +#include "util.h" + +Slapi_PluginDesc ipa_extdom_plugin_desc = { + IPA_EXTDOM_FEATURE_DESC, + "FreeIPA project", + "FreeIPA/1.0", + IPA_EXTDOM_PLUGIN_DESC +}; + +static char *ipa_extdom_oid_list[] = { + EXOP_EXTDOM_OID, + NULL +}; + +static char *ipa_extdom_name_list[] = { + IPA_EXTDOM_PLUGIN_DESC, + NULL +}; + +static int ipa_extdom_start(Slapi_PBlock *pb) +{ + return LDAP_SUCCESS; +} + +static int ipa_extdom_extop(Slapi_PBlock *pb) +{ + char *oid = NULL; + char *err_msg = NULL; + int rc; + int ret; + struct berval *req_val = NULL; + struct berval *ret_val = NULL; + struct extdom_req *req = NULL; + struct extdom_res *res = NULL; + struct ipa_extdom_ctx *ctx; + + ret = slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_OID, &oid); + if (ret != 0) { + rc = LDAP_OPERATIONS_ERROR; + err_msg = "Could not get OID value from request.\n"; + goto done; + } + LOG("Received extended operation request with OID %s\n", oid); + + if (strcasecmp(oid, EXOP_EXTDOM_OID) != 0) { + return SLAPI_PLUGIN_EXTENDED_NOT_HANDLED; + } + + ret = slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &req_val); + if (ret != 0) { + rc = LDAP_UNWILLING_TO_PERFORM; + err_msg = "Missing request data.\n"; + goto done; + } + + ret = slapi_pblock_get(pb, SLAPI_PLUGIN_PRIVATE, &ctx); + if (ret != 0) { + rc = LDAP_OPERATIONS_ERROR; + err_msg = "Missing plugin context.\n"; + goto done; + } + + ret = parse_request_data(req_val, &req); + if (ret != LDAP_SUCCESS) { + rc = LDAP_UNWILLING_TO_PERFORM; + err_msg = "Cannot parse request data.\n"; + goto done; + } + + ret = handle_request(ctx, req, &res); + if (ret != LDAP_SUCCESS) { + rc = LDAP_OPERATIONS_ERROR; + err_msg = "Failed to handle the request.\n"; + goto done; + } + + ret = pack_response(res, &ret_val); + if (ret != LDAP_SUCCESS) { + rc = LDAP_OPERATIONS_ERROR; + err_msg = "Failed to pack the response.\n"; + goto done; + } + + ret = slapi_pblock_set(pb, SLAPI_EXT_OP_RET_OID, EXOP_EXTDOM_OID); + if (ret != 0) { + rc = 
LDAP_OPERATIONS_ERROR; + err_msg = "Failed to set the OID for the response.\n"; + goto done; + } + + ret = slapi_pblock_set( pb, SLAPI_EXT_OP_RET_VALUE, ret_val); + if (ret != 0) { + rc = LDAP_OPERATIONS_ERROR; + err_msg = "Failed to set the value for the response.\n"; + goto done; + } + + rc = LDAP_SUCCESS; + +done: + free(req); + free(res); + if (err_msg != NULL) { + LOG(err_msg); + } + slapi_send_ldap_result(pb, rc, NULL, err_msg, 0, NULL); + return SLAPI_PLUGIN_EXTENDED_SENT_RESULT; +} + +static int ipa_extdom_init_ctx(Slapi_PBlock *pb, struct ipa_extdom_ctx **_ctx) +{ + struct ipa_extdom_ctx *ctx; + Slapi_Entry *e; + int ret; + + ctx = calloc(1, sizeof(struct ipa_extdom_ctx)); + if (!ctx) { + return LDAP_OPERATIONS_ERROR; + } + + ret = slapi_pblock_get(pb, SLAPI_PLUGIN_IDENTITY, &ctx->plugin_id); + if ((ret != 0) || (NULL == ctx->plugin_id)) { + LOG_FATAL("Could not get identity or identity was NULL\n"); + if (ret == 0) { + ret = -1; + } + goto done; + } + + slapi_pblock_get(pb, SLAPI_PLUGIN_CONFIG_ENTRY, &e); + if (!e) { + LOG_FATAL("Plugin configuration not found!\n"); + return -1; + } + + ctx->base_dn = slapi_entry_attr_get_charptr(e, "nsslapd-basedn"); + if (!ctx->base_dn) { + LOG_FATAL("Base DN not found in plugin configuration not found!\n"); + return -1; + } + + +done: + if (ret) { + free(ctx); + } else { + *_ctx = ctx; + } + return ret; +} + +int ipa_extdom_init(Slapi_PBlock *pb) +{ + int ret; + struct ipa_extdom_ctx *extdom_ctx; + + ret = ipa_extdom_init_ctx(pb, &extdom_ctx); + if (ret) { + LOG_FATAL("Failed ot initialize external domain extended operation.\n"); + /* do not cause DS to stop, simply do nothing */ + return 0; + } + + ret = slapi_pblock_set(pb, SLAPI_PLUGIN_VERSION, SLAPI_PLUGIN_VERSION_01); + if (!ret) { + ret = slapi_pblock_set(pb, SLAPI_PLUGIN_DESCRIPTION, + (void *)&ipa_extdom_plugin_desc); + } + if (!ret) { + ret = slapi_pblock_set(pb, SLAPI_PLUGIN_START_FN, + (void *)ipa_extdom_start); + } + if (!ret) { + ret = slapi_pblock_set(pb, 
SLAPI_PLUGIN_EXT_OP_OIDLIST, + ipa_extdom_oid_list); + } + if (!ret) { + ret = slapi_pblock_set(pb, SLAPI_PLUGIN_EXT_OP_NAMELIST, + ipa_extdom_name_list); + } + if (!ret) { + ret = slapi_pblock_set(pb, SLAPI_PLUGIN_EXT_OP_FN, + (void *)ipa_extdom_extop); + } + if (!ret) { + ret = slapi_pblock_set(pb, SLAPI_PLUGIN_PRIVATE, extdom_ctx); + } + if (ret) { + LOG("Failed to set plug-in version, function, and OID.\n" ); + return -1; + } + + return 0; +} diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_tests.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_tests.c new file mode 100644 index 0000000000000000000000000000000000000000..acb6ae2844eafe938a293a964efa2afe31e32b9e --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_tests.c 
@@ -0,0 +1,203 @@ +/** BEGIN COPYRIGHT BLOCK + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + * + * Additional permission under GPLv3 section 7: + * + * In the following paragraph, "GPL" means the GNU General Public + * License, version 3 or any later version, and "Non-GPL Code" means + * code that is governed neither by the GPL nor a license + * compatible with the GPL. + * + * You may link the code of this Program with Non-GPL Code and convey + * linked combinations including the two, provided that such Non-GPL + * Code only links to the code of this Program through those well + * defined interfaces identified in the file named EXCEPTION found in + * the source code files (the "Approved Interfaces"). The files of + * Non-GPL Code may instantiate templates or use macros or inline + * functions from the Approved Interfaces without causing the resulting + * work to be covered by the GPL. Only the copyright holders of this + * Program may make changes or additions to the list of Approved + * Interfaces. + * + * Authors: + * Sumit Bose + * + * Copyright (C) 2011 Red Hat, Inc. + * All rights reserved. 
+ * END COPYRIGHT BLOCK **/ + +#include + +#include "ipa_extdom.h" +#include "util.h" + +char req_sid[] = {0x30, 0x11, 0x0a, 0x01, 0x01, 0x0a, 0x01, 0x01, 0x04, 0x09, \ + 0x53, 0x2d, 0x31, 0x2d, 0x32, 0x2d, 0x33, 0x2d, 0x34}; +char req_nam[] = {0x30, 0x16, 0x0a, 0x01, 0x02, 0x0a, 0x01, 0x01, 0x30, 0x0e, \ + 0x04, 0x06, 0x44, 0x4f, 0x4d, 0x41, 0x49, 0x4e, 0x04, 0x04, \ + 0x74, 0x65, 0x73, 0x74}; +char req_uid[] = {0x30, 0x14, 0x0a, 0x01, 0x03, 0x0a, 0x01, 0x01, 0x30, 0x0c, \ + 0x04, 0x06, 0x44, 0x4f, 0x4d, 0x41, 0x49, 0x4e, 0x02, 0x02, \ + 0x30, 0x39}; +char req_gid[] = {0x30, 0x15, 0x0a, 0x01, 0x04, 0x0a, 0x01, 0x01, 0x30, 0x0d, \ + 0x04, 0x06, 0x44, 0x4f, 0x4d, 0x41, 0x49, 0x4e, 0x02, 0x03, \ + 0x00, 0xd4, 0x31}; + +char res_sid[] = {0x30, 0x0e, 0x0a, 0x01, 0x01, 0x04, 0x09, 0x53, 0x2d, 0x31, \ + 0x2d, 0x32, 0x2d, 0x33, 0x2d, 0x34}; +char res_nam[] = {0x30, 0x13, 0x0a, 0x01, 0x02, 0x30, 0x0e, 0x04, 0x06, 0x44, \ + 0x4f, 0x4d, 0x41, 0x49, 0x4e, 0x04, 0x04, 0x74, 0x65, 0x73, \ + 0x74}; +char res_uid[] = {0x30, 0x17, 0x0a, 0x01, 0x03, 0x30, 0x12, 0x04, 0x06, 0x44, \ + 0x4f, 0x4d, 0x41, 0x49, 0x4e, 0x04, 0x04, 0x74, 0x65, 0x73, \ + 0x74, 0x02, 0x02, 0x30, 0x39}; +char res_gid[] = {0x30, 0x1e, 0x0a, 0x01, 0x04, 0x30, 0x19, 0x04, 0x06, 0x44, \ + 0x4f, 0x4d, 0x41, 0x49, 0x4e, 0x04, 0x0a, 0x74, 0x65, 0x73, \ + 0x74, 0x5f, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x02, 0x03, 0x00, \ + 0xd4, 0x31}; + +#define TEST_SID "S-1-2-3-4" +#define TEST_DOMAIN_NAME "DOMAIN" + +START_TEST(test_encode) +{ + int ret; + struct extdom_res res; + struct berval *resp_val; + + res.response_type = RESP_SID; + res.data.sid = TEST_SID; + + ret = pack_response(&res, &resp_val); + + fail_unless(ret == LDAP_SUCCESS, "pack_response() failed."); + fail_unless(sizeof(res_sid) == resp_val->bv_len && + memcmp(res_sid, resp_val->bv_val, resp_val->bv_len) == 0, + "Unexpected BER blob."); + ber_memfree(resp_val); + + res.response_type = RESP_NAME; + res.data.name.domain_name = TEST_DOMAIN_NAME; + 
res.data.name.object_name = "test"; + + ret = pack_response(&res, &resp_val); + + fail_unless(ret == LDAP_SUCCESS, "pack_response() failed."); + fail_unless(sizeof(res_nam) == resp_val->bv_len && + memcmp(res_nam, resp_val->bv_val, resp_val->bv_len) == 0, + "Unexpected BER blob."); + ber_memfree(resp_val); +} +END_TEST + +START_TEST(test_decode) +{ + struct berval req_val; + struct extdom_req *req; + int ret; + + req_val.bv_val = req_sid; + req_val.bv_len = sizeof(req_sid); + + ret = parse_request_data(&req_val, &req); + + fail_unless(ret == LDAP_SUCCESS, "parse_request_data() failed."); + fail_unless(req->input_type == INP_SID, + "parse_request_data() returned unexpected input type"); + fail_unless(req->request_type == REQ_SIMPLE, + "parse_request_data() returned unexpected request type"); + fail_unless(strcmp(req->data.sid, "S-1-2-3-4") == 0, + "parse_request_data() returned unexpected sid"); + free(req); + + req_val.bv_val = req_nam; + req_val.bv_len = sizeof(req_nam); + + ret = parse_request_data(&req_val, &req); + + fail_unless(ret == LDAP_SUCCESS, + "parse_request_data() failed."); + fail_unless(req->input_type == INP_NAME, + "parse_request_data() returned unexpected input type"); + fail_unless(req->request_type == REQ_SIMPLE, + "parse_request_data() returned unexpected request type"); + fail_unless(strcmp(req->data.name.domain_name, "DOMAIN") == 0, + "parse_request_data() returned unexpected domain name"); + fail_unless(strcmp(req->data.name.object_name, "test") == 0, + "parse_request_data() returned unexpected object name"); + free(req); + + req_val.bv_val = req_uid; + req_val.bv_len = sizeof(req_uid); + + ret = parse_request_data(&req_val, &req); + + fail_unless(ret == LDAP_SUCCESS, + "parse_request_data() failed."); + fail_unless(req->input_type == INP_POSIX_UID, + "parse_request_data() returned unexpected input type"); + fail_unless(req->request_type == REQ_SIMPLE, + "parse_request_data() returned unexpected request type"); + 
fail_unless(strcmp(req->data.posix_uid.domain_name, "DOMAIN") == 0, + "parse_request_data() returned unexpected domain name"); + fail_unless(req->data.posix_uid.uid == 12345, + "parse_request_data() returned unexpected uid [%d]", + req->data.posix_uid.uid); + free(req); + + req_val.bv_val = req_gid; + req_val.bv_len = sizeof(req_gid); + + ret = parse_request_data(&req_val, &req); + + fail_unless(ret == LDAP_SUCCESS, + "parse_request_data() failed."); + fail_unless(req->input_type == INP_POSIX_GID, + "parse_request_data() returned unexpected input type"); + fail_unless(req->request_type == REQ_SIMPLE, + "parse_request_data() returned unexpected request type"); + fail_unless(strcmp(req->data.posix_gid.domain_name, "DOMAIN") == 0, + "parse_request_data() returned unexpected domain name"); + fail_unless(req->data.posix_gid.gid == 54321, + "parse_request_data() returned unexpected gid [%d]", + req->data.posix_gid.gid); + free(req); +} +END_TEST + +Suite * ipa_extdom_suite(void) +{ + Suite *s = suite_create("IPA extdom"); + + TCase *tc_core = tcase_create("Core"); + tcase_add_test(tc_core, test_decode); + tcase_add_test(tc_core, test_encode); + /* TODO: add test for create_response() */ + suite_add_tcase(s, tc_core); + + return s; +} + +int main(void) +{ + int number_failed; + + Suite *s = ipa_extdom_suite (); + SRunner *sr = srunner_create (s); + srunner_run_all (sr, CK_VERBOSE); + number_failed = srunner_ntests_failed (sr); + srunner_free (sr); + + return (number_failed == 0) ? EXIT_SUCCESS : EXIT_FAILURE; +} diff --git a/freeipa.spec.in b/freeipa.spec.in index 32fe64578bf8bd6a6d02a4fc08e46649076650a6..72ac0e7a2ad139aba1fd7b4ecc94f961a6743ab4 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in 
@@ -81,6 +81,8 @@ BuildRequires: python-lxml BuildRequires: python-pyasn1 >= 0.0.9a BuildRequires: python-dns BuildRequires: python-crypto +BuildRequires: check >= 0.9.5 +BuildRequires: libsss_idmap-devel %description IPA is an integrated solution to provide centrally managed Identity (machine, @@ -361,6 +363,7 @@ rm %{buildroot}/%{plugin_dir}/libipa_lockout.la rm %{buildroot}/%{plugin_dir}/libipa_cldap.la rm %{buildroot}/%{plugin_dir}/libipa_sidgen.la rm %{buildroot}/%{plugin_dir}/libipa_sidgen_task.la +rm %{buildroot}/%{plugin_dir}/libipa_extdom_extop.la rm %{buildroot}/%{_libdir}/krb5/plugins/kdb/ipadb.la rm %{buildroot}/%{_libdir}/samba/pdb/ipasam.la @@ -668,6 +671,7 @@ fi %files server-trust-ad %{_sbindir}/ipa-adtrust-install +%attr(755,root,root) %{plugin_dir}/libipa_extdom_extop.so %{_usr}/share/ipa/smb.conf.empty %attr(755,root,root) %{_libdir}/samba/pdb/ipasam.so %attr(755,root,root) %{plugin_dir}/libipa_sidgen.so @@ -728,6 +732,9 @@ fi %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt %changelog +* Fri Jun 21 2012 Sumit Bose - 2.99.0-36 +- Add extdom extop plugin + * Fri Jun 21 2012 Rob Crittenden - 2.99.0-35 - Add client requires on libsss-autofs, autofs, libnfsidmap and nfs-utils for configuring automount and NFS. diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py index ba2e6ef5dfe1b2ff6f588adf5ec53882e0f81d9b..967b54e25e46033019a52e51b0e0b916714aac34 100644 --- a/ipaserver/install/adtrustinstance.py +++ b/ipaserver/install/adtrustinstance.py @@ -230,6 +230,12 @@ class ADTRUSTInstance(service.Service): except: pass + def __add_extdom_module(self): + try: + self._ldap_mod("ipa-extdom-extop-conf.ldif", self.sub_dict) + except: + pass + def __write_smb_registry(self): template = os.path.join(ipautil.SHARE_DIR, "smb.conf.template") conf = ipautil.template_file(template, self.sub_dict) 
@@ -361,8 +367,9 @@ class ADTRUSTInstance(service.Service): def __start(self): try: self.start() + ipaservices.service('winbind').start() except: - root_logger.critical("smbd service failed to start") + root_logger.critical("CIFS services failed to start") def __stop(self): self.backup_state("running", self.is_running()) @@ -387,7 +394,12 @@ class ADTRUSTInstance(service.Service): self.suffix) except (ldap.ALREADY_EXISTS, errors.DuplicateEntry), e: root_logger.info("ADTRUST Service startup entry already exists.") - pass + + try: + self.ldap_enable('EXTID', self.fqdn, self.dm_password, \ + self.suffix) + except (ldap.ALREADY_EXISTS, errors.DuplicateEntry), e: + root_logger.info("EXTID Service startup entry already exists.") def __setup_sub_dict(self): self.sub_dict = dict(REALM = self.realm_name, @@ -438,17 +450,18 @@ class ADTRUSTInstance(service.Service): self.step("adding admin(group) SIDs", self.__add_admin_sids) self.step("activating CLDAP plugin", self.__add_cldap_module) self.step("activating sidgen plugin and task", self.__add_sidgen_module) + self.step("activating extdom plugin", self.__add_extdom_module) self.step("configuring smbd to start on boot", self.__enable) if not self.no_msdcs: self.step("adding special DNS service records", \ self.__add_dns_service_records) - self.step("restarting Directory Server to take MS PAC and CLDAP changes into account", \ + self.step("restarting Directory Server to take MS PAC and LDAP plugins changes into account", \ self.__restart_dirsrv) self.step("setting SELinux booleans", \ self.__configure_selinux_for_smbd) - self.step("starting smbd", self.__start) + self.step("starting CIFS services", self.__start) - self.start_creation("Configuring smbd:") + self.start_creation("Configuring CIFS:") def uninstall(self): if self.is_configured(): diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py index a3d09fcd633a851a67ef94b2025f1afb605d3d84..5cc7ae639db3fe2aa3805a90e0902f10f277064c 100644 
--- a/ipaserver/install/service.py +++ b/ipaserver/install/service.py @@ -42,7 +42,8 @@ SERVICE_LIST = { 'MEMCACHE':('ipa_memcached', 39), 'HTTP':('httpd', 40), 'CA':('pki-cad', 50), - 'ADTRUST':('smb', 60) + 'ADTRUST':('smb', 60), + 'EXTID':('winbind', 70) } def print_msg(message, output_fd=sys.stdout): -- 1.7.10.2 From mkosek at redhat.com Thu Jun 28 10:53:54 2012 
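Review bot: In create_response(), the REQ_SIMPLE/INP_NAME branch stores a pointer to a local array, `res->data.sid = sid_str;`, where `sid_str` lives on create_response()'s stack, so the struct handed back through `*_res` carries a dangling pointer by the time pack_response() calls ber_printf() on it. Copy the string (`res->data.sid = strdup(sid_str);` and free it together with the response) or make the buffer a member of struct extdom_res. The domain_name/name pointers stored in the RESP_NAME, RESP_USER and RESP_GROUP branches likewise alias the caller's memory, so the caller has to keep those alive until pack_response() has run; either document that contract or copy them too. Minor, in the pack_response() comment: "follwing", and PosixUser is missing the comma after `uid INTEGER`.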
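Review bot: ret_val is leaked on every path through ipa_extdom_extop(): pack_response() allocates it via ber_flatten(), slapi_pblock_set(SLAPI_EXT_OP_RET_VALUE) does not take ownership, and the done: block frees only req and res. Add `if (ret_val != NULL) ber_bvfree(ret_val);` after slapi_send_ldap_result(). In ipa_extdom_init_ctx(), the two `return -1;` statements after the SLAPI_PLUGIN_CONFIG_ENTRY and nsslapd-basedn checks bypass done: and leak ctx; use `ret = -1; goto done;` as the identity check does, and check the return value of that slapi_pblock_get() as well. `LOG(err_msg);` passes a variable as the format string; every current value is a literal, but `LOG("%s", err_msg);` keeps -Wformat-security clean and stays safe if a message is ever built from request data. Typos: "Failed ot initialize" and "Base DN not found in plugin configuration not found!".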
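Review bot: In test_encode, `ber_memfree(resp_val)` releases only the struct berval that ber_flatten() allocated, not resp_val->bv_val, so both encode cases leak the encoded blob; `ber_bvfree(resp_val)` frees both. The create_response() test is still a TODO; since create_response() hands back pointers to buffers it does not own (including its own local sid_str), a test that feeds its output through pack_response() and compares against a fixed blob, like res_sid above, would exercise exactly that lifetime problem.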
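Review bot: The new %changelog entry is dated `Fri Jun 21 2012`, but 21 June 2012 was a Thursday (this mail itself is dated Thu, 28 Jun 2012), and rpmbuild flags a weekday/date mismatch as a bogus changelog date; use `Thu Jun 21 2012` (the preceding 2.99.0-35 entry has the same defect). Also, `BuildRequires: check >= 0.9.5` only pays off if ipa_extdom_tests is actually run at build time, and the diff adds no %check section that invokes it.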
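Review bot: __add_extdom_module() wraps _ldap_mod() in a bare `except: pass`, so any failure to apply ipa-extdom-extop-conf.ldif (missing file, LDIF syntax error, LDAP error) is swallowed and the installer reports the "activating extdom plugin" step as done while the extended operation was never registered. It copies the neighbouring __add_*_module methods, but at least log the exception with root_logger, and consider letting anything other than an "already exists" error propagate.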
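Review bot: In __start(), `ipaservices.service('winbind').start()` is added inside the same try as self.start() and the message is generalised to "CIFS services failed to start", so the log no longer says whether smbd or winbind failed to start; start them in separate try blocks (or name the failing service in the message), and the bare `except:` also discards the exception text that would explain why.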
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 28 Jun 2012 12:53:54 +0200
Subject: [Freeipa-devel] [PATCH] Per-domain DNS update permissions
In-Reply-To: <4FEC21EC.4030305@redhat.com>
References: <1339766543.12383.48.camel@priserak> <1339769714.32038.0.camel@willson.li.ssimo.org> <1340000969.7024.2.camel@balmora.brq.redhat.com> <4FDF4B2F.8020401@redhat.com> <4FE446D1.1040101@redhat.com> <1340367792.32038.400.camel@willson.li.ssimo.org> <4FE46451.2010509@redhat.com> <1340369998.32038.404.camel@willson.li.ssimo.org> <4FE8B30B.4050005@redhat.com> <4FEB019A.5040603@redhat.com> <4FEB2E5D.8060003@redhat.com> <4FEC21EC.4030305@redhat.com>
Message-ID: <4FEC37C2.6020203@redhat.com>

On 06/28/2012 11:20 AM, Petr Viktorin wrote:
> On 06/27/2012 06:01 PM, Petr Viktorin wrote:
>> On 06/27/2012 02:50 PM, Martin Kosek wrote:
>>> On 06/25/2012 08:50 PM, Rob Crittenden wrote:
>>>> Simo Sorce wrote:
>>>>> On Fri, 2012-06-22 at 14:25 +0200, Martin Kosek wrote:
>>>>>> On 06/22/2012 02:23 PM, Simo Sorce wrote:
>>>>>>> On Fri, 2012-06-22 at 12:20 +0200, Martin Kosek wrote:
>>>>>>>> On 06/18/2012 05:37 PM, Rob Crittenden wrote:
>>>>>>>>> Martin Kosek wrote:
>>>>>>>>>> On Fri, 2012-06-15 at 10:15 -0400, Simo Sorce wrote:
>>>>>>>>>>> On Fri, 2012-06-15 at 15:22 +0200, Martin Kosek wrote:
>>>>>>>>>>>> Hello all,
>>>>>>>>>>>>
>>>>>>>>>>>> In a scope of ticket 2511 I would like to implement an ability to
>>>>>>>>>>>> delegate a DNS update permissions to chosen user (or host) without
>>>>>>>>>>>> having to give the user full "Update DNS Entries" privileges, i.e. allow
>>>>>>>>>>>> him to modify any DNS zone or record.
>>>>>>>>>>>>
>>>>>>>>>>>> So far, this is what I would like to do (comments welcome):
>>>>>>>>>>>>
>>>>>>>>>>>> 1) Create new objectclass "idnsManagedZone" with "managedBy" attribute
>>>>>>>>>>>> in MAY list
>>>>>>>>>>>> 2) Create new DNS commands:
>>>>>>>>>>>> a] dnszone-add-managedby [--users=USERS] [--hosts=HOSTS]
>>>>>>>>>>>> b] dnszone-remove-managedby [--users=USERS] [--hosts=HOSTS]
>>>>>>>>>>>> - these commands would add/remove chosen user/host DN to managedBy
>>>>>>>>>>>> attribute in chosen DNS zone
>>>>>>>>>>>> 3) Add new generic ACIs to cn=dns,$SUFFIX:
>>>>>>>>>>>> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl
>>>>>>>>>>>> "Users and hosts can add DNS entries";allow (add) userattr =
>>>>>>>>>>>> "parent[1].managedby#USERDN";)
>>>>>>>>>>>> ... add similar ACIs for UPDATE, REMOVE access
>>>>>>>>>>>>
>>>>>>>>>>>> With these steps done, all that an administrator would need to do to
>>>>>>>>>>>> delegate a management of a DNS zone "example.com" is to run this
>>>>>>>>>>>> command:
>>>>>>>>>>>> $ ipa dnszone-add-managedby example.com --users=fbar
>>>>>>>>>>>>
>>>>>>>>>>>> The only downside I found so far is that the user would already need to
>>>>>>>>>>>> have "Read DNS Entries" permission assigned, otherwise he would not be
>>>>>>>>>>>> able to actually read DNS entries (allow rules can't take precedence
>>>>>>>>>>>> over deny rule we implemented to deny public access to DNS tree).
>>>>>>>>>>>>
>>>>>>>>>>>> An admin could of course create a special privilege and role with just
>>>>>>>>>>>> "Read DNS Entries" permission and then assign it to relevant
>>>>>>>>>>>> users/groups, but this looks awkward. Any idea to make this simpler?
>>>>>>>>>>>> Maybe creating a group "dns readers" by default which would allow such
>>>>>>>>>>>> access?
>>>>>>>>>>>
>>>>>>>>>>> Change the deny rule to deny to everyone except the user in
>>>>>>>>>>> "parent[1].managedby#USERDN" ?
>>>>>>>>>>>
>>>>>>>>>>> Simo.
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Good idea, I will do that. I will just use
>>>>>>>>>> "parent[0,1].managedby#USERDN" so that user can also read the zone
>>>>>>>>>> record. This way, a selected user will have read/write access to the
>>>>>>>>>> chosen zone only, which is exactly what we want to achieve.
>>>>>>>>>
>>>>>>>>> Yes, this sounds workable to me too.
>>>>>>>>>
>>>>>>>>> rob
>>>>>>>>>
>>>>>>>>
>>>>>>>> There were some second thoughts about the proposed design, which I would
>>>>>>>> like to discuss so that we can eventually accept another (better)
>>>>>>>> solution for this feature.
>>>>>>>>
>>>>>>>> The main concern here was that proposed solution (based on user list in
>>>>>>>> managedBy attribute in DNS zone) is not in line with the rest of
>>>>>>>> permission&privilege architecture in IPA.
>>>>>>>>
>>>>>>>> Here is another idea how to address the feature (I tested it and it
>>>>>>>> would work):
>>>>>>>> 1) Get rid of the deny rule on cn=dns,$SUFFIX by modifying global access
>>>>>>>> rule (a working patch attached) to avoid current and future issues with
>>>>>>>> extending ACIs (deny rules are evil).
>>>>>>>>
>>>>>>>> 2) Add new Managed Entry Definition and Template to automatically add
>>>>>>>> "Manage DNS zone $idsname" permission. These could be used with standard
>>>>>>>> IPA privileges, roles and thus could be assigned to users, groups,
>>>>>>>> hosts, hostgroups...
>>>>>>>>
>>>>>>>> 3) New DNS zone managedBy attribute won't be manageable by user, but it
>>>>>>>> will hold a DN of the managed Permission entry
>>>>>>>>
>>>>>>>> 4) Add the following ACIs to cn=dns,$SUFFIX:
>>>>>>>> aci: (targetattr = "*")
>>>>>>>> (version 3.0; acl "Read DNS entries"; allow (read,search,compare)
>>>>>>>> userattr = "parent[0,1].managedby#GROUPDN";)
>>>>>>>>
>>>>>>>> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")
>>>>>>>> (version 3.0;acl "Add dns entries";allow (add)
>>>>>>>> userattr = "parent[1].managedby#GROUPDN";)
>>>>>>>>
>>>>>>>> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")
>>>>>>>> (version 3.0;acl "Remove DNS entries";allow (delete)
>>>>>>>> userattr = "parent[1].managedby#GROUPDN";)
>>>>>>>>
>>>>>>>> aci: (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl ||
>>>>>>>> dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord
>>>>>>>> || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord ||
>>>>>>>> hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord ||
>>>>>>>> locrecord || nxtrecord || naptrrecord || kxrecord || certrecord ||
>>>>>>>> dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord ||
>>>>>>>> idnsname || idnszoneactive || idnssoamname || idnssoarname ||
>>>>>>>> idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire ||
>>>>>>>> idnssoaminimum || idnsupdatepolicy || idnsallowquery ||
>>>>>>>> idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy ||
>>>>>>>> idnsforwarders")
>>>>>>>> (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update
>>>>>>>> DNS Entries";allow (write) userattr =
>>>>>>>> "parent[0,1].managedby#GROUPDN";)
>>>>>>>>
>>>>>>>> I needed to add permission DN to the managedBy attribute so that I could
>>>>>>>> create just one set of generic ACIs without having to create a set of
>>>>>>>> ACIs for every new zone and thus let users with "Update DNS entries"
>>>>>>>> permission have a write access to the "aci" attribute.
>>>>>>>>
>>>>>>>> Would this design be better than the previous one? Comments welcome.
>>>>>>>
>>>>>>> Removing Deny ACIs would be great.
>>>>>>> But don't we need a second set of ACIs to allow uber admins to still
>>>>>>> control all zones ? or is that part of current ACIs not going to
>>>>>>> change ?
>>>>>>>
>>>>>>> Simo.
>>>>>>>
>>>>>>
>>>>>> Thanks to the removal of the deny rule, this would be already allowed by
>>>>>> this existing ACI:
>>>>>>
>>>>>> aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword
>>>>>> || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName ||
>>>>>> krbCanonicalName || krbUPEnabled || krbTicketPolicyReference ||
>>>>>> krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference
>>>>>> || krbPrincipalType || krbPwdHistory || krbLastPwdChange ||
>>>>>> krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth ||
>>>>>> krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags ||
>>>>>> ipaUniqueId || memberOf || serverHostName || enrolledBy")(version 3.0;
>>>>>> acl "Admin can manage any entry"; allow (all) groupdn =
>>>>>> "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
>>>>>
>>>>> Oh right!
>>>>> I like it even more then :-)
>>>>>
>>>>> Simo.
>>>>>
>>>>
>>>> Yes, this looks like it will work and eliminating a deny rule is a
>>>> definite plus.
>>>>
>>>> rob
>>>
>>> I have finished a patch based on the second design. IMO it is indeed
>>> better - no deny ACI for DNS and just a standard permission for per-zone
>>> access delegation.
>>>
>>> There is just one difference from the proposed design draft: per-zone
>>> permissions are not created automatically by Managed Entry plugin, but
>>> rather manually and only for DNS zones where per-zone access is needed.
>>> There is a new command for that - dnszone-add-permission.
>>>
>>> This will leave permission tree cleaner + we won't have to deal with all
>>> Managed Entry plugin machinery.
>>>
>>> More details can be found in a commit message.
>>>
>>> Martin
>>>
>>
>> In permission_add_noaci.get_options, it would be better to filter out
>> the `permission.aci_attributes`. If you only allow ('all', 'raw',
>> 'permissiontype'), the list will have to be updated whenever a new
>> global option is added.
>> (This would happen for ticket #2732; I'll want to make the 'version'
>> argument explicit for all commands.)

Right, I fixed the option generation to rather simply filter out ACI
attribute list we already have available.

>>
>> Unprivileged users can find out if a zone is defined by trying to delete
>> it. Is this expected behavior?
>>
>> $ ipa dnszone-del idm.lab.bos.redhat.com
>> ipa: ERROR: Insufficient access: Insufficient 'delete' privilege to
>> delete the entry
>> 'idnsname=idm.lab.bos.redhat.com,cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com'.
>>
>> $ ipa dnszone-del does.not.exist
>> ipa: ERROR: does.not.exist: DNS zone not found

Yeah, that's true. Not sure if we can do much about it, that's how LDAP
behaves. But since no actual record value is returned to the user he could
only try to brute-force the LDAP structure. This should not hurt, he could
as well try to brute force the DNS records via DNS queries which would even
give him more information.

Bottom line is that I think that current ACIs are right, but I can be
convinced with a better solution...

>>
>> The patch works well on upgrade. Tomorrow I'll test a fresh install.
>>
>
> One more comment: there is no error message when removing a permission that
> doesn't exist:
>
> $ ./ipa dnszone_remove_permission idm.lab.bos.redhat.com
> ------------------------------------------------------------------
> Removed system permission "Manage DNS zone idm.lab.bos.redhat.com"
> ----------------------------------------------------------------
> $ ./ipa dnszone_remove_permission idm.lab.bos.redhat.com
> ------------------------------------------------------------------
> Removed system permission "Manage DNS zone idm.lab.bos.redhat.com"
> ----------------------------------------------------------------
>
> I found no other issues.
>

Fixed:

# ipa dnszone-remove-permission example.com
-------------------------------------------------------
Removed system permission "Manage DNS zone example.com"
-------------------------------------------------------
# ipa dnszone-remove-permission example.com
ipa: ERROR: Manage DNS zone example.com: permission not found

Martin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-277-3-per-domain-dns-record-permissions.patch
Type: text/x-patch
Size: 36415 bytes
Desc: not available
URL: 

From william at firstyear.id.au Thu Jun 28 11:08:23 2012
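The per-zone delegation model that Martin's message above settles on (allow-only ACIs keyed on `userattr = "parent[0,1].managedby#GROUPDN"`, no deny rule, and the existing admin `groupdn` ACI keeping full control) can be checked against a small simulation. The following is an added example, not code from the thread or from FreeIPA or 389-ds: it reduces DN handling and ACI matching to what is needed to show which operations a delegated user gets on one zone and nothing else. The suffix `dc=example,dc=com`, the zone and record entries, the permission/privilege/role chain and the users `fbar`, `admin` and `nobody` are all constructed; `targetattr` filtering, DN escaping and the search/compare rights of the real ACI engine are left out.

```python
"""Constructed, simplified model of the per-zone DNS delegation ACIs discussed
in the thread: allow-only rules keyed on
userattr = "parent[0,1].managedby#GROUPDN", with no deny rule.
Not 389-ds code; DN handling and ACI matching are reduced to what is needed
to show how the managedBy attribute scopes access to a single zone."""

SUFFIX = "dc=example,dc=com"                 # constructed sample suffix
DNS_BASE = "cn=dns," + SUFFIX
ADMINS = "cn=admins,cn=groups,cn=accounts," + SUFFIX
ZONE_PERM = "cn=Manage DNS zone example.com,cn=permissions,cn=pbac," + SUFFIX

# Constructed sample directory: DN -> attributes (multi-valued, lower-cased).
ENTRIES = {
    DNS_BASE: {"cn": ["dns"]},
    "idnsname=example.com," + DNS_BASE: {
        "idnsname": ["example.com"],
        "managedby": [ZONE_PERM],            # what dnszone-add-permission sets
    },
    "idnsname=www,idnsname=example.com," + DNS_BASE: {
        "idnsname": ["www"], "arecord": ["192.0.2.10"]},
    "idnsname=other.test," + DNS_BASE: {"idnsname": ["other.test"]},
    "idnsname=ns,idnsname=other.test," + DNS_BASE: {
        "idnsname": ["ns"], "arecord": ["192.0.2.53"]},
}

# Constructed membership graph: permission <- privilege <- role <- user, the
# way IPA nests them; GROUPDN is satisfied through nested membership.
GROUPS = {
    ZONE_PERM: {"cn=example.com DNS delegation,cn=privileges,cn=pbac," + SUFFIX},
    "cn=example.com DNS delegation,cn=privileges,cn=pbac," + SUFFIX:
        {"cn=example.com DNS admins,cn=roles,cn=accounts," + SUFFIX},
    "cn=example.com DNS admins,cn=roles,cn=accounts," + SUFFIX:
        {"uid=fbar,cn=users,cn=accounts," + SUFFIX},
    ADMINS: {"uid=admin,cn=users,cn=accounts," + SUFFIX},
}


def parent_dn(dn, level):
    """Ancestor of dn 'level' RDNs up; level 0 is dn itself.
    Simplified: RDNs are split on ',' and escaping is not handled."""
    rdns = dn.split(",")
    return ",".join(rdns[level:]) if level < len(rdns) else None


def is_member(bind_dn, group_dn, seen=None):
    """Transitive group membership, as the ACI GROUPDN keyword resolves it."""
    if seen is None:
        seen = set()
    if group_dn in seen:                     # guard against membership cycles
        return False
    seen.add(group_dn)
    return any(m == bind_dn or is_member(bind_dn, m, seen)
               for m in GROUPS.get(group_dn, ()))


def userattr_groupdn(bind_dn, target_dn, levels, attr="managedby"):
    """Model of userattr = "parent[levels].attr#GROUPDN": the bind DN must be
    a (nested) member of a group whose DN is a value of attr on the target
    entry (level 0) or on one of its ancestors (level n)."""
    for level in levels:
        ancestor = parent_dn(target_dn, level)
        entry = ENTRIES.get(ancestor, {}) if ancestor else {}
        if any(is_member(bind_dn, g) for g in entry.get(attr, [])):
            return True
    return False


def in_dns_target(dn):
    """target = "ldap:///idnsname=*,cn=dns,$SUFFIX": zones and records, not
    the cn=dns container itself."""
    return dn.startswith("idnsname=") and dn.endswith("," + DNS_BASE)


# The four allow ACIs from the thread as (operation, target match, rights).
# Read and write use parent[0,1] (the zone and its records); add and delete
# use parent[1] only, so the delegate cannot delete or re-create the zone
# entry itself, only the records beneath it.
ACIS = [
    ("read",   lambda dn: dn == DNS_BASE or in_dns_target(dn),
               lambda b, dn: userattr_groupdn(b, dn, (0, 1))),
    ("add",    in_dns_target, lambda b, dn: userattr_groupdn(b, dn, (1,))),
    ("delete", in_dns_target, lambda b, dn: userattr_groupdn(b, dn, (1,))),
    ("write",  in_dns_target, lambda b, dn: userattr_groupdn(b, dn, (0, 1))),
]


def allowed(bind_dn, op, target_dn):
    """Allow-only evaluation: with no deny rule, any matching allow ACI grants
    the operation, and the existing "Admin can manage any entry" groupdn ACI
    keeps full control for cn=admins without a second set of DNS ACIs."""
    if is_member(bind_dn, ADMINS):
        return True
    return any(rights(bind_dn, target_dn)
               for aci_op, target_ok, rights in ACIS
               if aci_op == op and target_ok(target_dn))


if __name__ == "__main__":
    fbar = "uid=fbar,cn=users,cn=accounts," + SUFFIX
    zone = "idnsname=example.com," + DNS_BASE
    for op, dn in [("read", zone), ("write", "idnsname=www," + zone),
                   ("add", "idnsname=mail," + zone), ("delete", zone),
                   ("write", "idnsname=ns,idnsname=other.test," + DNS_BASE)]:
        print(f"fbar {op:6} {dn}: {'allow' if allowed(fbar, op, dn) else 'deny'}")
```

Running it shows the least-privilege shape of the design: `fbar` reads and writes `example.com` and its records and can add or delete records under it, but cannot delete the zone entry (its parent `cn=dns` carries no `managedBy`) and gets nothing on `other.test`, while `admin` is allowed everything through the pre-existing admin ACI alone.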
From: william at firstyear.id.au (William Brown)
Date: Thu, 28 Jun 2012 20:38:23 +0930
Subject: [Freeipa-devel] [SOLVED] Build failure in ipa_sam
In-Reply-To: <20120628100558.GB6687@redhat.com>
References: <4FEC17B7.9070607@firstyear.id.au> <20120628091322.GA6687@redhat.com> <4FEC2AF3.3090109@firstyear.id.au> <20120628100558.GB6687@redhat.com>
Message-ID: <4FEC3B27.1040201@firstyear.id.au>

On 28/06/12 19:35, Alexander Bokovoy wrote:
> On Thu, 28 Jun 2012, William Brown wrote:
>> On 28/06/12 18:43, Alexander Bokovoy wrote:
>>> On Thu, 28 Jun 2012, William Brown wrote:
>>>> Making all in ipa-sam
>>>> make[4]: Entering directory `/home/william/development/freeipa/rpmbuild/BUILD/freeipa-2.99.0GIT8ce7330/daemons/ipa-sam'
>>>> /bin/sh ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I.. -I. -I. -I/usr/include/samba-4.0 -DPREFIX=\""/usr"\" -DBINDIR=\""/usr/bin"\" -DLIBDIR=\""/usr/lib64"\" -DLIBEXECDIR=\""/usr/libexec"\" -DDATADIR=\""/usr/share"\" -DLDAPIDIR=\""/var/run"\" -DHAVE_LDAP -I ../../util -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith -Wcast-align -Werror-implicit-function-declaration -DWITH_OPENLDAP -I/usr/include/nspr4 -I/usr/include/nss3 -DUSE_OPENLDAP -DHAVE_IMMEDIATE_STRUCTURES=1 -I/usr/include/samba-4.0 -DHAVE_IMMEDIATE_STRUCTURES=1 -D_GNU_SOURCE=1 -I/usr/include/samba-4.0 -I/usr/include/nspr4 -I/usr/include/nss3 -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith -Wcast-align -Werror-implicit-function-declaration -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -MT ipa_sam.lo -MD -MP -MF .deps/ipa_sam.Tpo -c -o ipa_sam.lo ipa_sam.c
>>>> libtool: compile: gcc -DHAVE_CONFIG_H -I. -I.. -I. -I. -I/usr/include/samba-4.0 -DPREFIX=\"/usr\" -DBINDIR=\"/usr/bin\" -DLIBDIR=\"/usr/lib64\" -DLIBEXECDIR=\"/usr/libexec\" -DDATADIR=\"/usr/share\" -DLDAPIDIR=\"/var/run\" -DHAVE_LDAP -I ../../util -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith -Wcast-align -Werror-implicit-function-declaration -DWITH_OPENLDAP -I/usr/include/nspr4 -I/usr/include/nss3 -DUSE_OPENLDAP -DHAVE_IMMEDIATE_STRUCTURES=1 -I/usr/include/samba-4.0 -DHAVE_IMMEDIATE_STRUCTURES=1 -D_GNU_SOURCE=1 -I/usr/include/samba-4.0 -I/usr/include/nspr4 -I/usr/include/nss3 -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith -Wcast-align -Werror-implicit-function-declaration -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -MT ipa_sam.lo -MD -MP -MF .deps/ipa_sam.Tpo -c ipa_sam.c -fPIC -DPIC -o .libs/ipa_sam.o
>>>> ipa_sam.c:510:17: warning: 'struct unixid' declared inside parameter list [enabled by default]
>>> Missing 'struct unixid' means you don't have newer samba4 packages.
>>>
>>>> ipa_sam.c:510:17: warning: its scope is only this definition or declaration, which is probably not what you want [enabled by default]
>>>> ipa_sam.c: In function 'ldapsam_sid_to_id':
>>>> ipa_sam.c:583:3: error: implicit declaration of function 'unixid_from_gid' [-Werror=implicit-function-declaration]
>>>> ipa_sam.c:598:2: error: implicit declaration of function 'unixid_from_uid' [-Werror=implicit-function-declaration]
>>>> ipa_sam.c: In function 'set_krb_princ':
>>>> ipa_sam.c:1456:8: warning: unused variable 'inp' [-Wunused-variable]
>>>> ipa_sam.c: In function 'ldap_sasl_interact':
>>>> ipa_sam.c:3100:18: warning: unused variable 'krberr' [-Wunused-variable]
>>>> ipa_sam.c:3099:8: warning: unused variable 'outname' [-Wunused-variable]
>>>> ipa_sam.c:3098:15: warning: unused variable 'krbctx' [-Wunused-variable]
>>>> ipa_sam.c: At top level:
>>>> ipa_sam.c:3126:1: warning: function declaration isn't a prototype [-Wstrict-prototypes]
>>>> ipa_sam.c:3127:1: warning: function declaration isn't a prototype [-Wstrict-prototypes]
>>>> ipa_sam.c: In function 'bind_callback':
>>>> ipa_sam.c:3131:18: warning: variable 'rc' set but not used [-Wunused-but-set-variable]
>>>> ipa_sam.c: In function 'pdb_init_ipasam':
>>>> ipa_sam.c:3355:27: warning: assignment from incompatible pointer type [enabled by default]
>>>> cc1: some warnings being treated as errors
>>>> make[4]: *** [ipa_sam.lo] Error 1
>>>> make[4]: Leaving directory `/home/william/development/freeipa/rpmbuild/BUILD/freeipa-2.99.0GIT8ce7330/daemons/ipa-sam'
>>>> make[3]: *** [all-recursive] Error 1
>>>> make[3]: Leaving directory `/home/william/development/freeipa/rpmbuild/BUILD/freeipa-2.99.0GIT8ce7330/daemons'
>>>> make[2]: *** [all] Error 2
>>>> make[2]: Leaving directory `/home/william/development/freeipa/rpmbuild/BUILD/freeipa-2.99.0GIT8ce7330/daemons'
>>>> make[1]: *** [all] Error 1
>>>> make[1]: Leaving
directory >>>> `/home/william/development/freeipa/rpmbuild/BUILD/freeipa-2.99.0GIT8ce7330' >>>> >>>> >>>> error: Bad exit status from /var/tmp/rpm-tmp.tskROb (%build) >>>> >>>> >>>> RPM build errors: >>>> Bad exit status from /var/tmp/rpm-tmp.tskROb (%build) >>>> make: *** [rpms] Error 1 >>>> >>>> >>>> Git master (Not my feature branches) >>> Make sure you have at least samba4 beta1 packages installed as required >>> by the >>> freeipa.spec.in file. I have samba4-devel-4.0.0-124beta1.fc17.x86_64 >>> from ipa-devel >>> repo. >> >> Is that the repo at: >> >> [ipa-devel] >> name=IPA development $releasever - $basearch >> baseurl=http://jdennis.fedorapeople.org/ipa-devel/fedora/$releasever/$basearch/os/ >> >> enabled=0 >> gpgcheck=0 > Yes. > > Note that FreeIPA git master is only working on F17 with packages from the > ipa-devel repo. > Yep I'm on f17. Updated ipa-devel, working now. Thanks. -- Sincerely, William Brown pgp.mit.edu http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x3C0AC6DAB2F928A2 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 945 bytes Desc: OpenPGP digital signature URL: From mkosek at redhat.com Thu Jun 28 11:09:27 2012 
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 28 Jun 2012 13:09:27 +0200 Subject: [Freeipa-devel] [PATCH] 18 Add external domain extop DS plugin In-Reply-To: <20120628101907.GN29454@localhost.localdomain> References: <20120323125234.GU2301@localhost.localdomain> <20120607092729.GM8124@localhost.localdomain> <20120611144617.GR25726@redhat.com> <20120613102642.GG20850@localhost.localdomain> <20120613103749.GH20850@localhost.localdomain> <20120627161429.GK29454@localhost.localdomain> <20120627163853.GJ16889@redhat.com> <4FEC0D2E.6070503@redhat.com> <20120628101907.GN29454@localhost.localdomain> Message-ID: <4FEC3B67.4060104@redhat.com> On 06/28/2012 12:19 PM, Sumit Bose wrote: > On Thu, Jun 28, 2012 at 09:52:14AM +0200, Martin Kosek wrote: >> On 06/27/2012 06:38 PM, Alexander Bokovoy wrote: >>> On Wed, 27 Jun 2012, Sumit Bose wrote: >>>> On Wed, Jun 13, 2012 at 12:37:49PM +0200, Sumit Bose wrote: >>>>> On Wed, Jun 13, 2012 at 12:26:43PM +0200, Sumit Bose wrote: >>>>>> On Mon, Jun 11, 2012 at 05:46:17PM +0300, Alexander Bokovoy wrote: >>>>>>> On Thu, 07 Jun 2012, Sumit Bose wrote: >>>>>>>> On Fri, Mar 23, 2012 at 01:52:34PM +0100, Sumit Bose wrote: >>>>>>>>> Hi, >>>>>>>>> >>>>>>>>> these two patches introduce a new extended operation to the IPA server >>>>>>>>> which can be used by clients in the IPA domain to obtain information >>>>>>>>> about users and groups from trusted domains. Currently this exop is used >>>>>>>>> by the sssd sub-domain patch to map user names from a trusted AD domain >>>>>>>>> to a SID and back. There is also some code for other kind of requests >>>>>>>>> which might become useful in future, e.g. with trusted IPA domain. >>>>>>>>> >>>>>>>>> I added some unit test and added check for the check unit test framework >>>>>>>>> for C (http://check.sourceforge.net/) which is used by sssd as well. I >>>>>>>>> modified the spec file that the test is run during the build of the >>>>>>>>> packages. I hope this is ok. 
>>>>>>>>> >>>>>>>>> The patches depend on the idmap library patch which was ACKed recently >>>>>>>>> on sssd-devel and as mentioned before the sub-domain patches on >>>>>>>>> sssd-devel can only be fully tested with an IPA server which has these >>>>>>>>> patches applied. >>>>>>>>> >>>>>>>>> Since Alexander is currently rewriting parts of the ipa-adtrust-install >>>>>>>>> utility I stand back from adding activation code for the exop to >>>>>>>>> ipa-adtrust-install and will send a patch when Alexander's changes are >>>>>>>>> available. So currently extdom-extop-conf.ldif has to be loaded manually >>>>>>>>> after replacing $SUFFIX to activate the new exop. >>>>>>>>> >>>>>>>>> bye, >>>>>>>>> Sumit >>>>>>>> >>>>>>>> Please find a rebased version of the patches which work on top of >>>>>>>> Alexander's latest series of patches. The patches now also contain the >>>>>>>> loading of extdom-extop-conf.ldif and the activation of winbind. >>>>>>> Thanks for the rebase. >>>>>>> >>>>>>> Few comments. >>>>>>> >>>>>>> 1.The extdom plugin should support IDMAP_BOTH. We do provide user private >>>>>>> groups so in our case it should be viewed as preferred output. Thus you >>>>>>> would need to add new response type to cover this case. >>>>>> >>>>>> Currently the plugin only uses winbind to map SIDs to names and back and >>>>>> in the returned user data the user private groups are already respected >>>>>> by setting the GID to the UID. On the client side sssd handles the >>>>>> trusted domains a mpg (magic private group) domains. >>>>>> >>>>>>> >>>>>>> 2. 
I have tried to look at the plugin description from point of view of >>>>>>> a system administrator and I failed to understand what it does: >>>>>>>> +#define IPA_EXTDOM_PLUGIN_NAME "ipa-extdom-extop" >>>>>>>> +#define IPA_EXTDOM_FEATURE_DESC "IPA EXTDOM ID mapper" >>>>>>>> +#define IPA_EXTDOM_PLUGIN_DESC "IPA EXTDOM ID mapper Extended >>>>> Operation plugin" >>>>>>> >>>>>>> In the ipa-extdom-extop-conf.ldif you have following description: >>>>>>>> +nsslapd-plugindescription: Support resolving IDs in trusted domains to >>>>> names and back >>>>>>> Probably it is better to reuse the same description in >>>>> IPA_EXTDOM_PLUGIN_DESC? >>>>>>> >>>>>>> This is a minor point but EXTDOM itself is vague. Maybe we should be >>>>> more clear >>>>>>> and call it 'IPA trusted domain ID mapper' as it really limits itself to >>>>>>> only trusted domains? We don't dispatch winbind request if the domain is >>>>>>> not found in our list of trusted domains. >>>>>> >>>>>> I have updated the descriptions. I prefer the EXTDOM prefix because >>>>>> there might be future use cases where we might want to get some data >>>>>> from other domains without trust. But I'm happy to change it if you like >>>>>> a different prefix better. >>>>>> >>>>>>> >>>>>>> 3. Could you please define the oid in ipa_extdom.h so that it could be >>>>>>> useful for client code as well? >>>>>>>> +#define EXOP_EXTDOM_OID "2.16.840.1.113730.3.8.10.4" >>>>>> >>>>>> done >>>>>> >>>>>> New version attached. >>>>> >>>>> ah. sorry, forgot to squash in some changes. >>>>> >>>>> Additionally I moved the binary to the freeipa-server-trust-ad package >>>>> to avoid additional dependencies in the freeipa-server package. >>>>> >>>>> bye, >>>>> Sumit >>>>> >>>>>> >>>>>>> >>>>>>> 4. Do we have 'check' tool in RHEL6? >>>>>> >>>>>> yes, current version is check-0.9.8-1.1.el6 >>>>>> >>>>>> Thank you for the review. 
>>>>>>
>>>>>> bye,
>>>>>> Sumit
>>>>>>> --
>>>>>>> / Alexander Bokovoy
>>>>
>>>> rebased version with some changes by Alexander attached.
>>> ACK from my side. Works in tests I've run.
>>
>> Patch 17 pushed to master.
>>
>> Patch 18 does not apply. I also have one question related to this patch:
>
> a rebased version is attached.
>
>>
>> We added a winbind service to ADTRUSTInstance which is now being configured as
>> a part of ipa-adtrust-install. To make this cleaner, we may want to write
>> winbind's own service.Service class which would do the necessary configuration
>> and could be also better expanded in the future.
>
> Currently none of the configuration steps are done exclusively for
> winbind, e.g. winbind will use the same credential as the smbd to access
> the directory server. I would agree to create a class for winbind if it
> turns out that we have to add special winbind options, but for now we
> only need to start the winbind process.

Ok, let's keep the current setup and expand when needed. I also did a few installation
tests with your patch, everything worked fine.

So ACK #2, pushed to master.

Martin

From mkosek at redhat.com Thu Jun 28 11:51:28 2012
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 28 Jun 2012 13:51:28 +0200 Subject: [Freeipa-devel] [PATCH] 18 Add external domain extop DS plugin In-Reply-To: <4FEC3B67.4060104@redhat.com> References: <20120323125234.GU2301@localhost.localdomain> <20120607092729.GM8124@localhost.localdomain> <20120611144617.GR25726@redhat.com> <20120613102642.GG20850@localhost.localdomain> <20120613103749.GH20850@localhost.localdomain> <20120627161429.GK29454@localhost.localdomain> <20120627163853.GJ16889@redhat.com> <4FEC0D2E.6070503@redhat.com> <20120628101907.GN29454@localhost.localdomain> <4FEC3B67.4060104@redhat.com> Message-ID: <4FEC4540.6030006@redhat.com> On 06/28/2012 01:09 PM, Martin Kosek wrote: > On 06/28/2012 12:19 PM, Sumit Bose wrote: >> On Thu, Jun 28, 2012 at 09:52:14AM +0200, Martin Kosek wrote: >>> On 06/27/2012 06:38 PM, Alexander Bokovoy wrote: >>>> On Wed, 27 Jun 2012, Sumit Bose wrote: >>>>> On Wed, Jun 13, 2012 at 12:37:49PM +0200, Sumit Bose wrote: >>>>>> On Wed, Jun 13, 2012 at 12:26:43PM +0200, Sumit Bose wrote: >>>>>>> On Mon, Jun 11, 2012 at 05:46:17PM +0300, Alexander Bokovoy wrote: >>>>>>>> On Thu, 07 Jun 2012, Sumit Bose wrote: >>>>>>>>> On Fri, Mar 23, 2012 at 01:52:34PM +0100, Sumit Bose wrote: >>>>>>>>>> Hi, >>>>>>>>>> >>>>>>>>>> these two patches introduce a new extended operation to the IPA server >>>>>>>>>> which can be used by clients in the IPA domain to obtain information >>>>>>>>>> about users and groups from trusted domains. Currently this exop is used >>>>>>>>>> by the sssd sub-domain patch to map user names from a trusted AD domain >>>>>>>>>> to a SID and back. There is also some code for other kind of requests >>>>>>>>>> which might become useful in future, e.g. with trusted IPA domain. >>>>>>>>>> >>>>>>>>>> I added some unit test and added check for the check unit test framework >>>>>>>>>> for C (http://check.sourceforge.net/) which is used by sssd as well. 
I >>>>>>>>>> modified the spec file that the test is run during the build of the >>>>>>>>>> packages. I hope this is ok. >>>>>>>>>> >>>>>>>>>> The patches depend on the idmap library patch which was ACKed recently >>>>>>>>>> on sssd-devel and as mentioned before the sub-domain patches on >>>>>>>>>> sssd-devel can only be fully tested with an IPA server which has these >>>>>>>>>> patches applied. >>>>>>>>>> >>>>>>>>>> Since Alexander is currently rewriting parts of the ipa-adtrust-install >>>>>>>>>> utility I stand back from adding activation code for the exop to >>>>>>>>>> ipa-adtrust-install and will send a patch when Alexander's changes are >>>>>>>>>> available. So currently extdom-extop-conf.ldif has to be loaded manually >>>>>>>>>> after replacing $SUFFIX to activate the new exop. >>>>>>>>>> >>>>>>>>>> bye, >>>>>>>>>> Sumit >>>>>>>>> >>>>>>>>> Please find a rebased version of the patches which work on top of >>>>>>>>> Alexander's latest series of patches. The patches now also contain the >>>>>>>>> loading of extdom-extop-conf.ldif and the activation of winbind. >>>>>>>> Thanks for the rebase. >>>>>>>> >>>>>>>> Few comments. >>>>>>>> >>>>>>>> 1.The extdom plugin should support IDMAP_BOTH. We do provide user private >>>>>>>> groups so in our case it should be viewed as preferred output. Thus you >>>>>>>> would need to add new response type to cover this case. >>>>>>> >>>>>>> Currently the plugin only uses winbind to map SIDs to names and back and >>>>>>> in the returned user data the user private groups are already respected >>>>>>> by setting the GID to the UID. On the client side sssd handles the >>>>>>> trusted domains a mpg (magic private group) domains. >>>>>>> >>>>>>>> >>>>>>>> 2. 
I have tried to look at the plugin description from point of view of >>>>>>>> a system administrator and I failed to understand what it does: >>>>>>>>> +#define IPA_EXTDOM_PLUGIN_NAME "ipa-extdom-extop" >>>>>>>>> +#define IPA_EXTDOM_FEATURE_DESC "IPA EXTDOM ID mapper" >>>>>>>>> +#define IPA_EXTDOM_PLUGIN_DESC "IPA EXTDOM ID mapper Extended >>>>>> Operation plugin" >>>>>>>> >>>>>>>> In the ipa-extdom-extop-conf.ldif you have following description: >>>>>>>>> +nsslapd-plugindescription: Support resolving IDs in trusted domains to >>>>>> names and back >>>>>>>> Probably it is better to reuse the same description in >>>>>> IPA_EXTDOM_PLUGIN_DESC? >>>>>>>> >>>>>>>> This is a minor point but EXTDOM itself is vague. Maybe we should be >>>>>> more clear >>>>>>>> and call it 'IPA trusted domain ID mapper' as it really limits itself to >>>>>>>> only trusted domains? We don't dispatch winbind request if the domain is >>>>>>>> not found in our list of trusted domains. >>>>>>> >>>>>>> I have updated the descriptions. I prefer the EXTDOM prefix because >>>>>>> there might be future use cases where we might want to get some data >>>>>>> from other domains without trust. But I'm happy to change it if you like >>>>>>> a different prefix better. >>>>>>> >>>>>>>> >>>>>>>> 3. Could you please define the oid in ipa_extdom.h so that it could be >>>>>>>> useful for client code as well? >>>>>>>>> +#define EXOP_EXTDOM_OID "2.16.840.1.113730.3.8.10.4" >>>>>>> >>>>>>> done >>>>>>> >>>>>>> New version attached. >>>>>> >>>>>> ah. sorry, forgot to squash in some changes. >>>>>> >>>>>> Additionally I moved the binary to the freeipa-server-trust-ad package >>>>>> to avoid additional dependencies in the freeipa-server package. >>>>>> >>>>>> bye, >>>>>> Sumit >>>>>> >>>>>>> >>>>>>>> >>>>>>>> 4. Do we have 'check' tool in RHEL6? >>>>>>> >>>>>>> yes, current version is check-0.9.8-1.1.el6 >>>>>>> >>>>>>> Thank you for the review. 
>>>>>>>
>>>>>>> bye,
>>>>>>> Sumit
>>>>>>>> --
>>>>>>>> / Alexander Bokovoy
>>>>>
>>>>> rebased version with some changes by Alexander attached.
>>>> ACK from my side. Works in tests I've run.
>>>
>>> Patch 17 pushed to master.
>>>
>>> Patch 18 does not apply. I also have one question related to this patch:
>>
>> a rebased version is attached.
>>
>>>
>>> We added a winbind service to ADTRUSTInstance which is now being configured as
>>> a part of ipa-adtrust-install. To make this cleaner, we may want to write
>>> winbind's own service.Service class which would do the necessary configuration
>>> and could be also better expanded in the future.
>>
>> Currently none of the configuration steps are done exclusively for
>> winbind, e.g. winbind will use the same credential as the smbd to access
>> the directory server. I would agree to create a class for winbind if it
>> turns out that we have to add special winbind options, but for now we
>> only need to start the winbind process.
>
> Ok, let's keep the current setup and expand when needed. I also did a few installation
> tests with your patch, everything worked fine.
>
> So ACK #2, pushed to master.
>
> Martin

There was a missing Requires for libsss_idmap on the freeipa-server-trust-ad package.
Fixed and pushed as a one-liner (attached).

Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-280-add-missing-libsss_idmap-requires-on-freeipa-server-.patch
Type: text/x-patch
Size: 768 bytes
Desc: not available
URL:

From abokovoy at redhat.com Thu Jun 28 12:16:51 2012
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 28 Jun 2012 15:16:51 +0300 Subject: [Freeipa-devel] [PATCH] External group membership for trusted domains In-Reply-To: <20120627141930.GC16889@redhat.com> References: <20120621152602.GA28689@redhat.com> <20120625105914.GX29454@localhost.localdomain> <20120625130652.GC5935@redhat.com> <20120627095656.GB16889@redhat.com> <20120627103605.GG29454@localhost.localdomain> <4FEAEFAB.2080604@redhat.com> <20120627141930.GC16889@redhat.com> Message-ID: <20120628121651.GC6687@redhat.com> On Wed, 27 Jun 2012, Alexander Bokovoy wrote: > On Wed, 27 Jun 2012, Petr Viktorin wrote: >> On 06/27/2012 12:36 PM, Sumit Bose wrote: >>> On Wed, Jun 27, 2012 at 12:56:56PM +0300, Alexander Bokovoy wrote: >>>> On Mon, 25 Jun 2012, Alexander Bokovoy wrote: >>>>> On Mon, 25 Jun 2012, Sumit Bose wrote: >>>>>> Hi Alexander, >>>>>> >>>>>> On Thu, Jun 21, 2012 at 06:26:02PM +0300, Alexander Bokovoy wrote: >>>>>>> Hi! >>>>>>> >>>>>>> Attached is the patch to support external group membership for trusted >>>>>>> domains. This is needed to get proper group membership with the work >>>>>>> Sumit and Jan are doing on both IPA and SSSD sides. >>>>>>> >>>>>>> We already have ipaExternalGroup class that includes ipaExternalMember >>>>>>> attribute (multivalued case-insensitive string). The group that has >>>>>>> ipaExternalGroup object class will have to be non-POSIX and >>>>>>> ipaExternalMember >>>>>>> attribute will contain security identifiers (SIDs) of members from >>>>>>> trusted domains. >>>>>>> >>>>>>> The patch takes care of three things: >>>>>>> 1. Extends 'ipa group-add' with --external option to add >>>>>>> ipaExternalGroup object class to a new group >>>>>>> 2. Modifies 'ipa group-add-member' to accept --external CSV argument >>>>>>> to specify SIDs >>>>>>> 3. Modifies 'ipa group-del-member' to allow removing external members. 
>>>>>>
>>>>>> thank you for the patch, it works as expected, but I have a few
>>>>>> comments:
>>>>>>
>>>>>> - there is a trailing whitespace at the end of the "This means we can't
>>>>>> check the correctness of a trusted domain SIDs" line
>>>>>> - when using ipa group-add-member with --external there are still prompts
>>>>>> for [member user] and [member group], can those be suppressed?
>>>>>> - with ipa group-mod --posix it is possible to add the posixGroup
>>>>>> objectclass together with a GID to the extern group object. This
>>>>>> should result in an error and also the other way round, adding
>>>>>> --external to Posix groups.
>>>>> Updated patch is attached. It fixes whitespace and group-mod.
>>>> New revision.
>>>
>>> Thank you. This version works well in my tests, so ACK.
>>>
>>> It would be nice if someone can have a short look at the changes to
>>> baseldap.py to see if there are any unexpected side effects.
>>>
>>> bye,
>>> Sumit
>>>
>>
>>
>> I'm concerned about this:
>>
>>         membername = entry[0].lower()
>>         member_dn = api.Object[membertype].get_dn(membername)
>>         if membername not in external_entries and \
>> +          entry[0] not in external_entries and \
>>            member_dn not in members:
>>
>> Do you want to do a case-insensitive compare here? In that case it
>> would be better to do:
>>
>>     lowercase_external_entries = set(e.lower() for e in external_entries)
>>     if membername not in lowercase_external_entries ...
>>
>> instead of comparing the lowercased entry and the entry itself to
>> the original list.
>> The `in` operator is also faster on a set.
> Given that this list is going to be short (~dozen members in most cases) it
> is affordable to produce a new set. I'll change it.
>
>> You should also update the `elif membername in external_entries`
>> block below this one.
>> There's a similar situation in remove_external_post_callback.
>>
>> Anyway, if you ran into a situation where the `entry[0] not in
>> external_entries` check is needed, there should be a test for it.
> Originally this callback was forcing all references to lower case before
> comparing. This was applied both to existing and truly external
> references. However, for external references we cannot guarantee that
> lower case is the right one -- and, indeed, with SIDs one has to follow
> SID format which is S-1-* so lower-casing the value is not possible as that
> value will be used by SSSD and other sides (DCERPC requests) which don't
> expect it to break the format.
>
> Thus I tried to keep the format.
>
> I've added several tests:
> 1. Create group with external membership
> 2. Attempt to convert posix group to external one
> 3. Attempt to convert external group to posix
> 4. Attempt to add external member to it.
> 5. Delete external membership group to avoid disturbing other tests
> (group-find, etc) that depend on number of groups.
>
> In the #4 I'm only checking that we are getting exceptions --
> either ValidationError or NotFound. You can't do more without setting up
> the full trust.
>
> Even to do that I had to introduce a new type of checkers -- checkers that
> can be activated with an 'expected' attribute being a callable in a
> declarative test definition in xmlrpc tests. This is the easiest way
> to deal with multiple exceptions -- just define a lambda that tests
> various conditions and let it be executed by the checker.
>
>> I think something is rotten with add_external_post_callback: it's
>> defined as add_external_post_callback(... *keys, **options), but
>> invariably called as add_external_post_callback(... keys,
>> options). That existed before the patch, though, so I guess it
>> warrants a separate ticket.
>>
>>
>> I also have a few obligatory style nitpicks.
>>
>> For line continuation, instead of backslashes:
>>
>>     if membername not in external_entries and \
>>        entry[0] not in external_entries and \
>>        member_dn not in members:
>>
>> we prefer parentheses:
>>
>>     if (membername not in external_entries and
>>         entry[0] not in external_entries and
>>         member_dn not in members):
> Don't shoot the follower, it is what was there before me. :)
>
> Fixed.
>
>> Instead of:
>>
>>     normalize = True
>>     if 'external_callback_normalize' in options:
>>         normalize = options['external_callback_normalize']
>>
>> you can use:
>>
>>     options.get('external_callback_normalize', True)
> Fixed.
>
>>
>> And in group.py:
>>
>> -        'memberofindirect': ['group', 'netgroup', 'role', 'hbacrule',
>> -                             'sudorule'],
>> +        'memberofindirect': ['group', 'netgroup', 'role', 'hbacrule', 'sudorule'],
>>
>> Our style guide limits lines to 80 characters. Not much of IPA
>> follows that rule currently, but I don't see a reason for a change
>> that *only* breaks the rule.
> I find it unreadable when a single element of a list is on the separate
> line and also doesn't follow logical indentation for its level.
>
> New patch is attached.

And revised patch after review on IRC with Petr.

--
/ Alexander Bokovoy
-------------- next part --------------
>From cb1b797bfe3e99c0ea8545b503539e3ff9ddc47b Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy Date: Wed, 20 Jun 2012 16:08:33 +0300 Subject: [PATCH 10/13] Add support for external group members When using ipaExternalGroup/ipaExternalMember attributes it is possible to add group members which don't exist in IPA database. This is primarily is required for AD trusts support and therefore validation is accepting only secure identifier (SID) format. https://fedorahosted.org/freeipa/ticket/2664 --- API.txt | 12 ++-- ipalib/errors.py | 50 +++++++++++++++ ipalib/plugins/baseldap.py | 23 ++++--- ipalib/plugins/group.py | 108 ++++++++++++++++++++++++++++++-- ipalib/plugins/trust.py | 4 ++ ipaserver/dcerpc.py | 93 ++++++++++++++++++++++++--- tests/test_xmlrpc/objectclasses.py | 2 + tests/test_xmlrpc/test_group_plugin.py | 65 +++++++++++++++++++ tests/test_xmlrpc/test_user_plugin.py | 12 ++-- tests/test_xmlrpc/xmlrpc_test.py | 14 +++++ 10 files changed, 354 insertions(+), 29 deletions(-) diff --git a/API.txt b/API.txt index 9d91832d995d605b161c13a5ec915f5d84f1d515..ccae47a947c180c0c85658bc393a0d38d4b32c0d 100644 --- a/API.txt +++ b/API.txt 
@@ -1196,13 +1196,14 @@ output: Output('total', , None) output: Output('count', , None) output: Output('summary', (, ), None) command: group_add -args: 1,8,3 +args: 1,9,3 arg: Str('cn', attribute=True, cli_name='group_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, required=True) option: Str('description', attribute=True, cli_name='desc', multivalue=False, required=True) option: Int('gidnumber', attribute=True, cli_name='gid', minvalue=1, multivalue=False, required=False) option: Str('setattr*', cli_name='setattr', exclude='webui') option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('nonposix', autofill=True, cli_name='nonposix', default=False) +option: Flag('external', autofill=True, cli_name='external', default=False) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('version?', exclude='webui') @@ -1210,8 +1211,9 @@ output: Output('summary', (, ), None) output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('value', , None) command: group_add_member -args: 1,5,3 +args: 1,6,3 arg: Str('cn', attribute=True, cli_name='group_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=True) +option: Str('ipaexternalmember*', cli_name='external', csv=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('version?', exclude='webui') 
@@ -1265,7 +1267,7 @@ output: ListOfEntries('result', (, ), Gettext('A list output: Output('count', , None) output: Output('truncated', , None) command: group_mod -args: 1,11,3 +args: 1,12,3 arg: Str('cn', attribute=True, cli_name='group_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=True) option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, required=False) option: Int('gidnumber', attribute=True, autofill=False, cli_name='gid', minvalue=1, multivalue=False, required=False) @@ -1274,6 +1276,7 @@ option: Str('addattr*', cli_name='addattr', exclude='webui') option: Str('delattr*', cli_name='delattr', exclude='webui') option: Flag('rights', autofill=True, default=False) option: Flag('posix', autofill=True, cli_name='posix', default=False) +option: Flag('external', autofill=True, cli_name='external', default=False) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('version?', exclude='webui') @@ -1282,8 +1285,9 @@ output: Output('summary', (, ), None) output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('value', , None) command: group_remove_member -args: 1,5,3 +args: 1,6,3 arg: Str('cn', attribute=True, cli_name='group_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=True) +option: Str('ipaexternalmember*', cli_name='external', csv=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('version?', exclude='webui') 
diff --git a/ipalib/errors.py b/ipalib/errors.py index 407d9f7dbcf79c47193a3087fe6efbc50728c903..c25560b8e9270a65feb5d9866f6dcc99e39675ef 100644 --- a/ipalib/errors.py +++ b/ipalib/errors.py @@ -1277,6 +1277,56 @@ class SingleMatchExpected(ExecutionError): format = _('The search criteria was not specific enough. Expected 1 and found %(found)d.') +class AlreadyExternalGroup(ExecutionError): + """ + **4028** Raised when a group is already an external member group + + For example: + + >>> raise AlreadyExternalGroup + Traceback (most recent call last): + ... + AlreadyExternalGroup: This group already allows external members + + """ + + errno = 4028 + format = _('This group already allows external members') + +class ExternalGroupViolation(ExecutionError): + """ + **4029** Raised when a group is already an external member group + and an attempt is made to use it as posix group + + For example: + + >>> raise ExternalGroupViolation + Traceback (most recent call last): + ... + ExternalGroupViolation: This group cannot be posix because it is external + + """ + + errno = 4029 + format = _('This group cannot be posix because it is external') + +class PosixGroupViolation(ExecutionError): + """ + **4030** Raised when a group is already a posix group + and cannot be converted to external + + For example: + + >>> raise PosixGroupViolation + Traceback (most recent call last): + ... + PosixGroupViolation: This is already a posix group and cannot be converted to external one + + """ + + errno = 4030 + format = _('This is already a posix group and cannot be converted to external one') + class BuiltinError(ExecutionError): """ **4100** Base class for builtin execution errors (*4100 - 4199*). diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 475222a6a30863bcc536e1746bf5b338a4e42448..b841435fdcb5e28195fd38a6792233fdc4b7e32a 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py 
@@ -362,23 +362,29 @@ def add_external_post_callback(memberattr, membertype, externalattr, ldap, compl externalattr is one of externaluser, """ completed_external = 0 + normalize = options.get('external_callback_normalize', True) # Sift through the failures. We assume that these are all # entries that aren't stored in IPA, aka external entries. if memberattr in failed and membertype in failed[memberattr]: (dn, entry_attrs_) = ldap.get_entry(dn, [externalattr]) members = entry_attrs.get(memberattr, []) external_entries = entry_attrs_.get(externalattr, []) + lc_external_entries = set(e.lower() for e in external_entries) failed_entries = [] for entry in failed[memberattr][membertype]: membername = entry[0].lower() member_dn = api.Object[membertype].get_dn(membername) - if membername not in external_entries and \ - member_dn not in members: + if (membername not in lc_external_entries and + member_dn not in members): # Not an IPA entry, assume external - external_entries.append(membername) + if normalize: + external_entries.append(membername) + else: + external_entries.append(entry[0]) + lc_external_entries.add(membername) completed_external += 1 - elif membername in external_entries and \ - member_dn not in members: + elif (membername in lc_external_entries and + member_dn not in members): # Already an external member, reset the error message msg = unicode(errors.AlreadyGroupMember().message) newerror = (entry[0], msg) @@ -409,8 +415,11 @@ def remove_external_post_callback(memberattr, membertype, externalattr, ldap, co completed_external = 0 for entry in failed[memberattr][membertype]: membername = entry[0].lower() - if membername in external_entries: - external_entries.remove(membername) + if membername in external_entries or entry[0] in external_entries: + try: + external_entries.remove(membername) + except ValueError: + external_entries.remove(entry[0]) completed_external += 1 else: failed_entries.append(membername) 
diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py index 65657363a463fb0ccb07133c9c84e17b15ffee42..74bea1700f16803af25c3df10a17bd7e20e37942 100644 --- a/ipalib/plugins/group.py +++ b/ipalib/plugins/group.py @@ -22,6 +22,12 @@ from ipalib import api from ipalib import Int, Str from ipalib.plugins.baseldap import * from ipalib import _, ngettext +if api.env.in_server and api.env.context in ['lite', 'server']: + try: + import ipaserver.dcerpc + _dcerpc_bindings_installed = True + except Exception, e: + _dcerpc_bindings_installed = False __doc__ = _(""" Groups of users @@ -83,11 +89,11 @@ class group(LDAPObject): object_name_plural = _('groups') object_class = ['ipausergroup'] object_class_config = 'ipagroupobjectclasses' - possible_objectclasses = ['posixGroup', 'mepManagedEntry'] + possible_objectclasses = ['posixGroup', 'mepManagedEntry', 'ipaExternalGroup'] search_attributes_config = 'ipagroupsearchfields' default_attributes = [ 'cn', 'description', 'gidnumber', 'member', 'memberof', - 'memberindirect', 'memberofindirect', + 'memberindirect', 'memberofindirect', 'ipaexternalmember', ] uuid_attribute = 'ipauniqueid' attribute_members = { @@ -139,10 +145,22 @@ class group_add(LDAPCreate): doc=_('Create as a non-POSIX group'), default=False, ), + Flag('external', + cli_name='external', + doc=_('Allow adding external non-IPA members from trusted domains'), + default=False, + ), ) def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): - if not options['nonposix']: + # As both 'external' and 'nonposix' options have default= set for + # them, they will always be present in options dict, thus we can + # safely reference the values + if options['external']: + entry_attrs['objectclass'].append('ipaexternalgroup') + if 'gidnumber' in options: + raise errors.RequirementError(name='gid') + elif not options['nonposix']: entry_attrs['objectclass'].append('posixgroup') if not 'gidnumber' in options: entry_attrs['gidnumber'] = 999 
@@ -194,11 +212,18 @@ class group_mod(LDAPUpdate): cli_name='posix', doc=_('change to a POSIX group'), ), + Flag('external', + cli_name='external', + doc=_('change to support external non-IPA members from trusted domains'), + default=False, + ), ) def pre_callback(self, ldap, dn, entry_attrs, *keys, **options): - if options['posix'] or 'gidnumber' in options: + if ('posix' in options and options['posix']) or 'gidnumber' in options: (dn, old_entry_attrs) = ldap.get_entry(dn, ['objectclass']) + if 'ipaexternalgroup' in old_entry_attrs['objectclass']: + raise errors.ExternalGroupViolation() if 'posixgroup' in old_entry_attrs['objectclass']: if options['posix']: raise errors.AlreadyPosixGroup() @@ -207,6 +232,15 @@ class group_mod(LDAPUpdate): entry_attrs['objectclass'] = old_entry_attrs['objectclass'] if not 'gidnumber' in options: entry_attrs['gidnumber'] = 999 + if options['external']: + (dn, old_entry_attrs) = ldap.get_entry(dn, ['objectclass']) + if 'posixgroup' in old_entry_attrs['objectclass']: + raise errors.PosixGroupViolation() + if 'ipaexternalgroup' in old_entry_attrs['objectclass']: + raise errors.AlreadyExternalGroup() + else: + old_entry_attrs['objectclass'].append('ipaexternalgroup') + entry_attrs['objectclass'] = old_entry_attrs['objectclass'] # Can't check for this in a validator because we lack context if 'gidnumber' in options and options['gidnumber'] is None: raise errors.RequirementError(name='gid') 
@@ -274,12 +308,64 @@ api.register(group_show) class group_add_member(LDAPAddMember): __doc__ = _('Add members to a group.') + takes_options = ( + Str('ipaexternalmember*', + cli_name='external', + label=_('External member'), + doc=_('comma-separated SIDs of members of a trusted domain'), + csv=True, + flags=['no_create', 'no_update', 'no_search'], + ), + ) + + def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options): + result = (completed, dn) + if 'ipaexternalmember' in options: + if not _dcerpc_bindings_installed: + raise errors.NotFound(name=_('AD Trust'), + reason=_('''Cannot perform external member validation without Samba 4 support installed. + Make sure you have installed server-trust-ad sub-package of IPA on the server''')) + domain_validator = ipaserver.dcerpc.DomainValidator(self.api) + if not domain_validator.is_configured(): + raise errors.NotFound(name=_('AD Trust setup'), + reason=_('''Cannot perform join operation without own domain configured. 
+ Make sure you have run ipa-adtrust-install on the IPA server first''')) + sids = [] + failed_sids = [] + for sid in options['ipaexternalmember']: + if domain_validator.is_trusted_sid_valid(sid): + sids.append(sid) + else: + failed_sids.append((sid, 'Not a trusted domain SID')) + if len(sids) == 0: + raise errors.ValidationError(name=_('external member'), + error=_('values are not recognized as valid SIDs from trusted domain')) + restore = [] + if 'member' in failed and 'group' in failed['member']: + restore = failed['member']['group'] + failed['member']['group'] = list((id,id) for id in sids) + result = add_external_post_callback('member', 'group', 'ipaexternalmember', + ldap, completed, failed, dn, entry_attrs, + keys, options, external_callback_normalize=False) + failed['member']['group'] = restore + failed_sids + return result + api.register(group_add_member) class group_remove_member(LDAPRemoveMember): __doc__ = _('Remove members from a group.') + takes_options = ( + Str('ipaexternalmember*', + cli_name='external', + label=_('External member'), + doc=_('comma-separated SIDs of members of a trusted domain'), + csv=True, + flags=['no_create', 'no_update', 'no_search'], + ), + ) + def pre_callback(self, ldap, dn, found, not_found, *keys, **options): if keys[0] == protected_group_name: result = api.Command.group_show(protected_group_name) 
@@ -290,6 +376,20 @@ class group_remove_member(LDAPRemoveMember): label=_(u'group'), container=protected_group_name) return dn + def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options): + result = (completed, dn) + if 'ipaexternalmember' in options: + sids = options['ipaexternalmember'] + restore = list() + if 'member' in failed and 'group' in failed['member']: + restore = failed['member']['group'] + failed['member']['group'] = list((id,id) for id in sids) + result = remove_external_post_callback('member', 'group', 'ipaexternalmember', + ldap, completed, failed, dn, entry_attrs, + keys, options) + failed['member']['group'] = restore + return result + api.register(group_remove_member) diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index 71ca23abae393fff68e366bba96050deba3d3281..40bd93e654c0365ad202abfd82e84345583459dd 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py @@ -171,6 +171,10 @@ class trust_add(LDAPCreate): realm_server = options['realm_server'] trustinstance = ipaserver.dcerpc.TrustDomainJoins(self.api) + if not trustinstance.configured: + raise errors.NotFound(name=_('AD Trust setup'), + reason=_('''Cannot perform join operation without own domain configured. + Make sure you have run ipa-adtrust-install on the IPA server first''')) # 1. Full access to the remote domain. Use admin credentials and # generate random trustdom password to do work on both sides diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index 3bc8b63af3f416cc45cb75c76fd7b9587f367e3e..07e40c2d35b41a2665232f3e6d853b47aef707bb 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py 
@@ -58,6 +58,79 @@ class ExtendedDNControl(_ldap.controls.RequestControl): def encodeControlValue(self): return '0\x03\x02\x01\x01' +class DomainValidator(object): + ATTR_FLATNAME = 'ipantflatname' + ATTR_SID = 'ipantsecurityidentifier' + ATTR_TRUSTED_SID = 'ipanttrusteddomainsid' + + def __init__(self, api): + self.api = api + self.ldap = self.api.Backend.ldap2 + self.domain = None + self.flatname = None + self.dn = None + self.sid = None + self._domains = None + + def is_configured(self): + cn_trust_local = DN(('cn', self.api.env.domain), self.api.env.container_cifsdomains, self.api.env.basedn) + try: + (dn, entry_attrs) = self.ldap.get_entry(unicode(cn_trust_local), [self.ATTR_FLATNAME, self.ATTR_SID]) + self.flatname = entry_attrs[self.ATTR_FLATNAME][0] + self.sid = entry_attrs[self.ATTR_SID][0] + self.dn = dn + self.domain = self.api.env.domain + except errors.NotFound, e: + return False + return True + + def get_trusted_domains(self): + cn_trust = DN(('cn', 'ad'), self.api.env.container_trusts, self.api.env.basedn) + try: + search_kw = {'objectClass': 'ipaNTTrustedDomain'} + filter = self.ldap.make_filter(search_kw, rules=self.ldap.MATCH_ALL) + (entries, truncated) = self.ldap.find_entries(filter=filter, base_dn=unicode(cn_trust), + attrs_list=[self.ATTR_TRUSTED_SID, 'dn']) + + return entries + except errors.NotFound, e: + return [] + + def is_trusted_sid_valid(self, sid): + if not self.domain: + # our domain is not configured or self.is_configured() never run + # reject SIDs as we can't check correctness of them + return False + # Parse sid string to see if it is really in a SID format + try: + test_sid = security.dom_sid(sid) + except TypeError: + return False + (dom, sid_rid) = test_sid.split() + sid_dom = str(dom) + # Now we have domain prefix of the sid as sid_dom string and can + # analyze it against known prefixes + if sid_dom.find(security.SID_NT_AUTHORITY) != 0: + # Ignore any potential SIDs that are not S-1-5-* + return False + if 
sid_dom.find(self.sid) == 0: + # A SID from our own domain cannot be treated as trusted domain's SID + return False + # At this point we have SID_NT_AUTHORITY family SID and really need to + # check it against prefixes of domain SIDs we trust to + if not self._domains: + self._domains = self.get_trusted_domains() + if len(self._domains) == 0: + # Our domain is configured but no trusted domains are configured + # This means we can't check the correctness of a trusted domain SIDs + return False + # We have non-zero list of trusted domains and have to go through them + # one by one and check their sids as prefixes + for (dn, domaininfo) in self._domains: + if sid_dom.find(domaininfo[self.ATTR_TRUSTED_SID][0]) == 0: + return True + return False + class TrustDomainInstance(object): def __init__(self, hostname, creds=None): @@ -247,20 +320,18 @@ class TrustDomainInstance(object): self._pipe.CreateTrustedDomainEx2(self._policy_handle, info, self.auth_info, security.SEC_STD_DELETE) class TrustDomainJoins(object): - ATTR_FLATNAME = 'ipantflatname' - def __init__(self, api): self.api = api self.local_domain = None self.remote_domain = None - self.ldap = self.api.Backend.ldap2 - cn_trust_local = DN(('cn', self.api.env.domain), self.api.env.container_cifsdomains, self.api.env.basedn) - (dn, entry_attrs) = self.ldap.get_entry(unicode(cn_trust_local), [self.ATTR_FLATNAME]) - self.local_flatname = entry_attrs[self.ATTR_FLATNAME][0] - self.local_dn = dn + domain_validator = DomainValidator(api) + self.configured = domain_validator.is_configured() - self.__populate_local_domain() + if self.configured: + self.local_flatname = domain_validator.flatname + self.local_dn = domain_validator.dn + self.__populate_local_domain() def __populate_local_domain(self): # Initialize local domain info using kerberos only 
@@ -308,6 +379,9 @@ class TrustDomainJoins(object): self.remote_domain = rd def join_ad_full_credentials(self, realm, realm_server, realm_admin, realm_passwd): + if not self.configured: + return None + self.__populate_remote_domain(realm, realm_server, realm_admin, realm_passwd) if not self.remote_domain.read_only: trustdom_pass = samba.generate_random_password(128, 128) @@ -317,6 +391,9 @@ class TrustDomainJoins(object): return None def join_ad_ipa_half(self, realm, realm_server, trustdom_passwd): + if not self.configured: + return None + self.__populate_remote_domain(realm, realm_server, realm_passwd=None) self.local_domain.establish_trust(self.remote_domain, trustdom_passwd) return dict(local=self.local_domain, remote=self.remote_domain) diff --git a/tests/test_xmlrpc/objectclasses.py b/tests/test_xmlrpc/objectclasses.py index a036b34dee195619ce4f2d5e557dae2d5069c700..ed3f73dbe9b92b6f138657766b15f7838b59279f 100644 --- a/tests/test_xmlrpc/objectclasses.py +++ b/tests/test_xmlrpc/objectclasses.py @@ -45,6 +45,8 @@ group = [ u'ipaobject', ] +externalgroup = group + [u'ipaexternalgroup'] + host = [ u'ipasshhost', u'ipaSshGroupOfPubKeys', diff --git a/tests/test_xmlrpc/test_group_plugin.py b/tests/test_xmlrpc/test_group_plugin.py index 9597992c5d0644cf13fea5ca2a030f49e4f600be..08cf74185bb7f30211cf94e80174e7c5853e30ca 100644 --- a/tests/test_xmlrpc/test_group_plugin.py +++ b/tests/test_xmlrpc/test_group_plugin.py @@ -28,11 +28,18 @@ from ipalib.dn import * group1 = u'testgroup1' group2 = u'testgroup2' +group3 = u'testgroup3' renamedgroup1 = u'testgroup' user1 = u'tuser1' invalidgroup1=u'+tgroup1' +# When adding external SID member to a group we can't test +# it fully due to possibly missing Samba 4 python bindings +# and/or not configured AD trusts. Thus, we'll use incorrect +# SID value to merely test that proper exceptions are raised +external_sid1=u'S-1-1-123456-789-1' + def get_group_dn(cn): return DN(('cn', cn), api.env.container_group, api.env.basedn) 
@@ -40,6 +47,7 @@ class test_group(Declarative): cleanup_commands = [ ('group_del', [group1], {}), ('group_del', [group2], {}), + ('group_del', [group3], {}), ('user_del', [user1], {}), ] @@ -373,6 +381,63 @@ class test_group(Declarative): ), ), + ############### + # test external SID members for group3: + dict( + desc='Create external %r' % group3, + command=( + 'group_add', [group3], dict(description=u'Test desc 3',external=True) + ), + expected=dict( + value=group3, + summary=u'Added group "testgroup3"', + result=dict( + cn=[group3], + description=[u'Test desc 3'], + objectclass=objectclasses.externalgroup, + ipauniqueid=[fuzzy_uuid], + dn=lambda x: DN(x) == get_group_dn(group3), + ), + ), + ), + + + dict( + desc='Convert posix group %r to support external membership' % (group2), + command=( + 'group_mod', [group2], dict(external=True) + ), + expected=errors.PosixGroupViolation(), + ), + + + dict( + desc='Convert external members group %r to posix' % (group3), + command=( + 'group_mod', [group3], dict(posix=True) + ), + expected=errors.ExternalGroupViolation(), + ), + + + dict( + desc='Add external member %r to %r' % (external_sid1, group3), + command=( + 'group_add_member', [group3], dict(ipaexternalmember=external_sid1) + ), + expected=lambda x, output: type(x) == errors.ValidationError or type(x) == errors.NotFound, + ), + + + dict( + desc='Remove group %r with external membership' % (group3), + command=('group_del', [group3], {}), + expected=dict( + result=dict(failed=u''), + value=group3, + summary=u'Deleted group "testgroup3"', + ), + ), ############### diff --git a/tests/test_xmlrpc/test_user_plugin.py b/tests/test_xmlrpc/test_user_plugin.py index 355a4cbbbbd1a758885c50b8f2450444cff23fd6..b257a90a3550b6933f2d4945b1ae34ceb229090b 100644 --- a/tests/test_xmlrpc/test_user_plugin.py +++ b/tests/test_xmlrpc/test_user_plugin.py 
@@ -1059,7 +1059,7 @@ class test_user(Declarative): command=( 'config_mod', [], dict(ipahomesrootdir=u'/other-home'), ), - expected=lambda x: True, + expected=lambda x, output: x is None, ), dict( @@ -1107,7 +1107,7 @@ class test_user(Declarative): command=( 'config_mod', [], dict(ipahomesrootdir=u'/home'), ), - expected=lambda x: True, + expected=lambda x, output: x is None, ), dict( @@ -1125,7 +1125,7 @@ class test_user(Declarative): command=( 'config_mod', [], dict(ipadefaultloginshell=u'/usr/bin/ipython'), ), - expected=lambda x: True, + expected=lambda x, output: x is None, ), dict( @@ -1172,7 +1172,7 @@ class test_user(Declarative): command=( 'config_mod', [], dict(ipadefaultloginshell=u'/bin/sh'), ), - expected=lambda x: True, + expected=lambda x, output: x is None, ), dict( @@ -1245,7 +1245,7 @@ class test_user(Declarative): command=( 'config_mod', [], dict(ipadefaultprimarygroup=group1), ), - expected=lambda x: True, + expected=lambda x, output: x is None, ), dict( @@ -1328,7 +1328,7 @@ class test_user(Declarative): command=( 'config_mod', [], dict(ipadefaultprimarygroup=u'ipausers'), ), - expected=lambda x: True, + expected=lambda x, output: x is None, ), dict( diff --git a/tests/test_xmlrpc/xmlrpc_test.py b/tests/test_xmlrpc/xmlrpc_test.py index c279107b3e0955cd453612bfe0feeb63225d7904..cfba35fc5d814a7d6b70dbccff891afe1d18598b 100644 --- a/tests/test_xmlrpc/xmlrpc_test.py +++ b/tests/test_xmlrpc/xmlrpc_test.py @@ -260,6 +260,8 @@ class Declarative(XMLRPC_test): raise nose.SkipTest('%r not in api.Command' % cmd) if isinstance(expected, errors.PublicError): self.check_exception(nice, cmd, args, options, expected) + elif hasattr(expected, '__call__'): + self.check_callable(nice, cmd, args, options, expected) else: self.check_output(nice, cmd, args, options, expected, extra_check) 
@@ -285,6 +287,18 @@ class Declarative(XMLRPC_test): # For now just compare the strings assert_deepequal(expected.strerror, e.strerror) + def check_callable(self, nice, cmd, args, options, expected): + output = dict() + e = None + try: + output = api.Command[cmd](*args, **options) + except StandardError, e: + pass + if not expected(e, output): + raise AssertionError( + UNEXPECTED % (cmd, args, options, e.__class__.__name__, e) + ) + def check_output(self, nice, cmd, args, options, expected, extra_check): got = api.Command[cmd](*args, **options) assert_deepequal(expected, got, nice) -- 1.7.10.4 From sbose at redhat.com Thu Jun 28 12:19:21 2012 
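Review bot: the user-visible strings in the three new ipalib/errors.py classes read awkwardly: PosixGroupViolation's `format` says "converted to external one" (should be "converted to an external one"), and the ExternalGroupViolation docstring says "use it as posix group" (should be "as a posix group"). Since `format` strings become translatable messages, it is cheaper to fix the wording now than after translators have picked them up.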
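Review bot: in add_external_post_callback, `normalize = options.get('external_callback_normalize', True)` only works by accident. The function is declared `add_external_post_callback(..., *keys, **options)`, but group_add_member's new post_callback calls it as `add_external_post_callback('member', 'group', 'ipaexternalmember', ldap, completed, failed, dn, entry_attrs, keys, options, external_callback_normalize=False)`, so the positional `keys` and `options` objects are swallowed into `*keys` and `**options` contains nothing but the explicit keyword. Either change the signature to plain `keys, options` parameters (and then read the flag with `options.get(...)` on the real dict) or document that the callback ignores the command's options, so nobody later adds a second option and wonders why it is never seen.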
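Review bot: remove_external_post_callback still matches exactly (`if membername in external_entries or entry[0] in external_entries:`) while the add path now compares through a lowercased set. ipaExternalMember is declared case-insensitive (per the patch description), so a stored value that differs in case from both `membername` and `entry[0]` is neither matched nor removed and silently lands in `failed_entries`. Suggest resolving the stored spelling once, e.g. `stored = dict((e.lower(), e) for e in external_entries)` followed by `external_entries.remove(stored[membername])` when `membername in stored`; that also removes the need for the try/except ValueError fallback.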
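Review bot: the module-level `except Exception, e:` around `import ipaserver.dcerpc` in group.py hides real bugs, not only a missing dependency: a SyntaxError in ipaserver/dcerpc.py or a failing import inside it would surface later only as the misleading "Cannot perform external member validation without Samba 4 support installed". Narrow it to `except ImportError:` and drop the unused `e`.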
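Review bot: in group_add.pre_callback, `raise errors.RequirementError(name='gid')` when `--external` is given together with a `gidnumber` reports that gid is *required*, which is the opposite of the actual problem (a GID was supplied but is not allowed on an external group). Raise a validation or mutually-exclusive error with a message saying that external groups cannot have a GID. In the same branch `options['nonposix']` is silently ignored whenever `external` is set; that is reasonable, but a one-line comment would save the next reader from checking.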
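Review bot: group_mod.pre_callback does not reject `--posix --external` (or `--external --gid=N`) on a plain non-POSIX group. The first branch appends 'posixgroup' to `entry_attrs['objectclass']` and sets `entry_attrs['gidnumber'] = 999`; the `if options['external']:` block then re-reads `objectclass` from LDAP (which still lacks posixgroup), appends 'ipaexternalgroup' and overwrites `entry_attrs['objectclass']`, so the update produces an external group that carries a gidnumber, exactly the combination the new PosixGroupViolation/ExternalGroupViolation errors are meant to prevent. Check for both flags up front and raise before either branch runs, reuse a single `ldap.get_entry` result, and since the outer test was changed to `'posix' in options and options['posix']`, the inner `if options['posix']:` should use the same guarded form (or `options.get('posix')`).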
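Review bot: the triple-quoted `_('''...''')` messages in group_add_member.post_callback embed the newline and the leading indentation of the continuation line into the user-visible error text, and the "Cannot perform join operation without own domain configured" message is repeated verbatim in trust_add; join each message into one string (implicit concatenation of two literals) and keep the shared one in a module-level constant. Two smaller points in the same hunk: `errors.NotFound` is a strange class for "bindings not installed" and "not configured" conditions, and `list((id,id) for id in sids)` shadows the builtin `id`; `[(sid, sid) for sid in sids]` reads better.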
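Review bot: in DomainValidator.is_trusted_sid_valid, `sid_dom.find(domaininfo[self.ATTR_TRUSTED_SID][0]) == 0` is a string prefix test, not an equality test, so a trusted domain SID of 'S-1-5-21-1-2-3' would also accept SIDs whose domain part is 'S-1-5-21-1-2-34'. `test_sid.split()` already yields the complete domain SID, so compare with `==` (or compare `dom` against `security.dom_sid(trusted)`), and apply the same to the own-domain check `sid_dom.find(self.sid) == 0`. Please also confirm that `TypeError` is the exception the Samba bindings raise for a malformed SID string in `security.dom_sid(sid)`; anything else propagates as an internal error instead of a clean `False`. Minor: `filter` in get_trusted_domains shadows the builtin.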
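Review bot: in the new test_group_plugin.py cases, `expected=lambda x, output: type(x) == errors.ValidationError or type(x) == errors.NotFound` should be `isinstance(x, (errors.ValidationError, errors.NotFound))`, which also accepts subclasses. The 'Convert posix group %r to support external membership' case relies on group2 still being POSIX from earlier steps of the same class; a short comment stating that precondition, like the one added for external_sid1, would protect it against reordering.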
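Review bot: in Declarative.check_callable, when the callable rejects a run that raised nothing, the AssertionError is built from `e.__class__.__name__, e` with `e` still `None`, so the failure reads as "NoneType: None" and hides the `output` that actually failed the check. Include `output` in the formatted message (or a separate message for the `e is None` case) so the report is usable.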
From: sbose at redhat.com (Sumit Bose)
Date: Thu, 28 Jun 2012 14:19:21 +0200
Subject: [Freeipa-devel] [PATCH] 18 Add external domain extop DS plugin
In-Reply-To: <4FEC4540.6030006@redhat.com>
References: <20120607092729.GM8124@localhost.localdomain> <20120611144617.GR25726@redhat.com> <20120613102642.GG20850@localhost.localdomain> <20120613103749.GH20850@localhost.localdomain> <20120627161429.GK29454@localhost.localdomain> <20120627163853.GJ16889@redhat.com> <4FEC0D2E.6070503@redhat.com> <20120628101907.GN29454@localhost.localdomain> <4FEC3B67.4060104@redhat.com> <4FEC4540.6030006@redhat.com>
Message-ID: <20120628121921.GO29454@localhost.localdomain>

On Thu, Jun 28, 2012 at 01:51:28PM +0200, Martin Kosek wrote:
> On 06/28/2012 01:09 PM, Martin Kosek wrote:
> > On 06/28/2012 12:19 PM, Sumit Bose wrote:
> >> On Thu, Jun 28, 2012 at 09:52:14AM +0200, Martin Kosek wrote:
> >>> On 06/27/2012 06:38 PM, Alexander Bokovoy wrote:
> >>>> On Wed, 27 Jun 2012, Sumit Bose wrote:
> >>>>> On Wed, Jun 13, 2012 at 12:37:49PM +0200, Sumit Bose wrote:
> >>>>>> On Wed, Jun 13, 2012 at 12:26:43PM +0200, Sumit Bose wrote:
> >>>>>>> On Mon, Jun 11, 2012 at 05:46:17PM +0300, Alexander Bokovoy wrote:
> >>>>>>>> On Thu, 07 Jun 2012, Sumit Bose wrote:
> >>>>>>>>> On Fri, Mar 23, 2012 at 01:52:34PM +0100, Sumit Bose wrote:
> >>>>>>>>>> Hi,
> >>>>>>>>>>
> >>>>>>>>>> these two patches introduce a new extended operation to the IPA server
> >>>>>>>>>> which can be used by clients in the IPA domain to obtain information
> >>>>>>>>>> about users and groups from trusted domains. Currently this exop is used
> >>>>>>>>>> by the sssd sub-domain patch to map user names from a trusted AD domain
> >>>>>>>>>> to a SID and back. There is also some code for other kinds of requests
> >>>>>>>>>> which might become useful in future, e.g. with trusted IPA domain.
> >>>>>>>>>>
> >>>>>>>>>> I added some unit tests and added a check for the check unit test framework
> >>>>>>>>>> for C (http://check.sourceforge.net/) which is used by sssd as well. I
> >>>>>>>>>> modified the spec file so that the test is run during the build of the
> >>>>>>>>>> packages. I hope this is ok.
> >>>>>>>>>>
> >>>>>>>>>> The patches depend on the idmap library patch which was ACKed recently
> >>>>>>>>>> on sssd-devel and as mentioned before the sub-domain patches on
> >>>>>>>>>> sssd-devel can only be fully tested with an IPA server which has these
> >>>>>>>>>> patches applied.
> >>>>>>>>>>
> >>>>>>>>>> Since Alexander is currently rewriting parts of the ipa-adtrust-install
> >>>>>>>>>> utility I stand back from adding activation code for the exop to
> >>>>>>>>>> ipa-adtrust-install and will send a patch when Alexander's changes are
> >>>>>>>>>> available. So currently extdom-extop-conf.ldif has to be loaded manually
> >>>>>>>>>> after replacing $SUFFIX to activate the new exop.
> >>>>>>>>>>
> >>>>>>>>>> bye,
> >>>>>>>>>> Sumit
> >>>>>>>>>
> >>>>>>>>> Please find a rebased version of the patches which work on top of
> >>>>>>>>> Alexander's latest series of patches. The patches now also contain the
> >>>>>>>>> loading of extdom-extop-conf.ldif and the activation of winbind.
> >>>>>>>> Thanks for the rebase.
> >>>>>>>>
> >>>>>>>> Few comments.
> >>>>>>>>
> >>>>>>>> 1. The extdom plugin should support IDMAP_BOTH. We do provide user private
> >>>>>>>> groups so in our case it should be viewed as preferred output. Thus you
> >>>>>>>> would need to add new response type to cover this case.
> >>>>>>>
> >>>>>>> Currently the plugin only uses winbind to map SIDs to names and back and
> >>>>>>> in the returned user data the user private groups are already respected
> >>>>>>> by setting the GID to the UID. On the client side sssd handles the
> >>>>>>> trusted domains as mpg (magic private group) domains.
> >>>>>>>
> >>>>>>>>
> >>>>>>>> 2. I have tried to look at the plugin description from point of view of
> >>>>>>>> a system administrator and I failed to understand what it does:
> >>>>>>>>> +#define IPA_EXTDOM_PLUGIN_NAME "ipa-extdom-extop"
> >>>>>>>>> +#define IPA_EXTDOM_FEATURE_DESC "IPA EXTDOM ID mapper"
> >>>>>>>>> +#define IPA_EXTDOM_PLUGIN_DESC "IPA EXTDOM ID mapper Extended Operation plugin"
> >>>>>>>>
> >>>>>>>> In the ipa-extdom-extop-conf.ldif you have following description:
> >>>>>>>>> +nsslapd-plugindescription: Support resolving IDs in trusted domains to names and back
> >>>>>>>> Probably it is better to reuse the same description in IPA_EXTDOM_PLUGIN_DESC?
> >>>>>>>>
> >>>>>>>> This is a minor point but EXTDOM itself is vague. Maybe we should be more clear
> >>>>>>>> and call it 'IPA trusted domain ID mapper' as it really limits itself to
> >>>>>>>> only trusted domains? We don't dispatch winbind request if the domain is
> >>>>>>>> not found in our list of trusted domains.
> >>>>>>>
> >>>>>>> I have updated the descriptions. I prefer the EXTDOM prefix because
> >>>>>>> there might be future use cases where we might want to get some data
> >>>>>>> from other domains without trust. But I'm happy to change it if you like
> >>>>>>> a different prefix better.
> >>>>>>>
> >>>>>>>>
> >>>>>>>> 3. Could you please define the oid in ipa_extdom.h so that it could be
> >>>>>>>> useful for client code as well?
> >>>>>>>>> +#define EXOP_EXTDOM_OID "2.16.840.1.113730.3.8.10.4"
> >>>>>>>
> >>>>>>> done
> >>>>>>>
> >>>>>>> New version attached.
> >>>>>>
> >>>>>> ah. sorry, forgot to squash in some changes.
> >>>>>>
> >>>>>> Additionally I moved the binary to the freeipa-server-trust-ad package
> >>>>>> to avoid additional dependencies in the freeipa-server package.
> >>>>>>
> >>>>>> bye,
> >>>>>> Sumit
> >>>>>>
> >>>>>>>
> >>>>>>>>
> >>>>>>>> 4. Do we have 'check' tool in RHEL6?
> >>>>>>>
> >>>>>>> yes, current version is check-0.9.8-1.1.el6
> >>>>>>>
> >>>>>>> Thank you for the review.
> >>>>>>>
> >>>>>>> bye,
> >>>>>>> Sumit
> >>>>>>>> --
> >>>>>>>> / Alexander Bokovoy
> >>>>>
> >>>>> rebased version with some changes by Alexander attached.
> >>>> ACK from my side. Works in tests I've run.
> >>>
> >>> Patch 17 pushed to master.
> >>>
> >>> Patch 18 does not apply. I also have one question related to this patch:
> >>
> >> a rebased version is attached.
> >>
> >>>
> >>> We added a winbind service to ADTRUSTInstance which is now being configured as
> >>> a part of ipa-adtrust-install. To make this cleaner, we may want to write
> >>> winbind's own service.Service class which would do the necessary configuration
> >>> and could be also better expanded in the future.
> >>
> >> Currently none of the configuration steps are done exclusively for
> >> winbind, e.g. winbind will use the same credential as the smbd to access
> >> the directory server. I would agree to create a class for winbind if it
> >> turns out that we have to add special winbind options, but for now we
> >> only need to start the winbind process.
> >
> > Ok, let's keep current setup and expand when needed. I also did a few installation
> > tests with your patch, everything worked fine.
> >
> > So ACK #2, pushed to master.
> >
> > Martin
>
> There was a missing Requires for libsss_idmap on freeipa-server-trust-ad package.
>
> Fixed and pushed as a one-liner (attached).

Thank you.

bye,
Sumit

>
> Martin

From sbose at redhat.com Thu Jun 28 12:28:12 2012
From: sbose at redhat.com (Sumit Bose)
Date: Thu, 28 Jun 2012 14:28:12 +0200
Subject: [Freeipa-devel] [PATCH] Filter groups in the PAC
In-Reply-To: <20120627162811.GI16889@redhat.com>
References: <20120626082305.GA29454@localhost.localdomain> <20120627162811.GI16889@redhat.com>
Message-ID: <20120628122812.GP29454@localhost.localdomain>

On Wed, Jun 27, 2012 at 07:28:11PM +0300, Alexander Bokovoy wrote:
> On Tue, 26 Jun 2012, Sumit Bose wrote:
> >Hi,
> >
> >this patch contains the KDC part of the external groups handling. If
> >group SIDs from the PAC can be found in the ipaExternalGroup objects and
> >the external groups are member of local groups, the SIDs of the local
> >groups are added to the PAC. If the PAC is then read by the SSSD pac
> >responder the user from the PAC is added to the local groups on the
> >client.
> ACK. There were code-related comments from Simo yesterday on IRC but it
> was agreed to solve those in separate patches.

Thank you for the review, I created
https://fedorahosted.org/freeipa/ticket/2881 for the discussed performance
improvements.

bye,
Sumit

>
> --
> / Alexander Bokovoy

From pviktori at redhat.com Thu Jun 28 12:35:00 2012
From: pviktori at redhat.com (Petr Viktorin)
Date: Thu, 28 Jun 2012 14:35:00 +0200
Subject: [Freeipa-devel] [PATCH] External group membership for trusted domains
In-Reply-To: <20120628121651.GC6687@redhat.com>
References: <20120621152602.GA28689@redhat.com> <20120625105914.GX29454@localhost.localdomain> <20120625130652.GC5935@redhat.com> <20120627095656.GB16889@redhat.com> <20120627103605.GG29454@localhost.localdomain> <4FEAEFAB.2080604@redhat.com> <20120627141930.GC16889@redhat.com> <20120628121651.GC6687@redhat.com>
Message-ID: <4FEC4F74.4060006@redhat.com>

On 06/28/2012 02:16 PM, Alexander Bokovoy wrote:
> On Wed, 27 Jun 2012, Alexander Bokovoy wrote:
>> On Wed, 27 Jun 2012, Petr Viktorin wrote:
>>> On 06/27/2012 12:36 PM, Sumit Bose wrote:
>>>> On Wed, Jun 27, 2012 at 12:56:56PM +0300, Alexander Bokovoy wrote:
>>>>> On Mon, 25 Jun 2012, Alexander Bokovoy wrote:
>>>>>> On Mon, 25 Jun 2012, Sumit Bose wrote:
>>>>>>> Hi Alexander,
>>>>>>>
>>>>>>> On Thu, Jun 21, 2012 at 06:26:02PM +0300, Alexander Bokovoy wrote:
>>>>>>>> Hi!
>>>>>>>>
>>>>>>>> Attached is the patch to support external group membership for trusted
>>>>>>>> domains. This is needed to get proper group membership with the work
>>>>>>>> Sumit and Jan are doing on both IPA and SSSD sides.
>>>>>>>>
>>>>>>>> We already have ipaExternalGroup class that includes ipaExternalMember
>>>>>>>> attribute (multivalued case-insensitive string). The group that has
>>>>>>>> ipaExternalGroup object class will have to be non-POSIX and ipaExternalMember
>>>>>>>> attribute will contain security identifiers (SIDs) of members from
>>>>>>>> trusted domains.
>>>>>>>>
>>>>>>>> The patch takes care of three things:
>>>>>>>> 1. Extends 'ipa group-add' with --external option to add
>>>>>>>>    ipaExternalGroup object class to a new group
>>>>>>>> 2. Modifies 'ipa group-add-member' to accept --external CSV argument
>>>>>>>>    to specify SIDs
>>>>>>>> 3. Modifies 'ipa group-del-member' to allow removing external
>>>>>>>>    members.
>>>>>>>
>>>>>>> thank you for the patch, it works as expected, but I have a few
>>>>>>> comments:
>>>>>>>
>>>>>>> - there is a trailing whitespace at the end of the "This means we can't
>>>>>>>   check the correctness of a trusted domain SIDs" line
>>>>>>> - when using ipa group-add-member with --external there are still prompts
>>>>>>>   for [member user] and [member group], can those be suppressed?
>>>>>>> - with ipa group-mod --posix it is possible to add the posixGroup
>>>>>>>   objectclass together with a GID to the external group object. This
>>>>>>>   should result in an error and also the other way round, adding
>>>>>>>   --external to Posix groups.
>>>>>> Updated patch is attached. It fixes whitespace and group-mod.
>>>>> New revision.
>>>>
>>>> Thank you. This version works well in my tests, so ACK.
>>>>
>>>> It would be nice if someone can have a short look at the changes to
>>>> baseldap.py to see if there are any unexpected side effects.
>>>>
>>>> bye,
>>>> Sumit
>>>>
>>>
>>>
>>> I'm concerned about this:
>>>
>>>     membername = entry[0].lower()
>>>     member_dn = api.Object[membertype].get_dn(membername)
>>>     if membername not in external_entries and \
>>> +           entry[0] not in external_entries and \
>>>             member_dn not in members:
>>>
>>> Do you want to do a case-insensitive compare here? In that case it
>>> would be better to do:
>>>
>>>     lowercase_external_entries = set(e.lower() for e in external_entries)
>>>     if membername not in lowercase_external_entries ...
>>>
>>> instead of comparing the lowercased entry and the entry itself to the
>>> original list.
>>> The `in` operator is also faster on a set.
>> Given that this list is going to be short (~dozen members in most cases) it
>> is affordable to produce new set. I'll change it.
>>
>>> You should also update the `elif membername in external_entries`
>>> block below this one.
>>> There's a similar situation in remove_external_post_callback.
>>>
>>> Anyway, if you ran into a situation where the `entry[0] not in
>>> external_entries` check is needed, there should be a test for it.
>> Originally this callback was forcing all references to lower case before
>> comparing. This was applied both to existing and truly external
>> references. However, for external references we cannot guarantee that
>> lower case is the right one -- and, indeed, with SIDs one has to follow
>> SID format which is S-1-* so lowercasing the value is not possible as that
>> value will be used by SSSD and other sides (DCERPC requests) which don't
>> expect it to break the format.
>>
>> Thus I tried to keep the format.
>>
>> I've added several tests:
>> 1. Create group with external membership
>> 2. Attempt to convert posix group to external one
>> 3. Attempt to convert external group to posix
>> 4. Attempt to add external member to it.
>> 5. Delete external membership group to avoid disturbing other tests
>>    (group-find, etc) that depend on number of groups.
>>
>> In the #4 I'm only checking that we are getting exceptions --
>> either ValidationError or NotFound. You can't do more without setting up
>> the full trust.
>>
>> Even to do that I had to introduce a new type of checkers -- checkers that
>> can be activated with an 'expected' attribute being a callable in a
>> declarative test definition in xmlrpc tests. This is the easiest way
>> to deal with multiple exceptions -- just define a lambda that tests
>> various conditions and let it be executed by the checker.
>>
>>> I think something is rotten with add_external_post_callback: it's
>>> defined as add_external_post_callback(... *keys, **options), but
>>> invariably called as add_external_post_callback(... keys, options).
>>> That existed before the patch, though, so I guess it warrants a
>>> separate ticket.
>>>
>>>
>>> I also have a few obligatory style nitpicks.
>>>
>>> For line continuation, instead of backslashes:
>>>
>>>     if membername not in external_entries and \
>>>             entry[0] not in external_entries and \
>>>             member_dn not in members:
>>>
>>> we prefer parentheses:
>>>
>>>     if (membername not in external_entries and
>>>             entry[0] not in external_entries and
>>>             member_dn not in members):
>> Don't shoot the follower, it is what was there before me. :)
>>
>> Fixed.
>>
>>> Instead of:
>>>
>>>     normalize = True
>>>     if 'external_callback_normalize' in options:
>>>         normalize = options['external_callback_normalize']
>>>
>>> you can use:
>>>
>>>     options.get('external_callback_normalize', True)
>> Fixed.
>>
>>>
>>> And in group.py:
>>>
>>> -        'memberofindirect': ['group', 'netgroup', 'role', 'hbacrule',
>>> -                             'sudorule'],
>>> +        'memberofindirect': ['group', 'netgroup', 'role', 'hbacrule', 'sudorule'],
>>>
>>> Our style guide limits lines to 80 characters. Not much of IPA
>>> follows that rule currently, but I don't see a reason for a change
>>> that *only* breaks the rule.
>> I find it unreadable when a single element of a list is on the separate
>> line and also doesn't follow logical indentation for its level.
>>
>> New patch is attached.
> And revised patch after review on IRC with Petr.
>

I'm definitely not a fan of adding new magic to the test suite, but we
couldn't find a better way to check for one of two errors that didn't
involve rewriting the Declarative tests.
So, with this patch, the 'expected' value of a test can be a callable, in
which case it's called with two arguments (exception, output) and must
return true for the test to pass.

There are still some failures in test_cmdline/test_cli.py, caused by the
"external" flag added to group-add. Otherwise the patch works fine.

-- 
Petr³

From abokovoy at redhat.com Thu Jun 28 12:58:14 2012
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 28 Jun 2012 15:58:14 +0300 Subject: [Freeipa-devel] [PATCH] External group membership for trusted domains In-Reply-To: <4FEC4F74.4060006@redhat.com> References: <20120621152602.GA28689@redhat.com> <20120625105914.GX29454@localhost.localdomain> <20120625130652.GC5935@redhat.com> <20120627095656.GB16889@redhat.com> <20120627103605.GG29454@localhost.localdomain> <4FEAEFAB.2080604@redhat.com> <20120627141930.GC16889@redhat.com> <20120628121651.GC6687@redhat.com> <4FEC4F74.4060006@redhat.com> Message-ID: <20120628125814.GD6687@redhat.com> On Thu, 28 Jun 2012, Petr Viktorin wrote: >On 06/28/2012 02:16 PM, Alexander Bokovoy wrote: >>On Wed, 27 Jun 2012, Alexander Bokovoy wrote: >>>On Wed, 27 Jun 2012, Petr Viktorin wrote: >>>>On 06/27/2012 12:36 PM, Sumit Bose wrote: >>>>>On Wed, Jun 27, 2012 at 12:56:56PM +0300, Alexander Bokovoy wrote: >>>>>>On Mon, 25 Jun 2012, Alexander Bokovoy wrote: >>>>>>>On Mon, 25 Jun 2012, Sumit Bose wrote: >>>>>>>>Hi Alexander, >>>>>>>> >>>>>>>>On Thu, Jun 21, 2012 at 06:26:02PM +0300, Alexander Bokovoy wrote: >>>>>>>>>Hi! >>>>>>>>> >>>>>>>>>Attached is the patch to support external group membership for >>>>>>>>>trusted >>>>>>>>>domains. This is needed to get proper group membership with the >>>>>>>>>work >>>>>>>>>Sumit and Jan are doing on both IPA and SSSD sides. >>>>>>>>> >>>>>>>>>We already have ipaExternalGroup class that includes >>>>>>>>>ipaExternalMember >>>>>>>>>attribute (multivalued case-insensitive string). The group that has >>>>>>>>>ipaExternalGroup object class will have to be non-POSIX and >>>>>>>>>ipaExternalMember >>>>>>>>>attribute will contain security identifiers (SIDs) of members from >>>>>>>>>trusted domains. >>>>>>>>> >>>>>>>>>The patch takes care of three things: >>>>>>>>>1. Extends 'ipa group-add' with --external option to add >>>>>>>>> ipaExternalGroup object class to a new group >>>>>>>>>2. 
>>>>>>>>>Modifies 'ipa group-add-member' to accept --external CSV argument
>>>>>>>>>   to specify SIDs
>>>>>>>>>3. Modifies 'ipa group-del-member' to allow removing external members.
>>>>>>>>
>>>>>>>>thank you for the patch, it works as expected, but I have a few
>>>>>>>>comments:
>>>>>>>>
>>>>>>>>- there is a trailing whitespace at the end of the "This means we can't
>>>>>>>>check the correctness of a trusted domain SIDs" line
>>>>>>>>- when using ipa group-add-member with --external there are still prompts
>>>>>>>>for [member user] and [member group], can those be suppressed?
>>>>>>>>- with ipa group-mod --posix it is possible to add the posixGroup
>>>>>>>>objectclass together with a GID to the external group object. This
>>>>>>>>should result in an error and also the other way round, adding
>>>>>>>>--external to Posix groups.
>>>>>>>Updated patch is attached. It fixes whitespace and group-mod.
>>>>>>New revision.
>>>>>
>>>>>Thank you. This version works well in my tests, so ACK.
>>>>>
>>>>>It would be nice if someone can have a short look at the changes to
>>>>>baseldap.py to see if there are any unexpected side effects.
>>>>>
>>>>>bye,
>>>>>Sumit
>>>>>
>>>>
>>>>
>>>>I'm concerned about this:
>>>>
>>>>         membername = entry[0].lower()
>>>>         member_dn = api.Object[membertype].get_dn(membername)
>>>>         if membername not in external_entries and \
>>>>+            entry[0] not in external_entries and \
>>>>             member_dn not in members:
>>>>
>>>>Do you want to do a case-insensitive compare here? In that case it
>>>>would be better to do:
>>>>
>>>>    lowercase_external_entries = set(e.lower() for e in external_entries)
>>>>    if membername not in lowercase_external_entries ...
>>>>
>>>>instead of comparing the lowercased entry and the entry itself to the
>>>>original list.
>>>>The `in` operator is also faster on a set.
>>>Given that this list is going to be short (~dozen members in most cases) it
>>>is affordable to produce a new set. I'll change it.
>>>
>>>>You should also update the `elif membername in external_entries`
>>>>block below this one.
>>>>There's a similar situation in remove_external_post_callback.
>>>>
>>>>Anyway, if you ran into a situation where the `entry[0] not in
>>>>external_entries` check is needed, there should be a test for it.
>>>Originally this callback was forcing all references to lower case before
>>>comparing. This was applied both to existing and truly external
>>>references. However, for external references we cannot guarantee that
>>>lower case is the right one -- and, indeed, with SIDs one has to follow
>>>SID format which is S-1-* so lowercasing the value is not possible as that
>>>value will be used by SSSD and other sides (DCERPC requests) which don't
>>>expect it to break the format.
>>>
>>>Thus I tried to keep the format.
>>>
>>>I've added several tests:
>>>1. Create group with external membership
>>>2. Attempt to convert posix group to external one
>>>3. Attempt to convert external group to posix
>>>4. Attempt to add external member to it.
>>>5. Delete external membership group to avoid disturbing other tests
>>>   (group-find, etc) that depend on number of groups.
>>>
>>>In the #4 I'm only checking that we are getting exceptions --
>>>either ValidationError or NotFound. You can't do more without setting up
>>>the full trust.
>>>
>>>Even to do that I had to introduce a new type of checker -- checkers that
>>>can be activated with an 'expected' attribute being a callable in a
>>>declarative test definition in xmlrpc tests. This is the easiest way
>>>to deal with multiple exceptions -- just define a lambda that tests
>>>various conditions and let it be executed by the checker.
>>>
>>>>I think something is rotten with add_external_post_callback: it's
>>>>defined as add_external_post_callback(... *keys, **options), but
>>>>invariably called as add_external_post_callback(... keys, options).
>>>>That existed before the patch, though, so I guess it warrants a
>>>>separate ticket.
>>>>
>>>>
>>>>I also have a few obligatory style nitpicks.
>>>>
>>>>For line continuation, instead of backslashes:
>>>>
>>>>    if membername not in external_entries and \
>>>>        entry[0] not in external_entries and \
>>>>        member_dn not in members:
>>>>
>>>>we prefer parentheses:
>>>>
>>>>    if (membername not in external_entries and
>>>>            entry[0] not in external_entries and
>>>>            member_dn not in members):
>>>Don't shoot the follower, it is what was there before me. :)
>>>
>>>Fixed.
>>>
>>>>Instead of:
>>>>
>>>>    normalize = True
>>>>    if 'external_callback_normalize' in options:
>>>>        normalize = options['external_callback_normalize']
>>>>
>>>>you can use:
>>>>
>>>>    options.get('external_callback_normalize', True)
>>>Fixed.
>>>
>>>>
>>>>And in group.py:
>>>>
>>>>-        'memberofindirect': ['group', 'netgroup', 'role', 'hbacrule',
>>>>-            'sudorule'],
>>>>+        'memberofindirect': ['group', 'netgroup', 'role', 'hbacrule', 'sudorule'],
>>>>
>>>>Our style guide limits lines to 80 characters. Not much of IPA
>>>>follows that rule currently, but I don't see a reason for a change
>>>>that *only* breaks the rule.
>>>I find it unreadable when a single element of a list is on a separate
>>>line and also doesn't follow logical indentation for its level.
>>>
>>>New patch is attached.
>>And revised patch after review on IRC with Petr.
>>
>
>I'm definitely not a fan of adding new magic to the test suite, but
>we couldn't find a better way to check for one of two errors that
>didn't involve rewriting the Declarative tests.
>
>So, with this patch, the 'expected' value of a test can be a
>callable, in which case it's called with two arguments (exception,
>output) and must return true for the test to pass.
>
>
>There are still some failures in test_cmdline/test_cli.py, caused by
>the "external" flag added to group-add. Otherwise the patch works
>fine.
Fixed these too. New patch attached.

Thanks for the thorough review!

-- 
/ Alexander Bokovoy
-------------- next part --------------
>From 82abe2c105caf6da53517a567a2482235128b51a Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Wed, 20 Jun 2012 16:08:33 +0300 Subject: [PATCH 10/13] Add support for external group members When using ipaExternalGroup/ipaExternalMember attributes it is possible to add group members which don't exist in IPA database. This is primarily required for AD trusts support and therefore validation is accepting only secure identifier (SID) format. https://fedorahosted.org/freeipa/ticket/2664 --- API.txt | 12 ++-- ipalib/errors.py | 50 +++++++++++++++ ipalib/plugins/baseldap.py | 23 ++++--- ipalib/plugins/group.py | 108 ++++++++++++++++++++++++++++++-- ipalib/plugins/trust.py | 4 ++ ipaserver/dcerpc.py | 93 ++++++++++++++++++++++++--- tests/test_cmdline/test_cli.py | 4 ++ tests/test_xmlrpc/objectclasses.py | 2 + tests/test_xmlrpc/test_group_plugin.py | 65 +++++++++++++++++++ tests/test_xmlrpc/test_user_plugin.py | 12 ++-- tests/test_xmlrpc/xmlrpc_test.py | 14 +++++ 11 files changed, 358 insertions(+), 29 deletions(-) diff --git a/API.txt b/API.txt index 9d91832d995d605b161c13a5ec915f5d84f1d515..ccae47a947c180c0c85658bc393a0d38d4b32c0d 100644 --- a/API.txt +++ b/API.txt
@@ -1196,13 +1196,14 @@ output: Output('total', , None) output: Output('count', , None) output: Output('summary', (, ), None) command: group_add -args: 1,8,3 +args: 1,9,3 arg: Str('cn', attribute=True, cli_name='group_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, required=True) option: Str('description', attribute=True, cli_name='desc', multivalue=False, required=True) option: Int('gidnumber', attribute=True, cli_name='gid', minvalue=1, multivalue=False, required=False) option: Str('setattr*', cli_name='setattr', exclude='webui') option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('nonposix', autofill=True, cli_name='nonposix', default=False) +option: Flag('external', autofill=True, cli_name='external', default=False) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('version?', exclude='webui') @@ -1210,8 +1211,9 @@ output: Output('summary', (, ), None) output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('value', , None) command: group_add_member -args: 1,5,3 +args: 1,6,3 arg: Str('cn', attribute=True, cli_name='group_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=True) +option: Str('ipaexternalmember*', cli_name='external', csv=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('version?', exclude='webui') 
@@ -1265,7 +1267,7 @@ output: ListOfEntries('result', (, ), Gettext('A list output: Output('count', , None) output: Output('truncated', , None) command: group_mod -args: 1,11,3 +args: 1,12,3 arg: Str('cn', attribute=True, cli_name='group_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=True) option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, required=False) option: Int('gidnumber', attribute=True, autofill=False, cli_name='gid', minvalue=1, multivalue=False, required=False) @@ -1274,6 +1276,7 @@ option: Str('addattr*', cli_name='addattr', exclude='webui') option: Str('delattr*', cli_name='delattr', exclude='webui') option: Flag('rights', autofill=True, default=False) option: Flag('posix', autofill=True, cli_name='posix', default=False) +option: Flag('external', autofill=True, cli_name='external', default=False) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('version?', exclude='webui') @@ -1282,8 +1285,9 @@ output: Output('summary', (, ), None) output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('value', , None) command: group_remove_member -args: 1,5,3 +args: 1,6,3 arg: Str('cn', attribute=True, cli_name='group_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=True) +option: Str('ipaexternalmember*', cli_name='external', csv=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('version?', exclude='webui') 
diff --git a/ipalib/errors.py b/ipalib/errors.py index 407d9f7dbcf79c47193a3087fe6efbc50728c903..c25560b8e9270a65feb5d9866f6dcc99e39675ef 100644 --- a/ipalib/errors.py +++ b/ipalib/errors.py @@ -1277,6 +1277,56 @@ class SingleMatchExpected(ExecutionError): format = _('The search criteria was not specific enough. Expected 1 and found %(found)d.') +class AlreadyExternalGroup(ExecutionError): + """ + **4028** Raised when a group is already an external member group + + For example: + + >>> raise AlreadyExternalGroup + Traceback (most recent call last): + ... + AlreadyExternalGroup: This group already allows external members + + """ + + errno = 4028 + format = _('This group already allows external members') + +class ExternalGroupViolation(ExecutionError): + """ + **4029** Raised when a group is already an external member group + and an attempt is made to use it as posix group + + For example: + + >>> raise ExternalGroupViolation + Traceback (most recent call last): + ... + ExternalGroupViolation: This group cannot be posix because it is external + + """ + + errno = 4029 + format = _('This group cannot be posix because it is external') + +class PosixGroupViolation(ExecutionError): + """ + **4030** Raised when a group is already a posix group + and cannot be converted to external + + For example: + + >>> raise PosixGroupViolation + Traceback (most recent call last): + ... + PosixGroupViolation: This is already a posix group and cannot be converted to external one + + """ + + errno = 4030 + format = _('This is already a posix group and cannot be converted to external one') + class BuiltinError(ExecutionError): """ **4100** Base class for builtin execution errors (*4100 - 4199*). diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 475222a6a30863bcc536e1746bf5b338a4e42448..b841435fdcb5e28195fd38a6792233fdc4b7e32a 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py 
@@ -362,23 +362,29 @@ def add_external_post_callback(memberattr, membertype, externalattr, ldap, compl externalattr is one of externaluser, """ completed_external = 0 + normalize = options.get('external_callback_normalize', True) # Sift through the failures. We assume that these are all # entries that aren't stored in IPA, aka external entries. if memberattr in failed and membertype in failed[memberattr]: (dn, entry_attrs_) = ldap.get_entry(dn, [externalattr]) members = entry_attrs.get(memberattr, []) external_entries = entry_attrs_.get(externalattr, []) + lc_external_entries = set(e.lower() for e in external_entries) failed_entries = [] for entry in failed[memberattr][membertype]: membername = entry[0].lower() member_dn = api.Object[membertype].get_dn(membername) - if membername not in external_entries and \ - member_dn not in members: + if (membername not in lc_external_entries and + member_dn not in members): # Not an IPA entry, assume external - external_entries.append(membername) + if normalize: + external_entries.append(membername) + else: + external_entries.append(entry[0]) + lc_external_entries.add(membername) completed_external += 1 - elif membername in external_entries and \ - member_dn not in members: + elif (membername in lc_external_entries and + member_dn not in members): # Already an external member, reset the error message msg = unicode(errors.AlreadyGroupMember().message) newerror = (entry[0], msg) @@ -409,8 +415,11 @@ def remove_external_post_callback(memberattr, membertype, externalattr, ldap, co completed_external = 0 for entry in failed[memberattr][membertype]: membername = entry[0].lower() - if membername in external_entries: - external_entries.remove(membername) + if membername in external_entries or entry[0] in external_entries: + try: + external_entries.remove(membername) + except ValueError: + external_entries.remove(entry[0]) completed_external += 1 else: failed_entries.append(membername) 
diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py index 65657363a463fb0ccb07133c9c84e17b15ffee42..74bea1700f16803af25c3df10a17bd7e20e37942 100644 --- a/ipalib/plugins/group.py +++ b/ipalib/plugins/group.py @@ -22,6 +22,12 @@ from ipalib import api from ipalib import Int, Str from ipalib.plugins.baseldap import * from ipalib import _, ngettext +if api.env.in_server and api.env.context in ['lite', 'server']: + try: + import ipaserver.dcerpc + _dcerpc_bindings_installed = True + except Exception, e: + _dcerpc_bindings_installed = False __doc__ = _(""" Groups of users @@ -83,11 +89,11 @@ class group(LDAPObject): object_name_plural = _('groups') object_class = ['ipausergroup'] object_class_config = 'ipagroupobjectclasses' - possible_objectclasses = ['posixGroup', 'mepManagedEntry'] + possible_objectclasses = ['posixGroup', 'mepManagedEntry', 'ipaExternalGroup'] search_attributes_config = 'ipagroupsearchfields' default_attributes = [ 'cn', 'description', 'gidnumber', 'member', 'memberof', - 'memberindirect', 'memberofindirect', + 'memberindirect', 'memberofindirect', 'ipaexternalmember', ] uuid_attribute = 'ipauniqueid' attribute_members = { @@ -139,10 +145,22 @@ class group_add(LDAPCreate): doc=_('Create as a non-POSIX group'), default=False, ), + Flag('external', + cli_name='external', + doc=_('Allow adding external non-IPA members from trusted domains'), + default=False, + ), ) def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): - if not options['nonposix']: + # As both 'external' and 'nonposix' options have default= set for + # them, they will always be present in options dict, thus we can + # safely reference the values + if options['external']: + entry_attrs['objectclass'].append('ipaexternalgroup') + if 'gidnumber' in options: + raise errors.RequirementError(name='gid') + elif not options['nonposix']: entry_attrs['objectclass'].append('posixgroup') if not 'gidnumber' in options: entry_attrs['gidnumber'] = 999 
@@ -194,11 +212,18 @@ class group_mod(LDAPUpdate): cli_name='posix', doc=_('change to a POSIX group'), ), + Flag('external', + cli_name='external', + doc=_('change to support external non-IPA members from trusted domains'), + default=False, + ), ) def pre_callback(self, ldap, dn, entry_attrs, *keys, **options): - if options['posix'] or 'gidnumber' in options: + if ('posix' in options and options['posix']) or 'gidnumber' in options: (dn, old_entry_attrs) = ldap.get_entry(dn, ['objectclass']) + if 'ipaexternalgroup' in old_entry_attrs['objectclass']: + raise errors.ExternalGroupViolation() if 'posixgroup' in old_entry_attrs['objectclass']: if options['posix']: raise errors.AlreadyPosixGroup() @@ -207,6 +232,15 @@ class group_mod(LDAPUpdate): entry_attrs['objectclass'] = old_entry_attrs['objectclass'] if not 'gidnumber' in options: entry_attrs['gidnumber'] = 999 + if options['external']: + (dn, old_entry_attrs) = ldap.get_entry(dn, ['objectclass']) + if 'posixgroup' in old_entry_attrs['objectclass']: + raise errors.PosixGroupViolation() + if 'ipaexternalgroup' in old_entry_attrs['objectclass']: + raise errors.AlreadyExternalGroup() + else: + old_entry_attrs['objectclass'].append('ipaexternalgroup') + entry_attrs['objectclass'] = old_entry_attrs['objectclass'] # Can't check for this in a validator because we lack context if 'gidnumber' in options and options['gidnumber'] is None: raise errors.RequirementError(name='gid') 
@@ -274,12 +308,64 @@ api.register(group_show) class group_add_member(LDAPAddMember): __doc__ = _('Add members to a group.') + takes_options = ( + Str('ipaexternalmember*', + cli_name='external', + label=_('External member'), + doc=_('comma-separated SIDs of members of a trusted domain'), + csv=True, + flags=['no_create', 'no_update', 'no_search'], + ), + ) + + def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options): + result = (completed, dn) + if 'ipaexternalmember' in options: + if not _dcerpc_bindings_installed: + raise errors.NotFound(name=_('AD Trust'), + reason=_('''Cannot perform external member validation without Samba 4 support installed. + Make sure you have installed server-trust-ad sub-package of IPA on the server''')) + domain_validator = ipaserver.dcerpc.DomainValidator(self.api) + if not domain_validator.is_configured(): + raise errors.NotFound(name=_('AD Trust setup'), + reason=_('''Cannot perform join operation without own domain configured. 
+ Make sure you have run ipa-adtrust-install on the IPA server first''')) + sids = [] + failed_sids = [] + for sid in options['ipaexternalmember']: + if domain_validator.is_trusted_sid_valid(sid): + sids.append(sid) + else: + failed_sids.append((sid, 'Not a trusted domain SID')) + if len(sids) == 0: + raise errors.ValidationError(name=_('external member'), + error=_('values are not recognized as valid SIDs from trusted domain')) + restore = [] + if 'member' in failed and 'group' in failed['member']: + restore = failed['member']['group'] + failed['member']['group'] = list((id,id) for id in sids) + result = add_external_post_callback('member', 'group', 'ipaexternalmember', + ldap, completed, failed, dn, entry_attrs, + keys, options, external_callback_normalize=False) + failed['member']['group'] = restore + failed_sids + return result + api.register(group_add_member) class group_remove_member(LDAPRemoveMember): __doc__ = _('Remove members from a group.') + takes_options = ( + Str('ipaexternalmember*', + cli_name='external', + label=_('External member'), + doc=_('comma-separated SIDs of members of a trusted domain'), + csv=True, + flags=['no_create', 'no_update', 'no_search'], + ), + ) + def pre_callback(self, ldap, dn, found, not_found, *keys, **options): if keys[0] == protected_group_name: result = api.Command.group_show(protected_group_name) 
@@ -290,6 +376,20 @@ class group_remove_member(LDAPRemoveMember): label=_(u'group'), container=protected_group_name) return dn + def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options): + result = (completed, dn) + if 'ipaexternalmember' in options: + sids = options['ipaexternalmember'] + restore = list() + if 'member' in failed and 'group' in failed['member']: + restore = failed['member']['group'] + failed['member']['group'] = list((id,id) for id in sids) + result = remove_external_post_callback('member', 'group', 'ipaexternalmember', + ldap, completed, failed, dn, entry_attrs, + keys, options) + failed['member']['group'] = restore + return result + api.register(group_remove_member) diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index 71ca23abae393fff68e366bba96050deba3d3281..40bd93e654c0365ad202abfd82e84345583459dd 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py @@ -171,6 +171,10 @@ class trust_add(LDAPCreate): realm_server = options['realm_server'] trustinstance = ipaserver.dcerpc.TrustDomainJoins(self.api) + if not trustinstance.configured: + raise errors.NotFound(name=_('AD Trust setup'), + reason=_('''Cannot perform join operation without own domain configured. + Make sure you have run ipa-adtrust-install on the IPA server first''')) # 1. Full access to the remote domain. Use admin credentials and # generate random trustdom password to do work on both sides diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index 3bc8b63af3f416cc45cb75c76fd7b9587f367e3e..07e40c2d35b41a2665232f3e6d853b47aef707bb 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py 
@@ -58,6 +58,79 @@ class ExtendedDNControl(_ldap.controls.RequestControl): def encodeControlValue(self): return '0\x03\x02\x01\x01' +class DomainValidator(object): + ATTR_FLATNAME = 'ipantflatname' + ATTR_SID = 'ipantsecurityidentifier' + ATTR_TRUSTED_SID = 'ipanttrusteddomainsid' + + def __init__(self, api): + self.api = api + self.ldap = self.api.Backend.ldap2 + self.domain = None + self.flatname = None + self.dn = None + self.sid = None + self._domains = None + + def is_configured(self): + cn_trust_local = DN(('cn', self.api.env.domain), self.api.env.container_cifsdomains, self.api.env.basedn) + try: + (dn, entry_attrs) = self.ldap.get_entry(unicode(cn_trust_local), [self.ATTR_FLATNAME, self.ATTR_SID]) + self.flatname = entry_attrs[self.ATTR_FLATNAME][0] + self.sid = entry_attrs[self.ATTR_SID][0] + self.dn = dn + self.domain = self.api.env.domain + except errors.NotFound, e: + return False + return True + + def get_trusted_domains(self): + cn_trust = DN(('cn', 'ad'), self.api.env.container_trusts, self.api.env.basedn) + try: + search_kw = {'objectClass': 'ipaNTTrustedDomain'} + filter = self.ldap.make_filter(search_kw, rules=self.ldap.MATCH_ALL) + (entries, truncated) = self.ldap.find_entries(filter=filter, base_dn=unicode(cn_trust), + attrs_list=[self.ATTR_TRUSTED_SID, 'dn']) + + return entries + except errors.NotFound, e: + return [] + + def is_trusted_sid_valid(self, sid): + if not self.domain: + # our domain is not configured or self.is_configured() never run + # reject SIDs as we can't check correctness of them + return False + # Parse sid string to see if it is really in a SID format + try: + test_sid = security.dom_sid(sid) + except TypeError: + return False + (dom, sid_rid) = test_sid.split() + sid_dom = str(dom) + # Now we have domain prefix of the sid as sid_dom string and can + # analyze it against known prefixes + if sid_dom.find(security.SID_NT_AUTHORITY) != 0: + # Ignore any potential SIDs that are not S-1-5-* + return False + if 
sid_dom.find(self.sid) == 0: + # A SID from our own domain cannot be treated as trusted domain's SID + return False + # At this point we have SID_NT_AUTHORITY family SID and really need to + # check it against prefixes of domain SIDs we trust to + if not self._domains: + self._domains = self.get_trusted_domains() + if len(self._domains) == 0: + # Our domain is configured but no trusted domains are configured + # This means we can't check the correctness of a trusted domain SIDs + return False + # We have non-zero list of trusted domains and have to go through them + # one by one and check their sids as prefixes + for (dn, domaininfo) in self._domains: + if sid_dom.find(domaininfo[self.ATTR_TRUSTED_SID][0]) == 0: + return True + return False + class TrustDomainInstance(object): def __init__(self, hostname, creds=None): @@ -247,20 +320,18 @@ class TrustDomainInstance(object): self._pipe.CreateTrustedDomainEx2(self._policy_handle, info, self.auth_info, security.SEC_STD_DELETE) class TrustDomainJoins(object): - ATTR_FLATNAME = 'ipantflatname' - def __init__(self, api): self.api = api self.local_domain = None self.remote_domain = None - self.ldap = self.api.Backend.ldap2 - cn_trust_local = DN(('cn', self.api.env.domain), self.api.env.container_cifsdomains, self.api.env.basedn) - (dn, entry_attrs) = self.ldap.get_entry(unicode(cn_trust_local), [self.ATTR_FLATNAME]) - self.local_flatname = entry_attrs[self.ATTR_FLATNAME][0] - self.local_dn = dn + domain_validator = DomainValidator(api) + self.configured = domain_validator.is_configured() - self.__populate_local_domain() + if self.configured: + self.local_flatname = domain_validator.flatname + self.local_dn = domain_validator.dn + self.__populate_local_domain() def __populate_local_domain(self): # Initialize local domain info using kerberos only 
@@ -308,6 +379,9 @@ class TrustDomainJoins(object): self.remote_domain = rd def join_ad_full_credentials(self, realm, realm_server, realm_admin, realm_passwd): + if not self.configured: + return None + self.__populate_remote_domain(realm, realm_server, realm_admin, realm_passwd) if not self.remote_domain.read_only: trustdom_pass = samba.generate_random_password(128, 128) @@ -317,6 +391,9 @@ class TrustDomainJoins(object): return None def join_ad_ipa_half(self, realm, realm_server, trustdom_passwd): + if not self.configured: + return None + self.__populate_remote_domain(realm, realm_server, realm_passwd=None) self.local_domain.establish_trust(self.remote_domain, trustdom_passwd) return dict(local=self.local_domain, remote=self.remote_domain) diff --git a/tests/test_cmdline/test_cli.py b/tests/test_cmdline/test_cli.py index d961f8725b5e4360b6c2298f3fddd3589cbb310d..06c6124bb1d3ac57add9e44d1754238063039c6d 100644 --- a/tests/test_cmdline/test_cli.py +++ b/tests/test_cmdline/test_cli.py @@ -66,6 +66,7 @@ class TestCLIParsing(object): cn=u'tgroup1', description=u'Test group', nonposix=False, + external=False, raw=False, all=False, version=API_VERSION) @@ -88,6 +89,7 @@ class TestCLIParsing(object): cn=u'tgroup1', description=u'Test group', nonposix=True, + external=False, raw=False, all=False, version=API_VERSION) @@ -99,6 +101,7 @@ class TestCLIParsing(object): description=u'Test group', gidnumber=u'1234', nonposix=False, + external=False, raw=False, all=False, version=API_VERSION) @@ -109,6 +112,7 @@ class TestCLIParsing(object): cn=u'tgroup1', description=u'Test group', nonposix=False, + external=False, raw=False, all=False, version=API_VERSION) diff --git a/tests/test_xmlrpc/objectclasses.py b/tests/test_xmlrpc/objectclasses.py index a036b34dee195619ce4f2d5e557dae2d5069c700..ed3f73dbe9b92b6f138657766b15f7838b59279f 100644 --- a/tests/test_xmlrpc/objectclasses.py +++ b/tests/test_xmlrpc/objectclasses.py 
@@ -45,6 +45,8 @@ group = [ u'ipaobject', ] +externalgroup = group + [u'ipaexternalgroup'] + host = [ u'ipasshhost', u'ipaSshGroupOfPubKeys', diff --git a/tests/test_xmlrpc/test_group_plugin.py b/tests/test_xmlrpc/test_group_plugin.py index 9597992c5d0644cf13fea5ca2a030f49e4f600be..08cf74185bb7f30211cf94e80174e7c5853e30ca 100644 --- a/tests/test_xmlrpc/test_group_plugin.py +++ b/tests/test_xmlrpc/test_group_plugin.py @@ -28,11 +28,18 @@ from ipalib.dn import * group1 = u'testgroup1' group2 = u'testgroup2' +group3 = u'testgroup3' renamedgroup1 = u'testgroup' user1 = u'tuser1' invalidgroup1=u'+tgroup1' +# When adding external SID member to a group we can't test +# it fully due to possibly missing Samba 4 python bindings +# and/or not configured AD trusts. Thus, we'll use incorrect +# SID value to merely test that proper exceptions are raised +external_sid1=u'S-1-1-123456-789-1' + def get_group_dn(cn): return DN(('cn', cn), api.env.container_group, api.env.basedn) @@ -40,6 +47,7 @@ class test_group(Declarative): cleanup_commands = [ ('group_del', [group1], {}), ('group_del', [group2], {}), + ('group_del', [group3], {}), ('user_del', [user1], {}), ] 
@@ -373,6 +381,63 @@ class test_group(Declarative): ), ), + ############### + # test external SID members for group3: + dict( + desc='Create external %r' % group3, + command=( + 'group_add', [group3], dict(description=u'Test desc 3',external=True) + ), + expected=dict( + value=group3, + summary=u'Added group "testgroup3"', + result=dict( + cn=[group3], + description=[u'Test desc 3'], + objectclass=objectclasses.externalgroup, + ipauniqueid=[fuzzy_uuid], + dn=lambda x: DN(x) == get_group_dn(group3), + ), + ), + ), + + + dict( + desc='Convert posix group %r to support external membership' % (group2), + command=( + 'group_mod', [group2], dict(external=True) + ), + expected=errors.PosixGroupViolation(), + ), + + + dict( + desc='Convert external members group %r to posix' % (group3), + command=( + 'group_mod', [group3], dict(posix=True) + ), + expected=errors.ExternalGroupViolation(), + ), + + + dict( + desc='Add external member %r to %r' % (external_sid1, group3), + command=( + 'group_add_member', [group3], dict(ipaexternalmember=external_sid1) + ), + expected=lambda x, output: type(x) == errors.ValidationError or type(x) == errors.NotFound, + ), + + + dict( + desc='Remove group %r with external membership' % (group3), + command=('group_del', [group3], {}), + expected=dict( + result=dict(failed=u''), + value=group3, + summary=u'Deleted group "testgroup3"', + ), + ), ############### diff --git a/tests/test_xmlrpc/test_user_plugin.py b/tests/test_xmlrpc/test_user_plugin.py index 355a4cbbbbd1a758885c50b8f2450444cff23fd6..b257a90a3550b6933f2d4945b1ae34ceb229090b 100644 --- a/tests/test_xmlrpc/test_user_plugin.py +++ b/tests/test_xmlrpc/test_user_plugin.py @@ -1059,7 +1059,7 @@ class test_user(Declarative): command=( 'config_mod', [], dict(ipahomesrootdir=u'/other-home'), ), - expected=lambda x: True, + expected=lambda x, output: x is None, ), dict( 
@@ -1107,7 +1107,7 @@ class test_user(Declarative): command=( 'config_mod', [], dict(ipahomesrootdir=u'/home'), ), - expected=lambda x: True, + expected=lambda x, output: x is None, ), dict( @@ -1125,7 +1125,7 @@ class test_user(Declarative): command=( 'config_mod', [], dict(ipadefaultloginshell=u'/usr/bin/ipython'), ), - expected=lambda x: True, + expected=lambda x, output: x is None, ), dict( @@ -1172,7 +1172,7 @@ class test_user(Declarative): command=( 'config_mod', [], dict(ipadefaultloginshell=u'/bin/sh'), ), - expected=lambda x: True, + expected=lambda x, output: x is None, ), dict( @@ -1245,7 +1245,7 @@ class test_user(Declarative): command=( 'config_mod', [], dict(ipadefaultprimarygroup=group1), ), - expected=lambda x: True, + expected=lambda x, output: x is None, ), dict( @@ -1328,7 +1328,7 @@ class test_user(Declarative): command=( 'config_mod', [], dict(ipadefaultprimarygroup=u'ipausers'), ), - expected=lambda x: True, + expected=lambda x, output: x is None, ), dict( diff --git a/tests/test_xmlrpc/xmlrpc_test.py b/tests/test_xmlrpc/xmlrpc_test.py index c279107b3e0955cd453612bfe0feeb63225d7904..cfba35fc5d814a7d6b70dbccff891afe1d18598b 100644 --- a/tests/test_xmlrpc/xmlrpc_test.py +++ b/tests/test_xmlrpc/xmlrpc_test.py @@ -260,6 +260,8 @@ class Declarative(XMLRPC_test): raise nose.SkipTest('%r not in api.Command' % cmd) if isinstance(expected, errors.PublicError): self.check_exception(nice, cmd, args, options, expected) + elif hasattr(expected, '__call__'): + self.check_callable(nice, cmd, args, options, expected) else: self.check_output(nice, cmd, args, options, expected, extra_check) 
@@ -285,6 +287,18 @@ class Declarative(XMLRPC_test): # For now just compare the strings assert_deepequal(expected.strerror, e.strerror) + def check_callable(self, nice, cmd, args, options, expected): + output = dict() + e = None + try: + output = api.Command[cmd](*args, **options) + except StandardError, e: + pass + if not expected(e, output): + raise AssertionError( + UNEXPECTED % (cmd, args, options, e.__class__.__name__, e) + ) + def check_output(self, nice, cmd, args, options, expected, extra_check): got = api.Command[cmd](*args, **options) assert_deepequal(expected, got, nice) -- 1.7.10.4 From pviktori at redhat.com Thu Jun 28 13:20:16 2012 
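Review bot: the comment above `external_sid1` in the `@@ -28,11 +28,18 @@` hunk of test_group_plugin.py should say which outcome is expected in which environment, because `S-1-1-123456-789-1` is well-formed SID syntax and so will only fail as "not found" once the Samba bindings and a trust are present; as written, the comment and the group3 test that uses this value together accept either ValidationError or NotFound without recording why. Minor: `external_sid1=u'...'` has no spaces around `=` (it copies the style of `invalidgroup1` directly above it rather than the other assignments in the hunk).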
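Review bot: in the 'Add external member' case of the `@@ -373,6 +381,63 @@` hunk, `type(x) == errors.ValidationError or type(x) == errors.NotFound` should be `isinstance(x, (errors.ValidationError, errors.NotFound))`, which also covers subclasses. Accepting either exception means a regression in SID validation would pass silently on a host without a trust, so the desc should at least say that ValidationError is the branch meant for an unconfigured environment. Style: `dict(description=u'Test desc 3',external=True)` is missing a space after the comma.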
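Review bot: `expected=lambda x, output: x is None` in the `@@ -1059,7 +1059,7 @@` hunk of test_user_plugin.py (and the five identical hunks at 1107, 1125, 1172, 1245 and 1328) asserts only that config_mod raised nothing and discards `output`. These lambdas had to change signature because the new callable branch in xmlrpc_test.py now routes every callable `expected` to `check_callable`, so this is the moment to make them check something, for example that `output` carries the attribute just set, instead of `x is None` alone.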
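Review bot: `elif hasattr(expected, '__call__'):` in the `@@ -260,6 +260,8 @@` hunk of xmlrpc_test.py silently changes the contract for every declarative test that passes a callable as `expected`: it now receives `(exception, output)` through `check_callable` instead of reaching `check_output`. Document that contract next to this branch or in the Declarative class docstring so other test modules stop writing one-argument lambdas like the `lambda x: True` this patch replaces. The ordering is fine: exception instances are not callable, so `errors.PublicError` expectations still go to `check_exception` first.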
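Review bot: in `check_callable` (the `@@ -285,6 +287,18 @@` hunk), when `expected(e, output)` returns false because the command succeeded but produced an unexpected `output`, `e` is still None and the AssertionError is formatted with `e.__class__.__name__` and `e`, which prints `NoneType`/`None` and hides the output that caused the failure; include `output` in the message, or build a separate message for the `e is None` case. Also `except StandardError, e: pass` deliberately lets anything that is not a `StandardError` propagate past the callable, which deserves a one-line comment, and `nice` is accepted but never used in this method.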
From: pviktori at redhat.com (Petr Viktorin)
Date: Thu, 28 Jun 2012 15:20:16 +0200
Subject: [Freeipa-devel] [PATCH] Per-domain DNS update permissions
In-Reply-To: <4FEC37C2.6020203@redhat.com>
References: <1339766543.12383.48.camel@priserak> <1339769714.32038.0.camel@willson.li.ssimo.org> <1340000969.7024.2.camel@balmora.brq.redhat.com> <4FDF4B2F.8020401@redhat.com> <4FE446D1.1040101@redhat.com> <1340367792.32038.400.camel@willson.li.ssimo.org> <4FE46451.2010509@redhat.com> <1340369998.32038.404.camel@willson.li.ssimo.org> <4FE8B30B.4050005@redhat.com> <4FEB019A.5040603@redhat.com> <4FEB2E5D.8060003@redhat.com> <4FEC21EC.4030305@redhat.com> <4FEC37C2.6020203@redhat.com>
Message-ID: <4FEC5A10.3000206@redhat.com>

On 06/28/2012 12:53 PM, Martin Kosek wrote:
> On 06/28/2012 11:20 AM, Petr Viktorin wrote:
>> On 06/27/2012 06:01 PM, Petr Viktorin wrote:
>>> On 06/27/2012 02:50 PM, Martin Kosek wrote:
>>>> On 06/25/2012 08:50 PM, Rob Crittenden wrote:
>>>>> Simo Sorce wrote:
>>>>>> On Fri, 2012-06-22 at 14:25 +0200, Martin Kosek wrote:
>>>>>>> On 06/22/2012 02:23 PM, Simo Sorce wrote:
>>>>>>>> On Fri, 2012-06-22 at 12:20 +0200, Martin Kosek wrote:
>>>>>>>>> On 06/18/2012 05:37 PM, Rob Crittenden wrote:
>>>>>>>>>> Martin Kosek wrote:
>>>>>>>>>>> On Fri, 2012-06-15 at 10:15 -0400, Simo Sorce wrote:
>>>>>>>>>>>> On Fri, 2012-06-15 at 15:22 +0200, Martin Kosek wrote:
>>>>>>>>>>>>> Hello all,
>>>>>>>>>>>>>
>>>>>>>>>>>>> In the scope of ticket 2511 I would like to implement an ability to delegate DNS update permissions to a chosen user (or host) without having to give the user full "Update DNS Entries" privileges, i.e. allow him to modify any DNS zone or record.
>>>>>>>>>>>>>
>>>>>>>>>>>>> So far, this is what I would like to do (comments welcome):
>>>>>>>>>>>>>
>>>>>>>>>>>>> 1) Create new objectclass "idnsManagedZone" with "managedBy" attribute in MAY list
>>>>>>>>>>>>> 2) Create new DNS commands:
>>>>>>>>>>>>>    a] dnszone-add-managedby [--users=USERS] [--hosts=HOSTS]
>>>>>>>>>>>>>    b] dnszone-remove-managedby [--users=USERS] [--hosts=HOSTS]
>>>>>>>>>>>>>    - these commands would add/remove chosen user/host DN to managedBy attribute in chosen DNS zone
>>>>>>>>>>>>> 3) Add new generic ACIs to cn=dns,$SUFFIX:
>>>>>>>>>>>>> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Users and hosts can add DNS entries";allow (add) userattr = "parent[1].managedby#USERDN";)
>>>>>>>>>>>>> ... add similar ACIs for UPDATE, REMOVE access
>>>>>>>>>>>>>
>>>>>>>>>>>>> With these steps done, all that an administrator would need to do to delegate a management of a DNS zone "example.com" is to run this command:
>>>>>>>>>>>>> $ ipa dnszone-add-managedby example.com --users=fbar
>>>>>>>>>>>>>
>>>>>>>>>>>>> The only downside I found so far is that the user would already need to have "Read DNS Entries" permission assigned, otherwise he would not be able to actually read DNS entries (allow rules can't take precedence over deny rule we implemented to deny public access to DNS tree).
>>>>>>>>>>>>>
>>>>>>>>>>>>> An admin could of course create a special privilege and role with just "Read DNS Entries" permission and then assign it to relevant users/groups, but this looks awkward. Any idea to make this simpler? Maybe creating a group "dns readers" by default which would allow such access?
>>>>>>>>>>>>
>>>>>>>>>>>> Change the deny rule to deny to everyone except the user in "parent[1].managedby#USERDN" ?
>>>>>>>>>>>>
>>>>>>>>>>>> Simo.
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Good idea, I will do that. I will just use "parent[0,1].managedby#USERDN" so that user can also read the zone record. This way, a selected user will have read/write access to the chosen zone only, which is exactly what we want to achieve.
>>>>>>>>>>
>>>>>>>>>> Yes, this sounds workable to me too.
>>>>>>>>>>
>>>>>>>>>> rob
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> There were some second thoughts about the proposed design, which I would like to discuss so that we can eventually accept another (better) solution for this feature.
>>>>>>>>>
>>>>>>>>> The main concern here was that proposed solution (based on user list in managedBy attribute in DNS zone) is not in line with the rest of permission&privilege architecture in IPA.
>>>>>>>>>
>>>>>>>>> Here is another idea how to address the feature (I tested it and it would work):
>>>>>>>>> 1) Get rid of the deny rule on cn=dns,$SUFFIX by modifying global access rule (a working patch attached) to avoid current and future issues with extending ACIs (deny rules are evil).
>>>>>>>>>
>>>>>>>>> 2) Add new Managed Entry Definition and Template to automatically add "Manage DNS zone $idsname" permission. These could be used with standard IPA privileges, roles and thus could be assigned to users, groups, hosts, hostgroups...
>>>>>>>>>
>>>>>>>>> 3) New DNS zone managedBy attribute won't be manageable by user, but it will hold a DN of the managed Permission entry
>>>>>>>>>
>>>>>>>>> 4) Add the following ACIs to cn=dns,$SUFFIX:
>>>>>>>>> aci: (targetattr = "*")
>>>>>>>>> (version 3.0; acl "Read DNS entries"; allow (read,search,compare)
>>>>>>>>> userattr = "parent[0,1].managedby#GROUPDN";)
>>>>>>>>>
>>>>>>>>> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")
>>>>>>>>> (version 3.0;acl "Add dns entries";allow (add)
>>>>>>>>> userattr = "parent[1].managedby#GROUPDN";)
>>>>>>>>>
>>>>>>>>> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")
>>>>>>>>> (version 3.0;acl "Remove DNS entries";allow (delete)
>>>>>>>>> userattr = "parent[1].managedby#GROUPDN";)
>>>>>>>>>
>>>>>>>>> aci: (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders")
>>>>>>>>> (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS Entries";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)
>>>>>>>>>
>>>>>>>>> I needed to add permission DN to the managedBy attribute so that I could create just one set of generic ACIs without having to create a set of ACIs for every new zone and thus let users with "Update DNS entries" permission have a write access to the "aci" attribute.
>>>>>>>>>
>>>>>>>>> Would this design be better than the previous one? Comments welcome.
>>>>>>>>
>>>>>>>> Removing Deny ACIs would be great.
>>>>>>>> But don't we need a second set of ACIs to allow uber admins to still control all zones ? or is that part of current ACIs not going to change ?
>>>>>>>>
>>>>>>>> Simo.
>>>>>>>>
>>>>>>>
>>>>>>> Thanks to the removal of the deny rule, this would be already allowed by this existing ACI:
>>>>>>>
>>>>>>> aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf || serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
>>>>>>
>>>>>> Oh right!
>>>>>> I like it even more then :-)
>>>>>>
>>>>>> Simo.
>>>>>>
>>>>>
>>>>> Yes, this looks like it will work and eliminating a deny rule is a definite plus.
>>>>>
>>>>> rob
>>>>
>>>> I have finished a patch based on the second design. IMO it is indeed better - no deny ACI for DNS and just a standard permission for per-zone access delegation.
>>>>
>>>> There is just one difference from the proposed design draft: per-zone permissions are not created automatically by Managed Entry plugin, but rather manually and only for DNS zones where per-zone access is needed. There is a new command for that - dnszone-add-permission.
>>>>
>>>> This will leave permission tree cleaner + we won't have to deal with all Managed Entry plugin machinery.
>>>>
>>>> More details can be found in a commit message.
>>>>
>>>> Martin
>>>>
>>>
>>> In permission_add_noaci.get_options, it would be better to filter out the `permission.aci_attributes`. If you only allow ('all', 'raw', 'permissiontype'), the list will have to be updated whenever a new global option is added.
>>> (This would happen for ticket #2732; I'll want to make the 'version' argument explicit for all commands.)
>
> Right, I fixed the option generation to rather simply filter out ACI attribute list we already have available.
>
>>>
>>>
>>> Unprivileged users can find out if a zone is defined by trying to delete it. Is this expected behavior?
>>>
>>> $ ipa dnszone-del idm.lab.bos.redhat.com
>>> ipa: ERROR: Insufficient access: Insufficient 'delete' privilege to delete the entry 'idnsname=idm.lab.bos.redhat.com,cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com'.
>>>
>>> $ ipa dnszone-del does.not.exist
>>> ipa: ERROR: does.not.exist: DNS zone not found
>
> Yeah, that's true. Not sure if we can do much about it, that's how LDAP behaves. But since no actual record value is returned to the user he could only try to brute-force the LDAP structure. This should not hurt, he could as well try to brute force the DNS records via DNS queries which would even give him more information.
>
> Bottom line is that I think that current ACIs are right, but I can be convinced with a better solution...
>
>>>
>>>
>>> The patch works well on upgrade. Tomorrow I'll test a fresh install.
>>>
>>
>> One more comment: there is no error message when removing a permission that doesn't exist:
>>
>> $ ./ipa dnszone_remove_permission idm.lab.bos.redhat.com
>> ------------------------------------------------------------------
>> Removed system permission "Manage DNS zone idm.lab.bos.redhat.com"
>> ----------------------------------------------------------------
>> $ ./ipa dnszone_remove_permission idm.lab.bos.redhat.com
>> ------------------------------------------------------------------
>> Removed system permission "Manage DNS zone idm.lab.bos.redhat.com"
>> ----------------------------------------------------------------
>>
>> I found no other issues.
>>
>
> Fixed:
> # ipa dnszone-remove-permission example.com
> -------------------------------------------------------
> Removed system permission "Manage DNS zone example.com"
> -------------------------------------------------------
> # ipa dnszone-remove-permission example.com
> ipa: ERROR: Manage DNS zone example.com: permission not found
>
> Martin
>

ACK

--
Petr³

From mkosek at redhat.com Thu Jun 28 13:29:17 2012
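The final ACI design in the thread above (a zone's managedBy holding the DN of its "Manage DNS zone" permission, read and write rules keyed on parent[0,1], add and delete rules on parent[1], no deny rule, and the admins groupdn rule) is easier to reason about with a small evaluator. This is an added example, not FreeIPA or 389-ds code: the directory contents, the DNs, the permission/privilege/role nesting resolved through a `member` attribute, and the bounded recursion depth are all constructed assumptions, and targetattr filtering is ignored.

```python
"""Added example (not FreeIPA or 389-ds code): a plain-Python model of the
per-zone DNS delegation ACIs discussed on the list, evaluated against a
constructed directory.  Assumptions: GROUPDN matching against an IPA
permission entry is modelled as nested 'member' lookups (permission ->
privilege -> role -> user) bounded to a small depth; targetattr lists in
the real ACIs are ignored."""

SUFFIX = "dc=example,dc=com"
DNS_CONTAINER = "cn=dns," + SUFFIX
ADMINS_DN = "cn=admins,cn=groups,cn=accounts," + SUFFIX
PERM_DN = "cn=Manage DNS zone example.com,cn=permissions,cn=pbac," + SUFFIX
PRIV_DN = "cn=DNS example.com privilege,cn=privileges,cn=pbac," + SUFFIX
ROLE_DN = "cn=DNS example.com role,cn=roles,cn=accounts," + SUFFIX
FBAR = "uid=fbar,cn=users,cn=accounts," + SUFFIX
ADMIN = "uid=admin,cn=users,cn=accounts," + SUFFIX

# Constructed sample directory: DN -> attributes.  Only example.com has been
# delegated (its managedBy names the permission entry); other.com has not.
DIRECTORY = {
    DNS_CONTAINER: {},
    "idnsname=example.com," + DNS_CONTAINER: {"managedby": [PERM_DN]},
    "idnsname=www,idnsname=example.com," + DNS_CONTAINER: {"arecord": ["192.0.2.10"]},
    "idnsname=other.com," + DNS_CONTAINER: {},
    PERM_DN: {"member": [PRIV_DN]},
    PRIV_DN: {"member": [ROLE_DN]},
    ROLE_DN: {"member": [FBAR]},
    ADMINS_DN: {"member": [ADMIN]},
}

# operation -> (ancestor levels named by parent[...], rule carries the
# target "ldap:///idnsname=*,cn=dns,$SUFFIX").  The read rule has no target.
ACI_RULES = {
    "read": ((0, 1), False),
    "write": ((0, 1), True),
    "add": ((1,), True),
    "delete": ((1,), True),
}


def parent_dn(dn, level):
    """Drop `level` leading RDNs, like the ACI keyword parent[level]."""
    return ",".join(dn.split(",")[level:])  # sample DNs have no escaped commas


def is_member(bind_dn, group_dn, depth=5):
    """Nested membership through 'member', bounded like directory nesting limits."""
    if depth < 0 or group_dn not in DIRECTORY:
        return False
    members = DIRECTORY[group_dn].get("member", [])
    return bind_dn in members or any(is_member(bind_dn, m, depth - 1) for m in members)


def managedby_allows(bind_dn, target_dn, levels):
    """userattr = "parent[levels].managedby#GROUPDN": the bind DN must belong to
    a group named in managedBy on the target itself (level 0) or an ancestor."""
    for level in levels:
        entry = DIRECTORY.get(parent_dn(target_dn, level), {})
        if any(is_member(bind_dn, g) for g in entry.get("managedby", [])):
            return True
    return False


def is_allowed(bind_dn, op, target_dn):
    """Default deny; allow only when one of the modelled allow rules matches.
    For add and delete, target_dn is the entry being created or removed."""
    if not target_dn.endswith(DNS_CONTAINER):
        return False
    if is_member(bind_dn, ADMINS_DN):  # "Admin can manage any entry", allow (all)
        return True
    levels, idnsname_only = ACI_RULES[op]
    if idnsname_only and not target_dn.startswith("idnsname="):
        return False
    return managedby_allows(bind_dn, target_dn, levels)


if __name__ == "__main__":
    zone = "idnsname=example.com," + DNS_CONTAINER
    for who, op, target in [
        (FBAR, "read", zone),
        (FBAR, "add", "idnsname=mail," + zone),              # record in own zone
        (FBAR, "add", "idnsname=new.com," + DNS_CONTAINER),  # parent[1] is cn=dns
        (FBAR, "delete", zone),                              # parent[1] is cn=dns
        (FBAR, "read", "idnsname=other.com," + DNS_CONTAINER),
        (ADMIN, "delete", "idnsname=other.com," + DNS_CONTAINER),
    ]:
        print("%-9s %-6s %-50s %s" % (who.split(",")[0], op, target, is_allowed(who, op, target)))
```

Running it shows the consequence of the parent[1] rules for add and delete: fbar can read and modify example.com and add records under it, but can neither create a new zone nor delete example.com itself, because parent[1] of a zone entry is cn=dns, which carries no managedBy.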
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 28 Jun 2012 15:29:17 +0200
Subject: [Freeipa-devel] [PATCH] Per-domain DNS update permissions
In-Reply-To: <4FEC5A10.3000206@redhat.com>
References: <1339766543.12383.48.camel@priserak> <1339769714.32038.0.camel@willson.li.ssimo.org> <1340000969.7024.2.camel@balmora.brq.redhat.com> <4FDF4B2F.8020401@redhat.com> <4FE446D1.1040101@redhat.com> <1340367792.32038.400.camel@willson.li.ssimo.org> <4FE46451.2010509@redhat.com> <1340369998.32038.404.camel@willson.li.ssimo.org> <4FE8B30B.4050005@redhat.com> <4FEB019A.5040603@redhat.com> <4FEB2E5D.8060003@redhat.com> <4FEC21EC.4030305@redhat.com> <4FEC37C2.6020203@redhat.com> <4FEC5A10.3000206@redhat.com>
Message-ID: <4FEC5C2D.7070307@redhat.com>

On 06/28/2012 03:20 PM, Petr Viktorin wrote:
> On 06/28/2012 12:53 PM, Martin Kosek wrote:
>
> ACK
>

Pushed to master.

Martin

From pvoborni at redhat.com Thu Jun 28 13:59:46 2012
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 28 Jun 2012 15:59:46 +0200
Subject: [Freeipa-devel] [PATCH] 162 Web UI password is going to expire in n days notification
In-Reply-To: <4FEB19B6.2070408@redhat.com>
References: <4FE9CB2A.70704@redhat.com> <4FEA67CB.2060205@redhat.com> <4FEB19B6.2070408@redhat.com>
Message-ID: <4FEC6352.10505@redhat.com>

On 06/27/2012 04:33 PM, Petr Vobornik wrote:
> On 06/27/2012 03:54 AM, Endi Sukma Dewata wrote:
>> On 6/26/2012 9:46 AM, Petr Vobornik wrote:
>>> This patch is more like a draft.
>>>
>>> I'm not sure where to display the 'password is going to expire' notification.
>>>
>>> I was deciding between:
>>> 1) red bold text in Web UI header
>>> 2) popup dialog after Web UI initialization
>>>
>>> I don't like unwanted pop-up dialogs so I used the first option.
>>
>> If we only support 1 short message I'd prefer option #1. Some users might not want to reset the password immediately, so they need to be constantly reminded about the password expiration.
>>
>> If the message is too long, or we want to support multiple messages (not just for password expiration), we can show a message icon like in the upper right corner of Fedora desktop. When you click it it will open a dialog box listing all messages. In this dialog you can delete each message. The icon will disappear only if there's no message left.
>>
>>> I didn't make a 'password reset link' because it is done in user's detail page and a link there is right next to this notification.
>>
>> I'd say the message should include a link, something like this:
>>
>> Your password will expire in n days. [Reset your password].
>>
>> The link is important because:
>>
>> * Without the link the message doesn't tell you what to do or how to reset the password.
>> * Users might not realize that the [Logged In As: ] is a link that can bring them to their profile page.
>> * Even if they're in the right page, they might not know there's a reset password link in the action panel.
>>
>> The [Reset your password] link can open the Password Reset dialog for the current user, regardless of the current page. To avoid confusion the dialog probably should be changed to show the username of the user being updated.
>>
>> What do you think?
>>
>
> I like it.
>
> I'll add the reset link next to the message. If we encounter more cases we can move it to the notification icon functionality.
>
> I found more non-existing options used and also #2876. I'll return to this ticket when I fix these regressions.
>

Here's an updated version. It displays the warning with a reset link next to it.

I slightly modified user_password_dialog to be usable alone.

--
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0162-1-Web-UI-password-is-going-to-expire-in-n-days-notific.patch
Type: text/x-patch
Size: 15706 bytes
Desc: not available
URL:

From pvoborni at redhat.com Thu Jun 28 14:07:02 2012
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 28 Jun 2012 16:07:02 +0200
Subject: [Freeipa-devel] [PATCH] 165 Display loginas information only after login
Message-ID: <4FEC6506.7050205@redhat.com>

Message 'Logged in as: user at FREEIPA.ORG' was displayed before the user was logged in. It was wrong. Now 'Logged in as: XXX' is displayed only when user XXX is logged in. So no more user at FREEIPA.ORG :) .

https://fedorahosted.org/freeipa/ticket/2882

--
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0165-Display-loginas-information-only-after-login.patch
Type: text/x-patch
Size: 2004 bytes
Desc: not available
URL:

From pviktori at redhat.com Thu Jun 28 14:50:36 2012
From: pviktori at redhat.com (Petr Viktorin) Date: Thu, 28 Jun 2012 16:50:36 +0200 Subject: [Freeipa-devel] [PATCH] External group membership for trusted domains In-Reply-To: <20120628125814.GD6687@redhat.com> References: <20120621152602.GA28689@redhat.com> <20120625105914.GX29454@localhost.localdomain> <20120625130652.GC5935@redhat.com> <20120627095656.GB16889@redhat.com> <20120627103605.GG29454@localhost.localdomain> <4FEAEFAB.2080604@redhat.com> <20120627141930.GC16889@redhat.com> <20120628121651.GC6687@redhat.com> <4FEC4F74.4060006@redhat.com> <20120628125814.GD6687@redhat.com> Message-ID: <4FEC6F3C.8050703@redhat.com> On 06/28/2012 02:58 PM, Alexander Bokovoy wrote: > On Thu, 28 Jun 2012, Petr Viktorin wrote: >> On 06/28/2012 02:16 PM, Alexander Bokovoy wrote: >>> On Wed, 27 Jun 2012, Alexander Bokovoy wrote: >>>> On Wed, 27 Jun 2012, Petr Viktorin wrote: >>>>> On 06/27/2012 12:36 PM, Sumit Bose wrote: >>>>>> On Wed, Jun 27, 2012 at 12:56:56PM +0300, Alexander Bokovoy wrote: >>>>>>> On Mon, 25 Jun 2012, Alexander Bokovoy wrote: >>>>>>>> On Mon, 25 Jun 2012, Sumit Bose wrote: >>>>>>>>> Hi Alexander, >>>>>>>>> >>>>>>>>> On Thu, Jun 21, 2012 at 06:26:02PM +0300, Alexander Bokovoy wrote: >>>>>>>>>> Hi! >>>>>>>>>> >>>>>>>>>> Attached is the patch to support external group membership for >>>>>>>>>> trusted >>>>>>>>>> domains. This is needed to get proper group membership with the >>>>>>>>>> work >>>>>>>>>> Sumit and Jan are doing on both IPA and SSSD sides. >>>>>>>>>> >>>>>>>>>> We already have ipaExternalGroup class that includes >>>>>>>>>> ipaExternalMember >>>>>>>>>> attribute (multivalued case-insensitive string). The group >>>>>>>>>> that has >>>>>>>>>> ipaExternalGroup object class will have to be non-POSIX and >>>>>>>>>> ipaExternalMember >>>>>>>>>> attribute will contain security identifiers (SIDs) of members >>>>>>>>>> from >>>>>>>>>> trusted domains. >>>>>>>>>> >>>>>>>>>> The patch takes care of three things: >>>>>>>>>> 1. 
Extends 'ipa group-add' with --external option to add >>>>>>>>>> ipaExternalGroup object class to a new group >>>>>>>>>> 2. Modifies 'ipa group-add-member' to accept --external CSV >>>>>>>>>> argument >>>>>>>>>> to specify SIDs >>>>>>>>>> 3. Modifies 'ipa group-del-member' to allow removing external >>>>>>>>>> members. >>>>>>>>> >>>>>>>>> Thank you for the patch, it works as expected, but I have a few >>>>>>>>> comments: >>>>>>>>> >>>>>>>>> - there is a trailing whitespace at the end of the "This means we >>>>>>>>> can't >>>>>>>>> check the correctness of a trusted domain SIDs" line >>>>>>>>> - when using ipa group-add-member with --external there are still >>>>>>>>> prompts >>>>>>>>> for [member user] and [member group], can those be suppressed? >>>>>>>>> - with ipa group-mod --posix it is possible to add the posixGroup >>>>>>>>> objectclass together with a GID to the external group object. This >>>>>>>>> should result in an error and also the other way round, adding >>>>>>>>> --external to Posix groups. >>>>>>>> Updated patch is attached. It fixes whitespace and group-mod. >>>>>>> New revision. >>>>>> >>>>>> Thank you. This version works well in my tests, so ACK. >>>>>> >>>>>> It would be nice if someone can have a short look at the changes to >>>>>> baseldap.py to see if there are any unexpected side effects. >>>>>> >>>>>> bye, >>>>>> Sumit >>>>>> >>>>> >>>>> >>>>> I'm concerned about this: >>>>> >>>>> membername = entry[0].lower() >>>>> member_dn = api.Object[membertype].get_dn(membername) >>>>> if membername not in external_entries and \ >>>>> + entry[0] not in external_entries and \ >>>>> member_dn not in members: >>>>> >>>>> Do you want to do a case-insensitive compare here? In that case it >>>>> would be better to do: >>>>> >>>>> lowercase_external_entries = set(e.lower() for e in external_entries) >>>>> if membername not in lowercase_external_entries ... >>>>> >>>>> instead of comparing the lowercased entry and the entry itself to the >>>>> original list.
>>>>> The `in` operator is also faster on a set. >>>> Given that this list is going to be short (~dozen members in most >>>> cases) it >>>> is affordable to produce a new set. I'll change it. >>>> >>>>> You should also update the `elif membername in external_entries` >>>>> block below this one. >>>>> There's a similar situation in remove_external_post_callback. >>>>> >>>>> Anyway, if you ran into a situation where the `entry[0] not in >>>>> external_entries` check is needed, there should be a test for it. >>>> Originally this callback was forcing all references to lower case >>>> before >>>> comparing. This was applied both to existing and truly external >>>> references. However, for external references we cannot guarantee that >>>> lower case is the right one -- and, indeed, with SIDs one has to follow >>>> SID format which is S-1-* so lowercasing the value is not possible as >>>> that >>>> value will be used by SSSD and other sides (DCERPC requests) which >>>> don't >>>> expect it to break the format. >>>> >>>> Thus I tried to keep the format. >>>> >>>> I've added several tests: >>>> 1. Create group with external membership >>>> 2. Attempt to convert posix group to external one >>>> 3. Attempt to convert external group to posix >>>> 4. Attempt to add external member to it. >>>> 5. Delete external membership group to avoid disturbing other tests >>>> (group-find, etc) that depend on number of groups. >>>> >>>> In the #4 I'm only checking that we are getting exceptions -- >>>> either ValidationError or NotFound. You can't do more without >>>> setting up >>>> the full trust. >>>> >>>> Even to do that I had to introduce a new type of checkers -- checkers >>>> that >>>> can be activated with an 'expected' attribute being a callable in a >>>> declarative test definition in xmlrpc tests. This is the easiest way >>>> to deal with multiple exceptions -- just define a lambda that tests >>>> various conditions and let it be executed by the checker.
>>>> >>>>> I think something is rotten with add_external_post_callback: it's >>>>> defined as add_external_post_callback(... *keys, **options), but >>>>> invariably called as add_external_post_callback(... keys, options). >>>>> That existed before the patch, though, so I guess it warrants a >>>>> separate ticket. >>>>> >>>>> >>>>> I also have a few obligatory style nitpicks. >>>>> >>>>> For line continuation, instead of backslashes: >>>>> >>>>> if membername not in external_entries and \ >>>>> entry[0] not in external_entries and \ >>>>> member_dn not in members: >>>>> >>>>> we prefer parentheses: >>>>> >>>>> if (membername not in external_entries and >>>>> entry[0] not in external_entries and >>>>> member_dn not in members): >>>> Don't shoot the follower, it is what was there before me. :) >>>> >>>> Fixed. >>>> >>>>> Instead of: >>>>> >>>>> normalize = True >>>>> if 'external_callback_normalize' in options: >>>>> normalize = options['external_callback_normalize'] >>>>> >>>>> you can use: >>>>> >>>>> options.get('external_callback_normalize', True) >>>> Fixed. >>>> >>>>> >>>>> And in group.py: >>>>> >>>>> - 'memberofindirect': ['group', 'netgroup', 'role', 'hbacrule', >>>>> - 'sudorule'], >>>>> + 'memberofindirect': ['group', 'netgroup', 'role', 'hbacrule', >>>>> 'sudorule'], >>>>> >>>>> Our style guide limits lines to 80 characters. Not much of IPA >>>>> follows that rule currently, but I don't see a reason for a change >>>>> that *only* breaks the rule. >>>> I find it unreadable when a single element of a list is on a separate >>>> line and also doesn't follow logical indentation for its level. >>>> >>>> New patch is attached. >>> And revised patch after review on IRC with Petr. >>> >> >> I'm definitely not a fan of adding new magic to the test suite, but we >> couldn't find a better way to check for one of two errors that didn't >> involve rewriting the Declarative tests.
>> >> So, with this patch, the 'expected' value of a test can be a callable, >> in which case it's called with two arguments (exception, output) and >> must return true for the test to pass. >> >> >> There are still some failures in test_cmdline/test_cli.py, caused by >> the "external" flag added to group-add. Otherwise the patch works fine. > Fixed these too. New patch attached. > > Thanks for the thorough review! > ACK for the Python part, please push. Thank you for the patch! -- Petr³ From mkosek at redhat.com Thu Jun 28 14:54:53 2012
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 28 Jun 2012 16:54:53 +0200 Subject: [Freeipa-devel] [PATCH] External group membership for trusted domains In-Reply-To: <4FEC6F3C.8050703@redhat.com> References: <20120621152602.GA28689@redhat.com> <20120625105914.GX29454@localhost.localdomain> <20120625130652.GC5935@redhat.com> <20120627095656.GB16889@redhat.com> <20120627103605.GG29454@localhost.localdomain> <4FEAEFAB.2080604@redhat.com> <20120627141930.GC16889@redhat.com> <20120628121651.GC6687@redhat.com> <4FEC4F74.4060006@redhat.com> <20120628125814.GD6687@redhat.com> <4FEC6F3C.8050703@redhat.com> Message-ID: <4FEC703D.7040904@redhat.com> On 06/28/2012 04:50 PM, Petr Viktorin wrote: > On 06/28/2012 02:58 PM, Alexander Bokovoy wrote: >> On Thu, 28 Jun 2012, Petr Viktorin wrote: >>> On 06/28/2012 02:16 PM, Alexander Bokovoy wrote: >>>> On Wed, 27 Jun 2012, Alexander Bokovoy wrote: >>>>> On Wed, 27 Jun 2012, Petr Viktorin wrote: >>>>>> On 06/27/2012 12:36 PM, Sumit Bose wrote: >>>>>>> On Wed, Jun 27, 2012 at 12:56:56PM +0300, Alexander Bokovoy wrote: >>>>>>>> On Mon, 25 Jun 2012, Alexander Bokovoy wrote: >>>>>>>>> On Mon, 25 Jun 2012, Sumit Bose wrote: >>>>>>>>>> Hi Alexander, >>>>>>>>>> >>>>>>>>>> On Thu, Jun 21, 2012 at 06:26:02PM +0300, Alexander Bokovoy wrote: >>>>>>>>>>> Hi! >>>>>>>>>>> >>>>>>>>>>> Attached is the patch to support external group membership for >>>>>>>>>>> trusted >>>>>>>>>>> domains. This is needed to get proper group membership with the >>>>>>>>>>> work >>>>>>>>>>> Sumit and Jan are doing on both IPA and SSSD sides. >>>>>>>>>>> >>>>>>>>>>> We already have ipaExternalGroup class that includes >>>>>>>>>>> ipaExternalMember >>>>>>>>>>> attribute (multivalued case-insensitive string). The group >>>>>>>>>>> that has >>>>>>>>>>> ipaExternalGroup object class will have to be non-POSIX and >>>>>>>>>>> ipaExternalMember >>>>>>>>>>> attribute will contain security identifiers (SIDs) of members >>>>>>>>>>> from >>>>>>>>>>> trusted domains. 
>>>>>>>>>>> >>>>>>>>>>> The patch takes care of three things: >>>>>>>>>>> 1. Extends 'ipa group-add' with --external option to add >>>>>>>>>>> ipaExternalGroup object class to a new group >>>>>>>>>>> 2. Modifies 'ipa group-add-member' to accept --external CSV >>>>>>>>>>> argument >>>>>>>>>>> to specify SIDs >>>>>>>>>>> 3. Modifies 'ipa group-del-member' to allow removing external >>>>>>>>>>> members. >>>>>>>>>> >>>>>>>>>> Thank you for the patch, it works as expected, but I have a few >>>>>>>>>> comments: >>>>>>>>>> >>>>>>>>>> - there is a trailing whitespace at the end of the "This means we >>>>>>>>>> can't >>>>>>>>>> check the correctness of a trusted domain SIDs" line >>>>>>>>>> - when using ipa group-add-member with --external there are still >>>>>>>>>> prompts >>>>>>>>>> for [member user] and [member group], can those be suppressed? >>>>>>>>>> - with ipa group-mod --posix it is possible to add the posixGroup >>>>>>>>>> objectclass together with a GID to the external group object. This >>>>>>>>>> should result in an error and also the other way round, adding >>>>>>>>>> --external to Posix groups. >>>>>>>>> Updated patch is attached. It fixes whitespace and group-mod. >>>>>>>> New revision. >>>>>>> >>>>>>> Thank you. This version works well in my tests, so ACK. >>>>>>> >>>>>>> It would be nice if someone can have a short look at the changes to >>>>>>> baseldap.py to see if there are any unexpected side effects. >>>>>>> >>>>>>> bye, >>>>>>> Sumit >>>>>>> >>>>>> >>>>>> >>>>>> I'm concerned about this: >>>>>> >>>>>> membername = entry[0].lower() >>>>>> member_dn = api.Object[membertype].get_dn(membername) >>>>>> if membername not in external_entries and \ >>>>>> + entry[0] not in external_entries and \ >>>>>> member_dn not in members: >>>>>> >>>>>> Do you want to do a case-insensitive compare here?
In that case it >>>>>> would be better to do: >>>>>> >>>>>> lowercase_external_entries = set(e.lower() for e in external_entries) >>>>>> if membername not in lowercase_external_entries ... >>>>>> >>>>>> instead of comparing the lowercased entry and the entry itself to the >>>>>> original list. >>>>>> The `in` operator is also faster on a set. >>>>> Given that this list is going to be short (~dozen members in most >>>>> cases) it >>>>> is affordable to produce a new set. I'll change it. >>>>> >>>>>> You should also update the `elif membername in external_entries` >>>>>> block below this one. >>>>>> There's a similar situation in remove_external_post_callback. >>>>>> >>>>>> Anyway, if you ran into a situation where the `entry[0] not in >>>>>> external_entries` check is needed, there should be a test for it. >>>>> Originally this callback was forcing all references to lower case >>>>> before >>>>> comparing. This was applied both to existing and truly external >>>>> references. However, for external references we cannot guarantee that >>>>> lower case is the right one -- and, indeed, with SIDs one has to follow >>>>> SID format which is S-1-* so lowercasing the value is not possible as >>>>> that >>>>> value will be used by SSSD and other sides (DCERPC requests) which >>>>> don't >>>>> expect it to break the format. >>>>> >>>>> Thus I tried to keep the format. >>>>> >>>>> I've added several tests: >>>>> 1. Create group with external membership >>>>> 2. Attempt to convert posix group to external one >>>>> 3. Attempt to convert external group to posix >>>>> 4. Attempt to add external member to it. >>>>> 5. Delete external membership group to avoid disturbing other tests >>>>> (group-find, etc) that depend on number of groups. >>>>> >>>>> In the #4 I'm only checking that we are getting exceptions -- >>>>> either ValidationError or NotFound. You can't do more without >>>>> setting up >>>>> the full trust.
>>>>> >>>>> Even to do that I had to introduce a new type of checkers -- checkers >>>>> that >>>>> can be activated with an 'expected' attribute being a callable in a >>>>> declarative test definition in xmlrpc tests. This is the easiest way >>>>> to deal with multiple exceptions -- just define a lambda that tests >>>>> various conditions and let it be executed by the checker. >>>>> >>>>>> I think something is rotten with add_external_post_callback: it's >>>>>> defined as add_external_post_callback(... *keys, **options), but >>>>>> invariably called as add_external_post_callback(... keys, options). >>>>>> That existed before the patch, though, so I guess it warrants a >>>>>> separate ticket. >>>>>> >>>>>> >>>>>> I also have a few obligatory style nitpicks. >>>>>> >>>>>> For line continuation, instead of backslashes: >>>>>> >>>>>> if membername not in external_entries and \ >>>>>> entry[0] not in external_entries and \ >>>>>> member_dn not in members: >>>>>> >>>>>> we prefer parentheses: >>>>>> >>>>>> if (membername not in external_entries and >>>>>> entry[0] not in external_entries and >>>>>> member_dn not in members): >>>>> Don't shoot the follower, it is what was there before me. :) >>>>> >>>>> Fixed. >>>>> >>>>>> Instead of: >>>>>> >>>>>> normalize = True >>>>>> if 'external_callback_normalize' in options: >>>>>> normalize = options['external_callback_normalize'] >>>>>> >>>>>> you can use: >>>>>> >>>>>> options.get('external_callback_normalize', True) >>>>> Fixed. >>>>> >>>>>> >>>>>> And in group.py: >>>>>> >>>>>> - 'memberofindirect': ['group', 'netgroup', 'role', 'hbacrule', >>>>>> - 'sudorule'], >>>>>> + 'memberofindirect': ['group', 'netgroup', 'role', 'hbacrule', >>>>>> 'sudorule'], >>>>>> >>>>>> Our style guide limits lines to 80 characters. Not much of IPA >>>>>> follows that rule currently, but I don't see a reason for a change >>>>>> that *only* breaks the rule.
>>>>> I find it unreadable when a single element of a list is on a separate >>>>> line and also doesn't follow logical indentation for its level. >>>>> >>>>> New patch is attached. >>>> And revised patch after review on IRC with Petr. >>>> >>> >>> I'm definitely not a fan of adding new magic to the test suite, but we >>> couldn't find a better way to check for one of two errors that didn't >>> involve rewriting the Declarative tests. >>> >>> So, with this patch, the 'expected' value of a test can be a callable, >>> in which case it's called with two arguments (exception, output) and >>> must return true for the test to pass. >>> >>> >>> There are still some failures in test_cmdline/test_cli.py, caused by >>> the "external" flag added to group-add. Otherwise the patch works fine. >> Fixed these too. New patch attached. >> >> Thanks for the thorough review! >> > > ACK for the Python part, please push. > Thank you for the patch! > Pushed to master. Martin From mkosek at redhat.com Thu Jun 28 15:07:00 2012
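The review above settles on two different comparison rules for group members: local IPA member names are matched case-insensitively through a lowercased set, while external members are SIDs whose S-1-* text must never be case-folded because SSSD and DCE/RPC consumers read the stored string verbatim. The following is an added example written for this page to show both rules side by side; it is not the FreeIPA baseldap.py callback. The function names, the constructed SIDs and the "malformed SID" rejection are assumptions made for the example.

```python
import re

# Added example for this thread, not FreeIPA's own code. It separates the
# two membership checks the review discusses: local names compared through
# a lowercased set, external SIDs compared exactly as given.

# Textual SID: "S-1-", the identifier authority, then at least one
# sub-authority, all decimal. The leading "S" is upper case by definition,
# so a lowercased SID deliberately fails this check instead of being stored.
SID_RE = re.compile(r'^S-1-\d+(?:-\d+)+$')


def is_sid(value):
    """True if value has the textual SID format (case-sensitive match)."""
    return bool(SID_RE.match(value))


def classify_members(requested, existing_local, existing_external):
    """Split requested member references into local names and external SIDs.

    requested:         names or SIDs as typed on the command line (assumed input)
    existing_local:    local members already in the group, in any letter case
    existing_external: SIDs already stored in ipaExternalMember

    Returns (to_add_local, to_add_external, errors). Local names in the
    result are lowercased; SIDs are returned unchanged.
    """
    # One lowercased set for local names, as the review suggests, so the
    # lookup is case-insensitive and runs in constant time per member.
    local_present = {name.lower() for name in existing_local}
    # SIDs are looked up as given: the stored value is never lowercased.
    external_present = set(existing_external)

    to_add_local, to_add_external, errors = [], [], []
    for ref in requested:
        if is_sid(ref):
            if ref in external_present:
                errors.append((ref, 'already an external member'))
            else:
                to_add_external.append(ref)
        elif ref.lower().startswith('s-1-'):
            # Looks like a SID but is malformed (e.g. wrong case): refuse it
            # rather than silently storing a value other components cannot parse.
            errors.append((ref, 'malformed SID'))
        elif ref.lower() in local_present:
            errors.append((ref, 'already a member'))
        else:
            to_add_local.append(ref.lower())
    return to_add_local, to_add_external, errors


if __name__ == '__main__':
    # Constructed sample input; the SIDs are made up for this example.
    print(classify_members(
        ['Admins', 'S-1-5-21-1-2-3-1013', 'bob',
         'S-1-5-21-1-2-3-500', 's-1-5-21-1-2-3-7'],
        ['admins'],
        ['S-1-5-21-1-2-3-500']))
```

Note that the duplicate check for SIDs is case-sensitive on purpose even though ipaExternalMember is a case-insensitive attribute in the directory: a reference that reaches that branch has already passed the format check, so its case is fixed, and nothing in the pipeline ever rewrites it.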
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 28 Jun 2012 17:07:00 +0200 Subject: [Freeipa-devel] [PATCH] [WIP] 281 Enable SOA serial autoincrement Message-ID: <4FEC7314.9030508@redhat.com> This patch enables the currently developed SOA serial autoincrement feature in bind-dyndb-ldap. The patch may be updated if any assumptions about this feature are changed (or somebody finds a bug). --- SOA serial autoincrement is a requirement for major DNS features, e.g. zone transfers or DNSSEC. Enable it by default in named.conf both for new and upgraded installations. Name of the bind-dyndb-ldap option is "serial_autoincrement". From now on, the idnsSOAserial attribute also has to be put on the replication agreement exclude list as the serial will be incremented on each DNS server separately and won't be shared. The exclude list has to be updated both for new replication agreements and the current ones. https://fedorahosted.org/freeipa/ticket/2554 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-281-enable-soa-serial-autoincrement.patch Type: text/x-patch Size: 19545 bytes Desc: not available URL: From jdennis at redhat.com Thu Jun 28 18:50:33 2012
From: jdennis at redhat.com (John Dennis) Date: Thu, 28 Jun 2012 14:50:33 -0400 Subject: [Freeipa-devel] test_changepw is failing on master Message-ID: <4FECA779.6050601@redhat.com> tests/test_ipaserver/test_changepw.py is failing on master. Could someone who is familiar with the code take a look and see what's wrong. Thanks, John ====================================================================== FAIL: tests.test_ipaserver.test_changepw.test_changepw.test_invalid_auth ---------------------------------------------------------------------- Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/nose/case.py", line 197, in runTest self.test(*self.arg) File "/home/jdennis/src/freeipa.ref/tests/test_ipaserver/test_changepw.py", line 86, in test_invalid_auth assert_equal(response.getheader('X-IPA-Pwchange-Result'), 'invalid-password') File "/home/jdennis/src/freeipa.ref/tests/util.py", line 107, in assert_equal assert val1 == val2, '%r != %r' % (val1, val2) AssertionError: 'error' != 'invalid-password' ====================================================================== FAIL: tests.test_ipaserver.test_changepw.test_changepw.test_pwpolicy_error ---------------------------------------------------------------------- Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/nose/case.py", line 197, in runTest self.test(*self.arg) File "/home/jdennis/src/freeipa.ref/tests/test_ipaserver/test_changepw.py", line 95, in test_pwpolicy_error assert_equal(response.getheader('X-IPA-Pwchange-Result'), 'policy-error') File "/home/jdennis/src/freeipa.ref/tests/util.py", line 107, in assert_equal assert val1 == val2, '%r != %r' % (val1, val2) AssertionError: 'error' != 'policy-error' ====================================================================== FAIL: tests.test_ipaserver.test_changepw.test_changepw.test_pwpolicy_success ---------------------------------------------------------------------- Traceback (most recent call last): File 
"/usr/lib/python2.7/site-packages/nose/case.py", line 197, in runTest self.test(*self.arg) File "/home/jdennis/src/freeipa.ref/tests/test_ipaserver/test_changepw.py", line 106, in test_pwpolicy_success assert_equal(response.getheader('X-IPA-Pwchange-Result'), 'ok') File "/home/jdennis/src/freeipa.ref/tests/util.py", line 107, in assert_equal assert val1 == val2, '%r != %r' % (val1, val2) AssertionError: 'error' != 'ok' ---------------------------------------------------------------------- Ran 4 tests in 31.398s FAILED (failures=3) ====================================================================== FAILED under '/usr/bin/python2.7' -- John Dennis Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From edewata at redhat.com Thu Jun 28 19:30:15 2012 From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 28 Jun 2012 14:30:15 -0500 Subject: [Freeipa-devel] [PATCH] 163 Refactored association facet to use facet buttons with actions In-Reply-To: <4FEB32AB.7050409@redhat.com> References: <4FEB32AB.7050409@redhat.com> Message-ID: <4FECB0C7.2080601@redhat.com> On 6/27/2012 11:19 AM, Petr Vobornik wrote: > Association facet was refactored to use new concept of control buttons. > It is the last facet type which don't use this concept. > It fixes regression introduced by previous refactoring of table facet > (delete button was never enabled). > > https://fedorahosted.org/freeipa/ticket/2876 ACK. -- Endi S. Dewata From edewata at redhat.com Thu Jun 28 19:30:40 2012 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 28 Jun 2012 14:30:40 -0500 Subject: [Freeipa-devel] [PATCH] 164 Continuation of removing of not supported command options from Web UI In-Reply-To: <4FEB333A.2060803@redhat.com> References: <4FEB333A.2060803@redhat.com> Message-ID: <4FECB0E0.4090506@redhat.com> On 6/27/2012 11:22 AM, Petr Vobornik wrote: > This patch removes following non-existing command options: > * all,rights in host_disable > * record_type in dns_record_add > * all,rights in various xxx_remove_xxx commands used in > rule_association_table_field (removing association) > > https://fedorahosted.org/freeipa/ticket/2878 ACK. -- Endi S. Dewata From edewata at redhat.com Thu Jun 28 20:35:18 2012 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 28 Jun 2012 15:35:18 -0500 Subject: [Freeipa-devel] [PATCH] 162 Web UI password is going to expire in n days notification In-Reply-To: <4FEC6352.10505@redhat.com> References: <4FE9CB2A.70704@redhat.com> <4FEA67CB.2060205@redhat.com> <4FEB19B6.2070408@redhat.com> <4FEC6352.10505@redhat.com> Message-ID: <4FECC006.9070608@redhat.com> On 6/28/2012 8:59 AM, Petr Vobornik wrote: > On 06/27/2012 04:33 PM, Petr Vobornik wrote: >> On 06/27/2012 03:54 AM, Endi Sukma Dewata wrote: >>> On 6/26/2012 9:46 AM, Petr Vobornik wrote: >>>> This patch is more like a draft. >>>> >>>> I'm not sure where to display the 'password is going to expire' >>>> notification. >>>> >>>> I was deciding between: >>>> 1) red bold text in Web UI header >>>> 2) popup dialog after Web UI initialization >>>> >>>> I don't like unwanted pop-up dialogs so I used the first option. >>> >>> If we only support 1 short message I'd prefer option #1. Some users >>> might not want to reset the password immediately, so they need to be >>> constantly reminded about the password expiration. >>> >>> If the message is too long, or we want to support multiple messages (not >>> just for password expiration), we can show a message icon like in the >>> upper right corner of Fedora desktop. When you click it it will open a >>> dialog box listing all messages. In this dialog you can delete each >>> message. The icon will disappear only if there's no message left. >>> >>>> I didn't make a 'password reset link' because it is done in user's >>>> detail page and a link there is right next to this notification. >>> >>> I'd say the message should include a link, something like this: >>> >>> Your password will expire in n days. [Reset your password]. >>> >>> The link is important because: >>> >>> * Without the link the message doesn't tell you what to do or how >>> to reset the password.
>>> * Users might not realize that the [Logged In As: ] is a link >>> that can bring them to their profile page. >>> * Even if they're in the right page, they might not know there's a >>> reset password link in the action panel. >>> >>> The [Reset your password] link can open the Password Reset dialog for >>> the current user, regardless of the current page. To avoid confusion the >>> dialog probably should be changed to show the username of the user being >>> updated. >>> >>> What do you think? >>> >> >> I like it. >> >> I'll add the reset link next to the message. If we encounter more cases >> we can move it to the notification icon functionality. >> >> I found more non-existing options used and also #2876. I'll return to >> this ticket when I fix these regressions. >> > Here's an updated version. > > It displays the warning with the reset link next to it. I slightly modified > user_password_dialog to be usable alone. ACK. I have some suggestions below. The reset link probably should be blue to be consistent with the other links, but maybe it doesn't go well with the dark background. Or you can make the link red (and the whole message clickable) to make sure it's clear that it's part of the error message, not a permanent part of the UI like the "Logged in as". Or make the link message more explicit: "Click here to reset your password." When you reset the password, a confirmation dialog will appear on top of the password reset dialog. I think in general we should avoid nesting dialogs. So the password dialog should be closed first, then open the confirmation/error dialog. The password dialog can be reopened if something goes wrong. Btw, the style of the confirmation dialog is different from the other dialogs. Is this intentional? One thing I noticed also, when you log in with an expired password, after you reset the password it will briefly show the login page again before showing the UI. I think the login dialog should close immediately once you click the button. -- Endi S.
Dewata From edewata at redhat.com Thu Jun 28 20:47:27 2012 From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 28 Jun 2012 15:47:27 -0500 Subject: [Freeipa-devel] [PATCH] 165 Display loginas information only after login In-Reply-To: <4FEC6506.7050205@redhat.com> References: <4FEC6506.7050205@redhat.com> Message-ID: <4FECC2DF.4030200@redhat.com> On 6/28/2012 9:07 AM, Petr Vobornik wrote: > Message 'Logged in as: user at FREEIPA.ORG' was displayed before user was > logged in. It was wrong. > > Now 'Logged in as: XXX' is displayed only when user XXX is logged in. So > no more user at FREEIPA.ORG :) . > > https://fedorahosted.org/freeipa/ticket/2882 It might be better to use visibility instead of display to reserve the space. Right now the password expiration warning will initially appear on the right, then shift to the left when the "Logged in as" appears. -- Endi S. Dewata From mkosek at redhat.com Fri Jun 29 06:44:40 2012 
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 29 Jun 2012 08:44:40 +0200 Subject: [Freeipa-devel] test_changepw is failing on master In-Reply-To: <4FECA779.6050601@redhat.com> References: <4FECA779.6050601@redhat.com> Message-ID: <1340952280.13966.2.camel@priserak> This is most likely caused by an old SELinux policy for which I reported a bug and which should be resolved by now. You could confirm this in /var/log/audit/audit.log. What is the version of your selinux-policy package? I retested this issue with selinux-policy-3.10.0-132.fc17.noarch and it worked for me without any error. If this is not a SELinux failure, /var/log/httpd/error_log should contain more information about what failed. Thanks, Martin On Thu, 2012-06-28 at 14:50 -0400, John Dennis wrote: > tests/test_ipaserver/test_changepw.py is failing on master. Could > someone who is familiar with the code take a look and see what's wrong. > > Thanks, > > John > > ====================================================================== > > > > FAIL: tests.test_ipaserver.test_changepw.test_changepw.test_invalid_auth > > > > ---------------------------------------------------------------------- > > > > Traceback (most recent call last): > > > > File "/usr/lib/python2.7/site-packages/nose/case.py", line 197, in > runTest > > > self.test(*self.arg) > > > > File > "/home/jdennis/src/freeipa.ref/tests/test_ipaserver/test_changepw.py", > line 86, in test_invalid_auth > > > assert_equal(response.getheader('X-IPA-Pwchange-Result'), > 'invalid-password') > > > File "/home/jdennis/src/freeipa.ref/tests/util.py", line 107, in > assert_equal > > > assert val1 == val2, '%r != %r' % (val1, val2) > > > > AssertionError: 'error' != 'invalid-password' > > > > > > > > ====================================================================== > > > > FAIL: > tests.test_ipaserver.test_changepw.test_changepw.test_pwpolicy_error > > > > ---------------------------------------------------------------------- > > > > Traceback (most
recent call last): > > > > File "/usr/lib/python2.7/site-packages/nose/case.py", line 197, in > runTest > > > self.test(*self.arg) > > > > File > "/home/jdennis/src/freeipa.ref/tests/test_ipaserver/test_changepw.py", > line 95, in test_pwpolicy_error > > > assert_equal(response.getheader('X-IPA-Pwchange-Result'), > 'policy-error') > > > File "/home/jdennis/src/freeipa.ref/tests/util.py", line 107, in > assert_equal > > > assert val1 == val2, '%r != %r' % (val1, val2) > > > > AssertionError: 'error' != 'policy-error' > > > > > > > > ====================================================================== > > > > FAIL: > tests.test_ipaserver.test_changepw.test_changepw.test_pwpolicy_success > > > > ---------------------------------------------------------------------- > > > > Traceback (most recent call last): > > > > File "/usr/lib/python2.7/site-packages/nose/case.py", line 197, in > runTest > > > self.test(*self.arg) > > > > File > "/home/jdennis/src/freeipa.ref/tests/test_ipaserver/test_changepw.py", > line 106, in test_pwpolicy_success > > > assert_equal(response.getheader('X-IPA-Pwchange-Result'), 'ok') > > > > File "/home/jdennis/src/freeipa.ref/tests/util.py", line 107, in > assert_equal > > > assert val1 == val2, '%r != %r' % (val1, val2) > > > > AssertionError: 'error' != 'ok' > > > > > > > > ---------------------------------------------------------------------- > > > > Ran 4 tests in 31.398s > > > > > > > > FAILED (failures=3) > > > > ====================================================================== > > > > FAILED under '/usr/bin/python2.7' > From sbose at redhat.com Fri Jun 29 09:03:02 2012 
From: sbose at redhat.com (Sumit Bose) Date: Fri, 29 Jun 2012 11:03:02 +0200 Subject: [Freeipa-devel] [PATCH] Use lower case names in LDAP to meet freeIPA convention Message-ID: <20120629090302.GB922@localhost.localdomain> Hi, Alexander discovered that the sidgen plugin does not add the objectclasses with lower case as expected by other freeIPA components. The patch sets all LDAP names to lower case to be on the safe side. bye, Sumit -------------- next part -------------- From f8aca6c3516a34490a14c864c70f2b4bbaf58041 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Fri, 29 Jun 2012 10:58:04 +0200 Subject: [PATCH] Use lower case names in LDAP to meet freeIPA convention --- daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h | 22 ++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h index 2c488435a03fe8bfc36ce7e4396e87d5b488e1c1..cfb624bde5750d406d631cb1c250c08d1a4366a2 100644 --- a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h +++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h
@@ -42,17 +42,17 @@ #define OBJECTCLASS "objectclass" #define IPA_OBJECT "ipaobject" -#define MEP_MANAGED_ENTRY "mepManagedEntry" -#define UID_NUMBER "uidNumber" -#define GID_NUMBER "gidNumber" -#define IPA_SID "ipaNTSecurityIdentifier" -#define DOM_ATTRS_FILTER OBJECTCLASS"=ipaNTDomainAttrs" -#define DOMAIN_ID_RANGE_FILTER OBJECTCLASS"=ipaDomainIDRange" -#define POSIX_ACCOUNT "posixAccount" -#define POSIX_GROUP "posixGroup" -#define IPA_ID_OBJECT "ipaIDObject" -#define IPANT_USER_ATTRS "ipaNTUserAttrs" -#define IPANT_GROUP_ATTRS "ipaNTGroupAttrs" +#define MEP_MANAGED_ENTRY "mepmanagedentry" +#define UID_NUMBER "uidnumber" +#define GID_NUMBER "gidnumber" +#define IPA_SID "ipantsecurityidentifier" +#define DOM_ATTRS_FILTER OBJECTCLASS"=ipantdomainattrs" +#define DOMAIN_ID_RANGE_FILTER OBJECTCLASS"=ipadomainidrange" +#define POSIX_ACCOUNT "posixaccount" +#define POSIX_GROUP "posixgroup" +#define IPA_ID_OBJECT "ipaidobject" +#define IPANT_USER_ATTRS "ipantuserattrs" +#define IPANT_GROUP_ATTRS "ipantgroupattrs" #define IPA_DNA_MAGIC 999 -- 1.7.10.2 From abokovoy at redhat.com Fri Jun 29 09:13:56 2012 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 29 Jun 2012 12:13:56 +0300 Subject: [Freeipa-devel] [PATCH] Use lower case names in LDAP to meet freeIPA convention In-Reply-To: <20120629090302.GB922@localhost.localdomain> References: <20120629090302.GB922@localhost.localdomain> Message-ID: <20120629091356.GH6687@redhat.com> On Fri, 29 Jun 2012, Sumit Bose wrote: >Hi, > >Alexander discovered that the sidgen plugin does not add the >objectclasses with lower case as expected by other freeIPA components. >The patch sets all LDAP names to lower case to be on the safe side. ACK. -- / Alexander Bokovoy From mkosek at redhat.com Fri Jun 29 10:02:04 2012 
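Review bot: lowercasing these constants keeps the writes and the two search filters (DOM_ATTRS_FILTER, DOMAIN_ID_RANGE_FILTER) working, since the directory server matches attribute types and objectclass names case-insensitively, but it does not by itself protect any in-memory comparison inside the plugin: if a code path compares one of these macros (POSIX_ACCOUNT, IPANT_USER_ATTRS, MEP_MANAGED_ENTRY) with strcmp against objectclass or attribute-type strings read back from entries that other components wrote in the original camel-case spelling, those entries stop matching after this change, so such comparisons should use strcasecmp or slapi_attr_type_cmp. A one-line comment above the block stating that the names are intentionally lower case to match the rest of freeIPA would also stop a later cleanup from restoring the mixed-case spelling.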
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 29 Jun 2012 12:02:04 +0200 Subject: [Freeipa-devel] [PATCH] Use lower case names in LDAP to meet freeIPA convention In-Reply-To: <20120629091356.GH6687@redhat.com> References: <20120629090302.GB922@localhost.localdomain> <20120629091356.GH6687@redhat.com> Message-ID: <1340964124.18691.0.camel@priserak> On Fri, 2012-06-29 at 12:13 +0300, Alexander Bokovoy wrote: > On Fri, 29 Jun 2012, Sumit Bose wrote: > >Hi, > > > >Alexander discovered that the sidgen plugin does not add the > >objectclasses with lower case as expected by other freeIPA components. > >The patch sets all LDAP names to lower case to be on the safe side. > ACK. > Pushed to master. Martin From pvoborni at redhat.com Fri Jun 29 10:05:28 2012 From: pvoborni at redhat.com (Petr Vobornik) Date: Fri, 29 Jun 2012 12:05:28 +0200 Subject: [Freeipa-devel] [PATCH] 164 Continuation of removing of not supported command options from Web UI In-Reply-To: <4FECB0E0.4090506@redhat.com> References: <4FEB333A.2060803@redhat.com> <4FECB0E0.4090506@redhat.com> Message-ID: <4FED7DE8.50801@redhat.com> On 06/28/2012 09:30 PM, Endi Sukma Dewata wrote: > On 6/27/2012 11:22 AM, Petr Vobornik wrote: >> This patch removes following non-existing command options: >> * all,rights in host_disable >> * record_type in dns_record_add >> * all,rights in various xxx_remove_xxx commands used in >> rule_association_table_field (removing association) >> >> https://fedorahosted.org/freeipa/ticket/2878 > > ACK. > Pushed to master. -- Petr Vobornik From pvoborni at redhat.com Fri Jun 29 10:05:39 2012 
From: pvoborni at redhat.com (Petr Vobornik) Date: Fri, 29 Jun 2012 12:05:39 +0200 Subject: [Freeipa-devel] [PATCH] 163 Refactored association facet to use facet buttons with actions In-Reply-To: <4FECB0C7.2080601@redhat.com> References: <4FEB32AB.7050409@redhat.com> <4FECB0C7.2080601@redhat.com> Message-ID: <4FED7DF3.6090408@redhat.com> On 06/28/2012 09:30 PM, Endi Sukma Dewata wrote: > On 6/27/2012 11:19 AM, Petr Vobornik wrote: >> Association facet was refactored to use the new concept of control buttons. >> It is the last facet type which doesn't use this concept. >> It fixes a regression introduced by previous refactoring of table facet >> (delete button was never enabled). >> >> https://fedorahosted.org/freeipa/ticket/2876 > > ACK. > Pushed to master. -- Petr Vobornik From pvoborni at redhat.com Fri Jun 29 10:36:10 2012
From: pvoborni at redhat.com (Petr Vobornik) Date: Fri, 29 Jun 2012 12:36:10 +0200 Subject: [Freeipa-devel] [PATCH] 162 Web UI password is going to expire in n days notification In-Reply-To: <4FECC006.9070608@redhat.com> References: <4FE9CB2A.70704@redhat.com> <4FEA67CB.2060205@redhat.com> <4FEB19B6.2070408@redhat.com> <4FEC6352.10505@redhat.com> <4FECC006.9070608@redhat.com> Message-ID: <4FED851A.6070704@redhat.com> On 06/28/2012 10:35 PM, Endi Sukma Dewata wrote: > > ACK. I have some suggestions below. Pushed to master. > > The reset link probably should be blue to be consistent with the other > links, but maybe it doesn't go well with dark background. Or you can > make the link red (and the whole message clickable) to make sure it's > clear that it's part of the error message, not a permanent part of the > UI like the "Logged in as". Or make the link message more explicit: > "Click here to reset your password." I tried the blue and indeed it doesn't go well with dark background. I will think about the other options. > > When you reset the password, a confirmation dialog will appear on top of > the password reset dialog. I think in general we should avoid nesting > dialog. So the password dialog should be closed first then open the > confirmation/error dialog. The password dialog can be reopened if > something goes wrong. Also the same type of dialog is used for validation. And I completely agree we should change it. In gnome shell you have to move the mouse a lot. Also it pauses execution of scripts so the page can't update in the background when the user is reading the message. https://fedorahosted.org/freeipa/ticket/2884 > > Btw, the style of the confirmation dialog is different from the other > dialog. Is this intentional? It's a plain JavaScript alert dialog. I looked in git log and it's there from the beginning. > > One thing I noticed also, when you login with expired password, after > you reset the password it will briefly show the login page again before > showing the UI.
I think the login dialog should close immediately once > you click the button. > In my environment it's usually so fast I can't notice it. I have to try it on slower machine or in vm to see how annoying it can be. -- Petr Vobornik From pviktori at redhat.com Fri Jun 29 11:46:18 2012 From: pviktori at redhat.com (Petr Viktorin) Date: Fri, 29 Jun 2012 13:46:18 +0200 Subject: [Freeipa-devel] [PATCH] 0067 Explicitly filter options that permission-{add, mod} passes to aci-{add, mod} Message-ID: <4FED958A.2010504@redhat.com> The permission commands were not filtering their options properly before passing them to the underlying ACI commands. This upset the new input validation when --addattr/--setattr was used. This patch adds a filter that only lets options listed in aci_attributes through to the ACI commands. https://fedorahosted.org/freeipa/ticket/2885 -- Petr³ -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0067-Explicitly-filter-options-that-permission-add-mod-pa.patch Type: text/x-patch Size: 7055 bytes Desc: not available URL: From sbose at redhat.com Fri Jun 29 12:17:32 2012
From: sbose at redhat.com (Sumit Bose) Date: Fri, 29 Jun 2012 14:17:32 +0200 Subject: [Freeipa-devel] [PATCHES] 22-24 Add initial support for ID ranges In-Reply-To: <20120627191935.GL29454@localhost.localdomain> References: <20120613191726.GI20850@localhost.localdomain> <1339634303.8230.634.camel@willson.li.ssimo.org> <20120614103538.GJ20850@localhost.localdomain> <1339674880.8230.674.camel@willson.li.ssimo.org> <20120614122501.GK20850@localhost.localdomain> <20120617194720.GB29454@localhost.localdomain> <20120626103014.GC29454@localhost.localdomain> <20120627191935.GL29454@localhost.localdomain> Message-ID: <20120629121731.GC922@localhost.localdomain> On Wed, Jun 27, 2012 at 09:19:36PM +0200, Sumit Bose wrote: > On Tue, Jun 26, 2012 at 12:30:14PM +0200, Sumit Bose wrote: > > On Sun, Jun 17, 2012 at 09:47:20PM +0200, Sumit Bose wrote: > > > On Thu, Jun 14, 2012 at 02:25:01PM +0200, Sumit Bose wrote: > > > > On Thu, Jun 14, 2012 at 07:54:40AM -0400, Simo Sorce wrote: > > > > > On Thu, 2012-06-14 at 12:35 +0200, Sumit Bose wrote: > > > > > > On Wed, Jun 13, 2012 at 08:38:23PM -0400, Simo Sorce wrote: > > > > > > > On Wed, 2012-06-13 at 21:17 +0200, Sumit Bose wrote: > > > > > > > > > > > > > > > > to keep track of the different ranges we use for UIDs/GIDs for local > > > > > > > > users/groups and users from trusted domains new range objects are > > > > > > > > introduced which are stored below cn=range,cn=etc,$SUFFIX. > > > > > > > > > > > > > > > > 0022: LDAP schema update > > > > > > > > > > > > > > ack > > > > > > > > > > > > > > > 0023: Create a range object during installation for the local ID range > > > > > > > > > > > > > > nack, I think we need to find a way to handle adding at least the base > > > > > > > range on update. Otherwise an updated server won't be able to have IDs > > > > > > > for most of its users.
> > > > > > > > > > > > I fully agree, but since we said that we concentrate on update issues in > > > > > > beta2 I wanted to send the version for the fresh install first to allow > > > > > > testing. > > > > > > > > > > The reason I'd like updates is that this patchset can be installed on > > > > > top of existing servers for testing w/o having to reinstall from scratch > > > > > or manually creating the ipaDomainIDRange object :):) > > > > > > > > ok, will do. > > > > > > > > Do you otherwise agree with the patches or is there something I should > > > > change while adding the updates? > > > > > > > > bye, > > > > Sumit > > > > > > > > > > > > > > > > > > > > > > > > 0024: add primary and secondary RID base to the local range object > > > > > > > > during ipa-adtrust-install > > > > > > > > > > > > > > Not sure if setting the range belongs in the previous patch or this one. > > > > > > > > > > > > I think it is right here, because a plain IPA server does not need the > > > > > > RID related attributes. > > > > > > > > > > > > > We might decide to ask questions during ipa-adtrust-install if the range > > > > > > > is not available, maybe presenting a set of pre-canned choices if we can > > > > > > > detect them. > > > > > > > > > > > > I agree here, too. But as above I would like to handle update issues > > > > > > in a second round. > > > > > > > > > > > > > > > > > > > > Finally I think we need to do a search with uid/gidNumber < base and > > > > > > > uid/gidNumber > max and prompt/warn the user if we detect any ID the > > > > > > > falls outside the configured range (either because we failed to detect > > > > > > > ranges on upgrade and the user botched the question or because the admin > > > > > > > added arbitrary IDs. > > > > > > > If a warning we should warn that missing a range that suitably covers > > > > > > > these IDs, those users/groups will not be available for the trust.
> > > > > > > > > > > > > > > Maybe we should also have a simple ipa command that can list all > > > > > > > users/groups that fall outside the ranges as well. > > > > > > > > > > > > I'm working on the ranges cli plugin to allow 'ipa range-add', 'ipa > > > > > > range-find' etc. I can add it there. > > > > > > > > > > > > Hi, > > > > > > this new series of patches adds the cli plugin to create the ID ranges > > > manually. I'm still working on a detection of the locally used id range > > > of an upgraded domain in ipa-adtrust-install and a plugin which rejects > > > new ranges which overlap with existing ones. > > > > > > bye, > > > Sumit > > > > the attached patch adds a preop plugin which checks for overlaps with > > existing ranges. > > > > bye, > > Sumit > > Finally I added a method to guess and create the initial ID range, if none > is present, e.g. when updating from an older version of freeIPA. A > full series of patches is attached. > > bye, > Sumit This version of patches fixes review comments by Alexander and also adds some tests for the range CLI plugin which were kindly provided by Alexander. bye, Sumit -------------- next part -------------- From 4418d6508477e68b23f3e58e79af55b97aae6051 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Mon, 11 Jun 2012 18:31:36 +0200 Subject: [PATCH 1/5] Extend LDAP schema The objectclass ipaIDobject can be used to reserve local UIDs, GIDs or SIDs for objects that are neither users nor groups. The ipa*IDRange objectclasses will be used to store the used Posix ID ranges of the local domains (ipaDomainIDRange) or the ranges reserved for AD domains (ipaTrustedADDomainRange). To be able to map the Posix IDs to a RID and back the corresponding ranges can be saved here as well. --- install/share/60basev3.ldif | 8 ++++++++ 1 file changed, 8 insertions(+)
diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif index 2c24137b0dc39f215ed0e4b97079ffce0ec630d3..03561d13f45768006eb22e3dc00f41f35944dc56 100644 --- a/install/share/60basev3.ldif +++ b/install/share/60basev3.ldif 
@@ -29,6 +29,10 @@ attributeTypes: ( 2.16.840.1.113730.3.8.11.21 NAME 'ipaAllowToImpersonate' DESC attributeTypes: ( 2.16.840.1.113730.3.8.11.22 NAME 'ipaAllowedTarget' DESC 'Target principals alowed to get a ticket for' SUP distinguishedName X-ORIGIN 'IPA-v3') attributeTypes: (2.16.840.1.113730.3.8.11.30 NAME 'ipaSELinuxUser' DESC 'An SELinux user' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3') attributeTypes: (2.16.840.1.113730.3.8.11.31 NAME 'ipaSshPubKey' DESC 'SSH public key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v3' ) +attributeTypes: (2.16.840.1.113730.3.8.11.33 NAME 'ipaBaseID' DESC 'First value of a Posix ID range' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' ) +attributeTypes: (2.16.840.1.113730.3.8.11.34 NAME 'ipaIDRangeSize' DESC 'Size of a Posix ID range' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' ) +attributeTypes: (2.16.840.1.113730.3.8.11.35 NAME 'ipaBaseRID' DESC 'First value of a RID range' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' ) +attributeTypes: (2.16.840.1.113730.3.8.11.36 NAME 'ipaSecondaryBaseRID' DESC 'First value of a secondary RID range' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup' SUP top STRUCTURAL MUST ( cn ) MAY ( ipaExternalMember $ memberOf $ description $ owner) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.2 NAME 'ipaNTUserAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) MAY ( ipaNTHash $ ipaNTLogonScript $ ipaNTProfilePath $ ipaNTHomeDirectory $ ipaNTHomeDirectoryDrive ) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.3 NAME 
'ipaNTGroupAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' ) @@ -40,3 +44,7 @@ objectClasses: (2.16.840.1.113730.3.8.12.10 NAME 'ipaSELinuxUserMap' SUP ipaAsso objectClasses: (2.16.840.1.113730.3.8.12.11 NAME 'ipaSshGroupOfPubKeys' ABSTRACT MAY ipaSshPubKey X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.12 NAME 'ipaSshUser' SUP ipaSshGroupOfPubKeys AUXILIARY X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.13 NAME 'ipaSshHost' SUP ipaSshGroupOfPubKeys AUXILIARY X-ORIGIN 'IPA v3' ) +objectClasses: (2.16.840.1.113730.3.8.12.14 NAME 'ipaIDobject' SUP top AUXILIARY MAY ( uidNumber $ gidNumber $ ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' ) +objectClasses: (2.16.840.1.113730.3.8.12.15 NAME 'ipaIDrange' ABSTRACT MUST ( cn $ ipaBaseID $ ipaIDRangeSize ) X-ORIGIN 'IPA v3' ) +objectClasses: (2.16.840.1.113730.3.8.12.16 NAME 'ipaDomainIDRange' SUP ipaIDrange STRUCTURAL MAY ( ipaBaseRID $ ipaSecondaryBaseRID ) X-ORIGIN 'IPA v3' ) +objectClasses: (2.16.840.1.113730.3.8.12.17 NAME 'ipaTrustedADDomainRange' SUP ipaIDrange STRUCTURAL MUST ( ipaBaseRID $ ipaNTTrustedDomainSID ) X-ORIGIN 'IPA v3' ) -- 1.7.10.2 -------------- next part -------------- From 92ead2bc9cebb3db5859ea129a8ee3fb8f8aa4ba Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Tue, 12 Jun 2012 11:58:41 +0200 Subject: [PATCH 2/5] Add objects for initial ID range --- install/share/bootstrap-template.ldif | 14 ++++++++++++++ install/updates/62-ranges.update | 13 +++++++++++++ install/updates/Makefile.am | 1 + ipaserver/install/dsinstance.py | 1 + 4 files changed, 29 insertions(+) create mode 100644 install/updates/62-ranges.update diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif index 149b6c9b29c6fd363eb7baccd9648d49c260ff85..ece48f80fef7e6162d723c93407895202dabfad9 100644 --- a/install/share/bootstrap-template.ldif +++ b/install/share/bootstrap-template.ldif
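Review bot: in the 60basev3.ldif hunk of patch 1, ipaBaseID (11.33) and ipaIDRangeSize (11.34) are defined with `EQUALITY integerMatch` only, while ipaBaseRID and ipaSecondaryBaseRID right below them also carry `ORDERING integerOrderingMatch`. Without an ordering rule the directory server cannot evaluate `(ipaBaseID<=N)` or `(ipaBaseID>=N)` filters, which is exactly the query a range lookup by ID or a server-side overlap search needs; the range CLI's `--base-id` search option would likewise only support exact matches. Suggest adding `ORDERING integerOrderingMatch` to both attributes so all four numeric range attributes are defined the same way. While here, 'Posix' in the DESC strings is usually written POSIX, matching the rest of the schema file.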
@@ -409,3 +409,17 @@ objectClass: top objectClass: nsContainer cn: usermap +dn: cn=ranges,cn=etc,$SUFFIX +changetype: add +objectClass: top +objectClass: nsContainer +cn: ranges + +dn: cn=$REALM_id_range,cn=ranges,cn=etc,$SUFFIX +changetype: add +objectClass: top +objectClass: ipaIDrange +objectClass: ipaDomainIDRange +cn: $REALM_id_range +ipaBaseID: $IDSTART +ipaIDRangeSize: $IDRANGE_SIZE diff --git a/install/updates/62-ranges.update b/install/updates/62-ranges.update new file mode 100644 index 0000000000000000000000000000000000000000..42c1e2a98b8b64164ae9ae0292aa7b91beac2b26 --- /dev/null +++ b/install/updates/62-ranges.update 
@@ -0,0 +1,13 @@ +dn: cn=schema +add:attributeTypes: (2.16.840.1.113730.3.8.11.33 NAME 'ipaBaseID' DESC 'First value of a Posix ID range' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' ) +add:attributeTypes: (2.16.840.1.113730.3.8.11.34 NAME 'ipaIDRangeSize' DESC 'Size of a Posix ID range' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' ) +add:attributeTypes: (2.16.840.1.113730.3.8.11.35 NAME 'ipaBaseRID' DESC 'First value of a RID range' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' ) +add:attributeTypes: (2.16.840.1.113730.3.8.11.36 NAME 'ipaSecondaryBaseRID' DESC 'First value of a secondary RID range' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' ) +add:objectClasses: (2.16.840.1.113730.3.8.12.15 NAME 'ipaIDrange' ABSTRACT MUST ( cn $$ ipaBaseID $$ ipaIDRangeSize ) X-ORIGIN 'IPA v3' ) +add:objectClasses: (2.16.840.1.113730.3.8.12.16 NAME 'ipaDomainIDRange' SUP ipaIDrange STRUCTURAL MAY ( ipaBaseRID $$ ipaSecondaryBaseRID ) X-ORIGIN 'IPA v3' ) +add:objectClasses: (2.16.840.1.113730.3.8.12.17 NAME 'ipaTrustedADDomainRange' SUP ipaIDrange STRUCTURAL MUST ( ipaBaseRID $$ ipaNTTrustedDomainSID ) X-ORIGIN 'IPA v3' ) + +dn: cn=ranges,cn=etc,$SUFFIX +default: obectClass: top +default: objectClass: nsContainer +default: cn: ranges diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am index 412630e4e6d13167e2c0ae17c54f8ad84a4797fa..e45690f14c41dbd9eb10b5969ee14a257b8c7883 100644 --- a/install/updates/Makefile.am +++ b/install/updates/Makefile.am @@ -35,6 +35,7 @@ app_DATA = \ 55-pbacmemberof.update \ 60-trusts.update \ 61-trusts-s4u2proxy.update \ + 62-ranges.update \ $(NULL) EXTRA_DIST = \ 
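Review bot: `default: obectClass: top` in the 62-ranges.update hunk is misspelled; on upgrade the updater would try to add an attribute named obectClass to cn=ranges,cn=etc,$SUFFIX, which fails schema checking, so an upgraded server ends up without the container that `container_ranges` in the CLI and `find_local_id_range` in adtrustinstance.py search under. It must read `default: objectClass: top`. The same hunk also omits the ipaIDobject objectclass (2.16.840.1.113730.3.8.12.14) that the 60basev3.ldif hunk adds, yet `find_local_id_range` filters on `(objectclass=ipaIDObject)` and the sidgen plugin defines IPA_ID_OBJECT; add it to the cn=schema block so fresh installs and upgrades carry the same schema. The `$$` escaping of `$` in the objectClasses lines is correct for the update file format and is the one thing that differs from the ldif copy, which is why the two should be kept in sync by hand.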
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index fb620a82e0d432d50e6c40ab8a7053ced153965a..93c6b50c274506949d1cdb81ad952141de10dab1 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -313,6 +313,7 @@ class DsInstance(service.Service): IDMAX=self.idmax, HOST=self.fqdn, ESCAPED_SUFFIX= escape_dn_chars(self.suffix.lower()), GROUP=DS_GROUP, + IDRANGE_SIZE=self.idmax-self.idstart+1 ) def __create_ds_user(self): -- 1.7.10.2 -------------- next part -------------- From db6922f8ff0cea05bb8f7217df373a6fd6ebc856 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Tue, 12 Jun 2012 17:53:36 +0200 Subject: [PATCH 3/5] Set RID bases for local domain during ipa-adtrust-install --- install/tools/ipa-adtrust-install | 10 +++- ipaserver/install/adtrustinstance.py | 88 +++++++++++++++++++++++++++++++++- 2 files changed, 96 insertions(+), 2 deletions(-) diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install index 49bcf54e7c26c92f246c7612940d441e60a86e1f..6678018e6346d75d5042894cfb833d38079d3f21 100755 --- a/install/tools/ipa-adtrust-install +++ b/install/tools/ipa-adtrust-install @@ -48,6 +48,12 @@ def parse_options(): parser.add_option("--no-msdcs", dest="no_msdcs", action="store_true", default=False, help="Do not create DNS service records " \ "for Windows in managed DNS server") + parser.add_option("--rid-base", dest="rid_base", type=int, default=1000, + help="Start value for mapping UIDs and GIDs to RIDs") + parser.add_option("--secondary-rid-base", dest="secondary_rid_base", + type=int, default=100000000, + help="Start value of the secondary range for mapping " \ + "UIDs and GIDs to RIDs") parser.add_option("-U", "--unattended", dest="unattended", action="store_true", default=False, help="unattended installation never prompts the user")
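Review bot: the new `--rid-base` and `--secondary-rid-base` options in the ipa-adtrust-install hunk are accepted without any validation in parse_options(); a negative value, or the same value for both, is passed straight into the installer, and the only check that exists (in `__add_rid_bases`) runs after the Samba setup has started. Suggest rejecting `rid_base < 0`, `secondary_rid_base < 0` and `rid_base == secondary_rid_base` with `parser.error()` next to the option definitions, the way the other options in this file are validated, so the user gets the message before anything is modified. The option help should also say that both values are RIDs in the local domain and that the two ranges must not overlap, since the distance rule is otherwise only discoverable from the failure message.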
@@ -207,7 +213,9 @@ def main(): api.Backend.ldap2.connect(ccache) smb.setup(api.env.host, ip_address, api.env.realm, api.env.domain, - netbios_name, options.no_msdcs) + netbios_name, options.rid_base, options.secondary_rid_base, + options.no_msdcs) + smb.find_local_id_range() smb.create_instance() print """ diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py index 967b54e25e46033019a52e51b0e0b916714aac34..9646f7e7b1dc7e9954b681550d3ffa7a54a6f139 100644 --- a/ipaserver/install/adtrustinstance.py +++ b/ipaserver/install/adtrustinstance.py @@ -114,6 +114,8 @@ class ADTRUSTInstance(service.Service): self.cifs_principal = None self.cifs_agent = None self.selinux_booleans = None + self.rid_base = None + self.secondary_rid_base = None service.Service.__init__(self, "smb", dm_password=dm_password) 
@@ -174,6 +176,47 @@ class ADTRUSTInstance(service.Service): except: print "Failed to modify IPA admin group object" + def __add_rid_bases(self): + """ + Add RID bases to the range object for the local ID range. + + TODO: handle missing or multiple ranges more gracefully. + """ + + try: + res = self.admin_conn.search_s("cn=ranges,cn=etc,"+self.suffix, + ldap.SCOPE_ONELEVEL, + "(objectclass=ipaDomainIDRange)") + if len(res) != 1: + root_logger.critical("Found more than one ID range for the " \ + "local domain.") + raise RuntimeError("Too many ID ranges\n") + + if res[0].getValue('ipaBaseRID') or \ + res[0].getValue('ipaSecondaryBaseRID'): + print "RID bases already set, nothing to do" + return + + size = res[0].getValue('ipaIDRangeSize') + if abs(self.rid_base - self.secondary_rid_base) > size: + print "Primary and secondary RID base are too close. " \ + "They have to differ at least by %d." % size + raise RuntimeError("RID bases too close.\n") + + try: + self.admin_conn.modify_s(res[0].dn, + [(ldap.MOD_ADD, "ipaBaseRID", \ + str(self.rid_base)), \ + (ldap.MOD_ADD, "ipaSecondaryBaseRID", \ + str(self.secondary_rid_base))]) + except: + print "Failed to add RID bases to the local range object" + + except errors.NotFound as e: + root_logger.critical("ID range of the local domain not found, " \ + "define it and run again.") + raise e + def __create_samba_domain_object(self): try: @@ -410,12 +453,14 @@ class ADTRUSTInstance(service.Service): FQDN = self.fqdn) def setup(self, fqdn, ip_address, realm_name, domain_name, netbios_name, - no_msdcs=False, smbd_user="samba"): + rid_base, secondary_rid_base, no_msdcs=False, smbd_user="samba"): self.fqdn = fqdn self.ip_address = ip_address self.realm_name = realm_name self.domain_name = domain_name self.netbios_name = netbios_name + self.rid_base = rid_base + self.secondary_rid_base = secondary_rid_base self.no_msdcs = no_msdcs self.smbd_user = smbd_user self.suffix = ipautil.realm_to_suffix(self.realm_name) 
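Review bot: the distance check in `__add_rid_bases` is inverted and compares the wrong types. `size = res[0].getValue('ipaIDRangeSize')` is a string, and `if abs(self.rid_base - self.secondary_rid_base) > size:` rejects bases that are far apart, which is the opposite of the message printed below it ('They have to differ at least by %d'); with the defaults 1000 and 100000000 and a 200000-ID range the two RID intervals do not overlap, yet the intended logic would report them as too close, while in Python 2 the int-versus-str comparison makes the branch never fire and the `%d` formatting of a string would raise TypeError if it did. Suggest `size = int(res[0].getValue('ipaIDRangeSize'))` followed by `if abs(self.rid_base - self.secondary_rid_base) < size:`. Two smaller points in the same hunk: `len(res) != 1` also covers an empty result (search_s returns a list, as the `if self.admin_conn.search_s(...)` test in `find_local_id_range` relies on), so the no-range case logs 'Found more than one ID range' and the `except errors.NotFound` branch with the helpful message is never reached; and the bare `except:` around `modify_s` only prints, so the 'adding RID bases' step is reported as successful when the modification failed. Finally, `setup()` gains two required positional parameters in front of `no_msdcs`; any other caller that still passes `no_msdcs` positionally would silently bind it to `rid_base`, so keyword defaults would be safer.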
@@ -436,6 +481,46 @@ class ADTRUSTInstance(service.Service): self.__setup_sub_dict() + def find_local_id_range(self): + self.ldap_connect() + + if self.admin_conn.search_s("cn=ranges,cn=etc," + self.suffix, + ldap.SCOPE_ONELEVEL, + "objectclass=ipaDomainIDRange"): + return + + try: + entry = self.admin_conn.getEntry("cn=admins,cn=groups,cn=accounts," \ + + self.suffix, + ldap.SCOPE_BASE) + except errors.NotFound: + raise ValueError("No local ID range and no admins group found.\n" \ + "Add local ID range manually and try again!") + + base_id = int(entry.getValue('gidNumber')) + id_range_size = 200000 + + id_filter = "(&" \ + "(|(objectclass=posixAccount)" \ + "(objectclass=posixGroup)" \ + "(objectclass=ipaIDObject))" \ + "(|(uidNumber<=%d)(uidNumber>=%d)" \ + "(gidNumber<=%d)(gidNumner>=%d)))" % \ + ((base_id - 1), (base_id + id_range_size), + (base_id - 1), (base_id + id_range_size)) + if self.admin_conn.search_s("cn=accounts," + self.suffix, + ldap.SCOPE_SUBTREE, id_filter): + raise ValueError("There are objects with IDs out of the expected" \ + "range.\nAdd local ID range manually and try " \ + "again!") + + entry = ipaldap.Entry("cn=%s_id_range,cn=ranges,cn=etc,%s" % \ + (self.realm_name, self.suffix)) + entry.setValue('objectclass', 'ipaDomainIDRange') + entry.setValue('cn', ('%s_id_range' % self.realm_name)) + entry.setValue('ipaBaseID', str(base_id)) + entry.setValue('ipaIDRangeSize', str(id_range_size)) + self.admin_conn.addEntry(entry) def create_instance(self): 
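Review bot: the `id_filter` in `find_local_id_range` misspells the attribute in `(gidNumner>=%d)`, so objects whose gidNumber lies above the guessed range are never matched and the 'objects with IDs out of the expected range' guard silently passes for them; it must read `(gidNumber>=%d)`. The adjacent string literals `"... out of the expected" "range.\n..."` also lose the space and print 'expectedrange'. Beyond the typos, the guess itself is fragile: the range start is taken from the gidNumber of cn=admins and the size is the hard-coded 200000, whereas a fresh install records `IDRANGE_SIZE=self.idmax-self.idstart+1` from dsinstance.py; reading idstart/idmax from the DNA plugin configuration, or at least naming the 200000 in a constant with a comment on why the admins GID is assumed to be the first ID, would make the upgrade path match the install path. The entry created here also sets `objectclass` to `ipaDomainIDRange` only, while the bootstrap template lists top and ipaIDrange as well, so the two code paths produce different entries and `range_show` output differs between upgraded and freshly installed servers.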
@@ -448,6 +533,7 @@ class ADTRUSTInstance(service.Service): self.step("writing samba config file", self.__write_smb_conf) self.step("adding cifs Kerberos principal", self.__setup_principal) self.step("adding admin(group) SIDs", self.__add_admin_sids) + self.step("adding RID bases", self.__add_rid_bases) self.step("activating CLDAP plugin", self.__add_cldap_module) self.step("activating sidgen plugin and task", self.__add_sidgen_module) self.step("activating extdom plugin", self.__add_extdom_module) -- 1.7.10.2 -------------- next part -------------- From 4b4833f119f733713bee3acff2881bc830f5a942 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Wed, 13 Jun 2012 20:58:54 +0200 Subject: [PATCH 4/5] Add CLI for ID ranges --- API.txt | 52 ++++++++++++++++++ ipalib/constants.py | 1 + ipalib/plugins/range.py | 140 +++++++++++++++++++++++++++++++++++++++++++++++ test_range_plugin.py | 79 ++++++++++++++++++++++++++ 4 files changed, 272 insertions(+) create mode 100644 ipalib/plugins/range.py create mode 100644 test_range_plugin.py diff --git a/API.txt b/API.txt index daaa14025452417c4c52f4fa5050357b4f6df4e4..6f4d23340bf7d38b6b4227ce113e5d462b2ae1d4 100644 --- a/API.txt +++ b/API.txt
@@ -2367,6 +2367,58 @@ option: Str('version?', exclude='webui') output: Output('summary', (, ), None) output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('value', , None) +command: range_add +args: 1,10,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, required=True) +option: Int('ipabaseid', attribute=True, cli_name='base_id', multivalue=False, required=True) +option: Int('ipaidrangesize', attribute=True, cli_name='range_size', multivalue=False, required=True) +option: Int('ipabaserid', attribute=True, cli_name='rid_base', multivalue=False, required=True) +option: Int('ipasecondarybaserid', attribute=True, cli_name='secondary_rid_base', multivalue=False, required=False) +option: Str('ipanttrusteddomainsid', attribute=True, cli_name='dom_sid', multivalue=False, required=False) +option: Str('setattr*', cli_name='setattr', exclude='webui') +option: Str('addattr*', cli_name='addattr', exclude='webui') +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('version?', exclude='webui') +output: Output('summary', (, ), None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('value', , None) +command: range_del +args: 1,1,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=True, primary_key=True, query=True, required=True) +option: Flag('continue', autofill=True, cli_name='continue', default=False) +output: Output('summary', (, ), None) +output: Output('result', , None) +output: Output('value', , None) +command: range_find +args: 1,12,4 +arg: Str('criteria?', noextrawhitespace=False) +option: Str('cn', attribute=True, autofill=False, cli_name='name', multivalue=False, primary_key=True, query=True, required=False) +option: Int('ipabaseid', attribute=True, 
autofill=False, cli_name='base_id', multivalue=False, query=True, required=False) +option: Int('ipaidrangesize', attribute=True, autofill=False, cli_name='range_size', multivalue=False, query=True, required=False) +option: Int('ipabaserid', attribute=True, autofill=False, cli_name='rid_base', multivalue=False, query=True, required=False) +option: Int('ipasecondarybaserid', attribute=True, autofill=False, cli_name='secondary_rid_base', multivalue=False, query=True, required=False) +option: Str('ipanttrusteddomainsid', attribute=True, autofill=False, cli_name='dom_sid', multivalue=False, query=True, required=False) +option: Int('timelimit?', autofill=False, minvalue=0) +option: Int('sizelimit?', autofill=False, minvalue=0) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('version?', exclude='webui') +option: Flag('pkey_only?', autofill=True, default=False) +output: Output('summary', (, ), None) +output: ListOfEntries('result', (, ), Gettext('A list of LDAP entries', domain='ipa', localedir=None)) +output: Output('count', , None) +output: Output('truncated', , None) +command: range_show +args: 1,4,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('rights', autofill=True, default=False) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('version?', exclude='webui') +output: Output('summary', (, ), None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('value', , None) command: role_add args: 1,6,3 arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, required=True) 
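Review bot: in the `range_add` entry, `ipabaserid` is `required=True`, but the ipaDomainIDRange objectclass lists ipaBaseRID under MAY and the bootstrap template creates the local range without it, so an administrator of a plain IPA server without trust support cannot recreate the install-time range through the CLI. Either make the parameter optional in range.py (API.txt follows from that) and require it in `pre_callback` only when `ipanttrusteddomainsid` is given, or document that `range-add` is only meant for trust setups. `ipanttrusteddomainsid` is a bare `Str` with no pattern, so a malformed SID is accepted and stored and only surfaces when the trust code tries to use it; a `pattern` of the S-1-5-21-... form would catch that at the CLI. Also note that no `range_mod` is listed (it is commented out in range.py), so the only way to change a range is `ldapmodify`, which bypasses every check the add path performs.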
diff --git a/ipalib/constants.py b/ipalib/constants.py index 8f87a18eef80e9824203aedf50e29e9819ae7c18..c4ba32007f74f0b8ccc6c8c518587dbf76530217 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -104,6 +104,7 @@ DEFAULT_CONFIG = ( ('container_cifsdomains', 'cn=ad,cn=etc'), ('container_trusts', 'cn=trusts'), ('container_adtrusts', 'cn=ad,cn=trusts'), + ('container_ranges', 'cn=ranges,cn=etc'), # Ports, hosts, and URIs: # FIXME: let's renamed xmlrpc_uri to rpc_xml_uri diff --git a/ipalib/plugins/range.py b/ipalib/plugins/range.py new file mode 100644 index 0000000000000000000000000000000000000000..4448aad818ea4c9065c387e11035e165d52e4328 --- /dev/null +++ b/ipalib/plugins/range.py 
@@ -0,0 +1,140 @@ +# Authors: +# Sumit Bose +# +# Copyright (C) 2012 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +from ipalib.plugins.baseldap import * +from ipalib import api, Str, Password, DefaultFrom, _, ngettext, Object +from ipalib.parameters import Enum +from ipalib import Command +from ipalib import errors +from ipapython import ipautil +from ipalib import util + + +__doc__ = _(""" +Manage ID ranges +""") + +class range(LDAPObject): + """ + Range object. 
+ """ + + range_type = ('domain', 'ad', 'ipa') + container_dn = api.env.container_ranges + object_name = ('range') + object_name_plural = ('ranges') + object_class = ['ipaIDrange'] + possible_objectclasses = ['ipadomainidrange', 'ipatrustedaddomainrange'] + default_attributes = ['cn', 'ipabaseid', 'ipaidrangesize', 'ipabaserid', + 'ipasecondarybaserid', 'ipanttrusteddomainsid', + 'iparangetype'] + + label = _('Ranges') + label_singular = _('Range') + + takes_params = ( + Str('cn', + cli_name='name', + label=_('Range name'), + primary_key=True, + ), + Int('ipabaseid', + cli_name='base_id', + label=_("First Posix ID of the range"), + ), + Int('ipaidrangesize', + cli_name='range_size', + label=_("Number of IDs in the range"), + ), + Int('ipabaserid', + cli_name='rid_base', + label=_('First RID of the corresponding RID range'), + ), + Int('ipasecondarybaserid?', + cli_name='secondary_rid_base', + label=_('First RID of the secondary RID range'), + ), + Str('ipanttrusteddomainsid?', + cli_name='dom_sid', + label=_('Domain SID of the trusted domain'), + ), + Str('iparangetype?', + label=_('Range type'), + flags=['no_option'], + ) + ) + +class range_add(LDAPCreate): + __doc__ = _('Add new ID range.') + + msg_summary = _('Added ID range "%(value)s"') + + def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + if ('ipanttrusteddomainsid' not in options and + 'ipasecondarybaserid' not in options): + raise errors.ValidationError(name=_('Range setup'), + error=_('Ranges for local domain ' \ + 'must have a secondary RID base')) + + if 'ipanttrusteddomainsid' in options: + entry_attrs['objectclass'].append('ipatrustedaddomainrange') + else: + entry_attrs['objectclass'].append('ipadomainidrange') + + return dn + +class range_del(LDAPDelete): + __doc__ = _('Delete an ID range.') + + msg_summary = _('Deleted ID range "%(value)s"') + +class range_find(LDAPSearch): + __doc__ = _('Search for ranges.') + + msg_summary = ngettext( + '%(count)d range matched', 
'%(count)d ranges matched', 0 + ) + + # Since all range types are stored within separate containers under + # 'cn=ranges,cn=etc' search can be done on a one-level scope + def pre_callback(self, ldap, filters, attrs_list, base_dn, scope, *args, **options): + return (filters, base_dn, ldap.SCOPE_ONELEVEL) + +class range_show(LDAPRetrieve): + __doc__ = _('Display information about a range.') + + def pre_callback(self, ldap, dn, attrs_list, *keys, **options): + attrs_list.append('objectclass') + return dn + + def post_callback(self, ldap, dn, entry_attrs, *keys, **options): + if 'ipatrustedaddomainrange' in entry_attrs['objectclass']: + entry_attrs['iparangetype']=(u'Active Directory domain range') + else: + entry_attrs['iparangetype']=(u'local domain range') + del entry_attrs['objectclass'] + return dn + +api.register(range) +api.register(range_add) +#api.register(range_mod) +api.register(range_del) +api.register(range_find) +api.register(range_show) + diff --git a/test_range_plugin.py b/test_range_plugin.py new file mode 100644 index 0000000000000000000000000000000000000000..162cc55d7384c2cb14537a5ee092ac65a4a6d99d --- /dev/null +++ b/test_range_plugin.py 
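Review bot: `range_add.pre_callback` only rejects a local range without `ipasecondarybaserid`; the opposite combination, `ipanttrusteddomainsid` together with `ipasecondarybaserid`, is passed through and then fails as an objectclass violation from the directory, because ipaTrustedADDomainRange has no ipaSecondaryBaseRID in its definition. Raise a ValidationError for it here, and also reject a local range whose two RID bases are less than `ipaidrangesize` apart, the rule `__add_rid_bases` in adtrustinstance.py is meant to enforce at install time; otherwise the CLI can create a range whose primary and secondary RID intervals overlap and two POSIX IDs map to the same RID. The comment above `range_find.pre_callback` is misleading: all ranges live directly under cn=ranges,cn=etc, which is why SCOPE_ONELEVEL is sufficient, not because each type has its own container. Minor: `Password`, `DefaultFrom`, `Object`, `Enum`, `Command`, `ipautil` and `util` are imported but unused, and `Int` is not imported here at all and only arrives through the `from ipalib.plugins.baseldap import *` line; import it explicitly.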
@@ -0,0 +1,79 @@ +# Authors: +# Alexander Bokovoy +# +# Copyright (C) 2012 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +""" +Test the `ipalib/plugins/range.py` module, and XML-RPC in general. +""" + +from ipalib import api, errors, _ +from tests.util import assert_equal, Fuzzy +from xmlrpc_test import Declarative +from ipalib.dn import * + +testrange1 = u't-range-1' + +class test_range(Declarative): + cleanup_commands = [ + ('range_del', [testrange1], {}), + ] + + tests = [ + dict( + desc='Create range %r' % (testrange1), + command=('range_add', [testrange1], + dict(ipabaseid=900000, ipaidrangesize=99999, + ipabaserid=1000, ipasecondarybaserid=20000)), + expected=dict( + result=dict( + dn=lambda x: DN(x) == \ + DN(('cn',testrange1),('cn','ranges'),('cn','etc'), + api.env.basedn), + cn=[testrange1], + objectclass=[u'ipaIDrange', u'ipadomainidrange'], + ipabaseid=[u'900000'], + ipabaserid=[u'1000'], + ipasecondarybaserid=[u'20000'], + ipaidrangesize=[u'99999'] + ), + value=testrange1, + summary=u'Added ID range "%s"' % (testrange1), + ), + ), + + dict( + desc='Retrieve range %r' % (testrange1), + command=('range_show', [testrange1], dict()), + expected=dict( + result=dict( + dn=lambda x: DN(x) == \ + DN(('cn',testrange1),('cn','ranges'),('cn','etc'), + api.env.basedn), + cn=[testrange1], + ipabaseid=[u'900000'], + ipabaserid=[u'1000'], + 
ipasecondarybaserid=[u'20000'], + ipaidrangesize=[u'99999'], + iparangetype=u'local domain range', + ), + value=testrange1, + summary=None, + ), + ), + + ] -- 1.7.10.2 -------------- next part -------------- From c584c84c996c52dd845981f7de875b98a543771a Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Mon, 18 Jun 2012 21:25:31 +0200 Subject: [PATCH 5/5] Add range check preop plugin To make sure that ID ranges do not overlap this plugin checks new additions and changes for conflicts with existing ranges. --- daemons/configure.ac | 1 + daemons/ipa-slapi-plugins/Makefile.am | 1 + .../ipa-slapi-plugins/ipa-range-check/Makefile.am | 46 ++ .../ipa-range-check/ipa_range_check.c | 440 ++++++++++++++++++++ .../ipa-range-check/range-check-conf.ldif | 16 + freeipa.spec.in | 2 + ipaserver/install/dsinstance.py | 4 + 7 Dateien ge?ndert, 510 Zeilen hinzugef?gt(+) create mode 100644 daemons/ipa-slapi-plugins/ipa-range-check/Makefile.am create mode 100644 daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c create mode 100644 daemons/ipa-slapi-plugins/ipa-range-check/range-check-conf.ldif diff --git a/daemons/configure.ac b/daemons/configure.ac index 76ebaa67f802e20009ef764bdbdcd09cc7937a22..b94673026a2c6b71670a67b1f629d9960d8fad31 100644 --- a/daemons/configure.ac +++ b/daemons/configure.ac @@ -342,6 +342,7 @@ AC_CONFIG_FILES([ ipa-slapi-plugins/ipa-uuid/Makefile ipa-slapi-plugins/ipa-modrdn/Makefile ipa-slapi-plugins/ipa-sidgen/Makefile + ipa-slapi-plugins/ipa-range-check/Makefile ]) AC_OUTPUT diff --git a/daemons/ipa-slapi-plugins/Makefile.am b/daemons/ipa-slapi-plugins/Makefile.am index 5a3c9e7034020b4f80815e865c2ed0de419264c9..c79e68db112c9d21bcbffba3d00442d2fd20ab3a 100644 --- a/daemons/ipa-slapi-plugins/Makefile.am +++ b/daemons/ipa-slapi-plugins/Makefile.am @@ -11,6 +11,7 @@ SUBDIRS = \ ipa-version \ ipa-winsync \ ipa-sidgen \ + ipa-range-check \ $(NULL) EXTRA_DIST = \ 
diff --git a/daemons/ipa-slapi-plugins/ipa-range-check/Makefile.am b/daemons/ipa-slapi-plugins/ipa-range-check/Makefile.am new file mode 100644 index 0000000000000000000000000000000000000000..f284b42ff339bc97463260749d948f9aff9f54a4 --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-range-check/Makefile.am @@ -0,0 +1,46 @@ +NULL = + +PLUGIN_COMMON_DIR=../common + +INCLUDES = \ + -I. \ + -I$(srcdir) \ + -I$(PLUGIN_COMMON_DIR) \ + -I/usr/include/dirsrv \ + -DPREFIX=\""$(prefix)"\" \ + -DBINDIR=\""$(bindir)"\" \ + -DLIBDIR=\""$(libdir)"\" \ + -DLIBEXECDIR=\""$(libexecdir)"\" \ + -DDATADIR=\""$(datadir)"\" \ + $(AM_CFLAGS) \ + $(LDAP_CFLAGS) \ + $(WARN_CFLAGS) \ + $(NULL) + +plugindir = $(libdir)/dirsrv/plugins +plugin_LTLIBRARIES = \ + libipa_range_check.la \ + $(NULL) + +libipa_range_check_la_SOURCES = \ + ipa_range_check.c \ + $(NULL) + +libipa_range_check_la_LDFLAGS = -avoid-version + +libipa_range_check_la_LIBADD = \ + $(LDAP_LIBS) \ + $(NULL) + +appdir = $(IPA_DATA_DIR) +app_DATA = \ + range-check-conf.ldif \ + $(NULL) + +EXTRA_DIST = \ + $(app_DATA) \ + $(NULL) + +MAINTAINERCLEANFILES = \ + *~ \ + Makefile.in diff --git a/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c b/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c new file mode 100644 index 0000000000000000000000000000000000000000..499e54a9c4a4c9134a231c0cd09e700390565a14 --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c 
@@ -0,0 +1,440 @@ +/** BEGIN COPYRIGHT BLOCK + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + * + * Additional permission under GPLv3 section 7: + * + * In the following paragraph, "GPL" means the GNU General Public + * License, version 3 or any later version, and "Non-GPL Code" means + * code that is governed neither by the GPL nor a license + * compatible with the GPL. + * + * You may link the code of this Program with Non-GPL Code and convey + * linked combinations including the two, provided that such Non-GPL + * Code only links to the code of this Program through those well + * defined interfaces identified in the file named EXCEPTION found in + * the source code files (the "Approved Interfaces"). The files of + * Non-GPL Code may instantiate templates or use macros or inline + * functions from the Approved Interfaces without causing the resulting + * work to be covered by the GPL. Only the copyright holders of this + * Program may make changes or additions to the list of Approved + * Interfaces. + * + * Authors: + * Sumit Bose + * + * Copyright (C) 2011 Red Hat, Inc. + * All rights reserved. 
+ * END COPYRIGHT BLOCK **/ + +#include +#include +#include +#include + +#include "util.h" + +#define IPA_CN "cn" +#define IPA_BASE_ID "ipaBaseID" +#define IPA_ID_RANGE_SIZE "ipaIDRangeSize" +#define IPA_BASE_RID "ipaBaseRID" +#define IPA_SECONDARY_BASE_RID "ipaSecondaryBaseRID" +#define RANGES_FILTER "objectclass=ipaIDRange" + +#define IPA_PLUGIN_NAME "ipa-range-check" +#define IPA_RANGE_CHECK_FEATURE_DESC "IPA ID range check plugin" +#define IPA_RANGE_CHECK_PLUGIN_DESC "Check if newly added or modified " \ + "ID ranges do not overlap with existing ones" + +Slapi_PluginDesc ipa_range_check_plugin_desc = { + IPA_RANGE_CHECK_FEATURE_DESC, + "FreeIPA project", + "FreeIPA/1.0", + IPA_RANGE_CHECK_PLUGIN_DESC +}; + +struct ipa_range_check_ctx { + Slapi_ComponentId *plugin_id; + const char *base_dn; +}; + +struct range_info { + char *name; + uint32_t base_id; + uint32_t id_range_size; + uint32_t base_rid; + uint32_t secondary_base_rid; +}; + +static int slapi_entry_to_range_info(struct slapi_entry *entry, + struct range_info **_range) +{ + int ret; + unsigned long ul_val; + struct range_info *range = NULL; + + range = calloc(1, sizeof(struct range_info)); + if (range == NULL) { + return ENOMEM; + } + + range->name = slapi_entry_attr_get_charptr(entry, IPA_CN); + if (range->name == NULL) { + return EINVAL; + } + + ul_val = slapi_entry_attr_get_ulong(entry, IPA_BASE_ID); + if (ul_val == 0 || ul_val >= UINT32_MAX) { + ret = ERANGE; + goto done; + } + range->base_id = ul_val; + + ul_val = slapi_entry_attr_get_ulong(entry, IPA_ID_RANGE_SIZE); + if (ul_val == 0 || ul_val >= UINT32_MAX) { + ret = ERANGE; + goto done; + } + range->id_range_size = ul_val; + + ul_val = slapi_entry_attr_get_ulong(entry, IPA_BASE_RID); + if (ul_val >= UINT32_MAX) { + ret = ERANGE; + goto done; + } + range->base_rid = ul_val; + + ul_val = slapi_entry_attr_get_ulong(entry, IPA_SECONDARY_BASE_RID); + if (ul_val >= UINT32_MAX) { + ret = ERANGE; + goto done; + } + range->secondary_base_rid = ul_val; + + 
*_range = range; + ret = 0; + +done: + if (ret != 0) { + free(range); + } + + return ret; +} + +#define IN_RANGE(x,base,size) ( (x) >= (base) && ((x) - (base)) < (size) ) +static bool ranges_overlap(struct range_info *r1, struct range_info *r2) +{ + if (r1->name != NULL && r2->name != NULL && + strcasecmp(r1->name, r2->name) == 0) { + return false; + } + + if (IN_RANGE(r1->base_id, r2->base_id, r2->id_range_size) || + IN_RANGE((r1->base_id + r1->id_range_size - 1), r2->base_id, r2->id_range_size) || + IN_RANGE(r2->base_id, r1->base_id, r1->id_range_size) || + IN_RANGE((r2->base_id + r2->id_range_size - 1), r1->base_id, r1->id_range_size)) { + return true; + } + + return false; +} + +static int ipa_range_check_start(Slapi_PBlock *pb) +{ + return 0; +} + +static int ipa_range_check_close(Slapi_PBlock *pb) +{ + return 0; +} + +static int ipa_range_check_pre_op(Slapi_PBlock *pb, int modtype) +{ + int ret; + int is_repl_op; + struct slapi_entry *entry = NULL; + bool free_entry = false; + struct range_info *new_range = NULL; + struct range_info *old_range = NULL; + const char *dn_str; + Slapi_DN *dn = NULL; + struct ipa_range_check_ctx *ctx; + LDAPMod **mods = NULL; + Slapi_PBlock *search_pb = NULL; + int search_result; + Slapi_Entry **search_entries = NULL; + size_t c; + bool overlap = true; + const char *check_attr; + char *errmsg = NULL; + + ret = slapi_pblock_get(pb, SLAPI_IS_REPLICATED_OPERATION, &is_repl_op); + if (ret != 0) { + LOG_FATAL("slapi_pblock_get failed!?\n"); + return LDAP_OPERATIONS_ERROR; + } + + if (is_repl_op) { + LOG("Is replicated operation, nothing to do.\n"); + return LDAP_SUCCESS; + } + + ret = slapi_pblock_get(pb, SLAPI_PLUGIN_PRIVATE, &ctx); + if (ret != 0) { + LOG_FATAL("Missing private plugin context.\n"); + goto done; + } + + ret = slapi_pblock_get(pb, SLAPI_TARGET_DN, &dn_str); + if (ret != 0) { + LOG_FATAL("Missing target DN.\n"); + goto done; + } + + dn = slapi_sdn_new_dn_byref(dn_str); + if (dn == NULL) { + LOG_FATAL("Failed to convert 
target DN.\n"); + ret = LDAP_OPERATIONS_ERROR; + goto done; + } + + + switch (modtype) { + case LDAP_CHANGETYPE_ADD: + ret = slapi_pblock_get(pb, SLAPI_ADD_ENTRY, &entry); + if (ret != 0) { + LOG_FATAL("Missing entry to add.\n"); + goto done; + } + + /* Check if this is a range object */ + check_attr = slapi_entry_attr_get_charptr(entry, IPA_BASE_ID); + if (check_attr == NULL) { + LOG("Not an ID range object, nothing to do.\n"); + ret = 0; + goto done; + } + + break; + case LDAP_CHANGETYPE_MODIFY: + ret = slapi_search_internal_get_entry(dn, NULL, &entry, + ctx->plugin_id); + if (ret != 0 || entry == NULL) { + LOG_FATAL("Missing entry to modify.\n"); + ret = LDAP_NO_SUCH_OBJECT; + goto done; + } + free_entry = true; + + /* Check if this is a range object */ + check_attr = slapi_entry_attr_get_charptr(entry, IPA_BASE_ID); + if (check_attr == NULL) { + LOG("Not an ID range object, nothing to do.\n"); + ret = 0; + goto done; + } + + ret = slapi_pblock_get(pb, SLAPI_MODIFY_MODS, &mods); + if (ret != 0) { + LOG_FATAL("Missing modify values.\n"); + goto done; + } + + ret = slapi_entry_apply_mods(entry, mods); + if (ret != 0) { + LOG_FATAL("Failed to apply modifications.\n"); + goto done; + } + + break; + default: + ret = LDAP_OPERATIONS_ERROR; + LOG_FATAL("Unsupported LDAP operation.\n"); + goto done; + } + + ret = slapi_entry_to_range_info(entry, &new_range); + if (ret != 0) { + LOG_FATAL("Failed to convert LDAP entry to range struct.\n"); + goto done; + } + + search_pb = slapi_pblock_new(); + if (search_pb == NULL) { + LOG_FATAL("Failed to create new pblock.\n"); + ret = LDAP_OPERATIONS_ERROR; + goto done; + } + + slapi_search_internal_set_pb(search_pb, ctx->base_dn, + LDAP_SCOPE_SUBTREE, RANGES_FILTER, + NULL, 0, NULL, NULL, ctx->plugin_id, 0); + + ret = slapi_search_internal_pb(search_pb); + if (ret != 0) { + LOG_FATAL("Starting internal search failed.\n"); + goto done; + } + + ret = slapi_pblock_get(search_pb, SLAPI_PLUGIN_INTOP_RESULT, &search_result); + if (ret != 
0 || search_result != LDAP_SUCCESS) { + LOG_FATAL("Internal search failed.\n"); + ret = LDAP_OPERATIONS_ERROR; + goto done; + } + + ret = slapi_pblock_get(search_pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, + &search_entries); + if (ret != 0) { + LOG_FATAL("Failed to read searched entries.\n"); + goto done; + } + + if (search_entries == NULL || search_entries[0] == NULL) { + LOG("No existing entries.\n"); + ret = 0; + goto done; + } + + for (c = 0; search_entries[c] != NULL; c++) { + ret = slapi_entry_to_range_info(search_entries[c], &old_range); + if (ret != 0) { + LOG_FATAL("Failed to convert LDAP entry to range struct.\n"); + goto done; + } + + overlap = ranges_overlap(old_range, new_range); + free(old_range); + old_range = NULL; + if (overlap) { + LOG_FATAL("New range overlaps with existing one.\n"); + ret = LDAP_CONSTRAINT_VIOLATION; + errmsg = "New range overlaps with existing one."; + goto done; + } + } + LOG("No overlaps found.\n"); + + ret = 0; + +done: + slapi_free_search_results_internal(search_pb); + slapi_pblock_destroy(search_pb); + slapi_sdn_free(&dn); + free(old_range); + free(new_range); + if (free_entry) { + slapi_entry_free(entry); + } + + if (ret != 0) { + if (errmsg == NULL) { + errmsg = "Range Check error"; + } + slapi_send_ldap_result(pb, ret, NULL, errmsg, 0, NULL); + } + + return ret; +} + +static int ipa_range_check_mod_pre_op(Slapi_PBlock * pb) +{ + return ipa_range_check_pre_op(pb, LDAP_CHANGETYPE_MODIFY); +} + +static int ipa_range_check_add_pre_op(Slapi_PBlock *pb) +{ + return ipa_range_check_pre_op(pb, LDAP_CHANGETYPE_ADD); +} + +static int ipa_range_check_init_ctx(Slapi_PBlock *pb, + struct ipa_range_check_ctx **_ctx) +{ + struct ipa_range_check_ctx *ctx; + Slapi_Entry *entry; + int ret; + + ctx = calloc(1, sizeof(struct ipa_range_check_ctx)); + if (ctx == NULL) { + return LDAP_OPERATIONS_ERROR; + } + + ret = slapi_pblock_get(pb, SLAPI_PLUGIN_IDENTITY, &ctx->plugin_id); + if ((ret != 0) || (ctx->plugin_id == NULL)) { + LOG_FATAL("Could not 
get identity or identity was NULL\n"); + if (ret == 0) { + ret = -1; + } + goto done; + } + + slapi_pblock_get(pb, SLAPI_PLUGIN_CONFIG_ENTRY, &entry); + if (entry == NULL) { + LOG_FATAL("Plugin configuration not found!\n"); + ret = EINVAL; + goto done; + } + + ctx->base_dn = slapi_entry_attr_get_charptr(entry, "nsslapd-basedn"); + if (ctx->base_dn == NULL) { + LOG_FATAL("Base DN not found in plugin configuration!\n"); + ret = EINVAL; + goto done; + } + + ret = 0; + +done: + if (ret != 0) { + free(ctx); + } else { + *_ctx = ctx; + } + + return ret; +} + +int ipa_range_check_init(Slapi_PBlock *pb) +{ + int ret; + struct ipa_range_check_ctx *rc_ctx; + + ret = ipa_range_check_init_ctx(pb, &rc_ctx); + if (ret != 0) { + LOG_FATAL("Failed ot initialize range check plugin.\n"); + /* do not cause DS to stop, simply do nothing */ + return 0; + } + + ret = 0; + if (slapi_pblock_set(pb, SLAPI_PLUGIN_VERSION, + SLAPI_PLUGIN_VERSION_01) != 0 || + slapi_pblock_set(pb, SLAPI_PLUGIN_START_FN, + (void *) ipa_range_check_start) != 0 || + slapi_pblock_set(pb, SLAPI_PLUGIN_CLOSE_FN, + (void *) ipa_range_check_close) != 0 || + slapi_pblock_set(pb, SLAPI_PLUGIN_DESCRIPTION, + (void *) &ipa_range_check_plugin_desc) != 0 || + slapi_pblock_set(pb, SLAPI_PLUGIN_PRE_MODIFY_FN, + (void *) ipa_range_check_mod_pre_op) != 0 || + slapi_pblock_set(pb, SLAPI_PLUGIN_PRE_ADD_FN, + (void *) ipa_range_check_add_pre_op) != 0 || + slapi_pblock_set(pb, SLAPI_PLUGIN_PRIVATE, rc_ctx) != 0) { + LOG_FATAL("failed to register plugin\n"); + ret = EFAIL; + } + + return ret; +} diff --git a/daemons/ipa-slapi-plugins/ipa-range-check/range-check-conf.ldif b/daemons/ipa-slapi-plugins/ipa-range-check/range-check-conf.ldif new file mode 100644 index 0000000000000000000000000000000000000000..6452304f4324a37c8b2b72c95ac623743c7d00b3 --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-range-check/range-check-conf.ldif 
@@ -0,0 +1,16 @@ +dn: cn=IPA Range-Check,cn=plugins,cn=config +changetype: add +objectclass: top +objectclass: nsSlapdPlugin +objectclass: extensibleObject +cn: IPA Range-Check +nsslapd-pluginpath: libipa_range_check +nsslapd-plugininitfunc: ipa_range_check_init +nsslapd-plugintype: preoperation +nsslapd-pluginenabled: on +nsslapd-pluginid: ipa_range_check_version +nsslapd-pluginversion: 1.0 +nsslapd-pluginvendor: Red Hat, Inc. +nsslapd-plugindescription: IPA Range-Check plugin +nsslapd-plugin-depends-on-type: database +nsslapd-basedn: $SUFFIX diff --git a/freeipa.spec.in b/freeipa.spec.in index f7b115202bc8086ba26b25fbe1848fb4ad1fec2a..b0f3cee99a4398ee248a48e2f5c99363dcc642ef 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -365,6 +365,7 @@ rm %{buildroot}/%{plugin_dir}/libipa_cldap.la rm %{buildroot}/%{plugin_dir}/libipa_sidgen.la rm %{buildroot}/%{plugin_dir}/libipa_sidgen_task.la rm %{buildroot}/%{plugin_dir}/libipa_extdom_extop.la +rm %{buildroot}/%{plugin_dir}/libipa_range_check.la rm %{buildroot}/%{_libdir}/krb5/plugins/kdb/ipadb.la rm %{buildroot}/%{_libdir}/samba/pdb/ipasam.la @@ -641,6 +642,7 @@ fi %attr(755,root,root) %{plugin_dir}/libipa_modrdn.so %attr(755,root,root) %{plugin_dir}/libipa_lockout.so %attr(755,root,root) %{plugin_dir}/libipa_cldap.so +%attr(755,root,root) %{plugin_dir}/libipa_range_check.so %dir %{_localstatedir}/lib/ipa %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysupgrade diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 93c6b50c274506949d1cdb81ad952141de10dab1..d74ee8987a3387b78ec7203c9b8c70059b35a812 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py 
@@ -240,6 +240,7 @@ class DsInstance(service.Service): self.step("configuring netgroups from hostgroups", self.__host_nis_groups) self.step("creating default Sudo bind user", self.__add_sudo_binduser) self.step("creating default Auto Member layout", self.__add_automember_config) + self.step("adding range check plugin", self.__add_range_check_plugin) if hbac_allow: self.step("creating default HBAC rule allow_all", self.add_hbac) @@ -788,6 +789,9 @@ class DsInstance(service.Service): def __add_replica_automember_config(self): self._ldap_mod("replica-automember.ldif", self.sub_dict) + def __add_range_check_plugin(self): + self._ldap_mod("range-check-conf.ldif", self.sub_dict) + def replica_populate(self): self.ldap_connect() -- 1.7.10.2 From abokovoy at redhat.com Fri Jun 29 12:52:15 2012 
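Review bot: in ipalib/plugins/range.py the object class is called `range`, which shadows the Python builtin for the rest of the module; a more specific class name avoids that. `#api.register(range_mod)` names a command class that does not exist in this patch, so either drop the commented line or add `range_mod`; without it the MODIFY branch of the new preop plugin is reachable only through direct LDAP writes. The validation in `range_add.pre_callback` only checks that a local range carries `ipasecondarybaserid`; it does not check that `ipaidrangesize` is greater than zero (a zero size is then rejected only inside the Directory Server plugin, whose caller sends the errno value ERANGE as the LDAP result code together with the generic 'Range Check error' text), nor that `ipabaseid + ipaidrangesize` stays below 2^32, so both cases deserve a ValidationError here.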
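Review bot: test_range_plugin.py only exercises the success path (range_add followed by range_show). The behaviour this series adds is the rejection of bad ranges, so add cases that expect `errors.ValidationError` for a local range created without `ipasecondarybaserid`, a failure for a second range whose `ipabaseid` lies inside t-range-1 (for example ipabaseid=950000 with the same ipaidrangesize, which the preop plugin answers with LDAP_CONSTRAINT_VIOLATION), and a range_find call confirming that the one-level search under cn=ranges,cn=etc returns the entry.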
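Review bot: in ipa_range_check.c, ranges_overlap() compares only the POSIX ID span, although slapi_entry_to_range_info() also parses ipaBaseRID and ipaSecondaryBaseRID into the struct; two ranges with disjoint IDs but the same RID base pass the check, so either compare the RID spans as well or drop the unused fields and document that RID collisions are out of scope. The end-of-range arithmetic `r1->base_id + r1->id_range_size - 1` can wrap in uint32_t because each value is only checked against UINT32_MAX individually; reject entries whose base plus size overflows. Memory handling: the early `return EINVAL` when `range->name` is NULL leaks `range`; `free(range)` (in the done label and in ipa_range_check_pre_op) never releases `range->name`; and `check_attr` is obtained from slapi_entry_attr_get_charptr() and never freed (slapi_ch_free_string() is the matching release, or use slapi_entry_attr_find() for a pure existence test). Error reporting: slapi_entry_to_range_info() returns errno values (ENOMEM, EINVAL, ERANGE) which the caller hands to slapi_send_ldap_result() unchanged as the LDAP result code; map them to LDAP_OPERATIONS_ERROR or LDAP_CONSTRAINT_VIOLATION before sending. Finally, ipa_range_check_init() returns 0 when ipa_range_check_init_ctx() fails, so the server starts with the overlap check silently disabled; if that fail-open behaviour is intended it should be stated in the comment, and the log line has a typo ('Failed ot initialize').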
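Review bot: `__add_range_check_plugin` is wired only into the fresh-install step list of DsInstance, so a server upgraded from an earlier version never has range-check-conf.ldif applied and runs without the overlap check. The thread already asks for update handling of the range objects; the plugin configuration needs the same treatment (an update file alongside the ldif), otherwise upgraded and freshly installed servers enforce different rules.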
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 29 Jun 2012 15:52:15 +0300
Subject: [Freeipa-devel] [PATCHES] 22-24 Add initial support for ID ranges
In-Reply-To: <20120629121731.GC922@localhost.localdomain>
References: <20120613191726.GI20850@localhost.localdomain> <1339634303.8230.634.camel@willson.li.ssimo.org> <20120614103538.GJ20850@localhost.localdomain> <1339674880.8230.674.camel@willson.li.ssimo.org> <20120614122501.GK20850@localhost.localdomain> <20120617194720.GB29454@localhost.localdomain> <20120626103014.GC29454@localhost.localdomain> <20120627191935.GL29454@localhost.localdomain> <20120629121731.GC922@localhost.localdomain>
Message-ID: <20120629125215.GI6687@redhat.com>

On Fri, 29 Jun 2012, Sumit Bose wrote:
>On Wed, Jun 27, 2012 at 09:19:36PM +0200, Sumit Bose wrote:
>> On Tue, Jun 26, 2012 at 12:30:14PM +0200, Sumit Bose wrote:
>> > On Sun, Jun 17, 2012 at 09:47:20PM +0200, Sumit Bose wrote:
>> > > On Thu, Jun 14, 2012 at 02:25:01PM +0200, Sumit Bose wrote:
>> > > > On Thu, Jun 14, 2012 at 07:54:40AM -0400, Simo Sorce wrote:
>> > > > > On Thu, 2012-06-14 at 12:35 +0200, Sumit Bose wrote:
>> > > > > > On Wed, Jun 13, 2012 at 08:38:23PM -0400, Simo Sorce wrote:
>> > > > > > > On Wed, 2012-06-13 at 21:17 +0200, Sumit Bose wrote:
>> > > > > > > >
>> > > > > > > > to keep track of the different ranges we use for UIDs/GIDs for local
>> > > > > > > > users/groups and users from trusted domains new range objects are
>> > > > > > > > introduced which are stored below cn=range,cn=etc,$SUFFIX.
>> > > > > > > >
>> > > > > > > > 0022: LDAP schema update
>> > > > > > >
>> > > > > > > ack
>> > > > > > >
>> > > > > > > > 0023: Create a range object during installation for the local ID range
>> > > > > > >
>> > > > > > > nack, I think we need to find a way to handle adding at least the base
>> > > > > > > range on update. Otherwise an updated server won't be able to have IDs
>> > > > > > > for most of its users.
>> > > > > >
>> > > > > > I fully agree, but since we said that we concentrate on update issues in
>> > > > > > beta2 I wanted to send the version for the fresh install first to allow
>> > > > > > testing.
>> > > > >
>> > > > > The reason I'd like updates is that this patchset can be installed on
>> > > > > top of existing servers for testing w/o having to reinstall from scratch
>> > > > > or manually creating the ipaDomainIDRange object :):)
>> > > >
>> > > > ok, will do.
>> > > >
>> > > > Do you otherwise agree with the patches or is there something I should
>> > > > change while adding the updates?
>> > > >
>> > > > bye,
>> > > > Sumit
>> > > >
>> > > > >
>> > > > > > >
>> > > > > > > > 0024: add primary and secondary RID base to the local range object
>> > > > > > > > during ipa-adtrust-install
>> > > > > > >
>> > > > > > > Not sure if setting the range belongs in the previous patch or this one.
>> > > > > >
>> > > > > > I think it is right here, because a plain IPA server does not need the
>> > > > > > RID related attributes.
>> > > > > >
>> > > > > > > We might decide to ask questions during ipa-adtrust-install if the range
>> > > > > > > is not available, maybe presenting a set of pre-canned choices if we can
>> > > > > > > detect them.
>> > > > > >
>> > > > > > I agree here, too. But as above I would like to handle update issues
>> > > > > > in a second round.
>> > > > > >
>> > > > > > >
>> > > > > > > Finally I think we need to do a search with uid/gidNumber < base and
>> > > > > > > uid/gidNumber > max and prompt/warn the user if we detect any ID that
>> > > > > > > falls outside the configured range (either because we failed to detect
>> > > > > > > ranges on upgrade and the user botched the question or because the admin
>> > > > > > > added arbitrary IDs.
>> > > > > > > If a warning we should warn that missing a range that suitably covers
>> > > > > > > these IDs, those users/groups will not be available for the trust.
>> > > > > > >
>> > > > > > > Maybe we should also have a simple ipa command that can list all
>> > > > > > > users/groups that fall outside the ranges as well.
>> > > > > >
>> > > > > > I'm working on the ranges cli plugin to allow 'ipa range-add', 'ipa
>> > > > > > range-find' etc. I can add it there.
>> > > > > >
>> > >
>> > > Hi,
>> > >
>> > > this new series of patches adds the cli plugin to create the ID ranges
>> > > manually. I'm still working on a detection of the locally used id range
>> > > of an upgrade domain in ipa-adtrust-install and a plugin which rejects
>> > > new ranges which overlap with existing ones.
>> > >
>> > > bye,
>> > > Sumit
>> >
>> > the attached patch adds a preop plugin which checks for overlaps with
>> > existing ranges.
>> >
>> > bye,
>> > Sumit
>>
>> Finally I added a method to guess and create the initial ID range, if none
>> is present, e.g. when updating from an older version of freeIPA. A
>> full series of patches is attached.
>>
>> bye,
>> Sumit
>
>This version of patches fixes review comments by Alexander and also adds
>some tests for the range CLI plugin which were kindly provided by
>Alexander.

ACK

-- 
/ Alexander Bokovoy

From abokovoy at redhat.com Fri Jun 29 12:57:24 2012
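The check Sumit's preop plugin performs (rejecting a new or modified range that collides with an existing one), written out here as an added C example rather than code from the patch: it compares the POSIX ID span and, for ranges of the same domain, the RID spans, and does the end-of-span arithmetic in 64 bits so it cannot wrap in uint32_t. The struct and function names, the assumption that a RID span is ipaIDRangeSize wide, and the placeholder SID are mine, not the project's.

```c
/* Added example, not code from the patch: overflow-safe conflict check for
 * FreeIPA-style ID ranges. Fields follow the LDAP attributes the plugin reads
 * (cn, ipaBaseID, ipaIDRangeSize, ipaBaseRID, ipaSecondaryBaseRID,
 * ipaNTTrustedDomainSID). Assumed here: a RID span is ipaIDRangeSize wide
 * (RIDs assigned by offset from the base) and RIDs are only comparable
 * between ranges that belong to the same domain SID. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

struct id_range {
    const char *name;            /* cn */
    uint32_t base_id;            /* ipaBaseID */
    uint32_t id_range_size;      /* ipaIDRangeSize */
    uint32_t base_rid;           /* ipaBaseRID, 0 = not set */
    uint32_t secondary_base_rid; /* ipaSecondaryBaseRID, 0 = not set */
    const char *domain_sid;      /* ipaNTTrustedDomainSID, NULL = local */
};

/* [base, base + size - 1] is usable when size > 0 and its end still fits in
 * uint32_t; the sum is taken in 64 bits so this test itself cannot wrap. */
static bool span_valid(uint32_t base, uint32_t size)
{
    return size > 0 && (uint64_t)base + size - 1 <= UINT32_MAX;
}

/* Two valid spans overlap exactly when each starts no later than the other ends. */
static bool spans_overlap(uint32_t b1, uint32_t s1, uint32_t b2, uint32_t s2)
{
    uint64_t e1 = (uint64_t)b1 + s1 - 1;
    uint64_t e2 = (uint64_t)b2 + s2 - 1;
    return b1 <= e2 && b2 <= e1;
}

/* Both local (NULL SID), or both carrying the same trusted domain SID. */
static bool same_domain(const struct id_range *a, const struct id_range *b)
{
    if (a->domain_sid == NULL || b->domain_sid == NULL)
        return a->domain_sid == b->domain_sid;
    return strcasecmp(a->domain_sid, b->domain_sid) == 0;
}

/* One range on its own: ID span valid, RID spans (when set) valid and not
 * colliding with each other. */
bool id_range_valid(const struct id_range *r)
{
    uint32_t n = r->id_range_size;
    if (!span_valid(r->base_id, n))
        return false;
    if (r->base_rid && !span_valid(r->base_rid, n))
        return false;
    if (r->secondary_base_rid && !span_valid(r->secondary_base_rid, n))
        return false;
    if (r->base_rid && r->secondary_base_rid &&
        spans_overlap(r->base_rid, n, r->secondary_base_rid, n))
        return false;
    return true;
}

/* Candidate (new or modified) range against one stored range. Equal cn is
 * skipped so a MODIFY is not compared with its own stored copy. Returns a
 * reason for the LDAP error message, or NULL when there is no conflict. */
const char *id_ranges_conflict(const struct id_range *cand,
                               const struct id_range *stored)
{
    if (cand->name && stored->name && strcasecmp(cand->name, stored->name) == 0)
        return NULL;
    if (spans_overlap(cand->base_id, cand->id_range_size,
                      stored->base_id, stored->id_range_size))
        return "POSIX ID ranges overlap";
    if (same_domain(cand, stored)) {
        uint32_t c[2] = { cand->base_rid, cand->secondary_base_rid };
        uint32_t s[2] = { stored->base_rid, stored->secondary_base_rid };
        for (int i = 0; i < 2; i++)
            for (int j = 0; j < 2; j++)
                if (c[i] && s[j] && spans_overlap(c[i], cand->id_range_size,
                                                  s[j], stored->id_range_size))
                    return "RID ranges overlap";
    }
    return NULL;
}

/* Constructed sample ranges; the SID value is a placeholder. */
const struct id_range sample_local     = { "local_range", 900000, 100000, 1000, 1000000, NULL };
const struct id_range sample_id_clash  = { "clash_ids", 950000, 100000, 0, 0, NULL };
const struct id_range sample_rid_clash = { "clash_rids", 2000000, 100000, 50000, 3000000, NULL };
const struct id_range sample_trusted   = { "trusted_range", 3000000, 100000, 1000, 0, "S-1-5-21-PLACEHOLDER" };
const struct id_range sample_wraps     = { "wraps", UINT32_MAX - 10, 100, 0, 0, NULL };

int main(void)
{
    const struct id_range *c[] = { &sample_id_clash, &sample_rid_clash, &sample_trusted, &sample_local };
    for (size_t i = 0; i < 4; i++) {
        const char *why = id_ranges_conflict(c[i], &sample_local);
        printf("%s vs %s: %s\n", c[i]->name, sample_local.name, why ? why : "no conflict");
    }
    printf("%s valid: %s\n", sample_wraps.name, id_range_valid(&sample_wraps) ? "yes" : "no");
    return 0;
}
```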
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 29 Jun 2012 15:57:24 +0300
Subject: [Freeipa-devel] [PATCH] 0067 Explicitly filter options that permission-{add, mod} passes to aci-{add, mod}
In-Reply-To: <4FED958A.2010504@redhat.com>
References: <4FED958A.2010504@redhat.com>
Message-ID: <20120629125724.GJ6687@redhat.com>

On Fri, 29 Jun 2012, Petr Viktorin wrote:
>The permission commands were not filtering their options properly
>before passing them to the underlying ACI commands. This upset the
>new input validation when --addattr/--setattr was used.
>
>This patch adds a filter that only lets options listed in
>aci_attributes through to the ACI commands.
>
>https://fedorahosted.org/freeipa/ticket/2885

ACK.

-- 
/ Alexander Bokovoy

From rcritten at redhat.com Fri Jun 29 15:07:12 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 29 Jun 2012 11:07:12 -0400
Subject: [Freeipa-devel] [PATCH] 1030 Fedora 18 compatibility
In-Reply-To: <4FEC1764.2020809@redhat.com>
References: <4FEB4711.9010603@redhat.com> <4FEC1764.2020809@redhat.com>
Message-ID: <4FEDC4A0.3070800@redhat.com>

Martin Kosek wrote:
> On 06/27/2012 07:46 PM, Rob Crittenden wrote:
>> I found a few minor issues when building and installing the master branch on
>> Fedora 18. This patch should address it.
>>
>> rob
>>
>
> 1) This will fail on F17->F18 upgrades, we need to bump VERSION in
> ipa-rewrite.conf.
>
> Besides that, ipa-upgradeconfig needs to be fixed, otherwise it will crash
> during ipa-rewrite.conf upgrade - ${AUTOREDIR} variable is not set.
>
> However, this variable will need to be figured out from current
> ipa-rewrite.conf contents as it depends on whether the IPA server was installed
> with --no-ui-redirect or not.
>
> 2) Shouldn't we bump tomcat6 version as well since we depend on the tomcat6
> fixed in BZ 831464?
>
> 3) %changelog entry is missing
>
> Martin
>

This should do it

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-1030-2-f18.patch
Type: text/x-diff
Size: 4502 bytes
Desc: not available
URL:

From simo at redhat.com Fri Jun 29 17:46:11 2012
From: simo at redhat.com (Simo Sorce)
Date: Fri, 29 Jun 2012 13:46:11 -0400
Subject: [Freeipa-devel] DHCP support - Request for review
In-Reply-To: <4FEB0B64.7020604@firstyear.id.au>
References: <4FEB0B64.7020604@firstyear.id.au>
Message-ID: <1340991971.14199.16.camel@willson.li.ssimo.org>

On Wed, 2012-06-27 at 23:02 +0930, William Brown wrote:
> Hi,
>
> I have been working on adding support for FreeIPA to support
> configuration storage for ISC-DHCP 4.X servers. I have added the schema
> which is included at installation, added the template / empty files that
> will be filled in and used for the installation and created the ipalib
> plugin for this. At this stage, this feature is still far from done. I
> would appreciate a review of the work I have done to ensure I am on the
> right track.

Hi William,
the approach seems fine, however I am a bit concerned about the default
dhcp schema. Maybe we can catch up over IRC and hash out a bit how we are
going to see this working in large networks.

> I would like to know if there is a better way to add ACLs than by
> manually updating ldap by hand (IE, using the ACL libraries) (See
> /install/share/dhcpd.ldif).

Basic ACIs are added that way at install, you should actually modify the
default install ldif I think and create an .update file for when we
upgrade servers.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Fri Jun 29 17:52:55 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 29 Jun 2012 13:52:55 -0400
Subject: [Freeipa-devel] [PATCH] 1014 configurable service timeout
In-Reply-To: <4FEB0B0D.1000206@redhat.com>
References: <4FB3F267.2070104@redhat.com> <4FB6AAF6.9080800@redhat.com> <4FBE2654.4030207@redhat.com> <4FBE560E.1080108@redhat.com> <1338293075.30643.52.camel@balmora.brq.redhat.com> <4FC4DDBB.7070902@redhat.com> <4FEB0B0D.1000206@redhat.com>
Message-ID: <4FEDEB77.2010307@redhat.com>

Martin Kosek wrote:
> On 05/29/2012 04:31 PM, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On Thu, 2012-05-24 at 11:38 -0400, Rob Crittenden wrote:
>>>> Petr Viktorin wrote:
>>>>> On 05/18/2012 10:03 PM, Rob Crittenden wrote:
>>>>>> Rob Crittenden wrote:
>>>>>>> A hardcoded timeout was used in ipactl for service restarts, set rather
>>>>>>> low. A separate timeout was hardcoded into the installer.
>>>>>>>
>>>>>>> I centralized them into a single timeout, configurable in the standard
>>>>>>> way in /etc/ipa/*.conf.
>>>>>>>
>>>>>>> On install it will always default to 120 seconds and remain there unless
>>>>>>> changed in default.conf (not replicated either).
>>>>>>>
>>>>>>> I tested this on systemd systems and sysV systems and it works ok for
>>>>>>> me. You'll also want to double-check that this works when other 389-ds
>>>>>>> instances are installed.
>>>>>>>
>>>>>>> Getting the naming of instances right was a bit tricky.
>>>>>>
>>>>>> Noticed a problem on upgrades and fixed that. Updated patch attached.
>>>>>>
>>>>>> rob
>>>>>>
>>>>>>
>>>>>
>>>>> Please rebase the patch onto current master.
>>>>>
>>>>>
>>>>
>>>> Done
>>>
>>> This is a good start.
>>> I just found a few places where I found that the
>>> remaining wait function calls are redundant:
>>>
>>> 1) install/tools/ipactl:
>>>
>>> if lurl.urlscheme == 'ldapi':
>>> - wait_for_open_socket(lurl.hostport, timeout=6)
>>> + wait_for_open_socket(lurl.hostport,
>>> timeout=api.env.startup_timeout)
>>> else:
>>> (host,port) = lurl.hostport.split(':')
>>> - wait_for_open_ports(host, [int(port)], timeout=6)
>>> + wait_for_open_ports(host, [int(port)],
>>> timeout=api.env.startup_timeout)
>>>
>>> Aren't these calls redundant? We already wait for ports when dirsrv is
>>> started (dirsrv.start()) or restarted (dirsrv.restart()).
>>
>> It is redundant in some cases but there are some calls we make where this is
>> used to determine the availability of the service. This call is needed.
>>
>>> 2) ipaserver/install/replication.py:
>>> - installutils.wait_for_open_ports('localhost', [389, 636], 300)
>>> + ipautil.wait_for_open_ports('localhost', [389, 636], 300)
>>>
>>> Isn't this now redundant? Port check should be done in service restart.
>>
>> Yes, looks like this call can go.
>>
>>> 3) ipaserver/install/plugins/updateclient.py:
>>>
>>> - installutils.wait_for_open_socket(socket_name)
>>> + wait_for_open_socket(socket_name)
>>>
>>> Also seems redundant, dirsrv should be already up as it was restarted
>>> via our Service framework. Though we only check for ports in the Service
>>> framework, I wonder if this is enough and we can be sure that when ports
>>> are up, the LDAPI socket is also up.
>>
>> No, sockets and ports are separate, particularly when updating. In fact, we
>> disable the ports so a wait_for_port() will always fail which is why I added
>> the wait flag. This may be a case I missed with upgrades. Let me test upgrades
>> again...
>>
>> rob
>
> I think we want to either send a revised patch to this ticket to get it to Beta
> 1 or to defer it to some future version...
>
> Martin
>

Here is a rebased patch.
rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-1014-4-timeout.patch
Type: text/x-diff
Size: 72619 bytes
Desc: not available
URL:

From rcritten at redhat.com Fri Jun 29 19:00:23 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 29 Jun 2012 15:00:23 -0400
Subject: [Freeipa-devel] [PATCH] [WIP] 281 Enable SOA serial autoincrement
In-Reply-To: <4FEC7314.9030508@redhat.com>
References: <4FEC7314.9030508@redhat.com>
Message-ID: <4FEDFB47.40504@redhat.com>

Martin Kosek wrote:
> This patch enables currently developed SOA serial autoincrement feature in
> bind-dyndb-ldap. The patch may be updated if any assumptions about this feature
> are changed (or somebody finds a bug).
>
> ---
>
> SOA serial autoincrement is a requirement for major DNS features,
> e.g. zone transfers or DNSSEC. Enable it by default in named.conf
> both for new and upgraded installations. Name of the bind-dyndb-ldap
> option is "serial_autoincrement".
>
> From now on, idnsSOAserial attribute also has to be put to
> replication agreement exclude list as serial will be incremented
> on each DNS server separately and won't be shared. Exclude list
> has to be updated both for new replication agreements and the
> current ones.
>
> https://fedorahosted.org/freeipa/ticket/2554

What version of bind/bind-dyndb-ldap is needed for serial_autoincrement?

rob

From rcritten at redhat.com Fri Jun 29 19:07:03 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 29 Jun 2012 15:07:03 -0400
Subject: [Freeipa-devel] [PATCH][WIP] LDAP encoding redone
In-Reply-To: <4FEB2E71.6040105@redhat.com>
References: <4FEB2E71.6040105@redhat.com>
Message-ID: <4FEDFCD7.7030507@redhat.com>

Jan Cholasta wrote:
> Hi,
>
> this is the next patch in the input validation & handling series
> . It changes the way
> entries are encoded and decoded in the LDAP backend.
>
> The patch consists of several changes:
>
> * Refactored the Encoder class to be more universally usable. It uses
> a polymorphic interface, which hopefully makes the encoding code more
> readable.
>
> * Attribute values now use Python data types matching the syntax of
> the attribute. This removes the need to decode/encode the values from/to
> raw LDAP values in the CallbackInterface callbacks as well as other
> parts of IPA.
>
> * On command output, attribute values are converted to strings so
> that the resulting entry is the same as it is without the patch. I don't
> like this code and I'd like to get rid of at least some parts of it, but
> I'm not sure how that would affect API compatibility. Removing the
> special case for boolean values would fix
> .
>
> * Entries are more strictly checked when they are encoded and
> decoded. Values of multi-value attributes must be lists (not tuples!) of
> objects of the appropriate python type, values of single-value
> attributes must be objects of the appropriate python type. This helps
> detecting data type errors that would previously go unnoticed.
>
> * Some parameters use a data type that doesn't match the syntax of the
> according attribute, or are single-value even when the according
> attribute is multi-value. Values of such parameters wouldn't pass the
> new strict checking if they were used in attributes without
> modifications. To remedy this, added a new parameter option
> attr_convertor, which allows specifying a custom function for converting
> parameter values to attribute values.
>
> Note that this is work in progress, some things may be (and certainly
> are) broken, there is some low-quality code and docstrings, comments and
> tests are TBD.
>
> Suggestions and comments are welcome.
>
> Honza

I haven't tried this yet, but this change jumped out at me:

if attr not in ('aciname', 'group', 'memberof', 'nsaccountlock', 'subtree', 'targetgroup', 'type') and self.obj is not None and attr in self.obj.params and 'virtual_attribute' not in self.obj.params[attr].flags:

Why exclude this subset of attributes?

Is the big block of code adding to __call__ meant to maintain backwards compatibility? This seems to make lists out of a lot of things that weren't previously lists. Is that to satisfy the schema?

rob

From rcritten at redhat.com Fri Jun 29 19:16:39 2012
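As an added illustration of the encoding scheme Jan describes (Python types chosen by attribute syntax, lists only for multi-value attributes, strict checks when encoding, and an attr_convertor-style hook), here is a self-contained encoder/decoder. It is example code, not the patch under review or FreeIPA's Encoder class; the SCHEMA table standing in for the server schema, the syntax names, and the sample entry are constructed for the example.

```python
import datetime

# Constructed stand-in for the server schema: attribute -> (syntax, multi-value).
SCHEMA = {
    'uid': ('DirectoryString', True),
    'uidnumber': ('Integer', False),
    'nsaccountlock': ('Boolean', False),
    'krblastpwdchange': ('GeneralizedTime', False),
    'memberof': ('DN', True),
}


class EncodingError(TypeError):
    pass


def _decode_bool(raw):
    text = raw.decode('ascii').upper()
    if text not in ('TRUE', 'FALSE'):
        raise EncodingError('not an LDAP Boolean: %r' % raw)
    return text == 'TRUE'


def _decode_time(raw):
    return datetime.datetime.strptime(raw.decode('ascii'), '%Y%m%d%H%M%SZ')


# syntax -> (python type, raw bytes -> python value, python value -> raw bytes)
SYNTAX = {
    'DirectoryString': (str, lambda r: r.decode('utf-8'), lambda v: v.encode('utf-8')),
    'DN': (str, lambda r: r.decode('utf-8'), lambda v: v.encode('utf-8')),
    'Integer': (int, lambda r: int(r.decode('ascii')), lambda v: str(v).encode('ascii')),
    'Boolean': (bool, _decode_bool, lambda v: b'TRUE' if v else b'FALSE'),
    'GeneralizedTime': (datetime.datetime, _decode_time,
                        lambda v: v.strftime('%Y%m%d%H%M%SZ').encode('ascii')),
}


def _lookup(attr):
    try:
        syntax, multi = SCHEMA[attr.lower()]
    except KeyError:
        raise EncodingError('unknown attribute %s' % attr)
    return SYNTAX[syntax] + (multi,)


def decode_entry(raw_entry):
    """{attr: [bytes, ...]} from the wire -> typed entry: multi-value
    attributes become lists, single-value attributes become a bare value."""
    entry = {}
    for attr, values in raw_entry.items():
        _, decode, _, multi = _lookup(attr)
        decoded = [decode(v) for v in values]
        if multi:
            entry[attr] = decoded
        elif len(decoded) == 1:
            entry[attr] = decoded[0]
        else:
            raise EncodingError('%s is single-valued, got %d values' % (attr, len(decoded)))
    return entry


def encode_entry(entry, convertors=None):
    """Typed entry -> {attr: [bytes, ...]}. Strict: a multi-value attribute
    must hold a list (not a tuple), a single-value one a bare value, and every
    value must have the Python type of the syntax. `convertors` plays the role
    of attr_convertor: attr -> callable applied to the parameter value first."""
    convertors = convertors or {}
    raw = {}
    for attr, value in entry.items():
        pytype, _, encode, multi = _lookup(attr)
        if attr in convertors:
            value = convertors[attr](value)
        if multi:
            if not isinstance(value, list):
                raise EncodingError('%s must be a list, got %s' % (attr, type(value).__name__))
            values = value
        else:
            if isinstance(value, (list, tuple)):
                raise EncodingError('%s is single-valued, got %s' % (attr, type(value).__name__))
            values = [value]
        for v in values:
            # bool is a subclass of int, so True must not slip through as an Integer
            if not isinstance(v, pytype) or (pytype is int and isinstance(v, bool)):
                raise EncodingError('%s: expected %s, got %r' % (attr, pytype.__name__, v))
        raw[attr] = [encode(v) for v in values]
    return raw
```

The point of the strictness is that a tuple, a stray string where an int is expected, or a bare value for a multi-value attribute fails at the encoder instead of being silently stringified and written to the directory.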
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 29 Jun 2012 15:16:39 -0400
Subject: [Freeipa-devel] [PATCHES] 22-24 Add initial support for ID ranges
In-Reply-To: <20120629125215.GI6687@redhat.com>
References: <20120613191726.GI20850@localhost.localdomain> <1339634303.8230.634.camel@willson.li.ssimo.org> <20120614103538.GJ20850@localhost.localdomain> <1339674880.8230.674.camel@willson.li.ssimo.org> <20120614122501.GK20850@localhost.localdomain> <20120617194720.GB29454@localhost.localdomain> <20120626103014.GC29454@localhost.localdomain> <20120627191935.GL29454@localhost.localdomain> <20120629121731.GC922@localhost.localdomain> <20120629125215.GI6687@redhat.com>
Message-ID: <4FEDFF17.6030300@redhat.com>

Alexander Bokovoy wrote:
> On Fri, 29 Jun 2012, Sumit Bose wrote:
>> On Wed, Jun 27, 2012 at 09:19:36PM +0200, Sumit Bose wrote:
>>> On Tue, Jun 26, 2012 at 12:30:14PM +0200, Sumit Bose wrote:
>>> > On Sun, Jun 17, 2012 at 09:47:20PM +0200, Sumit Bose wrote:
>>> > > On Thu, Jun 14, 2012 at 02:25:01PM +0200, Sumit Bose wrote:
>>> > > > On Thu, Jun 14, 2012 at 07:54:40AM -0400, Simo Sorce wrote:
>>> > > > > On Thu, 2012-06-14 at 12:35 +0200, Sumit Bose wrote:
>>> > > > > > On Wed, Jun 13, 2012 at 08:38:23PM -0400, Simo Sorce wrote:
>>> > > > > > > On Wed, 2012-06-13 at 21:17 +0200, Sumit Bose wrote:
>>> > > > > > > >
>>> > > > > > > > to keep track of the different ranges we use for UIDs/GIDs for local
>>> > > > > > > > users/groups and users from trusted domains new range objects are
>>> > > > > > > > introduced which are stored below cn=range,cn=etc,$SUFFIX.
>>> > > > > > > >
>>> > > > > > > > 0022: LDAP schema update
>>> > > > > > >
>>> > > > > > > ack
>>> > > > > > >
>>> > > > > > > > 0023: Create a range object during installation for the local ID range
>>> > > > > > >
>>> > > > > > > nack, I think we need to find a way to handle adding at least the base
>>> > > > > > > range on update. Otherwise an updated server won't be able to have IDs
>>> > > > > > > for most of its users.
>>> > > > > >
>>> > > > > > I fully agree, but since we said that we concentrate on update issues in
>>> > > > > > beta2 I wanted to send the version for the fresh install first to allow
>>> > > > > > testing.
>>> > > > >
>>> > > > > The reason I'd like updates is that this patchset can be installed on
>>> > > > > top of existing servers for testing w/o having to reinstall from scratch
>>> > > > > or manually creating the ipaDomainIDRange object :):)
>>> > > >
>>> > > > ok, will do.
>>> > > >
>>> > > > Do you otherwise agree with the patches or is there something I should
>>> > > > change while adding the updates?
>>> > > >
>>> > > > bye,
>>> > > > Sumit
>>> > > >
>>> > > > >
>>> > > > > > >
>>> > > > > > > > 0024: add primary and secondary RID base to the local range object
>>> > > > > > > > during ipa-adtrust-install
>>> > > > > > >
>>> > > > > > > Not sure if setting the range belongs in the previous patch or this one.
>>> > > > > >
>>> > > > > > I think it is right here, because a plain IPA server does not need the
>>> > > > > > RID related attributes.
>>> > > > > >
>>> > > > > > > We might decide to ask questions during ipa-adtrust-install if the range
>>> > > > > > > is not available, maybe presenting a set of pre-canned choices if we can
>>> > > > > > > detect them.
>>> > > > > >
>>> > > > > > I agree here, too. But as above I would like to handle update issues
>>> > > > > > in a second round.
>>> > > > > >
>>> > > > > > >
>>> > > > > > > Finally I think we need to do a search with uid/gidNumber < base and
>>> > > > > > > uid/gidNumber > max and prompt/warn the user if we detect any ID that
>>> > > > > > > falls outside the configured range (either because we failed to detect
>>> > > > > > > ranges on upgrade and the user botched the question or because the admin
>>> > > > > > > added arbitrary IDs.
>>> > > > > > > If a warning we should warn that missing a range that suitably covers
>>> > > > > > > these IDs, those users/groups will not be available for the trust.
>>> > > > > > >
>>> > > > > > > Maybe we should also have a simple ipa command that can list all
>>> > > > > > > users/groups that fall outside the ranges as well.
>>> > > > > >
>>> > > > > > I'm working on the ranges cli plugin to allow 'ipa range-add', 'ipa
>>> > > > > > range-find' etc. I can add it there.
>>> > > > > >
>>> > >
>>> > > Hi,
>>> > >
>>> > > this new series of patches adds the cli plugin to create the ID ranges
>>> > > manually. I'm still working on a detection of the locally used id range
>>> > > of an upgraded domain in ipa-adtrust-install and a plugin which rejects
>>> > > new ranges which overlap with existing ones.
>>> > >
>>> > > bye,
>>> > > Sumit
>>> >
>>> > the attached patch adds a preop plugin which checks for overlaps with
>>> > existing ranges.
>>> >
>>> > bye,
>>> > Sumit
>>>
>>> Finally I added a method to guess and create the initial ID range, if
>>> none is present, e.g. when updating from an older version of freeIPA. A
>>> full series of patches is attached.
>>>
>>> bye,
>>> Sumit
>>
>> This version of patches fixes review comments by Alexander and also adds
>> some tests for the range CLI plugin which were kindly provided by
>> Alexander.
> ACK
>

These patches aren't applying for me.

rob

From rcritten at redhat.com Fri Jun 29 20:38:37 2012
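An added example, not the patches under review, of the three range operations the thread above discusses: the overlap check a preop plugin has to make before accepting a new range object, the search Simo describes for IDs that no configured range covers (and the same check done client-side for a "list stray users/groups" command), and a guess at the initial local range on an upgraded server that has no range object yet. IDRange, its attribute names, the default size of 200000 and the sample IDs are assumptions made for this illustration.

```python
class IDRange(object):
    """A contiguous block of POSIX IDs: [base, base + size - 1]
    (a constructed stand-in for an ipaDomainIDRange entry)."""

    def __init__(self, name, base, size):
        if base < 0 or size <= 0:
            raise ValueError('base must be >= 0 and size > 0')
        self.name, self.base, self.size = name, base, size

    @property
    def last(self):
        return self.base + self.size - 1

    def contains(self, idnum):
        return self.base <= idnum <= self.last

    def overlaps(self, other):
        # two closed intervals overlap unless one ends before the other starts
        return self.base <= other.last and other.base <= self.last


def find_overlap(new, existing):
    """Preop-plugin check: return the first existing range that `new`
    overlaps, ignoring a range of the same name (a modify of itself),
    or None when the new range can be accepted."""
    for r in existing:
        if r.name != new.name and r.overlaps(new):
            return r
    return None


def out_of_range_filter(ranges, attr='uidNumber', objectclass='posixAccount'):
    """LDAP filter for entries whose ID lies in none of `ranges`.
    LDAP filters have only <= and >=, so "inside range r" is
    (attr>=base)(attr<=last) and the filter negates that for every range."""
    not_inside = ''.join('(!(&(%s>=%d)(%s<=%d)))' % (attr, r.base, attr, r.last)
                         for r in ranges)
    return '(&(objectClass=%s)(%s=*)%s)' % (objectclass, attr, not_inside)


def ids_outside_ranges(ids, ranges):
    """The same check on a list of IDs already fetched from the directory."""
    return [i for i in ids if not any(r.contains(i) for r in ranges)]


def guess_local_range(ids, min_size=200000):
    """For an upgraded server without a range object: start at the lowest ID
    in use and make the range at least min_size wide, so every existing
    user/group is covered (min_size is an assumption of this example)."""
    if not ids:
        return None
    lo, hi = min(ids), max(ids)
    return IDRange('local', lo, max(hi - lo + 1, min_size))
```

The filter is what an `ipa range-find`-style "show me what is not covered" command could hand to the directory; the two negated conjunctions per range are the price of LDAP having no strict comparison operators. With gidNumber and posixGroup passed in, the same function produces the group-side query.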
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 29 Jun 2012 16:38:37 -0400
Subject: [Freeipa-devel] [PATCHES] 22-24 Add initial support for ID ranges
In-Reply-To: <4FEDFF17.6030300@redhat.com>
References: <20120613191726.GI20850@localhost.localdomain> <1339634303.8230.634.camel@willson.li.ssimo.org> <20120614103538.GJ20850@localhost.localdomain> <1339674880.8230.674.camel@willson.li.ssimo.org> <20120614122501.GK20850@localhost.localdomain> <20120617194720.GB29454@localhost.localdomain> <20120626103014.GC29454@localhost.localdomain> <20120627191935.GL29454@localhost.localdomain> <20120629121731.GC922@localhost.localdomain> <20120629125215.GI6687@redhat.com> <4FEDFF17.6030300@redhat.com>
Message-ID: <4FEE124D.4090401@redhat.com>

Rob Crittenden wrote:
> Alexander Bokovoy wrote:
>> On Fri, 29 Jun 2012, Sumit Bose wrote:
>>> This version of patches fixes review comments by Alexander and also adds
>>> some tests for the range CLI plugin which were kindly provided by
>>> Alexander.
>> ACK
>>
>
> These patches aren't applying for me.
>
> rob

Hmm. Pulled a fresh tree and they imported fine.
pushed to master

rob

From jdennis at redhat.com Fri Jun 29 21:27:41 2012
From: jdennis at redhat.com (John Dennis)
Date: Fri, 29 Jun 2012 17:27:41 -0400
Subject: [Freeipa-devel] please use DN objects
Message-ID: <4FEE1DCD.2070905@redhat.com>

I just saw a commit that had things like this in it:

admin_conn.search_s("cn=ranges,cn=etc,"+self.suffix,

Please don't form DN's using string formatting!

We've had DN objects in the code for a long time now, please use them;
string formatting is not guaranteed to be correct with respect to DN's.

The correct method would have been [1]:

admin_conn.search_s(str(DN(('cn','ranges'),('cn', 'etc'), self.suffix)))

[1] The use of str() on a DN will no longer be needed when my DN work is
checked in because all ldap methods will take DN objects natively.

Another possible way to have used a DN would be this less preferred method:

admin_conn.search_s(str(DN("cn=ranges,cn=etc", self.suffix)))

Why is this less preferred? Because if sometime later someone decides to
parameterize one of the items in the string they might make the following
mistake:

admin_conn.search_s(str(DN("cn=%s,cn=etc" % my_range, self.suffix)))

And now we've just reintroduced string formatting into something we
previously carefully expunged string formatting from! Whereas if the
preferred format was used the programmer would likely have done the correct
thing, namely:

admin_conn.search_s(str(DN(('cn',my_range),('cn', 'etc'), self.suffix)))

A good way to think of DN's is as a sequence of attribute/value pairs
because that's what they are [2]. The preferred form makes that explicit
and helps to prevent future mistakes. A DN object will automatically
generate a properly escaped string from its sequence of RDN's (i.e. the
attribute/value pairs mentioned above [2]) when it's finally passed into
the ldap library.

[2] Technically a DN is a sequence of RDN's and an RDN is an unordered set
of AVA's. But in most cases an RDN is a simple attribute/value pair. If
you want to think of DN's as a sequence of attribute/value pairs it's a
valid mental shortcut, just be aware there is the possibility for greater
complexity.

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From rcritten at redhat.com Fri Jun 29 21:28:43 2012
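As an added illustration of the point in John's message above, here is a minimal DN type of the kind he describes: built from (attribute, value) pairs, other DN objects, or already-formed DN strings, and escaped only when rendered. It is not FreeIPA's ipapython.dn (the name DN is reused for readability); the escaping rules are the ones from RFC 4514 and the sample suffix and range name are constructed. Building it with a value that contains ",cn=etc" shows the failure mode: the value pushed through string formatting turns into extra RDNs, while the tuple form keeps it as a single escaped value and parses back to the same DN.

```python
import string

# Characters that must be backslash-escaped inside an RDN value (RFC 4514 2.4);
# leading/trailing space and a leading '#' are handled separately.
_SPECIAL = ',+"\\<>;='


def escape_value(value):
    """Escape one attribute value for use in a DN string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (ch == ' ' and i in (0, last)) or (ch == '#' and i == 0):
            out.append('\\' + ch)
        elif ord(ch) < 0x20:
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def unescape_value(value):
    """Inverse of escape_value: drop backslashes, decode \\XX hex pairs."""
    out, i = [], 0
    while i < len(value):
        ch = value[i]
        if ch == '\\' and i + 1 < len(value):
            hexpair = value[i + 1:i + 3]
            if len(hexpair) == 2 and all(c in string.hexdigits for c in hexpair):
                out.append(chr(int(hexpair, 16)))
                i += 3
            else:
                out.append(value[i + 1])
                i += 2
        else:
            out.append(ch)
            i += 1
    return ''.join(out)


def _split_unescaped(text, sep):
    """Split on `sep` characters that are not preceded by a backslash."""
    parts, cur, escaped = [], [], False
    for ch in text:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == '\\':
            cur.append(ch)
            escaped = True
        elif ch == sep:
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append(''.join(cur))
    return parts


class DN(object):
    """Ordered sequence of (attr, value) RDNs. Components may be (attr, value)
    tuples, DN objects, or DN strings (which are parsed and unescaped)."""

    def __init__(self, *components):
        self.rdns = []
        for comp in components:
            if isinstance(comp, DN):
                self.rdns.extend(comp.rdns)
            elif isinstance(comp, tuple) and len(comp) == 2:
                self.rdns.append((comp[0], comp[1]))
            elif isinstance(comp, str):
                for rdn in _split_unescaped(comp, ','):
                    attr, _, val = rdn.partition('=')
                    self.rdns.append((attr.strip(), unescape_value(val.strip())))
            else:
                raise TypeError('unsupported DN component %r' % (comp,))

    def __len__(self):
        return len(self.rdns)

    def __eq__(self, other):
        # attribute types compare case-insensitively, values as given
        return isinstance(other, DN) and \
            [(a.lower(), v) for a, v in self.rdns] == [(a.lower(), v) for a, v in other.rdns]

    def __ne__(self, other):
        return not self == other

    def __str__(self):
        # escaping happens here, once, at the point a string is needed
        return ','.join('%s=%s' % (attr, escape_value(val)) for attr, val in self.rdns)
```

Use `DN(('cn', my_range), ('cn', 'etc'), suffix)` and pass `str(dn)` (or the object, once the LDAP layer accepts it) to the search; the same `my_range` fed through `"cn=%s,cn=etc" % my_range` is parsed by the directory as whatever RDNs the value happens to contain.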
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 29 Jun 2012 17:28:43 -0400
Subject: [Freeipa-devel] [PATCH] 0056 Framework for admin/install tools, with ipa-ldap-updater
In-Reply-To: <4FE8619B.5080608@redhat.com>
References: <4FCCCC8B.1030903@redhat.com> <4FDF38AC.1000508@redhat.com> <4FE1F73E.6000003@redhat.com> <4FE86109.8030900@redhat.com> <4FE8619B.5080608@redhat.com>
Message-ID: <4FEE1E0B.8030804@redhat.com>

Petr Viktorin wrote:
> On 06/25/2012 03:00 PM, Petr Viktorin wrote:
>> On 06/20/2012 06:15 PM, Rob Crittenden wrote:
>>> Petr Viktorin wrote:
>>>> On 06/04/2012 04:56 PM, Petr Viktorin wrote:
>>>>> Currently, FreeIPA's install/admin scripts are long pieces of code
>>>>> that aren't very reusable, importable, or testable.
>>>>> They have been extended over time with features such as logging and
>>>>> error handling, but since each tool was extended individually, there
>>>>> is much inconsistency and code duplication.
>>>>> This patch starts a framework which the admin tools can use, and
>>>>> converts ipa-ldap-updater to use the framework.
>>>>>
>>>>> In an earlier patch I found that improving a particular functionality in
>>>>> all the commands is not workable, so I want to tackle this one tool at a
>>>>> time.
>>>>> I'm starting with ipa-ldap-updater, because it's pretty small, doesn't
>>>>> use DNs (I don't want conflicts with John's work), and has the
>>>>> interesting --upgrade option.
>>>>>
>>>>>
>>>>> The framework does these tasks:
>>>>> - Parse options
>>>>> - Select tool to run (see below)
>>>>> - Validate options
>>>>> - Set up logging
>>>>> - Run the tool code
>>>>> - Handle any errors
>>>>> - Log success/failure
>>>>>
>>>>> The base class has some defaults for these that the tools can
>>>>> extend/override.
>>>>>
>>>>>
>>>>> To handle the case where one script does two different things
>>>>> (ipa-ldap-updater with/without --upgrade, or ipa-server-install
>>>>> with/without --uninstall), I want to split the tool in two classes
>>>>> rather than have repeated ifs in the code.
>>>>> This meant that option parsing (and initializing the parser) has to be
>>>>> done before creating an instance of the tool. I use a factory
>>>>> classmethod.
>>>>>
>>>>>
>>>>> I put the admintool base class in ipapython/ as it should be useful for
>>>>> ipa-client-install as well.
>>>>>
>>>>>
>>>>>
>>>>> First part of the work for:
>>>>> https://fedorahosted.org/freeipa/ticket/2652
>>>>>
>>>>>
>>>>
>>>> Attaching rebased patch.
>>>
>>> I gather you want people to be calling run_cli() in their admin tools.
>>> Should main() be made private then? I could see someone getting confused
>>> and using main instead, which would work, but then the return value
>>> might not do the right thing.
>>>
>>> Or maybe just drop run_cli and have main exit with sys.exit()?
>>
>> I don't see why running a command as a Python function should be
>> discouraged. In fact it could even help -- for example logging could
>> only be set up once, so if we call, say, ipa-ldap-updater from
>> ipa-server-install, all related logs would go to a single file.
>> A C-style main (taking a list of arguments and returning the exit
>> status) is a good thing for modularity and testability.
>> The `run_cli` method is just a convenient shortcut for the usual usage,
>> so the calling modules can be as small as possible.
>>
>> If people get confused and call main instead of run_cli, they need to
>> manually pass in sys.argv. I think this is enough of a warning that
>> their assumptions aren't right.
>> To make it even clearer I've removed the possibility to pass None as
>> argv to main() and have it auto-filled.
>>
>> Some relevant reading:
>> http://www.artima.com/weblogs/viewpost.jsp?thread=4829 (old but still
>> valid)
>> http://en.wikipedia.org/wiki/Main_function#Python
>>
>>> It isn't correctly handling the case of an update not found:
>>>
>>> ipa : INFO Parsing file ad
>>> [Errno 2] No such file or directory: 'ad'
>>> ipa : INFO File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 151, in execute
>>>     self.run()
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_ldap_updater.py", line 180, in run
>>>     modified = ld.update(self.files)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 828, in update
>>>     sys.exit(1)
>>>
>>> ipa : INFO The ipa-ldap-updater command failed, exception: SystemExit: 1
>>
>> I've added validation for missing files, and improved the error message
>> ldapupdate raises (for cases the validation doesn't catch, like passing
>> directories or unreadable files).
>> Ideally ldapupdate would not try to handle the error itself, but that
>> code is used in more places that I don't want to break, so I'm leaving
>> the extraneous print in.
>>
>>> Running in test mode with the attached update doesn't seem to work
>>> either. There is nothing special about this file, just something I had
>>> lying around:
>>>
>>> ipa : INFO File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 151, in execute
>>>     self.run()
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_ldap_updater.py", line 184, in run
>>>     'Update complete, changes to be made, test mode', 2)
>>>
>>> ipa : INFO The ipa-ldap-updater command failed, exception: ScriptError:
>>> Update complete, changes to be made, test mode
>>> ipa : ERROR Update complete, changes to be made, test mode
>>>
>>> ipa : ERROR None
>>
>> Fixed.
>>
>>> The unit tests still pass which is good.
>>>
>>> With ipa-ldap-updater the return value is a bit strange. All the updates
>>> themselves can fail for one reason or another and the command can still
>>> consider this a success (it may fail because a feature is not enabled,
>>> for example). Still, the success message displayed at the end is a bit
>>> jarring when the updates themselves aren't applied. Here is a snippet
>>> when running ad.update live:
>>>
>>> ipa : INFO New entry: uid=adtrust,cn=notfound,cn=etc,dc=greyoak,dc=com
>>> ipa : DEBUG ---------------------------------------------
>>> ipa : DEBUG dn: uid=adtrust,cn=notfound,cn=etc,dc=greyoak,dc=com
>>> ipa : DEBUG add: 'account' to objectClass, current value []
>>> ipa : DEBUG add: updated value [u'account']
>>> ipa : DEBUG ---------------------------------------------
>>> ipa : DEBUG dn: uid=adtrust,cn=notfound,cn=etc,dc=greyoak,dc=com
>>> ipa : DEBUG objectClass:
>>> ipa : DEBUG account
>>> ipa : DEBUG add: 'adtrust' to uid, current value []
>>> ipa : DEBUG add: updated value [u'adtrust']
>>> ipa : DEBUG ---------------------------------------------
>>> ipa : DEBUG dn: uid=adtrust,cn=notfound,cn=etc,dc=greyoak,dc=com
>>> ipa : DEBUG objectClass:
>>> ipa : DEBUG account
>>> ipa : DEBUG uid:
>>> ipa : DEBUG adtrust
>>> ipa : DEBUG ---------------------------------------------
>>> ipa : DEBUG Final value
>>> ipa : DEBUG dn: uid=adtrust,cn=notfound,cn=etc,dc=greyoak,dc=com
>>> ipa : DEBUG objectClass:
>>> ipa : DEBUG account
>>> ipa : DEBUG uid:
>>> ipa : DEBUG adtrust
>>> ipa : INFO Parent DN of uid=adtrust,cn=notfound,cn=etc,dc=greyoak,dc=com
>>> may not exist, cannot create the entry
>>> ipa : INFO The ipa-ldap-updater command was successful
>>> [root at pinto freeipa]# echo $?
>>> 0
>>>
>>> This may be contrasting just because it is a contrived case. The command
>>> rval is separate from whether the updates all applied, so maybe this
>>> is ok.
>>
>> The current ipa-ldap-updater also works this way, so this should go in a
>> separate ticket.
>> I worry that changing the return value could make installations fail,
>> for example.
>>
>>> rob
>>
>>
>> Thanks for the review!
>>
>
> Once again, this time with the patch.

Almost there. When running in test mode an update that would be applied should return 2.

rob

From sbose at redhat.com Fri Jun 29 21:31:54 2012
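As an added sketch of the framework Petr describes and of the two review points above (missing update files, and exit status 2 when test mode finds changes to apply), here is a minimal base class plus an in-memory ipa-ldap-updater. It is not the patch being reviewed and not FreeIPA's ipapython.admintool: a C-style main() that returns the status, run_cli() as the sys.exit wrapper, a factory classmethod that picks the --upgrade class before the instance exists, and a ScriptError carrying its exit status so that test mode is reported as an outcome rather than logged as a failed command. UPDATE_FILES and the `directory` set are constructed stand-ins for .update files and the LDAP server.

```python
import logging
import sys
from optparse import OptionParser


class ScriptError(Exception):
    """An error whose rval becomes the process exit status."""
    def __init__(self, msg='', rval=1):
        Exception.__init__(self, msg)
        self.rval = rval


class AdminTool(object):
    command_name = 'admintool'
    usage = '%prog [options]'

    @classmethod
    def add_options(cls, parser):
        pass

    @classmethod
    def get_command_class(cls, options):
        """Factory hook: a script that is really two tools overrides this."""
        return cls

    @classmethod
    def make_parser(cls):
        parser = OptionParser(usage=cls.usage)
        cls.add_options(parser)
        return parser

    @classmethod
    def main(cls, argv):
        """C-style main: argv in, exit status out, never calls sys.exit()."""
        options, args = cls.make_parser().parse_args(argv[1:])
        return cls.get_command_class(options)(options, args).execute()

    @classmethod
    def run_cli(cls):
        sys.exit(cls.main(sys.argv))

    def __init__(self, options, args):
        self.options, self.args = options, args
        self.log = logging.getLogger(self.command_name)

    def validate_options(self):
        pass

    def execute(self):
        logging.basicConfig(level=logging.INFO)
        try:
            self.validate_options()
            rval = self.run() or 0
        except ScriptError as e:
            # an outcome with a status, not a crash: no traceback and no
            # "command failed" line, just the message and the status
            self.log.log(logging.ERROR if e.rval == 1 else logging.INFO, '%s', e)
            return e.rval
        except Exception as e:
            self.log.exception('The %s command failed, exception: %s: %s',
                               self.command_name, type(e).__name__, e)
            return 1
        self.log.info('The %s command was successful', self.command_name)
        return rval


# update file name -> DNs the file adds (constructed stand-in for .update files)
UPDATE_FILES = {'ranges.update': ['cn=ranges,cn=etc', 'cn=ad,cn=ranges,cn=etc']}


class LDAPUpdater(AdminTool):
    command_name = 'ipa-ldap-updater'
    usage = '%prog [options] input_file(s)'
    directory = set(['cn=etc'])  # entries that already exist (constructed)

    @classmethod
    def add_options(cls, parser):
        parser.add_option('-t', '--test', action='store_true', default=False)
        parser.add_option('--upgrade', action='store_true', default=False)

    @classmethod
    def get_command_class(cls, options):
        return LDAPUpdater_Upgrade if options.upgrade else LDAPUpdater_NonUpgrade

    def apply(self, files):
        modified = 0
        for name in files:
            for dn in UPDATE_FILES[name]:
                if dn in self.directory:
                    continue
                self.log.info('New entry: %s', dn)
                if not self.options.test:
                    self.directory.add(dn)
                modified += 1
        if self.options.test and modified:
            # the review point above: pending changes in test mode exit 2
            raise ScriptError('Update complete, changes to be made, test mode', 2)
        return 0


class LDAPUpdater_NonUpgrade(LDAPUpdater):
    def validate_options(self):
        if not self.args:
            raise ScriptError('No update files given')
        missing = [f for f in self.args if f not in UPDATE_FILES]
        if missing:
            raise ScriptError('Update file(s) not found: %s' % ', '.join(missing))

    def run(self):
        return self.apply(self.args)


class LDAPUpdater_Upgrade(LDAPUpdater):
    def run(self):
        return self.apply(sorted(UPDATE_FILES))
```

A script entry point is then just `LDAPUpdater.run_cli()`, while another tool or a test calls `LDAPUpdater.main(['ipa-ldap-updater', '--test', 'ranges.update'])` and gets 2 back when changes are pending, 0 when the directory is already up to date, and 1 for a missing file, without the process exiting underneath it.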
From: sbose at redhat.com (Sumit Bose)
Date: Fri, 29 Jun 2012 23:31:54 +0200
Subject: [Freeipa-devel] please use DN objects
In-Reply-To: <4FEE1DCD.2070905@redhat.com>
References: <4FEE1DCD.2070905@redhat.com>
Message-ID: <20120629213154.GE922@localhost.localdomain>

On Fri, Jun 29, 2012 at 05:27:41PM -0400, John Dennis wrote:
> I just saw a commit that had things like this in it:
>
> admin_conn.search_s("cn=ranges,cn=etc,"+self.suffix,
>
> Please don't form DN's using string formatting!
>
> We've had DN objects in the code for a long time now, please use
> them, string formatting is not guaranteed to be correct with respect
> to DN's.
>
> The correct method would have been [1]:
>
> admin_conn.search_s(str(DN(('cn','ranges'),('cn', 'etc'), self.suffix)))

ah, sorry, I will fix this first on Monday morning.

bye,
Sumit

From rcritten at redhat.com Fri Jun 29 22:01:51 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 29 Jun 2012 18:01:51 -0400
Subject: [Freeipa-devel] [PATCHES] 22-24 Add initial support for ID ranges
In-Reply-To: <4FEE124D.4090401@redhat.com>
References: <20120613191726.GI20850@localhost.localdomain> <1339634303.8230.634.camel@willson.li.ssimo.org> <20120614103538.GJ20850@localhost.localdomain> <1339674880.8230.674.camel@willson.li.ssimo.org> <20120614122501.GK20850@localhost.localdomain> <20120617194720.GB29454@localhost.localdomain> <20120626103014.GC29454@localhost.localdomain> <20120627191935.GL29454@localhost.localdomain> <20120629121731.GC922@localhost.localdomain> <20120629125215.GI6687@redhat.com> <4FEDFF17.6030300@redhat.com> <4FEE124D.4090401@redhat.com>
Message-ID: <4FEE25CF.5070302@redhat.com>

Rob Crittenden wrote:
> Rob Crittenden wrote:
>> Alexander Bokovoy wrote:
>>> On Fri, 29 Jun 2012, Sumit Bose wrote:
>>>> This version of patches fixes review comments by Alexander and also
>>>> adds some tests for the range CLI plugin which were kindly provided by
>>>> Alexander.
>>> ACK
>>>
>>
>> These patches aren't applying for me.
>>
>> rob
>
> Hmm. Pulled a fresh tree and they imported fine.
>
> pushed to master
>
> rob

I had only pushed 22-24 before, pushed 25 and 29 as well.

rob