From mrniranjan at fedoraproject.org Mon Jun 1 04:33:25 2015 From: mrniranjan at fedoraproject.org (Niranjan) Date: Mon, 1 Jun 2015 10:03:25 +0530 Subject: [Freeipa-devel] [PATCH] Use Exception class instead of BaseException Message-ID: <20150601043325.GA5783@mniranja.pnq.redhat.com> Greetings, I would like to present patch for replacing StandardError exception with Exception class in ipapython/adminutil.py. Also replacing BaseException class with Exception class. Though the use of StandardError is many places. I would like to start with ipapython/adminutil.py This is my first patch. Please let me know if my approach on this is correct. Regards Niranjan -------------- next part -------------- From 018312f76952ea86c8c6e2396657e0531d2d61ba Mon Sep 17 00:00:00 2001 From: Niranjan Mallapadi Date: Mon, 1 Jun 2015 09:41:05 +0530 Subject: [PATCH] Use Exception class instead of BaseException 1. Replace BaseException with Exception class. 2. Remove StandardError and use Exception class. StandError is deprecated (Python3) 3 .From python3.0 use of , is not recommended, instead use "as" keyword (PEP 3110) Signed-off-by: Niranjan Mallapadi --- ipapython/admintool.py | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/ipapython/admintool.py b/ipapython/admintool.py index d55bd18499ac427db8adc0c04096bc2aabdc2bbd..891232b9f387182ac5dbfb279a6f666805261ba1 100644 --- a/ipapython/admintool.py +++ b/ipapython/admintool.py @@ -32,7 +32,7 @@ from ipapython import config from ipapython import ipa_log_manager -class ScriptError(StandardError): +class ScriptError(Exception): """An exception that records an error message and a return value """ def __init__(self, msg='', rval=1): 
@@ -169,13 +169,20 @@ class AdminTool(object): self.ask_for_options() self.setup_logging() return_value = self.run() - except BaseException, exception: + except Exception as exception: traceback = sys.exc_info()[2] error_message, return_value = self.handle_error(exception) if return_value: self.log_failure(error_message, return_value, exception, traceback) return return_value + except SystemExit as exception: + traceback = sys.exc_info()[2] + error_message, return_value = self.handle_error(exception) + if return_value: + self.log_failure(error_message, return_value, exception, + traceback) + return return_value self.log_success() return return_value -- 1.9.3 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 311 bytes Desc: not available URL: From ftweedal at redhat.com Mon Jun 1 04:40:27 2015 
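Review bot: the `except Exception as exception:` clause in the AdminTool.execute hunk narrows what used to be `except BaseException`, and the added `except SystemExit` block only restores one of the subclasses that narrowing drops: KeyboardInterrupt also derives from BaseException, so a Ctrl-C during a run now propagates past handle_error()/log_failure() unlogged. Either catch it as well or say in the commit message that the change of behaviour is intended. The SystemExit block also repeats the body of the preceding handler verbatim; a single clause, `except (Exception, SystemExit) as exception:`, gives the same behaviour without the copy.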
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Mon, 1 Jun 2015 14:40:27 +1000
Subject: [Freeipa-devel] [PATCH 0014 v3] Support multiple user and host certificates
In-Reply-To: <20150528111804.GA23523@dhcp-40-8.bne.redhat.com>
References: <20150527135315.GC24915@dhcp-40-8.bne.redhat.com> <5565ED02.6060709@redhat.com> <20150528111804.GA23523@dhcp-40-8.bne.redhat.com>
Message-ID: <20150601044027.GH23523@dhcp-40-8.bne.redhat.com>

New version of patch; ``{host,service}-show --out=FILE`` now writes all certs to FILE.
Rebased on latest master.

Thanks,
Fraser

On Thu, May 28, 2015 at 09:18:04PM +1000, Fraser Tweedale wrote:
> Updated patch attached. Notably restores/adds revocation behaviour
> to host-mod and service-mod.
>
> Thanks,
> Fraser
>
> On Wed, May 27, 2015 at 06:12:50PM +0200, Martin Basti wrote:
> > On 27/05/15 15:53, Fraser Tweedale wrote:
> > > This patch adds support for multiple user / host certificates. No
> > > schema change is needed ('usercertificate' attribute is already
> > > multi-value). The revoke-previous-cert behaviour of host-mod and
> > > user-mod has been removed but revocation behaviour of -del and
> > > -disable is preserved.
> > >
> > > The latest profiles/caacl patchset (0001..0013 v5) depends on this
> > > patch for correct cert-request behaviour.
> > >
> > > There is one design question (or maybe more, let me know): the
> > > `--out=FILENAME' option to {host,service} show saves ONE certificate
> > > to the named file. I propose to either:
> > >
> > > a) write all certs, suffixing suggested filename with either a
> > >    sequential numerical index, e.g. "cert.pem" becomes
> > >    "cert.pem.1", "cert.pem.2", and so on; or
> > >
> > > b) as above, but suffix with serial number and, if there are
> > >    different issuers, some issuer-identifying information.
> > >
> > > Let me know your thoughts.
> > >
> > > Thanks,
> > > Fraser
> > >
> > Is there a possible way to store certificates in one file?
> > I read about possibilities to have multiple certs in one .pem file, but I'm
> > not a cert guru :)
> >
> > I personally vote for serial number in case there are multiple certificates,
> > if ^ is not possible.
> >
> >
> > 1)
> > + if len(certs) > 0:
> >
> > please use only,
> > if certs:
> >
> > 2)
> > You need to re-generate API/ACI.txt in this patch
> >
> > 3)
> > syntax error:
> > + for dercert in certs_der
> >
> >
> > 4)
> > command
> > ipa user-mod ca_user --certificate=
> >
> > removes the current certificate from the LDAP, by design.
> > Should the old certificate(s) be revoked? You removed that part in the code.
> >
> > only the --addattr='usercertificate=' appends a new value there
> >
> > --
> > Martin Basti
> >
-------------- next part --------------
From edc7108a6b22fbc74b449b4b71d5c9541191cb7c Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Wed, 27 May 2015 08:02:08 -0400
Subject: [PATCH] Support multiple host and service certificates

Update the framework to support multiple host and service certificates.

host-mod and service-mod revoke existing certificates that are not
included in the modified entry. Using addattr=certificate=... will
result in no certificates being revoked.

The existing behaviour of host-disable, host-del, service-disable and
service-del (revoke existing certificate) is preserved but now applies
to all certificates in the host or service entry.

Also update host-show and service-show to write all the principal's
certificates to the file given by the ``--out=FILE`` option.

Part of: http://www.freeipa.org/page/V4/User_Certificates
---
 API.txt                   |  10 ++---
 ipalib/plugins/host.py    | 106 +++++++++++++++++++++++++---------------------
 ipalib/plugins/service.py |  93 +++++++++++++++++++++++++---------------
 3 files changed, 120 insertions(+), 89 deletions(-)

diff --git a/API.txt b/API.txt
index da69f32de5c12c0d85a7d61d9027385aa3c0ee05..3cfcf34939a58d6888de8f0a7a6ef0c7779c993e 100644
--- a/API.txt
+++ b/API.txt
@@ -1812,7 +1812,7 @@ option: Str('nsosversion', attribute=True, cli_name='os', multivalue=False, requ option: Flag('random', attribute=False, autofill=True, cli_name='random', default=False, multivalue=False, required=False) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('setattr*', cli_name='setattr', exclude='webui') -option: Bytes('usercertificate', attribute=True, cli_name='certificate', multivalue=False, required=False) +option: Bytes('usercertificate', attribute=True, cli_name='certificate', multivalue=True, required=False) option: Str('userclass', attribute=True, cli_name='class', multivalue=True, required=False) option: Str('userpassword', attribute=True, cli_name='password', multivalue=False, required=False) option: Str('version?', exclude='webui') @@ -1935,7 +1935,7 @@ option: Flag('pkey_only?', autofill=True, default=False) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Int('sizelimit?', autofill=False, minvalue=0) option: Int('timelimit?', autofill=False, minvalue=0) -option: Bytes('usercertificate', attribute=True, autofill=False, cli_name='certificate', multivalue=False, query=True, required=False) +option: Bytes('usercertificate', attribute=True, autofill=False, cli_name='certificate', multivalue=True, query=True, required=False) option: Str('userclass', attribute=True, autofill=False, cli_name='class', multivalue=True, query=True, required=False) option: Str('userpassword', attribute=True, autofill=False, cli_name='password', multivalue=False, query=True, required=False) option: Str('version?', exclude='webui') 
@@ -1966,7 +1966,7 @@ option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui option: Flag('rights', autofill=True, default=False) option: Str('setattr*', cli_name='setattr', exclude='webui') option: Flag('updatedns?', autofill=True, default=False) -option: Bytes('usercertificate', attribute=True, autofill=False, cli_name='certificate', multivalue=False, required=False) +option: Bytes('usercertificate', attribute=True, autofill=False, cli_name='certificate', multivalue=True, required=False) option: Str('userclass', attribute=True, autofill=False, cli_name='class', multivalue=True, required=False) option: Str('userpassword', attribute=True, autofill=False, cli_name='password', multivalue=False, required=False) option: Str('version?', exclude='webui') @@ -3584,7 +3584,7 @@ option: Bool('ipakrbrequirespreauth', attribute=False, cli_name='requires_pre_au option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('setattr*', cli_name='setattr', exclude='webui') -option: Bytes('usercertificate', attribute=True, cli_name='certificate', multivalue=False, required=False) +option: Bytes('usercertificate', attribute=True, cli_name='certificate', multivalue=True, required=False) option: Str('version?', exclude='webui') output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('summary', (, ), None) 
@@ -3702,7 +3702,7 @@ option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Flag('rights', autofill=True, default=False) option: Str('setattr*', cli_name='setattr', exclude='webui') -option: Bytes('usercertificate', attribute=True, autofill=False, cli_name='certificate', multivalue=False, required=False) +option: Bytes('usercertificate', attribute=True, autofill=False, cli_name='certificate', multivalue=True, required=False) option: Str('version?', exclude='webui') output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('summary', (, ), None) diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py index c47439743da45b8629d1b2afbd210d87591784ce..2ad1aaada69bd9c6a768e0fd3290217d63b652ea 100644 --- a/ipalib/plugins/host.py +++ b/ipalib/plugins/host.py @@ -493,7 +493,7 @@ class host(LDAPObject): label=_('Random password'), flags=('no_create', 'no_update', 'no_search', 'virtual_attribute'), ), - Bytes('usercertificate?', validate_certificate, + Bytes('usercertificate*', validate_certificate, cli_name='certificate', label=_('Certificate'), doc=_('Base-64 encoded server certificate'), 
@@ -640,11 +640,11 @@ class host_add(LDAPCreate): entry_attrs['userpassword'] = ipa_generate_password(characters=host_pwd_chars) # save the password so it can be displayed in post_callback setattr(context, 'randompassword', entry_attrs['userpassword']) - cert = options.get('usercertificate') - if cert: - cert = x509.normalize_certificate(cert) + certs = options.get('usercertificate', []) + certs_der = map(x509.normalize_certificate, certs) + for cert in certs_der: x509.verify_cert_subject(ldap, keys[-1], cert) - entry_attrs['usercertificate'] = cert + entry_attrs['usercertificate'] = certs_der entry_attrs['managedby'] = dn entry_attrs['objectclass'].append('ieee802device') entry_attrs['objectclass'].append('ipasshhost') @@ -786,8 +786,7 @@ class host_del(LDAPDelete): entry_attrs = ldap.get_entry(dn, ['usercertificate']) except errors.NotFound: self.obj.handle_not_found(*keys) - cert = entry_attrs.single_value.get('usercertificate') - if cert: + for cert in entry_attrs.get('usercertificate', []): cert = x509.normalize_certificate(cert) try: serial = unicode(x509.get_serial_number(cert, x509.DER)) 
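Review bot: in the host_add hunk, `certs_der = map(x509.normalize_certificate, certs)` is consumed by the `for cert in certs_der:` loop and then stored in `entry_attrs['usercertificate']`; that only works because Python 2's map returns a list, and under Python 3 the entry would receive an exhausted iterator. A list comprehension, `certs_der = [x509.normalize_certificate(c) for c in certs]`, avoids the trap. The assignment is also unconditional now, so a host-add without `--certificate` writes an empty `usercertificate` list where the old code, guarded by `if cert:`, wrote nothing. The service_add hunk has the identical pattern.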
@@ -864,39 +863,42 @@ class host_mod(LDAPUpdate): if 'krbprincipalaux' not in obj_classes: obj_classes.append('krbprincipalaux') entry_attrs['objectclass'] = obj_classes - cert = x509.normalize_certificate(entry_attrs.get('usercertificate')) - if cert: - if self.api.Command.ca_is_enabled()['result']: - x509.verify_cert_subject(ldap, keys[-1], cert) - entry_attrs_old = ldap.get_entry(dn, ['usercertificate']) - oldcert = entry_attrs_old.single_value.get('usercertificate') - if oldcert: - oldcert = x509.normalize_certificate(oldcert) + + # verify certificates + certs = entry_attrs.get('usercertificate') or [] + certs_der = map(x509.normalize_certificate, certs) + for cert in certs_der: + x509.verify_cert_subject(ldap, keys[-1], cert) + + # revoke removed certificates + if self.api.Command.ca_is_enabled()['result']: + entry_attrs_old = ldap.get_entry(dn, ['usercertificate']) + old_certs = entry_attrs_old.get('usercertificate', []) + removed_certs = set(old_certs) - set(certs) + removed_certs_der = map(x509.normalize_certificate, removed_certs) + for cert in removed_certs_der: + try: + serial = unicode(x509.get_serial_number(cert, x509.DER)) try: - serial = x509.get_serial_number(oldcert, x509.DER) - serial = unicode(serial) - try: - result = api.Command['cert_show'](serial)['result'] - if 'revocation_reason' not in result: - try: - api.Command['cert_revoke']( - serial, revocation_reason=4) - except errors.NotImplementedError: - # some CA's might not implement revoke - pass - except errors.NotImplementedError: - # some CA's might not implement revoke - pass - except NSPRError, nsprerr: - if nsprerr.errno == -8183: - # If we can't decode the cert them proceed with - # modifying the host. 
- self.log.info("Problem decoding certificate %s" % - nsprerr.args[1]) - else: - raise nsprerr - - entry_attrs['usercertificate'] = cert + result = api.Command['cert_show'](serial)['result'] + if 'revocation_reason' not in result: + try: + api.Command['cert_revoke']( + serial, revocation_reason=4) + except errors.NotImplementedError: + # some CA's might not implement revoke + pass + except errors.NotImplementedError: + # some CA's might not implement revoke + pass + except NSPRError, nsprerr: + if nsprerr.errno == -8183: + # If we can't decode the cert them proceed with + # modifying the host. + self.log.info("Problem decoding certificate %s" % + nsprerr.args[1]) + else: + raise nsprerr if options.get('random'): entry_attrs['userpassword'] = ipa_generate_password(characters=host_pwd_chars) @@ -1093,8 +1095,14 @@ class host_show(LDAPRetrieve): util.check_writable_file(options['out']) result = super(host_show, self).forward(*keys, **options) if 'usercertificate' in result['result']: - x509.write_certificate(result['result']['usercertificate'][0], options['out']) - result['summary'] = _('Certificate stored in file \'%(file)s\'') % dict(file=options['out']) + x509.write_certificate_list( + result['result']['usercertificate'], + options['out'] + ) + result['summary'] = ( + _('Certificate(s) stored in file \'%(file)s\'') + % dict(file=options['out']) + ) return result else: raise errors.NoCertificateError(entry=keys[-1]) @@ -1148,10 +1156,9 @@ class host_disable(LDAPQuery): entry_attrs = ldap.get_entry(dn, ['usercertificate']) except errors.NotFound: self.obj.handle_not_found(*keys) - cert = entry_attrs.single_value.get('usercertificate') - if cert: - if self.api.Command.ca_is_enabled()['result']: - cert = x509.normalize_certificate(cert) + if self.api.Command.ca_is_enabled()['result']: + certs = entry_attrs.get('usercertificate', []) + for cert in map(x509.normalize_certificate, certs): try: serial = unicode(x509.get_serial_number(cert, x509.DER)) try: 
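Review bot: the host_mod hunk revokes certificates when the option is merely absent, not only when it is given empty: `certs = entry_attrs.get('usercertificate') or []` yields [] for a plain `ipa host-mod HOST --desc=...`, and the revocation block under `# revoke removed certificates` is not guarded on `certs`, so every certificate on the entry is computed as removed and revoked by an unrelated modification (the earlier review agreed that `--certificate=` removes certs by design; an absent option should not). Guard the block with `if certs:` or `'usercertificate' in entry_attrs`. Two more issues in the same block: `removed_certs = set(old_certs) - set(certs)` compares the DER values from LDAP with the raw option values, which may be base64/PEM, so a certificate re-supplied in a different encoding is treated as removed and revoked; normalize both sides and diff `set(old_certs_der) - set(certs_der)`. And the removed line `entry_attrs['usercertificate'] = cert` has no replacement, so the normalized `certs_der` are never written back and the caller's encoding goes into LDAP as-is. Minor: `except NSPRError, nsprerr:` keeps the comma syntax in a line this hunk rewrites anyway; use `as`.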
@@ -1175,10 +1182,11 @@ class host_disable(LDAPQuery): else: raise nsprerr - # Remove the usercertificate altogether - entry_attrs['usercertificate'] = None - ldap.update_entry(entry_attrs) - done_work = True + if certs: + # Remove the usercertificate altogether + entry_attrs['usercertificate'] = None + ldap.update_entry(entry_attrs) + done_work = True self.obj.get_password_attributes(ldap, dn, entry_attrs) if entry_attrs['has_keytab']: diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py index b37dc7b4bf56b69df204fd29e9487f1390197bbe..668e016bd9f56fa75f791355fb9d8d3bd02f8f1a 100644 --- a/ipalib/plugins/service.py +++ b/ipalib/plugins/service.py @@ -437,7 +437,7 @@ class service(LDAPObject): primary_key=True, normalizer=lambda value: normalize_principal(value), ), - Bytes('usercertificate?', validate_certificate, + Bytes('usercertificate*', validate_certificate, cli_name='certificate', label=_('Certificate'), doc=_('Base-64 encoded server certificate'), @@ -503,11 +503,11 @@ class service_add(LDAPCreate): self.obj.validate_ipakrbauthzdata(entry_attrs) - cert = options.get('usercertificate') - if cert: - dercert = x509.normalize_certificate(cert) + certs = options.get('usercertificate', []) + certs_der = map(x509.normalize_certificate, certs) + for dercert in certs_der: x509.verify_cert_subject(ldap, hostname, dercert) - entry_attrs['usercertificate'] = dercert + entry_attrs['usercertificate'] = certs_der if not options.get('force', False): # We know the host exists if we've gotten this far but we @@ -555,9 +555,7 @@ class service_del(LDAPDelete): entry_attrs = ldap.get_entry(dn, ['usercertificate']) except errors.NotFound: self.obj.handle_not_found(*keys) - cert = entry_attrs.get('usercertificate') - if cert: - cert = cert[0] + for cert in entry_attrs.get('usercertificate', []): try: serial = unicode(x509.get_serial_number(cert, x509.DER)) try: 
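Review bot: in the host_disable hunks `certs` is assigned only inside the `if self.api.Command.ca_is_enabled()['result']:` branch, while the `if certs:` that replaces the old unconditional `# Remove the usercertificate altogether` block follows that branch, so on a deployment without a CA the command fails with UnboundLocalError (and if the new check is instead nested inside the branch, the certificates are no longer cleared from the entry without a CA, which the old code did). Read `certs = entry_attrs.get('usercertificate', [])` before the CA check and keep the removal outside it. The service_disable hunks have the same structure and still use `if len(certs) > 0:` where the earlier review asked for `if certs:` (the host.py version already does this).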
@@ -597,25 +595,43 @@ class service_mod(LDAPUpdate): self.obj.validate_ipakrbauthzdata(entry_attrs) - if 'usercertificate' in options: - (service, hostname, realm) = split_principal(keys[-1]) - cert = options.get('usercertificate') - if cert: - dercert = x509.normalize_certificate(cert) - x509.verify_cert_subject(ldap, hostname, dercert) + (service, hostname, realm) = split_principal(keys[-1]) + + # verify certificates + certs = options.get('usercertificate') or [] + certs_der = map(x509.normalize_certificate, certs) + for dercert in certs_der: + x509.verify_cert_subject(ldap, hostname, dercert) + + # revoke removed certificates + if self.api.Command.ca_is_enabled()['result']: + entry_attrs_old = ldap.get_entry(dn, ['usercertificate']) + old_certs = entry_attrs_old.get('usercertificate', []) + removed_certs = set(old_certs) - set(certs) + removed_certs_der = map(x509.normalize_certificate, removed_certs) + for cert in removed_certs_der: try: - entry_attrs_old = ldap.get_entry(dn, ['usercertificate']) - except errors.NotFound: - self.obj.handle_not_found(*keys) - if 'usercertificate' in entry_attrs_old: - # FIXME: what to do here? do we revoke the old cert? - fmt = 'entry already has a certificate, serial number: %s' % ( - x509.get_serial_number(entry_attrs_old['usercertificate'][0], x509.DER) - ) - raise errors.GenericError(format=fmt) - entry_attrs['usercertificate'] = dercert - else: - entry_attrs['usercertificate'] = None + serial = unicode(x509.get_serial_number(cert, x509.DER)) + try: + result = api.Command['cert_show'](serial)['result'] + if 'revocation_reason' not in result: + try: + api.Command['cert_revoke']( + serial, revocation_reason=4) + except errors.NotImplementedError: + # some CA's might not implement revoke + pass + except errors.NotImplementedError: + # some CA's might not implement revoke + pass + except NSPRError, nsprerr: + if nsprerr.errno == -8183: + # If we can't decode the cert them proceed with + # modifying the host. 
+ self.log.info("Problem decoding certificate %s" % + nsprerr.args[1]) + else: + raise nsprerr update_krbticketflags(ldap, entry_attrs, attrs_list, options, True) @@ -695,8 +711,14 @@ class service_show(LDAPRetrieve): util.check_writable_file(options['out']) result = super(service_show, self).forward(*keys, **options) if 'usercertificate' in result['result']: - x509.write_certificate(result['result']['usercertificate'][0], options['out']) - result['summary'] = _('Certificate stored in file \'%(file)s\'') % dict(file=options['out']) + x509.write_certificate_list( + result['result']['usercertificate'], + options['out'] + ) + result['summary'] = ( + _('Certificate(s) stored in file \'%(file)s\'') + % dict(file=options['out']) + ) return result else: raise errors.NoCertificateError(entry=keys[-1]) @@ -815,9 +837,9 @@ class service_disable(LDAPQuery): # See if we do any work at all here and if not raise an exception done_work = False - if 'usercertificate' in entry_attrs: - if self.api.Command.ca_is_enabled()['result']: - cert = x509.normalize_certificate(entry_attrs.get('usercertificate')[0]) + if self.api.Command.ca_is_enabled()['result']: + certs = entry_attrs.get('usercertificate', []) + for cert in map(x509.normalize_certificate, certs): try: serial = unicode(x509.get_serial_number(cert, x509.DER)) try: @@ -839,10 +861,11 @@ class service_disable(LDAPQuery): else: raise nsprerr - # Remove the usercertificate altogether - entry_attrs['usercertificate'] = None - ldap.update_entry(entry_attrs) - done_work = True + if len(certs) > 0: + # Remove the usercertificate altogether + entry_attrs['usercertificate'] = None + ldap.update_entry(entry_attrs) + done_work = True self.obj.get_password_attributes(ldap, dn, entry_attrs) if entry_attrs['has_keytab']: -- 2.1.0 From ftweedal at redhat.com Mon Jun 1 07:10:58 2015 
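Review bot: the service_mod hunk drops the old `if 'usercertificate' in options:` guard in favour of `certs = options.get('usercertificate') or []`, so a service-mod that passes no `--certificate` at all computes every existing certificate as removed and revokes it; only an explicitly empty option should do that, so guard the revocation block with `if certs:`. The hunk also removes the `try: ... except errors.NotFound: self.obj.handle_not_found(*keys)` around `ldap.get_entry(dn, ['usercertificate'])`, so modifying a nonexistent service now raises a raw NotFound instead of the usual not-found error, and, like host_mod, it never assigns `entry_attrs['usercertificate'] = certs_der`, so unnormalized input is stored. As in host_mod, normalize `old_certs` before the set difference, and the copied comment "modifying the host" should say service.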
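Review bot: the host_show and service_show hunks call `x509.write_certificate_list`, but the diffstat lists only API.txt, host.py and service.py, so the function must already exist in ipalib/x509.py or arrive with another patch in the series; please confirm, since `--out` would otherwise fail with AttributeError on every call. It replaces `write_certificate`, which wrote one certificate; the new function should write the certificates as concatenated PEM, which answers Martin's question about storing several certs in one file.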
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Mon, 1 Jun 2015 17:10:58 +1000
Subject: [Freeipa-devel] [PATCHES 0001-0013 v5.1] Profiles and CA ACLs
In-Reply-To: <55684792.3070006@redhat.com>
References: <555DCC96.2050001@redhat.com> <555DD031.8070302@redhat.com> <555DD39C.3070103@redhat.com> <20150526155930.GI13469@dhcp-40-8.bne.redhat.com> <20150527140434.GD24915@dhcp-40-8.bne.redhat.com> <5566E484.7080809@redhat.com> <55670D4D.9080302@redhat.com> <20150529041754.GE23523@dhcp-40-8.bne.redhat.com> <55682FB0.1030807@redhat.com> <55684792.3070006@redhat.com>
Message-ID: <20150601071058.GI23523@dhcp-40-8.bne.redhat.com>

On Fri, May 29, 2015 at 01:03:46PM +0200, Martin Kosek wrote:
> On 05/29/2015 11:21 AM, Martin Basti wrote:
> > On 29/05/15 06:17, Fraser Tweedale wrote:
> > > On Thu, May 28, 2015 at 02:42:53PM +0200, Martin Basti wrote:
> > > > On 28/05/15 11:48, Martin Basti wrote:
> > > > > On 27/05/15 16:04, Fraser Tweedale wrote:
> > > > > > Hello all,
> > > > > >
> > > > > > Fresh certificate management patchset; Changelog:
> > > > > >
> > > > > > - Now depends on patch freeipa-ftweedal-0014 for correct
> > > > > >   cert-request behaviour with host and service principals.
> > > > > >
> > > > > > - Updated Dogtag dependency to 10.2.4-1. Should be in
> > > > > >   f22 soon, but for f22 right now or for f21, please grab from my
> > > > > >   copr: https://copr.fedoraproject.org/coprs/ftweedal/freeipa/
> > > > > >
> > > > > >   Martin^1 could you please add to the quasi-official freeipa
> > > > > >   copr? SRPM lives at
> > > > > >   https://frase.id.au/pki-core-10.2.4-1.fc21.src.rpm.
> > > > > >
> > > > > > - cert-request now verifies that for user principals, CSR CN
> > > > > >   matches uid and DN emailAddress and SAN rfc822Name match user's
> > > > > >   email address, if either of those is present.
> > > > > >
> > > > > > - Fixed one or two other sneaky little bugs.
> > > > > >
> > > > > > On Wed, May 27, 2015 at 01:59:30AM +1000, Fraser Tweedale wrote:
> > > > > > > Hi all,
> > > > > > >
> > > > > > > Please find attached the latest certificate management
> > > > > > > patchset, which introduces the `caacl' plugin and various fixes
> > > > > > > and improvements to earlier patches.
> > > > > > >
> > > > > > > One important change to earlier patches is reverting the name
> > > > > > > of the default profile to 'caIPAserviceCert' and using the
> > > > > > > existing instance of this profile on upgrade (but not install)
> > > > > > > in case it has been modified.
> > > > > > >
> > > > > > > Other notes:
> > > > > > >
> > > > > > > - Still have changes in ipa-server-install (fewer lines now,
> > > > > > >   though)
> > > > > > >
> > > > > > > - Still have the ugly import hack. It is not a high priority
> > > > > > >   for me, i.e. I think it should wait until after alpha
> > > > > > >
> > > > > > > - Still need to update 'service' and 'host' plugins to support
> > > > > > >   multiple certificates. (The userCertificate attribute schema
> > > > > > >   itself is multi-valued, so there are no schema issues here)
> > > > > > >
> > > > > > > - The TODOs in [1]; mostly certprofile CLI conveniences and
> > > > > > >   supporting multiple profiles for hosts and services (which
> > > > > > >   requires changes to framework only, not schema).
> > > > > > >
> > > > > > > [1]: http://idm.etherpad.corp.redhat.com/rhel72-cert-mgmt-progress
> > > > > > >
> > > > > > > Happy reviewing! I am pleased with the initial cut of the
> > > > > > > caacl plugin but I'm sure you will find some things to be fixed
> > > > > > > :)
> > > > > > >
> > > > > > > Cheers,
> > > > > > > Fraser
> > > > >
> > > > > [root at vm-093 ~]# ipa-replica-prepare vm-094.example.com --ip-address 10.34.78.94
> > > > > Directory Manager (existing master) password:
> > > > >
> > > > > Preparing replica for vm-094.example.com from vm-093.example.com
> > > > > Creating SSL certificate for the Directory Server
> > > > > not well-formed (invalid token): line 2, column 14
> > > > >
> > > > > I cannot create replica file. It works on the upgraded server,
> > > > > but it doesn't work on the newly installed server.
> > > > > I'm not sure if this is caused by your patches, which modify the ca-installer, or
> > > > > by the newer version of dogtag.
> > > > >
> > > > > Or if there were any other changes in master, I will continue to
> > > > > investigate with new RPM from master branch.
> > > > >
> > > > > Martin^2
> > > > >
> > > > ipa-replica-prepare works for:
> > > > * master branch
> > > > * master branch + pki-ca 10.2.4-1
> > > >
> > > > So something in your patches is breaking it
> > > >
> > > > Martin^2
> > > >
> > > Martin, master + my patches with pki 10.2.4-1 is working for me on
> > > f21 and f22. Can you provide ipa-replica-prepare --debug output and
> > > Dogtag debug log? ( /var/log/pki/pki-tomcat/ca/debug )
> > >
> > > Thanks,
> > > Fraser
> > I cannot reproduce it today. And I already recycled the VMs from yesterday. :-(
> >
>
> In that case I would suggest ACKing&pushing the patch and fixing the bug if
> it comes again. The tree may now be a bit unstable, given the number of
> patches going in.
>
> My main motivation here is to unblock Fraser.
>
> Thanks,
> Martin

Rebased patchset attached; no other changes.

-------------- next part --------------
From acaea3d9a352a905f1af6e39c2f745c6ea6bf596 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Mon, 20 Apr 2015 23:20:19 -0400
Subject: [PATCH 01/13] Install CA with LDAP profiles backend

Install the Dogtag CA to use the LDAPProfileSubsystem instead of the
default (file-based) ProfileSubsystem.

Part of: https://fedorahosted.org/freeipa/ticket/4560
---
 freeipa.spec.in                 | 6 +++---
 ipaserver/install/cainstance.py | 1 +
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 09dd66eec71cec714a31a42809c940ac08a5a84e..2f259234945be874aede64ca7c3ce04bdf467b64 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -92,7 +92,7 @@ BuildRequires: python-backports-ssl_match_hostname BuildRequires: softhsm-devel >= 2.0.0b1-3 BuildRequires: openssl-devel BuildRequires: p11-kit-devel -BuildRequires: pki-base >= 10.2.1-0.1 +BuildRequires: pki-base >= 10.2.4-1 BuildRequires: python-pytest-multihost >= 0.5 BuildRequires: python-pytest-sourceorder @@ -135,8 +135,8 @@ Requires(post): systemd-units Requires: selinux-policy >= %{selinux_policy_version} Requires(post): selinux-policy-base Requires: slapi-nis >= 0.54.2-1 -Requires: pki-ca >= 10.2.1-0.2 -Requires: pki-kra >= 10.2.1-0.1 +Requires: pki-ca >= 10.2.4-1 +Requires: pki-kra >= 10.2.4-1 Requires(preun): python systemd-units Requires(postun): python systemd-units Requires: python-dns >= 1.11.1 diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 5133940687204b615eec56b6a89542ddd5617539..030c9f12daba4b38b748da8940e38d3cf2109788 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -503,6 +503,7 @@ class CAInstance(DogtagInstance): config.set("CA", "pki_restart_configured_instance", "False") config.set("CA", "pki_backup_keys", "True") config.set("CA", "pki_backup_password", self.admin_password) + config.set("CA", "pki_profiles_in_ldap", "True") # Client security database config.set("CA", "pki_client_database_dir", self.agent_db) -- 2.1.0 -------------- next part -------------- From f2e73c6c3d4d144c61dcc33acd3c6c452cce0ba2 Mon Sep 17 00:00:00 2001 
From: Fraser Tweedale Date: Tue, 21 Apr 2015 02:24:10 -0400 Subject: [PATCH 02/13] Add schema for certificate profiles The certprofile object class is used to track IPA-managed certificate profiles in Dogtag and store IPA-specific settings. Part of: https://fedorahosted.org/freeipa/ticket/57 --- install/share/60certificate-profiles.ldif | 3 +++ install/share/Makefile.am | 1 + install/share/bootstrap-template.ldif | 12 ++++++++++++ ipaserver/install/dsinstance.py | 1 + 4 files changed, 17 insertions(+) create mode 100644 install/share/60certificate-profiles.ldif diff --git a/install/share/60certificate-profiles.ldif b/install/share/60certificate-profiles.ldif new file mode 100644 index 0000000000000000000000000000000000000000..f1281949e53386e5bfe8b35e0c15858c693c5467 --- /dev/null +++ b/install/share/60certificate-profiles.ldif @@ -0,0 +1,3 @@ +dn: cn=schema +attributeTypes: (2.16.840.1.113730.3.8.21.1.1 NAME 'ipaCertProfileStoreIssued' DESC 'Store certificates issued using this profile' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.2' ) +objectClasses: (2.16.840.1.113730.3.8.21.2.1 NAME 'ipaCertProfile' SUP top STRUCTURAL MUST ( cn $ description $ ipaCertProfileStoreIssued ) X-ORIGIN 'IPA v4.2' ) diff --git a/install/share/Makefile.am b/install/share/Makefile.am index 8d336690f184025f8199ed1d2c57d8274f0d3886..f44772b20c173c6fe43503716f40454f6f6b6f11 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -16,6 +16,7 @@ app_DATA = \ 60basev3.ldif \ 60ipadns.ldif \ 60ipapk11.ldif \ + 60certificate-profiles.ldif \ 61kerberos-ipav3.ldif \ 65ipacertstore.ldif \ 65ipasudo.ldif \ diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif index 06b82aa4ae74e7766d0c09a63aa75fa222e7ab7d..c5d4bad8b80640881f4631e4873a12c82b0ea48a 100644 --- a/install/share/bootstrap-template.ldif +++ b/install/share/bootstrap-template.ldif 
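Review bot: the 60certificate-profiles.ldif hunk lists `description` under MUST in `ipaCertProfile`, so every profile entry has to carry one; if that is intended, the certprofile plugin must require the option, otherwise move it to MAY. Also, the `cn=ca,$SUFFIX` and `cn=certprofiles,cn=ca,$SUFFIX` containers this patch adds to bootstrap-template.ldif are created only on fresh installs; existing deployments upgraded to this code need the same entries added from an install/updates file, since the new schema file is picked up through IPA_SCHEMA_FILES on upgrade but the containers are not.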
@@ -429,3 +429,15 @@ cn: ${REALM}_id_range ipaBaseID: $IDSTART ipaIDRangeSize: $IDRANGE_SIZE ipaRangeType: ipa-local + +dn: cn=ca,$SUFFIX +changetype: add +objectClass: nsContainer +objectClass: top +cn: ca + +dn: cn=certprofiles,cn=ca,$SUFFIX +changetype: add +objectClass: nsContainer +objectClass: top +cn: certprofiles diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 064a2ab1db61b465638a77e13e1d9ea43b1cce63..2acab13f247ed18a750f0e1cbbd98f4e63718c03 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -57,6 +57,7 @@ IPA_SCHEMA_FILES = ("60kerberos.ldif", "60basev3.ldif", "60ipapk11.ldif", "60ipadns.ldif", + "60certificate-profiles.ldif", "61kerberos-ipav3.ldif", "65ipacertstore.ldif", "65ipasudo.ldif", -- 2.1.0 -------------- next part -------------- From 25aa35625ce960c11e8418e4eb52af402f3f2a29 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Wed, 29 Apr 2015 06:07:58 -0400 Subject: [PATCH 03/13] ipa-pki-proxy: provide access to profiles REST API Part of: https://fedorahosted.org/freeipa/ticket/57 --- install/conf/ipa-pki-proxy.conf | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf index 5d21156848f3b5ddf14c42d92a26a30a9f94af36..366ca15a1868758547f9f1d3334fddba38793083 100644 --- a/install/conf/ipa-pki-proxy.conf +++ b/install/conf/ipa-pki-proxy.conf @@ -1,4 +1,4 @@ -# VERSION 5 - DO NOT REMOVE THIS LINE +# VERSION 6 - DO NOT REMOVE THIS LINE ProxyRequests Off @@ -11,7 +11,7 @@ ProxyRequests Off # matches for admin port and installer - + NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate NSSVerifyClient none ProxyPassMatch ajp://localhost:$DOGTAG_PORT 
@@ -26,5 +26,13 @@ ProxyRequests Off ProxyPassReverse ajp://localhost:$DOGTAG_PORT +# matches for REST API + + NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate + NSSVerifyClient require + ProxyPassMatch ajp://localhost:$DOGTAG_PORT + ProxyPassReverse ajp://localhost:$DOGTAG_PORT + + # Only enable this on servers that are not generating a CRL ${CLONE}RewriteRule ^/ipa/crl/MasterCRL.bin https://$FQDN/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC] -- 2.1.0 -------------- next part -------------- From 60157cfa998a852dffedbf0d9758e14592f0be4b Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Thu, 30 Apr 2015 23:50:41 -0400 Subject: [PATCH 04/13] Add ACL to allow CA agent to modify profiles Part of: https://fedorahosted.org/freeipa/ticket/57 --- ipaserver/install/cainstance.py | 29 +++++++++++++++++++++++++++++ ipaserver/install/server/upgrade.py | 11 +++++++++++ 2 files changed, 40 insertions(+) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 030c9f12daba4b38b748da8940e38d3cf2109788..871581b4afc5df854b9a090ef51bb0ad3b3871ee 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -469,6 +469,7 @@ class CAInstance(DogtagInstance): self.step("requesting RA certificate from CA", self.__request_ra_certificate) self.step("issuing RA agent certificate", self.__issue_ra_cert) self.step("adding RA agent as a trusted user", self.__configure_ra) + self.step("authorizing RA to modify profiles", self.__configure_profiles_acl) self.step("configure certmonger for renewals", self.configure_certmonger_renewal) self.step("configure certificate renewals", self.configure_renewal) if not self.clone: 
@@ -940,6 +941,10 @@ class CAInstance(DogtagInstance): conn.unbind() + def __configure_profiles_acl(self): + """Allow the Certificate Manager Agents group to modify profiles.""" + configure_profiles_acl() + def __run_certutil(self, args, database=None, pwd_file=None, stdin=None): if not database: database = self.ra_agent_db @@ -1825,6 +1830,30 @@ def update_people_entry(dercert): return True +def configure_profiles_acl(): + server_id = installutils.realm_to_serverid(api.env.realm) + dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id + updated = False + + dn = DN(('cn', 'aclResources'), ('o', 'ipaca')) + rule = ( + 'certServer.profile.configuration:read,modify:allow (read,modify) ' + 'group="Certificate Manager Agents":' + 'Certificate Manager agents may modify (create/update/delete) and read profiles' + ) + modlist = [(ldap.MOD_ADD, 'resourceACLS', [rule])] + + conn = ldap2.ldap2(shared_instance=False, ldap_uri=dogtag_uri) + if not conn.isconnected(): + conn.connect(autobind=True) + rules = conn.get_entry(dn).get('resourceACLS', []) + if rule not in rules: + conn.conn.modify_s(str(dn), modlist) + updated = True + + conn.disconnect() + return updated + if __name__ == "__main__": standard_logging_setup("install.log") ds = dsinstance.DsInstance() diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 9d1fd92b73eaf673ddfef01dc86b8dae5efc028a..0ea6bd7b4db70caf43637a60ddd1ad1f58b6e48e 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -289,6 +289,16 @@ def setup_firefox_extension(fstore): http.setup_firefox_extension(realm, domain) +def ca_configure_profiles_acl(ca): + root_logger.info('[Authorizing RA Agent to modify profiles]') + + if not ca.is_configured(): + root_logger.info('CA is not configured') + return False + + return cainstance.configure_profiles_acl() + + def upgrade_ipa_profile(ca, domain, fqdn): """ Update the IPA Profile provided by dogtag 
@@ -1370,6 +1380,7 @@ def upgrade_configuration(): upgrade_ipa_profile(ca, api.env.domain, fqdn), certificate_renewal_update(ca), ca_enable_pkix(ca), + ca_configure_profiles_acl(ca), ]) if ca_restart: -- 2.1.0 -------------- next part -------------- From 69b4a5f9058e66098b22da0fada6ee728dea7268 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Thu, 30 Apr 2015 04:55:29 -0400 Subject: [PATCH 05/13] Add certprofile plugin Add the 'certprofile' plugin which defines the commands for managing certificate profiles and associated permissions. Also update Dogtag network code in 'ipapython.dogtag' to support headers and arbitrary request bodies, to facilitate use of the Dogtag profiles REST API. Part of: https://fedorahosted.org/freeipa/ticket/57 --- ACI.txt | 8 ++ API.txt | 62 +++++++++ install/updates/40-certprofile.update | 9 ++ install/updates/40-delegation.update | 8 ++ install/updates/Makefile.am | 1 + ipalib/constants.py | 1 + ipalib/plugins/certprofile.py | 253 ++++++++++++++++++++++++++++++++++ ipapython/dogtag.py | 29 ++-- ipaserver/plugins/dogtag.py | 176 ++++++++++++++++++++++- 9 files changed, 534 insertions(+), 13 deletions(-) create mode 100644 install/updates/40-certprofile.update create mode 100644 ipalib/plugins/certprofile.py diff --git a/ACI.txt b/ACI.txt index 3c4ebde5b3ac2eb0b8e9465c5f2bd74f5bdbfb01..035a545511e4f56dcb492c97514de59cfc028405 100644 --- a/ACI.txt +++ b/ACI.txt 
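Review bot: in PATCH 03/13 (the "matches for REST API" block in ipa-pki-proxy.conf), the new location sets `NSSVerifyClient require` while the admin/installer block above it keeps `NSSVerifyClient none`; requiring the client certificate is the right choice here, since the REST client added in PATCH 05/13 authenticates to `/ca/rest/account/login` with the `ipaCert` nickname rather than with a password. The path pattern this block matches is not visible in the hunk as rendered, so please confirm it covers exactly the `/ca/rest/account/*` and `/ca/rest/profiles/*` paths the client uses and is not a broader prefix that would also proxy unrelated Dogtag REST resources through this certificate-only location.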
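Review bot: in PATCH 04/13, `configure_profiles_acl()` in cainstance.py never closes the LDAP connection on failure: `conn.disconnect()` runs only if `get_entry()` and `modify_s()` both succeed, so any exception leaves the ldapi connection open. Wrap everything after `conn.connect(autobind=True)` in `try: ... finally: conn.disconnect()`. Two smaller points on the same hunk: it uses `ldap.MOD_ADD` and `ldap2.ldap2` without adding imports, so confirm both names are already imported in cainstance.py; and the rule grants `read,modify` on `certServer.profile.configuration` to the whole "Certificate Manager Agents" group, not just to the RA, which the installer step label "authorizing RA to modify profiles" in the first hunk understates.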
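Review bot: in the upgrade.py hunk of PATCH 04/13, the log line `'[Authorizing RA Agent to modify profiles]'` describes a narrower change than the one being made, because the ACL rule written by `cainstance.configure_profiles_acl()` applies to every member of the "Certificate Manager Agents" group; say "Certificate Manager Agents" in the message so an administrator reading the upgrade log understands the scope of the grant. Returning the `updated` flag into the `ca_restart` list is consistent with the neighbouring steps, so no change needed there.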
@@ -22,6 +22,14 @@ dn: cn=automount,dc=ipa,dc=example aci: (targetattr = "automountmapname || description")(targetfilter = "(objectclass=automountmap)")(version 3.0;acl "permission:System: Modify Automount Maps";allow (write) groupdn = "ldap:///cn=System: Modify Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=automount,dc=ipa,dc=example aci: (targetfilter = "(objectclass=automountmap)")(version 3.0;acl "permission:System: Remove Automount Maps";allow (delete) groupdn = "ldap:///cn=System: Remove Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certprofiles,cn=ca,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Delete Certificate Profile";allow (delete) groupdn = "ldap:///cn=System: Delete Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certprofiles,cn=ca,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Import Certificate Profile";allow (add) groupdn = "ldap:///cn=System: Import Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certprofiles,cn=ca,dc=ipa,dc=example +aci: (targetattr = "cn || description || ipacertprofilestoreissued")(targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Modify Certificate Profile";allow (write) groupdn = "ldap:///cn=System: Modify Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certprofiles,cn=ca,dc=ipa,dc=example +aci: (targetattr = "cn || createtimestamp || description || entryusn || ipacertprofilestoreissued || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Read Certificate Profiles";allow (compare,read,search) userdn = "ldap:///all";) dn: cn=ipaconfig,cn=etc,dc=ipa,dc=example aci: (targetattr = "cn || createtimestamp || entryusn || ipacertificatesubjectbase || ipaconfigstring || ipacustomfields || 
ipadefaultemaildomain || ipadefaultloginshell || ipadefaultprimarygroup || ipagroupobjectclasses || ipagroupsearchfields || ipahomesrootdir || ipakrbauthzdata || ipamaxusernamelength || ipamigrationenabled || ipapwdexpadvnotify || ipasearchrecordslimit || ipasearchtimelimit || ipaselinuxusermapdefault || ipaselinuxusermaporder || ipauserauthtype || ipauserobjectclasses || ipausersearchfields || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaguiconfig)")(version 3.0;acl "permission:System: Read Global Configuration";allow (compare,read,search) userdn = "ldap:///all";) dn: cn=costemplates,cn=accounts,dc=ipa,dc=example diff --git a/API.txt b/API.txt index da69f32de5c12c0d85a7d61d9027385aa3c0ee05..7d221b839a7058e2bc7c6c95f7121e79a30ebcfd 100644 --- a/API.txt +++ b/API.txt 
@@ -509,6 +509,68 @@ args: 1,1,1 arg: Str('request_id') option: Str('version?', exclude='webui') output: Output('result', None, None) +command: certprofile_del +args: 1,2,3 +arg: Str('cn', attribute=True, cli_name='id', multivalue=True, primary_key=True, query=True, required=True) +option: Flag('continue', autofill=True, cli_name='continue', default=False) +option: Str('version?', exclude='webui') +output: Output('result', , None) +output: Output('summary', (, ), None) +output: ListOfPrimaryKeys('value', None, None) +command: certprofile_find +args: 1,9,4 +arg: Str('criteria?', noextrawhitespace=False) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('cn', attribute=True, autofill=False, cli_name='id', multivalue=False, primary_key=True, query=True, required=False) +option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, query=True, required=False) +option: Bool('ipacertprofilestoreissued', attribute=True, autofill=False, cli_name='store', default=True, multivalue=False, query=True, required=False) +option: Flag('pkey_only?', autofill=True, default=False) +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Int('sizelimit?', autofill=False, minvalue=0) +option: Int('timelimit?', autofill=False, minvalue=0) +option: Str('version?', exclude='webui') +output: Output('count', , None) +output: ListOfEntries('result', (, ), Gettext('A list of LDAP entries', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: Output('truncated', , None) +command: certprofile_import +args: 1,6,3 +arg: Str('cn', attribute=True, cli_name='id', multivalue=False, primary_key=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('description', attribute=True, cli_name='desc', multivalue=False, required=True) +option: File('file', cli_name='file') +option: 
Bool('ipacertprofilestoreissued', attribute=True, cli_name='store', default=True, multivalue=False, required=True) +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('version?', exclude='webui') +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) +command: certprofile_mod +args: 1,10,3 +arg: Str('cn', attribute=True, cli_name='id', multivalue=False, primary_key=True, query=True, required=True) +option: Str('addattr*', cli_name='addattr', exclude='webui') +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('delattr*', cli_name='delattr', exclude='webui') +option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, required=False) +option: Bool('ipacertprofilestoreissued', attribute=True, autofill=False, cli_name='store', default=True, multivalue=False, required=False) +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('rename', cli_name='rename', multivalue=False, primary_key=True, required=False) +option: Flag('rights', autofill=True, default=False) +option: Str('setattr*', cli_name='setattr', exclude='webui') +option: Str('version?', exclude='webui') +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) +command: certprofile_show +args: 1,4,3 +arg: Str('cn', attribute=True, cli_name='id', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Flag('rights', autofill=True, default=False) +option: Str('version?', exclude='webui') +output: 
Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) command: compat_is_enabled args: 0,1,1 option: Str('version?', exclude='webui') diff --git a/install/updates/40-certprofile.update b/install/updates/40-certprofile.update new file mode 100644 index 0000000000000000000000000000000000000000..6b0a81d0ff6d69dabe82138227d105fc780ee17d --- /dev/null +++ b/install/updates/40-certprofile.update @@ -0,0 +1,9 @@ +dn: cn=ca,$SUFFIX +default: objectClass: nsContainer +default: objectClass: top +default: cn: ca + +dn: cn=certprofiles,cn=ca,$SUFFIX +default: objectClass: nsContainer +default: objectClass: top +default: cn: certprofiles diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update index 975929bd70400b2f9cf407d6faedb246003d7f58..bc0736c5b6c07747586a56c2cbde9596c7522d1c 100644 --- a/install/updates/40-delegation.update +++ b/install/updates/40-delegation.update @@ -237,3 +237,11 @@ default:ipapermissiontype: SYSTEM dn: cn=config add:aci: (version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) groupdn = "ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,$SUFFIX";) + +# CA Administrators +dn: cn=CA Administrator,cn=privileges,cn=pbac,$SUFFIX +default:objectClass: nestedgroup +default:objectClass: groupofnames +default:objectClass: top +default:cn: CA Administrator +default:description: CA Administrator diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am index 4e2da05d61a41543914e79c4634331df6018c041..fc6bd624eac619cdddeba29b85440571d85fd69f 100644 --- a/install/updates/Makefile.am +++ b/install/updates/Makefile.am @@ -32,6 +32,7 @@ app_DATA = \ 40-replication.update \ 40-dns.update \ 40-automember.update \ + 40-certprofile.update \ 40-otp.update \ 40-vault.update \ 45-roles.update \ 
diff --git a/ipalib/constants.py b/ipalib/constants.py index 95dec54a51f38ae63eba667daacf35dcd7500cf3..96396a236b8694b3dd988dfe28c1b0c3cc9e3180 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -118,6 +118,7 @@ DEFAULT_CONFIG = ( ('container_radiusproxy', DN(('cn', 'radiusproxy'))), ('container_views', DN(('cn', 'views'), ('cn', 'accounts'))), ('container_masters', DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'))), + ('container_certprofile', DN(('cn', 'certprofiles'), ('cn', 'ca'))), # Ports, hosts, and URIs: ('xmlrpc_uri', 'http://localhost:8888/ipa/xml'), diff --git a/ipalib/plugins/certprofile.py b/ipalib/plugins/certprofile.py new file mode 100644 index 0000000000000000000000000000000000000000..1a2d143882469858f225b37ba4ff2dd368fb8853 --- /dev/null +++ b/ipalib/plugins/certprofile.py 
@@ -0,0 +1,253 @@ +# +# Copyright (C) 2015 FreeIPA Contributors see COPYING for license +# + +import re + +from ipalib import api, Bool, File, Str +from ipalib import output +from ipalib.plugable import Registry +from ipalib.plugins.virtual import VirtualCommand +from ipalib.plugins.baseldap import ( + LDAPObject, LDAPSearch, LDAPCreate, + LDAPDelete, LDAPUpdate, LDAPRetrieve) +from ipalib import ngettext +from ipalib.text import _ + +from ipalib import errors + + +__doc__ = _(""" +Manage Certificate Profiles + +Certificate Profiles are used by Certificate Authority (CA) in the signing of +certificates to determine if a Certificate Signing Request (CSR) is acceptable, +and if so what features and extensions will be present on the certificate. + +The Certificate Profile format is the property-list format understood by the +Dogtag or Red Hat Certificate System CA. + +PROFILE ID SYNTAX: + +A Profile ID is a string without spaces or punctuation starting with a letter +and followed by a sequence of letters, digits or underscore ("_"). + +EXAMPLES: + + Import a profile that will not store issued certificates: + ipa certprofile-import ShortLivedUserCert \\ + --file UserCert.profile --summary "User Certificates" \\ + --store=false + + Delete a certificate profile: + ipa certprofile-del ShortLivedUserCert + + Show information about a profile: + ipa certprofile-show ShortLivedUserCert + + Search for profiles that do not store certificates: + ipa certprofile-find --store=false + +""") + + +register = Registry() + + +def ca_enabled_check(): + """Raise NotFound if CA is not enabled. + + This function is defined in multiple plugins to avoid circular imports + (cert depends on certprofile, so we cannot import cert here). 
+ + """ + if not api.Command.ca_is_enabled()['result']: + raise errors.NotFound(reason=_('CA is not configured')) + + +profile_id_pattern = re.compile('^[a-zA-Z]\w*$') + + +def validate_profile_id(ugettext, value): + """Ensure profile ID matches form required by CA.""" + if profile_id_pattern.match(value) is None: + return _('invalid Profile ID') + else: + return None + + + at register() +class certprofile(LDAPObject): + """ + Certificate Profile object. + """ + container_dn = api.env.container_certprofile + object_name = _('Certificate Profile') + object_name_plural = _('Certificate Profiles') + object_class = ['ipacertprofile'] + default_attributes = [ + 'cn', 'description', 'ipacertprofilestoreissued' + ] + search_attributes = [ + 'cn', 'description', 'ipacertprofilestoreissued' + ] + rdn_is_primary_key = True + label = _('Certificate Profiles') + label_singular = _('Certificate Profile') + + takes_params = ( + Str('cn', validate_profile_id, + primary_key=True, + cli_name='id', + label=_('Profile ID'), + doc=_('Profile ID for referring to this profile'), + ), + Str('description', + required=True, + cli_name='desc', + label=_('Profile description'), + doc=_('Brief description of this profile'), + ), + Bool('ipacertprofilestoreissued', + default=True, + cli_name='store', + label=_('Store issued certificates'), + doc=_('Whether to store certs issued using this profile'), + ), + ) + + permission_filter_objectclasses = ['ipacertprofile'] + managed_permissions = { + 'System: Read Certificate Profiles': { + 'replaces_global_anonymous_aci': True, + 'ipapermbindruletype': 'all', + 'ipapermright': {'read', 'search', 'compare'}, + 'ipapermdefaultattr': { + 'cn', + 'description', + 'ipacertprofilestoreissued', + 'objectclass', + }, + }, + 'System: Import Certificate Profile': { + 'ipapermright': {'add'}, + 'replaces': [ + '(target = "ldap:///cn=*,cn=certprofiles,cn=ca,$SUFFIX")(version 3.0;acl "permission:Import Certificate Profile";allow (add) groupdn = "ldap:///cn=Import 
Certificate Profile,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + 'System: Delete Certificate Profile': { + 'ipapermright': {'delete'}, + 'replaces': [ + '(target = "ldap:///cn=*,cn=certprofiles,cn=ca,$SUFFIX")(version 3.0;acl "permission:Delete Certificate Profile";allow (delete) groupdn = "ldap:///cn=Delete Certificate Profile,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + 'System: Modify Certificate Profile': { + 'ipapermright': {'write'}, + 'ipapermdefaultattr': { + 'cn', + 'description', + 'ipacertprofilestoreissued', + }, + 'replaces': [ + '(targetattr = "cn || description || ipacertprofilestoreissued")(target = "ldap:///cn=*,cn=certprofiles,cn=ca,$SUFFIX")(version 3.0;acl "permission:Modify Certificate Profile";allow (write) groupdn = "ldap:///cn=Modify Certificate Profile,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + } + + + + at register() +class certprofile_find(LDAPSearch): + __doc__ = _("Search for Certificate Profiles.") + msg_summary = ngettext( + '%(count)d profile matched', '%(count)d profiles matched', 0 + ) + + def execute(self, *args, **kwargs): + ca_enabled_check() + return super(certprofile_find, self).execute(*args, **kwargs) + + + at register() +class certprofile_show(LDAPRetrieve): + __doc__ = _("Display the properties of a Certificate Profile.") + + def execute(self, *args, **kwargs): + ca_enabled_check() + return super(certprofile_show, self).execute(*args, **kwargs) + + + at register() +class certprofile_import(LDAPCreate): + __doc__ = _("Import a Certificate Profile.") + msg_summary = _('Imported profile "%(value)s"') + takes_options = ( + File('file', + label=_('Filename'), + cli_name='file', + flags=('virtual_attribute',), + ), + ) + + PROFILE_ID_PATTERN = re.compile('^profileId=([a-zA-Z]\w*)', re.MULTILINE) + + def pre_callback(self, ldap, dn, entry, entry_attrs, *keys, **options): + 
ca_enabled_check() + + match = self.PROFILE_ID_PATTERN.search(options['file']) + if match is None: + raise errors.ValidationError(name='file', + error=_("Profile ID is not present in profile data")) + elif keys[0] != match.group(1): + raise errors.ValidationError(name='file', + error=_("Profile ID '%(cli_value)s' does not match profile data '%(file_value)s'") + % {'cli_value': keys[0], 'file_value': match.group(1)} + ) + return dn + + + def post_callback(self, ldap, dn, entry_attrs, *keys, **options): + """Import the profile into Dogtag and enable it. + + If the operation succeeds, update the LDAP entry to 'enabled'. + If the operation fails, remove the LDAP entry. + """ + try: + with self.api.Backend.ra_certprofile as profile_api: + profile_api.create_profile(options['file']) + profile_api.enable_profile(keys[0]) + except: + # something went wrong ; delete entry + ldap.delete_entry(dn) + raise + + return dn + + + at register() +class certprofile_del(LDAPDelete): + __doc__ = _("Delete a Certificate Profile.") + msg_summary = _('Deleted profile "%(value)s"') + + def execute(self, *args, **kwargs): + ca_enabled_check() + return super(certprofile_del, self).execute(*args, **kwargs) + + def post_callback(self, ldap, dn, *keys, **options): + with self.api.Backend.ra_certprofile as profile_api: + profile_api.disable_profile(keys[0]) + profile_api.delete_profile(keys[0]) + return dn + + + at register() +class certprofile_mod(LDAPUpdate): + __doc__ = _("Modify Certificate Profile configuration.") + msg_summary = _('Modified Certificate Profile "%(value)s') + + def execute(self, *args, **kwargs): + ca_enabled_check() + return super(certprofile_mod, self).execute(*args, **kwargs) diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py index c74b8736a4b15f7bf081206b52b9876a8c4928af..11311cf7b55d7b84e9434a698dbfd60b0eb142a1 100644 --- a/ipapython/dogtag.py +++ b/ipapython/dogtag.py 
@@ -233,9 +233,12 @@ def ca_status(ca_host=None, use_proxy=True): return _parse_ca_status(body) -def https_request(host, port, url, secdir, password, nickname, **kw): +def https_request(host, port, url, secdir, password, nickname, + method='POST', headers=None, body=None, **kw): """ + :param method: HTTP request method (defalut: 'POST') :param url: The path (not complete URL!) to post to. + :param body: The request body (encodes kw if None) :param kw: Keyword arguments to encode into POST body. :return: (http_status, http_reason_phrase, http_headers, http_body) as (integer, unicode, dict, str) @@ -254,9 +257,11 @@ def https_request(host, port, url, secdir, password, nickname, **kw): nickname, password, nss.get_default_certdb()) return conn - body = urlencode(kw) + if body is None: + body = urlencode(kw) return _httplib_request( - 'https', host, port, url, connection_factory, body) + 'https', host, port, url, connection_factory, body, + method=method, headers=headers) def http_request(host, port, url, **kw): @@ -288,11 +293,13 @@ def unauthenticated_https_request(host, port, url, **kw): def _httplib_request( - protocol, host, port, path, connection_factory, request_body): + protocol, host, port, path, connection_factory, request_body, + method='POST', headers=None): """ :param request_body: Request body :param connection_factory: Connection class to use. Will be called with the host and port arguments. + :param method: HTTP request method (default: 'POST') Perform a HTTP(s) request. """ 
@@ -301,13 +308,17 @@ def _httplib_request( uri = '%s://%s%s' % (protocol, ipautil.format_netloc(host, port), path) root_logger.debug('request %r', uri) root_logger.debug('request body %r', request_body) + + headers = headers or {} + if ( + method == 'POST' + and 'content-type' not in (str(k).lower() for k in headers.viewkeys()) + ): + headers['content-type'] = 'application/x-www-form-urlencoded' + try: conn = connection_factory(host, port) - conn.request( - 'POST', uri, - body=request_body, - headers={'Content-type': 'application/x-www-form-urlencoded'}, - ) + conn.request(method, uri, body=request_body, headers=headers) res = conn.getresponse() http_status = res.status diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 52bdb0d4245594785e718c63242e27cee0e59322..9654123b16d8e417398d49bf1305fd41880bc3a7 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -4,8 +4,9 @@ # Jason Gerard DeRose # Rob Crittenden # John Dennis +# Fraser Tweedale # -# Copyright (C) 2014 Red Hat +# Copyright (C) 2014, 2015 Red Hat # see file 'COPYING' for use and warranty information # # This program is free software; you can redistribute it and/or modify @@ -238,17 +239,21 @@ digits and nothing else follows. ''' import datetime +import json from lxml import etree +import os import tempfile import time import urllib2 +import pki from pki.client import PKIConnection import pki.crypto as cryptoutil from pki.kra import KRAClient from ipalib import Backend from ipapython.dn import DN +import ipapython.cookie import ipapython.dogtag from ipapython import ipautil from ipaserver.install.certs import CertDB 
@@ -1262,13 +1267,12 @@ def select_any_master(ldap2, service='CA'): #------------------------------------------------------------------------------- -from ipalib import api, SkipPluginModule +from ipalib import api, errors, SkipPluginModule if api.env.ra_plugin != 'dogtag': # In this case, abort loading this plugin module... raise SkipPluginModule(reason='dogtag not selected as RA plugin') import os, random from ipaserver.plugins import rabase -from ipalib.errors import CertificateOperationError from ipalib.constants import TYPE_ERROR from ipalib.util import cachedproperty from ipapython import dogtag @@ -1318,7 +1322,7 @@ class ra(rabase.rabase): err_msg = u'%s (%s)' % (err_msg, detail) self.error('%s.%s(): %s', self.fullname, func_name, err_msg) - raise CertificateOperationError(error=err_msg) + raise errors.CertificateOperationError(error=err_msg) @cachedproperty def ca_host(self): 
@@ -1923,3 +1927,167 @@ class kra(Backend): return KRAClient(connection, crypto) api.register(kra) + + +class RestClient(Backend): + """Simple Dogtag REST client to be subclassed by other backends. + + This class is a context manager. Authenticated calls must be + executed in a ``with`` suite:: + + class ra_certprofile(RestClient): + path = 'profile' + ... + + api.register(ra_certprofile) + + with api.Backend.ra_certprofile as profile_api: + # REST client is now logged in + profile_api.create_profile(...) + + """ + path = None + + @staticmethod + def _parse_dogtag_error(body): + try: + return pki.PKIException.from_json(json.loads(body)) + except: + return None + + def __init__(self): + if api.env.in_tree: + self.sec_dir = api.env.dot_ipa + os.sep + 'alias' + self.pwd_file = self.sec_dir + os.sep + '.pwd' + else: + self.sec_dir = paths.HTTPD_ALIAS_DIR + self.pwd_file = paths.ALIAS_PWDFILE_TXT + self.noise_file = self.sec_dir + os.sep + '.noise' + self.ipa_key_size = "2048" + self.ipa_certificate_nickname = "ipaCert" + self.ca_certificate_nickname = "caCert" + try: + f = open(self.pwd_file, "r") + self.password = f.readline().strip() + f.close() + except IOError: + self.password = '' + super(RestClient, self).__init__() + + # session cookie + self.cookie = None + + @cachedproperty + def ca_host(self): + """ + :return: host + as str + + Select our CA host. 
+ """ + ldap2 = self.api.Backend.ldap2 + if host_has_service(api.env.ca_host, ldap2, "CA"): + return api.env.ca_host + if api.env.host != api.env.ca_host: + if host_has_service(api.env.host, ldap2, "CA"): + return api.env.host + host = select_any_master(ldap2) + if host: + return host + else: + return api.env.ca_host + + def __enter__(self): + """Log into the REST API""" + if self.cookie is not None: + return + status, status_text, resp_headers, resp_body = dogtag.https_request( + self.ca_host, self.env.ca_agent_port, '/ca/rest/account/login', + self.sec_dir, self.password, self.ipa_certificate_nickname, + method='GET' + ) + cookies = ipapython.cookie.Cookie.parse(resp_headers.get('set-cookie', '')) + if status != 200 or len(cookies) == 0: + raise errors.RemoteRetrieveError(reason=_('Failed to authenticate to CA REST API')) + self.cookie = str(cookies[0]) + return self + + def __exit__(self, exc_type, exc_value, traceback): + """Log out of the REST API""" + dogtag.https_request( + self.ca_host, self.env.ca_agent_port, '/ca/rest/account/logout', + self.sec_dir, self.password, self.ipa_certificate_nickname, + method='GET' + ) + self.cookie = None + + def _ssldo(self, method, path, headers=None, body=None): + """ + :param url: The URL to post to. + :param kw: Keyword arguments to encode into POST body. 
+ :return: (http_status, http_reason_phrase, http_headers, http_body) + as (integer, unicode, dict, str) + + Perform an HTTPS request + """ + if self.cookie is None: + raise errors.RemoteRetrieveError( + reason=_("REST API is not logged in.")) + + headers = headers or {} + headers['Cookie'] = self.cookie + + resource = os.path.join('/ca/rest', self.path, path) + + # perform main request + status, status_text, resp_headers, resp_body = dogtag.https_request( + self.ca_host, self.env.ca_agent_port, resource, + self.sec_dir, self.password, self.ipa_certificate_nickname, + method=method, headers=headers, body=body + ) + if status < 200 or status >= 300: + explanation = self._parse_dogtag_error(resp_body) or '' + raise errors.RemoteRetrieveError( + reason=_('Non-2xx response from CA REST API: %(status)d %(status_text)s. %(explanation)s') + % {'status': status, 'status_text': status_text, 'explanation': explanation} + ) + return (status, status_text, resp_headers, resp_body) + + +class ra_certprofile(RestClient): + """ + Profile management backend plugin. + """ + path = 'profiles' + + def create_profile(self, profile_data): + """ + Import the profile into Dogtag + """ + self._ssldo('POST', 'raw', + headers={ + 'Content-type': 'application/xml', + 'Accept': 'application/json', + }, + body=profile_data + ) + + def enable_profile(self, profile_id): + """ + Enable the profile in Dogtag + """ + self._ssldo('POST', profile_id + '?action=enable') + + def disable_profile(self, profile_id): + """ + Enable the profile in Dogtag + """ + self._ssldo('POST', profile_id + '?action=disable') + + def delete_profile(self, profile_id): + """ + Delete the profile from Dogtag + """ + self._ssldo('DELETE', profile_id, headers={'Accept': 'application/json'}) + +api.register(ra_certprofile) -- 2.1.0 -------------- next part -------------- From 5d1ad6981585cbc5ea3ed8d5bf30946d7b9c82e2 Mon Sep 17 00:00:00 2001 
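Review bot: in the ipalib/plugins/certprofile.py hunk of PATCH 05/13, `certprofile_del.post_callback` disables and deletes the Dogtag profile only after `LDAPDelete` has already removed the LDAP entry, so if either REST call fails the command reports an error but the IPA entry is gone while the profile still exists in Dogtag; performing the Dogtag calls in `pre_callback`, or re-creating the entry on failure in the way `certprofile_import.post_callback` deletes it on failure, keeps the two stores consistent. Related: `certprofile_mod` inherits the `rename` option from `LDAPUpdate` (API.txt lists `option: Str('rename', cli_name='rename', ...)` for it), but nothing renames the profile in Dogtag, so a rename desynchronises `cn` from the Dogtag `profileId` that `certprofile_import.pre_callback` is careful to validate; reject or remove `rename` for this object. Smaller items in the same file: `msg_summary = _('Modified Certificate Profile "%(value)s')` is missing its closing double quote; the module docstring example passes `--summary "User Certificates"` but the option is `--desc` (`cli_name='desc'`); the bare `except:` in `certprofile_import.post_callback` should be `except Exception:` even though it re-raises; and `profile_id_pattern` ends in `$`, which also accepts a trailing newline, so `\Z` is the more precise anchor.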
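Review bot: in the ipapython/dogtag.py hunk of PATCH 05/13, `headers = headers or {}` followed by `headers['content-type'] = 'application/x-www-form-urlencoded'` in `_httplib_request` mutates the dictionary the caller passed in whenever it is non-empty, so a caller that reuses one headers dict across requests gets a `content-type` silently added to it; copy it first (`headers = dict(headers or {})`). Also, `defalut` in the new `:param method:` docstring of `https_request` should read `default`, and `headers.viewkeys()` exists only on Python 2, so `headers.keys()` (which works on both) would save a change in the Python 3 port.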
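Review bot: the import hunk of ipaserver/plugins/dogtag.py in PATCH 05/13 adds `import os` at the top of the module, but the module already has `import os, random` further down (visible as context in the `select_any_master` hunk), so one of the two is redundant. The new `RestClient` code also relies on `paths`, `_` and `host_has_service`, none of which this hunk imports; confirm they are already available in the module rather than relying on them being pulled in elsewhere.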
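Review bot: in the `RestClient` hunk of PATCH 05/13, `__enter__` returns `None` on its early-exit path (`if self.cookie is not None: return`), so a nested or repeated `with api.Backend.ra_certprofile as profile_api:` binds `profile_api` to `None`; make that `return self`. `__exit__` performs the logout request unconditionally, so if the logout raises while an exception is already propagating, the original error is replaced by the logout failure; guard the logout with try/except and at least log it. Copy-and-paste leftovers: `disable_profile`'s docstring says "Enable the profile in Dogtag"; `_ssldo`'s docstring documents `url` and `kw` parameters the method does not take; and `noise_file`, `ipa_key_size` and `ca_certificate_nickname` are set in `__init__` but never used by this class. Finally, `_ssldo` writes `headers['Cookie'] = self.cookie` into the dictionary the caller passed (copy it first), and `_parse_dogtag_error` uses a bare `except:` where `except Exception:` is meant.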
From: Fraser Tweedale Date: Mon, 11 May 2015 23:38:41 -0400 Subject: [PATCH 06/13] Enable LDAP-based profiles in CA on upgrade Part of: https://fedorahosted.org/freeipa/ticket/4560 --- ipaserver/install/server/upgrade.py | 40 +++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 0ea6bd7b4db70caf43637a60ddd1ad1f58b6e48e..98d73b2fc7851a2afed6f39f83cefde35a7a8e33 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -299,6 +299,45 @@ def ca_configure_profiles_acl(ca): return cainstance.configure_profiles_acl() +def ca_enable_ldap_profile_subsystem(ca): + root_logger.info('[Ensuring CA is using LDAPProfileSubsystem]') + if not ca.is_configured(): + root_logger.info('CA is not configured') + return False + + caconfig = dogtag.configured_constants() + + needs_update = False + directive = None + try: + for i in range(15): + directive = "subsystem.{}.class".format(i) + value = installutils.get_directive( + caconfig.CS_CFG_PATH, + directive, + separator='=') + if value == 'ProfileSubsystem': + needs_update = True + break + except OSError, e: + root_logger.error('Cannot read CA configuration file "%s": %s', + caconfig.CS_CFG_PATH, e) + return False + + if needs_update: + installutils.set_directive( + caconfig.CS_CFG_PATH, + directive, + 'LDAPProfileSubsystem', + quotes=False, + separator='=') + + # TODO import file-based profiles into Dogtag + # More code needed on Dogtag side for this. + + return needs_update + + def upgrade_ipa_profile(ca, domain, fqdn): """ Update the IPA Profile provided by dogtag @@ -1381,6 +1420,7 @@ def upgrade_configuration(): certificate_renewal_update(ca), ca_enable_pkix(ca), ca_configure_profiles_acl(ca), + ca_enable_ldap_profile_subsystem(ca), ]) if ca_restart: -- 2.1.0 -------------- next part -------------- From 9fe57cc8090690b4b29e8b1d489911f709f11079 Mon Sep 17 00:00:00 2001 
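Review bot: in PATCH 06/13, `except OSError, e:` in `ca_enable_ldap_profile_subsystem` will not catch the error it is written for: on Python 2 a failure to open `caconfig.CS_CFG_PATH` inside `installutils.get_directive` raises `IOError`, which is a sibling of `OSError` under `EnvironmentError` rather than a subclass of it, so the upgrade step would crash instead of logging "Cannot read CA configuration file". Catch `(IOError, OSError)` and use the `except ... as e:` form. `for i in range(15)` is a magic bound with no comment on why fifteen `subsystem.N.class` slots are enough; name the constant or explain it. The `# TODO import file-based profiles into Dogtag` is fine to leave in place, but the commit message should state that this patch only switches the subsystem class and does not migrate existing file-based profiles.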
From: Fraser Tweedale Date: Mon, 11 May 2015 21:17:48 -0400 Subject: [PATCH 07/13] Import included profiles during install or upgrade Add a default service profile template as part of FreeIPA and format and import it as part of installation or upgrade process. Also remove the code that modifies the old (file-based) `caIPAserviceCert' profile. Fixes https://fedorahosted.org/freeipa/ticket/4002 --- freeipa.spec.in | 2 + install/configure.ac | 1 + install/share/Makefile.am | 1 + install/share/profiles/Makefile.am | 14 ++ install/share/profiles/caIPAserviceCert.cfg | 109 ++++++++++++ install/tools/ipa-upgradeconfig | 1 - ipapython/dogtag.py | 7 +- ipaserver/install/cainstance.py | 253 +++++++--------------------- ipaserver/install/ipa_server_upgrade.py | 1 + ipaserver/install/server/install.py | 6 + ipaserver/install/server/upgrade.py | 42 ++--- ipaserver/plugins/dogtag.py | 14 +- 12 files changed, 228 insertions(+), 223 deletions(-) create mode 100644 install/share/profiles/Makefile.am create mode 100644 install/share/profiles/caIPAserviceCert.cfg diff --git a/freeipa.spec.in b/freeipa.spec.in index 2f259234945be874aede64ca7c3ce04bdf467b64..a9757a194b1bf3bdcced4fd29e7fbae8b0211c94 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -720,6 +720,8 @@ fi %dir %{_usr}/share/ipa/advise %dir %{_usr}/share/ipa/advise/legacy %{_usr}/share/ipa/advise/legacy/*.template +%dir %{_usr}/share/ipa/profiles +%{_usr}/share/ipa/profiles/*.cfg %dir %{_usr}/share/ipa/ffextension %{_usr}/share/ipa/ffextension/bootstrap.js %{_usr}/share/ipa/ffextension/install.rdf diff --git a/install/configure.ac b/install/configure.ac index 2e48aa5cc67b30f2582de987a12d4e7043256679..57f4219b66bbe1dadaed3e89c3e84b1c8240399e 100644 --- a/install/configure.ac +++ b/install/configure.ac @@ -88,6 +88,7 @@ AC_CONFIG_FILES([ share/Makefile share/advise/Makefile share/advise/legacy/Makefile + share/profiles/Makefile ui/Makefile ui/css/Makefile ui/src/Makefile 
diff --git a/install/share/Makefile.am b/install/share/Makefile.am index f44772b20c173c6fe43503716f40454f6f6b6f11..31f391be25c58b76cc71971852074d80c5514745 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -2,6 +2,7 @@ NULL = SUBDIRS = \ advise \ + profiles \ $(NULL) appdir = $(IPA_DATA_DIR) diff --git a/install/share/profiles/Makefile.am b/install/share/profiles/Makefile.am new file mode 100644 index 0000000000000000000000000000000000000000..4e6cf975a0f51d02ec29bd07ac8cb9ccc8320818 --- /dev/null +++ b/install/share/profiles/Makefile.am @@ -0,0 +1,14 @@ +NULL = + +appdir = $(IPA_DATA_DIR)/profiles +app_DATA = \ + caIPAserviceCert.cfg \ + $(NULL) + +EXTRA_DIST = \ + $(app_DATA) \ + $(NULL) + +MAINTAINERCLEANFILES = \ + *~ \ + Makefile.in diff --git a/install/share/profiles/caIPAserviceCert.cfg b/install/share/profiles/caIPAserviceCert.cfg new file mode 100644 index 0000000000000000000000000000000000000000..6c5102f0dbd6bd6c6eaf2fa22e87ed4a5f34553c --- /dev/null +++ b/install/share/profiles/caIPAserviceCert.cfg 
@@ -0,0 +1,109 @@ +profileId=caIPAserviceCert +classId=caEnrollImpl +desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication. +visible=false +enable=true +enableBy=admin +auth.instance_id=raCertAuth +name=IPA-RA Agent-Authenticated Server Certificate Enrollment +input.list=i1,i2 +input.i1.class_id=certReqInputImpl +input.i2.class_id=submitterInfoInputImpl +output.list=o1 +output.o1.class_id=certOutputImpl +policyset.list=serverCertSet +policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11 +policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl +policyset.serverCertSet.1.constraint.name=Subject Name Constraint +policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+ +policyset.serverCertSet.1.constraint.params.accept=true +policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl +policyset.serverCertSet.1.default.name=Subject Name Default +policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O +policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl +policyset.serverCertSet.2.constraint.name=Validity Constraint +policyset.serverCertSet.2.constraint.params.range=740 +policyset.serverCertSet.2.constraint.params.notBeforeCheck=false +policyset.serverCertSet.2.constraint.params.notAfterCheck=false +policyset.serverCertSet.2.default.class_id=validityDefaultImpl +policyset.serverCertSet.2.default.name=Validity Default +policyset.serverCertSet.2.default.params.range=731 +policyset.serverCertSet.2.default.params.startTime=0 +policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl +policyset.serverCertSet.3.constraint.name=Key Constraint +policyset.serverCertSet.3.constraint.params.keyType=RSA +policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096 +policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl +policyset.serverCertSet.3.default.name=Key Default 
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl +policyset.serverCertSet.4.constraint.name=No Constraint +policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl +policyset.serverCertSet.4.default.name=Authority Key Identifier Default +policyset.serverCertSet.5.constraint.class_id=noConstraintImpl +policyset.serverCertSet.5.constraint.name=No Constraint +policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl +policyset.serverCertSet.5.default.name=AIA Extension Default +policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true +policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName +policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://$IPA_CA_RECORD.$DOMAIN/ca/ocsp +policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 +policyset.serverCertSet.5.default.params.authInfoAccessCritical=false +policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1 +policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl +policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint +policyset.serverCertSet.6.constraint.params.keyUsageCritical=true +policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true +policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true +policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true +policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true +policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false +policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false +policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false +policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false +policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false +policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl +policyset.serverCertSet.6.default.name=Key Usage 
Default +policyset.serverCertSet.6.default.params.keyUsageCritical=true +policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true +policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true +policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true +policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true +policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false +policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false +policyset.serverCertSet.6.default.params.keyUsageCrlSign=false +policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false +policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false +policyset.serverCertSet.7.constraint.class_id=noConstraintImpl +policyset.serverCertSet.7.constraint.name=No Constraint +policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl +policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default +policyset.serverCertSet.7.default.params.exKeyUsageCritical=false +policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 +policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl +policyset.serverCertSet.8.constraint.name=No Constraint +policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC +policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl +policyset.serverCertSet.8.default.name=Signing Alg +policyset.serverCertSet.8.default.params.signingAlg=- +policyset.serverCertSet.9.constraint.class_id=noConstraintImpl +policyset.serverCertSet.9.constraint.name=No Constraint +policyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl +policyset.serverCertSet.9.default.name=CRL Distribution Points Extension Default +policyset.serverCertSet.9.default.params.crlDistPointsCritical=false 
+policyset.serverCertSet.9.default.params.crlDistPointsNum=1 +policyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true +policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=$CRL_ISSUER +policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName +policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://$IPA_CA_RECORD.$DOMAIN/ipa/crl/MasterCRL.bin +policyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName +policyset.serverCertSet.9.default.params.crlDistPointsReasons_0= +policyset.serverCertSet.10.constraint.class_id=noConstraintImpl +policyset.serverCertSet.10.constraint.name=No Constraint +policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl +policyset.serverCertSet.10.default.name=Subject Key Identifier Extension Default +policyset.serverCertSet.10.default.params.critical=false +policyset.serverCertSet.11.constraint.class_id=noConstraintImpl +policyset.serverCertSet.11.constraint.name=No Constraint +policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl +policyset.serverCertSet.11.default.name=User Supplied Extension Default +policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17 diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index 43292966a29c9077443913bdda1c81aa3de06a10..5f3a2b4a2f3864c2809178815c244c2012333fc8 100755 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig @@ -21,7 +21,6 @@ import sys - if __name__ == '__main__': sys.exit("Please run the 'ipa-server-upgrade' command to upgrade the " "IPA server.") diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py index 11311cf7b55d7b84e9434a698dbfd60b0eb142a1..2b4d233354b974884c88d13a3a1b437915ba0776 100644 --- a/ipapython/dogtag.py +++ b/ipapython/dogtag.py 
@@ -42,6 +42,11 @@ from ipapython.ipa_log_manager import * # the configured version. +INCLUDED_PROFILES = { + # ( profile_id , description , store_issued) + (u'caIPAserviceCert', u'Standard profile for network services', True), + } + class Dogtag10Constants(object): DOGTAG_VERSION = 10 UNSECURE_PORT = 8080 @@ -71,7 +76,6 @@ class Dogtag10Constants(object): RACERT_LINE_SEP = '\n' - IPA_SERVICE_PROFILE = '%s/caIPAserviceCert.cfg' % SERVICE_PROFILE_DIR SIGN_PROFILE = '%s/caJarSigningCert.cfg' % SERVICE_PROFILE_DIR SHARED_DB = True DS_USER = "dirsrv" @@ -110,7 +114,6 @@ class Dogtag9Constants(object): EE_CLIENT_AUTH_PORT = 9446 TOMCAT_SERVER_PORT = 9701 - IPA_SERVICE_PROFILE = '%s/caIPAserviceCert.cfg' % SERVICE_PROFILE_DIR SIGN_PROFILE = '%s/caJarSigningCert.cfg' % SERVICE_PROFILE_DIR SHARED_DB = False DS_USER = "pkisrv" diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 871581b4afc5df854b9a090ef51bb0ad3b3871ee..ca0b6df5db80bc842a78f614872831ddd82330b1 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -459,10 +459,6 @@ class CAInstance(DogtagInstance): self.step("importing CA chain to RA certificate database", self.__import_ca_chain) self.step("fixing RA database permissions", self.fix_ra_perms) self.step("setting up signing cert profile", self.__setup_sign_profile) - self.step("set certificate subject base", self.__set_subject_in_config) - self.step("enabling Subject Key Identifier", self.enable_subject_key_identifier) - self.step("enabling Subject Alternative Name", self.enable_subject_alternative_name) - self.step("enabling CRL and OCSP extensions for certificates", self.__set_crl_ocsp_extensions) self.step("setting audit signing renewal to 2 years", self.set_audit_renewal) if not self.clone: self.step("restarting certificate server", self.restart_instance) 
@@ -1125,94 +1121,6 @@ class CAInstance(DogtagInstance): return publishdir - def __set_crl_ocsp_extensions(self): - self.set_crl_ocsp_extensions(self.domain, self.fqdn) - - def set_crl_ocsp_extensions(self, domain, fqdn): - """ - Configure CRL and OCSP extensions in default IPA certificate profile - if not done already. - """ - changed = False - - # OCSP extension - ocsp_url = 'http://%s.%s/ca/ocsp' % (IPA_CA_RECORD, ipautil.format_netloc(domain)) - - ocsp_location_0 = installutils.get_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0', - separator='=') - - if ocsp_location_0 != ocsp_url: - # Set the first OCSP URI - installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0', - ocsp_url, quotes=False, separator='=') - changed = True - - ocsp_profile_count = installutils.get_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.5.default.params.authInfoAccessNumADs', - separator='=') - - if ocsp_profile_count != '1': - installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.5.default.params.authInfoAccessNumADs', - '1', quotes=False, separator='=') - changed = True - - - # CRL extension - crl_url = 'http://%s.%s/ipa/crl/MasterCRL.bin'% (IPA_CA_RECORD, ipautil.format_netloc(domain)) - - crl_point_0 = installutils.get_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.9.default.params.crlDistPointsPointName_0', - separator='=') - - if crl_point_0 != crl_url: - installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0', - 'CN=Certificate Authority,o=ipaca', quotes=False, separator='=') - installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0', - 
'DirectoryName', quotes=False, separator='=') - installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.9.default.params.crlDistPointsPointName_0', - crl_url, quotes=False, separator='=') - changed = True - - crl_profile_count = installutils.get_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.9.default.params.crlDistPointsNum', - separator='=') - - if crl_profile_count != '1': - installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.9.default.params.crlDistPointsNum', - '1', quotes=False, separator='=') - changed = True - - # CRL extension is not enabled by default - setlist = installutils.get_directive(self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.list', separator='=') - new_set_list = None - - if setlist == '1,2,3,4,5,6,7,8': - new_set_list = '1,2,3,4,5,6,7,8,9' - elif setlist == '1,2,3,4,5,6,7,8,10': - new_set_list = '1,2,3,4,5,6,7,8,9,10' - elif setlist == '1,2,3,4,5,6,7,8,10,11': - new_set_list = '1,2,3,4,5,6,7,8,9,10,11' - - if new_set_list: - installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.list', - new_set_list, quotes=False, separator='=') - changed = True - - return changed - def __enable_crl_publish(self): """ 
@@ -1267,13 +1175,6 @@ class CAInstance(DogtagInstance): installutils.set_directive(caconfig, 'ca.crl.MasterCRL.enableCRLUpdates', 'false', quotes=False, separator='=') installutils.set_directive(caconfig, 'ca.listenToCloneModifications', 'false', quotes=False, separator='=') - def __set_subject_in_config(self): - # dogtag ships with an IPA-specific profile that forces a subject - # format. We need to update that template with our base subject - if installutils.update_file(self.dogtag_constants.IPA_SERVICE_PROFILE, - 'OU=pki-ipa, O=IPA', str(self.subject_base)): - print "Updating subject_base in CA template failed" - def uninstall(self): # just eat state self.restore_state("enabled") 
@@ -1407,100 +1308,6 @@ class CAInstance(DogtagInstance): services.knownservices.certmonger.stop() - def enable_subject_key_identifier(self): - """ - See if Subject Key Identifier is set in the profile and if not, add it. - """ - setlist = installutils.get_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.list', separator='=') - - # this is the default setting from pki-ca/pki-tomcat. Don't touch it - # if a user has manually modified it. - if setlist == '1,2,3,4,5,6,7,8' or setlist == '1,2,3,4,5,6,7,8,9': - setlist += ',10' - installutils.set_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.list', - setlist, - quotes=False, separator='=') - installutils.set_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.10.constraint.class_id', - 'noConstraintImpl', - quotes=False, separator='=') - installutils.set_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.10.constraint.name', - 'No Constraint', - quotes=False, separator='=') - installutils.set_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.10.default.class_id', - 'subjectKeyIdentifierExtDefaultImpl', - quotes=False, separator='=') - installutils.set_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.10.default.name', - 'Subject Key Identifier Extension Default', - quotes=False, separator='=') - installutils.set_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.10.default.params.critical', - 'false', - quotes=False, separator='=') - return True - - # No update was done - return False - - def enable_subject_alternative_name(self): - """ - See if Subject Alternative Name is set in the profile and if not, add - it. 
- """ - setlist = installutils.get_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.list', separator='=') - - # this is the default setting from pki-ca/pki-tomcat. Don't touch it - # if a user has manually modified it. - if setlist == '1,2,3,4,5,6,7,8,10' or setlist == '1,2,3,4,5,6,7,8,9,10': - setlist += ',11' - installutils.set_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.list', - setlist, - quotes=False, separator='=') - installutils.set_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.11.constraint.class_id', - 'noConstraintImpl', - quotes=False, separator='=') - installutils.set_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.11.constraint.name', - 'No Constraint', - quotes=False, separator='=') - installutils.set_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.11.default.class_id', - 'userExtensionDefaultImpl', - quotes=False, separator='=') - installutils.set_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.11.default.name', - 'User Supplied Extension Default', - quotes=False, separator='=') - installutils.set_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.11.default.params.userExtOID', - '2.5.29.17', - quotes=False, separator='=') - return True - - # No update was done - return False def set_audit_renewal(self): """ @@ -1586,7 +1393,6 @@ class CAInstance(DogtagInstance): master_entry['ipaConfigString'].append('caRenewalMaster') self.admin_conn.update_entry(master_entry) - @staticmethod def update_cert_config(nickname, cert, dogtag_constants=None): """ 
@@ -1854,6 +1660,65 @@ def configure_profiles_acl(): conn.disconnect() return updated +def import_included_profiles(): + sub_dict = dict( + DOMAIN=ipautil.format_netloc(api.env.domain), + IPA_CA_RECORD=IPA_CA_RECORD, + CRL_ISSUER='CN=Certificate Authority,o=ipaca', + SUBJECT_DN_O=str(DN(('O', api.env.realm))), + ) + + server_id = installutils.realm_to_serverid(api.env.realm) + dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id + conn = ldap2.ldap2(shared_instance=False, ldap_uri=dogtag_uri) + if not conn.isconnected(): + conn.connect(autobind=True) + + for (profile_id, desc, store_issued) in dogtag.INCLUDED_PROFILES: + dn = DN(('cn', profile_id), + api.env.container_certprofile, api.env.basedn) + try: + conn.get_entry(dn) + continue # the profile is present + except errors.NotFound: + # profile not found; add it + profile_data = ipautil.template_file( + '/usr/share/ipa/profiles/{}.cfg'.format(profile_id), sub_dict) + + entry = conn.make_entry( + dn, + objectclass=['ipacertprofile'], + cn=[profile_id], + description=[desc], + ipacertprofilestoreissued=['TRUE' if store_issued else 'FALSE'], + ) + conn.add_entry(entry) + api.Backend.ra_certprofile._read_password() + with api.Backend.ra_certprofile as profile_api: + # import the profile + try: + profile_api.create_profile(profile_data) + except errors.RemoteRetrieveError: + # conflicting profile; replace it if we are + # installing IPA, but keep it for upgrades + if api.env.context == 'installer': + try: + profile_api.disable_profile(profile_id) + except errors.RemoteRetrieveError: + pass + profile_api.delete_profile(profile_id) + profile_api.create_profile(profile_data) + + # enable the profile + try: + profile_api.enable_profile(profile_id) + except errors.RemoteRetrieveError: + pass + + root_logger.info("Imported profile '%s'", profile_id) + + conn.disconnect() + if __name__ == "__main__": standard_logging_setup("install.log") ds = dsinstance.DsInstance() 
diff --git a/ipaserver/install/ipa_server_upgrade.py b/ipaserver/install/ipa_server_upgrade.py index d0a839d0a316317622894e5b56896f91a9e29bb8..8373b213411c34c59e838c586ff46e99efb43f58 100644 --- a/ipaserver/install/ipa_server_upgrade.py +++ b/ipaserver/install/ipa_server_upgrade.py @@ -41,6 +41,7 @@ class ServerUpgrade(admintool.AdminTool): super(ServerUpgrade, self).run() api.bootstrap(in_server=True, context='updates') + import ipaserver.plugins.dogtag # ensure profile backend gets loaded api.finalize() try: diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index 61137d2e9f41aff6a74dbfc4f7a63e74b53ed7fa..27baa03fef9db50664a1b64e4b0fa3a0638502c0 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py @@ -743,6 +743,9 @@ def install(options): api.env.ca_host = host_name api.bootstrap(**cfg) + if setup_ca: + # ensure profile backend is available + import ipaserver.plugins.dogtag api.finalize() # Create DS user/group if it doesn't exist yet @@ -898,6 +901,9 @@ def install(options): service.print_msg("Restarting the certificate server") ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME) + service.print_msg("Importing certificate profiles") + cainstance.import_included_profiles() + if options.setup_dns: api.Backend.ldap2.connect(autobind=True) dns.install(False, False, options) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 98d73b2fc7851a2afed6f39f83cefde35a7a8e33..c2882827a29ffb0dda285ddf07d4001b99e6a47e 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py 
@@ -338,32 +338,28 @@ def ca_enable_ldap_profile_subsystem(ca): return needs_update -def upgrade_ipa_profile(ca, domain, fqdn): +def ca_import_included_profiles(ca): + root_logger.info('[Ensuring presence of included profiles]') + + if not ca.is_configured(): + root_logger.info('CA is not configured') + return False + + return cainstance.import_included_profiles() + + +def upgrade_ca_audit_cert_validity(ca): """ - Update the IPA Profile provided by dogtag + Update the Dogtag audit signing certificate. Returns True if restart is needed, False otherwise. """ - root_logger.info('[Verifying that CA service certificate profile is updated]') + root_logger.info('[Verifying that CA audit signing cert has 2 year validity]') if ca.is_configured(): - ski = ca.enable_subject_key_identifier() - if ski: - root_logger.debug('Subject Key Identifier updated.') - else: - root_logger.debug('Subject Key Identifier already set.') - san = ca.enable_subject_alternative_name() - if san: - root_logger.debug('Subject Alternative Name updated.') - else: - root_logger.debug('Subject Alternative Name already set.') - audit = ca.set_audit_renewal() - uri = ca.set_crl_ocsp_extensions(domain, fqdn) - if audit or ski or san or uri: - return True + return ca.set_audit_renewal() else: root_logger.info('CA is not configured') - - return False + return False def named_remove_deprecated_options(): @@ -1416,7 +1412,7 @@ def upgrade_configuration(): ca_restart = any([ ca_restart, - upgrade_ipa_profile(ca, api.env.domain, fqdn), + upgrade_ca_audit_cert_validity(ca), certificate_renewal_update(ca), ca_enable_pkix(ca), ca_configure_profiles_acl(ca), 
@@ -1430,6 +1426,12 @@ def upgrade_configuration(): except ipautil.CalledProcessError as e: root_logger.error("Failed to restart %s: %s", ca.service_name, e) + # This step MUST be done after ca_enable_ldap_profile_subsystem and + # ca_configure_profiles_acl, and the consequent restart, but does not + # itself require a restart. + # + ca_import_included_profiles(ca) + set_sssd_domain_option('ipa_server_mode', 'True') diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 9654123b16d8e417398d49bf1305fd41880bc3a7..880b319d68728a40f4479626d5a7c2b8c56ced02 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -1966,17 +1966,19 @@ class RestClient(Backend): self.ipa_key_size = "2048" self.ipa_certificate_nickname = "ipaCert" self.ca_certificate_nickname = "caCert" - try: - f = open(self.pwd_file, "r") - self.password = f.readline().strip() - f.close() - except IOError: - self.password = '' + self._read_password() super(RestClient, self).__init__() # session cookie self.cookie = None + def _read_password(self): + try: + with open(self.pwd_file) as f: + self.password = f.readline().strip() + except IOError: + self.password = '' + @cachedproperty def ca_host(self): """ -- 2.1.0 -------------- next part -------------- From 43eee6db57edc5d80ed48813f8a944651ec95887 Mon Sep 17 00:00:00 2001 
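Review bot: in `caIPAserviceCert.cfg`, `policyset.serverCertSet.8.constraint.params.signingAlgsAllowed` admits `MD5withRSA`, `MD2withRSA` and the SHA-1 variants. Because the default `signingAlg=-` defers to the CA's configured algorithm, this allow-list only widens what a requester may ask for, so trimming it to `SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC` costs IPA clients nothing and rules out issuance under broken digests. Likewise `policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096` still accepts 1024-bit RSA for a profile that is now shipped and imported by default; drop `1024`. Minor: `policyset.serverCertSet.8.constraint.name=No Constraint` mislabels a `signingAlgConstraintImpl`; call it "Signing Algorithm Constraint".

Review bot: `import_included_profiles` adds the LDAP entry (`conn.add_entry(entry)`) before the Dogtag import is attempted, and on the upgrade path a `RemoteRetrieveError` from `profile_api.create_profile` is swallowed. If the import fails, the entry persists, every later run hits `conn.get_entry(dn)` and `continue`s, and the profile is never retried, leaving LDAP and Dogtag disagreeing about whether it exists. Import into Dogtag first (or remove the entry on failure) and log the error rather than passing silently. The same `except errors.RemoteRetrieveError:` treats any non-2xx response as a "conflicting profile"; in the installer context that proceeds to `delete_profile` of whatever is there after, say, an agent authentication failure, so inspect the error before deleting. `conn.disconnect()` belongs in a `finally:`, and the hard-coded `/usr/share/ipa/profiles/{}.cfg` would be better taken from a path constant next to the other install data paths.

Review bot: `ca_import_included_profiles` returns the result of `cainstance.import_included_profiles()`, and that function (cainstance.py hunk) has no `return` statement, so the value is always `None`; the sibling `ca_*` upgrade steps return a bool and the `return False` in the not-configured branch suggests that was intended here too. Either return a bool (for instance whether anything was imported) or drop the `return` and document that the step only has side effects. Also the docstring of `upgrade_ca_audit_cert_validity` says "Update the Dogtag audit signing certificate", but the body only calls `ca.set_audit_renewal()`; align the docstring with the log line about 2-year validity.

Review bot: `_read_password` is named as private, yet the cainstance.py hunk calls `api.Backend.ra_certprofile._read_password()` from another module to re-read an agent password that did not exist when the backend was instantiated. Make that a public method, or read the password lazily on first request, so the cross-module call does not depend on a private name. And when `open(self.pwd_file)` raises `IOError` the password silently becomes `''`, which surfaces later only as an opaque REST failure; a debug log line naming `self.pwd_file` would make that much easier to diagnose.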
From: Fraser Tweedale Date: Thu, 7 May 2015 21:26:24 -0400 Subject: [PATCH 08/13] Add generic split_any_principal method There exist methods to split user or service/host principals, but there is no method to split any kind of principal and allow the caller to decide what to do. Generalize ``ipalib.plugins.service.split_principal`` to return a service of ``None`` if the principal is a user principal, rename it ``split_any_principal`` and reimplement ``split_principal`` to preserve existing behaviour. Part of: https://fedorahosted.org/freeipa/ticket/4938 --- ipalib/plugins/service.py | 27 +++++++++++++++++++-------- 1 file changed, 19 insertions(+), 8 deletions(-) diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py index b37dc7b4bf56b69df204fd29e9487f1390197bbe..5af320286bab98535e1f7118840afc4d525be401 100644 --- a/ipalib/plugins/service.py +++ b/ipalib/plugins/service.py @@ -185,19 +185,24 @@ _ticket_flags_map = { _ticket_flags_default = _ticket_flags_map['ipakrbrequirespreauth'] -def split_principal(principal): +def split_any_principal(principal): service = hostname = realm = None # Break down the principal into its component parts, which may or # may not include the realm. sp = principal.split('/') - if len(sp) != 2: - raise errors.MalformedServicePrincipal(reason=_('missing service')) + name_and_realm = None + if len(sp) > 2: + raise errors.MalformedServicePrincipal(reason=_('unable to determine service')) + elif len(sp) == 2: + service = sp[0] + if len(service) == 0: + raise errors.MalformedServicePrincipal(reason=_('blank service')) + name_and_realm = sp[1] + else: + name_and_realm = sp[0] - service = sp[0] - if len(service) == 0: - raise errors.MalformedServicePrincipal(reason=_('blank service')) - sr = sp[1].split('@') + sr = name_and_realm.split('@') if len(sr) > 2: raise errors.MalformedServicePrincipal( reason=_('unable to determine realm')) 
@@ -212,7 +217,13 @@ def split_principal(principal): realm = api.env.realm # Note that realm may be None. - return (service, hostname, realm) + return service, hostname, realm + +def split_principal(principal): + service, name, realm = split_any_principal(principal) + if service is None: + raise errors.MalformedServicePrincipal(reason=_('missing service')) + return service, name, realm def validate_principal(ugettext, principal): (service, hostname, principal) = split_principal(principal) -- 2.1.0 -------------- next part -------------- From 40abd142dc544b413dcb4a4724d3bb2d3ad1fe95 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 8 May 2015 02:23:24 -0400 Subject: [PATCH 09/13] Add profile_id parameter to 'request_certificate' Add the profile_id parameter to the 'request_certificate' function and update call sites. Also remove multiple occurrences of the default profile ID 'caIPAserviceCert'. Part of: https://fedorahosted.org/freeipa/ticket/57 --- API.txt | 3 ++- checks/check-ra.py | 2 +- ipalib/plugins/cert.py | 2 +- ipapython/dogtag.py | 2 ++ ipaserver/install/certs.py | 2 +- ipaserver/plugins/dogtag.py | 7 +++++-- ipaserver/plugins/rabase.py | 3 ++- 7 files changed, 14 insertions(+), 7 deletions(-) diff --git a/API.txt b/API.txt index 7d221b839a7058e2bc7c6c95f7121e79a30ebcfd..ec414a97c5913c0f4cc812716c72670dae7432da 100644 --- a/API.txt +++ b/API.txt @@ -485,10 +485,11 @@ arg: Str('serial_number') option: Str('version?', exclude='webui') output: Output('result', None, None) command: cert_request -args: 1,4,1 +args: 1,5,1 arg: File('csr', cli_name='csr_file') option: Flag('add', autofill=True, default=False) option: Str('principal') +option: Str('profile_id') option: Str('request_type', autofill=True, default=u'pkcs10') option: Str('version?', exclude='webui') output: Output('result', , None) diff --git a/checks/check-ra.py b/checks/check-ra.py index a1df50ba4a4ad7fc0b6d2118e40977b1da6edf65..28929545ab7f0a63e47a3829c53cf08d784c9524 100755 
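Review bot: `split_any_principal` is now a public helper whose contract (`service` is `None` for a user principal) is exactly what callers need to know, but it has no docstring; please add one. The visible checks reject `host/` with "blank service" and a third `/` with "unable to determine service", but a bare `@REALM` reaches `name_and_realm.split('@')` with an empty name, so make sure the name handling below the hunk rejects it. `split_principal` re-raising with `'missing service'` keeps the old error text for existing callers, which is good. Minor: the hunk drops the parentheses in `return service, hostname, realm` while `validate_principal` still unpacks with them; harmless, just inconsistent.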
--- a/checks/check-ra.py +++ b/checks/check-ra.py @@ -90,7 +90,7 @@ def assert_equal(trial, reference): api.log.info('******** Testing ra.request_certificate() ********') -request_result = ra.request_certificate(csr) +request_result = ra.request_certificate(csr, ra.DEFAULT_PROFILE) if verbose: print "request_result=\n%s" % request_result assert_equal(request_result, {'subject' : subject, diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py index 7e2c77622b3627e9e57bbcb69291f723ecf509bf..e4cb6dc0aa8b89368806b08674aae277b3653e8f 100644 --- a/ipalib/plugins/cert.py +++ b/ipalib/plugins/cert.py @@ -436,7 +436,7 @@ class cert_request(VirtualCommand): # Request the certificate result = self.Backend.ra.request_certificate( - csr, request_type=request_type) + csr, 'caIPAserviceCert', request_type=request_type) cert = x509.load_certificate(result['certificate']) result['issuer'] = unicode(cert.issuer) result['valid_not_before'] = unicode(cert.valid_not_before_str) diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py index 2b4d233354b974884c88d13a3a1b437915ba0776..659751e57bf3deead0966e748c7302600db0f56c 100644 --- a/ipapython/dogtag.py +++ b/ipapython/dogtag.py @@ -47,6 +47,8 @@ INCLUDED_PROFILES = { (u'caIPAserviceCert', u'Standard profile for network services', True), } +DEFAULT_PROFILE = 'caIPAserviceCert' + class Dogtag10Constants(object): DOGTAG_VERSION = 10 UNSECURE_PORT = 8080 diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py index bc7dccf805386e9fa84b58d2ff9346085e1b93b1..564332e6fde0698a23884922c5018fab59da7e4d 100644 --- a/ipaserver/install/certs.py +++ b/ipaserver/install/certs.py @@ -386,7 +386,7 @@ class CertDB(object): # We just want the CSR bits, make sure there is nothing else csr = pkcs10.strip_header(csr) - params = {'profileId': 'caIPAserviceCert', + params = {'profileId': dogtag.DEFAULT_PROFILE, 'cert_request_type': 'pkcs10', 'requestor_name': 'IPA Installer', 'cert_request': csr, 
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 880b319d68728a40f4479626d5a7c2b8c56ced02..e6668bb43b994863a14fdd347635753422ed9388 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -1284,6 +1284,8 @@ class ra(rabase.rabase): """ Request Authority backend plugin. """ + DEFAULT_PROFILE = dogtag.DEFAULT_PROFILE + def __init__(self): if api.env.in_tree: self.sec_dir = api.env.dot_ipa + os.sep + 'alias' @@ -1541,9 +1543,10 @@ class ra(rabase.rabase): return cmd_result - def request_certificate(self, csr, request_type='pkcs10'): + def request_certificate(self, csr, profile_id, request_type='pkcs10'): """ :param csr: The certificate signing request. + :param profile_id: The profile to use for the request. :param request_type: The request type (defaults to ``'pkcs10'``). Submit certificate signing request. @@ -1575,7 +1578,7 @@ class ra(rabase.rabase): http_status, http_reason_phrase, http_headers, http_body = \ self._sslget('/ca/eeca/ca/profileSubmitSSLClient', self.env.ca_ee_port, - profileId='caIPAserviceCert', + profileId=profile_id, cert_request_type=request_type, cert_request=csr, xml='true') diff --git a/ipaserver/plugins/rabase.py b/ipaserver/plugins/rabase.py index e14969970ef5b402d06b766f895200c6eb4fc76f..cf4426235b02866a3f565c51c52c44aabbdc1153 100644 --- a/ipaserver/plugins/rabase.py +++ b/ipaserver/plugins/rabase.py @@ -67,11 +67,12 @@ class rabase(Backend): """ raise errors.NotImplementedError(name='%s.get_certificate' % self.name) - def request_certificate(self, csr, request_type='pkcs10'): + def request_certificate(self, csr, profile_id, request_type='pkcs10'): """ Submit certificate signing request. :param csr: The certificate signing request. + :param profile_id: Profile to use for this request. :param request_type: The request type (defaults to ``'pkcs10'``). """ raise errors.NotImplementedError(name='%s.request_certificate' % self.name) -- 2.1.0 -------------- next part -------------- 
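Review bot: in the ipalib/plugins/cert.py hunk the new positional argument is the literal `'caIPAserviceCert'` (`csr, 'caIPAserviceCert', request_type=request_type`), which reintroduces the hardcoded profile ID this patch says it removes; use `self.Backend.ra.DEFAULT_PROFILE`, which the ipaserver/plugins/dogtag.py hunk defines for exactly this purpose, so the default lives in one place.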
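Review bot: in the ipaserver/plugins/dogtag.py request_certificate hunk, `profile_id` is forwarded unchanged as `profileId=profile_id` in the profileSubmitSSLClient call with no check that it names a profile the CA knows; since this is the boundary to the CA, the docstring (here and in rabase.py) should say that callers are responsible for validating the profile first, or the backend should reject unknown IDs itself instead of surfacing the CA's error.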
From 87cb5a5ed2847d44ad65e73fdb414616748ce313 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Mon, 18 May 2015 22:11:52 -0400 Subject: [PATCH 10/13] Add usercertificate attribute to user plugin Part of: https://fedorahosted.org/freeipa/tickets/4938 --- ACI.txt | 2 +- API.txt | 18 ++++++++++++------ install/share/default-aci.ldif | 1 + install/updates/20-aci.update | 4 ++++ ipalib/plugins/baseuser.py | 10 ++++++++-- ipalib/plugins/user.py | 2 +- 6 files changed, 27 insertions(+), 10 deletions(-) diff --git a/ACI.txt b/ACI.txt index 035a545511e4f56dcb492c97514de59cfc028405..fca5b269522c4ab80858c23b1a61e229eee0048e 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -281,7 +281,7 @@ aci: (targetattr = "krbprincipalkey || passwordhistory || sambalmpassword || sam dn: cn=users,cn=accounts,dc=ipa,dc=example aci: (targetattr = "ipasshpubkey")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=System: Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=users,cn=accounts,dc=ipa,dc=example -aci: (targetattr = "businesscategory || carlicense || cn || description || displayname || employeetype || facsimiletelephonenumber || gecos || givenname || homephone || inetuserhttpurl || initials || l || labeleduri || loginshell || manager || mepmanagedentry || mobile || objectclass || ou || pager || postalcode || preferredlanguage || roomnumber || secretary || seealso || sn || st || street || telephonenumber || title || userclass")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Modify Users";allow (write) groupdn = "ldap:///cn=System: Modify Users,cn=permissions,cn=pbac,dc=ipa,dc=example";) +aci: (targetattr = "businesscategory || carlicense || cn || description || displayname || employeetype || facsimiletelephonenumber || gecos || givenname || homephone || inetuserhttpurl || initials || l || labeleduri || loginshell || manager || mepmanagedentry || mobile || objectclass || ou || pager || postalcode || preferredlanguage || roomnumber || secretary || seealso || sn || st || street || telephonenumber || title || usercertificate || userclass")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Modify Users";allow (write) groupdn = "ldap:///cn=System: Modify Users,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=ipa,dc=example aci: (targetattr = "*")(target = "ldap:///cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read UPG 
Definition";allow (compare,read,search) groupdn = "ldap:///cn=System: Read UPG Definition,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=users,cn=accounts,dc=ipa,dc=example diff --git a/API.txt b/API.txt index ec414a97c5913c0f4cc812716c72670dae7432da..a59e99ba31bf901b960c36b05541c3e400d4ec7c 100644 --- a/API.txt +++ b/API.txt @@ -3808,7 +3808,7 @@ output: Entry('result', , Gettext('A dictionary representing an LDA output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) command: stageuser_add -args: 1,43,3 +args: 1,44,3 arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') @@ -3850,6 +3850,7 @@ option: Str('street', attribute=True, cli_name='street', multivalue=False, requi option: Str('telephonenumber', attribute=True, cli_name='phone', multivalue=True, required=False) option: Str('title', attribute=True, cli_name='title', multivalue=False, required=False) option: Int('uidnumber', attribute=True, cli_name='uid', minvalue=1, multivalue=False, required=False) +option: Bytes('usercertificate', attribute=True, cli_name='certificate', multivalue=True, required=False) option: Str('userclass', attribute=True, cli_name='class', multivalue=True, required=False) option: Password('userpassword', attribute=True, cli_name='password', exclude='webui', multivalue=False, required=False) option: Str('version?', exclude='webui') 
@@ -3865,7 +3866,7 @@ output: Output('result', , None) output: Output('summary', (, ), None) output: ListOfPrimaryKeys('value', None, None) command: stageuser_find -args: 1,52,4 +args: 1,53,4 arg: Str('criteria?', noextrawhitespace=False) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('carlicense', attribute=True, autofill=False, cli_name='carlicense', multivalue=True, query=True, required=False) @@ -3916,6 +3917,7 @@ option: Int('timelimit?', autofill=False, minvalue=0) option: Str('title', attribute=True, autofill=False, cli_name='title', multivalue=False, query=True, required=False) option: Str('uid', attribute=True, autofill=False, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=False) option: Int('uidnumber', attribute=True, autofill=False, cli_name='uid', minvalue=1, multivalue=False, query=True, required=False) +option: Bytes('usercertificate', attribute=True, autofill=False, cli_name='certificate', multivalue=True, query=True, required=False) option: Str('userclass', attribute=True, autofill=False, cli_name='class', multivalue=True, query=True, required=False) option: Password('userpassword', attribute=True, autofill=False, cli_name='password', exclude='webui', multivalue=False, query=True, required=False) option: Str('version?', exclude='webui') @@ -3924,7 +3926,7 @@ output: ListOfEntries('result', (, ), Gettext('A list output: Output('summary', (, ), None) output: Output('truncated', , None) command: stageuser_mod -args: 1,44,3 +args: 1,45,3 arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') 
@@ -3967,6 +3969,7 @@ option: Str('street', attribute=True, autofill=False, cli_name='street', multiva option: Str('telephonenumber', attribute=True, autofill=False, cli_name='phone', multivalue=True, required=False) option: Str('title', attribute=True, autofill=False, cli_name='title', multivalue=False, required=False) option: Int('uidnumber', attribute=True, autofill=False, cli_name='uid', minvalue=1, multivalue=False, required=False) +option: Bytes('usercertificate', attribute=True, autofill=False, cli_name='certificate', multivalue=True, required=False) option: Str('userclass', attribute=True, autofill=False, cli_name='class', multivalue=True, required=False) option: Password('userpassword', attribute=True, autofill=False, cli_name='password', exclude='webui', multivalue=False, required=False) option: Str('version?', exclude='webui') @@ -4594,7 +4597,7 @@ output: Entry('result', , Gettext('A dictionary representing an LDA output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) command: user_add -args: 1,44,3 +args: 1,45,3 arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') 
@@ -4637,6 +4640,7 @@ option: Str('street', attribute=True, cli_name='street', multivalue=False, requi option: Str('telephonenumber', attribute=True, cli_name='phone', multivalue=True, required=False) option: Str('title', attribute=True, cli_name='title', multivalue=False, required=False) option: Int('uidnumber', attribute=True, cli_name='uid', minvalue=1, multivalue=False, required=False) +option: Bytes('usercertificate', attribute=True, cli_name='certificate', multivalue=True, required=False) option: Str('userclass', attribute=True, cli_name='class', multivalue=True, required=False) option: Password('userpassword', attribute=True, cli_name='password', exclude='webui', multivalue=False, required=False) option: Str('version?', exclude='webui') @@ -4668,7 +4672,7 @@ output: Output('result', , None) output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) command: user_find -args: 1,55,4 +args: 1,56,4 arg: Str('criteria?', noextrawhitespace=False) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('carlicense', attribute=True, autofill=False, cli_name='carlicense', multivalue=True, query=True, required=False) 
@@ -4721,6 +4725,7 @@ option: Int('timelimit?', autofill=False, minvalue=0) option: Str('title', attribute=True, autofill=False, cli_name='title', multivalue=False, query=True, required=False) option: Str('uid', attribute=True, autofill=False, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=False) option: Int('uidnumber', attribute=True, autofill=False, cli_name='uid', minvalue=1, multivalue=False, query=True, required=False) +option: Bytes('usercertificate', attribute=True, autofill=False, cli_name='certificate', multivalue=True, query=True, required=False) option: Str('userclass', attribute=True, autofill=False, cli_name='class', multivalue=True, query=True, required=False) option: Password('userpassword', attribute=True, autofill=False, cli_name='password', exclude='webui', multivalue=False, query=True, required=False) option: Str('version?', exclude='webui') @@ -4730,7 +4735,7 @@ output: ListOfEntries('result', (, ), Gettext('A list output: Output('summary', (, ), None) output: Output('truncated', , None) command: user_mod -args: 1,45,3 +args: 1,46,3 arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') 
@@ -4774,6 +4779,7 @@ option: Str('street', attribute=True, autofill=False, cli_name='street', multiva option: Str('telephonenumber', attribute=True, autofill=False, cli_name='phone', multivalue=True, required=False) option: Str('title', attribute=True, autofill=False, cli_name='title', multivalue=False, required=False) option: Int('uidnumber', attribute=True, autofill=False, cli_name='uid', minvalue=1, multivalue=False, required=False) +option: Bytes('usercertificate', attribute=True, autofill=False, cli_name='certificate', multivalue=True, required=False) option: Str('userclass', attribute=True, autofill=False, cli_name='class', multivalue=True, required=False) option: Password('userpassword', attribute=True, autofill=False, cli_name='password', exclude='webui', multivalue=False, required=False) option: Str('version?', exclude='webui') diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif index af7eedb0b92375f893a61ad1fb6e2d7b176389f9..7b174e774aae3ea012a431fe4a2535fb4230e402 100644 --- a/install/share/default-aci.ldif +++ b/install/share/default-aci.ldif @@ -10,6 +10,7 @@ changetype: modify add: aci aci: (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";) aci: (targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";) +aci: (targetattr = "usercertificate")(version 3.0;acl "selfservice:Users can manage their own X.509 certificates";allow (write) userdn = "ldap:///self";) dn: cn=etc,$SUFFIX changetype: modify 
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update index fde3afeee59e4d4dc0bd6a9c0eb24ab255c4e637..4a8b67c6579da4dab74d02861640264446153f87 100644 --- a/install/updates/20-aci.update +++ b/install/updates/20-aci.update @@ -79,3 +79,7 @@ add:aci: (targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Group add:aci: (targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Entities are allowed to rekey themselves"; allow(write) userdn="ldap:///self";) add:aci: (targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Admins are allowed to rekey any entity"; allow(write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) add:aci: (targetfilter="(|(objectclass=ipaHost)(objectclass=ipaService))")(targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Entities are allowed to rekey managed entries"; allow(write) userattr="managedby#USERDN";) + +# User certificates +dn: $SUFFIX +add:aci:(targetattr = "usercertificate")(version 3.0;acl "selfservice:Users can manage their own X.509 certificates";allow (write) userdn = "ldap:///self";) diff --git a/ipalib/plugins/baseuser.py b/ipalib/plugins/baseuser.py index a1be29d83550a0412ed37cfde47ac74c6ca478fd..d2bc68f45ad9a3632a237c01961a30592514d96d 100644 --- a/ipalib/plugins/baseuser.py +++ b/ipalib/plugins/baseuser.py @@ -23,10 +23,11 @@ import posixpath import os from ipalib import api, errors -from ipalib import Flag, Int, Password, Str, Bool, StrEnum, DateTime +from ipalib import Flag, Int, Password, Str, Bool, StrEnum, DateTime, Bytes from ipalib.plugable import Registry from ipalib.plugins.baseldap import DN, LDAPObject, \ LDAPCreate, LDAPUpdate, LDAPSearch, LDAPDelete, LDAPRetrieve +from ipalib.plugins.service import validate_certificate from ipalib.plugins import baseldap from ipalib.request import context from ipalib import _, ngettext 
@@ -188,7 +189,7 @@ class baseuser(LDAPObject): 'telephonenumber', 'title', 'memberof', 'nsaccountlock', 'memberofindirect', 'ipauserauthtype', 'userclass', 'ipatokenradiusconfiglink', 'ipatokenradiususername', - 'krbprincipalexpiration' + 'krbprincipalexpiration', 'usercertificate', ] search_display_attributes = [ 'uid', 'givenname', 'sn', 'homedirectory', 'loginshell', @@ -383,6 +384,11 @@ class baseuser(LDAPObject): + '(\s*,\s*[a-zA-Z]{1,8}(-[a-zA-Z]{1,8})?(;q\=((0(\.[0-9]{0,3})?)|(1(\.0{0,3})?)))?)*)|(\*))$', pattern_errmsg='must match RFC 2068 - 14.4, e.g., "da, en-gb;q=0.8, en;q=0.7"', ), + Bytes('usercertificate*', validate_certificate, + cli_name='certificate', + label=_('Certificate'), + doc=_('Base-64 encoded server certificate'), + ), ) def normalize_and_validate_email(self, email, config=None): diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index 54d47bb01450ec462577e552315e3d680b7648c3..119294b19f54a395a2df65c6cfd47cd8eb844297 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py @@ -267,7 +267,7 @@ class user(baseuser): 'mepmanagedentry', 'mobile', 'objectclass', 'ou', 'pager', 'postalcode', 'roomnumber', 'secretary', 'seealso', 'sn', 'st', 'street', 'telephonenumber', 'title', 'userclass', - 'preferredlanguage', + 'preferredlanguage', 'usercertificate', }, 'replaces': [ '(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,$SUFFIX";)', -- 2.1.0 -------------- next part -------------- 
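Review bot: the new selfservice ACI in the install/share/default-aci.ldif hunk grants `allow (write)` on `usercertificate` to `userdn = "ldap:///self"`, so any user can add, replace or remove certificates on their own entry directly over LDAP, bypassing whatever checks cert-request performs; please confirm that nothing consumes usercertificate as a trusted, CA-issued value, and state that intent in the commit message.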
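Review bot: the @@ -23 hunk in ipalib/plugins/baseuser.py imports validate_certificate from ipalib.plugins.service, which makes the base user plugin depend on the service plugin for a generic X.509 helper; consider moving validate_certificate into a shared module (for example next to the x509 helpers) so the dependency points the right way.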
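Review bot: in the @@ -383 hunk of ipalib/plugins/baseuser.py the parameter help reads `doc=_('Base-64 encoded server certificate')`, copied from the service plugin; this attribute holds a user certificate, so the text should say 'Base-64 encoded user certificate'.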
From 901b0b29a3f2e27b4f837695ee20ac5eae4c123d Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Thu, 14 May 2015 01:45:16 -0400 Subject: [PATCH 11/13] Update cert-request to support user certs and profiles Part of: https://fedorahosted.org/freeipa/ticket/57 Part of: https://fedorahosted.org/freeipa/ticket/4938 --- ipalib/pkcs10.py | 1 + ipalib/plugins/cert.py | 213 +++++++++++++++++++++++++++++-------------------- 2 files changed, 126 insertions(+), 88 deletions(-) diff --git a/ipalib/pkcs10.py b/ipalib/pkcs10.py index f35e200a2c1b47e2a2c8cffcf9b723f398fe3221..6299dfea43b7a3f4104f0b0ec78c4f105d9daf62 100644 --- a/ipalib/pkcs10.py +++ b/ipalib/pkcs10.py @@ -30,6 +30,7 @@ PEM = 0 DER = 1 SAN_DNSNAME = 'DNS name' +SAN_RFC822NAME = 'RFC822 Name' SAN_OTHERNAME_UPN = 'Other Name (OID.1.3.6.1.4.1.311.20.2.3)' SAN_OTHERNAME_KRB5PRINCIPALNAME = 'Other Name (OID.1.3.6.1.5.2.2)' diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py index e4cb6dc0aa8b89368806b08674aae277b3653e8f..34621b552d3e527c2dd0fee46e240542179227f9 100644 --- a/ipalib/plugins/cert.py +++ b/ipalib/plugins/cert.py @@ -31,7 +31,8 @@ from ipalib import ngettext from ipalib.plugable import Registry from ipalib.plugins.virtual import * from ipalib.plugins.baseldap import pkey_to_value -from ipalib.plugins.service import split_principal +from ipalib.plugins.service import split_any_principal +from ipalib.plugins.certprofile import validate_profile_id import base64 import traceback from ipalib.text import _ @@ -122,6 +123,8 @@ http://www.ietf.org/rfc/rfc5280.txt """) +USER, HOST, SERVICE = range(3) + register = Registry() def validate_pkidate(ugettext, value): @@ -232,7 +235,7 @@ class cert_request(VirtualCommand): takes_options = ( Str('principal', label=_('Principal'), - doc=_('Service principal for this certificate (e.g. HTTP/test.example.com)'), + doc=_('Principal for this certificate (e.g. HTTP/test.example.com)'), ), Str('request_type', default=u'pkcs10', 
@@ -243,6 +246,10 @@ class cert_request(VirtualCommand): default=False, autofill=True ), + Str('profile_id', validate_profile_id, + label=_("Profile ID"), + doc=_("Certificate Profile to use"), + ) ) has_output_params = ( @@ -294,10 +301,9 @@ class cert_request(VirtualCommand): ca_enabled_check() ldap = self.api.Backend.ldap2 - principal = kw.get('principal') add = kw.get('add') request_type = kw.get('request_type') - service = None + profile_id = kw.get('profile_id', self.Backend.ra.DEFAULT_PROFILE) """ Access control is partially handled by the ACI titled @@ -310,9 +316,21 @@ class cert_request(VirtualCommand): taskgroup (directly or indirectly via role membership). """ - bind_principal = getattr(context, 'principal') - # Can this user request certs? - if not bind_principal.startswith('host/'): + principal_string = kw.get('principal') + principal = split_any_principal(principal_string) + servicename, principal_name, realm = principal + if servicename is None: + principal_type = USER + elif servicename == 'host': + principal_type = HOST + else: + principal_type = SERVICE + + bind_principal = split_any_principal(getattr(context, 'principal')) + bind_service, bind_name, bind_realm = bind_principal + + if bind_principal != principal: + # Can the bound principal request certs for another principal? self.check_access() try: 
@@ -323,57 +341,71 @@ class cert_request(VirtualCommand): raise errors.CertificateOperationError( error=_("Failure decoding Certificate Signing Request: %s") % e) - if not bind_principal.startswith('host/'): + # host principals may bypass allowed ext check + if bind_service != 'host': for ext in extensions: operation = self._allowed_extensions.get(ext) if operation: self.check_access(operation) - # Ensure that the hostname in the CSR matches the principal - subject_host = subject.common_name #pylint: disable=E1101 - if not subject_host: + dn = None + principal_obj = None + # See if the service exists and punt if it doesn't and we aren't + # going to add it + try: + if principal_type == SERVICE: + principal_obj = api.Command['service_show'](principal_string, all=True) + elif principal_type == HOST: + principal_obj = api.Command['host_show'](principal_name, all=True) + elif principal_type == USER: + principal_obj = api.Command['user_show'](principal_name, all=True) + except errors.NotFound as e: + if principal_type == SERVICE and add: + principal_obj = api.Command['service_add'](principal_string, force=True) + else: + raise errors.NotFound( + reason=_("The principal for this request doesn't exist.")) + principal_obj = principal_obj['result'] + dn = principal_obj['dn'] + + # Ensure that the DN in the CSR matches the principal + cn = subject.common_name #pylint: disable=E1101 + if not cn: raise errors.ValidationError(name='csr', - error=_("No hostname was found in subject of request.")) + error=_("No Common Name was found in subject of request.")) - (servicename, hostname, realm) = split_principal(principal) - if subject_host.lower() != hostname.lower(): - raise errors.ACIError( - info=_("hostname in subject of request '%(subject_host)s' " - "does not match principal hostname '%(hostname)s'") % dict( - subject_host=subject_host, hostname=hostname)) + if principal_type in (SERVICE, HOST): + if cn.lower() != principal_name.lower(): + raise errors.ACIError( + 
info=_("hostname in subject of request '%(cn)s' " + "does not match principal hostname '%(hostname)s'") + % dict(cn=cn, hostname=principal_name)) + elif principal_type == USER: + # check user name + if cn != principal_name: + raise errors.ValidationError( + name='csr', + error=_( + "DN commonName does not match " + "any of user's email addresses") + ) + + # check email address + mail = subject.email_address #pylint: disable=E1101 + if mail is not None and mail not in principal_obj.get('mail', []): + raise errors.ValidationError( + name='csr', + error=_( + "DN emailAddress does not match " + "any of user's email addresses") + ) for ext in extensions: if ext not in self._allowed_extensions: raise errors.ValidationError( name='csr', error=_("extension %s is forbidden") % ext) - for name_type, name in subjectaltname: - if name_type not in (pkcs10.SAN_DNSNAME, - pkcs10.SAN_OTHERNAME_KRB5PRINCIPALNAME, - pkcs10.SAN_OTHERNAME_UPN): - raise errors.ValidationError( - name='csr', - error=_("subject alt name type %s is forbidden") % - name_type) - - dn = None - service = None - # See if the service exists and punt if it doesn't and we aren't - # going to add it - try: - if servicename != 'host': - service = api.Command['service_show'](principal, all=True) - else: - service = api.Command['host_show'](hostname, all=True) - except errors.NotFound, e: - if not add: - raise errors.NotFound(reason=_("The service principal for " - "this request doesn't exist.")) - service = api.Command['service_add'](principal, force=True) - service = service['result'] - dn = service['dn'] - - # We got this far so the service entry exists, can we write it? + # We got this far so the principal entry exists, can we write it? if not ldap.can_write(dn, "usercertificate"): raise errors.ACIError(info=_("Insufficient 'write' privilege " "to the 'userCertificate' attribute of entry '%s'.") % dn) 
@@ -382,13 +414,20 @@ class cert_request(VirtualCommand): for name_type, name in subjectaltname: if name_type == pkcs10.SAN_DNSNAME: name = unicode(name) + alt_principal_obj = None try: - if servicename == 'host': - altservice = api.Command['host_show'](name, all=True) - else: + if principal_type == HOST: + alt_principal_obj = api.Command['host_show'](name, all=True) + elif principal_type == SERVICE: altprincipal = '%s/%s@%s' % (servicename, name, realm) - altservice = api.Command['service_show']( + alt_principal_obj = api.Command['service_show']( altprincipal, all=True) + elif principal_type == USER: + raise errors.ValidationError( + name='csr', + error=_("subject alt name type %s is forbidden " + "for user principals") % name_type + ) except errors.NotFound: # We don't want to issue any certificates referencing # machines we don't know about. Nothing is stored in this 
@@ -396,47 +435,41 @@ class cert_request(VirtualCommand): raise errors.NotFound(reason=_('The service principal for ' 'subject alt name %s in certificate request does not ' 'exist') % name) - altdn = altservice['result']['dn'] - if not ldap.can_write(altdn, "usercertificate"): - raise errors.ACIError(info=_( - "Insufficient privilege to create a certificate with " - "subject alt name '%s'.") % name) + if alt_principal_obj is not None: + altdn = alt_principal_obj['result']['dn'] + if not ldap.can_write(altdn, "usercertificate"): + raise errors.ACIError(info=_( + "Insufficient privilege to create a certificate " + "with subject alt name '%s'.") % name) elif name_type in (pkcs10.SAN_OTHERNAME_KRB5PRINCIPALNAME, pkcs10.SAN_OTHERNAME_UPN): - if name != principal: + if name != principal_string: raise errors.ACIError( info=_("Principal '%s' in subject alt name does not " - "match requested service principal") % name) + "match requested principal") % name) + elif name_type == pkcs10.SAN_RFC822NAME: + if principal_type == USER: + if name not in principal_obj.get('mail', []): + raise errors.ValidationError( + name='csr', + error=_( + "RFC822Name does not match " + "any of user's email addresses") + ) + else: + raise errors.ValidationError( + name='csr', + error=_("subject alt name type %s is forbidden " + "for non-user principals") % name_type + ) else: raise errors.ACIError( info=_("Subject alt name type %s is forbidden") % name_type) - if 'usercertificate' in service: - serial = x509.get_serial_number(service['usercertificate'][0], datatype=x509.DER) - # revoke the certificate and remove it from the service - # entry before proceeding. First we retrieve the certificate to - # see if it is already revoked, if not then we revoke it. 
- try: - result = api.Command['cert_show'](unicode(serial))['result'] - if 'revocation_reason' not in result: - try: - api.Command['cert_revoke'](unicode(serial), revocation_reason=4) - except errors.NotImplementedError: - # some CA's might not implement revoke - pass - except errors.NotImplementedError: - # some CA's might not implement get - pass - if not principal.startswith('host/'): - api.Command['service_mod'](principal, usercertificate=None) - else: - hostname = get_host_from_principal(principal) - api.Command['host_mod'](hostname, usercertificate=None) - # Request the certificate result = self.Backend.ra.request_certificate( - csr, 'caIPAserviceCert', request_type=request_type) + csr, profile_id, request_type=request_type) cert = x509.load_certificate(result['certificate']) result['issuer'] = unicode(cert.issuer) result['valid_not_before'] = unicode(cert.valid_not_before_str) 
@@ -444,15 +477,19 @@ class cert_request(VirtualCommand): result['md5_fingerprint'] = unicode(nss.data_to_hex(nss.md5_digest(cert.der_data), 64)[0]) result['sha1_fingerprint'] = unicode(nss.data_to_hex(nss.sha1_digest(cert.der_data), 64)[0]) - # Success? Then add it to the service entry. - if 'certificate' in result: - if not principal.startswith('host/'): - skw = {"usercertificate": str(result.get('certificate'))} - api.Command['service_mod'](principal, **skw) - else: - hostname = get_host_from_principal(principal) - skw = {"usercertificate": str(result.get('certificate'))} - api.Command['host_mod'](hostname, **skw) + # Success? Then add it to the principal's entry + # (unless the profile tells us not to) + profile = api.Command['certprofile_show'](profile_id) + store = profile['result']['ipacertprofilestoreissued'][0] == 'TRUE' + if store and 'certificate' in result: + cert = str(result.get('certificate')) + kwargs = dict(addattr=u'usercertificate={}'.format(cert)) + if principal_type == SERVICE: + api.Command['service_mod'](principal_string, **kwargs) + elif principal_type == HOST: + api.Command['host_mod'](principal_name, **kwargs) + elif principal_type == USER: + api.Command['user_mod'](principal_name, **kwargs) return dict( result=result -- 2.1.0 -------------- next part -------------- From 8003f9b9accd5fb4a7f9b7c5e5cfa5f069e4cb61 Mon Sep 17 00:00:00 2001 
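Review bot: in the @@ -294 hunk, `profile_id = kw.get('profile_id', self.Backend.ra.DEFAULT_PROFILE)` only falls back to the default when the key is absent; if the option ever arrives as an explicit None, the CA is asked for profile None. Giving `Str('profile_id', ...)` a `default=` with autofill, or writing `kw.get('profile_id') or self.Backend.ra.DEFAULT_PROFILE`, is more robust.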
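Review bot: the @@ -310 hunk changes who must pass check_access(): previously every non-host caller needed the request permission, now `if bind_principal != principal:` skips it whenever a principal requests a certificate for itself. Together with the selfservice write ACI on usercertificate from PATCH 10, any authenticated user can have a certificate issued for themselves under any profile that passes validate_profile_id, because nothing in this patch ties profile_id to the requesting principal. If CA ACL enforcement is meant to cover this, say so in the commit message and land it in the same series; otherwise keep the check_access() call for self-requests as well.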
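Review bot: in the @@ -323 hunk the user branch compares `cn != principal_name` but raises `"DN commonName does not match any of user's email addresses"`, a message copied from the email check just below it; it should say that the commonName does not match the user's login name. Also `except errors.NotFound as e:` no longer uses `e`.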
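Review bot: the @@ -396 hunk deletes the block that looked up an existing usercertificate, revoked it (`revocation_reason=4`) and cleared it from the entry before issuing a new one, and the @@ -444 hunk now appends with `addattr` instead of replacing. Re-requesting a certificate therefore leaves the previous one valid and in LDAP, a behaviour change the commit message does not mention; either document that superseded certificates are now intentionally retained, or carry the revoke-and-remove logic over to the per-principal-type code.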
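Review bot: in the @@ -444 hunk `api.Command['certprofile_show'](profile_id)` runs after request_certificate() has already had the CA issue the certificate, so if the profile lookup fails for any reason the command errors out while a live certificate exists that was never stored in the entry. Fetch the profile, and its ipacertprofilestoreissued flag, before submitting the request.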
From: Fraser Tweedale Date: Mon, 25 May 2015 08:39:07 -0400 Subject: [PATCH 12/13] Add CA ACL plugin Implement the caacl commands, which are used to indicate which principals may be issued certificates from which (sub-)CAs, using which profiles. At this commit, and until sub-CAs are implemented, all rules refer to the top-level CA (represented as ".") and no ca-ref argument is exposed. Also add a default CA ACL that permits certificate issuance for all hosts and services using the profile 'caIPAserviceCert' on the top-level CA. Part of: https://fedorahosted.org/freeipa/ticket/57 Part of: https://fedorahosted.org/freeipa/ticket/4559 --- ACI.txt | 10 + API.txt | 171 +++++++++++++++ install/share/60certificate-profiles.ldif | 8 + install/share/Makefile.am | 1 + install/share/bootstrap-template.ldif | 6 + install/share/default-caacl.ldif | 12 ++ install/updates/41-caacl.update | 4 + install/updates/Makefile.am | 1 + ipalib/constants.py | 1 + ipalib/plugins/caacl.py | 343 ++++++++++++++++++++++++++++++ ipaserver/install/dsinstance.py | 4 + 11 files changed, 561 insertions(+) create mode 100644 install/share/default-caacl.ldif create mode 100644 install/updates/41-caacl.update create mode 100644 ipalib/plugins/caacl.py diff --git a/ACI.txt b/ACI.txt index fca5b269522c4ab80858c23b1a61e229eee0048e..c92e341834c1134cab007e61d2953b8e52f375b5 100644 --- a/ACI.txt +++ b/ACI.txt
@@ -22,6 +22,16 @@ dn: cn=automount,dc=ipa,dc=example aci: (targetattr = "automountmapname || description")(targetfilter = "(objectclass=automountmap)")(version 3.0;acl "permission:System: Modify Automount Maps";allow (write) groupdn = "ldap:///cn=System: Modify Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=automount,dc=ipa,dc=example aci: (targetfilter = "(objectclass=automountmap)")(version 3.0;acl "permission:System: Remove Automount Maps";allow (delete) groupdn = "ldap:///cn=System: Remove Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=caacls,cn=ca,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Add CA ACL";allow (add) groupdn = "ldap:///cn=System: Add CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=caacls,cn=ca,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Delete CA ACL";allow (delete) groupdn = "ldap:///cn=System: Delete CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=caacls,cn=ca,dc=ipa,dc=example +aci: (targetattr = "ipacaaclallhosts || ipacaaclallservices || ipacaaclallusers || memberhost || memberservice || memberuser")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Manage CA ACL Membership";allow (write) groupdn = "ldap:///cn=System: Manage CA ACL Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=caacls,cn=ca,dc=ipa,dc=example +aci: (targetattr = "cn || description || ipacaaclallcas || ipacaaclallprofiles || ipacaaclcaref || ipacaaclprofileid || ipaenabledflag")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Modify CA ACL";allow (write) groupdn = "ldap:///cn=System: Modify CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=caacls,cn=ca,dc=ipa,dc=example +aci: (targetattr = "cn || createtimestamp || description || entryusn || ipacaaclallcas || ipacaaclallhosts || ipacaaclallprofiles || ipacaaclallservices 
|| ipacaaclallusers || ipacaaclcaref || ipacaaclprofileid || ipaenabledflag || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Read CA ACLs";allow (compare,read,search) userdn = "ldap:///all";) dn: cn=certprofiles,cn=ca,dc=ipa,dc=example aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Delete Certificate Profile";allow (delete) groupdn = "ldap:///cn=System: Delete Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=certprofiles,cn=ca,dc=ipa,dc=example diff --git a/API.txt b/API.txt index a59e99ba31bf901b960c36b05541c3e400d4ec7c..1b3727059c362d32ac6cc56d7277ebb8763f6943 100644 --- a/API.txt +++ b/API.txt 
@@ -456,6 +456,177 @@ option: Str('version?', exclude='webui') output: Output('result', , None) output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) +command: caacl_add +args: 1,15,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, required=True) +option: Str('addattr*', cli_name='addattr', exclude='webui') +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('description', attribute=True, cli_name='desc', multivalue=False, required=False) +option: Bool('ipacaaclallcas', attribute=True, cli_name='allcas', multivalue=False, required=False) +option: Bool('ipacaaclallhosts', attribute=True, cli_name='allhosts', multivalue=False, required=False) +option: Bool('ipacaaclallprofiles', attribute=True, cli_name='allprofiles', multivalue=False, required=False) +option: Bool('ipacaaclallservices', attribute=True, cli_name='allservices', multivalue=False, required=False) +option: Bool('ipacaaclallusers', attribute=True, cli_name='allusers', multivalue=False, required=False) +option: Str('ipacaaclcaref', attribute=True, cli_name='ca_ref', multivalue=True, required=False) +option: Str('ipacaaclprofileid', attribute=True, cli_name='profile_id', multivalue=True, required=False) +option: Bool('ipaenabledflag', attribute=True, cli_name='ipaenabledflag', multivalue=False, required=False) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('setattr*', cli_name='setattr', exclude='webui') +option: Str('version?', exclude='webui') +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) +command: caacl_add_host +args: 1,6,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) 
+option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('host*', alwaysask=True, cli_name='hosts', csv=True) +option: Str('hostgroup*', alwaysask=True, cli_name='hostgroups', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: caacl_add_service +args: 1,5,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('service*', alwaysask=True, cli_name='services', csv=True) +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: caacl_add_user +args: 1,6,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('group*', alwaysask=True, cli_name='groups', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('user*', alwaysask=True, cli_name='users', csv=True) +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing 
an LDAP entry', domain='ipa', localedir=None)) +command: caacl_del +args: 1,2,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=True, primary_key=True, query=True, required=True) +option: Flag('continue', autofill=True, cli_name='continue', default=False) +option: Str('version?', exclude='webui') +output: Output('result', , None) +output: Output('summary', (, ), None) +output: ListOfPrimaryKeys('value', None, None) +command: caacl_disable +args: 1,1,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Str('version?', exclude='webui') +output: Output('result', , None) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) +command: caacl_enable +args: 1,1,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Str('version?', exclude='webui') +output: Output('result', , None) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) +command: caacl_find +args: 1,17,4 +arg: Str('criteria?', noextrawhitespace=False) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('cn', attribute=True, autofill=False, cli_name='name', multivalue=False, primary_key=True, query=True, required=False) +option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, query=True, required=False) +option: Bool('ipacaaclallcas', attribute=True, autofill=False, cli_name='allcas', multivalue=False, query=True, required=False) +option: Bool('ipacaaclallhosts', attribute=True, autofill=False, cli_name='allhosts', multivalue=False, query=True, required=False) +option: Bool('ipacaaclallprofiles', attribute=True, autofill=False, cli_name='allprofiles', multivalue=False, query=True, required=False) +option: Bool('ipacaaclallservices', attribute=True, autofill=False, cli_name='allservices', multivalue=False, query=True, 
required=False) +option: Bool('ipacaaclallusers', attribute=True, autofill=False, cli_name='allusers', multivalue=False, query=True, required=False) +option: Str('ipacaaclcaref', attribute=True, autofill=False, cli_name='ca_ref', multivalue=True, query=True, required=False) +option: Str('ipacaaclprofileid', attribute=True, autofill=False, cli_name='profile_id', multivalue=True, query=True, required=False) +option: Bool('ipaenabledflag', attribute=True, autofill=False, cli_name='ipaenabledflag', multivalue=False, query=True, required=False) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('pkey_only?', autofill=True, default=False) +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Int('sizelimit?', autofill=False, minvalue=0) +option: Int('timelimit?', autofill=False, minvalue=0) +option: Str('version?', exclude='webui') +output: Output('count', , None) +output: ListOfEntries('result', (, ), Gettext('A list of LDAP entries', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: Output('truncated', , None) +command: caacl_mod +args: 1,17,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Str('addattr*', cli_name='addattr', exclude='webui') +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('delattr*', cli_name='delattr', exclude='webui') +option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, required=False) +option: Bool('ipacaaclallcas', attribute=True, autofill=False, cli_name='allcas', multivalue=False, required=False) +option: Bool('ipacaaclallhosts', attribute=True, autofill=False, cli_name='allhosts', multivalue=False, required=False) +option: Bool('ipacaaclallprofiles', attribute=True, autofill=False, cli_name='allprofiles', multivalue=False, required=False) +option: Bool('ipacaaclallservices', 
attribute=True, autofill=False, cli_name='allservices', multivalue=False, required=False) +option: Bool('ipacaaclallusers', attribute=True, autofill=False, cli_name='allusers', multivalue=False, required=False) +option: Str('ipacaaclcaref', attribute=True, autofill=False, cli_name='ca_ref', multivalue=True, required=False) +option: Str('ipacaaclprofileid', attribute=True, autofill=False, cli_name='profile_id', multivalue=True, required=False) +option: Bool('ipaenabledflag', attribute=True, autofill=False, cli_name='ipaenabledflag', multivalue=False, required=False) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Flag('rights', autofill=True, default=False) +option: Str('setattr*', cli_name='setattr', exclude='webui') +option: Str('version?', exclude='webui') +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) +command: caacl_remove_host +args: 1,6,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('host*', alwaysask=True, cli_name='hosts', csv=True) +option: Str('hostgroup*', alwaysask=True, cli_name='hostgroups', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: caacl_remove_service +args: 1,5,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) 
+option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('service*', alwaysask=True, cli_name='services', csv=True) +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: caacl_remove_user +args: 1,6,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('group*', alwaysask=True, cli_name='groups', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('user*', alwaysask=True, cli_name='users', csv=True) +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: caacl_show +args: 1,5,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Flag('rights', autofill=True, default=False) +option: Str('version?', exclude='webui') +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) command: cert_find args: 0,17,4 
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') diff --git a/install/share/60certificate-profiles.ldif b/install/share/60certificate-profiles.ldif index f1281949e53386e5bfe8b35e0c15858c693c5467..d8f008c5baed4e0021944bcbaa7256aa250e5c23 100644 --- a/install/share/60certificate-profiles.ldif +++ b/install/share/60certificate-profiles.ldif 
@@ -1,3 +1,11 @@ dn: cn=schema attributeTypes: (2.16.840.1.113730.3.8.21.1.1 NAME 'ipaCertProfileStoreIssued' DESC 'Store certificates issued using this profile' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.2' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.2 NAME 'ipaCaAclCaRef' DESC 'Certificate Authority Reference' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 X-ORIGIN 'IPA v4.2' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.3 NAME 'ipaCaAclProfileId' DESC 'Certificate Profile ID' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 X-ORIGIN 'IPA v4.2' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.4 NAME 'ipaCaAclAllCAs' DESC 'Allow use of all CAs' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.2' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.5 NAME 'ipaCaAclAllProfiles' DESC 'Allow ues of all profiles' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.2' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.6 NAME 'ipaCaAclAllUsers' DESC 'Allow all users' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.2' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.7 NAME 'ipaCaAclAllHosts' DESC 'Allow all hosts' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.2' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.8 NAME 'ipaCaAclAllServices' DESC 'Allow all services' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.2' ) objectClasses: (2.16.840.1.113730.3.8.21.2.1 NAME 'ipaCertProfile' SUP top STRUCTURAL MUST ( cn $ description $ ipaCertProfileStoreIssued ) X-ORIGIN 'IPA v4.2' ) +objectClasses: (2.16.840.1.113730.3.8.21.2.2 NAME 'ipaCaAcl' SUP ipaAssociation STRUCTURAL MUST cn MAY ( ipaCaAclCaRef $ ipaCaAclProfileId $ ipaCaAclAllCAs $ ipaCaAclAllProfiles $ ipaCaAclAllUsers $ ipaCaAclAllHosts $ ipaCaAclAllServices $ 
memberService ) X-ORIGIN 'IPA v4.2' ) diff --git a/install/share/Makefile.am b/install/share/Makefile.am index 31f391be25c58b76cc71971852074d80c5514745..e97a89ca93f7f188e06dc982bd69e251f8082df3 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -29,6 +29,7 @@ app_DATA = \ bootstrap-template.ldif \ caJarSigningCert.cfg.template \ default-aci.ldif \ + default-caacl.ldif \ default-hbac.ldif \ default-smb-group.ldif \ default-trust-view.ldif \ diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif index c5d4bad8b80640881f4631e4873a12c82b0ea48a..2387f220fd4fe6e3ccd59f4b592f2473d7acfa44 100644 --- a/install/share/bootstrap-template.ldif +++ b/install/share/bootstrap-template.ldif @@ -441,3 +441,9 @@ changetype: add objectClass: nsContainer objectClass: top cn: certprofiles + +dn: cn=caacls,cn=ca,$SUFFIX +changetype: add +objectClass: nsContainer +objectClass: top +cn: caacls diff --git a/install/share/default-caacl.ldif b/install/share/default-caacl.ldif new file mode 100644 index 0000000000000000000000000000000000000000..b902c2f84a6898ae51e8123956496d64b6356d3e --- /dev/null +++ b/install/share/default-caacl.ldif @@ -0,0 +1,12 @@ +# default CA ACL that grants use of caIPAserviceCert on top-level CA to all hosts and services +dn: ipauniqueid=autogenerate,cn=caacls,cn=ca,$SUFFIX +changetype: add +objectclass: ipaassociation +objectclass: ipacaacl +ipauniqueid: autogenerate +cn: hosts_services_caIPAserviceCert +ipaenabledflag: TRUE +ipacaaclcaref: . +ipacaaclprofileid: caIPAserviceCert +ipacaaclallhosts: TRUE +ipacaaclallservices: TRUE diff --git a/install/updates/41-caacl.update b/install/updates/41-caacl.update new file mode 100644 index 0000000000000000000000000000000000000000..a18b6ec946855c194077d9ac01a8adcfddf8542e --- /dev/null +++ b/install/updates/41-caacl.update @@ -0,0 +1,4 @@ +dn: cn=caacls,cn=ca,$SUFFIX +default: objectClass: nsContainer +default: objectClass: top +default: cn: caacls 
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am index fc6bd624eac619cdddeba29b85440571d85fd69f..eddf4d850ed4b47d5526dc152149fa21b14779d4 100644 --- a/install/updates/Makefile.am +++ b/install/updates/Makefile.am @@ -35,6 +35,7 @@ app_DATA = \ 40-certprofile.update \ 40-otp.update \ 40-vault.update \ + 41-caacl.update \ 45-roles.update \ 50-7_bit_check.update \ 50-dogtag10-migration.update \ diff --git a/ipalib/constants.py b/ipalib/constants.py index 96396a236b8694b3dd988dfe28c1b0c3cc9e3180..9812f843e1e4ced9244f3efd6a9bb6f4c2769655 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -119,6 +119,7 @@ DEFAULT_CONFIG = ( ('container_views', DN(('cn', 'views'), ('cn', 'accounts'))), ('container_masters', DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'))), ('container_certprofile', DN(('cn', 'certprofiles'), ('cn', 'ca'))), + ('container_caacl', DN(('cn', 'caacls'), ('cn', 'ca'))), # Ports, hosts, and URIs: ('xmlrpc_uri', 'http://localhost:8888/ipa/xml'), diff --git a/ipalib/plugins/caacl.py b/ipalib/plugins/caacl.py new file mode 100644 index 0000000000000000000000000000000000000000..84dc6d3c4db5f46d76bed560023b7cb63c5513b1 --- /dev/null +++ b/ipalib/plugins/caacl.py 
@@ -0,0 +1,343 @@ +# +# Copyright (C) 2015 FreeIPA Contributors see COPYING for license +# + +from ipalib import api, errors, output +from ipalib import Bool, Str +from ipalib.plugable import Registry +from ipalib.plugins.baseldap import ( + LDAPObject, LDAPSearch, LDAPCreate, LDAPDelete, LDAPQuery, + LDAPUpdate, LDAPRetrieve, LDAPAddMember, LDAPRemoveMember, + pkey_to_value) +from ipalib.plugins.certprofile import validate_profile_id +from ipalib import _, ngettext +from ipapython.dn import DN + + +__doc__ = _(""" +Manage CA ACL rules. + +This plugin is used to define rules governing which principals are +permitted to have certificates issued using a given certificate +profile. + +PROFILE ID SYNTAX: + +A Profile ID is a string without spaces or punctuation starting with a letter +and followed by a sequence of letters, digits or underscore ("_"). + +EXAMPLES: + + Create a CA ACL "test" that grants all users access to the + "UserCert" profile: + ipa caacl-add test --profile-id=UserCert --allusers=1 + + Display the properties of a named CA ACL: + ipa caacl-show test + + Create a CA ACL to let user "alice" use the "DNP3" profile: + ipa caacl-add john_dnp3 --profile-id=DNP3 + ipa caacl-add-user --user=alice + + Disable a CA ACL: + ipa caacl-disable test + + Remove a CA ACL: + ipa caacl-del test +""") + +register = Registry() + + + at register() +class caacl(LDAPObject): + """ + CA ACL object. 
+ """ + container_dn = api.env.container_caacl + object_name = _('CA ACL') + object_name_plural = _('CA ACLs') + object_class = ['ipaassociation', 'ipacaacl'] + permission_filter_objectclasses = ['ipacaacl'] + default_attributes = [ + 'cn', 'description', 'ipaenabledflag', + 'ipacaaclprofileid', 'ipacaaclcaref', + 'ipacaaclallcas', 'ipacaaclallprofiles', + 'ipacaaclallusers', 'ipacaaclallhosts', 'ipacaaclallservices', + 'memberuser', 'memberhost', 'memberservice', 'memberhostgroup', + ] + uuid_attribute = 'ipauniqueid' + rdn_attribute = 'ipauniqueid' + attribute_members = { + 'memberuser': ['user', 'group'], + 'memberhost': ['host', 'hostgroup'], + 'memberservice': ['service'], + } + managed_permissions = { + 'System: Read CA ACLs': { + 'replaces_global_anonymous_aci': True, + 'ipapermbindruletype': 'all', + 'ipapermright': {'read', 'search', 'compare'}, + 'ipapermdefaultattr': { + 'cn', 'description', 'ipaenabledflag', + 'ipacaaclprofileid', 'ipacaaclcaref', + 'ipacaaclallcas', 'ipacaaclallprofiles', + 'ipacaaclallusers', 'ipacaaclallhosts', 'ipacaaclallservices', + 'ipauniqueid', 'memberhost', 'memberservice', 'memberuser', + 'objectclass', 'member', + }, + }, + 'System: Add CA ACL': { + 'ipapermright': {'add'}, + 'replaces': [ + '(target = "ldap:///ipauniqueid=*,cn=caacls,cn=ca,$SUFFIX")(version 3.0;acl "permission:Add CA ACL";allow (add) groupdn = "ldap:///cn=Add CA ACL,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + 'System: Delete CA ACL': { + 'ipapermright': {'delete'}, + 'replaces': [ + '(target = "ldap:///ipauniqueid=*,cn=caacls,cn=ca,$SUFFIX")(version 3.0;acl "permission:Delete CA ACL";allow (delete) groupdn = "ldap:///cn=Delete CA ACL,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + 'System: Manage CA ACL Membership': { + 'ipapermright': {'write'}, + 'ipapermdefaultattr': { + 'memberhost', 'memberservice', 'memberuser', + 'ipacaaclallusers', 'ipacaaclallhosts', 
'ipacaaclallservices', + }, + 'replaces': [ + '(targetattr = "memberuser || memberservice || memberhost || ipacaaclallusers || ipacaaclallhosts || ipacaaclallservices")(target = "ldap:///ipauniqueid=*,cn=caacls,cn=ca,$SUFFIX")(version 3.0;acl "permission:Manage CA ACL membership";allow (write) groupdn = "ldap:///cn=Manage CA ACL membership,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + 'System: Modify CA ACL': { + 'ipapermright': {'write'}, + 'ipapermdefaultattr': { + 'cn', 'description', 'ipaenabledflag', + 'ipacaaclallcas', 'ipacaaclallprofiles', + 'ipacaaclprofileid', 'ipacaaclcaref', + }, + 'replaces': [ + '(targetattr = "cn || description || ipaenabledflag || ipacaaclprofileid || ipacaaclcaref || ipacaaclallcas || ipacaaclallprofiles")(target = "ldap:///ipauniqueid=*,cn=caacls,cn=ca,$SUFFIX")(version 3.0;acl "permission:Modify CA ACL";allow (write) groupdn = "ldap:///cn=Modify CA ACL,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + } + + label = _('CA ACLs') + label_singular = _('CA ACL') + + takes_params = ( + Str('cn', + cli_name='name', + label=_('ACL name'), + primary_key=True, + ), + Str('description?', + cli_name='desc', + label=_('Description'), + ), + Bool('ipaenabledflag?', + label=_('Enabled'), + flags=['no_option'], + ), + Str('ipacaaclprofileid*', validate_profile_id, + cli_name='profile_id', + label=_('Profile ID'), + ), + Str('ipacaaclcaref*', # validate sub-CA handle syntax + cli_name='ca_ref', + label=_('CA Reference'), + flags=['no_option', 'no_output'], # until sub-CAs are implemented + ), + Bool('ipacaaclallcas?', + cli_name='allcas', + label=_('Allow use of all CAs'), + flags=['no_option', 'no_output'], # until sub-CAs are implemented + ), + Bool('ipacaaclallprofiles?', + cli_name='allprofiles', + label=_('Allow use of all profiles'), + ), + Bool('ipacaaclallusers?', + cli_name='allusers', + label=_('Allow all users'), + ), + 
Bool('ipacaaclallhosts?', + cli_name='allhosts', + label=_('Allow all hosts'), + ), + Bool('ipacaaclallservices?', + cli_name='allservices', + label=_('Allow all services'), + ), + Str('memberuser_user?', + label=_('Users'), + flags=['no_create', 'no_update', 'no_search'], + ), + Str('memberuser_group?', + label=_('User Groups'), + flags=['no_create', 'no_update', 'no_search'], + ), + Str('memberhost_host?', + label=_('Hosts'), + flags=['no_create', 'no_update', 'no_search'], + ), + Str('memberhost_hostgroup?', + label=_('Host Groups'), + flags=['no_create', 'no_update', 'no_search'], + ), + Str('memberservice_service?', + label=_('Services'), + flags=['no_create', 'no_update', 'no_search'], + ), + ) + + + at register() +class caacl_add(LDAPCreate): + __doc__ = _('Create a new CA ACL.') + + msg_summary = _('Added CA ACL "%(value)s"') + + def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + # CA ACLs are enabled by default + entry_attrs['ipaenabledflag'] = ['TRUE'] + entry_attrs['ipacaaclcaref'] = ['.'] + return dn + + + at register() +class caacl_del(LDAPDelete): + __doc__ = _('Delete a CA ACL.') + + msg_summary = _('Deleted CA ACL "%(value)s"') + + + at register() +class caacl_mod(LDAPUpdate): + __doc__ = _('Modify a CA ACL.') + + msg_summary = _('Modified CA ACL "%(value)s"') + + + at register() +class caacl_find(LDAPSearch): + __doc__ = _('Search for CA ACLs.') + + msg_summary = ngettext( + '%(count)d CA ACL matched', '%(count)d CA ACLs matched', 0 + ) + + + at register() +class caacl_show(LDAPRetrieve): + __doc__ = _('Display the properties of a CA ACL.') + + + at register() +class caacl_enable(LDAPQuery): + __doc__ = _('Enable a CA ACL.') + + msg_summary = _('Enabled CA ACL "%(value)s"') + has_output = output.standard_value + + def execute(self, cn, **options): + ldap = self.obj.backend + + dn = self.obj.get_dn(cn) + try: + entry_attrs = ldap.get_entry(dn, ['ipaenabledflag']) + except errors.NotFound: + self.obj.handle_not_found(cn) + 
+ entry_attrs['ipaenabledflag'] = ['TRUE'] + + try: + ldap.update_entry(entry_attrs) + except errors.EmptyModlist: + pass + + return dict( + result=True, + value=pkey_to_value(cn, options), + ) + + + at register() +class caacl_disable(LDAPQuery): + __doc__ = _('Disable a CA ACL.') + + msg_summary = _('Disabled CA ACL "%(value)s"') + has_output = output.standard_value + + def execute(self, cn, **options): + ldap = self.obj.backend + + dn = self.obj.get_dn(cn) + try: + entry_attrs = ldap.get_entry(dn, ['ipaenabledflag']) + except errors.NotFound: + self.obj.handle_not_found(cn) + + entry_attrs['ipaenabledflag'] = ['FALSE'] + + try: + ldap.update_entry(entry_attrs) + except errors.EmptyModlist: + pass + + return dict( + result=True, + value=pkey_to_value(cn, options), + ) + + + at register() +class caacl_add_user(LDAPAddMember): + __doc__ = _('Add users and groups to a CA ACL.') + + member_attributes = ['memberuser'] + member_count_out = ('%i object added.', '%i objects added.') + + + at register() +class caacl_remove_user(LDAPRemoveMember): + __doc__ = _('Remove users and groups from a CA ACL.') + + member_attributes = ['memberuser'] + member_count_out = ('%i object removed.', '%i objects removed.') + + + at register() +class caacl_add_host(LDAPAddMember): + __doc__ = _('Add target hosts and hostgroups to a CA ACL.') + + member_attributes = ['memberhost'] + member_count_out = ('%i object added.', '%i objects added.') + + + at register() +class caacl_remove_host(LDAPRemoveMember): + __doc__ = _('Remove target hosts and hostgroups from a CA ACL.') + + member_attributes = ['memberhost'] + member_count_out = ('%i object removed.', '%i objects removed.') + + + at register() +class caacl_add_service(LDAPAddMember): + __doc__ = _('Add services to a CA ACL.') + + member_attributes = ['memberservice'] + member_count_out = ('%i object added.', '%i objects added.') + + + at register() +class caacl_remove_service(LDAPRemoveMember): + __doc__ = _('Remove service and service 
groups from a CA ACL.') + + member_attributes = ['memberservice'] + member_count_out = ('%i object removed.', '%i objects removed.') diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 2acab13f247ed18a750f0e1cbbd98f4e63718c03..9f24189b6e442e0c55d5de41d15a03f89ecc9578 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -307,6 +307,7 @@ class DsInstance(service.Service): self.step("adding range check plugin", self.__add_range_check_plugin) if hbac_allow: self.step("creating default HBAC rule allow_all", self.add_hbac) + self.step("creating default CA ACL rule", self.add_caacl) self.step("adding entries for topology management", self.__add_topology_entries) self.__common_post_setup() @@ -741,6 +742,9 @@ class DsInstance(service.Service): def add_hbac(self): self._ldap_mod("default-hbac.ldif", self.sub_dict) + def add_caacl(self): + self._ldap_mod("default-caacl.ldif", self.sub_dict) + def change_admin_password(self, password): root_logger.debug("Changing admin password") dirname = config_dirname(self.serverid) -- 2.1.0 -------------- next part -------------- From 3726479629bfc173b5fa279fad8bb731d3740ec8 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 26 May 2015 04:44:20 -0400 Subject: [PATCH 13/13] Enforce CA ACLs in cert-request command This commit adds CA ACL enforcement to the cert-request command and uses the pyhbac machinery. It is planned to implement ACL enforcement in Dogtag in a future release, and remove certificate issuance privileges and CA ACL enforcement responsibility from the framework. See https://fedorahosted.org/freeipa/ticket/5011 for more information. Part of: https://fedorahosted.org/freeipa/ticket/57 Part of: https://fedorahosted.org/freeipa/ticket/4559 --- ipalib/plugins/caacl.py | 72 +++++++++++++++++++++++++++++++++++++++++++++++++ ipalib/plugins/cert.py | 17 ++++++++++++ 2 files changed, 89 insertions(+) 
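Review bot: typo in the schema hunk of install/share/60certificate-profiles.ldif in PATCH 12/13: the DESC of ipaCaAclAllProfiles (2.16.840.1.113730.3.8.21.1.5) reads 'Allow ues of all profiles' and should be 'Allow use of all profiles', matching the plugin's label _('Allow use of all profiles'). Schema DESC strings are tedious to correct once they have shipped under X-ORIGIN 'IPA v4.2', so fix it before merge.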
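Review bot: the EXAMPLES block of the ipalib/plugins/caacl.py module docstring (PATCH 12/13) does not match the commands it documents: the example titled 'Create a CA ACL to let user "alice" use the "DNP3" profile' creates an ACL named john_dnp3, and the following `ipa caacl-add-user --user=alice` omits the ACL name, which caacl_add_user requires as its positional `cn` argument (API.txt: `arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True)`). Suggest `ipa caacl-add alice_dnp3 --profile-id=DNP3` followed by `ipa caacl-add-user alice_dnp3 --user=alice`. Two smaller points in the same hunk: default_attributes lists 'memberhostgroup', which is not an attribute of the object (hostgroup membership is carried in memberhost according to attribute_members), and caacl_remove_service's docstring says 'Remove service and service groups from a CA ACL.' although attribute_members maps memberservice to ['service'] only, so 'and service groups' should go.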
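Review bot: install/updates/41-caacl.update in PATCH 12/13 only creates the cn=caacls,cn=ca container; the default rule in install/share/default-caacl.ldif is applied solely by DsInstance.add_caacl during a fresh install. An upgraded server therefore ends up with the container but without the hosts_services_caIPAserviceCert ACL, and once the follow-up patch enforces CA ACLs in cert-request, host and service certificate requests on upgraded deployments would be denied. Either add the default ACL entry to the update file as well (the hunk already uses `default:` lines to create entries) or state in the commit message why upgrades are handled elsewhere.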
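Review bot: in the ipaserver/install/dsinstance.py hunk at @@ -307,6 +307,7 @@ (PATCH 12/13), the new `self.step("creating default CA ACL rule", self.add_caacl)` is unconditional, whereas the neighbouring default HBAC rule is gated by `if hbac_allow:`. Since the default ACL grants caIPAserviceCert issuance to all hosts and services, say in the commit message whether an installer should be able to opt out of the permissive default as it can for HBAC, or gate the step the same way.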
diff --git a/ipalib/plugins/caacl.py b/ipalib/plugins/caacl.py index 84dc6d3c4db5f46d76bed560023b7cb63c5513b1..c09df863847f0e2b0e029b5c7f82d978a7e159bf 100644 --- a/ipalib/plugins/caacl.py +++ b/ipalib/plugins/caacl.py @@ -2,6 +2,8 @@ # Copyright (C) 2015 FreeIPA Contributors see COPYING for license # +import pyhbac + from ipalib import api, errors, output from ipalib import Bool, Str from ipalib.plugable import Registry @@ -10,6 +12,7 @@ from ipalib.plugins.baseldap import ( LDAPUpdate, LDAPRetrieve, LDAPAddMember, LDAPRemoveMember, pkey_to_value) from ipalib.plugins.certprofile import validate_profile_id +from ipalib.plugins.service import normalize_principal from ipalib import _, ngettext from ipapython.dn import DN 
@@ -49,6 +52,75 @@ EXAMPLES: register = Registry() +def _acl_make_request(principal_type, principal, ca_ref, profile_id): + """Construct HBAC request for the given principal, CA and profile""" + req = pyhbac.HbacRequest() + req.targethost.name = ca_ref + req.service.name = profile_id + if principal_type == 'user': + req.user.name = principal + elif principal_type == 'host': + req.user.name = principal[:5] # strip 'host/' + elif principal_type == 'service': + req.user.name = normalize_principal(principal) + groups = [] + if principal_type == 'user': + user_obj = api.Command.user_show(principal)['result'] + groups = user_obj.get('memberof_group', []) + groups += user_obj.get('memberofindirect_group', []) + elif principal_type == 'host': + hostname = principal[5:] + host_obj = api.Command.host_show(hostname)['result'] + groups = host_obj.get('memberof_hostgroup', []) + groups += host_obj.get('memberofindirect_hostgroup', []) + req.user.groups = sorted(set(groups)) + return req + + +def _acl_make_rule(principal_type, obj): + """Turn CA ACL object into HBAC rule. 
+ + ``principal_type`` + String in {'user', 'host', 'service'} + """ + rule = pyhbac.HbacRule(obj['cn'][0]) + rule.enabled = obj['ipaenabledflag'][0] + rule.srchosts.category = {pyhbac.HBAC_CATEGORY_ALL} + + # add CA(s) + if 'ipacaaclallcas' in obj and obj['ipacaaclallcas'][0] == 'TRUE': + rule.targethosts.category = {pyhbac.HBAC_CATEGORY_ALL} + else: + rule.targethosts.names = obj.get('ipacaaclcaref', []) + + # add profiles + if 'ipacaaclallprofiles' in obj and obj['ipacaaclallprofiles'][0] == 'TRUE': + rule.services.category = {pyhbac.HBAC_CATEGORY_ALL} + else: + rule.services.names = obj.get('ipacaaclprofileid', []) + + # add principals and principal's groups + m = {'user': 'group', 'host': 'hostgroup', 'service': None} + all_principals_attr = 'ipacaaclall{}s'.format(principal_type) + if all_principals_attr in obj and obj[all_principals_attr][0] == 'TRUE': + rule.users.category = {pyhbac.HBAC_CATEGORY_ALL} + else: + principal_attr = 'member{}_{}'.format(principal_type, principal_type) + rule.users.names = obj.get(principal_attr, []) + if m[principal_type] is not None: + group_attr = 'member{}_{}'.format(principal_type, m[principal_type]) + rule.users.groups = obj.get(group_attr, []) + + return rule + + +def acl_evaluate(principal_type, principal, ca_ref, profile_id): + req = _acl_make_request(principal_type, principal, ca_ref, profile_id) + acls = api.Command.caacl_find()['result'] + rules = [_acl_make_rule(principal_type, obj) for obj in acls] + return req.evaluate(rules) == pyhbac.HBAC_EVAL_ALLOW + + @register() class caacl(LDAPObject): """ diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py index 34621b552d3e527c2dd0fee46e240542179227f9..70ae610b6e9ec724837ddc516ad990ed08af9e0e 100644 --- a/ipalib/plugins/cert.py +++ b/ipalib/plugins/cert.py 
@@ -33,6 +33,7 @@ from ipalib.plugins.virtual import * from ipalib.plugins.baseldap import pkey_to_value from ipalib.plugins.service import split_any_principal from ipalib.plugins.certprofile import validate_profile_id +import ipalib.plugins.caacl import base64 import traceback from ipalib.text import _ @@ -326,6 +327,22 @@ class cert_request(VirtualCommand): else: principal_type = SERVICE + principal_type_map = {USER: 'user', HOST: 'host', SERVICE: 'service'} + ca = '.' # top-level CA hardcoded until subca plugin implemented + if not ipalib.plugins.caacl.acl_evaluate( + principal_type_map[principal_type], + principal_string, ca, profile_id): + raise errors.ACIError(info=_( + "Principal '%(principal)s' " + "is not permitted to use CA '%(ca)s' " + "with profile '%(profile_id)s' for certificate issuance." + ) % dict( + principal=principal_string, + ca=ca or '.', + profile_id=profile_id + ) + ) + bind_principal = split_any_principal(getattr(context, 'principal')) bind_service, bind_name, bind_realm = bind_principal -- 2.1.0 From ftweedal at redhat.com Mon Jun 1 07:22:28 2015 
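Review bot: in the `caacl.py` hunk, the `host` branch of `_acl_make_request` sets `req.user.name = principal[:5]`, which keeps the first five characters (`host/`) instead of stripping them; the group lookup a few lines later uses `hostname = principal[5:]`, the intended slice, so the request's user name and its group list describe different things and a host listed by name in `memberhost_host` can never match. Use `principal[5:]` in both places (or compute one `hostname` variable once). Also, `rule.enabled = obj['ipaenabledflag'][0]` assigns the raw LDAP string, whereas every other flag in `_acl_make_rule` is compared with `== 'TRUE'`; unless pyhbac coerces the value itself, the non-empty string `'FALSE'` is truthy and a disabled ACL would still be evaluated as enabled. Compare with `== 'TRUE'` there too.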
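Review bot: in the `cert_request` hunk, `ca=ca or '.'` in the error-message formatting is dead logic, since `ca` is assigned the literal `'.'` a few lines above; pass `ca=ca` and drop the fallback until the subca plugin makes `ca` variable. The `principal_type_map` literal also duplicates the `{'user', 'host', 'service'}` strings that `_acl_make_rule`'s docstring specifies; exporting them as constants from `ipalib.plugins.caacl` would keep the two plugins from drifting apart.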
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Mon, 1 Jun 2015 17:22:28 +1000
Subject: [Freeipa-devel] [PATCHES 0001-0013 v5.1] Profiles and CA ACLs
In-Reply-To: <20150601071058.GI23523@dhcp-40-8.bne.redhat.com>
References: <555DD031.8070302@redhat.com> <555DD39C.3070103@redhat.com> <20150526155930.GI13469@dhcp-40-8.bne.redhat.com> <20150527140434.GD24915@dhcp-40-8.bne.redhat.com> <5566E484.7080809@redhat.com> <55670D4D.9080302@redhat.com> <20150529041754.GE23523@dhcp-40-8.bne.redhat.com> <55682FB0.1030807@redhat.com> <55684792.3070006@redhat.com> <20150601071058.GI23523@dhcp-40-8.bne.redhat.com>
Message-ID: <20150601072228.GJ23523@dhcp-40-8.bne.redhat.com>

On Mon, Jun 01, 2015 at 05:10:58PM +1000, Fraser Tweedale wrote:
> On Fri, May 29, 2015 at 01:03:46PM +0200, Martin Kosek wrote:
> > On 05/29/2015 11:21 AM, Martin Basti wrote:
> > >On 29/05/15 06:17, Fraser Tweedale wrote:
> > >>On Thu, May 28, 2015 at 02:42:53PM +0200, Martin Basti wrote:
> > >>>On 28/05/15 11:48, Martin Basti wrote:
> > >>>>On 27/05/15 16:04, Fraser Tweedale wrote:
> > >>>>>Hello all,
> > >>>>>
> > >>>>>Fresh certificate management patchset; Changelog:
> > >>>>>
> > >>>>>- Now depends on patch freeipa-ftweedal-0014 for correct
> > >>>>>cert-request behaviour with host and service principals.
> > >>>>>
> > >>>>>- Updated Dogtag dependency to 10.2.4-1. Should be in
> > >>>>>f22 soon, but for f22 right now or for f21, please grab from my
> > >>>>>copr: https://copr.fedoraproject.org/coprs/ftweedal/freeipa/
> > >>>>>
> > >>>>> Martin^1 could you please add to the quasi-official freeipa
> > >>>>> copr? SRPM lives at
> > >>>>> https://frase.id.au/pki-core-10.2.4-1.fc21.src.rpm.
> > >>>>>
> > >>>>>- cert-request now verifies that for user principals, CSR CN
> > >>>>>matches uid and, DN emailAddress and SAN rfc822Name match user's
> > >>>>>email address, if either of those is present.
> > >>>>>
> > >>>>>- Fixed one or two other sneaky little bugs.
> > >>>>>
> > >>>>>On Wed, May 27, 2015 at 01:59:30AM +1000, Fraser Tweedale wrote:
> > >>>>>>Hi all,
> > >>>>>>
> > >>>>>>Please find attached the latest certificate management
> > >>>>>>patchset, which introduces the `caacl' plugin and various fixes
> > >>>>>>and improvements to earlier patches.
> > >>>>>>
> > >>>>>>One important change to earlier patches is reverting the name
> > >>>>>>of the default profile to 'caIPAserviceCert' and using the
> > >>>>>>existing instance of this profile on upgrade (but not install)
> > >>>>>>in case it has been modified.
> > >>>>>>
> > >>>>>>Other notes:
> > >>>>>>
> > >>>>>>- Still have changes in ipa-server-install (fewer lines now,
> > >>>>>>though)
> > >>>>>>
> > >>>>>>- Still have the ugly import hack. It is not a high priority
> > >>>>>>for me, i.e. I think it should wait until after alpha
> > >>>>>>
> > >>>>>>- Still need to update 'service' and 'host' plugins to support
> > >>>>>>multiple certificates. (The userCertificate attribute schema
> > >>>>>>itself is multi-valued, so there are no schema issues here)
> > >>>>>>
> > >>>>>>- The TODOs in [1]; mostly certprofile CLI conveniences and
> > >>>>>>supporting multiple profiles for hosts and services (which
> > >>>>>>requires changes to framework only, not schema). [1]:
> > >>>>>>http://idm.etherpad.corp.redhat.com/rhel72-cert-mgmt-progress
> > >>>>>>
> > >>>>>>Happy reviewing! I am pleased with the initial cut of the
> > >>>>>>caacl plugin but I'm sure you will find some things to be fixed
> > >>>>>>:)
> > >>>>>>
> > >>>>>>Cheers,
> > >>>>>>Fraser
> > >>>>[root at vm-093 ~]# ipa-replica-prepare vm-094.example.com
> > >>>>--ip-address 10.34.78.94 Directory Manager (existing master)
> > >>>>password:
> > >>>>
> > >>>>Preparing replica for vm-094.example.com from vm-093.example.com
> > >>>>Creating SSL certificate for the Directory Server not well-formed
> > >>>>(invalid token): line 2, column 14
> > >>>>
> > >>>>I cannot create replica file. It works on the upgraded server,
> > >>>>but it doesn't work on the newly installed server. I'm not sure
> > >>>>if this is caused by your patches which modify the ca-installer, or
> > >>>>the newer version of dogtag.
> > >>>>
> > >>>>Or if there were any other changes in master, I will continue to
> > >>>>investigate with new RPM from master branch.
> > >>>>
> > >>>>Martin^2
> > >>>>
> > >>>ipa-replica-prepare works for:
> > >>>* master branch
> > >>>* master branch + pki-ca 10.2.4-1
> > >>>
> > >>>So something in your patches is breaking it
> > >>>
> > >>>Martin^2
> > >>>
> > >>Martin, master + my patches with pki 10.2.4-1 is working for me on
> > >>f21 and f22. Can you provide ipa-replica-prepare --debug output and
> > >>Dogtag debug log? ( /var/log/pki/pki-tomcat/ca/debug )
> > >>
> > >>Thanks,
> > >>Fraser
> > >I can not reproduce it today. And I already recycled the VMs from yesterday. :-(
> > >
> >
> > In that case I would suggest ACKing&pushing the patch and fixing the bug if
> > it comes again. The tree may now be a bit unstable, given the number of
> > patches going in.
> >
> > My main motivation here is to unblock Fraser.
> >
> > Thanks,
> > Martin
>
> Rebased patchset attached; no other changes.

Heads up: I just discovered I have introduced a bug with
ipa-replica-install, when it is spawning the CA instance. I think
replication it only causes issues with ``--setup-ca``. I will try and
sort it out tomorrow or later tonight (I have to head out for a few
hours now, though); and I'm not suggesting it should block the push but
it's something to be aware of.

Cheers,
Fraser

From pvoborni at redhat.com Mon Jun 1 08:35:03 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Mon, 01 Jun 2015 10:35:03 +0200
Subject: [Freeipa-devel] [PATCH 0007] replica install fails with domain level 1
In-Reply-To: <55687B3C.4070303@redhat.com>
References: <55687B3C.4070303@redhat.com>
Message-ID: <556C1937.6070502@redhat.com>

On 05/29/2015 04:44 PM, Ludwig Krispenz wrote:
> This is a patch for the two issues reported in ticket #5035
> https://fedorahosted.org/freeipa/ticket/5035
>
>

Works for me. I was able to install 2 replicas with domain level 1 in one topology.

Code looks good to me as well. Tentative ACK (would be nice if it was skimmed by Thierry).
-- 
Petr Vobornik

From ofayans at redhat.com Mon Jun 1 09:19:21 2015
From: ofayans at redhat.com (Oleg Fayans)
Date: Mon, 01 Jun 2015 11:19:21 +0200
Subject: [Freeipa-devel] [PATCH 0007] replica install fails with domain level 1
In-Reply-To: <556C1937.6070502@redhat.com>
References: <55687B3C.4070303@redhat.com> <556C1937.6070502@redhat.com>
Message-ID: <556C2399.6090808@redhat.com>

Works for me too. Will perform extensive testing today, and report
everything that I find.
Thanks, Ludwig!

> On 05/29/2015 04:44 PM, Ludwig Krispenz wrote:
>> This is a patch for the two issues reported in ticket #5035
>> https://fedorahosted.org/freeipa/ticket/5035
>>
>>
>
> Works for me. I was able to install 2 replicas with domain level 1 in
> one topology.
>
> Code looks good to me as well. Tentative ACK (would be nice if it was
> skimmed by Thierry).

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

From ofayans at redhat.com Mon Jun 1 11:34:22 2015
From: ofayans at redhat.com (Oleg Fayans)
Date: Mon, 01 Jun 2015 13:34:22 +0200
Subject: [Freeipa-devel] [PATCH 0007] replica install fails with domain level 1
In-Reply-To: <556C2399.6090808@redhat.com>
References: <55687B3C.4070303@redhat.com> <556C1937.6070502@redhat.com> <556C2399.6090808@redhat.com>
Message-ID: <556C433E.90008@redhat.com>

So far I've bumped into a problem, using the newly built packages:

I've installed a master, a replica (replica1), then replica3 (prepared on replica1), so my topology looks like this:

master <=> replica1 <=> replica3

However, `ipa topologysegment-find` shows the correct topology only on the replicas (not on the master):

master:

root at testmaster:~]$ ipa topologysegment-find
Suffix name: realm
-----------------
1 segment matched
-----------------
  Segment name: replica1.zaeba.li-to-testmaster.zaeba.li
  Left node: replica1.zaeba.li
  Right node: testmaster.zaeba.li
  Connectivity: both
----------------------------
Number of entries returned 1
----------------------------

replica1:

ofayans at replica1:~]$ ipa topologysegment-find
Suffix name: realm
------------------
2 segments matched
------------------
  Segment name: replica1.zaeba.li-to-replica3.zaeba.li
  Left node: replica1.zaeba.li
  Right node: replica3.zaeba.li
  Connectivity: both

  Segment name: replica1.zaeba.li-to-testmaster.zaeba.li
  Left node: replica1.zaeba.li
  Right node: testmaster.zaeba.li
  Connectivity: both
----------------------------
Number of entries returned 2
----------------------------

replica3:

ofayans at replica3:~]$ ipa topologysegment-find
Suffix name: realm
------------------
2 segments matched
------------------
  Segment name: replica1.zaeba.li-to-replica3.zaeba.li
  Left node: replica1.zaeba.li
  Right node: replica3.zaeba.li
  Connectivity: both

  Segment name: replica1.zaeba.li-to-testmaster.zaeba.li
  Left node: replica1.zaeba.li
  Right node: testmaster.zaeba.li
  Connectivity: both
----------------------------
Number of entries returned 2
----------------------------

The second problem is that the changes (like user creation) made on any of the nodes do not get replicated to the other ones. The dirsrv logs are full of GSSAPI errors like this:

=====================================================================
[01/Jun/2015:07:04:48 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[01/Jun/2015:07:09:46 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[01/Jun/2015:07:09:46 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[01/Jun/2015:07:09:47 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 0 (Success)
=====================================================================

Full logs are attached

I am using the 389-ds-base from mreynolds/389-ds-base dnf repo:

root at testmaster:~]$ rpm -q 389-ds-base
389-ds-base-2015_03_11-1.fc21.x86_64

On 06/01/2015 11:19 AM, Oleg Fayans wrote:
> Works for me too. Will perform extensive testing today, and report
> everything that I find.
> Thanks, Ludwig!
>> On 05/29/2015 04:44 PM, Ludwig Krispenz wrote:
>>> This is a patch for the two issues reported in ticket #5035
>>> https://fedorahosted.org/freeipa/ticket/5035
>>>
>>>
>>
>> Works for me. I was able to install 2 replicas with domain level 1 in
>> one topology.
>>
>> Code looks good to me as well. Tentative ACK (would be nice if it was
>> skimmed by Thierry).
>

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
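The divergence reported in this message (the master sees one topology segment while both replicas see two) is the kind of thing worth checking mechanically on every node after a replica install. The script below is an added example, not part of this report and not FreeIPA's own code: it parses `ipa topologysegment-find` output collected from each node and reports the segments a node does not see that the others do. Because the segment entries live in the replicated tree, every node should report the same set; a gap means changes are not reaching that node. The sample outputs are constructed from the ones quoted in the report; the function names are my own.

```python
"""Spot replication-topology divergence from `ipa topologysegment-find` output
gathered on several FreeIPA nodes (added example; assumes nothing beyond the
CLI output format shown in the report)."""
import re
from typing import Dict, List, Set

# Constructed sample outputs, transcribed from the report: testmaster sees one
# segment, both replicas see two.
MASTER_OUTPUT = """\
Suffix name: realm
-----------------
1 segment matched
-----------------
  Segment name: replica1.zaeba.li-to-testmaster.zaeba.li
  Left node: replica1.zaeba.li
  Right node: testmaster.zaeba.li
  Connectivity: both
----------------------------
Number of entries returned 1
----------------------------
"""

REPLICA_OUTPUT = """\
Suffix name: realm
------------------
2 segments matched
------------------
  Segment name: replica1.zaeba.li-to-replica3.zaeba.li
  Left node: replica1.zaeba.li
  Right node: replica3.zaeba.li
  Connectivity: both

  Segment name: replica1.zaeba.li-to-testmaster.zaeba.li
  Left node: replica1.zaeba.li
  Right node: testmaster.zaeba.li
  Connectivity: both
----------------------------
Number of entries returned 2
----------------------------
"""

FIELD_RE = re.compile(r"^\s*(Segment name|Left node|Right node|Connectivity):\s*(.*?)\s*$")
COUNT_RE = re.compile(r"^Number of entries returned (\d+)$", re.MULTILINE)


def parse_segments(output: str) -> List[Dict[str, str]]:
    """Parse CLI output into dicts with keys name, left, right, connectivity.

    Raises ValueError when the number of parsed segments disagrees with the
    'Number of entries returned' trailer, so a truncated or mangled paste is
    rejected rather than silently reported as a missing segment.
    """
    segments: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in output.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue  # separators, counts and blank lines
        key, value = m.group(1), m.group(2)
        if key == "Segment name":
            current = {"name": value}
            segments.append(current)
        elif current:
            # "Left node" -> "left", "Right node" -> "right", "Connectivity" -> "connectivity"
            current[key.split()[0].lower()] = value
    trailer = COUNT_RE.search(output)
    if trailer and int(trailer.group(1)) != len(segments):
        raise ValueError(
            f"trailer says {trailer.group(1)} entries, parsed {len(segments)}")
    return segments


def missing_segments(views: Dict[str, str]) -> Dict[str, Set[str]]:
    """Map each node to the segment names that other nodes report but it lacks.

    `views` maps a node name to the raw `ipa topologysegment-find` output
    captured on that node.  An empty set means the node agrees with the union.
    """
    seen = {node: {s["name"] for s in parse_segments(out)} for node, out in views.items()}
    union: Set[str] = set().union(*seen.values())
    return {node: union - names for node, names in seen.items()}


if __name__ == "__main__":
    views = {
        "testmaster.zaeba.li": MASTER_OUTPUT,
        "replica1.zaeba.li": REPLICA_OUTPUT,
        "replica3.zaeba.li": REPLICA_OUTPUT,
    }
    for node, missing in sorted(missing_segments(views).items()):
        status = "OK" if not missing else "MISSING " + ", ".join(sorted(missing))
        print(f"{node}: {status}")
```

In practice the `views` dict would be filled by running `ipa topologysegment-find` on each node (or over ssh) and pasting the output in; the count check matters because a paste cut off mid-way would otherwise look exactly like the replication failure being diagnosed.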
-------------- next part -------------- 389-Directory/1.3.4.a1 B2015.070.423 testmaster.zaeba.li:389 (/etc/dirsrv/slapd-ZAEBA-LI) [01/Jun/2015:04:58:10 -0400] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database [01/Jun/2015:04:58:10 -0400] - check_and_set_import_cache: pagesize: 4096, pages: 488624, procpages: 54078 [01/Jun/2015:04:58:10 -0400] - Import allocates 781796KB import cache. [01/Jun/2015:04:58:10 -0400] - import userRoot: Beginning import job... [01/Jun/2015:04:58:10 -0400] - import userRoot: Index buffering enabled with bucket size 100 [01/Jun/2015:04:58:10 -0400] - import userRoot: Processing file "/var/lib/dirsrv/boot.ldif" [01/Jun/2015:04:58:11 -0400] - import userRoot: Finished scanning file "/var/lib/dirsrv/boot.ldif" (1 entries) [01/Jun/2015:04:58:11 -0400] - import userRoot: Workers finished; cleaning up... [01/Jun/2015:04:58:12 -0400] - import userRoot: Workers cleaned up. [01/Jun/2015:04:58:12 -0400] - import userRoot: Cleaning up producer thread... [01/Jun/2015:04:58:12 -0400] - import userRoot: Indexing complete. Post-processing... [01/Jun/2015:04:58:12 -0400] - import userRoot: Generating numsubordinates (this may take several minutes to complete)... [01/Jun/2015:04:58:12 -0400] - import userRoot: Generating numSubordinates complete. [01/Jun/2015:04:58:12 -0400] - import userRoot: Gathering ancestorid non-leaf IDs... [01/Jun/2015:04:58:12 -0400] - import userRoot: Finished gathering ancestorid non-leaf IDs. [01/Jun/2015:04:58:12 -0400] - Nothing to do to build ancestorid index [01/Jun/2015:04:58:12 -0400] - import userRoot: Created ancestorid index (new idl). [01/Jun/2015:04:58:12 -0400] - import userRoot: Flushing caches... [01/Jun/2015:04:58:12 -0400] - import userRoot: Closing files... [01/Jun/2015:04:58:12 -0400] - All database threads now stopped [01/Jun/2015:04:58:12 -0400] - import userRoot: Import complete. Processed 1 entries in 2 seconds. 
(0.50 entries/sec) [01/Jun/2015:04:58:13 -0400] - 389-Directory/1.3.4.a1 B2015.070.423 starting up [01/Jun/2015:04:58:13 -0400] - Db home directory is not set. Possibly nsslapd-directory (optionally nsslapd-db-home-directory) is missing in the config file. [01/Jun/2015:04:58:13 -0400] - resizing db cache size: 800559104 -> 6400000 [01/Jun/2015:04:58:14 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests [01/Jun/2015:04:58:14 -0400] - convert_pbe_des_to_aes: Converting DES passwords to AES... [01/Jun/2015:04:58:14 -0400] - convert_pbe_des_to_aes: Successfully disabled DES plugin (cn=DES,cn=Password Storage Schemes,cn=plugins,cn=config) [01/Jun/2015:04:58:14 -0400] - convert_pbe_des_to_aes: Finished - no DES passwords to convert. [01/Jun/2015:04:58:15 -0400] - slapd shutting down - signaling operation threads - op stack size 0 max work q size 0 max work q stack size 0 [01/Jun/2015:04:58:15 -0400] - slapd shutting down - closing down internal subsystems and plugins [01/Jun/2015:04:58:15 -0400] - Waiting for 4 database threads to stop [01/Jun/2015:04:58:15 -0400] - All database threads now stopped [01/Jun/2015:04:58:15 -0400] - slapd shutting down - freed 0 work q stack objects - freed 0 op stack objects [01/Jun/2015:04:58:15 -0400] - slapd stopped. [01/Jun/2015:04:58:16 -0400] - 389-Directory/1.3.4.a1 B2015.070.423 starting up [01/Jun/2015:04:58:17 -0400] - resizing db cache size: 6400000 -> 5120000 [01/Jun/2015:04:58:17 -0400] - slapd started. 
Listening on All Interfaces port 389 for LDAP requests [01/Jun/2015:04:58:17 -0400] - The change of nsslapd-ldapilisten will not take effect until the server is restarted [01/Jun/2015:04:58:18 -0400] - slapd shutting down - signaling operation threads - op stack size 2 max work q size 1 max work q stack size 1 [01/Jun/2015:04:58:18 -0400] - slapd shutting down - waiting for 1 thread to terminate [01/Jun/2015:04:58:18 -0400] - slapd shutting down - closing down internal subsystems and plugins [01/Jun/2015:04:58:18 -0400] - Waiting for 4 database threads to stop [01/Jun/2015:04:58:19 -0400] - All database threads now stopped [01/Jun/2015:04:58:19 -0400] - slapd shutting down - freed 1 work q stack objects - freed 2 op stack objects [01/Jun/2015:04:58:19 -0400] - slapd stopped. [01/Jun/2015:04:58:20 -0400] - 389-Directory/1.3.4.a1 B2015.070.423 starting up [01/Jun/2015:04:58:20 -0400] - resizing db cache size: 5120000 -> 4096000 [01/Jun/2015:04:58:21 -0400] ipalockout_get_global_config - [file ipa_lockout.c, line 185]: Failed to get default realm (-1765328160) [01/Jun/2015:04:58:21 -0400] ipaenrollment_start - [file ipa_enrollment.c, line 393]: Failed to get default realm?! [01/Jun/2015:04:58:21 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests [01/Jun/2015:04:58:21 -0400] - Listening on /var/run/slapd-ZAEBA-LI.socket for LDAPI requests [01/Jun/2015:04:58:26 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=zaeba,dc=li--no CoS Templates found, which should be added before the CoS Definition. 
[01/Jun/2015:04:58:28 -0400] NSACLPlugin - The ACL target cn=retrieve certificate,cn=virtual operations,cn=etc,dc=zaeba,dc=li does not exist [01/Jun/2015:04:58:29 -0400] NSACLPlugin - The ACL target cn=request certificate,cn=virtual operations,cn=etc,dc=zaeba,dc=li does not exist [01/Jun/2015:04:58:29 -0400] NSACLPlugin - The ACL target cn=request certificate different host,cn=virtual operations,cn=etc,dc=zaeba,dc=li does not exist [01/Jun/2015:04:58:29 -0400] NSACLPlugin - The ACL target cn=certificate status,cn=virtual operations,cn=etc,dc=zaeba,dc=li does not exist [01/Jun/2015:04:58:29 -0400] NSACLPlugin - The ACL target cn=revoke certificate,cn=virtual operations,cn=etc,dc=zaeba,dc=li does not exist [01/Jun/2015:04:58:29 -0400] NSACLPlugin - The ACL target cn=certificate remove hold,cn=virtual operations,cn=etc,dc=zaeba,dc=li does not exist [01/Jun/2015:04:58:30 -0400] memberof-plugin - Memberof task starts (arg: (objectclass=*)) ... [01/Jun/2015:04:58:31 -0400] memberof-plugin - Memberof task finished (arg: (objectclass=*)) ... [01/Jun/2015:04:58:33 -0400] - slapd shutting down - signaling operation threads - op stack size 3 max work q size 2 max work q stack size 2 [01/Jun/2015:04:58:34 -0400] - slapd shutting down - waiting for 4 threads to terminate [01/Jun/2015:04:58:34 -0400] - slapd shutting down - closing down internal subsystems and plugins [01/Jun/2015:04:58:34 -0400] - Waiting for 4 database threads to stop [01/Jun/2015:04:58:35 -0400] - All database threads now stopped [01/Jun/2015:04:58:35 -0400] - slapd shutting down - freed 2 work q stack objects - freed 3 op stack objects [01/Jun/2015:04:58:35 -0400] - slapd stopped. 
[01/Jun/2015:04:58:36 -0400] - 389-Directory/1.3.4.a1 B2015.070.423 starting up [01/Jun/2015:04:58:37 -0400] - resizing db cache size: 4096000 -> 3276800 [01/Jun/2015:04:58:38 -0400] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=zaeba,dc=li [01/Jun/2015:04:58:38 -0400] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=zaeba,dc=li [01/Jun/2015:04:58:38 -0400] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=zaeba,dc=li [01/Jun/2015:04:58:38 -0400] NSACLPlugin - The ACL target cn=retrieve certificate,cn=virtual operations,cn=etc,dc=zaeba,dc=li does not exist [01/Jun/2015:04:58:38 -0400] NSACLPlugin - The ACL target cn=request certificate,cn=virtual operations,cn=etc,dc=zaeba,dc=li does not exist [01/Jun/2015:04:58:38 -0400] NSACLPlugin - The ACL target cn=request certificate different host,cn=virtual operations,cn=etc,dc=zaeba,dc=li does not exist [01/Jun/2015:04:58:38 -0400] NSACLPlugin - The ACL target cn=certificate status,cn=virtual operations,cn=etc,dc=zaeba,dc=li does not exist [01/Jun/2015:04:58:38 -0400] NSACLPlugin - The ACL target cn=revoke certificate,cn=virtual operations,cn=etc,dc=zaeba,dc=li does not exist [01/Jun/2015:04:58:38 -0400] NSACLPlugin - The ACL target cn=certificate remove hold,cn=virtual operations,cn=etc,dc=zaeba,dc=li does not exist [01/Jun/2015:04:58:38 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=zaeba,dc=li--no CoS Templates found, which should be added before the CoS Definition. [01/Jun/2015:04:58:38 -0400] ipalockout_get_global_config - [file ipa_lockout.c, line 185]: Failed to get default realm (-1765328160) [01/Jun/2015:04:58:38 -0400] ipaenrollment_start - [file ipa_enrollment.c, line 393]: Failed to get default realm?! [01/Jun/2015:04:58:38 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=zaeba,dc=li--no CoS Templates found, which should be added before the CoS Definition. 
[01/Jun/2015:04:58:38 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests [01/Jun/2015:04:58:38 -0400] - Listening on /var/run/slapd-ZAEBA-LI.socket for LDAPI requests [01/Jun/2015:04:58:38 -0400] - The change of nsslapd-maxdescriptors will not take effect until the server is restarted [01/Jun/2015:04:58:59 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=zaeba,dc=li--no CoS Templates found, which should be added before the CoS Definition. [01/Jun/2015:04:59:46 -0400] - ipaca: Indexing VLV: allCerts-pki-tomcatIndex [01/Jun/2015:04:59:46 -0400] - ipaca: Indexing VLV: allExpiredCerts-pki-tomcatIndex [01/Jun/2015:04:59:46 -0400] - ipaca: Indexing VLV: allInvalidCerts-pki-tomcatIndex [01/Jun/2015:04:59:47 -0400] - ipaca: Indexing VLV: allInValidCertsNotBefore-pki-tomcatIndex [01/Jun/2015:04:59:47 -0400] - ipaca: Indexing VLV: allNonRevokedCerts-pki-tomcatIndex [01/Jun/2015:04:59:47 -0400] - ipaca: Indexing VLV: allRevokedCaCerts-pki-tomcatIndex [01/Jun/2015:04:59:47 -0400] - ipaca: Indexing VLV: allRevokedCerts-pki-tomcatIndex [01/Jun/2015:04:59:47 -0400] - ipaca: Indexing VLV: allRevokedCertsNotAfter-pki-tomcatIndex [01/Jun/2015:04:59:47 -0400] - ipaca: Indexing VLV: allRevokedExpiredCerts-pki-tomcatIndex [01/Jun/2015:04:59:47 -0400] - ipaca: Indexing VLV: allRevokedOrRevokedExpiredCaCerts-pki-tomcatIndex [01/Jun/2015:04:59:47 -0400] - ipaca: Indexing VLV: allRevokedOrRevokedExpiredCerts-pki-tomcatIndex [01/Jun/2015:04:59:47 -0400] - ipaca: Indexing VLV: allValidCerts-pki-tomcatIndex [01/Jun/2015:04:59:47 -0400] - ipaca: Indexing VLV: allValidCertsNotAfter-pki-tomcatIndex [01/Jun/2015:04:59:47 -0400] - ipaca: Indexing VLV: allValidOrRevokedCerts-pki-tomcatIndex [01/Jun/2015:04:59:47 -0400] - ipaca: Indexing VLV: caAll-pki-tomcatIndex [01/Jun/2015:04:59:47 -0400] - ipaca: Indexing VLV: caCanceled-pki-tomcatIndex [01/Jun/2015:04:59:47 -0400] - ipaca: Indexing VLV: caCanceledEnrollment-pki-tomcatIndex [01/Jun/2015:04:59:47 
-0400] - ipaca: Indexing VLV: caCanceledRenewal-pki-tomcatIndex [01/Jun/2015:04:59:47 -0400] - ipaca: Indexing VLV: caCanceledRevocation-pki-tomcatIndex [01/Jun/2015:04:59:47 -0400] - ipaca: Indexing VLV: caComplete-pki-tomcatIndex [01/Jun/2015:04:59:47 -0400] - ipaca: Indexing VLV: caCompleteEnrollment-pki-tomcatIndex [01/Jun/2015:04:59:47 -0400] - ipaca: Indexing VLV: caCompleteRenewal-pki-tomcatIndex [01/Jun/2015:04:59:47 -0400] - ipaca: Indexing VLV: caCompleteRevocation-pki-tomcatIndex [01/Jun/2015:04:59:47 -0400] - ipaca: Indexing VLV: caEnrollment-pki-tomcatIndex [01/Jun/2015:04:59:47 -0400] - ipaca: Indexing VLV: caPending-pki-tomcatIndex [01/Jun/2015:04:59:47 -0400] - ipaca: Indexing VLV: caPendingEnrollment-pki-tomcatIndex [01/Jun/2015:04:59:47 -0400] - ipaca: Indexing VLV: caPendingRenewal-pki-tomcatIndex [01/Jun/2015:04:59:47 -0400] - ipaca: Indexing VLV: caPendingRevocation-pki-tomcatIndex [01/Jun/2015:04:59:48 -0400] - ipaca: Indexing VLV: caRejected-pki-tomcatIndex [01/Jun/2015:04:59:48 -0400] - ipaca: Indexing VLV: caRejectedEnrollment-pki-tomcatIndex [01/Jun/2015:04:59:48 -0400] - ipaca: Indexing VLV: caRejectedRenewal-pki-tomcatIndex [01/Jun/2015:04:59:48 -0400] - ipaca: Indexing VLV: caRejectedRevocation-pki-tomcatIndex [01/Jun/2015:04:59:48 -0400] - ipaca: Indexing VLV: caRenewal-pki-tomcatIndex [01/Jun/2015:04:59:48 -0400] - ipaca: Indexing VLV: caRevocation-pki-tomcatIndex [01/Jun/2015:04:59:48 -0400] - warning: ancestorid not indexed on 21; possibly, the entry id 21 has no descendants yet. [01/Jun/2015:04:59:48 -0400] - warning: ancestorid not indexed on 21; possibly, the entry id 21 has no descendants yet. [01/Jun/2015:04:59:48 -0400] - warning: ancestorid not indexed on 21; possibly, the entry id 21 has no descendants yet. [01/Jun/2015:04:59:48 -0400] - warning: ancestorid not indexed on 21; possibly, the entry id 21 has no descendants yet. 
[01/Jun/2015:04:59:48 -0400] - warning: ancestorid not indexed on 21; possibly, the entry id 21 has no descendants yet. [01/Jun/2015:04:59:48 -0400] - warning: ancestorid not indexed on 21; possibly, the entry id 21 has no descendants yet. [01/Jun/2015:04:59:48 -0400] - warning: ancestorid not indexed on 21; possibly, the entry id 21 has no descendants yet. [01/Jun/2015:04:59:48 -0400] - warning: ancestorid not indexed on 21; possibly, the entry id 21 has no descendants yet. [01/Jun/2015:04:59:48 -0400] - warning: ancestorid not indexed on 21; possibly, the entry id 21 has no descendants yet. [01/Jun/2015:04:59:48 -0400] - warning: ancestorid not indexed on 21; possibly, the entry id 21 has no descendants yet. [01/Jun/2015:04:59:48 -0400] - warning: ancestorid not indexed on 21; possibly, the entry id 21 has no descendants yet. [01/Jun/2015:04:59:48 -0400] - warning: ancestorid not indexed on 21; possibly, the entry id 21 has no descendants yet. [01/Jun/2015:04:59:48 -0400] - warning: ancestorid not indexed on 21; possibly, the entry id 21 has no descendants yet. [01/Jun/2015:04:59:48 -0400] - warning: ancestorid not indexed on 21; possibly, the entry id 21 has no descendants yet. [01/Jun/2015:04:59:48 -0400] - warning: ancestorid not indexed on 23; possibly, the entry id 23 has no descendants yet. [01/Jun/2015:04:59:48 -0400] - warning: ancestorid not indexed on 23; possibly, the entry id 23 has no descendants yet. [01/Jun/2015:04:59:48 -0400] - warning: ancestorid not indexed on 23; possibly, the entry id 23 has no descendants yet. [01/Jun/2015:04:59:49 -0400] - warning: ancestorid not indexed on 23; possibly, the entry id 23 has no descendants yet. [01/Jun/2015:04:59:49 -0400] - warning: ancestorid not indexed on 23; possibly, the entry id 23 has no descendants yet. [01/Jun/2015:04:59:49 -0400] - warning: ancestorid not indexed on 23; possibly, the entry id 23 has no descendants yet. 
[01/Jun/2015:04:59:49 -0400] - warning: ancestorid not indexed on 23; possibly, the entry id 23 has no descendants yet. [01/Jun/2015:04:59:49 -0400] - warning: ancestorid not indexed on 23; possibly, the entry id 23 has no descendants yet. [01/Jun/2015:04:59:49 -0400] - warning: ancestorid not indexed on 23; possibly, the entry id 23 has no descendants yet. [01/Jun/2015:04:59:49 -0400] - warning: ancestorid not indexed on 23; possibly, the entry id 23 has no descendants yet. [01/Jun/2015:04:59:49 -0400] - warning: ancestorid not indexed on 23; possibly, the entry id 23 has no descendants yet. [01/Jun/2015:04:59:49 -0400] - warning: ancestorid not indexed on 23; possibly, the entry id 23 has no descendants yet. [01/Jun/2015:04:59:49 -0400] - warning: ancestorid not indexed on 23; possibly, the entry id 23 has no descendants yet. [01/Jun/2015:04:59:49 -0400] - warning: ancestorid not indexed on 23; possibly, the entry id 23 has no descendants yet. [01/Jun/2015:04:59:49 -0400] - warning: ancestorid not indexed on 23; possibly, the entry id 23 has no descendants yet. [01/Jun/2015:04:59:49 -0400] - warning: ancestorid not indexed on 23; possibly, the entry id 23 has no descendants yet. [01/Jun/2015:04:59:49 -0400] - warning: ancestorid not indexed on 23; possibly, the entry id 23 has no descendants yet. [01/Jun/2015:04:59:49 -0400] - warning: ancestorid not indexed on 23; possibly, the entry id 23 has no descendants yet. [01/Jun/2015:04:59:49 -0400] - warning: ancestorid not indexed on 23; possibly, the entry id 23 has no descendants yet. [01/Jun/2015:04:59:49 -0400] - warning: ancestorid not indexed on 23; possibly, the entry id 23 has no descendants yet. [01/Jun/2015:04:59:49 -0400] - ipaca: Finished indexing. 
[01/Jun/2015:05:00:50 -0400] - Warning: Adding configuration attribute "nsslapd-security" [01/Jun/2015:05:00:50 -0400] - slapd shutting down - signaling operation threads - op stack size 2 max work q size 2 max work q stack size 2 [01/Jun/2015:05:00:50 -0400] - slapd shutting down - waiting for 1 thread to terminate [01/Jun/2015:05:00:50 -0400] - slapd shutting down - closing down internal subsystems and plugins [01/Jun/2015:05:00:51 -0400] - Waiting for 4 database threads to stop [01/Jun/2015:05:00:52 -0400] - All database threads now stopped [01/Jun/2015:05:00:52 -0400] - slapd shutting down - freed 2 work q stack objects - freed 3 op stack objects [01/Jun/2015:05:00:52 -0400] - slapd stopped. [01/Jun/2015:05:00:54 -0400] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2 [01/Jun/2015:05:00:54 -0400] - SSL alert: Configured NSS Ciphers [01/Jun/2015:05:00:54 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled [01/Jun/2015:05:00:54 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled [01/Jun/2015:05:00:54 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:05:00:54 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled [01/Jun/2015:05:00:54 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled [01/Jun/2015:05:00:54 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled [01/Jun/2015:05:00:54 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled [01/Jun/2015:05:00:54 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:05:00:54 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled [01/Jun/2015:05:00:54 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled [01/Jun/2015:05:00:54 -0400] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled [01/Jun/2015:05:00:54 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled [01/Jun/2015:05:00:54 -0400] - SSL alert: 
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [01/Jun/2015:05:00:54 -0400] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled [01/Jun/2015:05:00:54 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:05:00:54 -0400] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:05:00:54 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled [01/Jun/2015:05:00:54 -0400] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [01/Jun/2015:05:00:54 -0400] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled [01/Jun/2015:05:00:55 -0400] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled [01/Jun/2015:05:00:55 -0400] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled [01/Jun/2015:05:00:55 -0400] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:05:00:55 -0400] - SSL alert: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:05:00:55 -0400] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled [01/Jun/2015:05:00:55 -0400] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled [01/Jun/2015:05:00:55 -0400] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled [01/Jun/2015:05:00:55 -0400] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [01/Jun/2015:05:00:55 -0400] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:05:00:55 -0400] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled [01/Jun/2015:05:00:55 -0400] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [01/Jun/2015:05:00:55 -0400] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled [01/Jun/2015:05:00:55 -0400] - 389-Directory/1.3.4.a1 B2015.070.423 starting up [01/Jun/2015:05:00:55 -0400] - resizing db cache size: 3276800 -> 2621440 [01/Jun/2015:05:00:55 -0400] attrcrypt - No symmetric key found for cipher AES in backend userRoot, attempting to create one... 
[GSSAPI]: error -1 (Can't contact LDAP server) [01/Jun/2015:06:10:12 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-replica1.zaeba.li-pki-tomcat" (replica1:389): Replication bind with SIMPLE auth resumed [01/Jun/2015:06:10:48 -0400] NSMMReplicationPlugin - agmt="cn=meToreplica1.zaeba.li" (replica1:389): Replication bind with GSSAPI auth resumed [01/Jun/2015:06:33:47 -0400] agmt="cn=masterAgreement1-replica1.zaeba.li-pki-tomcat" (replica1:389) - Can't locate CSN 556c30c4000204470000 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized. [01/Jun/2015:06:34:32 -0400] agmt="cn=meToreplica1.zaeba.li" (replica1:389) - Can't locate CSN 556c31dc000200050000 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized. [01/Jun/2015:06:38:09 -0400] agmt="cn=meToreplica1.zaeba.li" (replica1:389) - Can't locate CSN 556c3583000300050000 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized. [01/Jun/2015:06:50:55 -0400] - slapd shutting down - signaling operation threads - op stack size 10 max work q size 2 max work q stack size 2 [01/Jun/2015:06:50:55 -0400] - slapd shutting down - closing down internal subsystems and plugins [01/Jun/2015:06:51:02 -0400] - Waiting for 4 database threads to stop [01/Jun/2015:06:51:09 -0400] - All database threads now stopped [01/Jun/2015:06:51:12 -0400] - slapd shutting down - freed 2 work q stack objects - freed 10 op stack objects [01/Jun/2015:06:51:12 -0400] - slapd stopped. 
[01/Jun/2015:06:53:52 -0400] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2 [01/Jun/2015:06:53:52 -0400] - SSL alert: Configured NSS Ciphers [01/Jun/2015:06:53:52 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled [01/Jun/2015:06:53:52 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled [01/Jun/2015:06:53:52 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:06:53:52 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled [01/Jun/2015:06:53:52 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled [01/Jun/2015:06:53:53 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled [01/Jun/2015:06:53:53 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled [01/Jun/2015:06:53:53 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:06:53:53 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled [01/Jun/2015:06:53:53 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled [01/Jun/2015:06:53:53 -0400] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled [01/Jun/2015:06:53:53 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled [01/Jun/2015:06:53:53 -0400] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [01/Jun/2015:06:53:53 -0400] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled [01/Jun/2015:06:53:54 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:06:53:54 -0400] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:06:53:54 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled [01/Jun/2015:06:53:54 -0400] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [01/Jun/2015:06:53:54 -0400] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled [01/Jun/2015:06:53:55 -0400] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled [01/Jun/2015:06:53:55 -0400] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: 
enabled [01/Jun/2015:06:53:55 -0400] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:06:53:55 -0400] - SSL alert: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:06:53:56 -0400] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled [01/Jun/2015:06:53:56 -0400] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled [01/Jun/2015:06:53:56 -0400] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled [01/Jun/2015:06:53:56 -0400] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [01/Jun/2015:06:53:56 -0400] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:06:53:56 -0400] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled [01/Jun/2015:06:53:57 -0400] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [01/Jun/2015:06:53:57 -0400] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled [01/Jun/2015:06:53:57 -0400] - 389-Directory/1.3.4.a1 B2015.070.423 starting up [01/Jun/2015:06:53:58 -0400] - resizing db cache size: 1073740 -> 858992 [01/Jun/2015:06:54:00 -0400] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=zaeba,dc=li [01/Jun/2015:06:54:00 -0400] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=zaeba,dc=li [01/Jun/2015:06:54:00 -0400] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=zaeba,dc=li [01/Jun/2015:06:54:01 -0400] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=zaeba,dc=li does not exist [01/Jun/2015:06:54:01 -0400] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=zaeba,dc=li does not exist [01/Jun/2015:06:54:01 -0400] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=zaeba,dc=li does not exist [01/Jun/2015:06:54:01 -0400] NSACLPlugin - The ACL target ou=sudoers,dc=zaeba,dc=li does not exist [01/Jun/2015:06:54:02 -0400] NSACLPlugin - The ACL target cn=users,cn=compat,dc=zaeba,dc=li does not exist [01/Jun/2015:06:54:02 -0400] NSACLPlugin - The ACL target cn=ad,cn=etc,dc=zaeba,dc=li does not exist [01/Jun/2015:06:54:02 -0400] 
NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=zaeba,dc=li does not exist [01/Jun/2015:06:54:02 -0400] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=zaeba,dc=li does not exist [01/Jun/2015:06:54:02 -0400] NSACLPlugin - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist [01/Jun/2015:06:54:03 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=zaeba,dc=li--no CoS Templates found, which should be added before the CoS Definition. [01/Jun/2015:06:54:03 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [01/Jun/2015:06:54:04 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-replica1.zaeba.li-pki-tomcat" (replica1:389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) () [01/Jun/2015:06:54:04 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/testmaster.zaeba.li at ZAEBA.LI] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [01/Jun/2015:06:54:04 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 115 (Operation now in progress) [01/Jun/2015:06:54:04 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [01/Jun/2015:06:54:04 -0400] NSMMReplicationPlugin - agmt="cn=meToreplica1.zaeba.li" (replica1:389): Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) () [01/Jun/2015:06:54:04 -0400] - slapd started. 
Listening on All Interfaces port 389 for LDAP requests [01/Jun/2015:06:54:04 -0400] - Listening on All Interfaces port 636 for LDAPS requests [01/Jun/2015:06:54:04 -0400] - Listening on /var/run/slapd-ZAEBA-LI.socket for LDAPI requests [01/Jun/2015:06:54:07 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [01/Jun/2015:06:54:08 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 2 (No such file or directory) [01/Jun/2015:06:54:08 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [01/Jun/2015:06:54:13 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [01/Jun/2015:06:54:13 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 2 (No such file or directory) [01/Jun/2015:06:54:14 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [01/Jun/2015:06:54:25 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [01/Jun/2015:06:54:25 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 2 (No such file or directory) [01/Jun/2015:06:54:25 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [01/Jun/2015:06:54:49 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [01/Jun/2015:06:54:49 -0400] 
slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 2 (No such file or directory) [01/Jun/2015:06:54:49 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [01/Jun/2015:06:55:37 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [01/Jun/2015:06:55:37 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 2 (No such file or directory) [01/Jun/2015:06:55:37 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [01/Jun/2015:06:57:13 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [01/Jun/2015:06:57:13 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 2 (No such file or directory) [01/Jun/2015:06:57:13 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [01/Jun/2015:07:00:25 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [01/Jun/2015:07:00:26 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 2 (No such file or directory) [01/Jun/2015:07:00:26 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [01/Jun/2015:07:05:25 -0400] slapi_ldap_bind - 
Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [01/Jun/2015:07:05:25 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 2 (No such file or directory) [01/Jun/2015:07:05:25 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [01/Jun/2015:07:10:25 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [01/Jun/2015:07:10:25 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 2 (No such file or directory) [01/Jun/2015:07:10:25 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [01/Jun/2015:07:15:25 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [01/Jun/2015:07:15:25 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 2 (No such file or directory) [01/Jun/2015:07:15:25 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) -------------- next part -------------- 389-Directory/1.3.4.a1 B2015.070.423 replica1.zaeba.li:389 (/etc/dirsrv/slapd-ZAEBA-LI) [01/Jun/2015:05:10:32 -0400] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database [01/Jun/2015:05:10:32 -0400] - check_and_set_import_cache: pagesize: 4096, pages: 424880, procpages: 54077 [01/Jun/2015:05:10:32 -0400] - WARNING: After allocating import cache 
679808KB, the available memory is 1019712KB, which is less than the soft limit 1048576KB. You may want to decrease the import cache size and rerun import. [01/Jun/2015:05:10:32 -0400] - Import allocates 679808KB import cache. [01/Jun/2015:05:10:32 -0400] - import userRoot: Beginning import job... [01/Jun/2015:05:10:32 -0400] - import userRoot: Index buffering enabled with bucket size 100 [01/Jun/2015:05:10:32 -0400] - import userRoot: Processing file "/var/lib/dirsrv/boot.ldif" [01/Jun/2015:05:10:32 -0400] - import userRoot: Finished scanning file "/var/lib/dirsrv/boot.ldif" (1 entries) [01/Jun/2015:05:10:33 -0400] - import userRoot: Workers finished; cleaning up... [01/Jun/2015:05:10:33 -0400] - import userRoot: Workers cleaned up. [01/Jun/2015:05:10:33 -0400] - import userRoot: Cleaning up producer thread... [01/Jun/2015:05:10:33 -0400] - import userRoot: Indexing complete. Post-processing... [01/Jun/2015:05:10:33 -0400] - import userRoot: Generating numsubordinates (this may take several minutes to complete)... [01/Jun/2015:05:10:33 -0400] - import userRoot: Generating numSubordinates complete. [01/Jun/2015:05:10:33 -0400] - import userRoot: Gathering ancestorid non-leaf IDs... [01/Jun/2015:05:10:34 -0400] - import userRoot: Finished gathering ancestorid non-leaf IDs. [01/Jun/2015:05:10:34 -0400] - Nothing to do to build ancestorid index [01/Jun/2015:05:10:34 -0400] - import userRoot: Created ancestorid index (new idl). [01/Jun/2015:05:10:34 -0400] - import userRoot: Flushing caches... [01/Jun/2015:05:10:34 -0400] - import userRoot: Closing files... [01/Jun/2015:05:10:34 -0400] - All database threads now stopped [01/Jun/2015:05:10:34 -0400] - import userRoot: Import complete. Processed 1 entries in 2 seconds. (0.50 entries/sec) [01/Jun/2015:05:10:35 -0400] - 389-Directory/1.3.4.a1 B2015.070.423 starting up [01/Jun/2015:05:10:35 -0400] - Db home directory is not set. Possibly nsslapd-directory (optionally nsslapd-db-home-directory) is missing in the config file. 
[01/Jun/2015:05:10:35 -0400] - resizing db cache size: 696123392 -> 6400000 [01/Jun/2015:05:10:35 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests [01/Jun/2015:05:10:35 -0400] - convert_pbe_des_to_aes: Converting DES passwords to AES... [01/Jun/2015:05:10:35 -0400] - convert_pbe_des_to_aes: Successfully disabled DES plugin (cn=DES,cn=Password Storage Schemes,cn=plugins,cn=config) [01/Jun/2015:05:10:35 -0400] - convert_pbe_des_to_aes: Finished - no DES passwords to convert. [01/Jun/2015:05:10:36 -0400] - slapd shutting down - signaling operation threads - op stack size 0 max work q size 0 max work q stack size 0 [01/Jun/2015:05:10:36 -0400] - slapd shutting down - closing down internal subsystems and plugins [01/Jun/2015:05:10:37 -0400] - Waiting for 4 database threads to stop [01/Jun/2015:05:10:37 -0400] - All database threads now stopped [01/Jun/2015:05:10:37 -0400] - slapd shutting down - freed 0 work q stack objects - freed 0 op stack objects [01/Jun/2015:05:10:37 -0400] - slapd stopped. [01/Jun/2015:05:10:38 -0400] - 389-Directory/1.3.4.a1 B2015.070.423 starting up [01/Jun/2015:05:10:38 -0400] - resizing db cache size: 6400000 -> 5120000 [01/Jun/2015:05:10:39 -0400] - slapd started. 
Listening on All Interfaces port 389 for LDAP requests [01/Jun/2015:05:10:39 -0400] - The change of nsslapd-ldapilisten will not take effect until the server is restarted [01/Jun/2015:05:10:39 -0400] - Warning: Adding configuration attribute "nsslapd-security" [01/Jun/2015:05:10:40 -0400] - slapd shutting down - signaling operation threads - op stack size 3 max work q size 1 max work q stack size 1 [01/Jun/2015:05:10:40 -0400] - slapd shutting down - waiting for 1 thread to terminate [01/Jun/2015:05:10:40 -0400] - slapd shutting down - closing down internal subsystems and plugins [01/Jun/2015:05:10:40 -0400] - Waiting for 4 database threads to stop [01/Jun/2015:05:10:41 -0400] - All database threads now stopped [01/Jun/2015:05:10:41 -0400] - slapd shutting down - freed 1 work q stack objects - freed 3 op stack objects [01/Jun/2015:05:10:41 -0400] - slapd stopped. [01/Jun/2015:05:10:42 -0400] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2 [01/Jun/2015:05:10:42 -0400] - SSL alert: Configured NSS Ciphers [01/Jun/2015:05:10:42 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled [01/Jun/2015:05:10:42 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled [01/Jun/2015:05:10:43 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:05:10:43 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled [01/Jun/2015:05:10:43 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled [01/Jun/2015:05:10:43 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled [01/Jun/2015:05:10:43 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled [01/Jun/2015:05:10:43 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:05:10:43 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled [01/Jun/2015:05:10:43 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled [01/Jun/2015:05:10:43 -0400] - SSL alert: 
TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled [01/Jun/2015:05:10:43 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled [01/Jun/2015:05:10:43 -0400] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [01/Jun/2015:05:10:43 -0400] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled [01/Jun/2015:05:10:43 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:05:10:43 -0400] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:05:10:43 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled [01/Jun/2015:05:10:43 -0400] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [01/Jun/2015:05:10:43 -0400] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled [01/Jun/2015:05:10:43 -0400] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled [01/Jun/2015:05:10:43 -0400] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled [01/Jun/2015:05:10:43 -0400] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:05:10:43 -0400] - SSL alert: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:05:10:43 -0400] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled [01/Jun/2015:05:10:43 -0400] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled [01/Jun/2015:05:10:43 -0400] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled [01/Jun/2015:05:10:43 -0400] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [01/Jun/2015:05:10:43 -0400] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:05:10:43 -0400] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled [01/Jun/2015:05:10:43 -0400] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [01/Jun/2015:05:10:43 -0400] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled [01/Jun/2015:05:10:43 -0400] - 389-Directory/1.3.4.a1 B2015.070.423 starting up [01/Jun/2015:05:10:43 -0400] - resizing db cache size: 5120000 -> 4096000 [01/Jun/2015:05:10:44 -0400] attrcrypt - No symmetric key found for cipher AES in backend userRoot, 
attempting to create one... [01/Jun/2015:05:10:44 -0400] attrcrypt - Key for cipher AES successfully generated and stored [01/Jun/2015:05:10:44 -0400] attrcrypt - No symmetric key found for cipher 3DES in backend userRoot, attempting to create one... [01/Jun/2015:05:10:44 -0400] attrcrypt - Key for cipher 3DES successfully generated and stored [01/Jun/2015:05:10:44 -0400] ipalockout_get_global_config - [file ipa_lockout.c, line 185]: Failed to get default realm (-1765328160) [01/Jun/2015:05:10:44 -0400] ipaenrollment_start - [file ipa_enrollment.c, line 393]: Failed to get default realm?! [01/Jun/2015:05:10:44 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests [01/Jun/2015:05:10:44 -0400] - Listening on All Interfaces port 636 for LDAPS requests [01/Jun/2015:05:10:44 -0400] - Listening on /var/run/slapd-ZAEBA-LI.socket for LDAPI requests [01/Jun/2015:05:10:45 -0400] - slapd shutting down - signaling operation threads - op stack size 2 max work q size 1 max work q stack size 1 [01/Jun/2015:05:10:45 -0400] - slapd shutting down - waiting for 3 threads to terminate [01/Jun/2015:05:10:45 -0400] - slapd shutting down - closing down internal subsystems and plugins [01/Jun/2015:05:10:45 -0400] - Waiting for 4 database threads to stop [01/Jun/2015:05:10:46 -0400] - All database threads now stopped [01/Jun/2015:05:10:46 -0400] - slapd shutting down - freed 1 work q stack objects - freed 2 op stack objects [01/Jun/2015:05:10:46 -0400] - slapd stopped. 
[01/Jun/2015:05:10:48 -0400] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2 [01/Jun/2015:05:10:48 -0400] - SSL alert: Configured NSS Ciphers [01/Jun/2015:05:10:48 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled [01/Jun/2015:05:10:48 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled [01/Jun/2015:05:10:48 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:05:10:48 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled [01/Jun/2015:05:10:48 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled [01/Jun/2015:05:10:48 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled [01/Jun/2015:05:10:48 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled [01/Jun/2015:05:10:48 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:05:10:48 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled [01/Jun/2015:05:10:48 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled [01/Jun/2015:05:10:48 -0400] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled [01/Jun/2015:05:10:48 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled [01/Jun/2015:05:10:48 -0400] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [01/Jun/2015:05:10:48 -0400] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled [01/Jun/2015:05:10:48 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:05:10:48 -0400] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:05:10:48 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled [01/Jun/2015:05:10:48 -0400] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [01/Jun/2015:05:10:48 -0400] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled [01/Jun/2015:05:10:48 -0400] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled [01/Jun/2015:05:10:48 -0400] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: 
enabled [01/Jun/2015:05:10:48 -0400] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:05:10:48 -0400] - SSL alert: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:05:10:48 -0400] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled [01/Jun/2015:05:10:49 -0400] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled [01/Jun/2015:05:10:49 -0400] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled [01/Jun/2015:05:10:49 -0400] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [01/Jun/2015:05:10:49 -0400] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:05:10:49 -0400] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled [01/Jun/2015:05:10:49 -0400] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [01/Jun/2015:05:10:49 -0400] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled [01/Jun/2015:05:10:49 -0400] - 389-Directory/1.3.4.a1 B2015.070.423 starting up [01/Jun/2015:05:10:49 -0400] - resizing db cache size: 4096000 -> 3276800 [01/Jun/2015:05:10:49 -0400] ipalockout_get_global_config - [file ipa_lockout.c, line 185]: Failed to get default realm (-1765328160) [01/Jun/2015:05:10:49 -0400] ipaenrollment_start - [file ipa_enrollment.c, line 393]: Failed to get default realm?! [01/Jun/2015:05:10:49 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests [01/Jun/2015:05:10:49 -0400] - Listening on All Interfaces port 636 for LDAPS requests [01/Jun/2015:05:10:49 -0400] - Listening on /var/run/slapd-ZAEBA-LI.socket for LDAPI requests [01/Jun/2015:05:10:51 -0400] NSMMReplicationPlugin - agmt="cn=meTotestmaster.zaeba.li" (testmaster:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. 
-0400] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=zaeba,dc=li does not exist [01/Jun/2015:05:15:28 -0400] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=zaeba,dc=li does not exist [01/Jun/2015:05:15:28 -0400] NSACLPlugin - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist [01/Jun/2015:05:15:28 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=zaeba,dc=li--no CoS Templates found, which should be added before the CoS Definition. [01/Jun/2015:05:15:28 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/replica1.zaeba.li at ZAEBA.LI] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text)) [01/Jun/2015:05:15:28 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success) [01/Jun/2015:05:15:28 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [01/Jun/2015:05:15:28 -0400] NSMMReplicationPlugin - agmt="cn=meTotestmaster.zaeba.li" (testmaster:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) [01/Jun/2015:05:15:28 -0400] - slapd started. 
Listening on All Interfaces port 389 for LDAP requests [01/Jun/2015:05:15:28 -0400] - Listening on All Interfaces port 636 for LDAPS requests [01/Jun/2015:05:15:28 -0400] - Listening on /var/run/slapd-ZAEBA-LI.socket for LDAPI requests [01/Jun/2015:05:15:32 -0400] NSMMReplicationPlugin - agmt="cn=meTotestmaster.zaeba.li" (testmaster:389): Replication bind with GSSAPI auth resumed [01/Jun/2015:05:31:43 -0400] - slapd shutting down - signaling operation threads - op stack size 5 max work q size 2 max work q stack size 2 [01/Jun/2015:05:31:44 -0400] - slapd shutting down - closing down internal subsystems and plugins [01/Jun/2015:05:31:46 -0400] - Waiting for 4 database threads to stop [01/Jun/2015:05:31:48 -0400] - All database threads now stopped [01/Jun/2015:05:31:48 -0400] - slapd shutting down - freed 2 work q stack objects - freed 5 op stack objects [01/Jun/2015:05:31:49 -0400] - slapd stopped. [01/Jun/2015:06:06:01 -0400] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2 [01/Jun/2015:06:06:01 -0400] - SSL alert: Configured NSS Ciphers [01/Jun/2015:06:06:01 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled [01/Jun/2015:06:06:01 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled [01/Jun/2015:06:06:02 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:06:06:02 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled [01/Jun/2015:06:06:02 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled [01/Jun/2015:06:06:02 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled [01/Jun/2015:06:06:02 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled [01/Jun/2015:06:06:02 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:06:06:02 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled [01/Jun/2015:06:06:02 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled [01/Jun/2015:06:06:02 -0400] - SSL 
alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled [01/Jun/2015:06:06:02 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled [01/Jun/2015:06:06:02 -0400] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [01/Jun/2015:06:06:02 -0400] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled [01/Jun/2015:06:06:02 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:06:06:02 -0400] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:06:06:02 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled [01/Jun/2015:06:06:02 -0400] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [01/Jun/2015:06:06:02 -0400] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled [01/Jun/2015:06:06:02 -0400] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled [01/Jun/2015:06:06:02 -0400] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled [01/Jun/2015:06:06:02 -0400] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:06:06:03 -0400] - SSL alert: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:06:06:03 -0400] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled [01/Jun/2015:06:06:03 -0400] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled [01/Jun/2015:06:06:03 -0400] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled [01/Jun/2015:06:06:03 -0400] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [01/Jun/2015:06:06:03 -0400] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:06:06:03 -0400] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled [01/Jun/2015:06:06:03 -0400] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [01/Jun/2015:06:06:03 -0400] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled [01/Jun/2015:06:06:03 -0400] - 389-Directory/1.3.4.a1 B2015.070.423 starting up [01/Jun/2015:06:06:03 -0400] - resizing db cache size: 1073740 -> 858992 [01/Jun/2015:06:06:04 -0400] schema-compat-plugin - warning: no entries set up under cn=computers, 
cn=compat,dc=zaeba,dc=li [01/Jun/2015:06:06:04 -0400] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=zaeba,dc=li [01/Jun/2015:06:06:04 -0400] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=zaeba,dc=li [01/Jun/2015:06:06:04 -0400] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=zaeba,dc=li does not exist [01/Jun/2015:06:06:04 -0400] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=zaeba,dc=li does not exist [01/Jun/2015:06:06:04 -0400] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=zaeba,dc=li does not exist [01/Jun/2015:06:06:05 -0400] NSACLPlugin - The ACL target ou=sudoers,dc=zaeba,dc=li does not exist [01/Jun/2015:06:06:05 -0400] NSACLPlugin - The ACL target cn=users,cn=compat,dc=zaeba,dc=li does not exist [01/Jun/2015:06:06:05 -0400] NSACLPlugin - The ACL target cn=ad,cn=etc,dc=zaeba,dc=li does not exist [01/Jun/2015:06:06:05 -0400] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=zaeba,dc=li does not exist [01/Jun/2015:06:06:05 -0400] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=zaeba,dc=li does not exist [01/Jun/2015:06:06:05 -0400] NSACLPlugin - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist [01/Jun/2015:06:06:05 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=zaeba,dc=li--no CoS Templates found, which should be added before the CoS Definition. [01/Jun/2015:06:06:05 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/replica1.zaeba.li at ZAEBA.LI] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [01/Jun/2015:06:06:05 -0400] - slapd started. 
Listening on All Interfaces port 389 for LDAP requests [01/Jun/2015:06:06:05 -0400] - Listening on All Interfaces port 636 for LDAPS requests [01/Jun/2015:06:06:05 -0400] - Listening on /var/run/slapd-ZAEBA-LI.socket for LDAPI requests [01/Jun/2015:06:06:05 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 115 (Operation now in progress) [01/Jun/2015:06:06:05 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [01/Jun/2015:06:06:05 -0400] NSMMReplicationPlugin - agmt="cn=meTotestmaster.zaeba.li" (testmaster:389): Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) () [01/Jun/2015:06:06:09 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 2 (No such file or directory) [01/Jun/2015:06:06:09 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [01/Jun/2015:06:06:15 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 2 (No such file or directory) [01/Jun/2015:06:06:15 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [01/Jun/2015:06:06:27 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 2 (No such file or directory) [01/Jun/2015:06:06:27 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) 
[01/Jun/2015:06:06:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 2 (No such file or directory) [01/Jun/2015:06:06:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [01/Jun/2015:06:07:39 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 2 (No such file or directory) [01/Jun/2015:06:07:39 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [01/Jun/2015:06:09:15 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 2 (No such file or directory) [01/Jun/2015:06:09:15 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [01/Jun/2015:06:10:11 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [01/Jun/2015:06:10:11 -0400] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-replica1.zaeba.li-pki-tomcat" (testmaster:389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) () [01/Jun/2015:06:10:15 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [01/Jun/2015:06:10:21 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [01/Jun/2015:06:10:33 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [01/Jun/2015:06:10:51 -0400] - Entry 
"uid=admin,ou=people,o=ipaca" -- attribute "krbExtraData" not allowed [01/Jun/2015:06:10:57 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [01/Jun/2015:06:11:45 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [01/Jun/2015:06:12:27 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 2 (No such file or directory) [01/Jun/2015:06:12:27 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [01/Jun/2015:06:13:21 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [01/Jun/2015:06:13:32 -0400] NSMMReplicationPlugin - agmt="cn=meToreplica3.zaeba.li" (replica3:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [01/Jun/2015:06:13:36 -0400] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=meToreplica3.zaeba.li" (replica3:389)". [01/Jun/2015:06:13:44 -0400] NSMMReplicationPlugin - Finished total update of replica "agmt="cn=meToreplica3.zaeba.li" (replica3:389)". Sent 408 entries. [01/Jun/2015:06:13:46 -0400] ipa-topology-plugin - ipa_topo_util_modify: failed to modify entry (cn=meToreplica3.zaeba.li,cn=replica,cn=dc\3Dzaeba\2Cdc\3Dli,cn=mapping tree,cn=config): error 53 [01/Jun/2015:06:14:17 -0400] NSMMReplicationPlugin - agmt="cn=meToreplica3.zaeba.li" (replica3:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later. 
[01/Jun/2015:06:14:20 -0400] NSMMReplicationPlugin - agmt="cn=meToreplica3.zaeba.li" (replica3:389): Replication bind with SIMPLE auth resumed [01/Jun/2015:06:15:06 -0400] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=masterAgreement1-replica3.zaeba.li-pki-tomcat" (replica3:389)". [01/Jun/2015:06:15:10 -0400] NSMMReplicationPlugin - Finished total update of replica "agmt="cn=masterAgreement1-replica3.zaeba.li-pki-tomcat" (replica3:389)". Sent 83 entries. [01/Jun/2015:06:15:47 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [01/Jun/2015:06:15:47 -0400] NSMMReplicationPlugin - agmt="cn=meToreplica3.zaeba.li" (replica3:389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) () [01/Jun/2015:06:15:51 -0400] NSMMReplicationPlugin - agmt="cn=meToreplica3.zaeba.li" (replica3:389): Replication bind with SIMPLE auth resumed [01/Jun/2015:06:16:33 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [01/Jun/2015:06:16:35 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Permission denied)) errno 0 (Success) [01/Jun/2015:06:16:35 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials) [01/Jun/2015:06:16:35 -0400] NSMMReplicationPlugin - agmt="cn=meToreplica3.zaeba.li" (replica3:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Permission denied)) [01/Jun/2015:06:16:40 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Permission denied)) errno 0 (Success) [01/Jun/2015:06:16:40 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials) [01/Jun/2015:06:16:45 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Permission denied)) errno 0 (Success) [01/Jun/2015:06:16:45 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials) [01/Jun/2015:06:16:57 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) [01/Jun/2015:06:16:57 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [01/Jun/2015:06:16:58 -0400] NSMMReplicationPlugin - agmt="cn=meToreplica3.zaeba.li" (replica3:389): Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) () [01/Jun/2015:06:17:21 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) [01/Jun/2015:06:17:21 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP 
server) [01/Jun/2015:06:17:27 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 2 (No such file or directory) [01/Jun/2015:06:17:27 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [01/Jun/2015:06:18:09 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) [01/Jun/2015:06:18:09 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [01/Jun/2015:06:19:45 -0400] NSMMReplicationPlugin - agmt="cn=meToreplica3.zaeba.li" (replica3:389): Replication bind with GSSAPI auth resumed [01/Jun/2015:06:21:33 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [01/Jun/2015:06:22:27 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 2 (No such file or directory) [01/Jun/2015:06:22:27 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [01/Jun/2015:06:26:33 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [01/Jun/2015:06:27:27 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 2 (No such file or directory) [01/Jun/2015:06:27:27 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP 
server) [01/Jun/2015:06:31:33 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [01/Jun/2015:06:32:27 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 2 (No such file or directory) [01/Jun/2015:06:32:27 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [01/Jun/2015:06:36:34 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [01/Jun/2015:06:37:27 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 2 (No such file or directory) [01/Jun/2015:06:37:27 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [01/Jun/2015:06:41:33 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [01/Jun/2015:06:42:27 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 2 (No such file or directory) [01/Jun/2015:06:42:27 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [01/Jun/2015:06:46:33 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [01/Jun/2015:06:47:27 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 2 (No such file or directory) [01/Jun/2015:06:47:27 -0400] 
slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [01/Jun/2015:06:50:56 -0400] - slapd shutting down - signaling operation threads - op stack size 7 max work q size 3 max work q stack size 3 [01/Jun/2015:06:50:56 -0400] - slapd shutting down - waiting for 28 threads to terminate [01/Jun/2015:06:50:57 -0400] - slapd shutting down - closing down internal subsystems and plugins [01/Jun/2015:06:51:05 -0400] - Waiting for 4 database threads to stop [01/Jun/2015:06:51:06 -0400] - All database threads now stopped [01/Jun/2015:06:51:07 -0400] - slapd shutting down - freed 3 work q stack objects - freed 7 op stack objects [01/Jun/2015:06:51:08 -0400] - slapd stopped. [01/Jun/2015:06:53:12 -0400] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2 [01/Jun/2015:06:53:12 -0400] - SSL alert: Configured NSS Ciphers [01/Jun/2015:06:53:12 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled [01/Jun/2015:06:53:12 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled [01/Jun/2015:06:53:12 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:06:53:13 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled [01/Jun/2015:06:53:13 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled [01/Jun/2015:06:53:14 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled [01/Jun/2015:06:53:14 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled [01/Jun/2015:06:53:14 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:06:53:14 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled [01/Jun/2015:06:53:15 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled [01/Jun/2015:06:53:15 -0400] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled [01/Jun/2015:06:53:15 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled 
[01/Jun/2015:06:53:15 -0400] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [01/Jun/2015:06:53:15 -0400] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled [01/Jun/2015:06:53:15 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:06:53:15 -0400] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:06:53:15 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled [01/Jun/2015:06:53:16 -0400] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [01/Jun/2015:06:53:16 -0400] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled [01/Jun/2015:06:53:16 -0400] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled [01/Jun/2015:06:53:16 -0400] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled [01/Jun/2015:06:53:16 -0400] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:06:53:16 -0400] - SSL alert: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:06:53:16 -0400] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled [01/Jun/2015:06:53:16 -0400] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled [01/Jun/2015:06:53:17 -0400] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled [01/Jun/2015:06:53:17 -0400] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [01/Jun/2015:06:53:17 -0400] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:06:53:17 -0400] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled [01/Jun/2015:06:53:17 -0400] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [01/Jun/2015:06:53:17 -0400] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled [01/Jun/2015:06:53:17 -0400] - 389-Directory/1.3.4.a1 B2015.070.423 starting up [01/Jun/2015:06:53:18 -0400] - WARNING: userRoot: entry cache size 900717B is less than db size 933888B; We recommend to increase the entry cache size nsslapd-cachememsize. 
[01/Jun/2015:06:53:18 -0400] - resizing db cache size: 858992 -> 687193 [01/Jun/2015:06:53:21 -0400] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=zaeba,dc=li [01/Jun/2015:06:53:21 -0400] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=zaeba,dc=li [01/Jun/2015:06:53:21 -0400] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=zaeba,dc=li [01/Jun/2015:06:53:21 -0400] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=zaeba,dc=li does not exist [01/Jun/2015:06:53:22 -0400] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=zaeba,dc=li does not exist [01/Jun/2015:06:53:22 -0400] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=zaeba,dc=li does not exist [01/Jun/2015:06:53:22 -0400] NSACLPlugin - The ACL target ou=sudoers,dc=zaeba,dc=li does not exist [01/Jun/2015:06:53:22 -0400] NSACLPlugin - The ACL target cn=users,cn=compat,dc=zaeba,dc=li does not exist [01/Jun/2015:06:53:22 -0400] NSACLPlugin - The ACL target cn=ad,cn=etc,dc=zaeba,dc=li does not exist [01/Jun/2015:06:53:22 -0400] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=zaeba,dc=li does not exist [01/Jun/2015:06:53:22 -0400] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=zaeba,dc=li does not exist [01/Jun/2015:06:53:23 -0400] NSACLPlugin - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist [01/Jun/2015:06:53:23 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=zaeba,dc=li--no CoS Templates found, which should be added before the CoS Definition. 
[01/Jun/2015:06:53:25 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[01/Jun/2015:06:53:25 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-replica3.zaeba.li-pki-tomcat" (replica3:389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ()
[01/Jun/2015:06:53:25 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[01/Jun/2015:06:53:25 -0400] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-replica1.zaeba.li-pki-tomcat" (testmaster:389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ()
[01/Jun/2015:06:53:25 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/replica1.zaeba.li@ZAEBA.LI] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[01/Jun/2015:06:53:26 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/replica1.zaeba.li@ZAEBA.LI] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[01/Jun/2015:06:53:26 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 115 (Operation now in progress)
[01/Jun/2015:06:53:26 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[01/Jun/2015:06:53:26 -0400] NSMMReplicationPlugin - agmt="cn=meToreplica3.zaeba.li" (replica3:389): Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[01/Jun/2015:06:53:26 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 115 (Operation now in progress)
[01/Jun/2015:06:53:27 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[01/Jun/2015:06:53:27 -0400] NSMMReplicationPlugin - agmt="cn=meTotestmaster.zaeba.li" (testmaster:389): Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[01/Jun/2015:06:53:27 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[01/Jun/2015:06:53:27 -0400] - Listening on All Interfaces port 636 for LDAPS requests
[01/Jun/2015:06:53:27 -0400] - Listening on /var/run/slapd-ZAEBA-LI.socket for LDAPI requests
[01/Jun/2015:06:53:28 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[01/Jun/2015:06:53:29 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/replica1.zaeba.li@ZAEBA.LI] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[01/Jun/2015:06:53:29 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[01/Jun/2015:06:53:29 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 115 (Operation now in progress)
[01/Jun/2015:06:53:30 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[01/Jun/2015:06:53:32 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 2 (No such file or directory)
[01/Jun/2015:06:53:32 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[01/Jun/2015:06:53:34 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[01/Jun/2015:06:53:34 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[01/Jun/2015:06:53:35 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 0 (Success)
[01/Jun/2015:06:53:36 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[01/Jun/2015:06:53:36 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 0 (Success)
[01/Jun/2015:06:53:37 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[01/Jun/2015:06:53:46 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[01/Jun/2015:06:53:47 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[01/Jun/2015:06:53:47 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 0 (Success)
[01/Jun/2015:06:53:47 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[01/Jun/2015:06:53:48 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 0 (Success)
[01/Jun/2015:06:53:48 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[01/Jun/2015:06:54:10 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[01/Jun/2015:06:54:11 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[01/Jun/2015:06:54:11 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 0 (Success)
[01/Jun/2015:06:54:11 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[01/Jun/2015:06:54:12 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 0 (Success)
[01/Jun/2015:06:54:12 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[01/Jun/2015:06:54:58 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[01/Jun/2015:06:54:58 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[01/Jun/2015:06:54:59 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 0 (Success)
[01/Jun/2015:06:54:59 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[01/Jun/2015:06:55:00 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 0 (Success)
[01/Jun/2015:06:55:00 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[01/Jun/2015:06:56:34 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[01/Jun/2015:06:56:34 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[01/Jun/2015:06:56:35 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 0 (Success)
[01/Jun/2015:06:56:35 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[01/Jun/2015:06:56:36 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 0 (Success)
[01/Jun/2015:06:56:36 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[01/Jun/2015:06:59:46 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[01/Jun/2015:06:59:46 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[01/Jun/2015:06:59:47 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 0 (Success)
[01/Jun/2015:06:59:47 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[01/Jun/2015:06:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 0 (Success)
[01/Jun/2015:06:59:48 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[01/Jun/2015:07:04:46 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[01/Jun/2015:07:04:46 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[01/Jun/2015:07:04:47 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 0 (Success)
[01/Jun/2015:07:04:47 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[01/Jun/2015:07:04:48 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 0 (Success)
[01/Jun/2015:07:04:48 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[01/Jun/2015:07:09:46 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[01/Jun/2015:07:09:46 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[01/Jun/2015:07:09:47 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 0 (Success)
[01/Jun/2015:07:09:47 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[01/Jun/2015:07:09:48 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 0 (Success)
[01/Jun/2015:07:09:48 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[01/Jun/2015:07:14:46 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[01/Jun/2015:07:14:47 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[01/Jun/2015:07:14:47 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 0 (Success)
[01/Jun/2015:07:14:47 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[01/Jun/2015:07:14:48 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 0 (Success)
[01/Jun/2015:07:14:48 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)

-------------- next part --------------
389-Directory/1.3.4.a1 B2015.070.423 replica3.zaeba.li:389 (/etc/dirsrv/slapd-ZAEBA-LI)
[01/Jun/2015:06:13:14 -0400] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[01/Jun/2015:06:13:14 -0400] - check_and_set_import_cache: pagesize: 4096, pages: 254384, procpages: 54077
[01/Jun/2015:06:13:14 -0400] - WARNING: After allocating import cache 407012KB, the available memory is 610524KB, which is less than the soft limit 1048576KB. You may want to decrease the import cache size and rerun import.
[01/Jun/2015:06:13:14 -0400] - Import allocates 407012KB import cache.
[01/Jun/2015:06:13:14 -0400] - import userRoot: Beginning import job...
[01/Jun/2015:06:13:14 -0400] - import userRoot: Index buffering enabled with bucket size 100
[01/Jun/2015:06:13:15 -0400] - import userRoot: Processing file "/var/lib/dirsrv/boot.ldif"
[01/Jun/2015:06:13:15 -0400] - import userRoot: Finished scanning file "/var/lib/dirsrv/boot.ldif" (1 entries)
[01/Jun/2015:06:13:15 -0400] - import userRoot: Workers finished; cleaning up...
[01/Jun/2015:06:13:16 -0400] - import userRoot: Workers cleaned up.
[01/Jun/2015:06:13:16 -0400] - import userRoot: Cleaning up producer thread...
[01/Jun/2015:06:13:16 -0400] - import userRoot: Indexing complete. Post-processing...
[01/Jun/2015:06:13:16 -0400] - import userRoot: Generating numsubordinates (this may take several minutes to complete)...
[01/Jun/2015:06:13:16 -0400] - import userRoot: Generating numSubordinates complete.
[01/Jun/2015:06:13:16 -0400] - import userRoot: Gathering ancestorid non-leaf IDs...
[01/Jun/2015:06:13:16 -0400] - import userRoot: Finished gathering ancestorid non-leaf IDs.
[01/Jun/2015:06:13:16 -0400] - Nothing to do to build ancestorid index
[01/Jun/2015:06:13:16 -0400] - import userRoot: Created ancestorid index (new idl).
[01/Jun/2015:06:13:16 -0400] - import userRoot: Flushing caches...
[01/Jun/2015:06:13:16 -0400] - import userRoot: Closing files...
[01/Jun/2015:06:13:16 -0400] - All database threads now stopped
[01/Jun/2015:06:13:16 -0400] - import userRoot: Import complete. Processed 1 entries in 2 seconds. (0.50 entries/sec)
[01/Jun/2015:06:13:17 -0400] - 389-Directory/1.3.4.a1 B2015.070.423 starting up
[01/Jun/2015:06:13:17 -0400] - Db home directory is not set. Possibly nsslapd-directory (optionally nsslapd-db-home-directory) is missing in the config file.
[01/Jun/2015:06:13:17 -0400] - resizing db cache size: 333424230 -> 6400000
[01/Jun/2015:06:13:17 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[01/Jun/2015:06:13:17 -0400] - convert_pbe_des_to_aes: Converting DES passwords to AES...
[01/Jun/2015:06:13:17 -0400] - convert_pbe_des_to_aes: Successfully disabled DES plugin (cn=DES,cn=Password Storage Schemes,cn=plugins,cn=config)
[01/Jun/2015:06:13:17 -0400] - convert_pbe_des_to_aes: Finished - no DES passwords to convert.
[01/Jun/2015:06:13:18 -0400] - slapd shutting down - signaling operation threads - op stack size 0 max work q size 0 max work q stack size 0
[01/Jun/2015:06:13:18 -0400] - slapd shutting down - closing down internal subsystems and plugins
[01/Jun/2015:06:13:18 -0400] - Waiting for 4 database threads to stop
[01/Jun/2015:06:13:19 -0400] - All database threads now stopped
[01/Jun/2015:06:13:19 -0400] - slapd shutting down - freed 0 work q stack objects - freed 0 op stack objects
[01/Jun/2015:06:13:19 -0400] - slapd stopped.
[01/Jun/2015:06:13:21 -0400] - 389-Directory/1.3.4.a1 B2015.070.423 starting up
[01/Jun/2015:06:13:21 -0400] - resizing db cache size: 6400000 -> 5120000
[01/Jun/2015:06:13:21 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[01/Jun/2015:06:13:21 -0400] - The change of nsslapd-ldapilisten will not take effect until the server is restarted
[01/Jun/2015:06:13:22 -0400] - Warning: Adding configuration attribute "nsslapd-security"
[01/Jun/2015:06:13:22 -0400] - slapd shutting down - signaling operation threads - op stack size 2 max work q size 1 max work q stack size 1
[01/Jun/2015:06:13:23 -0400] - slapd shutting down - waiting for 1 thread to terminate
[01/Jun/2015:06:13:23 -0400] - slapd shutting down - closing down internal subsystems and plugins
[01/Jun/2015:06:13:23 -0400] - Waiting for 4 database threads to stop
[01/Jun/2015:06:13:23 -0400] - All database threads now stopped
[01/Jun/2015:06:13:23 -0400] - slapd shutting down - freed 1 work q stack objects - freed 2 op stack objects
[01/Jun/2015:06:13:23 -0400] - slapd stopped.
[01/Jun/2015:06:13:24 -0400] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
[01/Jun/2015:06:13:24 -0400] - SSL alert: Configured NSS Ciphers
[01/Jun/2015:06:13:24 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
[01/Jun/2015:06:13:24 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[01/Jun/2015:06:13:24 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
[01/Jun/2015:06:13:24 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
[01/Jun/2015:06:13:24 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
[01/Jun/2015:06:13:24 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled
[01/Jun/2015:06:13:24 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[01/Jun/2015:06:13:25 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
[01/Jun/2015:06:13:25 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[01/Jun/2015:06:13:25 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[01/Jun/2015:06:13:25 -0400] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
[01/Jun/2015:06:13:25 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[01/Jun/2015:06:13:25 -0400] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
[01/Jun/2015:06:13:25 -0400] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled
[01/Jun/2015:06:13:25 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
[01/Jun/2015:06:13:25 -0400] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
[01/Jun/2015:06:13:25 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
[01/Jun/2015:06:13:25 -0400] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
[01/Jun/2015:06:13:25 -0400] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled
[01/Jun/2015:06:13:25 -0400] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled
[01/Jun/2015:06:13:25 -0400] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled
[01/Jun/2015:06:13:25 -0400] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled
[01/Jun/2015:06:13:25 -0400] - SSL alert: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled
[01/Jun/2015:06:13:25 -0400] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
[01/Jun/2015:06:13:25 -0400] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
[01/Jun/2015:06:13:25 -0400] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
[01/Jun/2015:06:13:25 -0400] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
[01/Jun/2015:06:13:25 -0400] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled
[01/Jun/2015:06:13:25 -0400] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
[01/Jun/2015:06:13:25 -0400] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
[01/Jun/2015:06:13:25 -0400] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled
[01/Jun/2015:06:13:25 -0400] - 389-Directory/1.3.4.a1 B2015.070.423 starting up
[01/Jun/2015:06:13:25 -0400] - resizing db cache size: 5120000 -> 4096000
[01/Jun/2015:06:13:26 -0400] attrcrypt - No symmetric key found for cipher AES in backend userRoot, attempting to create one...
[01/Jun/2015:06:13:26 -0400] attrcrypt - Key for cipher AES successfully generated and stored
[01/Jun/2015:06:13:26 -0400] attrcrypt - No symmetric key found for cipher 3DES in backend userRoot, attempting to create one...
[01/Jun/2015:06:13:26 -0400] attrcrypt - Key for cipher 3DES successfully generated and stored
[01/Jun/2015:06:13:26 -0400] ipalockout_get_global_config - [file ipa_lockout.c, line 185]: Failed to get default realm (-1765328160)
[01/Jun/2015:06:13:26 -0400] ipaenrollment_start - [file ipa_enrollment.c, line 393]: Failed to get default realm?!
[01/Jun/2015:06:13:26 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[01/Jun/2015:06:13:26 -0400] - Listening on All Interfaces port 636 for LDAPS requests
[01/Jun/2015:06:13:26 -0400] - Listening on /var/run/slapd-ZAEBA-LI.socket for LDAPI requests
[01/Jun/2015:06:13:27 -0400] - slapd shutting down - signaling operation threads - op stack size 2 max work q size 1 max work q stack size 1
[01/Jun/2015:06:13:27 -0400] - slapd shutting down - waiting for 3 threads to terminate
[01/Jun/2015:06:13:27 -0400] - slapd shutting down - closing down internal subsystems and plugins
[01/Jun/2015:06:13:27 -0400] - Waiting for 4 database threads to stop
[01/Jun/2015:06:13:28 -0400] - All database threads now stopped
[01/Jun/2015:06:13:28 -0400] - slapd shutting down - freed 1 work q stack objects - freed 2 op stack objects
[01/Jun/2015:06:13:28 -0400] - slapd stopped.
[01/Jun/2015:06:13:30 -0400] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
[01/Jun/2015:06:13:30 -0400] - SSL alert: Configured NSS Ciphers
[01/Jun/2015:06:13:30 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
[01/Jun/2015:06:13:30 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[01/Jun/2015:06:13:30 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
[01/Jun/2015:06:13:30 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
[01/Jun/2015:06:13:30 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
[01/Jun/2015:06:13:30 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled
[01/Jun/2015:06:13:30 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[01/Jun/2015:06:13:30 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
[01/Jun/2015:06:13:30 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[01/Jun/2015:06:13:30 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[01/Jun/2015:06:13:30 -0400] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
[01/Jun/2015:06:13:30 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[01/Jun/2015:06:13:30 -0400] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
[01/Jun/2015:06:13:30 -0400] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled
[01/Jun/2015:06:13:30 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
[01/Jun/2015:06:13:30 -0400] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
[01/Jun/2015:06:13:30 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
[01/Jun/2015:06:13:30 -0400] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
[01/Jun/2015:06:13:30 -0400] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled
[01/Jun/2015:06:13:30 -0400] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled
[01/Jun/2015:06:13:30 -0400] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled
[01/Jun/2015:06:13:30 -0400] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled
[01/Jun/2015:06:13:30 -0400] - SSL alert: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled
[01/Jun/2015:06:13:31 -0400] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
[01/Jun/2015:06:13:31 -0400] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
[01/Jun/2015:06:13:31 -0400] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
[01/Jun/2015:06:13:31 -0400] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
[01/Jun/2015:06:13:31 -0400] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled
[01/Jun/2015:06:13:31 -0400] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
[01/Jun/2015:06:13:31 -0400] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
[01/Jun/2015:06:13:31 -0400] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled
[01/Jun/2015:06:13:31 -0400] - 389-Directory/1.3.4.a1 B2015.070.423 starting up
[01/Jun/2015:06:13:31 -0400] - resizing db cache size: 4096000 -> 3276800
[01/Jun/2015:06:13:31 -0400] ipalockout_get_global_config - [file ipa_lockout.c, line 185]: Failed to get default realm (-1765328160)
[01/Jun/2015:06:13:31 -0400] ipaenrollment_start - [file ipa_enrollment.c, line 393]: Failed to get default realm?!
[01/Jun/2015:06:13:31 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[01/Jun/2015:06:13:31 -0400] - Listening on All Interfaces port 636 for LDAPS requests
[01/Jun/2015:06:13:31 -0400] - Listening on /var/run/slapd-ZAEBA-LI.socket for LDAPI requests
[01/Jun/2015:06:13:32 -0400] NSMMReplicationPlugin - agmt="cn=meToreplica1.zaeba.li" (replica1:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[01/Jun/2015:06:13:33 -0400] ipa-topology-plugin - ipa_topo_be_state_changebackend userRoot is going offline; inactivate plugin
[01/Jun/2015:06:13:33 -0400] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=zaeba,dc=li is going offline; disabling replication
[01/Jun/2015:06:13:35 -0400] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[01/Jun/2015:06:13:41 -0400] - import userRoot: Workers finished; cleaning up...
[01/Jun/2015:06:13:42 -0400] - import userRoot: Workers cleaned up.
[01/Jun/2015:06:13:42 -0400] - import userRoot: Indexing complete. Post-processing...
[01/Jun/2015:06:13:42 -0400] - import userRoot: Generating numsubordinates (this may take several minutes to complete)...
[01/Jun/2015:06:13:42 -0400] - import userRoot: Generating numSubordinates complete.
[01/Jun/2015:06:13:42 -0400] - import userRoot: Gathering ancestorid non-leaf IDs...
[01/Jun/2015:06:13:42 -0400] - import userRoot: Finished gathering ancestorid non-leaf IDs.
[01/Jun/2015:06:13:42 -0400] - import userRoot: Creating ancestorid index (new idl)...
[01/Jun/2015:06:13:42 -0400] - import userRoot: Created ancestorid index (new idl).
[01/Jun/2015:06:13:42 -0400] - import userRoot: Flushing caches...
[01/Jun/2015:06:13:42 -0400] - import userRoot: Closing files...
[01/Jun/2015:06:13:43 -0400] - import userRoot: Import complete. Processed 408 entries in 8 seconds. (51.00 entries/sec)
[01/Jun/2015:06:13:43 -0400] ipa-topology-plugin - ipa_topo_be_state_change - backend userRoot is coming online; checking domain level and init shared topology
[01/Jun/2015:06:13:43 -0400] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=zaeba,dc=li is coming online; enabling replication
[01/Jun/2015:06:13:43 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=zaeba,dc=li--no CoS Templates found, which should be added before the CoS Definition.
[01/Jun/2015:06:13:43 -0400] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=zaeba,dc=li does not exist
[01/Jun/2015:06:13:43 -0400] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=zaeba,dc=li does not exist
[01/Jun/2015:06:13:43 -0400] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=zaeba,dc=li does not exist
[01/Jun/2015:06:13:43 -0400] NSACLPlugin - The ACL target ou=sudoers,dc=zaeba,dc=li does not exist
[01/Jun/2015:06:13:43 -0400] NSACLPlugin - The ACL target cn=users,cn=compat,dc=zaeba,dc=li does not exist
[01/Jun/2015:06:13:43 -0400] NSACLPlugin - The ACL target cn=ad,cn=etc,dc=zaeba,dc=li does not exist
[01/Jun/2015:06:13:43 -0400] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=zaeba,dc=li does not exist
[01/Jun/2015:06:13:44 -0400] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=zaeba,dc=li does not exist
[01/Jun/2015:06:13:48 -0400] - slapd shutting down - signaling operation threads - op stack size 3 max work q size 2 max work q stack size 2
[01/Jun/2015:06:13:48 -0400] - slapd shutting down - waiting for 4 threads to terminate
[01/Jun/2015:06:13:48 -0400] - slapd shutting down - closing down internal subsystems and plugins
[01/Jun/2015:06:13:49 -0400] - Waiting for 4 database threads to stop
[01/Jun/2015:06:13:49 -0400] - All database threads now stopped
[01/Jun/2015:06:13:49 -0400] - slapd shutting down - freed 2 work q stack objects - freed 3 op stack objects
[01/Jun/2015:06:13:49 -0400] - slapd stopped.
[01/Jun/2015:06:13:51 -0400] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
[01/Jun/2015:06:13:51 -0400] - SSL alert: Configured NSS Ciphers
[01/Jun/2015:06:13:51 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
[01/Jun/2015:06:13:51 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[01/Jun/2015:06:13:51 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
[01/Jun/2015:06:13:51 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
[01/Jun/2015:06:13:51 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
[01/Jun/2015:06:13:51 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled
[01/Jun/2015:06:13:51 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[01/Jun/2015:06:13:51 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
[01/Jun/2015:06:13:51 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[01/Jun/2015:06:13:51 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[01/Jun/2015:06:13:51 -0400] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
[01/Jun/2015:06:13:51 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[01/Jun/2015:06:13:51 -0400] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
[01/Jun/2015:06:13:51 -0400] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled
[01/Jun/2015:06:13:51 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
[01/Jun/2015:06:13:51 -0400] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
[01/Jun/2015:06:13:51 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
[01/Jun/2015:06:13:51 -0400] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
[01/Jun/2015:06:13:52 -0400] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled
[01/Jun/2015:06:13:52 -0400] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled
[01/Jun/2015:06:13:52 -0400] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled
[01/Jun/2015:06:13:52 -0400] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled
[01/Jun/2015:06:13:52 -0400] - SSL alert: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled
[01/Jun/2015:06:13:52 -0400] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
[01/Jun/2015:06:13:52 -0400] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
[01/Jun/2015:06:13:52 -0400] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
[01/Jun/2015:06:13:52 -0400] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
[01/Jun/2015:06:13:52 -0400] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled
[01/Jun/2015:06:13:52 -0400] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
[01/Jun/2015:06:13:52 -0400] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
[01/Jun/2015:06:13:52 -0400] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled
[01/Jun/2015:06:13:52 -0400] - 389-Directory/1.3.4.a1 B2015.070.423 starting up
[01/Jun/2015:06:13:52 -0400] - resizing db cache size: 8192000 -> 2621440
[01/Jun/2015:06:13:52 -0400] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=zaeba,dc=li
[01/Jun/2015:06:13:52 -0400] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=zaeba,dc=li
[01/Jun/2015:06:13:52 -0400] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=zaeba,dc=li
[01/Jun/2015:06:13:52 -0400] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=zaeba,dc=li does not exist
[01/Jun/2015:06:13:53 -0400] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=zaeba,dc=li does not exist
[01/Jun/2015:06:13:53 -0400] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=zaeba,dc=li does not exist
[01/Jun/2015:06:13:53 -0400] NSACLPlugin - The ACL target ou=sudoers,dc=zaeba,dc=li does not exist
[01/Jun/2015:06:13:53 -0400] NSACLPlugin - The ACL target cn=users,cn=compat,dc=zaeba,dc=li does not exist
[01/Jun/2015:06:13:53 -0400] NSACLPlugin - The ACL target cn=ad,cn=etc,dc=zaeba,dc=li does not exist
[01/Jun/2015:06:13:53 -0400] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=zaeba,dc=li does not exist
[01/Jun/2015:06:13:53 -0400] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=zaeba,dc=li does not exist
[01/Jun/2015:06:13:53 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=zaeba,dc=li--no CoS Templates found, which should be added before the CoS Definition.
[01/Jun/2015:06:13:53 -0400] ipalockout_get_global_config - [file ipa_lockout.c, line 185]: Failed to get default realm (-1765328160)
[01/Jun/2015:06:13:53 -0400] ipaenrollment_start - [file ipa_enrollment.c, line 393]: Failed to get default realm?!
[01/Jun/2015:06:13:53 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[01/Jun/2015:06:13:53 -0400] - Listening on All Interfaces port 636 for LDAPS requests
[01/Jun/2015:06:13:53 -0400] - Listening on /var/run/slapd-ZAEBA-LI.socket for LDAPI requests
[01/Jun/2015:06:13:53 -0400] - The change of nsslapd-maxdescriptors will not take effect until the server is restarted
[01/Jun/2015:06:14:14 -0400] ipa-topology-plugin - ipa_topo_util_modify: failed to modify entry (cn=meToreplica1.zaeba.li,cn=replica,cn=dc\3Dzaeba\2Cdc\3Dli,cn=mapping tree,cn=config): error 53
[01/Jun/2015:06:14:19 -0400] attrcrypt - No symmetric key found for cipher AES in backend ipaca, attempting to create one...
[01/Jun/2015:06:14:19 -0400] attrcrypt - Key for cipher AES successfully generated and stored
[01/Jun/2015:06:14:19 -0400] attrcrypt - No symmetric key found for cipher 3DES in backend ipaca, attempting to create one...
[01/Jun/2015:06:14:19 -0400] attrcrypt - Key for cipher 3DES successfully generated and stored [01/Jun/2015:06:14:20 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=zaeba,dc=li--no CoS Templates found, which should be added before the CoS Definition. [01/Jun/2015:06:15:04 -0400] NSMMReplicationPlugin - multimaster_be_state_change: replica o=ipaca is going offline; disabling replication [01/Jun/2015:06:15:05 -0400] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-replica3.zaeba.li-pki-tomcat" (replica1:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [01/Jun/2015:06:15:05 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=zaeba,dc=li--no CoS Templates found, which should be added before the CoS Definition. [01/Jun/2015:06:15:05 -0400] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database [01/Jun/2015:06:15:09 -0400] - import ipaca: Workers finished; cleaning up... [01/Jun/2015:06:15:09 -0400] - import ipaca: Workers cleaned up. [01/Jun/2015:06:15:09 -0400] - import ipaca: Indexing complete. Post-processing... [01/Jun/2015:06:15:09 -0400] - import ipaca: Generating numsubordinates (this may take several minutes to complete)... [01/Jun/2015:06:15:09 -0400] - import ipaca: Generating numSubordinates complete. [01/Jun/2015:06:15:10 -0400] - import ipaca: Gathering ancestorid non-leaf IDs... [01/Jun/2015:06:15:10 -0400] - import ipaca: Finished gathering ancestorid non-leaf IDs. [01/Jun/2015:06:15:10 -0400] - import ipaca: Creating ancestorid index (new idl)... [01/Jun/2015:06:15:10 -0400] - import ipaca: Created ancestorid index (new idl). [01/Jun/2015:06:15:10 -0400] - import ipaca: Flushing caches... [01/Jun/2015:06:15:10 -0400] - import ipaca: Closing files... [01/Jun/2015:06:15:10 -0400] - import ipaca: Import complete. Processed 83 entries in 5 seconds. 
(16.60 entries/sec) [01/Jun/2015:06:15:10 -0400] NSMMReplicationPlugin - multimaster_be_state_change: replica o=ipaca is coming online; enabling replication [01/Jun/2015:06:15:10 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=zaeba,dc=li--no CoS Templates found, which should be added before the CoS Definition. [01/Jun/2015:06:15:12 -0400] - ipaca: Indexing VLV: allCerts-pki-tomcatIndex [01/Jun/2015:06:15:12 -0400] - ipaca: Indexing VLV: allExpiredCerts-pki-tomcatIndex [01/Jun/2015:06:15:12 -0400] - ipaca: Indexing VLV: allInvalidCerts-pki-tomcatIndex [01/Jun/2015:06:15:12 -0400] - ipaca: Indexing VLV: allInValidCertsNotBefore-pki-tomcatIndex [01/Jun/2015:06:15:12 -0400] - ipaca: Indexing VLV: allNonRevokedCerts-pki-tomcatIndex [01/Jun/2015:06:15:12 -0400] - ipaca: Indexing VLV: allRevokedCaCerts-pki-tomcatIndex [01/Jun/2015:06:15:13 -0400] - ipaca: Indexing VLV: allRevokedCerts-pki-tomcatIndex [01/Jun/2015:06:15:13 -0400] - ipaca: Indexing VLV: allRevokedCertsNotAfter-pki-tomcatIndex [01/Jun/2015:06:15:13 -0400] - ipaca: Indexing VLV: allRevokedExpiredCerts-pki-tomcatIndex [01/Jun/2015:06:15:13 -0400] - ipaca: Indexing VLV: allRevokedOrRevokedExpiredCaCerts-pki-tomcatIndex [01/Jun/2015:06:15:13 -0400] - ipaca: Indexing VLV: allRevokedOrRevokedExpiredCerts-pki-tomcatIndex [01/Jun/2015:06:15:13 -0400] - ipaca: Indexing VLV: allValidCerts-pki-tomcatIndex [01/Jun/2015:06:15:13 -0400] - ipaca: Indexing VLV: allValidCertsNotAfter-pki-tomcatIndex [01/Jun/2015:06:15:13 -0400] - ipaca: Indexing VLV: allValidOrRevokedCerts-pki-tomcatIndex [01/Jun/2015:06:15:13 -0400] - ipaca: Indexing VLV: caAll-pki-tomcatIndex [01/Jun/2015:06:15:13 -0400] - ipaca: Indexing VLV: caCanceled-pki-tomcatIndex [01/Jun/2015:06:15:13 -0400] - ipaca: Indexing VLV: caCanceledEnrollment-pki-tomcatIndex [01/Jun/2015:06:15:13 -0400] - ipaca: Indexing VLV: caCanceledRenewal-pki-tomcatIndex [01/Jun/2015:06:15:13 -0400] - ipaca: Indexing VLV: caCanceledRevocation-pki-tomcatIndex 
[01/Jun/2015:06:15:13 -0400] - ipaca: Indexing VLV: caComplete-pki-tomcatIndex [01/Jun/2015:06:15:13 -0400] - ipaca: Indexing VLV: caCompleteEnrollment-pki-tomcatIndex [01/Jun/2015:06:15:13 -0400] - ipaca: Indexing VLV: caCompleteRenewal-pki-tomcatIndex [01/Jun/2015:06:15:13 -0400] - ipaca: Indexing VLV: caCompleteRevocation-pki-tomcatIndex [01/Jun/2015:06:15:13 -0400] - ipaca: Indexing VLV: caEnrollment-pki-tomcatIndex [01/Jun/2015:06:15:13 -0400] - ipaca: Indexing VLV: caPending-pki-tomcatIndex [01/Jun/2015:06:15:14 -0400] - ipaca: Indexing VLV: caPendingEnrollment-pki-tomcatIndex [01/Jun/2015:06:15:14 -0400] - ipaca: Indexing VLV: caPendingRenewal-pki-tomcatIndex [01/Jun/2015:06:15:14 -0400] - ipaca: Indexing VLV: caPendingRevocation-pki-tomcatIndex [01/Jun/2015:06:15:14 -0400] - ipaca: Indexing VLV: caRejected-pki-tomcatIndex [01/Jun/2015:06:15:14 -0400] - ipaca: Indexing VLV: caRejectedEnrollment-pki-tomcatIndex [01/Jun/2015:06:15:14 -0400] - ipaca: Indexing VLV: caRejectedRenewal-pki-tomcatIndex [01/Jun/2015:06:15:14 -0400] - ipaca: Indexing VLV: caRejectedRevocation-pki-tomcatIndex [01/Jun/2015:06:15:14 -0400] - ipaca: Indexing VLV: caRenewal-pki-tomcatIndex [01/Jun/2015:06:15:14 -0400] - ipaca: Indexing VLV: caRevocation-pki-tomcatIndex [01/Jun/2015:06:15:16 -0400] - ipaca: Finished indexing. [01/Jun/2015:06:15:43 -0400] - slapd shutting down - signaling operation threads - op stack size 9 max work q size 9 max work q stack size 9 [01/Jun/2015:06:15:43 -0400] - slapd shutting down - closing down internal subsystems and plugins [01/Jun/2015:06:15:44 -0400] - Waiting for 4 database threads to stop [01/Jun/2015:06:15:45 -0400] - All database threads now stopped [01/Jun/2015:06:15:45 -0400] - slapd shutting down - freed 9 work q stack objects - freed 9 op stack objects [01/Jun/2015:06:15:45 -0400] - slapd stopped. 
[01/Jun/2015:06:15:47 -0400] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2 [01/Jun/2015:06:15:47 -0400] - SSL alert: Configured NSS Ciphers [01/Jun/2015:06:15:47 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled [01/Jun/2015:06:15:47 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled [01/Jun/2015:06:15:47 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:06:15:47 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled [01/Jun/2015:06:15:47 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled [01/Jun/2015:06:15:47 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled [01/Jun/2015:06:15:47 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled [01/Jun/2015:06:15:47 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:06:15:47 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled [01/Jun/2015:06:15:47 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled [01/Jun/2015:06:15:47 -0400] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled [01/Jun/2015:06:15:47 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled [01/Jun/2015:06:15:47 -0400] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [01/Jun/2015:06:15:47 -0400] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled [01/Jun/2015:06:15:47 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:06:15:48 -0400] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:06:15:48 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled [01/Jun/2015:06:15:48 -0400] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [01/Jun/2015:06:15:48 -0400] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled [01/Jun/2015:06:15:48 -0400] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled [01/Jun/2015:06:15:48 -0400] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: 
enabled [01/Jun/2015:06:15:48 -0400] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:06:15:48 -0400] - SSL alert: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:06:15:48 -0400] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled [01/Jun/2015:06:15:48 -0400] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled [01/Jun/2015:06:15:48 -0400] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled [01/Jun/2015:06:15:48 -0400] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [01/Jun/2015:06:15:48 -0400] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:06:15:48 -0400] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled [01/Jun/2015:06:15:48 -0400] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [01/Jun/2015:06:15:48 -0400] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled [01/Jun/2015:06:15:48 -0400] - 389-Directory/1.3.4.a1 B2015.070.423 starting up [01/Jun/2015:06:15:48 -0400] - resizing db cache size: 6553600 -> 2097152 [01/Jun/2015:06:15:49 -0400] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=zaeba,dc=li [01/Jun/2015:06:15:49 -0400] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=zaeba,dc=li [01/Jun/2015:06:15:49 -0400] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=zaeba,dc=li [01/Jun/2015:06:15:49 -0400] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=zaeba,dc=li does not exist [01/Jun/2015:06:15:49 -0400] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=zaeba,dc=li does not exist [01/Jun/2015:06:15:49 -0400] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=zaeba,dc=li does not exist [01/Jun/2015:06:15:49 -0400] NSACLPlugin - The ACL target ou=sudoers,dc=zaeba,dc=li does not exist [01/Jun/2015:06:15:49 -0400] NSACLPlugin - The ACL target cn=users,cn=compat,dc=zaeba,dc=li does not exist [01/Jun/2015:06:15:49 -0400] NSACLPlugin - The ACL target cn=ad,cn=etc,dc=zaeba,dc=li does not exist [01/Jun/2015:06:15:49 
-0400] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=zaeba,dc=li does not exist [01/Jun/2015:06:15:49 -0400] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=zaeba,dc=li does not exist [01/Jun/2015:06:15:50 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=zaeba,dc=li--no CoS Templates found, which should be added before the CoS Definition. [01/Jun/2015:06:15:50 -0400] ipalockout_get_global_config - [file ipa_lockout.c, line 185]: Failed to get default realm (-1765328160) [01/Jun/2015:06:15:50 -0400] ipaenrollment_start - [file ipa_enrollment.c, line 393]: Failed to get default realm?! [01/Jun/2015:06:15:50 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests [01/Jun/2015:06:15:50 -0400] - Listening on All Interfaces port 636 for LDAPS requests [01/Jun/2015:06:15:50 -0400] - Listening on /var/run/slapd-ZAEBA-LI.socket for LDAPI requests [01/Jun/2015:06:16:35 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/replica3.zaeba.li at ZAEBA.LI] in keytab [FILE:/etc/krb5.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [01/Jun/2015:06:16:35 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success) [01/Jun/2015:06:16:35 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [01/Jun/2015:06:16:35 -0400] NSMMReplicationPlugin - agmt="cn=meToreplica1.zaeba.li" (replica1:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (No Kerberos credentials available)) [01/Jun/2015:06:16:39 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/replica3.zaeba.li at ZAEBA.LI] in keytab [FILE:/etc/krb5.keytab]: 13 (Permission denied) [01/Jun/2015:06:16:39 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success) [01/Jun/2015:06:16:39 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [01/Jun/2015:06:16:45 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/replica3.zaeba.li at ZAEBA.LI] in keytab [FILE:/etc/krb5.keytab]: 13 (Permission denied) [01/Jun/2015:06:16:45 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success) [01/Jun/2015:06:16:45 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [01/Jun/2015:06:16:47 -0400] - slapd shutting down - signaling operation threads - op stack size 11 max work q size 10 max work q stack size 10 [01/Jun/2015:06:16:47 -0400] - slapd shutting down - waiting for 2 threads to terminate [01/Jun/2015:06:16:47 -0400] - slapd shutting down - closing down internal subsystems and plugins [01/Jun/2015:06:16:48 -0400] - Waiting for 4 database threads to stop [01/Jun/2015:06:16:49 -0400] - All database threads now stopped [01/Jun/2015:06:16:49 -0400] - slapd shutting down - freed 10 work q stack objects - freed 11 op stack objects [01/Jun/2015:06:16:49 -0400] - slapd stopped. [01/Jun/2015:06:16:51 -0400] - Information: Non-Secure Port Disabled [01/Jun/2015:06:16:51 -0400] - 389-Directory/1.3.4.a1 B2015.070.423 starting up [01/Jun/2015:06:16:51 -0400] - resizing db cache size: 2097152 -> 1677721 [01/Jun/2015:06:16:51 -0400] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=zaeba,dc=li [01/Jun/2015:06:16:51 -0400] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=zaeba,dc=li [01/Jun/2015:06:16:52 -0400] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=zaeba,dc=li [01/Jun/2015:06:16:52 -0400] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=zaeba,dc=li does not exist [01/Jun/2015:06:16:52 -0400] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=zaeba,dc=li does not exist [01/Jun/2015:06:16:52 -0400] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=zaeba,dc=li does not exist [01/Jun/2015:06:16:52 -0400] NSACLPlugin - The ACL target ou=sudoers,dc=zaeba,dc=li does not exist [01/Jun/2015:06:16:52 -0400] NSACLPlugin - The ACL target cn=users,cn=compat,dc=zaeba,dc=li does not exist [01/Jun/2015:06:16:52 
-0400] NSACLPlugin - The ACL target cn=ad,cn=etc,dc=zaeba,dc=li does not exist [01/Jun/2015:06:16:52 -0400] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=zaeba,dc=li does not exist [01/Jun/2015:06:16:52 -0400] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=zaeba,dc=li does not exist [01/Jun/2015:06:16:52 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=zaeba,dc=li--no CoS Templates found, which should be added before the CoS Definition. [01/Jun/2015:06:16:53 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/replica3.zaeba.li at ZAEBA.LI] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text)) [01/Jun/2015:06:16:53 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success) [01/Jun/2015:06:16:53 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [01/Jun/2015:06:16:53 -0400] NSMMReplicationPlugin - agmt="cn=meToreplica1.zaeba.li" (replica1:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) [01/Jun/2015:06:16:53 -0400] - slapd started. 
Listening on /var/run/slapd-ZAEBA-LI.socket for LDAPI requests [01/Jun/2015:06:16:55 -0400] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=zaeba,dc=li [01/Jun/2015:06:16:55 -0400] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=zaeba,dc=li [01/Jun/2015:06:16:55 -0400] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=zaeba,dc=li [01/Jun/2015:06:16:55 -0400] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=zaeba,dc=li [01/Jun/2015:06:16:56 -0400] NSMMReplicationPlugin - agmt="cn=meToreplica1.zaeba.li" (replica1:389): Replication bind with GSSAPI auth resumed [01/Jun/2015:06:17:01 -0400] - userRoot: Indexing attribute: memberuid [01/Jun/2015:06:17:01 -0400] - userRoot: Finished indexing. [01/Jun/2015:06:17:07 -0400] - userRoot: Indexing attribute: member [01/Jun/2015:06:17:20 -0400] - userRoot: Finished indexing. [01/Jun/2015:06:17:26 -0400] - userRoot: Indexing attribute: uniquemember [01/Jun/2015:06:17:26 -0400] - userRoot: Finished indexing. [01/Jun/2015:06:17:32 -0400] - userRoot: Indexing attribute: owner [01/Jun/2015:06:17:32 -0400] - userRoot: Finished indexing. [01/Jun/2015:06:17:38 -0400] - userRoot: Indexing attribute: seeAlso [01/Jun/2015:06:17:38 -0400] - userRoot: Finished indexing. [01/Jun/2015:06:17:44 -0400] - userRoot: Indexing attribute: ipatokenradiusconfiglink [01/Jun/2015:06:17:44 -0400] - userRoot: Finished indexing. [01/Jun/2015:06:17:50 -0400] - userRoot: Indexing attribute: ipaassignedidview [01/Jun/2015:06:17:50 -0400] - userRoot: Finished indexing. [01/Jun/2015:06:17:56 -0400] - userRoot: Indexing attribute: ntUniqueId [01/Jun/2015:06:17:56 -0400] - userRoot: Finished indexing. [01/Jun/2015:06:18:02 -0400] - userRoot: Indexing attribute: ntUserDomainId [01/Jun/2015:06:18:03 -0400] - userRoot: Finished indexing. [01/Jun/2015:06:18:05 -0400] memberof-plugin - Memberof task starts (arg: (objectclass=*)) ... 
[01/Jun/2015:06:18:05 -0400] memberof-plugin - Memberof task starts (arg: (objectclass=*)) ... [01/Jun/2015:06:18:08 -0400] memberof-plugin - Memberof task finished (arg: (objectclass=*)) ... [01/Jun/2015:06:18:08 -0400] memberof-plugin - Memberof task finished (arg: (objectclass=*)) ... [01/Jun/2015:06:18:09 -0400] NSMMReplicationPlugin - agmt="cn=meToreplica1.zaeba.li" (replica1:389): Warning: Attempting to release replica, but unable to receive endReplication extended operation response from the replica. Error -5 (Timed out) [01/Jun/2015:06:18:09 -0400] NSMMReplicationPlugin - agmt="cn=meToreplica1.zaeba.li" (replica1:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later. [01/Jun/2015:06:18:09 -0400] - slapd shutting down - signaling operation threads - op stack size 3 max work q size 1 max work q stack size 1 [01/Jun/2015:06:18:09 -0400] - slapd shutting down - waiting for 1 thread to terminate [01/Jun/2015:06:18:09 -0400] - slapd shutting down - closing down internal subsystems and plugins [01/Jun/2015:06:18:12 -0400] - Waiting for 4 database threads to stop [01/Jun/2015:06:18:12 -0400] - All database threads now stopped [01/Jun/2015:06:18:12 -0400] - slapd shutting down - freed 1 work q stack objects - freed 3 op stack objects [01/Jun/2015:06:18:12 -0400] - slapd stopped. 
[01/Jun/2015:06:18:13 -0400] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2 [01/Jun/2015:06:18:13 -0400] - SSL alert: Configured NSS Ciphers [01/Jun/2015:06:18:14 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled [01/Jun/2015:06:18:14 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled [01/Jun/2015:06:18:14 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:06:18:14 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled [01/Jun/2015:06:18:14 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled [01/Jun/2015:06:18:14 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled [01/Jun/2015:06:18:14 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled [01/Jun/2015:06:18:14 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:06:18:14 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled [01/Jun/2015:06:18:14 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled [01/Jun/2015:06:18:14 -0400] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled [01/Jun/2015:06:18:14 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled [01/Jun/2015:06:18:14 -0400] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [01/Jun/2015:06:18:14 -0400] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled [01/Jun/2015:06:18:14 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:06:18:14 -0400] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:06:18:14 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled [01/Jun/2015:06:18:14 -0400] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [01/Jun/2015:06:18:14 -0400] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled [01/Jun/2015:06:18:14 -0400] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled [01/Jun/2015:06:18:14 -0400] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: 
enabled [01/Jun/2015:06:18:14 -0400] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:06:18:14 -0400] - SSL alert: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:06:18:14 -0400] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled [01/Jun/2015:06:18:14 -0400] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled [01/Jun/2015:06:18:14 -0400] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled [01/Jun/2015:06:18:14 -0400] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [01/Jun/2015:06:18:14 -0400] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:06:18:14 -0400] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled [01/Jun/2015:06:18:14 -0400] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [01/Jun/2015:06:18:15 -0400] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled [01/Jun/2015:06:18:15 -0400] - 389-Directory/1.3.4.a1 B2015.070.423 starting up [01/Jun/2015:06:18:15 -0400] - resizing db cache size: 1677721 -> 1342176 [01/Jun/2015:06:18:15 -0400] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=zaeba,dc=li [01/Jun/2015:06:18:15 -0400] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=zaeba,dc=li [01/Jun/2015:06:18:15 -0400] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=zaeba,dc=li [01/Jun/2015:06:18:15 -0400] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=zaeba,dc=li does not exist [01/Jun/2015:06:18:15 -0400] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=zaeba,dc=li does not exist [01/Jun/2015:06:18:15 -0400] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=zaeba,dc=li does not exist [01/Jun/2015:06:18:15 -0400] NSACLPlugin - The ACL target ou=sudoers,dc=zaeba,dc=li does not exist [01/Jun/2015:06:18:15 -0400] NSACLPlugin - The ACL target cn=users,cn=compat,dc=zaeba,dc=li does not exist [01/Jun/2015:06:18:15 -0400] NSACLPlugin - The ACL target cn=ad,cn=etc,dc=zaeba,dc=li does not exist [01/Jun/2015:06:18:15 
-0400] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=zaeba,dc=li does not exist [01/Jun/2015:06:18:15 -0400] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=zaeba,dc=li does not exist [01/Jun/2015:06:18:15 -0400] NSACLPlugin - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist [01/Jun/2015:06:18:15 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=zaeba,dc=li--no CoS Templates found, which should be added before the CoS Definition. [01/Jun/2015:06:18:16 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/replica3.zaeba.li at ZAEBA.LI] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text)) [01/Jun/2015:06:18:16 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success) [01/Jun/2015:06:18:16 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [01/Jun/2015:06:18:16 -0400] NSMMReplicationPlugin - agmt="cn=meToreplica1.zaeba.li" (replica1:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) [01/Jun/2015:06:18:16 -0400] attrcrypt - No symmetric key found for cipher AES in backend changelog, attempting to create one... [01/Jun/2015:06:18:16 -0400] attrcrypt - Key for cipher AES successfully generated and stored [01/Jun/2015:06:18:16 -0400] attrcrypt - No symmetric key found for cipher 3DES in backend changelog, attempting to create one... 
[01/Jun/2015:06:18:16 -0400] attrcrypt - Key for cipher 3DES successfully generated and stored [01/Jun/2015:06:18:17 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=zaeba,dc=li--no CoS Templates found, which should be added before the CoS Definition. [01/Jun/2015:06:18:17 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests [01/Jun/2015:06:18:17 -0400] - Listening on All Interfaces port 636 for LDAPS requests [01/Jun/2015:06:18:17 -0400] - Listening on /var/run/slapd-ZAEBA-LI.socket for LDAPI requests [01/Jun/2015:06:18:18 -0400] - slapd shutting down - signaling operation threads - op stack size 1 max work q size 1 max work q stack size 1 [01/Jun/2015:06:18:18 -0400] - slapd shutting down - closing down internal subsystems and plugins [01/Jun/2015:06:18:18 -0400] - Waiting for 4 database threads to stop [01/Jun/2015:06:18:19 -0400] - All database threads now stopped [01/Jun/2015:06:18:19 -0400] - slapd shutting down - freed 1 work q stack objects - freed 1 op stack objects [01/Jun/2015:06:18:19 -0400] - slapd stopped. 
[01/Jun/2015:06:18:21 -0400] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2 [01/Jun/2015:06:18:21 -0400] - SSL alert: Configured NSS Ciphers [01/Jun/2015:06:18:21 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled [01/Jun/2015:06:18:21 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled [01/Jun/2015:06:18:21 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:06:18:21 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled [01/Jun/2015:06:18:21 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled [01/Jun/2015:06:18:21 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled [01/Jun/2015:06:18:21 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled [01/Jun/2015:06:18:21 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:06:18:21 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled [01/Jun/2015:06:18:21 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled [01/Jun/2015:06:18:21 -0400] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled [01/Jun/2015:06:18:21 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled [01/Jun/2015:06:18:22 -0400] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [01/Jun/2015:06:18:22 -0400] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled [01/Jun/2015:06:18:22 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:06:18:22 -0400] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled [01/Jun/2015:06:18:22 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled [01/Jun/2015:06:18:22 -0400] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [01/Jun/2015:06:18:22 -0400] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled [01/Jun/2015:06:18:22 -0400] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled [01/Jun/2015:06:18:22 -0400] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: 
From lkrispen at redhat.com Mon Jun 1 11:48:13 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Mon, 01 Jun 2015 13:48:13 +0200
Subject: [Freeipa-devel] [PATCH 0007] replica install fails with domain level 1
In-Reply-To: <556C433E.90008@redhat.com>
References: <55687B3C.4070303@redhat.com> <556C1937.6070502@redhat.com> <556C2399.6090808@redhat.com> <556C433E.90008@redhat.com>
Message-ID: <556C467D.8040705@redhat.com>

On 06/01/2015 01:34 PM, Oleg Fayans wrote:
> So far I've bumped into a problem, using the newly built packages:
>
> I've installed a master, a replica (replica1), then replica3 (prepared
> on replica1), so my topology looks like this:
>
> master <=> replica1 <=> replica3
>
> However, the `ipa topologysegment-find` shows correct topology only on
> replicas (not on master)
looks like replication from replica1 to master is not/no longer working.
will look into this.
>
> master:
> root at testmaster:~]$ ipa topologysegment-find
> Suffix name: realm
> -----------------
> 1 segment matched
> -----------------
> Segment name: replica1.zaeba.li-to-testmaster.zaeba.li
> Left node: replica1.zaeba.li
> Right node: testmaster.zaeba.li
> Connectivity: both
> ----------------------------
> Number of entries returned 1
> ----------------------------
>
> replica1:
> ofayans at replica1:~]$ ipa topologysegment-find
> Suffix name: realm
> ------------------
> 2 segments matched
> ------------------
> Segment name: replica1.zaeba.li-to-replica3.zaeba.li
> Left node: replica1.zaeba.li
> Right node: replica3.zaeba.li
> Connectivity: both
>
> Segment name: replica1.zaeba.li-to-testmaster.zaeba.li
> Left node: replica1.zaeba.li
> Right node: testmaster.zaeba.li
> Connectivity: both
> ----------------------------
> Number of entries returned 2
> ----------------------------
>
> replica3:
> ofayans at replica3:~]$ ipa topologysegment-find
> Suffix name: realm
> ------------------
> 2 segments matched
> ------------------
> Segment name: replica1.zaeba.li-to-replica3.zaeba.li
> Left node: replica1.zaeba.li
> Right node: replica3.zaeba.li
> Connectivity: both
>
> Segment name: replica1.zaeba.li-to-testmaster.zaeba.li
> Left node: replica1.zaeba.li
> Right node: testmaster.zaeba.li
> Connectivity: both
> ----------------------------
> Number of entries returned 2
> ----------------------------
>
> The second problem is that the changes (like user creation) made on
> any of the nodes do not get replicated to other ones. The dirsrv logs
> are full of GSSAPI errors like this:
>
> =====================================================================
> [01/Jun/2015:07:04:48 -0400] slapi_ldap_bind - Error: could not
> perform interactive bind for id [] authentication mechanism [GSSAPI]:
> error -1 (Can't contact LDAP server)
> [01/Jun/2015:07:09:46 -0400] slapi_ldap_bind - Error: could not send
> startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
> [01/Jun/2015:07:09:46 -0400] slapi_ldap_bind - Error: could not send
> startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
> [01/Jun/2015:07:09:47 -0400] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
> -1 (Can't contact LDAP server) ((null)) errno 0 (Success)
> =====================================================================
>
> Full logs are attached
> I am using the 389-ds-base from mreynolds/389-ds-base dnf repo:
> root at testmaster:~]$ rpm -q 389-ds-base
> 389-ds-base-2015_03_11-1.fc21.x86_64
>
> On 06/01/2015 11:19 AM, Oleg Fayans wrote:
>> Works for me too. Will perform extensive testing today, and report
>> everything that I find.
>> Thanks, Ludwig!
>>> On 05/29/2015 04:44 PM, Ludwig Krispenz wrote:
>>>> This is a patch for the two issues reported in ticket #5035
>>>> https://fedorahosted.org/freeipa/ticket/5035
>>>>
>>>
>>> Works for me. I was able to install 2 replicas with domain level 1
>>> in one topology.
>>>
>>> Code looks good to me as well. Tentative ACK (would be nice if it
>>> was skimmed by Thierry).
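The log excerpt quoted above shows replication binds failing; as an added example (not from the thread, FreeIPA or 389-ds), here is a small Python parser over constructed 389-ds errors-log lines that folds per-agreement "Replication bind ... failed/resumed" events into a current state, classifies the last failure as a credentials or connectivity problem, and reports which agreements are still failing at the end of the log. The sample lines and agreement names are constructed to mirror the format and topology reported in the thread.

```python
import re
from datetime import datetime

# Constructed sample lines, modeled on the 389-ds errors log quoted in the
# thread; they are not the full attachment, only a few representative events.
SAMPLE_LOG = """\
[01/Jun/2015:06:18:24 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[01/Jun/2015:06:18:24 -0400] NSMMReplicationPlugin - agmt="cn=meToreplica1.zaeba.li" (replica1:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[01/Jun/2015:06:18:27 -0400] NSMMReplicationPlugin - agmt="cn=meToreplica1.zaeba.li" (replica1:389): Replication bind with GSSAPI auth resumed
[01/Jun/2015:06:18:48 -0400] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-replica3.zaeba.li-pki-tomcat" (replica1:389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ()
[01/Jun/2015:06:53:18 -0400] NSMMReplicationPlugin - agmt="cn=meToreplica1.zaeba.li" (replica1:389): Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[01/Jun/2015:07:14:39 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
"""

# "[timestamp] message" as written by ns-slapd into the errors log
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<msg>.*)$")
# Only the replication plugin's bind state transitions are of interest here
AGMT_RE = re.compile(
    r'NSMMReplicationPlugin - agmt="(?P<agmt>[^"]+)" \((?P<peer>[^)]+)\): '
    r"Replication bind with (?P<mech>\S+) auth (?P<state>failed|resumed)"
    r"(?::\s*(?P<reason>.*))?$"
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def classify_reason(reason):
    """Map a bind failure reason to a coarse cause for triage."""
    if not reason:
        return "unknown"
    if "No Kerberos credentials available" in reason:
        return "credentials"   # keytab/KDC problem on this server
    if "Can't contact LDAP server" in reason:
        return "connectivity"  # peer down, not listening, or unreachable
    return "other"


def parse_agreement_event(line):
    """Return a dict for a replication bind failed/resumed event, else None."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    a = AGMT_RE.search(m.group("msg"))
    if not a:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "agmt": a.group("agmt"),
        "peer": a.group("peer"),
        "mech": a.group("mech"),
        "state": a.group("state"),
        "reason": a.group("reason") or "",
    }


def replication_bind_status(log_text):
    """Fold the log into per-agreement state: last state, when it changed,
    how many failures were seen, and the cause of the last failure."""
    status = {}
    for line in log_text.splitlines():
        ev = parse_agreement_event(line)
        if ev is None:
            continue
        entry = status.setdefault(ev["agmt"], {
            "peer": ev["peer"], "mech": ev["mech"],
            "state": "unknown", "since": None,
            "failures": 0, "last_cause": "unknown",
        })
        if ev["state"] == "failed":
            entry["failures"] += 1
            entry["last_cause"] = classify_reason(ev["reason"])
        entry["state"] = ev["state"]
        entry["since"] = ev["ts"]
    return status


def failing_agreements(log_text):
    """Agreements whose last recorded bind event is a failure with no later
    'resumed', i.e. the ones still broken at the end of the log."""
    status = replication_bind_status(log_text)
    return sorted(a for a, e in status.items() if e["state"] == "failed")


if __name__ == "__main__":
    for agmt, e in replication_bind_status(SAMPLE_LOG).items():
        print(f'{agmt} -> {e["peer"]} [{e["mech"]}] {e["state"]} since '
              f'{e["since"]} ({e["failures"]} failures, '
              f'last cause: {e["last_cause"]})')
    print("still failing:", failing_agreements(SAMPLE_LOG))
```

A failure followed by a later "resumed" (as at server start, before the KDC is reachable) is transient; an agreement left in the failed state is what to alert on, and a SIMPLE-auth agreement (here the PKI clone agreement) fails on connectivity rather than on Kerberos credentials.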
From mbasti at redhat.com Mon Jun 1 12:02:19 2015
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 01 Jun 2015 14:02:19 +0200
Subject: [Freeipa-devel] [PATCH 0262] Installer FIX: remove temporal ccache
Message-ID: <556C49CB.30801@redhat.com>

Fixes an issue caused by the latest installer patches pushed to master.

Patch attached.

-- 
Martin Basti
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0262-Installers-fix-remove-temporal-ccache.patch
Type: text/x-patch
Size: 1788 bytes
From mbasti at redhat.com Mon Jun 1 12:50:45 2015
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 01 Jun 2015 14:50:45 +0200
Subject: [Freeipa-devel] [PATCH 0014 v3] Support multiple user and host certificates
In-Reply-To: <20150601044027.GH23523@dhcp-40-8.bne.redhat.com>
References: <20150527135315.GC24915@dhcp-40-8.bne.redhat.com> <5565ED02.6060709@redhat.com> <20150528111804.GA23523@dhcp-40-8.bne.redhat.com> <20150601044027.GH23523@dhcp-40-8.bne.redhat.com>
Message-ID: <556C5525.8080305@redhat.com>

On 01/06/15 06:40, Fraser Tweedale wrote:
> New version of patch; ``{host,service}-show --out=FILE`` now writes
> all certs to FILE. Rebased on latest master.
>
> Thanks,
> Fraser
>
> On Thu, May 28, 2015 at 09:18:04PM +1000, Fraser Tweedale wrote:
>> Updated patch attached. Notably restores/adds revocation behaviour
>> to host-mod and service-mod.
>>
>> Thanks,
>> Fraser
>>
>> On Wed, May 27, 2015 at 06:12:50PM +0200, Martin Basti wrote:
>>> On 27/05/15 15:53, Fraser Tweedale wrote:
>>>> This patch adds support for multiple user / host certificates. No
>>>> schema change is needed ('usercertificate' attribute is already
>>>> multi-value). The revoke-previous-cert behaviour of host-mod and
>>>> user-mod has been removed but revocation behaviour of -del and
>>>> -disable is preserved.
>>>>
>>>> The latest profiles/caacl patchset (0001..0013 v5) depends on this
>>>> patch for correct cert-request behaviour.
>>>>
>>>> There is one design question (or maybe more, let me know): the
>>>> `--out=FILENAME' option to {host,service}-show saves ONE certificate
>>>> to the named file. I propose to either:
>>>>
>>>> a) write all certs, suffixing suggested filename with either a
>>>> sequential numerical index, e.g. "cert.pem" becomes
>>>> "cert.pem.1", "cert.pem.2", and so on; or
>>>>
>>>> b) as above, but suffix with serial number and, if there are
>>>> different issuers, some issuer-identifying information.
>>>>
>>>> Let me know your thoughts.
>>>>
>>>> Thanks,
>>>> Fraser
>>>>
>>> Is there a way to store the certificates in one file?
>>> I read about possibilities to have multiple certs in one .pem file, but I'm
>>> not a cert guru :)
>>>
>>> I personally vote for the serial number in case there are multiple certificates,
>>> if ^ is not possible.
>>>
>>> 1)
>>> + if len(certs) > 0:
>>>
>>> please use only
>>> if certs:
>>>
>>> 2)
>>> You need to re-generate API/ACI.txt in this patch
>>>
>>> 3)
>>> syntax error:
>>> + for dercert in certs_der
>>>
>>> 4)
>>> command
>>> ipa user-mod ca_user --certificate=
>>>
>>> removes the current certificate from the LDAP, by design.
>>> Should the old certificate(s) be revoked? You removed that part in the code.
>>>
>>> only the --addattr='usercertificate=' appends a new value there
>>>
>>> --
>>> Martin Basti

My objections/proposed solutions are in the attached patch.

* VERSION
* In the previous version normalized values were stored in LDAP, so I added it
  back. (I don't know why there is no normalization in param settings, but
  normalization for every certificate is done in callback. I will file a ticket
  for this)
* IMO only normalized certificates should be compared in the old certificates
  detection

-- 
Martin Basti
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-review.patch
Type: text/x-patch
Size: 3309 bytes
From tbordaz at redhat.com Mon Jun 1 13:10:50 2015
From: tbordaz at redhat.com (thierry bordaz)
Date: Mon, 01 Jun 2015 15:10:50 +0200
Subject: [Freeipa-devel] [PATCH 0007] replica install fails with domain level 1
In-Reply-To: <556C2399.6090808@redhat.com>
References: <55687B3C.4070303@redhat.com> <556C1937.6070502@redhat.com> <556C2399.6090808@redhat.com>
Message-ID: <556C59DA.3000305@redhat.com>

On 06/01/2015 11:19 AM, Oleg Fayans wrote:
> Works for me too. Will perform extensive testing today, and report
> everything that I find.
> Thanks, Ludwig!
>> On 05/29/2015 04:44 PM, Ludwig Krispenz wrote:
>>> This is a patch for the two issues reported in ticket #5035
>>> https://fedorahosted.org/freeipa/ticket/5035
>>>
>>
>> Works for me. I was able to install 2 replicas with domain level 1 in
>> one topology.
>>
>> Code looks good to me as well. Tentative ACK (would be nice if it was
>> skimmed by Thierry).
>

Sorry for the late feedback. This change looks good to me as well. ACK
From ofayans at redhat.com Mon Jun 1 14:13:08 2015
From: ofayans at redhat.com (Oleg Fayans)
Date: Mon, 01 Jun 2015 16:13:08 +0200
Subject: [Freeipa-devel] Domain level change failed
Message-ID: <556C6874.7010505@redhat.com>

Hi,

In my installation of the freeipa built with the latest topology patches
applied, I was unable to reset the domain level to 0 on any of the nodes:

ofayans at testmaster:~/ldap]$ ipa domainlevel-set 0
ipa: ERROR: Domain Level cannot be lowered.

I am able to reset the domain level to 0 manually using ldapmodify with the
following ldif file:
dn: cn=domain level,cn=ipa,cn=etc,dc=zaeba,dc=li
changetype: modify
replace: ipaDomainLevel
ipaDomainLevel: 0

and subsequently raise it back to 1 with the standard command:

ofayans at testmaster:~/ldap]$ ipa domainlevel-get
-----------------------
Current domain level: 0
-----------------------
ofayans at testmaster:~/ldap]$ ipa domainlevel-set 1
-----------------------
Current domain level: 1
-----------------------

My topology looks like this:
master <=> replica1 <=> replica3

The question is: is this correct behavior? AFAIU, the admin should not
be able to *raise* the domain level if one of the replicas does not support
this, but there should be no limitations on *lowering* the domain level.

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From pvoborni at redhat.com Mon Jun 1 14:14:50 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Mon, 01 Jun 2015 16:14:50 +0200
Subject: [Freeipa-devel] [PATCH 0007] replica install fails with domain level 1
In-Reply-To: <556C467D.8040705@redhat.com>
References: <55687B3C.4070303@redhat.com> <556C1937.6070502@redhat.com> <556C2399.6090808@redhat.com> <556C433E.90008@redhat.com> <556C467D.8040705@redhat.com>
Message-ID: <556C68DA.40309@redhat.com>

On 06/01/2015 01:48 PM, Ludwig Krispenz wrote:
>
> On 06/01/2015 01:34 PM, Oleg Fayans wrote:
>> So far I've bumped into a problem, using the newly built packages:
>>
>> I've installed a master, a replica (replica1), then replica3 (prepared
>> on replica1), so my topology looks like this:
>>
>> master <=> replica1 <=> replica3
>>
>> However, the `ipa topologysegment-find` shows correct topology only on
>> replicas (not on master)
> looks like replication from replica1 to master is not/no longer working.
> will look into this.

With the same topology, replication works for me. I've not done anything
else related to topology after the installation. Maybe some other
operations caused that.

>>
>> The second problem is that the changes (like user creation) made on
>> any of the nodes do not get replicated to other ones. The dirsrv logs
>> are full of GSSAPI errors like this:

Seems to be caused by the first issue.

>>
>> =====================================================================
>> [01/Jun/2015:07:04:48 -0400] slapi_ldap_bind - Error: could not
>> perform interactive bind for id [] authentication mechanism [GSSAPI]:
>> error -1 (Can't contact LDAP server)
>> [01/Jun/2015:07:09:46 -0400] slapi_ldap_bind - Error: could not send
>> startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
>> [01/Jun/2015:07:09:46 -0400] slapi_ldap_bind - Error: could not send
>> startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
>> [01/Jun/2015:07:09:47 -0400] slapd_ldap_sasl_interactive_bind - Error:
>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
>> -1 (Can't contact LDAP server) ((null)) errno 0 (Success)
>> =====================================================================
>>
>> Full logs are attached
>> I am using the 389-ds-base from mreynolds/389-ds-base dnf repo:
>> root at testmaster:~]$ rpm -q 389-ds-base
>> 389-ds-base-2015_03_11-1.fc21.x86_64

I used the one from mkosek/freeipa-master COPR:
389-ds-base-1.3.4.a1-20150512143653.git1bf67a4.fc17.src.rpm

>>
>> On 06/01/2015 11:19 AM, Oleg Fayans wrote:
>>> Works for me too. Will perform extensive testing today, and report
>>> everything that I find.
>>> Thanks, Ludwig!
>>>> On 05/29/2015 04:44 PM, Ludwig Krispenz wrote:
>>>>> This is a patch for the two issues reported in ticket #5035
>>>>> https://fedorahosted.org/freeipa/ticket/5035
>>>>>
>>>>
>>>> Works for me. I was able to install 2 replicas with domain level 1
>>>> in one topology.
>>>>
>>>> Code looks good to me as well. Tentative ACK (would be nice if it
>>>> was skimmed by Thierry).

-- 
Petr Vobornik
From rcritten at redhat.com Mon Jun 1 14:14:50 2015
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 01 Jun 2015 10:14:50 -0400 Subject: [Freeipa-devel] [PATCH 0262] Installer FIX: remove temporal ccache In-Reply-To: <556C49CB.30801@redhat.com> References: <556C49CB.30801@redhat.com> Message-ID: <556C68DA.4030808@redhat.com> Martin Basti wrote: > Fixes an issue caused by the latest installer patches pushed to master. > > Patch attached. > > > The use of globals makes my skin crawl a bit, but since you're making changes in here you should take a look at this ticket: https://fedorahosted.org/freeipa/ticket/5042 rob From tbabej at redhat.com Mon Jun 1 14:19:07 2015 
From: tbabej at redhat.com (Tomas Babej) Date: Mon, 01 Jun 2015 16:19:07 +0200 Subject: [Freeipa-devel] Domain level change failed In-Reply-To: <556C6874.7010505@redhat.com> References: <556C6874.7010505@redhat.com> Message-ID: <556C69DB.7040805@redhat.com> On 06/01/2015 04:13 PM, Oleg Fayans wrote: > Hi, > > In my installation of the freeipa built with the latest topology patches > applied, I was unable to reset domain level to 0 on either of the nodes: > > ofayans at testmaster:~/ldap]$ ipa domainlevel-set 0 > ipa: ERROR: Domain Level cannot be lowered. > > I am able to reset domain level to 0 manually using ldapmodify with the > following ldif file: > dn: cn=domain level,cn=ipa,cn=etc,dc=zaeba,dc=li > changetype: modify > replace: ipaDomainLevel > ipaDomainLevel: 0 > > and subsequently raise it back to 1 with the standard command: > > ofayans at testmaster:~/ldap]$ ipa domainlevel-get > ----------------------- > Current domain level: 0 > ----------------------- > ofayans at testmaster:~/ldap]$ ipa domainlevel-set 1 > ----------------------- > Current domain level: 1 > ----------------------- > > My topology looks like this: > master <=> replica1 <=> replica3 > > The question is: is it correct behavior? AFAIU, the admin should not > be able to *raise* domain level if one of the replicas does not support > this, but there should be no limitations on *lowering* the domain level. > Yes. Domain Level cannot be lowered as raising the domain level can cause permanent changes in the tree that cannot be reversed. See http://www.freeipa.org/page/V4/Domain_Levels. Tomas From pvoborni at redhat.com Mon Jun 1 14:20:50 2015 
From: pvoborni at redhat.com (Petr Vobornik) Date: Mon, 01 Jun 2015 16:20:50 +0200 Subject: [Freeipa-devel] Domain level change failed In-Reply-To: <556C6874.7010505@redhat.com> References: <556C6874.7010505@redhat.com> Message-ID: <556C6A42.3060301@redhat.com> On 06/01/2015 04:13 PM, Oleg Fayans wrote: > Hi, > > In my installation of the freeipa built with the latest topology patches > applied, I was unable to reset domain level to 0 on either of the nodes: > > ofayans at testmaster:~/ldap]$ ipa domainlevel-set 0 > ipa: ERROR: Domain Level cannot be lowered. > > I am able to reset domain level to 0 manually using ldapmodify with the > following ldif file: > dn: cn=domain level,cn=ipa,cn=etc,dc=zaeba,dc=li > changetype: modify > replace: ipaDomainLevel > ipaDomainLevel: 0 > > and subsequently raise it back to 1 with the standard command: > > ofayans at testmaster:~/ldap]$ ipa domainlevel-get > ----------------------- > Current domain level: 0 > ----------------------- > ofayans at testmaster:~/ldap]$ ipa domainlevel-set 1 > ----------------------- > Current domain level: 1 > ----------------------- > > My topology looks like this: > master <=> replica1 <=> replica3 > > The question is: is it correct behavior? AFAIU, the admin should not > be able to *raise* domain level if one of the replicas does not support > this, but there should be no limitations on *lowering* the domain level. > > It is correct behavior. From the design page: """ The Domain Level cannot be lowered as raising the Domain Level can cause changes to the tree (new schema, changes in behavior and data) that cannot be easily undone. """ http://www.freeipa.org/page/V4/Domain_Levels -- Petr Vobornik From mbasti at redhat.com Mon Jun 1 14:47:46 2015 
From: mbasti at redhat.com (Martin Basti) Date: Mon, 01 Jun 2015 16:47:46 +0200 Subject: [Freeipa-devel] [PATCH 0262] Installer FIX: remove temporal ccache In-Reply-To: <556C68DA.4030808@redhat.com> References: <556C49CB.30801@redhat.com> <556C68DA.4030808@redhat.com> Message-ID: <556C7092.1070700@redhat.com> On 01/06/15 16:14, Rob Crittenden wrote: > Martin Basti wrote: >> Fixes an issue caused by the latest installer patches pushed to master. >> >> Patch attached. >> >> >> > > The use of globals makes my skin crawl a bit, but since you're making > changes in here you should take a look at this ticket: > https://fedorahosted.org/freeipa/ticket/5042 > > rob Hi Rob, this is the fix for that ticket, I missed the ticket somehow. Thanks. Martin^2 From lkrispen at redhat.com Mon Jun 1 14:52:22 2015 
From: lkrispen at redhat.com (Ludwig Krispenz) Date: Mon, 01 Jun 2015 16:52:22 +0200 Subject: [Freeipa-devel] [PATCH 0007] replica install fails with domain level 1 In-Reply-To: <556C68DA.40309@redhat.com> References: <55687B3C.4070303@redhat.com> <556C1937.6070502@redhat.com> <556C2399.6090808@redhat.com> <556C433E.90008@redhat.com> <556C467D.8040705@redhat.com> <556C68DA.40309@redhat.com> Message-ID: <556C71A6.9040101@redhat.com> Hi Oleg, On 06/01/2015 04:14 PM, Petr Vobornik wrote: > On 06/01/2015 01:48 PM, Ludwig Krispenz wrote: >> >> On 06/01/2015 01:34 PM, Oleg Fayans wrote: >>> So far I've bumped into a problem, using the newly built packages: >>> >>> I've installed a master, a replica (replica1) Then replica3 (prepared >>> on replica1), so, my topology looks like this: >>> >>> master <=> replica1 <=> replica3 >>> >>> However, the `ipa topologysegment-find` shows correct topology only on >>> replicas (not on master) >> looks like replication from replica1 to master is not/no longer working. >> will look into this. > > With the same topology, replication works for me. I've not done > anything else related to topology after the installation. Maybe some > other operations caused that. could it be that you had a replica2 which you had removed ? > > >>> >>> The second problem is that the changes (like user creation) made on >>> any of the nodes do not get replicated to the other ones. The dirsrv logs >>> are full of GSSAPI errors like this: > > Seems to be caused by the first issue. 
> >>> >>> ===================================================================== >>> [01/Jun/2015:07:04:48 -0400] slapi_ldap_bind - Error: could not >>> perform interactive bind for id [] authentication mechanism [GSSAPI]: >>> error -1 (Can't contact LDAP server) >>> [01/Jun/2015:07:09:46 -0400] slapi_ldap_bind - Error: could not send >>> startTLS request: error -1 (Can't contact LDAP server) errno 0 >>> (Success) >>> [01/Jun/2015:07:09:46 -0400] slapi_ldap_bind - Error: could not send >>> startTLS request: error -1 (Can't contact LDAP server) errno 0 >>> (Success) >>> [01/Jun/2015:07:09:47 -0400] slapd_ldap_sasl_interactive_bind - Error: >>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error >>> -1 (Can't contact LDAP server) ((null)) errno 0 (Success) >>> ===================================================================== >>> >>> Full logs are attached >>> I am using the 389-ds-base from mreynolds/389-ds-base dnf repo: >>> root at testmaster:~]$ rpm -q 389-ds-base >>> 389-ds-base-2015_03_11-1.fc21.x86_64 > > I used the one from mkosek/freeipa-master COPR: > 389-ds-base-1.3.4.a1-20150512143653.git1bf67a4.fc17.src.rpm > >>> >>> >>> >>> On 06/01/2015 11:19 AM, Oleg Fayans wrote: >>>> Works for me too. Will perform extensive testing today, and report >>>> everything that I find. >>>> Thanks, Ludwig! >>>>> On 05/29/2015 04:44 PM, Ludwig Krispenz wrote: >>>>>> This is a patch for the two issues reported in ticket #5035 >>>>>> https://fedorahosted.org/freeipa/ticket/5035 >>>>>> >>>>>> >>>>> >>>>> Works for me. I was able to install 2 replicas with domain level 1 >>>>> in one topology. >>>>> >>>>> Code looks good to me as well. Tentative ACK (would be nice if it >>>>> was skimmed by Thierry). > From edewata at redhat.com Tue Jun 2 00:00:09 2015 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 01 Jun 2015 19:00:09 -0500 Subject: [Freeipa-devel] [PATCH] Password vault In-Reply-To: <556558AA.6040107@redhat.com> References: <54E1AF55.3060409@redhat.com> <54EBEB55.6010306@redhat.com> <54F96B22.9050507@redhat.com> <55004D5D.6060300@redhat.com> <550FE5EB.1070606@redhat.com> <551E0AE1.8040500@redhat.com> <553498D1.1020901@redhat.com> <55651209.8020000@redhat.com> <556558AA.6040107@redhat.com> Message-ID: <556CF209.7050404@redhat.com> Please take a look at the updated patch. On 5/27/2015 12:39 AM, Jan Cholasta wrote: >>>>>>> 21) vault_archive is not a retrieve operation, it should be based on >>>>>>> LDAPUpdate instead of LDAPRetrieve. Or Command actually, since it >>>>>>> does >>>>>>> not do anything with LDAP. The same applies to vault_retrieve. >>>>>> >>>>>> The vault_archive does not actually modify the LDAP entry because it >>>>>> stores the data in KRA. It is actually an LDAPRetrieve operation >>>>>> because >>>>>> it needs to get the vault info before it can perform the archival >>>>>> operation. Same thing with vault_retrieve. >>>>> >>>>> It is not a LDAPRetrieve operation, because it has different >>>>> semantics. >>>>> Please use Command as base class and either use ldap2 for direct >>>>> LDAP or >>>>> call vault_show instead of hacking around LDAPRetrieve. >>>> >>>> It's been changed to inherit from LDAPQuery instead. >>> >>> NACK, it's not a LDAPQuery operation, because it has different >>> semantics. There is more to a command than executing code, so you should >>> use a correct base class. >> >> Changed to inherit from Command as requested. Now these commands no >> longer have a direct access to the vault object (self.obj) although they >> are accessing vault objects like other vault commands. Also now the >> vault name argument has to be added explicitly on each command. > > You can inherit from crud.Retrieve and crud.Update to get self.obj and > the argument back. 
I tried this: class vault_retrieve(Command, crud.Retrieve): and it gave me an error: TypeError: Error when calling the metaclass bases Cannot create a consistent method resolution order (MRO) for bases Retrieve, Command I'm sticking with the original code since it works fine although not ideal. I'm not a Python expert, so if you know how to fix this properly please feel free to post a patch on top of this. > If KRA is not installed, vault-archive and vault-retrieve fail with > internal error. Added code to check KRA installation in all vault commands. If you know a way not to load the vault plugin if the KRA is not installed please let me know, that's probably even better. Not sure how that will work on the client side though. > The commands still behave differently based on whether they were called > from API which was initialized with in_server set to True or False. That is unfortunately a restriction imposed by the framework. In order to guarantee the security, the vault is designed to have separate client and server code. The client code encrypts the secret, the server code forwards the encrypted secret to KRA. To archive a secret into a vault properly, you are supposed to call the client code. If you're calling the server code directly, you are responsible to do your own encryption (i.e. generating session key, nonce, and vault data). If another plugin wants to use vault, it should implement a client code which calls the vault client code to perform the archival from the client side. What is the use case for calling the vault API from the server side anyway? Wouldn't that defeat the purpose of having a vault? If a secret exists on the server side in an unencrypted form doesn't it mean the secret may already have been compromised? > There is no point in exposing the session_key, nonce and vault_data > options in CLI when their value is always overwritten in forward(). 
I agree there is no need to expose them in CLI, but in this framework the API also defines the CLI. If there's a way to keep them in the server API but not expose them in the CLI please let me know. Or, if there's a way to define completely separate server API (without a matching client CLI) and client CLI (without a matching server API) that will work too. > Will this always succeed? > > + # deactivate vault record in KRA > + response = kra_client.keys.list_keys( > + client_key_id, pki.key.KeyClient.KEY_STATUS_ACTIVE) Yes. If there's no active keys it will return an empty collection. > + for key_info in response.key_infos: > + kra_client.keys.modify_key_status( > + key_info.get_key_id(), > + pki.key.KeyClient.KEY_STATUS_INACTIVE) This loop will do nothing given an empty collection. > If not, we might get into an inconsistent state, where the vault is > deleted in LDAP but still active in KRA. (I'm not sure if this is > actually a problem or not.) That can only happen if the server crashes after deleting the vault but before deactivating the key. Regardless, it will not be a problem because the key is identified by vault ID/path so it will not conflict with other vaults, and it will get overwritten if the same vault is recreated again. -- Endi S. Dewata -------------- next part -------------- >From d1123f07745fea856ced305a814d933cd793dbf2 Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Tue, 21 Oct 2014 10:57:08 -0400 Subject: [PATCH] Added vault-archive and vault-retrieve commands. New commands have been added to archive and retrieve data into and from a vault, also to retrieve the transport certificate. https://fedorahosted.org/freeipa/ticket/3872 --- API.txt | 28 ++ VERSION | 4 +- ipalib/plugins/vault.py | 501 +++++++++++++++++++++++++++++- ipatests/test_xmlrpc/test_vault_plugin.py | 71 ++++- 4 files changed, 600 insertions(+), 4 deletions(-) 
diff --git a/API.txt b/API.txt index da69f32de5c12c0d85a7d61d9027385aa3c0ee05..3741e6f16689e43838c2d31a44872d1ea47589c7 100644 --- a/API.txt +++ b/API.txt @@ -4768,6 +4768,24 @@ option: Str('version?', exclude='webui') output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) +command: vault_archive +args: 1,9,1 +arg: Str('cn', cli_name='name', maxlength=255, pattern='^[a-zA-Z0-9_.-]+$') +option: Bytes('data?') +option: Str('in?') +option: Str('nonce?') +option: Str('service?') +option: Str('session_key?') +option: Flag('shared?', autofill=True, default=False) +option: Str('user?') +option: Str('vault_data?') +option: Str('version?', exclude='webui') +output: Output('result', None, None) +command: vault_config +args: 0,2,1 +option: Str('transport_out?') +option: Str('version?', exclude='webui') +output: Output('result', None, None) command: vault_del args: 1,5,3 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=True, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) @@ -4814,6 +4832,16 @@ option: Str('version?', exclude='webui') output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) +command: vault_retrieve +args: 1,6,1 +arg: Str('cn', cli_name='name', maxlength=255, pattern='^[a-zA-Z0-9_.-]+$') +option: Str('out?') +option: Str('service?') +option: Str('session_key?') +option: Flag('shared?', autofill=True, default=False) +option: Str('user?') +option: Str('version?', exclude='webui') +output: Output('result', None, None) command: vault_show args: 1,7,3 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) 
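Review bot: the vault_archive and vault_retrieve entries ship client-only parameters as server API options: `option: Bytes('data?')`, `option: Str('in?')` and `option: Str('out?')` are removed in forward() before the call reaches the server, and `session_key?`, `nonce?` and `vault_data?` are overwritten there, yet API.txt advertises all of them to every RPC client and to the web UI, so a caller who sets `vault_data` by hand gets it silently replaced. At minimum mark them `exclude='webui'` the way `version?` is, and say in each parameter's doc which side consumes it; the same applies to `transport_out?` on vault_config, which is only ever read client-side.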
diff --git a/VERSION b/VERSION index 07c00d000064a7687497b09524aa821dbcecc88a..2bfb2fe46b3760f30e1aa378841544a51f014728 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=121 -# Last change: pvoborni - added server-find and server-show +IPA_API_VERSION_MINOR=122 +# Last change: edewata - added vault-archive and vault-retrieve diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py index ebb9f9fd3cf3b5a7d6b44ac9e63e122e8f71aa1a..cb68d136e98efa73ce8281ee12ef897af67c3da9 100644 --- a/ipalib/plugins/vault.py +++ b/ipalib/plugins/vault.py @@ -17,8 +17,21 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . +import base64 +import json +import os +import sys +import tempfile + +import nss.nss as nss + +import pki.account +import pki.crypto +import pki.key + +from ipalib.frontend import Command from ipalib import api, errors -from ipalib import Str, Flag +from ipalib import Bytes, Str, Flag from ipalib import output from ipalib.plugable import Registry from ipalib.plugins.baseldap import LDAPObject, LDAPCreate, LDAPDelete,\ @@ -26,7 +39,9 @@ from ipalib.plugins.baseldap import LDAPObject, LDAPCreate, LDAPDelete,\ from ipalib.request import context from ipalib.plugins.user import split_principal from ipalib import _, ngettext +from ipaplatform.paths import paths from ipapython.dn import DN +from ipapython.nsslib import current_dbdir __doc__ = _(""" Vaults 
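Review bot: `from ipapython.nsslib import current_dbdir` imports a name that the new command code then rebinds as a plain local (`current_dbdir = paths.IPA_NSSDB_DIR` inside forward()), so the import has no effect and the assignment is dead; either drop both, or assign `ipapython.nsslib.current_dbdir` explicitly if the intent is to steer nsslib at the IPA NSS database. `import sys` is unused as well. Separately, `import nss.nss`, `import pki.account`, `import pki.crypto` and `import pki.key` at module top level make the whole vault plugin, and with it plugin loading on that host, fail wherever the pki client packages are absent, which is the common client case when the KRA is optional; importing them inside forward()/execute(), or guarding the import and raising a clear error from the commands, keeps the other plugins loadable.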
@@ -94,6 +109,33 @@ EXAMPLES: """) + _(""" Delete a user vault: ipa vault-del --user +""") + _(""" + Display vault configuration: + ipa vault-config +""") + _(""" + Archive data into private vault: + ipa vault-archive --in +""") + _(""" + Archive data into service vault: + ipa vault-archive --service --in +""") + _(""" + Archive data into shared vault: + ipa vault-archive --shared --in +""") + _(""" + Archive data into user vault: + ipa vault-archive --user --in +""") + _(""" + Retrieve data from private vault: + ipa vault-retrieve --out +""") + _(""" + Retrieve data from service vault: + ipa vault-retrieve --service --out +""") + _(""" + Retrieve data from shared vault: + ipa vault-retrieve --shared --out +""") + _(""" + Retrieve data from user vault: + ipa vault-retrieve --user --out """) register = Registry() @@ -243,6 +285,26 @@ class vault(LDAPObject): for entry in entries: self.backend.add_entry(entry) + def get_key_id(self, dn): + """ + Generates a client key ID to archive/retrieve data in KRA. + """ + + # TODO: create container_dn after object initialization then reuse it + container_dn = DN(self.container_dn, self.api.env.basedn) + + # make sure the DN is a vault DN + if not dn.endswith(container_dn, 1): + raise ValueError('Invalid vault DN: %s' % dn) + + # construct the vault ID from the bottom up + id = u'' + for rdn in dn[:-len(container_dn)]: + name = rdn['cn'] + id = u'/' + name + id + + return 'ipa:' + id + @register() class vault_add(LDAPCreate): @@ -256,6 +318,10 @@ class vault_add(LDAPCreate): **options): assert isinstance(dn, DN) + if not self.api.env.enable_kra: + raise errors.InvocationError( + format=_('KRA service is not enabled')) + try: parent_dn = DN(*dn[1:]) self.obj.create_container(parent_dn) 
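Review bot: get_key_id guards the DN shape with `if not dn.endswith(container_dn, 1)` but then reads `rdn['cn']` for every remaining RDN, so a DN under the vault container whose RDN is not cn raises a KeyError instead of the `ValueError('Invalid vault DN: ...')` the guard is there to produce; check the RDN attribute in the loop and raise the same ValueError. `id` also shadows the builtin, `vault_id` reads better. Since the returned `'ipa:' + id` string is the only link between the ACI-protected LDAP entry and the KRA record, the docstring should state that the ID is the slash-joined cn path under the container and that uniqueness relies on the cn pattern `^[a-zA-Z0-9_.-]+$` excluding '/', otherwise a later relaxation of the pattern would let two vaults collide on one KRA key ID.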
@@ -273,6 +339,38 @@ class vault_del(LDAPDelete): msg_summary = _('Deleted vault "%(value)s"') + def pre_callback(self, ldap, dn, *keys, **options): + assert isinstance(dn, DN) + + if not self.api.env.enable_kra: + raise errors.InvocationError( + format=_('KRA service is not enabled')) + + return dn + + def post_callback(self, ldap, dn, *args, **options): + assert isinstance(dn, DN) + + kra_client = self.api.Backend.kra.get_client() + + kra_account = pki.account.AccountClient(kra_client.connection) + kra_account.login() + + client_key_id = self.obj.get_key_id(dn) + + # deactivate vault record in KRA + response = kra_client.keys.list_keys( + client_key_id, pki.key.KeyClient.KEY_STATUS_ACTIVE) + + for key_info in response.key_infos: + kra_client.keys.modify_key_status( + key_info.get_key_id(), + pki.key.KeyClient.KEY_STATUS_INACTIVE) + + kra_account.logout() + + return True + @register() class vault_find(LDAPSearch): @@ -290,6 +388,10 @@ class vault_find(LDAPSearch): **options): assert isinstance(base_dn, DN) + if not self.api.env.enable_kra: + raise errors.InvocationError( + format=_('KRA service is not enabled')) + base_dn = self.obj.get_dn(*args, **options) return (filter, base_dn, scope) 
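Review bot: in vault_del.post_callback the `list_keys`/`modify_key_status` loop and `kra_account.logout()` are not under try/finally, so any KRA error propagates after the LDAP entry is already deleted and leaves the KRA session open; put `kra_account.logout()` in a finally block, and consider moving the deactivation into pre_callback so a KRA failure aborts before the LDAP delete rather than after it, which is exactly the LDAP-deleted-but-KRA-active state raised in the review above. The `if not self.api.env.enable_kra: raise errors.InvocationError(...)` block is now copied verbatim into vault_add, vault_del, vault_find, vault_mod, vault_show and the three new commands; a single helper on the vault object would keep the message and the check from drifting apart.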
@@ -313,9 +415,406 @@ class vault_mod(LDAPUpdate): msg_summary = _('Modified vault "%(value)s"') + def pre_callback(self, ldap, dn, entry_attrs, attrs_list, + *keys, **options): + + assert isinstance(dn, DN) + + if not self.api.env.enable_kra: + raise errors.InvocationError( + format=_('KRA service is not enabled')) + + return dn + @register() class vault_show(LDAPRetrieve): __doc__ = _('Display information about a vault.') takes_options = LDAPRetrieve.takes_options + vault_options + + def pre_callback(self, ldap, dn, attrs_list, *keys, **options): + assert isinstance(dn, DN) + + if not self.api.env.enable_kra: + raise errors.InvocationError( + format=_('KRA service is not enabled')) + + return dn + + + at register() +class vault_config(Command): + __doc__ = _('Show vault configuration.') + + takes_options = ( + Str( + 'transport_out?', + doc=_('Output file to store the transport certificate'), + ), + ) + + has_output_params = ( + Str( + 'transport_cert', + label=_('Transport Certificate'), + ), + ) + + def forward(self, *args, **options): + + file = options.get('transport_out') + + # don't send these parameters to server + if 'transport_out' in options: + del options['transport_out'] + + response = super(vault_config, self).forward(*args, **options) + + if file: + with open(file, 'w') as f: + f.write(response['result']['transport_cert']) + + return response + + def execute(self, *args, **options): + + if not self.api.env.enable_kra: + raise errors.InvocationError( + format=_('KRA service is not enabled')) + + kra_client = self.api.Backend.kra.get_client() + transport_cert = kra_client.system_certs.get_transport_cert() + return { + 'result': { + 'transport_cert': transport_cert.encoded + } + } + + + at register() +class vault_archive(Command): + __doc__ = _('Archive data into a vault.') + + takes_args = ( + Str( + 'cn', + cli_name='name', + label=_('Vault name'), + pattern='^[a-zA-Z0-9_.-]+$', + pattern_errmsg='may only include letters, numbers, _, ., and -', + 
maxlength=255, + ), + ) + + takes_options = vault_options + ( + Bytes( + 'data?', + doc=_('Binary data to archive'), + ), + Str( # TODO: use File parameter + 'in?', + doc=_('File containing data to archive'), + ), + Str( + 'session_key?', + doc=_( + 'Session key wrapped with transport certificate' + ' and encoded in base-64'), + ), + Str( + 'vault_data?', + doc=_( + 'Vault data encrypted with session key' + ' and encoded in base-64'), + ), + Str( + 'nonce?', + doc=_('Nonce encrypted encoded in base-64'), + ), + ) + + msg_summary = _('Archived data into vault "%(value)s"') + + def forward(self, *args, **options): + + data = options.get('data') + input_file = options.get('in') + + # don't send these parameters to server + if 'data' in options: + del options['data'] + if 'in' in options: + del options['in'] + + # get data + if data and input_file: + raise errors.MutuallyExclusiveError( + reason=_('Input data specified multiple times')) + + if input_file: + with open(input_file, 'rb') as f: + data = f.read() + + elif not data: + data = '' + + # initialize NSS database + crypto = pki.crypto.NSSCryptoProvider(paths.IPA_NSSDB_DIR) + crypto.initialize() + current_dbdir = paths.IPA_NSSDB_DIR + + # retrieve transport certificate + (file, filename) = tempfile.mkstemp() + os.close(file) + try: + self.api.Command.vault_config(transport_out=unicode(filename)) + transport_cert_der = nss.read_der_from_file(filename, True) + nss_transport_cert = nss.Certificate(transport_cert_der) + + finally: + os.remove(filename) + + # generate session key + session_key = crypto.generate_session_key() + + # wrap session key with transport certificate + wrapped_session_key = crypto.asymmetric_wrap( + session_key, + nss_transport_cert + ) + + options['session_key'] = base64.b64encode(wrapped_session_key)\ + .decode('utf-8') + + nonce = crypto.generate_nonce_iv() + options['nonce'] = base64.b64encode(nonce).decode('utf-8') + + vault_data = {} + vault_data[u'data'] = 
base64.b64encode(data).decode('utf-8') + + json_vault_data = json.dumps(vault_data) + + # wrap vault_data with session key + wrapped_vault_data = crypto.symmetric_wrap( + json_vault_data, + session_key, + nonce_iv=nonce + ) + + options['vault_data'] = base64.b64encode(wrapped_vault_data)\ + .decode('utf-8') + + return super(vault_archive, self).forward(*args, **options) + + def execute(self, *args, **options): + + if not self.api.env.enable_kra: + raise errors.InvocationError( + format=_('KRA service is not enabled')) + + vault_name = args[0] + + # retrieve vault info + vault = self.api.Command.vault_show( + vault_name, + service=options.get('service'), + shared=options.get('shared'), + user=options.get('user'), + )['result'] + + # connect to KRA + kra_client = self.api.Backend.kra.get_client() + + kra_account = pki.account.AccountClient(kra_client.connection) + kra_account.login() + + client_key_id = self.api.Object.vault.get_key_id(vault['dn']) + + # deactivate existing vault record in KRA + response = kra_client.keys.list_keys( + client_key_id, + pki.key.KeyClient.KEY_STATUS_ACTIVE) + + for key_info in response.key_infos: + kra_client.keys.modify_key_status( + key_info.get_key_id(), + pki.key.KeyClient.KEY_STATUS_INACTIVE) + + wrapped_session_key = base64.b64decode(options['session_key']) + nonce = base64.b64decode(options['nonce']) + + # forward wrapped data to KRA + wrapped_vault_data = base64.b64decode(options['vault_data']) + + kra_client.keys.archive_encrypted_data( + client_key_id, + pki.key.KeyClient.PASS_PHRASE_TYPE, + wrapped_vault_data, + wrapped_session_key, + None, + nonce, + ) + + kra_account.logout() + + response = {} + response['result'] = {} + + return response + + + at register() +class vault_retrieve(Command): + __doc__ = _('Retrieve a data from a vault.') + + takes_args = ( + Str( + 'cn', + cli_name='name', + label=_('Vault name'), + pattern='^[a-zA-Z0-9_.-]+$', + pattern_errmsg='may only include letters, numbers, _, ., and -', + 
maxlength=255, + ), + ) + + takes_options = vault_options + ( + Str( + 'out?', + doc=_('File to store retrieved data'), + ), + Str( + 'session_key?', + doc=_( + 'Session key wrapped with transport certificate' + ' and encoded in base-64'), + ), + ) + + has_output_params = ( + Bytes( + 'data', + label=_('Data'), + ), + ) + + msg_summary = _('Retrieved data from vault "%(value)s"') + + def forward(self, *args, **options): + + output_file = options.get('out') + + # don't send these parameters to server + if 'out' in options: + del options['out'] + + # initialize NSS database + crypto = pki.crypto.NSSCryptoProvider(paths.IPA_NSSDB_DIR) + crypto.initialize() + current_dbdir = paths.IPA_NSSDB_DIR + + # retrieve transport certificate + (file, filename) = tempfile.mkstemp() + os.close(file) + try: + self.api.Command.vault_config(transport_out=unicode(filename)) + transport_cert_der = nss.read_der_from_file(filename, True) + nss_transport_cert = nss.Certificate(transport_cert_der) + + finally: + os.remove(filename) + + # generate session key + session_key = crypto.generate_session_key() + + # wrap session key with transport certificate + wrapped_session_key = crypto.asymmetric_wrap( + session_key, + nss_transport_cert + ) + + # send retrieval request to server + options['session_key'] = base64.b64encode(wrapped_session_key)\ + .decode('utf-8') + + response = super(vault_retrieve, self).forward(*args, **options) + + result = response['result'] + nonce = base64.b64decode(result['nonce']) + + # unwrap data with session key + wrapped_vault_data = base64.b64decode(result['vault_data']) + + json_vault_data = crypto.symmetric_unwrap( + wrapped_vault_data, + session_key, + nonce_iv=nonce) + + vault_data = json.loads(json_vault_data) + data = base64.b64decode(vault_data[u'data'].encode('utf-8')) + + if output_file: + response = {} + response['result'] = {} + with open(output_file, 'w') as f: + f.write(data) + + else: + response['result']['data'] = data + del 
response['result']['nonce'] + del response['result']['vault_data'] + + return response + + def execute(self, *args, **options): + + if not self.api.env.enable_kra: + raise errors.InvocationError( + format=_('KRA service is not enabled')) + + vault_name = args[0] + + # retrieve vault info + vault = self.api.Command.vault_show( + vault_name, + service=options.get('service'), + shared=options.get('shared'), + user=options.get('user'), + )['result'] + + wrapped_session_key = base64.b64decode(options['session_key']) + + # connect to KRA + kra_client = self.api.Backend.kra.get_client() + + kra_account = pki.account.AccountClient(kra_client.connection) + kra_account.login() + + client_key_id = self.api.Object.vault.get_key_id(vault['dn']) + + # find vault record in KRA + response = kra_client.keys.list_keys( + client_key_id, + pki.key.KeyClient.KEY_STATUS_ACTIVE) + + if not len(response.key_infos): + raise errors.NotFound(reason=_('No archived data.')) + + key_info = response.key_infos[0] + + # retrieve encrypted data from KRA + key = kra_client.keys.retrieve_key( + key_info.get_key_id(), + wrapped_session_key) + + vault['vault_data'] = base64.b64encode( + key.encrypted_data).decode('utf-8') + vault['nonce'] = base64.b64encode(key.nonce_data).decode('utf-8') + + kra_account.logout() + + response = {} + response['result'] = vault + + return response diff --git a/ipatests/test_xmlrpc/test_vault_plugin.py b/ipatests/test_xmlrpc/test_vault_plugin.py index 44d397c583928d98ec252899398ae6c3a83c207c..0664addd646806f1b8a5083ef5da16c4dfc015dc 100644 --- a/ipatests/test_xmlrpc/test_vault_plugin.py +++ b/ipatests/test_xmlrpc/test_vault_plugin.py 
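Review bot: vault_retrieve.forward writes the recovered secret with `with open(output_file, 'w') as f: f.write(data)` while vault_archive reads its input with `open(input_file, 'rb')`; use 'wb' for symmetry (and for Python 3, where writing bytes to a text handle fails), and create the file with `os.open(..., os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` rather than the process umask, since this is a secret just pulled out of the KRA landing on a possibly shared filesystem. Both forward() methods obtain the transport certificate by calling `self.api.Command.vault_config(transport_out=unicode(filename))` against the same server they are about to send the wrapped data to, with nothing pinned, so the "server never sees the plaintext" property holds only as long as that server returns the genuine KRA transport cert; document that trust assumption or let the client supply a pinned cert (a `transport_in` option mirroring `transport_out` would do). In both execute() methods `kra_account.logout()` is again not in a finally block. Smaller points: `elif not data: data = ''` archives an empty payload when neither `--data` nor `--in` is given, where a RequirementError would be clearer; the `nonce` option doc "Nonce encrypted encoded in base-64" is garbled; and `(file, filename) = tempfile.mkstemp()` shadows the `file` builtin.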
@@ -22,12 +22,15 @@ Test the `ipalib/plugins/vault.py` module. """ from ipalib import api, errors -from xmlrpc_test import Declarative, fuzzy_string +from xmlrpc_test import Declarative vault_name = u'test_vault' service_name = u'HTTP/server.example.com' user_name = u'testuser' +# binary data from \x00 to \xff +secret = ''.join(map(chr, xrange(0, 256))) + class test_vault_plugin(Declarative): @@ -442,4 +445,70 @@ class test_vault_plugin(Declarative): }, }, + { + 'desc': 'Create vault for archival', + 'command': ( + 'vault_add', + [vault_name], + {}, + ), + 'expected': { + 'value': vault_name, + 'summary': 'Added vault "%s"' % vault_name, + 'result': { + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + % (vault_name, api.env.basedn), + 'objectclass': [u'top', u'ipaVault'], + 'cn': [vault_name], + }, + }, + }, + + { + 'desc': 'Archive secret', + 'command': ( + 'vault_archive', + [vault_name], + { + 'data': secret, + }, + ), + 'expected': { + 'result': {}, + }, + }, + + { + 'desc': 'Retrieve secret', + 'command': ( + 'vault_retrieve', + [vault_name], + {}, + ), + 'expected': { + 'result': { + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + % (vault_name, api.env.basedn), + 'cn': [vault_name], + 'data': secret, + }, + }, + }, + + { + 'desc': 'Delete vault for archival', + 'command': ( + 'vault_del', + [vault_name], + {}, + ), + 'expected': { + 'value': [vault_name], + 'summary': u'Deleted vault "%s"' % vault_name, + 'result': { + 'failed': (), + }, + }, + }, + ] -- 1.9.3 From edewata at redhat.com Tue Jun 2 00:02:34 2015 
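Review bot: the new test cases only exercise the in-memory `data` option with a KRA present; there is no case for `--in`/`--out`, none for a second archive into the same vault (the reason the deactivation loop in vault_archive.execute exists), and none for the `InvocationError` path when `enable_kra` is false. The 'Retrieve secret' expectation also hard-codes `'data': secret` where `secret = ''.join(map(chr, xrange(0, 256)))`, which is a byte string only on Python 2; building it as `bytes(bytearray(range(256)))` keeps the test meaningful when the tree moves to Python 3.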
From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 01 Jun 2015 19:02:34 -0500 Subject: [Freeipa-devel] [PATCH] Password vault In-Reply-To: <5566ABAB.7050008@redhat.com> References: <54E1AF55.3060409@redhat.com> <54EBEB55.6010306@redhat.com> <54F96B22.9050507@redhat.com> <55004D5D.6060300@redhat.com> <550FE5EB.1070606@redhat.com> <551E0AE1.8040500@redhat.com> <553498D1.1020901@redhat.com> <55651209.8020000@redhat.com> <556558AA.6040107@redhat.com> <5566AB15.3070605@redhat.com> <5566ABAB.7050008@redhat.com> Message-ID: <556CF29A.9090404@redhat.com> On 5/28/2015 12:46 AM, Jan Cholasta wrote: >> On a related note, since KRA is optional, can we move the vaults >> container to cn=kra,cn=vaults? This is the convention used by the other >> optional components (DNS and recently CA). > > I mean cn=vaults,cn=kra of course. If you are talking about the o=kra,, I'm not sure whether the IPA framework will work with it. If you are talking about adding a new cn=kra, entry on top of cn=vaults, what is the purpose of this entry? Is the entry going to be created/deleted automatically when the KRA is installed/removed? Is it going to be used for something else other than vaults? There are a lot of questions that need to be answered before we can make this change. We probably should revisit this issue after the core vault functionality is added. -- Endi S. Dewata From mkosek at redhat.com Tue Jun 2 06:10:59 2015 
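The client-encrypts / server-forwards / KRA-holds-the-key split that Endi describes two messages up, reduced to three in-process parties so the property he argues for (the IPA server never handles the plaintext, and calling the server half directly does not work) can be checked. This is an added example for this thread, not FreeIPA or Dogtag code. It assumes the `cryptography` package and substitutes RSA-OAEP and AES-GCM for pki.crypto's wrap routines; the ToyKRA class, the helper names and the key ID string are made up for the example, only the option names (session_key, nonce, vault_data) and the message shapes follow the patch.

```python
"""Envelope scheme behind vault-archive / vault-retrieve (added example)."""
import base64
import json
import os

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Stand-in for pki.crypto's asymmetric wrap (assumption: not what Dogtag uses)
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


def b64(raw):
    return base64.b64encode(raw).decode("utf-8")


def unb64(text):
    return base64.b64decode(text)


class ToyKRA:
    """Hypothetical KRA: the only party holding the transport private key.
    A real KRA re-wraps under a storage key; this one keeps a dict."""

    def __init__(self):
        self._transport_key = rsa.generate_private_key(public_exponent=65537,
                                                       key_size=2048)
        # what vault-config hands the client (a certificate in the real flow)
        self.transport_public_key = self._transport_key.public_key()
        self._store = {}  # client_key_id -> base64 secret

    def archive_encrypted_data(self, client_key_id, wrapped_vault_data,
                               wrapped_session_key, nonce):
        session_key = self._transport_key.decrypt(wrapped_session_key, OAEP)
        vault_data = AESGCM(session_key).decrypt(nonce, wrapped_vault_data, None)
        self._store[client_key_id] = json.loads(vault_data)["data"]

    def retrieve_key(self, client_key_id, wrapped_session_key):
        # the client sent a fresh session key; re-encrypt the secret under it
        session_key = self._transport_key.decrypt(wrapped_session_key, OAEP)
        nonce = os.urandom(12)
        vault_data = json.dumps({"data": self._store[client_key_id]}).encode()
        return AESGCM(session_key).encrypt(nonce, vault_data, None), nonce


def client_archive_options(transport_public_key, secret):
    """vault_archive.forward(): the three options the server actually sees."""
    session_key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)
    vault_data = json.dumps({"data": b64(secret)}).encode()
    return {
        "session_key": b64(transport_public_key.encrypt(session_key, OAEP)),
        "nonce": b64(nonce),
        "vault_data": b64(AESGCM(session_key).encrypt(nonce, vault_data, None)),
    }


def server_archive(kra, client_key_id, options):
    """vault_archive.execute(): base64-decode and forward, nothing else."""
    kra.archive_encrypted_data(client_key_id, unb64(options["vault_data"]),
                               unb64(options["session_key"]),
                               unb64(options["nonce"]))


def server_retrieve(kra, client_key_id, options):
    """vault_retrieve.execute(): pass the wrapped session key to the KRA."""
    encrypted, nonce = kra.retrieve_key(client_key_id, unb64(options["session_key"]))
    return {"vault_data": b64(encrypted), "nonce": b64(nonce)}


def client_retrieve(kra, client_key_id):
    """vault_retrieve.forward(): new session key per request, unwrap locally."""
    session_key = AESGCM.generate_key(bit_length=256)
    wrapped = kra.transport_public_key.encrypt(session_key, OAEP)
    result = server_retrieve(kra, client_key_id, {"session_key": b64(wrapped)})
    vault_data = AESGCM(session_key).decrypt(unb64(result["nonce"]),
                                             unb64(result["vault_data"]), None)
    return unb64(json.loads(vault_data)["data"])


def roundtrip(secret):
    """Archive then retrieve; also report whether the server ever saw the secret."""
    kra = ToyKRA()
    key_id = "ipa:/users/admin/test_vault"  # shape of vault.get_key_id(), made up
    options = client_archive_options(kra.transport_public_key, secret)
    server_saw_plaintext = any(secret in unb64(v) for v in options.values())
    server_archive(kra, key_id, options)
    return client_retrieve(kra, key_id), server_saw_plaintext


def archive_from_server_side(kra, secret):
    """Endi's caveat: calling execute() without the client half is rejected,
    because nothing was wrapped under the transport key. Returns True if so."""
    bogus = {"vault_data": b64(secret), "session_key": b64(secret),
             "nonce": b64(os.urandom(12))}
    try:
        server_archive(kra, "ipa:/users/admin/bogus", bogus)
        return False
    except ValueError:  # RSA-OAEP unwrap of a non-ciphertext fails here
        return True
```

The point of `roundtrip` returning the second value is the one Endi makes: every field in the options dict that reaches the server is ciphertext, so a plugin that wants to archive from inside the server has to reproduce `client_archive_options` itself, and anything that already holds the plaintext server-side has already lost the property the vault is for.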
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 02 Jun 2015 08:10:59 +0200 Subject: [Freeipa-devel] [PATCH] Password vault In-Reply-To: <556CF209.7050404@redhat.com> References: <54E1AF55.3060409@redhat.com> <54EBEB55.6010306@redhat.com> <54F96B22.9050507@redhat.com> <55004D5D.6060300@redhat.com> <550FE5EB.1070606@redhat.com> <551E0AE1.8040500@redhat.com> <553498D1.1020901@redhat.com> <55651209.8020000@redhat.com> <556558AA.6040107@redhat.com> <556CF209.7050404@redhat.com> Message-ID: <556D48F3.7040902@redhat.com> On 06/02/2015 02:00 AM, Endi Sukma Dewata wrote: > Please take a look at the updated patch. > > On 5/27/2015 12:39 AM, Jan Cholasta wrote: >>>>>>>> 21) vault_archive is not a retrieve operation, it should be based on >>>>>>>> LDAPUpdate instead of LDAPRetrieve. Or Command actually, since it >>>>>>>> does >>>>>>>> not do anything with LDAP. The same applies to vault_retrieve. >>>>>>> >>>>>>> The vault_archive does not actually modify the LDAP entry because it >>>>>>> stores the data in KRA. It is actually an LDAPRetrieve operation >>>>>>> because >>>>>>> it needs to get the vault info before it can perform the archival >>>>>>> operation. Same thing with vault_retrieve. >>>>>> >>>>>> It is not an LDAPRetrieve operation, because it has different >>>>>> semantics. >>>>>> Please use Command as base class and either use ldap2 for direct >>>>>> LDAP or >>>>>> call vault_show instead of hacking around LDAPRetrieve. >>>>> >>>>> It's been changed to inherit from LDAPQuery instead. >>>> >>>> NACK, it's not an LDAPQuery operation, because it has different >>>> semantics. There is more to a command than executing code, so you should >>>> use a correct base class. >>> >>> Changed to inherit from Command as requested. Now these commands no >>> longer have direct access to the vault object (self.obj) although they >>> are accessing vault objects like other vault commands. Also now the >>> vault name argument has to be added explicitly on each command.
>> >> You can inherit from crud.Retrieve and crud.Update to get self.obj and >> the argument back. > > I tried this: > > class vault_retrieve(Command, crud.Retrieve): > > and it gave me an error: > > TypeError: Error when calling the metaclass bases > Cannot create a consistent method resolution > order (MRO) for bases Retrieve, Command > > I'm sticking with the original code since it works fine although not ideal. I'm > not a Python expert, so if you know how to fix this properly please feel free > to post a patch on top of this. > >> If KRA is not installed, vault-archive and vault-retrieve fail with >> internal error. > > Added code to check KRA installation in all vault commands. If you know a way > not to load the vault plugin if the KRA is not installed please let me know, > that's probably even better. Not sure how that will work on the client side > though. > >> The commands still behave differently based on whether they were called >> from API which was initialized with in_server set to True or False. > > That is unfortunately a restriction imposed by the framework. In order to > guarantee the security, the vault is designed to have separate client and > server code. The client code encrypts the secret, the server code forwards the > encrypted secret to KRA. To archive a secret into a vault properly, you are > supposed to call the client code. If you're calling the server code directly, > you are responsible for doing your own encryption (i.e. generating session key, > nonce, and vault data). > > If another plugin wants to use vault, it should implement client code which > calls the vault client code to perform the archival from the client side. > > What is the use case for calling the vault API from the server side anyway? > Wouldn't that defeat the purpose of having a vault? If a secret exists on the > server side in an unencrypted form doesn't it mean the secret may already have > been compromised?
> >> There is no point in exposing the session_key, nonce and vault_data >> options in CLI when their value is always overwritten in forward(). > > I agree there is no need to expose them in CLI, but in this framework the API > also defines the CLI. If there's a way to keep them in the server API but not > expose them in the CLI please let me know. Or, if there's a way to define > completely separate server API (without a matching client CLI) and client CLI > (without a matching server API) that will work too. > >> Will this always succeed? >> >> + # deactivate vault record in KRA >> + response = kra_client.keys.list_keys( >> + client_key_id, pki.key.KeyClient.KEY_STATUS_ACTIVE) > > Yes. If there are no active keys it will return an empty collection. > >> + for key_info in response.key_infos: >> + kra_client.keys.modify_key_status( >> + key_info.get_key_id(), >> + pki.key.KeyClient.KEY_STATUS_INACTIVE) > > This loop will do nothing given an empty collection. > >> If not, we might get into an inconsistent state, where the vault is >> deleted in LDAP but still active in KRA. (I'm not sure if this is >> actually a problem or not.) > > That can only happen if the server crashes after deleting the vault but before > deactivating the key. Regardless, it will not be a problem because the key is > identified by vault ID/path so it will not conflict with other vaults, and it > will get overwritten if the same vault is recreated again. > Hi Endi, Quickly skimming through your patches raised a couple of questions on my side: 1) Will it be possible to also store a plain text password via Vault? It talks about taking in the binary data or the text file, but will it also work with plain user secrets (passwords)? I am talking about use like this: # ipa vault-archive --user mkosek --data Secret123 2) Didn't we discuss a dependency of IPA/Vault on python-cryptography in the past? I'd rather see use of python-nss for cryptography...
3) You do a lot of actions in the forward() method (as planned in https://www.freeipa.org/page/V4/Password_Vault#Archival). But how do you envision that this is consumed by the Web UI? It does not have access to the forward() method. Would it need to also include some crypto library? 4) In the vault-archive forward method, you use "pki" module. However, this module will be only available on FreeIPA PKI-powered servers and not on FreeIPA clients - so this will not work unless freeipa-client gets a dependency on pki-base - which is definitely not something we want... Thanks, Martin From ofayans at redhat.com Tue Jun 2 07:56:49 2015 
From: ofayans at redhat.com (Oleg Fayans) Date: Tue, 02 Jun 2015 09:56:49 +0200 Subject: [Freeipa-devel] [PATCH 0007] replica install fails with domain level 1 In-Reply-To: <556C71A6.9040101@redhat.com> References: <55687B3C.4070303@redhat.com> <556C1937.6070502@redhat.com> <556C2399.6090808@redhat.com> <556C433E.90008@redhat.com> <556C467D.8040705@redhat.com> <556C68DA.40309@redhat.com> <556C71A6.9040101@redhat.com> Message-ID: <556D61C1.1060400@redhat.com> Hi Ludwig, Nope, I did not remove the replica2 (this time), I just used the replica3 machine because I had it at hand. I'll re-run the whole procedure today to see if it reproduces. On 06/01/2015 04:52 PM, Ludwig Krispenz wrote: > Hi Oleg, > On 06/01/2015 04:14 PM, Petr Vobornik wrote: >> On 06/01/2015 01:48 PM, Ludwig Krispenz wrote: >>> >>> On 06/01/2015 01:34 PM, Oleg Fayans wrote: >>>> So far I've bumped into a problem, using the newly built packages: >>>> >>>> I've installed a master, a replica (replica1) Then replica3 (prepared >>>> on replica1), so, my topology looks like this: >>>> >>>> master <=> replica1 <=> replica3 >>>> >>>> However, the `ipa topologysegment-find` shows correct topology only on >>>> replicas (not on master) >>> looks like replication from replica1 to master is not/no longer working. >>> will look into this. >> >> With the same topology, replication works for me. I've not done >> anything else related to topology after the installation. Maybe some >> other operations caused that. > could it be that you had a replica2 which you had removed ? >> >> >>>> >>>> The second problem, is that the changes (like user creation) made on >>>> any of the nodes do not get replicated to other ones. The dirsrv logs >>>> are full of GSSAPI errors like this: >> >> Seems to be caused by the first issue.
>> >>>> >>>> ===================================================================== >>>> [01/Jun/2015:07:04:48 -0400] slapi_ldap_bind - Error: could not >>>> perform interactive bind for id [] authentication mechanism [GSSAPI]: >>>> error -1 (Can't contact LDAP server) >>>> [01/Jun/2015:07:09:46 -0400] slapi_ldap_bind - Error: could not send >>>> startTLS request: error -1 (Can't contact LDAP server) errno 0 >>>> (Success) >>>> [01/Jun/2015:07:09:46 -0400] slapi_ldap_bind - Error: could not send >>>> startTLS request: error -1 (Can't contact LDAP server) errno 0 >>>> (Success) >>>> [01/Jun/2015:07:09:47 -0400] slapd_ldap_sasl_interactive_bind - Error: >>>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error >>>> -1 (Can't contact LDAP server) ((null)) errno 0 (Success) >>>> ===================================================================== >>>> >>>> Full logs are attached >>>> I am using the 389-ds-base from mreynolds/389-ds-base dnf repo: >>>> root at testmaster:~]$ rpm -q 389-ds-base >>>> 389-ds-base-2015_03_11-1.fc21.x86_64 >> >> I used the one from mkosek/freeipa-master COPR: >> 389-ds-base-1.3.4.a1-20150512143653.git1bf67a4.fc17.src.rpm >> >>>> >>>> >>>> >>>> On 06/01/2015 11:19 AM, Oleg Fayans wrote: >>>>> Works for me too. Will perform extensive testing today, and report >>>>> everything that I find. >>>>> Thanks, Ludwig! >>>>>> On 05/29/2015 04:44 PM, Ludwig Krispenz wrote: >>>>>>> This is a patch for the two issues reported in ticket #5035 >>>>>>> https://fedorahosted.org/freeipa/ticket/5035 >>>>>>> >>>>>>> >>>>>> >>>>>> Works for me. I was able to install 2 replicas with domain level 1 >>>>>> in one topology. >>>>>> >>>>>> Code looks good to me as well. Tentative ACK (would be nice if it >>>>>> was skimmed by Thierry). >> > -- Oleg Fayans Quality Engineer FreeIPA team RedHat. From lkrispen at redhat.com Tue Jun 2 08:04:55 2015
From: lkrispen at redhat.com (Ludwig Krispenz) Date: Tue, 02 Jun 2015 10:04:55 +0200 Subject: [Freeipa-devel] [PATCH 0008-0009] use 1 as domain level to activate plugin, fix a crash when removing a replica Message-ID: <556D63A7.4090307@redhat.com> Hi, with the first patch the topo plugin no longer uses plugin version to compare to set domainlevel, always gets activated if dom level >= 1 the second patch fixes a crash at replica removal Ludwig -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-lkrispen-0008-plugin-uses-1-as-minimum-domain-level-to-become-acti.patch Type: text/x-patch Size: 5160 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-lkrispen-0009-crash-when-removing-a-replica.patch Type: text/x-patch Size: 2032 bytes Desc: not available URL: From ofayans at redhat.com Tue Jun 2 08:12:07 2015 
From: ofayans at redhat.com (Oleg Fayans) Date: Tue, 02 Jun 2015 10:12:07 +0200 Subject: [Freeipa-devel] [PATCH 0008-0009] use 1 as domain level to activate plugin, fix a crash when removing a replica In-Reply-To: <556D63A7.4090307@redhat.com> References: <556D63A7.4090307@redhat.com> Message-ID: <556D6557.4060506@redhat.com> Hi Ludwig, Are you talking about this crash? 2015-06-02T08:06:57Z DEBUG stderr= 2015-06-02T08:06:57Z DEBUG File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 733, in run_script return_value = main_function() File "/sbin/ipa-server-install", line 375, in main server.uninstall(options) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 279, in decorated destroy_private_ccache() File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 267, in destroy_private_ccache if os.path.exists(path): File "/usr/lib64/python2.7/genericpath.py", line 18, in exists os.stat(path) 2015-06-02T08:06:57Z DEBUG The ipa-server-install command failed, exception: TypeError: coercing to Unicode: need string or buffer, NoneType found On 06/02/2015 10:04 AM, Ludwig Krispenz wrote: > Hi, > > with the first patch the topo plugin no longer uses plugin version to > compare to set domainlevel, always gets activated if dom level >= 1 > the second patch fixes a crash at replica removal > > Ludwig > > -- Oleg Fayans Quality Engineer FreeIPA team RedHat. -------------- next part -------------- An HTML attachment was scrubbed... URL: From lkrispen at redhat.com Tue Jun 2 08:24:05 2015 
From: lkrispen at redhat.com (Ludwig Krispenz) Date: Tue, 02 Jun 2015 10:24:05 +0200 Subject: [Freeipa-devel] [PATCH 0008-0009] use 1 as domain level to activate plugin, fix a crash when removing a replica In-Reply-To: <556D6557.4060506@redhat.com> References: <556D63A7.4090307@redhat.com> <556D6557.4060506@redhat.com> Message-ID: <556D6825.2070000@redhat.com> On 06/02/2015 10:12 AM, Oleg Fayans wrote: > Hi Ludwig, > > Are you talking about this crash? I'm talking about a crash in DS which MBasti reported for ipa-replica-manage del > > 2015-06-02T08:06:57Z DEBUG stderr= > 2015-06-02T08:06:57Z DEBUG File > "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", > line 733, in run_script > return_value = main_function() > > File "/sbin/ipa-server-install", line 375, in main > server.uninstall(options) > > File > "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line > 279, in decorated > destroy_private_ccache() > > File > "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line > 267, in destroy_private_ccache > if os.path.exists(path): > > File "/usr/lib64/python2.7/genericpath.py", line 18, in exists > os.stat(path) > > 2015-06-02T08:06:57Z DEBUG The ipa-server-install command failed, > exception: TypeError: coercing to Unicode: need string or buffer, > NoneType found > > > > On 06/02/2015 10:04 AM, Ludwig Krispenz wrote: >> Hi, >> >> with the first patch the topo plugin no longer uses plugin version to >> compare to set domainlevel, always gets activated if dom level >= 1 >> the second patch fixes a crash at replica removal >> >> Ludwig >> >> > > -- > Oleg Fayans > Quality Engineer > FreeIPA team > RedHat. > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From ftweedal at redhat.com Tue Jun 2 08:24:48 2015
From: ftweedal at redhat.com (Fraser Tweedale) Date: Tue, 2 Jun 2015 18:24:48 +1000 Subject: [Freeipa-devel] [PATCH 0262] Installer FIX: remove temporal ccache In-Reply-To: <556C7092.1070700@redhat.com> References: <556C49CB.30801@redhat.com> <556C68DA.4030808@redhat.com> <556C7092.1070700@redhat.com> Message-ID: <20150602082448.GP23523@dhcp-40-8.bne.redhat.com> On Mon, Jun 01, 2015 at 04:47:46PM +0200, Martin Basti wrote: > On 01/06/15 16:14, Rob Crittenden wrote: > >Martin Basti wrote: > >>Fixes an issue caused by the latest installer patches pushed to master. > >> > >>Patch attached. > >> > >> > >> > > > >The use of globals makes my skin crawl a bit, but since you're making > >changes in here you should take a look at this ticket: > >https://fedorahosted.org/freeipa/ticket/5042 > > > >rob > Hi Rob, > > this is fix for that ticket, I missed the ticket somehow. > > Thanks. > Martin^2 > > -- > Manage your subscription for the Freeipa-devel mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-devel > Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code Fixes the problem for me, but I agree with Rob re globals - a context manager would be much nicer. Something like (pseudocode):

    @contextlib.contextmanager
    def private_ccache():
        ... stuff currently in init_private_ccache()
        yield
        ... stuff currently in destroy_private_ccache()

Then in ipa-server-install main():

    with private_ccache():
        if not options.uninstall:
            server.install_check(options)
            server.install(options)
        else:
            server.uninstall_check(options)
            server.uninstall(options)

Cheers, Fraser From mkubik at redhat.com Tue Jun 2 08:27:26 2015
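The context manager proposed above, written out as a runnable sketch (an added example, not FreeIPA installer code and not the patch under review): cleanup sits in a finally block so the temporary cache is removed whether the wrapped install/uninstall step returns or raises, and the destroy step tolerates a None path, which is what the ipa-server-install traceback earlier in this thread tripped over in os.path.exists(). The names private_ccache and destroy_private_ccache follow the thread; run_with_private_ccache and write_fake_ticket are illustrative helpers, and the mkstemp-based cache path is an assumption.

```python
"""Private Kerberos ccache as a context manager (added example, not FreeIPA code)."""
import contextlib
import os
import tempfile


def destroy_private_ccache(path):
    """Remove a private ccache file. Returns True if a file was removed.

    A None path means "nothing was created, nothing to clean up" and is
    handled before os.path.exists() is called; passing None through is the
    TypeError the uninstall run in this thread reported.
    """
    if path is None:
        return False
    if os.path.exists(path):
        os.remove(path)
        return True
    return False


@contextlib.contextmanager
def private_ccache(path=None):
    """Point KRB5CCNAME at a private credential cache for the with-block
    and restore the caller's environment afterwards.

    Without an explicit path a temporary file is created (assumption:
    mkstemp, which creates the file atomically with mode 0600 so nothing
    else can pre-create it). Cleanup runs in finally, so it happens on
    normal exit and on exception alike.
    """
    created = False
    if path is None:
        fd, path = tempfile.mkstemp(prefix="ipa-krbcc-", suffix=".ccache")
        os.close(fd)
        created = True

    saved = os.environ.get("KRB5CCNAME")
    os.environ["KRB5CCNAME"] = "FILE:" + path
    try:
        yield path
    finally:
        if saved is None:
            os.environ.pop("KRB5CCNAME", None)
        else:
            os.environ["KRB5CCNAME"] = saved
        # Only delete a cache this context manager created itself.
        destroy_private_ccache(path if created else None)


def write_fake_ticket(path):
    """Stand-in for the installer step that would obtain credentials."""
    with open(path, "w") as f:
        f.write("constructed stand-in for ccache contents\n")


def run_with_private_ccache(step, fail=False):
    """Run one installer step under private_ccache() and report what was
    seen inside the block and what is left over afterwards.

    fail=True simulates the step raising, the case in which a module-level
    init/destroy pair can leave the cache behind or never set the path.
    """
    before = os.environ.get("KRB5CCNAME")
    seen = {"path": None, "inside": None}
    try:
        with private_ccache() as cache_path:
            seen["path"] = cache_path
            seen["inside"] = os.environ["KRB5CCNAME"]
            step(cache_path)
            if fail:
                raise RuntimeError("simulated failure in installer step")
    except RuntimeError:
        pass  # the installer would log this; here we only inspect cleanup
    seen["restored"] = os.environ.get("KRB5CCNAME") == before
    seen["removed"] = seen["path"] is not None and not os.path.exists(seen["path"])
    return seen


if __name__ == "__main__":
    print(run_with_private_ccache(write_fake_ticket))
    print(run_with_private_ccache(write_fake_ticket, fail=True))
```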
From: mkubik at redhat.com (Milan Kubik) Date: Tue, 02 Jun 2015 10:27:26 +0200 Subject: [Freeipa-devel] [patch 0002] Abstract the HostTracker class from host plugin test Message-ID: <556D68EE.7010403@redhat.com> Hello, this is the (first) patch with the Tracker class implementation based on host plugin test. It is meant to be used as a base class to implement a helper class to write xml-rpc (api) tests for LDAP based plugins and to replace the Declarative class which is used for most of the xml-rpc tests at the moment. For an example usage take a look at the host plugin test. Cheers, Milan -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkubik-0002-Abstract-the-HostTracker-class-from-host-plugin-test.patch Type: text/x-patch Size: 20259 bytes Desc: not available URL: From Duncan.Innes at virginmoney.com Tue Jun 2 08:29:04 2015 
From: Duncan.Innes at virginmoney.com (Innes, Duncan) Date: Tue, 2 Jun 2015 09:29:04 +0100 Subject: [Freeipa-devel] Suggestion for the A part of IPA In-Reply-To: <56343345B145C043AE990701E3D193950478E5A6@EXVS2.nrplc.localnet> References: <56343345B145C043AE990701E3D193950478E5A4@EXVS2.nrplc.localnet><55407D25.9030505@redhat.com> <56343345B145C043AE990701E3D193950478E5A6@EXVS2.nrplc.localnet> Message-ID: <56343345B145C043AE990701E3D193950BD1FBA1@EXVS2.nrplc.localnet> Just a bit of a heads-up and a refresh of this with perhaps some new data. > > Good to hear :-) We recently also started investigating the Audit > capabilities for (notice I write "for" and not "in") IPA. You can > check my initial nudge to the freeipa-users list, which was > unfortunately with no reply: > > https://www.redhat.com/archives/freeipa-users/2015-March/msg00940.html > First up, just got round to reading this Martin. Not sure how I missed it when it first came out as it's a strong area of interest for me. The main part of what this message is about is a big change I made to our logging recently. I added in 4 of our main production IPA servers (there are 8 in total, but 4 sit beyond firewalls that take more scrutiny for changes than I wanted for now). The 4 I've added, though, serve more clients I figure. The amount of log traffic to the pair of Logstash servers has now jumped from around 50k records/hour to around 250k. Doubtless this still doesn't push any of the parts to their limits, but there has been a barely noticeable increase in CPU usage on the 2 Logstash servers. We've gone from around 2% CPU usage to 4%. Since the CPU usage on our 'loudest' IPA server rarely peaks above 10%, this doesn't present nearly as much load as I had anticipated. I have run Logstash parsers on my DEV IPA boxes, but will now investigate running them on my Prod servers too.
What I'm getting at is that perhaps clients sending logs back to the IPA servers for parsing, then being sent on to a central DB for storage, isn't going to break the bank performance-wise. All of the systems in question here are 2vCPU with 4Gb vRAM running on ESXi hosts, so nothing special in the performance arena. It strikes me as a reasonably elegant solution to pair the authentication and log parsing services on the same set of servers. This would allow each client to use the same servers/failover etc for SSSD as for rsyslog. There may, of course, be other considerations, but I'm suggesting that system load isn't necessarily one of them. Much as projects such as Katello can run with everything on the same server, or split out Postgres and the like onto separate servers when there are performance considerations. Thoughts? I'm not saying they should always be paired, but that if a user designs a system with enough horse power, this piggy-backing could work well. Cheers Duncan
From ofayans at redhat.com Tue Jun 2 08:37:43 2015
From: ofayans at redhat.com (Oleg Fayans) Date: Tue, 02 Jun 2015 10:37:43 +0200 Subject: [Freeipa-devel] TypeError at ipa-server-uninstall Message-ID: <556D6B57.7080301@redhat.com> Hi all, I've just caught a TypeError while performing the ipa-server-install --uninstall on replicas running the latest ipa code (without today's patches from Ludwig, though). Here is the session transcript: $ ipa-server-install --uninstall This is a NON REVERSIBLE operation and will delete all data and configuration! Are you sure you want to continue with the uninstall procedure? [no]: yes Replication agreements with the following IPA masters found: replica3.zaeba.li, testmaster.zaeba.li. Removing any replication agreements before uninstalling the server is strongly recommended. You can remove replication agreements by running the following command on any other IPA master: $ ipa-replica-manage del replica1.zaeba.li Are you sure you want to continue with the uninstall procedure? [no]: yes Shutting down all IPA services Removing IPA client configuration Unconfiguring ntpd Configuring certmonger to stop tracking system certificates for KRA Configuring certmonger to stop tracking system certificates for CA Unconfiguring CA Unconfiguring named Unconfiguring ipa-dnskeysyncd Unconfiguring web server Unconfiguring krb5kdc Unconfiguring kadmin Unconfiguring directory server Unconfiguring ipa_memcached Unconfiguring ipa-otpd Unexpected error - see /var/log/ipaserver-uninstall.log for details: TypeError: coercing to Unicode: need string or buffer, NoneType found The logfile is attached. This error was reproduced twice. -- Oleg Fayans Quality Engineer FreeIPA team RedHat. -------------- next part -------------- A non-text attachment was scrubbed... Name: ipaserver-uninstall.log Type: text/x-log Size: 58877 bytes Desc: not available URL: From mbasti at redhat.com Tue Jun 2 08:41:03 2015 
From: mbasti at redhat.com (Martin Basti) Date: Tue, 02 Jun 2015 10:41:03 +0200 Subject: [Freeipa-devel] TypeError at ipa-server-uninstall In-Reply-To: <556D6B57.7080301@redhat.com> References: <556D6B57.7080301@redhat.com> Message-ID: <556D6C1F.5070800@redhat.com> On 02/06/15 10:37, Oleg Fayans wrote: > Hi all, > > I've just caught a TypeError while performing the ipa-server-install > --uninstall on replicas running the latest ipa code (without today's > patches from Ludwig, though). > Here is the session transcript: > $ ipa-server-install --uninstall > > This is a NON REVERSIBLE operation and will delete all data and > configuration! > > Are you sure you want to continue with the uninstall procedure? [no]: yes > > Replication agreements with the following IPA masters found: > replica3.zaeba.li, > testmaster.zaeba.li. Removing any replication agreements before > uninstalling the > server is strongly recommended. You can remove replication agreements > by running > the following command on any other IPA master: > $ ipa-replica-manage del replica1.zaeba.li > > Are you sure you want to continue with the uninstall procedure? [no]: yes > Shutting down all IPA services > Removing IPA client configuration > Unconfiguring ntpd > Configuring certmonger to stop tracking system certificates for KRA > Configuring certmonger to stop tracking system certificates for CA > Unconfiguring CA > Unconfiguring named > Unconfiguring ipa-dnskeysyncd > Unconfiguring web server > Unconfiguring krb5kdc > Unconfiguring kadmin > Unconfiguring directory server > Unconfiguring ipa_memcached > Unconfiguring ipa-otpd > Unexpected error - see /var/log/ipaserver-uninstall.log for details: > TypeError: coercing to Unicode: need string or buffer, NoneType found > > The logfile is attached. This error was reproduced twice. > > > Patch mbasti-0262 fixes it. https://fedorahosted.org/freeipa/ticket/5042 HTH -- Martin Basti -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From ofayans at redhat.com Tue Jun 2 08:46:20 2015 
From: ofayans at redhat.com (Oleg Fayans) Date: Tue, 02 Jun 2015 10:46:20 +0200 Subject: [Freeipa-devel] TypeError at ipa-server-uninstall In-Reply-To: <556D6C1F.5070800@redhat.com> References: <556D6B57.7080301@redhat.com> <556D6C1F.5070800@redhat.com> Message-ID: <556D6D5C.1020605@redhat.com> Thanks Martin! It's not merged yet, I can suggest? I think I'll apply it as it is manually then. On 06/02/2015 10:41 AM, Martin Basti wrote: > On 02/06/15 10:37, Oleg Fayans wrote: >> Hi all, >> >> I've just caught a TypeError while performing the ipa-server-install >> --uninstall on replicas running the latest ipa code (without today's >> patches from Ludwig, though). >> Here is the session transcript: >> $ ipa-server-install --uninstall >> >> This is a NON REVERSIBLE operation and will delete all data and >> configuration! >> >> Are you sure you want to continue with the uninstall procedure? [no]: >> yes >> >> Replication agreements with the following IPA masters found: >> replica3.zaeba.li, >> testmaster.zaeba.li. Removing any replication agreements before >> uninstalling the >> server is strongly recommended. You can remove replication agreements >> by running >> the following command on any other IPA master: >> $ ipa-replica-manage del replica1.zaeba.li >> >> Are you sure you want to continue with the uninstall procedure? 
[no]: >> yes >> Shutting down all IPA services >> Removing IPA client configuration >> Unconfiguring ntpd >> Configuring certmonger to stop tracking system certificates for KRA >> Configuring certmonger to stop tracking system certificates for CA >> Unconfiguring CA >> Unconfiguring named >> Unconfiguring ipa-dnskeysyncd >> Unconfiguring web server >> Unconfiguring krb5kdc >> Unconfiguring kadmin >> Unconfiguring directory server >> Unconfiguring ipa_memcached >> Unconfiguring ipa-otpd >> Unexpected error - see /var/log/ipaserver-uninstall.log for details: >> TypeError: coercing to Unicode: need string or buffer, NoneType found >> >> The logfile is attached. This error was reproduced twice. >> >> >> > > Patch mbasti-0262 fixes it. > https://fedorahosted.org/freeipa/ticket/5042 > HTH > -- > Martin Basti -- Oleg Fayans Quality Engineer FreeIPA team RedHat. -------------- next part -------------- An HTML attachment was scrubbed... URL: From mbasti at redhat.com Tue Jun 2 08:47:28 2015 
From: mbasti at redhat.com (Martin Basti) Date: Tue, 02 Jun 2015 10:47:28 +0200 Subject: [Freeipa-devel] TypeError at ipa-server-uninstall In-Reply-To: <556D6D5C.1020605@redhat.com> References: <556D6B57.7080301@redhat.com> <556D6C1F.5070800@redhat.com> <556D6D5C.1020605@redhat.com> Message-ID: <556D6DA0.8000901@redhat.com> On 02/06/15 10:46, Oleg Fayans wrote: > Thanks Martin! > > It's not merged yet, I can suggest? I think I'll apply it as it is > manually then. > > On 06/02/2015 10:41 AM, Martin Basti wrote: >> On 02/06/15 10:37, Oleg Fayans wrote: >>> Hi all, >>> >>> I've just caught a TypeError while performing the ipa-server-install >>> --uninstall on replicas running the latest ipa code (without today's >>> patches from Ludwig, though). >>> Here is the session transcript: >>> $ ipa-server-install --uninstall >>> >>> This is a NON REVERSIBLE operation and will delete all data and >>> configuration! >>> >>> Are you sure you want to continue with the uninstall procedure? >>> [no]: yes >>> >>> Replication agreements with the following IPA masters found: >>> replica3.zaeba.li, >>> testmaster.zaeba.li. Removing any replication agreements before >>> uninstalling the >>> server is strongly recommended. You can remove replication >>> agreements by running >>> the following command on any other IPA master: >>> $ ipa-replica-manage del replica1.zaeba.li >>> >>> Are you sure you want to continue with the uninstall procedure? 
>>> [no]: yes >>> Shutting down all IPA services >>> Removing IPA client configuration >>> Unconfiguring ntpd >>> Configuring certmonger to stop tracking system certificates for KRA >>> Configuring certmonger to stop tracking system certificates for CA >>> Unconfiguring CA >>> Unconfiguring named >>> Unconfiguring ipa-dnskeysyncd >>> Unconfiguring web server >>> Unconfiguring krb5kdc >>> Unconfiguring kadmin >>> Unconfiguring directory server >>> Unconfiguring ipa_memcached >>> Unconfiguring ipa-otpd >>> Unexpected error - see /var/log/ipaserver-uninstall.log for details: >>> TypeError: coercing to Unicode: need string or buffer, NoneType found >>> >>> The logfile is attached. This error was reproduced twice. >>> >>> >>> >> >> Patch mbasti-0262 fixes it. >> https://fedorahosted.org/freeipa/ticket/5042 >> HTH >> -- >> Martin Basti > > -- > Oleg Fayans > Quality Engineer > FreeIPA team > RedHat. It is not merged, and it may change. -- Martin Basti -------------- next part -------------- An HTML attachment was scrubbed... URL: From mbasti at redhat.com Tue Jun 2 08:53:11 2015 
From: mbasti at redhat.com (Martin Basti) Date: Tue, 02 Jun 2015 10:53:11 +0200 Subject: [Freeipa-devel] [PATCH 0262] Installer FIX: remove temporal ccache In-Reply-To: <20150602082448.GP23523@dhcp-40-8.bne.redhat.com> References: <556C49CB.30801@redhat.com> <556C68DA.4030808@redhat.com> <556C7092.1070700@redhat.com> <20150602082448.GP23523@dhcp-40-8.bne.redhat.com> Message-ID: <556D6EF7.9050902@redhat.com> On 02/06/15 10:24, Fraser Tweedale wrote: > On Mon, Jun 01, 2015 at 04:47:46PM +0200, Martin Basti wrote: >> On 01/06/15 16:14, Rob Crittenden wrote: >>> Martin Basti wrote: >>>> Fixes an issue caused by the latest installer patches pushed to master. >>>> >>>> Patch attached. >>>> >>>> >>>> >>> The use of globals makes my skin crawl a bit, but since you're making >>> changes in here you should take a look at this ticket: >>> https://fedorahosted.org/freeipa/ticket/5042 >>> >>> rob >> Hi Rob, >> >> this is fix for that ticket, I missed the ticket somehow. >> >> Thanks. >> Martin^2 >> >> -- >> Manage your subscription for the Freeipa-devel mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-devel >> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code > Fixes the problem for me, but I agree with Rob re globals - a > context manager would be much nicer. Something like (pseudocode): > > @contextlib.context_manager > def private_ccache(): > ... stuff currently in init_private_ccache() > yield > ... stuff currently in destroy_private_ccache() > > Then in ipa-server-install main(): > > with private_ccache: > if not options.uninstall: > server.install_check(options) > server.install(options) > else: > server.uninstall_check(options) > server.uninstall(options) > > Cheers, > Fraser Thank you! However, I would wait for Honza's answer, if this will fit in his big installer plan. -- Martin Basti From ftweedal at redhat.com Tue Jun 2 09:07:18 2015 
From: ftweedal at redhat.com (Fraser Tweedale) Date: Tue, 2 Jun 2015 19:07:18 +1000 Subject: [Freeipa-devel] TypeError at ipa-server-uninstall In-Reply-To: <556D6B57.7080301@redhat.com> References: <556D6B57.7080301@redhat.com> Message-ID: <20150602090718.GQ23523@dhcp-40-8.bne.redhat.com> On Tue, Jun 02, 2015 at 10:37:43AM +0200, Oleg Fayans wrote: > Hi all, > > I've just caught a TypeError while performing the ipa-server-install > --uninstall on replicas running the latest ipa code (without today's patches > from Ludwig, though). > Martin Basti's PATCH 0262 (not yet pushed) fixes this issue. > Here is the session transcript: > $ ipa-server-install --uninstall > > This is a NON REVERSIBLE operation and will delete all data and > configuration! > > Are you sure you want to continue with the uninstall procedure? [no]: yes > > Replication agreements with the following IPA masters found: > replica3.zaeba.li, > testmaster.zaeba.li. Removing any replication agreements before uninstalling > the > server is strongly recommended. You can remove replication agreements by > running > the following command on any other IPA master: > $ ipa-replica-manage del replica1.zaeba.li > > Are you sure you want to continue with the uninstall procedure? [no]: yes > Shutting down all IPA services > Removing IPA client configuration > Unconfiguring ntpd > Configuring certmonger to stop tracking system certificates for KRA > Configuring certmonger to stop tracking system certificates for CA > Unconfiguring CA > Unconfiguring named > Unconfiguring ipa-dnskeysyncd > Unconfiguring web server > Unconfiguring krb5kdc > Unconfiguring kadmin > Unconfiguring directory server > Unconfiguring ipa_memcached > Unconfiguring ipa-otpd > Unexpected error - see /var/log/ipaserver-uninstall.log for details: > TypeError: coercing to Unicode: need string or buffer, NoneType found > > The logfile is attached. This error was reproduced twice. > > -- > Oleg Fayans > Quality Engineer > FreeIPA team > RedHat.
> > 2015-06-02T08:06:27Z DEBUG /sbin/ipa-server-install was invoked with options: {'conf_sshd': True, 'ip_addresses': [], 'setup_pkinit': True, 'domainlevel': 1, 'mkhomedir': False, 'create_sshfp': True, 'http_cert_files': None, 'conf_ntp': True, 'subject': None, 'no_forwarders': False, 'ui_redirect': True, 'external_ca_type': None, 'domain_name': None, 'idmax': 0, 'hbac_allow': False, 'http_cert_name': None, 'dirsrv_cert_files': None, 'no_dnssec_validation': False, 'ca_signing_algorithm': None, 'no_reverse': False, 'pkinit_cert_files': None, 'unattended': False, 'external_cert_files': None, 'trust_sshfp': False, 'no_host_dns': False, 'dirsrv_cert_name': None, 'realm_name': None, 'forwarders': None, 'idstart': 217600000, 'external_ca': False, 'pkinit_cert_name': None, 'conf_ssh': True, 'zonemgr': None, 'ca_cert_files': None, 'setup_dns': False, 'host_name': None, 'debug': False, 'reverse_zones': [], 'uninstall': True} > 2015-06-02T08:06:27Z DEBUG missing options might be asked for interactively later > > 2015-06-02T08:06:27Z DEBUG IPA version 4.1.99.201506010847GITe2c2d59-0.fc21 > 2015-06-02T08:06:27Z DEBUG Starting external process > 2015-06-02T08:06:27Z DEBUG args='/usr/sbin/selinuxenabled' > 2015-06-02T08:06:27Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:27Z DEBUG stdout= > 2015-06-02T08:06:27Z DEBUG stderr= > 2015-06-02T08:06:27Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' > 2015-06-02T08:06:27Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:27Z DEBUG importing all plugin modules in '/usr/lib/python2.7/site-packages/ipalib/plugins'... 
> 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/aci.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/automember.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/automount.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/baseuser.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/batch.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/cert.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/config.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/delegation.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/domainlevel.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/group.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacrule.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacsvc.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacsvcgroup.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbactest.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/host.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module 
'/usr/lib/python2.7/site-packages/ipalib/plugins/hostgroup.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/idrange.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/idviews.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/internal.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/kerberos.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/krbtpolicy.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/migration.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/misc.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/netgroup.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/otpconfig.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/otptoken.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/otptoken_yubikey.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/passwd.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/permission.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/ping.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/pkinit.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/privilege.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module 
'/usr/lib/python2.7/site-packages/ipalib/plugins/pwpolicy.py' > 2015-06-02T08:06:27Z DEBUG Starting external process > 2015-06-02T08:06:27Z DEBUG args='klist' '-V' > 2015-06-02T08:06:27Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:27Z DEBUG stdout=Kerberos 5 version 1.12.2 > > 2015-06-02T08:06:27Z DEBUG stderr= > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/radiusproxy.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/realmdomains.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/role.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/rpcclient.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/selfservice.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/selinuxusermap.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/server.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/service.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/stageuser.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/sudocmd.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/sudocmdgroup.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/sudorule.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/topology.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module 
'/usr/lib/python2.7/site-packages/ipalib/plugins/user.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/vault.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/virtual.py' > 2015-06-02T08:06:27Z DEBUG importing all plugin modules in '/usr/lib/python2.7/site-packages/ipaserver/install/plugins'... > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/adtrust.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/ca_renewal_master.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/dns.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/fix_replica_agreements.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/rename_managed.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/update_idranges.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/update_managed_permissions.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/update_pacs.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/update_passsync.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/update_referint.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/update_services.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module 
'/usr/lib/python2.7/site-packages/ipaserver/install/plugins/update_uniqueness.py' > 2015-06-02T08:06:27Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/upload_cacrt.py' > 2015-06-02T08:06:30Z DEBUG Created connection context.ldap2_140233313715920 > 2015-06-02T08:06:30Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-ZAEBA-LI.socket from SchemaCache > 2015-06-02T08:06:30Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-ZAEBA-LI.socket conn= > 2015-06-02T08:06:30Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-ZAEBA-LI.socket from SchemaCache > 2015-06-02T08:06:30Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-ZAEBA-LI.socket conn= > 2015-06-02T08:06:33Z DEBUG Starting external process > 2015-06-02T08:06:33Z DEBUG args='/usr/sbin/ipactl' 'stop' > 2015-06-02T08:06:39Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:39Z DEBUG stdout=Stopping ipa-dnskeysyncd Service > Stopping ipa-otpd Service > Stopping pki-tomcatd Service > Stopping httpd Service > Stopping ipa_memcached Service > Stopping named Service > Stopping kadmin Service > Stopping krb5kdc Service > Stopping Directory Service > > 2015-06-02T08:06:39Z DEBUG stderr=ipa: INFO: The ipactl command was successful > > 2015-06-02T08:06:39Z DEBUG Starting external process > 2015-06-02T08:06:39Z DEBUG args='/usr/sbin/ipa-client-install' '--on-master' '--unattended' '--uninstall' > 2015-06-02T08:06:47Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:47Z DEBUG stdout= > 2015-06-02T08:06:47Z DEBUG stderr=Removing Kerberos service principals from /etc/krb5.keytab > Disabling client Kerberos and LDAP configurations > Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted > Restoring client configuration files > Unconfiguring the NIS domain. > nscd daemon is not installed, skip configuration > nslcd daemon is not installed, skip configuration > Systemwide CA database updated. 
> Client uninstall complete. > > 2015-06-02T08:06:47Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:47Z DEBUG Unconfiguring ntpd > 2015-06-02T08:06:47Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:47Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:47Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:47Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:47Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:47Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:47Z DEBUG Starting external process > 2015-06-02T08:06:47Z DEBUG args='/bin/systemctl' 'stop' 'ntpd.service' > 2015-06-02T08:06:47Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:47Z DEBUG stdout= > 2015-06-02T08:06:47Z DEBUG stderr= > 2015-06-02T08:06:47Z DEBUG Starting external process > 2015-06-02T08:06:47Z DEBUG args='/bin/systemctl' 'disable' 'ntpd.service' > 2015-06-02T08:06:48Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:48Z DEBUG stdout= > 2015-06-02T08:06:48Z DEBUG stderr=Removed symlink /etc/systemd/system/multi-user.target.wants/ntpd.service. 
> > 2015-06-02T08:06:48Z DEBUG Restoring system configuration file '/etc/ntp.conf' > 2015-06-02T08:06:48Z DEBUG Starting external process > 2015-06-02T08:06:48Z DEBUG args='/usr/sbin/selinuxenabled' > 2015-06-02T08:06:48Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:48Z DEBUG stdout= > 2015-06-02T08:06:48Z DEBUG stderr= > 2015-06-02T08:06:48Z DEBUG Starting external process > 2015-06-02T08:06:48Z DEBUG args='/sbin/restorecon' '/etc/ntp.conf' > 2015-06-02T08:06:48Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:48Z DEBUG stdout= > 2015-06-02T08:06:48Z DEBUG stderr= > 2015-06-02T08:06:48Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index' > 2015-06-02T08:06:48Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:48Z DEBUG Configuring certmonger to stop tracking system certificates for KRA > 2015-06-02T08:06:48Z DEBUG Starting external process > 2015-06-02T08:06:48Z DEBUG args='/bin/systemctl' 'start' 'messagebus.service' > 2015-06-02T08:06:48Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:48Z DEBUG stdout= > 2015-06-02T08:06:48Z DEBUG stderr= > 2015-06-02T08:06:48Z DEBUG Starting external process > 2015-06-02T08:06:48Z DEBUG args='/bin/systemctl' 'is-active' 'messagebus.service' > 2015-06-02T08:06:48Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:48Z DEBUG stdout=active > > 2015-06-02T08:06:48Z DEBUG stderr= > 2015-06-02T08:06:48Z DEBUG Starting external process > 2015-06-02T08:06:48Z DEBUG args='/bin/systemctl' 'start' 'certmonger.service' > 2015-06-02T08:06:48Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:48Z DEBUG stdout= > 2015-06-02T08:06:48Z DEBUG stderr= > 2015-06-02T08:06:48Z DEBUG Starting external process > 2015-06-02T08:06:48Z DEBUG args='/bin/systemctl' 'is-active' 'certmonger.service' > 2015-06-02T08:06:48Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:48Z DEBUG stdout=active > > 2015-06-02T08:06:48Z DEBUG stderr= > 
2015-06-02T08:06:48Z DEBUG Starting external process > 2015-06-02T08:06:48Z DEBUG args='/bin/systemctl' 'is-active' 'certmonger.service' > 2015-06-02T08:06:48Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:48Z DEBUG stdout=active > > 2015-06-02T08:06:48Z DEBUG stderr= > 2015-06-02T08:06:48Z DEBUG Starting external process > 2015-06-02T08:06:48Z DEBUG args='/bin/systemctl' 'is-active' 'certmonger.service' > 2015-06-02T08:06:48Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:48Z DEBUG stdout=active > > 2015-06-02T08:06:48Z DEBUG stderr= > 2015-06-02T08:06:48Z DEBUG Starting external process > 2015-06-02T08:06:48Z DEBUG args='/bin/systemctl' 'is-active' 'certmonger.service' > 2015-06-02T08:06:48Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:48Z DEBUG stdout=active > > 2015-06-02T08:06:48Z DEBUG stderr= > 2015-06-02T08:06:48Z DEBUG Starting external process > 2015-06-02T08:06:48Z DEBUG args='/bin/systemctl' 'stop' 'certmonger.service' > 2015-06-02T08:06:48Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:48Z DEBUG stdout= > 2015-06-02T08:06:48Z DEBUG stderr= > 2015-06-02T08:06:48Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:48Z DEBUG Configuring certmonger to stop tracking system certificates for CA > 2015-06-02T08:06:48Z DEBUG Starting external process > 2015-06-02T08:06:48Z DEBUG args='/bin/systemctl' 'start' 'messagebus.service' > 2015-06-02T08:06:48Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:48Z DEBUG stdout= > 2015-06-02T08:06:48Z DEBUG stderr= > 2015-06-02T08:06:48Z DEBUG Starting external process > 2015-06-02T08:06:48Z DEBUG args='/bin/systemctl' 'is-active' 'messagebus.service' > 2015-06-02T08:06:48Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:48Z DEBUG stdout=active > > 2015-06-02T08:06:48Z DEBUG stderr= > 2015-06-02T08:06:48Z DEBUG Starting external process > 2015-06-02T08:06:48Z DEBUG args='/bin/systemctl' 'start' 'certmonger.service' > 
2015-06-02T08:06:48Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:48Z DEBUG stdout= > 2015-06-02T08:06:48Z DEBUG stderr= > 2015-06-02T08:06:48Z DEBUG Starting external process > 2015-06-02T08:06:48Z DEBUG args='/bin/systemctl' 'is-active' 'certmonger.service' > 2015-06-02T08:06:48Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:48Z DEBUG stdout=active > > 2015-06-02T08:06:48Z DEBUG stderr= > 2015-06-02T08:06:48Z DEBUG Starting external process > 2015-06-02T08:06:48Z DEBUG args='/bin/systemctl' 'is-active' 'certmonger.service' > 2015-06-02T08:06:48Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:48Z DEBUG stdout=active > > 2015-06-02T08:06:48Z DEBUG stderr= > 2015-06-02T08:06:49Z DEBUG Starting external process > 2015-06-02T08:06:49Z DEBUG args='/bin/systemctl' 'is-active' 'certmonger.service' > 2015-06-02T08:06:49Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:49Z DEBUG stdout=active > > 2015-06-02T08:06:49Z DEBUG stderr= > 2015-06-02T08:06:49Z DEBUG Starting external process > 2015-06-02T08:06:49Z DEBUG args='/bin/systemctl' 'is-active' 'certmonger.service' > 2015-06-02T08:06:49Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:49Z DEBUG stdout=active > > 2015-06-02T08:06:49Z DEBUG stderr= > 2015-06-02T08:06:49Z DEBUG Starting external process > 2015-06-02T08:06:49Z DEBUG args='/bin/systemctl' 'is-active' 'certmonger.service' > 2015-06-02T08:06:49Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:49Z DEBUG stdout=active > > 2015-06-02T08:06:49Z DEBUG stderr= > 2015-06-02T08:06:49Z DEBUG Starting external process > 2015-06-02T08:06:49Z DEBUG args='/bin/systemctl' 'is-active' 'certmonger.service' > 2015-06-02T08:06:49Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:49Z DEBUG stdout=active > > 2015-06-02T08:06:49Z DEBUG stderr= > 2015-06-02T08:06:50Z DEBUG Starting external process > 2015-06-02T08:06:50Z DEBUG args='/bin/systemctl' 'is-active' 'certmonger.service' > 2015-06-02T08:06:50Z DEBUG 
Process finished, return code=0 > 2015-06-02T08:06:50Z DEBUG stdout=active > > 2015-06-02T08:06:50Z DEBUG stderr= > 2015-06-02T08:06:50Z DEBUG Starting external process > 2015-06-02T08:06:50Z DEBUG args='/bin/systemctl' 'is-active' 'certmonger.service' > 2015-06-02T08:06:50Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:50Z DEBUG stdout=active > > 2015-06-02T08:06:50Z DEBUG stderr= > 2015-06-02T08:06:50Z DEBUG Starting external process > 2015-06-02T08:06:50Z DEBUG args='/bin/systemctl' 'is-active' 'certmonger.service' > 2015-06-02T08:06:50Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:50Z DEBUG stdout=active > > 2015-06-02T08:06:50Z DEBUG stderr= > 2015-06-02T08:06:50Z DEBUG Starting external process > 2015-06-02T08:06:50Z DEBUG args='/bin/systemctl' 'is-active' 'certmonger.service' > 2015-06-02T08:06:50Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:50Z DEBUG stdout=active > > 2015-06-02T08:06:50Z DEBUG stderr= > 2015-06-02T08:06:50Z DEBUG Starting external process > 2015-06-02T08:06:50Z DEBUG args='/bin/systemctl' 'is-active' 'certmonger.service' > 2015-06-02T08:06:50Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:50Z DEBUG stdout=active > > 2015-06-02T08:06:50Z DEBUG stderr= > 2015-06-02T08:06:50Z DEBUG Starting external process > 2015-06-02T08:06:50Z DEBUG args='/bin/systemctl' 'is-active' 'certmonger.service' > 2015-06-02T08:06:50Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:50Z DEBUG stdout=active > > 2015-06-02T08:06:50Z DEBUG stderr= > 2015-06-02T08:06:50Z DEBUG Starting external process > 2015-06-02T08:06:50Z DEBUG args='/bin/systemctl' 'is-active' 'certmonger.service' > 2015-06-02T08:06:50Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:50Z DEBUG stdout=active > > 2015-06-02T08:06:50Z DEBUG stderr= > 2015-06-02T08:06:50Z DEBUG Starting external process > 2015-06-02T08:06:50Z DEBUG args='/bin/systemctl' 'stop' 'certmonger.service' > 2015-06-02T08:06:50Z DEBUG Process finished, return 
code=0 > 2015-06-02T08:06:50Z DEBUG stdout= > 2015-06-02T08:06:50Z DEBUG stderr= > 2015-06-02T08:06:50Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:50Z DEBUG Unconfiguring CA > 2015-06-02T08:06:50Z DEBUG Starting external process > 2015-06-02T08:06:50Z DEBUG args='/usr/sbin/pkidestroy' '-i' 'pki-tomcat' '-s' 'CA' > 2015-06-02T08:06:51Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:51Z DEBUG stdout=Loading deployment configuration from /var/lib/pki/pki-tomcat/ca/registry/ca/deployment.cfg. > Uninstalling CA from /var/lib/pki/pki-tomcat. > > Uninstallation complete. > > 2015-06-02T08:06:51Z DEBUG stderr=pkidestroy : WARNING ....... this 'CA' entry will NOT be deleted from security domain 'IPA'! > pkidestroy : WARNING ....... security domain 'IPA' may be offline or unreachable! > pkidestroy : ERROR ....... subprocess.CalledProcessError: Command '['/usr/bin/sslget', '-n', 'subsystemCert cert-pki-ca', '-p', '922918590690', '-d', '/etc/pki/pki-tomcat/alias', '-e', 'name="/var/lib/pki/pki-tomcat"&type=CA&list=caList&host=replica1.zaeba.li&sport=443&ncsport=443&adminsport=443&agentsport=443&operation=remove', '-v', '-r', '/ca/agent/ca/updateDomainXML', 'replica1.zaeba.li:443']' returned non-zero exit status 6! 
> > 2015-06-02T08:06:51Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:51Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:51Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:51Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:51Z DEBUG Starting external process > 2015-06-02T08:06:51Z DEBUG args='/bin/systemctl' 'start' 'messagebus.service' > 2015-06-02T08:06:51Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:51Z DEBUG stdout= > 2015-06-02T08:06:51Z DEBUG stderr= > 2015-06-02T08:06:51Z DEBUG Starting external process > 2015-06-02T08:06:51Z DEBUG args='/bin/systemctl' 'is-active' 'messagebus.service' > 2015-06-02T08:06:51Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:51Z DEBUG stdout=active > > 2015-06-02T08:06:51Z DEBUG stderr= > 2015-06-02T08:06:51Z DEBUG Starting external process > 2015-06-02T08:06:51Z DEBUG args='/bin/systemctl' 'start' 'certmonger.service' > 2015-06-02T08:06:51Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:51Z DEBUG stdout= > 2015-06-02T08:06:51Z DEBUG stderr= > 2015-06-02T08:06:51Z DEBUG Starting external process > 2015-06-02T08:06:51Z DEBUG args='/bin/systemctl' 'is-active' 'certmonger.service' > 2015-06-02T08:06:51Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:51Z DEBUG stdout=active > > 2015-06-02T08:06:51Z DEBUG stderr= > 2015-06-02T08:06:52Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Starting external process > 2015-06-02T08:06:52Z DEBUG args='/bin/systemctl' 'stop' 'certmonger.service' > 2015-06-02T08:06:52Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:52Z DEBUG stdout= > 
2015-06-02T08:06:52Z DEBUG stderr= > 2015-06-02T08:06:52Z INFO Remove old CRL files > 2015-06-02T08:06:52Z INFO Remove CRL directory > 2015-06-02T08:06:52Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' > 2015-06-02T08:06:52Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Unconfiguring named > 2015-06-02T08:06:52Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z 
DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG raw: dnsrecord_del(u'zaeba.li', u'_ldap._tcp', srvrecord=u'0 100 389 replica1', version=u'2.122') > 2015-06-02T08:06:52Z DEBUG dnsrecord_del(, , srvrecord=(u'0 100 389 replica1',), del_all=False, structured=False, version=u'2.122') > 2015-06-02T08:06:52Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG raw: dnsrecord_del(u'zaeba.li', u'_kerberos._tcp', srvrecord=u'0 100 88 replica1', version=u'2.122') > 2015-06-02T08:06:52Z DEBUG dnsrecord_del(, , srvrecord=(u'0 100 88 replica1',), del_all=False, structured=False, version=u'2.122') > 2015-06-02T08:06:52Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG raw: dnsrecord_del(u'zaeba.li', u'_kerberos._udp', srvrecord=u'0 100 88 replica1', version=u'2.122') > 2015-06-02T08:06:52Z DEBUG dnsrecord_del(, , srvrecord=(u'0 100 88 replica1',), del_all=False, structured=False, version=u'2.122') > 2015-06-02T08:06:52Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG raw: dnsrecord_del(u'zaeba.li', u'_kerberos-master._tcp', srvrecord=u'0 100 88 
replica1', version=u'2.122') > 2015-06-02T08:06:52Z DEBUG dnsrecord_del(, , srvrecord=(u'0 100 88 replica1',), del_all=False, structured=False, version=u'2.122') > 2015-06-02T08:06:52Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG raw: dnsrecord_del(u'zaeba.li', u'_kerberos-master._udp', srvrecord=u'0 100 88 replica1', version=u'2.122') > 2015-06-02T08:06:52Z DEBUG dnsrecord_del(, , srvrecord=(u'0 100 88 replica1',), del_all=False, structured=False, version=u'2.122') > 2015-06-02T08:06:52Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG raw: dnsrecord_del(u'zaeba.li', u'_kpasswd._tcp', srvrecord=u'0 100 464 replica1', version=u'2.122') > 2015-06-02T08:06:52Z DEBUG dnsrecord_del(, , srvrecord=(u'0 100 464 replica1',), del_all=False, structured=False, version=u'2.122') > 2015-06-02T08:06:52Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG raw: dnsrecord_del(u'zaeba.li', u'_kpasswd._udp', srvrecord=u'0 100 464 replica1', version=u'2.122') > 2015-06-02T08:06:52Z DEBUG dnsrecord_del(, , srvrecord=(u'0 100 464 replica1',), del_all=False, structured=False, version=u'2.122') > 2015-06-02T08:06:52Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 
2015-06-02T08:06:52Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG raw: dnsrecord_del(u'zaeba.li', u'_ntp._udp', srvrecord=u'0 100 123 replica1', version=u'2.122') > 2015-06-02T08:06:52Z DEBUG dnsrecord_del(, , srvrecord=(u'0 100 123 replica1',), del_all=False, structured=False, version=u'2.122') > 2015-06-02T08:06:52Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG raw: dnsrecord_del(u'122.168.192.in-addr.arpa.', u'@', nsrecord=u'replica1.zaeba.li.', version=u'2.122') > 2015-06-02T08:06:52Z DEBUG dnsrecord_del(, , nsrecord=(u'replica1.zaeba.li.',), del_all=False, structured=False, version=u'2.122') > 2015-06-02T08:06:52Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG raw: dnsrecord_del(u'zaeba.li.', 
u'@', nsrecord=u'replica1.zaeba.li.', version=u'2.122') > 2015-06-02T08:06:52Z DEBUG dnsrecord_del(, , nsrecord=(u'replica1.zaeba.li.',), del_all=False, structured=False, version=u'2.122') > 2015-06-02T08:06:52Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Restoring system configuration file '/etc/named.conf' > 2015-06-02T08:06:52Z DEBUG Starting external process > 2015-06-02T08:06:52Z DEBUG args='/usr/sbin/selinuxenabled' > 2015-06-02T08:06:52Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:52Z DEBUG stdout= > 2015-06-02T08:06:52Z DEBUG stderr= > 2015-06-02T08:06:52Z DEBUG Starting external process > 2015-06-02T08:06:52Z DEBUG args='/sbin/restorecon' '/etc/named.conf' > 2015-06-02T08:06:52Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:52Z DEBUG stdout= > 2015-06-02T08:06:52Z DEBUG stderr= > 2015-06-02T08:06:52Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index' > 2015-06-02T08:06:52Z DEBUG Restoring system configuration file '/etc/resolv.conf' > 2015-06-02T08:06:52Z DEBUG Starting external process > 2015-06-02T08:06:52Z DEBUG args='/usr/sbin/selinuxenabled' > 2015-06-02T08:06:52Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:52Z DEBUG stdout= > 2015-06-02T08:06:52Z DEBUG stderr= > 2015-06-02T08:06:52Z DEBUG Starting external process > 2015-06-02T08:06:52Z DEBUG args='/sbin/restorecon' '/etc/resolv.conf' > 2015-06-02T08:06:52Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:52Z DEBUG stdout= > 2015-06-02T08:06:52Z DEBUG stderr= > 2015-06-02T08:06:52Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index' > 2015-06-02T08:06:52Z DEBUG Starting external process > 2015-06-02T08:06:52Z DEBUG args='/bin/systemctl' 'unmask' 'named.service' > 2015-06-02T08:06:52Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:52Z DEBUG stdout= > 
2015-06-02T08:06:52Z DEBUG stderr=Removed symlink /etc/systemd/system/named.service. > > 2015-06-02T08:06:52Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Unconfiguring ipa-dnskeysyncd > 2015-06-02T08:06:52Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Starting external process > 2015-06-02T08:06:52Z DEBUG args='/bin/systemctl' 'stop' 'ipa-dnskeysyncd.service' > 2015-06-02T08:06:52Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:52Z DEBUG stdout= > 2015-06-02T08:06:52Z DEBUG stderr= > 2015-06-02T08:06:52Z DEBUG Starting external process > 2015-06-02T08:06:52Z DEBUG args='/bin/systemctl' 'disable' 'ipa-dnskeysyncd.service' > 2015-06-02T08:06:52Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:52Z DEBUG stdout= > 2015-06-02T08:06:52Z DEBUG stderr= > 2015-06-02T08:06:52Z DEBUG Restoring system configuration file '/etc/sysconfig/named' > 2015-06-02T08:06:52Z DEBUG Starting external process > 2015-06-02T08:06:52Z DEBUG args='/usr/sbin/selinuxenabled' > 2015-06-02T08:06:52Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:52Z DEBUG stdout= > 2015-06-02T08:06:52Z DEBUG stderr= > 2015-06-02T08:06:52Z DEBUG Starting external process > 2015-06-02T08:06:52Z DEBUG args='/sbin/restorecon' '/etc/sysconfig/named' > 2015-06-02T08:06:52Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:52Z DEBUG stdout= > 2015-06-02T08:06:52Z DEBUG stderr= > 2015-06-02T08:06:52Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index' > 2015-06-02T08:06:52Z DEBUG Loading 
StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Unconfiguring web server > 2015-06-02T08:06:52Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:52Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' > 2015-06-02T08:06:52Z DEBUG Starting external process > 2015-06-02T08:06:52Z DEBUG args='/bin/systemctl' 'is-active' 'certmonger.service' > 2015-06-02T08:06:52Z DEBUG Process finished, return code=3 > 2015-06-02T08:06:52Z DEBUG stdout=unknown > > 2015-06-02T08:06:52Z DEBUG stderr= > 2015-06-02T08:06:52Z DEBUG Starting external process > 2015-06-02T08:06:52Z DEBUG args='/bin/systemctl' 'start' 'certmonger.service' > 2015-06-02T08:06:52Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:52Z DEBUG stdout= > 2015-06-02T08:06:52Z DEBUG stderr= > 2015-06-02T08:06:52Z DEBUG Starting external process > 2015-06-02T08:06:52Z DEBUG args='/bin/systemctl' 'is-active' 'certmonger.service' > 2015-06-02T08:06:52Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:52Z DEBUG stdout=active > > 2015-06-02T08:06:52Z DEBUG stderr= > 2015-06-02T08:06:53Z DEBUG Starting external process > 2015-06-02T08:06:53Z DEBUG args='/bin/systemctl' 'is-active' 'certmonger.service' > 2015-06-02T08:06:53Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:53Z DEBUG stdout=active > > 2015-06-02T08:06:53Z DEBUG stderr= > 2015-06-02T08:06:53Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 
2015-06-02T08:06:53Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:53Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:53Z DEBUG Restoring system configuration file '/etc/httpd/conf.d/ipa.conf' > 2015-06-02T08:06:53Z DEBUG No such file name in the index > 2015-06-02T08:06:53Z DEBUG Restoring system configuration file '/etc/httpd/conf.d/ssl.conf' > 2015-06-02T08:06:53Z DEBUG No such file name in the index > 2015-06-02T08:06:53Z DEBUG Restoring system configuration file '/etc/httpd/conf.d/nss.conf' > 2015-06-02T08:06:53Z DEBUG Starting external process > 2015-06-02T08:06:53Z DEBUG args='/usr/sbin/selinuxenabled' > 2015-06-02T08:06:53Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:53Z DEBUG stdout= > 2015-06-02T08:06:53Z DEBUG stderr= > 2015-06-02T08:06:53Z DEBUG Starting external process > 2015-06-02T08:06:53Z DEBUG args='/sbin/restorecon' '/etc/httpd/conf.d/nss.conf' > 2015-06-02T08:06:53Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:53Z DEBUG stdout= > 2015-06-02T08:06:53Z DEBUG stderr= > 2015-06-02T08:06:53Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index' > 2015-06-02T08:06:53Z DEBUG Starting external process > 2015-06-02T08:06:53Z DEBUG args='/usr/bin/kdestroy' '-c' '/var/run/httpd/ipa/krbcache/krb5ccache' > 2015-06-02T08:06:53Z DEBUG runas=apache (UID 48, GID 48) > 2015-06-02T08:06:53Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:53Z DEBUG stdout= > 2015-06-02T08:06:53Z DEBUG stderr=kdestroy: No credentials cache found while destroying cache > > 2015-06-02T08:06:53Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:53Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:53Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:53Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 
2015-06-02T08:06:53Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:53Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:53Z DEBUG Starting external process > 2015-06-02T08:06:53Z DEBUG args='/usr/sbin/selinuxenabled' > 2015-06-02T08:06:53Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:53Z DEBUG stdout= > 2015-06-02T08:06:53Z DEBUG stderr= > 2015-06-02T08:06:53Z DEBUG Starting external process > 2015-06-02T08:06:53Z DEBUG args='/usr/sbin/getsebool' 'httpd_can_network_connect' > 2015-06-02T08:06:53Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:53Z DEBUG stdout=httpd_can_network_connect --> on > > 2015-06-02T08:06:53Z DEBUG stderr= > 2015-06-02T08:06:53Z DEBUG Starting external process > 2015-06-02T08:06:53Z DEBUG args='/usr/sbin/getsebool' 'httpd_manage_ipa' > 2015-06-02T08:06:53Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:53Z DEBUG stdout=httpd_manage_ipa --> on > > 2015-06-02T08:06:53Z DEBUG stderr= > 2015-06-02T08:06:53Z DEBUG Starting external process > 2015-06-02T08:06:53Z DEBUG args='/usr/sbin/setsebool' '-P' 'httpd_can_network_connect=off' 'httpd_manage_ipa=off' > 2015-06-02T08:06:55Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:55Z DEBUG stdout= > 2015-06-02T08:06:55Z DEBUG stderr= > 2015-06-02T08:06:55Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:55Z DEBUG Unconfiguring krb5kdc > 2015-06-02T08:06:55Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:55Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:55Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:55Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:55Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:55Z DEBUG Saving 
StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:55Z DEBUG Starting external process > 2015-06-02T08:06:55Z DEBUG args='/bin/systemctl' 'stop' 'krb5kdc.service' > 2015-06-02T08:06:55Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:55Z DEBUG stdout= > 2015-06-02T08:06:55Z DEBUG stderr= > 2015-06-02T08:06:55Z DEBUG Restoring system configuration file '/var/kerberos/krb5kdc/kdc.conf' > 2015-06-02T08:06:55Z DEBUG Starting external process > 2015-06-02T08:06:55Z DEBUG args='/usr/sbin/selinuxenabled' > 2015-06-02T08:06:55Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:55Z DEBUG stdout= > 2015-06-02T08:06:55Z DEBUG stderr= > 2015-06-02T08:06:55Z DEBUG Starting external process > 2015-06-02T08:06:55Z DEBUG args='/sbin/restorecon' '/var/kerberos/krb5kdc/kdc.conf' > 2015-06-02T08:06:55Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:55Z DEBUG stdout= > 2015-06-02T08:06:55Z DEBUG stderr= > 2015-06-02T08:06:55Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index' > 2015-06-02T08:06:55Z DEBUG Restoring system configuration file '/etc/krb5.conf' > 2015-06-02T08:06:55Z DEBUG Starting external process > 2015-06-02T08:06:55Z DEBUG args='/usr/sbin/selinuxenabled' > 2015-06-02T08:06:55Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:55Z DEBUG stdout= > 2015-06-02T08:06:55Z DEBUG stderr= > 2015-06-02T08:06:55Z DEBUG Starting external process > 2015-06-02T08:06:55Z DEBUG args='/sbin/restorecon' '/etc/krb5.conf' > 2015-06-02T08:06:55Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:55Z DEBUG stdout= > 2015-06-02T08:06:55Z DEBUG stderr= > 2015-06-02T08:06:55Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index' > 2015-06-02T08:06:55Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:55Z DEBUG Unconfiguring kadmin > 2015-06-02T08:06:55Z DEBUG Starting external process > 2015-06-02T08:06:55Z DEBUG args='/bin/systemctl' 'stop' 
'kadmin.service' > 2015-06-02T08:06:55Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:55Z DEBUG stdout= > 2015-06-02T08:06:55Z DEBUG stderr= > 2015-06-02T08:06:55Z DEBUG Starting external process > 2015-06-02T08:06:55Z DEBUG args='/bin/systemctl' 'disable' 'kadmin.service' > 2015-06-02T08:06:55Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:55Z DEBUG stdout= > 2015-06-02T08:06:55Z DEBUG stderr= > 2015-06-02T08:06:55Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:55Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:55Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:55Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:55Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:55Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:55Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:55Z DEBUG Unconfiguring directory server > 2015-06-02T08:06:55Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:55Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:55Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:55Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:55Z DEBUG Restoring system configuration file '/etc/security/limits.conf' > 2015-06-02T08:06:55Z DEBUG No such file name in the index > 2015-06-02T08:06:55Z DEBUG Starting external process > 2015-06-02T08:06:55Z DEBUG args='/bin/systemctl' 'enable' 'dirsrv at ZAEBA-LI.service' > 2015-06-02T08:06:55Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:55Z DEBUG stdout= > 2015-06-02T08:06:55Z DEBUG stderr=The unit files have no [Install] section. 
They are not meant to be enabled > using systemctl. > Possible reasons for having this kind of units are: > 1) A unit may be statically enabled by being symlinked from another unit's > .wants/ or .requires/ directory. > 2) A unit's purpose may be to act as a helper for some other unit which has > a requirement dependency on it. > 3) A unit may be started when needed via activation (socket, path, timer, > D-Bus, udev, scripted systemctl call, ...). > > 2015-06-02T08:06:55Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:55Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:55Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:55Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' > 2015-06-02T08:06:55Z DEBUG Starting external process > 2015-06-02T08:06:55Z DEBUG args='/bin/systemctl' 'is-active' 'certmonger.service' > 2015-06-02T08:06:55Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:55Z DEBUG stdout=active > > 2015-06-02T08:06:55Z DEBUG stderr= > 2015-06-02T08:06:55Z DEBUG Starting external process > 2015-06-02T08:06:55Z DEBUG args='/bin/systemctl' 'is-active' 'certmonger.service' > 2015-06-02T08:06:55Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:55Z DEBUG stdout=active > > 2015-06-02T08:06:55Z DEBUG stderr= > 2015-06-02T08:06:55Z DEBUG Removing DS instance ZAEBA-LI > 2015-06-02T08:06:55Z DEBUG Starting external process > 2015-06-02T08:06:55Z DEBUG args='/usr/sbin/remove-ds.pl' '-i' 'slapd-ZAEBA-LI' > 2015-06-02T08:06:57Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:57Z DEBUG stdout=Instance slapd-ZAEBA-LI removed. 
> > 2015-06-02T08:06:57Z DEBUG stderr= > 2015-06-02T08:06:57Z DEBUG Removing DS keytab > 2015-06-02T08:06:57Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:57Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:57Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:57Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:57Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:57Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:57Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:57Z DEBUG Starting external process > 2015-06-02T08:06:57Z DEBUG args='/bin/systemctl' 'stop' 'smb.service' > 2015-06-02T08:06:57Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:57Z DEBUG stdout= > 2015-06-02T08:06:57Z DEBUG stderr= > 2015-06-02T08:06:57Z DEBUG Starting external process > 2015-06-02T08:06:57Z DEBUG args='/bin/systemctl' 'disable' 'smb.service' > 2015-06-02T08:06:57Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:57Z DEBUG stdout= > 2015-06-02T08:06:57Z DEBUG stderr= > 2015-06-02T08:06:57Z DEBUG Starting external process > 2015-06-02T08:06:57Z DEBUG args='/bin/systemctl' 'stop' 'winbind.service' > 2015-06-02T08:06:57Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:57Z DEBUG stdout= > 2015-06-02T08:06:57Z DEBUG stderr= > 2015-06-02T08:06:57Z DEBUG Starting external process > 2015-06-02T08:06:57Z DEBUG args='/bin/systemctl' 'disable' 'winbind.service' > 2015-06-02T08:06:57Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:57Z DEBUG stdout= > 2015-06-02T08:06:57Z DEBUG stderr= > 2015-06-02T08:06:57Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:57Z DEBUG Starting external process > 2015-06-02T08:06:57Z DEBUG 
args='/usr/sbin/selinuxenabled' > 2015-06-02T08:06:57Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:57Z DEBUG stdout= > 2015-06-02T08:06:57Z DEBUG stderr= > 2015-06-02T08:06:57Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:57Z DEBUG Unconfiguring ipa_memcached > 2015-06-02T08:06:57Z DEBUG Starting external process > 2015-06-02T08:06:57Z DEBUG args='/bin/systemctl' 'stop' 'ipa_memcached.service' > 2015-06-02T08:06:57Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:57Z DEBUG stdout= > 2015-06-02T08:06:57Z DEBUG stderr= > 2015-06-02T08:06:57Z DEBUG Starting external process > 2015-06-02T08:06:57Z DEBUG args='/bin/systemctl' 'disable' 'ipa_memcached.service' > 2015-06-02T08:06:57Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:57Z DEBUG stdout= > 2015-06-02T08:06:57Z DEBUG stderr= > 2015-06-02T08:06:57Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:57Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:57Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:57Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:57Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:57Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:57Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:57Z DEBUG Unconfiguring ipa-otpd > 2015-06-02T08:06:57Z DEBUG Starting external process > 2015-06-02T08:06:57Z DEBUG args='/bin/systemctl' 'stop' 'ipa-otpd.socket' '--ignore-dependencies' > 2015-06-02T08:06:57Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:57Z DEBUG stdout= > 2015-06-02T08:06:57Z DEBUG stderr= > 2015-06-02T08:06:57Z DEBUG Starting external process > 2015-06-02T08:06:57Z DEBUG args='/bin/systemctl' 'disable' 
'ipa-otpd.socket' > 2015-06-02T08:06:57Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:57Z DEBUG stdout= > 2015-06-02T08:06:57Z DEBUG stderr= > 2015-06-02T08:06:57Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:57Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:57Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:57Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:57Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:57Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:57Z DEBUG -> no modules, removing file > 2015-06-02T08:06:57Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-06-02T08:06:57Z DEBUG Starting external process > 2015-06-02T08:06:57Z DEBUG args='/usr/sbin/selinuxenabled' > 2015-06-02T08:06:57Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:57Z DEBUG stdout= > 2015-06-02T08:06:57Z DEBUG stderr= > 2015-06-02T08:06:57Z DEBUG Starting external process > 2015-06-02T08:06:57Z DEBUG args='/sbin/restorecon' '/etc/hosts' > 2015-06-02T08:06:57Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:57Z DEBUG stdout= > 2015-06-02T08:06:57Z DEBUG stderr= > 2015-06-02T08:06:57Z DEBUG Starting external process > 2015-06-02T08:06:57Z DEBUG args='/usr/sbin/selinuxenabled' > 2015-06-02T08:06:57Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:57Z DEBUG stdout= > 2015-06-02T08:06:57Z DEBUG stderr= > 2015-06-02T08:06:57Z DEBUG Starting external process > 2015-06-02T08:06:57Z DEBUG args='/sbin/restorecon' '/usr/share/ipa/html/krb.con' > 2015-06-02T08:06:57Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:57Z DEBUG stdout= > 2015-06-02T08:06:57Z DEBUG stderr= > 2015-06-02T08:06:57Z DEBUG Starting external process > 2015-06-02T08:06:57Z DEBUG 
args='/usr/sbin/selinuxenabled' > 2015-06-02T08:06:57Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:57Z DEBUG stdout= > 2015-06-02T08:06:57Z DEBUG stderr= > 2015-06-02T08:06:57Z DEBUG Starting external process > 2015-06-02T08:06:57Z DEBUG args='/sbin/restorecon' '/etc/sysconfig/dirsrv' > 2015-06-02T08:06:57Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:57Z DEBUG stdout= > 2015-06-02T08:06:57Z DEBUG stderr= > 2015-06-02T08:06:57Z DEBUG -> Not restoring - '/var/lib/ipa/sysrestore/4d720ffcd6b607a1-named.conf' doesn't exist > 2015-06-02T08:06:57Z DEBUG Starting external process > 2015-06-02T08:06:57Z DEBUG args='/usr/sbin/selinuxenabled' > 2015-06-02T08:06:57Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:57Z DEBUG stdout= > 2015-06-02T08:06:57Z DEBUG stderr= > 2015-06-02T08:06:57Z DEBUG Starting external process > 2015-06-02T08:06:57Z DEBUG args='/sbin/restorecon' '/etc/sysconfig/dirsrv' > 2015-06-02T08:06:57Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:57Z DEBUG stdout= > 2015-06-02T08:06:57Z DEBUG stderr= > 2015-06-02T08:06:57Z DEBUG Starting external process > 2015-06-02T08:06:57Z DEBUG args='/usr/sbin/selinuxenabled' > 2015-06-02T08:06:57Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:57Z DEBUG stdout= > 2015-06-02T08:06:57Z DEBUG stderr= > 2015-06-02T08:06:57Z DEBUG Starting external process > 2015-06-02T08:06:57Z DEBUG args='/sbin/restorecon' '/etc/sysconfig/ntpd' > 2015-06-02T08:06:57Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:57Z DEBUG stdout= > 2015-06-02T08:06:57Z DEBUG stderr= > 2015-06-02T08:06:57Z DEBUG Starting external process > 2015-06-02T08:06:57Z DEBUG args='/usr/sbin/selinuxenabled' > 2015-06-02T08:06:57Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:57Z DEBUG stdout= > 2015-06-02T08:06:57Z DEBUG stderr= > 2015-06-02T08:06:57Z DEBUG Starting external process > 2015-06-02T08:06:57Z DEBUG args='/sbin/restorecon' '/etc/sysconfig/krb5kdc' > 2015-06-02T08:06:57Z DEBUG 
Process finished, return code=0 > 2015-06-02T08:06:57Z DEBUG stdout= > 2015-06-02T08:06:57Z DEBUG stderr= > 2015-06-02T08:06:57Z DEBUG Starting external process > 2015-06-02T08:06:57Z DEBUG args='/usr/sbin/selinuxenabled' > 2015-06-02T08:06:57Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:57Z DEBUG stdout= > 2015-06-02T08:06:57Z DEBUG stderr= > 2015-06-02T08:06:57Z DEBUG Starting external process > 2015-06-02T08:06:57Z DEBUG args='/sbin/restorecon' '/usr/share/ipa/html/krbrealm.con' > 2015-06-02T08:06:57Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:57Z DEBUG stdout= > 2015-06-02T08:06:57Z DEBUG stderr= > 2015-06-02T08:06:57Z DEBUG -> Not restoring - '/var/lib/ipa/sysrestore/d81eecfea953034b-resolv.conf' doesn't exist > 2015-06-02T08:06:57Z DEBUG Starting external process > 2015-06-02T08:06:57Z DEBUG args='/usr/sbin/selinuxenabled' > 2015-06-02T08:06:57Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:57Z DEBUG stdout= > 2015-06-02T08:06:57Z DEBUG stderr= > 2015-06-02T08:06:57Z DEBUG Starting external process > 2015-06-02T08:06:57Z DEBUG args='/sbin/restorecon' '/etc/krb5.keytab' > 2015-06-02T08:06:57Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:57Z DEBUG stdout= > 2015-06-02T08:06:57Z DEBUG stderr= > 2015-06-02T08:06:57Z DEBUG -> Not restoring - '/var/lib/ipa/sysrestore/d81970e754d29ebd-named' doesn't exist > 2015-06-02T08:06:57Z DEBUG Starting external process > 2015-06-02T08:06:57Z DEBUG args='/usr/sbin/selinuxenabled' > 2015-06-02T08:06:57Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:57Z DEBUG stdout= > 2015-06-02T08:06:57Z DEBUG stderr= > 2015-06-02T08:06:57Z DEBUG Starting external process > 2015-06-02T08:06:57Z DEBUG args='/sbin/restorecon' '/usr/share/ipa/html/krb5.ini' > 2015-06-02T08:06:57Z DEBUG Process finished, return code=0 > 2015-06-02T08:06:57Z DEBUG stdout= > 2015-06-02T08:06:57Z DEBUG stderr= > 2015-06-02T08:06:57Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index' > 
> 2015-06-02T08:06:57Z DEBUG -> no files, removing file
> 2015-06-02T08:06:57Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
> 2015-06-02T08:06:57Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
> 2015-06-02T08:06:57Z DEBUG Starting external process
> 2015-06-02T08:06:57Z DEBUG args='/bin/systemctl' 'disable' 'ipa.service'
> 2015-06-02T08:06:57Z DEBUG Process finished, return code=0
> 2015-06-02T08:06:57Z DEBUG stdout=
> 2015-06-02T08:06:57Z DEBUG stderr=Removed symlink /etc/systemd/system/multi-user.target.wants/ipa.service.
>
> 2015-06-02T08:06:57Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
> 2015-06-02T08:06:57Z DEBUG Starting external process
> 2015-06-02T08:06:57Z DEBUG args='/bin/systemctl' 'is-active' 'certmonger.service'
> 2015-06-02T08:06:57Z DEBUG Process finished, return code=0
> 2015-06-02T08:06:57Z DEBUG stdout=active
>
> 2015-06-02T08:06:57Z DEBUG stderr=
> 2015-06-02T08:06:57Z DEBUG Starting external process
> 2015-06-02T08:06:57Z DEBUG args='/bin/systemctl' 'is-active' 'certmonger.service'
> 2015-06-02T08:06:57Z DEBUG Process finished, return code=0
> 2015-06-02T08:06:57Z DEBUG stdout=active
>
> 2015-06-02T08:06:57Z DEBUG stderr=
> 2015-06-02T08:06:57Z DEBUG Starting external process
> 2015-06-02T08:06:57Z DEBUG args='/bin/systemctl' 'is-active' 'certmonger.service'
> 2015-06-02T08:06:57Z DEBUG Process finished, return code=0
> 2015-06-02T08:06:57Z DEBUG stdout=active
>
> 2015-06-02T08:06:57Z DEBUG stderr=
> 2015-06-02T08:06:57Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 733, in run_script
>     return_value = main_function()
>
>   File "/sbin/ipa-server-install", line 375, in main
>     server.uninstall(options)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 279, in decorated
>     destroy_private_ccache()
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 267, in destroy_private_ccache
>     if os.path.exists(path):
>
>   File "/usr/lib64/python2.7/genericpath.py", line 18, in exists
>     os.stat(path)
>
> 2015-06-02T08:06:57Z DEBUG The ipa-server-install command failed, exception: TypeError: coercing to Unicode: need string or buffer, NoneType found
> --
> Manage your subscription for the Freeipa-devel mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-devel
> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

From ftweedal at redhat.com Tue Jun 2 09:42:28 2015
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Tue, 2 Jun 2015 19:42:28 +1000
Subject: [Freeipa-devel] [PATCH 0014 v3] Support multiple user and host certificates
In-Reply-To: <556C5525.8080305@redhat.com>
References: <20150527135315.GC24915@dhcp-40-8.bne.redhat.com> <5565ED02.6060709@redhat.com> <20150528111804.GA23523@dhcp-40-8.bne.redhat.com> <20150601044027.GH23523@dhcp-40-8.bne.redhat.com> <556C5525.8080305@redhat.com>
Message-ID: <20150602094227.GR23523@dhcp-40-8.bne.redhat.com>

On Mon, Jun 01, 2015 at 02:50:45PM +0200, Martin Basti wrote:
> On 01/06/15 06:40, Fraser Tweedale wrote:
> >New version of patch; ``{host,service}-show --out=FILE`` now writes
> >all certs to FILE. Rebased on latest master.
> >
> >Thanks,
> >Fraser
> >
> >On Thu, May 28, 2015 at 09:18:04PM +1000, Fraser Tweedale wrote:
> >>Updated patch attached. Notably restores/adds revocation behaviour
> >>to host-mod and service-mod.
> >>
> >>Thanks,
> >>Fraser
> >>
> >>On Wed, May 27, 2015 at 06:12:50PM +0200, Martin Basti wrote:
> >>>On 27/05/15 15:53, Fraser Tweedale wrote:
> >>>>This patch adds support for multiple user / host certificates. No
> >>>>schema change is needed ('usercertificate' attribute is already
> >>>>multi-value). The revoke-previous-cert behaviour of host-mod and
> >>>>user-mod has been removed but revocation behaviour of -del and
> >>>>-disable is preserved.
> >>>>
> >>>>The latest profiles/caacl patchset (0001..0013 v5) depends on this
> >>>>patch for correct cert-request behaviour.
> >>>>
> >>>>There is one design question (or maybe more, let me know): the
> >>>>`--out=FILENAME' option to {host,service} show saves ONE certificate
> >>>>to the named file. I propose to either:
> >>>>
> >>>>a) write all certs, suffixing suggested filename with either a
> >>>>   sequential numerical index, e.g. "cert.pem" becomes
> >>>>   "cert.pem.1", "cert.pem.2", and so on; or
> >>>>
> >>>>b) as above, but suffix with serial number and, if there are
> >>>>   different issuers, some issuer-identifying information.
> >>>>
> >>>>Let me know your thoughts.
> >>>>
> >>>>Thanks,
> >>>>Fraser
> >>>>
> >>>>
> >>>Is there a possible way to store certificates into one file?
> >>>I read about possibilities to have multiple certs in one .pem file, but I'm
> >>>not a cert guru :)
> >>>
> >>>I personally vote for serial number in case there are multiple certificates,
> >>>if ^ is not possible.
> >>>
> >>>
> >>>1)
> >>>+ if len(certs) > 0:
> >>>
> >>>please use only,
> >>>if certs:
> >>>
> >>>2)
> >>>You need to re-generate API/ACI.txt in this patch
> >>>
> >>>3)
> >>>syntax error:
> >>>+ for dercert in certs_der
> >>>
> >>>
> >>>4)
> >>>command
> >>>ipa user-mod ca_user --certificate=
> >>>
> >>>removes the current certificate from the LDAP, by design.
> >>>Should the old certificate(s) be revoked? You removed that part in the code.
> >>>
> >>>only the --addattr='usercertificate=' appends new value there
> >>>
> >>>--
> >>>Martin Basti
> >>>
> My objections/proposed solutions in attached patch.
>
> * VERSION
> * In the previous version normalized values were stored in LDAP, so I added
>   it back. (I don't know why there is no normalization in param settings, but
>   normalization for every certificate is done in callback. I will file a
>   ticket for this)
> * IMO only normalized certificates should be compared in the old
>   certificates detection
>
I incorporated your suggested changes in new patch (attached). There
were no proposed changes to the other patchset (0001..0013) since
rebase.

Thanks,
Fraser
-------------- next part --------------
From a1381dcb849d24f9d77fed4cc92655075d0a5a35 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale Date: Wed, 27 May 2015 08:02:08 -0400 Subject: [PATCH] Support multiple host and service certificates Update the framework to support multiple host and service certificates. host-mod and service-mod revoke existing certificates that are not included in the modified entry. Using addattr=certificate=... will result in no certificates being revoked. The existing behaviour of host-disable, host-del, service-disable and service-del (revoke existing certificate) is preserved but now applies to all certificates in the host or service entry. Also update host-show and service-show to write all the principal's certificates to the file given by the ``--out=FILE`` option. Part of: http://www.freeipa.org/page/V4/User_Certificates --- API.txt | 10 ++--- VERSION | 4 +- ipalib/plugins/host.py | 107 +++++++++++++++++++++++++--------------------- ipalib/plugins/service.py | 94 +++++++++++++++++++++++++--------------- 4 files changed, 124 insertions(+), 91 deletions(-) diff --git a/API.txt b/API.txt index da69f32de5c12c0d85a7d61d9027385aa3c0ee05..3cfcf34939a58d6888de8f0a7a6ef0c7779c993e 100644 --- a/API.txt +++ b/API.txt @@ -1812,7 +1812,7 @@ option: Str('nsosversion', attribute=True, cli_name='os', multivalue=False, requ option: Flag('random', attribute=False, autofill=True, cli_name='random', default=False, multivalue=False, required=False) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('setattr*', cli_name='setattr', exclude='webui') -option: Bytes('usercertificate', attribute=True, cli_name='certificate', multivalue=False, required=False) +option: Bytes('usercertificate', attribute=True, cli_name='certificate', multivalue=True, required=False) option: Str('userclass', attribute=True, cli_name='class', multivalue=True, required=False) option: Str('userpassword', attribute=True, cli_name='password', multivalue=False, required=False) option: Str('version?', exclude='webui') 
@@ -1935,7 +1935,7 @@ option: Flag('pkey_only?', autofill=True, default=False) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Int('sizelimit?', autofill=False, minvalue=0) option: Int('timelimit?', autofill=False, minvalue=0) -option: Bytes('usercertificate', attribute=True, autofill=False, cli_name='certificate', multivalue=False, query=True, required=False) +option: Bytes('usercertificate', attribute=True, autofill=False, cli_name='certificate', multivalue=True, query=True, required=False) option: Str('userclass', attribute=True, autofill=False, cli_name='class', multivalue=True, query=True, required=False) option: Str('userpassword', attribute=True, autofill=False, cli_name='password', multivalue=False, query=True, required=False) option: Str('version?', exclude='webui') @@ -1966,7 +1966,7 @@ option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui option: Flag('rights', autofill=True, default=False) option: Str('setattr*', cli_name='setattr', exclude='webui') option: Flag('updatedns?', autofill=True, default=False) -option: Bytes('usercertificate', attribute=True, autofill=False, cli_name='certificate', multivalue=False, required=False) +option: Bytes('usercertificate', attribute=True, autofill=False, cli_name='certificate', multivalue=True, required=False) option: Str('userclass', attribute=True, autofill=False, cli_name='class', multivalue=True, required=False) option: Str('userpassword', attribute=True, autofill=False, cli_name='password', multivalue=False, required=False) option: Str('version?', exclude='webui') 
@@ -3584,7 +3584,7 @@ option: Bool('ipakrbrequirespreauth', attribute=False, cli_name='requires_pre_au option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('setattr*', cli_name='setattr', exclude='webui') -option: Bytes('usercertificate', attribute=True, cli_name='certificate', multivalue=False, required=False) +option: Bytes('usercertificate', attribute=True, cli_name='certificate', multivalue=True, required=False) option: Str('version?', exclude='webui') output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('summary', (, ), None) @@ -3702,7 +3702,7 @@ option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Flag('rights', autofill=True, default=False) option: Str('setattr*', cli_name='setattr', exclude='webui') -option: Bytes('usercertificate', attribute=True, autofill=False, cli_name='certificate', multivalue=False, required=False) +option: Bytes('usercertificate', attribute=True, autofill=False, cli_name='certificate', multivalue=True, required=False) option: Str('version?', exclude='webui') output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('summary', (, ), None) diff --git a/VERSION b/VERSION index 07c00d000064a7687497b09524aa821dbcecc88a..24a2913226961a807da49076184a1053c897e748 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=121 -# Last change: pvoborni - added server-find and server-show +IPA_API_VERSION_MINOR=122 +# Last change: ftweedal - allow multiple host/service certificates 
diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py index c47439743da45b8629d1b2afbd210d87591784ce..9ad087e26250d86b15fbe723a98cca278ef29adf 100644 --- a/ipalib/plugins/host.py +++ b/ipalib/plugins/host.py @@ -493,7 +493,7 @@ class host(LDAPObject): label=_('Random password'), flags=('no_create', 'no_update', 'no_search', 'virtual_attribute'), ), - Bytes('usercertificate?', validate_certificate, + Bytes('usercertificate*', validate_certificate, cli_name='certificate', label=_('Certificate'), doc=_('Base-64 encoded server certificate'), @@ -640,11 +640,11 @@ class host_add(LDAPCreate): entry_attrs['userpassword'] = ipa_generate_password(characters=host_pwd_chars) # save the password so it can be displayed in post_callback setattr(context, 'randompassword', entry_attrs['userpassword']) - cert = options.get('usercertificate') - if cert: - cert = x509.normalize_certificate(cert) + certs = options.get('usercertificate', []) + certs_der = map(x509.normalize_certificate, certs) + for cert in certs_der: x509.verify_cert_subject(ldap, keys[-1], cert) - entry_attrs['usercertificate'] = cert + entry_attrs['usercertificate'] = certs_der entry_attrs['managedby'] = dn entry_attrs['objectclass'].append('ieee802device') entry_attrs['objectclass'].append('ipasshhost') @@ -786,8 +786,7 @@ class host_del(LDAPDelete): entry_attrs = ldap.get_entry(dn, ['usercertificate']) except errors.NotFound: self.obj.handle_not_found(*keys) - cert = entry_attrs.single_value.get('usercertificate') - if cert: + for cert in entry_attrs.get('usercertificate', []): cert = x509.normalize_certificate(cert) try: serial = unicode(x509.get_serial_number(cert, x509.DER)) 
@@ -864,39 +863,43 @@ class host_mod(LDAPUpdate): if 'krbprincipalaux' not in obj_classes: obj_classes.append('krbprincipalaux') entry_attrs['objectclass'] = obj_classes - cert = x509.normalize_certificate(entry_attrs.get('usercertificate')) - if cert: - if self.api.Command.ca_is_enabled()['result']: - x509.verify_cert_subject(ldap, keys[-1], cert) - entry_attrs_old = ldap.get_entry(dn, ['usercertificate']) - oldcert = entry_attrs_old.single_value.get('usercertificate') - if oldcert: - oldcert = x509.normalize_certificate(oldcert) + + # verify certificates + certs = entry_attrs.get('usercertificate') or [] + certs_der = map(x509.normalize_certificate, certs) + for cert in certs_der: + x509.verify_cert_subject(ldap, keys[-1], cert) + + # revoke removed certificates + if self.api.Command.ca_is_enabled()['result']: + entry_attrs_old = ldap.get_entry(dn, ['usercertificate']) + old_certs = entry_attrs_old.get('usercertificate', []) + old_certs_der = map(x509.normalize_certificate, old_certs) + removed_certs_der = set(old_certs_der) - set(certs_der) + for cert in removed_certs_der: + try: + serial = unicode(x509.get_serial_number(cert, x509.DER)) try: - serial = x509.get_serial_number(oldcert, x509.DER) - serial = unicode(serial) - try: - result = api.Command['cert_show'](serial)['result'] - if 'revocation_reason' not in result: - try: - api.Command['cert_revoke']( - serial, revocation_reason=4) - except errors.NotImplementedError: - # some CA's might not implement revoke - pass - except errors.NotImplementedError: - # some CA's might not implement revoke - pass - except NSPRError, nsprerr: - if nsprerr.errno == -8183: - # If we can't decode the cert them proceed with - # modifying the host. 
- self.log.info("Problem decoding certificate %s" % - nsprerr.args[1]) - else: - raise nsprerr - - entry_attrs['usercertificate'] = cert + result = api.Command['cert_show'](serial)['result'] + if 'revocation_reason' not in result: + try: + api.Command['cert_revoke']( + serial, revocation_reason=4) + except errors.NotImplementedError: + # some CA's might not implement revoke + pass + except errors.NotImplementedError: + # some CA's might not implement revoke + pass + except NSPRError, nsprerr: + if nsprerr.errno == -8183: + # If we can't decode the cert them proceed with + # modifying the host. + self.log.info("Problem decoding certificate %s" % + nsprerr.args[1]) + else: + raise nsprerr + entry_attrs['usercertificate'] = certs_der if options.get('random'): entry_attrs['userpassword'] = ipa_generate_password(characters=host_pwd_chars) @@ -1093,8 +1096,14 @@ class host_show(LDAPRetrieve): util.check_writable_file(options['out']) result = super(host_show, self).forward(*keys, **options) if 'usercertificate' in result['result']: - x509.write_certificate(result['result']['usercertificate'][0], options['out']) - result['summary'] = _('Certificate stored in file \'%(file)s\'') % dict(file=options['out']) + x509.write_certificate_list( + result['result']['usercertificate'], + options['out'] + ) + result['summary'] = ( + _('Certificate(s) stored in file \'%(file)s\'') + % dict(file=options['out']) + ) return result else: raise errors.NoCertificateError(entry=keys[-1]) 
@@ -1148,10 +1157,9 @@ class host_disable(LDAPQuery): entry_attrs = ldap.get_entry(dn, ['usercertificate']) except errors.NotFound: self.obj.handle_not_found(*keys) - cert = entry_attrs.single_value.get('usercertificate') - if cert: - if self.api.Command.ca_is_enabled()['result']: - cert = x509.normalize_certificate(cert) + if self.api.Command.ca_is_enabled()['result']: + certs = entry_attrs.get('usercertificate', []) + for cert in map(x509.normalize_certificate, certs): try: serial = unicode(x509.get_serial_number(cert, x509.DER)) try: @@ -1175,10 +1183,11 @@ class host_disable(LDAPQuery): else: raise nsprerr - # Remove the usercertificate altogether - entry_attrs['usercertificate'] = None - ldap.update_entry(entry_attrs) - done_work = True + if certs: + # Remove the usercertificate altogether + entry_attrs['usercertificate'] = None + ldap.update_entry(entry_attrs) + done_work = True self.obj.get_password_attributes(ldap, dn, entry_attrs) if entry_attrs['has_keytab']: diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py index b37dc7b4bf56b69df204fd29e9487f1390197bbe..c290344cf6c14155ec1b103525ff8642a7a8e2af 100644 --- a/ipalib/plugins/service.py +++ b/ipalib/plugins/service.py @@ -437,7 +437,7 @@ class service(LDAPObject): primary_key=True, normalizer=lambda value: normalize_principal(value), ), - Bytes('usercertificate?', validate_certificate, + Bytes('usercertificate*', validate_certificate, cli_name='certificate', label=_('Certificate'), doc=_('Base-64 encoded server certificate'), 
@@ -503,11 +503,11 @@ class service_add(LDAPCreate): self.obj.validate_ipakrbauthzdata(entry_attrs) - cert = options.get('usercertificate') - if cert: - dercert = x509.normalize_certificate(cert) + certs = options.get('usercertificate', []) + certs_der = map(x509.normalize_certificate, certs) + for dercert in certs_der: x509.verify_cert_subject(ldap, hostname, dercert) - entry_attrs['usercertificate'] = dercert + entry_attrs['usercertificate'] = certs_der if not options.get('force', False): # We know the host exists if we've gotten this far but we @@ -555,9 +555,7 @@ class service_del(LDAPDelete): entry_attrs = ldap.get_entry(dn, ['usercertificate']) except errors.NotFound: self.obj.handle_not_found(*keys) - cert = entry_attrs.get('usercertificate') - if cert: - cert = cert[0] + for cert in entry_attrs.get('usercertificate', []): try: serial = unicode(x509.get_serial_number(cert, x509.DER)) try: 
@@ -597,25 +595,44 @@ class service_mod(LDAPUpdate): self.obj.validate_ipakrbauthzdata(entry_attrs) - if 'usercertificate' in options: - (service, hostname, realm) = split_principal(keys[-1]) - cert = options.get('usercertificate') - if cert: - dercert = x509.normalize_certificate(cert) - x509.verify_cert_subject(ldap, hostname, dercert) + (service, hostname, realm) = split_principal(keys[-1]) + + # verify certificates + certs = options.get('usercertificate') or [] + certs_der = map(x509.normalize_certificate, certs) + for dercert in certs_der: + x509.verify_cert_subject(ldap, hostname, dercert) + + # revoke removed certificates + if self.api.Command.ca_is_enabled()['result']: + entry_attrs_old = ldap.get_entry(dn, ['usercertificate']) + old_certs = entry_attrs_old.get('usercertificate', []) + old_certs_der = map(x509.normalize_certificate, old_certs) + removed_certs_der = set(old_certs_der) - set(certs_der) + for cert in removed_certs_der: try: - entry_attrs_old = ldap.get_entry(dn, ['usercertificate']) - except errors.NotFound: - self.obj.handle_not_found(*keys) - if 'usercertificate' in entry_attrs_old: - # FIXME: what to do here? do we revoke the old cert? - fmt = 'entry already has a certificate, serial number: %s' % ( - x509.get_serial_number(entry_attrs_old['usercertificate'][0], x509.DER) - ) - raise errors.GenericError(format=fmt) - entry_attrs['usercertificate'] = dercert - else: - entry_attrs['usercertificate'] = None + serial = unicode(x509.get_serial_number(cert, x509.DER)) + try: + result = api.Command['cert_show'](serial)['result'] + if 'revocation_reason' not in result: + try: + api.Command['cert_revoke']( + serial, revocation_reason=4) + except errors.NotImplementedError: + # some CA's might not implement revoke + pass + except errors.NotImplementedError: + # some CA's might not implement revoke + pass + except NSPRError, nsprerr: + if nsprerr.errno == -8183: + # If we can't decode the cert them proceed with + # modifying the host. 
+ self.log.info("Problem decoding certificate %s" % + nsprerr.args[1]) + else: + raise nsprerr + entry_attrs['usercertificate'] = certs_der update_krbticketflags(ldap, entry_attrs, attrs_list, options, True) @@ -695,8 +712,14 @@ class service_show(LDAPRetrieve): util.check_writable_file(options['out']) result = super(service_show, self).forward(*keys, **options) if 'usercertificate' in result['result']: - x509.write_certificate(result['result']['usercertificate'][0], options['out']) - result['summary'] = _('Certificate stored in file \'%(file)s\'') % dict(file=options['out']) + x509.write_certificate_list( + result['result']['usercertificate'], + options['out'] + ) + result['summary'] = ( + _('Certificate(s) stored in file \'%(file)s\'') + % dict(file=options['out']) + ) return result else: raise errors.NoCertificateError(entry=keys[-1]) @@ -815,9 +838,9 @@ class service_disable(LDAPQuery): # See if we do any work at all here and if not raise an exception done_work = False - if 'usercertificate' in entry_attrs: - if self.api.Command.ca_is_enabled()['result']: - cert = x509.normalize_certificate(entry_attrs.get('usercertificate')[0]) + if self.api.Command.ca_is_enabled()['result']: + certs = entry_attrs.get('usercertificate', []) + for cert in map(x509.normalize_certificate, certs): try: serial = unicode(x509.get_serial_number(cert, x509.DER)) try: @@ -839,10 +862,11 @@ class service_disable(LDAPQuery): else: raise nsprerr - # Remove the usercertificate altogether - entry_attrs['usercertificate'] = None - ldap.update_entry(entry_attrs) - done_work = True + if len(certs) > 0: + # Remove the usercertificate altogether + entry_attrs['usercertificate'] = None + ldap.update_entry(entry_attrs) + done_work = True self.obj.get_password_attributes(ldap, dn, entry_attrs) if entry_attrs['has_keytab']: -- 2.1.0 From jcholast at redhat.com Tue Jun 2 10:04:45 2015 
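Review bot: in the service_mod hunk the old `if 'usercertificate' in options:` guard is dropped, so a service-mod that does not mention the certificate option at all runs with `certs = []`: every stored certificate ends up in `removed_certs_der`, is revoked with reason 4, and `entry_attrs['usercertificate'] = certs_der` then clears the attribute; the host_mod hunk has the same shape via `entry_attrs.get('usercertificate') or []`. Wrap the verify/revoke/assign block in `if 'usercertificate' in options:` (testing option presence rather than `if certs:`), so that an explicit `--certificate=` still clears and revokes while `host-mod --desc=...` leaves certificates alone. The revocation branch also lost the `except errors.NotFound: self.obj.handle_not_found(*keys)` that the removed lines had around `ldap.get_entry`.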
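Review bot: in the host_mod hunk `certs_der = map(x509.normalize_certificate, certs)` is consumed three times (the verify loop, `set(certs_der)`, and the final assignment), which only works because Python 2's `map` returns a list; under Python 3 the loop would exhaust it, `removed_certs_der` would become the whole old set, and an exhausted iterator would be stored in the entry. Use `[x509.normalize_certificate(c) for c in certs]` here and in host_add/service_add/service_mod, write the newly added handler as `except NSPRError as nsprerr:` (the comma form is Python 2-only syntax, PEP 3110), and since the serial/cert_show/cert_revoke block is now copied into host_mod and service_mod on top of the -del and -disable commands, factor it into one helper such as a hypothetical `revoke_certificates(certs_der)`; the copied comment "If we can't decode the cert them proceed" should read "then".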
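Review bot: in the host_disable hunk `certs` is only assigned inside `if self.api.Command.ca_is_enabled()['result']:`, but the new `if certs:` sits at the outer indentation and runs unconditionally, so host-disable with the CA not installed fails with an unbound local name; the service_disable hunk has the same problem with `if len(certs) > 0:`. Move `certs = entry_attrs.get('usercertificate', [])` above the CA check (the removed lines cleared the attribute regardless of CA state, which this restores) and use `if certs:` in both commands, as asked for earlier in the thread.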
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 02 Jun 2015 12:04:45 +0200
Subject: [Freeipa-devel] [PATCH] Password vault
In-Reply-To: <556CF29A.9090404@redhat.com>
References: <54E1AF55.3060409@redhat.com> <54EBEB55.6010306@redhat.com> <54F96B22.9050507@redhat.com> <55004D5D.6060300@redhat.com> <550FE5EB.1070606@redhat.com> <551E0AE1.8040500@redhat.com> <553498D1.1020901@redhat.com> <55651209.8020000@redhat.com> <556558AA.6040107@redhat.com> <5566AB15.3070605@redhat.com> <5566ABAB.7050008@redhat.com> <556CF29A.9090404@redhat.com>
Message-ID: <556D7FBD.4080207@redhat.com>

On 2.6.2015 at 02:02, Endi Sukma Dewata wrote:
> On 5/28/2015 12:46 AM, Jan Cholasta wrote:
>>> On a related note, since KRA is optional, can we move the vaults
>>> container to cn=kra,cn=vaults? This is the convention used by the other
>>> optional components (DNS and recently CA).
>>
>> I mean cn=vaults,cn=kra of course.
>
> If you are talking about the o=kra,, I'm not sure whether
> the IPA framework will work with it.
>
> If you are talking about adding a new cn=kra, entry on top
> of cn=vaults, what is the purpose of this entry? Is the entry going to
> be created/deleted automatically when the KRA is installed/removed? Is
> it going to be used for something else other than vaults?

I'm talking about cn=kra,. It should be created only when KRA is
installed, although I think this can be done later after the release;
moving vaults to cn=kra should be good enough for now. It's going to be
used for everything KRA-specific.

>
> There are a lot of questions that need to be answered before we can make
> this change.

This is about sticking to a convention, which everyone should do, and
everyone except KRA already does. I'm sorry I didn't realize this
earlier, but the change must be done now.

> We probably should revisit this issue after the core vault
> functionality is added.
>

We can't revisit it later because after release we are stuck with
whatever is there forever.
See attachment for a patch which implements the change.

--
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-434-vault-Move-vaults-to-cn-vaults-cn-kra.patch
Type: text/x-patch
Size: 8337 bytes
Desc: not available
URL:
From ofayans at redhat.com Tue Jun 2 10:09:41 2015
From: ofayans at redhat.com (Oleg Fayans)
Date: Tue, 02 Jun 2015 12:09:41 +0200
Subject: [Freeipa-devel] KeyError raised upon replica installation
Message-ID: <556D80E5.6050802@redhat.com>

Hi all,

The following error was caught during replica installation (I used all
the latest patches from Ludwig and Martin Basti):

root at localhost:/home/ofayans/rpms]$ ipa-replica-install --setup-ca --setup-dns --forwarder 10.38.5.26 /var/lib/ipa/replica-info-replica1.zaeba.li.gpg
Directory Manager (existing master) password:

Existing BIND configuration detected, overwrite? [no]: yes
Adding [192.168.122.210 replica1.zaeba.li] to your /etc/hosts file
Checking forwarders, please wait ...
Using reverse zone(s) 122.168.192.in-addr.arpa.
Run connection check to master
Check connection from replica to remote master 'upgrademaster.zaeba.li':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
admin at ZAEBA.LI password:

Check SSH connection to remote master
Execute check on remote master
Check connection from master to remote replica 'replica1.zaeba.li':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

Connection from master to replica is OK.

Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv): Estimated time 1 minute
  [1/37]: creating directory server user
  [2/37]: creating directory server instance
  [3/37]: adding default schema
  [4/37]: enabling memberof plugin
  [5/37]: enabling winsync plugin
  [6/37]: configuring replication version plugin
  [7/37]: enabling IPA enrollment plugin
  [8/37]: enabling ldapi
  [9/37]: configuring uniqueness plugin
  [10/37]: configuring uuid plugin
  [11/37]: configuring modrdn plugin
  [12/37]: configuring DNS plugin
  [13/37]: enabling entryUSN plugin
  [14/37]: configuring lockout plugin
  [15/37]: configuring topology plugin
  [16/37]: creating indices
  [17/37]: enabling referential integrity plugin
  [18/37]: configuring ssl for ds instance
  [19/37]: configuring certmap.conf
  [20/37]: configure autobind for root
  [21/37]: configure new location for managed entries
  [22/37]: configure dirsrv ccache
  [23/37]: enable SASL mapping fallback
  [24/37]: restarting directory server
  [25/37]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 7 seconds elapsed
Update succeeded
  [26/37]: updating schema
  [27/37]: setting Auto Member configuration
  [28/37]: enabling S4U2Proxy delegation
  [29/37]: importing CA certificates from LDAP
  [30/37]: initializing group membership
  [31/37]: adding master entry
ipa : CRITICAL Failed to load master-entry.ldif: Command ''/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmpFlM3mD' '-H' 'ldap://replica1.zaeba.li:389' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmpk_R0Lm'' returned non-zero exit status 68
  [32/37]: initializing domain level
  [33/37]: configuring Posix uid/gid generation
  [34/37]: adding replication acis
  [35/37]: enabling compatibility plugin
  [36/37]: tuning directory server
  [37/37]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [1/21]: creating certificate server user
  [2/21]: configuring certificate server instance
  [3/21]: stopping certificate server instance to update CS.cfg
  [4/21]: backing up CS.cfg
  [5/21]: disabling nonces
  [6/21]: set up CRL publishing
  [7/21]: enable PKIX certificate path discovery and validation
  [8/21]: starting certificate server instance
  [9/21]: creating RA agent certificate database
  [10/21]: importing CA chain to RA certificate database
  [11/21]: fixing RA database permissions
  [12/21]: setting up signing cert profile
  [13/21]: set certificate subject base
  [14/21]: enabling Subject Key Identifier
  [15/21]: enabling Subject Alternative Name
  [16/21]: enabling CRL and OCSP extensions for certificates
  [17/21]: setting audit signing renewal to 2 years
  [18/21]: configure certmonger for renewals
  [19/21]: configure certificate renewals
  [20/21]: configure Server-Cert certificate renewal
  [21/21]: Configure HTTP to proxy connections
Done configuring certificate server (pki-tomcatd).
Restarting the directory and certificate servers
Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
  [1/8]: adding sasl mappings to the directory
  [2/8]: configuring KDC
  [3/8]: creating a keytab for the directory
  [4/8]: creating a keytab for the machine
  [5/8]: adding the password extension to the directory
  [6/8]: enable GSSAPI for replication
  [error] NO_SUCH_OBJECT: {'desc': 'No such object'}
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Traceback (most recent call last):
  File "/sbin/ipa-replica-install", line 162, in
    fail_message=fail_message)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 760, in run_script
    message, exitcode = handle_error(error, log_file_name)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 799, in handle_error
    type(error).__name__, error.args[0]['info']), 1
KeyError: 'info'

It needs to be noted that the replica file was prepared on the master
running standard 4.1.2 freeipa-server.
The log is attached

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipareplica-install.log.gz
Type: application/gzip
Size: 22406 bytes
Desc: not available
URL:
From jcholast at redhat.com Tue Jun 2 10:35:50 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 02 Jun 2015 12:35:50 +0200
Subject: [Freeipa-devel] [PATCH 0262] Installer FIX: remove temporal ccache
In-Reply-To: <556D6EF7.9050902@redhat.com>
References: <556C49CB.30801@redhat.com> <556C68DA.4030808@redhat.com> <556C7092.1070700@redhat.com> <20150602082448.GP23523@dhcp-40-8.bne.redhat.com> <556D6EF7.9050902@redhat.com>
Message-ID: <556D8706.9050005@redhat.com>

On 2.6.2015 at 10:53, Martin Basti wrote:
> On 02/06/15 10:24, Fraser Tweedale wrote:
>> On Mon, Jun 01, 2015 at 04:47:46PM +0200, Martin Basti wrote:
>>> On 01/06/15 16:14, Rob Crittenden wrote:
>>>> Martin Basti wrote:
>>>>> Fixes an issue caused by the latest installer patches pushed to
>>>>> master.
>>>>>
>>>>> Patch attached.
>>>>>
>>>>>
>>>>>
>>>> The use of globals makes my skin crawl a bit, but since you're making
>>>> changes in here you should take a look at this ticket:
>>>> https://fedorahosted.org/freeipa/ticket/5042
>>>>
>>>> rob
>>> Hi Rob,
>>>
>>> this is a fix for that ticket, I missed the ticket somehow.
>>>
>>> Thanks.
>>> Martin^2
>>>
>>> --
>>> Manage your subscription for the Freeipa-devel mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
>> Fixes the problem for me, but I agree with Rob re globals - a
>> context manager would be much nicer. Something like (pseudocode):
>>
>> @contextlib.contextmanager
>> def private_ccache():
>>     ... stuff currently in init_private_ccache()
>>     yield
>>     ... stuff currently in destroy_private_ccache()
>>
>> Then in ipa-server-install main():
>>
>>     with private_ccache():
>>         if not options.uninstall:
>>             server.install_check(options)
>>             server.install(options)
>>         else:
>>             server.uninstall_check(options)
>>             server.uninstall(options)
>>
>> Cheers,
>> Fraser
> Thank you!
>
> However, I would wait for Honza's answer, if this will fit in his big
> installer plan.
>
The code will be gradually ported to the new install framework, removing
the globals in the process. The context manager was used before the code
was moved into a module and was removed on purpose to allow the split
into two functions, which is necessary for the port.

ACK on the patch.

Pushed to master: af8f44c86ab37d83b952c0f021c6509c48be7da8

--
Jan Cholasta
From mbasti at redhat.com Tue Jun 2 10:36:03 2015
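A context manager of the kind Fraser sketches in the quoted reply, as an added example rather than FreeIPA's own code: the `init_private_ccache()`/`destroy_private_ccache()` bodies are stood in for by temp-file creation and KRB5CCNAME handling, and the install steps are stand-ins that either succeed or raise, to show that the cache is removed and the environment restored on both paths.

```python
import contextlib
import os
import tempfile


@contextlib.contextmanager
def private_ccache(path=None):
    """Point KRB5CCNAME at a private, temporary credential cache for the
    duration of the with-block, then restore the caller's KRB5CCNAME and
    delete the cache file, whether the block completed or raised."""
    if path is None:
        fd, path = tempfile.mkstemp(prefix="krb5cc_install_")
        os.close(fd)
    previous = os.environ.get("KRB5CCNAME")   # None when it was unset
    os.environ["KRB5CCNAME"] = "FILE:" + path
    try:
        yield path
    finally:
        # Restore the environment, then remove the cache, so a failure in
        # the install steps cannot leave the temporary cache (and the
        # admin credentials in it) behind on disk.
        if previous is None:
            os.environ.pop("KRB5CCNAME", None)
        else:
            os.environ["KRB5CCNAME"] = previous
        try:
            os.remove(path)
        except FileNotFoundError:
            pass


def run_with_private_ccache(step):
    """Run step(cache_path) inside private_ccache() and report the state
    left behind: (result_or_exception, cache_file_exists, env_restored)."""
    before = os.environ.get("KRB5CCNAME")
    seen = {}
    try:
        with private_ccache() as path:
            seen["path"] = path
            result = step(path)
    except Exception as exc:  # an install step failed; cleanup still ran
        result = exc
    after = os.environ.get("KRB5CCNAME")
    return result, os.path.exists(seen.get("path", "")), before == after


def simulate_kinit(path):
    """Stand-in for the kinit the installer performs: writes a constructed
    placeholder into the cache and returns the KRB5CCNAME it saw."""
    with open(path, "wb") as cache:
        cache.write(b"constructed placeholder, not a real ccache")
    return os.environ["KRB5CCNAME"]


def failing_install_step(path):
    """Stand-in for server.install() raising part-way through."""
    raise RuntimeError("install failed after credentials were obtained")


if __name__ == "__main__":
    print(run_with_private_ccache(simulate_kinit))
    print(run_with_private_ccache(failing_install_step))
```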
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 02 Jun 2015 12:36:03 +0200
Subject: [Freeipa-devel] [PATCH 0014 v3] Support multiple user and host certificates
In-Reply-To: <20150602094227.GR23523@dhcp-40-8.bne.redhat.com>
References: <20150527135315.GC24915@dhcp-40-8.bne.redhat.com> <5565ED02.6060709@redhat.com> <20150528111804.GA23523@dhcp-40-8.bne.redhat.com> <20150601044027.GH23523@dhcp-40-8.bne.redhat.com> <556C5525.8080305@redhat.com> <20150602094227.GR23523@dhcp-40-8.bne.redhat.com>
Message-ID: <556D8713.5030101@redhat.com>

On 02/06/15 11:42, Fraser Tweedale wrote:
> On Mon, Jun 01, 2015 at 02:50:45PM +0200, Martin Basti wrote:
>> On 01/06/15 06:40, Fraser Tweedale wrote:
>>> New version of patch; ``{host,service}-show --out=FILE`` now writes
>>> all certs to FILE. Rebased on latest master.
>>>
>>> Thanks,
>>> Fraser
>>>
>>> On Thu, May 28, 2015 at 09:18:04PM +1000, Fraser Tweedale wrote:
>>>> Updated patch attached. Notably restores/adds revocation behaviour
>>>> to host-mod and service-mod.
>>>>
>>>> Thanks,
>>>> Fraser
>>>>
>>>> On Wed, May 27, 2015 at 06:12:50PM +0200, Martin Basti wrote:
>>>>> On 27/05/15 15:53, Fraser Tweedale wrote:
>>>>>> This patch adds support for multiple user / host certificates. No
>>>>>> schema change is needed ('usercertificate' attribute is already
>>>>>> multi-value). The revoke-previous-cert behaviour of host-mod and
>>>>>> user-mod has been removed but revocation behaviour of -del and
>>>>>> -disable is preserved.
>>>>>>
>>>>>> The latest profiles/caacl patchset (0001..0013 v5) depends on this
>>>>>> patch for correct cert-request behaviour.
>>>>>>
>>>>>> There is one design question (or maybe more, let me know): the
>>>>>> `--out=FILENAME' option to {host,service} show saves ONE certificate
>>>>>> to the named file. I propose to either:
>>>>>>
>>>>>> a) write all certs, suffixing suggested filename with either a
>>>>>> sequential numerical index, e.g. "cert.pem" becomes
>>>>>> "cert.pem.1", "cert.pem.2", and so on; or
>>>>>>
>>>>>> b) as above, but suffix with serial number and, if there are
>>>>>> different issuers, some issuer-identifying information.
>>>>>>
>>>>>> Let me know your thoughts.
>>>>>>
>>>>>> Thanks,
>>>>>> Fraser
>>>>>>
>>>>>>
>>>>> Is there a possible way how to store certificates into one file?
>>>>> I read about possibilities to have multiple certs in one .pem file, but I'm
>>>>> not a cert guru :)
>>>>>
>>>>> I personally vote for serial number in case there are multiple certificates,
>>>>> if ^ is not possible.
>>>>>
>>>>>
>>>>> 1)
>>>>> + if len(certs) > 0:
>>>>>
>>>>> please use only
>>>>> if certs:
>>>>>
>>>>> 2)
>>>>> You need to re-generate API/ACI.txt in this patch
>>>>>
>>>>> 3)
>>>>> syntax error:
>>>>> + for dercert in certs_der
>>>>>
>>>>>
>>>>> 4)
>>>>> command
>>>>> ipa user-mod ca_user --certificate=
>>>>>
>>>>> removes the current certificate from the LDAP, by design.
>>>>> Should the old certificate(s) be revoked? You removed that part in the code.
>>>>>
>>>>> only the --addattr='usercertificate=' appends a new value there
>>>>>
>>>>> --
>>>>> Martin Basti
>>>>>
>> My objections/proposed solutions in attached patch.
>>
>> * VERSION
>> * In the previous version normalized values were stored in LDAP, so I added
>> it back. (I don't know why there is no normalization in param settings, but
>> normalization for every certificate is done in callback. I will file a
>> ticket for this)
>> * IMO only normalized certificates should be compared in the old
>> certificates detection
>>
> I incorporated your suggested changes in new patch (attached).
>
> There were no proposed changes to the other patchset (0001..0013)
> since rebase.
>
> Thanks,
> Fraser

Thank you, ACK
Martin^2
From ftweedal at redhat.com Tue Jun 2 10:59:05 2015
From: ftweedal at redhat.com (Fraser Tweedale) Date: Tue, 2 Jun 2015 20:59:05 +1000 Subject: [Freeipa-devel] [PATCH 0008-0009] use 1 as domain level to activate plugin, fix a crash when removing a replica In-Reply-To: <556D63A7.4090307@redhat.com> References: <556D63A7.4090307@redhat.com> Message-ID: <20150602105905.GS23523@dhcp-40-8.bne.redhat.com> On Tue, Jun 02, 2015 at 10:04:55AM +0200, Ludwig Krispenz wrote: > Hi, > > with the first patch the topo plugin no longer uses plugin version to > compare to set domainlevel, always gets activated if dom level >= 1 > the second patch fixes a crash at replica removal > > Ludwig These patches fix the issue for me. I don't know what is (supposed to be) happening in the code. Is my testing enough for the ACK? Cheers, Fraser > >From 7e08b6181973cc51e50eae69974682878b8ca66b Mon Sep 17 00:00:00 2001 > From: Ludwig Krispenz > Date: Tue, 2 Jun 2015 09:17:54 +0200 > Subject: [PATCH] plugin uses 1 as minimum domain level to become active no > calculation based on plugin version > > --- > daemons/ipa-slapi-plugins/topology/topology.h | 9 ++------ > daemons/ipa-slapi-plugins/topology/topology_cfg.c | 25 +++++++--------------- > daemons/ipa-slapi-plugins/topology/topology_init.c | 2 +- > daemons/ipa-slapi-plugins/topology/topology_util.c | 4 +--- > 4 files changed, 12 insertions(+), 28 deletions(-) > > diff --git a/daemons/ipa-slapi-plugins/topology/topology.h b/daemons/ipa-slapi-plugins/topology/topology.h > index 38c2823f50153c6b02a234608869617c92d1bdf2..4135a8ff71b9160919a089fde63a95a989830de8 100644 > --- a/daemons/ipa-slapi-plugins/topology/topology.h > +++ b/daemons/ipa-slapi-plugins/topology/topology.h 
> @@ -125,11 +125,6 @@ typedef struct topo_plugin_config { > int activated; > } TopoPluginConf; > > -typedef struct ipa_domain_level { > - int major; > - int minor; > -} IpaDomainLevel; > - > #define CONFIG_ATTR_SHARED_BASE "nsslapd-topo-plugin-shared-config-base" > #define CONFIG_ATTR_REPLICA_ROOT "nsslapd-topo-plugin-shared-replica-root" > #define CONFIG_ATTR_SHARED_BINDDNGROUP "nsslapd-topo-plugin-shared-binddngroup" > @@ -158,8 +153,8 @@ int ipa_topo_get_plugin_version_major(void); > int ipa_topo_get_plugin_version_minor(void); > char *ipa_topo_get_domain_level_entry(void); > Slapi_DN *ipa_topo_get_domain_level_entry_dn(void); > -int ipa_topo_get_domain_level_major(void); > -int ipa_topo_get_domain_level_minor(void); > +int ipa_topo_get_domain_level(void); > +int ipa_topo_get_min_domain_level(void); > int ipa_topo_get_plugin_startup_delay(void); > void ipa_topo_set_plugin_id(void *plg_id); > void ipa_topo_set_plugin_active(int state); > diff --git a/daemons/ipa-slapi-plugins/topology/topology_cfg.c b/daemons/ipa-slapi-plugins/topology/topology_cfg.c > index 17493495af83d1095fbafead104d6f56bd7af10e..982ad647db9737c1aa0fc7f68c7d9b20de895fb6 100644 > --- a/daemons/ipa-slapi-plugins/topology/topology_cfg.c > +++ b/daemons/ipa-slapi-plugins/topology/topology_cfg.c > @@ -10,7 +10,8 @@ > */ > static TopoPluginConf topo_plugin_conf = {0}; > static TopoReplicaConf topo_shared_conf = {0}; > -static IpaDomainLevel ipa_domain_level = {0,0}; > +static int ipa_domain_level = 0; > +static int topo_min_domain_level = 1; > > char *ipa_topo_plugin_managed_attrs[] = { > "nsds5ReplicaStripAttrs", 
> @@ -95,15 +96,15 @@ ipa_topo_get_domain_level_entry_dn(void) > } > > int > -ipa_topo_get_domain_level_major(void) > +ipa_topo_get_min_domain_level(void) > { > - return ipa_domain_level.major; > + return topo_min_domain_level; > } > > int > -ipa_topo_get_domain_level_minor(void) > +ipa_topo_get_domain_level(void) > { > - return ipa_domain_level.minor; > + return ipa_domain_level; > } > > char * > @@ -199,22 +200,12 @@ ipa_topo_set_plugin_shared_bindgroup(char *bindgroup) > void > ipa_topo_set_domain_level(char *level) > { > - char *minor; > - > if (level == NULL) { > - ipa_domain_level.major = 0; > - ipa_domain_level.minor = 0; > + ipa_domain_level = 0; > return; > } > > - minor = strchr(level,'.'); > - if (minor) { > - *minor = '\0'; > - ipa_domain_level.minor = atoi(++minor); > - } else { > - ipa_domain_level.minor = 0; > - } > - ipa_domain_level.major = atoi(level); > + ipa_domain_level = atoi(level); > } > > void > diff --git a/daemons/ipa-slapi-plugins/topology/topology_init.c b/daemons/ipa-slapi-plugins/topology/topology_init.c > index 77e740ea182c2331c88d2716d1c4f7be8ef8c257..af5b8021f4ba6833dff11d9c89543e9bb74bdeb9 100644 > --- a/daemons/ipa-slapi-plugins/topology/topology_init.c > +++ b/daemons/ipa-slapi-plugins/topology/topology_init.c > @@ -264,7 +264,7 @@ ipa_topo_rootdse_search(Slapi_PBlock *pb, Slapi_Entry* e, Slapi_Entry* entryAfte > /* we expose temporarily the domain level in this function, should > * finally be handled in a plugin managing the domain level > */ > - char *level = slapi_ch_smprintf("%d", ipa_topo_get_domain_level_major()); > + char *level = slapi_ch_smprintf("%d", ipa_topo_get_domain_level()); > slapi_entry_attr_set_charptr(e, "ipaDomainLevel", level); > slapi_ch_free_string(&version); > slapi_ch_free_string(&level); > diff --git a/daemons/ipa-slapi-plugins/topology/topology_util.c b/daemons/ipa-slapi-plugins/topology/topology_util.c > index f206464a5b47b9dc7e0edd5dd764228b076b6dd9..d487cfb638ac9bd0fb94cdd2638d5fd5ae4e6908 100644 
> --- a/daemons/ipa-slapi-plugins/topology/topology_util.c > +++ b/daemons/ipa-slapi-plugins/topology/topology_util.c > @@ -110,9 +110,7 @@ ipa_topo_util_get_pluginhost(void) > void > ipa_topo_util_check_plugin_active(void) > { > - if (ipa_topo_get_plugin_version_major() < ipa_topo_get_domain_level_major() || > - (ipa_topo_get_plugin_version_major() == ipa_topo_get_domain_level_major() && > - ipa_topo_get_plugin_version_minor() <= ipa_topo_get_domain_level_minor())) { > + if (ipa_topo_get_min_domain_level() <= ipa_topo_get_domain_level()) { > ipa_topo_set_plugin_active(1); > } else { > ipa_topo_set_plugin_active(0); > -- > 2.1.0 > > >From 2f27a90394da56925694d771592c9fe3ae40eeeb Mon Sep 17 00:00:00 2001 > From: Ludwig Krispenz > Date: Tue, 2 Jun 2015 09:29:23 +0200 > Subject: [PATCH] crash when removing a replica > > when a server is removed from the topology the plugin tries to remove the > credentials from the replica and the bind dn group. > It performs an internal search for the ldap principal, but can fail if it was already removed > Due to an uninitialized variable in this case it can either crash or erroneously remove all > principals. > --- > daemons/ipa-slapi-plugins/topology/topology_util.c | 14 +++++++++++--- > 1 file changed, 11 insertions(+), 3 deletions(-) > > diff --git a/daemons/ipa-slapi-plugins/topology/topology_util.c b/daemons/ipa-slapi-plugins/topology/topology_util.c > index d487cfb638ac9bd0fb94cdd2638d5fd5ae4e6908..67014a05d4f89260d4307e5212a5594335617482 100644 > --- a/daemons/ipa-slapi-plugins/topology/topology_util.c > +++ b/daemons/ipa-slapi-plugins/topology/topology_util.c 
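Review bot: in the topology_cfg.c hunk for ipa_topo_set_domain_level, `ipa_domain_level = atoi(level);` silently turns an empty or non-numeric ipaDomainLevel value into 0, which with the `topo_min_domain_level = 1` default deactivates the plugin without any diagnostic. Parse with strtol and an end-pointer check instead, and log through slapi_log_error when the value is not a plain integer, so a malformed attribute is distinguishable from a genuine level 0.

Review bot: the simplified `ipa_topo_get_min_domain_level() <= ipa_topo_get_domain_level()` check in the topology_util.c hunk is clearer than the old major/minor comparison, but the minimum it reads is a mutable `static int topo_min_domain_level = 1;` in topology_cfg.c that only has a getter. If it is meant to be fixed, make it `const` or a `#define` beside the other CONFIG_ macros in topology.h so nothing can change it at runtime and "1 as minimum domain level" holds by construction.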
> @@ -1201,7 +1201,15 @@ void > ipa_topo_util_disable_repl_from_host(char *repl_root, char *delhost) > { > char *principal = ipa_topo_util_get_ldap_principal(repl_root, delhost); > - ipa_topo_util_disable_repl_for_principal(repl_root, principal); > + if (principal) { > + ipa_topo_util_disable_repl_for_principal(repl_root, principal); > + slapi_ch_free_string(&principal); > + } else { > + slapi_log_error(SLAPI_LOG_PLUGIN, IPA_TOPO_PLUGIN_SUBSYSTEM, > + "ipa_topo_util_disable_repl_from_host: " > + "failed to get ldap principal for host: %s \n", > + delhost); > + } > } > > void > @@ -1322,10 +1330,10 @@ char * > ipa_topo_util_get_ldap_principal(char *repl_root, char *hostname) > { > int rc = 0; > - Slapi_Entry **entries; > + Slapi_Entry **entries = NULL; > Slapi_PBlock *pb = NULL; > char *filter; > - char *dn; > + char *dn = NULL; > > filter = slapi_ch_smprintf("krbprincipalname=ldap/%s*",hostname); > pb = slapi_pblock_new(); > -- > 2.1.0 > > -- > Manage your subscription for the Freeipa-devel mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-devel > Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code From thozza at redhat.com Tue Jun 2 11:15:54 2015 From: thozza at redhat.com (Tomas Hozza) Date: Tue, 02 Jun 2015 13:15:54 +0200 Subject: [Freeipa-devel] [PATCH 0377-0382] Synchronize changes from LDAP after reconnect In-Reply-To: <1005260903.6114507.1432828693773.JavaMail.zimbra@redhat.com> References: <5565BDAC.7070806@redhat.com> <1005260903.6114507.1432828693773.JavaMail.zimbra@redhat.com> Message-ID: <556D906A.2020707@redhat.com> On 05/28/2015 05:58 PM, Matus Honek wrote: > Hi, > > functionality seems to work fine. I have not checked the code thoroughly. > Kind of a test is attached (requires setting named's ldap connection appropriately). > > ACK > > Matúš Honěk > > > ----- Original Message ----- 
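Review bot: in the ipa_topo_util_disable_repl_from_host hunk, the else branch logs at SLAPI_LOG_PLUGIN, which is off unless plugin logging is enabled, so an administrator removing a host would not normally learn that its replication credentials were left in place; log this case at SLAPI_LOG_FATAL (always on), and drop the stray space before `\n` in the format string. The added `slapi_ch_free_string(&principal);` is a welcome fix in its own right, since the old code never released the string returned by ipa_topo_util_get_ldap_principal.

Review bot: initialising `entries` and `dn` to NULL in the ipa_topo_util_get_ldap_principal hunk removes the uninitialised read the commit message describes, but the hunk stops at slapi_pblock_new(), so the code that inspects rc and walks entries is not visible; please confirm it returns NULL when the search fails or yields no entry rather than dereferencing entries[0]. Separately, the unchanged context line `filter = slapi_ch_smprintf("krbprincipalname=ldap/%s*",hostname);` interpolates hostname into the LDAP filter unescaped, so a hostname containing filter metacharacters such as `*`, `(` or `)` widens the match, which is one way a single removal can touch more than one principal; escape the value first (389-ds provides slapi_escape_filter_value for this).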
> From: "Petr Spacek" > To: thozza at redhat.com, "Matus Honek" > Cc: freeipa-devel at redhat.com > Sent: Wednesday, May 27, 2015 2:50:52 PM > Subject: [PATCH 0377-0382] Synchronize changes from LDAP after reconnect > > Hello, > > https://fedorahosted.org/bind-dyndb-ldap/ticket/128 > > Previously records deleted when connection to LDAP server was down were not > synchronized properly. It should work now. > > I use this command to simulate broken connections and connection re-establishment: > $ socat tcp-listen:3899,reuseaddr,fork tcp-connect:localhost:389 > > It should be enough to add "ldap://$(hostname):3899" as LDAP URI to > /etc/named.conf and then simulate changes by killing and restarting socat. > > Let me know if you need any assistance! > Hi. I did a formal review of the code. Everything looks good. ACK. Regards, -- Tomas Hozza Software Engineer - EMEA ENG Developer Experience PGP: 1D9F3C2D Red Hat Inc. http://cz.redhat.com From mkosek at redhat.com Tue Jun 2 11:56:47 2015 
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 02 Jun 2015 13:56:47 +0200 Subject: [Freeipa-devel] [PATCH] Password vault In-Reply-To: <556D7FBD.4080207@redhat.com> References: <54E1AF55.3060409@redhat.com> <54EBEB55.6010306@redhat.com> <54F96B22.9050507@redhat.com> <55004D5D.6060300@redhat.com> <550FE5EB.1070606@redhat.com> <551E0AE1.8040500@redhat.com> <553498D1.1020901@redhat.com> <55651209.8020000@redhat.com> <556558AA.6040107@redhat.com> <5566AB15.3070605@redhat.com> <5566ABAB.7050008@redhat.com> <556CF29A.9090404@redhat.com> <556D7FBD.4080207@redhat.com> Message-ID: <556D99FF.9000806@redhat.com> On 06/02/2015 12:04 PM, Jan Cholasta wrote: > Dne 2.6.2015 v 02:02 Endi Sukma Dewata napsal(a): >> On 5/28/2015 12:46 AM, Jan Cholasta wrote: >>>> On a related note, since KRA is optional, can we move the vaults >>>> container to cn=kra,cn=vaults? This is the convention used by the other >>>> optional components (DNS and recently CA). >>> >>> I mean cn=vaults,cn=kra of course. >> >> If you are talking about the o=kra,, I'm not sure whether >> the IPA framework will work with it. >> >> If you are talking about adding a new cn=kra, entry on top >> of cn=vaults, what is the purpose of this entry? Is the entry going to >> be created/deleted automatically when the KRA is installed/removed? Is >> it going to be used for something else other than vaults? > > I'm talking about cn=kra,. It should be created only when KRA is > installed, although I think this can be done later after the release, moving > vaults to cn=kra should be good enough for now. It's going to be used for > everything KRA-specific. > >> >> There are a lot of questions that need to be answered before we can make >> this change. > > This is about sticking to a convention, which everyone should do, and everyone > except KRA already does. > > I'm sorry I didn't realize this earlier, but the change must be done now. +1 for this change. 
I do not even think it will be that big a deal, it is just about the default space in the IPA tree - to have proper structure in it (DNS has cn=dns, KRA has cn=kra, etc.). > >> We probably should revisit this issue after the core vault >> functionality is added. >> > > We can't revisit it later because after release we are stuck with whatever is > there forever. Right. From pvoborni at redhat.com Tue Jun 2 12:06:44 2015 From: pvoborni at redhat.com (Petr Vobornik) Date: Tue, 02 Jun 2015 14:06:44 +0200 Subject: [Freeipa-devel] [PATCH 0007] replica install fails with domain level 1 In-Reply-To: <556C59DA.3000305@redhat.com> References: <55687B3C.4070303@redhat.com> <556C1937.6070502@redhat.com> <556C2399.6090808@redhat.com> <556C59DA.3000305@redhat.com> Message-ID: <556D9C54.4020201@redhat.com> On 06/01/2015 03:10 PM, thierry bordaz wrote: > On 06/01/2015 11:19 AM, Oleg Fayans wrote: >> Works for me too. Will perform extensive testing today, and report >> everything that I find. >> Thanks, Ludwig! >>> On 05/29/2015 04:44 PM, Ludwig Krispenz wrote: >>>> This is a patch for the two issues reported in ticket #5035 >>>> https://fedorahosted.org/freeipa/ticket/5035 >>>> >>>> >>> >>> Works for me. I was able to install 2 replicas with domain level 1 in >>> one topology. >>> >>> Code looks good to me as well. Tentative ACK (would be nice if it was >>> skimmed by Thierry). >> > Sorry for the late feedback. This change looks good to me as well. ACK > Pushed to master: faa4d0b6ea6e911c1098b070d1959b3106d5b5b2 -- Petr Vobornik From edewata at redhat.com Tue Jun 2 12:07:02 2015 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 02 Jun 2015 07:07:02 -0500 Subject: [Freeipa-devel] [PATCH] Password vault In-Reply-To: <556D48F3.7040902@redhat.com> References: <54E1AF55.3060409@redhat.com> <54EBEB55.6010306@redhat.com> <54F96B22.9050507@redhat.com> <55004D5D.6060300@redhat.com> <550FE5EB.1070606@redhat.com> <551E0AE1.8040500@redhat.com> <553498D1.1020901@redhat.com> <55651209.8020000@redhat.com> <556558AA.6040107@redhat.com> <556CF209.7050404@redhat.com> <556D48F3.7040902@redhat.com> Message-ID: <556D9C66.2080706@redhat.com> On 6/2/2015 1:10 AM, Martin Kosek wrote: > Hi Endi, > > Quickly skimming through your patches raised a couple of questions on my side: > > 1) Will it be possible to also store plain text password via Vault? It > talks about taking in the binary data or the text file, but will it also > work with plain user secrets (passwords)? I am talking about use like this: > > # ipa vault-archive --user mkosek --data Secret123 For security the plain text password should be stored in a file first: # vi password.txt # ipa vault-archive --user mkosek --in password.txt It's also possible to specify the password as base-64 encoded data: # echo -n Secret123 | base64 # ipa vault-archive --user mkosek --data U2VjcmV0MTIz But it's not recommended since the data will be stored in the command history and someone could see and decode it. I think passing a plain text password as command line argument would be even worse. The --data parameter is mainly used for unit testing. Later we might be able to add an option to read from standard input: # cat password.txt | ipa vault-archive --user mkosek --std-in > 2) Didn't we discuss a dependency of IPA/Vault on python-cryptography in > the past? I rather see use of python-nss for cryptography... Yes. I might have mentioned that it would be in the 2nd (current) vault patch. Actually it will be in the 3rd patch when we add the symmetric and asymmetric vaults. 
The symmetric and asymmetric encryption will be implemented using python-cryptography. You can also see this in an old patch (#358) but it's obsolete now. The standard vault in the current patch uses python-nss for transport encryption because when the KRA interface was written python-cryptography wasn't available on Fedora, it didn't support certificates, and I'm not sure if it supports key wrapping. The symmetric and asymmetric vaults add an additional layer of encryption on top of the standard transport encryption, so it will depend on both python-nss and python-cryptography. In the future if the KRA can support python-cryptography without python-nss we may be able to drop the python-nss dependency from vaults. > 3) You do a lot of actions in the forward() method (as planned in > https://www.freeipa.org/page/V4/Password_Vault#Archival). But how do you > envision that this is consumed by the Web UI? It does not have access to > the forward() method. Would it need to also include some crypto library? If Web UI wants to access vault (not sure if everybody agrees with that), it would have to perform an encryption on the browser side. In that case we will need to use either WebCrypto or a browser-specific extension to implement something similar to vault_archive.forward(), assuming the required cryptographic functionalities are available. In the future PKI might be able to provide a JavaScript interface for KRA. > 4) In the vault-archive forward method, you use "pki" module. However, > this module will be only available on FreeIPA PKI-powered servers and > not on FreeIPA clients - so this will not work unless freeipa-client > gets a dependency on pki-base - which is definitely not something we > want... In my opinion it should be fine to require pki-base on the client because it contains just the client library, unless you have other concerns? Any objections to having pki-nss and pki-cryptography dependencies on the client? 
Even if we can change the client code not to depend on "pki" module, since in this framework the client and server code are written in the same plugin, the "import pki" still cannot be removed since it's still needed by the server code, and I don't think conditional import is a good programming practice. > Thanks, > Martin -- Endi S. Dewata From mbabinsk at redhat.com Tue Jun 2 12:07:27 2015 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Tue, 02 Jun 2015 14:07:27 +0200 Subject: [Freeipa-devel] KeyError raised upon replica installation In-Reply-To: <556D80E5.6050802@redhat.com> References: <556D80E5.6050802@redhat.com> Message-ID: <556D9C7F.7010507@redhat.com> On 06/02/2015 12:09 PM, Oleg Fayans wrote: > Hi all, > > The following error was caught during replica installation (I used all > the latest patches from Ludwig and Martin Basti): > > root at localhost:/home/ofayans/rpms]$ ipa-replica-install --setup-ca > --setup-dns --forwarder 10.38.5.26 > /var/lib/ipa/replica-info-replica1.zaeba.li.gpg > Directory Manager (existing master) password: > > Existing BIND configuration detected, overwrite? [no]: yes > Adding [192.168.122.210 replica1.zaeba.li] to your /etc/hosts file > Checking forwarders, please wait ... > Using reverse zone(s) 122.168.192.in-addr.arpa. > Run connection check to master > Check connection from replica to remote master 'upgrademaster.zaeba.li': > Directory Service: Unsecure port (389): OK > Directory Service: Secure port (636): OK > Kerberos KDC: TCP (88): OK > Kerberos Kpasswd: TCP (464): OK > HTTP Server: Unsecure port (80): OK > HTTP Server: Secure port (443): OK > > The following list of ports use UDP protocol and would need to be > checked manually: > Kerberos KDC: UDP (88): SKIPPED > Kerberos Kpasswd: UDP (464): SKIPPED > > Connection from replica to master is OK. 
> Start listening on required ports for remote master check > Get credentials to log in to remote master > admin at ZAEBA.LI password: > > Check SSH connection to remote master > Execute check on remote master > Check connection from master to remote replica 'replica1.zaeba.li': > Directory Service: Unsecure port (389): OK > Directory Service: Secure port (636): OK > Kerberos KDC: TCP (88): OK > Kerberos KDC: UDP (88): OK > Kerberos Kpasswd: TCP (464): OK > Kerberos Kpasswd: UDP (464): OK > HTTP Server: Unsecure port (80): OK > HTTP Server: Secure port (443): OK > > Connection from master to replica is OK. > > Connection check OK > Configuring NTP daemon (ntpd) > [1/4]: stopping ntpd > [2/4]: writing configuration > [3/4]: configuring ntpd to start on boot > [4/4]: starting ntpd > Done configuring NTP daemon (ntpd). > Configuring directory server (dirsrv): Estimated time 1 minute > [1/37]: creating directory server user > [2/37]: creating directory server instance > [3/37]: adding default schema > [4/37]: enabling memberof plugin > [5/37]: enabling winsync plugin > [6/37]: configuring replication version plugin > [7/37]: enabling IPA enrollment plugin > [8/37]: enabling ldapi > [9/37]: configuring uniqueness plugin > [10/37]: configuring uuid plugin > [11/37]: configuring modrdn plugin > [12/37]: configuring DNS plugin > [13/37]: enabling entryUSN plugin > [14/37]: configuring lockout plugin > [15/37]: configuring topology plugin > [16/37]: creating indices > [17/37]: enabling referential integrity plugin > [18/37]: configuring ssl for ds instance > [19/37]: configuring certmap.conf > [20/37]: configure autobind for root > [21/37]: configure new location for managed entries > [22/37]: configure dirsrv ccache > [23/37]: enable SASL mapping fallback > [24/37]: restarting directory server > [25/37]: setting up initial replication > Starting replication, please wait until this has completed. 
> Update in progress, 7 seconds elapsed > Update succeeded > > [26/37]: updating schema > [27/37]: setting Auto Member configuration > [28/37]: enabling S4U2Proxy delegation > [29/37]: importing CA certificates from LDAP > [30/37]: initializing group membership > [31/37]: adding master entry > ipa : CRITICAL Failed to load master-entry.ldif: Command > ''/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmpFlM3mD' '-H' > 'ldap://replica1.zaeba.li:389' '-x' '-D' 'cn=Directory Manager' '-y' > '/tmp/tmpk_R0Lm'' returned non-zero exit status 68 > [32/37]: initializing domain level > [33/37]: configuring Posix uid/gid generation > [34/37]: adding replication acis > [35/37]: enabling compatibility plugin > [36/37]: tuning directory server > [37/37]: configuring directory to start on boot > Done configuring directory server (dirsrv). > Configuring certificate server (pki-tomcatd): Estimated time 3 minutes > 30 seconds > [1/21]: creating certificate server user > [2/21]: configuring certificate server instance > [3/21]: stopping certificate server instance to update CS.cfg > [4/21]: backing up CS.cfg > [5/21]: disabling nonces > [6/21]: set up CRL publishing > [7/21]: enable PKIX certificate path discovery and validation > [8/21]: starting certificate server instance > [9/21]: creating RA agent certificate database > [10/21]: importing CA chain to RA certificate database > [11/21]: fixing RA database permissions > [12/21]: setting up signing cert profile > [13/21]: set certificate subject base > [14/21]: enabling Subject Key Identifier > [15/21]: enabling Subject Alternative Name > [16/21]: enabling CRL and OCSP extensions for certificates > [17/21]: setting audit signing renewal to 2 years > [18/21]: configure certmonger for renewals > [19/21]: configure certificate renewals > [20/21]: configure Server-Cert certificate renewal > [21/21]: Configure HTTP to proxy connections > Done configuring certificate server (pki-tomcatd). 
> Restarting the directory and certificate servers > Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds > [1/8]: adding sasl mappings to the directory > [2/8]: configuring KDC > [3/8]: creating a keytab for the directory > [4/8]: creating a keytab for the machine > [5/8]: adding the password extension to the directory > [6/8]: enable GSSAPI for replication > [error] NO_SUCH_OBJECT: {'desc': 'No such object'} > > Your system may be partly configured. > Run /usr/sbin/ipa-server-install --uninstall to clean up. > > Traceback (most recent call last): > File "/sbin/ipa-replica-install", line 162, in > fail_message=fail_message) > File > "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", > line 760, in run_script > message, exitcode = handle_error(error, log_file_name) > File > "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", > line 799, in handle_error > type(error).__name__, error.args[0]['info']), 1 > KeyError: 'info' > > It needs to be noted, that the replica file was prepared on the master > running standard 4.1.2 freeipa-server. > > The log is attached > > > > Hi Oleg, I have encountered a different error during the same step (see http://pastebin.test.redhat.com/287218) while reviewing pvoborni's topology API commands. In this case both server and the replica were from current freeipa-master (HEAD was at commit e2c2d5967d4dfd219cd6ab5fc6f3bc8094ba28a7). I have also noticed that everything works if I run ipa-replica-install without '--setup-ca' flag and then install CA separately using 'ipa-ca-install'. I will open a ticket for this if you or anyone else will be able to reproduce this behavior. -- Martin^3 Babinsky From tbabej at redhat.com Tue Jun 2 12:10:35 2015 
From: tbabej at redhat.com (Tomas Babej) Date: Tue, 02 Jun 2015 14:10:35 +0200 Subject: [Freeipa-devel] [PATCH 0329] ipa-replica-manage: Do not allow topology altering commands Message-ID: <556D9D3B.3040901@redhat.com> Hi, With Domain Level 1 and above, the usage of ipa-replica-manage commands that alter the replica topology is deprecated. The following commands are prohibited: * connect * disconnect * del Upon executing any of these commands, users are pointed to the ipa topologysegment-* replacements. Part of: https://fedorahosted.org/freeipa/ticket/4302 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-tbabej-0329-ipa-replica-manage-Do-not-allow-topology-altering-co.patch Type: text/x-patch Size: 2627 bytes Desc: not available URL: From mbabinsk at redhat.com Tue Jun 2 12:11:06 2015 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Tue, 02 Jun 2015 14:11:06 +0200 Subject: [Freeipa-devel] KeyError raised upon replica installation In-Reply-To: <556D9C7F.7010507@redhat.com> References: <556D80E5.6050802@redhat.com> <556D9C7F.7010507@redhat.com> Message-ID: <556D9D5A.403@redhat.com> On 06/02/2015 02:07 PM, Martin Babinsky wrote: > On 06/02/2015 12:09 PM, Oleg Fayans wrote: >> Hi all, >> >> The following error was caught during replica installation (I used all >> the latest patches from Ludwig and Martin Basti): >> >> root at localhost:/home/ofayans/rpms]$ ipa-replica-install --setup-ca >> --setup-dns --forwarder 10.38.5.26 >> /var/lib/ipa/replica-info-replica1.zaeba.li.gpg >> Directory Manager (existing master) password: >> >> Existing BIND configuration detected, overwrite? [no]: yes >> Adding [192.168.122.210 replica1.zaeba.li] to your /etc/hosts file >> Checking forwarders, please wait ... >> Using reverse zone(s) 122.168.192.in-addr.arpa. >> Run connection check to master >> Check connection from replica to remote master 'upgrademaster.zaeba.li': >> Directory Service: Unsecure port (389): OK >> Directory Service: Secure port (636): OK >> Kerberos KDC: TCP (88): OK >> Kerberos Kpasswd: TCP (464): OK >> HTTP Server: Unsecure port (80): OK >> HTTP Server: Secure port (443): OK >> >> The following list of ports use UDP protocol and would need to be >> checked manually: >> Kerberos KDC: UDP (88): SKIPPED >> Kerberos Kpasswd: UDP (464): SKIPPED >> >> Connection from replica to master is OK. 
>> Start listening on required ports for remote master check >> Get credentials to log in to remote master >> admin at ZAEBA.LI password: >> >> Check SSH connection to remote master >> Execute check on remote master >> Check connection from master to remote replica 'replica1.zaeba.li': >> Directory Service: Unsecure port (389): OK >> Directory Service: Secure port (636): OK >> Kerberos KDC: TCP (88): OK >> Kerberos KDC: UDP (88): OK >> Kerberos Kpasswd: TCP (464): OK >> Kerberos Kpasswd: UDP (464): OK >> HTTP Server: Unsecure port (80): OK >> HTTP Server: Secure port (443): OK >> >> Connection from master to replica is OK. >> >> Connection check OK >> Configuring NTP daemon (ntpd) >> [1/4]: stopping ntpd >> [2/4]: writing configuration >> [3/4]: configuring ntpd to start on boot >> [4/4]: starting ntpd >> Done configuring NTP daemon (ntpd). >> Configuring directory server (dirsrv): Estimated time 1 minute >> [1/37]: creating directory server user >> [2/37]: creating directory server instance >> [3/37]: adding default schema >> [4/37]: enabling memberof plugin >> [5/37]: enabling winsync plugin >> [6/37]: configuring replication version plugin >> [7/37]: enabling IPA enrollment plugin >> [8/37]: enabling ldapi >> [9/37]: configuring uniqueness plugin >> [10/37]: configuring uuid plugin >> [11/37]: configuring modrdn plugin >> [12/37]: configuring DNS plugin >> [13/37]: enabling entryUSN plugin >> [14/37]: configuring lockout plugin >> [15/37]: configuring topology plugin >> [16/37]: creating indices >> [17/37]: enabling referential integrity plugin >> [18/37]: configuring ssl for ds instance >> [19/37]: configuring certmap.conf >> [20/37]: configure autobind for root >> [21/37]: configure new location for managed entries >> [22/37]: configure dirsrv ccache >> [23/37]: enable SASL mapping fallback >> [24/37]: restarting directory server >> [25/37]: setting up initial replication >> Starting replication, please wait until this has completed. 
>> Update in progress, 7 seconds elapsed >> Update succeeded >> >> [26/37]: updating schema >> [27/37]: setting Auto Member configuration >> [28/37]: enabling S4U2Proxy delegation >> [29/37]: importing CA certificates from LDAP >> [30/37]: initializing group membership >> [31/37]: adding master entry >> ipa : CRITICAL Failed to load master-entry.ldif: Command >> ''/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmpFlM3mD' '-H' >> 'ldap://replica1.zaeba.li:389' '-x' '-D' 'cn=Directory Manager' '-y' >> '/tmp/tmpk_R0Lm'' returned non-zero exit status 68 >> [32/37]: initializing domain level >> [33/37]: configuring Posix uid/gid generation >> [34/37]: adding replication acis >> [35/37]: enabling compatibility plugin >> [36/37]: tuning directory server >> [37/37]: configuring directory to start on boot >> Done configuring directory server (dirsrv). >> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes >> 30 seconds >> [1/21]: creating certificate server user >> [2/21]: configuring certificate server instance >> [3/21]: stopping certificate server instance to update CS.cfg >> [4/21]: backing up CS.cfg >> [5/21]: disabling nonces >> [6/21]: set up CRL publishing >> [7/21]: enable PKIX certificate path discovery and validation >> [8/21]: starting certificate server instance >> [9/21]: creating RA agent certificate database >> [10/21]: importing CA chain to RA certificate database >> [11/21]: fixing RA database permissions >> [12/21]: setting up signing cert profile >> [13/21]: set certificate subject base >> [14/21]: enabling Subject Key Identifier >> [15/21]: enabling Subject Alternative Name >> [16/21]: enabling CRL and OCSP extensions for certificates >> [17/21]: setting audit signing renewal to 2 years >> [18/21]: configure certmonger for renewals >> [19/21]: configure certificate renewals >> [20/21]: configure Server-Cert certificate renewal >> [21/21]: Configure HTTP to proxy connections >> Done configuring certificate server (pki-tomcatd). 
>> Restarting the directory and certificate servers >> Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds >> [1/8]: adding sasl mappings to the directory >> [2/8]: configuring KDC >> [3/8]: creating a keytab for the directory >> [4/8]: creating a keytab for the machine >> [5/8]: adding the password extension to the directory >> [6/8]: enable GSSAPI for replication >> [error] NO_SUCH_OBJECT: {'desc': 'No such object'} >> >> Your system may be partly configured. >> Run /usr/sbin/ipa-server-install --uninstall to clean up. >> >> Traceback (most recent call last): >> File "/sbin/ipa-replica-install", line 162, in >> fail_message=fail_message) >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", >> line 760, in run_script >> message, exitcode = handle_error(error, log_file_name) >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", >> line 799, in handle_error >> type(error).__name__, error.args[0]['info']), 1 >> KeyError: 'info' >> >> It needs to be noted, that the replica file was prepared on the master >> running standard 4.1.2 freeipa-server. >> >> The log is attached >> >> >> >> > > Hi Oleg, > > I have encountered a different error during the same step (see > http://pastebin.test.redhat.com/287218) while reviewing pvoborni's > topology API commands. In this case both server and the replica were > from current freeipa-master (HEAD was at commit > e2c2d5967d4dfd219cd6ab5fc6f3bc8094ba28a7). > > I have also noticed that everything works if I run ipa-replica-install > without '--setup-ca' flag and then install CA separately using > 'ipa-ca-install'. > > I will open a ticket for this if you or anyone else will be able to > reproduce this behavior. > Ah seems like I have just hit https://fedorahosted.org/freeipa/ticket/5035. Nevermind. -- Martin^3 Babinsky From ftweedal at redhat.com Tue Jun 2 12:11:27 2015 
From: ftweedal at redhat.com (Fraser Tweedale) Date: Tue, 2 Jun 2015 22:11:27 +1000 Subject: [Freeipa-devel] [PATCHES 0001-0013 v5.1] Profiles and CA ACLs In-Reply-To: <20150601072228.GJ23523@dhcp-40-8.bne.redhat.com> References: <555DD39C.3070103@redhat.com> <20150526155930.GI13469@dhcp-40-8.bne.redhat.com> <20150527140434.GD24915@dhcp-40-8.bne.redhat.com> <5566E484.7080809@redhat.com> <55670D4D.9080302@redhat.com> <20150529041754.GE23523@dhcp-40-8.bne.redhat.com> <55682FB0.1030807@redhat.com> <55684792.3070006@redhat.com> <20150601071058.GI23523@dhcp-40-8.bne.redhat.com> <20150601072228.GJ23523@dhcp-40-8.bne.redhat.com> Message-ID: <20150602121127.GU23523@dhcp-40-8.bne.redhat.com> On Mon, Jun 01, 2015 at 05:22:28PM +1000, Fraser Tweedale wrote: > On Mon, Jun 01, 2015 at 05:10:58PM +1000, Fraser Tweedale wrote: > > On Fri, May 29, 2015 at 01:03:46PM +0200, Martin Kosek wrote: > > > On 05/29/2015 11:21 AM, Martin Basti wrote: > > > >On 29/05/15 06:17, Fraser Tweedale wrote: > > > >>On Thu, May 28, 2015 at 02:42:53PM +0200, Martin Basti wrote: > > > >>>On 28/05/15 11:48, Martin Basti wrote: > > > >>>>On 27/05/15 16:04, Fraser Tweedale wrote: > > > >>>>>Hello all, > > > >>>>> > > > >>>>>Fresh certificate management patchset; Changelog: > > > >>>>> > > > >>>>>- Now depends on patch freeipa-ftweedal-0014 for correct > > > >>>>>cert-request behaviour with host and service principals. > > > >>>>> > > > >>>>>- Updated Dogtag dependency to 10.2.4-1. Should be in > > > >>>>>f22 soon, but for f22 right now or for f21, please grab from my > > > >>>>>copr: https://copr.fedoraproject.org/coprs/ftweedal/freeipa/ > > > >>>>> > > > >>>>> Martin^1 could you please add to the quasi-official freeipa > > > >>>>> copr? SRPM lives at > > > >>>>> https://frase.id.au/pki-core-10.2.4-1.fc21.src.rpm. 
> > > >>>>> > > > >>>>>- cert-request now verifies that for user principals, CSR CN > > > >>>>>matches uid, and DN emailAddress and SAN rfc822Name match user's > > > >>>>>email address, if either of those is present. > > > >>>>> > > > >>>>>- Fixed one or two other sneaky little bugs. > > > >>>>> > > > >>>>>On Wed, May 27, 2015 at 01:59:30AM +1000, Fraser Tweedale wrote: > > > >>>>>>Hi all, > > > >>>>>> > > > >>>>>>Please find attached the latest certificate management > > > >>>>>>patchset, which introduces the `caacl' plugin and various fixes > > > >>>>>>and improvement to earlier patches. > > > >>>>>> > > > >>>>>>One important change to earlier patches is reverting the name > > > >>>>>>of the default profile to 'caIPAserviceCert' and using the > > > >>>>>>existing instance of this profile on upgrade (but not install) > > > >>>>>>in case it has been modified. > > > >>>>>> > > > >>>>>>Other notes: > > > >>>>>> > > > >>>>>>- Still have changes in ipa-server-install (fewer lines now, > > > >>>>>>though) > > > >>>>>> > > > >>>>>>- Still have the ugly import hack. It is not a high priority > > > >>>>>>for me, i.e. I think it should wait until after alpha > > > >>>>>> > > > >>>>>>- Still need to update 'service' and 'host' plugins to support > > > >>>>>>multiple certificates. (The userCertificate attribute schema > > > >>>>>>itself is multi-valued, so there are no schema issues here) > > > >>>>>> > > > >>>>>>- The TODOs in [1]; mostly certprofile CLI conveniences and > > > >>>>>>supporting multiple profiles for hosts and services (which > > > >>>>>>requires changes to framework only, not schema). [1]: > > > >>>>>>http://idm.etherpad.corp.redhat.com/rhel72-cert-mgmt-progress > > > >>>>>> > > > >>>>>>Happy reviewing! 
I am pleased with the initial cut of the > > > >>>>>>caacl plugin but I'm sure you will find some things to be fixed > > > >>>>>>:) > > > >>>>>> > > > >>>>>>Cheers, Fraser > > > >>>>[root at vm-093 ~]# ipa-replica-prepare vm-094.example.com > > > >>>>--ip-address 10.34.78.94 Directory Manager (existing master) > > > >>>>password: > > > >>>> > > > >>>>Preparing replica for vm-094.example.com from vm-093.example.com > > > >>>>Creating SSL certificate for the Directory Server not well-formed > > > >>>>(invalid token): line 2, column 14 > > > >>>> > > > >>>>I cannot create replica file. It work on the upgraded server, > > > >>>>but it doesn't work on the newly installed server. I'm not sure > > > >>>>if this causes your patches which modifies the ca-installer, or > > > >>>>the newer version of dogtag. > > > >>>> > > > >>>>Or if there was any other changes in master, I will continue to > > > >>>>investigate with new RPM from master branch. > > > >>>> > > > >>>>Martin^2 > > > >>>> > > > >>>ipa-replica-prepare works for: * master branch * master branch + > > > >>>pki-ca 10.2.4-1 > > > >>> > > > >>>So something in your patches is breaking it > > > >>> > > > >>>Martin^2 > > > >>> > > > >>Martin, master + my patches with pki 10.2.4-1 is working for me on > > > >>f21 and f22. Can you provide ipa-replica-prepare --debug output and > > > >>Dogtag debug log? ( /var/log/pki/pki-tomcat/ca/debug ) > > > >> > > > >>Thanks, > > > >>Fraser > > > >I can not reproduce it today. And I already recycled the VMs from yesterday. :-( > > > > > > > > > > In that case I would suggest ACKing&pushing the patch and fixing the bug if > > > it comes again. The tree may now be a bit unstable, given the number of > > > patches going in. > > > > > > My main motivation here is to unblock Fraser. > > > > > > Thanks, > > > Martin > > > > Rebased patchset attached; no other changes. > > Heads up: I just discovered I have introduced a bug with > ipa-replica-install, when it is spawning the CA instance. 
I think > replication it only causes issues with ``--setup-ca``. > > I will try and sort it out tomorrow or later tonight (I have to head > out for a few hours now, though); and I'm not suggesting it should > block the push but it's something to be aware of. > > Cheers, > Fraser > New patchset attached ; haven't gotten to the bottom of the ipa-replica-install issue mentioned above, but it fixes an upgrade bug. The change is: diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index c288282..c5f4d37 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -316,7 +316,7 @@ def ca_enable_ldap_profile_subsystem(ca): caconfig.CS_CFG_PATH, directive, separator='=') - if value == 'ProfileSubsystem': + if value == 'com.netscape.cmscore.profile.ProfileSubsystem': needs_update = True break except OSError, e: @@ -328,7 +328,7 @@ def ca_enable_ldap_profile_subsystem(ca): installutils.set_directive( caconfig.CS_CFG_PATH, directive, - 'LDAPProfileSubsystem', + 'com.netscape.cmscore.profile.LDAPProfileSubsystem', quotes=False, separator='=') Cheers, Fraser -------------- next part -------------- From cda27fcc9dd1d6a7d730d62fe6ef1deab7b19c36 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Mon, 20 Apr 2015 23:20:19 -0400 Subject: [PATCH 01/13] Install CA with LDAP profiles backend Install the Dogtag CA to use the LDAPProfileSubsystem instead of the default (file-based) ProfileSubsystem. Part of: https://fedorahosted.org/freeipa/ticket/4560 --- freeipa.spec.in | 6 +++--- ipaserver/install/cainstance.py | 1 + 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 09dd66eec71cec714a31a42809c940ac08a5a84e..2f259234945be874aede64ca7c3ce04bdf467b64 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in 
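Review bot: in the two ca_enable_ldap_profile_subsystem hunks, switching both the comparison and the written value to the fully-qualified class names (`com.netscape.cmscore.profile.ProfileSubsystem` / `com.netscape.cmscore.profile.LDAPProfileSubsystem`) implies the previous comparison never matched what CS.cfg holds, so `needs_update` stayed False and upgraded CAs silently kept file-based profiles; it would be worth also treating the bare `LDAPProfileSubsystem` written by the earlier revision of this patch as "needs update", since a server upgraded with that revision now has the short name in CS.cfg, which this check will not recognise. The `except OSError, e:` context line is Python 2-only syntax and will need `as e` eventually, but that is outside this change.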
@@ -92,7 +92,7 @@ BuildRequires: python-backports-ssl_match_hostname BuildRequires: softhsm-devel >= 2.0.0b1-3 BuildRequires: openssl-devel BuildRequires: p11-kit-devel -BuildRequires: pki-base >= 10.2.1-0.1 +BuildRequires: pki-base >= 10.2.4-1 BuildRequires: python-pytest-multihost >= 0.5 BuildRequires: python-pytest-sourceorder @@ -135,8 +135,8 @@ Requires(post): systemd-units Requires: selinux-policy >= %{selinux_policy_version} Requires(post): selinux-policy-base Requires: slapi-nis >= 0.54.2-1 -Requires: pki-ca >= 10.2.1-0.2 -Requires: pki-kra >= 10.2.1-0.1 +Requires: pki-ca >= 10.2.4-1 +Requires: pki-kra >= 10.2.4-1 Requires(preun): python systemd-units Requires(postun): python systemd-units Requires: python-dns >= 1.11.1 diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 5133940687204b615eec56b6a89542ddd5617539..030c9f12daba4b38b748da8940e38d3cf2109788 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -503,6 +503,7 @@ class CAInstance(DogtagInstance): config.set("CA", "pki_restart_configured_instance", "False") config.set("CA", "pki_backup_keys", "True") config.set("CA", "pki_backup_password", self.admin_password) + config.set("CA", "pki_profiles_in_ldap", "True") # Client security database config.set("CA", "pki_client_database_dir", self.agent_db) -- 2.1.0 -------------- next part -------------- From 2932b276fc55493ff289cb1b12996b78c0dfd7e2 Mon Sep 17 00:00:00 2001 
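Review bot: in patch 01/13, the cainstance.py hunk sets `pki_profiles_in_ldap` to True unconditionally for newly spawned instances, but nothing in this patch migrates an existing CA, so until the upgrade.py change quoted in the cover mail lands, an upgraded master keeps file-based profiles while any replica installed afterwards uses LDAP profiles; the commit message should say that the upgrade step is a separate change. In the spec hunks, the bump to pki-base/pki-ca/pki-kra >= 10.2.4-1 can only be built once that package is in the Fedora repositories rather than just the copr mentioned upthread.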
From: Fraser Tweedale Date: Tue, 21 Apr 2015 02:24:10 -0400 Subject: [PATCH 02/13] Add schema for certificate profiles The certprofile object class is used to track IPA-managed certificate profiles in Dogtag and store IPA-specific settings. Part of: https://fedorahosted.org/freeipa/ticket/57 --- install/share/60certificate-profiles.ldif | 3 +++ install/share/Makefile.am | 1 + install/share/bootstrap-template.ldif | 12 ++++++++++++ ipaserver/install/dsinstance.py | 1 + 4 files changed, 17 insertions(+) create mode 100644 install/share/60certificate-profiles.ldif diff --git a/install/share/60certificate-profiles.ldif b/install/share/60certificate-profiles.ldif new file mode 100644 index 0000000000000000000000000000000000000000..f1281949e53386e5bfe8b35e0c15858c693c5467 --- /dev/null +++ b/install/share/60certificate-profiles.ldif @@ -0,0 +1,3 @@ +dn: cn=schema +attributeTypes: (2.16.840.1.113730.3.8.21.1.1 NAME 'ipaCertProfileStoreIssued' DESC 'Store certificates issued using this profile' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.2' ) +objectClasses: (2.16.840.1.113730.3.8.21.2.1 NAME 'ipaCertProfile' SUP top STRUCTURAL MUST ( cn $ description $ ipaCertProfileStoreIssued ) X-ORIGIN 'IPA v4.2' ) diff --git a/install/share/Makefile.am b/install/share/Makefile.am index 8d336690f184025f8199ed1d2c57d8274f0d3886..f44772b20c173c6fe43503716f40454f6f6b6f11 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -16,6 +16,7 @@ app_DATA = \ 60basev3.ldif \ 60ipadns.ldif \ 60ipapk11.ldif \ + 60certificate-profiles.ldif \ 61kerberos-ipav3.ldif \ 65ipacertstore.ldif \ 65ipasudo.ldif \ diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif index 06b82aa4ae74e7766d0c09a63aa75fa222e7ab7d..c5d4bad8b80640881f4631e4873a12c82b0ea48a 100644 --- a/install/share/bootstrap-template.ldif +++ b/install/share/bootstrap-template.ldif 
@@ -429,3 +429,15 @@ cn: ${REALM}_id_range ipaBaseID: $IDSTART ipaIDRangeSize: $IDRANGE_SIZE ipaRangeType: ipa-local + +dn: cn=ca,$SUFFIX +changetype: add +objectClass: nsContainer +objectClass: top +cn: ca + +dn: cn=certprofiles,cn=ca,$SUFFIX +changetype: add +objectClass: nsContainer +objectClass: top +cn: certprofiles diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 064a2ab1db61b465638a77e13e1d9ea43b1cce63..2acab13f247ed18a750f0e1cbbd98f4e63718c03 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -57,6 +57,7 @@ IPA_SCHEMA_FILES = ("60kerberos.ldif", "60basev3.ldif", "60ipapk11.ldif", "60ipadns.ldif", + "60certificate-profiles.ldif", "61kerberos-ipav3.ldif", "65ipacertstore.ldif", "65ipasudo.ldif", -- 2.1.0 -------------- next part -------------- From abd3c972ebffa7a8d37e8fa89af2c56afef79c92 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Wed, 29 Apr 2015 06:07:58 -0400 Subject: [PATCH 03/13] ipa-pki-proxy: provide access to profiles REST API Part of: https://fedorahosted.org/freeipa/ticket/57 --- install/conf/ipa-pki-proxy.conf | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf index 5d21156848f3b5ddf14c42d92a26a30a9f94af36..366ca15a1868758547f9f1d3334fddba38793083 100644 --- a/install/conf/ipa-pki-proxy.conf +++ b/install/conf/ipa-pki-proxy.conf @@ -1,4 +1,4 @@ -# VERSION 5 - DO NOT REMOVE THIS LINE +# VERSION 6 - DO NOT REMOVE THIS LINE ProxyRequests Off @@ -11,7 +11,7 @@ ProxyRequests Off # matches for admin port and installer - + NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate NSSVerifyClient none ProxyPassMatch ajp://localhost:$DOGTAG_PORT 
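Review bot: in patch 02/13, the 60certificate-profiles.ldif hunk declares `description` and `ipaCertProfileStoreIssued` as MUST in `ipaCertProfile`, so every profile entry is required to carry both; that matches `certprofile-import` making them required in patch 05, but it also means `certprofile-mod --delattr description=...` will fail with an object class violation, and any attribute added later should go in MAY to avoid breaking existing entries. The `cn=ca,$SUFFIX` and `cn=certprofiles,cn=ca,$SUFFIX` containers in bootstrap-template.ldif only exist for fresh installs; the same two entries are repeated in 40-certprofile.update in patch 05 for upgrades, so keep the two copies identical.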
@@ -26,5 +26,13 @@ ProxyRequests Off ProxyPassReverse ajp://localhost:$DOGTAG_PORT +# matches for REST API + + NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate + NSSVerifyClient require + ProxyPassMatch ajp://localhost:$DOGTAG_PORT + ProxyPassReverse ajp://localhost:$DOGTAG_PORT + + # Only enable this on servers that are not generating a CRL ${CLONE}RewriteRule ^/ipa/crl/MasterCRL.bin https://$FQDN/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC] -- 2.1.0 -------------- next part -------------- From 6779129dd3e69f1089e0543288f20c9b6ad09980 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Thu, 30 Apr 2015 23:50:41 -0400 Subject: [PATCH 04/13] Add ACL to allow CA agent to modify profiles Part of: https://fedorahosted.org/freeipa/ticket/57 --- ipaserver/install/cainstance.py | 29 +++++++++++++++++++++++++++++ ipaserver/install/server/upgrade.py | 11 +++++++++++ 2 files changed, 40 insertions(+) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 030c9f12daba4b38b748da8940e38d3cf2109788..871581b4afc5df854b9a090ef51bb0ad3b3871ee 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -469,6 +469,7 @@ class CAInstance(DogtagInstance): self.step("requesting RA certificate from CA", self.__request_ra_certificate) self.step("issuing RA agent certificate", self.__issue_ra_cert) self.step("adding RA agent as a trusted user", self.__configure_ra) + self.step("authorizing RA to modify profiles", self.__configure_profiles_acl) self.step("configure certmonger for renewals", self.configure_certmonger_renewal) self.step("configure certificate renewals", self.configure_renewal) if not self.clone: 
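Review bot: in patch 03/13, the new REST API block sets `NSSVerifyClient require` while the admin/installer block above keeps `NSSVerifyClient none`; because later Location sections override earlier ones in Apache, check that the REST match pattern (the `<LocationMatch>` line itself was dropped by the list archive rendering) does not also cover paths the installer or `ipa-replica-prepare` reach without a client certificate, or those requests will start failing at the TLS layer. Bumping `# VERSION 5` to `# VERSION 6` only helps if the upgrade code that compares this line also rewrites the deployed file; please confirm that path is exercised, since existing servers otherwise never get the REST proxy rules.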
@@ -940,6 +941,10 @@ class CAInstance(DogtagInstance): conn.unbind() + def __configure_profiles_acl(self): + """Allow the Certificate Manager Agents group to modify profiles.""" + configure_profiles_acl() + def __run_certutil(self, args, database=None, pwd_file=None, stdin=None): if not database: database = self.ra_agent_db @@ -1825,6 +1830,30 @@ def update_people_entry(dercert): return True +def configure_profiles_acl(): + server_id = installutils.realm_to_serverid(api.env.realm) + dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id + updated = False + + dn = DN(('cn', 'aclResources'), ('o', 'ipaca')) + rule = ( + 'certServer.profile.configuration:read,modify:allow (read,modify) ' + 'group="Certificate Manager Agents":' + 'Certificate Manager agents may modify (create/update/delete) and read profiles' + ) + modlist = [(ldap.MOD_ADD, 'resourceACLS', [rule])] + + conn = ldap2.ldap2(shared_instance=False, ldap_uri=dogtag_uri) + if not conn.isconnected(): + conn.connect(autobind=True) + rules = conn.get_entry(dn).get('resourceACLS', []) + if rule not in rules: + conn.conn.modify_s(str(dn), modlist) + updated = True + + conn.disconnect() + return updated + if __name__ == "__main__": standard_logging_setup("install.log") ds = dsinstance.DsInstance() diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 9d1fd92b73eaf673ddfef01dc86b8dae5efc028a..0ea6bd7b4db70caf43637a60ddd1ad1f58b6e48e 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -289,6 +289,16 @@ def setup_firefox_extension(fstore): http.setup_firefox_extension(realm, domain) +def ca_configure_profiles_acl(ca): + root_logger.info('[Authorizing RA Agent to modify profiles]') + + if not ca.is_configured(): + root_logger.info('CA is not configured') + return False + + return cainstance.configure_profiles_acl() + + def upgrade_ipa_profile(ca, domain, fqdn): """ Update the IPA Profile provided by dogtag 
@@ -1370,6 +1380,7 @@ def upgrade_configuration(): upgrade_ipa_profile(ca, api.env.domain, fqdn), certificate_renewal_update(ca), ca_enable_pkix(ca), + ca_configure_profiles_acl(ca), ]) if ca_restart: -- 2.1.0 -------------- next part -------------- From 0a1c221c2163d2d2c353b5c42cb3938c1b2332d3 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Thu, 30 Apr 2015 04:55:29 -0400 Subject: [PATCH 05/13] Add certprofile plugin Add the 'certprofile' plugin which defines the commands for managing certificate profiles and associated permissions. Also update Dogtag network code in 'ipapython.dogtag' to support headers and arbitrary request bodies, to facilitate use of the Dogtag profiles REST API. Part of: https://fedorahosted.org/freeipa/ticket/57 --- ACI.txt | 8 ++ API.txt | 62 +++++++++ install/updates/40-certprofile.update | 9 ++ install/updates/40-delegation.update | 8 ++ install/updates/Makefile.am | 1 + ipalib/constants.py | 1 + ipalib/plugins/certprofile.py | 253 ++++++++++++++++++++++++++++++++++ ipapython/dogtag.py | 29 ++-- ipaserver/plugins/dogtag.py | 176 ++++++++++++++++++++++- 9 files changed, 534 insertions(+), 13 deletions(-) create mode 100644 install/updates/40-certprofile.update create mode 100644 ipalib/plugins/certprofile.py diff --git a/ACI.txt b/ACI.txt index 3c4ebde5b3ac2eb0b8e9465c5f2bd74f5bdbfb01..035a545511e4f56dcb492c97514de59cfc028405 100644 --- a/ACI.txt +++ b/ACI.txt 
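Review bot: in patch 04/13, `configure_profiles_acl` drops to the raw python-ldap handle (`conn.conn.modify_s(str(dn), modlist)`) and references `ldap.MOD_ADD`, but the hunk adds no `import ldap` to cainstance.py, so this raises NameError unless the module already imports it; prefer the ldap2 API (`entry = conn.get_entry(dn)`, append the rule to `entry['resourceACLS']`, `conn.update_entry(entry)`), which keeps the change inside IPA's LDAP abstraction. Also put the work after `connect()` in a try/finally so `conn.disconnect()` runs if `get_entry` or the modify raises. Since this ACL lets every member of Certificate Manager Agents (which includes the IPA RA) create, update and delete profiles, i.e. change what the CA is willing to issue, the commit message should state that explicitly; and because the resourceACLS rules are loaded when the CA starts, the `updated` return value feeding `ca_restart` in upgrade.py is what makes the change effective, which deserves a comment in `ca_configure_profiles_acl`.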
@@ -22,6 +22,14 @@ dn: cn=automount,dc=ipa,dc=example aci: (targetattr = "automountmapname || description")(targetfilter = "(objectclass=automountmap)")(version 3.0;acl "permission:System: Modify Automount Maps";allow (write) groupdn = "ldap:///cn=System: Modify Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=automount,dc=ipa,dc=example aci: (targetfilter = "(objectclass=automountmap)")(version 3.0;acl "permission:System: Remove Automount Maps";allow (delete) groupdn = "ldap:///cn=System: Remove Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certprofiles,cn=ca,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Delete Certificate Profile";allow (delete) groupdn = "ldap:///cn=System: Delete Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certprofiles,cn=ca,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Import Certificate Profile";allow (add) groupdn = "ldap:///cn=System: Import Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certprofiles,cn=ca,dc=ipa,dc=example +aci: (targetattr = "cn || description || ipacertprofilestoreissued")(targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Modify Certificate Profile";allow (write) groupdn = "ldap:///cn=System: Modify Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certprofiles,cn=ca,dc=ipa,dc=example +aci: (targetattr = "cn || createtimestamp || description || entryusn || ipacertprofilestoreissued || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Read Certificate Profiles";allow (compare,read,search) userdn = "ldap:///all";) dn: cn=ipaconfig,cn=etc,dc=ipa,dc=example aci: (targetattr = "cn || createtimestamp || entryusn || ipacertificatesubjectbase || ipaconfigstring || ipacustomfields || 
ipadefaultemaildomain || ipadefaultloginshell || ipadefaultprimarygroup || ipagroupobjectclasses || ipagroupsearchfields || ipahomesrootdir || ipakrbauthzdata || ipamaxusernamelength || ipamigrationenabled || ipapwdexpadvnotify || ipasearchrecordslimit || ipasearchtimelimit || ipaselinuxusermapdefault || ipaselinuxusermaporder || ipauserauthtype || ipauserobjectclasses || ipausersearchfields || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaguiconfig)")(version 3.0;acl "permission:System: Read Global Configuration";allow (compare,read,search) userdn = "ldap:///all";) dn: cn=costemplates,cn=accounts,dc=ipa,dc=example diff --git a/API.txt b/API.txt index da69f32de5c12c0d85a7d61d9027385aa3c0ee05..7d221b839a7058e2bc7c6c95f7121e79a30ebcfd 100644 --- a/API.txt +++ b/API.txt 
@@ -509,6 +509,68 @@ args: 1,1,1 arg: Str('request_id') option: Str('version?', exclude='webui') output: Output('result', None, None) +command: certprofile_del +args: 1,2,3 +arg: Str('cn', attribute=True, cli_name='id', multivalue=True, primary_key=True, query=True, required=True) +option: Flag('continue', autofill=True, cli_name='continue', default=False) +option: Str('version?', exclude='webui') +output: Output('result', , None) +output: Output('summary', (, ), None) +output: ListOfPrimaryKeys('value', None, None) +command: certprofile_find +args: 1,9,4 +arg: Str('criteria?', noextrawhitespace=False) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('cn', attribute=True, autofill=False, cli_name='id', multivalue=False, primary_key=True, query=True, required=False) +option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, query=True, required=False) +option: Bool('ipacertprofilestoreissued', attribute=True, autofill=False, cli_name='store', default=True, multivalue=False, query=True, required=False) +option: Flag('pkey_only?', autofill=True, default=False) +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Int('sizelimit?', autofill=False, minvalue=0) +option: Int('timelimit?', autofill=False, minvalue=0) +option: Str('version?', exclude='webui') +output: Output('count', , None) +output: ListOfEntries('result', (, ), Gettext('A list of LDAP entries', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: Output('truncated', , None) +command: certprofile_import +args: 1,6,3 +arg: Str('cn', attribute=True, cli_name='id', multivalue=False, primary_key=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('description', attribute=True, cli_name='desc', multivalue=False, required=True) +option: File('file', cli_name='file') +option: 
Bool('ipacertprofilestoreissued', attribute=True, cli_name='store', default=True, multivalue=False, required=True) +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('version?', exclude='webui') +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) +command: certprofile_mod +args: 1,10,3 +arg: Str('cn', attribute=True, cli_name='id', multivalue=False, primary_key=True, query=True, required=True) +option: Str('addattr*', cli_name='addattr', exclude='webui') +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('delattr*', cli_name='delattr', exclude='webui') +option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, required=False) +option: Bool('ipacertprofilestoreissued', attribute=True, autofill=False, cli_name='store', default=True, multivalue=False, required=False) +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('rename', cli_name='rename', multivalue=False, primary_key=True, required=False) +option: Flag('rights', autofill=True, default=False) +option: Str('setattr*', cli_name='setattr', exclude='webui') +option: Str('version?', exclude='webui') +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) +command: certprofile_show +args: 1,4,3 +arg: Str('cn', attribute=True, cli_name='id', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Flag('rights', autofill=True, default=False) +option: Str('version?', exclude='webui') +output: 
Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) command: compat_is_enabled args: 0,1,1 option: Str('version?', exclude='webui') diff --git a/install/updates/40-certprofile.update b/install/updates/40-certprofile.update new file mode 100644 index 0000000000000000000000000000000000000000..6b0a81d0ff6d69dabe82138227d105fc780ee17d --- /dev/null +++ b/install/updates/40-certprofile.update @@ -0,0 +1,9 @@ +dn: cn=ca,$SUFFIX +default: objectClass: nsContainer +default: objectClass: top +default: cn: ca + +dn: cn=certprofiles,cn=ca,$SUFFIX +default: objectClass: nsContainer +default: objectClass: top +default: cn: certprofiles diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update index 975929bd70400b2f9cf407d6faedb246003d7f58..bc0736c5b6c07747586a56c2cbde9596c7522d1c 100644 --- a/install/updates/40-delegation.update +++ b/install/updates/40-delegation.update @@ -237,3 +237,11 @@ default:ipapermissiontype: SYSTEM dn: cn=config add:aci: (version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) groupdn = "ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,$SUFFIX";) + +# CA Administrators +dn: cn=CA Administrator,cn=privileges,cn=pbac,$SUFFIX +default:objectClass: nestedgroup +default:objectClass: groupofnames +default:objectClass: top +default:cn: CA Administrator +default:description: CA Administrator diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am index 4e2da05d61a41543914e79c4634331df6018c041..fc6bd624eac619cdddeba29b85440571d85fd69f 100644 --- a/install/updates/Makefile.am +++ b/install/updates/Makefile.am @@ -32,6 +32,7 @@ app_DATA = \ 40-replication.update \ 40-dns.update \ 40-automember.update \ + 40-certprofile.update \ 40-otp.update \ 40-vault.update \ 45-roles.update \ 
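Review bot: in patch 05/13, the ACI.txt and 40-delegation.update hunks create a `CA Administrator` privilege and make it the default holder of the Import/Delete/Modify Certificate Profile permissions, but no role is granted the privilege in this patch, so after upgrade presumably only members of `admins` can manage profiles until an administrator wires a role up; either add it to an existing role in 45-roles.update or state this in the commit message. `System: Read Certificate Profiles` is bound to `userdn = "ldap:///all"`, so any authenticated principal, hosts included, can enumerate profile names, descriptions and the store-issued flag; that is probably acceptable for metadata, since the profile contents in Dogtag are still only reachable through the RA, but it should be a deliberate choice recorded in the commit message.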
diff --git a/ipalib/constants.py b/ipalib/constants.py index 95dec54a51f38ae63eba667daacf35dcd7500cf3..96396a236b8694b3dd988dfe28c1b0c3cc9e3180 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -118,6 +118,7 @@ DEFAULT_CONFIG = ( ('container_radiusproxy', DN(('cn', 'radiusproxy'))), ('container_views', DN(('cn', 'views'), ('cn', 'accounts'))), ('container_masters', DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'))), + ('container_certprofile', DN(('cn', 'certprofiles'), ('cn', 'ca'))), # Ports, hosts, and URIs: ('xmlrpc_uri', 'http://localhost:8888/ipa/xml'), diff --git a/ipalib/plugins/certprofile.py b/ipalib/plugins/certprofile.py new file mode 100644 index 0000000000000000000000000000000000000000..1a2d143882469858f225b37ba4ff2dd368fb8853 --- /dev/null +++ b/ipalib/plugins/certprofile.py 
@@ -0,0 +1,253 @@ +# +# Copyright (C) 2015 FreeIPA Contributors see COPYING for license +# + +import re + +from ipalib import api, Bool, File, Str +from ipalib import output +from ipalib.plugable import Registry +from ipalib.plugins.virtual import VirtualCommand +from ipalib.plugins.baseldap import ( + LDAPObject, LDAPSearch, LDAPCreate, + LDAPDelete, LDAPUpdate, LDAPRetrieve) +from ipalib import ngettext +from ipalib.text import _ + +from ipalib import errors + + +__doc__ = _(""" +Manage Certificate Profiles + +Certificate Profiles are used by Certificate Authority (CA) in the signing of +certificates to determine if a Certificate Signing Request (CSR) is acceptable, +and if so what features and extensions will be present on the certificate. + +The Certificate Profile format is the property-list format understood by the +Dogtag or Red Hat Certificate System CA. + +PROFILE ID SYNTAX: + +A Profile ID is a string without spaces or punctuation starting with a letter +and followed by a sequence of letters, digits or underscore ("_"). + +EXAMPLES: + + Import a profile that will not store issued certificates: + ipa certprofile-import ShortLivedUserCert \\ + --file UserCert.profile --summary "User Certificates" \\ + --store=false + + Delete a certificate profile: + ipa certprofile-del ShortLivedUserCert + + Show information about a profile: + ipa certprofile-show ShortLivedUserCert + + Search for profiles that do not store certificates: + ipa certprofile-find --store=false + +""") + + +register = Registry() + + +def ca_enabled_check(): + """Raise NotFound if CA is not enabled. + + This function is defined in multiple plugins to avoid circular imports + (cert depends on certprofile, so we cannot import cert here). 
+ + """ + if not api.Command.ca_is_enabled()['result']: + raise errors.NotFound(reason=_('CA is not configured')) + + +profile_id_pattern = re.compile('^[a-zA-Z]\w*$') + + +def validate_profile_id(ugettext, value): + """Ensure profile ID matches form required by CA.""" + if profile_id_pattern.match(value) is None: + return _('invalid Profile ID') + else: + return None + + + at register() +class certprofile(LDAPObject): + """ + Certificate Profile object. + """ + container_dn = api.env.container_certprofile + object_name = _('Certificate Profile') + object_name_plural = _('Certificate Profiles') + object_class = ['ipacertprofile'] + default_attributes = [ + 'cn', 'description', 'ipacertprofilestoreissued' + ] + search_attributes = [ + 'cn', 'description', 'ipacertprofilestoreissued' + ] + rdn_is_primary_key = True + label = _('Certificate Profiles') + label_singular = _('Certificate Profile') + + takes_params = ( + Str('cn', validate_profile_id, + primary_key=True, + cli_name='id', + label=_('Profile ID'), + doc=_('Profile ID for referring to this profile'), + ), + Str('description', + required=True, + cli_name='desc', + label=_('Profile description'), + doc=_('Brief description of this profile'), + ), + Bool('ipacertprofilestoreissued', + default=True, + cli_name='store', + label=_('Store issued certificates'), + doc=_('Whether to store certs issued using this profile'), + ), + ) + + permission_filter_objectclasses = ['ipacertprofile'] + managed_permissions = { + 'System: Read Certificate Profiles': { + 'replaces_global_anonymous_aci': True, + 'ipapermbindruletype': 'all', + 'ipapermright': {'read', 'search', 'compare'}, + 'ipapermdefaultattr': { + 'cn', + 'description', + 'ipacertprofilestoreissued', + 'objectclass', + }, + }, + 'System: Import Certificate Profile': { + 'ipapermright': {'add'}, + 'replaces': [ + '(target = "ldap:///cn=*,cn=certprofiles,cn=ca,$SUFFIX")(version 3.0;acl "permission:Import Certificate Profile";allow (add) groupdn = "ldap:///cn=Import 
Certificate Profile,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + 'System: Delete Certificate Profile': { + 'ipapermright': {'delete'}, + 'replaces': [ + '(target = "ldap:///cn=*,cn=certprofiles,cn=ca,$SUFFIX")(version 3.0;acl "permission:Delete Certificate Profile";allow (delete) groupdn = "ldap:///cn=Delete Certificate Profile,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + 'System: Modify Certificate Profile': { + 'ipapermright': {'write'}, + 'ipapermdefaultattr': { + 'cn', + 'description', + 'ipacertprofilestoreissued', + }, + 'replaces': [ + '(targetattr = "cn || description || ipacertprofilestoreissued")(target = "ldap:///cn=*,cn=certprofiles,cn=ca,$SUFFIX")(version 3.0;acl "permission:Modify Certificate Profile";allow (write) groupdn = "ldap:///cn=Modify Certificate Profile,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + } + + + + at register() +class certprofile_find(LDAPSearch): + __doc__ = _("Search for Certificate Profiles.") + msg_summary = ngettext( + '%(count)d profile matched', '%(count)d profiles matched', 0 + ) + + def execute(self, *args, **kwargs): + ca_enabled_check() + return super(certprofile_find, self).execute(*args, **kwargs) + + + at register() +class certprofile_show(LDAPRetrieve): + __doc__ = _("Display the properties of a Certificate Profile.") + + def execute(self, *args, **kwargs): + ca_enabled_check() + return super(certprofile_show, self).execute(*args, **kwargs) + + + at register() +class certprofile_import(LDAPCreate): + __doc__ = _("Import a Certificate Profile.") + msg_summary = _('Imported profile "%(value)s"') + takes_options = ( + File('file', + label=_('Filename'), + cli_name='file', + flags=('virtual_attribute',), + ), + ) + + PROFILE_ID_PATTERN = re.compile('^profileId=([a-zA-Z]\w*)', re.MULTILINE) + + def pre_callback(self, ldap, dn, entry, entry_attrs, *keys, **options): + 
ca_enabled_check() + + match = self.PROFILE_ID_PATTERN.search(options['file']) + if match is None: + raise errors.ValidationError(name='file', + error=_("Profile ID is not present in profile data")) + elif keys[0] != match.group(1): + raise errors.ValidationError(name='file', + error=_("Profile ID '%(cli_value)s' does not match profile data '%(file_value)s'") + % {'cli_value': keys[0], 'file_value': match.group(1)} + ) + return dn + + + def post_callback(self, ldap, dn, entry_attrs, *keys, **options): + """Import the profile into Dogtag and enable it. + + If the operation succeeds, update the LDAP entry to 'enabled'. + If the operation fails, remove the LDAP entry. + """ + try: + with self.api.Backend.ra_certprofile as profile_api: + profile_api.create_profile(options['file']) + profile_api.enable_profile(keys[0]) + except: + # something went wrong ; delete entry + ldap.delete_entry(dn) + raise + + return dn + + + at register() +class certprofile_del(LDAPDelete): + __doc__ = _("Delete a Certificate Profile.") + msg_summary = _('Deleted profile "%(value)s"') + + def execute(self, *args, **kwargs): + ca_enabled_check() + return super(certprofile_del, self).execute(*args, **kwargs) + + def post_callback(self, ldap, dn, *keys, **options): + with self.api.Backend.ra_certprofile as profile_api: + profile_api.disable_profile(keys[0]) + profile_api.delete_profile(keys[0]) + return dn + + + at register() +class certprofile_mod(LDAPUpdate): + __doc__ = _("Modify Certificate Profile configuration.") + msg_summary = _('Modified Certificate Profile "%(value)s') + + def execute(self, *args, **kwargs): + ca_enabled_check() + return super(certprofile_mod, self).execute(*args, **kwargs) diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py index c74b8736a4b15f7bf081206b52b9876a8c4928af..11311cf7b55d7b84e9434a698dbfd60b0eb142a1 100644 --- a/ipapython/dogtag.py +++ b/ipapython/dogtag.py 
@@ -233,9 +233,12 @@ def ca_status(ca_host=None, use_proxy=True): return _parse_ca_status(body) -def https_request(host, port, url, secdir, password, nickname, **kw): +def https_request(host, port, url, secdir, password, nickname, + method='POST', headers=None, body=None, **kw): """ + :param method: HTTP request method (defalut: 'POST') :param url: The path (not complete URL!) to post to. + :param body: The request body (encodes kw if None) :param kw: Keyword arguments to encode into POST body. :return: (http_status, http_reason_phrase, http_headers, http_body) as (integer, unicode, dict, str) @@ -254,9 +257,11 @@ def https_request(host, port, url, secdir, password, nickname, **kw): nickname, password, nss.get_default_certdb()) return conn - body = urlencode(kw) + if body is None: + body = urlencode(kw) return _httplib_request( - 'https', host, port, url, connection_factory, body) + 'https', host, port, url, connection_factory, body, + method=method, headers=headers) def http_request(host, port, url, **kw): @@ -288,11 +293,13 @@ def unauthenticated_https_request(host, port, url, **kw): def _httplib_request( - protocol, host, port, path, connection_factory, request_body): + protocol, host, port, path, connection_factory, request_body, + method='POST', headers=None): """ :param request_body: Request body :param connection_factory: Connection class to use. Will be called with the host and port arguments. + :param method: HTTP request method (default: 'POST') Perform a HTTP(s) request. """ 
@@ -301,13 +308,17 @@ def _httplib_request( uri = '%s://%s%s' % (protocol, ipautil.format_netloc(host, port), path) root_logger.debug('request %r', uri) root_logger.debug('request body %r', request_body) + + headers = headers or {} + if ( + method == 'POST' + and 'content-type' not in (str(k).lower() for k in headers.viewkeys()) + ): + headers['content-type'] = 'application/x-www-form-urlencoded' + try: conn = connection_factory(host, port) - conn.request( - 'POST', uri, - body=request_body, - headers={'Content-type': 'application/x-www-form-urlencoded'}, - ) + conn.request(method, uri, body=request_body, headers=headers) res = conn.getresponse() http_status = res.status diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 52bdb0d4245594785e718c63242e27cee0e59322..9654123b16d8e417398d49bf1305fd41880bc3a7 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -4,8 +4,9 @@ # Jason Gerard DeRose # Rob Crittenden # John Dennis +# Fraser Tweedale # -# Copyright (C) 2014 Red Hat +# Copyright (C) 2014, 2015 Red Hat # see file 'COPYING' for use and warranty information # # This program is free software; you can redistribute it and/or modify @@ -238,17 +239,21 @@ digits and nothing else follows. ''' import datetime +import json from lxml import etree +import os import tempfile import time import urllib2 +import pki from pki.client import PKIConnection import pki.crypto as cryptoutil from pki.kra import KRAClient from ipalib import Backend from ipapython.dn import DN +import ipapython.cookie import ipapython.dogtag from ipapython import ipautil from ipaserver.install.certs import CertDB 
@@ -1262,13 +1267,12 @@ def select_any_master(ldap2, service='CA'): #------------------------------------------------------------------------------- -from ipalib import api, SkipPluginModule +from ipalib import api, errors, SkipPluginModule if api.env.ra_plugin != 'dogtag': # In this case, abort loading this plugin module... raise SkipPluginModule(reason='dogtag not selected as RA plugin') import os, random from ipaserver.plugins import rabase -from ipalib.errors import CertificateOperationError from ipalib.constants import TYPE_ERROR from ipalib.util import cachedproperty from ipapython import dogtag @@ -1318,7 +1322,7 @@ class ra(rabase.rabase): err_msg = u'%s (%s)' % (err_msg, detail) self.error('%s.%s(): %s', self.fullname, func_name, err_msg) - raise CertificateOperationError(error=err_msg) + raise errors.CertificateOperationError(error=err_msg) @cachedproperty def ca_host(self): 
@@ -1923,3 +1927,167 @@ class kra(Backend): return KRAClient(connection, crypto) api.register(kra) + + +class RestClient(Backend): + """Simple Dogtag REST client to be subclassed by other backends. + + This class is a context manager. Authenticated calls must be + executed in a ``with`` suite:: + + class ra_certprofile(RestClient): + path = 'profile' + ... + + api.register(ra_certprofile) + + with api.Backend.ra_certprofile as profile_api: + # REST client is now logged in + profile_api.create_profile(...) + + """ + path = None + + @staticmethod + def _parse_dogtag_error(body): + try: + return pki.PKIException.from_json(json.loads(body)) + except: + return None + + def __init__(self): + if api.env.in_tree: + self.sec_dir = api.env.dot_ipa + os.sep + 'alias' + self.pwd_file = self.sec_dir + os.sep + '.pwd' + else: + self.sec_dir = paths.HTTPD_ALIAS_DIR + self.pwd_file = paths.ALIAS_PWDFILE_TXT + self.noise_file = self.sec_dir + os.sep + '.noise' + self.ipa_key_size = "2048" + self.ipa_certificate_nickname = "ipaCert" + self.ca_certificate_nickname = "caCert" + try: + f = open(self.pwd_file, "r") + self.password = f.readline().strip() + f.close() + except IOError: + self.password = '' + super(RestClient, self).__init__() + + # session cookie + self.cookie = None + + @cachedproperty + def ca_host(self): + """ + :return: host + as str + + Select our CA host. 
+ """ + ldap2 = self.api.Backend.ldap2 + if host_has_service(api.env.ca_host, ldap2, "CA"): + return api.env.ca_host + if api.env.host != api.env.ca_host: + if host_has_service(api.env.host, ldap2, "CA"): + return api.env.host + host = select_any_master(ldap2) + if host: + return host + else: + return api.env.ca_host + + def __enter__(self): + """Log into the REST API""" + if self.cookie is not None: + return + status, status_text, resp_headers, resp_body = dogtag.https_request( + self.ca_host, self.env.ca_agent_port, '/ca/rest/account/login', + self.sec_dir, self.password, self.ipa_certificate_nickname, + method='GET' + ) + cookies = ipapython.cookie.Cookie.parse(resp_headers.get('set-cookie', '')) + if status != 200 or len(cookies) == 0: + raise errors.RemoteRetrieveError(reason=_('Failed to authenticate to CA REST API')) + self.cookie = str(cookies[0]) + return self + + def __exit__(self, exc_type, exc_value, traceback): + """Log out of the REST API""" + dogtag.https_request( + self.ca_host, self.env.ca_agent_port, '/ca/rest/account/logout', + self.sec_dir, self.password, self.ipa_certificate_nickname, + method='GET' + ) + self.cookie = None + + def _ssldo(self, method, path, headers=None, body=None): + """ + :param url: The URL to post to. + :param kw: Keyword arguments to encode into POST body. 
+ :return: (http_status, http_reason_phrase, http_headers, http_body) + as (integer, unicode, dict, str) + + Perform an HTTPS request + """ + if self.cookie is None: + raise errors.RemoteRetrieveError( + reason=_("REST API is not logged in.")) + + headers = headers or {} + headers['Cookie'] = self.cookie + + resource = os.path.join('/ca/rest', self.path, path) + + # perform main request + status, status_text, resp_headers, resp_body = dogtag.https_request( + self.ca_host, self.env.ca_agent_port, resource, + self.sec_dir, self.password, self.ipa_certificate_nickname, + method=method, headers=headers, body=body + ) + if status < 200 or status >= 300: + explanation = self._parse_dogtag_error(resp_body) or '' + raise errors.RemoteRetrieveError( + reason=_('Non-2xx response from CA REST API: %(status)d %(status_text)s. %(explanation)s') + % {'status': status, 'status_text': status_text, 'explanation': explanation} + ) + return (status, status_text, resp_headers, resp_body) + + +class ra_certprofile(RestClient): + """ + Profile management backend plugin. + """ + path = 'profiles' + + def create_profile(self, profile_data): + """ + Import the profile into Dogtag + """ + self._ssldo('POST', 'raw', + headers={ + 'Content-type': 'application/xml', + 'Accept': 'application/json', + }, + body=profile_data + ) + + def enable_profile(self, profile_id): + """ + Enable the profile in Dogtag + """ + self._ssldo('POST', profile_id + '?action=enable') + + def disable_profile(self, profile_id): + """ + Enable the profile in Dogtag + """ + self._ssldo('POST', profile_id + '?action=disable') + + def delete_profile(self, profile_id): + """ + Delete the profile from Dogtag + """ + self._ssldo('DELETE', profile_id, headers={'Accept': 'application/json'}) + +api.register(ra_certprofile) -- 2.1.0 -------------- next part -------------- From ede2ac1810eadf5df3ac4784064c4aad1f0beb37 Mon Sep 17 00:00:00 2001 
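Review bot: in certprofile_del.post_callback the Dogtag calls 'profile_api.disable_profile(keys[0])' and 'profile_api.delete_profile(keys[0])' run after LDAPDelete has already removed the entry, so if either REST call fails the LDAP entry is gone while the Dogtag profile survives, and a retry of 'certprofile-del' will fail with NotFound before it ever reaches Dogtag. Consider doing the Dogtag disable/delete in pre_callback (before the LDAP delete), or tolerating a profile that is already absent on the Dogtag side, so the two stores cannot drift apart. Also, ca_enabled_check() is called in execute() for certprofile_del and certprofile_mod, which is fine, but the same check for certprofile_add sits in pre_callback; pick one place for consistency.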
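Review bot: typo in the new https_request docstring line ':param method: HTTP request method (defalut: 'POST')' (should read 'default'). The neighbouring ':param url: The path (not complete URL!) to post to.' and ':param kw: Keyword arguments to encode into POST body.' now also read oddly, since the function accepts any method and an explicit body; say that kw is only encoded when body is None. Note as well that 'if body is None: body = urlencode(kw)' turns a GET with no kw (as RestClient.__enter__ does with method='GET') into a request with an empty-string body rather than no body; only encoding when kw is non-empty would keep GETs body-less.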
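Review bot: in _httplib_request, 'headers = headers or {}' followed by "headers['content-type'] = 'application/x-www-form-urlencoded'" mutates the caller's dict whenever a non-empty headers dict is passed, so a caller reusing one header dict across requests (or passing a module-level constant) will find content-type injected into it; copy first ('headers = dict(headers or {})'). The membership test also uses 'headers.viewkeys()', which exists only on Python 2; iterating the dict directly ('for k in headers') is equivalent here and keeps the helper portable.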
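Review bot: the new top-level '+import os' in ipaserver/plugins/dogtag.py duplicates the existing 'import os, random' that is still present further down the same file (visible as context in the select_any_master hunk). Drop one of them, preferably keeping the top-level import and reducing the lower line to 'import random' on its own line.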
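Review bot: RestClient.__enter__ returns None on the early path 'if self.cookie is not None: return', so a nested or repeated 'with api.Backend.ra_certprofile as profile_api:' binds profile_api to None; it should 'return self' there. Related, __exit__ always issues the logout and sets 'self.cookie = None', so an inner with-block logs the outer one out, and the logout request does not send the session cookie obtained in __enter__ (no 'Cookie' header is passed), so the server-side session that was actually used is not the one being logged out; a nesting counter plus passing headers={'Cookie': self.cookie} to the logout call would fix both. Smaller items in the same hunk: _parse_dogtag_error uses a bare 'except:' (catch ValueError/KeyError/TypeError, or at least Exception), the _ssldo docstring still documents ':param url:' and ':param kw:' instead of method/path/headers/body, the disable_profile docstring reads "Enable the profile in Dogtag", and the ca_host property duplicates ra.ca_host line for line and could live in a shared mixin.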
From: Fraser Tweedale Date: Mon, 11 May 2015 23:38:41 -0400 Subject: [PATCH 06/13] Enable LDAP-based profiles in CA on upgrade Part of: https://fedorahosted.org/freeipa/ticket/4560 --- ipaserver/install/server/upgrade.py | 40 +++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 0ea6bd7b4db70caf43637a60ddd1ad1f58b6e48e..820533d6fa34218282941b8dcfcd3c0a192fdfb7 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -299,6 +299,45 @@ def ca_configure_profiles_acl(ca): return cainstance.configure_profiles_acl() +def ca_enable_ldap_profile_subsystem(ca): + root_logger.info('[Ensuring CA is using LDAPProfileSubsystem]') + if not ca.is_configured(): + root_logger.info('CA is not configured') + return False + + caconfig = dogtag.configured_constants() + + needs_update = False + directive = None + try: + for i in range(15): + directive = "subsystem.{}.class".format(i) + value = installutils.get_directive( + caconfig.CS_CFG_PATH, + directive, + separator='=') + if value == 'com.netscape.cmscore.profile.ProfileSubsystem': + needs_update = True + break + except OSError, e: + root_logger.error('Cannot read CA configuration file "%s": %s', + caconfig.CS_CFG_PATH, e) + return False + + if needs_update: + installutils.set_directive( + caconfig.CS_CFG_PATH, + directive, + 'com.netscape.cmscore.profile.LDAPProfileSubsystem', + quotes=False, + separator='=') + + # TODO import file-based profiles into Dogtag + # More code needed on Dogtag side for this. + + return needs_update + + def upgrade_ipa_profile(ca, domain, fqdn): """ Update the IPA Profile provided by dogtag @@ -1381,6 +1420,7 @@ def upgrade_configuration(): certificate_renewal_update(ca), ca_enable_pkix(ca), ca_configure_profiles_acl(ca), + ca_enable_ldap_profile_subsystem(ca), ]) if ca_restart: -- 2.1.0 -------------- next part -------------- 
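Review bot: 'except OSError, e:' in ca_enable_ldap_profile_subsystem uses the comma form that Python 3 removed (PEP 3110); write 'except OSError as e:'. More importantly, a missing or unreadable CS.cfg surfaces from open() as IOError, which on Python 2 is not a subclass of OSError, so this handler would not catch it and the exception would escape the upgrade step instead of producing the intended 'Cannot read CA configuration file' log line; catch EnvironmentError (the common base of both) or '(IOError, OSError)'. The probe loop 'for i in range(15):' also hard-codes how many subsystem.N.class entries are inspected, so a ProfileSubsystem entry at index 15 or above would silently be left unconverted; name the bound as a commented constant, or derive it from the configuration rather than guessing.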
From 9f47a82d41fa67892d63753fc4bb6cfffaa4e65c Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Mon, 11 May 2015 21:17:48 -0400 Subject: [PATCH 07/13] Import included profiles during install or upgrade Add a default service profile template as part of FreeIPA and format and import it as part of installation or upgrade process. Also remove the code that modifies the old (file-based) `caIPAserviceCert' profile. Fixes https://fedorahosted.org/freeipa/ticket/4002 --- freeipa.spec.in | 2 + install/configure.ac | 1 + install/share/Makefile.am | 1 + install/share/profiles/Makefile.am | 14 ++ install/share/profiles/caIPAserviceCert.cfg | 109 ++++++++++++ install/tools/ipa-upgradeconfig | 1 - ipapython/dogtag.py | 7 +- ipaserver/install/cainstance.py | 253 +++++++--------------------- ipaserver/install/ipa_server_upgrade.py | 1 + ipaserver/install/server/install.py | 6 + ipaserver/install/server/upgrade.py | 42 ++--- ipaserver/plugins/dogtag.py | 14 +- 12 files changed, 228 insertions(+), 223 deletions(-) create mode 100644 install/share/profiles/Makefile.am create mode 100644 install/share/profiles/caIPAserviceCert.cfg diff --git a/freeipa.spec.in b/freeipa.spec.in index 2f259234945be874aede64ca7c3ce04bdf467b64..a9757a194b1bf3bdcced4fd29e7fbae8b0211c94 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -720,6 +720,8 @@ fi %dir %{_usr}/share/ipa/advise %dir %{_usr}/share/ipa/advise/legacy %{_usr}/share/ipa/advise/legacy/*.template +%dir %{_usr}/share/ipa/profiles +%{_usr}/share/ipa/profiles/*.cfg %dir %{_usr}/share/ipa/ffextension %{_usr}/share/ipa/ffextension/bootstrap.js %{_usr}/share/ipa/ffextension/install.rdf diff --git a/install/configure.ac b/install/configure.ac index 2e48aa5cc67b30f2582de987a12d4e7043256679..57f4219b66bbe1dadaed3e89c3e84b1c8240399e 100644 --- a/install/configure.ac +++ b/install/configure.ac 
@@ -88,6 +88,7 @@ AC_CONFIG_FILES([ share/Makefile share/advise/Makefile share/advise/legacy/Makefile + share/profiles/Makefile ui/Makefile ui/css/Makefile ui/src/Makefile diff --git a/install/share/Makefile.am b/install/share/Makefile.am index f44772b20c173c6fe43503716f40454f6f6b6f11..31f391be25c58b76cc71971852074d80c5514745 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -2,6 +2,7 @@ NULL = SUBDIRS = \ advise \ + profiles \ $(NULL) appdir = $(IPA_DATA_DIR) diff --git a/install/share/profiles/Makefile.am b/install/share/profiles/Makefile.am new file mode 100644 index 0000000000000000000000000000000000000000..4e6cf975a0f51d02ec29bd07ac8cb9ccc8320818 --- /dev/null +++ b/install/share/profiles/Makefile.am @@ -0,0 +1,14 @@ +NULL = + +appdir = $(IPA_DATA_DIR)/profiles +app_DATA = \ + caIPAserviceCert.cfg \ + $(NULL) + +EXTRA_DIST = \ + $(app_DATA) \ + $(NULL) + +MAINTAINERCLEANFILES = \ + *~ \ + Makefile.in diff --git a/install/share/profiles/caIPAserviceCert.cfg b/install/share/profiles/caIPAserviceCert.cfg new file mode 100644 index 0000000000000000000000000000000000000000..6c5102f0dbd6bd6c6eaf2fa22e87ed4a5f34553c --- /dev/null +++ b/install/share/profiles/caIPAserviceCert.cfg 
@@ -0,0 +1,109 @@ +profileId=caIPAserviceCert +classId=caEnrollImpl +desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication. +visible=false +enable=true +enableBy=admin +auth.instance_id=raCertAuth +name=IPA-RA Agent-Authenticated Server Certificate Enrollment +input.list=i1,i2 +input.i1.class_id=certReqInputImpl +input.i2.class_id=submitterInfoInputImpl +output.list=o1 +output.o1.class_id=certOutputImpl +policyset.list=serverCertSet +policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11 +policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl +policyset.serverCertSet.1.constraint.name=Subject Name Constraint +policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+ +policyset.serverCertSet.1.constraint.params.accept=true +policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl +policyset.serverCertSet.1.default.name=Subject Name Default +policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O +policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl +policyset.serverCertSet.2.constraint.name=Validity Constraint +policyset.serverCertSet.2.constraint.params.range=740 +policyset.serverCertSet.2.constraint.params.notBeforeCheck=false +policyset.serverCertSet.2.constraint.params.notAfterCheck=false +policyset.serverCertSet.2.default.class_id=validityDefaultImpl +policyset.serverCertSet.2.default.name=Validity Default +policyset.serverCertSet.2.default.params.range=731 +policyset.serverCertSet.2.default.params.startTime=0 +policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl +policyset.serverCertSet.3.constraint.name=Key Constraint +policyset.serverCertSet.3.constraint.params.keyType=RSA +policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096 +policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl +policyset.serverCertSet.3.default.name=Key Default 
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl +policyset.serverCertSet.4.constraint.name=No Constraint +policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl +policyset.serverCertSet.4.default.name=Authority Key Identifier Default +policyset.serverCertSet.5.constraint.class_id=noConstraintImpl +policyset.serverCertSet.5.constraint.name=No Constraint +policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl +policyset.serverCertSet.5.default.name=AIA Extension Default +policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true +policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName +policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://$IPA_CA_RECORD.$DOMAIN/ca/ocsp +policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 +policyset.serverCertSet.5.default.params.authInfoAccessCritical=false +policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1 +policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl +policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint +policyset.serverCertSet.6.constraint.params.keyUsageCritical=true +policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true +policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true +policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true +policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true +policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false +policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false +policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false +policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false +policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false +policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl +policyset.serverCertSet.6.default.name=Key Usage 
Default +policyset.serverCertSet.6.default.params.keyUsageCritical=true +policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true +policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true +policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true +policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true +policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false +policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false +policyset.serverCertSet.6.default.params.keyUsageCrlSign=false +policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false +policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false +policyset.serverCertSet.7.constraint.class_id=noConstraintImpl +policyset.serverCertSet.7.constraint.name=No Constraint +policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl +policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default +policyset.serverCertSet.7.default.params.exKeyUsageCritical=false +policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 +policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl +policyset.serverCertSet.8.constraint.name=No Constraint +policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC +policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl +policyset.serverCertSet.8.default.name=Signing Alg +policyset.serverCertSet.8.default.params.signingAlg=- +policyset.serverCertSet.9.constraint.class_id=noConstraintImpl +policyset.serverCertSet.9.constraint.name=No Constraint +policyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl +policyset.serverCertSet.9.default.name=CRL Distribution Points Extension Default +policyset.serverCertSet.9.default.params.crlDistPointsCritical=false 
+policyset.serverCertSet.9.default.params.crlDistPointsNum=1 +policyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true +policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=$CRL_ISSUER +policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName +policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://$IPA_CA_RECORD.$DOMAIN/ipa/crl/MasterCRL.bin +policyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName +policyset.serverCertSet.9.default.params.crlDistPointsReasons_0= +policyset.serverCertSet.10.constraint.class_id=noConstraintImpl +policyset.serverCertSet.10.constraint.name=No Constraint +policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl +policyset.serverCertSet.10.default.name=Subject Key Identifier Extension Default +policyset.serverCertSet.10.default.params.critical=false +policyset.serverCertSet.11.constraint.class_id=noConstraintImpl +policyset.serverCertSet.11.constraint.name=No Constraint +policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl +policyset.serverCertSet.11.default.name=User Supplied Extension Default +policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17 diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index 43292966a29c9077443913bdda1c81aa3de06a10..5f3a2b4a2f3864c2809178815c244c2012333fc8 100755 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig @@ -21,7 +21,6 @@ import sys - if __name__ == '__main__': sys.exit("Please run the 'ipa-server-upgrade' command to upgrade the " "IPA server.") diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py index 11311cf7b55d7b84e9434a698dbfd60b0eb142a1..2b4d233354b974884c88d13a3a1b437915ba0776 100644 --- a/ipapython/dogtag.py +++ b/ipapython/dogtag.py 
@@ -42,6 +42,11 @@ from ipapython.ipa_log_manager import * # the configured version. +INCLUDED_PROFILES = { + # ( profile_id , description , store_issued) + (u'caIPAserviceCert', u'Standard profile for network services', True), + } + class Dogtag10Constants(object): DOGTAG_VERSION = 10 UNSECURE_PORT = 8080 @@ -71,7 +76,6 @@ class Dogtag10Constants(object): RACERT_LINE_SEP = '\n' - IPA_SERVICE_PROFILE = '%s/caIPAserviceCert.cfg' % SERVICE_PROFILE_DIR SIGN_PROFILE = '%s/caJarSigningCert.cfg' % SERVICE_PROFILE_DIR SHARED_DB = True DS_USER = "dirsrv" @@ -110,7 +114,6 @@ class Dogtag9Constants(object): EE_CLIENT_AUTH_PORT = 9446 TOMCAT_SERVER_PORT = 9701 - IPA_SERVICE_PROFILE = '%s/caIPAserviceCert.cfg' % SERVICE_PROFILE_DIR SIGN_PROFILE = '%s/caJarSigningCert.cfg' % SERVICE_PROFILE_DIR SHARED_DB = False DS_USER = "pkisrv" diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 871581b4afc5df854b9a090ef51bb0ad3b3871ee..ca0b6df5db80bc842a78f614872831ddd82330b1 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -459,10 +459,6 @@ class CAInstance(DogtagInstance): self.step("importing CA chain to RA certificate database", self.__import_ca_chain) self.step("fixing RA database permissions", self.fix_ra_perms) self.step("setting up signing cert profile", self.__setup_sign_profile) - self.step("set certificate subject base", self.__set_subject_in_config) - self.step("enabling Subject Key Identifier", self.enable_subject_key_identifier) - self.step("enabling Subject Alternative Name", self.enable_subject_alternative_name) - self.step("enabling CRL and OCSP extensions for certificates", self.__set_crl_ocsp_extensions) self.step("setting audit signing renewal to 2 years", self.set_audit_renewal) if not self.clone: self.step("restarting certificate server", self.restart_instance) 
@@ -1125,94 +1121,6 @@ class CAInstance(DogtagInstance): return publishdir - def __set_crl_ocsp_extensions(self): - self.set_crl_ocsp_extensions(self.domain, self.fqdn) - - def set_crl_ocsp_extensions(self, domain, fqdn): - """ - Configure CRL and OCSP extensions in default IPA certificate profile - if not done already. - """ - changed = False - - # OCSP extension - ocsp_url = 'http://%s.%s/ca/ocsp' % (IPA_CA_RECORD, ipautil.format_netloc(domain)) - - ocsp_location_0 = installutils.get_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0', - separator='=') - - if ocsp_location_0 != ocsp_url: - # Set the first OCSP URI - installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0', - ocsp_url, quotes=False, separator='=') - changed = True - - ocsp_profile_count = installutils.get_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.5.default.params.authInfoAccessNumADs', - separator='=') - - if ocsp_profile_count != '1': - installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.5.default.params.authInfoAccessNumADs', - '1', quotes=False, separator='=') - changed = True - - - # CRL extension - crl_url = 'http://%s.%s/ipa/crl/MasterCRL.bin'% (IPA_CA_RECORD, ipautil.format_netloc(domain)) - - crl_point_0 = installutils.get_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.9.default.params.crlDistPointsPointName_0', - separator='=') - - if crl_point_0 != crl_url: - installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0', - 'CN=Certificate Authority,o=ipaca', quotes=False, separator='=') - installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0', - 
'DirectoryName', quotes=False, separator='=') - installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.9.default.params.crlDistPointsPointName_0', - crl_url, quotes=False, separator='=') - changed = True - - crl_profile_count = installutils.get_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.9.default.params.crlDistPointsNum', - separator='=') - - if crl_profile_count != '1': - installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.9.default.params.crlDistPointsNum', - '1', quotes=False, separator='=') - changed = True - - # CRL extension is not enabled by default - setlist = installutils.get_directive(self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.list', separator='=') - new_set_list = None - - if setlist == '1,2,3,4,5,6,7,8': - new_set_list = '1,2,3,4,5,6,7,8,9' - elif setlist == '1,2,3,4,5,6,7,8,10': - new_set_list = '1,2,3,4,5,6,7,8,9,10' - elif setlist == '1,2,3,4,5,6,7,8,10,11': - new_set_list = '1,2,3,4,5,6,7,8,9,10,11' - - if new_set_list: - installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.list', - new_set_list, quotes=False, separator='=') - changed = True - - return changed - def __enable_crl_publish(self): """ 
@@ -1267,13 +1175,6 @@ class CAInstance(DogtagInstance): installutils.set_directive(caconfig, 'ca.crl.MasterCRL.enableCRLUpdates', 'false', quotes=False, separator='=') installutils.set_directive(caconfig, 'ca.listenToCloneModifications', 'false', quotes=False, separator='=') - def __set_subject_in_config(self): - # dogtag ships with an IPA-specific profile that forces a subject - # format. We need to update that template with our base subject - if installutils.update_file(self.dogtag_constants.IPA_SERVICE_PROFILE, - 'OU=pki-ipa, O=IPA', str(self.subject_base)): - print "Updating subject_base in CA template failed" - def uninstall(self): # just eat state self.restore_state("enabled") 
@@ -1407,100 +1308,6 @@ class CAInstance(DogtagInstance): services.knownservices.certmonger.stop() - def enable_subject_key_identifier(self): - """ - See if Subject Key Identifier is set in the profile and if not, add it. - """ - setlist = installutils.get_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.list', separator='=') - - # this is the default setting from pki-ca/pki-tomcat. Don't touch it - # if a user has manually modified it. - if setlist == '1,2,3,4,5,6,7,8' or setlist == '1,2,3,4,5,6,7,8,9': - setlist += ',10' - installutils.set_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.list', - setlist, - quotes=False, separator='=') - installutils.set_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.10.constraint.class_id', - 'noConstraintImpl', - quotes=False, separator='=') - installutils.set_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.10.constraint.name', - 'No Constraint', - quotes=False, separator='=') - installutils.set_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.10.default.class_id', - 'subjectKeyIdentifierExtDefaultImpl', - quotes=False, separator='=') - installutils.set_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.10.default.name', - 'Subject Key Identifier Extension Default', - quotes=False, separator='=') - installutils.set_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.10.default.params.critical', - 'false', - quotes=False, separator='=') - return True - - # No update was done - return False - - def enable_subject_alternative_name(self): - """ - See if Subject Alternative Name is set in the profile and if not, add - it. 
- """ - setlist = installutils.get_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.list', separator='=') - - # this is the default setting from pki-ca/pki-tomcat. Don't touch it - # if a user has manually modified it. - if setlist == '1,2,3,4,5,6,7,8,10' or setlist == '1,2,3,4,5,6,7,8,9,10': - setlist += ',11' - installutils.set_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.list', - setlist, - quotes=False, separator='=') - installutils.set_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.11.constraint.class_id', - 'noConstraintImpl', - quotes=False, separator='=') - installutils.set_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.11.constraint.name', - 'No Constraint', - quotes=False, separator='=') - installutils.set_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.11.default.class_id', - 'userExtensionDefaultImpl', - quotes=False, separator='=') - installutils.set_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.11.default.name', - 'User Supplied Extension Default', - quotes=False, separator='=') - installutils.set_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.11.default.params.userExtOID', - '2.5.29.17', - quotes=False, separator='=') - return True - - # No update was done - return False def set_audit_renewal(self): """ @@ -1586,7 +1393,6 @@ class CAInstance(DogtagInstance): master_entry['ipaConfigString'].append('caRenewalMaster') self.admin_conn.update_entry(master_entry) - @staticmethod def update_cert_config(nickname, cert, dogtag_constants=None): """ 
@@ -1854,6 +1660,65 @@ def configure_profiles_acl(): conn.disconnect() return updated +def import_included_profiles(): + sub_dict = dict( + DOMAIN=ipautil.format_netloc(api.env.domain), + IPA_CA_RECORD=IPA_CA_RECORD, + CRL_ISSUER='CN=Certificate Authority,o=ipaca', + SUBJECT_DN_O=str(DN(('O', api.env.realm))), + ) + + server_id = installutils.realm_to_serverid(api.env.realm) + dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id + conn = ldap2.ldap2(shared_instance=False, ldap_uri=dogtag_uri) + if not conn.isconnected(): + conn.connect(autobind=True) + + for (profile_id, desc, store_issued) in dogtag.INCLUDED_PROFILES: + dn = DN(('cn', profile_id), + api.env.container_certprofile, api.env.basedn) + try: + conn.get_entry(dn) + continue # the profile is present + except errors.NotFound: + # profile not found; add it + profile_data = ipautil.template_file( + '/usr/share/ipa/profiles/{}.cfg'.format(profile_id), sub_dict) + + entry = conn.make_entry( + dn, + objectclass=['ipacertprofile'], + cn=[profile_id], + description=[desc], + ipacertprofilestoreissued=['TRUE' if store_issued else 'FALSE'], + ) + conn.add_entry(entry) + api.Backend.ra_certprofile._read_password() + with api.Backend.ra_certprofile as profile_api: + # import the profile + try: + profile_api.create_profile(profile_data) + except errors.RemoteRetrieveError: + # conflicting profile; replace it if we are + # installing IPA, but keep it for upgrades + if api.env.context == 'installer': + try: + profile_api.disable_profile(profile_id) + except errors.RemoteRetrieveError: + pass + profile_api.delete_profile(profile_id) + profile_api.create_profile(profile_data) + + # enable the profile + try: + profile_api.enable_profile(profile_id) + except errors.RemoteRetrieveError: + pass + + root_logger.info("Imported profile '%s'", profile_id) + + conn.disconnect() + if __name__ == "__main__": standard_logging_setup("install.log") ds = dsinstance.DsInstance() 
diff --git a/ipaserver/install/ipa_server_upgrade.py b/ipaserver/install/ipa_server_upgrade.py index d0a839d0a316317622894e5b56896f91a9e29bb8..8373b213411c34c59e838c586ff46e99efb43f58 100644 --- a/ipaserver/install/ipa_server_upgrade.py +++ b/ipaserver/install/ipa_server_upgrade.py @@ -41,6 +41,7 @@ class ServerUpgrade(admintool.AdminTool): super(ServerUpgrade, self).run() api.bootstrap(in_server=True, context='updates') + import ipaserver.plugins.dogtag # ensure profile backend gets loaded api.finalize() try: diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index aea1f9915f16a55c44183b0cebb41c04622be503..955e4cc11fba20475a07126f4101edbf1024290e 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py @@ -748,6 +748,9 @@ def install(options): api.env.ca_host = host_name api.bootstrap(**cfg) + if setup_ca: + # ensure profile backend is available + import ipaserver.plugins.dogtag api.finalize() # Create DS user/group if it doesn't exist yet @@ -903,6 +906,9 @@ def install(options): service.print_msg("Restarting the certificate server") ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME) + service.print_msg("Importing certificate profiles") + cainstance.import_included_profiles() + if options.setup_dns: api.Backend.ldap2.connect(autobind=True) dns.install(False, False, options) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 820533d6fa34218282941b8dcfcd3c0a192fdfb7..c5f4d37cc02658334d5c26f269ec5dd5e386df1d 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py 
@@ -338,32 +338,28 @@ def ca_enable_ldap_profile_subsystem(ca): return needs_update -def upgrade_ipa_profile(ca, domain, fqdn): +def ca_import_included_profiles(ca): + root_logger.info('[Ensuring presence of included profiles]') + + if not ca.is_configured(): + root_logger.info('CA is not configured') + return False + + return cainstance.import_included_profiles() + + +def upgrade_ca_audit_cert_validity(ca): """ - Update the IPA Profile provided by dogtag + Update the Dogtag audit signing certificate. Returns True if restart is needed, False otherwise. """ - root_logger.info('[Verifying that CA service certificate profile is updated]') + root_logger.info('[Verifying that CA audit signing cert has 2 year validity]') if ca.is_configured(): - ski = ca.enable_subject_key_identifier() - if ski: - root_logger.debug('Subject Key Identifier updated.') - else: - root_logger.debug('Subject Key Identifier already set.') - san = ca.enable_subject_alternative_name() - if san: - root_logger.debug('Subject Alternative Name updated.') - else: - root_logger.debug('Subject Alternative Name already set.') - audit = ca.set_audit_renewal() - uri = ca.set_crl_ocsp_extensions(domain, fqdn) - if audit or ski or san or uri: - return True + return ca.set_audit_renewal() else: root_logger.info('CA is not configured') - - return False + return False def named_remove_deprecated_options(): @@ -1416,7 +1412,7 @@ def upgrade_configuration(): ca_restart = any([ ca_restart, - upgrade_ipa_profile(ca, api.env.domain, fqdn), + upgrade_ca_audit_cert_validity(ca), certificate_renewal_update(ca), ca_enable_pkix(ca), ca_configure_profiles_acl(ca), 
@@ -1430,6 +1426,12 @@ def upgrade_configuration(): except ipautil.CalledProcessError as e: root_logger.error("Failed to restart %s: %s", ca.service_name, e) + # This step MUST be done after ca_enable_ldap_profile_subsystem and + # ca_configure_profiles_acl, and the consequent restart, but does not + # itself require a restart. + # + ca_import_included_profiles(ca) + set_sssd_domain_option('ipa_server_mode', 'True') diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 9654123b16d8e417398d49bf1305fd41880bc3a7..880b319d68728a40f4479626d5a7c2b8c56ced02 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -1966,17 +1966,19 @@ class RestClient(Backend): self.ipa_key_size = "2048" self.ipa_certificate_nickname = "ipaCert" self.ca_certificate_nickname = "caCert" - try: - f = open(self.pwd_file, "r") - self.password = f.readline().strip() - f.close() - except IOError: - self.password = '' + self._read_password() super(RestClient, self).__init__() # session cookie self.cookie = None + def _read_password(self): + try: + with open(self.pwd_file) as f: + self.password = f.readline().strip() + except IOError: + self.password = '' + @cachedproperty def ca_host(self): """ -- 2.1.0 -------------- next part -------------- From af81f8936749c48d547ef44d1831190fa466b0c2 Mon Sep 17 00:00:00 2001 
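Review bot: in the `import_included_profiles` hunk, `conn.add_entry(entry)` runs before `profile_api.create_profile(profile_data)`, so if the Dogtag import raises anything other than `errors.RemoteRetrieveError` (or the installer-path `delete_profile`/`create_profile` pair fails) the `ipacertprofile` entry is left behind, `conn.get_entry(dn)` succeeds on the next run, and the `continue  # the profile is present` branch means the import is never retried. Create the profile in Dogtag first and add the LDAP entry only once that succeeds, or remove the entry in an `except` before re-raising. Two smaller points in the same hunk: `api.Backend.ra_certprofile._read_password()` calls a private method of another backend from `cainstance`, and the `except errors.RemoteRetrieveError: pass` around `enable_profile` means a profile that failed to enable is still reported as "Imported profile '%s'"; log that failure at least.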
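Review bot: the two `import ipaserver.plugins.dogtag` lines (in `ServerUpgrade.run` and under `if setup_ca:` in `install()`) are function-local imports used only for their registration side effect and have to be repeated at every call site that later relies on `api.Backend.ra_certprofile`. Move the import into `cainstance.import_included_profiles` (or a module-level import in `cainstance`) so the backend is guaranteed to be loaded wherever that function is called, and keep the `# ensure profile backend ...` comment there.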
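Review bot: `ca_import_included_profiles` in the first `upgrade.py` hunk returns `False` when the CA is not configured but otherwise returns the result of `cainstance.import_included_profiles()`, which has no `return` statement and so yields `None`; the sibling `upgrade_ca_audit_cert_validity` and the other `ca_*` steps return a bool meaning "restart needed". Either return `True`/`False` explicitly or drop the return value, since the caller discards it. Separately, this hunk removes `enable_subject_key_identifier`, `enable_subject_alternative_name` and `set_crl_ocsp_extensions` from the upgrade path while `import_included_profiles` keeps an existing conflicting profile on upgrades ("keep it for upgrades"); a server upgraded from a release whose `caIPAserviceCert` had not yet received those extension updates would therefore keep the old profile. Please confirm that is intended or call it out in the commit message.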
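Review bot: in the `upgrade_configuration` hunk, `ca_import_included_profiles(ca)` is called bare, so any exception from it (the `ldapi://` connection in `import_included_profiles`, a `RemoteRetrieveError` on a non-installer run, a template read error) aborts the rest of `upgrade_configuration` before `set_sssd_domain_option('ipa_server_mode', 'True')` runs. Wrap it the way the CA restart just above handles `ipautil.CalledProcessError`: catch, `root_logger.error(...)`, and continue. The "This step MUST be done after ..." comment is useful; keep it.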
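Review bot: the new `RestClient._read_password` is called from `cainstance` as `api.Backend.ra_certprofile._read_password()`, which makes a leading-underscore method part of the cross-module interface; give it a public name, or add a public method whose docstring says why the password file has to be re-read after the CA has been configured. It also silently sets `self.password = ''` on `IOError`; a debug log line there would make a missing or unreadable `pwd_file` diagnosable when the profile import later fails to authenticate.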
From: Fraser Tweedale Date: Thu, 7 May 2015 21:26:24 -0400 Subject: [PATCH 08/13] Add generic split_any_principal method There exist methods to split user or service/host principals, but there is no method to split any kind of principal and allow the caller to decide what to do. Generalize ``ipalib.plugins.service.split_principal`` to return a service of ``None`` if the principal is a user principal, rename it ``split_any_principal`` and reimplement ``split_principal`` to preserve existing behaviour. Part of: https://fedorahosted.org/freeipa/ticket/4938 --- ipalib/plugins/service.py | 27 +++++++++++++++++++-------- 1 file changed, 19 insertions(+), 8 deletions(-) diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py index b37dc7b4bf56b69df204fd29e9487f1390197bbe..5af320286bab98535e1f7118840afc4d525be401 100644 --- a/ipalib/plugins/service.py +++ b/ipalib/plugins/service.py @@ -185,19 +185,24 @@ _ticket_flags_map = { _ticket_flags_default = _ticket_flags_map['ipakrbrequirespreauth'] -def split_principal(principal): +def split_any_principal(principal): service = hostname = realm = None # Break down the principal into its component parts, which may or # may not include the realm. sp = principal.split('/') - if len(sp) != 2: - raise errors.MalformedServicePrincipal(reason=_('missing service')) + name_and_realm = None + if len(sp) > 2: + raise errors.MalformedServicePrincipal(reason=_('unable to determine service')) + elif len(sp) == 2: + service = sp[0] + if len(service) == 0: + raise errors.MalformedServicePrincipal(reason=_('blank service')) + name_and_realm = sp[1] + else: + name_and_realm = sp[0] - service = sp[0] - if len(service) == 0: - raise errors.MalformedServicePrincipal(reason=_('blank service')) - sr = sp[1].split('@') + sr = name_and_realm.split('@') if len(sr) > 2: raise errors.MalformedServicePrincipal( reason=_('unable to determine realm')) 
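Review bot: `split_any_principal` has no docstring, and its contract (a 3-tuple `(service, hostname, realm)` with `service` set to `None` for user principals) is only discoverable from the commit message; add one, and note that the second element keeps the name `hostname` even when it holds a user name. In the same hunk, a malformed user principal (for example `len(sp) > 2`) still raises `errors.MalformedServicePrincipal` with reason `'unable to determine service'`, which reads oddly for callers that now pass user principals deliberately; document that exception type as part of the contract.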
@@ -212,7 +217,13 @@ def split_principal(principal): realm = api.env.realm # Note that realm may be None. - return (service, hostname, realm) + return service, hostname, realm + +def split_principal(principal): + service, name, realm = split_any_principal(principal) + if service is None: + raise errors.MalformedServicePrincipal(reason=_('missing service')) + return service, name, realm def validate_principal(ugettext, principal): (service, hostname, principal) = split_principal(principal) -- 2.1.0 -------------- next part -------------- From 074e1d4a33e28d0f5594fb89bbcb7a61a6deac1d Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 8 May 2015 02:23:24 -0400 Subject: [PATCH 09/13] Add profile_id parameter to 'request_certificate' Add the profile_id parameter to the 'request_certificate' function and update call sites. Also remove multiple occurrences of the default profile ID 'caIPAserviceCert'. Part of: https://fedorahosted.org/freeipa/ticket/57 --- API.txt | 3 ++- checks/check-ra.py | 2 +- ipalib/plugins/cert.py | 2 +- ipapython/dogtag.py | 2 ++ ipaserver/install/certs.py | 2 +- ipaserver/plugins/dogtag.py | 7 +++++-- ipaserver/plugins/rabase.py | 3 ++- 7 files changed, 14 insertions(+), 7 deletions(-) diff --git a/API.txt b/API.txt index 7d221b839a7058e2bc7c6c95f7121e79a30ebcfd..ec414a97c5913c0f4cc812716c72670dae7432da 100644 --- a/API.txt +++ b/API.txt @@ -485,10 +485,11 @@ arg: Str('serial_number') option: Str('version?', exclude='webui') output: Output('result', None, None) command: cert_request -args: 1,4,1 +args: 1,5,1 arg: File('csr', cli_name='csr_file') option: Flag('add', autofill=True, default=False) option: Str('principal') +option: Str('profile_id') option: Str('request_type', autofill=True, default=u'pkcs10') option: Str('version?', exclude='webui') output: Output('result', , None) diff --git a/checks/check-ra.py b/checks/check-ra.py index a1df50ba4a4ad7fc0b6d2118e40977b1da6edf65..28929545ab7f0a63e47a3829c53cf08d784c9524 100755 
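Review bot: PEP 8 asks for two blank lines before a top-level `def`; the new `split_principal` in this hunk follows `return service, hostname, realm` after a single blank line. It is also missing a docstring stating that it is the strict variant that rejects user principals (`missing service`). Otherwise the wrapper preserves the old behaviour as the commit message says.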
--- a/checks/check-ra.py +++ b/checks/check-ra.py @@ -90,7 +90,7 @@ def assert_equal(trial, reference): api.log.info('******** Testing ra.request_certificate() ********') -request_result = ra.request_certificate(csr) +request_result = ra.request_certificate(csr, ra.DEFAULT_PROFILE) if verbose: print "request_result=\n%s" % request_result assert_equal(request_result, {'subject' : subject, diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py index 7e2c77622b3627e9e57bbcb69291f723ecf509bf..e4cb6dc0aa8b89368806b08674aae277b3653e8f 100644 --- a/ipalib/plugins/cert.py +++ b/ipalib/plugins/cert.py @@ -436,7 +436,7 @@ class cert_request(VirtualCommand): # Request the certificate result = self.Backend.ra.request_certificate( - csr, request_type=request_type) + csr, 'caIPAserviceCert', request_type=request_type) cert = x509.load_certificate(result['certificate']) result['issuer'] = unicode(cert.issuer) result['valid_not_before'] = unicode(cert.valid_not_before_str) diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py index 2b4d233354b974884c88d13a3a1b437915ba0776..659751e57bf3deead0966e748c7302600db0f56c 100644 --- a/ipapython/dogtag.py +++ b/ipapython/dogtag.py @@ -47,6 +47,8 @@ INCLUDED_PROFILES = { (u'caIPAserviceCert', u'Standard profile for network services', True), } +DEFAULT_PROFILE = 'caIPAserviceCert' + class Dogtag10Constants(object): DOGTAG_VERSION = 10 UNSECURE_PORT = 8080 diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py index bc7dccf805386e9fa84b58d2ff9346085e1b93b1..564332e6fde0698a23884922c5018fab59da7e4d 100644 --- a/ipaserver/install/certs.py +++ b/ipaserver/install/certs.py @@ -386,7 +386,7 @@ class CertDB(object): # We just want the CSR bits, make sure there is nothing else csr = pkcs10.strip_header(csr) - params = {'profileId': 'caIPAserviceCert', + params = {'profileId': dogtag.DEFAULT_PROFILE, 'cert_request_type': 'pkcs10', 'requestor_name': 'IPA Installer', 'cert_request': csr, 
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 880b319d68728a40f4479626d5a7c2b8c56ced02..e6668bb43b994863a14fdd347635753422ed9388 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -1284,6 +1284,8 @@ class ra(rabase.rabase): """ Request Authority backend plugin. """ + DEFAULT_PROFILE = dogtag.DEFAULT_PROFILE + def __init__(self): if api.env.in_tree: self.sec_dir = api.env.dot_ipa + os.sep + 'alias' @@ -1541,9 +1543,10 @@ class ra(rabase.rabase): return cmd_result - def request_certificate(self, csr, request_type='pkcs10'): + def request_certificate(self, csr, profile_id, request_type='pkcs10'): """ :param csr: The certificate signing request. + :param profile_id: The profile to use for the request. :param request_type: The request type (defaults to ``'pkcs10'``). Submit certificate signing request. @@ -1575,7 +1578,7 @@ class ra(rabase.rabase): http_status, http_reason_phrase, http_headers, http_body = \ self._sslget('/ca/eeca/ca/profileSubmitSSLClient', self.env.ca_ee_port, - profileId='caIPAserviceCert', + profileId=profile_id, cert_request_type=request_type, cert_request=csr, xml='true') diff --git a/ipaserver/plugins/rabase.py b/ipaserver/plugins/rabase.py index e14969970ef5b402d06b766f895200c6eb4fc76f..cf4426235b02866a3f565c51c52c44aabbdc1153 100644 --- a/ipaserver/plugins/rabase.py +++ b/ipaserver/plugins/rabase.py @@ -67,11 +67,12 @@ class rabase(Backend): """ raise errors.NotImplementedError(name='%s.get_certificate' % self.name) - def request_certificate(self, csr, request_type='pkcs10'): + def request_certificate(self, csr, profile_id, request_type='pkcs10'): """ Submit certificate signing request. :param csr: The certificate signing request. + :param profile_id: Profile to use for this request. :param request_type: The request type (defaults to ``'pkcs10'``). """ raise errors.NotImplementedError(name='%s.request_certificate' % self.name) -- 2.1.0 -------------- next part -------------- 
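Review bot: the `ipalib/plugins/cert.py` hunk still hardcodes `'caIPAserviceCert'` in `self.Backend.ra.request_certificate(csr, 'caIPAserviceCert', request_type=request_type)` even though the commit message says the repeated default profile ID is being removed; use `self.Backend.ra.DEFAULT_PROFILE` as the `checks/check-ra.py` hunk in this same patch does.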
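Review bot: `DEFAULT_PROFILE = dogtag.DEFAULT_PROFILE` is added to the `ra` class in `ipaserver/plugins/dogtag.py` but not to `rabase` in `ipaserver/plugins/rabase.py`, while `checks/check-ra.py` reaches it through the backend as `ra.DEFAULT_PROFILE`; any other `rabase` subclass would raise `AttributeError` there. Declare `DEFAULT_PROFILE` on `rabase` next to the updated `request_certificate` signature, and extend the `:param profile_id:` docstring to say it must name a profile known to the CA.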
From 13f732e4c1429c637185cb789ba7a38ff881f346 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Mon, 18 May 2015 22:11:52 -0400 Subject: [PATCH 10/13] Add usercertificate attribute to user plugin Part of: https://fedorahosted.org/freeipa/tickets/4938 --- ACI.txt | 2 +- API.txt | 18 ++++++++++++------ install/share/default-aci.ldif | 1 + install/updates/20-aci.update | 4 ++++ ipalib/plugins/baseuser.py | 10 ++++++++-- ipalib/plugins/user.py | 2 +- 6 files changed, 27 insertions(+), 10 deletions(-) diff --git a/ACI.txt b/ACI.txt index 035a545511e4f56dcb492c97514de59cfc028405..fca5b269522c4ab80858c23b1a61e229eee0048e 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -281,7 +281,7 @@ aci: (targetattr = "krbprincipalkey || passwordhistory || sambalmpassword || sam dn: cn=users,cn=accounts,dc=ipa,dc=example aci: (targetattr = "ipasshpubkey")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=System: Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=users,cn=accounts,dc=ipa,dc=example -aci: (targetattr = "businesscategory || carlicense || cn || description || displayname || employeetype || facsimiletelephonenumber || gecos || givenname || homephone || inetuserhttpurl || initials || l || labeleduri || loginshell || manager || mepmanagedentry || mobile || objectclass || ou || pager || postalcode || preferredlanguage || roomnumber || secretary || seealso || sn || st || street || telephonenumber || title || userclass")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Modify Users";allow (write) groupdn = "ldap:///cn=System: Modify Users,cn=permissions,cn=pbac,dc=ipa,dc=example";) +aci: (targetattr = "businesscategory || carlicense || cn || description || displayname || employeetype || facsimiletelephonenumber || gecos || givenname || homephone || inetuserhttpurl || initials || l || labeleduri || loginshell || manager || mepmanagedentry || mobile || objectclass || ou || pager || postalcode || preferredlanguage || roomnumber || secretary || seealso || sn || st || street || telephonenumber || title || usercertificate || userclass")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Modify Users";allow (write) groupdn = "ldap:///cn=System: Modify Users,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=ipa,dc=example aci: (targetattr = "*")(target = "ldap:///cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read UPG 
Definition";allow (compare,read,search) groupdn = "ldap:///cn=System: Read UPG Definition,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=users,cn=accounts,dc=ipa,dc=example diff --git a/API.txt b/API.txt index ec414a97c5913c0f4cc812716c72670dae7432da..a59e99ba31bf901b960c36b05541c3e400d4ec7c 100644 --- a/API.txt +++ b/API.txt @@ -3808,7 +3808,7 @@ output: Entry('result', , Gettext('A dictionary representing an LDA output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) command: stageuser_add -args: 1,43,3 +args: 1,44,3 arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') @@ -3850,6 +3850,7 @@ option: Str('street', attribute=True, cli_name='street', multivalue=False, requi option: Str('telephonenumber', attribute=True, cli_name='phone', multivalue=True, required=False) option: Str('title', attribute=True, cli_name='title', multivalue=False, required=False) option: Int('uidnumber', attribute=True, cli_name='uid', minvalue=1, multivalue=False, required=False) +option: Bytes('usercertificate', attribute=True, cli_name='certificate', multivalue=True, required=False) option: Str('userclass', attribute=True, cli_name='class', multivalue=True, required=False) option: Password('userpassword', attribute=True, cli_name='password', exclude='webui', multivalue=False, required=False) option: Str('version?', exclude='webui') 
@@ -3865,7 +3866,7 @@ output: Output('result', , None) output: Output('summary', (, ), None) output: ListOfPrimaryKeys('value', None, None) command: stageuser_find -args: 1,52,4 +args: 1,53,4 arg: Str('criteria?', noextrawhitespace=False) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('carlicense', attribute=True, autofill=False, cli_name='carlicense', multivalue=True, query=True, required=False) @@ -3916,6 +3917,7 @@ option: Int('timelimit?', autofill=False, minvalue=0) option: Str('title', attribute=True, autofill=False, cli_name='title', multivalue=False, query=True, required=False) option: Str('uid', attribute=True, autofill=False, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=False) option: Int('uidnumber', attribute=True, autofill=False, cli_name='uid', minvalue=1, multivalue=False, query=True, required=False) +option: Bytes('usercertificate', attribute=True, autofill=False, cli_name='certificate', multivalue=True, query=True, required=False) option: Str('userclass', attribute=True, autofill=False, cli_name='class', multivalue=True, query=True, required=False) option: Password('userpassword', attribute=True, autofill=False, cli_name='password', exclude='webui', multivalue=False, query=True, required=False) option: Str('version?', exclude='webui') @@ -3924,7 +3926,7 @@ output: ListOfEntries('result', (, ), Gettext('A list output: Output('summary', (, ), None) output: Output('truncated', , None) command: stageuser_mod -args: 1,44,3 +args: 1,45,3 arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') 
@@ -3967,6 +3969,7 @@ option: Str('street', attribute=True, autofill=False, cli_name='street', multiva option: Str('telephonenumber', attribute=True, autofill=False, cli_name='phone', multivalue=True, required=False) option: Str('title', attribute=True, autofill=False, cli_name='title', multivalue=False, required=False) option: Int('uidnumber', attribute=True, autofill=False, cli_name='uid', minvalue=1, multivalue=False, required=False) +option: Bytes('usercertificate', attribute=True, autofill=False, cli_name='certificate', multivalue=True, required=False) option: Str('userclass', attribute=True, autofill=False, cli_name='class', multivalue=True, required=False) option: Password('userpassword', attribute=True, autofill=False, cli_name='password', exclude='webui', multivalue=False, required=False) option: Str('version?', exclude='webui') @@ -4594,7 +4597,7 @@ output: Entry('result', , Gettext('A dictionary representing an LDA output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) command: user_add -args: 1,44,3 +args: 1,45,3 arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') 
@@ -4637,6 +4640,7 @@ option: Str('street', attribute=True, cli_name='street', multivalue=False, requi option: Str('telephonenumber', attribute=True, cli_name='phone', multivalue=True, required=False) option: Str('title', attribute=True, cli_name='title', multivalue=False, required=False) option: Int('uidnumber', attribute=True, cli_name='uid', minvalue=1, multivalue=False, required=False) +option: Bytes('usercertificate', attribute=True, cli_name='certificate', multivalue=True, required=False) option: Str('userclass', attribute=True, cli_name='class', multivalue=True, required=False) option: Password('userpassword', attribute=True, cli_name='password', exclude='webui', multivalue=False, required=False) option: Str('version?', exclude='webui') @@ -4668,7 +4672,7 @@ output: Output('result', , None) output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) command: user_find -args: 1,55,4 +args: 1,56,4 arg: Str('criteria?', noextrawhitespace=False) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('carlicense', attribute=True, autofill=False, cli_name='carlicense', multivalue=True, query=True, required=False) 
@@ -4721,6 +4725,7 @@ option: Int('timelimit?', autofill=False, minvalue=0) option: Str('title', attribute=True, autofill=False, cli_name='title', multivalue=False, query=True, required=False) option: Str('uid', attribute=True, autofill=False, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=False) option: Int('uidnumber', attribute=True, autofill=False, cli_name='uid', minvalue=1, multivalue=False, query=True, required=False) +option: Bytes('usercertificate', attribute=True, autofill=False, cli_name='certificate', multivalue=True, query=True, required=False) option: Str('userclass', attribute=True, autofill=False, cli_name='class', multivalue=True, query=True, required=False) option: Password('userpassword', attribute=True, autofill=False, cli_name='password', exclude='webui', multivalue=False, query=True, required=False) option: Str('version?', exclude='webui') @@ -4730,7 +4735,7 @@ output: ListOfEntries('result', (, ), Gettext('A list output: Output('summary', (, ), None) output: Output('truncated', , None) command: user_mod -args: 1,45,3 +args: 1,46,3 arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') 
@@ -4774,6 +4779,7 @@ option: Str('street', attribute=True, autofill=False, cli_name='street', multiva option: Str('telephonenumber', attribute=True, autofill=False, cli_name='phone', multivalue=True, required=False) option: Str('title', attribute=True, autofill=False, cli_name='title', multivalue=False, required=False) option: Int('uidnumber', attribute=True, autofill=False, cli_name='uid', minvalue=1, multivalue=False, required=False) +option: Bytes('usercertificate', attribute=True, autofill=False, cli_name='certificate', multivalue=True, required=False) option: Str('userclass', attribute=True, autofill=False, cli_name='class', multivalue=True, required=False) option: Password('userpassword', attribute=True, autofill=False, cli_name='password', exclude='webui', multivalue=False, required=False) option: Str('version?', exclude='webui') diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif index af7eedb0b92375f893a61ad1fb6e2d7b176389f9..7b174e774aae3ea012a431fe4a2535fb4230e402 100644 --- a/install/share/default-aci.ldif +++ b/install/share/default-aci.ldif @@ -10,6 +10,7 @@ changetype: modify add: aci aci: (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";) aci: (targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";) +aci: (targetattr = "usercertificate")(version 3.0;acl "selfservice:Users can manage their own X.509 certificates";allow (write) userdn = "ldap:///self";) dn: cn=etc,$SUFFIX changetype: modify 
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update index fde3afeee59e4d4dc0bd6a9c0eb24ab255c4e637..4a8b67c6579da4dab74d02861640264446153f87 100644 --- a/install/updates/20-aci.update +++ b/install/updates/20-aci.update @@ -79,3 +79,7 @@ add:aci: (targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Group add:aci: (targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Entities are allowed to rekey themselves"; allow(write) userdn="ldap:///self";) add:aci: (targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Admins are allowed to rekey any entity"; allow(write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) add:aci: (targetfilter="(|(objectclass=ipaHost)(objectclass=ipaService))")(targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Entities are allowed to rekey managed entries"; allow(write) userattr="managedby#USERDN";) + +# User certificates +dn: $SUFFIX +add:aci:(targetattr = "usercertificate")(version 3.0;acl "selfservice:Users can manage their own X.509 certificates";allow (write) userdn = "ldap:///self";) diff --git a/ipalib/plugins/baseuser.py b/ipalib/plugins/baseuser.py index a1be29d83550a0412ed37cfde47ac74c6ca478fd..d2bc68f45ad9a3632a237c01961a30592514d96d 100644 --- a/ipalib/plugins/baseuser.py +++ b/ipalib/plugins/baseuser.py @@ -23,10 +23,11 @@ import posixpath import os from ipalib import api, errors -from ipalib import Flag, Int, Password, Str, Bool, StrEnum, DateTime +from ipalib import Flag, Int, Password, Str, Bool, StrEnum, DateTime, Bytes from ipalib.plugable import Registry from ipalib.plugins.baseldap import DN, LDAPObject, \ LDAPCreate, LDAPUpdate, LDAPSearch, LDAPDelete, LDAPRetrieve +from ipalib.plugins.service import validate_certificate from ipalib.plugins import baseldap from ipalib.request import context from ipalib import _, ngettext 
@@ -188,7 +189,7 @@ class baseuser(LDAPObject): 'telephonenumber', 'title', 'memberof', 'nsaccountlock', 'memberofindirect', 'ipauserauthtype', 'userclass', 'ipatokenradiusconfiglink', 'ipatokenradiususername', - 'krbprincipalexpiration' + 'krbprincipalexpiration', 'usercertificate', ] search_display_attributes = [ 'uid', 'givenname', 'sn', 'homedirectory', 'loginshell', @@ -383,6 +384,11 @@ class baseuser(LDAPObject): + '(\s*,\s*[a-zA-Z]{1,8}(-[a-zA-Z]{1,8})?(;q\=((0(\.[0-9]{0,3})?)|(1(\.0{0,3})?)))?)*)|(\*))$', pattern_errmsg='must match RFC 2068 - 14.4, e.g., "da, en-gb;q=0.8, en;q=0.7"', ), + Bytes('usercertificate*', validate_certificate, + cli_name='certificate', + label=_('Certificate'), + doc=_('Base-64 encoded server certificate'), + ), ) def normalize_and_validate_email(self, email, config=None): diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index 54d47bb01450ec462577e552315e3d680b7648c3..119294b19f54a395a2df65c6cfd47cd8eb844297 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py @@ -267,7 +267,7 @@ class user(baseuser): 'mepmanagedentry', 'mobile', 'objectclass', 'ou', 'pager', 'postalcode', 'roomnumber', 'secretary', 'seealso', 'sn', 'st', 'street', 'telephonenumber', 'title', 'userclass', - 'preferredlanguage', + 'preferredlanguage', 'usercertificate', }, 'replaces': [ '(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,$SUFFIX";)', -- 2.1.0 -------------- next part -------------- 
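Review bot: the `doc` string for the new `Bytes('usercertificate*', ...)` parameter in `baseuser.py` reads 'Base-64 encoded server certificate', which is copied from the service plugin; this is a user certificate, so say 'Base-64 encoded user certificate'. The same hunk imports `validate_certificate` from `ipalib.plugins.service`, which couples the user plugins to the service plugin for a single validator; moving that function to a shared module (`ipalib/x509.py` or similar) avoids the dependency.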
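Review bot: the ACI hunks (ACI.txt, default-aci.ldif, 20-aci.update, user.py) only extend the write side: 'System: Modify Users' and the new self-service ACI gain `usercertificate`. No read permission is touched in this patch, so please confirm `usercertificate` is already covered by an existing read ACI on user entries; otherwise `user-show` under a non-admin bind will not return the attribute that `cert-request` just stored. The new self-service ACI has no `targetfilter`, which matches the existing SSH public key self-service ACI in `default-aci.ldif`, so that is consistent with the file's convention.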
From 6785d89b8b7caab4fc7ce34f1530e3f34f26ef24 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Thu, 14 May 2015 01:45:16 -0400 Subject: [PATCH 11/13] Update cert-request to support user certs and profiles Part of: https://fedorahosted.org/freeipa/ticket/57 Part of: https://fedorahosted.org/freeipa/ticket/4938 --- ipalib/pkcs10.py | 1 + ipalib/plugins/cert.py | 213 +++++++++++++++++++++++++++++-------------------- 2 files changed, 126 insertions(+), 88 deletions(-) diff --git a/ipalib/pkcs10.py b/ipalib/pkcs10.py index f35e200a2c1b47e2a2c8cffcf9b723f398fe3221..6299dfea43b7a3f4104f0b0ec78c4f105d9daf62 100644 --- a/ipalib/pkcs10.py +++ b/ipalib/pkcs10.py @@ -30,6 +30,7 @@ PEM = 0 DER = 1 SAN_DNSNAME = 'DNS name' +SAN_RFC822NAME = 'RFC822 Name' SAN_OTHERNAME_UPN = 'Other Name (OID.1.3.6.1.4.1.311.20.2.3)' SAN_OTHERNAME_KRB5PRINCIPALNAME = 'Other Name (OID.1.3.6.1.5.2.2)' diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py index e4cb6dc0aa8b89368806b08674aae277b3653e8f..34621b552d3e527c2dd0fee46e240542179227f9 100644 --- a/ipalib/plugins/cert.py +++ b/ipalib/plugins/cert.py @@ -31,7 +31,8 @@ from ipalib import ngettext from ipalib.plugable import Registry from ipalib.plugins.virtual import * from ipalib.plugins.baseldap import pkey_to_value -from ipalib.plugins.service import split_principal +from ipalib.plugins.service import split_any_principal +from ipalib.plugins.certprofile import validate_profile_id import base64 import traceback from ipalib.text import _ @@ -122,6 +123,8 @@ http://www.ietf.org/rfc/rfc5280.txt """) +USER, HOST, SERVICE = range(3) + register = Registry() def validate_pkidate(ugettext, value): @@ -232,7 +235,7 @@ class cert_request(VirtualCommand): takes_options = ( Str('principal', label=_('Principal'), - doc=_('Service principal for this certificate (e.g. HTTP/test.example.com)'), + doc=_('Principal for this certificate (e.g. HTTP/test.example.com)'), ), Str('request_type', default=u'pkcs10', 
@@ -243,6 +246,10 @@ class cert_request(VirtualCommand): default=False, autofill=True ), + Str('profile_id', validate_profile_id, + label=_("Profile ID"), + doc=_("Certificate Profile to use"), + ) ) has_output_params = ( @@ -294,10 +301,9 @@ class cert_request(VirtualCommand): ca_enabled_check() ldap = self.api.Backend.ldap2 - principal = kw.get('principal') add = kw.get('add') request_type = kw.get('request_type') - service = None + profile_id = kw.get('profile_id', self.Backend.ra.DEFAULT_PROFILE) """ Access control is partially handled by the ACI titled @@ -310,9 +316,21 @@ class cert_request(VirtualCommand): taskgroup (directly or indirectly via role membership). """ - bind_principal = getattr(context, 'principal') - # Can this user request certs? - if not bind_principal.startswith('host/'): + principal_string = kw.get('principal') + principal = split_any_principal(principal_string) + servicename, principal_name, realm = principal + if servicename is None: + principal_type = USER + elif servicename == 'host': + principal_type = HOST + else: + principal_type = SERVICE + + bind_principal = split_any_principal(getattr(context, 'principal')) + bind_service, bind_name, bind_realm = bind_principal + + if bind_principal != principal: + # Can the bound principal request certs for another principal? self.check_access() try: 
@@ -323,57 +341,71 @@ class cert_request(VirtualCommand): raise errors.CertificateOperationError( error=_("Failure decoding Certificate Signing Request: %s") % e) - if not bind_principal.startswith('host/'): + # host principals may bypass allowed ext check + if bind_service != 'host': for ext in extensions: operation = self._allowed_extensions.get(ext) if operation: self.check_access(operation) - # Ensure that the hostname in the CSR matches the principal - subject_host = subject.common_name #pylint: disable=E1101 - if not subject_host: + dn = None + principal_obj = None + # See if the service exists and punt if it doesn't and we aren't + # going to add it + try: + if principal_type == SERVICE: + principal_obj = api.Command['service_show'](principal_string, all=True) + elif principal_type == HOST: + principal_obj = api.Command['host_show'](principal_name, all=True) + elif principal_type == USER: + principal_obj = api.Command['user_show'](principal_name, all=True) + except errors.NotFound as e: + if principal_type == SERVICE and add: + principal_obj = api.Command['service_add'](principal_string, force=True) + else: + raise errors.NotFound( + reason=_("The principal for this request doesn't exist.")) + principal_obj = principal_obj['result'] + dn = principal_obj['dn'] + + # Ensure that the DN in the CSR matches the principal + cn = subject.common_name #pylint: disable=E1101 + if not cn: raise errors.ValidationError(name='csr', - error=_("No hostname was found in subject of request.")) + error=_("No Common Name was found in subject of request.")) - (servicename, hostname, realm) = split_principal(principal) - if subject_host.lower() != hostname.lower(): - raise errors.ACIError( - info=_("hostname in subject of request '%(subject_host)s' " - "does not match principal hostname '%(hostname)s'") % dict( - subject_host=subject_host, hostname=hostname)) + if principal_type in (SERVICE, HOST): + if cn.lower() != principal_name.lower(): + raise errors.ACIError( + 
info=_("hostname in subject of request '%(cn)s' " + "does not match principal hostname '%(hostname)s'") + % dict(cn=cn, hostname=principal_name)) + elif principal_type == USER: + # check user name + if cn != principal_name: + raise errors.ValidationError( + name='csr', + error=_( + "DN commonName does not match " + "any of user's email addresses") + ) + + # check email address + mail = subject.email_address #pylint: disable=E1101 + if mail is not None and mail not in principal_obj.get('mail', []): + raise errors.ValidationError( + name='csr', + error=_( + "DN emailAddress does not match " + "any of user's email addresses") + ) for ext in extensions: if ext not in self._allowed_extensions: raise errors.ValidationError( name='csr', error=_("extension %s is forbidden") % ext) - for name_type, name in subjectaltname: - if name_type not in (pkcs10.SAN_DNSNAME, - pkcs10.SAN_OTHERNAME_KRB5PRINCIPALNAME, - pkcs10.SAN_OTHERNAME_UPN): - raise errors.ValidationError( - name='csr', - error=_("subject alt name type %s is forbidden") % - name_type) - - dn = None - service = None - # See if the service exists and punt if it doesn't and we aren't - # going to add it - try: - if servicename != 'host': - service = api.Command['service_show'](principal, all=True) - else: - service = api.Command['host_show'](hostname, all=True) - except errors.NotFound, e: - if not add: - raise errors.NotFound(reason=_("The service principal for " - "this request doesn't exist.")) - service = api.Command['service_add'](principal, force=True) - service = service['result'] - dn = service['dn'] - - # We got this far so the service entry exists, can we write it? + # We got this far so the principal entry exists, can we write it? if not ldap.can_write(dn, "usercertificate"): raise errors.ACIError(info=_("Insufficient 'write' privilege " "to the 'userCertificate' attribute of entry '%s'.") % dn) 
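Review bot: the USER branch of the Common Name check in the @@ -323 hunk raises with the wrong message: when `cn != principal_name` the error reads "DN commonName does not match any of user's email addresses", which is the text of the emailAddress check that follows; it should say the commonName does not match the user name. The comparison is also case-sensitive for users but uses `.lower()` for hosts and services a few lines above; pick one rule and document why. Minor: `except errors.NotFound as e:` binds `e` and never uses it.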
@@ -382,13 +414,20 @@ class cert_request(VirtualCommand): for name_type, name in subjectaltname: if name_type == pkcs10.SAN_DNSNAME: name = unicode(name) + alt_principal_obj = None try: - if servicename == 'host': - altservice = api.Command['host_show'](name, all=True) - else: + if principal_type == HOST: + alt_principal_obj = api.Command['host_show'](name, all=True) + elif principal_type == SERVICE: altprincipal = '%s/%s@%s' % (servicename, name, realm) - altservice = api.Command['service_show']( + alt_principal_obj = api.Command['service_show']( altprincipal, all=True) + elif principal_type == USER: + raise errors.ValidationError( + name='csr', + error=_("subject alt name type %s is forbidden " + "for user principals") % name_type + ) except errors.NotFound: # We don't want to issue any certificates referencing # machines we don't know about. Nothing is stored in this 
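Review bot: in the @@ -382 hunk the USER rejection (`raise errors.ValidationError(...)`) sits inside the `try:` whose only handler is `except errors.NotFound`, so it does propagate as intended, but the placement is easy to misread and it is the reason the next hunk needs the `if alt_principal_obj is not None:` guard. Rejecting `principal_type == USER` before the `try:` (or before the loop, since no DNS SAN is ever valid for a user) makes the control flow obvious and lets the guard go.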
@@ -396,47 +435,41 @@ class cert_request(VirtualCommand): raise errors.NotFound(reason=_('The service principal for ' 'subject alt name %s in certificate request does not ' 'exist') % name) - altdn = altservice['result']['dn'] - if not ldap.can_write(altdn, "usercertificate"): - raise errors.ACIError(info=_( - "Insufficient privilege to create a certificate with " - "subject alt name '%s'.") % name) + if alt_principal_obj is not None: + altdn = alt_principal_obj['result']['dn'] + if not ldap.can_write(altdn, "usercertificate"): + raise errors.ACIError(info=_( + "Insufficient privilege to create a certificate " + "with subject alt name '%s'.") % name) elif name_type in (pkcs10.SAN_OTHERNAME_KRB5PRINCIPALNAME, pkcs10.SAN_OTHERNAME_UPN): - if name != principal: + if name != principal_string: raise errors.ACIError( info=_("Principal '%s' in subject alt name does not " - "match requested service principal") % name) + "match requested principal") % name) + elif name_type == pkcs10.SAN_RFC822NAME: + if principal_type == USER: + if name not in principal_obj.get('mail', []): + raise errors.ValidationError( + name='csr', + error=_( + "RFC822Name does not match " + "any of user's email addresses") + ) + else: + raise errors.ValidationError( + name='csr', + error=_("subject alt name type %s is forbidden " + "for non-user principals") % name_type + ) else: raise errors.ACIError( info=_("Subject alt name type %s is forbidden") % name_type) - if 'usercertificate' in service: - serial = x509.get_serial_number(service['usercertificate'][0], datatype=x509.DER) - # revoke the certificate and remove it from the service - # entry before proceeding. First we retrieve the certificate to - # see if it is already revoked, if not then we revoke it. 
- try: - result = api.Command['cert_show'](unicode(serial))['result'] - if 'revocation_reason' not in result: - try: - api.Command['cert_revoke'](unicode(serial), revocation_reason=4) - except errors.NotImplementedError: - # some CA's might not implement revoke - pass - except errors.NotImplementedError: - # some CA's might not implement get - pass - if not principal.startswith('host/'): - api.Command['service_mod'](principal, usercertificate=None) - else: - hostname = get_host_from_principal(principal) - api.Command['host_mod'](hostname, usercertificate=None) - # Request the certificate result = self.Backend.ra.request_certificate( - csr, 'caIPAserviceCert', request_type=request_type) + csr, profile_id, request_type=request_type) cert = x509.load_certificate(result['certificate']) result['issuer'] = unicode(cert.issuer) result['valid_not_before'] = unicode(cert.valid_not_before_str) 
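Review bot: the @@ -396 hunk removes the block that revoked an existing certificate and cleared `usercertificate` before issuing a new one, and with the `addattr` store in the last hunk the old and new certificates now coexist on the entry, the old one still valid. Silently dropping revoke-on-reissue is a behaviour change with a security consequence and needs an explicit justification in the commit message or a separate, reviewable change. Also, `profile_id` is now passed straight to `request_certificate` after only the syntactic `validate_profile_id` check; nothing in this hunk verifies that the requesting principal is permitted to use that profile, so this must not ship without the corresponding ACL check.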
@@ -444,15 +477,19 @@ class cert_request(VirtualCommand): result['md5_fingerprint'] = unicode(nss.data_to_hex(nss.md5_digest(cert.der_data), 64)[0]) result['sha1_fingerprint'] = unicode(nss.data_to_hex(nss.sha1_digest(cert.der_data), 64)[0]) - # Success? Then add it to the service entry. - if 'certificate' in result: - if not principal.startswith('host/'): - skw = {"usercertificate": str(result.get('certificate'))} - api.Command['service_mod'](principal, **skw) - else: - hostname = get_host_from_principal(principal) - skw = {"usercertificate": str(result.get('certificate'))} - api.Command['host_mod'](hostname, **skw) + # Success? Then add it to the principal's entry + # (unless the profile tells us not to) + profile = api.Command['certprofile_show'](profile_id) + store = profile['result']['ipacertprofilestoreissued'][0] == 'TRUE' + if store and 'certificate' in result: + cert = str(result.get('certificate')) + kwargs = dict(addattr=u'usercertificate={}'.format(cert)) + if principal_type == SERVICE: + api.Command['service_mod'](principal_string, **kwargs) + elif principal_type == HOST: + api.Command['host_mod'](principal_name, **kwargs) + elif principal_type == USER: + api.Command['user_mod'](principal_name, **kwargs) return dict( result=result -- 2.1.0 -------------- next part -------------- From c013112f7af7fbbc52805c787e482cf87b2065fe Mon Sep 17 00:00:00 2001 
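Review bot: in the @@ -444 hunk `api.Command['certprofile_show'](profile_id)` is called only after the CA has issued the certificate; if that lookup raises (for example the profile entry is missing), the command fails after issuance and the certificate is neither stored on the entry nor returned to the caller. Resolve the profile and its `ipacertprofilestoreissued` flag before `request_certificate`. Also `cert = str(result.get('certificate'))` rebinds the `cert` name that holds the parsed x509 object from the preceding lines; a distinct name such as `cert_b64` avoids the confusion.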
From: Fraser Tweedale Date: Mon, 25 May 2015 08:39:07 -0400 Subject: [PATCH 12/13] Add CA ACL plugin Implement the caacl commands, which are used to indicate which principals may be issued certificates from which (sub-)CAs, using which profiles. At this commit, and until sub-CAs are implemented, all rules refer to the top-level CA (represented as ".") and no ca-ref argument is exposed. Also add a default CA ACL that permits certificate issuance for all hosts and services using the profile 'caIPAserviceCert' on the top-level CA. Part of: https://fedorahosted.org/freeipa/ticket/57 Part of: https://fedorahosted.org/freeipa/ticket/4559 --- ACI.txt | 10 + API.txt | 171 +++++++++++++++ install/share/60certificate-profiles.ldif | 8 + install/share/Makefile.am | 1 + install/share/bootstrap-template.ldif | 6 + install/share/default-caacl.ldif | 12 ++ install/updates/41-caacl.update | 4 + install/updates/Makefile.am | 1 + ipalib/constants.py | 1 + ipalib/plugins/caacl.py | 343 ++++++++++++++++++++++++++++++ ipaserver/install/dsinstance.py | 4 + 11 files changed, 561 insertions(+) create mode 100644 install/share/default-caacl.ldif create mode 100644 install/updates/41-caacl.update create mode 100644 ipalib/plugins/caacl.py diff --git a/ACI.txt b/ACI.txt index fca5b269522c4ab80858c23b1a61e229eee0048e..c92e341834c1134cab007e61d2953b8e52f375b5 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -22,6 +22,16 @@ dn: cn=automount,dc=ipa,dc=example aci: (targetattr = "automountmapname || description")(targetfilter = "(objectclass=automountmap)")(version 3.0;acl "permission:System: Modify Automount Maps";allow (write) groupdn = "ldap:///cn=System: Modify Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=automount,dc=ipa,dc=example aci: (targetfilter = "(objectclass=automountmap)")(version 3.0;acl "permission:System: Remove Automount Maps";allow (delete) groupdn = "ldap:///cn=System: Remove Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=caacls,cn=ca,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Add CA ACL";allow (add) groupdn = "ldap:///cn=System: Add CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=caacls,cn=ca,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Delete CA ACL";allow (delete) groupdn = "ldap:///cn=System: Delete CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=caacls,cn=ca,dc=ipa,dc=example +aci: (targetattr = "ipacaaclallhosts || ipacaaclallservices || ipacaaclallusers || memberhost || memberservice || memberuser")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Manage CA ACL Membership";allow (write) groupdn = "ldap:///cn=System: Manage CA ACL Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=caacls,cn=ca,dc=ipa,dc=example +aci: (targetattr = "cn || description || ipacaaclallcas || ipacaaclallprofiles || ipacaaclcaref || ipacaaclprofileid || ipaenabledflag")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Modify CA ACL";allow (write) groupdn = "ldap:///cn=System: Modify CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=caacls,cn=ca,dc=ipa,dc=example +aci: (targetattr = "cn || createtimestamp || description || entryusn || ipacaaclallcas || ipacaaclallhosts || ipacaaclallprofiles || ipacaaclallservices 
|| ipacaaclallusers || ipacaaclcaref || ipacaaclprofileid || ipaenabledflag || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Read CA ACLs";allow (compare,read,search) userdn = "ldap:///all";) dn: cn=certprofiles,cn=ca,dc=ipa,dc=example aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Delete Certificate Profile";allow (delete) groupdn = "ldap:///cn=System: Delete Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=certprofiles,cn=ca,dc=ipa,dc=example diff --git a/API.txt b/API.txt index a59e99ba31bf901b960c36b05541c3e400d4ec7c..1b3727059c362d32ac6cc56d7277ebb8763f6943 100644 --- a/API.txt +++ b/API.txt 
@@ -456,6 +456,177 @@ option: Str('version?', exclude='webui') output: Output('result', , None) output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) +command: caacl_add +args: 1,15,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, required=True) +option: Str('addattr*', cli_name='addattr', exclude='webui') +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('description', attribute=True, cli_name='desc', multivalue=False, required=False) +option: Bool('ipacaaclallcas', attribute=True, cli_name='allcas', multivalue=False, required=False) +option: Bool('ipacaaclallhosts', attribute=True, cli_name='allhosts', multivalue=False, required=False) +option: Bool('ipacaaclallprofiles', attribute=True, cli_name='allprofiles', multivalue=False, required=False) +option: Bool('ipacaaclallservices', attribute=True, cli_name='allservices', multivalue=False, required=False) +option: Bool('ipacaaclallusers', attribute=True, cli_name='allusers', multivalue=False, required=False) +option: Str('ipacaaclcaref', attribute=True, cli_name='ca_ref', multivalue=True, required=False) +option: Str('ipacaaclprofileid', attribute=True, cli_name='profile_id', multivalue=True, required=False) +option: Bool('ipaenabledflag', attribute=True, cli_name='ipaenabledflag', multivalue=False, required=False) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('setattr*', cli_name='setattr', exclude='webui') +option: Str('version?', exclude='webui') +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) +command: caacl_add_host +args: 1,6,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) 
+option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('host*', alwaysask=True, cli_name='hosts', csv=True) +option: Str('hostgroup*', alwaysask=True, cli_name='hostgroups', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: caacl_add_service +args: 1,5,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('service*', alwaysask=True, cli_name='services', csv=True) +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: caacl_add_user +args: 1,6,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('group*', alwaysask=True, cli_name='groups', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('user*', alwaysask=True, cli_name='users', csv=True) +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing 
an LDAP entry', domain='ipa', localedir=None)) +command: caacl_del +args: 1,2,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=True, primary_key=True, query=True, required=True) +option: Flag('continue', autofill=True, cli_name='continue', default=False) +option: Str('version?', exclude='webui') +output: Output('result', , None) +output: Output('summary', (, ), None) +output: ListOfPrimaryKeys('value', None, None) +command: caacl_disable +args: 1,1,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Str('version?', exclude='webui') +output: Output('result', , None) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) +command: caacl_enable +args: 1,1,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Str('version?', exclude='webui') +output: Output('result', , None) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) +command: caacl_find +args: 1,17,4 +arg: Str('criteria?', noextrawhitespace=False) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('cn', attribute=True, autofill=False, cli_name='name', multivalue=False, primary_key=True, query=True, required=False) +option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, query=True, required=False) +option: Bool('ipacaaclallcas', attribute=True, autofill=False, cli_name='allcas', multivalue=False, query=True, required=False) +option: Bool('ipacaaclallhosts', attribute=True, autofill=False, cli_name='allhosts', multivalue=False, query=True, required=False) +option: Bool('ipacaaclallprofiles', attribute=True, autofill=False, cli_name='allprofiles', multivalue=False, query=True, required=False) +option: Bool('ipacaaclallservices', attribute=True, autofill=False, cli_name='allservices', multivalue=False, query=True, 
required=False) +option: Bool('ipacaaclallusers', attribute=True, autofill=False, cli_name='allusers', multivalue=False, query=True, required=False) +option: Str('ipacaaclcaref', attribute=True, autofill=False, cli_name='ca_ref', multivalue=True, query=True, required=False) +option: Str('ipacaaclprofileid', attribute=True, autofill=False, cli_name='profile_id', multivalue=True, query=True, required=False) +option: Bool('ipaenabledflag', attribute=True, autofill=False, cli_name='ipaenabledflag', multivalue=False, query=True, required=False) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('pkey_only?', autofill=True, default=False) +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Int('sizelimit?', autofill=False, minvalue=0) +option: Int('timelimit?', autofill=False, minvalue=0) +option: Str('version?', exclude='webui') +output: Output('count', , None) +output: ListOfEntries('result', (, ), Gettext('A list of LDAP entries', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: Output('truncated', , None) +command: caacl_mod +args: 1,17,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Str('addattr*', cli_name='addattr', exclude='webui') +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('delattr*', cli_name='delattr', exclude='webui') +option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, required=False) +option: Bool('ipacaaclallcas', attribute=True, autofill=False, cli_name='allcas', multivalue=False, required=False) +option: Bool('ipacaaclallhosts', attribute=True, autofill=False, cli_name='allhosts', multivalue=False, required=False) +option: Bool('ipacaaclallprofiles', attribute=True, autofill=False, cli_name='allprofiles', multivalue=False, required=False) +option: Bool('ipacaaclallservices', 
attribute=True, autofill=False, cli_name='allservices', multivalue=False, required=False) +option: Bool('ipacaaclallusers', attribute=True, autofill=False, cli_name='allusers', multivalue=False, required=False) +option: Str('ipacaaclcaref', attribute=True, autofill=False, cli_name='ca_ref', multivalue=True, required=False) +option: Str('ipacaaclprofileid', attribute=True, autofill=False, cli_name='profile_id', multivalue=True, required=False) +option: Bool('ipaenabledflag', attribute=True, autofill=False, cli_name='ipaenabledflag', multivalue=False, required=False) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Flag('rights', autofill=True, default=False) +option: Str('setattr*', cli_name='setattr', exclude='webui') +option: Str('version?', exclude='webui') +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) +command: caacl_remove_host +args: 1,6,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('host*', alwaysask=True, cli_name='hosts', csv=True) +option: Str('hostgroup*', alwaysask=True, cli_name='hostgroups', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: caacl_remove_service +args: 1,5,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) 
+option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('service*', alwaysask=True, cli_name='services', csv=True) +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: caacl_remove_user +args: 1,6,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('group*', alwaysask=True, cli_name='groups', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('user*', alwaysask=True, cli_name='users', csv=True) +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: caacl_show +args: 1,5,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Flag('rights', autofill=True, default=False) +option: Str('version?', exclude='webui') +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) command: cert_find args: 0,17,4 
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') diff --git a/install/share/60certificate-profiles.ldif b/install/share/60certificate-profiles.ldif index f1281949e53386e5bfe8b35e0c15858c693c5467..d8f008c5baed4e0021944bcbaa7256aa250e5c23 100644 --- a/install/share/60certificate-profiles.ldif +++ b/install/share/60certificate-profiles.ldif 
@@ -1,3 +1,11 @@ dn: cn=schema attributeTypes: (2.16.840.1.113730.3.8.21.1.1 NAME 'ipaCertProfileStoreIssued' DESC 'Store certificates issued using this profile' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.2' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.2 NAME 'ipaCaAclCaRef' DESC 'Certificate Authority Reference' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 X-ORIGIN 'IPA v4.2' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.3 NAME 'ipaCaAclProfileId' DESC 'Certificate Profile ID' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 X-ORIGIN 'IPA v4.2' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.4 NAME 'ipaCaAclAllCAs' DESC 'Allow use of all CAs' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.2' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.5 NAME 'ipaCaAclAllProfiles' DESC 'Allow ues of all profiles' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.2' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.6 NAME 'ipaCaAclAllUsers' DESC 'Allow all users' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.2' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.7 NAME 'ipaCaAclAllHosts' DESC 'Allow all hosts' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.2' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.8 NAME 'ipaCaAclAllServices' DESC 'Allow all services' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.2' ) objectClasses: (2.16.840.1.113730.3.8.21.2.1 NAME 'ipaCertProfile' SUP top STRUCTURAL MUST ( cn $ description $ ipaCertProfileStoreIssued ) X-ORIGIN 'IPA v4.2' ) +objectClasses: (2.16.840.1.113730.3.8.21.2.2 NAME 'ipaCaAcl' SUP ipaAssociation STRUCTURAL MUST cn MAY ( ipaCaAclCaRef $ ipaCaAclProfileId $ ipaCaAclAllCAs $ ipaCaAclAllProfiles $ ipaCaAclAllUsers $ ipaCaAclAllHosts $ ipaCaAclAllServices $ 
memberService ) X-ORIGIN 'IPA v4.2' ) diff --git a/install/share/Makefile.am b/install/share/Makefile.am index 31f391be25c58b76cc71971852074d80c5514745..e97a89ca93f7f188e06dc982bd69e251f8082df3 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -29,6 +29,7 @@ app_DATA = \ bootstrap-template.ldif \ caJarSigningCert.cfg.template \ default-aci.ldif \ + default-caacl.ldif \ default-hbac.ldif \ default-smb-group.ldif \ default-trust-view.ldif \ diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif index c5d4bad8b80640881f4631e4873a12c82b0ea48a..2387f220fd4fe6e3ccd59f4b592f2473d7acfa44 100644 --- a/install/share/bootstrap-template.ldif +++ b/install/share/bootstrap-template.ldif @@ -441,3 +441,9 @@ changetype: add objectClass: nsContainer objectClass: top cn: certprofiles + +dn: cn=caacls,cn=ca,$SUFFIX +changetype: add +objectClass: nsContainer +objectClass: top +cn: caacls diff --git a/install/share/default-caacl.ldif b/install/share/default-caacl.ldif new file mode 100644 index 0000000000000000000000000000000000000000..b902c2f84a6898ae51e8123956496d64b6356d3e --- /dev/null +++ b/install/share/default-caacl.ldif @@ -0,0 +1,12 @@ +# default CA ACL that grants use of caIPAserviceCert on top-level CA to all hosts and services +dn: ipauniqueid=autogenerate,cn=caacls,cn=ca,$SUFFIX +changetype: add +objectclass: ipaassociation +objectclass: ipacaacl +ipauniqueid: autogenerate +cn: hosts_services_caIPAserviceCert +ipaenabledflag: TRUE +ipacaaclcaref: . +ipacaaclprofileid: caIPAserviceCert +ipacaaclallhosts: TRUE +ipacaaclallservices: TRUE diff --git a/install/updates/41-caacl.update b/install/updates/41-caacl.update new file mode 100644 index 0000000000000000000000000000000000000000..a18b6ec946855c194077d9ac01a8adcfddf8542e --- /dev/null +++ b/install/updates/41-caacl.update @@ -0,0 +1,4 @@ +dn: cn=caacls,cn=ca,$SUFFIX +default: objectClass: nsContainer +default: objectClass: top +default: cn: caacls 
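Review bot: in the 60certificate-profiles.ldif hunk the DESC of `ipaCaAclAllProfiles` reads 'Allow ues of all profiles'; it should be 'use'. Schema text is awkward to correct once it has shipped in a release, so fix it before merge.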
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am index fc6bd624eac619cdddeba29b85440571d85fd69f..eddf4d850ed4b47d5526dc152149fa21b14779d4 100644 --- a/install/updates/Makefile.am +++ b/install/updates/Makefile.am @@ -35,6 +35,7 @@ app_DATA = \ 40-certprofile.update \ 40-otp.update \ 40-vault.update \ + 41-caacl.update \ 45-roles.update \ 50-7_bit_check.update \ 50-dogtag10-migration.update \ diff --git a/ipalib/constants.py b/ipalib/constants.py index 96396a236b8694b3dd988dfe28c1b0c3cc9e3180..9812f843e1e4ced9244f3efd6a9bb6f4c2769655 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -119,6 +119,7 @@ DEFAULT_CONFIG = ( ('container_views', DN(('cn', 'views'), ('cn', 'accounts'))), ('container_masters', DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'))), ('container_certprofile', DN(('cn', 'certprofiles'), ('cn', 'ca'))), + ('container_caacl', DN(('cn', 'caacls'), ('cn', 'ca'))), # Ports, hosts, and URIs: ('xmlrpc_uri', 'http://localhost:8888/ipa/xml'), diff --git a/ipalib/plugins/caacl.py b/ipalib/plugins/caacl.py new file mode 100644 index 0000000000000000000000000000000000000000..84dc6d3c4db5f46d76bed560023b7cb63c5513b1 --- /dev/null +++ b/ipalib/plugins/caacl.py 
@@ -0,0 +1,343 @@ +# +# Copyright (C) 2015 FreeIPA Contributors see COPYING for license +# + +from ipalib import api, errors, output +from ipalib import Bool, Str +from ipalib.plugable import Registry +from ipalib.plugins.baseldap import ( + LDAPObject, LDAPSearch, LDAPCreate, LDAPDelete, LDAPQuery, + LDAPUpdate, LDAPRetrieve, LDAPAddMember, LDAPRemoveMember, + pkey_to_value) +from ipalib.plugins.certprofile import validate_profile_id +from ipalib import _, ngettext +from ipapython.dn import DN + + +__doc__ = _(""" +Manage CA ACL rules. + +This plugin is used to define rules governing which principals are +permitted to have certificates issued using a given certificate +profile. + +PROFILE ID SYNTAX: + +A Profile ID is a string without spaces or punctuation starting with a letter +and followed by a sequence of letters, digits or underscore ("_"). + +EXAMPLES: + + Create a CA ACL "test" that grants all users access to the + "UserCert" profile: + ipa caacl-add test --profile-id=UserCert --allusers=1 + + Display the properties of a named CA ACL: + ipa caacl-show test + + Create a CA ACL to let user "alice" use the "DNP3" profile: + ipa caacl-add john_dnp3 --profile-id=DNP3 + ipa caacl-add-user --user=alice + + Disable a CA ACL: + ipa caacl-disable test + + Remove a CA ACL: + ipa caacl-del test +""") + +register = Registry() + + + at register() +class caacl(LDAPObject): + """ + CA ACL object. 
+ """ + container_dn = api.env.container_caacl + object_name = _('CA ACL') + object_name_plural = _('CA ACLs') + object_class = ['ipaassociation', 'ipacaacl'] + permission_filter_objectclasses = ['ipacaacl'] + default_attributes = [ + 'cn', 'description', 'ipaenabledflag', + 'ipacaaclprofileid', 'ipacaaclcaref', + 'ipacaaclallcas', 'ipacaaclallprofiles', + 'ipacaaclallusers', 'ipacaaclallhosts', 'ipacaaclallservices', + 'memberuser', 'memberhost', 'memberservice', 'memberhostgroup', + ] + uuid_attribute = 'ipauniqueid' + rdn_attribute = 'ipauniqueid' + attribute_members = { + 'memberuser': ['user', 'group'], + 'memberhost': ['host', 'hostgroup'], + 'memberservice': ['service'], + } + managed_permissions = { + 'System: Read CA ACLs': { + 'replaces_global_anonymous_aci': True, + 'ipapermbindruletype': 'all', + 'ipapermright': {'read', 'search', 'compare'}, + 'ipapermdefaultattr': { + 'cn', 'description', 'ipaenabledflag', + 'ipacaaclprofileid', 'ipacaaclcaref', + 'ipacaaclallcas', 'ipacaaclallprofiles', + 'ipacaaclallusers', 'ipacaaclallhosts', 'ipacaaclallservices', + 'ipauniqueid', 'memberhost', 'memberservice', 'memberuser', + 'objectclass', 'member', + }, + }, + 'System: Add CA ACL': { + 'ipapermright': {'add'}, + 'replaces': [ + '(target = "ldap:///ipauniqueid=*,cn=caacls,cn=ca,$SUFFIX")(version 3.0;acl "permission:Add CA ACL";allow (add) groupdn = "ldap:///cn=Add CA ACL,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + 'System: Delete CA ACL': { + 'ipapermright': {'delete'}, + 'replaces': [ + '(target = "ldap:///ipauniqueid=*,cn=caacls,cn=ca,$SUFFIX")(version 3.0;acl "permission:Delete CA ACL";allow (delete) groupdn = "ldap:///cn=Delete CA ACL,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + 'System: Manage CA ACL Membership': { + 'ipapermright': {'write'}, + 'ipapermdefaultattr': { + 'memberhost', 'memberservice', 'memberuser', + 'ipacaaclallusers', 'ipacaaclallhosts', 
'ipacaaclallservices', + }, + 'replaces': [ + '(targetattr = "memberuser || memberservice || memberhost || ipacaaclallusers || ipacaaclallhosts || ipacaaclallservices")(target = "ldap:///ipauniqueid=*,cn=caacls,cn=ca,$SUFFIX")(version 3.0;acl "permission:Manage CA ACL membership";allow (write) groupdn = "ldap:///cn=Manage CA ACL membership,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + 'System: Modify CA ACL': { + 'ipapermright': {'write'}, + 'ipapermdefaultattr': { + 'cn', 'description', 'ipaenabledflag', + 'ipacaaclallcas', 'ipacaaclallprofiles', + 'ipacaaclprofileid', 'ipacaaclcaref', + }, + 'replaces': [ + '(targetattr = "cn || description || ipaenabledflag || ipacaaclprofileid || ipacaaclcaref || ipacaaclallcas || ipacaaclallprofiles")(target = "ldap:///ipauniqueid=*,cn=caacls,cn=ca,$SUFFIX")(version 3.0;acl "permission:Modify CA ACL";allow (write) groupdn = "ldap:///cn=Modify CA ACL,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + } + + label = _('CA ACLs') + label_singular = _('CA ACL') + + takes_params = ( + Str('cn', + cli_name='name', + label=_('ACL name'), + primary_key=True, + ), + Str('description?', + cli_name='desc', + label=_('Description'), + ), + Bool('ipaenabledflag?', + label=_('Enabled'), + flags=['no_option'], + ), + Str('ipacaaclprofileid*', validate_profile_id, + cli_name='profile_id', + label=_('Profile ID'), + ), + Str('ipacaaclcaref*', # validate sub-CA handle syntax + cli_name='ca_ref', + label=_('CA Reference'), + flags=['no_option', 'no_output'], # until sub-CAs are implemented + ), + Bool('ipacaaclallcas?', + cli_name='allcas', + label=_('Allow use of all CAs'), + flags=['no_option', 'no_output'], # until sub-CAs are implemented + ), + Bool('ipacaaclallprofiles?', + cli_name='allprofiles', + label=_('Allow use of all profiles'), + ), + Bool('ipacaaclallusers?', + cli_name='allusers', + label=_('Allow all users'), + ), + 
Bool('ipacaaclallhosts?', + cli_name='allhosts', + label=_('Allow all hosts'), + ), + Bool('ipacaaclallservices?', + cli_name='allservices', + label=_('Allow all services'), + ), + Str('memberuser_user?', + label=_('Users'), + flags=['no_create', 'no_update', 'no_search'], + ), + Str('memberuser_group?', + label=_('User Groups'), + flags=['no_create', 'no_update', 'no_search'], + ), + Str('memberhost_host?', + label=_('Hosts'), + flags=['no_create', 'no_update', 'no_search'], + ), + Str('memberhost_hostgroup?', + label=_('Host Groups'), + flags=['no_create', 'no_update', 'no_search'], + ), + Str('memberservice_service?', + label=_('Services'), + flags=['no_create', 'no_update', 'no_search'], + ), + ) + + + at register() +class caacl_add(LDAPCreate): + __doc__ = _('Create a new CA ACL.') + + msg_summary = _('Added CA ACL "%(value)s"') + + def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + # CA ACLs are enabled by default + entry_attrs['ipaenabledflag'] = ['TRUE'] + entry_attrs['ipacaaclcaref'] = ['.'] + return dn + + + at register() +class caacl_del(LDAPDelete): + __doc__ = _('Delete a CA ACL.') + + msg_summary = _('Deleted CA ACL "%(value)s"') + + + at register() +class caacl_mod(LDAPUpdate): + __doc__ = _('Modify a CA ACL.') + + msg_summary = _('Modified CA ACL "%(value)s"') + + + at register() +class caacl_find(LDAPSearch): + __doc__ = _('Search for CA ACLs.') + + msg_summary = ngettext( + '%(count)d CA ACL matched', '%(count)d CA ACLs matched', 0 + ) + + + at register() +class caacl_show(LDAPRetrieve): + __doc__ = _('Display the properties of a CA ACL.') + + + at register() +class caacl_enable(LDAPQuery): + __doc__ = _('Enable a CA ACL.') + + msg_summary = _('Enabled CA ACL "%(value)s"') + has_output = output.standard_value + + def execute(self, cn, **options): + ldap = self.obj.backend + + dn = self.obj.get_dn(cn) + try: + entry_attrs = ldap.get_entry(dn, ['ipaenabledflag']) + except errors.NotFound: + self.obj.handle_not_found(cn) + 
+ entry_attrs['ipaenabledflag'] = ['TRUE'] + + try: + ldap.update_entry(entry_attrs) + except errors.EmptyModlist: + pass + + return dict( + result=True, + value=pkey_to_value(cn, options), + ) + + + at register() +class caacl_disable(LDAPQuery): + __doc__ = _('Disable a CA ACL.') + + msg_summary = _('Disabled CA ACL "%(value)s"') + has_output = output.standard_value + + def execute(self, cn, **options): + ldap = self.obj.backend + + dn = self.obj.get_dn(cn) + try: + entry_attrs = ldap.get_entry(dn, ['ipaenabledflag']) + except errors.NotFound: + self.obj.handle_not_found(cn) + + entry_attrs['ipaenabledflag'] = ['FALSE'] + + try: + ldap.update_entry(entry_attrs) + except errors.EmptyModlist: + pass + + return dict( + result=True, + value=pkey_to_value(cn, options), + ) + + + at register() +class caacl_add_user(LDAPAddMember): + __doc__ = _('Add users and groups to a CA ACL.') + + member_attributes = ['memberuser'] + member_count_out = ('%i object added.', '%i objects added.') + + + at register() +class caacl_remove_user(LDAPRemoveMember): + __doc__ = _('Remove users and groups from a CA ACL.') + + member_attributes = ['memberuser'] + member_count_out = ('%i object removed.', '%i objects removed.') + + + at register() +class caacl_add_host(LDAPAddMember): + __doc__ = _('Add target hosts and hostgroups to a CA ACL.') + + member_attributes = ['memberhost'] + member_count_out = ('%i object added.', '%i objects added.') + + + at register() +class caacl_remove_host(LDAPRemoveMember): + __doc__ = _('Remove target hosts and hostgroups from a CA ACL.') + + member_attributes = ['memberhost'] + member_count_out = ('%i object removed.', '%i objects removed.') + + + at register() +class caacl_add_service(LDAPAddMember): + __doc__ = _('Add services to a CA ACL.') + + member_attributes = ['memberservice'] + member_count_out = ('%i object added.', '%i objects added.') + + + at register() +class caacl_remove_service(LDAPRemoveMember): + __doc__ = _('Remove service and service 
groups from a CA ACL.') + + member_attributes = ['memberservice'] + member_count_out = ('%i object removed.', '%i objects removed.') diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 2acab13f247ed18a750f0e1cbbd98f4e63718c03..9f24189b6e442e0c55d5de41d15a03f89ecc9578 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -307,6 +307,7 @@ class DsInstance(service.Service): self.step("adding range check plugin", self.__add_range_check_plugin) if hbac_allow: self.step("creating default HBAC rule allow_all", self.add_hbac) + self.step("creating default CA ACL rule", self.add_caacl) self.step("adding entries for topology management", self.__add_topology_entries) self.__common_post_setup() @@ -741,6 +742,9 @@ class DsInstance(service.Service): def add_hbac(self): self._ldap_mod("default-hbac.ldif", self.sub_dict) + def add_caacl(self): + self._ldap_mod("default-caacl.ldif", self.sub_dict) + def change_admin_password(self, password): root_logger.debug("Changing admin password") dirname = config_dirname(self.serverid) -- 2.1.0 -------------- next part -------------- From 2df3134f88602fe24ccd12dc81c0307cc20b70ad Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 26 May 2015 04:44:20 -0400 Subject: [PATCH 13/13] Enforce CA ACLs in cert-request command This commit adds CA ACL enforcement to the cert-request command and uses the pyhbac machinery. It is planned to implement ACL enforcement in Dogtag in a future release, and remove certificate issuance privileges and CA ACL enforcement responsibility from the framework. See https://fedorahosted.org/freeipa/ticket/5011 for more information. Part of: https://fedorahosted.org/freeipa/ticket/57 Part of: https://fedorahosted.org/freeipa/ticket/4559 --- ipalib/plugins/caacl.py | 72 +++++++++++++++++++++++++++++++++++++++++++++++++ ipalib/plugins/cert.py | 17 ++++++++++++ 2 files changed, 89 insertions(+) 
diff --git a/ipalib/plugins/caacl.py b/ipalib/plugins/caacl.py index 84dc6d3c4db5f46d76bed560023b7cb63c5513b1..c09df863847f0e2b0e029b5c7f82d978a7e159bf 100644 --- a/ipalib/plugins/caacl.py +++ b/ipalib/plugins/caacl.py @@ -2,6 +2,8 @@ # Copyright (C) 2015 FreeIPA Contributors see COPYING for license # +import pyhbac + from ipalib import api, errors, output from ipalib import Bool, Str from ipalib.plugable import Registry @@ -10,6 +12,7 @@ from ipalib.plugins.baseldap import ( LDAPUpdate, LDAPRetrieve, LDAPAddMember, LDAPRemoveMember, pkey_to_value) from ipalib.plugins.certprofile import validate_profile_id +from ipalib.plugins.service import normalize_principal from ipalib import _, ngettext from ipapython.dn import DN 
@@ -49,6 +52,75 @@ EXAMPLES: register = Registry() +def _acl_make_request(principal_type, principal, ca_ref, profile_id): + """Construct HBAC request for the given principal, CA and profile""" + req = pyhbac.HbacRequest() + req.targethost.name = ca_ref + req.service.name = profile_id + if principal_type == 'user': + req.user.name = principal + elif principal_type == 'host': + req.user.name = principal[:5] # strip 'host/' + elif principal_type == 'service': + req.user.name = normalize_principal(principal) + groups = [] + if principal_type == 'user': + user_obj = api.Command.user_show(principal)['result'] + groups = user_obj.get('memberof_group', []) + groups += user_obj.get('memberofindirect_group', []) + elif principal_type == 'host': + hostname = principal[5:] + host_obj = api.Command.host_show(hostname)['result'] + groups = host_obj.get('memberof_hostgroup', []) + groups += host_obj.get('memberofindirect_hostgroup', []) + req.user.groups = sorted(set(groups)) + return req + + +def _acl_make_rule(principal_type, obj): + """Turn CA ACL object into HBAC rule. 
+ + ``principal_type`` + String in {'user', 'host', 'service'} + """ + rule = pyhbac.HbacRule(obj['cn'][0]) + rule.enabled = obj['ipaenabledflag'][0] + rule.srchosts.category = {pyhbac.HBAC_CATEGORY_ALL} + + # add CA(s) + if 'ipacaaclallcas' in obj and obj['ipacaaclallcas'][0] == 'TRUE': + rule.targethosts.category = {pyhbac.HBAC_CATEGORY_ALL} + else: + rule.targethosts.names = obj.get('ipacaaclcaref', []) + + # add profiles + if 'ipacaaclallprofiles' in obj and obj['ipacaaclallprofiles'][0] == 'TRUE': + rule.services.category = {pyhbac.HBAC_CATEGORY_ALL} + else: + rule.services.names = obj.get('ipacaaclprofileid', []) + + # add principals and principal's groups + m = {'user': 'group', 'host': 'hostgroup', 'service': None} + all_principals_attr = 'ipacaaclall{}s'.format(principal_type) + if all_principals_attr in obj and obj[all_principals_attr][0] == 'TRUE': + rule.users.category = {pyhbac.HBAC_CATEGORY_ALL} + else: + principal_attr = 'member{}_{}'.format(principal_type, principal_type) + rule.users.names = obj.get(principal_attr, []) + if m[principal_type] is not None: + group_attr = 'member{}_{}'.format(principal_type, m[principal_type]) + rule.users.groups = obj.get(group_attr, []) + + return rule + + +def acl_evaluate(principal_type, principal, ca_ref, profile_id): + req = _acl_make_request(principal_type, principal, ca_ref, profile_id) + acls = api.Command.caacl_find()['result'] + rules = [_acl_make_rule(principal_type, obj) for obj in acls] + return req.evaluate(rules) == pyhbac.HBAC_EVAL_ALLOW + + @register() class caacl(LDAPObject): """ diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py index 34621b552d3e527c2dd0fee46e240542179227f9..70ae610b6e9ec724837ddc516ad990ed08af9e0e 100644 --- a/ipalib/plugins/cert.py +++ b/ipalib/plugins/cert.py 
@@ -33,6 +33,7 @@ from ipalib.plugins.virtual import * from ipalib.plugins.baseldap import pkey_to_value from ipalib.plugins.service import split_any_principal from ipalib.plugins.certprofile import validate_profile_id +import ipalib.plugins.caacl import base64 import traceback from ipalib.text import _ @@ -326,6 +327,22 @@ class cert_request(VirtualCommand): else: principal_type = SERVICE + principal_type_map = {USER: 'user', HOST: 'host', SERVICE: 'service'} + ca = '.' # top-level CA hardcoded until subca plugin implemented + if not ipalib.plugins.caacl.acl_evaluate( + principal_type_map[principal_type], + principal_string, ca, profile_id): + raise errors.ACIError(info=_( + "Principal '%(principal)s' " + "is not permitted to use CA '%(ca)s' " + "with profile '%(profile_id)s' for certificate issuance." + ) % dict( + principal=principal_string, + ca=ca or '.', + profile_id=profile_id + ) + ) + bind_principal = split_any_principal(getattr(context, 'principal')) bind_service, bind_name, bind_realm = bind_principal -- 2.1.0 From lkrispen at redhat.com Tue Jun 2 12:20:42 2015 
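Review bot: in the caacl.py hunk of the preceding CA ACL plugin patch, the `caacl_remove_service` docstring says 'Remove service and service groups from a CA ACL.' but there is no service-group member type: `attribute_members` maps `memberservice` to `['service']` only, and the paired `caacl_add_service` says just 'Add services to a CA ACL.'; change the docstring to 'Remove services from a CA ACL.' so the generated CLI help does not advertise a member type the command cannot handle.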
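Review bot: in the dsinstance.py hunk of the CA ACL plugin patch it is not clear from the hunk whether the new `self.step("creating default CA ACL rule", self.add_caacl)` sits inside the `if hbac_allow:` block that precedes it or at the same level as the following 'adding entries for topology management' step; it must be at the outer level, because whether the installer wants the default allow_all HBAC rule says nothing about whether the default CA ACL should exist, and an installation with `hbac_allow` off would otherwise have no CA ACL at all and every cert-request would be denied once enforcement lands.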
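Review bot: `req.user.name = principal[:5]  # strip 'host/'` in `_acl_make_request` does the opposite of its comment: it keeps the five-character `host/` prefix and discards the hostname, while `hostname = principal[5:]` a few lines below gets it right, so no host principal can ever match a `memberhost_host` value and every host cert-request is denied (fails closed, but still wrong); use `principal[5:]` in both places. Three more points in the same hunk. First, `rule.enabled = obj['ipaenabledflag'][0]` stores the string `'TRUE'` or `'FALSE'` that `caacl_enable`/`caacl_disable` write, and a non-empty string is truthy, so a disabled ACL is still evaluated as enabled; compare with `== 'TRUE'` the way the `ipacaaclallcas` and `ipacaaclallprofiles` checks in the same function already do. Second, for `principal_type == 'user'` the raw `principal` string is used both as `req.user.name` and as the `user_show` key, while `rule.users.names` is filled from `memberuser_user`, which holds plain uids; confirm that the `principal_string` passed from cert.py carries no realm suffix for users, otherwise user requests never match. Third, `acl_evaluate` calls `api.Command.caacl_find()` with the default search limits; a truncated result silently changes authorization decisions, so pass `sizelimit=0` or treat a truncated search as a denial.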
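Review bot: the deny path in the cert.py hunk raises `errors.ACIError` without logging anything, yet a rejected issuance attempt is exactly the event an operator wants in the audit trail; log the principal, CA and profile at warning level before raising. Also, `ca or '.'` in the message is redundant because `ca` is hard-coded to `'.'` two lines above, and that literal must stay consistent with the `ipacaaclcaref = ['.']` default that `caacl_add` writes in the previous patch: define the top-level CA reference once (for example a module-level constant in caacl.py) and use it in both places, otherwise the first sub-CA change silently denies every request.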
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Tue, 02 Jun 2015 14:20:42 +0200
Subject: [Freeipa-devel] [PATCH 0010] KeyError raised upon replica installation
In-Reply-To: <556D80E5.6050802@redhat.com>
References: <556D80E5.6050802@redhat.com>
Message-ID: <556D9F9A.1060802@redhat.com>

On 06/02/2015 12:09 PM, Oleg Fayans wrote:
> Hi all,
>
> The following error was caught during replica installation (I used all
> the latest patches from Ludwig and Martin Basti):
>
> root at localhost:/home/ofayans/rpms]$ ipa-replica-install --setup-ca
> --setup-dns --forwarder 10.38.5.26
> /var/lib/ipa/replica-info-replica1.zaeba.li.gpg

the topology plugin needs a replica binddngroup to be able to setup
agreements without having to modify cn=config. If the replica is
installed from an older version, this group doesn't exist and adding
members to it fails.
The attached patch should handle this

> Directory Manager (existing master) password:
>
> Existing BIND configuration detected, overwrite? [no]: yes
> Adding [192.168.122.210 replica1.zaeba.li] to your /etc/hosts file
> Checking forwarders, please wait ...
> Using reverse zone(s) 122.168.192.in-addr.arpa.
> Run connection check to master
> Check connection from replica to remote master 'upgrademaster.zaeba.li':
> Directory Service: Unsecure port (389): OK
> Directory Service: Secure port (636): OK
> Kerberos KDC: TCP (88): OK
> Kerberos Kpasswd: TCP (464): OK
> HTTP Server: Unsecure port (80): OK
> HTTP Server: Secure port (443): OK
>
> The following list of ports use UDP protocol and would need to be
> checked manually:
> Kerberos KDC: UDP (88): SKIPPED
> Kerberos Kpasswd: UDP (464): SKIPPED
>
> Connection from replica to master is OK.
> Start listening on required ports for remote master check
> Get credentials to log in to remote master
> admin at ZAEBA.LI password:
>
> Check SSH connection to remote master
> Execute check on remote master
> Check connection from master to remote replica 'replica1.zaeba.li':
> Directory Service: Unsecure port (389): OK
> Directory Service: Secure port (636): OK
> Kerberos KDC: TCP (88): OK
> Kerberos KDC: UDP (88): OK
> Kerberos Kpasswd: TCP (464): OK
> Kerberos Kpasswd: UDP (464): OK
> HTTP Server: Unsecure port (80): OK
> HTTP Server: Secure port (443): OK
>
> Connection from master to replica is OK.
>
> Connection check OK
> Configuring NTP daemon (ntpd)
> [1/4]: stopping ntpd
> [2/4]: writing configuration
> [3/4]: configuring ntpd to start on boot
> [4/4]: starting ntpd
> Done configuring NTP daemon (ntpd).
> Configuring directory server (dirsrv): Estimated time 1 minute
> [1/37]: creating directory server user
> [2/37]: creating directory server instance
> [3/37]: adding default schema
> [4/37]: enabling memberof plugin
> [5/37]: enabling winsync plugin
> [6/37]: configuring replication version plugin
> [7/37]: enabling IPA enrollment plugin
> [8/37]: enabling ldapi
> [9/37]: configuring uniqueness plugin
> [10/37]: configuring uuid plugin
> [11/37]: configuring modrdn plugin
> [12/37]: configuring DNS plugin
> [13/37]: enabling entryUSN plugin
> [14/37]: configuring lockout plugin
> [15/37]: configuring topology plugin
> [16/37]: creating indices
> [17/37]: enabling referential integrity plugin
> [18/37]: configuring ssl for ds instance
> [19/37]: configuring certmap.conf
> [20/37]: configure autobind for root
> [21/37]: configure new location for managed entries
> [22/37]: configure dirsrv ccache
> [23/37]: enable SASL mapping fallback
> [24/37]: restarting directory server
> [25/37]: setting up initial replication
> Starting replication, please wait until this has completed.
> Update in progress, 7 seconds elapsed
> Update succeeded
>
> [26/37]: updating schema
> [27/37]: setting Auto Member configuration
> [28/37]: enabling S4U2Proxy delegation
> [29/37]: importing CA certificates from LDAP
> [30/37]: initializing group membership
> [31/37]: adding master entry
> ipa : CRITICAL Failed to load master-entry.ldif: Command
> ''/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmpFlM3mD' '-H'
> 'ldap://replica1.zaeba.li:389' '-x' '-D' 'cn=Directory Manager' '-y'
> '/tmp/tmpk_R0Lm'' returned non-zero exit status 68
> [32/37]: initializing domain level
> [33/37]: configuring Posix uid/gid generation
> [34/37]: adding replication acis
> [35/37]: enabling compatibility plugin
> [36/37]: tuning directory server
> [37/37]: configuring directory to start on boot
> Done configuring directory server (dirsrv).
> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes
> 30 seconds
> [1/21]: creating certificate server user
> [2/21]: configuring certificate server instance
> [3/21]: stopping certificate server instance to update CS.cfg
> [4/21]: backing up CS.cfg
> [5/21]: disabling nonces
> [6/21]: set up CRL publishing
> [7/21]: enable PKIX certificate path discovery and validation
> [8/21]: starting certificate server instance
> [9/21]: creating RA agent certificate database
> [10/21]: importing CA chain to RA certificate database
> [11/21]: fixing RA database permissions
> [12/21]: setting up signing cert profile
> [13/21]: set certificate subject base
> [14/21]: enabling Subject Key Identifier
> [15/21]: enabling Subject Alternative Name
> [16/21]: enabling CRL and OCSP extensions for certificates
> [17/21]: setting audit signing renewal to 2 years
> [18/21]: configure certmonger for renewals
> [19/21]: configure certificate renewals
> [20/21]: configure Server-Cert certificate renewal
> [21/21]: Configure HTTP to proxy connections
> Done configuring certificate server (pki-tomcatd).
> Restarting the directory and certificate servers
> Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
> [1/8]: adding sasl mappings to the directory
> [2/8]: configuring KDC
> [3/8]: creating a keytab for the directory
> [4/8]: creating a keytab for the machine
> [5/8]: adding the password extension to the directory
> [6/8]: enable GSSAPI for replication
> [error] NO_SUCH_OBJECT: {'desc': 'No such object'}
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> Traceback (most recent call last):
> File "/sbin/ipa-replica-install", line 162, in
> fail_message=fail_message)
> File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
> line 760, in run_script
> message, exitcode = handle_error(error, log_file_name)
> File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
> line 799, in handle_error
> type(error).__name__, error.args[0]['info']), 1
> KeyError: 'info'
>
> It needs to be noted, that the replica file was prepared on the master
> running standard 4.1.2 freeipa-server.
>
> The log is attached
>

-------------- next part --------------
An HTML attachment was scrubbed...
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-lkrispen-0010-accept-missing-binddn-group.patch
Type: text/x-patch
Size: 1175 bytes
Desc: not available

From: mbabinsk at redhat.com (Martin Babinsky)
Date: Tue, 02 Jun 2015 14:19:53 +0200
Subject: [Freeipa-devel] [PATCH 0329] ipa-replica-manage: Do not allow topology altering commands
In-Reply-To: <556D9D3B.3040901@redhat.com>
References: <556D9D3B.3040901@redhat.com>
Message-ID: <556D9F69.6040004@redhat.com>

On 06/02/2015 02:10 PM, Tomas Babej wrote:
> Hi,
>
> With Domain Level 1 and above, the usage of ipa-replica-manage commands
> that alter the replica topology is deprecated. Following commands
> are prohibited:
>
> * connect
> * disconnect
> * del
>
> Upon executing any of these commands, users are pointed out to the
> ipa topologysegment-* replacements.
>
> Part of: https://fedorahosted.org/freeipa/ticket/4302
>

Works for me, ACK.

--
Martin^3 Babinsky

From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Tue, 02 Jun 2015 14:24:30 +0200
Subject: [Freeipa-devel] [PATCH 0329] ipa-replica-manage: Do not allow topology altering commands
In-Reply-To: <556D9D3B.3040901@redhat.com>
References: <556D9D3B.3040901@redhat.com>
Message-ID: <556DA07E.7030300@redhat.com>

hi,

is there a real replacement for "del"? It is not in the scope of the
topology commands: the removal of the agreement is rejected and later
done by the plugin, but what about removal of the host, services,
cleanruv?

Ludwig

On 06/02/2015 02:10 PM, Tomas Babej wrote:
> Hi,
>
> With Domain Level 1 and above, the usage of ipa-replica-manage commands
> that alter the replica topology is deprecated. Following commands
> are prohibited:
>
> * connect
> * disconnect
> * del
>
> Upon executing any of these commands, users are pointed out to the
> ipa topologysegment-* replacements.
>
> Part of: https://fedorahosted.org/freeipa/ticket/4302
>

-------------- next part --------------
An HTML attachment was scrubbed...

From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 02 Jun 2015 14:23:08 +0200
Subject: [Freeipa-devel] [PATCH 0329] ipa-replica-manage: Do not allow topology altering commands
In-Reply-To: <556D9F69.6040004@redhat.com>
References: <556D9D3B.3040901@redhat.com> <556D9F69.6040004@redhat.com>
Message-ID: <556DA02C.9080007@redhat.com>

On 06/02/2015 02:19 PM, Martin Babinsky wrote:
> On 06/02/2015 02:10 PM, Tomas Babej wrote:
>> Hi,
>>
>> With Domain Level 1 and above, the usage of ipa-replica-manage commands
>> that alter the replica topology is deprecated. Following commands
>> are prohibited:
>>
>> * connect
>> * disconnect
>> * del
>>
>> Upon executing any of these commands, users are pointed out to the
>> ipa topologysegment-* replacements.
>>
>> Part of: https://fedorahosted.org/freeipa/ticket/4302
>>
>>
>>
> Works for me, ACK.
>

Not that fast... connect and disconnect is clear. However, "del" does
more actions than just removing the agreement. It may need to
- check domain level
- if 0, continue doing what it always did
- if 1, call the topology API command
- continue with the cleanup (CLEANALLRUV and friends)

Martin

From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 02 Jun 2015 14:34:57 +0200
Subject: [Freeipa-devel] [PATCH 0377-0382] Synchronize changes from LDAP after reconnect
In-Reply-To: <556D906A.2020707@redhat.com>
References: <5565BDAC.7070806@redhat.com> <1005260903.6114507.1432828693773.JavaMail.zimbra@redhat.com> <556D906A.2020707@redhat.com>
Message-ID: <556DA2F1.6060606@redhat.com>

On 2.6.2015 13:15, Tomas Hozza wrote:
> On 05/28/2015 05:58 PM, Matus Honek wrote:
>> Hi,
>>
>> functionality seems to work fine. I have not checked the code thoroughly.
>> Kind of a test is attached (requires setting named's ldap connection appropriately).
>>
>> ACK
>>
>> Matúš Honěk
>>
>>
>> ----- Original Message -----
>> From: "Petr Spacek"
>> To: thozza at redhat.com, "Matus Honek"
>> Cc: freeipa-devel at redhat.com
>> Sent: Wednesday, May 27, 2015 2:50:52 PM
>> Subject: [PATCH 0377-0382] Synchronize changes from LDAP after reconnect
>>
>> Hello,
>>
>> https://fedorahosted.org/bind-dyndb-ldap/ticket/128
>>
>> Previously records deleted when connection to LDAP server was down were not
>> synchronized properly. It should work now.
>>
>> I use this command to simulate broken connections and connection re-establishment:
>> $ socat tcp-listen:3899,reuseaddr,fork tcp-connect:localhost:389
>>
>> It should be enough to add "ldap://$(hostname):3899" as LDAP URI to
>> /etc/named.conf and then simulate changes by killing and restarting socat.
>>
>> Let me know if you need any assistance!
>>
> Hi.
>
> I did a formal review of the code. Everything looks good.
>
> ACK.

Thank you very much!

Pushed to master:
9b4a6373c868f8858253d5e9bf850e1cbbed2a7f Avoid synchronization state resets.
783b04c87575205388a1277da8b46a781508f4a7 Consolidate synchronization state machine to sync_state_change().
c727f40cae75b9f2e05f2789bade937c90202f11 On reconnect, detect and delete RBT nodes which were removed from LDAP.
77ecee87f551567b94bd26290c734c7feb5ed93f Add iterators for dead nodes in metaLDAP.
b476041bd6a88b88cd1739e61960a666868e1b23 Increment MetaLDAP generation number on reconnect.
57e87e325bbfe60709a53c8d5422339bb5f2b664 Add functions for MetaLDAP generation number manipulation.

We are well on track to 8.0 release :-)

--
Petr^2 Spacek
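The mechanism the pushed commits describe (a generation number that is incremented on reconnect, a full re-read of the directory, then iteration over "dead" nodes to purge records that were deleted while the link was down) can be shown with a small model. This is an added illustration in Python, not bind-dyndb-ldap code; the `MetaCache` and `Node` classes, the `simulate_outage` scenario and the in-memory `remote_state` dict that stands in for a full LDAP search result are all constructed for the example.

```python
"""Generation-number reconciliation after a dropped directory connection.

Added example (not bind-dyndb-ldap code).  The cache mirrors records from a
directory.  While the connection is up it receives incremental add/modify/
delete notifications; while it is down it receives nothing, so it cannot
know which records were deleted meanwhile.  On reconnect it bumps a
generation counter, re-reads the full remote state (stamping every record
it sees with the new generation) and then deletes every cached record that
still carries an older generation: those are exactly the records that
vanished during the outage.
"""


class Node:
    """One cached record; ``generation`` is when it was last seen remotely."""

    def __init__(self, name, data, generation):
        self.name = name
        self.data = data
        self.generation = generation


class MetaCache:
    def __init__(self):
        self.generation = 0
        self.nodes = {}          # name -> Node
        self.connected = True

    # --- events delivered only while the connection is up ----------------
    def on_change(self, name, data):
        """Add or modify notification from the live connection."""
        if not self.connected:
            raise RuntimeError("no notifications arrive while disconnected")
        self.nodes[name] = Node(name, data, self.generation)

    def on_delete(self, name):
        """Delete notification from the live connection."""
        if not self.connected:
            raise RuntimeError("no notifications arrive while disconnected")
        self.nodes.pop(name, None)

    # --- reconnect handling ---------------------------------------------
    def disconnect(self):
        self.connected = False

    def iter_dead_nodes(self):
        """Nodes not seen in the current generation (deleted while down)."""
        for node in self.nodes.values():
            if node.generation < self.generation:
                yield node

    def resync(self, remote_state):
        """Reconnect: bump the generation, re-read everything, purge dead nodes.

        ``remote_state`` is a constructed stand-in for a full LDAP search
        result (dict of name -> data).  Returns the sorted names purged.
        """
        self.connected = True
        self.generation += 1
        for name, data in remote_state.items():
            self.nodes[name] = Node(name, data, self.generation)
        dead = sorted(node.name for node in self.iter_dead_nodes())
        for name in dead:
            del self.nodes[name]
        return dead

    def names(self):
        return sorted(self.nodes)


def simulate_outage():
    """Constructed scenario: one record is deleted and one added remotely
    while the connection is down.  Returns (names purged, cached names)."""
    cache = MetaCache()
    remote = {"a": "1", "b": "2", "c": "3"}     # constructed directory state
    for name, data in remote.items():
        cache.on_change(name, data)

    cache.disconnect()
    del remote["b"]           # deleted while the link is down: no event seen
    remote["d"] = "4"         # added while down: no event seen either

    purged = cache.resync(remote)
    return purged, cache.names()


if __name__ == "__main__":
    print(simulate_outage())   # (['b'], ['a', 'c', 'd'])
```

The generation stamp is what makes the purge safe: a record that is re-read on reconnect is rewritten with the new generation before any deletion happens, so only records absent from the fresh read are ever removed, and a second resync with no changes purges nothing.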
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 02 Jun 2015 15:21:19 +0200
Subject: [Freeipa-devel] [PATCH 424] install: Introduce installer framework ipapython.install
In-Reply-To: <5550956F.9080002@redhat.com>
References: <552FCB4E.4050402@redhat.com> <5531157F.80106@redhat.com> <5534FBB6.3050001@redhat.com> <553513A7.3070704@redhat.com> <554105ED.90204@redhat.com> <5549B079.5020007@redhat.com> <5549B319.2060109@redhat.com> <5550956F.9080002@redhat.com>
Message-ID: <556DADCF.3010305@redhat.com>

Dne 11.5.2015 v 13:41 Jan Cholasta napsal(a):
> Dne 6.5.2015 v 08:22 Jan Cholasta napsal(a):
>> Dne 6.5.2015 v 08:11 Martin Kosek napsal(a):
>>> On 04/29/2015 06:25 PM, Jan Cholasta wrote:
>>>> Dne 20.4.2015 v 16:56 Jan Cholasta napsal(a):
>>>>> Dne 20.4.2015 v 15:14 Martin Basti napsal(a):
>>>>>> On 17/04/15 16:15, Jan Cholasta wrote:
>>>>>>> Dne 16.4.2015 v 16:46 Jan Cholasta napsal(a):
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> the attached patch adds the basics of the new installer framework.
>>>>>>>>
>>>>>>>> As a next step, I plan to convert the install scripts to use the
>>>>>>>> framework with their old code (the old code will be gradually
>>>>>>>> ported to the framework later).
>>>>>>>>
>>>>>>>> (Note I didn't manage to write docstrings today, expect update
>>>>>>>> tomorrow.)
>>>>>>>
>>>>>>> Added some docstrings.
>>>>>>>
>>>>>>> Also updated the patch to reflect little brainstorming David and I
>>>>>>> had this morning.
>>>>>>>
>>>>>>>> Honza
>>>>>>>
>>>>>> Hello, see comments below:
>>>>>>
>>>>>> 1) We started using new shorter License header in files:
>>>>>> #
>>>>>> # Copyright (C) 2015 FreeIPA Contributors see COPYING for license
>>>>>> #
>>>>>
>>>>> OK.
>>>>>
>>>>>> 2) IMO this will not work, NoneType has no 'obj' attribute
>>>>>> + else:
>>>>>> + if isinstance(value, from_):
>>>>>> + value = None
>>>>>> + stack.append(value.obj)
>>>>>> + continue
>>>>>
>>>>> Right.
>>>>>
>>>>>> 3) Multiple inheritance. I do not like it much.
>>>>>> +class CompositeInstaller(Installer, CompositeConfigurator):
>>>>>
>>>>> I guess you are antagonistic to multiple inheritance because of how
>>>>> other languages (like C++) do it. In Python it can be pretty elegant
>>>>> and is basis for e.g. the mixin design pattern.
>>>>>
>>>>>> Installer and CompositeConfigurator inherit from Configurator class,
>>>>>> and all of them implement _generator method.
>>>>>
>>>>> Both of them call super()._generator(), so it's no problem (same for
>>>>> other methods).
>>>>>
>>>>>> If I understand correctly
>>>>>> (https://www.python.org/download/releases/2.3/mro/) the
>>>>>> Installer._generator method will be used in this case.
>>>>>> However in case when CompositeConfigurator has more levels
>>>>>> (respectively it is more specialized) of inheritance, it could take
>>>>>> precedence and its _generator method may be used instead.
>>>>>
>>>>> The order of precedence is defined by the order of base classes in the
>>>>> class definition.
>>>>>
>>>>>> I'm afraid this may suddenly stop working.
>>>>>> Maybe I'm wrong, please fix me.
>>>>>
>>>>> As long as you call the super class, it will work fine.
>>>>>
>>>>>> And Multiple inheritance is not easily readable, this is even a
>>>>>> diamond inheritance model.
>>>>>
>>>>> Cooperative inheritance is used by design and IMHO is easily
>>>>> readable if you know how to read it. Every class defines a single bit
>>>>> of behavior. Without cooperative inheritance, it would have to be
>>>>> hardcoded and/or hacked around, which I wanted to avoid.
>>>>>
>>>>> This blog post explains it nicely:
>>>>> .
>>>>>
>>>> Updated patch attached.
>>>>
>>>> Also attached is patch 425 which migrates ipa-server-install to the
>>>> install framework.
>>>
>>> Good job there. I am just curious, will this framework and new option
>>> processing be friendly to other types of option passing than just via
>>> options?
>>> I mean tickets
>>>
>>> https://fedorahosted.org/freeipa/ticket/4517
>>> https://fedorahosted.org/freeipa/ticket/4468
>>>
>>> Especially 4517 is important, we need to be able to run
>>>
>>> # cat install.conf
>>> ds_password=Secret123
>>> admin_password=Secret456
>>> ip_address=123456
>>> setup_dns=False
>>>
>>> # ipa-server-install --unattended --conf install.conf
>>>
>>> I assume yes, but I am just making sure.
>>
>> Yes, definitely.
>>
>
> Updated patches attached.

Another update, patches attached.

--
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-424.4-install-Introduce-installer-framework-ipapython.inst.patch
Type: text/x-patch
Size: 33444 bytes
Desc: not available
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-425.2-install-Migrate-ipa-server-install-to-the-install-fr.patch
Type: text/x-patch
Size: 33897 bytes
Desc: not available
From: ofayans at redhat.com (Oleg Fayans)
Date: Tue, 02 Jun 2015 15:38:30 +0200
Subject: [Freeipa-devel] [PATCH 0329] ipa-replica-manage: Do not allow topology altering commands
In-Reply-To: <556DA07E.7030300@redhat.com>
References: <556D9D3B.3040901@redhat.com> <556DA07E.7030300@redhat.com>
Message-ID: <556DB1D6.90105@redhat.com>

I agree. Maybe we should think about some wrapper that would call
topologysegment-del command before actually cleaning the services etc.,
upon each `ipa-replica-manage del` rather than prohibiting the usage of
the command at all.

My 2 cents (maybe, too late)

On 06/02/2015 02:24 PM, Ludwig Krispenz wrote:
> hi,
>
> is there a real replacement for "del"? It is not in the scope of the
> topology commands: the removal of the agreement is rejected and later
> done by the plugin, but what about removal of the host, services,
> cleanruv?
>
> Ludwig
> On 06/02/2015 02:10 PM, Tomas Babej wrote:
>> Hi,
>>
>> With Domain Level 1 and above, the usage of ipa-replica-manage commands
>> that alter the replica topology is deprecated. Following commands
>> are prohibited:
>>
>> * connect
>> * disconnect
>> * del
>>
>> Upon executing any of these commands, users are pointed out to the
>> ipa topologysegment-* replacements.
>>
>> Part of: https://fedorahosted.org/freeipa/ticket/4302
>>
>>
>

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
-------------- next part --------------
An HTML attachment was scrubbed...
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 02 Jun 2015 15:50:36 +0200
Subject: [Freeipa-devel] [PATCH 0257] ULC: Fix: Upgrade for stage user admins failed
In-Reply-To: <5562E319.2080000@redhat.com>
References: <555F525E.7000007@redhat.com> <5562E319.2080000@redhat.com>
Message-ID: <556DB4AC.9060106@redhat.com>

Dne 25.5.2015 v 10:53 David Kupka napsal(a):
> On 05/22/2015 05:59 PM, Martin Basti wrote:
>> Patch attached.
>>
>
> Thanks for patch. Works for me, ACK.
>

Pushed to master: 943c5391221fdeb6520e60d2f5b04ce41b085169

--
Jan Cholasta
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 02 Jun 2015 15:53:26 +0200
Subject: [Freeipa-devel] [PATCH 0010] KeyError raised upon replica installation
In-Reply-To: <556D9F9A.1060802@redhat.com>
References: <556D80E5.6050802@redhat.com> <556D9F9A.1060802@redhat.com>
Message-ID: <556DB556.90606@redhat.com>

On 06/02/2015 02:20 PM, Ludwig Krispenz wrote:
>
> On 06/02/2015 12:09 PM, Oleg Fayans wrote:
>> Hi all,
>>
>> The following error was caught during replica installation (I used all
>> the latest patches from Ludwig and Martin Basti):

- except ldap.TYPE_OR_VALUE_EXISTS:
+ except (ldap.TYPE_OR_VALUE_EXISTS, ldap.NO_SUCH_OBJECT):

What happens if all replicas are updated and domain level is raised? I
don't think that the group will be populated. Or will it be? Without it,
topology plugin won't work, right? There should be a moment where all
the DNs are added.

>>
>> root at localhost:/home/ofayans/rpms]$ ipa-replica-install --setup-ca
>> --setup-dns --forwarder 10.38.5.26
>> /var/lib/ipa/replica-info-replica1.zaeba.li.gpg
> the topology plugin needs a replica binddngroup to be able to setup
> agreements without having to modify cn=config. If the replica is
> installed from an older version, this group doesn't exist and adding
> members to it fails.
> The attached patch should handle this
>> Directory Manager (existing master) password:
>>
>> Existing BIND configuration detected, overwrite? [no]: yes
>> Adding [192.168.122.210 replica1.zaeba.li] to your /etc/hosts file
>> Checking forwarders, please wait ...
>> Using reverse zone(s) 122.168.192.in-addr.arpa.
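Review bot: widening the `except` to `(ldap.TYPE_OR_VALUE_EXISTS, ldap.NO_SUCH_OBJECT)` turns a missing replica bind-DN group into a silent no-op, so nothing records that this replica's DN still has to be added once the group exists, which is the gap Petr's question points at; at minimum log a warning naming the group DN at that point, and settle in this thread which later step (the upgrade that raises the domain level is the natural candidate) creates the group and populates it, since the topology plugin depends on that membership.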
>> Run connection check to master >> Check connection from replica to remote master 'upgrademaster.zaeba.li': >> Directory Service: Unsecure port (389): OK >> Directory Service: Secure port (636): OK >> Kerberos KDC: TCP (88): OK >> Kerberos Kpasswd: TCP (464): OK >> HTTP Server: Unsecure port (80): OK >> HTTP Server: Secure port (443): OK >> >> The following list of ports use UDP protocol and would need to be >> checked manually: >> Kerberos KDC: UDP (88): SKIPPED >> Kerberos Kpasswd: UDP (464): SKIPPED >> >> Connection from replica to master is OK. >> Start listening on required ports for remote master check >> Get credentials to log in to remote master >> admin at ZAEBA.LI password: >> >> Check SSH connection to remote master >> Execute check on remote master >> Check connection from master to remote replica 'replica1.zaeba.li': >> Directory Service: Unsecure port (389): OK >> Directory Service: Secure port (636): OK >> Kerberos KDC: TCP (88): OK >> Kerberos KDC: UDP (88): OK >> Kerberos Kpasswd: TCP (464): OK >> Kerberos Kpasswd: UDP (464): OK >> HTTP Server: Unsecure port (80): OK >> HTTP Server: Secure port (443): OK >> >> Connection from master to replica is OK. >> >> Connection check OK >> Configuring NTP daemon (ntpd) >> [1/4]: stopping ntpd >> [2/4]: writing configuration >> [3/4]: configuring ntpd to start on boot >> [4/4]: starting ntpd >> Done configuring NTP daemon (ntpd). 
>> Configuring directory server (dirsrv): Estimated time 1 minute
>>   [1/37]: creating directory server user
>>   [2/37]: creating directory server instance
>>   [3/37]: adding default schema
>>   [4/37]: enabling memberof plugin
>>   [5/37]: enabling winsync plugin
>>   [6/37]: configuring replication version plugin
>>   [7/37]: enabling IPA enrollment plugin
>>   [8/37]: enabling ldapi
>>   [9/37]: configuring uniqueness plugin
>>   [10/37]: configuring uuid plugin
>>   [11/37]: configuring modrdn plugin
>>   [12/37]: configuring DNS plugin
>>   [13/37]: enabling entryUSN plugin
>>   [14/37]: configuring lockout plugin
>>   [15/37]: configuring topology plugin
>>   [16/37]: creating indices
>>   [17/37]: enabling referential integrity plugin
>>   [18/37]: configuring ssl for ds instance
>>   [19/37]: configuring certmap.conf
>>   [20/37]: configure autobind for root
>>   [21/37]: configure new location for managed entries
>>   [22/37]: configure dirsrv ccache
>>   [23/37]: enable SASL mapping fallback
>>   [24/37]: restarting directory server
>>   [25/37]: setting up initial replication
>> Starting replication, please wait until this has completed.
>> Update in progress, 7 seconds elapsed
>> Update succeeded
>>
>>   [26/37]: updating schema
>>   [27/37]: setting Auto Member configuration
>>   [28/37]: enabling S4U2Proxy delegation
>>   [29/37]: importing CA certificates from LDAP
>>   [30/37]: initializing group membership
>>   [31/37]: adding master entry
>> ipa         : CRITICAL Failed to load master-entry.ldif: Command
>> ''/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmpFlM3mD' '-H'
>> 'ldap://replica1.zaeba.li:389' '-x' '-D' 'cn=Directory Manager' '-y'
>> '/tmp/tmpk_R0Lm'' returned non-zero exit status 68
>>   [32/37]: initializing domain level
>>   [33/37]: configuring Posix uid/gid generation
>>   [34/37]: adding replication acis
>>   [35/37]: enabling compatibility plugin
>>   [36/37]: tuning directory server
>>   [37/37]: configuring directory to start on boot
>> Done configuring directory server (dirsrv).
>> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes
>> 30 seconds
>>   [1/21]: creating certificate server user
>>   [2/21]: configuring certificate server instance
>>   [3/21]: stopping certificate server instance to update CS.cfg
>>   [4/21]: backing up CS.cfg
>>   [5/21]: disabling nonces
>>   [6/21]: set up CRL publishing
>>   [7/21]: enable PKIX certificate path discovery and validation
>>   [8/21]: starting certificate server instance
>>   [9/21]: creating RA agent certificate database
>>   [10/21]: importing CA chain to RA certificate database
>>   [11/21]: fixing RA database permissions
>>   [12/21]: setting up signing cert profile
>>   [13/21]: set certificate subject base
>>   [14/21]: enabling Subject Key Identifier
>>   [15/21]: enabling Subject Alternative Name
>>   [16/21]: enabling CRL and OCSP extensions for certificates
>>   [17/21]: setting audit signing renewal to 2 years
>>   [18/21]: configure certmonger for renewals
>>   [19/21]: configure certificate renewals
>>   [20/21]: configure Server-Cert certificate renewal
>>   [21/21]: Configure HTTP to proxy connections
>> Done configuring certificate server (pki-tomcatd).
>> Restarting the directory and certificate servers
>> Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
>>   [1/8]: adding sasl mappings to the directory
>>   [2/8]: configuring KDC
>>   [3/8]: creating a keytab for the directory
>>   [4/8]: creating a keytab for the machine
>>   [5/8]: adding the password extension to the directory
>>   [6/8]: enable GSSAPI for replication
>>   [error] NO_SUCH_OBJECT: {'desc': 'No such object'}
>>
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> Traceback (most recent call last):
>>   File "/sbin/ipa-replica-install", line 162, in
>>     fail_message=fail_message)
>>   File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
>> line 760, in run_script
>>     message, exitcode = handle_error(error, log_file_name)
>>   File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
>> line 799, in handle_error
>>     type(error).__name__, error.args[0]['info']), 1
>> KeyError: 'info'
>>
>> It needs to be noted, that the replica file was prepared on the master
>> running standard 4.1.2 freeipa-server.
>>
>> The log is attached
>>

--
Petr Vobornik

From jcholast at redhat.com Tue Jun 2 13:57:10 2015
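Review bot: widening the handler to `except (ldap.TYPE_OR_VALUE_EXISTS, ldap.NO_SUCH_OBJECT):` makes a missing binddn group indistinguishable from a member that is already present, so the install continues silently with a group the topology plugin depends on left unpopulated, which is the concern raised in the reply above. Suggest catching `ldap.NO_SUCH_OBJECT` in its own clause and at least logging a warning that names the missing group, or creating and populating the group when it does not exist, so a later domain level raise does not inherit an empty group.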
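Two things in the thread above are worth seeing in working code: `handle_error` assuming that `error.args[0]['info']` exists (the `KeyError: 'info'` in the traceback), and the question of what to do when the binddn group is absent. The example below is added here and is not FreeIPA code; `format_error`, `add_to_binddn_group`, `raiser` and the stand-in exception classes are this example's own names, and the stand-ins only imitate the shape of python-ldap errors (a dict in `args[0]` with `'desc'` and sometimes `'info'`) so the block runs without python-ldap installed.

```python
# Added example, not FreeIPA code.  Stand-ins for python-ldap exceptions:
# python-ldap puts a dict in args[0] with 'desc' and, only sometimes,
# 'info'.  The real classes live in the ldap module; these are constructed
# for the example.


class LDAPErrorStandIn(Exception):
    """Stand-in for ldap.LDAPError: args[0] is a dict like python-ldap's."""


class NO_SUCH_OBJECT(LDAPErrorStandIn):
    pass


class TYPE_OR_VALUE_EXISTS(LDAPErrorStandIn):
    pass


def format_error(error):
    """Return (message, exit_code) for an installer failure.

    Same shape as the installutils.handle_error call in the traceback
    above (it returns a message and an exit code), but it tolerates LDAP
    errors whose args[0] dict has no 'info' key, which is exactly what
    raised KeyError: 'info' in the log.
    """
    if isinstance(error, LDAPErrorStandIn):
        details = error.args[0] if error.args else {}
        if not isinstance(details, dict):
            details = {'desc': str(details)}
        desc = details.get('desc', 'unknown LDAP error')
        info = details.get('info')          # optional: never index it
        message = "%s: %s" % (type(error).__name__, desc)
        if info:
            message += " (%s)" % info
        return message, 1
    return "%s: %s" % (type(error).__name__, error), 1


def add_to_binddn_group(add_member, *, on_missing_group):
    """Run add_member(); an already-present member counts as success.

    A missing group (NO_SUCH_OBJECT) is reported through on_missing_group
    instead of being swallowed together with TYPE_OR_VALUE_EXISTS, so the
    install log records that the binddn group still has to be created and
    populated.  Returns True when the member is in the group afterwards,
    False when the group does not exist.
    """
    try:
        add_member()
    except TYPE_OR_VALUE_EXISTS:
        return True                          # member already present
    except NO_SUCH_OBJECT as e:
        on_missing_group(format_error(e)[0])
        return False
    return True


def raiser(exc):
    """Return a callable that raises exc (simulates a failing LDAP add)."""
    def _call():
        raise exc
    return _call
```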
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 02 Jun 2015 15:57:10 +0200
Subject: [Freeipa-devel] [PATCH 0048] fix ipa help command output errors
In-Reply-To: <55631534.2080204@redhat.com>
References: <555F44C7.8000905@redhat.com> <55631534.2080204@redhat.com>
Message-ID: <556DB636.8040602@redhat.com>

On 25.5.2015 at 14:27 Martin Basti wrote:
> On 22/05/15 17:40, Gabe Alford wrote:
>> On Fri, May 22, 2015 at 9:01 AM, Martin Basti wrote:
>>
>> On 22/05/15 16:08, Gabe Alford wrote:
>>> Hello,
>>>
>>> This should fix https://fedorahosted.org/freeipa/ticket/3584, and
>>> as requested in the ticket, this should also fix
>>> https://fedorahosted.org/freeipa/ticket/2284
>>>
>>> Thanks,
>>>
>>> Gabe
>>>
>>>
>> Thank you!
>>
>> IMO the first part of your fix only masks the issue, not solving it.
>>
>> This could be a way, but I did not test it.
>>
>> out_encoding = getattr(outfile, 'encoding', None)
>> if out_encoding is None:
>>     out_encoding = 'utf-8'
>> print >> outfile, unicode(string).encode(out_encoding)
>>
>>
>> I'm confused and maybe missing something here. If I run `ipa help dns
>> | bad_command`, shouldn't the command fail with only the following?
>> -bash: bad: command not found
>>
>>
>> Can you split this patch into 2 separate patches for each ticket
>> please?
>>
>>
>> Done
>>
>> Martin^2
>>
>> --
>> Martin Basti
>>
>>
> Thank you!
> ACK and ACK.

Pushed to master: b98077ea6844eddd8810e4ae6ddd5bf40c61b58e

--
Jan Cholasta

From mbasti at redhat.com Tue Jun 2 13:57:39 2015
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 02 Jun 2015 15:57:39 +0200
Subject: [Freeipa-devel] [PATCH 0262] Installer FIX: remove temporal ccache
In-Reply-To: <20150602082448.GP23523@dhcp-40-8.bne.redhat.com>
References: <556C49CB.30801@redhat.com> <556C68DA.4030808@redhat.com> <556C7092.1070700@redhat.com> <20150602082448.GP23523@dhcp-40-8.bne.redhat.com>
Message-ID: <556DB653.9020504@redhat.com>

On 02/06/15 10:24, Fraser Tweedale wrote:
> On Mon, Jun 01, 2015 at 04:47:46PM +0200, Martin Basti wrote:
>> On 01/06/15 16:14, Rob Crittenden wrote:
>>> Martin Basti wrote:
>>>> Fixes an issue caused by the latest installer patches pushed to master.
>>>>
>>>> Patch attached.
>>>>
>>>>
>>>>
>>> The use of globals makes my skin crawl a bit, but since you're making
>>> changes in here you should take a look at this ticket:
>>> https://fedorahosted.org/freeipa/ticket/5042
>>>
>>> rob
>> Hi Rob,
>>
>> this is fix for that ticket, I missed the ticket somehow.
>>
>> Thanks.
>> Martin^2
>>
>> --
>> Manage your subscription for the Freeipa-devel mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
> Fixes the problem for me, but I agree with Rob re globals - a
> context manager would be much nicer. Something like (pseudocode):
>
> @contextlib.context_manager
> def private_ccache():
>     ... stuff currently in init_private_ccache()
>     yield
>     ... stuff currently in destroy_private_ccache()
>
> Then in ipa-server-install main():
>
> with private_ccache:
>     if not options.uninstall:
>         server.install_check(options)
>         server.install(options)
>     else:
>         server.uninstall_check(options)
>         server.uninstall(options)
>
> Cheers,
> Fraser

Hello,

comments below:

1)
+ Str(
+ 'memberprincipal',
+ label=_('Failed principals'),
+ ),
+ Str(
+ 'ipaallowedtarget',
+ label=_('Failed targets'),
+ ),
+ Str(
+ 'servicedelegationrule',
+ label=_('principal member'),
+ ),

Are these names correct?
# ipa servicedelegationrule-find
----------------------------------
1 service delegation rule matched
----------------------------------
  Delegation name: ipa-http-delegation
  Allowed Target: ipa-ldap-delegation-targets, ipa-cifs-delegation-targets
  Failed principals: HTTP/vm-093.example.com at EXAMPLE.COM

2)
+ pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$',
+ pattern_errmsg='may only include letters, numbers, _, -, ., '
+ 'and a space inside',

This regex does not allow space inside
In [6]: print re.match(pattern, 'lalalala lalala')
None

3)
+ yield Str('%s*' % name, cli_name='%ss' % name, doc=doc,
+ label=_('member %s') % name,
+ csv=True, alwaysask=True)

IMHO CSV values should not be supported.
Honza told me, the option doesn't work anyway.

Patch with minor fixes attached.

I removed unused code and PEP8 complaints

Martin^2

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0000-review-service-delegation.patch
Type: text/x-patch
Size: 6160 bytes
Desc: not available
URL:

From jcholast at redhat.com Tue Jun 2 14:00:41 2015
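The context-manager shape Fraser sketches above (quoted in this message), filled in so that it runs, as an added example that is not FreeIPA code: the bodies of the real `init_private_ccache()`/`destroy_private_ccache()` are not on this page, so here the private ccache is a temporary file selected through `KRB5CCNAME`, and `private_ccache`, `run_with_private_ccache` and the `ccache_dir` parameter are this example's own names. The point it demonstrates is the one ticket 5042 is about: cleanup runs in a `finally` block, so the temporary credentials never outlive the installer, even when a step raises.

```python
# Added example, not FreeIPA code: a private Kerberos credential cache as a
# context manager instead of module globals.
import contextlib
import os
import tempfile


@contextlib.contextmanager
def private_ccache(ccache_dir=None):
    """Point KRB5CCNAME at a fresh, private ccache for the with-block.

    On exit (normal or by exception) the cache file is removed and the
    previous KRB5CCNAME value is restored.  ccache_dir is an assumed
    parameter for tests; None means the system temp directory.
    """
    fd, path = tempfile.mkstemp(prefix="krb5cc_ipa_", dir=ccache_dir)
    os.close(fd)
    os.chmod(path, 0o600)                    # credential cache: owner only
    previous = os.environ.get("KRB5CCNAME")
    os.environ["KRB5CCNAME"] = "FILE:" + path
    try:
        yield path
    finally:
        # the destroy_private_ccache() part: always runs, so nothing is
        # left behind on disk and no global state is needed
        try:
            os.unlink(path)
        except FileNotFoundError:
            pass
        if previous is None:
            os.environ.pop("KRB5CCNAME", None)
        else:
            os.environ["KRB5CCNAME"] = previous


def run_with_private_ccache(step, ccache_dir=None):
    """Run step(path) inside private_ccache() and report what happened.

    Returns a tuple:
      (result or the exception the step raised,
       cache file existed while the step ran,
       KRB5CCNAME pointed at it while the step ran,
       cache file still exists afterwards,
       KRB5CCNAME was restored afterwards)
    so the cleanup guarantee can be checked on both the success and the
    failure path.
    """
    before = os.environ.get("KRB5CCNAME")
    observed = {"path": None, "during": False, "env": False}
    try:
        with private_ccache(ccache_dir) as path:
            observed["path"] = path
            observed["during"] = os.path.exists(path)
            observed["env"] = os.environ.get("KRB5CCNAME") == "FILE:" + path
            result = step(path)
    except Exception as e:          # step failed: cleanup must still have run
        result = e
    exists_after = observed["path"] is not None and os.path.exists(observed["path"])
    return (result, observed["during"], observed["env"], exists_after,
            os.environ.get("KRB5CCNAME") == before)
```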
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 02 Jun 2015 16:00:41 +0200
Subject: [Freeipa-devel] [PATCH 0262] Installer FIX: remove temporal ccache
In-Reply-To: <556DB653.9020504@redhat.com>
References: <556C49CB.30801@redhat.com> <556C68DA.4030808@redhat.com> <556C7092.1070700@redhat.com> <20150602082448.GP23523@dhcp-40-8.bne.redhat.com> <556DB653.9020504@redhat.com>
Message-ID: <556DB709.1090609@redhat.com>

On 2.6.2015 at 15:57 Martin Basti wrote:
> On 02/06/15 10:24, Fraser Tweedale wrote:
>> On Mon, Jun 01, 2015 at 04:47:46PM +0200, Martin Basti wrote:
>>> On 01/06/15 16:14, Rob Crittenden wrote:
>>>> Martin Basti wrote:
>>>>> Fixes an issue caused by the latest installer patches pushed to
>>>>> master.
>>>>>
>>>>> Patch attached.
>>>>>
>>>>>
>>>>>
>>>> The use of globals makes my skin crawl a bit, but since you're making
>>>> changes in here you should take a look at this ticket:
>>>> https://fedorahosted.org/freeipa/ticket/5042
>>>>
>>>> rob
>>> Hi Rob,
>>>
>>> this is fix for that ticket, I missed the ticket somehow.
>>>
>>> Thanks.
>>> Martin^2
>>>
>>> --
>>> Manage your subscription for the Freeipa-devel mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
>> Fixes the problem for me, but I agree with Rob re globals - a
>> context manager would be much nicer. Something like (pseudocode):
>>
>> @contextlib.context_manager
>> def private_ccache():
>>     ... stuff currently in init_private_ccache()
>>     yield
>>     ... stuff currently in destroy_private_ccache()
>>
>> Then in ipa-server-install main():
>>
>> with private_ccache:
>>     if not options.uninstall:
>>         server.install_check(options)
>>         server.install(options)
>>     else:
>>         server.uninstall_check(options)
>>         server.uninstall(options)
>>
>> Cheers,
>> Fraser
> Hello,
>
> comments below:
>
> 1)
> + Str(
> + 'memberprincipal',
> + label=_('Failed principals'),
> + ),
> + Str(
> + 'ipaallowedtarget',
> + label=_('Failed targets'),
> + ),
> + Str(
> + 'servicedelegationrule',
> + label=_('principal member'),
> + ),
> Are these names correct?
> # ipa servicedelegationrule-find
> ----------------------------------
> 1 service delegation rule matched
> ----------------------------------
>   Delegation name: ipa-http-delegation
>   Allowed Target: ipa-ldap-delegation-targets, ipa-cifs-delegation-targets
>   Failed principals: HTTP/vm-093.example.com at EXAMPLE.COM
>
>
> 2)
> + pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$',
> + pattern_errmsg='may only include letters, numbers, _, -, ., '
> + 'and a space inside',
>
> This regex does not allow space inside
> In [6]: print re.match(pattern, 'lalalala lalala')
> None
>
>
> 3)
> + yield Str('%s*' % name, cli_name='%ss' % name, doc=doc,
> + label=_('member %s') % name,
> + csv=True, alwaysask=True)
>
> IMHO CSV values should not be supported.
> Honza told me, the option doesn't work anyway.
>
> Patch with minor fixes attached.
>
> I removed unused code and PEP8 complaints

Wrong thread :-)

--
Jan Cholasta

From mbasti at redhat.com Tue Jun 2 14:03:41 2015
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 02 Jun 2015 16:03:41 +0200
Subject: [Freeipa-devel] [PATCH] 1112 Add service constraint delegation plugin
In-Reply-To: <556A6CF4.5010603@redhat.com>
References: <555B4696.2070502@redhat.com> <555BA115.5070408@redhat.com> <555CB00B.3080309@redhat.com> <5565F29B.7000507@redhat.com> <5565FE97.6040202@redhat.com> <55660A2D.1080801@redhat.com> <5566D11B.3070505@redhat.com> <556A6CF4.5010603@redhat.com>
Message-ID: <556DB7BD.9030101@redhat.com>

On 31/05/15 04:07, Rob Crittenden wrote:
> Petr Vobornik wrote:
>> On 05/27/2015 08:17 PM, Martin Basti wrote:
>>> On 27/05/15 19:27, Rob Crittenden wrote:
>>>> Martin Basti wrote:
>>>>>>
>>>>> Thank you.
>>>>>
>>>>> I haven't finished review yet, but I have a few notes in case you will
>>>>> modify the patch.
>>>>>
>>>>> Please fix following issues:
>>>>>
>>>>
>>>>> 3)
>>>>> There are many PEP8 errors, can you fix some of them?
>>>>
>>>> Is PEP8 a concern? What kinds of errors do we fix? For example, the
>>>> current model for defining options generates a slew of indentation
>>>> errors.
>>
>> In old modules it's preferred to keep the old indentation style for
>> options (not to mix 2 styles). New modules should use following pep8
>> compliant style:
>> Str(
>>     'cn',
>>     cli_name='name',
>>     primary_key=True,
>>     label=_('Server name'),
>>     doc=_('IPA server hostname'),
>> ),
>>
>>> We try to keep PEP8 in new code, mainly indentation, blank lines, too
>>> long lines.
>>> Yes, in test definitions and option definitions it is better to keep the
>>> same style, but other parts of code should be PEP8.
>>>
>>> For example these should be fixed
>>> ./ipatests/test_xmlrpc/test_serviceconstraint_plugin.py:37:13: E225
>>> missing whitespace around operator
>>> ./ipatests/test_xmlrpc/test_serviceconstraint_plugin.py:39:1: E302
>>> expected 2 blank lines, found 1
>>> ./ipatests/test_xmlrpc/test_serviceconstraint_plugin.py:42:1: E302
>>> expected 2 blank lines, found 1
>>>
>>>>
>>>>
>>>> I'll wait and see what falls out of the API review before making any
>>>> real changes.
>>>>
>>>> rob
>
> Updated API and addressed Martin's concerns. The regex must have been
> a bad copy/paste, it is fixed now.
>
> The design page has been updated as well.
>
> rob
>
Hello,

comments below, in the right thread:

1)
+ Str(
+ 'memberprincipal',
+ label=_('Failed principals'),
+ ),
+ Str(
+ 'ipaallowedtarget',
+ label=_('Failed targets'),
+ ),
+ Str(
+ 'servicedelegationrule',
+ label=_('principal member'),
+ ),

Are these names correct?

# ipa servicedelegationrule-find
----------------------------------
1 service delegation rule matched
----------------------------------
  Delegation name: ipa-http-delegation
  Allowed Target: ipa-ldap-delegation-targets, ipa-cifs-delegation-targets
  Failed principals: HTTP/vm-093.example.com at EXAMPLE.COM

2)
+ pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$',
+ pattern_errmsg='may only include letters, numbers, _, -, ., '
+ 'and a space inside',

This regex does not allow space inside
In [6]: print re.match(pattern, 'lalalala lalala')
None

3)
+ yield Str('%s*' % name, cli_name='%ss' % name, doc=doc,
+ label=_('member %s') % name,
+ csv=True, alwaysask=True)

IMHO CSV values should not be supported.
Honza told me, the option doesn't work anyway.

Patch with minor fixes attached.

I removed unused code and PEP8 complaints

--
Martin Basti

-------------- next part --------------
A non-text attachment was scrubbed...
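Review bot: the labels in the three `Str(...)` definitions do not describe their attributes: `'memberprincipal'` is labelled `_('Failed principals')`, `'ipaallowedtarget'` is labelled `_('Failed targets')` and `'servicedelegationrule'` is labelled `_('principal member')`, and the `servicedelegationrule-find` output above accordingly prints a member principal under "Failed principals". Suggest labels named after what the attribute holds, for example `label=_('Member principals')` for `'memberprincipal'`, and the same check for the other two.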
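Review bot: `pattern` and `pattern_errmsg` disagree: none of the character classes in `'^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$'` contains a space, so the promised "and a space inside" is never accepted (the `re.match` above returns `None`). Either add the space to the middle class, so it is allowed only between the first and last characters, or drop that clause from the message; the pattern also admits a leading `.` and a trailing `$`, which the message does not mention.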
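Review bot: `csv=True` on the generated `Str('%s*' % name, ...)` member parameter: the parameter is already multivalued (the `*` suffix), and the reply above notes the csv option does not work, so suggest dropping `csv=True` and accepting repeated values instead.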
Name: freeipa-mbasti-0000-review-service-delegation.patch
Type: text/x-patch
Size: 6160 bytes
Desc: not available
URL:

From jcholast at redhat.com Tue Jun 2 14:03:39 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 02 Jun 2015 16:03:39 +0200
Subject: [Freeipa-devel] [PATCH 0014 v3] Support multiple user and host certificates
In-Reply-To: <556D8713.5030101@redhat.com>
References: <20150527135315.GC24915@dhcp-40-8.bne.redhat.com> <5565ED02.6060709@redhat.com> <20150528111804.GA23523@dhcp-40-8.bne.redhat.com> <20150601044027.GH23523@dhcp-40-8.bne.redhat.com> <556C5525.8080305@redhat.com> <20150602094227.GR23523@dhcp-40-8.bne.redhat.com> <556D8713.5030101@redhat.com>
Message-ID: <556DB7BB.5090600@redhat.com>

On 2.6.2015 at 12:36 Martin Basti wrote:
> On 02/06/15 11:42, Fraser Tweedale wrote:
>> On Mon, Jun 01, 2015 at 02:50:45PM +0200, Martin Basti wrote:
>>> On 01/06/15 06:40, Fraser Tweedale wrote:
>>>> New version of patch; ``{host,service}-show --out=FILE`` now writes
>>>> all certs to FILE. Rebased on latest master.
>>>>
>>>> Thanks,
>>>> Fraser
>>>>
>>>> On Thu, May 28, 2015 at 09:18:04PM +1000, Fraser Tweedale wrote:
>>>>> Updated patch attached. Notably restores/adds revocation behaviour
>>>>> to host-mod and service-mod.
>>>>>
>>>>> Thanks,
>>>>> Fraser
>>>>>
>>>>> On Wed, May 27, 2015 at 06:12:50PM +0200, Martin Basti wrote:
>>>>>> On 27/05/15 15:53, Fraser Tweedale wrote:
>>>>>>> This patch adds support for multiple user / host certificates. No
>>>>>>> schema change is needed ('usercertificate' attribute is already
>>>>>>> multi-value). The revoke-previous-cert behaviour of host-mod and
>>>>>>> user-mod has been removed but revocation behaviour of -del and
>>>>>>> -disable is preserved.
>>>>>>>
>>>>>>> The latest profiles/caacl patchset (0001..0013 v5) depends on this
>>>>>>> patch for correct cert-request behaviour.
>>>>>>>
>>>>>>> There is one design question (or maybe more, let me know): the
>>>>>>> `--out=FILENAME' option to {host,service} show saves ONE certificate
>>>>>>> to the named file. I propose to either:
>>>>>>>
>>>>>>> a) write all certs, suffixing suggested filename with either a
>>>>>>>    sequential numerical index, e.g. "cert.pem" becomes
>>>>>>>    "cert.pem.1", "cert.pem.2", and so on; or
>>>>>>>
>>>>>>> b) as above, but suffix with serial number and, if there are
>>>>>>>    different issuers, some issuer-identifying information.
>>>>>>>
>>>>>>> Let me know your thoughts.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Fraser
>>>>>>>
>>>>>>>
>>>>>> Is there a possible way to store certificates into one file?
>>>>>> I read about possibilities to have multiple certs in one .pem
>>>>>> file, but I'm not a cert guru :)
>>>>>>
>>>>>> I personally vote for serial number in case there are multiple
>>>>>> certificates, if ^ is not possible.
>>>>>>
>>>>>>
>>>>>> 1)
>>>>>> + if len(certs) > 0:
>>>>>>
>>>>>> please use only,
>>>>>> if certs:
>>>>>>
>>>>>> 2)
>>>>>> You need to re-generate API/ACI.txt in this patch
>>>>>>
>>>>>> 3)
>>>>>> syntax error:
>>>>>> + for dercert in certs_der
>>>>>>
>>>>>>
>>>>>> 4)
>>>>>> command
>>>>>> ipa user-mod ca_user --certificate=
>>>>>>
>>>>>> removes the current certificate from the LDAP, by design.
>>>>>> Should the old certificate(s) be revoked? You removed that part in
>>>>>> the code.
>>>>>>
>>>>>> only the --addattr='usercertificate=' appends new value there
>>>>>>
>>>>>> --
>>>>>> Martin Basti
>>>>>>
>>> My objections/proposed solutions in attached patch.
>>>
>>> * VERSION
>>> * In the previous version normalized values were stored in LDAP, so I
>>>   added it back. (I don't know why there is no normalization in param
>>>   settings, but normalization for every certificate is done in callback.
>>>   I will file a ticket for this)
>>> * IMO only normalized certificates should be compared in the old
>>>   certificates detection
>>>
>> I incorporated your suggested changes in new patch (attached).
>>
>> There were no proposed changes to the other patchset (0001..0013)
>> since rebase.
>>
>> Thanks,
>> Fraser
> Thank you,
> ACK
> Martin^2
>

Pushed to master: 7f7c247bb5a4b0030d531f4f14c156162e808212

--
Jan Cholasta

From mbasti at redhat.com Tue Jun 2 14:04:19 2015
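Two points from the review above can be shown concretely: that any number of certificates can be stored in one PEM file (Martin's question), and that certificates should be compared in normalized form so the same certificate given as PEM and as DER is not treated as two. The block below is an added example, not FreeIPA code: `normalize_certificate`, `der_to_pem`, `write_certs`, `read_certs` and `roundtrip` are this example's own functions, and `SAMPLE_CERT_A`/`SAMPLE_CERT_B` are constructed byte strings standing in for DER certificates, not real ones.

```python
# Added example, not FreeIPA code: several certificates in one PEM file,
# with normalization to DER so duplicates are detected regardless of the
# encoding they arrived in.
import base64
import os
import re
import tempfile

# Constructed stand-ins for DER-encoded certificates (not real X.509 data).
SAMPLE_CERT_A = b"\x30\x82\x01\x0a" + b"A" * 80
SAMPLE_CERT_B = b"\x30\x82\x01\x0b" + b"B" * 80

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----",
    re.DOTALL)


def normalize_certificate(value):
    """Return DER bytes for a certificate given as DER bytes or PEM text."""
    if isinstance(value, str):
        value = value.encode("ascii")
    m = PEM_RE.search(value)
    if m:
        # strip the 64-column line breaks before decoding
        return base64.b64decode(b"".join(m.group(1).split()))
    return value                                    # already DER


def der_to_pem(der):
    """Wrap DER bytes in a PEM CERTIFICATE block (64-column base64)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
            % "\n".join(lines))


def write_certs(path, certs):
    """Write all given certificates (DER or PEM) to one PEM file.

    Duplicates are dropped by comparing normalized (DER) values, the
    comparison the review above asks for.  Returns the number written.
    """
    unique = []
    for cert in certs:
        der = normalize_certificate(cert)
        if der not in unique:
            unique.append(der)
    with open(path, "w") as f:
        for der in unique:
            f.write(der_to_pem(der))
    return len(unique)


def read_certs(path):
    """Read every certificate from a PEM file back as DER, in file order."""
    with open(path, "rb") as f:
        data = f.read()
    return [base64.b64decode(b"".join(block.split()))
            for block in PEM_RE.findall(data)]


def roundtrip(certs):
    """Write certs to a temporary PEM file and read them back.

    Returns (number written, list of DER certificates read).
    """
    fd, path = tempfile.mkstemp(suffix=".pem")
    os.close(fd)
    try:
        return write_certs(path, certs), read_certs(path)
    finally:
        os.unlink(path)
```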
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 02 Jun 2015 16:04:19 +0200
Subject: [Freeipa-devel] [PATCH 0262] Installer FIX: remove temporal ccache
In-Reply-To: <556DB709.1090609@redhat.com>
References: <556C49CB.30801@redhat.com> <556C68DA.4030808@redhat.com> <556C7092.1070700@redhat.com> <20150602082448.GP23523@dhcp-40-8.bne.redhat.com> <556DB653.9020504@redhat.com> <556DB709.1090609@redhat.com>
Message-ID: <556DB7E3.2090005@redhat.com>

On 02/06/15 16:00, Jan Cholasta wrote:
> On 2.6.2015 at 15:57 Martin Basti wrote:
>> On 02/06/15 10:24, Fraser Tweedale wrote:
>>> On Mon, Jun 01, 2015 at 04:47:46PM +0200, Martin Basti wrote:
>>>> On 01/06/15 16:14, Rob Crittenden wrote:
>>>>> Martin Basti wrote:
>>>>>> Fixes an issue caused by the latest installer patches pushed to
>>>>>> master.
>>>>>>
>>>>>> Patch attached.
>>>>>>
>>>>>>
>>>>>>
>>>>> The use of globals makes my skin crawl a bit, but since you're making
>>>>> changes in here you should take a look at this ticket:
>>>>> https://fedorahosted.org/freeipa/ticket/5042
>>>>>
>>>>> rob
>>>> Hi Rob,
>>>>
>>>> this is fix for that ticket, I missed the ticket somehow.
>>>>
>>>> Thanks.
>>>> Martin^2
>>>>
>>>> --
>>>> Manage your subscription for the Freeipa-devel mailing list:
>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
>>> Fixes the problem for me, but I agree with Rob re globals - a
>>> context manager would be much nicer. Something like (pseudocode):
>>>
>>> @contextlib.context_manager
>>> def private_ccache():
>>>     ... stuff currently in init_private_ccache()
>>>     yield
>>>     ... stuff currently in destroy_private_ccache()
>>>
>>> Then in ipa-server-install main():
>>>
>>> with private_ccache:
>>>     if not options.uninstall:
>>>         server.install_check(options)
>>>         server.install(options)
>>>     else:
>>>         server.uninstall_check(options)
>>>         server.uninstall(options)
>>>
>>> Cheers,
>>> Fraser
>> Hello,
>>
>> comments below:
>>
>> 1)
>> + Str(
>> + 'memberprincipal',
>> + label=_('Failed principals'),
>> + ),
>> + Str(
>> + 'ipaallowedtarget',
>> + label=_('Failed targets'),
>> + ),
>> + Str(
>> + 'servicedelegationrule',
>> + label=_('principal member'),
>> + ),
>> Are these names correct?
>> # ipa servicedelegationrule-find
>> ----------------------------------
>> 1 service delegation rule matched
>> ----------------------------------
>>   Delegation name: ipa-http-delegation
>>   Allowed Target: ipa-ldap-delegation-targets,
>>                   ipa-cifs-delegation-targets
>>   Failed principals: HTTP/vm-093.example.com at EXAMPLE.COM
>>
>>
>> 2)
>> + pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$',
>> + pattern_errmsg='may only include letters, numbers, _, -,
>> ., '
>> + 'and a space inside',
>>
>> This regex does not allow space inside
>> In [6]: print re.match(pattern, 'lalalala lalala')
>> None
>>
>>
>> 3)
>> + yield Str('%s*' % name, cli_name='%ss' % name, doc=doc,
>> + label=_('member %s') % name,
>> + csv=True, alwaysask=True)
>>
>> IMHO CSV values should not be supported.
>> Honza told me, the option doesn't work anyway.
>>
>> Patch with minor fixes attached.
>>
>> I removed unused code and PEP8 complaints
>
> Wrong thread :-)
>
Sorry :-)

--
Martin Basti

From pvoborni at redhat.com Tue Jun 2 14:56:03 2015
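The regex point quoted in the review above (item 2), exercised in code as an added example that is not FreeIPA code: `PATTERN` is the page's regex verbatim, while `PATTERN_WITH_SPACE` is this example's own candidate for what the error message promises (a space accepted only between the first and last characters) and is an assumption, not the project's fix. `matches`, `check_names` and `max_length` are this example's helpers; the last one shows the length bound the `{0,252}` quantifier implies.

```python
# Added example, not FreeIPA code: input-validation pattern versus its
# error message.
import re

# verbatim from the review above
PATTERN = r'^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$'

# Assumed candidate fix: the space joins the middle class only, and the
# middle-plus-last part is grouped so a name cannot end with a space
# (with the original "?" structure a trailing space would slip through the
# middle class while the optional last class matched nothing).
PATTERN_WITH_SPACE = (
    r'^[a-zA-Z0-9_.](?:[a-zA-Z0-9_. -]{0,252}[a-zA-Z0-9_.$-])?$')


def matches(pattern, name):
    """True when the whole name is accepted by pattern."""
    return re.match(pattern, name) is not None


def check_names(pattern, names):
    """Map each candidate name to whether pattern accepts it."""
    return {name: matches(pattern, name) for name in names}


def max_length(pattern):
    """Length of the longest all-'a' name that pattern accepts."""
    n = 0
    while matches(pattern, 'a' * (n + 1)):
        n += 1
    return n
```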
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 02 Jun 2015 16:56:03 +0200
Subject: [Freeipa-devel] [PATCH 0014] Support multiple user and host certificates
In-Reply-To: <20150527135315.GC24915@dhcp-40-8.bne.redhat.com>
References: <20150527135315.GC24915@dhcp-40-8.bne.redhat.com>
Message-ID: <556DC403.3010300@redhat.com>

On 05/27/2015 03:53 PM, Fraser Tweedale wrote:
> This patch adds support for multiple user / host certificates. No
> schema change is needed ('usercertificate' attribute is already
> multi-value). The revoke-previous-cert behaviour of host-mod and
> user-mod has been removed but revocation behaviour of -del and
> -disable is preserved.
>
> The latest profiles/caacl patchset (0001..0013 v5) depends on this
> patch for correct cert-request behaviour.
>
> There is one design question (or maybe more, let me know): the
> `--out=FILENAME' option to {host,service} show saves ONE certificate
> to the named file. I propose to either:
>
> a) write all certs, suffixing suggested filename with either a
>    sequential numerical index, e.g. "cert.pem" becomes
>    "cert.pem.1", "cert.pem.2", and so on; or
>
> b) as above, but suffix with serial number and, if there are
>    different issuers, some issuer-identifying information.
>
> Let me know your thoughts.
>
> Thanks,
> Fraser
>

Has anybody tried it with Web UI? Currently Web UI is designed only for
one cert. I wonder if it still works even with just one. We should
probably file a ticket.

--
Petr Vobornik

From mkosek at redhat.com Tue Jun 2 15:05:29 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 02 Jun 2015 17:05:29 +0200
Subject: [Freeipa-devel] [PATCH] Password vault
In-Reply-To: <556D9C66.2080706@redhat.com>
References: <54E1AF55.3060409@redhat.com> <54EBEB55.6010306@redhat.com> <54F96B22.9050507@redhat.com> <55004D5D.6060300@redhat.com> <550FE5EB.1070606@redhat.com> <551E0AE1.8040500@redhat.com> <553498D1.1020901@redhat.com> <55651209.8020000@redhat.com> <556558AA.6040107@redhat.com> <556CF209.7050404@redhat.com> <556D48F3.7040902@redhat.com> <556D9C66.2080706@redhat.com>
Message-ID: <556DC639.7090403@redhat.com>

On 06/02/2015 02:07 PM, Endi Sukma Dewata wrote:
> On 6/2/2015 1:10 AM, Martin Kosek wrote:
>> Hi Endi,
>>
>> Quickly skimming through your patches raised a couple of questions on my side:
>>
>> 1) Will it be possible to also store plain text password via Vault? It
>> talks about taking in the binary data or the text file, but will it also
>> work with plain user secrets (passwords)? I am talking about use like this:
>>
>> # ipa vault-archive --user mkosek --data Secret123
>
> For security the plain text password should be stored in a file first:
>
> # vi password.txt
> # ipa vault-archive --user mkosek --in password.txt
>
> It's also possible to specify the password as base-64 encoded data:
>
> # echo -n Secret123 | base64
> # ipa vault-archive --user mkosek --data U2VjcmV0MTIz
>
> But it's not recommended since the data will be stored in the command history
> and someone could see and decode it. I think passing a plain text password as
> command line argument would be even worse. The --data parameter is mainly used
> for unit testing.
>
> Later we might be able to add an option to read from standard input:
>
> # cat password.txt | ipa vault-archive --user mkosek --std-in

Ok. Well, base64 + file input look as good enough for now. I was mostly
concerned about usability of the solution for normal users as for a manual
secret, it is not convenient to always create an interim file. We will see
based on user experience, maybe Web UI or further CLI-only additions will be
the answer.

>> 2) Didn't we discuss a dependency of IPA/Vault on python-cryptography in
>> the past? I rather see use of python-nss for cryptography...
>
> Yes. I might have mentioned that it would be in the 2nd (current) vault patch.
> Actually it will be in the 3rd patch when we add the symmetric and asymmetric
> vaults. The symmetric and asymmetric encryption will be implemented using
> python-cryptography. You can also see this in an old patch (#358) but it's
> obsolete now.

Ok.

> The standard vault in the current patch uses python-nss for transport
> encryption because when the KRA interface was written python-cryptography
> wasn't available on Fedora, it didn't support certificates, and I'm not sure if
> it supports key wrapping.
>
> The symmetric and asymmetric vaults add an additional layer of encryption on
> top of the standard transport encryption, so it will depend on both python-nss
> and python-cryptography.
>
> In the future if the KRA can support python-cryptography without python-nss we
> may be able to drop the python-nss dependency from vaults.

Ok.

>
>> 3) You do a lot of actions in the forward() method (as planned in
>> https://www.freeipa.org/page/V4/Password_Vault#Archival). But how do you
>> envision that this is consumed by the Web UI? It does not have access to
>> the forward() method. Would it need to also include some crypto library?
>
> If Web UI wants to access vault (not sure if everybody agrees with that), it
> would have to perform an encryption on the browser side. In that case we will
> need to use either WebCrypto or a browser-specific extension to implement
> something similar to vault_archive.forward(), assuming the required
> cryptographic functionalities are available. In the future PKI might be able to
> provide a JavaScript interface for KRA.

Ok, makes sense. I think we will want Web UI at some point, but the summary for
FreeIPA 4.2 seems - no Web UI for Vault (yet).

>> 4) In the vault-archive forward method, you use "pki" module. However,
>> this module will be only available on FreeIPA PKI-powered servers and
>> not on FreeIPA clients - so this will not work unless freeipa-client
>> gets a dependency on pki-base - which is definitely not something we
>> want...
>
> In my opinion it should be fine to require pki-base on the client because it
> contains just the client library, unless you have other concerns? Any
> objections to having pki-nss and pki-cryptography dependencies on the client?
>
> Even if we can change the client code not to depend on "pki" module, since in
> this framework the client and server code are written in the same plugin, the
> "import pki" still cannot be removed since it's still needed by the server
> code, and I don't think conditional import is a good programming practice.

I have major concerns here. Look at the difference between installing
"freeipa-client" and "freeipa-client + pki-base" on my F21:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ sudo yum install freeipa-client
...
Install  1 Package (+4 Dependent packages)

Total download size: 2.6 M
Installed size: 14 M
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ sudo yum install freeipa-client pki-base
...
Install  2 Packages (+288 Dependent packages)

Total download size: 160 M
Installed size: 235 M
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This is obviously a no-go for client. The conditional import is a smaller
concern than the big dependency growth on the client. We do them in trust plugin
for example and it works fine (though I agree it is not ideal programming
practice).

IMO, we should limit new freeipa-client dependencies only to python-cryptography
(or also python-nss in the worst case, in case python-cryptography is not
enough) - there should be no pki dependencies at all, these should be only on
the server side.

Thanks,
Martin

From lkrispen at redhat.com Tue Jun 2 15:08:47 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Tue, 02 Jun 2015 17:08:47 +0200
Subject: [Freeipa-devel] [PATCH 0010] KeyError raised upon replica installation
In-Reply-To: <556DB556.90606@redhat.com>
References: <556D80E5.6050802@redhat.com> <556D9F9A.1060802@redhat.com> <556DB556.90606@redhat.com>
Message-ID: <556DC6FF.6060703@redhat.com>

On 06/02/2015 03:53 PM, Petr Vobornik wrote:
> On 06/02/2015 02:20 PM, Ludwig Krispenz wrote:
>>
>> On 06/02/2015 12:09 PM, Oleg Fayans wrote:
>>> Hi all,
>>>
>>> The following error was caught during replica installation (I used all
>>> the latest patches from Ludwig and Martin Basti):
>
> - except ldap.TYPE_OR_VALUE_EXISTS:
> + except (ldap.TYPE_OR_VALUE_EXISTS, ldap.NO_SUCH_OBJECT):
>
> What happens if all replicas are updated and domain level is raised? I
> don't think that the group will be populated. Or will it be? Without
> it, topology plugin won't work, right?

good point,
it will be limited, when adding a new segment a replication agreement will be created, but it will not have the credentials to replicate.

>
> There should be a moment where all the DNs are added.

yes, there could probably be a check when topology plugin gets active if the binddn group exists and if not create and populate it

>
>
>>>
>>> root at localhost:/home/ofayans/rpms]$ ipa-replica-install --setup-ca
>>> --setup-dns --forwarder 10.38.5.26
>>> /var/lib/ipa/replica-info-replica1.zaeba.li.gpg
>> the topology plugin needs a replica binddngroup to be able to setup
>> agreements without having to modify cn=config. If the replica is
>> installed from an older version, this group doesn't exist and adding
>> members to it fails.
>> The attached patch should handle this
>>> Directory Manager (existing master) password:
>>>
>>> Existing BIND configuration detected, overwrite? [no]: yes
>>> Adding [192.168.122.210 replica1.zaeba.li] to your /etc/hosts file
>>> Checking forwarders, please wait ...
>>> Using reverse zone(s) 122.168.192.in-addr.arpa.
>>> Run connection check to master
>>> Check connection from replica to remote master
>>> 'upgrademaster.zaeba.li':
>>>    Directory Service: Unsecure port (389): OK
>>>    Directory Service: Secure port (636): OK
>>>    Kerberos KDC: TCP (88): OK
>>>    Kerberos Kpasswd: TCP (464): OK
>>>    HTTP Server: Unsecure port (80): OK
>>>    HTTP Server: Secure port (443): OK
>>>
>>> The following list of ports use UDP protocol and would need to be
>>> checked manually:
>>>    Kerberos KDC: UDP (88): SKIPPED
>>>    Kerberos Kpasswd: UDP (464): SKIPPED
>>>
>>> Connection from replica to master is OK.
>>> Start listening on required ports for remote master check
>>> Get credentials to log in to remote master
>>> admin at ZAEBA.LI password:
>>>
>>> Check SSH connection to remote master
>>> Execute check on remote master
>>> Check connection from master to remote replica 'replica1.zaeba.li':
>>>    Directory Service: Unsecure port (389): OK
>>>    Directory Service: Secure port (636): OK
>>>    Kerberos KDC: TCP (88): OK
>>>    Kerberos KDC: UDP (88): OK
>>>    Kerberos Kpasswd: TCP (464): OK
>>>    Kerberos Kpasswd: UDP (464): OK
>>>    HTTP Server: Unsecure port (80): OK
>>>    HTTP Server: Secure port (443): OK
>>>
>>> Connection from master to replica is OK.
>>>
>>> Connection check OK
>>> Configuring NTP daemon (ntpd)
>>>   [1/4]: stopping ntpd
>>>   [2/4]: writing configuration
>>>   [3/4]: configuring ntpd to start on boot
>>>   [4/4]: starting ntpd
>>> Done configuring NTP daemon (ntpd).
>>> Configuring directory server (dirsrv): Estimated time 1 minute
>>>   [1/37]: creating directory server user
>>>   [2/37]: creating directory server instance
>>>   [3/37]: adding default schema
>>>   [4/37]: enabling memberof plugin
>>>   [5/37]: enabling winsync plugin
>>>   [6/37]: configuring replication version plugin
>>>   [7/37]: enabling IPA enrollment plugin
>>>   [8/37]: enabling ldapi
>>>   [9/37]: configuring uniqueness plugin
>>>   [10/37]: configuring uuid plugin
>>>   [11/37]: configuring modrdn plugin
>>>   [12/37]: configuring DNS plugin
>>>   [13/37]: enabling entryUSN plugin
>>>   [14/37]: configuring lockout plugin
>>>   [15/37]: configuring topology plugin
>>>   [16/37]: creating indices
>>>   [17/37]: enabling referential integrity plugin
>>>   [18/37]: configuring ssl for ds instance
>>>   [19/37]: configuring certmap.conf
>>>   [20/37]: configure autobind for root
>>>   [21/37]: configure new location for managed entries
>>>   [22/37]: configure dirsrv ccache
>>>   [23/37]: enable SASL mapping fallback
>>>   [24/37]: restarting directory server
>>>   [25/37]: setting up initial replication
>>> Starting replication, please wait until this has completed.
>>> Update in progress, 7 seconds elapsed
>>> Update succeeded
>>>
>>>   [26/37]: updating schema
>>>   [27/37]: setting Auto Member configuration
>>>   [28/37]: enabling S4U2Proxy delegation
>>>   [29/37]: importing CA certificates from LDAP
>>>   [30/37]: initializing group membership
>>>   [31/37]: adding master entry
>>> ipa         : CRITICAL Failed to load master-entry.ldif: Command
>>> ''/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmpFlM3mD' '-H'
>>> 'ldap://replica1.zaeba.li:389' '-x' '-D' 'cn=Directory Manager' '-y'
>>> '/tmp/tmpk_R0Lm'' returned non-zero exit status 68
>>>   [32/37]: initializing domain level
>>>   [33/37]: configuring Posix uid/gid generation
>>>   [34/37]: adding replication acis
>>>   [35/37]: enabling compatibility plugin
>>>   [36/37]: tuning directory server
>>>   [37/37]: configuring directory to start on boot
>>> Done configuring directory server (dirsrv).
>>> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes
>>> 30 seconds
>>>   [1/21]: creating certificate server user
>>>   [2/21]: configuring certificate server instance
>>>   [3/21]: stopping certificate server instance to update CS.cfg
>>>   [4/21]: backing up CS.cfg
>>>   [5/21]: disabling nonces
>>>   [6/21]: set up CRL publishing
>>>   [7/21]: enable PKIX certificate path discovery and validation
>>>   [8/21]: starting certificate server instance
>>>   [9/21]: creating RA agent certificate database
>>>   [10/21]: importing CA chain to RA certificate database
>>>   [11/21]: fixing RA database permissions
>>>   [12/21]: setting up signing cert profile
>>>   [13/21]: set certificate subject base
>>>   [14/21]: enabling Subject Key Identifier
>>>   [15/21]: enabling Subject Alternative Name
>>>   [16/21]: enabling CRL and OCSP extensions for certificates
>>>   [17/21]: setting audit signing renewal to 2 years
>>>   [18/21]: configure certmonger for renewals
>>>   [19/21]: configure certificate renewals
>>>   [20/21]: configure Server-Cert certificate renewal
>>>   [21/21]: Configure HTTP to proxy connections
>>> Done configuring certificate server (pki-tomcatd).
>>> Restarting the directory and certificate servers
>>> Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
>>>   [1/8]: adding sasl mappings to the directory
>>>   [2/8]: configuring KDC
>>>   [3/8]: creating a keytab for the directory
>>>   [4/8]: creating a keytab for the machine
>>>   [5/8]: adding the password extension to the directory
>>>   [6/8]: enable GSSAPI for replication
>>>   [error] NO_SUCH_OBJECT: {'desc': 'No such object'}
>>>
>>> Your system may be partly configured.
>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>
>>> Traceback (most recent call last):
>>>   File "/sbin/ipa-replica-install", line 162, in
>>>     fail_message=fail_message)
>>>   File
>>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
>>> line 760, in run_script
>>>     message, exitcode = handle_error(error, log_file_name)
>>>   File
>>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
>>> line 799, in handle_error
>>>     type(error).__name__, error.args[0]['info']), 1
>>> KeyError: 'info'
>>>
>>> It needs to be noted, that the replica file was prepared on the master
>>> running standard 4.1.2 freeipa-server.
>>>
>>> The log is attached
>>>
>
>

From mkosek at redhat.com Tue Jun 2 15:16:00 2015
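Review bot: widening the except clause to swallow ldap.NO_SUCH_OBJECT together with TYPE_OR_VALUE_EXISTS hides the very case this thread identifies: on a replica installed from an older master the replica bind DN group does not exist, the member add is skipped silently, and the topology plugin later creates agreements that have no credentials to replicate. Treat NO_SUCH_OBJECT as its own branch that creates and populates the group (or at minimum logs a warning naming the missing group) rather than ignoring it, and keep the two conditions in separate except clauses since they mean different things.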
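The KeyError in the quoted traceback comes from handle_error indexing error.args[0]['info'] on an LDAP result that only carries 'desc'. As an added example (not FreeIPA's own code; the exception classes are constructed stand-ins for python-ldap's, so it runs without python-ldap installed), here is a formatter that tolerates the missing key:

```python
"""Added example, not FreeIPA code: a defensive formatter for LDAP errors.

The quoted traceback ends in installutils.handle_error evaluating
    error.args[0]['info']
and failing with KeyError because the NO_SUCH_OBJECT result carried only
{'desc': 'No such object'}.  python-ldap exceptions put a result dict in
args[0] whose 'info' key is optional, so an error reporter must not assume
it is present.
"""


class LDAPError(Exception):
    """Constructed stand-in for ldap.LDAPError: args[0] is a result dict."""


class NO_SUCH_OBJECT(LDAPError):
    """Constructed stand-in for ldap.NO_SUCH_OBJECT."""


class TYPE_OR_VALUE_EXISTS(LDAPError):
    """Constructed stand-in for ldap.TYPE_OR_VALUE_EXISTS."""


def describe_ldap_error(error):
    """Return 'NAME: desc (info)' using only the keys that are present.

    Handles the three shapes a caller can meet: a dict with both 'desc'
    and 'info', a dict with 'desc' only (the case that crashed the
    installer), and an exception raised with no argument at all.
    """
    name = type(error).__name__
    details = error.args[0] if error.args else None
    if not isinstance(details, dict):
        # Not a python-ldap style result dict; fall back to plain text.
        return "%s: %s" % (name, details) if details is not None else name
    desc = details.get("desc", "")
    info = details.get("info")
    message = "%s: %s" % (name, desc) if desc else name
    if info:
        message = "%s (%s)" % (message, info)
    return message


def handle_error(error):
    """Return (message, exit code) like the installer's handle_error,
    but without raising a second exception for a missing 'info' key."""
    if isinstance(error, LDAPError):
        return describe_ldap_error(error), 1
    # Any other exception: report its class and text with the same exit code.
    return "%s: %s" % (type(error).__name__, error), 1


if __name__ == "__main__":
    # Constructed sample: the exact result dict from the quoted traceback.
    print(handle_error(NO_SUCH_OBJECT({"desc": "No such object"})))
```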
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 02 Jun 2015 17:16:00 +0200
Subject: [Freeipa-devel] [PATCH 0010] KeyError raised upon replica installation
In-Reply-To: <556DC6FF.6060703@redhat.com>
References: <556D80E5.6050802@redhat.com> <556D9F9A.1060802@redhat.com> <556DB556.90606@redhat.com> <556DC6FF.6060703@redhat.com>
Message-ID: <556DC8B0.2000200@redhat.com>

On 06/02/2015 05:08 PM, Ludwig Krispenz wrote:
>
> On 06/02/2015 03:53 PM, Petr Vobornik wrote:
>> On 06/02/2015 02:20 PM, Ludwig Krispenz wrote:
>>>
>>> On 06/02/2015 12:09 PM, Oleg Fayans wrote:
>>>> Hi all,
>>>>
>>>> The following error was caught during replica installation (I used all
>>>> the latest patches from Ludwig and Martin Basti):
>>
>> - except ldap.TYPE_OR_VALUE_EXISTS:
>> + except (ldap.TYPE_OR_VALUE_EXISTS, ldap.NO_SUCH_OBJECT):
>>
>> What happens if all replicas are updated and domain level is raised? I don't
>> think that the group will be populated. Or will it be? Without it, topology
>> plugin won't work, right?
> good point,
> it will be limited, when adding a new segment a replication agreement will be
> created, but it will not have the credentials to replicate.
>>
>> There should be a moment where all the DNs are added.
> yes, there could probably be a check when topology plugin gets active if the
> binddn group exists and if not create and populate it

Should we finally start maintaining by default IPA Masters hostgroup? *That* should be the BIND DN group which Topology plugin works with, no? If this group is populated from FreeIPA 4.2+, raising to Domain Level 1 would mean no operation needed on FreeIPA side.

This is part of the ticket
https://fedorahosted.org/freeipa/ticket/3416

This looks like another change that should make it to the Alpha, no?

Martin

From abokovoy at redhat.com Tue Jun 2 15:16:05 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 2 Jun 2015 18:16:05 +0300
Subject: [Freeipa-devel] [PATCH] Password vault
In-Reply-To: <556DC639.7090403@redhat.com>
References: <55004D5D.6060300@redhat.com> <550FE5EB.1070606@redhat.com> <551E0AE1.8040500@redhat.com> <553498D1.1020901@redhat.com> <55651209.8020000@redhat.com> <556558AA.6040107@redhat.com> <556CF209.7050404@redhat.com> <556D48F3.7040902@redhat.com> <556D9C66.2080706@redhat.com> <556DC639.7090403@redhat.com>
Message-ID: <20150602151605.GK15837@redhat.com>

On Tue, 02 Jun 2015, Martin Kosek wrote:
>> But it's not recommended since the data will be stored in the command history
>> and someone could see and decode it. I think passing a plain text password as
>> command line argument would be even worse. The --data parameter is mainly used
>> for unit testing.
>>
>> Later we might be able to add an option to read from standard input:
>>
>> # cat password.txt | ipa vault-archive --user mkosek --std-in
>
> Ok. Well, base64 + file input look as good enough for now. I was mostly
> concerned about usability of the solution for normal users as for a manual
> secret, it is not convenient to always create an interim file.
>
> We will see based on user experience, maybe Web UI or further CLI-only
> additions will be the answer.

Correct, this is a part that can and should be driven by actual use experience. Reading from the stdin is easy to implement (we have it done for password already) so maybe we can simply reuse password option here for such case, we even have a flag for omitting the confirmation prompt. This is a fairly small addition.

>>> 4) In the vault-archive forward method, you use "pki" module. However,
>>> this module will be only available on FreeIPA PKI-powered servers and
>>> not on FreeIPA clients - so this will not work unless freeipa-client
>>> gets a dependency on pki-base - which is definitely not something we
>>> want...
>>
>> In my opinion it should be fine to require pki-base on the client because it
>> contains just the client library, unless you have other concerns? Any
>> objections to having pki-nss and pki-cryptography dependencies on the client?
>>
>> Even if we can change the client code not to depend on "pki" module, since in
>> this framework the client and server code are written in the same plugin, the
>> "import pki" still cannot be removed since it's still needed by the server
>> code, and I don't think conditional import is a good programming practice.
>
> I have major concerns here. Look at the difference between installing
> "freeipa-client" and "freeipa-client + pki-base" on my F21:
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> $ sudo yum install freeipa-client
> ...
> Install  1 Package (+4 Dependent packages)
>
> Total download size: 2.6 M
> Installed size: 14 M
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> $ sudo yum install freeipa-client pki-base
> ...
> Install  2 Packages (+288 Dependent packages)
>
> Total download size: 160 M
> Installed size: 235 M
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> This is obviously a no-go for client. The conditional import is a smaller concern
> than big dependency growth on the client. We do them in trust plugin for
> example and it works fine (though I agree it is not ideal programming practice).
>
> IMO, we should limit new freeipa-client dependencies only to
> python-cryptography (or also python-nss in the worst case, in case
> python-cryptography is not enough) - there should be no pki dependencies at
> all, these should be only on the server side.

Yes, please use conditional import here, it is a perfectly valid use case for the client side.

-- 
/ Alexander Bokovoy

From lkrispen at redhat.com Tue Jun 2 15:24:18 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Tue, 02 Jun 2015 17:24:18 +0200
Subject: [Freeipa-devel] [PATCH 0010] KeyError raised upon replica installation
In-Reply-To: <556DC8B0.2000200@redhat.com>
References: <556D80E5.6050802@redhat.com> <556D9F9A.1060802@redhat.com> <556DB556.90606@redhat.com> <556DC6FF.6060703@redhat.com> <556DC8B0.2000200@redhat.com>
Message-ID: <556DCAA2.9050107@redhat.com>

On 06/02/2015 05:16 PM, Martin Kosek wrote:
> On 06/02/2015 05:08 PM, Ludwig Krispenz wrote:
>> On 06/02/2015 03:53 PM, Petr Vobornik wrote:
>>> On 06/02/2015 02:20 PM, Ludwig Krispenz wrote:
>>>> On 06/02/2015 12:09 PM, Oleg Fayans wrote:
>>>>> Hi all,
>>>>>
>>>>> The following error was caught during replica installation (I used all
>>>>> the latest patches from Ludwig and Martin Basti):
>>> - except ldap.TYPE_OR_VALUE_EXISTS:
>>> + except (ldap.TYPE_OR_VALUE_EXISTS, ldap.NO_SUCH_OBJECT):
>>>
>>> What happens if all replicas are updated and domain level is raised? I don't
>>> think that the group will be populated. Or will it be? Without it, topology
>>> plugin won't work, right?
>> good point,
>> it will be limited, when adding a new segment a replication agreement will be
>> created, but it will not have the credentials to replicate.
>>> There should be a moment where all the DNs are added.
>> yes, there could probably be a check when topology plugin gets active if the
>> binddn group exists and if not create and populate it
> Should we finally start maintaining by default IPA Masters hostgroup? *That*
> should be the BIND DN group which Topology plugin works with, no?

what would be the members of this group?
the binddn group needs all the ldap principals in it so that a replica can do gssapi replication to another replica.

> If this
> group is populated from FreeIPA 4.2+, raising to Domain Level 1 would mean no
> operation needed on FreeIPA side.
>
> This is part of the ticket
> https://fedorahosted.org/freeipa/ticket/3416
>
> This looks like another change that should make it to the Alpha, no?
>
> Martin

From mkosek at redhat.com Tue Jun 2 15:29:29 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 02 Jun 2015 17:29:29 +0200
Subject: [Freeipa-devel] [PATCH 0010] KeyError raised upon replica installation
In-Reply-To: <556DCAA2.9050107@redhat.com>
References: <556D80E5.6050802@redhat.com> <556D9F9A.1060802@redhat.com> <556DB556.90606@redhat.com> <556DC6FF.6060703@redhat.com> <556DC8B0.2000200@redhat.com> <556DCAA2.9050107@redhat.com>
Message-ID: <556DCBD9.1070803@redhat.com>

On 06/02/2015 05:24 PM, Ludwig Krispenz wrote:
>
> On 06/02/2015 05:16 PM, Martin Kosek wrote:
>> On 06/02/2015 05:08 PM, Ludwig Krispenz wrote:
>>> On 06/02/2015 03:53 PM, Petr Vobornik wrote:
>>>> On 06/02/2015 02:20 PM, Ludwig Krispenz wrote:
>>>>> On 06/02/2015 12:09 PM, Oleg Fayans wrote:
>>>>>> Hi all,
>>>>>>
>>>>>> The following error was caught during replica installation (I used all
>>>>>> the latest patches from Ludwig and Martin Basti):
>>>> - except ldap.TYPE_OR_VALUE_EXISTS:
>>>> + except (ldap.TYPE_OR_VALUE_EXISTS, ldap.NO_SUCH_OBJECT):
>>>>
>>>> What happens if all replicas are updated and domain level is raised? I don't
>>>> think that the group will be populated. Or will it be? Without it, topology
>>>> plugin won't work, right?
>>> good point,
>>> it will be limited, when adding a new segment a replication agreement will be
>>> created, but it will not have the credentials to replicate.
>>>> There should be a moment where all the DNs are added.
>>> yes, there could probably be a check when topology plugin gets active if the
>>> binddn group exists and if not create and populate it
>> Should we finally start maintaining by default IPA Masters hostgroup? *That*
>> should be the BIND DN group which Topology plugin works with, no?
> what would be the members of this group?
> the binddn group needs all the ldap principals in it so that a replica can do
> gssapi replication to another replica.

Ah. Hosts would be members of the group, i.e. host/server1.example.test principals. If this is the case, the IPA Masters group does not look that helpful.

I see you created "cn=replication managers,cn=etc,SUFFIX" group. I think this should work, with a couple of changes:

- it should rather be in "cn=sysaccounts,cn=etc,SUFFIX", where other similar groups are. See for example "cn=adtrust agents,cn=sysaccounts,cn=etc,SUFFIX" used for Trusts (populated by ipa-adtrust-install), it is exactly the same case, so it should follow the similar/same location and structure.
- the group should be populated during new installation of 4.2 or upgrade to 4.2 so that Domain Level raise does not need to be overloaded and generate this group by itself.

>> If this
>> group is populated from FreeIPA 4.2+, raising to Domain Level 1 would mean no
>> operation needed on FreeIPA side.
>>
>> This is part of the ticket
>> https://fedorahosted.org/freeipa/ticket/3416
>>
>> This looks like another change that should make it to the Alpha, no?
>>
>> Martin
>

From abokovoy at redhat.com Tue Jun 2 15:31:30 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 2 Jun 2015 18:31:30 +0300
Subject: [Freeipa-devel] [PATCH 0010] KeyError raised upon replica installation
In-Reply-To: <556DCAA2.9050107@redhat.com>
References: <556D80E5.6050802@redhat.com> <556D9F9A.1060802@redhat.com> <556DB556.90606@redhat.com> <556DC6FF.6060703@redhat.com> <556DC8B0.2000200@redhat.com> <556DCAA2.9050107@redhat.com>
Message-ID: <20150602153130.GL15837@redhat.com>

On Tue, 02 Jun 2015, Ludwig Krispenz wrote:
>
> On 06/02/2015 05:16 PM, Martin Kosek wrote:
>> On 06/02/2015 05:08 PM, Ludwig Krispenz wrote:
>>> On 06/02/2015 03:53 PM, Petr Vobornik wrote:
>>>> On 06/02/2015 02:20 PM, Ludwig Krispenz wrote:
>>>>> On 06/02/2015 12:09 PM, Oleg Fayans wrote:
>>>>>> Hi all,
>>>>>>
>>>>>> The following error was caught during replica installation (I used all
>>>>>> the latest patches from Ludwig and Martin Basti):
>>>> - except ldap.TYPE_OR_VALUE_EXISTS:
>>>> + except (ldap.TYPE_OR_VALUE_EXISTS, ldap.NO_SUCH_OBJECT):
>>>>
>>>> What happens if all replicas are updated and domain level is raised? I don't
>>>> think that the group will be populated. Or will it be? Without it, topology
>>>> plugin won't work, right?
>>> good point,
>>> it will be limited, when adding a new segment a replication agreement will be
>>> created, but it will not have the credentials to replicate.
>>>> There should be a moment where all the DNs are added.
>>> yes, there could probably be a check when topology plugin gets active if the
>>> binddn group exists and if not create and populate it
>> Should we finally start maintaining by default IPA Masters hostgroup? *That*
>> should be the BIND DN group which Topology plugin works with, no?
> what would be the members of this group?
> the binddn group needs all the ldap principals in it so that a replica
> can do gssapi replication to another replica.

They should be fqdn=ipa.master,...

For example, this is how cn=adtrust agents looks like for upcoming one-way trust:

# adtrust agents, sysaccounts, etc, t.vda.li
dn: cn=adtrust agents,cn=sysaccounts,cn=etc,dc=t,dc=vda,dc=li
objectClass: GroupOfNames
objectClass: top
objectClass: nestedgroup
cn: adtrust agents
memberOf: cn=ADTrust Agents,cn=privileges,cn=pbac,dc=t,dc=vda,dc=li
memberOf: cn=System: Read system trust accounts,cn=permissions,cn=pbac,dc=t,dc
 =vda,dc=li
member: krbprincipalname=cifs/ipa-01.t.vda.li@t.vda.li,cn=services,cn=accounts
 ,dc=t,dc=vda,dc=li
member: fqdn=ipa-01.t.vda.li,cn=computers,cn=accounts,dc=t,dc=vda,dc=li

As you can see, cifs/ipa.master and host/ipa.master are members of the group through their respective DNs -- for host/ipa.master the DN is fqdn=ipa.master,cn=computers,cn=accounts,$SUFFIX.

-- 
/ Alexander Bokovoy

From abokovoy at redhat.com Tue Jun 2 15:32:41 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 2 Jun 2015 18:32:41 +0300
Subject: [Freeipa-devel] [PATCH 0010] KeyError raised upon replica installation
In-Reply-To: <556DCBD9.1070803@redhat.com>
References: <556D80E5.6050802@redhat.com> <556D9F9A.1060802@redhat.com> <556DB556.90606@redhat.com> <556DC6FF.6060703@redhat.com> <556DC8B0.2000200@redhat.com> <556DCAA2.9050107@redhat.com> <556DCBD9.1070803@redhat.com>
Message-ID: <20150602153241.GM15837@redhat.com>

On Tue, 02 Jun 2015, Martin Kosek wrote:
> On 06/02/2015 05:24 PM, Ludwig Krispenz wrote:
>>
>> On 06/02/2015 05:16 PM, Martin Kosek wrote:
>>> On 06/02/2015 05:08 PM, Ludwig Krispenz wrote:
>>>> On 06/02/2015 03:53 PM, Petr Vobornik wrote:
>>>>> On 06/02/2015 02:20 PM, Ludwig Krispenz wrote:
>>>>>> On 06/02/2015 12:09 PM, Oleg Fayans wrote:
>>>>>>> Hi all,
>>>>>>>
>>>>>>> The following error was caught during replica installation (I used all
>>>>>>> the latest patches from Ludwig and Martin Basti):
>>>>> - except ldap.TYPE_OR_VALUE_EXISTS:
>>>>> + except (ldap.TYPE_OR_VALUE_EXISTS, ldap.NO_SUCH_OBJECT):
>>>>>
>>>>> What happens if all replicas are updated and domain level is raised? I don't
>>>>> think that the group will be populated. Or will it be? Without it, topology
>>>>> plugin won't work, right?
>>>> good point,
>>>> it will be limited, when adding a new segment a replication agreement will be
>>>> created, but it will not have the credentials to replicate.
>>>>> There should be a moment where all the DNs are added.
>>>> yes, there could probably be a check when topology plugin gets active if the
>>>> binddn group exists and if not create and populate it
>>> Should we finally start maintaining by default IPA Masters hostgroup? *That*
>>> should be the BIND DN group which Topology plugin works with, no?
>> what would be the members of this group?
>> the binddn group needs all the ldap principals in it so that a replica can do
>> gssapi replication to another replica.
>
> Ah. Hosts would be members of the group, i.e. host/server1.example.test
> principals. If this is the case, the IPA Masters group does not look that helpful.

No, host's DN is fqdn=ipa.master,cn=computers,cn=accounts,$SUFFIX. This is an exception in the way Kerberos services are addressed.

>
> I see you created "cn=replication managers,cn=etc,SUFFIX" group. I think this
> should work, with a couple of changes:
>
> - it should rather be in "cn=sysaccounts,cn=etc,SUFFIX", where other similar
> groups are. See for example "cn=adtrust agents,cn=sysaccounts,cn=etc,SUFFIX"
> used for Trusts (populated by ipa-adtrust-install), it is exactly the same
> case, so it should follow the similar/same location and structure.

Yep, see my other email with an example.

-- 
/ Alexander Bokovoy

From mkosek at redhat.com Tue Jun 2 15:35:11 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 02 Jun 2015 17:35:11 +0200
Subject: [Freeipa-devel] [PATCH 0010] KeyError raised upon replica installation
In-Reply-To: <20150602153241.GM15837@redhat.com>
References: <556D80E5.6050802@redhat.com> <556D9F9A.1060802@redhat.com> <556DB556.90606@redhat.com> <556DC6FF.6060703@redhat.com> <556DC8B0.2000200@redhat.com> <556DCAA2.9050107@redhat.com> <556DCBD9.1070803@redhat.com> <20150602153241.GM15837@redhat.com>
Message-ID: <556DCD2F.5080408@redhat.com>

On 06/02/2015 05:32 PM, Alexander Bokovoy wrote:
> On Tue, 02 Jun 2015, Martin Kosek wrote:
>> On 06/02/2015 05:24 PM, Ludwig Krispenz wrote:
>>>
>>> On 06/02/2015 05:16 PM, Martin Kosek wrote:
>>>> On 06/02/2015 05:08 PM, Ludwig Krispenz wrote:
>>>>> On 06/02/2015 03:53 PM, Petr Vobornik wrote:
>>>>>> On 06/02/2015 02:20 PM, Ludwig Krispenz wrote:
>>>>>>> On 06/02/2015 12:09 PM, Oleg Fayans wrote:
>>>>>>>> Hi all,
>>>>>>>>
>>>>>>>> The following error was caught during replica installation (I used all
>>>>>>>> the latest patches from Ludwig and Martin Basti):
>>>>>> - except ldap.TYPE_OR_VALUE_EXISTS:
>>>>>> + except (ldap.TYPE_OR_VALUE_EXISTS, ldap.NO_SUCH_OBJECT):
>>>>>>
>>>>>> What happens if all replicas are updated and domain level is raised? I don't
>>>>>> think that the group will be populated. Or will it be? Without it, topology
>>>>>> plugin won't work, right?
>>>>> good point,
>>>>> it will be limited, when adding a new segment a replication agreement will be
>>>>> created, but it will not have the credentials to replicate.
>>>>>> There should be a moment where all the DNs are added.
>>>>> yes, there could probably be a check when topology plugin gets active if the
>>>>> binddn group exists and if not create and populate it
>>>> Should we finally start maintaining by default IPA Masters hostgroup? *That*
>>>> should be the BIND DN group which Topology plugin works with, no?
>>> what would be the members of this group?
>>> the binddn group needs all the ldap principals in it so that a replica can do
>>> gssapi replication to another replica.
>>
>> Ah. Hosts would be members of the group, i.e. host/server1.example.test
>> principals. If this is the case, the IPA Masters group does not look that
>> helpful.
> No, host's DN is fqdn=ipa.master,cn=computers,cn=accounts,$SUFFIX. This
> is an exception in the way Kerberos services are addressed.

Sure. But my point here was that host principals (and a hostgroup) are not helpful here as DS will be authenticating with ldap/... principals.

>>
>> I see you created "cn=replication managers,cn=etc,SUFFIX" group. I think this
>> should work, with a couple of changes:
>>
>> - it should rather be in "cn=sysaccounts,cn=etc,SUFFIX", where other similar
>> groups are. See for example "cn=adtrust agents,cn=sysaccounts,cn=etc,SUFFIX"
>> used for Trusts (populated by ipa-adtrust-install), it is exactly the same
>> case, so it should follow the similar/same location and structure.
> Yep, see my other email with an example.
>

From abokovoy at redhat.com Tue Jun 2 15:41:22 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 2 Jun 2015 18:41:22 +0300
Subject: [Freeipa-devel] [PATCH 0010] KeyError raised upon replica installation
In-Reply-To: <556DCD2F.5080408@redhat.com>
References: <556D80E5.6050802@redhat.com> <556D9F9A.1060802@redhat.com> <556DB556.90606@redhat.com> <556DC6FF.6060703@redhat.com> <556DC8B0.2000200@redhat.com> <556DCAA2.9050107@redhat.com> <556DCBD9.1070803@redhat.com> <20150602153241.GM15837@redhat.com> <556DCD2F.5080408@redhat.com>
Message-ID: <20150602154122.GN15837@redhat.com>

On Tue, 02 Jun 2015, Martin Kosek wrote:
> On 06/02/2015 05:32 PM, Alexander Bokovoy wrote:
>> On Tue, 02 Jun 2015, Martin Kosek wrote:
>>> On 06/02/2015 05:24 PM, Ludwig Krispenz wrote:
>>>>
>>>> On 06/02/2015 05:16 PM, Martin Kosek wrote:
>>>>> On 06/02/2015 05:08 PM, Ludwig Krispenz wrote:
>>>>>> On 06/02/2015 03:53 PM, Petr Vobornik wrote:
>>>>>>> On 06/02/2015 02:20 PM, Ludwig Krispenz wrote:
>>>>>>>> On 06/02/2015 12:09 PM, Oleg Fayans wrote:
>>>>>>>>> Hi all,
>>>>>>>>>
>>>>>>>>> The following error was caught during replica installation (I used all
>>>>>>>>> the latest patches from Ludwig and Martin Basti):
>>>>>>> - except ldap.TYPE_OR_VALUE_EXISTS:
>>>>>>> + except (ldap.TYPE_OR_VALUE_EXISTS, ldap.NO_SUCH_OBJECT):
>>>>>>>
>>>>>>> What happens if all replicas are updated and domain level is raised? I don't
>>>>>>> think that the group will be populated. Or will it be? Without it, topology
>>>>>>> plugin won't work, right?
>>>>>> good point,
>>>>>> it will be limited, when adding a new segment a replication agreement will be
>>>>>> created, but it will not have the credentials to replicate.
>>>>>>> There should be a moment where all the DNs are added.
>>>>>> yes, there could probably be a check when topology plugin gets active if the
>>>>>> binddn group exists and if not create and populate it
>>>>> Should we finally start maintaining by default IPA Masters hostgroup? *That*
>>>>> should be the BIND DN group which Topology plugin works with, no?
>>>> what would be the members of this group?
>>>> the binddn group needs all the ldap principals in it so that a replica can do
>>>> gssapi replication to another replica.
>>>
>>> Ah. Hosts would be members of the group, i.e. host/server1.example.test
>>> principals. If this is the case, the IPA Masters group does not look that
>>> helpful.
>> No, host's DN is fqdn=ipa.master,cn=computers,cn=accounts,$SUFFIX. This
>> is an exception in the way Kerberos services are addressed.
>
> Sure. But my point here was that host principals (and a hostgroup) are not
> helpful here as DS will be authenticating with ldap/... principals.

Correct, so you need to go one step more and simply add krbprincipalname=ldap/ipa.master,... to the list. You know that if the host is in the IPA Masters hostgroup, then it has to have an ldap service, and if it is not, then it is not a master, so you'd skip that one.

-- 
/ Alexander Bokovoy

From mkosek at redhat.com Tue Jun 2 15:45:05 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 02 Jun 2015 17:45:05 +0200
Subject: [Freeipa-devel] [PATCH 0010] KeyError raised upon replica installation
In-Reply-To: <20150602154122.GN15837@redhat.com>
References: <556D80E5.6050802@redhat.com> <556D9F9A.1060802@redhat.com> <556DB556.90606@redhat.com> <556DC6FF.6060703@redhat.com> <556DC8B0.2000200@redhat.com> <556DCAA2.9050107@redhat.com> <556DCBD9.1070803@redhat.com> <20150602153241.GM15837@redhat.com> <556DCD2F.5080408@redhat.com> <20150602154122.GN15837@redhat.com>
Message-ID: <556DCF81.7060905@redhat.com>

On 06/02/2015 05:41 PM, Alexander Bokovoy wrote:
> On Tue, 02 Jun 2015, Martin Kosek wrote:
>> On 06/02/2015 05:32 PM, Alexander Bokovoy wrote:
>>> On Tue, 02 Jun 2015, Martin Kosek wrote:
>>>> On 06/02/2015 05:24 PM, Ludwig Krispenz wrote:
>>>>>
>>>>> On 06/02/2015 05:16 PM, Martin Kosek wrote:
>>>>>> On 06/02/2015 05:08 PM, Ludwig Krispenz wrote:
>>>>>>> On 06/02/2015 03:53 PM, Petr Vobornik wrote:
>>>>>>>> On 06/02/2015 02:20 PM, Ludwig Krispenz wrote:
>>>>>>>>> On 06/02/2015 12:09 PM, Oleg Fayans wrote:
>>>>>>>>>> Hi all,
>>>>>>>>>>
>>>>>>>>>> The following error was caught during replica installation (I used all
>>>>>>>>>> the latest patches from Ludwig and Martin Basti):
>>>>>>>> - except ldap.TYPE_OR_VALUE_EXISTS:
>>>>>>>> + except (ldap.TYPE_OR_VALUE_EXISTS, ldap.NO_SUCH_OBJECT):
>>>>>>>>
>>>>>>>> What happens if all replicas are updated and domain level is raised? I
>>>>>>>> don't think that the group will be populated. Or will it be? Without it,
>>>>>>>> topology plugin won't work, right?
>>>>>>> good point,
>>>>>>> it will be limited, when adding a new segment a replication agreement
>>>>>>> will be created, but it will not have the credentials to replicate.
>>>>>>>> There should be a moment where all the DNs are added.
>>>>>>> yes, there could probably be a check when topology plugin gets active if
>>>>>>> the binddn group exists and if not create and populate it
>>>>>> Should we finally start maintaining by default IPA Masters hostgroup? *That*
>>>>>> should be the BIND DN group which Topology plugin works with, no?
>>>>> what would be the members of this group?
>>>>> the binddn group needs all the ldap principals in it so that a replica can do
>>>>> gssapi replication to another replica.
>>>>
>>>> Ah. Hosts would be members of the group, i.e. host/server1.example.test
>>>> principals. If this is the case, the IPA Masters group does not look that
>>>> helpful.
>>> No, host's DN is fqdn=ipa.master,cn=computers,cn=accounts,$SUFFIX. This
>>> is an exception in the way Kerberos services are addressed.
>>
>> Sure. But my point here was that host principals (and a hostgroup) are not
>> helpful here as DS will be authenticating with ldap/... principals.
> Correct, so you need to go one step more and simply add
> krbprincipalname=ldap/ipa.master,... to the list. You know that if the
> host is in the IPA Masters hostgroup, then it has to have an ldap service, and if
> it is not, then it is not a master, so you'd skip that one.

Ah, so this is what you thought. I am not sure here, I do not think we made services members of host group in the past. And I am not convinced we want to start with it now. CCing Simo for reference.

Wouldn't a system group (sysaccounts) of "replication managers" with just the ldap/ principals be cleaner and perfectly in line with what we did with "cn=adtrust agents,cn=sysaccounts,cn=etc,SUFFIX"?

From ssorce at redhat.com Tue Jun 2 15:48:08 2015
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 02 Jun 2015 11:48:08 -0400
Subject: [Freeipa-devel] [PATCH 0010] KeyError raised upon replica installation
In-Reply-To: <556DCF81.7060905@redhat.com>
References: <556D80E5.6050802@redhat.com> <556D9F9A.1060802@redhat.com> <556DB556.90606@redhat.com> <556DC6FF.6060703@redhat.com> <556DC8B0.2000200@redhat.com> <556DCAA2.9050107@redhat.com> <556DCBD9.1070803@redhat.com> <20150602153241.GM15837@redhat.com> <556DCD2F.5080408@redhat.com> <20150602154122.GN15837@redhat.com> <556DCF81.7060905@redhat.com>
Message-ID: <1433260088.4846.34.camel@willson.usersys.redhat.com>

On Tue, 2015-06-02 at 17:45 +0200, Martin Kosek wrote:
> On 06/02/2015 05:41 PM, Alexander Bokovoy wrote:
> > On Tue, 02 Jun 2015, Martin Kosek wrote:
> >> On 06/02/2015 05:32 PM, Alexander Bokovoy wrote:
> >>> On Tue, 02 Jun 2015, Martin Kosek wrote:
> >>>> On 06/02/2015 05:24 PM, Ludwig Krispenz wrote:
> >>>>>
> >>>>> On 06/02/2015 05:16 PM, Martin Kosek wrote:
> >>>>>> On 06/02/2015 05:08 PM, Ludwig Krispenz wrote:
> >>>>>>> On 06/02/2015 03:53 PM, Petr Vobornik wrote:
> >>>>>>>> On 06/02/2015 02:20 PM, Ludwig Krispenz wrote:
> >>>>>>>>> On 06/02/2015 12:09 PM, Oleg Fayans wrote:
> >>>>>>>>>> Hi all,
> >>>>>>>>>>
> >>>>>>>>>> The following error was caught during replica installation (I used all
> >>>>>>>>>> the latest patches from Ludwig and Martin Basti):
> >>>>>>>> - except ldap.TYPE_OR_VALUE_EXISTS:
> >>>>>>>> + except (ldap.TYPE_OR_VALUE_EXISTS, ldap.NO_SUCH_OBJECT):
> >>>>>>>>
> >>>>>>>> What happens if all replicas are updated and domain level is raised? I
> >>>>>>>> don't
> >>>>>>>> think that the group will be populated. Or will it be? Without it,
> >>>>>>>> topology
> >>>>>>>> plugin won't work, right?
> >>>>>>> good point,
> >>>>>>> it will be limited, when adding a new segment a replication agreement
> >>>>>>> will be
> >>>>>>> created, but it will not have the credentials to replicate.
> >>>>>>>> There should be a moment where all the DNs are added.
> >>>>>>> yes, there could probably be a check when topology plugin gets active if
> >>>>>>> the
> >>>>>>> binddn group exists and if not create and populate it
> >>>>>> Should we finally start maintaining by default IPA Masters hostgroup? *That*
> >>>>>> should be the BIND DN group which Topology plugins works with, no?
> >>>>> what would be the members of this group ?
> >>>>> the binddn group needs all the ldap principals in it so that a replica can do
> >>>>> gssapi replication to another replica.
> >>>>
> >>>> Ah. Hosts would be members of the group, i.e. host/server1.example.test
> >>>> principals. If this is the case, the IPA Masters group does not look that
> >>>> helpful.
> >>> No, host's DN is fqdn=ipa.master,cn=computers,cn=accounts,$SUFFIX. This
> >>> is exception in the way Kerberos services addressed.
> >>
> >> Sure. But my point here was that host principals (and a hostgroup) are not
> >> helpful here as DS will be authenticating with ldap/... principals.
> > Correct, so you need to go one step more and simply add
> > krbprincipalname=ldap/ipa.master,... to the list. You know that if the
> > host from IPA Masters hostgroup, then it has to have ldap service and if
> > it is not, then it is not a master, so you'd skip that one.
>
> Ah, so this is what you thought. I am not sure here, I do not think we made
> services members of host group in the past. And I am not convinced we want to
> start with it now. CCing Simo for reference.
>
> Wouldn't a system group (sysaccounts) of "replication managers" with just the
> ldap/ principals be cleaner and perfectly in line with what we did with "cn=adtrust
> agents,cn=sysaccounts,cn=etc,SUFFIX"?

I do not have a strong preference, the advantage of a host group is that
admins can see and manipulate it ... and that is also the disadvantage
in this case. As it is a great way to break replication.
So perhaps, yes, having a masters groups under sysaccount may be safer
for now.

Simo.

From abokovoy at redhat.com Tue Jun 2 16:00:41 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 2 Jun 2015 19:00:41 +0300
Subject: [Freeipa-devel] [PATCH 0010] KeyError raised upon replica installation
In-Reply-To: <1433260088.4846.34.camel@willson.usersys.redhat.com>
References: <556DB556.90606@redhat.com> <556DC6FF.6060703@redhat.com> <556DC8B0.2000200@redhat.com> <556DCAA2.9050107@redhat.com> <556DCBD9.1070803@redhat.com> <20150602153241.GM15837@redhat.com> <556DCD2F.5080408@redhat.com> <20150602154122.GN15837@redhat.com> <556DCF81.7060905@redhat.com> <1433260088.4846.34.camel@willson.usersys.redhat.com>
Message-ID: <20150602160041.GO15837@redhat.com>

On Tue, 02 Jun 2015, Simo Sorce wrote:
>On Tue, 2015-06-02 at 17:45 +0200, Martin Kosek wrote:
>> On 06/02/2015 05:41 PM, Alexander Bokovoy wrote:
>> > On Tue, 02 Jun 2015, Martin Kosek wrote:
>> >> On 06/02/2015 05:32 PM, Alexander Bokovoy wrote:
>> >>> On Tue, 02 Jun 2015, Martin Kosek wrote:
>> >>>> On 06/02/2015 05:24 PM, Ludwig Krispenz wrote:
>> >>>>>
>> >>>>> On 06/02/2015 05:16 PM, Martin Kosek wrote:
>> >>>>>> On 06/02/2015 05:08 PM, Ludwig Krispenz wrote:
>> >>>>>>> On 06/02/2015 03:53 PM, Petr Vobornik wrote:
>> >>>>>>>> On 06/02/2015 02:20 PM, Ludwig Krispenz wrote:
>> >>>>>>>>> On 06/02/2015 12:09 PM, Oleg Fayans wrote:
>> >>>>>>>>>> Hi all,
>> >>>>>>>>>>
>> >>>>>>>>>> The following error was caught during replica installation (I used all
>> >>>>>>>>>> the latest patches from Ludwig and Martin Basti):
>> >>>>>>>> - except ldap.TYPE_OR_VALUE_EXISTS:
>> >>>>>>>> + except (ldap.TYPE_OR_VALUE_EXISTS, ldap.NO_SUCH_OBJECT):
>> >>>>>>>>
>> >>>>>>>> What happens if all replicas are updated and domain level is raised? I
>> >>>>>>>> don't
>> >>>>>>>> think that the group will be populated. Or will it be? Without it,
>> >>>>>>>> topology
>> >>>>>>>> plugin won't work, right?
>> >>>>>>> good point,
>> >>>>>>> it will be limited, when adding a new segment a replication agreement
>> >>>>>>> will be
>> >>>>>>> created, but it will not have the credentials to replicate.
>> >>>>>>>> There should be a moment where all the DNs are added.
>> >>>>>>> yes, there could probably be a check when topology plugin gets active if
>> >>>>>>> the
>> >>>>>>> binddn group exists and if not create and populate it
>> >>>>>> Should we finally start maintaining by default IPA Masters hostgroup? *That*
>> >>>>>> should be the BIND DN group which Topology plugins works with, no?
>> >>>>> what would be the members of this group ?
>> >>>>> the binddn group needs all the ldap principals in it so that a replica can do
>> >>>>> gssapi replication to another replica.
>> >>>>
>> >>>> Ah. Hosts would be members of the group, i.e. host/server1.example.test
>> >>>> principals. If this is the case, the IPA Masters group does not look that
>> >>>> helpful.
>> >>> No, host's DN is fqdn=ipa.master,cn=computers,cn=accounts,$SUFFIX. This
>> >>> is exception in the way Kerberos services addressed.
>> >>
>> >> Sure. But my point here was that host principals (and a hostgroup) are not
>> >> helpful here as DS will be authenticating with ldap/... principals.
>> > Correct, so you need to go one step more and simply add
>> > krbprincipalname=ldap/ipa.master,... to the list. You know that if the
>> > host from IPA Masters hostgroup, then it has to have ldap service and if
>> > it is not, then it is not a master, so you'd skip that one.
>>
>> Ah, so this is what you thought. I am not sure here, I do not think we made
>> services members of host group in the past. And I am not convinced we want to
>> start with it now. CCing Simo for reference.
>>
>> Wouldn't a system group (sysaccounts) of "replication managers" with just the
>> ldap/ principals be cleaner and perfectly in line with what we did with "cn=adtrust
>> agents,cn=sysaccounts,cn=etc,SUFFIX"?
>
>I do not have a strong preference, the advantage of a host group is that
>admins can see and manipulate it ... and that is also the disadvantage
>in this case. As it is a great way to break replication.
>So perhaps, yes, having a masters groups under sysaccount may be safer
>for now.

I'm fine to have that too, we rely on it in trusts case so just follow
the pattern.

-- 
/ Alexander Bokovoy

From mbasti at redhat.com Tue Jun 2 16:37:42 2015
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 02 Jun 2015 18:37:42 +0200
Subject: [Freeipa-devel] [PATCHES 0001-0013 v5.1] Profiles and CA ACLs
In-Reply-To: <20150602121127.GU23523@dhcp-40-8.bne.redhat.com>
References: <555DD39C.3070103@redhat.com> <20150526155930.GI13469@dhcp-40-8.bne.redhat.com> <20150527140434.GD24915@dhcp-40-8.bne.redhat.com> <5566E484.7080809@redhat.com> <55670D4D.9080302@redhat.com> <20150529041754.GE23523@dhcp-40-8.bne.redhat.com> <55682FB0.1030807@redhat.com> <55684792.3070006@redhat.com> <20150601071058.GI23523@dhcp-40-8.bne.redhat.com> <20150601072228.GJ23523@dhcp-40-8.bne.redhat.com> <20150602121127.GU23523@dhcp-40-8.bne.redhat.com>
Message-ID: <556DDBD6.70007@redhat.com>

On 02/06/15 14:11, Fraser Tweedale wrote:
> On Mon, Jun 01, 2015 at 05:22:28PM +1000, Fraser Tweedale wrote:
>> On Mon, Jun 01, 2015 at 05:10:58PM +1000, Fraser Tweedale wrote:
>>> On Fri, May 29, 2015 at 01:03:46PM +0200, Martin Kosek wrote:
>>>> On 05/29/2015 11:21 AM, Martin Basti wrote:
>>>>> On 29/05/15 06:17, Fraser Tweedale wrote:
>>>>>> On Thu, May 28, 2015 at 02:42:53PM +0200, Martin Basti wrote:
>>>>>>> On 28/05/15 11:48, Martin Basti wrote:
>>>>>>>> On 27/05/15 16:04, Fraser Tweedale wrote:
>>>>>>>>> Hello all,
>>>>>>>>>
>>>>>>>>> Fresh certificate management patchset; Changelog:
>>>>>>>>>
>>>>>>>>> - Now depends on patch freeipa-ftweedal-0014 for correct
>>>>>>>>> cert-request behaviour with host and service principals.
>>>>>>>>>
>>>>>>>>> - Updated Dogtag dependency to 10.2.4-1. Should be in
>>>>>>>>> f22 soon, but for f22 right now or for f21, please grab from my
>>>>>>>>> copr: https://copr.fedoraproject.org/coprs/ftweedal/freeipa/
>>>>>>>>>
>>>>>>>>> Martin^1 could you please add to the quasi-official freeipa
>>>>>>>>> copr? SRPM lives at
>>>>>>>>> https://frase.id.au/pki-core-10.2.4-1.fc21.src.rpm.
>>>>>>>>>
>>>>>>>>> - cert-request now verifies that for user principals, CSR CN
>>>>>>>>> matches uid and, DN emailAddress and SAN rfc822Name match user's
>>>>>>>>> email address, if either of those is present.
>>>>>>>>>
>>>>>>>>> - Fixed one or two other sneaky little bugs.
>>>>>>>>>
>>>>>>>>> On Wed, May 27, 2015 at 01:59:30AM +1000, Fraser Tweedale wrote:
>>>>>>>>>> Hi all,
>>>>>>>>>>
>>>>>>>>>> Please find attached the latest certificate management
>>>>>>>>>> patchset, which introduces the `caacl' plugin and various fixes
>>>>>>>>>> and improvement to earlier patches.
>>>>>>>>>>
>>>>>>>>>> One important change to earlier patches is reverting the name
>>>>>>>>>> of the default profile to 'caIPAserviceCert' and using the
>>>>>>>>>> existing instance of this profile on upgrade (but not install)
>>>>>>>>>> in case it has been modified.
>>>>>>>>>>
>>>>>>>>>> Other notes:
>>>>>>>>>>
>>>>>>>>>> - Still have changes in ipa-server-install (fewer lines now,
>>>>>>>>>> though)
>>>>>>>>>>
>>>>>>>>>> - Still have the ugly import hack. It is not a high priority
>>>>>>>>>> for me, i.e. I think it should wait until after alpha
>>>>>>>>>>
>>>>>>>>>> - Still need to update 'service' and 'host' plugins to support
>>>>>>>>>> multiple certificates. (The userCertificate attribute schema
>>>>>>>>>> itself is multi-valued, so there are no schema issues here)
>>>>>>>>>>
>>>>>>>>>> - The TODOs in [1]; mostly certprofile CLI conveniences and
>>>>>>>>>> supporting multiple profiles for hosts and services (which
>>>>>>>>>> requires changes to framework only, not schema). [1]:
>>>>>>>>>> http://idm.etherpad.corp.redhat.com/rhel72-cert-mgmt-progress
>>>>>>>>>>
>>>>>>>>>> Happy reviewing! I am pleased with the initial cut of the
>>>>>>>>>> caacl plugin but I'm sure you will find some things to be fixed
>>>>>>>>>> :)
>>>>>>>>>>
>>>>>>>>>> Cheers, Fraser
>>>>>>>> [root at vm-093 ~]# ipa-replica-prepare vm-094.example.com
>>>>>>>> --ip-address 10.34.78.94 Directory Manager (existing master)
>>>>>>>> password:
>>>>>>>>
>>>>>>>> Preparing replica for vm-094.example.com from vm-093.example.com
>>>>>>>> Creating SSL certificate for the Directory Server not well-formed
>>>>>>>> (invalid token): line 2, column 14
>>>>>>>>
>>>>>>>> I cannot create replica file. It works on the upgraded server,
>>>>>>>> but it doesn't work on the newly installed server. I'm not sure
>>>>>>>> if this causes your patches which modifies the ca-installer, or
>>>>>>>> the newer version of dogtag.
>>>>>>>>
>>>>>>>> Or if there were any other changes in master, I will continue to
>>>>>>>> investigate with new RPM from master branch.
>>>>>>>>
>>>>>>>> Martin^2
>>>>>>>>
>>>>>>> ipa-replica-prepare works for:
>>>>>>> * master branch
>>>>>>> * master branch + pki-ca 10.2.4-1
>>>>>>>
>>>>>>> So something in your patches is breaking it
>>>>>>>
>>>>>>> Martin^2
>>>>>>>
>>>>>> Martin, master + my patches with pki 10.2.4-1 is working for me on
>>>>>> f21 and f22. Can you provide ipa-replica-prepare --debug output and
>>>>>> Dogtag debug log? ( /var/log/pki/pki-tomcat/ca/debug )
>>>>>>
>>>>>> Thanks,
>>>>>> Fraser
>>>>> I can not reproduce it today. And I already recycled the VMs from yesterday. :-(
>>>>>
>>>> In that case I would suggest ACKing&pushing the patch and fixing the bug if
>>>> it comes again. The tree may now be a bit unstable, given the number of
>>>> patches going in.
>>>>
>>>> My main motivation here is to unblock Fraser.
>>>>
>>>> Thanks,
>>>> Martin
>>> Rebased patchset attached; no other changes.
>> Heads up: I just discovered I have introduced a bug with
>> ipa-replica-install, when it is spawning the CA instance. I think
>> replication it only causes issues with ``--setup-ca``.
>>
>> I will try and sort it out tomorrow or later tonight (I have to head
>> out for a few hours now, though); and I'm not suggesting it should
>> block the push but it's something to be aware of.
>>
>> Cheers,
>> Fraser
>>
> New patchset attached; haven't gotten to the bottom of the
> ipa-replica-install issue mentioned above, but it fixes an upgrade
> bug.
>
> The change is:
>
> diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
> index c288282..c5f4d37 100644
> --- a/ipaserver/install/server/upgrade.py
> +++ b/ipaserver/install/server/upgrade.py
> @@ -316,7 +316,7 @@ def ca_enable_ldap_profile_subsystem(ca):
> caconfig.CS_CFG_PATH,
> directive,
> separator='=')
> - if value == 'ProfileSubsystem':
> + if value == 'com.netscape.cmscore.profile.ProfileSubsystem':
> needs_update = True
> break
> except OSError, e:
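Review bot: the comparison `if value == 'com.netscape.cmscore.profile.ProfileSubsystem':` in this hunk is an exact string match, and nothing in the hunk reports the value when it matches neither the new spelling nor the old bare 'ProfileSubsystem', so a CS.cfg whose directive carries stray whitespace or another spelling leaves needs_update False and the upgrade silently does nothing. Comparing against value.strip() and logging the unexpected value (the thread already sends people to /var/log/ipaupgrade.log) would make such a no-op upgrade visible. The fully qualified class name is also written out as a literal here and again as 'com.netscape.cmscore.profile.LDAPProfileSubsystem' in the following hunk; hoisting both into module-level constants keeps the check and the replacement from drifting apart.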
> @@ -328,7 +328,7 @@ def ca_enable_ldap_profile_subsystem(ca):
> installutils.set_directive(
> caconfig.CS_CFG_PATH,
> directive,
> - 'LDAPProfileSubsystem',
> + 'com.netscape.cmscore.profile.LDAPProfileSubsystem',
> quotes=False,
> separator='=')
>
> Cheers,
> Fraser
>
>
Thank you,

1) ipa-getcert request (getcert -c IPA) doesn't work,

Request ID '20150602145845':
    status: CA_REJECTED
    ca-error: Server at https://vm-137.example.com/ipa/xml denied our request, giving up: 3007 (RPC failed at server. 'profile_id' is required).

2) Error from rpm install

Unexpected error - see /var/log/ipaupgrade.log for details:
SkipPluginModule: dogtag not selected as RA plugin

Just for record as known issue, this will be fixed later in a new patch.

3)
+ Str('profile_id', validate_profile_id,
+ label=_("Profile ID"),
+ doc=_("Certificate Profile to use"),
+ )

Please mark this param as optional. ('profile_id?')
This will fix issue 1, but 1 will need an option to specify profile_id

Also move API related change from patch 9 to patch 11 + increment VERSION

4)
* Maybe I do everything wrong :)

I'm not able to create certificate stored in FILE, via ipa-getcert request.
I'm getting error:
    status: CA_UNREACHABLE
    ca-error: Server at https://vm-137.example.com/ipa/xml failed request, will retry: 4001 (RPC failed at server. vm-137.example.com at example.com: host not found).

or error:
Request ID '20150602154115':
    status: CA_REJECTED
    ca-error: Server at https://vm-137.example.com/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: not allowed to perform this command).
(I'm root and kinited as admin)

Maybe additional ACI is required for cert_request as it is VirtualCommand

-- 
Martin Basti
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From mkosek at redhat.com Tue Jun 2 16:53:41 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 02 Jun 2015 18:53:41 +0200
Subject: [Freeipa-devel] [PATCH 0010] KeyError raised upon replica installation
In-Reply-To: <20150602160041.GO15837@redhat.com>
References: <556DB556.90606@redhat.com> <556DC6FF.6060703@redhat.com> <556DC8B0.2000200@redhat.com> <556DCAA2.9050107@redhat.com> <556DCBD9.1070803@redhat.com> <20150602153241.GM15837@redhat.com> <556DCD2F.5080408@redhat.com> <20150602154122.GN15837@redhat.com> <556DCF81.7060905@redhat.com> <1433260088.4846.34.camel@willson.usersys.redhat.com> <20150602160041.GO15837@redhat.com>
Message-ID: <556DDF95.8080209@redhat.com>

On 06/02/2015 06:00 PM, Alexander Bokovoy wrote:
> On Tue, 02 Jun 2015, Simo Sorce wrote:
>> On Tue, 2015-06-02 at 17:45 +0200, Martin Kosek wrote:
>>> On 06/02/2015 05:41 PM, Alexander Bokovoy wrote:
>>> > On Tue, 02 Jun 2015, Martin Kosek wrote:
>>> >> On 06/02/2015 05:32 PM, Alexander Bokovoy wrote:
>>> >>> On Tue, 02 Jun 2015, Martin Kosek wrote:
>>> >>>> On 06/02/2015 05:24 PM, Ludwig Krispenz wrote:
>>> >>>>>
>>> >>>>> On 06/02/2015 05:16 PM, Martin Kosek wrote:
>>> >>>>>> On 06/02/2015 05:08 PM, Ludwig Krispenz wrote:
>>> >>>>>>> On 06/02/2015 03:53 PM, Petr Vobornik wrote:
>>> >>>>>>>> On 06/02/2015 02:20 PM, Ludwig Krispenz wrote:
>>> >>>>>>>>> On 06/02/2015 12:09 PM, Oleg Fayans wrote:
>>> >>>>>>>>>> Hi all,
>>> >>>>>>>>>>
>>> >>>>>>>>>> The following error was caught during replica installation (I
>>> used all
>>> >>>>>>>>>> the latest patches from Ludwig and Martin Basti):
>>> >>>>>>>> - except ldap.TYPE_OR_VALUE_EXISTS:
>>> >>>>>>>> + except (ldap.TYPE_OR_VALUE_EXISTS, ldap.NO_SUCH_OBJECT):
>>> >>>>>>>>
>>> >>>>>>>> What happens if all replicas are updated and domain level is raised? I
>>> >>>>>>>> don't
>>> >>>>>>>> think that the group will be populated. Or will it be? Without it,
>>> >>>>>>>> topology
>>> >>>>>>>> plugin won't work, right?
>>> >>>>>>> good point,
>>> >>>>>>> it will be limited, when adding a new segment a replication agreement
>>> >>>>>>> will be
>>> >>>>>>> created, but it will not have the credentials to replicate.
>>> >>>>>>>> There should be a moment where all the DNs are added.
>>> >>>>>>> yes, there could probably be a check when topology plugin gets
>>> active if
>>> >>>>>>> the
>>> >>>>>>> binddn group exists and if not create and populate it
>>> >>>>>> Should we finally start maintaining by default IPA Masters hostgroup?
>>> *That*
>>> >>>>>> should be the BIND DN group which Topology plugins works with, no?
>>> >>>>> what would be the members of this group ?
>>> >>>>> the binddn group needs all the ldap principals in it so that a replica
>>> can do
>>> >>>>> gssapi replication to another replica.
>>> >>>>
>>> >>>> Ah. Hosts would be members of the group, i.e. host/server1.example.test
>>> >>>> principals. If this is the case, the IPA Masters group does not look that
>>> >>>> helpful.
>>> >>> No, host's DN is fqdn=ipa.master,cn=computers,cn=accounts,$SUFFIX. This
>>> >>> is exception in the way Kerberos services addressed.
>>> >>
>>> >> Sure. But my point here was that host principals (and a hostgroup) are not
>>> >> helpful here as DS will be authenticating with ldap/... principals.
>>> > Correct, so you need to go one step more and simply add
>>> > krbprincipalname=ldap/ipa.master,... to the list. You know that if the
>>> > host from IPA Masters hostgroup, then it has to have ldap service and if
>>> > it is not, then it is not a master, so you'd skip that one.
>>>
>>> Ah, so this is what you thought. I am not sure here, I do not think we made
>>> services members of host group in the past. And I am not convinced we want to
>>> start with it now. CCing Simo for reference.
>>>
>>> Wouldn't a system group (sysaccounts) of "replication managers" with just the
>>> ldap/ principals be cleaner and perfectly in line with what we did with "cn=adtrust
>>> agents,cn=sysaccounts,cn=etc,SUFFIX"?
>>
>> I do not have a strong preference, the advantage of a host group is that
>> admins can see and manipulate it ... and that is also the disadvantage
>> in this case. As it is a great way to break replication.
>> So perhaps, yes, having a masters groups under sysaccount may be safer
>> for now.
> I'm fine to have that too, we rely on it in trusts case so just follow
> the pattern.

Cool! Who will do the work and make sure the group and the members are properly set on installation and upgrades? Petr1, Jan or anyone else?
(The group should also move to sysaccounts container with this change).

From mkosek at redhat.com Tue Jun 2 16:54:57 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 02 Jun 2015 18:54:57 +0200
Subject: [Freeipa-devel] [PATCHES 0001-0013 v5.1] Profiles and CA ACLs
In-Reply-To: <556DDBD6.70007@redhat.com>
References: <555DD39C.3070103@redhat.com> <20150526155930.GI13469@dhcp-40-8.bne.redhat.com> <20150527140434.GD24915@dhcp-40-8.bne.redhat.com> <5566E484.7080809@redhat.com> <55670D4D.9080302@redhat.com> <20150529041754.GE23523@dhcp-40-8.bne.redhat.com> <55682FB0.1030807@redhat.com> <55684792.3070006@redhat.com> <20150601071058.GI23523@dhcp-40-8.bne.redhat.com> <20150601072228.GJ23523@dhcp-40-8.bne.redhat.com> <20150602121127.GU23523@dhcp-40-8.bne.redhat.com> <556DDBD6.70007@redhat.com>
Message-ID: <556DDFE1.9080603@redhat.com>

On 06/02/2015 06:37 PM, Martin Basti wrote:
> On 02/06/15 14:11, Fraser Tweedale wrote:
>> On Mon, Jun 01, 2015 at 05:22:28PM +1000, Fraser Tweedale wrote:
...
> 4)
> * Maybe I do everything wrong :)
>
> I'm not able to create certificate stored in FILE, via ipa-getcert request.
> I'm getting error:
> status: CA_UNREACHABLE
> ca-error: Server at https://vm-137.example.com/ipa/xml failed request,
> will retry: 4001 (RPC failed at server. vm-137.example.com at example.com: host
> not found).
>
> or error:
> Request ID '20150602154115':
> status: CA_REJECTED
> ca-error: Server at https://vm-137.example.com/ipa/xml denied our request,
> giving up: 2100 (RPC failed at server. Insufficient access: not allowed to
> perform this command).
> (I'm root and kinited as admin)
>
> Maybe additional ACI is required for cert_request as it is VirtualCommand

Note that even if you run ipa-getcert kinited as root/admin, it asks certmonger to do that job and certmonger works as host/... principal.

From pvoborni at redhat.com Tue Jun 2 16:59:32 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 02 Jun 2015 18:59:32 +0200
Subject: [Freeipa-devel] [PATCH 0010] KeyError raised upon replica installation
In-Reply-To: <556DDF95.8080209@redhat.com>
References: <556DB556.90606@redhat.com> <556DC6FF.6060703@redhat.com> <556DC8B0.2000200@redhat.com> <556DCAA2.9050107@redhat.com> <556DCBD9.1070803@redhat.com> <20150602153241.GM15837@redhat.com> <556DCD2F.5080408@redhat.com> <20150602154122.GN15837@redhat.com> <556DCF81.7060905@redhat.com> <1433260088.4846.34.camel@willson.usersys.redhat.com> <20150602160041.GO15837@redhat.com> <556DDF95.8080209@redhat.com>
Message-ID: <556DE0F4.2010006@redhat.com>

On 06/02/2015 06:53 PM, Martin Kosek wrote:
> On 06/02/2015 06:00 PM, Alexander Bokovoy wrote:
>> On Tue, 02 Jun 2015, Simo Sorce wrote:
>>> On Tue, 2015-06-02 at 17:45 +0200, Martin Kosek wrote:
>>>> On 06/02/2015 05:41 PM, Alexander Bokovoy wrote:
>>>> > On Tue, 02 Jun 2015, Martin Kosek wrote:
>>>> >> On 06/02/2015 05:32 PM, Alexander Bokovoy wrote:
>>>> >>> On Tue, 02 Jun 2015, Martin Kosek wrote:
>>>> >>>> On 06/02/2015 05:24 PM, Ludwig Krispenz wrote:
>>>> >>>>>
>>>> >>>>> On 06/02/2015 05:16 PM, Martin Kosek wrote:
>>>> >>>>>> On 06/02/2015 05:08 PM, Ludwig Krispenz wrote:
>>>> >>>>>>> On 06/02/2015 03:53 PM, Petr Vobornik wrote:
>>>> >>>>>>>> On 06/02/2015 02:20 PM, Ludwig Krispenz wrote:
>>>> >>>>>>>>> On 06/02/2015 12:09 PM, Oleg Fayans wrote:
>>>> >>>>>>>>>> Hi all,
>>>> >>>>>>>>>>
>>>> >>>>>>>>>> The following error was caught during replica
>>>> installation (I
>>>> used all
>>>> >>>>>>>>>> the latest patches from Ludwig and Martin Basti):
>>>> >>>>>>>> - except ldap.TYPE_OR_VALUE_EXISTS:
>>>> >>>>>>>> + except (ldap.TYPE_OR_VALUE_EXISTS,
>>>> ldap.NO_SUCH_OBJECT):
>>>> >>>>>>>>
>>>> >>>>>>>> What happens if all replicas are updated and domain level
>>>> is raised? I
>>>> >>>>>>>> don't
>>>> >>>>>>>> think that the group will be populated. Or will it be?
>>>> Without it,
>>>> >>>>>>>> topology
>>>> >>>>>>>> plugin won't work, right?
>>>> >>>>>>> good point,
>>>> >>>>>>> it will be limited, when adding a new segment a replication
>>>> agreement
>>>> >>>>>>> will be
>>>> >>>>>>> created, but it will not have the credentials to replicate.
>>>> >>>>>>>> There should be a moment where all the DNs are added.
>>>> >>>>>>> yes, there could probably be a check when topology plugin gets
>>>> active if
>>>> >>>>>>> the
>>>> >>>>>>> binddn group exists and if not create and populate it
>>>> >>>>>> Should we finally start maintaining by default IPA Masters
>>>> hostgroup?
>>>> *That*
>>>> >>>>>> should be the BIND DN group which Topology plugins works
>>>> with, no?
>>>> >>>>> what would be the members of this group ?
>>>> >>>>> the binddn group needs all the ldap principals in it so that a
>>>> replica
>>>> can do
>>>> >>>>> gssapi replication to another replica.
>>>> >>>>
>>>> >>>> Ah. Hosts would be members of the group, i.e.
>>>> host/server1.example.test
>>>> >>>> principals. If this is the case, the IPA Masters group does not
>>>> look that
>>>> >>>> helpful.
>>>> >>> No, host's DN is
>>>> fqdn=ipa.master,cn=computers,cn=accounts,$SUFFIX. This
>>>> >>> is exception in the way Kerberos services addressed.
>>>> >>
>>>> >> Sure. But my point here was that host principals (and a
>>>> hostgroup) are not
>>>> >> helpful here as DS will be authenticating with ldap/... principals.
>>>> > Correct, so you need to go one step more and simply add
>>>> > krbprincipalname=ldap/ipa.master,... to the list. You know that if
>>>> the
>>>> > host from IPA Masters hostgroup, then it has to have ldap service
>>>> and if
>>>> > it is not, then it is not a master, so you'd skip that one.
>>>>
>>>> Ah, so this is what you thought. I am not sure here, I do not think
>>>> we made
>>>> services members of host group in the past. And I am not convinced
>>>> we want to
>>>> start with it now. CCing Simo for reference.
>>>>
>>>> Wouldn't a system group (sysaccounts) of "replication managers" with
>>>> just the
>>>> ldap/ principals be cleaner and perfectly in line with what we did with
>>>> "cn=adtrust
>>>> agents,cn=sysaccounts,cn=etc,SUFFIX"?
>>>
>>> I do not have a strong preference, the advantage of a host group is that
>>> admins can see and manipulate it ... and that is also the disadvantage
>>> in this case. As it is a great way to break replication.
>>> So perhaps, yes, having a masters groups under sysaccount may be safer
>>> for now.
>> I'm fine to have that too, we rely on it in trusts case so just follow
>> the pattern.
>
> Cool! Who will do the work and make sure the group and the members are
> properly set on installation and upgrades? Petr1, Jan or anyone else?
> (The group should also move to sysaccounts container with this change).

I will do it.

-- 
Petr Vobornik

From simo at redhat.com Tue Jun 2 18:34:34 2015
From: simo at redhat.com (Simo Sorce)
Date: Tue, 02 Jun 2015 14:34:34 -0400
Subject: [Freeipa-devel] [PATCH] Password vault
In-Reply-To: <556D7FBD.4080207@redhat.com>
References: <54E1AF55.3060409@redhat.com> <54EBEB55.6010306@redhat.com> <54F96B22.9050507@redhat.com> <55004D5D.6060300@redhat.com> <550FE5EB.1070606@redhat.com> <551E0AE1.8040500@redhat.com> <553498D1.1020901@redhat.com> <55651209.8020000@redhat.com> <556558AA.6040107@redhat.com> <5566AB15.3070605@redhat.com> <5566ABAB.7050008@redhat.com> <556CF29A.9090404@redhat.com> <556D7FBD.4080207@redhat.com>
Message-ID: <1433270074.4846.85.camel@willson.usersys.redhat.com>

On Tue, 2015-06-02 at 12:04 +0200, Jan Cholasta wrote:
> On 2.6.2015 at 02:02, Endi Sukma Dewata wrote:
> > On 5/28/2015 12:46 AM, Jan Cholasta wrote:
> >>> On a related note, since KRA is optional, can we move the vaults
> >>> container to cn=kra,cn=vaults? This is the convention used by the other
> >>> optional components (DNS and recently CA).
> >>
> >> I mean cn=vaults,cn=kra of course.
> >
> > If you are talking about the o=kra,, I'm not sure whether
> > the IPA framework will work with it.
> >
> > If you are talking about adding a new cn=kra, entry on top
> > of cn=vaults, what is the purpose of this entry? Is the entry going to
> > be created/deleted automatically when the KRA is installed/removed? Is
> > it going to be used for something else other than vaults?
>
> I'm talking about cn=kra,. It should be created only when
> KRA is installed, although I think this can be done later after the
> release, moving vaults to cn=kra should be good enough for now. It's
> going to be used for everything KRA-specific.
>
> >
> > There are a lot of questions that need to be answered before we can make
> > this change.
>
> This is about sticking to a convention, which everyone should do, and
> everyone except KRA already does.
>
> I'm sorry I didn't realize this earlier, but the change must be done now.
>
> > We probably should revisit this issue after the core vault
> > functionality is added.
> >
>
> We can't revisit it later because after release we are stuck with
> whatever is there forever.
>
> See attachment for a patch which implements the change.
>

Shouldn't we s/kra/vault/ ?
After all the feature is called Vault, not KRA.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From simo at redhat.com Tue Jun 2 18:40:58 2015
From: simo at redhat.com (Simo Sorce) Date: Tue, 02 Jun 2015 14:40:58 -0400 Subject: [Freeipa-devel] [PATCH] Password vault In-Reply-To: <556D9C66.2080706@redhat.com> References: <54E1AF55.3060409@redhat.com> <54EBEB55.6010306@redhat.com> <54F96B22.9050507@redhat.com> <55004D5D.6060300@redhat.com> <550FE5EB.1070606@redhat.com> <551E0AE1.8040500@redhat.com> <553498D1.1020901@redhat.com> <55651209.8020000@redhat.com> <556558AA.6040107@redhat.com> <556CF209.7050404@redhat.com> <556D48F3.7040902@redhat.com> <556D9C66.2080706@redhat.com> Message-ID: <1433270458.4846.90.camel@willson.usersys.redhat.com> On Tue, 2015-06-02 at 07:07 -0500, Endi Sukma Dewata wrote: > On 6/2/2015 1:10 AM, Martin Kosek wrote: > > Hi Endi, > > > > Quickly skimming through your patches raised couple questions on my side: > > > > 1) Will it be possible to also store plain text password via Vault? It > > talks about taking in the binary data or the text file, but will it also > > work with plain user secrets (passwords)? I am talking about use like this: > > > > # ipa vault-archive --user mkosek --data Secret123 > > For security the plain text password should be stored in a file first: > > # vi password.txt > # ipa vault-archive --user mkosek --in password.txt > > It's also possible to specify the password as base-64 encoded data: > > # echo -n Secret123 | base64 > # ipa vault-archive --user mkosek --data U2VjcmV0MTIz > > But it's not recommended since the data will be stored in the command > history and someone could see and decode it. I think passing a plain > text password as command line argument would be even worse. The --data > parameter is mainly used for unit testing. > > Later we might be able to add an option to read from standard input: > > # cat password.txt | ipa vault-archive --user mkosek --std-in Yes please, a way to pass in via stdin is extremely useful, as leaving files on the filesystem is also a big risk. 
> > 2) Didn't we discuss a dependency of IPA/Vault on python-cryptography in > > the past? I rather see use of python-nss for cryptography... > > Yes. I might have mentioned that it would be in the 2nd (current) vault > patch. Actually it will be in the 3rd patch when we add the symmetric > and asymmetric vaults. The symmetric and asymmetric encryption will be > implemented using python-cryptography. You can also see this in an old > patch (#358) but it's obsolete now. > > The standard vault in the current patch uses python-nss for transport > encryption because when the KRA interface was written > python-cryptography wasn't available on Fedora, it didn't support > certificates, and I'm not sure if it supports key wrapping. It depends on the key wrapping, I have coded in python (jwcrypto) support for some key wrapping not yet available in python-cryptography and can lend you the code as needed. > The symmetric and asymmetric vaults add an additional layer of > encryption on top of the standard transport encryption, so it will > depend on both python-nss and python-cryptography. > > In the future if the KRA can support python-cryptography without > python-nss we may be able to drop the python-nss dependency from vaults. > > > 3) You do a lot of actions in the forward() method (as planned in > > https://www.freeipa.org/page/V4/Password_Vault#Archival). But how do you > > envision that this is consumed by the Web UI? It does not have access to > > the forward() method. Would it need to also include some crypto library? > > If Web UI wants to access vault (not sure if everybody agrees with > that), it would have to perform an encryption on the browser side. In > that case we will need to use either WebCrypto or a browser-specific > extension to implement something similar to vault_archive.forward(), > assuming the required cryptographic functionalities are available. In > the future PKI might be able to provide a JavaScript interface for KRA. 
I so much want to NACK crypto in web browsers ... but we may have to do
it, it stinks soo much though ... Perhaps a plugin ?

> > 4) In the vault-archive forward method, you use "pki" module. However,
> > this module will be only available on FreeIPA PKI-powered servers and
> > not on FreeIPA clients - so this will not work unless freeipa-client
> > gets a dependency on pki-base - which is definitely not something we
> > want...
>
> In my opinion it should be fine to require pki-base on the client

NACK, look at the dependency chain for that package.

> because it contains just the client library, unless you have other
> concerns? Any objections to having pki-nss and pki-cryptography
> dependencies on the client?

You mean python-nss/python-cryptography? I see no problem having them as
dependencies on the client.

> Even if we can change the client code not to depend on "pki" module,
> since in this framework the client and server code are written in the
> same plugin, the "import pki" still cannot be removed since it's still
> needed by the server code, and I don't think conditional import is a
> good programming practice.

Conditional import is just fine.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From derny at redhat.com Tue Jun 2 20:23:47 2015
From: derny at redhat.com (Drew Erny)
Date: Tue, 02 Jun 2015 16:23:47 -0400
Subject: [Freeipa-devel] [PATCH 0001] Migrate now accepts scope as argument
Message-ID: <556E10D3.8060702@redhat.com>

Hi, all,

This is my first patch, which fixes Ticket #2547 at
https://fedorahosted.org/freeipa/ticket/2547

It introduces a --scope option to "ipa migrate-ds" which allows the user
to specify the search depth of a migration. The previous default behavior
is the same as --scope=onelevel. To search nested OUs, the user uses
--scope=subtree. --scope=base will cause the migrate script not to find
anything, but has been included for completeness. Any other option is
invalid and will cause the command to abort.

Please review this one carefully, because I'm only like 98% confident it
doesn't break anything. The only thing I'm not sure about is that if you
run ipa migrate-ds without --scope specified, it gives an interactive
input for that option; I'm not sure if it's supposed to do that.

Thanks,

Drew Erny
derny at redhat.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-derny-0001-Migration-now-accepts-scope-as-argument.patch
Type: text/x-patch
Size: 4098 bytes
Desc: not available

From derny at redhat.com Tue Jun 2 20:32:08 2015
From: derny at redhat.com (Drew Erny)
Date: Tue, 02 Jun 2015 16:32:08 -0400
Subject: [Freeipa-devel] [PATCH 0001] Migrate now accepts scope as argument
In-Reply-To: <556E10D3.8060702@redhat.com>
References: <556E10D3.8060702@redhat.com>
Message-ID: <556E12C8.7010508@redhat.com>

Sorry, the email address on that patch is wrong. It picked the old one off
my personal box when I migrated my dotfiles. I don't know if that's
important, but if the merger could
s/dperny at crimson.ua.edu/derny at redhat.com/g, that would be better.
Sorry about that, I'll fix it in my next patch.

On 06/02/2015 04:23 PM, Drew Erny wrote:
> Hi, all,
>
> This is my first patch, which fixes Ticket #2547 at
> https://fedorahosted.org/freeipa/ticket/2547
>
> It introduces a --scope option to "ipa migrate-ds" which allows the
> user to specify the search depth of a migration. The previous default
> behavior is the same as --scope=onelevel. To search nested OUs, the
> user uses --scope=subtree. --scope=base will cause the migrate script
> not to find anything, but has been included for completeness. Any
> other option is invalid and will cause the command to abort.
>
> Please review this one carefully, because I'm only like 98% confident
> it doesn't break anything. The only thing I'm not sure about is that
> if you run ipa migrate-ds without --scope specified, it gives an
> interactive input for that option; I'm not sure if it's supposed to do
> that.
>
> Thanks,
>
> Drew Erny
> derny at redhat.com

From rcritten at redhat.com Tue Jun 2 20:51:37 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 02 Jun 2015 16:51:37 -0400
Subject: [Freeipa-devel] [PATCH] 1112 Add service constraint delegation plugin
In-Reply-To: <556DB7BD.9030101@redhat.com>
References: <555B4696.2070502@redhat.com> <555BA115.5070408@redhat.com> <555CB00B.3080309@redhat.com> <5565F29B.7000507@redhat.com> <5565FE97.6040202@redhat.com> <55660A2D.1080801@redhat.com> <5566D11B.3070505@redhat.com> <556A6CF4.5010603@redhat.com> <556DB7BD.9030101@redhat.com>
Message-ID: <556E1759.6070108@redhat.com>

Martin Basti wrote:
> On 31/05/15 04:07, Rob Crittenden wrote:
>> Petr Vobornik wrote:
>>> On 05/27/2015 08:17 PM, Martin Basti wrote:
>>>> On 27/05/15 19:27, Rob Crittenden wrote:
>>>>> Martin Basti wrote:
>>>>>>>
>>>>>> Thank you.
>>>>>>
>>>>>> I haven't finished review yet, but I have few notes in case you will
>>>>>> modify the patch.
>>>>>>
>>>>>> Please fix following issues:
>>>>>>
>>>>>
>>>>>> 3)
>>>>>> There are many PEP8 errors, can you fix some of them?
>>>>>
>>>>> Is PEP8 a concern? What kinds of errors do we fix? For example, the
>>>>> current model for defining options generates a slew of indentation
>>>>> errors.
>>>
>>> In old modules it's preferred to keep the old indentation style for
>>> options (not to mix 2 styles). New modules should use following pep8
>>> compliant style:
>>>     Str(
>>>         'cn',
>>>         cli_name='name',
>>>         primary_key=True,
>>>         label=_('Server name'),
>>>         doc=_('IPA server hostname'),
>>>     ),
>>>
>>>> We try to keep PEP8 in new code, mainly indentation, blank lines, too
>>>> long lines.
>>>> Yes in test definitions and option definitions, is better to keep the
>>>> same style, but other parts of code should be PEP8.
>>>>
>>>> For example these should be fixed
>>>> ./ipatests/test_xmlrpc/test_serviceconstraint_plugin.py:37:13: E225
>>>> missing whitespace around operator
>>>> ./ipatests/test_xmlrpc/test_serviceconstraint_plugin.py:39:1: E302
>>>> expected 2 blank lines, found 1
>>>> ./ipatests/test_xmlrpc/test_serviceconstraint_plugin.py:42:1: E302
>>>> expected 2 blank lines, found 1
>>>>
>>>>>
>>>>>
>>>>> I'll wait and see what falls out of the API review before making any
>>>>> real changes.
>>>>>
>>>>> rob
>>
>> Updated API and addressed Martin's concerns. The regex must have been
>> a bad copy/paste, it is fixed now.
>>
>> The design page has been updated as well.
>>
>> rob
>>
> Hello,
>
> comments below, in the right thread:
>
> 1)
> +        Str(
> +            'memberprincipal',
> +            label=_('Failed principals'),
> +        ),
> +        Str(
> +            'ipaallowedtarget',
> +            label=_('Failed targets'),
> +        ),
> +        Str(
> +            'servicedelegationrule',
> +            label=_('principal member'),
> +        ),
> Are these names correct?
> # ipa servicedelegationrule-find
> ----------------------------------
> 1 service delegation rule matched
> ----------------------------------
>   Delegation name: ipa-http-delegation
>   Allowed Target: ipa-ldap-delegation-targets,
>                   ipa-cifs-delegation-targets
>   Failed principals: HTTP/vm-093.example.com at EXAMPLE.COM

Fixed.

>
>
> 2)
> +            pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$',
> +            pattern_errmsg='may only include letters, numbers, _, -, ., '
> +                           'and a space inside',
>
> This regex does not allow space inside
> In [6]: print re.match(pattern, 'lalalala lalala')
> None

Fixed. I'm tempted to just drop this regex entirely. Other plugins have
no such restrictions, but this should work better now.

>
> 3)
> +            yield Str('%s*' % name, cli_name='%ss' % name, doc=doc,
> +                      label=_('member %s') % name,
> +                      csv=True, alwaysask=True)
>
> IMHO CSV values should not be supported.
> Honza told me, the option doesn't work anyway.

Yeah, a copy and paste issue.

> Patch with minor fixes attached.
>
> I removed unused code and PEP8 complaints

Incorporated and fixed a number of other things, including some typos in
the doc examples.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-1112-5-Add-plugin-to-manage-service-constraint-delegations.patch
Type: text/x-diff
Size: 57147 bytes
Desc: not available

From edewata at redhat.com Tue Jun 2 21:01:58 2015
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 02 Jun 2015 16:01:58 -0500
Subject: [Freeipa-devel] [PATCH] Password vault
In-Reply-To: <556DC639.7090403@redhat.com>
References: <54E1AF55.3060409@redhat.com> <54EBEB55.6010306@redhat.com> <54F96B22.9050507@redhat.com> <55004D5D.6060300@redhat.com> <550FE5EB.1070606@redhat.com> <551E0AE1.8040500@redhat.com> <553498D1.1020901@redhat.com> <55651209.8020000@redhat.com> <556558AA.6040107@redhat.com> <556CF209.7050404@redhat.com> <556D48F3.7040902@redhat.com> <556D9C66.2080706@redhat.com> <556DC639.7090403@redhat.com>
Message-ID: <556E19C6.8090907@redhat.com>

Please take a look at the new patch.

On 6/2/2015 10:05 AM, Martin Kosek wrote:
>>> 4) In the vault-archive forward method, you use "pki" module. However,
>>> this module will be only available on FreeIPA PKI-powered servers and
>>> not on FreeIPA clients - so this will not work unless freeipa-client
>>> gets a dependency on pki-base - which is definitely not something we
>>> want...
>>
>> In my opinion it should be fine to require pki-base on the client because it
>> contains just the client library, unless you have other concerns? Any
>> objections to having pki-nss and pki-cryptography dependencies on the client?
>>
>> Even if we can change the client code not to depend on "pki" module, since in
>> this framework the client and server code are written in the same plugin, the
>> "import pki" still cannot be removed since it's still needed by the server
>> code, and I don't think conditional import is a good programming practice.
>
> I have major concerns here. Look at the difference between installing
> "freeipa-client" and "freeipa-client + pki-base" on my F21:
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> $ sudo yum install freeipa-client
> ...
> Install 1 Package (+4 Dependent packages)
>
> Total download size: 2.6 M
> Installed size: 14 M
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> $ sudo yum install freeipa-client pki-base
> ...
> Install 2 Packages (+288 Dependent packages)
>
> Total download size: 160 M
> Installed size: 235 M
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> This is obviously a no-go for client. The conditional import is smaller concern
> than big dependency growth on the client. We do them in trust plugin for
> example and it works fine (though I agree it is not ideal programming practice).
>
> IMO, we should limit new freeipa-client dependencies only to
> python-cryptography (or also python-nss in the worst case, in case
> python-cryptography is not enough) - there should be no pki dependencies at
> all, these should be only on the server side.

OK. I opened a ticket to split the pki-base into separate Python and Java
packages:
https://fedorahosted.org/pki/ticket/1399

For now in this patch I added conditional imports for pki.account and
pki.key which are needed to access KRA on the server side. I removed
dependency on pki.crypto on the client side and replaced it with direct
python-nss code.

On 6/2/2015 1:40 PM, Simo Sorce wrote:
> I have coded in python (jwcrypto)
> support for some key wrapping not yet available in python-cryptography
> and can lend you the code as needed.

Thanks. I'll get back to you when it's time to add support for
python-cryptography in KRA:
https://fedorahosted.org/pki/ticket/1400

On 6/2/2015 10:16 AM, Alexander Bokovoy wrote:
> Yes, please use conditional import here, it is perfectly valid use case
> for the client side.

On 6/2/2015 1:40 PM, Simo Sorce wrote:
> conditional import is just fine

The conditional imports that I've seen usually are used for importing
different versions of the same module, which I think is acceptable
because the dependency always exists. In the vault case we're
selectively importing a module depending on where the code runs. I think
that is bad because it adds complexity and it's easy to make mistakes.
Any code that depends on that module would have to be (a) guarded:

    if pki_is_loaded:
        ... call pki ...
or (b) used in a method that's only called if the module is loaded:

    def do_something(self): # runs only on server
        ... call pki ...

The (a) is similar to #ifdef's which should be avoidable using OOD, and
in (b) we may inadvertently call a wrong method indirectly. I think
ideally the client and server code should be in separate files (so they
can be deployed separately too), but the framework doesn't seem to allow
that.

Regardless, the conditional imports are in.

-- 
Endi S. Dewata

-------------- next part --------------
>From 0e9d3868423c21dc47d125f4b3c23e8261c4655f Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Tue, 21 Oct 2014 10:57:08 -0400
Subject: [PATCH] Added vault-archive and vault-retrieve commands.

New commands have been added to archive and retrieve data into and from
a vault, also to retrieve the transport certificate.

https://fedorahosted.org/freeipa/ticket/3872
---
 API.txt                                   |  28 ++
 VERSION                                   |   4 +-
 ipalib/plugins/vault.py                   | 517 +++++++++++++++++++++++++++++-
 ipatests/test_xmlrpc/test_vault_plugin.py |  71 +++-
 4 files changed, 616 insertions(+), 4 deletions(-)

diff --git a/API.txt b/API.txt
index da69f32de5c12c0d85a7d61d9027385aa3c0ee05..3741e6f16689e43838c2d31a44872d1ea47589c7 100644
--- a/API.txt
+++ b/API.txt
@@ -4768,6 +4768,24 @@ option: Str('version?', exclude='webui') output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) +command: vault_archive +args: 1,9,1 +arg: Str('cn', cli_name='name', maxlength=255, pattern='^[a-zA-Z0-9_.-]+$') +option: Bytes('data?') +option: Str('in?') +option: Str('nonce?') +option: Str('service?') +option: Str('session_key?') +option: Flag('shared?', autofill=True, default=False) +option: Str('user?') +option: Str('vault_data?') +option: Str('version?', exclude='webui') +output: Output('result', None, None) +command: vault_config +args: 0,2,1 +option: Str('transport_out?') +option: Str('version?', exclude='webui') +output: Output('result', None, None) command: vault_del args: 1,5,3 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=True, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) @@ -4814,6 +4832,16 @@ option: Str('version?', exclude='webui') output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) +command: vault_retrieve +args: 1,6,1 +arg: Str('cn', cli_name='name', maxlength=255, pattern='^[a-zA-Z0-9_.-]+$') +option: Str('out?') +option: Str('service?') +option: Str('session_key?') +option: Flag('shared?', autofill=True, default=False) +option: Str('user?') +option: Str('version?', exclude='webui') +output: Output('result', None, None) command: vault_show args: 1,7,3 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) diff --git a/VERSION b/VERSION index 07c00d000064a7687497b09524aa821dbcecc88a..2bfb2fe46b3760f30e1aa378841544a51f014728 100644 --- a/VERSION +++ b/VERSION 
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=121 -# Last change: pvoborni - added server-find and server-show +IPA_API_VERSION_MINOR=122 +# Last change: edewata - added vault-archive and vault-retrieve diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py index ebb9f9fd3cf3b5a7d6b44ac9e63e122e8f71aa1a..ab28ec5cb1179855c2c14e0d72fa25d982924854 100644 --- a/ipalib/plugins/vault.py +++ b/ipalib/plugins/vault.py @@ -17,8 +17,17 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . +import base64 +import json +import os +import sys +import tempfile + +import nss.nss as nss + +from ipalib.frontend import Command from ipalib import api, errors -from ipalib import Str, Flag +from ipalib import Bytes, Str, Flag from ipalib import output from ipalib.plugable import Registry from ipalib.plugins.baseldap import LDAPObject, LDAPCreate, LDAPDelete,\ @@ -26,7 +35,13 @@ from ipalib.plugins.baseldap import LDAPObject, LDAPCreate, LDAPDelete,\ from ipalib.request import context from ipalib.plugins.user import split_principal from ipalib import _, ngettext +from ipaplatform.paths import paths from ipapython.dn import DN +from ipapython.nsslib import current_dbdir + +if api.env.in_server: + import pki.account + import pki.key __doc__ = _(""" Vaults 
@@ -94,6 +109,33 @@ EXAMPLES: """) + _(""" Delete a user vault: ipa vault-del --user +""") + _(""" + Display vault configuration: + ipa vault-config +""") + _(""" + Archive data into private vault: + ipa vault-archive --in +""") + _(""" + Archive data into service vault: + ipa vault-archive --service --in +""") + _(""" + Archive data into shared vault: + ipa vault-archive --shared --in +""") + _(""" + Archive data into user vault: + ipa vault-archive --user --in +""") + _(""" + Retrieve data from private vault: + ipa vault-retrieve --out +""") + _(""" + Retrieve data from service vault: + ipa vault-retrieve --service --out +""") + _(""" + Retrieve data from shared vault: + ipa vault-retrieve --shared --out +""") + _(""" + Retrieve data from user vault: + ipa vault-retrieve --user --out """) register = Registry() @@ -243,6 +285,26 @@ class vault(LDAPObject): for entry in entries: self.backend.add_entry(entry) + def get_key_id(self, dn): + """ + Generates a client key ID to archive/retrieve data in KRA. + """ + + # TODO: create container_dn after object initialization then reuse it + container_dn = DN(self.container_dn, self.api.env.basedn) + + # make sure the DN is a vault DN + if not dn.endswith(container_dn, 1): + raise ValueError('Invalid vault DN: %s' % dn) + + # construct the vault ID from the bottom up + id = u'' + for rdn in dn[:-len(container_dn)]: + name = rdn['cn'] + id = u'/' + name + id + + return 'ipa:' + id + @register() class vault_add(LDAPCreate): @@ -256,6 +318,10 @@ class vault_add(LDAPCreate): **options): assert isinstance(dn, DN) + if not self.api.env.enable_kra: + raise errors.InvocationError( + format=_('KRA service is not enabled')) + try: parent_dn = DN(*dn[1:]) self.obj.create_container(parent_dn) 
@@ -273,6 +339,38 @@ class vault_del(LDAPDelete): msg_summary = _('Deleted vault "%(value)s"') + def pre_callback(self, ldap, dn, *keys, **options): + assert isinstance(dn, DN) + + if not self.api.env.enable_kra: + raise errors.InvocationError( + format=_('KRA service is not enabled')) + + return dn + + def post_callback(self, ldap, dn, *args, **options): + assert isinstance(dn, DN) + + kra_client = self.api.Backend.kra.get_client() + + kra_account = pki.account.AccountClient(kra_client.connection) + kra_account.login() + + client_key_id = self.obj.get_key_id(dn) + + # deactivate vault record in KRA + response = kra_client.keys.list_keys( + client_key_id, pki.key.KeyClient.KEY_STATUS_ACTIVE) + + for key_info in response.key_infos: + kra_client.keys.modify_key_status( + key_info.get_key_id(), + pki.key.KeyClient.KEY_STATUS_INACTIVE) + + kra_account.logout() + + return True + @register() class vault_find(LDAPSearch): @@ -290,6 +388,10 @@ class vault_find(LDAPSearch): **options): assert isinstance(base_dn, DN) + if not self.api.env.enable_kra: + raise errors.InvocationError( + format=_('KRA service is not enabled')) + base_dn = self.obj.get_dn(*args, **options) return (filter, base_dn, scope) 
@@ -313,9 +415,422 @@ class vault_mod(LDAPUpdate): msg_summary = _('Modified vault "%(value)s"') + def pre_callback(self, ldap, dn, entry_attrs, attrs_list, + *keys, **options): + + assert isinstance(dn, DN) + + if not self.api.env.enable_kra: + raise errors.InvocationError( + format=_('KRA service is not enabled')) + + return dn + @register() class vault_show(LDAPRetrieve): __doc__ = _('Display information about a vault.') takes_options = LDAPRetrieve.takes_options + vault_options + + def pre_callback(self, ldap, dn, attrs_list, *keys, **options): + assert isinstance(dn, DN) + + if not self.api.env.enable_kra: + raise errors.InvocationError( + format=_('KRA service is not enabled')) + + return dn + + + at register() +class vault_config(Command): + __doc__ = _('Show vault configuration.') + + takes_options = ( + Str( + 'transport_out?', + doc=_('Output file to store the transport certificate'), + ), + ) + + has_output_params = ( + Str( + 'transport_cert', + label=_('Transport Certificate'), + ), + ) + + def forward(self, *args, **options): + + file = options.get('transport_out') + + # don't send these parameters to server + if 'transport_out' in options: + del options['transport_out'] + + response = super(vault_config, self).forward(*args, **options) + + if file: + with open(file, 'w') as f: + f.write(response['result']['transport_cert']) + + return response + + def execute(self, *args, **options): + + if not self.api.env.enable_kra: + raise errors.InvocationError( + format=_('KRA service is not enabled')) + + kra_client = self.api.Backend.kra.get_client() + transport_cert = kra_client.system_certs.get_transport_cert() + return { + 'result': { + 'transport_cert': transport_cert.encoded + } + } + + + at register() +class vault_archive(Command): + __doc__ = _('Archive data into a vault.') + + takes_args = ( + Str( + 'cn', + cli_name='name', + label=_('Vault name'), + pattern='^[a-zA-Z0-9_.-]+$', + pattern_errmsg='may only include letters, numbers, _, ., and -', + 
maxlength=255, + ), + ) + + takes_options = vault_options + ( + Bytes( + 'data?', + doc=_('Binary data to archive'), + ), + Str( # TODO: use File parameter + 'in?', + doc=_('File containing data to archive'), + ), + Str( + 'session_key?', + doc=_( + 'Session key wrapped with transport certificate' + ' and encoded in base-64'), + ), + Str( + 'vault_data?', + doc=_( + 'Vault data encrypted with session key' + ' and encoded in base-64'), + ), + Str( + 'nonce?', + doc=_('Nonce encrypted encoded in base-64'), + ), + ) + + msg_summary = _('Archived data into vault "%(value)s"') + + def forward(self, *args, **options): + + data = options.get('data') + input_file = options.get('in') + + # don't send these parameters to server + if 'data' in options: + del options['data'] + if 'in' in options: + del options['in'] + + # get data + if data and input_file: + raise errors.MutuallyExclusiveError( + reason=_('Input data specified multiple times')) + + if input_file: + with open(input_file, 'rb') as f: + data = f.read() + + elif not data: + data = '' + + # initialize NSS database + current_dbdir = paths.IPA_NSSDB_DIR + nss.nss_init(current_dbdir) + + # retrieve transport certificate + (file, filename) = tempfile.mkstemp() + os.close(file) + try: + self.api.Command.vault_config(transport_out=unicode(filename)) + transport_cert_der = nss.read_der_from_file(filename, True) + nss_transport_cert = nss.Certificate(transport_cert_der) + + finally: + os.remove(filename) + + # generate session key + mechanism = nss.CKM_DES3_CBC_PAD + slot = nss.get_best_slot(mechanism) + key_length = slot.get_best_key_length(mechanism) + session_key = slot.key_gen(mechanism, None, key_length) + + # wrap session key with transport certificate + public_key = nss_transport_cert.subject_public_key_info.public_key + wrapped_session_key = nss.pub_wrap_sym_key(mechanism, + public_key, + session_key) + + options['session_key'] = base64.b64encode(wrapped_session_key)\ + .decode('utf-8') + + nonce_length = 
nss.get_iv_length(mechanism) + nonce = nss.generate_random(nonce_length) + options['nonce'] = base64.b64encode(nonce).decode('utf-8') + + vault_data = {} + vault_data[u'data'] = base64.b64encode(data).decode('utf-8') + + json_vault_data = json.dumps(vault_data) + + # wrap vault_data with session key + iv_si = nss.SecItem(nonce) + iv_param = nss.param_from_iv(mechanism, iv_si) + + encoding_ctx = nss.create_context_by_sym_key(mechanism, + nss.CKA_ENCRYPT, + session_key, + iv_param) + + wrapped_vault_data = encoding_ctx.cipher_op(json_vault_data)\ + + encoding_ctx.digest_final() + + options['vault_data'] = base64.b64encode(wrapped_vault_data)\ + .decode('utf-8') + + return super(vault_archive, self).forward(*args, **options) + + def execute(self, *args, **options): + + if not self.api.env.enable_kra: + raise errors.InvocationError( + format=_('KRA service is not enabled')) + + vault_name = args[0] + + # retrieve vault info + vault = self.api.Command.vault_show( + vault_name, + service=options.get('service'), + shared=options.get('shared'), + user=options.get('user'), + )['result'] + + # connect to KRA + kra_client = self.api.Backend.kra.get_client() + + kra_account = pki.account.AccountClient(kra_client.connection) + kra_account.login() + + client_key_id = self.api.Object.vault.get_key_id(vault['dn']) + + # deactivate existing vault record in KRA + response = kra_client.keys.list_keys( + client_key_id, + pki.key.KeyClient.KEY_STATUS_ACTIVE) + + for key_info in response.key_infos: + kra_client.keys.modify_key_status( + key_info.get_key_id(), + pki.key.KeyClient.KEY_STATUS_INACTIVE) + + wrapped_session_key = base64.b64decode(options['session_key']) + nonce = base64.b64decode(options['nonce']) + + # forward wrapped data to KRA + wrapped_vault_data = base64.b64decode(options['vault_data']) + + kra_client.keys.archive_encrypted_data( + client_key_id, + pki.key.KeyClient.PASS_PHRASE_TYPE, + wrapped_vault_data, + wrapped_session_key, + None, + nonce, + ) + + 
kra_account.logout() + + response = {} + response['result'] = {} + + return response + + + at register() +class vault_retrieve(Command): + __doc__ = _('Retrieve a data from a vault.') + + takes_args = ( + Str( + 'cn', + cli_name='name', + label=_('Vault name'), + pattern='^[a-zA-Z0-9_.-]+$', + pattern_errmsg='may only include letters, numbers, _, ., and -', + maxlength=255, + ), + ) + + takes_options = vault_options + ( + Str( + 'out?', + doc=_('File to store retrieved data'), + ), + Str( + 'session_key?', + doc=_( + 'Session key wrapped with transport certificate' + ' and encoded in base-64'), + ), + ) + + has_output_params = ( + Bytes( + 'data', + label=_('Data'), + ), + ) + + msg_summary = _('Retrieved data from vault "%(value)s"') + + def forward(self, *args, **options): + + output_file = options.get('out') + + # don't send these parameters to server + if 'out' in options: + del options['out'] + + # initialize NSS database + current_dbdir = paths.IPA_NSSDB_DIR + nss.nss_init(current_dbdir) + + # retrieve transport certificate + (file, filename) = tempfile.mkstemp() + os.close(file) + try: + self.api.Command.vault_config(transport_out=unicode(filename)) + transport_cert_der = nss.read_der_from_file(filename, True) + nss_transport_cert = nss.Certificate(transport_cert_der) + + finally: + os.remove(filename) + + # generate session key + mechanism = nss.CKM_DES3_CBC_PAD + slot = nss.get_best_slot(mechanism) + key_length = slot.get_best_key_length(mechanism) + session_key = slot.key_gen(mechanism, None, key_length) + + # wrap session key with transport certificate + public_key = nss_transport_cert.subject_public_key_info.public_key + wrapped_session_key = nss.pub_wrap_sym_key(mechanism, + public_key, + session_key) + + # send retrieval request to server + options['session_key'] = base64.b64encode(wrapped_session_key)\ + .decode('utf-8') + + response = super(vault_retrieve, self).forward(*args, **options) + + result = response['result'] + nonce = 
base64.b64decode(result['nonce']) + + # unwrap data with session key + wrapped_vault_data = base64.b64decode(result['vault_data']) + + iv_si = nss.SecItem(nonce) + iv_param = nss.param_from_iv(mechanism, iv_si) + + decoding_ctx = nss.create_context_by_sym_key(mechanism, + nss.CKA_DECRYPT, + session_key, + iv_param) + + json_vault_data = decoding_ctx.cipher_op(wrapped_vault_data)\ + + decoding_ctx.digest_final() + + vault_data = json.loads(json_vault_data) + data = base64.b64decode(vault_data[u'data'].encode('utf-8')) + + if output_file: + response = {} + response['result'] = {} + with open(output_file, 'w') as f: + f.write(data) + + else: + response['result']['data'] = data + del response['result']['nonce'] + del response['result']['vault_data'] + + return response + + def execute(self, *args, **options): + + if not self.api.env.enable_kra: + raise errors.InvocationError( + format=_('KRA service is not enabled')) + + vault_name = args[0] + + # retrieve vault info + vault = self.api.Command.vault_show( + vault_name, + service=options.get('service'), + shared=options.get('shared'), + user=options.get('user'), + )['result'] + + wrapped_session_key = base64.b64decode(options['session_key']) + + # connect to KRA + kra_client = self.api.Backend.kra.get_client() + + kra_account = pki.account.AccountClient(kra_client.connection) + kra_account.login() + + client_key_id = self.api.Object.vault.get_key_id(vault['dn']) + + # find vault record in KRA + response = kra_client.keys.list_keys( + client_key_id, + pki.key.KeyClient.KEY_STATUS_ACTIVE) + + if not len(response.key_infos): + raise errors.NotFound(reason=_('No archived data.')) + + key_info = response.key_infos[0] + + # retrieve encrypted data from KRA + key = kra_client.keys.retrieve_key( + key_info.get_key_id(), + wrapped_session_key) + + vault['vault_data'] = base64.b64encode( + key.encrypted_data).decode('utf-8') + vault['nonce'] = base64.b64encode(key.nonce_data).decode('utf-8') + + kra_account.logout() + + response 
= {} + response['result'] = vault + + return response diff --git a/ipatests/test_xmlrpc/test_vault_plugin.py b/ipatests/test_xmlrpc/test_vault_plugin.py index 44d397c583928d98ec252899398ae6c3a83c207c..0664addd646806f1b8a5083ef5da16c4dfc015dc 100644 --- a/ipatests/test_xmlrpc/test_vault_plugin.py +++ b/ipatests/test_xmlrpc/test_vault_plugin.py @@ -22,12 +22,15 @@ Test the `ipalib/plugins/vault.py` module. """ from ipalib import api, errors -from xmlrpc_test import Declarative, fuzzy_string +from xmlrpc_test import Declarative vault_name = u'test_vault' service_name = u'HTTP/server.example.com' user_name = u'testuser' +# binary data from \x00 to \xff +secret = ''.join(map(chr, xrange(0, 256))) + class test_vault_plugin(Declarative): @@ -442,4 +445,70 @@ class test_vault_plugin(Declarative): }, }, + { + 'desc': 'Create vault for archival', + 'command': ( + 'vault_add', + [vault_name], + {}, + ), + 'expected': { + 'value': vault_name, + 'summary': 'Added vault "%s"' % vault_name, + 'result': { + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + % (vault_name, api.env.basedn), + 'objectclass': [u'top', u'ipaVault'], + 'cn': [vault_name], + }, + }, + }, + + { + 'desc': 'Archive secret', + 'command': ( + 'vault_archive', + [vault_name], + { + 'data': secret, + }, + ), + 'expected': { + 'result': {}, + }, + }, + + { + 'desc': 'Retrieve secret', + 'command': ( + 'vault_retrieve', + [vault_name], + {}, + ), + 'expected': { + 'result': { + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + % (vault_name, api.env.basedn), + 'cn': [vault_name], + 'data': secret, + }, + }, + }, + + { + 'desc': 'Delete vault for archival', + 'command': ( + 'vault_del', + [vault_name], + {}, + ), + 'expected': { + 'value': [vault_name], + 'summary': u'Deleted vault "%s"' % vault_name, + 'result': { + 'failed': (), + }, + }, + }, + ] -- 1.9.3 From abokovoy at redhat.com Tue Jun 2 21:22:03 2015 
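Review bot: in the two ipalib/plugins/vault.py import hunks (`@@ -17,8 +17,17 @@` and `@@ -26,7 +35,13 @@`), `import sys` and `from ipapython.nsslib import current_dbdir` have no use anywhere in the visible diff; both forward() methods later rebind `current_dbdir = paths.IPA_NSSDB_DIR` locally, which shadows the imported name. Drop the unused imports, or keep one definition of the client NSS database path and use it in both places. Since the `if api.env.in_server:` guard makes `pki.account` and `pki.key` server-only names, a one-line comment there stating that every `pki.` reference must stay inside code paths that only execute on the server would help whoever touches this module next, because the client now imports it without the package installed.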
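Review bot: in the `get_key_id` hunk (`@@ -243,6 +285,26 @@`), `rdn['cn']` raises a bare KeyError for any RDN that is not `cn=...`, while the preceding check rejects DNs outside the vault container with a ValueError; the two failure modes should be reported the same way, since both mean the DN is not a vault DN. The local `id` shadows the builtin, and `'ipa:' + id` concatenates a byte string with a unicode accumulator (the loop starts from `u''`); returning `u'ipa:' + id` keeps the key ID's type consistent. The `# TODO: create container_dn after object initialization then reuse it` comment should either be resolved here or tracked in a ticket before merge.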
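Review bot: in the `vault_del` hunk (`@@ -273,6 +339,38 @@`), the KRA deactivation runs in `post_callback`, i.e. after the LDAP entry is already gone, and `kra_account.logout()` is not in a `finally:`. If `list_keys` or `modify_key_status` raises, the vault entry has been deleted but its archived key stays ACTIVE in the KRA with nothing in LDAP pointing at it, and the KRA session is left open. Move the deactivation into `pre_callback` (before the LDAP delete) so a KRA failure aborts the deletion instead of orphaning live key material, and wrap login/logout in try/finally.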
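Review bot: in the `vault_retrieve.forward` part of the `@@ -313,9 +415,422 @@` hunk, the decrypted secret is written with `open(output_file, 'w')`: text mode, and a file created under the caller's umask. `vault_archive.forward` reads its input with `'rb'`, so this should be `'wb'`, and because the content is a secret the file should be created owner-only (for example via `os.open` with `O_CREAT|O_EXCL` and mode 0600) rather than possibly world-readable. Elsewhere in the same hunk: `kra_account.logout()` in both execute() methods sits outside any try/finally, so a failing KRA call leaks the session; `vault_archive.execute` marks the existing key INACTIVE before `archive_encrypted_data` has succeeded, so a failed archive destroys the previously stored secret (archive first, then deactivate the old key); the `'nonce?'` doc string `'Nonce encrypted encoded in base-64'` reads as a typo for "Nonce encoded in base-64"; and `file` in `vault_config.forward` shadows a builtin. Finally, `nss.CKM_DES3_CBC_PAD` is the session-key mechanism on both the archive and retrieve paths; if the KRA's `archive_encrypted_data`/`retrieve_key` accept an AES mechanism, prefer it over 3DES.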
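Review bot: the test hunk (`@@ -442,4 +445,70 @@`) exercises only the private-vault round trip; there is no case for passing `data` and `in` together (the MutuallyExclusiveError path), for `vault_retrieve` on a vault with nothing archived (the NotFound path), or for the service/shared/user vault variants that the same patch documents. Also, `xrange` in `secret = ''.join(map(chr, xrange(0, 256)))` ties the test to Python 2; `range` behaves identically here.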
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 3 Jun 2015 00:22:03 +0300
Subject: [Freeipa-devel] [PATCH] Password vault
In-Reply-To: <556E19C6.8090907@redhat.com>
References: <550FE5EB.1070606@redhat.com> <551E0AE1.8040500@redhat.com> <553498D1.1020901@redhat.com> <55651209.8020000@redhat.com> <556558AA.6040107@redhat.com> <556CF209.7050404@redhat.com> <556D48F3.7040902@redhat.com> <556D9C66.2080706@redhat.com> <556DC639.7090403@redhat.com> <556E19C6.8090907@redhat.com>
Message-ID: <20150602212203.GR15837@redhat.com>

On Tue, 02 Jun 2015, Endi Sukma Dewata wrote:
>Please take a look at the new patch.
>
>On 6/2/2015 10:05 AM, Martin Kosek wrote:
>>>>4) In the vault-archive forward method, you use "pki" module. However,
>>>>this module will be only available on FreeIPA PKI-powered servers and
>>>>not on FreeIPA clients - so this will not work unless freeipa-client
>>>>gets a dependency on pki-base - which is definitely not something we
>>>>want...
>>>
>>>In my opinion it should be fine to require pki-base on the client because it
>>>contains just the client library, unless you have other concerns? Any
>>>objections to having pki-nss and pki-cryptography dependencies on the client?
>>>
>>>Even if we can change the client code not to depend on "pki" module, since in
>>>this framework the client and server code are written in the same plugin, the
>>>"import pki" still cannot be removed since it's still needed by the server
>>>code, and I don't think conditional import is a good programming practice.
>>
>>I have major concerns here. Look at the difference between installing
>>"freeipa-client" and "freeipa-client + pki-base" on my F21:
>>
>>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>$ sudo yum install freeipa-client
>>...
>>Install 1 Package (+4 Dependent packages)
>>
>>Total download size: 2.6 M
>>Installed size: 14 M
>>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>$ sudo yum install freeipa-client pki-base
>>...
>>Install 2 Packages (+288 Dependent packages) >> >>Total download size: 160 M >>Installed size: 235 M >>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >> >>This is obviously a no-go for client. The conditional import is smaller concern >>that big dependency growth on the client. We do them in trust plugin for >>example and it works fine (though I agree it is not ideal programming practice). >> >>IMO, we should limit new freeipa-client dependencies only to >>python-cryptography (or also python-nss in the worst case, in case >>python-cryptography is not enough) - there should be no pki dependencies at >>all, these should be only on the server side. > >OK. I opened a ticket to split the pki-base into separate Python and >Java packages: >https://fedorahosted.org/pki/ticket/1399 > >For now in this patch I added conditional imports for pki.account and >pki.key which are needed to access KRA on the server side. I removed >dependency on pki.crypto on the client side and replaced it with >direct python-nss code. > >On 6/2/2015 1:40 PM, Simo Sorce wrote: >> I have coded in python (jwcrypto) >> support for some key wrapping not yet available in python-cryptography >> and can lend you the code as needed. > >Thanks. I'll get back to you when it's time to add support for >python-cryptography in KRA: >https://fedorahosted.org/pki/ticket/1400 > >On 6/2/2015 10:16 AM, Alexander Bokovoy wrote: >>Yes, please use conditional import here, it is perfectly valid use case >>for the client side. > >On 6/2/2015 1:40 PM, Simo Sorce wrote: >> conditional import is just fine > >The conditional imports that I've seen usually are used for importing >different versions of the same module, which I think is acceptable >because the dependency always exists. In the vault case we're >selectively importing a module depending on where the code runs. I >think that is bad because it adds complexity and it's easy to make >mistakes. 
Any code that depends on that module would have to be (a) >guarded: > > if pki_is_loaded: > ... call pki ... > >or (b) used in a method that's only called if the module is loaded: > > def do_something(self): # runs only on server > ... call pki ... > >The (a) is similar to #ifdef's which should be avoidable using OOD, >and in (b) we may inadvertently call a wrong method indirectly. I >think ideally the client and server code should be in separate files >(so they can be deployed separately too), but the framework doesn't >seem to allow that. This exactly the case we have to use here and we are using that in trusts case as well -- some code has to run on server only and shouldn't cause to install Samba related packages on the client. This is because IPA client is actually using the same IPA plugins that server uses, to have access to the API calls metadata and client-side callbacks are defined in the same place where server-side callbacks are. It is IPA framework design, so we have to use what we have. In other words, it is not necessarily an evil under conditions we are dealing with. -- / Alexander Bokovoy From mrniranjan at fedoraproject.org Tue Jun 2 22:44:16 2015 From: mrniranjan at fedoraproject.org (Niranjan) Date: Wed, 3 Jun 2015 04:14:16 +0530 Subject: [Freeipa-devel] [PATCH] Use Exception class instead of BaseException In-Reply-To: <20150601043325.GA5783@mniranja.pnq.redhat.com> References: <20150601043325.GA5783@mniranja.pnq.redhat.com> Message-ID: <20150602224416.GA4049@mniranja.pnq.redhat.com> Niranjan wrote: > Greetings, > > I would like to present patch for replacing StandardError exception > with Exception class in ipapython/adminutil.py. Also replacing > BaseException class with Exception class. > > Though the use of StandardError is many places. I would like to start > with ipapython/adminutil.py > > This is my first patch. Please let me know if my approach on this is > correct. Could anyone have a look at this please. > > Regards > Niranjan 
> From 018312f76952ea86c8c6e2396657e0531d2d61ba Mon Sep 17 00:00:00 2001 > From: Niranjan Mallapadi > Date: Mon, 1 Jun 2015 09:41:05 +0530 > Subject: [PATCH] Use Exception class instead of BaseException > > 1. Replace BaseException with Exception class. > 2. Remove StandardError and use Exception class. StandError is deprecated (Python3) > 3 .From python3.0 use of , is not recommended, instead > use "as" keyword (PEP 3110) > > Signed-off-by: Niranjan Mallapadi > --- > ipapython/admintool.py | 11 +++++++++-- > 1 file changed, 9 insertions(+), 2 deletions(-) > > diff --git a/ipapython/admintool.py b/ipapython/admintool.py > index d55bd18499ac427db8adc0c04096bc2aabdc2bbd..891232b9f387182ac5dbfb279a6f666805261ba1 100644 > --- a/ipapython/admintool.py > +++ b/ipapython/admintool.py > @@ -32,7 +32,7 @@ from ipapython import config > from ipapython import ipa_log_manager > > > -class ScriptError(StandardError): > +class ScriptError(Exception): > """An exception that records an error message and a return value > """ > def __init__(self, msg='', rval=1): 
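Review bot: the commit message says StandardError is "deprecated" in Python 3; it was removed outright, so this hunk is a hard requirement for running under Python 3 rather than a cleanup, and the message should say so. Behaviour on Python 2 does not change, because StandardError is itself a subclass of Exception, so callers that already catch Exception keep seeing ScriptError.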
> @@ -169,13 +169,20 @@ class AdminTool(object): > self.ask_for_options() > self.setup_logging() > return_value = self.run() > - except BaseException, exception: > + except Exception as exception: > traceback = sys.exc_info()[2] > error_message, return_value = self.handle_error(exception) > if return_value: > self.log_failure(error_message, return_value, exception, > traceback) > return return_value > + except SystemExit as exception: > + traceback = sys.exc_info()[2] > + error_message, return_value = self.handle_error(exception) > + if return_value: > + self.log_failure(error_message, return_value, exception, > + traceback) > + return return_value > self.log_success() > return return_value > > -- > 1.9.3
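Review bot: this hunk changes which failures execute() handles, and the commit message does not mention it. The old `except BaseException` also caught KeyboardInterrupt; after the change a Ctrl-C during run() escapes with a raw traceback instead of going through handle_error() and log_failure(). If that is intended, say so in the message. If not, `except (Exception, SystemExit) as exception:` keeps the new `as` syntax without the second clause, whose body is a verbatim copy of the first; and if catching everything was the point, `except BaseException as exception:` needs only the syntax fix.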
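The distinction the commit message relies on (Exception versus BaseException, and why SystemExit then needs its own clause), as an added example that is not FreeIPA code: a hypothetical MiniAdminTool mirrors the shape of AdminTool.execute() with an assumed handle_error(), and outcome() runs it under each catch strategy.

```python
"""Added example (not FreeIPA code): which failures an AdminTool-style
execute() wrapper absorbs, depending on whether it catches BaseException,
Exception, or Exception plus a separate SystemExit clause (the shape the
patch proposes).

SystemExit and KeyboardInterrupt derive from BaseException but not from
Exception, so a handler that catches only Exception lets them escape
unless it names them explicitly.
"""


class ScriptError(Exception):
    """An exception that records an error message and a return value."""

    def __init__(self, msg='', rval=1):
        Exception.__init__(self, msg)
        self.msg = msg
        self.rval = rval


# Exception classes caught by each strategy; the labels are this example's.
STRATEGIES = {
    'base_exception': (BaseException,),             # pre-patch handler
    'exception': (Exception,),                      # `except Exception` alone
    'exception_and_exit': (Exception, SystemExit),  # the patch: two clauses
}


class MiniAdminTool(object):
    """Hypothetical stand-in for ipapython.admintool.AdminTool."""

    def __init__(self, run, strategy):
        self._run = run
        self._catch = STRATEGIES[strategy]
        self.failures = []  # (error_message, return_value) pairs that got logged

    def handle_error(self, exception):
        """Map an exception to (message, return value). Assumed logic, not IPA's."""
        if isinstance(exception, ScriptError):
            return exception.msg, exception.rval
        if isinstance(exception, SystemExit):
            code = exception.code
            return 'exited', (code if isinstance(code, int) else 1)
        return '%s: %s' % (type(exception).__name__, exception), 1

    def execute(self):
        """Run the tool and return its exit status; uncaught errors propagate."""
        try:
            return_value = self._run()
        except self._catch as exception:
            error_message, return_value = self.handle_error(exception)
            if return_value:  # as in AdminTool: status 0 is not logged as a failure
                self.failures.append((error_message, return_value))
            return return_value
        return return_value


def outcome(strategy, exc):
    """Run a tool whose run() raises ``exc`` and report what execute() did.

    Returns ('handled', return_value) if the wrapper absorbed the exception,
    or ('propagated', class_name) if it escaped to the caller.
    """
    def run():
        raise exc

    tool = MiniAdminTool(run, strategy)
    try:
        return 'handled', tool.execute()
    except BaseException as escaped:
        return 'propagated', type(escaped).__name__


if __name__ == '__main__':
    for strategy in STRATEGIES:
        for exc in (ScriptError('bad option', 2), SystemExit(3),
                    SystemExit(0), KeyboardInterrupt()):
            print(strategy, type(exc).__name__, outcome(strategy, exc))
```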
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 03 Jun 2015 08:41:38 +0200
Subject: [Freeipa-devel] [PATCH] Password vault
In-Reply-To: <20150602212203.GR15837@redhat.com>
References: <550FE5EB.1070606@redhat.com> <551E0AE1.8040500@redhat.com> <553498D1.1020901@redhat.com> <55651209.8020000@redhat.com> <556558AA.6040107@redhat.com> <556CF209.7050404@redhat.com> <556D48F3.7040902@redhat.com> <556D9C66.2080706@redhat.com> <556DC639.7090403@redhat.com> <556E19C6.8090907@redhat.com> <20150602212203.GR15837@redhat.com>
Message-ID: <556EA1A2.70809@redhat.com>

On 06/02/2015 11:22 PM, Alexander Bokovoy wrote:
> On Tue, 02 Jun 2015, Endi Sukma Dewata wrote:
>> Please take a look at the new patch.
>>
>> On 6/2/2015 10:05 AM, Martin Kosek wrote:
>>>>> 4) In the vault-archive forward method, you use the "pki" module. However, this module will only be available on FreeIPA PKI-powered servers and not on FreeIPA clients - so this will not work unless freeipa-client gets a dependency on pki-base - which is definitely not something we want...
>>>>
>>>> In my opinion it should be fine to require pki-base on the client because it contains just the client library, unless you have other concerns? Any objections to having pki-nss and pki-cryptography dependencies on the client?
>>>>
>>>> Even if we can change the client code not to depend on the "pki" module, since in this framework the client and server code are written in the same plugin, the "import pki" still cannot be removed since it's still needed by the server code, and I don't think conditional import is a good programming practice.
>>>
>>> I have major concerns here. Look at the difference between installing "freeipa-client" and "freeipa-client + pki-base" on my F21:
>>>
>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>> $ sudo yum install freeipa-client
>>> ...
>>> Install 1 Package (+4 Dependent packages)
>>>
>>> Total download size: 2.6 M
>>> Installed size: 14 M
>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>> $ sudo yum install freeipa-client pki-base
>>> ...
>>> Install 2 Packages (+288 Dependent packages)
>>>
>>> Total download size: 160 M
>>> Installed size: 235 M
>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>>
>>> This is obviously a no-go for the client. The conditional import is a smaller concern than that big dependency growth on the client. We do them in the trust plugin, for example, and it works fine (though I agree it is not ideal programming practice).
>>>
>>> IMO, we should limit new freeipa-client dependencies only to python-cryptography (or also python-nss in the worst case, in case python-cryptography is not enough) - there should be no pki dependencies at all, these should be only on the server side.
>>
>> OK. I opened a ticket to split pki-base into separate Python and Java packages:
>> https://fedorahosted.org/pki/ticket/1399
>>
>> For now in this patch I added conditional imports for pki.account and pki.key, which are needed to access the KRA on the server side. I removed the dependency on pki.crypto on the client side and replaced it with direct python-nss code.
>>
>> On 6/2/2015 1:40 PM, Simo Sorce wrote:
>>> I have coded in python (jwcrypto) support for some key wrapping not yet available in python-cryptography and can lend you the code as needed.
>>
>> Thanks. I'll get back to you when it's time to add support for python-cryptography in KRA:
>> https://fedorahosted.org/pki/ticket/1400
>>
>> On 6/2/2015 10:16 AM, Alexander Bokovoy wrote:
>>> Yes, please use conditional import here, it is a perfectly valid use case for the client side.
>>
>> On 6/2/2015 1:40 PM, Simo Sorce wrote:
>>> conditional import is just fine
>>
>> The conditional imports that I've seen are usually used for importing different versions of the same module, which I think is acceptable because the dependency always exists. In the vault case we're selectively importing a module depending on where the code runs. I think that is bad because it adds complexity and it's easy to make mistakes. Any code that depends on that module would have to be (a) guarded:
>>
>>     if pki_is_loaded:
>>         ... call pki ...
>>
>> or (b) used in a method that's only called if the module is loaded:
>>
>>     def do_something(self):  # runs only on server
>>         ... call pki ...
>>
>> (a) is similar to #ifdefs, which should be avoidable using OOD, and in (b) we may inadvertently call a wrong method indirectly. I think ideally the client and server code should be in separate files (so they can be deployed separately too), but the framework doesn't seem to allow that.
> This is exactly the case we have to use here, and we are using that in the trusts case as well -- some code has to run on the server only and shouldn't cause Samba-related packages to be installed on the client. This is because the IPA client is actually using the same IPA plugins that the server uses, to have access to the API call metadata, and client-side callbacks are defined in the same place where server-side callbacks are. It is IPA framework design, so we have to use what we have.

This is planned to be changed BTW, when we start with the "Thin Client" concept and have different code/plugins for the FreeIPA server side and client side.

> In other words, it is not necessarily an evil under the conditions we are dealing with.
>

From mkosek at redhat.com Wed Jun 3 07:27:02 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 03 Jun 2015 09:27:02 +0200
Subject: [Freeipa-devel] [PATCH] Password vault
In-Reply-To: <1433270074.4846.85.camel@willson.usersys.redhat.com>
References: <54E1AF55.3060409@redhat.com> <54EBEB55.6010306@redhat.com> <54F96B22.9050507@redhat.com> <55004D5D.6060300@redhat.com> <550FE5EB.1070606@redhat.com> <551E0AE1.8040500@redhat.com> <553498D1.1020901@redhat.com> <55651209.8020000@redhat.com> <556558AA.6040107@redhat.com> <5566AB15.3070605@redhat.com> <5566ABAB.7050008@redhat.com> <556CF29A.9090404@redhat.com> <556D7FBD.4080207@redhat.com> <1433270074.4846.85.camel@willson.usersys.redhat.com>
Message-ID: <556EAC46.3090300@redhat.com>

On 06/02/2015 08:34 PM, Simo Sorce wrote:
> On Tue, 2015-06-02 at 12:04 +0200, Jan Cholasta wrote:
>> On 2.6.2015 at 02:02, Endi Sukma Dewata wrote:
>>> On 5/28/2015 12:46 AM, Jan Cholasta wrote:
>>>>> On a related note, since KRA is optional, can we move the vaults container to cn=kra,cn=vaults? This is the convention used by the other optional components (DNS and recently CA).
>>>>
>>>> I mean cn=vaults,cn=kra of course.
>>>
>>> If you are talking about the o=kra,, I'm not sure whether the IPA framework will work with it.
>>>
>>> If you are talking about adding a new cn=kra, entry on top of cn=vaults, what is the purpose of this entry? Is the entry going to be created/deleted automatically when the KRA is installed/removed? Is it going to be used for something else other than vaults?
>>
>> I'm talking about cn=kra,. It should be created only when KRA is installed, although I think this can be done later after the release; moving vaults to cn=kra should be good enough for now. It's going to be used for everything KRA-specific.
>>
>>>
>>> There are a lot of questions that need to be answered before we can make this change.
>>
>> This is about sticking to a convention, which everyone should do, and everyone except KRA already does.
>>
>> I'm sorry I didn't realize this earlier, but the change must be done now.
>>
>>> We probably should revisit this issue after the core vault functionality is added.
>>>
>>
>> We can't revisit it later because after release we are stuck with whatever is there forever.
>>
>> See attachment for a patch which implements the change.
>>
>
> Shouldn't we s/kra/vault/ ?
> After all the feature is called Vault, not KRA.

I thought we are naming it by the name of the optional subsystem, not the feature itself. If, for example, another feature from KRA is used, it would still live in cn=kra, no?

From ofayans at redhat.com Wed Jun 3 08:33:01 2015
From: ofayans at redhat.com (Oleg Fayans)
Date: Wed, 03 Jun 2015 10:33:01 +0200
Subject: [Freeipa-devel] Database error on replicas
Message-ID: <556EBBBD.6060205@redhat.com>

Hi,

With the latest freeipa code containing the Topology plugin patches, I am unable to make any changes on replicas. I have the following topology:

replica1 <=> master <=> replica3

Here is the output of the ipa topologysegment-find command:

Suffix name: realm
------------------
2 segments matched
------------------
  Segment name: replica1.zaeba.li-to-testmaster.zaeba.li
  Left node: replica1.zaeba.li
  Right node: testmaster.zaeba.li
  Connectivity: both

  Segment name: replica3.zaeba.li-to-testmaster.zaeba.li
  Left node: replica3.zaeba.li
  Right node: testmaster.zaeba.li
  Connectivity: both
----------------------------
Number of entries returned 2
----------------------------

Any changes on the master get replicated to the replicas successfully. However, any attempt to change anything on the replicas, for example creating a user, results in an error message about DatabaseError (attached). The corresponding part of the dirsrv log looks like this:

[03/Jun/2015:04:11:55 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[03/Jun/2015:04:15:02 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[03/Jun/2015:04:16:55 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 2 (No such file or directory)
[03/Jun/2015:04:16:55 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)

The full log is attached.

--
Oleg Fayans
Quality Engineer
FreeIPA team
Red Hat.
-0400] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=zaeba,dc=li does not exist [02/Jun/2015:12:02:29 -0400] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=zaeba,dc=li does not exist [02/Jun/2015:12:02:29 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=zaeba,dc=li--no CoS Templates found, which should be added before the CoS Definition. [02/Jun/2015:12:02:29 -0400] ipalockout_get_global_config - [file ipa_lockout.c, line 185]: Failed to get default realm (-1765328160) [02/Jun/2015:12:02:29 -0400] ipaenrollment_start - [file ipa_enrollment.c, line 393]: Failed to get default realm?! [02/Jun/2015:12:02:29 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests [02/Jun/2015:12:02:29 -0400] - Listening on All Interfaces port 636 for LDAPS requests [02/Jun/2015:12:02:29 -0400] - Listening on /var/run/slapd-ZAEBA-LI.socket for LDAPI requests [02/Jun/2015:12:02:29 -0400] - The change of nsslapd-maxdescriptors will not take effect until the server is restarted [02/Jun/2015:12:03:00 -0400] attrcrypt - No symmetric key found for cipher AES in backend ipaca, attempting to create one... [02/Jun/2015:12:03:01 -0400] attrcrypt - Key for cipher AES successfully generated and stored [02/Jun/2015:12:03:01 -0400] attrcrypt - No symmetric key found for cipher 3DES in backend ipaca, attempting to create one... [02/Jun/2015:12:03:01 -0400] attrcrypt - Key for cipher 3DES successfully generated and stored [02/Jun/2015:12:03:01 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=zaeba,dc=li--no CoS Templates found, which should be added before the CoS Definition. 
[02/Jun/2015:12:03:46 -0400] NSMMReplicationPlugin - multimaster_be_state_change: replica o=ipaca is going offline; disabling replication [02/Jun/2015:12:03:46 -0400] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-replica3.zaeba.li-pki-tomcat" (testmaster:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [02/Jun/2015:12:03:46 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=zaeba,dc=li--no CoS Templates found, which should be added before the CoS Definition. [02/Jun/2015:12:03:47 -0400] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database [02/Jun/2015:12:03:51 -0400] - import ipaca: Workers finished; cleaning up... [02/Jun/2015:12:03:51 -0400] - import ipaca: Workers cleaned up. [02/Jun/2015:12:03:51 -0400] - import ipaca: Indexing complete. Post-processing... [02/Jun/2015:12:03:51 -0400] - import ipaca: Generating numsubordinates (this may take several minutes to complete)... [02/Jun/2015:12:03:51 -0400] - import ipaca: Generating numSubordinates complete. [02/Jun/2015:12:03:51 -0400] - import ipaca: Gathering ancestorid non-leaf IDs... [02/Jun/2015:12:03:51 -0400] - import ipaca: Finished gathering ancestorid non-leaf IDs. [02/Jun/2015:12:03:51 -0400] - import ipaca: Creating ancestorid index (new idl)... [02/Jun/2015:12:03:51 -0400] - import ipaca: Created ancestorid index (new idl). [02/Jun/2015:12:03:51 -0400] - import ipaca: Flushing caches... [02/Jun/2015:12:03:51 -0400] - import ipaca: Closing files... [02/Jun/2015:12:03:52 -0400] - import ipaca: Import complete. Processed 82 entries in 6 seconds. 
(13.67 entries/sec) [02/Jun/2015:12:03:52 -0400] NSMMReplicationPlugin - multimaster_be_state_change: replica o=ipaca is coming online; enabling replication [02/Jun/2015:12:03:52 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=zaeba,dc=li--no CoS Templates found, which should be added before the CoS Definition. [02/Jun/2015:12:03:55 -0400] - ipaca: Indexing VLV: allCerts-pki-tomcatIndex [02/Jun/2015:12:03:56 -0400] - ipaca: Indexing VLV: allExpiredCerts-pki-tomcatIndex [02/Jun/2015:12:03:56 -0400] - ipaca: Indexing VLV: allInvalidCerts-pki-tomcatIndex [02/Jun/2015:12:03:56 -0400] - ipaca: Indexing VLV: allInValidCertsNotBefore-pki-tomcatIndex [02/Jun/2015:12:03:56 -0400] - ipaca: Indexing VLV: allNonRevokedCerts-pki-tomcatIndex [02/Jun/2015:12:03:56 -0400] - ipaca: Indexing VLV: allRevokedCaCerts-pki-tomcatIndex [02/Jun/2015:12:03:56 -0400] - ipaca: Indexing VLV: allRevokedCerts-pki-tomcatIndex [02/Jun/2015:12:03:56 -0400] - ipaca: Indexing VLV: allRevokedCertsNotAfter-pki-tomcatIndex [02/Jun/2015:12:03:56 -0400] - ipaca: Indexing VLV: allRevokedExpiredCerts-pki-tomcatIndex [02/Jun/2015:12:03:56 -0400] - ipaca: Indexing VLV: allRevokedOrRevokedExpiredCaCerts-pki-tomcatIndex [02/Jun/2015:12:03:56 -0400] - ipaca: Indexing VLV: allRevokedOrRevokedExpiredCerts-pki-tomcatIndex [02/Jun/2015:12:03:56 -0400] - ipaca: Indexing VLV: allValidCerts-pki-tomcatIndex [02/Jun/2015:12:03:56 -0400] - ipaca: Indexing VLV: allValidCertsNotAfter-pki-tomcatIndex [02/Jun/2015:12:03:56 -0400] - ipaca: Indexing VLV: allValidOrRevokedCerts-pki-tomcatIndex [02/Jun/2015:12:03:56 -0400] - ipaca: Indexing VLV: caAll-pki-tomcatIndex [02/Jun/2015:12:03:56 -0400] - ipaca: Indexing VLV: caCanceled-pki-tomcatIndex [02/Jun/2015:12:03:56 -0400] - ipaca: Indexing VLV: caCanceledEnrollment-pki-tomcatIndex [02/Jun/2015:12:03:56 -0400] - ipaca: Indexing VLV: caCanceledRenewal-pki-tomcatIndex [02/Jun/2015:12:03:56 -0400] - ipaca: Indexing VLV: caCanceledRevocation-pki-tomcatIndex 
[02/Jun/2015:12:03:56 -0400] - ipaca: Indexing VLV: caComplete-pki-tomcatIndex [02/Jun/2015:12:03:56 -0400] - ipaca: Indexing VLV: caCompleteEnrollment-pki-tomcatIndex [02/Jun/2015:12:03:56 -0400] - ipaca: Indexing VLV: caCompleteRenewal-pki-tomcatIndex [02/Jun/2015:12:03:56 -0400] - ipaca: Indexing VLV: caCompleteRevocation-pki-tomcatIndex [02/Jun/2015:12:03:56 -0400] - ipaca: Indexing VLV: caEnrollment-pki-tomcatIndex [02/Jun/2015:12:03:56 -0400] - ipaca: Indexing VLV: caPending-pki-tomcatIndex [02/Jun/2015:12:03:56 -0400] - ipaca: Indexing VLV: caPendingEnrollment-pki-tomcatIndex [02/Jun/2015:12:03:57 -0400] - ipaca: Indexing VLV: caPendingRenewal-pki-tomcatIndex [02/Jun/2015:12:03:57 -0400] - ipaca: Indexing VLV: caPendingRevocation-pki-tomcatIndex [02/Jun/2015:12:03:57 -0400] - ipaca: Indexing VLV: caRejected-pki-tomcatIndex [02/Jun/2015:12:03:57 -0400] - ipaca: Indexing VLV: caRejectedEnrollment-pki-tomcatIndex [02/Jun/2015:12:03:57 -0400] - ipaca: Indexing VLV: caRejectedRenewal-pki-tomcatIndex [02/Jun/2015:12:03:57 -0400] - ipaca: Indexing VLV: caRejectedRevocation-pki-tomcatIndex [02/Jun/2015:12:03:57 -0400] - ipaca: Indexing VLV: caRenewal-pki-tomcatIndex [02/Jun/2015:12:03:57 -0400] - ipaca: Indexing VLV: caRevocation-pki-tomcatIndex [02/Jun/2015:12:04:00 -0400] - ipaca: Finished indexing. [02/Jun/2015:12:04:27 -0400] - slapd shutting down - signaling operation threads - op stack size 3 max work q size 2 max work q stack size 2 [02/Jun/2015:12:04:27 -0400] - slapd shutting down - closing down internal subsystems and plugins [02/Jun/2015:12:04:28 -0400] - Waiting for 4 database threads to stop [02/Jun/2015:12:04:29 -0400] - All database threads now stopped [02/Jun/2015:12:04:29 -0400] - slapd shutting down - freed 2 work q stack objects - freed 3 op stack objects [02/Jun/2015:12:04:29 -0400] - slapd stopped. 
[02/Jun/2015:12:04:31 -0400] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2 [02/Jun/2015:12:04:31 -0400] - SSL alert: Configured NSS Ciphers [02/Jun/2015:12:04:31 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled [02/Jun/2015:12:04:31 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled [02/Jun/2015:12:04:31 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled [02/Jun/2015:12:04:31 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled [02/Jun/2015:12:04:31 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled [02/Jun/2015:12:04:31 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled [02/Jun/2015:12:04:31 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled [02/Jun/2015:12:04:31 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled [02/Jun/2015:12:04:31 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled [02/Jun/2015:12:04:31 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled [02/Jun/2015:12:04:31 -0400] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled [02/Jun/2015:12:04:31 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled [02/Jun/2015:12:04:31 -0400] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [02/Jun/2015:12:04:32 -0400] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled [02/Jun/2015:12:04:32 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled [02/Jun/2015:12:04:32 -0400] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled [02/Jun/2015:12:04:32 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled [02/Jun/2015:12:04:32 -0400] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [02/Jun/2015:12:04:32 -0400] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled [02/Jun/2015:12:04:32 -0400] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled [02/Jun/2015:12:04:32 -0400] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: 
enabled [02/Jun/2015:12:04:32 -0400] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled [02/Jun/2015:12:04:32 -0400] - SSL alert: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled [02/Jun/2015:12:04:32 -0400] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled [02/Jun/2015:12:04:32 -0400] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled [02/Jun/2015:12:04:32 -0400] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled [02/Jun/2015:12:04:32 -0400] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [02/Jun/2015:12:04:32 -0400] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled [02/Jun/2015:12:04:32 -0400] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled [02/Jun/2015:12:04:32 -0400] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [02/Jun/2015:12:04:32 -0400] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled [02/Jun/2015:12:04:32 -0400] - 389-Directory/1.3.4.a1 B2015.153.44 starting up [02/Jun/2015:12:04:32 -0400] - resizing db cache size: 20000000 -> 10000000 [02/Jun/2015:12:04:33 -0400] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=zaeba,dc=li [02/Jun/2015:12:04:33 -0400] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=zaeba,dc=li [02/Jun/2015:12:04:33 -0400] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=zaeba,dc=li [02/Jun/2015:12:04:33 -0400] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=zaeba,dc=li does not exist [02/Jun/2015:12:04:33 -0400] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=zaeba,dc=li does not exist [02/Jun/2015:12:04:33 -0400] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=zaeba,dc=li does not exist [02/Jun/2015:12:04:33 -0400] NSACLPlugin - The ACL target ou=sudoers,dc=zaeba,dc=li does not exist [02/Jun/2015:12:04:33 -0400] NSACLPlugin - The ACL target cn=users,cn=compat,dc=zaeba,dc=li does not exist [02/Jun/2015:12:04:33 -0400] NSACLPlugin - The ACL target cn=ad,cn=etc,dc=zaeba,dc=li does not exist [02/Jun/2015:12:04:33 
-0400] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=zaeba,dc=li does not exist [02/Jun/2015:12:04:33 -0400] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=zaeba,dc=li does not exist [02/Jun/2015:12:04:33 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=zaeba,dc=li--no CoS Templates found, which should be added before the CoS Definition. [02/Jun/2015:12:04:33 -0400] ipalockout_get_global_config - [file ipa_lockout.c, line 185]: Failed to get default realm (-1765328160) [02/Jun/2015:12:04:33 -0400] ipaenrollment_start - [file ipa_enrollment.c, line 393]: Failed to get default realm?! [02/Jun/2015:12:04:33 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests [02/Jun/2015:12:04:33 -0400] - Listening on All Interfaces port 636 for LDAPS requests [02/Jun/2015:12:04:33 -0400] - Listening on /var/run/slapd-ZAEBA-LI.socket for LDAPI requests [02/Jun/2015:12:05:09 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/replica3.zaeba.li at ZAEBA.LI] in keytab [FILE:/etc/krb5.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [02/Jun/2015:12:05:09 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success) [02/Jun/2015:12:05:09 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [02/Jun/2015:12:05:10 -0400] NSMMReplicationPlugin - agmt="cn=meTotestmaster.zaeba.li" (testmaster:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (No Kerberos credentials available)) [02/Jun/2015:12:05:14 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/replica3.zaeba.li at ZAEBA.LI] in keytab [FILE:/etc/krb5.keytab]: 13 (Permission denied) [02/Jun/2015:12:05:14 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success) [02/Jun/2015:12:05:14 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [02/Jun/2015:12:05:20 -0400] - slapd shutting down - signaling operation threads - op stack size 2 max work q size 2 max work q stack size 2 [02/Jun/2015:12:05:20 -0400] - slapd shutting down - waiting for 4 threads to terminate [02/Jun/2015:12:05:20 -0400] - slapd shutting down - closing down internal subsystems and plugins [02/Jun/2015:12:05:47 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/replica3.zaeba.li at ZAEBA.LI] in keytab [FILE:/etc/krb5.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [02/Jun/2015:12:05:48 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success) [02/Jun/2015:12:05:48 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [02/Jun/2015:12:05:48 -0400] - Waiting for 4 database threads to stop [02/Jun/2015:12:05:49 -0400] - All database threads now stopped [02/Jun/2015:12:05:49 -0400] - slapd shutting down - freed 2 work q stack objects - freed 3 op stack objects [02/Jun/2015:12:05:49 -0400] - slapd stopped. [02/Jun/2015:12:05:51 -0400] - Information: Non-Secure Port Disabled [02/Jun/2015:12:05:51 -0400] - 389-Directory/1.3.4.a1 B2015.153.44 starting up [02/Jun/2015:12:05:51 -0400] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=zaeba,dc=li [02/Jun/2015:12:05:51 -0400] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=zaeba,dc=li [02/Jun/2015:12:05:52 -0400] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=zaeba,dc=li [02/Jun/2015:12:05:52 -0400] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=zaeba,dc=li does not exist [02/Jun/2015:12:05:52 -0400] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=zaeba,dc=li does not exist [02/Jun/2015:12:05:52 -0400] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=zaeba,dc=li does not exist [02/Jun/2015:12:05:52 -0400] NSACLPlugin - The ACL target ou=sudoers,dc=zaeba,dc=li does not exist [02/Jun/2015:12:05:52 -0400] NSACLPlugin - The ACL target cn=users,cn=compat,dc=zaeba,dc=li does not exist [02/Jun/2015:12:05:52 -0400] NSACLPlugin - The ACL target cn=ad,cn=etc,dc=zaeba,dc=li does not exist [02/Jun/2015:12:05:52 -0400] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=zaeba,dc=li does not exist [02/Jun/2015:12:05:52 -0400] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=zaeba,dc=li does not exist [02/Jun/2015:12:05:52 -0400] - 
Skipping CoS Definition cn=Password Policy,cn=accounts,dc=zaeba,dc=li--no CoS Templates found, which should be added before the CoS Definition. [02/Jun/2015:12:05:52 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/replica3.zaeba.li at ZAEBA.LI] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text)) [02/Jun/2015:12:05:52 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success) [02/Jun/2015:12:05:52 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [02/Jun/2015:12:05:52 -0400] NSMMReplicationPlugin - agmt="cn=meTotestmaster.zaeba.li" (testmaster:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) [02/Jun/2015:12:05:53 -0400] - slapd started. 
Listening on /var/run/slapd-ZAEBA-LI.socket for LDAPI requests [02/Jun/2015:12:05:55 -0400] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=zaeba,dc=li [02/Jun/2015:12:05:55 -0400] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=zaeba,dc=li [02/Jun/2015:12:05:55 -0400] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=zaeba,dc=li [02/Jun/2015:12:05:55 -0400] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=zaeba,dc=li [02/Jun/2015:12:05:56 -0400] NSMMReplicationPlugin - agmt="cn=meTotestmaster.zaeba.li" (testmaster:389): Replication bind with GSSAPI auth resumed [02/Jun/2015:12:06:01 -0400] - userRoot: Indexing attribute: memberuid [02/Jun/2015:12:06:01 -0400] - userRoot: Finished indexing. [02/Jun/2015:12:06:07 -0400] - userRoot: Indexing attribute: member [02/Jun/2015:12:06:21 -0400] - userRoot: Finished indexing. [02/Jun/2015:12:06:26 -0400] - userRoot: Indexing attribute: uniquemember [02/Jun/2015:12:06:27 -0400] - userRoot: Finished indexing. [02/Jun/2015:12:06:32 -0400] - userRoot: Indexing attribute: owner [02/Jun/2015:12:06:33 -0400] - userRoot: Finished indexing. [02/Jun/2015:12:06:38 -0400] - userRoot: Indexing attribute: seeAlso [02/Jun/2015:12:06:39 -0400] - userRoot: Finished indexing. [02/Jun/2015:12:06:45 -0400] - userRoot: Indexing attribute: ipatokenradiusconfiglink [02/Jun/2015:12:06:45 -0400] - userRoot: Finished indexing. [02/Jun/2015:12:06:51 -0400] - userRoot: Indexing attribute: ipaassignedidview [02/Jun/2015:12:06:51 -0400] - userRoot: Finished indexing. [02/Jun/2015:12:06:57 -0400] - userRoot: Indexing attribute: ntUniqueId [02/Jun/2015:12:06:57 -0400] - userRoot: Finished indexing. [02/Jun/2015:12:07:03 -0400] - userRoot: Indexing attribute: ntUserDomainId [02/Jun/2015:12:07:03 -0400] - userRoot: Finished indexing. [02/Jun/2015:12:07:05 -0400] memberof-plugin - Memberof task starts (arg: (objectclass=*)) ... 
[02/Jun/2015:12:07:06 -0400] memberof-plugin - Memberof task starts (arg: (objectclass=*)) ... [02/Jun/2015:12:07:08 -0400] memberof-plugin - Memberof task finished (arg: (objectclass=*)) ... [02/Jun/2015:12:07:08 -0400] memberof-plugin - Memberof task finished (arg: (objectclass=*)) ... [02/Jun/2015:12:07:10 -0400] NSMMReplicationPlugin - agmt="cn=meTotestmaster.zaeba.li" (testmaster:389): Warning: Attempting to release replica, but unable to receive endReplication extended operation response from the replica. Error -5 (Timed out) [02/Jun/2015:12:07:10 -0400] NSMMReplicationPlugin - agmt="cn=meTotestmaster.zaeba.li" (testmaster:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later. [02/Jun/2015:12:07:10 -0400] - slapd shutting down - signaling operation threads - op stack size 3 max work q size 2 max work q stack size 2 [02/Jun/2015:12:07:10 -0400] - slapd shutting down - waiting for 1 thread to terminate [02/Jun/2015:12:07:10 -0400] - slapd shutting down - closing down internal subsystems and plugins [02/Jun/2015:12:07:14 -0400] - Waiting for 4 database threads to stop [02/Jun/2015:12:07:14 -0400] - All database threads now stopped [02/Jun/2015:12:07:14 -0400] - slapd shutting down - freed 2 work q stack objects - freed 3 op stack objects [02/Jun/2015:12:07:14 -0400] - slapd stopped. 
[02/Jun/2015:12:07:15 -0400] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2 [02/Jun/2015:12:07:15 -0400] - SSL alert: Configured NSS Ciphers [02/Jun/2015:12:07:15 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled [02/Jun/2015:12:07:15 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled [02/Jun/2015:12:07:15 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled [02/Jun/2015:12:07:15 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled [02/Jun/2015:12:07:15 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled [02/Jun/2015:12:07:15 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled [02/Jun/2015:12:07:15 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled [02/Jun/2015:12:07:15 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled [02/Jun/2015:12:07:15 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled [02/Jun/2015:12:07:16 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled [02/Jun/2015:12:07:16 -0400] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled [02/Jun/2015:12:07:16 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled [02/Jun/2015:12:07:16 -0400] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [02/Jun/2015:12:07:16 -0400] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled [02/Jun/2015:12:07:16 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled [02/Jun/2015:12:07:16 -0400] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled [02/Jun/2015:12:07:16 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled [02/Jun/2015:12:07:16 -0400] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [02/Jun/2015:12:07:16 -0400] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled [02/Jun/2015:12:07:16 -0400] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled [02/Jun/2015:12:07:16 -0400] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: 
enabled [02/Jun/2015:12:07:16 -0400] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled [02/Jun/2015:12:07:16 -0400] - SSL alert: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled [02/Jun/2015:12:07:16 -0400] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled [02/Jun/2015:12:07:16 -0400] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled [02/Jun/2015:12:07:16 -0400] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled [02/Jun/2015:12:07:16 -0400] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [02/Jun/2015:12:07:16 -0400] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled [02/Jun/2015:12:07:16 -0400] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled [02/Jun/2015:12:07:16 -0400] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [02/Jun/2015:12:07:16 -0400] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled [02/Jun/2015:12:07:16 -0400] - 389-Directory/1.3.4.a1 B2015.153.44 starting up [02/Jun/2015:12:07:17 -0400] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=zaeba,dc=li [02/Jun/2015:12:07:17 -0400] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=zaeba,dc=li [02/Jun/2015:12:07:17 -0400] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=zaeba,dc=li [02/Jun/2015:12:07:17 -0400] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=zaeba,dc=li does not exist [02/Jun/2015:12:07:17 -0400] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=zaeba,dc=li does not exist [02/Jun/2015:12:07:17 -0400] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=zaeba,dc=li does not exist [02/Jun/2015:12:07:17 -0400] NSACLPlugin - The ACL target ou=sudoers,dc=zaeba,dc=li does not exist [02/Jun/2015:12:07:17 -0400] NSACLPlugin - The ACL target cn=users,cn=compat,dc=zaeba,dc=li does not exist [02/Jun/2015:12:07:17 -0400] NSACLPlugin - The ACL target cn=ad,cn=etc,dc=zaeba,dc=li does not exist [02/Jun/2015:12:07:17 -0400] NSACLPlugin - The ACL target cn=casigningcert 
cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=zaeba,dc=li does not exist
[02/Jun/2015:12:07:17 -0400] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=zaeba,dc=li does not exist
[02/Jun/2015:12:07:18 -0400] NSACLPlugin - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
[02/Jun/2015:12:07:18 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=zaeba,dc=li--no CoS Templates found, which should be added before the CoS Definition.
[02/Jun/2015:12:07:18 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/replica3.zaeba.li at ZAEBA.LI] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[02/Jun/2015:12:07:18 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[02/Jun/2015:12:07:18 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[02/Jun/2015:12:07:18 -0400] NSMMReplicationPlugin - agmt="cn=meTotestmaster.zaeba.li" (testmaster:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[02/Jun/2015:12:07:18 -0400] attrcrypt - No symmetric key found for cipher AES in backend changelog, attempting to create one...
[02/Jun/2015:12:07:18 -0400] attrcrypt - Key for cipher AES successfully generated and stored
[02/Jun/2015:12:07:18 -0400] attrcrypt - No symmetric key found for cipher 3DES in backend changelog, attempting to create one...
[02/Jun/2015:12:07:18 -0400] attrcrypt - Key for cipher 3DES successfully generated and stored
[02/Jun/2015:12:07:20 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=zaeba,dc=li--no CoS Templates found, which should be added before the CoS Definition.
[02/Jun/2015:12:07:20 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[02/Jun/2015:12:07:20 -0400] - Listening on All Interfaces port 636 for LDAPS requests
[02/Jun/2015:12:07:20 -0400] - Listening on /var/run/slapd-ZAEBA-LI.socket for LDAPI requests
[02/Jun/2015:12:07:20 -0400] - slapd shutting down - signaling operation threads - op stack size 1 max work q size 1 max work q stack size 1
[02/Jun/2015:12:07:20 -0400] - slapd shutting down - waiting for 2 threads to terminate
[02/Jun/2015:12:07:20 -0400] - slapd shutting down - closing down internal subsystems and plugins
[02/Jun/2015:12:07:20 -0400] - Waiting for 4 database threads to stop
[02/Jun/2015:12:07:21 -0400] - All database threads now stopped
[02/Jun/2015:12:07:21 -0400] - slapd shutting down - freed 1 work q stack objects - freed 1 op stack objects
[02/Jun/2015:12:07:21 -0400] - slapd stopped.
[02/Jun/2015:12:07:22 -0400] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
[02/Jun/2015:12:07:23 -0400] - SSL alert: Configured NSS Ciphers
[02/Jun/2015:12:07:23 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
[02/Jun/2015:12:07:23 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[02/Jun/2015:12:07:23 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
[02/Jun/2015:12:07:23 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
[02/Jun/2015:12:07:23 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
[02/Jun/2015:12:07:23 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled
[02/Jun/2015:12:07:23 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[02/Jun/2015:12:07:23 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
[02/Jun/2015:12:07:23 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[02/Jun/2015:12:07:23 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[02/Jun/2015:12:07:23 -0400] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
[02/Jun/2015:12:07:23 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[02/Jun/2015:12:07:23 -0400] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
[02/Jun/2015:12:07:23 -0400] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled
[02/Jun/2015:12:07:23 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
[02/Jun/2015:12:07:23 -0400] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
[02/Jun/2015:12:07:23 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
[02/Jun/2015:12:07:23 -0400] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
[02/Jun/2015:12:07:23 -0400] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled
[02/Jun/2015:12:07:23 -0400] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled
[02/Jun/2015:12:07:23 -0400] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled
[02/Jun/2015:12:07:23 -0400] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled
[02/Jun/2015:12:07:23 -0400] - SSL alert: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled
[02/Jun/2015:12:07:23 -0400] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
[02/Jun/2015:12:07:23 -0400] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
[02/Jun/2015:12:07:23 -0400] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
[02/Jun/2015:12:07:23 -0400] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
[02/Jun/2015:12:07:23 -0400] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled
[02/Jun/2015:12:07:24 -0400] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
[02/Jun/2015:12:07:24 -0400] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
[02/Jun/2015:12:07:24 -0400] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled
[02/Jun/2015:12:07:24 -0400] - 389-Directory/1.3.4.a1 B2015.153.44 starting up
[02/Jun/2015:12:07:24 -0400] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=zaeba,dc=li
[02/Jun/2015:12:07:24 -0400] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=zaeba,dc=li
[02/Jun/2015:12:07:24 -0400] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=zaeba,dc=li
[02/Jun/2015:12:07:24 -0400] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=zaeba,dc=li does not exist
[02/Jun/2015:12:07:24 -0400] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=zaeba,dc=li does not exist
[02/Jun/2015:12:07:24 -0400] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=zaeba,dc=li does not exist
[02/Jun/2015:12:07:24 -0400] NSACLPlugin - The ACL target ou=sudoers,dc=zaeba,dc=li does not exist
[02/Jun/2015:12:07:24 -0400] NSACLPlugin - The ACL target cn=users,cn=compat,dc=zaeba,dc=li does not exist
[02/Jun/2015:12:07:24 -0400] NSACLPlugin - The ACL target cn=ad,cn=etc,dc=zaeba,dc=li does not exist
[02/Jun/2015:12:07:24 -0400] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=zaeba,dc=li does not exist
[02/Jun/2015:12:07:24 -0400] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=zaeba,dc=li does not exist
[02/Jun/2015:12:07:25 -0400] NSACLPlugin - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
[02/Jun/2015:12:07:25 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=zaeba,dc=li--no CoS Templates found, which should be added before the CoS Definition.
[02/Jun/2015:12:07:25 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/replica3.zaeba.li at ZAEBA.LI] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[02/Jun/2015:12:07:25 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[02/Jun/2015:12:07:25 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[02/Jun/2015:12:07:25 -0400] NSMMReplicationPlugin - agmt="cn=meTotestmaster.zaeba.li" (testmaster:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[02/Jun/2015:12:07:25 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[02/Jun/2015:12:07:25 -0400] - Listening on All Interfaces port 636 for LDAPS requests
[02/Jun/2015:12:07:25 -0400] - Listening on /var/run/slapd-ZAEBA-LI.socket for LDAPI requests
[02/Jun/2015:12:07:28 -0400] NSMMReplicationPlugin - agmt="cn=meTotestmaster.zaeba.li" (testmaster:389): Replication bind with GSSAPI auth resumed
[02/Jun/2015:12:09:10 -0400] - slapd shutting down - signaling operation threads - op stack size 6 max work q size 1 max work q stack size 1
[02/Jun/2015:12:09:10 -0400] - slapd shutting down - closing down internal subsystems and plugins
[02/Jun/2015:12:09:12 -0400] - Waiting for 4 database threads to stop
[02/Jun/2015:12:09:12 -0400] - All database threads now stopped
[02/Jun/2015:12:09:12 -0400] - slapd shutting down - freed 1 work q stack objects - freed 6 op stack objects
[02/Jun/2015:12:09:13 -0400] - slapd stopped.
[03/Jun/2015:03:45:26 -0400] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
[03/Jun/2015:03:45:26 -0400] - SSL alert: Configured NSS Ciphers
[03/Jun/2015:03:45:26 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
[03/Jun/2015:03:45:26 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[03/Jun/2015:03:45:26 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
[03/Jun/2015:03:45:27 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
[03/Jun/2015:03:45:27 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
[03/Jun/2015:03:45:27 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled
[03/Jun/2015:03:45:27 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[03/Jun/2015:03:45:27 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
[03/Jun/2015:03:45:27 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[03/Jun/2015:03:45:27 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[03/Jun/2015:03:45:27 -0400] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
[03/Jun/2015:03:45:27 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[03/Jun/2015:03:45:28 -0400] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
[03/Jun/2015:03:45:28 -0400] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled
[03/Jun/2015:03:45:28 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
[03/Jun/2015:03:45:28 -0400] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
[03/Jun/2015:03:45:28 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
[03/Jun/2015:03:45:28 -0400] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
[03/Jun/2015:03:45:28 -0400] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled
[03/Jun/2015:03:45:28 -0400] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled
[03/Jun/2015:03:45:28 -0400] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled
[03/Jun/2015:03:45:29 -0400] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled
[03/Jun/2015:03:45:29 -0400] - SSL alert: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled
[03/Jun/2015:03:45:29 -0400] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
[03/Jun/2015:03:45:29 -0400] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
[03/Jun/2015:03:45:29 -0400] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
[03/Jun/2015:03:45:29 -0400] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
[03/Jun/2015:03:45:29 -0400] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled
[03/Jun/2015:03:45:29 -0400] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
[03/Jun/2015:03:45:29 -0400] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
[03/Jun/2015:03:45:29 -0400] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled
[03/Jun/2015:03:45:30 -0400] - 389-Directory/1.3.4.a1 B2015.153.44 starting up
[03/Jun/2015:03:45:31 -0400] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=zaeba,dc=li
[03/Jun/2015:03:45:32 -0400] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=zaeba,dc=li
[03/Jun/2015:03:45:32 -0400] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=zaeba,dc=li
[03/Jun/2015:03:45:32 -0400] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=zaeba,dc=li does not exist
[03/Jun/2015:03:45:32 -0400] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=zaeba,dc=li does not exist
[03/Jun/2015:03:45:32 -0400] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=zaeba,dc=li does not exist
[03/Jun/2015:03:45:32 -0400] NSACLPlugin - The ACL target ou=sudoers,dc=zaeba,dc=li does not exist
[03/Jun/2015:03:45:32 -0400] NSACLPlugin - The ACL target cn=users,cn=compat,dc=zaeba,dc=li does not exist
[03/Jun/2015:03:45:32 -0400] NSACLPlugin - The ACL target cn=ad,cn=etc,dc=zaeba,dc=li does not exist
[03/Jun/2015:03:45:32 -0400] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=zaeba,dc=li does not exist
[03/Jun/2015:03:45:33 -0400] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=zaeba,dc=li does not exist
[03/Jun/2015:03:45:33 -0400] NSACLPlugin - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
[03/Jun/2015:03:45:33 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=zaeba,dc=li--no CoS Templates found, which should be added before the CoS Definition.
[03/Jun/2015:03:45:33 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/replica3.zaeba.li at ZAEBA.LI] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[03/Jun/2015:03:45:33 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[03/Jun/2015:03:45:33 -0400] - Listening on All Interfaces port 636 for LDAPS requests
[03/Jun/2015:03:45:33 -0400] - Listening on /var/run/slapd-ZAEBA-LI.socket for LDAPI requests
[03/Jun/2015:03:45:33 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 115 (Operation now in progress)
[03/Jun/2015:03:45:33 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[03/Jun/2015:03:45:33 -0400] NSMMReplicationPlugin - agmt="cn=meTotestmaster.zaeba.li" (testmaster:389): Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[03/Jun/2015:03:45:38 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 2 (No such file or directory)
[03/Jun/2015:03:45:38 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[03/Jun/2015:03:45:43 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 2 (No such file or directory)
[03/Jun/2015:03:45:44 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[03/Jun/2015:03:45:55 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 2 (No such file or directory)
[03/Jun/2015:03:45:55 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[03/Jun/2015:03:46:19 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 2 (No such file or directory)
[03/Jun/2015:03:46:19 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[03/Jun/2015:03:47:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 2 (No such file or directory)
[03/Jun/2015:03:47:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[03/Jun/2015:03:48:41 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[03/Jun/2015:03:48:41 -0400] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-replica3.zaeba.li-pki-tomcat" (testmaster:389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ()
[03/Jun/2015:03:48:43 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 2 (No such file or directory)
[03/Jun/2015:03:48:43 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[03/Jun/2015:03:48:44 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[03/Jun/2015:03:48:50 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[03/Jun/2015:03:49:02 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[03/Jun/2015:03:49:26 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[03/Jun/2015:03:49:26 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [(anon)] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 0 (Success)
[03/Jun/2015:03:49:26 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [(anon)] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[03/Jun/2015:03:49:26 -0400] dna-plugin - dna_pre_op: no more values available!!
[03/Jun/2015:03:50:14 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[03/Jun/2015:03:51:50 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[03/Jun/2015:03:51:55 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 2 (No such file or directory)
[03/Jun/2015:03:51:55 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[03/Jun/2015:03:53:52 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [(anon)] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 2 (No such file or directory)
[03/Jun/2015:03:53:52 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [(anon)] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[03/Jun/2015:03:53:52 -0400] dna-plugin - dna_pre_op: no more values available!!
[03/Jun/2015:03:55:02 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[03/Jun/2015:03:56:55 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 2 (No such file or directory)
[03/Jun/2015:03:56:55 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[03/Jun/2015:04:00:02 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[03/Jun/2015:04:01:55 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 2 (No such file or directory)
[03/Jun/2015:04:01:55 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[03/Jun/2015:04:05:02 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[03/Jun/2015:04:06:55 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 2 (No such file or directory)
[03/Jun/2015:04:06:55 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[03/Jun/2015:04:10:02 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[03/Jun/2015:04:11:55 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 2 (No such file or directory)
[03/Jun/2015:04:11:55 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[03/Jun/2015:04:15:02 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[03/Jun/2015:04:16:55 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 2 (No such file or directory)
[03/Jun/2015:04:16:55 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)

From mkosek at redhat.com Wed Jun 3 08:44:00 2015
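A small triage script for the replica3 errors log attached above, added here as an example and not FreeIPA or 389-ds code: it parses the 389-ds errors log format, classifies the entries that matter for this report (Kerberos credential failures, GSSAPI and startTLS bind failures against the replication peer, and the DNA plugin running out of range values) and records when each class was first and last seen. The sample lines are a constructed excerpt adapted from the attached log; the class names and patterns are my own.

```python
"""Triage a 389-ds (dirsrv) errors log for replication-bind and DNA failures.

Added example for this thread, not FreeIPA or 389-ds code. The sample
lines are adapted from replica3's errors log attached above, trimmed so
the script runs offline; the class names and patterns are my own.
"""
import re
from collections import Counter
from datetime import datetime

# One errors-log entry: "[dd/Mon/yyyy:HH:MM:SS +zzzz] <component> - <message>".
# Core server messages have no component and start directly with "- ".
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?:(?P<comp>\S+)\s+)?-\s+(?P<msg>.*)$")

# Failure classes worth alerting on, checked in order; the first match wins.
# The replication-plugin summary line is matched before the generic bind
# errors so that one failed replication bind is not counted twice.
CLASSES = (
    ("dna_range_exhausted",      re.compile(r"dna_pre_op: no more values available")),
    ("replication_bind_failed",  re.compile(r"Replication bind with \S+ auth failed")),
    ("replication_bind_resumed", re.compile(r"Replication bind with \S+ auth resumed")),
    ("krb_creds_unavailable",    re.compile(r"Could not get initial credentials")),
    ("gssapi_bind_failed",       re.compile(r"could not perform interactive bind")),
    ("starttls_failed",          re.compile(r"could not send startTLS request")),
)

# Constructed sample, adapted from the attached log (principal written with '@').
SAMPLE_LOG = """\
[03/Jun/2015:03:45:33 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/replica3.zaeba.li@ZAEBA.LI] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[03/Jun/2015:03:45:33 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[03/Jun/2015:03:45:33 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 115 (Operation now in progress)
[03/Jun/2015:03:45:33 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[03/Jun/2015:03:45:33 -0400] NSMMReplicationPlugin - agmt="cn=meTotestmaster.zaeba.li" (testmaster:389): Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[03/Jun/2015:03:48:41 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[03/Jun/2015:03:49:26 -0400] dna-plugin - dna_pre_op: no more values available!!
[03/Jun/2015:03:53:52 -0400] dna-plugin - dna_pre_op: no more values available!!
"""


def parse_line(line):
    """Return (timestamp, component, message), or None if the line is not an entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return ts, m.group("comp") or "", m.group("msg")


def classify(msg):
    """Map a message to a failure class, or None if it is not interesting."""
    for name, pattern in CLASSES:
        if pattern.search(msg):
            return name
    return None


def triage(lines):
    """Count each failure class and record when it was first and last seen."""
    counts, first_seen, last_seen = Counter(), {}, {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _component, msg = parsed
        cls = classify(msg)
        if cls is None:
            continue
        counts[cls] += 1
        first_seen.setdefault(cls, ts)
        last_seen[cls] = ts
    return {"counts": dict(counts), "first_seen": first_seen, "last_seen": last_seen}


def summarize(result):
    """Render the triage as one line per class, most frequent first."""
    rows = []
    for cls, n in sorted(result["counts"].items(), key=lambda kv: (-kv[1], kv[0])):
        first = result["first_seen"][cls].strftime("%H:%M:%S")
        last = result["last_seen"][cls].strftime("%H:%M:%S")
        rows.append(f"{cls:<26} {n:>4}  first {first}  last {last}")
    return rows


if __name__ == "__main__":
    for row in summarize(triage(SAMPLE_LOG.splitlines())):
        print(row)
```

Reading the first/last timestamps side by side gives the order of events that matters for this report: the replication bind to testmaster fails first, and the DNA plugin only starts reporting exhausted values afterwards. Run against the full errors log of each server, the same summary shows whether the bind failures are confined to one replica or affect the whole topology.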
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 03 Jun 2015 10:44:00 +0200
Subject: [Freeipa-devel] Database error on replicas
In-Reply-To: <556EBBBD.6060205@redhat.com>
References: <556EBBBD.6060205@redhat.com>
Message-ID: <556EBE50.9010902@redhat.com>

On 06/03/2015 10:33 AM, Oleg Fayans wrote:
> Hi,
>
> With the latest freeipa code containing Topology plugin patches, I am unable to
> make any changes in replicas.
>
> I have the following topology:
> replica1 <=> master <=> replica3
> Here is the output of the ipa topologysegment-find command:
>
> Suffix name: realm
> ------------------
> 2 segments matched
> ------------------
> Segment name: replica1.zaeba.li-to-testmaster.zaeba.li
> Left node: replica1.zaeba.li
> Right node: testmaster.zaeba.li
> Connectivity: both
>
> Segment name: replica3.zaeba.li-to-testmaster.zaeba.li
> Left node: replica3.zaeba.li
> Right node: testmaster.zaeba.li
> Connectivity: both
> ----------------------------
> Number of entries returned 2
> ----------------------------
>
>
> Any changes on master get replicated to replicas successfully. However, any
> attempts to change anything on replicas, for example, create a user, result in
> the error message about DatabaseError (attached).
>
> The corresponding part of the dirsrv log looks like this:
>
> 03/Jun/2015:04:11:55 -0400] slapi_ldap_bind - Error: could not perform
> interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't
> contact LDAP server)
> [03/Jun/2015:04:15:02 -0400] slapi_ldap_bind - Error: could not send startTLS
> request: error -1 (Can't contact LDAP server) errno 0 (Success)
> [03/Jun/2015:04:16:55 -0400] slapd_ldap_sasl_interactive_bind - Error: could
> not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't
> contact LDAP server) ((null)) errno 2 (No such file or directory)
> [03/Jun/2015:04:16:55 -0400] slapi_ldap_bind - Error: could not perform
> interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't
> contact LDAP server)
>
> The full log is attached

Ludwig, could this be caused by the Topology plugin?

From lkrispen at redhat.com Wed Jun 3 08:47:41 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Wed, 03 Jun 2015 10:47:41 +0200
Subject: [Freeipa-devel] Database error on replicas
In-Reply-To: <556EBE50.9010902@redhat.com>
References: <556EBBBD.6060205@redhat.com> <556EBE50.9010902@redhat.com>
Message-ID: <556EBF2D.8080702@redhat.com>

On 06/03/2015 10:44 AM, Martin Kosek wrote:
> On 06/03/2015 10:33 AM, Oleg Fayans wrote:
>> Hi,
>>
>> With the latest freeipa code containing Topology plugin patches, I am unable to
>> make any changes in replicas.
>>
>> I have the following topology:
>> replica1 <=> master <=> replica3
>> Here is the output of the ipa topologysegment-find command:
>>
>> Suffix name: realm
>> ------------------
>> 2 segments matched
>> ------------------
>> Segment name: replica1.zaeba.li-to-testmaster.zaeba.li
>> Left node: replica1.zaeba.li
>> Right node: testmaster.zaeba.li
>> Connectivity: both
>>
>> Segment name: replica3.zaeba.li-to-testmaster.zaeba.li
>> Left node: replica3.zaeba.li
>> Right node: testmaster.zaeba.li
>> Connectivity: both
>> ----------------------------
>> Number of entries returned 2
>> ----------------------------
>>
>>
>> Any changes on master get replicated to replicas successfully. However, any
>> attempts to change anything on replicas, for example, create a user, result in
>> the error message about DatabaseError (attached).
>>
>> The corresponding part of the dirsrv log looks like this:
>>
>> 03/Jun/2015:04:11:55 -0400] slapi_ldap_bind - Error: could not perform
>> interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't
>> contact LDAP server)
>> [03/Jun/2015:04:15:02 -0400] slapi_ldap_bind - Error: could not send startTLS
>> request: error -1 (Can't contact LDAP server) errno 0 (Success)
>> [03/Jun/2015:04:16:55 -0400] slapd_ldap_sasl_interactive_bind - Error: could
>> not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't
>> contact LDAP server) ((null)) errno 2 (No such file or directory)
>> [03/Jun/2015:04:16:55 -0400] slapi_ldap_bind - Error: could not perform
>> interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't
>> contact LDAP server)
>>
>> The full log is attached
> Ludwig, could this be caused by the Topology plugin?
maybe, don't know yet
>

From mbabinsk at redhat.com Wed Jun 3 08:46:06 2015
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Wed, 03 Jun 2015 10:46:06 +0200
Subject: [Freeipa-devel] Database error on replicas
In-Reply-To: <556EBBBD.6060205@redhat.com>
References: <556EBBBD.6060205@redhat.com>
Message-ID: <556EBECE.8000508@redhat.com>

On 06/03/2015 10:33 AM, Oleg Fayans wrote:
> Hi,
>
> With the latest freeipa code containing Topology plugin patches, I am
> unable to make any changes in replicas.
>
> I have the following topology:
> replica1 <=> master <=> replica3
> Here is the output of the ipa topologysegment-find command:
>
> Suffix name: realm
> ------------------
> 2 segments matched
> ------------------
> Segment name: replica1.zaeba.li-to-testmaster.zaeba.li
> Left node: replica1.zaeba.li
> Right node: testmaster.zaeba.li
> Connectivity: both
>
> Segment name: replica3.zaeba.li-to-testmaster.zaeba.li
> Left node: replica3.zaeba.li
> Right node: testmaster.zaeba.li
> Connectivity: both
> ----------------------------
> Number of entries returned 2
> ----------------------------
>
>
> Any changes on master get replicated to replicas successfully. However,
> any attempts to change anything on replicas, for example, create a user,
> result in the error message about DatabaseError (attached).
>
> The corresponding part of the dirsrv log looks like this:
>
> 03/Jun/2015:04:11:55 -0400] slapi_ldap_bind - Error: could not perform
> interactive bind for id [] authentication mechanism [GSSAPI]: error -1
> (Can't contact LDAP server)
> [03/Jun/2015:04:15:02 -0400] slapi_ldap_bind - Error: could not send
> startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
> [03/Jun/2015:04:16:55 -0400] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
> -1 (Can't contact LDAP server) ((null)) errno 2 (No such file or directory)
> [03/Jun/2015:04:16:55 -0400] slapi_ldap_bind - Error: could not perform
> interactive bind for id [] authentication mechanism [GSSAPI]: error -1
> (Can't contact LDAP server)
>
> The full log is attached
>
>
>
Hi Oleg,

could you also post the output of 'journalctl -xe' related to dirsrv (on
master and also on replicas)? I have seen a couple of segfaults there
during reviewing Petr Vobornik's topology* commands.

--
Martin^3 Babinsky

From mbabinsk at redhat.com Wed Jun 3 08:52:06 2015
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Wed, 03 Jun 2015 10:52:06 +0200
Subject: [Freeipa-devel] [PATCH] 857 topology: ipa management commands
In-Reply-To: <556475AF.7060301@redhat.com>
References: <556448B3.9050105@redhat.com> <556475AF.7060301@redhat.com>
Message-ID: <556EC036.2070700@redhat.com>

On 05/26/2015 03:31 PM, Petr Vobornik wrote:
> On 05/26/2015 12:19 PM, Petr Vobornik wrote:
>> this patch is based on top of my patch #856 and tbabej's 325-9.
>>
>> Obsoletes Ludwig's 0006.
>>
>> ipalib part of topology management
>>
>> Design:
>> - http://www.freeipa.org/page/V4/Manage_replication_topology
>>
>> https://fedorahosted.org/freeipa/ticket/4302
>>
>>
>
> New version attached:
> - domainlevel_show usage changed to domainlevel_get
> - updated VERSION
> - added more attrs to default_attributes
>
>

Hi Petr,

the commands themselves seem to work just fine. I had encountered some
quirks in the underlying topology plugin, but I will address them in a
different thread in order to keep the discussion relevant to the
reviewed patch.

I have some minor comments below:

1.)
IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=121
-# Last change: pvoborni - added server-find and server-show
+IPA_API_VERSION_MINOR=122
+# Last change: pvoborni - added topology management commands

Several people were touching API in the meantime so please double-check
that you have correct VERSION and regenerate API.txt

2.)

+ Str(
+ 'nsds5replicatedattributelist?',
+ cli_name='replattrs',
+ label='Attributes to replicate',
+ doc=_('Attributes that are not replicated to a consumer server '
+ 'during a fractional update. E.g., `(objectclass=*) '
+ '$ EXCLUDE accountlockout memberof'),
+ ),
+ Str(
+ 'nsds5replicatedattributelisttotal?',
+ cli_name='replattrstotal',
+ label=_('Attributes for total update'),
+ doc=_('Attributes that are not replicated to a consumer server '
+ 'during a total update. E.g. (objectclass=*) $ EXCLUDE '
+ 'accountlockout'),

The descriptions of these two options confused me greatly, are these
attributes supposed to be replicated or not, or is there some more
complex logic behind them that I failed to grasp? I am cc'ing Ludwig, he
can probably explain them to us and then we can decide whether we may
alter the descriptions to be less confusing.

3.)

+ takes_params = (
+ Str(
+ 'cn',
+ cli_name='name',
+ primary_key=True,
+ label=_('Suffix name'),
+ ),
+ Str(
+ 'iparepltopoconfroot',
+ maxlength=255,
+ cli_name='suffix',
+ label=_('Suffix to be managed'),
+ normalizer=lambda value: value.lower(),
+ ),
+ )

This also confused me at first, I suggest to change the label of
'iparepltopoconfroot' to something like 'LDAP suffix to be managed' or
'LDAP subtree to be managed'.

4.)

There is currently no way to rename existing topology segments/suffixes.
In the case of hosts with funky FQDN's (pointing at you, ABC lab), the
segment cn's created during replica installs are nearly impossible to
remember and it would be nice to rename them to something more
manageable. However, this is not related to core functionality and can
be a subject of a separate patch once this gets pushed.

That's all from my side.

--
Martin^3 Babinsky

From mbabinsk at redhat.com Wed Jun 3 08:59:22 2015
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Wed, 03 Jun 2015 10:59:22 +0200
Subject: [Freeipa-devel] [PATCH] 857 topology: ipa management commands
In-Reply-To: <556EC036.2070700@redhat.com>
References: <556448B3.9050105@redhat.com> <556475AF.7060301@redhat.com> <556EC036.2070700@redhat.com>
Message-ID: <556EC1EA.4010701@redhat.com>

On 06/03/2015 10:52 AM, Martin Babinsky wrote:
> On 05/26/2015 03:31 PM, Petr Vobornik wrote:
>> On 05/26/2015 12:19 PM, Petr Vobornik wrote:
>>> this patch is based on top of my patch #856 and tbabej's 325-9.
>>>
>>> Obsoletes Ludwig's 0006.
>>>
>>> ipalib part of topology management
>>>
>>> Design:
>>> - http://www.freeipa.org/page/V4/Manage_replication_topology
>>>
>>> https://fedorahosted.org/freeipa/ticket/4302
>>>
>>>
>>
>> New version attached:
>> - domainlevel_show usage changed to domainlevel_get
>> - updated VERSION
>> - added more attrs to default_attributes
>>
>>
>
> Hi Petr,
>
> the commands themselves seem to work just fine. I had encountered some
> quirks in the underlying topology plugin, but I will address them in a
> different thread in order to keep the discussion relevant to the
> reviewed patch.
>
> I have some minor comments below:
>
> 1.)
> IPA_API_VERSION_MAJOR=2
> -IPA_API_VERSION_MINOR=121
> -# Last change: pvoborni - added server-find and server-show
> +IPA_API_VERSION_MINOR=122
> +# Last change: pvoborni - added topology management commands
>
> Several people were touching API in the meantime so please double-check
> that you have correct VERSION and regenerate API.txt
>
> 2.)
>
> + Str(
> + 'nsds5replicatedattributelist?',
> + cli_name='replattrs',
> + label='Attributes to replicate',
> + doc=_('Attributes that are not replicated to a consumer server '
> + 'during a fractional update. E.g., `(objectclass=*) '
> + '$ EXCLUDE accountlockout memberof'),
> + ),
> + Str(
> + 'nsds5replicatedattributelisttotal?',
> + cli_name='replattrstotal',
> + label=_('Attributes for total update'),
> + doc=_('Attributes that are not replicated to a consumer server '
> + 'during a total update. E.g. (objectclass=*) $ EXCLUDE '
> + 'accountlockout'),
>
> The descriptions of these two options confused me greatly, are these
> attributes supposed to be replicated or not, or is there some more
> complex logic behind them that I failed to grasp? I am cc'ing Ludwig, he
> can probably explain them to us and then we can decide whether we may
> alter the descriptions to be less confusing.
>
> 3.)
>
> + takes_params = (
> + Str(
> + 'cn',
> + cli_name='name',
> + primary_key=True,
> + label=_('Suffix name'),
> + ),
> + Str(
> + 'iparepltopoconfroot',
> + maxlength=255,
> + cli_name='suffix',
> + label=_('Suffix to be managed'),
> + normalizer=lambda value: value.lower(),
> + ),
> + )
>
> This also confused me at first, I suggest to change the label of
> 'iparepltopoconfroot' to something like 'LDAP suffix to be managed' or
> 'LDAP subtree to be managed'.
>
> 4.)
>
> There is currently no way to rename existing topology segments/suffixes.
> In the case of hosts with funky FQDN's (pointing at you, ABC lab), the
> segment cn's created during replica installs are nearly impossible to
> remember and it would be nice to rename them to something more
> manageable. However, this is not related to core functionality and can
> be a subject of a separate patch once this gets pushed.
>
> That's all from my side.
>

I also forgot to ask what is the expected policy when deleting a non-empty
topology suffix. If this is not supported and you have to first remove all
segments and then the suffix itself, the 'topologysuffix-del' command should
issue an error pointing the user to correct procedure.

--
Martin^3 Babinsky

From lkrispen at redhat.com Wed Jun 3 09:09:58 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Wed, 03 Jun 2015 11:09:58 +0200
Subject: [Freeipa-devel] Database error on replicas
In-Reply-To: <556EBECE.8000508@redhat.com>
References: <556EBBBD.6060205@redhat.com> <556EBECE.8000508@redhat.com>
Message-ID: <556EC466.1040006@redhat.com>

Oleg,

are the master and the replicas up and running? The error messages look like the dna plugin wants to establish an ldap connection to extend its range - and fails. I don't see how the topology plugin would interfere, but of course there could be a side effect.

Ludwig

On 06/03/2015 10:46 AM, Martin Babinsky wrote:
> On 06/03/2015 10:33 AM, Oleg Fayans wrote:
>> Hi,
>>
>> With the latest freeipa code containing Topology plugin patches, I am
>> unable to make any changes in replicas.
>>
>> I have the following topology:
>> replica1 <=> master <=> replica3
>> Here is the output of the ipa topologysegment-find command:
>>
>> Suffix name: realm
>> ------------------
>> 2 segments matched
>> ------------------
>> Segment name: replica1.zaeba.li-to-testmaster.zaeba.li
>> Left node: replica1.zaeba.li
>> Right node: testmaster.zaeba.li
>> Connectivity: both
>>
>> Segment name: replica3.zaeba.li-to-testmaster.zaeba.li
>> Left node: replica3.zaeba.li
>> Right node: testmaster.zaeba.li
>> Connectivity: both
>> ----------------------------
>> Number of entries returned 2
>> ----------------------------
>>
>>
>> Any changes on master get replicated to replicas successfully. However,
>> any attempts to change anything on replicas, for example, create a user,
>> result in the error message about DatabaseError (attached).
>>
>> The corresponding part of the dirsrv log looks like this:
>>
>> 03/Jun/2015:04:11:55 -0400] slapi_ldap_bind - Error: could not perform
>> interactive bind for id [] authentication mechanism [GSSAPI]: error -1
>> (Can't contact LDAP server)
>> [03/Jun/2015:04:15:02 -0400] slapi_ldap_bind - Error: could not send
>> startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
>> [03/Jun/2015:04:16:55 -0400] slapd_ldap_sasl_interactive_bind - Error:
>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
>> -1 (Can't contact LDAP server) ((null)) errno 2 (No such file or
>> directory)
>> [03/Jun/2015:04:16:55 -0400] slapi_ldap_bind - Error: could not perform
>> interactive bind for id [] authentication mechanism [GSSAPI]: error -1
>> (Can't contact LDAP server)
>>
>> The full log is attached
>>
>>
>>
> Hi Oleg,
>
> could you also post the output of 'journalctl -xe' related to dirsrv
> (on master and also on replicas)? I have seen a couple of segfaults
> there during reviewing Petr Vobornik's topology* commands.
>

From ofayans at redhat.com Wed Jun 3 09:11:26 2015
From: ofayans at redhat.com (Oleg Fayans)
Date: Wed, 03 Jun 2015 11:11:26 +0200
Subject: [Freeipa-devel] Database error on replicas
In-Reply-To: <556EBECE.8000508@redhat.com>
References: <556EBBBD.6060205@redhat.com> <556EBECE.8000508@redhat.com>
Message-ID: <556EC4BE.4080802@redhat.com>

Hi Martin,

On 06/03/2015 10:46 AM, Martin Babinsky wrote:
> On 06/03/2015 10:33 AM, Oleg Fayans wrote:
>> Hi,
>>
>> With the latest freeipa code containing Topology plugin patches, I am
>> unable to make any changes in replicas.
>>
>> I have the following topology:
>> replica1 <=> master <=> replica3
>> Here is the output of the ipa topologysegment-find command:
>>
>> Suffix name: realm
>> ------------------
>> 2 segments matched
>> ------------------
>> Segment name: replica1.zaeba.li-to-testmaster.zaeba.li
>> Left node: replica1.zaeba.li
>> Right node: testmaster.zaeba.li
>> Connectivity: both
>>
>> Segment name: replica3.zaeba.li-to-testmaster.zaeba.li
>> Left node: replica3.zaeba.li
>> Right node: testmaster.zaeba.li
>> Connectivity: both
>> ----------------------------
>> Number of entries returned 2
>> ----------------------------
>>
>>
>> Any changes on master get replicated to replicas successfully. However,
>> any attempts to change anything on replicas, for example, create a user,
>> result in the error message about DatabaseError (attached).
>>
>> The corresponding part of the dirsrv log looks like this:
>>
>> 03/Jun/2015:04:11:55 -0400] slapi_ldap_bind - Error: could not perform
>> interactive bind for id [] authentication mechanism [GSSAPI]: error -1
>> (Can't contact LDAP server)
>> [03/Jun/2015:04:15:02 -0400] slapi_ldap_bind - Error: could not send
>> startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
>> [03/Jun/2015:04:16:55 -0400] slapd_ldap_sasl_interactive_bind - Error:
>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
>> -1 (Can't contact LDAP server) ((null)) errno 2 (No such file or
>> directory)
>> [03/Jun/2015:04:16:55 -0400] slapi_ldap_bind - Error: could not perform
>> interactive bind for id [] authentication mechanism [GSSAPI]: error -1
>> (Can't contact LDAP server)
>>
>> The full log is attached
>>
>>
>>
> Hi Oleg,
>
> could you also post the output of 'journalctl -xe' related to dirsrv
> (on master and also on replicas)? I have seen a couple of segfaults
> there during reviewing Petr Vobornik's topology* commands.
>

Attached

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: journal_master.log
Type: text/x-log
Size: 99047 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: journal_replica.log
Type: text/x-log
Size: 48587 bytes
Desc: not available
URL:

From mbabinsk at redhat.com Wed Jun 3 09:20:12 2015
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Wed, 03 Jun 2015 11:20:12 +0200
Subject: [Freeipa-devel] Database error on replicas
In-Reply-To: <556EC4BE.4080802@redhat.com>
References: <556EBBBD.6060205@redhat.com> <556EBECE.8000508@redhat.com> <556EC4BE.4080802@redhat.com>
Message-ID: <556EC6CC.8040605@redhat.com>

On 06/03/2015 11:11 AM, Oleg Fayans wrote:
> Jun 02 12:05:49 replica3.zaeba.li ns-slapd[2683]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)

Hmm, Ludwig's PATCH 0007 should fix these errors, or am I mistaken?

--
Martin^3 Babinsky

From mbasti at redhat.com Wed Jun 3 09:34:46 2015
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 03 Jun 2015 11:34:46 +0200
Subject: [Freeipa-devel] [PATCH] 1112 Add service constraint delegation plugin
In-Reply-To: <556E1759.6070108@redhat.com>
References: <555B4696.2070502@redhat.com> <555BA115.5070408@redhat.com> <555CB00B.3080309@redhat.com> <5565F29B.7000507@redhat.com> <5565FE97.6040202@redhat.com> <55660A2D.1080801@redhat.com> <5566D11B.3070505@redhat.com> <556A6CF4.5010603@redhat.com> <556DB7BD.9030101@redhat.com> <556E1759.6070108@redhat.com>
Message-ID: <556ECA36.4030703@redhat.com>

On 02/06/15 22:51, Rob Crittenden wrote:
> Martin Basti wrote:
>> On 31/05/15 04:07, Rob Crittenden wrote:
>>> Petr Vobornik wrote:
>>>> On 05/27/2015 08:17 PM, Martin Basti wrote:
>>>>> On 27/05/15 19:27, Rob Crittenden wrote:
>>>>>> Martin Basti wrote:
>>>>>>>>
>>>>>>> Thank you.
>>>>>>>
>>>>>>> I haven't finished review yet, but I have a few notes in case you
>>>>>>> will
>>>>>>> modify the patch.
>>>>>>>
>>>>>>> Please fix the following issues:
>>>>>>>
>>>>>>
>>>>>>> 3)
>>>>>>> There are many PEP8 errors, can you fix some of them?
>>>>>>
>>>>>> Is PEP8 a concern? What kinds of errors do we fix? For example, the
>>>>>> current model for defining options generates a slew of indentation
>>>>>> errors.
>>>>
>>>> In old modules it's preferred to keep the old indentation style for
>>>> options (not to mix 2 styles). New modules should use the following pep8
>>>> compliant style:
>>>> Str(
>>>> 'cn',
>>>> cli_name='name',
>>>> primary_key=True,
>>>> label=_('Server name'),
>>>> doc=_('IPA server hostname'),
>>>> ),
>>>>
>>>>> We try to keep PEP8 in new code, mainly indentation, blank lines, too
>>>>> long lines.
>>>>> Yes, in test definitions and option definitions it is better to keep the
>>>>> same style, but other parts of code should be PEP8.
>>>>>
>>>>> For example these should be fixed
>>>>> ./ipatests/test_xmlrpc/test_serviceconstraint_plugin.py:37:13: E225
>>>>> missing whitespace around operator
>>>>> ./ipatests/test_xmlrpc/test_serviceconstraint_plugin.py:39:1: E302
>>>>> expected 2 blank lines, found 1
>>>>> ./ipatests/test_xmlrpc/test_serviceconstraint_plugin.py:42:1: E302
>>>>> expected 2 blank lines, found 1
>>>>>
>>>>>>
>>>>>>
>>>>>> I'll wait and see what falls out of the API review before making any
>>>>>> real changes.
>>>>>>
>>>>>> rob
>>>
>>> Updated API and addressed Martin's concerns. The regex must have been
>>> a bad copy/paste, it is fixed now.
>>>
>>> The design page has been updated as well.
>>>
>>> rob
>>>
>> Hello,
>>
>> comments below, in the right thread:
>>
>> 1)
>> + Str(
>> + 'memberprincipal',
>> + label=_('Failed principals'),
>> + ),
>> + Str(
>> + 'ipaallowedtarget',
>> + label=_('Failed targets'),
>> + ),
>> + Str(
>> + 'servicedelegationrule',
>> + label=_('principal member'),
>> + ),
>> Are these names correct?
>> # ipa servicedelegationrule-find
>> ----------------------------------
>> 1 service delegation rule matched
>> ----------------------------------
>> Delegation name: ipa-http-delegation
>> Allowed Target: ipa-ldap-delegation-targets,
>> ipa-cifs-delegation-targets
>> Failed principals: HTTP/vm-093.example.com@EXAMPLE.COM
>
> Fixed.
>
>>
>>
>> 2)
>> + pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$',
>> + pattern_errmsg='may only include letters, numbers, _, -,
>> ., '
>> + 'and a space inside',
>>
>> This regex does not allow space inside
>> In [6]: print re.match(pattern, 'lalalala lalala')
>> None
>
> Fixed. I'm tempted to just drop this regex entirely. Other plugins
> have no such restrictions, but this should work better now.
>
>>
>> 3)
>> + yield Str('%s*' % name, cli_name='%ss' % name, doc=doc,
>> + label=_('member %s') % name,
>> + csv=True, alwaysask=True)
>>
>> IMHO CSV values should not be supported.
>> Honza told me, the option doesn't work anyway.
>
> Yeah, a copy and paste issue.
>
>> Patch with minor fixes attached.
>>
>> I removed unused code and PEP8 complaints
>
> Incorporated and fixed a number of other things, including some typos
> in the doc examples.
>
> rob
>
>

Thank you, ACK!

--
Martin Basti

From mbabinsk at redhat.com Wed Jun 3 09:37:32 2015
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Wed, 03 Jun 2015 11:37:32 +0200
Subject: [Freeipa-devel] Topology plugin quirks
Message-ID: <556ECADC.3090303@redhat.com>

Hi everyone,

I have been playing with the topology related patches and I have encountered a few issues that I would like to address in this thread:

1.) When replica install for whatever reason crashes _after_ the setup of replication agreements etc., it leaves the topology plugin with a dangling segment pointing to the dysfunctional node. An attempt to delete it leads to:

"""
ipa: ERROR: Server is unwilling to perform: Removal of Segment disconnects topology.Deletion not allowed.
"""

And you cannot reinstall the crashed replica because it complains about existing replication agreements. It would probably help to be able to force-remove the segments if one of the endpoints doesn't exist/respond.

2.) I was not able to figure out a way to remove a replica from the topology without explosions or tampering with 'cn=masters,cn=ipa,cn=etc,$SUFFIX'. Obviously ipa-replica-manage del doesn't work anymore (I have tried just for fun, it leads to SIGSEGV of the host's dirsrv and leaves dangling segments to the offending replica, leading to point 1).

I managed to remove a replica from the topology only by directly uninstalling FreeIPA on the node and then deleting its host entry from 'cn=masters'. Only after this was the plugin able to automagically remove the segments pointing to/from the removed node.

The design page suggests that it should be enough to uninstall IPA server on the replica. The plugin would then pick up the dangling segments and remove them automatically. However, this behavior seems to require additional modification of the uninstall procedure (e.g. the uninstalling replica should remove its entry from cn=masters).

3.) It seems that the removal of topology suffixes containing functioning segments is not handled well. I once tried to do this and it led to a segmentation fault on the dirsrv instance. What is the expected behavior in this scenario?

--
Martin^3 Babinsky

From jcholast at redhat.com Wed Jun 3 09:41:42 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 03 Jun 2015 11:41:42 +0200
Subject: [Freeipa-devel] [PATCH] Password vault
In-Reply-To: <556EAC46.3090300@redhat.com>
References: <54E1AF55.3060409@redhat.com> <54EBEB55.6010306@redhat.com> <54F96B22.9050507@redhat.com> <55004D5D.6060300@redhat.com> <550FE5EB.1070606@redhat.com> <551E0AE1.8040500@redhat.com> <553498D1.1020901@redhat.com> <55651209.8020000@redhat.com> <556558AA.6040107@redhat.com> <5566AB15.3070605@redhat.com> <5566ABAB.7050008@redhat.com> <556CF29A.9090404@redhat.com> <556D7FBD.4080207@redhat.com> <1433270074.4846.85.camel@willson.usersys.redhat.com> <556EAC46.3090300@redhat.com>
Message-ID: <556ECBD6.7040601@redhat.com>

On 3.6.2015 at 09:27, Martin Kosek wrote:
> On 06/02/2015 08:34 PM, Simo Sorce wrote:
>> On Tue, 2015-06-02 at 12:04 +0200, Jan Cholasta wrote:
>>> On 2.6.2015 at 02:02, Endi Sukma Dewata wrote:
>>>> On 5/28/2015 12:46 AM, Jan Cholasta wrote:
>>>>>> On a related note, since KRA is optional, can we move the vaults
>>>>>> container to cn=kra,cn=vaults? This is the convention used by the other
>>>>>> optional components (DNS and recently CA).
>>>>>
>>>>> I mean cn=vaults,cn=kra of course.
>>>>
>>>> If you are talking about the o=kra,, I'm not sure whether
>>>> the IPA framework will work with it.
>>>>
>>>> If you are talking about adding a new cn=kra, entry on top
>>>> of cn=vaults, what is the purpose of this entry? Is the entry going to
>>>> be created/deleted automatically when the KRA is installed/removed? Is
>>>> it going to be used for something else other than vaults?
>>>
>>> I'm talking about cn=kra,. It should be created only when
>>> KRA is installed, although I think this can be done later after the
>>> release, moving vaults to cn=kra should be good enough for now. It's
>>> going to be used for everything KRA-specific.
>>>
>>>>
>>>> There are a lot of questions that need to be answered before we can make
>>>> this change.
>>>
>>> This is about sticking to a convention, which everyone should do, and
>>> everyone except KRA already does.
>>>
>>> I'm sorry I didn't realize this earlier, but the change must be done now.
>>>
>>>> We probably should revisit this issue after the core vault
>>>> functionality is added.
>>>>
>>>
>>> We can't revisit it later because after release we are stuck with
>>> whatever is there forever.
>>>
>>> See attachment for a patch which implements the change.
>>>
>>
>> Shouldn't we s/kra/vault/ ?
>> After all the feature is called Vault, not KRA.
>
> I thought we are naming it by the name of the optional subsystem, not the
> feature itself. If for example, another feature from KRA is used, it would
> still live in cn=kra, no?

Correct.

--
Jan Cholasta

From ofayans at redhat.com Wed Jun 3 09:43:43 2015
From: ofayans at redhat.com (Oleg Fayans)
Date: Wed, 03 Jun 2015 11:43:43 +0200
Subject: [Freeipa-devel] Database error on replicas
In-Reply-To: <556EC466.1040006@redhat.com>
References: <556EBBBD.6060205@redhat.com> <556EBECE.8000508@redhat.com> <556EC466.1040006@redhat.com>
Message-ID: <556ECC4F.9000606@redhat.com>

Hi Ludwig,

Yep, all 3 hosts were up and running during this test execution.

On 06/03/2015 11:09 AM, Ludwig Krispenz wrote:
> Oleg,
>
> are the master and the replicas up and running? The error messages
> look like the dna plugin wants to establish an ldap connection to
> extend its range - and fails. I don't see how the topology plugin
> would interfere, but of course there could be a side effect.
>
> Ludwig
>
> On 06/03/2015 10:46 AM, Martin Babinsky wrote:
>> On 06/03/2015 10:33 AM, Oleg Fayans wrote:
>>> Hi,
>>>
>>> With the latest freeipa code containing Topology plugin patches, I am
>>> unable to make any changes in replicas.
>>>
>>> I have the following topology:
>>> replica1 <=> master <=> replica3
>>> Here is the output of the ipa topologysegment-find command:
>>>
>>> Suffix name: realm
>>> ------------------
>>> 2 segments matched
>>> ------------------
>>> Segment name: replica1.zaeba.li-to-testmaster.zaeba.li
>>> Left node: replica1.zaeba.li
>>> Right node: testmaster.zaeba.li
>>> Connectivity: both
>>>
>>> Segment name: replica3.zaeba.li-to-testmaster.zaeba.li
>>> Left node: replica3.zaeba.li
>>> Right node: testmaster.zaeba.li
>>> Connectivity: both
>>> ----------------------------
>>> Number of entries returned 2
>>> ----------------------------
>>>
>>>
>>> Any changes on master get replicated to replicas successfully. However,
>>> any attempts to change anything on replicas, for example, create a
>>> user,
>>> result in the error message about DatabaseError (attached).
>>>
>>> The corresponding part of the dirsrv log looks like this:
>>>
>>> 03/Jun/2015:04:11:55 -0400] slapi_ldap_bind - Error: could not perform
>>> interactive bind for id [] authentication mechanism [GSSAPI]: error -1
>>> (Can't contact LDAP server)
>>> [03/Jun/2015:04:15:02 -0400] slapi_ldap_bind - Error: could not send
>>> startTLS request: error -1 (Can't contact LDAP server) errno 0
>>> (Success)
>>> [03/Jun/2015:04:16:55 -0400] slapd_ldap_sasl_interactive_bind - Error:
>>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
>>> -1 (Can't contact LDAP server) ((null)) errno 2 (No such file or
>>> directory)
>>> [03/Jun/2015:04:16:55 -0400] slapi_ldap_bind - Error: could not perform
>>> interactive bind for id [] authentication mechanism [GSSAPI]: error -1
>>> (Can't contact LDAP server)
>>>
>>> The full log is attached
>>>
>>>
>>>
>> Hi Oleg,
>>
>> could you also post the output of 'journalctl -xe' related to dirsrv
>> (on master and also on replicas)? I have seen a couple of segfaults
>> there during reviewing Petr Vobornik's topology* commands.
>>
>

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

From jcholast at redhat.com Wed Jun 3 09:47:59 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 03 Jun 2015 11:47:59 +0200
Subject: [Freeipa-devel] [PATCH] 1112 Add service constraint delegation plugin
In-Reply-To: <556ECA36.4030703@redhat.com>
References: <555B4696.2070502@redhat.com> <555BA115.5070408@redhat.com> <555CB00B.3080309@redhat.com> <5565F29B.7000507@redhat.com> <5565FE97.6040202@redhat.com> <55660A2D.1080801@redhat.com> <5566D11B.3070505@redhat.com> <556A6CF4.5010603@redhat.com> <556DB7BD.9030101@redhat.com> <556E1759.6070108@redhat.com> <556ECA36.4030703@redhat.com>
Message-ID: <556ECD4F.2030408@redhat.com>

On 3.6.2015 at 11:34, Martin Basti wrote:
> On 02/06/15 22:51, Rob Crittenden wrote:
>> Martin Basti wrote:
>>> On 31/05/15 04:07, Rob Crittenden wrote:
>>>> Petr Vobornik wrote:
>>>>> On 05/27/2015 08:17 PM, Martin Basti wrote:
>>>>>> On 27/05/15 19:27, Rob Crittenden wrote:
>>>>>>> Martin Basti wrote:
>>>>>>>>>
>>>>>>>> Thank you.
>>>>>>>>
>>>>>>>> I haven't finished review yet, but I have a few notes in case you
>>>>>>>> will
>>>>>>>> modify the patch.
>>>>>>>>
>>>>>>>> Please fix the following issues:
>>>>>>>>
>>>>>>>
>>>>>>>> 3)
>>>>>>>> There are many PEP8 errors, can you fix some of them?
>>>>>>>
>>>>>>> Is PEP8 a concern? What kinds of errors do we fix? For example, the
>>>>>>> current model for defining options generates a slew of indentation
>>>>>>> errors.
>>>>>
>>>>> In old modules it's preferred to keep the old indentation style for
>>>>> options (not to mix 2 styles). New modules should use the following pep8
>>>>> compliant style:
>>>>> Str(
>>>>> 'cn',
>>>>> cli_name='name',
>>>>> primary_key=True,
>>>>> label=_('Server name'),
>>>>> doc=_('IPA server hostname'),
>>>>> ),
>>>>>
>>>>>> We try to keep PEP8 in new code, mainly indentation, blank lines, too
>>>>>> long lines.
>>>>>> Yes, in test definitions and option definitions it is better to keep the
>>>>>> same style, but other parts of code should be PEP8.
>>>>>>
>>>>>> For example these should be fixed
>>>>>> ./ipatests/test_xmlrpc/test_serviceconstraint_plugin.py:37:13: E225
>>>>>> missing whitespace around operator
>>>>>> ./ipatests/test_xmlrpc/test_serviceconstraint_plugin.py:39:1: E302
>>>>>> expected 2 blank lines, found 1
>>>>>> ./ipatests/test_xmlrpc/test_serviceconstraint_plugin.py:42:1: E302
>>>>>> expected 2 blank lines, found 1
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> I'll wait and see what falls out of the API review before making any
>>>>>>> real changes.
>>>>>>>
>>>>>>> rob
>>>>
>>>> Updated API and addressed Martin's concerns. The regex must have been
>>>> a bad copy/paste, it is fixed now.
>>>>
>>>> The design page has been updated as well.
>>>>
>>>> rob
>>>>
>>> Hello,
>>>
>>> comments below, in the right thread:
>>>
>>> 1)
>>> + Str(
>>> + 'memberprincipal',
>>> + label=_('Failed principals'),
>>> + ),
>>> + Str(
>>> + 'ipaallowedtarget',
>>> + label=_('Failed targets'),
>>> + ),
>>> + Str(
>>> + 'servicedelegationrule',
>>> + label=_('principal member'),
>>> + ),
>>> Are these names correct?
>>> # ipa servicedelegationrule-find
>>> ----------------------------------
>>> 1 service delegation rule matched
>>> ----------------------------------
>>> Delegation name: ipa-http-delegation
>>> Allowed Target: ipa-ldap-delegation-targets,
>>> ipa-cifs-delegation-targets
>>> Failed principals: HTTP/vm-093.example.com@EXAMPLE.COM
>>
>> Fixed.
>>
>>>
>>>
>>> 2)
>>> + pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$',
>>> + pattern_errmsg='may only include letters, numbers, _, -,
>>> ., '
>>> + 'and a space inside',
>>>
>>> This regex does not allow space inside
>>> In [6]: print re.match(pattern, 'lalalala lalala')
>>> None
>>
>> Fixed. I'm tempted to just drop this regex entirely. Other plugins
>> have no such restrictions, but this should work better now.
>>
>>>
>>> 3)
>>> + yield Str('%s*' % name, cli_name='%ss' % name, doc=doc,
>>> + label=_('member %s') % name,
>>> + csv=True, alwaysask=True)
>>>
>>> IMHO CSV values should not be supported.
>>> Honza told me, the option doesn't work anyway.
>>
>> Yeah, a copy and paste issue.
>>
>>> Patch with minor fixes attached.
>>>
>>> I removed unused code and PEP8 complaints
>>
>> Incorporated and fixed a number of other things, including some typos
>> in the doc examples.
>>
>> rob
>>
>>
>
> Thank you, ACK!
>

Pushed to master: a92328452dced34d6d6df7ad6fe585563bb909f6

--
Jan Cholasta

From ofayans at redhat.com Wed Jun 3 09:51:32 2015
From: ofayans at redhat.com (Oleg Fayans)
Date: Wed, 03 Jun 2015 11:51:32 +0200
Subject: [Freeipa-devel] Topology plugin quirks
In-Reply-To: <556ECADC.3090303@redhat.com>
References: <556ECADC.3090303@redhat.com>
Message-ID: <556ECE24.6000903@redhat.com>

I confirm every point of this.

On 06/03/2015 11:37 AM, Martin Babinsky wrote:
> Hi everyone,
>
> I have been playing with the topology related patches and I have
> encountered a few issues that I would like to address in this thread:
>
> 1.) When replica install for whatever reason crashes _after_ the setup
> of replication agreements etc., it leaves the topology plugin with
> a dangling segment pointing to the dysfunctional node. An attempt to
> delete it leads to:
>
> """
> ipa: ERROR: Server is unwilling to perform: Removal of Segment
> disconnects topology.Deletion not allowed.
> """

Furthermore, any attempts to delete a segment (even a properly set up one) lead to the very same error.

>
> And you cannot reinstall the crashed replica because it complains
> about existing replication agreements. It would probably help to be
> able to force-remove the segments if one of the endpoints doesn't
> exist/respond.
>
> 2.) I was not able to figure out a way to remove a replica from the
> topology without explosions or tampering with
> 'cn=masters,cn=ipa,cn=etc,$SUFFIX'. Obviously ipa-replica-manage del
> doesn't work anymore (I have tried just for fun, it leads to SIGSEGV
> of the host's dirsrv and leaves dangling segments to the offending
> replica, leading to point 1).
>
> I managed to remove a replica from the topology only by directly
> uninstalling FreeIPA on the node and then deleting its host entry
> from 'cn=masters'. Only after this was the plugin able to
> automagically remove the segments pointing to/from the removed node.
>
> The design page suggests that it should be enough to uninstall IPA
> server on the replica. The plugin would then pick up the dangling
> segments and remove them automatically. However, this behavior seems
> to require additional modification of the uninstall procedure (e.g.
> the uninstalling replica should remove its entry from cn=masters).
>
> 3.) It seems that the removal of topology suffixes containing
> functioning segments is not handled well. I once tried to do this and
> it led to a segmentation fault on the dirsrv instance. What is the
> expected behavior in this scenario?
>

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

From jcholast at redhat.com Wed Jun 3 09:53:26 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 03 Jun 2015 11:53:26 +0200
Subject: [Freeipa-devel] [PATCH] Password vault
In-Reply-To: <1433270458.4846.90.camel@willson.usersys.redhat.com>
References: <54E1AF55.3060409@redhat.com> <54EBEB55.6010306@redhat.com> <54F96B22.9050507@redhat.com> <55004D5D.6060300@redhat.com> <550FE5EB.1070606@redhat.com> <551E0AE1.8040500@redhat.com> <553498D1.1020901@redhat.com> <55651209.8020000@redhat.com> <556558AA.6040107@redhat.com> <556CF209.7050404@redhat.com> <556D48F3.7040902@redhat.com> <556D9C66.2080706@redhat.com> <1433270458.4846.90.camel@willson.usersys.redhat.com>
Message-ID: <556ECE96.2050808@redhat.com>

On 2.6.2015 at 20:40, Simo Sorce wrote:
> On Tue, 2015-06-02 at 07:07 -0500, Endi Sukma Dewata wrote:
>> On 6/2/2015 1:10 AM, Martin Kosek wrote:
>>> Hi Endi,
>>>
>>> Quickly skimming through your patches raised a couple of questions on my side:
>>>
>>> 1) Will it be possible to also store a plain text password via Vault? It
>>> talks about taking in the binary data or the text file, but will it also
>>> work with plain user secrets (passwords)? I am talking about use like this:
>>>
>>> # ipa vault-archive --user mkosek --data Secret123
>>
>> For security the plain text password should be stored in a file first:
>>
>> # vi password.txt
>> # ipa vault-archive --user mkosek --in password.txt
>>
>> It's also possible to specify the password as base-64 encoded data:
>>
>> # echo -n Secret123 | base64
>> # ipa vault-archive --user mkosek --data U2VjcmV0MTIz
>>
>> But it's not recommended since the data will be stored in the command
>> history and someone could see and decode it. I think passing a plain
>> text password as a command line argument would be even worse. The --data
>> parameter is mainly used for unit testing.
>>
>> Later we might be able to add an option to read from standard input:
>>
>> # cat password.txt | ipa vault-archive --user mkosek --std-in
>
> Yes please, a way to pass in via stdin is extremely useful, as leaving
> files on the filesystem is also a big risk.

This will not work well, it should use the normal prompting mechanism:

$ ipa vault-archive --user
Data:

--
Jan Cholasta

From lkrispen at redhat.com Wed Jun 3 10:23:05 2015
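The secret-input choices argued over in this exchange (a file via --in, base64 on the command line via --data, the proposed stdin option, and Jan's interactive prompt), as an added Python example that is not part of the thread or of FreeIPA's own code: read_secret, SecretInputError and the demo main are assumptions of this example rather than ipa's API, and the sample secret values in the comments are constructed.

```python
import argparse
import base64
import binascii
import getpass
import io
import sys
from pathlib import Path
from typing import Callable, Optional


class SecretInputError(ValueError):
    """Raised when the secret could not be read or decoded (hypothetical)."""


def decode_base64_data(data: str) -> bytes:
    """Decode a --data style base64 argument, rejecting malformed input.

    validate=True turns characters outside the base64 alphabet into an
    error instead of silently dropping them, so a mangled value is caught
    here rather than archived as garbage.
    """
    try:
        return base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError) as e:
        raise SecretInputError("--data is not valid base64: %s" % e)


def read_secret(in_file: Optional[str] = None,
                data: Optional[str] = None,
                stdin: Optional[io.BufferedIOBase] = None,
                prompt: Callable[[str], str] = getpass.getpass) -> bytes:
    """Obtain the secret to archive from exactly one source (hypothetical).

    in_file: path of a file holding the raw secret (the --in option)
    data:    base64 text from the command line (the --data option); the
             value ends up in shell history and process listings
    stdin:   a binary stream such as sys.stdin.buffer (the proposed --std-in)
    none:    prompt with echo disabled, the mechanism Jan recommends; it
             leaves no trace on disk or on the command line
    """
    given = [s for s in (in_file, data, stdin) if s is not None]
    if len(given) > 1:
        raise SecretInputError("specify only one of --in, --data or stdin")
    if in_file is not None:
        path = Path(in_file)
        if not path.is_file():
            raise SecretInputError("%s is not a regular file" % in_file)
        secret = path.read_bytes()  # raw bytes, so binary data is fine
    elif data is not None:
        secret = decode_base64_data(data)
    elif stdin is not None:
        secret = stdin.read()
        # "cat password.txt |" and editors append a newline that is not
        # part of the secret; binary content should go through --in.
        if secret.endswith(b"\n"):
            secret = secret[:-1]
    else:
        secret = prompt("Data: ").encode("utf-8")
    if not secret:
        raise SecretInputError("empty secret")
    return secret


def main(argv=None) -> int:
    """Tiny CLI around read_secret; stands in for the ipa command here."""
    parser = argparse.ArgumentParser(description="archive a secret (demo)")
    parser.add_argument("--in", dest="in_file", help="file holding the secret")
    parser.add_argument("--data", help="base64 secret (lands in shell history)")
    parser.add_argument("--std-in", dest="use_stdin", action="store_true",
                        help="read the secret from standard input")
    args = parser.parse_args(argv)
    try:
        secret = read_secret(in_file=args.in_file, data=args.data,
                             stdin=sys.stdin.buffer if args.use_stdin else None)
    except SecretInputError as e:
        print("error: %s" % e, file=sys.stderr)
        return 1
    # A real client would now hand the bytes to the vault; only the length
    # is shown so the secret never reaches the terminal.
    print("read %d bytes; would archive them now" % len(secret))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```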
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Wed, 03 Jun 2015 12:23:05 +0200
Subject: [Freeipa-devel] Topology plugin quirks
In-Reply-To: <556ECE24.6000903@redhat.com>
References: <556ECADC.3090303@redhat.com> <556ECE24.6000903@redhat.com>
Message-ID: <556ED589.4020408@redhat.com>

On 06/03/2015 11:51 AM, Oleg Fayans wrote:
> I confirm every point of this.

did you test with all the latest patches applied? In your issues you refer to crashes, the crashes reported should be resolved, if you still have crashes, please provide a core dump or scenario to reproduce the crash.
With patch0009 ipa-replica-manage del worked for me

>
> On 06/03/2015 11:37 AM, Martin Babinsky wrote:
>> Hi everyone,
>>
>> I have been playing with the topology related patches and I have
>> encountered a few issues that I would like to address in this thread:
>>
>> 1.) When replica install for whatever reason crashes _after_ the
>> setup of replication agreements etc., it leaves the topology plugin
>> with a dangling segment pointing to the dysfunctional node. An attempt
>> to delete it leads to:
>>
>> """
>> ipa: ERROR: Server is unwilling to perform: Removal of Segment
>> disconnects topology.Deletion not allowed.
>> """
> Furthermore, any attempts to delete a segment (even a properly set up
> one) lead to the very same error.
>>
>> And you cannot reinstall the crashed replica because it complains
>> about existing replication agreements. It would probably help to be
>> able to force-remove the segments if one of the endpoints doesn't
>> exist/respond.
>>
>> 2.) I was not able to figure out a way to remove a replica from the
>> topology without explosions or tampering with
>> 'cn=masters,cn=ipa,cn=etc,$SUFFIX'. Obviously ipa-replica-manage del
>> doesn't work anymore (I have tried just for fun, it leads to SIGSEGV
>> of the host's dirsrv and leaves dangling segments to the offending
>> replica, leading to point 1).
>>
>> I managed to remove a replica from the topology only by directly
>> uninstalling FreeIPA on the node and then deleting its host entry
>> from 'cn=masters'. Only after this was the plugin able to
>> automagically remove the segments pointing to/from the removed node.
>>
>> The design page suggests that it should be enough to uninstall IPA
>> server on the replica. The plugin would then pick up the dangling
>> segments and remove them automatically. However, this behavior seems
>> to require additional modification of the uninstall procedure (e.g.
>> the uninstalling replica should remove its entry from cn=masters).
>>
>> 3.) It seems that the removal of topology suffixes containing
>> functioning segments is not handled well. I once tried to do this and
>> it led to a segmentation fault on the dirsrv instance. What is the
>> expected behavior in this scenario?
>>
>

From lkrispen at redhat.com Wed Jun 3 10:31:18 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Wed, 03 Jun 2015 12:31:18 +0200
Subject: [Freeipa-devel] Topology plugin quirks
In-Reply-To: <556ECADC.3090303@redhat.com>
References: <556ECADC.3090303@redhat.com>
Message-ID: <556ED776.9080801@redhat.com>

On 06/03/2015 11:37 AM, Martin Babinsky wrote:
> Hi everyone,
>
> I have been playing with the topology related patches and I have
> encountered a few issues that I would like to address in this thread:
>
> 1.) When replica install for whatever reason crashes _after_ the setup
> of replication agreements etc., it leaves the topology plugin with
> a dangling segment pointing to the dysfunctional node. An attempt to
> delete it leads to:
>
> """
> ipa: ERROR: Server is unwilling to perform: Removal of Segment
> disconnects topology.Deletion not allowed.

if the endpoints of the segments are still in the managed master list and there is no other path connecting these two nodes the behaviour is correct. You need to remove the master first, the segment should be removed automatically. ipa-replica-manage del should do this, it worked for me with the latest patches. Can you provide a scenario where it fails?

> """
>
> And you cannot reinstall the crashed replica because it complains
> about existing replication agreements. It would probably help to be
> able to force-remove the segments if one of the endpoints doesn't
> exist/respond.
>
> 2.) I was not able to figure out a way to remove a replica from the
> topology without explosions or tampering with
> 'cn=masters,cn=ipa,cn=etc,$SUFFIX'. Obviously ipa-replica-manage del
> doesn't work anymore (I have tried just for fun, it leads to SIGSEGV
> of the host's dirsrv and leaves dangling segments to the offending
> replica, leading to point 1).
>
> I managed to remove a replica from the topology only by directly
> uninstalling FreeIPA on the node and then deleting its host entry
> from 'cn=masters'. Only after this was the plugin able to
> automagically remove the segments pointing to/from the removed node.
>
> The design page suggests that it should be enough to uninstall IPA
> server on the replica. The plugin would then pick up the dangling
> segments and remove them automatically. However, this behavior seems
> to require additional modification of the uninstall procedure (e.g.
> the uninstalling replica should remove its entry from cn=masters).
>
> 3.) It seems that the removal of topology suffixes containing
> functioning segments is not handled well. I once tried to do this and
> it led to a segmentation fault on the dirsrv instance. What is the
> expected behavior in this scenario?
>

From mbabinsk at redhat.com Wed Jun 3 10:40:55 2015
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Wed, 03 Jun 2015 12:40:55 +0200
Subject: [Freeipa-devel] Topology plugin quirks
In-Reply-To: <556ED589.4020408@redhat.com>
References: <556ECADC.3090303@redhat.com> <556ECE24.6000903@redhat.com> <556ED589.4020408@redhat.com>
Message-ID: <556ED9B7.2050202@redhat.com>

On 06/03/2015 12:23 PM, Ludwig Krispenz wrote:
>
> On 06/03/2015 11:51 AM, Oleg Fayans wrote:
>> I confirm every point of this.
> did you test with all the latest patches applied? In your issues you
> refer to crashes, the crashes reported should be resolved, if you still
> have crashes, please provide a core dump or scenario to reproduce the crash.
> With patch0009 ipa-replica-manage del worked for me
>

I think I have missed this patch before, I will test it again with patch
0009 applied.

>>
>> On 06/03/2015 11:37 AM, Martin Babinsky wrote:
>>> Hi everyone,
>>>
>>> I have been playing with the topology related patches and I have
>>> encountered a few issues that I would like to address in this thread:
>>>
>>> 1.) When replica install for whatever reason crashes _after_ the
>>> setup of replication agreements etc., it leaves the topology plugin
>>> with dangling segment pointing to the dysfunctional node. An attempt
>>> to delete it leads to:
>>>
>>> """
>>> ipa: ERROR: Server is unwilling to perform: Removal of Segment
>>> disconnects topology.Deletion not allowed.
>>> """
>> Furthermore, any attempts to delete a segment (even a properly setup
>> one) lead to the same very error.
>>>
>>> And you cannot reinstall the crashed replica because it complains
>>> about existing replication agreements. It would probably help to be
>>> able to force-remove the segments if one of the endpoints doesn't
>>> exist/respond.
>>>
>>> 2.) I was not able to figure out a way to remove replica from the
>>> topology without explosions or tampering
>>> 'cn=masters,cn=ipa,cn=etc,$SUFFIX'. Obviously ipa-replica-manage del
>>> doesn't work anymore (I have tried just for fun, it leads to SIGSEGV
>>> of the host's dirsrv and leaves dangling segments to offending
>>> replica, leading to point 1).
>>>
>>> I managed to remove replica from the topology only by directly
>>> uninstalling FreeIPA on the node and then deleting its host entry
>>> from 'cn=masters'. Only after this was the plugin able to
>>> automagically remove the segments pointing to/from the removed node.
>>>
>>> The design page suggests that it should be enough to uninstall IPA
>>> server on the replica. The plugin would then pick up the dangling
>>> segments and remove them automatically. However, this behavior seems
>>> to require additional modification of the uninstall procedure (e.g.
>>> the uninstalling replica should remove its entry from cn=masters).
>>>
>>> 3.) It seems that the removal of topology suffixes containing
>>> functioning segments is not handled well. I once tried to do this and
>>> it led to a segmentation fault on the dirsrv instance. What is the
>>> expected behavior in this scenario?
>>>
>>
>

--
Martin^3 Babinsky
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 03 Jun 2015 12:51:48 +0200
Subject: [Freeipa-devel] Topology plugin quirks
In-Reply-To: <556ECADC.3090303@redhat.com>
References: <556ECADC.3090303@redhat.com>
Message-ID: <556EDC44.8050006@redhat.com>

On 06/03/2015 11:37 AM, Martin Babinsky wrote:
> Hi everyone,
>
> I have been playing with the topology related patches and I have
> encountered a few issues that I would like to address in this thread:
>

Additional stuff:

1. was able to add duplicate segment
   - same left and right node
   - same direction
   - different cn

   It did not allow me to remove it:
   """
   Server is unwilling to perform: Removal of Segment disconnects topology.Deletion not allowed.
   """

2. topology plugin allows to create reflexive relation from the invalid duplicates (#1):

   A -> B
   A -> B

   to

   A -> A
   B -> B

   I.e. an effective disconnect. It is forbidden in `ipa topologysegment-mod` but I think that even the plugin should not allow that.

3. attempt to delete the invalid reflexive or duplicate segment ends with:
   """
   Server is unwilling to perform: Removal of Segment disconnects topology.Deletion not allowed.
   """

--
Petr Vobornik
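The segment rules argued over in this thread (Ludwig's explanation of when "Removal of Segment disconnects topology" is the correct answer, and Petr's duplicate and reflexive segments just above) as a small Python model. This is an added illustration for the archive, not the topology plugin's own code: the host names and cn values are constructed, and the connectivity check treats every segment as an undirected link regardless of its direction, which is a simplification of what the plugin does.

```python
"""Replication-topology segment rules, modelled in plain Python.

Added example, not the FreeIPA topology plugin's own code.  It captures the
behaviour discussed in the thread so the refusals can be reasoned about:

* deleting a segment is refused with "Removal of Segment disconnects
  topology" when both endpoints are still managed masters and no other
  path connects them; a segment whose endpoint is no longer a master is
  dangling and may be deleted;
* removing a master (what ipa-replica-manage del does) drops every segment
  touching it, so a dangling segment never has to be deleted by hand;
* reflexive segments (A -> A) and duplicates (same endpoints, same
  direction, different cn) are rejected at creation time.

Assumptions: connectivity is checked on the undirected graph of segments
regardless of direction (a simplification); host names and cn values are
constructed sample data.
"""
from collections import defaultdict

LEFT_RIGHT, RIGHT_LEFT, BOTH = 'left-right', 'right-left', 'both'


class TopologyError(Exception):
    """Raised where the real server answers 'unwilling to perform'."""


class Topology(object):
    def __init__(self, masters):
        self.masters = set(masters)
        self.segments = {}  # cn -> (left, right, direction)

    def _adjacency(self, skip=None):
        """Undirected adjacency over all segments except `skip`."""
        adj = defaultdict(set)
        for cn, (left, right, _direction) in self.segments.items():
            if cn != skip:
                adj[left].add(right)
                adj[right].add(left)
        return adj

    def _connected(self, start, goal, skip=None):
        """Depth-first search: is `goal` reachable from `start` without `skip`?"""
        adj = self._adjacency(skip)
        seen, stack = {start}, [start]
        while stack:
            node = stack.pop()
            if node == goal:
                return True
            for nxt in adj[node] - seen:
                seen.add(nxt)
                stack.append(nxt)
        return False

    def add_segment(self, cn, left, right, direction=BOTH):
        """Create a segment; reject reflexive, foreign-endpoint and duplicate ones."""
        if left == right:
            raise TopologyError('reflexive segment %s -> %s not allowed' % (left, right))
        if left not in self.masters or right not in self.masters:
            raise TopologyError('endpoint of %s is not a managed master' % cn)
        for other, (l, r, d) in self.segments.items():
            if (l, r, d) == (left, right, direction):
                raise TopologyError('%s duplicates segment %s' % (cn, other))
        self.segments[cn] = (left, right, direction)

    def delete_segment(self, cn):
        """Delete a segment unless that would split the managed masters."""
        left, right, _direction = self.segments[cn]
        both_managed = left in self.masters and right in self.masters
        if both_managed and not self._connected(left, right, skip=cn):
            raise TopologyError('Removal of Segment disconnects topology. '
                                'Deletion not allowed.')
        del self.segments[cn]

    def remove_master(self, host):
        """Drop a master and every segment touching it; return the dropped cns."""
        self.masters.discard(host)
        dangling = sorted(cn for cn, (l, r, _d) in self.segments.items()
                          if host in (l, r))
        for cn in dangling:
            del self.segments[cn]
        return dangling


def rejected(call, *args):
    """True if `call(*args)` is refused with TopologyError (used by the checks)."""
    try:
        call(*args)
    except TopologyError:
        return True
    return False
```

The model makes the ordering Ludwig describes explicit: while a crashed replica is still listed as a master, the segment towards it is protected by the connectivity rule; once the host is taken out of the master list (`remove_master`, or the manual `cn=masters` edit in Martin's report) the same segment is dangling and deletable.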
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 03 Jun 2015 13:17:54 +0200
Subject: [Freeipa-devel] [PATCH 0014 v3] Support multiple user and host certificates
In-Reply-To: <556DB7BB.5090600@redhat.com>
References: <20150527135315.GC24915@dhcp-40-8.bne.redhat.com> <5565ED02.6060709@redhat.com> <20150528111804.GA23523@dhcp-40-8.bne.redhat.com> <20150601044027.GH23523@dhcp-40-8.bne.redhat.com> <556C5525.8080305@redhat.com> <20150602094227.GR23523@dhcp-40-8.bne.redhat.com> <556D8713.5030101@redhat.com> <556DB7BB.5090600@redhat.com>
Message-ID: <556EE262.9070204@redhat.com>

On 02/06/15 16:03, Jan Cholasta wrote:
> Dne 2.6.2015 v 12:36 Martin Basti napsal(a):
>> On 02/06/15 11:42, Fraser Tweedale wrote:
>>> On Mon, Jun 01, 2015 at 02:50:45PM +0200, Martin Basti wrote:
>>>> On 01/06/15 06:40, Fraser Tweedale wrote:
>>>>> New version of patch; ``{host,service}-show --out=FILE`` now writes
>>>>> all certs to FILE. Rebased on latest master.
>>>>>
>>>>> Thanks,
>>>>> Fraser
>>>>>
>>>>> On Thu, May 28, 2015 at 09:18:04PM +1000, Fraser Tweedale wrote:
>>>>>> Updated patch attached. Notably restores/adds revocation behaviour
>>>>>> to host-mod and service-mod.
>>>>>>
>>>>>> Thanks,
>>>>>> Fraser
>>>>>>
>>>>>> On Wed, May 27, 2015 at 06:12:50PM +0200, Martin Basti wrote:
>>>>>>> On 27/05/15 15:53, Fraser Tweedale wrote:
>>>>>>>> This patch adds support for multiple user / host
>>>>>>>> certificates. No
>>>>>>>> schema change is needed ('usercertificate' attribute is already
>>>>>>>> multi-value). The revoke-previous-cert behaviour of host-mod and
>>>>>>>> user-mod has been removed but revocation behaviour of -del and
>>>>>>>> -disable is preserved.
>>>>>>>>
>>>>>>>> The latest profiles/caacl patchset (0001..0013 v5) depends on this
>>>>>>>> patch for correct cert-request behaviour.
>>>>>>>>
>>>>>>>> There is one design question (or maybe more, let me know): the
>>>>>>>> `--out=FILENAME' option to {host,service} show saves ONE
>>>>>>>> certificate
>>>>>>>> to the named file. I propose to either:
>>>>>>>>
>>>>>>>> a) write all certs, suffixing suggested filename with either a
>>>>>>>> sequential numerical index, e.g. "cert.pem" becomes
>>>>>>>> "cert.pem.1", "cert.pem.2", and so on; or
>>>>>>>>
>>>>>>>> b) as above, but suffix with serial number and, if there are
>>>>>>>> different issuers, some issuer-identifying information.
>>>>>>>>
>>>>>>>> Let me know your thoughts.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Fraser
>>>>>>>>
>>>>>>>>
>>>>>>> Is there a possible way to store certificates into one file?
>>>>>>> I read about possibilities to have multiple certs in one .pem
>>>>>>> file, but I'm
>>>>>>> not cert guru :)
>>>>>>>
>>>>>>> I personally vote for serial number in case there are multiple
>>>>>>> certificates,
>>>>>>> if ^ is not possible.
>>>>>>>
>>>>>>>
>>>>>>> 1)
>>>>>>> + if len(certs) > 0:
>>>>>>>
>>>>>>> please use only,
>>>>>>> if certs:
>>>>>>>
>>>>>>> 2)
>>>>>>> You need to re-generate API/ACI.txt in this patch
>>>>>>>
>>>>>>> 3)
>>>>>>> syntax error:
>>>>>>> + for dercert in certs_der
>>>>>>>
>>>>>>>
>>>>>>> 4)
>>>>>>> command
>>>>>>> ipa user-mod ca_user --certificate=
>>>>>>>
>>>>>>> removes the current certificate from the LDAP, by design.
>>>>>>> Should the old certificate(s) be revoked? You removed that part in
>>>>>>> the code.
>>>>>>>
>>>>>>> only the --addattr='usercertificate=' appends new value there
>>>>>>>
>>>>>>> --
>>>>>>> Martin Basti
>>>>>>>
>>>> My objections/proposed solutions in attached patch.
>>>>
>>>> * VERSION
>>>> * In the previous version normalized values were stored in LDAP, so I
>>>> added
>>>> it back. (I don't know why there is no normalization in param
>>>> settings, but
>>>> normalization for every certificate is done in callback. I will file a
>>>> ticket for this)
>>>> * IMO only normalized certificates should be compared in the old
>>>> certificates detection
>>>>
>>> I incorporated your suggested changes in new patch (attached).
>>>
>>> There were no proposed changes to the other patchset (0001..0013)
>>> since rebase.
>>>
>>> Thanks,
>>> Fraser
>> Thank you,
>> ACK
>> Martin^2
>>
>
> Pushed to master: 7f7c247bb5a4b0030d531f4f14c156162e808212
>

Regression found.

Patch to fix the issue is attached.

--
Martin Basti
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0263-Fix-regression-in-host-and-service-plugin.patch
Type: text/x-patch
Size: 3309 bytes
Desc: not available
URL:
From: ofayans at redhat.com (Oleg Fayans)
Date: Wed, 03 Jun 2015 13:32:54 +0200
Subject: [Freeipa-devel] Topology plugin quirks
In-Reply-To: <556ED589.4020408@redhat.com>
References: <556ECADC.3090303@redhat.com> <556ECE24.6000903@redhat.com> <556ED589.4020408@redhat.com>
Message-ID: <556EE5E6.10007@redhat.com>

Hi Ludwig

On 06/03/2015 12:23 PM, Ludwig Krispenz wrote:
>
> On 06/03/2015 11:51 AM, Oleg Fayans wrote:
>> I confirm every point of this.
> did you test with all the latest patches applied? In your issues you
> refer to crashes, the crashes reported should be resolved, if you
> still have crashes, please provide a core dump or scenario to reproduce
> the crash.
> With patch0009 ipa-replica-manage del worked for me

Yep, patch 0009 is applied.
The full list of patches applied on top of the master branch (at its
state yesterday at 10 PM) is as follows:

freeipa-lkrispen-0007-replica-install-fails-with-domain-level-1.patch
freeipa-lkrispen-0008-plugin-uses-1-as-minimum-domain-level-to-become-acti.patch
freeipa-lkrispen-0009-crash-when-removing-a-replica.patch
freeipa-mbasti-0262-Installers-fix-remove-temporal-ccache.patch
freeipa-pvoborni-0857-1-topology-ipa-management-commands.patch
freeipa-pvoborni-0858-1-webui-IPA.command_dialog-a-new-dialog-base-class.patch
freeipa-pvoborni-0859-1-webui-use-command_dialog-as-a-base-class-for-passwor.patch
freeipa-pvoborni-0860-1-webui-make-usage-of-all-in-details-facet-optional.patch
freeipa-pvoborni-0861-2-webui-topology-plugin.patch
freeipa-pvoborni-0862-webui-configurable-refresh-command.patch

The scenario is pretty basic:
1. 3 fedora-21 vms with the latest directory server packages from
   mreynolds repo: 389-ds-base-2015_06_02-1.fc21.x86_64
2. setup master on one of them, prepare gpg files for two replicas
3. setup replicas using these gpg files.
4. Try to remove one of the replicas using command `ipa topologysegment-del`
5. Try to create a new user via web UI on any of the replicas

>
>>
>> On 06/03/2015 11:37 AM, Martin Babinsky wrote:
>>> Hi everyone,
>>>
>>> I have been playing with the topology related patches and I have
>>> encountered a few issues that I would like to address in this thread:
>>>
>>> 1.) When replica install for whatever reason crashes _after_ the
>>> setup of replication agreements etc., it leaves the topology plugin
>>> with dangling segment pointing to the dysfunctional node. An attempt
>>> to delete it leads to:
>>>
>>> """
>>> ipa: ERROR: Server is unwilling to perform: Removal of Segment
>>> disconnects topology.Deletion not allowed.
>>> """
>> Furthermore, any attempts to delete a segment (even a properly setup
>> one) lead to the same very error.
>>>
>>> And you cannot reinstall the crashed replica because it complains
>>> about existing replication agreements. It would probably help to be
>>> able to force-remove the segments if one of the endpoints doesn't
>>> exist/respond.
>>>
>>> 2.) I was not able to figure out a way to remove replica from the
>>> topology without explosions or tampering
>>> 'cn=masters,cn=ipa,cn=etc,$SUFFIX'. Obviously ipa-replica-manage del
>>> doesn't work anymore (I have tried just for fun, it leads to SIGSEGV
>>> of the host's dirsrv and leaves dangling segments to offending
>>> replica, leading to point 1).
>>>
>>> I managed to remove replica from the topology only by directly
>>> uninstalling FreeIPA on the node and then deleting its host entry
>>> from 'cn=masters'. Only after this was the plugin able to
>>> automagically remove the segments pointing to/from the removed node.
>>>
>>> The design page suggests that it should be enough to uninstall IPA
>>> server on the replica. The plugin would then pick up the dangling
>>> segments and remove them automatically. However, this behavior seems
>>> to require additional modification of the uninstall procedure (e.g.
>>> the uninstalling replica should remove its entry from cn=masters).
>>>
>>> 3.) It seems that the removal of topology suffixes containing
>>> functioning segments is not handled well. I once tried to do this
>>> and it led to a segmentation fault on the dirsrv instance. What is the
>>> expected behavior in this scenario?
>>>
>>
>

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 03 Jun 2015 13:34:04 +0200
Subject: [Freeipa-devel] [PATCH] 857 topology: ipa management commands
In-Reply-To: <556EC1EA.4010701@redhat.com>
References: <556448B3.9050105@redhat.com> <556475AF.7060301@redhat.com> <556EC036.2070700@redhat.com> <556EC1EA.4010701@redhat.com>
Message-ID: <556EE62C.8010109@redhat.com>

On 06/03/2015 10:59 AM, Martin Babinsky wrote:
> On 06/03/2015 10:52 AM, Martin Babinsky wrote:
>> On 05/26/2015 03:31 PM, Petr Vobornik wrote:
>>> On 05/26/2015 12:19 PM, Petr Vobornik wrote:
>>>> this patch is based on top of my patch #856 and tbabej's 325-9.
>>>>
>>>> Obsoletes Ludwig's 0006.
>>>>
>>>> ipalib part of topology management
>>>>
>>>> Design:
>>>> - http://www.freeipa.org/page/V4/Manage_replication_topology
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/4302
>>>>
>>>>
>>>
>>> New version attached:
>>> - domainlevel_show usage changed to domainlevel_get
>>> - updated VERSION
>>> - added more attrs to default_attributes
>>>
>>>
>>
>> Hi Petr,
>>
>> the commands themselves seem to work just fine. I had encountered some
>> quirks in the underlying topology plugin, but I will address them in a
>> different thread in order to keep the discussion relevant to the
>> reviewed patch.
>>
>> I have some minor comments below:
>>
>> 1.)
>> IPA_API_VERSION_MAJOR=2
>> -IPA_API_VERSION_MINOR=121
>> -# Last change: pvoborni - added server-find and server-show
>> +IPA_API_VERSION_MINOR=122
>> +# Last change: pvoborni - added topology management commands
>>
>> Several people were touching API in the meantime so please double-check
>> that you have correct VERSION and regenerate API.txt

Patch rebased.

>>
>> 2.)
>>
>> + Str(
>> + 'nsds5replicatedattributelist?',
>> + cli_name='replattrs',
>> + label='Attributes to replicate',
>> + doc=_('Attributes that are not replicated to a consumer
>> server '
>> + 'during a fractional update. E.g., `(objectclass=*) '
>> + '$ EXCLUDE accountlockout memberof'),
>> + ),
>> + Str(
>> + 'nsds5replicatedattributelisttotal?',
>> + cli_name='replattrstotal',
>> + label=_('Attributes for total update'),
>> + doc=_('Attributes that are not replicated to a consumer
>> server '
>> + 'during a total update. E.g. (objectclass=*) $
>> EXCLUDE '
>> + 'accountlockout'),
>>
>> The descriptions of these two options confused me greatly, are these
>> attributes supposed to be replicated or not, or is there some more
>> complex logic behind them that I failed to grasp? I am cc'ing Ludwig, he
>> can probably explain them to us and then we can decide whether we may
>> alter the descriptions to be less confusing.
>>
>> 3.)
>>
>> + takes_params = (
>> + Str(
>> + 'cn',
>> + cli_name='name',
>> + primary_key=True,
>> + label=_('Suffix name'),
>> + ),
>> + Str(
>> + 'iparepltopoconfroot',
>> + maxlength=255,
>> + cli_name='suffix',
>> + label=_('Suffix to be managed'),
>> + normalizer=lambda value: value.lower(),
>> + ),
>> + )
>>
>> This also confused me at first, I suggest to change the label of
>> 'iparepltopoconfroot' to something like 'LDAP suffix to be managed' or
>> 'LDAP subtree to be managed'.

Changed to 'LDAP suffix to be managed'

>>
>> 4.)
>>
>> There is currently no way to rename existing topology segments/suffixes.
>> In the case of hosts with funky FQDN's (pointing at you, ABC lab), the
>> segment cn's created during replica installs are nearly impossible to
>> remember and it would be nice to rename them to something more
>> manageable. However, this is not related to core functionality and can
>> be a subject of a separate patch once this gets pushed.
>>
>> That's all from my side.
>>
>
> I also forgot to ask what is the expected policy when deleting a
> non-empty topology suffix. If this is not supported and you have to
> first remove all segments and then the suffix itself, the
> 'topologysuffix-del' command should issue an error pointing the user to
> correct procedure.
>

Do we have a use case for creation or deletion of topology suffix?

--
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0857-2-topology-ipa-management-commands.patch
Type: text/x-patch
Size: 27572 bytes
Desc: not available
URL:
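Review bot: in the excerpt under 2.) the `label` of the `nsds5replicatedattributelist?` parameter is a bare string (`label='Attributes to replicate'`) while every other label in the same excerpt is wrapped for translation (`label=_('Attributes for total update')`, `label=_('Suffix name')`, `label=_('Suffix to be managed')`); wrap it as `label=_('Attributes to replicate')` so this option is localizable like its siblings and the CLI help is not half translated.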
From: mkubik at redhat.com (Milan Kubik)
Date: Wed, 03 Jun 2015 13:55:47 +0200
Subject: [Freeipa-devel] [PATCH 0014 v3] Support multiple user and host certificates
In-Reply-To: <556EE262.9070204@redhat.com>
References: <20150527135315.GC24915@dhcp-40-8.bne.redhat.com> <5565ED02.6060709@redhat.com> <20150528111804.GA23523@dhcp-40-8.bne.redhat.com> <20150601044027.GH23523@dhcp-40-8.bne.redhat.com> <556C5525.8080305@redhat.com> <20150602094227.GR23523@dhcp-40-8.bne.redhat.com> <556D8713.5030101@redhat.com> <556DB7BB.5090600@redhat.com> <556EE262.9070204@redhat.com>
Message-ID: <556EEB43.7020108@redhat.com>

On 06/03/2015 01:17 PM, Martin Basti wrote:
> On 02/06/15 16:03, Jan Cholasta wrote:
>> Dne 2.6.2015 v 12:36 Martin Basti napsal(a):
>>> On 02/06/15 11:42, Fraser Tweedale wrote:
>>>> On Mon, Jun 01, 2015 at 02:50:45PM +0200, Martin Basti wrote:
>>>>> On 01/06/15 06:40, Fraser Tweedale wrote:
>>>>>> New version of patch; ``{host,service}-show --out=FILE`` now writes
>>>>>> all certs to FILE. Rebased on latest master.
>>>>>>
>>>>>> Thanks,
>>>>>> Fraser
>>>>>>
>>>>>> On Thu, May 28, 2015 at 09:18:04PM +1000, Fraser Tweedale wrote:
>>>>>>> Updated patch attached. Notably restores/adds revocation behaviour
>>>>>>> to host-mod and service-mod.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Fraser
>>>>>>>
>>>>>>> On Wed, May 27, 2015 at 06:12:50PM +0200, Martin Basti wrote:
>>>>>>>> On 27/05/15 15:53, Fraser Tweedale wrote:
>>>>>>>>> This patch adds support for multiple user / host
>>>>>>>>> certificates. No
>>>>>>>>> schema change is needed ('usercertificate' attribute is already
>>>>>>>>> multi-value). The revoke-previous-cert behaviour of host-mod and
>>>>>>>>> user-mod has been removed but revocation behaviour of -del and
>>>>>>>>> -disable is preserved.
>>>>>>>>>
>>>>>>>>> The latest profiles/caacl patchset (0001..0013 v5) depends on
>>>>>>>>> this
>>>>>>>>> patch for correct cert-request behaviour.
>>>>>>>>>
>>>>>>>>> There is one design question (or maybe more, let me know): the
>>>>>>>>> `--out=FILENAME' option to {host,service} show saves ONE
>>>>>>>>> certificate
>>>>>>>>> to the named file. I propose to either:
>>>>>>>>>
>>>>>>>>> a) write all certs, suffixing suggested filename with either a
>>>>>>>>> sequential numerical index, e.g. "cert.pem" becomes
>>>>>>>>> "cert.pem.1", "cert.pem.2", and so on; or
>>>>>>>>>
>>>>>>>>> b) as above, but suffix with serial number and, if there are
>>>>>>>>> different issuers, some issuer-identifying information.
>>>>>>>>>
>>>>>>>>> Let me know your thoughts.
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Fraser
>>>>>>>>>
>>>>>>>>>
>>>>>>>> Is there a possible way to store certificates into one file?
>>>>>>>> I read about possibilities to have multiple certs in one .pem
>>>>>>>> file, but I'm
>>>>>>>> not cert guru :)
>>>>>>>>
>>>>>>>> I personally vote for serial number in case there are multiple
>>>>>>>> certificates,
>>>>>>>> if ^ is not possible.
>>>>>>>>
>>>>>>>>
>>>>>>>> 1)
>>>>>>>> + if len(certs) > 0:
>>>>>>>>
>>>>>>>> please use only,
>>>>>>>> if certs:
>>>>>>>>
>>>>>>>> 2)
>>>>>>>> You need to re-generate API/ACI.txt in this patch
>>>>>>>>
>>>>>>>> 3)
>>>>>>>> syntax error:
>>>>>>>> + for dercert in certs_der
>>>>>>>>
>>>>>>>>
>>>>>>>> 4)
>>>>>>>> command
>>>>>>>> ipa user-mod ca_user --certificate=
>>>>>>>>
>>>>>>>> removes the current certificate from the LDAP, by design.
>>>>>>>> Should the old certificate(s) be revoked? You removed that part in
>>>>>>>> the code.
>>>>>>>>
>>>>>>>> only the --addattr='usercertificate=' appends new value
>>>>>>>> there
>>>>>>>>
>>>>>>>> --
>>>>>>>> Martin Basti
>>>>>>>>
>>>>> My objections/proposed solutions in attached patch.
>>>>>
>>>>> * VERSION
>>>>> * In the previous version normalized values were stored in LDAP, so I
>>>>> added
>>>>> it back. (I don't know why there is no normalization in param
>>>>> settings, but
>>>>> normalization for every certificate is done in callback. I will
>>>>> file a
>>>>> ticket for this)
>>>>> * IMO only normalized certificates should be compared in the old
>>>>> certificates detection
>>>>>
>>>> I incorporated your suggested changes in new patch (attached).
>>>>
>>>> There were no proposed changes to the other patchset (0001..0013)
>>>> since rebase.
>>>>
>>>> Thanks,
>>>> Fraser
>>> Thank you,
>>> ACK
>>> Martin^2
>>>
>>
>> Pushed to master: 7f7c247bb5a4b0030d531f4f14c156162e808212
>>
> Regression found.
>
> Patch to fix the issue is attached.
>

The fix works, thanks.

Milan
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Wed, 03 Jun 2015 14:01:12 +0200
Subject: [Freeipa-devel] Topology plugin quirks
In-Reply-To: <556EE5E6.10007@redhat.com>
References: <556ECADC.3090303@redhat.com> <556ECE24.6000903@redhat.com> <556ED589.4020408@redhat.com> <556EE5E6.10007@redhat.com>
Message-ID: <556EEC88.2000507@redhat.com>

On 06/03/2015 01:32 PM, Oleg Fayans wrote:
> Hi Ludwig
>
> On 06/03/2015 12:23 PM, Ludwig Krispenz wrote:
>>
>> On 06/03/2015 11:51 AM, Oleg Fayans wrote:
>>> I confirm every point of this.
>> did you test with all the latest patches applied? In your issues you
>> refer to crashes, the crashes reported should be resolved, if you
>> still have crashes, please provide a core dump or scenario to
>> reproduce the crash.
>> With patch0009 ipa-replica-manage del worked for me
> Yep, patch 0009 is applied.
> The full list of patches applied on top of the master branch (at its
> state yesterday at 10 PM) is as follows:
> freeipa-lkrispen-0007-replica-install-fails-with-domain-level-1.patch
> freeipa-lkrispen-0008-plugin-uses-1-as-minimum-domain-level-to-become-acti.patch
>
> freeipa-lkrispen-0009-crash-when-removing-a-replica.patch
> freeipa-mbasti-0262-Installers-fix-remove-temporal-ccache.patch
> freeipa-pvoborni-0857-1-topology-ipa-management-commands.patch
> freeipa-pvoborni-0858-1-webui-IPA.command_dialog-a-new-dialog-base-class.patch
>
> freeipa-pvoborni-0859-1-webui-use-command_dialog-as-a-base-class-for-passwor.patch
>
> freeipa-pvoborni-0860-1-webui-make-usage-of-all-in-details-facet-optional.patch
>
> freeipa-pvoborni-0861-2-webui-topology-plugin.patch
> freeipa-pvoborni-0862-webui-configurable-refresh-command.patch
>
> The scenario is pretty basic:
> 1. 3 fedora-21 vms with the latest directory server packages from
> mreynolds repo:
> 389-ds-base-2015_06_02-1.fc21.x86_64
>
> 2. setup master on one of them, prepare gpg files for two replicas
> 3. setup replicas using these gpg files.
> 4. Try to remove one of the replicas using command `ipa
> topologysegment-del`

This should remove a segment, not a replica, and it should be rejected.

> 5. Try to create a new user via web UI on any of the replicas
>
>>
>>>
>>> On 06/03/2015 11:37 AM, Martin Babinsky wrote:
>>>> Hi everyone,
>>>>
>>>> I have been playing with the topology related patches and I have
>>>> encountered a few issues that I would like to address in this thread:
>>>>
>>>> 1.) When replica install for whatever reason crashes _after_ the
>>>> setup of replication agreements etc., it leaves the topology plugin
>>>> with dangling segment pointing to the dysfunctional node. An
>>>> attempt to delete it leads to:
>>>>
>>>> """
>>>> ipa: ERROR: Server is unwilling to perform: Removal of Segment
>>>> disconnects topology.Deletion not allowed.
>>>> """
>>> Furthermore, any attempts to delete a segment (even a properly setup
>>> one) lead to the same very error.
>>>>
>>>> And you cannot reinstall the crashed replica because it complains
>>>> about existing replication agreements. It would probably help to be
>>>> able to force-remove the segments if one of the endpoints doesn't
>>>> exist/respond.
>>>>
>>>> 2.) I was not able to figure out a way to remove replica from the
>>>> topology without explosions or tampering
>>>> 'cn=masters,cn=ipa,cn=etc,$SUFFIX'. Obviously ipa-replica-manage
>>>> del doesn't work anymore (I have tried just for fun, it leads to
>>>> SIGSEGV of the host's dirsrv and leaves dangling segments to
>>>> offending replica, leading to point 1).
>>>>
>>>> I managed to remove replica from the topology only by directly
>>>> uninstalling FreeIPA on the node and then deleting its host entry
>>>> from 'cn=masters'. Only after this was the plugin able to
>>>> automagically remove the segments pointing to/from the removed node.
>>>>
>>>> The design page suggests that it should be enough to uninstall IPA
>>>> server on the replica. The plugin would then pick up the dangling
>>>> segments and remove them automatically. However, this behavior
>>>> seems to require additional modification of the uninstall procedure
>>>> (e.g. the uninstalling replica should remove its entry from
>>>> cn=masters).
>>>>
>>>> 3.) It seems that the removal of topology suffixes containing
>>>> functioning segments is not handled well. I once tried to do this
>>>> and it led to a segmentation fault on the dirsrv instance. What is
>>>> the expected behavior in this scenario?
>>>>
>>>
>>
>
From: ofayans at redhat.com (Oleg Fayans)
Date: Wed, 03 Jun 2015 14:05:22 +0200
Subject: [Freeipa-devel] KeyError raised upon replica installation
In-Reply-To: <556D9D5A.403@redhat.com>
References: <556D80E5.6050802@redhat.com> <556D9C7F.7010507@redhat.com> <556D9D5A.403@redhat.com>
Message-ID: <556EED82.7070501@redhat.com>

Update: The original error occurs ONLY when installing a replica from a
gpg file prepared on a master running FreeIPA 4.1.2. If the master runs
the upstream code, it works.

On 06/02/2015 02:11 PM, Martin Babinsky wrote:
> On 06/02/2015 02:07 PM, Martin Babinsky wrote:
>> On 06/02/2015 12:09 PM, Oleg Fayans wrote:
>>> Hi all,
>>>
>>> The following error was caught during replica installation (I used all
>>> the latest patches from Ludwig and Martin Basti):
>>>
>>> root at localhost:/home/ofayans/rpms]$ ipa-replica-install --setup-ca
>>> --setup-dns --forwarder 10.38.5.26
>>> /var/lib/ipa/replica-info-replica1.zaeba.li.gpg
>>> Directory Manager (existing master) password:
>>>
>>> Existing BIND configuration detected, overwrite? [no]: yes
>>> Adding [192.168.122.210 replica1.zaeba.li] to your /etc/hosts file
>>> Checking forwarders, please wait ...
>>> Using reverse zone(s) 122.168.192.in-addr.arpa.
>>> Run connection check to master
>>> Check connection from replica to remote master
>>> 'upgrademaster.zaeba.li':
>>> Directory Service: Unsecure port (389): OK
>>> Directory Service: Secure port (636): OK
>>> Kerberos KDC: TCP (88): OK
>>> Kerberos Kpasswd: TCP (464): OK
>>> HTTP Server: Unsecure port (80): OK
>>> HTTP Server: Secure port (443): OK
>>>
>>> The following list of ports use UDP protocol and would need to be
>>> checked manually:
>>> Kerberos KDC: UDP (88): SKIPPED
>>> Kerberos Kpasswd: UDP (464): SKIPPED
>>>
>>> Connection from replica to master is OK.
>>> Start listening on required ports for remote master check
>>> Get credentials to log in to remote master
>>> admin at ZAEBA.LI password:
>>>
>>> Check SSH connection to remote master
>>> Execute check on remote master
>>> Check connection from master to remote replica 'replica1.zaeba.li':
>>> Directory Service: Unsecure port (389): OK
>>> Directory Service: Secure port (636): OK
>>> Kerberos KDC: TCP (88): OK
>>> Kerberos KDC: UDP (88): OK
>>> Kerberos Kpasswd: TCP (464): OK
>>> Kerberos Kpasswd: UDP (464): OK
>>> HTTP Server: Unsecure port (80): OK
>>> HTTP Server: Secure port (443): OK
>>>
>>> Connection from master to replica is OK.
>>>
>>> Connection check OK
>>> Configuring NTP daemon (ntpd)
>>> [1/4]: stopping ntpd
>>> [2/4]: writing configuration
>>> [3/4]: configuring ntpd to start on boot
>>> [4/4]: starting ntpd
>>> Done configuring NTP daemon (ntpd).
>>> Configuring directory server (dirsrv): Estimated time 1 minute
>>> [1/37]: creating directory server user
>>> [2/37]: creating directory server instance
>>> [3/37]: adding default schema
>>> [4/37]: enabling memberof plugin
>>> [5/37]: enabling winsync plugin
>>> [6/37]: configuring replication version plugin
>>> [7/37]: enabling IPA enrollment plugin
>>> [8/37]: enabling ldapi
>>> [9/37]: configuring uniqueness plugin
>>> [10/37]: configuring uuid plugin
>>> [11/37]: configuring modrdn plugin
>>> [12/37]: configuring DNS plugin
>>> [13/37]: enabling entryUSN plugin
>>> [14/37]: configuring lockout plugin
>>> [15/37]: configuring topology plugin
>>> [16/37]: creating indices
>>> [17/37]: enabling referential integrity plugin
>>> [18/37]: configuring ssl for ds instance
>>> [19/37]: configuring certmap.conf
>>> [20/37]: configure autobind for root
>>> [21/37]: configure new location for managed entries
>>> [22/37]: configure dirsrv ccache
>>> [23/37]: enable SASL mapping fallback
>>> [24/37]: restarting directory server
>>> [25/37]: setting up initial replication
>>> Starting replication, please wait until this has completed.
>>> Update in progress, 7 seconds elapsed
>>> Update succeeded
>>>
>>> [26/37]: updating schema
>>> [27/37]: setting Auto Member configuration
>>> [28/37]: enabling S4U2Proxy delegation
>>> [29/37]: importing CA certificates from LDAP
>>> [30/37]: initializing group membership
>>> [31/37]: adding master entry
>>> ipa : CRITICAL Failed to load master-entry.ldif: Command
>>> ''/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmpFlM3mD' '-H'
>>> 'ldap://replica1.zaeba.li:389' '-x' '-D' 'cn=Directory Manager' '-y'
>>> '/tmp/tmpk_R0Lm'' returned non-zero exit status 68
>>> [32/37]: initializing domain level
>>> [33/37]: configuring Posix uid/gid generation
>>> [34/37]: adding replication acis
>>> [35/37]: enabling compatibility plugin
>>> [36/37]: tuning directory server
>>> [37/37]: configuring directory to start on boot
>>> Done configuring directory server (dirsrv).
>>> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes
>>> 30 seconds
>>> [1/21]: creating certificate server user
>>> [2/21]: configuring certificate server instance
>>> [3/21]: stopping certificate server instance to update CS.cfg
>>> [4/21]: backing up CS.cfg
>>> [5/21]: disabling nonces
>>> [6/21]: set up CRL publishing
>>> [7/21]: enable PKIX certificate path discovery and validation
>>> [8/21]: starting certificate server instance
>>> [9/21]: creating RA agent certificate database
>>> [10/21]: importing CA chain to RA certificate database
>>> [11/21]: fixing RA database permissions
>>> [12/21]: setting up signing cert profile
>>> [13/21]: set certificate subject base
>>> [14/21]: enabling Subject Key Identifier
>>> [15/21]: enabling Subject Alternative Name
>>> [16/21]: enabling CRL and OCSP extensions for certificates
>>> [17/21]: setting audit signing renewal to 2 years
>>> [18/21]: configure certmonger for renewals
>>> [19/21]: configure certificate renewals
>>> [20/21]: configure Server-Cert certificate renewal
>>> [21/21]: Configure HTTP to proxy connections
>>> Done configuring certificate server (pki-tomcatd).
>>> Restarting the directory and certificate servers
>>> Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
>>> [1/8]: adding sasl mappings to the directory
>>> [2/8]: configuring KDC
>>> [3/8]: creating a keytab for the directory
>>> [4/8]: creating a keytab for the machine
>>> [5/8]: adding the password extension to the directory
>>> [6/8]: enable GSSAPI for replication
>>> [error] NO_SUCH_OBJECT: {'desc': 'No such object'}
>>>
>>> Your system may be partly configured.
>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>
>>> Traceback (most recent call last):
>>> File "/sbin/ipa-replica-install", line 162, in
>>> fail_message=fail_message)
>>> File
>>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
>>> line 760, in run_script
>>> message, exitcode = handle_error(error, log_file_name)
>>> File
>>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
>>> line 799, in handle_error
>>> type(error).__name__, error.args[0]['info']), 1
>>> KeyError: 'info'
>>>
>>> It needs to be noted that the replica file was prepared on the master
>>> running standard 4.1.2 freeipa-server.
>>>
>>> The log is attached
>>>
>>>
>>>
>>>
>>
>> Hi Oleg,
>>
>> I have encountered a different error during the same step (see
>> http://pastebin.test.redhat.com/287218) while reviewing pvoborni's
>> topology API commands. In this case both server and the replica were
>> from current freeipa-master (HEAD was at commit
>> e2c2d5967d4dfd219cd6ab5fc6f3bc8094ba28a7).
>>
>> I have also noticed that everything works if I run ipa-replica-install
>> without '--setup-ca' flag and then install CA separately using
>> 'ipa-ca-install'.
>>
>> I will open a ticket for this if you or anyone else will be able to
>> reproduce this behavior.
>>
> Ah seems like I have just hit
> https://fedorahosted.org/freeipa/ticket/5035. Never mind.
>

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From jcholast at redhat.com Wed Jun 3 12:17:34 2015 
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 03 Jun 2015 14:17:34 +0200
Subject: [Freeipa-devel] [PATCH] Password vault
In-Reply-To: <556CF209.7050404@redhat.com>
References: <54E1AF55.3060409@redhat.com> <54EBEB55.6010306@redhat.com> <54F96B22.9050507@redhat.com> <55004D5D.6060300@redhat.com> <550FE5EB.1070606@redhat.com> <551E0AE1.8040500@redhat.com> <553498D1.1020901@redhat.com> <55651209.8020000@redhat.com> <556558AA.6040107@redhat.com> <556CF209.7050404@redhat.com>
Message-ID: <556EF05E.90103@redhat.com>

On 2.6.2015 at 02:00, Endi Sukma Dewata wrote:
> Please take a look at the updated patch.
>
> On 5/27/2015 12:39 AM, Jan Cholasta wrote:
>>>>>>>> 21) vault_archive is not a retrieve operation, it should be based on
>>>>>>>> LDAPUpdate instead of LDAPRetrieve. Or Command actually, since it does
>>>>>>>> not do anything with LDAP. The same applies to vault_retrieve.
>>>>>>>
>>>>>>> The vault_archive does not actually modify the LDAP entry because it
>>>>>>> stores the data in KRA. It is actually an LDAPRetrieve operation because
>>>>>>> it needs to get the vault info before it can perform the archival
>>>>>>> operation. Same thing with vault_retrieve.
>>>>>>
>>>>>> It is not a LDAPRetrieve operation, because it has different semantics.
>>>>>> Please use Command as base class and either use ldap2 for direct LDAP or
>>>>>> call vault_show instead of hacking around LDAPRetrieve.
>>>>>
>>>>> It's been changed to inherit from LDAPQuery instead.
>>>>
>>>> NACK, it's not a LDAPQuery operation, because it has different
>>>> semantics. There is more to a command than executing code, so you should
>>>> use a correct base class.
>>>
>>> Changed to inherit from Command as requested. Now these commands no
>>> longer have a direct access to the vault object (self.obj) although they
>>> are accessing vault objects like other vault commands. Also now the
>>> vault name argument has to be added explicitly on each command.
>>
>> You can inherit from crud.Retrieve and crud.Update to get self.obj and
>> the argument back.
>
> I tried this:
>
> class vault_retrieve(Command, crud.Retrieve):
>
> and it gave me an error:
>
> TypeError: Error when calling the metaclass bases
> Cannot create a consistent method resolution
> order (MRO) for bases Retrieve, Command
>
> I'm sticking with the original code since it works fine although not
> ideal. I'm not a Python expert, so if you know how to fix this properly
> please feel free to post a patch on top of this.

The class hierarchy is as follows:

frontend.Command
  frontend.Method
    crud.PKQuery
      crud.Retrieve
      crud.Update

So removing Command from the list of base classes should fix it.

>
>> If KRA is not installed, vault-archive and vault-retrieve fail with
>> internal error.
>
> Added a code to check KRA installation in all vault commands. If you
> know a way not to load the vault plugin if the KRA is not installed
> please let me know, that's probably even better. Not sure how that will
> work on the client side though.

I see this has been already resolved in the other thread.

>
>> The commands still behave differently based on whether they were called
>> from API which was initialized with in_server set to True or False.
>
> That is unfortunately a restriction imposed by the framework. In order
> to guarantee the security, the vault is designed to have separate client
> and server code. The client code encrypts the secret, the server code
> forwards the encrypted secret to KRA. To archive a secret into a vault
> properly, you are supposed to call the client code. If you're calling
> the server code directly, you are responsible to do your own encryption
> (i.e. generating session key, nonce, and vault data).

I understand why the code has to be separated, what I don't understand is
why it is in fact *not* separated and crammed into a single command,
making weird and undefined behavior possible.

>
> If another plugin wants to use vault, it should implement a client code
> which calls the vault client code to perform the archival from the
> client side.
>
> What is the use case for calling the vault API from the server side
> anyway? Wouldn't that defeat the purpose of having a vault? If a secret
> exists on the server side in an unencrypted form doesn't it mean the
> secret may already have been compromised?

Server API is used not only by the server itself, but also by installers
for example. Anyway the point is that there *can't* be a broken API like
this, you should at least raise an error if the command is called from
server API, although actually separating it into client and server parts
would be preferable.

>
>> There is no point in exposing the session_key, nonce and vault_data
>> options in CLI when their value is always overwritten in forward().
>
> I agree there is no need to expose them in CLI, but in this framework
> the API also defines the CLI. If there's a way to keep them in the
> server API but not expose them in the CLI please let me know. Or, if
> there's a way to define completely separate server API (without a
> matching client CLI) and client CLI (without a matching server API) that
> will work too.

As I suggested above, you can split the commands into separate client and
server commands. The client command should inherit from frontend.Local so
that it is always executed locally and the server command should have a
"NO_CLI = True" attribute so that it is not available in the CLI.

>
>> Will this always succeed?
>>
>> + # deactivate vault record in KRA
>> + response = kra_client.keys.list_keys(
>> + client_key_id, pki.key.KeyClient.KEY_STATUS_ACTIVE)
>
> Yes. If there's no active keys it will return an empty collection.
>
>> + for key_info in response.key_infos:
>> + kra_client.keys.modify_key_status(
>> + key_info.get_key_id(),
>> + pki.key.KeyClient.KEY_STATUS_INACTIVE)
>
> This loop will do nothing given an empty collection.
>
>> If not, we might get into an inconsistent state, where the vault is
>> deleted in LDAP but still active in KRA. (I'm not sure if this is
>> actually a problem or not.)
>
> That can only happen if the server crashes after deleting the vault but
> before deactivating the key. Regardless, it will not be a problem
> because the key is identified by vault ID/path so it will not conflict
> with other vaults, and it will get overwritten if the same vault is
> recreated again.

OK.

-- 
Jan Cholasta

From lkrispen at redhat.com Wed Jun 3 12:21:25 2015
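A minimal reproduction of the MRO conflict discussed above, added here as an example (not FreeIPA code): the classes are constructed stand-ins that share only the inheritance chain of frontend.Command, frontend.Method, crud.PKQuery, crud.Retrieve and crud.Update. Listing Command before Retrieve cannot be linearized, while inheriting from Retrieve alone still puts Command in the MRO.

```python
"""Reproduce the 'Cannot create a consistent method resolution order'
TypeError from the vault_retrieve discussion, using stand-in classes.

These are constructed stand-ins for FreeIPA's frontend.Command,
frontend.Method, crud.PKQuery, crud.Retrieve and crud.Update; only the
inheritance chain is modelled, none of the real behaviour.
"""


class Command(object):
    """Stand-in for frontend.Command (root of the hierarchy)."""


class Method(Command):
    """Stand-in for frontend.Method."""


class PKQuery(Method):
    """Stand-in for crud.PKQuery."""


class Retrieve(PKQuery):
    """Stand-in for crud.Retrieve."""


class Update(PKQuery):
    """Stand-in for crud.Update."""


def define_command(name, bases):
    """Create a class with the given bases.

    Returns the list of class names in the resulting MRO, or the
    TypeError message when Python cannot linearize the bases.
    """
    try:
        cls = type(name, bases, {})
    except TypeError as exc:
        return str(exc)
    return [c.__name__ for c in cls.__mro__]


def mro_is_consistent(bases):
    """Predict whether C3 linearization can succeed for these bases.

    C3 requires every class to precede its own bases in the MRO and the
    explicit base order to be preserved. Listing a base before one of
    its own subclasses (Command before Retrieve) demands Command before
    Retrieve, while Retrieve's MRO demands Retrieve before Command, so
    no consistent order exists.
    """
    for i, base in enumerate(bases):
        for later in bases[i + 1:]:
            if issubclass(later, base):
                return False
    return True


# The failing declaration from the thread: Command listed before Retrieve.
BROKEN = define_command("vault_retrieve", (Command, Retrieve))

# The fix: drop Command; Retrieve already brings it in via PKQuery and Method.
FIXED = define_command("vault_retrieve", (Retrieve,))

if __name__ == "__main__":
    print("(Command, Retrieve) ->", BROKEN)
    print("(Retrieve,)         ->", FIXED)
```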
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Wed, 03 Jun 2015 14:21:25 +0200
Subject: [Freeipa-devel] KeyError raised upon replica installation
In-Reply-To: <556EED82.7070501@redhat.com>
References: <556D80E5.6050802@redhat.com> <556D9C7F.7010507@redhat.com> <556D9D5A.403@redhat.com> <556EED82.7070501@redhat.com>
Message-ID: <556EF145.4070903@redhat.com>

On 06/03/2015 02:05 PM, Oleg Fayans wrote:
> Update:
>
> The original error occurs ONLY when installing a replica from a gpg
> file prepared on a master running FreeIPA 4.1.2.
but this should be covered with patch 0010
> If The master runs the upstream code, it works.
>
> On 06/02/2015 02:11 PM, Martin Babinsky wrote:
>> On 06/02/2015 02:07 PM, Martin Babinsky wrote:
>>> On 06/02/2015 12:09 PM, Oleg Fayans wrote:
>>>> Hi all,
>>>>
>>>> The following error was caught during replica installation (I used all
>>>> the latest patches from Ludwig and Martin Basti):
>>>>
>>>> root at localhost:/home/ofayans/rpms]$ ipa-replica-install --setup-ca --setup-dns --forwarder 10.38.5.26 /var/lib/ipa/replica-info-replica1.zaeba.li.gpg
>>>> Directory Manager (existing master) password:
>>>>
>>>> Existing BIND configuration detected, overwrite? [no]: yes
>>>> Adding [192.168.122.210 replica1.zaeba.li] to your /etc/hosts file
>>>> Checking forwarders, please wait ...
>>>> Using reverse zone(s) 122.168.192.in-addr.arpa.
>>>> Run connection check to master
>>>> Check connection from replica to remote master 'upgrademaster.zaeba.li':
>>>> Directory Service: Unsecure port (389): OK
>>>> Directory Service: Secure port (636): OK
>>>> Kerberos KDC: TCP (88): OK
>>>> Kerberos Kpasswd: TCP (464): OK
>>>> HTTP Server: Unsecure port (80): OK
>>>> HTTP Server: Secure port (443): OK
>>>>
>>>> The following list of ports use UDP protocol and would need to be
>>>> checked manually:
>>>> Kerberos KDC: UDP (88): SKIPPED
>>>> Kerberos Kpasswd: UDP (464): SKIPPED
>>>>
>>>> Connection from replica to master is OK.
>>>> Start listening on required ports for remote master check
>>>> Get credentials to log in to remote master
>>>> admin at ZAEBA.LI password:
>>>>
>>>> Check SSH connection to remote master
>>>> Execute check on remote master
>>>> Check connection from master to remote replica 'replica1.zaeba.li':
>>>> Directory Service: Unsecure port (389): OK
>>>> Directory Service: Secure port (636): OK
>>>> Kerberos KDC: TCP (88): OK
>>>> Kerberos KDC: UDP (88): OK
>>>> Kerberos Kpasswd: TCP (464): OK
>>>> Kerberos Kpasswd: UDP (464): OK
>>>> HTTP Server: Unsecure port (80): OK
>>>> HTTP Server: Secure port (443): OK
>>>>
>>>> Connection from master to replica is OK.
>>>>
>>>> Connection check OK
>>>> Configuring NTP daemon (ntpd)
>>>> [1/4]: stopping ntpd
>>>> [2/4]: writing configuration
>>>> [3/4]: configuring ntpd to start on boot
>>>> [4/4]: starting ntpd
>>>> Done configuring NTP daemon (ntpd).
>>>> Configuring directory server (dirsrv): Estimated time 1 minute
>>>> [1/37]: creating directory server user
>>>> [2/37]: creating directory server instance
>>>> [3/37]: adding default schema
>>>> [4/37]: enabling memberof plugin
>>>> [5/37]: enabling winsync plugin
>>>> [6/37]: configuring replication version plugin
>>>> [7/37]: enabling IPA enrollment plugin
>>>> [8/37]: enabling ldapi
>>>> [9/37]: configuring uniqueness plugin
>>>> [10/37]: configuring uuid plugin
>>>> [11/37]: configuring modrdn plugin
>>>> [12/37]: configuring DNS plugin
>>>> [13/37]: enabling entryUSN plugin
>>>> [14/37]: configuring lockout plugin
>>>> [15/37]: configuring topology plugin
>>>> [16/37]: creating indices
>>>> [17/37]: enabling referential integrity plugin
>>>> [18/37]: configuring ssl for ds instance
>>>> [19/37]: configuring certmap.conf
>>>> [20/37]: configure autobind for root
>>>> [21/37]: configure new location for managed entries
>>>> [22/37]: configure dirsrv ccache
>>>> [23/37]: enable SASL mapping fallback
>>>> [24/37]: restarting directory server
>>>> [25/37]: setting up initial replication
>>>> Starting replication, please wait until this has completed.
>>>> Update in progress, 7 seconds elapsed
>>>> Update succeeded
>>>>
>>>> [26/37]: updating schema
>>>> [27/37]: setting Auto Member configuration
>>>> [28/37]: enabling S4U2Proxy delegation
>>>> [29/37]: importing CA certificates from LDAP
>>>> [30/37]: initializing group membership
>>>> [31/37]: adding master entry
>>>> ipa : CRITICAL Failed to load master-entry.ldif: Command ''/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmpFlM3mD' '-H' 'ldap://replica1.zaeba.li:389' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmpk_R0Lm'' returned non-zero exit status 68
>>>> [32/37]: initializing domain level
>>>> [33/37]: configuring Posix uid/gid generation
>>>> [34/37]: adding replication acis
>>>> [35/37]: enabling compatibility plugin
>>>> [36/37]: tuning directory server
>>>> [37/37]: configuring directory to start on boot
>>>> Done configuring directory server (dirsrv).
>>>> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
>>>> [1/21]: creating certificate server user
>>>> [2/21]: configuring certificate server instance
>>>> [3/21]: stopping certificate server instance to update CS.cfg
>>>> [4/21]: backing up CS.cfg
>>>> [5/21]: disabling nonces
>>>> [6/21]: set up CRL publishing
>>>> [7/21]: enable PKIX certificate path discovery and validation
>>>> [8/21]: starting certificate server instance
>>>> [9/21]: creating RA agent certificate database
>>>> [10/21]: importing CA chain to RA certificate database
>>>> [11/21]: fixing RA database permissions
>>>> [12/21]: setting up signing cert profile
>>>> [13/21]: set certificate subject base
>>>> [14/21]: enabling Subject Key Identifier
>>>> [15/21]: enabling Subject Alternative Name
>>>> [16/21]: enabling CRL and OCSP extensions for certificates
>>>> [17/21]: setting audit signing renewal to 2 years
>>>> [18/21]: configure certmonger for renewals
>>>> [19/21]: configure certificate renewals
>>>> [20/21]: configure Server-Cert certificate renewal
>>>> [21/21]: Configure HTTP to proxy connections
>>>> Done configuring certificate server (pki-tomcatd).
>>>> Restarting the directory and certificate servers
>>>> Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
>>>> [1/8]: adding sasl mappings to the directory
>>>> [2/8]: configuring KDC
>>>> [3/8]: creating a keytab for the directory
>>>> [4/8]: creating a keytab for the machine
>>>> [5/8]: adding the password extension to the directory
>>>> [6/8]: enable GSSAPI for replication
>>>> [error] NO_SUCH_OBJECT: {'desc': 'No such object'}
>>>>
>>>> Your system may be partly configured.
>>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>>
>>>> Traceback (most recent call last):
>>>> File "/sbin/ipa-replica-install", line 162, in
>>>> fail_message=fail_message)
>>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 760, in run_script
>>>> message, exitcode = handle_error(error, log_file_name)
>>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 799, in handle_error
>>>> type(error).__name__, error.args[0]['info']), 1
>>>> KeyError: 'info'
>>>>
>>>> It needs to be noted, that the replica file was prepared on the master
>>>> running standard 4.1.2 freeipa-server.
>>>>
>>>> The log is attached
>>>
>>> Hi Oleg,
>>>
>>> I have encountered a different error during the same step (see
>>> http://pastebin.test.redhat.com/287218) while reviewing pvoborni's
>>> topology API commands. In this case both server and the replica were
>>> from current freeipa-master (HEAD was at commit
>>> e2c2d5967d4dfd219cd6ab5fc6f3bc8094ba28a7).
>>>
>>> I have also noticed that everything works if I run ipa-replica-install
>>> without '--setup-ca' flag and then install CA separately using
>>> 'ipa-ca-install'.
>>>
>>> I will open a ticket for this if you or anyone else will be able to
>>> reproduce this behavior.
>>
>> Ah seems like I have just hit
>> https://fedorahosted.org/freeipa/ticket/5035. Never mind.
>

From lkrispen at redhat.com Wed Jun 3 12:30:27 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Wed, 03 Jun 2015 14:30:27 +0200
Subject: [Freeipa-devel] Topology plugin quirks
In-Reply-To: <556EDC44.8050006@redhat.com>
References: <556ECADC.3090303@redhat.com> <556EDC44.8050006@redhat.com>
Message-ID: <556EF363.8080101@redhat.com>

Hi Petr,

good catch. I didn't check for self referential segments. There is a
check for existing segments, but unfortunately the entry lookup in the
pblock was incorrect and the test always passed.

For the removal, there is the assumption that no duplicate segments
exist and so removal of A->B only succeeds if there is another path from
A to B.

I'm building a patch and will send it to the list soon

Ludwig

On 06/03/2015 12:51 PM, Petr Vobornik wrote:
> On 06/03/2015 11:37 AM, Martin Babinsky wrote:
>> Hi everyone,
>>
>> I have been playing with the topology related patches and I have
>> encountered a few issues that I would like to address in this thread:
>>
>
> Additional stuff:
>
> 1. was able to add duplicate segment
> - same left and right node
> - same direction
> - different cn
>
> It did not allow me to remove it:
> """
> Server is unwilling to perform: Removal of Segment disconnects
> topology.Deletion not allowed.
> """
>
> 2. topology plugin allows to create reflexive relation from the
> invalid duplicates(#1):
>
> A -> B
> A -> B
> to
> A -> A
> B -> B
>
> I.E. effective disconnect
>
> it is forbidden in `ipa topologysegment-mod` but I think that even the
> plugin should not allow that
>
> 3. attempt to delete the invalid reflexive or duplicate segment ends
> with:
> """
> Server is unwilling to perform: Removal of Segment disconnects
> topology.Deletion not allowed.
> """

From mbabinsk at redhat.com Wed Jun 3 12:38:02 2015
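The three checks discussed in the topology thread (self-referential segments, duplicate segments, and removals that disconnect the topology), as an added example written for this page and not the FreeIPA topology plugin's own code. A segment is modelled as (cn, left, right, direction); the direction values "both", "left-right" and "right-left" are an assumption of this model, not taken from the thread.

```python
"""Add/remove validation for replication topology segments.

Constructed model, not the FreeIPA topology plugin's code. A segment is
(cn, left, right, direction); the direction vocabulary below is an
assumption of this model. The checks mirror the thread: reject
self-referential segments, reject duplicates that differ only in cn, and
refuse a removal unless every edge the segment provides has another path.
"""
from collections import namedtuple

Segment = namedtuple("Segment", "cn left right direction")
DIRECTIONS = ("both", "left-right", "right-left")  # assumed vocabulary


class TopologyError(Exception):
    """Raised when a segment change would violate the topology rules."""


class Topology(object):
    def __init__(self):
        self.segments = {}  # cn -> Segment

    @staticmethod
    def _edges(seg):
        """Directed replication edges a single segment provides."""
        if seg.direction == "both":
            return {(seg.left, seg.right), (seg.right, seg.left)}
        if seg.direction == "left-right":
            return {(seg.left, seg.right)}
        return {(seg.right, seg.left)}

    def _reachable(self, start, exclude_cn):
        """Nodes reachable from `start` using every segment except exclude_cn."""
        edges = set()
        for cn, seg in self.segments.items():
            if cn != exclude_cn:
                edges |= self._edges(seg)
        seen, todo = {start}, [start]
        while todo:
            node = todo.pop()
            for a, b in edges:
                if a == node and b not in seen:
                    seen.add(b)
                    todo.append(b)
        return seen

    def add(self, seg):
        """Reject self-referential segments and duplicates under another cn."""
        if seg.direction not in DIRECTIONS:
            raise TopologyError("unknown direction %r" % (seg.direction,))
        if seg.left == seg.right:
            raise TopologyError("segment %s is self-referential (%s -> %s)"
                                % (seg.cn, seg.left, seg.right))
        if seg.cn in self.segments:
            raise TopologyError("segment %s already exists" % seg.cn)
        for other in self.segments.values():
            # Same endpoints and same effective direction: a duplicate,
            # regardless of cn or of which node is called left/right.
            if self._edges(other) == self._edges(seg):
                raise TopologyError("duplicate of segment %s" % other.cn)
        self.segments[seg.cn] = seg

    def remove(self, cn):
        """Allow removal only if each edge of the segment has another path."""
        seg = self.segments[cn]
        for a, b in self._edges(seg):
            if b not in self._reachable(a, exclude_cn=cn):
                raise TopologyError(
                    "Removal of Segment disconnects topology. Deletion not allowed.")
        del self.segments[cn]


def scenario():
    """Replay the thread's cases and return the outcome of each step."""
    t = Topology()
    t.add(Segment("a-to-b", "A", "B", "both"))
    results = {}
    for key, seg in (("duplicate", Segment("a-to-b-2", "A", "B", "both")),
                     ("reflexive", Segment("a-to-a", "A", "A", "both"))):
        try:
            t.add(seg)
            results[key] = "accepted"
        except TopologyError as exc:
            results[key] = str(exc)
    try:
        t.remove("a-to-b")  # the only link between A and B
        results["remove_only_link"] = "removed"
    except TopologyError as exc:
        results["remove_only_link"] = str(exc)
    # With an alternate path A-C-B the same removal is allowed.
    t.add(Segment("a-to-c", "A", "C", "both"))
    t.add(Segment("c-to-b", "C", "B", "both"))
    t.remove("a-to-b")
    results["remove_with_alternate_path"] = sorted(t.segments)
    return results
```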
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Wed, 03 Jun 2015 14:38:02 +0200
Subject: [Freeipa-devel] [PATCH] 857 topology: ipa management commands
In-Reply-To: <556EE62C.8010109@redhat.com>
References: <556448B3.9050105@redhat.com> <556475AF.7060301@redhat.com> <556EC036.2070700@redhat.com> <556EC1EA.4010701@redhat.com> <556EE62C.8010109@redhat.com>
Message-ID: <556EF52A.7090907@redhat.com>

On 06/03/2015 01:34 PM, Petr Vobornik wrote:
> On 06/03/2015 10:59 AM, Martin Babinsky wrote:
>> On 06/03/2015 10:52 AM, Martin Babinsky wrote:
>>> On 05/26/2015 03:31 PM, Petr Vobornik wrote:
>>>> On 05/26/2015 12:19 PM, Petr Vobornik wrote:
>>>>> this patch is based on top of my patch #856 and tbabej's 325-9.
>>>>>
>>>>> Obsoletes Ludwig's 0006.
>>>>>
>>>>> ipalib part of topology management
>>>>>
>>>>> Design:
>>>>> - http://www.freeipa.org/page/V4/Manage_replication_topology
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/4302
>>>>>
>>>>
>>>> New version attached:
>>>> - domainlevel_show usage changed to domainlevel_get
>>>> - updated VERSION
>>>> - added more attrs to default_attributes
>>>>
>>>
>>> Hi Petr,
>>>
>>> the commands themselves seem to work just fine. I had encountered some
>>> quirks in the underlying topology plugin, but I will address them in a
>>> different thread in order to keep the discussion relevant to the
>>> reviewed patch.
>>>
>>> I have some minor comments below:
>>>
>>> 1.)
>>> IPA_API_VERSION_MAJOR=2
>>> -IPA_API_VERSION_MINOR=121
>>> -# Last change: pvoborni - added server-find and server-show
>>> +IPA_API_VERSION_MINOR=122
>>> +# Last change: pvoborni - added topology management commands
>>>
>>> Several people were touching API in the meantime so please double-check
>>> that you have correct VERSION and regenerate API.txt
>
> Patch rebased.
>
>>>
>>> 2.)
>>>
>>> + Str(
>>> + 'nsds5replicatedattributelist?',
>>> + cli_name='replattrs',
>>> + label='Attributes to replicate',
>>> + doc=_('Attributes that are not replicated to a consumer server '
>>> + 'during a fractional update. E.g., `(objectclass=*) '
>>> + '$ EXCLUDE accountlockout memberof'),
>>> + ),
>>> + Str(
>>> + 'nsds5replicatedattributelisttotal?',
>>> + cli_name='replattrstotal',
>>> + label=_('Attributes for total update'),
>>> + doc=_('Attributes that are not replicated to a consumer server '
>>> + 'during a total update. E.g. (objectclass=*) $ EXCLUDE '
>>> + 'accountlockout'),
>>>
>>> The descriptions of these two options confused me greatly, are these
>>> attributes supposed to be replicated or not, or is there some more
>>> complex logic behind them that I failed to grasp? I am cc'ing Ludwig, he
>>> can probably explain them to us and then we can decide whether we may
>>> alter the descriptions to be less confusing.
>>>
>>> 3.)
>>>
>>> + takes_params = (
>>> + Str(
>>> + 'cn',
>>> + cli_name='name',
>>> + primary_key=True,
>>> + label=_('Suffix name'),
>>> + ),
>>> + Str(
>>> + 'iparepltopoconfroot',
>>> + maxlength=255,
>>> + cli_name='suffix',
>>> + label=_('Suffix to be managed'),
>>> + normalizer=lambda value: value.lower(),
>>> + ),
>>> + )
>>>
>>> This also confused me at first, I suggest to change the label of
>>> 'iparepltopoconfroot' to something like 'LDAP suffix to be managed' or
>>> 'LDAP subtree to be managed'.
>
> Changed to 'LDAP suffix to be managed'
>
>>>
>>> 4.)
>>>
>>> There is currently no way to rename existing topology segments/suffixes.
>>> In the case of hosts with funky FQDN's (pointing at you, ABC lab), the
>>> segment cn's created during replica installs are nearly impossible to
>>> remember and it would be nice to rename them to something more
>>> manageable. However, this is not related to core functionality and can
>>> be a subject of a separate patch once this gets pushed.
>>>
>>> That's all from my side.
>>>
>>
>> I also forgot to ask what is the expected policy when deleting a
>> non-empty topology suffix. If this is not supported and you have to
>> first remove all segments and then the suffix itself, the
>> 'topologysuffix-del' command should issue an error pointing the user to
>> correct procedure.
>>
>
> Do we have a use case for creation or deletion of topology suffix?

That's a good question.

Anyway, I have noticed a couple more things:

1.) it seems that there are some unused imports in topology.py. Please
investigate whether all of them are really needed.

2.)
+from ipalib.plugins.baseldap import *
+from ipalib.plugins import baseldap

I do not like that starred import at all. Either import the particular
classes you use (like e.g. in baseuser.py), or just leave the second
import statement and use the appropriate namespace (baseldap.LDAPObject
etc.).

3.) there are a couple of pep8 complaints, please try to fix them unless
it impairs readability:

./ipalib/constants.py:121:80: E501 line too long (81 > 79 characters)
./ipalib/plugins/topology.py:72:80: E501 line too long (88 > 79 characters)
./ipalib/plugins/topology.py:73:26: E131 continuation line unaligned for hanging indent
./ipalib/plugins/topology.py:73:80: E501 line too long (93 > 79 characters)
./ipalib/plugins/topology.py:103:80: E501 line too long (80 > 79 characters)
./ipalib/plugins/topology.py:111:80: E501 line too long (80 > 79 characters)
./ipalib/plugins/topology.py:207:80: E501 line too long (80 > 79 characters)
./ipalib/plugins/topology.py:232:80: E501 line too long (80 > 79 characters)
./ipalib/plugins/topology.py:269:80: E501 line too long (84 > 79 characters)
./ipalib/plugins/topology.py:278:80: E501 line too long (89 > 79 characters)
./ipalib/plugins/topology.py:363:80: E501 line too long (80 > 79 characters)
./ipalib/plugins/topology.py:375:80: E501 line too long (80 > 79 characters)

-- 
Martin^3 Babinsky

From pviktori at redhat.com Wed Jun 3 12:40:03 2015
From: pviktori at redhat.com (Petr Viktorin)
Date: Wed, 03 Jun 2015 14:40:03 +0200
Subject: [Freeipa-devel] [PATCH] Use Exception class instead of BaseException
In-Reply-To: <20150601043325.GA5783@mniranja.pnq.redhat.com>
References: <20150601043325.GA5783@mniranja.pnq.redhat.com>
Message-ID: <556EF5A3.3080903@redhat.com>

On 06/01/2015 06:33 AM, Niranjan wrote:
> Greetings,
>
> I would like to present a patch for replacing the StandardError exception
> with the Exception class in ipapython/adminutil.py. Also replacing the
> BaseException class with the Exception class.
>
> Though StandardError is used in many places, I would like to start
> with ipapython/adminutil.py
>
> This is my first patch. Please let me know if my approach on this is
> correct.
>
> Regards
> Niranjan
>
>
> 0001-Use-Exception-class-instead-of-BaseException.patch
>
>
> From 018312f76952ea86c8c6e2396657e0531d2d61ba Mon Sep 17 00:00:00 2001
> From: Niranjan Mallapadi
> Date: Mon, 1 Jun 2015 09:41:05 +0530
> Subject: [PATCH] Use Exception class instead of BaseException
>
> 1. Replace BaseException with Exception class.

I don't see a reason for this change. This is top-level CLI code that
handles calling our Python library. We really do want to catch all
exceptions here, including KeyboardInterrupt and SystemExit.

> 2. Remove StandardError and use Exception class. StandardError is deprecated (Python3)

I'm okay with this change, as long as tests still pass.

> 3. From python3.0 use of , is not recommended, instead
> use "as" keyword (PEP 3110)

+1

-- 
Petr Viktorin

From mbasti at redhat.com Wed Jun 3 12:46:48 2015
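To make the review point concrete, an added example (not from the patch or from FreeIPA) that runs a callable under the three except clauses discussed in this thread and reports which exceptions escape the handler; run_tool() and ScriptError are constructed stand-ins for AdminTool.execute() and the ScriptError class touched by the patch.

```python
"""Compare what each except clause from the thread actually catches.

run_tool() is a constructed stand-in for the AdminTool.execute() loop and
ScriptError for the patched exception class; neither is FreeIPA code.
Python 3 syntax throughout (the Python 2 `except X, e` form from point 3
of the patch is not valid here).
"""


class ScriptError(Exception):
    """Records an error message and a return value, as in the patch."""

    def __init__(self, msg="", rval=1):
        super(ScriptError, self).__init__(msg)
        self.rval = rval


# The three variants discussed in the thread.
CATCH_BASE = (BaseException,)             # original code: catches everything
CATCH_EXC = (Exception,)                  # patch: lets SystemExit/KeyboardInterrupt through
CATCH_EXC_EXIT = (Exception, SystemExit)  # Martin Basti's tuple form


def handle_error(exception):
    """Map an exception to (message, return value) like the tool does."""
    rval = getattr(exception, "rval", 1)
    return "%s: %s" % (type(exception).__name__, exception), rval


def run_tool(body, catch):
    """Run `body` under `except <catch> as exception:`.

    Returns ("ok", 0) on success, ("handled", rval) when the handler ran,
    or ("escaped", exc_name) when the exception propagated past it, which
    at the top of a CLI means an uncaught traceback instead of a clean
    exit code and log entry.
    """
    try:
        try:
            body()
            return ("ok", 0)
        except catch as exception:
            _message, rval = handle_error(exception)
            return ("handled", rval)
    except BaseException as escaped:  # stands in for the interpreter's default handling
        return ("escaped", type(escaped).__name__)


def raise_(exc):
    """Return a zero-argument callable that raises `exc`."""
    def body():
        raise exc
    return body


def matrix():
    """For each variant, the sorted names of the test exceptions that escape."""
    cases = {
        "ScriptError": raise_(ScriptError("script failed", rval=3)),
        "KeyboardInterrupt": raise_(KeyboardInterrupt()),
        "SystemExit": raise_(SystemExit(2)),
    }
    variants = {
        "BaseException": CATCH_BASE,
        "Exception": CATCH_EXC,
        "Exception+SystemExit": CATCH_EXC_EXIT,
    }
    return {
        name: sorted(case for case, body in cases.items()
                     if run_tool(body, catch)[0] == "escaped")
        for name, catch in variants.items()
    }


if __name__ == "__main__":
    for name, escaped in sorted(matrix().items()):
        print("%-22s escapes: %s" % (name, ", ".join(escaped) or "nothing"))
```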
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 03 Jun 2015 14:46:48 +0200
Subject: [Freeipa-devel] [PATCH] Use Exception class instead of BaseException
In-Reply-To: <20150601043325.GA5783@mniranja.pnq.redhat.com>
References: <20150601043325.GA5783@mniranja.pnq.redhat.com>
Message-ID: <556EF738.6090906@redhat.com>

On 01/06/15 06:33, Niranjan wrote:
> Greetings,
>
> I would like to present a patch for replacing the StandardError exception
> with the Exception class in ipapython/adminutil.py. Also replacing the
> BaseException class with the Exception class.
>
> Though StandardError is used in many places, I would like to start
> with ipapython/adminutil.py
>
> This is my first patch. Please let me know if my approach on this is
> correct.
>
> Regards
> Niranjan
>
>
Thank you,

I have another objection:

1) Please do not copy/paste code, use this for except

except (Exception, SystemExit) as exception:

Martin Basti

From lkrispen at redhat.com Wed Jun 3 12:53:17 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Wed, 03 Jun 2015 14:53:17 +0200
Subject: [Freeipa-devel] [PATCH 0011] check-for-existing-and-self-referential-segments
Message-ID: <556EF8BD.1000906@redhat.com>

Hi,

this should prevent adding duplicate segments or segments with same
start and end node

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-lkrispen-0011-check-for-existing-and-self-referential-segments.patch
Type: text/x-patch
Size: 3127 bytes
Desc: not available

From ofayans at redhat.com Wed Jun 3 12:53:46 2015
From: ofayans at redhat.com (Oleg Fayans) Date: Wed, 03 Jun 2015 14:53:46 +0200 Subject: [Freeipa-devel] KeyError raised upon replica installation In-Reply-To: <556EF145.4070903@redhat.com> References: <556D80E5.6050802@redhat.com> <556D9C7F.7010507@redhat.com> <556D9D5A.403@redhat.com> <556EED82.7070501@redhat.com> <556EF145.4070903@redhat.com> Message-ID: <556EF8DA.2050608@redhat.com> Hi Ludwig, I'll rebuild the packages again with the whole set of patches including 0010 and 0011 and try again. Thanks! On 06/03/2015 02:21 PM, Ludwig Krispenz wrote: > > On 06/03/2015 02:05 PM, Oleg Fayans wrote: >> Update: >> >> The original error occurs ONLY when installing a replica from a gpg >> file prepared on a master running FreeIPA 4.1.2. > but this should be covere with patch 0010 >> If The master runs the upstream code, it works. >> >> On 06/02/2015 02:11 PM, Martin Babinsky wrote: >>> On 06/02/2015 02:07 PM, Martin Babinsky wrote: >>>> On 06/02/2015 12:09 PM, Oleg Fayans wrote: >>>>> Hi all, >>>>> >>>>> The following error was caught during replica installation (I used >>>>> all >>>>> the latest patches from Ludwig and Martin Basti): >>>>> >>>>> root at localhost:/home/ofayans/rpms]$ ipa-replica-install --setup-ca >>>>> --setup-dns --forwarder 10.38.5.26 >>>>> /var/lib/ipa/replica-info-replica1.zaeba.li.gpg >>>>> Directory Manager (existing master) password: >>>>> >>>>> Existing BIND configuration detected, overwrite? [no]: yes >>>>> Adding [192.168.122.210 replica1.zaeba.li] to your /etc/hosts file >>>>> Checking forwarders, please wait ... >>>>> Using reverse zone(s) 122.168.192.in-addr.arpa. 
>>>>> Run connection check to master >>>>> Check connection from replica to remote master >>>>> 'upgrademaster.zaeba.li': >>>>> Directory Service: Unsecure port (389): OK >>>>> Directory Service: Secure port (636): OK >>>>> Kerberos KDC: TCP (88): OK >>>>> Kerberos Kpasswd: TCP (464): OK >>>>> HTTP Server: Unsecure port (80): OK >>>>> HTTP Server: Secure port (443): OK >>>>> >>>>> The following list of ports use UDP protocol and would need to be >>>>> checked manually: >>>>> Kerberos KDC: UDP (88): SKIPPED >>>>> Kerberos Kpasswd: UDP (464): SKIPPED >>>>> >>>>> Connection from replica to master is OK. >>>>> Start listening on required ports for remote master check >>>>> Get credentials to log in to remote master >>>>> admin at ZAEBA.LI password: >>>>> >>>>> Check SSH connection to remote master >>>>> Execute check on remote master >>>>> Check connection from master to remote replica 'replica1.zaeba.li': >>>>> Directory Service: Unsecure port (389): OK >>>>> Directory Service: Secure port (636): OK >>>>> Kerberos KDC: TCP (88): OK >>>>> Kerberos KDC: UDP (88): OK >>>>> Kerberos Kpasswd: TCP (464): OK >>>>> Kerberos Kpasswd: UDP (464): OK >>>>> HTTP Server: Unsecure port (80): OK >>>>> HTTP Server: Secure port (443): OK >>>>> >>>>> Connection from master to replica is OK. >>>>> >>>>> Connection check OK >>>>> Configuring NTP daemon (ntpd) >>>>> [1/4]: stopping ntpd >>>>> [2/4]: writing configuration >>>>> [3/4]: configuring ntpd to start on boot >>>>> [4/4]: starting ntpd >>>>> Done configuring NTP daemon (ntpd). 
>>>>> Configuring directory server (dirsrv): Estimated time 1 minute >>>>> [1/37]: creating directory server user >>>>> [2/37]: creating directory server instance >>>>> [3/37]: adding default schema >>>>> [4/37]: enabling memberof plugin >>>>> [5/37]: enabling winsync plugin >>>>> [6/37]: configuring replication version plugin >>>>> [7/37]: enabling IPA enrollment plugin >>>>> [8/37]: enabling ldapi >>>>> [9/37]: configuring uniqueness plugin >>>>> [10/37]: configuring uuid plugin >>>>> [11/37]: configuring modrdn plugin >>>>> [12/37]: configuring DNS plugin >>>>> [13/37]: enabling entryUSN plugin >>>>> [14/37]: configuring lockout plugin >>>>> [15/37]: configuring topology plugin >>>>> [16/37]: creating indices >>>>> [17/37]: enabling referential integrity plugin >>>>> [18/37]: configuring ssl for ds instance >>>>> [19/37]: configuring certmap.conf >>>>> [20/37]: configure autobind for root >>>>> [21/37]: configure new location for managed entries >>>>> [22/37]: configure dirsrv ccache >>>>> [23/37]: enable SASL mapping fallback >>>>> [24/37]: restarting directory server >>>>> [25/37]: setting up initial replication >>>>> Starting replication, please wait until this has completed. 
>>>>> Update in progress, 7 seconds elapsed >>>>> Update succeeded >>>>> >>>>> [26/37]: updating schema >>>>> [27/37]: setting Auto Member configuration >>>>> [28/37]: enabling S4U2Proxy delegation >>>>> [29/37]: importing CA certificates from LDAP >>>>> [30/37]: initializing group membership >>>>> [31/37]: adding master entry >>>>> ipa : CRITICAL Failed to load master-entry.ldif: Command >>>>> ''/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmpFlM3mD' '-H' >>>>> 'ldap://replica1.zaeba.li:389' '-x' '-D' 'cn=Directory Manager' '-y' >>>>> '/tmp/tmpk_R0Lm'' returned non-zero exit status 68 >>>>> [32/37]: initializing domain level >>>>> [33/37]: configuring Posix uid/gid generation >>>>> [34/37]: adding replication acis >>>>> [35/37]: enabling compatibility plugin >>>>> [36/37]: tuning directory server >>>>> [37/37]: configuring directory to start on boot >>>>> Done configuring directory server (dirsrv). >>>>> Configuring certificate server (pki-tomcatd): Estimated time 3 >>>>> minutes >>>>> 30 seconds >>>>> [1/21]: creating certificate server user >>>>> [2/21]: configuring certificate server instance >>>>> [3/21]: stopping certificate server instance to update CS.cfg >>>>> [4/21]: backing up CS.cfg >>>>> [5/21]: disabling nonces >>>>> [6/21]: set up CRL publishing >>>>> [7/21]: enable PKIX certificate path discovery and validation >>>>> [8/21]: starting certificate server instance >>>>> [9/21]: creating RA agent certificate database >>>>> [10/21]: importing CA chain to RA certificate database >>>>> [11/21]: fixing RA database permissions >>>>> [12/21]: setting up signing cert profile >>>>> [13/21]: set certificate subject base >>>>> [14/21]: enabling Subject Key Identifier >>>>> [15/21]: enabling Subject Alternative Name >>>>> [16/21]: enabling CRL and OCSP extensions for certificates >>>>> [17/21]: setting audit signing renewal to 2 years >>>>> [18/21]: configure certmonger for renewals >>>>> [19/21]: configure certificate renewals >>>>> [20/21]: configure Server-Cert 
certificate renewal >>>>> [21/21]: Configure HTTP to proxy connections >>>>> Done configuring certificate server (pki-tomcatd). >>>>> Restarting the directory and certificate servers >>>>> Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds >>>>> [1/8]: adding sasl mappings to the directory >>>>> [2/8]: configuring KDC >>>>> [3/8]: creating a keytab for the directory >>>>> [4/8]: creating a keytab for the machine >>>>> [5/8]: adding the password extension to the directory >>>>> [6/8]: enable GSSAPI for replication >>>>> [error] NO_SUCH_OBJECT: {'desc': 'No such object'} >>>>> >>>>> Your system may be partly configured. >>>>> Run /usr/sbin/ipa-server-install --uninstall to clean up. >>>>> >>>>> Traceback (most recent call last): >>>>> File "/sbin/ipa-replica-install", line 162, in >>>>> fail_message=fail_message) >>>>> File >>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", >>>>> line 760, in run_script >>>>> message, exitcode = handle_error(error, log_file_name) >>>>> File >>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", >>>>> line 799, in handle_error >>>>> type(error).__name__, error.args[0]['info']), 1 >>>>> KeyError: 'info' >>>>> >>>>> It needs to be noted, that the replica file was prepared on the >>>>> master >>>>> running standard 4.1.2 freeipa-server. >>>>> >>>>> The log is attached >>>>> >>>>> >>>>> >>>>> >>>> >>>> Hi Oleg, >>>> >>>> I have encountered a different error during the same step (see >>>> http://pastebin.test.redhat.com/287218) while reviewing pvoborni's >>>> topology API commands. In this case both server and the replica were >>>> from current freeipa-master (HEAD was at commit >>>> e2c2d5967d4dfd219cd6ab5fc6f3bc8094ba28a7). >>>> >>>> I have also noticed that everything works if I run ipa-replica-install >>>> without '--setup-ca' flag and then install CA separately using >>>> 'ipa-ca-install'. 
>>>> >>>> I will open a ticket for this if you or anyone else will be able to reproduce this behavior. >>>> >>> Ah, seems like I have just hit https://fedorahosted.org/freeipa/ticket/5035. Never mind. >>> >> > -- Oleg Fayans Quality Engineer FreeIPA team RedHat. From ofayans at redhat.com Wed Jun 3 12:57:08 2015
From: ofayans at redhat.com (Oleg Fayans) Date: Wed, 03 Jun 2015 14:57:08 +0200 Subject: [Freeipa-devel] KeyError raised upon replica installation In-Reply-To: <556EF8DA.2050608@redhat.com> References: <556D80E5.6050802@redhat.com> <556D9C7F.7010507@redhat.com> <556D9D5A.403@redhat.com> <556EED82.7070501@redhat.com> <556EF145.4070903@redhat.com> <556EF8DA.2050608@redhat.com> Message-ID: <556EF9A4.50701@redhat.com> BTW, Ludwig, it seems you forgot to attach the 0010 patch to your email. At least, your first letter from 06/02/2015 05:08 PM, containing PATCH 0010, does not have the actual patch. On 06/03/2015 02:53 PM, Oleg Fayans wrote: > Hi Ludwig, > > I'll rebuild the packages again with the whole set of patches > including 0010 and 0011 and try again. Thanks! > > On 06/03/2015 02:21 PM, Ludwig Krispenz wrote: >> >> On 06/03/2015 02:05 PM, Oleg Fayans wrote: >>> Update: >>> >>> The original error occurs ONLY when installing a replica from a gpg >>> file prepared on a master running FreeIPA 4.1.2. >> but this should be covered with patch 0010 >>> If the master runs the upstream code, it works. >>> >>> On 06/02/2015 02:11 PM, Martin Babinsky wrote: >>>> On 06/02/2015 02:07 PM, Martin Babinsky wrote: >>>>> On 06/02/2015 12:09 PM, Oleg Fayans wrote: >>>>>> Hi all, >>>>>> >>>>>> The following error was caught during replica installation (I >>>>>> used all >>>>>> the latest patches from Ludwig and Martin Basti): >>>>>> >>>>>> root at localhost:/home/ofayans/rpms]$ ipa-replica-install --setup-ca >>>>>> --setup-dns --forwarder 10.38.5.26 >>>>>> /var/lib/ipa/replica-info-replica1.zaeba.li.gpg >>>>>> Directory Manager (existing master) password: >>>>>> >>>>>> Existing BIND configuration detected, overwrite? [no]: yes >>>>>> Adding [192.168.122.210 replica1.zaeba.li] to your /etc/hosts file >>>>>> Checking forwarders, please wait ... >>>>>> Using reverse zone(s) 122.168.192.in-addr.arpa.
>>>>>> Run connection check to master >>>>>> Check connection from replica to remote master >>>>>> 'upgrademaster.zaeba.li': >>>>>> Directory Service: Unsecure port (389): OK >>>>>> Directory Service: Secure port (636): OK >>>>>> Kerberos KDC: TCP (88): OK >>>>>> Kerberos Kpasswd: TCP (464): OK >>>>>> HTTP Server: Unsecure port (80): OK >>>>>> HTTP Server: Secure port (443): OK >>>>>> >>>>>> The following list of ports use UDP protocol and would need to be >>>>>> checked manually: >>>>>> Kerberos KDC: UDP (88): SKIPPED >>>>>> Kerberos Kpasswd: UDP (464): SKIPPED >>>>>> >>>>>> Connection from replica to master is OK. >>>>>> Start listening on required ports for remote master check >>>>>> Get credentials to log in to remote master >>>>>> admin at ZAEBA.LI password: >>>>>> >>>>>> Check SSH connection to remote master >>>>>> Execute check on remote master >>>>>> Check connection from master to remote replica 'replica1.zaeba.li': >>>>>> Directory Service: Unsecure port (389): OK >>>>>> Directory Service: Secure port (636): OK >>>>>> Kerberos KDC: TCP (88): OK >>>>>> Kerberos KDC: UDP (88): OK >>>>>> Kerberos Kpasswd: TCP (464): OK >>>>>> Kerberos Kpasswd: UDP (464): OK >>>>>> HTTP Server: Unsecure port (80): OK >>>>>> HTTP Server: Secure port (443): OK >>>>>> >>>>>> Connection from master to replica is OK. >>>>>> >>>>>> Connection check OK >>>>>> Configuring NTP daemon (ntpd) >>>>>> [1/4]: stopping ntpd >>>>>> [2/4]: writing configuration >>>>>> [3/4]: configuring ntpd to start on boot >>>>>> [4/4]: starting ntpd >>>>>> Done configuring NTP daemon (ntpd). 
>>>>>> Configuring directory server (dirsrv): Estimated time 1 minute >>>>>> [1/37]: creating directory server user >>>>>> [2/37]: creating directory server instance >>>>>> [3/37]: adding default schema >>>>>> [4/37]: enabling memberof plugin >>>>>> [5/37]: enabling winsync plugin >>>>>> [6/37]: configuring replication version plugin >>>>>> [7/37]: enabling IPA enrollment plugin >>>>>> [8/37]: enabling ldapi >>>>>> [9/37]: configuring uniqueness plugin >>>>>> [10/37]: configuring uuid plugin >>>>>> [11/37]: configuring modrdn plugin >>>>>> [12/37]: configuring DNS plugin >>>>>> [13/37]: enabling entryUSN plugin >>>>>> [14/37]: configuring lockout plugin >>>>>> [15/37]: configuring topology plugin >>>>>> [16/37]: creating indices >>>>>> [17/37]: enabling referential integrity plugin >>>>>> [18/37]: configuring ssl for ds instance >>>>>> [19/37]: configuring certmap.conf >>>>>> [20/37]: configure autobind for root >>>>>> [21/37]: configure new location for managed entries >>>>>> [22/37]: configure dirsrv ccache >>>>>> [23/37]: enable SASL mapping fallback >>>>>> [24/37]: restarting directory server >>>>>> [25/37]: setting up initial replication >>>>>> Starting replication, please wait until this has completed. 
>>>>>> Update in progress, 7 seconds elapsed >>>>>> Update succeeded >>>>>> >>>>>> [26/37]: updating schema >>>>>> [27/37]: setting Auto Member configuration >>>>>> [28/37]: enabling S4U2Proxy delegation >>>>>> [29/37]: importing CA certificates from LDAP >>>>>> [30/37]: initializing group membership >>>>>> [31/37]: adding master entry >>>>>> ipa : CRITICAL Failed to load master-entry.ldif: Command >>>>>> ''/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmpFlM3mD' '-H' >>>>>> 'ldap://replica1.zaeba.li:389' '-x' '-D' 'cn=Directory Manager' '-y' >>>>>> '/tmp/tmpk_R0Lm'' returned non-zero exit status 68 >>>>>> [32/37]: initializing domain level >>>>>> [33/37]: configuring Posix uid/gid generation >>>>>> [34/37]: adding replication acis >>>>>> [35/37]: enabling compatibility plugin >>>>>> [36/37]: tuning directory server >>>>>> [37/37]: configuring directory to start on boot >>>>>> Done configuring directory server (dirsrv). >>>>>> Configuring certificate server (pki-tomcatd): Estimated time 3 >>>>>> minutes >>>>>> 30 seconds >>>>>> [1/21]: creating certificate server user >>>>>> [2/21]: configuring certificate server instance >>>>>> [3/21]: stopping certificate server instance to update CS.cfg >>>>>> [4/21]: backing up CS.cfg >>>>>> [5/21]: disabling nonces >>>>>> [6/21]: set up CRL publishing >>>>>> [7/21]: enable PKIX certificate path discovery and validation >>>>>> [8/21]: starting certificate server instance >>>>>> [9/21]: creating RA agent certificate database >>>>>> [10/21]: importing CA chain to RA certificate database >>>>>> [11/21]: fixing RA database permissions >>>>>> [12/21]: setting up signing cert profile >>>>>> [13/21]: set certificate subject base >>>>>> [14/21]: enabling Subject Key Identifier >>>>>> [15/21]: enabling Subject Alternative Name >>>>>> [16/21]: enabling CRL and OCSP extensions for certificates >>>>>> [17/21]: setting audit signing renewal to 2 years >>>>>> [18/21]: configure certmonger for renewals >>>>>> [19/21]: configure certificate renewals 
>>>>>> [20/21]: configure Server-Cert certificate renewal >>>>>> [21/21]: Configure HTTP to proxy connections >>>>>> Done configuring certificate server (pki-tomcatd). >>>>>> Restarting the directory and certificate servers >>>>>> Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds >>>>>> [1/8]: adding sasl mappings to the directory >>>>>> [2/8]: configuring KDC >>>>>> [3/8]: creating a keytab for the directory >>>>>> [4/8]: creating a keytab for the machine >>>>>> [5/8]: adding the password extension to the directory >>>>>> [6/8]: enable GSSAPI for replication >>>>>> [error] NO_SUCH_OBJECT: {'desc': 'No such object'} >>>>>> >>>>>> Your system may be partly configured. >>>>>> Run /usr/sbin/ipa-server-install --uninstall to clean up. >>>>>> >>>>>> Traceback (most recent call last): >>>>>> File "/sbin/ipa-replica-install", line 162, in >>>>>> fail_message=fail_message) >>>>>> File >>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", >>>>>> >>>>>> line 760, in run_script >>>>>> message, exitcode = handle_error(error, log_file_name) >>>>>> File >>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", >>>>>> >>>>>> line 799, in handle_error >>>>>> type(error).__name__, error.args[0]['info']), 1 >>>>>> KeyError: 'info' >>>>>> >>>>>> It needs to be noted, that the replica file was prepared on the >>>>>> master >>>>>> running standard 4.1.2 freeipa-server. >>>>>> >>>>>> The log is attached >>>>>> >>>>>> >>>>>> >>>>>> >>>>> >>>>> Hi Oleg, >>>>> >>>>> I have encountered a different error during the same step (see >>>>> http://pastebin.test.redhat.com/287218) while reviewing pvoborni's >>>>> topology API commands. In this case both server and the replica were >>>>> from current freeipa-master (HEAD was at commit >>>>> e2c2d5967d4dfd219cd6ab5fc6f3bc8094ba28a7). 
>>>>> >>>>> I have also noticed that everything works if I run >>>>> ipa-replica-install >>>>> without '--setup-ca' flag and then install CA separately using >>>>> 'ipa-ca-install'. >>>>> >>>>> I will open a ticket for this if you or anyone else will be able to >>>>> reproduce this behavior. >>>>> >>>> Ah, seems like I have just hit >>>> https://fedorahosted.org/freeipa/ticket/5035. Never mind. >>>> >>> >> > -- Oleg Fayans Quality Engineer FreeIPA team RedHat. From pspacek at redhat.com Wed Jun 3 12:57:40 2015
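The `KeyError: 'info'` at the bottom of the traceback quoted above is raised by the error handler itself: `handle_error` indexes `error.args[0]['info']`, but LDAP exceptions of the python-ldap kind carry a dict in `args[0]` that always has `'desc'` and only sometimes `'info'`, so the handler crashes and the real failure (`NO_SUCH_OBJECT` at step 6/8) is replaced in the output by a second, unrelated exception. The following is an added illustration, not FreeIPA's `installutils` code; `NoSuchObject`, `run_step` and `failing_step` are constructed stand-ins that reproduce the dict-style payload without importing python-ldap:

```python
"""Error reporting that survives a missing 'info' key (added example)."""


class NoSuchObject(Exception):
    """Constructed stand-in for an LDAP error: args[0] is a dict carrying
    'desc' and only sometimes 'info', like python-ldap exceptions do."""


def format_error(error):
    """Return (message, exit_code) for an exception raised by an install step.

    Handles dict-style LDAP payloads with or without 'info', and any other
    exception type, instead of assuming one fixed payload shape.
    """
    name = type(error).__name__
    payload = error.args[0] if error.args else None
    if isinstance(payload, dict):
        desc = payload.get("desc", "unknown LDAP error")
        info = payload.get("info")
        detail = "%s: %s" % (desc, info) if info else desc
    else:
        detail = str(error)
    return "%s: %s" % (name, detail), 1


def run_step(step, log):
    """Run one install step, log its failure and return the exit code.

    If building the message itself fails, fall back to repr(error) so the
    root cause is still recorded rather than replaced by a second exception
    raised from inside the handler.
    """
    try:
        step()
    except Exception as error:
        try:
            message, rval = format_error(error)
        except Exception as handler_error:
            message = "%r (error handler failed: %r)" % (error, handler_error)
            rval = 1
        log.append(message)
        return rval
    return 0


def failing_step():
    # Constructed failure mirroring "[6/8]: enable GSSAPI for replication"
    raise NoSuchObject({"desc": "No such object"})


if __name__ == "__main__":
    messages = []
    print(run_step(failing_step, messages), messages)
```

When the handler is the thing that fails, the exit path prints the handler's own exception, so the first thing to check in a log like the one above is whether the reported exception comes from the install step or from the code that was supposed to describe it.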
From: pspacek at redhat.com (Petr Spacek) Date: Wed, 03 Jun 2015 14:57:40 +0200 Subject: [Freeipa-devel] [PATCHES 0233-0234] DNSSEC: forwarders validation In-Reply-To: <5559D191.4070406@redhat.com> References: <553A3D88.6080200@redhat.com> <55423032.9080505@redhat.com> <5548BED1.1060806@redhat.com> <554A1539.3040002@redhat.com> <554B0D69.5040008@redhat.com> <554B3C19.9080002@redhat.com> <554B8F01.9010501@redhat.com> <55561ACD.6070306@redhat.com> <5559D191.4070406@redhat.com> Message-ID: <556EF9C4.9020406@redhat.com> On 18.5.2015 13:48, Martin Basti wrote: > On 15/05/15 18:11, Petr Spacek wrote: >> On 7.5.2015 18:12, Martin Basti wrote: >>> On 07/05/15 12:19, Petr Spacek wrote: >>>> On 7.5.2015 08:59, David Kupka wrote: >>>>> On 05/06/2015 03:20 PM, Martin Basti wrote: >>>>>> On 05/05/15 15:00, Martin Basti wrote: >>>>>>> On 30/04/15 15:37, David Kupka wrote: >>>>>>>> On 04/24/2015 02:56 PM, Martin Basti wrote: >>>>>>>>> Patches attached. >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>> Hi, >>>>>>>> thanks for patches. >>>>>>>> >>>>>>>> 1. You changed message in DNSServerNotRespondingWarning class but not >>>>>>>> the test in ipatest/test_xmlrpc/test_dns_plugin.py >>>>>>>> >>>>>>>> nitpick. Please spell 'edns' correctly. I've seen several instances >>>>>>>> of 'ends'. >>>>>>>> >>>>>>> Thank you, >>>>>>> >>>>>>> updated patches attached: >>>>>>> * new error messages >>>>>>> * logging to debug log server output if exception was raised >>>>>>> * fixed test >>>>>>> * fixed spelling >>>>>>> >>>>>>> >>>>>>> >>>>>> Fixed tests (again) >>>>>> >>>>>> Updated patches attached >>>>>> >>>>> The code looks good to me and tests are no longer broken. (I would prefer >>>>> better fix of the tests but given that the priorities are different now >>>>> it can >>>>> wait.) >>>>> >>>>> Petr, can you please confirm that the patch set works for you? >>>> Sorry, NACK: >>>> >>>> $ ipa dnsforwardzone-add ptr.test. --forwarder=10.34.47.236 >>>> Server will check DNS forwarder(s). 
>>>> This may take some time, please wait ... >>>> ipa: ERROR: an internal error has occurred >>>> >>>> # /var/log/httpd/error_log >>>> ipa: ERROR: non-public: AssertionError: >>>> Traceback (most recent call last): >>>> File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line >>>> 350, in >>>> wsgi_execute >>>> result = self.Command[name](*args, **options) >>>> File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 443, in >>>> __call__ >>>> ret = self.run(*args, **options) >>>> File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 760, >>>> in run >>>> return self.execute(*args, **options) >>>> File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line >>>> 4444, in >>>> execute >>>> **options) >>>> File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line >>>> 4405, in >>>> _warning_if_forwarders_do_not_work >>>> log=self.log) >>>> File "/usr/lib/python2.7/site-packages/ipalib/util.py", line 715, in >>>> validate_dnssec_zone_forwarder_step2 >>>> timeout=timeout) >>>> File "/usr/lib/python2.7/site-packages/ipalib/util.py", line 610, in >>>> _resolve_record >>>> assert isinstance(nameserver_ip, basestring) >>>> AssertionError >>>> ipa: INFO: [jsonserver_session] admin at IPA.EXAMPLE: dnsforwardzone_add(>>> name ptr.test.>, idnsforwarders=(u'10.34.47.236',), all=False, raw=False, >>>> version=u'2.116'): AssertionError >>>> >>>> This is constantly reproducible in my vm-090.abc. Let me know if you want to >>>> take a look. >>>> >>>> >>>> I'm attaching little response.patch which improves compatibility with older >>>> python-dns packages. This patch allows IPA to work while error messages are >>>> simply not as nice as they could be with latest python-dns :-) >>>> >>>> check_fwd_msg.patch is a little nitpick, just to make sure everyone >>>> understands the message. >>>> >>>> BTW why some messages in check_forwarders() are printed using 'print' and >>>> others using logger? 
I would prefer to use logger for everything to make sure >>>> that logs contain all the information, including warnings. >>>> >>>> Thank you for your time! >>>> >>> Thank you, fixed. >>> >>> I added a missing except block after forwarders validation step2. >> I confirm that this works but I just discovered another deficiency. >> >> Setup: >> - DNSSEC validation is enabled on IPA server >> - forwarders use a fake TLD, e.g. 'test.' >> - remote DNS server is responding, supports EDNS0 and so on >> >> $ ipa dnsforwardzone-add ptr.test. --forwarder=10.34.47.236 >> Server will check DNS forwarder(s). >> This may take some time, please wait ... >> ipa: WARNING: DNS server 10.34.78.90: query 'ptr.test. SOA': The DNS query >> name does not exist: ptr.test.. >> >> Huh? Let's check named log: >> forward zone 'ptr.test': loaded >> validating ./SOA: got insecure response; parent indicates it should be secure >> >> Sometimes I get SERVFAIL from IPA server, too. >> >> >> Unfortunately this check was the main reason for writing this patchset so we >> need to improve it. >> >> Maybe validate_dnssec_zone_forwarder_step2() could special-case NXDOMAIN and >> print the DNSSEC-validation-failed error, too? The problem is that it could >> trigger some false positives because NXDOMAIN may simply be caused by a delay >> somewhere. >> >> Any ideas? > I added a catch block for NXDOMAIN >> >> By the way, this is also weird: >> >> $ ipa dnsforwardzone-add ptr.test. --forwarder=10.34.47.236 >> Server will check DNS forwarder(s). >> This may take some time, please wait ... >> ipa: ERROR: DNS forward zone with name "ptr.test." already exists >> >> Is it actually doing the check even if the forward zone exists already? (This >> is just a nitpick, not a blocker!) >> > The first part is written by the IPA client, it is not a response from the server. > It is just written when the user uses the --forwarder option. > > Updated patch attached.
NACK, it does not work for me - it explodes when I try to add a forward zone: $ ipa dnsforwardzone-add ptr.test. --forwarder=192.0.2.1 ipa: ERROR: non-public: TypeError: _warning_if_forwarders_do_not_work() got multiple values for keyword argument 'new_zone' Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 350, in wsgi_execute result = self.Command[name](*args, **options) File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 443, in __call__ ret = self.run(*args, **options) File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 760, in run return self.execute(*args, **options) File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line 4461, in execute result, new_zone=True, *keys, **options) TypeError: _warning_if_forwarders_do_not_work() got multiple values for keyword argument 'new_zone' ipa: INFO: [jsonserver_session] admin at IPA.EXAMPLE: dnsforwardzone_add(, idnsforwarders=(u'192.0.2.1',), all=False, raw=False, version=u'2.123'): TypeError -- Petr^2 Spacek From edewata at redhat.com Wed Jun 3 12:58:21 2015 
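Both tracebacks in this thread are argument-binding problems rather than DNS problems: the `TypeError ... got multiple values for keyword argument 'new_zone'` comes from a call of the shape `f(result, new_zone=True, *keys, **options)`, where the values unpacked from `*keys` are bound to parameter slots before the keyword is applied, and the earlier `AssertionError` on `assert isinstance(nameserver_ip, basestring)` comes from a tuple (`idnsforwarders=(u'10.34.47.236',)`) reaching code that expected one string. The following is an added illustration, not FreeIPA's `dns.py` or `util.py`; the two `warn_forwarders_*` functions, `call_site` and `normalize_forwarders` are constructed stand-ins that reproduce the failing call shape and one way to make the signature immune to it:

```python
"""Argument-binding pitfalls behind the two tracebacks (added example)."""


def warn_forwarders_positional(result, new_zone, *keys, **options):
    """Constructed stand-in for the broken signature: new_zone is an
    ordinary positional parameter, so values unpacked from *keys can
    land in its slot."""
    return new_zone, keys


def warn_forwarders_keyword_only(result, *keys, new_zone=False, **options):
    """Fixed stand-in: new_zone is keyword-only (declared after *keys),
    so the same call site binds it from the keyword and never from *keys."""
    return new_zone, keys


def call_site(func, result, keys, **options):
    """The call shape from the traceback: keyword first, then *keys.

    Positional arguments, including the unpacked *keys, are bound to
    parameter slots before keyword arguments are applied; the explicit
    keyword then collides with the slot that is already filled.  Returns
    the TypeError text instead of raising so both signatures can be compared.
    """
    try:
        return func(result, new_zone=True, *keys, **options)
    except TypeError as exc:
        return "TypeError: %s" % exc


def normalize_forwarders(forwarders):
    """Accept one address or any sequence of addresses; return a list of str.

    A single forwarder still arrives as a one-element tuple, which is what
    tripped the isinstance assertion.  Raise ValueError rather than assert:
    assertions vanish under `python -O`, and a validation check must not.
    """
    if isinstance(forwarders, (str, bytes)):
        forwarders = [forwarders]
    result = []
    for fw in forwarders:
        if isinstance(fw, bytes):
            fw = fw.decode("ascii")
        if not isinstance(fw, str) or not fw.strip():
            raise ValueError("forwarder must be a non-empty string, got %r" % (fw,))
        result.append(fw.strip())
    return result


if __name__ == "__main__":
    print(call_site(warn_forwarders_positional, "result", ("ptr.test.",)))
    print(call_site(warn_forwarders_keyword_only, "result", ("ptr.test.",)))
    print(normalize_forwarders(("192.0.2.1",)))
```

Making `new_zone` keyword-only fixes the problem at the signature, so every existing call site of the form in the traceback keeps working; changing the call instead (passing `True` positionally before `*keys`) also works but has to be repeated at each caller.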
From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 03 Jun 2015 07:58:21 -0500 Subject: [Freeipa-devel] [PATCH] Password vault In-Reply-To: <1433270074.4846.85.camel@willson.usersys.redhat.com> References: <54E1AF55.3060409@redhat.com> <54EBEB55.6010306@redhat.com> <54F96B22.9050507@redhat.com> <55004D5D.6060300@redhat.com> <550FE5EB.1070606@redhat.com> <551E0AE1.8040500@redhat.com> <553498D1.1020901@redhat.com> <55651209.8020000@redhat.com> <556558AA.6040107@redhat.com> <5566AB15.3070605@redhat.com> <5566ABAB.7050008@redhat.com> <556CF29A.9090404@redhat.com> <556D7FBD.4080207@redhat.com> <1433270074.4846.85.camel@willson.usersys.redhat.com> Message-ID: <556EF9ED.7040500@redhat.com> On 6/2/2015 1:34 PM, Simo Sorce wrote: > On Tue, 2015-06-02 at 12:04 +0200, Jan Cholasta wrote: >> On 2.6.2015 at 02:02 Endi Sukma Dewata wrote: >>> On 5/28/2015 12:46 AM, Jan Cholasta wrote: >>>>> On a related note, since KRA is optional, can we move the vaults >>>>> container to cn=kra,cn=vaults? This is the convention used by the other >>>>> optional components (DNS and recently CA). >>>> >>>> I mean cn=vaults,cn=kra of course. >>> >>> If you are talking about the o=kra,, I'm not sure whether >>> the IPA framework will work with it. >>> >>> If you are talking about adding a new cn=kra, entry on top >>> of cn=vaults, what is the purpose of this entry? Is the entry going to >>> be created/deleted automatically when the KRA is installed/removed? Is >>> it going to be used for something else other than vaults? >> >> I'm talking about cn=kra,. It should be created only when >> KRA is installed, although I think this can be done later after the >> release, moving vaults to cn=kra should be good enough for now. It's >> going to be used for everything KRA-specific. >> >>> >>> There are a lot of questions that need to be answered before we can make >>> this change. >> >> This is about sticking to a convention, which everyone should do, and >> everyone except KRA already does.
>> >> I'm sorry I didn't realize this earlier, but the change must be done now. >> >>> We probably should revisit this issue after the core vault >>> functionality is added. >>> >> >> We can't revisit it later because after release we are stuck with >> whatever is there forever. >> >> See attachment for a patch which implements the change. >> > > Shouldn't we s/kra/vault/ ? > After all the feature is called Vault, not KRA. > > Simo. > Here are the options: 1. the original code uses "cn=vaults,". 2. Honza proposed "cn=vaults,cn=kra,", ACKed by Martin. Are you proposing a third option "cn=vaults,cn=vault," or did you mean the first option? I think the first option would make more sense since we're not introducing KRA to the end user, but I'll let the IPA team decide. My next patch will be based on whatever is pushed at the time. -- Endi S. Dewata From mbasti at redhat.com Wed Jun 3 13:02:28 2015
From: mbasti at redhat.com (Martin Basti) Date: Wed, 03 Jun 2015 15:02:28 +0200 Subject: [Freeipa-devel] [PATCH 424] install: Introduce installer framework ipapython.install In-Reply-To: <556DADCF.3010305@redhat.com> References: <552FCB4E.4050402@redhat.com> <5531157F.80106@redhat.com> <5534FBB6.3050001@redhat.com> <553513A7.3070704@redhat.com> <554105ED.90204@redhat.com> <5549B079.5020007@redhat.com> <5549B319.2060109@redhat.com> <5550956F.9080002@redhat.com> <556DADCF.3010305@redhat.com> Message-ID: <556EFAE4.70908@redhat.com> On 02/06/15 15:21, Jan Cholasta wrote: > On 11.5.2015 at 13:41 Jan Cholasta wrote: >> On 6.5.2015 at 08:22 Jan Cholasta wrote: >>> On 6.5.2015 at 08:11 Martin Kosek wrote: >>>> On 04/29/2015 06:25 PM, Jan Cholasta wrote: >>>>> On 20.4.2015 at 16:56 Jan Cholasta wrote: >>>>>> On 20.4.2015 at 15:14 Martin Basti wrote: >>>>>>> On 17/04/15 16:15, Jan Cholasta wrote: >>>>>>>> On 16.4.2015 at 16:46 Jan Cholasta wrote: >>>>>>>>> Hi, >>>>>>>>> >>>>>>>>> the attached patch adds the basics of the new installer >>>>>>>>> framework. >>>>>>>>> >>>>>>>>> As a next step, I plan to convert the install scripts to use the >>>>>>>>> framework with their old code (the old code will be gradually >>>>>>>>> ported to >>>>>>>>> the framework later). >>>>>>>>> >>>>>>>>> (Note I didn't manage to write docstrings today, expect an update >>>>>>>>> tomorrow.) >>>>>>>> >>>>>>>> Added some docstrings. >>>>>>>> >>>>>>>> Also updated the patch to reflect a little brainstorming David and I >>>>>>>> had >>>>>>>> this morning. >>>>>>>> >>>>>>>>> >>>>>>>>> Honza >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> Hello, see comments below: >>>>>>> >>>>>>> 1) We started using a new shorter license header in files: >>>>>>> # >>>>>>> # Copyright (C) 2015 FreeIPA Contributors see COPYING for license >>>>>>> # >>>>>> >>>>>> OK.
>>>>>> >>>>>>> >>>>>>> 2) IMO this will not work, NoneType has no 'obj' attribute >>>>>>> + else: >>>>>>> + if isinstance(value, from_): >>>>>>> + value = None >>>>>>> + stack.append(value.obj) >>>>>>> + continue >>>>>> >>>>>> Right. >>>>>> >>>>>>> >>>>>>> 3) Multiple inheritance. I do not like it much. >>>>>>> +class CompositeInstaller(Installer, CompositeConfigurator): >>>>>> >>>>>> I guess you are antagonistic to multiple inheritance because of how >>>>>> other languages (like C++) do it. In Python it can be pretty elegant >>>>>> and >>>>>> is the basis for e.g. the mixin design pattern. >>>>>> >>>>>>> >>>>>>> Installer and CompositeConfigurator inherit from the Configurator >>>>>>> class, >>>>>>> and all of them implement the _generator method. >>>>>> >>>>>> Both of them call super()._generator(), so it's no problem (same for >>>>>> other methods). >>>>>> >>>>>>> >>>>>>> If I understand correctly >>>>>>> (https://www.python.org/download/releases/2.3/mro/) the >>>>>>> Installer._generator method will be used in this case. >>>>>>> However in case when CompositeConfigurator has more levels >>>>>>> (respectively >>>>>>> it is more specialized) of inheritance, it could take precedence >>>>>>> and its >>>>>>> _generator method may be used instead. >>>>>> >>>>>> The order of precedence is defined by the order of base classes >>>>>> in the >>>>>> class definition. >>>>>> >>>>>>> >>>>>>> I'm afraid this may suddenly stop working. >>>>>>> Maybe I'm wrong, please correct me. >>>>>> >>>>>> As long as you call the super class, it will work fine. >>>>>> >>>>>>> >>>>>>> And multiple inheritance is not easily readable, this is even a >>>>>>> diamond >>>>>>> inheritance model. >>>>>> >>>>>> Cooperative inheritance is used by design and IMHO is easily >>>>>> readable if >>>>>> you know how to read it. Every class defines a single bit of >>>>>> behavior. >>>>>> Without cooperative inheritance, it would have to be hardcoded >>>>>> and/or >>>>>> hacked around, which I wanted to avoid.
>>>>>> >>>>>> This blog post explains it nicely: >>>>>> . >>>>>> >>>>>> >>>>> >>>>> Updated patch attached. >>>>> >>>>> Also attached is patch 425 which migrates ipa-server-install to the >>>>> install >>>>> framework. >>>> >>>> Good job there. I am just curious, will this framework and new option >>>> processing be friendly to other types of option passing than just via >>>> options? >>>> I mean tickets >>>> >>>> https://fedorahosted.org/freeipa/ticket/4517 >>>> https://fedorahosted.org/freeipa/ticket/4468 >>>> >>>> Especially 4517 is important, we need to be able to run >>>> >>>> # cat install.conf >>>> ds_password=Secret123 >>>> admin_password=Secret456 >>>> ip_address=123456 >>>> setup_dns=False >>>> >>>> # ipa-server-install --unattended --conf install.conf >>>> >>>> I assume yes, but I am just making sure. >>> >>> Yes, definitely. >>> >> >> Updated patches attached. > > Another update, patches attached. > Thank you, 1) ipa-server-install --uninstall prints 0 ... Unconfiguring ipa_memcached Unconfiguring ipa-otpd 0 The ipa-server-install command was successful 2) ipa-server-install --setup-dns 'ServerOptions' object has no attribute 'dnssec_master' 3) For the record, this will be fixed in an extra patch. info messages from ldapupdate are printed to console 4) + if default is not _missing: + class_dict['default'] = default Why is a new _missing object needed? Isn't NoneType enough? -- Martin Basti From simo at redhat.com Wed Jun 3 13:20:57 2015
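The review exchange above turns on two Python points: with cooperative inheritance every `_generator` hands over to `super()`, so the method resolution order (C3, following the base-class order written in the `class` statement) decides in which sequence the steps run and the shared base runs exactly once, while a class that does not call `super()` silently cuts off everything behind it in the MRO; and a `_missing` sentinel is needed wherever `None` itself must remain a legal default value. The following is an added illustration, not the `ipapython.install` code from the patch; the `Configurator`, `Installer`, `CompositeConfigurator`, `CompositeInstaller` and the other classes here are constructed stand-ins that borrow only the names from the thread, and `class_dict_for` is a constructed stand-in for the `_missing` idiom queried in item 4:

```python
"""Cooperative (diamond) inheritance and the sentinel default (added example)."""


class Configurator:
    """Root of the diamond: the last _generator in the chain."""

    def _generator(self):
        yield "Configurator"

    def run(self):
        """Drive the chain and return the order in which the steps ran."""
        return list(self._generator())


class Installer(Configurator):
    def _generator(self):
        yield "Installer"
        yield from super()._generator()   # hand over to the next class in the MRO


class CompositeConfigurator(Configurator):
    def _generator(self):
        yield "CompositeConfigurator"
        yield from super()._generator()


class CompositeInstaller(Installer, CompositeConfigurator):
    """Diamond: both bases share Configurator, which still runs exactly once."""


class ReversedInstaller(CompositeConfigurator, Installer):
    """Same mixins, opposite order in the class statement: the MRO flips."""


class NonCooperative(Configurator):
    """Does NOT call super(): everything after it in the MRO is silently skipped."""

    def _generator(self):
        yield "NonCooperative"


class BrokenInstaller(NonCooperative, CompositeConfigurator):
    """CompositeConfigurator's step never runs, because NonCooperative stops the chain."""


def mro_names(cls):
    """The resolution order Python computed for cls, by class name."""
    return [c.__name__ for c in cls.__mro__]


# Sentinel: a private object that no caller can pass by accident, so None
# stays available as a real default value (constructed illustration).
_missing = object()


def class_dict_for(default=_missing):
    """Only record 'default' when the caller actually supplied one."""
    class_dict = {}
    if default is not _missing:
        class_dict["default"] = default
    return class_dict


if __name__ == "__main__":
    print(mro_names(CompositeInstaller), CompositeInstaller().run())
    print(mro_names(BrokenInstaller), BrokenInstaller().run())
    print(class_dict_for(), class_dict_for(None))
```

`ReversedInstaller` shows that the order of precedence really is the order of the base classes in the class definition, and `BrokenInstaller` shows the one way the scheme does stop working: a class in the chain that forgets to call `super()`.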
From: simo at redhat.com (Simo Sorce) Date: Wed, 03 Jun 2015 09:20:57 -0400 Subject: [Freeipa-devel] [PATCH] Password vault In-Reply-To: <556EAC46.3090300@redhat.com> References: <54E1AF55.3060409@redhat.com> <54EBEB55.6010306@redhat.com> <54F96B22.9050507@redhat.com> <55004D5D.6060300@redhat.com> <550FE5EB.1070606@redhat.com> <551E0AE1.8040500@redhat.com> <553498D1.1020901@redhat.com> <55651209.8020000@redhat.com> <556558AA.6040107@redhat.com> <5566AB15.3070605@redhat.com> <5566ABAB.7050008@redhat.com> <556CF29A.9090404@redhat.com> <556D7FBD.4080207@redhat.com> <1433270074.4846.85.camel@willson.usersys.redhat.com> <556EAC46.3090300@redhat.com> Message-ID: <1433337657.3020.20.camel@willson.usersys.redhat.com> On Wed, 2015-06-03 at 09:27 +0200, Martin Kosek wrote: > On 06/02/2015 08:34 PM, Simo Sorce wrote: > > On Tue, 2015-06-02 at 12:04 +0200, Jan Cholasta wrote: > >> On 2.6.2015 at 02:02 Endi Sukma Dewata wrote: > >>> On 5/28/2015 12:46 AM, Jan Cholasta wrote: > >>>>> On a related note, since KRA is optional, can we move the vaults > >>>>> container to cn=kra,cn=vaults? This is the convention used by the other > >>>>> optional components (DNS and recently CA). > >>>> > >>>> I mean cn=vaults,cn=kra of course. > >>> > >>> If you are talking about the o=kra,, I'm not sure whether > >>> the IPA framework will work with it. > >>> > >>> If you are talking about adding a new cn=kra, entry on top > >>> of cn=vaults, what is the purpose of this entry? Is the entry going to > >>> be created/deleted automatically when the KRA is installed/removed? Is > >>> it going to be used for something else other than vaults? > >> > >> I'm talking about cn=kra,. It should be created only when > >> KRA is installed, although I think this can be done later after the > >> release, moving vaults to cn=kra should be good enough for now. It's > >> going to be used for everything KRA-specific.
> >> > >>> > >>> There are a lot of questions that need to be answered before we can make > >>> this change. > >> > >> This is about sticking to a convention, which everyone should do, and > >> everyone except KRA already does. > >> > >> I'm sorry I didn't realize this earlier, but the change must be done now. > >> > >>> We probably should revisit this issue after the core vault > >>> functionality is added. > >>> > >> > >> We can't revisit it later because after release we are stuck with > >> whatever is there forever. > >> > >> See attachment for a patch which implements the change. > >> > > > > Shouldn't we s/kra/vault/ ? > > After all the feature is called Vault, not KRA. > > I thought we are naming it by the name of the optional subsystem, not the > feature itself. If for example, another feature from KRA is used, it would > still live in cn=kra, no? For services so far we have CA, not dogtag, and LDAP, not 389ds, also KDC not krb5kdc and kpasswd not kadmind, etc... we normally named everything after the function. Now kra is probably a somewhat generic term, but I have not been able to find what it means exactly in 5 minutes, and it is quite obscure as a name. OTOH cn=Vault would make it really clear what's in it. I do not have a very strong opinion but a generic and clear name is important for the DIT. Simo. -- Simo Sorce * Red Hat, Inc * New York From ftweedal at redhat.com Wed Jun 3 13:21:47 2015 
From: ftweedal at redhat.com (Fraser Tweedale) Date: Wed, 3 Jun 2015 23:21:47 +1000 Subject: [Freeipa-devel] [PATCH 0014 v3] Support multiple user and host certificates In-Reply-To: <556EEB43.7020108@redhat.com> References: <20150527135315.GC24915@dhcp-40-8.bne.redhat.com> <5565ED02.6060709@redhat.com> <20150528111804.GA23523@dhcp-40-8.bne.redhat.com> <20150601044027.GH23523@dhcp-40-8.bne.redhat.com> <556C5525.8080305@redhat.com> <20150602094227.GR23523@dhcp-40-8.bne.redhat.com> <556D8713.5030101@redhat.com> <556DB7BB.5090600@redhat.com> <556EE262.9070204@redhat.com> <556EEB43.7020108@redhat.com> Message-ID: <20150603132147.GY23523@dhcp-40-8.bne.redhat.com> On Wed, Jun 03, 2015 at 01:55:47PM +0200, Milan Kubik wrote: > On 06/03/2015 01:17 PM, Martin Basti wrote: > >On 02/06/15 16:03, Jan Cholasta wrote: > >>On 2.6.2015 at 12:36 Martin Basti wrote: > >>>On 02/06/15 11:42, Fraser Tweedale wrote: > >>>>On Mon, Jun 01, 2015 at 02:50:45PM +0200, Martin Basti wrote: > >>>>>On 01/06/15 06:40, Fraser Tweedale wrote: > >>>>>>New version of patch; ``{host,service}-show --out=FILE`` now writes > >>>>>>all certs to FILE. Rebased on latest master. > >>>>>> > >>>>>>Thanks, > >>>>>>Fraser > >>>>>> > >>>>>>On Thu, May 28, 2015 at 09:18:04PM +1000, Fraser Tweedale wrote: > >>>>>>>Updated patch attached. Notably restores/adds revocation behaviour > >>>>>>>to host-mod and service-mod. > >>>>>>> > >>>>>>>Thanks, > >>>>>>>Fraser > >>>>>>> > >>>>>>>On Wed, May 27, 2015 at 06:12:50PM +0200, Martin Basti wrote: > >>>>>>>>On 27/05/15 15:53, Fraser Tweedale wrote: > >>>>>>>>>This patch adds support for multiple user / host > >>>>>>>>>certificates. No > >>>>>>>>>schema change is needed ('usercertificate' attribute is already > >>>>>>>>>multi-value). The revoke-previous-cert behaviour of host-mod and > >>>>>>>>>user-mod has been removed but revocation behaviour of -del and > >>>>>>>>>-disable is preserved.
> >>>>>>>>> > >>>>>>>>>The latest profiles/caacl patchset (0001..0013 v5) depends > >>>>>>>>>on this > >>>>>>>>>patch for correct cert-request behaviour. > >>>>>>>>> > >>>>>>>>>There is one design question (or maybe more, let me know): the > >>>>>>>>>`--out=FILENAME' option to {host,service} show saves ONE > >>>>>>>>>certificate > >>>>>>>>>to the named file. I propose to either: > >>>>>>>>> > >>>>>>>>>a) write all certs, suffixing suggested filename with either a > >>>>>>>>> sequential numerical index, e.g. "cert.pem" becomes > >>>>>>>>> "cert.pem.1", "cert.pem.2", and so on; or > >>>>>>>>> > >>>>>>>>>b) as above, but suffix with serial number and, if there are > >>>>>>>>> different issuers, some issuer-identifying information. > >>>>>>>>> > >>>>>>>>>Let me know your thoughts. > >>>>>>>>> > >>>>>>>>>Thanks, > >>>>>>>>>Fraser > >>>>>>>>> > >>>>>>>>> > >>>>>>>>Is there a possible way to store certificates into one file? > >>>>>>>>I read about possibilities to have multiple certs in one .pem > >>>>>>>>file, but I'm > >>>>>>>>not a cert guru :) > >>>>>>>> > >>>>>>>>I personally vote for serial number in case there are multiple > >>>>>>>>certificates, > >>>>>>>>if ^ is not possible. > >>>>>>>> > >>>>>>>> > >>>>>>>>1) > >>>>>>>>+ if len(certs) > 0: > >>>>>>>> > >>>>>>>>please use only, > >>>>>>>>if certs: > >>>>>>>> > >>>>>>>>2) > >>>>>>>>You need to re-generate API/ACI.txt in this patch > >>>>>>>> > >>>>>>>>3) > >>>>>>>>syntax error: > >>>>>>>>+ for dercert in certs_der > >>>>>>>> > >>>>>>>> > >>>>>>>>4) > >>>>>>>>command > >>>>>>>>ipa user-mod ca_user --certificate= > >>>>>>>> > >>>>>>>>removes the current certificate from the LDAP, by design. > >>>>>>>>Should the old certificate(s) be revoked? You removed that part in > >>>>>>>>the code. > >>>>>>>> > >>>>>>>>only the --addattr='usercertificate=' appends a new > >>>>>>>>value there > >>>>>>>> > >>>>>>>>-- > >>>>>>>>Martin Basti > >>>>>>>> > >>>>>My objections/proposed solutions are in the attached patch.
> >>>>> > >>>>>* VERSION > >>>>>* In the previous version normalized values were stored in LDAP, so I > >>>>>added > >>>>>it back. (I don't know why there is no normalization in param > >>>>>settings, but > >>>>>normalization for every certificate is done in callback. I will > >>>>>file a > >>>>>ticket for this) > >>>>>* IMO only normalized certificates should be compared in the old > >>>>>certificates detection > >>>>> > >>>>I incorporated your suggested changes in new patch (attached). > >>>> > >>>>There were no proposed changes to the other patchset (0001..0013) > >>>>since rebase. > >>>> > >>>>Thanks, > >>>>Fraser > >>>Thank you, > >>>ACK > >>>Martin^2 > >>> > >> > >>Pushed to master: 7f7c247bb5a4b0030d531f4f14c156162e808212 > >> > >Regression found. > > > >Patch to fix the issue is attached. > > > The fix works, thanks. > > Milan Thanks for finding, fixing and testing! ACK from me. I also present a fix of my own. It fixes a problem where service-mod deleted all certificates when '--addattr usercertificate=XXX' was used instead of '--usercertificate=XXX' options. Cheers, Fraser -------------- next part -------------- From 5816c655b75a516068301186b20ddc36b966073c Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Wed, 3 Jun 2015 02:49:28 -0400 Subject: [PATCH] Fix certificate management with service-mod Adding or removing certificates from a service via --addattr or --delattr is broken. Get certificates from entry_attrs instead of options. --- ipalib/plugins/service.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py index c290344cf6c14155ec1b103525ff8642a7a8e2af..369321d76a7b8e4e0a0d572fa1d26145cca010f4 100644 --- a/ipalib/plugins/service.py +++ b/ipalib/plugins/service.py 
@@ -598,7 +598,7 @@ class service_mod(LDAPUpdate): (service, hostname, realm) = split_principal(keys[-1]) # verify certificates - certs = options.get('usercertificate') or [] + certs = entry_attrs.get('usercertificate') or [] certs_der = map(x509.normalize_certificate, certs) for dercert in certs_der: x509.verify_cert_subject(ldap, hostname, dercert) -- 2.1.0 From mbasti at redhat.com Wed Jun 3 13:24:47 2015 
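Review bot: the @@ -598 hunk fixes the immediate --addattr/--delattr breakage but ships without a regression test, and this thread shows the previous certificate-handling change was ACKed and pushed before its regression was noticed; a service-mod test that exercises `--usercertificate=`, `--addattr usercertificate=` and `--delattr usercertificate=` in the same patch would keep all three paths covered. Please also state in a comment whether `entry_attrs.get('usercertificate')` at this point holds only the values given on the command line or the attribute's merged result after addattr/delattr processing: in the latter case `verify_cert_subject` now re-checks certificates that are already stored, so an existing certificate with a mismatched subject would block an otherwise unrelated service-mod, which should be a deliberate decision rather than a side effect.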
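Martin Basti's question above, whether several certificates can live in one file, is answered by the PEM container format: a .pem file is simply a sequence of "-----BEGIN CERTIFICATE-----" blocks (RFC 7468), which is what lets `{host,service}-show --out=FILE` write all certificates to one FILE. The following is an added example, not FreeIPA code, showing a minimal writer and reader for such a bundle. The DER payloads are constructed placeholder bytes, not real certificates; a real reader would hand each decoded blob to an X.509 parser.

```python
# Added example (not FreeIPA code): write several DER blobs into one PEM
# bundle and read them back. Consecutive CERTIFICATE blocks in one file are
# the standard way to carry a certificate chain or several certificates.
import base64
import os
import re
import tempfile

# Constructed sample "DER" blobs; real certificates would be full ASN.1
# SEQUENCEs, but the container logic does not depend on their contents.
SAMPLE_CERTS_DER = [
    b"\x30\x05\x02\x01\x01\x05\x00",        # placeholder cert #1
    b"\x30\x08\x02\x01\x02\x04\x03abc",      # placeholder cert #2
]

# Non-greedy so that each BEGIN pairs with the nearest END; DOTALL because
# the base64 body spans several lines.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
    re.DOTALL,
)


def der_to_pem(der):
    """Encapsulate one DER blob as a PEM CERTIFICATE block (64-column base64)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


def bundle_to_text(certs_der):
    """Concatenate PEM blocks in order; an empty list yields an empty file."""
    return "".join(der_to_pem(der) for der in certs_der)


def parse_bundle(text):
    """Return the DER blobs of every CERTIFICATE block, in file order.

    Whitespace inside a block is ignored, so bundles with CRLF line endings
    or unwrapped base64 parse the same way; text outside the markers (e.g. a
    textual dump of the certificate) is skipped.
    """
    certs = []
    for match in _PEM_BLOCK.finditer(text):
        b64 = re.sub(r"\s+", "", match.group(1))
        certs.append(base64.b64decode(b64, validate=True))
    return certs


def write_bundle(path, certs_der):
    """Write all certificates to a single file, as --out=FILE does."""
    with open(path, "w", encoding="ascii") as fh:
        fh.write(bundle_to_text(certs_der))


def read_bundle(path):
    """Read every certificate back from a bundle file."""
    with open(path, "r", encoding="ascii") as fh:
        return parse_bundle(fh.read())


def round_trip_via_file(certs_der=SAMPLE_CERTS_DER):
    """Write the sample certs to a temporary file and read them back."""
    fd, path = tempfile.mkstemp(suffix=".pem")
    os.close(fd)
    try:
        write_bundle(path, certs_der)
        return read_bundle(path) == list(certs_der)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(bundle_to_text(SAMPLE_CERTS_DER))
    print("round trip ok:", round_trip_via_file())
```

Because the reader keeps file order, a consumer that wants the thread's option (a) can still split the bundle into cert.pem.1, cert.pem.2 and so on after reading; option (b) needs an X.509 parser to obtain serial numbers and issuers, which is outside what this example does.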
From: mbasti at redhat.com (Martin Basti) Date: Wed, 03 Jun 2015 15:24:47 +0200 Subject: [Freeipa-devel] [PATCH 0001] Migrate now accepts scope as argument In-Reply-To: <556E12C8.7010508@redhat.com> References: <556E10D3.8060702@redhat.com> <556E12C8.7010508@redhat.com> Message-ID: <556F001F.9060509@redhat.com> On 02/06/15 22:32, Drew Erny wrote: > Sorry, the email address on that patch is wrong. It picked the old one > off my personal box when I migrated my dotfiles. I don't know if > that's important, but if the merger could > s/dperny at crimson.ua.edu/derny at redhat.com/g, that would be better. > Sorry about that, I'll fix it in my next patch. > > On 06/02/2015 04:23 PM, Drew Erny wrote: >> Hi, all, >> >> This is my first patch, which fixes Ticket #2547 at >> https://fedorahosted.org/freeipa/ticket/2547 >> >> It introduces a --scope option to "ipa migrate-ds" which allows the >> user to specify the search depth of a migration. The previous default >> behavior is the same as --scope=onelevel. To search nested OUs, the >> user uses --scope=subtree. --scope=base will cause the migrate script >> not to find anything, but has been included for completeness. Any >> other option is invalid and will cause the command to abort. >> >> Please review this one carefully, because I'm only like 98% confident >> it doesn't break anything. The only thing I'm not sure about is that >> if you run ipa migrate-ds without --scope specified, it gives an >> interactive input for that option; I'm not sure if it's supposed to >> do that. >> >> Thanks, >> >> Drew Erny >> derny at redhat.com >> >> > > > Hello, thank you for your patch. 1) Please don't use backslash + doc=_('LDAP search scope for users and groups: base, onelevel, or '\ + 'subtree. Defaults to onelevel'), 2) You can use dictionary: _default_scope = 'onelevel' # I do not like hardcoded index there _supported_scopes = {'base': ldap.SCOPE_BASE, _default_scope: ldap.SCOPE_ONELEVEL, ...} StrEnum( .... 
values=_supported_scopes.keys(), default=_default_scope ) scope = _supported_scopes[options.get('scope', _default_scope)] # or autofill=True should be in StrEnum param for scope instead, I'm not sure, you must test it :-) 3) do not forget to change the email PS: I did not test the code, it is just an example. Martin^2 -- Martin Basti -------------- next part -------------- An HTML attachment was scrubbed... URL: From edewata at redhat.com Wed Jun 3 13:31:09 2015 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 03 Jun 2015 08:31:09 -0500 Subject: [Freeipa-devel] [PATCH] Password vault In-Reply-To: <556EA1A2.70809@redhat.com> References: <550FE5EB.1070606@redhat.com> <551E0AE1.8040500@redhat.com> <553498D1.1020901@redhat.com> <55651209.8020000@redhat.com> <556558AA.6040107@redhat.com> <556CF209.7050404@redhat.com> <556D48F3.7040902@redhat.com> <556D9C66.2080706@redhat.com> <556DC639.7090403@redhat.com> <556E19C6.8090907@redhat.com> <20150602212203.GR15837@redhat.com> <556EA1A2.70809@redhat.com> Message-ID: <556F019D.9020000@redhat.com> On 6/3/2015 1:41 AM, Martin Kosek wrote: > On 06/02/2015 11:22 PM, Alexander Bokovoy wrote: >> On Tue, 02 Jun 2015, Endi Sukma Dewata wrote: >>> I think ideally the >>> client and server code should be in separate files (so they can be deployed >>> separately too), but the framework doesn't seem to allow that. >> This is exactly the case we have to use here and we are using that in >> trusts case as well -- some code has to run on server only and shouldn't >> cause Samba related packages to be installed on the client. This is because >> IPA client is actually using the same IPA plugins that server uses, to >> have access to the API calls metadata and client-side callbacks are >> defined in the same place where server-side callbacks are. It is IPA >> framework design, so we have to use what we have. > > This is planned to be changed BTW, when we start with the "Thin Client" concept > and have different code/plugins for FreeIPA server side and client side. Is there a ticket for this? >> In other words, it is not necessarily an evil under conditions we are >> dealing with. Having to use the same plugins for client and server is a framework limitation/poor design. Having to use conditional imports to work around the limitation is a bad programming practice. 
The fact that trust plugin has to implement a similar workaround is not a justification, it just shows that the problem is not vault-specific. -- Endi S. Dewata From jcholast at redhat.com Wed Jun 3 13:36:11 2015 
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 03 Jun 2015 15:36:11 +0200 Subject: [Freeipa-devel] [PATCH] Password vault In-Reply-To: <1433337657.3020.20.camel@willson.usersys.redhat.com> References: <54E1AF55.3060409@redhat.com> <54EBEB55.6010306@redhat.com> <54F96B22.9050507@redhat.com> <55004D5D.6060300@redhat.com> <550FE5EB.1070606@redhat.com> <551E0AE1.8040500@redhat.com> <553498D1.1020901@redhat.com> <55651209.8020000@redhat.com> <556558AA.6040107@redhat.com> <5566AB15.3070605@redhat.com> <5566ABAB.7050008@redhat.com> <556CF29A.9090404@redhat.com> <556D7FBD.4080207@redhat.com> <1433270074.4846.85.camel@willson.usersys.redhat.com> <556EAC46.3090300@redhat.com> <1433337657.3020.20.camel@willson.usersys.redhat.com> Message-ID: <556F02CB.4090103@redhat.com> Dne 3.6.2015 v 15:20 Simo Sorce napsal(a): > On Wed, 2015-06-03 at 09:27 +0200, Martin Kosek wrote: >> On 06/02/2015 08:34 PM, Simo Sorce wrote: >>> On Tue, 2015-06-02 at 12:04 +0200, Jan Cholasta wrote: >>>> Dne 2.6.2015 v 02:02 Endi Sukma Dewata napsal(a): >>>>> On 5/28/2015 12:46 AM, Jan Cholasta wrote: >>>>>>> On a related note, since KRA is optional, can we move the vaults >>>>>>> container to cn=kra,cn=vaults? This is the convention used by the other >>>>>>> optional components (DNS and recently CA). >>>>>> >>>>>> I mean cn=vaults,cn=kra of course. >>>>> >>>>> If you are talking about the o=kra,, I'm not sure whether >>>>> the IPA framework will work with it. >>>>> >>>>> If you are talking about adding a new cn=kra, entry on top >>>>> of cn=vaults, what is the purpose of this entry? Is the entry going to >>>>> be created/deleted automatically when the KRA is installed/removed? Is >>>>> it going to be used for something else other than vaults? >>>> >>>> I'm talking about cn=kra,. It should be created only when >>>> KRA is installed, although I think this can be done later after the >>>> release, moving vaults to cn=kra should be good enough for now. 
It's >>>> going to be used for everything KRA-specific. >>>> >>>>> >>>>> There are a lot of questions that need to be answered before we can make >>>>> this change. >>>> >>>> This is about sticking to a convention, which everyone should do, and >>>> everyone except KRA already does. >>>> >>>> I'm sorry I didn't realize this earlier, but the change must be done now. >>>> >>>>> We probably should revisit this issue after the core vault >>>>> functionality is added. >>>>> >>>> >>>> We can't revisit it later because after release we are stuck with >>>> whatever is there forever. >>>> >>>> See attachment for a patch which implements the change. >>>> >>> >>> Shouldn't we s/kra/vault/ ? >>> After all the feature is called Vault, not KRA. >> >> I thought we are naming it by the name of the optional subsystem, not the >> feature itself. If for example, another feature from KRA is used, it would >> still live in cn=kra, no? > > For services so far we have CA, not dogtag, and LDAP, not 389ds, also > KDC not krb5kdc and kpasswd not kadmind, etc... we normally named > everything after the function. Now kra is probably a somewhat generic > term, but I have not been able to find what it means exactly in 5 > minutes, and it is quite obscure as a name. OTOH cn=Vault would make it > really clear what's in it. I do not have a very strong opinion but a > generic and clear name is important for the DIT. There is also ipa-kra-install and I guess cn=KRA,cn=,cn=masters,cn=ipa,cn=etc. If we rename it, it should be renamed everywhere, and I'm not sure if that's worth it. Also "vault" is too generic, it should be "password vault", but that's too long, so IMO "KRA" is better, as it's short and descriptive. Are vaults the only feature KRA provides? If there are more possible features provided by KRA, it's another reason to keep it "KRA". -- Jan Cholasta From jcholast at redhat.com Wed Jun 3 13:43:34 2015 
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 03 Jun 2015 15:43:34 +0200 Subject: [Freeipa-devel] [PATCH] Password vault In-Reply-To: <556EF9ED.7040500@redhat.com> References: <54E1AF55.3060409@redhat.com> <54EBEB55.6010306@redhat.com> <54F96B22.9050507@redhat.com> <55004D5D.6060300@redhat.com> <550FE5EB.1070606@redhat.com> <551E0AE1.8040500@redhat.com> <553498D1.1020901@redhat.com> <55651209.8020000@redhat.com> <556558AA.6040107@redhat.com> <5566AB15.3070605@redhat.com> <5566ABAB.7050008@redhat.com> <556CF29A.9090404@redhat.com> <556D7FBD.4080207@redhat.com> <1433270074.4846.85.camel@willson.usersys.redhat.com> <556EF9ED.7040500@redhat.com> Message-ID: <556F0486.5090902@redhat.com> Dne 3.6.2015 v 14:58 Endi Sukma Dewata napsal(a): > On 6/2/2015 1:34 PM, Simo Sorce wrote: >> On Tue, 2015-06-02 at 12:04 +0200, Jan Cholasta wrote: >>> Dne 2.6.2015 v 02:02 Endi Sukma Dewata napsal(a): >>>> On 5/28/2015 12:46 AM, Jan Cholasta wrote: >>>>>> On a related note, since KRA is optional, can we move the vaults >>>>>> container to cn=kra,cn=vaults? This is the convention used by the >>>>>> other >>>>>> optional components (DNS and recently CA). >>>>> >>>>> I mean cn=vaults,cn=kra of course. >>>> >>>> If you are talking about the o=kra,, I'm not sure whether >>>> the IPA framework will work with it. >>>> >>>> If you are talking about adding a new cn=kra, entry on top >>>> of cn=vaults, what is the purpose of this entry? Is the entry going to >>>> be created/deleted automatically when the KRA is installed/removed? Is >>>> it going to be used for something else other than vaults? >>> >>> I'm talking about cn=kra,. It should be created only when >>> KRA is installed, although I think this can be done later after the >>> release, moving vaults to cn=kra should be good enough for now. It's >>> going to be used for everything KRA-specific. >>> >>>> >>>> There are a lot of questions that need to be answered before we can >>>> make >>>> this change. 
>>> >>> This is about sticking to a convention, which everyone should do, and >>> everyone except KRA already does. >>> >>> I'm sorry I didn't realize this earlier, but the change must be done >>> now. >>> >>>> We probably should revisit this issue after the core vault >>>> functionality is added. >>>> >>> >>> We can't revisit it later because after release we are stuck with >>> whatever is there forever. >>> >>> See attachment for a patch which implements the change. >>> >> >> Shouldn't we s/kra/vault/ ? >> After all the feature is called Vault, not KRA. >> >> Simo. >> > > Here are the options: > 1. the original code uses "cn=vaults,". > 2. Honza proposed "cn=vaults,cn=kra,", ACKed by Martin. > > Are you proposing a third option "cn=vaults,cn=vault," or > did you mean the first option? > > I think the first option would make more sense since we're not > introducing KRA to the end user, but I'll let the IPA team decide. My > next patch will be based on whatever is pushed at the time. The DNs are not exposed to the end user, they are only relevant for our internal organization of entries. -- Jan Cholasta From abokovoy at redhat.com Wed Jun 3 13:52:19 2015 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Wed, 3 Jun 2015 16:52:19 +0300 Subject: [Freeipa-devel] [PATCH] Password vault In-Reply-To: <556F019D.9020000@redhat.com> References: <55651209.8020000@redhat.com> <556558AA.6040107@redhat.com> <556CF209.7050404@redhat.com> <556D48F3.7040902@redhat.com> <556D9C66.2080706@redhat.com> <556DC639.7090403@redhat.com> <556E19C6.8090907@redhat.com> <20150602212203.GR15837@redhat.com> <556EA1A2.70809@redhat.com> <556F019D.9020000@redhat.com> Message-ID: <20150603135219.GA10162@redhat.com> On Wed, 03 Jun 2015, Endi Sukma Dewata wrote: >On 6/3/2015 1:41 AM, Martin Kosek wrote: >>On 06/02/2015 11:22 PM, Alexander Bokovoy wrote: >>>On Tue, 02 Jun 2015, Endi Sukma Dewata wrote: >>>>I think ideally the >>>>client and server code should be in separate files (so they can be deployed >>>>separately too), but the framework doesn't seem to allow that. > >>>This is exactly the case we have to use here and we are using that in >>>trusts case as well -- some code has to run on server only and shouldn't >>>cause Samba related packages to be installed on the client. This is because >>>IPA client is actually using the same IPA plugins that server uses, to >>>have access to the API calls metadata and client-side callbacks are >>>defined in the same place where server-side callbacks are. It is IPA >>>framework design, so we have to use what we have. >> >>This is planned to be changed BTW, when we start with the "Thin Client" concept >>and have different code/plugins for FreeIPA server side and client side. > >Is there a ticket for this? > >>>In other words, it is not necessarily an evil under conditions we are >>>dealing with. > >Having to use the same plugins for client and server is a framework >limitation/poor design. Having to use conditional imports to work >around the limitation is a bad programming practice. 
The fact that >trust plugin has to implement a similar workaround is not a >justification, it just shows that the problem is not vault-specific. There is another thing. Even when splitting client/server sides, we'll need to check on the server side that certain functionality is available. In trust case we have ID Views (a separate plugin) which does use information about trusts to resolve users from AD to their normalized references (SIDs) and a few other places would depend on functionality only provided when Samba packages are installed. To continue your approach, we would need to split also server-side parts of plugins into separate callable units that would only be provided and called when appropriate rpm subpackages are installed. This is an unneeded complication in a place where we can simply handle dependencies at run time and make sure the packaging deps are managed separately. -- / Alexander Bokovoy From pvoborni at redhat.com Wed Jun 3 13:53:37 2015 
From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 03 Jun 2015 15:53:37 +0200 Subject: [Freeipa-devel] [PATCH] 857 topology: ipa management commands In-Reply-To: <556EF52A.7090907@redhat.com> References: <556448B3.9050105@redhat.com> <556475AF.7060301@redhat.com> <556EC036.2070700@redhat.com> <556EC1EA.4010701@redhat.com> <556EE62C.8010109@redhat.com> <556EF52A.7090907@redhat.com> Message-ID: <556F06E1.2040400@redhat.com> On 06/03/2015 02:38 PM, Martin Babinsky wrote: > On 06/03/2015 01:34 PM, Petr Vobornik wrote: >> On 06/03/2015 10:59 AM, Martin Babinsky wrote: >>> On 06/03/2015 10:52 AM, Martin Babinsky wrote: >>>> On 05/26/2015 03:31 PM, Petr Vobornik wrote: >>>>> On 05/26/2015 12:19 PM, Petr Vobornik wrote: >>>>>> this patch is based on top of my patch #856 and tbabej's >>>>>> 325-9. >>>>>> >>>>>> Obsoletes Ludwig's 0006. >>>>>> >>>>>> ipalib part of topology management >>>>>> >>>>>> Design: >>>>>> - http://www.freeipa.org/page/V4/Manage_replication_topology >>>>>> >>>>>> https://fedorahosted.org/freeipa/ticket/4302 >>>>>> >>>>>> >>>>> >>>>> New version attached: >>>>> - domainlevel_show usage changed to domainlevel_get >>>>> - updated VERSION >>>>> - added more attrs to default_attributes >>>>> >>>>> >>>> >>>> Hi Petr, >>>> >>>> the commands themselves seem to work just fine. I had encountered some >>>> quirks in the underlying topology plugin, but I will address them in a >>>> different thread in order to keep the discussion relevant to the >>>> reviewed patch. >>>> >>>> I have some minor comments below: >>>> >>>> 1.) >>>> IPA_API_VERSION_MAJOR=2 >>>> -IPA_API_VERSION_MINOR=121 >>>> -# Last change: pvoborni - added server-find and server-show >>>> +IPA_API_VERSION_MINOR=122 >>>> +# Last change: pvoborni - added topology management commands >>>> >>>> Several people were touching API in the meantime so please double-check >>>> that you have correct VERSION and regenerate API.txt >> >> Patch rebased. >> >>>> >>>> 2.) 
>>>> >>>> + Str( >>>> + 'nsds5replicatedattributelist?', >>>> + cli_name='replattrs', >>>> + label='Attributes to replicate', >>>> + doc=_('Attributes that are not replicated to a consumer >>>> server ' >>>> + 'during a fractional update. E.g., >>>> `(objectclass=*) ' >>>> + '$ EXCLUDE accountlockout memberof'), >>>> + ), >>>> + Str( >>>> + 'nsds5replicatedattributelisttotal?', >>>> + cli_name='replattrstotal', >>>> + label=_('Attributes for total update'), >>>> + doc=_('Attributes that are not replicated to a consumer >>>> server ' >>>> + 'during a total update. E.g. (objectclass=*) $ >>>> EXCLUDE ' >>>> + 'accountlockout'), >>>> >>>> The descriptions of these two options confused me greatly, are these >>>> attributes supposed to be replicated or not, or is there some more >>>> complex logic behind them that I failed to grasp? I am cc'ing >>>> Ludwig, he >>>> can probably explain them to us and then we can decide whether we may >>>> alter the descriptions to be less confusing. >>>> >>>> 3.) >>>> >>>> + takes_params = ( >>>> + Str( >>>> + 'cn', >>>> + cli_name='name', >>>> + primary_key=True, >>>> + label=_('Suffix name'), >>>> + ), >>>> + Str( >>>> + 'iparepltopoconfroot', >>>> + maxlength=255, >>>> + cli_name='suffix', >>>> + label=_('Suffix to be managed'), >>>> + normalizer=lambda value: value.lower(), >>>> + ), >>>> + ) >>>> >>>> This also confused me at first, I suggest to change the label of >>>> 'iparepltopoconfroot' to something like 'LDAP suffix to be managed' or >>>> 'LDAP subtree to be managed'. >> >> Changed to 'LDAP suffix to be managed' >> >>>> >>>> 4.) >>>> >>>> There is currently no way to rename existing topology >>>> segments/suffixes. >>>> In the case of hosts with funky FQDN's (pointing at you, ABC lab), the >>>> segment cn's created during replica installs are nearly impossible to >>>> remember and it would be nice to rename them to something more >>>> manageable. 
However, this is not related to core functionality and can >>>> be a subject of a separate patch once this gets pushed. >>>> >>>> That's all from my side. >>>> >>> >>> I also forgot to ask what is the expected policy when deleting a >>> non-empty topology suffix. If this is not supported and you have to >>> first remove all segments and then the suffix itself, the >>> 'topologysuffix-del' command should issue an error pointing the user to >>> correct procedure. >>> >> >> Do we have a use case for creation or deletion of topology suffix? > That's a good question. > > Anyway, I have noticed couple more things: > > 1.) it seems that there are some unused imports in topology.py. Please > investigate whether all of them are really needed. Fixed > > 2.) > > +from ipalib.plugins.baseldap import * > +from ipalib.plugins import baseldap > > I do not like that starred import at all. Either import the particular > classes you use (like e.g. in baseuser.py), or just leave the second > import statement and use the appropriate namespace > (baseldap.LDAPObject etc.). Fixed > > 3.) 
there are a couple of pep8 complaints, please try to fix them unless > it impairs readability: > > ./ipalib/constants.py:121:80: E501 line too long (81 > 79 characters) > ./ipalib/plugins/topology.py:72:80: E501 line too long (88 > 79 characters) > ./ipalib/plugins/topology.py:73:26: E131 continuation line unaligned for > hanging indent > ./ipalib/plugins/topology.py:73:80: E501 line too long (93 > 79 characters) > ./ipalib/plugins/topology.py:103:80: E501 line too long (80 > 79 > characters) > ./ipalib/plugins/topology.py:111:80: E501 line too long (80 > 79 > characters) > ./ipalib/plugins/topology.py:207:80: E501 line too long (80 > 79 > characters) > ./ipalib/plugins/topology.py:232:80: E501 line too long (80 > 79 > characters) won't fix > ./ipalib/plugins/topology.py:269:80: E501 line too long (84 > 79 > characters) > ./ipalib/plugins/topology.py:278:80: E501 line too long (89 > 79 > characters) fixed > ./ipalib/plugins/topology.py:363:80: E501 line too long (80 > 79 > characters) > ./ipalib/plugins/topology.py:375:80: E501 line too long (80 > 79 > characters) > won't fix -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0857-3-topology-ipa-management-commands.patch Type: text/x-patch Size: 27673 bytes Desc: not available URL: From mbasti at redhat.com Wed Jun 3 13:55:55 2015 
From: mbasti at redhat.com (Martin Basti) Date: Wed, 03 Jun 2015 15:55:55 +0200 Subject: [Freeipa-devel] [PATCH 0026-0028] Fix nits in user-visible output In-Reply-To: <552CC516.3030500@redhat.com> References: <552BDB36.4090006@redhat.com> <552CBD6E.7080609@redhat.com> <552CC516.3030500@redhat.com> Message-ID: <556F076B.5000305@redhat.com> On 14/04/15 09:43, Petr Spacek wrote: > On 14.4.2015 09:10, Martin Kosek wrote: >> On 04/13/2015 05:05 PM, Petr Spacek wrote: >>> Hello, >>> >>> documentation team proposed a few changes in user-visible messages so here it >>> is. It was not worth a ticket and related overhead. >> The changes look OK to me. I would just have one (prudish) request to not add >> nazi reference to our git history - whether they are grammar or not. Please >> keep the git technical :-) > Sure, here is the same patch with modified commit message. > > > 0026 ACK 0027-2 ACK 0028 ACK -- Martin Basti -------------- next part -------------- An HTML attachment was scrubbed... URL: From pvoborni at redhat.com Wed Jun 3 14:10:55 2015 From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 03 Jun 2015 16:10:55 +0200 Subject: [Freeipa-devel] [PATCH 0010] KeyError raised upon replica installation In-Reply-To: <556D9F9A.1060802@redhat.com> References: <556D80E5.6050802@redhat.com> <556D9F9A.1060802@redhat.com> Message-ID: <556F0AEF.6000108@redhat.com> On 06/02/2015 02:20 PM, Ludwig Krispenz wrote: > replicas installed from older versions do not have a binddn group > just accept the error ACK Pushed to master: 8457edc14dade724b486540800bcdafb7d9a6f76 Note that this group will be populated later. IMHO it should be done as a part of domain-level raise procedure before setting the new level. -- Petr Vobornik From ftweedal at redhat.com Wed Jun 3 14:17:17 2015 
From: ftweedal at redhat.com (Fraser Tweedale) Date: Thu, 4 Jun 2015 00:17:17 +1000 Subject: [Freeipa-devel] [PATCHES 0001-0013 v7] Profiles and CA ACLs In-Reply-To: <556DDBD6.70007@redhat.com> References: <20150527140434.GD24915@dhcp-40-8.bne.redhat.com> <5566E484.7080809@redhat.com> <55670D4D.9080302@redhat.com> <20150529041754.GE23523@dhcp-40-8.bne.redhat.com> <55682FB0.1030807@redhat.com> <55684792.3070006@redhat.com> <20150601071058.GI23523@dhcp-40-8.bne.redhat.com> <20150601072228.GJ23523@dhcp-40-8.bne.redhat.com> <20150602121127.GU23523@dhcp-40-8.bne.redhat.com> <556DDBD6.70007@redhat.com> Message-ID: <20150603141717.GZ23523@dhcp-40-8.bne.redhat.com> On Tue, Jun 02, 2015 at 06:37:42PM +0200, Martin Basti wrote: > On 02/06/15 14:11, Fraser Tweedale wrote: > >On Mon, Jun 01, 2015 at 05:22:28PM +1000, Fraser Tweedale wrote: > >>On Mon, Jun 01, 2015 at 05:10:58PM +1000, Fraser Tweedale wrote: > >>>On Fri, May 29, 2015 at 01:03:46PM +0200, Martin Kosek wrote: > >>>>On 05/29/2015 11:21 AM, Martin Basti wrote: > >>>>>On 29/05/15 06:17, Fraser Tweedale wrote: > >>>>>>On Thu, May 28, 2015 at 02:42:53PM +0200, Martin Basti wrote: > >>>>>>>On 28/05/15 11:48, Martin Basti wrote: > >>>>>>>>On 27/05/15 16:04, Fraser Tweedale wrote: > >>>>>>>>>Hello all, > >>>>>>>>> > >>>>>>>>>Fresh certificate management patchset; Changelog: > >>>>>>>>> > >>>>>>>>>- Now depends on patch freeipa-ftweedal-0014 for correct > >>>>>>>>>cert-request behaviour with host and service principals. > >>>>>>>>> > >>>>>>>>>- Updated Dogtag dependency to 10.2.4-1. Should be in > >>>>>>>>>f22 soon, but for f22 right now or for f21, please grab from my > >>>>>>>>>copr: https://copr.fedoraproject.org/coprs/ftweedal/freeipa/ > >>>>>>>>> > >>>>>>>>> Martin^1 could you please add to the quasi-official freeipa > >>>>>>>>> copr? SRPM lives at > >>>>>>>>> https://frase.id.au/pki-core-10.2.4-1.fc21.src.rpm. 
> >>>>>>>>> > >>>>>>>>>- cert-request now verifies that for user principals, CSR CN > >>>>>>>>>matches uid and, DN emailAddress and SAN rfc822Name match user's > >>>>>>>>>email address, if either of those is present. > >>>>>>>>> > >>>>>>>>>- Fixed one or two other sneaky little bugs. > >>>>>>>>> > >>>>>>>>>On Wed, May 27, 2015 at 01:59:30AM +1000, Fraser Tweedale wrote: > >>>>>>>>>>Hi all, > >>>>>>>>>> > >>>>>>>>>>Please find attached the latest certificate management > >>>>>>>>>>patchset, which introduces the `caacl' plugin and various fixes > >>>>>>>>>>and improvements to earlier patches. > >>>>>>>>>> > >>>>>>>>>>One important change to earlier patches is reverting the name > >>>>>>>>>>of the default profile to 'caIPAserviceCert' and using the > >>>>>>>>>>existing instance of this profile on upgrade (but not install) > >>>>>>>>>>in case it has been modified. > >>>>>>>>>> > >>>>>>>>>>Other notes: > >>>>>>>>>> > >>>>>>>>>>- Still have changes in ipa-server-install (fewer lines now, > >>>>>>>>>>though) > >>>>>>>>>> > >>>>>>>>>>- Still have the ugly import hack. It is not a high priority > >>>>>>>>>>for me, i.e. I think it should wait until after alpha > >>>>>>>>>> > >>>>>>>>>>- Still need to update 'service' and 'host' plugins to support > >>>>>>>>>>multiple certificates. (The userCertificate attribute schema > >>>>>>>>>>itself is multi-valued, so there are no schema issues here) > >>>>>>>>>> > >>>>>>>>>>- The TODOs in [1]; mostly certprofile CLI conveniences and > >>>>>>>>>>supporting multiple profiles for hosts and services (which > >>>>>>>>>>requires changes to framework only, not schema). [1]: > >>>>>>>>>>http://idm.etherpad.corp.redhat.com/rhel72-cert-mgmt-progress > >>>>>>>>>> > >>>>>>>>>>Happy reviewing! 
I am pleased with the initial cut of the > >>>>>>>>>>caacl plugin but I'm sure you will find some things to be fixed > >>>>>>>>>>:) > >>>>>>>>>> > >>>>>>>>>>Cheers, Fraser > >>>>>>>>[root at vm-093 ~]# ipa-replica-prepare vm-094.example.com > >>>>>>>>--ip-address 10.34.78.94 Directory Manager (existing master) > >>>>>>>>password: > >>>>>>>> > >>>>>>>>Preparing replica for vm-094.example.com from vm-093.example.com > >>>>>>>>Creating SSL certificate for the Directory Server not well-formed > >>>>>>>>(invalid token): line 2, column 14 > >>>>>>>> > >>>>>>>>I cannot create replica file. It works on the upgraded server, > >>>>>>>>but it doesn't work on the newly installed server. I'm not sure > >>>>>>>>if this is caused by your patches which modify the ca-installer, or > >>>>>>>>by the newer version of dogtag. > >>>>>>>> > >>>>>>>>Or if there was any other changes in master, I will continue to > >>>>>>>>investigate with new RPM from master branch. > >>>>>>>> > >>>>>>>>Martin^2 > >>>>>>>> > >>>>>>>ipa-replica-prepare works for: * master branch * master branch + > >>>>>>>pki-ca 10.2.4-1 > >>>>>>> > >>>>>>>So something in your patches is breaking it > >>>>>>> > >>>>>>>Martin^2 > >>>>>>> > >>>>>>Martin, master + my patches with pki 10.2.4-1 is working for me on > >>>>>>f21 and f22. Can you provide ipa-replica-prepare --debug output and > >>>>>>Dogtag debug log? ( /var/log/pki/pki-tomcat/ca/debug ) > >>>>>> > >>>>>>Thanks, > >>>>>>Fraser > >>>>>I can not reproduce it today. And I already recycled the VMs from yesterday. :-( > >>>>> > >>>>In that case I would suggest ACKing&pushing the patch and fixing the bug if > >>>>it comes again. The tree may now be a bit unstable, given the number of > >>>>patches going in. > >>>> > >>>>My main motivation here is to unblock Fraser. > >>>> > >>>>Thanks, > >>>>Martin > >>>Rebased patchset attached; no other changes. > >>Heads up: I just discovered I have introduced a bug with > >>ipa-replica-install, when it is spawning the CA instance. 
I think > >>replication it only causes issues with ``--setup-ca``. > >> > >>I will try and sort it out tomorrow or later tonight (I have to head > >>out for a few hours now, though); and I'm not suggesting it should > >>block the push but it's something to be aware of. > >> > >>Cheers, > >>Fraser > >> > >New patchset attached ; haven't gotten to the bottom of the > >ipa-replica-install issue mentioned above, but it fixes an upgrade > >bug. > > > >The change is: > > > >diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py > >index c288282..c5f4d37 100644 > >--- a/ipaserver/install/server/upgrade.py > >+++ b/ipaserver/install/server/upgrade.py > >@@ -316,7 +316,7 @@ def ca_enable_ldap_profile_subsystem(ca): > > caconfig.CS_CFG_PATH, > > directive, > > separator='=') > >- if value == 'ProfileSubsystem': > >+ if value == 'com.netscape.cmscore.profile.ProfileSubsystem': > > needs_update = True > > break > > except OSError, e: 
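Review bot: the @@ -316 hunk now matches only the fully-qualified value 'com.netscape.cmscore.profile.ProfileSubsystem'; a CS.cfg that still carries the short form 'ProfileSubsystem', which the old check matched, would leave needs_update False and silently skip the switch to the LDAP profile backend on upgrade. Either accept both spellings, e.g. `if value.rsplit('.', 1)[-1] == 'ProfileSubsystem':`, or state in the commit message why the short form can no longer occur in an installed CS.cfg. The unchanged context line `except OSError, e:` is Python 2-only syntax; `except OSError as e:` is accepted by Python 2.6 and later as well as Python 3 and is worth fixing while this function is being touched.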
> >@@ -328,7 +328,7 @@ def ca_enable_ldap_profile_subsystem(ca): > > installutils.set_directive( > > caconfig.CS_CFG_PATH, > > directive, > >- 'LDAPProfileSubsystem', > >+ 'com.netscape.cmscore.profile.LDAPProfileSubsystem', > > quotes=False, > > separator='=') > > > >Cheers, > >Fraser > > > > > Thank you, > > 1) > ipa-getcert request (getcert -c IPA) > doesn't work, > > Request ID '20150602145845': > status: CA_REJECTED > ca-error: Server at https://vm-137.example.com/ipa/xml denied our > request, giving up: 3007 (RPC failed at server. 'profile_id' is required). > > 2) > Error from rpm install > Unexpected error - see /var/log/ipaupgrade.log for details: > SkipPluginModule: dogtag not selected as RA plugin > > Just for record as known issue, this will be fixed later in a new patch. > > 3) > + Str('profile_id', validate_profile_id, > + label=_("Profile ID"), > + doc=_("Certificate Profile to use"), > + ) > Please mark this param as optional. ('profile_id?') > This will fix issue 1, but 1 will need an option to specify profile_id > > Also move API related change from patch 9 to patch 11 + increment VERSION > > 4) > * Maybe I do everything wrong :) > > I'm not able to create certificate stored in FILE, via ipa-getcert request. > I'm getting error: > status: CA_UNREACHABLE > ca-error: Server at https://vm-137.example.com/ipa/xml failed request, > will retry: 4001 (RPC failed at server. vm-137.example.com at example.com: host > not found). > > or error: > Request ID '20150602154115': > status: CA_REJECTED > ca-error: Server at https://vm-137.example.com/ipa/xml denied our > request, giving up: 2100 (RPC failed at server. Insufficient access: not > allowed to perform this command). > (I'm root and kinited as admin) > > Maybe additional ACI is required for cert_request as it is VirtualCommand > > > -- > Martin Basti > Thanks for report. Attached patchset should fix the certmonger issues, and also makes cert-request --profile-id argument optional. 
The changes were fixup'd into the appropriate patches but the combined diff follows. (Note that the API.txt and VERSION changes you recommended were executed but are missing from this diff.) Thanks, Fraser diff --git a/ipalib/plugins/caacl.py b/ipalib/plugins/caacl.py index c09df86..a9dde86 100644 --- a/ipalib/plugins/caacl.py +++ b/ipalib/plugins/caacl.py @@ -12,7 +12,7 @@ from ipalib.plugins.baseldap import ( LDAPUpdate, LDAPRetrieve, LDAPAddMember, LDAPRemoveMember, pkey_to_value) from ipalib.plugins.certprofile import validate_profile_id -from ipalib.plugins.service import normalize_principal +from ipalib.plugins.service import normalize_principal, split_any_principal from ipalib import _, ngettext from ipapython.dn import DN @@ -69,7 +69,7 @@ def _acl_make_request(principal_type, principal, ca_ref, profile_id): groups = user_obj.get('memberof_group', []) groups += user_obj.get('memberofindirect_group', []) elif principal_type == 'host': - hostname = principal[5:] + service, hostname, realm = split_any_principal(principal) host_obj = api.Command.host_show(hostname)['result'] groups = host_obj.get('memberof_hostgroup', []) groups += host_obj.get('memberofindirect_hostgroup', []) diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py index 70ae610..1878e5a 100644 --- a/ipalib/plugins/cert.py +++ b/ipalib/plugins/cert.py @@ -247,7 +247,7 @@ class cert_request(VirtualCommand): default=False, autofill=True ), - Str('profile_id', validate_profile_id, + Str('profile_id?', validate_profile_id, label=_("Profile ID"), doc=_("Certificate Profile to use"), ) 
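Review bot: `Str('profile_id?', ...)` in the `@@ -247` hunk only relaxes validation at the API boundary; nothing in this combined diff shows `cert_request` substituting `dogtag.DEFAULT_PROFILE` when the option is omitted, which is what the certmonger path needs (Martin's `getcert -c IPA` report shows it does not pass one). If that substitution lives in the part of the patch not shown here, a line in the commit message would help; if not, the certmonger request will still fail, just later, with an empty profile ID.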
@@ -346,7 +346,14 @@ class cert_request(VirtualCommand): bind_principal = split_any_principal(getattr(context, 'principal')) bind_service, bind_name, bind_realm = bind_principal - if bind_principal != principal: + if bind_service is None: + bind_principal_type = USER + elif bind_service == 'host': + bind_principal_type = HOST + else: + bind_principal_type = SERVICE + + if bind_principal != principal and bind_principal_type != HOST: # Can the bound principal request certs for another principal? self.check_access() @@ -359,7 +366,7 @@ class cert_request(VirtualCommand): error=_("Failure decoding Certificate Signing Request: %s") % e) # host principals may bypass allowed ext check - if bind_service != 'host': + if bind_principal_type != HOST: for ext in extensions: operation = self._allowed_extensions.get(ext) if operation: diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py index 659751e..53085f7 100644 --- a/ipapython/dogtag.py +++ b/ipapython/dogtag.py @@ -47,7 +47,7 @@ INCLUDED_PROFILES = { (u'caIPAserviceCert', u'Standard profile for network services', True), } -DEFAULT_PROFILE = 'caIPAserviceCert' +DEFAULT_PROFILE = u'caIPAserviceCert' class Dogtag10Constants(object): DOGTAG_VERSION = 10 -------------- next part -------------- From 0ee2d712fc05d5957ceb9ce0c097303ad6f1ea41 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Mon, 20 Apr 2015 23:20:19 -0400 Subject: [PATCH 01/13] Install CA with LDAP profiles backend Install the Dogtag CA to use the LDAPProfileSubsystem instead of the default (file-based) ProfileSubsystem. Part of: https://fedorahosted.org/freeipa/ticket/4560 --- freeipa.spec.in | 6 +++--- ipaserver/install/cainstance.py | 1 + 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 09dd66eec71cec714a31a42809c940ac08a5a84e..2f259234945be874aede64ca7c3ce04bdf467b64 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in 
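Review bot: in the `@@ -346` hunk, `bind_principal != principal and bind_principal_type != HOST` now skips `self.check_access()` for every host-bound principal that requests a certificate for some other principal, on top of the extension-check bypass hosts already had in the `@@ -359` hunk. That widens what an enrolled host (a compromised one included) can ask the CA for, so please confirm that the CA ACL and managed-by checks later in `cert_request` (not in this hunk) are evaluated for the HOST case before the CSR reaches Dogtag, and state that in the commit message; otherwise a condition narrower than a blanket HOST exemption would be the safer change here.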
@@ -92,7 +92,7 @@ BuildRequires: python-backports-ssl_match_hostname BuildRequires: softhsm-devel >= 2.0.0b1-3 BuildRequires: openssl-devel BuildRequires: p11-kit-devel -BuildRequires: pki-base >= 10.2.1-0.1 +BuildRequires: pki-base >= 10.2.4-1 BuildRequires: python-pytest-multihost >= 0.5 BuildRequires: python-pytest-sourceorder @@ -135,8 +135,8 @@ Requires(post): systemd-units Requires: selinux-policy >= %{selinux_policy_version} Requires(post): selinux-policy-base Requires: slapi-nis >= 0.54.2-1 -Requires: pki-ca >= 10.2.1-0.2 -Requires: pki-kra >= 10.2.1-0.1 +Requires: pki-ca >= 10.2.4-1 +Requires: pki-kra >= 10.2.4-1 Requires(preun): python systemd-units Requires(postun): python systemd-units Requires: python-dns >= 1.11.1 diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 5133940687204b615eec56b6a89542ddd5617539..030c9f12daba4b38b748da8940e38d3cf2109788 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -503,6 +503,7 @@ class CAInstance(DogtagInstance): config.set("CA", "pki_restart_configured_instance", "False") config.set("CA", "pki_backup_keys", "True") config.set("CA", "pki_backup_password", self.admin_password) + config.set("CA", "pki_profiles_in_ldap", "True") # Client security database config.set("CA", "pki_client_database_dir", self.agent_db) -- 2.1.0 -------------- next part -------------- From 0f9df215433089a30d6646d4024ca4c8b1148b9a Mon Sep 17 00:00:00 2001 
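Review bot: `config.set("CA", "pki_profiles_in_ldap", "True")` goes into the pkispawn deployment config (its neighbours `pki_backup_keys` and `pki_restart_configured_instance` are pkispawn parameters), so it only takes effect for freshly created CA instances; servers upgraded from an earlier release depend on the CS.cfg rewrite in `ca_enable_ldap_profile_subsystem` quoted earlier in this thread. The commit message of PATCH 01/13 should state that dependency, and explain that the `pki-base`, `pki-ca` and `pki-kra >= 10.2.4-1` bumps are the floor at which Dogtag ships the LDAP profile subsystem, since nothing else in the patch says why the requirement moved.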
From: Fraser Tweedale Date: Tue, 21 Apr 2015 02:24:10 -0400 Subject: [PATCH 02/13] Add schema for certificate profiles The certprofile object class is used to track IPA-managed certificate profiles in Dogtag and store IPA-specific settings. Part of: https://fedorahosted.org/freeipa/ticket/57 --- install/share/60certificate-profiles.ldif | 3 +++ install/share/Makefile.am | 1 + install/share/bootstrap-template.ldif | 12 ++++++++++++ ipaserver/install/dsinstance.py | 1 + 4 files changed, 17 insertions(+) create mode 100644 install/share/60certificate-profiles.ldif diff --git a/install/share/60certificate-profiles.ldif b/install/share/60certificate-profiles.ldif new file mode 100644 index 0000000000000000000000000000000000000000..f1281949e53386e5bfe8b35e0c15858c693c5467 --- /dev/null +++ b/install/share/60certificate-profiles.ldif @@ -0,0 +1,3 @@ +dn: cn=schema +attributeTypes: (2.16.840.1.113730.3.8.21.1.1 NAME 'ipaCertProfileStoreIssued' DESC 'Store certificates issued using this profile' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.2' ) +objectClasses: (2.16.840.1.113730.3.8.21.2.1 NAME 'ipaCertProfile' SUP top STRUCTURAL MUST ( cn $ description $ ipaCertProfileStoreIssued ) X-ORIGIN 'IPA v4.2' ) diff --git a/install/share/Makefile.am b/install/share/Makefile.am index 8d336690f184025f8199ed1d2c57d8274f0d3886..f44772b20c173c6fe43503716f40454f6f6b6f11 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -16,6 +16,7 @@ app_DATA = \ 60basev3.ldif \ 60ipadns.ldif \ 60ipapk11.ldif \ + 60certificate-profiles.ldif \ 61kerberos-ipav3.ldif \ 65ipacertstore.ldif \ 65ipasudo.ldif \ diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif index 06b82aa4ae74e7766d0c09a63aa75fa222e7ab7d..c5d4bad8b80640881f4631e4873a12c82b0ea48a 100644 --- a/install/share/bootstrap-template.ldif +++ b/install/share/bootstrap-template.ldif 
@@ -429,3 +429,15 @@ cn: ${REALM}_id_range ipaBaseID: $IDSTART ipaIDRangeSize: $IDRANGE_SIZE ipaRangeType: ipa-local + +dn: cn=ca,$SUFFIX +changetype: add +objectClass: nsContainer +objectClass: top +cn: ca + +dn: cn=certprofiles,cn=ca,$SUFFIX +changetype: add +objectClass: nsContainer +objectClass: top +cn: certprofiles diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 064a2ab1db61b465638a77e13e1d9ea43b1cce63..2acab13f247ed18a750f0e1cbbd98f4e63718c03 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -57,6 +57,7 @@ IPA_SCHEMA_FILES = ("60kerberos.ldif", "60basev3.ldif", "60ipapk11.ldif", "60ipadns.ldif", + "60certificate-profiles.ldif", "61kerberos-ipav3.ldif", "65ipacertstore.ldif", "65ipasudo.ldif", -- 2.1.0 -------------- next part -------------- From 4a48f603f444e57f52efa047ac8a64d6b0896eec Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Wed, 29 Apr 2015 06:07:58 -0400 Subject: [PATCH 03/13] ipa-pki-proxy: provide access to profiles REST API Part of: https://fedorahosted.org/freeipa/ticket/57 --- install/conf/ipa-pki-proxy.conf | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf index 5d21156848f3b5ddf14c42d92a26a30a9f94af36..366ca15a1868758547f9f1d3334fddba38793083 100644 --- a/install/conf/ipa-pki-proxy.conf +++ b/install/conf/ipa-pki-proxy.conf @@ -1,4 +1,4 @@ -# VERSION 5 - DO NOT REMOVE THIS LINE +# VERSION 6 - DO NOT REMOVE THIS LINE ProxyRequests Off @@ -11,7 +11,7 @@ ProxyRequests Off # matches for admin port and installer - + NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate NSSVerifyClient none ProxyPassMatch ajp://localhost:$DOGTAG_PORT 
@@ -26,5 +26,13 @@ ProxyRequests Off ProxyPassReverse ajp://localhost:$DOGTAG_PORT +# matches for REST API + + NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate + NSSVerifyClient require + ProxyPassMatch ajp://localhost:$DOGTAG_PORT + ProxyPassReverse ajp://localhost:$DOGTAG_PORT + + # Only enable this on servers that are not generating a CRL ${CLONE}RewriteRule ^/ipa/crl/MasterCRL.bin https://$FQDN/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC] -- 2.1.0 -------------- next part -------------- From ec6198aeca82cfb3a63e9910c2be2f746f4e2c9e Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Thu, 30 Apr 2015 23:50:41 -0400 Subject: [PATCH 04/13] Add ACL to allow CA agent to modify profiles Part of: https://fedorahosted.org/freeipa/ticket/57 --- ipaserver/install/cainstance.py | 29 +++++++++++++++++++++++++++++ ipaserver/install/server/upgrade.py | 11 +++++++++++ 2 files changed, 40 insertions(+) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 030c9f12daba4b38b748da8940e38d3cf2109788..871581b4afc5df854b9a090ef51bb0ad3b3871ee 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -469,6 +469,7 @@ class CAInstance(DogtagInstance): self.step("requesting RA certificate from CA", self.__request_ra_certificate) self.step("issuing RA agent certificate", self.__issue_ra_cert) self.step("adding RA agent as a trusted user", self.__configure_ra) + self.step("authorizing RA to modify profiles", self.__configure_profiles_acl) self.step("configure certmonger for renewals", self.configure_certmonger_renewal) self.step("configure certificate renewals", self.configure_renewal) if not self.clone: 
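Review bot: the `LocationMatch` container lines for the new REST stanza (and the one touched in the `@@ -11` hunk) are not visible in the patch as it appears here, so the URL pattern that `NSSVerifyClient require` is attached to cannot be reviewed; please quote it in the commit message. Requiring a client certificate for the REST API is the right default given the profile-modification ACL granted to Certificate Manager Agents in the next patch, but the pattern needs to be anchored so that it does not overlap the `ee` paths (such as `/ca/ee/ca/getCRL` below) served to clients without a certificate. Also confirm that the `VERSION 5` to `VERSION 6` bump is what makes the upgrade code rewrite the deployed file, and mention it in the message.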
@@ -940,6 +941,10 @@ class CAInstance(DogtagInstance): conn.unbind() + def __configure_profiles_acl(self): + """Allow the Certificate Manager Agents group to modify profiles.""" + configure_profiles_acl() + def __run_certutil(self, args, database=None, pwd_file=None, stdin=None): if not database: database = self.ra_agent_db @@ -1825,6 +1830,30 @@ def update_people_entry(dercert): return True +def configure_profiles_acl(): + server_id = installutils.realm_to_serverid(api.env.realm) + dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id + updated = False + + dn = DN(('cn', 'aclResources'), ('o', 'ipaca')) + rule = ( + 'certServer.profile.configuration:read,modify:allow (read,modify) ' + 'group="Certificate Manager Agents":' + 'Certificate Manager agents may modify (create/update/delete) and read profiles' + ) + modlist = [(ldap.MOD_ADD, 'resourceACLS', [rule])] + + conn = ldap2.ldap2(shared_instance=False, ldap_uri=dogtag_uri) + if not conn.isconnected(): + conn.connect(autobind=True) + rules = conn.get_entry(dn).get('resourceACLS', []) + if rule not in rules: + conn.conn.modify_s(str(dn), modlist) + updated = True + + conn.disconnect() + return updated + if __name__ == "__main__": standard_logging_setup("install.log") ds = dsinstance.DsInstance() diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 9d1fd92b73eaf673ddfef01dc86b8dae5efc028a..0ea6bd7b4db70caf43637a60ddd1ad1f58b6e48e 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -289,6 +289,16 @@ def setup_firefox_extension(fstore): http.setup_firefox_extension(realm, domain) +def ca_configure_profiles_acl(ca): + root_logger.info('[Authorizing RA Agent to modify profiles]') + + if not ca.is_configured(): + root_logger.info('CA is not configured') + return False + + return cainstance.configure_profiles_acl() + + def upgrade_ipa_profile(ca, domain, fqdn): """ Update the IPA Profile provided by dogtag 
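Review bot: in `configure_profiles_acl`, `conn.disconnect()` is not in a `finally`, so any exception from `get_entry` or `modify_s` leaks the ldapi connection; and `conn.conn.modify_s(str(dn), modlist)` reaches past the ldap2 wrapper to raw python-ldap, where `entry['resourceACLS'].append(rule)` followed by `conn.update_entry(entry)` would do the same through the normal API. The hunk also uses `ldap.MOD_ADD` and `ldap2.ldap2` without showing the imports, so please confirm they are present in cainstance.py. Finally, the new `__configure_profiles_acl` step is registered before the `if not self.clone:` guard in the first hunk, so it also runs on replicas; the `rule not in rules` check makes that harmless, but a comment saying it is intentional (the ACL lives in the replicated `o=ipaca` tree) would save the next reader a question.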
@@ -1370,6 +1380,7 @@ def upgrade_configuration(): upgrade_ipa_profile(ca, api.env.domain, fqdn), certificate_renewal_update(ca), ca_enable_pkix(ca), + ca_configure_profiles_acl(ca), ]) if ca_restart: -- 2.1.0 -------------- next part -------------- From a139c364388228d1191deb988d52fbc7b3aa9722 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Thu, 30 Apr 2015 04:55:29 -0400 Subject: [PATCH 05/13] Add certprofile plugin Add the 'certprofile' plugin which defines the commands for managing certificate profiles and associated permissions. Also update Dogtag network code in 'ipapython.dogtag' to support headers and arbitrary request bodies, to facilitate use of the Dogtag profiles REST API. Part of: https://fedorahosted.org/freeipa/ticket/57 --- ACI.txt | 8 ++ API.txt | 62 +++++++++ install/updates/40-certprofile.update | 9 ++ install/updates/40-delegation.update | 8 ++ install/updates/Makefile.am | 1 + ipalib/constants.py | 1 + ipalib/plugins/certprofile.py | 253 ++++++++++++++++++++++++++++++++++ ipapython/dogtag.py | 29 ++-- ipaserver/plugins/dogtag.py | 176 ++++++++++++++++++++++- 9 files changed, 534 insertions(+), 13 deletions(-) create mode 100644 install/updates/40-certprofile.update create mode 100644 ipalib/plugins/certprofile.py diff --git a/ACI.txt b/ACI.txt index 1821696fda912fdd11149062f9feaf4edcf0adfd..543d8da69fb2adf79dc9821fb24028717670326a 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -22,6 +22,14 @@ dn: cn=automount,dc=ipa,dc=example aci: (targetattr = "automountmapname || description")(targetfilter = "(objectclass=automountmap)")(version 3.0;acl "permission:System: Modify Automount Maps";allow (write) groupdn = "ldap:///cn=System: Modify Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=automount,dc=ipa,dc=example aci: (targetfilter = "(objectclass=automountmap)")(version 3.0;acl "permission:System: Remove Automount Maps";allow (delete) groupdn = "ldap:///cn=System: Remove Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certprofiles,cn=ca,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Delete Certificate Profile";allow (delete) groupdn = "ldap:///cn=System: Delete Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certprofiles,cn=ca,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Import Certificate Profile";allow (add) groupdn = "ldap:///cn=System: Import Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certprofiles,cn=ca,dc=ipa,dc=example +aci: (targetattr = "cn || description || ipacertprofilestoreissued")(targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Modify Certificate Profile";allow (write) groupdn = "ldap:///cn=System: Modify Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certprofiles,cn=ca,dc=ipa,dc=example +aci: (targetattr = "cn || createtimestamp || description || entryusn || ipacertprofilestoreissued || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Read Certificate Profiles";allow (compare,read,search) userdn = "ldap:///all";) dn: cn=ipaconfig,cn=etc,dc=ipa,dc=example aci: (targetattr = "cn || createtimestamp || entryusn || ipacertificatesubjectbase || ipaconfigstring || ipacustomfields || 
ipadefaultemaildomain || ipadefaultloginshell || ipadefaultprimarygroup || ipagroupobjectclasses || ipagroupsearchfields || ipahomesrootdir || ipakrbauthzdata || ipamaxusernamelength || ipamigrationenabled || ipapwdexpadvnotify || ipasearchrecordslimit || ipasearchtimelimit || ipaselinuxusermapdefault || ipaselinuxusermaporder || ipauserauthtype || ipauserobjectclasses || ipausersearchfields || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaguiconfig)")(version 3.0;acl "permission:System: Read Global Configuration";allow (compare,read,search) userdn = "ldap:///all";) dn: cn=costemplates,cn=accounts,dc=ipa,dc=example diff --git a/API.txt b/API.txt index 6520f2c428342cdd30b0db830ed4ddbc89e4302a..81aca14afcaa5234ad218b8d84f3bc8efc734c9d 100644 --- a/API.txt +++ b/API.txt 
@@ -509,6 +509,68 @@ args: 1,1,1 arg: Str('request_id') option: Str('version?', exclude='webui') output: Output('result', None, None) +command: certprofile_del +args: 1,2,3 +arg: Str('cn', attribute=True, cli_name='id', multivalue=True, primary_key=True, query=True, required=True) +option: Flag('continue', autofill=True, cli_name='continue', default=False) +option: Str('version?', exclude='webui') +output: Output('result', , None) +output: Output('summary', (, ), None) +output: ListOfPrimaryKeys('value', None, None) +command: certprofile_find +args: 1,9,4 +arg: Str('criteria?', noextrawhitespace=False) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('cn', attribute=True, autofill=False, cli_name='id', multivalue=False, primary_key=True, query=True, required=False) +option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, query=True, required=False) +option: Bool('ipacertprofilestoreissued', attribute=True, autofill=False, cli_name='store', default=True, multivalue=False, query=True, required=False) +option: Flag('pkey_only?', autofill=True, default=False) +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Int('sizelimit?', autofill=False, minvalue=0) +option: Int('timelimit?', autofill=False, minvalue=0) +option: Str('version?', exclude='webui') +output: Output('count', , None) +output: ListOfEntries('result', (, ), Gettext('A list of LDAP entries', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: Output('truncated', , None) +command: certprofile_import +args: 1,6,3 +arg: Str('cn', attribute=True, cli_name='id', multivalue=False, primary_key=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('description', attribute=True, cli_name='desc', multivalue=False, required=True) +option: File('file', cli_name='file') +option: 
Bool('ipacertprofilestoreissued', attribute=True, cli_name='store', default=True, multivalue=False, required=True) +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('version?', exclude='webui') +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) +command: certprofile_mod +args: 1,10,3 +arg: Str('cn', attribute=True, cli_name='id', multivalue=False, primary_key=True, query=True, required=True) +option: Str('addattr*', cli_name='addattr', exclude='webui') +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('delattr*', cli_name='delattr', exclude='webui') +option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, required=False) +option: Bool('ipacertprofilestoreissued', attribute=True, autofill=False, cli_name='store', default=True, multivalue=False, required=False) +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('rename', cli_name='rename', multivalue=False, primary_key=True, required=False) +option: Flag('rights', autofill=True, default=False) +option: Str('setattr*', cli_name='setattr', exclude='webui') +option: Str('version?', exclude='webui') +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) +command: certprofile_show +args: 1,4,3 +arg: Str('cn', attribute=True, cli_name='id', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Flag('rights', autofill=True, default=False) +option: Str('version?', exclude='webui') +output: 
Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) command: compat_is_enabled args: 0,1,1 option: Str('version?', exclude='webui') diff --git a/install/updates/40-certprofile.update b/install/updates/40-certprofile.update new file mode 100644 index 0000000000000000000000000000000000000000..6b0a81d0ff6d69dabe82138227d105fc780ee17d --- /dev/null +++ b/install/updates/40-certprofile.update @@ -0,0 +1,9 @@ +dn: cn=ca,$SUFFIX +default: objectClass: nsContainer +default: objectClass: top +default: cn: ca + +dn: cn=certprofiles,cn=ca,$SUFFIX +default: objectClass: nsContainer +default: objectClass: top +default: cn: certprofiles diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update index 975929bd70400b2f9cf407d6faedb246003d7f58..bc0736c5b6c07747586a56c2cbde9596c7522d1c 100644 --- a/install/updates/40-delegation.update +++ b/install/updates/40-delegation.update @@ -237,3 +237,11 @@ default:ipapermissiontype: SYSTEM dn: cn=config add:aci: (version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) groupdn = "ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,$SUFFIX";) + +# CA Administrators +dn: cn=CA Administrator,cn=privileges,cn=pbac,$SUFFIX +default:objectClass: nestedgroup +default:objectClass: groupofnames +default:objectClass: top +default:cn: CA Administrator +default:description: CA Administrator diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am index 4e2da05d61a41543914e79c4634331df6018c041..fc6bd624eac619cdddeba29b85440571d85fd69f 100644 --- a/install/updates/Makefile.am +++ b/install/updates/Makefile.am @@ -32,6 +32,7 @@ app_DATA = \ 40-replication.update \ 40-dns.update \ 40-automember.update \ + 40-certprofile.update \ 40-otp.update \ 40-vault.update \ 45-roles.update \ 
diff --git a/ipalib/constants.py b/ipalib/constants.py index 95dec54a51f38ae63eba667daacf35dcd7500cf3..96396a236b8694b3dd988dfe28c1b0c3cc9e3180 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -118,6 +118,7 @@ DEFAULT_CONFIG = ( ('container_radiusproxy', DN(('cn', 'radiusproxy'))), ('container_views', DN(('cn', 'views'), ('cn', 'accounts'))), ('container_masters', DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'))), + ('container_certprofile', DN(('cn', 'certprofiles'), ('cn', 'ca'))), # Ports, hosts, and URIs: ('xmlrpc_uri', 'http://localhost:8888/ipa/xml'), diff --git a/ipalib/plugins/certprofile.py b/ipalib/plugins/certprofile.py new file mode 100644 index 0000000000000000000000000000000000000000..1a2d143882469858f225b37ba4ff2dd368fb8853 --- /dev/null +++ b/ipalib/plugins/certprofile.py 
@@ -0,0 +1,253 @@ +# +# Copyright (C) 2015 FreeIPA Contributors see COPYING for license +# + +import re + +from ipalib import api, Bool, File, Str +from ipalib import output +from ipalib.plugable import Registry +from ipalib.plugins.virtual import VirtualCommand +from ipalib.plugins.baseldap import ( + LDAPObject, LDAPSearch, LDAPCreate, + LDAPDelete, LDAPUpdate, LDAPRetrieve) +from ipalib import ngettext +from ipalib.text import _ + +from ipalib import errors + + +__doc__ = _(""" +Manage Certificate Profiles + +Certificate Profiles are used by Certificate Authority (CA) in the signing of +certificates to determine if a Certificate Signing Request (CSR) is acceptable, +and if so what features and extensions will be present on the certificate. + +The Certificate Profile format is the property-list format understood by the +Dogtag or Red Hat Certificate System CA. + +PROFILE ID SYNTAX: + +A Profile ID is a string without spaces or punctuation starting with a letter +and followed by a sequence of letters, digits or underscore ("_"). + +EXAMPLES: + + Import a profile that will not store issued certificates: + ipa certprofile-import ShortLivedUserCert \\ + --file UserCert.profile --summary "User Certificates" \\ + --store=false + + Delete a certificate profile: + ipa certprofile-del ShortLivedUserCert + + Show information about a profile: + ipa certprofile-show ShortLivedUserCert + + Search for profiles that do not store certificates: + ipa certprofile-find --store=false + +""") + + +register = Registry() + + +def ca_enabled_check(): + """Raise NotFound if CA is not enabled. + + This function is defined in multiple plugins to avoid circular imports + (cert depends on certprofile, so we cannot import cert here). 
+ + """ + if not api.Command.ca_is_enabled()['result']: + raise errors.NotFound(reason=_('CA is not configured')) + + +profile_id_pattern = re.compile('^[a-zA-Z]\w*$') + + +def validate_profile_id(ugettext, value): + """Ensure profile ID matches form required by CA.""" + if profile_id_pattern.match(value) is None: + return _('invalid Profile ID') + else: + return None + + + at register() +class certprofile(LDAPObject): + """ + Certificate Profile object. + """ + container_dn = api.env.container_certprofile + object_name = _('Certificate Profile') + object_name_plural = _('Certificate Profiles') + object_class = ['ipacertprofile'] + default_attributes = [ + 'cn', 'description', 'ipacertprofilestoreissued' + ] + search_attributes = [ + 'cn', 'description', 'ipacertprofilestoreissued' + ] + rdn_is_primary_key = True + label = _('Certificate Profiles') + label_singular = _('Certificate Profile') + + takes_params = ( + Str('cn', validate_profile_id, + primary_key=True, + cli_name='id', + label=_('Profile ID'), + doc=_('Profile ID for referring to this profile'), + ), + Str('description', + required=True, + cli_name='desc', + label=_('Profile description'), + doc=_('Brief description of this profile'), + ), + Bool('ipacertprofilestoreissued', + default=True, + cli_name='store', + label=_('Store issued certificates'), + doc=_('Whether to store certs issued using this profile'), + ), + ) + + permission_filter_objectclasses = ['ipacertprofile'] + managed_permissions = { + 'System: Read Certificate Profiles': { + 'replaces_global_anonymous_aci': True, + 'ipapermbindruletype': 'all', + 'ipapermright': {'read', 'search', 'compare'}, + 'ipapermdefaultattr': { + 'cn', + 'description', + 'ipacertprofilestoreissued', + 'objectclass', + }, + }, + 'System: Import Certificate Profile': { + 'ipapermright': {'add'}, + 'replaces': [ + '(target = "ldap:///cn=*,cn=certprofiles,cn=ca,$SUFFIX")(version 3.0;acl "permission:Import Certificate Profile";allow (add) groupdn = "ldap:///cn=Import 
Certificate Profile,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + 'System: Delete Certificate Profile': { + 'ipapermright': {'delete'}, + 'replaces': [ + '(target = "ldap:///cn=*,cn=certprofiles,cn=ca,$SUFFIX")(version 3.0;acl "permission:Delete Certificate Profile";allow (delete) groupdn = "ldap:///cn=Delete Certificate Profile,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + 'System: Modify Certificate Profile': { + 'ipapermright': {'write'}, + 'ipapermdefaultattr': { + 'cn', + 'description', + 'ipacertprofilestoreissued', + }, + 'replaces': [ + '(targetattr = "cn || description || ipacertprofilestoreissued")(target = "ldap:///cn=*,cn=certprofiles,cn=ca,$SUFFIX")(version 3.0;acl "permission:Modify Certificate Profile";allow (write) groupdn = "ldap:///cn=Modify Certificate Profile,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + } + + + + at register() +class certprofile_find(LDAPSearch): + __doc__ = _("Search for Certificate Profiles.") + msg_summary = ngettext( + '%(count)d profile matched', '%(count)d profiles matched', 0 + ) + + def execute(self, *args, **kwargs): + ca_enabled_check() + return super(certprofile_find, self).execute(*args, **kwargs) + + + at register() +class certprofile_show(LDAPRetrieve): + __doc__ = _("Display the properties of a Certificate Profile.") + + def execute(self, *args, **kwargs): + ca_enabled_check() + return super(certprofile_show, self).execute(*args, **kwargs) + + + at register() +class certprofile_import(LDAPCreate): + __doc__ = _("Import a Certificate Profile.") + msg_summary = _('Imported profile "%(value)s"') + takes_options = ( + File('file', + label=_('Filename'), + cli_name='file', + flags=('virtual_attribute',), + ), + ) + + PROFILE_ID_PATTERN = re.compile('^profileId=([a-zA-Z]\w*)', re.MULTILINE) + + def pre_callback(self, ldap, dn, entry, entry_attrs, *keys, **options): + 
ca_enabled_check() + + match = self.PROFILE_ID_PATTERN.search(options['file']) + if match is None: + raise errors.ValidationError(name='file', + error=_("Profile ID is not present in profile data")) + elif keys[0] != match.group(1): + raise errors.ValidationError(name='file', + error=_("Profile ID '%(cli_value)s' does not match profile data '%(file_value)s'") + % {'cli_value': keys[0], 'file_value': match.group(1)} + ) + return dn + + + def post_callback(self, ldap, dn, entry_attrs, *keys, **options): + """Import the profile into Dogtag and enable it. + + If the operation succeeds, update the LDAP entry to 'enabled'. + If the operation fails, remove the LDAP entry. + """ + try: + with self.api.Backend.ra_certprofile as profile_api: + profile_api.create_profile(options['file']) + profile_api.enable_profile(keys[0]) + except: + # something went wrong ; delete entry + ldap.delete_entry(dn) + raise + + return dn + + + at register() +class certprofile_del(LDAPDelete): + __doc__ = _("Delete a Certificate Profile.") + msg_summary = _('Deleted profile "%(value)s"') + + def execute(self, *args, **kwargs): + ca_enabled_check() + return super(certprofile_del, self).execute(*args, **kwargs) + + def post_callback(self, ldap, dn, *keys, **options): + with self.api.Backend.ra_certprofile as profile_api: + profile_api.disable_profile(keys[0]) + profile_api.delete_profile(keys[0]) + return dn + + + at register() +class certprofile_mod(LDAPUpdate): + __doc__ = _("Modify Certificate Profile configuration.") + msg_summary = _('Modified Certificate Profile "%(value)s') + + def execute(self, *args, **kwargs): + ca_enabled_check() + return super(certprofile_mod, self).execute(*args, **kwargs) diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py index c74b8736a4b15f7bf081206b52b9876a8c4928af..11311cf7b55d7b84e9434a698dbfd60b0eb142a1 100644 --- a/ipapython/dogtag.py +++ b/ipapython/dogtag.py 
@@ -233,9 +233,12 @@ def ca_status(ca_host=None, use_proxy=True): return _parse_ca_status(body) -def https_request(host, port, url, secdir, password, nickname, **kw): +def https_request(host, port, url, secdir, password, nickname, + method='POST', headers=None, body=None, **kw): """ + :param method: HTTP request method (defalut: 'POST') :param url: The path (not complete URL!) to post to. + :param body: The request body (encodes kw if None) :param kw: Keyword arguments to encode into POST body. :return: (http_status, http_reason_phrase, http_headers, http_body) as (integer, unicode, dict, str) @@ -254,9 +257,11 @@ def https_request(host, port, url, secdir, password, nickname, **kw): nickname, password, nss.get_default_certdb()) return conn - body = urlencode(kw) + if body is None: + body = urlencode(kw) return _httplib_request( - 'https', host, port, url, connection_factory, body) + 'https', host, port, url, connection_factory, body, + method=method, headers=headers) def http_request(host, port, url, **kw): @@ -288,11 +293,13 @@ def unauthenticated_https_request(host, port, url, **kw): def _httplib_request( - protocol, host, port, path, connection_factory, request_body): + protocol, host, port, path, connection_factory, request_body, + method='POST', headers=None): """ :param request_body: Request body :param connection_factory: Connection class to use. Will be called with the host and port arguments. + :param method: HTTP request method (default: 'POST') Perform a HTTP(s) request. """ 
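Review bot: typo in the new docstring line of the `https_request` hunk: `(defalut: 'POST')` should read `(default: 'POST')`. In the same hunk, the `:param kw:` text still says the keyword arguments are encoded into the POST body, but with `body` supplied they are silently ignored; either document that `kw` is unused when `body is not None` or raise if both are given, so a caller cannot pass form fields that never leave the client.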
@@ -301,13 +308,17 @@ def _httplib_request( uri = '%s://%s%s' % (protocol, ipautil.format_netloc(host, port), path) root_logger.debug('request %r', uri) root_logger.debug('request body %r', request_body) + + headers = headers or {} + if ( + method == 'POST' + and 'content-type' not in (str(k).lower() for k in headers.viewkeys()) + ): + headers['content-type'] = 'application/x-www-form-urlencoded' + try: conn = connection_factory(host, port) - conn.request( - 'POST', uri, - body=request_body, - headers={'Content-type': 'application/x-www-form-urlencoded'}, - ) + conn.request(method, uri, body=request_body, headers=headers) res = conn.getresponse() http_status = res.status diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 52bdb0d4245594785e718c63242e27cee0e59322..9654123b16d8e417398d49bf1305fd41880bc3a7 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -4,8 +4,9 @@ # Jason Gerard DeRose # Rob Crittenden # John Dennis +# Fraser Tweedale # -# Copyright (C) 2014 Red Hat +# Copyright (C) 2014, 2015 Red Hat # see file 'COPYING' for use and warranty information # # This program is free software; you can redistribute it and/or modify @@ -238,17 +239,21 @@ digits and nothing else follows. ''' import datetime +import json from lxml import etree +import os import tempfile import time import urllib2 +import pki from pki.client import PKIConnection import pki.crypto as cryptoutil from pki.kra import KRAClient from ipalib import Backend from ipapython.dn import DN +import ipapython.cookie import ipapython.dogtag from ipapython import ipautil from ipaserver.install.certs import CertDB 
@@ -1262,13 +1267,12 @@ def select_any_master(ldap2, service='CA'): #------------------------------------------------------------------------------- -from ipalib import api, SkipPluginModule +from ipalib import api, errors, SkipPluginModule if api.env.ra_plugin != 'dogtag': # In this case, abort loading this plugin module... raise SkipPluginModule(reason='dogtag not selected as RA plugin') import os, random from ipaserver.plugins import rabase -from ipalib.errors import CertificateOperationError from ipalib.constants import TYPE_ERROR from ipalib.util import cachedproperty from ipapython import dogtag @@ -1318,7 +1322,7 @@ class ra(rabase.rabase): err_msg = u'%s (%s)' % (err_msg, detail) self.error('%s.%s(): %s', self.fullname, func_name, err_msg) - raise CertificateOperationError(error=err_msg) + raise errors.CertificateOperationError(error=err_msg) @cachedproperty def ca_host(self): 
@@ -1923,3 +1927,167 @@ class kra(Backend): return KRAClient(connection, crypto) api.register(kra) + + +class RestClient(Backend): + """Simple Dogtag REST client to be subclassed by other backends. + + This class is a context manager. Authenticated calls must be + executed in a ``with`` suite:: + + class ra_certprofile(RestClient): + path = 'profile' + ... + + api.register(ra_certprofile) + + with api.Backend.ra_certprofile as profile_api: + # REST client is now logged in + profile_api.create_profile(...) + + """ + path = None + + @staticmethod + def _parse_dogtag_error(body): + try: + return pki.PKIException.from_json(json.loads(body)) + except: + return None + + def __init__(self): + if api.env.in_tree: + self.sec_dir = api.env.dot_ipa + os.sep + 'alias' + self.pwd_file = self.sec_dir + os.sep + '.pwd' + else: + self.sec_dir = paths.HTTPD_ALIAS_DIR + self.pwd_file = paths.ALIAS_PWDFILE_TXT + self.noise_file = self.sec_dir + os.sep + '.noise' + self.ipa_key_size = "2048" + self.ipa_certificate_nickname = "ipaCert" + self.ca_certificate_nickname = "caCert" + try: + f = open(self.pwd_file, "r") + self.password = f.readline().strip() + f.close() + except IOError: + self.password = '' + super(RestClient, self).__init__() + + # session cookie + self.cookie = None + + @cachedproperty + def ca_host(self): + """ + :return: host + as str + + Select our CA host. 
+ """ + ldap2 = self.api.Backend.ldap2 + if host_has_service(api.env.ca_host, ldap2, "CA"): + return api.env.ca_host + if api.env.host != api.env.ca_host: + if host_has_service(api.env.host, ldap2, "CA"): + return api.env.host + host = select_any_master(ldap2) + if host: + return host + else: + return api.env.ca_host + + def __enter__(self): + """Log into the REST API""" + if self.cookie is not None: + return + status, status_text, resp_headers, resp_body = dogtag.https_request( + self.ca_host, self.env.ca_agent_port, '/ca/rest/account/login', + self.sec_dir, self.password, self.ipa_certificate_nickname, + method='GET' + ) + cookies = ipapython.cookie.Cookie.parse(resp_headers.get('set-cookie', '')) + if status != 200 or len(cookies) == 0: + raise errors.RemoteRetrieveError(reason=_('Failed to authenticate to CA REST API')) + self.cookie = str(cookies[0]) + return self + + def __exit__(self, exc_type, exc_value, traceback): + """Log out of the REST API""" + dogtag.https_request( + self.ca_host, self.env.ca_agent_port, '/ca/rest/account/logout', + self.sec_dir, self.password, self.ipa_certificate_nickname, + method='GET' + ) + self.cookie = None + + def _ssldo(self, method, path, headers=None, body=None): + """ + :param url: The URL to post to. + :param kw: Keyword arguments to encode into POST body. 
+ :return: (http_status, http_reason_phrase, http_headers, http_body) + as (integer, unicode, dict, str) + + Perform an HTTPS request + """ + if self.cookie is None: + raise errors.RemoteRetrieveError( + reason=_("REST API is not logged in.")) + + headers = headers or {} + headers['Cookie'] = self.cookie + + resource = os.path.join('/ca/rest', self.path, path) + + # perform main request + status, status_text, resp_headers, resp_body = dogtag.https_request( + self.ca_host, self.env.ca_agent_port, resource, + self.sec_dir, self.password, self.ipa_certificate_nickname, + method=method, headers=headers, body=body + ) + if status < 200 or status >= 300: + explanation = self._parse_dogtag_error(resp_body) or '' + raise errors.RemoteRetrieveError( + reason=_('Non-2xx response from CA REST API: %(status)d %(status_text)s. %(explanation)s') + % {'status': status, 'status_text': status_text, 'explanation': explanation} + ) + return (status, status_text, resp_headers, resp_body) + + +class ra_certprofile(RestClient): + """ + Profile management backend plugin. + """ + path = 'profiles' + + def create_profile(self, profile_data): + """ + Import the profile into Dogtag + """ + self._ssldo('POST', 'raw', + headers={ + 'Content-type': 'application/xml', + 'Accept': 'application/json', + }, + body=profile_data + ) + + def enable_profile(self, profile_id): + """ + Enable the profile in Dogtag + """ + self._ssldo('POST', profile_id + '?action=enable') + + def disable_profile(self, profile_id): + """ + Enable the profile in Dogtag + """ + self._ssldo('POST', profile_id + '?action=disable') + + def delete_profile(self, profile_id): + """ + Delete the profile from Dogtag + """ + self._ssldo('DELETE', profile_id, headers={'Accept': 'application/json'}) + +api.register(ra_certprofile) -- 2.1.0 -------------- next part -------------- From f069528c1da1fb2ca47e0d0092433cd5f54125a3 Mon Sep 17 00:00:00 2001 
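Review bot: in the certprofile_import post_callback hunk, the cleanup path only removes the LDAP entry, so when `create_profile` succeeds but `enable_profile` raises, the profile stays behind in Dogtag while the IPA entry is gone, and a retry of the same import will then fail on the conflicting profile. Suggest a best-effort `profile_api.delete_profile(keys[0])` in the `except` branch once `create_profile` has returned, and a non-bare `except Exception:` so that the intent is explicit. The docstring also promises to "update the LDAP entry to 'enabled'", which the code does not do; either perform that update or drop the sentence.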
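Review bot: in the `https_request` hunk of ipapython/dogtag.py, the new `body` parameter silently discards `**kw` whenever a body is supplied (`if body is None: body = urlencode(kw)`), so a caller passing both gets neither an error nor the encoded arguments. Suggest raising `TypeError` when both `body` and `kw` are given, or at least documenting the precedence next to `:param body:`. Also fix "defalut" in the `:param method:` line and add a `:param headers:` entry, since `headers` is now part of the public signature.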
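Review bot: in the RestClient hunk, `__enter__` returns `None` instead of `self` on the already-logged-in path (`if self.cookie is not None: return`), so a nested `with api.Backend.ra_certprofile as profile_api:` binds `profile_api` to `None`; it should `return self`. Two more points in the same hunk. First, `__exit__` issues the logout request without the `Cookie` header, so the server-side session created in `__enter__` is not the one being ended; pass `headers={'Cookie': self.cookie}` (or route the call through `_ssldo` before clearing the cookie), and consider guarding the logout so an error there does not mask the exception that triggered `__exit__`. Second, in `_ssldo` the caller-supplied `path` (which for `enable_profile`/`disable_profile`/`delete_profile` is the raw `profile_id` plus a query string) is joined into the URL without percent-encoding, and `os.path.join('/ca/rest', self.path, path)` drops the prefix entirely if `path` starts with `/`; apply `urllib.quote` to the identifier and build the query with `urlencode` rather than string concatenation. Minor: the `_ssldo` docstring documents `url` and `kw` parameters that do not exist, `disable_profile` says "Enable the profile", and `_parse_dogtag_error` uses a bare `except:` where `except Exception:` is meant.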
From: Fraser Tweedale Date: Mon, 11 May 2015 23:38:41 -0400 Subject: [PATCH 06/13] Enable LDAP-based profiles in CA on upgrade Part of: https://fedorahosted.org/freeipa/ticket/4560 --- ipaserver/install/server/upgrade.py | 40 +++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 0ea6bd7b4db70caf43637a60ddd1ad1f58b6e48e..820533d6fa34218282941b8dcfcd3c0a192fdfb7 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -299,6 +299,45 @@ def ca_configure_profiles_acl(ca): return cainstance.configure_profiles_acl() +def ca_enable_ldap_profile_subsystem(ca): + root_logger.info('[Ensuring CA is using LDAPProfileSubsystem]') + if not ca.is_configured(): + root_logger.info('CA is not configured') + return False + + caconfig = dogtag.configured_constants() + + needs_update = False + directive = None + try: + for i in range(15): + directive = "subsystem.{}.class".format(i) + value = installutils.get_directive( + caconfig.CS_CFG_PATH, + directive, + separator='=') + if value == 'com.netscape.cmscore.profile.ProfileSubsystem': + needs_update = True + break + except OSError, e: + root_logger.error('Cannot read CA configuration file "%s": %s', + caconfig.CS_CFG_PATH, e) + return False + + if needs_update: + installutils.set_directive( + caconfig.CS_CFG_PATH, + directive, + 'com.netscape.cmscore.profile.LDAPProfileSubsystem', + quotes=False, + separator='=') + + # TODO import file-based profiles into Dogtag + # More code needed on Dogtag side for this. + + return needs_update + + def upgrade_ipa_profile(ca, domain, fqdn): """ Update the IPA Profile provided by dogtag @@ -1381,6 +1420,7 @@ def upgrade_configuration(): certificate_renewal_update(ca), ca_enable_pkix(ca), ca_configure_profiles_acl(ca), + ca_enable_ldap_profile_subsystem(ca), ]) if ca_restart: -- 2.1.0 -------------- next part -------------- 
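Review bot: in the `ca_enable_ldap_profile_subsystem` hunk, the `except OSError, e:` clause uses the comma form that the rest of the new code avoids; write `except OSError as e:`. If `installutils.get_directive` opens CS.cfg with a plain `open()`, an unreadable or missing file raises `IOError` on Python 2, which is not a subclass of `OSError` there, so the error branch would not trigger; catching `EnvironmentError` (or `(IOError, OSError)`) covers both. The `for i in range(15)` bound is a magic number: a CA with more than fifteen `subsystem.N.class` entries would silently keep `ProfileSubsystem`, so either derive the count from the configuration or log when the loop exhausts without finding a profile subsystem entry, and name the constant.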
From 332b0516bf6fa1a39b450fc2def2508d1d147b47 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Mon, 11 May 2015 21:17:48 -0400 Subject: [PATCH 07/13] Import included profiles during install or upgrade Add a default service profile template as part of FreeIPA and format and import it as part of installation or upgrade process. Also remove the code that modifies the old (file-based) `caIPAserviceCert' profile. Fixes https://fedorahosted.org/freeipa/ticket/4002 --- freeipa.spec.in | 2 + install/configure.ac | 1 + install/share/Makefile.am | 1 + install/share/profiles/Makefile.am | 14 ++ install/share/profiles/caIPAserviceCert.cfg | 109 ++++++++++++ install/tools/ipa-upgradeconfig | 1 - ipapython/dogtag.py | 7 +- ipaserver/install/cainstance.py | 253 +++++++--------------------- ipaserver/install/ipa_server_upgrade.py | 1 + ipaserver/install/server/install.py | 6 + ipaserver/install/server/upgrade.py | 42 ++--- ipaserver/plugins/dogtag.py | 14 +- 12 files changed, 228 insertions(+), 223 deletions(-) create mode 100644 install/share/profiles/Makefile.am create mode 100644 install/share/profiles/caIPAserviceCert.cfg diff --git a/freeipa.spec.in b/freeipa.spec.in index 2f259234945be874aede64ca7c3ce04bdf467b64..a9757a194b1bf3bdcced4fd29e7fbae8b0211c94 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -720,6 +720,8 @@ fi %dir %{_usr}/share/ipa/advise %dir %{_usr}/share/ipa/advise/legacy %{_usr}/share/ipa/advise/legacy/*.template +%dir %{_usr}/share/ipa/profiles +%{_usr}/share/ipa/profiles/*.cfg %dir %{_usr}/share/ipa/ffextension %{_usr}/share/ipa/ffextension/bootstrap.js %{_usr}/share/ipa/ffextension/install.rdf diff --git a/install/configure.ac b/install/configure.ac index 2e48aa5cc67b30f2582de987a12d4e7043256679..57f4219b66bbe1dadaed3e89c3e84b1c8240399e 100644 --- a/install/configure.ac +++ b/install/configure.ac 
@@ -88,6 +88,7 @@ AC_CONFIG_FILES([ share/Makefile share/advise/Makefile share/advise/legacy/Makefile + share/profiles/Makefile ui/Makefile ui/css/Makefile ui/src/Makefile diff --git a/install/share/Makefile.am b/install/share/Makefile.am index f44772b20c173c6fe43503716f40454f6f6b6f11..31f391be25c58b76cc71971852074d80c5514745 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -2,6 +2,7 @@ NULL = SUBDIRS = \ advise \ + profiles \ $(NULL) appdir = $(IPA_DATA_DIR) diff --git a/install/share/profiles/Makefile.am b/install/share/profiles/Makefile.am new file mode 100644 index 0000000000000000000000000000000000000000..4e6cf975a0f51d02ec29bd07ac8cb9ccc8320818 --- /dev/null +++ b/install/share/profiles/Makefile.am @@ -0,0 +1,14 @@ +NULL = + +appdir = $(IPA_DATA_DIR)/profiles +app_DATA = \ + caIPAserviceCert.cfg \ + $(NULL) + +EXTRA_DIST = \ + $(app_DATA) \ + $(NULL) + +MAINTAINERCLEANFILES = \ + *~ \ + Makefile.in diff --git a/install/share/profiles/caIPAserviceCert.cfg b/install/share/profiles/caIPAserviceCert.cfg new file mode 100644 index 0000000000000000000000000000000000000000..6c5102f0dbd6bd6c6eaf2fa22e87ed4a5f34553c --- /dev/null +++ b/install/share/profiles/caIPAserviceCert.cfg 
@@ -0,0 +1,109 @@ +profileId=caIPAserviceCert +classId=caEnrollImpl +desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication. +visible=false +enable=true +enableBy=admin +auth.instance_id=raCertAuth +name=IPA-RA Agent-Authenticated Server Certificate Enrollment +input.list=i1,i2 +input.i1.class_id=certReqInputImpl +input.i2.class_id=submitterInfoInputImpl +output.list=o1 +output.o1.class_id=certOutputImpl +policyset.list=serverCertSet +policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11 +policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl +policyset.serverCertSet.1.constraint.name=Subject Name Constraint +policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+ +policyset.serverCertSet.1.constraint.params.accept=true +policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl +policyset.serverCertSet.1.default.name=Subject Name Default +policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O +policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl +policyset.serverCertSet.2.constraint.name=Validity Constraint +policyset.serverCertSet.2.constraint.params.range=740 +policyset.serverCertSet.2.constraint.params.notBeforeCheck=false +policyset.serverCertSet.2.constraint.params.notAfterCheck=false +policyset.serverCertSet.2.default.class_id=validityDefaultImpl +policyset.serverCertSet.2.default.name=Validity Default +policyset.serverCertSet.2.default.params.range=731 +policyset.serverCertSet.2.default.params.startTime=0 +policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl +policyset.serverCertSet.3.constraint.name=Key Constraint +policyset.serverCertSet.3.constraint.params.keyType=RSA +policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096 +policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl +policyset.serverCertSet.3.default.name=Key Default 
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl +policyset.serverCertSet.4.constraint.name=No Constraint +policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl +policyset.serverCertSet.4.default.name=Authority Key Identifier Default +policyset.serverCertSet.5.constraint.class_id=noConstraintImpl +policyset.serverCertSet.5.constraint.name=No Constraint +policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl +policyset.serverCertSet.5.default.name=AIA Extension Default +policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true +policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName +policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://$IPA_CA_RECORD.$DOMAIN/ca/ocsp +policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 +policyset.serverCertSet.5.default.params.authInfoAccessCritical=false +policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1 +policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl +policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint +policyset.serverCertSet.6.constraint.params.keyUsageCritical=true +policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true +policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true +policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true +policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true +policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false +policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false +policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false +policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false +policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false +policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl +policyset.serverCertSet.6.default.name=Key Usage 
Default +policyset.serverCertSet.6.default.params.keyUsageCritical=true +policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true +policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true +policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true +policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true +policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false +policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false +policyset.serverCertSet.6.default.params.keyUsageCrlSign=false +policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false +policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false +policyset.serverCertSet.7.constraint.class_id=noConstraintImpl +policyset.serverCertSet.7.constraint.name=No Constraint +policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl +policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default +policyset.serverCertSet.7.default.params.exKeyUsageCritical=false +policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 +policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl +policyset.serverCertSet.8.constraint.name=No Constraint +policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC +policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl +policyset.serverCertSet.8.default.name=Signing Alg +policyset.serverCertSet.8.default.params.signingAlg=- +policyset.serverCertSet.9.constraint.class_id=noConstraintImpl +policyset.serverCertSet.9.constraint.name=No Constraint +policyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl +policyset.serverCertSet.9.default.name=CRL Distribution Points Extension Default +policyset.serverCertSet.9.default.params.crlDistPointsCritical=false 
+policyset.serverCertSet.9.default.params.crlDistPointsNum=1 +policyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true +policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=$CRL_ISSUER +policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName +policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://$IPA_CA_RECORD.$DOMAIN/ipa/crl/MasterCRL.bin +policyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName +policyset.serverCertSet.9.default.params.crlDistPointsReasons_0= +policyset.serverCertSet.10.constraint.class_id=noConstraintImpl +policyset.serverCertSet.10.constraint.name=No Constraint +policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl +policyset.serverCertSet.10.default.name=Subject Key Identifier Extension Default +policyset.serverCertSet.10.default.params.critical=false +policyset.serverCertSet.11.constraint.class_id=noConstraintImpl +policyset.serverCertSet.11.constraint.name=No Constraint +policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl +policyset.serverCertSet.11.default.name=User Supplied Extension Default +policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17 diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index 43292966a29c9077443913bdda1c81aa3de06a10..5f3a2b4a2f3864c2809178815c244c2012333fc8 100755 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig @@ -21,7 +21,6 @@ import sys - if __name__ == '__main__': sys.exit("Please run the 'ipa-server-upgrade' command to upgrade the " "IPA server.") diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py index 11311cf7b55d7b84e9434a698dbfd60b0eb142a1..2b4d233354b974884c88d13a3a1b437915ba0776 100644 --- a/ipapython/dogtag.py +++ b/ipapython/dogtag.py 
@@ -42,6 +42,11 @@ from ipapython.ipa_log_manager import * # the configured version. +INCLUDED_PROFILES = { + # ( profile_id , description , store_issued) + (u'caIPAserviceCert', u'Standard profile for network services', True), + } + class Dogtag10Constants(object): DOGTAG_VERSION = 10 UNSECURE_PORT = 8080 @@ -71,7 +76,6 @@ class Dogtag10Constants(object): RACERT_LINE_SEP = '\n' - IPA_SERVICE_PROFILE = '%s/caIPAserviceCert.cfg' % SERVICE_PROFILE_DIR SIGN_PROFILE = '%s/caJarSigningCert.cfg' % SERVICE_PROFILE_DIR SHARED_DB = True DS_USER = "dirsrv" @@ -110,7 +114,6 @@ class Dogtag9Constants(object): EE_CLIENT_AUTH_PORT = 9446 TOMCAT_SERVER_PORT = 9701 - IPA_SERVICE_PROFILE = '%s/caIPAserviceCert.cfg' % SERVICE_PROFILE_DIR SIGN_PROFILE = '%s/caJarSigningCert.cfg' % SERVICE_PROFILE_DIR SHARED_DB = False DS_USER = "pkisrv" diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 871581b4afc5df854b9a090ef51bb0ad3b3871ee..ca0b6df5db80bc842a78f614872831ddd82330b1 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -459,10 +459,6 @@ class CAInstance(DogtagInstance): self.step("importing CA chain to RA certificate database", self.__import_ca_chain) self.step("fixing RA database permissions", self.fix_ra_perms) self.step("setting up signing cert profile", self.__setup_sign_profile) - self.step("set certificate subject base", self.__set_subject_in_config) - self.step("enabling Subject Key Identifier", self.enable_subject_key_identifier) - self.step("enabling Subject Alternative Name", self.enable_subject_alternative_name) - self.step("enabling CRL and OCSP extensions for certificates", self.__set_crl_ocsp_extensions) self.step("setting audit signing renewal to 2 years", self.set_audit_renewal) if not self.clone: self.step("restarting certificate server", self.restart_instance) 
@@ -1125,94 +1121,6 @@ class CAInstance(DogtagInstance): return publishdir - def __set_crl_ocsp_extensions(self): - self.set_crl_ocsp_extensions(self.domain, self.fqdn) - - def set_crl_ocsp_extensions(self, domain, fqdn): - """ - Configure CRL and OCSP extensions in default IPA certificate profile - if not done already. - """ - changed = False - - # OCSP extension - ocsp_url = 'http://%s.%s/ca/ocsp' % (IPA_CA_RECORD, ipautil.format_netloc(domain)) - - ocsp_location_0 = installutils.get_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0', - separator='=') - - if ocsp_location_0 != ocsp_url: - # Set the first OCSP URI - installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0', - ocsp_url, quotes=False, separator='=') - changed = True - - ocsp_profile_count = installutils.get_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.5.default.params.authInfoAccessNumADs', - separator='=') - - if ocsp_profile_count != '1': - installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.5.default.params.authInfoAccessNumADs', - '1', quotes=False, separator='=') - changed = True - - - # CRL extension - crl_url = 'http://%s.%s/ipa/crl/MasterCRL.bin'% (IPA_CA_RECORD, ipautil.format_netloc(domain)) - - crl_point_0 = installutils.get_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.9.default.params.crlDistPointsPointName_0', - separator='=') - - if crl_point_0 != crl_url: - installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0', - 'CN=Certificate Authority,o=ipaca', quotes=False, separator='=') - installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0', - 
'DirectoryName', quotes=False, separator='=') - installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.9.default.params.crlDistPointsPointName_0', - crl_url, quotes=False, separator='=') - changed = True - - crl_profile_count = installutils.get_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.9.default.params.crlDistPointsNum', - separator='=') - - if crl_profile_count != '1': - installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.9.default.params.crlDistPointsNum', - '1', quotes=False, separator='=') - changed = True - - # CRL extension is not enabled by default - setlist = installutils.get_directive(self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.list', separator='=') - new_set_list = None - - if setlist == '1,2,3,4,5,6,7,8': - new_set_list = '1,2,3,4,5,6,7,8,9' - elif setlist == '1,2,3,4,5,6,7,8,10': - new_set_list = '1,2,3,4,5,6,7,8,9,10' - elif setlist == '1,2,3,4,5,6,7,8,10,11': - new_set_list = '1,2,3,4,5,6,7,8,9,10,11' - - if new_set_list: - installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.list', - new_set_list, quotes=False, separator='=') - changed = True - - return changed - def __enable_crl_publish(self): """ 
@@ -1267,13 +1175,6 @@ class CAInstance(DogtagInstance): installutils.set_directive(caconfig, 'ca.crl.MasterCRL.enableCRLUpdates', 'false', quotes=False, separator='=') installutils.set_directive(caconfig, 'ca.listenToCloneModifications', 'false', quotes=False, separator='=') - def __set_subject_in_config(self): - # dogtag ships with an IPA-specific profile that forces a subject - # format. We need to update that template with our base subject - if installutils.update_file(self.dogtag_constants.IPA_SERVICE_PROFILE, - 'OU=pki-ipa, O=IPA', str(self.subject_base)): - print "Updating subject_base in CA template failed" - def uninstall(self): # just eat state self.restore_state("enabled") 
@@ -1407,100 +1308,6 @@ class CAInstance(DogtagInstance): services.knownservices.certmonger.stop() - def enable_subject_key_identifier(self): - """ - See if Subject Key Identifier is set in the profile and if not, add it. - """ - setlist = installutils.get_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.list', separator='=') - - # this is the default setting from pki-ca/pki-tomcat. Don't touch it - # if a user has manually modified it. - if setlist == '1,2,3,4,5,6,7,8' or setlist == '1,2,3,4,5,6,7,8,9': - setlist += ',10' - installutils.set_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.list', - setlist, - quotes=False, separator='=') - installutils.set_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.10.constraint.class_id', - 'noConstraintImpl', - quotes=False, separator='=') - installutils.set_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.10.constraint.name', - 'No Constraint', - quotes=False, separator='=') - installutils.set_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.10.default.class_id', - 'subjectKeyIdentifierExtDefaultImpl', - quotes=False, separator='=') - installutils.set_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.10.default.name', - 'Subject Key Identifier Extension Default', - quotes=False, separator='=') - installutils.set_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.10.default.params.critical', - 'false', - quotes=False, separator='=') - return True - - # No update was done - return False - - def enable_subject_alternative_name(self): - """ - See if Subject Alternative Name is set in the profile and if not, add - it. 
- """ - setlist = installutils.get_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.list', separator='=') - - # this is the default setting from pki-ca/pki-tomcat. Don't touch it - # if a user has manually modified it. - if setlist == '1,2,3,4,5,6,7,8,10' or setlist == '1,2,3,4,5,6,7,8,9,10': - setlist += ',11' - installutils.set_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.list', - setlist, - quotes=False, separator='=') - installutils.set_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.11.constraint.class_id', - 'noConstraintImpl', - quotes=False, separator='=') - installutils.set_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.11.constraint.name', - 'No Constraint', - quotes=False, separator='=') - installutils.set_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.11.default.class_id', - 'userExtensionDefaultImpl', - quotes=False, separator='=') - installutils.set_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.11.default.name', - 'User Supplied Extension Default', - quotes=False, separator='=') - installutils.set_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.11.default.params.userExtOID', - '2.5.29.17', - quotes=False, separator='=') - return True - - # No update was done - return False def set_audit_renewal(self): """ @@ -1586,7 +1393,6 @@ class CAInstance(DogtagInstance): master_entry['ipaConfigString'].append('caRenewalMaster') self.admin_conn.update_entry(master_entry) - @staticmethod def update_cert_config(nickname, cert, dogtag_constants=None): """ 
@@ -1854,6 +1660,65 @@ def configure_profiles_acl(): conn.disconnect() return updated +def import_included_profiles(): + sub_dict = dict( + DOMAIN=ipautil.format_netloc(api.env.domain), + IPA_CA_RECORD=IPA_CA_RECORD, + CRL_ISSUER='CN=Certificate Authority,o=ipaca', + SUBJECT_DN_O=str(DN(('O', api.env.realm))), + ) + + server_id = installutils.realm_to_serverid(api.env.realm) + dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id + conn = ldap2.ldap2(shared_instance=False, ldap_uri=dogtag_uri) + if not conn.isconnected(): + conn.connect(autobind=True) + + for (profile_id, desc, store_issued) in dogtag.INCLUDED_PROFILES: + dn = DN(('cn', profile_id), + api.env.container_certprofile, api.env.basedn) + try: + conn.get_entry(dn) + continue # the profile is present + except errors.NotFound: + # profile not found; add it + profile_data = ipautil.template_file( + '/usr/share/ipa/profiles/{}.cfg'.format(profile_id), sub_dict) + + entry = conn.make_entry( + dn, + objectclass=['ipacertprofile'], + cn=[profile_id], + description=[desc], + ipacertprofilestoreissued=['TRUE' if store_issued else 'FALSE'], + ) + conn.add_entry(entry) + api.Backend.ra_certprofile._read_password() + with api.Backend.ra_certprofile as profile_api: + # import the profile + try: + profile_api.create_profile(profile_data) + except errors.RemoteRetrieveError: + # conflicting profile; replace it if we are + # installing IPA, but keep it for upgrades + if api.env.context == 'installer': + try: + profile_api.disable_profile(profile_id) + except errors.RemoteRetrieveError: + pass + profile_api.delete_profile(profile_id) + profile_api.create_profile(profile_data) + + # enable the profile + try: + profile_api.enable_profile(profile_id) + except errors.RemoteRetrieveError: + pass + + root_logger.info("Imported profile '%s'", profile_id) + + conn.disconnect() + if __name__ == "__main__": standard_logging_setup("install.log") ds = dsinstance.DsInstance() 
diff --git a/ipaserver/install/ipa_server_upgrade.py b/ipaserver/install/ipa_server_upgrade.py index d0a839d0a316317622894e5b56896f91a9e29bb8..8373b213411c34c59e838c586ff46e99efb43f58 100644 --- a/ipaserver/install/ipa_server_upgrade.py +++ b/ipaserver/install/ipa_server_upgrade.py @@ -41,6 +41,7 @@ class ServerUpgrade(admintool.AdminTool): super(ServerUpgrade, self).run() api.bootstrap(in_server=True, context='updates') + import ipaserver.plugins.dogtag # ensure profile backend gets loaded api.finalize() try: diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index aea1f9915f16a55c44183b0cebb41c04622be503..955e4cc11fba20475a07126f4101edbf1024290e 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py @@ -748,6 +748,9 @@ def install(options): api.env.ca_host = host_name api.bootstrap(**cfg) + if setup_ca: + # ensure profile backend is available + import ipaserver.plugins.dogtag api.finalize() # Create DS user/group if it doesn't exist yet @@ -903,6 +906,9 @@ def install(options): service.print_msg("Restarting the certificate server") ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME) + service.print_msg("Importing certificate profiles") + cainstance.import_included_profiles() + if options.setup_dns: api.Backend.ldap2.connect(autobind=True) dns.install(False, False, options) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 820533d6fa34218282941b8dcfcd3c0a192fdfb7..c5f4d37cc02658334d5c26f269ec5dd5e386df1d 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py 
@@ -338,32 +338,28 @@ def ca_enable_ldap_profile_subsystem(ca): return needs_update -def upgrade_ipa_profile(ca, domain, fqdn): +def ca_import_included_profiles(ca): + root_logger.info('[Ensuring presence of included profiles]') + + if not ca.is_configured(): + root_logger.info('CA is not configured') + return False + + return cainstance.import_included_profiles() + + +def upgrade_ca_audit_cert_validity(ca): """ - Update the IPA Profile provided by dogtag + Update the Dogtag audit signing certificate. Returns True if restart is needed, False otherwise. """ - root_logger.info('[Verifying that CA service certificate profile is updated]') + root_logger.info('[Verifying that CA audit signing cert has 2 year validity]') if ca.is_configured(): - ski = ca.enable_subject_key_identifier() - if ski: - root_logger.debug('Subject Key Identifier updated.') - else: - root_logger.debug('Subject Key Identifier already set.') - san = ca.enable_subject_alternative_name() - if san: - root_logger.debug('Subject Alternative Name updated.') - else: - root_logger.debug('Subject Alternative Name already set.') - audit = ca.set_audit_renewal() - uri = ca.set_crl_ocsp_extensions(domain, fqdn) - if audit or ski or san or uri: - return True + return ca.set_audit_renewal() else: root_logger.info('CA is not configured') - - return False + return False def named_remove_deprecated_options(): @@ -1416,7 +1412,7 @@ def upgrade_configuration(): ca_restart = any([ ca_restart, - upgrade_ipa_profile(ca, api.env.domain, fqdn), + upgrade_ca_audit_cert_validity(ca), certificate_renewal_update(ca), ca_enable_pkix(ca), ca_configure_profiles_acl(ca), 
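Review bot: removing `upgrade_ipa_profile` drops the upgrade-time calls to `enable_subject_key_identifier`, `enable_subject_alternative_name` and `set_crl_ocsp_extensions(domain, fqdn)`, but `import_included_profiles` keeps a pre-existing `caIPAserviceCert` profile on upgrade (it only replaces a conflicting profile when `api.env.context == 'installer'`), so a server upgraded from a release whose profile still lacks those settings would no longer have them repaired. Either explain in the commit message why these steps are no longer needed on upgrade, or keep them for the non-installer path. Also `ca_import_included_profiles` returns the value of `cainstance.import_included_profiles()`, which has no `return` statement; since the other `ca_*` upgrade functions return True/False for "restart needed", make this an explicit `return False` with a docstring saying no restart is required.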
@@ -1430,6 +1426,12 @@ def upgrade_configuration(): except ipautil.CalledProcessError as e: root_logger.error("Failed to restart %s: %s", ca.service_name, e) + # This step MUST be done after ca_enable_ldap_profile_subsystem and + # ca_configure_profiles_acl, and the consequent restart, but does not + # itself require a restart. + # + ca_import_included_profiles(ca) + set_sssd_domain_option('ipa_server_mode', 'True') diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 9654123b16d8e417398d49bf1305fd41880bc3a7..880b319d68728a40f4479626d5a7c2b8c56ced02 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -1966,17 +1966,19 @@ class RestClient(Backend): self.ipa_key_size = "2048" self.ipa_certificate_nickname = "ipaCert" self.ca_certificate_nickname = "caCert" - try: - f = open(self.pwd_file, "r") - self.password = f.readline().strip() - f.close() - except IOError: - self.password = '' + self._read_password() super(RestClient, self).__init__() # session cookie self.cookie = None + def _read_password(self): + try: + with open(self.pwd_file) as f: + self.password = f.readline().strip() + except IOError: + self.password = '' + @cachedproperty def ca_host(self): """ -- 2.1.0 -------------- next part -------------- From 92ff31ed8043c8ece53441ed60384080bffed0b7 Mon Sep 17 00:00:00 2001 
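Review bot: the new comment states that `ca_import_included_profiles(ca)` MUST run after the CA restart, but the restart sits in a `try` whose `except ipautil.CalledProcessError as e` only logs "Failed to restart %s: %s" and falls through, so the import still runs against a CA that did not restart and may not have the LDAP profile subsystem enabled yet. Guard the call on the restart having succeeded (for example by recording the failure in the except branch and skipping the import), or let the restart failure propagate.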
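Review bot: `RestClient._read_password` is introduced with a leading underscore but the first hunk of this patch calls it from `cainstance.import_included_profiles` via `api.Backend.ra_certprofile._read_password()`; give it a public name, or have the `RestClient` context manager re-read `self.pwd_file` on entry so external callers never need to call it at all.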
From: Fraser Tweedale Date: Thu, 7 May 2015 21:26:24 -0400 Subject: [PATCH 08/13] Add generic split_any_principal method There exist methods to split user or service/host principals, but there is no method to split any kind of principal and allow the caller to decide what to do. Generalize ``ipalib.plugins.service.split_principal`` to return a service of ``None`` if the principal is a user principal, rename it ``split_any_principal`` and reimplement ``split_principal`` to preserve existing behaviour. Part of: https://fedorahosted.org/freeipa/ticket/4938 --- ipalib/plugins/service.py | 27 +++++++++++++++++++-------- 1 file changed, 19 insertions(+), 8 deletions(-) diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py index 2d34eac7db5b97b7a969175f488a547dde54010a..166d978a248e7c5da6f8df4b534edad0a0799b7e 100644 --- a/ipalib/plugins/service.py +++ b/ipalib/plugins/service.py @@ -185,19 +185,24 @@ _ticket_flags_map = { _ticket_flags_default = _ticket_flags_map['ipakrbrequirespreauth'] -def split_principal(principal): +def split_any_principal(principal): service = hostname = realm = None # Break down the principal into its component parts, which may or # may not include the realm. sp = principal.split('/') - if len(sp) != 2: - raise errors.MalformedServicePrincipal(reason=_('missing service')) + name_and_realm = None + if len(sp) > 2: + raise errors.MalformedServicePrincipal(reason=_('unable to determine service')) + elif len(sp) == 2: + service = sp[0] + if len(service) == 0: + raise errors.MalformedServicePrincipal(reason=_('blank service')) + name_and_realm = sp[1] + else: + name_and_realm = sp[0] - service = sp[0] - if len(service) == 0: - raise errors.MalformedServicePrincipal(reason=_('blank service')) - sr = sp[1].split('@') + sr = name_and_realm.split('@') if len(sr) > 2: raise errors.MalformedServicePrincipal( reason=_('unable to determine realm')) 
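Review bot: `split_any_principal` lacks a docstring stating that `service` is returned as None for a user principal, which is the whole point of the new function and is relied on by `cert_request` later in this series. Two naming points in the same hunk: a principal with more than two `/`-separated parts still raises `MalformedServicePrincipal(reason=_('unable to determine service'))` even though the caller may be validating a user principal, so a more general error (or reason text) would be clearer, and the second return value is still called `hostname` although for a user principal it holds the login name; `name` would match the `split_principal` wrapper's naming.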
@@ -212,7 +217,13 @@ def split_principal(principal): realm = api.env.realm # Note that realm may be None. - return (service, hostname, realm) + return service, hostname, realm + +def split_principal(principal): + service, name, realm = split_any_principal(principal) + if service is None: + raise errors.MalformedServicePrincipal(reason=_('missing service')) + return service, name, realm def validate_principal(ugettext, principal): (service, hostname, principal) = split_principal(principal) -- 2.1.0 -------------- next part -------------- From 2ae7a19202939f82bf64a11ab9e65ca4d83984da Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 8 May 2015 02:23:24 -0400 Subject: [PATCH 09/13] Add profile_id parameter to 'request_certificate' Add the profile_id parameter to the 'request_certificate' function and update call sites. Also remove multiple occurrences of the default profile ID 'caIPAserviceCert'. Part of: https://fedorahosted.org/freeipa/ticket/57 --- API.txt | 2 +- checks/check-ra.py | 2 +- ipalib/plugins/cert.py | 2 +- ipapython/dogtag.py | 2 ++ ipaserver/install/certs.py | 2 +- ipaserver/plugins/dogtag.py | 7 +++++-- ipaserver/plugins/rabase.py | 3 ++- 7 files changed, 13 insertions(+), 7 deletions(-) diff --git a/API.txt b/API.txt index 81aca14afcaa5234ad218b8d84f3bc8efc734c9d..644c7d7de75475a01638bfb7fa2fb4479ac2e885 100644 --- a/API.txt +++ b/API.txt @@ -485,7 +485,7 @@ arg: Str('serial_number') option: Str('version?', exclude='webui') output: Output('result', None, None) command: cert_request -args: 1,4,1 +args: 1,5,1 arg: File('csr', cli_name='csr_file') option: Flag('add', autofill=True, default=False) option: Str('principal') diff --git a/checks/check-ra.py b/checks/check-ra.py index a1df50ba4a4ad7fc0b6d2118e40977b1da6edf65..28929545ab7f0a63e47a3829c53cf08d784c9524 100755 --- a/checks/check-ra.py +++ b/checks/check-ra.py 
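Review bot: only one blank line separates `return service, hostname, realm` from `def split_principal(principal)`; PEP 8 asks for two between top-level definitions. Also add a one-line docstring to `split_principal` saying that it raises `MalformedServicePrincipal(reason=_('missing service'))` for user principals, since that is now the only behavioural difference from `split_any_principal`.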
@@ -90,7 +90,7 @@ def assert_equal(trial, reference): api.log.info('******** Testing ra.request_certificate() ********') -request_result = ra.request_certificate(csr) +request_result = ra.request_certificate(csr, ra.DEFAULT_PROFILE) if verbose: print "request_result=\n%s" % request_result assert_equal(request_result, {'subject' : subject, diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py index 7e2c77622b3627e9e57bbcb69291f723ecf509bf..e4cb6dc0aa8b89368806b08674aae277b3653e8f 100644 --- a/ipalib/plugins/cert.py +++ b/ipalib/plugins/cert.py @@ -436,7 +436,7 @@ class cert_request(VirtualCommand): # Request the certificate result = self.Backend.ra.request_certificate( - csr, request_type=request_type) + csr, 'caIPAserviceCert', request_type=request_type) cert = x509.load_certificate(result['certificate']) result['issuer'] = unicode(cert.issuer) result['valid_not_before'] = unicode(cert.valid_not_before_str) diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py index 2b4d233354b974884c88d13a3a1b437915ba0776..53085f7762fc828ed9fc6621fbf3a0c67ec6a656 100644 --- a/ipapython/dogtag.py +++ b/ipapython/dogtag.py @@ -47,6 +47,8 @@ INCLUDED_PROFILES = { (u'caIPAserviceCert', u'Standard profile for network services', True), } +DEFAULT_PROFILE = u'caIPAserviceCert' + class Dogtag10Constants(object): DOGTAG_VERSION = 10 UNSECURE_PORT = 8080 diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py index bc7dccf805386e9fa84b58d2ff9346085e1b93b1..564332e6fde0698a23884922c5018fab59da7e4d 100644 --- a/ipaserver/install/certs.py +++ b/ipaserver/install/certs.py @@ -386,7 +386,7 @@ class CertDB(object): # We just want the CSR bits, make sure there is nothing else csr = pkcs10.strip_header(csr) - params = {'profileId': 'caIPAserviceCert', + params = {'profileId': dogtag.DEFAULT_PROFILE, 'cert_request_type': 'pkcs10', 'requestor_name': 'IPA Installer', 'cert_request': csr, 
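Review bot: the `ipalib/plugins/cert.py` hunk still passes the literal `'caIPAserviceCert'` to `self.Backend.ra.request_certificate(csr, 'caIPAserviceCert', request_type=request_type)`, although the commit message says this patch removes the repeated occurrences of the default profile ID and the `ra` backend gains `DEFAULT_PROFILE` in the next hunk; use `self.Backend.ra.DEFAULT_PROFILE` here, as `checks/check-ra.py` already does.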
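Review bot: in the `ipaserver/install/certs.py` hunk `params = {'profileId': dogtag.DEFAULT_PROFILE, ...}` relies on the module-level name `dogtag` being `ipapython.dogtag`, where `DEFAULT_PROFILE` is defined in this patch; the import is outside the hunk, so please confirm it is that module and not `ipaserver.plugins.dogtag`, which does not define the constant at module level.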
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 880b319d68728a40f4479626d5a7c2b8c56ced02..e6668bb43b994863a14fdd347635753422ed9388 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -1284,6 +1284,8 @@ class ra(rabase.rabase): """ Request Authority backend plugin. """ + DEFAULT_PROFILE = dogtag.DEFAULT_PROFILE + def __init__(self): if api.env.in_tree: self.sec_dir = api.env.dot_ipa + os.sep + 'alias' @@ -1541,9 +1543,10 @@ class ra(rabase.rabase): return cmd_result - def request_certificate(self, csr, request_type='pkcs10'): + def request_certificate(self, csr, profile_id, request_type='pkcs10'): """ :param csr: The certificate signing request. + :param profile_id: The profile to use for the request. :param request_type: The request type (defaults to ``'pkcs10'``). Submit certificate signing request. @@ -1575,7 +1578,7 @@ class ra(rabase.rabase): http_status, http_reason_phrase, http_headers, http_body = \ self._sslget('/ca/eeca/ca/profileSubmitSSLClient', self.env.ca_ee_port, - profileId='caIPAserviceCert', + profileId=profile_id, cert_request_type=request_type, cert_request=csr, xml='true') diff --git a/ipaserver/plugins/rabase.py b/ipaserver/plugins/rabase.py index e14969970ef5b402d06b766f895200c6eb4fc76f..cf4426235b02866a3f565c51c52c44aabbdc1153 100644 --- a/ipaserver/plugins/rabase.py +++ b/ipaserver/plugins/rabase.py @@ -67,11 +67,12 @@ class rabase(Backend): """ raise errors.NotImplementedError(name='%s.get_certificate' % self.name) - def request_certificate(self, csr, request_type='pkcs10'): + def request_certificate(self, csr, profile_id, request_type='pkcs10'): """ Submit certificate signing request. :param csr: The certificate signing request. + :param profile_id: Profile to use for this request. :param request_type: The request type (defaults to ``'pkcs10'``). """ raise errors.NotImplementedError(name='%s.request_certificate' % self.name) -- 2.1.0 -------------- next part -------------- 
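Review bot: `profile_id` is added as a new required positional parameter in front of `request_type` in both `rabase.request_certificate` and `ra.request_certificate`, so any existing caller that passed `request_type` positionally now silently sends its request type as the Dogtag profile ID instead of raising a TypeError. Since this code base is Python 2 (`print "request_result=..."` in `check-ra.py`) keyword-only arguments are not available, so consider `profile_id=None` with a fallback to `DEFAULT_PROFILE` inside the method, or at least confirm every in-tree caller is updated in this series.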
From d366ab715099623bfb0d5a2cc5f9c14f687448a6 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Mon, 18 May 2015 22:11:52 -0400 Subject: [PATCH 10/13] Add usercertificate attribute to user plugin Part of: https://fedorahosted.org/freeipa/tickets/4938 --- ACI.txt | 2 +- API.txt | 18 ++++++++++++------ install/share/default-aci.ldif | 1 + install/updates/20-aci.update | 4 ++++ ipalib/plugins/baseuser.py | 10 ++++++++-- ipalib/plugins/user.py | 2 +- 6 files changed, 27 insertions(+), 10 deletions(-) diff --git a/ACI.txt b/ACI.txt index 543d8da69fb2adf79dc9821fb24028717670326a..59173ac1b593f15e079c7b1fce43ec9b0084ec91 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -297,7 +297,7 @@ aci: (targetattr = "krbprincipalkey || passwordhistory || sambalmpassword || sam dn: cn=users,cn=accounts,dc=ipa,dc=example aci: (targetattr = "ipasshpubkey")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=System: Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=users,cn=accounts,dc=ipa,dc=example -aci: (targetattr = "businesscategory || carlicense || cn || description || displayname || employeetype || facsimiletelephonenumber || gecos || givenname || homephone || inetuserhttpurl || initials || l || labeleduri || loginshell || manager || mepmanagedentry || mobile || objectclass || ou || pager || postalcode || preferredlanguage || roomnumber || secretary || seealso || sn || st || street || telephonenumber || title || userclass")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Modify Users";allow (write) groupdn = "ldap:///cn=System: Modify Users,cn=permissions,cn=pbac,dc=ipa,dc=example";) +aci: (targetattr = "businesscategory || carlicense || cn || description || displayname || employeetype || facsimiletelephonenumber || gecos || givenname || homephone || inetuserhttpurl || initials || l || labeleduri || loginshell || manager || mepmanagedentry || mobile || objectclass || ou || pager || postalcode || preferredlanguage || roomnumber || secretary || seealso || sn || st || street || telephonenumber || title || usercertificate || userclass")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Modify Users";allow (write) groupdn = "ldap:///cn=System: Modify Users,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=ipa,dc=example aci: (targetattr = "*")(target = "ldap:///cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read UPG 
Definition";allow (compare,read,search) groupdn = "ldap:///cn=System: Read UPG Definition,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=users,cn=accounts,dc=ipa,dc=example diff --git a/API.txt b/API.txt index 644c7d7de75475a01638bfb7fa2fb4479ac2e885..78b9a743edb332b904d48cd12b1ef018a4de32dc 100644 --- a/API.txt +++ b/API.txt @@ -3960,7 +3960,7 @@ output: Entry('result', , Gettext('A dictionary representing an LDA output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) command: stageuser_add -args: 1,43,3 +args: 1,44,3 arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') @@ -4002,6 +4002,7 @@ option: Str('street', attribute=True, cli_name='street', multivalue=False, requi option: Str('telephonenumber', attribute=True, cli_name='phone', multivalue=True, required=False) option: Str('title', attribute=True, cli_name='title', multivalue=False, required=False) option: Int('uidnumber', attribute=True, cli_name='uid', minvalue=1, multivalue=False, required=False) +option: Bytes('usercertificate', attribute=True, cli_name='certificate', multivalue=True, required=False) option: Str('userclass', attribute=True, cli_name='class', multivalue=True, required=False) option: Password('userpassword', attribute=True, cli_name='password', exclude='webui', multivalue=False, required=False) option: Str('version?', exclude='webui') 
@@ -4017,7 +4018,7 @@ output: Output('result', , None) output: Output('summary', (, ), None) output: ListOfPrimaryKeys('value', None, None) command: stageuser_find -args: 1,52,4 +args: 1,53,4 arg: Str('criteria?', noextrawhitespace=False) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('carlicense', attribute=True, autofill=False, cli_name='carlicense', multivalue=True, query=True, required=False) @@ -4068,6 +4069,7 @@ option: Int('timelimit?', autofill=False, minvalue=0) option: Str('title', attribute=True, autofill=False, cli_name='title', multivalue=False, query=True, required=False) option: Str('uid', attribute=True, autofill=False, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=False) option: Int('uidnumber', attribute=True, autofill=False, cli_name='uid', minvalue=1, multivalue=False, query=True, required=False) +option: Bytes('usercertificate', attribute=True, autofill=False, cli_name='certificate', multivalue=True, query=True, required=False) option: Str('userclass', attribute=True, autofill=False, cli_name='class', multivalue=True, query=True, required=False) option: Password('userpassword', attribute=True, autofill=False, cli_name='password', exclude='webui', multivalue=False, query=True, required=False) option: Str('version?', exclude='webui') @@ -4076,7 +4078,7 @@ output: ListOfEntries('result', (, ), Gettext('A list output: Output('summary', (, ), None) output: Output('truncated', , None) command: stageuser_mod -args: 1,44,3 +args: 1,45,3 arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') 
@@ -4119,6 +4121,7 @@ option: Str('street', attribute=True, autofill=False, cli_name='street', multiva option: Str('telephonenumber', attribute=True, autofill=False, cli_name='phone', multivalue=True, required=False) option: Str('title', attribute=True, autofill=False, cli_name='title', multivalue=False, required=False) option: Int('uidnumber', attribute=True, autofill=False, cli_name='uid', minvalue=1, multivalue=False, required=False) +option: Bytes('usercertificate', attribute=True, autofill=False, cli_name='certificate', multivalue=True, required=False) option: Str('userclass', attribute=True, autofill=False, cli_name='class', multivalue=True, required=False) option: Password('userpassword', attribute=True, autofill=False, cli_name='password', exclude='webui', multivalue=False, required=False) option: Str('version?', exclude='webui') @@ -4746,7 +4749,7 @@ output: Entry('result', , Gettext('A dictionary representing an LDA output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) command: user_add -args: 1,44,3 +args: 1,45,3 arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') 
@@ -4789,6 +4792,7 @@ option: Str('street', attribute=True, cli_name='street', multivalue=False, requi option: Str('telephonenumber', attribute=True, cli_name='phone', multivalue=True, required=False) option: Str('title', attribute=True, cli_name='title', multivalue=False, required=False) option: Int('uidnumber', attribute=True, cli_name='uid', minvalue=1, multivalue=False, required=False) +option: Bytes('usercertificate', attribute=True, cli_name='certificate', multivalue=True, required=False) option: Str('userclass', attribute=True, cli_name='class', multivalue=True, required=False) option: Password('userpassword', attribute=True, cli_name='password', exclude='webui', multivalue=False, required=False) option: Str('version?', exclude='webui') @@ -4820,7 +4824,7 @@ output: Output('result', , None) output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) command: user_find -args: 1,55,4 +args: 1,56,4 arg: Str('criteria?', noextrawhitespace=False) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('carlicense', attribute=True, autofill=False, cli_name='carlicense', multivalue=True, query=True, required=False) 
@@ -4873,6 +4877,7 @@ option: Int('timelimit?', autofill=False, minvalue=0) option: Str('title', attribute=True, autofill=False, cli_name='title', multivalue=False, query=True, required=False) option: Str('uid', attribute=True, autofill=False, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=False) option: Int('uidnumber', attribute=True, autofill=False, cli_name='uid', minvalue=1, multivalue=False, query=True, required=False) +option: Bytes('usercertificate', attribute=True, autofill=False, cli_name='certificate', multivalue=True, query=True, required=False) option: Str('userclass', attribute=True, autofill=False, cli_name='class', multivalue=True, query=True, required=False) option: Password('userpassword', attribute=True, autofill=False, cli_name='password', exclude='webui', multivalue=False, query=True, required=False) option: Str('version?', exclude='webui') @@ -4882,7 +4887,7 @@ output: ListOfEntries('result', (, ), Gettext('A list output: Output('summary', (, ), None) output: Output('truncated', , None) command: user_mod -args: 1,45,3 +args: 1,46,3 arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') 
@@ -4926,6 +4931,7 @@ option: Str('street', attribute=True, autofill=False, cli_name='street', multiva option: Str('telephonenumber', attribute=True, autofill=False, cli_name='phone', multivalue=True, required=False) option: Str('title', attribute=True, autofill=False, cli_name='title', multivalue=False, required=False) option: Int('uidnumber', attribute=True, autofill=False, cli_name='uid', minvalue=1, multivalue=False, required=False) +option: Bytes('usercertificate', attribute=True, autofill=False, cli_name='certificate', multivalue=True, required=False) option: Str('userclass', attribute=True, autofill=False, cli_name='class', multivalue=True, required=False) option: Password('userpassword', attribute=True, autofill=False, cli_name='password', exclude='webui', multivalue=False, required=False) option: Str('version?', exclude='webui') diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif index af7eedb0b92375f893a61ad1fb6e2d7b176389f9..7b174e774aae3ea012a431fe4a2535fb4230e402 100644 --- a/install/share/default-aci.ldif +++ b/install/share/default-aci.ldif @@ -10,6 +10,7 @@ changetype: modify add: aci aci: (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";) aci: (targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";) +aci: (targetattr = "usercertificate")(version 3.0;acl "selfservice:Users can manage their own X.509 certificates";allow (write) userdn = "ldap:///self";) dn: cn=etc,$SUFFIX changetype: modify 
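Review bot: the `default-aci.ldif` hunk grants every user self-service `write` on `usercertificate` via `userdn = "ldap:///self"`. This is what later lets `cert_request`'s `ldap.can_write(dn, "usercertificate")` succeed for a user's own entry, but it also means a user can store any certificate in their own entry directly, not only ones issued through `cert-request`; anything that later treats `usercertificate` as CA-issued (certificate lookup or mapping for authentication) cannot rely on that. State this trade-off in the commit message, or scope the ACI more narrowly if direct writes are not intended.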
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update index fde3afeee59e4d4dc0bd6a9c0eb24ab255c4e637..4a8b67c6579da4dab74d02861640264446153f87 100644 --- a/install/updates/20-aci.update +++ b/install/updates/20-aci.update @@ -79,3 +79,7 @@ add:aci: (targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Group add:aci: (targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Entities are allowed to rekey themselves"; allow(write) userdn="ldap:///self";) add:aci: (targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Admins are allowed to rekey any entity"; allow(write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) add:aci: (targetfilter="(|(objectclass=ipaHost)(objectclass=ipaService))")(targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Entities are allowed to rekey managed entries"; allow(write) userattr="managedby#USERDN";) + +# User certificates +dn: $SUFFIX +add:aci:(targetattr = "usercertificate")(version 3.0;acl "selfservice:Users can manage their own X.509 certificates";allow (write) userdn = "ldap:///self";) diff --git a/ipalib/plugins/baseuser.py b/ipalib/plugins/baseuser.py index a1be29d83550a0412ed37cfde47ac74c6ca478fd..d2bc68f45ad9a3632a237c01961a30592514d96d 100644 --- a/ipalib/plugins/baseuser.py +++ b/ipalib/plugins/baseuser.py @@ -23,10 +23,11 @@ import posixpath import os from ipalib import api, errors -from ipalib import Flag, Int, Password, Str, Bool, StrEnum, DateTime +from ipalib import Flag, Int, Password, Str, Bool, StrEnum, DateTime, Bytes from ipalib.plugable import Registry from ipalib.plugins.baseldap import DN, LDAPObject, \ LDAPCreate, LDAPUpdate, LDAPSearch, LDAPDelete, LDAPRetrieve +from ipalib.plugins.service import validate_certificate from ipalib.plugins import baseldap from ipalib.request import context from ipalib import _, ngettext 
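Review bot: `ipalib/plugins/baseuser.py` now imports `validate_certificate` from `ipalib.plugins.service`, which makes the base user plugin depend on the service plugin just for a validator; moving `validate_certificate` to a shared helper module that both plugins import would avoid the cross-plugin dependency and the import-order coupling it introduces.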
@@ -188,7 +189,7 @@ class baseuser(LDAPObject): 'telephonenumber', 'title', 'memberof', 'nsaccountlock', 'memberofindirect', 'ipauserauthtype', 'userclass', 'ipatokenradiusconfiglink', 'ipatokenradiususername', - 'krbprincipalexpiration' + 'krbprincipalexpiration', 'usercertificate', ] search_display_attributes = [ 'uid', 'givenname', 'sn', 'homedirectory', 'loginshell', @@ -383,6 +384,11 @@ class baseuser(LDAPObject): + '(\s*,\s*[a-zA-Z]{1,8}(-[a-zA-Z]{1,8})?(;q\=((0(\.[0-9]{0,3})?)|(1(\.0{0,3})?)))?)*)|(\*))$', pattern_errmsg='must match RFC 2068 - 14.4, e.g., "da, en-gb;q=0.8, en;q=0.7"', ), + Bytes('usercertificate*', validate_certificate, + cli_name='certificate', + label=_('Certificate'), + doc=_('Base-64 encoded server certificate'), + ), ) def normalize_and_validate_email(self, email, config=None): diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index 54d47bb01450ec462577e552315e3d680b7648c3..119294b19f54a395a2df65c6cfd47cd8eb844297 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py @@ -267,7 +267,7 @@ class user(baseuser): 'mepmanagedentry', 'mobile', 'objectclass', 'ou', 'pager', 'postalcode', 'roomnumber', 'secretary', 'seealso', 'sn', 'st', 'street', 'telephonenumber', 'title', 'userclass', - 'preferredlanguage', + 'preferredlanguage', 'usercertificate', }, 'replaces': [ '(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,$SUFFIX";)', -- 2.1.0 -------------- next part -------------- 
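Review bot: the new `Bytes('usercertificate*', ...)` parameter in `baseuser` carries `doc=_('Base-64 encoded server certificate')`, copied from the service plugin; for a user object this should read "Base-64 encoded user certificate", since the doc string surfaces as CLI help for `ipa user-add --certificate` and `user-mod`.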
From 06e5f0bfe15ff9edf25a9bc7874de34960947754 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Thu, 14 May 2015 01:45:16 -0400 Subject: [PATCH 11/13] Update cert-request to support user certs and profiles Part of: https://fedorahosted.org/freeipa/ticket/57 Part of: https://fedorahosted.org/freeipa/ticket/4938 --- API.txt | 1 + ipalib/pkcs10.py | 1 + ipalib/plugins/cert.py | 220 +++++++++++++++++++++++++++++-------------------- 3 files changed, 134 insertions(+), 88 deletions(-) diff --git a/API.txt b/API.txt index 78b9a743edb332b904d48cd12b1ef018a4de32dc..7574bc900e7a962b8e67fd773743879e4e5b8c7e 100644 --- a/API.txt +++ b/API.txt @@ -489,6 +489,7 @@ args: 1,5,1 arg: File('csr', cli_name='csr_file') option: Flag('add', autofill=True, default=False) option: Str('principal') +option: Str('profile_id?') option: Str('request_type', autofill=True, default=u'pkcs10') option: Str('version?', exclude='webui') output: Output('result', , None) diff --git a/ipalib/pkcs10.py b/ipalib/pkcs10.py index f35e200a2c1b47e2a2c8cffcf9b723f398fe3221..6299dfea43b7a3f4104f0b0ec78c4f105d9daf62 100644 --- a/ipalib/pkcs10.py +++ b/ipalib/pkcs10.py @@ -30,6 +30,7 @@ PEM = 0 DER = 1 SAN_DNSNAME = 'DNS name' +SAN_RFC822NAME = 'RFC822 Name' SAN_OTHERNAME_UPN = 'Other Name (OID.1.3.6.1.4.1.311.20.2.3)' SAN_OTHERNAME_KRB5PRINCIPALNAME = 'Other Name (OID.1.3.6.1.5.2.2)' diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py index e4cb6dc0aa8b89368806b08674aae277b3653e8f..d122900175db41ba5af429fd47af6cac6533cb6f 100644 --- a/ipalib/plugins/cert.py +++ b/ipalib/plugins/cert.py @@ -31,7 +31,8 @@ from ipalib import ngettext from ipalib.plugable import Registry from ipalib.plugins.virtual import * from ipalib.plugins.baseldap import pkey_to_value -from ipalib.plugins.service import split_principal +from ipalib.plugins.service import split_any_principal +from ipalib.plugins.certprofile import validate_profile_id import base64 import traceback from ipalib.text import _ 
@@ -122,6 +123,8 @@ http://www.ietf.org/rfc/rfc5280.txt """) +USER, HOST, SERVICE = range(3) + register = Registry() def validate_pkidate(ugettext, value): @@ -232,7 +235,7 @@ class cert_request(VirtualCommand): takes_options = ( Str('principal', label=_('Principal'), - doc=_('Service principal for this certificate (e.g. HTTP/test.example.com)'), + doc=_('Principal for this certificate (e.g. HTTP/test.example.com)'), ), Str('request_type', default=u'pkcs10', @@ -243,6 +246,10 @@ class cert_request(VirtualCommand): default=False, autofill=True ), + Str('profile_id?', validate_profile_id, + label=_("Profile ID"), + doc=_("Certificate Profile to use"), + ) ) has_output_params = ( @@ -294,10 +301,9 @@ class cert_request(VirtualCommand): ca_enabled_check() ldap = self.api.Backend.ldap2 - principal = kw.get('principal') add = kw.get('add') request_type = kw.get('request_type') - service = None + profile_id = kw.get('profile_id', self.Backend.ra.DEFAULT_PROFILE) """ Access control is partially handled by the ACI titled @@ -310,9 +316,28 @@ class cert_request(VirtualCommand): taskgroup (directly or indirectly via role membership). """ - bind_principal = getattr(context, 'principal') - # Can this user request certs? - if not bind_principal.startswith('host/'): + principal_string = kw.get('principal') + principal = split_any_principal(principal_string) + servicename, principal_name, realm = principal + if servicename is None: + principal_type = USER + elif servicename == 'host': + principal_type = HOST + else: + principal_type = SERVICE + + bind_principal = split_any_principal(getattr(context, 'principal')) + bind_service, bind_name, bind_realm = bind_principal + + if bind_service is None: + bind_principal_type = USER + elif bind_service == 'host': + bind_principal_type = HOST + else: + bind_principal_type = SERVICE + + if bind_principal != principal and bind_principal_type != HOST: + # Can the bound principal request certs for another principal? self.check_access() try: 
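Review bot: `profile_id = kw.get('profile_id', self.Backend.ra.DEFAULT_PROFILE)` only substitutes the default when the key is absent from `kw`; if the framework fills an omitted `Str('profile_id?')` option with `None`, the backend is then called with `profile_id=None`. Use `kw.get('profile_id') or self.Backend.ra.DEFAULT_PROFILE` (or give the option a `default`) so the fallback is applied in both cases.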
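Review bot: the access-control change `if bind_principal != principal and bind_principal_type != HOST: self.check_access()` skips `check_access()` entirely when the bound principal requests a certificate for itself, whereas before every non-host bind went through `check_access()`. The remaining gates for a self-request are `ldap.can_write(dn, "usercertificate")` (satisfied by the new self-service ACI), the allowed-extensions checks, and whatever profile ACLs Dogtag applies to the caller-supplied `profile_id`, which `validate_profile_id` alone does not restrict. If that is the intended self-service model, please say so in the "Access control is partially handled by the ACI titled ..." comment block just above, which still describes the old rules.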
@@ -323,57 +348,71 @@ class cert_request(VirtualCommand): raise errors.CertificateOperationError( error=_("Failure decoding Certificate Signing Request: %s") % e) - if not bind_principal.startswith('host/'): + # host principals may bypass allowed ext check + if bind_principal_type != HOST: for ext in extensions: operation = self._allowed_extensions.get(ext) if operation: self.check_access(operation) - # Ensure that the hostname in the CSR matches the principal - subject_host = subject.common_name #pylint: disable=E1101 - if not subject_host: + dn = None + principal_obj = None + # See if the service exists and punt if it doesn't and we aren't + # going to add it + try: + if principal_type == SERVICE: + principal_obj = api.Command['service_show'](principal_string, all=True) + elif principal_type == HOST: + principal_obj = api.Command['host_show'](principal_name, all=True) + elif principal_type == USER: + principal_obj = api.Command['user_show'](principal_name, all=True) + except errors.NotFound as e: + if principal_type == SERVICE and add: + principal_obj = api.Command['service_add'](principal_string, force=True) + else: + raise errors.NotFound( + reason=_("The principal for this request doesn't exist.")) + principal_obj = principal_obj['result'] + dn = principal_obj['dn'] + + # Ensure that the DN in the CSR matches the principal + cn = subject.common_name #pylint: disable=E1101 + if not cn: raise errors.ValidationError(name='csr', - error=_("No hostname was found in subject of request.")) + error=_("No Common Name was found in subject of request.")) - (servicename, hostname, realm) = split_principal(principal) - if subject_host.lower() != hostname.lower(): - raise errors.ACIError( - info=_("hostname in subject of request '%(subject_host)s' " - "does not match principal hostname '%(hostname)s'") % dict( - subject_host=subject_host, hostname=hostname)) + if principal_type in (SERVICE, HOST): + if cn.lower() != principal_name.lower(): + raise errors.ACIError( + 
info=_("hostname in subject of request '%(cn)s' " + "does not match principal hostname '%(hostname)s'") + % dict(cn=cn, hostname=principal_name)) + elif principal_type == USER: + # check user name + if cn != principal_name: + raise errors.ValidationError( + name='csr', + error=_( + "DN commonName does not match " + "any of user's email addresses") + ) + + # check email address + mail = subject.email_address #pylint: disable=E1101 + if mail is not None and mail not in principal_obj.get('mail', []): + raise errors.ValidationError( + name='csr', + error=_( + "DN emailAddress does not match " + "any of user's email addresses") + ) for ext in extensions: if ext not in self._allowed_extensions: raise errors.ValidationError( name='csr', error=_("extension %s is forbidden") % ext) - for name_type, name in subjectaltname: - if name_type not in (pkcs10.SAN_DNSNAME, - pkcs10.SAN_OTHERNAME_KRB5PRINCIPALNAME, - pkcs10.SAN_OTHERNAME_UPN): - raise errors.ValidationError( - name='csr', - error=_("subject alt name type %s is forbidden") % - name_type) - - dn = None - service = None - # See if the service exists and punt if it doesn't and we aren't - # going to add it - try: - if servicename != 'host': - service = api.Command['service_show'](principal, all=True) - else: - service = api.Command['host_show'](hostname, all=True) - except errors.NotFound, e: - if not add: - raise errors.NotFound(reason=_("The service principal for " - "this request doesn't exist.")) - service = api.Command['service_add'](principal, force=True) - service = service['result'] - dn = service['dn'] - - # We got this far so the service entry exists, can we write it? + # We got this far so the principal entry exists, can we write it? if not ldap.can_write(dn, "usercertificate"): raise errors.ACIError(info=_("Insufficient 'write' privilege " "to the 'userCertificate' attribute of entry '%s'.") % dn) 
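Review bot: In the `@@ -323,57 +348,71 @@` hunk, the USER branch raises the wrong message: the check is `if cn != principal_name:` (user name), but the error text reads "DN commonName does not match any of user's email addresses", copied from the emailAddress check that follows; it should say the commonName does not match the user name. The same comparison is case-sensitive while the SERVICE/HOST branch lowercases both sides; decide whether user names are case-insensitive here and make the two branches consistent. Also `except errors.NotFound as e:` binds `e` without using it, and the `add` option is now honoured only for SERVICE principals (HOST and USER NotFound always raise), which is reasonable but worth a line in the commit message since the old code called `service_add` for any missing principal.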
@@ -382,13 +421,20 @@ class cert_request(VirtualCommand): for name_type, name in subjectaltname: if name_type == pkcs10.SAN_DNSNAME: name = unicode(name) + alt_principal_obj = None try: - if servicename == 'host': - altservice = api.Command['host_show'](name, all=True) - else: + if principal_type == HOST: + alt_principal_obj = api.Command['host_show'](name, all=True) + elif principal_type == SERVICE: altprincipal = '%s/%s@%s' % (servicename, name, realm) - altservice = api.Command['service_show']( + alt_principal_obj = api.Command['service_show']( altprincipal, all=True) + elif principal_type == USER: + raise errors.ValidationError( + name='csr', + error=_("subject alt name type %s is forbidden " + "for user principals") % name_type + ) except errors.NotFound: # We don't want to issue any certificates referencing # machines we don't know about. Nothing is stored in this 
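Review bot: In the `@@ -382,13 +421,20 @@` hunk, the `except errors.NotFound` branch still raises "The service principal for subject alt name %s in certificate request does not exist" even when `principal_type == HOST` and the failing lookup was `host_show`; reword the message to "principal" to match the rest of the patch. The USER case raises `errors.ValidationError` from inside the `try`, which only works because it is not a `NotFound`; rejecting dNSName SANs for user principals before the `try` block would make the intent clearer and avoid the `alt_principal_obj is not None` guard being needed for that path.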
@@ -396,47 +442,41 @@ class cert_request(VirtualCommand): raise errors.NotFound(reason=_('The service principal for ' 'subject alt name %s in certificate request does not ' 'exist') % name) - altdn = altservice['result']['dn'] - if not ldap.can_write(altdn, "usercertificate"): - raise errors.ACIError(info=_( - "Insufficient privilege to create a certificate with " - "subject alt name '%s'.") % name) + if alt_principal_obj is not None: + altdn = alt_principal_obj['result']['dn'] + if not ldap.can_write(altdn, "usercertificate"): + raise errors.ACIError(info=_( + "Insufficient privilege to create a certificate " + "with subject alt name '%s'.") % name) elif name_type in (pkcs10.SAN_OTHERNAME_KRB5PRINCIPALNAME, pkcs10.SAN_OTHERNAME_UPN): - if name != principal: + if name != principal_string: raise errors.ACIError( info=_("Principal '%s' in subject alt name does not " - "match requested service principal") % name) + "match requested principal") % name) + elif name_type == pkcs10.SAN_RFC822NAME: + if principal_type == USER: + if name not in principal_obj.get('mail', []): + raise errors.ValidationError( + name='csr', + error=_( + "RFC822Name does not match " + "any of user's email addresses") + ) + else: + raise errors.ValidationError( + name='csr', + error=_("subject alt name type %s is forbidden " + "for non-user principals") % name_type + ) else: raise errors.ACIError( info=_("Subject alt name type %s is forbidden") % name_type) - if 'usercertificate' in service: - serial = x509.get_serial_number(service['usercertificate'][0], datatype=x509.DER) - # revoke the certificate and remove it from the service - # entry before proceeding. First we retrieve the certificate to - # see if it is already revoked, if not then we revoke it. 
- try: - result = api.Command['cert_show'](unicode(serial))['result'] - if 'revocation_reason' not in result: - try: - api.Command['cert_revoke'](unicode(serial), revocation_reason=4) - except errors.NotImplementedError: - # some CA's might not implement revoke - pass - except errors.NotImplementedError: - # some CA's might not implement get - pass - if not principal.startswith('host/'): - api.Command['service_mod'](principal, usercertificate=None) - else: - hostname = get_host_from_principal(principal) - api.Command['host_mod'](hostname, usercertificate=None) - # Request the certificate result = self.Backend.ra.request_certificate( - csr, 'caIPAserviceCert', request_type=request_type) + csr, profile_id, request_type=request_type) cert = x509.load_certificate(result['certificate']) result['issuer'] = unicode(cert.issuer) result['valid_not_before'] = unicode(cert.valid_not_before_str) 
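Review bot: The `@@ -396,47 +442,41 @@` hunk silently drops a security-relevant behaviour: the removed block revoked the certificate already stored on the entry (`cert_revoke(..., revocation_reason=4)`, i.e. superseded) and cleared `usercertificate` before issuing a new one; after this change a re-request leaves every previously issued certificate valid and in place. Either keep the revoke-and-clear logic (at least for the non-`addattr` case) or call the change out explicitly in the commit message so operators know old certificates must now be revoked by hand. On the positive side, the `SAN_RFC822NAME` branch correctly limits email SANs to addresses in the user's `mail` attribute and rejects them for non-user principals.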
@@ -444,15 +484,19 @@ class cert_request(VirtualCommand): result['md5_fingerprint'] = unicode(nss.data_to_hex(nss.md5_digest(cert.der_data), 64)[0]) result['sha1_fingerprint'] = unicode(nss.data_to_hex(nss.sha1_digest(cert.der_data), 64)[0]) - # Success? Then add it to the service entry. - if 'certificate' in result: - if not principal.startswith('host/'): - skw = {"usercertificate": str(result.get('certificate'))} - api.Command['service_mod'](principal, **skw) - else: - hostname = get_host_from_principal(principal) - skw = {"usercertificate": str(result.get('certificate'))} - api.Command['host_mod'](hostname, **skw) + # Success? Then add it to the principal's entry + # (unless the profile tells us not to) + profile = api.Command['certprofile_show'](profile_id) + store = profile['result']['ipacertprofilestoreissued'][0] == 'TRUE' + if store and 'certificate' in result: + cert = str(result.get('certificate')) + kwargs = dict(addattr=u'usercertificate={}'.format(cert)) + if principal_type == SERVICE: + api.Command['service_mod'](principal_string, **kwargs) + elif principal_type == HOST: + api.Command['host_mod'](principal_name, **kwargs) + elif principal_type == USER: + api.Command['user_mod'](principal_name, **kwargs) return dict( result=result -- 2.1.0 -------------- next part -------------- From 1a82ff0ea955522a43018d7d1f47c23ac0de94b2 Mon Sep 17 00:00:00 2001 
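Review bot: In the `@@ -444,15 +484,19 @@` hunk, `profile = api.Command['certprofile_show'](profile_id)` runs after `request_certificate` has already issued the certificate; if the profile entry is missing from LDAP (or the caller lacks read access to it), `certprofile_show` raises, the command fails, and a valid certificate has been issued that is stored nowhere. Resolve the profile and its `ipacertprofilestoreissued` flag up front, where `profile_id` is read from `kw`, so an unknown profile fails before the CA is contacted. Also note that `addattr=u'usercertificate={}'` appends rather than replaces, which together with the removed revocation block means entries accumulate certificates across repeated requests.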
From: Fraser Tweedale Date: Mon, 25 May 2015 08:39:07 -0400 Subject: [PATCH 12/13] Add CA ACL plugin Implement the caacl commands, which are used to indicate which principals may be issued certificates from which (sub-)CAs, using which profiles. At this commit, and until sub-CAs are implemented, all rules refer to the top-level CA (represented as ".") and no ca-ref argument is exposed. Also add a default CA ACL that permits certificate issuance for all hosts and services using the profile 'caIPAserviceCert' on the top-level CA. Part of: https://fedorahosted.org/freeipa/ticket/57 Part of: https://fedorahosted.org/freeipa/ticket/4559 --- ACI.txt | 10 + API.txt | 171 +++++++++++++++ VERSION | 4 +- install/share/60certificate-profiles.ldif | 8 + install/share/Makefile.am | 1 + install/share/bootstrap-template.ldif | 6 + install/share/default-caacl.ldif | 12 ++ install/updates/41-caacl.update | 4 + install/updates/Makefile.am | 1 + ipalib/constants.py | 1 + ipalib/plugins/caacl.py | 343 ++++++++++++++++++++++++++++++ ipaserver/install/dsinstance.py | 4 + 12 files changed, 563 insertions(+), 2 deletions(-) create mode 100644 install/share/default-caacl.ldif create mode 100644 install/updates/41-caacl.update create mode 100644 ipalib/plugins/caacl.py diff --git a/ACI.txt b/ACI.txt index 59173ac1b593f15e079c7b1fce43ec9b0084ec91..88c8529f92becbbc0704d0888cd901b4e6c3da65 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -22,6 +22,16 @@ dn: cn=automount,dc=ipa,dc=example aci: (targetattr = "automountmapname || description")(targetfilter = "(objectclass=automountmap)")(version 3.0;acl "permission:System: Modify Automount Maps";allow (write) groupdn = "ldap:///cn=System: Modify Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=automount,dc=ipa,dc=example aci: (targetfilter = "(objectclass=automountmap)")(version 3.0;acl "permission:System: Remove Automount Maps";allow (delete) groupdn = "ldap:///cn=System: Remove Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=caacls,cn=ca,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Add CA ACL";allow (add) groupdn = "ldap:///cn=System: Add CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=caacls,cn=ca,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Delete CA ACL";allow (delete) groupdn = "ldap:///cn=System: Delete CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=caacls,cn=ca,dc=ipa,dc=example +aci: (targetattr = "ipacaaclallhosts || ipacaaclallservices || ipacaaclallusers || memberhost || memberservice || memberuser")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Manage CA ACL Membership";allow (write) groupdn = "ldap:///cn=System: Manage CA ACL Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=caacls,cn=ca,dc=ipa,dc=example +aci: (targetattr = "cn || description || ipacaaclallcas || ipacaaclallprofiles || ipacaaclcaref || ipacaaclprofileid || ipaenabledflag")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Modify CA ACL";allow (write) groupdn = "ldap:///cn=System: Modify CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=caacls,cn=ca,dc=ipa,dc=example +aci: (targetattr = "cn || createtimestamp || description || entryusn || ipacaaclallcas || ipacaaclallhosts || ipacaaclallprofiles || ipacaaclallservices 
|| ipacaaclallusers || ipacaaclcaref || ipacaaclprofileid || ipaenabledflag || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Read CA ACLs";allow (compare,read,search) userdn = "ldap:///all";) dn: cn=certprofiles,cn=ca,dc=ipa,dc=example aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Delete Certificate Profile";allow (delete) groupdn = "ldap:///cn=System: Delete Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=certprofiles,cn=ca,dc=ipa,dc=example diff --git a/API.txt b/API.txt index 7574bc900e7a962b8e67fd773743879e4e5b8c7e..25b083addd2660b8ab787f0e6d0bdde13bc7dd4c 100644 --- a/API.txt +++ b/API.txt 
@@ -456,6 +456,177 @@ option: Str('version?', exclude='webui') output: Output('result', , None) output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) +command: caacl_add +args: 1,15,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, required=True) +option: Str('addattr*', cli_name='addattr', exclude='webui') +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('description', attribute=True, cli_name='desc', multivalue=False, required=False) +option: Bool('ipacaaclallcas', attribute=True, cli_name='allcas', multivalue=False, required=False) +option: Bool('ipacaaclallhosts', attribute=True, cli_name='allhosts', multivalue=False, required=False) +option: Bool('ipacaaclallprofiles', attribute=True, cli_name='allprofiles', multivalue=False, required=False) +option: Bool('ipacaaclallservices', attribute=True, cli_name='allservices', multivalue=False, required=False) +option: Bool('ipacaaclallusers', attribute=True, cli_name='allusers', multivalue=False, required=False) +option: Str('ipacaaclcaref', attribute=True, cli_name='ca_ref', multivalue=True, required=False) +option: Str('ipacaaclprofileid', attribute=True, cli_name='profile_id', multivalue=True, required=False) +option: Bool('ipaenabledflag', attribute=True, cli_name='ipaenabledflag', multivalue=False, required=False) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('setattr*', cli_name='setattr', exclude='webui') +option: Str('version?', exclude='webui') +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) +command: caacl_add_host +args: 1,6,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) 
+option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('host*', alwaysask=True, cli_name='hosts', csv=True) +option: Str('hostgroup*', alwaysask=True, cli_name='hostgroups', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: caacl_add_service +args: 1,5,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('service*', alwaysask=True, cli_name='services', csv=True) +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: caacl_add_user +args: 1,6,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('group*', alwaysask=True, cli_name='groups', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('user*', alwaysask=True, cli_name='users', csv=True) +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing 
an LDAP entry', domain='ipa', localedir=None)) +command: caacl_del +args: 1,2,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=True, primary_key=True, query=True, required=True) +option: Flag('continue', autofill=True, cli_name='continue', default=False) +option: Str('version?', exclude='webui') +output: Output('result', , None) +output: Output('summary', (, ), None) +output: ListOfPrimaryKeys('value', None, None) +command: caacl_disable +args: 1,1,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Str('version?', exclude='webui') +output: Output('result', , None) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) +command: caacl_enable +args: 1,1,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Str('version?', exclude='webui') +output: Output('result', , None) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) +command: caacl_find +args: 1,17,4 +arg: Str('criteria?', noextrawhitespace=False) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('cn', attribute=True, autofill=False, cli_name='name', multivalue=False, primary_key=True, query=True, required=False) +option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, query=True, required=False) +option: Bool('ipacaaclallcas', attribute=True, autofill=False, cli_name='allcas', multivalue=False, query=True, required=False) +option: Bool('ipacaaclallhosts', attribute=True, autofill=False, cli_name='allhosts', multivalue=False, query=True, required=False) +option: Bool('ipacaaclallprofiles', attribute=True, autofill=False, cli_name='allprofiles', multivalue=False, query=True, required=False) +option: Bool('ipacaaclallservices', attribute=True, autofill=False, cli_name='allservices', multivalue=False, query=True, 
required=False) +option: Bool('ipacaaclallusers', attribute=True, autofill=False, cli_name='allusers', multivalue=False, query=True, required=False) +option: Str('ipacaaclcaref', attribute=True, autofill=False, cli_name='ca_ref', multivalue=True, query=True, required=False) +option: Str('ipacaaclprofileid', attribute=True, autofill=False, cli_name='profile_id', multivalue=True, query=True, required=False) +option: Bool('ipaenabledflag', attribute=True, autofill=False, cli_name='ipaenabledflag', multivalue=False, query=True, required=False) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('pkey_only?', autofill=True, default=False) +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Int('sizelimit?', autofill=False, minvalue=0) +option: Int('timelimit?', autofill=False, minvalue=0) +option: Str('version?', exclude='webui') +output: Output('count', , None) +output: ListOfEntries('result', (, ), Gettext('A list of LDAP entries', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: Output('truncated', , None) +command: caacl_mod +args: 1,17,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Str('addattr*', cli_name='addattr', exclude='webui') +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('delattr*', cli_name='delattr', exclude='webui') +option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, required=False) +option: Bool('ipacaaclallcas', attribute=True, autofill=False, cli_name='allcas', multivalue=False, required=False) +option: Bool('ipacaaclallhosts', attribute=True, autofill=False, cli_name='allhosts', multivalue=False, required=False) +option: Bool('ipacaaclallprofiles', attribute=True, autofill=False, cli_name='allprofiles', multivalue=False, required=False) +option: Bool('ipacaaclallservices', 
attribute=True, autofill=False, cli_name='allservices', multivalue=False, required=False) +option: Bool('ipacaaclallusers', attribute=True, autofill=False, cli_name='allusers', multivalue=False, required=False) +option: Str('ipacaaclcaref', attribute=True, autofill=False, cli_name='ca_ref', multivalue=True, required=False) +option: Str('ipacaaclprofileid', attribute=True, autofill=False, cli_name='profile_id', multivalue=True, required=False) +option: Bool('ipaenabledflag', attribute=True, autofill=False, cli_name='ipaenabledflag', multivalue=False, required=False) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Flag('rights', autofill=True, default=False) +option: Str('setattr*', cli_name='setattr', exclude='webui') +option: Str('version?', exclude='webui') +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) +command: caacl_remove_host +args: 1,6,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('host*', alwaysask=True, cli_name='hosts', csv=True) +option: Str('hostgroup*', alwaysask=True, cli_name='hostgroups', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: caacl_remove_service +args: 1,5,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) 
+option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('service*', alwaysask=True, cli_name='services', csv=True) +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: caacl_remove_user +args: 1,6,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('group*', alwaysask=True, cli_name='groups', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('user*', alwaysask=True, cli_name='users', csv=True) +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: caacl_show +args: 1,5,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Flag('rights', autofill=True, default=False) +option: Str('version?', exclude='webui') +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) command: cert_find args: 0,17,4 
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') diff --git a/VERSION b/VERSION index 2ad3827923bc0f404513300edc8498ed6717c571..3dad789f0b673c1dc11cf6e938c5f7096078027e 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=123 -# Last change: rcritten - added service constraint delegation plugin +IPA_API_VERSION_MINOR=124 +# Last change: ftweedal - add certprofile and caacl plugins diff --git a/install/share/60certificate-profiles.ldif b/install/share/60certificate-profiles.ldif index f1281949e53386e5bfe8b35e0c15858c693c5467..d8f008c5baed4e0021944bcbaa7256aa250e5c23 100644 --- a/install/share/60certificate-profiles.ldif +++ b/install/share/60certificate-profiles.ldif 
@@ -1,3 +1,11 @@ dn: cn=schema attributeTypes: (2.16.840.1.113730.3.8.21.1.1 NAME 'ipaCertProfileStoreIssued' DESC 'Store certificates issued using this profile' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.2' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.2 NAME 'ipaCaAclCaRef' DESC 'Certificate Authority Reference' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 X-ORIGIN 'IPA v4.2' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.3 NAME 'ipaCaAclProfileId' DESC 'Certificate Profile ID' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 X-ORIGIN 'IPA v4.2' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.4 NAME 'ipaCaAclAllCAs' DESC 'Allow use of all CAs' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.2' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.5 NAME 'ipaCaAclAllProfiles' DESC 'Allow ues of all profiles' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.2' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.6 NAME 'ipaCaAclAllUsers' DESC 'Allow all users' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.2' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.7 NAME 'ipaCaAclAllHosts' DESC 'Allow all hosts' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.2' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.8 NAME 'ipaCaAclAllServices' DESC 'Allow all services' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.2' ) objectClasses: (2.16.840.1.113730.3.8.21.2.1 NAME 'ipaCertProfile' SUP top STRUCTURAL MUST ( cn $ description $ ipaCertProfileStoreIssued ) X-ORIGIN 'IPA v4.2' ) +objectClasses: (2.16.840.1.113730.3.8.21.2.2 NAME 'ipaCaAcl' SUP ipaAssociation STRUCTURAL MUST cn MAY ( ipaCaAclCaRef $ ipaCaAclProfileId $ ipaCaAclAllCAs $ ipaCaAclAllProfiles $ ipaCaAclAllUsers $ ipaCaAclAllHosts $ ipaCaAclAllServices $ 
memberService ) X-ORIGIN 'IPA v4.2' ) diff --git a/install/share/Makefile.am b/install/share/Makefile.am index 31f391be25c58b76cc71971852074d80c5514745..e97a89ca93f7f188e06dc982bd69e251f8082df3 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -29,6 +29,7 @@ app_DATA = \ bootstrap-template.ldif \ caJarSigningCert.cfg.template \ default-aci.ldif \ + default-caacl.ldif \ default-hbac.ldif \ default-smb-group.ldif \ default-trust-view.ldif \ diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif index c5d4bad8b80640881f4631e4873a12c82b0ea48a..2387f220fd4fe6e3ccd59f4b592f2473d7acfa44 100644 --- a/install/share/bootstrap-template.ldif +++ b/install/share/bootstrap-template.ldif @@ -441,3 +441,9 @@ changetype: add objectClass: nsContainer objectClass: top cn: certprofiles + +dn: cn=caacls,cn=ca,$SUFFIX +changetype: add +objectClass: nsContainer +objectClass: top +cn: caacls diff --git a/install/share/default-caacl.ldif b/install/share/default-caacl.ldif new file mode 100644 index 0000000000000000000000000000000000000000..b902c2f84a6898ae51e8123956496d64b6356d3e --- /dev/null +++ b/install/share/default-caacl.ldif @@ -0,0 +1,12 @@ +# default CA ACL that grants use of caIPAserviceCert on top-level CA to all hosts and services +dn: ipauniqueid=autogenerate,cn=caacls,cn=ca,$SUFFIX +changetype: add +objectclass: ipaassociation +objectclass: ipacaacl +ipauniqueid: autogenerate +cn: hosts_services_caIPAserviceCert +ipaenabledflag: TRUE +ipacaaclcaref: . +ipacaaclprofileid: caIPAserviceCert +ipacaaclallhosts: TRUE +ipacaaclallservices: TRUE diff --git a/install/updates/41-caacl.update b/install/updates/41-caacl.update new file mode 100644 index 0000000000000000000000000000000000000000..a18b6ec946855c194077d9ac01a8adcfddf8542e --- /dev/null +++ b/install/updates/41-caacl.update @@ -0,0 +1,4 @@ +dn: cn=caacls,cn=ca,$SUFFIX +default: objectClass: nsContainer +default: objectClass: top +default: cn: caacls 
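Review bot: In the `60certificate-profiles.ldif` hunk (`@@ -1,3 +1,11 @@`), the DESC of `ipaCaAclAllProfiles` reads "Allow ues of all profiles"; it should be "Allow use of all profiles". Schema DESC strings shipped in an ldif are awkward to correct after installations exist, so fix it before merge.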
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am index fc6bd624eac619cdddeba29b85440571d85fd69f..eddf4d850ed4b47d5526dc152149fa21b14779d4 100644 --- a/install/updates/Makefile.am +++ b/install/updates/Makefile.am @@ -35,6 +35,7 @@ app_DATA = \ 40-certprofile.update \ 40-otp.update \ 40-vault.update \ + 41-caacl.update \ 45-roles.update \ 50-7_bit_check.update \ 50-dogtag10-migration.update \ diff --git a/ipalib/constants.py b/ipalib/constants.py index 96396a236b8694b3dd988dfe28c1b0c3cc9e3180..9812f843e1e4ced9244f3efd6a9bb6f4c2769655 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -119,6 +119,7 @@ DEFAULT_CONFIG = ( ('container_views', DN(('cn', 'views'), ('cn', 'accounts'))), ('container_masters', DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'))), ('container_certprofile', DN(('cn', 'certprofiles'), ('cn', 'ca'))), + ('container_caacl', DN(('cn', 'caacls'), ('cn', 'ca'))), # Ports, hosts, and URIs: ('xmlrpc_uri', 'http://localhost:8888/ipa/xml'), diff --git a/ipalib/plugins/caacl.py b/ipalib/plugins/caacl.py new file mode 100644 index 0000000000000000000000000000000000000000..84dc6d3c4db5f46d76bed560023b7cb63c5513b1 --- /dev/null +++ b/ipalib/plugins/caacl.py 
@@ -0,0 +1,343 @@ +# +# Copyright (C) 2015 FreeIPA Contributors see COPYING for license +# + +from ipalib import api, errors, output +from ipalib import Bool, Str +from ipalib.plugable import Registry +from ipalib.plugins.baseldap import ( + LDAPObject, LDAPSearch, LDAPCreate, LDAPDelete, LDAPQuery, + LDAPUpdate, LDAPRetrieve, LDAPAddMember, LDAPRemoveMember, + pkey_to_value) +from ipalib.plugins.certprofile import validate_profile_id +from ipalib import _, ngettext +from ipapython.dn import DN + + +__doc__ = _(""" +Manage CA ACL rules. + +This plugin is used to define rules governing which principals are +permitted to have certificates issued using a given certificate +profile. + +PROFILE ID SYNTAX: + +A Profile ID is a string without spaces or punctuation starting with a letter +and followed by a sequence of letters, digits or underscore ("_"). + +EXAMPLES: + + Create a CA ACL "test" that grants all users access to the + "UserCert" profile: + ipa caacl-add test --profile-id=UserCert --allusers=1 + + Display the properties of a named CA ACL: + ipa caacl-show test + + Create a CA ACL to let user "alice" use the "DNP3" profile: + ipa caacl-add john_dnp3 --profile-id=DNP3 + ipa caacl-add-user --user=alice + + Disable a CA ACL: + ipa caacl-disable test + + Remove a CA ACL: + ipa caacl-del test +""") + +register = Registry() + + + at register() +class caacl(LDAPObject): + """ + CA ACL object. 
+ """ + container_dn = api.env.container_caacl + object_name = _('CA ACL') + object_name_plural = _('CA ACLs') + object_class = ['ipaassociation', 'ipacaacl'] + permission_filter_objectclasses = ['ipacaacl'] + default_attributes = [ + 'cn', 'description', 'ipaenabledflag', + 'ipacaaclprofileid', 'ipacaaclcaref', + 'ipacaaclallcas', 'ipacaaclallprofiles', + 'ipacaaclallusers', 'ipacaaclallhosts', 'ipacaaclallservices', + 'memberuser', 'memberhost', 'memberservice', 'memberhostgroup', + ] + uuid_attribute = 'ipauniqueid' + rdn_attribute = 'ipauniqueid' + attribute_members = { + 'memberuser': ['user', 'group'], + 'memberhost': ['host', 'hostgroup'], + 'memberservice': ['service'], + } + managed_permissions = { + 'System: Read CA ACLs': { + 'replaces_global_anonymous_aci': True, + 'ipapermbindruletype': 'all', + 'ipapermright': {'read', 'search', 'compare'}, + 'ipapermdefaultattr': { + 'cn', 'description', 'ipaenabledflag', + 'ipacaaclprofileid', 'ipacaaclcaref', + 'ipacaaclallcas', 'ipacaaclallprofiles', + 'ipacaaclallusers', 'ipacaaclallhosts', 'ipacaaclallservices', + 'ipauniqueid', 'memberhost', 'memberservice', 'memberuser', + 'objectclass', 'member', + }, + }, + 'System: Add CA ACL': { + 'ipapermright': {'add'}, + 'replaces': [ + '(target = "ldap:///ipauniqueid=*,cn=caacls,cn=ca,$SUFFIX")(version 3.0;acl "permission:Add CA ACL";allow (add) groupdn = "ldap:///cn=Add CA ACL,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + 'System: Delete CA ACL': { + 'ipapermright': {'delete'}, + 'replaces': [ + '(target = "ldap:///ipauniqueid=*,cn=caacls,cn=ca,$SUFFIX")(version 3.0;acl "permission:Delete CA ACL";allow (delete) groupdn = "ldap:///cn=Delete CA ACL,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + 'System: Manage CA ACL Membership': { + 'ipapermright': {'write'}, + 'ipapermdefaultattr': { + 'memberhost', 'memberservice', 'memberuser', + 'ipacaaclallusers', 'ipacaaclallhosts', 
'ipacaaclallservices', + }, + 'replaces': [ + '(targetattr = "memberuser || memberservice || memberhost || ipacaaclallusers || ipacaaclallhosts || ipacaaclallservices")(target = "ldap:///ipauniqueid=*,cn=caacls,cn=ca,$SUFFIX")(version 3.0;acl "permission:Manage CA ACL membership";allow (write) groupdn = "ldap:///cn=Manage CA ACL membership,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + 'System: Modify CA ACL': { + 'ipapermright': {'write'}, + 'ipapermdefaultattr': { + 'cn', 'description', 'ipaenabledflag', + 'ipacaaclallcas', 'ipacaaclallprofiles', + 'ipacaaclprofileid', 'ipacaaclcaref', + }, + 'replaces': [ + '(targetattr = "cn || description || ipaenabledflag || ipacaaclprofileid || ipacaaclcaref || ipacaaclallcas || ipacaaclallprofiles")(target = "ldap:///ipauniqueid=*,cn=caacls,cn=ca,$SUFFIX")(version 3.0;acl "permission:Modify CA ACL";allow (write) groupdn = "ldap:///cn=Modify CA ACL,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + } + + label = _('CA ACLs') + label_singular = _('CA ACL') + + takes_params = ( + Str('cn', + cli_name='name', + label=_('ACL name'), + primary_key=True, + ), + Str('description?', + cli_name='desc', + label=_('Description'), + ), + Bool('ipaenabledflag?', + label=_('Enabled'), + flags=['no_option'], + ), + Str('ipacaaclprofileid*', validate_profile_id, + cli_name='profile_id', + label=_('Profile ID'), + ), + Str('ipacaaclcaref*', # validate sub-CA handle syntax + cli_name='ca_ref', + label=_('CA Reference'), + flags=['no_option', 'no_output'], # until sub-CAs are implemented + ), + Bool('ipacaaclallcas?', + cli_name='allcas', + label=_('Allow use of all CAs'), + flags=['no_option', 'no_output'], # until sub-CAs are implemented + ), + Bool('ipacaaclallprofiles?', + cli_name='allprofiles', + label=_('Allow use of all profiles'), + ), + Bool('ipacaaclallusers?', + cli_name='allusers', + label=_('Allow all users'), + ), + 
Bool('ipacaaclallhosts?', + cli_name='allhosts', + label=_('Allow all hosts'), + ), + Bool('ipacaaclallservices?', + cli_name='allservices', + label=_('Allow all services'), + ), + Str('memberuser_user?', + label=_('Users'), + flags=['no_create', 'no_update', 'no_search'], + ), + Str('memberuser_group?', + label=_('User Groups'), + flags=['no_create', 'no_update', 'no_search'], + ), + Str('memberhost_host?', + label=_('Hosts'), + flags=['no_create', 'no_update', 'no_search'], + ), + Str('memberhost_hostgroup?', + label=_('Host Groups'), + flags=['no_create', 'no_update', 'no_search'], + ), + Str('memberservice_service?', + label=_('Services'), + flags=['no_create', 'no_update', 'no_search'], + ), + ) + + + at register() +class caacl_add(LDAPCreate): + __doc__ = _('Create a new CA ACL.') + + msg_summary = _('Added CA ACL "%(value)s"') + + def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + # CA ACLs are enabled by default + entry_attrs['ipaenabledflag'] = ['TRUE'] + entry_attrs['ipacaaclcaref'] = ['.'] + return dn + + + at register() +class caacl_del(LDAPDelete): + __doc__ = _('Delete a CA ACL.') + + msg_summary = _('Deleted CA ACL "%(value)s"') + + + at register() +class caacl_mod(LDAPUpdate): + __doc__ = _('Modify a CA ACL.') + + msg_summary = _('Modified CA ACL "%(value)s"') + + + at register() +class caacl_find(LDAPSearch): + __doc__ = _('Search for CA ACLs.') + + msg_summary = ngettext( + '%(count)d CA ACL matched', '%(count)d CA ACLs matched', 0 + ) + + + at register() +class caacl_show(LDAPRetrieve): + __doc__ = _('Display the properties of a CA ACL.') + + + at register() +class caacl_enable(LDAPQuery): + __doc__ = _('Enable a CA ACL.') + + msg_summary = _('Enabled CA ACL "%(value)s"') + has_output = output.standard_value + + def execute(self, cn, **options): + ldap = self.obj.backend + + dn = self.obj.get_dn(cn) + try: + entry_attrs = ldap.get_entry(dn, ['ipaenabledflag']) + except errors.NotFound: + self.obj.handle_not_found(cn) + 
+ entry_attrs['ipaenabledflag'] = ['TRUE'] + + try: + ldap.update_entry(entry_attrs) + except errors.EmptyModlist: + pass + + return dict( + result=True, + value=pkey_to_value(cn, options), + ) + + + at register() +class caacl_disable(LDAPQuery): + __doc__ = _('Disable a CA ACL.') + + msg_summary = _('Disabled CA ACL "%(value)s"') + has_output = output.standard_value + + def execute(self, cn, **options): + ldap = self.obj.backend + + dn = self.obj.get_dn(cn) + try: + entry_attrs = ldap.get_entry(dn, ['ipaenabledflag']) + except errors.NotFound: + self.obj.handle_not_found(cn) + + entry_attrs['ipaenabledflag'] = ['FALSE'] + + try: + ldap.update_entry(entry_attrs) + except errors.EmptyModlist: + pass + + return dict( + result=True, + value=pkey_to_value(cn, options), + ) + + + at register() +class caacl_add_user(LDAPAddMember): + __doc__ = _('Add users and groups to a CA ACL.') + + member_attributes = ['memberuser'] + member_count_out = ('%i object added.', '%i objects added.') + + + at register() +class caacl_remove_user(LDAPRemoveMember): + __doc__ = _('Remove users and groups from a CA ACL.') + + member_attributes = ['memberuser'] + member_count_out = ('%i object removed.', '%i objects removed.') + + + at register() +class caacl_add_host(LDAPAddMember): + __doc__ = _('Add target hosts and hostgroups to a CA ACL.') + + member_attributes = ['memberhost'] + member_count_out = ('%i object added.', '%i objects added.') + + + at register() +class caacl_remove_host(LDAPRemoveMember): + __doc__ = _('Remove target hosts and hostgroups from a CA ACL.') + + member_attributes = ['memberhost'] + member_count_out = ('%i object removed.', '%i objects removed.') + + + at register() +class caacl_add_service(LDAPAddMember): + __doc__ = _('Add services to a CA ACL.') + + member_attributes = ['memberservice'] + member_count_out = ('%i object added.', '%i objects added.') + + + at register() +class caacl_remove_service(LDAPRemoveMember): + __doc__ = _('Remove service and service 
groups from a CA ACL.') + + member_attributes = ['memberservice'] + member_count_out = ('%i object removed.', '%i objects removed.') diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 2acab13f247ed18a750f0e1cbbd98f4e63718c03..9f24189b6e442e0c55d5de41d15a03f89ecc9578 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -307,6 +307,7 @@ class DsInstance(service.Service): self.step("adding range check plugin", self.__add_range_check_plugin) if hbac_allow: self.step("creating default HBAC rule allow_all", self.add_hbac) + self.step("creating default CA ACL rule", self.add_caacl) self.step("adding entries for topology management", self.__add_topology_entries) self.__common_post_setup() @@ -741,6 +742,9 @@ class DsInstance(service.Service): def add_hbac(self): self._ldap_mod("default-hbac.ldif", self.sub_dict) + def add_caacl(self): + self._ldap_mod("default-caacl.ldif", self.sub_dict) + def change_admin_password(self, password): root_logger.debug("Changing admin password") dirname = config_dirname(self.serverid) -- 2.1.0 -------------- next part -------------- From eae62b6e9280b1e7fefcec6e80e9a12fdd4b7c48 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 26 May 2015 04:44:20 -0400 Subject: [PATCH 13/13] Enforce CA ACLs in cert-request command This commit adds CA ACL enforcement to the cert-request command and uses the pyhbac machinery. It is planned to implement ACL enforcement in Dogtag in a future release, and remove certificate issuance privileges and CA ACL enforcement responsibility from the framework. See https://fedorahosted.org/freeipa/ticket/5011 for more information. Part of: https://fedorahosted.org/freeipa/ticket/57 Part of: https://fedorahosted.org/freeipa/ticket/4559 --- ipalib/plugins/caacl.py | 72 +++++++++++++++++++++++++++++++++++++++++++++++++ ipalib/plugins/cert.py | 17 ++++++++++++ 2 files changed, 89 insertions(+) 
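Review bot: the EXAMPLES block in the new caacl.py module docstring is internally inconsistent: `ipa caacl-add-user --user=alice` omits the positional ACL name that `caacl_add_user` (an `LDAPAddMember` on an object whose primary key is `cn`) requires, and the ACL created on the line before it is named `john_dnp3` although the user being granted is `alice`. Suggest `ipa caacl-add alice_dnp3 --profile-id=DNP3` followed by `ipa caacl-add-user alice_dnp3 --user=alice`. Two smaller points in the same hunk: `caacl_remove_service` is documented as removing "service and service groups" while `attribute_members['memberservice']` lists only `service`, and the `# validate sub-CA handle syntax` comment on `ipacaaclcaref` describes a validator that is not attached; a TODO marker there would keep it from being forgotten when sub-CAs land.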
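Review bot: `self.step("creating default CA ACL rule", self.add_caacl)` is added directly after the `if hbac_allow:` block in the dsinstance.py `@@ -307` hunk and indentation is not visible in this rendering; please confirm it sits at the same level as the range-check step rather than inside the conditional, since creating the default CA ACL should not depend on whether the allow_all HBAC rule is created.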
diff --git a/ipalib/plugins/caacl.py b/ipalib/plugins/caacl.py index 84dc6d3c4db5f46d76bed560023b7cb63c5513b1..a9dde862b35eff0eced2aa3e2328687373fa15b9 100644 --- a/ipalib/plugins/caacl.py +++ b/ipalib/plugins/caacl.py @@ -2,6 +2,8 @@ # Copyright (C) 2015 FreeIPA Contributors see COPYING for license # +import pyhbac + from ipalib import api, errors, output from ipalib import Bool, Str from ipalib.plugable import Registry @@ -10,6 +12,7 @@ from ipalib.plugins.baseldap import ( LDAPUpdate, LDAPRetrieve, LDAPAddMember, LDAPRemoveMember, pkey_to_value) from ipalib.plugins.certprofile import validate_profile_id +from ipalib.plugins.service import normalize_principal, split_any_principal from ipalib import _, ngettext from ipapython.dn import DN 
@@ -49,6 +52,75 @@ EXAMPLES: register = Registry() +def _acl_make_request(principal_type, principal, ca_ref, profile_id): + """Construct HBAC request for the given principal, CA and profile""" + req = pyhbac.HbacRequest() + req.targethost.name = ca_ref + req.service.name = profile_id + if principal_type == 'user': + req.user.name = principal + elif principal_type == 'host': + req.user.name = principal[:5] # strip 'host/' + elif principal_type == 'service': + req.user.name = normalize_principal(principal) + groups = [] + if principal_type == 'user': + user_obj = api.Command.user_show(principal)['result'] + groups = user_obj.get('memberof_group', []) + groups += user_obj.get('memberofindirect_group', []) + elif principal_type == 'host': + service, hostname, realm = split_any_principal(principal) + host_obj = api.Command.host_show(hostname)['result'] + groups = host_obj.get('memberof_hostgroup', []) + groups += host_obj.get('memberofindirect_hostgroup', []) + req.user.groups = sorted(set(groups)) + return req + + +def _acl_make_rule(principal_type, obj): + """Turn CA ACL object into HBAC rule. 
+ + ``principal_type`` + String in {'user', 'host', 'service'} + """ + rule = pyhbac.HbacRule(obj['cn'][0]) + rule.enabled = obj['ipaenabledflag'][0] + rule.srchosts.category = {pyhbac.HBAC_CATEGORY_ALL} + + # add CA(s) + if 'ipacaaclallcas' in obj and obj['ipacaaclallcas'][0] == 'TRUE': + rule.targethosts.category = {pyhbac.HBAC_CATEGORY_ALL} + else: + rule.targethosts.names = obj.get('ipacaaclcaref', []) + + # add profiles + if 'ipacaaclallprofiles' in obj and obj['ipacaaclallprofiles'][0] == 'TRUE': + rule.services.category = {pyhbac.HBAC_CATEGORY_ALL} + else: + rule.services.names = obj.get('ipacaaclprofileid', []) + + # add principals and principal's groups + m = {'user': 'group', 'host': 'hostgroup', 'service': None} + all_principals_attr = 'ipacaaclall{}s'.format(principal_type) + if all_principals_attr in obj and obj[all_principals_attr][0] == 'TRUE': + rule.users.category = {pyhbac.HBAC_CATEGORY_ALL} + else: + principal_attr = 'member{}_{}'.format(principal_type, principal_type) + rule.users.names = obj.get(principal_attr, []) + if m[principal_type] is not None: + group_attr = 'member{}_{}'.format(principal_type, m[principal_type]) + rule.users.groups = obj.get(group_attr, []) + + return rule + + +def acl_evaluate(principal_type, principal, ca_ref, profile_id): + req = _acl_make_request(principal_type, principal, ca_ref, profile_id) + acls = api.Command.caacl_find()['result'] + rules = [_acl_make_rule(principal_type, obj) for obj in acls] + return req.evaluate(rules) == pyhbac.HBAC_EVAL_ALLOW + + @register() class caacl(LDAPObject): """ diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py index d122900175db41ba5af429fd47af6cac6533cb6f..1878e5ad5f80fa93e1a77b0a88711c1da0016681 100644 --- a/ipalib/plugins/cert.py +++ b/ipalib/plugins/cert.py 
@@ -33,6 +33,7 @@ from ipalib.plugins.virtual import * from ipalib.plugins.baseldap import pkey_to_value from ipalib.plugins.service import split_any_principal from ipalib.plugins.certprofile import validate_profile_id +import ipalib.plugins.caacl import base64 import traceback from ipalib.text import _ @@ -326,6 +327,22 @@ class cert_request(VirtualCommand): else: principal_type = SERVICE + principal_type_map = {USER: 'user', HOST: 'host', SERVICE: 'service'} + ca = '.' # top-level CA hardcoded until subca plugin implemented + if not ipalib.plugins.caacl.acl_evaluate( + principal_type_map[principal_type], + principal_string, ca, profile_id): + raise errors.ACIError(info=_( + "Principal '%(principal)s' " + "is not permitted to use CA '%(ca)s' " + "with profile '%(profile_id)s' for certificate issuance." + ) % dict( + principal=principal_string, + ca=ca or '.', + profile_id=profile_id + ) + ) + bind_principal = split_any_principal(getattr(context, 'principal')) bind_service, bind_name, bind_realm = bind_principal -- 2.1.0 From lkrispen at redhat.com Wed Jun 3 14:19:55 2015 
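Review bot: `req.user.name = principal[:5] # strip 'host/'` in `_acl_make_request` keeps the first five characters of the principal (the literal 'host/') instead of removing them; use `principal[5:]`, or better the `hostname` that `split_any_principal(principal)` already yields a few lines further down in the same function. As written every host request is evaluated with user name 'host/', so names placed in `rule.users.names` from `memberhost_host` can never match and only `ipacaaclallhosts` can grant. A second point in the same hunk: `_acl_make_rule` assigns `rule.enabled = obj['ipaenabledflag'][0]` without conversion while the other three flags are compared with `== 'TRUE'`; if the values are LDAP strings, 'FALSE' is truthy and a disabled ACL is still applied, and if the framework has already turned them into bools the `'TRUE'` comparisons never match. Normalize all four flags through one helper so the two code paths cannot disagree.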
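Review bot: `ca or '.'` in the ACIError message of the cert.py `@@ -326` hunk is dead code, since `ca` is assigned the literal `'.'` a few lines earlier in the same hunk; pass `ca` directly, or keep one named constant and use it in both places. Also, the value handed to `acl_evaluate` is `principal_string` (the principal as supplied to cert-request), whereas the companion caacl.py hunk fills `rule.users.names` from `memberuser_user` (bare uids) and calls `user_show(principal)` with whatever is passed in; for user principals pass the user name component so that direct user membership can match rather than only the all-users flag.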
From: lkrispen at redhat.com (Ludwig Krispenz) Date: Wed, 03 Jun 2015 16:19:55 +0200 Subject: [Freeipa-devel] [PATCH 0010] KeyError raised upon replica installation In-Reply-To: <556F0AEF.6000108@redhat.com> References: <556D80E5.6050802@redhat.com> <556D9F9A.1060802@redhat.com> <556F0AEF.6000108@redhat.com> Message-ID: <556F0D0B.8040106@redhat.com> On 06/03/2015 04:10 PM, Petr Vobornik wrote: > On 06/02/2015 02:20 PM, Ludwig Krispenz wrote: >> replicas installed from older versions do not have a binddn group >> just accept the error > > ACK > > Pushed to master: 8457edc14dade724b486540800bcdafb7d9a6f76 > > Note that this group will be populated later. If you start with 4.2 the group is created and populated when the ldap principals are added to the replica as binddns. Only if you install the replica from an older version, the database is initialized from the older master and it is gone, so it has to be populated later. > IMHO it should be done as a part of domain-level raise procedure > before setting the new level. It could also be populated as soon as the first 4.2 replica is installed; it doesn't require any schema changes and can be added/replicated to older servers as well. From edewata at redhat.com Wed Jun 3 14:33:55 2015
From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 03 Jun 2015 09:33:55 -0500 Subject: [Freeipa-devel] [PATCH] Password vault In-Reply-To: <20150603135219.GA10162@redhat.com> References: <55651209.8020000@redhat.com> <556558AA.6040107@redhat.com> <556CF209.7050404@redhat.com> <556D48F3.7040902@redhat.com> <556D9C66.2080706@redhat.com> <556DC639.7090403@redhat.com> <556E19C6.8090907@redhat.com> <20150602212203.GR15837@redhat.com> <556EA1A2.70809@redhat.com> <556F019D.9020000@redhat.com> <20150603135219.GA10162@redhat.com> Message-ID: <556F1053.8030600@redhat.com> On 6/3/2015 8:52 AM, Alexander Bokovoy wrote: >> Having to use the same plugins for client and server is a framework >> limitation/poor design. Having to use conditional imports to work >> around the limitation is a bad programming practice. The fact that >> the trust plugin has to implement a similar workaround is not a >> justification, it just shows that the problem is not vault-specific. > There is another thing. Even when splitting client/server sides, we'll > need to check on the server side that certain functionality is > available. In the trust case we have ID Views (a separate plugin) which does > use information about trusts to resolve users from AD to their > normalized references (SIDs) and a few other places would be depending on > functionality only provided when Samba packages are installed. > > To continue your approach, we would need to split also server-side parts > of plugins into separate callable units that would only be provided and > called when appropriate rpm subpackages are installed. This is an unneeded > complication in a place where we can simply handle dependencies at run > time and make sure the packaging deps are managed separately. So there are two issues: 1. Conditional imports due to combined client and server plugin. 2. Conditional imports due to feature availability. Issue #1 is generic and I think we pretty much agree that this is supposed to be fixed somehow.
Issue #2 is plugin-specific. I think there are different ways to solve this, some might be better than others. The solution that you pick will only affect that particular plugin and should not be generalized to other plugins or to justify #1. In my opinion code should have a fixed dependency, but some features can be enabled/disabled based on the configuration. Enabling a feature shouldn't be based on package installation because people might install a package for different reasons. So the code may look something like this: import if : It shouldn't be like this: if : import if : Of course this assumes that the package is lightweight enough to be installed regardless of whether it will be used. I don't know if it's applicable to your case, but again, there are different ways to address issue #2. -- Endi S. Dewata From mkosek at redhat.com Wed Jun 3 14:50:34 2015
From: mkosek at redhat.com (Martin Kosek) Date: Wed, 03 Jun 2015 16:50:34 +0200 Subject: [Freeipa-devel] [PATCH 0010] KeyError raised upon replica installation In-Reply-To: <556F0AEF.6000108@redhat.com> References: <556D80E5.6050802@redhat.com> <556D9F9A.1060802@redhat.com> <556F0AEF.6000108@redhat.com> Message-ID: <556F143A.7090103@redhat.com> On 06/03/2015 04:10 PM, Petr Vobornik wrote: > On 06/02/2015 02:20 PM, Ludwig Krispenz wrote: >> replicas installed from older versions do not have a binddn group >> just accept the error > > ACK > > Pushed to master: 8457edc14dade724b486540800bcdafb7d9a6f76 > > Note that this group will be populated later. IMHO it should be done as a part > of domain-level raise procedure before setting the new level. As said in the other mail, I am not sure why we should be overloading the domain-level raise command that way. I thought we will create this group when the first replica upgrades to 4.2. Whenever a new replica is added/upgraded, its principal will be added to the group also (even if Domain Level is 0). Domain Level 1 means that all replicas are 4.2 and thus the group is fully populated and Topology can be used. From mbasti at redhat.com Wed Jun 3 15:14:27 2015
From: mbasti at redhat.com (Martin Basti) Date: Wed, 03 Jun 2015 17:14:27 +0200 Subject: [Freeipa-devel] [PATCHES 0233-0234] DNSSEC: forwarders validation In-Reply-To: <556EF9C4.9020406@redhat.com> References: <553A3D88.6080200@redhat.com> <55423032.9080505@redhat.com> <5548BED1.1060806@redhat.com> <554A1539.3040002@redhat.com> <554B0D69.5040008@redhat.com> <554B3C19.9080002@redhat.com> <554B8F01.9010501@redhat.com> <55561ACD.6070306@redhat.com> <5559D191.4070406@redhat.com> <556EF9C4.9020406@redhat.com> Message-ID: <556F19D3.70109@redhat.com> On 03/06/15 14:57, Petr Spacek wrote: > On 18.5.2015 13:48, Martin Basti wrote: >> On 15/05/15 18:11, Petr Spacek wrote: >>> On 7.5.2015 18:12, Martin Basti wrote: >>>> On 07/05/15 12:19, Petr Spacek wrote: >>>>> On 7.5.2015 08:59, David Kupka wrote: >>>>>> On 05/06/2015 03:20 PM, Martin Basti wrote: >>>>>>> On 05/05/15 15:00, Martin Basti wrote: >>>>>>>> On 30/04/15 15:37, David Kupka wrote: >>>>>>>>> On 04/24/2015 02:56 PM, Martin Basti wrote: >>>>>>>>>> Patches attached. >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>> Hi, >>>>>>>>> thanks for the patches. >>>>>>>>> >>>>>>>>> 1. You changed the message in DNSServerNotRespondingWarning class but not >>>>>>>>> the test in ipatest/test_xmlrpc/test_dns_plugin.py >>>>>>>>> >>>>>>>>> nitpick. Please spell 'edns' correctly. I've seen several instances >>>>>>>>> of 'ends'. >>>>>>>>> >>>>>>>> Thank you, >>>>>>>> >>>>>>>> updated patches attached: >>>>>>>> * new error messages >>>>>>>> * logging to debug log server output if exception was raised >>>>>>>> * fixed test >>>>>>>> * fixed spelling >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> Fixed tests (again) >>>>>>> >>>>>>> Updated patches attached >>>>>>> >>>>>> The code looks good to me and tests are no longer broken. (I would prefer >>>>>> a better fix of the tests but given that the priorities are different now >>>>>> it can >>>>>> wait.) >>>>>> >>>>>> Petr, can you please confirm that the patch set works for you?
>>>>> Sorry, NACK: >>>>> >>>>> $ ipa dnsforwardzone-add ptr.test. --forwarder=10.34.47.236 >>>>> Server will check DNS forwarder(s). >>>>> This may take some time, please wait ... >>>>> ipa: ERROR: an internal error has occurred >>>>> >>>>> # /var/log/httpd/error_log >>>>> ipa: ERROR: non-public: AssertionError: >>>>> Traceback (most recent call last): >>>>> File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line >>>>> 350, in >>>>> wsgi_execute >>>>> result = self.Command[name](*args, **options) >>>>> File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 443, in >>>>> __call__ >>>>> ret = self.run(*args, **options) >>>>> File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 760, >>>>> in run >>>>> return self.execute(*args, **options) >>>>> File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line >>>>> 4444, in >>>>> execute >>>>> **options) >>>>> File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line >>>>> 4405, in >>>>> _warning_if_forwarders_do_not_work >>>>> log=self.log) >>>>> File "/usr/lib/python2.7/site-packages/ipalib/util.py", line 715, in >>>>> validate_dnssec_zone_forwarder_step2 >>>>> timeout=timeout) >>>>> File "/usr/lib/python2.7/site-packages/ipalib/util.py", line 610, in >>>>> _resolve_record >>>>> assert isinstance(nameserver_ip, basestring) >>>>> AssertionError >>>>> ipa: INFO: [jsonserver_session] admin at IPA.EXAMPLE: dnsforwardzone_add(>>>> name ptr.test.>, idnsforwarders=(u'10.34.47.236',), all=False, raw=False, >>>>> version=u'2.116'): AssertionError >>>>> >>>>> This is constantly reproducible in my vm-090.abc. Let me know if you want to >>>>> take a look. >>>>> >>>>> >>>>> I'm attaching a little response.patch which improves compatibility with older >>>>> python-dns packages.
This patch allows IPA to work while error messages are >>>>> simply not as nice as they could be with latest python-dns :-) >>>>> >>>>> check_fwd_msg.patch is a little nitpick, just to make sure everyone >>>>> understands the message. >>>>> >>>>> BTW, why are some messages in check_forwarders() printed using 'print' and >>>>> others using logger? I would prefer to use logger for everything to make sure >>>>> that logs contain all the information, including warnings. >>>>> >>>>> Thank you for your time! >>>>> >>>> Thank you, fixed. >>>> >>>> I added the missing except block after forwarders validation step2. >>> I confirm that this works but I just discovered another deficiency. >>> >>> Setup: >>> - DNSSEC validation is enabled on IPA server >>> - forwarders use a fake TLD, e.g. 'test.' >>> - remote DNS server is responding, supports EDNS0 and so on >>> >>> $ ipa dnsforwardzone-add ptr.test. --forwarder=10.34.47.236 >>> Server will check DNS forwarder(s). >>> This may take some time, please wait ... >>> ipa: WARNING: DNS server 10.34.78.90: query 'ptr.test. SOA': The DNS query >>> name does not exist: ptr.test.. >>> >>> Huh? Let's check named log: >>> forward zone 'ptr.test': loaded >>> validating ./SOA: got insecure response; parent indicates it should be secure >>> >>> Sometimes I get SERVFAIL from IPA server, too. >>> >>> >>> Unfortunately this check was the main reason for writing this patchset so we >>> need to improve it. >>> >>> Maybe validate_dnssec_zone_forwarder_step2() could special-case NXDOMAIN and >>> print the DNSSEC-validation-failed error, too? The problem is that it could >>> trigger some false positives because NXDOMAIN may simply be caused by a delay >>> somewhere. >>> >>> Any ideas? >> I added a catch block for NXDOMAIN >>> By the way, this is also weird: >>> >>> $ ipa dnsforwardzone-add ptr.test. --forwarder=10.34.47.236 >>> Server will check DNS forwarder(s). >>> This may take some time, please wait ...
>>> ipa: ERROR: DNS forward zone with name "ptr.test." already exists >>> >>> Is it actually doing the check even if the forward zone exists already? (This >>> is just a nitpick, not a blocker!) >>> >> The first part is written by the IPA client, it is not a response from the server. >> It is just written when the user uses the --forwarder option. >> >> Updated patch attached. > NACK, it does not work for me - it explodes when I try to add a forward zone: > > $ ipa dnsforwardzone-add ptr.test. --forwarder=192.0.2.1 > > ipa: ERROR: non-public: TypeError: _warning_if_forwarders_do_not_work() got > multiple values for keyword argument 'new_zone' > Traceback (most recent call last): > File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 350, in > wsgi_execute > result = self.Command[name](*args, **options) > File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 443, in > __call__ > ret = self.run(*args, **options) > File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 760, in run > return self.execute(*args, **options) > File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line 4461, in > execute > result, new_zone=True, *keys, **options) > TypeError: _warning_if_forwarders_do_not_work() got multiple values for > keyword argument 'new_zone' > ipa: INFO: [jsonserver_session] admin at IPA.EXAMPLE: dnsforwardzone_add( name ptr.test.>, idnsforwarders=(u'192.0.2.1',), all=False, raw=False, > version=u'2.123'): TypeError > updated patch attached. -- Martin Basti -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0234.6-DNSSEC-validate-forward-zone-forwarders.patch Type: text/x-patch Size: 17642 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0233.6-DNSSEC-Improve-global-forwarders-validation.patch Type: text/x-patch Size: 16323 bytes Desc: not available URL: From mbabinsk at redhat.com Wed Jun 3 15:28:02 2015
From: mbabinsk at redhat.com (Martin Babinsky) Date: Wed, 03 Jun 2015 17:28:02 +0200 Subject: [Freeipa-devel] [PATCH] 857 topology: ipa management commands In-Reply-To: <556F06E1.2040400@redhat.com> References: <556448B3.9050105@redhat.com> <556475AF.7060301@redhat.com> <556EC036.2070700@redhat.com> <556EC1EA.4010701@redhat.com> <556EE62C.8010109@redhat.com> <556EF52A.7090907@redhat.com> <556F06E1.2040400@redhat.com> Message-ID: <556F1D02.6050708@redhat.com> On 06/03/2015 03:53 PM, Petr Vobornik wrote: > On 06/03/2015 02:38 PM, Martin Babinsky wrote: >> On 06/03/2015 01:34 PM, Petr Vobornik wrote: >>> On 06/03/2015 10:59 AM, Martin Babinsky wrote: >>>> On 06/03/2015 10:52 AM, Martin Babinsky wrote: >>>>> On 05/26/2015 03:31 PM, Petr Vobornik wrote: >>>>>> On 05/26/2015 12:19 PM, Petr Vobornik wrote: >>>>>>> this patch is based on top of my patch #856 and tbabej's 325-9. >>>>>>> >>>>>>> Obsoletes Ludwig's 0006. >>>>>>> >>>>>>> ipalib part of topology management >>>>>>> >>>>>>> Design: >>>>>>> - http://www.freeipa.org/page/V4/Manage_replication_topology >>>>>>> >>>>>>> https://fedorahosted.org/freeipa/ticket/4302 >>>>>>> >>>>>>> >>>>>> >>>>>> New version attached: >>>>>> - domainlevel_show usage changed to domainlevel_get >>>>>> - updated VERSION >>>>>> - added more attrs to default_attributes >>>>>> >>>>>> >>>>> >>>>> Hi Petr, >>>>> >>>>> the commands themselves seem to work just fine. I had encountered some >>>>> quirks in the underlying topology plugin, but I will address them in a >>>>> different thread in order to keep the discussion relevant to the >>>>> reviewed patch. >>>>> >>>>> I have some minor comments below: >>>>> >>>>> 1.)
>>>>> IPA_API_VERSION_MAJOR=2 >>>>> -IPA_API_VERSION_MINOR=121 >>>>> -# Last change: pvoborni - added server-find and server-show >>>>> +IPA_API_VERSION_MINOR=122 >>>>> +# Last change: pvoborni - added topology management commands >>>>> >>>>> Several people were touching the API in the meantime so please >>>>> double-check >>>>> that you have the correct VERSION and regenerate API.txt >>> >>> Patch rebased. >>> >>>>> >>>>> 2.) >>>>> >>>>> + Str( >>>>> + 'nsds5replicatedattributelist?', >>>>> + cli_name='replattrs', >>>>> + label='Attributes to replicate', >>>>> + doc=_('Attributes that are not replicated to a consumer >>>>> server ' >>>>> + 'during a fractional update. E.g., >>>>> `(objectclass=*) ' >>>>> + '$ EXCLUDE accountlockout memberof'), >>>>> + ), >>>>> + Str( >>>>> + 'nsds5replicatedattributelisttotal?', >>>>> + cli_name='replattrstotal', >>>>> + label=_('Attributes for total update'), >>>>> + doc=_('Attributes that are not replicated to a consumer >>>>> server ' >>>>> + 'during a total update. E.g. (objectclass=*) $ >>>>> EXCLUDE ' >>>>> + 'accountlockout'), >>>>> >>>>> The descriptions of these two options confused me greatly, are these >>>>> attributes supposed to be replicated or not, or is there some more >>>>> complex logic behind them that I failed to grasp? I am cc'ing >>>>> Ludwig, he >>>>> can probably explain them to us and then we can decide whether we may >>>>> alter the descriptions to be less confusing. >>>>> >>>>> 3.)
>>>>> >>>>> + takes_params = ( >>>>> + Str( >>>>> + 'cn', >>>>> + cli_name='name', >>>>> + primary_key=True, >>>>> + label=_('Suffix name'), >>>>> + ), >>>>> + Str( >>>>> + 'iparepltopoconfroot', >>>>> + maxlength=255, >>>>> + cli_name='suffix', >>>>> + label=_('Suffix to be managed'), >>>>> + normalizer=lambda value: value.lower(), >>>>> + ), >>>>> + ) >>>>> >>>>> This also confused me at first, I suggest to change the label of >>>>> 'iparepltopoconfroot' to something like 'LDAP suffix to be managed' or >>>>> 'LDAP subtree to be managed'. >>> >>> Changed to 'LDAP suffix to be managed' >>> >>>>> >>>>> 4.) >>>>> >>>>> There is currently no way to rename existing topology >>>>> segments/suffixes. >>>>> In the case of hosts with funky FQDN's (pointing at you, ABC lab), the >>>>> segment cn's created during replica installs are nearly impossible to >>>>> remember and it would be nice to rename them to something more >>>>> manageable. However, this is not related to core functionality and can >>>>> be a subject of a separate patch once this gets pushed. >>>>> >>>>> That's all from my side. >>>>> >>>> >>>> I also forgot to ask what is the expected policy when deleting a >>>> non-empty topology suffix. If this is not supported and you have to >>>> first remove all segments and then the suffix itself, the >>>> 'topologysuffix-del' command should issue an error pointing the user to >>>> the correct procedure. >>>> >>> >>> Do we have a use case for creation or deletion of topology suffix? >> That's a good question. >> >> Anyway, I have noticed a couple more things: >> >> 1.) it seems that there are some unused imports in topology.py. Please >> investigate whether all of them are really needed. > > Fixed > >> >> 2.) >> >> +from ipalib.plugins.baseldap import * >> +from ipalib.plugins import baseldap >> >> I do not like that starred import at all. Either import the particular >> classes you use (like e.g.
in baseuser.py), or just leave the second >> import statement and use the appropriate namespace >> (baseldap.LDAPObject etc.). > > Fixed > >> >> 3.) there are a couple of pep8 complaints, please try to fix them unless >> it impairs readability: >> >> ./ipalib/constants.py:121:80: E501 line too long (81 > 79 characters) >> ./ipalib/plugins/topology.py:72:80: E501 line too long (88 > 79 >> characters) >> ./ipalib/plugins/topology.py:73:26: E131 continuation line unaligned for >> hanging indent >> ./ipalib/plugins/topology.py:73:80: E501 line too long (93 > 79 >> characters) >> ./ipalib/plugins/topology.py:103:80: E501 line too long (80 > 79 >> characters) >> ./ipalib/plugins/topology.py:111:80: E501 line too long (80 > 79 >> characters) >> ./ipalib/plugins/topology.py:207:80: E501 line too long (80 > 79 >> characters) >> ./ipalib/plugins/topology.py:232:80: E501 line too long (80 > 79 >> characters) > > won't fix > >> ./ipalib/plugins/topology.py:269:80: E501 line too long (84 > 79 >> characters) >> ./ipalib/plugins/topology.py:278:80: E501 line too long (89 > 79 >> characters) > > fixed > >> ./ipalib/plugins/topology.py:363:80: E501 line too long (80 > 79 >> characters) >> ./ipalib/plugins/topology.py:375:80: E501 line too long (80 > 79 >> characters) >> > won't fix > ACK -- Martin^3 Babinsky From mbasti at redhat.com Wed Jun 3 15:44:34 2015
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 03 Jun 2015 17:44:34 +0200
Subject: [Freeipa-devel] [PATCH 0014 v3] Support multiple user and host certificates
In-Reply-To: <20150603132147.GY23523@dhcp-40-8.bne.redhat.com>
References: <20150527135315.GC24915@dhcp-40-8.bne.redhat.com> <5565ED02.6060709@redhat.com> <20150528111804.GA23523@dhcp-40-8.bne.redhat.com> <20150601044027.GH23523@dhcp-40-8.bne.redhat.com> <556C5525.8080305@redhat.com> <20150602094227.GR23523@dhcp-40-8.bne.redhat.com> <556D8713.5030101@redhat.com> <556DB7BB.5090600@redhat.com> <556EE262.9070204@redhat.com> <556EEB43.7020108@redhat.com> <20150603132147.GY23523@dhcp-40-8.bne.redhat.com>
Message-ID: <556F20E2.4010504@redhat.com>

On 03/06/15 15:21, Fraser Tweedale wrote:
> On Wed, Jun 03, 2015 at 01:55:47PM +0200, Milan Kubik wrote:
>> On 06/03/2015 01:17 PM, Martin Basti wrote:
>>> On 02/06/15 16:03, Jan Cholasta wrote:
>>>> On 2.6.2015 at 12:36, Martin Basti wrote:
>>>>> On 02/06/15 11:42, Fraser Tweedale wrote:
>>>>>> On Mon, Jun 01, 2015 at 02:50:45PM +0200, Martin Basti wrote:
>>>>>>> On 01/06/15 06:40, Fraser Tweedale wrote:
>>>>>>>> New version of patch; ``{host,service}-show --out=FILE`` now writes all certs to FILE. Rebased on latest master.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Fraser
>>>>>>>>
>>>>>>>> On Thu, May 28, 2015 at 09:18:04PM +1000, Fraser Tweedale wrote:
>>>>>>>>> Updated patch attached. Notably restores/adds revocation behaviour to host-mod and service-mod.
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Fraser
>>>>>>>>>
>>>>>>>>> On Wed, May 27, 2015 at 06:12:50PM +0200, Martin Basti wrote:
>>>>>>>>>> On 27/05/15 15:53, Fraser Tweedale wrote:
>>>>>>>>>>> This patch adds support for multiple user / host certificates. No schema change is needed ('usercertificate' attribute is already multi-value). The revoke-previous-cert behaviour of host-mod and user-mod has been removed but revocation behaviour of -del and -disable is preserved.
>>>>>>>>>>>
>>>>>>>>>>> The latest profiles/caacl patchset (0001..0013 v5) depends on this patch for correct cert-request behaviour.
>>>>>>>>>>>
>>>>>>>>>>> There is one design question (or maybe more, let me know): the `--out=FILENAME' option to {host,service} show saves ONE certificate to the named file. I propose to either:
>>>>>>>>>>>
>>>>>>>>>>> a) write all certs, suffixing suggested filename with either a sequential numerical index, e.g. "cert.pem" becomes "cert.pem.1", "cert.pem.2", and so on; or
>>>>>>>>>>>
>>>>>>>>>>> b) as above, but suffix with serial number and, if there are different issuers, some issuer-identifying information.
>>>>>>>>>>>
>>>>>>>>>>> Let me know your thoughts.
>>>>>>>>>>>
>>>>>>>>>>> Thanks,
>>>>>>>>>>> Fraser
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>> Is there a way to store certificates into one file? I read about possibilities to have multiple certs in one .pem file, but I'm not a cert guru :)
>>>>>>>>>>
>>>>>>>>>> I personally vote for serial number in case there are multiple certificates, if ^ is not possible.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> 1)
>>>>>>>>>> + if len(certs) > 0:
>>>>>>>>>>
>>>>>>>>>> please use only,
>>>>>>>>>> if certs:
>>>>>>>>>>
>>>>>>>>>> 2)
>>>>>>>>>> You need to re-generate API/ACI.txt in this patch
>>>>>>>>>>
>>>>>>>>>> 3)
>>>>>>>>>> syntax error:
>>>>>>>>>> + for dercert in certs_der
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> 4)
>>>>>>>>>> command
>>>>>>>>>> ipa user-mod ca_user --certificate=
>>>>>>>>>>
>>>>>>>>>> removes the current certificate from the LDAP, by design. Should the old certificate(s) be revoked? You removed that part in the code.
>>>>>>>>>>
>>>>>>>>>> only the --addattr='usercertificate=' appends new value there
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Martin Basti
>>>>>>>>>>
>>>>>>> My objections/proposed solutions in attached patch.
>>>>>>>
>>>>>>> * VERSION
>>>>>>> * In the previous version normalized values were stored in LDAP, so I added it back. (I don't know why there is no normalization in param settings, but normalization for every certificate is done in callback. I will file a ticket for this)
>>>>>>> * IMO only normalized certificates should be compared in the old certificates detection
>>>>>>>
>>>>>> I incorporated your suggested changes in new patch (attached).
>>>>>>
>>>>>> There were no proposed changes to the other patchset (0001..0013) since rebase.
>>>>>>
>>>>>> Thanks,
>>>>>> Fraser
>>>>> Thank you,
>>>>> ACK
>>>>> Martin^2
>>>>>
>>>> Pushed to master: 7f7c247bb5a4b0030d531f4f14c156162e808212
>>>>
>>> Regression found.
>>>
>>> Patch to fix the issue is attached.
>>>
>> The fix works, thanks.
>>
>> Milan
> Thanks for finding, fixing and testing! ACK from me.
>
> I also present a fix of my own. It fixes a problem where service-mod deleted all certificates when '--addattr usercertificate=XXX' was used instead of '--usercertificate=XXX' options.
>
> Cheers,
> Fraser
ACK

-- 
Martin Basti

From dkupka at redhat.com Wed Jun 3 15:49:01 2015
From: dkupka at redhat.com (David Kupka)
Date: Wed, 03 Jun 2015 17:49:01 +0200
Subject: [Freeipa-devel] [PATCH 0049] Move CA installation code into single module.
Message-ID: <556F21ED.8020908@redhat.com>

-- 
David Kupka
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-dkupka-0049-Move-CA-installation-code-into-single-module.patch
Type: text/x-patch
Size: 31711 bytes
Desc: not available
URL:

From simo at redhat.com Wed Jun 3 16:06:47 2015
From: simo at redhat.com (Simo Sorce)
Date: Wed, 03 Jun 2015 12:06:47 -0400
Subject: [Freeipa-devel] Topology plugin quirks
In-Reply-To: <556EDC44.8050006@redhat.com>
References: <556ECADC.3090303@redhat.com> <556EDC44.8050006@redhat.com>
Message-ID: <1433347607.3020.37.camel@willson.usersys.redhat.com>

On Wed, 2015-06-03 at 12:51 +0200, Petr Vobornik wrote:
> On 06/03/2015 11:37 AM, Martin Babinsky wrote:
> > Hi everyone,
> >
> > I have been playing with the topology related patches and I have encountered a few issues that I would like to address in this thread:
> >
> 
> Additional stuff:
> 
> 1. was able to add duplicate segment
> - same left and right node
> - same direction
> - different cn
> 
> It did not allow me to remove it:
> """
> Server is unwilling to perform: Removal of Segment disconnects topology.Deletion not allowed.
> """

Odd, I would think that if you have 2 segments then either one would satisfy the topology requirement.

Ludwig, why is the plugin allowing 2 segments and then does not recognize there is another one at removal time ?

> 2. topology plugin allows to create reflexive relation from the invalid duplicates(#1):
> 
> A -> B
> A -> B
> to
> A -> A
> B -> B
> 
> I.E. effective disconnect
> 
> it is forbidden in `ipa topologysegment-mod` but I think that even the plugin should not allow that

Yes, the plugin must forbid this case on its own.

> 3. attempt to delete the invalid reflexive or duplicate segment ends with:
> """
> Server is unwilling to perform: Removal of Segment disconnects topology.Deletion not allowed.""

The plugin should not allow duplicates or reflexive segments in the first place, so this should never be required then.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From simo at redhat.com Wed Jun 3 16:09:04 2015
From: simo at redhat.com (Simo Sorce)
Date: Wed, 03 Jun 2015 12:09:04 -0400
Subject: [Freeipa-devel] Topology plugin quirks
In-Reply-To: <556ECADC.3090303@redhat.com>
References: <556ECADC.3090303@redhat.com>
Message-ID: <1433347744.3020.38.camel@willson.usersys.redhat.com>

On Wed, 2015-06-03 at 11:37 +0200, Martin Babinsky wrote:
> 3.) It seems that the removal of topology suffixes containing functioning segments is not handled well. I once tried to do this and it led to segmentation fault on the dirsrv instance. What is the expected behavior in this scenario?

Dirsrv crashes are always critical bugs, please file tickets if you see any.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From simo at redhat.com Wed Jun 3 16:16:49 2015
From: simo at redhat.com (Simo Sorce)
Date: Wed, 03 Jun 2015 12:16:49 -0400
Subject: [Freeipa-devel] [PATCH 0010] KeyError raised upon replica installation
In-Reply-To: <556F0AEF.6000108@redhat.com>
References: <556D80E5.6050802@redhat.com> <556D9F9A.1060802@redhat.com> <556F0AEF.6000108@redhat.com>
Message-ID: <1433348209.3020.40.camel@willson.usersys.redhat.com>

On Wed, 2015-06-03 at 16:10 +0200, Petr Vobornik wrote:
> On 06/02/2015 02:20 PM, Ludwig Krispenz wrote:
> > replicas installed from older versions do not have a binddn group
> > just accept the error
> 
> ACK
> 
> Pushed to master: 8457edc14dade724b486540800bcdafb7d9a6f76
> 
> Note that this group will be populated later. IMHO it should be done as a part of domain-level raise procedure before setting the new level.

Creating this group and populating it should be part of ipa-ldap-update (sorry forgot the right name) and should be done when we install new rpms. Each server must care by itself to populate this group with its own membership.

In particular this *should* not be done when the domain level is raised, it is already late then.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From simo at redhat.com Wed Jun 3 16:18:50 2015
From: simo at redhat.com (Simo Sorce)
Date: Wed, 03 Jun 2015 12:18:50 -0400
Subject: [Freeipa-devel] [PATCH 0010] KeyError raised upon replica installation
In-Reply-To: <556F143A.7090103@redhat.com>
References: <556D80E5.6050802@redhat.com> <556D9F9A.1060802@redhat.com> <556F0AEF.6000108@redhat.com> <556F143A.7090103@redhat.com>
Message-ID: <1433348330.3020.41.camel@willson.usersys.redhat.com>

On Wed, 2015-06-03 at 16:50 +0200, Martin Kosek wrote:
> On 06/03/2015 04:10 PM, Petr Vobornik wrote:
> > On 06/02/2015 02:20 PM, Ludwig Krispenz wrote:
> >> replicas installed from older versions do not have a binddn group
> >> just accept the error
> > 
> > ACK
> > 
> > Pushed to master: 8457edc14dade724b486540800bcdafb7d9a6f76
> > 
> > Note that this group will be populated later. IMHO it should be done as a part of domain-level raise procedure before setting the new level.
> 
> As said in other mail, I am not sure why we should be overloading domain-level raise command that way.

+1

> I thought, we will create this group when the first replica upgrades to 4.2. Whenever a new replica is added/upgraded, its principal will be added to the group also (even if Domain Level is 0).

+1

> Domain Level 1 means that all replicas are 4.2 and thus the group is fully populated and Topology can be used.

+1

-- 
Simo Sorce * Red Hat, Inc * New York

From simo at redhat.com Wed Jun 3 16:20:18 2015
From: simo at redhat.com (Simo Sorce)
Date: Wed, 03 Jun 2015 12:20:18 -0400
Subject: [Freeipa-devel] [PATCH 0011] check-for-existing-and-self-referential-segments
In-Reply-To: <556EF8BD.1000906@redhat.com>
References: <556EF8BD.1000906@redhat.com>
Message-ID: <1433348418.3020.42.camel@willson.usersys.redhat.com>

On Wed, 2015-06-03 at 14:53 +0200, Ludwig Krispenz wrote:
> Hi,
> 
> this should prevent adding duplicate segments or segments with same start and end node

LGTM!

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From mbasti at redhat.com Wed Jun 3 16:23:20 2015
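The duplicate, reflexive and "removal disconnects topology" cases from the Topology plugin quirks thread above, and the check that patch 0011 adds, as an added Python example that is not FreeIPA's or the 389-ds plugin's code: the Segment fields, the both/left-right/right-left direction names and the strong-connectivity rule used to judge a removal are assumptions, not the plugin's schema.

```python
"""Topology segment sanity checks: duplicates, reflexive segments, removals.

Added example, not FreeIPA or 389-ds plugin code.  It models the cases from
the thread: a second segment with the same endpoints and direction under a
different cn, a reflexive A -> A segment, and a deletion that is refused only
when the *remaining* segments really disconnect the topology (so one of two
duplicates can always be deleted).  Field names and direction values are
assumptions, not the plugin's schema.
"""
from collections import deque
from dataclasses import dataclass

BOTH, LEFT_RIGHT, RIGHT_LEFT = "both", "left-right", "right-left"


@dataclass(frozen=True)
class Segment:
    cn: str
    left: str
    right: str
    direction: str = BOTH


class SegmentError(ValueError):
    """The request must be refused (the plugin would answer unwilling-to-perform)."""


def _edges(seg):
    """Directed (source, target) replication edges a segment provides.
    Host names are compared case-insensitively, as FQDNs should be."""
    left, right = seg.left.lower(), seg.right.lower()
    if seg.direction == BOTH:
        return {(left, right), (right, left)}
    if seg.direction == LEFT_RIGHT:
        return {(left, right)}
    if seg.direction == RIGHT_LEFT:
        return {(right, left)}
    raise SegmentError("segment %s: unknown direction %r" % (seg.cn, seg.direction))


def validate_segment(existing, seg):
    """Refuse a reflexive segment or one whose edges already exist.

    Serves both add and mod: an entry in 'existing' with the same cn as 'seg'
    is the segment being modified and is not compared against itself.
    Returns True when the segment is acceptable.
    """
    if seg.left.lower() == seg.right.lower():
        raise SegmentError("segment %s is reflexive: %s -> %s"
                           % (seg.cn, seg.left, seg.right))
    new_edges = _edges(seg)
    for other in existing:
        if other.cn == seg.cn:
            continue
        dup = new_edges & _edges(other)
        if dup:  # same nodes and direction, even with left/right swapped
            raise SegmentError("segment %s duplicates %s of segment %s"
                               % (seg.cn, sorted(dup), other.cn))
    return True


def _strongly_connected(nodes, edges):
    """True if every node reaches every other node over the directed edges."""
    succ = {node: set() for node in nodes}
    for src, dst in edges:
        succ[src].add(dst)
    for start in nodes:
        seen, todo = {start}, deque([start])
        while todo:
            for nxt in succ[todo.popleft()]:
                if nxt not in seen:
                    seen.add(nxt)
                    todo.append(nxt)
        if seen != nodes:
            return False
    return True


def removal_disconnects(existing, cn):
    """True if deleting segment 'cn' leaves some server unreachable.

    Connectivity is judged on the segments that remain, so deleting one of
    two duplicate segments is allowed while deleting the only link is not.
    """
    remaining = [s for s in existing if s.cn != cn]
    if len(remaining) == len(existing):
        raise SegmentError("segment %s does not exist" % cn)
    nodes = {h.lower() for s in existing for h in (s.left, s.right)}
    edges = set().union(*(_edges(s) for s in remaining))
    return not _strongly_connected(nodes, edges)


if __name__ == "__main__":
    # Constructed sample topology: A <-> B plus a one-way B -> C and C -> B pair.
    a_b = Segment("a-b", "a.example.test", "b.example.test")
    b_c = Segment("b-c", "b.example.test", "c.example.test", LEFT_RIGHT)
    c_b = Segment("c-b", "c.example.test", "b.example.test", LEFT_RIGHT)
    dup = Segment("a-b-dup", "B.example.test", "A.example.test")  # same edges as a_b
    for candidate in (dup, Segment("self", "a.example.test", "A.example.test")):
        try:
            validate_segment([a_b, b_c, c_b], candidate)
        except SegmentError as err:
            print("refused:", err)
    print("deleting a-b-dup disconnects:", removal_disconnects([a_b, b_c, c_b, dup], "a-b-dup"))
    print("deleting a-b disconnects:", removal_disconnects([a_b, b_c, c_b], "a-b"))
```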
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 03 Jun 2015 18:23:20 +0200
Subject: [Freeipa-devel] [PATCH 0014] Support multiple user and host certificates
In-Reply-To: <556DC403.3010300@redhat.com>
References: <20150527135315.GC24915@dhcp-40-8.bne.redhat.com> <556DC403.3010300@redhat.com>
Message-ID: <556F29F8.6050906@redhat.com>

On 02/06/15 16:56, Petr Vobornik wrote:
> On 05/27/2015 03:53 PM, Fraser Tweedale wrote:
>> This patch adds support for multiple user / host certificates. No schema change is needed ('usercertificate' attribute is already multi-value). The revoke-previous-cert behaviour of host-mod and user-mod has been removed but revocation behaviour of -del and -disable is preserved.
>>
>> The latest profiles/caacl patchset (0001..0013 v5) depends on this patch for correct cert-request behaviour.
>>
>> There is one design question (or maybe more, let me know): the `--out=FILENAME' option to {host,service} show saves ONE certificate to the named file. I propose to either:
>>
>> a) write all certs, suffixing suggested filename with either a sequential numerical index, e.g. "cert.pem" becomes "cert.pem.1", "cert.pem.2", and so on; or
>>
>> b) as above, but suffix with serial number and, if there are different issuers, some issuer-identifying information.
>>
>> Let me know your thoughts.
>>
>> Thanks,
>> Fraser
>>
>
> Has anybody tried it with Web UI?
>
> Currently Web UI is designed only for one cert. I wonder if it still works even with just one.
>
> We should probably file a ticket.

If there are 2 certificates in a host entry, then the WebUI just shows:
Status Valid Certificate Present

Then 'view certificate' shows the second certificate
the 'Get certificate' shows the first certificate

I will file a ticket.

Martin^2

-- 
Martin Basti

From mbasti at redhat.com Wed Jun 3 16:49:13 2015
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 03 Jun 2015 18:49:13 +0200
Subject: [Freeipa-devel] [PATCHES 0001-0013 v7] Profiles and CA ACLs
In-Reply-To: <20150603141717.GZ23523@dhcp-40-8.bne.redhat.com>
References: <20150527140434.GD24915@dhcp-40-8.bne.redhat.com> <5566E484.7080809@redhat.com> <55670D4D.9080302@redhat.com> <20150529041754.GE23523@dhcp-40-8.bne.redhat.com> <55682FB0.1030807@redhat.com> <55684792.3070006@redhat.com> <20150601071058.GI23523@dhcp-40-8.bne.redhat.com> <20150601072228.GJ23523@dhcp-40-8.bne.redhat.com> <20150602121127.GU23523@dhcp-40-8.bne.redhat.com> <556DDBD6.70007@redhat.com> <20150603141717.GZ23523@dhcp-40-8.bne.redhat.com>
Message-ID: <556F3009.1090503@redhat.com>

On 03/06/15 16:17, Fraser Tweedale wrote:
> On Tue, Jun 02, 2015 at 06:37:42PM +0200, Martin Basti wrote:
>> On 02/06/15 14:11, Fraser Tweedale wrote:
>>> On Mon, Jun 01, 2015 at 05:22:28PM +1000, Fraser Tweedale wrote:
>>>> On Mon, Jun 01, 2015 at 05:10:58PM +1000, Fraser Tweedale wrote:
>>>>> On Fri, May 29, 2015 at 01:03:46PM +0200, Martin Kosek wrote:
>>>>>> On 05/29/2015 11:21 AM, Martin Basti wrote:
>>>>>>> On 29/05/15 06:17, Fraser Tweedale wrote:
>>>>>>>> On Thu, May 28, 2015 at 02:42:53PM +0200, Martin Basti wrote:
>>>>>>>>> On 28/05/15 11:48, Martin Basti wrote:
>>>>>>>>>> On 27/05/15 16:04, Fraser Tweedale wrote:
>>>>>>>>>>> Hello all,
>>>>>>>>>>>
>>>>>>>>>>> Fresh certificate management patchset; Changelog:
>>>>>>>>>>>
>>>>>>>>>>> - Now depends on patch freeipa-ftweedal-0014 for correct cert-request behaviour with host and service principals.
>>>>>>>>>>>
>>>>>>>>>>> - Updated Dogtag dependency to 10.2.4-1. Should be in f22 soon, but for f22 right now or for f21, please grab from my copr: https://copr.fedoraproject.org/coprs/ftweedal/freeipa/
>>>>>>>>>>>
>>>>>>>>>>> Martin^1 could you please add to the quasi-official freeipa copr? SRPM lives at https://frase.id.au/pki-core-10.2.4-1.fc21.src.rpm.
>>>>>>>>>>>
>>>>>>>>>>> - cert-request now verifies that for user principals, CSR CN matches uid and, DN emailAddress and SAN rfc822Name match user's email address, if either of those is present.
>>>>>>>>>>>
>>>>>>>>>>> - Fixed one or two other sneaky little bugs.
>>>>>>>>>>>
>>>>>>>>>>> On Wed, May 27, 2015 at 01:59:30AM +1000, Fraser Tweedale wrote:
>>>>>>>>>>>> Hi all,
>>>>>>>>>>>>
>>>>>>>>>>>> Please find attached the latest certificate management patchset, which introduces the `caacl' plugin and various fixes and improvements to earlier patches.
>>>>>>>>>>>>
>>>>>>>>>>>> One important change to earlier patches is reverting the name of the default profile to 'caIPAserviceCert' and using the existing instance of this profile on upgrade (but not install) in case it has been modified.
>>>>>>>>>>>>
>>>>>>>>>>>> Other notes:
>>>>>>>>>>>>
>>>>>>>>>>>> - Still have changes in ipa-server-install (fewer lines now, though)
>>>>>>>>>>>>
>>>>>>>>>>>> - Still have the ugly import hack. It is not a high priority for me, i.e. I think it should wait until after alpha
>>>>>>>>>>>>
>>>>>>>>>>>> - Still need to update 'service' and 'host' plugins to support multiple certificates. (The userCertificate attribute schema itself is multi-valued, so there are no schema issues here)
>>>>>>>>>>>>
>>>>>>>>>>>> - The TODOs in [1]; mostly certprofile CLI conveniences and supporting multiple profiles for hosts and services (which requires changes to framework only, not schema). [1]: http://idm.etherpad.corp.redhat.com/rhel72-cert-mgmt-progress
>>>>>>>>>>>>
>>>>>>>>>>>> Happy reviewing! I am pleased with the initial cut of the caacl plugin but I'm sure you will find some things to be fixed :)
>>>>>>>>>>>>
>>>>>>>>>>>> Cheers, Fraser
>>>>>>>>>> [root at vm-093 ~]# ipa-replica-prepare vm-094.example.com --ip-address 10.34.78.94 Directory Manager (existing master) password:
>>>>>>>>>>
>>>>>>>>>> Preparing replica for vm-094.example.com from vm-093.example.com
>>>>>>>>>> Creating SSL certificate for the Directory Server not well-formed (invalid token): line 2, column 14
>>>>>>>>>>
>>>>>>>>>> I cannot create replica file. It works on the upgraded server, but it doesn't work on the newly installed server. I'm not sure if this is caused by your patches which modify the ca-installer, or by the newer version of dogtag.
>>>>>>>>>>
>>>>>>>>>> Or if there were any other changes in master, I will continue to investigate with new RPM from master branch.
>>>>>>>>>>
>>>>>>>>>> Martin^2
>>>>>>>>>>
>>>>>>>>> ipa-replica-prepare works for:
>>>>>>>>> * master branch
>>>>>>>>> * master branch + pki-ca 10.2.4-1
>>>>>>>>>
>>>>>>>>> So something in your patches is breaking it
>>>>>>>>>
>>>>>>>>> Martin^2
>>>>>>>>>
>>>>>>>> Martin, master + my patches with pki 10.2.4-1 is working for me on f21 and f22. Can you provide ipa-replica-prepare --debug output and Dogtag debug log? ( /var/log/pki/pki-tomcat/ca/debug )
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Fraser
>>>>>>> I can not reproduce it today. And I already recycled the VMs from yesterday. :-(
>>>>>>>
>>>>>> In that case I would suggest ACKing&pushing the patch and fixing the bug if it comes again. The tree may now be a bit unstable, given the number of patches going in.
>>>>>>
>>>>>> My main motivation here is to unblock Fraser.
>>>>>>
>>>>>> Thanks,
>>>>>> Martin
>>>>> Rebased patchset attached; no other changes.
>>>> Heads up: I just discovered I have introduced a bug with >>>> ipa-replica-install, when it is spawning the CA instance. I think >>>> replication it only causes issues with ``--setup-ca``. >>>> >>>> I will try and sort it out tomorrow or later tonight (I have to head >>>> out for a few hours now, though); and I'm not suggesting it should >>>> block the push but it's something to be aware of. >>>> >>>> Cheers, >>>> Fraser >>>> >>> New patchset attached ; haven't gotten to the bottom of the >>> ipa-replica-install issue mentioned above, but it fixes an upgrade >>> bug. >>> >>> The change is: >>> >>> diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py >>> index c288282..c5f4d37 100644 >>> --- a/ipaserver/install/server/upgrade.py >>> +++ b/ipaserver/install/server/upgrade.py >>> @@ -316,7 +316,7 @@ def ca_enable_ldap_profile_subsystem(ca): >>> caconfig.CS_CFG_PATH, >>> directive, >>> separator='=') >>> - if value == 'ProfileSubsystem': >>> + if value == 'com.netscape.cmscore.profile.ProfileSubsystem': >>> needs_update = True >>> break >>> except OSError, e: 
>>> @@ -328,7 +328,7 @@ def ca_enable_ldap_profile_subsystem(ca): >>> installutils.set_directive( >>> caconfig.CS_CFG_PATH, >>> directive, >>> - 'LDAPProfileSubsystem', >>> + 'com.netscape.cmscore.profile.LDAPProfileSubsystem', >>> quotes=False, >>> separator='=') >>> >>> Cheers, >>> Fraser >>> >>> >> Thank you, >> >> 1) >> ipa-getcert request (getcert -c IPA) >> doesnt work, >> >> Request ID '20150602145845': >> status: CA_REJECTED >> ca-error: Server at https://vm-137.example.com/ipa/xml denied our >> request, giving up: 3007 (RPC failed at server. 'profile_id' is required). >> >> 2) >> Error from rpm install >> Unexpected error - see /var/log/ipaupgrade.log for details: >> SkipPluginModule: dogtag not selected as RA plugin >> >> Just for record as known issue, this will be fixed later in a new patch. >> >> 3) >> + Str('profile_id', validate_profile_id, >> + label=_("Profile ID"), >> + doc=_("Certificate Profile to use"), >> + ) >> Please mark this param as optional. ('profile_id?') >> This will fix issue 1, but 1 will need a option to specify profile_id >> >> Also move API related change from patch 9 to patch 11 + increment VERSION >> >> 4) >> * Maybe I do everything wrong :) >> >> I'm not able to create certificate stored in FILE, via ipa-getcert request. >> I'm getting error: >> status: CA_UNREACHABLE >> ca-error: Server at https://vm-137.example.com/ipa/xml failed request, >> will retry: 4001 (RPC failed at server. vm-137.example.com at example.com: host >> not found). >> >> or error: >> Request ID '20150602154115': >> status: CA_REJECTED >> ca-error: Server at https://vm-137.example.com/ipa/xml denied our >> request, giving up: 2100 (RPC failed at server. Insufficient access: not >> allowed to perform this command). >> (I'm root and kinited as admin) >> >> Maybe additional ACI is required for cert_request as it is VirtualCommand >> >> >> -- >> Martin Basti >> > Thanks for report. 
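Review bot: the `@@ -316` hunk hard-codes 'com.netscape.cmscore.profile.ProfileSubsystem' in the `if value == ...` test and the `@@ -328` hunk hard-codes 'com.netscape.cmscore.profile.LDAPProfileSubsystem' in the set_directive() call; the bug being fixed is a mismatch between what CS.cfg holds and what the code compares against, so define both class names as module-level constants next to each other, with a comment that they must be the fully qualified names exactly as Dogtag writes them, so the read side and the write side cannot drift apart again. The trailing context line `except OSError, e:` still uses the pre-PEP 3110 comma form; `except OSError as e:` is the spelling that also works on Python 3.

Review bot: in the `@@ -328` hunk the new value is written with quotes=False and separator='=', and the `@@ -316` loop only sets needs_update when the old ProfileSubsystem class is found, so an instance already carrying LDAPProfileSubsystem is left alone; that is the right idempotent behaviour, but a test that runs ca_enable_ldap_profile_subsystem twice against a CS.cfg fixture would pin it down and would also have caught the silent never-matching comparison this hunk replaces.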
Attached patchset should fix the certmonger > issues, and also makes cert-request --profile-id argument optional. > > The changes were fixup'd into the appropriate patches but the > combined diff follows. (Note that the API.txt and VERSION changes > you recommended were executed but are missing from this diff.) > > Thanks, > Fraser > > diff --git a/ipalib/plugins/caacl.py b/ipalib/plugins/caacl.py > index c09df86..a9dde86 100644 > --- a/ipalib/plugins/caacl.py > +++ b/ipalib/plugins/caacl.py > @@ -12,7 +12,7 @@ from ipalib.plugins.baseldap import ( > LDAPUpdate, LDAPRetrieve, LDAPAddMember, LDAPRemoveMember, > pkey_to_value) > from ipalib.plugins.certprofile import validate_profile_id > -from ipalib.plugins.service import normalize_principal > +from ipalib.plugins.service import normalize_principal, split_any_principal > from ipalib import _, ngettext > from ipapython.dn import DN > > @@ -69,7 +69,7 @@ def _acl_make_request(principal_type, principal, ca_ref, profile_id): > groups = user_obj.get('memberof_group', []) > groups += user_obj.get('memberofindirect_group', []) > elif principal_type == 'host': > - hostname = principal[5:] > + service, hostname, realm = split_any_principal(principal) > host_obj = api.Command.host_show(hostname)['result'] > groups = host_obj.get('memberof_hostgroup', []) > groups += host_obj.get('memberofindirect_hostgroup', []) > diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py > index 70ae610..1878e5a 100644 > --- a/ipalib/plugins/cert.py > +++ b/ipalib/plugins/cert.py > @@ -247,7 +247,7 @@ class cert_request(VirtualCommand): > default=False, > autofill=True > ), > - Str('profile_id', validate_profile_id, > + Str('profile_id?', validate_profile_id, > label=_("Profile ID"), > doc=_("Certificate Profile to use"), > ) 
> @@ -346,7 +346,14 @@ class cert_request(VirtualCommand): > bind_principal = split_any_principal(getattr(context, 'principal')) > bind_service, bind_name, bind_realm = bind_principal > > - if bind_principal != principal: > + if bind_service is None: > + bind_principal_type = USER > + elif bind_service == 'host': > + bind_principal_type = HOST > + else: > + bind_principal_type = SERVICE > + > + if bind_principal != principal and bind_principal_type != HOST: > # Can the bound principal request certs for another principal? > self.check_access() > > @@ -359,7 +366,7 @@ class cert_request(VirtualCommand): > error=_("Failure decoding Certificate Signing Request: %s") % e) > > # host principals may bypass allowed ext check > - if bind_service != 'host': > + if bind_principal_type != HOST: > for ext in extensions: > operation = self._allowed_extensions.get(ext) > if operation: > diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py > index 659751e..53085f7 100644 > --- a/ipapython/dogtag.py > +++ b/ipapython/dogtag.py > @@ -47,7 +47,7 @@ INCLUDED_PROFILES = { > (u'caIPAserviceCert', u'Standard profile for network services', True), > } > > -DEFAULT_PROFILE = 'caIPAserviceCert' > +DEFAULT_PROFILE = u'caIPAserviceCert' > > class Dogtag10Constants(object): > DOGTAG_VERSION = 10 Should the user certificates behave in the same way as host and service certificates, i.e should be revoked after user-del or user-mod operation?? If yes it would be an additional patch. Please move API.txt fragment from patch 9 to patch 11 With this change ACK for patches 1-11, to unblock testing. For patches 12-13 I need more time. -- Martin Basti From mbabinsk at redhat.com Wed Jun 3 16:51:37 2015 
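Review bot: in the caacl.py `@@ -69` hunk, `service, hostname, realm = split_any_principal(principal)` replaces the `principal[5:]` slice, but `service` and `realm` are then unused; before host_show(hostname) is called, check `service == 'host'` and that `realm` is the expected realm (or name both `_` if the caller already guarantees them), otherwise a principal of another type or realm that reaches this branch is looked up as a host by name alone.

Review bot: the cert.py `@@ -247` hunk makes `profile_id?` optional, but no hunk shows what the command substitutes when the option is omitted; the dogtag.py hunk that turns DEFAULT_PROFILE into u'caIPAserviceCert' suggests that is the fallback, so confirm that the `profile_id is None` path selects DEFAULT_PROFILE and say so in the `doc` string, e.g. 'Certificate Profile to use (default: caIPAserviceCert)'.

Review bot: in the cert.py `@@ -346` hunk the condition `bind_principal != principal and bind_principal_type != HOST` exempts every host principal from self.check_access() when it requests a certificate for a principal other than itself; the hunk does not say what authorization covers that case, so add a comment naming the check that does (the caacl evaluation, if that is the intent) and a test for a host requesting a cert for an unrelated service, so the scope of the exemption is explicit and stays that way. The USER, HOST and SERVICE names assigned in the new branch are not introduced in this diff; confirm they exist in cert.py.

Review bot: the cert.py `@@ -359` hunk is behaviour-preserving, since `bind_principal_type != HOST` equals the old `bind_service != 'host'` given the classification added in the previous hunk; the existing comment 'host principals may bypass allowed ext check' would be clearer with one line on why a host is trusted with arbitrary CSR extensions.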
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Wed, 03 Jun 2015 18:51:37 +0200
Subject: [Freeipa-devel] [PATCH] 822 webui: topology plugin
In-Reply-To: <5565D148.4080807@redhat.com>
References: <55365A0B.1030305@redhat.com> <5555DD7F.10000@redhat.com> <55644980.9020209@redhat.com> <5565D148.4080807@redhat.com>
Message-ID: <556F3099.8040300@redhat.com>

On 05/27/2015 04:14 PM, Petr Vobornik wrote:
> On 05/26/2015 12:22 PM, Petr Vobornik wrote:
>> On 05/15/2015 01:50 PM, Petr Vobornik wrote:
>>> On 04/21/2015 04:09 PM, Petr Vobornik wrote:
>>>> First iteration of Topology plugin Web UI.
>>>>
>>>> It reflects current state of topology plugin python part which is implemented in "[PATCH] manage replication topology in the shared tree" and my wip patch.
>>>>
>>>> I expect that the server API part will change a bit therefore this will as well.
>>>>
>>>> Graphical visualization/management (ticket 4286) will be implemented in separate patch.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/4997
>>>> http://www.freeipa.org/page/V4/Manage_replication_topology
>>>>
>>>>
>>>
>>> New version attached. It requires stage user web ui patches in order to apply (I expect that user life cycle backend will be pushed sooner than topology)
>>>
>>> Changes:
>>> - Left host and Right host fields are now host comboboxes
>>> - Connectivity are radio buttons with "both, left-right, right-left, none" options
>>> - segment name is not a required field in its adder dialog
>>>
>>> IMHO "Attributes to strip", "Attributes to replicate", "Attributes for total update", "Initialize replica", "Session timeout", "Replication agreement enabled" fields should not be just free-form textboxes, but they should be more specific, e.g. a checkbox for "Replication agreement enabled" or integer for "Session timeout", but that should be modified first in the backend python plugin.
>>>
>>>
>>
>> New patchset which replaces the old patch.
>>
>> Contains Web UI for:
>> - topologysuffix, topologysegment, domain level, server
>>
>> Backend is implemented in patches:
>> - tbabej 325-9
>> - pvoborni 855, 857
>>
>>
>
> New update which reflects the API change in domain level patches. (domainlevel-show changed to domainlevel-get).
>
> Now it depends only on pvoborni 857-2, the rest was pushed.
>
>

The patches seem to do what they are supposed to do. However, I have not found any UI element implementing the 'topologysegment-refresh' functionality. Was this only an oversight or do you plan to implement it in next patch?

-- 
Martin^3 Babinsky

From jcholast at redhat.com Wed Jun 3 17:54:13 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 03 Jun 2015 19:54:13 +0200
Subject: [Freeipa-devel] [PATCH 0014 v3] Support multiple user and host certificates
In-Reply-To: <556F20E2.4010504@redhat.com>
References: <20150527135315.GC24915@dhcp-40-8.bne.redhat.com> <5565ED02.6060709@redhat.com> <20150528111804.GA23523@dhcp-40-8.bne.redhat.com> <20150601044027.GH23523@dhcp-40-8.bne.redhat.com> <556C5525.8080305@redhat.com> <20150602094227.GR23523@dhcp-40-8.bne.redhat.com> <556D8713.5030101@redhat.com> <556DB7BB.5090600@redhat.com> <556EE262.9070204@redhat.com> <556EEB43.7020108@redhat.com> <20150603132147.GY23523@dhcp-40-8.bne.redhat.com> <556F20E2.4010504@redhat.com>
Message-ID: <556F3F45.1030606@redhat.com>

On 3.6.2015 at 17:44, Martin Basti wrote:
> On 03/06/15 15:21, Fraser Tweedale wrote:
>> On Wed, Jun 03, 2015 at 01:55:47PM +0200, Milan Kubik wrote:
>>> On 06/03/2015 01:17 PM, Martin Basti wrote:
>>>> On 02/06/15 16:03, Jan Cholasta wrote:
>>>>> On 2.6.2015 at 12:36, Martin Basti wrote:
>>>>>> On 02/06/15 11:42, Fraser Tweedale wrote:
>>>>>>> On Mon, Jun 01, 2015 at 02:50:45PM +0200, Martin Basti wrote:
>>>>>>>> On 01/06/15 06:40, Fraser Tweedale wrote:
>>>>>>>>> New version of patch; ``{host,service}-show --out=FILE`` now
>>>>>>>>> writes
>>>>>>>>> all certs to FILE. Rebased on latest master.
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Fraser
>>>>>>>>>
>>>>>>>>> On Thu, May 28, 2015 at 09:18:04PM +1000, Fraser Tweedale wrote:
>>>>>>>>>> Updated patch attached. Notably restores/adds revocation
>>>>>>>>>> behaviour
>>>>>>>>>> to host-mod and service-mod.
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>> Fraser
>>>>>>>>>>
>>>>>>>>>> On Wed, May 27, 2015 at 06:12:50PM +0200, Martin Basti wrote:
>>>>>>>>>>> On 27/05/15 15:53, Fraser Tweedale wrote:
>>>>>>>>>>>> This patch adds support for multiple user / host
>>>>>>>>>>>> certificates. No
>>>>>>>>>>>> schema change is needed ('usercertificate' attribute is already
>>>>>>>>>>>> multi-value). The revoke-previous-cert behaviour of
>>>>>>>>>>>> host-mod and
>>>>>>>>>>>> user-mod has been removed but revocation behaviour of -del and
>>>>>>>>>>>> -disable is preserved.
>>>>>>>>>>>>
>>>>>>>>>>>> The latest profiles/caacl patchset (0001..0013 v5) depends
>>>>>>>>>>>> on this
>>>>>>>>>>>> patch for correct cert-request behaviour.
>>>>>>>>>>>>
>>>>>>>>>>>> There is one design question (or maybe more, let me know): the
>>>>>>>>>>>> `--out=FILENAME' option to {host,service} show saves ONE
>>>>>>>>>>>> certificate
>>>>>>>>>>>> to the named file. I propose to either:
>>>>>>>>>>>>
>>>>>>>>>>>> a) write all certs, suffixing suggested filename with either a
>>>>>>>>>>>> sequential numerical index, e.g. "cert.pem" becomes
>>>>>>>>>>>> "cert.pem.1", "cert.pem.2", and so on; or
>>>>>>>>>>>>
>>>>>>>>>>>> b) as above, but suffix with serial number and, if there are
>>>>>>>>>>>> different issuers, some issuer-identifying information.
>>>>>>>>>>>>
>>>>>>>>>>>> Let me know your thoughts.
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks,
>>>>>>>>>>>> Fraser
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>> Is there a possible way how to store certificates into one file?
>>>>>>>>>>> I read about possibilities to have multiple certs in one .pem
>>>>>>>>>>> file, but I'm
>>>>>>>>>>> not cert guru :)
>>>>>>>>>>>
>>>>>>>>>>> I personally vote for serial number in case there are multiple
>>>>>>>>>>> certificates,
>>>>>>>>>>> if ^ is not possible.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> 1)
>>>>>>>>>>> + if len(certs) > 0:
>>>>>>>>>>>
>>>>>>>>>>> please use only,
>>>>>>>>>>> if certs:
>>>>>>>>>>>
>>>>>>>>>>> 2)
>>>>>>>>>>> You need to re-generate API/ACI.txt in this patch
>>>>>>>>>>>
>>>>>>>>>>> 3)
>>>>>>>>>>> syntax error:
>>>>>>>>>>> + for dercert in certs_der
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> 4)
>>>>>>>>>>> command
>>>>>>>>>>> ipa user-mod ca_user --certificate=
>>>>>>>>>>>
>>>>>>>>>>> removes the current certificate from the LDAP, by design.
>>>>>>>>>>> Should be the old certificate(s) revoked? You removed that
>>>>>>>>>>> part in
>>>>>>>>>>> the code.
>>>>>>>>>>>
>>>>>>>>>>> only the --addattr='usercertificate=' appends new
>>>>>>>>>>> value there
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Martin Basti
>>>>>>>>>>>
>>>>>>>> My objections/proposed solutions in attached patch.
>>>>>>>>
>>>>>>>> * VERSION
>>>>>>>> * In the previous version normalized values were stored in LDAP,
>>>>>>>> so I
>>>>>>>> added
>>>>>>>> it back. (I don't know why there is no normalization in param
>>>>>>>> settings, but
>>>>>>>> normalization for every certificate is done in callback. I will
>>>>>>>> file a
>>>>>>>> ticket for this)
>>>>>>>> * IMO only normalized certificates should be compared in the old
>>>>>>>> certificates detection
>>>>>>>>
>>>>>>> I incorporated your suggested changes in new patch (attached).
>>>>>>>
>>>>>>> There were no proposed changes to the other patchset (0001..0013)
>>>>>>> since rebase.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Fraser
>>>>>> Thank you,
>>>>>> ACK
>>>>>> Martin^2
>>>>>>
>>>>> Pushed to master: 7f7c247bb5a4b0030d531f4f14c156162e808212
>>>>>
>>>> Regression found.
>>>>
>>>> Patch to fix the issue is attached.
>>>>
>>> The fix works, thanks.
>>>
>>> Milan
>> Thanks for finding, fixing and testing! ACK from me.
>>
>> I also present a fix of my own. It fixes a problem where
>> service-mod deleted all certificates when
>> '--addattr usercertificate=XXX' was used instead of
>> '--usercertificate=XXX' options.
>>
>> Cheers,
>> Fraser
> ACK
> Pushed both to master: 62e98671142cbc30366109a2a1b631c1ef0cae5c

--
Jan Cholasta

From derny at redhat.com Wed Jun 3 18:40:08 2015
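The thread above settles on two things: all certificates of an entry go into one PEM file (the new `--out=FILE` behaviour), and only normalised certificate values are compared when working out which previously stored certificates are gone (the set a revoke-on-replace step would act on). The following is an added illustration, not code from FreeIPA or from anyone in the thread. It uses only the standard library and constructed byte strings standing in for DER certificates (real X.509 parsing is out of scope), and models the difference between `--certificate=` (replace the whole multi-valued attribute) and `--addattr usercertificate=` (append, remove nothing) that the service-mod fix concerns. All function names are the example's own.

```python
import base64
import re
import textwrap

# One PEM certificate block; DOTALL so the body may span lines.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)


def normalize_certificate(value):
    """Canonicalise one certificate value to DER bytes.

    Accepts DER (bytes), a PEM block, or bare base64 that may be wrapped
    or padded with whitespace (how values arrive via --certificate and
    --addattr).  Comparing only normalised values is what makes
    'which old certificates disappeared' reliable.
    """
    if isinstance(value, bytes):
        return value                      # already DER
    match = PEM_CERT_RE.search(value)
    b64 = match.group(1) if match else value
    return base64.b64decode(re.sub(r"\s+", "", b64), validate=True)


def bare_base64(der, width=64):
    """Base64 of DER without PEM armour, wrapped at `width` columns."""
    return "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), width))


def to_pem(der):
    """Encode DER bytes as a single PEM certificate block."""
    return ("-----BEGIN CERTIFICATE-----\n" + bare_base64(der)
            + "\n-----END CERTIFICATE-----\n")


def write_bundle(certs_der):
    """All certificates of one entry in one file: concatenated PEM blocks."""
    return "".join(to_pem(der) for der in certs_der)


def read_bundle(text):
    """Split a multi-certificate PEM file back into DER values, in order."""
    return [normalize_certificate(m.group(0)) for m in PEM_CERT_RE.finditer(text)]


def apply_certificate_change(current, replace_with=None, add=None):
    """Model the two ways the multi-valued attribute is changed.

    replace_with: the --certificate=X form, replaces the whole value list
                  (an empty list clears it, as 'user-mod --certificate=' does).
    add:          the --addattr usercertificate=X form, appends only.
    Returns (resulting DER set, removed DER set).
    """
    cur = {normalize_certificate(v) for v in current}
    new = ({normalize_certificate(v) for v in replace_with}
           if replace_with is not None else set(cur))
    if add:
        new |= {normalize_certificate(v) for v in add}
    return new, cur - new


# Constructed stand-ins for DER certificates: not real X.509, only the
# leading SEQUENCE tag is realistic, but enough to exercise the logic.
CERT_A = b"\x30\x82\x00\x10" + bytes(range(16))
CERT_B = b"\x30\x82\x00\x10" + bytes(range(16, 32))
CERT_C = b"\x30\x82\x00\x10" + bytes(range(32, 48))

if __name__ == "__main__":
    bundle = write_bundle([CERT_A, CERT_B])
    print(bundle)
    print("round trip ok:", read_bundle(bundle) == [CERT_A, CERT_B])
    kept, removed = apply_certificate_change(
        [to_pem(CERT_A), bare_base64(CERT_B)],
        replace_with=[to_pem(CERT_B), to_pem(CERT_C)])
    print("kept:", len(kept), "removed (revocation candidates):", len(removed))
```

The append path returns an empty removed set by construction, which is the property the `--addattr` regression violated; a replace with an empty list removes everything, matching Martin's observation that `user-mod --certificate=` clears the attribute by design.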
From: derny at redhat.com (Drew Erny)
Date: Wed, 03 Jun 2015 14:40:08 -0400
Subject: [Freeipa-devel] [PATCH 0001 v2] Migrate now accepts scope as argument
Message-ID: <556F4A08.1040202@redhat.com>

Hi, all,

This is an updated patch, with the code changes suggested by Martin Basti in my test email. The biggest difference is that I had to do

>> from ldap import SCOPE_BASE, SCOPE_ONELEVEL, SCOPE_SUBTREE

To get access to those constants in the global scope. This seems like a fairly clean solution, but if it's a code smell, feel free to suggest improvements.

This should have identical behavior to the last patch, except it will autofill scope and no longer prompt interactively.

Thanks,

Drew Erny
derny at redhat.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-derny-0001-2-Migration-now-accepts-scope-as-argument.patch
Type: text/x-patch
Size: 4246 bytes
Desc: not available
URL:

From mrniranjan at fedoraproject.org Thu Jun 4 04:28:00 2015
From: mrniranjan at fedoraproject.org (Niranjan)
Date: Thu, 4 Jun 2015 09:58:00 +0530
Subject: [Freeipa-devel] [PATCH] Use Exception class instead of BaseException
In-Reply-To: <556EF5A3.3080903@redhat.com>
References: <20150601043325.GA5783@mniranja.pnq.redhat.com> <556EF5A3.3080903@redhat.com>
Message-ID: <20150604042800.GA4971@mniranja.pnq.redhat.com>

Petr Viktorin wrote:
> On 06/01/2015 06:33 AM, Niranjan wrote:
> > Greetings,
> >
> > I would like to present patch for replacing StandardError exception
> > with Exception class in ipapython/adminutil.py. Also replacing
> > BaseException class with Exception class.
> >
> > Though the use of StandardError is many places. I would like to start
> > with ipapython/adminutil.py
> >
> > This is my first patch. Please let me know if my approach on this is
> > correct.
> >
> > Regards
> > Niranjan
> >
> >
> > 0001-Use-Exception-class-instead-of-BaseException.patch
> >
> >
> > From 018312f76952ea86c8c6e2396657e0531d2d61ba Mon Sep 17 00:00:00 2001
> > From: Niranjan Mallapadi
> > Date: Mon, 1 Jun 2015 09:41:05 +0530
> > Subject: [PATCH] Use Exception class instead of BaseException
> >
> > 1. Replace BaseException with Exception class.
>
> I don't see a reason for this change. This is top-level CLI code that
> handles calling our Python library. We really do want to catch all
> exceptions here, including KeyboardInterrupt and SystemExit.
>
> > 2. Remove StandardError and use Exception class. StandError is deprecated (Python3)
>
> I'm okay with this change, as long as tests still pass.
>
> > 3. From python3.0 use of , is not recommended, instead
> > use "as" keyword (PEP 3110)
>
> +1

I will send a modified patch and also run tests before sending them.
Thanks a lot for the review.

>
> --
> Petr Viktorin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 311 bytes
Desc: not available
URL:

From ftweedal at redhat.com Thu Jun 4 06:59:44 2015
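Petr's objection is that a top-level CLI entry point wants `except BaseException`, because `except Exception` lets KeyboardInterrupt and SystemExit escape before the failure is logged and turned into a return value. The following added example (not FreeIPA's admintool code; `execute`, `handle_error`, `escapes` and the `catch_all` switch are this example's own names) shows both behaviours side by side in Python 3, using the PEP 3110 `except ... as` syntax throughout:

```python
import logging
import sys

logger = logging.getLogger("admintool_example")


class ScriptError(Exception):
    """An error carrying a message and the process return value.
    Derives from Exception, not the Python 2-only StandardError."""

    def __init__(self, msg="", rval=1):
        super().__init__(msg)
        self.msg = msg
        self.rval = rval


def handle_error(exception):
    """Map any raised object to (message, return value)."""
    if isinstance(exception, ScriptError):
        return exception.msg, exception.rval
    if isinstance(exception, SystemExit):
        code = exception.code
        if code is None:
            return "", 0
        if isinstance(code, int):
            return "exited with status %d" % code, code
        return str(code), 1            # sys.exit("message") convention
    if isinstance(exception, KeyboardInterrupt):
        return "Cancelled.", 1
    return "%s: %s" % (type(exception).__name__, exception), 1


def execute(run, catch_all=True):
    """Top-level runner in the shape of an AdminTool.execute().

    catch_all=True  uses `except BaseException`: SystemExit and
                    KeyboardInterrupt are logged and become a return value.
    catch_all=False uses `except Exception`: those two escape execute(),
                    so the tool dies without its failure being logged.
    """
    catch = BaseException if catch_all else Exception
    try:
        return_value = run()
    except catch as exception:         # any expression is legal after `except`
        error_message, return_value = handle_error(exception)
        if return_value:
            logger.error("%s (return value %d)", error_message, return_value)
        return return_value
    logger.info("success")
    return return_value


def raise_(exception):
    """Helper so a lambda can raise: lambda: raise_(SystemExit(3))."""
    raise exception


def escapes(run, catch_all):
    """True when execute() lets the exception out instead of returning."""
    try:
        execute(run, catch_all=catch_all)
    except BaseException:
        return True
    return False


def caught_by_except_exception(exc_type):
    """Whether an `except Exception:` clause would catch exc_type."""
    return issubclass(exc_type, Exception)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    sys.exit(execute(lambda: raise_(ScriptError("nothing to do", 2))))
```

With `catch_all=True`, `sys.exit(3)` inside the tool still passes through `handle_error` and `log_failure`-style logging and comes back as 3; with `catch_all=False` it unwinds straight out of `execute`, which is the behaviour the original patch's `except Exception` would have introduced.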
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Thu, 4 Jun 2015 16:59:44 +1000
Subject: [Freeipa-devel] [PATCHES 0001-0013 v7] Profiles and CA ACLs
In-Reply-To: <556F3009.1090503@redhat.com>
References: <55670D4D.9080302@redhat.com> <20150529041754.GE23523@dhcp-40-8.bne.redhat.com> <55682FB0.1030807@redhat.com> <55684792.3070006@redhat.com> <20150601071058.GI23523@dhcp-40-8.bne.redhat.com> <20150601072228.GJ23523@dhcp-40-8.bne.redhat.com> <20150602121127.GU23523@dhcp-40-8.bne.redhat.com> <556DDBD6.70007@redhat.com> <20150603141717.GZ23523@dhcp-40-8.bne.redhat.com> <556F3009.1090503@redhat.com>
Message-ID: <20150604065944.GB23523@dhcp-40-8.bne.redhat.com>

On Wed, Jun 03, 2015 at 06:49:13PM +0200, Martin Basti wrote:
> On 03/06/15 16:17, Fraser Tweedale wrote:
> >On Tue, Jun 02, 2015 at 06:37:42PM +0200, Martin Basti wrote:
> >>On 02/06/15 14:11, Fraser Tweedale wrote:
> >>>On Mon, Jun 01, 2015 at 05:22:28PM +1000, Fraser Tweedale wrote:
> >>>>On Mon, Jun 01, 2015 at 05:10:58PM +1000, Fraser Tweedale wrote:
> >>>>>On Fri, May 29, 2015 at 01:03:46PM +0200, Martin Kosek wrote:
> >>>>>>On 05/29/2015 11:21 AM, Martin Basti wrote:
> >>>>>>>On 29/05/15 06:17, Fraser Tweedale wrote:
> >>>>>>>>On Thu, May 28, 2015 at 02:42:53PM +0200, Martin Basti wrote:
> >>>>>>>>>On 28/05/15 11:48, Martin Basti wrote:
> >>>>>>>>>>On 27/05/15 16:04, Fraser Tweedale wrote:
> >>>>>>>>>>>Hello all,
> >>>>>>>>>>>
> >>>>>>>>>>>Fresh certificate management patchset; Changelog:
> >>>>>>>>>>>
> >>>>>>>>>>>- Now depends on patch freeipa-ftweedal-0014 for correct
> >>>>>>>>>>>cert-request behaviour with host and service principals.
> >>>>>>>>>>>
> >>>>>>>>>>>- Updated Dogtag dependency to 10.2.4-1. Should be in
> >>>>>>>>>>>f22 soon, but for f22 right now or for f21, please grab from my
> >>>>>>>>>>>copr: https://copr.fedoraproject.org/coprs/ftweedal/freeipa/
> >>>>>>>>>>>
> >>>>>>>>>>> Martin^1 could you please add to the quasi-official freeipa
> >>>>>>>>>>> copr? SRPM lives at
> >>>>>>>>>>> https://frase.id.au/pki-core-10.2.4-1.fc21.src.rpm.
> >>>>>>>>>>>
> >>>>>>>>>>>- cert-request now verifies that for user principals, CSR CN
> >>>>>>>>>>>matches uid and, DN emailAddress and SAN rfc822Name match user's
> >>>>>>>>>>>email address, if either of those is present.
> >>>>>>>>>>>
> >>>>>>>>>>>- Fixed one or two other sneaky little bugs.
> >>>>>>>>>>>
> >>>>>>>>>>>On Wed, May 27, 2015 at 01:59:30AM +1000, Fraser Tweedale wrote:
> >>>>>>>>>>>>Hi all,
> >>>>>>>>>>>>
> >>>>>>>>>>>>Please find attached the latest certificate management
> >>>>>>>>>>>>patchset, which introduces the `caacl' plugin and various fixes
> >>>>>>>>>>>>and improvements to earlier patches.
> >>>>>>>>>>>>
> >>>>>>>>>>>>One important change to earlier patches is reverting the name
> >>>>>>>>>>>>of the default profile to 'caIPAserviceCert' and using the
> >>>>>>>>>>>>existing instance of this profile on upgrade (but not install)
> >>>>>>>>>>>>in case it has been modified.
> >>>>>>>>>>>>
> >>>>>>>>>>>>Other notes:
> >>>>>>>>>>>>
> >>>>>>>>>>>>- Still have changes in ipa-server-install (fewer lines now,
> >>>>>>>>>>>>though)
> >>>>>>>>>>>>
> >>>>>>>>>>>>- Still have the ugly import hack. It is not a high priority
> >>>>>>>>>>>>for me, i.e. I think it should wait until after alpha
> >>>>>>>>>>>>
> >>>>>>>>>>>>- Still need to update 'service' and 'host' plugins to support
> >>>>>>>>>>>>multiple certificates. (The userCertificate attribute schema
> >>>>>>>>>>>>itself is multi-valued, so there are no schema issues here)
> >>>>>>>>>>>>
> >>>>>>>>>>>>- The TODOs in [1]; mostly certprofile CLI conveniences and
> >>>>>>>>>>>>supporting multiple profiles for hosts and services (which
> >>>>>>>>>>>>requires changes to framework only, not schema). [1]:
> >>>>>>>>>>>>http://idm.etherpad.corp.redhat.com/rhel72-cert-mgmt-progress
> >>>>>>>>>>>>
> >>>>>>>>>>>>Happy reviewing! I am pleased with the initial cut of the
> >>>>>>>>>>>>caacl plugin but I'm sure you will find some things to be fixed
> >>>>>>>>>>>>:)
> >>>>>>>>>>>>
> >>>>>>>>>>>>Cheers, Fraser
> >>>>>>>>>>[root at vm-093 ~]# ipa-replica-prepare vm-094.example.com
> >>>>>>>>>>--ip-address 10.34.78.94 Directory Manager (existing master)
> >>>>>>>>>>password:
> >>>>>>>>>>
> >>>>>>>>>>Preparing replica for vm-094.example.com from vm-093.example.com
> >>>>>>>>>>Creating SSL certificate for the Directory Server not well-formed
> >>>>>>>>>>(invalid token): line 2, column 14
> >>>>>>>>>>
> >>>>>>>>>>I cannot create replica file. It works on the upgraded server,
> >>>>>>>>>>but it doesn't work on the newly installed server. I'm not sure
> >>>>>>>>>>if this is caused by your patches which modify the ca-installer, or
> >>>>>>>>>>the newer version of dogtag.
> >>>>>>>>>>
> >>>>>>>>>>Or if there were any other changes in master, I will continue to
> >>>>>>>>>>investigate with new RPM from master branch.
> >>>>>>>>>>
> >>>>>>>>>>Martin^2
> >>>>>>>>>>
> >>>>>>>>>ipa-replica-prepare works for: * master branch * master branch +
> >>>>>>>>>pki-ca 10.2.4-1
> >>>>>>>>>
> >>>>>>>>>So something in your patches is breaking it
> >>>>>>>>>
> >>>>>>>>>Martin^2
> >>>>>>>>>
> >>>>>>>>Martin, master + my patches with pki 10.2.4-1 is working for me on
> >>>>>>>>f21 and f22. Can you provide ipa-replica-prepare --debug output and
> >>>>>>>>Dogtag debug log? ( /var/log/pki/pki-tomcat/ca/debug )
> >>>>>>>>
> >>>>>>>>Thanks,
> >>>>>>>>Fraser
> >>>>>>>I can not reproduce it today. And I already recycled the VMs from yesterday. :-(
> >>>>>>>
> >>>>>>In that case I would suggest ACKing&pushing the patch and fixing the bug if
> >>>>>>it comes again. The tree may now be a bit unstable, given the number of
> >>>>>>patches going in.
> >>>>>>
> >>>>>>My main motivation here is to unblock Fraser.
> >>>>>>
> >>>>>>Thanks,
> >>>>>>Martin
> >>>>>Rebased patchset attached; no other changes.
> >>>>Heads up: I just discovered I have introduced a bug with > >>>>ipa-replica-install, when it is spawning the CA instance. I think > >>>>replication it only causes issues with ``--setup-ca``. > >>>> > >>>>I will try and sort it out tomorrow or later tonight (I have to head > >>>>out for a few hours now, though); and I'm not suggesting it should > >>>>block the push but it's something to be aware of. > >>>> > >>>>Cheers, > >>>>Fraser > >>>> > >>>New patchset attached ; haven't gotten to the bottom of the > >>>ipa-replica-install issue mentioned above, but it fixes an upgrade > >>>bug. > >>> > >>>The change is: > >>> > >>>diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py > >>>index c288282..c5f4d37 100644 > >>>--- a/ipaserver/install/server/upgrade.py > >>>+++ b/ipaserver/install/server/upgrade.py > >>>@@ -316,7 +316,7 @@ def ca_enable_ldap_profile_subsystem(ca): > >>> caconfig.CS_CFG_PATH, > >>> directive, > >>> separator='=') > >>>- if value == 'ProfileSubsystem': > >>>+ if value == 'com.netscape.cmscore.profile.ProfileSubsystem': > >>> needs_update = True > >>> break > >>> except OSError, e: 
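Review bot: the string compared against `value` in this hunk and the string passed to `set_directive` in the next hunk are two hand-typed fully-qualified class names that have to agree; the bug this hunk fixes looks like exactly that kind of drift (the bare `ProfileSubsystem` presumably never matched what CS.cfg stores, so `needs_update` stayed False and the upgrade silently did nothing). Define `com.netscape.cmscore.profile.ProfileSubsystem` and `com.netscape.cmscore.profile.LDAPProfileSubsystem` once as module-level constants and use them in both places. The unchanged `except OSError, e:` in the trailing context is the comma form that PEP 3110 deprecates; since the function is being touched anyway, `except OSError as e:` would be worth folding in.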
> >>>@@ -328,7 +328,7 @@ def ca_enable_ldap_profile_subsystem(ca): > >>> installutils.set_directive( > >>> caconfig.CS_CFG_PATH, > >>> directive, > >>>- 'LDAPProfileSubsystem', > >>>+ 'com.netscape.cmscore.profile.LDAPProfileSubsystem', > >>> quotes=False, > >>> separator='=') > >>> > >>>Cheers, > >>>Fraser > >>> > >>> > >>Thank you, > >> > >>1) > >>ipa-getcert request (getcert -c IPA) > >>doesnt work, > >> > >>Request ID '20150602145845': > >> status: CA_REJECTED > >> ca-error: Server at https://vm-137.example.com/ipa/xml denied our > >>request, giving up: 3007 (RPC failed at server. 'profile_id' is required). > >> > >>2) > >>Error from rpm install > >>Unexpected error - see /var/log/ipaupgrade.log for details: > >>SkipPluginModule: dogtag not selected as RA plugin > >> > >>Just for record as known issue, this will be fixed later in a new patch. > >> > >>3) > >>+ Str('profile_id', validate_profile_id, > >>+ label=_("Profile ID"), > >>+ doc=_("Certificate Profile to use"), > >>+ ) > >>Please mark this param as optional. ('profile_id?') > >>This will fix issue 1, but 1 will need a option to specify profile_id > >> > >>Also move API related change from patch 9 to patch 11 + increment VERSION > >> > >>4) > >>* Maybe I do everything wrong :) > >> > >> I'm not able to create certificate stored in FILE, via ipa-getcert request. > >>I'm getting error: > >>status: CA_UNREACHABLE > >> ca-error: Server at https://vm-137.example.com/ipa/xml failed request, > >>will retry: 4001 (RPC failed at server. vm-137.example.com at example.com: host > >>not found). > >> > >>or error: > >>Request ID '20150602154115': > >> status: CA_REJECTED > >> ca-error: Server at https://vm-137.example.com/ipa/xml denied our > >>request, giving up: 2100 (RPC failed at server. Insufficient access: not > >>allowed to perform this command). 
> >>(I'm root and kinited as admin) > >> > >>Maybe additional ACI is required for cert_request as it is VirtualCommand > >> > >> > >>-- > >>Martin Basti > >> > >Thanks for report. Attached patchset should fix the certmonger > >issues, and also makes cert-request --profile-id argument optional. > > > >The changes were fixup'd into the appropriate patches but the > >combined diff follows. (Note that the API.txt and VERSION changes > >you recommended were executed but are missing from this diff.) > > > >Thanks, > >Fraser > > > >diff --git a/ipalib/plugins/caacl.py b/ipalib/plugins/caacl.py > >index c09df86..a9dde86 100644 > >--- a/ipalib/plugins/caacl.py > >+++ b/ipalib/plugins/caacl.py > >@@ -12,7 +12,7 @@ from ipalib.plugins.baseldap import ( > > LDAPUpdate, LDAPRetrieve, LDAPAddMember, LDAPRemoveMember, > > pkey_to_value) > > from ipalib.plugins.certprofile import validate_profile_id > >-from ipalib.plugins.service import normalize_principal > >+from ipalib.plugins.service import normalize_principal, split_any_principal > > from ipalib import _, ngettext > > from ipapython.dn import DN > >@@ -69,7 +69,7 @@ def _acl_make_request(principal_type, principal, ca_ref, profile_id): > > groups = user_obj.get('memberof_group', []) > > groups += user_obj.get('memberofindirect_group', []) > > elif principal_type == 'host': > >- hostname = principal[5:] > >+ service, hostname, realm = split_any_principal(principal) > > host_obj = api.Command.host_show(hostname)['result'] > > groups = host_obj.get('memberof_hostgroup', []) > > groups += host_obj.get('memberofindirect_hostgroup', []) > >diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py > >index 70ae610..1878e5a 100644 > >--- a/ipalib/plugins/cert.py > >+++ b/ipalib/plugins/cert.py 
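Review bot: in the caacl.py `@@ -69` hunk above, `split_any_principal(principal)` now yields the bare hostname where `principal[5:]` left the `@REALM` suffix attached (which would account for the "host not found" RPC error reported earlier in the thread), but `service` and `realm` are unpacked and then never used. If `_acl_make_request` is only ever reached with a local-realm host principal, name them `_` so that is explicit; otherwise compare `realm` against `api.env.realm` before calling `host_show`, so an evaluation for a foreign-realm principal fails closed instead of resolving a same-named local host entry.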
> >@@ -247,7 +247,7 @@ class cert_request(VirtualCommand): > > default=False, > > autofill=True > > ), > >- Str('profile_id', validate_profile_id, > >+ Str('profile_id?', validate_profile_id, > > label=_("Profile ID"), > > doc=_("Certificate Profile to use"), > > ) > >@@ -346,7 +346,14 @@ class cert_request(VirtualCommand): > > bind_principal = split_any_principal(getattr(context, 'principal')) > > bind_service, bind_name, bind_realm = bind_principal > >- if bind_principal != principal: > >+ if bind_service is None: > >+ bind_principal_type = USER > >+ elif bind_service == 'host': > >+ bind_principal_type = HOST > >+ else: > >+ bind_principal_type = SERVICE > >+ > >+ if bind_principal != principal and bind_principal_type != HOST: > > # Can the bound principal request certs for another principal? > > self.check_access() > >@@ -359,7 +366,7 @@ class cert_request(VirtualCommand): > > error=_("Failure decoding Certificate Signing Request: %s") % e) > > # host principals may bypass allowed ext check > >- if bind_service != 'host': > >+ if bind_principal_type != HOST: > > for ext in extensions: > > operation = self._allowed_extensions.get(ext) > > if operation: > >diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py > >index 659751e..53085f7 100644 > >--- a/ipapython/dogtag.py > >+++ b/ipapython/dogtag.py 
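Review bot: in the cert.py `@@ -346` hunk above, `if bind_principal != principal and bind_principal_type != HOST:` skips `self.check_access()` for every host principal regardless of which principal the certificate is being requested for, so a host credential can request a certificate for a user or for another host's service without passing the virtual-operation check that the comment ("Can the bound principal request certs for another principal?") describes; the old code exempted nobody. If hosts are meant to be gated only by a CA ACL evaluation elsewhere in the command, say so in a code comment and in the commit message, and consider narrowing the bypass to targets the host actually manages rather than all principals. The `bind_principal_type != HOST` test in the `@@ -359` hunk merely restates the existing extension-check exemption and is fine.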
> >@@ -47,7 +47,7 @@ INCLUDED_PROFILES = { > > (u'caIPAserviceCert', u'Standard profile for network services', True), > > } > >-DEFAULT_PROFILE = 'caIPAserviceCert' > >+DEFAULT_PROFILE = u'caIPAserviceCert' > > class Dogtag10Constants(object): > > DOGTAG_VERSION = 10 > > Should the user certificates behave in the same way as host and service > certificates, i.e should be revoked after user-del or user-mod operation?? > If yes it would be an additional patch. > > Please move API.txt fragment from patch 9 to patch 11 > With this change ACK for patches 1-11, to unblock testing. For patches 12-13 > I need more time. > > -- > Martin Basti > Updated patches attached. Only your requested change for 1-11. For 12-13 (caacl plugin) it was updated to LDAPAddMember and LDAPRemoveMember functionality for adding profiles to ACL - this has the desirable effect of making sure the profile actually exists :) Thanks, Fraser -------------- next part -------------- From 21763ac6410533ab49d036b698623f8617b6d2db Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Mon, 20 Apr 2015 23:20:19 -0400 Subject: [PATCH 01/13] Install CA with LDAP profiles backend Install the Dogtag CA to use the LDAPProfileSubsystem instead of the default (file-based) ProfileSubsystem. Part of: https://fedorahosted.org/freeipa/ticket/4560 --- freeipa.spec.in | 6 +++--- ipaserver/install/cainstance.py | 1 + 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 09dd66eec71cec714a31a42809c940ac08a5a84e..2f259234945be874aede64ca7c3ce04bdf467b64 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -92,7 +92,7 @@ BuildRequires: python-backports-ssl_match_hostname BuildRequires: softhsm-devel >= 2.0.0b1-3 BuildRequires: openssl-devel BuildRequires: p11-kit-devel -BuildRequires: pki-base >= 10.2.1-0.1 +BuildRequires: pki-base >= 10.2.4-1 BuildRequires: python-pytest-multihost >= 0.5 BuildRequires: python-pytest-sourceorder 
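Review bot: the `BuildRequires: pki-base >= 10.2.4-1` bump in this hunk (and the matching `pki-ca` / `pki-kra` bumps in the next one) make the package unbuildable and uninstallable wherever only 10.2.1 ships; the thread above says 10.2.4-1 is currently available only from a copr. The commit message should state the minimum Dogtag version and the reason for it (the `pki_profiles_in_ldap` pkispawn option this patch relies on), so the dependency is not a surprise for packagers.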
@@ -135,8 +135,8 @@ Requires(post): systemd-units Requires: selinux-policy >= %{selinux_policy_version} Requires(post): selinux-policy-base Requires: slapi-nis >= 0.54.2-1 -Requires: pki-ca >= 10.2.1-0.2 -Requires: pki-kra >= 10.2.1-0.1 +Requires: pki-ca >= 10.2.4-1 +Requires: pki-kra >= 10.2.4-1 Requires(preun): python systemd-units Requires(postun): python systemd-units Requires: python-dns >= 1.11.1 diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 5133940687204b615eec56b6a89542ddd5617539..030c9f12daba4b38b748da8940e38d3cf2109788 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -503,6 +503,7 @@ class CAInstance(DogtagInstance): config.set("CA", "pki_restart_configured_instance", "False") config.set("CA", "pki_backup_keys", "True") config.set("CA", "pki_backup_password", self.admin_password) + config.set("CA", "pki_profiles_in_ldap", "True") # Client security database config.set("CA", "pki_client_database_dir", self.agent_db) -- 2.1.0 -------------- next part -------------- From a4dcac5c7d431fedac0ca3105bd7e4659f76512e Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 21 Apr 2015 02:24:10 -0400 Subject: [PATCH 02/13] Add schema for certificate profiles The certprofile object class is used to track IPA-managed certificate profiles in Dogtag and store IPA-specific settings. Part of: https://fedorahosted.org/freeipa/ticket/57 --- install/share/60certificate-profiles.ldif | 3 +++ install/share/Makefile.am | 1 + install/share/bootstrap-template.ldif | 12 ++++++++++++ ipaserver/install/dsinstance.py | 1 + 4 files changed, 17 insertions(+) create mode 100644 install/share/60certificate-profiles.ldif diff --git a/install/share/60certificate-profiles.ldif b/install/share/60certificate-profiles.ldif new file mode 100644 index 0000000000000000000000000000000000000000..f1281949e53386e5bfe8b35e0c15858c693c5467 --- /dev/null +++ b/install/share/60certificate-profiles.ldif 
@@ -0,0 +1,3 @@ +dn: cn=schema +attributeTypes: (2.16.840.1.113730.3.8.21.1.1 NAME 'ipaCertProfileStoreIssued' DESC 'Store certificates issued using this profile' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.2' ) +objectClasses: (2.16.840.1.113730.3.8.21.2.1 NAME 'ipaCertProfile' SUP top STRUCTURAL MUST ( cn $ description $ ipaCertProfileStoreIssued ) X-ORIGIN 'IPA v4.2' ) diff --git a/install/share/Makefile.am b/install/share/Makefile.am index 8d336690f184025f8199ed1d2c57d8274f0d3886..f44772b20c173c6fe43503716f40454f6f6b6f11 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -16,6 +16,7 @@ app_DATA = \ 60basev3.ldif \ 60ipadns.ldif \ 60ipapk11.ldif \ + 60certificate-profiles.ldif \ 61kerberos-ipav3.ldif \ 65ipacertstore.ldif \ 65ipasudo.ldif \ diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif index 06b82aa4ae74e7766d0c09a63aa75fa222e7ab7d..c5d4bad8b80640881f4631e4873a12c82b0ea48a 100644 --- a/install/share/bootstrap-template.ldif +++ b/install/share/bootstrap-template.ldif @@ -429,3 +429,15 @@ cn: ${REALM}_id_range ipaBaseID: $IDSTART ipaIDRangeSize: $IDRANGE_SIZE ipaRangeType: ipa-local + +dn: cn=ca,$SUFFIX +changetype: add +objectClass: nsContainer +objectClass: top +cn: ca + +dn: cn=certprofiles,cn=ca,$SUFFIX +changetype: add +objectClass: nsContainer +objectClass: top +cn: certprofiles diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 064a2ab1db61b465638a77e13e1d9ea43b1cce63..2acab13f247ed18a750f0e1cbbd98f4e63718c03 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -57,6 +57,7 @@ IPA_SCHEMA_FILES = ("60kerberos.ldif", "60basev3.ldif", "60ipapk11.ldif", "60ipadns.ldif", + "60certificate-profiles.ldif", "61kerberos-ipav3.ldif", "65ipacertstore.ldif", "65ipasudo.ldif", -- 2.1.0 -------------- next part -------------- From 7871cfc930520cdb030fb8288c484e480f529e44 Mon Sep 17 00:00:00 2001 
From: Fraser Tweedale Date: Wed, 29 Apr 2015 06:07:58 -0400 Subject: [PATCH 03/13] ipa-pki-proxy: provide access to profiles REST API Part of: https://fedorahosted.org/freeipa/ticket/57 --- install/conf/ipa-pki-proxy.conf | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf index 5d21156848f3b5ddf14c42d92a26a30a9f94af36..366ca15a1868758547f9f1d3334fddba38793083 100644 --- a/install/conf/ipa-pki-proxy.conf +++ b/install/conf/ipa-pki-proxy.conf @@ -1,4 +1,4 @@ -# VERSION 5 - DO NOT REMOVE THIS LINE +# VERSION 6 - DO NOT REMOVE THIS LINE ProxyRequests Off @@ -11,7 +11,7 @@ ProxyRequests Off # matches for admin port and installer - + NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate NSSVerifyClient none ProxyPassMatch ajp://localhost:$DOGTAG_PORT @@ -26,5 +26,13 @@ ProxyRequests Off ProxyPassReverse ajp://localhost:$DOGTAG_PORT +# matches for REST API + + NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate + NSSVerifyClient require + ProxyPassMatch ajp://localhost:$DOGTAG_PORT + ProxyPassReverse ajp://localhost:$DOGTAG_PORT + + # Only enable this on servers that are not generating a CRL ${CLONE}RewriteRule ^/ipa/crl/MasterCRL.bin https://$FQDN/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC] -- 2.1.0 -------------- next part -------------- From eeb025018019910f56e9395bb3d94f50e85497e2 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Thu, 30 Apr 2015 23:50:41 -0400 Subject: [PATCH 04/13] Add ACL to allow CA agent to modify profiles Part of: https://fedorahosted.org/freeipa/ticket/57 --- ipaserver/install/cainstance.py | 29 +++++++++++++++++++++++++++++ ipaserver/install/server/upgrade.py | 11 +++++++++++ 2 files changed, 40 insertions(+) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 030c9f12daba4b38b748da8940e38d3cf2109788..871581b4afc5df854b9a090ef51bb0ad3b3871ee 100644 
--- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -469,6 +469,7 @@ class CAInstance(DogtagInstance): self.step("requesting RA certificate from CA", self.__request_ra_certificate) self.step("issuing RA agent certificate", self.__issue_ra_cert) self.step("adding RA agent as a trusted user", self.__configure_ra) + self.step("authorizing RA to modify profiles", self.__configure_profiles_acl) self.step("configure certmonger for renewals", self.configure_certmonger_renewal) self.step("configure certificate renewals", self.configure_renewal) if not self.clone: @@ -940,6 +941,10 @@ class CAInstance(DogtagInstance): conn.unbind() + def __configure_profiles_acl(self): + """Allow the Certificate Manager Agents group to modify profiles.""" + configure_profiles_acl() + def __run_certutil(self, args, database=None, pwd_file=None, stdin=None): if not database: database = self.ra_agent_db @@ -1825,6 +1830,30 @@ def update_people_entry(dercert): return True +def configure_profiles_acl(): + server_id = installutils.realm_to_serverid(api.env.realm) + dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id + updated = False + + dn = DN(('cn', 'aclResources'), ('o', 'ipaca')) + rule = ( + 'certServer.profile.configuration:read,modify:allow (read,modify) ' + 'group="Certificate Manager Agents":' + 'Certificate Manager agents may modify (create/update/delete) and read profiles' + ) + modlist = [(ldap.MOD_ADD, 'resourceACLS', [rule])] + + conn = ldap2.ldap2(shared_instance=False, ldap_uri=dogtag_uri) + if not conn.isconnected(): + conn.connect(autobind=True) + rules = conn.get_entry(dn).get('resourceACLS', []) + if rule not in rules: + conn.conn.modify_s(str(dn), modlist) + updated = True + + conn.disconnect() + return updated + if __name__ == "__main__": standard_logging_setup("install.log") ds = dsinstance.DsInstance() 
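Review bot: `configure_profiles_acl()` in the `@@ -1825` hunk grants `certServer.profile.configuration:read,modify` to the whole `Certificate Manager Agents` group, so from now on every agent certificate, the IPA RA included, can create, update and delete Dogtag profiles; the only thing standing between an IPA user and a profile change is then the IPA-side permission check, and the docstring and commit message should say so explicitly. Two smaller points: `conn.disconnect()` is skipped if `get_entry` or `modify_s` raises, so the body wants a `try/finally`; and the hunk uses `ldap.MOD_ADD` and `conn.conn.modify_s` without adding an `import ldap` to cainstance.py, so confirm the module already imports python-ldap directly rather than picking it up transitively.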
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 9d1fd92b73eaf673ddfef01dc86b8dae5efc028a..0ea6bd7b4db70caf43637a60ddd1ad1f58b6e48e 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -289,6 +289,16 @@ def setup_firefox_extension(fstore): http.setup_firefox_extension(realm, domain) +def ca_configure_profiles_acl(ca): + root_logger.info('[Authorizing RA Agent to modify profiles]') + + if not ca.is_configured(): + root_logger.info('CA is not configured') + return False + + return cainstance.configure_profiles_acl() + + def upgrade_ipa_profile(ca, domain, fqdn): """ Update the IPA Profile provided by dogtag @@ -1370,6 +1380,7 @@ def upgrade_configuration(): upgrade_ipa_profile(ca, api.env.domain, fqdn), certificate_renewal_update(ca), ca_enable_pkix(ca), + ca_configure_profiles_acl(ca), ]) if ca_restart: -- 2.1.0 -------------- next part -------------- From e02b1388cf8f3d3ba1a991172f0cd7d6535e5b34 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Thu, 30 Apr 2015 04:55:29 -0400 Subject: [PATCH 05/13] Add certprofile plugin Add the 'certprofile' plugin which defines the commands for managing certificate profiles and associated permissions. Also update Dogtag network code in 'ipapython.dogtag' to support headers and arbitrary request bodies, to facilitate use of the Dogtag profiles REST API. Part of: https://fedorahosted.org/freeipa/ticket/57 --- ACI.txt | 8 ++ API.txt | 62 +++++++++ install/updates/40-certprofile.update | 9 ++ install/updates/40-delegation.update | 8 ++ install/updates/Makefile.am | 1 + ipalib/constants.py | 1 + ipalib/plugins/certprofile.py | 253 ++++++++++++++++++++++++++++++++++ ipapython/dogtag.py | 29 ++-- ipaserver/plugins/dogtag.py | 176 ++++++++++++++++++++++- 9 files changed, 534 insertions(+), 13 deletions(-) create mode 100644 install/updates/40-certprofile.update create mode 100644 ipalib/plugins/certprofile.py 
diff --git a/ACI.txt b/ACI.txt index 1821696fda912fdd11149062f9feaf4edcf0adfd..543d8da69fb2adf79dc9821fb24028717670326a 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -22,6 +22,14 @@ dn: cn=automount,dc=ipa,dc=example aci: (targetattr = "automountmapname || description")(targetfilter = "(objectclass=automountmap)")(version 3.0;acl "permission:System: Modify Automount Maps";allow (write) groupdn = "ldap:///cn=System: Modify Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=automount,dc=ipa,dc=example aci: (targetfilter = "(objectclass=automountmap)")(version 3.0;acl "permission:System: Remove Automount Maps";allow (delete) groupdn = "ldap:///cn=System: Remove Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certprofiles,cn=ca,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Delete Certificate Profile";allow (delete) groupdn = "ldap:///cn=System: Delete Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certprofiles,cn=ca,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Import Certificate Profile";allow (add) groupdn = "ldap:///cn=System: Import Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certprofiles,cn=ca,dc=ipa,dc=example +aci: (targetattr = "cn || description || ipacertprofilestoreissued")(targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Modify Certificate Profile";allow (write) groupdn = "ldap:///cn=System: Modify Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certprofiles,cn=ca,dc=ipa,dc=example +aci: (targetattr = "cn || createtimestamp || description || entryusn || ipacertprofilestoreissued || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Read Certificate Profiles";allow (compare,read,search) userdn = "ldap:///all";) dn: cn=ipaconfig,cn=etc,dc=ipa,dc=example aci: (targetattr = "cn || createtimestamp || entryusn || ipacertificatesubjectbase || ipaconfigstring || ipacustomfields || 
ipadefaultemaildomain || ipadefaultloginshell || ipadefaultprimarygroup || ipagroupobjectclasses || ipagroupsearchfields || ipahomesrootdir || ipakrbauthzdata || ipamaxusernamelength || ipamigrationenabled || ipapwdexpadvnotify || ipasearchrecordslimit || ipasearchtimelimit || ipaselinuxusermapdefault || ipaselinuxusermaporder || ipauserauthtype || ipauserobjectclasses || ipausersearchfields || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaguiconfig)")(version 3.0;acl "permission:System: Read Global Configuration";allow (compare,read,search) userdn = "ldap:///all";) dn: cn=costemplates,cn=accounts,dc=ipa,dc=example diff --git a/API.txt b/API.txt index 6520f2c428342cdd30b0db830ed4ddbc89e4302a..81aca14afcaa5234ad218b8d84f3bc8efc734c9d 100644 --- a/API.txt +++ b/API.txt 
@@ -509,6 +509,68 @@ args: 1,1,1 arg: Str('request_id') option: Str('version?', exclude='webui') output: Output('result', None, None) +command: certprofile_del +args: 1,2,3 +arg: Str('cn', attribute=True, cli_name='id', multivalue=True, primary_key=True, query=True, required=True) +option: Flag('continue', autofill=True, cli_name='continue', default=False) +option: Str('version?', exclude='webui') +output: Output('result', , None) +output: Output('summary', (, ), None) +output: ListOfPrimaryKeys('value', None, None) +command: certprofile_find +args: 1,9,4 +arg: Str('criteria?', noextrawhitespace=False) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('cn', attribute=True, autofill=False, cli_name='id', multivalue=False, primary_key=True, query=True, required=False) +option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, query=True, required=False) +option: Bool('ipacertprofilestoreissued', attribute=True, autofill=False, cli_name='store', default=True, multivalue=False, query=True, required=False) +option: Flag('pkey_only?', autofill=True, default=False) +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Int('sizelimit?', autofill=False, minvalue=0) +option: Int('timelimit?', autofill=False, minvalue=0) +option: Str('version?', exclude='webui') +output: Output('count', , None) +output: ListOfEntries('result', (, ), Gettext('A list of LDAP entries', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: Output('truncated', , None) +command: certprofile_import +args: 1,6,3 +arg: Str('cn', attribute=True, cli_name='id', multivalue=False, primary_key=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('description', attribute=True, cli_name='desc', multivalue=False, required=True) +option: File('file', cli_name='file') +option: 
Bool('ipacertprofilestoreissued', attribute=True, cli_name='store', default=True, multivalue=False, required=True) +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('version?', exclude='webui') +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) +command: certprofile_mod +args: 1,10,3 +arg: Str('cn', attribute=True, cli_name='id', multivalue=False, primary_key=True, query=True, required=True) +option: Str('addattr*', cli_name='addattr', exclude='webui') +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('delattr*', cli_name='delattr', exclude='webui') +option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, required=False) +option: Bool('ipacertprofilestoreissued', attribute=True, autofill=False, cli_name='store', default=True, multivalue=False, required=False) +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('rename', cli_name='rename', multivalue=False, primary_key=True, required=False) +option: Flag('rights', autofill=True, default=False) +option: Str('setattr*', cli_name='setattr', exclude='webui') +option: Str('version?', exclude='webui') +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) +command: certprofile_show +args: 1,4,3 +arg: Str('cn', attribute=True, cli_name='id', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Flag('rights', autofill=True, default=False) +option: Str('version?', exclude='webui') +output: 
Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) command: compat_is_enabled args: 0,1,1 option: Str('version?', exclude='webui') diff --git a/install/updates/40-certprofile.update b/install/updates/40-certprofile.update new file mode 100644 index 0000000000000000000000000000000000000000..6b0a81d0ff6d69dabe82138227d105fc780ee17d --- /dev/null +++ b/install/updates/40-certprofile.update @@ -0,0 +1,9 @@ +dn: cn=ca,$SUFFIX +default: objectClass: nsContainer +default: objectClass: top +default: cn: ca + +dn: cn=certprofiles,cn=ca,$SUFFIX +default: objectClass: nsContainer +default: objectClass: top +default: cn: certprofiles diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update index 975929bd70400b2f9cf407d6faedb246003d7f58..bc0736c5b6c07747586a56c2cbde9596c7522d1c 100644 --- a/install/updates/40-delegation.update +++ b/install/updates/40-delegation.update @@ -237,3 +237,11 @@ default:ipapermissiontype: SYSTEM dn: cn=config add:aci: (version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) groupdn = "ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,$SUFFIX";) + +# CA Administrators +dn: cn=CA Administrator,cn=privileges,cn=pbac,$SUFFIX +default:objectClass: nestedgroup +default:objectClass: groupofnames +default:objectClass: top +default:cn: CA Administrator +default:description: CA Administrator diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am index 4e2da05d61a41543914e79c4634331df6018c041..fc6bd624eac619cdddeba29b85440571d85fd69f 100644 --- a/install/updates/Makefile.am +++ b/install/updates/Makefile.am @@ -32,6 +32,7 @@ app_DATA = \ 40-replication.update \ 40-dns.update \ 40-automember.update \ + 40-certprofile.update \ 40-otp.update \ 40-vault.update \ 45-roles.update \ 
diff --git a/ipalib/constants.py b/ipalib/constants.py index 95dec54a51f38ae63eba667daacf35dcd7500cf3..96396a236b8694b3dd988dfe28c1b0c3cc9e3180 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -118,6 +118,7 @@ DEFAULT_CONFIG = ( ('container_radiusproxy', DN(('cn', 'radiusproxy'))), ('container_views', DN(('cn', 'views'), ('cn', 'accounts'))), ('container_masters', DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'))), + ('container_certprofile', DN(('cn', 'certprofiles'), ('cn', 'ca'))), # Ports, hosts, and URIs: ('xmlrpc_uri', 'http://localhost:8888/ipa/xml'), diff --git a/ipalib/plugins/certprofile.py b/ipalib/plugins/certprofile.py new file mode 100644 index 0000000000000000000000000000000000000000..1a2d143882469858f225b37ba4ff2dd368fb8853 --- /dev/null +++ b/ipalib/plugins/certprofile.py 
@@ -0,0 +1,253 @@ +# +# Copyright (C) 2015 FreeIPA Contributors see COPYING for license +# + +import re + +from ipalib import api, Bool, File, Str +from ipalib import output +from ipalib.plugable import Registry +from ipalib.plugins.virtual import VirtualCommand +from ipalib.plugins.baseldap import ( + LDAPObject, LDAPSearch, LDAPCreate, + LDAPDelete, LDAPUpdate, LDAPRetrieve) +from ipalib import ngettext +from ipalib.text import _ + +from ipalib import errors + + +__doc__ = _(""" +Manage Certificate Profiles + +Certificate Profiles are used by Certificate Authority (CA) in the signing of +certificates to determine if a Certificate Signing Request (CSR) is acceptable, +and if so what features and extensions will be present on the certificate. + +The Certificate Profile format is the property-list format understood by the +Dogtag or Red Hat Certificate System CA. + +PROFILE ID SYNTAX: + +A Profile ID is a string without spaces or punctuation starting with a letter +and followed by a sequence of letters, digits or underscore ("_"). + +EXAMPLES: + + Import a profile that will not store issued certificates: + ipa certprofile-import ShortLivedUserCert \\ + --file UserCert.profile --summary "User Certificates" \\ + --store=false + + Delete a certificate profile: + ipa certprofile-del ShortLivedUserCert + + Show information about a profile: + ipa certprofile-show ShortLivedUserCert + + Search for profiles that do not store certificates: + ipa certprofile-find --store=false + +""") + + +register = Registry() + + +def ca_enabled_check(): + """Raise NotFound if CA is not enabled. + + This function is defined in multiple plugins to avoid circular imports + (cert depends on certprofile, so we cannot import cert here). 
+ + """ + if not api.Command.ca_is_enabled()['result']: + raise errors.NotFound(reason=_('CA is not configured')) + + +profile_id_pattern = re.compile('^[a-zA-Z]\w*$') + + +def validate_profile_id(ugettext, value): + """Ensure profile ID matches form required by CA.""" + if profile_id_pattern.match(value) is None: + return _('invalid Profile ID') + else: + return None + + + at register() +class certprofile(LDAPObject): + """ + Certificate Profile object. + """ + container_dn = api.env.container_certprofile + object_name = _('Certificate Profile') + object_name_plural = _('Certificate Profiles') + object_class = ['ipacertprofile'] + default_attributes = [ + 'cn', 'description', 'ipacertprofilestoreissued' + ] + search_attributes = [ + 'cn', 'description', 'ipacertprofilestoreissued' + ] + rdn_is_primary_key = True + label = _('Certificate Profiles') + label_singular = _('Certificate Profile') + + takes_params = ( + Str('cn', validate_profile_id, + primary_key=True, + cli_name='id', + label=_('Profile ID'), + doc=_('Profile ID for referring to this profile'), + ), + Str('description', + required=True, + cli_name='desc', + label=_('Profile description'), + doc=_('Brief description of this profile'), + ), + Bool('ipacertprofilestoreissued', + default=True, + cli_name='store', + label=_('Store issued certificates'), + doc=_('Whether to store certs issued using this profile'), + ), + ) + + permission_filter_objectclasses = ['ipacertprofile'] + managed_permissions = { + 'System: Read Certificate Profiles': { + 'replaces_global_anonymous_aci': True, + 'ipapermbindruletype': 'all', + 'ipapermright': {'read', 'search', 'compare'}, + 'ipapermdefaultattr': { + 'cn', + 'description', + 'ipacertprofilestoreissued', + 'objectclass', + }, + }, + 'System: Import Certificate Profile': { + 'ipapermright': {'add'}, + 'replaces': [ + '(target = "ldap:///cn=*,cn=certprofiles,cn=ca,$SUFFIX")(version 3.0;acl "permission:Import Certificate Profile";allow (add) groupdn = "ldap:///cn=Import 
Certificate Profile,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + 'System: Delete Certificate Profile': { + 'ipapermright': {'delete'}, + 'replaces': [ + '(target = "ldap:///cn=*,cn=certprofiles,cn=ca,$SUFFIX")(version 3.0;acl "permission:Delete Certificate Profile";allow (delete) groupdn = "ldap:///cn=Delete Certificate Profile,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + 'System: Modify Certificate Profile': { + 'ipapermright': {'write'}, + 'ipapermdefaultattr': { + 'cn', + 'description', + 'ipacertprofilestoreissued', + }, + 'replaces': [ + '(targetattr = "cn || description || ipacertprofilestoreissued")(target = "ldap:///cn=*,cn=certprofiles,cn=ca,$SUFFIX")(version 3.0;acl "permission:Modify Certificate Profile";allow (write) groupdn = "ldap:///cn=Modify Certificate Profile,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + } + + + + at register() +class certprofile_find(LDAPSearch): + __doc__ = _("Search for Certificate Profiles.") + msg_summary = ngettext( + '%(count)d profile matched', '%(count)d profiles matched', 0 + ) + + def execute(self, *args, **kwargs): + ca_enabled_check() + return super(certprofile_find, self).execute(*args, **kwargs) + + + at register() +class certprofile_show(LDAPRetrieve): + __doc__ = _("Display the properties of a Certificate Profile.") + + def execute(self, *args, **kwargs): + ca_enabled_check() + return super(certprofile_show, self).execute(*args, **kwargs) + + + at register() +class certprofile_import(LDAPCreate): + __doc__ = _("Import a Certificate Profile.") + msg_summary = _('Imported profile "%(value)s"') + takes_options = ( + File('file', + label=_('Filename'), + cli_name='file', + flags=('virtual_attribute',), + ), + ) + + PROFILE_ID_PATTERN = re.compile('^profileId=([a-zA-Z]\w*)', re.MULTILINE) + + def pre_callback(self, ldap, dn, entry, entry_attrs, *keys, **options): + 
ca_enabled_check() + + match = self.PROFILE_ID_PATTERN.search(options['file']) + if match is None: + raise errors.ValidationError(name='file', + error=_("Profile ID is not present in profile data")) + elif keys[0] != match.group(1): + raise errors.ValidationError(name='file', + error=_("Profile ID '%(cli_value)s' does not match profile data '%(file_value)s'") + % {'cli_value': keys[0], 'file_value': match.group(1)} + ) + return dn + + + def post_callback(self, ldap, dn, entry_attrs, *keys, **options): + """Import the profile into Dogtag and enable it. + + If the operation succeeds, update the LDAP entry to 'enabled'. + If the operation fails, remove the LDAP entry. + """ + try: + with self.api.Backend.ra_certprofile as profile_api: + profile_api.create_profile(options['file']) + profile_api.enable_profile(keys[0]) + except: + # something went wrong ; delete entry + ldap.delete_entry(dn) + raise + + return dn + + + at register() +class certprofile_del(LDAPDelete): + __doc__ = _("Delete a Certificate Profile.") + msg_summary = _('Deleted profile "%(value)s"') + + def execute(self, *args, **kwargs): + ca_enabled_check() + return super(certprofile_del, self).execute(*args, **kwargs) + + def post_callback(self, ldap, dn, *keys, **options): + with self.api.Backend.ra_certprofile as profile_api: + profile_api.disable_profile(keys[0]) + profile_api.delete_profile(keys[0]) + return dn + + + at register() +class certprofile_mod(LDAPUpdate): + __doc__ = _("Modify Certificate Profile configuration.") + msg_summary = _('Modified Certificate Profile "%(value)s') + + def execute(self, *args, **kwargs): + ca_enabled_check() + return super(certprofile_mod, self).execute(*args, **kwargs) diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py index c74b8736a4b15f7bf081206b52b9876a8c4928af..11311cf7b55d7b84e9434a698dbfd60b0eb142a1 100644 --- a/ipapython/dogtag.py +++ b/ipapython/dogtag.py 
@@ -233,9 +233,12 @@ def ca_status(ca_host=None, use_proxy=True): return _parse_ca_status(body) -def https_request(host, port, url, secdir, password, nickname, **kw): +def https_request(host, port, url, secdir, password, nickname, + method='POST', headers=None, body=None, **kw): """ + :param method: HTTP request method (defalut: 'POST') :param url: The path (not complete URL!) to post to. + :param body: The request body (encodes kw if None) :param kw: Keyword arguments to encode into POST body. :return: (http_status, http_reason_phrase, http_headers, http_body) as (integer, unicode, dict, str) @@ -254,9 +257,11 @@ def https_request(host, port, url, secdir, password, nickname, **kw): nickname, password, nss.get_default_certdb()) return conn - body = urlencode(kw) + if body is None: + body = urlencode(kw) return _httplib_request( - 'https', host, port, url, connection_factory, body) + 'https', host, port, url, connection_factory, body, + method=method, headers=headers) def http_request(host, port, url, **kw): @@ -288,11 +293,13 @@ def unauthenticated_https_request(host, port, url, **kw): def _httplib_request( - protocol, host, port, path, connection_factory, request_body): + protocol, host, port, path, connection_factory, request_body, + method='POST', headers=None): """ :param request_body: Request body :param connection_factory: Connection class to use. Will be called with the host and port arguments. + :param method: HTTP request method (default: 'POST') Perform a HTTP(s) request. """ 
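Review bot: in the `https_request` hunk, a caller that passes `body=` and also passes `**kw` has the keyword arguments silently discarded, because `body = urlencode(kw)` now only runs when `body is None`; either reject the combination (`if body is not None and kw: raise TypeError(...)`) or state the precedence in the docstring. Two docstring nits in the same hunk: `defalut` should read `default`, and `:param url: The path (not complete URL!) to post to.` is now misleading since `method` may be `'GET'`.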
@@ -301,13 +308,17 @@ def _httplib_request( uri = '%s://%s%s' % (protocol, ipautil.format_netloc(host, port), path) root_logger.debug('request %r', uri) root_logger.debug('request body %r', request_body) + + headers = headers or {} + if ( + method == 'POST' + and 'content-type' not in (str(k).lower() for k in headers.viewkeys()) + ): + headers['content-type'] = 'application/x-www-form-urlencoded' + try: conn = connection_factory(host, port) - conn.request( - 'POST', uri, - body=request_body, - headers={'Content-type': 'application/x-www-form-urlencoded'}, - ) + conn.request(method, uri, body=request_body, headers=headers) res = conn.getresponse() http_status = res.status diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 52bdb0d4245594785e718c63242e27cee0e59322..9654123b16d8e417398d49bf1305fd41880bc3a7 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -4,8 +4,9 @@ # Jason Gerard DeRose # Rob Crittenden # John Dennis +# Fraser Tweedale # -# Copyright (C) 2014 Red Hat +# Copyright (C) 2014, 2015 Red Hat # see file 'COPYING' for use and warranty information # # This program is free software; you can redistribute it and/or modify @@ -238,17 +239,21 @@ digits and nothing else follows. ''' import datetime +import json from lxml import etree +import os import tempfile import time import urllib2 +import pki from pki.client import PKIConnection import pki.crypto as cryptoutil from pki.kra import KRAClient from ipalib import Backend from ipapython.dn import DN +import ipapython.cookie import ipapython.dogtag from ipapython import ipautil from ipaserver.install.certs import CertDB 
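Review bot: `headers.viewkeys()` in the content-type check of `_httplib_request` is Python 2 only and cuts against the Python 3 clean-up being done elsewhere in this thread; iterating the dict directly yields the keys on both versions, so `'content-type' not in (str(k).lower() for k in headers)` is sufficient. Also, when the caller supplies a dict, `headers['content-type'] = ...` is written into the caller's object because `headers = headers or {}` does not copy; `headers = dict(headers or {})` keeps the function free of side effects on its arguments.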
@@ -1262,13 +1267,12 @@ def select_any_master(ldap2, service='CA'): #------------------------------------------------------------------------------- -from ipalib import api, SkipPluginModule +from ipalib import api, errors, SkipPluginModule if api.env.ra_plugin != 'dogtag': # In this case, abort loading this plugin module... raise SkipPluginModule(reason='dogtag not selected as RA plugin') import os, random from ipaserver.plugins import rabase -from ipalib.errors import CertificateOperationError from ipalib.constants import TYPE_ERROR from ipalib.util import cachedproperty from ipapython import dogtag @@ -1318,7 +1322,7 @@ class ra(rabase.rabase): err_msg = u'%s (%s)' % (err_msg, detail) self.error('%s.%s(): %s', self.fullname, func_name, err_msg) - raise CertificateOperationError(error=err_msg) + raise errors.CertificateOperationError(error=err_msg) @cachedproperty def ca_host(self): 
@@ -1923,3 +1927,167 @@ class kra(Backend): return KRAClient(connection, crypto) api.register(kra) + + +class RestClient(Backend): + """Simple Dogtag REST client to be subclassed by other backends. + + This class is a context manager. Authenticated calls must be + executed in a ``with`` suite:: + + class ra_certprofile(RestClient): + path = 'profile' + ... + + api.register(ra_certprofile) + + with api.Backend.ra_certprofile as profile_api: + # REST client is now logged in + profile_api.create_profile(...) + + """ + path = None + + @staticmethod + def _parse_dogtag_error(body): + try: + return pki.PKIException.from_json(json.loads(body)) + except: + return None + + def __init__(self): + if api.env.in_tree: + self.sec_dir = api.env.dot_ipa + os.sep + 'alias' + self.pwd_file = self.sec_dir + os.sep + '.pwd' + else: + self.sec_dir = paths.HTTPD_ALIAS_DIR + self.pwd_file = paths.ALIAS_PWDFILE_TXT + self.noise_file = self.sec_dir + os.sep + '.noise' + self.ipa_key_size = "2048" + self.ipa_certificate_nickname = "ipaCert" + self.ca_certificate_nickname = "caCert" + try: + f = open(self.pwd_file, "r") + self.password = f.readline().strip() + f.close() + except IOError: + self.password = '' + super(RestClient, self).__init__() + + # session cookie + self.cookie = None + + @cachedproperty + def ca_host(self): + """ + :return: host + as str + + Select our CA host. 
+ """ + ldap2 = self.api.Backend.ldap2 + if host_has_service(api.env.ca_host, ldap2, "CA"): + return api.env.ca_host + if api.env.host != api.env.ca_host: + if host_has_service(api.env.host, ldap2, "CA"): + return api.env.host + host = select_any_master(ldap2) + if host: + return host + else: + return api.env.ca_host + + def __enter__(self): + """Log into the REST API""" + if self.cookie is not None: + return + status, status_text, resp_headers, resp_body = dogtag.https_request( + self.ca_host, self.env.ca_agent_port, '/ca/rest/account/login', + self.sec_dir, self.password, self.ipa_certificate_nickname, + method='GET' + ) + cookies = ipapython.cookie.Cookie.parse(resp_headers.get('set-cookie', '')) + if status != 200 or len(cookies) == 0: + raise errors.RemoteRetrieveError(reason=_('Failed to authenticate to CA REST API')) + self.cookie = str(cookies[0]) + return self + + def __exit__(self, exc_type, exc_value, traceback): + """Log out of the REST API""" + dogtag.https_request( + self.ca_host, self.env.ca_agent_port, '/ca/rest/account/logout', + self.sec_dir, self.password, self.ipa_certificate_nickname, + method='GET' + ) + self.cookie = None + + def _ssldo(self, method, path, headers=None, body=None): + """ + :param url: The URL to post to. + :param kw: Keyword arguments to encode into POST body. 
+ :return: (http_status, http_reason_phrase, http_headers, http_body) + as (integer, unicode, dict, str) + + Perform an HTTPS request + """ + if self.cookie is None: + raise errors.RemoteRetrieveError( + reason=_("REST API is not logged in.")) + + headers = headers or {} + headers['Cookie'] = self.cookie + + resource = os.path.join('/ca/rest', self.path, path) + + # perform main request + status, status_text, resp_headers, resp_body = dogtag.https_request( + self.ca_host, self.env.ca_agent_port, resource, + self.sec_dir, self.password, self.ipa_certificate_nickname, + method=method, headers=headers, body=body + ) + if status < 200 or status >= 300: + explanation = self._parse_dogtag_error(resp_body) or '' + raise errors.RemoteRetrieveError( + reason=_('Non-2xx response from CA REST API: %(status)d %(status_text)s. %(explanation)s') + % {'status': status, 'status_text': status_text, 'explanation': explanation} + ) + return (status, status_text, resp_headers, resp_body) + + +class ra_certprofile(RestClient): + """ + Profile management backend plugin. + """ + path = 'profiles' + + def create_profile(self, profile_data): + """ + Import the profile into Dogtag + """ + self._ssldo('POST', 'raw', + headers={ + 'Content-type': 'application/xml', + 'Accept': 'application/json', + }, + body=profile_data + ) + + def enable_profile(self, profile_id): + """ + Enable the profile in Dogtag + """ + self._ssldo('POST', profile_id + '?action=enable') + + def disable_profile(self, profile_id): + """ + Enable the profile in Dogtag + """ + self._ssldo('POST', profile_id + '?action=disable') + + def delete_profile(self, profile_id): + """ + Delete the profile from Dogtag + """ + self._ssldo('DELETE', profile_id, headers={'Accept': 'application/json'}) + +api.register(ra_certprofile) -- 2.1.0 -------------- next part -------------- From 76a7bf36532d33633f4bf4b9a42cb02f2e726d99 Mon Sep 17 00:00:00 2001 
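Review bot: `profile_id_pattern = re.compile('^[a-zA-Z]\w*$')` in `ipalib/plugins/certprofile.py` accepts a trailing newline, because `$` also matches just before a final `\n`, so `validate_profile_id` lets `'myprofile\n'` through and that string is then used to build the Dogtag REST path in `enable_profile`/`delete_profile`; anchor with `\Z` instead, i.e. `re.compile(r'^[a-zA-Z]\w*\Z')`. In the same hunk: `certprofile_import.post_callback` uses a bare `except:`, which also swallows `KeyboardInterrupt`/`SystemExit`, and if `ldap.delete_entry(dn)` itself fails the original Dogtag error is lost behind the delete error, so `except Exception:` (in line with the other patch in this thread) plus a log of the original exception before re-raising would be better; its docstring promises to "update the LDAP entry to 'enabled'" but nothing in the body does so. `certprofile_del.post_callback` runs `disable_profile`/`delete_profile` after the LDAP entry is already gone, so a Dogtag failure leaves a profile in the CA with no IPA entry; doing the Dogtag calls in `pre_callback` keeps both sides consistent on failure. `certprofile_mod.msg_summary` is missing the closing double quote after `%(value)s`. And because `LDAPUpdate` with `rdn_is_primary_key = True` exposes `--rename` (see the `certprofile_mod` entry in the API.txt hunk), a rename changes only the IPA entry while the Dogtag profile keeps its old `profileId`; either refuse `rename` in a `pre_callback` or propagate it to the CA.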
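Review bot: `RestClient.__enter__` returns `None` on the already-logged-in path (`if self.cookie is not None: return`), so a nested or repeated `with api.Backend.ra_certprofile as profile_api:` binds `profile_api` to `None` and the first method call fails with `AttributeError`; that branch should `return self` too. `__exit__` issues the logout request without the `Cookie` header, so it cannot refer to the session obtained in `__enter__`; pass `headers={'Cookie': self.cookie}` and move `self.cookie = None` into a `finally:` so a failed logout does not leave a stale cookie on the backend object. Smaller points in the same hunk: `_ssldo`'s docstring still documents `url` and `kw` although its parameters are `method, path, headers, body`; `headers['Cookie'] = self.cookie` writes into the caller's dict when one is supplied (copy it first); and `disable_profile`'s docstring says "Enable the profile in Dogtag".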
From: Fraser Tweedale Date: Mon, 11 May 2015 23:38:41 -0400 Subject: [PATCH 06/13] Enable LDAP-based profiles in CA on upgrade Part of: https://fedorahosted.org/freeipa/ticket/4560 --- ipaserver/install/server/upgrade.py | 40 +++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 0ea6bd7b4db70caf43637a60ddd1ad1f58b6e48e..820533d6fa34218282941b8dcfcd3c0a192fdfb7 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -299,6 +299,45 @@ def ca_configure_profiles_acl(ca): return cainstance.configure_profiles_acl() +def ca_enable_ldap_profile_subsystem(ca): + root_logger.info('[Ensuring CA is using LDAPProfileSubsystem]') + if not ca.is_configured(): + root_logger.info('CA is not configured') + return False + + caconfig = dogtag.configured_constants() + + needs_update = False + directive = None + try: + for i in range(15): + directive = "subsystem.{}.class".format(i) + value = installutils.get_directive( + caconfig.CS_CFG_PATH, + directive, + separator='=') + if value == 'com.netscape.cmscore.profile.ProfileSubsystem': + needs_update = True + break + except OSError, e: + root_logger.error('Cannot read CA configuration file "%s": %s', + caconfig.CS_CFG_PATH, e) + return False + + if needs_update: + installutils.set_directive( + caconfig.CS_CFG_PATH, + directive, + 'com.netscape.cmscore.profile.LDAPProfileSubsystem', + quotes=False, + separator='=') + + # TODO import file-based profiles into Dogtag + # More code needed on Dogtag side for this. + + return needs_update + + def upgrade_ipa_profile(ca, domain, fqdn): """ Update the IPA Profile provided by dogtag @@ -1381,6 +1420,7 @@ def upgrade_configuration(): certificate_renewal_update(ca), ca_enable_pkix(ca), ca_configure_profiles_acl(ca), + ca_enable_ldap_profile_subsystem(ca), ]) if ca_restart: -- 2.1.0 -------------- next part -------------- 
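Review bot: `except OSError, e:` in `ca_enable_ldap_profile_subsystem` does not catch the failure it is written for on Python 2, where opening an unreadable `CS.cfg` raises `IOError`, which is a sibling of `OSError` under `EnvironmentError` rather than a subclass; use `except (IOError, OSError) as e:` (which also drops the comma form that the other patch in this thread is replacing with `as`). `range(15)` is a magic upper bound on `subsystem.N.class`; a comment explaining the limit, or a loop that stops at the first index for which `get_directive` returns nothing, would make the intent clear and avoid silently missing a subsystem registered at a higher index.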
From bb4fd946dbcd33110eff4e8346e892e5581ec93d Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Mon, 11 May 2015 21:17:48 -0400 Subject: [PATCH 07/13] Import included profiles during install or upgrade Add a default service profile template as part of FreeIPA and format and import it as part of installation or upgrade process. Also remove the code that modifies the old (file-based) `caIPAserviceCert' profile. Fixes https://fedorahosted.org/freeipa/ticket/4002 --- freeipa.spec.in | 2 + install/configure.ac | 1 + install/share/Makefile.am | 1 + install/share/profiles/Makefile.am | 14 ++ install/share/profiles/caIPAserviceCert.cfg | 109 ++++++++++++ install/tools/ipa-upgradeconfig | 1 - ipapython/dogtag.py | 7 +- ipaserver/install/cainstance.py | 253 +++++++--------------------- ipaserver/install/ipa_server_upgrade.py | 1 + ipaserver/install/server/install.py | 6 + ipaserver/install/server/upgrade.py | 42 ++--- ipaserver/plugins/dogtag.py | 14 +- 12 files changed, 228 insertions(+), 223 deletions(-) create mode 100644 install/share/profiles/Makefile.am create mode 100644 install/share/profiles/caIPAserviceCert.cfg diff --git a/freeipa.spec.in b/freeipa.spec.in index 2f259234945be874aede64ca7c3ce04bdf467b64..a9757a194b1bf3bdcced4fd29e7fbae8b0211c94 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -720,6 +720,8 @@ fi %dir %{_usr}/share/ipa/advise %dir %{_usr}/share/ipa/advise/legacy %{_usr}/share/ipa/advise/legacy/*.template +%dir %{_usr}/share/ipa/profiles +%{_usr}/share/ipa/profiles/*.cfg %dir %{_usr}/share/ipa/ffextension %{_usr}/share/ipa/ffextension/bootstrap.js %{_usr}/share/ipa/ffextension/install.rdf diff --git a/install/configure.ac b/install/configure.ac index 2e48aa5cc67b30f2582de987a12d4e7043256679..57f4219b66bbe1dadaed3e89c3e84b1c8240399e 100644 --- a/install/configure.ac +++ b/install/configure.ac 
@@ -88,6 +88,7 @@ AC_CONFIG_FILES([ share/Makefile share/advise/Makefile share/advise/legacy/Makefile + share/profiles/Makefile ui/Makefile ui/css/Makefile ui/src/Makefile diff --git a/install/share/Makefile.am b/install/share/Makefile.am index f44772b20c173c6fe43503716f40454f6f6b6f11..31f391be25c58b76cc71971852074d80c5514745 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -2,6 +2,7 @@ NULL = SUBDIRS = \ advise \ + profiles \ $(NULL) appdir = $(IPA_DATA_DIR) diff --git a/install/share/profiles/Makefile.am b/install/share/profiles/Makefile.am new file mode 100644 index 0000000000000000000000000000000000000000..4e6cf975a0f51d02ec29bd07ac8cb9ccc8320818 --- /dev/null +++ b/install/share/profiles/Makefile.am @@ -0,0 +1,14 @@ +NULL = + +appdir = $(IPA_DATA_DIR)/profiles +app_DATA = \ + caIPAserviceCert.cfg \ + $(NULL) + +EXTRA_DIST = \ + $(app_DATA) \ + $(NULL) + +MAINTAINERCLEANFILES = \ + *~ \ + Makefile.in diff --git a/install/share/profiles/caIPAserviceCert.cfg b/install/share/profiles/caIPAserviceCert.cfg new file mode 100644 index 0000000000000000000000000000000000000000..6c5102f0dbd6bd6c6eaf2fa22e87ed4a5f34553c --- /dev/null +++ b/install/share/profiles/caIPAserviceCert.cfg 
@@ -0,0 +1,109 @@ +profileId=caIPAserviceCert +classId=caEnrollImpl +desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication. +visible=false +enable=true +enableBy=admin +auth.instance_id=raCertAuth +name=IPA-RA Agent-Authenticated Server Certificate Enrollment +input.list=i1,i2 +input.i1.class_id=certReqInputImpl +input.i2.class_id=submitterInfoInputImpl +output.list=o1 +output.o1.class_id=certOutputImpl +policyset.list=serverCertSet +policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11 +policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl +policyset.serverCertSet.1.constraint.name=Subject Name Constraint +policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+ +policyset.serverCertSet.1.constraint.params.accept=true +policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl +policyset.serverCertSet.1.default.name=Subject Name Default +policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O +policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl +policyset.serverCertSet.2.constraint.name=Validity Constraint +policyset.serverCertSet.2.constraint.params.range=740 +policyset.serverCertSet.2.constraint.params.notBeforeCheck=false +policyset.serverCertSet.2.constraint.params.notAfterCheck=false +policyset.serverCertSet.2.default.class_id=validityDefaultImpl +policyset.serverCertSet.2.default.name=Validity Default +policyset.serverCertSet.2.default.params.range=731 +policyset.serverCertSet.2.default.params.startTime=0 +policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl +policyset.serverCertSet.3.constraint.name=Key Constraint +policyset.serverCertSet.3.constraint.params.keyType=RSA +policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096 +policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl +policyset.serverCertSet.3.default.name=Key Default 
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl +policyset.serverCertSet.4.constraint.name=No Constraint +policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl +policyset.serverCertSet.4.default.name=Authority Key Identifier Default +policyset.serverCertSet.5.constraint.class_id=noConstraintImpl +policyset.serverCertSet.5.constraint.name=No Constraint +policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl +policyset.serverCertSet.5.default.name=AIA Extension Default +policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true +policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName +policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://$IPA_CA_RECORD.$DOMAIN/ca/ocsp +policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 +policyset.serverCertSet.5.default.params.authInfoAccessCritical=false +policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1 +policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl +policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint +policyset.serverCertSet.6.constraint.params.keyUsageCritical=true +policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true +policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true +policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true +policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true +policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false +policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false +policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false +policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false +policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false +policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl +policyset.serverCertSet.6.default.name=Key Usage 
Default +policyset.serverCertSet.6.default.params.keyUsageCritical=true +policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true +policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true +policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true +policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true +policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false +policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false +policyset.serverCertSet.6.default.params.keyUsageCrlSign=false +policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false +policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false +policyset.serverCertSet.7.constraint.class_id=noConstraintImpl +policyset.serverCertSet.7.constraint.name=No Constraint +policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl +policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default +policyset.serverCertSet.7.default.params.exKeyUsageCritical=false +policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 +policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl +policyset.serverCertSet.8.constraint.name=No Constraint +policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC +policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl +policyset.serverCertSet.8.default.name=Signing Alg +policyset.serverCertSet.8.default.params.signingAlg=- +policyset.serverCertSet.9.constraint.class_id=noConstraintImpl +policyset.serverCertSet.9.constraint.name=No Constraint +policyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl +policyset.serverCertSet.9.default.name=CRL Distribution Points Extension Default +policyset.serverCertSet.9.default.params.crlDistPointsCritical=false 
+policyset.serverCertSet.9.default.params.crlDistPointsNum=1 +policyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true +policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=$CRL_ISSUER +policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName +policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://$IPA_CA_RECORD.$DOMAIN/ipa/crl/MasterCRL.bin +policyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName +policyset.serverCertSet.9.default.params.crlDistPointsReasons_0= +policyset.serverCertSet.10.constraint.class_id=noConstraintImpl +policyset.serverCertSet.10.constraint.name=No Constraint +policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl +policyset.serverCertSet.10.default.name=Subject Key Identifier Extension Default +policyset.serverCertSet.10.default.params.critical=false +policyset.serverCertSet.11.constraint.class_id=noConstraintImpl +policyset.serverCertSet.11.constraint.name=No Constraint +policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl +policyset.serverCertSet.11.default.name=User Supplied Extension Default +policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17 diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index 43292966a29c9077443913bdda1c81aa3de06a10..5f3a2b4a2f3864c2809178815c244c2012333fc8 100755 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig @@ -21,7 +21,6 @@ import sys - if __name__ == '__main__': sys.exit("Please run the 'ipa-server-upgrade' command to upgrade the " "IPA server.") diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py index 11311cf7b55d7b84e9434a698dbfd60b0eb142a1..2b4d233354b974884c88d13a3a1b437915ba0776 100644 --- a/ipapython/dogtag.py +++ b/ipapython/dogtag.py 
@@ -42,6 +42,11 @@ from ipapython.ipa_log_manager import * # the configured version. +INCLUDED_PROFILES = { + # ( profile_id , description , store_issued) + (u'caIPAserviceCert', u'Standard profile for network services', True), + } + class Dogtag10Constants(object): DOGTAG_VERSION = 10 UNSECURE_PORT = 8080 @@ -71,7 +76,6 @@ class Dogtag10Constants(object): RACERT_LINE_SEP = '\n' - IPA_SERVICE_PROFILE = '%s/caIPAserviceCert.cfg' % SERVICE_PROFILE_DIR SIGN_PROFILE = '%s/caJarSigningCert.cfg' % SERVICE_PROFILE_DIR SHARED_DB = True DS_USER = "dirsrv" @@ -110,7 +114,6 @@ class Dogtag9Constants(object): EE_CLIENT_AUTH_PORT = 9446 TOMCAT_SERVER_PORT = 9701 - IPA_SERVICE_PROFILE = '%s/caIPAserviceCert.cfg' % SERVICE_PROFILE_DIR SIGN_PROFILE = '%s/caJarSigningCert.cfg' % SERVICE_PROFILE_DIR SHARED_DB = False DS_USER = "pkisrv" diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 871581b4afc5df854b9a090ef51bb0ad3b3871ee..ca0b6df5db80bc842a78f614872831ddd82330b1 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -459,10 +459,6 @@ class CAInstance(DogtagInstance): self.step("importing CA chain to RA certificate database", self.__import_ca_chain) self.step("fixing RA database permissions", self.fix_ra_perms) self.step("setting up signing cert profile", self.__setup_sign_profile) - self.step("set certificate subject base", self.__set_subject_in_config) - self.step("enabling Subject Key Identifier", self.enable_subject_key_identifier) - self.step("enabling Subject Alternative Name", self.enable_subject_alternative_name) - self.step("enabling CRL and OCSP extensions for certificates", self.__set_crl_ocsp_extensions) self.step("setting audit signing renewal to 2 years", self.set_audit_renewal) if not self.clone: self.step("restarting certificate server", self.restart_instance) 
@@ -1125,94 +1121,6 @@ class CAInstance(DogtagInstance): return publishdir - def __set_crl_ocsp_extensions(self): - self.set_crl_ocsp_extensions(self.domain, self.fqdn) - - def set_crl_ocsp_extensions(self, domain, fqdn): - """ - Configure CRL and OCSP extensions in default IPA certificate profile - if not done already. - """ - changed = False - - # OCSP extension - ocsp_url = 'http://%s.%s/ca/ocsp' % (IPA_CA_RECORD, ipautil.format_netloc(domain)) - - ocsp_location_0 = installutils.get_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0', - separator='=') - - if ocsp_location_0 != ocsp_url: - # Set the first OCSP URI - installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0', - ocsp_url, quotes=False, separator='=') - changed = True - - ocsp_profile_count = installutils.get_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.5.default.params.authInfoAccessNumADs', - separator='=') - - if ocsp_profile_count != '1': - installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.5.default.params.authInfoAccessNumADs', - '1', quotes=False, separator='=') - changed = True - - - # CRL extension - crl_url = 'http://%s.%s/ipa/crl/MasterCRL.bin'% (IPA_CA_RECORD, ipautil.format_netloc(domain)) - - crl_point_0 = installutils.get_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.9.default.params.crlDistPointsPointName_0', - separator='=') - - if crl_point_0 != crl_url: - installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0', - 'CN=Certificate Authority,o=ipaca', quotes=False, separator='=') - installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0', - 
'DirectoryName', quotes=False, separator='=') - installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.9.default.params.crlDistPointsPointName_0', - crl_url, quotes=False, separator='=') - changed = True - - crl_profile_count = installutils.get_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.9.default.params.crlDistPointsNum', - separator='=') - - if crl_profile_count != '1': - installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.9.default.params.crlDistPointsNum', - '1', quotes=False, separator='=') - changed = True - - # CRL extension is not enabled by default - setlist = installutils.get_directive(self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.list', separator='=') - new_set_list = None - - if setlist == '1,2,3,4,5,6,7,8': - new_set_list = '1,2,3,4,5,6,7,8,9' - elif setlist == '1,2,3,4,5,6,7,8,10': - new_set_list = '1,2,3,4,5,6,7,8,9,10' - elif setlist == '1,2,3,4,5,6,7,8,10,11': - new_set_list = '1,2,3,4,5,6,7,8,9,10,11' - - if new_set_list: - installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.list', - new_set_list, quotes=False, separator='=') - changed = True - - return changed - def __enable_crl_publish(self): """ 
@@ -1267,13 +1175,6 @@ class CAInstance(DogtagInstance): installutils.set_directive(caconfig, 'ca.crl.MasterCRL.enableCRLUpdates', 'false', quotes=False, separator='=') installutils.set_directive(caconfig, 'ca.listenToCloneModifications', 'false', quotes=False, separator='=') - def __set_subject_in_config(self): - # dogtag ships with an IPA-specific profile that forces a subject - # format. We need to update that template with our base subject - if installutils.update_file(self.dogtag_constants.IPA_SERVICE_PROFILE, - 'OU=pki-ipa, O=IPA', str(self.subject_base)): - print "Updating subject_base in CA template failed" - def uninstall(self): # just eat state self.restore_state("enabled") 
@@ -1407,100 +1308,6 @@ class CAInstance(DogtagInstance): services.knownservices.certmonger.stop() - def enable_subject_key_identifier(self): - """ - See if Subject Key Identifier is set in the profile and if not, add it. - """ - setlist = installutils.get_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.list', separator='=') - - # this is the default setting from pki-ca/pki-tomcat. Don't touch it - # if a user has manually modified it. - if setlist == '1,2,3,4,5,6,7,8' or setlist == '1,2,3,4,5,6,7,8,9': - setlist += ',10' - installutils.set_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.list', - setlist, - quotes=False, separator='=') - installutils.set_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.10.constraint.class_id', - 'noConstraintImpl', - quotes=False, separator='=') - installutils.set_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.10.constraint.name', - 'No Constraint', - quotes=False, separator='=') - installutils.set_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.10.default.class_id', - 'subjectKeyIdentifierExtDefaultImpl', - quotes=False, separator='=') - installutils.set_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.10.default.name', - 'Subject Key Identifier Extension Default', - quotes=False, separator='=') - installutils.set_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.10.default.params.critical', - 'false', - quotes=False, separator='=') - return True - - # No update was done - return False - - def enable_subject_alternative_name(self): - """ - See if Subject Alternative Name is set in the profile and if not, add - it. 
- """ - setlist = installutils.get_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.list', separator='=') - - # this is the default setting from pki-ca/pki-tomcat. Don't touch it - # if a user has manually modified it. - if setlist == '1,2,3,4,5,6,7,8,10' or setlist == '1,2,3,4,5,6,7,8,9,10': - setlist += ',11' - installutils.set_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.list', - setlist, - quotes=False, separator='=') - installutils.set_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.11.constraint.class_id', - 'noConstraintImpl', - quotes=False, separator='=') - installutils.set_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.11.constraint.name', - 'No Constraint', - quotes=False, separator='=') - installutils.set_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.11.default.class_id', - 'userExtensionDefaultImpl', - quotes=False, separator='=') - installutils.set_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.11.default.name', - 'User Supplied Extension Default', - quotes=False, separator='=') - installutils.set_directive( - self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.11.default.params.userExtOID', - '2.5.29.17', - quotes=False, separator='=') - return True - - # No update was done - return False def set_audit_renewal(self): """ @@ -1586,7 +1393,6 @@ class CAInstance(DogtagInstance): master_entry['ipaConfigString'].append('caRenewalMaster') self.admin_conn.update_entry(master_entry) - @staticmethod def update_cert_config(nickname, cert, dogtag_constants=None): """ 
@@ -1854,6 +1660,65 @@ def configure_profiles_acl(): conn.disconnect() return updated +def import_included_profiles(): + sub_dict = dict( + DOMAIN=ipautil.format_netloc(api.env.domain), + IPA_CA_RECORD=IPA_CA_RECORD, + CRL_ISSUER='CN=Certificate Authority,o=ipaca', + SUBJECT_DN_O=str(DN(('O', api.env.realm))), + ) + + server_id = installutils.realm_to_serverid(api.env.realm) + dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id + conn = ldap2.ldap2(shared_instance=False, ldap_uri=dogtag_uri) + if not conn.isconnected(): + conn.connect(autobind=True) + + for (profile_id, desc, store_issued) in dogtag.INCLUDED_PROFILES: + dn = DN(('cn', profile_id), + api.env.container_certprofile, api.env.basedn) + try: + conn.get_entry(dn) + continue # the profile is present + except errors.NotFound: + # profile not found; add it + profile_data = ipautil.template_file( + '/usr/share/ipa/profiles/{}.cfg'.format(profile_id), sub_dict) + + entry = conn.make_entry( + dn, + objectclass=['ipacertprofile'], + cn=[profile_id], + description=[desc], + ipacertprofilestoreissued=['TRUE' if store_issued else 'FALSE'], + ) + conn.add_entry(entry) + api.Backend.ra_certprofile._read_password() + with api.Backend.ra_certprofile as profile_api: + # import the profile + try: + profile_api.create_profile(profile_data) + except errors.RemoteRetrieveError: + # conflicting profile; replace it if we are + # installing IPA, but keep it for upgrades + if api.env.context == 'installer': + try: + profile_api.disable_profile(profile_id) + except errors.RemoteRetrieveError: + pass + profile_api.delete_profile(profile_id) + profile_api.create_profile(profile_data) + + # enable the profile + try: + profile_api.enable_profile(profile_id) + except errors.RemoteRetrieveError: + pass + + root_logger.info("Imported profile '%s'", profile_id) + + conn.disconnect() + if __name__ == "__main__": standard_logging_setup("install.log") ds = dsinstance.DsInstance() 
diff --git a/ipaserver/install/ipa_server_upgrade.py b/ipaserver/install/ipa_server_upgrade.py index d0a839d0a316317622894e5b56896f91a9e29bb8..8373b213411c34c59e838c586ff46e99efb43f58 100644 --- a/ipaserver/install/ipa_server_upgrade.py +++ b/ipaserver/install/ipa_server_upgrade.py @@ -41,6 +41,7 @@ class ServerUpgrade(admintool.AdminTool): super(ServerUpgrade, self).run() api.bootstrap(in_server=True, context='updates') + import ipaserver.plugins.dogtag # ensure profile backend gets loaded api.finalize() try: diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index aea1f9915f16a55c44183b0cebb41c04622be503..955e4cc11fba20475a07126f4101edbf1024290e 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py @@ -748,6 +748,9 @@ def install(options): api.env.ca_host = host_name api.bootstrap(**cfg) + if setup_ca: + # ensure profile backend is available + import ipaserver.plugins.dogtag api.finalize() # Create DS user/group if it doesn't exist yet @@ -903,6 +906,9 @@ def install(options): service.print_msg("Restarting the certificate server") ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME) + service.print_msg("Importing certificate profiles") + cainstance.import_included_profiles() + if options.setup_dns: api.Backend.ldap2.connect(autobind=True) dns.install(False, False, options) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 820533d6fa34218282941b8dcfcd3c0a192fdfb7..c5f4d37cc02658334d5c26f269ec5dd5e386df1d 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py 
@@ -338,32 +338,28 @@ def ca_enable_ldap_profile_subsystem(ca): return needs_update -def upgrade_ipa_profile(ca, domain, fqdn): +def ca_import_included_profiles(ca): + root_logger.info('[Ensuring presence of included profiles]') + + if not ca.is_configured(): + root_logger.info('CA is not configured') + return False + + return cainstance.import_included_profiles() + + +def upgrade_ca_audit_cert_validity(ca): """ - Update the IPA Profile provided by dogtag + Update the Dogtag audit signing certificate. Returns True if restart is needed, False otherwise. """ - root_logger.info('[Verifying that CA service certificate profile is updated]') + root_logger.info('[Verifying that CA audit signing cert has 2 year validity]') if ca.is_configured(): - ski = ca.enable_subject_key_identifier() - if ski: - root_logger.debug('Subject Key Identifier updated.') - else: - root_logger.debug('Subject Key Identifier already set.') - san = ca.enable_subject_alternative_name() - if san: - root_logger.debug('Subject Alternative Name updated.') - else: - root_logger.debug('Subject Alternative Name already set.') - audit = ca.set_audit_renewal() - uri = ca.set_crl_ocsp_extensions(domain, fqdn) - if audit or ski or san or uri: - return True + return ca.set_audit_renewal() else: root_logger.info('CA is not configured') - - return False + return False def named_remove_deprecated_options(): @@ -1416,7 +1412,7 @@ def upgrade_configuration(): ca_restart = any([ ca_restart, - upgrade_ipa_profile(ca, api.env.domain, fqdn), + upgrade_ca_audit_cert_validity(ca), certificate_renewal_update(ca), ca_enable_pkix(ca), ca_configure_profiles_acl(ca), 
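Review bot: the `policyset.serverCertSet.8.constraint.params.signingAlgsAllowed` line in the shipped caIPAserviceCert template still lists `MD5withRSA`, `MD2withRSA` and the `SHA1with*` variants. Now that IPA owns this profile and imports it once (an existing profile is kept on upgrade, per the "keep it for upgrades" branch in `import_included_profiles`), this is the cheapest moment to restrict the constraint to SHA-256 and stronger rather than inheriting the stock Dogtag list; a request naming a weak algorithm would otherwise pass the constraint.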
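Review bot: in `import_included_profiles` the `ipacertprofile` entry is written with `conn.add_entry(entry)` before the profile is pushed to the CA, so if `profile_api.create_profile(profile_data)` fails with anything other than `errors.RemoteRetrieveError` (or `enable_profile` fails for a reason other than the one swallowed), the LDAP entry survives and the next run hits `conn.get_entry(dn)` and does `continue`, never importing the profile. Either create the Dogtag profile first and add the LDAP entry only on success, or remove the entry on failure; `conn.disconnect()` should also sit in a `finally` so the connection is released on those error paths. Separately, `api.Backend.ra_certprofile._read_password()` reaches into a private method of `RestClient` from outside the class; make it public or add a comment explaining why the password file must be re-read here after the backend was constructed.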
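Review bot: `ca_import_included_profiles` returns `cainstance.import_included_profiles()`, but that function has no `return` statement, so the configured path yields `None` while the other path does `return False`; since the result is not fed into `ca_restart`, either drop the `return False` or have `import_included_profiles` return whether anything was imported. More importantly, this hunk removes `upgrade_ipa_profile` (SKI, SAN and CRL/OCSP extension enabling) and the replacement only ensures the profile is present: on upgrade a conflicting existing profile is deliberately kept, so its content is not refreshed. The log line `'[Ensuring presence of included profiles]'` is accurate, but the commit message should state that pre-existing profiles keep their old content and that the removed upgrade steps are no longer applied.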
@@ -1430,6 +1426,12 @@ def upgrade_configuration(): except ipautil.CalledProcessError as e: root_logger.error("Failed to restart %s: %s", ca.service_name, e) + # This step MUST be done after ca_enable_ldap_profile_subsystem and + # ca_configure_profiles_acl, and the consequent restart, but does not + # itself require a restart. + # + ca_import_included_profiles(ca) + set_sssd_domain_option('ipa_server_mode', 'True') diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 9654123b16d8e417398d49bf1305fd41880bc3a7..880b319d68728a40f4479626d5a7c2b8c56ced02 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -1966,17 +1966,19 @@ class RestClient(Backend): self.ipa_key_size = "2048" self.ipa_certificate_nickname = "ipaCert" self.ca_certificate_nickname = "caCert" - try: - f = open(self.pwd_file, "r") - self.password = f.readline().strip() - f.close() - except IOError: - self.password = '' + self._read_password() super(RestClient, self).__init__() # session cookie self.cookie = None + def _read_password(self): + try: + with open(self.pwd_file) as f: + self.password = f.readline().strip() + except IOError: + self.password = '' + @cachedproperty def ca_host(self): """ -- 2.1.0 -------------- next part -------------- From e07fe7a89023185d4ef1ab12c26017010f316421 Mon Sep 17 00:00:00 2001 
From: Fraser Tweedale Date: Thu, 7 May 2015 21:26:24 -0400 Subject: [PATCH 08/13] Add generic split_any_principal method There exist methods to split user or service/host principals, but there is no method to split any kind of principal and allow the caller to decide what to do. Generalize ``ipalib.plugins.service.split_principal`` to return a service of ``None`` if the principal is a user principal, rename it ``split_any_principal`` and reimplement ``split_principal`` to preserve existing behaviour. Part of: https://fedorahosted.org/freeipa/ticket/4938 --- ipalib/plugins/service.py | 27 +++++++++++++++++++-------- 1 file changed, 19 insertions(+), 8 deletions(-) diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py index 2d34eac7db5b97b7a969175f488a547dde54010a..166d978a248e7c5da6f8df4b534edad0a0799b7e 100644 --- a/ipalib/plugins/service.py +++ b/ipalib/plugins/service.py @@ -185,19 +185,24 @@ _ticket_flags_map = { _ticket_flags_default = _ticket_flags_map['ipakrbrequirespreauth'] -def split_principal(principal): +def split_any_principal(principal): service = hostname = realm = None # Break down the principal into its component parts, which may or # may not include the realm. sp = principal.split('/') - if len(sp) != 2: - raise errors.MalformedServicePrincipal(reason=_('missing service')) + name_and_realm = None + if len(sp) > 2: + raise errors.MalformedServicePrincipal(reason=_('unable to determine service')) + elif len(sp) == 2: + service = sp[0] + if len(service) == 0: + raise errors.MalformedServicePrincipal(reason=_('blank service')) + name_and_realm = sp[1] + else: + name_and_realm = sp[0] - service = sp[0] - if len(service) == 0: - raise errors.MalformedServicePrincipal(reason=_('blank service')) - sr = sp[1].split('@') + sr = name_and_realm.split('@') if len(sr) > 2: raise errors.MalformedServicePrincipal( reason=_('unable to determine realm')) 
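Review bot: `split_any_principal` needs a docstring stating the returned `(service, hostname, realm)` shape and that `service` is `None` for a user principal, since that is the whole point of the generalization and callers cannot infer it from the name. The `len(sp) > 2` branch still raises `errors.MalformedServicePrincipal(reason=_('unable to determine service'))` although the function now accepts user principals too; the reason text should say the principal has too many components rather than implying a service is expected. Minor: the new `def split_principal` in the following hunk is separated from the previous function by a single blank line; PEP 8 wants two between top-level definitions.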
@@ -212,7 +217,13 @@ def split_principal(principal): realm = api.env.realm # Note that realm may be None. - return (service, hostname, realm) + return service, hostname, realm + +def split_principal(principal): + service, name, realm = split_any_principal(principal) + if service is None: + raise errors.MalformedServicePrincipal(reason=_('missing service')) + return service, name, realm def validate_principal(ugettext, principal): (service, hostname, principal) = split_principal(principal) -- 2.1.0 -------------- next part -------------- From ab743104189fd1bad9a4b2066c94ed2600deedbe Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 8 May 2015 02:23:24 -0400 Subject: [PATCH 09/13] Add profile_id parameter to 'request_certificate' Add the profile_id parameter to the 'request_certificate' function and update call sites. Also remove multiple occurrences of the default profile ID 'caIPAserviceCert'. Part of: https://fedorahosted.org/freeipa/ticket/57 --- checks/check-ra.py | 2 +- ipalib/plugins/cert.py | 2 +- ipapython/dogtag.py | 2 ++ ipaserver/install/certs.py | 2 +- ipaserver/plugins/dogtag.py | 7 +++++-- ipaserver/plugins/rabase.py | 3 ++- 6 files changed, 12 insertions(+), 6 deletions(-) diff --git a/checks/check-ra.py b/checks/check-ra.py index a1df50ba4a4ad7fc0b6d2118e40977b1da6edf65..28929545ab7f0a63e47a3829c53cf08d784c9524 100755 --- a/checks/check-ra.py +++ b/checks/check-ra.py @@ -90,7 +90,7 @@ def assert_equal(trial, reference): api.log.info('******** Testing ra.request_certificate() ********') -request_result = ra.request_certificate(csr) +request_result = ra.request_certificate(csr, ra.DEFAULT_PROFILE) if verbose: print "request_result=\n%s" % request_result assert_equal(request_result, {'subject' : subject, diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py index 7e2c77622b3627e9e57bbcb69291f723ecf509bf..e4cb6dc0aa8b89368806b08674aae277b3653e8f 100644 --- a/ipalib/plugins/cert.py +++ b/ipalib/plugins/cert.py 
@@ -436,7 +436,7 @@ class cert_request(VirtualCommand): # Request the certificate result = self.Backend.ra.request_certificate( - csr, request_type=request_type) + csr, 'caIPAserviceCert', request_type=request_type) cert = x509.load_certificate(result['certificate']) result['issuer'] = unicode(cert.issuer) result['valid_not_before'] = unicode(cert.valid_not_before_str) diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py index 2b4d233354b974884c88d13a3a1b437915ba0776..53085f7762fc828ed9fc6621fbf3a0c67ec6a656 100644 --- a/ipapython/dogtag.py +++ b/ipapython/dogtag.py @@ -47,6 +47,8 @@ INCLUDED_PROFILES = { (u'caIPAserviceCert', u'Standard profile for network services', True), } +DEFAULT_PROFILE = u'caIPAserviceCert' + class Dogtag10Constants(object): DOGTAG_VERSION = 10 UNSECURE_PORT = 8080 diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py index bc7dccf805386e9fa84b58d2ff9346085e1b93b1..564332e6fde0698a23884922c5018fab59da7e4d 100644 --- a/ipaserver/install/certs.py +++ b/ipaserver/install/certs.py @@ -386,7 +386,7 @@ class CertDB(object): # We just want the CSR bits, make sure there is nothing else csr = pkcs10.strip_header(csr) - params = {'profileId': 'caIPAserviceCert', + params = {'profileId': dogtag.DEFAULT_PROFILE, 'cert_request_type': 'pkcs10', 'requestor_name': 'IPA Installer', 'cert_request': csr, diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 880b319d68728a40f4479626d5a7c2b8c56ced02..e6668bb43b994863a14fdd347635753422ed9388 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -1284,6 +1284,8 @@ class ra(rabase.rabase): """ Request Authority backend plugin. """ + DEFAULT_PROFILE = dogtag.DEFAULT_PROFILE + def __init__(self): if api.env.in_tree: self.sec_dir = api.env.dot_ipa + os.sep + 'alias' 
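Review bot: the cert.py call `self.Backend.ra.request_certificate(csr, 'caIPAserviceCert', request_type=request_type)` re-introduces the literal the commit message says it removes; use `self.Backend.ra.DEFAULT_PROFILE` (added on the `ra` class in this patch) so the default lives in one place. Related: `DEFAULT_PROFILE = dogtag.DEFAULT_PROFILE` is defined only on the Dogtag `ra` backend, while `checks/check-ra.py` reads `ra.DEFAULT_PROFILE` from whichever backend is loaded; declare it on `rabase` in the following hunk so every backend exposes it.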
@@ -1541,9 +1543,10 @@ class ra(rabase.rabase): return cmd_result - def request_certificate(self, csr, request_type='pkcs10'): + def request_certificate(self, csr, profile_id, request_type='pkcs10'): """ :param csr: The certificate signing request. + :param profile_id: The profile to use for the request. :param request_type: The request type (defaults to ``'pkcs10'``). Submit certificate signing request. @@ -1575,7 +1578,7 @@ class ra(rabase.rabase): http_status, http_reason_phrase, http_headers, http_body = \ self._sslget('/ca/eeca/ca/profileSubmitSSLClient', self.env.ca_ee_port, - profileId='caIPAserviceCert', + profileId=profile_id, cert_request_type=request_type, cert_request=csr, xml='true') diff --git a/ipaserver/plugins/rabase.py b/ipaserver/plugins/rabase.py index e14969970ef5b402d06b766f895200c6eb4fc76f..cf4426235b02866a3f565c51c52c44aabbdc1153 100644 --- a/ipaserver/plugins/rabase.py +++ b/ipaserver/plugins/rabase.py @@ -67,11 +67,12 @@ class rabase(Backend): """ raise errors.NotImplementedError(name='%s.get_certificate' % self.name) - def request_certificate(self, csr, request_type='pkcs10'): + def request_certificate(self, csr, profile_id, request_type='pkcs10'): """ Submit certificate signing request. :param csr: The certificate signing request. + :param profile_id: Profile to use for this request. :param request_type: The request type (defaults to ``'pkcs10'``). """ raise errors.NotImplementedError(name='%s.request_certificate' % self.name) -- 2.1.0 -------------- next part -------------- From dc50cb1b0881df76c2dddbe5c29e0b412d53d44d Mon Sep 17 00:00:00 2001 
From: Fraser Tweedale Date: Mon, 18 May 2015 22:11:52 -0400 Subject: [PATCH 10/13] Add usercertificate attribute to user plugin Part of: https://fedorahosted.org/freeipa/tickets/4938 --- ACI.txt | 2 +- API.txt | 18 ++++++++++++------ install/share/default-aci.ldif | 1 + install/updates/20-aci.update | 4 ++++ ipalib/plugins/baseuser.py | 10 ++++++++-- ipalib/plugins/user.py | 2 +- 6 files changed, 27 insertions(+), 10 deletions(-) diff --git a/ACI.txt b/ACI.txt index 543d8da69fb2adf79dc9821fb24028717670326a..59173ac1b593f15e079c7b1fce43ec9b0084ec91 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -297,7 +297,7 @@ aci: (targetattr = "krbprincipalkey || passwordhistory || sambalmpassword || sam dn: cn=users,cn=accounts,dc=ipa,dc=example aci: (targetattr = "ipasshpubkey")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=System: Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=users,cn=accounts,dc=ipa,dc=example -aci: (targetattr = "businesscategory || carlicense || cn || description || displayname || employeetype || facsimiletelephonenumber || gecos || givenname || homephone || inetuserhttpurl || initials || l || labeleduri || loginshell || manager || mepmanagedentry || mobile || objectclass || ou || pager || postalcode || preferredlanguage || roomnumber || secretary || seealso || sn || st || street || telephonenumber || title || userclass")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Modify Users";allow (write) groupdn = "ldap:///cn=System: Modify Users,cn=permissions,cn=pbac,dc=ipa,dc=example";) +aci: (targetattr = "businesscategory || carlicense || cn || description || displayname || employeetype || facsimiletelephonenumber || gecos || givenname || homephone || inetuserhttpurl || initials || l || labeleduri || loginshell || manager || mepmanagedentry || mobile || objectclass || ou || pager || postalcode || preferredlanguage || roomnumber || secretary || seealso || sn || st || street || telephonenumber || title || usercertificate || userclass")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Modify Users";allow (write) groupdn = "ldap:///cn=System: Modify Users,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=ipa,dc=example aci: (targetattr = "*")(target = "ldap:///cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read UPG 
Definition";allow (compare,read,search) groupdn = "ldap:///cn=System: Read UPG Definition,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=users,cn=accounts,dc=ipa,dc=example diff --git a/API.txt b/API.txt index 81aca14afcaa5234ad218b8d84f3bc8efc734c9d..abd9407af31aa511d767afd6dcc4f3470c7bcae9 100644 --- a/API.txt +++ b/API.txt @@ -3960,7 +3960,7 @@ output: Entry('result', , Gettext('A dictionary representing an LDA output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) command: stageuser_add -args: 1,43,3 +args: 1,44,3 arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') @@ -4002,6 +4002,7 @@ option: Str('street', attribute=True, cli_name='street', multivalue=False, requi option: Str('telephonenumber', attribute=True, cli_name='phone', multivalue=True, required=False) option: Str('title', attribute=True, cli_name='title', multivalue=False, required=False) option: Int('uidnumber', attribute=True, cli_name='uid', minvalue=1, multivalue=False, required=False) +option: Bytes('usercertificate', attribute=True, cli_name='certificate', multivalue=True, required=False) option: Str('userclass', attribute=True, cli_name='class', multivalue=True, required=False) option: Password('userpassword', attribute=True, cli_name='password', exclude='webui', multivalue=False, required=False) option: Str('version?', exclude='webui') 
@@ -4017,7 +4018,7 @@ output: Output('result', , None) output: Output('summary', (, ), None) output: ListOfPrimaryKeys('value', None, None) command: stageuser_find -args: 1,52,4 +args: 1,53,4 arg: Str('criteria?', noextrawhitespace=False) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('carlicense', attribute=True, autofill=False, cli_name='carlicense', multivalue=True, query=True, required=False) @@ -4068,6 +4069,7 @@ option: Int('timelimit?', autofill=False, minvalue=0) option: Str('title', attribute=True, autofill=False, cli_name='title', multivalue=False, query=True, required=False) option: Str('uid', attribute=True, autofill=False, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=False) option: Int('uidnumber', attribute=True, autofill=False, cli_name='uid', minvalue=1, multivalue=False, query=True, required=False) +option: Bytes('usercertificate', attribute=True, autofill=False, cli_name='certificate', multivalue=True, query=True, required=False) option: Str('userclass', attribute=True, autofill=False, cli_name='class', multivalue=True, query=True, required=False) option: Password('userpassword', attribute=True, autofill=False, cli_name='password', exclude='webui', multivalue=False, query=True, required=False) option: Str('version?', exclude='webui') @@ -4076,7 +4078,7 @@ output: ListOfEntries('result', (, ), Gettext('A list output: Output('summary', (, ), None) output: Output('truncated', , None) command: stageuser_mod -args: 1,44,3 +args: 1,45,3 arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') 
@@ -4119,6 +4121,7 @@ option: Str('street', attribute=True, autofill=False, cli_name='street', multiva option: Str('telephonenumber', attribute=True, autofill=False, cli_name='phone', multivalue=True, required=False) option: Str('title', attribute=True, autofill=False, cli_name='title', multivalue=False, required=False) option: Int('uidnumber', attribute=True, autofill=False, cli_name='uid', minvalue=1, multivalue=False, required=False) +option: Bytes('usercertificate', attribute=True, autofill=False, cli_name='certificate', multivalue=True, required=False) option: Str('userclass', attribute=True, autofill=False, cli_name='class', multivalue=True, required=False) option: Password('userpassword', attribute=True, autofill=False, cli_name='password', exclude='webui', multivalue=False, required=False) option: Str('version?', exclude='webui') @@ -4746,7 +4749,7 @@ output: Entry('result', , Gettext('A dictionary representing an LDA output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) command: user_add -args: 1,44,3 +args: 1,45,3 arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') 
@@ -4789,6 +4792,7 @@ option: Str('street', attribute=True, cli_name='street', multivalue=False, requi option: Str('telephonenumber', attribute=True, cli_name='phone', multivalue=True, required=False) option: Str('title', attribute=True, cli_name='title', multivalue=False, required=False) option: Int('uidnumber', attribute=True, cli_name='uid', minvalue=1, multivalue=False, required=False) +option: Bytes('usercertificate', attribute=True, cli_name='certificate', multivalue=True, required=False) option: Str('userclass', attribute=True, cli_name='class', multivalue=True, required=False) option: Password('userpassword', attribute=True, cli_name='password', exclude='webui', multivalue=False, required=False) option: Str('version?', exclude='webui') @@ -4820,7 +4824,7 @@ output: Output('result', , None) output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) command: user_find -args: 1,55,4 +args: 1,56,4 arg: Str('criteria?', noextrawhitespace=False) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('carlicense', attribute=True, autofill=False, cli_name='carlicense', multivalue=True, query=True, required=False) 
@@ -4873,6 +4877,7 @@ option: Int('timelimit?', autofill=False, minvalue=0) option: Str('title', attribute=True, autofill=False, cli_name='title', multivalue=False, query=True, required=False) option: Str('uid', attribute=True, autofill=False, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=False) option: Int('uidnumber', attribute=True, autofill=False, cli_name='uid', minvalue=1, multivalue=False, query=True, required=False) +option: Bytes('usercertificate', attribute=True, autofill=False, cli_name='certificate', multivalue=True, query=True, required=False) option: Str('userclass', attribute=True, autofill=False, cli_name='class', multivalue=True, query=True, required=False) option: Password('userpassword', attribute=True, autofill=False, cli_name='password', exclude='webui', multivalue=False, query=True, required=False) option: Str('version?', exclude='webui') @@ -4882,7 +4887,7 @@ output: ListOfEntries('result', (, ), Gettext('A list output: Output('summary', (, ), None) output: Output('truncated', , None) command: user_mod -args: 1,45,3 +args: 1,46,3 arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') 
@@ -4926,6 +4931,7 @@ option: Str('street', attribute=True, autofill=False, cli_name='street', multiva option: Str('telephonenumber', attribute=True, autofill=False, cli_name='phone', multivalue=True, required=False) option: Str('title', attribute=True, autofill=False, cli_name='title', multivalue=False, required=False) option: Int('uidnumber', attribute=True, autofill=False, cli_name='uid', minvalue=1, multivalue=False, required=False) +option: Bytes('usercertificate', attribute=True, autofill=False, cli_name='certificate', multivalue=True, required=False) option: Str('userclass', attribute=True, autofill=False, cli_name='class', multivalue=True, required=False) option: Password('userpassword', attribute=True, autofill=False, cli_name='password', exclude='webui', multivalue=False, required=False) option: Str('version?', exclude='webui') diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif index af7eedb0b92375f893a61ad1fb6e2d7b176389f9..7b174e774aae3ea012a431fe4a2535fb4230e402 100644 --- a/install/share/default-aci.ldif +++ b/install/share/default-aci.ldif @@ -10,6 +10,7 @@ changetype: modify add: aci aci: (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";) aci: (targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";) +aci: (targetattr = "usercertificate")(version 3.0;acl "selfservice:Users can manage their own X.509 certificates";allow (write) userdn = "ldap:///self";) dn: cn=etc,$SUFFIX changetype: modify 
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update index fde3afeee59e4d4dc0bd6a9c0eb24ab255c4e637..4a8b67c6579da4dab74d02861640264446153f87 100644 --- a/install/updates/20-aci.update +++ b/install/updates/20-aci.update @@ -79,3 +79,7 @@ add:aci: (targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Group add:aci: (targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Entities are allowed to rekey themselves"; allow(write) userdn="ldap:///self";) add:aci: (targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Admins are allowed to rekey any entity"; allow(write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) add:aci: (targetfilter="(|(objectclass=ipaHost)(objectclass=ipaService))")(targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Entities are allowed to rekey managed entries"; allow(write) userattr="managedby#USERDN";) + +# User certificates +dn: $SUFFIX +add:aci:(targetattr = "usercertificate")(version 3.0;acl "selfservice:Users can manage their own X.509 certificates";allow (write) userdn = "ldap:///self";) diff --git a/ipalib/plugins/baseuser.py b/ipalib/plugins/baseuser.py index a1be29d83550a0412ed37cfde47ac74c6ca478fd..d2bc68f45ad9a3632a237c01961a30592514d96d 100644 --- a/ipalib/plugins/baseuser.py +++ b/ipalib/plugins/baseuser.py @@ -23,10 +23,11 @@ import posixpath import os from ipalib import api, errors -from ipalib import Flag, Int, Password, Str, Bool, StrEnum, DateTime +from ipalib import Flag, Int, Password, Str, Bool, StrEnum, DateTime, Bytes from ipalib.plugable import Registry from ipalib.plugins.baseldap import DN, LDAPObject, \ LDAPCreate, LDAPUpdate, LDAPSearch, LDAPDelete, LDAPRetrieve +from ipalib.plugins.service import validate_certificate from ipalib.plugins import baseldap from ipalib.request import context from ipalib import _, ngettext 
@@ -188,7 +189,7 @@ class baseuser(LDAPObject): 'telephonenumber', 'title', 'memberof', 'nsaccountlock', 'memberofindirect', 'ipauserauthtype', 'userclass', 'ipatokenradiusconfiglink', 'ipatokenradiususername', - 'krbprincipalexpiration' + 'krbprincipalexpiration', 'usercertificate', ] search_display_attributes = [ 'uid', 'givenname', 'sn', 'homedirectory', 'loginshell', @@ -383,6 +384,11 @@ class baseuser(LDAPObject): + '(\s*,\s*[a-zA-Z]{1,8}(-[a-zA-Z]{1,8})?(;q\=((0(\.[0-9]{0,3})?)|(1(\.0{0,3})?)))?)*)|(\*))$', pattern_errmsg='must match RFC 2068 - 14.4, e.g., "da, en-gb;q=0.8, en;q=0.7"', ), + Bytes('usercertificate*', validate_certificate, + cli_name='certificate', + label=_('Certificate'), + doc=_('Base-64 encoded server certificate'), + ), ) def normalize_and_validate_email(self, email, config=None): diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index 54d47bb01450ec462577e552315e3d680b7648c3..119294b19f54a395a2df65c6cfd47cd8eb844297 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py @@ -267,7 +267,7 @@ class user(baseuser): 'mepmanagedentry', 'mobile', 'objectclass', 'ou', 'pager', 'postalcode', 'roomnumber', 'secretary', 'seealso', 'sn', 'st', 'street', 'telephonenumber', 'title', 'userclass', - 'preferredlanguage', + 'preferredlanguage', 'usercertificate', }, 'replaces': [ '(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,$SUFFIX";)', -- 2.1.0 -------------- next part -------------- 
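Review bot: the doc string on the new `Bytes('usercertificate*', validate_certificate, ...)` parameter in the ipalib/plugins/baseuser.py hunk reads 'Base-64 encoded server certificate', which looks copied from the service plugin; on a user object it should say 'user certificate'. Importing `validate_certificate` from `ipalib.plugins.service` also makes baseuser depend on the service plugin; if the validator is now shared by users, hosts and services it belongs in a common module, though that can be a follow-up.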
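Review bot: the new self-service ACI in install/share/default-aci.ldif and install/updates/20-aci.update gives every user write access to their own `usercertificate`, and because cert_request gates issuance on `ldap.can_write(dn, "usercertificate")` this is also what allows a user to obtain a certificate for themselves; that consequence should be spelled out in the commit message. It also lets a user store an arbitrary certificate (one not issued by the IPA CA) on their own entry, so consumers of `usercertificate` must not treat its presence as proof of CA issuance. Minor: the update file writes `add:aci:(targetattr` with no space after the second colon while the ldif has `aci: (targetattr`; keep the two spellings identical so the install-time and upgrade-time values are the same string.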
From 82ebf9d81d7363adf87996e100fc72349444447a Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Thu, 14 May 2015 01:45:16 -0400 Subject: [PATCH 11/13] Update cert-request to support user certs and profiles Part of: https://fedorahosted.org/freeipa/ticket/57 Part of: https://fedorahosted.org/freeipa/ticket/4938 --- API.txt | 3 +- ipalib/pkcs10.py | 1 + ipalib/plugins/cert.py | 220 +++++++++++++++++++++++++++++-------------------- 3 files changed, 135 insertions(+), 89 deletions(-) diff --git a/API.txt b/API.txt index abd9407af31aa511d767afd6dcc4f3470c7bcae9..7574bc900e7a962b8e67fd773743879e4e5b8c7e 100644 --- a/API.txt +++ b/API.txt @@ -485,10 +485,11 @@ arg: Str('serial_number') option: Str('version?', exclude='webui') output: Output('result', None, None) command: cert_request -args: 1,4,1 +args: 1,5,1 arg: File('csr', cli_name='csr_file') option: Flag('add', autofill=True, default=False) option: Str('principal') +option: Str('profile_id?') option: Str('request_type', autofill=True, default=u'pkcs10') option: Str('version?', exclude='webui') output: Output('result', , None) diff --git a/ipalib/pkcs10.py b/ipalib/pkcs10.py index f35e200a2c1b47e2a2c8cffcf9b723f398fe3221..6299dfea43b7a3f4104f0b0ec78c4f105d9daf62 100644 --- a/ipalib/pkcs10.py +++ b/ipalib/pkcs10.py @@ -30,6 +30,7 @@ PEM = 0 DER = 1 SAN_DNSNAME = 'DNS name' +SAN_RFC822NAME = 'RFC822 Name' SAN_OTHERNAME_UPN = 'Other Name (OID.1.3.6.1.4.1.311.20.2.3)' SAN_OTHERNAME_KRB5PRINCIPALNAME = 'Other Name (OID.1.3.6.1.5.2.2)' diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py index e4cb6dc0aa8b89368806b08674aae277b3653e8f..d122900175db41ba5af429fd47af6cac6533cb6f 100644 --- a/ipalib/plugins/cert.py +++ b/ipalib/plugins/cert.py 
@@ -31,7 +31,8 @@ from ipalib import ngettext from ipalib.plugable import Registry from ipalib.plugins.virtual import * from ipalib.plugins.baseldap import pkey_to_value -from ipalib.plugins.service import split_principal +from ipalib.plugins.service import split_any_principal +from ipalib.plugins.certprofile import validate_profile_id import base64 import traceback from ipalib.text import _ @@ -122,6 +123,8 @@ http://www.ietf.org/rfc/rfc5280.txt """) +USER, HOST, SERVICE = range(3) + register = Registry() def validate_pkidate(ugettext, value): @@ -232,7 +235,7 @@ class cert_request(VirtualCommand): takes_options = ( Str('principal', label=_('Principal'), - doc=_('Service principal for this certificate (e.g. HTTP/test.example.com)'), + doc=_('Principal for this certificate (e.g. HTTP/test.example.com)'), ), Str('request_type', default=u'pkcs10', @@ -243,6 +246,10 @@ class cert_request(VirtualCommand): default=False, autofill=True ), + Str('profile_id?', validate_profile_id, + label=_("Profile ID"), + doc=_("Certificate Profile to use"), + ) ) has_output_params = ( @@ -294,10 +301,9 @@ class cert_request(VirtualCommand): ca_enabled_check() ldap = self.api.Backend.ldap2 - principal = kw.get('principal') add = kw.get('add') request_type = kw.get('request_type') - service = None + profile_id = kw.get('profile_id', self.Backend.ra.DEFAULT_PROFILE) """ Access control is partially handled by the ACI titled 
@@ -310,9 +316,28 @@ class cert_request(VirtualCommand): taskgroup (directly or indirectly via role membership). """ - bind_principal = getattr(context, 'principal') - # Can this user request certs? - if not bind_principal.startswith('host/'): + principal_string = kw.get('principal') + principal = split_any_principal(principal_string) + servicename, principal_name, realm = principal + if servicename is None: + principal_type = USER + elif servicename == 'host': + principal_type = HOST + else: + principal_type = SERVICE + + bind_principal = split_any_principal(getattr(context, 'principal')) + bind_service, bind_name, bind_realm = bind_principal + + if bind_service is None: + bind_principal_type = USER + elif bind_service == 'host': + bind_principal_type = HOST + else: + bind_principal_type = SERVICE + + if bind_principal != principal and bind_principal_type != HOST: + # Can the bound principal request certs for another principal? self.check_access() try: 
@@ -323,57 +348,71 @@ class cert_request(VirtualCommand): raise errors.CertificateOperationError( error=_("Failure decoding Certificate Signing Request: %s") % e) - if not bind_principal.startswith('host/'): + # host principals may bypass allowed ext check + if bind_principal_type != HOST: for ext in extensions: operation = self._allowed_extensions.get(ext) if operation: self.check_access(operation) - # Ensure that the hostname in the CSR matches the principal - subject_host = subject.common_name #pylint: disable=E1101 - if not subject_host: + dn = None + principal_obj = None + # See if the service exists and punt if it doesn't and we aren't + # going to add it + try: + if principal_type == SERVICE: + principal_obj = api.Command['service_show'](principal_string, all=True) + elif principal_type == HOST: + principal_obj = api.Command['host_show'](principal_name, all=True) + elif principal_type == USER: + principal_obj = api.Command['user_show'](principal_name, all=True) + except errors.NotFound as e: + if principal_type == SERVICE and add: + principal_obj = api.Command['service_add'](principal_string, force=True) + else: + raise errors.NotFound( + reason=_("The principal for this request doesn't exist.")) + principal_obj = principal_obj['result'] + dn = principal_obj['dn'] + + # Ensure that the DN in the CSR matches the principal + cn = subject.common_name #pylint: disable=E1101 + if not cn: raise errors.ValidationError(name='csr', - error=_("No hostname was found in subject of request.")) + error=_("No Common Name was found in subject of request.")) - (servicename, hostname, realm) = split_principal(principal) - if subject_host.lower() != hostname.lower(): - raise errors.ACIError( - info=_("hostname in subject of request '%(subject_host)s' " - "does not match principal hostname '%(hostname)s'") % dict( - subject_host=subject_host, hostname=hostname)) + if principal_type in (SERVICE, HOST): + if cn.lower() != principal_name.lower(): + raise errors.ACIError( + 
info=_("hostname in subject of request '%(cn)s' " + "does not match principal hostname '%(hostname)s'") + % dict(cn=cn, hostname=principal_name)) + elif principal_type == USER: + # check user name + if cn != principal_name: + raise errors.ValidationError( + name='csr', + error=_( + "DN commonName does not match " + "any of user's email addresses") + ) + + # check email address + mail = subject.email_address #pylint: disable=E1101 + if mail is not None and mail not in principal_obj.get('mail', []): + raise errors.ValidationError( + name='csr', + error=_( + "DN emailAddress does not match " + "any of user's email addresses") + ) for ext in extensions: if ext not in self._allowed_extensions: raise errors.ValidationError( name='csr', error=_("extension %s is forbidden") % ext) - for name_type, name in subjectaltname: - if name_type not in (pkcs10.SAN_DNSNAME, - pkcs10.SAN_OTHERNAME_KRB5PRINCIPALNAME, - pkcs10.SAN_OTHERNAME_UPN): - raise errors.ValidationError( - name='csr', - error=_("subject alt name type %s is forbidden") % - name_type) - - dn = None - service = None - # See if the service exists and punt if it doesn't and we aren't - # going to add it - try: - if servicename != 'host': - service = api.Command['service_show'](principal, all=True) - else: - service = api.Command['host_show'](hostname, all=True) - except errors.NotFound, e: - if not add: - raise errors.NotFound(reason=_("The service principal for " - "this request doesn't exist.")) - service = api.Command['service_add'](principal, force=True) - service = service['result'] - dn = service['dn'] - - # We got this far so the service entry exists, can we write it? + # We got this far so the principal entry exists, can we write it? if not ldap.can_write(dn, "usercertificate"): raise errors.ACIError(info=_("Insufficient 'write' privilege " "to the 'userCertificate' attribute of entry '%s'.") % dn) 
@@ -382,13 +421,20 @@ class cert_request(VirtualCommand): for name_type, name in subjectaltname: if name_type == pkcs10.SAN_DNSNAME: name = unicode(name) + alt_principal_obj = None try: - if servicename == 'host': - altservice = api.Command['host_show'](name, all=True) - else: + if principal_type == HOST: + alt_principal_obj = api.Command['host_show'](name, all=True) + elif principal_type == SERVICE: altprincipal = '%s/%s@%s' % (servicename, name, realm) - altservice = api.Command['service_show']( + alt_principal_obj = api.Command['service_show']( altprincipal, all=True) + elif principal_type == USER: + raise errors.ValidationError( + name='csr', + error=_("subject alt name type %s is forbidden " + "for user principals") % name_type + ) except errors.NotFound: # We don't want to issue any certificates referencing # machines we don't know about. Nothing is stored in this 
@@ -396,47 +442,41 @@ class cert_request(VirtualCommand): raise errors.NotFound(reason=_('The service principal for ' 'subject alt name %s in certificate request does not ' 'exist') % name) - altdn = altservice['result']['dn'] - if not ldap.can_write(altdn, "usercertificate"): - raise errors.ACIError(info=_( - "Insufficient privilege to create a certificate with " - "subject alt name '%s'.") % name) + if alt_principal_obj is not None: + altdn = alt_principal_obj['result']['dn'] + if not ldap.can_write(altdn, "usercertificate"): + raise errors.ACIError(info=_( + "Insufficient privilege to create a certificate " + "with subject alt name '%s'.") % name) elif name_type in (pkcs10.SAN_OTHERNAME_KRB5PRINCIPALNAME, pkcs10.SAN_OTHERNAME_UPN): - if name != principal: + if name != principal_string: raise errors.ACIError( info=_("Principal '%s' in subject alt name does not " - "match requested service principal") % name) + "match requested principal") % name) + elif name_type == pkcs10.SAN_RFC822NAME: + if principal_type == USER: + if name not in principal_obj.get('mail', []): + raise errors.ValidationError( + name='csr', + error=_( + "RFC822Name does not match " + "any of user's email addresses") + ) + else: + raise errors.ValidationError( + name='csr', + error=_("subject alt name type %s is forbidden " + "for non-user principals") % name_type + ) else: raise errors.ACIError( info=_("Subject alt name type %s is forbidden") % name_type) - if 'usercertificate' in service: - serial = x509.get_serial_number(service['usercertificate'][0], datatype=x509.DER) - # revoke the certificate and remove it from the service - # entry before proceeding. First we retrieve the certificate to - # see if it is already revoked, if not then we revoke it. 
- try: - result = api.Command['cert_show'](unicode(serial))['result'] - if 'revocation_reason' not in result: - try: - api.Command['cert_revoke'](unicode(serial), revocation_reason=4) - except errors.NotImplementedError: - # some CA's might not implement revoke - pass - except errors.NotImplementedError: - # some CA's might not implement get - pass - if not principal.startswith('host/'): - api.Command['service_mod'](principal, usercertificate=None) - else: - hostname = get_host_from_principal(principal) - api.Command['host_mod'](hostname, usercertificate=None) - # Request the certificate result = self.Backend.ra.request_certificate( - csr, 'caIPAserviceCert', request_type=request_type) + csr, profile_id, request_type=request_type) cert = x509.load_certificate(result['certificate']) result['issuer'] = unicode(cert.issuer) result['valid_not_before'] = unicode(cert.valid_not_before_str) 
@@ -444,15 +484,19 @@ class cert_request(VirtualCommand): result['md5_fingerprint'] = unicode(nss.data_to_hex(nss.md5_digest(cert.der_data), 64)[0]) result['sha1_fingerprint'] = unicode(nss.data_to_hex(nss.sha1_digest(cert.der_data), 64)[0]) - # Success? Then add it to the service entry. - if 'certificate' in result: - if not principal.startswith('host/'): - skw = {"usercertificate": str(result.get('certificate'))} - api.Command['service_mod'](principal, **skw) - else: - hostname = get_host_from_principal(principal) - skw = {"usercertificate": str(result.get('certificate'))} - api.Command['host_mod'](hostname, **skw) + # Success? Then add it to the principal's entry + # (unless the profile tells us not to) + profile = api.Command['certprofile_show'](profile_id) + store = profile['result']['ipacertprofilestoreissued'][0] == 'TRUE' + if store and 'certificate' in result: + cert = str(result.get('certificate')) + kwargs = dict(addattr=u'usercertificate={}'.format(cert)) + if principal_type == SERVICE: + api.Command['service_mod'](principal_string, **kwargs) + elif principal_type == HOST: + api.Command['host_mod'](principal_name, **kwargs) + elif principal_type == USER: + api.Command['user_mod'](principal_name, **kwargs) return dict( result=result -- 2.1.0 -------------- next part -------------- From c00f627594a9c7e25495ab730c3559a08770724f Mon Sep 17 00:00:00 2001 
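Review bot: in the `@@ -294,10 +301,9 @@` hunk of ipalib/plugins/cert.py, `profile_id = kw.get('profile_id', self.Backend.ra.DEFAULT_PROFILE)` only substitutes the default when the key is absent; a client that passes `profile_id=None` explicitly sends None on into `request_certificate` and `certprofile_show`. `kw.get('profile_id') or self.Backend.ra.DEFAULT_PROFILE` is the more robust spelling.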
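Review bot: in the `@@ -310,9 +316,28 @@` hunk, `self.check_access()` is now skipped whenever `bind_principal == principal`, so a user or service requesting a certificate for itself no longer needs the 'Request Certificate' permission, whereas before every non-host bind principal had to pass that check. If self-issuance is intended (for users it is presumably the point of the self-service ACI in the previous patch), say so in the commit message and update the access-control docstring directly above this block, which still describes the old rule. Note also that the comparison is an exact tuple comparison, so any difference in how the requested and bound principals are spelled falls through to `check_access()`; that is the safe direction, but worth a comment.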
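Review bot: in the `@@ -323,57 +348,71 @@` hunk the USER branch raises `"DN commonName does not match any of user's email addresses"` when `cn != principal_name`, but that check compares the CN against the user login, not an email address; the message should say the commonName does not match the user name. The `except errors.NotFound as e:` binds `e` without using it (pyflakes will flag it), and in that handler `add` is honoured only for SERVICE principals while the error text for the other cases gives no hint that `--add` was ignored; either reject `add` for user and host principals or document the limitation on the `add` flag. For the krb5PrincipalName / UPN SAN check in the `@@ -396,47 +442,41 @@` hunk, `name != principal_string` compares the raw string the caller supplied; comparing against the parsed `(servicename, principal_name, realm)` tuple would make the check independent of how the caller spelled the principal.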
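Review bot: the `@@ -396,47 +442,41 @@` hunk deletes the block that looked up the entry's existing `usercertificate`, revoked it (reason 4, superseded) and cleared it before issuing a replacement, and the `@@ -444,15 +484,19 @@` hunk now appends the new certificate with `addattr=u'usercertificate=...'`. That is a behavioural change the commit message does not mention: a principal can accumulate several valid certificates and nothing supersedes the old ones. If multiple certificates per entry is the intended model, state it; otherwise keep the revoke-on-reissue path. In the same final hunk, `certprofile_show(profile_id)` runs after `request_certificate` has already issued the certificate; move the lookup before the request so that a missing profile entry or a permission error on the lookup cannot leave an issued certificate that is recorded nowhere. Also `['ipacertprofilestoreissued'][0] == 'TRUE'` assumes the raw LDAP string; double-check what certprofile_show returns for that attribute, since a converted Bool would be `True` rather than `'TRUE'` and `store` would silently be False.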
From: Fraser Tweedale Date: Mon, 25 May 2015 08:39:07 -0400 Subject: [PATCH 12/13] Add CA ACL plugin Implement the caacl commands, which are used to indicate which principals may be issued certificates from which (sub-)CAs, using which profiles. At this commit, and until sub-CAs are implemented, all rules refer to the top-level CA (represented as ".") and no ca-ref argument is exposed. Also add a default CA ACL that permits certificate issuance for all hosts and services using the profile 'caIPAserviceCert' on the top-level CA. This rule is added during install but not upgrade. Part of: https://fedorahosted.org/freeipa/ticket/57 Part of: https://fedorahosted.org/freeipa/ticket/4559 --- ACI.txt | 10 + API.txt | 190 +++++++++++++++ VERSION | 4 +- install/share/60certificate-profiles.ldif | 8 + install/share/Makefile.am | 1 + install/share/bootstrap-template.ldif | 6 + install/share/default-caacl.ldif | 12 + install/updates/41-caacl.update | 4 + install/updates/Makefile.am | 1 + ipalib/constants.py | 1 + ipalib/plugins/caacl.py | 371 ++++++++++++++++++++++++++++++ ipaserver/install/dsinstance.py | 4 + 12 files changed, 610 insertions(+), 2 deletions(-) create mode 100644 install/share/default-caacl.ldif create mode 100644 install/updates/41-caacl.update create mode 100644 ipalib/plugins/caacl.py diff --git a/ACI.txt b/ACI.txt index 59173ac1b593f15e079c7b1fce43ec9b0084ec91..316fb34faba18d77b820ff2fb730ea07a4c5b8ec 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -22,6 +22,16 @@ dn: cn=automount,dc=ipa,dc=example aci: (targetattr = "automountmapname || description")(targetfilter = "(objectclass=automountmap)")(version 3.0;acl "permission:System: Modify Automount Maps";allow (write) groupdn = "ldap:///cn=System: Modify Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=automount,dc=ipa,dc=example aci: (targetfilter = "(objectclass=automountmap)")(version 3.0;acl "permission:System: Remove Automount Maps";allow (delete) groupdn = "ldap:///cn=System: Remove Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=caacls,cn=ca,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Add CA ACL";allow (add) groupdn = "ldap:///cn=System: Add CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=caacls,cn=ca,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Delete CA ACL";allow (delete) groupdn = "ldap:///cn=System: Delete CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=caacls,cn=ca,dc=ipa,dc=example +aci: (targetattr = "ipacaaclallhosts || ipacaaclallprofiles || ipacaaclallservices || ipacaaclallusers || ipacaaclmembercertprofile || memberhost || memberservice || memberuser")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Manage CA ACL Membership";allow (write) groupdn = "ldap:///cn=System: Manage CA ACL Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=caacls,cn=ca,dc=ipa,dc=example +aci: (targetattr = "cn || description || ipacaaclallcas || ipacaaclcaref || ipaenabledflag")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Modify CA ACL";allow (write) groupdn = "ldap:///cn=System: Modify CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=caacls,cn=ca,dc=ipa,dc=example +aci: (targetattr = "cn || createtimestamp || description || entryusn || ipacaaclallcas || ipacaaclallhosts || ipacaaclallprofiles || 
ipacaaclallservices || ipacaaclallusers || ipacaaclcaref || ipacaaclmembercertprofile || ipaenabledflag || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Read CA ACLs";allow (compare,read,search) userdn = "ldap:///all";) dn: cn=certprofiles,cn=ca,dc=ipa,dc=example aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Delete Certificate Profile";allow (delete) groupdn = "ldap:///cn=System: Delete Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=certprofiles,cn=ca,dc=ipa,dc=example diff --git a/API.txt b/API.txt index 7574bc900e7a962b8e67fd773743879e4e5b8c7e..1b3044d1737df59f7cb16f98fd5bbdfd88ccf5c1 100644 --- a/API.txt +++ b/API.txt 
@@ -456,6 +456,196 @@ option: Str('version?', exclude='webui') output: Output('result', , None) output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) +command: caacl_add +args: 1,14,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, required=True) +option: Str('addattr*', cli_name='addattr', exclude='webui') +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('description', attribute=True, cli_name='desc', multivalue=False, required=False) +option: Bool('ipacaaclallcas', attribute=True, cli_name='allcas', multivalue=False, required=False) +option: Bool('ipacaaclallhosts', attribute=True, cli_name='allhosts', multivalue=False, required=False) +option: Bool('ipacaaclallprofiles', attribute=True, cli_name='allprofiles', multivalue=False, required=False) +option: Bool('ipacaaclallservices', attribute=True, cli_name='allservices', multivalue=False, required=False) +option: Bool('ipacaaclallusers', attribute=True, cli_name='allusers', multivalue=False, required=False) +option: Str('ipacaaclcaref', attribute=True, cli_name='ca_ref', multivalue=True, required=False) +option: Bool('ipaenabledflag', attribute=True, cli_name='ipaenabledflag', multivalue=False, required=False) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('setattr*', cli_name='setattr', exclude='webui') +option: Str('version?', exclude='webui') +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) +command: caacl_add_host +args: 1,6,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('host*', 
alwaysask=True, cli_name='hosts', csv=True) +option: Str('hostgroup*', alwaysask=True, cli_name='hostgroups', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: caacl_add_profile +args: 1,5,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('certprofile*', alwaysask=True, cli_name='certprofiles', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: caacl_add_service +args: 1,5,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('service*', alwaysask=True, cli_name='services', csv=True) +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: caacl_add_user +args: 1,6,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, 
primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('group*', alwaysask=True, cli_name='groups', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('user*', alwaysask=True, cli_name='users', csv=True) +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: caacl_del +args: 1,2,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=True, primary_key=True, query=True, required=True) +option: Flag('continue', autofill=True, cli_name='continue', default=False) +option: Str('version?', exclude='webui') +output: Output('result', , None) +output: Output('summary', (, ), None) +output: ListOfPrimaryKeys('value', None, None) +command: caacl_disable +args: 1,1,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Str('version?', exclude='webui') +output: Output('result', , None) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) +command: caacl_enable +args: 1,1,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Str('version?', exclude='webui') +output: Output('result', , None) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) +command: caacl_find +args: 1,16,4 +arg: Str('criteria?', noextrawhitespace=False) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('cn', attribute=True, autofill=False, cli_name='name', multivalue=False, primary_key=True, query=True, required=False) +option: Str('description', attribute=True, autofill=False, 
cli_name='desc', multivalue=False, query=True, required=False) +option: Bool('ipacaaclallcas', attribute=True, autofill=False, cli_name='allcas', multivalue=False, query=True, required=False) +option: Bool('ipacaaclallhosts', attribute=True, autofill=False, cli_name='allhosts', multivalue=False, query=True, required=False) +option: Bool('ipacaaclallprofiles', attribute=True, autofill=False, cli_name='allprofiles', multivalue=False, query=True, required=False) +option: Bool('ipacaaclallservices', attribute=True, autofill=False, cli_name='allservices', multivalue=False, query=True, required=False) +option: Bool('ipacaaclallusers', attribute=True, autofill=False, cli_name='allusers', multivalue=False, query=True, required=False) +option: Str('ipacaaclcaref', attribute=True, autofill=False, cli_name='ca_ref', multivalue=True, query=True, required=False) +option: Bool('ipaenabledflag', attribute=True, autofill=False, cli_name='ipaenabledflag', multivalue=False, query=True, required=False) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('pkey_only?', autofill=True, default=False) +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Int('sizelimit?', autofill=False, minvalue=0) +option: Int('timelimit?', autofill=False, minvalue=0) +option: Str('version?', exclude='webui') +output: Output('count', , None) +output: ListOfEntries('result', (, ), Gettext('A list of LDAP entries', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: Output('truncated', , None) +command: caacl_mod +args: 1,16,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Str('addattr*', cli_name='addattr', exclude='webui') +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('delattr*', cli_name='delattr', exclude='webui') +option: Str('description', attribute=True, autofill=False, 
cli_name='desc', multivalue=False, required=False) +option: Bool('ipacaaclallcas', attribute=True, autofill=False, cli_name='allcas', multivalue=False, required=False) +option: Bool('ipacaaclallhosts', attribute=True, autofill=False, cli_name='allhosts', multivalue=False, required=False) +option: Bool('ipacaaclallprofiles', attribute=True, autofill=False, cli_name='allprofiles', multivalue=False, required=False) +option: Bool('ipacaaclallservices', attribute=True, autofill=False, cli_name='allservices', multivalue=False, required=False) +option: Bool('ipacaaclallusers', attribute=True, autofill=False, cli_name='allusers', multivalue=False, required=False) +option: Str('ipacaaclcaref', attribute=True, autofill=False, cli_name='ca_ref', multivalue=True, required=False) +option: Bool('ipaenabledflag', attribute=True, autofill=False, cli_name='ipaenabledflag', multivalue=False, required=False) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Flag('rights', autofill=True, default=False) +option: Str('setattr*', cli_name='setattr', exclude='webui') +option: Str('version?', exclude='webui') +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) +command: caacl_remove_host +args: 1,6,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('host*', alwaysask=True, cli_name='hosts', csv=True) +option: Str('hostgroup*', alwaysask=True, cli_name='hostgroups', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('version?', exclude='webui') +output: 
Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: caacl_remove_profile +args: 1,5,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('certprofile*', alwaysask=True, cli_name='certprofiles', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: caacl_remove_service +args: 1,5,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('service*', alwaysask=True, cli_name='services', csv=True) +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: caacl_remove_user +args: 1,6,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('group*', alwaysask=True, cli_name='groups', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', 
default=False, exclude='webui') +option: Str('user*', alwaysask=True, cli_name='users', csv=True) +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: caacl_show +args: 1,5,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Flag('rights', autofill=True, default=False) +option: Str('version?', exclude='webui') +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) command: cert_find args: 0,17,4 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') diff --git a/VERSION b/VERSION index 2ad3827923bc0f404513300edc8498ed6717c571..3dad789f0b673c1dc11cf6e938c5f7096078027e 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=123 -# Last change: rcritten - added service constraint delegation plugin +IPA_API_VERSION_MINOR=124 +# Last change: ftweedal - add certprofile and caacl plugins diff --git a/install/share/60certificate-profiles.ldif b/install/share/60certificate-profiles.ldif index f1281949e53386e5bfe8b35e0c15858c693c5467..2afd93ee9c0f92dc4073d4be9164734f524423de 100644 --- a/install/share/60certificate-profiles.ldif +++ b/install/share/60certificate-profiles.ldif 
@@ -1,3 +1,11 @@ dn: cn=schema attributeTypes: (2.16.840.1.113730.3.8.21.1.1 NAME 'ipaCertProfileStoreIssued' DESC 'Store certificates issued using this profile' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.2' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.2 NAME 'ipaCaAclCaRef' DESC 'Certificate Authority Reference' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 X-ORIGIN 'IPA v4.2' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.3 NAME 'ipaCaAclMemberCertprofile' DESC 'CA ACL certificate profile members' SUP distinguishedName EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v4.2' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.4 NAME 'ipaCaAclAllCAs' DESC 'Allow use of all CAs' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.2' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.5 NAME 'ipaCaAclAllProfiles' DESC 'Allow ues of all profiles' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.2' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.6 NAME 'ipaCaAclAllUsers' DESC 'Allow all users' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.2' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.7 NAME 'ipaCaAclAllHosts' DESC 'Allow all hosts' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.2' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.8 NAME 'ipaCaAclAllServices' DESC 'Allow all services' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.2' ) objectClasses: (2.16.840.1.113730.3.8.21.2.1 NAME 'ipaCertProfile' SUP top STRUCTURAL MUST ( cn $ description $ ipaCertProfileStoreIssued ) X-ORIGIN 'IPA v4.2' ) +objectClasses: (2.16.840.1.113730.3.8.21.2.2 NAME 'ipaCaAcl' SUP ipaAssociation STRUCTURAL MUST cn MAY ( ipaCaAclCaRef $ ipaCaAclAllCAs $ ipaCaAclAllProfiles $ ipaCaAclAllUsers $ ipaCaAclAllHosts $ 
ipaCaAclAllServices $ ipaCaAclMemberCertprofile $ memberService ) X-ORIGIN 'IPA v4.2' ) diff --git a/install/share/Makefile.am b/install/share/Makefile.am index 31f391be25c58b76cc71971852074d80c5514745..e97a89ca93f7f188e06dc982bd69e251f8082df3 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -29,6 +29,7 @@ app_DATA = \ bootstrap-template.ldif \ caJarSigningCert.cfg.template \ default-aci.ldif \ + default-caacl.ldif \ default-hbac.ldif \ default-smb-group.ldif \ default-trust-view.ldif \ diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif index c5d4bad8b80640881f4631e4873a12c82b0ea48a..2387f220fd4fe6e3ccd59f4b592f2473d7acfa44 100644 --- a/install/share/bootstrap-template.ldif +++ b/install/share/bootstrap-template.ldif @@ -441,3 +441,9 @@ changetype: add objectClass: nsContainer objectClass: top cn: certprofiles + +dn: cn=caacls,cn=ca,$SUFFIX +changetype: add +objectClass: nsContainer +objectClass: top +cn: caacls diff --git a/install/share/default-caacl.ldif b/install/share/default-caacl.ldif new file mode 100644 index 0000000000000000000000000000000000000000..4b6613cb216057d91533832e675bdb0d2007e995 --- /dev/null +++ b/install/share/default-caacl.ldif @@ -0,0 +1,12 @@ +# default CA ACL that grants use of caIPAserviceCert on top-level CA to all hosts and services +dn: ipauniqueid=autogenerate,cn=caacls,cn=ca,$SUFFIX +changetype: add +objectclass: ipaassociation +objectclass: ipacaacl +ipauniqueid: autogenerate +cn: hosts_services_caIPAserviceCert +ipaenabledflag: TRUE +ipacaaclcaref: . +ipacaaclmembercertprofile: cn=caIPAserviceCert,cn=certprofiles,cn=ca,$SUFFIX +ipacaaclallhosts: TRUE +ipacaaclallservices: TRUE diff --git a/install/updates/41-caacl.update b/install/updates/41-caacl.update new file mode 100644 index 0000000000000000000000000000000000000000..a18b6ec946855c194077d9ac01a8adcfddf8542e --- /dev/null +++ b/install/updates/41-caacl.update 
@@ -0,0 +1,4 @@ +dn: cn=caacls,cn=ca,$SUFFIX +default: objectClass: nsContainer +default: objectClass: top +default: cn: caacls diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am index fc6bd624eac619cdddeba29b85440571d85fd69f..eddf4d850ed4b47d5526dc152149fa21b14779d4 100644 --- a/install/updates/Makefile.am +++ b/install/updates/Makefile.am @@ -35,6 +35,7 @@ app_DATA = \ 40-certprofile.update \ 40-otp.update \ 40-vault.update \ + 41-caacl.update \ 45-roles.update \ 50-7_bit_check.update \ 50-dogtag10-migration.update \ diff --git a/ipalib/constants.py b/ipalib/constants.py index 96396a236b8694b3dd988dfe28c1b0c3cc9e3180..9812f843e1e4ced9244f3efd6a9bb6f4c2769655 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -119,6 +119,7 @@ DEFAULT_CONFIG = ( ('container_views', DN(('cn', 'views'), ('cn', 'accounts'))), ('container_masters', DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'))), ('container_certprofile', DN(('cn', 'certprofiles'), ('cn', 'ca'))), + ('container_caacl', DN(('cn', 'caacls'), ('cn', 'ca'))), # Ports, hosts, and URIs: ('xmlrpc_uri', 'http://localhost:8888/ipa/xml'), diff --git a/ipalib/plugins/caacl.py b/ipalib/plugins/caacl.py new file mode 100644 index 0000000000000000000000000000000000000000..f9bf7a3e411c110a0a103d9681fd9ee58fc38b72 --- /dev/null +++ b/ipalib/plugins/caacl.py 
@@ -0,0 +1,371 @@ +# +# Copyright (C) 2015 FreeIPA Contributors see COPYING for license +# + +from ipalib import api, errors, output +from ipalib import Bool, Str +from ipalib.plugable import Registry +from ipalib.plugins.baseldap import ( + LDAPObject, LDAPSearch, LDAPCreate, LDAPDelete, LDAPQuery, + LDAPUpdate, LDAPRetrieve, LDAPAddMember, LDAPRemoveMember, + global_output_params, pkey_to_value) +from ipalib import _, ngettext +from ipapython.dn import DN + + +__doc__ = _(""" +Manage CA ACL rules. + +This plugin is used to define rules governing which principals are +permitted to have certificates issued using a given certificate +profile. + +PROFILE ID SYNTAX: + +A Profile ID is a string without spaces or punctuation starting with a letter +and followed by a sequence of letters, digits or underscore ("_"). + +EXAMPLES: + + Create a CA ACL "test" that grants all users access to the + "UserCert" profile: + ipa caacl-add test --profile-id=UserCert --allusers=1 + + Display the properties of a named CA ACL: + ipa caacl-show test + + Create a CA ACL to let user "alice" use the "DNP3" profile: + ipa caacl-add john_dnp3 --profile-id=DNP3 + ipa caacl-add-user --user=alice + + Disable a CA ACL: + ipa caacl-disable test + + Remove a CA ACL: + ipa caacl-del test +""") + +register = Registry() + + + at register() +class caacl(LDAPObject): + """ + CA ACL object. 
+ """ + container_dn = api.env.container_caacl + object_name = _('CA ACL') + object_name_plural = _('CA ACLs') + object_class = ['ipaassociation', 'ipacaacl'] + permission_filter_objectclasses = ['ipacaacl'] + default_attributes = [ + 'cn', 'description', 'ipaenabledflag', + 'ipacaaclcaref', 'ipacaaclmembercertprofile', + 'ipacaaclallcas', 'ipacaaclallprofiles', + 'ipacaaclallusers', 'ipacaaclallhosts', 'ipacaaclallservices', + 'memberuser', 'memberhost', 'memberservice', 'memberhostgroup', + ] + uuid_attribute = 'ipauniqueid' + rdn_attribute = 'ipauniqueid' + attribute_members = { + 'memberuser': ['user', 'group'], + 'memberhost': ['host', 'hostgroup'], + 'memberservice': ['service'], + 'ipacaaclmembercertprofile': ['certprofile'], + } + managed_permissions = { + 'System: Read CA ACLs': { + 'replaces_global_anonymous_aci': True, + 'ipapermbindruletype': 'all', + 'ipapermright': {'read', 'search', 'compare'}, + 'ipapermdefaultattr': { + 'cn', 'description', 'ipaenabledflag', + 'ipacaaclcaref', 'ipacaaclmembercertprofile', + 'ipacaaclallcas', 'ipacaaclallprofiles', + 'ipacaaclallusers', 'ipacaaclallhosts', 'ipacaaclallservices', + 'ipauniqueid', 'memberhost', 'memberservice', 'memberuser', + 'objectclass', 'member', + }, + }, + 'System: Add CA ACL': { + 'ipapermright': {'add'}, + 'replaces': [ + '(target = "ldap:///ipauniqueid=*,cn=caacls,cn=ca,$SUFFIX")(version 3.0;acl "permission:Add CA ACL";allow (add) groupdn = "ldap:///cn=Add CA ACL,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + 'System: Delete CA ACL': { + 'ipapermright': {'delete'}, + 'replaces': [ + '(target = "ldap:///ipauniqueid=*,cn=caacls,cn=ca,$SUFFIX")(version 3.0;acl "permission:Delete CA ACL";allow (delete) groupdn = "ldap:///cn=Delete CA ACL,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + 'System: Manage CA ACL Membership': { + 'ipapermright': {'write'}, + 'ipapermdefaultattr': { + 'memberuser', 
'ipacaaclallusers', + 'memberhost', 'ipacaaclallhosts', + 'memberservice', 'ipacaaclallservices', + 'ipacaaclmembercertprofile', 'ipacaaclallprofiles', + }, + 'replaces': [ + '(targetattr = "memberuser || memberservice || memberhost || ipacaaclmembercertprofile || ipacaaclallprofiles || ipacaaclallusers || ipacaaclallhosts || ipacaaclallservices")(target = "ldap:///ipauniqueid=*,cn=caacls,cn=ca,$SUFFIX")(version 3.0;acl "permission:Manage CA ACL membership";allow (write) groupdn = "ldap:///cn=Manage CA ACL membership,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + 'System: Modify CA ACL': { + 'ipapermright': {'write'}, + 'ipapermdefaultattr': { + 'cn', 'description', 'ipaenabledflag', + 'ipacaaclallcas', 'ipacaaclcaref', + }, + 'replaces': [ + '(targetattr = "cn || description || ipaenabledflag || ipacaaclcaref || ipacaaclallcas || ipacaaclallprofiles")(target = "ldap:///ipauniqueid=*,cn=caacls,cn=ca,$SUFFIX")(version 3.0;acl "permission:Modify CA ACL";allow (write) groupdn = "ldap:///cn=Modify CA ACL,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + } + + label = _('CA ACLs') + label_singular = _('CA ACL') + + takes_params = ( + Str('cn', + cli_name='name', + label=_('ACL name'), + primary_key=True, + ), + Str('description?', + cli_name='desc', + label=_('Description'), + ), + Bool('ipaenabledflag?', + label=_('Enabled'), + flags=['no_option'], + ), + Str('ipacaaclcaref*', # validate sub-CA handle syntax + cli_name='ca_ref', + label=_('CA Reference'), + flags=['no_option', 'no_output'], # until sub-CAs are implemented + ), + Bool('ipacaaclallcas?', + cli_name='allcas', + label=_('Allow use of all CAs'), + flags=['no_option', 'no_output'], # until sub-CAs are implemented + ), + Bool('ipacaaclallprofiles?', + cli_name='allprofiles', + label=_('Allow use of all profiles'), + ), + Bool('ipacaaclallusers?', + cli_name='allusers', + label=_('Allow all users'), + ), + 
Bool('ipacaaclallhosts?', + cli_name='allhosts', + label=_('Allow all hosts'), + ), + Bool('ipacaaclallservices?', + cli_name='allservices', + label=_('Allow all services'), + ), + Str('memberuser_user?', + label=_('Users'), + flags=['no_create', 'no_update', 'no_search'], + ), + Str('memberuser_group?', + label=_('User Groups'), + flags=['no_create', 'no_update', 'no_search'], + ), + Str('memberhost_host?', + label=_('Hosts'), + flags=['no_create', 'no_update', 'no_search'], + ), + Str('memberhost_hostgroup?', + label=_('Host Groups'), + flags=['no_create', 'no_update', 'no_search'], + ), + Str('memberservice_service?', + label=_('Services'), + flags=['no_create', 'no_update', 'no_search'], + ), + Str('ipacaaclmembercertprofile_certprofile?', + label=_('Profiles'), + flags=['no_create', 'no_update', 'no_search'], + ), + ) + + + at register() +class caacl_add(LDAPCreate): + __doc__ = _('Create a new CA ACL.') + + msg_summary = _('Added CA ACL "%(value)s"') + + def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + # CA ACLs are enabled by default + entry_attrs['ipaenabledflag'] = ['TRUE'] + entry_attrs['ipacaaclcaref'] = ['.'] + return dn + + + at register() +class caacl_del(LDAPDelete): + __doc__ = _('Delete a CA ACL.') + + msg_summary = _('Deleted CA ACL "%(value)s"') + + + at register() +class caacl_mod(LDAPUpdate): + __doc__ = _('Modify a CA ACL.') + + msg_summary = _('Modified CA ACL "%(value)s"') + + + at register() +class caacl_find(LDAPSearch): + __doc__ = _('Search for CA ACLs.') + + msg_summary = ngettext( + '%(count)d CA ACL matched', '%(count)d CA ACLs matched', 0 + ) + + + at register() +class caacl_show(LDAPRetrieve): + __doc__ = _('Display the properties of a CA ACL.') + + + at register() +class caacl_enable(LDAPQuery): + __doc__ = _('Enable a CA ACL.') + + msg_summary = _('Enabled CA ACL "%(value)s"') + has_output = output.standard_value + + def execute(self, cn, **options): + ldap = self.obj.backend + + dn = 
self.obj.get_dn(cn) + try: + entry_attrs = ldap.get_entry(dn, ['ipaenabledflag']) + except errors.NotFound: + self.obj.handle_not_found(cn) + + entry_attrs['ipaenabledflag'] = ['TRUE'] + + try: + ldap.update_entry(entry_attrs) + except errors.EmptyModlist: + pass + + return dict( + result=True, + value=pkey_to_value(cn, options), + ) + + + at register() +class caacl_disable(LDAPQuery): + __doc__ = _('Disable a CA ACL.') + + msg_summary = _('Disabled CA ACL "%(value)s"') + has_output = output.standard_value + + def execute(self, cn, **options): + ldap = self.obj.backend + + dn = self.obj.get_dn(cn) + try: + entry_attrs = ldap.get_entry(dn, ['ipaenabledflag']) + except errors.NotFound: + self.obj.handle_not_found(cn) + + entry_attrs['ipaenabledflag'] = ['FALSE'] + + try: + ldap.update_entry(entry_attrs) + except errors.EmptyModlist: + pass + + return dict( + result=True, + value=pkey_to_value(cn, options), + ) + + + at register() +class caacl_add_user(LDAPAddMember): + __doc__ = _('Add users and groups to a CA ACL.') + + member_attributes = ['memberuser'] + member_count_out = ('%i object added.', '%i objects added.') + + + at register() +class caacl_remove_user(LDAPRemoveMember): + __doc__ = _('Remove users and groups from a CA ACL.') + + member_attributes = ['memberuser'] + member_count_out = ('%i object removed.', '%i objects removed.') + + + at register() +class caacl_add_host(LDAPAddMember): + __doc__ = _('Add target hosts and hostgroups to a CA ACL.') + + member_attributes = ['memberhost'] + member_count_out = ('%i object added.', '%i objects added.') + + + at register() +class caacl_remove_host(LDAPRemoveMember): + __doc__ = _('Remove target hosts and hostgroups from a CA ACL.') + + member_attributes = ['memberhost'] + member_count_out = ('%i object removed.', '%i objects removed.') + + + at register() +class caacl_add_service(LDAPAddMember): + __doc__ = _('Add services to a CA ACL.') + + member_attributes = ['memberservice'] + member_count_out = ('%i object 
added.', '%i objects added.') + + + at register() +class caacl_remove_service(LDAPRemoveMember): + __doc__ = _('Remove services from a CA ACL.') + + member_attributes = ['memberservice'] + member_count_out = ('%i object removed.', '%i objects removed.') + + +caacl_output_params = global_output_params + ( + Str('ipacaaclmembercertprofile', + label=_('Failed profiles'), + ), +) + + + at register() +class caacl_add_profile(LDAPAddMember): + __doc__ = _('Add profiles to a CA ACL.') + + has_output_params = caacl_output_params + + member_attributes = ['ipacaaclmembercertprofile'] + member_count_out = ('%i object added.', '%i objects added.') + + + at register() +class caacl_remove_profile(LDAPRemoveMember): + __doc__ = _('Remove profiles from a CA ACL.') + + has_output_params = caacl_output_params + + member_attributes = ['ipacaaclmembercertprofile'] + member_count_out = ('%i object removed.', '%i objects removed.') diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 2acab13f247ed18a750f0e1cbbd98f4e63718c03..9f24189b6e442e0c55d5de41d15a03f89ecc9578 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -307,6 +307,7 @@ class DsInstance(service.Service): self.step("adding range check plugin", self.__add_range_check_plugin) if hbac_allow: self.step("creating default HBAC rule allow_all", self.add_hbac) + self.step("creating default CA ACL rule", self.add_caacl) self.step("adding entries for topology management", self.__add_topology_entries) self.__common_post_setup() @@ -741,6 +742,9 @@ class DsInstance(service.Service): def add_hbac(self): self._ldap_mod("default-hbac.ldif", self.sub_dict) + def add_caacl(self): + self._ldap_mod("default-caacl.ldif", self.sub_dict) + def change_admin_password(self, password): root_logger.debug("Changing admin password") dirname = config_dirname(self.serverid) -- 2.1.0 -------------- next part -------------- 
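Review bot: typo in the 60certificate-profiles.ldif hunk: the DESC of the new ipaCaAclAllProfiles attribute reads 'Allow ues of all profiles'; it should be 'Allow use of all profiles', matching the wording of the sibling ipaCaAclAllCAs definition. Schema text is cheap to fix now and awkward to correct once installed servers carry it.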
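Review bot: the EXAMPLES block in the caacl.py module docstring does not match the commands this file registers. `ipa caacl-add test --profile-id=UserCert --allusers=1` uses a --profile-id option that caacl_add does not have (takes_params defines only cn, description, the enabled flag and the allcas/allprofiles/allusers/allhosts/allservices booleans; profiles are attached with caacl-add-profile), and `ipa caacl-add-user --user=alice` omits the ACL name. Something like `ipa caacl-add test --allusers=1` followed by `ipa caacl-add-profile test --certprofiles=UserCert`, and `ipa caacl-add-user john_dnp3 --users=alice` (option names as the API.txt hunk shows for the remove counterparts), would be accurate. The PROFILE ID SYNTAX paragraph also looks carried over from the certprofile plugin; it describes no parameter of this one.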
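Review bot: the `replaces` lists in the caacl managed_permissions ('System: Add CA ACL', 'Delete CA ACL', 'Manage CA ACL Membership', 'Modify CA ACL') name legacy ACIs that cannot exist, since this very patch introduces the cn=caacls container; `replaces` is for migrating pre-existing ACIs on upgrade, so these entries are dead configuration and can be dropped. If they stay, the 'System: Modify CA ACL' entry is also internally inconsistent: its ipapermdefaultattr set omits ipacaaclallprofiles while the ACI string in its `replaces` list includes it (the attribute is granted under 'Manage CA ACL Membership' instead).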
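Review bot: the default CA ACL only exists on fresh installs. dsinstance.py gains add_caacl, which loads default-caacl.ldif during ipa-server-install, but 41-caacl.update creates nothing beyond the empty cn=caacls container, so a server upgraded with this patchset has no CA ACL at all; once cert-request starts enforcing ACLs (patch 13/13 in this series), every host and service certificate request on an upgraded server is refused until an administrator recreates hosts_services_caIPAserviceCert by hand. Either ship the default rule in the update file too (as `default:` entries, so a deliberate deletion isn't undone on the next upgrade) or call the manual step out in the release notes. Also please confirm that the new `self.step("creating default CA ACL rule", self.add_caacl)` is not indented under the `if hbac_allow:` guard just above it; the default CA ACL should not depend on the install option that controls hbac_allow.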
From 2bd1b7146e5fa633a4f2ae6e851b0756930e21be Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 26 May 2015 04:44:20 -0400 Subject: [PATCH 13/13] Enforce CA ACLs in cert-request command This commit adds CA ACL enforcement to the cert-request command and uses the pyhbac machinery. It is planned to implement ACL enforcement in Dogtag in a future release, and remove certificate issuance privileges and CA ACL enforcement responsibility from the framework. See https://fedorahosted.org/freeipa/ticket/5011 for more information. Part of: https://fedorahosted.org/freeipa/ticket/57 Part of: https://fedorahosted.org/freeipa/ticket/4559 --- ipalib/plugins/caacl.py | 73 +++++++++++++++++++++++++++++++++++++++++++++++++ ipalib/plugins/cert.py | 17 ++++++++++++ 2 files changed, 90 insertions(+) diff --git a/ipalib/plugins/caacl.py b/ipalib/plugins/caacl.py index f9bf7a3e411c110a0a103d9681fd9ee58fc38b72..6a0c38cf0b39ebcb70452333b2bc4bad9e54ccbf 100644 --- a/ipalib/plugins/caacl.py +++ b/ipalib/plugins/caacl.py @@ -2,6 +2,8 @@ # Copyright (C) 2015 FreeIPA Contributors see COPYING for license # +import pyhbac + from ipalib import api, errors, output from ipalib import Bool, Str from ipalib.plugable import Registry @@ -9,6 +11,7 @@ from ipalib.plugins.baseldap import ( LDAPObject, LDAPSearch, LDAPCreate, LDAPDelete, LDAPQuery, LDAPUpdate, LDAPRetrieve, LDAPAddMember, LDAPRemoveMember, global_output_params, pkey_to_value) +from ipalib.plugins.service import normalize_principal, split_any_principal from ipalib import _, ngettext from ipapython.dn import DN 
@@ -48,6 +51,76 @@ EXAMPLES: register = Registry() +def _acl_make_request(principal_type, principal, ca_ref, profile_id): + """Construct HBAC request for the given principal, CA and profile""" + req = pyhbac.HbacRequest() + req.targethost.name = ca_ref + req.service.name = profile_id + if principal_type == 'user': + req.user.name = principal + elif principal_type == 'host': + req.user.name = principal[:5] # strip 'host/' + elif principal_type == 'service': + req.user.name = normalize_principal(principal) + groups = [] + if principal_type == 'user': + user_obj = api.Command.user_show(principal)['result'] + groups = user_obj.get('memberof_group', []) + groups += user_obj.get('memberofindirect_group', []) + elif principal_type == 'host': + service, hostname, realm = split_any_principal(principal) + host_obj = api.Command.host_show(hostname)['result'] + groups = host_obj.get('memberof_hostgroup', []) + groups += host_obj.get('memberofindirect_hostgroup', []) + req.user.groups = sorted(set(groups)) + return req + + +def _acl_make_rule(principal_type, obj): + """Turn CA ACL object into HBAC rule. 
+ + ``principal_type`` + String in {'user', 'host', 'service'} + """ + rule = pyhbac.HbacRule(obj['cn'][0]) + rule.enabled = obj['ipaenabledflag'][0] + rule.srchosts.category = {pyhbac.HBAC_CATEGORY_ALL} + + # add CA(s) + if 'ipacaaclallcas' in obj and obj['ipacaaclallcas'][0] == 'TRUE': + rule.targethosts.category = {pyhbac.HBAC_CATEGORY_ALL} + else: + rule.targethosts.names = obj.get('ipacaaclcaref', []) + + # add profiles + if 'ipacaaclallprofiles' in obj and obj['ipacaaclallprofiles'][0] == 'TRUE': + rule.services.category = {pyhbac.HBAC_CATEGORY_ALL} + else: + attr = 'ipacaaclmembercertprofile_certprofile' + rule.services.names = obj.get(attr, []) + + # add principals and principal's groups + m = {'user': 'group', 'host': 'hostgroup', 'service': None} + all_principals_attr = 'ipacaaclall{}s'.format(principal_type) + if all_principals_attr in obj and obj[all_principals_attr][0] == 'TRUE': + rule.users.category = {pyhbac.HBAC_CATEGORY_ALL} + else: + principal_attr = 'member{}_{}'.format(principal_type, principal_type) + rule.users.names = obj.get(principal_attr, []) + if m[principal_type] is not None: + group_attr = 'member{}_{}'.format(principal_type, m[principal_type]) + rule.users.groups = obj.get(group_attr, []) + + return rule + + +def acl_evaluate(principal_type, principal, ca_ref, profile_id): + req = _acl_make_request(principal_type, principal, ca_ref, profile_id) + acls = api.Command.caacl_find()['result'] + rules = [_acl_make_rule(principal_type, obj) for obj in acls] + return req.evaluate(rules) == pyhbac.HBAC_EVAL_ALLOW + + @register() class caacl(LDAPObject): """ diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py index d122900175db41ba5af429fd47af6cac6533cb6f..1878e5ad5f80fa93e1a77b0a88711c1da0016681 100644 --- a/ipalib/plugins/cert.py +++ b/ipalib/plugins/cert.py 
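Review bot: `req.user.name = principal[:5]  # strip 'host/'` in _acl_make_request does the opposite of what the comment says: `[:5]` keeps the first five characters ('host/') and discards the hostname, so for a host principal the request's user name can never equal a memberhost_host value and only rules with allhosts=TRUE will ever allow a host. The `hostname` from `split_any_principal(principal)` is already computed a few lines below for the host_show lookup; move that call up and set `req.user.name = hostname`, which also drops the @REALM suffix that a corrected `[5:]` slice would still leave in. Two smaller points in the same hunk: the 'all' checks in _acl_make_rule compare `obj[...][0] == 'TRUE'`, but the objects come from api.Command.caacl_find(), whose output passes through the Bool params declared on the caacl object; if the framework has already turned those values into Python booleans, no 'all' category ever applies and the default hosts_services_caIPAserviceCert rule denies everything, so please cover the default rule with a test that goes through acl_evaluate. And acl_evaluate calls caacl_find() without sizelimit=0, so once there are more ACLs than the configured search size limit the decision is silently made on a truncated rule set; a missing allow rule means denial, so this shows up as unexplained refusals rather than as an overly permissive CA, but it is still wrong.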
@@ -33,6 +33,7 @@ from ipalib.plugins.virtual import * from ipalib.plugins.baseldap import pkey_to_value from ipalib.plugins.service import split_any_principal from ipalib.plugins.certprofile import validate_profile_id +import ipalib.plugins.caacl import base64 import traceback from ipalib.text import _ @@ -326,6 +327,22 @@ class cert_request(VirtualCommand): else: principal_type = SERVICE + principal_type_map = {USER: 'user', HOST: 'host', SERVICE: 'service'} + ca = '.' # top-level CA hardcoded until subca plugin implemented + if not ipalib.plugins.caacl.acl_evaluate( + principal_type_map[principal_type], + principal_string, ca, profile_id): + raise errors.ACIError(info=_( + "Principal '%(principal)s' " + "is not permitted to use CA '%(ca)s' " + "with profile '%(profile_id)s' for certificate issuance." + ) % dict( + principal=principal_string, + ca=ca or '.', + profile_id=profile_id + ) + ) + bind_principal = split_any_principal(getattr(context, 'principal')) bind_service, bind_name, bind_realm = bind_principal -- 2.1.0 From ofayans at redhat.com Thu Jun 4 07:57:47 2015 
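Review bot: `ca or '.'` in the ACIError message formatting is dead: `ca` is assigned the literal '.' a few lines above and nothing changes it, so either drop the `or '.'` or comment that it is there for when the sub-CA plugin makes `ca` variable. Raising errors.ACIError on a False result from acl_evaluate is the right fail-closed behaviour; it would be worth also logging the denied (principal, ca, profile_id) triple on the server side, because a CA ACL denial is exactly the event a CA administrator wants to find in the log when a host or service stops being able to obtain or renew a certificate.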
From: ofayans at redhat.com (Oleg Fayans)
Date: Thu, 04 Jun 2015 09:57:47 +0200
Subject: [Freeipa-devel] f22 issues with freeipa installation
Message-ID: <557004FB.30404@redhat.com>

Hi everyone,

The following problems arise when I try to install the latest FreeIPA code on a fresh f22 machine:

root at f22master:/home/ofayans/rpms]$ rpm -ihv *.rpm
error: Failed dependencies:
libunistring.so.0()(64bit) is needed by freeipa-server-4.1.99.201506031339GITa923284-0.fc21.x86_64
libpdb.so.0()(64bit) is needed by freeipa-server-trust-ad-4.1.99.201506031339GITa923284-0.fc21.x86_64
libpdb.so.0(PDB_0)(64bit) is needed by freeipa-server-trust-ad-4.1.99.201506031339GITa923284-0.fc21.x86_64

root at f22master:/home/ofayans/rpms]$ dnf install libunistring
Last metadata expiration check performed 0:10:50 ago on Thu Jun 4 03:17:10 2015.
Package libunistring-0.9.4-1.fc22.x86_64 is already installed, skipping.
Dependencies resolved.
Nothing to do.
Complete!

root at f22master:/home/ofayans/rpms]$ rpm -ql libunistring
/usr/lib64/libunistring.so.2
/usr/lib64/libunistring.so.2.0.0
/usr/share/doc/libunistring
/usr/share/doc/libunistring/AUTHORS
/usr/share/doc/libunistring/NEWS
/usr/share/doc/libunistring/README

So, here are essentially 2 problems:

1. The system has a /usr/lib64/libunistring.so.2, while freeipa-server searches for /usr/lib64/libunistring.so.0

2. freeipa-server-trust-ad searches for a library (libpdb.so.0) that used to be provided by samba4-common long ago: http://rpm.pbone.net/index.php3/stat/4/idpl/24227742/dir/fedora_17/com/samba4-common-4.0.0-47alpha18.fc17.x86_64.rpm.html
But now samba-common does not provide it at all:

root at f22master:/home/ofayans/rpms]$ rpm -ql samba-common
/etc/logrotate.d
/etc/logrotate.d/samba
/etc/samba
/etc/samba/lmhosts
/etc/samba/smb.conf
/etc/sysconfig/samba
/usr/lib/tmpfiles.d/samba.conf
/usr/share/samba/codepages
/usr/share/samba/codepages/lowcase.dat
/usr/share/samba/codepages/upcase.dat
/usr/share/samba/codepages/valid.dat
/var/lib/samba/private
/var/log/samba
/var/log/samba/old
/var/run/samba
/var/run/winbindd

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

From jcholast at redhat.com Thu Jun 4 08:28:13 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 04 Jun 2015 10:28:13 +0200
Subject: [Freeipa-devel] [PATCHES 0001-0013 v7] Profiles and CA ACLs
In-Reply-To: <20150604065944.GB23523@dhcp-40-8.bne.redhat.com>
References: <55670D4D.9080302@redhat.com> <20150529041754.GE23523@dhcp-40-8.bne.redhat.com> <55682FB0.1030807@redhat.com> <55684792.3070006@redhat.com> <20150601071058.GI23523@dhcp-40-8.bne.redhat.com> <20150601072228.GJ23523@dhcp-40-8.bne.redhat.com> <20150602121127.GU23523@dhcp-40-8.bne.redhat.com> <556DDBD6.70007@redhat.com> <20150603141717.GZ23523@dhcp-40-8.bne.redhat.com> <556F3009.1090503@redhat.com> <20150604065944.GB23523@dhcp-40-8.bne.redhat.com>
Message-ID: <55700C1D.8080208@redhat.com>

On 4.6.2015 at 08:59 Fraser Tweedale wrote:
> On Wed, Jun 03, 2015 at 06:49:13PM +0200, Martin Basti wrote:
>> On 03/06/15 16:17, Fraser Tweedale wrote:
>>> On Tue, Jun 02, 2015 at 06:37:42PM +0200, Martin Basti wrote:
>>>> On 02/06/15 14:11, Fraser Tweedale wrote:
>>>>> On Mon, Jun 01, 2015 at 05:22:28PM +1000, Fraser Tweedale wrote:
>>>>>> On Mon, Jun 01, 2015 at 05:10:58PM +1000, Fraser Tweedale wrote:
>>>>>>> On Fri, May 29, 2015 at 01:03:46PM +0200, Martin Kosek wrote:
>>>>>>>> On 05/29/2015 11:21 AM, Martin Basti wrote:
>>>>>>>>> On 29/05/15 06:17, Fraser Tweedale wrote:
>>>>>>>>>> On Thu, May 28, 2015 at 02:42:53PM +0200, Martin Basti wrote:
>>>>>>>>>>> On 28/05/15 11:48, Martin Basti wrote:
>>>>>>>>>>>> On 27/05/15 16:04, Fraser Tweedale wrote:
>>>>>>>>>>>>> Hello all,
>>>>>>>>>>>>>
>>>>>>>>>>>>> Fresh certificate management patchset; Changelog:
>>>>>>>>>>>>>
>>>>>>>>>>>>> - Now depends on patch freeipa-ftweedal-0014 for correct
>>>>>>>>>>>>> cert-request behaviour with host and service principals.
>>>>>>>>>>>>>
>>>>>>>>>>>>> - Updated Dogtag dependency to 10.2.4-1. Should be in
>>>>>>>>>>>>> f22 soon, but for f22 right now or for f21, please grab from my
>>>>>>>>>>>>> copr: https://copr.fedoraproject.org/coprs/ftweedal/freeipa/
>>>>>>>>>>>>>
>>>>>>>>>>>>> Martin^1 could you please add to the quasi-official freeipa
>>>>>>>>>>>>> copr? SRPM lives at
>>>>>>>>>>>>> https://frase.id.au/pki-core-10.2.4-1.fc21.src.rpm.
>>>>>>>>>>>>>
>>>>>>>>>>>>> - cert-request now verifies that for user principals, CSR CN
>>>>>>>>>>>>> matches uid and, DN emailAddress and SAN rfc822Name match user's
>>>>>>>>>>>>> email address, if either of those is present.
>>>>>>>>>>>>>
>>>>>>>>>>>>> - Fixed one or two other sneaky little bugs.
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Wed, May 27, 2015 at 01:59:30AM +1000, Fraser Tweedale wrote:
>>>>>>>>>>>>>> Hi all,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Please find attached the latest certificate management
>>>>>>>>>>>>>> patchset, which introduces the `caacl' plugin and various fixes
>>>>>>>>>>>>>> and improvements to earlier patches.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> One important change to earlier patches is reverting the name
>>>>>>>>>>>>>> of the default profile to 'caIPAserviceCert' and using the
>>>>>>>>>>>>>> existing instance of this profile on upgrade (but not install)
>>>>>>>>>>>>>> in case it has been modified.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Other notes:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> - Still have changes in ipa-server-install (fewer lines now,
>>>>>>>>>>>>>> though)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> - Still have the ugly import hack. It is not a high priority
>>>>>>>>>>>>>> for me, i.e. I think it should wait until after alpha
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> - Still need to update 'service' and 'host' plugins to support
>>>>>>>>>>>>>> multiple certificates. (The userCertificate attribute schema
>>>>>>>>>>>>>> itself is multi-valued, so there are no schema issues here)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> - The TODOs in [1]; mostly certprofile CLI conveniences and
>>>>>>>>>>>>>> supporting multiple profiles for hosts and services (which
>>>>>>>>>>>>>> requires changes to framework only, not schema). [1]:
>>>>>>>>>>>>>> http://idm.etherpad.corp.redhat.com/rhel72-cert-mgmt-progress
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Happy reviewing! I am pleased with the initial cut of the
>>>>>>>>>>>>>> caacl plugin but I'm sure you will find some things to be fixed
>>>>>>>>>>>>>> :)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Cheers, Fraser
>>>>>>>>>>>> [root at vm-093 ~]# ipa-replica-prepare vm-094.example.com
>>>>>>>>>>>> --ip-address 10.34.78.94 Directory Manager (existing master)
>>>>>>>>>>>> password:
>>>>>>>>>>>>
>>>>>>>>>>>> Preparing replica for vm-094.example.com from vm-093.example.com
>>>>>>>>>>>> Creating SSL certificate for the Directory Server not well-formed
>>>>>>>>>>>> (invalid token): line 2, column 14
>>>>>>>>>>>>
>>>>>>>>>>>> I cannot create replica file. It works on the upgraded server,
>>>>>>>>>>>> but it doesn't work on the newly installed server. I'm not sure
>>>>>>>>>>>> if this causes your patches which modify the ca-installer, or
>>>>>>>>>>>> the newer version of dogtag.
>>>>>>>>>>>>
>>>>>>>>>>>> Or if there were any other changes in master, I will continue to
>>>>>>>>>>>> investigate with new RPM from master branch.
>>>>>>>>>>>>
>>>>>>>>>>>> Martin^2
>>>>>>>>>>>>
>>>>>>>>>>> ipa-replica-prepare works for: * master branch * master branch +
>>>>>>>>>>> pki-ca 10.2.4-1
>>>>>>>>>>>
>>>>>>>>>>> So something in your patches is breaking it
>>>>>>>>>>>
>>>>>>>>>>> Martin^2
>>>>>>>>>>>
>>>>>>>>>> Martin, master + my patches with pki 10.2.4-1 is working for me on
>>>>>>>>>> f21 and f22. Can you provide ipa-replica-prepare --debug output and
>>>>>>>>>> Dogtag debug log?
( /var/log/pki/pki-tomcat/ca/debug ) >>>>>>>>>> >>>>>>>>>> Thanks, >>>>>>>>>> Fraser >>>>>>>>> I can not reproduce it today. And I already recycled the VMs from yesterday. :-( >>>>>>>>> >>>>>>>> In that case I would suggest ACKing&pushing the patch and fixing the bug if >>>>>>>> it comes again. The tree may now be a bit unstable, given the number of >>>>>>>> patches going in. >>>>>>>> >>>>>>>> My main motivation here is to unblock Fraser. >>>>>>>> >>>>>>>> Thanks, >>>>>>>> Martin >>>>>>> Rebased patchset attached; no other changes. >>>>>> Heads up: I just discovered I have introduced a bug with >>>>>> ipa-replica-install, when it is spawning the CA instance. I think >>>>>> replication it only causes issues with ``--setup-ca``. >>>>>> >>>>>> I will try and sort it out tomorrow or later tonight (I have to head >>>>>> out for a few hours now, though); and I'm not suggesting it should >>>>>> block the push but it's something to be aware of. >>>>>> >>>>>> Cheers, >>>>>> Fraser >>>>>> >>>>> New patchset attached ; haven't gotten to the bottom of the >>>>> ipa-replica-install issue mentioned above, but it fixes an upgrade >>>>> bug. >>>>> >>>>> The change is: >>>>> >>>>> diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py >>>>> index c288282..c5f4d37 100644 >>>>> --- a/ipaserver/install/server/upgrade.py >>>>> +++ b/ipaserver/install/server/upgrade.py >>>>> @@ -316,7 +316,7 @@ def ca_enable_ldap_profile_subsystem(ca): >>>>> caconfig.CS_CFG_PATH, >>>>> directive, >>>>> separator='=') >>>>> - if value == 'ProfileSubsystem': >>>>> + if value == 'com.netscape.cmscore.profile.ProfileSubsystem': >>>>> needs_update = True >>>>> break >>>>> except OSError, e: 
>>>>> @@ -328,7 +328,7 @@ def ca_enable_ldap_profile_subsystem(ca): >>>>> installutils.set_directive( >>>>> caconfig.CS_CFG_PATH, >>>>> directive, >>>>> - 'LDAPProfileSubsystem', >>>>> + 'com.netscape.cmscore.profile.LDAPProfileSubsystem', >>>>> quotes=False, >>>>> separator='=') >>>>> >>>>> Cheers, >>>>> Fraser >>>>> >>>>> >>>> Thank you, >>>> >>>> 1) >>>> ipa-getcert request (getcert -c IPA) >>>> doesnt work, >>>> >>>> Request ID '20150602145845': >>>> status: CA_REJECTED >>>> ca-error: Server at https://vm-137.example.com/ipa/xml denied our >>>> request, giving up: 3007 (RPC failed at server. 'profile_id' is required). >>>> >>>> 2) >>>> Error from rpm install >>>> Unexpected error - see /var/log/ipaupgrade.log for details: >>>> SkipPluginModule: dogtag not selected as RA plugin >>>> >>>> Just for record as known issue, this will be fixed later in a new patch. >>>> >>>> 3) >>>> + Str('profile_id', validate_profile_id, >>>> + label=_("Profile ID"), >>>> + doc=_("Certificate Profile to use"), >>>> + ) >>>> Please mark this param as optional. ('profile_id?') >>>> This will fix issue 1, but 1 will need a option to specify profile_id >>>> >>>> Also move API related change from patch 9 to patch 11 + increment VERSION >>>> >>>> 4) >>>> * Maybe I do everything wrong :) >>>> >>>> I'm not able to create certificate stored in FILE, via ipa-getcert request. >>>> I'm getting error: >>>> status: CA_UNREACHABLE >>>> ca-error: Server at https://vm-137.example.com/ipa/xml failed request, >>>> will retry: 4001 (RPC failed at server. vm-137.example.com at example.com: host >>>> not found). >>>> >>>> or error: >>>> Request ID '20150602154115': >>>> status: CA_REJECTED >>>> ca-error: Server at https://vm-137.example.com/ipa/xml denied our >>>> request, giving up: 2100 (RPC failed at server. Insufficient access: not >>>> allowed to perform this command). 
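Review bot: the @@ -316 hunk of upgrade.py now compares `value` only against the fully-qualified `com.netscape.cmscore.profile.ProfileSubsystem`, so a CS.cfg that still carries the short `ProfileSubsystem` spelling the old code looked for would no longer be flagged for update; accepting either form (`value in ('ProfileSubsystem', 'com.netscape.cmscore.profile.ProfileSubsystem')`) keeps the upgrade step idempotent across both. Minor: the context line `except OSError, e:` uses the Python 2 comma form; `except OSError as e:` is accepted by Python 2.6+ and 3 alike.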
>>>> (I'm root and kinited as admin) >>>> >>>> Maybe additional ACI is required for cert_request as it is VirtualCommand >>>> >>>> >>>> -- >>>> Martin Basti >>>> >>> Thanks for report. Attached patchset should fix the certmonger >>> issues, and also makes cert-request --profile-id argument optional. >>> >>> The changes were fixup'd into the appropriate patches but the >>> combined diff follows. (Note that the API.txt and VERSION changes >>> you recommended were executed but are missing from this diff.) >>> >>> Thanks, >>> Fraser >>> >>> diff --git a/ipalib/plugins/caacl.py b/ipalib/plugins/caacl.py >>> index c09df86..a9dde86 100644 >>> --- a/ipalib/plugins/caacl.py >>> +++ b/ipalib/plugins/caacl.py >>> @@ -12,7 +12,7 @@ from ipalib.plugins.baseldap import ( >>> LDAPUpdate, LDAPRetrieve, LDAPAddMember, LDAPRemoveMember, >>> pkey_to_value) >>> from ipalib.plugins.certprofile import validate_profile_id >>> -from ipalib.plugins.service import normalize_principal >>> +from ipalib.plugins.service import normalize_principal, split_any_principal >>> from ipalib import _, ngettext >>> from ipapython.dn import DN >>> @@ -69,7 +69,7 @@ def _acl_make_request(principal_type, principal, ca_ref, profile_id): >>> groups = user_obj.get('memberof_group', []) >>> groups += user_obj.get('memberofindirect_group', []) >>> elif principal_type == 'host': >>> - hostname = principal[5:] >>> + service, hostname, realm = split_any_principal(principal) >>> host_obj = api.Command.host_show(hostname)['result'] >>> groups = host_obj.get('memberof_hostgroup', []) >>> groups += host_obj.get('memberofindirect_hostgroup', []) >>> diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py >>> index 70ae610..1878e5a 100644 >>> --- a/ipalib/plugins/cert.py >>> +++ b/ipalib/plugins/cert.py 
>>> @@ -247,7 +247,7 @@ class cert_request(VirtualCommand): >>> default=False, >>> autofill=True >>> ), >>> - Str('profile_id', validate_profile_id, >>> + Str('profile_id?', validate_profile_id, >>> label=_("Profile ID"), >>> doc=_("Certificate Profile to use"), >>> ) >>> @@ -346,7 +346,14 @@ class cert_request(VirtualCommand): >>> bind_principal = split_any_principal(getattr(context, 'principal')) >>> bind_service, bind_name, bind_realm = bind_principal >>> - if bind_principal != principal: >>> + if bind_service is None: >>> + bind_principal_type = USER >>> + elif bind_service == 'host': >>> + bind_principal_type = HOST >>> + else: >>> + bind_principal_type = SERVICE >>> + >>> + if bind_principal != principal and bind_principal_type != HOST: >>> # Can the bound principal request certs for another principal? >>> self.check_access() >>> @@ -359,7 +366,7 @@ class cert_request(VirtualCommand): >>> error=_("Failure decoding Certificate Signing Request: %s") % e) >>> # host principals may bypass allowed ext check >>> - if bind_service != 'host': >>> + if bind_principal_type != HOST: >>> for ext in extensions: >>> operation = self._allowed_extensions.get(ext) >>> if operation: >>> diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py >>> index 659751e..53085f7 100644 >>> --- a/ipapython/dogtag.py >>> +++ b/ipapython/dogtag.py 
>>> @@ -47,7 +47,7 @@ INCLUDED_PROFILES = { >>> (u'caIPAserviceCert', u'Standard profile for network services', True), >>> } >>> -DEFAULT_PROFILE = 'caIPAserviceCert' >>> +DEFAULT_PROFILE = u'caIPAserviceCert' >>> class Dogtag10Constants(object): >>> DOGTAG_VERSION = 10 >> >> Should the user certificates behave in the same way as host and service >> certificates, i.e should be revoked after user-del or user-mod operation?? >> If yes it would be an additional patch. >> >> Please move API.txt fragment from patch 9 to patch 11 >> With this change ACK for patches 1-11, to unblock testing. For patches 12-13 >> I need more time. >> >> -- >> Martin Basti >> > Updated patches attached. Only your requested change for 1-11. For > 12-13 (caacl plugin) it was updated to LDAPAddMember and > LDAPRemoveMember functionality for adding profiles to ACL - this has > the desirable effect of making sure the profile actually exists :) Pushed 1 to 11 to master: a931d3edc00f7578223df2afeebdf2da3dd85a68 -- Jan Cholasta From ofayans at redhat.com Thu Jun 4 08:29:02 2015 
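Review bot: in the cert.py @@ -346 hunk, `if bind_principal != principal and bind_principal_type != HOST:` means a bound host principal never reaches `self.check_access()` when it requests a certificate for some other principal, and the following @@ -359 hunk additionally exempts hosts from the allowed-extension check. Nothing in the visible hunks replaces the dropped access check for hosts, so please confirm that CA ACL evaluation (the `_acl_make_request` path touched in caacl.py) and the host's management relationship to the target principal are enforced before issuance; otherwise any enrolled host could request certificates for arbitrary principals. A short comment at the `bind_principal_type != HOST` condition explaining why hosts are exempt would also help the next reader.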
From: ofayans at redhat.com (Oleg Fayans)
Date: Thu, 04 Jun 2015 10:29:02 +0200
Subject: [Freeipa-devel] f22 issues with freeipa installation
In-Reply-To: <557004FB.30404@redhat.com>
References: <557004FB.30404@redhat.com>
Message-ID: <55700C4E.4040502@redhat.com>

Resolved, the packages were built on f21. My bad.

On 06/04/2015 09:57 AM, Oleg Fayans wrote:
> Hi everyone,
>
> The following problems arise when I try to install the latest FreeIPA
> code on a fresh f22 machine:
>
> root at f22master:/home/ofayans/rpms]$ rpm -ihv *.rpm
> error: Failed dependencies:
> libunistring.so.0()(64bit) is needed by
> freeipa-server-4.1.99.201506031339GITa923284-0.fc21.x86_64
> libpdb.so.0()(64bit) is needed by
> freeipa-server-trust-ad-4.1.99.201506031339GITa923284-0.fc21.x86_64
> libpdb.so.0(PDB_0)(64bit) is needed by
> freeipa-server-trust-ad-4.1.99.201506031339GITa923284-0.fc21.x86_64
> root at f22master:/home/ofayans/rpms]$ dnf install libunistring
> Last metadata expiration check performed 0:10:50 ago on Thu Jun 4
> 03:17:10 2015.
> Package libunistring-0.9.4-1.fc22.x86_64 is already installed, skipping.
> Dependencies resolved.
> Nothing to do.
> Complete!
> root at f22master:/home/ofayans/rpms]$ rpm -ql libunistring
> /usr/lib64/libunistring.so.2
> /usr/lib64/libunistring.so.2.0.0
> /usr/share/doc/libunistring
> /usr/share/doc/libunistring/AUTHORS
> /usr/share/doc/libunistring/NEWS
> /usr/share/doc/libunistring/README
>
> So, here are essentially 2 problems:
> 1. The system has a /usr/lib64/libunistring.so.2, while freeipa-server
> searches for /usr/lib64/libunistring.so.0
> 2. freeipa-server-trust-ad searches for a library (libpdb.so.0) that
> used to be provided by samba4-common long ago:
> http://rpm.pbone.net/index.php3/stat/4/idpl/24227742/dir/fedora_17/com/samba4-common-4.0.0-47alpha18.fc17.x86_64.rpm.html
>
> But now samba-common does not provide it at all:
> root at f22master:/home/ofayans/rpms]$ rpm -ql samba-common
> /etc/logrotate.d
> /etc/logrotate.d/samba
> /etc/samba
> /etc/samba/lmhosts
> /etc/samba/smb.conf
> /etc/sysconfig/samba
> /usr/lib/tmpfiles.d/samba.conf
> /usr/share/samba/codepages
> /usr/share/samba/codepages/lowcase.dat
> /usr/share/samba/codepages/upcase.dat
> /usr/share/samba/codepages/valid.dat
> /var/lib/samba/private
> /var/log/samba
> /var/log/samba/old
> /var/run/samba
> /var/run/winbindd
>
> --
> Oleg Fayans
> Quality Engineer
> FreeIPA team
> RedHat.

From pvoborni at redhat.com Thu Jun 4 09:44:20 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 04 Jun 2015 11:44:20 +0200
Subject: [Freeipa-devel] [PATCH 0008-0009] use 1 as domain level to activate plugin, fix a crash when removing a replica
In-Reply-To: <20150602105905.GS23523@dhcp-40-8.bne.redhat.com>
References: <556D63A7.4090307@redhat.com> <20150602105905.GS23523@dhcp-40-8.bne.redhat.com>
Message-ID: <55701DF4.2020703@redhat.com>

On 06/02/2015 12:59 PM, Fraser Tweedale wrote:
> On Tue, Jun 02, 2015 at 10:04:55AM +0200, Ludwig Krispenz wrote:
>> Hi,
>>
>> with the first patch the topo plugin no longer uses plugin version to
>> compare to set domainlevel, always gets activated if dom level >= 1
>> the second patch fixes a crash at replica removal
>>
>> Ludwig
>
> These patches fix the issue for me.
>
> I don't know what is (supposed to be) happening in the code. Is my
> testing enough for the ACK?

The code looks good to me.

pushed to master:
* 4e05ffa22c4880e393f4770fe64035fa93cb5fd1 plugin uses 1 as minimum domain level to become active no calculation based on plugin version
* f87324df546055df1e7d038e63c04bb0d2250f55 crash when removing a replica

>
> Cheers,
> Fraser

--
Petr Vobornik

From pvoborni at redhat.com Thu Jun 4 10:09:02 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 04 Jun 2015 12:09:02 +0200
Subject: [Freeipa-devel] [PATCH] 857 topology: ipa management commands
In-Reply-To: <556F1D02.6050708@redhat.com>
References: <556448B3.9050105@redhat.com> <556475AF.7060301@redhat.com> <556EC036.2070700@redhat.com> <556EC1EA.4010701@redhat.com> <556EE62C.8010109@redhat.com> <556EF52A.7090907@redhat.com> <556F06E1.2040400@redhat.com> <556F1D02.6050708@redhat.com>
Message-ID: <557023BE.5040407@redhat.com>

On 06/03/2015 05:28 PM, Martin Babinsky wrote:
> On 06/03/2015 03:53 PM, Petr Vobornik wrote:
>> On 06/03/2015 02:38 PM, Martin Babinsky wrote:
>>> On 06/03/2015 01:34 PM, Petr Vobornik wrote:
>>>> On 06/03/2015 10:59 AM, Martin Babinsky wrote:
>>>>> On 06/03/2015 10:52 AM, Martin Babinsky wrote:
>>>>>> On 05/26/2015 03:31 PM, Petr Vobornik wrote:
>>>>>>> On 05/26/2015 12:19 PM, Petr Vobornik wrote:
>>>>>>>> this patch is based on top of my patch #856 and tbabej's 325-9.
>>>>>>>>
>>>>>>>> Obsoletes Ludwig's 0006.
>>>>>>>>
>>>>>>>> ipalib part of topology management
>>>>>>>>
>>>>>>>> Design:
>>>>>>>> - http://www.freeipa.org/page/V4/Manage_replication_topology
>>>>>>>>
>>>>>>>> https://fedorahosted.org/freeipa/ticket/4302
>>>>>>>> snip
>>
> ACK
>

Pushed to master: b189e66298816c3414e027c914b5e62f30512330

--
Petr Vobornik

From dkupka at redhat.com Thu Jun 4 10:20:46 2015
From: dkupka at redhat.com (David Kupka)
Date: Thu, 04 Jun 2015 12:20:46 +0200
Subject: [Freeipa-devel] [PATCH 0050] Allow to skip lint when building FreeIPA.
Message-ID: <5570267E.1040402@redhat.com>

--
David Kupka
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-dkupka-0050-Allow-to-skip-lint-when-building-FreeIPA.patch
Type: text/x-patch
Size: 1188 bytes
Desc: not available
URL:

From abokovoy at redhat.com Thu Jun 4 10:43:11 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 4 Jun 2015 13:43:11 +0300
Subject: [Freeipa-devel] [PATCH 0050] Allow to skip lint when building FreeIPA.
In-Reply-To: <5570267E.1040402@redhat.com>
References: <5570267E.1040402@redhat.com>
Message-ID: <20150604104311.GC10162@redhat.com>

On Thu, 04 Jun 2015, David Kupka wrote:
>
>--
>David Kupka
>From f68607e9a3db4cd8893c465d804615aac34afc29 Mon Sep 17 00:00:00 2001
>From: David Kupka
>Date: Thu, 4 Jun 2015 12:10:37 +0200
>Subject: [PATCH] Allow to skip lint when building FreeIPA.
>
>Target 'lint' does nothing when SKIP_LINT is set to anything else than "no".
>By default the variable is unset and lint is executed as always was.
Is there any reason to support this?

I personally don't like to be able to skip lint as Python gives you too
many ways of shooting yourself.

--
/ Alexander Bokovoy

From pspacek at redhat.com Thu Jun 4 10:58:00 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 04 Jun 2015 12:58:00 +0200
Subject: [Freeipa-devel] [PATCH 0050] Allow to skip lint when building FreeIPA.
In-Reply-To: <20150604104311.GC10162@redhat.com>
References: <5570267E.1040402@redhat.com> <20150604104311.GC10162@redhat.com>
Message-ID: <55702F38.8030801@redhat.com>

On 4.6.2015 12:43, Alexander Bokovoy wrote:
> On Thu, 04 Jun 2015, David Kupka wrote:
>>
>> --
>> David Kupka
>
>> From f68607e9a3db4cd8893c465d804615aac34afc29 Mon Sep 17 00:00:00 2001
>> From: David Kupka
>> Date: Thu, 4 Jun 2015 12:10:37 +0200
>> Subject: [PATCH] Allow to skip lint when building FreeIPA.
>>
>> Target 'lint' does nothing when SKIP_LINT is set to anything else than "no".
>> By default the variable is unset and lint is executed as always was.
> Is there any reason to support this?
>
> I personally don't like to be able to skip lint as Python gives you too
> many ways of shooting yourself.

Lint is costly and you might not necessarily need to run it all the time,
especially in our resource-constrained VMs.

The original behavior stays the same as long as you do not define the
variable so I would personally not spend more time on this.

--
Petr^2 Spacek

From mbasti at redhat.com Thu Jun 4 10:59:08 2015
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 04 Jun 2015 12:59:08 +0200
Subject: [Freeipa-devel] [PATCH 0050] Allow to skip lint when building FreeIPA.
In-Reply-To: <20150604104311.GC10162@redhat.com>
References: <5570267E.1040402@redhat.com> <20150604104311.GC10162@redhat.com>
Message-ID: <55702F7C.9030808@redhat.com>

On 04/06/15 12:43, Alexander Bokovoy wrote:
> On Thu, 04 Jun 2015, David Kupka wrote:
>>
>> --
>> David Kupka
>
>> From f68607e9a3db4cd8893c465d804615aac34afc29 Mon Sep 17 00:00:00 2001
>> From: David Kupka
>> Date: Thu, 4 Jun 2015 12:10:37 +0200
>> Subject: [PATCH] Allow to skip lint when building FreeIPA.
>>
>> Target 'lint' does nothing when SKIP_LINT is set to anything else
>> than "no".
>> By default the variable is unset and lint is executed as always was.
> Is there any reason to support this?
>
> I personally don't like to be able to skip lint as Python gives you too
> many ways of shooting yourself.
>
I always wanted this, lint takes a lot of time and memory. I sometimes
need a fast build. (Now I just remove lint from the Makefile.)

If I need I can test it using the ./make-lint.

And this patch keeps the default behavior the same as was before.

--
Martin Basti

From dkupka at redhat.com Thu Jun 4 11:00:36 2015
From: dkupka at redhat.com (David Kupka)
Date: Thu, 04 Jun 2015 13:00:36 +0200
Subject: [Freeipa-devel] [PATCH 0050] Allow to skip lint when building FreeIPA.
In-Reply-To: <20150604104311.GC10162@redhat.com>
References: <5570267E.1040402@redhat.com> <20150604104311.GC10162@redhat.com>
Message-ID: <55702FD4.1050607@redhat.com>

On 06/04/2015 12:43 PM, Alexander Bokovoy wrote:
> On Thu, 04 Jun 2015, David Kupka wrote:
>>
>> --
>> David Kupka
>
>> From f68607e9a3db4cd8893c465d804615aac34afc29 Mon Sep 17 00:00:00 2001
>> From: David Kupka
>> Date: Thu, 4 Jun 2015 12:10:37 +0200
>> Subject: [PATCH] Allow to skip lint when building FreeIPA.
>>
>> Target 'lint' does nothing when SKIP_LINT is set to anything else than
>> "no".
>> By default the variable is unset and lint is executed as always was.
> Is there any reason to support this?
>
> I personally don't like to be able to skip lint as Python gives you too
> many ways of shooting yourself.
>
On the other hand, running lint every time even when building unchanged
master is a waste of (a lot of) time. I really prefer running ./make-lint
(or make lint) to check the code and 'make rpms' to build packages.

Moreover, the default behavior stays the same, lint is always run.

--
David Kupka

From lslebodn at redhat.com Thu Jun 4 11:06:11 2015
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Thu, 4 Jun 2015 13:06:11 +0200
Subject: [Freeipa-devel] [PATCH 0050] Allow to skip lint when building FreeIPA.
In-Reply-To: <5570267E.1040402@redhat.com>
References: <5570267E.1040402@redhat.com>
Message-ID: <20150604110611.GC2793@mail.corp.redhat.com>

On (04/06/15 12:20), David Kupka wrote:
>
>--
>David Kupka
>From f68607e9a3db4cd8893c465d804615aac34afc29 Mon Sep 17 00:00:00 2001
>From: David Kupka >Date: Thu, 4 Jun 2015 12:10:37 +0200 >Subject: [PATCH] Allow to skip lint when building FreeIPA. > >Target 'lint' does nothing when SKIP_LINT is set to anything else than "no". >By default the variable is unset and lint is executed as always was. >--- > Makefile | 9 ++++++--- > 1 file changed, 6 insertions(+), 3 deletions(-) > >diff --git a/Makefile b/Makefile >index abf58382960099a54b8920dd0e741b9fda17682f..4ad1d69dfc330c3a48a13a0b525e1f533183236d 100644 >--- a/Makefile >+++ b/Makefile >@@ -53,6 +53,8 @@ ifneq ($(DEVELOPER_MODE),0) > LINT_OPTIONS=--no-fail > endif > >+SKIP_LINT ?= no >+ > PYTHON ?= $(shell rpm -E %__python || echo /usr/bin/python2) > > CFLAGS := -g -O2 -Wall -Wextra -Wformat-security -Wno-unused-parameter -Wno-sign-compare -Wno-missing-field-initializers $(CFLAGS) >@@ -116,9 +118,10 @@ client-dirs: > fi > > lint: bootstrap-autogen >- ./make-lint $(LINT_OPTIONS) >- $(MAKE) -C install/po validate-src-strings >- >+ if [ "$(SKIP_LINT)" == "no" ]; then \ ^^ It's better to use just one character. man test says: STRING1 = STRING2 the strings are equal STRING1 != STRING2 the strings are not equal LS From abokovoy at redhat.com Thu Jun 4 11:10:42 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 4 Jun 2015 14:10:42 +0300 Subject: [Freeipa-devel] [PATCH 0050] Allow to skip lint when building FreeIPA. In-Reply-To: <55702FD4.1050607@redhat.com> References: <5570267E.1040402@redhat.com> <20150604104311.GC10162@redhat.com> <55702FD4.1050607@redhat.com> Message-ID: <20150604111042.GD10162@redhat.com> On Thu, 04 Jun 2015, David Kupka wrote: >On 06/04/2015 12:43 PM, Alexander Bokovoy wrote: >>On Thu, 04 Jun 2015, David Kupka wrote: >>> >>>-- >>>David Kupka >> >>>From f68607e9a3db4cd8893c465d804615aac34afc29 Mon Sep 17 00:00:00 2001 
>>>From: David Kupka
>>>Date: Thu, 4 Jun 2015 12:10:37 +0200
>>>Subject: [PATCH] Allow to skip lint when building FreeIPA.
>>>
>>>Target 'lint' does nothing when SKIP_LINT is set to anything else than
>>>"no".
>>>By default the variable is unset and lint is executed as always was.
>>Is there any reason to support this?
>>
>>I personally don't like to be able to skip lint as Python gives you too
>>many ways of shooting yourself.
>>
>
>On the other hand, running lint every time even when building
>unchanged master is waste of (a lot of) time. I really prefer running
>./make-lint (or make lint) to check the code and 'make rpms' to build
>packages.
>
>Moreover, the default behavior stays the same, lint is always run.
So you can add a hook to use a git committish and check the change
between them so that only when there is indeed a change, you run lint.
And for cases when you are running off a tarball, simply disable lint --
automatically.

What in reality will happen if we allow setting SKIP_LINT permanently in
the environment, we'd be less careful on the code checks. Sorry to be
harsh here but that is how it goes. If lint is costly to run, optimize
to run it only when it really is needed but not disable it voluntarily.

--
/ Alexander Bokovoy

From pvoborni at redhat.com Thu Jun 4 11:23:43 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 04 Jun 2015 13:23:43 +0200
Subject: [Freeipa-devel] [PATCH] 822 webui: topology plugin
In-Reply-To: <556F3099.8040300@redhat.com>
References: <55365A0B.1030305@redhat.com> <5555DD7F.10000@redhat.com> <55644980.9020209@redhat.com> <5565D148.4080807@redhat.com> <556F3099.8040300@redhat.com>
Message-ID: <5570353F.2080901@redhat.com>

On 06/03/2015 06:51 PM, Martin Babinsky wrote:
> On 05/27/2015 04:14 PM, Petr Vobornik wrote:
>> On 05/26/2015 12:22 PM, Petr Vobornik wrote:
>>> On 05/15/2015 01:50 PM, Petr Vobornik wrote:
>>>> On 04/21/2015 04:09 PM, Petr Vobornik wrote:
>>>>> First iteration of Topology plugin Web UI.
>>>>>
>>>>> It reflects current state of topology plugin python part which is
>>>>> implemented in "[PATCH] manage replication topology in the shared
>>>>> tree" and my wip patch.
>>>>>
>>>>> I expect that the server API part will change a bit therefore this
>>>>> will as well.
>>>>>
>>>>> Graphical visualization/management (ticket 4286) will be
>>>>> implemented in separate patch.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/4997
>>>>> http://www.freeipa.org/page/V4/Manage_replication_topology
>>>>>
>>>>
>>>> New version attached. It requires stage user web ui patches in order to
>>>> apply (I expect that user life cycle backend will be pushed sooner than
>>>> topology)
>>>>
>>>> Changes:
>>>> - Left host and Right host fields are now host comboboxes
>>>> - Connectivity are radio buttons with "both, left-right, right-left,
>>>> none" options
>>>> - segment name is not a required field in its adder dialog
>>>>
>>>> IMHO "Attributes to strip", "Attributes to replicate", "Attributes for
>>>> total update", "Initialize replica", "Session timeout", "Replication
>>>> agreement enabled" fields should not be just free-form textboxes, but
>>>> they should be more specific, e.g. a checkbox for "Replication agreement
>>>> enabled" or integer for "Session timeout", but that should be modified
>>>> first in the backend python plugin.
>>>>
>>>
>>> New patchset which replaces the old patch.
>>>
>>> Contains Web UI for:
>>> - topologysuffix, topologysegment, domain level, server
>>>
>>> Backend is implemented in patches:
>>> - tbabej 325-9
>>> - pvoborni 855, 857
>>>
>>
>> New update which reflects the API change in domain level patches.
>> (domainlevel-show changed to domainlevel-get).
>>
>> Now it depends only on pvoborni 857-2, the rest was pushed.
>>
>
> The patches seem to do what they are supposed to do.

I've got an offline ACK from Martin3.

pushed to master:
* 604331f0bedf65b6c61a9c1b2d743d5d965576a9 webui: IPA.command_dialog - a new dialog base class
* ed78dcfa3acde7aeb1f381f49988c6911c5277ee webui: use command_dialog as a base class for password dialog
* 55bf33cce2ff6bcd49e2281dff31b2a2e24e6fb2 webui: make usage of --all in details facet optional
* 538178b53dcb6ecb7a2f1892d648a86202afb7ce webui: topology plugin
* 0138595f581d4b8ed76622d067e8dba0c29fd62f webui: configurable refresh command

>
> However, I have not found any UI element implementing the
> 'topologysegment-refresh' functionality. Was this only an oversight or
> do you plan to implement it in next patch?
>

Will be fixed separately: https://fedorahosted.org/freeipa/ticket/5048

--
Petr Vobornik

From mbabinsk at redhat.com Thu Jun 4 11:27:25 2015
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Thu, 04 Jun 2015 13:27:25 +0200
Subject: [Freeipa-devel] [PATCH] 822 webui: topology plugin
In-Reply-To: <5570353F.2080901@redhat.com>
References: <55365A0B.1030305@redhat.com> <5555DD7F.10000@redhat.com> <55644980.9020209@redhat.com> <5565D148.4080807@redhat.com> <556F3099.8040300@redhat.com> <5570353F.2080901@redhat.com>
Message-ID: <5570361D.1050105@redhat.com>

On 06/04/2015 01:23 PM, Petr Vobornik wrote:
> On 06/03/2015 06:51 PM, Martin Babinsky wrote:
>> On 05/27/2015 04:14 PM, Petr Vobornik wrote:
>>> On 05/26/2015 12:22 PM, Petr Vobornik wrote:
>>>> On 05/15/2015 01:50 PM, Petr Vobornik wrote:
>>>>> On 04/21/2015 04:09 PM, Petr Vobornik wrote:
>>>>>> First iteration of Topology plugin Web UI.
>>>>>>
>>>>>> It reflects current state of topology plugin python part which is
>>>>>> implemented in "[PATCH] manage replication topology in the shared
>>>>>> tree" and my wip patch.
>>>>>>
>>>>>> I expect that the server API part will change a bit therefore this
>>>>>> will as well.
>>>>>>
>>>>>> Graphical visualization/management (ticket 4286) will be
>>>>>> implemented in separate patch.
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/4997
>>>>>> http://www.freeipa.org/page/V4/Manage_replication_topology
>>>>>>
>>>>>
>>>>> New version attached. It requires stage user web ui patches in
>>>>> order to apply (I expect that user life cycle backend will be pushed
>>>>> sooner than topology)
>>>>>
>>>>> Changes:
>>>>> - Left host and Right host fields are now host comboboxes
>>>>> - Connectivity are radio buttons with "both, left-right, right-left,
>>>>> none" options
>>>>> - segment name is not a required field in its adder dialog
>>>>>
>>>>> IMHO "Attributes to strip", "Attributes to replicate", "Attributes for
>>>>> total update", "Initialize replica", "Session timeout", "Replication
>>>>> agreement enabled" fields should not be just free-form textboxes, but
>>>>> they should be more specific, e.g. a checkbox for "Replication
>>>>> agreement enabled" or integer for "Session timeout", but that should
>>>>> be modified first in the backend python plugin.
>>>>>
>>>>
>>>> New patchset which replaces the old patch.
>>>>
>>>> Contains Web UI for:
>>>> - topologysuffix, topologysegment, domain level, server
>>>>
>>>> Backend is implemented in patches:
>>>> - tbabej 325-9
>>>> - pvoborni 855, 857
>>>>
>>>
>>> New update which reflects the API change in domain level patches.
>>> (domainlevel-show changed to domainlevel-get).
>>>
>>> Now it depends only on pvoborni 857-2, the rest was pushed.
>>>
>>
>> The patches seem to do what they are supposed to do.
>
> I've got an offline ACK from Martin3.

I confirm the offline ACK, rest assured that Petr is not doing anything
shady ;).

>
> pushed to master:
> * 604331f0bedf65b6c61a9c1b2d743d5d965576a9 webui: IPA.command_dialog - a
> new dialog base class
> * ed78dcfa3acde7aeb1f381f49988c6911c5277ee webui: use command_dialog as
> a base class for password dialog
> * 55bf33cce2ff6bcd49e2281dff31b2a2e24e6fb2 webui: make usage of --all in
> details facet optional
> * 538178b53dcb6ecb7a2f1892d648a86202afb7ce webui: topology plugin
> * 0138595f581d4b8ed76622d067e8dba0c29fd62f webui: configurable refresh
> command
>
>>
>> However, I have not found any UI element implementing the
>> 'topologysegment-refresh' functionality. Was this only an oversight or
>> do you plan to implement it in next patch?
>>
>
> Will be fixed separately: https://fedorahosted.org/freeipa/ticket/5048

--
Martin^3 Babinsky

From rcritten at redhat.com Thu Jun 4 13:11:53 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 04 Jun 2015 09:11:53 -0400
Subject: [Freeipa-devel] [PATCH 0050] Allow to skip lint when building FreeIPA.
In-Reply-To: <20150604111042.GD10162@redhat.com>
References: <5570267E.1040402@redhat.com> <20150604104311.GC10162@redhat.com> <55702FD4.1050607@redhat.com> <20150604111042.GD10162@redhat.com>
Message-ID: <55704E99.4010008@redhat.com>

Alexander Bokovoy wrote:
> On Thu, 04 Jun 2015, David Kupka wrote:
>> On 06/04/2015 12:43 PM, Alexander Bokovoy wrote:
>>> On Thu, 04 Jun 2015, David Kupka wrote:
>>>>
>>>> --
>>>> David Kupka
>>>
>>>> From f68607e9a3db4cd8893c465d804615aac34afc29 Mon Sep 17 00:00:00 2001
>>>> From: David Kupka
>>>> Date: Thu, 4 Jun 2015 12:10:37 +0200
>>>> Subject: [PATCH] Allow to skip lint when building FreeIPA.
>>>>
>>>> Target 'lint' does nothing when SKIP_LINT is set to anything else than
>>>> "no".
>>>> By default the variable is unset and lint is executed as always was.
>>> Is there any reason to support this?
>>>
>>> I personally don't like to be able to skip lint as Python gives you too
>>> many ways of shooting yourself.
>>>
>>
>> On the other hand, running lint every time even when building
>> unchanged master is waste of (a lot of) time. I really prefer running
>> ./make-lint (or make lint) to check the code and 'make rpms' to build
>> packages.
>>
>> Moreover, the default behavior stays the same, lint is always run.
> So you can add a hook to use a git committish and check the change
> between them so that only when there is indeed a change, you run lint.
> And for cases when you are running off a tarball, simply disable lint --
> automatically.
>
> What in reality will happen if we allow setting SKIP_LINT permanently in
> the environment, we'd be less careful on the code checks. Sorry to be
> harsh here but that is how it goes. If lint is costly to run, optimize
> to run it only when it really is needed but not disable it voluntarily.
>

+1

I totally agree that it is getting out of hand speed/resource-wise. I had
more than one build fail due to OOM. But I don't think disabling it is the
right way because, as Alexander said, once disabled always disabled.

rob

From mbasti at redhat.com Thu Jun 4 13:40:18 2015
From: mbasti at redhat.com (Martin Basti) Date: Thu, 04 Jun 2015 15:40:18 +0200 Subject: [Freeipa-devel] [PATCHES 00012-0013 v7] Profiles and CA ACLs In-Reply-To: <20150604065944.GB23523@dhcp-40-8.bne.redhat.com> References: <55670D4D.9080302@redhat.com> <20150529041754.GE23523@dhcp-40-8.bne.redhat.com> <55682FB0.1030807@redhat.com> <55684792.3070006@redhat.com> <20150601071058.GI23523@dhcp-40-8.bne.redhat.com> <20150601072228.GJ23523@dhcp-40-8.bne.redhat.com> <20150602121127.GU23523@dhcp-40-8.bne.redhat.com> <556DDBD6.70007@redhat.com> <20150603141717.GZ23523@dhcp-40-8.bne.redhat.com> <556F3009.1090503@redhat.com> <20150604065944.GB23523@dhcp-40-8.bne.redhat.com> Message-ID: <55705542.4000002@redhat.com> On 04/06/15 08:59, Fraser Tweedale wrote: > On Wed, Jun 03, 2015 at 06:49:13PM +0200, Martin Basti wrote: >> On 03/06/15 16:17, Fraser Tweedale wrote: >>> On Tue, Jun 02, 2015 at 06:37:42PM +0200, Martin Basti wrote: >>>> On 02/06/15 14:11, Fraser Tweedale wrote: >>>>> On Mon, Jun 01, 2015 at 05:22:28PM +1000, Fraser Tweedale wrote: >>>>>> On Mon, Jun 01, 2015 at 05:10:58PM +1000, Fraser Tweedale wrote: >>>>>>> On Fri, May 29, 2015 at 01:03:46PM +0200, Martin Kosek wrote: >>>>>>>> On 05/29/2015 11:21 AM, Martin Basti wrote: >>>>>>>>> On 29/05/15 06:17, Fraser Tweedale wrote: >>>>>>>>>> On Thu, May 28, 2015 at 02:42:53PM +0200, Martin Basti wrote: >>>>>>>>>>> On 28/05/15 11:48, Martin Basti wrote: >>>>>>>>>>>> On 27/05/15 16:04, Fraser Tweedale wrote: >>>>>>>>>>>>> Hello all, >>>>>>>>>>>>> >>>>>>>>>>>>> Fresh certificate management patchset; Changelog: >>>>>>>>>>>>> >>>>>>>>>>>>> - Now depends on patch freeipa-ftweedal-0014 for correct >>>>>>>>>>>>> cert-request behaviour with host and service principals. >>>>>>>>>>>>> >>>>>>>>>>>>> - Updated Dogtag dependency to 10.2.4-1. 
Should be in >>>>>>>>>>>>> f22 soon, but for f22 right now or for f21, please grab from my >>>>>>>>>>>>> copr: https://copr.fedoraproject.org/coprs/ftweedal/freeipa/ >>>>>>>>>>>>> >>>>>>>>>>>>> Martin^1 could you please add to the quasi-official freeipa >>>>>>>>>>>>> copr? SRPM lives at >>>>>>>>>>>>> https://frase.id.au/pki-core-10.2.4-1.fc21.src.rpm. >>>>>>>>>>>>> >>>>>>>>>>>>> - cert-request now verifies that for user principals, CSR CN >>>>>>>>>>>>> matches uid and DN emailAddress and SAN rfc822Name match user's >>>>>>>>>>>>> email address, if either of those is present. >>>>>>>>>>>>> >>>>>>>>>>>>> - Fixed one or two other sneaky little bugs. >>>>>>>>>>>>> >>>>>>>>>>>>> On Wed, May 27, 2015 at 01:59:30AM +1000, Fraser Tweedale wrote: >>>>>>>>>>>>>> Hi all, >>>>>>>>>>>>>> >>>>>>>>>>>>>> Please find attached the latest certificate management >>>>>>>>>>>>>> patchset, which introduces the `caacl' plugin and various fixes >>>>>>>>>>>>>> and improvements to earlier patches. >>>>>>>>>>>>>> >>>>>>>>>>>>>> One important change to earlier patches is reverting the name >>>>>>>>>>>>>> of the default profile to 'caIPAserviceCert' and using the >>>>>>>>>>>>>> existing instance of this profile on upgrade (but not install) >>>>>>>>>>>>>> in case it has been modified. >>>>>>>>>>>>>> >>>>>>>>>>>>>> Other notes: >>>>>>>>>>>>>> >>>>>>>>>>>>>> - Still have changes in ipa-server-install (fewer lines now, >>>>>>>>>>>>>> though) >>>>>>>>>>>>>> >>>>>>>>>>>>>> - Still have the ugly import hack. It is not a high priority >>>>>>>>>>>>>> for me, i.e. I think it should wait until after alpha >>>>>>>>>>>>>> >>>>>>>>>>>>>> - Still need to update 'service' and 'host' plugins to support >>>>>>>>>>>>>> multiple certificates. 
(The userCertificate attribute schema >>>>>>>>>>>>>> itself is multi-valued, so there are no schema issues here) >>>>>>>>>>>>>> >>>>>>>>>>>>>> - The TODOs in [1]; mostly certprofile CLI conveniences and >>>>>>>>>>>>>> supporting multiple profiles for hosts and services (which >>>>>>>>>>>>>> requires changes to framework only, not schema). [1]: >>>>>>>>>>>>>> http://idm.etherpad.corp.redhat.com/rhel72-cert-mgmt-progress >>>>>>>>>>>>>> >>>>>>>>>>>>>> Happy reviewing! I am pleased with the initial cut of the >>>>>>>>>>>>>> caacl plugin but I'm sure you will find some things to be fixed >>>>>>>>>>>>>> :) >>>>>>>>>>>>>> >>>>>>>>>>>>>> Cheers, Fraser >>>>>>>>>>>> [root at vm-093 ~]# ipa-replica-prepare vm-094.example.com >>>>>>>>>>>> --ip-address 10.34.78.94 Directory Manager (existing master) >>>>>>>>>>>> password: >>>>>>>>>>>> >>>>>>>>>>>> Preparing replica for vm-094.example.com from vm-093.example.com >>>>>>>>>>>> Creating SSL certificate for the Directory Server not well-formed >>>>>>>>>>>> (invalid token): line 2, column 14 >>>>>>>>>>>> >>>>>>>>>>>> I cannot create replica file. It work on the upgraded server, >>>>>>>>>>>> but it doesn't work on the newly installed server. I'm not sure >>>>>>>>>>>> if this causes your patches which modifies the ca-installer, or >>>>>>>>>>>> the newer version of dogtag. >>>>>>>>>>>> >>>>>>>>>>>> Or if there was any other changes in master, I will continue to >>>>>>>>>>>> investigate with new RPM from master branch. >>>>>>>>>>>> >>>>>>>>>>>> Martin^2 >>>>>>>>>>>> >>>>>>>>>>> ipa-replica-prepare works for: * master branch * master branch + >>>>>>>>>>> pki-ca 10.2.4-1 >>>>>>>>>>> >>>>>>>>>>> So something in your patches is breaking it >>>>>>>>>>> >>>>>>>>>>> Martin^2 >>>>>>>>>>> >>>>>>>>>> Martin, master + my patches with pki 10.2.4-1 is working for me on >>>>>>>>>> f21 and f22. Can you provide ipa-replica-prepare --debug output and >>>>>>>>>> Dogtag debug log? 
( /var/log/pki/pki-tomcat/ca/debug ) >>>>>>>>>> >>>>>>>>>> Thanks, >>>>>>>>>> Fraser >>>>>>>>> I can not reproduce it today. And I already recycled the VMs from yesterday. :-( >>>>>>>>> >>>>>>>> In that case I would suggest ACKing&pushing the patch and fixing the bug if >>>>>>>> it comes again. The tree may now be a bit unstable, given the number of >>>>>>>> patches going in. >>>>>>>> >>>>>>>> My main motivation here is to unblock Fraser. >>>>>>>> >>>>>>>> Thanks, >>>>>>>> Martin >>>>>>> Rebased patchset attached; no other changes. >>>>>> Heads up: I just discovered I have introduced a bug with >>>>>> ipa-replica-install, when it is spawning the CA instance. I think >>>>>> replication it only causes issues with ``--setup-ca``. >>>>>> >>>>>> I will try and sort it out tomorrow or later tonight (I have to head >>>>>> out for a few hours now, though); and I'm not suggesting it should >>>>>> block the push but it's something to be aware of. >>>>>> >>>>>> Cheers, >>>>>> Fraser >>>>>> >>>>> New patchset attached ; haven't gotten to the bottom of the >>>>> ipa-replica-install issue mentioned above, but it fixes an upgrade >>>>> bug. >>>>> >>>>> The change is: >>>>> >>>>> diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py >>>>> index c288282..c5f4d37 100644 >>>>> --- a/ipaserver/install/server/upgrade.py >>>>> +++ b/ipaserver/install/server/upgrade.py >>>>> @@ -316,7 +316,7 @@ def ca_enable_ldap_profile_subsystem(ca): >>>>> caconfig.CS_CFG_PATH, >>>>> directive, >>>>> separator='=') >>>>> - if value == 'ProfileSubsystem': >>>>> + if value == 'com.netscape.cmscore.profile.ProfileSubsystem': >>>>> needs_update = True >>>>> break >>>>> except OSError, e: 
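Review bot: in the first upgrade.py hunk the comparison now matches only the fully qualified class name `com.netscape.cmscore.profile.ProfileSubsystem`, so an instance whose CS.cfg still carries the bare `ProfileSubsystem` that the old code looked for would no longer set `needs_update` and the upgrade step would be skipped silently; if both spellings can occur in the field, compare on the last dotted component (e.g. `value.rsplit('.', 1)[-1] == 'ProfileSubsystem'`) or accept either string explicitly. While touching this function, the context line `except OSError, e:` still uses the Python 2-only comma form; `except OSError as e:` is valid on both interpreters and matches the direction the rest of the tree is moving in.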
>>>>> @@ -328,7 +328,7 @@ def ca_enable_ldap_profile_subsystem(ca): >>>>> installutils.set_directive( >>>>> caconfig.CS_CFG_PATH, >>>>> directive, >>>>> - 'LDAPProfileSubsystem', >>>>> + 'com.netscape.cmscore.profile.LDAPProfileSubsystem', >>>>> quotes=False, >>>>> separator='=') >>>>> >>>>> Cheers, >>>>> Fraser >>>>> >>>>> >>>> Thank you, >>>> >>>> 1) >>>> ipa-getcert request (getcert -c IPA) >>>> doesn't work, >>>> >>>> Request ID '20150602145845': >>>> status: CA_REJECTED >>>> ca-error: Server at https://vm-137.example.com/ipa/xml denied our >>>> request, giving up: 3007 (RPC failed at server. 'profile_id' is required). >>>> >>>> 2) >>>> Error from rpm install >>>> Unexpected error - see /var/log/ipaupgrade.log for details: >>>> SkipPluginModule: dogtag not selected as RA plugin >>>> >>>> Just for the record as a known issue, this will be fixed later in a new patch. >>>> >>>> 3) >>>> + Str('profile_id', validate_profile_id, >>>> + label=_("Profile ID"), >>>> + doc=_("Certificate Profile to use"), >>>> + ) >>>> Please mark this param as optional. ('profile_id?') >>>> This will fix issue 1, but 1 will need an option to specify profile_id >>>> >>>> Also move API related change from patch 9 to patch 11 + increment VERSION >>>> >>>> 4) >>>> * Maybe I do everything wrong :) >>>> >>>> I'm not able to create certificate stored in FILE, via ipa-getcert request. >>>> I'm getting error: >>>> status: CA_UNREACHABLE >>>> ca-error: Server at https://vm-137.example.com/ipa/xml failed request, >>>> will retry: 4001 (RPC failed at server. vm-137.example.com at example.com: host >>>> not found). >>>> >>>> or error: >>>> Request ID '20150602154115': >>>> status: CA_REJECTED >>>> ca-error: Server at https://vm-137.example.com/ipa/xml denied our >>>> request, giving up: 2100 (RPC failed at server. Insufficient access: not >>>> allowed to perform this command). 
>>>> (I'm root and kinited as admin) >>>> >>>> Maybe additional ACI is required for cert_request as it is VirtualCommand >>>> >>>> >>>> -- >>>> Martin Basti >>>> >>> Thanks for report. Attached patchset should fix the certmonger >>> issues, and also makes cert-request --profile-id argument optional. >>> >>> The changes were fixup'd into the appropriate patches but the >>> combined diff follows. (Note that the API.txt and VERSION changes >>> you recommended were executed but are missing from this diff.) >>> >>> Thanks, >>> Fraser >>> >>> diff --git a/ipalib/plugins/caacl.py b/ipalib/plugins/caacl.py >>> index c09df86..a9dde86 100644 >>> --- a/ipalib/plugins/caacl.py >>> +++ b/ipalib/plugins/caacl.py >>> @@ -12,7 +12,7 @@ from ipalib.plugins.baseldap import ( >>> LDAPUpdate, LDAPRetrieve, LDAPAddMember, LDAPRemoveMember, >>> pkey_to_value) >>> from ipalib.plugins.certprofile import validate_profile_id >>> -from ipalib.plugins.service import normalize_principal >>> +from ipalib.plugins.service import normalize_principal, split_any_principal >>> from ipalib import _, ngettext >>> from ipapython.dn import DN >>> @@ -69,7 +69,7 @@ def _acl_make_request(principal_type, principal, ca_ref, profile_id): >>> groups = user_obj.get('memberof_group', []) >>> groups += user_obj.get('memberofindirect_group', []) >>> elif principal_type == 'host': >>> - hostname = principal[5:] >>> + service, hostname, realm = split_any_principal(principal) >>> host_obj = api.Command.host_show(hostname)['result'] >>> groups = host_obj.get('memberof_hostgroup', []) >>> groups += host_obj.get('memberofindirect_hostgroup', []) >>> diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py >>> index 70ae610..1878e5a 100644 >>> --- a/ipalib/plugins/cert.py >>> +++ b/ipalib/plugins/cert.py 
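Review bot: in the caacl.py `_acl_make_request` hunk, `service, hostname, realm = split_any_principal(principal)` is safer than the old `principal[5:]` slice, but of the three values only `hostname` is used: `service` is never confirmed to be `'host'` and `realm` is dropped before `api.Command.host_show(hostname)`, so the lookup is by bare hostname whatever realm the principal names. Because this function feeds an access-control decision, suggest checking `service == 'host'` and that `realm` is the local realm before the lookup (raising on mismatch), and binding the unused values to `_` so the intent is visible.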
>>> @@ -247,7 +247,7 @@ class cert_request(VirtualCommand): >>> default=False, >>> autofill=True >>> ), >>> - Str('profile_id', validate_profile_id, >>> + Str('profile_id?', validate_profile_id, >>> label=_("Profile ID"), >>> doc=_("Certificate Profile to use"), >>> ) >>> @@ -346,7 +346,14 @@ class cert_request(VirtualCommand): >>> bind_principal = split_any_principal(getattr(context, 'principal')) >>> bind_service, bind_name, bind_realm = bind_principal >>> - if bind_principal != principal: >>> + if bind_service is None: >>> + bind_principal_type = USER >>> + elif bind_service == 'host': >>> + bind_principal_type = HOST >>> + else: >>> + bind_principal_type = SERVICE >>> + >>> + if bind_principal != principal and bind_principal_type != HOST: >>> # Can the bound principal request certs for another principal? >>> self.check_access() >>> @@ -359,7 +366,7 @@ class cert_request(VirtualCommand): >>> error=_("Failure decoding Certificate Signing Request: %s") % e) >>> # host principals may bypass allowed ext check >>> - if bind_service != 'host': >>> + if bind_principal_type != HOST: >>> for ext in extensions: >>> operation = self._allowed_extensions.get(ext) >>> if operation: >>> diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py >>> index 659751e..53085f7 100644 >>> --- a/ipapython/dogtag.py >>> +++ b/ipapython/dogtag.py 
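Review bot: in the cert.py hunk that turns `Str('profile_id', ...)` into `Str('profile_id?', ...)`, the diff does not show where a missing value is filled in; the `DEFAULT_PROFILE` change in ipapython/dogtag.py suggests a fallback exists, but declaring it on the parameter, e.g. `default=DEFAULT_PROFILE, autofill=True` in the same style as the `default=False, autofill=True` parameter just above, would make the default explicit in API.txt and spare the command body a None check.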
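Review bot: in the `@@ -346,7 +346,14 @@` hunk, the new condition `if bind_principal != principal and bind_principal_type != HOST:` means a bound host principal never reaches `self.check_access()`, whatever principal the CSR names; before this change any mismatch between the bound and the target principal triggered the check. Unless code after this hunk restricts hosts to principals they are entitled to manage, an enrolled host can request a certificate for any user, host or service. Suggest keeping `check_access()` for hosts, or narrowing the bypass to `bind_principal == principal` plus an explicit host-manages-target check. Also, `USER`, `HOST` and `SERVICE` do not appear in this diff; confirm they are defined or imported in cert.py.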
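Review bot: in the `@@ -359,7 +366,7 @@` hunk, the comment "host principals may bypass allowed ext check" now keys on `bind_principal_type != HOST`; taken together with the previous hunk, a host binding is exempt from both the access check and the `_allowed_extensions` filter for any target principal. If the bypass is only meant for a host's own certificate, `if bind_principal_type != HOST or bind_principal != principal:` keeps the filter in place when a host requests on behalf of another principal; if hosts legitimately request for principals they manage, scope the exemption to those targets instead.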
>>> @@ -47,7 +47,7 @@ INCLUDED_PROFILES = { >>> (u'caIPAserviceCert', u'Standard profile for network services', True), >>> } >>> -DEFAULT_PROFILE = 'caIPAserviceCert' >>> +DEFAULT_PROFILE = u'caIPAserviceCert' >>> class Dogtag10Constants(object): >>> DOGTAG_VERSION = 10 >> Should the user certificates behave in the same way as host and service >> certificates, i.e should be revoked after user-del or user-mod operation?? >> If yes it would be an additional patch. >> >> Please move API.txt fragment from patch 9 to patch 11 >> With this change ACK for patches 1-11, to unblock testing. For patches 12-13 >> I need more time. >> >> -- >> Martin Basti >> > Updated patches attached. Only your requested change for 1-11. For > 12-13 (caacl plugin) it was updated to LDAPAddMember and > LDAPRemoveMember functionality for adding profiles to ACL - this has > the desirable effect of making sure the profile actually exists :) > > Thanks, > Fraser Hello, design page needs upgrade Please fix 1) ngettext/ugettext missing? (several times) ('%i object added.', '%i objects added.') 2) --allprofiles=BOOL Allow use of all profiles --allusers=BOOL Allow all users --allhosts=BOOL Allow all hosts --allservices=BOOL Allow all services Other commands use the separate words with '-', I suggest to use --all-profiles=True, etc.. 3) In the following example, there is missing ACL name: + ipa caacl-add-user --user=alice 4) attributes 'ipaCaAclAllCAs', 'ipaCaAclAllProfiles', 'ipaCaAclAllUsers', 'ipaCaAclAllHosts', 'ipaCaAclAllServices' should be called ipaCaAclCAsCategory, etc... to be consistent, please reuse usercategory, hostcategory, etc. and create new category attribute definitions for the rest. Please read sudorule.py for details. Respectively instead BOOLEAN True, the value 'all' should be there. This allows to extend it in future. 
5) Missing referint plugin configuration for attribute 'ipacaaclmembercertprofile' Please add it into install/updates/25-referint.update (+ other member attributes if missing) 6) ACI: 'memberhostgroup' is not virtual nor real attribute, please remove it from there (Honza told me there is an error in HBAC ipa plugin, I will send fix) -- Martin Basti From mkosek at redhat.com Thu Jun 4 13:48:43 2015 
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 04 Jun 2015 15:48:43 +0200 Subject: [Freeipa-devel] [PATCHES 00012-0013 v7] Profiles and CA ACLs In-Reply-To: <55705542.4000002@redhat.com> References: <55670D4D.9080302@redhat.com> <20150529041754.GE23523@dhcp-40-8.bne.redhat.com> <55682FB0.1030807@redhat.com> <55684792.3070006@redhat.com> <20150601071058.GI23523@dhcp-40-8.bne.redhat.com> <20150601072228.GJ23523@dhcp-40-8.bne.redhat.com> <20150602121127.GU23523@dhcp-40-8.bne.redhat.com> <556DDBD6.70007@redhat.com> <20150603141717.GZ23523@dhcp-40-8.bne.redhat.com> <556F3009.1090503@redhat.com> <20150604065944.GB23523@dhcp-40-8.bne.redhat.com> <55705542.4000002@redhat.com> Message-ID: <5570573B.2010408@redhat.com> On 06/04/2015 03:40 PM, Martin Basti wrote: > On 04/06/15 08:59, Fraser Tweedale wrote: >> On Wed, Jun 03, 2015 at 06:49:13PM +0200, Martin Basti wrote: >>> On 03/06/15 16:17, Fraser Tweedale wrote: >>>> On Tue, Jun 02, 2015 at 06:37:42PM +0200, Martin Basti wrote: >>>>> On 02/06/15 14:11, Fraser Tweedale wrote: >>>>>> On Mon, Jun 01, 2015 at 05:22:28PM +1000, Fraser Tweedale wrote: >>>>>>> On Mon, Jun 01, 2015 at 05:10:58PM +1000, Fraser Tweedale wrote: >>>>>>>> On Fri, May 29, 2015 at 01:03:46PM +0200, Martin Kosek wrote: >>>>>>>>> On 05/29/2015 11:21 AM, Martin Basti wrote: >>>>>>>>>> On 29/05/15 06:17, Fraser Tweedale wrote: >>>>>>>>>>> On Thu, May 28, 2015 at 02:42:53PM +0200, Martin Basti wrote: >>>>>>>>>>>> On 28/05/15 11:48, Martin Basti wrote: >>>>>>>>>>>>> On 27/05/15 16:04, Fraser Tweedale wrote: >>>>>>>>>>>>>> Hello all, >>>>>>>>>>>>>> >>>>>>>>>>>>>> Fresh certificate management patchset; Changelog: >>>>>>>>>>>>>> >>>>>>>>>>>>>> - Now depends on patch freeipa-ftweedal-0014 for correct >>>>>>>>>>>>>> cert-request behaviour with host and service principals. >>>>>>>>>>>>>> >>>>>>>>>>>>>> - Updated Dogtag dependency to 10.2.4-1. 
Should should be in >>>>>>>>>>>>>> f22 soon, but for f22 right now or for f21, please grab from my >>>>>>>>>>>>>> copr: https://copr.fedoraproject.org/coprs/ftweedal/freeipa/ >>>>>>>>>>>>>> >>>>>>>>>>>>>> Martin^1 could you please add to the quasi-official freeipa >>>>>>>>>>>>>> copr? SRPM lives at >>>>>>>>>>>>>> https://frase.id.au/pki-core-10.2.4-1.fc21.src.rpm. >>>>>>>>>>>>>> >>>>>>>>>>>>>> - cert-request now verifies that for user principals, CSR CN >>>>>>>>>>>>>> matches uid and, DN emailAddress and SAN rfc822Name match user's >>>>>>>>>>>>>> email address, if either of those is present. >>>>>>>>>>>>>> >>>>>>>>>>>>>> - Fixed one or two other sneaky little bugs. >>>>>>>>>>>>>> >>>>>>>>>>>>>> On Wed, May 27, 2015 at 01:59:30AM +1000, Fraser Tweedale wrote: >>>>>>>>>>>>>>> Hi all, >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Please find attached the latest certificate management >>>>>>>>>>>>>>> patchset, which introduces the `caacl' plugin and various fixes >>>>>>>>>>>>>>> and improvement to earlier patches. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> One important change to earlier patches is reverting the name >>>>>>>>>>>>>>> of the default profile to 'caIPAserviceCert' and using the >>>>>>>>>>>>>>> existing instance of this profile on upgrade (but not install) >>>>>>>>>>>>>>> in case it has been modified. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Other notes: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> - Still have changes in ipa-server-install (fewer lines now, >>>>>>>>>>>>>>> though) >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> - Still have the ugly import hack. It is not a high priority >>>>>>>>>>>>>>> for me, i.e. I think it should wait until after alpha >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> - Still need to update 'service' and 'host' plugins to support >>>>>>>>>>>>>>> multiple certificates. 
(The userCertificate attribute schema >>>>>>>>>>>>>>> itself is multi-valued, so there are no schema issues here) >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> - The TODOs in [1]; mostly certprofile CLI conveniences and >>>>>>>>>>>>>>> supporting multiple profiles for hosts and services (which >>>>>>>>>>>>>>> requires changes to framework only, not schema). [1]: >>>>>>>>>>>>>>> http://idm.etherpad.corp.redhat.com/rhel72-cert-mgmt-progress >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Happy reviewing! I am pleased with the initial cut of the >>>>>>>>>>>>>>> caacl plugin but I'm sure you will find some things to be fixed >>>>>>>>>>>>>>> :) >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Cheers, Fraser >>>>>>>>>>>>> [root at vm-093 ~]# ipa-replica-prepare vm-094.example.com >>>>>>>>>>>>> --ip-address 10.34.78.94 Directory Manager (existing master) >>>>>>>>>>>>> password: >>>>>>>>>>>>> >>>>>>>>>>>>> Preparing replica for vm-094.example.com from vm-093.example.com >>>>>>>>>>>>> Creating SSL certificate for the Directory Server not well-formed >>>>>>>>>>>>> (invalid token): line 2, column 14 >>>>>>>>>>>>> >>>>>>>>>>>>> I cannot create replica file. It work on the upgraded server, >>>>>>>>>>>>> but it doesn't work on the newly installed server. I'm not sure >>>>>>>>>>>>> if this causes your patches which modifies the ca-installer, or >>>>>>>>>>>>> the newer version of dogtag. >>>>>>>>>>>>> >>>>>>>>>>>>> Or if there was any other changes in master, I will continue to >>>>>>>>>>>>> investigate with new RPM from master branch. >>>>>>>>>>>>> >>>>>>>>>>>>> Martin^2 >>>>>>>>>>>>> >>>>>>>>>>>> ipa-replica-prepare works for: * master branch * master branch + >>>>>>>>>>>> pki-ca 10.2.4-1 >>>>>>>>>>>> >>>>>>>>>>>> So something in your patches is breaking it >>>>>>>>>>>> >>>>>>>>>>>> Martin^2 >>>>>>>>>>>> >>>>>>>>>>> Martin, master + my patches with pki 10.2.4-1 is working for me on >>>>>>>>>>> f21 and f22. Can you provide ipa-replica-prepare --debug output and >>>>>>>>>>> Dogtag debug log? 
( /var/log/pki/pki-tomcat/ca/debug ) >>>>>>>>>>> >>>>>>>>>>> Thanks, >>>>>>>>>>> Fraser >>>>>>>>>> I can not reproduce it today. And I already recycled the VMs from >>>>>>>>>> yesterday. :-( >>>>>>>>>> >>>>>>>>> In that case I would suggest ACKing&pushing the patch and fixing the >>>>>>>>> bug if >>>>>>>>> it comes again. The tree may now be a bit unstable, given the number of >>>>>>>>> patches going in. >>>>>>>>> >>>>>>>>> My main motivation here is to unblock Fraser. >>>>>>>>> >>>>>>>>> Thanks, >>>>>>>>> Martin >>>>>>>> Rebased patchset attached; no other changes. >>>>>>> Heads up: I just discovered I have introduced a bug with >>>>>>> ipa-replica-install, when it is spawning the CA instance. I think >>>>>>> replication it only causes issues with ``--setup-ca``. >>>>>>> >>>>>>> I will try and sort it out tomorrow or later tonight (I have to head >>>>>>> out for a few hours now, though); and I'm not suggesting it should >>>>>>> block the push but it's something to be aware of. >>>>>>> >>>>>>> Cheers, >>>>>>> Fraser >>>>>>> >>>>>> New patchset attached ; haven't gotten to the bottom of the >>>>>> ipa-replica-install issue mentioned above, but it fixes an upgrade >>>>>> bug. >>>>>> >>>>>> The change is: >>>>>> >>>>>> diff --git a/ipaserver/install/server/upgrade.py >>>>>> b/ipaserver/install/server/upgrade.py >>>>>> index c288282..c5f4d37 100644 >>>>>> --- a/ipaserver/install/server/upgrade.py >>>>>> +++ b/ipaserver/install/server/upgrade.py >>>>>> @@ -316,7 +316,7 @@ def ca_enable_ldap_profile_subsystem(ca): >>>>>> caconfig.CS_CFG_PATH, >>>>>> directive, >>>>>> separator='=') >>>>>> - if value == 'ProfileSubsystem': >>>>>> + if value == 'com.netscape.cmscore.profile.ProfileSubsystem': >>>>>> needs_update = True >>>>>> break >>>>>> except OSError, e: 
>>>>>> @@ -328,7 +328,7 @@ def ca_enable_ldap_profile_subsystem(ca): >>>>>> installutils.set_directive( >>>>>> caconfig.CS_CFG_PATH, >>>>>> directive, >>>>>> - 'LDAPProfileSubsystem', >>>>>> + 'com.netscape.cmscore.profile.LDAPProfileSubsystem', >>>>>> quotes=False, >>>>>> separator='=') >>>>>> >>>>>> Cheers, >>>>>> Fraser >>>>>> >>>>>> >>>>> Thank you, >>>>> >>>>> 1) >>>>> ipa-getcert request (getcert -c IPA) >>>>> doesnt work, >>>>> >>>>> Request ID '20150602145845': >>>>> status: CA_REJECTED >>>>> ca-error: Server at https://vm-137.example.com/ipa/xml denied our >>>>> request, giving up: 3007 (RPC failed at server. 'profile_id' is required). >>>>> >>>>> 2) >>>>> Error from rpm install >>>>> Unexpected error - see /var/log/ipaupgrade.log for details: >>>>> SkipPluginModule: dogtag not selected as RA plugin >>>>> >>>>> Just for record as known issue, this will be fixed later in a new patch. >>>>> >>>>> 3) >>>>> + Str('profile_id', validate_profile_id, >>>>> + label=_("Profile ID"), >>>>> + doc=_("Certificate Profile to use"), >>>>> + ) >>>>> Please mark this param as optional. ('profile_id?') >>>>> This will fix issue 1, but 1 will need a option to specify profile_id >>>>> >>>>> Also move API related change from patch 9 to patch 11 + increment VERSION >>>>> >>>>> 4) >>>>> * Maybe I do everything wrong :) >>>>> >>>>> I'm not able to create certificate stored in FILE, via ipa-getcert request. >>>>> I'm getting error: >>>>> status: CA_UNREACHABLE >>>>> ca-error: Server at https://vm-137.example.com/ipa/xml failed request, >>>>> will retry: 4001 (RPC failed at server. vm-137.example.com at example.com: host >>>>> not found). >>>>> >>>>> or error: >>>>> Request ID '20150602154115': >>>>> status: CA_REJECTED >>>>> ca-error: Server at https://vm-137.example.com/ipa/xml denied our >>>>> request, giving up: 2100 (RPC failed at server. Insufficient access: not >>>>> allowed to perform this command). 
>>>>> (I'm root and kinited as admin) >>>>> >>>>> Maybe additional ACI is required for cert_request as it is VirtualCommand >>>>> >>>>> >>>>> -- >>>>> Martin Basti >>>>> >>>> Thanks for report. Attached patchset should fix the certmonger >>>> issues, and also makes cert-request --profile-id argument optional. >>>> >>>> The changes were fixup'd into the appropriate patches but the >>>> combined diff follows. (Note that the API.txt and VERSION changes >>>> you recommended were executed but are missing from this diff.) >>>> >>>> Thanks, >>>> Fraser >>>> >>>> diff --git a/ipalib/plugins/caacl.py b/ipalib/plugins/caacl.py >>>> index c09df86..a9dde86 100644 >>>> --- a/ipalib/plugins/caacl.py >>>> +++ b/ipalib/plugins/caacl.py >>>> @@ -12,7 +12,7 @@ from ipalib.plugins.baseldap import ( >>>> LDAPUpdate, LDAPRetrieve, LDAPAddMember, LDAPRemoveMember, >>>> pkey_to_value) >>>> from ipalib.plugins.certprofile import validate_profile_id >>>> -from ipalib.plugins.service import normalize_principal >>>> +from ipalib.plugins.service import normalize_principal, split_any_principal >>>> from ipalib import _, ngettext >>>> from ipapython.dn import DN >>>> @@ -69,7 +69,7 @@ def _acl_make_request(principal_type, principal, ca_ref, >>>> profile_id): >>>> groups = user_obj.get('memberof_group', []) >>>> groups += user_obj.get('memberofindirect_group', []) >>>> elif principal_type == 'host': >>>> - hostname = principal[5:] >>>> + service, hostname, realm = split_any_principal(principal) >>>> host_obj = api.Command.host_show(hostname)['result'] >>>> groups = host_obj.get('memberof_hostgroup', []) >>>> groups += host_obj.get('memberofindirect_hostgroup', []) >>>> diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py >>>> index 70ae610..1878e5a 100644 >>>> --- a/ipalib/plugins/cert.py >>>> +++ b/ipalib/plugins/cert.py 
>>>> @@ -247,7 +247,7 @@ class cert_request(VirtualCommand): >>>> default=False, >>>> autofill=True >>>> ), >>>> - Str('profile_id', validate_profile_id, >>>> + Str('profile_id?', validate_profile_id, >>>> label=_("Profile ID"), >>>> doc=_("Certificate Profile to use"), >>>> ) >>>> @@ -346,7 +346,14 @@ class cert_request(VirtualCommand): >>>> bind_principal = split_any_principal(getattr(context, 'principal')) >>>> bind_service, bind_name, bind_realm = bind_principal >>>> - if bind_principal != principal: >>>> + if bind_service is None: >>>> + bind_principal_type = USER >>>> + elif bind_service == 'host': >>>> + bind_principal_type = HOST >>>> + else: >>>> + bind_principal_type = SERVICE >>>> + >>>> + if bind_principal != principal and bind_principal_type != HOST: >>>> # Can the bound principal request certs for another principal? >>>> self.check_access() >>>> @@ -359,7 +366,7 @@ class cert_request(VirtualCommand): >>>> error=_("Failure decoding Certificate Signing Request: >>>> %s") % e) >>>> # host principals may bypass allowed ext check >>>> - if bind_service != 'host': >>>> + if bind_principal_type != HOST: >>>> for ext in extensions: >>>> operation = self._allowed_extensions.get(ext) >>>> if operation: >>>> diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py >>>> index 659751e..53085f7 100644 >>>> --- a/ipapython/dogtag.py >>>> +++ b/ipapython/dogtag.py 
>>>> @@ -47,7 +47,7 @@ INCLUDED_PROFILES = { >>>> (u'caIPAserviceCert', u'Standard profile for network services', True), >>>> } >>>> -DEFAULT_PROFILE = 'caIPAserviceCert' >>>> +DEFAULT_PROFILE = u'caIPAserviceCert' >>>> class Dogtag10Constants(object): >>>> DOGTAG_VERSION = 10 >>> Should the user certificates behave in the same way as host and service >>> certificates, i.e should be revoked after user-del or user-mod operation?? >>> If yes it would be an additional patch. >>> >>> Please move API.txt fragment from patch 9 to patch 11 >>> With this change ACK for patches 1-11, to unblock testing. For patches 12-13 >>> I need more time. >>> >>> -- >>> Martin Basti >>> >> Updated patches attached. Only your requested change for 1-11. For >> 12-13 (caacl plugin) it was updated to LDAPAddMember and >> LDAPRemoveMember functionality for adding profiles to ACL - this has >> the desirable effect of making sure the profile actually exists :) >> >> Thanks, >> Fraser > Hello, > > design page needs upgrade > > Please fix > 1) > ngettext/ugettext missing? (several times) > ('%i object added.', '%i objects added.') > > 2) > --allprofiles=BOOL Allow use of all profiles > --allusers=BOOL Allow all users > --allhosts=BOOL Allow all hosts > --allservices=BOOL Allow all services > > Other commands use the separate words with '-', I suggest to use > --all-profiles=True, etc.. For these, should we follow the example in hbacrule or sudorule: # ipa hbacrule-mod --help Usage: ipa [global-options] hbacrule-mod NAME [options] Modify an HBAC rule. Options: -h, --help show this help message and exit --usercat=['all'] User category the rule applies to --hostcat=['all'] Host category the rule applies to --servicecat=['all'] Service category the rule applies to i.e. 
what I think Martin describes in 4) > > 3) > In the following example, there is missing ACL name: > + ipa caacl-add-user --user=alice > > 4) > attributes 'ipaCaAclAllCAs', 'ipaCaAclAllProfiles', 'ipaCaAclAllUsers', > 'ipaCaAclAllHosts', 'ipaCaAclAllServices' should be called ipaCaAclCAsCategory, > etc... to be consistent, please reuse usercategory, hostcategory, etc. and > create new category attribute definitions for the rest. > Please read sudorule.py for details. > Respectively instead BOOLEAN True, the value 'all' should be there. This allows > to extend it in future. > > 5) > Missing referint plugin configuration for attribute 'ipacaaclmembercertprofile' > Please add it into install/updates/25-referint.update (+ other member > attributes if missing) > > 6) > ACI: > 'memberhostgroup' is not virtual nor real attribute, please remove it from > there (Honza told me there is an error in HBAC ipa plugin, I will send fix) > From ofayans at redhat.com Thu Jun 4 13:55:55 2015 
From: ofayans at redhat.com (Oleg Fayans) Date: Thu, 04 Jun 2015 15:55:55 +0200 Subject: [Freeipa-devel] SkipPluginModule error raised during new code installation Message-ID: <557058EB.2010703@redhat.com> Hi everybody The following error was raised during the installation of the freeipa packages built from the current master branch: ofayans at f22master:~/freeipa/dist/rpms]$ sudo rpm -ihv *.rpm Preparing... ################################# [100%] Updating / installing... 1:freeipa-python-4.1.99.20150604133################################# [ 14%] 2:freeipa-client-4.1.99.20150604133################################# [ 29%] 3:freeipa-admintools-4.1.99.2015060################################# [ 43%] 4:freeipa-server-4.1.99.20150604133################################# [ 57%] 5:freeipa-server-trust-ad-4.1.99.20################################# [ 71%] 6:freeipa-tests-4.1.99.201506041338################################# [ 86%] 7:freeipa-debuginfo-4.1.99.20150604################################# [100%] Unexpected error - see /var/log/ipaupgrade.log for details: SkipPluginModule: dogtag not selected as RA plugin The corresponding part of the ipaupgrade.log is as follows: 2015-06-04T13:48:36Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute return_value = self.run() File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 44, in run import ipaserver.plugins.dogtag # ensure profile backend gets loaded File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line 1273, in raise SkipPluginModule(reason='dogtag not selected as RA plugin') 2015-06-04T13:48:36Z DEBUG The ipa-server-upgrade command failed, exception: SkipPluginModule: dogtag not selected as RA plugin This error is observed both on f22 and f21 machines. 
the only patch that I applied on top of the master branch is this: freeipa-lkrispen-0011-check-for-existing-and-self-referential-segments.patch -- Oleg Fayans Quality Engineer FreeIPA team RedHat. From mbasti at redhat.com Thu Jun 4 13:58:25 2015 
From: mbasti at redhat.com (Martin Basti) Date: Thu, 04 Jun 2015 15:58:25 +0200 Subject: [Freeipa-devel] [PATCHES 00012-0013 v7] Profiles and CA ACLs In-Reply-To: <5570573B.2010408@redhat.com> References: <55670D4D.9080302@redhat.com> <20150529041754.GE23523@dhcp-40-8.bne.redhat.com> <55682FB0.1030807@redhat.com> <55684792.3070006@redhat.com> <20150601071058.GI23523@dhcp-40-8.bne.redhat.com> <20150601072228.GJ23523@dhcp-40-8.bne.redhat.com> <20150602121127.GU23523@dhcp-40-8.bne.redhat.com> <556DDBD6.70007@redhat.com> <20150603141717.GZ23523@dhcp-40-8.bne.redhat.com> <556F3009.1090503@redhat.com> <20150604065944.GB23523@dhcp-40-8.bne.redhat.com> <55705542.4000002@redhat.com> <5570573B.2010408@redhat.com> Message-ID: <55705981.2040105@redhat.com> On 04/06/15 15:48, Martin Kosek wrote: > On 06/04/2015 03:40 PM, Martin Basti wrote: >> On 04/06/15 08:59, Fraser Tweedale wrote: >>> On Wed, Jun 03, 2015 at 06:49:13PM +0200, Martin Basti wrote: >>>> On 03/06/15 16:17, Fraser Tweedale wrote: >>>>> On Tue, Jun 02, 2015 at 06:37:42PM +0200, Martin Basti wrote: >>>>>> On 02/06/15 14:11, Fraser Tweedale wrote: >>>>>>> On Mon, Jun 01, 2015 at 05:22:28PM +1000, Fraser Tweedale wrote: >>>>>>>> On Mon, Jun 01, 2015 at 05:10:58PM +1000, Fraser Tweedale wrote: >>>>>>>>> On Fri, May 29, 2015 at 01:03:46PM +0200, Martin Kosek wrote: >>>>>>>>>> On 05/29/2015 11:21 AM, Martin Basti wrote: >>>>>>>>>>> On 29/05/15 06:17, Fraser Tweedale wrote: >>>>>>>>>>>> On Thu, May 28, 2015 at 02:42:53PM +0200, Martin Basti wrote: >>>>>>>>>>>>> On 28/05/15 11:48, Martin Basti wrote: >>>>>>>>>>>>>> On 27/05/15 16:04, Fraser Tweedale wrote: >>>>>>>>>>>>>>> Hello all, >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Fresh certificate management patchset; Changelog: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> - Now depends on patch freeipa-ftweedal-0014 for correct >>>>>>>>>>>>>>> cert-request behaviour with host and service principals. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> - Updated Dogtag dependency to 10.2.4-1. 
Should be in >>>>>>>>>>>>>>> f22 soon, but for f22 right now or for f21, please grab from my >>>>>>>>>>>>>>> copr: https://copr.fedoraproject.org/coprs/ftweedal/freeipa/ >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Martin^1 could you please add to the quasi-official freeipa >>>>>>>>>>>>>>> copr? SRPM lives at >>>>>>>>>>>>>>> https://frase.id.au/pki-core-10.2.4-1.fc21.src.rpm. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> - cert-request now verifies that for user principals, CSR CN >>>>>>>>>>>>>>> matches uid and DN emailAddress and SAN rfc822Name match user's >>>>>>>>>>>>>>> email address, if either of those is present. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> - Fixed one or two other sneaky little bugs. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> On Wed, May 27, 2015 at 01:59:30AM +1000, Fraser Tweedale wrote: >>>>>>>>>>>>>>>> Hi all, >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Please find attached the latest certificate management >>>>>>>>>>>>>>>> patchset, which introduces the `caacl' plugin and various fixes >>>>>>>>>>>>>>>> and improvements to earlier patches. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> One important change to earlier patches is reverting the name >>>>>>>>>>>>>>>> of the default profile to 'caIPAserviceCert' and using the >>>>>>>>>>>>>>>> existing instance of this profile on upgrade (but not install) >>>>>>>>>>>>>>>> in case it has been modified. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Other notes: >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> - Still have changes in ipa-server-install (fewer lines now, >>>>>>>>>>>>>>>> though) >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> - Still have the ugly import hack. It is not a high priority >>>>>>>>>>>>>>>> for me, i.e. I think it should wait until after alpha >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> - Still need to update 'service' and 'host' plugins to support >>>>>>>>>>>>>>>> multiple certificates. 
(The userCertificate attribute schema >>>>>>>>>>>>>>>> itself is multi-valued, so there are no schema issues here) >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> - The TODOs in [1]; mostly certprofile CLI conveniences and >>>>>>>>>>>>>>>> supporting multiple profiles for hosts and services (which >>>>>>>>>>>>>>>> requires changes to framework only, not schema). [1]: >>>>>>>>>>>>>>>> http://idm.etherpad.corp.redhat.com/rhel72-cert-mgmt-progress >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Happy reviewing! I am pleased with the initial cut of the >>>>>>>>>>>>>>>> caacl plugin but I'm sure you will find some things to be fixed >>>>>>>>>>>>>>>> :) >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Cheers, Fraser >>>>>>>>>>>>>> [root at vm-093 ~]# ipa-replica-prepare vm-094.example.com >>>>>>>>>>>>>> --ip-address 10.34.78.94 Directory Manager (existing master) >>>>>>>>>>>>>> password: >>>>>>>>>>>>>> >>>>>>>>>>>>>> Preparing replica for vm-094.example.com from vm-093.example.com >>>>>>>>>>>>>> Creating SSL certificate for the Directory Server not well-formed >>>>>>>>>>>>>> (invalid token): line 2, column 14 >>>>>>>>>>>>>> >>>>>>>>>>>>>> I cannot create the replica file. It works on the upgraded server, >>>>>>>>>>>>>> but it doesn't work on the newly installed server. I'm not sure >>>>>>>>>>>>>> if this is caused by your patches, which modify the ca-installer, or >>>>>>>>>>>>>> by the newer version of dogtag. >>>>>>>>>>>>>> >>>>>>>>>>>>>> Or if there were any other changes in master, I will continue to >>>>>>>>>>>>>> investigate with a new RPM from the master branch. >>>>>>>>>>>>>> >>>>>>>>>>>>>> Martin^2 >>>>>>>>>>>>>> >>>>>>>>>>>>> ipa-replica-prepare works for: * master branch * master branch + >>>>>>>>>>>>> pki-ca 10.2.4-1 >>>>>>>>>>>>> >>>>>>>>>>>>> So something in your patches is breaking it >>>>>>>>>>>>> >>>>>>>>>>>>> Martin^2 >>>>>>>>>>>>> >>>>>>>>>>>> Martin, master + my patches with pki 10.2.4-1 is working for me on >>>>>>>>>>>> f21 and f22. 
Can you provide ipa-replica-prepare --debug output and >>>>>>>>>>>> Dogtag debug log? ( /var/log/pki/pki-tomcat/ca/debug ) >>>>>>>>>>>> >>>>>>>>>>>> Thanks, >>>>>>>>>>>> Fraser >>>>>>>>>>> I can not reproduce it today. And I already recycled the VMs from >>>>>>>>>>> yesterday. :-( >>>>>>>>>>> >>>>>>>>>> In that case I would suggest ACKing&pushing the patch and fixing the >>>>>>>>>> bug if >>>>>>>>>> it comes again. The tree may now be a bit unstable, given the number of >>>>>>>>>> patches going in. >>>>>>>>>> >>>>>>>>>> My main motivation here is to unblock Fraser. >>>>>>>>>> >>>>>>>>>> Thanks, >>>>>>>>>> Martin >>>>>>>>> Rebased patchset attached; no other changes. >>>>>>>> Heads up: I just discovered I have introduced a bug with >>>>>>>> ipa-replica-install, when it is spawning the CA instance. I think >>>>>>>> replication it only causes issues with ``--setup-ca``. >>>>>>>> >>>>>>>> I will try and sort it out tomorrow or later tonight (I have to head >>>>>>>> out for a few hours now, though); and I'm not suggesting it should >>>>>>>> block the push but it's something to be aware of. >>>>>>>> >>>>>>>> Cheers, >>>>>>>> Fraser >>>>>>>> >>>>>>> New patchset attached ; haven't gotten to the bottom of the >>>>>>> ipa-replica-install issue mentioned above, but it fixes an upgrade >>>>>>> bug. >>>>>>> >>>>>>> The change is: >>>>>>> >>>>>>> diff --git a/ipaserver/install/server/upgrade.py >>>>>>> b/ipaserver/install/server/upgrade.py >>>>>>> index c288282..c5f4d37 100644 >>>>>>> --- a/ipaserver/install/server/upgrade.py >>>>>>> +++ b/ipaserver/install/server/upgrade.py >>>>>>> @@ -316,7 +316,7 @@ def ca_enable_ldap_profile_subsystem(ca): >>>>>>> caconfig.CS_CFG_PATH, >>>>>>> directive, >>>>>>> separator='=') >>>>>>> - if value == 'ProfileSubsystem': >>>>>>> + if value == 'com.netscape.cmscore.profile.ProfileSubsystem': >>>>>>> needs_update = True >>>>>>> break >>>>>>> except OSError, e: 
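Review bot: the match in the `@@ -316` hunk of upgrade.py is now an exact comparison against `com.netscape.cmscore.profile.ProfileSubsystem`, so a CS.cfg whose directive still holds the short `ProfileSubsystem` value the old line matched will never set `needs_update`, and the upgrade will silently leave the LDAP profile subsystem disabled; compare against both spellings (`value in ('ProfileSubsystem', 'com.netscape.cmscore.profile.ProfileSubsystem')`) or log the unexpected value when the loop ends without a match, so an operator can see why profiles were not enabled. The unchanged context line `except OSError, e:` also uses the comma form that the admintool patch elsewhere on this list is replacing with `except OSError as e:` (PEP 3110); converting it while this function is being touched would keep the file consistent.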
>>>>>>> @@ -328,7 +328,7 @@ def ca_enable_ldap_profile_subsystem(ca): >>>>>>> installutils.set_directive( >>>>>>> caconfig.CS_CFG_PATH, >>>>>>> directive, >>>>>>> - 'LDAPProfileSubsystem', >>>>>>> + 'com.netscape.cmscore.profile.LDAPProfileSubsystem', >>>>>>> quotes=False, >>>>>>> separator='=') >>>>>>> >>>>>>> Cheers, >>>>>>> Fraser >>>>>>> >>>>>>> >>>>>> Thank you, >>>>>> >>>>>> 1) >>>>>> ipa-getcert request (getcert -c IPA) >>>>>> doesn't work, >>>>>> >>>>>> Request ID '20150602145845': >>>>>> status: CA_REJECTED >>>>>> ca-error: Server at https://vm-137.example.com/ipa/xml denied our >>>>>> request, giving up: 3007 (RPC failed at server. 'profile_id' is required). >>>>>> >>>>>> 2) >>>>>> Error from rpm install >>>>>> Unexpected error - see /var/log/ipaupgrade.log for details: >>>>>> SkipPluginModule: dogtag not selected as RA plugin >>>>>> >>>>>> Just for the record as a known issue, this will be fixed later in a new patch. >>>>>> >>>>>> 3) >>>>>> + Str('profile_id', validate_profile_id, >>>>>> + label=_("Profile ID"), >>>>>> + doc=_("Certificate Profile to use"), >>>>>> + ) >>>>>> Please mark this param as optional. ('profile_id?') >>>>>> This will fix issue 1, but 1 will need an option to specify profile_id >>>>>> >>>>>> Also move the API related change from patch 9 to patch 11 + increment VERSION >>>>>> >>>>>> 4) >>>>>> * Maybe I do everything wrong :) >>>>>> >>>>>> I'm not able to create a certificate stored in FILE, via ipa-getcert request. >>>>>> I'm getting the error: >>>>>> status: CA_UNREACHABLE >>>>>> ca-error: Server at https://vm-137.example.com/ipa/xml failed request, >>>>>> will retry: 4001 (RPC failed at server. vm-137.example.com at example.com: host >>>>>> not found). >>>>>> >>>>>> or the error: >>>>>> Request ID '20150602154115': >>>>>> status: CA_REJECTED >>>>>> ca-error: Server at https://vm-137.example.com/ipa/xml denied our >>>>>> request, giving up: 2100 (RPC failed at server. Insufficient access: not >>>>>> allowed to perform this command). 
>>>>>> (I'm root and kinited as admin) >>>>>> >>>>>> Maybe additional ACI is required for cert_request as it is VirtualCommand >>>>>> >>>>>> >>>>>> -- >>>>>> Martin Basti >>>>>> >>>>> Thanks for report. Attached patchset should fix the certmonger >>>>> issues, and also makes cert-request --profile-id argument optional. >>>>> >>>>> The changes were fixup'd into the appropriate patches but the >>>>> combined diff follows. (Note that the API.txt and VERSION changes >>>>> you recommended were executed but are missing from this diff.) >>>>> >>>>> Thanks, >>>>> Fraser >>>>> >>>>> diff --git a/ipalib/plugins/caacl.py b/ipalib/plugins/caacl.py >>>>> index c09df86..a9dde86 100644 >>>>> --- a/ipalib/plugins/caacl.py >>>>> +++ b/ipalib/plugins/caacl.py >>>>> @@ -12,7 +12,7 @@ from ipalib.plugins.baseldap import ( >>>>> LDAPUpdate, LDAPRetrieve, LDAPAddMember, LDAPRemoveMember, >>>>> pkey_to_value) >>>>> from ipalib.plugins.certprofile import validate_profile_id >>>>> -from ipalib.plugins.service import normalize_principal >>>>> +from ipalib.plugins.service import normalize_principal, split_any_principal >>>>> from ipalib import _, ngettext >>>>> from ipapython.dn import DN >>>>> @@ -69,7 +69,7 @@ def _acl_make_request(principal_type, principal, ca_ref, >>>>> profile_id): >>>>> groups = user_obj.get('memberof_group', []) >>>>> groups += user_obj.get('memberofindirect_group', []) >>>>> elif principal_type == 'host': >>>>> - hostname = principal[5:] >>>>> + service, hostname, realm = split_any_principal(principal) >>>>> host_obj = api.Command.host_show(hostname)['result'] >>>>> groups = host_obj.get('memberof_hostgroup', []) >>>>> groups += host_obj.get('memberofindirect_hostgroup', []) >>>>> diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py >>>>> index 70ae610..1878e5a 100644 >>>>> --- a/ipalib/plugins/cert.py >>>>> +++ b/ipalib/plugins/cert.py 
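Review bot: in the `@@ -69` hunk of caacl.py the `host` branch now unpacks `service, hostname, realm = split_any_principal(principal)` without checking that `service == 'host'`; the old `principal[5:]` slice at least assumed a `host/` prefix, whereas the new code resolves a hostname out of any service principal and then looks up that host's group memberships as though the caller were the host itself. Add an explicit check that the service component is `host` (raising a validation error otherwise) so a non-host principal routed through `principal_type == 'host'` cannot inherit host-group based ACL matches, and either use or underscore-prefix the unused `service` and `realm` names.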
>>>>> @@ -247,7 +247,7 @@ class cert_request(VirtualCommand): >>>>> default=False, >>>>> autofill=True >>>>> ), >>>>> - Str('profile_id', validate_profile_id, >>>>> + Str('profile_id?', validate_profile_id, >>>>> label=_("Profile ID"), >>>>> doc=_("Certificate Profile to use"), >>>>> ) >>>>> @@ -346,7 +346,14 @@ class cert_request(VirtualCommand): >>>>> bind_principal = split_any_principal(getattr(context, 'principal')) >>>>> bind_service, bind_name, bind_realm = bind_principal >>>>> - if bind_principal != principal: >>>>> + if bind_service is None: >>>>> + bind_principal_type = USER >>>>> + elif bind_service == 'host': >>>>> + bind_principal_type = HOST >>>>> + else: >>>>> + bind_principal_type = SERVICE >>>>> + >>>>> + if bind_principal != principal and bind_principal_type != HOST: >>>>> # Can the bound principal request certs for another principal? >>>>> self.check_access() >>>>> @@ -359,7 +366,7 @@ class cert_request(VirtualCommand): >>>>> error=_("Failure decoding Certificate Signing Request: >>>>> %s") % e) >>>>> # host principals may bypass allowed ext check >>>>> - if bind_service != 'host': >>>>> + if bind_principal_type != HOST: >>>>> for ext in extensions: >>>>> operation = self._allowed_extensions.get(ext) >>>>> if operation: >>>>> diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py >>>>> index 659751e..53085f7 100644 >>>>> --- a/ipapython/dogtag.py >>>>> +++ b/ipapython/dogtag.py 
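Review bot: the `@@ -346` hunk of cert.py changes the access gate to `if bind_principal != principal and bind_principal_type != HOST:`, so a bound host principal now skips `check_access()` entirely when requesting a certificate for any other principal; nothing in the hunk limits the target to services on the binding host (`bind_name`), and the comment above the call, `# Can the bound principal request certs for another principal?`, is exactly the question no longer asked for hosts. Either keep the `check_access()` call for hosts and grant the needed permission explicitly, or narrow the bypass to targets whose hostname equals `bind_name` and state in the code that the CA ACL evaluation is relied on for everything else. The companion change in `@@ -359` (`bind_principal_type != HOST` for the allowed-extension check) is equivalent to the previous `bind_service != 'host'` test and is fine.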
>>>>> @@ -47,7 +47,7 @@ INCLUDED_PROFILES = { >>>>> (u'caIPAserviceCert', u'Standard profile for network services', True), >>>>> } >>>>> -DEFAULT_PROFILE = 'caIPAserviceCert' >>>>> +DEFAULT_PROFILE = u'caIPAserviceCert' >>>>> class Dogtag10Constants(object): >>>>> DOGTAG_VERSION = 10 >>>> Should the user certificates behave in the same way as host and service >>>> certificates, i.e should be revoked after user-del or user-mod operation?? >>>> If yes it would be an additional patch. >>>> >>>> Please move API.txt fragment from patch 9 to patch 11 >>>> With this change ACK for patches 1-11, to unblock testing. For patches 12-13 >>>> I need more time. >>>> >>>> -- >>>> Martin Basti >>>> >>> Updated patches attached. Only your requested change for 1-11. For >>> 12-13 (caacl plugin) it was updated to LDAPAddMember and >>> LDAPRemoveMember functionality for adding profiles to ACL - this has >>> the desirable effect of making sure the profile actually exists :) >>> >>> Thanks, >>> Fraser >> Hello, >> >> design page needs upgrade >> >> Please fix >> 1) >> ngettext/ugettext missing? (several times) >> ('%i object added.', '%i objects added.') >> >> 2) >> --allprofiles=BOOL Allow use of all profiles >> --allusers=BOOL Allow all users >> --allhosts=BOOL Allow all hosts >> --allservices=BOOL Allow all services >> >> Other commands use the separate words with '-', I suggest to use >> --all-profiles=True, etc.. > For these, should we follow the example in hbacrule or sudorule: > > # ipa hbacrule-mod --help > Usage: ipa [global-options] hbacrule-mod NAME [options] > > Modify an HBAC rule. > Options: > -h, --help show this help message and exit > --usercat=['all'] User category the rule applies to > --hostcat=['all'] Host category the rule applies to > --servicecat=['all'] Service category the rule applies to > > i.e. 
what I think Martin describes in 4) > >> 3) >> In the following example, the ACL name is missing: >> + ipa caacl-add-user --user=alice >> >> 4) >> attributes 'ipaCaAclAllCAs', 'ipaCaAclAllProfiles', 'ipaCaAclAllUsers', >> 'ipaCaAclAllHosts', 'ipaCaAclAllServices' should be called ipaCaAclCAsCategory, >> etc... to be consistent, please reuse usercategory, hostcategory, etc. and >> create new category attribute definitions for the rest. >> Please read sudorule.py for details. >> Respectively, instead of BOOLEAN True, the value 'all' should be there. This allows >> it to be extended in future. >> >> 5) >> Missing referint plugin configuration for attribute 'ipacaaclmembercertprofile' >> Please add it into install/updates/25-referint.update (+ other member >> attributes if missing) >> >> 6) >> ACI: >> 'memberhostgroup' is neither a virtual nor a real attribute, please remove it from >> there (Honza told me there is an error in the HBAC ipa plugin, I will send a fix) >> 7) Missing upgrade? + self.step("creating default CA ACL rule", self.add_caacl) This was added to dsinstance, but I cannot find it in upgrade. -- Martin Basti From pspacek at redhat.com Thu Jun 4 14:03:22 2015 From: pspacek at redhat.com (Petr Spacek) Date: Thu, 04 Jun 2015 16:03:22 +0200 Subject: [Freeipa-devel] [PATCH 0050] Allow to skip lint when building FreeIPA. In-Reply-To: <55704E99.4010008@redhat.com> References: <5570267E.1040402@redhat.com> <20150604104311.GC10162@redhat.com> <55702FD4.1050607@redhat.com> <20150604111042.GD10162@redhat.com> <55704E99.4010008@redhat.com> Message-ID: <55705AAA.7050600@redhat.com> On 4.6.2015 15:11, Rob Crittenden wrote: > Alexander Bokovoy wrote: >> On Thu, 04 Jun 2015, David Kupka wrote: >>> On 06/04/2015 12:43 PM, Alexander Bokovoy wrote: >>>> On Thu, 04 Jun 2015, David Kupka wrote: >>>>> >>>>> -- >>>>> David Kupka >>>> >>>>> From f68607e9a3db4cd8893c465d804615aac34afc29 Mon Sep 17 00:00:00 2001 
>>>>> From: David Kupka >>>>> Date: Thu, 4 Jun 2015 12:10:37 +0200 >>>>> Subject: [PATCH] Allow to skip lint when building FreeIPA. >>>>> >>>>> Target 'lint' does nothing when SKIP_LINT is set to anything else than >>>>> "no". >>>>> By default the variable is unset and lint is executed as always was. >>>> Is there any reason to support this? >>>> >>>> I personally don't like to be able to skip lint as Python gives you too >>>> many ways of shooting yourself. >>>> >>> >>> On the other hand, running lint every time even when building >>> unchanged master is waste of (a lot of) time. I really prefer running >>> ./make-lint (or make lint) to check the code and 'make rpms' to build >>> packages. >>> >>> Moreover, the default behavior stays the same, lint is always run. >> So you can add a hook to use a git committish and check the change >> between them so that only when there is indeed a change, you run lint. >> And for cases when you are running off a tarball, simply disable lint -- >> automatically. >> >> What in reality will happen if we allow setting SKIP_LINT permanently in >> the environment, we'd be less careful on the code checks. Sorry to be >> harsh here but that is how it goes. If lint is costly to run, optimize >> to run it only when it really is needed but not disable it voluntarily. >> > > +1 > > I totally agree that it is getting out of hand speed/resource-wise. I had more > than one build fail due to OOM. But I don't think disabling it is the right > way because, as Alexander said, once disabled always disabled. Sorry, I do not agree. All automated build systems will not have the variable defined so arbitrary pylint-detectable error will be *in the worst case* (where no developer ever runs pylint) caught by: - Jenkins builds (after each commit) - Coverity build (every day) - COPR (as needed) - Koji (before packages for Fedora are built). 
That sounds like a good resource trade-off, especially if we agree that automated tests are necessary anyway because pylint cannot uncover semantic errors. -- Petr^2 Spacek From pvoborni at redhat.com Thu Jun 4 14:03:52 2015 
From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 04 Jun 2015 16:03:52 +0200 Subject: [Freeipa-devel] with new cert profiles patches ipa-replica-prepare fails after update Message-ID: <55705AC8.4070502@redhat.com> - ipa-replica-prepare works - old IPA server was upgraded to today's master (with Cert profiles patches) - ipa-replica-prepare fails with: Log: ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server ipa: DEBUG: cert valid True for "CN=repl.example.com,O=EXAMPLE.COM" ipa: DEBUG: handshake complete, peer = [beef::cafe]:8443 ipa: DEBUG: Protocol: TLS1.2 ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_128_GCM_SHA256 ipa: DEBUG: request status 200 ipa: DEBUG: request reason_phrase u'OK' ipa: DEBUG: request headers {'date': 'Thu, 04 Jun 2015 13:54:09 GMT', 'content-length': '148', 'content-type': 'application/xml', 'server': 'Apache-Coyote/1.1'} ipa: DEBUG: request body '1Profile caIPAserviceCert Not Found' ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute return_value = self.run() File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 338, in run self.copy_ds_certificate() File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 383, in copy_ds_certificate self.export_certdb("dscert", passwd_fname) File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 595, in export_certdb db.create_server_cert(nickname, hostname, ca_db) File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 337, in create_server_cert cdb.issue_server_cert(self.certreq_fname, self.certder_fname) File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 419, in issue_server_cert raise RuntimeError("Certificate issuance failed") -- Petr Vobornik From mbasti at redhat.com Thu Jun 4 14:08:45 2015 
From: mbasti at redhat.com (Martin Basti) Date: Thu, 04 Jun 2015 16:08:45 +0200 Subject: [Freeipa-devel] SkipPluginModule error raised during new code installation In-Reply-To: <557058EB.2010703@redhat.com> References: <557058EB.2010703@redhat.com> Message-ID: <55705BED.80506@redhat.com> On 04/06/15 15:55, Oleg Fayans wrote: > Hi everybody > > The following error was raised during the installation of the freeipa > packages built from the current master branch: > > ofayans at f22master:~/freeipa/dist/rpms]$ sudo rpm -ihv *.rpm > Preparing... ################################# [100%] > Updating / installing... > 1:freeipa-python-4.1.99.20150604133################################# [ > 14%] > 2:freeipa-client-4.1.99.20150604133################################# [ > 29%] > 3:freeipa-admintools-4.1.99.2015060################################# [ > 43%] > 4:freeipa-server-4.1.99.20150604133################################# [ > 57%] > 5:freeipa-server-trust-ad-4.1.99.20################################# [ > 71%] > 6:freeipa-tests-4.1.99.201506041338################################# [ > 86%] > 7:freeipa-debuginfo-4.1.99.20150604################################# > [100%] > Unexpected error - see /var/log/ipaupgrade.log for details: > SkipPluginModule: dogtag not selected as RA plugin > > The corresponding part of the ipaupgrade.log is as follows: > > 2015-06-04T13:48:36Z DEBUG File > "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, > in execute > return_value = self.run() > File > "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", > line 44, in run > import ipaserver.plugins.dogtag # ensure profile backend gets loaded > File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", > line 1273, in > raise SkipPluginModule(reason='dogtag not selected as RA plugin') > > 2015-06-04T13:48:36Z DEBUG The ipa-server-upgrade command failed, > exception: SkipPluginModule: dogtag not selected as RA plugin > > This error is observed both on 
f22 and f21 machines. > > the only patch that I applied on top of the master branch is this: > freeipa-lkrispen-0011-check-for-existing-and-self-referential-segments.patch > > Known issue, caused by CA profiles patches. Fix for this requires additional patches for IPA api from Honza. -- Martin Basti From rcritten at redhat.com Thu Jun 4 14:09:30 2015 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 04 Jun 2015 10:09:30 -0400 Subject: [Freeipa-devel] [PATCH 0050] Allow to skip lint when building FreeIPA. In-Reply-To: <55705AAA.7050600@redhat.com> References: <5570267E.1040402@redhat.com> <20150604104311.GC10162@redhat.com> <55702FD4.1050607@redhat.com> <20150604111042.GD10162@redhat.com> <55704E99.4010008@redhat.com> <55705AAA.7050600@redhat.com> Message-ID: <55705C1A.6000100@redhat.com> Petr Spacek wrote: > On 4.6.2015 15:11, Rob Crittenden wrote: >> Alexander Bokovoy wrote: >>> On Thu, 04 Jun 2015, David Kupka wrote: >>>> On 06/04/2015 12:43 PM, Alexander Bokovoy wrote: >>>>> On Thu, 04 Jun 2015, David Kupka wrote: >>>>>> >>>>>> -- >>>>>> David Kupka >>>>> >>>>>> From f68607e9a3db4cd8893c465d804615aac34afc29 Mon Sep 17 00:00:00 2001 
>>>>>> From: David Kupka >>>>>> Date: Thu, 4 Jun 2015 12:10:37 +0200 >>>>>> Subject: [PATCH] Allow to skip lint when building FreeIPA. >>>>>> >>>>>> Target 'lint' does nothing when SKIP_LINT is set to anything else than >>>>>> "no". >>>>>> By default the variable is unset and lint is executed as always was. >>>>> Is there any reason to support this? >>>>> >>>>> I personally don't like to be able to skip lint as Python gives you too >>>>> many ways of shooting yourself. >>>>> >>>> >>>> On the other hand, running lint every time even when building >>>> unchanged master is waste of (a lot of) time. I really prefer running >>>> ./make-lint (or make lint) to check the code and 'make rpms' to build >>>> packages. >>>> >>>> Moreover, the default behavior stays the same, lint is always run. >>> So you can add a hook to use a git committish and check the change >>> between them so that only when there is indeed a change, you run lint. >>> And for cases when you are running off a tarball, simply disable lint -- >>> automatically. >>> >>> What in reality will happen if we allow setting SKIP_LINT permanently in >>> the environment, we'd be less careful on the code checks. Sorry to be >>> harsh here but that is how it goes. If lint is costly to run, optimize >>> to run it only when it really is needed but not disable it voluntarily. >>> >> >> +1 >> >> I totally agree that it is getting out of hand speed/resource-wise. I had more >> than one build fail due to OOM. But I don't think disabling it is the right >> way because, as Alexander said, once disabled always disabled. > > Sorry, I do not agree. All automated build systems will not have the variable > defined so arbitrary pylint-detectable error will be *in the worst case* > (where no developer ever runs pylint) caught by: > - Jenkins builds (after each commit) > - Coverity build (every day) > - COPR (as needed) > - Koji (before packages for Fedora are built). 
> > That sounds like a good resource trade-off, especially if we agree that > automated tests are necessary anyway because pylint cannot uncover semantic > errors. > We did this specifically to keep bad changes out of the tree. You're suggesting catching them after commit rather than before. We tried that, it didn't work out so well. rob From ofayans at redhat.com Thu Jun 4 14:14:48 2015 
From: ofayans at redhat.com (Oleg Fayans) Date: Thu, 04 Jun 2015 16:14:48 +0200 Subject: [Freeipa-devel] SkipPluginModule error raised during new code installation In-Reply-To: <55705BED.80506@redhat.com> References: <557058EB.2010703@redhat.com> <55705BED.80506@redhat.com> Message-ID: <55705D58.5030706@redhat.com> Thanks! Is it critical for using the code? On 06/04/2015 04:08 PM, Martin Basti wrote: > On 04/06/15 15:55, Oleg Fayans wrote: >> Hi everybody >> >> The following error was raised during the installation of the >> freeipa packages built from the current master branch: >> >> ofayans at f22master:~/freeipa/dist/rpms]$ sudo rpm -ihv *.rpm >> Preparing... ################################# [100%] >> Updating / installing... >> 1:freeipa-python-4.1.99.20150604133################################# >> [ 14%] >> 2:freeipa-client-4.1.99.20150604133################################# >> [ 29%] >> 3:freeipa-admintools-4.1.99.2015060################################# >> [ 43%] >> 4:freeipa-server-4.1.99.20150604133################################# >> [ 57%] >> 5:freeipa-server-trust-ad-4.1.99.20################################# >> [ 71%] >> 6:freeipa-tests-4.1.99.201506041338################################# >> [ 86%] >> 7:freeipa-debuginfo-4.1.99.20150604################################# >> [100%] >> Unexpected error - see /var/log/ipaupgrade.log for details: >> SkipPluginModule: dogtag not selected as RA plugin >> >> The corresponding part of the ipaupgrade.log is as follows: >> >> 2015-06-04T13:48:36Z DEBUG File >> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, >> in execute >> return_value = self.run() >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", >> line 44, in run >> import ipaserver.plugins.dogtag # ensure profile backend gets >> loaded >> File >> "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line >> 1273, in >> raise SkipPluginModule(reason='dogtag not selected as RA plugin') >> >> 
2015-06-04T13:48:36Z DEBUG The ipa-server-upgrade command failed, >> exception: SkipPluginModule: dogtag not selected as RA plugin >> >> This error is observed both on f22 and f21 machines. >> >> the only patch that I applied on top of the master branch is this: >> freeipa-lkrispen-0011-check-for-existing-and-self-referential-segments.patch >> >> > > Known issue, caused by CA profiles patches. > > Fix for this requires additional patches for IPA api from Honza. > -- Oleg Fayans Quality Engineer FreeIPA team RedHat. From tbabej at redhat.com Thu Jun 4 14:14:47 2015 
From: tbabej at redhat.com (Tomas Babej) Date: Thu, 04 Jun 2015 16:14:47 +0200 Subject: [Freeipa-devel] SkipPluginModule error raised during new code installation In-Reply-To: <557058EB.2010703@redhat.com> References: <557058EB.2010703@redhat.com> Message-ID: <55705D57.1000107@redhat.com> On 06/04/2015 03:55 PM, Oleg Fayans wrote: > Hi everybody > > The following error was raised during the installation of the freeipa > packages built from the current master branch: > > ofayans at f22master:~/freeipa/dist/rpms]$ sudo rpm -ihv *.rpm > Preparing... ################################# [100%] > Updating / installing... > 1:freeipa-python-4.1.99.20150604133################################# [ 14%] > 2:freeipa-client-4.1.99.20150604133################################# [ 29%] > 3:freeipa-admintools-4.1.99.2015060################################# [ 43%] > 4:freeipa-server-4.1.99.20150604133################################# [ 57%] > 5:freeipa-server-trust-ad-4.1.99.20################################# [ 71%] > 6:freeipa-tests-4.1.99.201506041338################################# [ 86%] > 7:freeipa-debuginfo-4.1.99.20150604################################# [100%] > Unexpected error - see /var/log/ipaupgrade.log for details: > SkipPluginModule: dogtag not selected as RA plugin > > The corresponding part of the ipaupgrade.log is as follows: > > 2015-06-04T13:48:36Z DEBUG File > "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in > execute > return_value = self.run() > File > "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", > line 44, in run > import ipaserver.plugins.dogtag # ensure profile backend gets loaded > File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", > line 1273, in > raise SkipPluginModule(reason='dogtag not selected as RA plugin') > > 2015-06-04T13:48:36Z DEBUG The ipa-server-upgrade command failed, > exception: SkipPluginModule: dogtag not selected as RA plugin > > This error is observed both on f22 and 
f21 machines. > > the only patch that I applied on top of the master branch is this: > freeipa-lkrispen-0011-check-for-existing-and-self-referential-segments.patch > >
Hi Oleg, please make sure the values in the .ipa/default.conf and /etc/ipa/default.conf are valid. The exception you encountered is raised in this part of the code:

    if api.env.ra_plugin != 'dogtag':
        # In this case, abort loading this plugin module...
        raise SkipPluginModule(reason='dogtag not selected as RA plugin')

For a newly installed IPA master, I am not hitting this issue. I can see that /etc/ipa/default.conf does contain the correct value on my machine:

    [global]
    ...
    ra_plugin=dogtag
    ...

Additionally, you can try running:

    $ ipa console
    (Custom IPA interactive Python console)
    >>> from ipalib import api
    >>> api.env.ra_plugin
    u'dogtag'
    >>>

HTH, Tomas From mbasti at redhat.com Thu Jun 4 14:16:06 2015 
From: mbasti at redhat.com (Martin Basti) Date: Thu, 04 Jun 2015 16:16:06 +0200 Subject: [Freeipa-devel] SkipPluginModule error raised during new code installation In-Reply-To: <55705D58.5030706@redhat.com> References: <557058EB.2010703@redhat.com> <55705BED.80506@redhat.com> <55705D58.5030706@redhat.com> Message-ID: <55705DA6.8090408@redhat.com> On 04/06/15 16:14, Oleg Fayans wrote: > Thanks! > > Is it critical for using the code? No, this exception is raised only when IPA is not installed, and you do not need IPA upgrade without installed IPA. > > On 06/04/2015 04:08 PM, Martin Basti wrote: >> On 04/06/15 15:55, Oleg Fayans wrote: >>> Hi everybody >>> >>> The following error was raised during the installation of the >>> freeipa packages built from the current master branch: >>> >>> ofayans at f22master:~/freeipa/dist/rpms]$ sudo rpm -ihv *.rpm >>> Preparing... ################################# [100%] >>> Updating / installing... >>> 1:freeipa-python-4.1.99.20150604133################################# >>> [ 14%] >>> 2:freeipa-client-4.1.99.20150604133################################# >>> [ 29%] >>> 3:freeipa-admintools-4.1.99.2015060################################# >>> [ 43%] >>> 4:freeipa-server-4.1.99.20150604133################################# >>> [ 57%] >>> 5:freeipa-server-trust-ad-4.1.99.20################################# >>> [ 71%] >>> 6:freeipa-tests-4.1.99.201506041338################################# >>> [ 86%] >>> 7:freeipa-debuginfo-4.1.99.20150604################################# >>> [100%] >>> Unexpected error - see /var/log/ipaupgrade.log for details: >>> SkipPluginModule: dogtag not selected as RA plugin >>> >>> The corresponding part of the ipaupgrade.log is as follows: >>> >>> 2015-06-04T13:48:36Z DEBUG File >>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, >>> in execute >>> return_value = self.run() >>> File >>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", >>> line 44, in run >>> import 
ipaserver.plugins.dogtag # ensure profile backend gets >>> loaded >>> File >>> "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line >>> 1273, in >>> raise SkipPluginModule(reason='dogtag not selected as RA plugin') >>> >>> 2015-06-04T13:48:36Z DEBUG The ipa-server-upgrade command failed, >>> exception: SkipPluginModule: dogtag not selected as RA plugin >>> >>> This error is observed both on f22 and f21 machines. >>> >>> the only patch that I applied on top of the master branch is this: >>> freeipa-lkrispen-0011-check-for-existing-and-self-referential-segments.patch >>> >>> >> >> Known issue, caused by CA profiles patches. >> >> Fix for this requires additional patches for IPA api from Honza. >> > -- Martin Basti From abokovoy at redhat.com Thu Jun 4 14:18:44 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 4 Jun 2015 17:18:44 +0300 Subject: [Freeipa-devel] [PATCH 0050] Allow to skip lint when building FreeIPA. In-Reply-To: <55705AAA.7050600@redhat.com> References: <5570267E.1040402@redhat.com> <20150604104311.GC10162@redhat.com> <55702FD4.1050607@redhat.com> <20150604111042.GD10162@redhat.com> <55704E99.4010008@redhat.com> <55705AAA.7050600@redhat.com> Message-ID: <20150604141844.GE10162@redhat.com> On Thu, 04 Jun 2015, Petr Spacek wrote: >On 4.6.2015 15:11, Rob Crittenden wrote: >> Alexander Bokovoy wrote: >>> On Thu, 04 Jun 2015, David Kupka wrote: >>>> On 06/04/2015 12:43 PM, Alexander Bokovoy wrote: >>>>> On Thu, 04 Jun 2015, David Kupka wrote: >>>>>> >>>>>> -- >>>>>> David Kupka >>>>> >>>>>> From f68607e9a3db4cd8893c465d804615aac34afc29 Mon Sep 17 00:00:00 2001 
>>>>>> From: David Kupka
>>>>>> Date: Thu, 4 Jun 2015 12:10:37 +0200
>>>>>> Subject: [PATCH] Allow to skip lint when building FreeIPA.
>>>>>>
>>>>>> Target 'lint' does nothing when SKIP_LINT is set to anything other than
>>>>>> "no".
>>>>>> By default the variable is unset and lint is executed as it always was.
>>>>> Is there any reason to support this?
>>>>>
>>>>> I personally don't like to be able to skip lint as Python gives you too
>>>>> many ways of shooting yourself.
>>>>>
>>>>
>>>> On the other hand, running lint every time even when building
>>>> unchanged master is a waste of (a lot of) time. I really prefer running
>>>> ./make-lint (or make lint) to check the code and 'make rpms' to build
>>>> packages.
>>>>
>>>> Moreover, the default behavior stays the same, lint is always run.
>>> So you can add a hook to use a git committish and check the change
>>> between them so that only when there is indeed a change, you run lint.
>>> And for cases when you are running off a tarball, simply disable lint --
>>> automatically.
>>>
>>> What in reality will happen if we allow setting SKIP_LINT permanently in
>>> the environment is that we'd be less careful on the code checks. Sorry to be
>>> harsh here but that is how it goes. If lint is costly to run, optimize
>>> to run it only when it really is needed but not disable it voluntarily.
>>>
>>
>> +1
>>
>> I totally agree that it is getting out of hand speed/resource-wise. I had more
>> than one build fail due to OOM. But I don't think disabling it is the right
>> way because, as Alexander said, once disabled always disabled.
>
> Sorry, I do not agree. All automated build systems will not have the variable
> defined so an arbitrary pylint-detectable error will be *in the worst case*
> (where no developer ever runs pylint) caught by:
> - Jenkins builds (after each commit)
Let them run make-lint
> - Coverity build (every day)
> - COPR (as needed)
> - Koji (before packages for Fedora are built).
None of the above run off the git repo directly and none of the above run 'make rpms'. >That sounds like a good resource trade-off, especially if we agree that >automated tests are necessary anyway because pylint cannot uncover semantical >errors. Sorry, this all looks fine until you actually look at the flow in Makefile. lint target is called by rpms: rpmroot rpmdistdir version-update lint tarballs client-rpms: rpmroot rpmdistdir version-update lint tarballs srpms: rpmroot rpmdistdir version-update lint tarballs None of these targets is called when running 'make all' or 'make client' -- / Alexander Bokovoy From pspacek at redhat.com Thu Jun 4 14:23:33 2015 From: pspacek at redhat.com (Petr Spacek) Date: Thu, 04 Jun 2015 16:23:33 +0200 Subject: [Freeipa-devel] [PATCH 0050] Allow to skip lint when building FreeIPA. In-Reply-To: <20150604141844.GE10162@redhat.com> References: <5570267E.1040402@redhat.com> <20150604104311.GC10162@redhat.com> <55702FD4.1050607@redhat.com> <20150604111042.GD10162@redhat.com> <55704E99.4010008@redhat.com> <55705AAA.7050600@redhat.com> <20150604141844.GE10162@redhat.com> Message-ID: <55705F65.7040406@redhat.com> On 4.6.2015 16:18, Alexander Bokovoy wrote: > On Thu, 04 Jun 2015, Petr Spacek wrote: >> On 4.6.2015 15:11, Rob Crittenden wrote: >>> Alexander Bokovoy wrote: >>>> On Thu, 04 Jun 2015, David Kupka wrote: >>>>> On 06/04/2015 12:43 PM, Alexander Bokovoy wrote: >>>>>> On Thu, 04 Jun 2015, David Kupka wrote: >>>>>>> >>>>>>> -- >>>>>>> David Kupka >>>>>> >>>>>>> From f68607e9a3db4cd8893c465d804615aac34afc29 Mon Sep 17 00:00:00 2001 
>>>>>>> From: David Kupka
>>>>>>> Date: Thu, 4 Jun 2015 12:10:37 +0200
>>>>>>> Subject: [PATCH] Allow to skip lint when building FreeIPA.
>>>>>>>
>>>>>>> Target 'lint' does nothing when SKIP_LINT is set to anything other than
>>>>>>> "no".
>>>>>>> By default the variable is unset and lint is executed as it always was.
>>>>>> Is there any reason to support this?
>>>>>>
>>>>>> I personally don't like to be able to skip lint as Python gives you too
>>>>>> many ways of shooting yourself.
>>>>>>
>>>>>
>>>>> On the other hand, running lint every time even when building
>>>>> unchanged master is a waste of (a lot of) time. I really prefer running
>>>>> ./make-lint (or make lint) to check the code and 'make rpms' to build
>>>>> packages.
>>>>>
>>>>> Moreover, the default behavior stays the same, lint is always run.
>>>> So you can add a hook to use a git committish and check the change
>>>> between them so that only when there is indeed a change, you run lint.
>>>> And for cases when you are running off a tarball, simply disable lint --
>>>> automatically.
>>>>
>>>> What in reality will happen if we allow setting SKIP_LINT permanently in
>>>> the environment is that we'd be less careful on the code checks. Sorry to be
>>>> harsh here but that is how it goes. If lint is costly to run, optimize
>>>> to run it only when it really is needed but not disable it voluntarily.
>>>>
>>>
>>> +1
>>>
>>> I totally agree that it is getting out of hand speed/resource-wise. I had more
>>> than one build fail due to OOM. But I don't think disabling it is the right
>>> way because, as Alexander said, once disabled always disabled.
>>
>> Sorry, I do not agree.
All automated build systems will not have the variable
>> defined so an arbitrary pylint-detectable error will be *in the worst case*
>> (where no developer ever runs pylint) caught by:
>> - Jenkins builds (after each commit)
> Let them run make-lint
>
>> - Coverity build (every day)
>> - COPR (as needed)
>> - Koji (before packages for Fedora are built).
> None of the above run off the git repo directly and none of the above
> run 'make rpms'.
>
>> That sounds like a good resource trade-off, especially if we agree that
>> automated tests are necessary anyway because pylint cannot uncover semantical
>> errors.
> Sorry, this all looks fine until you actually look at the flow in
> Makefile.
>
> lint target is called by
>
> rpms: rpmroot rpmdistdir version-update lint tarballs
> client-rpms: rpmroot rpmdistdir version-update lint tarballs
> srpms: rpmroot rpmdistdir version-update lint tarballs
>
> None of these targets is called when running 'make all' or 'make client'

It is surely better to let developers building RPMs 10x a day just replace make-lint with an empty file and *then* let them forget about this change.

This discussion cost me too much time so I'm giving up. Have a nice day!

-- Petr^2 Spacek

From pvoborni at redhat.com Thu Jun 4 14:32:40 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 04 Jun 2015 16:32:40 +0200
Subject: [Freeipa-devel] [PATCH] 863 move replications managers group to, cn=sysaccounts, cn=etc, $SUFFIX
Message-ID: <55706188.2090906@redhat.com>

https://fedorahosted.org/freeipa/ticket/4302
-- Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0863-move-replications-managers-group-to-cn-sysaccounts-c.patch
Type: text/x-patch
Size: 2629 bytes
Desc: not available
URL:

From pvoborni at redhat.com Thu Jun 4 14:32:57 2015
From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 04 Jun 2015 16:32:57 +0200 Subject: [Freeipa-devel] [PATCH] 864 add entries required by topology plugin on update Message-ID: <55706199.8090104@redhat.com> requires patch 863 These entries were not added on upgrade from old IPA servers and on replica creation. https://fedorahosted.org/freeipa/ticket/4302 -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0864-add-entries-required-by-topology-plugin-on-update.patch Type: text/x-patch Size: 1447 bytes Desc: not available URL: From pvoborni at redhat.com Thu Jun 4 15:19:13 2015 From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 04 Jun 2015 17:19:13 +0200 Subject: [Freeipa-devel] [PATCH] 865 fix handling of ldap.LDAPError in installer Message-ID: <55706C71.5020702@redhat.com> based on: http://fpaste.org/228856/25049143/ The patch is not tested. Description: 'info' is optional component in LDAPError http://www.python-ldap.org/doc/html/ldap.html#exceptions -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0865-fix-handling-of-ldap.LDAPError-in-installer.patch Type: text/x-patch Size: 1573 bytes Desc: not available URL: From pspacek at redhat.com Thu Jun 4 15:28:22 2015 
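
Added example for the python-ldap exception handling that the description of patch 865 above points at ('info' is an optional component of LDAPError). This is not FreeIPA's code and not the patch itself (the patch is an attachment, not on this page); the function names are mine. The dict layout it relies on (a single dict in exc.args[0], 'desc' always filled in by libldap, 'info' present only when the server returned diagnostic text) is the one documented for python-ldap. When python-ldap is not importable the block falls back to a constructed stand-in class with the same shape so that it runs offline; the sample exceptions in demo() are constructed, not captured from a server.

```python
"""Robust extraction of 'desc' and the optional 'info' from an LDAPError.

Added example (not FreeIPA code). python-ldap raises exceptions whose
args[0] is a dict; 'desc' is always present, but 'info' appears only when
the server supplied diagnostic text. Indexing 'info' unconditionally
raises KeyError and masks the real LDAP failure the user needed to see.
Works on Python 2 and 3.
"""
try:
    from ldap import LDAPError  # real base class when python-ldap is installed
except ImportError:
    # Constructed stand-in with the same shape as python-ldap's exception,
    # used only so this example runs where python-ldap is not available.
    class LDAPError(Exception):
        pass


def fragile_ldap_error_message(exc):
    """The unsafe pattern: assumes every LDAPError carries an 'info' key."""
    return "%s: %s" % (exc.args[0]['desc'], exc.args[0]['info'])


def ldap_error_message(exc):
    """Return 'desc', plus ': info' only when the server supplied it.

    Also copes with exceptions constructed by Python code itself (a plain
    string argument, or no arguments at all), which an installer may raise
    to signal its own LDAP-related failures.
    """
    detail = exc.args[0] if exc.args else None
    if isinstance(detail, dict):
        desc = detail.get('desc') or exc.__class__.__name__
        info = detail.get('info')
        return "%s: %s" % (desc, info) if info else desc
    if detail is None:
        return exc.__class__.__name__
    return str(detail)


def demo():
    """Run both helpers over constructed sample exceptions (not real server output)."""
    with_info = LDAPError({'desc': "Can't contact LDAP server",
                           'info': 'Transport endpoint is not connected',
                           'errno': 107})
    without_info = LDAPError({'desc': 'Insufficient access'})  # no 'info' key
    results = {
        'robust_with_info': ldap_error_message(with_info),
        'robust_without_info': ldap_error_message(without_info),
        'robust_plain_string': ldap_error_message(LDAPError('bind failed')),
        'robust_no_args': ldap_error_message(LDAPError()),
        'fragile_with_info': fragile_ldap_error_message(with_info),
    }
    try:
        fragile_ldap_error_message(without_info)
        results['fragile_without_info_raises'] = False
    except KeyError:
        # This is the failure mode patch 865 addresses: the KeyError replaces
        # the LDAP error message in the installer output.
        results['fragile_without_info_raises'] = True
    return results


if __name__ == '__main__':
    for key, value in sorted(demo().items()):
        print("%-28s %r" % (key, value))
```

Using `detail.get('info')` rather than `detail['info']` is the whole fix; the rest of the function exists because installer code also raises LDAPError subclasses by hand, and those do not carry the libldap dict at all.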
From: pspacek at redhat.com (Petr Spacek) Date: Thu, 04 Jun 2015 17:28:22 +0200 Subject: [Freeipa-devel] [PATCHES 0233-0234] DNSSEC: forwarders validation In-Reply-To: <556F19D3.70109@redhat.com> References: <553A3D88.6080200@redhat.com> <55423032.9080505@redhat.com> <5548BED1.1060806@redhat.com> <554A1539.3040002@redhat.com> <554B0D69.5040008@redhat.com> <554B3C19.9080002@redhat.com> <554B8F01.9010501@redhat.com> <55561ACD.6070306@redhat.com> <5559D191.4070406@redhat.com> <556EF9C4.9020406@redhat.com> <556F19D3.70109@redhat.com> Message-ID: <55706E96.8000807@redhat.com> On 3.6.2015 17:14, Martin Basti wrote: > On 03/06/15 14:57, Petr Spacek wrote: >> On 18.5.2015 13:48, Martin Basti wrote: >>> On 15/05/15 18:11, Petr Spacek wrote: >>>> On 7.5.2015 18:12, Martin Basti wrote: >>>>> On 07/05/15 12:19, Petr Spacek wrote: >>>>>> On 7.5.2015 08:59, David Kupka wrote: >>>>>>> On 05/06/2015 03:20 PM, Martin Basti wrote: >>>>>>>> On 05/05/15 15:00, Martin Basti wrote: >>>>>>>>> On 30/04/15 15:37, David Kupka wrote: >>>>>>>>>> On 04/24/2015 02:56 PM, Martin Basti wrote: >>>>>>>>>>> Patches attached. >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> Hi, >>>>>>>>>> thanks for patches. >>>>>>>>>> >>>>>>>>>> 1. You changed message in DNSServerNotRespondingWarning class but not >>>>>>>>>> the test in ipatest/test_xmlrpc/test_dns_plugin.py >>>>>>>>>> >>>>>>>>>> nitpick. Please spell 'edns' correctly. I've seen several instances >>>>>>>>>> of 'ends'. >>>>>>>>>> >>>>>>>>> Thank you, >>>>>>>>> >>>>>>>>> updated patches attached: >>>>>>>>> * new error messages >>>>>>>>> * logging to debug log server output if exception was raised >>>>>>>>> * fixed test >>>>>>>>> * fixed spelling >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>> Fixed tests (again) >>>>>>>> >>>>>>>> Updated patches attached >>>>>>>> >>>>>>> The code looks good to me and tests are no longer broken. 
(I would prefer
>>>>>>> a better fix of the tests but given that the priorities are different now
>>>>>>> it can
>>>>>>> wait.)
>>>>>>>
>>>>>>> Petr, can you please confirm that the patch set works for you?
>>>>>> Sorry, NACK:
>>>>>>
>>>>>> $ ipa dnsforwardzone-add ptr.test. --forwarder=10.34.47.236
>>>>>> Server will check DNS forwarder(s).
>>>>>> This may take some time, please wait ...
>>>>>> ipa: ERROR: an internal error has occurred
>>>>>>
>>>>>> # /var/log/httpd/error_log
>>>>>> ipa: ERROR: non-public: AssertionError:
>>>>>> Traceback (most recent call last):
>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 350, in wsgi_execute
>>>>>>     result = self.Command[name](*args, **options)
>>>>>>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 443, in __call__
>>>>>>     ret = self.run(*args, **options)
>>>>>>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 760, in run
>>>>>>     return self.execute(*args, **options)
>>>>>>   File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line 4444, in execute
>>>>>>     **options)
>>>>>>   File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line 4405, in _warning_if_forwarders_do_not_work
>>>>>>     log=self.log)
>>>>>>   File "/usr/lib/python2.7/site-packages/ipalib/util.py", line 715, in validate_dnssec_zone_forwarder_step2
>>>>>>     timeout=timeout)
>>>>>>   File "/usr/lib/python2.7/site-packages/ipalib/util.py", line 610, in _resolve_record
>>>>>>     assert isinstance(nameserver_ip, basestring)
>>>>>> AssertionError
>>>>>> ipa: INFO: [jsonserver_session] admin at IPA.EXAMPLE: dnsforwardzone_add(<DNS name ptr.test.>, idnsforwarders=(u'10.34.47.236',), all=False, raw=False, version=u'2.116'): AssertionError
>>>>>>
>>>>>> This is constantly reproducible in my vm-090.abc. Let me know if you
>>>>>> want to
>>>>>> take a look.
>>>>>> >>>>>> >>>>>> I'm attaching little response.patch which improves compatibility with older >>>>>> python-dns packages. This patch allows IPA to work while error messages are >>>>>> simply not as nice as they could be with latest python-dns :-) >>>>>> >>>>>> check_fwd_msg.patch is a little nitpick, just to make sure everyone >>>>>> understands the message. >>>>>> >>>>>> BTW why some messages in check_forwarders() are printed using 'print' and >>>>>> others using logger? I would prefer to use logger for everything to make >>>>>> sure >>>>>> that logs contain all the information, including warnings. >>>>>> >>>>>> Thank you for your time! >>>>>> >>>>> Thank you, fixed. >>>>> >>>>> I added missing except block after forwarders validation step2. >>>> I confirm that this works but I just discovered another deficiency. >>>> >>>> Setup: >>>> - DNSSEC validation is enabled on IPA server >>>> - forwarders uses fake TLD, e.g. 'test.' >>>> - remote DNS server is responding, supports EDNS0 and so on >>>> >>>> $ ipa dnsforwardzone-add ptr.test. --forwarder=10.34.47.236 >>>> Server will check DNS forwarder(s). >>>> This may take some time, please wait ... >>>> ipa: WARNING: DNS server 10.34.78.90: query 'ptr.test. SOA': The DNS query >>>> name does not exist: ptr.test.. >>>> >>>> Huh? Let's check named log: >>>> forward zone 'ptr.test': loaded >>>> validating ./SOA: got insecure response; parent indicates it should be >>>> secure >>>> >>>> Sometimes I get SERVFAIL from IPA server, too. >>>> >>>> >>>> Unfortunately this check was the main reason for writing this patchset so we >>>> need to improve it. >>>> >>>> Maybe validate_dnssec_zone_forwarder_step2() could special-case NXDOMAIN and >>>> print the DNSSEC-validation-failed error, too? The problem is that it could >>>> trigger some false positives because NXDOMAIN may simply be caused by a delay >>>> somewhere. >>>> >>>> Any ideas? 
>>> I added a catch block for NXDOMAIN
>>>> By the way, this is also weird:
>>>>
>>>> $ ipa dnsforwardzone-add ptr.test. --forwarder=10.34.47.236
>>>> Server will check DNS forwarder(s).
>>>> This may take some time, please wait ...
>>>> ipa: ERROR: DNS forward zone with name "ptr.test." already exists
>>>>
>>>> Is it actually doing the check even if the forward zone exists already? (This
>>>> is just a nitpick, not a blocker!)
>>>>
>>> The first part is written by the IPA client, it is not a response from the server.
>>> It is just written when the user uses the --forwarder option.
>>>
>>> Updated patch attached.
>> NACK, it does not work for me - it explodes when I try to add a forward zone:
>>
>> $ ipa dnsforwardzone-add ptr.test. --forwarder=192.0.2.1
>>
>> ipa: ERROR: non-public: TypeError: _warning_if_forwarders_do_not_work() got
>> multiple values for keyword argument 'new_zone'
>> Traceback (most recent call last):
>>   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 350, in wsgi_execute
>>     result = self.Command[name](*args, **options)
>>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 443, in __call__
>>     ret = self.run(*args, **options)
>>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 760, in run
>>     return self.execute(*args, **options)
>>   File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line 4461, in execute
>>     result, new_zone=True, *keys, **options)
>> TypeError: _warning_if_forwarders_do_not_work() got multiple values for
>> keyword argument 'new_zone'
>> ipa: INFO: [jsonserver_session] admin at IPA.EXAMPLE: dnsforwardzone_add(<DNS name ptr.test.>, idnsforwarders=(u'192.0.2.1',), all=False, raw=False, version=u'2.123'): TypeError
>>
> updated patch attached.

Attached patch fixes the case where one domain is shadowed by another domain.

ACK for your patches, please review my patch :-)

-- Petr^2 Spacek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pspacek-0030-DNSSEC-Detect-zone-shadowing-with-incorrect-DNSSEC-s.patch
Type: text/x-patch
Size: 4106 bytes
Desc: not available
URL:

From mbasti at redhat.com Thu Jun 4 15:35:22 2015
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 04 Jun 2015 17:35:22 +0200
Subject: [Freeipa-devel] [PATCH 0001 v2] Migrate now accepts scope as argument
In-Reply-To: <556F4A08.1040202@redhat.com>
References: <556F4A08.1040202@redhat.com>
Message-ID: <5570703A.6080709@redhat.com>

On 03/06/15 20:40, Drew Erny wrote:
> Hi, all,
>
> This is an updated patch, with the code changes suggested by Martin
> Basti in my test email. The biggest difference is that I had to do
>
> >> from ldap import SCOPE_BASE, SCOPE_ONELEVEL, SCOPE_SUBTREE
>
> to get access to those constants in the global scope. This seems like
> a fairly clean solution, but if it's a code smell, feel free to
> suggest improvements. This should have identical behavior to the last
> patch, except it will autofill scope and no longer prompt interactively.
>
> Thanks,
>
> Drew Erny
> derny at redhat.com
>
>
Hello,

please continue discussion in the same thread :)

API.txt was changed, please update the VERSION file, increment the minor version by 1 and edit the comment there. I forgot to tell you yesterday.

Can you rebase your patch to current master? This patch is supposed to go to IPA 4.2.

Is the tuple conversion needed?
values=tuple(_supported_scopes.keys()),

Otherwise patch looks good.

Martin^2

-- Martin Basti
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From abokovoy at redhat.com Thu Jun 4 16:20:08 2015
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 4 Jun 2015 19:20:08 +0300 Subject: [Freeipa-devel] SkipPluginModule error raised during new code installation In-Reply-To: <55705DA6.8090408@redhat.com> References: <557058EB.2010703@redhat.com> <55705BED.80506@redhat.com> <55705D58.5030706@redhat.com> <55705DA6.8090408@redhat.com> Message-ID: <20150604162008.GH10162@redhat.com> On Thu, 04 Jun 2015, Martin Basti wrote: >On 04/06/15 16:14, Oleg Fayans wrote: >>Thanks! >> >>Is it critical for using the code? >No, this exception is raised only when IPA is not installed, and you >do not need IPA upgrade without installed IPA. I've got the same issue when installing IPA. Upgrade runs as one of few last steps during install and I get: 2015-06-04T11:10:23Z DEBUG Logging to /var/log/ipaupgrade.log 2015-06-04T11:10:23Z DEBUG ipa-server-upgrade was invoked with arguments [] and options: {'skip_version_check': False, 'log_file': None, 'force': False, 'verbose': False, 'quiet': True} 2015-06-04T11:10:23Z DEBUG IPA version 4.1.99.201506041059GIT8f0c945-0.fc22 2015-06-04T11:10:23Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute return_value = self.run() File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 44, in run import ipaserver.plugins.dogtag # ensure profile backend gets loaded File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line 1273, in raise SkipPluginModule(reason='dogtag not selected as RA plugin') 2015-06-04T11:10:23Z DEBUG The ipa-server-upgrade command failed, exception: SkipPluginModule: dogtag not selected as RA plugin 2015-06-04T11:10:23Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: SkipPluginModule: dogtag not selected as RA plugin >> >>On 06/04/2015 04:08 PM, Martin Basti wrote: >>>On 04/06/15 15:55, Oleg Fayans wrote: >>>>Hi everybody >>>> >>>>The following error was raised during the installation of the >>>>freeipa packages built 
from the current master branch: >>>> >>>>ofayans at f22master:~/freeipa/dist/rpms]$ sudo rpm -ihv *.rpm >>>>Preparing... ################################# [100%] >>>>Updating / installing... >>>>1:freeipa-python-4.1.99.20150604133################################# >>>>[ 14%] >>>>2:freeipa-client-4.1.99.20150604133################################# >>>>[ 29%] >>>>3:freeipa-admintools-4.1.99.2015060################################# >>>>[ 43%] >>>>4:freeipa-server-4.1.99.20150604133################################# >>>>[ 57%] >>>>5:freeipa-server-trust-ad-4.1.99.20################################# >>>>[ 71%] >>>>6:freeipa-tests-4.1.99.201506041338################################# >>>>[ 86%] >>>>7:freeipa-debuginfo-4.1.99.20150604################################# >>>>[100%] >>>>Unexpected error - see /var/log/ipaupgrade.log for details: >>>>SkipPluginModule: dogtag not selected as RA plugin >>>> >>>>The corresponding part of the ipaupgrade.log is as follows: >>>> >>>>2015-06-04T13:48:36Z DEBUG File >>>>"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line >>>>171, in execute >>>> return_value = self.run() >>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", >>>>line 44, in run >>>> import ipaserver.plugins.dogtag # ensure profile backend >>>>gets loaded >>>> File >>>>"/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", >>>>line 1273, in >>>> raise SkipPluginModule(reason='dogtag not selected as RA plugin') >>>> >>>>2015-06-04T13:48:36Z DEBUG The ipa-server-upgrade command >>>>failed, exception: SkipPluginModule: dogtag not selected as RA >>>>plugin >>>> >>>>This error is observed both on f22 and f21 machines. >>>> >>>>the only patch that I applied on top of the master branch is this: >>>>freeipa-lkrispen-0011-check-for-existing-and-self-referential-segments.patch >>>> >>>> >>> >>>Known issue, caused by CA profiles patches. >>> >>>Fix for this requires additional patches for IPA api from Honza. 
>>> >> > > >-- >Martin Basti > >-- >Manage your subscription for the Freeipa-devel mailing list: >https://www.redhat.com/mailman/listinfo/freeipa-devel >Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code -- / Alexander Bokovoy From mbasti at redhat.com Thu Jun 4 16:23:59 2015 
From: mbasti at redhat.com (Martin Basti) Date: Thu, 04 Jun 2015 18:23:59 +0200 Subject: [Freeipa-devel] SkipPluginModule error raised during new code installation In-Reply-To: <20150604162008.GH10162@redhat.com> References: <557058EB.2010703@redhat.com> <55705BED.80506@redhat.com> <55705D58.5030706@redhat.com> <55705DA6.8090408@redhat.com> <20150604162008.GH10162@redhat.com> Message-ID: <55707B9F.2060004@redhat.com> On 04/06/15 18:20, Alexander Bokovoy wrote: > On Thu, 04 Jun 2015, Martin Basti wrote: >> On 04/06/15 16:14, Oleg Fayans wrote: >>> Thanks! >>> >>> Is it critical for using the code? >> No, this exception is raised only when IPA is not installed, and you >> do not need IPA upgrade without installed IPA. > I've got the same issue when installing IPA. Upgrade runs as one of few > last steps during install and I get: > 2015-06-04T11:10:23Z DEBUG Logging to /var/log/ipaupgrade.log > 2015-06-04T11:10:23Z DEBUG ipa-server-upgrade was invoked with arguments > [] and options: {'skip_version_check': False, 'log_file': None, 'force': > False, 'verbose': False, 'quiet': True} > 2015-06-04T11:10:23Z DEBUG IPA version > 4.1.99.201506041059GIT8f0c945-0.fc22 > 2015-06-04T11:10:23Z DEBUG File > "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, > in execute > return_value = self.run() > File > "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", > line 44, in run > import ipaserver.plugins.dogtag # ensure profile backend gets loaded > File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", > line 1273, in > raise SkipPluginModule(reason='dogtag not selected as RA plugin') > > 2015-06-04T11:10:23Z DEBUG The ipa-server-upgrade command failed, > exception: SkipPluginModule: dogtag not selected as RA plugin > 2015-06-04T11:10:23Z ERROR Unexpected error - see > /var/log/ipaupgrade.log for details: > SkipPluginModule: dogtag not selected as RA plugin > > During ipa-server-install? 
ipa-server-upgrade is not executed during ipa-server-install. Martin^2 >>> >>> On 06/04/2015 04:08 PM, Martin Basti wrote: >>>> On 04/06/15 15:55, Oleg Fayans wrote: >>>>> Hi everybody >>>>> >>>>> The following error was raised during the installation of the >>>>> freeipa packages built from the current master branch: >>>>> >>>>> ofayans at f22master:~/freeipa/dist/rpms]$ sudo rpm -ihv *.rpm >>>>> Preparing... ################################# [100%] >>>>> Updating / installing... >>>>> 1:freeipa-python-4.1.99.20150604133################################# >>>>> [ 14%] >>>>> 2:freeipa-client-4.1.99.20150604133################################# >>>>> [ 29%] >>>>> 3:freeipa-admintools-4.1.99.2015060################################# >>>>> [ 43%] >>>>> 4:freeipa-server-4.1.99.20150604133################################# >>>>> [ 57%] >>>>> 5:freeipa-server-trust-ad-4.1.99.20################################# >>>>> [ 71%] >>>>> 6:freeipa-tests-4.1.99.201506041338################################# >>>>> [ 86%] >>>>> 7:freeipa-debuginfo-4.1.99.20150604################################# >>>>> [100%] >>>>> Unexpected error - see /var/log/ipaupgrade.log for details: >>>>> SkipPluginModule: dogtag not selected as RA plugin >>>>> >>>>> The corresponding part of the ipaupgrade.log is as follows: >>>>> >>>>> 2015-06-04T13:48:36Z DEBUG File >>>>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line >>>>> 171, in execute >>>>> return_value = self.run() >>>>> File >>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", >>>>> line 44, in run >>>>> import ipaserver.plugins.dogtag # ensure profile backend gets >>>>> loaded >>>>> File >>>>> "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", >>>>> line 1273, in >>>>> raise SkipPluginModule(reason='dogtag not selected as RA plugin') >>>>> >>>>> 2015-06-04T13:48:36Z DEBUG The ipa-server-upgrade command failed, >>>>> exception: SkipPluginModule: dogtag not selected as RA plugin >>>>> >>>>> This 
error is observed both on f22 and f21 machines. >>>>> >>>>> the only patch that I applied on top of the master branch is this: >>>>> freeipa-lkrispen-0011-check-for-existing-and-self-referential-segments.patch >>>>> >>>>> >>>>> >>>> >>>> Known issue, caused by CA profiles patches. >>>> >>>> Fix for this requires additional patches for IPA api from Honza. >>>> >>> >> >> >> -- >> Martin Basti >> >> -- >> Manage your subscription for the Freeipa-devel mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-devel >> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code > -- Martin Basti From abokovoy at redhat.com Thu Jun 4 17:02:21 2015 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 4 Jun 2015 20:02:21 +0300 Subject: [Freeipa-devel] SkipPluginModule error raised during new code installation In-Reply-To: <55707B9F.2060004@redhat.com> References: <557058EB.2010703@redhat.com> <55705BED.80506@redhat.com> <55705D58.5030706@redhat.com> <55705DA6.8090408@redhat.com> <20150604162008.GH10162@redhat.com> <55707B9F.2060004@redhat.com> Message-ID: <20150604170221.GI10162@redhat.com> On Thu, 04 Jun 2015, Martin Basti wrote: >On 04/06/15 18:20, Alexander Bokovoy wrote: >>On Thu, 04 Jun 2015, Martin Basti wrote: >>>On 04/06/15 16:14, Oleg Fayans wrote: >>>>Thanks! >>>> >>>>Is it critical for using the code? >>>No, this exception is raised only when IPA is not installed, and >>>you do not need IPA upgrade without installed IPA. >>I've got the same issue when installing IPA. Upgrade runs as one of few >>last steps during install and I get: >>2015-06-04T11:10:23Z DEBUG Logging to /var/log/ipaupgrade.log >>2015-06-04T11:10:23Z DEBUG ipa-server-upgrade was invoked with arguments >>[] and options: {'skip_version_check': False, 'log_file': None, 'force': >>False, 'verbose': False, 'quiet': True} >>2015-06-04T11:10:23Z DEBUG IPA version >>4.1.99.201506041059GIT8f0c945-0.fc22 >>2015-06-04T11:10:23Z DEBUG File >>"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, >>in execute >> return_value = self.run() >> File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", >>line 44, in run >> import ipaserver.plugins.dogtag # ensure profile backend gets loaded >> File >>"/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line >>1273, in >> raise SkipPluginModule(reason='dogtag not selected as RA plugin') >> >>2015-06-04T11:10:23Z DEBUG The ipa-server-upgrade command failed, >>exception: SkipPluginModule: dogtag not selected as RA plugin >>2015-06-04T11:10:23Z ERROR Unexpected error - see >>/var/log/ipaupgrade.log for details: >>SkipPluginModule: dogtag not selected 
as RA plugin >> >> >During ipa-server-install? >ipa-server-upgrade is not executed during ipa-server-install. Whatever is executed, this is what I get. When I run ipa-server-upgrade there is no such message but CA does not start. -- / Alexander Bokovoy From tbordaz at redhat.com Thu Jun 4 17:27:30 2015 
From: tbordaz at redhat.com (thierry bordaz)
Date: Thu, 04 Jun 2015 19:27:30 +0200
Subject: [Freeipa-devel] Database error on replicas
In-Reply-To: <556EC4BE.4080802@redhat.com>
References: <556EBBBD.6060205@redhat.com> <556EBECE.8000508@redhat.com> <556EC4BE.4080802@redhat.com>
Message-ID: <55708A82.8050402@redhat.com>

Hello Oleg,

So far I have been unable to reproduce the problem. I tried various scenarios depending on whether the first update was on master/slave, or with 2 slaves, 1 slave, 1 slave added later.

Do you have any details on how you did your test?

If you can restart the remaining VM, I would be interested in the logs (access/errors).

thanks
thierry

On 06/03/2015 11:11 AM, Oleg Fayans wrote:
> Hi Martin,
>
> On 06/03/2015 10:46 AM, Martin Babinsky wrote:
>> On 06/03/2015 10:33 AM, Oleg Fayans wrote:
>>> Hi,
>>>
>>> With the latest freeipa code containing Topology plugin patches, I am
>>> unable to make any changes in replicas.
>>>
>>> I have the following topology:
>>> replica1 <=> master <=> replica3
>>> Here is the output of the ipa topologysegment-find command:
>>>
>>> Suffix name: realm
>>> ------------------
>>> 2 segments matched
>>> ------------------
>>> Segment name: replica1.zaeba.li-to-testmaster.zaeba.li
>>> Left node: replica1.zaeba.li
>>> Right node: testmaster.zaeba.li
>>> Connectivity: both
>>>
>>> Segment name: replica3.zaeba.li-to-testmaster.zaeba.li
>>> Left node: replica3.zaeba.li
>>> Right node: testmaster.zaeba.li
>>> Connectivity: both
>>> ----------------------------
>>> Number of entries returned 2
>>> ----------------------------
>>>
>>>
>>> Any changes on master get replicated to replicas successfully. However,
>>> any attempts to change anything on replicas, for example, create a
>>> user,
>>> result in the error message about DatabaseError (attached).
>>> >>> The corresponding part of the dirsrv log looks like this: >>> >>> 03/Jun/2015:04:11:55 -0400] slapi_ldap_bind - Error: could not perform >>> interactive bind for id [] authentication mechanism [GSSAPI]: error -1 >>> (Can't contact LDAP server) >>> [03/Jun/2015:04:15:02 -0400] slapi_ldap_bind - Error: could not send >>> startTLS request: error -1 (Can't contact LDAP server) errno 0 >>> (Success) >>> [03/Jun/2015:04:16:55 -0400] slapd_ldap_sasl_interactive_bind - Error: >>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error >>> -1 (Can't contact LDAP server) ((null)) errno 2 (No such file or >>> directory) >>> [03/Jun/2015:04:16:55 -0400] slapi_ldap_bind - Error: could not perform >>> interactive bind for id [] authentication mechanism [GSSAPI]: error -1 >>> (Can't contact LDAP server) >>> >>> The full log is attached >>> >>> >>> >> Hi Oleg, >> >> could you also post the output of 'journalctl -xe' related to dirsrv >> (on master and also on replicas)? I have seen a couple of segfaults >> there during reviewing Petr Vobornik's topology* commands. >> > Attached > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From abokovoy at redhat.com Thu Jun 4 17:38:18 2015 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 4 Jun 2015 20:38:18 +0300 Subject: [Freeipa-devel] SkipPluginModule error raised during new code installation In-Reply-To: <20150604170221.GI10162@redhat.com> References: <557058EB.2010703@redhat.com> <55705BED.80506@redhat.com> <55705D58.5030706@redhat.com> <55705DA6.8090408@redhat.com> <20150604162008.GH10162@redhat.com> <55707B9F.2060004@redhat.com> <20150604170221.GI10162@redhat.com> Message-ID: <20150604173818.GJ10162@redhat.com> On Thu, 04 Jun 2015, Alexander Bokovoy wrote: >On Thu, 04 Jun 2015, Martin Basti wrote: >>On 04/06/15 18:20, Alexander Bokovoy wrote: >>>On Thu, 04 Jun 2015, Martin Basti wrote: >>>>On 04/06/15 16:14, Oleg Fayans wrote: >>>>>Thanks! >>>>> >>>>>Is it critical for using the code? >>>>No, this exception is raised only when IPA is not installed, and >>>>you do not need IPA upgrade without installed IPA. >>>I've got the same issue when installing IPA. Upgrade runs as one of few >>>last steps during install and I get: >>>2015-06-04T11:10:23Z DEBUG Logging to /var/log/ipaupgrade.log >>>2015-06-04T11:10:23Z DEBUG ipa-server-upgrade was invoked with arguments >>>[] and options: {'skip_version_check': False, 'log_file': None, 'force': >>>False, 'verbose': False, 'quiet': True} >>>2015-06-04T11:10:23Z DEBUG IPA version >>>4.1.99.201506041059GIT8f0c945-0.fc22 >>>2015-06-04T11:10:23Z DEBUG File >>>"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line >>>171, in execute >>> return_value = self.run() >>>File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", >>>line 44, in run >>> import ipaserver.plugins.dogtag # ensure profile backend gets loaded >>>File >>>"/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", >>>line 1273, in >>> raise SkipPluginModule(reason='dogtag not selected as RA plugin') >>> >>>2015-06-04T11:10:23Z DEBUG The ipa-server-upgrade command failed, >>>exception: SkipPluginModule: dogtag not selected as RA plugin 
>>>2015-06-04T11:10:23Z ERROR Unexpected error - see >>>/var/log/ipaupgrade.log for details: >>>SkipPluginModule: dogtag not selected as RA plugin >>> >>> >>During ipa-server-install? >>ipa-server-upgrade is not executed during ipa-server-install. >Whatever is executed, this is what I get. > >When I run ipa-server-upgrade there is no such message but CA does not >start. I've uninstalled and installed second time, no issue now. This is certainly something depending on a previously installed state. -- / Alexander Bokovoy From derny at redhat.com Thu Jun 4 19:36:00 2015 
From: derny at redhat.com (Drew Erny) Date: Thu, 04 Jun 2015 15:36:00 -0400 Subject: [Freeipa-devel] [PATCH 0001 v2] Migrate now accepts scope as argument In-Reply-To: <5570A845.7020102@redhat.com> References: <556F4A08.1040202@redhat.com> <5570703A.6080709@redhat.com> <5570A845.7020102@redhat.com> Message-ID: <5570A8A0.8030600@redhat.com> Whoops, hit the wrong "reply". On 06/04/2015 03:34 PM, Drew Erny wrote: > This is the same patch sort of manually rebased on the master branch. > I couldn't get it to cleanly rebase using tools, so I apply my commit > line-by-line; the only changes I made were pulling the "scope = > _supported_scopes[options.get('scope')]" out of the for loop I'd > accidentally left it in, and moving the import statement to a > different spot. Everything else should be the same, excep I > incremented VERSION and edited the comment. > > I do have to convert to tuple, because that argument is expected to be > a tuple but .keys() returns a list. > > > On 06/04/2015 11:35 AM, Martin Basti wrote: >> On 03/06/15 20:40, Drew Erny wrote: >>> Hi, all, >>> >>> This is an updated patch, with the code changes suggested by Martin >>> Batsi in my test email. The biggest difference is that I had to do >>> >>> >> from ldap import SCOPE_BASE, SCOPE_ONELEVEL, SCOPE_SUBTREE >>> >>> To get access to those constants in the global scope. This seems >>> like a fairly clean solution, but if it's a code smell, feel free to >>> suggest improvements. This should have identical behavior to the >>> last patch, except it will autofill scope and no longer prompt >>> interactively. >>> >>> Thanks, >>> >>> Drew Erny >>> derny at redhat.com >>> >>> >> Hello, >> >> please continue discussion in the same thread :) >> >> API.txt was changed, please update VERSION file, increment minor >> version +1 and edit comment there. I forgot to tell you yesterday. >> >> Can you rebase your patch to current master? >> This patch is supposed to go to IPA 4.2. 
>> >> Is the tuple conversion needed? >> values=tuple(_supported_scopes.keys()), >> >> Otherwise patch looks good. >> >> Martin^2 >> -- >> Martin Basti > -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-derny-0001-3-Migration-now-accepts-scope-as-argument.patch Type: text/x-patch Size: 4974 bytes Desc: not available URL: From derny at redhat.com Thu Jun 4 20:53:51 2015 
From: derny at redhat.com (Drew Erny)
Date: Thu, 04 Jun 2015 16:53:51 -0400
Subject: [Freeipa-devel] Password Maxlife 0 causes expiration of 90 days
Message-ID: <5570BADF.5020002@redhat.com>

https://fedorahosted.org/freeipa/ticket/2795

I've tracked down the source of this bug; it's nutty C stuff.

So, in daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c, when you update password, the expiration time appears to be set in the function ipapwd_CheckPolicy on line 631, which looks like

    data->expireTime = data->timeNow + pol.max_pwd_life;

So the bug has to be in how pol.max_pwd_life gets its value. So I check around, pol is initialized like this:

    struct ipapwd_policy pol = {0};
    ...
    pol.max_pwd_life = IPAPWD_DEFAULT_PWDLIFE;

And IPAPWD_DEFAULT_PWDLIFE is a constant 90 days.

But then the actual value of max_pwd_life is obtained by passing pol into the function ipapwd_getPolicy on line 577 or 590, depending on the password change type.

Inside of ipapwd_getPolicy, there's a couple of lines starting at line 393:

    tmpint = slapi_entry_attr_get_int(pe, "krbMaxPwdLife");
    if (tmpint != 0) {
        policy->max_pwd_life = tmpint;
    }

Which sets the max password life to the returned value, unless this function returns 0. However, the documentation from /usr/include/dirsrv/slapi-plugin.h says that that function, slapi_entry_attr_get_int, returns 0 if the entry does not contain that attribute. So, since the value 0 is returned, an error is assumed to have occurred and that member of the struct is left untouched... which means it's still set to the value it was set to when it was initialized, 90 days.

So, when the expireTime is set at line 631, it's set to 90 days because the value returned by slapi_entry_attr_get_int is 0.

I've checked to see if we can get some error context out of the pe variable passed in, but it appears to be an opaque struct that the user isn't meant to see the internals of.

I'm not really sure what to do with this knowledge. The only thing I can think would be to use another sentinel value, like -1, to indicate that the password does not expire; or, otherwise, to document that there is no way to have non-expiring passwords, and administrators can only set the value to some far-future date, and then close this bug. Or, we could just set the default expiration date to be somewhere far in the future. I'm not really qualified to make a call on how to proceed with this, but I'm capable of making the change if someone more senior decides.

I can also totally see this issue with the interface of slapi-plugin being the possible cause of many bugs.

Opinions?

From abokovoy at redhat.com Thu Jun 4 21:41:23 2015
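An added example, not code from this thread or from FreeIPA, that reproduces the ambiguity Drew describes (a getter that returns 0 both for "attribute absent" and for an explicit 0) and the presence-check fix Alexander suggests later in the thread. The helpers `fake_attr_get_int()` and `fake_attr_exists()` are constructed stand-ins for slapi_entry_attr_get_int() and slapi_entry_attr_exists(), so the example builds without the Directory Server headers; the sample entries and the 90-day constant are constructed values.

```c
/* Added example (not FreeIPA code): an integer getter that returns 0 for
 * "attribute absent" cannot tell an explicit krbMaxPwdLife of 0 apart from
 * a missing attribute; checking presence first removes the ambiguity.
 * fake_attr_get_int()/fake_attr_exists() are constructed stand-ins for
 * slapi_entry_attr_get_int()/slapi_entry_attr_exists(). */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IPAPWD_DEFAULT_PWDLIFE (90L * 86400L)   /* 90 days, as in the thread */

/* Minimal stand-in for a Slapi_Entry: an array of attribute/value pairs. */
struct attr { const char *name; const char *value; };
struct entry { const struct attr *attrs; size_t n; };

/* Like slapi_entry_attr_get_int(): returns 0 when the attribute is absent,
 * which is exactly the ambiguity under discussion. */
static int fake_attr_get_int(const struct entry *e, const char *name)
{
    for (size_t i = 0; i < e->n; i++)
        if (strcmp(e->attrs[i].name, name) == 0)
            return atoi(e->attrs[i].value);
    return 0;
}

/* Like slapi_entry_attr_exists(): 1 if the attribute is present, else 0. */
static int fake_attr_exists(const struct entry *e, const char *name)
{
    for (size_t i = 0; i < e->n; i++)
        if (strcmp(e->attrs[i].name, name) == 0)
            return 1;
    return 0;
}

struct ipapwd_policy { long max_pwd_life; };

/* Current logic from the thread: a 0 result is taken to mean "not set",
 * so an explicit 0 never reaches the policy. */
void get_policy_buggy(const struct entry *pe, struct ipapwd_policy *policy)
{
    int tmpint = fake_attr_get_int(pe, "krbMaxPwdLife");
    if (tmpint != 0)
        policy->max_pwd_life = tmpint;
}

/* Fixed logic: read the integer only once presence has been confirmed,
 * so 0 is stored as 0 and only a missing attribute keeps the default. */
void get_policy_fixed(const struct entry *pe, struct ipapwd_policy *policy)
{
    if (fake_attr_exists(pe, "krbMaxPwdLife"))
        policy->max_pwd_life = fake_attr_get_int(pe, "krbMaxPwdLife");
}

/* Mirrors the plugin's set-up (pol zeroed, then the default applied) and
 * returns the max_pwd_life that would be added to timeNow. */
long max_pwd_life_for(const struct entry *pe, int use_fixed)
{
    struct ipapwd_policy pol = {0};
    pol.max_pwd_life = IPAPWD_DEFAULT_PWDLIFE;
    if (use_fixed)
        get_policy_fixed(pe, &pol);
    else
        get_policy_buggy(pe, &pol);
    return pol.max_pwd_life;
}

/* Constructed sample entries: explicit 0, attribute missing, one week. */
static const struct attr zero_attrs[] = { { "krbMaxPwdLife", "0" } };
const struct entry policy_zero   = { zero_attrs, 1 };
const struct entry policy_absent = { NULL, 0 };
static const struct attr week_attrs[] = { { "krbMaxPwdLife", "604800" } };
const struct entry policy_week   = { week_attrs, 1 };

int main(void)
{
    printf("krbMaxPwdLife=0, current logic:   %ld\n", max_pwd_life_for(&policy_zero, 0));
    printf("krbMaxPwdLife=0, presence check:  %ld\n", max_pwd_life_for(&policy_zero, 1));
    printf("attribute absent, presence check: %ld\n", max_pwd_life_for(&policy_absent, 1));
    return 0;
}
```

The presence check only settles where the value comes from: after it, max_pwd_life is legitimately 0 for a policy with krbMaxPwdLife=0, so the code that computes expireTime must then treat 0 as "does not expire" rather than adding it to timeNow, or the password is expired the moment it is set. That is the sentinel question the thread raises, and the example deliberately leaves it to the caller.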
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 5 Jun 2015 00:41:23 +0300 Subject: [Freeipa-devel] Password Maxlife 0 causes expiration of 90 days In-Reply-To: <5570BADF.5020002@redhat.com> References: <5570BADF.5020002@redhat.com> Message-ID: <20150604214122.GK10162@redhat.com> On Thu, 04 Jun 2015, Drew Erny wrote: >https://fedorahosted.org/freeipa/ticket/2795 > >I've tracked down the source of this bug; it's nutty C stuff. > >So, in daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c, when you >update password, the expiration time appears to be set in the function >ipapwd_CheckPolicy on line 631, which looks like > > data->expireTime = data->timeNow + pol.max_pwd_life; > >So the bug has to be in how pol.max_pwd_life gets is value. So I check >around, pol is initialized like this: > > struct ipapwd_policy pol = {0}; > ... > pol.max_pwd_life = IPAPWD_DEFAULT_PWDLIFE; > >And IPAPWD_DEFAULT_PWDLIFE is a constant 90 days. > >But then the actual value of max_pwd_life is obtained by passing pol >into the function ipapwd_getPolicy on line 577 or 590, depending on >the password change type. > >Inside of ipapwd_getPolicy, there's a couple of lines starting at line 393 > > tmpint = slapi_entry_attr_get_int(pe, "krbMaxPwdLife"); > if (tmpint != 0) { > policy->max_pwd_life = tmpint; > }: > >Which sets the max password life to the returned value, unless this >function returns 0. However, the documentation from >/usr/include/dirsrv/slapi-plugin.h says that that function, >slapi_entry_attr_get_int, returns 0 if the entry does not contain that >attribute. So, since the value 0 is returned, an error is assumed to >have occurred that member of the struct is left untouched... which >means it's still set to the value it was set to when it was >initialized, 90 days. > >So, when the expireTime is set at line 631, it's set to 90 days >because the value returned by slapi_entry_attr_get_int is 0. 
> >I've checked to see if we can get some error context out of the pe >variable passed in, but it appears to be an opaque struct that the >user isn't meant to see the internals of. > >I'm not really sure what to do with this knowledge. The only thing I >can think would be to use another sentinel value, like -1, to indicate >that the password does not expire; or, otherwise, to document that >there is no way to have non-expiring passwords, and administrators can >only set value to some far-future date, and then close this bug. Or, >we could just set the default expiration date to be somewhere far in >the future. I'm not really qualified to make a call on how to proceed >with this, but I'm capable of making the change if someone more senior >decides. > >I can also totally see this issue with the interface of slapi-plugin >being the possible cause of many bugs. You can use slapi_entry_attr_exists() to check if attribute does exist and then treat result of slapi_entry_attr_get_int() as actual value. Otherwise, that's a great investigation! -- / Alexander Bokovoy From ftweedal at redhat.com Fri Jun 5 09:47:57 2015 From: ftweedal at redhat.com (Fraser Tweedale) Date: Fri, 5 Jun 2015 19:47:57 +1000 Subject: [Freeipa-devel] [PATCH] 0016..0018 profiles regression fixes Message-ID: <20150605094756.GD23523@dhcp-40-8.bne.redhat.com> Patches 16 and 17 fix regressions in the default profile. Patch 18 fixes the `ipa-replica-install --setup-ca' breakage. Cheers, Fraser -------------- next part -------------- From bc2b1d729c50dc1ae88a5e5709f655ea2f5ecd66 Mon Sep 17 00:00:00 2001 
From: Fraser Tweedale Date: Thu, 4 Jun 2015 22:49:01 -0400 Subject: [PATCH 16/18] Fix certificate subject base Profile management patches introduced a regression where a custom certificate subject base (if configured) is not used in the default profile. Use the configured subject base. Part of: https://fedorahosted.org/freeipa/ticket/4002 --- ipaserver/install/cainstance.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index ca0b6df5db80bc842a78f614872831ddd82330b1..42225c28c8201bbae8ac0e46f7791a7f6ed3d158 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -1665,7 +1665,7 @@ def import_included_profiles(): DOMAIN=ipautil.format_netloc(api.env.domain), IPA_CA_RECORD=IPA_CA_RECORD, CRL_ISSUER='CN=Certificate Authority,o=ipaca', - SUBJECT_DN_O=str(DN(('O', api.env.realm))), + SUBJECT_DN_O=dsinstance.DsInstance().find_subject_base(), ) server_id = installutils.realm_to_serverid(api.env.realm) -- 2.1.0 -------------- next part -------------- From dcf1531b109a0ebacb060be4b443df013957c56e Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 5 Jun 2015 02:57:48 -0400 Subject: [PATCH 17/18] Import profiles earlier during install Currently, IPA certificate profile import happens at end of install. Certificates issuance during the install process does work but uses an un-customised caIPAserviceCert profile, resulting in incorrect subject DNs and missing extensions. Furthermore, the caIPAserviceCert profile shipped with Dogtag will eventually be removed. Move the import of included certificate profiles to the end of the cainstance deployment phase, prior to the issuance of DS and HTTP certificates. Part of: https://fedorahosted.org/freeipa/ticket/4002 --- ipaserver/install/cainstance.py | 5 +++++ ipaserver/install/server/install.py | 3 --- ipaserver/plugins/dogtag.py | 10 +++++++--- 3 files changed, 12 insertions(+), 6 deletions(-) 
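Review bot: in patch 16's cainstance.py hunk, `SUBJECT_DN_O=dsinstance.DsInstance().find_subject_base()` replaces a value that was built only from `api.env.realm`, but the hunk context does not show that `dsinstance` is imported in cainstance.py, so confirm the import exists, and confirm what find_subject_base() returns when no subject base is configured, since a None here could be interpolated into the profile as the text `None` instead of falling back to the previous `O=<realm>` form. The template variable keeps the name SUBJECT_DN_O although it now carries the whole subject base; a comment beside the call saying so would save the next reader a trip to the profile templates.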
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 42225c28c8201bbae8ac0e46f7791a7f6ed3d158..563a198ab472a58cc6fbeeceb7731486ce7ca6b5 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -473,6 +473,9 @@ class CAInstance(DogtagInstance): self.step("configure Server-Cert certificate renewal", self.track_servercert) self.step("Configure HTTP to proxy connections", self.http_proxy) + if not self.clone: + self.step("restarting certificate server", self.restart_instance) + self.step("Importing IPA certificate profiles", import_included_profiles) self.start_creation(runtime=210) @@ -1694,6 +1697,7 @@ def import_included_profiles(): ) conn.add_entry(entry) api.Backend.ra_certprofile._read_password() + api.Backend.ra_certprofile.override_port = 8443 with api.Backend.ra_certprofile as profile_api: # import the profile try: @@ -1715,6 +1719,7 @@ def import_included_profiles(): except errors.RemoteRetrieveError: pass + api.Backend.ra_certprofile.override_port = None root_logger.info("Imported profile '%s'", profile_id) conn.disconnect() diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index 955e4cc11fba20475a07126f4101edbf1024290e..999766d677a19768fdc31b256a2d026b2204dbb0 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py @@ -906,9 +906,6 @@ def install(options): service.print_msg("Restarting the certificate server") ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME) - service.print_msg("Importing certificate profiles") - cainstance.import_included_profiles() - if options.setup_dns: api.Backend.ldap2.connect(autobind=True) dns.install(False, False, options) diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index e6668bb43b994863a14fdd347635753422ed9388..4b9d82a84e387758113066163c8346db69a734e1 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py 
@@ -1973,6 +1973,7 @@ class RestClient(Backend): super(RestClient, self).__init__() # session cookie + self.override_port = None self.cookie = None def _read_password(self): @@ -2007,7 +2008,8 @@ class RestClient(Backend): if self.cookie is not None: return status, status_text, resp_headers, resp_body = dogtag.https_request( - self.ca_host, self.env.ca_agent_port, '/ca/rest/account/login', + self,ca_host, self.override_port or self.env.ca_agent_port, + '/ca/rest/account/login', self.sec_dir, self.password, self.ipa_certificate_nickname, method='GET' ) @@ -2020,7 +2022,8 @@ class RestClient(Backend): def __exit__(self, exc_type, exc_value, traceback): """Log out of the REST API""" dogtag.https_request( - self.ca_host, self.env.ca_agent_port, '/ca/rest/account/logout', + self.ca_host, self.override_port or self.env.ca_agent_port, + '/ca/rest/account/logout', self.sec_dir, self.password, self.ipa_certificate_nickname, method='GET' ) @@ -2046,7 +2049,8 @@ class RestClient(Backend): # perform main request status, status_text, resp_headers, resp_body = dogtag.https_request( - self.ca_host, self.env.ca_agent_port, resource, + self.ca_host, self.override_port or self.env.ca_agent_port, + resource, self.sec_dir, self.password, self.ipa_certificate_nickname, method=method, headers=headers, body=body ) -- 2.1.0 -------------- next part -------------- From 166a55dddf89235799f2a19c5a709dc92a8a9ce7 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 5 Jun 2015 05:02:58 -0400 Subject: [PATCH 18/18] ipa-pki-proxy: allow certificate and password authentication ipa-replica-install --setup-ca is failing because the security domain login attempts password authentication, but the current ipa-pki-proxy requires certificate authentication. Set NSSVerifyClient optional to allow both certificate and password authentication to work. --- install/conf/ipa-pki-proxy.conf | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) 
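Review bot: the `__enter__` hunk of patch 17's dogtag.py change has `self,ca_host` where `self.ca_host` is meant. As written it passes `self` as the host argument followed by an undefined name `ca_host`, which fails with NameError at runtime and also shifts every following positional argument by one, so `method='GET'` ends up supplied both by position and by keyword. The two later hunks in the same file use `self.ca_host` correctly; make the login call match them.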
diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf index 366ca15a1868758547f9f1d3334fddba38793083..354b340f0a57d3424c3c13fd4054ed71080552fe 100644 --- a/install/conf/ipa-pki-proxy.conf +++ b/install/conf/ipa-pki-proxy.conf @@ -1,4 +1,4 @@ -# VERSION 6 - DO NOT REMOVE THIS LINE +# VERSION 7 - DO NOT REMOVE THIS LINE ProxyRequests Off @@ -27,9 +27,16 @@ ProxyRequests Off # matches for REST API - + NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate - NSSVerifyClient require + NSSVerifyClient optional + ProxyPassMatch ajp://localhost:$DOGTAG_PORT + ProxyPassReverse ajp://localhost:$DOGTAG_PORT + + + + NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate + NSSVerifyClient none ProxyPassMatch ajp://localhost:$DOGTAG_PORT ProxyPassReverse ajp://localhost:$DOGTAG_PORT -- 2.1.0 From mbasti at redhat.com Fri Jun 5 10:39:13 2015 From: mbasti at redhat.com (Martin Basti) Date: Fri, 05 Jun 2015 12:39:13 +0200 Subject: [Freeipa-devel] [PATCH] 828 webui: don't log in back after logout In-Reply-To: <554B9FE9.2070503@redhat.com> References: <554B9FE9.2070503@redhat.com> Message-ID: <55717C51.30401@redhat.com> On 07/05/15 19:24, Petr Vobornik wrote: > Automatic login attempt is initiated by first failed xhr request which > happens in metadata phase. > > New phase was added before metadata phase. It interrupts UI load and > shows > login page if it's directly after logout(marked in session storage). > Successfull manual login resolves the phase so that metadata phase can > follow. > > https://fedorahosted.org/freeipa/ticket/5008 > > ACK -- Martin Basti -------------- next part -------------- An HTML attachment was scrubbed... URL: From pspacek at redhat.com Fri Jun 5 10:54:17 2015 
From: pspacek at redhat.com (Petr Spacek)
Date: Fri, 05 Jun 2015 12:54:17 +0200
Subject: [Freeipa-devel] [PATCHES 0252-0253] DNSSEC: allow to move DNSSEC key master to another IPA server
In-Reply-To: <555CAFAC.2050803@redhat.com>
References: <555CAFAC.2050803@redhat.com>
Message-ID: <55717FD9.6010002@redhat.com>

On 20.5.2015 18:00, Martin Basti wrote:
> This patch allows to disable DNSSEC key master on IPA server, or replace
> current DNSSEC key master with another IPA server.
>
> Only for master branch.
>
> https://fedorahosted.org/freeipa/ticket/4657
>
> Patches attached.

NACK. This happens on DNSSEC key master:

$ ipa-dns-install --disable-dnssec-master
Do you want to disable current DNSSEC key master? [no]: yes
Unexpected error - see /var/log/ipaserver-install.log for details:
TypeError: sequence item 0: expected string, DNSName found

2015-06-05T10:52:35Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 733, in run_script
    return_value = main_function()

  File "/sbin/ipa-dns-install", line 128, in main
    dns_installer.disable_dnssec_master(options.unattended)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/dns.py", line 112, in disable_dnssec_master
    ", ".join(dnssec_zones))

2015-06-05T10:52:35Z DEBUG The ipa-dns-install command failed, exception: TypeError: sequence item 0: expected string, DNSName found

-- 
Petr^2 Spacek

From mbasti at redhat.com Fri Jun 5 11:00:14 2015
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 05 Jun 2015 13:00:14 +0200
Subject: [Freeipa-devel] [PATCH] 0016..0018 profiles regression fixes
In-Reply-To: <20150605094756.GD23523@dhcp-40-8.bne.redhat.com>
References: <20150605094756.GD23523@dhcp-40-8.bne.redhat.com>
Message-ID: <5571813E.20105@redhat.com>

On 05/06/15 11:47, Fraser Tweedale wrote:
> Patches 16 and 17 fix regressions in the default profile.
>
> Patch 18 fixes the `ipa-replica-install --setup-ca' breakage.
>
> Cheers,
> Fraser
>

NACK, sorry

./make-lint
************* Module ipaserver.plugins.dogtag
ipaserver/plugins/dogtag.py:2010: [E1124(redundant-keyword-arg), RestClient.__enter__] Argument 'method' passed by position and keyword in function call)
ipaserver/plugins/dogtag.py:2011: [E0602(undefined-variable), RestClient.__enter__] Undefined variable 'ca_host')

-- 
Martin Basti

From mbasti at redhat.com Fri Jun 5 11:04:56 2015
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 05 Jun 2015 13:04:56 +0200
Subject: [Freeipa-devel] [PATCH] 831 webui: better error reporting
In-Reply-To: <5555B63D.9040404@redhat.com>
References: <5555B63D.9040404@redhat.com>
Message-ID: <55718258.10109@redhat.com>

On 15/05/15 11:02, Petr Vobornik wrote:
> Helps in development and debugging.
>
> - ActionDropdownWidget - report error if required action is missing
> - report build errors to console
>

ACK

-- 
Martin Basti

From mbasti at redhat.com Fri Jun 5 11:50:25 2015
From: mbasti at redhat.com (Martin Basti) Date: Fri, 05 Jun 2015 13:50:25 +0200 Subject: [Freeipa-devel] [PATCH 0001 v2] Migrate now accepts scope as argument In-Reply-To: <5570A8A0.8030600@redhat.com> References: <556F4A08.1040202@redhat.com> <5570703A.6080709@redhat.com> <5570A845.7020102@redhat.com> <5570A8A0.8030600@redhat.com> Message-ID: <55718D01.2010609@redhat.com> On 04/06/15 21:36, Drew Erny wrote: > Whoops, hit the wrong "reply". > > On 06/04/2015 03:34 PM, Drew Erny wrote: >> This is the same patch sort of manually rebased on the master branch. >> I couldn't get it to cleanly rebase using tools, so I apply my commit >> line-by-line; the only changes I made were pulling the "scope = >> _supported_scopes[options.get('scope')]" out of the for loop I'd >> accidentally left it in, and moving the import statement to a >> different spot. Everything else should be the same, excep I >> incremented VERSION and edited the comment. >> >> I do have to convert to tuple, because that argument is expected to >> be a tuple but .keys() returns a list. Oh right, Enum requires explicitly tuple >> >> >> On 06/04/2015 11:35 AM, Martin Basti wrote: >>> On 03/06/15 20:40, Drew Erny wrote: >>>> Hi, all, >>>> >>>> This is an updated patch, with the code changes suggested by Martin >>>> Batsi in my test email. The biggest difference is that I had to do >>>> >>>> >> from ldap import SCOPE_BASE, SCOPE_ONELEVEL, SCOPE_SUBTREE >>>> >>>> To get access to those constants in the global scope. This seems >>>> like a fairly clean solution, but if it's a code smell, feel free >>>> to suggest improvements. This should have identical behavior to the >>>> last patch, except it will autofill scope and no longer prompt >>>> interactively. >>>> >>>> Thanks, >>>> >>>> Drew Erny >>>> derny at redhat.com >>>> >>>> >>> Hello, >>> >>> please continue discussion in the same thread :) >>> >>> API.txt was changed, please update VERSION file, increment minor >>> version +1 and edit comment there. 
I forgot to tell you yesterday. >>> >>> Can you rebase your patch to current master? >>> This patch is supposed to go to IPA 4.2. >>> >>> Is the tuple conversion needed? >>> values=tuple(_supported_scopes.keys()), >>> >>> Otherwise patch looks good. >>> >>> Martin^2 >>> -- >>> Martin Basti >> > > > Thank you. ACK, it works as expected. Martin^2 -- Martin Basti -------------- next part -------------- An HTML attachment was scrubbed... URL: From ftweedal at redhat.com Fri Jun 5 11:53:39 2015 From: ftweedal at redhat.com (Fraser Tweedale) Date: Fri, 5 Jun 2015 21:53:39 +1000 Subject: [Freeipa-devel] [PATCH] 0016..0018 profiles regression fixes In-Reply-To: <5571813E.20105@redhat.com> References: <20150605094756.GD23523@dhcp-40-8.bne.redhat.com> <5571813E.20105@redhat.com> Message-ID: <20150605115339.GF23523@dhcp-40-8.bne.redhat.com> On Fri, Jun 05, 2015 at 01:00:14PM +0200, Martin Basti wrote: > On 05/06/15 11:47, Fraser Tweedale wrote: > >Patches 16 and 17 fix regressions in the default profile. > > > >Patch 18 fixes the `ipa-replica-install --setup-ca' breakage. > > > >Cheers, > >Fraser > > > > > NACK, sorry > > ./make-lint > ************* Module ipaserver.plugins.dogtag > ipaserver/plugins/dogtag.py:2010: [E1124(redundant-keyword-arg), > RestClient.__enter__] Argument 'method' passed by position and keyword in > function call) > ipaserver/plugins/dogtag.py:2011: [E0602(undefined-variable), > RestClient.__enter__] Undefined variable 'ca_host') > > -- > Martin Basti > Whoops. One wayward comma that should have been a period! Here's an updated 0017..0018. Thanks, Fraser -------------- next part -------------- From 61677911dec136e6d022622549c476f8ca5f6e5b Mon Sep 17 00:00:00 2001 
From: Fraser Tweedale Date: Fri, 5 Jun 2015 02:57:48 -0400 Subject: [PATCH 17/18] Import profiles earlier during install Currently, IPA certificate profile import happens at end of install. Certificates issuance during the install process does work but uses an un-customised caIPAserviceCert profile, resulting in incorrect subject DNs and missing extensions. Furthermore, the caIPAserviceCert profile shipped with Dogtag will eventually be removed. Move the import of included certificate profiles to the end of the cainstance deployment phase, prior to the issuance of DS and HTTP certificates. Part of: https://fedorahosted.org/freeipa/ticket/4002 --- ipaserver/install/cainstance.py | 5 +++++ ipaserver/install/server/install.py | 3 --- ipaserver/plugins/dogtag.py | 10 +++++++--- 3 files changed, 12 insertions(+), 6 deletions(-) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 42225c28c8201bbae8ac0e46f7791a7f6ed3d158..563a198ab472a58cc6fbeeceb7731486ce7ca6b5 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -473,6 +473,9 @@ class CAInstance(DogtagInstance): self.step("configure Server-Cert certificate renewal", self.track_servercert) self.step("Configure HTTP to proxy connections", self.http_proxy) + if not self.clone: + self.step("restarting certificate server", self.restart_instance) + self.step("Importing IPA certificate profiles", import_included_profiles) self.start_creation(runtime=210) @@ -1694,6 +1697,7 @@ def import_included_profiles(): ) conn.add_entry(entry) api.Backend.ra_certprofile._read_password() + api.Backend.ra_certprofile.override_port = 8443 with api.Backend.ra_certprofile as profile_api: # import the profile try: @@ -1715,6 +1719,7 @@ def import_included_profiles(): except errors.RemoteRetrieveError: pass + api.Backend.ra_certprofile.override_port = None root_logger.info("Imported profile '%s'", profile_id) conn.disconnect() 
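Review bot: in the import_included_profiles() hunks, `api.Backend.ra_certprofile.override_port = 8443` is set before the `with` block and reset to None only after it, and the visible context shows just a `RemoteRetrieveError` handler inside the block, so any other exception that escapes leaves the backend pinned to 8443 for every later caller; wrap the `with` block in try/finally so the reset always runs. The literal 8443 also deserves a named constant and a comment explaining why the configured agent port cannot be used at this point of the install, since the commit message does not say.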
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index 955e4cc11fba20475a07126f4101edbf1024290e..999766d677a19768fdc31b256a2d026b2204dbb0 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py @@ -906,9 +906,6 @@ def install(options): service.print_msg("Restarting the certificate server") ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME) - service.print_msg("Importing certificate profiles") - cainstance.import_included_profiles() - if options.setup_dns: api.Backend.ldap2.connect(autobind=True) dns.install(False, False, options) diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index e6668bb43b994863a14fdd347635753422ed9388..e60cced1a35df821d900407df2d9b66371c61510 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -1973,6 +1973,7 @@ class RestClient(Backend): super(RestClient, self).__init__() # session cookie + self.override_port = None self.cookie = None def _read_password(self): @@ -2007,7 +2008,8 @@ class RestClient(Backend): if self.cookie is not None: return status, status_text, resp_headers, resp_body = dogtag.https_request( - self.ca_host, self.env.ca_agent_port, '/ca/rest/account/login', + self.ca_host, self.override_port or self.env.ca_agent_port, + '/ca/rest/account/login', self.sec_dir, self.password, self.ipa_certificate_nickname, method='GET' ) @@ -2020,7 +2022,8 @@ class RestClient(Backend): def __exit__(self, exc_type, exc_value, traceback): """Log out of the REST API""" dogtag.https_request( - self.ca_host, self.env.ca_agent_port, '/ca/rest/account/logout', + self.ca_host, self.override_port or self.env.ca_agent_port, + '/ca/rest/account/logout', self.sec_dir, self.password, self.ipa_certificate_nickname, method='GET' ) 
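Review bot: the RestClient hunks add `self.override_port = None` without a comment, while the call sites use `self.override_port or self.env.ca_agent_port`; document beside the attribute what it is for and who is expected to set it, and note that the `or` fallback treats a port of 0 the same as None, which is harmless here but worth stating. Because `__enter__` and `__exit__` each read the attribute at call time, a caller that changes it between login and logout would log out against a different port than it logged in on; the install.py and cainstance.py hunks in this patch only touch it outside the `with` block, which is the pattern to keep.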
@@ -2046,7 +2049,8 @@ class RestClient(Backend): # perform main request status, status_text, resp_headers, resp_body = dogtag.https_request( - self.ca_host, self.env.ca_agent_port, resource, + self.ca_host, self.override_port or self.env.ca_agent_port, + resource, self.sec_dir, self.password, self.ipa_certificate_nickname, method=method, headers=headers, body=body ) -- 2.1.0 -------------- next part -------------- From b4252d8385f03558b335386a3827f1adb878308a Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 5 Jun 2015 05:02:58 -0400 Subject: [PATCH 18/18] ipa-pki-proxy: allow certificate and password authentication ipa-replica-install --setup-ca is failing because the security domain login attempts password authentication, but the current ipa-pki-proxy requires certificate authentication. Set NSSVerifyClient optional to allow both certificate and password authentication to work. --- install/conf/ipa-pki-proxy.conf | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf index 366ca15a1868758547f9f1d3334fddba38793083..354b340f0a57d3424c3c13fd4054ed71080552fe 100644 --- a/install/conf/ipa-pki-proxy.conf +++ b/install/conf/ipa-pki-proxy.conf @@ -1,4 +1,4 @@ -# VERSION 6 - DO NOT REMOVE THIS LINE +# VERSION 7 - DO NOT REMOVE THIS LINE ProxyRequests Off @@ -27,9 +27,16 @@ ProxyRequests Off # matches for REST API - + NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate - NSSVerifyClient require + NSSVerifyClient optional + ProxyPassMatch ajp://localhost:$DOGTAG_PORT + ProxyPassReverse ajp://localhost:$DOGTAG_PORT + + + + NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate + NSSVerifyClient none ProxyPassMatch ajp://localhost:$DOGTAG_PORT ProxyPassReverse ajp://localhost:$DOGTAG_PORT -- 2.1.0 From jcholast at redhat.com Fri Jun 5 12:13:20 2015 
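Review bot: the ipa-pki-proxy.conf hunk in patch 18 lowers `NSSVerifyClient require` to `optional` for the REST API match and adds a second block with `NSSVerifyClient none`; the archive rendering has dropped the match expressions of both blocks, so the hunk alone does not show which URL paths lose mandatory client-certificate verification, and that should be confirmed against the file. With `optional`, a request carrying no certificate is proxied through to Dogtag, so the change relies on Dogtag rejecting unauthenticated REST calls itself; the commit message says password authentication is the intended alternative, and that reasoning belongs in the config next to the existing `# matches for REST API` comment so the relaxation is not mistaken for an oversight later.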
From: jcholast at redhat.com (Jan Cholasta) Date: Fri, 05 Jun 2015 14:13:20 +0200 Subject: [Freeipa-devel] [PATCH] Password vault In-Reply-To: <556EF05E.90103@redhat.com> References: <54E1AF55.3060409@redhat.com> <54EBEB55.6010306@redhat.com> <54F96B22.9050507@redhat.com> <55004D5D.6060300@redhat.com> <550FE5EB.1070606@redhat.com> <551E0AE1.8040500@redhat.com> <553498D1.1020901@redhat.com> <55651209.8020000@redhat.com> <556558AA.6040107@redhat.com> <556CF209.7050404@redhat.com> <556EF05E.90103@redhat.com> Message-ID: <55719260.8080300@redhat.com> Dne 3.6.2015 v 14:17 Jan Cholasta napsal(a): > Dne 2.6.2015 v 02:00 Endi Sukma Dewata napsal(a): >> Please take a look at the updated patch. >> >> On 5/27/2015 12:39 AM, Jan Cholasta wrote: >>>>>>>>> 21) vault_archive is not a retrieve operation, it should be >>>>>>>>> based on >>>>>>>>> LDAPUpdate instead of LDAPRetrieve. Or Command actually, since it >>>>>>>>> does >>>>>>>>> not do anything with LDAP. The same applies to vault_retrieve. >>>>>>>> >>>>>>>> The vault_archive does not actually modify the LDAP entry >>>>>>>> because it >>>>>>>> stores the data in KRA. It is actually an LDAPRetrieve operation >>>>>>>> because >>>>>>>> it needs to get the vault info before it can perform the archival >>>>>>>> operation. Same thing with vault_retrieve. >>>>>>> >>>>>>> It is not a LDAPRetrieve operation, because it has different >>>>>>> semantics. >>>>>>> Please use Command as base class and either use ldap2 for direct >>>>>>> LDAP or >>>>>>> call vault_show instead of hacking around LDAPRetrieve. >>>>>> >>>>>> It's been changed to inherit from LDAPQuery instead. >>>>> >>>>> NACK, it's not a LDAPQuery operation, because it has different >>>>> semantics. There is more to a command than executing code, so you >>>>> should >>>>> use a correct base class. >>>> >>>> Changed to inherit from Command as requested. 
Now these commands no >>>> longer have direct access to the vault object (self.obj) although >>>> they >>>> are accessing vault objects like other vault commands. Also now the >>>> vault name argument has to be added explicitly on each command. >>> >>> You can inherit from crud.Retrieve and crud.Update to get self.obj and >>> the argument back. >> >> I tried this: >> >> class vault_retrieve(Command, crud.Retrieve): >> >> and it gave me an error: >> >> TypeError: Error when calling the metaclass bases >> Cannot create a consistent method resolution >> order (MRO) for bases Retrieve, Command >> >> I'm sticking with the original code since it works fine although not >> ideal. I'm not a Python expert, so if you know how to fix this properly >> please feel free to post a patch on top of this. > > The class hierarchy is as follows: > > frontend.Command > frontend.Method > crud.PKQuery > crud.Retrieve > crud.Update > > So removing Command from the list of base classes should fix it. > >> >>> If KRA is not installed, vault-archive and vault-retrieve fail with an >>> internal error. >> >> Added code to check KRA installation in all vault commands. If you >> know a way not to load the vault plugin if the KRA is not installed >> please let me know, that's probably even better. Not sure how that will >> work on the client side though. > > I see this has already been resolved in the other thread. > >> >>> The commands still behave differently based on whether they were called >>> from API which was initialized with in_server set to True or False. >> >> That is unfortunately a restriction imposed by the framework. In order >> to guarantee the security, the vault is designed to have separate client >> and server code. The client code encrypts the secret, the server code >> forwards the encrypted secret to KRA. To archive a secret into a vault >> properly, you are supposed to call the client code.
If you're calling >> the server code directly, you are responsible to do your own encryption >> (i.e. generating session key, nonce, and vault data). > > I understand why the code has to be separated, what I don't understand > is why it is in fact *not* separated and crammed into a single command, > making weird and undefined behavior possible. > >> >> If another plugin wants to use vault, it should implement a client code >> which calls the vault client code to perform the archival from the >> client side. >> >> What is the use case for calling the vault API from the server side >> anyway? Wouldn't that defeat the purpose of having a vault? If a secret >> exists on the server side in an unencrypted form doesn't it mean the >> secret may already have been compromised? > > Server API is used not only by the server itself, but also by installers > for example. Anyway the point is that there *can't* be a broken API like > this, you should at least raise an error if the command is called from > server API, although actually separating it into client and server parts > would be preferable. > >> >>> There is no point in exposing the session_key, nonce and vault_data >>> options in CLI when their value is always overwritten in forward(). >> >> I agree there is no need to expose them in CLI, but in this framework >> the API also defines the CLI. If there's a way to keep them in the >> server API but not expose them in the CLI please let me know. Or, if >> there's a way to define completely separate server API (without a >> matching client CLI) and client CLI (without a matching server API) that >> will work too. > > As I suggested above, you can split the commands into separate client > and server commands. The client command should inherit from > frontend.Local so that it is always executed locally and the server > command should have a "NO_CLI = True" attribute so that it is not > available in the CLI. > >> >>> Will this always succeed? 
>>> >>> + # deactivate vault record in KRA >>> + response = kra_client.keys.list_keys( >>> + client_key_id, pki.key.KeyClient.KEY_STATUS_ACTIVE) >> >> Yes. If there are no active keys it will return an empty collection. >> >>> + for key_info in response.key_infos: >>> + kra_client.keys.modify_key_status( >>> + key_info.get_key_id(), >>> + pki.key.KeyClient.KEY_STATUS_INACTIVE) >> >> This loop will do nothing given an empty collection. >> >>> If not, we might get into an inconsistent state, where the vault is >>> deleted in LDAP but still active in KRA. (I'm not sure if this is >>> actually a problem or not.) >> >> That can only happen if the server crashes after deleting the vault but >> before deactivating the key. Regardless, it will not be a problem >> because the key is identified by vault ID/path so it will not conflict >> with other vaults, and it will get overwritten if the same vault is >> recreated again. > > OK. >
Attached is a patch including the requested changes. I have also changed vault_config to vaultconfig_show, for consistency with {,dns}config_show (it also makes the transport certificate retrieval code in vault_{archive,retrieve} simpler).
I have noticed that triple-length DES is used for the session key. Wouldn't AES be better?
    # generate session key
    mechanism = nss.CKM_DES3_CBC_PAD
BTW, ipa-kra-install is broken with pki-core-10.2.4-1, but it works with pki-core-10.2.1-3.
-- Jan Cholasta
-------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Added-vault-archive-and-vault-retrieve-commands.patch Type: text/x-patch Size: 26262 bytes Desc: not available URL:
From ofayans at redhat.com Fri Jun 5 12:16:15 2015
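The MRO failure Endi reports and Jan's explanation of the class hierarchy, as an added example that is not part of the thread: stand-in classes named after frontend.Command, frontend.Method, crud.PKQuery, crud.Retrieve and crud.Update (their bodies are my assumptions, not ipalib code), the interpreter's own reaction via type(), and the C3 merge step written out so the blocked candidate is visible.

```python
"""Added example, not from the thread: reproduce the MRO error raised by
``class vault_retrieve(Command, crud.Retrieve)`` and show why listing only
``crud.Retrieve`` works. Class names follow the hierarchy Jan lists; the
bodies are stand-ins (my assumptions), not ipalib code.
"""


class Command:
    """Stand-in for ipalib frontend.Command."""


class Method(Command):
    """Stand-in for frontend.Method: a command bound to an object (self.obj)."""
    obj_name = None

    @property
    def obj(self):
        return self.obj_name


class PKQuery(Method):
    """Stand-in for crud.PKQuery: adds the primary-key argument."""
    takes_args = ("primary_key",)


class Retrieve(PKQuery):
    """Stand-in for crud.Retrieve."""


class Update(PKQuery):
    """Stand-in for crud.Update."""


def c3_merge(sequences):
    """The merge step of C3 linearization, as CPython applies it: repeatedly
    take the first head that does not appear in the tail of any sequence.
    If every head is shadowed, no consistent MRO exists."""
    seqs = [list(s) for s in sequences if s]
    result = []
    while seqs:
        for seq in seqs:
            candidate = seq[0]
            if all(candidate not in other[1:] for other in seqs):
                break
        else:
            blocked = ", ".join(sorted({s[0].__name__ for s in seqs}))
            raise TypeError("Cannot create a consistent MRO; blocked heads: " + blocked)
        result.append(candidate)
        seqs = [s[1:] if s[0] is candidate else s for s in seqs]
        seqs = [s for s in seqs if s]
    return result


def linearize_bases(bases):
    """MRO (the new class itself excluded) a class with ``bases`` would get:
    merge(L(B1), ..., L(Bn), [B1, ..., Bn])."""
    return c3_merge([list(b.__mro__) for b in bases] + [list(bases)])


def define_command(*bases):
    """Build a vault_retrieve stand-in with ``type()``, exactly what the class
    statement does. Returns ("ok", mro names) or ("error", interpreter message)."""
    try:
        cls = type("vault_retrieve", bases, {"obj_name": "vault"})
    except TypeError as exc:
        return ("error", str(exc))
    return ("ok", [c.__name__ for c in cls.__mro__])


if __name__ == "__main__":
    # Command listed before its own subclass Retrieve: the merge can never place
    # Command (Retrieve's linearization needs it later) nor Retrieve (the base
    # list needs Command first), so both fail.
    print(define_command(Command, Retrieve))
    print(define_command(Retrieve))
```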
From: ofayans at redhat.com (Oleg Fayans) Date: Fri, 05 Jun 2015 14:16:15 +0200 Subject: [Freeipa-devel] [PATCH] 0016..0018 profiles regression fixes In-Reply-To: <20150605115339.GF23523@dhcp-40-8.bne.redhat.com> References: <20150605094756.GD23523@dhcp-40-8.bne.redhat.com> <5571813E.20105@redhat.com> <20150605115339.GF23523@dhcp-40-8.bne.redhat.com> Message-ID: <5571930F.5020401@redhat.com> Is it supposed to fix this issue?
2015-06-05T12:11:57Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 44, in run
    import ipaserver.plugins.dogtag # ensure profile backend gets loaded
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line 1273, in
    raise SkipPluginModule(reason='dogtag not selected as RA plugin')
On 06/05/2015 01:53 PM, Fraser Tweedale wrote: > On Fri, Jun 05, 2015 at 01:00:14PM +0200, Martin Basti wrote: >> On 05/06/15 11:47, Fraser Tweedale wrote: >>> Patches 16 and 17 fix regressions in the default profile. >>> >>> Patch 18 fixes the `ipa-replica-install --setup-ca' breakage. >>> >>> Cheers, >>> Fraser >>> >>> >> NACK, sorry >> >> ./make-lint >> ************* Module ipaserver.plugins.dogtag >> ipaserver/plugins/dogtag.py:2010: [E1124(redundant-keyword-arg), >> RestClient.__enter__] Argument 'method' passed by position and keyword in >> function call) >> ipaserver/plugins/dogtag.py:2011: [E0602(undefined-variable), >> RestClient.__enter__] Undefined variable 'ca_host') >> >> -- >> Martin Basti >> > Whoops. One wayward comma that should have been a period! > > Here's an updated 0017..0018. > > Thanks, > Fraser > > -- Oleg Fayans Quality Engineer FreeIPA team RedHat. -------------- next part -------------- An HTML attachment was scrubbed... URL: From dkupka at redhat.com Fri Jun 5 12:16:28 2015
From: dkupka at redhat.com (David Kupka) Date: Fri, 05 Jun 2015 14:16:28 +0200 Subject: [Freeipa-devel] [PATCH 0049] Move CA installation code into single module. In-Reply-To: <556F21ED.8020908@redhat.com> References: <556F21ED.8020908@redhat.com> Message-ID: <5571931C.1030103@redhat.com> On 06/03/2015 05:49 PM, David Kupka wrote: > Updated patch attached. -- David Kupka -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-dkupka-0049.1-Move-CA-installation-code-into-single-module.patch Type: text/x-patch Size: 38573 bytes Desc: not available URL: From mbasti at redhat.com Fri Jun 5 12:18:18 2015 
From: mbasti at redhat.com (Martin Basti) Date: Fri, 05 Jun 2015 14:18:18 +0200 Subject: [Freeipa-devel] [PATCH] 0016..0018 profiles regression fixes In-Reply-To: <5571930F.5020401@redhat.com> References: <20150605094756.GD23523@dhcp-40-8.bne.redhat.com> <5571813E.20105@redhat.com> <20150605115339.GF23523@dhcp-40-8.bne.redhat.com> <5571930F.5020401@redhat.com> Message-ID: <5571938A.1050707@redhat.com> On 05/06/15 14:16, Oleg Fayans wrote: > Is it supposeed to fis this issue? > > 2015-06-05T12:11:57Z DEBUG File > "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, > in execute > return_value = self.run() > File > "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", > line 44, in run > import ipaserver.plugins.dogtag # ensure profile backend gets loaded > File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", > line 1273, in > raise SkipPluginModule(reason='dogtag not selected as RA plugin') > No > > On 06/05/2015 01:53 PM, Fraser Tweedale wrote: >> On Fri, Jun 05, 2015 at 01:00:14PM +0200, Martin Basti wrote: >>> On 05/06/15 11:47, Fraser Tweedale wrote: >>>> Patches 16 and 17 fix regressions in the default profile. >>>> >>>> Patch 18 fixes the `ipa-replica-install --setup-ca' breakage. >>>> >>>> Cheers, >>>> Fraser >>>> >>>> >>> NACK, sorry >>> >>> ./make-lint >>> ************* Module ipaserver.plugins.dogtag >>> ipaserver/plugins/dogtag.py:2010: [E1124(redundant-keyword-arg), >>> RestClient.__enter__] Argument 'method' passed by position and keyword in >>> function call) >>> ipaserver/plugins/dogtag.py:2011: [E0602(undefined-variable), >>> RestClient.__enter__] Undefined variable 'ca_host') >>> >>> -- >>> Martin Basti >>> >> Whoops. One wayward comma that should have been a period! >> >> Here's an updated 0017..0018. >> >> Thanks, >> Fraser >> >> > > -- > Oleg Fayans > Quality Engineer > FreeIPA team > RedHat. > > -- Martin Basti -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From mkosek at redhat.com Fri Jun 5 12:30:55 2015 
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 05 Jun 2015 14:30:55 +0200 Subject: [Freeipa-devel] Suggestion for the A part of IPA In-Reply-To: <56343345B145C043AE990701E3D193950BD1FBA1@EXVS2.nrplc.localnet> References: <56343345B145C043AE990701E3D193950478E5A4@EXVS2.nrplc.localnet><55407D25.9030505@redhat.com> <56343345B145C043AE990701E3D193950478E5A6@EXVS2.nrplc.localnet> <56343345B145C043AE990701E3D193950BD1FBA1@EXVS2.nrplc.localnet> Message-ID: <5571967F.2050402@redhat.com> On 06/02/2015 10:29 AM, Innes, Duncan wrote: > Just a bit of a heads up and a refresh of this with perhaps some new > data. > >> >> Good to hear :-) We recently also started investigating the Audit >> capabilities for (notice I write "for" and not "in") IPA. You can >> check my initial nudge to the freeipa-users list, which was >> unfortunately with no reply: >> >> https://www.redhat.com/archives/freeipa-users/2015-March/msg00940.html >> > > First up, just got round to reading this Martin. Not sure how I missed > it > when it first came out as it's a strong area of interest for me. We have more now! I created https://www.freeipa.org/page/Centralized_Logging where you can read more about this POC project and even see a demo showing what the current POC ELK server can do (with a link to the Docker server container and sources of course). > The main part of what this message is about is a big change I made to > our > logging recently. I added in 4 of our main production IPA servers > (there > are 8 in total, but 4 sit beyond firewalls that take more scrutiny for > changes than I wanted for now). The 4 I've added, though, serve more > clients I figure. The amount of log traffic to the pair of Logstash > servers has now jumped from around 50k records/hour to around 250k. > > Doubtless this still doesn't push any of the parts to their limits, but > there has been a barely noticeable increase in CPU usage on the 2 > Logstash > servers. We've gone from around 2% CPU usage to 4%.
> > Since the CPU usage on our 'loudest' IPA server rarely peaks above 10%, > this doesn't present nearly as much load as I had anticipated. I have > run > Logstash parsers on my DEV IPA boxes, but will now investigate running > them on my Prod servers too. Cool! > What I'm getting at is that perhaps clients sending logs back to the IPA > servers for parsing, then being sent on to a central DB for storage, > isn't > going to break the bank performance-wise. > > All of the systems in question here are 2vCPU with 4Gb vRAM running on > ESXi > hosts, so nothing special in the performance arena. > > It strikes me as a reasonably elegant solution to pair the > authentication > and log parsing services on the same set of servers. This would allow > each > client to use the same servers/failover etc for SSSD as for rsyslog. > > There may, of course, be other considerations, but I'm suggesting that > system load isn't necessarily one of them. Much as projects such as > Katello > can run with everything on the same server, or split out Postgres and > the > like onto separate servers when there are performance considerations. > > Thoughts? I'm not saying they should always be paired, but that if a > user > designs a system with enough horse power, this piggy-backing could work > well. Ah, interesting idea and measurement. We have not thought about this kind of architecture yet. What we did in our POC is to configure FreeIPA clients and servers to send the logs directly to the logging server which was on completely different machine (container) than rest of the infrastructure. It may be an alternative scheme, to have FreeIPA server containing the log processing and then forwarding further to other REK/ELK server and clients simply forwarding the logs to the same server as where they are authenticating. If all the log configuration is baked in ipa-{server,replica,client}-install, it would be extremely easy to integrate. 
I am not sure if the authentication+logging binding would be that easy, nor that they belong together that much. SSSD would need to dynamically export the address of the FreeIPA server it communicates with, maybe similarly to how it does with Kerberos (http://linux.die.net/man/8/sssd_krb5_locator_plugin) - but that does not seem a good fit either. In any case, CCing Jakub for reference. Thanks, Martin From dkupka at redhat.com Fri Jun 5 13:32:41 2015 From: dkupka at redhat.com (David Kupka) Date: Fri, 05 Jun 2015 15:32:41 +0200 Subject: [Freeipa-devel] [patch 0002] Abstract the HostTracker class from host plugin test In-Reply-To: <556D68EE.7010403@redhat.com> References: <556D68EE.7010403@redhat.com> Message-ID: <5571A4F9.7020505@redhat.com> On 06/02/2015 10:27 AM, Milan Kubik wrote: > Hello, > > this is the (first) patch with the Tracker class implementation based on > host plugin test. > > It is meant to be used as a base class to implement a helper class to > write xml-rpc (api) > tests for LDAP based plugins and to replace the Declarative class which > is used for > most of the xml-rpc tests at the moment. > > For an example usage take a look at the host plugin test. > > Cheers, > Milan > > Hello! Thanks for the patch. Works for me, ACK. -- David Kupka From redhatrises at gmail.com Fri Jun 5 14:13:59 2015 From: redhatrises at gmail.com (Gabe Alford) Date: Fri, 5 Jun 2015 08:13:59 -0600 Subject: [Freeipa-devel] [PATCH 0051] Clear SSSD caches when uninstalling the client Message-ID: Hello, Fix for https://fedorahosted.org/freeipa/ticket/5049 Thanks, Gabe -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rga-0051-Clear-SSSD-caches-when-uninstalling-the-client.patch Type: text/x-patch Size: 2002 bytes Desc: not available URL: From Duncan.Innes at virginmoney.com Fri Jun 5 14:28:53 2015
From: Duncan.Innes at virginmoney.com (Innes, Duncan) Date: Fri, 5 Jun 2015 15:28:53 +0100 Subject: [Freeipa-devel] Suggestion for the A part of IPA In-Reply-To: <5571967F.2050402@redhat.com> References: <56343345B145C043AE990701E3D193950478E5A4@EXVS2.nrplc.localnet><55407D25.9030505@redhat.com> <56343345B145C043AE990701E3D193950478E5A6@EXVS2.nrplc.localnet> <56343345B145C043AE990701E3D193950BD1FBA1@EXVS2.nrplc.localnet> <5571967F.2050402@redhat.com> Message-ID: <56343345B145C043AE990701E3D193950BD1FBC4@EXVS2.nrplc.localnet> -----Original Message----- 
From: Martin Kosek [mailto:mkosek at redhat.com] Sent: 05 June 2015 13:31 To: Innes, Duncan; freeipa-devel at redhat.com; Jakub Hrozek Subject: Re: [Freeipa-devel] Suggestion for the A part of IPA > On 06/02/2015 10:29 AM, Innes, Duncan wrote: > > Just a bit of a head's up and a refresh of this with perhaps some new > > data. > > > > We have more now! I created > > https://www.freeipa.org/page/Centralized_Logging > > where you can read more about this POC project and even see demo showing > what the current POC ELK server can do (with link to Docker server > container and sources of course). Excellent stuff - I fumbled together the page linked in your "Other Resources" section at the bottom. Will be upgrading my configs to replicate what you've done with respect to pulling in extra log files. > > > > Thoughts? I'm not saying they should always be paired, but that if a > > user designs a system with enough horse power, this piggy-backing > > could work well. > > Ah, interesting idea and measurement. We have not thought about this kind > of architecture yet. What we did in our POC is to configure FreeIPA > clients and servers to send the logs directly to the logging server which > was on completely different machine (container) than rest of the > infrastructure. > > It may be an alternative scheme, to have FreeIPA server containing the > log processing and then forwarding further to other REK/ELK server and > clients simply forwarding the logs to the same server as where they are > authenticating. > If all the log configuration is baked in > ipa-{server,replica,client}-install, it would be extremely easy to > integrate. > I was also thinking that this kind of setup would work well in a heavily firewalled environment. We have both hardware and host-based iptables firewalls across the estate. In our case, pairing the firewall rules for logging to the IPA servers is much easier than creating new servers and requesting separate rules for them. 
Every client needs to talk to the IPA servers via the IPA ports after all. Adding in an extra port to the firewall rule group for IPA isn't hard to maintain. > > I am not sure if the authentication+logging binding would be that easy, > nor that they belong together that much. SSSD would need to dynamically > export the address of the FreeIPA server it communicates with, maybe > similarly to how it does with Kerberos > (http://linux.die.net/man/8/sssd_krb5_locator_plugin) - but that does > not seem a good fit either. > No - perhaps not. Again I'm thinking more from my current situation. We were not given access to create _SRV_ records by the AD team, so we have had to hard-code our IPA servers into the config files. i.e.
[domain/unix.example.com]
cache_credentials = True
krb5_realm = UNIX.EXAMPLE.COM
ipa_domain = unix.example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = client01.unix.example.com
chpass_provider = ipa
ipa_server = ipa01.unix.example.com, ipa02.unix.example.com
ldap_tls_cacert = /etc/ipa/ca.crt
We try and figure out which IPA servers we can see, then randomise the order of available servers and put it in the ipa_server setting. So relatively simple for our setup to copy this config into an rsyslog.d config file. Less easy if you just use _srv_ in there. Not sure how you'd do that to be fair. But if it's possible to parse the data coming back from the DNS _SRV_ query, couldn't all the potential IPA servers be included for rsyslog failover? If all my remote servers are down, my failover reverts to /dev/null, so no data will be written to disk if I'm isolated. That's for rsyslog of course. I'm also working on getting systemd-journal-upload to send direct to logstash (hopefully with the http input plugin). > > In any case, CCing Jakub for reference. > > Thanks, > Martin
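Duncan's idea of reusing the ipa_server list for rsyslog failover, as an added example that is not part of the thread: it reads ipa_server from an sssd.conf fragment shaped like the one above, expands the _srv_ marker from a constructed SRV answer (a stand-in for the DNS query, ordered by priority then weight), and renders an rsyslog forwarding chain whose last link is a local file rather than /dev/null. Port 6514 and the fallback path are assumptions; TLS driver and CA settings are left to the existing rsyslog configuration.

```python
"""Added example, not from the thread: turn the ipa_server list SSSD already
carries into an rsyslog forwarding chain with ordered failover, keeping a local
file as the last resort so an isolated client does not lose its logs.

Assumptions (mine, not Duncan's): the SRV answer below is constructed; port 6514
(IANA syslog-tls) is the assumed log port; TLS settings live elsewhere.
"""
import configparser

# Constructed sssd.conf fragment, shaped like the one quoted in the thread but
# with the _srv_ marker placed in front of the hard-coded servers.
SSSD_CONF = """\
[domain/unix.example.com]
cache_credentials = True
krb5_realm = UNIX.EXAMPLE.COM
ipa_domain = unix.example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = client01.unix.example.com
chpass_provider = ipa
ipa_server = _srv_, ipa01.unix.example.com, ipa02.unix.example.com
ldap_tls_cacert = /etc/ipa/ca.crt
"""

# Constructed stand-in for the answer to an _ldap._tcp.unix.example.com SRV
# query: (priority, weight, target). Lower priority is preferred; weight
# only orders ties.
SRV_RECORDS = [
    (10, 0, "ipa03.unix.example.com"),
    (0, 50, "ipa02.unix.example.com"),
    (0, 100, "ipa01.unix.example.com"),
]


def read_ipa_servers(conf_text, domain):
    """Return the ipa_server entries of one sssd.conf domain section, in order."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    raw = parser.get("domain/" + domain, "ipa_server", fallback="")
    return [item.strip() for item in raw.split(",") if item.strip()]


def expand_srv(servers, srv_records):
    """Replace the _srv_ marker with SRV targets (priority ascending, weight
    descending; a deterministic simplification of RFC 2782 weighted selection)
    and drop duplicates so a host listed both ways appears once."""
    ordered = []
    for entry in servers:
        if entry.lower() == "_srv_":
            targets = [t for _, _, t in sorted(srv_records, key=lambda r: (r[0], -r[1]))]
        else:
            targets = [entry]
        for target in targets:
            if target not in ordered:
                ordered.append(target)
    return ordered


def render_rsyslog_chain(servers, port=6514, fallback="/var/log/ipa-forward-fallback.log"):
    """Render a RainerScript forwarding chain: the first server is the primary,
    each later action fires only while the previous one is suspended (failover,
    not fan-out), and the final action writes locally instead of discarding."""
    if not servers:
        raise ValueError("no IPA servers to forward to")
    lines = []
    for index, host in enumerate(servers):
        params = ['type="omfwd"', 'target="%s"' % host, 'port="%d"' % port,
                  'protocol="tcp"']
        prefix = "*.*"
        if index > 0:
            params.append('action.execOnlyWhenPreviousIsSuspended="on"')
            prefix = "&"
        lines.append("%s action(%s)" % (prefix, " ".join(params)))
    lines.append('& action(type="omfile" file="%s" '
                 'action.execOnlyWhenPreviousIsSuspended="on")' % fallback)
    return "\n".join(lines) + "\n"


def build_config(conf_text=SSSD_CONF, domain="unix.example.com", srv_records=SRV_RECORDS):
    """sssd.conf text -> fragment for /etc/rsyslog.d/ (assumed destination)."""
    servers = expand_srv(read_ipa_servers(conf_text, domain), srv_records)
    return render_rsyslog_chain(servers)


if __name__ == "__main__":
    print(build_config(), end="")
```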
From derny at redhat.com Fri Jun 5 14:37:18 2015
From: derny at redhat.com (Drew Erny) Date: Fri, 05 Jun 2015 10:37:18 -0400 Subject: [Freeipa-devel] Password Maxlife 0 causes expiration of 90 days In-Reply-To: <20150604214122.GK10162@redhat.com> References: <5570BADF.5020002@redhat.com> <20150604214122.GK10162@redhat.com> Message-ID: <5571B41E.7030405@redhat.com> On 06/04/2015 05:41 PM, Alexander Bokovoy wrote: > On Thu, 04 Jun 2015, Drew Erny wrote: >> https://fedorahosted.org/freeipa/ticket/2795 >> >> I've tracked down the source of this bug; it's nutty C stuff. >> >> So, in daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c, when you >> update a password, the expiration time appears to be set in the >> function ipapwd_CheckPolicy on line 631, which looks like >> >> data->expireTime = data->timeNow + pol.max_pwd_life; >> >> So the bug has to be in how pol.max_pwd_life gets its value. So I >> check around, pol is initialized like this: >> >> struct ipapwd_policy pol = {0}; >> ... >> pol.max_pwd_life = IPAPWD_DEFAULT_PWDLIFE; >> >> And IPAPWD_DEFAULT_PWDLIFE is a constant 90 days. >> >> But then the actual value of max_pwd_life is obtained by passing pol >> into the function ipapwd_getPolicy on line 577 or 590, depending on >> the password change type. >> >> Inside of ipapwd_getPolicy, there's a couple of lines starting at >> line 393 >> >> tmpint = slapi_entry_attr_get_int(pe, "krbMaxPwdLife"); >> if (tmpint != 0) { >> policy->max_pwd_life = tmpint; >> }: >> >> Which sets the max password life to the returned value, unless this >> function returns 0. However, the documentation from >> /usr/include/dirsrv/slapi-plugin.h says that that function, >> slapi_entry_attr_get_int, returns 0 if the entry does not contain >> that attribute. So, since the value 0 is returned, an error is >> assumed to have occurred and that member of the struct is left >> untouched... which means it's still set to the value it was set to >> when it was initialized, 90 days.
>> >> So, when the expireTime is set at line 631, it's set to 90 days >> because the value returned by slapi_entry_attr_get_int is 0. >> >> I've checked to see if we can get some error context out of the pe >> variable passed in, but it appears to be an opaque struct that the >> user isn't meant to see the internals of. >> >> I'm not really sure what to do with this knowledge. The only thing I >> can think would be to use another sentinel value, like -1, to >> indicate that the password does not expire; or, otherwise, to >> document that there is no way to have non-expiring passwords, and >> administrators can only set value to some far-future date, and then >> close this bug. Or, we could just set the default expiration date to >> be somewhere far in the future. I'm not really qualified to make a >> call on how to proceed with this, but I'm capable of making the >> change if someone more senior decides. >> >> I can also totally see this issue with the interface of slapi-plugin >> being the possible cause of many bugs. > You can use slapi_entry_attr_exists() to check if attribute does exist > and then treat result of slapi_entry_attr_get_int() as actual value. > > Otherwise, that's a great investigation! Using slapi_entry_attr_exists() clears us of having to worry about getting an error condition back, but I'm still not confident how to handle the 0 maximum. Should I just put in a far-future date? From mbasti at redhat.com Fri Jun 5 15:03:08 2015 
From: mbasti at redhat.com (Martin Basti) Date: Fri, 05 Jun 2015 17:03:08 +0200 Subject: [Freeipa-devel] [PATCH 0051] Clear SSSD caches when uninstalling the client In-Reply-To: References: Message-ID: <5571BA2C.4050601@redhat.com> On 05/06/15 16:13, Gabe Alford wrote: > Hello, > > Fix for https://fedorahosted.org/freeipa/ticket/5049 > > Thanks, > > Gabe > > Thank you. I don't think we should remove all SSSD caches. SSSD can have several providers configured, not just IPA. IMO we should remove only IPA related caches, but wait for the SSSD guys for their opinion. -- Martin Basti -------------- next part -------------- An HTML attachment was scrubbed... URL: From simo at redhat.com Fri Jun 5 15:07:59 2015
From: simo at redhat.com (Simo Sorce) Date: Fri, 05 Jun 2015 11:07:59 -0400 Subject: [Freeipa-devel] Password Maxlife 0 causes expiration of 90 days In-Reply-To: <5571B41E.7030405@redhat.com> References: <5570BADF.5020002@redhat.com> <20150604214122.GK10162@redhat.com> <5571B41E.7030405@redhat.com> Message-ID: <1433516879.10825.20.camel@willson.usersys.redhat.com> On Fri, 2015-06-05 at 10:37 -0400, Drew Erny wrote: > On 06/04/2015 05:41 PM, Alexander Bokovoy wrote: > > On Thu, 04 Jun 2015, Drew Erny wrote: > >> https://fedorahosted.org/freeipa/ticket/2795 > >> > >> I've tracked down the source of this bug; it's nutty C stuff. > >> > >> So, in daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c, when you > >> update password, the expiration time appears to be set in the > >> function ipapwd_CheckPolicy on line 631, which looks like > >> > >> data->expireTime = data->timeNow + pol.max_pwd_life; > >> > >> So the bug has to be in how pol.max_pwd_life gets is value. So I > >> check around, pol is initialized like this: > >> > >> struct ipapwd_policy pol = {0}; > >> ... > >> pol.max_pwd_life = IPAPWD_DEFAULT_PWDLIFE; > >> > >> And IPAPWD_DEFAULT_PWDLIFE is a constant 90 days. > >> > >> But then the actual value of max_pwd_life is obtained by passing pol > >> into the function ipapwd_getPolicy on line 577 or 590, depending on > >> the password change type. > >> > >> Inside of ipapwd_getPolicy, there's a couple of lines starting at > >> line 393 > >> > >> tmpint = slapi_entry_attr_get_int(pe, "krbMaxPwdLife"); > >> if (tmpint != 0) { > >> policy->max_pwd_life = tmpint; > >> }: > >> > >> Which sets the max password life to the returned value, unless this > >> function returns 0. However, the documentation from > >> /usr/include/dirsrv/slapi-plugin.h says that that function, > >> slapi_entry_attr_get_int, returns 0 if the entry does not contain > >> that attribute. 
So, since the value 0 is returned, an error is > >> assumed to have occurred and that member of the struct is left > >> untouched... which means it's still set to the value it was set to > >> when it was initialized, 90 days. > >> > >> So, when the expireTime is set at line 631, it's set to 90 days > >> because the value returned by slapi_entry_attr_get_int is 0. > >> > >> I've checked to see if we can get some error context out of the pe > >> variable passed in, but it appears to be an opaque struct that the > >> user isn't meant to see the internals of. > >> > >> I'm not really sure what to do with this knowledge. The only thing I > >> can think would be to use another sentinel value, like -1, to > >> indicate that the password does not expire; or, otherwise, to > >> document that there is no way to have non-expiring passwords, and > >> administrators can only set value to some far-future date, and then > >> close this bug. Or, we could just set the default expiration date to > >> be somewhere far in the future. I'm not really qualified to make a > >> call on how to proceed with this, but I'm capable of making the > >> change if someone more senior decides. > >> > >> I can also totally see this issue with the interface of slapi-plugin > >> being the possible cause of many bugs. > > You can use slapi_entry_attr_exists() to check if attribute does exist > > and then treat result of slapi_entry_attr_get_int() as actual value. > > > > Otherwise, that's a great investigation! > > Using slapi_entry_attr_exists() clears us of having to worry about > getting an error condition back, but I'm still not confident how to > handle the 0 maximum. Should I just put in a far-future date? The current behavior is completely intentional, not a side effect of the code; the code was written that way intentionally. However, we may consider an RFE that requests different behavior; we would have to devise a special value for krbMaxPwdLife that means "infinite". Simo.
-- Simo Sorce * Red Hat, Inc * New York From jhrozek at redhat.com Fri Jun 5 15:08:36 2015 From: jhrozek at redhat.com (Jakub Hrozek) Date: Fri, 5 Jun 2015 17:08:36 +0200 Subject: [Freeipa-devel] [PATCH 0051] Clear SSSD caches when uninstalling the client In-Reply-To: <5571BA2C.4050601@redhat.com> References: <5571BA2C.4050601@redhat.com> Message-ID: <20150605150836.GK9480@hendrix.arn.redhat.com> On Fri, Jun 05, 2015 at 05:03:08PM +0200, Martin Basti wrote: > On 05/06/15 16:13, Gabe Alford wrote: > >Hello, > > > > Fix for https://fedorahosted.org/freeipa/ticket/5049 > > > >Thanks, > > > >Gabe > > > > > Thank you. > > I don't think we should remove all SSSD caches. > > SSSD can have several providers configured, not just IPA. > IMO we should remove only IPA related caches, but wait for the SSSD guys for > their opinion. You could use the python configAPI SSSD has to query which SSSD domains are active. But if the uninstall script removes sss from nsswitch.conf maybe it's enough to remove the memcache (/var/lib/sss/mc/); the persistent cache will not be reachable at all. From mbasti at redhat.com Fri Jun 5 15:09:13 2015
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 05 Jun 2015 17:09:13 +0200
Subject: [Freeipa-devel] [PATCH] 0016..0018 profiles regression fixes
In-Reply-To: <5571938A.1050707@redhat.com>
References: <20150605094756.GD23523@dhcp-40-8.bne.redhat.com> <5571813E.20105@redhat.com> <20150605115339.GF23523@dhcp-40-8.bne.redhat.com> <5571930F.5020401@redhat.com> <5571938A.1050707@redhat.com>
Message-ID: <5571BB99.3070900@redhat.com>

On 05/06/15 14:18, Martin Basti wrote:
> On 05/06/15 14:16, Oleg Fayans wrote:
>> Is it supposed to fix this issue?
>>
>> 2015-06-05T12:11:57Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
>>     return_value = self.run()
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 44, in run
>>     import ipaserver.plugins.dogtag  # ensure profile backend gets loaded
>>   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line 1273, in
>>     raise SkipPluginModule(reason='dogtag not selected as RA plugin')
>>
> No
>>
>> On 06/05/2015 01:53 PM, Fraser Tweedale wrote:
>>> On Fri, Jun 05, 2015 at 01:00:14PM +0200, Martin Basti wrote:
>>>> On 05/06/15 11:47, Fraser Tweedale wrote:
>>>>> Patches 16 and 17 fix regressions in the default profile.
>>>>>
>>>>> Patch 18 fixes the `ipa-replica-install --setup-ca' breakage.
>>>>>
>>>>> Cheers,
>>>>> Fraser
>>>>>
>>>> NACK, sorry
>>>>
>>>> ./make-lint
>>>> ************* Module ipaserver.plugins.dogtag
>>>> ipaserver/plugins/dogtag.py:2010: [E1124(redundant-keyword-arg), RestClient.__enter__] Argument 'method' passed by position and keyword in function call)
>>>> ipaserver/plugins/dogtag.py:2011: [E0602(undefined-variable), RestClient.__enter__] Undefined variable 'ca_host')
>>>>
>>>> --
>>>> Martin Basti
>>>>
>>> Whoops. One wayward comma that should have been a period!
>>>
>>> Here's an updated 0017..0018.
>>>
>>> Thanks,
>>> Fraser
>>>
>>
>> --
>> Oleg Fayans
>> Quality Engineer
>> FreeIPA team
>> RedHat.
>>
>
> --
> Martin Basti
>
ACK 16-1, 17-2, 18-2

--
Martin Basti

From redhatrises at gmail.com Fri Jun 5 15:46:05 2015
From: redhatrises at gmail.com (Gabe Alford)
Date: Fri, 5 Jun 2015 09:46:05 -0600
Subject: [Freeipa-devel] [PATCH 0051] Clear SSSD caches when uninstalling the client
In-Reply-To: <20150605150836.GK9480@hendrix.arn.redhat.com>
References: <5571BA2C.4050601@redhat.com> <20150605150836.GK9480@hendrix.arn.redhat.com>
Message-ID:

How should https://www.redhat.com/archives/freeipa-users/2015-June/msg00116.html be handled where the user cleared out the db cache?

On Fri, Jun 5, 2015 at 9:08 AM, Jakub Hrozek wrote:
> On Fri, Jun 05, 2015 at 05:03:08PM +0200, Martin Basti wrote:
> > On 05/06/15 16:13, Gabe Alford wrote:
> > >Hello,
> > >
> > > Fix for https://fedorahosted.org/freeipa/ticket/5049
> > >
> > >Thanks,
> > >
> > >Gabe
> > >
> > Thank you.
> >
> > I don't think we should remove all SSSD caches.
> >
> > SSSD can have configured several providers, not just IPA.
> > IMO we should remove only IPA related caches, but wait for SSSD guys for their opinion.
>
> You could use the python configAPI SSSD has to query which SSSD domains are active.
>
> But if the uninstall script removes sss from nsswitch.conf maybe it's enough to remove the memcache (/var/lib/sss/mc/), the persistent cache will not be reachable at all.
>
> --
> Manage your subscription for the Freeipa-devel mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-devel
> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
>

From jhrozek at redhat.com Fri Jun 5 15:53:24 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 5 Jun 2015 17:53:24 +0200
Subject: [Freeipa-devel] [PATCH 0051] Clear SSSD caches when uninstalling the client
In-Reply-To:
References: <5571BA2C.4050601@redhat.com> <20150605150836.GK9480@hendrix.arn.redhat.com>
Message-ID: <20150605155324.GL9480@hendrix.arn.redhat.com>

On Fri, Jun 05, 2015 at 09:46:05AM -0600, Gabe Alford wrote:
> How should https://www.redhat.com/archives/freeipa-users/2015-June/msg00116.html be handled where the user cleared out the db cache?

Ah, I confused that one with another issue Jan Pazdziora had, which was incidentally about client uninstall as well.

In that case, you can just remove the single ldb file that corresponds to the domain that the client is leaving. Maybe it would be safer to mv the files instead of removing them, but I guess if you run --uninstall, you really want just to purge everything..

btw do the ipa installer tools support multiple domains at all?

From rcritten at redhat.com Fri Jun 5 15:55:18 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 05 Jun 2015 11:55:18 -0400
Subject: [Freeipa-devel] [PATCH 0051] Clear SSSD caches when uninstalling the client
In-Reply-To: <20150605155324.GL9480@hendrix.arn.redhat.com>
References: <5571BA2C.4050601@redhat.com> <20150605150836.GK9480@hendrix.arn.redhat.com> <20150605155324.GL9480@hendrix.arn.redhat.com>
Message-ID: <5571C666.3040902@redhat.com>

Jakub Hrozek wrote:
> On Fri, Jun 05, 2015 at 09:46:05AM -0600, Gabe Alford wrote:
>> How should https://www.redhat.com/archives/freeipa-users/2015-June/msg00116.html be handled where the user cleared out the db cache?
>
> Ah, I confused that one with another issue Jan Pazdziora had, which was incidentally about client uninstall as well.
>
> In that case, you can just remove the single ldb file that corresponds to the domain that the client is leaving. Maybe it would be safer to mv the files instead of removing them, but I guess if you run --uninstall, you really want just to purge everything..
>
> btw do the ipa installer tools support multiple domains at all?
>

Yes, unless specifically requested an attempt is made to preserve the existing sssd.conf.

rob

From pvoborni at redhat.com Fri Jun 5 17:11:03 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 05 Jun 2015 19:11:03 +0200
Subject: [Freeipa-devel] [patch 0002] Abstract the HostTracker class from host plugin test
In-Reply-To: <5571A4F9.7020505@redhat.com>
References: <556D68EE.7010403@redhat.com> <5571A4F9.7020505@redhat.com>
Message-ID: <5571D827.1050700@redhat.com>

On 06/05/2015 03:32 PM, David Kupka wrote:
> On 06/02/2015 10:27 AM, Milan Kubik wrote:
>> Hello,
>>
>> this is the (first) patch with the Tracker class implementation based on the host plugin test.
>>
>> It is meant to be used as a base class to implement a helper class to write xml-rpc (api) tests for LDAP based plugins and to replace the Declarative class which is used for most of the xml-rpc tests at the moment.
>>
>> For an example usage take a look at the host plugin test.
>>
>> Cheers,
>> Milan
>>
>
> Hello!
> Thanks for the patch. Works for me, ACK.
>

Pushed to master: d25a45a9f99aa5d841f47baa0332f49223ecffca

I'm not sure if this patch fixes the ticket or if it's just the first of a series. Milan, please close the ticket if it is fixed by this patch.

--
Petr Vobornik

From pvoborni at redhat.com Fri Jun 5 17:14:51 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 05 Jun 2015 19:14:51 +0200
Subject: [Freeipa-devel] [PATCH] 0016..0018 profiles regression fixes
In-Reply-To: <5571BB99.3070900@redhat.com>
References: <20150605094756.GD23523@dhcp-40-8.bne.redhat.com> <5571813E.20105@redhat.com> <20150605115339.GF23523@dhcp-40-8.bne.redhat.com> <5571930F.5020401@redhat.com> <5571938A.1050707@redhat.com> <5571BB99.3070900@redhat.com>
Message-ID: <5571D90B.8020109@redhat.com>

On 06/05/2015 05:09 PM, Martin Basti wrote:
> On 05/06/15 14:18, Martin Basti wrote:
snip
>>>>>>
>>>>> NACK, sorry
>>>>>
snip
>>>>> Martin Basti
>>>>>
>>>> Whoops. One wayward comma that should have been a period!
>>>>
>>>> Here's an updated 0017..0018.
>>>>
>>>> Thanks,
>>>> Fraser
>>>>
>>
>> --
>> Martin Basti
>>
> ACK 16-1, 17-2, 18-2
>

pushed to master:
* ce33f82cfe528c17d3a1367172bb1475fe169b25 Fix certificate subject base
* 8b3bc99a737edb9178e115c188d60d963f73e50c Import profiles earlier during install
* 355b6d416d800692f7028e057ff76aab9f8c0470 ipa-pki-proxy: allow certificate and password authentication

--
Petr Vobornik

From pvoborni at redhat.com Fri Jun 5 17:19:12 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 05 Jun 2015 19:19:12 +0200
Subject: [Freeipa-devel] [PATCH] 828 webui: don't log in back after logout
In-Reply-To: <55717C51.30401@redhat.com>
References: <554B9FE9.2070503@redhat.com> <55717C51.30401@redhat.com>
Message-ID: <5571DA10.8000900@redhat.com>

On 06/05/2015 12:39 PM, Martin Basti wrote:
> On 07/05/15 19:24, Petr Vobornik wrote:
>> The automatic login attempt is initiated by the first failed xhr request, which happens in the metadata phase.
>>
>> A new phase was added before the metadata phase. It interrupts UI load and shows the login page if it's directly after logout (marked in session storage). Successful manual login resolves the phase so that the metadata phase can follow.
>>
>> https://fedorahosted.org/freeipa/ticket/5008
>>
> ACK
>

Pushed to master: cd5fe9b4079c848667b1e7c41b2f5d6ab173ee5f

--
Petr Vobornik

From pvoborni at redhat.com Fri Jun 5 17:21:26 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 05 Jun 2015 19:21:26 +0200
Subject: [Freeipa-devel] [PATCH] 831 webui: better error reporting
In-Reply-To: <55718258.10109@redhat.com>
References: <5555B63D.9040404@redhat.com> <55718258.10109@redhat.com>
Message-ID: <5571DA96.2090005@redhat.com>

On 06/05/2015 01:04 PM, Martin Basti wrote:
> On 15/05/15 11:02, Petr Vobornik wrote:
>> Helps in development and debugging.
>>
>> - ActionDropdownWidget - report error if required action is missing
>> - report build errors to console
>>
> ACK
>

Pushed to master: 847b5fd8d202e526c9d9599d5671808e9316aab7

--
Petr Vobornik

From pvoborni at redhat.com Fri Jun 5 17:26:43 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 05 Jun 2015 19:26:43 +0200
Subject: [Freeipa-devel] [PATCH 0026-0028] Fix nits in user-visible output
In-Reply-To: <556F076B.5000305@redhat.com>
References: <552BDB36.4090006@redhat.com> <552CBD6E.7080609@redhat.com> <552CC516.3030500@redhat.com> <556F076B.5000305@redhat.com>
Message-ID: <5571DBD3.6010300@redhat.com>

On 06/03/2015 03:55 PM, Martin Basti wrote:
> On 14/04/15 09:43, Petr Spacek wrote:
>> On 14.4.2015 09:10, Martin Kosek wrote:
>>> On 04/13/2015 05:05 PM, Petr Spacek wrote:
>>>> Hello,
>>>>
>>>> the documentation team proposed a few changes in user-visible messages, so here it is. It was not worth a ticket and the related overhead.
>>> The changes look OK to me. I would just have one (prudish) request to not add a nazi reference to our git history - whether they are grammar or not. Please keep the git technical :-)
>> Sure, here is the same patch with a modified commit message.
>>
>>
> 0026 ACK
> 0027-2 ACK
> 0028 ACK
>

pushed to master:
* a62b37cda271b74005198e4c8cecfb5528041cfd Clarify messages related to adding DNS forwarders
* 5bb35c1a295f61828dde17b2cbc04c5fb494e450 Grammar fix in 'Estimated time' messages printed by installer
* 13700d9d3f9abd25c80af5edf406e7057e04f318 Clarify host name output in ipa-client-install

--
Petr Vobornik

From redhatrises at gmail.com Fri Jun 5 17:31:54 2015
From: redhatrises at gmail.com (Gabe Alford)
Date: Fri, 5 Jun 2015 11:31:54 -0600
Subject: [Freeipa-devel] [PATCH 0051] Clear SSSD caches when uninstalling the client
In-Reply-To: <20150605155324.GL9480@hendrix.arn.redhat.com>
References: <5571BA2C.4050601@redhat.com> <20150605150836.GK9480@hendrix.arn.redhat.com> <20150605155324.GL9480@hendrix.arn.redhat.com>
Message-ID:

Thanks. Updated patch attached.

On Fri, Jun 5, 2015 at 9:53 AM, Jakub Hrozek wrote:
> On Fri, Jun 05, 2015 at 09:46:05AM -0600, Gabe Alford wrote:
> > How should https://www.redhat.com/archives/freeipa-users/2015-June/msg00116.html be handled where the user cleared out the db cache?
>
> Ah, I confused that one with another issue Jan Pazdziora had, which was incidentally about client uninstall as well.
>
> In that case, you can just remove the single ldb file that corresponds to the domain that the client is leaving. Maybe it would be safer to mv the files instead of removing them, but I guess if you run --uninstall, you really want just to purge everything..
>
> btw do the ipa installer tools support multiple domains at all?
>

Attachment: freeipa-rga-0051-2-Clear-SSSD-caches-when-uninstalling-the-client.patch (text/x-patch, 2223 bytes)

From pvoborni at redhat.com Fri Jun 5 17:33:12 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 05 Jun 2015 19:33:12 +0200
Subject: [Freeipa-devel] [PATCH 0001 v2] Migrate now accepts scope as argument
In-Reply-To: <55718D01.2010609@redhat.com>
References: <556F4A08.1040202@redhat.com> <5570703A.6080709@redhat.com> <5570A845.7020102@redhat.com> <5570A8A0.8030600@redhat.com> <55718D01.2010609@redhat.com>
Message-ID: <5571DD58.5070406@redhat.com>

On 06/05/2015 01:50 PM, Martin Basti wrote:
> On 04/06/15 21:36, Drew Erny wrote:
>> Whoops, hit the wrong "reply".
>>
>> On 06/04/2015 03:34 PM, Drew Erny wrote:
>>> This is the same patch sort of manually rebased on the master branch. I couldn't get it to cleanly rebase using tools, so I applied my commit line-by-line; the only changes I made were pulling the "scope = _supported_scopes[options.get('scope')]" out of the for loop I'd accidentally left it in, and moving the import statement to a different spot. Everything else should be the same, except I incremented VERSION and edited the comment.
>>>
>>> I do have to convert to tuple, because that argument is expected to be a tuple but .keys() returns a list.
> Oh right, Enum explicitly requires a tuple
>>>
>>>
>>> On 06/04/2015 11:35 AM, Martin Basti wrote:
>>>> On 03/06/15 20:40, Drew Erny wrote:
>>>>> Hi, all,
>>>>>
>>>>> This is an updated patch, with the code changes suggested by Martin Basti in my test email. The biggest difference is that I had to do
>>>>>
>>>>>     from ldap import SCOPE_BASE, SCOPE_ONELEVEL, SCOPE_SUBTREE
>>>>>
>>>>> To get access to those constants in the global scope. This seems like a fairly clean solution, but if it's a code smell, feel free to suggest improvements. This should have identical behavior to the last patch, except it will autofill scope and no longer prompt interactively.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Drew Erny
>>>>> derny at redhat.com
>>>>>
>>>>>
>>>> Hello,
>>>>
>>>> please continue the discussion in the same thread :)
>>>>
>>>> API.txt was changed, please update the VERSION file, increment the minor version by 1 and edit the comment there. I forgot to tell you yesterday.
>>>>
>>>> Can you rebase your patch to current master?
>>>> This patch is supposed to go to IPA 4.2.
>>>>
>>>> Is the tuple conversion needed?
>>>>     values=tuple(_supported_scopes.keys()),
>>>>
>>>> Otherwise the patch looks good.
>>>>
>>>> Martin^2
>>>> --
>>>> Martin Basti
>>>
>>
>>
>
> Thank you.
> ACK, it works as expected.
> Martin^2

Pushed to master: a57998f51eb8b62052fe021a68503eed4714c6d3

Next time, please include the full link to the ticket, i.e., with the protocol; otherwise it is not clickable and the ipa push tool doesn't recognize the ticket.

--
Petr Vobornik

From tbordaz at redhat.com Fri Jun 5 17:33:23 2015
From: tbordaz at redhat.com (thierry bordaz)
Date: Fri, 05 Jun 2015 19:33:23 +0200
Subject: [Freeipa-devel] Database error on replicas
In-Reply-To: <55708A82.8050402@redhat.com>
References: <556EBBBD.6060205@redhat.com> <556EBECE.8000508@redhat.com> <556EC4BE.4080802@redhat.com> <55708A82.8050402@redhat.com>
Message-ID: <5571DD63.8000300@redhat.com>

Hi,

So far I am still unable to reproduce the problem. Comparing the errors logs of the failing replica vs the successful replica, they are very similar, except for this failure.

Failing one:
...
[03/Jun/2015:03:45:33 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: *LDAP error -1 (Can't contact LDAP server)* ((null)) errno 115 (Operation now in progress)
[03/Jun/2015:03:45:33 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[03/Jun/2015:03:45:33 -0400] NSMMReplicationPlugin - agmt="cn=meTotestmaster.zaeba.li" (testmaster:389): Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[03/Jun/2015:03:45:38 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 2 (No such file or directory)
...

Successful one:
...
[05/Jun/2015:17:51:20 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-229.idm.lab.eng.brq.redhat.com" (vm-229:389): Replication bind with GSSAPI auth failed: *LDAP error -2 (Local error)* (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
Minor code may provide more information (No Kerberos credentials available))
[05/Jun/2015:17:51:23 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-229.idm.lab.eng.brq.redhat.com" (vm-229:389): Replication bind with GSSAPI auth resumed
[05/Jun/2015:18:47:26 +0200] - slapd shutting down - signaling operation threads - op stack size 7 max work q size 2 max work q stack size 2
[05/Jun/2015:18:47:26 +0200] - slapd shutting down - waiting for 1 thread to terminate
[05/Jun/2015:18:47:26 +0200] - slapd shutting down - closing down internal subsystems and plugins
[05/Jun/2015:18:47:26 +0200] - Waiting for 4 database threads to stop
[05/Jun/2015:18:47:27 +0200] - All database threads now stopped
[05/Jun/2015:18:47:27 +0200] - slapd shutting down - freed 2 work q stack objects - freed 8 op stack objects
[05/Jun/2015:18:47:27 +0200] - slapd stopped.
...

It looks like, in the failing case, the replica is not able to connect to the master. In the successful tests I did not install DNS, while it was installed in the failing tests. We need to retry with the DNS configuration, because it could be part of the failure to access the master host.

thanks
thierry

On 06/04/2015 07:27 PM, thierry bordaz wrote:
> Hello Oleg,
>
> So far I have been unable to reproduce the problem.
> I tried various scenarios depending on whether the first update was on master/slave, or with 2 slaves, 1 slave, 1 slave added later.
>
> Do you have any detail how you did your test?
>
> If you can restart the remaining VM, I would be interested in the logs (access/errors).
>
> thanks
> thierry
> On 06/03/2015 11:11 AM, Oleg Fayans wrote:
>> Hi Martin,
>>
>> On 06/03/2015 10:46 AM, Martin Babinsky wrote:
>>> On 06/03/2015 10:33 AM, Oleg Fayans wrote:
>>>> Hi,
>>>>
>>>> With the latest freeipa code containing the Topology plugin patches, I am unable to make any changes in replicas.
>>>>
>>>> I have the following topology:
>>>> replica1 <=> master <=> replica3
>>>> Here is the output of the ipa topologysegment-find command:
>>>>
>>>> Suffix name: realm
>>>> ------------------
>>>> 2 segments matched
>>>> ------------------
>>>>   Segment name: replica1.zaeba.li-to-testmaster.zaeba.li
>>>>   Left node: replica1.zaeba.li
>>>>   Right node: testmaster.zaeba.li
>>>>   Connectivity: both
>>>>
>>>>   Segment name: replica3.zaeba.li-to-testmaster.zaeba.li
>>>>   Left node: replica3.zaeba.li
>>>>   Right node: testmaster.zaeba.li
>>>>   Connectivity: both
>>>> ----------------------------
>>>> Number of entries returned 2
>>>> ----------------------------
>>>>
>>>> Any changes on master get replicated to replicas successfully. However, any attempts to change anything on replicas, for example, create a user, result in the error message about DatabaseError (attached).
>>>>
>>>> The corresponding part of the dirsrv log looks like this:
>>>>
>>>> [03/Jun/2015:04:11:55 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
>>>> [03/Jun/2015:04:15:02 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
>>>> [03/Jun/2015:04:16:55 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 2 (No such file or directory)
>>>> [03/Jun/2015:04:16:55 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
>>>>
>>>> The full log is attached
>>>>
>>>>
>>> Hi Oleg,
>>>
>>> could you also post the output of 'journalctl -xe' related to dirsrv (on master and also on replicas)?
>>> I have seen a couple of segfaults there during reviewing Petr Vobornik's topology* commands.
>>>
>> Attached
>>
>>
>

From edewata at redhat.com Fri Jun 5 19:50:13 2015
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 05 Jun 2015 14:50:13 -0500
Subject: [Freeipa-devel] [PATCH] Password vault
In-Reply-To: <55719260.8080300@redhat.com>
References: <54E1AF55.3060409@redhat.com> <54EBEB55.6010306@redhat.com> <54F96B22.9050507@redhat.com> <55004D5D.6060300@redhat.com> <550FE5EB.1070606@redhat.com> <551E0AE1.8040500@redhat.com> <553498D1.1020901@redhat.com> <55651209.8020000@redhat.com> <556558AA.6040107@redhat.com> <556CF209.7050404@redhat.com> <556EF05E.90103@redhat.com> <55719260.8080300@redhat.com>
Message-ID: <5571FD75.5010708@redhat.com>

On 6/5/2015 7:13 AM, Jan Cholasta wrote:
>>>> If KRA is not installed, vault-archive and vault-retrieve fail with an internal error.
>>>
>>> Added code to check the KRA installation in all vault commands. If you know a way not to load the vault plugin if the KRA is not installed please let me know, that's probably even better. Not sure how that will work on the client side though.
>>
>> I see this has been already resolved in the other thread.

The other thread was talking about removing the pki-base dependency on the client side, but the vault plugin is still loaded on both client and server regardless of KRA installation. Ideally the vault plugin should not even be loaded so you cannot even execute the commands.

>>>> The commands still behave differently based on whether they were called from an API which was initialized with in_server set to True or False.
>>>
>>> That is unfortunately a restriction imposed by the framework. In order to guarantee the security, the vault is designed to have separate client and server code. The client code encrypts the secret, the server code forwards the encrypted secret to KRA. To archive a secret into a vault properly, you are supposed to call the client code. If you're calling the server code directly, you are responsible for doing your own encryption (i.e. generating the session key, nonce, and vault data).
>>
>> I understand why the code has to be separated; what I don't understand is why it is in fact *not* separated and crammed into a single command, making weird and undefined behavior possible.
>>
>>> If another plugin wants to use vault, it should implement client code which calls the vault client code to perform the archival from the client side.
>>>
>>> What is the use case for calling the vault API from the server side anyway? Wouldn't that defeat the purpose of having a vault? If a secret exists on the server side in an unencrypted form doesn't it mean the secret may already have been compromised?
>>
>> Server API is used not only by the server itself, but also by installers for example. Anyway the point is that there *can't* be a broken API like this, you should at least raise an error if the command is called from the server API, although actually separating it into client and server parts would be preferable.
>>
>>>> There is no point in exposing the session_key, nonce and vault_data options in CLI when their value is always overwritten in forward().
>>>
>>> I agree there is no need to expose them in CLI, but in this framework the API also defines the CLI. If there's a way to keep them in the server API but not expose them in the CLI please let me know. Or, if there's a way to define a completely separate server API (without a matching client CLI) and client CLI (without a matching server API) that will work too.
>>
>> As I suggested above, you can split the commands into separate client and server commands. The client command should inherit from frontend.Local so that it is always executed locally and the server command should have a "NO_CLI = True" attribute so that it is not available in the CLI.

I see the vault_archive and vault_retrieve now inherit from PKQuery, and there is a hack to execute the forward() even on the server side. A few things below:

1.
Why didn't you use frontend.Local as you initially suggested? If there's a problem with frontend.Local please attach the ticket number in the code.

2. The forward() can be merged into run(). There is no need to keep the code in forward(). It would make more sense to have a run() method that runs both on client and server, rather than a forward() that is supposed to run on the client only but is now forced to run on the server too, semantically speaking.

> Attached is a patch including the requested changes.
>
> I have also changed vault_config to vaultconfig_show, for consistency with {,dns}config_show (it also makes the transport certificate retrieval code in vault_{archive,retrieve} simpler).

3. The parameter description for nonce should be just 'Nonce' instead of 'Nonce encrypted'.

4. There's a PEP8 error.

5. The VERSION needs to be updated.

Assuming the above issues are addressed, ACK.

> I have noticed that triple-length DES is used for the session key. Wouldn't AES be better?
>
>     # generate session key
>     mechanism = nss.CKM_DES3_CBC_PAD

That's the default used by the KRA's client library, and that's what the KRA has been tested with. We probably can change it to AES later. It shouldn't be blocking this patch.

> BTW, ipa-kra-install is broken with pki-core-10.2.4-1, but it works with pki-core-10.2.1-3.

There's a bug in IPA: https://bugzilla.redhat.com/show_bug.cgi?id=1228671

--
Endi S. Dewata

From ftweedal at redhat.com Mon Jun 8 01:31:22 2015
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Mon, 8 Jun 2015 11:31:22 +1000
Subject: [Freeipa-devel] [PATCHES 00012-0013 v7] Profiles and CA ACLs
In-Reply-To: <55705542.4000002@redhat.com>
References: <55682FB0.1030807@redhat.com> <55684792.3070006@redhat.com> <20150601071058.GI23523@dhcp-40-8.bne.redhat.com> <20150601072228.GJ23523@dhcp-40-8.bne.redhat.com> <20150602121127.GU23523@dhcp-40-8.bne.redhat.com> <556DDBD6.70007@redhat.com> <20150603141717.GZ23523@dhcp-40-8.bne.redhat.com> <556F3009.1090503@redhat.com> <20150604065944.GB23523@dhcp-40-8.bne.redhat.com> <55705542.4000002@redhat.com>
Message-ID: <20150608013122.GH23523@dhcp-40-8.bne.redhat.com>

New patches attached. Comments inline.

On Thu, Jun 04, 2015 at 03:40:18PM +0200, Martin Basti wrote:
> Hello,
>
> design page needs upgrade
>
> Please fix
> 1)
> ngettext/ugettext missing? (several times)
> ('%i object added.', '%i objects added.')
>
Updated, and customised to say the actual things being added/removed. There seem to be many plugins still without internationalised `member_count_out' strings.

> 2)
> --allprofiles=BOOL Allow use of all profiles
> --allusers=BOOL Allow all users
> --allhosts=BOOL Allow all hosts
> --allservices=BOOL Allow all services
>
> Other commands use the separate words with '-', I suggest to use --all-profiles=True, etc..
>
Subsumed by (4).

> 3)
> In the following example, there is a missing ACL name:
> + ipa caacl-add-user --user=alice
>
Thanks, fixed.

> 4)
> attributes 'ipaCaAclAllCAs', 'ipaCaAclAllProfiles', 'ipaCaAclAllUsers', 'ipaCaAclAllHosts', 'ipaCaAclAllServices' should be called ipaCaAclCAsCategory, etc... to be consistent, please reuse usercategory, hostcategory, etc. and create new category attribute definitions for the rest.
> Please read sudorule.py for details.
> Respectively, instead of BOOLEAN True, the value 'all' should be there. This allows to extend it in future.
>
I made this change.
Accordingly there is less schema now - but some new attributes 'caCategory', 'profileCategory', 'memberCa' and 'memberProfile' - and more code :)

> 5)
> Missing referint plugin configuration for attribute 'ipacaaclmembercertprofile'
> Please add it into install/updates/25-referint.update (+ other member attributes if missing)
>
Added this. There is a comment in 25-referint.update:

    # pres and eq indexes defined in 20-indices.update must be set
    # for all the attributes

Can you explain what is required here? Is it just to add: I see things for memberUser and memberHost in indices.ldif but nothing for memberService. Do I need to add to indices.ldif:

    dn: cn=memberProfile,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
    changetype: add
    cn: memberProfile
    ObjectClass: top
    ObjectClass: nsIndex
    nsSystemIndex: false
    nsIndexType: eq
    nsIndexType: pres
    nsIndexType: sub

, and similarly for memberCa? Sorry I do not know much about LDAP indexing.

> 6)
> ACI:
> 'memberhostgroup' is not virtual nor real attribute, please remove it from there (Honza told me there is an error in HBAC ipa plugin, I will send fix)
>
Removed.

Thanks for reviewing!
Fraser

-------------- next part --------------
From c8ca3e613487fa8f14ded1533588872205bbe1de Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Mon, 25 May 2015 08:39:07 -0400
Subject: [PATCH 12/13] Add CA ACL plugin

Implement the caacl commands, which are used to indicate which principals may be issued certificates from which (sub-)CAs, using which profiles.

At this commit, and until sub-CAs are implemented, all rules refer to the top-level CA (represented as ".") and no ca-ref argument is exposed.

Also add a default CA ACL that permits certificate issuance for all hosts and services using the profile 'caIPAserviceCert' on the top-level CA. This rule is added during install but not upgrade.

Part of: https://fedorahosted.org/freeipa/ticket/57
Part of: https://fedorahosted.org/freeipa/ticket/4559
---
 ACI.txt                                   |  10 +
 API.txt                                   | 184 ++++++++++++
 VERSION                                   |   4 +-
 install/share/60certificate-profiles.ldif |   5 +
 install/share/Makefile.am                 |   1 +
 install/share/bootstrap-template.ldif     |   6 +
 install/share/default-caacl.ldif          |  11 +
 install/updates/25-referint.update        |   2 +
 install/updates/41-caacl.update           |   4 +
 install/updates/Makefile.am               |   1 +
 ipalib/constants.py                       |   1 +
 ipalib/plugins/caacl.py                   | 476 ++++++++++++++++++++++++++++++
 ipaserver/install/dsinstance.py           |   4 +
 13 files changed, 707 insertions(+), 2 deletions(-)
 create mode 100644 install/share/default-caacl.ldif
 create mode 100644 install/updates/41-caacl.update
 create mode 100644 ipalib/plugins/caacl.py

diff --git a/ACI.txt b/ACI.txt
index 59173ac1b593f15e079c7b1fce43ec9b0084ec91..bf63cb4caac09fb9d9697290e31afdee0a364882 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -22,6 +22,16 @@ dn: cn=automount,dc=ipa,dc=example aci: (targetattr = "automountmapname || description")(targetfilter = "(objectclass=automountmap)")(version 3.0;acl "permission:System: Modify Automount Maps";allow (write) groupdn = "ldap:///cn=System: Modify Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=automount,dc=ipa,dc=example aci: (targetfilter = "(objectclass=automountmap)")(version 3.0;acl "permission:System: Remove Automount Maps";allow (delete) groupdn = "ldap:///cn=System: Remove Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=caacls,cn=ca,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Add CA ACL";allow (add) groupdn = "ldap:///cn=System: Add CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=caacls,cn=ca,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Delete CA ACL";allow (delete) groupdn = "ldap:///cn=System: Delete CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=caacls,cn=ca,dc=ipa,dc=example +aci: (targetattr = "cacategory || hostcategory || memberca || memberhost || memberprofile || memberservice || memberuser || profilecategory || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Manage CA ACL Membership";allow (write) groupdn = "ldap:///cn=System: Manage CA ACL Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=caacls,cn=ca,dc=ipa,dc=example +aci: (targetattr = "cn || description || ipaenabledflag")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Modify CA ACL";allow (write) groupdn = "ldap:///cn=System: Modify CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=caacls,cn=ca,dc=ipa,dc=example +aci: (targetattr = "cacategory || cn || createtimestamp || description || entryusn || hostcategory || ipaenabledflag || ipauniqueid || member || memberca || memberhost || 
memberprofile || memberservice || memberuser || modifytimestamp || objectclass || profilecategory || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Read CA ACLs";allow (compare,read,search) userdn = "ldap:///all";) dn: cn=certprofiles,cn=ca,dc=ipa,dc=example aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Delete Certificate Profile";allow (delete) groupdn = "ldap:///cn=System: Delete Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=certprofiles,cn=ca,dc=ipa,dc=example diff --git a/API.txt b/API.txt index eca4e302021316f9b02e543a9dc8b029286696cc..5263aa61f0981410534d28bf2ddde9020a971834 100644 --- a/API.txt +++ b/API.txt 
@@ -456,6 +456,190 @@ option: Str('version?', exclude='webui') output: Output('result', , None) output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) +command: caacl_add +args: 1,12,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, required=True) +option: Str('addattr*', cli_name='addattr', exclude='webui') +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('description', attribute=True, cli_name='desc', multivalue=False, required=False) +option: StrEnum('hostcategory', attribute=True, cli_name='hostcat', multivalue=False, required=False, values=(u'all',)) +option: Bool('ipaenabledflag', attribute=True, cli_name='ipaenabledflag', multivalue=False, required=False) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: StrEnum('profilecategory', attribute=True, cli_name='profilecat', multivalue=False, required=False, values=(u'all',)) +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: StrEnum('servicecategory', attribute=True, cli_name='servicecat', multivalue=False, required=False, values=(u'all',)) +option: Str('setattr*', cli_name='setattr', exclude='webui') +option: StrEnum('usercategory', attribute=True, cli_name='usercat', multivalue=False, required=False, values=(u'all',)) +option: Str('version?', exclude='webui') +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) +command: caacl_add_host +args: 1,6,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('host*', alwaysask=True, cli_name='hosts', csv=True) +option: Str('hostgroup*', alwaysask=True, cli_name='hostgroups', csv=True) +option: 
Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: caacl_add_profile +args: 1,5,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('certprofile*', alwaysask=True, cli_name='certprofiles', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: caacl_add_service +args: 1,5,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('service*', alwaysask=True, cli_name='services', csv=True) +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: caacl_add_user +args: 1,6,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') 
+option: Str('group*', alwaysask=True, cli_name='groups', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('user*', alwaysask=True, cli_name='users', csv=True) +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: caacl_del +args: 1,2,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=True, primary_key=True, query=True, required=True) +option: Flag('continue', autofill=True, cli_name='continue', default=False) +option: Str('version?', exclude='webui') +output: Output('result', , None) +output: Output('summary', (, ), None) +output: ListOfPrimaryKeys('value', None, None) +command: caacl_disable +args: 1,1,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Str('version?', exclude='webui') +output: Output('result', , None) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) +command: caacl_enable +args: 1,1,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Str('version?', exclude='webui') +output: Output('result', , None) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) +command: caacl_find +args: 1,14,4 +arg: Str('criteria?', noextrawhitespace=False) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('cn', attribute=True, autofill=False, cli_name='name', multivalue=False, primary_key=True, query=True, required=False) +option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, query=True, required=False) +option: StrEnum('hostcategory', attribute=True, autofill=False, 
cli_name='hostcat', multivalue=False, query=True, required=False, values=(u'all',)) +option: Bool('ipaenabledflag', attribute=True, autofill=False, cli_name='ipaenabledflag', multivalue=False, query=True, required=False) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('pkey_only?', autofill=True, default=False) +option: StrEnum('profilecategory', attribute=True, autofill=False, cli_name='profilecat', multivalue=False, query=True, required=False, values=(u'all',)) +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: StrEnum('servicecategory', attribute=True, autofill=False, cli_name='servicecat', multivalue=False, query=True, required=False, values=(u'all',)) +option: Int('sizelimit?', autofill=False, minvalue=0) +option: Int('timelimit?', autofill=False, minvalue=0) +option: StrEnum('usercategory', attribute=True, autofill=False, cli_name='usercat', multivalue=False, query=True, required=False, values=(u'all',)) +option: Str('version?', exclude='webui') +output: Output('count', , None) +output: ListOfEntries('result', (, ), Gettext('A list of LDAP entries', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: Output('truncated', , None) +command: caacl_mod +args: 1,14,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Str('addattr*', cli_name='addattr', exclude='webui') +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('delattr*', cli_name='delattr', exclude='webui') +option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, required=False) +option: StrEnum('hostcategory', attribute=True, autofill=False, cli_name='hostcat', multivalue=False, required=False, values=(u'all',)) +option: Bool('ipaenabledflag', attribute=True, autofill=False, cli_name='ipaenabledflag', multivalue=False, required=False) +option: 
Flag('no_members', autofill=True, default=False, exclude='webui') +option: StrEnum('profilecategory', attribute=True, autofill=False, cli_name='profilecat', multivalue=False, required=False, values=(u'all',)) +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Flag('rights', autofill=True, default=False) +option: StrEnum('servicecategory', attribute=True, autofill=False, cli_name='servicecat', multivalue=False, required=False, values=(u'all',)) +option: Str('setattr*', cli_name='setattr', exclude='webui') +option: StrEnum('usercategory', attribute=True, autofill=False, cli_name='usercat', multivalue=False, required=False, values=(u'all',)) +option: Str('version?', exclude='webui') +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) +command: caacl_remove_host +args: 1,6,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('host*', alwaysask=True, cli_name='hosts', csv=True) +option: Str('hostgroup*', alwaysask=True, cli_name='hostgroups', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: caacl_remove_profile +args: 1,5,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('certprofile*', alwaysask=True, cli_name='certprofiles', csv=True) 
+option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: caacl_remove_service +args: 1,5,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('service*', alwaysask=True, cli_name='services', csv=True) +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: caacl_remove_user +args: 1,6,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('group*', alwaysask=True, cli_name='groups', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('user*', alwaysask=True, cli_name='users', csv=True) +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: caacl_show +args: 1,5,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', 
autofill=True, cli_name='all', default=False, exclude='webui') +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Flag('rights', autofill=True, default=False) +option: Str('version?', exclude='webui') +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) command: cert_find args: 0,17,4 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') diff --git a/VERSION b/VERSION index fe746a7f5c47f02c838763bdda6cb1c61579f6ff..e188a8bc94e29b07eb1fea8c2e2975a1760565c6 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=125 -# Last change: derny - migration now accepts scope as argument +IPA_API_VERSION_MINOR=126 +# Last change: ftweedal - add caacl plugin diff --git a/install/share/60certificate-profiles.ldif b/install/share/60certificate-profiles.ldif index f1281949e53386e5bfe8b35e0c15858c693c5467..aa47c9b5d6b2db885b6273866cdf602df90c2e30 100644 --- a/install/share/60certificate-profiles.ldif +++ b/install/share/60certificate-profiles.ldif 
@@ -1,3 +1,8 @@ dn: cn=schema attributeTypes: (2.16.840.1.113730.3.8.21.1.1 NAME 'ipaCertProfileStoreIssued' DESC 'Store certificates issued using this profile' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.2' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.2 NAME 'memberCa' DESC 'Reference to a CA member' SUP distinguishedName EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v4.2' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.3 NAME 'memberProfile' DESC 'Reference to a certificate profile member' SUP distinguishedName EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v4.2' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.4 NAME 'caCategory' DESC 'Additional classification for CAs' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.2' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.5 NAME 'profileCategory' DESC 'Additional classification for certificate profiles' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.2' ) objectClasses: (2.16.840.1.113730.3.8.21.2.1 NAME 'ipaCertProfile' SUP top STRUCTURAL MUST ( cn $ description $ ipaCertProfileStoreIssued ) X-ORIGIN 'IPA v4.2' ) +objectClasses: (2.16.840.1.113730.3.8.21.2.2 NAME 'ipaCaAcl' SUP ipaAssociation STRUCTURAL MUST cn MAY ( caCategory $ profileCategory $ userCategory $ hostCategory $ serviceCategory $ memberCa $ memberProfile $ memberService ) X-ORIGIN 'IPA v4.2' ) diff --git a/install/share/Makefile.am b/install/share/Makefile.am index 31f391be25c58b76cc71971852074d80c5514745..e97a89ca93f7f188e06dc982bd69e251f8082df3 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am 
@@ -29,6 +29,7 @@ app_DATA = \ bootstrap-template.ldif \ caJarSigningCert.cfg.template \ default-aci.ldif \ + default-caacl.ldif \ default-hbac.ldif \ default-smb-group.ldif \ default-trust-view.ldif \ diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif index c5d4bad8b80640881f4631e4873a12c82b0ea48a..2387f220fd4fe6e3ccd59f4b592f2473d7acfa44 100644 --- a/install/share/bootstrap-template.ldif +++ b/install/share/bootstrap-template.ldif @@ -441,3 +441,9 @@ changetype: add objectClass: nsContainer objectClass: top cn: certprofiles + +dn: cn=caacls,cn=ca,$SUFFIX +changetype: add +objectClass: nsContainer +objectClass: top +cn: caacls diff --git a/install/share/default-caacl.ldif b/install/share/default-caacl.ldif new file mode 100644 index 0000000000000000000000000000000000000000..8acfb489522fe8c66afdc2ed6ac1105f249cd140 --- /dev/null +++ b/install/share/default-caacl.ldif @@ -0,0 +1,11 @@ +# default CA ACL that grants use of caIPAserviceCert on top-level CA to all hosts and services +dn: ipauniqueid=autogenerate,cn=caacls,cn=ca,$SUFFIX +changetype: add +objectclass: ipaassociation +objectclass: ipacaacl +ipauniqueid: autogenerate +cn: hosts_services_caIPAserviceCert +ipaenabledflag: TRUE +memberprofile: cn=caIPAserviceCert,cn=certprofiles,cn=ca,$SUFFIX +hostcategory: all +servicecategory: all diff --git a/install/updates/25-referint.update b/install/updates/25-referint.update index 005cd0376d82c83b1b7ab368f992e209b0da5e9a..f173254e189f080e39b29ce214d684b35ae8057a 100644 --- a/install/updates/25-referint.update +++ b/install/updates/25-referint.update @@ -17,3 +17,5 @@ add: referint-membership-attr: ipasudorunasgroup add: referint-membership-attr: ipatokenradiusconfiglink add: referint-membership-attr: ipaassignedidview add: referint-membership-attr: ipaallowedtarget +add: referint-membership-attr: memberca +add: referint-membership-attr: memberprofile 
diff --git a/install/updates/41-caacl.update b/install/updates/41-caacl.update new file mode 100644 index 0000000000000000000000000000000000000000..a18b6ec946855c194077d9ac01a8adcfddf8542e --- /dev/null +++ b/install/updates/41-caacl.update @@ -0,0 +1,4 @@ +dn: cn=caacls,cn=ca,$SUFFIX +default: objectClass: nsContainer +default: objectClass: top +default: cn: caacls diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am index fc6bd624eac619cdddeba29b85440571d85fd69f..eddf4d850ed4b47d5526dc152149fa21b14779d4 100644 --- a/install/updates/Makefile.am +++ b/install/updates/Makefile.am @@ -35,6 +35,7 @@ app_DATA = \ 40-certprofile.update \ 40-otp.update \ 40-vault.update \ + 41-caacl.update \ 45-roles.update \ 50-7_bit_check.update \ 50-dogtag10-migration.update \ diff --git a/ipalib/constants.py b/ipalib/constants.py index 93d7aaa7b0b5f0b47b8839e764ef168c1fe08c97..86b1ce8bd501845e7b5871773e86521d3c5d2ad9 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -120,6 +120,7 @@ DEFAULT_CONFIG = ( ('container_masters', DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'))), ('container_certprofile', DN(('cn', 'certprofiles'), ('cn', 'ca'))), ('container_topology', DN(('cn', 'topology'), ('cn', 'ipa'), ('cn', 'etc'))), + ('container_caacl', DN(('cn', 'caacls'), ('cn', 'ca'))), # Ports, hosts, and URIs: ('xmlrpc_uri', 'http://localhost:8888/ipa/xml'), diff --git a/ipalib/plugins/caacl.py b/ipalib/plugins/caacl.py new file mode 100644 index 0000000000000000000000000000000000000000..c589e07b9b211d34239294baeddeee54178c68e6 --- /dev/null +++ b/ipalib/plugins/caacl.py 
@@ -0,0 +1,476 @@ +# +# Copyright (C) 2015 FreeIPA Contributors see COPYING for license +# + +from ipalib import api, errors, output +from ipalib import Bool, Str, StrEnum +from ipalib.plugable import Registry +from ipalib.plugins.baseldap import ( + LDAPObject, LDAPSearch, LDAPCreate, LDAPDelete, LDAPQuery, + LDAPUpdate, LDAPRetrieve, LDAPAddMember, LDAPRemoveMember, + global_output_params, pkey_to_value) +from ipalib.plugins.hbacrule import is_all +from ipalib import _, ngettext +from ipapython.dn import DN + + +__doc__ = _(""" +Manage CA ACL rules. + +This plugin is used to define rules governing which principals are +permitted to have certificates issued using a given certificate +profile. + +PROFILE ID SYNTAX: + +A Profile ID is a string without spaces or punctuation starting with a letter +and followed by a sequence of letters, digits or underscore ("_"). + +EXAMPLES: + + Create a CA ACL "test" that grants all users access to the + "UserCert" profile: + ipa caacl-add test --usercat=all + ipa caacl-add-profile test --certprofiles UserCert + + Display the properties of a named CA ACL: + ipa caacl-show test + + Create a CA ACL to let user "alice" use the "DNP3" profile: + ipa caacl-add-profile alice_dnp3 --certprofiles DNP3 + ipa caacl-add-user alice_dnp3 --user=alice + + Disable a CA ACL: + ipa caacl-disable test + + Remove a CA ACL: + ipa caacl-del test +""") + +register = Registry() + + + at register() +class caacl(LDAPObject): + """ + CA ACL object. 
+ """ + container_dn = api.env.container_caacl + object_name = _('CA ACL') + object_name_plural = _('CA ACLs') + object_class = ['ipaassociation', 'ipacaacl'] + permission_filter_objectclasses = ['ipacaacl'] + default_attributes = [ + 'cn', 'description', 'ipaenabledflag', + 'cacategory', 'memberca', + 'profilecategory', 'memberprofile', + 'usercategory', 'memberuser', + 'hostcategory', 'memberhost', + 'servicecategory', 'memberservice', + ] + uuid_attribute = 'ipauniqueid' + rdn_attribute = 'ipauniqueid' + attribute_members = { + 'memberuser': ['user', 'group'], + 'memberhost': ['host', 'hostgroup'], + 'memberservice': ['service'], + 'memberprofile': ['certprofile'], + } + managed_permissions = { + 'System: Read CA ACLs': { + 'replaces_global_anonymous_aci': True, + 'ipapermbindruletype': 'all', + 'ipapermright': {'read', 'search', 'compare'}, + 'ipapermdefaultattr': { + 'cn', 'description', 'ipaenabledflag', + 'cacategory', 'memberca', + 'profilecategory', 'memberprofile', + 'usercategory', 'memberuser', + 'hostcategory', 'memberhost', + 'servicecategory', 'memberservice', + 'ipauniqueid', + 'objectclass', 'member', + }, + }, + 'System: Add CA ACL': { + 'ipapermright': {'add'}, + 'replaces': [ + '(target = "ldap:///ipauniqueid=*,cn=caacls,cn=ca,$SUFFIX")(version 3.0;acl "permission:Add CA ACL";allow (add) groupdn = "ldap:///cn=Add CA ACL,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + 'System: Delete CA ACL': { + 'ipapermright': {'delete'}, + 'replaces': [ + '(target = "ldap:///ipauniqueid=*,cn=caacls,cn=ca,$SUFFIX")(version 3.0;acl "permission:Delete CA ACL";allow (delete) groupdn = "ldap:///cn=Delete CA ACL,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + 'System: Manage CA ACL Membership': { + 'ipapermright': {'write'}, + 'ipapermdefaultattr': { + 'cacategory', 'memberca', + 'profilecategory', 'memberprofile', + 'usercategory', 'memberuser', + 'hostcategory', 
'memberhost', + 'servicecategory', 'memberservice' + }, + 'replaces': [ + '(targetattr = "memberca || memberprofile || memberuser || memberservice || memberhost || cacategory || profilecategory || usercategory || hostcategory || servicecategory")(target = "ldap:///ipauniqueid=*,cn=caacls,cn=ca,$SUFFIX")(version 3.0;acl "permission:Manage CA ACL membership";allow (write) groupdn = "ldap:///cn=Manage CA ACL membership,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + 'System: Modify CA ACL': { + 'ipapermright': {'write'}, + 'ipapermdefaultattr': { + 'cn', 'description', 'ipaenabledflag', + }, + 'replaces': [ + '(targetattr = "cn || description || ipaenabledflag")(target = "ldap:///ipauniqueid=*,cn=caacls,cn=ca,$SUFFIX")(version 3.0;acl "permission:Modify CA ACL";allow (write) groupdn = "ldap:///cn=Modify CA ACL,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + } + + label = _('CA ACLs') + label_singular = _('CA ACL') + + takes_params = ( + Str('cn', + cli_name='name', + label=_('ACL name'), + primary_key=True, + ), + Str('description?', + cli_name='desc', + label=_('Description'), + ), + Bool('ipaenabledflag?', + label=_('Enabled'), + flags=['no_option'], + ), + # Commented until subca plugin arrives + #StrEnum('cacategory?', + # cli_name='cacat', + # label=_('CA category'), + # doc=_('CA category the ACL applies to'), + # values=(u'all', ), + #), + StrEnum('profilecategory?', + cli_name='profilecat', + label=_('Profile category'), + doc=_('Profile category the ACL applies to'), + values=(u'all', ), + ), + StrEnum('usercategory?', + cli_name='usercat', + label=_('User category'), + doc=_('User category the ACL applies to'), + values=(u'all', ), + ), + StrEnum('hostcategory?', + cli_name='hostcat', + label=_('Host category'), + doc=_('Host category the ACL applies to'), + values=(u'all', ), + ), + StrEnum('servicecategory?', + cli_name='servicecat', + label=_('Service category'), + 
doc=_('Service category the ACL applies to'), + values=(u'all', ), + ), + # Commented until subca plugin arrives + #Str('memberca_subca?', + # label=_('CAs'), + # flags=['no_create', 'no_update', 'no_search'], + #), + Str('memberprofile_certprofile?', + label=_('Profiles'), + flags=['no_create', 'no_update', 'no_search'], + ), + Str('memberuser_user?', + label=_('Users'), + flags=['no_create', 'no_update', 'no_search'], + ), + Str('memberuser_group?', + label=_('User Groups'), + flags=['no_create', 'no_update', 'no_search'], + ), + Str('memberhost_host?', + label=_('Hosts'), + flags=['no_create', 'no_update', 'no_search'], + ), + Str('memberhost_hostgroup?', + label=_('Host Groups'), + flags=['no_create', 'no_update', 'no_search'], + ), + Str('memberservice_service?', + label=_('Services'), + flags=['no_create', 'no_update', 'no_search'], + ), + ) + + + at register() +class caacl_add(LDAPCreate): + __doc__ = _('Create a new CA ACL.') + + msg_summary = _('Added CA ACL "%(value)s"') + + def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + # CA ACLs are enabled by default + entry_attrs['ipaenabledflag'] = ['TRUE'] + return dn + + + at register() +class caacl_del(LDAPDelete): + __doc__ = _('Delete a CA ACL.') + + msg_summary = _('Deleted CA ACL "%(value)s"') + + + at register() +class caacl_mod(LDAPUpdate): + __doc__ = _('Modify a CA ACL.') + + msg_summary = _('Modified CA ACL "%(value)s"') + + def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + assert isinstance(dn, DN) + try: + entry_attrs = ldap.get_entry(dn, attrs_list) + dn = entry_attrs.dn + except errors.NotFound: + self.obj.handle_not_found(*keys) + + # Commented until subca plugin arrives + #if is_all(options, 'cacategory') and 'memberca' in entry_attrs: + # raise errors.MutuallyExclusiveError(reason=_( + # "CA category cannot be set to 'all' " + # "while there are allowed CAs")) + if is_all(options, 'profilecategory') and 'memberprofile' in entry_attrs: + 
raise errors.MutuallyExclusiveError(reason=_( + "profile category cannot be set to 'all' " + "while there are allowed profiles")) + if is_all(options, 'usercategory') and 'memberuser' in entry_attrs: + raise errors.MutuallyExclusiveError(reason=_( + "user category cannot be set to 'all' " + "while there are allowed users")) + if is_all(options, 'hostcategory') and 'memberhost' in entry_attrs: + raise errors.MutuallyExclusiveError(reason=_( + "host category cannot be set to 'all' " + "while there are allowed hosts")) + if is_all(options, 'servicecategory') and 'memberservice' in entry_attrs: + raise errors.MutuallyExclusiveError(reason=_( + "service category cannot be set to 'all' " + "while there are allowed services")) + return dn + + + at register() +class caacl_find(LDAPSearch): + __doc__ = _('Search for CA ACLs.') + + msg_summary = ngettext( + '%(count)d CA ACL matched', '%(count)d CA ACLs matched', 0 + ) + + + at register() +class caacl_show(LDAPRetrieve): + __doc__ = _('Display the properties of a CA ACL.') + + + at register() +class caacl_enable(LDAPQuery): + __doc__ = _('Enable a CA ACL.') + + msg_summary = _('Enabled CA ACL "%(value)s"') + has_output = output.standard_value + + def execute(self, cn, **options): + ldap = self.obj.backend + + dn = self.obj.get_dn(cn) + try: + entry_attrs = ldap.get_entry(dn, ['ipaenabledflag']) + except errors.NotFound: + self.obj.handle_not_found(cn) + + entry_attrs['ipaenabledflag'] = ['TRUE'] + + try: + ldap.update_entry(entry_attrs) + except errors.EmptyModlist: + pass + + return dict( + result=True, + value=pkey_to_value(cn, options), + ) + + + at register() +class caacl_disable(LDAPQuery): + __doc__ = _('Disable a CA ACL.') + + msg_summary = _('Disabled CA ACL "%(value)s"') + has_output = output.standard_value + + def execute(self, cn, **options): + ldap = self.obj.backend + + dn = self.obj.get_dn(cn) + try: + entry_attrs = ldap.get_entry(dn, ['ipaenabledflag']) + except errors.NotFound: + self.obj.handle_not_found(cn) 
+ + entry_attrs['ipaenabledflag'] = ['FALSE'] + + try: + ldap.update_entry(entry_attrs) + except errors.EmptyModlist: + pass + + return dict( + result=True, + value=pkey_to_value(cn, options), + ) + + + at register() +class caacl_add_user(LDAPAddMember): + __doc__ = _('Add users and groups to a CA ACL.') + + member_attributes = ['memberuser'] + member_count_out = ( + _('%i user or group added.'), + _('%i users or groups added.')) + + def pre_callback(self, ldap, dn, found, not_found, *keys, **options): + assert isinstance(dn, DN) + try: + entry_attrs = ldap.get_entry(dn, self.obj.default_attributes) + dn = entry_attrs.dn + except errors.NotFound: + self.obj.handle_not_found(*keys) + if is_all(entry_attrs, 'usercategory'): + raise errors.MutuallyExclusiveError( + reason=_("users cannot be added when user category='all'")) + return dn + + + at register() +class caacl_remove_user(LDAPRemoveMember): + __doc__ = _('Remove users and groups from a CA ACL.') + + member_attributes = ['memberuser'] + member_count_out = ( + _('%i user or group removed.'), + _('%i users or groups removed.')) + + + at register() +class caacl_add_host(LDAPAddMember): + __doc__ = _('Add target hosts and hostgroups to a CA ACL.') + + member_attributes = ['memberhost'] + member_count_out = ( + _('%i host or hostgroup added.'), + _('%i hosts or hostgroups added.')) + + def pre_callback(self, ldap, dn, found, not_found, *keys, **options): + assert isinstance(dn, DN) + try: + entry_attrs = ldap.get_entry(dn, self.obj.default_attributes) + dn = entry_attrs.dn + except errors.NotFound: + self.obj.handle_not_found(*keys) + if is_all(entry_attrs, 'hostcategory'): + raise errors.MutuallyExclusiveError( + reason=_("hosts cannot be added when host category='all'")) + return dn + + + at register() +class caacl_remove_host(LDAPRemoveMember): + __doc__ = _('Remove target hosts and hostgroups from a CA ACL.') + + member_attributes = ['memberhost'] + member_count_out = ( + _('%i host or hostgroup removed.'), + 
_('%i hosts or hostgroups removed.')) + + + at register() +class caacl_add_service(LDAPAddMember): + __doc__ = _('Add services to a CA ACL.') + + member_attributes = ['memberservice'] + member_count_out = (_('%i service added.'), _('%i services added.')) + + def pre_callback(self, ldap, dn, found, not_found, *keys, **options): + assert isinstance(dn, DN) + try: + entry_attrs = ldap.get_entry(dn, self.obj.default_attributes) + dn = entry_attrs.dn + except errors.NotFound: + self.obj.handle_not_found(*keys) + if is_all(entry_attrs, 'servicecategory'): + raise errors.MutuallyExclusiveError(reason=_( + "services cannot be added when service category='all'")) + return dn + + + at register() +class caacl_remove_service(LDAPRemoveMember): + __doc__ = _('Remove services from a CA ACL.') + + member_attributes = ['memberservice'] + member_count_out = (_('%i service removed.'), _('%i services removed.')) + + +caacl_output_params = global_output_params + ( + Str('memberprofile', + label=_('Failed profiles'), + ), + # Commented until caacl plugin arrives + #Str('memberca', + # label=_('Failed CAs'), + #), +) + + + at register() +class caacl_add_profile(LDAPAddMember): + __doc__ = _('Add profiles to a CA ACL.') + + has_output_params = caacl_output_params + + member_attributes = ['memberprofile'] + member_count_out = (_('%i profile added.'), _('%i profiles added.')) + + def pre_callback(self, ldap, dn, found, not_found, *keys, **options): + assert isinstance(dn, DN) + try: + entry_attrs = ldap.get_entry(dn, self.obj.default_attributes) + dn = entry_attrs.dn + except errors.NotFound: + self.obj.handle_not_found(*keys) + if is_all(entry_attrs, 'profilecategory'): + raise errors.MutuallyExclusiveError(reason=_( + "profiles cannot be added when profile category='all'")) + return dn + + + at register() +class caacl_remove_profile(LDAPRemoveMember): + __doc__ = _('Remove profiles from a CA ACL.') + + has_output_params = caacl_output_params + + member_attributes = ['memberprofile'] + 
member_count_out = (_('%i profile removed.'), _('%i profiles removed.')) diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 2acab13f247ed18a750f0e1cbbd98f4e63718c03..9f24189b6e442e0c55d5de41d15a03f89ecc9578 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -307,6 +307,7 @@ class DsInstance(service.Service): self.step("adding range check plugin", self.__add_range_check_plugin) if hbac_allow: self.step("creating default HBAC rule allow_all", self.add_hbac) + self.step("creating default CA ACL rule", self.add_caacl) self.step("adding entries for topology management", self.__add_topology_entries) self.__common_post_setup() @@ -741,6 +742,9 @@ class DsInstance(service.Service): def add_hbac(self): self._ldap_mod("default-hbac.ldif", self.sub_dict) + def add_caacl(self): + self._ldap_mod("default-caacl.ldif", self.sub_dict) + def change_admin_password(self, password): root_logger.debug("Changing admin password") dirname = config_dirname(self.serverid) -- 2.1.0 -------------- next part -------------- From ad6ba46bb75269604432f7aac6606b88d667537b Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 26 May 2015 04:44:20 -0400 Subject: [PATCH 13/13] Enforce CA ACLs in cert-request command This commit adds CA ACL enforcement to the cert-request command and uses the pyhbac machinery. It is planned to implement ACL enforcement in Dogtag in a future release, and remove certificate issuance privileges and CA ACL enforcement responsibility from the framework. See https://fedorahosted.org/freeipa/ticket/5011 for more information. Part of: https://fedorahosted.org/freeipa/ticket/57 Part of: https://fedorahosted.org/freeipa/ticket/4559 --- ipalib/plugins/caacl.py | 75 +++++++++++++++++++++++++++++++++++++++++++++++++ ipalib/plugins/cert.py | 17 +++++++++++ 2 files changed, 92 insertions(+) 
diff --git a/ipalib/plugins/caacl.py b/ipalib/plugins/caacl.py index c589e07b9b211d34239294baeddeee54178c68e6..520b506a36474cfb2e29e571fb2c289799c947f6 100644 --- a/ipalib/plugins/caacl.py +++ b/ipalib/plugins/caacl.py @@ -2,6 +2,8 @@ # Copyright (C) 2015 FreeIPA Contributors see COPYING for license # +import pyhbac + from ipalib import api, errors, output from ipalib import Bool, Str, StrEnum from ipalib.plugable import Registry @@ -10,6 +12,7 @@ from ipalib.plugins.baseldap import ( LDAPUpdate, LDAPRetrieve, LDAPAddMember, LDAPRemoveMember, global_output_params, pkey_to_value) from ipalib.plugins.hbacrule import is_all +from ipalib.plugins.service import normalize_principal, split_any_principal from ipalib import _, ngettext from ipapython.dn import DN 
@@ -50,6 +53,78 @@ EXAMPLES: register = Registry() +def _acl_make_request(principal_type, principal, ca_ref, profile_id): + """Construct HBAC request for the given principal, CA and profile""" + req = pyhbac.HbacRequest() + req.targethost.name = ca_ref + req.service.name = profile_id + if principal_type == 'user': + req.user.name = principal + elif principal_type == 'host': + req.user.name = principal[:5] # strip 'host/' + elif principal_type == 'service': + req.user.name = normalize_principal(principal) + groups = [] + if principal_type == 'user': + user_obj = api.Command.user_show(principal)['result'] + groups = user_obj.get('memberof_group', []) + groups += user_obj.get('memberofindirect_group', []) + elif principal_type == 'host': + service, hostname, realm = split_any_principal(principal) + host_obj = api.Command.host_show(hostname)['result'] + groups = host_obj.get('memberof_hostgroup', []) + groups += host_obj.get('memberofindirect_hostgroup', []) + req.user.groups = sorted(set(groups)) + return req + + +def _acl_make_rule(principal_type, obj): + """Turn CA ACL object into HBAC rule. 
+ + ``principal_type`` + String in {'user', 'host', 'service'} + """ + rule = pyhbac.HbacRule(obj['cn'][0]) + rule.enabled = obj['ipaenabledflag'][0] + rule.srchosts.category = {pyhbac.HBAC_CATEGORY_ALL} + + # add CA(s) + # Hardcoded until caacl plugin arrives + rule.targethosts.category = {pyhbac.HBAC_CATEGORY_ALL} + #if 'cacategory' in obj and obj['cacategory'][0].lower() == 'all': + # rule.targethosts.category = {pyhbac.HBAC_CATEGORY_ALL} + #else: + # rule.targethosts.names = obj.get('ipacaaclcaref', []) + + # add profiles + if 'profilecategory' in obj and obj['profilecategory'][0].lower() == 'all': + rule.services.category = {pyhbac.HBAC_CATEGORY_ALL} + else: + attr = 'memberprofile_certprofile' + rule.services.names = obj.get(attr, []) + + # add principals and principal's groups + m = {'user': 'group', 'host': 'hostgroup', 'service': None} + category_attr = '{}category'.format(principal_type) + if category_attr in obj and obj[category_attr][0].lower() == 'all': + rule.users.category = {pyhbac.HBAC_CATEGORY_ALL} + else: + principal_attr = 'member{}_{}'.format(principal_type, principal_type) + rule.users.names = obj.get(principal_attr, []) + if m[principal_type] is not None: + group_attr = 'member{}_{}'.format(principal_type, m[principal_type]) + rule.users.groups = obj.get(group_attr, []) + + return rule + + +def acl_evaluate(principal_type, principal, ca_ref, profile_id): + req = _acl_make_request(principal_type, principal, ca_ref, profile_id) + acls = api.Command.caacl_find()['result'] + rules = [_acl_make_rule(principal_type, obj) for obj in acls] + return req.evaluate(rules) == pyhbac.HBAC_EVAL_ALLOW + + @register() class caacl(LDAPObject): """ diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py index d122900175db41ba5af429fd47af6cac6533cb6f..1878e5ad5f80fa93e1a77b0a88711c1da0016681 100644 --- a/ipalib/plugins/cert.py +++ b/ipalib/plugins/cert.py 
@@ -33,6 +33,7 @@ from ipalib.plugins.virtual import * from ipalib.plugins.baseldap import pkey_to_value from ipalib.plugins.service import split_any_principal from ipalib.plugins.certprofile import validate_profile_id +import ipalib.plugins.caacl import base64 import traceback from ipalib.text import _ @@ -326,6 +327,22 @@ class cert_request(VirtualCommand): else: principal_type = SERVICE + principal_type_map = {USER: 'user', HOST: 'host', SERVICE: 'service'} + ca = '.' # top-level CA hardcoded until subca plugin implemented + if not ipalib.plugins.caacl.acl_evaluate( + principal_type_map[principal_type], + principal_string, ca, profile_id): + raise errors.ACIError(info=_( + "Principal '%(principal)s' " + "is not permitted to use CA '%(ca)s' " + "with profile '%(profile_id)s' for certificate issuance." + ) % dict( + principal=principal_string, + ca=ca or '.', + profile_id=profile_id + ) + ) + bind_principal = split_any_principal(getattr(context, 'principal')) bind_service, bind_name, bind_realm = bind_principal -- 2.1.0 From jcholast at redhat.com Mon Jun 8 06:25:08 2015 
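Review bot: in the caacl plugin hunk of the first patch, the `pre_callback` bodies of `caacl_add_user`, `caacl_add_host`, `caacl_add_service` and `caacl_add_profile` are identical apart from the `*category` attribute name and the error text (`get_entry`, `handle_not_found`, `is_all`, `MutuallyExclusiveError`); factor them into one helper on the object that takes the category attribute and message, so a later change to the not-found or category handling lands in one place instead of four.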
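Review bot: in the `ipaserver/install/dsinstance.py` hunk, `self.step("creating default CA ACL rule", self.add_caacl)` is added directly after the `hbac_allow`-gated `add_hbac` step; the archive has lost the indentation, so please confirm in the commit message whether the step is meant to run unconditionally or only when `hbac_allow` is set, and say what the default rule in `default-caacl.ldif` permits, since the second patch makes `cert-request` raise `ACIError` for any principal that no enabled CA ACL allows.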
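Review bot: in the `ipalib/plugins/caacl.py` hunk at `@@ -50,6 +53,78 @@`, `_acl_make_request` sets `req.user.name = principal[:5]` for hosts, which keeps the first five characters (`host/`) instead of stripping them, so a host principal can never match a `memberhost_host` name in any rule; the branch below already computes `service, hostname, realm = split_any_principal(principal)`, so use that `hostname` for `req.user.name` rather than slicing. The user branch has the related inconsistency that the raw `principal` is used both as `req.user.name` and as the argument to `user_show`, while the service branch normalizes and the host branch splits; if `principal` carries a realm suffix, neither the `memberuser_user` comparison nor the `user_show` lookup will succeed, so take the name part from `split_any_principal` there as well.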
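Review bot: in the `ipalib/plugins/cert.py` hunk at `@@ -326,6 +327,22 @@`, `ca = '.'` is assigned unconditionally a few lines above the `raise`, so `ca=ca or '.'` in the format dict can never see a falsy value; drop the `or '.'`, or if it is meant as the guard for when the subca plugin arrives, put the default in the `ca` assignment so there is one place to update. It is also worth a comment in the hunk that `acl_evaluate` runs `caacl_find` plus a `user_show` or `host_show` on every `cert_request`, which is acceptable for the interim framework enforcement the commit message describes but is the cost to remove once enforcement moves into Dogtag.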
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 08 Jun 2015 08:25:08 +0200
Subject: [Freeipa-devel] [PATCH 0049] Move CA installation code into single module.
In-Reply-To: <5571931C.1030103@redhat.com>
References: <556F21ED.8020908@redhat.com> <5571931C.1030103@redhat.com>
Message-ID: <55753544.5040906@redhat.com>

On 5.6.2015 at 14:16 David Kupka wrote:
> On 06/03/2015 05:49 PM, David Kupka wrote:
>>
> Updated patch attached.
>

ACK. The patch needed a rebase and there was a bug in ipa-replica-install, I took care of both, see attachment.

Pushed to master: 2acedb2d5d4a4c0987c670e14eb04b8bd9ffc034

There was also an unrelated problem in replicainstall.py which I also fixed, see the other attachment.

Pushed to master under the one-liner rule: e01095dfb33aaef0ab1babf86a71d70410b666ed

-- 
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-dkupka-0049.1.fix-Move-CA-installation-code-into-single-module.patch
Type: text/x-patch
Size: 38617 bytes
Desc: not available
URL: 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-435-install-Fix-missing-variable-initialization-in-repli.patch
Type: text/x-patch
Size: 828 bytes
Desc: not available
URL: 
From mkosek at redhat.com Mon Jun 8 06:42:49 2015
From: mkosek at redhat.com (Martin Kosek) Date: Mon, 08 Jun 2015 08:42:49 +0200 Subject: [Freeipa-devel] Password Maxlife 0 causes expiration of 90 days In-Reply-To: <1433516879.10825.20.camel@willson.usersys.redhat.com> References: <5570BADF.5020002@redhat.com> <20150604214122.GK10162@redhat.com> <5571B41E.7030405@redhat.com> <1433516879.10825.20.camel@willson.usersys.redhat.com> Message-ID: <55753969.7000509@redhat.com> On 06/05/2015 05:07 PM, Simo Sorce wrote: > On Fri, 2015-06-05 at 10:37 -0400, Drew Erny wrote: >> On 06/04/2015 05:41 PM, Alexander Bokovoy wrote: >>> On Thu, 04 Jun 2015, Drew Erny wrote: >>>> https://fedorahosted.org/freeipa/ticket/2795 >>>> >>>> I've tracked down the source of this bug; it's nutty C stuff. >>>> >>>> So, in daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c, when you >>>> update password, the expiration time appears to be set in the >>>> function ipapwd_CheckPolicy on line 631, which looks like >>>> >>>> data->expireTime = data->timeNow + pol.max_pwd_life; >>>> >>>> So the bug has to be in how pol.max_pwd_life gets is value. So I >>>> check around, pol is initialized like this: >>>> >>>> struct ipapwd_policy pol = {0}; >>>> ... >>>> pol.max_pwd_life = IPAPWD_DEFAULT_PWDLIFE; >>>> >>>> And IPAPWD_DEFAULT_PWDLIFE is a constant 90 days. >>>> >>>> But then the actual value of max_pwd_life is obtained by passing pol >>>> into the function ipapwd_getPolicy on line 577 or 590, depending on >>>> the password change type. >>>> >>>> Inside of ipapwd_getPolicy, there's a couple of lines starting at >>>> line 393 >>>> >>>> tmpint = slapi_entry_attr_get_int(pe, "krbMaxPwdLife"); >>>> if (tmpint != 0) { >>>> policy->max_pwd_life = tmpint; >>>> }: >>>> >>>> Which sets the max password life to the returned value, unless this >>>> function returns 0. However, the documentation from >>>> /usr/include/dirsrv/slapi-plugin.h says that that function, >>>> slapi_entry_attr_get_int, returns 0 if the entry does not contain >>>> that attribute. 
So, since the value 0 is returned, an error is >>>> assumed to have occurred that member of the struct is left >>>> untouched... which means it's still set to the value it was set to >>>> when it was initialized, 90 days. >>>> >>>> So, when the expireTime is set at line 631, it's set to 90 days >>>> because the value returned by slapi_entry_attr_get_int is 0. >>>> >>>> I've checked to see if we can get some error context out of the pe >>>> variable passed in, but it appears to be an opaque struct that the >>>> user isn't meant to see the internals of. >>>> >>>> I'm not really sure what to do with this knowledge. The only thing I >>>> can think would be to use another sentinel value, like -1, to >>>> indicate that the password does not expire; or, otherwise, to >>>> document that there is no way to have non-expiring passwords, and >>>> administrators can only set value to some far-future date, and then >>>> close this bug. Or, we could just set the default expiration date to >>>> be somewhere far in the future. I'm not really qualified to make a >>>> call on how to proceed with this, but I'm capable of making the >>>> change if someone more senior decides. >>>> >>>> I can also totally see this issue with the interface of slapi-plugin >>>> being the possible cause of many bugs. >>> You can use slapi_entry_attr_exists() to check if attribute does exist >>> and then treat result of slapi_entry_attr_get_int() as actual value. >>> >>> Otherwise, that's a great investigation! >> >> Using slapi_entry_attr_exists() clears us of having to worry about >> getting an error condition back, but I'm still not confident how to >> handle the 0 maximum. Should I just put in a far-future date? > > The current behavior is completely intentional, not a side effect of the > code, the code was written that way intentionally. > > However me may consider an RFE that requests different behavior, we > would have to devise a special value for krbMaxPwdLife that means > "infinite". Maybe. 
If we do this, we should also ban "0" as krbMaxPwdLife as it confuses people.

Let us say that the user sets krbMaxPwdLife to "infinite", what is the wished effect on the user entry? Should krbPasswordExpiration be simply removed/not added when password is being set? As we cannot put any special word there, it is GeneralizedTime syntax. I assume that our LDAP BIND/kinit code would need to be checked that it reacts properly to missing value in that case.
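The sentinel problem Drew traces above, as an added example that is not part of this thread or of ipa-pwd-extop: a constructed `struct entry` stands in for the opaque Slapi_Entry, `entry_attr_get_int` and `entry_attr_exists` mimic the documented contracts of `slapi_entry_attr_get_int` (0 when the attribute is absent) and `slapi_entry_attr_exists`, `max_pwd_life_current` reproduces the quoted pattern from `ipapwd_getPolicy`, and `max_pwd_life_checked` is the existence-checked variant Alexander suggests. The three `policy_*` entries are constructed sample data; all names are assumptions for this example only.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 90 days in seconds, the default the thread describes for IPAPWD_DEFAULT_PWDLIFE. */
#define IPAPWD_DEFAULT_PWDLIFE (90 * 24 * 60 * 60)

/* Constructed stand-in for a directory entry: a flat list of attribute/value
 * pairs. The real plugin reads an opaque Slapi_Entry; this mock only has to
 * reproduce the two accessor behaviours discussed in the thread. */
struct attr {
    const char *name;
    const char *value;
};

struct entry {
    const struct attr *attrs;
    size_t count;
};

/* LDAP attribute names are case-insensitive, so compare them that way. */
static bool attr_name_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    }
    return *a == '\0' && *b == '\0';
}

static const char *entry_attr_get(const struct entry *e, const char *name)
{
    for (size_t i = 0; i < e->count; i++) {
        if (attr_name_eq(e->attrs[i].name, name))
            return e->attrs[i].value;
    }
    return NULL;
}

/* Mirrors the documented contract of slapi_entry_attr_exists(). */
bool entry_attr_exists(const struct entry *e, const char *name)
{
    return entry_attr_get(e, name) != NULL;
}

/* Mirrors the documented contract of slapi_entry_attr_get_int():
 * the integer value if present, 0 if the attribute is absent. */
int entry_attr_get_int(const struct entry *e, const char *name)
{
    const char *v = entry_attr_get(e, name);
    return v ? (int)strtol(v, NULL, 10) : 0;
}

/* The pattern quoted from ipapwd_getPolicy(): because 0 doubles as the
 * "absent" return, an explicit krbMaxPwdLife of 0 and a missing attribute
 * both leave the 90-day default in place. */
int max_pwd_life_current(const struct entry *pe)
{
    int max_pwd_life = IPAPWD_DEFAULT_PWDLIFE;
    int tmpint = entry_attr_get_int(pe, "krbMaxPwdLife");
    if (tmpint != 0)
        max_pwd_life = tmpint;
    return max_pwd_life;
}

/* The existence-checked variant suggested in the thread. The return value
 * tells the caller whether the attribute was really there, so an explicit 0
 * is no longer indistinguishable from "not set"; what an explicit 0 should
 * mean is left to the caller, as the thread leaves it open. */
bool max_pwd_life_checked(const struct entry *pe, int *max_pwd_life)
{
    *max_pwd_life = IPAPWD_DEFAULT_PWDLIFE;
    if (!entry_attr_exists(pe, "krbMaxPwdLife"))
        return false;
    *max_pwd_life = entry_attr_get_int(pe, "krbMaxPwdLife");
    return true;
}

/* Constructed sample policy entries covering the three cases. */
static const struct attr attrs_hour[] = { { "krbMaxPwdLife", "3600" } };
static const struct attr attrs_zero[] = { { "krbMaxPwdLife", "0" } };
const struct entry policy_one_hour = { attrs_hour, 1 };
const struct entry policy_zero = { attrs_zero, 1 };
const struct entry policy_absent = { NULL, 0 };

int main(void)
{
    const struct { const char *label; const struct entry *pe; } cases[] = {
        { "krbMaxPwdLife=3600", &policy_one_hour },
        { "krbMaxPwdLife=0", &policy_zero },
        { "krbMaxPwdLife absent", &policy_absent },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int checked;
        bool present = max_pwd_life_checked(cases[i].pe, &checked);
        printf("%-22s current=%d checked=%d present=%s\n", cases[i].label,
               max_pwd_life_current(cases[i].pe), checked, present ? "yes" : "no");
    }
    return 0;
}
```

The checked variant only restores the information the 0 return threw away: for the explicit-0 entry it reports `present` and a value of 0, for the absent attribute it reports not present and the default. Whether an explicit 0 should then mean "never expires", or be rejected as Martin proposes, is the policy decision the thread leaves to a separate RFE.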
From: mkosek at redhat.com (Martin Kosek) Date: Mon, 08 Jun 2015 08:49:06 +0200 Subject: [Freeipa-devel] [PATCHES 00012-0013 v7] Profiles and CA ACLs In-Reply-To: <20150608013122.GH23523@dhcp-40-8.bne.redhat.com> References: <55682FB0.1030807@redhat.com> <55684792.3070006@redhat.com> <20150601071058.GI23523@dhcp-40-8.bne.redhat.com> <20150601072228.GJ23523@dhcp-40-8.bne.redhat.com> <20150602121127.GU23523@dhcp-40-8.bne.redhat.com> <556DDBD6.70007@redhat.com> <20150603141717.GZ23523@dhcp-40-8.bne.redhat.com> <556F3009.1090503@redhat.com> <20150604065944.GB23523@dhcp-40-8.bne.redhat.com> <55705542.4000002@redhat.com> <20150608013122.GH23523@dhcp-40-8.bne.redhat.com> Message-ID: <55753AE2.5030802@redhat.com> On 06/08/2015 03:31 AM, Fraser Tweedale wrote: > New patches attached. Comments inline. Thanks Fraser! ... >> 5) >> Missing referint plugin configuration for attribute >> 'ipacaaclmembercertprofile' >> Please add it into install/updates/25-referint.update (+ other member >> attributes if missing) >> > Added this. There is a comment in 25-referint.update: > > # pres and eq indexes defined in 20-indices.update must be set > # for all the attributes > > Can you explain what is required here? Is it just to add: I see > things for memberUser and memberHost in indices.ldif but nothing for > memberService. Do I need to add to indices.ldif: > > dn: cn=memberProfile,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config > changetype: add > cn: memberProfile > ObjectClass: top > ObjectClass: nsIndex > nsSystemIndex: false > nsIndexType: eq > nsIndexType: pres > nsIndexType: sub > > , and similarly for memberCa? Sorry I do not know much about LDAP > indexing. AFAIR, yes. BTW, where does the "sub" index come from? It is quite an expensive index to use and I now cannot think of memberProfile search where you would need a substring... Thanks, Martin From pspacek at redhat.com Mon Jun 8 07:17:55 2015 
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 08 Jun 2015 09:17:55 +0200
Subject: [Freeipa-devel] Suggestion for the A part of IPA
In-Reply-To: <56343345B145C043AE990701E3D193950BD1FBC4@EXVS2.nrplc.localnet>
References: <56343345B145C043AE990701E3D193950478E5A4@EXVS2.nrplc.localnet> <55407D25.9030505@redhat.com> <56343345B145C043AE990701E3D193950478E5A6@EXVS2.nrplc.localnet> <56343345B145C043AE990701E3D193950BD1FBA1@EXVS2.nrplc.localnet> <5571967F.2050402@redhat.com> <56343345B145C043AE990701E3D193950BD1FBC4@EXVS2.nrplc.localnet>
Message-ID: <557541A3.2050502@redhat.com>

On 5.6.2015 16:28, Innes, Duncan wrote:
> Not sure how you'd do that to be fair. But if it's possible to parse
> the data coming back from the DNS _SRV_ query, couldn't all the potential
> IPA servers be included for rsyslog failover?

I would rather use SRV records from _syslog._udp.$IPADOMAIN instead of creating a dependency logging<->IPA servers. Of course, this new set of SRV records can be identical to SRV records for Kerberos if you wish, but it gives us more flexibility in the long term.

> If all my remote servers are down, my failover reverts to /dev/null, so
> no data will be written to disk if I'm isolated.
>
> That's for rsyslog of course. I'm also working on getting
> systemd-journal-upload to send direct to logstash (hopefully with the
> http input plugin).

-- 
Petr^2 Spacek
From mkubik at redhat.com Mon Jun 8 09:11:03 2015
From: mkubik at redhat.com (Milan Kubik) Date: Mon, 08 Jun 2015 11:11:03 +0200 Subject: [Freeipa-devel] [PATCH] 801-806 webui-ci: otptoken tests In-Reply-To: <555607BD.3000704@redhat.com> References: <54E5F888.2000402@redhat.com> <554B4E9F.1070806@redhat.com> <5550919E.9090802@redhat.com> <5551EAB4.2000803@redhat.com> <555607BD.3000704@redhat.com> Message-ID: <55755C27.8080703@redhat.com> On 05/15/2015 04:50 PM, Milan Kubik wrote: > On 05/12/2015 01:57 PM, Petr Vobornik wrote: >> On 05/11/2015 01:25 PM, Milan Kubik wrote: >>> On 05/07/2015 01:38 PM, Petr Vobornik wrote: >>>> On 02/19/2015 03:51 PM, Petr Vobornik wrote: >>>>> https://fedorahosted.org/freeipa/ticket/4307 >>>>> >>>>> For ipa-4-1 apply: >>>>> - patch 800 (different thread) >>>>> - patches 801-806 >>>>> >>>>> For master apply: >>>>> - patch 800 (different thread) >>>>> - patch 807 (different thread) >>>>> - patch 801-master >>>>> - patches 802-806 >>>>> >>>>> Patch 801 allows to use ipalib rpc client in Web UI test suite. >>>>> Patches 802-805 are various ui_driver fixes to allow stuff in >>>>> patch 806. >>>>> >>>>> == [PATCH] 806 webui-ci: otptoken tests == >>>>> >>>>> Basic otptoken Web UI CI coverage. >>>>> >>>>> tests: >>>>> * crud for otptokens as admin >>>>> * crud for normal users >>>>> * checks fields of adder dialog for both token types and user role >>>>> (admin/user) >>>>> * token actions as admin (enable, disable, delete) >>>>> * token actions as normal user (delete) >>>>> * login as normal user with hotp and totp token >>>>> * sync token hotp and totp token as normal user and then login >>>>> >>>>> https://fedorahosted.org/freeipa/ticket/4307 >>>>> >>>>> == [PATCH] 805 webui-ci: allow custom names for disable/enable >>>>> actions == >>>>> >>>>> Not all disable and enable actions are called 'disable' and 'enable'. 
>>>>> >>>>> == [PATCH] 804 webui-ci: allow to update pkey in post-add in >>>>> basic-crud >>>>> tests == >>>>> >>>>> == [PATCH] 803 webui-ci: add post_add_action == >>>>> >>>>> post add action allows to fill autogenerated values, e.g. a pkey >>>>> of new >>>>> otptoken. >>>>> >>>>> This value can be then used in other subsequent test which would >>>>> depend >>>>> on it - like crud tests. >>>>> >>>>> == [PATCH] 802 webui-ci: fix negative visibility check == >>>>> >>>>> Allow to define, that element doesn't have to be present on a page >>>>> for >>>>> negative visible checks. >>>>> >>>>> E.g. if element is added only if it's displayed and is removed >>>>> otherwise. >>>>> >>>>> == [PATCH] 801 webui-ci: support direct IPA API calls == >>>>> >>>>> Add IPA API support to ui_driver. It leverages new ipalib RPC >>>>> client's >>>>> forms based authentication. It then allows to call an IPA API while >>>>> the machine is not an IPA client nor is kerberized. >>>>> >>>>> api's environment values are taken from test configuration and >>>>> therefore duplication in ~/.ipa/default.conf is not required. >>>>> >>>>> Since the machine doesn't have to be IPA client, it then also doesn't >>>>> have nss database with IPA's CA certificate. Therefore on each API >>>>> initialization a new NSS database is created with a CA certificate >>>>> downloaded from IPA. This db is deleted in tearDown phase. >>>>> >>>>> Usage: >>>>> >>>>> 1. as admin one can immediately call rpc commands, api will be >>>>> initialized upon first request and is available under self.api >>>>> (assuming self is ui_driver): >>>>> self.api.Command.user_del(USER_ID, **{'continue': True}) >>>>> >>>>> 2. to reconnect as other user: >>>>> self.reconnect_api(USER_ID, USER_PW) >>>>> >>>>> 3. reconnect back as admin: >>>>> self.reconnect_api() >>>>> >>>> >>>> Patch #803 needed rebase. >>>> >>>> >>> Hi, thanks for the patches. >>> >>> Please, fix pep8 complaints in 803, 805 and 806. 
>> >> >> $ git diff HEAD~6 -U0 | pep8 --diff >> >> returns 20x E501 line too long >> >> IMO, it's better this way for better code readability. >> >> >>> Also, change the header in 806 to the shorter version, please. >> >> Fixed, patches were regenerated. >> >>> >>> # >>> # Copyright (C) 2015 FreeIPA Contributors see COPYING for license >>> # >>> >>> Patches 801, 802 and 804 look good to me. >>> The test cases in 806 look good to me as well. >>> >>> Milan >>> > I have reviewed the pep8 complaints closely and yes, readability would > suffer a little. > I don't like the line 317 after patch 806. > Fix it at your discretion. > Otherwise ACK. > > Thanks, > Milan > Bump. From jcholast at redhat.com Mon Jun 8 10:04:59 2015 
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 08 Jun 2015 12:04:59 +0200
Subject: [Freeipa-devel] [PATCH] Password vault
In-Reply-To: <5571FD75.5010708@redhat.com>
References: <54E1AF55.3060409@redhat.com> <54EBEB55.6010306@redhat.com> <54F96B22.9050507@redhat.com> <55004D5D.6060300@redhat.com> <550FE5EB.1070606@redhat.com> <551E0AE1.8040500@redhat.com> <553498D1.1020901@redhat.com> <55651209.8020000@redhat.com> <556558AA.6040107@redhat.com> <556CF209.7050404@redhat.com> <556EF05E.90103@redhat.com> <55719260.8080300@redhat.com> <5571FD75.5010708@redhat.com>
Message-ID: <557568CB.3040503@redhat.com>

On 5.6.2015 at 21:50 Endi Sukma Dewata wrote:
> On 6/5/2015 7:13 AM, Jan Cholasta wrote:
>>>>> If KRA is not installed, vault-archive and vault-retrieve fail with
>>>>> internal error.
>>>>
>>>> Added code to check KRA installation in all vault commands. If you
>>>> know a way not to load the vault plugin if the KRA is not installed
>>>> please let me know, that's probably even better. Not sure how that will
>>>> work on the client side though.
>>>
>>> I see this has been already resolved in the other thread.
>
> The other thread was talking about removing the pki-base dependency on
> the client side, but the vault plugin is still loaded on both client and
> server regardless of KRA installation. Ideally the vault plugin should
> not even be loaded so you cannot even execute the commands.

I don't agree - ideally the vault plugin should do the check at runtime, because it should work without httpd restart when KRA is installed on other replica. The KRA installer needs to be fixed in order to support this. I will provide a patch.

>
>>>>> The commands still behave differently based on whether they were
>>>>> called
>>>>> from API which was initialized with in_server set to True or False.
>>>>
>>>> That is unfortunately a restriction imposed by the framework.
In order >>>> to guarantee the security, the vault is designed to have separate >>>> client >>>> and server code. The client code encrypts the secret, the server code >>>> forwards the encrypted secret to KRA. To archive a secret into a vault >>>> properly, you are supposed to call the client code. If you're calling >>>> the server code directly, you are responsible to do your own encryption >>>> (i.e. generating session key, nonce, and vault data). >>> >>> I understand why the code has to be separated, what I don't understand >>> is why it is in fact *not* separated and crammed into a single command, >>> making weird and undefined behavior possible. >>> >>>> If another plugin wants to use vault, it should implement a client code >>>> which calls the vault client code to perform the archival from the >>>> client side. >>>> >>>> What is the use case for calling the vault API from the server side >>>> anyway? Wouldn't that defeat the purpose of having a vault? If a secret >>>> exists on the server side in an unencrypted form doesn't it mean the >>>> secret may already have been compromised? >>> >>> Server API is used not only by the server itself, but also by installers >>> for example. Anyway the point is that there *can't* be a broken API like >>> this, you should at least raise an error if the command is called from >>> server API, although actually separating it into client and server parts >>> would be preferable. >>> >>>>> There is no point in exposing the session_key, nonce and vault_data >>>>> options in CLI when their value is always overwritten in forward(). >>>> >>>> I agree there is no need to expose them in CLI, but in this framework >>>> the API also defines the CLI. If there's a way to keep them in the >>>> server API but not expose them in the CLI please let me know. Or, if >>>> there's a way to define completely separate server API (without a >>>> matching client CLI) and client CLI (without a matching server API) >>>> that >>>> will work too. 
>>> >>> As I suggested above, you can split the commands into separate client >>> and server commands. The client command should inherit from >>> frontend.Local so that it is always executed locally and the server >>> command should have a "NO_CLI = True" attribute so that it is not >>> available in the CLI. > > I see the vault_archive and vault_retrieve now inherit from PKQuery, and > there is a hack to execute the forward() even on the server side. A few > things below: > > 1. Why didn't you use frontend.Local as you initially suggested? If > there's a problem with frontend.Local please attach the ticket number in > the code. > > 2. The forward() can be merged into run(). There is no need to keep the > code in forward(). It would make more sense to have a run() method that > runs both on client and server, rather than a forward() that is supposed > to run on the client only but now forced to run on server too, > semantically speaking. I have fixed the commands to inherit from Local. > >> Attached is a patch including the requested changes. >> >> I have also changed vault_config to vaultconfig_show, for consistency >> with {,dns}config_show (it also makes the transport certificate >> retrieval code in vault_{archive,retrieve} simpler). > > 3. The parameter description for nonce should be just 'Nonce' instead of > 'Nonce encrypted'. Fixed. > > 4. There's a PEP8 error. Fixed. > > 5. The VERSION needs to be updated. Fixed. > > Assuming the above issues are addressed, ACK. OK, pushed to master: df1bd39a43f30138cf55e0e7720fa3dec1d912e0 > >> I have noticed that triple-length DES is used for the session key. >> Wouldn't AES be better? >> >> # generate session key >> mechanism = nss.CKM_DES3_CBC_PAD > > That's the default used by the KRA's client library, and that's what the > KRA has been tested with. We probably can change it to AES later. It > shouldn't be blocking this patch. OK, no problem. 
>
>> BTW, ipa-kra-install is broken with pki-core-10.2.4-1, but it works with
>> pki-core-10.2.1-3.
>
> There's a bug in IPA: https://bugzilla.redhat.com/show_bug.cgi?id=1228671

The patch needs a rebase and version bump ("VERSION" line at the top of ipa-pki-proxy.conf).

-- 
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Added-vault-archive-and-vault-retrieve-commands.patch
Type: text/x-patch
Size: 26525 bytes
Desc: not available
URL: 
From jcholast at redhat.com Mon Jun 8 10:09:50 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 08 Jun 2015 12:09:50 +0200
Subject: [Freeipa-devel] [PATCH 0049] Move CA installation code into single module.
In-Reply-To: <55753544.5040906@redhat.com>
References: <556F21ED.8020908@redhat.com> <5571931C.1030103@redhat.com> <55753544.5040906@redhat.com>
Message-ID: <557569EE.9070009@redhat.com>

On 8.6.2015 at 08:25 Jan Cholasta wrote:
> On 5.6.2015 at 14:16 David Kupka wrote:
>> On 06/03/2015 05:49 PM, David Kupka wrote:
>>>
>> Updated patch attached.
>>
>
> ACK. The patch needed a rebase and there was a bug in
> ipa-replica-install, I took care of both, see attachment.
>
> Pushed to master: 2acedb2d5d4a4c0987c670e14eb04b8bd9ffc034
>
> There was also an unrelated problem in replicainstall.py which I also
> fixed, see the other attachment.
>
> Pushed to master under the one-liner rule:
> e01095dfb33aaef0ab1babf86a71d70410b666ed

There are some more bugs in CA-less and external CA install, see the attached patches for fixes.

-- 
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-436-install-Fix-CA-less-server-install.patch
Type: text/x-patch
Size: 1099 bytes
Desc: not available
URL: 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-437-install-Fix-external-CA-server-install.patch
Type: text/x-patch
Size: 2363 bytes
Desc: not available
URL: 
From jcholast at redhat.com Mon Jun 8 10:12:22 2015
From: jcholast at redhat.com (Jan Cholasta) Date: Mon, 08 Jun 2015 12:12:22 +0200 Subject: [Freeipa-devel] [PATCH 424] install: Introduce installer framework ipapython.install In-Reply-To: <556EFAE4.70908@redhat.com> References: <552FCB4E.4050402@redhat.com> <5531157F.80106@redhat.com> <5534FBB6.3050001@redhat.com> <553513A7.3070704@redhat.com> <554105ED.90204@redhat.com> <5549B079.5020007@redhat.com> <5549B319.2060109@redhat.com> <5550956F.9080002@redhat.com> <556DADCF.3010305@redhat.com> <556EFAE4.70908@redhat.com> Message-ID: <55756A86.6090800@redhat.com> Dne 3.6.2015 v 15:02 Martin Basti napsal(a): > On 02/06/15 15:21, Jan Cholasta wrote: >> Dne 11.5.2015 v 13:41 Jan Cholasta napsal(a): >>> Dne 6.5.2015 v 08:22 Jan Cholasta napsal(a): >>>> Dne 6.5.2015 v 08:11 Martin Kosek napsal(a): >>>>> On 04/29/2015 06:25 PM, Jan Cholasta wrote: >>>>>> Dne 20.4.2015 v 16:56 Jan Cholasta napsal(a): >>>>>>> Dne 20.4.2015 v 15:14 Martin Basti napsal(a): >>>>>>>> On 17/04/15 16:15, Jan Cholasta wrote: >>>>>>>>> Dne 16.4.2015 v 16:46 Jan Cholasta napsal(a): >>>>>>>>>> Hi, >>>>>>>>>> >>>>>>>>>> the attached patch adds the basics of the new installer >>>>>>>>>> framework. >>>>>>>>>> >>>>>>>>>> As a next step, I plan to convert the install scripts to use the >>>>>>>>>> framework with their old code (the old code will be gradually >>>>>>>>>> ported to >>>>>>>>>> the framework later). >>>>>>>>>> >>>>>>>>>> (Note I didn't manage to write docstrings today, expect update >>>>>>>>>> tomorrow.) >>>>>>>>> >>>>>>>>> Added some docstrings. >>>>>>>>> >>>>>>>>> Also updated the patch to reflect little brainstorming David and I >>>>>>>>> had >>>>>>>>> this morning. >>>>>>>>> >>>>>>>>>> >>>>>>>>>> Honza >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>> Hello, see comments bellow: >>>>>>>> >>>>>>>> 1) We started using new shorter License header in files: >>>>>>>> # >>>>>>>> # Copyright (C) 2015 FreeIPA Contributors see COPYING for license >>>>>>>> # >>>>>>> >>>>>>> OK. 
>>>>>>> >>>>>>>> >>>>>>>> 2) IMO this will not work, NoneType has no 'obj' attribute >>>>>>>> + else: >>>>>>>> + if isinstance(value, from_): >>>>>>>> + value = None >>>>>>>> + stack.append(value.obj) >>>>>>>> + continue >>>>>>> >>>>>>> Right. >>>>>>> >>>>>>>> >>>>>>>> 3) Multiple inheritance. I do not like it much. >>>>>>>> +class CompositeInstaller(Installer, CompositeConfigurator): >>>>>>> >>>>>>> I guess you are antagonistic to multiple inheritance because of how >>>>>>> other languages (like C++) do it. In Python it can be pretty elegant >>>>>>> and >>>>>>> is basis for e.g. the mixin design pattern. >>>>>>> >>>>>>>> >>>>>>>> Installer and CompositeConfigurator inherites from Configurator >>>>>>>> class, >>>>>>>> and all of them implements _generator method. >>>>>>> >>>>>>> Both of them call super()._generator(), so it's no problem (same for >>>>>>> other methods). >>>>>>> >>>>>>>> >>>>>>>> If I understand correctly >>>>>>>> (https://www.python.org/download/releases/2.3/mro/) the >>>>>>>> Installer._generator method will be used in this case. >>>>>>>> However in case when CompositeConfigurator has more levels >>>>>>>> (respectively >>>>>>>> it is more specialized) of inheritance, it could take precedence >>>>>>>> and its >>>>>>>> _generator method may be used instead. >>>>>>> >>>>>>> The order of precedence is defined by the order of base classes >>>>>>> in the >>>>>>> class definition. >>>>>>> >>>>>>>> >>>>>>>> I'm afraid this may suddenly stop working. >>>>>>>> Maybe I'm wrong, please fix me. >>>>>>> >>>>>>> As long as you call the super class, it will work fine. >>>>>>> >>>>>>>> >>>>>>>> And Multiple inheritance is not easily readable, this is even a >>>>>>>> diamond >>>>>>>> inheritance model. >>>>>>> >>>>>>> Cooperative inheritance is used by design and IMHO is easily >>>>>>> readable if >>>>>>> you know how to read it. Every class defines a single bit of >>>>>>> behavior. 
>>>>>>> Without cooperative inheritance, it would have to be hardcoded and/or
>>>>>>> hacked around, which I wanted to avoid.
>>>>>>>
>>>>>>> This blog post explains it nicely:
>>>>>>> .
>>>>>>>
>>>>>>
>>>>>> Updated patch attached.
>>>>>>
>>>>>> Also attached is patch 425 which migrates ipa-server-install to the
>>>>>> install framework.
>>>>>
>>>>> Good job there. I am just curious, will this framework and new option
>>>>> processing be friendly to other types of option passing than just via
>>>>> options?
>>>>> I mean tickets
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/4517
>>>>> https://fedorahosted.org/freeipa/ticket/4468
>>>>>
>>>>> Especially 4517 is important, we need to be able to run
>>>>>
>>>>> # cat install.conf
>>>>> ds_password=Secret123
>>>>> admin_password=Secret456
>>>>> ip_address=123456
>>>>> setup_dns=False
>>>>>
>>>>> # ipa-server-install --unattended --conf install.conf
>>>>>
>>>>> I assume yes, but I am just making sure.
>>>>
>>>> Yes, definitely.
>>>>
>>>
>>> Updated patches attached.
>>
>> Another update, patches attached.
>>
> thank you,
>
> 1)
> ipa-server-install --uninstall prints 0
> ...
> Unconfiguring ipa_memcached
> Unconfiguring ipa-otpd
> 0
> The ipa-server-install command was successful

Fixed.

>
> 2)
> ipa-server-install --setup-dns
> 'ServerOptions' object has no attribute 'dnssec_master'

Fixed.

>
> 3)
> For record, this will be fixed in extra patch.
> info messages from ldapupdate are printed to console

Could you provide the patch?

>
> 4)
> +        if default is not _missing:
> +            class_dict['default'] = default
>
> Why is new _missing object needed? Isn't NoneType enough?

None is a valid value here, there needs to be a distinction between
"value is not set" and "value is set to None".

Updated patches attached. Note you first have to apply my patches 436-438.

-- 
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-438-install-Move-private_ccache-from-ipaserver-to-ipapyt.patch
Type: text/x-patch
Size: 2900 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-424.5-install-Introduce-installer-framework-ipapython.inst.patch
Type: text/x-patch
Size: 34460 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-425.3-install-Migrate-ipa-server-install-to-the-install-fr.patch
Type: text/x-patch
Size: 61332 bytes
Desc: not available
URL:

From pspacek at redhat.com Mon Jun 8 12:08:05 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 08 Jun 2015 14:08:05 +0200
Subject: [Freeipa-devel] [PATCH 0383] Fix metadb_iterator_destroy() to accept NULL iterators
Message-ID: <557585A5.4010405@redhat.com>

Hello,

Fix metadb_iterator_destroy() to accept NULL iterators.

This prevents potential crash in error handling, e.g. if memory allocation failed.

-- 
Petr^2 Spacek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bind-dyndb-ldap-pspacek-0383-Fix-metadb_iterator_destroy-to-accept-NULL-iterators.patch
Type: text/x-patch
Size: 925 bytes
Desc: not available
URL:

From derny at redhat.com Mon Jun 8 12:28:20 2015
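The cleanup contract behind Petr Spacek's patch 0383 (a destroy routine that tolerates NULL so every error path can call it unconditionally), shown as an added example. This is not the bind-dyndb-ldap code: `struct iterator`, `iterator_create()`, `iterator_destroy()` and the allocation budget are constructed stand-ins chosen to exercise the partial-construction failure the patch description mentions.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the metadb iterator (hypothetical layout). */
struct iterator {
    char *buffer;
    size_t len;
};

/* Allocation budget so the error paths can be driven deterministically:
 * -1 means unlimited, n means the (n+1)th allocation fails. */
static int allocs_left = -1;

static void *checked_malloc(size_t n)
{
    if (allocs_left == 0)
        return NULL;
    if (allocs_left > 0)
        allocs_left--;
    return malloc(n);
}

/* Destroy accepts NULL (and a NULL slot), so callers need no guard of their own. */
void iterator_destroy(struct iterator **itp)
{
    if (itp == NULL || *itp == NULL)
        return;                 /* nothing to release: a no-op, not a crash */
    free((*itp)->buffer);       /* free(NULL) is itself a no-op for a half-built object */
    free(*itp);
    *itp = NULL;                /* leave no dangling pointer behind */
}

/* Two-stage construction; returns 0 on success, -1 on allocation failure.
 * On failure *out is NULL and nothing is leaked. */
int iterator_create(struct iterator **out, size_t len)
{
    struct iterator *it = NULL;

    *out = NULL;
    it = checked_malloc(sizeof(*it));
    if (it == NULL)
        goto fail;
    it->len = len;
    it->buffer = checked_malloc(len);
    if (it->buffer == NULL)
        goto fail;
    memset(it->buffer, 0, len);
    *out = it;
    return 0;

fail:
    iterator_destroy(&it);      /* safe whether it is NULL or half-built */
    return -1;
}

/* Drive a failure after `successes` allocations; returns 1 if the error
 * path completed with the slot left NULL and no crash. */
int demo_failed_allocation(int successes)
{
    struct iterator *it = NULL;
    int rc;

    allocs_left = successes;
    rc = iterator_create(&it, 64);
    iterator_destroy(&it);      /* it is still NULL here; must be harmless */
    allocs_left = -1;
    return rc == -1 && it == NULL;
}

/* The success path for contrast; returns 1 when create/destroy round-trips. */
int demo_success(void)
{
    struct iterator *it = NULL;

    allocs_left = -1;
    if (iterator_create(&it, 64) != 0 || it == NULL || it->len != 64)
        return 0;
    iterator_destroy(&it);
    return it == NULL;
}
```

The second `demo_failed_allocation(1)` case is the one the patch is about: the struct exists but its buffer does not, and the cleanup has to cope with both the NULL member and, one level up, a NULL object.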
From: derny at redhat.com (Drew Erny)
Date: Mon, 08 Jun 2015 08:28:20 -0400
Subject: [Freeipa-devel] Password Maxlife 0 causes expiration of 90 days
In-Reply-To: <55753969.7000509@redhat.com>
References: <5570BADF.5020002@redhat.com> <20150604214122.GK10162@redhat.com> <5571B41E.7030405@redhat.com> <1433516879.10825.20.camel@willson.usersys.redhat.com> <55753969.7000509@redhat.com>
Message-ID: <55758A64.9060109@redhat.com>

On 06/08/2015 02:42 AM, Martin Kosek wrote:
> On 06/05/2015 05:07 PM, Simo Sorce wrote:
>> On Fri, 2015-06-05 at 10:37 -0400, Drew Erny wrote:
>>> On 06/04/2015 05:41 PM, Alexander Bokovoy wrote:
>>>> On Thu, 04 Jun 2015, Drew Erny wrote:
>>>>> https://fedorahosted.org/freeipa/ticket/2795
>>>>>
>>>>> I've tracked down the source of this bug; it's nutty C stuff.
>>>>>
>>>>> So, in daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c, when you
>>>>> update password, the expiration time appears to be set in the
>>>>> function ipapwd_CheckPolicy on line 631, which looks like
>>>>>
>>>>> data->expireTime = data->timeNow + pol.max_pwd_life;
>>>>>
>>>>> So the bug has to be in how pol.max_pwd_life gets its value. So I
>>>>> check around, pol is initialized like this:
>>>>>
>>>>> struct ipapwd_policy pol = {0};
>>>>> ...
>>>>> pol.max_pwd_life = IPAPWD_DEFAULT_PWDLIFE;
>>>>>
>>>>> And IPAPWD_DEFAULT_PWDLIFE is a constant 90 days.
>>>>>
>>>>> But then the actual value of max_pwd_life is obtained by passing pol
>>>>> into the function ipapwd_getPolicy on line 577 or 590, depending on
>>>>> the password change type.
>>>>>
>>>>> Inside of ipapwd_getPolicy, there's a couple of lines starting at
>>>>> line 393
>>>>>
>>>>> tmpint = slapi_entry_attr_get_int(pe, "krbMaxPwdLife");
>>>>> if (tmpint != 0) {
>>>>>     policy->max_pwd_life = tmpint;
>>>>> }
>>>>>
>>>>> Which sets the max password life to the returned value, unless this
>>>>> function returns 0. However, the documentation from
>>>>> /usr/include/dirsrv/slapi-plugin.h says that that function,
>>>>> slapi_entry_attr_get_int, returns 0 if the entry does not contain
>>>>> that attribute. So, since the value 0 is returned, an error is
>>>>> assumed to have occurred and that member of the struct is left
>>>>> untouched... which means it's still set to the value it was set to
>>>>> when it was initialized, 90 days.
>>>>>
>>>>> So, when the expireTime is set at line 631, it's set to 90 days
>>>>> because the value returned by slapi_entry_attr_get_int is 0.
>>>>>
>>>>> I've checked to see if we can get some error context out of the pe
>>>>> variable passed in, but it appears to be an opaque struct that the
>>>>> user isn't meant to see the internals of.
>>>>>
>>>>> I'm not really sure what to do with this knowledge. The only thing I
>>>>> can think would be to use another sentinel value, like -1, to
>>>>> indicate that the password does not expire; or, otherwise, to
>>>>> document that there is no way to have non-expiring passwords, and
>>>>> administrators can only set value to some far-future date, and then
>>>>> close this bug. Or, we could just set the default expiration date to
>>>>> be somewhere far in the future. I'm not really qualified to make a
>>>>> call on how to proceed with this, but I'm capable of making the
>>>>> change if someone more senior decides.
>>>>>
>>>>> I can also totally see this issue with the interface of slapi-plugin
>>>>> being the possible cause of many bugs.
>>>> You can use slapi_entry_attr_exists() to check if attribute does exist
>>>> and then treat result of slapi_entry_attr_get_int() as actual value.
>>>>
>>>> Otherwise, that's a great investigation!
>>> Using slapi_entry_attr_exists() clears us of having to worry about
>>> getting an error condition back, but I'm still not confident how to
>>> handle the 0 maximum. Should I just put in a far-future date?
>>
>> The current behavior is completely intentional, not a side effect of the
>> code, the code was written that way intentionally.
>>
>> However we may consider an RFE that requests different behavior, we
>> would have to devise a special value for krbMaxPwdLife that means
>> "infinite".
> Maybe. If we do this, we should also ban "0" as krbMaxPwdLife as it confuses
> people.
>
> Let us say that the user sets krbMaxPwdLife to "infinite", what is the wished
> effect on the user entry? Should krbPasswordExpiration be simply removed/not
> added when password is being set? As we cannot put any special word there, it
> is GeneralizedTime syntax. I assume that our LDAP BIND/kinit code would need to
> be checked that it reacts properly to missing value in that case.

I think 0 or -1 are both good sentinel values to indicate no password life,
and it's probably unlikely that anyone is relying on the functionality of
0=90 days (especially if that functionality is undocumented, but I'm not sure
if it is), so it might be safe to change when we roll over to 4.2. Then,
whichever flag we settle on, in the C code for password changes that sets the
new expiration time, we just set that expiration time to the maximum value of
time_t instead of adding the max lifetime.

From simo at redhat.com Mon Jun 8 13:01:33 2015
From: simo at redhat.com (Simo Sorce)
Date: Mon, 08 Jun 2015 09:01:33 -0400
Subject: [Freeipa-devel] Password Maxlife 0 causes expiration of 90 days
In-Reply-To: <55753969.7000509@redhat.com>
References: <5570BADF.5020002@redhat.com> <20150604214122.GK10162@redhat.com> <5571B41E.7030405@redhat.com> <1433516879.10825.20.camel@willson.usersys.redhat.com> <55753969.7000509@redhat.com>
Message-ID: <1433768493.19067.2.camel@willson.usersys.redhat.com>

On Mon, 2015-06-08 at 08:42 +0200, Martin Kosek wrote:
> On 06/05/2015 05:07 PM, Simo Sorce wrote:
> > On Fri, 2015-06-05 at 10:37 -0400, Drew Erny wrote:
> >> On 06/04/2015 05:41 PM, Alexander Bokovoy wrote:
> >>> On Thu, 04 Jun 2015, Drew Erny wrote:
> >>>> https://fedorahosted.org/freeipa/ticket/2795
> >>>>
> >>>> I've tracked down the source of this bug; it's nutty C stuff.
> >>>>
> >>>> So, in daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c, when you
> >>>> update password, the expiration time appears to be set in the
> >>>> function ipapwd_CheckPolicy on line 631, which looks like
> >>>>
> >>>> data->expireTime = data->timeNow + pol.max_pwd_life;
> >>>>
> >>>> So the bug has to be in how pol.max_pwd_life gets its value. So I
> >>>> check around, pol is initialized like this:
> >>>>
> >>>> struct ipapwd_policy pol = {0};
> >>>> ...
> >>>> pol.max_pwd_life = IPAPWD_DEFAULT_PWDLIFE;
> >>>>
> >>>> And IPAPWD_DEFAULT_PWDLIFE is a constant 90 days.
> >>>>
> >>>> But then the actual value of max_pwd_life is obtained by passing pol
> >>>> into the function ipapwd_getPolicy on line 577 or 590, depending on
> >>>> the password change type.
> >>>>
> >>>> Inside of ipapwd_getPolicy, there's a couple of lines starting at
> >>>> line 393
> >>>>
> >>>> tmpint = slapi_entry_attr_get_int(pe, "krbMaxPwdLife");
> >>>> if (tmpint != 0) {
> >>>>     policy->max_pwd_life = tmpint;
> >>>> }
> >>>>
> >>>> Which sets the max password life to the returned value, unless this
> >>>> function returns 0. However, the documentation from
> >>>> /usr/include/dirsrv/slapi-plugin.h says that that function,
> >>>> slapi_entry_attr_get_int, returns 0 if the entry does not contain
> >>>> that attribute. So, since the value 0 is returned, an error is
> >>>> assumed to have occurred and that member of the struct is left
> >>>> untouched... which means it's still set to the value it was set to
> >>>> when it was initialized, 90 days.
> >>>>
> >>>> So, when the expireTime is set at line 631, it's set to 90 days
> >>>> because the value returned by slapi_entry_attr_get_int is 0.
> >>>>
> >>>> I've checked to see if we can get some error context out of the pe
> >>>> variable passed in, but it appears to be an opaque struct that the
> >>>> user isn't meant to see the internals of.
> >>>>
> >>>> I'm not really sure what to do with this knowledge. The only thing I
> >>>> can think would be to use another sentinel value, like -1, to
> >>>> indicate that the password does not expire; or, otherwise, to
> >>>> document that there is no way to have non-expiring passwords, and
> >>>> administrators can only set value to some far-future date, and then
> >>>> close this bug. Or, we could just set the default expiration date to
> >>>> be somewhere far in the future. I'm not really qualified to make a
> >>>> call on how to proceed with this, but I'm capable of making the
> >>>> change if someone more senior decides.
> >>>>
> >>>> I can also totally see this issue with the interface of slapi-plugin
> >>>> being the possible cause of many bugs.
> >>> You can use slapi_entry_attr_exists() to check if attribute does exist
> >>> and then treat result of slapi_entry_attr_get_int() as actual value.
> >>>
> >>> Otherwise, that's a great investigation!
> >>
> >> Using slapi_entry_attr_exists() clears us of having to worry about
> >> getting an error condition back, but I'm still not confident how to
> >> handle the 0 maximum. Should I just put in a far-future date?
> >
> > The current behavior is completely intentional, not a side effect of the
> > code, the code was written that way intentionally.
> >
> > However we may consider an RFE that requests different behavior, we
> > would have to devise a special value for krbMaxPwdLife that means
> > "infinite".
>
> Maybe. If we do this, we should also ban "0" as krbMaxPwdLife as it confuses
> people.
>
> Let us say that the user sets krbMaxPwdLife to "infinite", what is the wished
> effect on the user entry? Should krbPasswordExpiration be simply removed/not
> added when password is being set? As we cannot put any special word there, it
> is GeneralizedTime syntax. I assume that our LDAP BIND/kinit code would need to
> be checked that it reacts properly to missing value in that case.

We should probably set a special value (MAX int or something) and then
instruct the code to skip checks if that value is found.

I do not think we should omit the expiration time, no exp time gives you the
default policy as that may be the result of a partial import.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From mbasti at redhat.com Mon Jun 8 13:17:01 2015
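The two halves of the krbMaxPwdLife discussion above, as one added example (not FreeIPA's ipa-pwd-extop code): Drew Erny's finding that a `slapi_entry_attr_get_int()` return of 0 is ambiguous between "attribute absent" and "attribute set to 0", Alexander Bokovoy's existence check as the fix, and Simo Sorce's proposal of a reserved value that the expiry check recognises and skips instead of omitting the attribute. `struct entry`, `entry_attr_get_int()` and `entry_attr_exists()` are constructed stand-ins that model the documented behaviour of the two slapi calls; `PWDLIFE_INFINITE`, `EXPIRE_NEVER` and the sample entries are assumptions made for the example, not values the thread settled on.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Constructed stand-in for a Directory Server entry: a tiny attribute table. */
struct attr { const char *name; int value; };
struct entry { const struct attr *attrs; size_t nattrs; };

#define DEFAULT_PWDLIFE (90 * 24 * 60 * 60)   /* 90 days, as IPAPWD_DEFAULT_PWDLIFE */
#define PWDLIFE_INFINITE INT_MAX              /* assumed "never expires" policy value */
#define EXPIRE_NEVER ((time_t)INT_MAX)        /* assumed stored expiry sentinel */

/* Models slapi_entry_attr_exists(): presence only, no value. */
int entry_attr_exists(const struct entry *e, const char *name)
{
    for (size_t i = 0; i < e->nattrs; i++)
        if (strcmp(e->attrs[i].name, name) == 0)
            return 1;
    return 0;
}

/* Models slapi_entry_attr_get_int(): an absent attribute reads as 0. */
int entry_attr_get_int(const struct entry *e, const char *name)
{
    for (size_t i = 0; i < e->nattrs; i++)
        if (strcmp(e->attrs[i].name, name) == 0)
            return e->attrs[i].value;
    return 0;
}

/* The lookup as described in the thread: 0 is taken to mean "not present",
 * so an administrator's explicit 0 silently turns into the 90-day default. */
int max_pwd_life_as_is(const struct entry *pe)
{
    int max_pwd_life = DEFAULT_PWDLIFE;
    int tmpint = entry_attr_get_int(pe, "krbMaxPwdLife");
    if (tmpint != 0)
        max_pwd_life = tmpint;
    return max_pwd_life;
}

/* The suggested shape: test presence first, then take the value as given. */
int max_pwd_life_checked(const struct entry *pe)
{
    if (!entry_attr_exists(pe, "krbMaxPwdLife"))
        return DEFAULT_PWDLIFE;
    return entry_attr_get_int(pe, "krbMaxPwdLife");
}

/* Reserved value stored instead of now + life, so the entry still carries an
 * expiry (a missing one would fall back to the default policy, e.g. after a
 * partial import). */
time_t expire_time_for(time_t now, int max_pwd_life)
{
    if (max_pwd_life == PWDLIFE_INFINITE)
        return EXPIRE_NEVER;
    return now + max_pwd_life;
}

/* The check side recognises the reserved value and skips the comparison. */
int password_expired(time_t now, time_t expire_time)
{
    if (expire_time == EXPIRE_NEVER)
        return 0;
    return now >= expire_time;
}

/* Constructed sample entries covering absent, 0, one hour and "infinite". */
static const struct attr attrs_zero[] = { { "krbMaxPwdLife", 0 } };
static const struct attr attrs_hour[] = { { "krbMaxPwdLife", 3600 } };
static const struct attr attrs_inf[]  = { { "krbMaxPwdLife", PWDLIFE_INFINITE } };
const struct entry sample_no_attr = { NULL, 0 };
const struct entry sample_zero    = { attrs_zero, 1 };
const struct entry sample_hour    = { attrs_hour, 1 };
const struct entry sample_inf     = { attrs_inf, 1 };

int main(void)
{
    const struct entry *cases[] = { &sample_no_attr, &sample_zero, &sample_hour, &sample_inf };
    const char *labels[] = { "absent", "0", "3600", "INT_MAX" };
    for (size_t i = 0; i < 4; i++)
        printf("krbMaxPwdLife=%-8s as-is=%11d checked=%11d\n", labels[i],
               max_pwd_life_as_is(cases[i]), max_pwd_life_checked(cases[i]));
    return 0;
}
```

The "absent" and "0" rows print the same 7776000 under the as-is lookup and differ under the checked one, which is exactly the ambiguity the thread traced; whether 0 should then mean "expires immediately" or be rejected, as Martin Kosek suggests, is a policy decision the existence check makes possible but does not take.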
From: mbasti at redhat.com (Martin Basti) Date: Mon, 08 Jun 2015 15:17:01 +0200 Subject: [Freeipa-devel] [PATCH 424] install: Introduce installer framework ipapython.install In-Reply-To: <55756A86.6090800@redhat.com> References: <552FCB4E.4050402@redhat.com> <5531157F.80106@redhat.com> <5534FBB6.3050001@redhat.com> <553513A7.3070704@redhat.com> <554105ED.90204@redhat.com> <5549B079.5020007@redhat.com> <5549B319.2060109@redhat.com> <5550956F.9080002@redhat.com> <556DADCF.3010305@redhat.com> <556EFAE4.70908@redhat.com> <55756A86.6090800@redhat.com> Message-ID: <557595CD.90400@redhat.com> On 08/06/15 12:12, Jan Cholasta wrote: > Dne 3.6.2015 v 15:02 Martin Basti napsal(a): >> On 02/06/15 15:21, Jan Cholasta wrote: >>> Dne 11.5.2015 v 13:41 Jan Cholasta napsal(a): >>>> Dne 6.5.2015 v 08:22 Jan Cholasta napsal(a): >>>>> Dne 6.5.2015 v 08:11 Martin Kosek napsal(a): >>>>>> On 04/29/2015 06:25 PM, Jan Cholasta wrote: >>>>>>> Dne 20.4.2015 v 16:56 Jan Cholasta napsal(a): >>>>>>>> Dne 20.4.2015 v 15:14 Martin Basti napsal(a): >>>>>>>>> On 17/04/15 16:15, Jan Cholasta wrote: >>>>>>>>>> Dne 16.4.2015 v 16:46 Jan Cholasta napsal(a): >>>>>>>>>>> Hi, >>>>>>>>>>> >>>>>>>>>>> the attached patch adds the basics of the new installer >>>>>>>>>>> framework. >>>>>>>>>>> >>>>>>>>>>> As a next step, I plan to convert the install scripts to use >>>>>>>>>>> the >>>>>>>>>>> framework with their old code (the old code will be gradually >>>>>>>>>>> ported to >>>>>>>>>>> the framework later). >>>>>>>>>>> >>>>>>>>>>> (Note I didn't manage to write docstrings today, expect update >>>>>>>>>>> tomorrow.) >>>>>>>>>> >>>>>>>>>> Added some docstrings. >>>>>>>>>> >>>>>>>>>> Also updated the patch to reflect little brainstorming David >>>>>>>>>> and I >>>>>>>>>> had >>>>>>>>>> this morning. 
>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> Honza >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>> Hello, see comments bellow: >>>>>>>>> >>>>>>>>> 1) We started using new shorter License header in files: >>>>>>>>> # >>>>>>>>> # Copyright (C) 2015 FreeIPA Contributors see COPYING for >>>>>>>>> license >>>>>>>>> # >>>>>>>> >>>>>>>> OK. >>>>>>>> >>>>>>>>> >>>>>>>>> 2) IMO this will not work, NoneType has no 'obj' attribute >>>>>>>>> + else: >>>>>>>>> + if isinstance(value, from_): >>>>>>>>> + value = None >>>>>>>>> + stack.append(value.obj) >>>>>>>>> + continue >>>>>>>> >>>>>>>> Right. >>>>>>>> >>>>>>>>> >>>>>>>>> 3) Multiple inheritance. I do not like it much. >>>>>>>>> +class CompositeInstaller(Installer, CompositeConfigurator): >>>>>>>> >>>>>>>> I guess you are antagonistic to multiple inheritance because of >>>>>>>> how >>>>>>>> other languages (like C++) do it. In Python it can be pretty >>>>>>>> elegant >>>>>>>> and >>>>>>>> is basis for e.g. the mixin design pattern. >>>>>>>> >>>>>>>>> >>>>>>>>> Installer and CompositeConfigurator inherites from Configurator >>>>>>>>> class, >>>>>>>>> and all of them implements _generator method. >>>>>>>> >>>>>>>> Both of them call super()._generator(), so it's no problem >>>>>>>> (same for >>>>>>>> other methods). >>>>>>>> >>>>>>>>> >>>>>>>>> If I understand correctly >>>>>>>>> (https://www.python.org/download/releases/2.3/mro/) the >>>>>>>>> Installer._generator method will be used in this case. >>>>>>>>> However in case when CompositeConfigurator has more levels >>>>>>>>> (respectively >>>>>>>>> it is more specialized) of inheritance, it could take precedence >>>>>>>>> and its >>>>>>>>> _generator method may be used instead. >>>>>>>> >>>>>>>> The order of precedence is defined by the order of base classes >>>>>>>> in the >>>>>>>> class definition. >>>>>>>> >>>>>>>>> >>>>>>>>> I'm afraid this may suddenly stop working. >>>>>>>>> Maybe I'm wrong, please fix me. >>>>>>>> >>>>>>>> As long as you call the super class, it will work fine. 
>>>>>>>> >>>>>>>>> >>>>>>>>> And Multiple inheritance is not easily readable, this is even a >>>>>>>>> diamond >>>>>>>>> inheritance model. >>>>>>>> >>>>>>>> Cooperative inheritance is used by design and IMHO is easily >>>>>>>> readable if >>>>>>>> you know how to read it. Every class defines a single bit of >>>>>>>> behavior. >>>>>>>> Without cooperative inheritance, it would have to be hardcoded >>>>>>>> and/or >>>>>>>> hacked around, which I wanted to avoid. >>>>>>>> >>>>>>>> This blog post explains it nicely: >>>>>>>> . >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> >>>>>>> Updated patch attached. >>>>>>> >>>>>>> Also attached is patch 425 which migrates ipa-server-install to the >>>>>>> install >>>>>>> framework. >>>>>> >>>>>> Good job there. I am just curious, will this framework and new >>>>>> option >>>>>> processing be friendly to other types of option passing than just >>>>>> via >>>>>> options? >>>>>> I mean tickets >>>>>> >>>>>> https://fedorahosted.org/freeipa/ticket/4517 >>>>>> https://fedorahosted.org/freeipa/ticket/4468 >>>>>> >>>>>> Especially 4517 is important, we need to be able to run >>>>>> >>>>>> # cat install.conf >>>>>> ds_password=Secret123 >>>>>> admin_password=Secret456 >>>>>> ip_address=123456 >>>>>> setup_dns=False >>>>>> >>>>>> # ipa-server-install --unattended --conf install.conf >>>>>> >>>>>> I assume yes, but I am just making sure. >>>>> >>>>> Yes, definitely. >>>>> >>>> >>>> Updated patches attached. >>> >>> Another update, patches attached. >>> >> thank you, >> >> 1) >> ipa-server-install --uninstall prints 0 >> ... >> Unconfiguring ipa_memcached >> Unconfiguring ipa-otpd >> 0 >> The ipa-server-install command was successful > > Fixed. > >> >> >> 2) >> ipa-server-install --setup-dns >> 'ServerOptions' object has no attribute 'dnssec_master' > > Fixed. > >> >> 3) >> For record, this will be fixed in extra patch. >> info messages from ldapupdate are printed to console > > Could you provide the patch? 
> >> >> 4) >> + if default is not _missing: >> + class_dict['default'] = default >> >> Why is new _missing object needed? Isn't NoneType enough? > > None is a valid value here, there needs to be a distinction between > "value is not set" and "value is set to None". > > Updated patches attached. Note you first have to apply my patches > 436-438. > NACK Please provide a realm name [ABC.EXAMPLE.COM]: 'installer(Server)' object has no attribute 'unattended' also please fix private_ccache import. This function should be imported directly from ipautil, not via installutils -- Martin Basti From mbasti at redhat.com Mon Jun 8 13:19:06 2015 
From: mbasti at redhat.com (Martin Basti) Date: Mon, 08 Jun 2015 15:19:06 +0200 Subject: [Freeipa-devel] [PATCH 424] install: Introduce installer framework ipapython.install In-Reply-To: <557595CD.90400@redhat.com> References: <552FCB4E.4050402@redhat.com> <5531157F.80106@redhat.com> <5534FBB6.3050001@redhat.com> <553513A7.3070704@redhat.com> <554105ED.90204@redhat.com> <5549B079.5020007@redhat.com> <5549B319.2060109@redhat.com> <5550956F.9080002@redhat.com> <556DADCF.3010305@redhat.com> <556EFAE4.70908@redhat.com> <55756A86.6090800@redhat.com> <557595CD.90400@redhat.com> Message-ID: <5575964A.3020904@redhat.com> On 08/06/15 15:17, Martin Basti wrote: > On 08/06/15 12:12, Jan Cholasta wrote: >> Dne 3.6.2015 v 15:02 Martin Basti napsal(a): >>> On 02/06/15 15:21, Jan Cholasta wrote: >>>> Dne 11.5.2015 v 13:41 Jan Cholasta napsal(a): >>>>> Dne 6.5.2015 v 08:22 Jan Cholasta napsal(a): >>>>>> Dne 6.5.2015 v 08:11 Martin Kosek napsal(a): >>>>>>> On 04/29/2015 06:25 PM, Jan Cholasta wrote: >>>>>>>> Dne 20.4.2015 v 16:56 Jan Cholasta napsal(a): >>>>>>>>> Dne 20.4.2015 v 15:14 Martin Basti napsal(a): >>>>>>>>>> On 17/04/15 16:15, Jan Cholasta wrote: >>>>>>>>>>> Dne 16.4.2015 v 16:46 Jan Cholasta napsal(a): >>>>>>>>>>>> Hi, >>>>>>>>>>>> >>>>>>>>>>>> the attached patch adds the basics of the new installer >>>>>>>>>>>> framework. >>>>>>>>>>>> >>>>>>>>>>>> As a next step, I plan to convert the install scripts to >>>>>>>>>>>> use the >>>>>>>>>>>> framework with their old code (the old code will be gradually >>>>>>>>>>>> ported to >>>>>>>>>>>> the framework later). >>>>>>>>>>>> >>>>>>>>>>>> (Note I didn't manage to write docstrings today, expect update >>>>>>>>>>>> tomorrow.) >>>>>>>>>>> >>>>>>>>>>> Added some docstrings. >>>>>>>>>>> >>>>>>>>>>> Also updated the patch to reflect little brainstorming David >>>>>>>>>>> and I >>>>>>>>>>> had >>>>>>>>>>> this morning. 
>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> Honza >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> Hello, see comments bellow: >>>>>>>>>> >>>>>>>>>> 1) We started using new shorter License header in files: >>>>>>>>>> # >>>>>>>>>> # Copyright (C) 2015 FreeIPA Contributors see COPYING for >>>>>>>>>> license >>>>>>>>>> # >>>>>>>>> >>>>>>>>> OK. >>>>>>>>> >>>>>>>>>> >>>>>>>>>> 2) IMO this will not work, NoneType has no 'obj' attribute >>>>>>>>>> + else: >>>>>>>>>> + if isinstance(value, from_): >>>>>>>>>> + value = None >>>>>>>>>> + stack.append(value.obj) >>>>>>>>>> + continue >>>>>>>>> >>>>>>>>> Right. >>>>>>>>> >>>>>>>>>> >>>>>>>>>> 3) Multiple inheritance. I do not like it much. >>>>>>>>>> +class CompositeInstaller(Installer, CompositeConfigurator): >>>>>>>>> >>>>>>>>> I guess you are antagonistic to multiple inheritance because >>>>>>>>> of how >>>>>>>>> other languages (like C++) do it. In Python it can be pretty >>>>>>>>> elegant >>>>>>>>> and >>>>>>>>> is basis for e.g. the mixin design pattern. >>>>>>>>> >>>>>>>>>> >>>>>>>>>> Installer and CompositeConfigurator inherites from Configurator >>>>>>>>>> class, >>>>>>>>>> and all of them implements _generator method. >>>>>>>>> >>>>>>>>> Both of them call super()._generator(), so it's no problem >>>>>>>>> (same for >>>>>>>>> other methods). >>>>>>>>> >>>>>>>>>> >>>>>>>>>> If I understand correctly >>>>>>>>>> (https://www.python.org/download/releases/2.3/mro/) the >>>>>>>>>> Installer._generator method will be used in this case. >>>>>>>>>> However in case when CompositeConfigurator has more levels >>>>>>>>>> (respectively >>>>>>>>>> it is more specialized) of inheritance, it could take precedence >>>>>>>>>> and its >>>>>>>>>> _generator method may be used instead. >>>>>>>>> >>>>>>>>> The order of precedence is defined by the order of base classes >>>>>>>>> in the >>>>>>>>> class definition. >>>>>>>>> >>>>>>>>>> >>>>>>>>>> I'm afraid this may suddenly stop working. >>>>>>>>>> Maybe I'm wrong, please fix me. 
>>>>>>>>> >>>>>>>>> As long as you call the super class, it will work fine. >>>>>>>>> >>>>>>>>>> >>>>>>>>>> And Multiple inheritance is not easily readable, this is even a >>>>>>>>>> diamond >>>>>>>>>> inheritance model. >>>>>>>>> >>>>>>>>> Cooperative inheritance is used by design and IMHO is easily >>>>>>>>> readable if >>>>>>>>> you know how to read it. Every class defines a single bit of >>>>>>>>> behavior. >>>>>>>>> Without cooperative inheritance, it would have to be hardcoded >>>>>>>>> and/or >>>>>>>>> hacked around, which I wanted to avoid. >>>>>>>>> >>>>>>>>> This blog post explains it nicely: >>>>>>>>> . >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>>> Updated patch attached. >>>>>>>> >>>>>>>> Also attached is patch 425 which migrates ipa-server-install to >>>>>>>> the >>>>>>>> install >>>>>>>> framework. >>>>>>> >>>>>>> Good job there. I am just curious, will this framework and new >>>>>>> option >>>>>>> processing be friendly to other types of option passing than >>>>>>> just via >>>>>>> options? >>>>>>> I mean tickets >>>>>>> >>>>>>> https://fedorahosted.org/freeipa/ticket/4517 >>>>>>> https://fedorahosted.org/freeipa/ticket/4468 >>>>>>> >>>>>>> Especially 4517 is important, we need to be able to run >>>>>>> >>>>>>> # cat install.conf >>>>>>> ds_password=Secret123 >>>>>>> admin_password=Secret456 >>>>>>> ip_address=123456 >>>>>>> setup_dns=False >>>>>>> >>>>>>> # ipa-server-install --unattended --conf install.conf >>>>>>> >>>>>>> I assume yes, but I am just making sure. >>>>>> >>>>>> Yes, definitely. >>>>>> >>>>> >>>>> Updated patches attached. >>>> >>>> Another update, patches attached. >>>> >>> thank you, >>> >>> 1) >>> ipa-server-install --uninstall prints 0 >>> ... >>> Unconfiguring ipa_memcached >>> Unconfiguring ipa-otpd >>> 0 >>> The ipa-server-install command was successful >> >> Fixed. >> >>> >>> >>> 2) >>> ipa-server-install --setup-dns >>> 'ServerOptions' object has no attribute 'dnssec_master' >> >> Fixed. 
>> >>> >>> 3) >>> For record, this will be fixed in extra patch. >>> info messages from ldapupdate are printed to console >> >> Could you provide the patch? >> >>> >>> 4) >>> + if default is not _missing: >>> + class_dict['default'] = default >>> >>> Why is new _missing object needed? Isn't NoneType enough? >> >> None is a valid value here, there needs to be a distinction between >> "value is not set" and "value is set to None". >> >> Updated patches attached. Note you first have to apply my patches >> 436-438. >> > > NACK > > Please provide a realm name [ABC.EXAMPLE.COM]: > 'installer(Server)' object has no attribute 'unattended' > > also please fix private_ccache import. This function should be > imported directly from ipautil, not via installutils > I forgot to paste the traceback, here it is: DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute return_value = self.run() File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 216, in run cfgr.run() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 278, in run self.validate() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 287, in validate for nothing in self._validator(): File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 342, in __runner self._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 364, in _handle_exception util.raise_exc_info(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 332, in __runner step() File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from raise_exc_info(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 501, in _configure validator.next() File 
"/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 342, in __runner self._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 420, in _handle_exception self.__parent._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 364, in _handle_exception util.raise_exc_info(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 417, in _handle_exception super(ComponentBase, self)._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 364, in _handle_exception util.raise_exc_info(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 332, in __runner step() File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from raise_exc_info(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install for nothing in self._installer(self.parent): File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 1633, in main install_check(self) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 264, in decorated func(installer) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 566, in install_check dns.install_check(False, False, options, host_name) File "/usr/lib/python2.7/site-packages/ipaserver/install/dns.py", line 64, in install_check if not (bindinstance.check_inst(options.unattended) and -- Martin Basti From jcholast at redhat.com Mon Jun 8 13:53:07 2015 
From: jcholast at redhat.com (Jan Cholasta) Date: Mon, 08 Jun 2015 15:53:07 +0200 Subject: [Freeipa-devel] [PATCH 424] install: Introduce installer framework ipapython.install In-Reply-To: <5575964A.3020904@redhat.com> References: <552FCB4E.4050402@redhat.com> <5531157F.80106@redhat.com> <5534FBB6.3050001@redhat.com> <553513A7.3070704@redhat.com> <554105ED.90204@redhat.com> <5549B079.5020007@redhat.com> <5549B319.2060109@redhat.com> <5550956F.9080002@redhat.com> <556DADCF.3010305@redhat.com> <556EFAE4.70908@redhat.com> <55756A86.6090800@redhat.com> <557595CD.90400@redhat.com> <5575964A.3020904@redhat.com> Message-ID: <55759E43.4080204@redhat.com> Dne 8.6.2015 v 15:19 Martin Basti napsal(a): > On 08/06/15 15:17, Martin Basti wrote: >> On 08/06/15 12:12, Jan Cholasta wrote: >>> Dne 3.6.2015 v 15:02 Martin Basti napsal(a): >>>> On 02/06/15 15:21, Jan Cholasta wrote: >>>>> Dne 11.5.2015 v 13:41 Jan Cholasta napsal(a): >>>>>> Dne 6.5.2015 v 08:22 Jan Cholasta napsal(a): >>>>>>> Dne 6.5.2015 v 08:11 Martin Kosek napsal(a): >>>>>>>> On 04/29/2015 06:25 PM, Jan Cholasta wrote: >>>>>>>>> Dne 20.4.2015 v 16:56 Jan Cholasta napsal(a): >>>>>>>>>> Dne 20.4.2015 v 15:14 Martin Basti napsal(a): >>>>>>>>>>> On 17/04/15 16:15, Jan Cholasta wrote: >>>>>>>>>>>> Dne 16.4.2015 v 16:46 Jan Cholasta napsal(a): >>>>>>>>>>>>> Hi, >>>>>>>>>>>>> >>>>>>>>>>>>> the attached patch adds the basics of the new installer >>>>>>>>>>>>> framework. >>>>>>>>>>>>> >>>>>>>>>>>>> As a next step, I plan to convert the install scripts to >>>>>>>>>>>>> use the >>>>>>>>>>>>> framework with their old code (the old code will be gradually >>>>>>>>>>>>> ported to >>>>>>>>>>>>> the framework later). >>>>>>>>>>>>> >>>>>>>>>>>>> (Note I didn't manage to write docstrings today, expect update >>>>>>>>>>>>> tomorrow.) >>>>>>>>>>>> >>>>>>>>>>>> Added some docstrings. >>>>>>>>>>>> >>>>>>>>>>>> Also updated the patch to reflect little brainstorming David >>>>>>>>>>>> and I >>>>>>>>>>>> had >>>>>>>>>>>> this morning. 
>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> Honza >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>> Hello, see comments bellow: >>>>>>>>>>> >>>>>>>>>>> 1) We started using new shorter License header in files: >>>>>>>>>>> # >>>>>>>>>>> # Copyright (C) 2015 FreeIPA Contributors see COPYING for >>>>>>>>>>> license >>>>>>>>>>> # >>>>>>>>>> >>>>>>>>>> OK. >>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> 2) IMO this will not work, NoneType has no 'obj' attribute >>>>>>>>>>> + else: >>>>>>>>>>> + if isinstance(value, from_): >>>>>>>>>>> + value = None >>>>>>>>>>> + stack.append(value.obj) >>>>>>>>>>> + continue >>>>>>>>>> >>>>>>>>>> Right. >>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> 3) Multiple inheritance. I do not like it much. >>>>>>>>>>> +class CompositeInstaller(Installer, CompositeConfigurator): >>>>>>>>>> >>>>>>>>>> I guess you are antagonistic to multiple inheritance because >>>>>>>>>> of how >>>>>>>>>> other languages (like C++) do it. In Python it can be pretty >>>>>>>>>> elegant >>>>>>>>>> and >>>>>>>>>> is basis for e.g. the mixin design pattern. >>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> Installer and CompositeConfigurator inherites from Configurator >>>>>>>>>>> class, >>>>>>>>>>> and all of them implements _generator method. >>>>>>>>>> >>>>>>>>>> Both of them call super()._generator(), so it's no problem >>>>>>>>>> (same for >>>>>>>>>> other methods). >>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> If I understand correctly >>>>>>>>>>> (https://www.python.org/download/releases/2.3/mro/) the >>>>>>>>>>> Installer._generator method will be used in this case. >>>>>>>>>>> However in case when CompositeConfigurator has more levels >>>>>>>>>>> (respectively >>>>>>>>>>> it is more specialized) of inheritance, it could take precedence >>>>>>>>>>> and its >>>>>>>>>>> _generator method may be used instead. >>>>>>>>>> >>>>>>>>>> The order of precedence is defined by the order of base classes >>>>>>>>>> in the >>>>>>>>>> class definition. >>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> I'm afraid this may suddenly stop working. 
>>>>>>>>>>> Maybe I'm wrong, please fix me. >>>>>>>>>> >>>>>>>>>> As long as you call the super class, it will work fine. >>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> And Multiple inheritance is not easily readable, this is even a >>>>>>>>>>> diamond >>>>>>>>>>> inheritance model. >>>>>>>>>> >>>>>>>>>> Cooperative inheritance is used by design and IMHO is easily >>>>>>>>>> readable if >>>>>>>>>> you know how to read it. Every class defines a single bit of >>>>>>>>>> behavior. >>>>>>>>>> Without cooperative inheritance, it would have to be hardcoded >>>>>>>>>> and/or >>>>>>>>>> hacked around, which I wanted to avoid. >>>>>>>>>> >>>>>>>>>> This blog post explains it nicely: >>>>>>>>>> . >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>>> Updated patch attached. >>>>>>>>> >>>>>>>>> Also attached is patch 425 which migrates ipa-server-install to >>>>>>>>> the >>>>>>>>> install >>>>>>>>> framework. >>>>>>>> >>>>>>>> Good job there. I am just curious, will this framework and new >>>>>>>> option >>>>>>>> processing be friendly to other types of option passing than >>>>>>>> just via >>>>>>>> options? >>>>>>>> I mean tickets >>>>>>>> >>>>>>>> https://fedorahosted.org/freeipa/ticket/4517 >>>>>>>> https://fedorahosted.org/freeipa/ticket/4468 >>>>>>>> >>>>>>>> Especially 4517 is important, we need to be able to run >>>>>>>> >>>>>>>> # cat install.conf >>>>>>>> ds_password=Secret123 >>>>>>>> admin_password=Secret456 >>>>>>>> ip_address=123456 >>>>>>>> setup_dns=False >>>>>>>> >>>>>>>> # ipa-server-install --unattended --conf install.conf >>>>>>>> >>>>>>>> I assume yes, but I am just making sure. >>>>>>> >>>>>>> Yes, definitely. >>>>>>> >>>>>> >>>>>> Updated patches attached. >>>>> >>>>> Another update, patches attached. >>>>> >>>> thank you, >>>> >>>> 1) >>>> ipa-server-install --uninstall prints 0 >>>> ... >>>> Unconfiguring ipa_memcached >>>> Unconfiguring ipa-otpd >>>> 0 >>>> The ipa-server-install command was successful >>> >>> Fixed. 
>>> >>>> >>>> >>>> 2) >>>> ipa-server-install --setup-dns >>>> 'ServerOptions' object has no attribute 'dnssec_master' >>> >>> Fixed. >>> >>>> >>>> 3) >>>> For record, this will be fixed in extra patch. >>>> info messages from ldapupdate are printed to console >>> >>> Could you provide the patch? >>> >>>> >>>> 4) >>>> + if default is not _missing: >>>> + class_dict['default'] = default >>>> >>>> Why is new _missing object needed? Isn't NoneType enough? >>> >>> None is a valid value here, there needs to be a distinction between >>> "value is not set" and "value is set to None". >>> >>> Updated patches attached. Note you first have to apply my patches >>> 436-438. >>> >> >> NACK >> >> Please provide a realm name [ABC.EXAMPLE.COM]: >> 'installer(Server)' object has no attribute 'unattended' >> >> also please fix private_ccache import. This function should be >> imported directly from ipautil, not via installutils Fixed. >> > I forgot to paste the traceback, here it is: > > DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", > line 171, in execute > return_value = self.run() > File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", > line 216, in run > cfgr.run() > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > line 278, in run > self.validate() > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > line 287, in validate > for nothing in self._validator(): > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > line 342, in __runner > self._handle_exception(exc_info) > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > line 364, in _handle_exception > util.raise_exc_info(exc_info) > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > line 332, in __runner > step() > File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", > line 87, in run_generator_with_yield_from > raise_exc_info(exc_info) > File 
"/usr/lib/python2.7/site-packages/ipapython/install/util.py", > line 65, in run_generator_with_yield_from > value = gen.send(prev_value) > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > line 501, in _configure > validator.next() > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > line 342, in __runner > self._handle_exception(exc_info) > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > line 420, in _handle_exception > self.__parent._handle_exception(exc_info) > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > line 364, in _handle_exception > util.raise_exc_info(exc_info) > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > line 417, in _handle_exception > super(ComponentBase, self)._handle_exception(exc_info) > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > line 364, in _handle_exception > util.raise_exc_info(exc_info) > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > line 332, in __runner > step() > File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", > line 87, in run_generator_with_yield_from > raise_exc_info(exc_info) > File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", > line 65, in run_generator_with_yield_from > value = gen.send(prev_value) > File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", > line 63, in _install > for nothing in self._installer(self.parent): > File > "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", > line 1633, in main > install_check(self) > File > "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", > line 264, in decorated > func(installer) > File > "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", > line 566, in install_check > dns.install_check(False, False, options, host_name) > File "/usr/lib/python2.7/site-packages/ipaserver/install/dns.py", > line 64, in install_check > if not 
(bindinstance.check_inst(options.unattended) and

Fixed.

Updated patches attached.

-- 
Jan Cholasta

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-438.1-install-Move-private_ccache-from-ipaserver-to-ipapyt.patch
Type: text/x-patch
Size: 5270 bytes

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-424.5-install-Introduce-installer-framework-ipapython.inst.patch
Type: text/x-patch
Size: 34460 bytes

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-425.4-install-Migrate-ipa-server-install-to-the-install-fr.patch
Type: text/x-patch
Size: 61382 bytes

From pspacek at redhat.com Mon Jun 8 14:18:08 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 08 Jun 2015 16:18:08 +0200
Subject: [Freeipa-devel] [PATCH 0031] Update PKCS#11 mechanism constants for AES key wrapping to PKCS#11 v2.40
Message-ID: <5575A420.50006@redhat.com>

Hello,

Update PKCS#11 mechanism constants for AES key wrapping to PKCS#11 v2.40.

SoftHSM 2.0.0rc1 was updated to these new constants to avoid collision with
Blowfish mechanisms.

Older code *cannot* work with SoftHSM 2.0.0rc1 and newer.

Symptoms include errors like this:

On DNSSEC key master:
ipa-ods-exporter: _ipap11helper.Error: Error at key wrapping: get buffer length: 0x70

On DNSSEC replicas:
ipa-dnskeysyncd: subprocess.CalledProcessError: Command ''/usr/libexec/ipa/ipa-dnskeysync-replica'' returned non-zero exit status 1

-- 
Petr^2 Spacek

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pspacek-0031-Update-PKCS-11-mechanism-constants-for-AES-key-wrapp.patch
Type: text/x-patch
Size: 1598 bytes

From jcholast at redhat.com Mon Jun 8 14:23:13 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 08 Jun 2015 16:23:13 +0200
Subject: [Freeipa-devel] [PATCH 0049] Move CA installation code into single module.
In-Reply-To: <557569EE.9070009@redhat.com>
References: <556F21ED.8020908@redhat.com> <5571931C.1030103@redhat.com> <55753544.5040906@redhat.com> <557569EE.9070009@redhat.com>
Message-ID: <5575A551.3020207@redhat.com>

On 8.6.2015 at 12:09, Jan Cholasta wrote:
> On 8.6.2015 at 08:25, Jan Cholasta wrote:
>> On 5.6.2015 at 14:16, David Kupka wrote:
>>> On 06/03/2015 05:49 PM, David Kupka wrote:
>>>>
>>> Updated patch attached.
>>>
>>
>> ACK. The patch needed a rebase and there was a bug in
>> ipa-replica-install, I took care of both, see attachment.
>>
>> Pushed to master: 2acedb2d5d4a4c0987c670e14eb04b8bd9ffc034
>>
>> There was also an unrelated problem in replicainstall.py which I also
>> fixed, see the other attachment.
>>
>> Pushed to master under the one-liner rule:
>> e01095dfb33aaef0ab1babf86a71d70410b666ed
>
> There are some more bugs in CA-less and external CA install, see the
> attached patches for fixes.

Fixed an additional issue in patch 437, see attachment.

-- 
Jan Cholasta

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-436-install-Fix-CA-less-server-install.patch
Type: text/x-patch
Size: 1099 bytes

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-437.1-install-Fix-external-CA-server-install.patch
Type: text/x-patch
Size: 4147 bytes

From simo at redhat.com Mon Jun 8 14:24:32 2015
From: simo at redhat.com (Simo Sorce)
Date: Mon, 08 Jun 2015 10:24:32 -0400
Subject: [Freeipa-devel] [PATCH 0031] Update PKCS#11 mechanism constants for AES key wrapping to PKCS#11 v2.40
In-Reply-To: <5575A420.50006@redhat.com>
References: <5575A420.50006@redhat.com>
Message-ID: <1433773472.19067.3.camel@willson.usersys.redhat.com>

On Mon, 2015-06-08 at 16:18 +0200, Petr Spacek wrote:
> Hello,
>
> Update PKCS#11 mechanism constants for AES key wrapping to PKCS#11 v2.40.
>
> SoftHSM 2.0.0rc1 was updated to these new constants to avoid collision with
> Blowfish mechanisms.
>
>
> Older code *cannot* work with SoftHSM 2.0.0rc1 and newer.
>
> Symptoms include errors like this:
>
> On DNSSEC key master:
> ipa-ods-exporter: _ipap11helper.Error: Error at key wrapping: get buffer
> length: 0x70
>
> On DNSSEC replicas:
> ipa-dnskeysyncd: subprocess.CalledProcessError: Command
> ''/usr/libexec/ipa/ipa-dnskeysync-replica'' returned non-zero exit status 1
>

Does this affect domains where some replicas use older versions and some
replicas newer versions? Or is this a purely local issue confined to a
specific replica?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From pspacek at redhat.com Mon Jun 8 14:30:33 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 08 Jun 2015 16:30:33 +0200
Subject: [Freeipa-devel] [PATCH 0031] Update PKCS#11 mechanism constants for AES key wrapping to PKCS#11 v2.40
In-Reply-To: <1433773472.19067.3.camel@willson.usersys.redhat.com>
References: <5575A420.50006@redhat.com> <1433773472.19067.3.camel@willson.usersys.redhat.com>
Message-ID: <5575A709.3060107@redhat.com>

On 8.6.2015 16:24, Simo Sorce wrote:
> On Mon, 2015-06-08 at 16:18 +0200, Petr Spacek wrote:
>> Hello,
>>
>> Update PKCS#11 mechanism constants for AES key wrapping to PKCS#11 v2.40.
>>
>> SoftHSM 2.0.0rc1 was updated to these new constants to avoid collision with
>> Blowfish mechanisms.
>>
>>
>> Older code *cannot* work with SoftHSM 2.0.0rc1 and newer.
>>
>> Symptoms include errors like this:
>>
>> On DNSSEC key master:
>> ipa-ods-exporter: _ipap11helper.Error: Error at key wrapping: get buffer
>> length: 0x70
>>
>> On DNSSEC replicas:
>> ipa-dnskeysyncd: subprocess.CalledProcessError: Command
>> ''/usr/libexec/ipa/ipa-dnskeysync-replica'' returned non-zero exit status 1
>>
>
> Does this affect domains where some replicas use older versions and some
> replicas newer versions? Or is this a purely local issue confined to a
> specific replica?

This should be just a local issue because LDAP stores named constants instead
of numeric values.

-- 
Petr^2 Spacek

From simo at redhat.com Mon Jun 8 14:34:55 2015
From: simo at redhat.com (Simo Sorce)
Date: Mon, 08 Jun 2015 10:34:55 -0400
Subject: [Freeipa-devel] [PATCH 0031] Update PKCS#11 mechanism constants for AES key wrapping to PKCS#11 v2.40
In-Reply-To: <5575A709.3060107@redhat.com>
References: <5575A420.50006@redhat.com> <1433773472.19067.3.camel@willson.usersys.redhat.com> <5575A709.3060107@redhat.com>
Message-ID: <1433774095.19067.4.camel@willson.usersys.redhat.com>

On Mon, 2015-06-08 at 16:30 +0200, Petr Spacek wrote:
> On 8.6.2015 16:24, Simo Sorce wrote:
> > On Mon, 2015-06-08 at 16:18 +0200, Petr Spacek wrote:
> >> Hello,
> >>
> >> Update PKCS#11 mechanism constants for AES key wrapping to PKCS#11 v2.40.
> >>
> >> SoftHSM 2.0.0rc1 was updated to these new constants to avoid collision with
> >> Blowfish mechanisms.
> >>
> >>
> >> Older code *cannot* work with SoftHSM 2.0.0rc1 and newer.
> >>
> >> Symptoms include errors like this:
> >>
> >> On DNSSEC key master:
> >> ipa-ods-exporter: _ipap11helper.Error: Error at key wrapping: get buffer
> >> length: 0x70
> >>
> >> On DNSSEC replicas:
> >> ipa-dnskeysyncd: subprocess.CalledProcessError: Command
> >> ''/usr/libexec/ipa/ipa-dnskeysync-replica'' returned non-zero exit status 1
> >>
> >
> > Does this affect domains where some replicas use older versions and some
> > replicas newer versions? Or is this a purely local issue confined to a
> > specific replica?
>
> This should be just a local issue because LDAP stores named constants instead
> of numeric values.

Excellent, thanks.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From pvoborni at redhat.com Mon Jun 8 14:47:58 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Mon, 08 Jun 2015 16:47:58 +0200
Subject: [Freeipa-devel] [PATCH 0011] check-for-existing-and-self-referential-segments
In-Reply-To: <1433348418.3020.42.camel@willson.usersys.redhat.com>
References: <556EF8BD.1000906@redhat.com> <1433348418.3020.42.camel@willson.usersys.redhat.com>
Message-ID: <5575AB1E.8090407@redhat.com>

On 06/03/2015 06:20 PM, Simo Sorce wrote:
> On Wed, 2015-06-03 at 14:53 +0200, Ludwig Krispenz wrote:
>> Hi,
>>
>> this should prevent adding duplicate segments or segments with same
>> start and end node
>
> LGTM!
>
> Simo.
>

The self-referential check is done only in ipa_topo_pre_add. But it is
still possible to create a self-referential segment in mod.

Interesting thing is if I:
- have segment (A, B)
- modify it to (A, A) (success)
- add (A, B), got: "Server is unwilling to perform: Segment already exists in topology or is self referential. Add rejected."
- removal of (A, A): "Server is unwilling to perform: Removal of Segment disconnects topology.Deletion not allowed."

Note that there are also (A, D) and (A, C) segments.

ACK if it will be addressed in a separate patch.

-- 
Petr Vobornik

From lkrispen at redhat.com Mon Jun 8 14:50:35 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Mon, 08 Jun 2015 16:50:35 +0200
Subject: [Freeipa-devel] [PATCH 0011] check-for-existing-and-self-referential-segments
In-Reply-To: <5575AB1E.8090407@redhat.com>
References: <556EF8BD.1000906@redhat.com> <1433348418.3020.42.camel@willson.usersys.redhat.com> <5575AB1E.8090407@redhat.com>
Message-ID: <5575ABBB.30208@redhat.com>

On 06/08/2015 04:47 PM, Petr Vobornik wrote:
> On 06/03/2015 06:20 PM, Simo Sorce wrote:
>> On Wed, 2015-06-03 at 14:53 +0200, Ludwig Krispenz wrote:
>>> Hi,
>>>
>>> this should prevent adding duplicate segments or segments with same
>>> start and end node
>>
>> LGTM!
>>
>> Simo.
>>
>
> The self-referential check is done only in ipa_topo_pre_add. But it is
> still possible to create a self-referential segment in mod.
>
> Interesting thing is if I:
> - have segment (A, B)
> - modify it to (A, A) (success)
> - add (A, B), got: "Server is unwilling to perform: Segment already
> exists in topology or is self referential. Add rejected."
> - removal of (A, A): "Server is unwilling to perform: Removal of
> Segment disconnects topology.Deletion not allowed."
>
> Note that there are also (A, D) and (A, C) segments.
>
> ACK if it will be addressed in a separate patch.

Yes, it will be. You find interesting scenarios :-)

From pvoborni at redhat.com Mon Jun 8 14:54:36 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Mon, 08 Jun 2015 16:54:36 +0200
Subject: [Freeipa-devel] [PATCH] 863 move replications managers group to, cn=sysaccounts, cn=etc, $SUFFIX
In-Reply-To: <55706188.2090906@redhat.com>
References: <55706188.2090906@redhat.com>
Message-ID: <5575ACAC.8020308@redhat.com>

On 06/04/2015 04:32 PM, Petr Vobornik wrote:
> https://fedorahosted.org/freeipa/ticket/4302
>

Missed one occurrence. Updated patch attached.

-- 
Petr Vobornik

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0863-1-move-replications-managers-group-to-cn-sysaccounts-c.patch
Type: text/x-patch
Size: 3087 bytes

From dkupka at redhat.com Mon Jun 8 15:04:17 2015
From: dkupka at redhat.com (David Kupka)
Date: Mon, 08 Jun 2015 17:04:17 +0200
Subject: [Freeipa-devel] [PATCH 0049] Move CA installation code into single module.
In-Reply-To: <5575A551.3020207@redhat.com>
References: <556F21ED.8020908@redhat.com> <5571931C.1030103@redhat.com> <55753544.5040906@redhat.com> <557569EE.9070009@redhat.com> <5575A551.3020207@redhat.com>
Message-ID: <5575AEF1.7010001@redhat.com>

On 06/08/2015 04:23 PM, Jan Cholasta wrote:
> On 8.6.2015 at 12:09, Jan Cholasta wrote:
>> On 8.6.2015 at 08:25, Jan Cholasta wrote:
>>> On 5.6.2015 at 14:16, David Kupka wrote:
>>>> On 06/03/2015 05:49 PM, David Kupka wrote:
>>>>>
>>>> Updated patch attached.
>>>>
>>>
>>> ACK. The patch needed a rebase and there was a bug in
>>> ipa-replica-install, I took care of both, see attachment.
>>>
>>> Pushed to master: 2acedb2d5d4a4c0987c670e14eb04b8bd9ffc034
>>>
>>> There was also an unrelated problem in replicainstall.py which I also
>>> fixed, see the other attachment.
>>>
>>> Pushed to master under the one-liner rule:
>>> e01095dfb33aaef0ab1babf86a71d70410b666ed
>>
>> There are some more bugs in CA-less and external CA install, see the
>> attached patches for fixes.
>
> Fixed an additional issue in patch 437, see attachment.
>

Works for me, ACK.

-- 
David Kupka

From mbasti at redhat.com Mon Jun 8 15:27:51 2015
From: mbasti at redhat.com (Martin Basti) Date: Mon, 08 Jun 2015 17:27:51 +0200 Subject: [Freeipa-devel] [PATCH 424] install: Introduce installer framework ipapython.install In-Reply-To: <55759E43.4080204@redhat.com> References: <552FCB4E.4050402@redhat.com> <5531157F.80106@redhat.com> <5534FBB6.3050001@redhat.com> <553513A7.3070704@redhat.com> <554105ED.90204@redhat.com> <5549B079.5020007@redhat.com> <5549B319.2060109@redhat.com> <5550956F.9080002@redhat.com> <556DADCF.3010305@redhat.com> <556EFAE4.70908@redhat.com> <55756A86.6090800@redhat.com> <557595CD.90400@redhat.com> <5575964A.3020904@redhat.com> <55759E43.4080204@redhat.com> Message-ID: <5575B477.3060605@redhat.com> On 08/06/15 15:53, Jan Cholasta wrote: > Dne 8.6.2015 v 15:19 Martin Basti napsal(a): >> On 08/06/15 15:17, Martin Basti wrote: >>> On 08/06/15 12:12, Jan Cholasta wrote: >>>> Dne 3.6.2015 v 15:02 Martin Basti napsal(a): >>>>> On 02/06/15 15:21, Jan Cholasta wrote: >>>>>> Dne 11.5.2015 v 13:41 Jan Cholasta napsal(a): >>>>>>> Dne 6.5.2015 v 08:22 Jan Cholasta napsal(a): >>>>>>>> Dne 6.5.2015 v 08:11 Martin Kosek napsal(a): >>>>>>>>> On 04/29/2015 06:25 PM, Jan Cholasta wrote: >>>>>>>>>> Dne 20.4.2015 v 16:56 Jan Cholasta napsal(a): >>>>>>>>>>> Dne 20.4.2015 v 15:14 Martin Basti napsal(a): >>>>>>>>>>>> On 17/04/15 16:15, Jan Cholasta wrote: >>>>>>>>>>>>> Dne 16.4.2015 v 16:46 Jan Cholasta napsal(a): >>>>>>>>>>>>>> Hi, >>>>>>>>>>>>>> >>>>>>>>>>>>>> the attached patch adds the basics of the new installer >>>>>>>>>>>>>> framework. >>>>>>>>>>>>>> >>>>>>>>>>>>>> As a next step, I plan to convert the install scripts to >>>>>>>>>>>>>> use the >>>>>>>>>>>>>> framework with their old code (the old code will be >>>>>>>>>>>>>> gradually >>>>>>>>>>>>>> ported to >>>>>>>>>>>>>> the framework later). >>>>>>>>>>>>>> >>>>>>>>>>>>>> (Note I didn't manage to write docstrings today, expect >>>>>>>>>>>>>> update >>>>>>>>>>>>>> tomorrow.) >>>>>>>>>>>>> >>>>>>>>>>>>> Added some docstrings. 
>>>>>>>>>>>>> >>>>>>>>>>>>> Also updated the patch to reflect little brainstorming David >>>>>>>>>>>>> and I >>>>>>>>>>>>> had >>>>>>>>>>>>> this morning. >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> Honza >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>> Hello, see comments bellow: >>>>>>>>>>>> >>>>>>>>>>>> 1) We started using new shorter License header in files: >>>>>>>>>>>> # >>>>>>>>>>>> # Copyright (C) 2015 FreeIPA Contributors see COPYING for >>>>>>>>>>>> license >>>>>>>>>>>> # >>>>>>>>>>> >>>>>>>>>>> OK. >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> 2) IMO this will not work, NoneType has no 'obj' attribute >>>>>>>>>>>> + else: >>>>>>>>>>>> + if isinstance(value, from_): >>>>>>>>>>>> + value = None >>>>>>>>>>>> + stack.append(value.obj) >>>>>>>>>>>> + continue >>>>>>>>>>> >>>>>>>>>>> Right. >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> 3) Multiple inheritance. I do not like it much. >>>>>>>>>>>> +class CompositeInstaller(Installer, CompositeConfigurator): >>>>>>>>>>> >>>>>>>>>>> I guess you are antagonistic to multiple inheritance because >>>>>>>>>>> of how >>>>>>>>>>> other languages (like C++) do it. In Python it can be pretty >>>>>>>>>>> elegant >>>>>>>>>>> and >>>>>>>>>>> is basis for e.g. the mixin design pattern. >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> Installer and CompositeConfigurator inherites from >>>>>>>>>>>> Configurator >>>>>>>>>>>> class, >>>>>>>>>>>> and all of them implements _generator method. >>>>>>>>>>> >>>>>>>>>>> Both of them call super()._generator(), so it's no problem >>>>>>>>>>> (same for >>>>>>>>>>> other methods). >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> If I understand correctly >>>>>>>>>>>> (https://www.python.org/download/releases/2.3/mro/) the >>>>>>>>>>>> Installer._generator method will be used in this case. 
>>>>>>>>>>>> However in case when CompositeConfigurator has more levels >>>>>>>>>>>> (respectively >>>>>>>>>>>> it is more specialized) of inheritance, it could take >>>>>>>>>>>> precedence >>>>>>>>>>>> and its >>>>>>>>>>>> _generator method may be used instead. >>>>>>>>>>> >>>>>>>>>>> The order of precedence is defined by the order of base classes >>>>>>>>>>> in the >>>>>>>>>>> class definition. >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> I'm afraid this may suddenly stop working. >>>>>>>>>>>> Maybe I'm wrong, please fix me. >>>>>>>>>>> >>>>>>>>>>> As long as you call the super class, it will work fine. >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> And Multiple inheritance is not easily readable, this is >>>>>>>>>>>> even a >>>>>>>>>>>> diamond >>>>>>>>>>>> inheritance model. >>>>>>>>>>> >>>>>>>>>>> Cooperative inheritance is used by design and IMHO is easily >>>>>>>>>>> readable if >>>>>>>>>>> you know how to read it. Every class defines a single bit of >>>>>>>>>>> behavior. >>>>>>>>>>> Without cooperative inheritance, it would have to be hardcoded >>>>>>>>>>> and/or >>>>>>>>>>> hacked around, which I wanted to avoid. >>>>>>>>>>> >>>>>>>>>>> This blog post explains it nicely: >>>>>>>>>>> . >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Updated patch attached. >>>>>>>>>> >>>>>>>>>> Also attached is patch 425 which migrates ipa-server-install to >>>>>>>>>> the >>>>>>>>>> install >>>>>>>>>> framework. >>>>>>>>> >>>>>>>>> Good job there. I am just curious, will this framework and new >>>>>>>>> option >>>>>>>>> processing be friendly to other types of option passing than >>>>>>>>> just via >>>>>>>>> options? 
>>>>>>>>> I mean tickets >>>>>>>>> >>>>>>>>> https://fedorahosted.org/freeipa/ticket/4517 >>>>>>>>> https://fedorahosted.org/freeipa/ticket/4468 >>>>>>>>> >>>>>>>>> Especially 4517 is important, we need to be able to run >>>>>>>>> >>>>>>>>> # cat install.conf >>>>>>>>> ds_password=Secret123 >>>>>>>>> admin_password=Secret456 >>>>>>>>> ip_address=123456 >>>>>>>>> setup_dns=False >>>>>>>>> >>>>>>>>> # ipa-server-install --unattended --conf install.conf >>>>>>>>> >>>>>>>>> I assume yes, but I am just making sure. >>>>>>>> >>>>>>>> Yes, definitely. >>>>>>>> >>>>>>> >>>>>>> Updated patches attached. >>>>>> >>>>>> Another update, patches attached. >>>>>> >>>>> thank you, >>>>> >>>>> 1) >>>>> ipa-server-install --uninstall prints 0 >>>>> ... >>>>> Unconfiguring ipa_memcached >>>>> Unconfiguring ipa-otpd >>>>> 0 >>>>> The ipa-server-install command was successful >>>> >>>> Fixed. >>>> >>>>> >>>>> >>>>> 2) >>>>> ipa-server-install --setup-dns >>>>> 'ServerOptions' object has no attribute 'dnssec_master' >>>> >>>> Fixed. >>>> >>>>> >>>>> 3) >>>>> For record, this will be fixed in extra patch. >>>>> info messages from ldapupdate are printed to console >>>> >>>> Could you provide the patch? >>>> >>>>> >>>>> 4) >>>>> + if default is not _missing: >>>>> + class_dict['default'] = default >>>>> >>>>> Why is new _missing object needed? Isn't NoneType enough? >>>> >>>> None is a valid value here, there needs to be a distinction between >>>> "value is not set" and "value is set to None". >>>> >>>> Updated patches attached. Note you first have to apply my patches >>>> 436-438. >>>> >>> >>> NACK >>> >>> Please provide a realm name [ABC.EXAMPLE.COM]: >>> 'installer(Server)' object has no attribute 'unattended' >>> >>> also please fix private_ccache import. This function should be >>> imported directly from ipautil, not via installutils > > Fixed. 
> >>> >> I forgot to paste the traceback, here it is: >> >> DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", >> line 171, in execute >> return_value = self.run() >> File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", >> line 216, in run >> cfgr.run() >> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 278, in run >> self.validate() >> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 287, in validate >> for nothing in self._validator(): >> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 342, in __runner >> self._handle_exception(exc_info) >> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 364, in _handle_exception >> util.raise_exc_info(exc_info) >> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 332, in __runner >> step() >> File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", >> line 87, in run_generator_with_yield_from >> raise_exc_info(exc_info) >> File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", >> line 65, in run_generator_with_yield_from >> value = gen.send(prev_value) >> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 501, in _configure >> validator.next() >> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 342, in __runner >> self._handle_exception(exc_info) >> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 420, in _handle_exception >> self.__parent._handle_exception(exc_info) >> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 364, in _handle_exception >> util.raise_exc_info(exc_info) >> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 417, in _handle_exception >> super(ComponentBase, self)._handle_exception(exc_info) >> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 364, in _handle_exception >> 
>> util.raise_exc_info(exc_info)
>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 332, in __runner
>> step()
>> File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
>> line 87, in run_generator_with_yield_from
>> raise_exc_info(exc_info)
>> File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
>> line 65, in run_generator_with_yield_from
>> value = gen.send(prev_value)
>> File "/usr/lib/python2.7/site-packages/ipapython/install/common.py",
>> line 63, in _install
>> for nothing in self._installer(self.parent):
>> File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py",
>> line 1633, in main
>> install_check(self)
>> File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py",
>> line 264, in decorated
>> func(installer)
>> File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py",
>> line 566, in install_check
>> dns.install_check(False, False, options, host_name)
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/dns.py",
>> line 64, in install_check
>> if not (bindinstance.check_inst(options.unattended) and
>
> Fixed.
>
> Updated patches attached.
>

ACK

-- 
Martin Basti
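The cooperative-inheritance point argued in the quoted review (CompositeInstaller deriving from Installer and CompositeConfigurator, both of which derive from Configurator and each call super()._generator()), worked through as an added example that is not part of the thread or of the FreeIPA installer framework: the class names come from the review, their bodies are constructed stand-ins, and a deeper CompositeConfigurator subclass and a non-cooperative override are added to show what does and does not change the dispatch order.

```python
# Added example (not FreeIPA code): cooperative multiple inheritance in the
# shape reviewed above. The class names Configurator, Installer,
# CompositeConfigurator and CompositeInstaller come from the thread; their
# bodies are constructed stand-ins. _generator is modelled as a generator that
# yields one label per class so the dispatch order is observable.
# Written for Python 2.7 (the interpreter in the thread's tracebacks); it is
# equally valid on Python 3.


class Configurator(object):
    """Root of the diamond; the only class that does not call super()."""

    def _generator(self):
        yield "Configurator"


class Installer(Configurator):
    """Contributes one step, then hands over to the next class in the MRO."""

    def _generator(self):
        yield "Installer"
        for step in super(Installer, self)._generator():
            yield step


class CompositeConfigurator(Configurator):
    def _generator(self):
        yield "CompositeConfigurator"
        for step in super(CompositeConfigurator, self)._generator():
            yield step


class CompositeInstaller(Installer, CompositeConfigurator):
    """The diamond from the patch: both bases derive from Configurator.

    No _generator of its own: the base order in this class statement alone
    decides that Installer._generator runs first.
    """


class DeepCompositeConfigurator(CompositeConfigurator):
    """The reviewer's worry: a CompositeConfigurator with one more level."""

    def _generator(self):
        yield "DeepCompositeConfigurator"
        for step in super(DeepCompositeConfigurator, self)._generator():
            yield step


class DeepCompositeInstaller(Installer, DeepCompositeConfigurator):
    """Installer is still listed first, so it still runs first (C3 MRO)."""


class NonCooperativeInstaller(Configurator):
    """Overrides _generator without calling super(): the chain is cut here."""

    def _generator(self):
        yield "NonCooperativeInstaller"


class BrokenCompositeInstaller(NonCooperativeInstaller, CompositeConfigurator):
    """CompositeConfigurator sits in the MRO but is never reached."""


def mro_names(cls):
    """Class names in method-resolution order, as Python computes them (C3)."""
    return [c.__name__ for c in cls.__mro__]


def run_steps(cls):
    """Which _generator bodies actually execute, and in which order."""
    return list(cls()._generator())


if __name__ == "__main__":
    for klass in (CompositeInstaller, DeepCompositeInstaller,
                  BrokenCompositeInstaller):
        print(klass.__name__)
        print("  MRO:  %s" % " -> ".join(mro_names(klass)))
        print("  runs: %s" % " -> ".join(run_steps(klass)))
```

The first two cases show that extra depth under CompositeConfigurator does not move Installer out of first place; the last shows that a single override that skips super() silently drops every class behind it, which is the failure mode the "as long as you call the super class" remark guards against.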
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 08 Jun 2015 17:33:19 +0200
Subject: [Freeipa-devel] [PATCH 0049] Move CA installation code into single module.
In-Reply-To: <5575AEF1.7010001@redhat.com>
References: <556F21ED.8020908@redhat.com> <5571931C.1030103@redhat.com> <55753544.5040906@redhat.com> <557569EE.9070009@redhat.com> <5575A551.3020207@redhat.com> <5575AEF1.7010001@redhat.com>
Message-ID: <5575B5BF.309@redhat.com>

On 8.6.2015 at 17:04, David Kupka wrote:
> On 06/08/2015 04:23 PM, Jan Cholasta wrote:
>> On 8.6.2015 at 12:09, Jan Cholasta wrote:
>>> On 8.6.2015 at 08:25, Jan Cholasta wrote:
>>>> On 5.6.2015 at 14:16, David Kupka wrote:
>>>>> On 06/03/2015 05:49 PM, David Kupka wrote:
>>>>>>
>>>>> Updated patch attached.
>>>>>
>>>>
>>>> ACK. The patch needed a rebase and there was a bug in
>>>> ipa-replica-install, I took care of both, see attachment.
>>>>
>>>> Pushed to master: 2acedb2d5d4a4c0987c670e14eb04b8bd9ffc034
>>>>
>>>> There was also an unrelated problem in replicainstall.py which I also
>>>> fixed, see the other attachment.
>>>>
>>>> Pushed to master under the one-liner rule:
>>>> e01095dfb33aaef0ab1babf86a71d70410b666ed
>>>
>>> There are some more bugs in CA-less and external CA install, see the
>>> attached patches for fixes.
>>
>> Fixed an additional issue in patch 437, see attachment.
>>
> Works for me, ACK.
>

Thanks.

Pushed to master: 4c70590c2a78b6d2cbfed585502442f733f26389

-- 
Jan Cholasta

From jcholast at redhat.com Mon Jun 8 15:34:44 2015
From: jcholast at redhat.com (Jan Cholasta) Date: Mon, 08 Jun 2015 17:34:44 +0200 Subject: [Freeipa-devel] [PATCH 424] install: Introduce installer framework ipapython.install In-Reply-To: <5575B477.3060605@redhat.com> References: <552FCB4E.4050402@redhat.com> <5531157F.80106@redhat.com> <5534FBB6.3050001@redhat.com> <553513A7.3070704@redhat.com> <554105ED.90204@redhat.com> <5549B079.5020007@redhat.com> <5549B319.2060109@redhat.com> <5550956F.9080002@redhat.com> <556DADCF.3010305@redhat.com> <556EFAE4.70908@redhat.com> <55756A86.6090800@redhat.com> <557595CD.90400@redhat.com> <5575964A.3020904@redhat.com> <55759E43.4080204@redhat.com> <5575B477.3060605@redhat.com> Message-ID: <5575B614.40902@redhat.com> Dne 8.6.2015 v 17:27 Martin Basti napsal(a): > On 08/06/15 15:53, Jan Cholasta wrote: >> Dne 8.6.2015 v 15:19 Martin Basti napsal(a): >>> On 08/06/15 15:17, Martin Basti wrote: >>>> On 08/06/15 12:12, Jan Cholasta wrote: >>>>> Dne 3.6.2015 v 15:02 Martin Basti napsal(a): >>>>>> On 02/06/15 15:21, Jan Cholasta wrote: >>>>>>> Dne 11.5.2015 v 13:41 Jan Cholasta napsal(a): >>>>>>>> Dne 6.5.2015 v 08:22 Jan Cholasta napsal(a): >>>>>>>>> Dne 6.5.2015 v 08:11 Martin Kosek napsal(a): >>>>>>>>>> On 04/29/2015 06:25 PM, Jan Cholasta wrote: >>>>>>>>>>> Dne 20.4.2015 v 16:56 Jan Cholasta napsal(a): >>>>>>>>>>>> Dne 20.4.2015 v 15:14 Martin Basti napsal(a): >>>>>>>>>>>>> On 17/04/15 16:15, Jan Cholasta wrote: >>>>>>>>>>>>>> Dne 16.4.2015 v 16:46 Jan Cholasta napsal(a): >>>>>>>>>>>>>>> Hi, >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> the attached patch adds the basics of the new installer >>>>>>>>>>>>>>> framework. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> As a next step, I plan to convert the install scripts to >>>>>>>>>>>>>>> use the >>>>>>>>>>>>>>> framework with their old code (the old code will be >>>>>>>>>>>>>>> gradually >>>>>>>>>>>>>>> ported to >>>>>>>>>>>>>>> the framework later). 
>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> (Note I didn't manage to write docstrings today, expect >>>>>>>>>>>>>>> update >>>>>>>>>>>>>>> tomorrow.) >>>>>>>>>>>>>> >>>>>>>>>>>>>> Added some docstrings. >>>>>>>>>>>>>> >>>>>>>>>>>>>> Also updated the patch to reflect little brainstorming David >>>>>>>>>>>>>> and I >>>>>>>>>>>>>> had >>>>>>>>>>>>>> this morning. >>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Honza >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>> Hello, see comments below: >>>>>>>>>>>>> >>>>>>>>>>>>> 1) We started using new shorter License header in files: >>>>>>>>>>>>> # >>>>>>>>>>>>> # Copyright (C) 2015 FreeIPA Contributors see COPYING for >>>>>>>>>>>>> license >>>>>>>>>>>>> # >>>>>>>>>>>> >>>>>>>>>>>> OK. >>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> 2) IMO this will not work, NoneType has no 'obj' attribute >>>>>>>>>>>>> + else: >>>>>>>>>>>>> + if isinstance(value, from_): >>>>>>>>>>>>> + value = None >>>>>>>>>>>>> + stack.append(value.obj) >>>>>>>>>>>>> + continue >>>>>>>>>>>> >>>>>>>>>>>> Right. >>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> 3) Multiple inheritance. I do not like it much. >>>>>>>>>>>>> +class CompositeInstaller(Installer, CompositeConfigurator): >>>>>>>>>>>> >>>>>>>>>>>> I guess you are antagonistic to multiple inheritance because >>>>>>>>>>>> of how >>>>>>>>>>>> other languages (like C++) do it. In Python it can be pretty >>>>>>>>>>>> elegant >>>>>>>>>>>> and >>>>>>>>>>>> is basis for e.g. the mixin design pattern. >>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> Installer and CompositeConfigurator inherit from >>>>>>>>>>>>> Configurator >>>>>>>>>>>>> class, >>>>>>>>>>>>> and all of them implement _generator method. >>>>>>>>>>>> >>>>>>>>>>>> Both of them call super()._generator(), so it's no problem >>>>>>>>>>>> (same for >>>>>>>>>>>> other methods).
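Review bot: in the quoted `else:` branch, `value = None` is executed immediately before `stack.append(value.obj)`, so the append always raises AttributeError on NoneType, as Martin points out; whatever object is meant to be pushed has to be read from `value` before it is cleared (for instance `stack.append(value.obj)` first, then `value = None`), or the clearing belongs after the `continue` path is taken.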
>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> If I understand correctly >>>>>>>>>>>>> (https://www.python.org/download/releases/2.3/mro/) the >>>>>>>>>>>>> Installer._generator method will be used in this case. >>>>>>>>>>>>> However in case when CompositeConfigurator has more levels >>>>>>>>>>>>> (respectively >>>>>>>>>>>>> it is more specialized) of inheritance, it could take >>>>>>>>>>>>> precedence >>>>>>>>>>>>> and its >>>>>>>>>>>>> _generator method may be used instead. >>>>>>>>>>>> >>>>>>>>>>>> The order of precedence is defined by the order of base classes >>>>>>>>>>>> in the >>>>>>>>>>>> class definition. >>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> I'm afraid this may suddenly stop working. >>>>>>>>>>>>> Maybe I'm wrong, please fix me. >>>>>>>>>>>> >>>>>>>>>>>> As long as you call the super class, it will work fine. >>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> And Multiple inheritance is not easily readable, this is >>>>>>>>>>>>> even a >>>>>>>>>>>>> diamond >>>>>>>>>>>>> inheritance model. >>>>>>>>>>>> >>>>>>>>>>>> Cooperative inheritance is used by design and IMHO is easily >>>>>>>>>>>> readable if >>>>>>>>>>>> you know how to read it. Every class defines a single bit of >>>>>>>>>>>> behavior. >>>>>>>>>>>> Without cooperative inheritance, it would have to be hardcoded >>>>>>>>>>>> and/or >>>>>>>>>>>> hacked around, which I wanted to avoid. >>>>>>>>>>>> >>>>>>>>>>>> This blog post explains it nicely: >>>>>>>>>>>> . >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> Updated patch attached. >>>>>>>>>>> >>>>>>>>>>> Also attached is patch 425 which migrates ipa-server-install to >>>>>>>>>>> the >>>>>>>>>>> install >>>>>>>>>>> framework. >>>>>>>>>> >>>>>>>>>> Good job there. I am just curious, will this framework and new >>>>>>>>>> option >>>>>>>>>> processing be friendly to other types of option passing than >>>>>>>>>> just via >>>>>>>>>> options? 
>>>>>>>>>> I mean tickets >>>>>>>>>> >>>>>>>>>> https://fedorahosted.org/freeipa/ticket/4517 >>>>>>>>>> https://fedorahosted.org/freeipa/ticket/4468 >>>>>>>>>> >>>>>>>>>> Especially 4517 is important, we need to be able to run >>>>>>>>>> >>>>>>>>>> # cat install.conf >>>>>>>>>> ds_password=Secret123 >>>>>>>>>> admin_password=Secret456 >>>>>>>>>> ip_address=123456 >>>>>>>>>> setup_dns=False >>>>>>>>>> >>>>>>>>>> # ipa-server-install --unattended --conf install.conf >>>>>>>>>> >>>>>>>>>> I assume yes, but I am just making sure. >>>>>>>>> >>>>>>>>> Yes, definitely. >>>>>>>>> >>>>>>>> >>>>>>>> Updated patches attached. >>>>>>> >>>>>>> Another update, patches attached. >>>>>>> >>>>>> thank you, >>>>>> >>>>>> 1) >>>>>> ipa-server-install --uninstall prints 0 >>>>>> ... >>>>>> Unconfiguring ipa_memcached >>>>>> Unconfiguring ipa-otpd >>>>>> 0 >>>>>> The ipa-server-install command was successful >>>>> >>>>> Fixed. >>>>> >>>>>> >>>>>> >>>>>> 2) >>>>>> ipa-server-install --setup-dns >>>>>> 'ServerOptions' object has no attribute 'dnssec_master' >>>>> >>>>> Fixed. >>>>> >>>>>> >>>>>> 3) >>>>>> For record, this will be fixed in extra patch. >>>>>> info messages from ldapupdate are printed to console >>>>> >>>>> Could you provide the patch? >>>>> >>>>>> >>>>>> 4) >>>>>> + if default is not _missing: >>>>>> + class_dict['default'] = default >>>>>> >>>>>> Why is new _missing object needed? Isn't NoneType enough? >>>>> >>>>> None is a valid value here, there needs to be a distinction between >>>>> "value is not set" and "value is set to None". >>>>> >>>>> Updated patches attached. Note you first have to apply my patches >>>>> 436-438. >>>>> >>>> >>>> NACK >>>> >>>> Please provide a realm name [ABC.EXAMPLE.COM]: >>>> 'installer(Server)' object has no attribute 'unattended' >>>> >>>> also please fix private_ccache import. This function should be >>>> imported directly from ipautil, not via installutils >> >> Fixed. 
>> >>>> >>> I forgot to paste the traceback, here it is: >>> >>> DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", >>> line 171, in execute >>> return_value = self.run() >>> File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", >>> line 216, in run >>> cfgr.run() >>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>> line 278, in run >>> self.validate() >>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>> line 287, in validate >>> for nothing in self._validator(): >>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>> line 342, in __runner >>> self._handle_exception(exc_info) >>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>> line 364, in _handle_exception >>> util.raise_exc_info(exc_info) >>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>> line 332, in __runner >>> step() >>> File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", >>> line 87, in run_generator_with_yield_from >>> raise_exc_info(exc_info) >>> File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", >>> line 65, in run_generator_with_yield_from >>> value = gen.send(prev_value) >>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>> line 501, in _configure >>> validator.next() >>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>> line 342, in __runner >>> self._handle_exception(exc_info) >>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>> line 420, in _handle_exception >>> self.__parent._handle_exception(exc_info) >>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>> line 364, in _handle_exception >>> util.raise_exc_info(exc_info) >>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>> line 417, in _handle_exception >>> super(ComponentBase, self)._handle_exception(exc_info) >>> File 
"/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>> line 364, in _handle_exception >>> util.raise_exc_info(exc_info) >>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>> line 332, in __runner >>> step() >>> File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", >>> line 87, in run_generator_with_yield_from >>> raise_exc_info(exc_info) >>> File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", >>> line 65, in run_generator_with_yield_from >>> value = gen.send(prev_value) >>> File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", >>> line 63, in _install >>> for nothing in self._installer(self.parent): >>> File >>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", >>> line 1633, in main >>> install_check(self) >>> File >>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", >>> line 264, in decorated >>> func(installer) >>> File >>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", >>> line 566, in install_check >>> dns.install_check(False, False, options, host_name) >>> File "/usr/lib/python2.7/site-packages/ipaserver/install/dns.py", >>> line 64, in install_check >>> if not (bindinstance.check_inst(options.unattended) and >> >> Fixed. >> >> Updated patches attached. >> > > ACK > Thanks. Pushed to master: eb959221e12ed40fbe4f67ff245e9a7639111e45 -- Jan Cholasta From pvoborni at redhat.com Mon Jun 8 16:57:04 2015 
From: pvoborni at redhat.com (Petr Vobornik) Date: Mon, 08 Jun 2015 18:57:04 +0200 Subject: [Freeipa-devel] [PATCH] 866 topology: allow only one node to be specified in, topologysegment-refresh Message-ID: <5575C960.8030703@redhat.com> https://fedorahosted.org/freeipa/ticket/4302 -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0866-topology-allow-only-one-node-to-be-specified-in-topo.patch Type: text/x-patch Size: 2038 bytes Desc: not available URL: From pvoborni at redhat.com Mon Jun 8 16:57:06 2015 From: pvoborni at redhat.com (Petr Vobornik) Date: Mon, 08 Jun 2015 18:57:06 +0200 Subject: [Freeipa-devel] [PATCH] 867 topology: hide topologysuffix-add del mod commands Message-ID: <5575C962.1070408@redhat.com> Suffixes are created on installation/upgrade. Users should not modify them. https://fedorahosted.org/freeipa/ticket/4302 -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0867-topology-hide-topologysuffix-add-del-mod-commands.patch Type: text/x-patch Size: 1580 bytes Desc: not available URL: From tbabej at redhat.com Mon Jun 8 17:24:59 2015 From: tbabej at redhat.com (Tomas Babej) Date: Mon, 08 Jun 2015 19:24:59 +0200 Subject: [Freeipa-devel] [PATCH] 866 topology: allow only one node to be specified in, topologysegment-refresh In-Reply-To: <5575C960.8030703@redhat.com> References: <5575C960.8030703@redhat.com> Message-ID: <5575CFEB.1050109@redhat.com> On 06/08/2015 06:57 PM, Petr Vobornik wrote: > > https://fedorahosted.org/freeipa/ticket/4302 > > ACK. Tomas From tbabej at redhat.com Mon Jun 8 17:26:51 2015
From: tbabej at redhat.com (Tomas Babej) Date: Mon, 08 Jun 2015 19:26:51 +0200 Subject: [Freeipa-devel] [PATCH] 867 topology: hide topologysuffix-add del mod commands In-Reply-To: <5575C962.1070408@redhat.com> References: <5575C962.1070408@redhat.com> Message-ID: <5575D05B.8060105@redhat.com> On 06/08/2015 06:57 PM, Petr Vobornik wrote: > Suffixes are created on installation/upgrade. Users should not > modify them. > > https://fedorahosted.org/freeipa/ticket/4302 > ACK Tomas From simo at redhat.com Mon Jun 8 18:23:17 2015 From: simo at redhat.com (Simo Sorce) Date: Mon, 08 Jun 2015 14:23:17 -0400 Subject: [Freeipa-devel] [PATCH 524 fix s4u2proxy README Message-ID: <1433787797.20848.2.camel@willson.usersys.redhat.com> While reviewing http://www.freeipa.org/page/V4/Service_Constraint_Delegation#Implementation I found out errors and a potential for misunderstanding about some KDC flags we used. This fix makes things a lot more clear and hopefully avoid some bad surprises for admins. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-simo-524-1-Fix-s4u2proxy-README-and-add-warning.patch Type: text/x-patch Size: 2801 bytes Desc: not available URL: From rcritten at redhat.com Mon Jun 8 18:27:30 2015 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 08 Jun 2015 14:27:30 -0400 Subject: [Freeipa-devel] [PATCH 524 fix s4u2proxy README In-Reply-To: <1433787797.20848.2.camel@willson.usersys.redhat.com> References: <1433787797.20848.2.camel@willson.usersys.redhat.com> Message-ID: <5575DE92.1080304@redhat.com> Simo Sorce wrote: > While reviewing > http://www.freeipa.org/page/V4/Service_Constraint_Delegation#Implementation I found out errors and a potential for misunderstanding about some KDC flags we used. > > This fix makes things a lot more clear and hopefully avoid some bad > surprises for admins. > > Simo. > > > ACK From simo at redhat.com Mon Jun 8 18:35:19 2015
From: simo at redhat.com (Simo Sorce) Date: Mon, 08 Jun 2015 14:35:19 -0400 Subject: [Freeipa-devel] [PATCHES] (and RFC) Introduce ipa-custodia Message-ID: <1433788519.20848.10.camel@willson.usersys.redhat.com> These patches use git submodule to temporarily drag in the custodia and jwcrypto python projects needed as a foundation to build the ipa-custodia service. This service is used for key distribution between freeipa masters. The keys that can be transferred are hardwired in the ipakeys module and currently only the CA key can be transferred. This patchset implements the last part of [1] (keys service) but a full client is not provided with this code as radical changes to the replica installer are needed in order to be able to use this service. The ipa-custodia service is made automatically available upon install and upgrade. Access to the service is mediated via Apache using a proxy-pass directive that can be reached only after successful GSSAPI authentication. The ipa-custodia service itself can be accessed exclusively by the Apache user and requires that the GSS_NAME header is set for key recovery purposes. Setting the header in and of itself does not grant any access to the keys. Access is granted only if corresponding keys for the requesting principal are found in cn=custodia,cn=ipa,cn=ets subtree and the signature on the request (a JWT object) can be verified. Once the first patch is applied developers will have to start dealing with submodules. However unless you are developing on the submodule part of the tree all you really need to do is to run git submodule update --remote when a submodule is updated via a patch in master (rarely). Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed...
Name: freeipa-simo-525-1-Temporarily-add-Custodia-and-Jwcrypto-submodules.patch Type: text/x-patch Size: 2748 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-simo-526-1-IPA-Custodia-Daemon.patch Type: text/x-patch Size: 20453 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-simo-527-1-Install-ipa-custodia-with-the-rest-of-ipa.patch Type: text/x-patch Size: 14113 bytes Desc: not available URL: From simo at redhat.com Mon Jun 8 18:38:37 2015 From: simo at redhat.com (Simo Sorce) Date: Mon, 08 Jun 2015 14:38:37 -0400 Subject: [Freeipa-devel] [PATCH 524 fix s4u2proxy README In-Reply-To: <5575DE92.1080304@redhat.com> References: <1433787797.20848.2.camel@willson.usersys.redhat.com> <5575DE92.1080304@redhat.com> Message-ID: <1433788717.20848.11.camel@willson.usersys.redhat.com> On Mon, 2015-06-08 at 14:27 -0400, Rob Crittenden wrote: > Simo Sorce wrote: > > While reviewing > > http://www.freeipa.org/page/V4/Service_Constraint_Delegation#Implementation I found out errors and a potential for misunderstanding about some KDC flags we used. > > > > This fix makes things a lot more clear and hopefully avoid some bad > > surprises for admins. > > > > Simo. > > > > > > > > ACK Thanks, pushed to master: f530886193c5c109b9514e5f1ddd52e8b11825e1 Simo. -- Simo Sorce * Red Hat, Inc * New York From derny at redhat.com Mon Jun 8 19:37:58 2015 
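The access rule Simo describes for ipa-custodia above has two independent gates: Apache only forwards a request after GSSAPI succeeded and sets GSS_NAME, and the service then requires a request signature that verifies under the key registered for that same principal. The block below is an added illustration of that two-gate check, written for this page; it is not ipa-custodia's code. It uses a JWS with HMAC-SHA256 from the standard library as a stand-in for what jwcrypto does in the real service (which stores its key material in LDAP rather than in a dict), and the principal names, secrets and claim names (`sub`, `key`) are invented.

```python
import base64
import hashlib
import hmac
import json
import os

# Constructed stand-in for the per-principal key material ipa-custodia keeps
# in its LDAP subtree; principals and secrets are invented.
PRINCIPAL_KEYS = {
    "host/replica1.example.test@EXAMPLE.TEST": os.urandom(32),
    "host/replica2.example.test@EXAMPLE.TEST": os.urandom(32),
}

# Transferable keys are hardwired; only the CA key at this stage.
TRANSFERABLE_KEYS = {"ca"}


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_request(claims, key):
    """Client side: compact JWS (HS256 here as a stdlib stand-in for jwcrypto)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode("utf-8"))
    payload = _b64url(json.dumps(claims, sort_keys=True).encode("utf-8"))
    signing_input = ("%s.%s" % (header, payload)).encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return "%s.%s.%s" % (header, payload, _b64url(sig))


def verify_request(token, key):
    """Return the claims if the JWS verifies under `key`, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64).decode("utf-8"))
        if header.get("alg") != "HS256":   # only the algorithm we expect
            return None
        signing_input = ("%s.%s" % (header_b64, payload_b64)).encode("ascii")
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        return json.loads(_b64url_decode(payload_b64).decode("utf-8"))
    except (ValueError, TypeError):
        return None


def handle_key_request(headers, body):
    """Server side: decide whether a key may be released.

    `headers` models what Apache forwards once GSSAPI authentication has
    succeeded; GSS_NAME carries the authenticated principal. The header on
    its own never releases anything: the body must be a JWS that verifies
    under the key registered for that same principal.
    Returns (http_status, detail).
    """
    principal = headers.get("GSS_NAME")
    if not principal:
        return 401, "no authenticated principal"
    key = PRINCIPAL_KEYS.get(principal)
    if key is None:
        return 403, "no keys registered for principal"
    claims = verify_request(body, key)
    if claims is None:
        return 403, "request signature does not verify"
    # Assumed claim layout: 'sub' names the requester, 'key' the key wanted.
    if claims.get("sub") != principal:
        return 403, "signed subject does not match authenticated principal"
    wanted = claims.get("key")
    if wanted not in TRANSFERABLE_KEYS:
        return 403, "key is not transferable"
    return 200, "release key %r to %s" % (wanted, principal)
```

The key used for verification is chosen from the authenticated principal, never from anything inside the token, so a caller who can set GSS_NAME but does not hold that principal's key is refused, which is the property Simo's message spells out.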
From: derny at redhat.com (Drew Erny) Date: Mon, 08 Jun 2015 15:37:58 -0400 Subject: [Freeipa-devel] Community Portal Milestone Message-ID: <5575EF16.5090808@redhat.com> Hi, all, I'm going to start working on the Community Portal milestone this week. The first thing I'm noticing is that for almost all of the community portal, there has to be some way for the IPA server to send email, which right now isn't possible. It has been brought to my attention, however, that there is an existing ticket (https://fedorahosted.org/freeipa/ticket/1593) that includes email under its purview. I don't want to write a bunch of code that'll get tossed when work starts on the notification system if I don't have to, but I will if I must. I need a little bit of guidance. Is working on code to let the IPA server send email to users a good place to start chipping at this? Thanks, Drew Erny derny at redhat.com From tbordaz at redhat.com Mon Jun 8 19:54:28 2015 
From: tbordaz at redhat.com (thierry bordaz) Date: Mon, 08 Jun 2015 21:54:28 +0200 Subject: [Freeipa-devel] Database error on replicas In-Reply-To: <5571DD63.8000300@redhat.com> References: <556EBBBD.6060205@redhat.com> <556EBECE.8000508@redhat.com> <556EC4BE.4080802@redhat.com> <55708A82.8050402@redhat.com> <5571DD63.8000300@redhat.com> Message-ID: <5575F2F4.1030702@redhat.com> On 06/05/2015 07:33 PM, thierry bordaz wrote: > Hi, > > So far I am still unable to reproduce the problem. > Comparing the errors logs of failing replica vs successful replica > they are very similar. Except this failure > > > Failing one > > ... > [03/Jun/2015:03:45:33 -0400] slapd_ldap_sasl_interactive_bind - > Error: could not perform interactive bind for id [] mech [GSSAPI]: > *LDAP error -1 (Can't contact LDAP server)* ((null)) errno 115 > (Operation now in progress) > [03/Jun/2015:03:45:33 -0400] slapi_ldap_bind - Error: could not > perform interactive bind for id [] authentication mechanism > [GSSAPI]: error -1 (Can't contact LDAP server) > [03/Jun/2015:03:45:33 -0400] NSMMReplicationPlugin - > agmt="cn=meTotestmaster.zaeba.li" (testmaster:389): Replication > bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP > server) () > [03/Jun/2015:03:45:38 -0400] slapd_ldap_sasl_interactive_bind - > Error: could not perform interactive bind for id [] mech [GSSAPI]: > LDAP error -1 (Can't contact LDAP server) ((null)) errno 2 (No > such file or directory) > > ... > > > Successful one: > > ... > [05/Jun/2015:17:51:20 +0200] NSMMReplicationPlugin - > agmt="cn=meTovm-229.idm.lab.eng.brq.redhat.com" (vm-229:389): > Replication bind with GSSAPI auth failed: *LDAP error -2 (Local > error)* (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS > failure. 
Minor code may provide more information (No Kerberos > credentials available)) > [05/Jun/2015:17:51:23 +0200] NSMMReplicationPlugin - > agmt="cn=meTovm-229.idm.lab.eng.brq.redhat.com" (vm-229:389): > Replication bind with GSSAPI auth resumed > [05/Jun/2015:18:47:26 +0200] - slapd shutting down - signaling > operation threads - op stack size 7 max work q size 2 max work q > stack size 2 > [05/Jun/2015:18:47:26 +0200] - slapd shutting down - waiting for 1 > thread to terminate > [05/Jun/2015:18:47:26 +0200] - slapd shutting down - closing down > internal subsystems and plugins > [05/Jun/2015:18:47:26 +0200] - Waiting for 4 database threads to stop > [05/Jun/2015:18:47:27 +0200] - All database threads now stopped > [05/Jun/2015:18:47:27 +0200] - slapd shutting down - freed 2 work > q stack objects - freed 8 op stack objects > [05/Jun/2015:18:47:27 +0200] - slapd stopped. > ... > > This is looking like in the failing case, the replica is not able to > connect to the master. > In the successful tests I did not install DNS while it was installed > in the failing tests. > We need to retry with DNS configuration, because it could be part of > the failure to access the master host. And I still fail to reproduce with DNS Master: #server install FREEIPACI_DNS_FORWARDER=x.y.z.t FREEIPACI_DNS_REVERSE_ZONE=e.f.g.h.......ip6.arpa. FREEIPACI_PASSWORD='Secret123' FREEIPACI_REALM= FREEIPACI_DOMAIN= ipa-server-install \ --setup-dns --forwarder=$FREEIPACI_DNS_FORWARDER \ -p $FREEIPACI_PASSWORD -a $FREEIPACI_PASSWORD \ -r $FREEIPACI_REALM -n $FREEIPACI_DOMAIN \ -U replica 1 ipa-replica-install --setup-ca --setup-dns --forwarder x.y.z.t /var/lib/ipa/replica-info-.gpg replica 2 ipa-replica-install --setup-ca --setup-dns --forwarder x.y.z.t /var/lib/ipa/replica-info-.gpg The error log is not enough to find the root cause why replication was broken, but the most probable cause was that the replicas did not find the master address.
> > thanks > thierry > > On 06/04/2015 07:27 PM, thierry bordaz wrote: >> Hello Oleg, >> >> So far I have been unable to reproduce the problem. >> I tried various scenarios depending if the first update was on >> master/slave, or with 2 slaves, 1 slave, 1 slave added later. >> >> Do you have any details on how you did your test? >> >> If you can restart the remaining VM, I would be interested in the >> logs (access/errors). >> >> thanks >> thierry >> On 06/03/2015 11:11 AM, Oleg Fayans wrote: >>> Hi Martin, >>> >>> On 06/03/2015 10:46 AM, Martin Babinsky wrote: >>>> On 06/03/2015 10:33 AM, Oleg Fayans wrote: >>>>> Hi, >>>>> >>>>> With the latest freeipa code containing Topology plugin patches, I am >>>>> unable to make any changes in replicas. >>>>> >>>>> I have the following topology: >>>>> replica1 <=> master <=> replica3 >>>>> Here is the output of the ipa topologysegment-find command: >>>>> >>>>> Suffix name: realm >>>>> ------------------ >>>>> 2 segments matched >>>>> ------------------ >>>>> Segment name: replica1.zaeba.li-to-testmaster.zaeba.li >>>>> Left node: replica1.zaeba.li >>>>> Right node: testmaster.zaeba.li >>>>> Connectivity: both >>>>> >>>>> Segment name: replica3.zaeba.li-to-testmaster.zaeba.li >>>>> Left node: replica3.zaeba.li >>>>> Right node: testmaster.zaeba.li >>>>> Connectivity: both >>>>> ---------------------------- >>>>> Number of entries returned 2 >>>>> ---------------------------- >>>>> >>>>> >>>>> Any changes on master get replicated to replicas successfully. >>>>> However, >>>>> any attempts to change anything on replicas, for example, create a >>>>> user, >>>>> result in the error message about DatabaseError (attached).
>>>>> >>>>> The corresponding part of the dirsrv log looks like this: >>>>> >>>>> 03/Jun/2015:04:11:55 -0400] slapi_ldap_bind - Error: could not >>>>> perform >>>>> interactive bind for id [] authentication mechanism [GSSAPI]: >>>>> error -1 >>>>> (Can't contact LDAP server) >>>>> [03/Jun/2015:04:15:02 -0400] slapi_ldap_bind - Error: could not send >>>>> startTLS request: error -1 (Can't contact LDAP server) errno 0 >>>>> (Success) >>>>> [03/Jun/2015:04:16:55 -0400] slapd_ldap_sasl_interactive_bind - >>>>> Error: >>>>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP >>>>> error >>>>> -1 (Can't contact LDAP server) ((null)) errno 2 (No such file or >>>>> directory) >>>>> [03/Jun/2015:04:16:55 -0400] slapi_ldap_bind - Error: could not >>>>> perform >>>>> interactive bind for id [] authentication mechanism [GSSAPI]: >>>>> error -1 >>>>> (Can't contact LDAP server) >>>>> >>>>> The full log is attached >>>>> >>>>> >>>>> >>>> Hi Oleg, >>>> >>>> could you also post the output of 'journalctl -xe' related to >>>> dirsrv (on master and also on replicas)? I have seen a couple of >>>> segfaults there during reviewing Petr Vobornik's topology* commands. >>>> >>> Attached >>> >>> >>> >> >> >> > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From lists at thetimmy.com Mon Jun 8 23:45:33 2015 
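Thierry's diagnosis above rests on telling two replication-bind failures apart in the 389-ds errors log: `LDAP error -1 (Can't contact LDAP server)` means the replica never reached its peer (the thread suspects name resolution), while `LDAP error -2 (Local error)` with `No Kerberos credentials available` is a local credential problem that clears on its own, as the later `auth resumed` line shows. The block below is an added example of that triage, written for this page and not part of any FreeIPA or 389-ds tooling; the sample input is the set of log lines quoted in the thread (hostnames and timestamps as posted), and the per-category hints are the editor's, not the thread's.

```python
import re
from collections import OrderedDict

# Sample input, constructed from the error-log lines quoted in the thread.
SAMPLE_ERRORS_LOG = """\
[03/Jun/2015:03:45:33 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 115 (Operation now in progress)
[03/Jun/2015:03:45:33 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[03/Jun/2015:03:45:33 -0400] NSMMReplicationPlugin - agmt="cn=meTotestmaster.zaeba.li" (testmaster:389): Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[05/Jun/2015:17:51:20 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-229.idm.lab.eng.brq.redhat.com" (vm-229:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[05/Jun/2015:17:51:23 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-229.idm.lab.eng.brq.redhat.com" (vm-229:389): Replication bind with GSSAPI auth resumed
"""

# Only the per-agreement lines from the replication plugin carry the peer
# and the outcome; the slapi_ldap_bind lines above them repeat the same error.
AGMT_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] NSMMReplicationPlugin - agmt="cn=(?P<agmt>[^"]+)" '
    r'\((?P<peer>[^)]+)\): Replication bind with GSSAPI auth '
    r'(?P<outcome>failed|resumed)'
    r'(?:: LDAP error (?P<code>-?\d+) \((?P<reason>[^)]*)\)(?P<detail>.*))?$'
)

# Editor's hints per category: -1 means the peer was never reached,
# -2 is a failure on the replica's own side (here, its Kerberos credentials).
HINTS = {
    "transport": "check DNS/SRV records, firewall and that the peer's LDAP port is listening",
    "credentials": "check the replica's keytab and ccache; usually transient after a restart",
    "local": "inspect the SASL/GSSAPI detail on the replica itself",
}


def classify(code, detail):
    if code == "-1":
        return "transport"
    if code == "-2":
        return "credentials" if "No Kerberos credentials" in detail else "local"
    return "other"


def summarize(log_text):
    """Per-agreement state from 389-ds errors-log text, in first-seen order."""
    agreements = OrderedDict()
    for line in log_text.splitlines():
        m = AGMT_RE.match(line)
        if not m:
            continue
        entry = agreements.setdefault(m.group("agmt"), {
            "peer": m.group("peer"), "failures": [], "state": "unknown", "hint": None})
        if m.group("outcome") == "resumed":
            entry["state"] = "ok"
            entry["hint"] = None
            entry["resumed_at"] = m.group("ts")
        else:
            category = classify(m.group("code"), m.group("detail") or "")
            entry["failures"].append((m.group("ts"), category, m.group("reason")))
            entry["state"] = "failing:" + category
            entry["hint"] = HINTS.get(category)
    return agreements


def still_failing(agreements):
    """Agreements whose most recent event was a failure, not a resume."""
    return [name for name, e in agreements.items() if e["state"] != "ok"]
```

Run over the thread's lines it flags only the `meTotestmaster.zaeba.li` agreement as still failing, with a transport-level cause, while the `vm-229` agreement recovered three seconds after its credential failure; that matches the split Thierry draws between the failing and the successful replica.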
From: lists at thetimmy.com (Timothy Worman) Date: Mon, 8 Jun 2015 16:45:33 -0700 Subject: [Freeipa-devel] json/rpc from apache/java HttpClient Message-ID: <9625C46E-4CA9-45DC-B8A2-562BB7A69BBF@thetimmy.com> I have developed a java client that is able to successfully commit transactions to FreeIPA using the json/rpc API. If it is useful, I could abstract all this and package it up to share. But I am seeing some interesting things - some of it may be my lack of experience using HttpClient but I wanted to run it by the list to see what should be expected. I have been following Alexander's guidelines (https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions) to develop this. I am able to establish a kerberized connection to https://hostname/ipa/session/login_kerberos with the HttpClient, Krb5LoginModule, using AuthSchemes.SPNEGO, proper referer header, and jaas config. The connection is successful and I am caching the ipa-session cookie string for subsequent use (sending a second command). I am performing this as a PrivilegedAction. After successful authentication, I send a second transaction - a typical "list users" json formatted command to the server at https://hostname/ipa/json. I first attempted this without implementing PrivilegedAction since Alexander's guide indicated I did NOT need to do any more authentication once I had a session key. I added a cookie header to a plain https transaction with the session cookie. This did not work - which surprised me. The app actually prompted me at this point for login credentials. Any thoughts here? I decided to create a new PrivilegedAction class to send subsequent json transactions to the server. I moved my code for the 2nd connection in there. This works. But as a test, I commented out instructions to explicitly add the session cookie to the transaction. And it still works. I found that I do not explicitly have to add the cookie header.
I am assuming that HttpClient natively handles cookies without explicit interaction. Anyone with any HttpClient experience that could shed some light on some of the behaviors and whether they should be expected? It does appear that I have a working client in any case. Tim Worman From abokovoy at redhat.com Tue Jun 9 03:25:06 2015 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 9 Jun 2015 06:25:06 +0300 Subject: [Freeipa-devel] json/rpc from apache/java HttpClient In-Reply-To: <9625C46E-4CA9-45DC-B8A2-562BB7A69BBF@thetimmy.com> References: <9625C46E-4CA9-45DC-B8A2-562BB7A69BBF@thetimmy.com> Message-ID: <20150609032506.GV10162@redhat.com> On Mon, 08 Jun 2015, Timothy Worman wrote: >I have developed a java client that is able to successfully commit >transactions to FreeIPA using the json/rpc API. If it is useful, I >could abstract all this and package it up to share. But I am seeing >some interesting things - some of it may be my lack of experience using >HttpClient but I wanted to run it by the list to see what should be >expected. > >I have been following Alexander's guidelines >(https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions) >to develop this. > >I am able to establish a kerberized connection to >https://hostname/ipa/session/login_kerberos with the HttpClient, >Krb5LoginModule, using AuthSchemes.SPNEGO, proper referer header, and >jaas config. The connection is successful and I am caching the >ipa-session cookie string for subsequent use (sending a second >command). I am performing this as a PrivilegedAction. > >After successful authentication, I send a second transaction - a >typical "list users" json formatted command to the server at >https://hostname/ipa/json. I first attempted this without implementing >PrivilegedAction since Alexander's guide indicated I did NOT need to do >any more authentication once I had a session key. I added a cookie >header to a plain https transaction with the session cookie. This did >not work - which surprised me. The app actually prompted me at this >point for login credentials. Any thoughts here? You have to use session-enabled end point -- /ipa/session/json, not normal one. I think my article points out this clearly. >I decided to create a new PrivilegedAction class to send subsequent >json transactions to the server.
I moved my code for the 2nd connection >in there. This works. But as a test, I commented out instructions to >explicitly add the session cookie to the transaction. And it still >works. I found that I do not explicitly have to add the cookie header. >I am assuming that HttpClient natively handles cookies without explicit >interaction. Yes, HttpClient automatically parses cookies sent in responses and puts them into a cookie store. Unless you are explicitly managing the cookie store, the default is to use the same cookie store for all requests sent associated with the client instance. >It does appear that I have a working client in any case. Great! -- / Alexander Bokovoy From lists at thetimmy.com Tue Jun 9 03:32:13 2015 
From: lists at thetimmy.com (Timothy Worman) Date: Mon, 8 Jun 2015 20:32:13 -0700 Subject: [Freeipa-devel] json/rpc from apache/java HttpClient In-Reply-To: <20150609032506.GV10162@redhat.com> References: <9625C46E-4CA9-45DC-B8A2-562BB7A69BBF@thetimmy.com> <20150609032506.GV10162@redhat.com> Message-ID: <8B8D8E94-ECBC-4200-889F-F2628639254F@thetimmy.com> On Jun 8, 2015, at 8:25 PM, Alexander Bokovoy wrote: > > On Mon, 08 Jun 2015, Timothy Worman wrote: >> I have developed a java client that is able to successfully commit >> transactions to FreeIPA using the json/rpc API. If it is useful, I >> could abstract all this and package it up to share. But I am seeing >> some interesting things - some of it may be my lack of experience using >> HttpClient but I wanted to run it by the list to see what should be >> expected. >> >> I have been following Alexander's guidelines >> (https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions) >> to develop this. >> >> I am able to establish a kerberized connection to >> https://hostname/ipa/session/login_kerberos with the HttpClient, >> Krb5LoginModule, using AuthSchemes.SPNEGO, proper referer header, and >> jaas config. The connection is successful and I am caching the >> ipa-session cookie string for subsequent use (sending a second >> command). I am performing this as a PrivilegedAction. >> >> After successful authentication, I send a second transaction - a >> typical "list users" json formatted command to the server at >> https://hostname/ipa/json. I first attempted this without implementing >> PrivilegedAction since Alexander's guide indicated I did NOT need to do >> any more authentication once I had a session key. I added a cookie >> header to a plain https transaction with the session cookie. This did >> not work - which surprised me. The app actually prompted me at this >> point for login credentials. Any thoughts here? > You have to use session-enabled end point -- /ipa/session/json, not > normal one.
I think my article points out this clearly. It probably does, and I probably missed it as people sometimes do. ;-) I will run some tests with this. >> I decided to create a new PrivilegedAction class to send subsequent >> json transactions to the server. I moved my code for the 2nd connection >> in there. This works. But as a test, I commented out instructions to >> explicitly add the session cookie to the transaction. And it still >> works. I found that I do not explicitly have to add the cookie header. >> I am assuming that HttpClient natively handles cookies without explicit >> interaction. > Yes, HttpClient automatically parses cookies sent in responses and puts > them into a cookie store. Unless you are explicitly managing the cookie > store, the default is to use the same cookie store for all requests sent > associated with the client instance. > >> It does appear that I have a working client in any case. > Great! Yes. In further tests I've actually found I do not need the initial connection I spoke of. If I use HttpClient initialized as I described and simply post my json to https://hostname/ipa/json a connection is negotiated and the list users transaction appears to go through normally. Alexander, your write-up was very helpful. Thanks. > -- > / Alexander Bokovoy From abokovoy at redhat.com Tue Jun 9 04:08:11 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 9 Jun 2015 07:08:11 +0300
Subject: [Freeipa-devel] json/rpc from apache/java HttpClient
In-Reply-To: <8B8D8E94-ECBC-4200-889F-F2628639254F@thetimmy.com>
References: <9625C46E-4CA9-45DC-B8A2-562BB7A69BBF@thetimmy.com> <20150609032506.GV10162@redhat.com> <8B8D8E94-ECBC-4200-889F-F2628639254F@thetimmy.com>
Message-ID: <20150609040811.GW10162@redhat.com>

On Mon, 08 Jun 2015, Timothy Worman wrote:
>On Jun 8, 2015, at 8:25 PM, Alexander Bokovoy wrote:
>>
>> On Mon, 08 Jun 2015, Timothy Worman wrote:
>>> I have developed a java client that is able to successfully commit transactions to FreeIPA using the json/rpc API. If it is useful, I could abstract all this and package it up to share. But I am seeing some interesting things - some of it may be my lack of experience using HttpClient but I wanted to run it by the list to see what should be expected.
>>>
>>> I have been following Alexander's guidelines (https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions) to develop this.
>>>
>>> I am able to establish a kerberized connection to https://hostname/ipa/session/login_kerberos with the HttpClient, Krb5LoginModule, using AuthSchemes.SPNEGO, proper referer header, and jaas config. The connection is successful and I am caching the ipa-session cookie string for subsequent use (sending a second command). I am performing this as a PrivilegedAction.
>>>
>>> After successful authentication, I send a second transaction - a typical "list users" json formatted command to the server at https://hostname/ipa/json. I first attempted this without implementing PrivilegedAction since Alexander's guide indicated I did NOT need to do any more authentication once I had a session key. I added a cookie header to a plain https transaction with the session cookie. This did not work - which surprised me.
>>> The app actually prompted me at this point for login credentials. Any thoughts here?
>> You have to use session-enabled end point -- /ipa/session/json, not normal one. I think my article points out this clearly.
>
>It probably does, and I probably missed it as people sometimes do. ;-) I will run some tests with this.
>
>>> I decided to create a new PrivilegedAction class to send subsequent json transactions to the server. I moved my code for the 2nd connection in there. This works. But as a test, I commented out instructions to explicitly add the session cookie to the transaction. And it still works. I found that I do not explicitly have to add the cookie header. I am assuming that HttpClient natively handles cookies without explicit interaction.
>> Yes, HttpClient automatically parses cookies sent in responses and puts them into a cookie store. Unless you are explicitly managing the cookie store, the default is to use the same cookie store for all requests sent associated with the client instance.
>>
>>> It does appear that I have a working client in any case.
>> Great!
>
>Yes. In further tests I've actually found I do not need the initial connection I spoke of. If I use HttpClient initialized as I described and simply post my json to https://hostname/ipa/json a connection is negotiated and the list users transaction appears to go through normally.

I've looked at the code. If you initialize session with Kerberos, you can use either /ipa/session/json or /ipa/json because both rely on the same cookie. The difference is in what happens when your session is expired -- /ipa/session/json will redirect to the login page while /ipa/json will just report a ccache error.

--
/ Alexander Bokovoy

From ftweedal at redhat.com Tue Jun 9 06:58:05 2015
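The login-then-session flow that Timothy and Alexander discuss above, written out as an added Java example (it is not code from the thread, from Timothy's client, or from FreeIPA). It assumes Apache HttpClient 4.5, a JAAS entry named IpaClient that uses Krb5LoginModule with the user's ticket cache, the server name ipa.example.test, and that the session cookie is called ipa_session; the retry on HTTP 401 is an assumption, the retry on a redirect follows Alexander's description of the expired-session behaviour of /ipa/session/json.

```java
// File: IpaSessionClient.java (example, not FreeIPA code)
import java.io.IOException;
import java.security.Principal;
import java.security.PrivilegedExceptionAction;
import java.util.Collections;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.apache.http.auth.AuthSchemeProvider;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.Credentials;
import org.apache.http.client.config.AuthSchemes;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.cookie.Cookie;
import org.apache.http.entity.ContentType;
import org.apache.http.entity.StringEntity;
import org.apache.http.impl.auth.SPNegoSchemeFactory;
import org.apache.http.impl.client.BasicCookieStore;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.util.EntityUtils;

public class IpaSessionClient {
    // Assumed values: replace with your server and your JAAS entry name.
    // jaas.conf entry, passed with -Djava.security.auth.login.config=jaas.conf:
    //   IpaClient { com.sun.security.auth.module.Krb5LoginModule required
    //               useTicketCache=true doNotPrompt=true; };
    static final String BASE = "https://ipa.example.test";
    static final String JAAS_ENTRY = "IpaClient";

    // One cookie store for the whole client: the session cookie set by the login
    // response is replayed on every later request, so no explicit Cookie header
    // is needed (the behaviour Timothy observed).
    private final BasicCookieStore cookies = new BasicCookieStore();
    private final CloseableHttpClient http;

    IpaSessionClient() {
        Registry<AuthSchemeProvider> schemes = RegistryBuilder.<AuthSchemeProvider>create()
            .register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory(true)).build();
        // SPNEGO takes its credentials from the JAAS Subject; HttpClient still
        // needs a Credentials entry registered so that it attempts Negotiate at all.
        BasicCredentialsProvider creds = new BasicCredentialsProvider();
        creds.setCredentials(AuthScope.ANY, new Credentials() {
            public Principal getUserPrincipal() { return null; }
            public String getPassword() { return null; }
        });
        RequestConfig cfg = RequestConfig.custom()
            .setTargetPreferredAuthSchemes(Collections.singletonList(AuthSchemes.SPNEGO)).build();
        http = HttpClients.custom().setDefaultAuthSchemeRegistry(schemes)
            .setDefaultCredentialsProvider(creds).setDefaultRequestConfig(cfg)
            .setDefaultCookieStore(cookies).build();
    }

    private HttpPost post(String path, String body) {
        HttpPost p = new HttpPost(BASE + path);
        p.setHeader("Referer", BASE + "/ipa");   // the server expects a Referer header
        p.setHeader("Accept", "application/json");
        p.setEntity(new StringEntity(body, ContentType.APPLICATION_JSON));
        return p;
    }

    /** Step 1: authenticate with Kerberos and collect the session cookie. */
    boolean login() throws IOException {
        try (CloseableHttpResponse r = http.execute(post("/ipa/session/login_kerberos", ""))) {
            EntityUtils.consume(r.getEntity());
            return r.getStatusLine().getStatusCode() == 200 && hasSessionCookie();
        }
    }

    boolean hasSessionCookie() {
        for (Cookie c : cookies.getCookies()) if ("ipa_session".equals(c.getName())) return true;
        return false;
    }

    /** Step 2: JSON-RPC call on the session endpoint; re-authenticate once if the session expired. */
    String call(String method) throws IOException {
        String body = "{\"method\":\"" + method + "\",\"params\":[[],{}],\"id\":0}";
        for (int attempt = 0; attempt < 2; attempt++) {
            try (CloseableHttpResponse r = http.execute(post("/ipa/session/json", body))) {
                int code = r.getStatusLine().getStatusCode();
                String text = EntityUtils.toString(r.getEntity());
                if (code == 200) return text;
                // Expired session: /ipa/session/json redirects to the login page (per the
                // thread); a 401 is treated the same way here as an assumption.
                if (attempt == 0 && (code / 100 == 3 || code == 401) && login()) continue;
                throw new IOException("HTTP " + code + ": " + text);
            }
        }
        throw new IllegalStateException("unreachable");
    }

    public static void main(String[] args) throws Exception {
        LoginContext lc = new LoginContext(JAAS_ENTRY);
        lc.login();
        // Run both requests as the Kerberos-authenticated Subject (the PrivilegedAction pattern).
        String users = Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<String>) () -> {
            IpaSessionClient c = new IpaSessionClient();
            if (!c.login()) throw new IOException("Kerberos login failed");
            return c.call("user_find");
        });
        System.out.println(users);
    }
}
```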
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Tue, 9 Jun 2015 16:58:05 +1000
Subject: [Freeipa-devel] [PATCHES 00012-0013 v7] Profiles and CA ACLs
In-Reply-To: <55753AE2.5030802@redhat.com>
References: <20150601071058.GI23523@dhcp-40-8.bne.redhat.com> <20150601072228.GJ23523@dhcp-40-8.bne.redhat.com> <20150602121127.GU23523@dhcp-40-8.bne.redhat.com> <556DDBD6.70007@redhat.com> <20150603141717.GZ23523@dhcp-40-8.bne.redhat.com> <556F3009.1090503@redhat.com> <20150604065944.GB23523@dhcp-40-8.bne.redhat.com> <55705542.4000002@redhat.com> <20150608013122.GH23523@dhcp-40-8.bne.redhat.com> <55753AE2.5030802@redhat.com>
Message-ID: <20150609065805.GL23523@dhcp-40-8.bne.redhat.com>

On Mon, Jun 08, 2015 at 08:49:06AM +0200, Martin Kosek wrote:
> On 06/08/2015 03:31 AM, Fraser Tweedale wrote:
> > New patches attached. Comments inline.
>
> Thanks Fraser!
>
> ...
> >> 5)
> >> Missing referint plugin configuration for attribute 'ipacaaclmembercertprofile'
> >> Please add it into install/updates/25-referint.update (+ other member attributes if missing)
> >>
> > Added this. There is a comment in 25-referint.update:
> >
> > # pres and eq indexes defined in 20-indices.update must be set
> > # for all the attributes
> >
> > Can you explain what is required here? Is it just to add: I see things for memberUser and memberHost in indices.ldif but nothing for memberService. Do I need to add to indices.ldif:
> >
> > dn: cn=memberProfile,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
> > changetype: add
> > cn: memberProfile
> > ObjectClass: top
> > ObjectClass: nsIndex
> > nsSystemIndex: false
> > nsIndexType: eq
> > nsIndexType: pres
> > nsIndexType: sub
> >
> > , and similarly for memberCa? Sorry I do not know much about LDAP indexing.
>
> AFAIR, yes. BTW, where does the "sub" index come from? It is quite an expensive index to use and I now cannot think of memberProfile search where you would need a substring...
>
> Thanks,
> Martin

Updated patch attached, which adds the indices. (Also rebased).

There is a commit that seems to indicate that substring index is needed, so I have included substring indices in this patchset. Copied Honza in case he wants to comment.

commit a10521a1dcf69960d6ce0bf5657180b709c297c0
Author: Jan Cholasta
Date: Tue Jun 25 13:16:40 2013 +0000

    Add missing substring indices for attributes managed by the referint plugin.

    The referint plugin does a substring search on these attributes each time an entry is deleted, which causes a noticeable slowdown for large directories if the attributes are not indexed.

    https://fedorahosted.org/freeipa/ticket/3706

Cheers,
Fraser
-------------- next part --------------
From 4ac84d1fd4baccecf6a73669943d6598ad604ad6 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale Date: Mon, 25 May 2015 08:39:07 -0400 Subject: [PATCH 12/13] Add CA ACL plugin Implement the caacl commands, which are used to indicate which principals may be issued certificates from which (sub-)CAs, using which profiles. At this commit, and until sub-CAs are implemented, all rules refer to the top-level CA (represented as ".") and no ca-ref argument is exposed. Also add a default CA ACL that permits certificate issuance for all hosts and services using the profile 'caIPAserviceCert' on the top-level CA. This rule is added during install but not upgrade. Part of: https://fedorahosted.org/freeipa/ticket/57 Part of: https://fedorahosted.org/freeipa/ticket/4559 --- ACI.txt | 10 + API.txt | 184 ++++++++++++ VERSION | 4 +- install/share/60certificate-profiles.ldif | 5 + install/share/Makefile.am | 1 + install/share/bootstrap-template.ldif | 6 + install/share/default-caacl.ldif | 11 + install/share/indices.ldif | 20 ++ install/updates/20-indices.update | 18 ++ install/updates/25-referint.update | 2 + install/updates/41-caacl.update | 4 + install/updates/Makefile.am | 1 + ipalib/constants.py | 1 + ipalib/plugins/caacl.py | 476 ++++++++++++++++++++++++++++++ ipaserver/install/dsinstance.py | 4 + 15 files changed, 745 insertions(+), 2 deletions(-) create mode 100644 install/share/default-caacl.ldif create mode 100644 install/updates/41-caacl.update create mode 100644 ipalib/plugins/caacl.py diff --git a/ACI.txt b/ACI.txt index 59173ac1b593f15e079c7b1fce43ec9b0084ec91..bf63cb4caac09fb9d9697290e31afdee0a364882 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -22,6 +22,16 @@ dn: cn=automount,dc=ipa,dc=example aci: (targetattr = "automountmapname || description")(targetfilter = "(objectclass=automountmap)")(version 3.0;acl "permission:System: Modify Automount Maps";allow (write) groupdn = "ldap:///cn=System: Modify Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=automount,dc=ipa,dc=example aci: (targetfilter = "(objectclass=automountmap)")(version 3.0;acl "permission:System: Remove Automount Maps";allow (delete) groupdn = "ldap:///cn=System: Remove Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=caacls,cn=ca,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Add CA ACL";allow (add) groupdn = "ldap:///cn=System: Add CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=caacls,cn=ca,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Delete CA ACL";allow (delete) groupdn = "ldap:///cn=System: Delete CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=caacls,cn=ca,dc=ipa,dc=example +aci: (targetattr = "cacategory || hostcategory || memberca || memberhost || memberprofile || memberservice || memberuser || profilecategory || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Manage CA ACL Membership";allow (write) groupdn = "ldap:///cn=System: Manage CA ACL Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=caacls,cn=ca,dc=ipa,dc=example +aci: (targetattr = "cn || description || ipaenabledflag")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Modify CA ACL";allow (write) groupdn = "ldap:///cn=System: Modify CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=caacls,cn=ca,dc=ipa,dc=example +aci: (targetattr = "cacategory || cn || createtimestamp || description || entryusn || hostcategory || ipaenabledflag || ipauniqueid || member || memberca || memberhost || 
memberprofile || memberservice || memberuser || modifytimestamp || objectclass || profilecategory || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Read CA ACLs";allow (compare,read,search) userdn = "ldap:///all";) dn: cn=certprofiles,cn=ca,dc=ipa,dc=example aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Delete Certificate Profile";allow (delete) groupdn = "ldap:///cn=System: Delete Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=certprofiles,cn=ca,dc=ipa,dc=example diff --git a/API.txt b/API.txt index 9e3f223b7ac338840d7090299f9108e951ea920a..13268ce1abb6edcbe71d4585d77f57e46a8711f8 100644 --- a/API.txt +++ b/API.txt 
@@ -456,6 +456,190 @@ option: Str('version?', exclude='webui') output: Output('result', , None) output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) +command: caacl_add +args: 1,12,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, required=True) +option: Str('addattr*', cli_name='addattr', exclude='webui') +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('description', attribute=True, cli_name='desc', multivalue=False, required=False) +option: StrEnum('hostcategory', attribute=True, cli_name='hostcat', multivalue=False, required=False, values=(u'all',)) +option: Bool('ipaenabledflag', attribute=True, cli_name='ipaenabledflag', multivalue=False, required=False) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: StrEnum('profilecategory', attribute=True, cli_name='profilecat', multivalue=False, required=False, values=(u'all',)) +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: StrEnum('servicecategory', attribute=True, cli_name='servicecat', multivalue=False, required=False, values=(u'all',)) +option: Str('setattr*', cli_name='setattr', exclude='webui') +option: StrEnum('usercategory', attribute=True, cli_name='usercat', multivalue=False, required=False, values=(u'all',)) +option: Str('version?', exclude='webui') +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) +command: caacl_add_host +args: 1,6,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('host*', alwaysask=True, cli_name='hosts', csv=True) +option: Str('hostgroup*', alwaysask=True, cli_name='hostgroups', csv=True) +option: 
Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: caacl_add_profile +args: 1,5,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('certprofile*', alwaysask=True, cli_name='certprofiles', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: caacl_add_service +args: 1,5,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('service*', alwaysask=True, cli_name='services', csv=True) +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: caacl_add_user +args: 1,6,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') 
+option: Str('group*', alwaysask=True, cli_name='groups', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('user*', alwaysask=True, cli_name='users', csv=True) +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: caacl_del +args: 1,2,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=True, primary_key=True, query=True, required=True) +option: Flag('continue', autofill=True, cli_name='continue', default=False) +option: Str('version?', exclude='webui') +output: Output('result', , None) +output: Output('summary', (, ), None) +output: ListOfPrimaryKeys('value', None, None) +command: caacl_disable +args: 1,1,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Str('version?', exclude='webui') +output: Output('result', , None) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) +command: caacl_enable +args: 1,1,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Str('version?', exclude='webui') +output: Output('result', , None) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) +command: caacl_find +args: 1,14,4 +arg: Str('criteria?', noextrawhitespace=False) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('cn', attribute=True, autofill=False, cli_name='name', multivalue=False, primary_key=True, query=True, required=False) +option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, query=True, required=False) +option: StrEnum('hostcategory', attribute=True, autofill=False, 
cli_name='hostcat', multivalue=False, query=True, required=False, values=(u'all',)) +option: Bool('ipaenabledflag', attribute=True, autofill=False, cli_name='ipaenabledflag', multivalue=False, query=True, required=False) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('pkey_only?', autofill=True, default=False) +option: StrEnum('profilecategory', attribute=True, autofill=False, cli_name='profilecat', multivalue=False, query=True, required=False, values=(u'all',)) +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: StrEnum('servicecategory', attribute=True, autofill=False, cli_name='servicecat', multivalue=False, query=True, required=False, values=(u'all',)) +option: Int('sizelimit?', autofill=False, minvalue=0) +option: Int('timelimit?', autofill=False, minvalue=0) +option: StrEnum('usercategory', attribute=True, autofill=False, cli_name='usercat', multivalue=False, query=True, required=False, values=(u'all',)) +option: Str('version?', exclude='webui') +output: Output('count', , None) +output: ListOfEntries('result', (, ), Gettext('A list of LDAP entries', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: Output('truncated', , None) +command: caacl_mod +args: 1,14,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Str('addattr*', cli_name='addattr', exclude='webui') +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('delattr*', cli_name='delattr', exclude='webui') +option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, required=False) +option: StrEnum('hostcategory', attribute=True, autofill=False, cli_name='hostcat', multivalue=False, required=False, values=(u'all',)) +option: Bool('ipaenabledflag', attribute=True, autofill=False, cli_name='ipaenabledflag', multivalue=False, required=False) +option: 
Flag('no_members', autofill=True, default=False, exclude='webui') +option: StrEnum('profilecategory', attribute=True, autofill=False, cli_name='profilecat', multivalue=False, required=False, values=(u'all',)) +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Flag('rights', autofill=True, default=False) +option: StrEnum('servicecategory', attribute=True, autofill=False, cli_name='servicecat', multivalue=False, required=False, values=(u'all',)) +option: Str('setattr*', cli_name='setattr', exclude='webui') +option: StrEnum('usercategory', attribute=True, autofill=False, cli_name='usercat', multivalue=False, required=False, values=(u'all',)) +option: Str('version?', exclude='webui') +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) +command: caacl_remove_host +args: 1,6,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('host*', alwaysask=True, cli_name='hosts', csv=True) +option: Str('hostgroup*', alwaysask=True, cli_name='hostgroups', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: caacl_remove_profile +args: 1,5,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('certprofile*', alwaysask=True, cli_name='certprofiles', csv=True) 
+option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: caacl_remove_service +args: 1,5,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('service*', alwaysask=True, cli_name='services', csv=True) +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: caacl_remove_user +args: 1,6,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('group*', alwaysask=True, cli_name='groups', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('user*', alwaysask=True, cli_name='users', csv=True) +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: caacl_show +args: 1,5,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', 
autofill=True, cli_name='all', default=False, exclude='webui') +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Flag('rights', autofill=True, default=False) +option: Str('version?', exclude='webui') +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) command: cert_find args: 0,17,4 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') diff --git a/VERSION b/VERSION index 535b3e228a3500f2013ea793b19a97d9fbd05021..911470c2d83d81e6abee3e8e41496cf472a11d19 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=126 -# Last change: edewata - added vault-archive and vault-retrieve +IPA_API_VERSION_MINOR=127 +# Last change: ftweedal - add caacl plugin diff --git a/install/share/60certificate-profiles.ldif b/install/share/60certificate-profiles.ldif index f1281949e53386e5bfe8b35e0c15858c693c5467..aa47c9b5d6b2db885b6273866cdf602df90c2e30 100644 --- a/install/share/60certificate-profiles.ldif +++ b/install/share/60certificate-profiles.ldif 
@@ -1,3 +1,8 @@ dn: cn=schema attributeTypes: (2.16.840.1.113730.3.8.21.1.1 NAME 'ipaCertProfileStoreIssued' DESC 'Store certificates issued using this profile' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.2' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.2 NAME 'memberCa' DESC 'Reference to a CA member' SUP distinguishedName EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v4.2' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.3 NAME 'memberProfile' DESC 'Reference to a certificate profile member' SUP distinguishedName EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v4.2' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.4 NAME 'caCategory' DESC 'Additional classification for CAs' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.2' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.5 NAME 'profileCategory' DESC 'Additional classification for certificate profiles' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.2' ) objectClasses: (2.16.840.1.113730.3.8.21.2.1 NAME 'ipaCertProfile' SUP top STRUCTURAL MUST ( cn $ description $ ipaCertProfileStoreIssued ) X-ORIGIN 'IPA v4.2' ) +objectClasses: (2.16.840.1.113730.3.8.21.2.2 NAME 'ipaCaAcl' SUP ipaAssociation STRUCTURAL MUST cn MAY ( caCategory $ profileCategory $ userCategory $ hostCategory $ serviceCategory $ memberCa $ memberProfile $ memberService ) X-ORIGIN 'IPA v4.2' ) diff --git a/install/share/Makefile.am b/install/share/Makefile.am index 31f391be25c58b76cc71971852074d80c5514745..e97a89ca93f7f188e06dc982bd69e251f8082df3 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am 
@@ -29,6 +29,7 @@ app_DATA = \ bootstrap-template.ldif \ caJarSigningCert.cfg.template \ default-aci.ldif \ + default-caacl.ldif \ default-hbac.ldif \ default-smb-group.ldif \ default-trust-view.ldif \ diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif index c5d4bad8b80640881f4631e4873a12c82b0ea48a..2387f220fd4fe6e3ccd59f4b592f2473d7acfa44 100644 --- a/install/share/bootstrap-template.ldif +++ b/install/share/bootstrap-template.ldif @@ -441,3 +441,9 @@ changetype: add objectClass: nsContainer objectClass: top cn: certprofiles + +dn: cn=caacls,cn=ca,$SUFFIX +changetype: add +objectClass: nsContainer +objectClass: top +cn: caacls diff --git a/install/share/default-caacl.ldif b/install/share/default-caacl.ldif new file mode 100644 index 0000000000000000000000000000000000000000..8acfb489522fe8c66afdc2ed6ac1105f249cd140 --- /dev/null +++ b/install/share/default-caacl.ldif @@ -0,0 +1,11 @@ +# default CA ACL that grants use of caIPAserviceCert on top-level CA to all hosts and services +dn: ipauniqueid=autogenerate,cn=caacls,cn=ca,$SUFFIX +changetype: add +objectclass: ipaassociation +objectclass: ipacaacl +ipauniqueid: autogenerate +cn: hosts_services_caIPAserviceCert +ipaenabledflag: TRUE +memberprofile: cn=caIPAserviceCert,cn=certprofiles,cn=ca,$SUFFIX +hostcategory: all +servicecategory: all diff --git a/install/share/indices.ldif b/install/share/indices.ldif index ad678e0b2123d961c957d3071ba48ff70bf27e7a..98aedca2d9c61c58e9d318cae909317a7d9d29a0 100644 --- a/install/share/indices.ldif +++ b/install/share/indices.ldif 
@@ -227,3 +227,23 @@ ObjectClass: top ObjectClass: nsIndex nsSystemIndex: false nsIndexType: eq + +dn: cn=memberCa,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config +changetype: add +cn: memberCa +ObjectClass: top +ObjectClass: nsIndex +nsSystemIndex: false +nsIndexType: eq +nsIndexType: pres +nsIndexType: sub + +dn: cn=memberProfile,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config +changetype: add +cn: memberProfile +ObjectClass: top +ObjectClass: nsIndex +nsSystemIndex: false +nsIndexType: eq +nsIndexType: pres +nsIndexType: sub diff --git a/install/updates/20-indices.update b/install/updates/20-indices.update index 880e73f3bb1b2a32c2fa40f65666cfd594cdc659..da9529272773995553ad2c056f2c5c03b847745b 100644 --- a/install/updates/20-indices.update +++ b/install/updates/20-indices.update @@ -191,3 +191,21 @@ default:nsSystemIndex: false only:nsIndexType: eq only:nsIndexType: pres only:nsIndexType: sub + +dn: cn=memberCa,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config +default:cn: memberCa +default:ObjectClass: top +default:ObjectClass: nsIndex +default:nsSystemIndex: false +only:nsIndexType: eq +only:nsIndexType: pres +only:nsIndexType: sub + +dn: cn=memberProfile,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config +default:cn: memberProfile +default:ObjectClass: top +default:ObjectClass: nsIndex +default:nsSystemIndex: false +only:nsIndexType: eq +only:nsIndexType: pres +only:nsIndexType: sub diff --git a/install/updates/25-referint.update b/install/updates/25-referint.update index 005cd0376d82c83b1b7ab368f992e209b0da5e9a..f173254e189f080e39b29ce214d684b35ae8057a 100644 --- a/install/updates/25-referint.update +++ b/install/updates/25-referint.update 
@@ -17,3 +17,5 @@ add: referint-membership-attr: ipasudorunasgroup add: referint-membership-attr: ipatokenradiusconfiglink add: referint-membership-attr: ipaassignedidview add: referint-membership-attr: ipaallowedtarget +add: referint-membership-attr: memberca +add: referint-membership-attr: memberprofile diff --git a/install/updates/41-caacl.update b/install/updates/41-caacl.update new file mode 100644 index 0000000000000000000000000000000000000000..a18b6ec946855c194077d9ac01a8adcfddf8542e --- /dev/null +++ b/install/updates/41-caacl.update @@ -0,0 +1,4 @@ +dn: cn=caacls,cn=ca,$SUFFIX +default: objectClass: nsContainer +default: objectClass: top +default: cn: caacls diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am index fc6bd624eac619cdddeba29b85440571d85fd69f..eddf4d850ed4b47d5526dc152149fa21b14779d4 100644 --- a/install/updates/Makefile.am +++ b/install/updates/Makefile.am @@ -35,6 +35,7 @@ app_DATA = \ 40-certprofile.update \ 40-otp.update \ 40-vault.update \ + 41-caacl.update \ 45-roles.update \ 50-7_bit_check.update \ 50-dogtag10-migration.update \ diff --git a/ipalib/constants.py b/ipalib/constants.py index 93d7aaa7b0b5f0b47b8839e764ef168c1fe08c97..86b1ce8bd501845e7b5871773e86521d3c5d2ad9 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -120,6 +120,7 @@ DEFAULT_CONFIG = ( ('container_masters', DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'))), ('container_certprofile', DN(('cn', 'certprofiles'), ('cn', 'ca'))), ('container_topology', DN(('cn', 'topology'), ('cn', 'ipa'), ('cn', 'etc'))), + ('container_caacl', DN(('cn', 'caacls'), ('cn', 'ca'))), # Ports, hosts, and URIs: ('xmlrpc_uri', 'http://localhost:8888/ipa/xml'), diff --git a/ipalib/plugins/caacl.py b/ipalib/plugins/caacl.py new file mode 100644 index 0000000000000000000000000000000000000000..c589e07b9b211d34239294baeddeee54178c68e6 --- /dev/null +++ b/ipalib/plugins/caacl.py 
@@ -0,0 +1,476 @@ +# +# Copyright (C) 2015 FreeIPA Contributors see COPYING for license +# + +from ipalib import api, errors, output +from ipalib import Bool, Str, StrEnum +from ipalib.plugable import Registry +from ipalib.plugins.baseldap import ( + LDAPObject, LDAPSearch, LDAPCreate, LDAPDelete, LDAPQuery, + LDAPUpdate, LDAPRetrieve, LDAPAddMember, LDAPRemoveMember, + global_output_params, pkey_to_value) +from ipalib.plugins.hbacrule import is_all +from ipalib import _, ngettext +from ipapython.dn import DN + + +__doc__ = _(""" +Manage CA ACL rules. + +This plugin is used to define rules governing which principals are +permitted to have certificates issued using a given certificate +profile. + +PROFILE ID SYNTAX: + +A Profile ID is a string without spaces or punctuation starting with a letter +and followed by a sequence of letters, digits or underscore ("_"). + +EXAMPLES: + + Create a CA ACL "test" that grants all users access to the + "UserCert" profile: + ipa caacl-add test --usercat=all + ipa caacl-add-profile test --certprofiles UserCert + + Display the properties of a named CA ACL: + ipa caacl-show test + + Create a CA ACL to let user "alice" use the "DNP3" profile: + ipa caacl-add-profile alice_dnp3 --certprofiles DNP3 + ipa caacl-add-user alice_dnp3 --user=alice + + Disable a CA ACL: + ipa caacl-disable test + + Remove a CA ACL: + ipa caacl-del test +""") + +register = Registry() + + + at register() +class caacl(LDAPObject): + """ + CA ACL object. 
+ """ + container_dn = api.env.container_caacl + object_name = _('CA ACL') + object_name_plural = _('CA ACLs') + object_class = ['ipaassociation', 'ipacaacl'] + permission_filter_objectclasses = ['ipacaacl'] + default_attributes = [ + 'cn', 'description', 'ipaenabledflag', + 'cacategory', 'memberca', + 'profilecategory', 'memberprofile', + 'usercategory', 'memberuser', + 'hostcategory', 'memberhost', + 'servicecategory', 'memberservice', + ] + uuid_attribute = 'ipauniqueid' + rdn_attribute = 'ipauniqueid' + attribute_members = { + 'memberuser': ['user', 'group'], + 'memberhost': ['host', 'hostgroup'], + 'memberservice': ['service'], + 'memberprofile': ['certprofile'], + } + managed_permissions = { + 'System: Read CA ACLs': { + 'replaces_global_anonymous_aci': True, + 'ipapermbindruletype': 'all', + 'ipapermright': {'read', 'search', 'compare'}, + 'ipapermdefaultattr': { + 'cn', 'description', 'ipaenabledflag', + 'cacategory', 'memberca', + 'profilecategory', 'memberprofile', + 'usercategory', 'memberuser', + 'hostcategory', 'memberhost', + 'servicecategory', 'memberservice', + 'ipauniqueid', + 'objectclass', 'member', + }, + }, + 'System: Add CA ACL': { + 'ipapermright': {'add'}, + 'replaces': [ + '(target = "ldap:///ipauniqueid=*,cn=caacls,cn=ca,$SUFFIX")(version 3.0;acl "permission:Add CA ACL";allow (add) groupdn = "ldap:///cn=Add CA ACL,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + 'System: Delete CA ACL': { + 'ipapermright': {'delete'}, + 'replaces': [ + '(target = "ldap:///ipauniqueid=*,cn=caacls,cn=ca,$SUFFIX")(version 3.0;acl "permission:Delete CA ACL";allow (delete) groupdn = "ldap:///cn=Delete CA ACL,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + 'System: Manage CA ACL Membership': { + 'ipapermright': {'write'}, + 'ipapermdefaultattr': { + 'cacategory', 'memberca', + 'profilecategory', 'memberprofile', + 'usercategory', 'memberuser', + 'hostcategory', 
'memberhost', + 'servicecategory', 'memberservice' + }, + 'replaces': [ + '(targetattr = "memberca || memberprofile || memberuser || memberservice || memberhost || cacategory || profilecategory || usercategory || hostcategory || servicecategory")(target = "ldap:///ipauniqueid=*,cn=caacls,cn=ca,$SUFFIX")(version 3.0;acl "permission:Manage CA ACL membership";allow (write) groupdn = "ldap:///cn=Manage CA ACL membership,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + 'System: Modify CA ACL': { + 'ipapermright': {'write'}, + 'ipapermdefaultattr': { + 'cn', 'description', 'ipaenabledflag', + }, + 'replaces': [ + '(targetattr = "cn || description || ipaenabledflag")(target = "ldap:///ipauniqueid=*,cn=caacls,cn=ca,$SUFFIX")(version 3.0;acl "permission:Modify CA ACL";allow (write) groupdn = "ldap:///cn=Modify CA ACL,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + } + + label = _('CA ACLs') + label_singular = _('CA ACL') + + takes_params = ( + Str('cn', + cli_name='name', + label=_('ACL name'), + primary_key=True, + ), + Str('description?', + cli_name='desc', + label=_('Description'), + ), + Bool('ipaenabledflag?', + label=_('Enabled'), + flags=['no_option'], + ), + # Commented until subca plugin arrives + #StrEnum('cacategory?', + # cli_name='cacat', + # label=_('CA category'), + # doc=_('CA category the ACL applies to'), + # values=(u'all', ), + #), + StrEnum('profilecategory?', + cli_name='profilecat', + label=_('Profile category'), + doc=_('Profile category the ACL applies to'), + values=(u'all', ), + ), + StrEnum('usercategory?', + cli_name='usercat', + label=_('User category'), + doc=_('User category the ACL applies to'), + values=(u'all', ), + ), + StrEnum('hostcategory?', + cli_name='hostcat', + label=_('Host category'), + doc=_('Host category the ACL applies to'), + values=(u'all', ), + ), + StrEnum('servicecategory?', + cli_name='servicecat', + label=_('Service category'), + 
doc=_('Service category the ACL applies to'), + values=(u'all', ), + ), + # Commented until subca plugin arrives + #Str('memberca_subca?', + # label=_('CAs'), + # flags=['no_create', 'no_update', 'no_search'], + #), + Str('memberprofile_certprofile?', + label=_('Profiles'), + flags=['no_create', 'no_update', 'no_search'], + ), + Str('memberuser_user?', + label=_('Users'), + flags=['no_create', 'no_update', 'no_search'], + ), + Str('memberuser_group?', + label=_('User Groups'), + flags=['no_create', 'no_update', 'no_search'], + ), + Str('memberhost_host?', + label=_('Hosts'), + flags=['no_create', 'no_update', 'no_search'], + ), + Str('memberhost_hostgroup?', + label=_('Host Groups'), + flags=['no_create', 'no_update', 'no_search'], + ), + Str('memberservice_service?', + label=_('Services'), + flags=['no_create', 'no_update', 'no_search'], + ), + ) + + + at register() +class caacl_add(LDAPCreate): + __doc__ = _('Create a new CA ACL.') + + msg_summary = _('Added CA ACL "%(value)s"') + + def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + # CA ACLs are enabled by default + entry_attrs['ipaenabledflag'] = ['TRUE'] + return dn + + + at register() +class caacl_del(LDAPDelete): + __doc__ = _('Delete a CA ACL.') + + msg_summary = _('Deleted CA ACL "%(value)s"') + + + at register() +class caacl_mod(LDAPUpdate): + __doc__ = _('Modify a CA ACL.') + + msg_summary = _('Modified CA ACL "%(value)s"') + + def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + assert isinstance(dn, DN) + try: + entry_attrs = ldap.get_entry(dn, attrs_list) + dn = entry_attrs.dn + except errors.NotFound: + self.obj.handle_not_found(*keys) + + # Commented until subca plugin arrives + #if is_all(options, 'cacategory') and 'memberca' in entry_attrs: + # raise errors.MutuallyExclusiveError(reason=_( + # "CA category cannot be set to 'all' " + # "while there are allowed CAs")) + if is_all(options, 'profilecategory') and 'memberprofile' in entry_attrs: + 
raise errors.MutuallyExclusiveError(reason=_( + "profile category cannot be set to 'all' " + "while there are allowed profiles")) + if is_all(options, 'usercategory') and 'memberuser' in entry_attrs: + raise errors.MutuallyExclusiveError(reason=_( + "user category cannot be set to 'all' " + "while there are allowed users")) + if is_all(options, 'hostcategory') and 'memberhost' in entry_attrs: + raise errors.MutuallyExclusiveError(reason=_( + "host category cannot be set to 'all' " + "while there are allowed hosts")) + if is_all(options, 'servicecategory') and 'memberservice' in entry_attrs: + raise errors.MutuallyExclusiveError(reason=_( + "service category cannot be set to 'all' " + "while there are allowed services")) + return dn + + + at register() +class caacl_find(LDAPSearch): + __doc__ = _('Search for CA ACLs.') + + msg_summary = ngettext( + '%(count)d CA ACL matched', '%(count)d CA ACLs matched', 0 + ) + + + at register() +class caacl_show(LDAPRetrieve): + __doc__ = _('Display the properties of a CA ACL.') + + + at register() +class caacl_enable(LDAPQuery): + __doc__ = _('Enable a CA ACL.') + + msg_summary = _('Enabled CA ACL "%(value)s"') + has_output = output.standard_value + + def execute(self, cn, **options): + ldap = self.obj.backend + + dn = self.obj.get_dn(cn) + try: + entry_attrs = ldap.get_entry(dn, ['ipaenabledflag']) + except errors.NotFound: + self.obj.handle_not_found(cn) + + entry_attrs['ipaenabledflag'] = ['TRUE'] + + try: + ldap.update_entry(entry_attrs) + except errors.EmptyModlist: + pass + + return dict( + result=True, + value=pkey_to_value(cn, options), + ) + + + at register() +class caacl_disable(LDAPQuery): + __doc__ = _('Disable a CA ACL.') + + msg_summary = _('Disabled CA ACL "%(value)s"') + has_output = output.standard_value + + def execute(self, cn, **options): + ldap = self.obj.backend + + dn = self.obj.get_dn(cn) + try: + entry_attrs = ldap.get_entry(dn, ['ipaenabledflag']) + except errors.NotFound: + self.obj.handle_not_found(cn) 
+ + entry_attrs['ipaenabledflag'] = ['FALSE'] + + try: + ldap.update_entry(entry_attrs) + except errors.EmptyModlist: + pass + + return dict( + result=True, + value=pkey_to_value(cn, options), + ) + + + at register() +class caacl_add_user(LDAPAddMember): + __doc__ = _('Add users and groups to a CA ACL.') + + member_attributes = ['memberuser'] + member_count_out = ( + _('%i user or group added.'), + _('%i users or groups added.')) + + def pre_callback(self, ldap, dn, found, not_found, *keys, **options): + assert isinstance(dn, DN) + try: + entry_attrs = ldap.get_entry(dn, self.obj.default_attributes) + dn = entry_attrs.dn + except errors.NotFound: + self.obj.handle_not_found(*keys) + if is_all(entry_attrs, 'usercategory'): + raise errors.MutuallyExclusiveError( + reason=_("users cannot be added when user category='all'")) + return dn + + + at register() +class caacl_remove_user(LDAPRemoveMember): + __doc__ = _('Remove users and groups from a CA ACL.') + + member_attributes = ['memberuser'] + member_count_out = ( + _('%i user or group removed.'), + _('%i users or groups removed.')) + + + at register() +class caacl_add_host(LDAPAddMember): + __doc__ = _('Add target hosts and hostgroups to a CA ACL.') + + member_attributes = ['memberhost'] + member_count_out = ( + _('%i host or hostgroup added.'), + _('%i hosts or hostgroups added.')) + + def pre_callback(self, ldap, dn, found, not_found, *keys, **options): + assert isinstance(dn, DN) + try: + entry_attrs = ldap.get_entry(dn, self.obj.default_attributes) + dn = entry_attrs.dn + except errors.NotFound: + self.obj.handle_not_found(*keys) + if is_all(entry_attrs, 'hostcategory'): + raise errors.MutuallyExclusiveError( + reason=_("hosts cannot be added when host category='all'")) + return dn + + + at register() +class caacl_remove_host(LDAPRemoveMember): + __doc__ = _('Remove target hosts and hostgroups from a CA ACL.') + + member_attributes = ['memberhost'] + member_count_out = ( + _('%i host or hostgroup removed.'), + 
_('%i hosts or hostgroups removed.')) + + + at register() +class caacl_add_service(LDAPAddMember): + __doc__ = _('Add services to a CA ACL.') + + member_attributes = ['memberservice'] + member_count_out = (_('%i service added.'), _('%i services added.')) + + def pre_callback(self, ldap, dn, found, not_found, *keys, **options): + assert isinstance(dn, DN) + try: + entry_attrs = ldap.get_entry(dn, self.obj.default_attributes) + dn = entry_attrs.dn + except errors.NotFound: + self.obj.handle_not_found(*keys) + if is_all(entry_attrs, 'servicecategory'): + raise errors.MutuallyExclusiveError(reason=_( + "services cannot be added when service category='all'")) + return dn + + + at register() +class caacl_remove_service(LDAPRemoveMember): + __doc__ = _('Remove services from a CA ACL.') + + member_attributes = ['memberservice'] + member_count_out = (_('%i service removed.'), _('%i services removed.')) + + +caacl_output_params = global_output_params + ( + Str('memberprofile', + label=_('Failed profiles'), + ), + # Commented until caacl plugin arrives + #Str('memberca', + # label=_('Failed CAs'), + #), +) + + + at register() +class caacl_add_profile(LDAPAddMember): + __doc__ = _('Add profiles to a CA ACL.') + + has_output_params = caacl_output_params + + member_attributes = ['memberprofile'] + member_count_out = (_('%i profile added.'), _('%i profiles added.')) + + def pre_callback(self, ldap, dn, found, not_found, *keys, **options): + assert isinstance(dn, DN) + try: + entry_attrs = ldap.get_entry(dn, self.obj.default_attributes) + dn = entry_attrs.dn + except errors.NotFound: + self.obj.handle_not_found(*keys) + if is_all(entry_attrs, 'profilecategory'): + raise errors.MutuallyExclusiveError(reason=_( + "profiles cannot be added when profile category='all'")) + return dn + + + at register() +class caacl_remove_profile(LDAPRemoveMember): + __doc__ = _('Remove profiles from a CA ACL.') + + has_output_params = caacl_output_params + + member_attributes = ['memberprofile'] + 
member_count_out = (_('%i profile removed.'), _('%i profiles removed.')) diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 2acab13f247ed18a750f0e1cbbd98f4e63718c03..9f24189b6e442e0c55d5de41d15a03f89ecc9578 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -307,6 +307,7 @@ class DsInstance(service.Service): self.step("adding range check plugin", self.__add_range_check_plugin) if hbac_allow: self.step("creating default HBAC rule allow_all", self.add_hbac) + self.step("creating default CA ACL rule", self.add_caacl) self.step("adding entries for topology management", self.__add_topology_entries) self.__common_post_setup() @@ -741,6 +742,9 @@ class DsInstance(service.Service): def add_hbac(self): self._ldap_mod("default-hbac.ldif", self.sub_dict) + def add_caacl(self): + self._ldap_mod("default-caacl.ldif", self.sub_dict) + def change_admin_password(self, password): root_logger.debug("Changing admin password") dirname = config_dirname(self.serverid) -- 2.1.0 -------------- next part -------------- From 3cf0f31fab9004fd1f16f8fdefa415d0d7aba0ad Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 26 May 2015 04:44:20 -0400 Subject: [PATCH 13/13] Enforce CA ACLs in cert-request command This commit adds CA ACL enforcement to the cert-request command and uses the pyhbac machinery. It is planned to implement ACL enforcement in Dogtag in a future release, and remove certificate issuance privileges and CA ACL enforcement responsibility from the framework. See https://fedorahosted.org/freeipa/ticket/5011 for more information. Part of: https://fedorahosted.org/freeipa/ticket/57 Part of: https://fedorahosted.org/freeipa/ticket/4559 --- ipalib/plugins/caacl.py | 75 +++++++++++++++++++++++++++++++++++++++++++++++++ ipalib/plugins/cert.py | 17 +++++++++++ 2 files changed, 92 insertions(+) 
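Review bot: the third EXAMPLES entry in the caacl.py module docstring never creates the ACL it then populates. "ipa caacl-add-profile alice_dnp3 --certprofiles DNP3" and "ipa caacl-add-user alice_dnp3 --user=alice" both act on an ACL named alice_dnp3 that no preceding command has added, so someone following the example gets a not-found error; insert "ipa caacl-add alice_dnp3" before them, as the first example does for "test". Two smaller points in the same hunk: the placeholder above the commented-out memberca output param reads "Commented until caacl plugin arrives" while every other placeholder says "subca plugin", and caacl_enable and caacl_disable are the same get_entry/update_entry/EmptyModlist sequence differing only in 'TRUE' versus 'FALSE', which would read better as one helper parameterised on the flag value.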
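Review bot: the new step "creating default CA ACL rule" only runs from DsInstance setup, i.e. on a fresh install, and the 41-caacl.update file in this same patch creates the cn=caacls,cn=ca container on upgrade without putting any rule in it. An upgraded server therefore ends up with an empty container; once cert-request enforces CA ACLs (patch 13 of this series), every certificate request on such a server is refused until an administrator adds a rule by hand. Either ship the default rule through an update file as well, or add an upgrade step that adds it exactly once when the container holds no ACLs and records that it has done so, so the rule is not recreated after an administrator deliberately removes it.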
diff --git a/ipalib/plugins/caacl.py b/ipalib/plugins/caacl.py index c589e07b9b211d34239294baeddeee54178c68e6..520b506a36474cfb2e29e571fb2c289799c947f6 100644 --- a/ipalib/plugins/caacl.py +++ b/ipalib/plugins/caacl.py @@ -2,6 +2,8 @@ # Copyright (C) 2015 FreeIPA Contributors see COPYING for license # +import pyhbac + from ipalib import api, errors, output from ipalib import Bool, Str, StrEnum from ipalib.plugable import Registry @@ -10,6 +12,7 @@ from ipalib.plugins.baseldap import ( LDAPUpdate, LDAPRetrieve, LDAPAddMember, LDAPRemoveMember, global_output_params, pkey_to_value) from ipalib.plugins.hbacrule import is_all +from ipalib.plugins.service import normalize_principal, split_any_principal from ipalib import _, ngettext from ipapython.dn import DN 
@@ -50,6 +53,78 @@ EXAMPLES: register = Registry() +def _acl_make_request(principal_type, principal, ca_ref, profile_id): + """Construct HBAC request for the given principal, CA and profile""" + req = pyhbac.HbacRequest() + req.targethost.name = ca_ref + req.service.name = profile_id + if principal_type == 'user': + req.user.name = principal + elif principal_type == 'host': + req.user.name = principal[:5] # strip 'host/' + elif principal_type == 'service': + req.user.name = normalize_principal(principal) + groups = [] + if principal_type == 'user': + user_obj = api.Command.user_show(principal)['result'] + groups = user_obj.get('memberof_group', []) + groups += user_obj.get('memberofindirect_group', []) + elif principal_type == 'host': + service, hostname, realm = split_any_principal(principal) + host_obj = api.Command.host_show(hostname)['result'] + groups = host_obj.get('memberof_hostgroup', []) + groups += host_obj.get('memberofindirect_hostgroup', []) + req.user.groups = sorted(set(groups)) + return req + + +def _acl_make_rule(principal_type, obj): + """Turn CA ACL object into HBAC rule. 
+ + ``principal_type`` + String in {'user', 'host', 'service'} + """ + rule = pyhbac.HbacRule(obj['cn'][0]) + rule.enabled = obj['ipaenabledflag'][0] + rule.srchosts.category = {pyhbac.HBAC_CATEGORY_ALL} + + # add CA(s) + # Hardcoded until caacl plugin arrives + rule.targethosts.category = {pyhbac.HBAC_CATEGORY_ALL} + #if 'cacategory' in obj and obj['cacategory'][0].lower() == 'all': + # rule.targethosts.category = {pyhbac.HBAC_CATEGORY_ALL} + #else: + # rule.targethosts.names = obj.get('ipacaaclcaref', []) + + # add profiles + if 'profilecategory' in obj and obj['profilecategory'][0].lower() == 'all': + rule.services.category = {pyhbac.HBAC_CATEGORY_ALL} + else: + attr = 'memberprofile_certprofile' + rule.services.names = obj.get(attr, []) + + # add principals and principal's groups + m = {'user': 'group', 'host': 'hostgroup', 'service': None} + category_attr = '{}category'.format(principal_type) + if category_attr in obj and obj[category_attr][0].lower() == 'all': + rule.users.category = {pyhbac.HBAC_CATEGORY_ALL} + else: + principal_attr = 'member{}_{}'.format(principal_type, principal_type) + rule.users.names = obj.get(principal_attr, []) + if m[principal_type] is not None: + group_attr = 'member{}_{}'.format(principal_type, m[principal_type]) + rule.users.groups = obj.get(group_attr, []) + + return rule + + +def acl_evaluate(principal_type, principal, ca_ref, profile_id): + req = _acl_make_request(principal_type, principal, ca_ref, profile_id) + acls = api.Command.caacl_find()['result'] + rules = [_acl_make_rule(principal_type, obj) for obj in acls] + return req.evaluate(rules) == pyhbac.HBAC_EVAL_ALLOW + + @register() class caacl(LDAPObject): """ diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py index d122900175db41ba5af429fd47af6cac6533cb6f..1878e5ad5f80fa93e1a77b0a88711c1da0016681 100644 --- a/ipalib/plugins/cert.py +++ b/ipalib/plugins/cert.py 
@@ -33,6 +33,7 @@ from ipalib.plugins.virtual import * from ipalib.plugins.baseldap import pkey_to_value from ipalib.plugins.service import split_any_principal from ipalib.plugins.certprofile import validate_profile_id +import ipalib.plugins.caacl import base64 import traceback from ipalib.text import _ @@ -326,6 +327,22 @@ class cert_request(VirtualCommand): else: principal_type = SERVICE + principal_type_map = {USER: 'user', HOST: 'host', SERVICE: 'service'} + ca = '.' # top-level CA hardcoded until subca plugin implemented + if not ipalib.plugins.caacl.acl_evaluate( + principal_type_map[principal_type], + principal_string, ca, profile_id): + raise errors.ACIError(info=_( + "Principal '%(principal)s' " + "is not permitted to use CA '%(ca)s' " + "with profile '%(profile_id)s' for certificate issuance." + ) % dict( + principal=principal_string, + ca=ca or '.', + profile_id=profile_id + ) + ) + bind_principal = split_any_principal(getattr(context, 'principal')) bind_service, bind_name, bind_realm = bind_principal -- 2.1.0 From ftweedal at redhat.com Tue Jun 9 07:07:46 2015 
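Review bot: in _acl_make_request the host branch sets "req.user.name = principal[:5]  # strip 'host/'", but a [:5] slice keeps the first five characters, i.e. the literal "host/" prefix, and discards the hostname. The request user name can therefore never equal a value in memberhost_host, so a rule that lists individual hosts never matches them (rules with hostcategory=all or with hostgroup members still work, which would hide the bug in testing). The fix is already a few lines down: "service, hostname, realm = split_any_principal(principal)" is computed for the hostgroup lookup, so move that call up and use hostname for req.user.name (or at minimum use principal[5:]). A docstring line on acl_evaluate saying it is fail-closed would also help: req.evaluate returning anything other than HBAC_EVAL_ALLOW, including when no enabled rule matches at all, yields False.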
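Review bot: "import ipalib.plugins.caacl" sits in a block of "from ipalib.plugins.X import Y" lines and forces the fully qualified ipalib.plugins.caacl.acl_evaluate(...) call further down. Unless this is deliberately breaking an import cycle, "from ipalib.plugins.caacl import acl_evaluate" would match the surrounding style; if it is a cycle, a one-line comment saying so saves the next reader the question.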
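Review bot: "ca = '.'" is assigned unconditionally just above the check, so the "ca=ca or '.'" in the error's formatting dict can never take the fallback; write "ca=ca". The message also shows the placeholder CA name '.' to end users ("is not permitted to use CA '.'"), which means nothing until sub-CAs exist; consider leaving the CA out of the text until the subca plugin lands, or naming it "the IPA CA". The placement is right: the ACL is evaluated against the subject principal_string before the bind_principal handling that follows, so a caller who may request certificates on behalf of others still cannot obtain a profile the ACLs do not grant to the subject.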
From: ftweedal at redhat.com (Fraser Tweedale) Date: Tue, 9 Jun 2015 17:07:46 +1000 Subject: [Freeipa-devel] [PATCHES 00012-0013 v7] Profiles and CA ACLs In-Reply-To: <55705981.2040105@redhat.com> References: <20150601071058.GI23523@dhcp-40-8.bne.redhat.com> <20150601072228.GJ23523@dhcp-40-8.bne.redhat.com> <20150602121127.GU23523@dhcp-40-8.bne.redhat.com> <556DDBD6.70007@redhat.com> <20150603141717.GZ23523@dhcp-40-8.bne.redhat.com> <556F3009.1090503@redhat.com> <20150604065944.GB23523@dhcp-40-8.bne.redhat.com> <55705542.4000002@redhat.com> <5570573B.2010408@redhat.com> <55705981.2040105@redhat.com> Message-ID: <20150609070746.GM23523@dhcp-40-8.bne.redhat.com> On Thu, Jun 04, 2015 at 03:58:25PM +0200, Martin Basti wrote: > On 04/06/15 15:48, Martin Kosek wrote: > >On 06/04/2015 03:40 PM, Martin Basti wrote: > >>On 04/06/15 08:59, Fraser Tweedale wrote: > >>>On Wed, Jun 03, 2015 at 06:49:13PM +0200, Martin Basti wrote: > >>>>On 03/06/15 16:17, Fraser Tweedale wrote: > >>>>>On Tue, Jun 02, 2015 at 06:37:42PM +0200, Martin Basti wrote: > >>>>>>On 02/06/15 14:11, Fraser Tweedale wrote: > >>>>>>>On Mon, Jun 01, 2015 at 05:22:28PM +1000, Fraser Tweedale wrote: > >>>>>>>>On Mon, Jun 01, 2015 at 05:10:58PM +1000, Fraser Tweedale wrote: > >>>>>>>>>On Fri, May 29, 2015 at 01:03:46PM +0200, Martin Kosek wrote: > >>>>>>>>>>On 05/29/2015 11:21 AM, Martin Basti wrote: > >>>>>>>>>>>On 29/05/15 06:17, Fraser Tweedale wrote: > >>>>>>>>>>>>On Thu, May 28, 2015 at 02:42:53PM +0200, Martin Basti wrote: > >>>>>>>>>>>>>On 28/05/15 11:48, Martin Basti wrote: > >>>>>>>>>>>>>>On 27/05/15 16:04, Fraser Tweedale wrote: > >>>>>>>>>>>>>>>Hello all, > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>Fresh certificate management patchset; Changelog: > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>- Now depends on patch freeipa-ftweedal-0014 for correct > >>>>>>>>>>>>>>>cert-request behaviour with host and service principals. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>- Updated Dogtag dependency to 10.2.4-1. 
Should be in > >>>>>>>>>>>>>>>f22 soon, but for f22 right now or for f21, please grab from my > >>>>>>>>>>>>>>>copr: https://copr.fedoraproject.org/coprs/ftweedal/freeipa/ > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Martin^1 could you please add to the quasi-official freeipa > >>>>>>>>>>>>>>> copr? SRPM lives at > >>>>>>>>>>>>>>> https://frase.id.au/pki-core-10.2.4-1.fc21.src.rpm. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>- cert-request now verifies that for user principals, CSR CN > >>>>>>>>>>>>>>>matches uid, and DN emailAddress and SAN rfc822Name match the user's > >>>>>>>>>>>>>>>email address, if either of those is present. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>- Fixed one or two other sneaky little bugs. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>On Wed, May 27, 2015 at 01:59:30AM +1000, Fraser Tweedale wrote: > >>>>>>>>>>>>>>>>Hi all, > >>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>Please find attached the latest certificate management > >>>>>>>>>>>>>>>>patchset, which introduces the `caacl' plugin and various fixes > >>>>>>>>>>>>>>>>and improvements to earlier patches. > >>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>One important change to earlier patches is reverting the name > >>>>>>>>>>>>>>>>of the default profile to 'caIPAserviceCert' and using the > >>>>>>>>>>>>>>>>existing instance of this profile on upgrade (but not install) > >>>>>>>>>>>>>>>>in case it has been modified. > >>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>Other notes: > >>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>- Still have changes in ipa-server-install (fewer lines now, > >>>>>>>>>>>>>>>>though) > >>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>- Still have the ugly import hack. It is not a high priority > >>>>>>>>>>>>>>>>for me, i.e. I think it should wait until after alpha > >>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>- Still need to update 'service' and 'host' plugins to support > >>>>>>>>>>>>>>>>multiple certificates.
(The userCertificate attribute schema > >>>>>>>>>>>>>>>>itself is multi-valued, so there are no schema issues here) > >>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>- The TODOs in [1]; mostly certprofile CLI conveniences and > >>>>>>>>>>>>>>>>supporting multiple profiles for hosts and services (which > >>>>>>>>>>>>>>>>requires changes to framework only, not schema). [1]: > >>>>>>>>>>>>>>>>http://idm.etherpad.corp.redhat.com/rhel72-cert-mgmt-progress > >>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>Happy reviewing! I am pleased with the initial cut of the > >>>>>>>>>>>>>>>>caacl plugin but I'm sure you will find some things to be fixed > >>>>>>>>>>>>>>>>:) > >>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>Cheers, Fraser > >>>>>>>>>>>>>>[root at vm-093 ~]# ipa-replica-prepare vm-094.example.com > >>>>>>>>>>>>>>--ip-address 10.34.78.94 Directory Manager (existing master) > >>>>>>>>>>>>>>password: > >>>>>>>>>>>>>> > >>>>>>>>>>>>>>Preparing replica for vm-094.example.com from vm-093.example.com > >>>>>>>>>>>>>>Creating SSL certificate for the Directory Server not well-formed > >>>>>>>>>>>>>>(invalid token): line 2, column 14 > >>>>>>>>>>>>>> > >>>>>>>>>>>>>>I cannot create the replica file. It works on the upgraded server, > >>>>>>>>>>>>>>but it doesn't work on the newly installed server. I'm not sure > >>>>>>>>>>>>>>if this is caused by your patches which modify the ca-installer, or > >>>>>>>>>>>>>>the newer version of dogtag. > >>>>>>>>>>>>>> > >>>>>>>>>>>>>>Or if there were any other changes in master, I will continue to > >>>>>>>>>>>>>>investigate with a new RPM from the master branch. > >>>>>>>>>>>>>> > >>>>>>>>>>>>>>Martin^2 > >>>>>>>>>>>>>> > >>>>>>>>>>>>>ipa-replica-prepare works for: * master branch * master branch + > >>>>>>>>>>>>>pki-ca 10.2.4-1 > >>>>>>>>>>>>> > >>>>>>>>>>>>>So something in your patches is breaking it > >>>>>>>>>>>>> > >>>>>>>>>>>>>Martin^2 > >>>>>>>>>>>>> > >>>>>>>>>>>>Martin, master + my patches with pki 10.2.4-1 is working for me on > >>>>>>>>>>>>f21 and f22.
Can you provide ipa-replica-prepare --debug output and > >>>>>>>>>>>>Dogtag debug log? ( /var/log/pki/pki-tomcat/ca/debug ) > >>>>>>>>>>>> > >>>>>>>>>>>>Thanks, > >>>>>>>>>>>>Fraser > >>>>>>>>>>>I can not reproduce it today. And I already recycled the VMs from > >>>>>>>>>>>yesterday. :-( > >>>>>>>>>>> > >>>>>>>>>>In that case I would suggest ACKing&pushing the patch and fixing the > >>>>>>>>>>bug if > >>>>>>>>>>it comes again. The tree may now be a bit unstable, given the number of > >>>>>>>>>>patches going in. > >>>>>>>>>> > >>>>>>>>>>My main motivation here is to unblock Fraser. > >>>>>>>>>> > >>>>>>>>>>Thanks, > >>>>>>>>>>Martin > >>>>>>>>>Rebased patchset attached; no other changes. > >>>>>>>>Heads up: I just discovered I have introduced a bug with > >>>>>>>>ipa-replica-install, when it is spawning the CA instance. I think > >>>>>>>>replication it only causes issues with ``--setup-ca``. > >>>>>>>> > >>>>>>>>I will try and sort it out tomorrow or later tonight (I have to head > >>>>>>>>out for a few hours now, though); and I'm not suggesting it should > >>>>>>>>block the push but it's something to be aware of. > >>>>>>>> > >>>>>>>>Cheers, > >>>>>>>>Fraser > >>>>>>>> > >>>>>>>New patchset attached ; haven't gotten to the bottom of the > >>>>>>>ipa-replica-install issue mentioned above, but it fixes an upgrade > >>>>>>>bug. > >>>>>>> > >>>>>>>The change is: > >>>>>>> > >>>>>>>diff --git a/ipaserver/install/server/upgrade.py > >>>>>>>b/ipaserver/install/server/upgrade.py > >>>>>>>index c288282..c5f4d37 100644 > >>>>>>>--- a/ipaserver/install/server/upgrade.py > >>>>>>>+++ b/ipaserver/install/server/upgrade.py > >>>>>>>@@ -316,7 +316,7 @@ def ca_enable_ldap_profile_subsystem(ca): > >>>>>>> caconfig.CS_CFG_PATH, > >>>>>>> directive, > >>>>>>> separator='=') > >>>>>>>- if value == 'ProfileSubsystem': > >>>>>>>+ if value == 'com.netscape.cmscore.profile.ProfileSubsystem': > >>>>>>> needs_update = True > >>>>>>> break > >>>>>>> except OSError, e: 
> >>>>>>>@@ -328,7 +328,7 @@ def ca_enable_ldap_profile_subsystem(ca): > >>>>>>> installutils.set_directive( > >>>>>>> caconfig.CS_CFG_PATH, > >>>>>>> directive, > >>>>>>>- 'LDAPProfileSubsystem', > >>>>>>>+ 'com.netscape.cmscore.profile.LDAPProfileSubsystem', > >>>>>>> quotes=False, > >>>>>>> separator='=') > >>>>>>> > >>>>>>>Cheers, > >>>>>>>Fraser > >>>>>>> > >>>>>>> > >>>>>>Thank you, > >>>>>> > >>>>>>1) > >>>>>>ipa-getcert request (getcert -c IPA) > >>>>>>doesn't work, > >>>>>> > >>>>>>Request ID '20150602145845': > >>>>>> status: CA_REJECTED > >>>>>> ca-error: Server at https://vm-137.example.com/ipa/xml denied our > >>>>>>request, giving up: 3007 (RPC failed at server. 'profile_id' is required). > >>>>>> > >>>>>>2) > >>>>>>Error from rpm install > >>>>>>Unexpected error - see /var/log/ipaupgrade.log for details: > >>>>>>SkipPluginModule: dogtag not selected as RA plugin > >>>>>> > >>>>>>Just for the record as a known issue, this will be fixed later in a new patch. > >>>>>> > >>>>>>3) > >>>>>>+ Str('profile_id', validate_profile_id, > >>>>>>+ label=_("Profile ID"), > >>>>>>+ doc=_("Certificate Profile to use"), > >>>>>>+ ) > >>>>>>Please mark this param as optional. ('profile_id?') > >>>>>>This will fix issue 1, but 1 will need an option to specify profile_id > >>>>>> > >>>>>>Also move the API-related change from patch 9 to patch 11 + increment VERSION > >>>>>> > >>>>>>4) > >>>>>>* Maybe I do everything wrong :) > >>>>>> > >>>>>> I'm not able to create a certificate stored in FILE, via ipa-getcert request. > >>>>>>I'm getting an error: > >>>>>>status: CA_UNREACHABLE > >>>>>> ca-error: Server at https://vm-137.example.com/ipa/xml failed request, > >>>>>>will retry: 4001 (RPC failed at server. vm-137.example.com at example.com: host > >>>>>>not found). > >>>>>> > >>>>>>or error: > >>>>>>Request ID '20150602154115': > >>>>>> status: CA_REJECTED > >>>>>> ca-error: Server at https://vm-137.example.com/ipa/xml denied our > >>>>>>request, giving up: 2100 (RPC failed at server.
Insufficient access: not > >>>>>>allowed to perform this command). > >>>>>>(I'm root and kinited as admin) > >>>>>> > >>>>>>Maybe additional ACI is required for cert_request as it is VirtualCommand > >>>>>> > >>>>>> > >>>>>>-- > >>>>>>Martin Basti > >>>>>> > >>>>>Thanks for report. Attached patchset should fix the certmonger > >>>>>issues, and also makes cert-request --profile-id argument optional. > >>>>> > >>>>>The changes were fixup'd into the appropriate patches but the > >>>>>combined diff follows. (Note that the API.txt and VERSION changes > >>>>>you recommended were executed but are missing from this diff.) > >>>>> > >>>>>Thanks, > >>>>>Fraser > >>>>> > >>>>>diff --git a/ipalib/plugins/caacl.py b/ipalib/plugins/caacl.py > >>>>>index c09df86..a9dde86 100644 > >>>>>--- a/ipalib/plugins/caacl.py > >>>>>+++ b/ipalib/plugins/caacl.py > >>>>>@@ -12,7 +12,7 @@ from ipalib.plugins.baseldap import ( > >>>>> LDAPUpdate, LDAPRetrieve, LDAPAddMember, LDAPRemoveMember, > >>>>> pkey_to_value) > >>>>> from ipalib.plugins.certprofile import validate_profile_id > >>>>>-from ipalib.plugins.service import normalize_principal > >>>>>+from ipalib.plugins.service import normalize_principal, split_any_principal > >>>>> from ipalib import _, ngettext > >>>>> from ipapython.dn import DN > >>>>>@@ -69,7 +69,7 @@ def _acl_make_request(principal_type, principal, ca_ref, > >>>>>profile_id): > >>>>> groups = user_obj.get('memberof_group', []) > >>>>> groups += user_obj.get('memberofindirect_group', []) > >>>>> elif principal_type == 'host': > >>>>>- hostname = principal[5:] > >>>>>+ service, hostname, realm = split_any_principal(principal) > >>>>> host_obj = api.Command.host_show(hostname)['result'] > >>>>> groups = host_obj.get('memberof_hostgroup', []) > >>>>> groups += host_obj.get('memberofindirect_hostgroup', []) > >>>>>diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py > >>>>>index 70ae610..1878e5a 100644 > >>>>>--- a/ipalib/plugins/cert.py 
> >>>>>+++ b/ipalib/plugins/cert.py > >>>>>@@ -247,7 +247,7 @@ class cert_request(VirtualCommand): > >>>>> default=False, > >>>>> autofill=True > >>>>> ), > >>>>>- Str('profile_id', validate_profile_id, > >>>>>+ Str('profile_id?', validate_profile_id, > >>>>> label=_("Profile ID"), > >>>>> doc=_("Certificate Profile to use"), > >>>>> ) > >>>>>@@ -346,7 +346,14 @@ class cert_request(VirtualCommand): > >>>>> bind_principal = split_any_principal(getattr(context, 'principal')) > >>>>> bind_service, bind_name, bind_realm = bind_principal > >>>>>- if bind_principal != principal: > >>>>>+ if bind_service is None: > >>>>>+ bind_principal_type = USER > >>>>>+ elif bind_service == 'host': > >>>>>+ bind_principal_type = HOST > >>>>>+ else: > >>>>>+ bind_principal_type = SERVICE > >>>>>+ > >>>>>+ if bind_principal != principal and bind_principal_type != HOST: > >>>>> # Can the bound principal request certs for another principal? > >>>>> self.check_access() > >>>>>@@ -359,7 +366,7 @@ class cert_request(VirtualCommand): > >>>>> error=_("Failure decoding Certificate Signing Request: > >>>>>%s") % e) > >>>>> # host principals may bypass allowed ext check > >>>>>- if bind_service != 'host': > >>>>>+ if bind_principal_type != HOST: > >>>>> for ext in extensions: > >>>>> operation = self._allowed_extensions.get(ext) > >>>>> if operation: > >>>>>diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py > >>>>>index 659751e..53085f7 100644 > >>>>>--- a/ipapython/dogtag.py > >>>>>+++ b/ipapython/dogtag.py 
> >>>>>@@ -47,7 +47,7 @@ INCLUDED_PROFILES = { > >>>>> (u'caIPAserviceCert', u'Standard profile for network services', True), > >>>>> } > >>>>>-DEFAULT_PROFILE = 'caIPAserviceCert' > >>>>>+DEFAULT_PROFILE = u'caIPAserviceCert' > >>>>> class Dogtag10Constants(object): > >>>>> DOGTAG_VERSION = 10 > >>>>Should the user certificates behave in the same way as host and service > >>>>certificates, i.e. should they be revoked after a user-del or user-mod operation? > >>>>If yes, it would be an additional patch. > >>>> > >>>>Please move the API.txt fragment from patch 9 to patch 11 > >>>>With this change ACK for patches 1-11, to unblock testing. For patches 12-13 > >>>>I need more time. > >>>> > >>>>-- > >>>>Martin Basti > >>>> > >>>Updated patches attached. Only your requested change for 1-11. For > >>>12-13 (caacl plugin) it was updated to LDAPAddMember and > >>>LDAPRemoveMember functionality for adding profiles to an ACL - this has > >>>the desirable effect of making sure the profile actually exists :) > >>> > >>>Thanks, > >>>Fraser > >>Hello, > >> > >>The design page needs an update > >> > >>Please fix > >>1) > >>ngettext/ugettext missing? (several times) > >>('%i object added.', '%i objects added.') > >> > >>2) > >> --allprofiles=BOOL Allow use of all profiles > >> --allusers=BOOL Allow all users > >> --allhosts=BOOL Allow all hosts > >> --allservices=BOOL Allow all services > >> > >>Other commands use separate words with '-'; I suggest using > >>--all-profiles=True, etc. > >For these, should we follow the example in hbacrule or sudorule: > > > ># ipa hbacrule-mod --help > >Usage: ipa [global-options] hbacrule-mod NAME [options] > > > >Modify an HBAC rule. > >Options: > > -h, --help show this help message and exit > > --usercat=['all'] User category the rule applies to > > --hostcat=['all'] Host category the rule applies to > > --servicecat=['all'] Service category the rule applies to > > > >i.e.
what I think Martin describes in 4)
> >
> >>3)
> >>In the following example, there is a missing ACL name:
> >>+ ipa caacl-add-user --user=alice
> >>
> >>4)
> >>attributes 'ipaCaAclAllCAs', 'ipaCaAclAllProfiles', 'ipaCaAclAllUsers',
> >>'ipaCaAclAllHosts', 'ipaCaAclAllServices' should be called ipaCaAclCAsCategory,
> >>etc... to be consistent, please reuse usercategory, hostcategory, etc. and
> >>create new category attribute definitions for the rest.
> >>Please read sudorule.py for details.
> >>Respectively, instead of BOOLEAN True, the value 'all' should be there. This allows
> >>extending it in future.
> >>
> >>5)
> >>Missing referint plugin configuration for attribute 'ipacaaclmembercertprofile'
> >>Please add it into install/updates/25-referint.update (+ other member
> >>attributes if missing)
> >>
> >>6)
> >>ACI:
> >>'memberhostgroup' is neither a virtual nor a real attribute, please remove it from
> >>there (Honza told me there is an error in the HBAC ipa plugin, I will send a fix)
> >>
> 7)
> Missing upgrade?
>
> + self.step("creating default CA ACL rule", self.add_caacl)
>
> This was added to dsinstance, but I cannot find it in upgrade.
>
What heuristic should we use? We only ever want to add it on the
first upgrade. Is it appropriate to do something like this:

    if sysupgrade.get_upgrade_state(...):
        return

    acls = search_caacls_in_ldap()
    if not acls:
        add_default_acl()

    sysupgrade.set_upgrade_state(..., True)

This will only ever try to add the default ACL once, and it will
only actually add it if there are no caacl objects.

Next problem - I tried to implement the above but always had LDAP
connection problems. What is the sure-fire way to talk to LDAP
during the upgrade process?

Cheers,
Fraser

From pspacek at redhat.com Tue Jun 9 08:30:18 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 09 Jun 2015 10:30:18 +0200
Subject: [Freeipa-devel] DNA range distribution to replicas by default
Message-ID: <5576A41A.4020604@redhat.com>

Hello,

I would like to discuss
https://bugzilla.redhat.com/show_bug.cgi?id=1211366
"Error creating a user when jumping from an original server to replica".

Currently the DNA ranges are distributed from master to other replicas on
first attempt to get a number from particular range.

This works well as long as the original master is reachable but fails
miserably when the master is not reachable for any reason.

It is apparently confusing to users [1][2] because it is counter-intuitive.
They have created a replica to be sure that everything will work when the
first server is down, right?

Remediation is technically simple [3] (just assign a range to the new replica)
but it is confusing to the users, error-prone, and personally I feel that this
is an unnecessary obstacle.

It seems to me that the original motivation for this behavior was that the
masters were not able to request range back from other replicas when a local
range was depleted.

This deficiency is tracked as
https://bugzilla.redhat.com/show_bug.cgi?id=1029640 and it is slated for fix
in 4.2.x time frame.

Can we distribute ranges to the replicas during ipa-replica-install when we
fix bug 1029640?

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1211366#c0
[2] https://www.redhat.com/archives/freeipa-users/2015-May/msg00515.html
[3] http://blog-rcritten.rhcloud.com/?p=50

--
Petr^2 Spacek

From mbasti at redhat.com Tue Jun 9 10:28:59 2015
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 09 Jun 2015 12:28:59 +0200
Subject: [Freeipa-devel] [PATCHES 00012-0013 v7] Profiles and CA ACLs
In-Reply-To: <20150609070746.GM23523@dhcp-40-8.bne.redhat.com>
References: <20150601071058.GI23523@dhcp-40-8.bne.redhat.com> <20150601072228.GJ23523@dhcp-40-8.bne.redhat.com> <20150602121127.GU23523@dhcp-40-8.bne.redhat.com> <556DDBD6.70007@redhat.com> <20150603141717.GZ23523@dhcp-40-8.bne.redhat.com> <556F3009.1090503@redhat.com> <20150604065944.GB23523@dhcp-40-8.bne.redhat.com> <55705542.4000002@redhat.com> <5570573B.2010408@redhat.com> <55705981.2040105@redhat.com> <20150609070746.GM23523@dhcp-40-8.bne.redhat.com>
Message-ID: <5576BFEB.10503@redhat.com>

On 09/06/15 09:07, Fraser Tweedale wrote:
> On Thu, Jun 04, 2015 at 03:58:25PM +0200, Martin Basti wrote:
>> On 04/06/15 15:48, Martin Kosek wrote:
>>> On 06/04/2015 03:40 PM, Martin Basti wrote:
>>>> On 04/06/15 08:59, Fraser Tweedale wrote:
>>>>> On Wed, Jun 03, 2015 at 06:49:13PM +0200, Martin Basti wrote:
>>>>>> On 03/06/15 16:17, Fraser Tweedale wrote:
>>>>>>> On Tue, Jun 02, 2015 at 06:37:42PM +0200, Martin Basti wrote:
>>>>>>>> On 02/06/15 14:11, Fraser Tweedale wrote:
>>>>>>>>> On Mon, Jun 01, 2015 at 05:22:28PM +1000, Fraser Tweedale wrote:
>>>>>>>>>> On Mon, Jun 01, 2015 at 05:10:58PM +1000, Fraser Tweedale wrote:
>>>>>>>>>>> On Fri, May 29, 2015 at 01:03:46PM +0200, Martin Kosek wrote:
>>>>>>>>>>>> On 05/29/2015 11:21 AM, Martin Basti wrote:
>>>>>>>>>>>>> On 29/05/15 06:17, Fraser Tweedale wrote:
>>>>>>>>>>>>>> On Thu, May 28, 2015 at 02:42:53PM +0200, Martin Basti wrote:
>>>>>>>>>>>>>>> On 28/05/15 11:48, Martin Basti wrote:
>>>>>>>>>>>>>>>> On 27/05/15 16:04, Fraser Tweedale wrote:
>>>>>>>>>>>>>>>>> Hello all,
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Fresh certificate management patchset; Changelog:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> - Now depends on patch freeipa-ftweedal-0014 for correct
>>>>>>>>>>>>>>>>> cert-request behaviour with host and service
principals.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> - Updated Dogtag dependency to 10.2.4-1. Should be in
>>>>>>>>>>>>>>>>> f22 soon, but for f22 right now or for f21, please grab from my
>>>>>>>>>>>>>>>>> copr: https://copr.fedoraproject.org/coprs/ftweedal/freeipa/
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Martin^1 could you please add to the quasi-official freeipa
>>>>>>>>>>>>>>>>> copr? SRPM lives at
>>>>>>>>>>>>>>>>> https://frase.id.au/pki-core-10.2.4-1.fc21.src.rpm.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> - cert-request now verifies that for user principals, CSR CN
>>>>>>>>>>>>>>>>> matches uid and, DN emailAddress and SAN rfc822Name match user's
>>>>>>>>>>>>>>>>> email address, if either of those is present.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> - Fixed one or two other sneaky little bugs.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On Wed, May 27, 2015 at 01:59:30AM +1000, Fraser Tweedale wrote:
>>>>>>>>>>>>>>>>>> Hi all,
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Please find attached the latest certificate management
>>>>>>>>>>>>>>>>>> patchset, which introduces the `caacl' plugin and various fixes
>>>>>>>>>>>>>>>>>> and improvements to earlier patches.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> One important change to earlier patches is reverting the name
>>>>>>>>>>>>>>>>>> of the default profile to 'caIPAserviceCert' and using the
>>>>>>>>>>>>>>>>>> existing instance of this profile on upgrade (but not install)
>>>>>>>>>>>>>>>>>> in case it has been modified.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Other notes:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> - Still have changes in ipa-server-install (fewer lines now,
>>>>>>>>>>>>>>>>>> though)
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> - Still have the ugly import hack. It is not a high priority
>>>>>>>>>>>>>>>>>> for me, i.e. I think it should wait until after alpha
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> - Still need to update 'service' and 'host' plugins to support
>>>>>>>>>>>>>>>>>> multiple certificates.
(The userCertificate attribute schema
>>>>>>>>>>>>>>>>>> itself is multi-valued, so there are no schema issues here)
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> - The TODOs in [1]; mostly certprofile CLI conveniences and
>>>>>>>>>>>>>>>>>> supporting multiple profiles for hosts and services (which
>>>>>>>>>>>>>>>>>> requires changes to framework only, not schema). [1]:
>>>>>>>>>>>>>>>>>> http://idm.etherpad.corp.redhat.com/rhel72-cert-mgmt-progress
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Happy reviewing! I am pleased with the initial cut of the
>>>>>>>>>>>>>>>>>> caacl plugin but I'm sure you will find some things to be fixed
>>>>>>>>>>>>>>>>>> :)
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Cheers, Fraser
>>>>>>>>>>>>>>>> [root at vm-093 ~]# ipa-replica-prepare vm-094.example.com
>>>>>>>>>>>>>>>> --ip-address 10.34.78.94 Directory Manager (existing master)
>>>>>>>>>>>>>>>> password:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Preparing replica for vm-094.example.com from vm-093.example.com
>>>>>>>>>>>>>>>> Creating SSL certificate for the Directory Server not well-formed
>>>>>>>>>>>>>>>> (invalid token): line 2, column 14
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I cannot create the replica file. It works on the upgraded server,
>>>>>>>>>>>>>>>> but it doesn't work on the newly installed server. I'm not sure
>>>>>>>>>>>>>>>> if this is caused by your patches which modify the ca-installer, or
>>>>>>>>>>>>>>>> by the newer version of dogtag.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Or if there were any other changes in master, I will continue to
>>>>>>>>>>>>>>>> investigate with a new RPM from the master branch.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Martin^2
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ipa-replica-prepare works for:
>>>>>>>>>>>>>>> * master branch
>>>>>>>>>>>>>>> * master branch + pki-ca 10.2.4-1
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> So something in your patches is breaking it
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Martin^2
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Martin, master + my patches with pki 10.2.4-1 is working for me on
>>>>>>>>>>>>>> f21 and f22.
Can you provide ipa-replica-prepare --debug output and >>>>>>>>>>>>>> Dogtag debug log? ( /var/log/pki/pki-tomcat/ca/debug ) >>>>>>>>>>>>>> >>>>>>>>>>>>>> Thanks, >>>>>>>>>>>>>> Fraser >>>>>>>>>>>>> I can not reproduce it today. And I already recycled the VMs from >>>>>>>>>>>>> yesterday. :-( >>>>>>>>>>>>> >>>>>>>>>>>> In that case I would suggest ACKing&pushing the patch and fixing the >>>>>>>>>>>> bug if >>>>>>>>>>>> it comes again. The tree may now be a bit unstable, given the number of >>>>>>>>>>>> patches going in. >>>>>>>>>>>> >>>>>>>>>>>> My main motivation here is to unblock Fraser. >>>>>>>>>>>> >>>>>>>>>>>> Thanks, >>>>>>>>>>>> Martin >>>>>>>>>>> Rebased patchset attached; no other changes. >>>>>>>>>> Heads up: I just discovered I have introduced a bug with >>>>>>>>>> ipa-replica-install, when it is spawning the CA instance. I think >>>>>>>>>> replication it only causes issues with ``--setup-ca``. >>>>>>>>>> >>>>>>>>>> I will try and sort it out tomorrow or later tonight (I have to head >>>>>>>>>> out for a few hours now, though); and I'm not suggesting it should >>>>>>>>>> block the push but it's something to be aware of. >>>>>>>>>> >>>>>>>>>> Cheers, >>>>>>>>>> Fraser >>>>>>>>>> >>>>>>>>> New patchset attached ; haven't gotten to the bottom of the >>>>>>>>> ipa-replica-install issue mentioned above, but it fixes an upgrade >>>>>>>>> bug. >>>>>>>>> >>>>>>>>> The change is: >>>>>>>>> >>>>>>>>> diff --git a/ipaserver/install/server/upgrade.py >>>>>>>>> b/ipaserver/install/server/upgrade.py >>>>>>>>> index c288282..c5f4d37 100644 >>>>>>>>> --- a/ipaserver/install/server/upgrade.py >>>>>>>>> +++ b/ipaserver/install/server/upgrade.py 
>>>>>>>>> @@ -316,7 +316,7 @@ def ca_enable_ldap_profile_subsystem(ca): >>>>>>>>> caconfig.CS_CFG_PATH, >>>>>>>>> directive, >>>>>>>>> separator='=') >>>>>>>>> - if value == 'ProfileSubsystem': >>>>>>>>> + if value == 'com.netscape.cmscore.profile.ProfileSubsystem': >>>>>>>>> needs_update = True >>>>>>>>> break >>>>>>>>> except OSError, e: 
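Review bot: the replaced check `if value == 'ProfileSubsystem':` compared the directive against the bare class name, which evidently never matched what CS.cfg holds, since the fix switches to the fully qualified `'com.netscape.cmscore.profile.ProfileSubsystem'`; the correction is right, but this literal and the `'com.netscape.cmscore.profile.LDAPProfileSubsystem'` written by `set_directive` in the next hunk are the only two places that encode these class names, so two module-level constants would keep the comparison and the written value from drifting apart. While in this function, `except OSError, e:` is Python 2-only syntax; `except OSError as e:` is accepted by both Python 2 and 3.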
>>>>>>>>> @@ -328,7 +328,7 @@ def ca_enable_ldap_profile_subsystem(ca): >>>>>>>>> installutils.set_directive( >>>>>>>>> caconfig.CS_CFG_PATH, >>>>>>>>> directive, >>>>>>>>> - 'LDAPProfileSubsystem', >>>>>>>>> + 'com.netscape.cmscore.profile.LDAPProfileSubsystem', >>>>>>>>> quotes=False, >>>>>>>>> separator='=') >>>>>>>>> >>>>>>>>> Cheers, >>>>>>>>> Fraser >>>>>>>>> >>>>>>>>> >>>>>>>> Thank you, >>>>>>>> >>>>>>>> 1) >>>>>>>> ipa-getcert request (getcert -c IPA) >>>>>>>> doesnt work, >>>>>>>> >>>>>>>> Request ID '20150602145845': >>>>>>>> status: CA_REJECTED >>>>>>>> ca-error: Server at https://vm-137.example.com/ipa/xml denied our >>>>>>>> request, giving up: 3007 (RPC failed at server. 'profile_id' is required). >>>>>>>> >>>>>>>> 2) >>>>>>>> Error from rpm install >>>>>>>> Unexpected error - see /var/log/ipaupgrade.log for details: >>>>>>>> SkipPluginModule: dogtag not selected as RA plugin >>>>>>>> >>>>>>>> Just for record as known issue, this will be fixed later in a new patch. >>>>>>>> >>>>>>>> 3) >>>>>>>> + Str('profile_id', validate_profile_id, >>>>>>>> + label=_("Profile ID"), >>>>>>>> + doc=_("Certificate Profile to use"), >>>>>>>> + ) >>>>>>>> Please mark this param as optional. ('profile_id?') >>>>>>>> This will fix issue 1, but 1 will need a option to specify profile_id >>>>>>>> >>>>>>>> Also move API related change from patch 9 to patch 11 + increment VERSION >>>>>>>> >>>>>>>> 4) >>>>>>>> * Maybe I do everything wrong :) >>>>>>>> >>>>>>>> I'm not able to create certificate stored in FILE, via ipa-getcert request. >>>>>>>> I'm getting error: >>>>>>>> status: CA_UNREACHABLE >>>>>>>> ca-error: Server at https://vm-137.example.com/ipa/xml failed request, >>>>>>>> will retry: 4001 (RPC failed at server. vm-137.example.com at example.com: host >>>>>>>> not found). 
>>>>>>>> >>>>>>>> or error: >>>>>>>> Request ID '20150602154115': >>>>>>>> status: CA_REJECTED >>>>>>>> ca-error: Server at https://vm-137.example.com/ipa/xml denied our >>>>>>>> request, giving up: 2100 (RPC failed at server. Insufficient access: not >>>>>>>> allowed to perform this command). >>>>>>>> (I'm root and kinited as admin) >>>>>>>> >>>>>>>> Maybe additional ACI is required for cert_request as it is VirtualCommand >>>>>>>> >>>>>>>> >>>>>>>> -- >>>>>>>> Martin Basti >>>>>>>> >>>>>>> Thanks for report. Attached patchset should fix the certmonger >>>>>>> issues, and also makes cert-request --profile-id argument optional. >>>>>>> >>>>>>> The changes were fixup'd into the appropriate patches but the >>>>>>> combined diff follows. (Note that the API.txt and VERSION changes >>>>>>> you recommended were executed but are missing from this diff.) >>>>>>> >>>>>>> Thanks, >>>>>>> Fraser >>>>>>> >>>>>>> diff --git a/ipalib/plugins/caacl.py b/ipalib/plugins/caacl.py >>>>>>> index c09df86..a9dde86 100644 >>>>>>> --- a/ipalib/plugins/caacl.py >>>>>>> +++ b/ipalib/plugins/caacl.py >>>>>>> @@ -12,7 +12,7 @@ from ipalib.plugins.baseldap import ( >>>>>>> LDAPUpdate, LDAPRetrieve, LDAPAddMember, LDAPRemoveMember, >>>>>>> pkey_to_value) >>>>>>> from ipalib.plugins.certprofile import validate_profile_id >>>>>>> -from ipalib.plugins.service import normalize_principal >>>>>>> +from ipalib.plugins.service import normalize_principal, split_any_principal >>>>>>> from ipalib import _, ngettext >>>>>>> from ipapython.dn import DN 
>>>>>>> @@ -69,7 +69,7 @@ def _acl_make_request(principal_type, principal, ca_ref, >>>>>>> profile_id): >>>>>>> groups = user_obj.get('memberof_group', []) >>>>>>> groups += user_obj.get('memberofindirect_group', []) >>>>>>> elif principal_type == 'host': >>>>>>> - hostname = principal[5:] >>>>>>> + service, hostname, realm = split_any_principal(principal) >>>>>>> host_obj = api.Command.host_show(hostname)['result'] >>>>>>> groups = host_obj.get('memberof_hostgroup', []) >>>>>>> groups += host_obj.get('memberofindirect_hostgroup', []) >>>>>>> diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py >>>>>>> index 70ae610..1878e5a 100644 >>>>>>> --- a/ipalib/plugins/cert.py >>>>>>> +++ b/ipalib/plugins/cert.py >>>>>>> @@ -247,7 +247,7 @@ class cert_request(VirtualCommand): >>>>>>> default=False, >>>>>>> autofill=True >>>>>>> ), >>>>>>> - Str('profile_id', validate_profile_id, >>>>>>> + Str('profile_id?', validate_profile_id, >>>>>>> label=_("Profile ID"), >>>>>>> doc=_("Certificate Profile to use"), >>>>>>> ) >>>>>>> @@ -346,7 +346,14 @@ class cert_request(VirtualCommand): >>>>>>> bind_principal = split_any_principal(getattr(context, 'principal')) >>>>>>> bind_service, bind_name, bind_realm = bind_principal >>>>>>> - if bind_principal != principal: >>>>>>> + if bind_service is None: >>>>>>> + bind_principal_type = USER >>>>>>> + elif bind_service == 'host': >>>>>>> + bind_principal_type = HOST >>>>>>> + else: >>>>>>> + bind_principal_type = SERVICE >>>>>>> + >>>>>>> + if bind_principal != principal and bind_principal_type != HOST: >>>>>>> # Can the bound principal request certs for another principal? >>>>>>> self.check_access() 
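Review bot: in the `elif principal_type == 'host':` branch, `service, hostname, realm = split_any_principal(principal)` unpacks `service` and `realm` but uses neither, and the branch still assumes the service part is `host` without checking it. Suggest `service, hostname, _realm = split_any_principal(principal)` followed by rejecting the principal when `service != 'host'`, so a principal that is not actually a host principal cannot reach `api.Command.host_show(hostname)` with an unrelated name. Replacing the `principal[5:]` slice is otherwise an improvement, since the `host/` prefix length is no longer hard-coded.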
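Review bot: `Str('profile_id?', validate_profile_id, ...)` makes the parameter optional, which addresses the certmonger rejection `3007 (RPC failed at server. 'profile_id' is required)` quoted earlier in this thread, but `doc=_("Certificate Profile to use")` no longer tells a caller what is used when the option is omitted. Suggest stating the fallback in the doc string, e.g. `doc=_("Certificate Profile to use (defaults to the CA's default profile)")`, and applying the default server-side in cert_request rather than relying on each client; the `DEFAULT_PROFILE` change in ipapython/dogtag.py in the same diff looks like the intended source of that default.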
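Review bot: `if bind_principal != principal and bind_principal_type != HOST:` now skips `self.check_access()` for every host principal that requests a certificate for some other principal, whereas the replaced line `if bind_principal != principal:` sent every mismatch through the access check. That widens what an enrolled host's keytab may do, so the restriction has to be enforced elsewhere, and the CA ACL evaluation that would do so is not part of this hunk. Suggest either narrowing the bypass here to the case the comment `# Can the bound principal request certs for another principal?` is about, i.e. a service whose host component equals `bind_name` (already unpacked two lines above), or adding a comment naming the code path that limits which principals a host may request certificates for, so a later reader does not take this line as the whole authorization decision.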
>>>>>>> @@ -359,7 +366,7 @@ class cert_request(VirtualCommand): >>>>>>> error=_("Failure decoding Certificate Signing Request: >>>>>>> %s") % e) >>>>>>> # host principals may bypass allowed ext check >>>>>>> - if bind_service != 'host': >>>>>>> + if bind_principal_type != HOST: >>>>>>> for ext in extensions: >>>>>>> operation = self._allowed_extensions.get(ext) >>>>>>> if operation: >>>>>>> diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py >>>>>>> index 659751e..53085f7 100644 >>>>>>> --- a/ipapython/dogtag.py >>>>>>> +++ b/ipapython/dogtag.py 
>>>>>>> @@ -47,7 +47,7 @@ INCLUDED_PROFILES = { >>>>>>> (u'caIPAserviceCert', u'Standard profile for network services', True), >>>>>>> } >>>>>>> -DEFAULT_PROFILE = 'caIPAserviceCert' >>>>>>> +DEFAULT_PROFILE = u'caIPAserviceCert' >>>>>>> class Dogtag10Constants(object): >>>>>>> DOGTAG_VERSION = 10 >>>>>> Should the user certificates behave in the same way as host and service >>>>>> certificates, i.e should be revoked after user-del or user-mod operation?? >>>>>> If yes it would be an additional patch. >>>>>> >>>>>> Please move API.txt fragment from patch 9 to patch 11 >>>>>> With this change ACK for patches 1-11, to unblock testing. For patches 12-13 >>>>>> I need more time. >>>>>> >>>>>> -- >>>>>> Martin Basti >>>>>> >>>>> Updated patches attached. Only your requested change for 1-11. For >>>>> 12-13 (caacl plugin) it was updated to LDAPAddMember and >>>>> LDAPRemoveMember functionality for adding profiles to ACL - this has >>>>> the desirable effect of making sure the profile actually exists :) >>>>> >>>>> Thanks, >>>>> Fraser >>>> Hello, >>>> >>>> design page needs upgrade >>>> >>>> Please fix >>>> 1) >>>> ngettext/ugettext missing? (several times) >>>> ('%i object added.', '%i objects added.') >>>> >>>> 2) >>>> --allprofiles=BOOL Allow use of all profiles >>>> --allusers=BOOL Allow all users >>>> --allhosts=BOOL Allow all hosts >>>> --allservices=BOOL Allow all services >>>> >>>> Other commands use the separate words with '-', I suggest to use >>>> --all-profiles=True, etc.. >>> For these, should we follow the example in hbacrule or sudorule: >>> >>> # ipa hbacrule-mod --help >>> Usage: ipa [global-options] hbacrule-mod NAME [options] >>> >>> Modify an HBAC rule. >>> Options: >>> -h, --help show this help message and exit >>> --usercat=['all'] User category the rule applies to >>> --hostcat=['all'] Host category the rule applies to >>> --servicecat=['all'] Service category the rule applies to >>> >>> i.e. 
what I think Martin describes in 4)
>>>
>>>> 3)
>>>> In the following example, there is a missing ACL name:
>>>> + ipa caacl-add-user --user=alice
>>>>
>>>> 4)
>>>> attributes 'ipaCaAclAllCAs', 'ipaCaAclAllProfiles', 'ipaCaAclAllUsers',
>>>> 'ipaCaAclAllHosts', 'ipaCaAclAllServices' should be called ipaCaAclCAsCategory,
>>>> etc... to be consistent, please reuse usercategory, hostcategory, etc. and
>>>> create new category attribute definitions for the rest.
>>>> Please read sudorule.py for details.
>>>> Respectively, instead of BOOLEAN True, the value 'all' should be there. This allows
>>>> extending it in future.
>>>>
>>>> 5)
>>>> Missing referint plugin configuration for attribute 'ipacaaclmembercertprofile'
>>>> Please add it into install/updates/25-referint.update (+ other member
>>>> attributes if missing)
>>>>
>>>> 6)
>>>> ACI:
>>>> 'memberhostgroup' is neither a virtual nor a real attribute, please remove it from
>>>> there (Honza told me there is an error in the HBAC ipa plugin, I will send a fix)
>>>>
>> 7)
>> Missing upgrade?
>>
>> + self.step("creating default CA ACL rule", self.add_caacl)
>>
>> This was added to dsinstance, but I cannot find it in upgrade.
>>
> What heuristic should we use? We only ever want to add it on the
> first upgrade. Is it appropriate to do something like this:
>
>     if sysupgrade.get_upgrade_state(...):
>         return
>
>     acls = search_caacls_in_ldap()
>     if not acls:
>         add_default_acl()
>
>     sysupgrade.set_upgrade_state(..., True)
>
>
> This will only ever try to add the default ACL once, and it will
> only actually add it if there are no caacl objects.

IMO yes, looks good.

> Next problem - I tried to implement the above but always had LDAP
> connection problems. What is the sure-fire way to talk to LDAP
> during the upgrade process?

You can use the api.Backend.ldap2 connection, as is used in add_ca_dns_records.

>
> Cheers,
> Fraser

--
Martin Basti

From pspacek at redhat.com Tue Jun 9 10:30:39 2015
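The guard Fraser sketches above and Martin confirms, carried through as an added example (this is not FreeIPA code). The sysupgrade state store and the LDAP backend are replaced by in-memory stand-ins written here, and `STATE_KEY` and `DEFAULT_CAACL_NAME` are placeholders rather than FreeIPA's real values, so the three outcomes (already done, ACLs already present, nothing yet) and the failure path can be exercised offline. One point the sketch leaves implicit is made explicit: the state flag is set only after the LDAP work succeeded, so an upgrade that dies in the add step retries next time instead of recording the work as done.

```python
"""Idempotent "add the default CA ACL once" upgrade step.

Added example, not FreeIPA code. UpgradeState and FakeLDAP are in-memory
stand-ins constructed here for the real sysupgrade state store and the
api.Backend.ldap2 connection; STATE_KEY and DEFAULT_CAACL_NAME are
placeholders, not FreeIPA's real names.
"""

STATE_KEY = "default_caacl_added"                 # placeholder state name
DEFAULT_CAACL_NAME = "DEFAULT_CAACL_PLACEHOLDER"  # placeholder ACL name


class UpgradeState:
    """Stand-in for sysupgrade.get_upgrade_state/set_upgrade_state."""

    def __init__(self):
        self._flags = {}

    def get_upgrade_state(self, key):
        return self._flags.get(key, False)

    def set_upgrade_state(self, key, value):
        self._flags[key] = value


class FakeLDAP:
    """Stand-in for the LDAP backend: caacl entries are just names in a list."""

    def __init__(self, entries=None):
        self.entries = list(entries or [])

    def search_caacls(self):
        return list(self.entries)

    def add_caacl(self, name):
        self.entries.append(name)


class FlakyLDAP(FakeLDAP):
    """Stand-in whose first add fails, to exercise the error path."""

    def __init__(self):
        super().__init__()
        self.failures_left = 1

    def add_caacl(self, name):
        if self.failures_left:
            self.failures_left -= 1
            raise RuntimeError("constructed LDAP failure")
        super().add_caacl(name)


def add_default_caacl_once(state, ldap, name=DEFAULT_CAACL_NAME):
    """Run the upgrade step once; return 'skipped', 'present' or 'added'.

    The flag is set only after the LDAP work has succeeded, so a failed add
    leaves it unset and the next upgrade run retries instead of believing
    the work is done.
    """
    if state.get_upgrade_state(STATE_KEY):
        return "skipped"            # handled by an earlier upgrade run
    if ldap.search_caacls():
        outcome = "present"         # admin already has ACLs; leave them alone
    else:
        ldap.add_caacl(name)        # may raise; the flag then stays unset
        outcome = "added"
    state.set_upgrade_state(STATE_KEY, True)
    return outcome


def run_scenarios():
    """Exercise the four cases and return their outcomes keyed by name."""
    results = {}

    state, ldap = UpgradeState(), FakeLDAP()
    results["first_run"] = add_default_caacl_once(state, ldap)
    results["second_run"] = add_default_caacl_once(state, ldap)
    results["entries_after_two_runs"] = ldap.search_caacls()

    state, ldap = UpgradeState(), FakeLDAP(["custom_acl"])
    results["existing_acl"] = add_default_caacl_once(state, ldap)
    results["entries_with_existing"] = ldap.search_caacls()

    state, ldap = UpgradeState(), FlakyLDAP()
    try:
        add_default_caacl_once(state, ldap)
    except RuntimeError:
        results["flag_after_failure"] = state.get_upgrade_state(STATE_KEY)
    results["retry_after_failure"] = add_default_caacl_once(state, ldap)
    return results


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

The "present" outcome still sets the flag: an administrator who created their own ACLs before the upgrade does not get the default one added on a later run either, which is the "only ever try once" property Fraser asked for.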
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 09 Jun 2015 12:30:39 +0200
Subject: [Freeipa-devel] Community Portal Milestone
In-Reply-To: <5575EF16.5090808@redhat.com>
References: <5575EF16.5090808@redhat.com>
Message-ID: <5576C04F.9070903@redhat.com>

On 8.6.2015 21:37, Drew Erny wrote:
> Hi, all,
>
> I'm going to start working on the Community Portal milestone this week. The
> first thing I'm noticing is that for almost all of the community portal, there
> has to be some way for the IPA server to send email, which right now isn't
> possible. It has been brought to my attention, however, that there is an
> existing ticket (https://fedorahosted.org/freeipa/ticket/1593) that includes
> email under its purview. I don't want to write a bunch of code that'll get
> tossed when work starts on the notification system if I don't have to, but I
> will if I must.
>
> I need a little bit of guidance. Is working on code to let the IPA server send
> email to users a good place to start chipping at this?

Hello!

I would recommend you to base your implementation on the generic principle
sketched in https://fedorahosted.org/freeipa/ticket/1593 .

Let's take https://fedorahosted.org/freeipa/ticket/3613 as an example:
[RFE] Provide a self service enrollment capability with admin approval and
notification workflow

1. User fills in a web form for account registration.
2. A new user object in the staging area is created.
3. FreeIPA framework calls a D-Bus method
   com.redhat.ipa.hook_user_self_registration (or something like that)

This method/service/however it is called can then be provided by an arbitrary script
which can be connected to D-Bus using Oddjob.
http://people.redhat.com/nalin/oddjob/

This will lift the burden of e-mail processing from you and will allow users
to do anything with the data passed to hooks.

I hope this helps.

--
Petr^2 Spacek

From mbabinsk at redhat.com Tue Jun 9 11:14:39 2015
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Tue, 09 Jun 2015 13:14:39 +0200
Subject: [Freeipa-devel] [PATCH 0040] generalize certificate creation during testing
Message-ID: <5576CA9F.6020309@redhat.com>

A slight hack to the ipatests/test_xmlrpc/testcert.py module in order to enable
generation of multiple host/service/user certificates. It should make writing
tests for the new CA profile/sub-CA/user certificate functionality easier.

--
Martin^3 Babinsky

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0040-generalize-certificate-creation-during-testing.patch
Type: text/x-patch
Size: 9398 bytes
Desc: not available
URL:

From jcholast at redhat.com Tue Jun 9 12:02:03 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 09 Jun 2015 14:02:03 +0200
Subject: [Freeipa-devel] [PATCH] 0005 User life cycle: del/mod/find/show stageuser commands
In-Reply-To: <555C5348.2030202@redhat.com>
References: <552F964E.2060304@redhat.com> <553F437D.5080103@redhat.com> <553F44B7.6040100@redhat.com> <553F476E.8080502@redhat.com> <553F9BCE.6010000@redhat.com> <554869C3.2040509@redhat.com> <5551EF3E.1060503@redhat.com> <555216B9.1070106@redhat.com> <205373726.22060212.1431701099532.JavaMail.zimbra@redhat.com> <5559A3DD.7030002@redhat.com> <555C5348.2030202@redhat.com>
Message-ID: <5576D5BB.8020500@redhat.com>

On 20.5.2015 at 11:26, Jan Cholasta wrote:
> On 18.5.2015 at 10:33, thierry bordaz wrote:
>> On 05/15/2015 04:44 PM, David Kupka wrote:
>>> Hello Thierry,
>>> thanks for the patch set. Overall functionality of the ULC feature looks
>>> good to
>>> me and is definitely "alpha ready".
>>>
>>> I found the following issues but don't insist on fixing them right now:
>>>
>>> 1) When stageuser-activate fails due to an already existent
>>> active/deleted user,
>>> the DN is shown instead of the user name that's used in other commands (user-add,
>>> stageuser-add).
>>> $ ipa user-add tuser --first Test --last User
>>> $ ipa stageuser-add tuser --first Test --last User
>>> $ ipa stageuser-activate tuser
>>> ipa: ERROR: Active user
>>> uid=tuser,cn=users,cn=accounts,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
>>>
>>>
>>> already exists
>>
>> Hi David, Jan,
>>
>> Thank you so much for all those tests and feedback. I agree, some minor
>> bugs can be fixed separately from these main patches.
>>
>> You are right, it should return the user ID, not the DN.
>>
>>>
>>> 2) According to the design there should be '--only-delete' and
>>> '--also-delete'
>>> options for the user-find command; instead there is a '--preserved' option.
>>> Honza proposed adding a virtual boolean attribute 'deleted' to the user
>>> entry and
>>> filtering on it.
>>> The 'deleted' attribute would be useful also in user-show where there is no
>>> way to
>>> tell if the displayed user is active or deleted. (Except running with
>>> --all
>>> and looking at the dn).
>>
>> Yes, a bit late to resynch the design.
>> The final option is 'preserved' for user-find and 'preserve' for
>> user-del. '--only-delete' or '--also-delete' are old names that I need to
>> replace in the design.
>>
>> About the 'deleted' attribute, do you think of adding a DS CoS virtual
>> attribute?
>
> See the attached patch.

Can someone please review the patch?

>
>>
>>>
>>> 3) uidNumber and gidNumber can't be set back to '-1' once set to another
>>> value.
>>> This would be useful when the admin changes their mind and wants IPA to
>>> assign them.
>>> IIUC, there should be no validation in the cn=staged user container. All
>>> validation should be done during stageuser-activate.
>>
>> Yes, that comes from the user plugin that enforces the number to be >0.
>> That is a good point, giving the ability to reset uidNumber/gidNumber.
>> I will check if it is possible, how (give a value or an option to
>> reset), and also if it would not create other issues.
>>>
>>> 4) Support for the deleted -> stage workflow is still missing. But I'm
>>> unsure if we
>>> agreed to finish it now or later.
>>
>> Yes, thanks
>>>
>>> 5) Deleting a user twice with '--preserve' deletes him permanently.
>>> $ ipa user-add tuser --first Test --last User
>>> $ ipa user-del tuser --preserve
>>> $ ipa user-del tuser --preserve
>>> $ ipa user-find --preserved
>>> ------------------------
>>> 0 (delete) users matched
>>> ------------------------
>>> ----------------------------
>>> Number of entries returned 0
>>> ----------------------------
>>
>> Deleting a deleted (preserved) entry should permanently remove the
>> entry.
>> Now if the second time the preserve option is present, it makes sense to
>> not delete it.
>
> BTW: I might be stating the obvious here, but it would be better to use
> one boolean parameter rather than two mutually exclusive flags in user-del.

I would like an opinion on this as well.

--
Jan Cholasta

From jcholast at redhat.com Tue Jun 9 12:06:10 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 09 Jun 2015 14:06:10 +0200
Subject: [Freeipa-devel] [PATCHES 439-442] install: Migrate ipa-replica-install to the install framework
Message-ID: <5576D6B2.8090605@redhat.com>

Hi,

the attached patches implement another part of .

Honza

--
Jan Cholasta

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-439-install-Handle-Knob-cli_name-and-cli_aliases-values-.patch
Type: text/x-patch
Size: 7138 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-440-install-Add-support-for-positional-arguments-in-CLI-.patch
Type: text/x-patch
Size: 9673 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-441-install-Allow-setting-usage-in-CLI-tools.patch
Type: text/x-patch
Size: 2608 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-442-install-Migrate-ipa-replica-install-to-the-install-f.patch
Type: text/x-patch
Size: 24464 bytes
Desc: not available
URL:

From simo at redhat.com Tue Jun 9 13:06:46 2015
From: simo at redhat.com (Simo Sorce)
Date: Tue, 09 Jun 2015 09:06:46 -0400
Subject: [Freeipa-devel] DNA range distribution to replicas by default
In-Reply-To: <5576A41A.4020604@redhat.com>
References: <5576A41A.4020604@redhat.com>
Message-ID: <1433855206.20848.21.camel@willson.usersys.redhat.com>

On Tue, 2015-06-09 at 10:30 +0200, Petr Spacek wrote:
> Hello,
>
> I would like to discuss
> https://bugzilla.redhat.com/show_bug.cgi?id=1211366
> "Error creating a user when jumping from an original server to replica".
>
> Currently the DNA ranges are distributed from master to other replicas on
> first attempt to get a number from particular range.
>
> This works well as long as the original master is reachable but fails
> miserably when the master is not reachable for any reason.
>
> It is apparently confusing to users [1][2] because it is counter-intuitive.
> They have created a replica to be sure that everything will work when the
> first server is down, right?
>
> Remediation is technically simple [3] (just assign a range to the new replica)
> but it is confusing to the users, error-prone, and personally I feel that this
> is an unnecessary obstacle.
>
> It seems to me that the original motivation for this behavior was that the
> masters were not able to request range back from other replicas when a local
> range was depleted.
>
> This deficiency is tracked as
> https://bugzilla.redhat.com/show_bug.cgi?id=1029640 and it is slated for fix
> in 4.2.x time frame.
>
> Can we distribute ranges to the replicas during ipa-replica-install when we
> fix bug 1029640?

That was not the only reason, another reason is that you do not want to
distribute and fragment ranges to replicas that will never be used to
create users.

What we should do perhaps, is to automatically give a range to CA enabled
masters so that at least those servers have a range. If all your CAs are
unavailable you have major issues anyway.
Though it is a bit bad to have magic behaviors, maybe we should have a
"main DNA range holder" role that can be assigned to arbitrary servers
(maybe the first replica gets it by default), and when done the server
acquires part of the range if it has none.

Another option is that a replica can instantiate a whole new range if all
the range bearing servers are not around, but that also comes with its own
issues.

In general I wouldn't want to split by default, because in domains with
*many* replicas most of them are used for load balancing and will never be
used to create users, so the range would be wasted.

Simo.

>
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1211366#c0
> [2] https://www.redhat.com/archives/freeipa-users/2015-May/msg00515.html
> [3] http://blog-rcritten.rhcloud.com/?p=50
>
> --
> Petr^2 Spacek
>

--
Simo Sorce * Red Hat, Inc * New York

From pspacek at redhat.com Tue Jun 9 13:28:59 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 09 Jun 2015 15:28:59 +0200
Subject: [Freeipa-devel] Community Portal Milestone
In-Reply-To: <5576C04F.9070903@redhat.com>
References: <5575EF16.5090808@redhat.com> <5576C04F.9070903@redhat.com>
Message-ID: <5576EA1B.7050300@redhat.com>

On 9.6.2015 12:30, Petr Spacek wrote:
> On 8.6.2015 21:37, Drew Erny wrote:
>> Hi, all,
>>
>> I'm going to start working on the Community Portal milestone this week. The
>> first thing I'm noticing is that for almost all of the community portal, there
>> has to be some way for the IPA server to send email, which right now isn't
>> possible. It has been brought to my attention, however, that there is an
>> existing ticket (https://fedorahosted.org/freeipa/ticket/1593) that includes
>> email under its purview. I don't want to write a bunch of code that'll get
>> tossed when work starts on the notification system if I don't have to, but I
>> will if I must.
>>
>> I need a little bit of guidance. Is working on code to let the IPA server send
>> email to users a good place to start chipping at this?
>
> Hello!
>
> I would recommend you to base your implementation on the generic principle
> sketched in https://fedorahosted.org/freeipa/ticket/1593 .
>
> Let's take https://fedorahosted.org/freeipa/ticket/3613 as an example:
> [RFE] Provide a self service enrollment capability with admin approval and
> notification workflow
>
> 1. User fills in a web form for account registration.
> 2. A new user object in the staging area is created.
> 3. FreeIPA framework calls a D-Bus method
>    com.redhat.ipa.hook_user_self_registration (or something like that)
>
> This method/service/however it is called can then be provided by an arbitrary script
> which can be connected to D-Bus using Oddjob.
> http://people.redhat.com/nalin/oddjob/
>
> This will lift the burden of e-mail processing from you and will allow users
> to do anything with the data passed to hooks.
>
> I hope this helps.
Speaking about D-Bus, interns in Brno successfully used this tutorial a month ago:
http://excid3.com/blog/an-actually-decent-python-dbus-tutorial/

I do not remember why, but we slightly modified the code for the consumer to use the Interface() constructor instead of get_dbus_method():

    import dbus

    # SSSD's InfoPipe responder is registered on the system bus
    bus = dbus.SystemBus()
    infopipe_obj = bus.get_object("org.freedesktop.sssd.infopipe",
                                  "/org/freedesktop/sssd/infopipe")
    ifp = dbus.Interface(infopipe_obj,
                         dbus_interface='org.freedesktop.sssd.infopipe')
    # call the method remotely; username is the account name to look up
    result = ifp.GetUserAttr(username, ["ipaSshPubKey"])

So, if you encounter a mysterious failure you might want to try this variant :-)

FreeIPA framework should act as 'consumeservice.py' and oddjob will implement most of 'myservice.py' for you.

Let us know if you have any questions!

--
Petr^2 Spacek

From cheimes at redhat.com Tue Jun 9 13:55:28 2015
From: cheimes at redhat.com (Christian Heimes)
Date: Tue, 09 Jun 2015 15:55:28 +0200
Subject: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)
In-Reply-To: <5565C3AF.1070509@redhat.com>
References: <5565C3AF.1070509@redhat.com>
Message-ID: <5576F050.7070903@redhat.com>

On 2015-05-27 15:16, Christian Heimes wrote:
> Hello,
>
> here is my first patch for FreeIPA. The patch integrates python-kdcproxy
> for MS-KKDCP support (aka Kerberos over HTTPS).
>
> https://www.freeipa.org/page/V4/KDC_Proxy
>
> Ticket: https://fedorahosted.org/freeipa/ticket/4801

freeipa-cheimes-0001-2-Provide-Kerberos-over-HTTP-MS-KKDCP.patch doesn't apply anymore. The new patch is based on the current master.

Christian

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-cheimes-0001-3-Provide-Kerberos-over-HTTP-MS-KKDCP.patch
Type: text/x-patch
Size: 48388 bytes

From ofayans at redhat.com Tue Jun 9 13:55:33 2015
From: ofayans at redhat.com (Oleg Fayans)
Date: Tue, 09 Jun 2015 15:55:33 +0200
Subject: [Freeipa-devel] topology issues
Message-ID: <5576F055.2060603@redhat.com>

Hi everybody,

The current status of Topology plugin testing is as follows:

1. There is still no proper way of removing the replica.
Standard procedure using `ipa-replica-manage del` throws "Server is unwilling to perform: Entry is managed by topology plugin.Deletion not allowed.". The replication agreement though does get deleted, but the topology information does not get updated. When I then issue `ipa topologysegment-del`, it fails due to "ipa: ERROR: Server is unwilling to perform: Removal of Segment disconnects topology.Deletion not allowed."

I tried to disable the segment first and then delete it, but with the segment properly disabled, the attempt to delete it raised a GSS error: "ipa: ERROR: Kerberos error: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('KDC returned error string: PROCESS_TGS', -1765328324)/". I am not sure where to search for the corresponding logs. The session transcript is attached.

2. The following is probably unrelated to the topology plugin:
I installed a replica with the --setup-ca option.
Then, on this replica, I tried to prepare another replica:
-------------------------------------------------------------------------------------------------------------------------------------------------
root at f22replica2:/home/ofayans/f22]$ ipa-replica-prepare --ip-address 192.168.122.141 f22replica3.bagam.net
Directory Manager (existing master) password:

Preparing replica for f22replica3.bagam.net from f22replica2.bagam.net
Creating SSL certificate for the Directory Server
Certificate issuance failed
-------------------------------------------------------------------------------------------------------------------------------------------------

The corresponding line in the dirsrv log:
[09/Jun/2015:09:54:46 -0400] - Entry "uid=admin,ou=people,o=ipaca" -- attribute "krbExtraData" not allowed

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

-------------- next part --------------
root at f22master:/home/ofayans]$ ipa topologysegment-find
Suffix name: realm
------------------
2 segments matched
------------------
Segment name: f22master.bagam.net-to-f22replica1.bagam.net
Left node: f22master.bagam.net
Right node: f22replica1.bagam.net
Connectivity: both

Segment name: f22master.bagam.net-to-f22replica2.bagam.net
Left node: f22master.bagam.net
Right node: f22replica2.bagam.net
Connectivity: both
----------------------------
Number of entries returned 2
----------------------------
root at f22master:/home/ofayans]$ ipa-replica-manage del f22replica1.bagam.net
Deleting a master is irreversible.
To reconnect to the remote master you will need to prepare a new replica file and re-install.
Continue to delete?
[no]: yes
Deleting replication agreements between f22replica1.bagam.net and f22master.bagam.net
ipa: INFO: Setting agreement cn=meTof22master.bagam.net,cn=replica,cn=dc\=bagam\,dc\=net,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
ipa: INFO: Deleting schedule 2358-2359 0 from agreement cn=meTof22master.bagam.net,cn=replica,cn=dc\=bagam\,dc\=net,cn=mapping tree,cn=config
ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update succeeded: start: 0: end: 0
Unable to remove agreement on f22replica1.bagam.net: Server is unwilling to perform: Entry is managed by topology plugin.Deletion not allowed.
Forcing removal on 'f22master.bagam.net'
Any DNA range on 'f22replica1.bagam.net' will be lost
There were issues removing a connection for f22replica1.bagam.net from f22master.bagam.net: Server is unwilling to perform: Entry is managed by topology plugin.Deletion not allowed.
Background task created to clean replication data. This may take a while.
This may be safely interrupted with Ctrl+C
root at f22master:/home/ofayans]$ ipa topologysegment-del
Suffix name: realm
Segment name: f22master.bagam.net-to-f22replica1.bagam.net
ipa: ERROR: Server is unwilling to perform: Removal of Segment disconnects topology.Deletion not allowed.
root at f22master:/home/ofayans]$ ipa help topologysegment-mod
Usage: ipa [global-options] topologysegment-mod TOPOLOGYSUFFIX NAME [options]

Modify a segment.
Options:
  -h, --help            show this help message and exit
  --leftnode=STR        Left replication node - an IPA server
  --rightnode=STR       Right replication node - an IPA server
  --direction=['both', 'left-right', 'right-left', 'none']
                        Direction of replication between left and right replication node
  --stripattrs=STR      A space separated list of attributes which are removed from replication updates.
  --replattrs=STR       Attributes that are not replicated to a consumer server during a fractional update.
                        E.g., `(objectclass=*) $ EXCLUDE accountlockout memberof
  --replattrstotal=STR  Attributes that are not replicated to a consumer server during a total update.
                        E.g. (objectclass=*) $ EXCLUDE accountlockout
  --timeout=INT         Number of seconds outbound LDAP operations waits for a response from the remote replica before timing out and failing
  --enabled=['on', 'off']
                        Whether a replication agreement is active, meaning whether replication is occurring per that agreement
  --setattr=STR         Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
  --addattr=STR         Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
  --delattr=STR         Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
  --rights              Display the access rights of this entry (requires --all). See ipa man page for details.
  --all                 Retrieve and print all attributes from the server. Affects command output.
  --raw                 Print entries as stored on the server. Only affects output format.
root at f22master:/home/ofayans]$ ipa topologysegment-mod --enabled=off
Suffix name: realm
Segment name: f22master.bagam.net-to-f22replica1.bagam.net
---------------------------------------------------------------
Modified segment "f22master.bagam.net-to-f22replica1.bagam.net"
---------------------------------------------------------------
Segment name: f22master.bagam.net-to-f22replica1.bagam.net
Left node: f22master.bagam.net
Right node: f22replica1.bagam.net
Connectivity: both
Replication agreement enabled: off
root at f22master:/home/ofayans]$ ipa topologysegment-del
ipa: ERROR: Kerberos error: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('KDC returned error string: PROCESS_TGS', -1765328324)/

From lkrispen at redhat.com Tue Jun 9 14:04:28 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Tue, 09 Jun 2015 16:04:28 +0200
Subject: [Freeipa-devel] topology issues
In-Reply-To: <5576F055.2060603@redhat.com>
References: <5576F055.2060603@redhat.com>
Message-ID: <5576F26C.7010802@redhat.com>

On 06/09/2015 03:55 PM, Oleg Fayans wrote:
> Hi everybody,
>
> The current status of Topology plugin testing is as follows:
>
> 1. There is still no proper way of removing the replica.
> Standard procedure using `ipa-replica-manage del` throws "Server is
> unwilling to perform: Entry is managed by topology plugin.Deletion not
> allowed.".
yes, that is for the first attempt to directly remove the agreement, but when the server is removed the agreements should be removed
> The replication agreement though does get deleted,
then it is ok,
> but the topology information does not get updated.
what do you mean, where do you check? in the "remaining" topology the shared tree should be updated, for the removed replica it will not, but this should be uninstalled anyway
> When I then issue `ipa topologysegment-del`, it fails due to "ipa:
> ERROR: Server is unwilling to perform: Removal of Segment disconnects
> topology.Deletion not allowed."
correct, you can only do it after removal of the server
>
> I tried to disable the segment first and then delete it, but with the
> segment properly disabled, the attempt to delete it raised a GSS
> error: "ipa: ERROR: Kerberos error: Kerberos error: ('Unspecified GSS
> failure. Minor code may provide more information', 851968)/('KDC
> returned error string: PROCESS_TGS', -1765328324)/". I am not sure,
> where to search for corresponding logs. The session transcript is
> attached.
>
> 2. The following is probably unrelated to the topology plugin:
> I installed a replica with --setup-ca option.
> Then, on this replica
> tried to prepare another replica:
> -------------------------------------------------------------------------------------------------------------------------------------------------
>
> root at f22replica2:/home/ofayans/f22]$ ipa-replica-prepare --ip-address
> 192.168.122.141 f22replica3.bagam.net
> Directory Manager (existing master) password:
>
> Preparing replica for f22replica3.bagam.net from f22replica2.bagam.net
> Creating SSL certificate for the Directory Server
> Certificate issuance failed
> -------------------------------------------------------------------------------------------------------------------------------------------------
>
> The corresponding line in the dirsrv log:
> [09/Jun/2015:09:54:46 -0400] - Entry "uid=admin,ou=people,o=ipaca" --
> attribute "krbExtraData" not allowed
>

From ofayans at redhat.com Tue Jun 9 14:14:48 2015
From: ofayans at redhat.com (Oleg Fayans)
Date: Tue, 09 Jun 2015 16:14:48 +0200
Subject: [Freeipa-devel] topology issues
In-Reply-To: <5576F26C.7010802@redhat.com>
References: <5576F055.2060603@redhat.com> <5576F26C.7010802@redhat.com>
Message-ID: <5576F4D8.80907@redhat.com>

On 06/09/2015 04:04 PM, Ludwig Krispenz wrote:
>
> On 06/09/2015 03:55 PM, Oleg Fayans wrote:
>> Hi everybody,
>>
>> The current status of Topology plugin testing is as follows:
>>
>> 1. There is still no proper way of removing the replica.
>> Standard procedure using `ipa-replica-manage del` throws "Server is
>> unwilling to perform: Entry is managed by topology plugin.Deletion
>> not allowed.".
> yes, that is for the first attempt to directly remove the agreement,
> but when the server is removed the agreements should be removed
We should probably think of a less threatening error message in this case. Just from reading the command output one might conclude that replica removal failed.
>> The replication agreement though does get deleted,
> then it is ok,
>> but the topology information does not get updated.
> what do you mean, where do you check ? in the "remaining" topology the
> shared tree should be updated, for the removed replica it will not,
> but this should be uninstalled anyway
The problem here is that the topology information does not get updated on the master as well.
>> When I then issue `ipa topologysegment-del`, it fails due to "ipa:
>> ERROR: Server is unwilling to perform: Removal of Segment disconnects
>> topology.Deletion not allowed."
> correct, you can only do it after removal of the server
I do not get it. Master still thinks it has the replica, it displays it both in CLI using `ipa topologysegment-find` and in the web-ui (although it does not show it using `ipa host-find`, which is correct), and there is no way to manually make it change its mind?
>>
>> I tried to disable the segment first and then delete it, but with the
>> segment properly disabled, the attempt to delete it raised a GSS
>> error: "ipa: ERROR: Kerberos error: Kerberos error: ('Unspecified GSS
>> failure. Minor code may provide more information', 851968)/('KDC
>> returned error string: PROCESS_TGS', -1765328324)/". I am not sure,
>> where to search for corresponding logs. The session transcript is
>> attached.
>>
>> 2. The following is probably unrelated to the topology plugin:
>> I installed a replica with --setup-ca option. Then, on this replica
>> tried to prepare another replica:
>> -------------------------------------------------------------------------------------------------------------------------------------------------
>>
>> root at f22replica2:/home/ofayans/f22]$ ipa-replica-prepare --ip-address
>> 192.168.122.141 f22replica3.bagam.net
>> Directory Manager (existing master) password:
>>
>> Preparing replica for f22replica3.bagam.net from f22replica2.bagam.net
>> Creating SSL certificate for the Directory Server
>> Certificate issuance failed
>> -------------------------------------------------------------------------------------------------------------------------------------------------
>>
>> The corresponding line in the dirsrv log:
>> [09/Jun/2015:09:54:46 -0400] - Entry "uid=admin,ou=people,o=ipaca" --
>> attribute "krbExtraData" not allowed
>>
>

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

From lkrispen at redhat.com Tue Jun 9 14:19:18 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Tue, 09 Jun 2015 16:19:18 +0200
Subject: [Freeipa-devel] topology issues
In-Reply-To: <5576F4D8.80907@redhat.com>
References: <5576F055.2060603@redhat.com> <5576F26C.7010802@redhat.com> <5576F4D8.80907@redhat.com>
Message-ID: <5576F5E6.2030502@redhat.com>

On 06/09/2015 04:14 PM, Oleg Fayans wrote:
>
>
> On 06/09/2015 04:04 PM, Ludwig Krispenz wrote:
>>
>> On 06/09/2015 03:55 PM, Oleg Fayans wrote:
>>> Hi everybody,
>>>
>>> The current status of Topology plugin testing is as follows:
>>>
>>> 1. There is still no proper way of removing the replica.
>>> Standard procedure using `ipa-replica-manage del` throws "Server is
>>> unwilling to perform: Entry is managed by topology plugin.Deletion
>>> not allowed.".
>> yes, that is for the first attempt to directly remove the agreement,
>> but when the server is removed the agreements should be removed
> We should probably think of less threatening error message in this
> case. Just from reading the command output one might conclude that
> replica removal failed.
>>> The replication agreement though does get deleted,
>> then it is ok,
>>> but the topology information does not get updated.
>> what do you mean, where do you check ? in the "remaining" topology
>> the shared tree should be updated, for the removed replica it will
>> not, but this should be uninstalled anyway
> The problem here, is that the topology information does not get
> updated on master as well.
could you be a bit more precise. what do you still see? the agreement will only be removed if the segment is removed, and this should be replicated to all servers in the remaining topology - if you don't disconnect it by removing the replica.
and what was the topology structure and which replica did you remove, on which server did you remove it?
>>> When I then issue `ipa topologysegment-del`, it fails due to "ipa:
>>> ERROR: Server is unwilling to perform: Removal of Segment
>>> disconnects topology.Deletion not allowed."
>> correct, you can only do it after removal of the server
> I do not get it. Master still thinks it has the replica, it displays
> it both in CLI using `ipa topologysegment-find` and in the web-ui.
> (although it does not show it using `ipa host-find`, which is
> correct), and there is no way to manually make it change it's mind?
>>>
>>> I tried to disable the segment first and then delete it, but with
>>> the segment properly disabled, the attempt to delete it raised a GSS
>>> error: "ipa: ERROR: Kerberos error: Kerberos error: ('Unspecified
>>> GSS failure. Minor code may provide more information',
>>> 851968)/('KDC returned error string: PROCESS_TGS', -1765328324)/". I
>>> am not sure, where to search for corresponding logs. The session
>>> transcript is attached.
>>>
>>> 2. The following is probably unrelated to the topology plugin:
>>> I installed a replica with --setup-ca option.
>>> Then, on this replica
>>> tried to prepare another replica:
>>> -------------------------------------------------------------------------------------------------------------------------------------------------
>>>
>>> root at f22replica2:/home/ofayans/f22]$ ipa-replica-prepare
>>> --ip-address 192.168.122.141 f22replica3.bagam.net
>>> Directory Manager (existing master) password:
>>>
>>> Preparing replica for f22replica3.bagam.net from f22replica2.bagam.net
>>> Creating SSL certificate for the Directory Server
>>> Certificate issuance failed
>>> -------------------------------------------------------------------------------------------------------------------------------------------------
>>>
>>> The corresponding line in the dirsrv log:
>>> [09/Jun/2015:09:54:46 -0400] - Entry "uid=admin,ou=people,o=ipaca"
>>> -- attribute "krbExtraData" not allowed
>>>
>>
>
> --
> Oleg Fayans
> Quality Engineer
> FreeIPA team
> RedHat.
>

From ofayans at redhat.com Tue Jun 9 14:25:25 2015
From: ofayans at redhat.com (Oleg Fayans)
Date: Tue, 09 Jun 2015 16:25:25 +0200
Subject: [Freeipa-devel] topology issues
In-Reply-To: <5576F5E6.2030502@redhat.com>
References: <5576F055.2060603@redhat.com> <5576F26C.7010802@redhat.com> <5576F4D8.80907@redhat.com> <5576F5E6.2030502@redhat.com>
Message-ID: <5576F755.7080809@redhat.com>

On 06/09/2015 04:19 PM, Ludwig Krispenz wrote:
>
> On 06/09/2015 04:14 PM, Oleg Fayans wrote:
>>
>>
>> On 06/09/2015 04:04 PM, Ludwig Krispenz wrote:
>>>
>>> On 06/09/2015 03:55 PM, Oleg Fayans wrote:
>>>> Hi everybody,
>>>>
>>>> The current status of Topology plugin testing is as follows:
>>>>
>>>> 1. There is still no proper way of removing the replica.
>>>> Standard procedure using `ipa-replica-manage del` throws "Server is
>>>> unwilling to perform: Entry is managed by topology plugin.Deletion
>>>> not allowed.".
>>> yes, that is for the first attempt to directly remove the agreement,
>>> but when the server is removed the agreements should be removed
>> We should probably think of less threatening error message in this
>> case. Just from reading the command output one might conclude that
>> replica removal failed.
>>>> The replication agreement though does get deleted,
>>> then it is ok,
>>>> but the topology information does not get updated.
>>> what do you mean, where do you check ? in the "remaining" topology
>>> the shared tree should be updated, for the removed replica it will
>>> not, but this should be uninstalled anyway
>> The problem here, is that the topology information does not get
>> updated on master as well.
> could you be a bit more precise. what do you still see ? the agreement
> will be only removed if the segment is removed, and this should be
> replicated to all servers in the remaining topology - if you don't
> disconnect it by removing the replica.
> and what was the topology structure and which replica did you remove,
> on which server did you remove it?
So, here are the results of the `topologysegment-find` command before replica removal:

root at f22master:/var/log/dirsrv/slapd-BAGAM-NET]$ ipa topologysegment-find
Suffix name: realm
------------------
2 segments matched
------------------
Segment name: f22master.bagam.net-to-f22replica1.bagam.net
Left node: f22master.bagam.net
Right node: f22replica1.bagam.net
Connectivity: both

Segment name: f22master.bagam.net-to-f22replica2.bagam.net
Left node: f22master.bagam.net
Right node: f22replica2.bagam.net
Connectivity: both
----------------------------
Number of entries returned 2
----------------------------

Then, after issuing `ipa-replica-manage-del f2replica1.bagam.net --force` on the master, the same command on the master still shows exactly the same topology:

root at f22master:/var/log/dirsrv/slapd-BAGAM-NET]$ ipa topologysegment-find
Suffix name: realm
------------------
2 segments matched
------------------
Segment name: f22master.bagam.net-to-f22replica1.bagam.net
Left node: f22master.bagam.net
Right node: f22replica1.bagam.net
Connectivity: both

Segment name: f22master.bagam.net-to-f22replica2.bagam.net
Left node: f22master.bagam.net
Right node: f22replica2.bagam.net
Connectivity: both
----------------------------
Number of entries returned 2
----------------------------

>>>> When I then issue `ipa topologysegment-del`, it fails due to "ipa:
>>>> ERROR: Server is unwilling to perform: Removal of Segment
>>>> disconnects topology.Deletion not allowed."
>>> correct, you can only do it after removal of the server
>> I do not get it. Master still thinks it has the replica, it displays
>> it both in CLI using `ipa topologysegment-find` and in the web-ui.
>> (although it does not show it using `ipa host-find`, which is
>> correct), and there is no way to manually make it change it's mind?
>>>>
>>>> I tried to disable the segment first and then delete it, but with
>>>> the segment properly disabled, the attempt to delete it raised a
>>>> GSS error: "ipa: ERROR: Kerberos error: Kerberos error:
>>>> ('Unspecified GSS failure. Minor code may provide more
>>>> information', 851968)/('KDC returned error string: PROCESS_TGS',
>>>> -1765328324)/". I am not sure, where to search for corresponding
>>>> logs. The session transcript is attached.
>>>>
>>>> 2. The following is probably unrelated to the topology plugin:
>>>> I installed a replica with --setup-ca option. Then, on this replica
>>>> tried to prepare another replica:
>>>> -------------------------------------------------------------------------------------------------------------------------------------------------
>>>>
>>>> root at f22replica2:/home/ofayans/f22]$ ipa-replica-prepare
>>>> --ip-address 192.168.122.141 f22replica3.bagam.net
>>>> Directory Manager (existing master) password:
>>>>
>>>> Preparing replica for f22replica3.bagam.net from f22replica2.bagam.net
>>>> Creating SSL certificate for the Directory Server
>>>> Certificate issuance failed
>>>> -------------------------------------------------------------------------------------------------------------------------------------------------
>>>>
>>>> The corresponding line in the dirsrv log:
>>>> [09/Jun/2015:09:54:46 -0400] - Entry "uid=admin,ou=people,o=ipaca"
>>>> -- attribute "krbExtraData" not allowed
>>>>
>>>
>>
>> --
>> Oleg Fayans
>> Quality Engineer
>> FreeIPA team
>> RedHat.
>>
>

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

From mkosek at redhat.com Tue Jun 9 14:28:16 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 09 Jun 2015 16:28:16 +0200
Subject: [Freeipa-devel] #5056: Rename topologysegment-refresh to topologysegment-reinitialize
Message-ID: <5576F800.1080800@redhat.com>

FYI, as mentioned in today's conversation, I filed the ticket to rename topologysegment-refresh to topologysegment-reinitialize:
https://fedorahosted.org/freeipa/ticket/5056

If there are any objections, please shout. If not, Petr - you know what to do...

--
Martin Kosek
Supervisor, Software Engineering - Identity Management Team
Red Hat Inc.

From simo at redhat.com Tue Jun 9 14:28:30 2015
From: simo at redhat.com (Simo Sorce)
Date: Tue, 09 Jun 2015 10:28:30 -0400
Subject: [Freeipa-devel] topology issues
In-Reply-To: <5576F755.7080809@redhat.com>
References: <5576F055.2060603@redhat.com> <5576F26C.7010802@redhat.com> <5576F4D8.80907@redhat.com> <5576F5E6.2030502@redhat.com> <5576F755.7080809@redhat.com>
Message-ID: <1433860110.20848.25.camel@willson.usersys.redhat.com>

On Tue, 2015-06-09 at 16:25 +0200, Oleg Fayans wrote:
> Then, after issuing `ipa-replica-manage-del f2replica1.bagam.net

Is this a copy and paste error or the command you actually used? (replica name is wrong).

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ofayans at redhat.com Tue Jun 9 14:29:57 2015
From: ofayans at redhat.com (Oleg Fayans)
Date: Tue, 09 Jun 2015 16:29:57 +0200
Subject: [Freeipa-devel] topology issues
In-Reply-To: <1433860110.20848.25.camel@willson.usersys.redhat.com>
References: <5576F055.2060603@redhat.com> <5576F26C.7010802@redhat.com> <5576F4D8.80907@redhat.com> <5576F5E6.2030502@redhat.com> <5576F755.7080809@redhat.com> <1433860110.20848.25.camel@willson.usersys.redhat.com>
Message-ID: <5576F865.8030801@redhat.com>

Simo,

yep, I entered the name manually when writing this letter

On 06/09/2015 04:28 PM, Simo Sorce wrote:
> On Tue, 2015-06-09 at 16:25 +0200, Oleg Fayans wrote:
>> Then, after issuing `ipa-replica-manage-del f2replica1.bagam.net
> Is this a copy and paste error or the command you actually used ?
> (replica name is wrong).
>
> Simo.
>

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

From lkrispen at redhat.com Tue Jun 9 14:36:03 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Tue, 09 Jun 2015 16:36:03 +0200
Subject: [Freeipa-devel] topology issues
In-Reply-To: <5576F755.7080809@redhat.com>
References: <5576F055.2060603@redhat.com> <5576F26C.7010802@redhat.com> <5576F4D8.80907@redhat.com> <5576F5E6.2030502@redhat.com> <5576F755.7080809@redhat.com>
Message-ID: <5576F9D3.2060100@redhat.com>

On 06/09/2015 04:25 PM, Oleg Fayans wrote:
>
>
> On 06/09/2015 04:19 PM, Ludwig Krispenz wrote:
>>
>> On 06/09/2015 04:14 PM, Oleg Fayans wrote:
>>>
>>>
>>> On 06/09/2015 04:04 PM, Ludwig Krispenz wrote:
>>>>
>>>> On 06/09/2015 03:55 PM, Oleg Fayans wrote:
>>>>> Hi everybody,
>>>>>
>>>>> The current status of Topology plugin testing is as follows:
>>>>>
>>>>> 1. There is still no proper way of removing the replica.
>>>>> Standard procedure using `ipa-replica-manage del` throws "Server
>>>>> is unwilling to perform: Entry is managed by topology
>>>>> plugin.Deletion not allowed.".
>>>> yes, that is for the first attempt to directly remove the
>>>> agreement, but when the server is removed the agreements should be
>>>> removed
>>> We should probably think of less threatening error message in this
>>> case. Just from reading the command output one might conclude that
>>> replica removal failed.
>>>>> The replication agreement though does get deleted,
>>>> then it is ok,
>>>>> but the topology information does not get updated.
>>>> what do you mean, where do you check ? in the "remaining" topology
>>>> the shared tree should be updated, for the removed replica it will
>>>> not, but this should be uninstalled anyway
>>> The problem here, is that the topology information does not get
>>> updated on master as well.
>> could you be a bit more precise. what do you still see ? the
>> agreement will be only removed if the segment is removed, and this
>> should be replicated to all servers in the remaining topology - if
>> you don't disconnect it by removing the replica.
>> and what was the topology structure and which replica did you remove,
>> on which server did you remove it?
> So, Here is the results of the `topologysegment-find` command before
> replica removal:
> root at f22master:/var/log/dirsrv/slapd-BAGAM-NET]$ ipa topologysegment-find
> Suffix name: realm
> ------------------
> 2 segments matched
> ------------------
> Segment name: f22master.bagam.net-to-f22replica1.bagam.net
> Left node: f22master.bagam.net
> Right node: f22replica1.bagam.net
> Connectivity: both
>
> Segment name: f22master.bagam.net-to-f22replica2.bagam.net
> Left node: f22master.bagam.net
> Right node: f22replica2.bagam.net
> Connectivity: both
> ----------------------------
> Number of entries returned 2
> ----------------------------
> Then, after issuing `ipa-replica-manage-del f2replica1.bagam.net
> --force` on the master, the same command on master still shows exactly
> the same topology:
>
> root at f22master:/var/log/dirsrv/slapd-BAGAM-NET]$ ipa topologysegment-find
> Suffix name: realm
> ------------------
> 2 segments matched
> ------------------
> Segment name: f22master.bagam.net-to-f22replica1.bagam.net
> Left node: f22master.bagam.net
> Right node: f22replica1.bagam.net
> Connectivity: both
>
> Segment name: f22master.bagam.net-to-f22replica2.bagam.net
> Left node: f22master.bagam.net
> Right node: f22replica2.bagam.net
> Connectivity: both
> ----------------------------
> Number of entries returned 2
> ----------------------------
that's weird if the agreement is removed, the removal of the agreement is only done in the postop of the removal of the segment. do you have the access and error logs for the master?
>
>>>>> When I then issue `ipa topologysegment-del`, it fails due to "ipa:
>>>>> ERROR: Server is unwilling to perform: Removal of Segment
>>>>> disconnects topology.Deletion not allowed."
>>>> correct, you can only do it after removal of the server
>>> I do not get it.
>>> Master still thinks it has the replica, it displays
>>> it both in CLI using `ipa topologysegment-find` and in the web-ui.
>>> (although it does not show it using `ipa host-find`, which is
>>> correct), and there is no way to manually make it change it's mind?
>>>>>
>>>>> I tried to disable the segment first and then delete it, but with
>>>>> the segment properly disabled, the attempt to delete it raised a
>>>>> GSS error: "ipa: ERROR: Kerberos error: Kerberos error:
>>>>> ('Unspecified GSS failure. Minor code may provide more
>>>>> information', 851968)/('KDC returned error string: PROCESS_TGS',
>>>>> -1765328324)/". I am not sure, where to search for corresponding
>>>>> logs. The session transcript is attached.
>>>>>
>>>>> 2. The following is probably unrelated to the topology plugin:
>>>>> I installed a replica with --setup-ca option. Then, on this
>>>>> replica tried to prepare another replica:
>>>>> -------------------------------------------------------------------------------------------------------------------------------------------------
>>>>>
>>>>> root at f22replica2:/home/ofayans/f22]$ ipa-replica-prepare
>>>>> --ip-address 192.168.122.141 f22replica3.bagam.net
>>>>> Directory Manager (existing master) password:
>>>>>
>>>>> Preparing replica for f22replica3.bagam.net from
>>>>> f22replica2.bagam.net
>>>>> Creating SSL certificate for the Directory Server
>>>>> Certificate issuance failed
>>>>> -------------------------------------------------------------------------------------------------------------------------------------------------
>>>>>
>>>>> The corresponding line in the dirsrv log:
>>>>> [09/Jun/2015:09:54:46 -0400] - Entry "uid=admin,ou=people,o=ipaca"
>>>>> -- attribute "krbExtraData" not allowed
>>>>>
>>>>
>>>
>>> --
>>> Oleg Fayans
>>> Quality Engineer
>>> FreeIPA team
>>> RedHat.
>>>
>>
>
> --
> Oleg Fayans
> Quality Engineer
> FreeIPA team
> RedHat.
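The rule Ludwig spells out in this thread (a segment can only be deleted if the remaining segments still connect every server, so a dangling segment can go only after its server is removed, and the agreement goes away in the postop of the segment removal) as an added Python model; this is example code, not the topology plugin's or FreeIPA's, and treating every direction other than 'none' as a link for the connectivity check is an assumption.

```python
"""Toy model of the topology plugin's segment-removal check.

Added example, not code from FreeIPA or the 389-ds topology plugin.
Assumption: any segment whose direction is not 'none' counts as a link
for the connectivity check; the real plugin may treat directions differently.
"""
from collections import deque

# Constructed sample data mirroring the `ipa topologysegment-find` output
# shown in the thread: a star with f22master in the middle.
SERVERS = {"f22master.bagam.net", "f22replica1.bagam.net", "f22replica2.bagam.net"}
SEGMENTS = [
    {"name": "f22master.bagam.net-to-f22replica1.bagam.net",
     "left": "f22master.bagam.net", "right": "f22replica1.bagam.net",
     "direction": "both"},
    {"name": "f22master.bagam.net-to-f22replica2.bagam.net",
     "left": "f22master.bagam.net", "right": "f22replica2.bagam.net",
     "direction": "both"},
]
SEG_TO_REPLICA1 = "f22master.bagam.net-to-f22replica1.bagam.net"


class TopologyError(Exception):
    """Raised where the server would answer 'Server is unwilling to perform'."""


def is_connected(segments, servers):
    """True if every server reaches every other one over the given segments."""
    if not servers:
        return True
    adjacency = {server: set() for server in servers}
    for seg in segments:
        left, right = seg["left"], seg["right"]
        # A segment only links servers that are still part of the topology;
        # a segment to an already-removed server is not load-bearing.
        if seg["direction"] == "none" or left not in adjacency or right not in adjacency:
            continue
        adjacency[left].add(right)
        adjacency[right].add(left)
    start = next(iter(servers))
    seen, queue = {start}, deque([start])
    while queue:
        for neighbour in adjacency[queue.popleft()]:
            if neighbour not in seen:
                seen.add(neighbour)
                queue.append(neighbour)
    return seen == set(servers)


def delete_segment(segments, servers, name):
    """Return the segment list without `name`, or refuse the way the plugin does."""
    remaining = [seg for seg in segments if seg["name"] != name]
    if len(remaining) == len(segments):
        raise KeyError(name)
    if not is_connected(remaining, servers):
        raise TopologyError(
            "Removal of Segment disconnects topology. Deletion not allowed.")
    # In the real plugin the replication agreement is removed in the postop
    # of this segment removal; here the returned list is the whole effect.
    return remaining


def remove_server(segments, servers, host):
    """Model of removing a server: drop it from the topology first, then its
    segments, which are no longer load-bearing and therefore deletable."""
    remaining_servers = set(servers) - {host}
    remaining = list(segments)
    for seg in [s for s in segments if host in (s["left"], s["right"])]:
        remaining = delete_segment(remaining, remaining_servers, seg["name"])
    return remaining, remaining_servers
```

Deleting the master's segment to replica1 while replica1 is still a server is refused; removing replica1 first makes the same segment deletable, while removing the hub f22master is refused because the two replicas would be left disconnected.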
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 09 Jun 2015 16:37:56 +0200
Subject: [Freeipa-devel] [PATCHES 00012-0013 v7] Profiles and CA ACLs
In-Reply-To: <20150609065805.GL23523@dhcp-40-8.bne.redhat.com>
References: <20150601071058.GI23523@dhcp-40-8.bne.redhat.com> <20150601072228.GJ23523@dhcp-40-8.bne.redhat.com> <20150602121127.GU23523@dhcp-40-8.bne.redhat.com> <556DDBD6.70007@redhat.com> <20150603141717.GZ23523@dhcp-40-8.bne.redhat.com> <556F3009.1090503@redhat.com> <20150604065944.GB23523@dhcp-40-8.bne.redhat.com> <55705542.4000002@redhat.com> <20150608013122.GH23523@dhcp-40-8.bne.redhat.com> <55753AE2.5030802@redhat.com> <20150609065805.GL23523@dhcp-40-8.bne.redhat.com>
Message-ID: <5576FA44.3000300@redhat.com>

On 09/06/15 08:58, Fraser Tweedale wrote:
> On Mon, Jun 08, 2015 at 08:49:06AM +0200, Martin Kosek wrote:
>> On 06/08/2015 03:31 AM, Fraser Tweedale wrote:
>>> New patches attached. Comments inline.
>> Thanks Fraser!
>>
>> ...
>>>> 5)
>>>> Missing referint plugin configuration for attribute
>>>> 'ipacaaclmembercertprofile'
>>>> Please add it into install/updates/25-referint.update (+ other member
>>>> attributes if missing)
>>>>
>>> Added this. There is a comment in 25-referint.update:
>>>
>>> # pres and eq indexes defined in 20-indices.update must be set
>>> # for all the attributes
>>>
>>> Can you explain what is required here? Is it just to add: I see
>>> things for memberUser and memberHost in indices.ldif but nothing for
>>> memberService. Do I need to add to indices.ldif:
>>>
>>> dn: cn=memberProfile,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
>>> changetype: add
>>> cn: memberProfile
>>> ObjectClass: top
>>> ObjectClass: nsIndex
>>> nsSystemIndex: false
>>> nsIndexType: eq
>>> nsIndexType: pres
>>> nsIndexType: sub
>>>
>>> , and similarly for memberCa? Sorry I do not know much about LDAP
>>> indexing.
>> AFAIR, yes. BTW, where does the "sub" index come from?
>> It is quite an expensive
>> index to use and I now cannot think of memberProfile search where you would
>> need a substring...
>>
>> Thanks,
>> Martin
> Updated patch attached, which adds the indices. (Also rebased).
>
> There is a commit that seems to indicate that substring index is
> needed, so I have included substring indices in this patchset.
> Copied Honza in case he wants to comment.
>
> commit a10521a1dcf69960d6ce0bf5657180b709c297c0
> Author: Jan Cholasta
> Date: Tue Jun 25 13:16:40 2013 +0000
>
> Add missing substring indices for attributes managed by the referint plugin.
>
> The referint plugin does a substring search on these attributes each time an
> entry is deleted, which causes a noticeable slowdown for large directories if
> the attributes are not indexed.
>
> https://fedorahosted.org/freeipa/ticket/3706
>
> Cheers,
> Fraser
ACK

Please send the upgrade patch ASAP :)

--
Martin Basti

From: dkupka at redhat.com (David Kupka)
Date: Tue, 09 Jun 2015 16:43:14 +0200
Subject: [Freeipa-devel] [PATCH 0051] Use 389-ds centralized scripts.
Message-ID: <5576FB82.6030109@redhat.com>

https://fedorahosted.org/freeipa/ticket/4051

--
David Kupka

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-dkupka-0051-Use-389-ds-centralized-scripts.patch
Type: text/x-patch
Size: 3585 bytes

From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Tue, 09 Jun 2015 17:32:19 +0200
Subject: [Freeipa-devel] topology issues
In-Reply-To: <5576F755.7080809@redhat.com>
References: <5576F055.2060603@redhat.com> <5576F26C.7010802@redhat.com> <5576F4D8.80907@redhat.com> <5576F5E6.2030502@redhat.com> <5576F755.7080809@redhat.com>
Message-ID: <55770703.8030202@redhat.com>

Hi Oleg,
thanks for access to your machine, the replication agreements are still there - and that is expected since the server was not removed.

In the access log I see:

[09/Jun/2015:08:32:42 -0400] conn=150 op=52 SRCH base="cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net" scope=2 filter="(objectClass=*)" attrs=ALL
[09/Jun/2015:08:32:42 -0400] conn=150 op=52 RESULT err=0 tag=101 nentries=8 etime=0 notes=U
[09/Jun/2015:08:32:42 -0400] conn=150 op=53 DEL dn="cn=KDC,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
[09/Jun/2015:08:32:42 -0400] conn=150 op=53 RESULT err=0 tag=107 nentries=0 etime=0 csn=5576dceb000600040000
[09/Jun/2015:08:32:42 -0400] conn=150 op=54 DEL dn="cn=KPASSWD,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
[09/Jun/2015:08:32:42 -0400] conn=150 op=54 RESULT err=0 tag=107 nentries=0 etime=0 csn=5576dceb000700040000
[09/Jun/2015:08:32:42 -0400] conn=150 op=55 DEL dn="cn=MEMCACHE,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
[09/Jun/2015:08:32:43 -0400] conn=150 op=55 RESULT err=0 tag=107 nentries=0 etime=1 csn=5576dcec000100040000
[09/Jun/2015:08:32:43 -0400] conn=150 op=56 UNBIND

the search for cn=f22replica1.bagam.net,cn=masters,.... returns 8 entries, which then should be deleted, but only 3 are deleted and the cn=f22replica1.bagam.net,cn=masters,... entry is not deleted, so the topology segments are not deleted, and the agreement is not removed.
I don't know why ipa-replica-manage del stops deleting services and the master entry

On 06/09/2015 04:25 PM, Oleg Fayans wrote:
>
> On 06/09/2015 04:19 PM, Ludwig Krispenz wrote:
>>
>> On 06/09/2015 04:14 PM, Oleg Fayans wrote:
>>>
>>> On 06/09/2015 04:04 PM, Ludwig Krispenz wrote:
>>>>
>>>> On 06/09/2015 03:55 PM, Oleg Fayans wrote:
>>>>> Hi everybody,
>>>>>
>>>>> The current status of Topology plugin testing is as follows:
>>>>>
>>>>> 1. There is still no proper way of removing the replica.
>>>>> Standard procedure using `ipa-replica-manage del` throws "Server
>>>>> is unwilling to perform: Entry is managed by topology
>>>>> plugin.Deletion not allowed.".
>>>> yes, that is for the first attempt to directly remove the
>>>> agreement, but when the server is removed the agreements should be
>>>> removed
>>> We should probably think of less threatening error message in this
>>> case. Just from reading the command output one might conclude that
>>> replica removal failed.
>>>>> The replication agreement though does get deleted,
>>>> then it is ok,
>>>>> but the topology information does not get updated.
>>>> what do you mean, where do you check ? in the "remaining" topology
>>>> the shared tree should be updated, for the removed replica it will
>>>> not, but this should be uninstalled anyway
>>> The problem here, is that the topology information does not get
>>> updated on master as well.
>> could you be a bit more precise. what do you still see ? the
>> agreement will be only removed if the segment is removed, and this
>> should be replicated to all servers in the remaining topology - if
>> you don't disconnect it by removing the replica.
>> and what was the topology structure and which replica did you remove,
>> on which server did you remove it?
> So, Here is the results of the `topologysegment-find` command before
> replica removal:
> root at f22master:/var/log/dirsrv/slapd-BAGAM-NET]$ ipa topologysegment-find
> Suffix name: realm
> ------------------
> 2 segments matched
> ------------------
> Segment name: f22master.bagam.net-to-f22replica1.bagam.net
> Left node: f22master.bagam.net
> Right node: f22replica1.bagam.net
> Connectivity: both
>
> Segment name: f22master.bagam.net-to-f22replica2.bagam.net
> Left node: f22master.bagam.net
> Right node: f22replica2.bagam.net
> Connectivity: both
> ----------------------------
> Number of entries returned 2
> ----------------------------
> Then, after issuing `ipa-replica-manage-del f2replica1.bagam.net
> --force` on the master, the same command on master still shows exactly
> the same topology:
>
> root at f22master:/var/log/dirsrv/slapd-BAGAM-NET]$ ipa topologysegment-find
> Suffix name: realm
> ------------------
> 2 segments matched
> ------------------
> Segment name: f22master.bagam.net-to-f22replica1.bagam.net
> Left node: f22master.bagam.net
> Right node: f22replica1.bagam.net
> Connectivity: both
>
> Segment name: f22master.bagam.net-to-f22replica2.bagam.net
> Left node: f22master.bagam.net
> Right node: f22replica2.bagam.net
> Connectivity: both
> ----------------------------
> Number of entries returned 2
> ----------------------------
>
>>>>> When I then issue `ipa topologysegment-del`, it fails due to "ipa:
>>>>> ERROR: Server is unwilling to perform: Removal of Segment
>>>>> disconnects topology.Deletion not allowed."
>>>> correct, you can only do it after removal of the server
>>> I do not get it. Master still thinks it has the replica, it displays
>>> it both in CLI using `ipa topologysegment-find` and in the web-ui.
>>> (although it does not show it using `ipa host-find`, which is
>>> correct), and there is no way to manually make it change its mind?
>>>>>
>>>>> I tried to disable the segment first and then delete it, but with
>>>>> the segment properly disabled, the attempt to delete it raised a
>>>>> GSS error: "ipa: ERROR: Kerberos error: Kerberos error:
>>>>> ('Unspecified GSS failure. Minor code may provide more
>>>>> information', 851968)/('KDC returned error string: PROCESS_TGS',
>>>>> -1765328324)/". I am not sure, where to search for corresponding
>>>>> logs. The session transcript is attached.
>>>>>
>>>>> 2. The following is probably unrelated to the topology plugin:
>>>>> I installed a replica with --setup-ca option. Then, on this
>>>>> replica tried to prepare another replica:
>>>>> ------------------------------------------------------------
>>>>>
>>>>> root at f22replica2:/home/ofayans/f22]$ ipa-replica-prepare
>>>>> --ip-address 192.168.122.141 f22replica3.bagam.net
>>>>> Directory Manager (existing master) password:
>>>>>
>>>>> Preparing replica for f22replica3.bagam.net from
>>>>> f22replica2.bagam.net
>>>>> Creating SSL certificate for the Directory Server
>>>>> Certificate issuance failed
>>>>> ------------------------------------------------------------
>>>>>
>>>>> The corresponding line in the dirsrv log:
>>>>> [09/Jun/2015:09:54:46 -0400] - Entry "uid=admin,ou=people,o=ipaca"
>>>>> -- attribute "krbExtraData" not allowed
>>>>>
>>>
>>> --
>>> Oleg Fayans
>>> Quality Engineer
>>> FreeIPA team
>>> RedHat.
>>>
>
> --
> Oleg Fayans
> Quality Engineer
> FreeIPA team
> RedHat.

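Ludwig's reading of the access log above (a scope=2 search on the master entry returns 8 entries, only 3 DEL operations follow, and the master entry itself is never deleted) can be checked mechanically. The following Python script is an added example, not code from FreeIPA or 389-ds: it parses access-log lines of the shape shown, pairs each SRCH and DEL request with its RESULT through the conn/op identifiers, and reports whether the subtree under a master entry was removed completely. The first log excerpt is the one quoted in this thread; the second, a complete removal, is constructed, and `norm_dn` is a simplification that does not handle escaped commas.

```python
import re

# A 389-ds access log pairs each request with its RESULT through conn=N op=M.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>\w+)(?P<rest>.*)$')
# key=value pairs; DNs and filters are quoted, counters (err, nentries) are bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def norm_dn(dn):
    """Case-fold and strip whitespace around RDNs (enough for these logs;
    escaped commas inside attribute values are not handled)."""
    return ','.join(part.strip() for part in dn.split(',')).lower()


def parse_access_log(text):
    """Return {(conn, op): record} with each RESULT merged into its request."""
    ops = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner or continuation line, not an operation
        key = (int(m['conn']), int(m['op']))
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m['rest'])}
        rec = ops.setdefault(key, {})
        if m['kind'] == 'RESULT':
            rec['err'] = int(fields.get('err', -1))
            rec['nentries'] = int(fields.get('nentries', 0))
        else:
            rec['kind'] = m['kind']
            rec.update(fields)
    return ops


def audit_subtree_removal(text, base_dn):
    """Did the DELs that followed a scope=2 SRCH on base_dn remove everything
    that search returned, including base_dn itself?"""
    base = norm_dn(base_dn)
    ops = parse_access_log(text)
    expected, deleted, failed = None, [], []
    for key in sorted(ops):  # chronological: by connection, then operation
        rec = ops[key]
        if (rec.get('kind') == 'SRCH' and rec.get('scope') == '2'
                and norm_dn(rec.get('base', '')) == base):
            expected = rec.get('nentries')
        elif rec.get('kind') == 'DEL':
            dn = norm_dn(rec.get('dn', ''))
            if dn == base or dn.endswith(',' + base):
                if rec.get('err') == 0:
                    deleted.append(rec['dn'])
                else:
                    failed.append(rec['dn'])
    base_deleted = any(norm_dn(d) == base for d in deleted)
    # A subtree search counts the base entry, so a complete removal deletes
    # exactly `expected` entries and the base entry is one of them.
    return {'expected': expected, 'deleted': deleted, 'failed': failed,
            'base_deleted': base_deleted,
            'complete': (expected is not None and len(deleted) == expected
                         and base_deleted)}


MASTER_ENTRY_DN = 'cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net'

# The access-log excerpt Ludwig quoted in this thread.
THREAD_ACCESS_LOG = """\
[09/Jun/2015:08:32:42 -0400] conn=150 op=52 SRCH base="cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net" scope=2 filter="(objectClass=*)" attrs=ALL
[09/Jun/2015:08:32:42 -0400] conn=150 op=52 RESULT err=0 tag=101 nentries=8 etime=0 notes=U
[09/Jun/2015:08:32:42 -0400] conn=150 op=53 DEL dn="cn=KDC,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
[09/Jun/2015:08:32:42 -0400] conn=150 op=53 RESULT err=0 tag=107 nentries=0 etime=0 csn=5576dceb000600040000
[09/Jun/2015:08:32:42 -0400] conn=150 op=54 DEL dn="cn=KPASSWD,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
[09/Jun/2015:08:32:42 -0400] conn=150 op=54 RESULT err=0 tag=107 nentries=0 etime=0 csn=5576dceb000700040000
[09/Jun/2015:08:32:42 -0400] conn=150 op=55 DEL dn="cn=MEMCACHE,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
[09/Jun/2015:08:32:43 -0400] conn=150 op=55 RESULT err=0 tag=107 nentries=0 etime=1 csn=5576dcec000100040000
[09/Jun/2015:08:32:43 -0400] conn=150 op=56 UNBIND
"""

# Constructed counter-example: a two-entry subtree removed completely
# (host name, timestamps and csn values are made up for this example).
CLEAN_BASE_DN = 'cn=x.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test'
CLEAN_REMOVAL_LOG = """\
[09/Jun/2015:09:00:00 -0400] conn=7 op=1 SRCH base="cn=x.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test" scope=2 filter="(objectClass=*)" attrs=ALL
[09/Jun/2015:09:00:00 -0400] conn=7 op=1 RESULT err=0 tag=101 nentries=2 etime=0
[09/Jun/2015:09:00:00 -0400] conn=7 op=2 DEL dn="cn=KDC,cn=x.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test"
[09/Jun/2015:09:00:00 -0400] conn=7 op=2 RESULT err=0 tag=107 nentries=0 etime=0 csn=0000000000000000000a
[09/Jun/2015:09:00:01 -0400] conn=7 op=3 DEL dn="cn=x.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test"
[09/Jun/2015:09:00:01 -0400] conn=7 op=3 RESULT err=0 tag=107 nentries=0 etime=0 csn=0000000000000000000b
"""

if __name__ == '__main__':
    for log, dn in ((THREAD_ACCESS_LOG, MASTER_ENTRY_DN),
                    (CLEAN_REMOVAL_LOG, CLEAN_BASE_DN)):
        r = audit_subtree_removal(log, dn)
        print(f"{dn}: expected {r['expected']}, deleted {len(r['deleted'])}, "
              f"base deleted: {r['base_deleted']}, complete: {r['complete']}")
```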
From: ofayans at redhat.com (Oleg Fayans)
Date: Tue, 09 Jun 2015 17:35:36 +0200
Subject: [Freeipa-devel] topology issues
In-Reply-To: <55770703.8030202@redhat.com>
References: <5576F055.2060603@redhat.com> <5576F26C.7010802@redhat.com> <5576F4D8.80907@redhat.com> <5576F5E6.2030502@redhat.com> <5576F755.7080809@redhat.com> <55770703.8030202@redhat.com>
Message-ID: <557707C8.5070902@redhat.com>

On 06/09/2015 05:32 PM, Ludwig Krispenz wrote:
> Hi Oleg,
> thanks for access to your machine, the replication agreements are
> still there - and that is expected since the server was not removed.
>
> In the access log I see:
>
> [09/Jun/2015:08:32:42 -0400] conn=150 op=52 SRCH
> base="cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
> scope=2 filter="(objectClass=*)" attrs=ALL
> [09/Jun/2015:08:32:42 -0400] conn=150 op=52 RESULT err=0 tag=101
> nentries=8 etime=0 notes=U
> [09/Jun/2015:08:32:42 -0400] conn=150 op=53 DEL
> dn="cn=KDC,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
> [09/Jun/2015:08:32:42 -0400] conn=150 op=53 RESULT err=0 tag=107
> nentries=0 etime=0 csn=5576dceb000600040000
> [09/Jun/2015:08:32:42 -0400] conn=150 op=54 DEL
> dn="cn=KPASSWD,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
> [09/Jun/2015:08:32:42 -0400] conn=150 op=54 RESULT err=0 tag=107
> nentries=0 etime=0 csn=5576dceb000700040000
> [09/Jun/2015:08:32:42 -0400] conn=150 op=55 DEL
> dn="cn=MEMCACHE,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
> [09/Jun/2015:08:32:43 -0400] conn=150 op=55 RESULT err=0 tag=107
> nentries=0 etime=1 csn=5576dcec000100040000
> [09/Jun/2015:08:32:43 -0400] conn=150 op=56 UNBIND
>
> the search for cn=f22replica1.bagam.net,cn=masters,.... returns 8
> entries, which then should be deleted, but only 3 are deleted and the
> cn=f22replica1.bagam.net,cn=masters,... entry is not deleted, so the
> topology segments are not deleted, and the agreement is not removed.
>
> I don't know why ipa-replica-manage del stops deleting services
> and the master entry
You are welcome. This issue gets reproduced regularly, so it is hardly an accidental disconnect.
>
> On 06/09/2015 04:25 PM, Oleg Fayans wrote:
>>
>> On 06/09/2015 04:19 PM, Ludwig Krispenz wrote:
>>>
>>> On 06/09/2015 04:14 PM, Oleg Fayans wrote:
>>>>
>>>> On 06/09/2015 04:04 PM, Ludwig Krispenz wrote:
>>>>>
>>>>> On 06/09/2015 03:55 PM, Oleg Fayans wrote:
>>>>>> Hi everybody,
>>>>>>
>>>>>> The current status of Topology plugin testing is as follows:
>>>>>>
>>>>>> 1. There is still no proper way of removing the replica.
>>>>>> Standard procedure using `ipa-replica-manage del` throws "Server
>>>>>> is unwilling to perform: Entry is managed by topology
>>>>>> plugin.Deletion not allowed.".
>>>>> yes, that is for the first attempt to directly remove the
>>>>> agreement, but when the server is removed the agreements should be
>>>>> removed
>>>> We should probably think of less threatening error message in this
>>>> case. Just from reading the command output one might conclude that
>>>> replica removal failed.
>>>>>> The replication agreement though does get deleted,
>>>>> then it is ok,
>>>>>> but the topology information does not get updated.
>>>>> what do you mean, where do you check ? in the "remaining" topology
>>>>> the shared tree should be updated, for the removed replica it will
>>>>> not, but this should be uninstalled anyway
>>>> The problem here, is that the topology information does not get
>>>> updated on master as well.
>>> could you be a bit more precise. what do you still see ? the
>>> agreement will be only removed if the segment is removed, and this
>>> should be replicated to all servers in the remaining topology - if
>>> you don't disconnect it by removing the replica.
>>> and what was the topology structure and which replica did you
>>> remove, on which server did you remove it?
>> So, Here is the results of the `topologysegment-find` command before
>> replica removal:
>> root at f22master:/var/log/dirsrv/slapd-BAGAM-NET]$ ipa topologysegment-find
>> Suffix name: realm
>> ------------------
>> 2 segments matched
>> ------------------
>> Segment name: f22master.bagam.net-to-f22replica1.bagam.net
>> Left node: f22master.bagam.net
>> Right node: f22replica1.bagam.net
>> Connectivity: both
>>
>> Segment name: f22master.bagam.net-to-f22replica2.bagam.net
>> Left node: f22master.bagam.net
>> Right node: f22replica2.bagam.net
>> Connectivity: both
>> ----------------------------
>> Number of entries returned 2
>> ----------------------------
>> Then, after issuing `ipa-replica-manage-del f2replica1.bagam.net
>> --force` on the master, the same command on master still shows
>> exactly the same topology:
>>
>> root at f22master:/var/log/dirsrv/slapd-BAGAM-NET]$ ipa topologysegment-find
>> Suffix name: realm
>> ------------------
>> 2 segments matched
>> ------------------
>> Segment name: f22master.bagam.net-to-f22replica1.bagam.net
>> Left node: f22master.bagam.net
>> Right node: f22replica1.bagam.net
>> Connectivity: both
>>
>> Segment name: f22master.bagam.net-to-f22replica2.bagam.net
>> Left node: f22master.bagam.net
>> Right node: f22replica2.bagam.net
>> Connectivity: both
>> ----------------------------
>> Number of entries returned 2
>> ----------------------------
>>
>>>>>> When I then issue `ipa topologysegment-del`, it fails due to
>>>>>> "ipa: ERROR: Server is unwilling to perform: Removal of Segment
>>>>>> disconnects topology.Deletion not allowed."
>>>>> correct, you can only do it after removal of the server
>>>> I do not get it. Master still thinks it has the replica, it
>>>> displays it both in CLI using `ipa topologysegment-find` and in the
>>>> web-ui. (although it does not show it using `ipa host-find`, which
>>>> is correct), and there is no way to manually make it change its mind?
>>>>>>
>>>>>> I tried to disable the segment first and then delete it, but with
>>>>>> the segment properly disabled, the attempt to delete it raised a
>>>>>> GSS error: "ipa: ERROR: Kerberos error: Kerberos error:
>>>>>> ('Unspecified GSS failure. Minor code may provide more
>>>>>> information', 851968)/('KDC returned error string: PROCESS_TGS',
>>>>>> -1765328324)/". I am not sure, where to search for corresponding
>>>>>> logs. The session transcript is attached.
>>>>>>
>>>>>> 2. The following is probably unrelated to the topology plugin:
>>>>>> I installed a replica with --setup-ca option. Then, on this
>>>>>> replica tried to prepare another replica:
>>>>>> ------------------------------------------------------------
>>>>>>
>>>>>> root at f22replica2:/home/ofayans/f22]$ ipa-replica-prepare
>>>>>> --ip-address 192.168.122.141 f22replica3.bagam.net
>>>>>> Directory Manager (existing master) password:
>>>>>>
>>>>>> Preparing replica for f22replica3.bagam.net from
>>>>>> f22replica2.bagam.net
>>>>>> Creating SSL certificate for the Directory Server
>>>>>> Certificate issuance failed
>>>>>> ------------------------------------------------------------
>>>>>>
>>>>>> The corresponding line in the dirsrv log:
>>>>>> [09/Jun/2015:09:54:46 -0400] - Entry
>>>>>> "uid=admin,ou=people,o=ipaca" -- attribute "krbExtraData" not
>>>>>> allowed
>>>>>>
>>>>
>>>> --
>>>> Oleg Fayans
>>>> Quality Engineer
>>>> FreeIPA team
>>>> RedHat.
>>>>
>>
>> --
>> Oleg Fayans
>> Quality Engineer
>> FreeIPA team
>> RedHat.
>>
>

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

From: derny at redhat.com (Drew Erny)
Date: Tue, 09 Jun 2015 16:15:21 -0400
Subject: [Freeipa-devel] Community Portal Milestone
In-Reply-To: <5576EA1B.7050300@redhat.com>
References: <5575EF16.5090808@redhat.com> <5576C04F.9070903@redhat.com> <5576EA1B.7050300@redhat.com>
Message-ID: <55774959.10503@redhat.com>

Hey, Freeipa, same thread new subtopic.

So, I was bouncing some ideas around with another developer (ayoung) and I think I have a pretty good idea for self-service user registration.

The idea is that I put self-service user registration into its own application that calls out to ipa user-add after getting admin approval.

Workflow goes like this:

1.) User goes to registration page, inputs details into form. Registration page and application are not part of FreeIPA.
2.) User's registration goes into a non-FreeIPA database, something like SQLite.
3.) Admin gets a notification email with a link to approve/deny registration.
    A.) Admin clicks approval link, registration application (which has limited privileges) makes call out to ipa user-add command, adding the new user to FreeIPA.
    B.) Admin clicks deny link, user is not added.
4.) User's registration information, approved or denied, is deleted from the external database.

This has a couple of advantages. For starters, it provides a layer of protection against the creation of spam accounts. Accounts do not add directly to LDAP (inserting to LDAP is a slow operation), instead sit in intermediate area waiting approval. Second, we don't have to write a big extension to ipa user-add or staginguser-add that allows anonymous access to that command. Third, it can be bundled into its own package and given to the community separate from FreeIPA proper. Finally, it would allow me to gracefully defer becoming buried up to my neck in D-Bus notifications and whatever other fanciness we want to send email, because FreeIPA won't be sending the email.

Opinions?

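Drew's workflow leaves open how the approve/deny links of step 3 are protected, and the portal is the only thing standing between anonymous form input and `ipa user-add`, so a link must not be guessable, forgeable or usable twice. The following Python sketch is an added example, not code from the portal Drew describes or from FreeIPA: it keeps the SQLite queue of step 2, signs each link with an HMAC over the registration id, the action and an expiry, and makes every link single-use by deleting the row before acting. `TOKEN_KEY`, `TOKEN_TTL` and the `pending` table are assumptions of this example, and the `ipa user-add` command line is returned rather than executed.

```python
import hashlib
import hmac
import secrets
import sqlite3
import time

# Assumed portal settings: the key would be loaded from a protected file in
# a real deployment, and the TTL is a choice made for this example.
TOKEN_KEY = secrets.token_bytes(32)
TOKEN_TTL = 24 * 3600  # approval links stop working after a day


def open_queue(path=':memory:'):
    """Create the intermediate store of step 2 (SQLite, as Drew suggests)."""
    db = sqlite3.connect(path)
    db.execute('CREATE TABLE IF NOT EXISTS pending ('
               ' id TEXT PRIMARY KEY, login TEXT, first TEXT, last TEXT,'
               ' email TEXT, submitted INTEGER)')
    return db


def submit_registration(db, login, first, last, email):
    """Step 2: park the request outside LDAP and return an unguessable id."""
    reg_id = secrets.token_urlsafe(16)
    db.execute('INSERT INTO pending VALUES (?, ?, ?, ?, ?, ?)',
               (reg_id, login, first, last, email, int(time.time())))
    db.commit()
    return reg_id


def make_link_token(reg_id, action, now=None):
    """Step 3: the MAC binds the link to one request and one action, so a
    registrant who learns their own id still cannot mint an approval."""
    assert action in ('approve', 'deny')
    expires = int(now if now is not None else time.time()) + TOKEN_TTL
    msg = f'{reg_id}:{action}:{expires}'.encode()
    mac = hmac.new(TOKEN_KEY, msg, hashlib.sha256).hexdigest()
    return f'{reg_id}:{action}:{expires}:{mac}'


def consume_link_token(db, token, now=None):
    """Steps 3A/3B/4: verify the link, act on it once, drop the row.
    Returns the `ipa user-add` argv the portal would run, or None on deny;
    raises ValueError for forged, expired or already-used links."""
    try:
        reg_id, action, expires, mac = token.split(':')
    except ValueError:
        raise ValueError('malformed token')
    msg = f'{reg_id}:{action}:{expires}'.encode()
    good = hmac.new(TOKEN_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, good):
        raise ValueError('bad signature')
    if int(expires) < int(now if now is not None else time.time()):
        raise ValueError('link expired')
    row = db.execute('SELECT login, first, last, email FROM pending WHERE id = ?',
                     (reg_id,)).fetchone()
    if row is None:
        raise ValueError('unknown or already processed registration')
    # Delete first: a link must work at most once even if user-add fails later.
    db.execute('DELETE FROM pending WHERE id = ?', (reg_id,))
    db.commit()
    if action == 'deny':
        return None
    login, first, last, email = row
    # What the limited-privilege portal account would run (not executed here).
    return ['ipa', 'user-add', login, '--first', first, '--last', last,
            '--email', email]


if __name__ == '__main__':
    queue = open_queue()
    rid = submit_registration(queue, 'jdoe', 'Jane', 'Doe', 'jdoe@example.test')
    print('approve link token:', make_link_token(rid, 'approve'))
    print('would run:', consume_link_token(queue, make_link_token(rid, 'approve')))
```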
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 9 Jun 2015 23:44:25 +0300
Subject: [Freeipa-devel] Community Portal Milestone
In-Reply-To: <55774959.10503@redhat.com>
References: <5575EF16.5090808@redhat.com> <5576C04F.9070903@redhat.com> <5576EA1B.7050300@redhat.com> <55774959.10503@redhat.com>
Message-ID: <20150609204425.GG4402@redhat.com>

On Tue, 09 Jun 2015, Drew Erny wrote:
>Hey, Freeipa, same thread new subtopic.
>
>So, I was bouncing some ideas around with another developer (ayoung)
>and I think I have a pretty good idea for self-service user
>registration.
>
>The idea is that I put self-service user registration into its own
>application that calls out to ipa user-add after getting admin
>approval.
>
>Workflow goes like this:
>
>1.) User goes to registration page, inputs details into form.
>Registration page and application are not part of FreeIPA.
>2.) User's registration goes into a non-FreeIPA database, something
>like SQLite.
>3.) Admin gets a notification email with a link to approve/deny
>registration.
>    A.) Admin clicks approval link, registration application (which
>has limited privileges) makes call out to ipa user-add command, adding
>the new user to FreeIPA.
>    B.) Admin clicks deny link, user is not added.
>4.) User's registration information, approved or denied, is deleted
>from the external database.
>
>This has a couple of advantages. For starters, it provides a layer of
>protection against the creation of spam accounts. Accounts do not add
>directly to LDAP (inserting to LDAP is a slow operation), instead sit
>in intermediate area waiting approval. Second, we don't have to write
>a big extension to ipa user-add or staginguser-add that allows
>anonymous access to that command. Third, it can be bundled into its
>own package and given to the community separate from FreeIPA proper.
>Finally, it would allow me to gracefully defer becoming buried up to
>my neck in D-Bus notifications and whatever other fanciness we want to
>send email, because FreeIPA won't be sending the email.
>
>Opinions?
Sounds good. For an external application like your portal to be able to call IPA CLI (or JSON) with Kerberos on behalf of an admin, you need to support S4U2Proxy configuration. See https://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/ for details on how to make it work. This would allow you to have an application running on a separate IPA client and still be able to re-use admin Kerberos credentials to perform the work after the admin granted the permission to create a user or to reset a password.

See also https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/ on how to communicate with IPA over JSON directly, without any dependency on the IPA client tools.

--
/ Alexander Bokovoy

From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 09 Jun 2015 16:13:18 -0500
Subject: [Freeipa-devel] [PATCH] Password vault
In-Reply-To: <557568CB.3040503@redhat.com>
References: <54E1AF55.3060409@redhat.com> <54EBEB55.6010306@redhat.com> <54F96B22.9050507@redhat.com> <55004D5D.6060300@redhat.com> <550FE5EB.1070606@redhat.com> <551E0AE1.8040500@redhat.com> <553498D1.1020901@redhat.com> <55651209.8020000@redhat.com> <556558AA.6040107@redhat.com> <556CF209.7050404@redhat.com> <556EF05E.90103@redhat.com> <55719260.8080300@redhat.com> <5571FD75.5010708@redhat.com> <557568CB.3040503@redhat.com>
Message-ID: <557756EE.8020507@redhat.com>

Please take a look at the attached patch to add symmetric & asymmetric vaults.

Some comments about the patch:

1. The vault_add was split into a client-side vault_add and server-side vault_add_internal since the parameters are different (i.e. public key file and future escrow-related params). Since vault_add inherits from Local all non-primary-key attributes have to be added explicitly.

2. Since the vault_archive_internal inherits from Update, it accepts all non primary-key attributes automatically. This is incorrect since we don't want to update these parameters during archival. Can this behavior be overridden?

--
Endi S. Dewata

-------------- next part --------------
From 9cc5b1a22c4545124a13e73343db598d6fb58b2c Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" Date: Fri, 24 Oct 2014 19:53:16 -0400 Subject: [PATCH] Added symmetric and asymmetric vaults. The vault plugin has been modified to support symmetric and asymmetric vaults to provide additional security over the standard vault by encrypting the data before it's sent to the server. The encryption functionality is implemented using the python-cryptography library. https://fedorahosted.org/freeipa/ticket/3872 --- API.txt | 52 ++- VERSION | 4 +- freeipa.spec.in | 2 + install/share/60basev3.ldif | 4 +- ipalib/plugins/vault.py | 507 +++++++++++++++++++++++++++--- ipatests/test_xmlrpc/test_vault_plugin.py | 218 +++++++++++-- 6 files changed, 717 insertions(+), 70 deletions(-) diff --git a/API.txt b/API.txt index 9e3f223b7ac338840d7090299f9108e951ea920a..2ce57fb09293bf3cf1f82f4d0bf4e93b30e0fd60 100644 --- a/API.txt +++ b/API.txt 
@@ -5132,14 +5132,33 @@ output: Output('result', , None) output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) command: vault_add -args: 1,9,3 +args: 1,12,3 +arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) +option: Str('addattr*', cli_name='addattr', exclude='webui') +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('description?', cli_name='desc') +option: Bytes('ipapublickey?', cli_name='public_key') +option: Str('ipavaulttype?', cli_name='type') +option: Str('public_key_file?', cli_name='public_key_file') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('service?') +option: Str('setattr*', cli_name='setattr', exclude='webui') +option: Flag('shared?', autofill=True, default=False) +option: Str('user?') +option: Str('version?', exclude='webui') +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) +command: vault_add_internal +args: 1,10,3 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, required=True) -option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('description', attribute=True, cli_name='desc', multivalue=False, required=False) +option: Bytes('ipapublickey', attribute=True, cli_name='public_key', multivalue=False, required=False) +option: Bytes('ipavaultsalt', attribute=True, cli_name='salt', multivalue=False, required=False) +option: Str('ipavaulttype', attribute=True, autofill=True, cli_name='type', default=u'standard', multivalue=False, required=False) option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui') option: Str('service?') -option: Str('setattr*', cli_name='setattr', exclude='webui') option: Flag('shared?', autofill=True, default=False) option: Str('user?') option: Str('version?', exclude='webui') @@ -5147,11 +5166,13 @@ output: Entry('result', , Gettext('A dictionary representing an LDA output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) command: vault_archive -args: 1,8,3 +args: 1,10,3 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Bytes('data?') option: Str('in?') +option: Str('password?', cli_name='password') +option: Str('password_file?', cli_name='password_file') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('service?') option: Flag('shared?', autofill=True, default=False) 
@@ -5160,11 +5181,14 @@ option: Str('version?', exclude='webui') output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) -command: vault_archive_encrypted -args: 1,10,3 +command: vault_archive_internal +args: 1,13,3 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, required=False) +option: Bytes('ipapublickey', attribute=True, autofill=False, cli_name='public_key', multivalue=False, required=False) +option: Bytes('ipavaultsalt', attribute=True, autofill=False, cli_name='salt', multivalue=False, required=False) +option: Str('ipavaulttype', attribute=True, autofill=False, cli_name='type', default=u'standard', multivalue=False, required=False) option: Bytes('nonce') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('service?') 
@@ -5188,11 +5212,12 @@ output: Output('result', , None) output: Output('summary', (, ), None) output: ListOfPrimaryKeys('value', None, None) command: vault_find -args: 1,11,4 +args: 1,12,4 arg: Str('criteria?', noextrawhitespace=False) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('cn', attribute=True, autofill=False, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=False) option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, query=True, required=False) +option: Str('ipavaulttype', attribute=True, autofill=False, cli_name='type', default=u'standard', multivalue=False, query=True, required=False) option: Flag('pkey_only?', autofill=True, default=False) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('service?') 
@@ -5206,12 +5231,15 @@ output: ListOfEntries('result', (, ), Gettext('A list output: Output('summary', (, ), None) output: Output('truncated', , None) command: vault_mod -args: 1,11,3 +args: 1,14,3 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('delattr*', cli_name='delattr', exclude='webui') option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, required=False) +option: Bytes('ipapublickey', attribute=True, autofill=False, cli_name='public_key', multivalue=False, required=False) +option: Bytes('ipavaultsalt', attribute=True, autofill=False, cli_name='salt', multivalue=False, required=False) +option: Str('ipavaulttype', attribute=True, autofill=False, cli_name='type', default=u'standard', multivalue=False, required=False) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Flag('rights', autofill=True, default=False) option: Str('service?') 
@@ -5223,10 +5251,14 @@ output: Entry('result', , Gettext('A dictionary representing an LDA output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) command: vault_retrieve -args: 1,7,3 +args: 1,11,3 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('out?') +option: Str('password?', cli_name='password') +option: Str('password_file?', cli_name='password_file') +option: Bytes('private_key?', cli_name='private_key') +option: Str('private_key_file?', cli_name='private_key_file') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('service?') option: Flag('shared?', autofill=True, default=False) @@ -5235,7 +5267,7 @@ option: Str('version?', exclude='webui') output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) -command: vault_retrieve_encrypted +command: vault_retrieve_internal args: 1,7,3 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') diff --git a/VERSION b/VERSION index 535b3e228a3500f2013ea793b19a97d9fbd05021..efc3cf0d105db540680002cf814991f81816a089 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=126 -# Last change: edewata - added vault-archive and vault-retrieve +IPA_API_VERSION_MINOR=127 +# Last change: edewata - added symmetric and asymmetric vaults 
diff --git a/freeipa.spec.in b/freeipa.spec.in index 23c3d1a8005d36ce253f9979235454ba80c3dbcf..fdf89f98a95e9d2d2818bd2bf5c506df63abcd79 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -64,6 +64,7 @@ BuildRequires: python-ldap BuildRequires: python-setuptools BuildRequires: python-krbV BuildRequires: python-nss +BuildRequires: python-cryptography BuildRequires: python-netaddr BuildRequires: python-kerberos >= 1.1-14 BuildRequires: python-rhsm @@ -286,6 +287,7 @@ Requires: iproute Requires: keyutils Requires: pyOpenSSL Requires: python-nss >= 0.16 +Requires: python-cryptography Requires: python-lxml Requires: python-netaddr Requires: libipa_hbac-python diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif index 33f4804e30ff1b3814ecf295bb41f07e2a8cd12f..cb159db05a5371c71e421160f60140d85ba5496f 100644 --- a/install/share/60basev3.ldif +++ b/install/share/60basev3.ldif 
@@ -56,6 +56,8 @@ attributeTypes: (2.16.840.1.113730.3.8.11.64 NAME 'ipaSecretKeyRef' DESC 'DN of attributeTypes: (2.16.840.1.113730.3.8.11.65 NAME 'ipaWrappingMech' DESC 'PKCS#11 wrapping mechanism equivalent to CK_MECHANISM_TYPE' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.1') attributeTypes: (2.16.840.1.113730.3.8.11.70 NAME 'ipaPermTargetTo' DESC 'Destination location to move an entry IPA permission ACI' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v4.0' ) attributeTypes: (2.16.840.1.113730.3.8.11.71 NAME 'ipaPermTargetFrom' DESC 'Source location from where moving an entry IPA permission ACI' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v4.0' ) +attributeTypes: (2.16.840.1.113730.3.8.18.2.1 NAME 'ipaVaultType' DESC 'IPA vault type' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.2') +attributeTypes: (2.16.840.1.113730.3.8.18.2.2 NAME 'ipaVaultSalt' DESC 'IPA vault salt' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.2' ) objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup' SUP top STRUCTURAL MUST ( cn ) MAY ( ipaExternalMember $ memberOf $ description $ owner) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.2 NAME 'ipaNTUserAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) MAY ( ipaNTHash $ ipaNTLogonScript $ ipaNTProfilePath $ ipaNTHomeDirectory $ ipaNTHomeDirectoryDrive ) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.3 NAME 'ipaNTGroupAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' ) 
@@ -79,4 +81,4 @@ objectClasses: (2.16.840.1.113730.3.8.12.24 NAME 'ipaPublicKeyObject' DESC 'Wrap objectClasses: (2.16.840.1.113730.3.8.12.25 NAME 'ipaPrivateKeyObject' DESC 'Wrapped private keys' SUP top AUXILIARY MUST ( ipaPrivateKey $ ipaWrappingKey $ ipaWrappingMech ) X-ORIGIN 'IPA v4.1' ) objectClasses: (2.16.840.1.113730.3.8.12.26 NAME 'ipaSecretKeyObject' DESC 'Wrapped secret keys' SUP top AUXILIARY MUST ( ipaSecretKey $ ipaWrappingKey $ ipaWrappingMech ) X-ORIGIN 'IPA v4.1' ) objectClasses: (2.16.840.1.113730.3.8.12.34 NAME 'ipaSecretKeyRefObject' DESC 'Indirect storage for encoded key material' SUP top AUXILIARY MUST ( ipaSecretKeyRef ) X-ORIGIN 'IPA v4.1' ) -objectClasses: (2.16.840.1.113730.3.8.18.1.1 NAME 'ipaVault' DESC 'IPA vault' SUP top STRUCTURAL MUST ( cn ) MAY ( description ) X-ORIGIN 'IPA v4.2' ) +objectClasses: (2.16.840.1.113730.3.8.18.1.1 NAME 'ipaVault' DESC 'IPA vault' SUP top STRUCTURAL MUST ( cn ) MAY ( description $ ipaVaultType $ ipaVaultSalt $ ipaPublicKey ) X-ORIGIN 'IPA v4.2' ) diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py index e1e64aa40331067e610661142fc7e4c1340a56dd..687e5da6e711ea376cea28d2631eea7626ccf51f 100644 --- a/ipalib/plugins/vault.py +++ b/ipalib/plugins/vault.py @@ -18,11 +18,20 @@ # along with this program. If not, see . import base64 +import getpass import json import os import sys import tempfile +from cryptography.fernet import Fernet, InvalidToken +from cryptography.hazmat.backends import default_backend +from cryptography.hazmat.primitives import hashes +from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC +from cryptography.hazmat.primitives.asymmetric import padding +from cryptography.hazmat.primitives.serialization import load_pem_public_key,\ + load_pem_private_key + import nss.nss as nss import krbV 
@@ -50,6 +59,36 @@ Vaults """) + _(""" Manage vaults. """) + _(""" +Vault is a secure place to store a secret. +""") + _(""" +Based on the ownership there are three vault categories: +* user/private vault +* service vault +* shared vault +""") + _(""" +User vaults are vaults owned used by a particular user. Private +vaults are vaults owned the current user. Service vaults are +vaults owned by a service. Shared vaults are owned by the admin +but they can be used by other users or services. +""") + _(""" +Based on the security mechanism there are three types of +vaults: +* standard vault +* symmetric vault +* asymmetric vault +""") + _(""" +Standard vault uses a secure mechanism to transport and +store the secret. The secret can only be retrieved by users +that have access to the vault. +""") + _(""" +Symmetric vault is similar to the standard vault, but it +pre-encrypts the secret using a password before transport. +The secret can only be retrieved using the same password. +""") + _(""" +Asymmetric vault is similar to the standard vault, but it +pre-encrypts the secret using a public key before transport. +The secret can only be retrieved using the private key. +""") + _(""" EXAMPLES: """) + _(""" List private vaults: @@ -76,6 +115,12 @@ EXAMPLES: Add a user vault: ipa vault-add --user """) + _(""" + Add a symmetric vault: + ipa vault-add --type symmetric +""") + _(""" + Add an asymmetric vault: + ipa vault-add --type asymmetric +""") + _(""" Show a private vault: ipa vault-show """) + _(""" @@ -113,7 +158,7 @@ EXAMPLES: ipa vault-del --user """) + _(""" Display vault configuration: - ipa vault-config + ipa vaultconfig-show """) + _(""" Archive data into private vault: ipa vault-archive --in 
@@ -127,6 +172,12 @@ EXAMPLES: Archive data into user vault: ipa vault-archive --user --in """) + _(""" + Archive data into symmetric vault: + ipa vault-archive --in +""") + _(""" + Archive data into asymmetric vault: + ipa vault-archive --in +""") + _(""" Retrieve data from private vault: ipa vault-retrieve --out """) + _(""" @@ -137,7 +188,13 @@ EXAMPLES: ipa vault-retrieve --shared --out """) + _(""" Retrieve data from user vault: - ipa vault-retrieve --user --out + ipa vault-retrieve --user --out +""") + _(""" + Retrieve data from symmetric vault: + ipa vault-retrieve --out data.bin +""") + _(""" + Retrieve data from asymmetric vault: + ipa vault-retrieve --out data.bin --private-key-file private.pem """) register = Registry() @@ -146,7 +203,7 @@ register = Registry() vault_options = ( Str( 'service?', - doc=_('Service name'), + doc=_('Service name of the service vault'), ), Flag( 'shared?', @@ -154,7 +211,7 @@ vault_options = ( ), Str( 'user?', - doc=_('Username'), + doc=_('Username of the user vault'), ), ) @@ -174,6 +231,14 @@ class vault(LDAPObject): default_attributes = [ 'cn', 'description', + 'ipavaulttype', + 'ipavaultsalt', + 'ipapublickey', + ] + search_display_attributes = [ + 'cn', + 'description', + 'ipavaulttype', ] label = _('Vaults') @@ -195,6 +260,28 @@ class vault(LDAPObject): label=_('Description'), doc=_('Vault description'), ), + Str( + 'ipavaulttype?', + cli_name='type', + label=_('Type'), + doc=_('Vault type'), + default=u'standard', + autofill=True, + ), + Bytes( + 'ipavaultsalt?', + cli_name='salt', + label=_('Salt'), + doc=_('Vault salt'), + flags=['no_search'], + ), + Bytes( + 'ipapublickey?', + cli_name='public_key', + label=_('Public key'), + doc=_('Vault public key'), + flags=['no_search'], + ), ) def get_dn(self, *keys, **options): 
@@ -307,12 +394,168 @@ class vault(LDAPObject): return 'ipa:' + id + def get_password(self): + """ + Gets password from user. + """ + return getpass.getpass('Password: ').decode(sys.stdin.encoding) + + def generate_symmetric_key(self, password, salt): + """ + Generates symmetric key from password and salt. + """ + kdf = PBKDF2HMAC( + algorithm=hashes.SHA256(), + length=32, + salt=salt, + iterations=100000, + backend=default_backend() + ) + + return base64.b64encode(kdf.derive(password.encode('utf-8'))) + + def encrypt(self, data, symmetric_key=None, public_key=None): + """ + Encrypts data with symmetric key or public key. + """ + if symmetric_key: + fernet = Fernet(symmetric_key) + return fernet.encrypt(data) + + elif public_key: + rsa_public_key = load_pem_public_key( + data=public_key, + backend=default_backend() + ) + return rsa_public_key.encrypt( + data, + padding.OAEP( + mgf=padding.MGF1(algorithm=hashes.SHA1()), + algorithm=hashes.SHA1(), + label=None + ) + ) + + def decrypt(self, data, symmetric_key=None, private_key=None): + """ + Decrypts data with symmetric key or public key. 
+ """ + if symmetric_key: + try: + fernet = Fernet(symmetric_key) + return fernet.decrypt(data) + except InvalidToken: + raise errors.AuthenticationError( + message=_('Invalid credentials')) + + elif private_key: + try: + rsa_private_key = load_pem_private_key( + data=private_key, + password=None, + backend=default_backend() + ) + return rsa_private_key.decrypt( + data, + padding.OAEP( + mgf=padding.MGF1(algorithm=hashes.SHA1()), + algorithm=hashes.SHA1(), + label=None + ) + ) + except AssertionError: + raise errors.AuthenticationError( + message=_('Invalid credentials')) + @register() -class vault_add(LDAPCreate): +class vault_add(PKQuery, Local): __doc__ = _('Create a new vault.') - takes_options = LDAPCreate.takes_options + vault_options + takes_options = LDAPCreate.takes_options + vault_options + ( + Str( + 'description?', + cli_name='desc', + doc=_('Vault description'), + ), + Str( + 'ipavaulttype?', + cli_name='type', + doc=_('Vault type'), + ), + Bytes( + 'ipapublickey?', + cli_name='public_key', + doc=_('Vault public key'), + ), + Str( # TODO: use File parameter + 'public_key_file?', + cli_name='public_key_file', + doc=_('File containing the vault public key'), + ), + ) + + has_output = output.standard_entry + + def forward(self, *args, **options): + + vault_type = options.get('ipavaulttype', u'standard') + public_key = options.get('ipapublickey') + public_key_file = options.get('public_key_file') + + # don't send these parameters to server + if 'ipapublickey' in options: + del options['ipapublickey'] + if 'public_key_file' in options: + del options['public_key_file'] + + if self.api.env.in_server: + backend = self.api.Backend.ldap2 + else: + backend = self.api.Backend.rpcclient + if not backend.isconnected(): + backend.connect(ccache=krbV.default_context().default_ccache()) + + if vault_type == u'standard': + + pass + + elif vault_type == u'symmetric': + + # generate vault salt + options['ipavaultsalt'] = os.urandom(16) + + elif vault_type == 
u'asymmetric': + + # get new vault public key + if public_key and public_key_file: + raise errors.MutuallyExclusiveError( + reason=_('Public key specified multiple times')) + + elif public_key: + pass + + elif public_key_file: + with open(public_key_file, 'rb') as f: + public_key = f.read() + + else: + raise errors.ValidationError( + name='ipapublickey', + error=_('Missing vault public key')) + + # store vault public key + options['ipapublickey'] = public_key + + return self.api.Command.vault_add_internal(*args, **options) + + + at register() +class vault_add_internal(LDAPCreate): + + NO_CLI = True + + takes_options = vault_options msg_summary = _('Added vault "%(value)s"') @@ -513,29 +756,46 @@ class vault_archive(PKQuery, Local): 'in?', doc=_('File containing data to archive'), ), + Str( + 'password?', + cli_name='password', + doc=_('Vault password'), + ), + Str( # TODO: use File parameter + 'password_file?', + cli_name='password_file', + doc=_('File containing the vault password'), + ), ) has_output = output.standard_entry - msg_summary = _('Archived data into vault "%(value)s"') - def forward(self, *args, **options): + name = args[-1] + data = options.get('data') input_file = options.get('in') + password = options.get('password') + password_file = options.get('password_file') + # don't send these parameters to server if 'data' in options: del options['data'] if 'in' in options: del options['in'] + if 'password' in options: + del options['password'] + if 'password_file' in options: + del options['password_file'] # get data if data and input_file: raise errors.MutuallyExclusiveError( reason=_('Input data specified multiple times')) - if input_file: + elif input_file: with open(input_file, 'rb') as f: data = f.read() 
@@ -549,13 +809,69 @@ class vault_archive(PKQuery, Local): if not backend.isconnected(): backend.connect(ccache=krbV.default_context().default_ccache()) + # retrieve vault info + vault = self.api.Command.vault_show(*args, **options)['result'] + + vault_type = vault['ipavaulttype'][0] + + if vault_type == u'standard': + + encrypted_key = None + + elif vault_type == u'symmetric': + + salt = vault['ipavaultsalt'][0] + + # get password + if password and password_file: + raise errors.MutuallyExclusiveError( + reason=_('Password specified multiple times')) + + elif password: + pass + + elif password_file: + with open(password_file) as f: + password = f.read().rstrip('\n').decode('utf-8') + + else: + password = self.obj.get_password() + + # generate encryption key from vault password + encryption_key = self.obj.generate_symmetric_key( + password, salt) + + # encrypt data with encryption key + data = self.obj.encrypt(data, symmetric_key=encryption_key) + + encrypted_key = None + + elif vault_type == u'asymmetric': + + public_key = vault['ipapublickey'][0].encode('utf-8') + + # generate encryption key + encryption_key = base64.b64encode(os.urandom(32)) + + # encrypt data with encryption key + data = self.obj.encrypt(data, symmetric_key=encryption_key) + + # encrypt encryption key with public key + encrypted_key = self.obj.encrypt( + encryption_key, public_key=public_key) + + else: + raise errors.ValidationError( + name='vault_type', + error=_('Invalid vault type')) + # initialize NSS database current_dbdir = paths.IPA_NSSDB_DIR nss.nss_init(current_dbdir) # retrieve transport certificate - config = self.api.Command.vaultconfig_show() - transport_cert_der = config['result']['transport_cert'] + config = self.api.Command.vaultconfig_show()['result'] + transport_cert_der = config['transport_cert'] nss_transport_cert = nss.Certificate(transport_cert_der) # generate session key 
@@ -579,6 +895,10 @@ class vault_archive(PKQuery, Local): vault_data = {} vault_data[u'data'] = base64.b64encode(data).decode('utf-8') + if encrypted_key: + vault_data[u'encrypted_key'] = base64.b64encode(encrypted_key)\ + .decode('utf-8') + json_vault_data = json.dumps(vault_data) # wrap vault_data with session key @@ -595,16 +915,12 @@ class vault_archive(PKQuery, Local): options['vault_data'] = wrapped_vault_data - response = self.api.Command.vault_archive_encrypted(*args, **options) - - response['result'] = {} - del response['summary'] - - return response + return self.api.Command.vault_archive_internal(*args, **options) @register() -class vault_archive_encrypted(Update): +class vault_archive_internal(Update): + NO_CLI = True takes_options = vault_options + ( @@ -622,6 +938,8 @@ class vault_archive_encrypted(Update): ), ) + msg_summary = _('Archived data into vault "%(value)s"') + def execute(self, *args, **options): if not self.api.env.enable_kra: @@ -633,8 +951,7 @@ class vault_archive_encrypted(Update): wrapped_session_key = options.pop('session_key') # retrieve vault info - result = self.api.Command.vault_show(*args, **options) - vault = result['result'] + vault = self.api.Command.vault_show(*args, **options)['result'] # connect to KRA kra_client = self.api.Backend.kra.get_client() @@ -666,7 +983,14 @@ class vault_archive_encrypted(Update): kra_account.logout() - return result + response = { + 'value': args[-1], + 'result': {}, + } + + response['summary'] = self.msg_summary % response + + return response @register() 
@@ -678,6 +1002,26 @@ class vault_retrieve(PKQuery, Local): 'out?', doc=_('File to store retrieved data'), ), + Str( + 'password?', + cli_name='password', + doc=_('Vault password'), + ), + Str( # TODO: use File parameter + 'password_file?', + cli_name='password_file', + doc=_('File containing the vault password'), + ), + Bytes( + 'private_key?', + cli_name='private_key', + doc=_('Vault private key'), + ), + Str( # TODO: use File parameter + 'private_key_file?', + cli_name='private_key_file', + doc=_('File containing the vault private key'), + ), ) has_output = output.standard_entry @@ -688,15 +1032,28 @@ class vault_retrieve(PKQuery, Local): ), ) - msg_summary = _('Retrieved data from vault "%(value)s"') - def forward(self, *args, **options): + name = args[-1] + output_file = options.get('out') + password = options.get('password') + password_file = options.get('password_file') + private_key = options.get('private_key') + private_key_file = options.get('private_key_file') + # don't send these parameters to server if 'out' in options: del options['out'] + if 'password' in options: + del options['password'] + if 'password_file' in options: + del options['password_file'] + if 'private_key' in options: + del options['private_key'] + if 'private_key_file' in options: + del options['private_key_file'] if self.api.env.in_server: backend = self.api.Backend.ldap2 
@@ -705,13 +1062,18 @@ class vault_retrieve(PKQuery, Local): if not backend.isconnected(): backend.connect(ccache=krbV.default_context().default_ccache()) + # retrieve vault info + vault = self.api.Command.vault_show(*args, **options)['result'] + + vault_type = vault['ipavaulttype'][0] + # initialize NSS database current_dbdir = paths.IPA_NSSDB_DIR nss.nss_init(current_dbdir) # retrieve transport certificate - config = self.api.Command.vaultconfig_show() - transport_cert_der = config['result']['transport_cert'] + config = self.api.Command.vaultconfig_show()['result'] + transport_cert_der = config['transport_cert'] nss_transport_cert = nss.Certificate(transport_cert_der) # generate session key @@ -729,7 +1091,7 @@ class vault_retrieve(PKQuery, Local): # send retrieval request to server options['session_key'] = wrapped_session_key.data - response = self.api.Command.vault_retrieve_encrypted(*args, **options) + response = self.api.Command.vault_retrieve_internal(*args, **options) result = response['result'] nonce = result['nonce'] 
@@ -751,18 +1113,85 @@ class vault_retrieve(PKQuery, Local): vault_data = json.loads(json_vault_data) data = base64.b64decode(vault_data[u'data'].encode('utf-8')) + encrypted_key = None + + if 'encrypted_key' in vault_data: + encrypted_key = base64.b64decode(vault_data[u'encrypted_key'] + .encode('utf-8')) + + if vault_type == u'standard': + + pass + + elif vault_type == u'symmetric': + + salt = vault['ipavaultsalt'][0] + + # get encryption key from vault password + if password and password_file: + raise errors.MutuallyExclusiveError( + reason=_('Password specified multiple times')) + + elif password: + pass + + elif password_file: + with open(password_file) as f: + password = f.read().rstrip('\n').decode('utf-8') + + else: + password = self.obj.get_password() + + # generate encryption key from password + encryption_key = self.obj.generate_symmetric_key(password, salt) + + # decrypt data with encryption key + data = self.obj.decrypt(data, symmetric_key=encryption_key) + + elif vault_type == u'asymmetric': + + # get encryption key with vault private key + if private_key and private_key_file: + raise errors.MutuallyExclusiveError( + reason=_('Private key specified multiple times')) + + elif private_key: + pass + + elif private_key_file: + with open(private_key_file, 'rb') as f: + private_key = f.read() + + else: + raise errors.ValidationError( + name='private_key', + error=_('Missing vault private key')) + + # decrypt encryption key with private key + encryption_key = self.obj.decrypt( + encrypted_key, private_key=private_key) + + # decrypt data with encryption key + data = self.obj.decrypt(data, symmetric_key=encryption_key) + + else: + raise errors.ValidationError( + name='vault_type', + error=_('Invalid vault type')) + if output_file: with open(output_file, 'w') as f: f.write(data) - response['result'] = {'data': data} - del response['summary'] + else: + response['result'] = {'data': data} return response @register() -class vault_retrieve_encrypted(Retrieve): 
+class vault_retrieve_internal(Retrieve): + NO_CLI = True takes_options = vault_options + ( @@ -772,6 +1201,8 @@ class vault_retrieve_encrypted(Retrieve): ), ) + msg_summary = _('Retrieved data from vault "%(value)s"') + def execute(self, *args, **options): if not self.api.env.enable_kra: @@ -781,8 +1212,7 @@ class vault_retrieve_encrypted(Retrieve): wrapped_session_key = options.pop('session_key') # retrieve vault info - result = self.api.Command.vault_show(*args, **options) - vault = result['result'] + vault = self.api.Command.vault_show(*args, **options)['result'] # connect to KRA kra_client = self.api.Backend.kra.get_client() @@ -807,9 +1237,16 @@ class vault_retrieve_encrypted(Retrieve): key_info.get_key_id(), wrapped_session_key) - vault['vault_data'] = key.encrypted_data - vault['nonce'] = key.nonce_data - kra_account.logout() - return result + response = { + 'value': args[-1], + 'result': { + 'vault_data': key.encrypted_data, + 'nonce': key.nonce_data, + }, + } + + response['summary'] = self.msg_summary % response + + return response diff --git a/ipatests/test_xmlrpc/test_vault_plugin.py b/ipatests/test_xmlrpc/test_vault_plugin.py index 4b18672c102e9d1cc5513b159c4f903a711da3f4..d68d06f4b5d7634b48ff5672ece41ed50d69e089 100644 --- a/ipatests/test_xmlrpc/test_vault_plugin.py +++ b/ipatests/test_xmlrpc/test_vault_plugin.py 
@@ -22,15 +22,63 @@ Test the `ipalib/plugins/vault.py` module. """ from ipalib import api, errors -from xmlrpc_test import Declarative +from xmlrpc_test import Declarative, fuzzy_string vault_name = u'test_vault' service_name = u'HTTP/server.example.com' user_name = u'testuser' +standard_vault_name = u'standard_test_vault' +symmetric_vault_name = u'symmetric_test_vault' +asymmetric_vault_name = u'asymmetric_test_vault' + # binary data from \x00 to \xff secret = ''.join(map(chr, xrange(0, 256))) +password = u'password' + +public_key = """ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnT61EFxUOQgCJdM0tmw/ +pRRPDPGchTClnU1eBtiQD3ItKYf1+weMGwGOSJXPtkto7NlE7Qs8WHAr0UjyeBDe +k/zeB6nSVdk47OdaW1AHrJL+44r238Jbm/+7VO5lTu6Z4N5p0VqoWNLi0Uh/CkqB +tsxXaaAgjMp0AGq2U/aO/akeEYWQOYIdqUKVgAEKX5MmIA8tmbmoYIQ+B4Q3vX7N +otG4eR6c2o9Fyjd+M4Gai5Ce0fSrigRvxAYi8xpRkQ5yQn5gf4WVrn+UKTfOIjLO +pVThop+Xivcre3SpI0kt6oZPhBw9i8gbMnqifVmGFpVdhq+QVBqp+MVJvTbhRPG6 +3wIDAQAB +-----END PUBLIC KEY----- +""" + +private_key = """ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAnT61EFxUOQgCJdM0tmw/pRRPDPGchTClnU1eBtiQD3ItKYf1 ++weMGwGOSJXPtkto7NlE7Qs8WHAr0UjyeBDek/zeB6nSVdk47OdaW1AHrJL+44r2 +38Jbm/+7VO5lTu6Z4N5p0VqoWNLi0Uh/CkqBtsxXaaAgjMp0AGq2U/aO/akeEYWQ +OYIdqUKVgAEKX5MmIA8tmbmoYIQ+B4Q3vX7NotG4eR6c2o9Fyjd+M4Gai5Ce0fSr +igRvxAYi8xpRkQ5yQn5gf4WVrn+UKTfOIjLOpVThop+Xivcre3SpI0kt6oZPhBw9 +i8gbMnqifVmGFpVdhq+QVBqp+MVJvTbhRPG63wIDAQABAoIBAQCD2bXnfxPcMnvi +jaPwpvoDCPF0EBBHmk/0g5ApO2Qon3uBDJFUqbJwXrCY6o2d9MOJfnGONlKmcYA8 +X+d4h+SqwGjIkjxdYeSauS+Jy6Rzr1ptH/P8EjPQrfG9uJxYQDflV3nxYwwwVrx7 +8kccMPdteRB+8Bb7FzOHufMimmayCNFETnVT5CKH2PrYoPB+fr0itCipWOenDp33 +e73OV+K9U3rclmtHaoRxGohqByKfQRUkipjw4m+T3qfZZc5eN77RGW8J+oL1GVom +fwtiH7N1HVte0Dmd13nhiASg355kjqRPcIMPsRHvXkOpgg5HRUTKG5elqAyvvm27 +Fzj1YdeRAoGBAMnE61+FYh8qCyEGe8r6RGjO8iuoyk1t+0gBWbmILLBiRnj4K8Tc +k7HBG/pg3XCNbCuRwiLg8tk3VAAXzn6o+IJr3QnKbNCGa1lKfYU4mt11sBEyuL5V +NpZcZ8IiPhMlGyDA9cFbTMKOE08RqbOIdxOmTizFt0R5sYZAwOjEvBIZAoGBAMeC 
+N/P0bdrScFZGeS51wEdiWme/CO0IyGoqU6saI8L0dbmMJquiaAeIEjIKLqxH1RON +axhsyk97e0PCcc5QK62Utf50UUAbL/v7CpIG+qdSRYDO4bVHSCkwF32N3pYh/iVU +EsEBEkZiJi0dWa/0asDbsACutxcHda3RI5pi7oO3AoGAcbGNs/CUHt1xEfX2UaT+ +YVSjb2iYPlNH8gYYygvqqqVl8opdF3v3mYUoP8jPXrnCBzcF/uNk1HNx2O+RQxvx +lIQ1NGwlLsdfvBvWaPhBg6LqSHadVVrs/IMrUGA9PEp/Y9B3arIIqeSnCrn4Nxsh +higDCwWKRIKSPwVD7qXVGBkCgYEAu5/CASIRIeYgEXMLSd8hKcDcJo8o1MoauIT/ +1Hyrvw9pm0qrn2QHk3WrLvYWeJzBTTcEzZ6aEG+fN9UodA8/VGnzUc6QDsrCsKWh +hj0cArlDdeSZrYLQ4TNCFCiUePqU6QQM8weP6TMqlejxTKF+t8qi1bF5rCWuzP1P +D0UU7DcCgYAUvmEGckugS+FTatop8S/rmkcQ4Bf5M/YCZfsySavucDiHcBt0QtXt +Swh0XdDsYS3W1yj2XqqsQ7R58KNaffCHjjulWFzb5IiuSvvdxzWtiXHisOpO36MJ +kUlCMj24a8XsShzYTWBIyW2ngvGe3pQ9PfjkUdm0LGZjYITCBvgOKw== +-----END RSA PRIVATE KEY----- +""" + class test_vault_plugin(Declarative): @@ -42,6 +90,9 @@ class test_vault_plugin(Declarative): }), ('vault_del', [vault_name], {'shared': True, 'continue': True}), ('vault_del', [vault_name], {'user': user_name, 'continue': True}), + ('vault_del', [standard_vault_name], {'continue': True}), + ('vault_del', [symmetric_vault_name], {'continue': True}), + ('vault_del', [asymmetric_vault_name], {'continue': True}), ] tests = [ @@ -61,6 +112,7 @@ class test_vault_plugin(Declarative): % (vault_name, api.env.basedn), 'objectclass': [u'top', u'ipaVault'], 'cn': [vault_name], + 'ipavaulttype': [u'standard'], }, }, }, @@ -81,6 +133,7 @@ class test_vault_plugin(Declarative): 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' % (vault_name, api.env.basedn), 'cn': [vault_name], + 'ipavaulttype': [u'standard'], }, ], }, @@ -100,6 +153,7 @@ class test_vault_plugin(Declarative): 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' % (vault_name, api.env.basedn), 'cn': [vault_name], + 'ipavaulttype': [u'standard'], }, }, }, @@ -119,6 +173,7 @@ class test_vault_plugin(Declarative): 'result': { 'cn': [vault_name], 'description': [u'Test vault'], + 'ipavaulttype': [u'standard'], }, }, }, 
@@ -156,6 +211,7 @@ class test_vault_plugin(Declarative): % (vault_name, service_name, api.env.basedn), 'objectclass': [u'top', u'ipaVault'], 'cn': [vault_name], + 'ipavaulttype': [u'standard'], }, }, }, @@ -178,6 +234,7 @@ class test_vault_plugin(Declarative): 'dn': u'cn=%s,cn=%s,cn=services,cn=vaults,%s' % (vault_name, service_name, api.env.basedn), 'cn': [vault_name], + 'ipavaulttype': [u'standard'], }, ], }, @@ -199,6 +256,7 @@ class test_vault_plugin(Declarative): 'dn': u'cn=%s,cn=%s,cn=services,cn=vaults,%s' % (vault_name, service_name, api.env.basedn), 'cn': [vault_name], + 'ipavaulttype': [u'standard'], }, }, }, @@ -219,6 +277,7 @@ class test_vault_plugin(Declarative): 'result': { 'cn': [vault_name], 'description': [u'Test vault'], + 'ipavaulttype': [u'standard'], }, }, }, @@ -258,6 +317,7 @@ class test_vault_plugin(Declarative): % (vault_name, api.env.basedn), 'objectclass': [u'top', u'ipaVault'], 'cn': [vault_name], + 'ipavaulttype': [u'standard'], }, }, }, @@ -280,6 +340,7 @@ class test_vault_plugin(Declarative): 'dn': u'cn=%s,cn=shared,cn=vaults,%s' % (vault_name, api.env.basedn), 'cn': [vault_name], + 'ipavaulttype': [u'standard'], }, ], }, @@ -301,6 +362,7 @@ class test_vault_plugin(Declarative): 'dn': u'cn=%s,cn=shared,cn=vaults,%s' % (vault_name, api.env.basedn), 'cn': [vault_name], + 'ipavaulttype': [u'standard'], }, }, }, @@ -321,6 +383,7 @@ class test_vault_plugin(Declarative): 'result': { 'cn': [vault_name], 'description': [u'Test vault'], + 'ipavaulttype': [u'standard'], }, }, }, @@ -360,6 +423,7 @@ class test_vault_plugin(Declarative): % (vault_name, user_name, api.env.basedn), 'objectclass': [u'top', u'ipaVault'], 'cn': [vault_name], + 'ipavaulttype': [u'standard'], }, }, }, @@ -382,6 +446,7 @@ class test_vault_plugin(Declarative): 'dn': u'cn=%s,cn=%s,cn=users,cn=vaults,%s' % (vault_name, user_name, api.env.basedn), 'cn': [vault_name], + 'ipavaulttype': [u'standard'], }, ], }, 
@@ -403,6 +468,7 @@ class test_vault_plugin(Declarative): 'dn': u'cn=%s,cn=%s,cn=users,cn=vaults,%s' % (vault_name, user_name, api.env.basedn), 'cn': [vault_name], + 'ipavaulttype': [u'standard'], }, }, }, @@ -423,6 +489,7 @@ class test_vault_plugin(Declarative): 'result': { 'cn': [vault_name], 'description': [u'Test vault'], + 'ipavaulttype': [u'standard'], }, }, }, @@ -446,50 +513,53 @@ class test_vault_plugin(Declarative): }, { - 'desc': 'Create vault for archival', + 'desc': 'Create standard vault', 'command': ( 'vault_add', - [vault_name], + [standard_vault_name], {}, ), 'expected': { - 'value': vault_name, - 'summary': 'Added vault "%s"' % vault_name, + 'value': standard_vault_name, + 'summary': 'Added vault "%s"' % standard_vault_name, 'result': { 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' - % (vault_name, api.env.basedn), + % (standard_vault_name, api.env.basedn), 'objectclass': [u'top', u'ipaVault'], - 'cn': [vault_name], + 'cn': [standard_vault_name], + 'ipavaulttype': [u'standard'], }, }, }, { - 'desc': 'Archive secret', + 'desc': 'Archive secret into standard vault', 'command': ( 'vault_archive', - [vault_name], + [standard_vault_name], { 'data': secret, }, ), 'expected': { - 'value': vault_name, - 'summary': 'Archived data into vault "%s"' % vault_name, + 'value': standard_vault_name, + 'summary': 'Archived data into vault "%s"' + % standard_vault_name, 'result': {}, }, }, { - 'desc': 'Retrieve secret', + 'desc': 'Retrieve secret from standard vault', 'command': ( 'vault_retrieve', - [vault_name], + [standard_vault_name], {}, ), 'expected': { - 'value': vault_name, - 'summary': 'Retrieved data from vault "%s"' % vault_name, + 'value': standard_vault_name, + 'summary': 'Retrieved data from vault "%s"' + % standard_vault_name, 'result': { 'data': secret, }, 
@@ -497,17 +567,121 @@ class test_vault_plugin(Declarative): }, { - 'desc': 'Delete vault for archival', + 'desc': 'Create symmetric vault', 'command': ( - 'vault_del', - [vault_name], - {}, + 'vault_add', + [symmetric_vault_name], + { + 'ipavaulttype': u'symmetric', + }, + ), + 'expected': { + 'value': symmetric_vault_name, + 'summary': 'Added vault "%s"' % symmetric_vault_name, + 'result': { + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + % (symmetric_vault_name, api.env.basedn), + 'objectclass': [u'top', u'ipaVault'], + 'cn': [symmetric_vault_name], + 'ipavaulttype': [u'symmetric'], + 'ipavaultsalt': [fuzzy_string], + }, + }, + }, + + { + 'desc': 'Archive secret into symmetric vault', + 'command': ( + 'vault_archive', + [symmetric_vault_name], + { + 'password': password, + 'data': secret, + }, + ), + 'expected': { + 'value': symmetric_vault_name, + 'summary': 'Archived data into vault "%s"' + % symmetric_vault_name, + 'result': {}, + }, + }, + + { + 'desc': 'Retrieve secret from symmetric vault', + 'command': ( + 'vault_retrieve', + [symmetric_vault_name], + { + 'password': password, + }, + ), + 'expected': { + 'value': symmetric_vault_name, + 'summary': 'Retrieved data from vault "%s"' + % symmetric_vault_name, + 'result': { + 'data': secret, + }, + }, + }, + + { + 'desc': 'Create asymmetric vault', + 'command': ( + 'vault_add', + [asymmetric_vault_name], + { + 'ipavaulttype': u'asymmetric', + 'ipapublickey': public_key, + }, ), 'expected': { - 'value': [vault_name], - 'summary': u'Deleted vault "%s"' % vault_name, + 'value': asymmetric_vault_name, + 'summary': 'Added vault "%s"' % asymmetric_vault_name, 'result': { - 'failed': (), + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + % (asymmetric_vault_name, api.env.basedn), + 'objectclass': [u'top', u'ipaVault'], + 'cn': [asymmetric_vault_name], + 'ipavaulttype': [u'asymmetric'], + 'ipapublickey': [public_key], + }, + }, + }, + + { + 'desc': 'Archive secret into asymmetric vault', + 'command': ( + 
'vault_archive', + [asymmetric_vault_name], + { + 'data': secret, + }, + ), + 'expected': { + 'value': asymmetric_vault_name, + 'summary': 'Archived data into vault "%s"' + % asymmetric_vault_name, + 'result': {}, + }, + }, + + { + 'desc': 'Retrieve secret from asymmetric vault', + 'command': ( + 'vault_retrieve', + [asymmetric_vault_name], + { + 'private_key': private_key, + }, + ), + 'expected': { + 'value': asymmetric_vault_name, + 'summary': 'Retrieved data from vault "%s"' + % asymmetric_vault_name, + 'result': { + 'data': secret, }, }, }, -- 1.9.3 From simo at redhat.com Tue Jun 9 22:34:49 2015 
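Review bot: all three new flows (standard, symmetric, asymmetric) end with a vault_retrieve whose expected 'result' is {'data': secret}, but there is no negative case, and the 'Delete vault for archival' step was replaced by 'Create symmetric vault' so the hunks shown contain no vault_del for standard_vault_name, symmetric_vault_name or asymmetric_vault_name. Suggest adding retrieve attempts with a wrong 'password' (symmetric) and a wrong 'private_key' (asymmetric) that expect an error, so the test proves the secret is actually protected rather than merely stored, and, unless a later hunk already does it, a cleanup step deleting all three vaults so a re-run does not fail at 'Added vault "%s"'.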
From: simo at redhat.com (Simo Sorce) Date: Tue, 09 Jun 2015 18:34:49 -0400 Subject: [Freeipa-devel] Community Portal Milestone In-Reply-To: <55774959.10503@redhat.com> References: <5575EF16.5090808@redhat.com> <5576C04F.9070903@redhat.com> <5576EA1B.7050300@redhat.com> <55774959.10503@redhat.com> Message-ID: <1433889289.20848.40.camel@willson.usersys.redhat.com> On Tue, 2015-06-09 at 16:15 -0400, Drew Erny wrote: > Hey, Freeipa, same thread new subtopic. > > So, I was bouncing some ideas around with another developer (ayoung) and > I think I have a pretty good idea for self-service user registration. > > The idea is that I put self-service user registration into its own > application that calls out to ipa user-add after getting admin approval. > > Workflow goes like this: > > 1.) User goes to registration page, inputs details into form. > Registration page and application are not part of FreeIPA. > 2.) User's registration goes into a non-FreeIPA database, something like > SQLite. > 3.) Admin gets a notification email with a link to approve/deny > registration. > A.) Admin clicks approval link, registration application (which has > limited privileges) makes call out to ipa user-add command, adding the > new user to FreeIPA. > B.) Admin click deny link, user is not added. > 4.) User's registration information, approved or denied, is deleted from > the external database. > > This has a couple of advantages. For starters, it provides a layer of > protection against the creation of spam accounts. Accounts do not add > directly to LDAP (inserting to LDAP is a slow operation), instead sit in > intermediate area waiting approval. Second, we don't have to write a big > extension to ipa user-add or staginguser-add that allows anonymous > access to that command. Third, it can be bundled into its own package > and given to the community separate from FreeIPA proper. 
> Finally, it would allow me to gracefully defer becoming buried up to my neck in D-Bus notifications and whatever other fanciness we want to send email, because FreeIPA won't be sending the email.
>
> Opinions?

You could avoid using an external database by using the new User Lifecycle management feature [1]. This will allow you to do a simple ldapadd, but the user will not be enabled until an admin logs into the FreeIPA interface to enable the user.
This means your app never needs to see the admin's credentials or use s4u2proxy and will pose a lower risk to the system.

Simo.

[1] http://www.freeipa.org/page/V4/User_Life-Cycle_Management

-- Simo Sorce * Red Hat, Inc * New York

From mrniranjan at fedoraproject.org Tue Jun 9 22:59:10 2015
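The staged-user variant Simo proposes, as an added example that is not part of this thread and not FreeIPA code: the portal validates the form input and emits an LDIF add for the staging container, so it only needs a bind identity permitted to add entries there and never holds admin credentials or writes into the active users tree. The container DN `cn=staged users,cn=accounts,cn=provisioning,<suffix>` and the minimal inetOrgPerson attribute set are my assumptions about the User Life-Cycle feature, not something the thread states; the login-name policy is constructed for the example.

```python
"""Added example, not FreeIPA code: build the LDIF a registration portal
would ldapadd into the *staged users* container, after validating input.

Assumptions (mine, not from the thread): staged users live under
cn=staged users,cn=accounts,cn=provisioning,<suffix>, and a minimal
inetOrgPerson entry is enough for an admin to activate the account later.
"""
import base64
import re

STAGE_CONTAINER = 'cn=staged users,cn=accounts,cn=provisioning'

# Constructed login-name policy: a lowercase letter, then a short run of
# [a-z0-9_.-]. Commas, '=', '+', spaces or newlines could alter the DN or
# smuggle extra LDIF attributes, so they are rejected rather than escaped.
UID_RE = re.compile(r'^[a-z][a-z0-9_.-]{0,31}$')
MAIL_RE = re.compile(r'^[^@\s]+@[^@\s]+\.[^@\s]+$')


class RegistrationError(ValueError):
    """Raised for form input the portal refuses to stage."""


def ldif_attr(attr, value):
    """Render one attribute line per RFC 2849: base64-encode when the value
    is not safe ASCII (non-ASCII, leading space/colon/'<', trailing space,
    control characters such as newlines)."""
    safe = (value.isascii() and value.isprintable()
            and not value.startswith((' ', ':', '<'))
            and not value.endswith(' '))
    if safe:
        return '%s: %s' % (attr, value)
    b64 = base64.b64encode(value.encode('utf-8')).decode('ascii')
    return '%s:: %s' % (attr, b64)


def staged_user_ldif(uid, given_name, surname, mail, suffix):
    """Validate registration input and return an LDIF 'add' for a staged user.

    The entry goes under STAGE_CONTAINER, not cn=users, so the account is
    inert until an administrator activates it in FreeIPA.
    """
    uid = uid.strip().lower()
    if not UID_RE.match(uid):
        raise RegistrationError('invalid login name: %r' % uid)
    for label, value in (('first name', given_name), ('last name', surname)):
        if (not value.strip() or len(value) > 64
                or '\n' in value or '\r' in value):
            raise RegistrationError('invalid %s' % label)
    if not MAIL_RE.match(mail) or len(mail) > 254:
        raise RegistrationError('invalid email address: %r' % mail)

    dn = 'uid=%s,%s,%s' % (uid, STAGE_CONTAINER, suffix)
    lines = [
        'dn: ' + dn,
        'changetype: add',
        'objectClass: top',
        'objectClass: person',
        'objectClass: organizationalPerson',
        'objectClass: inetOrgPerson',
        ldif_attr('uid', uid),
        ldif_attr('givenName', given_name),
        ldif_attr('sn', surname),
        ldif_attr('cn', '%s %s' % (given_name, surname)),
        ldif_attr('mail', mail),
    ]
    return '\n'.join(lines) + '\n'


def staged_user_dn(ldif):
    """Return the 'dn:' line of an LDIF produced by staged_user_ldif."""
    return ldif.split('\n', 1)[0]


def is_accepted(uid, given_name, surname, mail, suffix='dc=example,dc=com'):
    """True if the input passes validation (convenience for checks)."""
    try:
        staged_user_ldif(uid, given_name, surname, mail, suffix)
        return True
    except RegistrationError:
        return False


if __name__ == '__main__':
    print(staged_user_ldif('jdoe', 'Jane', 'Doe', 'jane@example.com',
                           'dc=example,dc=com'))
```

The output can be piped to `ldapadd` bound as the portal's own service identity; which ACI grants that identity add rights on the staging container is deployment-specific and not shown here.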
From: mrniranjan at fedoraproject.org (Niranjan)
Date: Wed, 10 Jun 2015 04:29:10 +0530
Subject: [Freeipa-devel] [PATCH] Use Exception class instead of StandardError
In-Reply-To: <20150602224416.GA4049@mniranja.pnq.redhat.com>
References: <20150601043325.GA5783@mniranja.pnq.redhat.com> <20150602224416.GA4049@mniranja.pnq.redhat.com>
Message-ID: <20150609225910.GA6506@mniranja.pnq.redhat.com>

Niranjan wrote:

Greetings,

Please find the modified patch for ipapython/adminutil.py. I have run a few tests manually, like running ipa-server-install as a non-root user or providing --quiet and --verbose to see if it raises ScriptError properly. Also I checked by running ipa-server-install and using CTRL-C to break, to see if the KeyboardInterrupt is properly caught.

Please let me know your views on this.

Regards
Niranjan

> Niranjan wrote:
> > Greetings,
> >
> > I would like to present a patch for replacing the StandardError exception with the Exception class in ipapython/adminutil.py. Also replacing the BaseException class with the Exception class.
> >
> > Though StandardError is used in many places, I would like to start with ipapython/adminutil.py.
> >
> > This is my first patch. Please let me know if my approach on this is correct.
> Could anyone have a look at this please.
> >
> > Regards
> > Niranjan
>
> > From 018312f76952ea86c8c6e2396657e0531d2d61ba Mon Sep 17 00:00:00 2001
> > From: Niranjan Mallapadi
> > Date: Mon, 1 Jun 2015 09:41:05 +0530
> > Subject: [PATCH] Use Exception class instead of BaseException
> >
> > 1. Replace BaseException with Exception class.
> > 2. Remove StandardError and use Exception class. StandardError is deprecated (Python 3).
> > 3. From Python 3.0 the use of "," is not recommended; instead use the "as" keyword (PEP 3110).
> >
> > Signed-off-by: Niranjan Mallapadi
> > ---
> > ipapython/admintool.py | 11 +++++++++--
> > 1 file changed, 9 insertions(+), 2 deletions(-)
> > > > diff --git a/ipapython/admintool.py b/ipapython/admintool.py > > index d55bd18499ac427db8adc0c04096bc2aabdc2bbd..891232b9f387182ac5dbfb279a6f666805261ba1 100644 > > --- a/ipapython/admintool.py > > +++ b/ipapython/admintool.py > > @@ -32,7 +32,7 @@ from ipapython import config > > from ipapython import ipa_log_manager > > > > > > -class ScriptError(StandardError): > > +class ScriptError(Exception): > > """An exception that records an error message and a return value > > """ > > def __init__(self, msg='', rval=1): > > @@ -169,13 +169,20 @@ class AdminTool(object): > > self.ask_for_options() > > self.setup_logging() > > return_value = self.run() > > - except BaseException, exception: > > + except Exception as exception: > > traceback = sys.exc_info()[2] > > error_message, return_value = self.handle_error(exception) > > if return_value: > > self.log_failure(error_message, return_value, exception, > > traceback) > > return return_value > > + except SystemExit as exception: > > + traceback = sys.exc_info()[2] > > + error_message, return_value = self.handle_error(exception) > > + if return_value: > > + self.log_failure(error_message, return_value, exception, > > + traceback) > > + return return_value > > self.log_success() > > return return_value > > > > -- > > 1.9.3 > > > > > > Removed an attachment of 322 bytes with the following headers: > > > > Content-Type: application/pgp-signature > > > -- > > Manage your subscription for the Freeipa-devel mailing list: > > https://www.redhat.com/mailman/listinfo/freeipa-devel > > Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code > > -- > Manage your subscription for the Freeipa-devel mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-devel > Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code -------------- next part -------------- From aa74dad193a42b8d7ea1715391c461bcbad888b4 Mon Sep 17 00:00:00 2001 
From: Niranjan Mallapadi Date: Wed, 10 Jun 2015 04:19:46 +0530 Subject: [PATCH] Use Exception class instead of StandardError In except clause, use of "," is not recommended (PEP 3110) Signed-off-by: Niranjan Mallapadi --- ipapython/admintool.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ipapython/admintool.py b/ipapython/admintool.py index d55bd18499ac427db8adc0c04096bc2aabdc2bbd..5aa1c19bb70f9d9049130d1e2a253abb4b86677b 100644 --- a/ipapython/admintool.py +++ b/ipapython/admintool.py @@ -32,7 +32,7 @@ from ipapython import config from ipapython import ipa_log_manager -class ScriptError(StandardError): +class ScriptError(Exception): """An exception that records an error message and a return value """ def __init__(self, msg='', rval=1): @@ -169,7 +169,7 @@ class AdminTool(object): self.ask_for_options() self.setup_logging() return_value = self.run() - except BaseException, exception: + except BaseException as exception: traceback = sys.exc_info()[2] error_message, return_value = self.handle_error(exception) if return_value: -- 1.9.3 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 311 bytes Desc: not available URL: From ayoung at redhat.com Wed Jun 10 03:11:05 2015 
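Review bot: the second hunk keeps `except BaseException as exception:`, so this version still routes KeyboardInterrupt and SystemExit through handle_error, unlike the earlier quoted version whose `except Exception` would have let Ctrl-C escape with a traceback and which duplicated the handler body in a separate `except SystemExit` block; that is the right choice, but the commit message only mentions the `,` to `as` syntax change, so please state there that BaseException is retained deliberately. The first hunk's `ScriptError(StandardError)` to `ScriptError(Exception)` is behaviour-neutral on Python 2 (StandardError is itself a subclass of Exception), so existing `except Exception` callers still catch it; one line saying so in the message would save the next reader the check.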
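The distinction this patch turns on, as an added example that is not FreeIPA's admintool code: `run_tool` is a hypothetical stand-in for `AdminTool.execute()`, and `ScriptError` here is a constructed stand-in with the same `(msg, rval)` shape. Narrowing the handler from `BaseException` to `Exception` lets `KeyboardInterrupt` (Ctrl-C) and `SystemExit` bypass the tool's error mapping entirely, which the second scenario in `demo()` shows.

```python
"""Added example (not FreeIPA's admintool code): why the patch keeps
``except BaseException`` instead of narrowing it to ``except Exception``.

``run_tool`` is a hypothetical stand-in for AdminTool.execute(): run the
tool body, turn whatever it raises into an exit status via ``handle_error``,
and never let an expected failure surface as a raw traceback.
"""
import sys


class ScriptError(Exception):
    """Constructed stand-in for ipapython.admintool.ScriptError: a message
    plus the process return value the tool should exit with."""

    def __init__(self, msg='', rval=1):
        super().__init__(msg)
        self.msg = msg
        self.rval = rval


def handle_error(exc):
    """Map a caught exception to (message, return value).

    SystemExit and KeyboardInterrupt derive from BaseException, not from
    Exception, so they only reach this function when the caller catches
    BaseException.
    """
    if isinstance(exc, ScriptError):
        return exc.msg, exc.rval
    if isinstance(exc, SystemExit):
        code = exc.code
        if code is None:
            return '', 0
        if isinstance(code, int):
            return '', code
        return str(code), 1            # sys.exit('message') convention
    if isinstance(exc, KeyboardInterrupt):
        return 'Cancelled.', 1
    return 'Unexpected error: %s' % exc, 1


def run_tool(body, catch_base=True):
    """Run ``body()`` and return the exit status the process should use.

    catch_base=True  mirrors the patch: ``except BaseException``.
    catch_base=False narrows to ``except Exception``; Ctrl-C and
    sys.exit() then escape this function entirely.
    """
    caught = BaseException if catch_base else Exception
    try:
        rv = body()
    except caught as exc:
        msg, rv = handle_error(exc)
        if rv:
            sys.stderr.write('FAIL: %s (rc=%d)\n' % (msg, rv))
        return rv
    return rv or 0


def demo():
    """Exercise both handler shapes on constructed failures; returns a dict
    keyed by scenario so the outcome can be checked without parsing output."""
    def ok():
        return 0

    def script():
        raise ScriptError('configuration file not found', 2)

    def unexpected():
        raise ValueError('boom')

    def ctrl_c():
        raise KeyboardInterrupt()

    def exit_4():
        raise SystemExit(4)

    results = {
        'ok': run_tool(ok),
        'script': run_tool(script),
        'unexpected': run_tool(unexpected),
        'ctrl_c': run_tool(ctrl_c),
        'exit': run_tool(exit_4),
    }
    # With ``except Exception`` the interrupt is not caught at all.
    try:
        run_tool(ctrl_c, catch_base=False)
        results['ctrl_c_escapes'] = False
    except KeyboardInterrupt:
        results['ctrl_c_escapes'] = True
    return results


if __name__ == '__main__':
    print(demo())
```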
From: ayoung at redhat.com (Adam Young) Date: Tue, 09 Jun 2015 23:11:05 -0400 Subject: [Freeipa-devel] Community Portal Milestone In-Reply-To: <1433889289.20848.40.camel@willson.usersys.redhat.com> References: <5575EF16.5090808@redhat.com> <5576C04F.9070903@redhat.com> <5576EA1B.7050300@redhat.com> <55774959.10503@redhat.com> <1433889289.20848.40.camel@willson.usersys.redhat.com> Message-ID: <5577AAC9.1010007@redhat.com> On 06/09/2015 06:34 PM, Simo Sorce wrote: > On Tue, 2015-06-09 at 16:15 -0400, Drew Erny wrote: >> Hey, Freeipa, same thread new subtopic. >> >> So, I was bouncing some ideas around with another developer (ayoung) and >> I think I have a pretty good idea for self-service user registration. >> >> The idea is that I put self-service user registration into its own >> application that calls out to ipa user-add after getting admin approval. >> >> Workflow goes like this: >> >> 1.) User goes to registration page, inputs details into form. >> Registration page and application are not part of FreeIPA. >> 2.) User's registration goes into a non-FreeIPA database, something like >> SQLite. >> 3.) Admin gets a notification email with a link to approve/deny >> registration. >> A.) Admin clicks approval link, registration application (which has >> limited privileges) makes call out to ipa user-add command, adding the >> new user to FreeIPA. >> B.) Admin click deny link, user is not added. >> 4.) User's registration information, approved or denied, is deleted from >> the external database. >> >> This has a couple of advantages. For starters, it provides a layer of >> protection against the creation of spam accounts. Accounts do not add >> directly to LDAP (inserting to LDAP is a slow operation), instead sit in >> intermediate area waiting approval. Second, we don't have to write a big >> extension to ipa user-add or staginguser-add that allows anonymous >> access to that command. 
>> Third, it can be bundled into its own package and given to the community separate from FreeIPA proper. Finally, it would allow me to gracefully defer becoming buried up to my neck in D-Bus notifications and whatever other fanciness we want to send email, because FreeIPA won't be sending the email.
>>
>> Opinions?
> You could avoid using an external database by using the new User Lifecycle management feature [1]. This will allow you to do a simple ldapadd, but the user will not be enabled until an admin logs into the FreeIPA interface to enable the user.
> This means your app never needs to see the admin's credentials or use s4u2proxy and will pose a lower risk to the system.

The big issue was having an unauthenticated user add to the datastore; I don't think you want to push new values directly into LDAP. A separate database makes a lot of sense, and using SQLite for a proof of concept allows us to migrate up to MySQL for a live deployment.

I don't think S4U2Proxy is necessary. A client app with permission to read from the registration app could use the user's own credentials to push to the IPA server. This could be done in a web app with CORS support as well.

>
> Simo.
>
> [1] http://www.freeipa.org/page/V4/User_Life-Cycle_Management
>
>

From ayoung at redhat.com Wed Jun 10 04:11:09 2015
From: ayoung at redhat.com (Adam Young) Date: Wed, 10 Jun 2015 00:11:09 -0400 Subject: [Freeipa-devel] Community Portal Milestone In-Reply-To: <20150609204425.GG4402@redhat.com> References: <5575EF16.5090808@redhat.com> <5576C04F.9070903@redhat.com> <5576EA1B.7050300@redhat.com> <55774959.10503@redhat.com> <20150609204425.GG4402@redhat.com> Message-ID: <5577B8DD.3080909@redhat.com> On 06/09/2015 04:44 PM, Alexander Bokovoy wrote: > On Tue, 09 Jun 2015, Drew Erny wrote: >> Hey, Freeipa, same thread new subtopic. >> >> So, I was bouncing some ideas around with another developer (ayoung) >> and I think I have a pretty good idea for self-service user >> registration. >> >> The idea is that I put self-service user registration into its own >> application that calls out to ipa user-add after getting admin approval. >> >> Workflow goes like this: >> >> 1.) User goes to registration page, inputs details into form. >> Registration page and application are not part of FreeIPA. >> 2.) User's registration goes into a non-FreeIPA database, something >> like SQLite. >> 3.) Admin gets a notification email with a link to approve/deny >> registration. >> A.) Admin clicks approval link, registration application (which >> has limited privileges) makes call out to ipa user-add command, >> adding the new user to FreeIPA. >> B.) Admin click deny link, user is not added. >> 4.) User's registration information, approved or denied, is deleted >> from the external database. >> >> This has a couple of advantages. For starters, it provides a layer of >> protection against the creation of spam accounts. Accounts do not add >> directly to LDAP (inserting to LDAP is a slow operation), instead sit >> in intermediate area waiting approval. Second, we don't have to write >> a big extension to ipa user-add or staginguser-add that allows >> anonymous access to that command. Third, it can be bundled into its >> own package and given to the community separate from FreeIPA proper. 
>> Finally, it would allow me to gracefully defer becoming buried up to my neck in D-Bus notifications and whatever other fanciness we want to send email, because FreeIPA won't be sending the email.
>>
>> Opinions?
> Sounds good. For an external application like your portal to be able to call the IPA CLI (or JSON) with Kerberos on behalf of an admin, you need to support S4U2Proxy configuration. See https://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/ for details on how to make it work. This would allow you to have an application running on a separate IPA client and still be able to re-use admin Kerberos credentials to perform the work after the admin granted the permission to create a user or to reset a password.

I don't think so; S4U2Proxy would only make sense if the user does not have direct access. I think that, with proper CORS support, we could have the admin users authenticate the new users directly. Should be a simpler setup.

>
> See also https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/ for how to communicate with IPA via JSON directly, without any dependency on the IPA client tools.
>

From ftweedal at redhat.com Wed Jun 10 04:40:20 2015
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Wed, 10 Jun 2015 14:40:20 +1000
Subject: [Freeipa-devel] [PATCHES 00012-0013 v7] Profiles and CA ACLs
In-Reply-To: <5576FA44.3000300@redhat.com>
References: <20150602121127.GU23523@dhcp-40-8.bne.redhat.com> <556DDBD6.70007@redhat.com> <20150603141717.GZ23523@dhcp-40-8.bne.redhat.com> <556F3009.1090503@redhat.com> <20150604065944.GB23523@dhcp-40-8.bne.redhat.com> <55705542.4000002@redhat.com> <20150608013122.GH23523@dhcp-40-8.bne.redhat.com> <55753AE2.5030802@redhat.com> <20150609065805.GL23523@dhcp-40-8.bne.redhat.com> <5576FA44.3000300@redhat.com>
Message-ID: <20150610044020.GO23523@dhcp-40-8.bne.redhat.com>

On Tue, Jun 09, 2015 at 04:37:56PM +0200, Martin Basti wrote:
> On 09/06/15 08:58, Fraser Tweedale wrote:
> >On Mon, Jun 08, 2015 at 08:49:06AM +0200, Martin Kosek wrote:
> >>On 06/08/2015 03:31 AM, Fraser Tweedale wrote:
> >>>New patches attached. Comments inline.
> >>Thanks Fraser!
> >>
> >>...
> >>>>5)
> >>>>Missing referint plugin configuration for attribute 'ipacaaclmembercertprofile'
> >>>>Please add it into install/updates/25-referint.update (+ other member attributes if missing)
> >>>>
> >>>Added this. There is a comment in 25-referint.update:
> >>>
> >>> # pres and eq indexes defined in 20-indices.update must be set
> >>> # for all the attributes
> >>>
> >>>Can you explain what is required here? Is it just to add: I see things for memberUser and memberHost in indices.ldif but nothing for memberService. Do I need to add to indices.ldif:
> >>>
> >>> dn: cn=memberProfile,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
> >>> changetype: add
> >>> cn: memberProfile
> >>> ObjectClass: top
> >>> ObjectClass: nsIndex
> >>> nsSystemIndex: false
> >>> nsIndexType: eq
> >>> nsIndexType: pres
> >>> nsIndexType: sub
> >>>
> >>>, and similarly for memberCa? Sorry, I do not know much about LDAP indexing.
> >>AFAIR, yes. BTW, where does the "sub" index come from? It is quite an expensive index to use and I now cannot think of a memberProfile search where you would need a substring...
> >>
> >>Thanks,
> >>Martin
> >Updated patch attached, which adds the indices. (Also rebased).
> >
> >There is a commit that seems to indicate that a substring index is needed, so I have included substring indices in this patchset. Copied Honza in case he wants to comment.
> >
> > commit a10521a1dcf69960d6ce0bf5657180b709c297c0
> > Author: Jan Cholasta
> > Date: Tue Jun 25 13:16:40 2013 +0000
> >
> > Add missing substring indices for attributes managed by the referint plugin.
> >
> > The referint plugin does a substring search on these attributes each time an entry is deleted, which causes a noticeable slowdown for large directories if the attributes are not indexed.
> >
> > https://fedorahosted.org/freeipa/ticket/3706
> >
> >Cheers,
> >Fraser
> ACK
>
> Please send the upgrade patch ASAP :)
>
> --
> Martin Basti
>

Thank you for the ACK \o/

Since the patches have not been pushed, here is an updated patchset which adds the upgrade behaviour. There are no changes apart from the additions to ipaserver/install/server/upgrade.py.

Cheers,
Fraser

-------------- next part --------------
From 4c18dde46c42abce4963f5ebe555b3865c84feeb Mon Sep 17 00:00:00 2001
From: Fraser Tweedale Date: Mon, 25 May 2015 08:39:07 -0400 Subject: [PATCH 12/13] Add CA ACL plugin Implement the caacl commands, which are used to indicate which principals may be issued certificates from which (sub-)CAs, using which profiles. At this commit, and until sub-CAs are implemented, all rules refer to the top-level CA (represented as ".") and no ca-ref argument is exposed. Also, during install and upgrade add a default CA ACL that permits certificate issuance for all hosts and services using the profile 'caIPAserviceCert' on the top-level CA. Part of: https://fedorahosted.org/freeipa/ticket/57 Part of: https://fedorahosted.org/freeipa/ticket/4559 --- ACI.txt | 10 + API.txt | 184 ++++++++++++ VERSION | 4 +- install/share/60certificate-profiles.ldif | 5 + install/share/Makefile.am | 1 + install/share/bootstrap-template.ldif | 6 + install/share/default-caacl.ldif | 11 + install/share/indices.ldif | 20 ++ install/updates/20-indices.update | 18 ++ install/updates/25-referint.update | 2 + install/updates/41-caacl.update | 4 + install/updates/Makefile.am | 1 + ipalib/constants.py | 1 + ipalib/plugins/caacl.py | 476 ++++++++++++++++++++++++++++++ ipaserver/install/dsinstance.py | 4 + ipaserver/install/server/upgrade.py | 25 ++ 16 files changed, 770 insertions(+), 2 deletions(-) create mode 100644 install/share/default-caacl.ldif create mode 100644 install/updates/41-caacl.update create mode 100644 ipalib/plugins/caacl.py diff --git a/ACI.txt b/ACI.txt index 59173ac1b593f15e079c7b1fce43ec9b0084ec91..bf63cb4caac09fb9d9697290e31afdee0a364882 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -22,6 +22,16 @@ dn: cn=automount,dc=ipa,dc=example aci: (targetattr = "automountmapname || description")(targetfilter = "(objectclass=automountmap)")(version 3.0;acl "permission:System: Modify Automount Maps";allow (write) groupdn = "ldap:///cn=System: Modify Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=automount,dc=ipa,dc=example aci: (targetfilter = "(objectclass=automountmap)")(version 3.0;acl "permission:System: Remove Automount Maps";allow (delete) groupdn = "ldap:///cn=System: Remove Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=caacls,cn=ca,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Add CA ACL";allow (add) groupdn = "ldap:///cn=System: Add CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=caacls,cn=ca,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Delete CA ACL";allow (delete) groupdn = "ldap:///cn=System: Delete CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=caacls,cn=ca,dc=ipa,dc=example +aci: (targetattr = "cacategory || hostcategory || memberca || memberhost || memberprofile || memberservice || memberuser || profilecategory || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Manage CA ACL Membership";allow (write) groupdn = "ldap:///cn=System: Manage CA ACL Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=caacls,cn=ca,dc=ipa,dc=example +aci: (targetattr = "cn || description || ipaenabledflag")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Modify CA ACL";allow (write) groupdn = "ldap:///cn=System: Modify CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=caacls,cn=ca,dc=ipa,dc=example +aci: (targetattr = "cacategory || cn || createtimestamp || description || entryusn || hostcategory || ipaenabledflag || ipauniqueid || member || memberca || memberhost || 
memberprofile || memberservice || memberuser || modifytimestamp || objectclass || profilecategory || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Read CA ACLs";allow (compare,read,search) userdn = "ldap:///all";) dn: cn=certprofiles,cn=ca,dc=ipa,dc=example aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Delete Certificate Profile";allow (delete) groupdn = "ldap:///cn=System: Delete Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=certprofiles,cn=ca,dc=ipa,dc=example diff --git a/API.txt b/API.txt index 9e3f223b7ac338840d7090299f9108e951ea920a..13268ce1abb6edcbe71d4585d77f57e46a8711f8 100644 --- a/API.txt +++ b/API.txt 
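Review bot: in the ACI.txt hunk, 'System: Manage CA ACL Membership' already grants write on memberca and cacategory although the commit message says no ca-ref argument is exposed until sub-CAs exist, and 'System: Read CA ACLs' grants compare/read/search on every ipacaacl attribute (membership included) to userdn = "ldap:///all". Both look intended (the rules are policy rather than secrets, and the membership ACI is forward-looking for sub-CAs), but the commit message should say so explicitly so a later reviewer does not flag the writable-but-unexposed attributes or the broad read grant as an oversight.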
@@ -456,6 +456,190 @@ option: Str('version?', exclude='webui') output: Output('result', , None) output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) +command: caacl_add +args: 1,12,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, required=True) +option: Str('addattr*', cli_name='addattr', exclude='webui') +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('description', attribute=True, cli_name='desc', multivalue=False, required=False) +option: StrEnum('hostcategory', attribute=True, cli_name='hostcat', multivalue=False, required=False, values=(u'all',)) +option: Bool('ipaenabledflag', attribute=True, cli_name='ipaenabledflag', multivalue=False, required=False) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: StrEnum('profilecategory', attribute=True, cli_name='profilecat', multivalue=False, required=False, values=(u'all',)) +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: StrEnum('servicecategory', attribute=True, cli_name='servicecat', multivalue=False, required=False, values=(u'all',)) +option: Str('setattr*', cli_name='setattr', exclude='webui') +option: StrEnum('usercategory', attribute=True, cli_name='usercat', multivalue=False, required=False, values=(u'all',)) +option: Str('version?', exclude='webui') +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) +command: caacl_add_host +args: 1,6,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('host*', alwaysask=True, cli_name='hosts', csv=True) +option: Str('hostgroup*', alwaysask=True, cli_name='hostgroups', csv=True) +option: 
Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: caacl_add_profile +args: 1,5,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('certprofile*', alwaysask=True, cli_name='certprofiles', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: caacl_add_service +args: 1,5,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('service*', alwaysask=True, cli_name='services', csv=True) +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: caacl_add_user +args: 1,6,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') 
+option: Str('group*', alwaysask=True, cli_name='groups', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('user*', alwaysask=True, cli_name='users', csv=True) +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: caacl_del +args: 1,2,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=True, primary_key=True, query=True, required=True) +option: Flag('continue', autofill=True, cli_name='continue', default=False) +option: Str('version?', exclude='webui') +output: Output('result', , None) +output: Output('summary', (, ), None) +output: ListOfPrimaryKeys('value', None, None) +command: caacl_disable +args: 1,1,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Str('version?', exclude='webui') +output: Output('result', , None) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) +command: caacl_enable +args: 1,1,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Str('version?', exclude='webui') +output: Output('result', , None) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) +command: caacl_find +args: 1,14,4 +arg: Str('criteria?', noextrawhitespace=False) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('cn', attribute=True, autofill=False, cli_name='name', multivalue=False, primary_key=True, query=True, required=False) +option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, query=True, required=False) +option: StrEnum('hostcategory', attribute=True, autofill=False, 
cli_name='hostcat', multivalue=False, query=True, required=False, values=(u'all',)) +option: Bool('ipaenabledflag', attribute=True, autofill=False, cli_name='ipaenabledflag', multivalue=False, query=True, required=False) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('pkey_only?', autofill=True, default=False) +option: StrEnum('profilecategory', attribute=True, autofill=False, cli_name='profilecat', multivalue=False, query=True, required=False, values=(u'all',)) +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: StrEnum('servicecategory', attribute=True, autofill=False, cli_name='servicecat', multivalue=False, query=True, required=False, values=(u'all',)) +option: Int('sizelimit?', autofill=False, minvalue=0) +option: Int('timelimit?', autofill=False, minvalue=0) +option: StrEnum('usercategory', attribute=True, autofill=False, cli_name='usercat', multivalue=False, query=True, required=False, values=(u'all',)) +option: Str('version?', exclude='webui') +output: Output('count', , None) +output: ListOfEntries('result', (, ), Gettext('A list of LDAP entries', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: Output('truncated', , None) +command: caacl_mod +args: 1,14,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Str('addattr*', cli_name='addattr', exclude='webui') +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('delattr*', cli_name='delattr', exclude='webui') +option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, required=False) +option: StrEnum('hostcategory', attribute=True, autofill=False, cli_name='hostcat', multivalue=False, required=False, values=(u'all',)) +option: Bool('ipaenabledflag', attribute=True, autofill=False, cli_name='ipaenabledflag', multivalue=False, required=False) +option: 
Flag('no_members', autofill=True, default=False, exclude='webui') +option: StrEnum('profilecategory', attribute=True, autofill=False, cli_name='profilecat', multivalue=False, required=False, values=(u'all',)) +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Flag('rights', autofill=True, default=False) +option: StrEnum('servicecategory', attribute=True, autofill=False, cli_name='servicecat', multivalue=False, required=False, values=(u'all',)) +option: Str('setattr*', cli_name='setattr', exclude='webui') +option: StrEnum('usercategory', attribute=True, autofill=False, cli_name='usercat', multivalue=False, required=False, values=(u'all',)) +option: Str('version?', exclude='webui') +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) +command: caacl_remove_host +args: 1,6,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('host*', alwaysask=True, cli_name='hosts', csv=True) +option: Str('hostgroup*', alwaysask=True, cli_name='hostgroups', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: caacl_remove_profile +args: 1,5,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('certprofile*', alwaysask=True, cli_name='certprofiles', csv=True) 
+option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: caacl_remove_service +args: 1,5,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('service*', alwaysask=True, cli_name='services', csv=True) +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: caacl_remove_user +args: 1,6,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('group*', alwaysask=True, cli_name='groups', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('user*', alwaysask=True, cli_name='users', csv=True) +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: caacl_show +args: 1,5,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', 
autofill=True, cli_name='all', default=False, exclude='webui') +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Flag('rights', autofill=True, default=False) +option: Str('version?', exclude='webui') +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) command: cert_find args: 0,17,4 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') diff --git a/VERSION b/VERSION index 535b3e228a3500f2013ea793b19a97d9fbd05021..911470c2d83d81e6abee3e8e41496cf472a11d19 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=126 -# Last change: edewata - added vault-archive and vault-retrieve +IPA_API_VERSION_MINOR=127 +# Last change: ftweedal - add caacl plugin diff --git a/install/share/60certificate-profiles.ldif b/install/share/60certificate-profiles.ldif index f1281949e53386e5bfe8b35e0c15858c693c5467..aa47c9b5d6b2db885b6273866cdf602df90c2e30 100644 --- a/install/share/60certificate-profiles.ldif +++ b/install/share/60certificate-profiles.ldif 
@@ -1,3 +1,8 @@ dn: cn=schema attributeTypes: (2.16.840.1.113730.3.8.21.1.1 NAME 'ipaCertProfileStoreIssued' DESC 'Store certificates issued using this profile' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.2' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.2 NAME 'memberCa' DESC 'Reference to a CA member' SUP distinguishedName EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v4.2' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.3 NAME 'memberProfile' DESC 'Reference to a certificate profile member' SUP distinguishedName EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v4.2' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.4 NAME 'caCategory' DESC 'Additional classification for CAs' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.2' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.5 NAME 'profileCategory' DESC 'Additional classification for certificate profiles' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.2' ) objectClasses: (2.16.840.1.113730.3.8.21.2.1 NAME 'ipaCertProfile' SUP top STRUCTURAL MUST ( cn $ description $ ipaCertProfileStoreIssued ) X-ORIGIN 'IPA v4.2' ) +objectClasses: (2.16.840.1.113730.3.8.21.2.2 NAME 'ipaCaAcl' SUP ipaAssociation STRUCTURAL MUST cn MAY ( caCategory $ profileCategory $ userCategory $ hostCategory $ serviceCategory $ memberCa $ memberProfile $ memberService ) X-ORIGIN 'IPA v4.2' ) diff --git a/install/share/Makefile.am b/install/share/Makefile.am index 31f391be25c58b76cc71971852074d80c5514745..e97a89ca93f7f188e06dc982bd69e251f8082df3 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am 
@@ -29,6 +29,7 @@ app_DATA = \ bootstrap-template.ldif \ caJarSigningCert.cfg.template \ default-aci.ldif \ + default-caacl.ldif \ default-hbac.ldif \ default-smb-group.ldif \ default-trust-view.ldif \ diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif index c5d4bad8b80640881f4631e4873a12c82b0ea48a..2387f220fd4fe6e3ccd59f4b592f2473d7acfa44 100644 --- a/install/share/bootstrap-template.ldif +++ b/install/share/bootstrap-template.ldif @@ -441,3 +441,9 @@ changetype: add objectClass: nsContainer objectClass: top cn: certprofiles + +dn: cn=caacls,cn=ca,$SUFFIX +changetype: add +objectClass: nsContainer +objectClass: top +cn: caacls diff --git a/install/share/default-caacl.ldif b/install/share/default-caacl.ldif new file mode 100644 index 0000000000000000000000000000000000000000..8acfb489522fe8c66afdc2ed6ac1105f249cd140 --- /dev/null +++ b/install/share/default-caacl.ldif @@ -0,0 +1,11 @@ +# default CA ACL that grants use of caIPAserviceCert on top-level CA to all hosts and services +dn: ipauniqueid=autogenerate,cn=caacls,cn=ca,$SUFFIX +changetype: add +objectclass: ipaassociation +objectclass: ipacaacl +ipauniqueid: autogenerate +cn: hosts_services_caIPAserviceCert +ipaenabledflag: TRUE +memberprofile: cn=caIPAserviceCert,cn=certprofiles,cn=ca,$SUFFIX +hostcategory: all +servicecategory: all diff --git a/install/share/indices.ldif b/install/share/indices.ldif index ad678e0b2123d961c957d3071ba48ff70bf27e7a..98aedca2d9c61c58e9d318cae909317a7d9d29a0 100644 --- a/install/share/indices.ldif +++ b/install/share/indices.ldif 
@@ -227,3 +227,23 @@ ObjectClass: top ObjectClass: nsIndex nsSystemIndex: false nsIndexType: eq + +dn: cn=memberCa,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config +changetype: add +cn: memberCa +ObjectClass: top +ObjectClass: nsIndex +nsSystemIndex: false +nsIndexType: eq +nsIndexType: pres +nsIndexType: sub + +dn: cn=memberProfile,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config +changetype: add +cn: memberProfile +ObjectClass: top +ObjectClass: nsIndex +nsSystemIndex: false +nsIndexType: eq +nsIndexType: pres +nsIndexType: sub diff --git a/install/updates/20-indices.update b/install/updates/20-indices.update index 880e73f3bb1b2a32c2fa40f65666cfd594cdc659..da9529272773995553ad2c056f2c5c03b847745b 100644 --- a/install/updates/20-indices.update +++ b/install/updates/20-indices.update @@ -191,3 +191,21 @@ default:nsSystemIndex: false only:nsIndexType: eq only:nsIndexType: pres only:nsIndexType: sub + +dn: cn=memberCa,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config +default:cn: memberCa +default:ObjectClass: top +default:ObjectClass: nsIndex +default:nsSystemIndex: false +only:nsIndexType: eq +only:nsIndexType: pres +only:nsIndexType: sub + +dn: cn=memberProfile,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config +default:cn: memberProfile +default:ObjectClass: top +default:ObjectClass: nsIndex +default:nsSystemIndex: false +only:nsIndexType: eq +only:nsIndexType: pres +only:nsIndexType: sub diff --git a/install/updates/25-referint.update b/install/updates/25-referint.update index 005cd0376d82c83b1b7ab368f992e209b0da5e9a..f173254e189f080e39b29ce214d684b35ae8057a 100644 --- a/install/updates/25-referint.update +++ b/install/updates/25-referint.update 
@@ -17,3 +17,5 @@ add: referint-membership-attr: ipasudorunasgroup add: referint-membership-attr: ipatokenradiusconfiglink add: referint-membership-attr: ipaassignedidview add: referint-membership-attr: ipaallowedtarget +add: referint-membership-attr: memberca +add: referint-membership-attr: memberprofile diff --git a/install/updates/41-caacl.update b/install/updates/41-caacl.update new file mode 100644 index 0000000000000000000000000000000000000000..a18b6ec946855c194077d9ac01a8adcfddf8542e --- /dev/null +++ b/install/updates/41-caacl.update @@ -0,0 +1,4 @@ +dn: cn=caacls,cn=ca,$SUFFIX +default: objectClass: nsContainer +default: objectClass: top +default: cn: caacls diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am index fc6bd624eac619cdddeba29b85440571d85fd69f..eddf4d850ed4b47d5526dc152149fa21b14779d4 100644 --- a/install/updates/Makefile.am +++ b/install/updates/Makefile.am @@ -35,6 +35,7 @@ app_DATA = \ 40-certprofile.update \ 40-otp.update \ 40-vault.update \ + 41-caacl.update \ 45-roles.update \ 50-7_bit_check.update \ 50-dogtag10-migration.update \ diff --git a/ipalib/constants.py b/ipalib/constants.py index 93d7aaa7b0b5f0b47b8839e764ef168c1fe08c97..86b1ce8bd501845e7b5871773e86521d3c5d2ad9 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -120,6 +120,7 @@ DEFAULT_CONFIG = ( ('container_masters', DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'))), ('container_certprofile', DN(('cn', 'certprofiles'), ('cn', 'ca'))), ('container_topology', DN(('cn', 'topology'), ('cn', 'ipa'), ('cn', 'etc'))), + ('container_caacl', DN(('cn', 'caacls'), ('cn', 'ca'))), # Ports, hosts, and URIs: ('xmlrpc_uri', 'http://localhost:8888/ipa/xml'), diff --git a/ipalib/plugins/caacl.py b/ipalib/plugins/caacl.py new file mode 100644 index 0000000000000000000000000000000000000000..c589e07b9b211d34239294baeddeee54178c68e6 --- /dev/null +++ b/ipalib/plugins/caacl.py 
@@ -0,0 +1,476 @@ +# +# Copyright (C) 2015 FreeIPA Contributors see COPYING for license +# + +from ipalib import api, errors, output +from ipalib import Bool, Str, StrEnum +from ipalib.plugable import Registry +from ipalib.plugins.baseldap import ( + LDAPObject, LDAPSearch, LDAPCreate, LDAPDelete, LDAPQuery, + LDAPUpdate, LDAPRetrieve, LDAPAddMember, LDAPRemoveMember, + global_output_params, pkey_to_value) +from ipalib.plugins.hbacrule import is_all +from ipalib import _, ngettext +from ipapython.dn import DN + + +__doc__ = _(""" +Manage CA ACL rules. + +This plugin is used to define rules governing which principals are +permitted to have certificates issued using a given certificate +profile. + +PROFILE ID SYNTAX: + +A Profile ID is a string without spaces or punctuation starting with a letter +and followed by a sequence of letters, digits or underscore ("_"). + +EXAMPLES: + + Create a CA ACL "test" that grants all users access to the + "UserCert" profile: + ipa caacl-add test --usercat=all + ipa caacl-add-profile test --certprofiles UserCert + + Display the properties of a named CA ACL: + ipa caacl-show test + + Create a CA ACL to let user "alice" use the "DNP3" profile: + ipa caacl-add-profile alice_dnp3 --certprofiles DNP3 + ipa caacl-add-user alice_dnp3 --user=alice + + Disable a CA ACL: + ipa caacl-disable test + + Remove a CA ACL: + ipa caacl-del test +""") + +register = Registry() + + + at register() +class caacl(LDAPObject): + """ + CA ACL object. 
+ """ + container_dn = api.env.container_caacl + object_name = _('CA ACL') + object_name_plural = _('CA ACLs') + object_class = ['ipaassociation', 'ipacaacl'] + permission_filter_objectclasses = ['ipacaacl'] + default_attributes = [ + 'cn', 'description', 'ipaenabledflag', + 'cacategory', 'memberca', + 'profilecategory', 'memberprofile', + 'usercategory', 'memberuser', + 'hostcategory', 'memberhost', + 'servicecategory', 'memberservice', + ] + uuid_attribute = 'ipauniqueid' + rdn_attribute = 'ipauniqueid' + attribute_members = { + 'memberuser': ['user', 'group'], + 'memberhost': ['host', 'hostgroup'], + 'memberservice': ['service'], + 'memberprofile': ['certprofile'], + } + managed_permissions = { + 'System: Read CA ACLs': { + 'replaces_global_anonymous_aci': True, + 'ipapermbindruletype': 'all', + 'ipapermright': {'read', 'search', 'compare'}, + 'ipapermdefaultattr': { + 'cn', 'description', 'ipaenabledflag', + 'cacategory', 'memberca', + 'profilecategory', 'memberprofile', + 'usercategory', 'memberuser', + 'hostcategory', 'memberhost', + 'servicecategory', 'memberservice', + 'ipauniqueid', + 'objectclass', 'member', + }, + }, + 'System: Add CA ACL': { + 'ipapermright': {'add'}, + 'replaces': [ + '(target = "ldap:///ipauniqueid=*,cn=caacls,cn=ca,$SUFFIX")(version 3.0;acl "permission:Add CA ACL";allow (add) groupdn = "ldap:///cn=Add CA ACL,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + 'System: Delete CA ACL': { + 'ipapermright': {'delete'}, + 'replaces': [ + '(target = "ldap:///ipauniqueid=*,cn=caacls,cn=ca,$SUFFIX")(version 3.0;acl "permission:Delete CA ACL";allow (delete) groupdn = "ldap:///cn=Delete CA ACL,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + 'System: Manage CA ACL Membership': { + 'ipapermright': {'write'}, + 'ipapermdefaultattr': { + 'cacategory', 'memberca', + 'profilecategory', 'memberprofile', + 'usercategory', 'memberuser', + 'hostcategory', 
'memberhost', + 'servicecategory', 'memberservice' + }, + 'replaces': [ + '(targetattr = "memberca || memberprofile || memberuser || memberservice || memberhost || cacategory || profilecategory || usercategory || hostcategory || servicecategory")(target = "ldap:///ipauniqueid=*,cn=caacls,cn=ca,$SUFFIX")(version 3.0;acl "permission:Manage CA ACL membership";allow (write) groupdn = "ldap:///cn=Manage CA ACL membership,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + 'System: Modify CA ACL': { + 'ipapermright': {'write'}, + 'ipapermdefaultattr': { + 'cn', 'description', 'ipaenabledflag', + }, + 'replaces': [ + '(targetattr = "cn || description || ipaenabledflag")(target = "ldap:///ipauniqueid=*,cn=caacls,cn=ca,$SUFFIX")(version 3.0;acl "permission:Modify CA ACL";allow (write) groupdn = "ldap:///cn=Modify CA ACL,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + } + + label = _('CA ACLs') + label_singular = _('CA ACL') + + takes_params = ( + Str('cn', + cli_name='name', + label=_('ACL name'), + primary_key=True, + ), + Str('description?', + cli_name='desc', + label=_('Description'), + ), + Bool('ipaenabledflag?', + label=_('Enabled'), + flags=['no_option'], + ), + # Commented until subca plugin arrives + #StrEnum('cacategory?', + # cli_name='cacat', + # label=_('CA category'), + # doc=_('CA category the ACL applies to'), + # values=(u'all', ), + #), + StrEnum('profilecategory?', + cli_name='profilecat', + label=_('Profile category'), + doc=_('Profile category the ACL applies to'), + values=(u'all', ), + ), + StrEnum('usercategory?', + cli_name='usercat', + label=_('User category'), + doc=_('User category the ACL applies to'), + values=(u'all', ), + ), + StrEnum('hostcategory?', + cli_name='hostcat', + label=_('Host category'), + doc=_('Host category the ACL applies to'), + values=(u'all', ), + ), + StrEnum('servicecategory?', + cli_name='servicecat', + label=_('Service category'), + 
doc=_('Service category the ACL applies to'), + values=(u'all', ), + ), + # Commented until subca plugin arrives + #Str('memberca_subca?', + # label=_('CAs'), + # flags=['no_create', 'no_update', 'no_search'], + #), + Str('memberprofile_certprofile?', + label=_('Profiles'), + flags=['no_create', 'no_update', 'no_search'], + ), + Str('memberuser_user?', + label=_('Users'), + flags=['no_create', 'no_update', 'no_search'], + ), + Str('memberuser_group?', + label=_('User Groups'), + flags=['no_create', 'no_update', 'no_search'], + ), + Str('memberhost_host?', + label=_('Hosts'), + flags=['no_create', 'no_update', 'no_search'], + ), + Str('memberhost_hostgroup?', + label=_('Host Groups'), + flags=['no_create', 'no_update', 'no_search'], + ), + Str('memberservice_service?', + label=_('Services'), + flags=['no_create', 'no_update', 'no_search'], + ), + ) + + + at register() +class caacl_add(LDAPCreate): + __doc__ = _('Create a new CA ACL.') + + msg_summary = _('Added CA ACL "%(value)s"') + + def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + # CA ACLs are enabled by default + entry_attrs['ipaenabledflag'] = ['TRUE'] + return dn + + + at register() +class caacl_del(LDAPDelete): + __doc__ = _('Delete a CA ACL.') + + msg_summary = _('Deleted CA ACL "%(value)s"') + + + at register() +class caacl_mod(LDAPUpdate): + __doc__ = _('Modify a CA ACL.') + + msg_summary = _('Modified CA ACL "%(value)s"') + + def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + assert isinstance(dn, DN) + try: + entry_attrs = ldap.get_entry(dn, attrs_list) + dn = entry_attrs.dn + except errors.NotFound: + self.obj.handle_not_found(*keys) + + # Commented until subca plugin arrives + #if is_all(options, 'cacategory') and 'memberca' in entry_attrs: + # raise errors.MutuallyExclusiveError(reason=_( + # "CA category cannot be set to 'all' " + # "while there are allowed CAs")) + if is_all(options, 'profilecategory') and 'memberprofile' in entry_attrs: + 
raise errors.MutuallyExclusiveError(reason=_( + "profile category cannot be set to 'all' " + "while there are allowed profiles")) + if is_all(options, 'usercategory') and 'memberuser' in entry_attrs: + raise errors.MutuallyExclusiveError(reason=_( + "user category cannot be set to 'all' " + "while there are allowed users")) + if is_all(options, 'hostcategory') and 'memberhost' in entry_attrs: + raise errors.MutuallyExclusiveError(reason=_( + "host category cannot be set to 'all' " + "while there are allowed hosts")) + if is_all(options, 'servicecategory') and 'memberservice' in entry_attrs: + raise errors.MutuallyExclusiveError(reason=_( + "service category cannot be set to 'all' " + "while there are allowed services")) + return dn + + + at register() +class caacl_find(LDAPSearch): + __doc__ = _('Search for CA ACLs.') + + msg_summary = ngettext( + '%(count)d CA ACL matched', '%(count)d CA ACLs matched', 0 + ) + + + at register() +class caacl_show(LDAPRetrieve): + __doc__ = _('Display the properties of a CA ACL.') + + + at register() +class caacl_enable(LDAPQuery): + __doc__ = _('Enable a CA ACL.') + + msg_summary = _('Enabled CA ACL "%(value)s"') + has_output = output.standard_value + + def execute(self, cn, **options): + ldap = self.obj.backend + + dn = self.obj.get_dn(cn) + try: + entry_attrs = ldap.get_entry(dn, ['ipaenabledflag']) + except errors.NotFound: + self.obj.handle_not_found(cn) + + entry_attrs['ipaenabledflag'] = ['TRUE'] + + try: + ldap.update_entry(entry_attrs) + except errors.EmptyModlist: + pass + + return dict( + result=True, + value=pkey_to_value(cn, options), + ) + + + at register() +class caacl_disable(LDAPQuery): + __doc__ = _('Disable a CA ACL.') + + msg_summary = _('Disabled CA ACL "%(value)s"') + has_output = output.standard_value + + def execute(self, cn, **options): + ldap = self.obj.backend + + dn = self.obj.get_dn(cn) + try: + entry_attrs = ldap.get_entry(dn, ['ipaenabledflag']) + except errors.NotFound: + self.obj.handle_not_found(cn) 
+ + entry_attrs['ipaenabledflag'] = ['FALSE'] + + try: + ldap.update_entry(entry_attrs) + except errors.EmptyModlist: + pass + + return dict( + result=True, + value=pkey_to_value(cn, options), + ) + + + at register() +class caacl_add_user(LDAPAddMember): + __doc__ = _('Add users and groups to a CA ACL.') + + member_attributes = ['memberuser'] + member_count_out = ( + _('%i user or group added.'), + _('%i users or groups added.')) + + def pre_callback(self, ldap, dn, found, not_found, *keys, **options): + assert isinstance(dn, DN) + try: + entry_attrs = ldap.get_entry(dn, self.obj.default_attributes) + dn = entry_attrs.dn + except errors.NotFound: + self.obj.handle_not_found(*keys) + if is_all(entry_attrs, 'usercategory'): + raise errors.MutuallyExclusiveError( + reason=_("users cannot be added when user category='all'")) + return dn + + + at register() +class caacl_remove_user(LDAPRemoveMember): + __doc__ = _('Remove users and groups from a CA ACL.') + + member_attributes = ['memberuser'] + member_count_out = ( + _('%i user or group removed.'), + _('%i users or groups removed.')) + + + at register() +class caacl_add_host(LDAPAddMember): + __doc__ = _('Add target hosts and hostgroups to a CA ACL.') + + member_attributes = ['memberhost'] + member_count_out = ( + _('%i host or hostgroup added.'), + _('%i hosts or hostgroups added.')) + + def pre_callback(self, ldap, dn, found, not_found, *keys, **options): + assert isinstance(dn, DN) + try: + entry_attrs = ldap.get_entry(dn, self.obj.default_attributes) + dn = entry_attrs.dn + except errors.NotFound: + self.obj.handle_not_found(*keys) + if is_all(entry_attrs, 'hostcategory'): + raise errors.MutuallyExclusiveError( + reason=_("hosts cannot be added when host category='all'")) + return dn + + + at register() +class caacl_remove_host(LDAPRemoveMember): + __doc__ = _('Remove target hosts and hostgroups from a CA ACL.') + + member_attributes = ['memberhost'] + member_count_out = ( + _('%i host or hostgroup removed.'), + 
_('%i hosts or hostgroups removed.')) + + + at register() +class caacl_add_service(LDAPAddMember): + __doc__ = _('Add services to a CA ACL.') + + member_attributes = ['memberservice'] + member_count_out = (_('%i service added.'), _('%i services added.')) + + def pre_callback(self, ldap, dn, found, not_found, *keys, **options): + assert isinstance(dn, DN) + try: + entry_attrs = ldap.get_entry(dn, self.obj.default_attributes) + dn = entry_attrs.dn + except errors.NotFound: + self.obj.handle_not_found(*keys) + if is_all(entry_attrs, 'servicecategory'): + raise errors.MutuallyExclusiveError(reason=_( + "services cannot be added when service category='all'")) + return dn + + + at register() +class caacl_remove_service(LDAPRemoveMember): + __doc__ = _('Remove services from a CA ACL.') + + member_attributes = ['memberservice'] + member_count_out = (_('%i service removed.'), _('%i services removed.')) + + +caacl_output_params = global_output_params + ( + Str('memberprofile', + label=_('Failed profiles'), + ), + # Commented until caacl plugin arrives + #Str('memberca', + # label=_('Failed CAs'), + #), +) + + + at register() +class caacl_add_profile(LDAPAddMember): + __doc__ = _('Add profiles to a CA ACL.') + + has_output_params = caacl_output_params + + member_attributes = ['memberprofile'] + member_count_out = (_('%i profile added.'), _('%i profiles added.')) + + def pre_callback(self, ldap, dn, found, not_found, *keys, **options): + assert isinstance(dn, DN) + try: + entry_attrs = ldap.get_entry(dn, self.obj.default_attributes) + dn = entry_attrs.dn + except errors.NotFound: + self.obj.handle_not_found(*keys) + if is_all(entry_attrs, 'profilecategory'): + raise errors.MutuallyExclusiveError(reason=_( + "profiles cannot be added when profile category='all'")) + return dn + + + at register() +class caacl_remove_profile(LDAPRemoveMember): + __doc__ = _('Remove profiles from a CA ACL.') + + has_output_params = caacl_output_params + + member_attributes = ['memberprofile'] + 
member_count_out = (_('%i profile removed.'), _('%i profiles removed.')) diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 2acab13f247ed18a750f0e1cbbd98f4e63718c03..9f24189b6e442e0c55d5de41d15a03f89ecc9578 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -307,6 +307,7 @@ class DsInstance(service.Service): self.step("adding range check plugin", self.__add_range_check_plugin) if hbac_allow: self.step("creating default HBAC rule allow_all", self.add_hbac) + self.step("creating default CA ACL rule", self.add_caacl) self.step("adding entries for topology management", self.__add_topology_entries) self.__common_post_setup() @@ -741,6 +742,9 @@ class DsInstance(service.Service): def add_hbac(self): self._ldap_mod("default-hbac.ldif", self.sub_dict) + def add_caacl(self): + self._ldap_mod("default-caacl.ldif", self.sub_dict) + def change_admin_password(self, password): root_logger.debug("Changing admin password") dirname = config_dirname(self.serverid) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index c5f4d37cc02658334d5c26f269ec5dd5e386df1d..306d1d27cda7a517117110ad3e6a760108f0fe19 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py 
@@ -1254,6 +1254,30 @@ def update_mod_nss_protocol(http): sysupgrade.set_upgrade_state('nss.conf', 'protocol_updated_tls12', True) +def add_default_caacl(ca): + root_logger.info('[Add default CA ACL]') + + if sysupgrade.get_upgrade_state('caacl', 'add_default_caacl'): + root_logger.info('Default CA ACL already added') + return + + if ca.is_configured(): + if not api.Backend.ldap2.isconnected(): + try: + api.Backend.ldap2.connect(autobind=True) + except ipalib.errors.PublicError as e: + root_logger.error("Cannot connect to LDAP to add CA ACLs: %s", e) + return + + if not api.Command.caacl_find()['result']: + api.Command.caacl_add(u'hosts_services_caIPAserviceCert', + hostcategory=u'all', usercategory=u'all') + api.Command.caacl_add_profile(u'hosts_services_caIPAserviceCert', + certprofile=(u'caIPAserviceCert',)) + + sysupgrade.set_upgrade_state('caacl', 'add_default_caacl', True) + + def upgrade_configuration(): """ Execute configuration upgrade of the IPA services @@ -1431,6 +1455,7 @@ def upgrade_configuration(): # itself require a restart. # ca_import_included_profiles(ca) + add_default_caacl(ca) set_sssd_domain_option('ipa_server_mode', 'True') -- 2.1.0 -------------- next part -------------- From 9743069a288c1b14bf2d913ccb6b4108de5d838e Mon Sep 17 00:00:00 2001 
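Review bot: the upgrade path in add_default_caacl creates the default rule with `hostcategory=u'all', usercategory=u'all'`, while the fresh-install path in install/share/default-caacl.ldif sets `hostcategory: all` and `servicecategory: all`. An upgraded server therefore ends up with an ACL named hosts_services_caIPAserviceCert that lets every user, rather than every service, request certificates with caIPAserviceCert, which is a wider grant than a new install gets. Use `servicecategory=u'all'` so both paths produce the same rule. Also note that the `if not api.Command.caacl_find()['result']` guard skips creation whenever any ACL already exists; if that is intended, a log line saying the default was skipped would help when debugging certificate issuance failures after an upgrade.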
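Review bot: in the caacl.py module docstring, the "alice_dnp3" example runs `ipa caacl-add-profile alice_dnp3 --certprofiles DNP3` and `ipa caacl-add-user alice_dnp3 --user=alice` without first creating the ACL, so it fails as written; add `ipa caacl-add alice_dnp3` before those two lines. The "PROFILE ID SYNTAX" paragraph describes certificate profile IDs and says nothing about CA ACLs; it reads as carried over from the certprofile plugin and can be dropped. The comment above the commented-out `Str('memberca', ...)` in caacl_output_params says "Commented until caacl plugin arrives", whereas the other placeholders say "subca plugin arrives"; since this is the caacl plugin, "subca" is meant.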
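Review bot: in dsinstance.py the new `self.step("creating default CA ACL rule", self.add_caacl)` is placed directly after the `if hbac_allow:` block that adds the allow_all HBAC rule. Please make sure it is not indented under that condition: the default CA ACL is what allows hosts and services to obtain certificates with caIPAserviceCert, and it should be created whether or not the installer was told to skip the allow_all HBAC rule.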
From: Fraser Tweedale Date: Tue, 26 May 2015 04:44:20 -0400 Subject: [PATCH 13/13] Enforce CA ACLs in cert-request command This commit adds CA ACL enforcement to the cert-request command and uses the pyhbac machinery. It is planned to implement ACL enforcement in Dogtag in a future release, and remove certificate issuance privileges and CA ACL enforcement responsibility from the framework. See https://fedorahosted.org/freeipa/ticket/5011 for more information. Part of: https://fedorahosted.org/freeipa/ticket/57 Part of: https://fedorahosted.org/freeipa/ticket/4559 --- ipalib/plugins/caacl.py | 75 +++++++++++++++++++++++++++++++++++++++++++++++++ ipalib/plugins/cert.py | 17 +++++++++++ 2 files changed, 92 insertions(+) diff --git a/ipalib/plugins/caacl.py b/ipalib/plugins/caacl.py index c589e07b9b211d34239294baeddeee54178c68e6..520b506a36474cfb2e29e571fb2c289799c947f6 100644 --- a/ipalib/plugins/caacl.py +++ b/ipalib/plugins/caacl.py @@ -2,6 +2,8 @@ # Copyright (C) 2015 FreeIPA Contributors see COPYING for license # +import pyhbac + from ipalib import api, errors, output from ipalib import Bool, Str, StrEnum from ipalib.plugable import Registry @@ -10,6 +12,7 @@ from ipalib.plugins.baseldap import ( LDAPUpdate, LDAPRetrieve, LDAPAddMember, LDAPRemoveMember, global_output_params, pkey_to_value) from ipalib.plugins.hbacrule import is_all +from ipalib.plugins.service import normalize_principal, split_any_principal from ipalib import _, ngettext from ipapython.dn import DN 
@@ -50,6 +53,78 @@ EXAMPLES: register = Registry() +def _acl_make_request(principal_type, principal, ca_ref, profile_id): + """Construct HBAC request for the given principal, CA and profile""" + req = pyhbac.HbacRequest() + req.targethost.name = ca_ref + req.service.name = profile_id + if principal_type == 'user': + req.user.name = principal + elif principal_type == 'host': + req.user.name = principal[:5] # strip 'host/' + elif principal_type == 'service': + req.user.name = normalize_principal(principal) + groups = [] + if principal_type == 'user': + user_obj = api.Command.user_show(principal)['result'] + groups = user_obj.get('memberof_group', []) + groups += user_obj.get('memberofindirect_group', []) + elif principal_type == 'host': + service, hostname, realm = split_any_principal(principal) + host_obj = api.Command.host_show(hostname)['result'] + groups = host_obj.get('memberof_hostgroup', []) + groups += host_obj.get('memberofindirect_hostgroup', []) + req.user.groups = sorted(set(groups)) + return req + + +def _acl_make_rule(principal_type, obj): + """Turn CA ACL object into HBAC rule. 
+ + ``principal_type`` + String in {'user', 'host', 'service'} + """ + rule = pyhbac.HbacRule(obj['cn'][0]) + rule.enabled = obj['ipaenabledflag'][0] + rule.srchosts.category = {pyhbac.HBAC_CATEGORY_ALL} + + # add CA(s) + # Hardcoded until caacl plugin arrives + rule.targethosts.category = {pyhbac.HBAC_CATEGORY_ALL} + #if 'cacategory' in obj and obj['cacategory'][0].lower() == 'all': + # rule.targethosts.category = {pyhbac.HBAC_CATEGORY_ALL} + #else: + # rule.targethosts.names = obj.get('ipacaaclcaref', []) + + # add profiles + if 'profilecategory' in obj and obj['profilecategory'][0].lower() == 'all': + rule.services.category = {pyhbac.HBAC_CATEGORY_ALL} + else: + attr = 'memberprofile_certprofile' + rule.services.names = obj.get(attr, []) + + # add principals and principal's groups + m = {'user': 'group', 'host': 'hostgroup', 'service': None} + category_attr = '{}category'.format(principal_type) + if category_attr in obj and obj[category_attr][0].lower() == 'all': + rule.users.category = {pyhbac.HBAC_CATEGORY_ALL} + else: + principal_attr = 'member{}_{}'.format(principal_type, principal_type) + rule.users.names = obj.get(principal_attr, []) + if m[principal_type] is not None: + group_attr = 'member{}_{}'.format(principal_type, m[principal_type]) + rule.users.groups = obj.get(group_attr, []) + + return rule + + +def acl_evaluate(principal_type, principal, ca_ref, profile_id): + req = _acl_make_request(principal_type, principal, ca_ref, profile_id) + acls = api.Command.caacl_find()['result'] + rules = [_acl_make_rule(principal_type, obj) for obj in acls] + return req.evaluate(rules) == pyhbac.HBAC_EVAL_ALLOW + + @register() class caacl(LDAPObject): """ diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py index d122900175db41ba5af429fd47af6cac6533cb6f..1878e5ad5f80fa93e1a77b0a88711c1da0016681 100644 --- a/ipalib/plugins/cert.py +++ b/ipalib/plugins/cert.py 
@@ -33,6 +33,7 @@ from ipalib.plugins.virtual import * from ipalib.plugins.baseldap import pkey_to_value from ipalib.plugins.service import split_any_principal from ipalib.plugins.certprofile import validate_profile_id +import ipalib.plugins.caacl import base64 import traceback from ipalib.text import _ @@ -326,6 +327,22 @@ class cert_request(VirtualCommand): else: principal_type = SERVICE + principal_type_map = {USER: 'user', HOST: 'host', SERVICE: 'service'} + ca = '.' # top-level CA hardcoded until subca plugin implemented + if not ipalib.plugins.caacl.acl_evaluate( + principal_type_map[principal_type], + principal_string, ca, profile_id): + raise errors.ACIError(info=_( + "Principal '%(principal)s' " + "is not permitted to use CA '%(ca)s' " + "with profile '%(profile_id)s' for certificate issuance." + ) % dict( + principal=principal_string, + ca=ca or '.', + profile_id=profile_id + ) + ) + bind_principal = split_any_principal(getattr(context, 'principal')) bind_service, bind_name, bind_realm = bind_principal -- 2.1.0 From abokovoy at redhat.com Wed Jun 10 04:40:21 2015 
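Review bot: `req.user.name = principal[:5]  # strip 'host/'` in _acl_make_request keeps the first five characters ('host/') instead of removing them; the slice should be `principal[5:]`. As written a host principal never matches a rule that lists specific hosts or hostgroups, and only hostcategory='all' rules (such as the shipped default) would allow it, so the bug fails closed but breaks per-host ACLs. The host branch a few lines lower already computes `service, hostname, realm = split_any_principal(principal)` for the hostgroup lookup; assigning that same `hostname` to `req.user.name` would also avoid comparing an "fqdn@REALM" string against the bare host names stored in memberhost_host. Two smaller points: `rule.enabled = obj['ipaenabledflag'][0]` is correct only because caacl_find has already run the value through the `Bool('ipaenabledflag?')` parameter, so a one-line comment saying the value is a Python bool, not the LDAP string, would prevent someone reusing this helper on a raw LDAP entry, where 'FALSE' is truthy; and the comment "Hardcoded until caacl plugin arrives" above `rule.targethosts.category` should say "subca plugin", matching the other placeholders.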
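Review bot: in the cert_request hunk, `ca = '.'` is assigned unconditionally two lines above, so `ca or '.'` in the error message can never fall through; drop the `or '.'` or make `ca` genuinely optional. The denial raises `errors.ACIError` with the principal, CA and profile in the message, which is useful for the caller, but nothing is recorded server-side; logging the denial (for example via the command's `self.log`) before raising would make CA ACL denials visible in the server log for auditing. Finally, `import ipalib.plugins.caacl` followed by the fully qualified `ipalib.plugins.caacl.acl_evaluate(...)` differs from the `from ipalib.plugins.X import Y` style of the surrounding imports; `from ipalib.plugins.caacl import acl_evaluate` would match.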
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 10 Jun 2015 07:40:21 +0300
Subject: [Freeipa-devel] Community Portal Milestone
In-Reply-To: <5577B8DD.3080909@redhat.com>
References: <5575EF16.5090808@redhat.com> <5576C04F.9070903@redhat.com> <5576EA1B.7050300@redhat.com> <55774959.10503@redhat.com> <20150609204425.GG4402@redhat.com> <5577B8DD.3080909@redhat.com>
Message-ID: <20150610044021.GH4402@redhat.com>

On Wed, 10 Jun 2015, Adam Young wrote:
>On 06/09/2015 04:44 PM, Alexander Bokovoy wrote:
>>On Tue, 09 Jun 2015, Drew Erny wrote:
>>>Hey, Freeipa, same thread new subtopic.
>>>
>>>So, I was bouncing some ideas around with another developer
>>>(ayoung) and I think I have a pretty good idea for self-service
>>>user registration.
>>>
>>>The idea is that I put self-service user registration into its own
>>>application that calls out to ipa user-add after getting admin
>>>approval.
>>>
>>>Workflow goes like this:
>>>
>>>1.) User goes to registration page, inputs details into form.
>>>Registration page and application are not part of FreeIPA.
>>>2.) User's registration goes into a non-FreeIPA database,
>>>something like SQLite.
>>>3.) Admin gets a notification email with a link to approve/deny
>>>registration.
>>> A.) Admin clicks approval link, registration application (which
>>>has limited privileges) makes call out to ipa user-add command,
>>>adding the new user to FreeIPA.
>>> B.) Admin clicks deny link, user is not added.
>>>4.) User's registration information, approved or denied, is
>>>deleted from the external database.
>>>
>>>This has a couple of advantages. For starters, it provides a layer
>>>of protection against the creation of spam accounts. Accounts do
>>>not add directly to LDAP (inserting to LDAP is a slow operation),
>>>instead sit in intermediate area waiting approval. Second, we
>>>don't have to write a big extension to ipa user-add or
>>>staginguser-add that allows anonymous access to that command.
>>>Third, it can be bundled into its own package and given to the
>>>community separate from FreeIPA proper. Finally, it would allow me
>>>to gracefully defer becoming buried up to my neck in D-Bus
>>>notifications and whatever other fanciness we want to send email,
>>>because FreeIPA won't be sending the email.
>>>
>>>Opinions?
>>Sounds good. For external application like your portal to be able to
>>call IPA CLI (or JSON) with Kerberos on behalf of an admin, you need to
>>support S4U2Proxy configuration. See
>>https://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/
>>for details on how to make it work. This would allow you to have an
>>application running on a separate IPA client and still be able to re-use
>>admin Kerberos credentials to perform the work after admin granted the
>>permission to create a user or to reset a password.
>I don't think so; S4U2Proxy would only make sense if the user does
>not have direct access. I think that, with proper CORS support, we
>could have the admin users authenticate the new users directly. Should
>be a simpler set up.
??? You would need admin to log in to the community portal to approve
users. And you would then want to use admin credentials to connect to IPA
to actually create users/set passwords/etc. This is what S4U2Proxy is for,
not for the users themselves. The users would not have direct access as
the idea of the community portal is to allow resetting passwords and
creating additional users.

If you want to make it all accessible under a different account, you'd
need to add a number of permissions and it would quickly become
unmanageable. I see very little use in that.
--
/ Alexander Bokovoy
From abokovoy at redhat.com Wed Jun 10 04:41:35 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 10 Jun 2015 07:41:35 +0300
Subject: [Freeipa-devel] Community Portal Milestone
In-Reply-To: <5577AAC9.1010007@redhat.com>
References: <5575EF16.5090808@redhat.com> <5576C04F.9070903@redhat.com> <5576EA1B.7050300@redhat.com> <55774959.10503@redhat.com> <1433889289.20848.40.camel@willson.usersys.redhat.com> <5577AAC9.1010007@redhat.com>
Message-ID: <20150610044135.GI4402@redhat.com>

On Tue, 09 Jun 2015, Adam Young wrote:
>On 06/09/2015 06:34 PM, Simo Sorce wrote:
>>On Tue, 2015-06-09 at 16:15 -0400, Drew Erny wrote:
>>>Hey, Freeipa, same thread new subtopic.
>>>
>>>So, I was bouncing some ideas around with another developer (ayoung) and
>>>I think I have a pretty good idea for self-service user registration.
>>>
>>>The idea is that I put self-service user registration into its own
>>>application that calls out to ipa user-add after getting admin approval.
>>>
>>>Workflow goes like this:
>>>
>>>1.) User goes to registration page, inputs details into form.
>>>Registration page and application are not part of FreeIPA.
>>>2.) User's registration goes into a non-FreeIPA database, something like
>>>SQLite.
>>>3.) Admin gets a notification email with a link to approve/deny
>>>registration.
>>> A.) Admin clicks approval link, registration application (which has
>>>limited privileges) makes call out to ipa user-add command, adding the
>>>new user to FreeIPA.
>>> B.) Admin clicks deny link, user is not added.
>>>4.) User's registration information, approved or denied, is deleted from
>>>the external database.
>>>
>>>This has a couple of advantages. For starters, it provides a layer of
>>>protection against the creation of spam accounts. Accounts do not add
>>>directly to LDAP (inserting to LDAP is a slow operation), instead sit in
>>>intermediate area waiting approval. Second, we don't have to write a big
>>>extension to ipa user-add or staginguser-add that allows anonymous
>>>access to that command. Third, it can be bundled into its own package
>>>and given to the community separate from FreeIPA proper. Finally, it
>>>would allow me to gracefully defer becoming buried up to my neck in
>>>D-Bus notifications and whatever other fanciness we want to send email,
>>>because FreeIPA won't be sending the email.
>>>
>>>Opinions?
>>You could avoid using an external database by using the new User
>>Lifecycle management feature [1]. This will allow you to do a simple
>>ldapadd, but the user will not be enabled until an admin logs into the
>>FreeIPA interface to enable the user.
>>This means your app never needs to see the admin's credentials or use
>>s4u2proxy and will pose a lower risk to the system.
>The big issue was having an unauthenticated user add to the datastore;
>I don't think you want to push new values directly into LDAP. A
>separate Database makes a lot of sense, and using SQLite for a proof of
>concept allows us to migrate up to MySQL for a live deployment.
>
>I don't think S4U2Proxy is necessary. A client app with permission to
>read from the registration app could use the user's own credentials to
>push to the IPA server. This could be done in a web app with CORS
>support as well.
So now you have two apps instead of one. How would you do password resets
in this scheme? Password resets are what Drew is doing in the first place.
--
/ Alexander Bokovoy
From mkosek at redhat.com Wed Jun 10 06:13:21 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 10 Jun 2015 08:13:21 +0200
Subject: [Freeipa-devel] [PATCH] Password vault
In-Reply-To: <557756EE.8020507@redhat.com>
References: <54E1AF55.3060409@redhat.com> <54EBEB55.6010306@redhat.com> <54F96B22.9050507@redhat.com> <55004D5D.6060300@redhat.com> <550FE5EB.1070606@redhat.com> <551E0AE1.8040500@redhat.com> <553498D1.1020901@redhat.com> <55651209.8020000@redhat.com> <556558AA.6040107@redhat.com> <556CF209.7050404@redhat.com> <556EF05E.90103@redhat.com> <55719260.8080300@redhat.com> <5571FD75.5010708@redhat.com> <557568CB.3040503@redhat.com> <557756EE.8020507@redhat.com>
Message-ID: <5577D581.1020800@redhat.com>

On 06/09/2015 11:13 PM, Endi Sukma Dewata wrote:
> Please take a look at the attached patch to add symmetric & asymmetric vaults.
> Some comments about the patch:
>
> 1. The vault_add was split into a client-side vault_add and server-side
> vault_add_internal since the parameters are different (i.e. public key file and
> future escrow-related params). Since vault_add inherits from Local all
> non-primary-key attributes have to be added explicitly.
>
> 2. Since the vault_archive_internal inherits from Update, it accepts all non
> primary-key attributes automatically. This is incorrect since we don't want to
> update these parameters during archival. Can this behavior be overridden?

Just for the record, this changes API, right? It would be better to have this in
Alpha planned for this week. Not a blocker for Alpha though, we can give warning
that the internal API may change before GA.
From mkosek at redhat.com Wed Jun 10 06:52:12 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 10 Jun 2015 08:52:12 +0200
Subject: [Freeipa-devel] Community Portal Milestone
In-Reply-To: <5577AAC9.1010007@redhat.com>
References: <5575EF16.5090808@redhat.com> <5576C04F.9070903@redhat.com> <5576EA1B.7050300@redhat.com> <55774959.10503@redhat.com> <1433889289.20848.40.camel@willson.usersys.redhat.com> <5577AAC9.1010007@redhat.com>
Message-ID: <5577DE9C.1030004@redhat.com>

On 06/10/2015 05:11 AM, Adam Young wrote:
> On 06/09/2015 06:34 PM, Simo Sorce wrote:
>> On Tue, 2015-06-09 at 16:15 -0400, Drew Erny wrote:
>>> Hey, Freeipa, same thread new subtopic.
>>>
>>> So, I was bouncing some ideas around with another developer (ayoung) and
>>> I think I have a pretty good idea for self-service user registration.
>>>
>>> The idea is that I put self-service user registration into its own
>>> application that calls out to ipa user-add after getting admin approval.
>>>
>>> Workflow goes like this:
>>>
>>> 1.) User goes to registration page, inputs details into form.
>>> Registration page and application are not part of FreeIPA.
>>> 2.) User's registration goes into a non-FreeIPA database, something like
>>> SQLite.
>>> 3.) Admin gets a notification email with a link to approve/deny
>>> registration.
>>> A.) Admin clicks approval link, registration application (which has
>>> limited privileges) makes call out to ipa user-add command, adding the
>>> new user to FreeIPA.
>>> B.) Admin clicks deny link, user is not added.
>>> 4.) User's registration information, approved or denied, is deleted from
>>> the external database.
>>>
>>> This has a couple of advantages. For starters, it provides a layer of
>>> protection against the creation of spam accounts. Accounts do not add
>>> directly to LDAP (inserting to LDAP is a slow operation), instead sit in
>>> intermediate area waiting approval. Second, we don't have to write a big
>>> extension to ipa user-add or staginguser-add that allows anonymous
>>> access to that command. Third, it can be bundled into its own package
>>> and given to the community separate from FreeIPA proper. Finally, it
>>> would allow me to gracefully defer becoming buried up to my neck in
>>> D-Bus notifications and whatever other fanciness we want to send email,
>>> because FreeIPA won't be sending the email.
>>>
>>> Opinions?
>> You could avoid using an external database by using the new User
>> Lifecycle management feature [1]. This will allow you to do a simple
>> ldapadd, but the user will not be enabled until an admin logs into the
>> FreeIPA interface to enable the user.
>> This means your app never needs to see the admin's credentials or use
>> s4u2proxy and will pose a lower risk to the system.
> The big issue was having an unauthenticated user add to the datastore; I don't
> think you want to push new values directly into LDAP. A separate Database makes
> a lot of sense, and using SQLite for a proof of concept allows us to migrate up
> to MySQL for a live deployment.

The separate database does not make a lot of sense to me, why not use the Stage
User tree when it's there, ready for you? I would like to know what the
motivation and reasoning for using a completely separate DB is. Besides others,
I think the Stage Users area for example checks for login name or UID/GID
collisions.

The Selfservice just needs to operate under an identity that has a Stage User
Administrator privilege or we can create a more contained privilege that could
just add the staged users and not modify/remove them.
From mkosek at redhat.com Wed Jun 10 07:12:57 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 10 Jun 2015 09:12:57 +0200
Subject: [Freeipa-devel] Stage users - inconsistent permission names
Message-ID: <5577E379.6010604@redhat.com>

Hello Thierry/David,

I saw the new privileges and permissions for the Staged Users functionality and
found a couple of spelling/English issues that I think we should fix before
Alpha/GA so that we can just rename them and not care about upgrade changes.

Namely:

# ipa permission-find stage | grep -i "Permission name"
Permission name: System: Add Stage Users by Provisioning and Administrators

Should be "System: Add Stage User"

Permission should not care who will do it, it is the privilege/role's job.

Permission name: System: Delete modify Stage Users by administrators

Why are Modify and Delete combined in 1 permission?

Should be "System: Modify Stage User" and "System: Remove Stage User"

Permission name: System: Preserve an active user to a delete Users

Maybe "System: Preserve User"? We do not use "deleted users" but rather
"preserved users" anyway

Permission name: System: Reactive delete users

"System: Undelete User" to reflect the command name.

Permission name: System: Read Stage User kerberos principal key and password

Rather "System: Read Stage User password" - I do not think we need to call out
the principal key explicitly, but this is negotiable.

Permission name: System: Read Stage Users by administrators

"System: Read Stage Users"

Permission name: System: Read/Write delete Users by administrators

This needs to be 2 permissions:

"System: Read Preserved Users"
"System: Modify Preserved Users"

Permission name: System: Reset userPassord and kerberos keys of delete users by administrator

Rather "System: Reset Preserved User password"

Permission name: System: Write Active Users RDN by administrators

Rather "System: Modify User RDN"

Permission name: System: Write Delete Users RDN by administrators

Why is this permission needed, isn't "System: Modify Preserved Users" enough?

--
Martin Kosek
Supervisor, Software Engineering - Identity Management Team
Red Hat Inc.
From lkrispen at redhat.com Wed Jun 10 07:13:40 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Wed, 10 Jun 2015 09:13:40 +0200
Subject: [Freeipa-devel] topology issues
In-Reply-To: <55770703.8030202@redhat.com>
References: <5576F055.2060603@redhat.com> <5576F26C.7010802@redhat.com> <5576F4D8.80907@redhat.com> <5576F5E6.2030502@redhat.com> <5576F755.7080809@redhat.com> <55770703.8030202@redhat.com>
Message-ID: <5577E3A4.90309@redhat.com>

Hi,

there seems to be something going wrong in the code to delete the services.

The code is:

        # delete master entry with all active services
        try:
            dn = DN(('cn', replica), ('cn', 'masters'), ('cn', 'ipa'),
                    ('cn', 'etc'), self.suffix)
            entries = self.conn.get_entries(dn, ldap.SCOPE_SUBTREE)
            if entries:
                entries.sort(key=lambda x: len(x.dn), reverse=True)
                for entry in entries:
                    self.conn.delete_entry(entry)
        except errors.NotFound:
            pass
        except Exception, e:
            if not force:
                raise e
            elif not err:
                err = e

In the access log we see:

[09/Jun/2015:08:32:42 -0400] conn=150 op=52 SRCH base="cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net" scope=2 filter="(objectClass=*)" attrs=ALL
[09/Jun/2015:08:32:42 -0400] conn=150 op=52 RESULT err=0 tag=101 nentries=8 etime=0 notes=U

this was the get_entries, it returns 8 entries

[09/Jun/2015:08:32:42 -0400] conn=150 op=53 DEL dn="cn=KDC,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
[09/Jun/2015:08:32:42 -0400] conn=150 op=53 RESULT err=0 tag=107 nentries=0 etime=0 csn=5576dceb000600040000
[09/Jun/2015:08:32:42 -0400] conn=150 op=54 DEL dn="cn=KPASSWD,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
[09/Jun/2015:08:32:42 -0400] conn=150 op=54 RESULT err=0 tag=107 nentries=0 etime=0 csn=5576dceb000700040000
[09/Jun/2015:08:32:42 -0400] conn=150 op=55 DEL dn="cn=MEMCACHE,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
[09/Jun/2015:08:32:43 -0400] conn=150 op=55 RESULT err=0 tag=107 nentries=0 etime=1 csn=5576dcec000100040000

here it stops after deleting three entries, and it should do it in reverse
order of the dn length, but KDC is deleted before MEMCACHE

[09/Jun/2015:08:32:43 -0400] conn=150 op=56 UNBIND

Are there any ideas what is going on or how to debug it ?

On 06/09/2015 05:32 PM, Ludwig Krispenz wrote:
> Hi Oleg,
> thanks for access to your machine, the replication agreements are
> still there - and that is expected since the server was not removed.
>
> In the access log I see:
>
> [09/Jun/2015:08:32:42 -0400] conn=150 op=52 SRCH
> base="cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
> scope=2 filter="(objectClass=*)" attrs=ALL
> [09/Jun/2015:08:32:42 -0400] conn=150 op=52 RESULT err=0 tag=101
> nentries=8 etime=0 notes=U
> [09/Jun/2015:08:32:42 -0400] conn=150 op=53 DEL
> dn="cn=KDC,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
> [09/Jun/2015:08:32:42 -0400] conn=150 op=53 RESULT err=0 tag=107
> nentries=0 etime=0 csn=5576dceb000600040000
> [09/Jun/2015:08:32:42 -0400] conn=150 op=54 DEL
> dn="cn=KPASSWD,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
> [09/Jun/2015:08:32:42 -0400] conn=150 op=54 RESULT err=0 tag=107
> nentries=0 etime=0 csn=5576dceb000700040000
> [09/Jun/2015:08:32:42 -0400] conn=150 op=55 DEL
> dn="cn=MEMCACHE,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
> [09/Jun/2015:08:32:43 -0400] conn=150 op=55 RESULT err=0 tag=107
> nentries=0 etime=1 csn=5576dcec000100040000
> [09/Jun/2015:08:32:43 -0400] conn=150 op=56 UNBIND
>
> the search for cn=f22replica1.bagam.net,cn=masters,.... returns 8
> entries, which then should be deleted, but only 3 are deleted and the
> cn=f22replica1.bagam.net,cn=masters,... entry is not deleted, so the
> topology segments are not deleted, and the agreement is not removed.
>
> I don't know why ipa-replica-manage del does stop deleting services
> and the master entry
>
>
>
> On 06/09/2015 04:25 PM, Oleg Fayans wrote:
>>
>>
>> On 06/09/2015 04:19 PM, Ludwig Krispenz wrote:
>>>
>>> On 06/09/2015 04:14 PM, Oleg Fayans wrote:
>>>>
>>>>
>>>> On 06/09/2015 04:04 PM, Ludwig Krispenz wrote:
>>>>>
>>>>> On 06/09/2015 03:55 PM, Oleg Fayans wrote:
>>>>>> Hi everybody,
>>>>>>
>>>>>> The current status of Topology plugin testing is as follows:
>>>>>>
>>>>>> 1. There is still no proper way of removing the replica.
>>>>>> Standard procedure using `ipa-replica-manage del` throws "Server
>>>>>> is unwilling to perform: Entry is managed by topology
>>>>>> plugin.Deletion not allowed.".
>>>>> yes, that is for the first attempt to directly remove the
>>>>> agreement, but when the server is removed the agreements should be
>>>>> removed
>>>> We should probably think of a less threatening error message in this
>>>> case. Just from reading the command output one might conclude that
>>>> replica removal failed.
>>>>>> The replication agreement though does get deleted,
>>>>> then it is ok,
>>>>>> but the topology information does not get updated.
>>>>> what do you mean, where do you check ? in the "remaining" topology
>>>>> the shared tree should be updated, for the removed replica it will
>>>>> not, but this should be uninstalled anyway
>>>> The problem here, is that the topology information does not get
>>>> updated on master as well.
>>> could you be a bit more precise. what do you still see ? the
>>> agreement will be only removed if the segment is removed, and this
>>> should be replicated to all servers in the remaining topology - if
>>> you don't disconnect it by removing the replica.
>>> and what was the topology structure and which replica did you
>>> remove, on which server did you remove it?
>> So, here are the results of the `topologysegment-find` command before
>> replica removal:
>> root at f22master:/var/log/dirsrv/slapd-BAGAM-NET]$ ipa topologysegment-find
>> Suffix name: realm
>> ------------------
>> 2 segments matched
>> ------------------
>> Segment name: f22master.bagam.net-to-f22replica1.bagam.net
>> Left node: f22master.bagam.net
>> Right node: f22replica1.bagam.net
>> Connectivity: both
>>
>> Segment name: f22master.bagam.net-to-f22replica2.bagam.net
>> Left node: f22master.bagam.net
>> Right node: f22replica2.bagam.net
>> Connectivity: both
>> ----------------------------
>> Number of entries returned 2
>> ----------------------------
>> Then, after issuing `ipa-replica-manage-del f2replica1.bagam.net
>> --force` on the master, the same command on master still shows
>> exactly the same topology:
>>
>> root at f22master:/var/log/dirsrv/slapd-BAGAM-NET]$ ipa topologysegment-find
>> Suffix name: realm
>> ------------------
>> 2 segments matched
>> ------------------
>> Segment name: f22master.bagam.net-to-f22replica1.bagam.net
>> Left node: f22master.bagam.net
>> Right node: f22replica1.bagam.net
>> Connectivity: both
>>
>> Segment name: f22master.bagam.net-to-f22replica2.bagam.net
>> Left node: f22master.bagam.net
>> Right node: f22replica2.bagam.net
>> Connectivity: both
>> ----------------------------
>> Number of entries returned 2
>> ----------------------------
>>
>>>>>> When I then issue `ipa topologysegment-del`, it fails due to
>>>>>> "ipa: ERROR: Server is unwilling to perform: Removal of Segment
>>>>>> disconnects topology.Deletion not allowed."
>>>>> correct, you can only do it after removal of the server
>>>> I do not get it. Master still thinks it has the replica, it
>>>> displays it both in CLI using `ipa topologysegment-find` and in the
>>>> web-ui. (although it does not show it using `ipa host-find`, which
>>>> is correct), and there is no way to manually make it change its mind?
>>>>>>
>>>>>> I tried to disable the segment first and then delete it, but with
>>>>>> the segment properly disabled, the attempt to delete it raised a
>>>>>> GSS error: "ipa: ERROR: Kerberos error: Kerberos error:
>>>>>> ('Unspecified GSS failure. Minor code may provide more
>>>>>> information', 851968)/('KDC returned error string: PROCESS_TGS',
>>>>>> -1765328324)/". I am not sure where to search for corresponding
>>>>>> logs. The session transcript is attached.
>>>>>>
>>>>>> 2. The following is probably unrelated to the topology plugin:
>>>>>> I installed a replica with --setup-ca option. Then, on this
>>>>>> replica tried to prepare another replica:
>>>>>> ------------------------------------------------------------------
>>>>>>
>>>>>> root at f22replica2:/home/ofayans/f22]$ ipa-replica-prepare
>>>>>> --ip-address 192.168.122.141 f22replica3.bagam.net
>>>>>> Directory Manager (existing master) password:
>>>>>>
>>>>>> Preparing replica for f22replica3.bagam.net from
>>>>>> f22replica2.bagam.net
>>>>>> Creating SSL certificate for the Directory Server
>>>>>> Certificate issuance failed
>>>>>> ------------------------------------------------------------------
>>>>>>
>>>>>> The corresponding line in the dirsrv log:
>>>>>> [09/Jun/2015:09:54:46 -0400] - Entry
>>>>>> "uid=admin,ou=people,o=ipaca" -- attribute "krbExtraData" not
>>>>>> allowed
>>>>>>
>>>>
>>>> --
>>>> Oleg Fayans
>>>> Quality Engineer
>>>> FreeIPA team
>>>> RedHat.
>>>>
>>
>> --
>> Oleg Fayans
>> Quality Engineer
>> FreeIPA team
>> RedHat.
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From dkupka at redhat.com Wed Jun 10 07:28:49 2015
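The leaf-first ordering that the deletion loop quoted in Ludwig's message relies on, and what its force path leaves behind when one delete fails, as an added example that is not FreeIPA code: a stand-in DN whose len() is its number of RDNs (the property of ipapython's DN class that Martin Basti describes in his reply), eight constructed entries modelled on the nentries=8 search in the access log (only KDC, KPASSWD and MEMCACHE are real names; SVC4 to SVC7 are made up), and a simulated delete_entry that fails on one chosen RDN.

```python
from collections import namedtuple


class DN(object):
    """Stand-in for ipapython.dn.DN (assumption: only the behaviour the
    thread relies on is modelled): len() is the number of RDNs, not the
    length of the string."""

    def __init__(self, dn_str):
        # The constructed sample DNs contain no escaped commas, so a plain
        # split is enough here; real DNs need a proper parser.
        self.rdns = [part.strip() for part in dn_str.split(',')]

    def __len__(self):
        return len(self.rdns)

    def __str__(self):
        return ','.join(self.rdns)

    def is_ancestor_of(self, other):
        """True if self is a (possibly indirect) parent of other."""
        return len(other) > len(self) and other.rdns[-len(self):] == self.rdns


Entry = namedtuple('Entry', ['dn'])

# Constructed sample: the master entry plus seven service children, mirroring
# the 8 entries returned by the SRCH in the quoted access log. Only KDC,
# KPASSWD and MEMCACHE appear in the log; SVC4..SVC7 are placeholders.
MASTER_DN = 'cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net'
SERVICE_NAMES = ['KDC', 'KPASSWD', 'MEMCACHE', 'SVC4', 'SVC5', 'SVC6', 'SVC7']
SAMPLE_ENTRIES = [Entry(DN(MASTER_DN))] + [
    Entry(DN('cn=%s,%s' % (name, MASTER_DN))) for name in SERVICE_NAMES]


def deletion_order(entries):
    """Same sort as the quoted loop: deepest DN first. Python's sort is
    stable, so siblings of equal depth keep their search-result order, which
    is why KDC legitimately comes before MEMCACHE."""
    ordered = list(entries)
    ordered.sort(key=lambda x: len(x.dn), reverse=True)
    return ordered


def children_before_parents(ordered):
    """The invariant the sort must give: no entry precedes a descendant."""
    for i, entry in enumerate(ordered):
        for later in ordered[i + 1:]:
            if entry.dn.is_ancestor_of(later.dn):
                return False
    return True


def delete_subtree(entries, delete_entry, force=False):
    """Mirror of the quoted try/except: the loop stops at the first failing
    delete; with force the exception is kept instead of raised.
    Returns (deleted DNs, leftover DNs, swallowed exception or None)."""
    ordered = deletion_order(entries)
    deleted = []
    err = None
    try:
        for entry in ordered:
            delete_entry(entry)
            deleted.append(str(entry.dn))
    except Exception as e:
        if not force:
            raise
        err = e
    leftover = [str(entry.dn) for entry in ordered
                if str(entry.dn) not in deleted]
    return deleted, leftover, err


def failing_delete_factory(fail_on_rdn):
    """Constructed LDAP stand-in: succeeds except for one leading RDN."""
    def delete_entry(entry):
        if entry.dn.rdns[0] == fail_on_rdn:
            raise RuntimeError('constructed DEL failure for %s' % entry.dn)
    return delete_entry


if __name__ == '__main__':
    ordered = deletion_order(SAMPLE_ENTRIES)
    print('child-first order holds: %s' % children_before_parents(ordered))
    deleted, leftover, err = delete_subtree(
        SAMPLE_ENTRIES, failing_delete_factory('cn=SVC4'), force=True)
    print('deleted %d, leftover %s, error %r' % (len(deleted), leftover, err))
```

Under force the swallowed exception in err is the only record of why the master entry survived, so printing it belongs next to any before/after-sort dump of the entries.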
From: dkupka at redhat.com (David Kupka)
Date: Wed, 10 Jun 2015 09:28:49 +0200
Subject: [Freeipa-devel] [PATCHES 439-442] install: Migrate ipa-replica-install to the install framework
In-Reply-To: <5576D6B2.8090605@redhat.com>
References: <5576D6B2.8090605@redhat.com>
Message-ID: <5577E731.9030302@redhat.com>

On 06/09/2015 02:06 PM, Jan Cholasta wrote:
> Hi,
>
> the attached patches implement another part of
> .
>
> Honza
>
>
Works for me, ACK.
--
David Kupka
From jcholast at redhat.com Wed Jun 10 07:30:53 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 10 Jun 2015 09:30:53 +0200
Subject: [Freeipa-devel] [PATCHES 439-442] install: Migrate ipa-replica-install to the install framework
In-Reply-To: <5577E731.9030302@redhat.com>
References: <5576D6B2.8090605@redhat.com> <5577E731.9030302@redhat.com>
Message-ID: <5577E7AD.6070202@redhat.com>

On 10.6.2015 at 09:28, David Kupka wrote:
> On 06/09/2015 02:06 PM, Jan Cholasta wrote:
>> Hi,
>>
>> the attached patches implement another part of
>> .
>>
>> Honza
>>
>>
> Works for me, ACK.
>
Thanks.

Pushed to master: 46cbe26b51f7eeeeac8f24351d165c50d415326f
--
Jan Cholasta
From dkupka at redhat.com Wed Jun 10 08:01:53 2015
From: dkupka at redhat.com (David Kupka)
Date: Wed, 10 Jun 2015 10:01:53 +0200
Subject: [Freeipa-devel] Stage users - inconsistent permission names
In-Reply-To: <5577E379.6010604@redhat.com>
References: <5577E379.6010604@redhat.com>
Message-ID: <5577EEF1.7090500@redhat.com>

On 06/10/2015 09:12 AM, Martin Kosek wrote:
> Hello Thierry/David,
>
> I saw the new privileges and permissions for the Staged Users functionality and
> found a couple of spelling/English issues that I think we should fix before
> Alpha/GA so that we can just rename them and not care about upgrade changes.
>
> Namely:
>
> # ipa permission-find stage | grep -i "Permission name"
> Permission name: System: Add Stage Users by Provisioning and Administrators
>
> Should be "System: Add Stage User"
>
> Permission should not care who will do it, it is the privilege/role's job.
>
> Permission name: System: Delete modify Stage Users by administrators
>
> Why are Modify and Delete combined in 1 permission?
>
> Should be "System: Modify Stage User" and "System: Remove Stage User"
>
> Permission name: System: Preserve an active user to a delete Users
>
> Maybe "System: Preserve User"? We do not use "deleted users" but rather
> "preserved users" anyway
>
> Permission name: System: Reactive delete users
>
> "System: Undelete User" to reflect the command name.
>
> Permission name: System: Read Stage User kerberos principal key and password
>
> Rather "System: Read Stage User password" - I do not think we need to call out
> the principal key explicitly, but this is negotiable.
>
> Permission name: System: Read Stage Users by administrators
>
> "System: Read Stage Users"
>
> Permission name: System: Read/Write delete Users by administrators
>
> This needs to be 2 permissions:
>
> "System: Read Preserved Users"
> "System: Modify Preserved Users"
>
> Permission name: System: Reset userPassord and kerberos keys of delete users
> by administrator
>
> Rather "System: Reset Preserved User password"
>
> Permission name: System: Write Active Users RDN by administrators
>
> Rather "System: Modify User RDN"
>
> Permission name: System: Write Delete Users RDN by administrators
>
> Why is this permission needed, isn't "System: Modify Preserved Users" enough?
>

Hello,
it's probably my fault, I should have paid more attention when reviewing the
patch set. I created ticket https://fedorahosted.org/freeipa/ticket/5057 and
can fix it.
--
David Kupka
From jcholast at redhat.com Wed Jun 10 08:39:46 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 10 Jun 2015 10:39:46 +0200
Subject: [Freeipa-devel] [PATCH] Password vault
In-Reply-To: <557568CB.3040503@redhat.com>
References: <54E1AF55.3060409@redhat.com> <54EBEB55.6010306@redhat.com> <54F96B22.9050507@redhat.com> <55004D5D.6060300@redhat.com> <550FE5EB.1070606@redhat.com> <551E0AE1.8040500@redhat.com> <553498D1.1020901@redhat.com> <55651209.8020000@redhat.com> <556558AA.6040107@redhat.com> <556CF209.7050404@redhat.com> <556EF05E.90103@redhat.com> <55719260.8080300@redhat.com> <5571FD75.5010708@redhat.com> <557568CB.3040503@redhat.com>
Message-ID: <5577F7D2.3050302@redhat.com>

On 8.6.2015 at 12:04, Jan Cholasta wrote:
> On 5.6.2015 at 21:50, Endi Sukma Dewata wrote:
>> On 6/5/2015 7:13 AM, Jan Cholasta wrote:
>>> BTW, ipa-kra-install is broken with pki-core-10.2.4-1, but it works with
>>> pki-core-10.2.1-3.
>>
>> There's a bug in IPA: https://bugzilla.redhat.com/show_bug.cgi?id=1228671

Cloned the bug to .

>
> The patch needs a rebase and version bump ("VERSION" line at the top of
> ipa-pki-proxy.conf).

I have bumped VERSION and rebased the patch, see attachment.

Pushed to master: 62ef11efad4ebbb8fa6f13a15c5ed8e833e90d43
--
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fixed-KRA-installation-problem.patch
Type: text/x-patch
Size: 3941 bytes
Desc: not available
URL:
From mbasti at redhat.com Wed Jun 10 08:41:20 2015
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 10 Jun 2015 10:41:20 +0200
Subject: [Freeipa-devel] topology issues
In-Reply-To: <5577E3A4.90309@redhat.com>
References: <5576F055.2060603@redhat.com> <5576F26C.7010802@redhat.com> <5576F4D8.80907@redhat.com> <5576F5E6.2030502@redhat.com> <5576F755.7080809@redhat.com> <55770703.8030202@redhat.com> <5577E3A4.90309@redhat.com>
Message-ID: <5577F830.8020208@redhat.com>

On 10/06/15 09:13, Ludwig Krispenz wrote:
> Hi,
>
> there seems to be something going wrong in the code to delete the
> services.
>
> The code is:
>
>         # delete master entry with all active services
>         try:
>             dn = DN(('cn', replica), ('cn', 'masters'), ('cn', 'ipa'),
>                     ('cn', 'etc'), self.suffix)
>             entries = self.conn.get_entries(dn, ldap.SCOPE_SUBTREE)
>             if entries:
>                 entries.sort(key=lambda x: len(x.dn), reverse=True)
>                 for entry in entries:
>                     self.conn.delete_entry(entry)
>         except errors.NotFound:
>             pass
>         except Exception, e:
>             if not force:
>                 raise e
>             elif not err:
>                 err = e
>
> In the access log we see:
>
>
> [09/Jun/2015:08:32:42 -0400] conn=150 op=52 SRCH
> base="cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
> scope=2 filter="(objectClass=*)" attrs=ALL
> [09/Jun/2015:08:32:42 -0400] conn=150 op=52 RESULT err=0 tag=101
> nentries=8 etime=0 notes=U
>
> this was the get_entries, it returns 8 entries
>
> [09/Jun/2015:08:32:42 -0400] conn=150 op=53 DEL
> dn="cn=KDC,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
> [09/Jun/2015:08:32:42 -0400] conn=150 op=53 RESULT err=0 tag=107
> nentries=0 etime=0 csn=5576dceb000600040000
> [09/Jun/2015:08:32:42 -0400] conn=150 op=54 DEL
> dn="cn=KPASSWD,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
> [09/Jun/2015:08:32:42 -0400] conn=150 op=54 RESULT err=0 tag=107
> nentries=0 etime=0 csn=5576dceb000700040000
> [09/Jun/2015:08:32:42 -0400] conn=150 op=55 DEL
> dn="cn=MEMCACHE,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
> [09/Jun/2015:08:32:43 -0400] conn=150 op=55 RESULT err=0 tag=107
> nentries=0 etime=1 csn=5576dcec000100040000
>
> here it stops after deleting three entries, and it should do it in
> reverse order of the dn length, but KDC is deleted before MEMCACHE
> [09/Jun/2015:08:32:43 -0400] conn=150 op=56 UNBIND
>
>
> Are there any ideas what is going on or how to debug it ?
>
Actually, both DNs of KDC and MEMCACHE have the same length.

IPA implements its own DN class, where length is the number of AVA/RDN parts
(mixed in code, but it means 'cn=user' has length 1, and
'cn=user,cn=accounts' has length 2)

    def __len__(self):
        return len(self.rdns)

This reverse sort guarantees the child entries will be removed before the
parent entries.

To debug, printing the entries from IPA code, before sort and after sort,
might help.

Martin^2

>
> On 06/09/2015 05:32 PM, Ludwig Krispenz wrote:
>> Hi Oleg,
>> thanks for access to your machine, the replication agreements are
>> still there - and that is expected since the server was not removed.
>>
>> In the access log I see:
>>
>> [09/Jun/2015:08:32:42 -0400] conn=150 op=52 SRCH
>> base="cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
>> scope=2 filter="(objectClass=*)" attrs=ALL
>> [09/Jun/2015:08:32:42 -0400] conn=150 op=52 RESULT err=0 tag=101
>> nentries=8 etime=0 notes=U
>> [09/Jun/2015:08:32:42 -0400] conn=150 op=53 DEL
>> dn="cn=KDC,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
>> [09/Jun/2015:08:32:42 -0400] conn=150 op=53 RESULT err=0 tag=107
>> nentries=0 etime=0 csn=5576dceb000600040000
>> [09/Jun/2015:08:32:42 -0400] conn=150 op=54 DEL
>> dn="cn=KPASSWD,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
>> [09/Jun/2015:08:32:42 -0400] conn=150 op=54 RESULT err=0 tag=107
>> nentries=0 etime=0 csn=5576dceb000700040000
>> [09/Jun/2015:08:32:42 -0400] conn=150 op=55 DEL
>> dn="cn=MEMCACHE,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
>> [09/Jun/2015:08:32:43 -0400] conn=150 op=55 RESULT err=0 tag=107
>> nentries=0 etime=1 csn=5576dcec000100040000
>> [09/Jun/2015:08:32:43 -0400] conn=150 op=56 UNBIND
>>
>> the search for cn=f22replica1.bagam.net,cn=masters,.... returns 8
>> entries, which then should be deleted, but only 3 are deleted and the
>> cn=f22replica1.bagam.net,cn=masters,... entry is not deleted, so the
>> topology segments are not deleted, and the agreement is not removed.
>>
>> I don't know why ipa-replica-manage del does stop deleting services
>> and the master entry
>>
>>
>>
>> On 06/09/2015 04:25 PM, Oleg Fayans wrote:
>>>
>>>
>>> On 06/09/2015 04:19 PM, Ludwig Krispenz wrote:
>>>>
>>>> On 06/09/2015 04:14 PM, Oleg Fayans wrote:
>>>>>
>>>>>
>>>>> On 06/09/2015 04:04 PM, Ludwig Krispenz wrote:
>>>>>>
>>>>>> On 06/09/2015 03:55 PM, Oleg Fayans wrote:
>>>>>>> Hi everybody,
>>>>>>>
>>>>>>> The current status of Topology plugin testing is as follows:
>>>>>>>
>>>>>>> 1. There is still no proper way of removing the replica.
>>>>>>> Standard procedure using `ipa-replica-manage del` throws "Server
>>>>>>> is unwilling to perform: Entry is managed by topology
>>>>>>> plugin.Deletion not allowed.".
>>>>>> yes, that is for the first attempt to directly remove the
>>>>>> agreement, but when the server is removed the agreements should
>>>>>> be removed
>>>>> We should probably think of a less threatening error message in this
>>>>> case. Just from reading the command output one might conclude that
>>>>> replica removal failed.
>>>>>>> The replication agreement though does get deleted,
>>>>>> then it is ok,
>>>>>>> but the topology information does not get updated.
>>>>>> what do you mean, where do you check ? in the "remaining"
>>>>>> topology the shared tree should be updated, for the removed
>>>>>> replica it will not, but this should be uninstalled anyway
>>>>> The problem here, is that the topology information does not get
>>>>> updated on master as well.
>>>> could you be a bit more precise. what do you still see ? the
>>>> agreement will be only removed if the segment is removed, and this
>>>> should be replicated to all servers in the remaining topology - if
>>>> you don't disconnect it by removing the replica.
>>>> and what was the topology structure and which replica did you
>>>> remove, on which server did you remove it?
>>> So, here are the results of the `topologysegment-find` command
>>> before replica removal:
>>> root at f22master:/var/log/dirsrv/slapd-BAGAM-NET]$ ipa
>>> topologysegment-find
>>> Suffix name: realm
>>> ------------------
>>> 2 segments matched
>>> ------------------
>>> Segment name: f22master.bagam.net-to-f22replica1.bagam.net
>>> Left node: f22master.bagam.net
>>> Right node: f22replica1.bagam.net
>>> Connectivity: both
>>>
>>> Segment name: f22master.bagam.net-to-f22replica2.bagam.net
>>> Left node: f22master.bagam.net
>>> Right node: f22replica2.bagam.net
>>> Connectivity: both
>>> ----------------------------
>>> Number of entries returned 2
>>> ----------------------------
>>> Then, after issuing `ipa-replica-manage-del f2replica1.bagam.net
>>> --force` on the master, the same command on master still shows
>>> exactly the same topology:
>>>
>>> root at f22master:/var/log/dirsrv/slapd-BAGAM-NET]$ ipa
>>> topologysegment-find
>>> Suffix name: realm
>>> ------------------
>>> 2 segments matched
>>> ------------------
>>> Segment name: f22master.bagam.net-to-f22replica1.bagam.net
>>> Left node: f22master.bagam.net
>>> Right node: f22replica1.bagam.net
>>> Connectivity: both
>>>
>>> Segment name: f22master.bagam.net-to-f22replica2.bagam.net
>>> Left node: f22master.bagam.net
>>> Right node: f22replica2.bagam.net
>>> Connectivity: both
>>> ----------------------------
>>> Number of entries returned 2
>>> ----------------------------
>>>
>>>>>>> When I then issue `ipa topologysegment-del`, it fails due to
>>>>>>> "ipa: ERROR: Server is unwilling to perform: Removal of Segment
>>>>>>> disconnects topology.Deletion not allowed."
>>>>>> correct, you can only do it after removal of the server
>>>>> I do not get it. Master still thinks it has the replica, it
>>>>> displays it both in CLI using `ipa topologysegment-find` and in
>>>>> the web-ui.
(although it does not show it using `ipa host-find`, >>>>> which is correct), and there is no way to manually make it change >>>>> it's mind? >>>>>>> >>>>>>> I tried to disable the segment first and then delete it, but >>>>>>> with the segment properly disabled, the attempt to delete it >>>>>>> raised a GSS error: "ipa: ERROR: Kerberos error: Kerberos error: >>>>>>> ('Unspecified GSS failure. Minor code may provide more >>>>>>> information', 851968)/('KDC returned error string: PROCESS_TGS', >>>>>>> -1765328324)/". I am not sure, where to search for corresponding >>>>>>> logs. The session transcript is attached. >>>>>>> >>>>>>> 2. The following is probably unrelated to the topology plugin: >>>>>>> I installed a replica with --setup-ca option. Then, on this >>>>>>> replica tried to prepare another replica: >>>>>>> ------------------------------------------------------------------------------------------------------------------------------------------------- >>>>>>> >>>>>>> root at f22replica2:/home/ofayans/f22]$ ipa-replica-prepare >>>>>>> --ip-address 192.168.122.141 f22replica3.bagam.net >>>>>>> Directory Manager (existing master) password: >>>>>>> >>>>>>> Preparing replica for f22replica3.bagam.net from >>>>>>> f22replica2.bagam.net >>>>>>> Creating SSL certificate for the Directory Server >>>>>>> Certificate issuance failed >>>>>>> ------------------------------------------------------------------------------------------------------------------------------------------------- >>>>>>> >>>>>>> The corresponding line in the dirsrv log: >>>>>>> [09/Jun/2015:09:54:46 -0400] - Entry >>>>>>> "uid=admin,ou=people,o=ipaca" -- attribute "krbExtraData" not >>>>>>> allowed >>>>>>> >>>>>>> >>>>>>> >>>>>> >>>>>> >>>>>> >>>>> >>>>> -- >>>>> Oleg Fayans >>>>> Quality Engineer >>>>> FreeIPA team >>>>> RedHat. >>>>> >>>>> >>>> >>>> >>>> >>> >>> -- >>> Oleg Fayans >>> Quality Engineer >>> FreeIPA team >>> RedHat. 
>>> >>> >> >> >> > > > -- Martin Basti -------------- next part -------------- An HTML attachment was scrubbed... URL: From lkrispen at redhat.com Wed Jun 10 08:51:36 2015 
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Wed, 10 Jun 2015 10:51:36 +0200
Subject: [Freeipa-devel] topology issues
In-Reply-To: <5577F830.8020208@redhat.com>
References: <5576F055.2060603@redhat.com> <5576F26C.7010802@redhat.com> <5576F4D8.80907@redhat.com> <5576F5E6.2030502@redhat.com> <5576F755.7080809@redhat.com> <55770703.8030202@redhat.com> <5577E3A4.90309@redhat.com> <5577F830.8020208@redhat.com>
Message-ID: <5577FA98.9070808@redhat.com>

On 06/10/2015 10:41 AM, Martin Basti wrote:
> On 10/06/15 09:13, Ludwig Krispenz wrote:
>> Hi,
>>
>> there seems to be something going wrong in the code to delete the
>> services.
>>
>> The code is:
>>
>>         # delete master entry with all active services
>>         try:
>>             dn = DN(('cn', replica), ('cn', 'masters'), ('cn', 'ipa'),
>>                     ('cn', 'etc'), self.suffix)
>>             entries = self.conn.get_entries(dn, ldap.SCOPE_SUBTREE)
>>             if entries:
>>                 entries.sort(key=lambda x: len(x.dn), reverse=True)
>>                 for entry in entries:
>>                     self.conn.delete_entry(entry)
>>         except errors.NotFound:
>>             pass
>>         except Exception, e:
>>             if not force:
>>                 raise e
>>             elif not err:
>>                 err = e
>>
>> In the access log we see:
>>
>>
>> [09/Jun/2015:08:32:42 -0400] conn=150 op=52 SRCH
>> base="cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
>> scope=2 filter="(objectClass=*)" attrs=ALL
>> [09/Jun/2015:08:32:42 -0400] conn=150 op=52 RESULT err=0 tag=101
>> nentries=8 etime=0 notes=U
>>
>> this was the get_entries, it returns 8 entries
>>
>> [09/Jun/2015:08:32:42 -0400] conn=150 op=53 DEL
>> dn="cn=KDC,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
>> [09/Jun/2015:08:32:42 -0400] conn=150 op=53 RESULT err=0 tag=107
>> nentries=0 etime=0 csn=5576dceb000600040000
>> [09/Jun/2015:08:32:42 -0400] conn=150 op=54 DEL
>> dn="cn=KPASSWD,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
>> [09/Jun/2015:08:32:42 -0400] conn=150 op=54 RESULT err=0 tag=107
>> nentries=0 etime=0 csn=5576dceb000700040000
>> [09/Jun/2015:08:32:42 -0400] conn=150 op=55 DEL
>> dn="cn=MEMCACHE,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
>> [09/Jun/2015:08:32:43 -0400] conn=150 op=55 RESULT err=0 tag=107
>> nentries=0 etime=1 csn=5576dcec000100040000
>>
>> here it stops after deleting three entries, and it should do it in
>> reverse order of the dn length, but KDC is deleted before MEMCACHE
>> [09/Jun/2015:08:32:43 -0400] conn=150 op=56 UNBIND
>>
>>
>> Are there any ideas what is going on or how to debug it ?
>>
> Actually, both DNs, KDC and MEMCACHE, have the same length.
> IPA implements its own DN class, where length is the number of AVA/RDN
> parts (mixed in code, but it means 'cn=user' has length 1, and
> 'cn=user,cn=accounts' has length 2)
>
>     def __len__(self):
>         return len(self.rdns)
>
> This reverse sort guarantees the child entries will be removed before
> the parent entries.
thanks, then it is ok, but it does not explain why not all services and
the master were deleted.
>
> To debug, maybe printing the entries from IPA code, before sort and after
> sort, might help.
yep, but so far only Oleg reported this, and he's not here today, I haven't
reproduced the issue
>
> Martin^2
>
>>
>> On 06/09/2015 05:32 PM, Ludwig Krispenz wrote:
>>> Hi Oleg,
>>> thanks for access to your machine, the replication agreements are
>>> still there - and that is expected since the server was not removed.
>>> >>> In the access log I see: >>> >>> [09/Jun/2015:08:32:42 -0400] conn=150 op=52 SRCH >>> base="cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net" >>> scope=2 filter="(objectClass=*)" attrs=ALL >>> [09/Jun/2015:08:32:42 -0400] conn=150 op=52 RESULT err=0 tag=101 >>> nentries=8 etime=0 notes=U >>> [09/Jun/2015:08:32:42 -0400] conn=150 op=53 DEL >>> dn="cn=KDC,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net" >>> [09/Jun/2015:08:32:42 -0400] conn=150 op=53 RESULT err=0 tag=107 >>> nentries=0 etime=0 csn=5576dceb000600040000 >>> [09/Jun/2015:08:32:42 -0400] conn=150 op=54 DEL >>> dn="cn=KPASSWD,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net" >>> [09/Jun/2015:08:32:42 -0400] conn=150 op=54 RESULT err=0 tag=107 >>> nentries=0 etime=0 csn=5576dceb000700040000 >>> [09/Jun/2015:08:32:42 -0400] conn=150 op=55 DEL >>> dn="cn=MEMCACHE,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net" >>> [09/Jun/2015:08:32:43 -0400] conn=150 op=55 RESULT err=0 tag=107 >>> nentries=0 etime=1 csn=5576dcec000100040000 >>> [09/Jun/2015:08:32:43 -0400] conn=150 op=56 UNBIND >>> >>> the search for cn=f22replica1.bagam.net,cn=masters,.... returns 8 >>> entries, which then should be deleted, but only 3 ae deleted and the >>> cn=f22replica1.bagam.net,cn=masters,... entry is not deleted, so the >>> topology segments are not deleted, and the agreement is not removed. >>> >>> I don't know why ipa-replica-manage del does stop deleting services >>> and the master entry >>> >>> >>> >>> On 06/09/2015 04:25 PM, Oleg Fayans wrote: >>>> >>>> >>>> On 06/09/2015 04:19 PM, Ludwig Krispenz wrote: >>>>> >>>>> On 06/09/2015 04:14 PM, Oleg Fayans wrote: >>>>>> >>>>>> >>>>>> On 06/09/2015 04:04 PM, Ludwig Krispenz wrote: >>>>>>> >>>>>>> On 06/09/2015 03:55 PM, Oleg Fayans wrote: >>>>>>>> Hi everybody, >>>>>>>> >>>>>>>> The current status of Topology plugin testing is as follows: >>>>>>>> >>>>>>>> 1. 
There is still no proper way of removing the replica. >>>>>>>> Standard procedure using `ipa-replica-manage del` throws >>>>>>>> "Server is unwilling to perform: Entry is managed by topology >>>>>>>> plugin.Deletion not allowed.". >>>>>>> yes, that is for the first attempt to directly remove the >>>>>>> agreement, but when the server is removed the agreements should >>>>>>> be removed >>>>>> We should probably think of less threatening error message in >>>>>> this case. Just from reading the command output one might >>>>>> conclude that replica removal failed. >>>>>>>> The replication agreement though does get deleted, >>>>>>> then it is ok, >>>>>>>> but the topology information does not get updated. >>>>>>> what do you mean, where do you check ? in the "remaining" >>>>>>> topology the shared tree should be updated, for the removed >>>>>>> replica it will not, but this should be uninstalled anyway >>>>>> The problem here, is that the topology information does not get >>>>>> updated on master as well. >>>>> could you be a bit more precise. what do you still see ? the >>>>> agreement will be only removed if the segment is removed, and this >>>>> should be reoplicated to all severs in the remaining topology - if >>>>> you don't disconnect it by removing the replica. >>>>> and what was the topology structure and which replica did you >>>>> remove, on which server did you remove it? 
>>>> So, Here is the results of the `topologysegment-find` command >>>> before replica removal: >>>> root at f22master:/var/log/dirsrv/slapd-BAGAM-NET]$ ipa >>>> topologysegment-find >>>> Suffix name: realm >>>> ------------------ >>>> 2 segments matched >>>> ------------------ >>>> Segment name: f22master.bagam.net-to-f22replica1.bagam.net >>>> Left node: f22master.bagam.net >>>> Right node: f22replica1.bagam.net >>>> Connectivity: both >>>> >>>> Segment name: f22master.bagam.net-to-f22replica2.bagam.net >>>> Left node: f22master.bagam.net >>>> Right node: f22replica2.bagam.net >>>> Connectivity: both >>>> ---------------------------- >>>> Number of entries returned 2 >>>> ---------------------------- >>>> Then, after issuing `ipa-replica-manage-del f2replica1.bagam.net >>>> --force` on the master, the same command on master still shows >>>> exactly the same topology: >>>> >>>> root at f22master:/var/log/dirsrv/slapd-BAGAM-NET]$ ipa >>>> topologysegment-find >>>> Suffix name: realm >>>> ------------------ >>>> 2 segments matched >>>> ------------------ >>>> Segment name: f22master.bagam.net-to-f22replica1.bagam.net >>>> Left node: f22master.bagam.net >>>> Right node: f22replica1.bagam.net >>>> Connectivity: both >>>> >>>> Segment name: f22master.bagam.net-to-f22replica2.bagam.net >>>> Left node: f22master.bagam.net >>>> Right node: f22replica2.bagam.net >>>> Connectivity: both >>>> ---------------------------- >>>> Number of entries returned 2 >>>> ---------------------------- >>>> >>>>>>>> When I then issue `ipa topologysegment-del`, it fails due to >>>>>>>> "ipa: ERROR: Server is unwilling to perform: Removal of Segment >>>>>>>> disconnects topology.Deletion not allowed." >>>>>>> correct, you can only do it after removal of the server >>>>>> I do not get it. Master still thinks it has the replica, it >>>>>> displays it both in CLI using `ipa topologysegment-find` and in >>>>>> the web-ui. 
(although it does not show it using `ipa host-find`, >>>>>> which is correct), and there is no way to manually make it change >>>>>> it's mind? >>>>>>>> >>>>>>>> I tried to disable the segment first and then delete it, but >>>>>>>> with the segment properly disabled, the attempt to delete it >>>>>>>> raised a GSS error: "ipa: ERROR: Kerberos error: Kerberos >>>>>>>> error: ('Unspecified GSS failure. Minor code may provide more >>>>>>>> information', 851968)/('KDC returned error string: >>>>>>>> PROCESS_TGS', -1765328324)/". I am not sure, where to search >>>>>>>> for corresponding logs. The session transcript is attached. >>>>>>>> >>>>>>>> 2. The following is probably unrelated to the topology plugin: >>>>>>>> I installed a replica with --setup-ca option. Then, on this >>>>>>>> replica tried to prepare another replica: >>>>>>>> ------------------------------------------------------------------------------------------------------------------------------------------------- >>>>>>>> >>>>>>>> root at f22replica2:/home/ofayans/f22]$ ipa-replica-prepare >>>>>>>> --ip-address 192.168.122.141 f22replica3.bagam.net >>>>>>>> Directory Manager (existing master) password: >>>>>>>> >>>>>>>> Preparing replica for f22replica3.bagam.net from >>>>>>>> f22replica2.bagam.net >>>>>>>> Creating SSL certificate for the Directory Server >>>>>>>> Certificate issuance failed >>>>>>>> ------------------------------------------------------------------------------------------------------------------------------------------------- >>>>>>>> >>>>>>>> The corresponding line in the dirsrv log: >>>>>>>> [09/Jun/2015:09:54:46 -0400] - Entry >>>>>>>> "uid=admin,ou=people,o=ipaca" -- attribute "krbExtraData" not >>>>>>>> allowed >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>> >>>>>> -- >>>>>> Oleg Fayans >>>>>> Quality Engineer >>>>>> FreeIPA team >>>>>> RedHat. >>>>>> >>>>>> >>>>> >>>>> >>>>> >>>> >>>> -- >>>> Oleg Fayans >>>> Quality Engineer >>>> FreeIPA team >>>> RedHat. 
>>>> >>>> >>> >>> >>> >> >> >> > > > -- > Martin Basti -------------- next part -------------- An HTML attachment was scrubbed... URL: From mkosek at redhat.com Wed Jun 10 10:16:50 2015 
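The DN-length ordering Martin Basti describes and the delete loop Ludwig quotes, modelled as an added example that is not FreeIPA's code: a minimal DN class whose length is its RDN count, an in-memory directory standing in for 389-ds (it rejects deleting a non-leaf entry and can be told to fail on one DN), and the loop with the same try/except-around-the-for structure as the quoted code. The DN parser is a simplification, and the service names other than KDC, KPASSWD and MEMCACHE are constructed.

```python
# Added example, not FreeIPA code: a model of ipapython's DN length semantics
# and of the delete loop quoted in this thread, run against an in-memory
# directory so it works offline. Service names other than KDC, KPASSWD and
# MEMCACHE are constructed; the DN parser is a simplification (no escaping).

class NotAllowedOnNonLeaf(Exception):
    """Stand-in for LDAP notAllowedOnNonLeaf (err=66): entry still has children."""

class InjectedFailure(Exception):
    """Constructed error used to show how the loop reacts to a failing delete."""

class DN:
    """Minimal model of ipapython.dn.DN: len() is the number of RDNs, so
    'cn=user' has length 1 and 'cn=user,cn=accounts' has length 2."""

    def __init__(self, text):
        self.rdns = tuple(rdn.strip() for rdn in text.split(','))

    def __len__(self):
        return len(self.rdns)

    def __str__(self):
        return ','.join(self.rdns)

    def __eq__(self, other):
        return isinstance(other, DN) and self.rdns == other.rdns

    def __hash__(self):
        return hash(self.rdns)

    def is_ancestor_of(self, other):
        """True when other lies below self in the tree (RDN suffix match)."""
        depth = len(other) - len(self)
        return depth > 0 and other.rdns[depth:] == self.rdns

class FakeDirectory:
    """In-memory directory: refuses to delete non-leaf entries as 389-ds
    would, and can be told to fail on one DN to simulate a server error."""

    def __init__(self, dns, fail_on=None):
        self.entries = set(dns)
        self.fail_on = fail_on

    def delete_entry(self, dn):
        if dn == self.fail_on:
            raise InjectedFailure(str(dn))
        if any(dn.is_ancestor_of(e) for e in self.entries):
            raise NotAllowedOnNonLeaf(str(dn))
        self.entries.remove(dn)

def sort_for_deletion(entries):
    """Children first: most RDNs first, the key the IPA code uses. sorted() is
    stable, so equal-length siblings keep the search order, which is why KDC
    may legitimately be deleted before MEMCACHE."""
    return sorted(entries, key=len, reverse=True)

def delete_subtree(directory, entries, force=False):
    """Mirror of the quoted loop: the try/except wraps the whole for loop, so
    the first failing delete ends the loop even with force=True; force only
    decides whether the error is raised now or handed back to the caller."""
    deleted, err = [], None
    try:
        for dn in sort_for_deletion(entries):
            directory.delete_entry(dn)
            deleted.append(dn)
    except Exception as e:
        if not force:
            raise
        err = e
    return deleted, err

MASTER = DN('cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net')
# Constructed: seven services under the master, eight entries in all, matching
# the nentries=8 of the quoted search.
SERVICES = [DN(f'cn={name},{MASTER}')
            for name in ('KDC', 'KPASSWD', 'MEMCACHE', 'HTTP', 'DNS', 'CA', 'OTPD')]
ENTRIES = [MASTER] + SERVICES  # search order: parent first

def delete_unsorted_fails():
    """Deleting the parent before its children is rejected by the server."""
    try:
        FakeDirectory(ENTRIES).delete_entry(MASTER)
        return False
    except NotAllowedOnNonLeaf:
        return True

def delete_sorted():
    """With the reverse-length sort every entry is removed, the master last."""
    directory = FakeDirectory(ENTRIES)
    deleted, err = delete_subtree(directory, ENTRIES)
    return deleted, err, sorted(str(e) for e in directory.entries)

def delete_with_failure():
    """A delete that fails fourth in sort order stops the loop after three
    entries even with force=True, leaving the master entry in place."""
    directory = FakeDirectory(ENTRIES, fail_on=SERVICES[3])
    deleted, err = delete_subtree(directory, ENTRIES, force=True)
    return deleted, err, MASTER in directory.entries
```

Two things the model makes visible: the order KDC, KPASSWD, MEMCACHE is exactly what a stable sort of equal-length siblings produces, so it is not evidence of a sorting problem; and because the `try` encloses the whole `for`, a single failing delete ends the loop regardless of `--force`, leaving the master entry (and with it the segment and agreement) in place. Dumping `sort_for_deletion(entries)` before and after the sort, as Martin suggests, is the quickest way to confirm the ordering on a real run.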
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 10 Jun 2015 12:16:50 +0200
Subject: [Freeipa-devel] Stage users - inconsistent permission names
In-Reply-To: <5577EEF1.7090500@redhat.com>
References: <5577E379.6010604@redhat.com> <5577EEF1.7090500@redhat.com>
Message-ID: <55780E92.6090501@redhat.com>

On 06/10/2015 10:01 AM, David Kupka wrote:
> On 06/10/2015 09:12 AM, Martin Kosek wrote:
>> Hello Thierry/David,
>>
>> I saw the new privileges and permissions for the Staged Users functionality and
>> found a couple of spelling/English issues that I think we should fix before Alpha/GA
>> so that we can just rename them and not care about upgrade changes.
>>
>> Namely:
>>
>> # ipa permission-find stage | grep -i "Permission name"
>> Permission name: System: Add Stage Users by Provisioning and Administrators
>>
>> Should be "System: Add Stage User"
>>
>> Permission should not care who will do it, it is the privilege/role's job.
>>
>> Permission name: System: Delete modify Stage Users by administrators
>>
>> Why are Modify and Delete combined in 1 permission?
>>
>> Should be "System: Modify Stage User" and "System: Remove Stage User"
>>
>> Permission name: System: Preserve an active user to a delete Users
>>
>> Maybe "System: Preserve User"? We do not use "deleted users" but rather
>> "preserved users" anyway
>>
>> Permission name: System: Reactive delete users
>>
>> "System: Undelete User" to reflect the command name.
>>
>> Permission name: System: Read Stage User kerberos principal key and password
>>
>> Rather "System: Read Stage User password" - I do not think we need to call out
>> the principal key explicitly, but this is negotiable.
>>
>> Permission name: System: Read Stage Users by administrators
>>
>> "System: Read Stage Users"
>>
>> Permission name: System: Read/Write delete Users by administrators
>>
>> This needs to be 2 permissions:
>>
>> "System: Read Preserved Users"
>> "System: Modify Preserved Users"
>>
>> Permission name: System: Reset userPassord and kerberos keys of delete users
>> by administrator
>>
>> Rather "System: Reset Preserved User password"
>>
>> Permission name: System: Write Active Users RDN by administrators
>>
>> Rather "System: Modify User RDN"
>>
>> Permission name: System: Write Delete Users RDN by administrators
>>
>> Why is this permission needed, isn't "System: Modify Preserved Users" enough?
>>
> Hello,
> it's probably my fault, I should have paid more attention when reviewing the
> patch set. I created ticket https://fedorahosted.org/freeipa/ticket/5057 and
> can fix it.
>

Great, thanks! Ideally, this should be fixed for Alpha - it should not be that
hard, the names are now already proposed.

From tbordaz at redhat.com Wed Jun 10 10:45:23 2015
From: tbordaz at redhat.com (thierry bordaz)
Date: Wed, 10 Jun 2015 12:45:23 +0200
Subject: [Freeipa-devel] Stage users - inconsistent permission names
In-Reply-To: <55780E92.6090501@redhat.com>
References: <5577E379.6010604@redhat.com> <5577EEF1.7090500@redhat.com> <55780E92.6090501@redhat.com>
Message-ID: <55781543.1040300@redhat.com>

On 06/10/2015 12:16 PM, Martin Kosek wrote:
> On 06/10/2015 10:01 AM, David Kupka wrote:
>> On 06/10/2015 09:12 AM, Martin Kosek wrote:
>>> Hello Thierry/David,
>>>
>>> I saw the new privileges and permissions for the Staged Users functionality and
>>> found a couple of spelling/English issues that I think we should fix before Alpha/GA
>>> so that we can just rename them and not care about upgrade changes.
>>>
>>> Namely:
>>>
>>> # ipa permission-find stage | grep -i "Permission name"
>>> Permission name: System: Add Stage Users by Provisioning and Administrators
>>>
>>> Should be "System: Add Stage User"
>>>
>>> Permission should not care who will do it, it is the privilege/role's job.
>>>
>>> Permission name: System: Delete modify Stage Users by administrators
>>>
>>> Why are Modify and Delete combined in 1 permission?

Hello Martin, David,

Sorry for the delay.
Each permission creates a DS aci. At first, to limit the number of acis, I tried
to group them. So I should rather separate each individual right into a separate
permission (e.g. 'write'/MOD and 'delete'/DEL), is that correct?
I agree it is cleaner and easier to maintain.

>>>
>>> Should be "System: Modify Stage User" and "System: Remove Stage User"
>>>
>>> Permission name: System: Preserve an active user to a delete Users
>>>
>>> Maybe "System: Preserve User"? We do not use "deleted users" but rather
>>> "preserved users" anyway

Yes. Petr Viktorin already warned me to use the proper naming. Deleted users are
better renamed to Preserved users (due to the CLI option).

>>>
>>> Permission name: System: Reactive delete users
>>>
>>> "System: Undelete User" to reflect the command name.
>>>
>>> Permission name: System: Read Stage User kerberos principal key and password
>>>
>>> Rather "System: Read Stage User password" - I do not think we need to call out
>>> the principal key explicitly, but this is negotiable.

That's fine for me. In the initial version of the patch I put 'credentials' but
then switched to the exact attributes.

>>> Permission name: System: Read Stage Users by administrators
>>>
>>> "System: Read Stage Users"
>>>
>>> Permission name: System: Read/Write delete Users by administrators
>>>
>>> This needs to be 2 permissions:
>>>
>>> "System: Read Preserved Users"
>>> "System: Modify Preserved Users"
>>>
>>> Permission name: System: Reset userPassord and kerberos keys of delete users
>>> by administrator
>>>
>>> Rather "System: Reset Preserved User password"
>>>
>>> Permission name: System: Write Active Users RDN by administrators
>>>
>>> Rather "System: Modify User RDN"
>>>
>>> Permission name: System: Write Delete Users RDN by administrators
>>>
>>> Why is this permission needed, isn't "System: Modify Preserved Users" enough?

Absolutely, you are right, this aci is already covered by "Modify Preserved Users".

thanks
thierry

>>>
>> Hello,
>> it's probably my fault, I should have paid more attention when reviewing the
>> patch set. I created ticket https://fedorahosted.org/freeipa/ticket/5057 and
>> can fix it.
>>
> Great, thanks! Ideally, this should be fixed for Alpha - it should not be that
> hard, the names are now already proposed.

From jcholast at redhat.com Wed Jun 10 11:25:19 2015
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 10 Jun 2015 13:25:19 +0200 Subject: [Freeipa-devel] [PATCHES 434, 443, 444] vault: Fix ipa-kra-install Message-ID: <55781E9F.3000002@redhat.com> Hi, the attached patches fix several shortcomings in ipa-kra-install, see commit messages. (Patch 434 was introduced in .) Honza -- Jan Cholasta -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-434.1-vault-Move-vaults-to-cn-vaults-cn-kra.patch Type: text/x-patch Size: 14794 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-443-install-Initialize-API-early-in-server-and-replica-i.patch Type: text/x-patch Size: 19132 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-444-vault-Fix-ipa-kra-install.patch Type: text/x-patch Size: 20033 bytes Desc: not available URL: From mbasti at redhat.com Wed Jun 10 11:44:03 2015 
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 10 Jun 2015 13:44:03 +0200
Subject: [Freeipa-devel] [PATCHES 00012-0013 v7] Profiles and CA ACLs
In-Reply-To: <20150610044020.GO23523@dhcp-40-8.bne.redhat.com>
References: <20150602121127.GU23523@dhcp-40-8.bne.redhat.com> <556DDBD6.70007@redhat.com> <20150603141717.GZ23523@dhcp-40-8.bne.redhat.com> <556F3009.1090503@redhat.com> <20150604065944.GB23523@dhcp-40-8.bne.redhat.com> <55705542.4000002@redhat.com> <20150608013122.GH23523@dhcp-40-8.bne.redhat.com> <55753AE2.5030802@redhat.com> <20150609065805.GL23523@dhcp-40-8.bne.redhat.com> <5576FA44.3000300@redhat.com> <20150610044020.GO23523@dhcp-40-8.bne.redhat.com>
Message-ID: <55782303.7070209@redhat.com>

On 10/06/15 06:40, Fraser Tweedale wrote:
> On Tue, Jun 09, 2015 at 04:37:56PM +0200, Martin Basti wrote:
>> On 09/06/15 08:58, Fraser Tweedale wrote:
>>> On Mon, Jun 08, 2015 at 08:49:06AM +0200, Martin Kosek wrote:
>>>> On 06/08/2015 03:31 AM, Fraser Tweedale wrote:
>>>>> New patches attached. Comments inline.
>>>> Thanks Fraser!
>>>>
>>>> ...
>>>>>> 5)
>>>>>> Missing referint plugin configuration for attribute
>>>>>> 'ipacaaclmembercertprofile'
>>>>>> Please add it into install/updates/25-referint.update (+ other member
>>>>>> attributes if missing)
>>>>>>
>>>>> Added this. There is a comment in 25-referint.update:
>>>>>
>>>>> # pres and eq indexes defined in 20-indices.update must be set
>>>>> # for all the attributes
>>>>>
>>>>> Can you explain what is required here? Is it just to add: I see
>>>>> things for memberUser and memberHost in indices.ldif but nothing for
>>>>> memberService. Do I need to add to indices.ldif:
>>>>>
>>>>> dn: cn=memberProfile,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
>>>>> changetype: add
>>>>> cn: memberProfile
>>>>> ObjectClass: top
>>>>> ObjectClass: nsIndex
>>>>> nsSystemIndex: false
>>>>> nsIndexType: eq
>>>>> nsIndexType: pres
>>>>> nsIndexType: sub
>>>>>
>>>>> , and similarly for memberCa? Sorry I do not know much about LDAP
>>>>> indexing.
>>>> AFAIR, yes. BTW, where does the "sub" index come from? It is quite an expensive
>>>> index to use and I now cannot think of a memberProfile search where you would
>>>> need a substring...
>>>>
>>>> Thanks,
>>>> Martin
>>> Updated patch attached, which adds the indices. (Also rebased).
>>>
>>> There is a commit that seems to indicate that a substring index is
>>> needed, so I have included substring indices in this patchset.
>>> Copied Honza in case he wants to comment.
>>>
>>> commit a10521a1dcf69960d6ce0bf5657180b709c297c0
>>> Author: Jan Cholasta
>>> Date:   Tue Jun 25 13:16:40 2013 +0000
>>>
>>>     Add missing substring indices for attributes managed by the referint plugin.
>>>
>>>     The referint plugin does a substring search on these attributes each time an
>>>     entry is deleted, which causes a noticeable slowdown for large directories if
>>>     the attributes are not indexed.
>>>
>>>     https://fedorahosted.org/freeipa/ticket/3706
>>>
>>> Cheers,
>>> Fraser
>> ACK
>>
>> Please send the upgrade patch ASAP :)
>>
>> --
>> Martin Basti
>>
> Thank you for the ACK \o/
>
> Since the patches have not been pushed, here is an updated patchset
> which adds the upgrade behaviour. There are no changes apart from
> the additions to ipaserver/install/server/upgrade.py.
>
> Cheers,
> Fraser

ACK

--
Martin Basti

From mbasti at redhat.com Wed Jun 10 11:47:03 2015
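A check for the index requirement discussed in the message above (the 25-referint.update comment that pres and eq indexes must exist for every attribute the referint plugin manages, plus the sub index the quoted commit calls for), as an added example that is neither the thread's nor FreeIPA's code. The LDIF sample is constructed from the quoted memberProfile entry plus a deliberately incomplete memberCa entry, and the referint attribute list is given directly as a constructed list rather than parsed from 25-referint.update.

```python
# Added example, not FreeIPA code: verify that every attribute the referint
# plugin manages has the eq/pres/sub indexes discussed in this thread. The
# LDIF sample is constructed from the quoted memberProfile entry plus a
# deliberately incomplete memberCa entry; the referint attribute list is
# given directly (constructed) rather than parsed from 25-referint.update.

REQUIRED_INDEX_TYPES = {'eq', 'pres', 'sub'}

INDICES_LDIF = """\
dn: cn=memberProfile,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
cn: memberProfile
ObjectClass: top
ObjectClass: nsIndex
nsSystemIndex: false
nsIndexType: eq
nsIndexType: pres
nsIndexType: sub

dn: cn=memberCa,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
cn: memberCa
ObjectClass: top
ObjectClass: nsIndex
nsSystemIndex: false
nsIndexType: eq
"""

# Constructed: attributes assumed to be listed for the referint plugin.
REFERINT_ATTRS = ['memberProfile', 'memberCa', 'memberService']


def parse_index_ldif(text):
    """Return {attribute name (lowercased): set of nsIndexType values}.
    Entries are separated by blank lines; LDIF continuation lines and
    base64 values are not handled (the quoted entries use neither)."""
    indexes = {}
    for block in text.strip().split('\n\n'):
        name, types = None, set()
        for line in block.splitlines():
            key, _, value = line.partition(':')
            key, value = key.strip().lower(), value.strip()
            if key == 'cn':
                name = value.lower()
            elif key == 'nsindextype':
                types.add(value.lower())
        if name:
            indexes[name] = types
    return indexes


def missing_indexes(referint_attrs, indexes, required=REQUIRED_INDEX_TYPES):
    """Map each referint-managed attribute to the index types it lacks;
    an attribute with no index entry at all lacks every required type."""
    report = {}
    for attr in referint_attrs:
        lacking = sorted(required - indexes.get(attr.lower(), set()))
        if lacking:
            report[attr] = lacking
    return report
```

Run against the real files, the two inputs would be the index entries from 20-indices.update / indices.ldif and the attribute list from 25-referint.update; an empty report means every referint-managed attribute carries all three index types, and a non-empty one names exactly which entry still needs which nsIndexType values before the referint substring search on delete becomes unindexed.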
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 10 Jun 2015 13:47:03 +0200
Subject: [Freeipa-devel] [PATCH 0264] Server Upgrade: disconnect ldap2 connection before DS restart
Message-ID: <557823B7.3070205@redhat.com>

Without this patch, upgrade may fail when api.Backend.ldap2 was connected before DS restart.

Patch attached.

--
Martin Basti
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0264-Server-Upgrade-disconnect-ldap2-connection-before-DS.patch
Type: text/x-patch
Size: 1146 bytes
Desc: not available
URL:

From jcholast at redhat.com Wed Jun 10 11:50:35 2015
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 10 Jun 2015 13:50:35 +0200 Subject: [Freeipa-devel] [PATCHES 00012-0013 v7] Profiles and CA ACLs In-Reply-To: <55782303.7070209@redhat.com> References: <20150602121127.GU23523@dhcp-40-8.bne.redhat.com> <556DDBD6.70007@redhat.com> <20150603141717.GZ23523@dhcp-40-8.bne.redhat.com> <556F3009.1090503@redhat.com> <20150604065944.GB23523@dhcp-40-8.bne.redhat.com> <55705542.4000002@redhat.com> <20150608013122.GH23523@dhcp-40-8.bne.redhat.com> <55753AE2.5030802@redhat.com> <20150609065805.GL23523@dhcp-40-8.bne.redhat.com> <5576FA44.3000300@redhat.com> <20150610044020.GO23523@dhcp-40-8.bne.redhat.com> <55782303.7070209@redhat.com> Message-ID: <5578248B.3010805@redhat.com> Dne 10.6.2015 v 13:44 Martin Basti napsal(a): > On 10/06/15 06:40, Fraser Tweedale wrote: >> On Tue, Jun 09, 2015 at 04:37:56PM +0200, Martin Basti wrote: >>> On 09/06/15 08:58, Fraser Tweedale wrote: >>>> On Mon, Jun 08, 2015 at 08:49:06AM +0200, Martin Kosek wrote: >>>>> On 06/08/2015 03:31 AM, Fraser Tweedale wrote: >>>>>> New patches attached. Comments inline. >>>>> Thanks Fraser! >>>>> >>>>> ... >>>>>>> 5) >>>>>>> Missing referint plugin configuration for attribute >>>>>>> 'ipacaaclmembercertprofile' >>>>>>> Please add it into install/updates/25-referint.update (+ other >>>>>>> member >>>>>>> attributes if missing) >>>>>>> >>>>>> Added this. There is a comment in 25-referint.update: >>>>>> >>>>>> # pres and eq indexes defined in 20-indices.update must be set >>>>>> # for all the attributes >>>>>> >>>>>> Can you explain what is required here? Is it just to add: I see >>>>>> things for memberUser and memberHost in indices.ldif but nothing for >>>>>> memberService. 
Do I need to add to indices.ldif: >>>>>> >>>>>> dn: cn=memberProfile,cn=index,cn=userRoot,cn=ldbm >>>>>> database,cn=plugins,cn=config >>>>>> changetype: add >>>>>> cn: memberProfile >>>>>> ObjectClass: top >>>>>> ObjectClass: nsIndex >>>>>> nsSystemIndex: false >>>>>> nsIndexType: eq >>>>>> nsIndexType: pres >>>>>> nsIndexType: sub >>>>>> >>>>>> , and similarly for memberCa? Sorry I do not know much about LDAP >>>>>> indexing. >>>>> AFAIR, yes. BTW, where does the "sub" index come from? It is quite >>>>> an expensive >>>>> index to use and I now cannot think of memberProfile search where >>>>> you would >>>>> need a substring... >>>>> >>>>> Thanks, >>>>> Martin >>>> Updated patch attached, which adds the indices. (Also rebased). >>>> >>>> There is a commit that seems to indicate that substring index is >>>> needed, so I have included substring indices in this patchset. >>>> Copied Honza in case he wants to comment. >>>> >>>> commit a10521a1dcf69960d6ce0bf5657180b709c297c0 >>>> Author: Jan Cholasta >>>> Date: Tue Jun 25 13:16:40 2013 +0000 >>>> >>>> Add missing substring indices for attributes managed by the >>>> referint plugin. >>>> >>>> The referint plugin does a substring search on these >>>> attributes each time an >>>> entry is deleted, which causes a noticable slowdown for >>>> large directories if >>>> the attributes are not indexed. >>>> >>>> https://fedorahosted.org/freeipa/ticket/3706 >>>> >>>> Cheers, >>>> Fraser >>> ACK >>> >>> Please send the upgrade patch ASAP :) >>> >>> -- >>> Martin Basti >>> >> Thank you for the ACK \o/ >> >> Since the patches have not been pushed, here is an updated patchset >> which adds the upgrade behaviour. There are no changes apart from >> the additions to ipaserver/install/server/upgrade.py. >> >> Cheers, >> Fraser > ACK NACK, the new OIDs are not registered. BTW all new attribute names should have the "ipa" prefix. Also I would prefer "CertProfile" instead of just "Profile" in certificate profile related names. 
Please rename the attributes as follows:

memberCa -> ipaMemberCa
memberProfile -> ipaMemberCertProfile
caCategory -> ipaCaCategory
profileCategory -> ipaCertProfileCategory

Honza

--
Jan Cholasta

From mkosek at redhat.com Wed Jun 10 11:57:04 2015
From: mkosek at redhat.com (Martin Kosek) Date: Wed, 10 Jun 2015 13:57:04 +0200 Subject: [Freeipa-devel] [PATCHES 00012-0013 v7] Profiles and CA ACLs In-Reply-To: <5578248B.3010805@redhat.com> References: <20150602121127.GU23523@dhcp-40-8.bne.redhat.com> <556DDBD6.70007@redhat.com> <20150603141717.GZ23523@dhcp-40-8.bne.redhat.com> <556F3009.1090503@redhat.com> <20150604065944.GB23523@dhcp-40-8.bne.redhat.com> <55705542.4000002@redhat.com> <20150608013122.GH23523@dhcp-40-8.bne.redhat.com> <55753AE2.5030802@redhat.com> <20150609065805.GL23523@dhcp-40-8.bne.redhat.com> <5576FA44.3000300@redhat.com> <20150610044020.GO23523@dhcp-40-8.bne.redhat.com> <55782303.7070209@redhat.com> <5578248B.3010805@redhat.com> Message-ID: <55782610.5080308@redhat.com> On 06/10/2015 01:50 PM, Jan Cholasta wrote: > Dne 10.6.2015 v 13:44 Martin Basti napsal(a): >> On 10/06/15 06:40, Fraser Tweedale wrote: >>> On Tue, Jun 09, 2015 at 04:37:56PM +0200, Martin Basti wrote: >>>> On 09/06/15 08:58, Fraser Tweedale wrote: >>>>> On Mon, Jun 08, 2015 at 08:49:06AM +0200, Martin Kosek wrote: >>>>>> On 06/08/2015 03:31 AM, Fraser Tweedale wrote: >>>>>>> New patches attached. Comments inline. >>>>>> Thanks Fraser! >>>>>> >>>>>> ... >>>>>>>> 5) >>>>>>>> Missing referint plugin configuration for attribute >>>>>>>> 'ipacaaclmembercertprofile' >>>>>>>> Please add it into install/updates/25-referint.update (+ other >>>>>>>> member >>>>>>>> attributes if missing) >>>>>>>> >>>>>>> Added this. There is a comment in 25-referint.update: >>>>>>> >>>>>>> # pres and eq indexes defined in 20-indices.update must be set >>>>>>> # for all the attributes >>>>>>> >>>>>>> Can you explain what is required here? Is it just to add: I see >>>>>>> things for memberUser and memberHost in indices.ldif but nothing for >>>>>>> memberService. 
Do I need to add to indices.ldif: >>>>>>> >>>>>>> dn: cn=memberProfile,cn=index,cn=userRoot,cn=ldbm >>>>>>> database,cn=plugins,cn=config >>>>>>> changetype: add >>>>>>> cn: memberProfile >>>>>>> ObjectClass: top >>>>>>> ObjectClass: nsIndex >>>>>>> nsSystemIndex: false >>>>>>> nsIndexType: eq >>>>>>> nsIndexType: pres >>>>>>> nsIndexType: sub >>>>>>> >>>>>>> , and similarly for memberCa? Sorry I do not know much about LDAP >>>>>>> indexing. >>>>>> AFAIR, yes. BTW, where does the "sub" index come from? It is quite >>>>>> an expensive >>>>>> index to use and I now cannot think of memberProfile search where >>>>>> you would >>>>>> need a substring... >>>>>> >>>>>> Thanks, >>>>>> Martin >>>>> Updated patch attached, which adds the indices. (Also rebased). >>>>> >>>>> There is a commit that seems to indicate that substring index is >>>>> needed, so I have included substring indices in this patchset. >>>>> Copied Honza in case he wants to comment. >>>>> >>>>> commit a10521a1dcf69960d6ce0bf5657180b709c297c0 >>>>> Author: Jan Cholasta >>>>> Date: Tue Jun 25 13:16:40 2013 +0000 >>>>> >>>>> Add missing substring indices for attributes managed by the >>>>> referint plugin. >>>>> >>>>> The referint plugin does a substring search on these >>>>> attributes each time an >>>>> entry is deleted, which causes a noticable slowdown for >>>>> large directories if >>>>> the attributes are not indexed. >>>>> >>>>> https://fedorahosted.org/freeipa/ticket/3706 >>>>> >>>>> Cheers, >>>>> Fraser >>>> ACK >>>> >>>> Please send the upgrade patch ASAP :) >>>> >>>> -- >>>> Martin Basti >>>> >>> Thank you for the ACK \o/ >>> >>> Since the patches have not been pushed, here is an updated patchset >>> which adds the upgrade behaviour. There are no changes apart from >>> the additions to ipaserver/install/server/upgrade.py. >>> >>> Cheers, >>> Fraser >> ACK > > NACK, the new OIDs are not registered. > > BTW all new attribute names should have the "ipa" prefix. 
Also I would prefer > "CertProfile" instead of just "Profile" in certificate profile related names. > Please rename the attributes as follows: > > memberCa -> ipaMemberCa > memberProfile -> ipaMemberCertProfile > caCategory -> ipaCaCategory > profileCategory -> ipaCertProfileCategory > > Honza > +1. I see that other attributes from this feature use the ipa prefix already: dn: cn=schema attributeTypes: (2.16.840.1.113730.3.8.21.1.1 NAME 'ipaCertProfileStoreIssued' DESC 'Store certificates issued using this profile' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.2' ) objectClasses: (2.16.840.1.113730.3.8.21.2.1 NAME 'ipaCertProfile' SUP top STRUCTURAL MUST ( cn $ description $ ipaCertProfileStoreIssued ) X-ORIGIN 'IPA v4.2' ) Those OIDs should be BTW registered as well, if not already From tbordaz at redhat.com Wed Jun 10 12:13:13 2015 
From: tbordaz at redhat.com (thierry bordaz) Date: Wed, 10 Jun 2015 14:13:13 +0200 Subject: [Freeipa-devel] topology issues In-Reply-To: <5577FA98.9070808@redhat.com> References: <5576F055.2060603@redhat.com> <5576F26C.7010802@redhat.com> <5576F4D8.80907@redhat.com> <5576F5E6.2030502@redhat.com> <5576F755.7080809@redhat.com> <55770703.8030202@redhat.com> <5577E3A4.90309@redhat.com> <5577F830.8020208@redhat.com> <5577FA98.9070808@redhat.com> Message-ID: <557829D9.10901@redhat.com> On 06/10/2015 10:51 AM, Ludwig Krispenz wrote: > > On 06/10/2015 10:41 AM, Martin Basti wrote: >> On 10/06/15 09:13, Ludwig Krispenz wrote: >>> Hi, >>> >>> there seems to be somethin going wrong in the code to delete the >>> services. >>> >>> The code is: >>> >>> # delete master entry with all active services >>> try: >>> dn = DN(('cn', replica), ('cn', 'masters'), ('cn', 'ipa'), >>> ('cn', 'etc'), self.suffix) >>> entries = self.conn.get_entries(dn, ldap.SCOPE_SUBTREE) >>> if entries: >>> entries.sort(key=lambda x: len(x.dn), reverse=True) >>> for entry in entries: >>> self.conn.delete_entry(entry) >>> except errors.NotFound: >>> pass >>> except Exception, e: >>> if not force: >>> raise e >>> elif not err: >>> err = e >>> >>> In the access log we see: >>> >>> >>> [09/Jun/2015:08:32:42 -0400] conn=150 op=52 SRCH >>> base="cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net" >>> scope=2 filter="(objectClass=*)" attrs=ALL >>> [09/Jun/2015:08:32:42 -0400] conn=150 op=52 RESULT err=0 tag=101 >>> nentries=8 etime=0 notes=U >>> >>> this was the get_entries, it returns 8 entries >>> >>> [09/Jun/2015:08:32:42 -0400] conn=150 op=53 DEL >>> dn="cn=KDC,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net" >>> [09/Jun/2015:08:32:42 -0400] conn=150 op=53 RESULT err=0 tag=107 >>> nentries=0 etime=0 csn=5576dceb000600040000 >>> [09/Jun/2015:08:32:42 -0400] conn=150 op=54 DEL >>> dn="cn=KPASSWD,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net" >>> 
[09/Jun/2015:08:32:42 -0400] conn=150 op=54 RESULT err=0 tag=107 >>> nentries=0 etime=0 csn=5576dceb000700040000 >>> [09/Jun/2015:08:32:42 -0400] conn=150 op=55 DEL >>> dn="cn=MEMCACHE,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net" >>> [09/Jun/2015:08:32:43 -0400] conn=150 op=55 RESULT err=0 tag=107 >>> nentries=0 etime=1 csn=5576dcec000100040000 >>> >>> here it stops after deleting three entries, and it should do it in >>> reverse order of the dn length, but KDC is deleted before MEMCACHE Something surprising is that according to the code # delete master entry with all active services try: dn = DN(('cn', replica), ('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), self.suffix) entries = self.conn.get_entries(dn, ldap.SCOPE_SUBTREE) if entries: entries.sort(key=lambda x: len(x.dn), reverse=True) for entry in entries: self.conn.delete_entry(entry) except errors.NotFound: pass except Exception, e: if not force: raise e elif not err: err = e try: entry = *self.conn.get_entry*( DN(('cn', 'ipa'), ('cn', 'etc'), self.suffix), ['aci']) sub = {'suffix': self.suffix, 'fqdn': replica} ... We should see a search on cn=ipa,cn=etc,SUFFIX following the deletion of those entries. But the next op is an UNBIND. Is that the code executed by ipa-replica-manage ? >>> [09/Jun/2015:08:32:43 -0400] conn=150 op=56 UNBIND >>> >>> >>> Are there any ideas what is going on or how to debug it ? >>> >> Actually, the both DNs of KDC and MEMCACHE has the same length. >> IPA implements own DN class, where length is the number of AVA/RDN >> parts (mixed in code, but it means the 'cn=user' has length 1, and >> 'cn=user,cn=accounts' has length 2) >> >> def __len__(self): >> return len(self.rdns) >> >> This reverse sort guarantees the child entries will be removed before >> the parent entries. > thanks, then it is ok, but it does not explain why not all services > and the master were not deleted. 
>> >> To debug, maybe print the entries from IPA code, before sort and >> after sort might help. > yep, but so far only Oleg reprted this, and he's not here today, I > haven't reproduced the issue >> >> Martin^2 >> >>> >>> On 06/09/2015 05:32 PM, Ludwig Krispenz wrote: >>>> Hi Oleg, >>>> thanks for access to your machine, the replication agreements are >>>> still there - and that is expected since the server was not removed. >>>> >>>> In the access log I see: >>>> >>>> [09/Jun/2015:08:32:42 -0400] conn=150 op=52 SRCH >>>> base="cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net" >>>> scope=2 filter="(objectClass=*)" attrs=ALL >>>> [09/Jun/2015:08:32:42 -0400] conn=150 op=52 RESULT err=0 tag=101 >>>> nentries=8 etime=0 notes=U >>>> [09/Jun/2015:08:32:42 -0400] conn=150 op=53 DEL >>>> dn="cn=KDC,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net" >>>> [09/Jun/2015:08:32:42 -0400] conn=150 op=53 RESULT err=0 tag=107 >>>> nentries=0 etime=0 csn=5576dceb000600040000 >>>> [09/Jun/2015:08:32:42 -0400] conn=150 op=54 DEL >>>> dn="cn=KPASSWD,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net" >>>> [09/Jun/2015:08:32:42 -0400] conn=150 op=54 RESULT err=0 tag=107 >>>> nentries=0 etime=0 csn=5576dceb000700040000 >>>> [09/Jun/2015:08:32:42 -0400] conn=150 op=55 DEL >>>> dn="cn=MEMCACHE,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net" >>>> [09/Jun/2015:08:32:43 -0400] conn=150 op=55 RESULT err=0 tag=107 >>>> nentries=0 etime=1 csn=5576dcec000100040000 >>>> [09/Jun/2015:08:32:43 -0400] conn=150 op=56 UNBIND >>>> >>>> the search for cn=f22replica1.bagam.net,cn=masters,.... returns 8 >>>> entries, which then should be deleted, but only 3 ae deleted and the >>>> cn=f22replica1.bagam.net,cn=masters,... entry is not deleted, so >>>> the topology segments are not deleted, and the agreement is not >>>> removed. 
>>>> >>>> I don't know why ipa-replica-manage del does stop deleting services >>>> and the master entry >>>> >>>> >>>> >>>> On 06/09/2015 04:25 PM, Oleg Fayans wrote: >>>>> >>>>> >>>>> On 06/09/2015 04:19 PM, Ludwig Krispenz wrote: >>>>>> >>>>>> On 06/09/2015 04:14 PM, Oleg Fayans wrote: >>>>>>> >>>>>>> >>>>>>> On 06/09/2015 04:04 PM, Ludwig Krispenz wrote: >>>>>>>> >>>>>>>> On 06/09/2015 03:55 PM, Oleg Fayans wrote: >>>>>>>>> Hi everybody, >>>>>>>>> >>>>>>>>> The current status of Topology plugin testing is as follows: >>>>>>>>> >>>>>>>>> 1. There is still no proper way of removing the replica. >>>>>>>>> Standard procedure using `ipa-replica-manage del` throws >>>>>>>>> "Server is unwilling to perform: Entry is managed by topology >>>>>>>>> plugin.Deletion not allowed.". >>>>>>>> yes, that is for the first attempt to directly remove the >>>>>>>> agreement, but when the server is removed the agreements should >>>>>>>> be removed >>>>>>> We should probably think of less threatening error message in >>>>>>> this case. Just from reading the command output one might >>>>>>> conclude that replica removal failed. >>>>>>>>> The replication agreement though does get deleted, >>>>>>>> then it is ok, >>>>>>>>> but the topology information does not get updated. >>>>>>>> what do you mean, where do you check ? in the "remaining" >>>>>>>> topology the shared tree should be updated, for the removed >>>>>>>> replica it will not, but this should be uninstalled anyway >>>>>>> The problem here, is that the topology information does not get >>>>>>> updated on master as well. >>>>>> could you be a bit more precise. what do you still see ? the >>>>>> agreement will be only removed if the segment is removed, and >>>>>> this should be reoplicated to all severs in the remaining >>>>>> topology - if you don't disconnect it by removing the replica. >>>>>> and what was the topology structure and which replica did you >>>>>> remove, on which server did you remove it? 
>>>>> So, Here is the results of the `topologysegment-find` command >>>>> before replica removal: >>>>> root at f22master:/var/log/dirsrv/slapd-BAGAM-NET]$ ipa >>>>> topologysegment-find >>>>> Suffix name: realm >>>>> ------------------ >>>>> 2 segments matched >>>>> ------------------ >>>>> Segment name: f22master.bagam.net-to-f22replica1.bagam.net >>>>> Left node: f22master.bagam.net >>>>> Right node: f22replica1.bagam.net >>>>> Connectivity: both >>>>> >>>>> Segment name: f22master.bagam.net-to-f22replica2.bagam.net >>>>> Left node: f22master.bagam.net >>>>> Right node: f22replica2.bagam.net >>>>> Connectivity: both >>>>> ---------------------------- >>>>> Number of entries returned 2 >>>>> ---------------------------- >>>>> Then, after issuing `ipa-replica-manage-del f2replica1.bagam.net >>>>> --force` on the master, the same command on master still shows >>>>> exactly the same topology: >>>>> >>>>> root at f22master:/var/log/dirsrv/slapd-BAGAM-NET]$ ipa >>>>> topologysegment-find >>>>> Suffix name: realm >>>>> ------------------ >>>>> 2 segments matched >>>>> ------------------ >>>>> Segment name: f22master.bagam.net-to-f22replica1.bagam.net >>>>> Left node: f22master.bagam.net >>>>> Right node: f22replica1.bagam.net >>>>> Connectivity: both >>>>> >>>>> Segment name: f22master.bagam.net-to-f22replica2.bagam.net >>>>> Left node: f22master.bagam.net >>>>> Right node: f22replica2.bagam.net >>>>> Connectivity: both >>>>> ---------------------------- >>>>> Number of entries returned 2 >>>>> ---------------------------- >>>>> >>>>>>>>> When I then issue `ipa topologysegment-del`, it fails due to >>>>>>>>> "ipa: ERROR: Server is unwilling to perform: Removal of >>>>>>>>> Segment disconnects topology.Deletion not allowed." >>>>>>>> correct, you can only do it after removal of the server >>>>>>> I do not get it. Master still thinks it has the replica, it >>>>>>> displays it both in CLI using `ipa topologysegment-find` and in >>>>>>> the web-ui. 
(although it does not show it using `ipa host-find`, >>>>>>> which is correct), and there is no way to manually make it >>>>>>> change it's mind? >>>>>>>>> >>>>>>>>> I tried to disable the segment first and then delete it, but >>>>>>>>> with the segment properly disabled, the attempt to delete it >>>>>>>>> raised a GSS error: "ipa: ERROR: Kerberos error: Kerberos >>>>>>>>> error: ('Unspecified GSS failure. Minor code may provide more >>>>>>>>> information', 851968)/('KDC returned error string: >>>>>>>>> PROCESS_TGS', -1765328324)/". I am not sure, where to search >>>>>>>>> for corresponding logs. The session transcript is attached. >>>>>>>>> >>>>>>>>> 2. The following is probably unrelated to the topology plugin: >>>>>>>>> I installed a replica with --setup-ca option. Then, on this >>>>>>>>> replica tried to prepare another replica: >>>>>>>>> ------------------------------------------------------------------------------------------------------------------------------------------------- >>>>>>>>> >>>>>>>>> root at f22replica2:/home/ofayans/f22]$ ipa-replica-prepare >>>>>>>>> --ip-address 192.168.122.141 f22replica3.bagam.net >>>>>>>>> Directory Manager (existing master) password: >>>>>>>>> >>>>>>>>> Preparing replica for f22replica3.bagam.net from >>>>>>>>> f22replica2.bagam.net >>>>>>>>> Creating SSL certificate for the Directory Server >>>>>>>>> Certificate issuance failed >>>>>>>>> ------------------------------------------------------------------------------------------------------------------------------------------------- >>>>>>>>> >>>>>>>>> The corresponding line in the dirsrv log: >>>>>>>>> [09/Jun/2015:09:54:46 -0400] - Entry >>>>>>>>> "uid=admin,ou=people,o=ipaca" -- attribute "krbExtraData" not >>>>>>>>> allowed >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> >>>>>>> -- >>>>>>> Oleg Fayans >>>>>>> Quality Engineer >>>>>>> FreeIPA team >>>>>>> RedHat. 
>>>>>>> >>>>>>> >>>>>> >>>>>> >>>>>> >>>>> >>>>> -- >>>>> Oleg Fayans >>>>> Quality Engineer >>>>> FreeIPA team >>>>> RedHat. >>>>> >>>>> >>>> >>>> >>>> >>> >>> >>> >> >> >> -- >> Martin Basti > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From dkupka at redhat.com Wed Jun 10 12:14:15 2015 From: dkupka at redhat.com (David Kupka) Date: Wed, 10 Jun 2015 14:14:15 +0200 Subject: [Freeipa-devel] [PATCH 0052] Stage User: Fix permissions naming and split them where, apropriate. Message-ID: <55782A17.4070203@redhat.com> https://fedorahosted.org/freeipa/ticket/5057 -- David Kupka -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-dkupka-0052-Stage-User-Fix-permissions-naming-and-split-them-whe.patch Type: text/x-patch Size: 18375 bytes Desc: not available URL: From pvoborni at redhat.com Wed Jun 10 12:15:00 2015 From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 10 Jun 2015 14:15:00 +0200 Subject: [Freeipa-devel] [PATCH] 866 topology: allow only one node to be specified in, topologysegment-refresh In-Reply-To: <5575CFEB.1050109@redhat.com> References: <5575C960.8030703@redhat.com> <5575CFEB.1050109@redhat.com> Message-ID: <55782A44.8060205@redhat.com> On 06/08/2015 07:24 PM, Tomas Babej wrote: > On 06/08/2015 06:57 PM, Petr Vobornik wrote: >> >> https://fedorahosted.org/freeipa/ticket/4302 >> >> > > ACK. > > Tomas > Pushed to master: 4232c39f6767d27b9f812a15cfc5ee2c5be69d5e -- Petr Vobornik From pvoborni at redhat.com Wed Jun 10 12:16:25 2015 
From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 10 Jun 2015 14:16:25 +0200 Subject: [Freeipa-devel] [PATCH] 867 topology: hide topologysuffix-add del mod commands In-Reply-To: <5575D05B.8060105@redhat.com> References: <5575C962.1070408@redhat.com> <5575D05B.8060105@redhat.com> Message-ID: <55782A99.4000809@redhat.com> On 06/08/2015 07:26 PM, Tomas Babej wrote: > On 06/08/2015 06:57 PM, Petr Vobornik wrote: >> Suffices are created on installation/upgrade. Users should not >> modify them. >> >> https://fedorahosted.org/freeipa/ticket/4302 >> > > ACK > > Tomas > Pushed to master: 2661a860e0049c75088fffe2765d67b051c31c9b -- Petr Vobornik From lkrispen at redhat.com Wed Jun 10 12:19:22 2015 
From: lkrispen at redhat.com (Ludwig Krispenz) Date: Wed, 10 Jun 2015 14:19:22 +0200 Subject: [Freeipa-devel] topology issues In-Reply-To: <557829D9.10901@redhat.com> References: <5576F055.2060603@redhat.com> <5576F26C.7010802@redhat.com> <5576F4D8.80907@redhat.com> <5576F5E6.2030502@redhat.com> <5576F755.7080809@redhat.com> <55770703.8030202@redhat.com> <5577E3A4.90309@redhat.com> <5577F830.8020208@redhat.com> <5577FA98.9070808@redhat.com> <557829D9.10901@redhat.com> Message-ID: <55782B4A.1040903@redhat.com> On 06/10/2015 02:13 PM, thierry bordaz wrote: > On 06/10/2015 10:51 AM, Ludwig Krispenz wrote: >> >> On 06/10/2015 10:41 AM, Martin Basti wrote: >>> On 10/06/15 09:13, Ludwig Krispenz wrote: >>>> Hi, >>>> >>>> there seems to be somethin going wrong in the code to delete the >>>> services. >>>> >>>> The code is: >>>> >>>> # delete master entry with all active services >>>> try: >>>> dn = DN(('cn', replica), ('cn', 'masters'), ('cn', 'ipa'), >>>> ('cn', 'etc'), self.suffix) >>>> entries = self.conn.get_entries(dn, ldap.SCOPE_SUBTREE) >>>> if entries: >>>> entries.sort(key=lambda x: len(x.dn), reverse=True) >>>> for entry in entries: >>>> self.conn.delete_entry(entry) >>>> except errors.NotFound: >>>> pass >>>> except Exception, e: >>>> if not force: >>>> raise e >>>> elif not err: >>>> err = e >>>> >>>> In the access log we see: >>>> >>>> >>>> [09/Jun/2015:08:32:42 -0400] conn=150 op=52 SRCH >>>> base="cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net" >>>> scope=2 filter="(objectClass=*)" attrs=ALL >>>> [09/Jun/2015:08:32:42 -0400] conn=150 op=52 RESULT err=0 tag=101 >>>> nentries=8 etime=0 notes=U >>>> >>>> this was the get_entries, it returns 8 entries >>>> >>>> [09/Jun/2015:08:32:42 -0400] conn=150 op=53 DEL >>>> dn="cn=KDC,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net" >>>> [09/Jun/2015:08:32:42 -0400] conn=150 op=53 RESULT err=0 tag=107 >>>> nentries=0 etime=0 csn=5576dceb000600040000 >>>> [09/Jun/2015:08:32:42 -0400] 
conn=150 op=54 DEL >>>> dn="cn=KPASSWD,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net" >>>> [09/Jun/2015:08:32:42 -0400] conn=150 op=54 RESULT err=0 tag=107 >>>> nentries=0 etime=0 csn=5576dceb000700040000 >>>> [09/Jun/2015:08:32:42 -0400] conn=150 op=55 DEL >>>> dn="cn=MEMCACHE,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net" >>>> [09/Jun/2015:08:32:43 -0400] conn=150 op=55 RESULT err=0 tag=107 >>>> nentries=0 etime=1 csn=5576dcec000100040000 >>>> >>>> here it stops after deleting three entries, and it should do it in >>>> reverse order of the dn length, but KDC is deleted before MEMCACHE > > Something surprising is that according to the code > > # delete master entry with all active services > try: > dn = DN(('cn', replica), ('cn', 'masters'), ('cn', 'ipa'), > ('cn', 'etc'), self.suffix) > entries = self.conn.get_entries(dn, ldap.SCOPE_SUBTREE) > if entries: > entries.sort(key=lambda x: len(x.dn), reverse=True) > for entry in entries: > self.conn.delete_entry(entry) > except errors.NotFound: > pass > except Exception, e: > if not force: > raise e > elif not err: > err = e > > try: > entry = *self.conn.get_entry*( > DN(('cn', 'ipa'), ('cn', 'etc'), self.suffix), > ['aci']) > > sub = {'suffix': self.suffix, 'fqdn': replica} > ... > > We should see a search on cn=ipa,cn=etc,SUFFIX following the deletion > of those entries. > But the next op is an UNBIND. yes, that is strange, maybe we hit an exception and the connection was closed > Is that the code executed by ipa-replica-manage ? I think so, yes. > > >>>> [09/Jun/2015:08:32:43 -0400] conn=150 op=56 UNBIND >>>> >>>> >>>> Are there any ideas what is going on or how to debug it ? >>>> >>> Actually, the both DNs of KDC and MEMCACHE has the same length. 
>>> IPA implements own DN class, where length is the number of AVA/RDN >>> parts (mixed in code, but it means the 'cn=user' has length 1, and >>> 'cn=user,cn=accounts' has length 2) >>> >>> def __len__(self): >>> return len(self.rdns) >>> >>> This reverse sort guarantees the child entries will be removed >>> before the parent entries. >> thanks, then it is ok, but it does not explain why not all services >> and the master were not deleted. >>> >>> To debug, maybe print the entries from IPA code, before sort and >>> after sort might help. >> yep, but so far only Oleg reprted this, and he's not here today, I >> haven't reproduced the issue >>> >>> Martin^2 >>> >>>> >>>> On 06/09/2015 05:32 PM, Ludwig Krispenz wrote: >>>>> Hi Oleg, >>>>> thanks for access to your machine, the replication agreements are >>>>> still there - and that is expected since the server was not removed. >>>>> >>>>> In the access log I see: >>>>> >>>>> [09/Jun/2015:08:32:42 -0400] conn=150 op=52 SRCH >>>>> base="cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net" >>>>> scope=2 filter="(objectClass=*)" attrs=ALL >>>>> [09/Jun/2015:08:32:42 -0400] conn=150 op=52 RESULT err=0 tag=101 >>>>> nentries=8 etime=0 notes=U >>>>> [09/Jun/2015:08:32:42 -0400] conn=150 op=53 DEL >>>>> dn="cn=KDC,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net" >>>>> [09/Jun/2015:08:32:42 -0400] conn=150 op=53 RESULT err=0 tag=107 >>>>> nentries=0 etime=0 csn=5576dceb000600040000 >>>>> [09/Jun/2015:08:32:42 -0400] conn=150 op=54 DEL >>>>> dn="cn=KPASSWD,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net" >>>>> [09/Jun/2015:08:32:42 -0400] conn=150 op=54 RESULT err=0 tag=107 >>>>> nentries=0 etime=0 csn=5576dceb000700040000 >>>>> [09/Jun/2015:08:32:42 -0400] conn=150 op=55 DEL >>>>> dn="cn=MEMCACHE,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net" >>>>> [09/Jun/2015:08:32:43 -0400] conn=150 op=55 RESULT err=0 tag=107 >>>>> nentries=0 etime=1 
csn=5576dcec000100040000 >>>>> [09/Jun/2015:08:32:43 -0400] conn=150 op=56 UNBIND >>>>> >>>>> the search for cn=f22replica1.bagam.net,cn=masters,.... returns 8 >>>>> entries, which then should be deleted, but only 3 ae deleted and the >>>>> cn=f22replica1.bagam.net,cn=masters,... entry is not deleted, so >>>>> the topology segments are not deleted, and the agreement is not >>>>> removed. >>>>> >>>>> I don't know why ipa-replica-manage del does stop deleting >>>>> services and the master entry >>>>> >>>>> >>>>> >>>>> On 06/09/2015 04:25 PM, Oleg Fayans wrote: >>>>>> >>>>>> >>>>>> On 06/09/2015 04:19 PM, Ludwig Krispenz wrote: >>>>>>> >>>>>>> On 06/09/2015 04:14 PM, Oleg Fayans wrote: >>>>>>>> >>>>>>>> >>>>>>>> On 06/09/2015 04:04 PM, Ludwig Krispenz wrote: >>>>>>>>> >>>>>>>>> On 06/09/2015 03:55 PM, Oleg Fayans wrote: >>>>>>>>>> Hi everybody, >>>>>>>>>> >>>>>>>>>> The current status of Topology plugin testing is as follows: >>>>>>>>>> >>>>>>>>>> 1. There is still no proper way of removing the replica. >>>>>>>>>> Standard procedure using `ipa-replica-manage del` throws >>>>>>>>>> "Server is unwilling to perform: Entry is managed by topology >>>>>>>>>> plugin.Deletion not allowed.". >>>>>>>>> yes, that is for the first attempt to directly remove the >>>>>>>>> agreement, but when the server is removed the agreements >>>>>>>>> should be removed >>>>>>>> We should probably think of less threatening error message in >>>>>>>> this case. Just from reading the command output one might >>>>>>>> conclude that replica removal failed. >>>>>>>>>> The replication agreement though does get deleted, >>>>>>>>> then it is ok, >>>>>>>>>> but the topology information does not get updated. >>>>>>>>> what do you mean, where do you check ? 
in the "remaining" >>>>>>>>> topology the shared tree should be updated, for the removed >>>>>>>>> replica it will not, but this should be uninstalled anyway >>>>>>>> The problem here, is that the topology information does not get >>>>>>>> updated on master as well. >>>>>>> could you be a bit more precise. what do you still see ? the >>>>>>> agreement will be only removed if the segment is removed, and >>>>>>> this should be reoplicated to all severs in the remaining >>>>>>> topology - if you don't disconnect it by removing the replica. >>>>>>> and what was the topology structure and which replica did you >>>>>>> remove, on which server did you remove it? >>>>>> So, Here is the results of the `topologysegment-find` command >>>>>> before replica removal: >>>>>> root at f22master:/var/log/dirsrv/slapd-BAGAM-NET]$ ipa >>>>>> topologysegment-find >>>>>> Suffix name: realm >>>>>> ------------------ >>>>>> 2 segments matched >>>>>> ------------------ >>>>>> Segment name: f22master.bagam.net-to-f22replica1.bagam.net >>>>>> Left node: f22master.bagam.net >>>>>> Right node: f22replica1.bagam.net >>>>>> Connectivity: both >>>>>> >>>>>> Segment name: f22master.bagam.net-to-f22replica2.bagam.net >>>>>> Left node: f22master.bagam.net >>>>>> Right node: f22replica2.bagam.net >>>>>> Connectivity: both >>>>>> ---------------------------- >>>>>> Number of entries returned 2 >>>>>> ---------------------------- >>>>>> Then, after issuing `ipa-replica-manage-del f2replica1.bagam.net >>>>>> --force` on the master, the same command on master still shows >>>>>> exactly the same topology: >>>>>> >>>>>> root at f22master:/var/log/dirsrv/slapd-BAGAM-NET]$ ipa >>>>>> topologysegment-find >>>>>> Suffix name: realm >>>>>> ------------------ >>>>>> 2 segments matched >>>>>> ------------------ >>>>>> Segment name: f22master.bagam.net-to-f22replica1.bagam.net >>>>>> Left node: f22master.bagam.net >>>>>> Right node: f22replica1.bagam.net >>>>>> Connectivity: both >>>>>> >>>>>> Segment name: 
f22master.bagam.net-to-f22replica2.bagam.net >>>>>> Left node: f22master.bagam.net >>>>>> Right node: f22replica2.bagam.net >>>>>> Connectivity: both >>>>>> ---------------------------- >>>>>> Number of entries returned 2 >>>>>> ---------------------------- >>>>>> >>>>>>>>>> When I then issue `ipa topologysegment-del`, it fails due to >>>>>>>>>> "ipa: ERROR: Server is unwilling to perform: Removal of >>>>>>>>>> Segment disconnects topology.Deletion not allowed." >>>>>>>>> correct, you can only do it after removal of the server >>>>>>>> I do not get it. Master still thinks it has the replica, it >>>>>>>> displays it both in CLI using `ipa topologysegment-find` and in >>>>>>>> the web-ui. (although it does not show it using `ipa >>>>>>>> host-find`, which is correct), and there is no way to manually >>>>>>>> make it change it's mind? >>>>>>>>>> >>>>>>>>>> I tried to disable the segment first and then delete it, but >>>>>>>>>> with the segment properly disabled, the attempt to delete it >>>>>>>>>> raised a GSS error: "ipa: ERROR: Kerberos error: Kerberos >>>>>>>>>> error: ('Unspecified GSS failure. Minor code may provide >>>>>>>>>> more information', 851968)/('KDC returned error string: >>>>>>>>>> PROCESS_TGS', -1765328324)/". I am not sure, where to search >>>>>>>>>> for corresponding logs. The session transcript is attached. >>>>>>>>>> >>>>>>>>>> 2. The following is probably unrelated to the topology plugin: >>>>>>>>>> I installed a replica with --setup-ca option. 
Then, on this >>>>>>>>>> replica tried to prepare another replica: >>>>>>>>>> ------------------------------------------------------------------------------------------------------------------------------------------------- >>>>>>>>>> >>>>>>>>>> root at f22replica2:/home/ofayans/f22]$ ipa-replica-prepare >>>>>>>>>> --ip-address 192.168.122.141 f22replica3.bagam.net >>>>>>>>>> Directory Manager (existing master) password: >>>>>>>>>> >>>>>>>>>> Preparing replica for f22replica3.bagam.net from >>>>>>>>>> f22replica2.bagam.net >>>>>>>>>> Creating SSL certificate for the Directory Server >>>>>>>>>> Certificate issuance failed >>>>>>>>>> ------------------------------------------------------------------------------------------------------------------------------------------------- >>>>>>>>>> >>>>>>>>>> The corresponding line in the dirsrv log: >>>>>>>>>> [09/Jun/2015:09:54:46 -0400] - Entry >>>>>>>>>> "uid=admin,ou=people,o=ipaca" -- attribute "krbExtraData" not >>>>>>>>>> allowed >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>>> -- >>>>>>>> Oleg Fayans >>>>>>>> Quality Engineer >>>>>>>> FreeIPA team >>>>>>>> RedHat. >>>>>>>> >>>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>> >>>>>> -- >>>>>> Oleg Fayans >>>>>> Quality Engineer >>>>>> FreeIPA team >>>>>> RedHat. >>>>>> >>>>>> >>>>> >>>>> >>>>> >>>> >>>> >>>> >>> >>> >>> -- >>> Martin Basti >> >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: From lkrispen at redhat.com Wed Jun 10 12:26:20 2015 
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Wed, 10 Jun 2015 14:26:20 +0200
Subject: [Freeipa-devel] [PATCH 0011] check-for-existing-and-self-referential-segments
In-Reply-To: <5575ABBB.30208@redhat.com>
References: <556EF8BD.1000906@redhat.com> <1433348418.3020.42.camel@willson.usersys.redhat.com> <5575AB1E.8090407@redhat.com> <5575ABBB.30208@redhat.com>
Message-ID: <55782CEC.8000207@redhat.com>

Hi Petr,

On 06/08/2015 04:50 PM, Ludwig Krispenz wrote:
>
> On 06/08/2015 04:47 PM, Petr Vobornik wrote:
>> On 06/03/2015 06:20 PM, Simo Sorce wrote:
>>> On Wed, 2015-06-03 at 14:53 +0200, Ludwig Krispenz wrote:
>>>> Hi,
>>>>
>>>> this should prevent adding duplicate segments or segments with same
>>>> start and end node
>>>
>>> LGTM!
>>>
>>> Simo.
>>>
>>
>> The self referential check is done only in ipa_topo_pre_add. But it
>> is still possible to create self referential in mod.
>>
>> Interesting thing is if I:
>> - have segment (A, B)
>> - modify it to (A, A) (success)
>> - add (A, B), got: "Server is unwilling to perform: Segment already
>> exists in topology or is self referential. Add rejected."
>> - removal of (A, A): "Server is unwilling to perform: Removal of
>> Segment disconnects topology.Deletion not allowed." note that, there
>> are also: (A, D) and (A, C) segments.
>>
>> ACK if it will be addressed in separate patch.

did you push this patch ?

> yes, it will be.

but it will take more work, if we want to properly allow mods to change connectivity and endpoints, then we would need to check if the mod disconnects the topology, delete existing agreements, check if the new would be a duplicate and create new agmts. There could be some difficult scenarios, like having

A <--> B <--> C <--> D,

if you modify the segment B-C to A-D topology breaks and is then reconnected.

So I think we should reject segment mods affecting endpoints of the segment, at least for alpha, beta ...
> You find interesting scenarios :-) > From pvoborni at redhat.com Wed Jun 10 12:27:44 2015 From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 10 Jun 2015 14:27:44 +0200 Subject: [Freeipa-devel] [PATCH] 868 rename topologysegment_refresh to topologysegment_reinitialize Message-ID: <55782D40.4010606@redhat.com> https://fedorahosted.org/freeipa/ticket/5056 -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0868-rename-topologysegment_refresh-to-topologysegment_re.patch Type: text/x-patch Size: 2318 bytes Desc: not available URL: From pvoborni at redhat.com Wed Jun 10 12:37:21 2015 
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 10 Jun 2015 14:37:21 +0200
Subject: [Freeipa-devel] [PATCH 0011] check-for-existing-and-self-referential-segments
In-Reply-To: <55782CEC.8000207@redhat.com>
References: <556EF8BD.1000906@redhat.com> <1433348418.3020.42.camel@willson.usersys.redhat.com> <5575AB1E.8090407@redhat.com> <5575ABBB.30208@redhat.com> <55782CEC.8000207@redhat.com>
Message-ID: <55782F81.2020507@redhat.com>

On 06/10/2015 02:26 PM, Ludwig Krispenz wrote:
> Hi Petr,
> On 06/08/2015 04:50 PM, Ludwig Krispenz wrote:
>>
>> On 06/08/2015 04:47 PM, Petr Vobornik wrote:
>>> On 06/03/2015 06:20 PM, Simo Sorce wrote:
>>>> On Wed, 2015-06-03 at 14:53 +0200, Ludwig Krispenz wrote:
>>>>> Hi,
>>>>>
>>>>> this should prevent adding duplicate segments or segments with same
>>>>> start and end node
>>>>
>>>> LGTM!
>>>>
>>>> Simo.
>>>>
>>>
>>> The self referential check is done only in ipa_topo_pre_add. But it
>>> is still possible to create self referential in mod.
>>>
>>> Interesting thing is if I:
>>> - have segment (A, B)
>>> - modify it to (A, A) (success)
>>> - add (A, B), got: "Server is unwilling to perform: Segment already
>>>   exists in topology or is self referential. Add rejected."
>>> - removal of (A, A): "Server is unwilling to perform: Removal of
>>>   Segment disconnects topology.Deletion not allowed." note that, there
>>>   are also: (A, D) and (A, C) segments.
>>>
>>> ACK if it will be addressed in separate patch.
> did you push this patch ?

Pushed to master: 777a9500ceba11e6adbd85306f460e8a320504cb

>> yes, it will be.
> but it will take more work, if we want to properly allow mods to change
> connectivity and endpoints, then we would need to check if the mod
> disconnects the topology, delete existing agreements, check if the new
> would be a duplicate and create new agmts. There could be some difficult
> scenarios, like having
>
> A <--> B <--> C <--> D,
>
> if you modify the segment B-C to A-D topology breaks and is then
> reconnected.
>
> So I think we should reject segment mods affecting endpoints of the
> segment, at least for alpha, beta ...
>> You find interesting scenarios :-)
>> I think it's even more proper.

IMHO, this operation should be done by "add" and "del" anyway. So then we
should add "no_update" flag in ipalib and reject it in topology plugin.
I'll adjust the ipalib part.
--
Petr Vobornik

From tbordaz at redhat.com Wed Jun 10 12:42:27 2015
From: tbordaz at redhat.com (thierry bordaz)
Date: Wed, 10 Jun 2015 14:42:27 +0200
Subject: [Freeipa-devel] topology issues
In-Reply-To: <55782B4A.1040903@redhat.com>
References: <5576F055.2060603@redhat.com> <5576F26C.7010802@redhat.com> <5576F4D8.80907@redhat.com> <5576F5E6.2030502@redhat.com> <5576F755.7080809@redhat.com> <55770703.8030202@redhat.com> <5577E3A4.90309@redhat.com> <5577F830.8020208@redhat.com> <5577FA98.9070808@redhat.com> <557829D9.10901@redhat.com> <55782B4A.1040903@redhat.com>
Message-ID: <557830B3.2030706@redhat.com>

On 06/10/2015 02:19 PM, Ludwig Krispenz wrote:
>
> On 06/10/2015 02:13 PM, thierry bordaz wrote:
>> On 06/10/2015 10:51 AM, Ludwig Krispenz wrote:
>>>
>>> On 06/10/2015 10:41 AM, Martin Basti wrote:
>>>> On 10/06/15 09:13, Ludwig Krispenz wrote:
>>>>> Hi,
>>>>>
>>>>> there seems to be something going wrong in the code to delete the
>>>>> services.
>>>>>
>>>>> The code is:
>>>>>
>>>>>         # delete master entry with all active services
>>>>>         try:
>>>>>             dn = DN(('cn', replica), ('cn', 'masters'), ('cn', 'ipa'),
>>>>>                     ('cn', 'etc'), self.suffix)
>>>>>             entries = self.conn.get_entries(dn, ldap.SCOPE_SUBTREE)
>>>>>             if entries:
>>>>>                 entries.sort(key=lambda x: len(x.dn), reverse=True)
>>>>>                 for entry in entries:
>>>>>                     self.conn.delete_entry(entry)
>>>>>         except errors.NotFound:
>>>>>             pass
>>>>>         except Exception, e:
>>>>>             if not force:
>>>>>                 raise e
>>>>>             elif not err:
>>>>>                 err = e
>>>>>
>>>>> In the access log we see:
>>>>>
>>>>> [09/Jun/2015:08:32:42 -0400] conn=150 op=52 SRCH
>>>>> base="cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
>>>>> scope=2 filter="(objectClass=*)" attrs=ALL
>>>>> [09/Jun/2015:08:32:42 -0400] conn=150 op=52 RESULT err=0 tag=101
>>>>> nentries=8 etime=0 notes=U
>>>>>
>>>>> this was the get_entries, it returns 8 entries
>>>>>
>>>>> [09/Jun/2015:08:32:42 -0400] conn=150 op=53 DEL
>>>>> dn="cn=KDC,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
>>>>> [09/Jun/2015:08:32:42 -0400] conn=150 op=53 RESULT err=0 tag=107
>>>>> nentries=0 etime=0 csn=5576dceb000600040000
>>>>> [09/Jun/2015:08:32:42 -0400] conn=150 op=54 DEL
>>>>> dn="cn=KPASSWD,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
>>>>> [09/Jun/2015:08:32:42 -0400] conn=150 op=54 RESULT err=0 tag=107
>>>>> nentries=0 etime=0 csn=5576dceb000700040000
>>>>> [09/Jun/2015:08:32:42 -0400] conn=150 op=55 DEL
>>>>> dn="cn=MEMCACHE,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
>>>>> [09/Jun/2015:08:32:43 -0400] conn=150 op=55 RESULT err=0 tag=107
>>>>> nentries=0 etime=1 csn=5576dcec000100040000
>>>>>
>>>>> here it stops after deleting three entries, and it should do it in
>>>>> reverse order of the dn length, but KDC is deleted before MEMCACHE
>>
>> Something surprising is that according to the code
>>
>>         # delete master entry with all active services
>>         try:
>>             dn = DN(('cn', replica), ('cn', 'masters'), ('cn', 'ipa'),
>>                     ('cn', 'etc'), self.suffix)
>>             entries = self.conn.get_entries(dn, ldap.SCOPE_SUBTREE)
>>             if entries:
>>                 entries.sort(key=lambda x: len(x.dn), reverse=True)
>>                 for entry in entries:
>>                     self.conn.delete_entry(entry)
>>         except errors.NotFound:
>>             pass
>>         except Exception, e:
>>             if not force:
>>                 raise e
>>             elif not err:
>>                 err = e
>>
>>         try:
>>             entry = *self.conn.get_entry*(
>>                 DN(('cn', 'ipa'), ('cn', 'etc'), self.suffix),
>>                 ['aci'])
>>
>>             sub = {'suffix': self.suffix, 'fqdn': replica}
>>             ...
>>
>> We should see a search on cn=ipa,cn=etc,SUFFIX following the deletion
>> of those entries.
>> But the next op is an UNBIND.
> yes, that is strange, maybe we hit an exception and the connection was
> closed

With UNBIND logged, it looks like the closure is triggered by the CLI.
I agree it should be some exception but my understanding is that 'force'
was set. So when it started deleting entries any exception is caught and
we should do the following search.

>> Is that the code executed by ipa-replica-manage ?
> I think so, yes.
>>
>>
>>>>> [09/Jun/2015:08:32:43 -0400] conn=150 op=56 UNBIND
>>>>>
>>>>>
>>>>> Are there any ideas what is going on or how to debug it ?
>>>>>
>>>> Actually, both DNs of KDC and MEMCACHE have the same length.
>>>> IPA implements own DN class, where length is the number of AVA/RDN
>>>> parts (mixed in code, but it means the 'cn=user' has length 1, and
>>>> 'cn=user,cn=accounts' has length 2)
>>>>
>>>>     def __len__(self):
>>>>         return len(self.rdns)
>>>>
>>>> This reverse sort guarantees the child entries will be removed
>>>> before the parent entries.
>>> thanks, then it is ok, but it does not explain why not all services
>>> and the master were not deleted.
>>>>
>>>> To debug, maybe print the entries from IPA code, before sort and
>>>> after sort might help.
>>> yep, but so far only Oleg reported this, and he's not here today, I
>>> haven't reproduced the issue
>>>>
>>>> Martin^2
>>>>
>>>>>
>>>>> On 06/09/2015 05:32 PM, Ludwig Krispenz wrote:
>>>>>> Hi Oleg,
>>>>>> thanks for access to your machine, the replication agreements are
>>>>>> still there - and that is expected since the server was not removed.
>>>>>>
>>>>>> In the access log I see:
>>>>>>
>>>>>> [09/Jun/2015:08:32:42 -0400] conn=150 op=52 SRCH
>>>>>> base="cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
>>>>>> scope=2 filter="(objectClass=*)" attrs=ALL
>>>>>> [09/Jun/2015:08:32:42 -0400] conn=150 op=52 RESULT err=0 tag=101
>>>>>> nentries=8 etime=0 notes=U
>>>>>> [09/Jun/2015:08:32:42 -0400] conn=150 op=53 DEL
>>>>>> dn="cn=KDC,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
>>>>>> [09/Jun/2015:08:32:42 -0400] conn=150 op=53 RESULT err=0 tag=107
>>>>>> nentries=0 etime=0 csn=5576dceb000600040000
>>>>>> [09/Jun/2015:08:32:42 -0400] conn=150 op=54 DEL
>>>>>> dn="cn=KPASSWD,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
>>>>>> [09/Jun/2015:08:32:42 -0400] conn=150 op=54 RESULT err=0 tag=107
>>>>>> nentries=0 etime=0 csn=5576dceb000700040000
>>>>>> [09/Jun/2015:08:32:42 -0400] conn=150 op=55 DEL
>>>>>> dn="cn=MEMCACHE,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
>>>>>> [09/Jun/2015:08:32:43 -0400] conn=150 op=55 RESULT err=0 tag=107
>>>>>> nentries=0 etime=1 csn=5576dcec000100040000
>>>>>> [09/Jun/2015:08:32:43 -0400] conn=150 op=56 UNBIND
>>>>>>
>>>>>> the search for cn=f22replica1.bagam.net,cn=masters,.... returns 8
>>>>>> entries, which then should be deleted, but only 3 are deleted and the
>>>>>> cn=f22replica1.bagam.net,cn=masters,... entry is not deleted, so
>>>>>> the topology segments are not deleted, and the agreement is not
>>>>>> removed.
>>>>>>
>>>>>> I don't know why ipa-replica-manage del does stop deleting
>>>>>> services and the master entry
>>>>>>
>>>>>> On 06/09/2015 04:25 PM, Oleg Fayans wrote:
>>>>>>>
>>>>>>> On 06/09/2015 04:19 PM, Ludwig Krispenz wrote:
>>>>>>>>
>>>>>>>> On 06/09/2015 04:14 PM, Oleg Fayans wrote:
>>>>>>>>>
>>>>>>>>> On 06/09/2015 04:04 PM, Ludwig Krispenz wrote:
>>>>>>>>>>
>>>>>>>>>> On 06/09/2015 03:55 PM, Oleg Fayans wrote:
>>>>>>>>>>> Hi everybody,
>>>>>>>>>>>
>>>>>>>>>>> The current status of Topology plugin testing is as follows:
>>>>>>>>>>>
>>>>>>>>>>> 1. There is still no proper way of removing the replica.
>>>>>>>>>>> Standard procedure using `ipa-replica-manage del` throws
>>>>>>>>>>> "Server is unwilling to perform: Entry is managed by
>>>>>>>>>>> topology plugin.Deletion not allowed.".
>>>>>>>>>> yes, that is for the first attempt to directly remove the
>>>>>>>>>> agreement, but when the server is removed the agreements
>>>>>>>>>> should be removed
>>>>>>>>> We should probably think of less threatening error message in
>>>>>>>>> this case. Just from reading the command output one might
>>>>>>>>> conclude that replica removal failed.
>>>>>>>>>>> The replication agreement though does get deleted,
>>>>>>>>>> then it is ok,
>>>>>>>>>>> but the topology information does not get updated.
>>>>>>>>>> what do you mean, where do you check ? in the "remaining"
>>>>>>>>>> topology the shared tree should be updated, for the removed
>>>>>>>>>> replica it will not, but this should be uninstalled anyway
>>>>>>>>> The problem here, is that the topology information does not
>>>>>>>>> get updated on master as well.
>>>>>>>> could you be a bit more precise. what do you still see ? the
>>>>>>>> agreement will be only removed if the segment is removed, and
>>>>>>>> this should be replicated to all servers in the remaining
>>>>>>>> topology - if you don't disconnect it by removing the replica.
>>>>>>>> and what was the topology structure and which replica did you
>>>>>>>> remove, on which server did you remove it?
>>>>>>> So, here are the results of the `topologysegment-find` command
>>>>>>> before replica removal:
>>>>>>>
>>>>>>> root at f22master:/var/log/dirsrv/slapd-BAGAM-NET]$ ipa topologysegment-find
>>>>>>> Suffix name: realm
>>>>>>> ------------------
>>>>>>> 2 segments matched
>>>>>>> ------------------
>>>>>>>   Segment name: f22master.bagam.net-to-f22replica1.bagam.net
>>>>>>>   Left node: f22master.bagam.net
>>>>>>>   Right node: f22replica1.bagam.net
>>>>>>>   Connectivity: both
>>>>>>>
>>>>>>>   Segment name: f22master.bagam.net-to-f22replica2.bagam.net
>>>>>>>   Left node: f22master.bagam.net
>>>>>>>   Right node: f22replica2.bagam.net
>>>>>>>   Connectivity: both
>>>>>>> ----------------------------
>>>>>>> Number of entries returned 2
>>>>>>> ----------------------------
>>>>>>>
>>>>>>> Then, after issuing `ipa-replica-manage-del f2replica1.bagam.net
>>>>>>> --force` on the master, the same command on master still shows
>>>>>>> exactly the same topology:
>>>>>>>
>>>>>>> root at f22master:/var/log/dirsrv/slapd-BAGAM-NET]$ ipa topologysegment-find
>>>>>>> Suffix name: realm
>>>>>>> ------------------
>>>>>>> 2 segments matched
>>>>>>> ------------------
>>>>>>>   Segment name: f22master.bagam.net-to-f22replica1.bagam.net
>>>>>>>   Left node: f22master.bagam.net
>>>>>>>   Right node: f22replica1.bagam.net
>>>>>>>   Connectivity: both
>>>>>>>
>>>>>>>   Segment name: f22master.bagam.net-to-f22replica2.bagam.net
>>>>>>>   Left node: f22master.bagam.net
>>>>>>>   Right node: f22replica2.bagam.net
>>>>>>>   Connectivity: both
>>>>>>> ----------------------------
>>>>>>> Number of entries returned 2
>>>>>>> ----------------------------
>>>>>>>
>>>>>>>>>>> When I then issue `ipa topologysegment-del`, it fails due to
>>>>>>>>>>> "ipa: ERROR: Server is unwilling to perform: Removal of
>>>>>>>>>>> Segment disconnects topology.Deletion not allowed."
>>>>>>>>>> correct, you can only do it after removal of the server
>>>>>>>>> I do not get it. Master still thinks it has the replica, it
>>>>>>>>> displays it both in CLI using `ipa topologysegment-find` and
>>>>>>>>> in the web-ui. (although it does not show it using `ipa
>>>>>>>>> host-find`, which is correct), and there is no way to manually
>>>>>>>>> make it change its mind?
>>>>>>>>>>>
>>>>>>>>>>> I tried to disable the segment first and then delete it, but
>>>>>>>>>>> with the segment properly disabled, the attempt to delete it
>>>>>>>>>>> raised a GSS error: "ipa: ERROR: Kerberos error: Kerberos
>>>>>>>>>>> error: ('Unspecified GSS failure. Minor code may provide
>>>>>>>>>>> more information', 851968)/('KDC returned error string:
>>>>>>>>>>> PROCESS_TGS', -1765328324)/". I am not sure, where to search
>>>>>>>>>>> for corresponding logs. The session transcript is attached.
>>>>>>>>>>>
>>>>>>>>>>> 2. The following is probably unrelated to the topology plugin:
>>>>>>>>>>> I installed a replica with --setup-ca option. Then, on this
>>>>>>>>>>> replica tried to prepare another replica:
>>>>>>>>>>> ----------------------------------------------------------------
>>>>>>>>>>>
>>>>>>>>>>> root at f22replica2:/home/ofayans/f22]$ ipa-replica-prepare
>>>>>>>>>>> --ip-address 192.168.122.141 f22replica3.bagam.net
>>>>>>>>>>> Directory Manager (existing master) password:
>>>>>>>>>>>
>>>>>>>>>>> Preparing replica for f22replica3.bagam.net from
>>>>>>>>>>> f22replica2.bagam.net
>>>>>>>>>>> Creating SSL certificate for the Directory Server
>>>>>>>>>>> Certificate issuance failed
>>>>>>>>>>> ----------------------------------------------------------------
>>>>>>>>>>>
>>>>>>>>>>> The corresponding line in the dirsrv log:
>>>>>>>>>>> [09/Jun/2015:09:54:46 -0400] - Entry
>>>>>>>>>>> "uid=admin,ou=people,o=ipaca" -- attribute "krbExtraData"
>>>>>>>>>>> not allowed
>>>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Oleg Fayans
>>>>>>>>> Quality Engineer
>>>>>>>>> FreeIPA team
>>>>>>>>> RedHat.
>>>>>>>>>
>>>>>>> --
>>>>>>> Oleg Fayans
>>>>>>> Quality Engineer
>>>>>>> FreeIPA team
>>>>>>> RedHat.
>>>>>>>
>>>> --
>>>> Martin Basti
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

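The delete ordering discussed in the thread above, as an added example that is not FreeIPA's code: a minimal stand-in for the IPA DN class whose len() counts RDNs as Martin describes, the same sort-then-delete control flow as the quoted block, and a hypothetical FakeConn so it runs offline. The sample subtree is constructed from the DNs in the access log plus two made-up entries (cn=SVC-A and a child under it) that give the sort a deeper entry to place; it also shows that, because the one try wraps the whole loop, a failure on one entry ends deletion of the rest even when force only stores the error.

```python
# Added illustration, not FreeIPA code: models the RDN-count DN length and the
# quoted delete loop, with a fake LDAP connection so it runs offline.


class DN:
    """Stand-in for ipapython's DN as described in the thread: len() counts RDNs."""

    def __init__(self, text):
        # Naive split; the DNs used here contain no escaped commas.
        self.rdns = [rdn.strip() for rdn in text.split(",")]

    def __len__(self):
        return len(self.rdns)

    def __str__(self):
        return ",".join(self.rdns)

    def is_under(self, other):
        """True if self is a proper descendant of other."""
        return len(self) > len(other) and self.rdns[-len(other):] == other.rdns


class Entry:
    def __init__(self, dn):
        self.dn = DN(dn)


MASTER = "cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"

# Constructed sample subtree: KDC/KPASSWD/MEMCACHE come from the thread's access
# log; SVC-A and its child are made up to give the sort a deeper entry to place.
SAMPLE_ENTRIES = [
    Entry(MASTER),
    Entry("cn=KDC," + MASTER),
    Entry("cn=KPASSWD," + MASTER),
    Entry("cn=MEMCACHE," + MASTER),
    Entry("cn=SVC-A," + MASTER),
    Entry("cn=child,cn=SVC-A," + MASTER),
]


def delete_order(entries):
    """Order used by the quoted loop: deepest DN first. Python's sort is stable,
    so siblings of equal depth (KDC, KPASSWD, MEMCACHE, ...) keep search order,
    which is why KDC before MEMCACHE is not a bug."""
    ordered = list(entries)
    ordered.sort(key=lambda x: len(x.dn), reverse=True)
    return ordered


def children_before_parents(ordered):
    """Check the invariant the reverse sort is meant to guarantee."""
    for i, entry in enumerate(ordered):
        for later in ordered[i + 1:]:
            if later.dn.is_under(entry.dn):
                return False
    return True


class FakeConn:
    """Hypothetical stand-in for self.conn: records deletes, can fail on one DN."""

    def __init__(self, fail_on=None):
        self.deleted = []
        self.fail_on = fail_on

    def delete_entry(self, entry):
        if str(entry.dn) == self.fail_on:
            raise RuntimeError("simulated server error deleting %s" % entry.dn)
        self.deleted.append(str(entry.dn))


def delete_subtree(conn, entries, force):
    """Same control flow as the quoted block: one try around the whole loop, so
    a failure on one entry ends deletion of the remaining ones. With force the
    error is only stored and the caller moves on to its next step."""
    err = None
    try:
        for entry in delete_order(entries):
            conn.delete_entry(entry)
    except Exception as e:
        if not force:
            raise
        elif not err:
            err = e
    return conn.deleted, err


if __name__ == "__main__":
    for e in delete_order(SAMPLE_ENTRIES):
        print(len(e.dn), e.dn)
    deleted, err = delete_subtree(FakeConn(fail_on="cn=MEMCACHE," + MASTER),
                                  SAMPLE_ENTRIES, force=True)
    print("deleted %d of %d, stored error: %r"
          % (len(deleted), len(SAMPLE_ENTRIES), err))
```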
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 10 Jun 2015 14:51:34 +0200
Subject: [Freeipa-devel] topology issues
In-Reply-To: <557830B3.2030706@redhat.com>
References: <5576F055.2060603@redhat.com> <5576F26C.7010802@redhat.com> <5576F4D8.80907@redhat.com> <5576F5E6.2030502@redhat.com> <5576F755.7080809@redhat.com> <55770703.8030202@redhat.com> <5577E3A4.90309@redhat.com> <5577F830.8020208@redhat.com> <5577FA98.9070808@redhat.com> <557829D9.10901@redhat.com> <55782B4A.1040903@redhat.com> <557830B3.2030706@redhat.com>
Message-ID: <557832D6.1060006@redhat.com>

On 06/10/2015 02:42 PM, thierry bordaz wrote:
> On 06/10/2015 02:19 PM, Ludwig Krispenz wrote:
>>
>> On 06/10/2015 02:13 PM, thierry bordaz wrote:
>>> On 06/10/2015 10:51 AM, Ludwig Krispenz wrote:
>>>>
>>>> On 06/10/2015 10:41 AM, Martin Basti wrote:
>>>>> On 10/06/15 09:13, Ludwig Krispenz wrote:
>>>>>> Hi,
>>>>>>
>>>>>> there seems to be something going wrong in the code to delete the
>>>>>> services.
>>>>>>
>>>>>> The code is:
>>>>>>
>>>>>>         # delete master entry with all active services
>>>>>>         try:
>>>>>>             dn = DN(('cn', replica), ('cn', 'masters'), ('cn', 'ipa'),
>>>>>>                     ('cn', 'etc'), self.suffix)
>>>>>>             entries = self.conn.get_entries(dn, ldap.SCOPE_SUBTREE)
>>>>>>             if entries:
>>>>>>                 entries.sort(key=lambda x: len(x.dn), reverse=True)
>>>>>>                 for entry in entries:
>>>>>>                     self.conn.delete_entry(entry)
>>>>>>         except errors.NotFound:
>>>>>>             pass
>>>>>>         except Exception, e:
>>>>>>             if not force:
>>>>>>                 raise e
>>>>>>             elif not err:
>>>>>>                 err = e
>>>>>>
>>>>>> In the access log we see:
>>>>>>
>>>>>> [09/Jun/2015:08:32:42 -0400] conn=150 op=52 SRCH
>>>>>> base="cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
>>>>>> scope=2 filter="(objectClass=*)" attrs=ALL
>>>>>> [09/Jun/2015:08:32:42 -0400] conn=150 op=52 RESULT err=0 tag=101
>>>>>> nentries=8 etime=0 notes=U
>>>>>>
>>>>>> this was the get_entries, it returns 8 entries
>>>>>>
>>>>>> [09/Jun/2015:08:32:42 -0400] conn=150 op=53 DEL
>>>>>> dn="cn=KDC,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
>>>>>> [09/Jun/2015:08:32:42 -0400] conn=150 op=53 RESULT err=0 tag=107
>>>>>> nentries=0 etime=0 csn=5576dceb000600040000
>>>>>> [09/Jun/2015:08:32:42 -0400] conn=150 op=54 DEL
>>>>>> dn="cn=KPASSWD,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
>>>>>> [09/Jun/2015:08:32:42 -0400] conn=150 op=54 RESULT err=0 tag=107
>>>>>> nentries=0 etime=0 csn=5576dceb000700040000
>>>>>> [09/Jun/2015:08:32:42 -0400] conn=150 op=55 DEL
>>>>>> dn="cn=MEMCACHE,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
>>>>>> [09/Jun/2015:08:32:43 -0400] conn=150 op=55 RESULT err=0 tag=107
>>>>>> nentries=0 etime=1 csn=5576dcec000100040000
>>>>>>
>>>>>> here it stops after deleting three entries, and it should do it in
>>>>>> reverse order of the dn length, but KDC is deleted before MEMCACHE
>>>
>>> Something surprising is that according to the code
>>>
>>>         # delete master entry with all active services
>>>         try:
>>>             dn = DN(('cn', replica), ('cn', 'masters'), ('cn', 'ipa'),
>>>                     ('cn', 'etc'), self.suffix)
>>>             entries = self.conn.get_entries(dn, ldap.SCOPE_SUBTREE)
>>>             if entries:
>>>                 entries.sort(key=lambda x: len(x.dn), reverse=True)
>>>                 for entry in entries:
>>>                     self.conn.delete_entry(entry)
>>>         except errors.NotFound:
>>>             pass
>>>         except Exception, e:
>>>             if not force:
>>>                 raise e
>>>             elif not err:
>>>                 err = e
>>>
>>>         try:
>>>             entry = *self.conn.get_entry*(
>>>                 DN(('cn', 'ipa'), ('cn', 'etc'), self.suffix),
>>>                 ['aci'])
>>>
>>>             sub = {'suffix': self.suffix, 'fqdn': replica}
>>>             ...
>>>
>>> We should see a search on cn=ipa,cn=etc,SUFFIX following the deletion
>>> of those entries.
>>> But the next op is an UNBIND.
>> yes, that is strange, maybe we hit an exception and the connection was
>> closed
> With UNBIND logged, it looks like the closure is triggered by the CLI.
> I agree it should be some exception but my understanding is that 'force'
> was set. So when it started deleting entries any exception is caught and
> we should do the following search.

Btw, the `ipa-replica-manage del` issues should have been handled by new
version of tbabej's patch 329. Given that Tomas is on PTO, I'll update his
patch to handle only 'connect' and 'disconnect' cases and create a new one
for 'del'.

>>> Is that the code executed by ipa-replica-manage ?
>> I think so, yes.
>>>
>>>
>>>>>> [09/Jun/2015:08:32:43 -0400] conn=150 op=56 UNBIND
>>>>>>
>>>>>>
>>>>>> Are there any ideas what is going on or how to debug it ?
>>>>>>
>>>>> Actually, both DNs of KDC and MEMCACHE have the same length.
>>>>> IPA implements own DN class, where length is the number of AVA/RDN
>>>>> parts (mixed in code, but it means the 'cn=user' has length 1, and
>>>>> 'cn=user,cn=accounts' has length 2)
>>>>>
>>>>>     def __len__(self):
>>>>>         return len(self.rdns)
>>>>>
>>>>> This reverse sort guarantees the child entries will be removed
>>>>> before the parent entries.
>>>> thanks, then it is ok, but it does not explain why not all services
>>>> and the master were not deleted.
>>>>>
>>>>> To debug, maybe print the entries from IPA code, before sort and
>>>>> after sort might help.
>>>> yep, but so far only Oleg reported this, and he's not here today, I
>>>> haven't reproduced the issue
>>>>>
>>>>> Martin^2
>>>>>
>>>>>>
>>>>>> On 06/09/2015 05:32 PM, Ludwig Krispenz wrote:
>>>>>>> Hi Oleg,
>>>>>>> thanks for access to your machine, the replication agreements are
>>>>>>> still there - and that is expected since the server was not removed.
>>>>>>>
>>>>>>> In the access log I see:
>>>>>>>
>>>>>>> [09/Jun/2015:08:32:42 -0400] conn=150 op=52 SRCH
>>>>>>> base="cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
>>>>>>> scope=2 filter="(objectClass=*)" attrs=ALL
>>>>>>> [09/Jun/2015:08:32:42 -0400] conn=150 op=52 RESULT err=0 tag=101
>>>>>>> nentries=8 etime=0 notes=U
>>>>>>> [09/Jun/2015:08:32:42 -0400] conn=150 op=53 DEL
>>>>>>> dn="cn=KDC,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
>>>>>>> [09/Jun/2015:08:32:42 -0400] conn=150 op=53 RESULT err=0 tag=107
>>>>>>> nentries=0 etime=0 csn=5576dceb000600040000
>>>>>>> [09/Jun/2015:08:32:42 -0400] conn=150 op=54 DEL
>>>>>>> dn="cn=KPASSWD,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
>>>>>>> [09/Jun/2015:08:32:42 -0400] conn=150 op=54 RESULT err=0 tag=107
>>>>>>> nentries=0 etime=0 csn=5576dceb000700040000
>>>>>>> [09/Jun/2015:08:32:42 -0400] conn=150 op=55 DEL
>>>>>>> dn="cn=MEMCACHE,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
>>>>>>> [09/Jun/2015:08:32:43 -0400] conn=150 op=55 RESULT err=0 tag=107
>>>>>>> nentries=0 etime=1 csn=5576dcec000100040000
>>>>>>> [09/Jun/2015:08:32:43 -0400] conn=150 op=56 UNBIND
>>>>>>>
>>>>>>> the search for cn=f22replica1.bagam.net,cn=masters,.... returns 8
>>>>>>> entries, which then should be deleted, but only 3 are deleted and the
>>>>>>> cn=f22replica1.bagam.net,cn=masters,... entry is not deleted, so
>>>>>>> the topology segments are not deleted, and the agreement is not
>>>>>>> removed.
>>>>>>>
>>>>>>> I don't know why ipa-replica-manage del does stop deleting
>>>>>>> services and the master entry
>>>>>>>
>>>>>>> On 06/09/2015 04:25 PM, Oleg Fayans wrote:
>>>>>>>>
>>>>>>>> On 06/09/2015 04:19 PM, Ludwig Krispenz wrote:
>>>>>>>>>
>>>>>>>>> On 06/09/2015 04:14 PM, Oleg Fayans wrote:
>>>>>>>>>>
>>>>>>>>>> On 06/09/2015 04:04 PM, Ludwig Krispenz wrote:
>>>>>>>>>>>
>>>>>>>>>>> On 06/09/2015 03:55 PM, Oleg Fayans wrote:
>>>>>>>>>>>> Hi everybody,
>>>>>>>>>>>>
>>>>>>>>>>>> The current status of Topology plugin testing is as follows:
>>>>>>>>>>>>
>>>>>>>>>>>> 1. There is still no proper way of removing the replica.
>>>>>>>>>>>> Standard procedure using `ipa-replica-manage del` throws
>>>>>>>>>>>> "Server is unwilling to perform: Entry is managed by
>>>>>>>>>>>> topology plugin.Deletion not allowed.".
>>>>>>>>>>> yes, that is for the first attempt to directly remove the
>>>>>>>>>>> agreement, but when the server is removed the agreements
>>>>>>>>>>> should be removed
>>>>>>>>>> We should probably think of less threatening error message in
>>>>>>>>>> this case. Just from reading the command output one might
>>>>>>>>>> conclude that replica removal failed.
>>>>>>>>>>>> The replication agreement though does get deleted,
>>>>>>>>>>> then it is ok,
>>>>>>>>>>>> but the topology information does not get updated.
>>>>>>>>>>> what do you mean, where do you check ? in the "remaining"
>>>>>>>>>>> topology the shared tree should be updated, for the removed
>>>>>>>>>>> replica it will not, but this should be uninstalled anyway
>>>>>>>>>> The problem here, is that the topology information does not
>>>>>>>>>> get updated on master as well.
>>>>>>>>> could you be a bit more precise. what do you still see ? the
>>>>>>>>> agreement will be only removed if the segment is removed, and
>>>>>>>>> this should be replicated to all servers in the remaining
>>>>>>>>> topology - if you don't disconnect it by removing the replica.
>>>>>>>>> and what was the topology structure and which replica did you
>>>>>>>>> remove, on which server did you remove it?
>>>>>>>> So, here are the results of the `topologysegment-find` command
>>>>>>>> before replica removal:
>>>>>>>>
>>>>>>>> root at f22master:/var/log/dirsrv/slapd-BAGAM-NET]$ ipa topologysegment-find
>>>>>>>> Suffix name: realm
>>>>>>>> ------------------
>>>>>>>> 2 segments matched
>>>>>>>> ------------------
>>>>>>>>   Segment name: f22master.bagam.net-to-f22replica1.bagam.net
>>>>>>>>   Left node: f22master.bagam.net
>>>>>>>>   Right node: f22replica1.bagam.net
>>>>>>>>   Connectivity: both
>>>>>>>>
>>>>>>>>   Segment name: f22master.bagam.net-to-f22replica2.bagam.net
>>>>>>>>   Left node: f22master.bagam.net
>>>>>>>>   Right node: f22replica2.bagam.net
>>>>>>>>   Connectivity: both
>>>>>>>> ----------------------------
>>>>>>>> Number of entries returned 2
>>>>>>>> ----------------------------
>>>>>>>>
>>>>>>>> Then, after issuing `ipa-replica-manage-del f2replica1.bagam.net
>>>>>>>> --force` on the master, the same command on master still shows
>>>>>>>> exactly the same topology:
>>>>>>>>
>>>>>>>> root at f22master:/var/log/dirsrv/slapd-BAGAM-NET]$ ipa topologysegment-find
>>>>>>>> Suffix name: realm
>>>>>>>> ------------------
>>>>>>>> 2 segments matched
>>>>>>>> ------------------
>>>>>>>>   Segment name: f22master.bagam.net-to-f22replica1.bagam.net
>>>>>>>>   Left node: f22master.bagam.net
>>>>>>>>   Right node: f22replica1.bagam.net
>>>>>>>>   Connectivity: both
>>>>>>>>
>>>>>>>>   Segment name: f22master.bagam.net-to-f22replica2.bagam.net
>>>>>>>>   Left node: f22master.bagam.net
>>>>>>>>   Right node: f22replica2.bagam.net
>>>>>>>>   Connectivity: both
>>>>>>>> ----------------------------
>>>>>>>> Number of entries returned 2
>>>>>>>> ----------------------------
>>>>>>>>
>>>>>>>>>>>> When I then issue `ipa topologysegment-del`, it fails due to
>>>>>>>>>>>> "ipa: ERROR: Server is unwilling to perform: Removal of
>>>>>>>>>>>> Segment disconnects topology.Deletion not allowed."
>>>>>>>>>>> correct, you can only do it after removal of the server
>>>>>>>>>> I do not get it. Master still thinks it has the replica, it
>>>>>>>>>> displays it both in CLI using `ipa topologysegment-find` and
>>>>>>>>>> in the web-ui. (although it does not show it using `ipa
>>>>>>>>>> host-find`, which is correct), and there is no way to manually
>>>>>>>>>> make it change its mind?
>>>>>>>>>>>>
>>>>>>>>>>>> I tried to disable the segment first and then delete it, but
>>>>>>>>>>>> with the segment properly disabled, the attempt to delete it
>>>>>>>>>>>> raised a GSS error: "ipa: ERROR: Kerberos error: Kerberos
>>>>>>>>>>>> error: ('Unspecified GSS failure. Minor code may provide
>>>>>>>>>>>> more information', 851968)/('KDC returned error string:
>>>>>>>>>>>> PROCESS_TGS', -1765328324)/". I am not sure, where to search
>>>>>>>>>>>> for corresponding logs. The session transcript is attached.
>>>>>>>>>>>>
>>>>>>>>>>>> 2. The following is probably unrelated to the topology plugin:
>>>>>>>>>>>> I installed a replica with --setup-ca option. Then, on this
>>>>>>>>>>>> replica tried to prepare another replica:
>>>>>>>>>>>> ----------------------------------------------------------------
>>>>>>>>>>>>
>>>>>>>>>>>> root at f22replica2:/home/ofayans/f22]$ ipa-replica-prepare
>>>>>>>>>>>> --ip-address 192.168.122.141 f22replica3.bagam.net
>>>>>>>>>>>> Directory Manager (existing master) password:
>>>>>>>>>>>>
>>>>>>>>>>>> Preparing replica for f22replica3.bagam.net from
>>>>>>>>>>>> f22replica2.bagam.net
>>>>>>>>>>>> Creating SSL certificate for the Directory Server
>>>>>>>>>>>> Certificate issuance failed
>>>>>>>>>>>> ----------------------------------------------------------------
>>>>>>>>>>>>
>>>>>>>>>>>> The corresponding line in the dirsrv log:
>>>>>>>>>>>> [09/Jun/2015:09:54:46 -0400] - Entry
>>>>>>>>>>>> "uid=admin,ou=people,o=ipaca" -- attribute "krbExtraData"
>>>>>>>>>>>> not allowed
>>>>>>>>>>>>
--
Petr Vobornik

From pvoborni at redhat.com Wed Jun 10 13:13:06 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 10 Jun 2015 15:13:06 +0200
Subject: [Freeipa-devel] [PATCH] 869 topology: restrict direction changes
Message-ID: <557837E2.6080007@redhat.com>

topology plugin doesn't properly handle:
- creation of segment with direction 'none' and then upgrade to other direction
- downgrade of direction

These situations are now forbidden in API.

part of: https://fedorahosted.org/freeipa/ticket/4302
--
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0869-topology-restrict-direction-changes.patch
Type: text/x-patch
Size: 7627 bytes
Desc: not available
URL:

From pvoborni at redhat.com Wed Jun 10 13:13:53 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 10 Jun 2015 15:13:53 +0200
Subject: [Freeipa-devel] [PATCH] 870 disallow mod of topology segment nodes
Message-ID: <55783811.4050003@redhat.com>

Mod of segment end will be disallowed in topology plugin.

Reasoning (by Ludwig):
if we want to properly allow mods to change connectivity and endpoints,
then we would need to check if the mod disconnects the topology, delete
existing agreements, check if the new would be a duplicate and create new
agmts. There could be some difficult scenarios, like having

A <--> B <--> C <--> D,

if you modify the segment B-C to A-D topology breaks and is then
reconnected.

part of: https://fedorahosted.org/freeipa/ticket/4302
--
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0870-disallow-mod-of-topology-segment-nodes.patch
Type: text/x-patch
Size: 4200 bytes
Desc: not available
URL:

From pvoborni at redhat.com Wed Jun 10 13:24:38 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 10 Jun 2015 15:24:38 +0200
Subject: [Freeipa-devel] [PATCH] 871 webui: make topology suffices UI readonly
Message-ID: <55783A96.2080609@redhat.com>

Admins should not modify topology suffices. They are created on
install/upgrade.

part of: https://fedorahosted.org/freeipa/ticket/4997
--
Petr Vobornik

From mbasti at redhat.com Wed Jun 10 13:25:18 2015
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 10 Jun 2015 15:25:18 +0200
Subject: [Freeipa-devel] [PATCHES 0233-0234] DNSSEC: forwarders validation
In-Reply-To: <55706E96.8000807@redhat.com>
References: <553A3D88.6080200@redhat.com> <55423032.9080505@redhat.com> <5548BED1.1060806@redhat.com> <554A1539.3040002@redhat.com> <554B0D69.5040008@redhat.com> <554B3C19.9080002@redhat.com> <554B8F01.9010501@redhat.com> <55561ACD.6070306@redhat.com> <5559D191.4070406@redhat.com> <556EF9C4.9020406@redhat.com> <556F19D3.70109@redhat.com> <55706E96.8000807@redhat.com>
Message-ID: <55783ABE.2070305@redhat.com>

On 04/06/15 17:28, Petr Spacek wrote:
> On 3.6.2015 17:14, Martin Basti wrote:
>> On 03/06/15 14:57, Petr Spacek wrote:
>>> On 18.5.2015 13:48, Martin Basti wrote:
>>>> On 15/05/15 18:11, Petr Spacek wrote:
>>>>> On 7.5.2015 18:12, Martin Basti wrote:
>>>>>> On 07/05/15 12:19, Petr Spacek wrote:
>>>>>>> On 7.5.2015 08:59, David Kupka wrote:
>>>>>>>> On 05/06/2015 03:20 PM, Martin Basti wrote:
>>>>>>>>> On 05/05/15 15:00, Martin Basti wrote:
>>>>>>>>>> On 30/04/15 15:37, David Kupka wrote:
>>>>>>>>>>> On 04/24/2015 02:56 PM, Martin Basti wrote:
>>>>>>>>>>>> Patches attached.
>>>>>>>>>>>>
>>>>>>>>>>> Hi,
>>>>>>>>>>> thanks for patches.
>>>>>>>>>>>
>>>>>>>>>>> 1. You changed message in DNSServerNotRespondingWarning class but not
>>>>>>>>>>> the test in ipatest/test_xmlrpc/test_dns_plugin.py
>>>>>>>>>>>
>>>>>>>>>>> nitpick. Please spell 'edns' correctly. I've seen several instances
>>>>>>>>>>> of 'ends'.
>>>>>>>>>>>
>>>>>>>>>> Thank you,
>>>>>>>>>>
>>>>>>>>>> updated patches attached:
>>>>>>>>>> * new error messages
>>>>>>>>>> * logging to debug log server output if exception was raised
>>>>>>>>>> * fixed test
>>>>>>>>>> * fixed spelling
>>>>>>>>>>
>>>>>>>>> Fixed tests (again)
>>>>>>>>>
>>>>>>>>> Updated patches attached
>>>>>>>>>
>>>>>>>> The code looks good to me and tests are no longer broken. (I would prefer
>>>>>>>> better fix of the tests but given that the priorities are different now
>>>>>>>> it can wait.)
>>>>>>>>
>>>>>>>> Petr, can you please confirm that the patch set works for you?
>>>>>>> Sorry, NACK:
>>>>>>>
>>>>>>> $ ipa dnsforwardzone-add ptr.test. --forwarder=10.34.47.236
>>>>>>> Server will check DNS forwarder(s).
>>>>>>> This may take some time, please wait ...
>>>>>>> ipa: ERROR: an internal error has occurred
>>>>>>>
>>>>>>> # /var/log/httpd/error_log
>>>>>>> ipa: ERROR: non-public: AssertionError:
>>>>>>> Traceback (most recent call last):
>>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 350, in wsgi_execute
>>>>>>>     result = self.Command[name](*args, **options)
>>>>>>>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 443, in __call__
>>>>>>>     ret = self.run(*args, **options)
>>>>>>>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 760, in run
>>>>>>>     return self.execute(*args, **options)
>>>>>>>   File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line 4444, in execute
>>>>>>>     **options)
>>>>>>>   File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line 4405, in _warning_if_forwarders_do_not_work
>>>>>>>     log=self.log)
>>>>>>>   File "/usr/lib/python2.7/site-packages/ipalib/util.py", line 715, in validate_dnssec_zone_forwarder_step2
>>>>>>>     timeout=timeout)
>>>>>>>   File "/usr/lib/python2.7/site-packages/ipalib/util.py", line 610, in _resolve_record
>>>>>>>     assert isinstance(nameserver_ip, basestring)
>>>>>>> AssertionError
>>>>>>> ipa: INFO: [jsonserver_session] admin at IPA.EXAMPLE: dnsforwardzone_add(<DNS name ptr.test.>, idnsforwarders=(u'10.34.47.236',), all=False, raw=False, version=u'2.116'): AssertionError
>>>>>>>
>>>>>>> This is constantly reproducible in my vm-090.abc. Let me know if you
>>>>>>> want to take a look.
>>>>>>>
>>>>>>> I'm attaching little response.patch which improves compatibility with older
>>>>>>> python-dns packages. This patch allows IPA to work while error messages are
>>>>>>> simply not as nice as they could be with latest python-dns :-)
>>>>>>>
>>>>>>> check_fwd_msg.patch is a little nitpick, just to make sure everyone
>>>>>>> understands the message.
>>>>>>>
>>>>>>> BTW why some messages in check_forwarders() are printed using 'print' and
>>>>>>> others using logger? I would prefer to use logger for everything to make
>>>>>>> sure that logs contain all the information, including warnings.
>>>>>>>
>>>>>>> Thank you for your time!
>>>>>>>
>>>>>> Thank you, fixed.
>>>>>>
>>>>>> I added missing except block after forwarders validation step2.
>>>>> I confirm that this works but I just discovered another deficiency.
>>>>>
>>>>> Setup:
>>>>> - DNSSEC validation is enabled on IPA server
>>>>> - forwarders uses fake TLD, e.g. 'test.'
>>>>> - remote DNS server is responding, supports EDNS0 and so on
>>>>>
>>>>> $ ipa dnsforwardzone-add ptr.test. --forwarder=10.34.47.236
>>>>> Server will check DNS forwarder(s).
>>>>> This may take some time, please wait ...
>>>>> ipa: WARNING: DNS server 10.34.78.90: query 'ptr.test. SOA': The DNS query
>>>>> name does not exist: ptr.test..
>>>>>
>>>>> Huh? Let's check named log:
>>>>> forward zone 'ptr.test': loaded
>>>>> validating ./SOA: got insecure response; parent indicates it should be
>>>>> secure
>>>>>
>>>>> Sometimes I get SERVFAIL from IPA server, too.
>>>>>
>>>>> Unfortunately this check was the main reason for writing this patchset so we
>>>>> need to improve it.
>>>>>
>>>>> Maybe validate_dnssec_zone_forwarder_step2() could special-case NXDOMAIN and
>>>>> print the DNSSEC-validation-failed error, too? The problem is that it could
>>>>> trigger some false positives because NXDOMAIN may simply be caused by a delay
>>>>> somewhere.
>>>>>
>>>>> Any ideas?
>>>> I add catch block for NXDOMAIN
>>>>> By the way, this is also weird:
>>>>>
>>>>> $ ipa dnsforwardzone-add ptr.test. --forwarder=10.34.47.236
>>>>> Server will check DNS forwarder(s).
>>>>> This may take some time, please wait ...
>>>>> ipa: ERROR: DNS forward zone with name "ptr.test." already exists
>>>>>
>>>>> Is it actually doing the check even if the forward zone exists already? (This
>>>>> is just nitpick, not a blocker!)
>>>>>
>>>> The first part is written by IPA client, it is not response from server.
>>>> It is just written when user use --forwarder option.
>>>>
>>>> Updated patch attached.
>>> NACK, it does not work for me - it explodes when I try to add a forward zone:
>>>
>>> $ ipa dnsforwardzone-add ptr.test. --forwarder=192.0.2.1
>>>
>>> ipa: ERROR: non-public: TypeError: _warning_if_forwarders_do_not_work() got
>>> multiple values for keyword argument 'new_zone'
>>> Traceback (most recent call last):
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 350, in wsgi_execute
>>>     result = self.Command[name](*args, **options)
>>>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 443, in __call__
>>>     ret = self.run(*args, **options)
>>>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 760, in run
>>>     return self.execute(*args, **options)
>>>   File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line 4461, in execute
>>>     result, new_zone=True, *keys, **options)
>>> TypeError: _warning_if_forwarders_do_not_work() got multiple values for
>>> keyword argument 'new_zone'
>>> ipa: INFO: [jsonserver_session] admin at IPA.EXAMPLE: dnsforwardzone_add(<DNS name ptr.test.>, idnsforwarders=(u'192.0.2.1',), all=False, raw=False, version=u'2.123'): TypeError
>>>
>> updated patch attached.
> Attached patch fixes the case where one domain is shadowed by another domain.
>
> ACK for your patches, please review my patch :-)
>
Patches 233-244 can be pushed.
-- Martin Basti From pvoborni at redhat.com Wed Jun 10 13:25:23 2015 From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 10 Jun 2015 15:25:23 +0200 Subject: [Freeipa-devel] [PATCH] 871 webui: make topology suffices UI readonly In-Reply-To: <55783A96.2080609@redhat.com> References: <55783A96.2080609@redhat.com> Message-ID: <55783AC3.5010005@redhat.com> On 06/10/2015 03:24 PM, Petr Vobornik wrote: > Admins should not modify topology suffices. They are created on > install/upgrade. > > part of: https://fedorahosted.org/freeipa/ticket/4997 and with patch... -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0871-webui-make-topology-suffices-UI-readonly.patch Type: text/x-patch Size: 1707 bytes Desc: not available URL: From dkupka at redhat.com Wed Jun 10 13:49:42 2015 
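The DNSSEC forwarders thread above turns on one question: when the forwarder check gets NXDOMAIN or SERVFAIL back, is the forwarder broken, did something strip EDNS0, or did DNSSEC validation fail? The following is an added example, not code from the thread or from FreeIPA's ipalib.util; it builds the EDNS0 SOA query in plain Python wire format, classifies a reply the way a check like validate_dnssec_zone_forwarder_step2() has to, and goes one step beyond the thread by re-querying with the CD (checking disabled) bit from RFC 4035: an error that disappears when validation is switched off points at a validation failure rather than a genuinely missing name. The replies it classifies are constructed in the block, not captured traffic, and the name ptr.test. is taken from the thread.

```python
import struct

QTYPE_SOA = 6
RRTYPE_OPT = 41
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}


def encode_name(name):
    """Encode a dotted name such as "ptr.test." in uncompressed DNS wire format."""
    out = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                   for lbl in name.rstrip(".").split(".") if lbl)
    return out + b"\x00"


def build_query(name, qid=0x1234, qtype=QTYPE_SOA, edns=True, do=True, cd=False):
    """Recursive query; with edns=True an OPT RR carrying the DO bit is appended."""
    flags = 0x0100 | (0x0010 if cd else 0)            # RD, plus CD when asked for
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1 if edns else 0)
    msg = header + encode_name(name) + struct.pack("!HH", qtype, 1)
    if edns:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags
        msg += b"\x00" + struct.pack("!HHIH", RRTYPE_OPT, 4096, 0x8000 if do else 0, 0)
    return msg


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def _rr_types(msg, off, count):
    """Walk `count` resource records starting at `off`; return their types and the next offset."""
    types = []
    for _ in range(count):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return types, off


def classify_response(resp, qid):
    """Classify one forwarder reply to our EDNS0 SOA query (None means it timed out)."""
    if resp is None:
        return "no-response"
    if len(resp) < 12:
        return "malformed"
    rid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != qid or not flags & 0x8000:             # wrong ID or QR bit not set
        return "not-our-answer"
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4              # question: name + QTYPE + QCLASS
    _, off = _rr_types(resp, off, an + ns)           # skip answer and authority sections
    additional, _ = _rr_types(resp, off, ar)
    if RRTYPE_OPT not in additional:
        return "no-edns"     # the forwarder (or a middlebox) dropped EDNS0; DNSSEC cannot work
    rcode = flags & 0x000F
    return RCODE_NAMES.get(rcode, "RCODE%d" % rcode)


def diagnose(resp_do, resp_cd, qid=0x1234):
    """Combine the DO=1 reply with a CD=1 reply: an error that goes away with CD=1
    is a DNSSEC validation failure, not a missing name (this heuristic is the
    example's addition, not the thread's)."""
    strict = classify_response(resp_do, qid)
    relaxed = classify_response(resp_cd, qid)
    if strict in ("SERVFAIL", "NXDOMAIN") and relaxed == "NOERROR":
        return "validation-failure"
    return strict


def build_response(query, rcode, edns=True):
    """Constructed forwarder reply echoing the query's question (test fixture, not real traffic)."""
    qid, qflags = struct.unpack("!HH", query[:4])
    question = query[12:_skip_name(query, 12) + 4]
    flags = 0x8000 | (qflags & 0x0110) | 0x0080 | rcode   # QR, copied RD/CD, RA, RCODE
    answer, ancount = b"", 0
    if rcode == 0:
        rdata = (encode_name("ns.test.") + encode_name("hostmaster.test.")
                 + struct.pack("!IIIII", 2015061001, 3600, 600, 86400, 60))
        # owner name is a compression pointer back to the question name at offset 12
        answer = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_SOA, 1, 3600, len(rdata)) + rdata
        ancount = 1
    opt = b"\x00" + struct.pack("!HHIH", RRTYPE_OPT, 4096, 0x8000, 0) if edns else b""
    header = struct.pack("!HHHHHH", qid, flags, 1, ancount, 0, 1 if edns else 0)
    return header + question + answer + opt


if __name__ == "__main__":
    q_do = build_query("ptr.test.")
    q_cd = build_query("ptr.test.", cd=True)
    print("timeout     :", classify_response(None, 0x1234))
    print("plain DNS   :", classify_response(build_response(q_do, 2, edns=False), 0x1234))
    print("servfail+cd :", diagnose(build_response(q_do, 2), build_response(q_cd, 0)))
```

In a real check the two replies come from sending `build_query(...)` and `build_query(..., cd=True)` to the forwarder over UDP with a timeout; only the classification is shown here, because that is the part the thread is arguing about.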
From: dkupka at redhat.com (David Kupka)
Date: Wed, 10 Jun 2015 15:49:42 +0200
Subject: [Freeipa-devel] [PATCH] 0005 User life cycle: del/mod/find/show stageuser commands
In-Reply-To: <555C5348.2030202@redhat.com>
References: <552F964E.2060304@redhat.com> <553F437D.5080103@redhat.com> <553F44B7.6040100@redhat.com> <553F476E.8080502@redhat.com> <553F9BCE.6010000@redhat.com> <554869C3.2040509@redhat.com> <5551EF3E.1060503@redhat.com> <555216B9.1070106@redhat.com> <205373726.22060212.1431701099532.JavaMail.zimbra@redhat.com> <5559A3DD.7030002@redhat.com> <555C5348.2030202@redhat.com>
Message-ID: <55784076.4030007@redhat.com>

Dne 20.5.2015 v 11:26 Jan Cholasta napsal(a):
> Dne 18.5.2015 v 10:33 thierry bordaz napsal(a):
>> On 05/15/2015 04:44 PM, David Kupka wrote:
>>> Hello Thierry,
>>> thanks for the patch set. Overall functionality of the ULC feature looks good to
>>> me and is definitely "alpha ready".
>>>
>>> I found the following issues but don't insist on fixing them right now:
>>>
>>> 1) When stageuser-activate fails due to an already existing active/deleted user,
>>> the DN is shown instead of the user name that's used in other commands (user-add,
>>> stageuser-add).
>>> $ ipa user-add tuser --first Test --last User
>>> $ ipa stageuser-add tuser --first Test --last User
>>> $ ipa stageuser-activate tuser
>>> ipa: ERROR: Active user uid=tuser,cn=users,cn=accounts,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com already exists
>>
>> Hi David, Jan,
>>
>> Thank you so much for all those tests and feedback. I agree, some minor
>> bugs can be fixed separately from these main patches.
>>
>> You are right, it should return the user ID not the DN.
>>
>>> 2) According to the design there should be '--only-delete' and '--also-delete'
>>> options for the user-find command; instead there is a '--preserved' option.
>>> Honza proposed adding a virtual boolean attribute 'deleted' to the user entry and
>>> filtering on it.
>>> The 'deleted' attribute would be useful also in user-show where there is no way to
>>> tell if the displayed user is active or deleted. (Except running with --all
>>> and looking at the dn).
>>
>> Yes, a bit late to resync the design.
>> The final option is 'preserved' for user-find and 'preserve' for
>> user-del. '--only-delete' or '--also-delete' are old names that I need to
>> replace in the design.
>>
>> About the 'deleted' attribute, do you think of adding a DS CoS virtual
>> attribute?
>
> See the attached patch.
>
>>> 3) uidNumber and gidNumber can't be set back to '-1' once set to another
>>> value.
>>> This would be useful when an admin changes their mind and wants IPA to
>>> assign them.
>>> IIUC, there should be no validation in the cn=staged user container. All
>>> validation should be done during stageuser-activate.
>>
>> Yes, that comes from the user plugin that enforces the number to be >0.
>> That is a good point, giving the ability to reset uidNumber/gidNumber.
>> I will check if it is possible, how (give a value or an option to
>> reset), and also if it would not create other issues.
>>>
>>> 4) Support for the deleted -> stage workflow is still missing. But I'm
>>> unsure if we agreed to finish it now or later.
>>
>> Yes, thanks
>>>
>>> 5) Deleting a user twice with '--preserve' deletes him permanently.
>>> $ ipa user-add tuser --first Test --last User
>>> $ ipa user-del tuser --preserve
>>> $ ipa user-del tuser --preserve
>>> $ ipa user-find --preserved
>>> ------------------------
>>> 0 (delete) users matched
>>> ------------------------
>>> ----------------------------
>>> Number of entries returned 0
>>> ----------------------------
>>
>> Deleting a deleted (preserved) entry should permanently remove the
>> entry.
>> Now if the second time the preserve option is present, it makes sense to
>> not delete it.
>
> BTW: I might be stating the obvious here, but it would be better to use
> one boolean parameter rather than two mutually exclusive flags in user-del.
>
>>
>> thanks
>> thierry
>

Overall LGTM, just 2 nitpicks:

1) preserved attribute label: 'Preserved deleted user' -> 'Preserved user'

2) the 'preserved' attribute should be shown in user-{find,show} when '--all' is specified

Updated patch attached.

-- 
David Kupka
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-427.1-User-life-cycle-provide-preserved-user-virtual-attri.patch
Type: text/x-patch
Size: 7917 bytes
Desc: not available
URL: 

From mbasti at redhat.com Wed Jun 10 13:50:22 2015
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 10 Jun 2015 15:50:22 +0200
Subject: [Freeipa-devel] [PATCHES 00012-0013 v7] Profiles and CA ACLs
In-Reply-To: <55782610.5080308@redhat.com>
References: <20150602121127.GU23523@dhcp-40-8.bne.redhat.com> <556DDBD6.70007@redhat.com> <20150603141717.GZ23523@dhcp-40-8.bne.redhat.com> <556F3009.1090503@redhat.com> <20150604065944.GB23523@dhcp-40-8.bne.redhat.com> <55705542.4000002@redhat.com> <20150608013122.GH23523@dhcp-40-8.bne.redhat.com> <55753AE2.5030802@redhat.com> <20150609065805.GL23523@dhcp-40-8.bne.redhat.com> <5576FA44.3000300@redhat.com> <20150610044020.GO23523@dhcp-40-8.bne.redhat.com> <55782303.7070209@redhat.com> <5578248B.3010805@redhat.com> <55782610.5080308@redhat.com>
Message-ID: <5578409E.2060805@redhat.com>

On 10/06/15 13:57, Martin Kosek wrote:
> On 06/10/2015 01:50 PM, Jan Cholasta wrote:
>> Dne 10.6.2015 v 13:44 Martin Basti napsal(a):
>>> On 10/06/15 06:40, Fraser Tweedale wrote:
>>>> On Tue, Jun 09, 2015 at 04:37:56PM +0200, Martin Basti wrote:
>>>>> On 09/06/15 08:58, Fraser Tweedale wrote:
>>>>>> On Mon, Jun 08, 2015 at 08:49:06AM +0200, Martin Kosek wrote:
>>>>>>> On 06/08/2015 03:31 AM, Fraser Tweedale wrote:
>>>>>>>> New patches attached. Comments inline.
>>>>>>> Thanks Fraser!
>>>>>>>
>>>>>>> ...
>>>>>>>>> 5)
>>>>>>>>> Missing referint plugin configuration for attribute
>>>>>>>>> 'ipacaaclmembercertprofile'
>>>>>>>>> Please add it into install/updates/25-referint.update (+ other member
>>>>>>>>> attributes if missing)
>>>>>>>>>
>>>>>>>> Added this. There is a comment in 25-referint.update:
>>>>>>>>
>>>>>>>> # pres and eq indexes defined in 20-indices.update must be set
>>>>>>>> # for all the attributes
>>>>>>>>
>>>>>>>> Can you explain what is required here? Is it just to add: I see
>>>>>>>> things for memberUser and memberHost in indices.ldif but nothing for
>>>>>>>> memberService. Do I need to add to indices.ldif:
>>>>>>>>
>>>>>>>> dn: cn=memberProfile,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
>>>>>>>> changetype: add
>>>>>>>> cn: memberProfile
>>>>>>>> ObjectClass: top
>>>>>>>> ObjectClass: nsIndex
>>>>>>>> nsSystemIndex: false
>>>>>>>> nsIndexType: eq
>>>>>>>> nsIndexType: pres
>>>>>>>> nsIndexType: sub
>>>>>>>>
>>>>>>>> , and similarly for memberCa? Sorry, I do not know much about LDAP
>>>>>>>> indexing.
>>>>>>> AFAIR, yes. BTW, where does the "sub" index come from? It is quite an expensive
>>>>>>> index to use and I now cannot think of a memberProfile search where you would
>>>>>>> need a substring...
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Martin
>>>>>> Updated patch attached, which adds the indices. (Also rebased).
>>>>>>
>>>>>> There is a commit that seems to indicate that a substring index is
>>>>>> needed, so I have included substring indices in this patchset.
>>>>>> Copied Honza in case he wants to comment.
>>>>>>
>>>>>> commit a10521a1dcf69960d6ce0bf5657180b709c297c0
>>>>>> Author: Jan Cholasta
>>>>>> Date:   Tue Jun 25 13:16:40 2013 +0000
>>>>>>
>>>>>>     Add missing substring indices for attributes managed by the referint plugin.
>>>>>>
>>>>>>     The referint plugin does a substring search on these attributes each time an
>>>>>>     entry is deleted, which causes a noticeable slowdown for large directories if
>>>>>>     the attributes are not indexed.
>>>>>>
>>>>>>     https://fedorahosted.org/freeipa/ticket/3706
>>>>>>
>>>>>> Cheers,
>>>>>> Fraser
>>>>> ACK
>>>>>
>>>>> Please send the upgrade patch ASAP :)
>>>>>
>>>>> --
>>>>> Martin Basti
>>>>>
>>>> Thank you for the ACK \o/
>>>>
>>>> Since the patches have not been pushed, here is an updated patchset
>>>> which adds the upgrade behaviour. There are no changes apart from
>>>> the additions to ipaserver/install/server/upgrade.py.
>>>>
>>>> Cheers,
>>>> Fraser
>>> ACK
>> NACK, the new OIDs are not registered.
>>
>> BTW all new attribute names should have the "ipa" prefix. Also I would prefer
>> "CertProfile" instead of just "Profile" in certificate profile related names.
>> Please rename the attributes as follows:
>>
>> memberCa -> ipaMemberCa
>> memberProfile -> ipaMemberCertProfile
>> caCategory -> ipaCaCategory
>> profileCategory -> ipaCertProfileCategory
>>
>> Honza
>>
> +1. I see that other attributes from this feature use the ipa prefix already:
>
> dn: cn=schema
> attributeTypes: (2.16.840.1.113730.3.8.21.1.1 NAME 'ipaCertProfileStoreIssued' DESC 'Store certificates issued using this profile' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.2' )
> objectClasses: (2.16.840.1.113730.3.8.21.2.1 NAME 'ipaCertProfile' SUP top STRUCTURAL MUST ( cn $ description $ ipaCertProfileStoreIssued ) X-ORIGIN 'IPA v4.2' )
>
> Those OIDs should BTW be registered as well, if not already registered.

Patches with updated names attached.

Fraser, can you check that I didn't break anything? :)

-- 
Martin Basti
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ftweedal+mbasti-0012.12-Add-CA-ACL-plugin.patch
Type: text/x-patch
Size: 45198 bytes
Desc: not available
URL: 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ftweedal+mbasti-0013.12-Enforce-CA-ACLs-in-cert-request-command.patch
Type: text/x-patch
Size: 6249 bytes
Desc: not available
URL: 

From mbasti at redhat.com Wed Jun 10 13:51:31 2015
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 10 Jun 2015 15:51:31 +0200
Subject: [Freeipa-devel] [PATCH 0051] Use 389-ds centralized scripts.
In-Reply-To: <5576FB82.6030109@redhat.com>
References: <5576FB82.6030109@redhat.com>
Message-ID: <557840E3.60004@redhat.com>

On 09/06/15 16:43, David Kupka wrote:
> https://fedorahosted.org/freeipa/ticket/4051

ACK

-- 
Martin Basti

From mbasti at redhat.com Wed Jun 10 13:53:06 2015
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 10 Jun 2015 15:53:06 +0200
Subject: [Freeipa-devel] [PATCH 0031] Update PKCS#11 mechanism constants for AES key wrapping to PKCS#11 v2.40
In-Reply-To: <5575A420.50006@redhat.com>
References: <5575A420.50006@redhat.com>
Message-ID: <55784142.2010902@redhat.com>

On 08/06/15 16:18, Petr Spacek wrote:
> Hello,
>
> Update PKCS#11 mechanism constants for AES key wrapping to PKCS#11 v2.40.
>
> SoftHSM 2.0.0rc1 was updated to these new constants to avoid a collision with
> Blowfish mechanisms.
>
> Older code *cannot* work with SoftHSM 2.0.0rc1 and newer.
>
> Symptoms include errors like this:
>
> On DNSSEC key master:
> ipa-ods-exporter: _ipap11helper.Error: Error at key wrapping: get buffer length: 0x70
>
> On DNSSEC replicas:
> ipa-dnskeysyncd: subprocess.CalledProcessError: Command ''/usr/libexec/ipa/ipa-dnskeysync-replica'' returned non-zero exit status 1
>

ACK

-- 
Martin Basti

From pvoborni at redhat.com Wed Jun 10 14:06:08 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 10 Jun 2015 16:06:08 +0200
Subject: [Freeipa-devel] [PATCH 0329] ipa-replica-manage: Do not allow topology altering commands
In-Reply-To: <556DA07E.7030300@redhat.com>
References: <556D9D3B.3040901@redhat.com> <556DA07E.7030300@redhat.com>
Message-ID: <55784450.5050707@redhat.com>

On 06/02/2015 02:24 PM, Ludwig Krispenz wrote:
> hi,
>
> is there a real replacement for "del"? It is not in the scope of the
> topology commands, the removal of the agreement is rejected and later
> done by the plugin, but what about removal of the host, services,
> cleanruv?
>
> Ludwig
> On 06/02/2015 02:10 PM, Tomas Babej wrote:
>> Hi,
>>
>> With Domain Level 1 and above, the usage of ipa-replica-manage commands
>> that alter the replica topology is deprecated. The following commands
>> are prohibited:
>>
>> * connect
>> * disconnect
>> * del
>>
>> Upon executing any of these commands, users are pointed to the
>> ipa topologysegment-* replacements.
>>
>> Part of: https://fedorahosted.org/freeipa/ticket/4302
>>

Tomas is on vacation. I've removed 'del' from his patch and will create a new one for handling of 'del'.

If that's OK, we can push this one.

-- 
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tbabej-0329-2-ipa-replica-manage-Do-not-allow-topology-altering-co.patch
Type: text/x-patch
Size: 2613 bytes
Desc: not available
URL: 

From derny at redhat.com Wed Jun 10 14:09:13 2015
From: derny at redhat.com (Drew Erny)
Date: Wed, 10 Jun 2015 10:09:13 -0400
Subject: [Freeipa-devel] Community Portal Milestone
In-Reply-To: <5577DE9C.1030004@redhat.com>
References: <5575EF16.5090808@redhat.com> <5576C04F.9070903@redhat.com> <5576EA1B.7050300@redhat.com> <55774959.10503@redhat.com> <1433889289.20848.40.camel@willson.usersys.redhat.com> <5577AAC9.1010007@redhat.com> <5577DE9C.1030004@redhat.com>
Message-ID: <55784509.4090006@redhat.com>

On 06/10/2015 02:52 AM, Martin Kosek wrote:
> On 06/10/2015 05:11 AM, Adam Young wrote:
>> On 06/09/2015 06:34 PM, Simo Sorce wrote:
>>> On Tue, 2015-06-09 at 16:15 -0400, Drew Erny wrote:
>>>> Hey, Freeipa, same thread new subtopic.
>>>>
>>>> So, I was bouncing some ideas around with another developer (ayoung) and
>>>> I think I have a pretty good idea for self-service user registration.
>>>>
>>>> The idea is that I put self-service user registration into its own
>>>> application that calls out to ipa user-add after getting admin approval.
>>>>
>>>> Workflow goes like this:
>>>>
>>>> 1.) User goes to registration page, inputs details into form.
>>>> Registration page and application are not part of FreeIPA.
>>>> 2.) User's registration goes into a non-FreeIPA database, something like
>>>> SQLite.
>>>> 3.) Admin gets a notification email with a link to approve/deny
>>>> registration.
>>>> A.) Admin clicks approval link, registration application (which has
>>>> limited privileges) makes call out to ipa user-add command, adding the
>>>> new user to FreeIPA.
>>>> B.) Admin clicks deny link, user is not added.
>>>> 4.) User's registration information, approved or denied, is deleted from
>>>> the external database.
>>>>
>>>> This has a couple of advantages. For starters, it provides a layer of
>>>> protection against the creation of spam accounts. Accounts are not added
>>>> directly to LDAP (inserting into LDAP is a slow operation); instead they sit in an
>>>> intermediate area waiting for approval. Second, we don't have to write a big
>>>> extension to ipa user-add or staginguser-add that allows anonymous
>>>> access to that command. Third, it can be bundled into its own package
>>>> and given to the community separate from FreeIPA proper. Finally, it
>>>> would allow me to gracefully defer becoming buried up to my neck in
>>>> D-Bus notifications and whatever other fanciness we want to send email,
>>>> because FreeIPA won't be sending the email.
>>>>
>>>> Opinions?
>>> You could avoid using an external database by using the new User
>>> Lifecycle management feature [1]. This will allow you to do a simple
>>> ldapadd, but the user will not be enabled until an admin logs into the
>>> FreeIPA interface to enable the user.
>>> This means your app never needs to see the admin's credentials or use
>>> s4u2proxy and will pose a lower risk to the system.
>> The big issue was having an unauthenticated user add to the datastore; I don't
>> think you want to push new values directly into LDAP. A separate Database makes
>> a lot of sense, and using SQLite for a proof of concept allows us to migrate up
>> to MySQL for a live deployment.
> The separate database does not make a lot of sense to me, why not use the Stage
> User tree when it's there, ready for you? I would like to know what is the
> motivation and reasoning for using a completely separate DB. Besides others, I
> think the Stage Users area for example checks for login name or UID/GID collisions.
>
> The Selfservice just needs to operate under an identity that has a Stage User
> Administrator privilege or we can create a more contained privilege that could
> just add the staged users and not modify/remove them.
>

Well, I'm led to believe that LDAP modifications are a slow operation. My concern is that if a site got hit with a load of spam, it could slow down a lot. Enforcing a separation between verified users (who are in the LDAP database) and the unwashed masses (who sit isolated in a small relational database, good performance) might be a good thing in a public environment. We're not talking about much of a database, either; it should top out at a couple dozen entries on a massive site if the admins are diligent in clearing it out. If the possible performance hit isn't a concern (and LDAP databases are not as slow as I'd guessed) then I'll just use the user staging area. Is performance a concern?

From mkosek at redhat.com Wed Jun 10 14:16:18 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 10 Jun 2015 16:16:18 +0200
Subject: [Freeipa-devel] Community Portal Milestone
In-Reply-To: <55784509.4090006@redhat.com>
References: <5575EF16.5090808@redhat.com> <5576C04F.9070903@redhat.com> <5576EA1B.7050300@redhat.com> <55774959.10503@redhat.com> <1433889289.20848.40.camel@willson.usersys.redhat.com> <5577AAC9.1010007@redhat.com> <5577DE9C.1030004@redhat.com> <55784509.4090006@redhat.com>
Message-ID: <557846B2.6090103@redhat.com>

On 06/10/2015 04:09 PM, Drew Erny wrote:
> On 06/10/2015 02:52 AM, Martin Kosek wrote:
>> On 06/10/2015 05:11 AM, Adam Young wrote:
>>> On 06/09/2015 06:34 PM, Simo Sorce wrote:
>>>> On Tue, 2015-06-09 at 16:15 -0400, Drew Erny wrote:
>>>>> Hey, Freeipa, same thread new subtopic.
>>>>>
>>>>> So, I was bouncing some ideas around with another developer (ayoung) and
>>>>> I think I have a pretty good idea for self-service user registration.
>>>>>
>>>>> The idea is that I put self-service user registration into its own
>>>>> application that calls out to ipa user-add after getting admin approval.
>>>>>
>>>>> Workflow goes like this:
>>>>>
>>>>> 1.) User goes to registration page, inputs details into form.
>>>>> Registration page and application are not part of FreeIPA.
>>>>> 2.) User's registration goes into a non-FreeIPA database, something like
>>>>> SQLite.
>>>>> 3.) Admin gets a notification email with a link to approve/deny
>>>>> registration.
>>>>> A.) Admin clicks approval link, registration application (which has
>>>>> limited privileges) makes call out to ipa user-add command, adding the
>>>>> new user to FreeIPA.
>>>>> B.) Admin clicks deny link, user is not added.
>>>>> 4.) User's registration information, approved or denied, is deleted from
>>>>> the external database.
>>>>>
>>>>> This has a couple of advantages. For starters, it provides a layer of
>>>>> protection against the creation of spam accounts. Accounts are not added
>>>>> directly to LDAP (inserting into LDAP is a slow operation); instead they sit in an
>>>>> intermediate area waiting for approval. Second, we don't have to write a big
>>>>> extension to ipa user-add or staginguser-add that allows anonymous
>>>>> access to that command. Third, it can be bundled into its own package
>>>>> and given to the community separate from FreeIPA proper. Finally, it
>>>>> would allow me to gracefully defer becoming buried up to my neck in
>>>>> D-Bus notifications and whatever other fanciness we want to send email,
>>>>> because FreeIPA won't be sending the email.
>>>>>
>>>>> Opinions?
>>>> You could avoid using an external database by using the new User
>>>> Lifecycle management feature [1]. This will allow you to do a simple
>>>> ldapadd, but the user will not be enabled until an admin logs into the
>>>> FreeIPA interface to enable the user.
>>>> This means your app never needs to see the admin's credentials or use
>>>> s4u2proxy and will pose a lower risk to the system.
>>> The big issue was having an unauthenticated user add to the datastore; I don't
>>> think you want to push new values directly into LDAP. A separate Database makes
>>> a lot of sense, and using SQLite for a proof of concept allows us to migrate up
>>> to MySQL for a live deployment.
>> The separate database does not make a lot of sense to me, why not use the Stage
>> User tree when it's there, ready for you? I would like to know what is the
>> motivation and reasoning for using a completely separate DB. Besides others, I
>> think the Stage Users area for example checks for login name or UID/GID collisions.
>>
>> The Selfservice just needs to operate under an identity that has a Stage User
>> Administrator privilege or we can create a more contained privilege that could
>> just add the staged users and not modify/remove them.
>>
> Well, I'm led to believe that LDAP modifications are a slow operation.

Yes. With LDAP, reads are quick, writes are slow.

> My
> concern is that if a site got hit with a load of spam, it could slow down a
> lot. Enforcing a separation between verified users (who are in the LDAP
> database) and the unwashed masses (who sit isolated in a small relational
> database, good performance) might be a good thing in a public environment.
> We're not talking about much of a database, either; it should top out at a
> couple dozen entries on a massive site if the admins are diligent in clearing
> it out. If the possible performance hit isn't a concern (and LDAP databases are
> not as slow as I'd guessed) then I'll just use the user staging area. Is
> performance a concern?

I do not see that performance should be the main decision point for this work. Maybe we would get there later, right now this may be just premature optimization. The LDAP database should not be *that* slow. My naive guess is that if the user registration portal contains some decent Captcha or other mechanism, the number of wrong new user entries should be low.

AFAIK, this work would form some standalone page utilizing the FreeIPA Web UI framework we have already, to get the same look and feel. Using the FreeIPA API to store/manipulate user entries should thus be much easier than taking care of a separate database. Also, if the Stage user tree is used, the admins doing the validation of user entries may also have other responsibilities in FreeIPA, so they may welcome having these entries in Stage User in the FreeIPA Web UI without going to a special application.

Just my thoughts, I would welcome other feedback.

From pvoborni at redhat.com Wed Jun 10 14:39:15 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 10 Jun 2015 16:39:15 +0200
Subject: [Freeipa-devel] [PATCH 0329] ipa-replica-manage: Do not allow topology altering commands
In-Reply-To: <55784450.5050707@redhat.com>
References: <556D9D3B.3040901@redhat.com> <556DA07E.7030300@redhat.com> <55784450.5050707@redhat.com>
Message-ID: <55784C13.6090301@redhat.com>

On 06/10/2015 04:06 PM, Petr Vobornik wrote:
> On 06/02/2015 02:24 PM, Ludwig Krispenz wrote:
>> hi,
>>
>> is there a real replacement for "del"? It is not in the scope of the
>> topology commands, the removal of the agreement is rejected and later
>> done by the plugin, but what about removal of the host, services,
>> cleanruv?
>>
>> Ludwig
>> On 06/02/2015 02:10 PM, Tomas Babej wrote:
>>> Hi,
>>>
>>> With Domain Level 1 and above, the usage of ipa-replica-manage commands
>>> that alter the replica topology is deprecated. The following commands
>>> are prohibited:
>>>
>>> * connect
>>> * disconnect
>>> * del
>>>
>>> Upon executing any of these commands, users are pointed to the
>>> ipa topologysegment-* replacements.
>>>
>>> Part of: https://fedorahosted.org/freeipa/ticket/4302
>>>
>
> Tomas is on vacation. I've removed 'del' from his patch and will create
> a new one for handling of 'del'.
>
> If that's OK, we can push this one.
>

NACK

'connect' and 'disconnect' also serve for setting up/removing winsync replication agreements. This patch forbids it.

I've not tested if the topology plugin ignores winsync agreements. Does it?

-- 
Petr Vobornik

From derny at redhat.com Wed Jun 10 14:55:36 2015
From: derny at redhat.com (Drew Erny)
Date: Wed, 10 Jun 2015 10:55:36 -0400
Subject: [Freeipa-devel] Community Portal Milestone
In-Reply-To: <557846B2.6090103@redhat.com>
References: <5575EF16.5090808@redhat.com> <5576C04F.9070903@redhat.com> <5576EA1B.7050300@redhat.com> <55774959.10503@redhat.com> <1433889289.20848.40.camel@willson.usersys.redhat.com> <5577AAC9.1010007@redhat.com> <5577DE9C.1030004@redhat.com> <55784509.4090006@redhat.com> <557846B2.6090103@redhat.com>
Message-ID: <55784FE8.30506@redhat.com>

On 06/10/2015 10:16 AM, Martin Kosek wrote:
> AFAIK, this work would form some standalone page utilizing the FreeIPA
> Web UI framework we have already, to get the same look and feel. Using
> the FreeIPA API to store/manipulate user entries should thus be much
> easier than taking care of a separate database. Also, if the Stage user
> tree is used, the admins doing the validation of user entries may also
> have other responsibilities in FreeIPA, so they may welcome having
> these entries in Stage User in the FreeIPA Web UI without going to a
> special application. Just my thoughts, I would welcome other feedback.

I'm worried that if I try to fit this into the existing WebUI framework, I'm gonna end up wrangling with the fact that the WebUI expects to have an authenticated LDAP user, but we need anonymous access for both self-service registration and (eventually) for password reset. I'm not sure what kind of changes would be needed to make this work. I'll use the stageuser tree either way, though; your argument on that is definitely correct.

From lkrispen at redhat.com Wed Jun 10 14:57:52 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Wed, 10 Jun 2015 16:57:52 +0200
Subject: [Freeipa-devel] [PATCH 0329] ipa-replica-manage: Do not allow topology altering commands
In-Reply-To: <55784C13.6090301@redhat.com>
References: <556D9D3B.3040901@redhat.com> <556DA07E.7030300@redhat.com> <55784450.5050707@redhat.com> <55784C13.6090301@redhat.com>
Message-ID: <55785070.4070501@redhat.com>

On 06/10/2015 04:39 PM, Petr Vobornik wrote:
> On 06/10/2015 04:06 PM, Petr Vobornik wrote:
>> On 06/02/2015 02:24 PM, Ludwig Krispenz wrote:
>>> hi,
>>>
>>> is there a real replacement for "del"? It is not in the scope of the
>>> topology commands, the removal of the agreement is rejected and later
>>> done by the plugin, but what about removal of the host, services,
>>> cleanruv?
>>>
>>> Ludwig
>>> On 06/02/2015 02:10 PM, Tomas Babej wrote:
>>>> Hi,
>>>>
>>>> With Domain Level 1 and above, the usage of ipa-replica-manage commands
>>>> that alter the replica topology is deprecated. The following commands
>>>> are prohibited:
>>>>
>>>> * connect
>>>> * disconnect
>>>> * del
>>>>
>>>> Upon executing any of these commands, users are pointed to the
>>>> ipa topologysegment-* replacements.
>>>>
>>>> Part of: https://fedorahosted.org/freeipa/ticket/4302
>>>>
>>
>> Tomas is on vacation. I've removed 'del' from his patch and will create
>> a new one for handling of 'del'.
>>
>> If that's OK, we can push this one.
>>
>
> NACK
>
> 'connect' and 'disconnect' also serve for setting up/removing
> winsync replication agreements. This patch forbids it.
>
> I've not tested if the topology plugin ignores winsync agreements. Does it?

Yes, it only manages "normal" agreements.

From dkupka at redhat.com Wed Jun 10 16:08:43 2015
From: dkupka at redhat.com (David Kupka) Date: Wed, 10 Jun 2015 18:08:43 +0200 Subject: [Freeipa-devel] [PATCHES 434, 443, 444] vault: Fix ipa-kra-install In-Reply-To: <55781E9F.3000002@redhat.com> References: <55781E9F.3000002@redhat.com> Message-ID: <5578610B.2030201@redhat.com> On 10.6.2015 at 13:25 Jan Cholasta wrote: > Hi, > > the attached patches fix several shortcomings in ipa-kra-install, see > commit messages. > > > > (Patch 434 was introduced in > .) > > Honza > There are two issues: 1) https://fedorahosted.org/freeipa/ticket/5059 but it is just a missing check and can be fixed later. 2) kra.install() was called before http_install() but kra installation needs httpd running. This is fixed in the attached patch. -- David Kupka -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-444.1-vault-Fix-ipa-kra-install.patch Type: text/x-patch Size: 20752 bytes Desc: not available URL: From pvoborni at redhat.com Wed Jun 10 16:11:12 2015 
From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 10 Jun 2015 18:11:12 +0200 Subject: [Freeipa-devel] Community Portal Milestone In-Reply-To: <55784FE8.30506@redhat.com> References: <5575EF16.5090808@redhat.com> <5576C04F.9070903@redhat.com> <5576EA1B.7050300@redhat.com> <55774959.10503@redhat.com> <1433889289.20848.40.camel@willson.usersys.redhat.com> <5577AAC9.1010007@redhat.com> <5577DE9C.1030004@redhat.com> <55784509.4090006@redhat.com> <557846B2.6090103@redhat.com> <55784FE8.30506@redhat.com> Message-ID: <557861A0.8060701@redhat.com> On 06/10/2015 04:55 PM, Drew Erny wrote: > > > On 06/10/2015 10:16 AM, Martin Kosek wrote: >> AFAIK, this work would form some standalone page utilizing the FreeIPA >> Web UI framework we have already, to get the same look and feel. Using >> FreeIPA API to store/manipulate user entries should be thus much >> easier, then taking care of separate database. Also, if Stage user >> tree is used, the admins doing the validation of user entries may also >> have other responsibilities in FreeIPA, so they may welcome having >> these entries in Stage User in the FreeIPA Web UI without going to >> special application. Just my thoughts, I would welcome other feedback. > I'm worried if I try to fit this into the existing WebUI framework, I'm > gonna end up wrangling with the fact that the WebUI expects to have an > authenticated LDAP user, but we need anonymous access for both > self-service registration and (eventually) for password reset. I'm not > sure what kind of changes would be needed to make this work. I'll use > the stageuser tree either way, though; your argument on that is > definitely correct. > https://ipa.demo1.freeipa.org/ipa/ui/sync_otp.html is an example of such standalone page. Web UI framework doesn't need authentication until it talks to IPA API. -- Petr Vobornik From dkupka at redhat.com Wed Jun 10 16:14:12 2015 
From: dkupka at redhat.com (David Kupka) Date: Wed, 10 Jun 2015 18:14:12 +0200 Subject: [Freeipa-devel] [PATCHES 434, 443, 444] vault: Fix ipa-kra-install In-Reply-To: <5578610B.2030201@redhat.com> References: <55781E9F.3000002@redhat.com> <5578610B.2030201@redhat.com> Message-ID: <55786254.2060908@redhat.com> On 10.6.2015 at 18:08 David Kupka wrote: > On 10.6.2015 at 13:25 Jan Cholasta wrote: >> Hi, >> >> the attached patches fix several shortcomings in ipa-kra-install, see >> commit messages. >> >> >> >> (Patch 434 was introduced in >> .) >> >> Honza >> > > There are two issues: > 1) https://fedorahosted.org/freeipa/ticket/5059 but it is just a missing > check and can be fixed later. > > 2) kra.install() was called before http_install() but kra installation > needs httpd running. This is fixed in the attached patch. > > I accidentally included a change in Makefile, updated patch attached. Also I forgot to explicitly write 'ACK' to fulfill the process requirements, so: Works for me, ACK. -- David Kupka -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-444.2-vault-Fix-ipa-kra-install.patch Type: text/x-patch Size: 20313 bytes Desc: not available URL: From jcholast at redhat.com Wed Jun 10 16:18:01 2015 
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 10 Jun 2015 18:18:01 +0200 Subject: [Freeipa-devel] [PATCHES 434, 443, 444] vault: Fix ipa-kra-install In-Reply-To: <55786254.2060908@redhat.com> References: <55781E9F.3000002@redhat.com> <5578610B.2030201@redhat.com> <55786254.2060908@redhat.com> Message-ID: <55786339.5060504@redhat.com> On 10.6.2015 at 18:14 David Kupka wrote: > On 10.6.2015 at 18:08 David Kupka wrote: >> On 10.6.2015 at 13:25 Jan Cholasta wrote: >>> Hi, >>> >>> the attached patches fix several shortcomings in ipa-kra-install, see >>> commit messages. >>> >>> >>> >>> (Patch 434 was introduced in >>> .) >>> >>> >>> Honza >>> >> >> There are two issues: >> 1) https://fedorahosted.org/freeipa/ticket/5059 but it is just a missing >> check and can be fixed later. >> >> 2) kra.install() was called before http_install() but kra installation >> needs httpd running. This is fixed in the attached patch. >> >> > > I accidentally included a change in Makefile, updated patch attached. > Also I forgot to explicitly write 'ACK' to fulfill the process > requirements, so: Works for me, ACK. Thanks. Pushed to master: e7ac57e1390c76c3d7fdb2710808def107d21d6d -- Jan Cholasta From pspacek at redhat.com Wed Jun 10 17:07:09 2015 
From: pspacek at redhat.com (Petr Spacek) Date: Wed, 10 Jun 2015 19:07:09 +0200 Subject: [Freeipa-devel] [PATCH 0384-0385] Replace isc_atomic_* in with reference counter Message-ID: <55786EBD.9080209@redhat.com> Hello, Replace isc_atomic_* in MetaLDAP with reference counter abstraction. + Replace isc_atomic_* in instance tainting with reference counter abstraction. Reference counters are used as an abstraction which hides missing isc_atomic_*() functions on some architectures. This change is necessary for architectures like s390x and ppc64le where BIND does not provide isc_atomic_* abstractions. -- Petr^2 Spacek -------------- next part -------------- A non-text attachment was scrubbed... Name: bind-dyndb-ldap-pspacek-0384-Replace-isc_atomic_-in-instance-tainting-with-refere.patch Type: text/x-patch Size: 3746 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: bind-dyndb-ldap-pspacek-0385-Replace-isc_atomic_-in-MetaLDAP-with-reference-count.patch Type: text/x-patch Size: 3871 bytes Desc: not available URL: From pvoborni at redhat.com Wed Jun 10 17:23:08 2015 
From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 10 Jun 2015 19:23:08 +0200 Subject: [Freeipa-devel] [PATCH 0329] ipa-replica-manage: Do not allow topology altering commands In-Reply-To: <55784C13.6090301@redhat.com> References: <556D9D3B.3040901@redhat.com> <556DA07E.7030300@redhat.com> <55784450.5050707@redhat.com> <55784C13.6090301@redhat.com> Message-ID: <5578727C.5080305@redhat.com> On 06/10/2015 04:39 PM, Petr Vobornik wrote: > On 06/10/2015 04:06 PM, Petr Vobornik wrote: >> On 06/02/2015 02:24 PM, Ludwig Krispenz wrote: >>> hi, >>> >>> is there a real replacement for "del", it is not in the scope of the >>> topology commands, the removal of the agreement is rejected and later >>> done by the plugin, but what about removal of the host, services, >>> cleanruv ? >>> >>> Ludwig >>> On 06/02/2015 02:10 PM, Tomas Babej wrote: >>>> Hi, >>>> >>>> With Domain Level 1 and above, the usage of ipa-replica-manage commands >>>> that alter the replica topology is deprecated. Following commands >>>> are prohibited: >>>> >>>> * connect >>>> * disconnect >>>> * del >>>> >>>> Upon executing any of these commands, users are pointed out to the >>>> ipa topologysegment-* replacements. >>>> >>>> Part of: https://fedorahosted.org/freeipa/ticket/4302 >>>> >> >> >> Tomas is on vacation. I've removed 'del' from his patch and will create >> a new one for handling of 'del'. >> >> If that's OK, we can push this one. >> >> > > NACK > > 'connect' and 'disconnect' serve also for setting up/removing of winsync > replication agreements. This patch forbids it. Attaching a patch which addresses this issue and replaces Tomas' patch (which was used as a basis). Patch for 'del' will follow. > > I've not tested if topology plugin ignores winsync agreements. Does it? -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pvoborni-0872-ipa-replica-manage-Do-not-allow-topology-altering-co.patch Type: text/x-patch Size: 5222 bytes Desc: not available URL: From ftweedal at redhat.com Thu Jun 11 05:16:35 2015 
From: ftweedal at redhat.com (Fraser Tweedale) Date: Thu, 11 Jun 2015 15:16:35 +1000 Subject: [Freeipa-devel] [PATCHES 00012-0013 v7] Profiles and CA ACLs In-Reply-To: <5578409E.2060805@redhat.com> References: <55705542.4000002@redhat.com> <20150608013122.GH23523@dhcp-40-8.bne.redhat.com> <55753AE2.5030802@redhat.com> <20150609065805.GL23523@dhcp-40-8.bne.redhat.com> <5576FA44.3000300@redhat.com> <20150610044020.GO23523@dhcp-40-8.bne.redhat.com> <55782303.7070209@redhat.com> <5578248B.3010805@redhat.com> <55782610.5080308@redhat.com> <5578409E.2060805@redhat.com> Message-ID: <20150611051635.GU23523@dhcp-40-8.bne.redhat.com> On Wed, Jun 10, 2015 at 03:50:22PM +0200, Martin Basti wrote: > On 10/06/15 13:57, Martin Kosek wrote: > >On 06/10/2015 01:50 PM, Jan Cholasta wrote: > >>Dne 10.6.2015 v 13:44 Martin Basti napsal(a): > >>>On 10/06/15 06:40, Fraser Tweedale wrote: > >>>>On Tue, Jun 09, 2015 at 04:37:56PM +0200, Martin Basti wrote: > >>>>>On 09/06/15 08:58, Fraser Tweedale wrote: > >>>>>>On Mon, Jun 08, 2015 at 08:49:06AM +0200, Martin Kosek wrote: > >>>>>>>On 06/08/2015 03:31 AM, Fraser Tweedale wrote: > >>>>>>>>New patches attached. Comments inline. > >>>>>>>Thanks Fraser! > >>>>>>> > >>>>>>>... > >>>>>>>>>5) > >>>>>>>>>Missing referint plugin configuration for attribute > >>>>>>>>>'ipacaaclmembercertprofile' > >>>>>>>>>Please add it into install/updates/25-referint.update (+ other > >>>>>>>>>member > >>>>>>>>>attributes if missing) > >>>>>>>>> > >>>>>>>>Added this. There is a comment in 25-referint.update: > >>>>>>>> > >>>>>>>> # pres and eq indexes defined in 20-indices.update must be set > >>>>>>>> # for all the attributes > >>>>>>>> > >>>>>>>>Can you explain what is required here? Is it just to add: I see > >>>>>>>>things for memberUser and memberHost in indices.ldif but nothing for > >>>>>>>>memberService. 
Do I need to add to indices.ldif: > >>>>>>>> > >>>>>>>> dn: cn=memberProfile,cn=index,cn=userRoot,cn=ldbm > >>>>>>>>database,cn=plugins,cn=config > >>>>>>>> changetype: add > >>>>>>>> cn: memberProfile > >>>>>>>> ObjectClass: top > >>>>>>>> ObjectClass: nsIndex > >>>>>>>> nsSystemIndex: false > >>>>>>>> nsIndexType: eq > >>>>>>>> nsIndexType: pres > >>>>>>>> nsIndexType: sub > >>>>>>>> > >>>>>>>>, and similarly for memberCa? Sorry I do not know much about LDAP > >>>>>>>>indexing. > >>>>>>>AFAIR, yes. BTW, where does the "sub" index come from? It is quite > >>>>>>>an expensive > >>>>>>>index to use and I now cannot think of memberProfile search where > >>>>>>>you would > >>>>>>>need a substring... > >>>>>>> > >>>>>>>Thanks, > >>>>>>>Martin > >>>>>>Updated patch attached, which adds the indices. (Also rebased). > >>>>>> > >>>>>>There is a commit that seems to indicate that substring index is > >>>>>>needed, so I have included substring indices in this patchset. > >>>>>>Copied Honza in case he wants to comment. > >>>>>> > >>>>>> commit a10521a1dcf69960d6ce0bf5657180b709c297c0 > >>>>>> Author: Jan Cholasta > >>>>>> Date: Tue Jun 25 13:16:40 2013 +0000 > >>>>>> > >>>>>> Add missing substring indices for attributes managed by the > >>>>>>referint plugin. > >>>>>> > >>>>>> The referint plugin does a substring search on these > >>>>>>attributes each time an > >>>>>> entry is deleted, which causes a noticeable slowdown for > >>>>>>large directories if > >>>>>> the attributes are not indexed. > >>>>>> > >>>>>> https://fedorahosted.org/freeipa/ticket/3706 > >>>>>> > >>>>>>Cheers, > >>>>>>Fraser > >>>>>ACK > >>>>> > >>>>>Please send the upgrade patch ASAP :) > >>>>> > >>>>>-- > >>>>>Martin Basti > >>>>> > >>>>Thank you for the ACK \o/ > >>>> > >>>>Since the patches have not been pushed, here is an updated patchset > >>>>which adds the upgrade behaviour. There are no changes apart from > >>>>the additions to ipaserver/install/server/upgrade.py. 
> >>>> > >>>>Cheers, > >>>>Fraser > >>>ACK > >>NACK, the new OIDs are not registered. > >> > >>BTW all new attribute names should have the "ipa" prefix. Also I would prefer > >>"CertProfile" instead of just "Profile" in certificate profile related names. > >>Please rename the attributes as follows: > >> > >> memberCa -> ipaMemberCa > >> memberProfile -> ipaMemberCertProfile > >> caCategory -> ipaCaCategory > >> profileCategory -> ipaCertProfileCategory > >> > >>Honza > >> > >+1. I see that other attributes from this feature use the ipa prefix already: > > > >dn: cn=schema > >attributeTypes: (2.16.840.1.113730.3.8.21.1.1 NAME 'ipaCertProfileStoreIssued' > >DESC 'Store certificates issued using this profile' EQUALITY booleanMatch > >SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.2' ) > >objectClasses: (2.16.840.1.113730.3.8.21.2.1 NAME 'ipaCertProfile' SUP top > >STRUCTURAL MUST ( cn $ description $ ipaCertProfileStoreIssued ) X-ORIGIN 'IPA > >v4.2' ) > > > >Those OIDs should be BTW registered as well, if not already > OID registered. > Thanks! > Patches with updated names attached. > Can you Fraser check if I didn't break anything? :) > Everything LGTM. Did some simple testing. There were conflicts; rebased patches attached (no other changes). Cheers, Fraser -------------- next part -------------- From 1900b9bf4dd30c56615fe12547fd6faee35cee87 Mon Sep 17 00:00:00 2001 
From: Fraser Tweedale Date: Mon, 25 May 2015 08:39:07 -0400 Subject: [PATCH 12/13] Add CA ACL plugin Implement the caacl commands, which are used to indicate which principals may be issued certificates from which (sub-)CAs, using which profiles. At this commit, and until sub-CAs are implemented, all rules refer to the top-level CA (represented as ".") and no ca-ref argument is exposed. Also, during install and upgrade add a default CA ACL that permits certificate issuance for all hosts and services using the profile 'caIPAserviceCert' on the top-level CA. Part of: https://fedorahosted.org/freeipa/ticket/57 Part of: https://fedorahosted.org/freeipa/ticket/4559 --- ACI.txt | 10 + API.txt | 184 ++++++++++++ VERSION | 4 +- install/share/60certificate-profiles.ldif | 5 + install/share/Makefile.am | 1 + install/share/bootstrap-template.ldif | 6 + install/share/default-caacl.ldif | 11 + install/share/indices.ldif | 20 ++ install/updates/20-indices.update | 18 ++ install/updates/25-referint.update | 2 + install/updates/41-caacl.update | 4 + install/updates/Makefile.am | 1 + ipalib/constants.py | 1 + ipalib/plugins/caacl.py | 477 ++++++++++++++++++++++++++++++ ipaserver/install/dsinstance.py | 4 + ipaserver/install/server/upgrade.py | 25 ++ 16 files changed, 771 insertions(+), 2 deletions(-) create mode 100644 install/share/default-caacl.ldif create mode 100644 install/updates/41-caacl.update create mode 100644 ipalib/plugins/caacl.py diff --git a/ACI.txt b/ACI.txt index 59173ac1b593f15e079c7b1fce43ec9b0084ec91..60e9ebb10bc9b7266ff0d42a05d4d165d4ed2d55 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -22,6 +22,16 @@ dn: cn=automount,dc=ipa,dc=example aci: (targetattr = "automountmapname || description")(targetfilter = "(objectclass=automountmap)")(version 3.0;acl "permission:System: Modify Automount Maps";allow (write) groupdn = "ldap:///cn=System: Modify Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=automount,dc=ipa,dc=example aci: (targetfilter = "(objectclass=automountmap)")(version 3.0;acl "permission:System: Remove Automount Maps";allow (delete) groupdn = "ldap:///cn=System: Remove Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=caacls,cn=ca,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Add CA ACL";allow (add) groupdn = "ldap:///cn=System: Add CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=caacls,cn=ca,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Delete CA ACL";allow (delete) groupdn = "ldap:///cn=System: Delete CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=caacls,cn=ca,dc=ipa,dc=example +aci: (targetattr = "hostcategory || ipacacategory || ipacertprofilecategory || ipamemberca || ipamembercertprofile || memberhost || memberservice || memberuser || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Manage CA ACL Membership";allow (write) groupdn = "ldap:///cn=System: Manage CA ACL Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=caacls,cn=ca,dc=ipa,dc=example +aci: (targetattr = "cn || description || ipaenabledflag")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Modify CA ACL";allow (write) groupdn = "ldap:///cn=System: Modify CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=caacls,cn=ca,dc=ipa,dc=example +aci: (targetattr = "cn || createtimestamp || description || entryusn || hostcategory || ipacacategory || ipacertprofilecategory || ipaenabledflag || ipamemberca || 
ipamembercertprofile || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Read CA ACLs";allow (compare,read,search) userdn = "ldap:///all";) dn: cn=certprofiles,cn=ca,dc=ipa,dc=example aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Delete Certificate Profile";allow (delete) groupdn = "ldap:///cn=System: Delete Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=certprofiles,cn=ca,dc=ipa,dc=example diff --git a/API.txt b/API.txt index 9e41ece74c94d5d1f9ee2900461b02b56a6f562b..fddecadcd0fd72518d9332b2217af7ced75580e4 100644 --- a/API.txt +++ b/API.txt 
@@ -456,6 +456,190 @@ option: Str('version?', exclude='webui') output: Output('result', , None) output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) +command: caacl_add +args: 1,12,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, required=True) +option: Str('addattr*', cli_name='addattr', exclude='webui') +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('description', attribute=True, cli_name='desc', multivalue=False, required=False) +option: StrEnum('hostcategory', attribute=True, cli_name='hostcat', multivalue=False, required=False, values=(u'all',)) +option: StrEnum('ipacertprofilecategory', attribute=True, cli_name='profilecat', multivalue=False, required=False, values=(u'all',)) +option: Bool('ipaenabledflag', attribute=True, cli_name='ipaenabledflag', multivalue=False, required=False) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: StrEnum('servicecategory', attribute=True, cli_name='servicecat', multivalue=False, required=False, values=(u'all',)) +option: Str('setattr*', cli_name='setattr', exclude='webui') +option: StrEnum('usercategory', attribute=True, cli_name='usercat', multivalue=False, required=False, values=(u'all',)) +option: Str('version?', exclude='webui') +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) +command: caacl_add_host +args: 1,6,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('host*', alwaysask=True, cli_name='hosts', csv=True) +option: Str('hostgroup*', alwaysask=True, cli_name='hostgroups', csv=True) +option: 
Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: caacl_add_profile +args: 1,5,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('certprofile*', alwaysask=True, cli_name='certprofiles', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: caacl_add_service +args: 1,5,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('service*', alwaysask=True, cli_name='services', csv=True) +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: caacl_add_user +args: 1,6,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') 
+option: Str('group*', alwaysask=True, cli_name='groups', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('user*', alwaysask=True, cli_name='users', csv=True) +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: caacl_del +args: 1,2,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=True, primary_key=True, query=True, required=True) +option: Flag('continue', autofill=True, cli_name='continue', default=False) +option: Str('version?', exclude='webui') +output: Output('result', , None) +output: Output('summary', (, ), None) +output: ListOfPrimaryKeys('value', None, None) +command: caacl_disable +args: 1,1,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Str('version?', exclude='webui') +output: Output('result', , None) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) +command: caacl_enable +args: 1,1,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Str('version?', exclude='webui') +output: Output('result', , None) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) +command: caacl_find +args: 1,14,4 +arg: Str('criteria?', noextrawhitespace=False) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('cn', attribute=True, autofill=False, cli_name='name', multivalue=False, primary_key=True, query=True, required=False) +option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, query=True, required=False) +option: StrEnum('hostcategory', attribute=True, autofill=False, 
cli_name='hostcat', multivalue=False, query=True, required=False, values=(u'all',)) +option: StrEnum('ipacertprofilecategory', attribute=True, autofill=False, cli_name='profilecat', multivalue=False, query=True, required=False, values=(u'all',)) +option: Bool('ipaenabledflag', attribute=True, autofill=False, cli_name='ipaenabledflag', multivalue=False, query=True, required=False) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('pkey_only?', autofill=True, default=False) +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: StrEnum('servicecategory', attribute=True, autofill=False, cli_name='servicecat', multivalue=False, query=True, required=False, values=(u'all',)) +option: Int('sizelimit?', autofill=False, minvalue=0) +option: Int('timelimit?', autofill=False, minvalue=0) +option: StrEnum('usercategory', attribute=True, autofill=False, cli_name='usercat', multivalue=False, query=True, required=False, values=(u'all',)) +option: Str('version?', exclude='webui') +output: Output('count', , None) +output: ListOfEntries('result', (, ), Gettext('A list of LDAP entries', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: Output('truncated', , None) +command: caacl_mod +args: 1,14,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Str('addattr*', cli_name='addattr', exclude='webui') +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('delattr*', cli_name='delattr', exclude='webui') +option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, required=False) +option: StrEnum('hostcategory', attribute=True, autofill=False, cli_name='hostcat', multivalue=False, required=False, values=(u'all',)) +option: StrEnum('ipacertprofilecategory', attribute=True, autofill=False, cli_name='profilecat', multivalue=False, 
required=False, values=(u'all',)) +option: Bool('ipaenabledflag', attribute=True, autofill=False, cli_name='ipaenabledflag', multivalue=False, required=False) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Flag('rights', autofill=True, default=False) +option: StrEnum('servicecategory', attribute=True, autofill=False, cli_name='servicecat', multivalue=False, required=False, values=(u'all',)) +option: Str('setattr*', cli_name='setattr', exclude='webui') +option: StrEnum('usercategory', attribute=True, autofill=False, cli_name='usercat', multivalue=False, required=False, values=(u'all',)) +option: Str('version?', exclude='webui') +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) +command: caacl_remove_host +args: 1,6,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('host*', alwaysask=True, cli_name='hosts', csv=True) +option: Str('hostgroup*', alwaysask=True, cli_name='hostgroups', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: caacl_remove_profile +args: 1,5,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('certprofile*', alwaysask=True, 
cli_name='certprofiles', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: caacl_remove_service +args: 1,5,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('service*', alwaysask=True, cli_name='services', csv=True) +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: caacl_remove_user +args: 1,6,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('group*', alwaysask=True, cli_name='groups', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('user*', alwaysask=True, cli_name='users', csv=True) +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: caacl_show +args: 1,5,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, 
required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Flag('rights', autofill=True, default=False) +option: Str('version?', exclude='webui') +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) command: cert_find args: 0,17,4 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') diff --git a/VERSION b/VERSION index a8d484cce2a79ed97826a24e06ea0564e99acaa6..639952df5d84a705c24d74d8153cb852fd70a0b1 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=127 -# Last change: jcholast - add kra_is_enabled +IPA_API_VERSION_MINOR=128 +# Last change: ftweedal - add caacl plugin diff --git a/install/share/60certificate-profiles.ldif b/install/share/60certificate-profiles.ldif index f1281949e53386e5bfe8b35e0c15858c693c5467..798c3a3b0e3ff2148a1ec8c2d4aed6522f4735e3 100644 --- a/install/share/60certificate-profiles.ldif +++ b/install/share/60certificate-profiles.ldif 
@@ -1,3 +1,8 @@ dn: cn=schema attributeTypes: (2.16.840.1.113730.3.8.21.1.1 NAME 'ipaCertProfileStoreIssued' DESC 'Store certificates issued using this profile' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.2' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.2 NAME 'ipaMemberCa' DESC 'Reference to a CA member' SUP distinguishedName EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v4.2' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.3 NAME 'ipaMemberCertProfile' DESC 'Reference to a certificate profile member' SUP distinguishedName EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v4.2' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.4 NAME 'ipaCaCategory' DESC 'Additional classification for CAs' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.2' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.5 NAME 'ipaCertProfileCategory' DESC 'Additional classification for certificate profiles' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.2' ) objectClasses: (2.16.840.1.113730.3.8.21.2.1 NAME 'ipaCertProfile' SUP top STRUCTURAL MUST ( cn $ description $ ipaCertProfileStoreIssued ) X-ORIGIN 'IPA v4.2' ) +objectClasses: (2.16.840.1.113730.3.8.21.2.2 NAME 'ipaCaAcl' SUP ipaAssociation STRUCTURAL MUST cn MAY ( ipaCaCategory $ ipaCertProfileCategory $ userCategory $ hostCategory $ serviceCategory $ ipaMemberCa $ ipaMemberCertProfile $ memberService ) X-ORIGIN 'IPA v4.2' ) diff --git a/install/share/Makefile.am b/install/share/Makefile.am index 5d8397bb13b066b480708390cb12e5afe4c95547..53f0ecf01d5b401b3361ce5969b18dd713ad246f 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am 
@@ -29,6 +29,7 @@ app_DATA = \ bootstrap-template.ldif \ caJarSigningCert.cfg.template \ default-aci.ldif \ + default-caacl.ldif \ default-hbac.ldif \ default-smb-group.ldif \ default-trust-view.ldif \ diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif index c5d4bad8b80640881f4631e4873a12c82b0ea48a..2387f220fd4fe6e3ccd59f4b592f2473d7acfa44 100644 --- a/install/share/bootstrap-template.ldif +++ b/install/share/bootstrap-template.ldif @@ -441,3 +441,9 @@ changetype: add objectClass: nsContainer objectClass: top cn: certprofiles + +dn: cn=caacls,cn=ca,$SUFFIX +changetype: add +objectClass: nsContainer +objectClass: top +cn: caacls diff --git a/install/share/default-caacl.ldif b/install/share/default-caacl.ldif new file mode 100644 index 0000000000000000000000000000000000000000..f3cd5b4d4e3a79bc6638dc1ffdd7028596ded254 --- /dev/null +++ b/install/share/default-caacl.ldif @@ -0,0 +1,11 @@ +# default CA ACL that grants use of caIPAserviceCert on top-level CA to all hosts and services +dn: ipauniqueid=autogenerate,cn=caacls,cn=ca,$SUFFIX +changetype: add +objectclass: ipaassociation +objectclass: ipacaacl +ipauniqueid: autogenerate +cn: hosts_services_caIPAserviceCert +ipaenabledflag: TRUE +ipamembercertprofile: cn=caIPAserviceCert,cn=certprofiles,cn=ca,$SUFFIX +hostcategory: all +servicecategory: all diff --git a/install/share/indices.ldif b/install/share/indices.ldif index ad678e0b2123d961c957d3071ba48ff70bf27e7a..70a587d7a2c3d29955f4f95f6b475c4f90fb73a7 100644 --- a/install/share/indices.ldif +++ b/install/share/indices.ldif 
@@ -227,3 +227,23 @@ ObjectClass: top ObjectClass: nsIndex nsSystemIndex: false nsIndexType: eq + +dn: cn=ipaMemberCa,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config +changetype: add +cn: ipaMemberCa +ObjectClass: top +ObjectClass: nsIndex +nsSystemIndex: false +nsIndexType: eq +nsIndexType: pres +nsIndexType: sub + +dn: cn=ipaMemberCertProfile,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config +changetype: add +cn: ipaMemberCertProfile +ObjectClass: top +ObjectClass: nsIndex +nsSystemIndex: false +nsIndexType: eq +nsIndexType: pres +nsIndexType: sub diff --git a/install/updates/20-indices.update b/install/updates/20-indices.update index 880e73f3bb1b2a32c2fa40f65666cfd594cdc659..ed855b295ee2f9a02effc72bc2ffe52b4c5730df 100644 --- a/install/updates/20-indices.update +++ b/install/updates/20-indices.update @@ -191,3 +191,21 @@ default:nsSystemIndex: false only:nsIndexType: eq only:nsIndexType: pres only:nsIndexType: sub + +dn: cn=ipaMemberCa,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config +default:cn: ipaMemberCa +default:ObjectClass: top +default:ObjectClass: nsIndex +default:nsSystemIndex: false +only:nsIndexType: eq +only:nsIndexType: pres +only:nsIndexType: sub + +dn: cn=ipaMemberCertProfile,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config +default:cn: ipaMemberCertProfile +default:ObjectClass: top +default:ObjectClass: nsIndex +default:nsSystemIndex: false +only:nsIndexType: eq +only:nsIndexType: pres +only:nsIndexType: sub diff --git a/install/updates/25-referint.update b/install/updates/25-referint.update index 005cd0376d82c83b1b7ab368f992e209b0da5e9a..3f78ee9755823fb3d5838d3069f4506c57a69d05 100644 --- a/install/updates/25-referint.update +++ b/install/updates/25-referint.update 
@@ -17,3 +17,5 @@ add: referint-membership-attr: ipasudorunasgroup add: referint-membership-attr: ipatokenradiusconfiglink add: referint-membership-attr: ipaassignedidview add: referint-membership-attr: ipaallowedtarget +add: referint-membership-attr: ipamemberca +add: referint-membership-attr: ipamembercertprofile diff --git a/install/updates/41-caacl.update b/install/updates/41-caacl.update new file mode 100644 index 0000000000000000000000000000000000000000..a18b6ec946855c194077d9ac01a8adcfddf8542e --- /dev/null +++ b/install/updates/41-caacl.update @@ -0,0 +1,4 @@ +dn: cn=caacls,cn=ca,$SUFFIX +default: objectClass: nsContainer +default: objectClass: top +default: cn: caacls diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am index 1c7da35b2016b765770befe271431a89e87abc59..2693e4f8f81dc1464a43041e5104ea4363440933 100644 --- a/install/updates/Makefile.am +++ b/install/updates/Makefile.am @@ -34,6 +34,7 @@ app_DATA = \ 40-automember.update \ 40-certprofile.update \ 40-otp.update \ + 41-caacl.update \ 45-roles.update \ 50-7_bit_check.update \ 50-dogtag10-migration.update \ diff --git a/ipalib/constants.py b/ipalib/constants.py index 0ffdcbfc74e7078caf61d48f7ceb1beae62a4f14..330f9df74e604d98759999a7a9624312ea8944d5 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -120,6 +120,7 @@ DEFAULT_CONFIG = ( ('container_masters', DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'))), ('container_certprofile', DN(('cn', 'certprofiles'), ('cn', 'ca'))), ('container_topology', DN(('cn', 'topology'), ('cn', 'ipa'), ('cn', 'etc'))), + ('container_caacl', DN(('cn', 'caacls'), ('cn', 'ca'))), # Ports, hosts, and URIs: ('xmlrpc_uri', 'http://localhost:8888/ipa/xml'), diff --git a/ipalib/plugins/caacl.py b/ipalib/plugins/caacl.py new file mode 100644 index 0000000000000000000000000000000000000000..f0dc9ae35896ae2b818847693812e68c62749e4a --- /dev/null +++ b/ipalib/plugins/caacl.py 
@@ -0,0 +1,477 @@ +# +# Copyright (C) 2015 FreeIPA Contributors see COPYING for license +# + +from ipalib import api, errors, output +from ipalib import Bool, Str, StrEnum +from ipalib.plugable import Registry +from ipalib.plugins.baseldap import ( + LDAPObject, LDAPSearch, LDAPCreate, LDAPDelete, LDAPQuery, + LDAPUpdate, LDAPRetrieve, LDAPAddMember, LDAPRemoveMember, + global_output_params, pkey_to_value) +from ipalib.plugins.hbacrule import is_all +from ipalib import _, ngettext +from ipapython.dn import DN + + +__doc__ = _(""" +Manage CA ACL rules. + +This plugin is used to define rules governing which principals are +permitted to have certificates issued using a given certificate +profile. + +PROFILE ID SYNTAX: + +A Profile ID is a string without spaces or punctuation starting with a letter +and followed by a sequence of letters, digits or underscore ("_"). + +EXAMPLES: + + Create a CA ACL "test" that grants all users access to the + "UserCert" profile: + ipa caacl-add test --usercat=all + ipa caacl-add-profile test --certprofiles UserCert + + Display the properties of a named CA ACL: + ipa caacl-show test + + Create a CA ACL to let user "alice" use the "DNP3" profile: + ipa caacl-add-profile alice_dnp3 --certprofiles DNP3 + ipa caacl-add-user alice_dnp3 --user=alice + + Disable a CA ACL: + ipa caacl-disable test + + Remove a CA ACL: + ipa caacl-del test +""") + +register = Registry() + + + at register() +class caacl(LDAPObject): + """ + CA ACL object. 
+ """ + container_dn = api.env.container_caacl + object_name = _('CA ACL') + object_name_plural = _('CA ACLs') + object_class = ['ipaassociation', 'ipacaacl'] + permission_filter_objectclasses = ['ipacaacl'] + default_attributes = [ + 'cn', 'description', 'ipaenabledflag', + 'ipacacategory', 'ipamemberca', + 'ipacertprofilecategory', 'ipamembercertprofile', + 'usercategory', 'memberuser', + 'hostcategory', 'memberhost', + 'servicecategory', 'memberservice', + ] + uuid_attribute = 'ipauniqueid' + rdn_attribute = 'ipauniqueid' + attribute_members = { + 'memberuser': ['user', 'group'], + 'memberhost': ['host', 'hostgroup'], + 'memberservice': ['service'], + 'ipamembercertprofile': ['certprofile'], + } + managed_permissions = { + 'System: Read CA ACLs': { + 'replaces_global_anonymous_aci': True, + 'ipapermbindruletype': 'all', + 'ipapermright': {'read', 'search', 'compare'}, + 'ipapermdefaultattr': { + 'cn', 'description', 'ipaenabledflag', + 'ipacacategory', 'ipamemberca', + 'ipacertprofilecategory', 'ipamembercertprofile', + 'usercategory', 'memberuser', + 'hostcategory', 'memberhost', + 'servicecategory', 'memberservice', + 'ipauniqueid', + 'objectclass', 'member', + }, + }, + 'System: Add CA ACL': { + 'ipapermright': {'add'}, + 'replaces': [ + '(target = "ldap:///ipauniqueid=*,cn=caacls,cn=ca,$SUFFIX")(version 3.0;acl "permission:Add CA ACL";allow (add) groupdn = "ldap:///cn=Add CA ACL,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + 'System: Delete CA ACL': { + 'ipapermright': {'delete'}, + 'replaces': [ + '(target = "ldap:///ipauniqueid=*,cn=caacls,cn=ca,$SUFFIX")(version 3.0;acl "permission:Delete CA ACL";allow (delete) groupdn = "ldap:///cn=Delete CA ACL,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + 'System: Manage CA ACL Membership': { + 'ipapermright': {'write'}, + 'ipapermdefaultattr': { + 'ipacacategory', 'ipamemberca', + 'ipacertprofilecategory', 
'ipamembercertprofile', + 'usercategory', 'memberuser', + 'hostcategory', 'memberhost', + 'servicecategory', 'memberservice' + }, + 'replaces': [ + '(targetattr = "ipamemberca || ipamembercertprofile || memberuser || memberservice || memberhost || ipacacategory || ipacertprofilecategory || usercategory || hostcategory || servicecategory")(target = "ldap:///ipauniqueid=*,cn=caacls,cn=ca,$SUFFIX")(version 3.0;acl "permission:Manage CA ACL membership";allow (write) groupdn = "ldap:///cn=Manage CA ACL membership,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + 'System: Modify CA ACL': { + 'ipapermright': {'write'}, + 'ipapermdefaultattr': { + 'cn', 'description', 'ipaenabledflag', + }, + 'replaces': [ + '(targetattr = "cn || description || ipaenabledflag")(target = "ldap:///ipauniqueid=*,cn=caacls,cn=ca,$SUFFIX")(version 3.0;acl "permission:Modify CA ACL";allow (write) groupdn = "ldap:///cn=Modify CA ACL,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + } + + label = _('CA ACLs') + label_singular = _('CA ACL') + + takes_params = ( + Str('cn', + cli_name='name', + label=_('ACL name'), + primary_key=True, + ), + Str('description?', + cli_name='desc', + label=_('Description'), + ), + Bool('ipaenabledflag?', + label=_('Enabled'), + flags=['no_option'], + ), + # Commented until subca plugin arrives + #StrEnum('ipacacategory?', + # cli_name='cacat', + # label=_('CA category'), + # doc=_('CA category the ACL applies to'), + # values=(u'all', ), + #), + StrEnum('ipacertprofilecategory?', + cli_name='profilecat', + label=_('Profile category'), + doc=_('Profile category the ACL applies to'), + values=(u'all', ), + ), + StrEnum('usercategory?', + cli_name='usercat', + label=_('User category'), + doc=_('User category the ACL applies to'), + values=(u'all', ), + ), + StrEnum('hostcategory?', + cli_name='hostcat', + label=_('Host category'), + doc=_('Host category the ACL applies to'), + 
values=(u'all', ), + ), + StrEnum('servicecategory?', + cli_name='servicecat', + label=_('Service category'), + doc=_('Service category the ACL applies to'), + values=(u'all', ), + ), + # Commented until subca plugin arrives + #Str('ipamemberca_subca?', + # label=_('CAs'), + # flags=['no_create', 'no_update', 'no_search'], + #), + Str('ipamembercertprofile_certprofile?', + label=_('Profiles'), + flags=['no_create', 'no_update', 'no_search'], + ), + Str('memberuser_user?', + label=_('Users'), + flags=['no_create', 'no_update', 'no_search'], + ), + Str('memberuser_group?', + label=_('User Groups'), + flags=['no_create', 'no_update', 'no_search'], + ), + Str('memberhost_host?', + label=_('Hosts'), + flags=['no_create', 'no_update', 'no_search'], + ), + Str('memberhost_hostgroup?', + label=_('Host Groups'), + flags=['no_create', 'no_update', 'no_search'], + ), + Str('memberservice_service?', + label=_('Services'), + flags=['no_create', 'no_update', 'no_search'], + ), + ) + + + at register() +class caacl_add(LDAPCreate): + __doc__ = _('Create a new CA ACL.') + + msg_summary = _('Added CA ACL "%(value)s"') + + def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + # CA ACLs are enabled by default + entry_attrs['ipaenabledflag'] = ['TRUE'] + return dn + + + at register() +class caacl_del(LDAPDelete): + __doc__ = _('Delete a CA ACL.') + + msg_summary = _('Deleted CA ACL "%(value)s"') + + + at register() +class caacl_mod(LDAPUpdate): + __doc__ = _('Modify a CA ACL.') + + msg_summary = _('Modified CA ACL "%(value)s"') + + def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + assert isinstance(dn, DN) + try: + entry_attrs = ldap.get_entry(dn, attrs_list) + dn = entry_attrs.dn + except errors.NotFound: + self.obj.handle_not_found(*keys) + + # Commented until subca plugin arrives + #if is_all(options, 'ipacacategory') and 'ipamemberca' in entry_attrs: + # raise errors.MutuallyExclusiveError(reason=_( + # "CA category cannot be 
set to 'all' " + # "while there are allowed CAs")) + if (is_all(options, 'ipacertprofilecategory') + and 'ipamembercertprofile' in entry_attrs): + raise errors.MutuallyExclusiveError(reason=_( + "profile category cannot be set to 'all' " + "while there are allowed profiles")) + if is_all(options, 'usercategory') and 'memberuser' in entry_attrs: + raise errors.MutuallyExclusiveError(reason=_( + "user category cannot be set to 'all' " + "while there are allowed users")) + if is_all(options, 'hostcategory') and 'memberhost' in entry_attrs: + raise errors.MutuallyExclusiveError(reason=_( + "host category cannot be set to 'all' " + "while there are allowed hosts")) + if is_all(options, 'servicecategory') and 'memberservice' in entry_attrs: + raise errors.MutuallyExclusiveError(reason=_( + "service category cannot be set to 'all' " + "while there are allowed services")) + return dn + + + at register() +class caacl_find(LDAPSearch): + __doc__ = _('Search for CA ACLs.') + + msg_summary = ngettext( + '%(count)d CA ACL matched', '%(count)d CA ACLs matched', 0 + ) + + + at register() +class caacl_show(LDAPRetrieve): + __doc__ = _('Display the properties of a CA ACL.') + + + at register() +class caacl_enable(LDAPQuery): + __doc__ = _('Enable a CA ACL.') + + msg_summary = _('Enabled CA ACL "%(value)s"') + has_output = output.standard_value + + def execute(self, cn, **options): + ldap = self.obj.backend + + dn = self.obj.get_dn(cn) + try: + entry_attrs = ldap.get_entry(dn, ['ipaenabledflag']) + except errors.NotFound: + self.obj.handle_not_found(cn) + + entry_attrs['ipaenabledflag'] = ['TRUE'] + + try: + ldap.update_entry(entry_attrs) + except errors.EmptyModlist: + pass + + return dict( + result=True, + value=pkey_to_value(cn, options), + ) + + + at register() +class caacl_disable(LDAPQuery): + __doc__ = _('Disable a CA ACL.') + + msg_summary = _('Disabled CA ACL "%(value)s"') + has_output = output.standard_value + + def execute(self, cn, **options): + ldap = self.obj.backend + 
+ dn = self.obj.get_dn(cn) + try: + entry_attrs = ldap.get_entry(dn, ['ipaenabledflag']) + except errors.NotFound: + self.obj.handle_not_found(cn) + + entry_attrs['ipaenabledflag'] = ['FALSE'] + + try: + ldap.update_entry(entry_attrs) + except errors.EmptyModlist: + pass + + return dict( + result=True, + value=pkey_to_value(cn, options), + ) + + + at register() +class caacl_add_user(LDAPAddMember): + __doc__ = _('Add users and groups to a CA ACL.') + + member_attributes = ['memberuser'] + member_count_out = ( + _('%i user or group added.'), + _('%i users or groups added.')) + + def pre_callback(self, ldap, dn, found, not_found, *keys, **options): + assert isinstance(dn, DN) + try: + entry_attrs = ldap.get_entry(dn, self.obj.default_attributes) + dn = entry_attrs.dn + except errors.NotFound: + self.obj.handle_not_found(*keys) + if is_all(entry_attrs, 'usercategory'): + raise errors.MutuallyExclusiveError( + reason=_("users cannot be added when user category='all'")) + return dn + + + at register() +class caacl_remove_user(LDAPRemoveMember): + __doc__ = _('Remove users and groups from a CA ACL.') + + member_attributes = ['memberuser'] + member_count_out = ( + _('%i user or group removed.'), + _('%i users or groups removed.')) + + + at register() +class caacl_add_host(LDAPAddMember): + __doc__ = _('Add target hosts and hostgroups to a CA ACL.') + + member_attributes = ['memberhost'] + member_count_out = ( + _('%i host or hostgroup added.'), + _('%i hosts or hostgroups added.')) + + def pre_callback(self, ldap, dn, found, not_found, *keys, **options): + assert isinstance(dn, DN) + try: + entry_attrs = ldap.get_entry(dn, self.obj.default_attributes) + dn = entry_attrs.dn + except errors.NotFound: + self.obj.handle_not_found(*keys) + if is_all(entry_attrs, 'hostcategory'): + raise errors.MutuallyExclusiveError( + reason=_("hosts cannot be added when host category='all'")) + return dn + + + at register() +class caacl_remove_host(LDAPRemoveMember): + __doc__ = _('Remove 
target hosts and hostgroups from a CA ACL.') + + member_attributes = ['memberhost'] + member_count_out = ( + _('%i host or hostgroup removed.'), + _('%i hosts or hostgroups removed.')) + + + at register() +class caacl_add_service(LDAPAddMember): + __doc__ = _('Add services to a CA ACL.') + + member_attributes = ['memberservice'] + member_count_out = (_('%i service added.'), _('%i services added.')) + + def pre_callback(self, ldap, dn, found, not_found, *keys, **options): + assert isinstance(dn, DN) + try: + entry_attrs = ldap.get_entry(dn, self.obj.default_attributes) + dn = entry_attrs.dn + except errors.NotFound: + self.obj.handle_not_found(*keys) + if is_all(entry_attrs, 'servicecategory'): + raise errors.MutuallyExclusiveError(reason=_( + "services cannot be added when service category='all'")) + return dn + + + at register() +class caacl_remove_service(LDAPRemoveMember): + __doc__ = _('Remove services from a CA ACL.') + + member_attributes = ['memberservice'] + member_count_out = (_('%i service removed.'), _('%i services removed.')) + + +caacl_output_params = global_output_params + ( + Str('ipamembercertprofile', + label=_('Failed profiles'), + ), + # Commented until caacl plugin arrives + #Str('ipamemberca', + # label=_('Failed CAs'), + #), +) + + + at register() +class caacl_add_profile(LDAPAddMember): + __doc__ = _('Add profiles to a CA ACL.') + + has_output_params = caacl_output_params + + member_attributes = ['ipamembercertprofile'] + member_count_out = (_('%i profile added.'), _('%i profiles added.')) + + def pre_callback(self, ldap, dn, found, not_found, *keys, **options): + assert isinstance(dn, DN) + try: + entry_attrs = ldap.get_entry(dn, self.obj.default_attributes) + dn = entry_attrs.dn + except errors.NotFound: + self.obj.handle_not_found(*keys) + if is_all(entry_attrs, 'ipacertprofilecategory'): + raise errors.MutuallyExclusiveError(reason=_( + "profiles cannot be added when profile category='all'")) + return dn + + + at register() +class 
caacl_remove_profile(LDAPRemoveMember): + __doc__ = _('Remove profiles from a CA ACL.') + + has_output_params = caacl_output_params + + member_attributes = ['ipamembercertprofile'] + member_count_out = (_('%i profile removed.'), _('%i profiles removed.')) diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 2acab13f247ed18a750f0e1cbbd98f4e63718c03..9f24189b6e442e0c55d5de41d15a03f89ecc9578 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -307,6 +307,7 @@ class DsInstance(service.Service): self.step("adding range check plugin", self.__add_range_check_plugin) if hbac_allow: self.step("creating default HBAC rule allow_all", self.add_hbac) + self.step("creating default CA ACL rule", self.add_caacl) self.step("adding entries for topology management", self.__add_topology_entries) self.__common_post_setup() @@ -741,6 +742,9 @@ class DsInstance(service.Service): def add_hbac(self): self._ldap_mod("default-hbac.ldif", self.sub_dict) + def add_caacl(self): + self._ldap_mod("default-caacl.ldif", self.sub_dict) + def change_admin_password(self, password): root_logger.debug("Changing admin password") dirname = config_dirname(self.serverid) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index c5f4d37cc02658334d5c26f269ec5dd5e386df1d..306d1d27cda7a517117110ad3e6a760108f0fe19 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py 
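Review bot: the EXAMPLES block of the new ipalib/plugins/caacl.py module docstring is incomplete and inconsistent: the "alice_dnp3" example runs `ipa caacl-add-profile alice_dnp3 --certprofiles DNP3` and `ipa caacl-add-user alice_dnp3 --user=alice` without first creating the ACL with `ipa caacl-add alice_dnp3`, and the member option is spelled in the singular while the profile example uses `--certprofiles`; LDAPAddMember derives the CLI option name from the plural of the member object, so it should read `--users=alice`. Also, the comment above the commented-out `Str('ipamemberca', ...)` in caacl_output_params says "Commented until caacl plugin arrives" inside the caacl plugin itself; the other placeholders in the file say "subca plugin", which is what is meant.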
@@ -1254,6 +1254,30 @@ def update_mod_nss_protocol(http): sysupgrade.set_upgrade_state('nss.conf', 'protocol_updated_tls12', True) +def add_default_caacl(ca): + root_logger.info('[Add default CA ACL]') + + if sysupgrade.get_upgrade_state('caacl', 'add_default_caacl'): + root_logger.info('Default CA ACL already added') + return + + if ca.is_configured(): + if not api.Backend.ldap2.isconnected(): + try: + api.Backend.ldap2.connect(autobind=True) + except ipalib.errors.PublicError as e: + root_logger.error("Cannot connect to LDAP to add CA ACLs: %s", e) + return + + if not api.Command.caacl_find()['result']: + api.Command.caacl_add(u'hosts_services_caIPAserviceCert', + hostcategory=u'all', usercategory=u'all') + api.Command.caacl_add_profile(u'hosts_services_caIPAserviceCert', + certprofile=(u'caIPAserviceCert',)) + + sysupgrade.set_upgrade_state('caacl', 'add_default_caacl', True) + + def upgrade_configuration(): """ Execute configuration upgrade of the IPA services @@ -1431,6 +1455,7 @@ def upgrade_configuration(): # itself require a restart. # ca_import_included_profiles(ca) + add_default_caacl(ca) set_sssd_domain_option('ipa_server_mode', 'True') -- 2.1.0 -------------- next part -------------- From fd3c7922d22994b46fadd13696d4fd722d0eb49b Mon Sep 17 00:00:00 2001 
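Review bot: add_default_caacl() in ipaserver/install/server/upgrade.py creates the default rule with `hostcategory=u'all', usercategory=u'all'`, but install/share/default-caacl.ldif, which fresh installs load for the same rule name hosts_services_caIPAserviceCert, sets `hostcategory: all` and `servicecategory: all`. An upgraded server would therefore grant caIPAserviceCert to every user principal and to no service principal, the opposite of a new install; change the call to `hostcategory=u'all', servicecategory=u'all'`. Second, `sysupgrade.set_upgrade_state('caacl', 'add_default_caacl', True)` is reached even when `ca.is_configured()` is false, so a CA added to this server later never receives the default ACL from this path; move the state update inside the is_configured() branch or have the CA installer create the rule.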
From: Fraser Tweedale Date: Tue, 26 May 2015 04:44:20 -0400 Subject: [PATCH 13/13] Enforce CA ACLs in cert-request command This commit adds CA ACL enforcement to the cert-request command and uses the pyhbac machinery. It is planned to implement ACL enforcement in Dogtag in a future release, and remove certificate issuance privileges and CA ACL enforcement responsibility from the framework. See https://fedorahosted.org/freeipa/ticket/5011 for more information. Part of: https://fedorahosted.org/freeipa/ticket/57 Part of: https://fedorahosted.org/freeipa/ticket/4559 --- ipalib/plugins/caacl.py | 76 +++++++++++++++++++++++++++++++++++++++++++++++++ ipalib/plugins/cert.py | 17 +++++++++++ 2 files changed, 93 insertions(+) diff --git a/ipalib/plugins/caacl.py b/ipalib/plugins/caacl.py index f0dc9ae35896ae2b818847693812e68c62749e4a..6bf39d2330c8999726484e1e9fb44fdb7c755767 100644 --- a/ipalib/plugins/caacl.py +++ b/ipalib/plugins/caacl.py @@ -2,6 +2,8 @@ # Copyright (C) 2015 FreeIPA Contributors see COPYING for license # +import pyhbac + from ipalib import api, errors, output from ipalib import Bool, Str, StrEnum from ipalib.plugable import Registry @@ -10,6 +12,7 @@ from ipalib.plugins.baseldap import ( LDAPUpdate, LDAPRetrieve, LDAPAddMember, LDAPRemoveMember, global_output_params, pkey_to_value) from ipalib.plugins.hbacrule import is_all +from ipalib.plugins.service import normalize_principal, split_any_principal from ipalib import _, ngettext from ipapython.dn import DN 
@@ -50,6 +53,79 @@ EXAMPLES: register = Registry() +def _acl_make_request(principal_type, principal, ca_ref, profile_id): + """Construct HBAC request for the given principal, CA and profile""" + req = pyhbac.HbacRequest() + req.targethost.name = ca_ref + req.service.name = profile_id + if principal_type == 'user': + req.user.name = principal + elif principal_type == 'host': + req.user.name = principal[:5] # strip 'host/' + elif principal_type == 'service': + req.user.name = normalize_principal(principal) + groups = [] + if principal_type == 'user': + user_obj = api.Command.user_show(principal)['result'] + groups = user_obj.get('memberof_group', []) + groups += user_obj.get('memberofindirect_group', []) + elif principal_type == 'host': + service, hostname, realm = split_any_principal(principal) + host_obj = api.Command.host_show(hostname)['result'] + groups = host_obj.get('memberof_hostgroup', []) + groups += host_obj.get('memberofindirect_hostgroup', []) + req.user.groups = sorted(set(groups)) + return req + + +def _acl_make_rule(principal_type, obj): + """Turn CA ACL object into HBAC rule. 
+ + ``principal_type`` + String in {'user', 'host', 'service'} + """ + rule = pyhbac.HbacRule(obj['cn'][0]) + rule.enabled = obj['ipaenabledflag'][0] + rule.srchosts.category = {pyhbac.HBAC_CATEGORY_ALL} + + # add CA(s) + # Hardcoded until caacl plugin arrives + rule.targethosts.category = {pyhbac.HBAC_CATEGORY_ALL} + #if 'ipacacategory' in obj and obj['ipacacategory'][0].lower() == 'all': + # rule.targethosts.category = {pyhbac.HBAC_CATEGORY_ALL} + #else: + # rule.targethosts.names = obj.get('ipacaaclcaref', []) + + # add profiles + if ('ipacertprofilecategory' in obj + and obj['ipacertprofilecategory'][0].lower() == 'all'): + rule.services.category = {pyhbac.HBAC_CATEGORY_ALL} + else: + attr = 'ipamembercertprofile_certprofile' + rule.services.names = obj.get(attr, []) + + # add principals and principal's groups + m = {'user': 'group', 'host': 'hostgroup', 'service': None} + category_attr = '{}category'.format(principal_type) + if category_attr in obj and obj[category_attr][0].lower() == 'all': + rule.users.category = {pyhbac.HBAC_CATEGORY_ALL} + else: + principal_attr = 'member{}_{}'.format(principal_type, principal_type) + rule.users.names = obj.get(principal_attr, []) + if m[principal_type] is not None: + group_attr = 'member{}_{}'.format(principal_type, m[principal_type]) + rule.users.groups = obj.get(group_attr, []) + + return rule + + +def acl_evaluate(principal_type, principal, ca_ref, profile_id): + req = _acl_make_request(principal_type, principal, ca_ref, profile_id) + acls = api.Command.caacl_find()['result'] + rules = [_acl_make_rule(principal_type, obj) for obj in acls] + return req.evaluate(rules) == pyhbac.HBAC_EVAL_ALLOW + + @register() class caacl(LDAPObject): """ diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py index d122900175db41ba5af429fd47af6cac6533cb6f..1878e5ad5f80fa93e1a77b0a88711c1da0016681 100644 --- a/ipalib/plugins/cert.py +++ b/ipalib/plugins/cert.py 
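Review bot: in _acl_make_request the host branch sets `req.user.name = principal[:5]  # strip 'host/'`, but `[:5]` keeps the first five characters, so every host principal is evaluated as the literal 'host/' and can never match the hostnames listed in memberhost_host; only hostcategory=all rules would ever allow a host. Use `principal[5:]`, or simply the `hostname` that `split_any_principal(principal)` already returns in the group lookup a few lines below. Two smaller points in the same hunk: acl_evaluate() calls `api.Command.caacl_find()` with default options, so a deployment with more CA ACLs than the search size limit would silently evaluate only part of them; pass `sizelimit=0`. And the comment "# Hardcoded until caacl plugin arrives" in _acl_make_rule should say subca plugin, since this file is the caacl plugin.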
@@ -33,6 +33,7 @@ from ipalib.plugins.virtual import * from ipalib.plugins.baseldap import pkey_to_value from ipalib.plugins.service import split_any_principal from ipalib.plugins.certprofile import validate_profile_id +import ipalib.plugins.caacl import base64 import traceback from ipalib.text import _ @@ -326,6 +327,22 @@ class cert_request(VirtualCommand): else: principal_type = SERVICE + principal_type_map = {USER: 'user', HOST: 'host', SERVICE: 'service'} + ca = '.' # top-level CA hardcoded until subca plugin implemented + if not ipalib.plugins.caacl.acl_evaluate( + principal_type_map[principal_type], + principal_string, ca, profile_id): + raise errors.ACIError(info=_( + "Principal '%(principal)s' " + "is not permitted to use CA '%(ca)s' " + "with profile '%(profile_id)s' for certificate issuance." + ) % dict( + principal=principal_string, + ca=ca or '.', + profile_id=profile_id + ) + ) + bind_principal = split_any_principal(getattr(context, 'principal')) bind_service, bind_name, bind_realm = bind_principal -- 2.1.0 From lkrispen at redhat.com Thu Jun 11 06:12:26 2015 From: lkrispen at redhat.com (Ludwig Krispenz) Date: Thu, 11 Jun 2015 08:12:26 +0200 Subject: [Freeipa-devel] [PATCH 0012-0012] more topology plugin fixes Message-ID: <557926CA.5090002@redhat.com> Attached are two patches: - reject direct modification of segment endpoints and connectivity - better manage the rdn of a replication agreements represented by a segment -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-lkrispen-0012-make-sure-the-agremment-rdn-match-the-rdn-used-in-th.patch Type: text/x-patch Size: 3270 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-lkrispen-0013-reject-modifications-of-endpoints-and-connectivity-o.patch Type: text/x-patch Size: 3769 bytes Desc: not available URL: From mbabinsk at redhat.com Thu Jun 11 07:59:03 2015 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Thu, 11 Jun 2015 09:59:03 +0200 Subject: [Freeipa-devel] with new cert profiles patches ipa-replica-prepare fails after update In-Reply-To: <55705AC8.4070502@redhat.com> References: <55705AC8.4070502@redhat.com> Message-ID: <55793FC7.8010004@redhat.com> On 06/04/2015 04:03 PM, Petr Vobornik wrote: > - ipa-replica-prepare works > - old IPA server was upgraded to today's master (with Cert profiles > patches) > - ipa-replica-prepare fails with: > > Log: > > ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server > ipa: DEBUG: cert valid True for "CN=repl.example.com,O=EXAMPLE.COM" > ipa: DEBUG: handshake complete, peer = [beef::cafe]:8443 > ipa: DEBUG: Protocol: TLS1.2 > ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_128_GCM_SHA256 > ipa: DEBUG: request status 200 > ipa: DEBUG: request reason_phrase u'OK' > ipa: DEBUG: request headers {'date': 'Thu, 04 Jun 2015 13:54:09 GMT', > 'content-length': '148', 'content-type': 'application/xml', 'server': > 'Apache-Coyote/1.1'} > ipa: DEBUG: request body ' standalone="no"?>1Profile > caIPAserviceCert Not Found' > ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: File > "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in > execute > return_value = self.run() > File > "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", > line 338, in run > self.copy_ds_certificate() > File > "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", > line 383, in copy_ds_certificate > self.export_certdb("dscert", passwd_fname) > File > "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", > line 595, in export_certdb > db.create_server_cert(nickname, hostname, ca_db) > File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", > line 337, in create_server_cert > cdb.issue_server_cert(self.certreq_fname, self.certder_fname) > File 
"/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", > line 419, in issue_server_cert > raise RuntimeError("Certificate issuance failed") > Bump, I have also came across this issue (see log: http://pastebin.test.redhat.com/289434). -- Martin^3 Babinsky From mbabinsk at redhat.com Thu Jun 11 08:00:33 2015 From: mbabinsk at redhat.com (Martin Babinsky) Date: Thu, 11 Jun 2015 10:00:33 +0200 Subject: [Freeipa-devel] [PATCH] 863 move replications managers group to, cn=sysaccounts, cn=etc, $SUFFIX In-Reply-To: <5575ACAC.8020308@redhat.com> References: <55706188.2090906@redhat.com> <5575ACAC.8020308@redhat.com> Message-ID: <55794021.2000605@redhat.com> On 06/08/2015 04:54 PM, Petr Vobornik wrote: > On 06/04/2015 04:32 PM, Petr Vobornik wrote: >> https://fedorahosted.org/freeipa/ticket/4302 >> >> > > missed one occurrence. Updated patch attached. > > ACK -- Martin^3 Babinsky From mbabinsk at redhat.com Thu Jun 11 08:01:01 2015 From: mbabinsk at redhat.com (Martin Babinsky) Date: Thu, 11 Jun 2015 10:01:01 +0200 Subject: [Freeipa-devel] [PATCH] 864 add entries required by topology plugin on update In-Reply-To: <55706199.8090104@redhat.com> References: <55706199.8090104@redhat.com> Message-ID: <5579403D.20606@redhat.com> On 06/04/2015 04:32 PM, Petr Vobornik wrote: > requires patch 863 > > These entries were not added on upgrade from old IPA servers and on > replica creation. > > https://fedorahosted.org/freeipa/ticket/4302 > > ACK -- Martin^3 Babinsky From mbabinsk at redhat.com Thu Jun 11 08:03:10 2015 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Thu, 11 Jun 2015 10:03:10 +0200 Subject: [Freeipa-devel] [PATCH] 868 rename topologysegment_refresh to topologysegment_reinitialize In-Reply-To: <55782D40.4010606@redhat.com> References: <55782D40.4010606@redhat.com> Message-ID: <557940BE.4040807@redhat.com> On 06/10/2015 02:27 PM, Petr Vobornik wrote: > https://fedorahosted.org/freeipa/ticket/5056 > > ACK -- Martin^3 Babinsky From mbabinsk at redhat.com Thu Jun 11 08:19:51 2015 From: mbabinsk at redhat.com (Martin Babinsky) Date: Thu, 11 Jun 2015 10:19:51 +0200 Subject: [Freeipa-devel] [PATCH] 870 disallow mod of topology segment nodes In-Reply-To: <55783811.4050003@redhat.com> References: <55783811.4050003@redhat.com> Message-ID: <557944A7.7020608@redhat.com> On 06/10/2015 03:13 PM, Petr Vobornik wrote: > Mod of segment end will be disallowed in topology plugin. > > Reasoning (by Ludwig): if we want to properly allow mods to change > connectivity and endpoints, then we would need to check if the mod > disconnects the topology, delete existing agreements, check if the new > would be a duplicate and create new agmts. There could be some difficult > scenarios, like having > A <--> B <--> C <--> D, > if you modify the segment B-C to A-D topology breaks and is then > reconnected. > > part of: https://fedorahosted.org/freeipa/ticket/4302 > > ACK -- Martin^3 Babinsky From mbabinsk at redhat.com Thu Jun 11 08:20:37 2015 
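The connectivity argument in the quoted reasoning above, worked through as an added example (illustrative code written for this page, not FreeIPA's topology plugin): masters are nodes, segments are undirected edges, and an in-place change of a segment's endpoints is treated as delete-then-add. The `check_segment_mod` helper, the A/B/C/D master names and the segment list are constructed for the example. On the quoted A <--> B <--> C <--> D topology, changing B-C to A-D reports that the topology is disconnected while the old segment is gone and reconnected once the new one exists, which is the intermediate state a plugin would have to manage if such modifications were allowed.

```python
"""Connectivity check for replication topology segments (added example).

A topology is a graph whose nodes are masters and whose edges are segments.
Modifying a segment's endpoints in place is equivalent to deleting the old
segment and adding a new one; this module classifies what that does to the
graph. Names and topologies below are constructed for the example.
"""
from collections import deque


def connected_components(nodes, segments):
    """Return the connected components of the topology as a list of node sets.

    ``segments`` is an iterable of (left, right) master-name pairs. Direction
    is ignored: the question here is only whether a path exists at all.
    """
    adjacency = {n: set() for n in nodes}
    for left, right in segments:
        adjacency.setdefault(left, set()).add(right)
        adjacency.setdefault(right, set()).add(left)
    seen = set()
    components = []
    for start in adjacency:
        if start in seen:
            continue
        component = set()
        queue = deque([start])
        while queue:                      # breadth-first walk from ``start``
            node = queue.popleft()
            if node in component:
                continue
            component.add(node)
            queue.extend(adjacency[node] - component)
        seen |= component
        components.append(component)
    return components


def is_connected(nodes, segments):
    """True when every master can replicate (transitively) with every other."""
    return len(connected_components(nodes, segments)) <= 1


def joins_same_masters(segment, segments):
    """True if ``segment`` joins the same two masters as an existing one, in either order."""
    left, right = segment
    return any({left, right} == {a, b} for a, b in segments)


def check_segment_mod(nodes, segments, old, new):
    """Classify an in-place endpoint change of one segment.

    Returns whether removing ``old`` disconnects the topology before ``new``
    is added, whether ``new`` duplicates a surviving segment, and whether the
    final topology is connected.
    """
    if not joins_same_masters(old, segments):
        raise ValueError("segment %s-%s does not exist" % old)
    remaining = [s for s in segments if {s[0], s[1]} != set(old)]
    return {
        'disconnects_during_mod': not is_connected(nodes, remaining),
        'new_is_duplicate': joins_same_masters(new, remaining),
        'connected_after_mod': is_connected(nodes, remaining + [new]),
    }


# Constructed sample topology from the quoted reasoning: A <--> B <--> C <--> D
MASTERS = ['A', 'B', 'C', 'D']
SEGMENTS = [('A', 'B'), ('B', 'C'), ('C', 'D')]

if __name__ == '__main__':
    # Changing segment B-C into A-D: broken in between, reconnected afterwards.
    print(check_segment_mod(MASTERS, SEGMENTS, old=('B', 'C'), new=('A', 'D')))
```

The delete-then-add view is the reason rejecting endpoint modifications is the simpler choice: to allow them safely, the plugin would have to perform the disconnection check, the duplicate check and the agreement rebuild in that order, which is the list of steps quoted above.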
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Thu, 11 Jun 2015 10:20:37 +0200
Subject: [Freeipa-devel] [PATCH] 871 webui: make topology suffices UI readonly
In-Reply-To: <55783AC3.5010005@redhat.com>
References: <55783A96.2080609@redhat.com> <55783AC3.5010005@redhat.com>
Message-ID: <557944D5.1030807@redhat.com>

On 06/10/2015 03:25 PM, Petr Vobornik wrote:
> On 06/10/2015 03:24 PM, Petr Vobornik wrote:
>> Admins should not modify topology suffices. They are created on
>> install/upgrade.
>>
>> part of: https://fedorahosted.org/freeipa/ticket/4997
>
> and with patch...
>
>

ACK

-- 
Martin^3 Babinsky

From mbabinsk at redhat.com  Thu Jun 11 08:22:30 2015
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Thu, 11 Jun 2015 10:22:30 +0200
Subject: [Freeipa-devel] [PATCH] 869 topology: restrict direction changes
In-Reply-To: <557837E2.6080007@redhat.com>
References: <557837E2.6080007@redhat.com>
Message-ID: <55794546.3040304@redhat.com>

On 06/10/2015 03:13 PM, Petr Vobornik wrote:
> topology plugin doesn't properly handle:
> - creation of segment with direction 'none' and then upgrade to other
> direction
> - downgrade of direction
>
> These situations are now forbidden in API.
>
> part of: https://fedorahosted.org/freeipa/ticket/4302
>
>

ACK

-- 
Martin^3 Babinsky

From tbordaz at redhat.com  Thu Jun 11 08:27:25 2015
From: tbordaz at redhat.com (thierry bordaz)
Date: Thu, 11 Jun 2015 10:27:25 +0200
Subject: [Freeipa-devel] [PATCH 0012-0012] more topology plugin fixes
In-Reply-To: <557926CA.5090002@redhat.com>
References: <557926CA.5090002@redhat.com>
Message-ID: <5579466D.9080305@redhat.com>

On 06/11/2015 08:12 AM, Ludwig Krispenz wrote:
> Attached are two patches:
> - reject direct modification of segment endpoints and connectivity
> - better manage the rdn of a replication agreement represented by a
> segment
>
>
Hello Ludwig,

The patches look good. Two questions:

* Patch 0012

      if (strcasecmp(agmt_rdn_str, topo_agmt->rdn)) {
          slapi_ch_free_string(&topo_agmt->rdn);
          topo_agmt->rdn = slapi_ch_strdup(agmt_rdn_str);
      }

  What is the benefit of replacing a string by the same one?

* Patch 0013

  In ipa-topo-pre-mod.

      if (ipa_topo_is_entry_managed(pb)){
          if(ipa_topo_is_agmt_attr_restricted(pb)) {
              errtxt = slapi_ch_smprintf("Entry and attributes are managed by topology plugin."
                                         "No direct modifications allowed.\n");
          }
      } else if (ipa_topo_check_connect_restrict(pb)) {
          errtxt = slapi_ch_smprintf("Modification of connectivity and segment nodes "
                                     " is not supported.\n");
      }

  If we have an external modify of replication agreement (managed by
  topology plugin), then it will not call 'ipa_topo_check_connect_restrict'.
  And the modify will not be rejected if for example it updates
  'ipaReplTopoSegmentDirection'.
  But I thought that this patch also wants to prevent external update of
  some connectivity attribute of the managed entries.

Thanks
thierry

From lkrispen at redhat.com  Thu Jun 11 08:40:22 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Thu, 11 Jun 2015 10:40:22 +0200
Subject: [Freeipa-devel] [PATCH 0012-0012] more topology plugin fixes
In-Reply-To: <5579466D.9080305@redhat.com>
References: <557926CA.5090002@redhat.com> <5579466D.9080305@redhat.com>
Message-ID: <55794976.1000406@redhat.com>

On 06/11/2015 10:27 AM, thierry bordaz wrote:
> On 06/11/2015 08:12 AM, Ludwig Krispenz wrote:
>> Attached are two patches:
>> - reject direct modification of segment endpoints and connectivity
>> - better manage the rdn of a replication agreement represented by a
>> segment
>>
>>
> Hello Ludwig,
>
> The patches look good. Two questions:
>
> * Patch 0012
>       if (strcasecmp(agmt_rdn_str, topo_agmt->rdn)) {
>           slapi_ch_free_string(&topo_agmt->rdn);
>           topo_agmt->rdn = slapi_ch_strdup(agmt_rdn_str);
>       }
>   What is the benefit of replacing a string by the same one?
>
if strcasecmp is not 0, they are not the same
>
> * Patch 0013
>   In ipa-topo-pre-mod.
>       if (ipa_topo_is_entry_managed(pb)){
>           if(ipa_topo_is_agmt_attr_restricted(pb)) {
>               errtxt = slapi_ch_smprintf("Entry and attributes are managed by topology plugin."
>                                          "No direct modifications allowed.\n");
>           }
>       } else if (ipa_topo_check_connect_restrict(pb)) {
>           errtxt = slapi_ch_smprintf("Modification of connectivity and segment nodes "
>                                      " is not supported.\n");
>       }
>   If we have an external modify of replication agreement (managed by
>   topology plugin), then it will not call
>   'ipa_topo_check_connect_restrict'.
>   And the modify will not be rejected if for example it updates
>   'ipaReplTopoSegmentDirection'.
>
this is not in a replication agreement. you cannot modify two entries in
the same mod. The first if catches mods to a repl agreement, the second
to a segment entry
>
> * But I thought that this patch also wants to prevent external
>   update of some connectivity attribute of the managed entries.
>
> Thanks
> thierry
>

From tbordaz at redhat.com  Thu Jun 11 08:49:57 2015
From: tbordaz at redhat.com (thierry bordaz)
Date: Thu, 11 Jun 2015 10:49:57 +0200
Subject: [Freeipa-devel] [PATCH 0012-0012] more topology plugin fixes
In-Reply-To: <55794976.1000406@redhat.com>
References: <557926CA.5090002@redhat.com> <5579466D.9080305@redhat.com> <55794976.1000406@redhat.com>
Message-ID: <55794BB5.7040209@redhat.com>

On 06/11/2015 10:40 AM, Ludwig Krispenz wrote:
>
> On 06/11/2015 10:27 AM, thierry bordaz wrote:
>> On 06/11/2015 08:12 AM, Ludwig Krispenz wrote:
>>> Attached are two patches:
>>> - reject direct modification of segment endpoints and connectivity
>>> - better manage the rdn of a replication agreement represented by a
>>> segment
>>>
>>>
>> Hello Ludwig,
>>
>> The patches look good. Two questions:
>>
>> * Patch 0012
>>       if (strcasecmp(agmt_rdn_str, topo_agmt->rdn)) {
>>           slapi_ch_free_string(&topo_agmt->rdn);
>>           topo_agmt->rdn = slapi_ch_strdup(agmt_rdn_str);
>>       }
>>   What is the benefit of replacing a string by the same one?
>>
> if strcasecmp is not 0, they are not the same

Shame on me!

>> * Patch 0013
>>   In ipa-topo-pre-mod.
>>       if (ipa_topo_is_entry_managed(pb)){
>>           if(ipa_topo_is_agmt_attr_restricted(pb)) {
>>               errtxt = slapi_ch_smprintf("Entry and attributes are managed by topology plugin."
>>                                          "No direct modifications allowed.\n");
>>           }
>>       } else if (ipa_topo_check_connect_restrict(pb)) {
>>           errtxt = slapi_ch_smprintf("Modification of connectivity and segment nodes "
>>                                      " is not supported.\n");
>>       }
>>   If we have an external modify of replication agreement (managed
>>   by topology plugin), then it will not call
>>   'ipa_topo_check_connect_restrict'.
>>   And the modify will not be rejected if for example it updates
>>   'ipaReplTopoSegmentDirection'.
>>
> this is not in a replication agreement. you cannot modify two entries
> in the same mod. The first if catches mods to a repl agreement, the
> second to a segment entry

Ok. Thanks for the explanations. To help reading you may add a comment
saying that the first test is related to RA and the second to segments.

Other than that the fix is good for me. ACK

>> * But I thought that this patch also wants to prevent external
>>   update of some connectivity attribute of the managed entries.
>>
>> Thanks
>> thierry
>>
>

From ofayans at redhat.com  Thu Jun 11 09:06:02 2015
From: ofayans at redhat.com (Oleg Fayans)
Date: Thu, 11 Jun 2015 11:06:02 +0200
Subject: [Freeipa-devel] [PATCH 0012-0012] more topology plugin fixes
In-Reply-To: <557926CA.5090002@redhat.com>
References: <557926CA.5090002@redhat.com>
Message-ID: <55794F7A.1080704@redhat.com>

Hi Ludwig

Installed it and it did fix the problem with orphaned topology segments
after replica removal. Thank you very much!

One more question: In which cases should the segment removal be allowed
via `ipa topologysegment-del` command? Currently, when I try to remove a
segment that connects a master and a replica, by issuing this command on
master, it refuses to do so:

Server is unwilling to perform: Removal of Segment disconnects
topology.Deletion not allowed.

On 06/11/2015 08:12 AM, Ludwig Krispenz wrote:
> Attached are two patches:
> - reject direct modification of segment endpoints and connectivity
> - better manage the rdn of a replication agreement represented by a
> segment
>
>

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

From lkrispen at redhat.com  Thu Jun 11 09:26:18 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Thu, 11 Jun 2015 11:26:18 +0200
Subject: [Freeipa-devel] [PATCH 0012-0012] more topology plugin fixes
In-Reply-To: <55794F7A.1080704@redhat.com>
References: <557926CA.5090002@redhat.com> <55794F7A.1080704@redhat.com>
Message-ID: <5579543A.9090602@redhat.com>

On 06/11/2015 11:06 AM, Oleg Fayans wrote:
> Hi Ludwig
>
> Installed it and it did fix the problem with orphaned topology
> segments after replica removal. Thank you very much!
> One more question: In which cases should the segment removal be
> allowed via `ipa topologysegment-del` command? Currently, when I try
> to remove a segment that connects a master and a replica, by issuing
> this command on master, it refuses to do so:
> Server is unwilling to perform: Removal of Segment disconnects
> topology.Deletion not allowed.

the deletion of A-B should only be allowed if there exists another path
connecting A and B, e.g. A <-->C<-->D<-->B.

>
> On 06/11/2015 08:12 AM, Ludwig Krispenz wrote:
>> Attached are two patches:
>> - reject direct modification of segment endpoints and connectivity
>> - better manage the rdn of a replication agreement represented by a
>> segment
>>
>>
>
> -- 
> Oleg Fayans
> Quality Engineer
> FreeIPA team
> RedHat.
>
>

From lkrispen at redhat.com  Thu Jun 11 09:27:18 2015
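The deletion rule Ludwig states above (delete A-B only if another path still connects A and B), as an added example; this is not code from the thread or from the FreeIPA topology plugin, the sample topology is constructed, and the check treats every segment as an undirected link, which is this example's reading of "another path connecting A and B".

```python
from collections import deque

# Constructed sample topology (not taken from the thread): each segment is
# (left node, right node, ipaReplTopoSegmentDirection).  For the question
# "does deleting A-B disconnect the topology" only the undirected link is
# considered here, an assumption of this example.
TOPOLOGY = [
    ("A", "B", "both"),
    ("A", "C", "both"),
    ("C", "D", "left-right"),
    ("D", "B", "both"),
    ("B", "E", "both"),
]

# Refusal text as quoted in the thread.
DISCONNECT_MSG = ("Removal of Segment disconnects topology. "
                  "Deletion not allowed.")


def same_link(segment, left, right):
    """True if the segment joins the same two nodes, in either orientation."""
    return {segment[0], segment[1]} == {left, right}


def reachable(segments, start):
    """Breadth-first walk over the undirected links; returns the set of
    nodes reachable from `start` (including `start` itself)."""
    neighbours = {}
    for left, right, _direction in segments:
        neighbours.setdefault(left, set()).add(right)
        neighbours.setdefault(right, set()).add(left)
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in neighbours.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def removal_disconnects(segments, left, right):
    """True if no other path joins `left` and `right` once the direct
    segment between them is taken away."""
    remaining = [s for s in segments if not same_link(s, left, right)]
    return right not in reachable(remaining, left)


def delete_segment(segments, left, right):
    """Apply the rule from the thread: delete the segment only if another
    path still connects its endpoints, otherwise refuse with the server's
    message.  Returns the new segment list, leaving the input untouched."""
    if not any(same_link(s, left, right) for s in segments):
        raise KeyError("no segment %s-%s in topology" % (left, right))
    if removal_disconnects(segments, left, right):
        raise ValueError(DISCONNECT_MSG)
    return [s for s in segments if not same_link(s, left, right)]


def deletion_outcome(segments, left, right):
    """Return 'deleted' or the refusal message, for inspecting a scenario
    without catching exceptions."""
    try:
        delete_segment(segments, left, right)
    except ValueError as exc:
        return str(exc)
    return "deleted"


if __name__ == "__main__":
    # A-B has the alternative path A-C-D-B; B-E is the only link to E.
    print("A-B:", deletion_outcome(TOPOLOGY, "A", "B"))
    print("B-E:", deletion_outcome(TOPOLOGY, "B", "E"))
```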
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Thu, 11 Jun 2015 11:27:18 +0200
Subject: [Freeipa-devel] [PATCH 0012-0012] more topology plugin fixes
In-Reply-To: <55794BB5.7040209@redhat.com>
References: <557926CA.5090002@redhat.com> <5579466D.9080305@redhat.com> <55794976.1000406@redhat.com> <55794BB5.7040209@redhat.com>
Message-ID: <55795476.4020001@redhat.com>

Thanks, attached a new version with comments and trying to use more
meaningful function names

On 06/11/2015 10:49 AM, thierry bordaz wrote:
> On 06/11/2015 10:40 AM, Ludwig Krispenz wrote:
>>
>> On 06/11/2015 10:27 AM, thierry bordaz wrote:
>>> On 06/11/2015 08:12 AM, Ludwig Krispenz wrote:
>>>> Attached are two patches:
>>>> - reject direct modification of segment endpoints and connectivity
>>>> - better manage the rdn of a replication agreement represented by
>>>> a segment
>>>>
>>>>
>>> Hello Ludwig,
>>>
>>> The patches look good. Two questions:
>>>
>>> * Patch 0012
>>>       if (strcasecmp(agmt_rdn_str, topo_agmt->rdn)) {
>>>           slapi_ch_free_string(&topo_agmt->rdn);
>>>           topo_agmt->rdn = slapi_ch_strdup(agmt_rdn_str);
>>>       }
>>>   What is the benefit of replacing a string by the same one?
>>>
>> if strcasecmp is not 0, they are not the same
> Shame on me!
>
>>> * Patch 0013
>>>   In ipa-topo-pre-mod.
>>>       if (ipa_topo_is_entry_managed(pb)){
>>>           if(ipa_topo_is_agmt_attr_restricted(pb)) {
>>>               errtxt = slapi_ch_smprintf("Entry and attributes are managed by topology plugin."
>>>                                          "No direct modifications allowed.\n");
>>>           }
>>>       } else if (ipa_topo_check_connect_restrict(pb)) {
>>>           errtxt = slapi_ch_smprintf("Modification of connectivity and segment nodes "
>>>                                      " is not supported.\n");
>>>       }
>>>   If we have an external modify of replication agreement (managed
>>>   by topology plugin), then it will not call
>>>   'ipa_topo_check_connect_restrict'.
>>>   And the modify will not be rejected if for example it updates
>>>   'ipaReplTopoSegmentDirection'.
>>>
>> this is not in a replication agreement. you cannot modify two
>> entries in the same mod. The first if catches mods to a repl
>> agreement, the second to a segment entry
>
> Ok. Thanks for the explanations. To help reading you may add a comment
> saying that the first test is related to RA and the second to segments.
>
> Other than that the fix is good for me. ACK
>
>
>>> * But I thought that this patch also wants to prevent external
>>>   update of some connectivity attribute of the managed entries.
>>>
>>> Thanks
>>> thierry
>>>
>>
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-lkrispen-0013-v2-reject-modifications-of-endpoints-and-connectivit.patch
Type: text/x-patch
Size: 5269 bytes
Desc: not available
URL: 

From pvoborni at redhat.com  Thu Jun 11 10:12:45 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 11 Jun 2015 12:12:45 +0200
Subject: [Freeipa-devel] [PATCH] 864 add entries required by topology plugin on update
In-Reply-To: <5579403D.20606@redhat.com>
References: <55706199.8090104@redhat.com> <5579403D.20606@redhat.com>
Message-ID: <55795F1D.7060309@redhat.com>

On 06/11/2015 10:01 AM, Martin Babinsky wrote:
> On 06/04/2015 04:32 PM, Petr Vobornik wrote:
>> requires patch 863
>>
>> These entries were not added on upgrade from old IPA servers and on
>> replica creation.
>>
>> https://fedorahosted.org/freeipa/ticket/4302
>>
>>
> ACK
>

pushed to master:
https://fedorahosted.org/freeipa/changeset/99ce650b59dbf9da7dc95f1cade91fcfa55b8375

-- 
Petr Vobornik

From pvoborni at redhat.com  Thu Jun 11 10:12:46 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 11 Jun 2015 12:12:46 +0200
Subject: [Freeipa-devel] [PATCH] 863 move replications managers group to, cn=sysaccounts, cn=etc, $SUFFIX
In-Reply-To: <55794021.2000605@redhat.com>
References: <55706188.2090906@redhat.com> <5575ACAC.8020308@redhat.com> <55794021.2000605@redhat.com>
Message-ID: <55795F1E.80906@redhat.com>

On 06/11/2015 10:00 AM, Martin Babinsky wrote:
> On 06/08/2015 04:54 PM, Petr Vobornik wrote:
>> On 06/04/2015 04:32 PM, Petr Vobornik wrote:
>>> https://fedorahosted.org/freeipa/ticket/4302
>>>
>>>
>>
>> missed one occurrence. Updated patch attached.
>>
>>
> ACK
>

pushed to master:
https://fedorahosted.org/freeipa/changeset/7cf82cf9aac6cc5ecb8d575ce4f141ab2afa85a2

-- 
Petr Vobornik

From pvoborni at redhat.com  Thu Jun 11 10:19:06 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 11 Jun 2015 12:19:06 +0200
Subject: [Freeipa-devel] [PATCH] 869 topology: restrict direction changes
In-Reply-To: <55794546.3040304@redhat.com>
References: <557837E2.6080007@redhat.com> <55794546.3040304@redhat.com>
Message-ID: <5579609A.5040703@redhat.com>

On 06/11/2015 10:22 AM, Martin Babinsky wrote:
> On 06/10/2015 03:13 PM, Petr Vobornik wrote:
>> topology plugin doesn't properly handle:
>> - creation of segment with direction 'none' and then upgrade to other
>> direction
>> - downgrade of direction
>>
>> These situations are now forbidden in API.
>>
>> part of: https://fedorahosted.org/freeipa/ticket/4302
>>
>>
> ACK
>

Looking at Ludwig's patch 12, the patch completely forbids mod of
ipaReplTopoSegmentDirection? So that upgrade from right-left and
left-right to both is not allowed? If so then this patch needs to be
updated.

-- 
Petr Vobornik

From pvoborni at redhat.com  Thu Jun 11 10:22:27 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 11 Jun 2015 12:22:27 +0200
Subject: [Freeipa-devel] [PATCH] 871 webui: make topology suffices UI readonly
In-Reply-To: <557944D5.1030807@redhat.com>
References: <55783A96.2080609@redhat.com> <55783AC3.5010005@redhat.com> <557944D5.1030807@redhat.com>
Message-ID: <55796163.8080008@redhat.com>

On 06/11/2015 10:20 AM, Martin Babinsky wrote:
> On 06/10/2015 03:25 PM, Petr Vobornik wrote:
>> On 06/10/2015 03:24 PM, Petr Vobornik wrote:
>>> Admins should not modify topology suffices. They are created on
>>> install/upgrade.
>>>
>>> part of: https://fedorahosted.org/freeipa/ticket/4997
>>
>> and with patch...
>>
>>
>>
> ACK
>

Pushed to master: ae56ca422d1897569717fa44a5d483b10e490f6a

-- 
Petr Vobornik

From lkrispen at redhat.com  Thu Jun 11 10:35:35 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Thu, 11 Jun 2015 12:35:35 +0200
Subject: [Freeipa-devel] [PATCH] 869 topology: restrict direction changes
In-Reply-To: <5579609A.5040703@redhat.com>
References: <557837E2.6080007@redhat.com> <55794546.3040304@redhat.com> <5579609A.5040703@redhat.com>
Message-ID: <55796477.4010005@redhat.com>

On 06/11/2015 12:19 PM, Petr Vobornik wrote:
> On 06/11/2015 10:22 AM, Martin Babinsky wrote:
>> On 06/10/2015 03:13 PM, Petr Vobornik wrote:
>>> topology plugin doesn't properly handle:
>>> - creation of segment with direction 'none' and then upgrade to other
>>> direction
>>> - downgrade of direction
>>>
>>> These situations are now forbidden in API.
>>>
>>> part of: https://fedorahosted.org/freeipa/ticket/4302
>>>
>>>
>> ACK
>>
>
> Looking at Ludwig's patch 12, the patch completely forbids mod of
> ipaReplTopoSegmentDirection?

that's what I thought we agreed on, so you would have to add a segment
in the opposite direction and they would be merged to both, but maybe
this is a bit strict. I could allow for
ipaReplTopoSegmentDirection replace: both

> So that upgrade from right-left and left-right to both is not
> allowed? If so then this patch needs to be updated.

depends a bit on what you prefer and what we can get in for alpha.

From pspacek at redhat.com  Thu Jun 11 10:38:37 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 11 Jun 2015 12:38:37 +0200
Subject: [Freeipa-devel] DNA range distribution to replicas by default
In-Reply-To: <1433855206.20848.21.camel@willson.usersys.redhat.com>
References: <5576A41A.4020604@redhat.com> <1433855206.20848.21.camel@willson.usersys.redhat.com>
Message-ID: <5579652D.3020003@redhat.com>

On 9.6.2015 15:06, Simo Sorce wrote:
> On Tue, 2015-06-09 at 10:30 +0200, Petr Spacek wrote:
>> Hello,
>>
>> I would like to discuss
>> https://bugzilla.redhat.com/show_bug.cgi?id=1211366
>> "Error creating a user when jumping from an original server to replica".
>>
>> Currently the DNA ranges are distributed from master to other replicas on
>> first attempt to get a number from particular range.
>>
>> This works well as long as the original master is reachable but fails
>> miserably when the master is not reachable for any reason.
>>
>> It is apparently confusing to users [1][2] because it is counter-intuitive.
>> They have created a replica to be sure that everything will work when the
>> first server is down, right?
>>
>> Remediation is technically simple [3] (just assign a range to the new replica)
>> but it is confusing to the users, error-prone, and personally I feel that this
>> is an unnecessary obstacle.
>>
>> It seems to me that the original motivation for this behavior was that the
>> masters were not able to request range back from other replicas when a local
>> range was depleted.
>>
>> This deficiency is tracked as
>> https://bugzilla.redhat.com/show_bug.cgi?id=1029640 and it is slated for fix
>> in 4.2.x time frame.
>>
>> Can we distribute ranges to the replicas during ipa-replica-install when we
>> fix bug 1029640?
>
> That was not the only reason, another reason is that you do not want to
> distribute and fragment ranges to replicas that will never be used to
> create users. What we should do perhaps, is to automatically give a
> range to CA enabled masters so that at least those servers have a range.
> If all your CAs are unavailable you have major issues anyway.
>
> Though it is a bit bad to have magic behaviors, maybe we should have a
> "main DNA range holder" role that can be assigned to arbitrary servers
> (maybe the first replica gets it by default), and when done the server
> acquire part of the range if it has none.

This concept sounds good to me! I would only reverse the default, i.e.
distribute ranges by default to all replicas and let the admin toggle a
knob if he feels that his case really needs to limit range distribution.

> Another option is that a replica can instantiate a whole new range if
> all the range bearing servers are not around, but that also comes with
> its own issues.
>
> In general I wouldn't want to split by default, because in domains with
> *many* replicas most of them are used for load balancing and will never
> be used to create users, so the range would be wasted.

This should not be an issue when
https://bugzilla.redhat.com/show_bug.cgi?id=1029640 is fixed because
replicas will be able to request range back if the local chunk is
depleted. Is that correct?

Petr^2 Spacek

> Simo.
>
>>
>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1211366#c0
>> [2] https://www.redhat.com/archives/freeipa-users/2015-May/msg00515.html
>> [3] http://blog-rcritten.rhcloud.com/?p=50

From jcholast at redhat.com  Thu Jun 11 10:51:46 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 11 Jun 2015 12:51:46 +0200
Subject: [Freeipa-devel] [PATCHES 00012-0013 v7] Profiles and CA ACLs
In-Reply-To: <20150611051635.GU23523@dhcp-40-8.bne.redhat.com>
References: <55705542.4000002@redhat.com> <20150608013122.GH23523@dhcp-40-8.bne.redhat.com> <55753AE2.5030802@redhat.com> <20150609065805.GL23523@dhcp-40-8.bne.redhat.com> <5576FA44.3000300@redhat.com> <20150610044020.GO23523@dhcp-40-8.bne.redhat.com> <55782303.7070209@redhat.com> <5578248B.3010805@redhat.com> <55782610.5080308@redhat.com> <5578409E.2060805@redhat.com> <20150611051635.GU23523@dhcp-40-8.bne.redhat.com>
Message-ID: <55796842.9060809@redhat.com>

On 11.6.2015 07:16, Fraser Tweedale wrote:
> On Wed, Jun 10, 2015 at 03:50:22PM +0200, Martin Basti wrote:
>> On 10/06/15 13:57, Martin Kosek wrote:
>>> On 06/10/2015 01:50 PM, Jan Cholasta wrote:
>>>> On 10.6.2015 13:44, Martin Basti wrote:
>>>>> On 10/06/15 06:40, Fraser Tweedale wrote:
>>>>>> On Tue, Jun 09, 2015 at 04:37:56PM +0200, Martin Basti wrote:
>>>>>>> On 09/06/15 08:58, Fraser Tweedale wrote:
>>>>>>>> On Mon, Jun 08, 2015 at 08:49:06AM +0200, Martin Kosek wrote:
>>>>>>>>> On 06/08/2015 03:31 AM, Fraser Tweedale wrote:
>>>>>>>>>> New patches attached. Comments inline.
>>>>>>>>> Thanks Fraser!
>>>>>>>>>
>>>>>>>>> ...
>>>>>>>>>>> 5)
>>>>>>>>>>> Missing referint plugin configuration for attribute
>>>>>>>>>>> 'ipacaaclmembercertprofile'
>>>>>>>>>>> Please add it into install/updates/25-referint.update (+ other
>>>>>>>>>>> member attributes if missing)
>>>>>>>>>>>
>>>>>>>>>> Added this. There is a comment in 25-referint.update:
>>>>>>>>>>
>>>>>>>>>> # pres and eq indexes defined in 20-indices.update must be set
>>>>>>>>>> # for all the attributes
>>>>>>>>>>
>>>>>>>>>> Can you explain what is required here? Is it just to add: I see
>>>>>>>>>> things for memberUser and memberHost in indices.ldif but nothing for
>>>>>>>>>> memberService. Do I need to add to indices.ldif:
>>>>>>>>>>
>>>>>>>>>> dn: cn=memberProfile,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
>>>>>>>>>> changetype: add
>>>>>>>>>> cn: memberProfile
>>>>>>>>>> ObjectClass: top
>>>>>>>>>> ObjectClass: nsIndex
>>>>>>>>>> nsSystemIndex: false
>>>>>>>>>> nsIndexType: eq
>>>>>>>>>> nsIndexType: pres
>>>>>>>>>> nsIndexType: sub
>>>>>>>>>>
>>>>>>>>>> , and similarly for memberCa? Sorry I do not know much about LDAP
>>>>>>>>>> indexing.
>>>>>>>>> AFAIR, yes. BTW, where does the "sub" index come from? It is quite
>>>>>>>>> an expensive index to use and I now cannot think of memberProfile
>>>>>>>>> search where you would need a substring...
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Martin
>>>>>>>> Updated patch attached, which adds the indices. (Also rebased).
>>>>>>>>
>>>>>>>> There is a commit that seems to indicate that substring index is
>>>>>>>> needed, so I have included substring indices in this patchset.
>>>>>>>> Copied Honza in case he wants to comment.
>>>>>>>>
>>>>>>>> commit a10521a1dcf69960d6ce0bf5657180b709c297c0
>>>>>>>> Author: Jan Cholasta
>>>>>>>> Date:   Tue Jun 25 13:16:40 2013 +0000
>>>>>>>>
>>>>>>>>     Add missing substring indices for attributes managed by the
>>>>>>>>     referint plugin.
>>>>>>>>
>>>>>>>>     The referint plugin does a substring search on these
>>>>>>>>     attributes each time an entry is deleted, which causes a
>>>>>>>>     noticeable slowdown for large directories if the attributes
>>>>>>>>     are not indexed.
>>>>>>>>
>>>>>>>>     https://fedorahosted.org/freeipa/ticket/3706
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>> Fraser
>>>>>>> ACK
>>>>>>>
>>>>>>> Please send the upgrade patch ASAP :)
>>>>>>>
>>>>>>> -- 
>>>>>>> Martin Basti
>>>>>>>
>>>>>> Thank you for the ACK \o/
>>>>>>
>>>>>> Since the patches have not been pushed, here is an updated patchset
>>>>>> which adds the upgrade behaviour. There are no changes apart from
>>>>>> the additions to ipaserver/install/server/upgrade.py.
>>>>>>
>>>>>> Cheers,
>>>>>> Fraser
>>>>> ACK
>>>> NACK, the new OIDs are not registered.
>>>>
>>>> BTW all new attribute names should have the "ipa" prefix. Also I would prefer
>>>> "CertProfile" instead of just "Profile" in certificate profile related names.
>>>> Please rename the attributes as follows:
>>>>
>>>> memberCa -> ipaMemberCa
>>>> memberProfile -> ipaMemberCertProfile
>>>> caCategory -> ipaCaCategory
>>>> profileCategory -> ipaCertProfileCategory
>>>>
>>>> Honza
>>>>
>>> +1. I see that other attributes from this feature use the ipa prefix already:
>>>
>>> dn: cn=schema
>>> attributeTypes: (2.16.840.1.113730.3.8.21.1.1 NAME 'ipaCertProfileStoreIssued'
>>>   DESC 'Store certificates issued using this profile' EQUALITY booleanMatch
>>>   SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.2' )
>>> objectClasses: (2.16.840.1.113730.3.8.21.2.1 NAME 'ipaCertProfile' SUP top
>>>   STRUCTURAL MUST ( cn $ description $ ipaCertProfileStoreIssued ) X-ORIGIN 'IPA
>>>   v4.2' )
>>>
>>> Those OIDs should be BTW registered as well, if not already
>> OID registered.
>>
> Thanks!
>
>> Patches with updated names attached.
>> Can you Fraser check if I didn't break anything? :)
>>
> Everything LGTM. Did some simple testing. There were conflicts;
> rebased patches attached (no other changes).

Pushed to master: 947af1a037609fa42cbfd794301d5a5c4061c81b

-- 
Jan Cholasta

From pvoborni at redhat.com  Thu Jun 11 10:53:07 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 11 Jun 2015 12:53:07 +0200
Subject: [Freeipa-devel] [PATCH] 869 topology: restrict direction changes
In-Reply-To: <55796477.4010005@redhat.com>
References: <557837E2.6080007@redhat.com> <55794546.3040304@redhat.com> <5579609A.5040703@redhat.com> <55796477.4010005@redhat.com>
Message-ID: <55796893.9080502@redhat.com>

On 06/11/2015 12:35 PM, Ludwig Krispenz wrote:
>
> On 06/11/2015 12:19 PM, Petr Vobornik wrote:
>> On 06/11/2015 10:22 AM, Martin Babinsky wrote:
>>> On 06/10/2015 03:13 PM, Petr Vobornik wrote:
>>>> topology plugin doesn't properly handle:
>>>> - creation of segment with direction 'none' and then upgrade to other
>>>> direction
>>>> - downgrade of direction
>>>>
>>>> These situations are now forbidden in API.
>>>>
>>>> part of: https://fedorahosted.org/freeipa/ticket/4302
>>>>
>>>>
>>> ACK
>>>
>>
>> Looking at Ludwig's patch 12, the patch completely forbids mod of
>> ipaReplTopoSegmentDirection?
> that's what I thought we agreed on,

I thought that we will only complain loudly on downgrade of connection.

> so you would have to add a segment
> in the opposite direction and they would be merged to both,
> but maybe this is a bit strict.

This could work as well, but:

I just tried (without patch 12) to create:
1. A to B, left-right: success
2. B to A, right-left: "Server is unwilling to perform: Segment
already exists in topology or is self referential. Add rejected."

I.e., the upgrade didn't happen.

> I could allow for
> ipaReplTopoSegmentDirection replace: both
>> So that upgrade from right-left and left-right to both is not
>> allowed? If so then this patch needs to be updated.
> depends a bit on what you prefer and what we can get in for alpha.

Depends what's better, I already have adjusted patch for ^^ so it's
not about the work.

-- 
Petr Vobornik

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0869-1-topology-restrict-direction-changes.patch
Type: text/x-patch
Size: 7652 bytes
Desc: not available
URL: 

From pvoborni at redhat.com  Thu Jun 11 11:10:08 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 11 Jun 2015 13:10:08 +0200
Subject: [Freeipa-devel] [PATCH] 868 rename topologysegment_refresh to topologysegment_reinitialize
In-Reply-To: <557940BE.4040807@redhat.com>
References: <55782D40.4010606@redhat.com> <557940BE.4040807@redhat.com>
Message-ID: <55796C90.3050506@redhat.com>

On 06/11/2015 10:03 AM, Martin Babinsky wrote:
> On 06/10/2015 02:27 PM, Petr Vobornik wrote:
>> https://fedorahosted.org/freeipa/ticket/5056
>>
>>
> ACK
>

Pushed to master: c9cbb1493a8c9e10020c7f2104a345cd43535259

-- 
Petr Vobornik

From lkrispen at redhat.com  Thu Jun 11 11:11:27 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Thu, 11 Jun 2015 13:11:27 +0200
Subject: [Freeipa-devel] [PATCH] 869 topology: restrict direction changes
In-Reply-To: <55796893.9080502@redhat.com>
References: <557837E2.6080007@redhat.com> <55794546.3040304@redhat.com> <5579609A.5040703@redhat.com> <55796477.4010005@redhat.com> <55796893.9080502@redhat.com>
Message-ID: <55796CDF.9090409@redhat.com>

On 06/11/2015 12:53 PM, Petr Vobornik wrote:
> On 06/11/2015 12:35 PM, Ludwig Krispenz wrote:
>>
>> On 06/11/2015 12:19 PM, Petr Vobornik wrote:
>>> On 06/11/2015 10:22 AM, Martin Babinsky wrote:
>>>> On 06/10/2015 03:13 PM, Petr Vobornik wrote:
>>>>> topology plugin doesn't properly handle:
>>>>> - creation of segment with direction 'none' and then upgrade to other
>>>>> direction
>>>>> - downgrade of direction
>>>>>
>>>>> These situations are now forbidden in API.
>>>>>
>>>>> part of: https://fedorahosted.org/freeipa/ticket/4302
>>>>>
>>>>>
>>>> ACK
>>>>
>>>
>>> Looking at Ludwig's patch 12, the patch completely forbids mod of
>>> ipaReplTopoSegmentDirection?
>> that's what I thought we agreed on,
>
> I thought that we will only complain loudly on downgrade of connection.
>
>> so you would have to add a segment
>> in the opposite direction and they would be merged to both,
>> but maybe this is a bit strict.
>
> This could work as well, but:
>
> I just tried (without patch 12) to create:
> 1. A to B, left-right: success
> 2. B to A, right-left: "Server is unwilling to perform: Segment
> already exists in topology or is self referential. Add rejected."

yes, B to A, right-left is the same as A-B, left-right

>
> I.e., the upgrade didn't happen.
>
>> I could allow for
>> ipaReplTopoSegmentDirection replace: both
>>> So that upgrade from right-left and left-right to both is not
>>> allowed? If so then this patch needs to be updated.
>> depends a bit on what you prefer and what we can get in for alpha.
>
> Depends what's better, I already have adjusted patch for ^^ so it's
> not about the work.

so let's take the changes to your patch and we could still extend
functionality a bit for beta or later

From pvoborni at redhat.com  Thu Jun 11 11:13:30 2015
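The segment identity and direction-change rules discussed in this thread (B to A right-left being the same segment as A to B left-right, an upgrade to 'both' being the one change worth allowing, downgrades and a 'none' direction being refused), as an added example; this is not code from the thread or from the FreeIPA topology plugin, and the class and function names are made up for illustration.

```python
# Added example, not code from the thread or from the FreeIPA topology
# plugin.  A segment is modelled as the set of directed replication flows
# it stands for, so B->A "right-left" and A->B "left-right" compare equal,
# and a direction "upgrade" is simply a strict superset of flows.

DIRECTIONS = ("none", "left-right", "right-left", "both")

# Refusal text as quoted in the thread.
EXISTS_MSG = ("Segment already exists in topology or is self referential. "
              "Add rejected.")


def flows(left, right, direction):
    """Directed flows a segment represents, as (source, target) pairs."""
    if direction not in DIRECTIONS:
        raise ValueError("unknown direction %r" % direction)
    result = set()
    if direction in ("left-right", "both"):
        result.add((left, right))
    if direction in ("right-left", "both"):
        result.add((right, left))
    return result


def direction_from_flows(left, right, flow_set):
    """Inverse of flows(): name the direction as seen from (left, right)."""
    forward = (left, right) in flow_set
    backward = (right, left) in flow_set
    if forward and backward:
        return "both"
    if forward:
        return "left-right"
    if backward:
        return "right-left"
    return "none"


class Topology:
    """Segments keyed by the unordered node pair (hypothetical class)."""

    def __init__(self):
        self.segments = {}

    def add_segment(self, left, right, direction):
        key = frozenset((left, right))
        # A self-referential (A-A) or duplicate link, in either
        # orientation, is refused with the message quoted in the thread.
        if left == right or key in self.segments:
            raise ValueError(EXISTS_MSG)
        # Patch 869: creating a segment with direction 'none' is forbidden.
        if direction == "none":
            raise ValueError("Segment direction 'none' is not allowed")
        self.segments[key] = flows(left, right, direction)

    def set_direction(self, left, right, direction):
        """Only an upgrade (strictly more flows, e.g. left-right -> both)
        is accepted; a downgrade or a reversal is refused."""
        key = frozenset((left, right))
        old = self.segments[key]
        new = flows(left, right, direction)
        if not old < new:
            raise ValueError("Only an upgrade of the segment direction is "
                             "allowed (downgrade or reversal rejected)")
        self.segments[key] = new

    def direction_of(self, left, right):
        return direction_from_flows(left, right,
                                    self.segments[frozenset((left, right))])


def scenario():
    """Replays the steps tried in the thread and returns the outcomes."""
    topo = Topology()
    out = []
    for left, right, direction, op in [
        ("A", "B", "left-right", "add"),   # 1. A to B, left-right
        ("B", "A", "right-left", "add"),   # 2. B to A, right-left: same link
        ("A", "B", "both", "mod"),         # upgrade to both: accepted
        ("A", "B", "right-left", "mod"),   # downgrade: refused
    ]:
        try:
            if op == "add":
                topo.add_segment(left, right, direction)
            else:
                topo.set_direction(left, right, direction)
            out.append("success")
        except ValueError as exc:
            out.append(str(exc))
    # Final direction, read from B's side of the segment.
    out.append(topo.direction_of("B", "A"))
    return out
```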
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 11 Jun 2015 13:13:30 +0200
Subject: [Freeipa-devel] [PATCHES 0233-0234] DNSSEC: forwarders validation
In-Reply-To: <55783ABE.2070305@redhat.com>
References: <553A3D88.6080200@redhat.com> <55423032.9080505@redhat.com> <5548BED1.1060806@redhat.com> <554A1539.3040002@redhat.com> <554B0D69.5040008@redhat.com> <554B3C19.9080002@redhat.com> <554B8F01.9010501@redhat.com> <55561ACD.6070306@redhat.com> <5559D191.4070406@redhat.com> <556EF9C4.9020406@redhat.com> <556F19D3.70109@redhat.com> <55706E96.8000807@redhat.com> <55783ABE.2070305@redhat.com>
Message-ID: <55796D5A.5070006@redhat.com>

On 06/10/2015 03:25 PM, Martin Basti wrote:
> On 04/06/15 17:28, Petr Spacek wrote:
>> On 3.6.2015 17:14, Martin Basti wrote:
>>> On 03/06/15 14:57, Petr Spacek wrote:
>>>> On 18.5.2015 13:48, Martin Basti wrote:
>>>>> On 15/05/15 18:11, Petr Spacek wrote:
>>>>>> On 7.5.2015 18:12, Martin Basti wrote:
>>>>>>> On 07/05/15 12:19, Petr Spacek wrote:
>>>>>>>> On 7.5.2015 08:59, David Kupka wrote:
>>>>>>>>> On 05/06/2015 03:20 PM, Martin Basti wrote:
>>>>>>>>>> On 05/05/15 15:00, Martin Basti wrote:
>>>>>>>>>>> On 30/04/15 15:37, David Kupka wrote:
>>>>>>>>>>>> On 04/24/2015 02:56 PM, Martin Basti wrote:
>>>>>>>>>>>>> Patches attached.
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>> Hi,
>>>>>>>>>>>> thanks for patches.
>>>>>>>>>>>>
>>>>>>>>>>>> 1. You changed message in DNSServerNotRespondingWarning
>>>>>>>>>>>> class but not the test in ipatest/test_xmlrpc/test_dns_plugin.py
>>>>>>>>>>>>
>>>>>>>>>>>> nitpick. Please spell 'edns' correctly. I've seen several
>>>>>>>>>>>> instances of 'ends'.
>>>>>>>>>>>>
>>>>>>>>>>> Thank you,
>>>>>>>>>>>
>>>>>>>>>>> updated patches attached:
>>>>>>>>>>> * new error messages
>>>>>>>>>>> * logging to debug log server output if exception was raised
>>>>>>>>>>> * fixed test
>>>>>>>>>>> * fixed spelling
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>> Fixed tests (again)
>>>>>>>>>>
>>>>>>>>>> Updated patches attached
>>>>>>>>>>
>>>>>>>>> The code looks good to me and tests are no longer broken. (I
>>>>>>>>> would prefer better fix of the tests but given that the
>>>>>>>>> priorities are different now it can wait.)
>>>>>>>>>
>>>>>>>>> Petr, can you please confirm that the patch set works for you?
>>>>>>>> Sorry, NACK:
>>>>>>>>
>>>>>>>> $ ipa dnsforwardzone-add ptr.test. --forwarder=10.34.47.236
>>>>>>>> Server will check DNS forwarder(s).
>>>>>>>> This may take some time, please wait ...
>>>>>>>> ipa: ERROR: an internal error has occurred
>>>>>>>>
>>>>>>>> # /var/log/httpd/error_log
>>>>>>>> ipa: ERROR: non-public: AssertionError:
>>>>>>>> Traceback (most recent call last):
>>>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 350, in wsgi_execute
>>>>>>>>     result = self.Command[name](*args, **options)
>>>>>>>>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 443, in __call__
>>>>>>>>     ret = self.run(*args, **options)
>>>>>>>>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 760, in run
>>>>>>>>     return self.execute(*args, **options)
>>>>>>>>   File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line 4444, in execute
>>>>>>>>     **options)
>>>>>>>>   File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line 4405, in _warning_if_forwarders_do_not_work
>>>>>>>>     log=self.log)
>>>>>>>>   File "/usr/lib/python2.7/site-packages/ipalib/util.py", line 715, in validate_dnssec_zone_forwarder_step2
>>>>>>>>     timeout=timeout)
>>>>>>>>   File "/usr/lib/python2.7/site-packages/ipalib/util.py", line 610, in _resolve_record
>>>>>>>>     assert isinstance(nameserver_ip, basestring)
>>>>>>>> AssertionError
>>>>>>>> ipa: INFO: [jsonserver_session] admin at IPA.EXAMPLE: dnsforwardzone_add(
>>>>>>>> name ptr.test.>, idnsforwarders=(u'10.34.47.236',), all=False, raw=False,
>>>>>>>> version=u'2.116'): AssertionError
>>>>>>>>
>>>>>>>> This is constantly reproducible in my vm-090.abc. Let me know if
>>>>>>>> you want to take a look.
>>>>>>>>
>>>>>>>>
>>>>>>>> I'm attaching little response.patch which improves compatibility
>>>>>>>> with older python-dns packages. This patch allows IPA to work
>>>>>>>> while error messages are simply not as nice as they could be
>>>>>>>> with latest python-dns :-)
>>>>>>>>
>>>>>>>> check_fwd_msg.patch is a little nitpick, just to make sure everyone
>>>>>>>> understands the message.
>>>>>>>>
>>>>>>>> BTW why some messages in check_forwarders() are printed using
>>>>>>>> 'print' and others using logger? I would prefer to use logger for
>>>>>>>> everything to make sure that logs contain all the information,
>>>>>>>> including warnings.
>>>>>>>>
>>>>>>>> Thank you for your time!
>>>>>>>>
>>>>>>> Thank you, fixed.
>>>>>>>
>>>>>>> I added missing except block after forwarders validation step2.
>>>>>> I confirm that this works but I just discovered another deficiency.
>>>>>>
>>>>>> Setup:
>>>>>> - DNSSEC validation is enabled on IPA server
>>>>>> - forwarders uses fake TLD, e.g. 'test.'
>>>>>> - remote DNS server is responding, supports EDNS0 and so on
>>>>>>
>>>>>> $ ipa dnsforwardzone-add ptr.test. --forwarder=10.34.47.236
>>>>>> Server will check DNS forwarder(s).
>>>>>> This may take some time, please wait ...
>>>>>> ipa: WARNING: DNS server 10.34.78.90: query 'ptr.test. SOA': The
>>>>>> DNS query name does not exist: ptr.test..
>>>>>>
>>>>>> Huh?
Let's check named log: >>>>>> forward zone 'ptr.test': loaded >>>>>> validating ./SOA: got insecure response; parent indicates it >>>>>> should be >>>>>> secure >>>>>> >>>>>> Sometimes I get SERVFAIL from IPA server, too. >>>>>> >>>>>> >>>>>> Unfortunately this check was the main reason for writing this >>>>>> patchset so we >>>>>> need to improve it. >>>>>> >>>>>> Maybe validate_dnssec_zone_forwarder_step2() could special-case >>>>>> NXDOMAIN and >>>>>> print the DNSSEC-validation-failed error, too? The problem is that >>>>>> it could >>>>>> trigger some false positives because NXDOMAIN may simply be caused >>>>>> by a delay >>>>>> somewhere. >>>>>> >>>>>> Any ideas? >>>>> I add catch block for NXDOMAIN >>>>>> By the way, this is also weird: >>>>>> >>>>>> $ ipa dnsforwardzone-add ptr.test. --forwarder=10.34.47.236 >>>>>> Server will check DNS forwarder(s). >>>>>> This may take some time, please wait ... >>>>>> ipa: ERROR: DNS forward zone with name "ptr.test." already exists >>>>>> >>>>>> Is it actually doing the check even if the forward zone exists >>>>>> already? (This >>>>>> is just nitpick, not a blocker!) >>>>>> >>>>> The first part is written by IPA client, it is not response from >>>>> server. >>>>> It is just written when user use --forwarder option. >>>>> >>>>> Updated patch attached. >>>> NACK, it does not work for me - it explodes when I try to add a >>>> forward zone: >>>> >>>> $ ipa dnsforwardzone-add ptr.test. 
--forwarder=192.0.2.1 >>>> >>>> ipa: ERROR: non-public: TypeError: >>>> _warning_if_forwarders_do_not_work() got >>>> multiple values for keyword argument 'new_zone' >>>> Traceback (most recent call last): >>>> File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", >>>> line 350, in >>>> wsgi_execute >>>> result = self.Command[name](*args, **options) >>>> File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line >>>> 443, in >>>> __call__ >>>> ret = self.run(*args, **options) >>>> File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line >>>> 760, in run >>>> return self.execute(*args, **options) >>>> File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", >>>> line 4461, in >>>> execute >>>> result, new_zone=True, *keys, **options) >>>> TypeError: _warning_if_forwarders_do_not_work() got multiple values for >>>> keyword argument 'new_zone' >>>> ipa: INFO: [jsonserver_session] admin at IPA.EXAMPLE: >>>> dnsforwardzone_add(>>> name ptr.test.>, idnsforwarders=(u'192.0.2.1',), all=False, raw=False, >>>> version=u'2.123'): TypeError >>>> >>> updated patch attached. >> Attached patch fixes the case where one domain is shadowed by another >> domain. >> >> ACK for your patches, please review my patch :-) >> > Patches 233-244 can be pushed. > 233.6, 234.6 pushed to master: * 9aa6124b39267148c4c1b9a8ee4209fb859b9c42 DNSSEC: Improve global forwarders validation * f8c8c360f1957a39ce98df61752abbfa1df9864b DNSSEC: validate forward zone forwarders ipa-4-1: * e8f39566eb8bf73ac907f7db74fbc8fc78ce9e12 DNSSEC: Improve global forwarders validation * 9a90ef2982573db216fac1c23406aa70bc4f32e4 DNSSEC: validate forward zone forwarders -- Petr Vobornik From pvoborni at redhat.com Thu Jun 11 11:16:41 2015 
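The forwarder check argued over in this thread comes down to one exchange: send the zone's SOA query with EDNS0 and the DO bit through the forwarder, then read the reply carefully. What follows is an added example, not code from the patches or from ipalib/util.py: a wire-level query builder and reply classifier written with only the standard library, with the replies constructed inline so it runs offline. It sorts a reply the way the discussion does: no OPT record back means the server ignored EDNS0 and cannot carry DNSSEC data, SERVFAIL is what a validating resolver returns when validation fails, and NXDOMAIN alone cannot say whether the name is missing or (with a fake TLD such as 'test.') validation got in the way, which is the false-positive problem Petr Spacek raises. The query id check and the truncation check are the two things a practitioner would not want to skip.

```python
# Added example (not FreeIPA code): build the 'zone SOA' query with an EDNS0 OPT
# record carrying the DO bit, parse a reply and classify it. Replies are
# constructed below for the demonstration; nothing touches the network.
import struct

TYPE_SOA, TYPE_OPT, CLASS_IN = 6, 41, 1
DO_BIT = 0x8000                      # top bit of the OPT "TTL" field = DNSSEC OK
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3
FLAG_TC, FLAG_AD = 0x0200, 0x0020    # truncated / authenticated data


def encode_name(name):
    """Wire-encode a dotted name: length-prefixed labels ended by a zero byte."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def build_soa_query(zone, query_id, udp_size=4096):
    """'<zone> SOA IN' with RD set and one OPT RR in the additional section."""
    header = struct.pack("!HHHHHH", query_id, 0x0100, 1, 0, 0, 1)  # RD; 1 question, 1 additional
    question = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, DO_BIT, 0)  # root name, no options
    return header + question + opt


def _skip_name(buf, pos):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = buf[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return pos + 2
        pos += 1 + length


def parse_response(buf):
    """Header fields plus whether any OPT RR came back (the server speaks EDNS0)."""
    rid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    pos = 12
    for _ in range(qd):
        pos = _skip_name(buf, pos) + 4            # QTYPE + QCLASS
    has_opt = False
    for _ in range(an + ns + ar):
        pos = _skip_name(buf, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[pos:pos + 10])
        pos += 10 + rdlen
        has_opt = has_opt or rtype == TYPE_OPT
    return {"id": rid, "rcode": flags & 0x000F, "tc": bool(flags & FLAG_TC),
            "ad": bool(flags & FLAG_AD), "has_opt": has_opt}


def classify_forwarder_reply(query_id, reply):
    """Map a reply to the outcome a forwarder check would report."""
    r = parse_response(reply)
    if r["id"] != query_id:
        return "mismatched-id"     # not a reply to our query; never trust it
    if r["tc"]:
        return "truncated"         # retry over TCP before drawing conclusions
    if not r["has_opt"]:
        return "no-edns"           # server ignored EDNS0: it cannot carry DNSSEC records
    if r["rcode"] == RCODE_SERVFAIL:
        return "servfail"          # what a validating resolver returns on a DNSSEC failure
    if r["rcode"] == RCODE_NXDOMAIN:
        return "nxdomain"          # name missing, or validation in the way: ambiguous on its own
    if r["rcode"] == RCODE_NOERROR:
        return "validated" if r["ad"] else "insecure"
    return "rcode-%d" % r["rcode"]


def build_reply(query, rcode, ad=False, with_opt=True):
    """Constructed reply for testing: echoes the question, carries no answer RRs."""
    query_id = struct.unpack("!H", query[:2])[0]
    question = query[12:_skip_name(query, 12) + 4]
    flags = 0x8180 | (FLAG_AD if ad else 0) | rcode       # QR, RD, RA
    header = struct.pack("!HHHHHH", query_id, flags, 1, 0, 0, 1 if with_opt else 0)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO_BIT, 0) if with_opt else b""
    return header + question + opt


if __name__ == "__main__":
    q = build_soa_query("ptr.test.", 0x1234)
    for label, reply in [("validated", build_reply(q, RCODE_NOERROR, ad=True)),
                         ("nxdomain", build_reply(q, RCODE_NXDOMAIN)),
                         ("servfail", build_reply(q, RCODE_SERVFAIL)),
                         ("no-edns", build_reply(q, RCODE_NOERROR, with_opt=False))]:
        print(label, "->", classify_forwarder_reply(0x1234, reply))
```

Against a real forwarder the query bytes would go out over UDP port 53 with a timeout, and a "truncated" result would be retried over TCP; the classification logic itself does not change.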
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 11 Jun 2015 13:16:41 +0200
Subject: [Freeipa-devel] [PATCH 0051] Use 389-ds centralized scripts.
In-Reply-To: <557840E3.60004@redhat.com>
References: <5576FB82.6030109@redhat.com> <557840E3.60004@redhat.com>
Message-ID: <55796E19.2080601@redhat.com>

On 06/10/2015 03:51 PM, Martin Basti wrote:
> On 09/06/15 16:43, David Kupka wrote:
>> https://fedorahosted.org/freeipa/ticket/4051
> ACK
>
Pushed to master: 4d05b5d18da84c1e9cc89e9d3c3432261863837a
-- 
Petr Vobornik

From pvoborni at redhat.com Thu Jun 11 11:19:39 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 11 Jun 2015 13:19:39 +0200
Subject: [Freeipa-devel] [PATCH 0031] Update PKCS#11 mechanism constants for AES key wrapping to PKCS#11 v2.40
In-Reply-To: <55784142.2010902@redhat.com>
References: <5575A420.50006@redhat.com> <55784142.2010902@redhat.com>
Message-ID: <55796ECB.7010708@redhat.com>

On 06/10/2015 03:53 PM, Martin Basti wrote:
> On 08/06/15 16:18, Petr Spacek wrote:
>> Hello,
>>
>> Update PKCS#11 mechanism constants for AES key wrapping to PKCS#11 v2.40.
>>
>> SoftHSM 2.0.0rc1 was updated to these new constants to avoid collision
>> with
>> Blowfish mechanisms.
>>
>>
>> Older code *cannot* work with SoftHSM 2.0.0rc1 and newer.
>>
>> Symptoms include errors like this:
>>
>> On DNSSEC key master:
>> ipa-ods-exporter: _ipap11helper.Error: Error at key wrapping: get buffer
>> length: 0x70
>>
>> On DNSSEC replicas:
>> ipa-dnskeysyncd: subprocess.CalledProcessError: Command
>> ''/usr/libexec/ipa/ipa-dnskeysync-replica'' returned non-zero exit
>> status 1
>>
> ACK
>
Pushed to master: 40680fd2a95ba0b00c81f5e22241b3a16d6eee54
-- 
Petr Vobornik

From pvoborni at redhat.com Thu Jun 11 11:22:04 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 11 Jun 2015 13:22:04 +0200
Subject: [Freeipa-devel] [PATCH 02261] Revert 389 DS BuildRequires version
In-Reply-To: <20150529084348.GE17442@mail.corp.redhat.com>
References: <55522905.505@redhat.com> <55524E7F.7050403@redhat.com> <20150529072357.GD17442@mail.corp.redhat.com> <5568245D.2050806@redhat.com> <20150529084348.GE17442@mail.corp.redhat.com>
Message-ID: <55796F5C.3080007@redhat.com>

On 05/29/2015 10:43 AM, Lukas Slebodnik wrote:
> On (29/05/15 10:33), Martin Basti wrote:
>> On 29/05/15 09:23, Lukas Slebodnik wrote:
>>> On (12/05/15 21:03), Martin Basti wrote:
>>>> On 12/05/15 18:23, Martin Basti wrote:
>>>>> https://fedorahosted.org/freeipa/ticket/4921
>>>>>
>>>>> To test this, the mkosek/freeipa-master copr repo with 389-ds-base 1.3.4.0
>>>>> is needed.
>>>>>
>>>>> All previous changes to uniqueness plugins were made just in master branch
>>>>> so upgrade will not work correctly from master to newer master.
>>>> >From IPA 4.1 to master should work as expected.
>>>>> Patch attached.
>>>>>
>>>>>
>>>>>
>>>> Updated patch attached.
>>>>
>>>> --
>>>> Martin Basti
>>>>
>>> >From df2f521473a7e4f2438f675e4328ee59c8cf4617 Mon Sep 17 00:00:00 2001
>>>> From: Martin Basti >>>> Date: Tue, 12 May 2015 18:11:07 +0200 >>>> Subject: [PATCH] Server Upgrade: Fix uniqueness plugins >>>> >>>> Due previous changes (in master branch only) the uniqueness plugins >>>> became misconfigured. >>>> >>>> After this patch: >>>> * whole $SUFFIX will be checked by unique plugins >>>> * just staged users are exluded from check >>>> >>>> This reverts some changes in commit >>>> 52b7101c1148618d5c8e2ec25576cc7ad3e9b7bb >>>> >>>> Since 389-ds-base 1.3.4.a1 new attribute 'uniqueness-exclude-subtrees' >>>> can be used. >>>> >>>> https://fedorahosted.org/freeipa/ticket/4921 >>>> --- >>>> freeipa.spec.in | 6 +++--- >>>> install/share/unique-attributes.ldif | 12 ++++++------ >>>> install/updates/10-uniqueness.update | 20 ++++++-------------- >>>> 3 files changed, 15 insertions(+), 23 deletions(-) >>>> >>>> diff --git a/freeipa.spec.in b/freeipa.spec.in >>>> index 2bf14ef9e14f96b3100d45dd47d749b6bc3b4816..73736455655a100a2febef8e86db2c5a2f2419c9 100644 >>>> --- a/freeipa.spec.in >>>> +++ b/freeipa.spec.in >>>> @@ -34,7 +34,7 @@ Source0: freeipa-%{version}.tar.gz >>>> BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) >>>> >>>> %if ! %{ONLY_CLIENT} >>>> -BuildRequires: 389-ds-base-devel >= 1.3.3.9 >>>> +BuildRequires: 389-ds-base-devel >= 1.3.4.a1 >>> Please revert this change. FreeIPA can be built 1.3.3.9 as well. >>> and it block scanning pacakge with static analysers even on fedora-rawhide. >>> >>> I managed to build pacakges with 389-ds-base 1.3.3.9. >>> It should be sufficient to have Requires for 1.3.4.a1. >>> >>> >>> >>>> BuildRequires: svrcore-devel >>>> BuildRequires: policycoreutils >= 2.1.12-5 >>>> BuildRequires: systemd-units 
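Review bot: the `+BuildRequires: 389-ds-base-devel >= 1.3.4.a1` line in the `@@ -34,7 +34,7 @@` hunk raises the build-time dependency although nothing in the change needs newer headers: the commit message only introduces the runtime attribute `uniqueness-exclude-subtrees`, which belongs to the `Requires:` lines in the later hunks, and Lukas reports the package still builds against 1.3.3.9, so keep `BuildRequires: 389-ds-base-devel >= 1.3.3.9` here. The diffstat also lists install/share/unique-attributes.ldif and install/updates/10-uniqueness.update, whose hunks are not in the quoted excerpt, so the uniqueness-plugin reconfiguration the commit message describes cannot be reviewed from what is shown. On the version string itself: rpm orders `1.3.4.a1` below `1.3.4.0` (an alphabetic segment sorts before a numeric one), so `>= 1.3.4.a1` is satisfied by the 389-ds-base 1.3.4.0 build the commit message says is needed for testing.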
>>>> @@ -109,7 +109,7 @@ Group: System Environment/Base >>>> Requires: %{name}-python = %{version}-%{release} >>>> Requires: %{name}-client = %{version}-%{release} >>>> Requires: %{name}-admintools = %{version}-%{release} >>>> -Requires: 389-ds-base >= 1.3.3.9 >>>> +Requires: 389-ds-base >= 1.3.4.a1 >>>> Requires: openldap-clients > 2.4.35-4 >>>> Requires: nss >= 3.14.3-12.0 >>>> Requires: nss-tools >= 3.14.3-12.0 >>>> @@ -144,7 +144,7 @@ Requires: zip >>>> Requires: policycoreutils >= 2.1.12-5 >>>> Requires: tar >>>> Requires(pre): certmonger >= 0.76.8 >>>> -Requires(pre): 389-ds-base >= 1.3.3.9 >>>> +Requires(pre): 389-ds-base >= 1.3.4.a1 >>>> Requires: fontawesome-fonts >>>> Requires: open-sans-fonts >>>> Requires: openssl >>> LS >> Patch attached. >> >> -- >> Martin Basti >> > >>From 58e24b762c78f995d44ebf89e995df2360e9c055 Mon Sep 17 00:00:00 2001 >> From: Martin Basti >> Date: Fri, 29 May 2015 10:29:15 +0200 >> Subject: [PATCH] Revert 389-DS BuildRequires version to 1.3.3.9 >> >> --- >> freeipa.spec.in | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/freeipa.spec.in b/freeipa.spec.in >> index 7dc576256865fb04b3f322b2094a5e3ece7776a5..d2943547bf4d967bac031b02eb74ab4693cb9872 100644 >> --- a/freeipa.spec.in >> +++ b/freeipa.spec.in >> @@ -34,7 +34,7 @@ Source0: freeipa-%{version}.tar.gz >> BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) >> >> %if ! %{ONLY_CLIENT} >> -BuildRequires: 389-ds-base-devel >= 1.3.4.a1 >> +BuildRequires: 389-ds-base-devel >= 1.3.3.9 >> BuildRequires: svrcore-devel >> BuildRequires: policycoreutils >= 2.1.12-5 >> BuildRequires: systemd-units > > Thank you. > rpms can be built on fedora-rawhide > > ACK Pushed to master: 6a92b32bf2dfe49e3f219beb6042e9fa71e18dcc > > LS > -- Petr Vobornik From pvoborni at redhat.com Thu Jun 11 11:39:48 2015 
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 11 Jun 2015 13:39:48 +0200
Subject: [Freeipa-devel] [PATCH] 870 disallow mod of topology segment nodes
In-Reply-To: <557944A7.7020608@redhat.com>
References: <55783811.4050003@redhat.com> <557944A7.7020608@redhat.com>
Message-ID: <55797384.5060807@redhat.com>

On 06/11/2015 10:19 AM, Martin Babinsky wrote:
> On 06/10/2015 03:13 PM, Petr Vobornik wrote:
>> Mod of segment end will be disallowed in topology plugin.
>>
>> Reasoning (by Ludwig): if we want to properly allow mods to change
>> connectivity and endpoints, then we would need to check if the mod
>> disconnects the topology, delete existing agreements, check if the new
>> would be a duplicate and create new agmts. There could be some difficult
>> scenarios, like having
>> A <--> B <--> C <--> D,
>> if you modify the segment B-C to A-D topology breaks and is then
>> reconnected.
>>
>> part of: https://fedorahosted.org/freeipa/ticket/4302
>>
>>
> ACK
>
rebased and pushed to master: 5089dde2cdbe22cabdbf74f325711ea5dcc22490
-- 
Petr Vobornik

From pvoborni at redhat.com Thu Jun 11 11:41:23 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 11 Jun 2015 13:41:23 +0200
Subject: [Freeipa-devel] [PATCH] 869 topology: restrict direction changes
In-Reply-To: <55796CDF.9090409@redhat.com>
References: <557837E2.6080007@redhat.com> <55794546.3040304@redhat.com> <5579609A.5040703@redhat.com> <55796477.4010005@redhat.com> <55796893.9080502@redhat.com> <55796CDF.9090409@redhat.com>
Message-ID: <557973E3.3090407@redhat.com>

On 06/11/2015 01:11 PM, Ludwig Krispenz wrote:
>
> On 06/11/2015 12:53 PM, Petr Vobornik wrote:
>> On 06/11/2015 12:35 PM, Ludwig Krispenz wrote:
>>>
>>> On 06/11/2015 12:19 PM, Petr Vobornik wrote:
>>>> On 06/11/2015 10:22 AM, Martin Babinsky wrote:
>>>>> On 06/10/2015 03:13 PM, Petr Vobornik wrote:
>>>>>> topology plugin doesn't properly handle:
>>>>>> - creation of segment with direction 'none' and then upgrade to other
>>>>>> direction
>>>>>> - downgrade of direction
>>>>>>
>>>>>> These situations are now forbidden in API.
>>>>>>
>>>>>> part of: https://fedorahosted.org/freeipa/ticket/4302
>>>>>>
>>>>>>
>>>>> ACK
>>>>>
>>>>
>>>> Looking at Ludwig's patch 12, the patch completely forbids mod of
>>>> ipaReplTopoSegmentDirection?
>>> that's what I thought we agreed on,
>>
>> I thought, that we will only complain loudly on downgrade of connection.
>>
>>> so you would have to add a segment
>>> in the opposite direction and they would be merged to both,
>>> but maybe this is a bit strict.
>>
>> This could work as well, but:
>>
>> I just tried (without patch 12) to create:
>> 1. A to B, left-right: success
>> 2. B to A, right-left: "Server is unwilling to perform: Segment
>> already exists in topology or is self referential. Add rejected."
> yes, B to A, right-left is the same as A-B, left right

Sorry, you are right, I wrote it badly. I'm not sure if the servers are
broken from testing and previous bugs. Maybe I should reinstall, but I'm
experiencing the following weird behavior:

A-B segment doesn't exist.

1. A to B, left-right: success
2. A to B, right-left: "Server is unwilling to perform: Segment already
exists in topology or is self referential. Add rejected."

If I try different direction (started with 4 segments):
1. A to B, right-left: success, 5 segments exist
2. A to B, left-right: success, 4 segments exist - the new ones are gone

Martin, can you reproduce it?

>>
>> I.e., the upgrade didn't happen.
>>
>>> I could allow for
>>> ipaReplTopoSegmentDirection replace: both
>>>> So that upgrade from right-left and left-right to both is not
>>>> allowed? If so then this patch needs to be updated.
>>> depends a bit on what you prefer and what we can get in for alpha.
>>
>> Depends what's better, I already have adjusted patch for ^^ so it's
>> not about the work.
> so let's take the changes to your patch and we could still extend
> functionality a bit for beta or later
>

OK, attaching rebased patch.
-- 
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0869-2-topology-restrict-direction-changes.patch
Type: text/x-patch
Size: 7470 bytes
Desc: not available
URL: 

From lkrispen at redhat.com Thu Jun 11 11:48:03 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Thu, 11 Jun 2015 13:48:03 +0200
Subject: [Freeipa-devel] [PATCH] 869 topology: restrict direction changes
In-Reply-To: <557973E3.3090407@redhat.com>
References: <557837E2.6080007@redhat.com> <55794546.3040304@redhat.com> <5579609A.5040703@redhat.com> <55796477.4010005@redhat.com> <55796893.9080502@redhat.com> <55796CDF.9090409@redhat.com> <557973E3.3090407@redhat.com>
Message-ID: <55797573.9000005@redhat.com>

On 06/11/2015 01:41 PM, Petr Vobornik wrote:
> On 06/11/2015 01:11 PM, Ludwig Krispenz wrote:
>>
>> On 06/11/2015 12:53 PM, Petr Vobornik wrote:
>>> On 06/11/2015 12:35 PM, Ludwig Krispenz wrote:
>>>>
>>>> On 06/11/2015 12:19 PM, Petr Vobornik wrote:
>>>>> On 06/11/2015 10:22 AM, Martin Babinsky wrote:
>>>>>> On 06/10/2015 03:13 PM, Petr Vobornik wrote:
>>>>>>> topology plugin doesn't properly handle:
>>>>>>> - creation of segment with direction 'none' and then upgrade to
>>>>>>> other
>>>>>>> direction
>>>>>>> - downgrade of direction
>>>>>>>
>>>>>>> These situations are now forbidden in API.
>>>>>>>
>>>>>>> part of: https://fedorahosted.org/freeipa/ticket/4302
>>>>>>>
>>>>>>>
>>>>>> ACK
>>>>>>
>>>>>
>>>>> Looking at Ludwig's patch 12, the patch completely forbids mod of
>>>>> ipaReplTopoSegmentDirection?
>>>> that's what I thought we agreed on,
>>>
>>> I thought, that we will only complain loudly on downgrade of
>>> connection.
>>>
>>>> so you would have to add a segment
>>>> in the opposite direction and they would be merged to both,
>>>> but maybe this is a bit strict.
>>>
>>> This could work as well, but:
>>>
>>> I just tried (without patch 12) to create:
>>> 1. A to B, left-right: success
>>> 2. B to A, right-left: "Server is unwilling to perform: Segment
>>> already exists in topology or is self referential. Add rejected."
>> yes, B to A, right-left is the same as A-B, left right
>
> Sorry, you are right, I wrote it badly. I'm not sure if the servers
> are broken from testing and previous bugs. Maybe I should reinstall,
> but I'm experiencing the following weird behavior:
>
> A-B segment doesn't exist.
>
> 1. A to B, left-right: success
> 2. A to B, right-left: "Server is unwilling to perform: Segment
> already exists in topology or is self referential. Add rejected."
that is probably a bug, will work on it
>
> If I try different direction (started with 4 segments):
> 1. A to B, right-left: success, 5 segments exist
> 2. A to B, left-right: success, 4 segments exist - the new ones are gone
that seems weird, would need to reproduce to investigate.
>
> Martin, can you reproduce it?
>
>>>
>>> I.e., the upgrade didn't happen.
>>>
>>>> I could allow for
>>>> ipaReplTopoSegmentDirection replace: both
>>>>> So that upgrade from right-left and left-right to both is not
>>>>> allowed? If so then this patch needs to be updated.
>>>> depends a bit on what you prefer and what we can get in for alpha.
>>>
>>> Depends what's better, I already have adjusted patch for ^^ so it's
>>> not about the work.
>> so let's take the changes to your patch and we could still extend
>> functionality a bit for beta or later
>>
>
> OK, attaching rebased patch.

From pvoborni at redhat.com Thu Jun 11 11:59:46 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 11 Jun 2015 13:59:46 +0200
Subject: [Freeipa-devel] [PATCH 0012-0012] more topology plugin fixes
In-Reply-To: <55795476.4020001@redhat.com>
References: <557926CA.5090002@redhat.com> <5579466D.9080305@redhat.com> <55794976.1000406@redhat.com> <55794BB5.7040209@redhat.com> <55795476.4020001@redhat.com>
Message-ID: <55797832.8090005@redhat.com>

On 06/11/2015 11:27 AM, Ludwig Krispenz wrote:
> Thanks,
> attached a new version with comments and trying to use more meaningful
> function names
>>
>> Ok. Thanks for the explanations. To help reading you may add a comment
>> saying that the first test is related to RA and the second to segments.
>>
>> Other than that the fix is good for me. ACK
>>
>>

master:
* b3c2a4b810bfe31dc544648de8fe98dbb84ec320 make sure the agremment rdn match the rdn used in the segment
* 056518ab1af36fa4a8d7b4450616145aa0dbfd16 v2-reject modifications of endpoints and connectivity of a segment
-- 
Petr Vobornik

From tbordaz at redhat.com Thu Jun 11 12:12:42 2015
From: tbordaz at redhat.com (thierry bordaz)
Date: Thu, 11 Jun 2015 14:12:42 +0200
Subject: [Freeipa-devel] [PATCH 0052] Stage User: Fix permissions naming and split them where, apropriate.
In-Reply-To: <55782A17.4070203@redhat.com>
References: <55782A17.4070203@redhat.com>
Message-ID: <55797B3A.4070307@redhat.com>

On 06/10/2015 02:14 PM, David Kupka wrote:
> https://fedorahosted.org/freeipa/ticket/5057

Hello David,

The patch looks ok except it removes a permission to update 'uid' from an
active user. This permission is required to delete (preserve) an active user.

- # Active container
- #
- # Stage user administrators need write right on RDN when
- # the active user is deleted (preserved)
- 'System: Write Active Users RDN by administrators': {
- 'ipapermlocation': DN(baseuser.active_container_dn, api.env.basedn),
- 'ipapermbindruletype': 'permission',
- 'ipapermtarget': DN('uid=*', baseuser.active_container_dn, api.env.basedn),
- 'ipapermtargetfilter': {'(objectclass=posixaccount)'},
- 'ipapermright': {'write'},
- 'ipapermdefaultattr': {'uid'},
- 'default_privileges': {'Stage User Administrators'},
- },
-

I prepared a new patch (attached) with that permission and it makes
'user-del --preserve' happy.
Now I think the name would rather be something like:
'System: Preserve an active user (user-del --preserve)'

I also added back this comment in two permissions 'Note: targetfilter is
the target parent container'. This was to say that the targetfilter
setting was intentional. If you think it is not the right place, you may
remove those comments.

Thanks
thierry
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Stage-User-Fix-permissions-naming-and-split-them-whe.patch
Type: text/x-patch
Size: 17532 bytes
Desc: not available
URL: 

From mbabinsk at redhat.com Thu Jun 11 12:33:04 2015
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Thu, 11 Jun 2015 14:33:04 +0200
Subject: [Freeipa-devel] [PATCH] 869 topology: restrict direction changes
In-Reply-To: <557973E3.3090407@redhat.com>
References: <557837E2.6080007@redhat.com> <55794546.3040304@redhat.com> <5579609A.5040703@redhat.com> <55796477.4010005@redhat.com> <55796893.9080502@redhat.com> <55796CDF.9090409@redhat.com> <557973E3.3090407@redhat.com>
Message-ID: <55798000.9030203@redhat.com>

On 06/11/2015 01:41 PM, Petr Vobornik wrote:
> On 06/11/2015 01:11 PM, Ludwig Krispenz wrote:
>>
>> On 06/11/2015 12:53 PM, Petr Vobornik wrote:
>>> On 06/11/2015 12:35 PM, Ludwig Krispenz wrote:
>>>>
>>>> On 06/11/2015 12:19 PM, Petr Vobornik wrote:
>>>>> On 06/11/2015 10:22 AM, Martin Babinsky wrote:
>>>>>> On 06/10/2015 03:13 PM, Petr Vobornik wrote:
>>>>>>> topology plugin doesn't properly handle:
>>>>>>> - creation of segment with direction 'none' and then upgrade to
>>>>>>> other
>>>>>>> direction
>>>>>>> - downgrade of direction
>>>>>>>
>>>>>>> These situations are now forbidden in API.
>>>>>>>
>>>>>>> part of: https://fedorahosted.org/freeipa/ticket/4302
>>>>>>>
>>>>>>>
>>>>>> ACK
>>>>>>
>>>>>
>>>>> Looking at Ludwig's patch 12, the patch completely forbids mod of
>>>>> ipaReplTopoSegmentDirection?
>>>> that's what I thought we agreed on,
>>>
>>> I thought, that we will only complain loudly on downgrade of connection.
>>>
>>>> so you would have to add a segment
>>>> in the opposite direction and they would be merged to both,
>>>> but maybe this is a bit strict.
>>>
>>> This could work as well, but:
>>>
>>> I just tried (without patch 12) to create:
>>> 1. A to B, left-right: success
>>> 2. B to A, right-left: "Server is unwilling to perform: Segment
>>> already exists in topology or is self referential. Add rejected."
>> yes, B to A, right-left is the same as A-B, left right
>
> Sorry, you are right, I wrote it badly. I'm not sure if the servers are
> broken from testing and previous bugs. Maybe I should reinstall, but
> I'm experiencing the following weird behavior:
>
> A-B segment doesn't exist.
>
> 1. A to B, left-right: success
> 2. A to B, right-left: "Server is unwilling to perform: Segment already
> exists in topology or is self referential. Add rejected."
>
> If I try different direction (started with 4 segments):
> 1. A to B, right-left: success, 5 segments exist
> 2. A to B, left-right: success, 4 segments exist - the new ones are gone
>
> Martin, can you reproduce it?
>
I'm currently working on something else, but will fetch some fresh VMs
and try to reproduce this glitch ASAP.
>>>
>>> I.e., the upgrade didn't happen.
>>>
>>>> I could allow for
>>>> ipaReplTopoSegmentDirection replace: both
>>>>> So that upgrade from right-left and left-right to both is not
>>>>> allowed? If so then this patch needs to be updated.
>>>> depends a bit on what you prefer and what we can get in for alpha.
>>>
>>> Depends what's better, I already have adjusted patch for ^^ so it's
>>> not about the work.
>> so let's take the changes to your patch and we could still extend
>> functionality a bit for beta or later
>>
>
> OK, attaching rebased patch.

-- 
Martin^3 Babinsky

From mbasti at redhat.com Thu Jun 11 13:18:46 2015
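The two topology threads above (869 on direction changes, 870 on why endpoint mods are refused) describe rules in prose that are easy to get subtly wrong, as the duplicate-versus-merge confusion in this thread shows. The block below is an added example, not the FreeIPA topology plugin's code: a small in-memory model that encodes those rules so they can be exercised. It assumes servers are plain strings, a segment is identified by its unordered endpoint pair, and the directions are 'none', 'left-right', 'right-left' and 'both'. It normalises A->B 'right-left' and B->A 'left-right' to the same segment (Ludwig's point), merges the opposite direction into 'both' while rejecting a true duplicate with the server's message, refuses the 'none' upgrade and any downgrade, and for an endpoint move works out the three checks Ludwig lists (duplicate target, transient disconnection while old agreements are deleted, final connectivity) on the A <--> B <--> C <--> D scenario.

```python
# Added example, not the FreeIPA topology plugin's code: a model of replication
# topology segments encoding the rules discussed in the 869/870 threads.
# Assumed: servers are strings, a segment is its unordered endpoint pair.
from collections import deque

# A direction is the set of one-way agreements it carries.
_FLOWS = {"none": frozenset(), "left-right": frozenset({"lr"}),
          "right-left": frozenset({"rl"}), "both": frozenset({"lr", "rl"})}
_NAME = {flows: name for name, flows in _FLOWS.items()}
_FLIP = {"left-right": "right-left", "right-left": "left-right"}
_DUPLICATE = ("Server is unwilling to perform: Segment already exists in "
              "topology or is self referential. Add rejected.")


class TopologyError(Exception):
    """Raised where the directory server would refuse the operation."""


def canonical(left, right, direction):
    """Order the endpoints and flip the direction so that A->B 'right-left'
    and B->A 'left-right' become the same segment."""
    if left == right:
        raise TopologyError(_DUPLICATE)
    if direction not in _FLOWS:
        raise TopologyError("unknown direction %r" % (direction,))
    if left > right:
        left, right, direction = right, left, _FLIP.get(direction, direction)
    return left, right, direction


def check_direction_mod(old, new):
    """API rule from patch 869: a segment created as 'none' is never upgraded
    and a direction is never downgraded; the only upgrade left is X -> 'both'."""
    if old == new:
        return
    if old == "none":
        raise TopologyError("segment created with direction 'none' cannot be upgraded")
    if not _FLOWS[new] >= _FLOWS[old]:
        raise TopologyError("downgrade of direction %s -> %s is not allowed" % (old, new))


class Topology:
    def __init__(self, servers=()):
        self.servers = set(servers)   # every server must stay reachable
        self.segments = {}            # (left, right) -> direction

    def add_segment(self, left, right, direction):
        left, right, direction = canonical(left, right, direction)
        self.servers.update((left, right))
        old = self.segments.get((left, right))
        if old is not None:
            if _FLOWS[direction] <= _FLOWS[old]:
                raise TopologyError(_DUPLICATE)   # nothing new to add
            merged = _NAME[_FLOWS[old] | _FLOWS[direction]]  # opposite direction -> 'both'
            check_direction_mod(old, merged)      # still rejects 'none' -> anything
            direction = merged
        self.segments[(left, right)] = direction
        return direction

    def modify_direction(self, left, right, new):
        left, right, new = canonical(left, right, new)
        if (left, right) not in self.segments:
            raise TopologyError("no such segment")
        check_direction_mod(self.segments[(left, right)], new)
        self.segments[(left, right)] = new
        return new

    def _connected(self, segments):
        """Undirected reachability over segments carrying at least one agreement."""
        adj = {server: set() for server in self.servers}
        for (a, b), direction in segments.items():
            if _FLOWS[direction]:
                adj[a].add(b)
                adj[b].add(a)
        start = next(iter(self.servers))
        seen, queue = {start}, deque([start])
        while queue:
            for peer in adj[queue.popleft()]:
                if peer not in seen:
                    seen.add(peer)
                    queue.append(peer)
        return seen == self.servers

    def modify_endpoints_plan(self, left, right, new_left, new_right):
        """The checks Ludwig lists for moving a segment to new endpoints (the
        plugin forbids the mod instead, patch 870): is the target a duplicate,
        does deleting the old agreements first disconnect the topology, and is
        the topology connected once the new agreements exist."""
        key = canonical(left, right, "both")[:2]
        if key not in self.segments:
            raise TopologyError("no such segment")
        new_key = canonical(new_left, new_right, "both")[:2]
        without_old = {k: v for k, v in self.segments.items() if k != key}
        with_new = dict(without_old)
        with_new[new_key] = self.segments[key]
        return {"duplicate": new_key in without_old,
                "transient_disconnect": not self._connected(without_old),
                "final_connected": self._connected(with_new)}
```

Run against the line A-B-C-D, moving B-C to A-D reports a transient disconnection but a connected end state, which is exactly the "breaks and is then reconnected" case; moving A-B to B-D leaves A unreachable for good.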
From: mbasti at redhat.com (Martin Basti) Date: Thu, 11 Jun 2015 15:18:46 +0200 Subject: [Freeipa-devel] [PATCHES 0233-0234] DNSSEC: forwarders validation In-Reply-To: <55706E96.8000807@redhat.com> References: <553A3D88.6080200@redhat.com> <55423032.9080505@redhat.com> <5548BED1.1060806@redhat.com> <554A1539.3040002@redhat.com> <554B0D69.5040008@redhat.com> <554B3C19.9080002@redhat.com> <554B8F01.9010501@redhat.com> <55561ACD.6070306@redhat.com> <5559D191.4070406@redhat.com> <556EF9C4.9020406@redhat.com> <556F19D3.70109@redhat.com> <55706E96.8000807@redhat.com> Message-ID: <55798AB6.4030503@redhat.com> On 04/06/15 17:28, Petr Spacek wrote: > On 3.6.2015 17:14, Martin Basti wrote: >> On 03/06/15 14:57, Petr Spacek wrote: >>> On 18.5.2015 13:48, Martin Basti wrote: >>>> On 15/05/15 18:11, Petr Spacek wrote: >>>>> On 7.5.2015 18:12, Martin Basti wrote: >>>>>> On 07/05/15 12:19, Petr Spacek wrote: >>>>>>> On 7.5.2015 08:59, David Kupka wrote: >>>>>>>> On 05/06/2015 03:20 PM, Martin Basti wrote: >>>>>>>>> On 05/05/15 15:00, Martin Basti wrote: >>>>>>>>>> On 30/04/15 15:37, David Kupka wrote: >>>>>>>>>>> On 04/24/2015 02:56 PM, Martin Basti wrote: >>>>>>>>>>>> Patches attached. >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>> Hi, >>>>>>>>>>> thanks for patches. >>>>>>>>>>> >>>>>>>>>>> 1. You changed message in DNSServerNotRespondingWarning class but not >>>>>>>>>>> the test in ipatest/test_xmlrpc/test_dns_plugin.py >>>>>>>>>>> >>>>>>>>>>> nitpick. Please spell 'edns' correctly. I've seen several instances >>>>>>>>>>> of 'ends'. >>>>>>>>>>> >>>>>>>>>> Thank you, >>>>>>>>>> >>>>>>>>>> updated patches attached: >>>>>>>>>> * new error messages >>>>>>>>>> * logging to debug log server output if exception was raised >>>>>>>>>> * fixed test >>>>>>>>>> * fixed spelling >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>> Fixed tests (again) >>>>>>>>> >>>>>>>>> Updated patches attached >>>>>>>>> >>>>>>>> The code looks good to me and tests are no longer broken. 
(I would prefer >>>>>>>> better fix of the tests but given that the priorities are different now >>>>>>>> it can >>>>>>>> wait.) >>>>>>>> >>>>>>>> Petr, can you please confirm that the patch set works for you? >>>>>>> Sorry, NACK: >>>>>>> >>>>>>> $ ipa dnsforwardzone-add ptr.test. --forwarder=10.34.47.236 >>>>>>> Server will check DNS forwarder(s). >>>>>>> This may take some time, please wait ... >>>>>>> ipa: ERROR: an internal error has occurred >>>>>>> >>>>>>> # /var/log/httpd/error_log >>>>>>> ipa: ERROR: non-public: AssertionError: >>>>>>> Traceback (most recent call last): >>>>>>> File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line >>>>>>> 350, in >>>>>>> wsgi_execute >>>>>>> result = self.Command[name](*args, **options) >>>>>>> File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line >>>>>>> 443, in >>>>>>> __call__ >>>>>>> ret = self.run(*args, **options) >>>>>>> File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 760, >>>>>>> in run >>>>>>> return self.execute(*args, **options) >>>>>>> File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line >>>>>>> 4444, in >>>>>>> execute >>>>>>> **options) >>>>>>> File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line >>>>>>> 4405, in >>>>>>> _warning_if_forwarders_do_not_work >>>>>>> log=self.log) >>>>>>> File "/usr/lib/python2.7/site-packages/ipalib/util.py", line 715, in >>>>>>> validate_dnssec_zone_forwarder_step2 >>>>>>> timeout=timeout) >>>>>>> File "/usr/lib/python2.7/site-packages/ipalib/util.py", line 610, in >>>>>>> _resolve_record >>>>>>> assert isinstance(nameserver_ip, basestring) >>>>>>> AssertionError >>>>>>> ipa: INFO: [jsonserver_session] admin at IPA.EXAMPLE: dnsforwardzone_add(>>>>>> name ptr.test.>, idnsforwarders=(u'10.34.47.236',), all=False, raw=False, >>>>>>> version=u'2.116'): AssertionError >>>>>>> >>>>>>> This is constantly reproducible in my vm-090.abc. Let me know if you >>>>>>> want to >>>>>>> take a look. 
>>>>>>> >>>>>>> >>>>>>> I'm attaching little response.patch which improves compatibility with older >>>>>>> python-dns packages. This patch allows IPA to work while error messages are >>>>>>> simply not as nice as they could be with latest python-dns :-) >>>>>>> >>>>>>> check_fwd_msg.patch is a little nitpick, just to make sure everyone >>>>>>> understands the message. >>>>>>> >>>>>>> BTW why some messages in check_forwarders() are printed using 'print' and >>>>>>> others using logger? I would prefer to use logger for everything to make >>>>>>> sure >>>>>>> that logs contain all the information, including warnings. >>>>>>> >>>>>>> Thank you for your time! >>>>>>> >>>>>> Thank you, fixed. >>>>>> >>>>>> I added missing except block after forwarders validation step2. >>>>> I confirm that this works but I just discovered another deficiency. >>>>> >>>>> Setup: >>>>> - DNSSEC validation is enabled on IPA server >>>>> - forwarders uses fake TLD, e.g. 'test.' >>>>> - remote DNS server is responding, supports EDNS0 and so on >>>>> >>>>> $ ipa dnsforwardzone-add ptr.test. --forwarder=10.34.47.236 >>>>> Server will check DNS forwarder(s). >>>>> This may take some time, please wait ... >>>>> ipa: WARNING: DNS server 10.34.78.90: query 'ptr.test. SOA': The DNS query >>>>> name does not exist: ptr.test.. >>>>> >>>>> Huh? Let's check named log: >>>>> forward zone 'ptr.test': loaded >>>>> validating ./SOA: got insecure response; parent indicates it should be >>>>> secure >>>>> >>>>> Sometimes I get SERVFAIL from IPA server, too. >>>>> >>>>> >>>>> Unfortunately this check was the main reason for writing this patchset so we >>>>> need to improve it. >>>>> >>>>> Maybe validate_dnssec_zone_forwarder_step2() could special-case NXDOMAIN and >>>>> print the DNSSEC-validation-failed error, too? The problem is that it could >>>>> trigger some false positives because NXDOMAIN may simply be caused by a delay >>>>> somewhere. >>>>> >>>>> Any ideas? 
>>>> I add catch block for NXDOMAIN
>>>>> By the way, this is also weird:
>>>>>
>>>>> $ ipa dnsforwardzone-add ptr.test. --forwarder=10.34.47.236
>>>>> Server will check DNS forwarder(s).
>>>>> This may take some time, please wait ...
>>>>> ipa: ERROR: DNS forward zone with name "ptr.test." already exists
>>>>>
>>>>> Is it actually doing the check even if the forward zone exists already? (This
>>>>> is just nitpick, not a blocker!)
>>>>>
>>>> The first part is written by IPA client, it is not response from server.
>>>> It is just written when user use --forwarder option.
>>>>
>>>> Updated patch attached.
>>> NACK, it does not work for me - it explodes when I try to add a forward zone:
>>>
>>> $ ipa dnsforwardzone-add ptr.test. --forwarder=192.0.2.1
>>>
>>> ipa: ERROR: non-public: TypeError: _warning_if_forwarders_do_not_work() got
>>> multiple values for keyword argument 'new_zone'
>>> Traceback (most recent call last):
>>> File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 350, in
>>> wsgi_execute
>>> result = self.Command[name](*args, **options)
>>> File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 443, in
>>> __call__
>>> ret = self.run(*args, **options)
>>> File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 760, in run
>>> return self.execute(*args, **options)
>>> File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line 4461, in
>>> execute
>>> result, new_zone=True, *keys, **options)
>>> TypeError: _warning_if_forwarders_do_not_work() got multiple values for
>>> keyword argument 'new_zone'
>>> ipa: INFO: [jsonserver_session] admin at IPA.EXAMPLE: dnsforwardzone_add(>> name ptr.test.>, idnsforwarders=(u'192.0.2.1',), all=False, raw=False,
>>> version=u'2.123'): TypeError
>>>
>> updated patch attached.
> Attached patch fixes the case where one domain is shadowed by another domain.
>
> ACK for your patches, please review my patch :-)
>
ACK for pspacek-0030

--
Martin Basti

From jcholast at redhat.com Thu Jun 11 13:28:31 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 11 Jun 2015 15:28:31 +0200
Subject: [Freeipa-devel] [PATCH 445] install: Fix logging setup in server and replica install
Message-ID: <55798CFF.8050206@redhat.com>

Hi,

the attached patch reverts logging in ipa-server-install and
ipa-replica-install to the old behavior.

Honza

--
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-445-install-Fix-logging-setup-in-server-and-replica-inst.patch
Type: text/x-patch
Size: 1569 bytes
Desc: not available
URL:
From dkupka at redhat.com Thu Jun 11 13:55:40 2015
From: dkupka at redhat.com (David Kupka) Date: Thu, 11 Jun 2015 15:55:40 +0200 Subject: [Freeipa-devel] [PATCH 0052] Stage User: Fix permissions naming and split them where, apropriate. In-Reply-To: <55797B3A.4070307@redhat.com> References: <55782A17.4070203@redhat.com> <55797B3A.4070307@redhat.com> Message-ID: <5579935C.6000903@redhat.com> Dne 11.6.2015 v 14:12 thierry bordaz napsal(a): > On 06/10/2015 02:14 PM, David Kupka wrote: >> https://fedorahosted.org/freeipa/ticket/5057 > Hello David, > > The patch looks ok except it removes a permission to update 'uid' from > an active user. This permission is required to delete(preserve) an > active user. > > - # Active container > - # > - # Stage user administrators need write right on RDN when > - # the active user is deleted (preserved) > - 'System: Write Active Users RDN by administrators': { > - 'ipapermlocation': DN(baseuser.active_container_dn, > api.env.basedn), > - 'ipapermbindruletype': 'permission', > - 'ipapermtarget': DN('uid=*', > baseuser.active_container_dn, api.env.basedn), > - 'ipapermtargetfilter': {'(objectclass=posixaccount)'}, > - 'ipapermright': {'write'}, > - 'ipapermdefaultattr': {'uid'}, > - 'default_privileges': {'Stage User Administrators'}, > - }, > - # > > I prepared a new patch (attached) with that permission and it makes > 'user-del --preserve' happy. > Now I think the name would rather be something like: 'System: Preserve > an active user (user-del --preserve)' > > I also added back this comment in two permissions 'Note: targetfilter is > the target parent container'. > This was to say that the targetfilter setting was intentional. > If you think it is not the right place, you may remove those comments. > > Thanks > thierry > Hello Thierry, Indeed, I accidentally removed these. Thank you for careful review. Rebase is needed but it is due to change in VERSION and is useless to do it before push as there are too much patches going to master right now. 
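Review bot: removing 'System: Write Active Users RDN by administrators' drops the only write right on uid for entries under baseuser.active_container_dn in this hunk, and the comment being deleted with it states that this write is what lets Stage User Administrators change the RDN when an active user is preserved (user-del --preserve), so the block needs to come back in some form rather than be dropped. When it is restored, note what the ACI actually grants: 'ipapermtarget': DN('uid=*', baseuser.active_container_dn, api.env.basedn) with 'ipapermright': {'write'} on 'ipapermdefaultattr': {'uid'} allows the holder to rename any active posixaccount, not only to carry out the preserve step, since the ACI cannot tell the two writes apart; a name that states that scope (a "Modify User RDN" style name instead of "Write Active Users RDN by administrators") and a comment saying the broad write is intentional would make the grant easier to audit.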
Martin, are you (as a reporter) OK with the patch?

--
David Kupka

From mbasti at redhat.com Thu Jun 11 14:04:22 2015
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 11 Jun 2015 16:04:22 +0200
Subject: [Freeipa-devel] [PATCH 0265] Server Upgrade: Create NIS server configuration during upgrade in off mode
Message-ID: <55799566.9020201@redhat.com>

Without this patch, upgrader shows the parent entry not found error.

NIS Server plugin is disabled by default, must be enabled by ipa-nis-manage

Patch attached.

--
Martin Basti
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0265-Server-Upgrade-create-default-config-for-NIS-Server-.patch
Type: text/x-patch
Size: 3333 bytes
Desc: not available
URL:
From pvoborni at redhat.com Thu Jun 11 14:09:20 2015
From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 11 Jun 2015 16:09:20 +0200 Subject: [Freeipa-devel] [PATCHES 0233-0234] DNSSEC: forwarders validation In-Reply-To: <55798AB6.4030503@redhat.com> References: <553A3D88.6080200@redhat.com> <55423032.9080505@redhat.com> <5548BED1.1060806@redhat.com> <554A1539.3040002@redhat.com> <554B0D69.5040008@redhat.com> <554B3C19.9080002@redhat.com> <554B8F01.9010501@redhat.com> <55561ACD.6070306@redhat.com> <5559D191.4070406@redhat.com> <556EF9C4.9020406@redhat.com> <556F19D3.70109@redhat.com> <55706E96.8000807@redhat.com> <55798AB6.4030503@redhat.com> Message-ID: <55799690.8030306@redhat.com> On 06/11/2015 03:18 PM, Martin Basti wrote: > On 04/06/15 17:28, Petr Spacek wrote: >> On 3.6.2015 17:14, Martin Basti wrote: >>> On 03/06/15 14:57, Petr Spacek wrote: >>>> On 18.5.2015 13:48, Martin Basti wrote: >>>>> On 15/05/15 18:11, Petr Spacek wrote: >>>>>> On 7.5.2015 18:12, Martin Basti wrote: >>>>>>> On 07/05/15 12:19, Petr Spacek wrote: >>>>>>>> On 7.5.2015 08:59, David Kupka wrote: >>>>>>>>> On 05/06/2015 03:20 PM, Martin Basti wrote: >>>>>>>>>> On 05/05/15 15:00, Martin Basti wrote: >>>>>>>>>>> On 30/04/15 15:37, David Kupka wrote: >>>>>>>>>>>> On 04/24/2015 02:56 PM, Martin Basti wrote: >>>>>>>>>>>>> Patches attached. >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>> Hi, >>>>>>>>>>>> thanks for patches. >>>>>>>>>>>> >>>>>>>>>>>> 1. You changed message in DNSServerNotRespondingWarning >>>>>>>>>>>> class but not >>>>>>>>>>>> the test in ipatest/test_xmlrpc/test_dns_plugin.py >>>>>>>>>>>> >>>>>>>>>>>> nitpick. Please spell 'edns' correctly. I've seen several >>>>>>>>>>>> instances >>>>>>>>>>>> of 'ends'. 
>>>>>>>>>>>> >>>>>>>>>>> Thank you, >>>>>>>>>>> >>>>>>>>>>> updated patches attached: >>>>>>>>>>> * new error messages >>>>>>>>>>> * logging to debug log server output if exception was raised >>>>>>>>>>> * fixed test >>>>>>>>>>> * fixed spelling >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> Fixed tests (again) >>>>>>>>>> >>>>>>>>>> Updated patches attached >>>>>>>>>> >>>>>>>>> The code looks good to me and tests are no longer broken. (I >>>>>>>>> would prefer >>>>>>>>> better fix of the tests but given that the priorities are >>>>>>>>> different now >>>>>>>>> it can >>>>>>>>> wait.) >>>>>>>>> >>>>>>>>> Petr, can you please confirm that the patch set works for you? >>>>>>>> Sorry, NACK: >>>>>>>> >>>>>>>> $ ipa dnsforwardzone-add ptr.test. --forwarder=10.34.47.236 >>>>>>>> Server will check DNS forwarder(s). >>>>>>>> This may take some time, please wait ... >>>>>>>> ipa: ERROR: an internal error has occurred >>>>>>>> >>>>>>>> # /var/log/httpd/error_log >>>>>>>> ipa: ERROR: non-public: AssertionError: >>>>>>>> Traceback (most recent call last): >>>>>>>> File >>>>>>>> "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line >>>>>>>> 350, in >>>>>>>> wsgi_execute >>>>>>>> result = self.Command[name](*args, **options) >>>>>>>> File >>>>>>>> "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line >>>>>>>> 443, in >>>>>>>> __call__ >>>>>>>> ret = self.run(*args, **options) >>>>>>>> File >>>>>>>> "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 760, >>>>>>>> in run >>>>>>>> return self.execute(*args, **options) >>>>>>>> File >>>>>>>> "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line >>>>>>>> 4444, in >>>>>>>> execute >>>>>>>> **options) >>>>>>>> File >>>>>>>> "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line >>>>>>>> 4405, in >>>>>>>> _warning_if_forwarders_do_not_work >>>>>>>> log=self.log) >>>>>>>> File "/usr/lib/python2.7/site-packages/ipalib/util.py", >>>>>>>> line 715, in >>>>>>>> validate_dnssec_zone_forwarder_step2 
>>>>>>>> timeout=timeout) >>>>>>>> File "/usr/lib/python2.7/site-packages/ipalib/util.py", >>>>>>>> line 610, in >>>>>>>> _resolve_record >>>>>>>> assert isinstance(nameserver_ip, basestring) >>>>>>>> AssertionError >>>>>>>> ipa: INFO: [jsonserver_session] admin at IPA.EXAMPLE: >>>>>>>> dnsforwardzone_add(>>>>>>> name ptr.test.>, idnsforwarders=(u'10.34.47.236',), all=False, >>>>>>>> raw=False, >>>>>>>> version=u'2.116'): AssertionError >>>>>>>> >>>>>>>> This is constantly reproducible in my vm-090.abc. Let me know if >>>>>>>> you >>>>>>>> want to >>>>>>>> take a look. >>>>>>>> >>>>>>>> >>>>>>>> I'm attaching little response.patch which improves compatibility >>>>>>>> with older >>>>>>>> python-dns packages. This patch allows IPA to work while error >>>>>>>> messages are >>>>>>>> simply not as nice as they could be with latest python-dns :-) >>>>>>>> >>>>>>>> check_fwd_msg.patch is a little nitpick, just to make sure everyone >>>>>>>> understands the message. >>>>>>>> >>>>>>>> BTW why some messages in check_forwarders() are printed using >>>>>>>> 'print' and >>>>>>>> others using logger? I would prefer to use logger for everything >>>>>>>> to make >>>>>>>> sure >>>>>>>> that logs contain all the information, including warnings. >>>>>>>> >>>>>>>> Thank you for your time! >>>>>>>> >>>>>>> Thank you, fixed. >>>>>>> >>>>>>> I added missing except block after forwarders validation step2. >>>>>> I confirm that this works but I just discovered another deficiency. >>>>>> >>>>>> Setup: >>>>>> - DNSSEC validation is enabled on IPA server >>>>>> - forwarders uses fake TLD, e.g. 'test.' >>>>>> - remote DNS server is responding, supports EDNS0 and so on >>>>>> >>>>>> $ ipa dnsforwardzone-add ptr.test. --forwarder=10.34.47.236 >>>>>> Server will check DNS forwarder(s). >>>>>> This may take some time, please wait ... >>>>>> ipa: WARNING: DNS server 10.34.78.90: query 'ptr.test. SOA': The >>>>>> DNS query >>>>>> name does not exist: ptr.test.. >>>>>> >>>>>> Huh? 
Let's check named log: >>>>>> forward zone 'ptr.test': loaded >>>>>> validating ./SOA: got insecure response; parent indicates it >>>>>> should be >>>>>> secure >>>>>> >>>>>> Sometimes I get SERVFAIL from IPA server, too. >>>>>> >>>>>> >>>>>> Unfortunately this check was the main reason for writing this >>>>>> patchset so we >>>>>> need to improve it. >>>>>> >>>>>> Maybe validate_dnssec_zone_forwarder_step2() could special-case >>>>>> NXDOMAIN and >>>>>> print the DNSSEC-validation-failed error, too? The problem is that >>>>>> it could >>>>>> trigger some false positives because NXDOMAIN may simply be caused >>>>>> by a delay >>>>>> somewhere. >>>>>> >>>>>> Any ideas? >>>>> I add catch block for NXDOMAIN >>>>>> By the way, this is also weird: >>>>>> >>>>>> $ ipa dnsforwardzone-add ptr.test. --forwarder=10.34.47.236 >>>>>> Server will check DNS forwarder(s). >>>>>> This may take some time, please wait ... >>>>>> ipa: ERROR: DNS forward zone with name "ptr.test." already exists >>>>>> >>>>>> Is it actually doing the check even if the forward zone exists >>>>>> already? (This >>>>>> is just nitpick, not a blocker!) >>>>>> >>>>> The first part is written by IPA client, it is not response from >>>>> server. >>>>> It is just written when user use --forwarder option. >>>>> >>>>> Updated patch attached. >>>> NACK, it does not work for me - it explodes when I try to add a >>>> forward zone: >>>> >>>> $ ipa dnsforwardzone-add ptr.test. 
--forwarder=192.0.2.1 >>>> >>>> ipa: ERROR: non-public: TypeError: >>>> _warning_if_forwarders_do_not_work() got >>>> multiple values for keyword argument 'new_zone' >>>> Traceback (most recent call last): >>>> File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", >>>> line 350, in >>>> wsgi_execute >>>> result = self.Command[name](*args, **options) >>>> File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line >>>> 443, in >>>> __call__ >>>> ret = self.run(*args, **options) >>>> File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line >>>> 760, in run >>>> return self.execute(*args, **options) >>>> File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", >>>> line 4461, in >>>> execute >>>> result, new_zone=True, *keys, **options) >>>> TypeError: _warning_if_forwarders_do_not_work() got multiple values for >>>> keyword argument 'new_zone' >>>> ipa: INFO: [jsonserver_session] admin at IPA.EXAMPLE: >>>> dnsforwardzone_add(>>> name ptr.test.>, idnsforwarders=(u'192.0.2.1',), all=False, raw=False, >>>> version=u'2.123'): TypeError >>>> >>> updated patch attached. >> Attached patch fixes the case where one domain is shadowed by another >> domain. >> >> ACK for your patches, please review my patch :-) >> > ACK for pspacek-0030 > pushed to master: * d84680473b079ee3e568465bd04029d2a5f1f9c3 DNSSEC: Detect zone shadowing with incorrect DNSSEC signatures. ipa-4-1: * c5e6f97535540287065ce1f244883b5582841ba4 DNSSEC: Detect zone shadowing with incorrect DNSSEC signatures. -- Petr Vobornik From simo at redhat.com Thu Jun 11 14:11:34 2015 
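The TypeError in the thread above (_warning_if_forwarders_do_not_work() got multiple values for keyword argument 'new_zone') comes from how Python binds a call written as `f(result, new_zone=True, *keys, **options)`. The following is an added example, not FreeIPA code: the helper signature (a positional new_zone parameter placed before *keys) is an assumption, chosen because it is the shape that produces exactly that message, and the function bodies only report how the arguments were bound.

```python
"""Why f(result, new_zone=True, *keys, **options) fails with 'multiple values'.

Added example for the TypeError traceback in the thread; not FreeIPA code.
The helper signatures are assumed (new_zone before *keys is the shape that
produces the error); the bodies return how the arguments were bound.
"""


def buggy_helper(result, new_zone=False, *keys, **options):
    """Assumed shape of the original helper: new_zone sits before *keys."""
    return {"result": result, "new_zone": new_zone, "keys": keys, "options": options}


def fixed_helper(result, *keys, new_zone=False, **options):
    """Keyword-only new_zone: positional keys can no longer land on it."""
    return {"result": result, "new_zone": new_zone, "keys": keys, "options": options}


def call_buggy(result, keys, options):
    # Python binds the expanded *keys positionally BEFORE it applies keyword
    # arguments, so keys[0] fills the new_zone slot and new_zone=True collides.
    return buggy_helper(result, new_zone=True, *keys, **options)


def call_fixed(result, keys, options):
    # With a keyword-only parameter the same call shape binds as intended.
    return fixed_helper(result, *keys, new_zone=True, **options)


def reproduce():
    """Return the TypeError message for a dnsforwardzone-add style call, or None."""
    keys = ("ptr.test.",)   # the zone name is always a key, so the bug always fires
    options = {"idnsforwarders": ("192.0.2.1",), "all": False, "raw": False}
    try:
        call_buggy({"value": {}}, keys, options)
    except TypeError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print("buggy   :", reproduce())
    # The buggy call only works when there are no keys, which hides the defect
    # in any code path that does not pass a primary key.
    print("no keys :", call_buggy({"value": {}}, (), {})["new_zone"])
    print("fixed   :", call_fixed({"value": {}}, ("ptr.test.",), {"all": False}))
```

The second print shows why such a call can survive review: with an empty keys tuple nothing lands on new_zone and the keyword binds normally, so the collision only appears once a real primary key such as the zone name is passed.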
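For the forwarder check itself (the NOERROR, SERVFAIL and NXDOMAIN outcomes discussed in the thread above), here is an added example, not FreeIPA code and not the project's validate_dnssec_zone_forwarder_step2(): it decodes the 12-byte DNS response header and maps the RCODE plus the AD bit to a verdict. The wire messages are constructed inline (header only, no question or answer sections) so it runs offline, and the mapping from header bits to verdicts, including the reading that an authenticated NXDOMAIN means the forward zone is shadowed by its signed parent, is this example's own interpretation of the cases in the thread.

```python
"""Classify a DNSSEC forwarder probe from the DNS response header.

Added example for the forwarder-validation thread; not FreeIPA code and not
validate_dnssec_zone_forwarder_step2(). Wire messages are constructed inline
(12-byte header only, all section counts zero) so this runs offline, and the
mapping from header bits to verdicts is this example's own assumption.
"""
import struct

# RCODE values, RFC 1035 section 4.1.1
NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3

# Header flag word, MSB first: QR | OPCODE(4) | AA | TC | RD | RA | Z | AD | CD | RCODE(4)
QR = 1 << 15   # message is a response
AA = 1 << 10   # authoritative answer
TC = 1 << 9    # truncated
RD = 1 << 8    # recursion desired
RA = 1 << 7    # recursion available
AD = 1 << 5    # authentic data: the resolver validated the answer (RFC 4035)
CD = 1 << 4    # checking disabled: the client asked the resolver not to validate
RCODE_MASK = 0x000F
FLAGS_MASK = 0xFFF0

HEADER = struct.Struct("!HHHHHH")   # id, flags, qdcount, ancount, nscount, arcount


def build_header(msg_id, flags, rcode):
    """Pack a header-only DNS message (constructed test data, no sections)."""
    return HEADER.pack(msg_id, (flags & FLAGS_MASK) | (rcode & RCODE_MASK), 0, 0, 0, 0)


def parse_header(wire):
    """Return (id, flag bits, rcode) from the first 12 bytes of a DNS message."""
    if len(wire) < HEADER.size:
        raise ValueError("DNS message shorter than the 12-byte header")
    msg_id, flags = HEADER.unpack_from(wire)[:2]
    return msg_id, flags & FLAGS_MASK, flags & RCODE_MASK


# Verdict strings are this example's own; they name the cases seen in the thread.
VALIDATED = "validated"                 # NOERROR with AD: answer passed DNSSEC validation
INSECURE = "insecure"                   # NOERROR without AD: accepted, but unsigned
VALIDATION_FAILED = "validation-failed-or-unreachable"   # SERVFAIL from a validating resolver
SHADOWED = "nxdomain-proven-by-parent"  # NXDOMAIN with AD: a signed parent proves the name absent
NXDOMAIN_PLAIN = "nxdomain"             # NXDOMAIN without AD: plain negative answer
NOT_A_RESPONSE = "not-a-response"


def classify_probe(wire):
    """Map a validating resolver's answer for 'ZONE SOA' to one verdict.

    Reading of the thread (this example's interpretation): with the forward
    zone under a fake TLD, an NXDOMAIN carrying AD is the signed parent's
    authenticated denial of 'test.', so the forwarder's unsigned data is
    shadowed rather than used; SERVFAIL is what the same resolver returns
    when validation fails outright or the forwarder does not answer. Only
    the header is needed to tell these apart, so the check stops there.
    """
    _, flags, rcode = parse_header(wire)
    if not flags & QR:
        return NOT_A_RESPONSE
    if rcode == SERVFAIL:
        return VALIDATION_FAILED
    if rcode == NXDOMAIN:
        return SHADOWED if flags & AD else NXDOMAIN_PLAIN
    if rcode == NOERROR:
        return VALIDATED if flags & AD else INSECURE
    return "rcode-%d" % rcode


if __name__ == "__main__":
    # Constructed responses for the outcomes discussed in the thread.
    samples = [
        ("validated answer", build_header(0x1234, QR | RD | RA | AD, NOERROR)),
        ("servfail", build_header(0x1235, QR | RD | RA, SERVFAIL)),
        ("nxdomain with AD", build_header(0x1236, QR | RD | RA | AD, NXDOMAIN)),
        ("nxdomain without AD", build_header(0x1237, QR | RD | RA, NXDOMAIN)),
    ]
    for label, wire in samples:
        print("%-20s -> %s" % (label, classify_probe(wire)))
```

A plain NXDOMAIN without AD is the case Petr warns about: it may be a transient delay rather than a DNSSEC problem, so a checker should report it as a warning and only treat the AD-carrying denial or SERVFAIL as evidence that validation, not the forwarder's data, is what is being answered.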
From: simo at redhat.com (Simo Sorce)
Date: Thu, 11 Jun 2015 10:11:34 -0400
Subject: [Freeipa-devel] DNA range distribution to replicas by default
In-Reply-To: <5579652D.3020003@redhat.com>
References: <5576A41A.4020604@redhat.com> <1433855206.20848.21.camel@willson.usersys.redhat.com> <5579652D.3020003@redhat.com>
Message-ID: <1434031894.20848.53.camel@willson.usersys.redhat.com>

On Thu, 2015-06-11 at 12:38 +0200, Petr Spacek wrote:
> On 9.6.2015 15:06, Simo Sorce wrote:
> > On Tue, 2015-06-09 at 10:30 +0200, Petr Spacek wrote:
> >> Hello,
> >>
> >> I would like to discuss
> >> https://bugzilla.redhat.com/show_bug.cgi?id=1211366
> >> "Error creating a user when jumping from an original server to replica".
> >>
> >> Currently the DNA ranges are distributed from master to other replicas on
> >> first attempt to get a number from particular range.
> >>
> >> This works well as long as the original master is reachable but fails
> >> miserably when the master is not reachable for any reason.
> >>
> >> It is apparently confusing to users [1][2] because it is counter-intuitive.
> >> They have created a replica to be sure that everything will work when the
> >> first server is down, right?
> >>
> >> Remediation is technically simple [3] (just assign a range to the new replica)
> >> but it is confusing to the users, error-prone, and personally I feel that this
> >> is an unnecessary obstacle.
> >>
> >> It seems to me that the original motivation for this behavior was that the
> >> masters were not able to request range back from other replicas when a local
> >> range was depleted.
> >>
> >> This deficiency is tracked as
> >> https://bugzilla.redhat.com/show_bug.cgi?id=1029640 and it is slated for fix
> >> in 4.2.x time frame.
> >>
> >> Can we distribute ranges to the replicas during ipa-replica-install when we
> >> fix bug 1029640?
> >
> > That was not the only reason, another reason is that you do not want to
> > distribute and fragment ranges to replicas that will never be used to
> > create users. What we should do perhaps, is to automatically give a
> > range to CA enabled masters so that at least those servers have a range.
> > If all your CAs are unavailable you have major issues anyway.
> >
> > Though it is a bit bad to have magic behaviors, maybe we should have a
> > "main DNA range holder" role that can be assigned to arbitrary servers
> > (maybe the first replica gets it by default), and when done the server
> > acquire part of the range if it has none.
>
> This concept sounds good to me!
>
> I would only reverse the default, i.e. distribute ranges by default to all
> replicas and let admin to toggle a knob if he feels that his case really needs
> to limit range distribution.

By the time you *feel* that it may be too late.

> > Another option is that a replica can instantiate a whole new range if
> > all the range bearing servers are not around, but that also comes with
> > its own issues.
> >
> > In general I wouldn't want to split by default, because in domains with
> > *many* replicas most of them are used for load balancing and will never
> > be used to create users, so the range would be wasted.
>
> This should not be an issue when
> https://bugzilla.redhat.com/show_bug.cgi?id=1029640 is fixed because replicas
> will be able to request range back if the local chunk is depleted.
>
> Is that correct?

To some degree, the main issue is when replicas get removed abruptly and are
not around to "give back" anything.

We would need to start working on a range-scavenging tool to reclaim "lost"
ranges if you go and automatically distribute ranges to every replica that
ever pops up.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From mkosek at redhat.com Thu Jun 11 14:17:31 2015
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 11 Jun 2015 16:17:31 +0200 Subject: [Freeipa-devel] [PATCH 0052] Stage User: Fix permissions naming and split them where, apropriate. In-Reply-To: <5579935C.6000903@redhat.com> References: <55782A17.4070203@redhat.com> <55797B3A.4070307@redhat.com> <5579935C.6000903@redhat.com> Message-ID: <5579987B.60605@redhat.com> On 06/11/2015 03:55 PM, David Kupka wrote: > Dne 11.6.2015 v 14:12 thierry bordaz napsal(a): >> On 06/10/2015 02:14 PM, David Kupka wrote: >>> https://fedorahosted.org/freeipa/ticket/5057 >> Hello David, >> >> The patch looks ok except it removes a permission to update 'uid' from >> an active user. This permission is required to delete(preserve) an >> active user. >> >> - # Active container >> - # >> - # Stage user administrators need write right on RDN when >> - # the active user is deleted (preserved) >> - 'System: Write Active Users RDN by administrators': { >> - 'ipapermlocation': DN(baseuser.active_container_dn, >> api.env.basedn), >> - 'ipapermbindruletype': 'permission', >> - 'ipapermtarget': DN('uid=*', >> baseuser.active_container_dn, api.env.basedn), >> - 'ipapermtargetfilter': {'(objectclass=posixaccount)'}, >> - 'ipapermright': {'write'}, >> - 'ipapermdefaultattr': {'uid'}, >> - 'default_privileges': {'Stage User Administrators'}, >> - }, >> - # >> >> I prepared a new patch (attached) with that permission and it makes >> 'user-del --preserve' happy. >> Now I think the name would rather be something like: 'System: Preserve >> an active user (user-del --preserve)' >> >> I also added back this comment in two permissions 'Note: targetfilter is >> the target parent container'. >> This was to say that the targetfilter setting was intentional. >> If you think it is not the right place, you may remove those comments. >> >> Thanks >> thierry >> > > Hello Thierry, > Indeed, I accidentally removed these. Thank you for careful review. 
> Rebase is needed but it is due to change in VERSION and is useless to do it
> before push as there are too much patches going to master right now.
> Martin, are you (as a reporter) OK with the patch?
>

Not entirely. I still see some weird permission in stageuser.py:

        #
        # Active container
        #
        # Stage user administrators need write right on RDN when
        # the active user is deleted (preserved)
        'System: Write Active Users RDN by administrators': {
            'ipapermlocation': DN(baseuser.active_container_dn, api.env.basedn),
            'ipapermbindruletype': 'permission',
            'ipapermtarget': DN('uid=*', baseuser.active_container_dn,
                                api.env.basedn),
            'ipapermtargetfilter': {'(objectclass=posixaccount)'},
            'ipapermright': {'write'},
            'ipapermdefaultattr': {'uid'},
            'default_privileges': {'Stage User Administrators'},
        },

This was supposed to be "System: Modify User RDN". When the name is also
fixed, I am fine.

From ftweedal at redhat.com Thu Jun 11 14:26:54 2015
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Fri, 12 Jun 2015 00:26:54 +1000
Subject: [Freeipa-devel] with new cert profiles patches ipa-replica-prepare fails after update
In-Reply-To: <55793FC7.8010004@redhat.com>
References: <55705AC8.4070502@redhat.com> <55793FC7.8010004@redhat.com>
Message-ID: <20150611142654.GW23523@dhcp-40-8.bne.redhat.com>

On Thu, Jun 11, 2015 at 09:59:03AM +0200, Martin Babinsky wrote:
> On 06/04/2015 04:03 PM, Petr Vobornik wrote:
> >- ipa-replica-prepare works
> >- old IPA server was upgraded to today's master (with Cert profiles
> >patches)
> >- ipa-replica-prepare fails with:
> >
> >Log:
> >
> >ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
> >ipa: DEBUG: cert valid True for "CN=repl.example.com,O=EXAMPLE.COM"
> >ipa: DEBUG: handshake complete, peer = [beef::cafe]:8443
> >ipa: DEBUG: Protocol: TLS1.2
> >ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_128_GCM_SHA256
> >ipa: DEBUG: request status 200
> >ipa: DEBUG: request reason_phrase u'OK'
> >ipa: DEBUG: request headers {'date': 'Thu, 04 Jun 2015 13:54:09 GMT',
> >'content-length': '148', 'content-type': 'application/xml', 'server':
> >'Apache-Coyote/1.1'}
> >ipa: DEBUG: request body ' >standalone="no"?>1Profile
> >caIPAserviceCert Not Found'
> >ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: File
> >"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
> >execute
> >    return_value = self.run()
> >  File
> >"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
> >line 338, in run
> >    self.copy_ds_certificate()
> >  File
> >"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
> >line 383, in copy_ds_certificate
> >    self.export_certdb("dscert", passwd_fname)
> >  File
> >"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
> >line 595, in export_certdb
> >    db.create_server_cert(nickname, hostname, ca_db)
> >  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
> >line 337, in create_server_cert
> >    cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
> >  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
> >line 419, in issue_server_cert
> >    raise RuntimeError("Certificate issuance failed")
> >
> >
> Bump, I have also come across this issue (see log:
> http://pastebin.test.redhat.com/289434).
>
> --
> Martin^3 Babinsky

Thanks for the reports. I will try to reproduce and fix tomorr...
*looks at clock*... later on today, after the sun rises and I have had
some sleep :)

Cheers,
Fraser

From dkupka at redhat.com Thu Jun 11 14:34:16 2015
From: dkupka at redhat.com (David Kupka) Date: Thu, 11 Jun 2015 16:34:16 +0200 Subject: [Freeipa-devel] [PATCH 0052] Stage User: Fix permissions naming and split them where, apropriate. In-Reply-To: <5579987B.60605@redhat.com> References: <55782A17.4070203@redhat.com> <55797B3A.4070307@redhat.com> <5579935C.6000903@redhat.com> <5579987B.60605@redhat.com> Message-ID: <55799C68.6090503@redhat.com> Dne 11.6.2015 v 16:17 Martin Kosek napsal(a): > On 06/11/2015 03:55 PM, David Kupka wrote: >> Dne 11.6.2015 v 14:12 thierry bordaz napsal(a): >>> On 06/10/2015 02:14 PM, David Kupka wrote: >>>> https://fedorahosted.org/freeipa/ticket/5057 >>> Hello David, >>> >>> The patch looks ok except it removes a permission to update 'uid' from >>> an active user. This permission is required to delete(preserve) an >>> active user. >>> >>> - # Active container >>> - # >>> - # Stage user administrators need write right on RDN when >>> - # the active user is deleted (preserved) >>> - 'System: Write Active Users RDN by administrators': { >>> - 'ipapermlocation': DN(baseuser.active_container_dn, >>> api.env.basedn), >>> - 'ipapermbindruletype': 'permission', >>> - 'ipapermtarget': DN('uid=*', >>> baseuser.active_container_dn, api.env.basedn), >>> - 'ipapermtargetfilter': {'(objectclass=posixaccount)'}, >>> - 'ipapermright': {'write'}, >>> - 'ipapermdefaultattr': {'uid'}, >>> - 'default_privileges': {'Stage User Administrators'}, >>> - }, >>> - # >>> >>> I prepared a new patch (attached) with that permission and it makes >>> 'user-del --preserve' happy. >>> Now I think the name would rather be something like: 'System: Preserve >>> an active user (user-del --preserve)' >>> >>> I also added back this comment in two permissions 'Note: targetfilter is >>> the target parent container'. >>> This was to say that the targetfilter setting was intentional. >>> If you think it is not the right place, you may remove those comments. 
>>>
>>> Thanks
>>> thierry
>>>
>>
>> Hello Thierry,
>> Indeed, I accidentally removed these. Thank you for careful review.
>> Rebase is needed but it is due to change in VERSION and is useless to do it
>> before push as there are too much patches going to master right now.
>> Martin, are you (as a reporter) OK with the patch?
>>
>
> Not entirely. I still see some weird permission in stageuser.py:
>
>         #
>         # Active container
>         #
>         # Stage user administrators need write right on RDN when
>         # the active user is deleted (preserved)
>         'System: Write Active Users RDN by administrators': {
>             'ipapermlocation': DN(baseuser.active_container_dn, api.env.basedn),
>             'ipapermbindruletype': 'permission',
>             'ipapermtarget': DN('uid=*', baseuser.active_container_dn,
>                                 api.env.basedn),
>             'ipapermtargetfilter': {'(objectclass=posixaccount)'},
>             'ipapermright': {'write'},
>             'ipapermdefaultattr': {'uid'},
>             'default_privileges': {'Stage User Administrators'},
>         },
>
> This was supposed to be "System: Modify User RDN". When the name is also
> fixed, I am fine.
>

Updated patch attached.

--
David Kupka
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-dkupka-0052.2-Stage-User-Fix-permissions-naming-and-split-them-whe.patch
Type: text/x-patch
Size: 18043 bytes
Desc: not available
URL:
From mbasti at redhat.com Thu Jun 11 14:46:13 2015
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 11 Jun 2015 16:46:13 +0200
Subject: [Freeipa-devel] [PATCH 445] install: Fix logging setup in server and replica install
In-Reply-To: <55798CFF.8050206@redhat.com>
References: <55798CFF.8050206@redhat.com>
Message-ID: <55799F35.9060708@redhat.com>

On 11/06/15 15:28, Jan Cholasta wrote:
> Hi,
>
> the attached patch reverts logging in ipa-server-install and
> ipa-replica-install to the old behavior.
>
> Honza
>
>
>
ACK

--
Martin Basti
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From pspacek at redhat.com Thu Jun 11 14:55:41 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 11 Jun 2015 16:55:41 +0200
Subject: [Freeipa-devel] [PATCH 0256] DNS: add UnknonwRecord attribute to schema
In-Reply-To: <555F1DB3.8050604@redhat.com>
References: <555F1DB3.8050604@redhat.com>
Message-ID: <5579A16D.4060103@redhat.com>

On 22.5.2015 14:14, Martin Basti wrote:
> Patch attached.
>
> Initial part of https://fedorahosted.org/freeipa/ticket/4939

ACK

--
Petr^2 Spacek

From pspacek at redhat.com Thu Jun 11 15:03:02 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 11 Jun 2015 17:03:02 +0200
Subject: [Freeipa-devel] [PATCH 0244] DNSSEC: fix traceback in ipa-dnskeysyncd during shutdown phase
In-Reply-To: <5551F75D.6040106@redhat.com>
References: <5551F75D.6040106@redhat.com>
Message-ID: <5579A326.2050803@redhat.com>

On 12.5.2015 14:51, Martin Basti wrote:
> https://fedorahosted.org/freeipa/ticket/4657
>
> Patch attached.

ACK

--
Petr^2 Spacek

From pvoborni at redhat.com Thu Jun 11 16:34:46 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 11 Jun 2015 18:34:46 +0200
Subject: [Freeipa-devel] [PATCH] [WIP] ipa-replica-manage del with managed topology
Message-ID: <5579B8A6.6070805@redhat.com>

Attaching a wip patch for `ipa-replica-manage del` to work with managed
topology.

There are two prerequisite patches, they add the following commands. All
commands have the NO_CLI flag which means they are hidden in CLI.
- server-del
- serverservice-add, mod, del, show, find

serverservice is the object name for server "services" in cn=masters. I don't
like the "service" name much but it's already been used in general discussions.

The main patch introduces two distinct methods for deleting servers, one for
managed topology, another for the old method. They share some code.

There are some differences in behavior.

1. the original 'del' worked also with winsync agreements. I'm not sure why
that is. Shouldn't 'disconnect' be used for winsync agreements? At least the
man page says that.

2. options --clean and --force aren't used in the new method. I don't think
that they are required. They serve for deleting the server entry in
cn=masters. The new method is built around this deletion so that it's always
done, which also means the cleanup is done.

3. Clean RUV task is run after deleting the server entry and related cleanup.
I don't think it works well. From observing the changes, it looks like it's
executed before the topology plugin manages to delete the agreements. This
task then doesn't want to end and it reports that it has not finished
somewhere. It finishes successfully if dirsrv is restarted. Agreements are
then removed as well and all is fine.

Ludwig, should the clean RUV step be done differently? E.g. somewhere else or
after something finishes?

--
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: wip-freeipa-pvoborni-0748-ipa-replica-manage-adjust-del-to-work-with-managed-t.patch
Type: text/x-patch
Size: 10472 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: wip-freeipa-pvoborni-0747-add-serverservice-internal-commands.patch
Type: text/x-patch
Size: 7927 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: wip-freeipa-pvoborni-0746-server-add-del-command.patch
Type: text/x-patch
Size: 1818 bytes
Desc: not available
URL:
From tbordaz at redhat.com Thu Jun 11 17:49:31 2015
From: tbordaz at redhat.com (thierry bordaz) Date: Thu, 11 Jun 2015 19:49:31 +0200 Subject: [Freeipa-devel] [PATCH 0052] Stage User: Fix permissions naming and split them where, apropriate. In-Reply-To: <55799C68.6090503@redhat.com> References: <55782A17.4070203@redhat.com> <55797B3A.4070307@redhat.com> <5579935C.6000903@redhat.com> <5579987B.60605@redhat.com> <55799C68.6090503@redhat.com> Message-ID: <5579CA2B.6090304@redhat.com> On 06/11/2015 04:34 PM, David Kupka wrote: > Dne 11.6.2015 v 16:17 Martin Kosek napsal(a): >> On 06/11/2015 03:55 PM, David Kupka wrote: >>> Dne 11.6.2015 v 14:12 thierry bordaz napsal(a): >>>> On 06/10/2015 02:14 PM, David Kupka wrote: >>>>> https://fedorahosted.org/freeipa/ticket/5057 >>>> Hello David, >>>> >>>> The patch looks ok except it removes a permission to update 'uid' from >>>> an active user. This permission is required to delete(preserve) an >>>> active user. >>>> >>>> - # Active container >>>> - # >>>> - # Stage user administrators need write right on RDN when >>>> - # the active user is deleted (preserved) >>>> - 'System: Write Active Users RDN by administrators': { >>>> - 'ipapermlocation': DN(baseuser.active_container_dn, >>>> api.env.basedn), >>>> - 'ipapermbindruletype': 'permission', >>>> - 'ipapermtarget': DN('uid=*', >>>> baseuser.active_container_dn, api.env.basedn), >>>> - 'ipapermtargetfilter': >>>> {'(objectclass=posixaccount)'}, >>>> - 'ipapermright': {'write'}, >>>> - 'ipapermdefaultattr': {'uid'}, >>>> - 'default_privileges': {'Stage User Administrators'}, >>>> - }, >>>> - # >>>> >>>> I prepared a new patch (attached) with that permission and it makes >>>> 'user-del --preserve' happy. >>>> Now I think the name would rather be something like: 'System: Preserve >>>> an active user (user-del --preserve)' >>>> >>>> I also added back this comment in two permissions 'Note: >>>> targetfilter is >>>> the target parent container'. >>>> This was to say that the targetfilter setting was intentional. 
>>>> If you think it is not the right place, you may remove those comments. >>>> >>>> Thanks >>>> thierry >>>> >>> >>> Hello Thierry, >>> Indeed, I accidentally removed these. Thank you for the careful review. >>> Rebase is needed but it is due to change in VERSION and is useless >>> to do it >>> before push as there are too many patches going to master right now. >>> Martin, are you (as a reporter) OK with the patch? >>> >> >> Not entirely. I still see some weird permission in stageuser.py: >> >> # >> # Active container >> # >> # Stage user administrators need write right on RDN when >> # the active user is deleted (preserved) >> 'System: Write Active Users RDN by administrators': { >> 'ipapermlocation': DN(baseuser.active_container_dn, >> api.env.basedn), >> 'ipapermbindruletype': 'permission', >> 'ipapermtarget': DN('uid=*', baseuser.active_container_dn, >> api.env.basedn), >> 'ipapermtargetfilter': {'(objectclass=posixaccount)'}, >> 'ipapermright': {'write'}, >> 'ipapermdefaultattr': {'uid'}, >> 'default_privileges': {'Stage User Administrators'}, >> }, >> >> This was supposed to be "System: Modify User RDN". When the name is >> also >> fixed, I am fine. >> > Updated patch attached. > > Hi David, All the tests are ok. The patch is fine for me. ACK From derny at redhat.com Thu Jun 11 17:58:35 2015
From: derny at redhat.com (Drew Erny) Date: Thu, 11 Jun 2015 13:58:35 -0400 Subject: [Freeipa-devel] WebUI documentation Message-ID: <5579CC4B.1010502@redhat.com> I'm looking for documentation that provides a broader overview of the way the WebUI fits together and works. I have the source, of course, and I've been through Petr Voborni's documentation found at https://pvoborni.fedorapeople.org/doc/. That documentation explains some narrower concepts (like how navigation fits in, or what a facet alone does), but I'm having trouble finding documentation that is broader and more general in scope. I'm looking for something that will show me how the machinery of the WebUI works, what the layers of the application look like and do, etc. Does something like this exist? From ayoung at redhat.com Thu Jun 11 22:24:36 2015
From: ayoung at redhat.com (Adam Young) Date: Thu, 11 Jun 2015 18:24:36 -0400 Subject: [Freeipa-devel] WebUI documentation In-Reply-To: <5579CC4B.1010502@redhat.com> References: <5579CC4B.1010502@redhat.com> Message-ID: <557A0AA4.9050804@redhat.com> On 06/11/2015 01:58 PM, Drew Erny wrote: > I'm looking for documentation that provides a broader overview of the > way the WebUI fits together and works. I have the source, of course, > and I've been through Petr Voborni's documentation found at > https://pvoborni.fedorapeople.org/doc/. That documentation explains > some narrower concepts (like how navigation fits in, or what a facet > alone does), but I'm having trouble finding documentation that is broader > and more general in scope. I'm looking for something that will show me > how the machinery of the WebUI works, what the layers of the > application look like and do, etc. Does something like this exist? > Probably not to the level you are asking. If Peter didn't write it, it does not exist. Most of the design discussions took place on the mailing list back when I was on the projects...fourish years ago now. There was some significant reworking since I've been gone, so I don't want to tell you anything that is out-and-out wrong, but I think my understanding of it is still fairly accurate. I was a Javascript neophyte when the project started, and there was a lot of advice going different directions. We started off by reading Javascript, The Good Parts, and the approach in that book should be apparent throughout the code base...I'm not saying I would do it that way now. Actually, just imagine me saying that expression on loop throughout. Web Dev today has come a long way in a short while. The CLI and Web API were already established when we started. The CLI used XML RPC, but someone had gotten JSON RPC to work.
Aside from that, the two interfaces would be using the same mechanism to talk to the server; no server side scripting, and no security issues in the client that were not on the web and vice-versa. The application is very driven from the LDAP schemas for the objects it is managing. The challenge on the Web UI was to make it consumable by a new user. We wanted to take the values from the RPC as the starting point. Because we got things in JSON RPC, we had to transform them via Javascript into even the most basic of HTML. The goal was that the displays would be as declarative as possible. Any field could be shown in just a simple text input if editable, and as a text label if not. We'd make heavy use of tables for the list pages and Definition Lists for the others, with all Layout in CSS. AJAX calls to the JSON-RPC server starting with the ones necessary to do layout and figure out which parts of the site to show a user. A huge METADATA call told us pretty much everything about every field of the application. Since all the objects were stored in LDAP, each field has an indicator saying if it is writable or not. The default, though, was to not have a read-only and a writable view; if you can edit a field, it was shown as editable, with an indicator set when the edited value was out of sync with the original, and a reset button on both the field and the facet level. At first there were two main facets; search/list and details. With things like groups, we came up with a third, which was for managing associations. Some other use cases were more appropriately handled with dialogs, such as adding a new entity. The add use cases attempted to capture only the essential information to create the new entity, and then give the user the ability to add another, or edit the one they just added with a single click. The goal was to minimize clicks to get a job done. I'd recommend looking at a simple entity, like policy, which handles the kerberos ticket policy.
From jcholast at redhat.com Fri Jun 12 05:47:14 2015 From: jcholast at redhat.com (Jan Cholasta) Date: Fri, 12 Jun 2015 07:47:14 +0200 Subject: [Freeipa-devel] [PATCH 445] install: Fix logging setup in server and replica install In-Reply-To: <55799F35.9060708@redhat.com> References: <55798CFF.8050206@redhat.com> <55799F35.9060708@redhat.com> Message-ID: <557A7262.8030906@redhat.com> On 11.6.2015 16:46, Martin Basti wrote: > On 11/06/15 15:28, Jan Cholasta wrote: >> Hi, >> >> the attached patch reverts logging in ipa-server-install and >> ipa-replica-install to the old behavior. >> >> Honza >> >> >> > ACK Thanks. Pushed to master: bae80b00a668b678c608d04c1b5d96871a85ece9 -- Jan Cholasta From lkrispen at redhat.com Fri Jun 12 07:24:10 2015
From: lkrispen at redhat.com (Ludwig Krispenz) Date: Fri, 12 Jun 2015 09:24:10 +0200 Subject: [Freeipa-devel] [PATCH] [WIP] ipa-replica-manage del with managed topology In-Reply-To: <5579B8A6.6070805@redhat.com> References: <5579B8A6.6070805@redhat.com> Message-ID: <557A891A.4070308@redhat.com> Hi Petr, On 06/11/2015 06:34 PM, Petr Vobornik wrote: > Attaching a wip patch for `ipa-replica-manage del` to work with > managed topology. > > There are two prerequisite patches, they add following commands. All > commands have the NO_CLI flag which means they are hidden in CLI. > - server-del > - serverservice-add, mod, del, show, find > > serverservice is object name for server "services" in cn=masters. I > don't like the "service" name much but it's already been used in > general discussions. > > The main patch introduces two distinct methods for deleting servers, > one for managed topology another for the old method. They share some > code. > > There are some differences in behavior. > > 1. the original 'del' worked also with winsync agreements. I'm not > sure why that is. Shouldn't 'disconnect' be used for winsync > agreements? At least man page says that. > > 2. options --clean and --force aren't used in the new method. I don't > think that they are required. They serve for deleting the server entry > in cn=masters. The new method is built around this deletion so that > it's always done which also means the cleanup is done. > > 3. Clean RUV task is run after deleting server entry and related > cleanup. I don't think it works well. From observing the changes, it > looks like it's executed before topology plugin manages to delete the > agreements. This task then doesn't want to end and it reports that it > has not finished somewhere. It finishes successfully if dirsrv is > restarted. Agreements are then removed as well and all is fine. > > Ludwig, should the clean RUV step be done differently? E.g. somewhere > else or after something finishes?
Good question, investigating the cleanallruv problems was on my agenda after the topology plugin is "stable". We have seen many issues (eg corrupted ruvs), where we don't know why they exist in DS and if anything in the management code of ipa is contributing to this. So I can not really recommend a "best practice" at the moment. Regarding required changes in the manage-del, I think the problem is that without the topo plugin the agreement was deleted, then cleanallruv was started (it no longer tried to contact the removed replica and didn't get contacted by that replica). Now the direct deletion of the agreement is rejected and the cleanallruv will act in the full topology, so it probably should be done after the server was removed. You call server_del before calling replica_cleanup (which also deletes the server). I don't see the deletion of the services before server_del, so this should fail since it has children. From pvoborni at redhat.com Fri Jun 12 08:20:52 2015
From: pvoborni at redhat.com (Petr Vobornik) Date: Fri, 12 Jun 2015 10:20:52 +0200 Subject: [Freeipa-devel] [PATCH] [WIP] ipa-replica-manage del with managed topology In-Reply-To: <557A891A.4070308@redhat.com> References: <5579B8A6.6070805@redhat.com> <557A891A.4070308@redhat.com> Message-ID: <557A9664.5020709@redhat.com> On 06/12/2015 09:24 AM, Ludwig Krispenz wrote: > Hi Petr, > On 06/11/2015 06:34 PM, Petr Vobornik wrote: >> Attaching a wip patch for `ipa-replica-manage del` to work with >> managed topology. >> >> There are two prerequisite patches, they add following commands. All >> commands have the NO_CLI flag which means they are hidden in CLI. >> - server-del >> - serverservice-add, mod, del, show, find >> >> serverservice is object name for server "services" in cn=masters. I >> don't like the "service" name much but it's already been used in >> general discussions. >> >> The main patch introduces two distinct methods for deleting servers, >> one for managed topology another for the old method. They share some >> code. >> >> There are some differences in behavior. >> >> 1. the original 'del' worked also with winsync agreements. I'm not >> sure why that is. Shouldn't 'disconnect' be used for winsync >> agreements? At least man page says that. >> >> 2. options --clean and --force aren't used in the new method. I don't >> think that they are required. They serve for deleting the server entry >> in cn=masters. The new method is built around this deletion so that >> it's always done which also means the cleanup is done. >> >> 3. Clean RUV task is run after deleting server entry and related >> cleanup. I don't think it works well. From observing the changes, it >> looks like it's executed before topology plugin manages to delete the >> agreements. This task then doesn't want to end and it reports that it >> has not finished somewhere. It finishes successfully if dirsrv is >> restarted. Agreements are then removed as well and all is fine.
>> >> Ludwig, should the clean RUV step be done differently? E.g. somewhere >> else or after something finishes? > Good question, investigating the cleanallruv problems was on my agenda > after the topology plugin is "stable". We have seen many issues (eg > corrupted ruvs), where we don't know why they exist in DS and if > anything in the management code of ipa is contributing to this. So I can > not really recommend a "best practice" at the moment. > Regarding required changes in the manage-del, I think the problem is > that without the topo plugin the agreement was deleted, then cleanallruv > was started (it no longer tried to contact the removed replica and > didn't get contacted by that replica). Now the direct deletion of the > agreement is rejected and the cleanallruv will act in the full topology, > so it probably should be done after the server was removed. Would it be sufficient to check deletion of related segments? Deletion check of rep. agreement seems error prone to me (this server doesn't have to have any and must contact different server...). > > You call server_del before calling replica_cleanup (which also deletes > the server). I don't see the deletion of the services before server_del, > so this should fail since it has children. > It won't fail, server_del inherits from LDAPDelete which deletes the children on errors.NotAllowedOnNonLeaf and then it retries the deletion. replica cleanup tries to do it again but if the server entry is not there, it continues without raising an error. This is fine. The logic was kept there for the old del method. -- Petr Vobornik From lkrispen at redhat.com Fri Jun 12 08:26:41 2015
From: lkrispen at redhat.com (Ludwig Krispenz) Date: Fri, 12 Jun 2015 10:26:41 +0200 Subject: [Freeipa-devel] [PATCH] [WIP] ipa-replica-manage del with managed topology In-Reply-To: <557A9664.5020709@redhat.com> References: <5579B8A6.6070805@redhat.com> <557A891A.4070308@redhat.com> <557A9664.5020709@redhat.com> Message-ID: <557A97C1.4060403@redhat.com> On 06/12/2015 10:20 AM, Petr Vobornik wrote: > On 06/12/2015 09:24 AM, Ludwig Krispenz wrote: >> Hi Petr, >> On 06/11/2015 06:34 PM, Petr Vobornik wrote: >>> Attaching a wip patch for `ipa-replica-manage del` to work with >>> managed topology. >>> >>> There are two prerequisite patches, they add following commands. All >>> commands have the NO_CLI flag which means they are hidden in CLI. >>> - server-del >>> - serverservice-add, mod, del, show, find >>> >>> serverservice is object name for server "services" in cn=masters. I >>> don't like the "service" name much but it's already been used in >>> general discussions. >>> >>> The main patch introduces two distinct methods for deleting servers, >>> one for managed topology another for the old method. They share some >>> code. >>> >>> There are some differences in behavior. >>> >>> 1. the original 'del' worked also with winsync agreements. I'm not >>> sure why that is. Shouldn't 'disconnect' be used for winsync >>> agreements? At least man page says that. >>> >>> 2. options --clean and --force aren't used in the new method. I don't >>> think that they are required. They serve for deleting the server entry >>> in cn=masters. The new method is built around this deletion so that >>> it's always done which also means the cleanup is done. >>> >>> 3. Clean RUV task is run after deleting server entry and related >>> cleanup. I don't think it works well. From observing the changes, it >>> looks like it's executed before topology plugin manages to delete the >>> agreements. This task then doesn't want to end and it reports that it >>> has not finished somewhere.
It finishes successfully if dirsrv is >>> restarted. Agreements are then removed as well and all is fine. >>> >>> Ludwig, should the clean RUV step be done differently? E.g. somewhere >>> else or after something finishes? >> Good question, investigating the cleanallruv problems was on my agenda >> after the topology plugin is "stable". We have seen many issues (eg >> corrupted ruvs), where we don't know why they exist in DS and if >> anything in the management code of ipa is contributing to this. So I can >> not really recommend a "best practice" at the moment. >> Regarding required changes in the manage-del, I think the problem is >> that without the topo plugin the agreement was deleted, then cleanallruv >> was started (it no longer tried to contact the removed replica and >> didn't get contacted by that replica). Now the direct deletion of the >> agreement is rejected and the cleanallruv will act in the full topology, >> so it probably should be done after the server was removed. > > Would it be sufficient to check deletion of related segments? Yes, that should be enough. > Deletion check of rep. agreement seems error prone to me (this server > doesn't have to have any and must contact different server...). Agree, don't need to rely on repl agreements. That's something I didn't understand with the old method, there could be agreements to the removed replica on other servers, were they removed as well? >> >> You call server_del before calling replica_cleanup (which also deletes >> the server). I don't see the deletion of the services before server_del, >> so this should fail since it has children. >> > > It won't fail, server_del inherits from LDAPDelete which deletes the > children on errors.NotAllowedOnNonLeaf and then it retries the deletion. > > replica cleanup tries to do it again but if the server entry is not > there, it continues without raising an error. This is fine. The logic was > kept there for the old del method.
Thanks for the explanation From pspacek at redhat.com Fri Jun 12 09:09:08 2015
From: pspacek at redhat.com (Petr Spacek) Date: Fri, 12 Jun 2015 11:09:08 +0200 Subject: [Freeipa-devel] DNA range distribution to replicas by default In-Reply-To: <1434031894.20848.53.camel@willson.usersys.redhat.com> References: <5576A41A.4020604@redhat.com> <1433855206.20848.21.camel@willson.usersys.redhat.com> <5579652D.3020003@redhat.com> <1434031894.20848.53.camel@willson.usersys.redhat.com> Message-ID: <557AA1B4.3030709@redhat.com> On 11.6.2015 16:11, Simo Sorce wrote: > On Thu, 2015-06-11 at 12:38 +0200, Petr Spacek wrote: >> On 9.6.2015 15:06, Simo Sorce wrote: >>> On Tue, 2015-06-09 at 10:30 +0200, Petr Spacek wrote: >>>> Hello, >>>> >>>> I would like to discuss >>>> https://bugzilla.redhat.com/show_bug.cgi?id=1211366 >>>> "Error creating a user when jumping from an original server to replica". >>>> >>>> Currently the DNA ranges are distributed from master to other replicas on >>>> first attempt to get a number from particular range. >>>> >>>> This works well as long as the original master is reachable but fails >>>> miserably when the master is not reachable for any reason. >>>> >>>> It is apparently confusing to users [1][2] because it is counter-intuitive. >>>> They have created a replica to be sure that everything will work when the >>>> first server is down, right? >>>> >>>> Remediation is technically simple [3] (just assign a range to the new replica) >>>> but it is confusing to the users, error-prone, and personally I feel that this >>>> is an unnecessary obstacle. >>>> >>>> It seems to me that the original motivation for this behavior was that the >>>> masters were not able to request range back from other replicas when a local >>>> range was depleted. >>>> >>>> This deficiency is tracked as >>>> https://bugzilla.redhat.com/show_bug.cgi?id=1029640 and it is slated for fix >>>> in 4.2.x time frame. >>>> >>>> Can we distribute ranges to the replicas during ipa-replica-install when we >>>> fix bug 1029640? 
>>> >>> That was not the only reason, another reason is that you do not want to >>> distribute and fragment ranges to replicas that will never be used to >>> create users. What we should do perhaps, is to automatically give a >>> range to CA enabled masters so that at least those servers have a range. >>> If all your CAs are unavailable you have major issues anyway. >>> >>> Though it is a bit bad to have magic behaviors, maybe we should have a >>> "main DNA range holder" role that can be assigned to arbitrary servers >>> (maybe the first replica gets it by default), and when done the server >>> acquire part of the range if it has none. >> >> This concept sounds good to me! >> >> I would only reverse the default, i.e. distribute ranges by default to all >> replicas and let the admin toggle a knob if he feels that his case really needs >> to limit range distribution. > > By the time you *feel* that it may be too late. > >>> Another option is that a replica can instantiate a whole new range if >>> all the range bearing servers are not around, but that also comes with >>> its own issues. >>> >>> In general I wouldn't want to split by default, because in domains with >>> *many* replicas most of them are used for load balancing and will never >>> be used to create users, so the range would be wasted. >> >> This should not be an issue when >> https://bugzilla.redhat.com/show_bug.cgi?id=1029640 is fixed because replicas >> will be able to request range back if the local chunk is depleted. >> >> Is that correct? > > To some degree, the main issue is when replicas get removed abruptly and > are not around to "give back" anything. > We would need to start working on a range-scavenging tool to reclaim > "lost" ranges if you go and automatically distribute ranges to every > replica that ever pops up. Okay, I understand that.
I can't help myself but it seems to me that this problem is inherent to the current design and can always happen because the range information is local to the replica. As a result, if the replica with a range disappears we always need to do some sort of manual recovery to get the free numbers back. Consequently, lowering the number of replicas with ranges just makes the problem less common but does not eliminate it. Let's look at: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=ipa,dc=example It seems that we already have information which replicas have free values in the shared tree - this is good, but not sufficient to eliminate the problem. The information about range start/end and the next free value is missing in the shared tree and is stored only in cn=config on a particular replica. It seems to me that adding these range start/end values to the shared tree would help because the information about the range would be preserved even if the replica was deleted/lost. Apparently the attribute dnaRemainingValues in the shared tree is updated after each number allocation so adding the next free value (to a new attribute) to the shared tree would not add any significant replication churn because the object needs to be updated anyway. What did I miss? -- Petr^2 Spacek From mkosek at redhat.com Fri Jun 12 09:34:39 2015
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 12 Jun 2015 11:34:39 +0200 Subject: [Freeipa-devel] FreeIPA 4.2 Alpha preparations Message-ID: <557AA7AF.1070903@redhat.com> Hello all, As discussed in the last 2 weeks, we are getting close to the 4.2 finish line and releasing FreeIPA 4.2 Alpha 1. We already have most of the major RFEs complete, some still miss some partial functionality, but most are testable and in Alpha state already. We need to now find out what is blocking us from releasing the Alpha. I know only about 2 issues: - ipa-replica-manage del does not work well with the Topology plugin yet - Petr Vobornik and Ludwig are working on it - ipa-replica-prepare had some issues after upgrade from 4.1.x to 4.2.0 due to inaccessible certificate profiles - Jan, Martin2, Fraser were investigating Is that correct? Feature owners, please let me know if any of the major features regressed and is not working properly, maybe by other patch sets being merged. When the blockers are resolved or documented, we should release the beast. Any volunteer for the release process? Finally, I put together a release note draft for the Alpha, please help me complete and update it: http://www.freeipa.org/page/Releases/4.2.0.alpha1 Thanks everyone! -- Martin Kosek Supervisor, Software Engineering - Identity Management Team Red Hat Inc. From ftweedal at redhat.com Fri Jun 12 12:00:18 2015 From: ftweedal at redhat.com (Fraser Tweedale) Date: Fri, 12 Jun 2015 22:00:18 +1000 Subject: [Freeipa-devel] [PATCH] 0019 Server upgrade: disconnect ldap2 before DS restart Message-ID: <20150612120018.GA23523@dhcp-40-8.bne.redhat.com> Attached patch fixes an upgrade issue from 4.1.4 to master. With this patch upgrade works, and ipa-replica-prepare works on upgraded server. Thanks, Fraser From eb1043521317e5759444caaedef1fd81eda55b47 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale Date: Fri, 12 Jun 2015 07:54:23 -0400 Subject: [PATCH] Server upgrade: disconnect ldap2 before DS restart If ldap2 is not disconnected and DS is restarted, it will believe that it is still connected and connect error will result. Disconnect the ldap2 backend before a DS restart to prevent this. --- ipaserver/install/server/upgrade.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 306d1d27cda7a517117110ad3e6a760108f0fe19..923b4c2c0da3e9ff1b1341e673fda6d6cda126a2 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -1239,6 +1239,8 @@ def fix_trust_flags(): if cert: db.trust_root_cert(nickname, 'CT,C,C') + api.Backend.ldap2.disconnect() + sysupgrade.set_upgrade_state('http', 'fix_trust_flags', True) @@ -1275,6 +1277,8 @@ def add_default_caacl(ca): api.Command.caacl_add_profile(u'hosts_services_caIPAserviceCert', certprofile=(u'caIPAserviceCert',)) + api.Backend.ldap2.disconnect() + sysupgrade.set_upgrade_state('caacl', 'add_default_caacl', True) -- 2.1.0 From ftweedal at redhat.com Fri Jun 12 12:12:52 2015 From: ftweedal at redhat.com (Fraser Tweedale) Date: Fri, 12 Jun 2015 22:12:52 +1000 Subject: [Freeipa-devel] [PATCH] 0019 Server upgrade: disconnect ldap2 before DS restart In-Reply-To: <20150612120018.GA23523@dhcp-40-8.bne.redhat.com> References: <20150612120018.GA23523@dhcp-40-8.bne.redhat.com> Message-ID: <20150612121252.GC23523@dhcp-40-8.bne.redhat.com> On Fri, Jun 12, 2015 at 10:00:18PM +1000, Fraser Tweedale wrote: > From eb1043521317e5759444caaedef1fd81eda55b47 Mon Sep 17 00:00:00 2001 
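Review bot: both hunks add api.Backend.ldap2.disconnect() only on the normal completion path of fix_trust_flags() and add_default_caacl(), right before sysupgrade.set_upgrade_state(); if anything earlier in either function raises, ldap2 stays connected and the next DS restart produces exactly the stale-connection failure the commit message describes. Wrap the connected part of each body in try/finally (or the context manager mentioned in the follow-up) and guard the call with api.Backend.ldap2.isconnected(), since disconnect() on a backend that was never connected in that step may itself raise. The thread also records this as a duplicate of Martin Basti's patch 0264, so only one of the two should land.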
> From: Fraser Tweedale > Date: Fri, 12 Jun 2015 07:54:23 -0400 > Subject: [PATCH] Server upgrade: disconnect ldap2 before DS restart > > If ldap2 is not disconnected and DS is restarted, it will believe > that it is still connected and connect error will result. > Disconnect the ldap2 backend before a DS restart to prevent this. > A brief follow-up comment: from this experience I have learned that if one connects to LDAP during server upgrade, one should disconnect when done. Otherwise if someone needs to add another DS restart, breakage may occur. Context manager in ldap2 might be useful. From mbasti at redhat.com Fri Jun 12 12:17:30 2015 From: mbasti at redhat.com (Martin Basti) Date: Fri, 12 Jun 2015 14:17:30 +0200 Subject: [Freeipa-devel] [PATCH] 0019 Server upgrade: disconnect ldap2 before DS restart In-Reply-To: <20150612121252.GC23523@dhcp-40-8.bne.redhat.com> References: <20150612120018.GA23523@dhcp-40-8.bne.redhat.com> <20150612121252.GC23523@dhcp-40-8.bne.redhat.com> Message-ID: <557ACDDA.4090705@redhat.com> On 12/06/15 14:12, Fraser Tweedale wrote: > On Fri, Jun 12, 2015 at 10:00:18PM +1000, Fraser Tweedale wrote: >> From eb1043521317e5759444caaedef1fd81eda55b47 Mon Sep 17 00:00:00 2001 
>> From: Fraser Tweedale >> Date: Fri, 12 Jun 2015 07:54:23 -0400 >> Subject: [PATCH] Server upgrade: disconnect ldap2 before DS restart >> >> If ldap2 is not disconnected and DS is restarted, it will believe >> that it is still connected and connect error will result. >> Disconnect the ldap2 backend before a DS restart to prevent this. >> > A brief follow-up comment: from this experience I have learned that > if one connects to LDAP during server upgrade, one should disconnect > when done. Otherwise if someone needs to add another DS restart, > breakage may occur. Context manager in ldap2 might be useful. > IMO this fixes the same issue as my patch 264. Are you sure that this is the issue that prevents installing a replica? Martin3 told me he had no issue with upgrade. -- Martin Basti From ftweedal at redhat.com Fri Jun 12 13:14:09 2015 From: ftweedal at redhat.com (Fraser Tweedale) Date: Fri, 12 Jun 2015 23:14:09 +1000 Subject: [Freeipa-devel] [PATCH] 0019 Server upgrade: disconnect ldap2 before DS restart In-Reply-To: <557ACDDA.4090705@redhat.com> References: <20150612120018.GA23523@dhcp-40-8.bne.redhat.com> <20150612121252.GC23523@dhcp-40-8.bne.redhat.com> <557ACDDA.4090705@redhat.com> Message-ID: <20150612131409.GD23523@dhcp-40-8.bne.redhat.com> On Fri, Jun 12, 2015 at 02:17:30PM +0200, Martin Basti wrote: > On 12/06/15 14:12, Fraser Tweedale wrote: > >On Fri, Jun 12, 2015 at 10:00:18PM +1000, Fraser Tweedale wrote: > >> From eb1043521317e5759444caaedef1fd81eda55b47 Mon Sep 17 00:00:00 2001
> >>From: Fraser Tweedale > >>Date: Fri, 12 Jun 2015 07:54:23 -0400 > >>Subject: [PATCH] Server upgrade: disconnect ldap2 before DS restart > >> > >>If ldap2 is not disconnected and DS is restarted, it will believe > >>that it is still connected and connect error will result. > >>Disconnect the ldap2 backend before a DS restart to prevent this. > >> > >A brief follow-up comment: from this experience I have learned that > >if one connects to LDAP during server upgrade, one should disconnect > >when done. Otherwise if someone needs to add another DS restart, > >breakage may occur. Context manager in ldap2 might be useful. > > > > IMO this fixes the same issue as my patch 264. > Oh, yes it does address the same issue. Patch 0019 rescinded. > Are you sure that this is the issue that prevents installing a replica? > Martin3 told me he had no issue with upgrade. > With the upgrade succeeding I am not having any issues running ipa-replica-install. I'll follow up in the other thread. Thanks, Fraser > -- > Martin Basti > From ftweedal at redhat.com Fri Jun 12 13:18:52 2015
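The follow-up in the thread above suggests a context manager for ldap2 so that an upgrade step can never leave its LDAP connection open across a directory server restart. The block below is an added example and not FreeIPA code: FakeDirectoryServer and FakeLdapBackend are hypothetical stand-ins (constructed for this illustration) for 389-ds and api.Backend.ldap2 that model only the symptom described in the commit message, a client whose "connected" flag survives a server restart, and ldap_connection() is the try/finally pattern that guarantees the disconnect even when the step raises. Method names (connect, disconnect, isconnected, search) and the sample suffix are assumptions, not the real ldap2 API.

```python
"""Keeping an LDAP backend connection from outliving a directory server restart.

Added example, not FreeIPA code. FakeDirectoryServer and FakeLdapBackend are
hypothetical stand-ins for 389-ds and api.Backend.ldap2; they reproduce only
the failure mode from the thread (a client that still believes it is connected
after the server restarted). ldap_connection() is the suggested context manager.
"""
from contextlib import contextmanager


class LdapConnectionError(Exception):
    """Raised for 'not connected', 'already connected' and stale sessions."""


class FakeDirectoryServer:
    """Constructed model of the directory server: every restart invalidates
    the sessions that were opened before it."""

    def __init__(self):
        self.generation = 0

    def restart(self):
        self.generation += 1


class FakeLdapBackend:
    """Hypothetical stand-in for api.Backend.ldap2. The connected state lives
    only on the client side, so a server restart does not clear it."""

    def __init__(self, server):
        self.server = server
        self._session = None  # server generation the session was opened in

    def isconnected(self):
        return self._session is not None

    def connect(self):
        if self.isconnected():
            raise LdapConnectionError("already connected")
        self._session = self.server.generation

    def disconnect(self):
        if not self.isconnected():
            raise LdapConnectionError("not connected")
        self._session = None

    def search(self, base):
        if not self.isconnected():
            raise LdapConnectionError("not connected")
        if self._session != self.server.generation:
            # the server was restarted underneath a session the client kept
            raise LdapConnectionError("stale connection: server restarted")
        return ["cn=masters,cn=ipa,cn=etc," + base]


@contextmanager
def ldap_connection(backend):
    """Connect for one upgrade step and always disconnect afterwards,
    whether the step returns normally or raises."""
    backend.connect()
    try:
        yield backend
    finally:
        if backend.isconnected():
            backend.disconnect()


BASE = "dc=example,dc=com"  # constructed sample suffix


def step_without_guard(backend, server):
    """The bug from the thread: one connection reused across a DS restart.
    Returns the error text, or 'ok' if nothing went wrong."""
    backend.connect()
    backend.search(BASE)
    server.restart()  # a later upgrade step restarts the directory server
    try:
        backend.search(BASE)
        return "ok"
    except LdapConnectionError as exc:
        return str(exc)
    finally:
        backend.disconnect()


def step_with_guard(backend, server):
    """Each step owns its connection, so the restart never sees a live
    session. Returns the search result of the step after the restart."""
    with ldap_connection(backend) as conn:
        conn.search(BASE)
    server.restart()
    with ldap_connection(backend) as conn:
        return conn.search(BASE)


def failing_step_leaves_backend_disconnected(backend):
    """A step that raises half way still ends with the backend disconnected."""
    try:
        with ldap_connection(backend) as conn:
            conn.search(BASE)
            raise RuntimeError("step failed half way")
    except RuntimeError:
        pass
    return not backend.isconnected()
```

The same shape applies to the real upgrade code: connect inside the step that needs LDAP, release in a finally block, and never carry a connection object across a call that restarts the service it talks to.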
From: ftweedal at redhat.com (Fraser Tweedale) Date: Fri, 12 Jun 2015 23:18:52 +1000 Subject: [Freeipa-devel] with new cert profiles patches ipa-replica-prepare fails after update In-Reply-To: <55793FC7.8010004@redhat.com> References: <55705AC8.4070502@redhat.com> <55793FC7.8010004@redhat.com> Message-ID: <20150612131852.GA29330@dhcp-40-8.bne.redhat.com> On Thu, Jun 11, 2015 at 09:59:03AM +0200, Martin Babinsky wrote: > On 06/04/2015 04:03 PM, Petr Vobornik wrote: > >- ipa-replica-prepare works > >- old IPA server was upgraded to today's master (with Cert profiles > >patches) > >- ipa-replica-prepare fails with: > > > >Log: > > > >ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server > >ipa: DEBUG: cert valid True for "CN=repl.example.com,O=EXAMPLE.COM" > >ipa: DEBUG: handshake complete, peer = [beef::cafe]:8443 > >ipa: DEBUG: Protocol: TLS1.2 > >ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_128_GCM_SHA256 > >ipa: DEBUG: request status 200 > >ipa: DEBUG: request reason_phrase u'OK' > >ipa: DEBUG: request headers {'date': 'Thu, 04 Jun 2015 13:54:09 GMT', > >'content-length': '148', 'content-type': 'application/xml', 'server': > >'Apache-Coyote/1.1'} > >ipa: DEBUG: request body ' >standalone="no"?>1Profile > >caIPAserviceCert Not Found' > >ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: File > >"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in > >execute > > return_value = self.run() > > File > >"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", > >line 338, in run > > self.copy_ds_certificate() > > File > >"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", > >line 383, in copy_ds_certificate > > self.export_certdb("dscert", passwd_fname) > > File > >"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", > >line 595, in export_certdb > > db.create_server_cert(nickname, hostname, ca_db) > > File 
"/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", > >line 337, in create_server_cert > > cdb.issue_server_cert(self.certreq_fname, self.certder_fname) > > File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", > >line 419, in issue_server_cert > > raise RuntimeError("Certificate issuance failed") > > > > Bump, I have also come across this issue (see log: > http://pastebin.test.redhat.com/289434). > > -- > Martin^3 Babinsky It was reported to me that the issue was reproducible after upgrade from 4.1.4 to master, but I was not able to reproduce. Can anyone who has encountered it please: - state fedora version(s) affected and precise build of Dogtag - provide ipaupgrade.log and /var/log/pki/pki-tomcat/ca/debug Thanks, Fraser From mbabinsk at redhat.com Fri Jun 12 13:26:25 2015 From: mbabinsk at redhat.com (Martin Babinsky) Date: Fri, 12 Jun 2015 15:26:25 +0200 Subject: [Freeipa-devel] [PATCH 0264] Server Upgrade: disconnect ldap2 connection before DS restart In-Reply-To: <557823B7.3070205@redhat.com> References: <557823B7.3070205@redhat.com> Message-ID: <557ADE01.4090206@redhat.com> On 06/10/2015 01:47 PM, Martin Basti wrote: > Without this patch, upgrade may fail when api.Backend.ldap2 was > connected before DS restart. > > Patch attached. > > > ACK -- Martin^3 Babinsky From simo at redhat.com Fri Jun 12 13:27:52 2015 From: simo at redhat.com (Simo Sorce) Date: Fri, 12 Jun 2015 09:27:52 -0400 (EDT) Subject: [Freeipa-devel] DNA range distribution to replicas by default In-Reply-To: <557AA1B4.3030709@redhat.com> References: <5576A41A.4020604@redhat.com> <1433855206.20848.21.camel@willson.usersys.redhat.com> <5579652D.3020003@redhat.com> <1434031894.20848.53.camel@willson.usersys.redhat.com> <557AA1B4.3030709@redhat.com> Message-ID: <214960863.1166110.1434115672513.JavaMail.zimbra@redhat.com> ----- Original Message -----
> From: "Petr Spacek" > To: "Simo Sorce" > Cc: "freeipa-devel" , "Tomas Capek" , "Ludwig Krispenz" > , "Thierry Bordaz" > Sent: Friday, June 12, 2015 5:09:08 AM > Subject: Re: [Freeipa-devel] DNA range distribution to replicas by default > > On 11.6.2015 16:11, Simo Sorce wrote: > > On Thu, 2015-06-11 at 12:38 +0200, Petr Spacek wrote: > >> On 9.6.2015 15:06, Simo Sorce wrote: > >>> On Tue, 2015-06-09 at 10:30 +0200, Petr Spacek wrote: > >>>> Hello, > >>>> > >>>> I would like to discuss > >>>> https://bugzilla.redhat.com/show_bug.cgi?id=1211366 > >>>> "Error creating a user when jumping from an original server to replica". > >>>> > >>>> Currently the DNA ranges are distributed from master to other replicas > >>>> on > >>>> first attempt to get a number from particular range. > >>>> > >>>> This works well as long as the original master is reachable but fails > >>>> miserably when the master is not reachable for any reason. > >>>> > >>>> It is apparently confusing to users [1][2] because it is > >>>> counter-intuitive. > >>>> They have created a replica to be sure that everything will work when > >>>> the > >>>> first server is down, right? > >>>> > >>>> Remediation is technically simple [3] (just assign a range to the new > >>>> replica) > >>>> but it is confusing to the users, error-prone, and personally I feel > >>>> that this > >>>> is an unnecessary obstacle. > >>>> > >>>> It seems to me that the original motivation for this behavior was that > >>>> the > >>>> masters were not able to request range back from other replicas when a > >>>> local > >>>> range was depleted. > >>>> > >>>> This deficiency is tracked as > >>>> https://bugzilla.redhat.com/show_bug.cgi?id=1029640 and it is slated for > >>>> fix > >>>> in 4.2.x time frame. > >>>> > >>>> Can we distribute ranges to the replicas during ipa-replica-install when > >>>> we > >>>> fix bug 1029640? 
> >>> > >>> That was not the only reason, another reason is that you do not want to > >>> distribute and fragment ranges to replicas that will never be used to > >>> create users. What we should do perhaps, is to automatically give a > >>> range to CA enabled masters so that at least those servers have a range. > >>> If all your CAs are unavailable you have major issues anyway. > >>> > >>> Though it is a bit bad to have magic behaviors, maybe we should have a > >>> "main DNA range holder" role that can be assigned to arbitrary servers > >>> (maybe the first replica gets it by default), and when done the server > >>> acquire part of the range if it has none. > >> > >> This concept sounds good to me! > >> > >> I would only reverse the default, i.e. distribute ranges by default to all > >> replicas and let admin to toggle a knob if he feels that his case really > >> needs > >> to limit range distribution. > > > > By the time you *feel* that it may be too late. > > > >>> Another option is that a replica can instantiate a whole new range if > >>> all the range bearing servers are not around, but that also comes with > >>> its own issues. > >>> > >>> In general I wouldn't want to split by default, because in domains with > >>> *many* replicas most of them are used for load balancing and will never > >>> be used to create users, so the range would be wasted. > >> > >> This should not be an issue when > >> https://bugzilla.redhat.com/show_bug.cgi?id=1029640 is fixed because > >> replicas > >> will be able to request range back if the local chunk is depleted. > >> > >> Is that correct? > > > > To some degree, the main issue is when replicas get removed abruptly and > > are not around to "give back" anything. > > We would need to start working on a range-scavenging tool to reclaim > > "lost" ranges if you go and automatically distribute ranges to every > > replica that ever pops up. > > Okay, I understand that. 
>
> I can't help myself but it seems to me that this problem is inherent to
> current design and can always happen because the range information is local
> to
> the replica. As a result, if the replica with a range disappears we always
> need to do some sort of manual recovery to get the free numbers back.
>
> Consequently, lowering number of replicas with ranges just makes the problem
> less common but does not eliminate it.
>
> Let's look at: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=ipa,dc=example
>
> It seems that we already have information which replicas have free values in
> the shared tree - this is good, but not sufficient to eliminate the problem.
> The information about range start/end and the next free value is missing in
> the shared tree and is stored only in cn=config on particular replica.
>
> It seems to me that adding this range start/end values to the shared tree
> would help because the information about the range would be preserved even if
> the replica was deleted/lost.
>
> Apparently the attribute dnaRemainingValues in the shared tree is updated
> after each number allocation so adding the next free value (to a new
> attribute) to the shared tree would not add any significant replication churn
> because the object needs to be updated anyway.
>
> What did I miss?

We could publish the range there I guess.
But I'd rather keep the counters local and update the "available" values only every 100 or so.
This is to reduce the number of replication messages going out. Even if you do not know the exact starting point that is not a huge deal as DNA checks that an ID is free before assigning it anyways.

Simo.

From pvoborni at redhat.com Fri Jun 12 13:47:38 2015
From: pvoborni at redhat.com (Petr Vobornik) Date: Fri, 12 Jun 2015 15:47:38 +0200 Subject: [Freeipa-devel] with new cert profiles patches ipa-replica-prepare fails after update In-Reply-To: <20150612131852.GA29330@dhcp-40-8.bne.redhat.com> References: <55705AC8.4070502@redhat.com> <55793FC7.8010004@redhat.com> <20150612131852.GA29330@dhcp-40-8.bne.redhat.com> Message-ID: <557AE2FA.3070004@redhat.com> On 06/12/2015 03:18 PM, Fraser Tweedale wrote: > On Thu, Jun 11, 2015 at 09:59:03AM +0200, Martin Babinsky wrote: >> On 06/04/2015 04:03 PM, Petr Vobornik wrote: >>> - ipa-replica-prepare works >>> - old IPA server was upgraded to today's master (with Cert profiles >>> patches) >>> - ipa-replica-prepare fails with: >>> >>> Log: >>> >>> ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server >>> ipa: DEBUG: cert valid True for "CN=repl.example.com,O=EXAMPLE.COM" >>> ipa: DEBUG: handshake complete, peer = [beef::cafe]:8443 >>> ipa: DEBUG: Protocol: TLS1.2 >>> ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_128_GCM_SHA256 >>> ipa: DEBUG: request status 200 >>> ipa: DEBUG: request reason_phrase u'OK' >>> ipa: DEBUG: request headers {'date': 'Thu, 04 Jun 2015 13:54:09 GMT', >>> 'content-length': '148', 'content-type': 'application/xml', 'server': >>> 'Apache-Coyote/1.1'} >>> ipa: DEBUG: request body '>> standalone="no"?>1Profile >>> caIPAserviceCert Not Found' >>> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: File >>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in >>> execute >>> return_value = self.run() >>> File >>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", >>> line 338, in run >>> self.copy_ds_certificate() >>> File >>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", >>> line 383, in copy_ds_certificate >>> self.export_certdb("dscert", passwd_fname) >>> File >>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", >>> line 595, in 
export_certdb >>> db.create_server_cert(nickname, hostname, ca_db) >>> File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", >>> line 337, in create_server_cert >>> cdb.issue_server_cert(self.certreq_fname, self.certder_fname) >>> File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", >>> line 419, in issue_server_cert >>> raise RuntimeError("Certificate issuance failed") >>> >> >> Bump, I have also came across this issue (see log: >> http://pastebin.test.redhat.com/289434). >> >> -- >> Martin^3 Babinsky > > It was reported to me that the issue was reproducible after upgrade > from 4.1.4 to master, but I was not able to reproduce. Can anyone > who has encountered it please: > > - state fedora version(s) affected and precise build of Dogtag > - provide ipaupgrade.log and /var/log/pki/pki-tomcat/ca/debug > > Thanks, > Fraser > I see similar issue when creating a replica file from second replica/master, all git master. I.e. the prepare on first server obviously works. The error is different though: ipa: DEBUG: request status 200 ipa: DEBUG: request reason_phrase u'OK' ipa: DEBUG: request headers {'date': 'Fri, 12 Jun 2015 13:46:32 GMT', 'content-length': '133', 'content-type': 'application/xml', 'server': 'Apache-Coyote/1.1'} ipa: DEBUG: request body '1Invalid Credential.' 
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute return_value = self.run() File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 338, in run self.copy_ds_certificate() File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 383, in copy_ds_certificate self.export_certdb("dscert", passwd_fname) File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 595, in export_certdb db.create_server_cert(nickname, hostname, ca_db) File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 337, in create_server_cert cdb.issue_server_cert(self.certreq_fname, self.certder_fname) File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 419, in issue_server_cert raise RuntimeError("Certificate issuance failed") -- Petr Vobornik From tbordaz at redhat.com Fri Jun 12 13:48:58 2015 From: tbordaz at redhat.com (thierry bordaz) Date: Fri, 12 Jun 2015 15:48:58 +0200 Subject: [Freeipa-devel] DNA range distribution to replicas by default In-Reply-To: <214960863.1166110.1434115672513.JavaMail.zimbra@redhat.com> References: <5576A41A.4020604@redhat.com> <1433855206.20848.21.camel@willson.usersys.redhat.com> <5579652D.3020003@redhat.com> <1434031894.20848.53.camel@willson.usersys.redhat.com> <557AA1B4.3030709@redhat.com> <214960863.1166110.1434115672513.JavaMail.zimbra@redhat.com> Message-ID: <557AE34A.7070703@redhat.com> On 06/12/2015 03:27 PM, Simo Sorce wrote: > ----- Original Message ----- 
>> From: "Petr Spacek" >> To: "Simo Sorce" >> Cc: "freeipa-devel" , "Tomas Capek" , "Ludwig Krispenz" >> , "Thierry Bordaz" >> Sent: Friday, June 12, 2015 5:09:08 AM >> Subject: Re: [Freeipa-devel] DNA range distribution to replicas by default >> >> On 11.6.2015 16:11, Simo Sorce wrote: >>> On Thu, 2015-06-11 at 12:38 +0200, Petr Spacek wrote: >>>> On 9.6.2015 15:06, Simo Sorce wrote: >>>>> On Tue, 2015-06-09 at 10:30 +0200, Petr Spacek wrote: >>>>>> Hello, >>>>>> >>>>>> I would like to discuss >>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1211366 >>>>>> "Error creating a user when jumping from an original server to replica". >>>>>> >>>>>> Currently the DNA ranges are distributed from master to other replicas >>>>>> on >>>>>> first attempt to get a number from particular range. >>>>>> >>>>>> This works well as long as the original master is reachable but fails >>>>>> miserably when the master is not reachable for any reason. >>>>>> >>>>>> It is apparently confusing to users [1][2] because it is >>>>>> counter-intuitive. >>>>>> They have created a replica to be sure that everything will work when >>>>>> the >>>>>> first server is down, right? >>>>>> >>>>>> Remediation is technically simple [3] (just assign a range to the new >>>>>> replica) >>>>>> but it is confusing to the users, error-prone, and personally I feel >>>>>> that this >>>>>> is an unnecessary obstacle. >>>>>> >>>>>> It seems to me that the original motivation for this behavior was that >>>>>> the >>>>>> masters were not able to request range back from other replicas when a >>>>>> local >>>>>> range was depleted. >>>>>> >>>>>> This deficiency is tracked as >>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1029640 and it is slated for >>>>>> fix >>>>>> in 4.2.x time frame. >>>>>> >>>>>> Can we distribute ranges to the replicas during ipa-replica-install when >>>>>> we >>>>>> fix bug 1029640? 
>>>>> That was not the only reason, another reason is that you do not want to >>>>> distribute and fragment ranges to replicas that will never be used to >>>>> create users. What we should do perhaps, is to automatically give a >>>>> range to CA enabled masters so that at least those servers have a range. >>>>> If all your CAs are unavailable you have major issues anyway. >>>>> >>>>> Though it is a bit bad to have magic behaviors, maybe we should have a >>>>> "main DNA range holder" role that can be assigned to arbitrary servers >>>>> (maybe the first replica gets it by default), and when done the server >>>>> acquire part of the range if it has none. >>>> This concept sounds good to me! >>>> >>>> I would only reverse the default, i.e. distribute ranges by default to all >>>> replicas and let admin to toggle a knob if he feels that his case really >>>> needs >>>> to limit range distribution. >>> By the time you *feel* that it may be too late. >>> >>>>> Another option is that a replica can instantiate a whole new range if >>>>> all the range bearing servers are not around, but that also comes with >>>>> its own issues. >>>>> >>>>> In general I wouldn't want to split by default, because in domains with >>>>> *many* replicas most of them are used for load balancing and will never >>>>> be used to create users, so the range would be wasted. >>>> This should not be an issue when >>>> https://bugzilla.redhat.com/show_bug.cgi?id=1029640 is fixed because >>>> replicas >>>> will be able to request range back if the local chunk is depleted. >>>> >>>> Is that correct? >>> To some degree, the main issue is when replicas get removed abruptly and >>> are not around to "give back" anything. >>> We would need to start working on a range-scavenging tool to reclaim >>> "lost" ranges if you go and automatically distribute ranges to every >>> replica that ever pops up. >> Okay, I understand that. 
>> >> I can't help myself but it seems to me that this problem is inherent to >> current design and can always happen because the range information is local >> to >> the replica. As a result, if the replica with a range disappears we always >> need to do some sort of manual recovery to get the free numbers back. >> >> Consequently, lowering number of replicas with ranges just makes the problem >> less common but does not eliminate it. >> >> Let's look at: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=ipa,dc=example >> >> It seems that we already have information which replicas have free values in >> the shared tree - this is good, but not sufficient to eliminate the problem. >> The information about range start/end and the next free value is missing in >> the shared tree and is stored only in cn=config on particular replica. >> >> It seems to me that adding this range start/end values to the shared tree >> would help because the information about the range would be preserved even if >> the replica was deleted/lost. >> >> Apparently the attribute dnaRemainingValues in the shared tree is updated >> after each number allocation so adding the next free value (to a new >> attribute) to the shared tree would not add any significant replication churn >> because the object needs to be updated anyway. >> >> What did I miss? > We could publish the range there I guess. > But I'd rather keep the counters local and update the "available" values only every 100 or so. > This is to reduce the number of replication messages going out. Even if you do not know the exact starting point that is not a huge deal as DNA checks that an ID is free before assigning it anyways. > > Simo. About the ranges, each replica has a unique replicaID, the selection of the ranges could use this replicaID for most significant digit. Publishing the ranges to the shared tree looks good but what is benefit of publishing dnaRemainingValues (either the exact value or sample) ? Who is consuming it ? 
thanks
thierry

From simo at redhat.com Fri Jun 12 14:14:21 2015
From: simo at redhat.com (Simo Sorce)
Date: Fri, 12 Jun 2015 10:14:21 -0400 (EDT)
Subject: [Freeipa-devel] DNA range distribution to replicas by default
In-Reply-To: <557AE34A.7070703@redhat.com>
References: <5576A41A.4020604@redhat.com> <1433855206.20848.21.camel@willson.usersys.redhat.com> <5579652D.3020003@redhat.com> <1434031894.20848.53.camel@willson.usersys.redhat.com> <557AA1B4.3030709@redhat.com> <214960863.1166110.1434115672513.JavaMail.zimbra@redhat.com> <557AE34A.7070703@redhat.com>
Message-ID: <20003936.1202755.1434118461889.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "thierry bordaz"
> About the ranges, each replica has a unique replicaID, the selection of
> the ranges could use this replicaID for most significant digit.

This doesn't really work unless you know before hand how many replicas you have to partition the space.

> Publishing the ranges to the shared tree looks good but what is benefit
> of publishing dnaRemainingValues (either the exact value or sample) ?
> Who is consuming it ?

1. Servers that have their range depleted use that to figure out what other server they can contact to get a new slice.
2. Admins that want to monitor range consumption at a coarse level to plan whether they need to add whole new ranges to the domain.

Simo.

From pvoborni at redhat.com Fri Jun 12 14:18:16 2015
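The DNA thread above (Petr Spacek, Simo Sorce, Thierry Bordaz) turns on one design point: the range itself (next/max) lives only in cn=config on the replica that holds it, while the shared tree under cn=posix-ids,cn=dna,cn=ipa,cn=etc,... carries only dnaRemainingValues, and Simo would rather publish that figure every 100 or so allocations than on every one. The block below is an added model of that bookkeeping written for this page; it is not 389-ds or FreeIPA code. dnaRemainingValues and the shared-tree DN come from the thread; the dnaHostname attribute name, the PUBLISH_EVERY knob, the half-range donation rule and all hostnames and numbers are assumptions. It shows the two consumers Simo lists, a depleted replica picking a donor and an admin listing ranges whose holder is gone, and why a stale published count is harmless when the allocator re-checks the directory.

```python
"""Model of the DNA bookkeeping discussed above (added example; not 389-ds or
FreeIPA code).  Each replica keeps its range locally, as cn=config does today,
and publishes only a coarse dnaRemainingValues to the shared tree, at most
every PUBLISH_EVERY allocations."""
from dataclasses import dataclass, field

SHARED_BASE = "cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=ipa,dc=example"
PUBLISH_EVERY = 100   # allocations between shared-tree updates (assumed knob)


class RangeDepleted(Exception):
    """The local range has no values left."""


@dataclass
class SharedTree:
    """Stand-in for the replicated entries under SHARED_BASE, keyed by
    dnaHostname (assumed attribute name) -> dnaRemainingValues."""
    entries: dict = field(default_factory=dict)

    def publish(self, host, remaining):
        self.entries[host] = remaining

    def choose_donor(self, requester, minimum=2):
        """Host advertising the most spare values, excluding the requester."""
        candidates = [(rem, h) for h, rem in self.entries.items()
                      if h != requester and rem >= minimum]
        return max(candidates)[1] if candidates else None

    def lost_ranges(self, live_masters):
        """Values still advertised by hosts that are no longer masters: what a
        range-scavenging tool would have to reclaim."""
        return {h: rem for h, rem in self.entries.items()
                if h not in live_masters and rem > 0}


@dataclass
class Replica:
    host: str
    shared: SharedTree
    next_value: int = 0    # local dnaNextValue, never replicated
    max_value: int = -1    # local dnaMaxValue; -1 means "no range"
    since_publish: int = 0

    @property
    def remaining(self):
        return max(0, self.max_value - self.next_value + 1)

    def publish(self, force=False):
        # Only the remaining count leaves the box, and only now and then;
        # the exact next value stays local.
        if force or self.since_publish >= PUBLISH_EVERY or self.remaining == 0:
            self.shared.publish(self.host, self.remaining)
            self.since_publish = 0

    def receive_range(self, start, end):
        self.next_value, self.max_value = start, end
        self.publish(force=True)

    def give_range(self, size):
        """Split off `size` values from the top of the local range (at most
        half of it, an assumed rule)."""
        if size < 1 or size > self.remaining // 2:
            raise RangeDepleted(f"{self.host} cannot spare {size} values")
        start, end = self.max_value - size + 1, self.max_value
        self.max_value = start - 1
        self.publish(force=True)
        return start, end

    def allocate(self, in_use):
        """Hand out the next free ID; `in_use` models the directory check DNA
        performs before assigning a value, so stale counters are harmless."""
        while self.remaining > 0:
            candidate = self.next_value
            self.next_value += 1
            self.since_publish += 1
            self.publish()
            if candidate not in in_use:
                in_use.add(candidate)
                return candidate
        self.publish(force=True)
        raise RangeDepleted(f"{self.host} has no values left")


def allocate_with_fallback(replica, replicas, in_use, chunk=50):
    """Allocate locally; on depletion fetch a chunk from the best donor."""
    try:
        return replica.allocate(in_use)
    except RangeDepleted:
        donor = replica.shared.choose_donor(replica.host)
        if donor is None:
            raise
        size = min(chunk, replica.shared.entries[donor] // 2)
        replica.receive_range(*replicas[donor].give_range(size))
        return replica.allocate(in_use)
```

The donor is chosen from the published counts, which may be up to PUBLISH_EVERY allocations stale; give_range re-checks the holder's real range, so a stale figure can only make a request fail, never hand out an ID twice.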
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 12 Jun 2015 16:18:16 +0200
Subject: [Freeipa-devel] [PATCH] 873-874 ipa-replica-manage: adjust del to work with managed topology
Message-ID: <557AEA28.1010905@redhat.com>

Some notes:

1. As mentioned in the WIP patch thread: original 'del' worked also with winsync agreements. I'm not sure why that is. Shouldn't 'disconnect' be used for winsync agreements? At least the man page says that. This patch doesn't support it if domain level > 0. Is it a blocker?

Following should be addressed in beta:

2. If `ipa-replica-manage del` is run before `ipa-csreplica-manage del` then the `ipa-csreplica-manage del` will fail unless run with the --force option.

3. Check for orphaned server is missing. I want to use a proper graph traversing algorithm for that given that we have the whole topology.

4. Probably a work for topology plugin: I've seen that the removed master doesn't remove its segments and agreements even though it knows about its removal (doesn't have its own entry in cn=masters). It leads to failed replication connection attempts. Not a big issue, but also not wanted.

--
Petr Vobornik

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0874-ipa-replica-manage-adjust-del-to-work-with-managed-t.patch
Type: text/x-patch
Size: 11959 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0873-server-add-del-command.patch
Type: text/x-patch
Size: 2476 bytes
Desc: not available
URL:

From pvoborni at redhat.com Fri Jun 12 14:19:00 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 12 Jun 2015 16:19:00 +0200
Subject: [Freeipa-devel] [PATCH] 875 topology: fix swapped topologysegment-reinitialize behavior
Message-ID: <557AEA54.5050107@redhat.com>

setting "nsds5BeginReplicaRefresh;left" to "start" reinitializes the right node and not the left node. This patch fixes API to match the behavior.

part of: https://fedorahosted.org/freeipa/ticket/4302

--
Petr Vobornik

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0875-topology-fix-swapped-topologysegment-reinitialize-be.patch
Type: text/x-patch
Size: 1344 bytes
Desc: not available
URL:

From lkrispen at redhat.com Fri Jun 12 14:45:22 2015
From: lkrispen at redhat.com (Ludwig Krispenz) Date: Fri, 12 Jun 2015 16:45:22 +0200 Subject: [Freeipa-devel] [PATCH] 873-874 ipa-replica-manage: adjust del to work with managed topology In-Reply-To: <557AEA28.1010905@redhat.com> References: <557AEA28.1010905@redhat.com> Message-ID: <557AF082.3020205@redhat.com> On 06/12/2015 04:18 PM, Petr Vobornik wrote: > Some notes: > > 1. As mentioned in the WIP patch thread: original 'del' worked also > with winsync agreements. I'm not sure why is that. Shouldn't > 'disconnect' be used for winsync agreements? At least man page says > that. This patch doesn't support it if domain level > 0. Is it a blocker? > > Following should be addressed in beta: > > 2. If `ipa-replica-manage del` is run before `ipa-csreplica-manage > del` then the `ipa-csreplica-manage del` will fail unless run with > --force options. > > 3. Check for orphaned server is missing. I want to use proper graph > traversing algorithm for that given that we have the whole topology. > > 4. Probably a work for topology plugin: I've seen that the removed > master doesn't remove its segments and agreements even though that it > knows about its removal (doesn't have its own entry in cn=masters). It > leads to failed replication connection attempts. Not a big issue, but > also not wanted. > > 4. is tough. it also depends on where you remove the master entry. the removal of the master entry triggers the removal of the segments, which triggers the removal of the agreement, and the agreement could be removed before the segment removal is replicated (it is a race). So, on purpose, the removal of the segments is only triggered on the servers in the remaining topology, it also will remove the credentials of the removed replica, so it will no longer be able to replicate back into the remaining topology. 
The assumption was that a removed replica will be really removed and focus was, remove any info on the removed replica from the remaining topology and prevent any updates from the removed replica.

From pvoborni at redhat.com Fri Jun 12 15:19:23 2015
From: pvoborni at redhat.com (Petr Vobornik) Date: Fri, 12 Jun 2015 17:19:23 +0200 Subject: [Freeipa-devel] [PATCH] 873-874 ipa-replica-manage: adjust del to work with managed topology In-Reply-To: <557AF082.3020205@redhat.com> References: <557AEA28.1010905@redhat.com> <557AF082.3020205@redhat.com> Message-ID: <557AF87B.9030508@redhat.com> On 06/12/2015 04:45 PM, Ludwig Krispenz wrote: > > On 06/12/2015 04:18 PM, Petr Vobornik wrote: >> Some notes: >> >> 1. As mentioned in the WIP patch thread: original 'del' worked also >> with winsync agreements. I'm not sure why is that. Shouldn't >> 'disconnect' be used for winsync agreements? At least man page says >> that. This patch doesn't support it if domain level > 0. Is it a blocker? >> >> Following should be addressed in beta: >> >> 2. If `ipa-replica-manage del` is run before `ipa-csreplica-manage >> del` then the `ipa-csreplica-manage del` will fail unless run with >> --force options. >> >> 3. Check for orphaned server is missing. I want to use proper graph >> traversing algorithm for that given that we have the whole topology. >> >> 4. Probably a work for topology plugin: I've seen that the removed >> master doesn't remove its segments and agreements even though that it >> knows about its removal (doesn't have its own entry in cn=masters). It >> leads to failed replication connection attempts. Not a big issue, but >> also not wanted. >> >> > 4. is tough. it also depends on where you remove the master entry. > > the removal of the master entry triggers the removal of the segments, > which triggers the removal of the agreement, and the agreement could be > removed before the segment removal is replicated (it is a race). > So, on purpose, the removal of the segments is only triggered on the > servers in the remaining topology, it also will remove the credentials > of the removed replica, so it will no longer be able to replicate back > into the remaining topology. 
> The assumption was that a removed replica will be really removed and
> focus was, remove any info on the removed replica from the remaining
> topology and prevent any updates from the removed replica.
>

OK. `ipa-server-install --uninstall` needs some information to know that the replica was removed properly and then not to complain about remaining replication agreements. Is there such information on the deleted replica which we can rely on?

--
Petr Vobornik

From mbabinsk at redhat.com Fri Jun 12 16:31:09 2015
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Fri, 12 Jun 2015 18:31:09 +0200
Subject: [Freeipa-devel] [PATCH] 875 topology: fix swapped topologysegment-reinitialize behavior
In-Reply-To: <557AEA54.5050107@redhat.com>
References: <557AEA54.5050107@redhat.com>
Message-ID: <557B094D.8050603@redhat.com>

On 06/12/2015 04:19 PM, Petr Vobornik wrote:
> setting "nsds5BeginReplicaRefresh;left" to "start" reinitializes the
> right node and not the left node. This patch fixes API to match the
> behavior.
>
> part of: https://fedorahosted.org/freeipa/ticket/4302
>
>
ACK

--
Martin^3 Babinsky

From mbabinsk at redhat.com Fri Jun 12 16:34:53 2015
From: mbabinsk at redhat.com (Martin Babinsky) Date: Fri, 12 Jun 2015 18:34:53 +0200 Subject: [Freeipa-devel] [PATCH] 869 topology: restrict direction changes In-Reply-To: <557973E3.3090407@redhat.com> References: <557837E2.6080007@redhat.com> <55794546.3040304@redhat.com> <5579609A.5040703@redhat.com> <55796477.4010005@redhat.com> <55796893.9080502@redhat.com> <55796CDF.9090409@redhat.com> <557973E3.3090407@redhat.com> Message-ID: <557B0A2D.70106@redhat.com> On 06/11/2015 01:41 PM, Petr Vobornik wrote: > On 06/11/2015 01:11 PM, Ludwig Krispenz wrote: >> >> On 06/11/2015 12:53 PM, Petr Vobornik wrote: >>> On 06/11/2015 12:35 PM, Ludwig Krispenz wrote: >>>> >>>> On 06/11/2015 12:19 PM, Petr Vobornik wrote: >>>>> On 06/11/2015 10:22 AM, Martin Babinsky wrote: >>>>>> On 06/10/2015 03:13 PM, Petr Vobornik wrote: >>>>>>> topology plugin doesn't properly handle: >>>>>>> - creation of segment with direction 'none' and then upgrade to >>>>>>> other >>>>>>> direction >>>>>>> - downgrade of direction >>>>>>> >>>>>>> These situations are now forbidden in API. >>>>>>> >>>>>>> part of: https://fedorahosted.org/freeipa/ticket/4302 >>>>>>> >>>>>>> >>>>>> ACK >>>>>> >>>>> >>>>> Looking at Ludwig's path 12, the patch completely forbids mod of >>>>> ipaReplTopoSegmentDirection? >>>> that's what I thought we agreed on, >>> >>> I thought, that we will only complain loudly on downgrade of connection. >>> >>>> so you would have to add a segment >>>> in the opposite direction an they would be merged to both, >>>> but maybe this is a bit strict. >>> >>> This could work as well, but: >>> >>> I just tried (without patch 12) to create: >>> 1. A to B, left-right: success >>> 2. B to A, right-left: "Server is unwilling to perform: Segment >>> already exists in topology or is self referential. Add rejected." >> yes, B to A, right-left is the same as A-B, left right > > Sorry, you are right, I wrote it badly. I'm not sure if the servers are > broken from testing and previous bugs. 
> Maybe I should reinstall, but
> I'm experiencing following weird behavior:
>
> A-B segment, doesn't exist.
>
> 1. A to B, left-right: success
> 2. A to B, right-left: "Server is unwilling to perform: Segment already
> exists in topology or is self referential. Add rejected."
>
> If I try different direction (started with 4 segments):
> 1. A to B, right-left: success, 5 segments exist
> 2. A to B, left-right: success, 4 segments exist - the new ones are gone
>
> Martin, can you reproduce it?
>
>>>
>>> I.e., the upgrade didn't happen.
>>>
>>>> I could allow for
>>>> ipaReplTopoSegmentDirection replace: both
>>>>> So that upgrade from right-left and left-right to both is not
>>>>> allowed? If so then this patch needs to be updated.
>>>> depends a bit on what you prefer and what we can get in for alpha.
>>>
>>> Depends what's better, I already have adjusted patch for ^^ so it's
>>> not about the work.
>> so let's take the changes to your patch and we could still extend
>> functionality a bit for beta or later
>>
>
> OK, attaching rebased patch.

ACK

--
Martin^3 Babinsky

From derny at redhat.com Fri Jun 12 19:34:01 2015
From: derny at redhat.com (Drew Erny)
Date: Fri, 12 Jun 2015 15:34:01 -0400
Subject: [Freeipa-devel] Community Portal Milestone
In-Reply-To: <5575EF16.5090808@redhat.com>
References: <5575EF16.5090808@redhat.com>
Message-ID: <557B3429.2010605@redhat.com>

Hey, all,

What fields, exactly, should a self-service user be able to enter?

Thanks,

Drew Erny

From npmccallum at redhat.com Fri Jun 12 19:40:36 2015
From: npmccallum at redhat.com (Nathaniel McCallum) Date: Fri, 12 Jun 2015 15:40:36 -0400 Subject: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP) In-Reply-To: <5576F050.7070903@redhat.com> References: <5565C3AF.1070509@redhat.com> <5576F050.7070903@redhat.com> Message-ID: <1434138036.2542.52.camel@redhat.com> It doesn't apply again. On Tue, 2015-06-09 at 15:55 +0200, Christian Heimes wrote: > On 2015-05-27 15:16, Christian Heimes wrote: > > Hello, > > > > here is my first patch for FreeIPA. The patch integrates python > > -kdcproxy > > for MS-KKDCP support (aka Kerberos over HTTPS). > > > > https://www.freeipa.org/page/V4/KDC_Proxy > > > > Ticket: https://fedorahosted.org/freeipa/ticket/4801 > > freeipa-cheimes-0001-2-Provide-Kerberos-over-HTTP-MS-KKDCP.patch > doesn't > apply anymore. The new patch is based on the current master. > > Christian > > -- > Manage your subscription for the Freeipa-devel mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-devel > Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code From ayoung at redhat.com Fri Jun 12 21:44:31 2015 
From: ayoung at redhat.com (Adam Young)
Date: Fri, 12 Jun 2015 17:44:31 -0400
Subject: [Freeipa-devel] Community Portal Milestone
In-Reply-To: <557B3429.2010605@redhat.com>
References: <5575EF16.5090808@redhat.com> <557B3429.2010605@redhat.com>
Message-ID: <557B52BF.1050908@redhat.com>

On 06/12/2015 03:34 PM, Drew Erny wrote:
> Hey, all,
>
> What fields, exactly, should a self-service user be able to enter?
>
> Thanks,
>
> Drew Erny
>

Start with the minimum: First and Last name, email address. The userid is automatically assigned based on their name, and there is a high likelihood of clash, but I don't know if we want to let them pick just anything...let's say "yes" to that for now, within acceptable values for the Schema.

Not too many of the other values make much sense for all orgs.

Since the account needs to be activated, I would expressly not have them enter in a password. Instead, it should be an uuid -r type random which they will get in an email link, and then enter in their own password.

From ayoung at redhat.com Fri Jun 12 21:58:14 2015
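Adam's reply above sketches the self-service flow: first name, last name and e-mail only; a uid derived from the name, with clashes expected; no password at sign-up, but a random activation secret sent as an e-mail link, after which the user sets their own password. The block below is an added example of that flow written for this page, not the community portal's code. It derives a uid within a conservative subset of what the POSIX account schema accepts, resolves clashes with a numeric suffix, generates the activation secret with the secrets module, stores only a hash of it, and makes redemption single-use, time-limited and constant-time. The TOKEN_TTL, the minimum password length and the names are assumptions; the users in the test are constructed.

```python
"""Self-service sign-up with e-mailed activation, as sketched in the thread
(added example; not the community portal code)."""
import hashlib
import hmac
import os
import re
import secrets
import time

TOKEN_TTL = 24 * 3600        # seconds an activation link stays valid (assumed)
MIN_PASSWORD_LEN = 8         # minimal policy for the example (assumed)


def propose_uid(first, last, taken):
    """Derive a uid from the name using lowercase ASCII letters, digits, '.'
    and '-', and resolve a clash with a numeric suffix."""
    base = re.sub(r"[^a-z0-9.-]", "", f"{first}.{last}".lower())
    base = base.strip(".-") or "user"
    uid, n = base, 1
    while uid in taken:
        n += 1
        uid = f"{base}{n}"
    return uid


def _digest(token):
    # The store keeps a hash, never the secret: a copied table must not
    # yield working activation links.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def _password_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class ActivationStore:
    """Pending activations keyed by token hash; activated accounts keyed by uid."""

    def __init__(self):
        self.pending = {}     # digest -> {"uid", "email", "expires"}
        self.activated = {}   # uid -> {"email", "salt", "pw_hash"}

    def issue(self, uid, email, now=None):
        """Register a pending account and return the secret to put in the
        e-mailed link.  No password is taken at this point."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)          # 256 bits, URL-safe
        self.pending[_digest(token)] = {
            "uid": uid, "email": email, "expires": now + TOKEN_TTL}
        return token

    def redeem(self, token, new_password, now=None):
        """Validate the link and set the password exactly once.  Returns the
        uid on success and None on any failure, without saying which."""
        now = time.time() if now is None else now
        wanted = _digest(token)
        match = None
        for d in self.pending:                     # no early exit on mismatch
            if hmac.compare_digest(d, wanted):
                match = d
        if match is None:
            return None
        record = self.pending.pop(match)           # single use, even if expired
        if now > record["expires"]:
            return None
        if len(new_password) < MIN_PASSWORD_LEN:
            self.pending[match] = record           # same link may be retried
            return None
        salt = os.urandom(16)
        self.activated[record["uid"]] = {
            "email": record["email"], "salt": salt,
            "pw_hash": _password_hash(new_password, salt)}
        return record["uid"]

    def check_password(self, uid, password):
        acct = self.activated.get(uid)
        if acct is None:
            return False
        return hmac.compare_digest(
            acct["pw_hash"], _password_hash(password, acct["salt"]))
```

The link carries only the random secret, never the uid or e-mail, so an intercepted URL tells an attacker nothing about the account beyond what redeeming it would; expiry and single use bound that window.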
From: ayoung at redhat.com (Adam Young)
Date: Fri, 12 Jun 2015 17:58:14 -0400
Subject: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)
In-Reply-To: <1434138036.2542.52.camel@redhat.com>
References: <5565C3AF.1070509@redhat.com> <5576F050.7070903@redhat.com> <1434138036.2542.52.camel@redhat.com>
Message-ID: <557B55F6.4060408@redhat.com>

On 06/12/2015 03:40 PM, Nathaniel McCallum wrote:
> It doesn't apply again.
>
> On Tue, 2015-06-09 at 15:55 +0200, Christian Heimes wrote:
>> On 2015-05-27 15:16, Christian Heimes wrote:
>>> Hello,
>>>
>>> here is my first patch for FreeIPA. The patch integrates python
>>> -kdcproxy
>>> for MS-KKDCP support (aka Kerberos over HTTPS).
>>>
>>> https://www.freeipa.org/page/V4/KDC_Proxy
>>>
>>> Ticket: https://fedorahosted.org/freeipa/ticket/4801
>> freeipa-cheimes-0001-2-Provide-Kerberos-over-HTTP-MS-KKDCP.patch
>> doesn't
>> apply anymore. The new patch is based on the current master.
>>
>> Christian
>>
>> --
>> Manage your subscription for the Freeipa-devel mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

So...I've been spoiled a bit by Gerrit. Here is what I just did to get them to apply:

cd freeipa
git clean -xdf .
#use the -3 to do 3 way merge
git am -3 ~/Documents/freeipa/patches/cheimes/freeipa-cheimes-0001-3-Provide-Kerberos-over-HTTP-MS-KKDCP.patch

git status shows conflicts in

both modified: install/share/Makefile.am
both modified: ipaplatform/base/paths.py

Which were due to this change and another making changes to the same section of the file, but they were "accept both" type conflicts.

Updated patch is attached. Christian, please confirm it is OK.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-cheimes-0001-4-Provide-Kerberos-over-HTTP-MS-KKDCP.patch
Type: text/x-patch
Size: 48289 bytes
Desc: not available
URL:

From jcholast at redhat.com Mon Jun 15 07:22:09 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 15 Jun 2015 09:22:09 +0200
Subject: [Freeipa-devel] [PATCH] Password vault
In-Reply-To: <5577D581.1020800@redhat.com>
References: <54E1AF55.3060409@redhat.com> <54EBEB55.6010306@redhat.com> <54F96B22.9050507@redhat.com> <55004D5D.6060300@redhat.com> <550FE5EB.1070606@redhat.com> <551E0AE1.8040500@redhat.com> <553498D1.1020901@redhat.com> <55651209.8020000@redhat.com> <556558AA.6040107@redhat.com> <556CF209.7050404@redhat.com> <556EF05E.90103@redhat.com> <55719260.8080300@redhat.com> <5571FD75.5010708@redhat.com> <557568CB.3040503@redhat.com> <557756EE.8020507@redhat.com> <5577D581.1020800@redhat.com>
Message-ID: <557E7D21.2040304@redhat.com>

Dne 10.6.2015 v 08:13 Martin Kosek napsal(a):
> On 06/09/2015 11:13 PM, Endi Sukma Dewata wrote:
>> Please take a look at the attached patch to add symmetric & asymmetric vaults.
>> Some comments about the patch:

I think it would be better to use a new attribute type which inherits from ipaPublicKey (ipaVaultPublicKey?) rather than ipaPublicKey directly for asymmetric vault public keys, so that asymmetric public key and escrow public key are on the same level and you can still use ipaPublicKey to refer to either one:

ipaPublicKey
  ipaVaultPublicKey
  ipaEscrowPublicKey

( 2.16.840.1.113730.3.8.18.2.? NAME 'ipaVaultPublicKey' DESC 'Assymetric vault public key as DER-encoded SubjectPublicKeyInfo (RFC 5280)' SUP ipaPublicKey EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.2' )
( 2.16.840.1.113730.3.8.18.2.3 NAME 'ipaEscrowPublicKey' DESC 'IPA escrow public key as DER-encoded SubjectPublicKeyInfo (RFC 5280)' SUP ipaPublicKey EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.2' )

>>
>> 1. The vault_add was split into a client-side vault_add and server-side
>> vault_add_internal since the parameters are different (i.e. public key file and
>> future escrow-related params). Since vault_add inherits from Local all
>> non-primary-key attributes have to be added explicitly.

The split is not really necessary, since the only difference is the public_key_file option, which exists only because of the lack of proper file support in the framework. This is a different situation from vault_{archive,retrieve}, which has two different sets of options on client and server side. Escrow adds only ipaescrowpublickey and escrow_public_key_file, right? If yes, we can safely keep the command in a single piece.

>>
>> 2. Since the vault_archive_internal inherits from Update, it accepts all non
>> primary-key attributes automatically. This is incorrect since we don't want to
>> update these parameters during archival. Can this behavior be overridden?

Inherit from PKQuery instead (don't forget to add "has_output = output.standard_entry").

BTW the correct solution would be to have a separate object and commands for vault data (e.g. vaultdata object, vault_archive -> vaultdata_mod, vault_retrieve -> vaultdata_show), then we wouldn't have to deal with mixing vault attributes with vault data and could use proper crud base classes.

>
> Just for the record, this changes API, right? It would be better to have this
> in Alpha planned for this week. Not a blocker for Alpha though, we can give
> warning that the internal API may change before GA.
>

--
Jan Cholasta

From jcholast at redhat.com Mon Jun 15 07:24:01 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 15 Jun 2015 09:24:01 +0200
Subject: [Freeipa-devel] [PATCH] Password vault
In-Reply-To: <557E7D21.2040304@redhat.com>
References: <54E1AF55.3060409@redhat.com> <54EBEB55.6010306@redhat.com> <54F96B22.9050507@redhat.com> <55004D5D.6060300@redhat.com> <550FE5EB.1070606@redhat.com> <551E0AE1.8040500@redhat.com> <553498D1.1020901@redhat.com> <55651209.8020000@redhat.com> <556558AA.6040107@redhat.com> <556CF209.7050404@redhat.com> <556EF05E.90103@redhat.com> <55719260.8080300@redhat.com> <5571FD75.5010708@redhat.com> <557568CB.3040503@redhat.com> <557756EE.8020507@redhat.com> <5577D581.1020800@redhat.com> <557E7D21.2040304@redhat.com>
Message-ID: <557E7D91.8070609@redhat.com>

Dne 15.6.2015 v 09:22 Jan Cholasta napsal(a):
> Dne 10.6.2015 v 08:13 Martin Kosek napsal(a):
>> On 06/09/2015 11:13 PM, Endi Sukma Dewata wrote:
>>> Please take a look at the attached patch to add symmetric &
>>> asymmetric vaults.
>>> Some comments about the patch:
>
> I think it would be better to use a new attribute type which inherits
> from ipaPublicKey (ipaVaultPublicKey?) rather than ipaPublicKey directly
> for asymmetric vault public keys, so that asymmetric public key and
> escrow public key are on the same level and you can still use
> ipaPublicKey to refer to either one:
>
> ipaPublicKey
>   ipaVaultPublicKey
>   ipaEscrowPublicKey
>
> ( 2.16.840.1.113730.3.8.18.2.? NAME 'ipaVaultPublicKey' DESC
> 'Assymetric vault public key as DER-encoded SubjectPublicKeyInfo (RFC
> 5280)' SUP ipaPublicKey EQUALITY octetStringMatch SYNTAX
> 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.2' )
> ( 2.16.840.1.113730.3.8.18.2.3 NAME 'ipaEscrowPublicKey' DESC 'IPA
> escrow public key as DER-encoded SubjectPublicKeyInfo (RFC 5280)' SUP
> ipaPublicKey EQUALITY octetStringMatch SYNTAX
> 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.2' )
>

BTW what is the reason that vault type is identified by the ipaVaultType attribute rather than by object class?

>>>
>>> 1. The vault_add was split into a client-side vault_add and server-side
>>> vault_add_internal since the parameters are different (i.e. public
>>> key file and
>>> future escrow-related params). Since vault_add inherits from Local all
>>> non-primary-key attributes have to be added explicitly.
>
> The split is not really necessary, since the only difference is the
> public_key_file option, which exists only because of the lack of proper
> file support in the framework. This is a different situation from
> vault_{archive,retrieve}, which has two different sets of options on
> client and server side. Escrow adds only ipaescrowpublickey and
> escrow_public_key_file, right? If yes, we can safely keep the command in
> a single piece.
>
>>>
>>> 2. Since the vault_archive_internal inherits from Update, it accepts
>>> all non
>>> primary-key attributes automatically. This is incorrect since we
>>> don't want to
>>> update these parameters during archival. Can this behavior be
>>> overridden?
>
> Inherit from PKQuery instead (don't forget to add "has_output =
> output.standard_entry").
>
> BTW the correct solution would be to have a separate object and commands
> for vault data (e.g. vaultdata object, vault_archive -> vaultdata_mod,
> vault_retrieve -> vaultdata_show), then we wouldn't have to deal with
> mixing vault attributes with vault data and could use proper crud base
> classes.
>
>>
>> Just for the record, this changes API, right? It would be better to
>> have this
>> in Alpha planned for this week. Not a blocker for Alpha though, we can
>> give
>> warning that the internal API may change before GA.

--
Jan Cholasta

From pvoborni at redhat.com Mon Jun 15 07:39:36 2015
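The attribute type hierarchy proposed in Jan's two messages above (ipaVaultPublicKey and ipaEscrowPublicKey as subtypes of ipaPublicKey), as an added Python example that is not part of the thread or of FreeIPA's schema tooling. It is a small parser for the RFC 4512 attribute type description syntax used in the proposal, which reads the two definitions quoted in the message plus a constructed stand-in for the existing ipaPublicKey supertype, walks the SUP chain, and reports what a schema review would flag: an unassigned OID (the `?` in the proposal, and the placeholder OID of the stand-in), a SUP that is not defined, and a SYNTAX that diverges from the supertype's. The stand-in's OID and DESC are placeholders, not values from the FreeIPA schema.

```python
import re

# One token per quoted string, parenthesis, or bare word (RFC 4512 ABNF, simplified)
TOKEN_RE = re.compile(r"'[^']*'|\(|\)|\S+")
OID_RE = re.compile(r"\d+(\.\d+)+")
VALUE_KEYWORDS = {"NAME", "DESC", "SUP", "EQUALITY", "ORDERING", "SUBSTR",
                  "SYNTAX", "USAGE", "X-ORIGIN"}
FLAG_KEYWORDS = {"OBSOLETE", "SINGLE-VALUE", "COLLECTIVE", "NO-USER-MODIFICATION"}

# The two definitions from the message, plus a constructed stand-in for the
# existing ipaPublicKey supertype.  PLACEHOLDER-OID is deliberately not a real
# OID; the check below reports it as unassigned, like the '?' in the proposal.
SAMPLE_DESCRIPTIONS = [
    "( PLACEHOLDER-OID NAME 'ipaPublicKey' DESC 'Public key as DER-encoded "
    "SubjectPublicKeyInfo (RFC 5280)' EQUALITY octetStringMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.2' )",
    "( 2.16.840.1.113730.3.8.18.2.? NAME 'ipaVaultPublicKey' DESC 'Assymetric vault "
    "public key as DER-encoded SubjectPublicKeyInfo (RFC 5280)' SUP ipaPublicKey "
    "EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.2' )",
    "( 2.16.840.1.113730.3.8.18.2.3 NAME 'ipaEscrowPublicKey' DESC 'IPA escrow public "
    "key as DER-encoded SubjectPublicKeyInfo (RFC 5280)' SUP ipaPublicKey "
    "EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.2' )",
]


def parse_attribute_type(text):
    """Parse one '( oid KEYWORD value ... )' attribute type description into a dict."""
    tokens = TOKEN_RE.findall(text)
    if len(tokens) < 3 or tokens[0] != "(" or tokens[-1] != ")":
        raise ValueError("not a parenthesised attribute type description")
    attr = {"oid": tokens[1]}
    i = 2
    while i < len(tokens) - 1:
        key = tokens[i]
        i += 1
        if key in FLAG_KEYWORDS:
            attr[key] = True
        elif key in VALUE_KEYWORDS:
            if tokens[i] == "(":                       # qdescrs list: ( 'a' 'b' )
                close = tokens.index(")", i)
                attr[key] = [t.strip("'") for t in tokens[i + 1:close]]
                i = close + 1
            else:
                attr[key] = tokens[i].strip("'")
                i += 1
        else:
            raise ValueError("unexpected token %r" % key)
    if "NAME" not in attr:
        raise ValueError("attribute type %s has no NAME" % attr["oid"])
    names = attr["NAME"]
    attr["name"] = names[0] if isinstance(names, list) else names
    return attr


def load_schema(descriptions):
    """Index parsed descriptions by lower-cased name (attribute names are case-insensitive)."""
    return {a["name"].lower(): a for a in map(parse_attribute_type, descriptions)}


def supertype_chain(schema, name):
    """[name, its SUP, that SUP's SUP, ...]; raises on an undefined or cyclic SUP."""
    chain, seen, cur = [], set(), name
    while cur is not None:
        key = cur.lower()
        if key not in schema:
            raise ValueError("undefined attribute type %s" % cur)
        if key in seen:
            raise ValueError("SUP cycle at %s" % cur)
        seen.add(key)
        chain.append(schema[key]["name"])
        cur = schema[key].get("SUP")
    return chain


def is_subtype_of(schema, name, ancestor):
    return ancestor.lower() in [n.lower() for n in supertype_chain(schema, name)[1:]]


def effective_syntax(schema, name):
    """SYNTAX of the type itself or, when omitted, inherited from the nearest supertype."""
    for n in supertype_chain(schema, name):
        if "SYNTAX" in schema[n.lower()]:
            return schema[n.lower()]["SYNTAX"]
    return None


def check_schema(schema):
    """Problems a schema review would flag, in definition order."""
    problems = []
    for attr in schema.values():
        if not OID_RE.fullmatch(attr["oid"]):
            problems.append("%s: OID not assigned" % attr["name"])
        sup = attr.get("SUP")
        if sup is None:
            continue
        if sup.lower() not in schema:
            problems.append("%s: SUP %s is not defined" % (attr["name"], sup))
            continue
        own, inherited = attr.get("SYNTAX"), effective_syntax(schema, sup)
        # RFC 4512 2.5.1: a subtype's syntax must be its supertype's or a refinement of it
        if own and inherited and own != inherited:
            problems.append("%s: SYNTAX %s differs from SUP %s syntax %s"
                            % (attr["name"], own, sup, inherited))
    return problems


if __name__ == "__main__":
    schema = load_schema(SAMPLE_DESCRIPTIONS)
    for n in ("ipaVaultPublicKey", "ipaEscrowPublicKey"):
        print(n, "->", " < ".join(supertype_chain(schema, n)))
    print("problems:", check_schema(schema))
```

Because both proposed types resolve to ipaPublicKey through SUP, a search or ACI written against ipaPublicKey matches either of them, which is exactly the "refer to either one" property the message wants; the check also makes the escrow definition fail loudly if the supertype is ever missing from the schema being loaded.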
From: pvoborni at redhat.com (Petr Vobornik) Date: Mon, 15 Jun 2015 09:39:36 +0200 Subject: [Freeipa-devel] [PATCH] 869 topology: restrict direction changes In-Reply-To: <557B0A2D.70106@redhat.com> References: <557837E2.6080007@redhat.com> <55794546.3040304@redhat.com> <5579609A.5040703@redhat.com> <55796477.4010005@redhat.com> <55796893.9080502@redhat.com> <55796CDF.9090409@redhat.com> <557973E3.3090407@redhat.com> <557B0A2D.70106@redhat.com> Message-ID: <557E8138.4030207@redhat.com> On 06/12/2015 06:34 PM, Martin Babinsky wrote: > On 06/11/2015 01:41 PM, Petr Vobornik wrote: >> On 06/11/2015 01:11 PM, Ludwig Krispenz wrote: >>> >>> On 06/11/2015 12:53 PM, Petr Vobornik wrote: >>>> On 06/11/2015 12:35 PM, Ludwig Krispenz wrote: >>>>> >>>>> On 06/11/2015 12:19 PM, Petr Vobornik wrote: >>>>>> On 06/11/2015 10:22 AM, Martin Babinsky wrote: >>>>>>> On 06/10/2015 03:13 PM, Petr Vobornik wrote: >>>>>>>> topology plugin doesn't properly handle: >>>>>>>> - creation of segment with direction 'none' and then upgrade to >>>>>>>> other >>>>>>>> direction >>>>>>>> - downgrade of direction >>>>>>>> >>>>>>>> These situations are now forbidden in API. >>>>>>>> >>>>>>>> part of: https://fedorahosted.org/freeipa/ticket/4302 >>>>>>>> >>>>>>>> >>>>>>> ACK >>>>>>> >>>>>> >>>>>> Looking at Ludwig's path 12, the patch completely forbids mod of >>>>>> ipaReplTopoSegmentDirection? >>>>> that's what I thought we agreed on, >>>> >>>> I thought, that we will only complain loudly on downgrade of >>>> connection. >>>> >>>>> so you would have to add a segment >>>>> in the opposite direction an they would be merged to both, >>>>> but maybe this is a bit strict. >>>> >>>> This could work as well, but: >>>> >>>> I just tried (without patch 12) to create: >>>> 1. A to B, left-right: success >>>> 2. B to A, right-left: "Server is unwilling to perform: Segment >>>> already exists in topology or is self referential. Add rejected." 
>>> yes, B to A, right-left is the same as A-B, left right >> >> Sorry, you are right, I wrote it badly. I'm not sure if the servers are >> broken from testing and previous bugs. Maybe I should reinstalled, but >> I'm experiencing following weird behavior: >> >> A-B segment, doesn't exist. >> >> 1. A to B, left-right: success >> 2. A to B, right-left: "Server is unwilling to perform: Segment already >> exists in topology or is self referential. Add rejected." >> >> If I try different direction (started with 4 segments): >> 1. A to B, right-left: success, 5 segments exist >> 2. A to B, left-right: success, 4 segments exist - the new ones are gone >> >> Martin, can you reproduce it? >> >>>> >>>> I.e., the upgrade didn't happen. >>>> >>>>> I could allow for >>>>> ipaReplTopoSegmentDirection replace: both >>>>>> So that upgrade from right-left and left-right to both is not >>>>>> allowed? If so then this patch needs to be updated. >>>>> depends a bit on what you prefer and what we can get in for alpha. >>>> >>>> Depends what's better, I already have adjusted patch for ^^ so it's >>>> not about the work. >>> so lets take the changes to your patch and we could still extend >>> functionality a bit for beta or later >>> >> >> OK, attaching rebased patch. > ACK > Pushed to master: 6b153ba876edf1ed9249ed29420a4af2b2e1830d -- Petr Vobornik From pvoborni at redhat.com Mon Jun 15 07:42:25 2015 
From: pvoborni at redhat.com (Petr Vobornik)
Date: Mon, 15 Jun 2015 09:42:25 +0200
Subject: [Freeipa-devel] [PATCH] 875 topology: fix swapped topologysegment-reinitialize behavior
In-Reply-To: <557B094D.8050603@redhat.com>
References: <557AEA54.5050107@redhat.com> <557B094D.8050603@redhat.com>
Message-ID: <557E81E1.90604@redhat.com>

On 06/12/2015 06:31 PM, Martin Babinsky wrote:
> On 06/12/2015 04:19 PM, Petr Vobornik wrote:
>> setting "nsds5BeginReplicaRefresh;left" to "start" reinitializes the
>> right node and not the left node. This patch fixes API to match the
>> behavior.
>>
>> part of: https://fedorahosted.org/freeipa/ticket/4302
>>
>>
> ACK
>

Pushed to master: bb6c0b9c634f26ae5d16079b3a66841ac0ce60cc

--
Petr Vobornik

From pvoborni at redhat.com Mon Jun 15 07:44:49 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Mon, 15 Jun 2015 09:44:49 +0200
Subject: [Freeipa-devel] [PATCH 0244] DNSSEC: fix traceback in ipa-dnskeysyncd during shutdown phase
In-Reply-To: <5579A326.2050803@redhat.com>
References: <5551F75D.6040106@redhat.com> <5579A326.2050803@redhat.com>
Message-ID: <557E8271.80202@redhat.com>

On 06/11/2015 05:03 PM, Petr Spacek wrote:
> On 12.5.2015 14:51, Martin Basti wrote:
>> https://fedorahosted.org/freeipa/ticket/4657
>>
>> Patch attached.
>
> ACK
>

Pushed to:
master: f763b137ee1eee228f53b456b8245b1499185ef7
ipa-4-1: a5d8d79f76ce39817e16a64fe937c9bb34aa5d6a

--
Petr Vobornik

From pvoborni at redhat.com Mon Jun 15 07:53:17 2015
From: pvoborni at redhat.com (Petr Vobornik) Date: Mon, 15 Jun 2015 09:53:17 +0200 Subject: [Freeipa-devel] [PATCH 0052] Stage User: Fix permissions naming and split them where, apropriate. In-Reply-To: <5579CA2B.6090304@redhat.com> References: <55782A17.4070203@redhat.com> <55797B3A.4070307@redhat.com> <5579935C.6000903@redhat.com> <5579987B.60605@redhat.com> <55799C68.6090503@redhat.com> <5579CA2B.6090304@redhat.com> Message-ID: <557E846D.5090408@redhat.com> On 06/11/2015 07:49 PM, thierry bordaz wrote: > On 06/11/2015 04:34 PM, David Kupka wrote: >> Dne 11.6.2015 v 16:17 Martin Kosek napsal(a): >>> On 06/11/2015 03:55 PM, David Kupka wrote: >>>> Dne 11.6.2015 v 14:12 thierry bordaz napsal(a): >>>>> On 06/10/2015 02:14 PM, David Kupka wrote: >>>>>> https://fedorahosted.org/freeipa/ticket/5057 >>>>> Hello David, >>>>> >>>>> The patch looks ok except it removes a permission to update 'uid' from >>>>> an active user. This permission is required to delete(preserve) an >>>>> active user. >>>>> >>>>> - # Active container >>>>> - # >>>>> - # Stage user administrators need write right on RDN when >>>>> - # the active user is deleted (preserved) >>>>> - 'System: Write Active Users RDN by administrators': { >>>>> - 'ipapermlocation': DN(baseuser.active_container_dn, >>>>> api.env.basedn), >>>>> - 'ipapermbindruletype': 'permission', >>>>> - 'ipapermtarget': DN('uid=*', >>>>> baseuser.active_container_dn, api.env.basedn), >>>>> - 'ipapermtargetfilter': >>>>> {'(objectclass=posixaccount)'}, >>>>> - 'ipapermright': {'write'}, >>>>> - 'ipapermdefaultattr': {'uid'}, >>>>> - 'default_privileges': {'Stage User Administrators'}, >>>>> - }, >>>>> - # >>>>> >>>>> I prepared a new patch (attached) with that permission and it makes >>>>> 'user-del --preserve' happy. 
>>>>> Now I think the name would rather be something like: 'System: Preserve >>>>> an active user (user-del --preserve)' >>>>> >>>>> I also added back this comment in two permissions 'Note: >>>>> targetfilter is >>>>> the target parent container'. >>>>> This was to say that the targetfilter setting was intentional. >>>>> If you think it is not the right place, you may remove those comments. >>>>> >>>>> Thanks >>>>> thierry >>>>> >>>> >>>> Hello Thierry, >>>> Indeed, I accidentally removed these. Thank you for careful review. >>>> Rebase is needed but it is due to change in VERSION and is useless >>>> to do it >>>> before push as there are too much patches going to master right now. >>>> Martin, are you (as a reporter) OK with the patch? >>>> >>> >>> Not entirely. I still see some weird permission in stageuser.py: >>> >>> # >>> # Active container >>> # >>> # Stage user administrators need write right on RDN when >>> # the active user is deleted (preserved) >>> 'System: Write Active Users RDN by administrators': { >>> 'ipapermlocation': DN(baseuser.active_container_dn, >>> api.env.basedn), >>> 'ipapermbindruletype': 'permission', >>> 'ipapermtarget': DN('uid=*', baseuser.active_container_dn, >>> api.env.basedn), >>> 'ipapermtargetfilter': {'(objectclass=posixaccount)'}, >>> 'ipapermright': {'write'}, >>> 'ipapermdefaultattr': {'uid'}, >>> 'default_privileges': {'Stage User Administrators'}, >>> }, >>> >>> This was supposed to be ""System: Modify User RDN". When the name is >>> also >>> fixed, I am fine. >>> >> Updated patch attached. >> >> > Hi David, > > All the tests are ok. The patch is fine for me. ACK > Pushed to master: 44cced658bde224957a605bfa083821d8fbf94c0 -- Petr Vobornik From pvoborni at redhat.com Mon Jun 15 07:54:30 2015 
From: pvoborni at redhat.com (Petr Vobornik) Date: Mon, 15 Jun 2015 09:54:30 +0200 Subject: [Freeipa-devel] [PATCH 0264] Server Upgrade: disconnect ldap2 connection before DS restart In-Reply-To: <557ADE01.4090206@redhat.com> References: <557823B7.3070205@redhat.com> <557ADE01.4090206@redhat.com> Message-ID: <557E84B6.4090202@redhat.com> On 06/12/2015 03:26 PM, Martin Babinsky wrote: > On 06/10/2015 01:47 PM, Martin Basti wrote: >> Without this patch, upgrade may failed when api.Backend.ldap2 was >> connected before DS restart. >> >> Patch attached. >> >> >> > ACK > Pushed to master: c1d484afde34cb68cfb0d187004e107342180399 -- Petr Vobornik From ofayans at redhat.com Mon Jun 15 08:16:49 2015 
From: ofayans at redhat.com (Oleg Fayans)
Date: Mon, 15 Jun 2015 10:16:49 +0200
Subject: [Freeipa-devel] upstream build failure
Message-ID: <557E89F1.4000103@redhat.com>

Hi guys,

The attempt to build the latest upstream branch fails with the following error:

aci: (targetattr = "krblastpwdchange || krbpasswordexpiration || krbprincipalkey || userpassword")(target = "ldap:///uid=*,cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Reset Preserved User password";allow (read,search,write) groupdn = "ldap:///cn=System: Reset Preserved User password,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: dc=ipa,dc=example
aci: (target_to = "ldap:///cn=users,cn=accounts,dc=ipa,dc=example")(target_from = "ldap:///cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=nsContainer)")(version 3.0;acl "permission:System: Undelete User";allow (moddn) groupdn = "ldap:///cn=System: Undelete User,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=users,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = "uid")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=ipa,dc=example")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Write Active Users RDN by administrators";allow (write) groupdn = "ldap:///cn=System: Write Active Users RDN by administrators,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=sudocmds,cn=sudo,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=ipasudocmd)")(version 3.0;acl "permission:System: Add Sudo Command";allow (add) groupdn = "ldap:///cn=System: Add Sudo Command,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=sudocmds,cn=sudo,dc=ipa,dc=example

Managed permission ACI validation failed.
Re-check permission changes and run `makeaci`.
ACI.txt validation failed
Makefile:130: recipe for target 'version-update' failed
make: *** [version-update] Error 1

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

From pvoborni at redhat.com Mon Jun 15 08:25:02 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Mon, 15 Jun 2015 10:25:02 +0200
Subject: [Freeipa-devel] [PATCH] 876 regenerate ACI.txt after stage user permission rename
Message-ID: <557E8BDE.4080902@redhat.com>

./makeaci was not run..

Pushed to master: 4137f2a8ed6bf1457c7dadf0ed4e6a4465abc621
under one-liner/simple rule

--
Petr Vobornik

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0876-regenerate-ACI.txt-after-stage-user-permission-renam.patch
Type: text/x-patch
Size: 3634 bytes
Desc: not available
URL:

From pvoborni at redhat.com Mon Jun 15 08:30:24 2015
From: pvoborni at redhat.com (Petr Vobornik) Date: Mon, 15 Jun 2015 10:30:24 +0200 Subject: [Freeipa-devel] upstream build failure In-Reply-To: <557E89F1.4000103@redhat.com> References: <557E89F1.4000103@redhat.com> Message-ID: <557E8D20.8010308@redhat.com> On 06/15/2015 10:16 AM, Oleg Fayans wrote: > Hi guys, > > The attempt to build the latest upstream branch fails with the following > error: > > aci: (targetattr = "krblastpwdchange || krbpasswordexpiration || > krbprincipalkey || userpassword")(target = "ldap:///uid=*,cn=deleted > users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = > "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Reset > Preserved User password";allow (read,search,write) groupdn = > "ldap:///cn=System: Reset Preserved User > password,cn=permissions,cn=pbac,dc=ipa,dc=example";) > dn: dc=ipa,dc=example > aci: (target_to = > "ldap:///cn=users,cn=accounts,dc=ipa,dc=example")(target_from = > "ldap:///cn=deleted > users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = > "(objectclass=nsContainer)")(version 3.0;acl "permission:System: > Undelete User";allow (moddn) groupdn = "ldap:///cn=System: Undelete > User,cn=permissions,cn=pbac,dc=ipa,dc=example";) > -dn: cn=users,cn=accounts,dc=ipa,dc=example > -aci: (targetattr = "uid")(target = > "ldap:///uid=*,cn=users,cn=accounts,dc=ipa,dc=example")(targetfilter = > "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Write > Active Users RDN by administrators";allow (write) groupdn = > "ldap:///cn=System: Write Active Users RDN by > administrators,cn=permissions,cn=pbac,dc=ipa,dc=example";) > dn: cn=sudocmds,cn=sudo,dc=ipa,dc=example > aci: (targetfilter = "(objectclass=ipasudocmd)")(version 3.0;acl > "permission:System: Add Sudo Command";allow (add) groupdn = > "ldap:///cn=System: Add Sudo > Command,cn=permissions,cn=pbac,dc=ipa,dc=example";) > dn: cn=sudocmds,cn=sudo,dc=ipa,dc=example > > Managed permission ACI validation failed. 
> Re-check permission changes and run `makeaci`. > ACI.txt validation failed > Makefile:130: recipe for target 'version-update' failed > make: *** [version-update] Error 1 > fixed by [PATCH] 876 regenerate ACI.txt after stage user permission rename -- Petr Vobornik From pvoborni at redhat.com Mon Jun 15 08:57:57 2015 
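The validation failure quoted in Oleg's report and in Petr's reply above compares the committed ACI.txt with the ACIs generated from the managed permission definitions; the lines prefixed with `-` are the ACI under the old "Write Active Users RDN by administrators" name, which the regenerated output no longer contains after the rename. As an added Python example (not FreeIPA's makeaci or its ACI handling), here is a parser for the 389-ds ACI syntax shown in that output, a loader for the dn:/aci: file layout, a comparison that reports exactly which (dn, acl name) pairs are stale or missing, and a helper that answers the question a reviewer actually cares about: which permissions grant a given right on a given attribute. The two ACI.txt excerpts are constructed from the lines quoted in the message; the renamed ACI uses the "System: Modify User RDN" name agreed in the stage user permissions thread.

```python
import re

# Target clauses in front of the bind rule: (keyword = "value") or (keyword != "value")
CLAUSE_RE = re.compile(r'\((\w+)\s*(!?=)\s*"([^"]*)"\)')
# The permission part: (version 3.0;acl "name";allow|deny (rights) bind-rule;)
BIND_RE = re.compile(
    r'\(version\s+3\.0\s*;\s*acl\s+"([^"]+)"\s*;\s*(allow|deny)\s*'
    r'\(([^)]*)\)\s*(.*?)\s*;\s*\)\s*$', re.S)


def parse_aci(aci):
    """Split one 389-ds ACI string into its target clauses and permission."""
    m = BIND_RE.search(aci)
    if m is None:
        raise ValueError("no (version 3.0;acl ...) part in: %r" % aci[:60])
    clauses = {}
    for key, op, value in CLAUSE_RE.findall(aci[:m.start()]):
        clauses[key] = (op, value)
    attr_op, attr_val = clauses.pop("targetattr", ("=", ""))
    return {
        "name": m.group(1),
        "effect": m.group(2),
        "rights": {r.strip() for r in m.group(3).split(",") if r.strip()},
        "bind_rule": m.group(4).strip(),
        "targetattr": [a.strip() for a in attr_val.split("||") if a.strip()],
        "targetattr_negated": attr_op == "!=",
        "clauses": {k: v for k, (op, v) in clauses.items()},   # target, targetfilter, target_to, ...
    }


def parse_aci_txt(text):
    """Read the 'dn: ...' / 'aci: ...' layout into [(dn, parsed_aci), ...]."""
    entries, dn = [], None
    for line in text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif line.startswith("aci: "):
            if dn is None:
                raise ValueError("aci line before any dn line")
            entries.append((dn, parse_aci(line[5:].strip())))
    return entries


def compare_aci_files(committed, generated):
    """(stale, missing): (dn, acl name) pairs only in the committed file and only
    in the freshly generated one.  A permission rename shows up as one of each."""
    c = {(dn, a["name"]) for dn, a in parse_aci_txt(committed)}
    g = {(dn, a["name"]) for dn, a in parse_aci_txt(generated)}
    return sorted(c - g), sorted(g - c)


def permissions_granting(entries, right, attr):
    """Names of allow ACIs whose explicit targetattr covers attr with right.
    ACIs without a targetattr clause are not considered here."""
    names = []
    for _dn, a in entries:
        if a["effect"] != "allow" or right not in a["rights"]:
            continue
        if (attr in a["targetattr"]) != a["targetattr_negated"]:
            names.append(a["name"])
    return sorted(names)


# ACI.txt excerpts constructed from the lines quoted in the build failure above.
_UNDELETE = ('aci: (target_to = "ldap:///cn=users,cn=accounts,dc=ipa,dc=example")'
             '(target_from = "ldap:///cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")'
             '(targetfilter = "(objectclass=nsContainer)")(version 3.0;acl "permission:System: Undelete User";'
             'allow (moddn) groupdn = "ldap:///cn=System: Undelete User,cn=permissions,cn=pbac,dc=ipa,dc=example";)')
_SUDO = ('aci: (targetfilter = "(objectclass=ipasudocmd)")(version 3.0;acl "permission:System: Add Sudo Command";'
         'allow (add) groupdn = "ldap:///cn=System: Add Sudo Command,cn=permissions,cn=pbac,dc=ipa,dc=example";)')


def _rdn_aci(name):
    return ('aci: (targetattr = "uid")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=ipa,dc=example")'
            '(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:%s";'
            'allow (write) groupdn = "ldap:///cn=%s,cn=permissions,cn=pbac,dc=ipa,dc=example";)' % (name, name))


COMMITTED_ACI_TXT = "\n".join([
    "dn: dc=ipa,dc=example", _UNDELETE,
    "dn: cn=users,cn=accounts,dc=ipa,dc=example", _rdn_aci("System: Write Active Users RDN by administrators"),
    "dn: cn=sudocmds,cn=sudo,dc=ipa,dc=example", _SUDO,
])
GENERATED_ACI_TXT = "\n".join([
    "dn: dc=ipa,dc=example", _UNDELETE,
    "dn: cn=users,cn=accounts,dc=ipa,dc=example", _rdn_aci("System: Modify User RDN"),
    "dn: cn=sudocmds,cn=sudo,dc=ipa,dc=example", _SUDO,
])

if __name__ == "__main__":
    stale, missing = compare_aci_files(COMMITTED_ACI_TXT, GENERATED_ACI_TXT)
    print("stale in ACI.txt:", stale)
    print("missing from ACI.txt:", missing)
    print("write on uid granted by:", permissions_granting(parse_aci_txt(COMMITTED_ACI_TXT), "write", "uid"))
```

The comparison keys on (dn, acl name) only, which is enough to explain a rename; a stricter check would also compare the parsed rights, targets and bind rule so that a silently widened ACI under an unchanged name is caught as well.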
From: pvoborni at redhat.com (Petr Vobornik)
Date: Mon, 15 Jun 2015 10:57:57 +0200
Subject: [Freeipa-devel] [PATCH] 873-874 ipa-replica-manage: adjust del to work with managed topology
In-Reply-To: <557AEA28.1010905@redhat.com>
References: <557AEA28.1010905@redhat.com>
Message-ID: <557E9395.40101@redhat.com>

On 06/12/2015 04:18 PM, Petr Vobornik wrote:
> Some notes:
>
> 1. As mentioned in the WIP patch thread: original 'del' worked also with
> winsync agreements. I'm not sure why is that. Shouldn't 'disconnect' be
> used for winsync agreements? At least man page says that. This patch
> doesn't support it if domain level > 0. Is it a blocker?
>
> Following should be addressed in beta:
>
> 2. If `ipa-replica-manage del` is run before `ipa-csreplica-manage del`
> then the `ipa-csreplica-manage del` will fail unless run with --force
> options.
>
> 3. Check for orphaned server is missing. I want to use proper graph
> traversing algorithm for that given that we have the whole topology.
>
> 4. Probably a work for topology plugin: I've seen that the removed
> master doesn't remove its segments and agreements even though that it
> knows about its removal (doesn't have its own entry in cn=masters). It
> leads to failed replication connection attempts. Not a big issue, but
> also not wanted.
>

Martin3 found that there is wrong hostname in one error message. Fixed.
Patch 873 rebased.

--
Petr Vobornik

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0873-1-server-add-del-command.patch
Type: text/x-patch
Size: 2483 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0874-2-ipa-replica-manage-adjust-del-to-work-with-managed-t.patch
Type: text/x-patch
Size: 11955 bytes
Desc: not available
URL:

From cheimes at redhat.com Mon Jun 15 09:56:53 2015
From: cheimes at redhat.com (Christian Heimes)
Date: Mon, 15 Jun 2015 11:56:53 +0200
Subject: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)
In-Reply-To: <557B55F6.4060408@redhat.com>
References: <5565C3AF.1070509@redhat.com> <5576F050.7070903@redhat.com> <1434138036.2542.52.camel@redhat.com> <557B55F6.4060408@redhat.com>
Message-ID: <557EA165.5060306@redhat.com>

On 2015-06-12 23:58, Adam Young wrote:
> So...I've been spoiled a bit by Gerrit. Here is what I just did to get
> them to apply:
>
>
> cd freeipa
> git clean -xdf .
> #use the -3 to do 3 way merge
> git am -3
> ~/Documents/freeipa/patches/cheimes/freeipa-cheimes-0001-3-Provide-Kerberos-over-HTTP-MS-KKDCP.patch
>
> @git status show conflicts in
>
> both modified: install/share/Makefile.am
> both modified: ipaplatform/base/paths.py
>
> Which were due to this change and another making changes to the same
> section of the file, but they were "accept both" type conflicts
>
> Updated patch is attached. Christian, please confirm it is OK.

Hi Adam,

awesome! The three-way-merge option is a great trick. I didn't know it before. Your patch looks like the patch that I was about to upload now. :)

Christian

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL:

From ofayans at redhat.com Mon Jun 15 10:41:08 2015
From: ofayans at redhat.com (Oleg Fayans)
Date: Mon, 15 Jun 2015 12:41:08 +0200
Subject: [Freeipa-devel] Unable to prepare a replica file on a replica
Message-ID: <557EABC4.4040901@redhat.com>

Hi all,

In my letter from 06/09/2015 03:55 PM, I indicated 2 issues related to the topology plugin. One of them was later successfully fixed, another one is still there:

ofayans at f22replica1:~]$ sudo ipa-replica-prepare --ip-address 192.168.122.140 f22replica2.bagam.net
Directory Manager (existing master) password:
Preparing replica for f22replica2.bagam.net from f22replica1.bagam.net
Creating SSL certificate for the Directory Server
Certificate issuance failed

So, I am unable to prepare a replica on an existing replica - only on master. Do you have any ideas on how to deal with it?

The corresponding line in dirsrv error.log is:

[15/Jun/2015:06:33:51 -0400] - Entry "uid=admin,ou=people,o=ipaca" -- attribute "krbExtraData" not allowed

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

From mbabinsk at redhat.com Mon Jun 15 11:46:17 2015
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Mon, 15 Jun 2015 13:46:17 +0200
Subject: [Freeipa-devel] [PATCH] 873-874 ipa-replica-manage: adjust del to work with managed topology
In-Reply-To: <557E9395.40101@redhat.com>
References: <557AEA28.1010905@redhat.com> <557E9395.40101@redhat.com>
Message-ID: <557EBB09.8080908@redhat.com>

On 06/15/2015 10:57 AM, Petr Vobornik wrote:
> On 06/12/2015 04:18 PM, Petr Vobornik wrote:
>> Some notes:
>>
>> 1. As mentioned in the WIP patch thread: original 'del' worked also with
>> winsync agreements. I'm not sure why is that. Shouldn't 'disconnect' be
>> used for winsync agreements? At least man page says that. This patch
>> doesn't support it if domain level > 0. Is it a blocker?
>>
>> Following should be addressed in beta:
>>
>> 2. If `ipa-replica-manage del` is run before `ipa-csreplica-manage del`
>> then the `ipa-csreplica-manage del` will fail unless run with --force
>> options.
>>
>> 3. Check for orphaned server is missing. I want to use proper graph
>> traversing algorithm for that given that we have the whole topology.
>>
>> 4. Probably a work for topology plugin: I've seen that the removed
>> master doesn't remove its segments and agreements even though that it
>> knows about its removal (doesn't have its own entry in cn=masters). It
>> leads to failed replication connection attempts. Not a big issue, but
>> also not wanted.
>>
>>
>
> Martin3 found that there is wrong hostname in one error message. Fixed.
> Patch 873 rebased.

Sorry but NACK.

When I try to test the removal of last CA master I get a generic error like this:

"""
unexpected error: no such entry

"""

Traceback leading to this error is here:
http://pastebin.test.redhat.com/290131

This is caused by the following test which assumes that 'master' is a string, but this is in fact the whole result dictionary returned by api.Command.server_find

+ if master == hostname:
+ this_services = services_cns

the following quick hack fixes this:

+ if str(master['dn'][0]['cn']) == hostname:
+ this_services = services_cn

but there is certainly a more elegant approach, like transforming the results to a list of master FQDNs directly after calling API command on line 679.

--
Martin^3 Babinsky

From pvoborni at redhat.com Mon Jun 15 12:15:36 2015
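Review bot: the suggested replacement changes the assigned name along with the condition, `this_services = services_cn` where the original lines assign `services_cns`, so applied as written it would trade a wrong comparison for a reference to a different (possibly undefined) name; keep the variable from the original lines and change only the `if`. Pulling the hostname out of `master['dn'][0]['cn']` also ties the check to the DN layout; since `server_find` returns the whole entry, comparing `hostname` against the entry's own cn value (`master['cn'][0]`) is simpler and avoids the `str()` conversion.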
From: pvoborni at redhat.com (Petr Vobornik)
Date: Mon, 15 Jun 2015 14:15:36 +0200
Subject: [Freeipa-devel] [PATCH] 873-874 ipa-replica-manage: adjust del to work with managed topology
In-Reply-To: <557EBB09.8080908@redhat.com>
References: <557AEA28.1010905@redhat.com> <557E9395.40101@redhat.com> <557EBB09.8080908@redhat.com>
Message-ID: <557EC1E8.5040800@redhat.com>

On 06/15/2015 01:46 PM, Martin Babinsky wrote:
> On 06/15/2015 10:57 AM, Petr Vobornik wrote:
>> On 06/12/2015 04:18 PM, Petr Vobornik wrote:
>>> Some notes:
>>>
>>> 1. As mentioned in the WIP patch thread: original 'del' worked also with
>>> winsync agreements. I'm not sure why is that. Shouldn't 'disconnect' be
>>> used for winsync agreements? At least man page says that. This patch
>>> doesn't support it if domain level > 0. Is it a blocker?
>>>
>>> Following should be addressed in beta:
>>>
>>> 2. If `ipa-replica-manage del` is run before `ipa-csreplica-manage del`
>>> then the `ipa-csreplica-manage del` will fail unless run with --force
>>> options.
>>>
>>> 3. Check for orphaned server is missing. I want to use proper graph
>>> traversing algorithm for that given that we have the whole topology.
>>>
>>> 4. Probably a work for topology plugin: I've seen that the removed
>>> master doesn't remove its segments and agreements even though that it
>>> knows about its removal (doesn't have its own entry in cn=masters). It
>>> leads to failed replication connection attempts. Not a big issue, but
>>> also not wanted.
>>>
>>>
>>
>> Martin3 found that there is wrong hostname in one error message. Fixed.
>> Patch 873 rebased.
>
> Sorry but NACK.
>
> When I try to test the removal of last CA master I get a generic error
> like this:
>
> """
> unexpected error: no such entry
>
> """
>
> Traceback leading to this error is here:
> http://pastebin.test.redhat.com/290131
>
> This is caused by the following test which assumes that 'master' is a
> string, but this is in fact the whole result dictionary returned by
> api.Command.server_find
>
> + if master == hostname:
> + this_services = services_cns
>
> the following quick hack fixes this:
> + if str(master['dn'][0]['cn']) == hostname:
> + this_services = services_cn
>
> but there is certainly a more elegant approach, like transforming the
> results to a list of master FQDNs directly after calling API command on
> line 679.
>

ah, had this originally when serverservice object was used instead of direct ldap find in the WIP patch. Dict allow us to get dn directly for the service search. CN is also in the dict: master['cn'][0] so not need to get it from dn.

Thanks for finding it.

Updated patch attached.

--
Petr Vobornik

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0874-3-ipa-replica-manage-adjust-del-to-work-with-managed-t.patch
Type: text/x-patch
Size: 11998 bytes
Desc: not available
URL:

From mbabinsk at redhat.com Mon Jun 15 12:44:25 2015
From: mbabinsk at redhat.com (Martin Babinsky) Date: Mon, 15 Jun 2015 14:44:25 +0200 Subject: [Freeipa-devel] [PATCH] 873-874 ipa-replica-manage: adjust del to work with managed topology In-Reply-To: <557EC1E8.5040800@redhat.com> References: <557AEA28.1010905@redhat.com> <557E9395.40101@redhat.com> <557EBB09.8080908@redhat.com> <557EC1E8.5040800@redhat.com> Message-ID: <557EC8A9.6040901@redhat.com> On 06/15/2015 02:15 PM, Petr Vobornik wrote: > On 06/15/2015 01:46 PM, Martin Babinsky wrote: >> On 06/15/2015 10:57 AM, Petr Vobornik wrote: >>> On 06/12/2015 04:18 PM, Petr Vobornik wrote: >>>> Some notes: >>>> >>>> 1. As mentioned in the WIP patch thread: original 'del' worked also >>>> with >>>> winsync agreements. I'm not sure why is that. Shouldn't 'disconnect' be >>>> used for winsync agreements? At least man page says that. This patch >>>> doesn't support it if domain level > 0. Is it a blocker? >>>> >>>> Following should be addressed in beta: >>>> >>>> 2. If `ipa-replica-manage del` is run before `ipa-csreplica-manage del` >>>> then the `ipa-csreplica-manage del` will fail unless run with --force >>>> options. >>>> >>>> 3. Check for orphaned server is missing. I want to use proper graph >>>> traversing algorithm for that given that we have the whole topology. >>>> >>>> 4. Probably a work for topology plugin: I've seen that the removed >>>> master doesn't remove its segments and agreements even though that it >>>> knows about its removal (doesn't have its own entry in cn=masters). It >>>> leads to failed replication connection attempts. Not a big issue, but >>>> also not wanted. >>>> >>>> >>> >>> Martin3 found that there is wrong hostname in one error message. Fixed. >>> Patch 873 rebased. >> >> Sorry but NACK. 
>>
>> When I try to test the removal of last CA master I get a generic error like this:
>>
>> """
>> unexpected error: no such entry
>>
>> """
>>
>> Traceback leading to this error is here:
>> http://pastebin.test.redhat.com/290131
>>
>> This is caused by the following test which assumes that 'master' is a string, but this is in fact the whole result dictionary returned by api.Command.server_find
>>
>> + if master == hostname:
>> + this_services = services_cns
>>
>> the following quick hack fixes this:
>> + if str(master['dn'][0]['cn']) == hostname:
>> + this_services = services_cn
>>
>> but there is certainly a more elegant approach, like transforming the results to a list of master FQDNs directly after calling API command on line 679.
>>
>
> ah, had this originally when serverservice object was used instead of direct ldap find in the WIP patch. Dict allows us to get dn directly for the service search. CN is also in the dict: master['cn'][0] so no need to get it from dn.
>
> Thanks for finding it.
>
> Updated patch attached.

Everything seems to work as expected. ACK.

-- 
Martin^3 Babinsky
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Mon, 15 Jun 2015 14:59:20 +0200
Subject: [Freeipa-devel] [PATCH 0329] ipa-replica-manage: Do not allow topology altering commands
In-Reply-To: <5578727C.5080305@redhat.com>
References: <556D9D3B.3040901@redhat.com> <556DA07E.7030300@redhat.com> <55784450.5050707@redhat.com> <55784C13.6090301@redhat.com> <5578727C.5080305@redhat.com>
Message-ID: <557ECC28.9060203@redhat.com>

On 06/10/2015 07:23 PM, Petr Vobornik wrote:
> On 06/10/2015 04:39 PM, Petr Vobornik wrote:
>> On 06/10/2015 04:06 PM, Petr Vobornik wrote:
>>> On 06/02/2015 02:24 PM, Ludwig Krispenz wrote:
>>>> hi,
>>>>
>>>> is there a real replacement for "del", it is not in the scope of the topology commands, the removal of the agreement is rejected and later done by the plugin, but what about removal of the host, services, cleanruv ?
>>>>
>>>> Ludwig
>>>> On 06/02/2015 02:10 PM, Tomas Babej wrote:
>>>>> Hi,
>>>>>
>>>>> With Domain Level 1 and above, the usage of ipa-replica-manage commands that alter the replica topology is deprecated. Following commands are prohibited:
>>>>>
>>>>> * connect
>>>>> * disconnect
>>>>> * del
>>>>>
>>>>> Upon executing any of these commands, users are pointed to the ipa topologysegment-* replacements.
>>>>>
>>>>> Part of: https://fedorahosted.org/freeipa/ticket/4302
>>>>>
>>>
>>> Tomas is on vacation. I've removed 'del' from his patch and will create a new one for handling of 'del'.
>>>
>>> If that's OK, we can push this one.
>>>
>>
>> NACK
>>
>> 'connect' and 'disconnect' serve also for setting up/removing of winsync replication agreements. This patch forbids it.
>
> attaching patch which addresses this issue and replaces Tomas' patch (which was used as a basis). Patch for 'del' will follow.
>
>> I've not tested if topology plugin ignores winsync agreements. Does it?
>

ACK for the patch.
I think that winsync agreements should be ignored because they live in 'cn=replicas,cn=ipa,cn=etc,$SUFFIX', not among cn=masters (but I may be wrong).

I have just now set up a winsync agreement and it doesn't show up in cn=topology at all.

-- 
Martin^3 Babinsky
From: pvoborni at redhat.com (Petr Vobornik)
Date: Mon, 15 Jun 2015 15:03:26 +0200
Subject: [Freeipa-devel] [PATCH 0329] ipa-replica-manage: Do not allow topology altering commands
In-Reply-To: <557ECC28.9060203@redhat.com>
References: <556D9D3B.3040901@redhat.com> <556DA07E.7030300@redhat.com> <55784450.5050707@redhat.com> <55784C13.6090301@redhat.com> <5578727C.5080305@redhat.com> <557ECC28.9060203@redhat.com>
Message-ID: <557ECD1E.2000603@redhat.com>

On 06/15/2015 02:59 PM, Martin Babinsky wrote:
> On 06/10/2015 07:23 PM, Petr Vobornik wrote:
>> On 06/10/2015 04:39 PM, Petr Vobornik wrote:
>>> On 06/10/2015 04:06 PM, Petr Vobornik wrote:
>>>> On 06/02/2015 02:24 PM, Ludwig Krispenz wrote:
>>>>> hi,
>>>>>
>>>>> is there a real replacement for "del", it is not in the scope of the topology commands, the removal of the agreement is rejected and later done by the plugin, but what about removal of the host, services, cleanruv ?
>>>>>
>>>>> Ludwig
>>>>> On 06/02/2015 02:10 PM, Tomas Babej wrote:
>>>>>> Hi,
>>>>>>
>>>>>> With Domain Level 1 and above, the usage of ipa-replica-manage commands that alter the replica topology is deprecated. Following commands are prohibited:
>>>>>>
>>>>>> * connect
>>>>>> * disconnect
>>>>>> * del
>>>>>>
>>>>>> Upon executing any of these commands, users are pointed to the ipa topologysegment-* replacements.
>>>>>>
>>>>>> Part of: https://fedorahosted.org/freeipa/ticket/4302
>>>>>>
>>>>
>>>> Tomas is on vacation. I've removed 'del' from his patch and will create a new one for handling of 'del'.
>>>>
>>>> If that's OK, we can push this one.
>>>>
>>>
>>> NACK
>>>
>>> 'connect' and 'disconnect' serve also for setting up/removing of winsync replication agreements. This patch forbids it.
>>
>> attaching patch which addresses this issue and replaces Tomas' patch (which was used as a basis). Patch for 'del' will follow.
>>
>>> I've not tested if topology plugin ignores winsync agreements. Does it?
>>
>
> ACK for the patch.
>
> I think that winsync agreements should be ignored because they live in 'cn=replicas,cn=ipa,cn=etc,$SUFFIX', not among cn=masters (but I may be wrong).
>
> I have just now set up a winsync agreement and it doesn't show up in cn=topology at all.
>

Pushed to master: 45dccedd12e6d26e146ad9c30c2c304e6b2eded1

-- 
Petr Vobornik
From: pvoborni at redhat.com (Petr Vobornik)
Date: Mon, 15 Jun 2015 16:08:01 +0200
Subject: [Freeipa-devel] [PATCH] 873-874 ipa-replica-manage: adjust del to work with managed topology
In-Reply-To: <557EC8A9.6040901@redhat.com>
References: <557AEA28.1010905@redhat.com> <557E9395.40101@redhat.com> <557EBB09.8080908@redhat.com> <557EC1E8.5040800@redhat.com> <557EC8A9.6040901@redhat.com>
Message-ID: <557EDC41.2090109@redhat.com>

On 06/15/2015 02:44 PM, Martin Babinsky wrote:
> On 06/15/2015 02:15 PM, Petr Vobornik wrote:
>> On 06/15/2015 01:46 PM, Martin Babinsky wrote:
>>> On 06/15/2015 10:57 AM, Petr Vobornik wrote:
>>>> On 06/12/2015 04:18 PM, Petr Vobornik wrote:
>>>>> Some notes:
>>>>>
>>>>> 1. As mentioned in the WIP patch thread: original 'del' worked also with winsync agreements. I'm not sure why that is. Shouldn't 'disconnect' be used for winsync agreements? At least man page says that. This patch doesn't support it if domain level > 0. Is it a blocker?
>>>>>
>>>>> Following should be addressed in beta:
>>>>>
>>>>> 2. If `ipa-replica-manage del` is run before `ipa-csreplica-manage del` then the `ipa-csreplica-manage del` will fail unless run with --force options.
>>>>>
>>>>> 3. Check for orphaned server is missing. I want to use proper graph traversing algorithm for that given that we have the whole topology.
>>>>>
>>>>> 4. Probably a work for topology plugin: I've seen that the removed master doesn't remove its segments and agreements even though it knows about its removal (doesn't have its own entry in cn=masters). It leads to failed replication connection attempts. Not a big issue, but also not wanted.
>>>>>
>>>>
>>>> Martin3 found that there is a wrong hostname in one error message. Fixed. Patch 873 rebased.
>>>
>>> Sorry but NACK.
>>>
>>> When I try to test the removal of last CA master I get a generic error like this:
>>>
>>> """
>>> unexpected error: no such entry
>>>
>>> """
>>>
>>> Traceback leading to this error is here:
>>> http://pastebin.test.redhat.com/290131
>>>
>>> This is caused by the following test which assumes that 'master' is a string, but this is in fact the whole result dictionary returned by api.Command.server_find
>>>
>>> + if master == hostname:
>>> + this_services = services_cns
>>>
>>> the following quick hack fixes this:
>>> + if str(master['dn'][0]['cn']) == hostname:
>>> + this_services = services_cn
>>>
>>> but there is certainly a more elegant approach, like transforming the results to a list of master FQDNs directly after calling API command on line 679.
>>>
>>
>> ah, had this originally when serverservice object was used instead of direct ldap find in the WIP patch. Dict allows us to get dn directly for the service search. CN is also in the dict: master['cn'][0] so no need to get it from dn.
>>
>> Thanks for finding it.
>>
>> Updated patch attached.
>
> Everything seems to work as expected. ACK.
>

pushed to master
* d58bdf29a514a7868c63b767f4954891b10a574d server: add "del" command
* e9e4509b10e5064556f0aa9a6f0124f38f14b31b ipa-replica-manage: adjust del to work with managed topology

-- 
Petr Vobornik
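The bug reviewed in this thread was a comparison of a whole `server_find` result entry against a hostname string, which can never match. The following added example (not code from the FreeIPA patch or the project) shows the failing comparison next to the suggested fix, flattening the entries to FQDNs right after the API call, and then uses that list for the check `del` needs: refusing to remove the last master that still provides a service such as the CA. `SERVER_FIND_RESULT` and `SERVICES_BY_MASTER` are constructed stand-ins for the `server_find` result list and for the per-master service entries under cn=masters; the hostnames and the `--force` wording are assumptions of the example.

```python
"""Added example: matching a hostname against api.Command.server_find results.

SERVER_FIND_RESULT is a constructed stand-in for the 'result' list that
api.Command.server_find() returns: one entry dict per master, whose 'cn' is a
single-valued list holding the master's FQDN (real entries carry many more
attributes; only 'cn' is used here).  SERVICES_BY_MASTER is a constructed
stand-in for the cn=<service>,cn=<master>,cn=masters,cn=ipa,cn=etc entries the
patch searches for each master.
"""

SERVER_FIND_RESULT = [
    {"cn": ["master1.ipa.test"]},
    {"cn": ["master2.ipa.test"]},
    {"cn": ["master3.ipa.test"]},
]

SERVICES_BY_MASTER = {
    "master1.ipa.test": ["CA", "DNS", "KDC"],
    "master2.ipa.test": ["DNS", "KDC"],
    "master3.ipa.test": ["KDC"],
}


def buggy_this_services(result, services_by_master, hostname):
    """The reviewed bug: `master` is an entry dict, so `master == hostname`
    is always False and this_services stays empty for every hostname."""
    this_services = []
    for master in result:
        if master == hostname:  # dict compared with str: never True
            this_services = list(services_by_master[master])
    return this_services


def master_fqdns(result):
    """Flatten server_find entries to FQDN strings right after the API call
    (the 'more elegant approach' suggested in the review): master['cn'][0]."""
    return [str(entry["cn"][0]) for entry in result]


def split_services(result, services_by_master, hostname):
    """Services run by `hostname` versus the union run by all other masters."""
    this_services, other_services = [], set()
    for master in master_fqdns(result):
        services = services_by_master.get(master, [])
        if master == hostname:  # str compared with str: works as intended
            this_services = list(services)
        else:
            other_services.update(services)
    return this_services, other_services


def services_lost_on_removal(result, services_by_master, hostname):
    """Services no remaining master would provide once `hostname` is deleted;
    a non-empty list means `hostname` is the last master for those services."""
    this_services, other_services = split_services(
        result, services_by_master, hostname)
    return sorted(s for s in this_services if s not in other_services)


def check_removal(result, services_by_master, hostname, force=False):
    """Return (ok, message) for a request to delete `hostname` from the topology.

    Refuses to remove the last master of any service unless `force` is set,
    which is the situation (last CA master) that surfaced the bug in review.
    """
    if hostname not in master_fqdns(result):
        return False, "%s is not a master in this topology" % hostname
    lost = services_lost_on_removal(result, services_by_master, hostname)
    if lost and not force:
        return False, ("deleting %s would remove the last master of: %s "
                       "(use --force to override)" % (hostname, ", ".join(lost)))
    return True, "%s can be removed" % hostname


if __name__ == "__main__":
    host = "master1.ipa.test"
    print("buggy this_services:", buggy_this_services(
        SERVER_FIND_RESULT, SERVICES_BY_MASTER, host))
    print("fixed this_services:", split_services(
        SERVER_FIND_RESULT, SERVICES_BY_MASTER, host)[0])
    print(check_removal(SERVER_FIND_RESULT, SERVICES_BY_MASTER, host))
    print(check_removal(SERVER_FIND_RESULT, SERVICES_BY_MASTER, host, force=True))
```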
From: pvoborni at redhat.com (Petr Vobornik)
Date: Mon, 15 Jun 2015 16:14:32 +0200
Subject: [Freeipa-devel] [PATCH] 0005 User life cycle: del/mod/find/show stageuser commands
In-Reply-To: <55784076.4030007@redhat.com>
References: <552F964E.2060304@redhat.com> <553F437D.5080103@redhat.com> <553F44B7.6040100@redhat.com> <553F476E.8080502@redhat.com> <553F9BCE.6010000@redhat.com> <554869C3.2040509@redhat.com> <5551EF3E.1060503@redhat.com> <555216B9.1070106@redhat.com> <205373726.22060212.1431701099532.JavaMail.zimbra@redhat.com> <5559A3DD.7030002@redhat.com> <555C5348.2030202@redhat.com> <55784076.4030007@redhat.com>
Message-ID: <557EDDC8.9000609@redhat.com>

On 06/10/2015 03:49 PM, David Kupka wrote:
> Dne 20.5.2015 v 11:26 Jan Cholasta napsal(a):
>> Dne 18.5.2015 v 10:33 thierry bordaz napsal(a):
>>> On 05/15/2015 04:44 PM, David Kupka wrote:
>>>> Hello Thierry,
>>>> thanks for the patch set. Overall functionality of ULC feature looks good to me and is definitely "alpha ready".
>>>>
>>>> I found following issues but don't insist on fixing it right now:
>>>>
>>>> 1) When stageuser-activate fails due to already existent active/deleted user. DN is shown instead of user name that's used in other commands (user-add, stageuser-add).
>>>> $ ipa user-add tuser --first Test --last User
>>>> $ ipa stageuser-add tuser --first Test --last User
>>>> $ ipa stageuser-activate tuser
>>>> ipa: ERROR: Active user uid=tuser,cn=users,cn=accounts,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com already exists
>>>
>>> Hi David, Jan,
>>>
>>> Thank you so much for all those tests and feedback. I agree, some minor bugs can be fixed separately from these main patches.
>>>
>>> You are right, it should return the user ID not the DN.
>>>
>>>> 2) According to the design there should be '--only-delete' and '--also-delete' options for user-find command instead there is '--preserved' option.
>>>> Honza proposed adding virtual boolean attribute 'deleted' to user entry and filter on it.
>>>> The 'deleted' attribute would be useful also in user-show where there is no way to tell if the displayed user is active or deleted. (Except running with --all and looking on the dn).
>>>
>>> Yes a bit late to resync the design.
>>> The final option is 'preserved' for user-find and 'preserve' for user-del. '--only-delete' or 'also-delete' are old names that I need to replace in the design.
>>>
>>> About the 'deleted' attribute, do you think adding a DS cos virtual attribute ?
>>
>> See the attached patch.
>>
>>>> 3) uidNumber and gidNumber can't be set back to '-1' once set to other value. This would be useful when admin changes its mind and wants IPA to assign them. IIUC, there should be no validation in cn=staged user container. All validation should be done during stageuser-activate.
>>>
>>> Yes that comes from user plugin that enforces the number to be >0. That is a good point giving the ability to reset uidNumber/gidNumber. I will check if it is possible, how (give a value or an option to reset), and also if it would not create other issue.
>>>
>>>> 4) Support for deleted -> stage workflow is still missing. But I'm unsure if we agreed to finish it now or later.
>>>
>>> Yes thanks
>>>
>>>> 5) Twice deleting user with '--preserve' deletes him permanently.
>>>> $ ipa user-add tuser --first Test --last User
>>>> $ ipa user-del tuser --preserve
>>>> $ ipa user-del tuser --preserve
>>>> $ ipa user-find --preserved
>>>> ------------------------
>>>> 0 (delete) users matched
>>>> ------------------------
>>>> ----------------------------
>>>> Number of entries returned 0
>>>> ----------------------------
>>>
>>> Deleting a deleted (preserved) entry, should permanently remove the entry.
>>> Now if the second time the preserve option is present, it makes sense to not delete it.
>>
>> BTW: I might be stating the obvious here, but it would be better to use one boolean parameter rather than two mutually exclusive flags in user-del.
>>
>>>
>>> thanks
>>> thierry
>>
>
> Overall, LGTM,
>
> Just 2 nitpicks:
> 1) preserved attribute label: 'Preserved deleted user' -> 'Preserved user'
> 2) 'preserved' attribute should be shown in user-{find,show} when '--all' is specified
>
> Updated patch attached.
>

+1, Patch looks good. ACK

rebased and pushed to master: 69607250b9762a6c9b657dd31653b03d54a7b411

-- 
Petr Vobornik
From: pvoborni at redhat.com (Petr Vobornik)
Date: Mon, 15 Jun 2015 16:48:51 +0200
Subject: [Freeipa-devel] [PATCH] 0005 User life cycle: del/mod/find/show stageuser commands
In-Reply-To: <5576D5BB.8020500@redhat.com>
References: <552F964E.2060304@redhat.com> <553F437D.5080103@redhat.com> <553F44B7.6040100@redhat.com> <553F476E.8080502@redhat.com> <553F9BCE.6010000@redhat.com> <554869C3.2040509@redhat.com> <5551EF3E.1060503@redhat.com> <555216B9.1070106@redhat.com> <205373726.22060212.1431701099532.JavaMail.zimbra@redhat.com> <5559A3DD.7030002@redhat.com> <555C5348.2030202@redhat.com> <5576D5BB.8020500@redhat.com>
Message-ID: <557EE5D3.8090408@redhat.com>

On 06/09/2015 02:02 PM, Jan Cholasta wrote:
> Dne 20.5.2015 v 11:26 Jan Cholasta napsal(a):
>> Dne 18.5.2015 v 10:33 thierry bordaz napsal(a):
>>> On 05/15/2015 04:44 PM, David Kupka wrote:
>>>> Hello Thierry,
>>>> thanks for the patch set. Overall functionality of ULC feature looks good to me and is definitely "alpha ready".
>>>>
>>>> I found following issues but don't insist on fixing it right now:
>>>>
>>>> 1) When stageuser-activate fails due to already existent active/deleted user. DN is shown instead of user name that's used in other commands (user-add, stageuser-add).
>>>> $ ipa user-add tuser --first Test --last User
>>>> $ ipa stageuser-add tuser --first Test --last User
>>>> $ ipa stageuser-activate tuser
>>>> ipa: ERROR: Active user uid=tuser,cn=users,cn=accounts,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com already exists
>>>
>>> Hi David, Jan,
>>>
>>> Thank you so much for all those tests and feedback. I agree, some minor bugs can be fixed separately from these main patches.
>>>
>>> You are right, it should return the user ID not the DN.
>>>
>>>> 2) According to the design there should be '--only-delete' and '--also-delete' options for user-find command instead there is '--preserved' option.
>>>> Honza proposed adding virtual boolean attribute 'deleted' to user entry and filter on it.
>>>> The 'deleted' attribute would be useful also in user-show where there is no way to tell if the displayed user is active or deleted. (Except running with --all and looking on the dn).
>>>
>>> Yes a bit late to resync the design.
>>> The final option is 'preserved' for user-find and 'preserve' for user-del. '--only-delete' or 'also-delete' are old names that I need to replace in the design.
>>>
>>> About the 'deleted' attribute, do you think adding a DS cos virtual attribute ?
>>
>> See the attached patch.
>
> Can someone please review the patch?
>
>>>> 3) uidNumber and gidNumber can't be set back to '-1' once set to other value. This would be useful when admin changes its mind and wants IPA to assign them. IIUC, there should be no validation in cn=staged user container. All validation should be done during stageuser-activate.
>>>
>>> Yes that comes from user plugin that enforces the number to be >0. That is a good point giving the ability to reset uidNumber/gidNumber. I will check if it is possible, how (give a value or an option to reset), and also if it would not create other issue.
>>>
>>>> 4) Support for deleted -> stage workflow is still missing. But I'm unsure if we agreed to finish it now or later.
>>>
>>> Yes thanks
>>>
>>>> 5) Twice deleting user with '--preserve' deletes him permanently.
>>>> $ ipa user-add tuser --first Test --last User
>>>> $ ipa user-del tuser --preserve
>>>> $ ipa user-del tuser --preserve
>>>> $ ipa user-find --preserved
>>>> ------------------------
>>>> 0 (delete) users matched
>>>> ------------------------
>>>> ----------------------------
>>>> Number of entries returned 0
>>>> ----------------------------
>>>
>>> Deleting a deleted (preserved) entry, should permanently remove the entry.
+1, but no-op if default behavior is "preserve"

>>> Now if the second time the preserve option is present, it makes sense to not delete it.

+1, should be no-op

>>
>> BTW: I might be stating the obvious here, but it would be better to use one boolean parameter rather than two mutually exclusive flags in user-del.
>
> I would like an opinion on this as well.
>

So the proposal is, e.g.,:

Replace:
ipa user del fbar --preserve
ipa user del fbar --permanently
with:
ipa user del fbar --permanently=False
ipa user del fbar --permanently=True
and
ipa user del fbar
uses the default behavior (permanently atm.)

I don't think there is a big difference. A boolean is easier for scripting. 2 options are more descriptive for humans. With a single boolean, I would be afraid that omitting it would imply False to some users which is not always the same as "the default behavior" [1].

With Web UI developer hat I would vote for single boolean but as a CLI user I would like the current options.

Given that Web UI or any other API client should not define CLI, I would keep the current options.

my 2c

[1] http://www.freeipa.org/page/V4/User_Life-Cycle_Management#Delete_User

-- 
Petr Vobornik
From: simo at redhat.com (Simo Sorce)
Date: Mon, 15 Jun 2015 11:00:23 -0400
Subject: [Freeipa-devel] [PATCH] 0005 User life cycle: del/mod/find/show stageuser commands
In-Reply-To: <557EE5D3.8090408@redhat.com>
References: <552F964E.2060304@redhat.com> <553F437D.5080103@redhat.com> <553F44B7.6040100@redhat.com> <553F476E.8080502@redhat.com> <553F9BCE.6010000@redhat.com> <554869C3.2040509@redhat.com> <5551EF3E.1060503@redhat.com> <555216B9.1070106@redhat.com> <205373726.22060212.1431701099532.JavaMail.zimbra@redhat.com> <5559A3DD.7030002@redhat.com> <555C5348.2030202@redhat.com> <5576D5BB.8020500@redhat.com> <557EE5D3.8090408@redhat.com>
Message-ID: <1434380423.22266.14.camel@willson.usersys.redhat.com>

On Mon, 2015-06-15 at 16:48 +0200, Petr Vobornik wrote:
> On 06/09/2015 02:02 PM, Jan Cholasta wrote:
>> Dne 20.5.2015 v 11:26 Jan Cholasta napsal(a):
>>> Dne 18.5.2015 v 10:33 thierry bordaz napsal(a):
>>>> On 05/15/2015 04:44 PM, David Kupka wrote:
>>>>> Hello Thierry,
>>>>> thanks for the patch set. Overall functionality of ULC feature looks good to me and is definitely "alpha ready".
>>>>>
>>>>> I found following issues but don't insist on fixing it right now:
>>>>>
>>>>> 1) When stageuser-activate fails due to already existent active/deleted user. DN is shown instead of user name that's used in other commands (user-add, stageuser-add).
>>>>> $ ipa user-add tuser --first Test --last User
>>>>> $ ipa stageuser-add tuser --first Test --last User
>>>>> $ ipa stageuser-activate tuser
>>>>> ipa: ERROR: Active user uid=tuser,cn=users,cn=accounts,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com already exists
>>>>
>>>> Hi David, Jan,
>>>>
>>>> Thank you so much for all those tests and feedback. I agree, some minor bugs can be fixed separately from these main patches.
>>>>
>>>> You are right, it should return the user ID not the DN.
>>>>
>>>>> 2) According to the design there should be '--only-delete' and '--also-delete' options for user-find command instead there is '--preserved' option.
>>>>> Honza proposed adding virtual boolean attribute 'deleted' to user entry and filter on it.
>>>>> The 'deleted' attribute would be useful also in user-show where there is no way to tell if the displayed user is active or deleted. (Except running with --all and looking on the dn).
>>>>
>>>> Yes a bit late to resync the design.
>>>> The final option is 'preserved' for user-find and 'preserve' for user-del. '--only-delete' or 'also-delete' are old names that I need to replace in the design.
>>>>
>>>> About the 'deleted' attribute, do you think adding a DS cos virtual attribute ?
>>>
>>> See the attached patch.
>>
>> Can someone please review the patch?
>>
>>>>> 3) uidNumber and gidNumber can't be set back to '-1' once set to other value. This would be useful when admin changes its mind and wants IPA to assign them. IIUC, there should be no validation in cn=staged user container. All validation should be done during stageuser-activate.
>>>>
>>>> Yes that comes from user plugin that enforces the number to be >0. That is a good point giving the ability to reset uidNumber/gidNumber. I will check if it is possible, how (give a value or an option to reset), and also if it would not create other issue.
>>>>
>>>>> 4) Support for deleted -> stage workflow is still missing. But I'm unsure if we agreed to finish it now or later.
>>>>
>>>> Yes thanks
>>>>
>>>>> 5) Twice deleting user with '--preserve' deletes him permanently.
>>>>> $ ipa user-add tuser --first Test --last User
>>>>> $ ipa user-del tuser --preserve
>>>>> $ ipa user-del tuser --preserve
>>>>> $ ipa user-find --preserved
>>>>> ------------------------
>>>>> 0 (delete) users matched
>>>>> ------------------------
>>>>> ----------------------------
>>>>> Number of entries returned 0
>>>>> ----------------------------
>>>>
>>>> Deleting a deleted (preserved) entry, should permanently remove the entry.
>
> +1, but no-op if default behavior is "preserve"
>
>>>> Now if the second time the preserve option is present, it makes sense to not delete it.
>
> +1, should be no-op
>
>>>
>>> BTW: I might be stating the obvious here, but it would be better to use one boolean parameter rather than two mutually exclusive flags in user-del.
>>
>> I would like an opinion on this as well.
>>
>
> So the proposal is, e.g.,:
>
> Replace:
> ipa user del fbar --preserve
> ipa user del fbar --permanently
> with:
> ipa user del fbar --permanently=False
> ipa user del fbar --permanently=True
> and
> ipa user del fbar
> uses the default behavior (permanently atm.)
>
> I don't think there is a big difference. A boolean is easier for scripting. 2 options are more descriptive for humans. With a single boolean, I would be afraid that omitting it would imply False to some users which is not always the same as "the default behavior" [1].
>
> With Web UI developer hat I would vote for single boolean but as a CLI user I would like the current options.
>
> Given that Web UI or any other API client should not define CLI, I would keep the current options.
>
> my 2c
>
> [1] http://www.freeipa.org/page/V4/User_Life-Cycle_Management#Delete_User
> -- 
> Petr Vobornik
>

+1 --preserve is 100x better for a human than --permanently=False

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From: tbordaz at redhat.com (thierry bordaz)
Date: Mon, 15 Jun 2015 17:29:54 +0200
Subject: [Freeipa-devel] [PATCH] 0005 User life cycle: del/mod/find/show stageuser commands
In-Reply-To: <1434380423.22266.14.camel@willson.usersys.redhat.com>
References: <552F964E.2060304@redhat.com> <553F437D.5080103@redhat.com> <553F44B7.6040100@redhat.com> <553F476E.8080502@redhat.com> <553F9BCE.6010000@redhat.com> <554869C3.2040509@redhat.com> <5551EF3E.1060503@redhat.com> <555216B9.1070106@redhat.com> <205373726.22060212.1431701099532.JavaMail.zimbra@redhat.com> <5559A3DD.7030002@redhat.com> <555C5348.2030202@redhat.com> <5576D5BB.8020500@redhat.com> <557EE5D3.8090408@redhat.com> <1434380423.22266.14.camel@willson.usersys.redhat.com>
Message-ID: <557EEF72.7010507@redhat.com>

On 06/15/2015 05:00 PM, Simo Sorce wrote:
> On Mon, 2015-06-15 at 16:48 +0200, Petr Vobornik wrote:
>> On 06/09/2015 02:02 PM, Jan Cholasta wrote:
>>> Dne 20.5.2015 v 11:26 Jan Cholasta napsal(a):
>>>> Dne 18.5.2015 v 10:33 thierry bordaz napsal(a):
>>>>> On 05/15/2015 04:44 PM, David Kupka wrote:
>>>>>> Hello Thierry,
>>>>>> thanks for the patch set. Overall functionality of ULC feature looks good to me and is definitely "alpha ready".
>>>>>>
>>>>>> I found following issues but don't insist on fixing it right now:
>>>>>>
>>>>>> 1) When stageuser-activate fails due to already existent active/deleted user. DN is shown instead of user name that's used in other commands (user-add, stageuser-add).
>>>>>> $ ipa user-add tuser --first Test --last User
>>>>>> $ ipa stageuser-add tuser --first Test --last User
>>>>>> $ ipa stageuser-activate tuser
>>>>>> ipa: ERROR: Active user uid=tuser,cn=users,cn=accounts,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com already exists
>>>>> Hi David, Jan,
>>>>>
>>>>> Thank you so much for all those tests and feedback. I agree, some minor bugs can be fixed separately from these main patches.
>>>>>
>>>>> You are right, it should return the user ID not the DN.
>>>>>
>>>>>> 2) According to the design there should be '--only-delete' and '--also-delete' options for user-find command instead there is '--preserved' option.
>>>>>> Honza proposed adding virtual boolean attribute 'deleted' to user entry and filter on it.
>>>>>> The 'deleted' attribute would be useful also in user-show where there is no way to tell if the displayed user is active or deleted. (Except running with --all and looking on the dn).
>>>>> Yes a bit late to resync the design.
>>>>> The final option is 'preserved' for user-find and 'preserve' for user-del. '--only-delete' or 'also-delete' are old names that I need to replace in the design.
>>>>>
>>>>> About the 'deleted' attribute, do you think adding a DS cos virtual attribute ?
>>>> See the attached patch.
>>> Can someone please review the patch?
>>>
>>>>>> 3) uidNumber and gidNumber can't be set back to '-1' once set to other value. This would be useful when admin changes its mind and wants IPA to assign them. IIUC, there should be no validation in cn=staged user container. All validation should be done during stageuser-activate.
>>>>> Yes that comes from user plugin that enforces the number to be >0. That is a good point giving the ability to reset uidNumber/gidNumber. I will check if it is possible, how (give a value or an option to reset), and also if it would not create other issue.
>>>>>> 4) Support for deleted -> stage workflow is still missing. But I'm unsure if we agreed to finish it now or later.
>>>>> Yes thanks
>>>>>> 5) Twice deleting user with '--preserve' deletes him permanently.
>>>>>> $ ipa user-add tuser --first Test --last User
>>>>>> $ ipa user-del tuser --preserve
>>>>>> $ ipa user-del tuser --preserve
>>>>>> $ ipa user-find --preserved
>>>>>> ------------------------
>>>>>> 0 (delete) users matched
>>>>>> ------------------------
>>>>>> ----------------------------
>>>>>> Number of entries returned 0
>>>>>> ----------------------------
>>>>> Deleting a deleted (preserved) entry, should permanently remove the entry.
>> +1, but no-op if default behavior is "preserve"
>>
>>>>> Now if the second time the preserve option is present, it makes sense to not delete it.
>> +1, should be no-op
>>
>>>> BTW: I might be stating the obvious here, but it would be better to use one boolean parameter rather than two mutually exclusive flags in user-del.
>>> I would like an opinion on this as well.
>>>
>> So the proposal is, e.g.,:
>>
>> Replace:
>> ipa user del fbar --preserve
>> ipa user del fbar --permanently
>> with:
>> ipa user del fbar --permanently=False
>> ipa user del fbar --permanently=True
>> and
>> ipa user del fbar
>> uses the default behavior (permanently atm.)
>>
>> I don't think there is a big difference. A boolean is easier for scripting. 2 options are more descriptive for humans. With a single boolean, I would be afraid that omitting it would imply False to some users which is not always the same as "the default behavior" [1].
>>
>> With Web UI developer hat I would vote for single boolean but as a CLI user I would like the current options.
>>
>> Given that Web UI or any other API client should not define CLI, I would keep the current options.
>>
>> my 2c
>>
>> [1] http://www.freeipa.org/page/V4/User_Life-Cycle_Management#Delete_User
>> -- 
>> Petr Vobornik
>>
> +1 --preserve is 100x better for a human than --permanently=False

I also prefer --preserve for usability of 'user del'. In addition we have 'user find|show --preserved' to retrieve users that have been preserved.
So it seems to me better that the action that preserved the user uses the option '--preserve' rather than '--permanently=False'.

>
> Simo.
>

From: mbabinsk at redhat.com (Martin Babinsky)
Date: Mon, 15 Jun 2015 18:38:09 +0200
Subject: [Freeipa-devel] [PATCH 0039] ipa-kdb: common function to get key encodings/salt types
In-Reply-To: <1432817709.19096.119.camel@willson.usersys.redhat.com>
References: <55670D65.5040904@redhat.com> <1432817709.19096.119.camel@willson.usersys.redhat.com>
Message-ID: <557EFF71.5000703@redhat.com>

On 05/28/2015 02:55 PM, Simo Sorce wrote:
> On Thu, 2015-05-28 at 14:43 +0200, Martin Babinsky wrote:
>> A small improvement upon simo's fix for
>> https://fedorahosted.org/freeipa/ticket/4914
>>
>> -- 
>> Martin^3 Babinsky
>
> LGTM.
>
> Simo.
>

Anyone else to review this patch? It also incidentally fixes a recently reported resource leak.

-- 
Martin^3 Babinsky

From: pvoborni at redhat.com (Petr Vobornik)
Date: Mon, 15 Jun 2015 19:27:46 +0200
Subject: [Freeipa-devel] [PATCH] 877 fix force-sync, re-initialize of replica and a check for replication agreement existence
Message-ID: <557F0B12.3050903@redhat.com>

in other words limit usage of `agreement_dn` method only to manipulation and search of agreements which are not managed by topology plugin. For other cases it is safer to search for the agreement.

https://fedorahosted.org/freeipa/ticket/5066

-- 
Petr Vobornik

[Attachment: freeipa-pvoborni-0877-fix-force-sync-re-initialize-of-replica-and-a-check-.patch (text/x-patch, 2992 bytes)]
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 15 Jun 2015 18:02:48 -0500
Subject: [Freeipa-devel] [PATCH] Password vault
In-Reply-To: <557E7D21.2040304@redhat.com>
References: <54E1AF55.3060409@redhat.com> <54EBEB55.6010306@redhat.com> <54F96B22.9050507@redhat.com> <55004D5D.6060300@redhat.com> <550FE5EB.1070606@redhat.com> <551E0AE1.8040500@redhat.com> <553498D1.1020901@redhat.com> <55651209.8020000@redhat.com> <556558AA.6040107@redhat.com> <556CF209.7050404@redhat.com> <556EF05E.90103@redhat.com> <55719260.8080300@redhat.com> <5571FD75.5010708@redhat.com> <557568CB.3040503@redhat.com> <557756EE.8020507@redhat.com> <5577D581.1020800@redhat.com> <557E7D21.2040304@redhat.com>
Message-ID: <557F5998.2000103@redhat.com>

On 6/15/2015 2:22 AM, Jan Cholasta wrote:
> I think it would be better to use a new attribute type which inherits
> from ipaPublicKey (ipaVaultPublicKey?) rather than ipaPublicKey directly
> for asymmetric vault public keys, so that asymmetric public key and
> escrow public key are on the same level and you can still use
> ipaPublicKey to refer to either one:
>
> ipaPublicKey
>   ipaVaultPublicKey
>   ipaEscrowPublicKey
>
> ( 2.16.840.1.113730.3.8.18.2.? NAME 'ipaVaultPublicKey' DESC
> 'Assymetric vault public key as DER-encoded SubjectPublicKeyInfo (RFC
> 5280)' SUP ipaPublicKey EQUALITY octetStringMatch SYNTAX
> 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.2' )
> ( 2.16.840.1.113730.3.8.18.2.3 NAME 'ipaEscrowPublicKey' DESC 'IPA
> escrow public key as DER-encoded SubjectPublicKeyInfo (RFC 5280)' SUP
> ipaPublicKey EQUALITY octetStringMatch SYNTAX
> 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.2' )

OK. To be consistent the parameters need to be renamed too: --vault-public-key and --vault-public-key-file.

>>> 1. The vault_add was split into a client-side vault_add and server-side
>>> vault_add_internal since the parameters are different (i.e. public
>>> key file and future escrow-related params). Since vault_add inherits
>>> from Local all non-primary-key attributes have to be added explicitly.
>
> The split is not really necessary, since the only difference is the
> public_key_file option, which exists only because of the lack of proper
> file support in the framework. This is a different situation from
> vault_{archive,retrieve}, which has two different sets of options on
> client and server side. Escrow adds only ipaescrowpublickey and
> escrow_public_key_file, right? If yes, we can safely keep the command in
> a single piece.

We know the vault-add will have at least two client-only parameters: vault_public_key_file and escrow_public_key_file. Keeping these parameters on the server API would be wrong and confusing. If the API is called on the server side with vault_public_key_file the operation will fail. In the previous discussion you considered this as broken API:

> Server API is used not only by the server itself, but also by installers
> for example. Anyway the point is that there *can't* be a broken API like
> this, you should at least raise an error if the command is called from
> server API, although actually separating it into client and server parts
> would be preferable.

Also, originally the vault was designed like this: when you create a symmetric vault you're supposed to specify the password as well, similar to adding a public key when creating an asymmetric vault. When you archive, you're supposed to enter the same password for verification, not a new password. So it would look like this:

$ ipa vault-add test --type symmetric
New password: ********
Verify password: ********

$ ipa vault-archive test --in secret1.txt
Password: ******** (same password)

$ ipa vault-archive test --in secret2.txt
Password: ******** (same password)

In the original design the vault-add would also archive a blank data, which later could be used to verify the password during vault-archive by decrypting the existing data first. There's also a plan to add a mechanism to change the password after the ACL patch.

In the current design the vault-add doesn't archive anything, so during vault-archive it cannot verify the password because there is nothing to decrypt. In other words you can specify different passwords on each archival, regardless of previous archivals:

$ ipa vault-add test --type symmetric

$ ipa vault-archive test --in secret1.txt
New password: ********
Verify password: ********

$ ipa vault-archive test --in secret2.txt
New password: ********
Verify password: ********

So basically here are the options:

1. Specify the crypto parameters once during vault creation, then reuse/verify the parameters on each archival & retrieval. You can change the parameters only with a special command.

2. Don't specify the crypto parameters during vault creation, but specify new parameters on each archival. For retrieval you'd have to use/verify the parameters specified in the last archival.

I think the first one makes more sense and is easier to use. That also means the vault-add will have additional client-only parameters such as --password and --password-file.

>>> 2. Since the vault_archive_internal inherits from Update, it accepts
>>> all non primary-key attributes automatically. This is incorrect since we
>>> don't want to update these parameters during archival. Can this behavior
>>> be overridden?
>
> Inherit from PKQuery instead (don't forget to add "has_output =
> output.standard_entry").

Previously you didn't want to use LDAPQuery because of semantics reasons. Is PKQuery fine semantically? Why not use LDAPQuery since vault is an LDAPObject? And to be consistent should vault_retrieve_internal inherit from the same class?

> BTW the correct solution would be to have a separate object and commands
> for vault data (e.g.
vaultdata object, vault_archive -> vaultdata_mod, > vault_retrieve -> vauldata_show), then we wouldn't have to deal with > mixing vault attributes with vault data and could use proper crud base > classes. -- Endi S. Dewata From mrniranjan at fedoraproject.org Tue Jun 16 05:44:26 2015 From: mrniranjan at fedoraproject.org (Niranjan) Date: Tue, 16 Jun 2015 11:14:26 +0530 Subject: [Freeipa-devel] [PATCH] Use Exception class instead of StandardError In-Reply-To: <20150609225910.GA6506@mniranja.pnq.redhat.com> References: <20150601043325.GA5783@mniranja.pnq.redhat.com> <20150602224416.GA4049@mniranja.pnq.redhat.com> <20150609225910.GA6506@mniranja.pnq.redhat.com> Message-ID: <20150616054426.GA5083@mniranja.pnq.redhat.com> Niranjan wrote: > Niranjan wrote: > Greetings, > > Please find the modified patch for ipapython/adminutil.py. > > I have run few tests manually like running ipa-server-install > as non-root user or provide --quiet and --verbose to see > if it raises ScriptError properly. > > Also i checked by running ipa-server-install and using CTRL-C > to break and see if the KeyboardInterrupt is properly caught. > > Please let me know your views on this. Could anyone have a look at the modified patch please. > > Regards > Niranjan > > > From aa74dad193a42b8d7ea1715391c461bcbad888b4 Mon Sep 17 00:00:00 2001 > From: Niranjan Mallapadi > Date: Wed, 10 Jun 2015 04:19:46 +0530 > Subject: [PATCH] Use Exception class instead of StandardError > > In except clause, use of "," is not recommended (PEP 3110) > > Signed-off-by: Niranjan Mallapadi > --- > ipapython/admintool.py | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/ipapython/admintool.py b/ipapython/admintool.py > index d55bd18499ac427db8adc0c04096bc2aabdc2bbd..5aa1c19bb70f9d9049130d1e2a253abb4b86677b 100644 > --- a/ipapython/admintool.py > +++ b/ipapython/admintool.py 
> @@ -32,7 +32,7 @@ from ipapython import config > from ipapython import ipa_log_manager > > > -class ScriptError(StandardError): > +class ScriptError(Exception): > """An exception that records an error message and a return value > """ > def __init__(self, msg='', rval=1): > @@ -169,7 +169,7 @@ class AdminTool(object): > self.ask_for_options() > self.setup_logging() > return_value = self.run() > - except BaseException, exception: > + except BaseException as exception: > traceback = sys.exc_info()[2] > error_message, return_value = self.handle_error(exception) > if return_value: > -- > 1.9.3 > > -- > Manage your subscription for the Freeipa-devel mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-devel > Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 311 bytes Desc: not available URL: From mbabinsk at redhat.com Tue Jun 16 08:14:32 2015 
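Review bot: in the first hunk, changing the base class of ScriptError from StandardError to Exception is transparent for callers that catch Exception, but any existing `except StandardError:` handler in the tree will silently stop catching ScriptError; grep for such handlers before merging, and mention the base-class change in the commit message, whose body currently only describes the PEP 3110 comma change.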
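Review bot: in the second hunk, `except BaseException as exception:` still catches SystemExit and KeyboardInterrupt, so those keep being routed through handle_error() and log_failure() exactly as before; only the comma syntax changed. If that is intended (the CTRL-C test in the cover note suggests it is), the subject "Use Exception class instead of StandardError" is misleading for this hunk; either narrow it to `except Exception as exception:` and give SystemExit its own deliberate handler, or state in the commit message that BaseException is kept on purpose.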
From: mbabinsk at redhat.com (Martin Babinsky) Date: Tue, 16 Jun 2015 10:14:32 +0200 Subject: [Freeipa-devel] [PATCHES 306-316] Automated migration tool from Winsync In-Reply-To: <5549CCE6.3010006@redhat.com> References: <54FD8369.10803@redhat.com> <54FF0F46.3010109@redhat.com> <55005D3C.5090304@redhat.com> <5540B23A.9060404@redhat.com> <5548B13B.60607@redhat.com> <5549CCE6.3010006@redhat.com> Message-ID: <557FDAE8.4000501@redhat.com> On 05/06/2015 10:12 AM, Tomas Babej wrote: > > > On 05/05/2015 02:02 PM, Tomas Babej wrote: >> >> >> On 04/29/2015 12:28 PM, Tomas Babej wrote: >>> >>> >>> On 03/11/2015 04:20 PM, Jan Cholasta wrote: >>>> Hi, >>>> >>>> Dne 10.3.2015 v 16:35 Tomas Babej napsal(a): >>>>> >>>>> On 03/09/2015 12:26 PM, Tomas Babej wrote: >>>>>> Hi, >>>>>> >>>>>> this couple of patches provides a initial implementation of the >>>>>> winsync migration tool: >>>>>> >>>>>> https://fedorahosted.org/freeipa/ticket/4524 >>>>>> >>>>>> Some parts could use some polishing, but this is a sound foundation. >>>>>> >>>>>> Tomas >>>>>> >>>>>> >>>>>> >>>>> >>>>> Attaching one more patch to the bundle. This one should make the >>>>> winsync >>>>> tool readily available after install. >>>>> >>>>> Tomas >>>>> >>>>> >>>> >>>> Nitpicks: >>>> >>>> The winsync_migrate module should be in ipaserver.install. Also I >>>> don't see why it has to be a package when there is just one short >>>> file in it. >>>> >>>> By convention, the AdminTool subclass should be named >>>> WinsyncMigrate, or the tool should be named ipa-migrate-winsync. >>>> >>>> Honza >>>> >>> >>> Updated patches attached. >>> >>> Tomas >> >> Rebased patches with cleaned membership bits. >> >> Tomas > > I did some self-review, updated patches attached. > > Hi Tomas, patches look good and seem to work as expected. I have some comments: 1.) 
When running the tool I get a number of warnings about users not found (https://paste.fedoraproject.org/232251/43884831/), but in the end everything seems to be fine and users are migrated in the external groups just fine. Is this behavior normal?

2.) Since both "--realm" and "--server" options are mandatory, I was thinking if it would be better to use positional arguments, since you always have to specify them. What are your thoughts on this?

3.) Patches 317-318 seem to just rename/move things and could be squashed in the previous ones. But that is just a minor thing and I leave that to your discretion.

4.) After all the renaming and moving around the WinsyncMigrate class (see previous point) there is an unused file "ipaserver/winsync_migrate/__init__.py" left. You should remove it in some patch (e.g. in patch 318 if you decide to keep it).

5.) Option "--log-file" seems to be broken. When specified on CLI the log is created but empty, the program prints out nothing and then exits without doing anything. However, I suspect that this is AdminTool's problem, not yours.

--
Martin^3 Babinsky

From mkubik at redhat.com Tue Jun 16 08:35:09 2015
From: mkubik at redhat.com (Milan Kubik)
Date: Tue, 16 Jun 2015 10:35:09 +0200
Subject: [Freeipa-devel] [PATCH 0040] generalize certificate creation during testing
In-Reply-To: <5576CA9F.6020309@redhat.com>
References: <5576CA9F.6020309@redhat.com>
Message-ID: <557FDFBD.2020908@redhat.com>

On 06/09/2015 01:14 PM, Martin Babinsky wrote:
> A slight hack to ipatests/test_xmlrpc/testcert.py module in order to
> enable generation of multiple host/service/user certificates.
>
> It should make writing tests for new CA profile/sub-CA/user
> certificate functionality easier.
>

Hi,

looks good to me, ACK.

Milan

From lkrispen at redhat.com Tue Jun 16 09:41:12 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Tue, 16 Jun 2015 11:41:12 +0200
Subject: [Freeipa-devel] [PATCH 0014] correct handling of one directional segments
Message-ID: <557FEF38.9000700@redhat.com>

this patch addresses issues in checking existing segments for one directional segments and correctly handles the merging of segments, so that all agreements will be removed when the merged segment is deleted

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-lkrispen-0014-correct-management-of-one-directional-segments.patch
Type: text/x-patch
Size: 19873 bytes
Desc: not available
URL:

From lkrispen at redhat.com Tue Jun 16 09:42:09 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Tue, 16 Jun 2015 11:42:09 +0200
Subject: [Freeipa-devel] [PATCH 0015] fix coverity issues
Message-ID: <557FEF71.30204@redhat.com>

This patch addresses coverity issues 13290 and 13291

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-lkrispen-0015-fix-coverity-issues.patch
Type: text/x-patch
Size: 2028 bytes
Desc: not available
URL:

From jcholast at redhat.com Tue Jun 16 11:01:01 2015
From: jcholast at redhat.com (Jan Cholasta) Date: Tue, 16 Jun 2015 13:01:01 +0200 Subject: [Freeipa-devel] [PATCHES 306-316] Automated migration tool from Winsync In-Reply-To: <557FDAE8.4000501@redhat.com> References: <54FD8369.10803@redhat.com> <54FF0F46.3010109@redhat.com> <55005D3C.5090304@redhat.com> <5540B23A.9060404@redhat.com> <5548B13B.60607@redhat.com> <5549CCE6.3010006@redhat.com> <557FDAE8.4000501@redhat.com> Message-ID: <558001ED.6070206@redhat.com> Dne 16.6.2015 v 10:14 Martin Babinsky napsal(a): > On 05/06/2015 10:12 AM, Tomas Babej wrote: >> >> >> On 05/05/2015 02:02 PM, Tomas Babej wrote: >>> >>> >>> On 04/29/2015 12:28 PM, Tomas Babej wrote: >>>> >>>> >>>> On 03/11/2015 04:20 PM, Jan Cholasta wrote: >>>>> Hi, >>>>> >>>>> Dne 10.3.2015 v 16:35 Tomas Babej napsal(a): >>>>>> >>>>>> On 03/09/2015 12:26 PM, Tomas Babej wrote: >>>>>>> Hi, >>>>>>> >>>>>>> this couple of patches provides a initial implementation of the >>>>>>> winsync migration tool: >>>>>>> >>>>>>> https://fedorahosted.org/freeipa/ticket/4524 >>>>>>> >>>>>>> Some parts could use some polishing, but this is a sound foundation. >>>>>>> >>>>>>> Tomas >>>>>>> >>>>>>> >>>>>>> >>>>>> >>>>>> Attaching one more patch to the bundle. This one should make the >>>>>> winsync >>>>>> tool readily available after install. >>>>>> >>>>>> Tomas >>>>>> >>>>>> >>>>> >>>>> Nitpicks: >>>>> >>>>> The winsync_migrate module should be in ipaserver.install. Also I >>>>> don't see why it has to be a package when there is just one short >>>>> file in it. >>>>> >>>>> By convention, the AdminTool subclass should be named >>>>> WinsyncMigrate, or the tool should be named ipa-migrate-winsync. >>>>> >>>>> Honza >>>>> >>>> >>>> Updated patches attached. >>>> >>>> Tomas >>> >>> Rebased patches with cleaned membership bits. >>> >>> Tomas >> >> I did some self-review, updated patches attached. >> >> > Hi Tomas, > > patches look good and seem to work as expected. I have some comments: > > 1.) 
When running the tool I get a number of warnings about users not
> found (https://paste.fedoraproject.org/232251/43884831/), but in the end
> everything seems to be fine and users are migrated in the external
> groups just fine. Is this behavior normal?
>
> 2.) Since both "--realm" and "--server" options are mandatory, I was
> thinking if it would be better to use positional arguments, since you
> always have to specify them. What are your thoughts on this?

I would rather stay consistent with ipa-server-install and friends and keep them as options.

>
> 3.) Patches 317-318 seem to just rename/move things and could be
> squashed in the previous ones. But that is just a minor thing and I
> leave that to your discretion.
>
> 4.) After all the renaming and moving around the WinsyncMigrate class
> (see previous point) there is an unused file
> "ipaserver/winsync_migrate/__init__.py" left. You should remove it in
> some patch (e.g. in patch 318 if you decide to keep it).

Also please rename the class to "MigrateWinsync", for consistency.

>
> 5.) Option "--log-file" seems to be broken. When specified on CLI the
> log is created but empty, the program prints out nothing and then exits
> without doing anything. However, I suspect that this is AdminTool's
> problem, not yours.
>

--
Jan Cholasta

From mbasti at redhat.com Tue Jun 16 13:40:47 2015
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 16 Jun 2015 15:40:47 +0200
Subject: [Freeipa-devel] [PATCHES 0252-0253] DNSSEC: allow to move DNSSEC key master to another IPA server
In-Reply-To: <55717FD9.6010002@redhat.com>
References: <555CAFAC.2050803@redhat.com> <55717FD9.6010002@redhat.com>
Message-ID: <5580275F.1000106@redhat.com>

On 05/06/15 12:54, Petr Spacek wrote:
> On 20.5.2015 18:00, Martin Basti wrote:
>> This patch allows to disable DNSSEC key master on IPA server, or replace
>> current DNSSEC key master with another IPA server.
>>
>> Only for master branch.
>>
>> https://fedorahosted.org/freeipa/ticket/4657
>>
>> Patches attached.
> NACK. This happens on DNSSEC key master:
> $ ipa-dns-install --disable-dnssec-master
>
> Do you want to disable current DNSSEC key master? [no]: yes
> Unexpected error - see /var/log/ipaserver-install.log for details:
> TypeError: sequence item 0: expected string, DNSName found
>
> 2015-06-05T10:52:35Z DEBUG File
> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line
> 733, in run_script
> return_value = main_function()
>
> File "/sbin/ipa-dns-install", line 128, in main
> dns_installer.disable_dnssec_master(options.unattended)
>
> File "/usr/lib/python2.7/site-packages/ipaserver/install/dns.py", line 112,
> in disable_dnssec_master
> ", ".join(dnssec_zones))
>
> 2015-06-05T10:52:35Z DEBUG The ipa-dns-install command failed, exception:
> TypeError: sequence item 0: expected string, DNSName found
>

Updated patches attached. Due to new installers, more changes were required.

--
Martin Basti

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0252.2-DNSSEC-allow-to-disable-replace-DNSSEC-key-master.patch
Type: text/x-patch
Size: 27477 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0253.2-DNSSEC-update-message.patch
Type: text/x-patch
Size: 1032 bytes
Desc: not available
URL:

From simo at redhat.com Tue Jun 16 14:04:32 2015
From: simo at redhat.com (Simo Sorce)
Date: Tue, 16 Jun 2015 10:04:32 -0400
Subject: [Freeipa-devel] [PATCH 0264] Server Upgrade: disconnect ldap2 connection before DS restart
In-Reply-To: <557823B7.3070205@redhat.com>
References: <557823B7.3070205@redhat.com>
Message-ID: <1434463472.2716.11.camel@willson.usersys.redhat.com>

On Wed, 2015-06-10 at 13:47 +0200, Martin Basti wrote:
> Without this patch, upgrade may fail when api.Backend.ldap2 was
> connected before DS restart.
>
> Patch attached.
>

although this patch is fine as is, I wonder why it is needed. I would argue that ldap2 should be able to reconnect on its own if the connection is broken, where am I wrong?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ofayans at redhat.com Tue Jun 16 14:49:11 2015
From: ofayans at redhat.com (Oleg Fayans)
Date: Tue, 16 Jun 2015 16:49:11 +0200
Subject: [Freeipa-devel] user deletion in offline mode does not get replicated after node recovery
Message-ID: <55803767.5080906@redhat.com>

Hi all,

I've bumped into a strange problem: only a part of the changes implemented on master during a replica outage get replicated after replica recovery.

Namely: when I delete an existing user on the master while the node is offline, these changes do not get to the node when it's back online. User creation, however, gets replicated as expected.

Steps to reproduce:

1. Create the following topology:

replica1 <-> master <-> replica2 <-> replica3

2. Create user1 on master, make sure it appears on all replicas
3. Turn off replica2
4. On master delete user1 and create user2, make sure the changes get replicated to replica1
5. Turn on replica2

Expected results:

A minute or so after replica2 is back up,
1. user1 does not exist on replica2 or on replica3
2. user2 exists on both replica2 and replica3

Actual results:
1. user1 coexists with user2 on replica2 and replica3
2. master and replica1 have only user2

In my case, though, the topology was as follows:

$ ipa topologysegment-find realm
------------------
3 segments matched
------------------
Segment name: f22master.bagam.net-to-f22replica3.bagam.net
Left node: f22master.bagam.net
Right node: f22replica3.bagam.net
Connectivity: both

Segment name: replica1-to-replica2
Left node: f22replica1.bagam.net
Right node: f22replica2.bagam.net
Connectivity: both

Segment name: replica2-to-master
Left node: f22replica2.bagam.net
Right node: f22master.bagam.net
Connectivity: both
----------------------------
Number of entries returned 3
----------------------------

And I was turning off replica2, leaving replica1 offline, but that does not really matter.

The dirsrv error message most likely to be relevant is:
-----------------------------------------------------------------------------------------------------------------------------------------------------
Consumer failed to replay change (uniqueid b8242e18-143111e5-b1d0d0c3-ae5854ff, CSN 55802fcf000300040000): Operations error (1). Will retry later
-----------------------------------------------------------------------------------------------------------------------------------------------------

I attach dirsrv error and access logs from all nodes, in case they could be useful

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: segment_synchronization.tar.gz
Type: application/gzip
Size: 423288 bytes
Desc: not available
URL:

From redhatrises at gmail.com Tue Jun 16 14:58:14 2015
From: redhatrises at gmail.com (Gabe Alford)
Date: Tue, 16 Jun 2015 08:58:14 -0600
Subject: [Freeipa-devel] [PATCH 0050] Fix client ca.crt to match the server's cert
In-Reply-To:
References:
Message-ID:

I know you guys are busy. Bump for review.

Thanks,

Gabe

On Tue, May 26, 2015 at 8:16 AM, Gabe Alford wrote:
> Hello,
>
> Fix for https://fedorahosted.org/freeipa/ticket/3809
>
> Thanks,
>
> Gabe
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From mkosek at redhat.com Tue Jun 16 15:10:00 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 16 Jun 2015 17:10:00 +0200
Subject: [Freeipa-devel] FreeIPA 4.2 Alpha preparations
In-Reply-To: <557AA7AF.1070903@redhat.com>
References: <557AA7AF.1070903@redhat.com>
Message-ID: <55803C48.8010301@redhat.com>

On 06/12/2015 11:34 AM, Martin Kosek wrote:
> Hello all,
>
> As discussed in the last 2 weeks, we are getting close to the 4.2 finish line
> and releasing FreeIPA 4.2 Alpha 1. We already have most of the major RFEs
> complete, some still miss some partial functionality, but most are testable and
> in Alpha state already.
>
> We need to now find out what is blocking us from releasing the Alpha. I know
> only about 2 issues:
>
> - ipa-replica-manage del does not work well with the Topology plugin yet - Petr
> Vobornik and Ludwig are working on it
> - ipa-replica-prepare had some issues after upgrade from 4.1.x to 4.2.0 due to
> inaccessible certificate profiles - Jan, Martin2, Fraser was investigating
>
> Is that correct? Feature owners, please let me know if any of the major features
> regressed and is not working properly, maybe by other patch sets being merged.
>
> When the blockers are resolved or documented, we should release the beast. Any
> volunteer for the release process?
>
> Finally, I put together a release note draft for the Alpha, please help me
> completing and updating it:
>
> http://www.freeipa.org/page/Releases/4.2.0.alpha1
>
> Thanks everyone!
>

I saw many fixes in Topology, that's good. I heard that pki-core 10.2.4 broke us, but I could not reproduce it today with a fully updated F22 machine and I was able to install FreeIPA 4.2.git

If this is the case, can we just release the Alpha?

From tbordaz at redhat.com Tue Jun 16 15:17:19 2015
From: tbordaz at redhat.com (thierry bordaz)
Date: Tue, 16 Jun 2015 17:17:19 +0200
Subject: [Freeipa-devel] [PATCH 0014] correct handling of one directional segments
In-Reply-To: <557FEF38.9000700@redhat.com>
References: <557FEF38.9000700@redhat.com>
Message-ID: <55803DFF.7040805@redhat.com>

On 06/16/2015 11:41 AM, Ludwig Krispenz wrote:
> this patch addresses issues in checking existing segments for one
> directional segments and correctly handles the merging of segments, so
> that all agreements will be removed when the merged segment is deleted
>
>

This is looking good to me with a few comments

* in ipa_topo_cfg_replica_segment_find, if 'dir=0' or 'dir=bidirectional' the reverse direction is bidirectional. Is it the expected result?

* in ipa_topo_check_segment_is_valid and ipa_topo_util_find_segment, maybe harden leftnode, rightnode, dir if they are NULL (if the entry violates schema).

* ipa_topo_util_segm_dir: if direction does not match any of the strings, it returns -1. 0 would be better if we decide to test bit mask.

* in ipa_topo_util_segment_update:810, ex_segm is a right_left segment. Why try to call ipa_topo_cfg_agmt_dup with ex_segm->left in priority? Why not ex_segm->right first?

* in ipa_topo_util_delete_segments_for_host, if segment localhost->delhost is bidirectional, how can a reverse segment delhost->localhost exist? I thought those segments had been merged?

Thanks
thierry

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From ftweedal at redhat.com Tue Jun 16 15:29:44 2015
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Wed, 17 Jun 2015 01:29:44 +1000
Subject: [Freeipa-devel] FreeIPA 4.2 Alpha preparations
In-Reply-To: <55803C48.8010301@redhat.com>
References: <557AA7AF.1070903@redhat.com> <55803C48.8010301@redhat.com>
Message-ID: <20150616152944.GH29330@dhcp-40-8.bne.redhat.com>

On Tue, Jun 16, 2015 at 05:10:00PM +0200, Martin Kosek wrote:
> On 06/12/2015 11:34 AM, Martin Kosek wrote:
> > Hello all,
> >
> > As discussed in the last 2 weeks, we are getting close to the 4.2 finish line
> > and releasing FreeIPA 4.2 Alpha 1. We already have most of the major RFEs
> > complete, some still miss some partial functionality, but most are testable and
> > in Alpha state already.
> >
> > We need to now find out what is blocking us from releasing the Alpha. I know
> > only about 2 issues:
> >
> > - ipa-replica-manage del does not work well with the Topology plugin yet - Petr
> > Vobornik and Ludwig are working on it
> > - ipa-replica-prepare had some issues after upgrade from 4.1.x to 4.2.0 due to
> > inaccessible certificate profiles - Jan, Martin2, Fraser was investigating
> >
> > Is that correct? Feature owners, please let me know if any of the major features
> > regressed and is not working properly, maybe by other patch sets being merged.
> >
> > When the blockers are resolved or documented, we should release the beast. Any
> > volunteer for the release process?
> >
> > Finally, I put together a release note draft for the Alpha, please help me
> > completing and updating it:
> >
> > http://www.freeipa.org/page/Releases/4.2.0.alpha1
> >
> > Thanks everyone!
> >
>
> I saw many fixes in Topology, that's good. I heard that pki-core 10.2.4 broke
> us, but I could not reproduce it today with a fully updated F22 machine and I was
> able to install FreeIPA 4.2.git
>
> If this is the case, can we just release the Alpha?

There are still some big brokens for upgrades. The fixes for pki are merged but there is no release yet.

I am only aware of one reported issue for new installations: ipa-replica-prepare failing when run on a replica (I haven't gotten to investigating this one yet).

From lkrispen at redhat.com Tue Jun 16 15:33:52 2015
From: lkrispen at redhat.com (Ludwig Krispenz) Date: Tue, 16 Jun 2015 17:33:52 +0200 Subject: [Freeipa-devel] user deletion in offline mode does not get replicated after node recovery In-Reply-To: <55803767.5080906@redhat.com> References: <55803767.5080906@redhat.com> Message-ID: <558041E0.5030901@redhat.com> Hi Oleg, the problem seems to be on replica2, when it logs this error: [16/Jun/2015:10:18:34 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: retry (49) the transaction (csn=55802fcf000300040000) failed (rc=-30993 (BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock)) [16/Jun/2015:10:18:34 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: failed to write entry with csn (55802fcf000300040000); db error - -30993 BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock [16/Jun/2015:10:18:34 -0400] NSMMReplicationPlugin - write_changelog_and_ruv: can't add a change for uid=onmaster,cn=users,cn=accounts,dc=bagam,dc=net (uniqid: b8242e18-143111e5-b1d0d0c3-ae5854ff, optype: 32) to changelog csn 55802fcf000300040000 [16/Jun/2015:10:18:34 -0400] - SLAPI_PLUGIN_BE_TXN_POST_DELETE_FN plugin returned error code but did not set SLAPI_RESULT_CODE but replication seems to continue and not to repeat this: [16/Jun/2015:10:18:27 -0400] conn=8 op=6 DEL dn="uid=onmaster,cn=users,cn=accounts,dc=bagam,dc=net" [16/Jun/2015:10:18:35 -0400] conn=8 op=6 RESULT err=1 tag=107 nentries=0 etime=8 csn=55802fcf000300040000 [16/Jun/2015:10:18:35 -0400] conn=8 op=7 MOD dn="cn=ipausers,cn=groups,cn=accounts,dc=bagam,dc=net" [16/Jun/2015:10:18:36 -0400] conn=8 op=7 RESULT err=0 tag=103 nentries=0 etime=1 csn=55802fcf000400040000 [16/Jun/2015:10:18:36 -0400] conn=8 op=8 DEL dn="cn=onmaster,cn=groups,cn=accounts,dc=bagam,dc=net" [16/Jun/2015:10:18:37 -0400] conn=8 op=8 RESULT err=0 tag=107 nentries=0 etime=1 csn=55802fcf000700040000 [16/Jun/2015:10:18:37 -0400] conn=8 op=9 MOD dn="cn=ipausers,cn=groups,cn=accounts,dc=bagam,dc=net" 
[16/Jun/2015:10:18:37 -0400] conn=8 op=9 RESULT err=0 tag=103 nentries=0 etime=0 csn=55802fd0000000060000 I don't see why there is a deadlock ? Is it reproducable every time ? On 06/16/2015 04:49 PM, Oleg Fayans wrote: > Hi all, > > I've bumped into a strange problem with only a part of changes > implemented on master during replica outage get replicated after > replica recovery. > > Namely: when I delete an existing user on the master while the node is > offline, these changes do not get to the node when it's back online. > User creation, however, gets replicated as expected. > > Steps to reproduce: > > 1. Create the following tolopogy: > > replica1 <-> master <-> replica2 <-> replica3 > > 2. Create user1 on master, make sure it appears on all replicas > 3. Turn off replica2 > 4. On master delete user1 and create user2, make sure the changes get > replicated to replica1 > 5. Turn on replica2 > > Expected results: > > A minute or so after repica2 is back up, > 1. user1 does not exist neither on replica2 nor on replica3 > 2. user2 exists both on replica2 and replica3 > > Actual results: > 1. user1 coexist with user2 on replica2 and replica3 > 2. master and replica1 have only user2 > > > In my case, though, the topology was as follows: > $ ipa topologysegment-find realm > ------------------ > 3 segments matched > ------------------ > Segment name: f22master.bagam.net-to-f22replica3.bagam.net > Left node: f22master.bagam.net > Right node: f22replica3.bagam.net > Connectivity: both > > Segment name: replica1-to-replica2 > Left node: f22replica1.bagam.net > Right node: f22replica2.bagam.net > Connectivity: both > > Segment name: replica2-to-master > Left node: f22replica2.bagam.net > Right node: f22master.bagam.net > Connectivity: both > ---------------------------- > Number of entries returned 3 > ---------------------------- > And I was turning off replica2, leaving replica1 offline, but that > does not really matter. 
>
> The dirsrv error message, most likely to be relevant is:
> -----------------------------------------------------------------------------------------------------------------------------------------------------
>
> Consumer failed to replay change (uniqueid
> b8242e18-143111e5-b1d0d0c3-ae5854ff, CSN 55802fcf000300040000):
> Operations error (1). Will retry later
> -----------------------------------------------------------------------------------------------------------------------------------------------------
>
>
> I attach dirsrv error and access logs from all nodes, in case they
> could be useful
>

From mbabinsk at redhat.com Tue Jun 16 16:03:12 2015
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Tue, 16 Jun 2015 18:03:12 +0200
Subject: [Freeipa-devel] [PATCH 0041] add DS index for userCertificate attribute
Message-ID: <558048C0.4070002@redhat.com>

Related to http://www.freeipa.org/page/V4/User_Certificates and https://fedorahosted.org/freeipa/ticket/4238

-- 
Martin^3 Babinsky

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0041-add-DS-index-for-userCertificate-attribute.patch
Type: text/x-patch
Size: 1751 bytes
Desc: not available

From ftweedal at redhat.com Tue Jun 16 16:39:21 2015
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Wed, 17 Jun 2015 02:39:21 +1000
Subject: [Freeipa-devel] update on freeipa 4.2 pki issues
Message-ID: <20150616163921.GI29330@dhcp-40-8.bne.redhat.com>

I fixed several issues which broke Dogtag upgrades involving
particular versions; these will be in the next release.

I haven't yet gotten to the reported failure running
ipa-replica-upgrade on a replica (but I haven't forgotten about it
either.) This is the only issue affecting *fresh installs* that I
am aware of. If you know of others please let me know!

The remaining Dogtag-related upgrade problem is caused by new DS
schema on the Dogtag side, which is used for LDAP-based profiles.
There is not yet an automatic schema upgrade facility for Dogtag, so
the new schema was missing.

The planned approach is:

- Either Dogtag or FreeIPA will add the new CS schema on upgrade.
  (Eventually Dogtag will need to manage its own schema updates but
  right now there is no facility, and the new schema is only used by
  IPA.)

- Migrate file-based profiles into LDAP during IPA upgrade. But for
  this to work, I need to make sure that if new schema is added,
  then entries that use the new schema, replication to instances
  that did not yet have the new schema will not break. Anyone who
  knows LDAP better than me, please share your knowledge!

- If my assumptions about replication are wrong, the best approach
  will probably be to have the administrator perform profile
  migration (via a script) as a later task, after all replicas have
  been upgraded.

Thanks,
Fraser

From tbordaz at redhat.com Tue Jun 16 17:02:02 2015
From: tbordaz at redhat.com (thierry bordaz)
Date: Tue, 16 Jun 2015 19:02:02 +0200
Subject: [Freeipa-devel] user deletion in offline mode does not get replicated after node recovery
In-Reply-To: <55803767.5080906@redhat.com>
References: <55803767.5080906@redhat.com>
Message-ID: <5580568A.2000404@redhat.com>

Hello

On Master: User 'onmaster' was deleted

[16/Jun/2015:10:16:45 -0400] conn=402 op=19 SRCH base="cn=otp,dc=bagam,dc=net" scope=1 filter="(&(objectClass=ipatoken)(ipatokenOwner=uid=onmaster,cn=users,cn=accounts,dc=bagam,dc=net))" attrs="ipatokenNotAfter description ipatokenOwner objectClass ipatokenDisabled ipatokenVendor managedBy ipatokenModel ipatokenNotBefore ipatokenUniqueID ipatokenSerial"
[16/Jun/2015:10:16:45 -0400] conn=402 op=19 RESULT err=0 tag=101 nentries=0 etime=0
[16/Jun/2015:10:16:45 -0400] conn=402 op=20 DEL dn="uid=onmaster,cn=users,cn=accounts,dc=bagam,dc=net"
[16/Jun/2015:10:16:45 -0400] conn=402 op=21 UNBIND
[16/Jun/2015:10:16:45 -0400] conn=402 op=21 fd=120 closed - U1
[16/Jun/2015:10:16:45 -0400] conn=402 op=20 RESULT err=0 tag=107 nentries=0 etime=0 csn=55802fcf000300040000

Replication agreement failed to replicate it to the replica2

[16/Jun/2015:10:18:36 -0400] NSMMReplicationPlugin - agmt="cn=f22master.bagam.net-to-f22replica2.bagam.net" (f22replica2:389): Consumer failed to replay change (uniqueid b8242e18-143111e5-b1d0d0c3-ae5854ff, CSN 55802fcf000300040000): Operations error (1). Will retry later.

On replica2: The replicated operation failed

[16/Jun/2015:10:18:27 -0400] conn=8 op=4 RESULT err=0 tag=101 nentries=1 etime=0
[16/Jun/2015:10:18:27 -0400] conn=8 op=5 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[16/Jun/2015:10:18:27 -0400] conn=8 op=5 RESULT err=0 tag=120 nentries=0 etime=0
[16/Jun/2015:10:18:27 -0400] conn=8 op=6 DEL dn="uid=onmaster,cn=users,cn=accounts,dc=bagam,dc=net"
[16/Jun/2015:10:18:35 -0400] conn=8 op=6 RESULT err=1 tag=107 nentries=0 etime=8 csn=55802fcf000300040000

because of DB failures to update. The failures were E_AGAIN or E_DB_DEADLOCK.
In such situation, DS retries after a small delay. The problem is that it retried 50 times without success.

[16/Jun/2015:10:18:34 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: retry (49) the transaction (csn=55802fcf000300040000) failed (rc=-30993 (BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock))
[16/Jun/2015:10:18:34 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: failed to write entry with csn (55802fcf000300040000); db error - -30993 BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock
[16/Jun/2015:10:18:34 -0400] NSMMReplicationPlugin - write_changelog_and_ruv: can't add a change for uid=onmaster,cn=users,cn=accounts,dc=bagam,dc=net (uniqid: b8242e18-143111e5-b1d0d0c3-ae5854ff, optype: 32) to changelog csn 55802fcf000300040000
[16/Jun/2015:10:18:34 -0400] - SLAPI_PLUGIN_BE_TXN_POST_DELETE_FN plugin returned error code but did not set SLAPI_RESULT_CODE

The MAIN issue here is that replica2 successfully applied other updates after 55802fcf000300040000 from the same replica (e.g. csn=55802fcf000400040000).
I do not know if master was able to detect this failure and to replay this update, but I am afraid it did not!!

It is looking like you hit https://fedorahosted.org/389/ticket/47788

Is it possible to access your VM?
[16/Jun/2015:10:18:27 -0400] conn=8 op=6 DEL dn="uid=onmaster,cn=users,cn=accounts,dc=bagam,dc=net"
[16/Jun/2015:10:18:35 -0400] conn=8 op=6 RESULT err=1 tag=107 nentries=0 etime=8 csn=55802fcf000300040000
[16/Jun/2015:10:18:35 -0400] conn=8 op=7 MOD dn="cn=ipausers,cn=groups,cn=accounts,dc=bagam,dc=net"
[16/Jun/2015:10:18:36 -0400] conn=8 op=7 RESULT err=0 tag=103 nentries=0 etime=1 csn=55802fcf000400040000
[16/Jun/2015:10:18:36 -0400] conn=8 op=8 DEL dn="cn=onmaster,cn=groups,cn=accounts,dc=bagam,dc=net"
[16/Jun/2015:10:18:37 -0400] conn=8 op=8 RESULT err=0 tag=107 nentries=0 etime=1 csn=55802fcf000700040000
[16/Jun/2015:10:18:37 -0400] conn=8 op=9 MOD dn="cn=ipausers,cn=groups,cn=accounts,dc=bagam,dc=net"
[16/Jun/2015:10:18:37 -0400] conn=8 op=9 RESULT err=0 tag=103 nentries=0 etime=0 csn=55802fd0000000060000

On 06/16/2015 04:49 PM, Oleg Fayans wrote:
> Hi all,
>
> I've bumped into a strange problem with only a part of changes
> implemented on master during replica outage get replicated after
> replica recovery.
>
> Namely: when I delete an existing user on the master while the node is
> offline, these changes do not get to the node when it's back online.
> User creation, however, gets replicated as expected.
>
> Steps to reproduce:
>
> 1. Create the following topology:
>
> replica1 <-> master <-> replica2 <-> replica3
>
> 2. Create user1 on master, make sure it appears on all replicas
> 3. Turn off replica2
> 4. On master delete user1 and create user2, make sure the changes get
> replicated to replica1
> 5. Turn on replica2
>
> Expected results:
>
> A minute or so after replica2 is back up,
> 1. user1 does not exist on either replica2 or replica3
> 2. user2 exists both on replica2 and replica3
>
> Actual results:
> 1. user1 coexists with user2 on replica2 and replica3
> 2. master and replica1 have only user2
>
>
> In my case, though, the topology was as follows:
> $ ipa topologysegment-find realm
> ------------------
> 3 segments matched
> ------------------
> Segment name: f22master.bagam.net-to-f22replica3.bagam.net
> Left node: f22master.bagam.net
> Right node: f22replica3.bagam.net
> Connectivity: both
>
> Segment name: replica1-to-replica2
> Left node: f22replica1.bagam.net
> Right node: f22replica2.bagam.net
> Connectivity: both
>
> Segment name: replica2-to-master
> Left node: f22replica2.bagam.net
> Right node: f22master.bagam.net
> Connectivity: both
> ----------------------------
> Number of entries returned 3
> ----------------------------
> And I was turning off replica2, leaving replica1 offline, but that
> does not really matter.
>
> The dirsrv error message, most likely to be relevant is:
> -----------------------------------------------------------------------------------------------------------------------------------------------------
>
> Consumer failed to replay change (uniqueid
> b8242e18-143111e5-b1d0d0c3-ae5854ff, CSN 55802fcf000300040000):
> Operations error (1). Will retry later
> -----------------------------------------------------------------------------------------------------------------------------------------------------
>
>
> I attach dirsrv error and access logs from all nodes, in case they
> could be useful
>

From derny at redhat.com Tue Jun 16 18:29:40 2015
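The failure mode Ludwig and Thierry describe above, a replicated DEL that ends with err=1 after the changelog write deadlocks while newer CSNs from the same supplier replica are still applied, so the consumer's RUV moves past the lost change, can be recognised from the consumer's access log alone. The script below is an added example written for this archive, not 389-ds or FreeIPA code. The log lines it parses are constructed from the replica2 excerpts quoted in this thread, and it assumes the 389-ds CSN layout (8 hex digits of timestamp, 4 of sequence number, 4 of replica id, 4 of sub-sequence), which is what lets it group operations by originating replica and order them.

```python
"""Detect replicated changes a 389-ds consumer has skipped.

Added example for this thread, not 389-ds/FreeIPA code.  A replicated
operation that finishes with err != 0 but is followed by a successfully
applied, newer CSN from the same replica id is a change the consumer's
RUV has moved past: the supplier will treat it as delivered and not
resend it.
"""
import re
from collections import defaultdict

# Sample lines constructed from the replica2 access log quoted in the thread.
SAMPLE_ACCESS_LOG = """\
[16/Jun/2015:10:18:27 -0400] conn=8 op=5 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[16/Jun/2015:10:18:27 -0400] conn=8 op=5 RESULT err=0 tag=120 nentries=0 etime=0
[16/Jun/2015:10:18:27 -0400] conn=8 op=6 DEL dn="uid=onmaster,cn=users,cn=accounts,dc=bagam,dc=net"
[16/Jun/2015:10:18:35 -0400] conn=8 op=6 RESULT err=1 tag=107 nentries=0 etime=8 csn=55802fcf000300040000
[16/Jun/2015:10:18:35 -0400] conn=8 op=7 MOD dn="cn=ipausers,cn=groups,cn=accounts,dc=bagam,dc=net"
[16/Jun/2015:10:18:36 -0400] conn=8 op=7 RESULT err=0 tag=103 nentries=0 etime=1 csn=55802fcf000400040000
[16/Jun/2015:10:18:36 -0400] conn=8 op=8 DEL dn="cn=onmaster,cn=groups,cn=accounts,dc=bagam,dc=net"
[16/Jun/2015:10:18:37 -0400] conn=8 op=8 RESULT err=0 tag=107 nentries=0 etime=1 csn=55802fcf000700040000
[16/Jun/2015:10:18:37 -0400] conn=8 op=9 MOD dn="cn=ipausers,cn=groups,cn=accounts,dc=bagam,dc=net"
[16/Jun/2015:10:18:37 -0400] conn=8 op=9 RESULT err=0 tag=103 nentries=0 etime=0 csn=55802fd0000000060000
"""

# Only RESULT lines that carry a csn= are replicated (or replicable) operations.
RESULT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+)"
    r".*\bcsn=(?P<csn>[0-9a-fA-F]{20})\b"
)


def parse_csn(csn):
    """Split a CSN into (timestamp, seqnum, replica_id, subseq) as ints.

    Tuples compare in the order 389-ds orders CSNs, so a > b means a is newer.
    """
    return (int(csn[0:8], 16), int(csn[8:12], 16),
            int(csn[12:16], 16), int(csn[16:20], 16))


def find_skipped_changes(log_text):
    """Return replicated operations that failed and were then overtaken.

    For each originating replica id, a failed op (err != 0) followed by a
    successfully applied op with a newer CSN is reported together with the
    CSN that overtook it.
    """
    per_replica = defaultdict(list)
    for line in log_text.splitlines():
        m = RESULT_RE.match(line)
        if not m:
            continue
        rec = {"csn": m.group("csn"), "err": int(m.group("err")),
               "ts": m.group("ts"), "conn": m.group("conn"), "op": m.group("op")}
        per_replica[parse_csn(rec["csn"])[2]].append(rec)

    skipped = []
    for replica_id, ops in per_replica.items():
        for i, rec in enumerate(ops):
            if rec["err"] == 0:
                continue
            newer_ok = [o["csn"] for o in ops[i + 1:]
                        if o["err"] == 0 and parse_csn(o["csn"]) > parse_csn(rec["csn"])]
            if newer_ok:
                skipped.append({"csn": rec["csn"], "replica_id": replica_id,
                                "err": rec["err"],
                                "conn_op": "conn=%s op=%s" % (rec["conn"], rec["op"]),
                                "overtaken_by": newer_ok[0]})
    return skipped


def demo():
    """Run the detector over the constructed sample log."""
    return find_skipped_changes(SAMPLE_ACCESS_LOG)


if __name__ == "__main__":
    for s in demo():
        print("replica %d: csn %s (%s) failed with err=%d but %s was applied "
              "later; the consumer RUV has moved past it"
              % (s["replica_id"], s["csn"], s["conn_op"], s["err"], s["overtaken_by"]))
```

On a live consumer, compare a flagged CSN with the RUV the consumer advertises (ldapsearch against the suffix for (&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone)) with the nsds50ruv attribute): once the maxcsn recorded for that replica id is past the failed CSN, the supplier will not resend the change and the entry has to be fixed by hand or the consumer re-initialised.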
From: derny at redhat.com (Drew Erny)
Date: Tue, 16 Jun 2015 14:29:40 -0400
Subject: [Freeipa-devel] IPA Python API
Message-ID: <55806B14.7030905@redhat.com>

Hi, All,

I'm using the IPA Python API to write the Community Portal. Most of the
documentation for using the IPA Python API is targeted at plugin authors,
and this isn't a plugin for (what I think are) good reasons. I'm doing

# in the main program
from ipalib import api
api.bootstrap(context="client")
api.finalize()
api.Backend.rpcclient.connect()

# and then, inside of a separate class
api.Command.stageuser_add(...)

Which is how doc/examples/python-api.py shows it.

However, calling api.Command.stageuser_add(...) causes
AttributeError: No context.rpcclient_... in thread 'Thread-1'

I think this is probably related to the fact that I haven't configured
my program to connect to any particular IPA server, because before the
program errors out, it prints:
ipa: INFO: Forwarding 'stageuser_add' to json server 'None'

If the problem is the lack of a target server, as I suspect, how would I
configure the program to connect to a particular IPA server? If this
isn't caused by that, what could the causes be?

From derny at redhat.com Tue Jun 16 19:39:25 2015
From: derny at redhat.com (Drew Erny)
Date: Tue, 16 Jun 2015 15:39:25 -0400
Subject: [Freeipa-devel] IPA Python API
In-Reply-To: <55806B14.7030905@redhat.com>
References: <55806B14.7030905@redhat.com>
Message-ID: <55807B6D.6020608@redhat.com>

On 06/16/2015 02:29 PM, Drew Erny wrote:
> Hi, All,
>
> I'm using the IPA Python API to write the Community Portal. Most of
> the documentation for using the IPA Python API is targeted at plugin
> authors, and this isn't a plugin for (what I think are) good reasons.
> I'm doing
>
> # in the main program
> from ipalib import api
> api.bootstrap(context="client")
> api.finalize()
> api.Backend.rpcclient.connect()
>
> # and then, inside of a separate class
> api.Command.stageuser_add(...)
>
> Which is how doc/examples/python-api.py shows it.
>
> However, calling api.Command.stageuser_add(...) causes
> AttributeError: No context.rpcclient_... in thread 'Thread-1'
>
> I think this is probably related to the fact that I haven't configured
> my program to connect to any particular IPA server, because before the
> program errors out, it prints:
> ipa: INFO: Forwarding 'stageuser_add' to json server 'None'
>
> If the problem is the lack of a target server, as I suspect, how would
> I configure the program to connect to a particular IPA server? If this
> isn't caused by that, what could the causes be?
>
I think this may be a bug. Even after doing ipa-client-install and
following exactly the guide outlined in this email
(https://www.redhat.com/archives/freeipa-users/2012-June/msg00334.html)
I still get the same error. I've poked around in the code around this,
though, and if it is a bug then I might need help because it's WAY deep
in the FreeIPA internals.

Also, forgot to mention, all of the ellipses (...) in the code in the
first email are elided code, not literal ellipses.

From rcritten at redhat.com Tue Jun 16 20:17:19 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 16 Jun 2015 16:17:19 -0400
Subject: [Freeipa-devel] IPA Python API
In-Reply-To: <55807B6D.6020608@redhat.com>
References: <55806B14.7030905@redhat.com> <55807B6D.6020608@redhat.com>
Message-ID: <5580844F.7060507@redhat.com>

Drew Erny wrote:
> On 06/16/2015 02:29 PM, Drew Erny wrote:
>> Hi, All,
>>
>> I'm using the IPA Python API to write the Community Portal. Most of
>> the documentation for using the IPA Python API is targeted at plugin
>> authors, and this isn't a plugin for (what I think are) good reasons.
>> I'm doing
>>
>> # in the main program
>> from ipalib import api
>> api.bootstrap(context="client")
>> api.finalize()
>> api.Backend.rpcclient.connect()
>>
>> # and then, inside of a separate class
>> api.Command.stageuser_add(...)
>>
>> Which is how doc/examples/python-api.py shows it.
>>
>> However, calling api.Command.stageuser_add(...) causes
>> AttributeError: No context.rpcclient_... in thread 'Thread-1'
>>
>> I think this is probably related to the fact that I haven't configured
>> my program to connect to any particular IPA server, because before the
>> program errors out, it prints:
>> ipa: INFO: Forwarding 'stageuser_add' to json server 'None'
>>
>> If the problem is the lack of a target server, as I suspect, how would
>> I configure the program to connect to a particular IPA server? If this
>> isn't caused by that, what could the causes be?
>>
> I think this may be a bug. Even after doing ipa-client-install and
> following exactly the guide outlined in this email
> (https://www.redhat.com/archives/freeipa-users/2012-June/msg00334.html)
> I still get the same error. I've poked around in the code around this,
> though, and if it is a bug then I might need help because it's WAY deep
> in the FreeIPA internals.
>
> Also, forgot to mention, all of the ellipses (...) in the code in the
> first email are elided code, not literal ellipses.
>

I wonder if it's detecting that you are in-tree so trying to use
~/.ipa/default.conf.

This code:

from ipalib import api
api.bootstrap(context="client")
api.finalize()
api.Backend.rpcclient.connect()

# and then, inside of a separate class
print api.Command.user_show(u'admin')

produces this:

$ python derny.py
ipa: INFO: trying https://ipadev.greyoak.com/ipa/session/json
ipa: INFO: Forwarding 'user_show' to json server 'https://ipadev.greyoak.com/ipa/session/json'
{u'result': {u'dn': u'uid=admin,cn=users,cn=accounts,dc=greyoak,dc=com', u'has_keytab': True, u'uid': (u'admin',), u'loginshell': (u'/bin/bash',), u'uidnumber': (u'590000000',), u'gidnumber': (u'590000000',), u'memberof_group': (u'admins', u'trust admins'), u'has_password': True, u'sn': (u'Administrator',), u'homedirectory': (u'/home/admin',), u'nsaccountlock': False}, u'value': u'admin', u'summary': None}

rob

From derny at redhat.com Tue Jun 16 21:41:53 2015
From: derny at redhat.com (Drew Erny)
Date: Tue, 16 Jun 2015 17:41:53 -0400
Subject: [Freeipa-devel] IPA Python API
In-Reply-To: <5580844F.7060507@redhat.com>
References: <55806B14.7030905@redhat.com> <55807B6D.6020608@redhat.com> <5580844F.7060507@redhat.com>
Message-ID: <55809821.6050309@redhat.com>

On 06/16/2015 04:17 PM, Rob Crittenden wrote:
> Drew Erny wrote:
>> On 06/16/2015 02:29 PM, Drew Erny wrote:
>>> Hi, All,
>>>
>>> I'm using the IPA Python API to write the Community Portal. Most of
>>> the documentation for using the IPA Python API is targeted at plugin
>>> authors, and this isn't a plugin for (what I think are) good reasons.
>>> I'm doing
>>>
>>> # in the main program
>>> from ipalib import api
>>> api.bootstrap(context="client")
>>> api.finalize()
>>> api.Backend.rpcclient.connect()
>>>
>>> # and then, inside of a separate class
>>> api.Command.stageuser_add(...)
>>>
>>> Which is how doc/examples/python-api.py shows it.
>>>
>>> However, calling api.Command.stageuser_add(...) causes
>>> AttributeError: No context.rpcclient_... in thread 'Thread-1'
>>>
>>> I think this is probably related to the fact that I haven't configured
>>> my program to connect to any particular IPA server, because before the
>>> program errors out, it prints:
>>> ipa: INFO: Forwarding 'stageuser_add' to json server 'None'
>>>
>>> If the problem is the lack of a target server, as I suspect, how would
>>> I configure the program to connect to a particular IPA server? If this
>>> isn't caused by that, what could the causes be?
>>>
>> I think this may be a bug. Even after doing ipa-client-install and
>> following exactly the guide outlined in this email
>> (https://www.redhat.com/archives/freeipa-users/2012-June/msg00334.html)
>> I still get the same error. I've poked around in the code around this,
>> though, and if it is a bug then I might need help because it's WAY deep
>> in the FreeIPA internals.
>>
>> Also, forgot to mention, all of the ellipses (...) in the code in the
>> first email are elided code, not literal ellipses.
>>
>
> I wonder if it's detecting that you are in-tree so trying to use
> ~/.ipa/default.conf.
>
> This code:
>
> from ipalib import api
> api.bootstrap(context="client")
> api.finalize()
> api.Backend.rpcclient.connect()
>
> # and then, inside of a separate class
> print api.Command.user_show(u'admin')
>
> produces this:
>
> $ python derny.py
> ipa: INFO: trying https://ipadev.greyoak.com/ipa/session/json
> ipa: INFO: Forwarding 'user_show' to json server
> 'https://ipadev.greyoak.com/ipa/session/json'
> {u'result': {u'dn':
> u'uid=admin,cn=users,cn=accounts,dc=greyoak,dc=com', u'has_keytab':
> True, u'uid': (u'admin',), u'loginshell': (u'/bin/bash',),
> u'uidnumber': (u'590000000',), u'gidnumber': (u'590000000',),
> u'memberof_group': (u'admins', u'trust admins'), u'has_password':
> True, u'sn': (u'Administrator',), u'homedirectory': (u'/home/admin',),
> u'nsaccountlock': False}, u'value': u'admin', u'summary': None}
>
> rob

I've sort of figured out the problem. I uninstalled the master-branch
rpms I had, and then installed the latest FreeIPA from the fedora repos.
Then, I was able to run the commands from the interpreter but the
program still threw the same error. However, after some knob-twiddling,
I've narrowed it down: running a Flask app with debug = True causes the
error, but removing the debug line makes the code work.

This doesn't explain why with the master build, the code throws errors
in the python interpreter for me, which means something else is probably
afoot (and probably our fault instead of Flask's), but I don't have any
clue what it is.

From jcholast at redhat.com Wed Jun 17 05:24:31 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 17 Jun 2015 07:24:31 +0200
Subject: [Freeipa-devel] IPA Python API
In-Reply-To: <55806B14.7030905@redhat.com>
References: <55806B14.7030905@redhat.com>
Message-ID: <5581048F.7030800@redhat.com>

Dne 16.6.2015 v 20:29 Drew Erny napsal(a):
> Hi, All,
>
> I'm using the IPA Python API to write the Community Portal. Most of the
> documentation for using the IPA Python API is targeted at plugin authors,
> and this isn't a plugin for (what I think are) good reasons. I'm doing
>
> # in the main program
> from ipalib import api
> api.bootstrap(context="client")
> api.finalize()
> api.Backend.rpcclient.connect()

Call api.Backend.rpcclient.connect(ccache=krbV.default_context().default_ccache())
to make the problem go away.

>
> # and then, inside of a separate class
> api.Command.stageuser_add(...)
>
> Which is how doc/examples/python-api.py shows it.
>
> However, calling api.Command.stageuser_add(...) causes
> AttributeError: No context.rpcclient_... in thread 'Thread-1'
>
> I think this is probably related to the fact that I haven't configured
> my program to connect to any particular IPA server, because before the
> program errors out, it prints:
> ipa: INFO: Forwarding 'stageuser_add' to json server 'None'
>
> If the problem is the lack of a target server, as I suspect, how would I
> configure the program to connect to a particular IPA server? If this
> isn't caused by that, what could the causes be?
>

-- 
Jan Cholasta

From mkosek at redhat.com Wed Jun 17 05:52:30 2015
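Two details in this thread point at the same mechanism: the AttributeError names a thread ('Thread-1'), and the error only appears once Flask runs with debug=True, which serves requests from threads other than the one that ran api.Backend.rpcclient.connect(). ipalib keeps each backend's live connection in a per-thread context, so a connection made at start-up in the main thread is not visible from a request-handling thread. The Python below is an added example written for this archive, not ipalib or Community Portal code: MiniApi is a constructed stand-in that reproduces only that per-thread behaviour (its connect()/isconnected() names mirror the methods on ipalib's Connectible backends, but the class is not ipalib's), the server URL is assumed, and ensure_connected() is the pattern to call from every worker thread (for example from a Flask before_request hook) instead of connecting once at import time.

```python
"""Per-thread connections, modelled on ipalib's thread-local context.

Added example, not ipalib code.  MiniApi is a constructed stand-in that
keeps its live connection in a threading.local(), which is what makes a
connect() done in the main thread invisible to a worker thread.
"""
import threading

# Assumed server URL, for illustration only.
SERVER = "https://ipa.example.test/ipa/session/json"


class MiniApi(object):
    def __init__(self):
        # ipalib stores the rpcclient connection in a per-thread context; so do we.
        self.context = threading.local()

    def connect(self, server=SERVER):
        """Stand-in for api.Backend.rpcclient.connect(): connects *this* thread only."""
        if self.isconnected():
            raise RuntimeError("already connected in %s" % threading.current_thread().name)
        self.context.rpcclient = server

    def isconnected(self):
        """Stand-in for api.Backend.rpcclient.isconnected() for the calling thread."""
        return hasattr(self.context, "rpcclient")

    def command(self, name, *args):
        """Stand-in for api.Command.<name>(...): needs a connection in this thread."""
        if not self.isconnected():
            raise AttributeError("No context.rpcclient in thread '%s'"
                                 % threading.current_thread().name)
        return {"result": {"command": name, "args": args,
                           "server": self.context.rpcclient}}


def ensure_connected(backend, **connect_kwargs):
    """Connect lazily from the calling thread; idempotent, so safe per request.

    With real ipalib pass api.Backend.rpcclient as ``backend`` and forward the
    same keyword arguments (e.g. ccache=...) you would give to connect().
    """
    if not backend.isconnected():
        backend.connect(**connect_kwargs)


def naive_worker(api, out):
    # Broken pattern: assumes the main thread's connection is shared.
    try:
        out.append(api.command("user_show", u"admin"))
    except AttributeError as exc:
        out.append(exc)


def fixed_worker(api, out):
    # Working pattern: each thread connects (once) before issuing commands.
    ensure_connected(api)
    out.append(api.command("user_show", u"admin"))


def run_in_worker(target, api, name="Thread-1"):
    """Run target(api, out) in a fresh thread and return what it appended."""
    out = []
    t = threading.Thread(target=target, args=(api, out), name=name)
    t.start()
    t.join()
    return out[0]


def demo():
    """Connect in the main thread (as doc/examples/python-api.py does), then
    issue a command from a worker thread both the broken and the fixed way."""
    api = MiniApi()
    api.connect()
    broken = run_in_worker(naive_worker, api)
    fixed = run_in_worker(fixed_worker, api)
    return broken, fixed


if __name__ == "__main__":
    broken, fixed = demo()
    print("naive worker: %r" % (broken,))
    print("fixed worker: %r" % (fixed,))
```

Running it shows the naive worker failing with the same "No context.rpcclient in thread 'Thread-1'" shape as Drew's traceback while the fixed worker gets a result; the Flask debug reloader simply makes the multi-threaded case visible earlier, it does not cause it.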
From: mkosek at redhat.com (Martin Kosek) Date: Wed, 17 Jun 2015 07:52:30 +0200 Subject: [Freeipa-devel] update on freeipa 4.2 pki issues In-Reply-To: <20150616163921.GI29330@dhcp-40-8.bne.redhat.com> References: <20150616163921.GI29330@dhcp-40-8.bne.redhat.com> Message-ID: <55810B1E.4070101@redhat.com> On 06/16/2015 06:39 PM, Fraser Tweedale wrote: > I fixed several issues which broke Dogtag upgrades involving > particular versions; these will be in the next release. > > I haven't yet gotten to to the reported failure running > ipa-replica-upgrade on a replica (but I haven't forgotten about it > either.) This is the only issue affecting *fresh installs* that I > am aware of. If you know of others please let me know! > > The remaining Dogtag-related upgrade problem is caused by new DS > schema on the Dogtag side, which is used for LDAP-based profiles. > There is not yet an automatic schema upgrade facility for Dogtag, so > the new schema was missing. > > The planned approach is: > > - Either Dogtag or FreeIPA will add the new CS schema on upgrade. > (Eventually Dogtag will need to manage its own schema updates but > right now there is no facility, and the new schema is only used by > IPA.) If possible, I would prefer Dogtag to update the schema the best it can, otherwise there is a risk of collisions or upgrade breakages if FreeIPA starts updating Dogtag internals. > - Migrate file-based profiles into LDAP during IPA upgrade. But for > this to work, I need to make sure that if new schema is added, > then entries that use the new schema, replication to instances > that did not yet have the new schema will not break. Anyone who > knows LDAP better than me, please share your knowledge! Shouldn't schema just replicate, when the first FreeIPA+CS is upgraded? CCing Thierry for reference, he had a lot of fun with schema upgrades. 
> > - If my assumptions about replication are wrong, the best approach > will probably be to have the administrator perform profile > migration (via a script) as a later task, after all replicas have > been upgraded. Not a fan of this, FreeIPA upgrades should be ideally automatic and straightforward. So far we did not have problems with automatic upgrades (well, except Dogtag9->Dogtag10 upgrade - I would prefer not to have such situation again). Thanks for updates! Martin From mkosek at redhat.com Wed Jun 17 05:55:10 2015 
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 17 Jun 2015 07:55:10 +0200
Subject: [Freeipa-devel] FreeIPA 4.2 Alpha preparations
In-Reply-To: <20150616152944.GH29330@dhcp-40-8.bne.redhat.com>
References: <557AA7AF.1070903@redhat.com> <55803C48.8010301@redhat.com> <20150616152944.GH29330@dhcp-40-8.bne.redhat.com>
Message-ID: <55810BBE.1010906@redhat.com>

On 06/16/2015 05:29 PM, Fraser Tweedale wrote:
> On Tue, Jun 16, 2015 at 05:10:00PM +0200, Martin Kosek wrote:
>> On 06/12/2015 11:34 AM, Martin Kosek wrote:
>>> Hello all,
>>>
>>> As discussed in the last 2 weeks, we are getting close to the 4.2 finish line
>>> and releasing FreeIPA 4.2 Alpha 1. We already have most of the major RFEs
>>> complete, some still miss some partial functionality, but most are testable and
>>> in Alpha state already.
>>>
>>> We need to now find out what is blocking us from releasing the Alpha. I know
>>> only about 2 issues:
>>>
>>> - ipa-replica-manage del does not work well with the Topology plugin yet - Petr
>>> Vobornik and Ludwig are working on it
>>> - ipa-replica-prepare had some issues after upgrade from 4.1.x to 4.2.0 due to
>>> inaccessible certificate profiles - Jan, Martin2, Fraser was investigating
>>>
>>> Is that correct? Feature owners, please let me know if any of the major feature
>>> regressed and is not working properly, maybe by other patch sets being merged.
>>>
>>> When the blockers are resolved or documented, we should release the beast. Any
>>> volunteer for the release process?
>>>
>>> Finally, I put together a release note draft for the Alpha, please help me
>>> completing and updating it:
>>>
>>> http://www.freeipa.org/page/Releases/4.2.0.alpha1
>>>
>>> Thanks everyone!
>>>
>>
>> I saw many fixes in Topology, that's good. I heard that pki-core 10.2.4 broke
>> us, but I could not reproduce it today with fully updated F22 machine and I was
>> able to install FreeIPA 4.2.git
>>
>> If this is the case, can we just release the Alpha?
>
> There are still some big brokens for upgrades. The fixes for pki
> are merged but there is no release yet.

What is the ETA? It would be nice to have the fix for Alpha, the package can be
built in the freeipa-4.2 COPR repo, together with the 4.2 Alpha release.

If the ETA is too far, we may need to release Alpha regardless as there are some
Test Days planned next week and upgrade is not required for such test days.

> I am only aware of one
> reported issue for new installations: ipa-replica-prepare failing
> when run on a replica (I haven't gotten to investigating this one
> yet).

Right. This must be fixed before GA, but Alpha can live without it IMO.

From jcholast at redhat.com Wed Jun 17 06:32:03 2015
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 17 Jun 2015 08:32:03 +0200 Subject: [Freeipa-devel] [PATCH] Password vault In-Reply-To: <557F5998.2000103@redhat.com> References: <54E1AF55.3060409@redhat.com> <54EBEB55.6010306@redhat.com> <54F96B22.9050507@redhat.com> <55004D5D.6060300@redhat.com> <550FE5EB.1070606@redhat.com> <551E0AE1.8040500@redhat.com> <553498D1.1020901@redhat.com> <55651209.8020000@redhat.com> <556558AA.6040107@redhat.com> <556CF209.7050404@redhat.com> <556EF05E.90103@redhat.com> <55719260.8080300@redhat.com> <5571FD75.5010708@redhat.com> <557568CB.3040503@redhat.com> <557756EE.8020507@redhat.com> <5577D581.1020800@redhat.com> <557E7D21.2040304@redhat.com> <557F5998.2000103@redhat.com> Message-ID: <55811463.8050802@redhat.com> Dne 16.6.2015 v 01:02 Endi Sukma Dewata napsal(a): > On 6/15/2015 2:22 AM, Jan Cholasta wrote: >> I think it would be better to use a new attribute type which inherits >> from ipaPublicKey (ipaVaultPublicKey?) rather than ipaPublicKey directly >> for assymetric vault public keys, so that assymetric public key and >> escrow public key are on the same level and you can still use >> ipaPublicKey to refer to either one: >> >> ipaPublicKey >> ipaVaultPublicKey >> ipaEscrowPublicKey >> >> ( 2.16.840.1.113730.3.8.18.2.? NAME 'ipaVaultPublicKey' DESC >> 'Assymetric vault public key as DER-encoded SubjectPublicKeyInfo (RFC >> 5280)' SUP ipaPublicKey EQUALITY octetStringMatch SYNTAX >> 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.2' ) >> ( 2.16.840.1.113730.3.8.18.2.3 NAME 'ipaEscrowPublicKey' DESC 'IPA >> escrow public key as DER-encoded SubjectPublicKeyInfo (RFC 5280)' SUP >> ipaPublicKey EQUALITY octetStringMatch SYNTAX >> 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.2' ) > > OK. To be consistent the parameters need to be renamed too: > --vault-public-key and --vault-public-key-file. It doesn't need to, there is no requirement for CLI names to always match attribute names. 
(Also I don't insist on the name "ipaVaultPublicKey", feel free to change it if you want.) > >>>> 1. The vault_add was split into a client-side vault_add and server-side >>>> vault_add_internal since the parameters are different (i.e. public >>>> key file and >>>> future escrow-related params). Since vault_add inherits from Local all >>>> non-primary-key attributes have to be added explicitly. >> >> The split is not really necessary, since the only difference is the >> public_key_file option, which exists only because of the lack of proper >> file support in the framework. This is a different situation from >> vault_{archive,retrieve}, which has two different sets of options on >> client and server side. Escrow adds only ipaescrowpublickey and >> escrow_public_key_file, right? If yes, we can safely keep the command in >> a single piece. > > We know the vault-add will have at least two client-only parameters: > vault_public_key_file and escrow_public_key_file. Keeping these > parameters on the server API would be wrong and confusing. If the API is > called on the server side with vault_public_key_file the operation will > fail. In the previous discussion you considered this as broken API: > >> Server API is used not only by the server itself, but also by installers >> for example. Anyway the point is that there *can't* be a broken API like >> this, you should at least raise an error if the command is called from >> server API, although actually separating it into client and server parts >> would be preferable. You are comparing apples and oranges: a) When the non-split vault_{archive,retrieve} was called from a server API with client-only options, it crashed. This is the broken API I was talking about. b) The non-split vault_{archive,retrieve} had server-only options, which were also accepted on client, but setting them had no effect. c) The CLI options to read param values from files should be generated by the framework without having to specify dummy params. 
Once this is implemented, the dummy params will go away. However, this will still leave some client-only options in vault_{archive,retrieve}.

None of the above applies to vault_add - it does not have any server-only options and the only client-only options it has are the dummy options for file input, which are ignored on the server.

> Also, originally the vault was designed like this: when you create a symmetric vault you're supposed to specify the password as well, similar to adding a public key when creating an asymmetric vault. When you archive, you're supposed to enter the same password for verification, not a new password. So it would look like this:
>
> $ ipa vault-add test --type symmetric
> New password: ********
> Verify password: ********
>
> $ ipa vault-archive test --in secret1.txt
> Password: ******** (same password)
>
> $ ipa vault-archive test --in secret2.txt
> Password: ******** (same password)
>
> In the original design the vault-add would also archive blank data, which later could be used to verify the password during vault-archive by decrypting the existing data first. There's also a plan to add a mechanism to change the password after the ACL patch.
>
> In the current design the vault-add doesn't archive anything, so during vault-archive it cannot verify the password because there is nothing to decrypt. In other words you can specify different passwords on each archival, regardless of previous archivals:
>
> $ ipa vault-add test --type symmetric
>
> $ ipa vault-archive test --in secret1.txt
> New password: ********
> Verify password: ********
>
> $ ipa vault-archive test --in secret2.txt
> New password: ********
> Verify password: ********
>
> So basically here are the options:
>
> 1. Specify the crypto parameters once during vault creation, then reuse/verify the parameters on each archival & retrieval. You can change the parameters only with a special command.
>
> 2. Don't specify the crypto parameters during vault creation, but specify new parameters on each archival. For retrieval you'd have to use/verify the parameters specified in the last archival.
>
> I think the first one makes more sense and is easier to use. That also means the vault-add will have additional client-only parameters such as --password and --password-file.

How come --password is client-side? When setting password for a user, the password is sent to the server. If it's OK for users, why is it not OK for vaults?

Does the password need to be set in vault_add? Why not have a separate command for setting the password, like what we have for users?

>>>> 2. Since the vault_archive_internal inherits from Update, it accepts all non primary-key attributes automatically. This is incorrect since we don't want to update these parameters during archival. Can this behavior be overridden?
>>
>> Inherit from PKQuery instead (don't forget to add "has_output = output.standard_entry").
>
> Previously you didn't want to use LDAPQuery because of semantics reasons. Is PKQuery fine semantically?

It's not. Currently there is a set of commands which operate on the LDAP part of vault and another set of commands which operate on the KRA part of vault and we don't want the commands in one set to see attributes related to the other part of vault. If you insist on keeping both parts in a single object, you have to resort to hackery like using PKQuery, hence my suggestion to split the data part off to a separate object to avoid this.

> Why not use LDAPQuery since vault is an LDAPObject?

Because you are retrieving data from KRA, not from LDAP.

> And to be consistent should vault_retrieve_internal inherit from the same class?

It could, but it's not necessary.

>> BTW the correct solution would be to have a separate object and commands for vault data (e.g. vaultdata object, vault_archive -> vaultdata_mod, vault_retrieve -> vaultdata_show), then we wouldn't have to deal with mixing vault attributes with vault data and could use proper crud base classes.

-- 
Jan Cholasta

From lkrispen at redhat.com Wed Jun 17 07:25:05 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Wed, 17 Jun 2015 09:25:05 +0200
Subject: [Freeipa-devel] [PATCH 0014] correct handling of one directional segments
In-Reply-To: <55803DFF.7040805@redhat.com>
References: <557FEF38.9000700@redhat.com> <55803DFF.7040805@redhat.com>
Message-ID: <558120D1.2010700@redhat.com>

Hi,
thanks for review, see answers inline.

On 06/16/2015 05:17 PM, thierry bordaz wrote:
> On 06/16/2015 11:41 AM, Ludwig Krispenz wrote:
>> this patch addresses issues in checking existing segments for one directional segments and correctly handles the merging of segments, so that all agreements will be removed when the merged segment is deleted
>
> This is looking good to me with few comments
>
> * in ipa_topo_cfg_replica_segment_find, if 'dir=0' or 'dir=bidirectional' the reverse direction is bidirectional. Is it the expected result ?

yes. 0 does not exist as valid direction and if we are looking for (A,B,both) this could also be expressed as (B,A,both). we do not really look for a opposite direction of (A,B,dir) but for a segment (B,A,revdir) which covers this segment.

> * in ipa_topo_check_segment_is_valid and ipa_topo_util_find_segment, maybe harden leftnode,rightnode,dir if they are NULL. (if the entry violates schema).

if we can arrive at a state where an entry violates the schema I think we have more trouble, I want to avoid adding code for handling errors which cannot exist.

> * ipa_topo_util_segm_dir if direction does not match any of the strings, it returns -1. 0 would be better if we decide to test bit mask.

yes, but in preop we check that only valid directions are added, so it might be unnecessary to handle it, but if you want I can change it.

> * in ipa_topo_util_segment_update:810, ex_segm is a right_left segment. Why trying to call ipa_topo_cfg_agmt_dup with ex_segm->left in priority. Why not ex_segm->right first ?

no, we don't know if it is a right-left segment. we have (A,B,left-right), the segment for the other direction could be (A,B,right-left) or (B,A,left-right). All we know is that it is not bidirectional, otherwise (A,B,left-right) would have been rejected in the preop test. So there is one agmt, left or right and take the existing one.

> * in ipa_topo_util_delete_segments_for_host, if segment localhost->delhost is bidirectional, how can a reverse segment delhost->localhost exist ? I thought those segments have been merged ?

if it is bidirectional check_reverse is set to 0 and reverse is not attempted

> Thanks
> thierry

From tbordaz at redhat.com Wed Jun 17 08:35:54 2015
From: tbordaz at redhat.com (thierry bordaz)
Date: Wed, 17 Jun 2015 10:35:54 +0200
Subject: [Freeipa-devel] [PATCH 0014] correct handling of one directional segments
In-Reply-To: <558120D1.2010700@redhat.com>
References: <557FEF38.9000700@redhat.com> <55803DFF.7040805@redhat.com> <558120D1.2010700@redhat.com>
Message-ID: <5581316A.1020608@redhat.com>

On 06/17/2015 09:25 AM, Ludwig Krispenz wrote:
> Hi,
> thanks for review, see answers inline.
>
> On 06/16/2015 05:17 PM, thierry bordaz wrote:
>> On 06/16/2015 11:41 AM, Ludwig Krispenz wrote:
>>> this patch addresses issues in checking existing segments for one directional segments and correctly handles the merging of segments, so that all agreements will be removed when the merged segment is deleted
>>
>> This is looking good to me with few comments
>>
>> * in ipa_topo_cfg_replica_segment_find, if 'dir=0' or 'dir=bidirectional' the reverse direction is bidirectional. Is it the expected result ?
>
> yes. 0 does not exist as valid direction and if we are looking for (A,B,both) this could also be expressed as (B,A,both). we do not really look for a opposite direction of (A,B,dir) but for a segment (B,A,revdir) which covers this segment.
>
>> * in ipa_topo_check_segment_is_valid and ipa_topo_util_find_segment, maybe harden leftnode,rightnode,dir if they are NULL. (if the entry violates schema).
>
> if we can arrive at a state where an entry violates the schema I think we have more trouble, I want to avoid adding code for handling errors which cannot exist.

Hi Ludwig,

thanks for your explanations. All of them make sense and so for me the patch is valid.

I have a minor question about schema violation. When we add an entry, in preop we did not yet check the schema. So ipa_topo_pre_add->ipa_topo_check_segment_is_valid may be called with an invalid segment entry where some attributes are missing (like ipaReplTopoSegmentDirection).

Also something that is not clear to me. I have a segment seg=ipa_topo_cfg_replica_segment_find(.., A, B, SEGMENT_RIGHT_LEFT, ..);. my understanding is that seg->right != 0 and seg->left == 0. is that correct ?

thanks
thierry

>> * ipa_topo_util_segm_dir if direction does not match any of the strings, it returns -1. 0 would be better if we decide to test bit mask.
>
> yes, but in preop we check that only valid directions are added, so it might be unnecessary to handle it, but if you want I can change it.
>
>> * in ipa_topo_util_segment_update:810, ex_segm is a right_left segment. Why trying to call ipa_topo_cfg_agmt_dup with ex_segm->left in priority. Why not ex_segm->right first ?
>
> no, we don't know if it is a right-left segment. we have (A,B,left-right), the segment for the other direction could be (A,B,right-left) or (B,A,left-right). All we know is that it is not bidirectional, otherwise (A,B,left-right) would have been rejected in the preop test. So there is one agmt, left or right and take the existing one.
>
>> * in ipa_topo_util_delete_segments_for_host, if segment localhost->delhost is bidirectional, how can a reverse segment delhost->localhost exist ? I thought those segments have been merged ?
>
> if it is bidirectional check_reverse is set to 0 and reverse is not attempted
>
>> Thanks
>> thierry

From mbasti at redhat.com Wed Jun 17 09:01:28 2015
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 17 Jun 2015 11:01:28 +0200
Subject: [Freeipa-devel] [PATCH 0264] Server Upgrade: disconnect ldap2 connection before DS restart
In-Reply-To: <1434463472.2716.11.camel@willson.usersys.redhat.com>
References: <557823B7.3070205@redhat.com> <1434463472.2716.11.camel@willson.usersys.redhat.com>
Message-ID: <55813768.3070103@redhat.com>

On 16/06/15 16:04, Simo Sorce wrote:
> On Wed, 2015-06-10 at 13:47 +0200, Martin Basti wrote:
>> Without this patch, upgrade may fail when api.Backend.ldap2 was connected before DS restart.
>>
>> Patch attached.
>
> although this patch is fine as is, I wonder why it is needed.
>
> I would argue that ldap2 should be able to reconnect on its own if the connection is broken, where am I wrong ?
>
> Simo.

Honza also proposed this, it would be better, but not in 4.2.0.

Martin^2

-- 
Martin Basti

From lkrispen at redhat.com Wed Jun 17 09:05:07 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Wed, 17 Jun 2015 11:05:07 +0200
Subject: [Freeipa-devel] [PATCH 0014] correct handling of one directional segments
In-Reply-To: <5581316A.1020608@redhat.com>
References: <557FEF38.9000700@redhat.com> <55803DFF.7040805@redhat.com> <558120D1.2010700@redhat.com> <5581316A.1020608@redhat.com>
Message-ID: <55813843.5050100@redhat.com>

On 06/17/2015 10:35 AM, thierry bordaz wrote:
> On 06/17/2015 09:25 AM, Ludwig Krispenz wrote:
>> Hi,
>> thanks for review, see answers inline.
>>
>> On 06/16/2015 05:17 PM, thierry bordaz wrote:
>>> On 06/16/2015 11:41 AM, Ludwig Krispenz wrote:
>>>> this patch addresses issues in checking existing segments for one directional segments and correctly handles the merging of segments, so that all agreements will be removed when the merged segment is deleted
>>>
>>> This is looking good to me with few comments
>>>
>>> * in ipa_topo_cfg_replica_segment_find, if 'dir=0' or 'dir=bidirectional' the reverse direction is bidirectional. Is it the expected result ?
>>
>> yes. 0 does not exist as valid direction and if we are looking for (A,B,both) this could also be expressed as (B,A,both). we do not really look for a opposite direction of (A,B,dir) but for a segment (B,A,revdir) which covers this segment.
>>
>>> * in ipa_topo_check_segment_is_valid and ipa_topo_util_find_segment, maybe harden leftnode,rightnode,dir if they are NULL. (if the entry violates schema).
>>
>> if we can arrive at a state where an entry violates the schema I think we have more trouble, I want to avoid adding code for handling errors which cannot exist.
>
> Hi Ludwig,
>
> thanks for your explanations. All of them make sense and so for me the patch is valid.
>
> I have a minor question about schema violation. When we add an entry, in preop we did not yet check the schema. So ipa_topo_pre_add->ipa_topo_check_segment_is_valid may be called with an invalid segment entry where some attributes are missing (like ipaReplTopoSegmentDirection).

good point, in preop we cannot rely on schema having been checked, need to add a check.

> Also something that is not clear to me.
> I have a segment seg=ipa_topo_cfg_replica_segment_find(.., A, B, SEGMENT_RIGHT_LEFT, ..);. my understanding is that seg->right != 0 and seg->left == 0. is that correct ?

no :-) one directional segments are a bit confusing. a replication agreement B-->A can be represented by a segment (A,B,right-left) or (B,A,left-right). when doing segment_find (A,B,right-left) we are looking if any segment covers this and the result could be a segment (B,A,left-right) with seg->left != 0

> thanks
> thierry
>
>>> * ipa_topo_util_segm_dir if direction does not match any of the strings, it returns -1. 0 would be better if we decide to test bit mask.
>>
>> yes, but in preop we check that only valid directions are added, so it might be unnecessary to handle it, but if you want I can change it.
>>
>>> * in ipa_topo_util_segment_update:810, ex_segm is a right_left segment. Why trying to call ipa_topo_cfg_agmt_dup with ex_segm->left in priority. Why not ex_segm->right first ?
>>
>> no, we don't know if it is a right-left segment. we have (A,B,left-right), the segment for the other direction could be (A,B,right-left) or (B,A,left-right). All we know is that it is not bidirectional, otherwise (A,B,left-right) would have been rejected in the preop test. So there is one agmt, left or right and take the existing one.
>>
>>> * in ipa_topo_util_delete_segments_for_host, if segment localhost->delhost is bidirectional, how can a reverse segment delhost->localhost exist ? I thought those segments have been merged ?
>>
>> if it is bidirectional check_reverse is set to 0 and reverse is not attempted
>>
>>> Thanks
>>> thierry

From lkrispen at redhat.com Wed Jun 17 09:06:57 2015
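The segment semantics Ludwig and Thierry work through in the exchange above (an agreement B-->A is either (A,B,right-left) or (B,A,left-right), a bidirectional segment covers both halves, opposite one-directional segments get merged, and an unknown direction should map to 0 rather than -1), as an added Python example that is not the topology plugin's own code. The bit values, the Segment class and the function names are assumptions modelled on the ipa_topo_* functions named in the thread.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Assumed bit values (not the plugin's): a direction is a bit mask so that
# "both" covers either one-directional variant.
LEFT_RIGHT = 1            # agreement left -> right
RIGHT_LEFT = 2            # agreement right -> left
BOTH = LEFT_RIGHT | RIGHT_LEFT

_DIRECTION_NAMES = {"left-right": LEFT_RIGHT, "right-left": RIGHT_LEFT, "both": BOTH}


def segm_dir(value: Optional[str]) -> int:
    """Map the ipaReplTopoSegmentDirection value to a bit mask.

    Returns 0 for a missing or unknown value (the review suggested 0 rather
    than -1), so callers can simply test bits; an entry that lacks the
    attribute, as can happen before schema checking in preop, is covered too.
    """
    if value is None:
        return 0
    return _DIRECTION_NAMES.get(value.lower(), 0)


@dataclass(frozen=True)
class Segment:
    left: str
    right: str
    direction: int

    def agreements(self) -> Set[Tuple[str, str]]:
        """Replication agreements (supplier, consumer) this segment stands for."""
        agmts = set()
        if self.direction & LEFT_RIGHT:
            agmts.add((self.left, self.right))
        if self.direction & RIGHT_LEFT:
            agmts.add((self.right, self.left))
        return agmts


def covers(existing: Segment, wanted: Segment) -> bool:
    """True if `existing` already provides every agreement `wanted` describes.

    So (B,A,left-right) covers (A,B,right-left): both mean the single
    agreement B -> A; and (A,B,both) covers (B,A,both) and either half.
    """
    return wanted.agreements() <= existing.agreements()


def segment_find(segments: Iterable[Segment], left: str, right: str,
                 direction: int) -> Optional[Segment]:
    """Return an existing segment that covers (left, right, direction), or None.

    As in the thread, the result for (A,B,right-left) may be the segment
    (B,A,left-right), i.e. one whose left-right bit is set.
    """
    wanted = Segment(left, right, direction)
    for seg in segments:
        if covers(seg, wanted):
            return seg
    return None


def preop_accepts(segments: Iterable[Segment], new: Segment) -> bool:
    """Preop check: the direction is valid and no existing segment covers `new`."""
    if new.direction not in (LEFT_RIGHT, RIGHT_LEFT, BOTH):
        return False
    return segment_find(segments, new.left, new.right, new.direction) is None


def add_segment(segments: List[Segment], new: Segment) -> List[Segment]:
    """Add `new`, merging it with an existing segment for the opposite direction.

    Two opposite one-directional segments become a single bidirectional one,
    so that deleting the merged segment later removes both agreements.
    """
    if not preop_accepts(segments, new):
        raise ValueError("segment rejected: invalid direction or already covered")
    if new.direction != BOTH:
        opposite = Segment(new.left, new.right, new.direction ^ BOTH)
        for seg in segments:
            if seg.agreements() == opposite.agreements():
                merged = Segment(new.left, new.right, BOTH)
                return [s for s in segments if s is not seg] + [merged]
    return segments + [new]


if __name__ == "__main__":
    existing = [Segment("B", "A", LEFT_RIGHT)]            # agreement B -> A
    print(segment_find(existing, "A", "B", RIGHT_LEFT))   # the (B,A,left-right) segment
    print(add_segment(existing, Segment("A", "B", LEFT_RIGHT)))  # merged into (A,B,both)
```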
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Wed, 17 Jun 2015 11:06:57 +0200
Subject: [Freeipa-devel] user deletion in offline mode does not get replicated after node recovery
In-Reply-To: <5580568A.2000404@redhat.com>
References: <55803767.5080906@redhat.com> <5580568A.2000404@redhat.com>
Message-ID: <558138B1.1070809@redhat.com>

Hi Oleg,

can you give a bit more info on the scenarios when this happens. Always or is it a timing problem ?

Ludwig

On 06/16/2015 07:02 PM, thierry bordaz wrote:
> Hello
>
> On Master:
> User 'onmaster' was deleted
>
> [16/Jun/2015:10:16:45 -0400] conn=402 op=19 SRCH base="cn=otp,dc=bagam,dc=net" scope=1 filter="(&(objectClass=ipatoken)(ipatokenOwner=uid=onmaster,cn=users,cn=accounts,dc=bagam,dc=net))" attrs="ipatokenNotAfter description ipatokenOwner objectClass ipatokenDisabled ipatokenVendor managedBy ipatokenModel ipatokenNotBefore ipatokenUniqueID ipatokenSerial"
> [16/Jun/2015:10:16:45 -0400] conn=402 op=19 RESULT err=0 tag=101 nentries=0 etime=0
> [16/Jun/2015:10:16:45 -0400] conn=402 op=20 DEL dn="uid=onmaster,cn=users,cn=accounts,dc=bagam,dc=net"
> [16/Jun/2015:10:16:45 -0400] conn=402 op=21 UNBIND
> [16/Jun/2015:10:16:45 -0400] conn=402 op=21 fd=120 closed - U1
> [16/Jun/2015:10:16:45 -0400] conn=402 op=20 RESULT err=0 tag=107 nentries=0 etime=0 csn=55802fcf000300040000
>
> Replication agreement failed to replicate it to the replica2
> [16/Jun/2015:10:18:36 -0400] NSMMReplicationPlugin - agmt="cn=f22master.bagam.net-to-f22replica2.bagam.net" (f22replica2:389): Consumer failed to replay change (uniqueid b8242e18-143111e5-b1d0d0c3-ae5854ff, CSN 55802fcf000300040000): Operations error (1). Will retry later.
>
> On replica2:
>
> The replicated operation failed
> [16/Jun/2015:10:18:27 -0400] conn=8 op=4 RESULT err=0 tag=101 nentries=1 etime=0
> [16/Jun/2015:10:18:27 -0400] conn=8 op=5 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
> [16/Jun/2015:10:18:27 -0400] conn=8 op=5 RESULT err=0 tag=120 nentries=0 etime=0
> [16/Jun/2015:10:18:27 -0400] conn=8 op=6 DEL dn="uid=onmaster,cn=users,cn=accounts,dc=bagam,dc=net"
> [16/Jun/2015:10:18:35 -0400] conn=8 op=6 RESULT err=1 tag=107 nentries=0 etime=8 csn=55802fcf000300040000
>
> because of DB failures to update.
> The failures were E_AGAIN or E_DB_DEADLOCK. In such situation, DS retries after a small delay.
> The problem is that it retried 50 times without success.
> [16/Jun/2015:10:18:34 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: retry (49) the transaction (csn=55802fcf000300040000) failed (rc=-30993 (BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock))
> [16/Jun/2015:10:18:34 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: failed to write entry with csn (55802fcf000300040000); db error - -30993 BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock
> [16/Jun/2015:10:18:34 -0400] NSMMReplicationPlugin - write_changelog_and_ruv: can't add a change for uid=onmaster,cn=users,cn=accounts,dc=bagam,dc=net (uniqid: b8242e18-143111e5-b1d0d0c3-ae5854ff, optype: 32) to changelog csn 55802fcf000300040000
> [16/Jun/2015:10:18:34 -0400] - SLAPI_PLUGIN_BE_TXN_POST_DELETE_FN plugin returned error code but did not set SLAPI_RESULT_CODE
>
> The MAIN issue here is that replica2 successfully applied other updates after 55802fcf000300040000 from the same replica (e.g. csn=55802fcf000400040000)
> I do not know if master was able to detect this failure and to replay this update. but I am afraid it did not !!
> It is looking like you hit https://fedorahosted.org/389/ticket/47788
> Is it possible to access your VM ?
>
> [16/Jun/2015:10:18:27 -0400] conn=8 op=6 DEL dn="uid=onmaster,cn=users,cn=accounts,dc=bagam,dc=net"
> [16/Jun/2015:10:18:35 -0400] conn=8 op=6 RESULT err=1 tag=107 nentries=0 etime=8 csn=55802fcf000300040000
> [16/Jun/2015:10:18:35 -0400] conn=8 op=7 MOD dn="cn=ipausers,cn=groups,cn=accounts,dc=bagam,dc=net"
> [16/Jun/2015:10:18:36 -0400] conn=8 op=7 RESULT err=0 tag=103 nentries=0 etime=1 csn=55802fcf000400040000
> [16/Jun/2015:10:18:36 -0400] conn=8 op=8 DEL dn="cn=onmaster,cn=groups,cn=accounts,dc=bagam,dc=net"
> [16/Jun/2015:10:18:37 -0400] conn=8 op=8 RESULT err=0 tag=107 nentries=0 etime=1 csn=55802fcf000700040000
> [16/Jun/2015:10:18:37 -0400] conn=8 op=9 MOD dn="cn=ipausers,cn=groups,cn=accounts,dc=bagam,dc=net"
> [16/Jun/2015:10:18:37 -0400] conn=8 op=9 RESULT err=0 tag=103 nentries=0 etime=0 csn=55802fd0000000060000
>
> On 06/16/2015 04:49 PM, Oleg Fayans wrote:
>> Hi all,
>>
>> I've bumped into a strange problem with only a part of changes implemented on master during replica outage get replicated after replica recovery.
>>
>> Namely: when I delete an existing user on the master while the node is offline, these changes do not get to the node when it's back online. User creation, however, gets replicated as expected.
>>
>> Steps to reproduce:
>>
>> 1. Create the following topology:
>>
>> replica1 <-> master <-> replica2 <-> replica3
>>
>> 2. Create user1 on master, make sure it appears on all replicas
>> 3. Turn off replica2
>> 4. On master delete user1 and create user2, make sure the changes get replicated to replica1
>> 5. Turn on replica2
>>
>> Expected results:
>>
>> A minute or so after replica2 is back up,
>> 1. user1 does not exist on either replica2 or replica3
>> 2. user2 exists both on replica2 and replica3
>>
>> Actual results:
>> 1. user1 coexists with user2 on replica2 and replica3
>> 2. master and replica1 have only user2
>>
>> In my case, though, the topology was as follows:
>> $ ipa topologysegment-find realm
>> ------------------
>> 3 segments matched
>> ------------------
>>   Segment name: f22master.bagam.net-to-f22replica3.bagam.net
>>   Left node: f22master.bagam.net
>>   Right node: f22replica3.bagam.net
>>   Connectivity: both
>>
>>   Segment name: replica1-to-replica2
>>   Left node: f22replica1.bagam.net
>>   Right node: f22replica2.bagam.net
>>   Connectivity: both
>>
>>   Segment name: replica2-to-master
>>   Left node: f22replica2.bagam.net
>>   Right node: f22master.bagam.net
>>   Connectivity: both
>> ----------------------------
>> Number of entries returned 3
>> ----------------------------
>> And I was turning off replica2, leaving replica1 offline, but that does not really matter.
>>
>> The dirsrv error message, most likely to be relevant is:
>> ------------------------------------------------------------
>> Consumer failed to replay change (uniqueid b8242e18-143111e5-b1d0d0c3-ae5854ff, CSN 55802fcf000300040000): Operations error (1). Will retry later
>> ------------------------------------------------------------
>>
>> I attach dirsrv error and access logs from all nodes, in case they could be useful

From ftweedal at redhat.com Wed Jun 17 10:26:34 2015
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Wed, 17 Jun 2015 20:26:34 +1000
Subject: [Freeipa-devel] with new cert profiles patches ipa-replica-prepare fails after update
In-Reply-To: <557AE2FA.3070004@redhat.com>
References: <55705AC8.4070502@redhat.com> <55793FC7.8010004@redhat.com> <20150612131852.GA29330@dhcp-40-8.bne.redhat.com> <557AE2FA.3070004@redhat.com>
Message-ID: <20150617102634.GK29330@dhcp-40-8.bne.redhat.com>

On Fri, Jun 12, 2015 at 03:47:38PM +0200, Petr Vobornik wrote:
> On 06/12/2015 03:18 PM, Fraser Tweedale wrote:
>> On Thu, Jun 11, 2015 at 09:59:03AM +0200, Martin Babinsky wrote:
>>> On 06/04/2015 04:03 PM, Petr Vobornik wrote:
>>>> - ipa-replica-prepare works
>>>> - old IPA server was upgraded to today's master (with Cert profiles patches)
>>>> - ipa-replica-prepare fails with:
>>>>
>>>> Log:
>>>>
>>>> ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
>>>> ipa: DEBUG: cert valid True for "CN=repl.example.com,O=EXAMPLE.COM"
>>>> ipa: DEBUG: handshake complete, peer = [beef::cafe]:8443
>>>> ipa: DEBUG: Protocol: TLS1.2
>>>> ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_128_GCM_SHA256
>>>> ipa: DEBUG: request status 200
>>>> ipa: DEBUG: request reason_phrase u'OK'
>>>> ipa: DEBUG: request headers {'date': 'Thu, 04 Jun 2015 13:54:09 GMT', 'content-length': '148', 'content-type': 'application/xml', 'server': 'Apache-Coyote/1.1'}
>>>> ipa: DEBUG: request body ' standalone="no"?>1Profile caIPAserviceCert Not Found'
>>>> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
>>>>     return_value = self.run()
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 338, in run
>>>>     self.copy_ds_certificate()
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 383, in copy_ds_certificate
>>>>     self.export_certdb("dscert", passwd_fname)
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 595, in export_certdb
>>>>     db.create_server_cert(nickname, hostname, ca_db)
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 337, in create_server_cert
>>>>     cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 419, in issue_server_cert
>>>>     raise RuntimeError("Certificate issuance failed")
>>>>
>>>
>>> Bump, I have also come across this issue (see log: http://pastebin.test.redhat.com/289434).
>>>
>>> --
>>> Martin^3 Babinsky
>>
>> It was reported to me that the issue was reproducible after upgrade from 4.1.4 to master, but I was not able to reproduce. Can anyone who has encountered it please:
>>
>> - state fedora version(s) affected and precise build of Dogtag
>> - provide ipaupgrade.log and /var/log/pki/pki-tomcat/ca/debug
>>
>> Thanks,
>> Fraser
>
> I see similar issue when creating a replica file from second replica/master, all git master. I.e. the prepare on first server obviously works.
>
> The error is different though:
>
> ipa: DEBUG: request status 200
> ipa: DEBUG: request reason_phrase u'OK'
> ipa: DEBUG: request headers {'date': 'Fri, 12 Jun 2015 13:46:32 GMT', 'content-length': '133', 'content-type': 'application/xml', 'server': 'Apache-Coyote/1.1'}
> ipa: DEBUG: request body ' standalone="no"?>1Invalid Credential.'
> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
>     return_value = self.run()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 338, in run
>     self.copy_ds_certificate()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 383, in copy_ds_certificate
>     self.export_certdb("dscert", passwd_fname)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 595, in export_certdb
>     db.create_server_cert(nickname, hostname, ca_db)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 337, in create_server_cert
>     cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 419, in issue_server_cert
>     raise RuntimeError("Certificate issuance failed")
>
> --
> Petr Vobornik

I spent some time debugging this issue today. It appears to be introduced by commit:

commit 2acedb2d5d4a4c0987c670e14eb04b8bd9ffc034
Author: David Kupka
Date:   Mon Jun 8 05:23:56 2015 +0000

    Move CA installation code into single module.

    https://fedorahosted.org/freeipa/ticket/4468

    Reviewed-By: Jan Cholasta

During the execution of ipa-replica-prepare, the RA cert (nickname "ipaCert") gets added to the /etc/httpd/alias/ NSSDB, but then removed somehow while executing http.create_instance(). I have not yet precisely identified the cause enough to fix it. Hopefully David or Honza can shed some light.

Cheers,
Fraser

From tbordaz at redhat.com Wed Jun 17 10:28:33 2015
From: tbordaz at redhat.com (thierry bordaz)
Date: Wed, 17 Jun 2015 12:28:33 +0200
Subject: [Freeipa-devel] update on freeipa 4.2 pki issues
In-Reply-To: <55810B1E.4070101@redhat.com>
References: <20150616163921.GI29330@dhcp-40-8.bne.redhat.com> <55810B1E.4070101@redhat.com>
Message-ID: <55814BD1.5060502@redhat.com>

Hello Fraser,

The schema is propagated on all replicas. So if you update the schema, the updates will be eventually present everywhere.
There are two ways to update the schema.

 * online update (preferred), you simply do a ldapmodify on 'cn=schema' adding/updating attributetypes/objectclasses
 * offline. You stop a replica/master, update the schema files, start the server. This is not the preferred solution because depending on version of DS it can take more time to detect the new schema and propagate it.

Do you know how CS schema upgrade will be done (online/offline) ?
Is it the new definitions http://www.freeipa.org/page/V4/Certificate_Profiles#Schema ?

Thanks
thierry

On 06/17/2015 07:52 AM, Martin Kosek wrote:
> On 06/16/2015 06:39 PM, Fraser Tweedale wrote:
>> I fixed several issues which broke Dogtag upgrades involving particular versions; these will be in the next release.
>>
>> I haven't yet gotten to the reported failure running ipa-replica-upgrade on a replica (but I haven't forgotten about it either.) This is the only issue affecting *fresh installs* that I am aware of. If you know of others please let me know!
>>
>> The remaining Dogtag-related upgrade problem is caused by new DS schema on the Dogtag side, which is used for LDAP-based profiles. There is not yet an automatic schema upgrade facility for Dogtag, so the new schema was missing.
>>
>> The planned approach is:
>>
>> - Either Dogtag or FreeIPA will add the new CS schema on upgrade. (Eventually Dogtag will need to manage its own schema updates but right now there is no facility, and the new schema is only used by IPA.)
>
> If possible, I would prefer Dogtag to update the schema the best it can, otherwise there is a risk of collisions or upgrade breakages if FreeIPA starts updating Dogtag internals.
>
>> - Migrate file-based profiles into LDAP during IPA upgrade. But for this to work, I need to make sure that if new schema is added, then entries that use the new schema, replication to instances that did not yet have the new schema will not break. Anyone who knows LDAP better than me, please share your knowledge!
>
> Shouldn't schema just replicate, when the first FreeIPA+CS is upgraded? CCing Thierry for reference, he had a lot of fun with schema upgrades.
>
>> - If my assumptions about replication are wrong, the best approach will probably be to have the administrator perform profile migration (via a script) as a later task, after all replicas have been upgraded.
>
> Not a fan of this, FreeIPA upgrades should be ideally automatic and straightforward. So far we did not have problems with automatic upgrades (well, except Dogtag9->Dogtag10 upgrade - I would prefer not to have such situation again).
>
> Thanks for updates!
> Martin

From ftweedal at redhat.com Wed Jun 17 10:31:17 2015
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Wed, 17 Jun 2015 20:31:17 +1000
Subject: [Freeipa-devel] FreeIPA 4.2 Alpha preparations
In-Reply-To: <55810BBE.1010906@redhat.com>
References: <557AA7AF.1070903@redhat.com> <55803C48.8010301@redhat.com> <20150616152944.GH29330@dhcp-40-8.bne.redhat.com> <55810BBE.1010906@redhat.com>
Message-ID: <20150617103117.GL29330@dhcp-40-8.bne.redhat.com>

On Wed, Jun 17, 2015 at 07:55:10AM +0200, Martin Kosek wrote:
> On 06/16/2015 05:29 PM, Fraser Tweedale wrote:
>> On Tue, Jun 16, 2015 at 05:10:00PM +0200, Martin Kosek wrote:
>>> On 06/12/2015 11:34 AM, Martin Kosek wrote:
>>>> Hello all,
>>>>
>>>> As discussed in the last 2 weeks, we are getting close to the 4.2 finish line and releasing FreeIPA 4.2 Alpha 1. We already have most of the major RFEs complete, some still miss some partial functionality, but most are testable and in Alpha state already.
>>>>
>>>> We need to now find out what is blocking us from releasing the Alpha. I know only about 2 issues:
>>>>
>>>> - ipa-replica-manage del does not work well with the Topology plugin yet - Petr Vobornik and Ludwig are working on it
>>>> - ipa-replica-prepare had some issues after upgrade from 4.1.x to 4.2.0 due to inaccessible certificate profiles - Jan, Martin2, Fraser was investigating
>>>>
>>>> Is that correct? Feature owners, please let me know if any of the major features regressed and is not working properly, maybe by other patch sets being merged.
>>>>
>>>> When the blockers are resolved or documented, we should release the beast. Any volunteer for the release process?
>>>>
>>>> Finally, I put together a release note draft for the Alpha, please help me completing and updating it:
>>>>
>>>> http://www.freeipa.org/page/Releases/4.2.0.alpha1
>>>>
>>>> Thanks everyone!
>>>
>>> I saw many fixes in Topology, that's good. I heard that pki-core 10.2.4 broke us, but I could not reproduce it today with fully updated F22 machine and I was able to install FreeIPA 4.2.git
>>>
>>> If this is the case, can we just release the Alpha?
>>
>> There are still some big brokens for upgrades. The fixes for pki are merged but there is no release yet.
>
> What is the ETA? It would be nice to have the fix for Alpha, the package can be built in the freeipa-4.2 COPR repo, together with the 4.2 Alpha release. If the ETA is too far, we may need to release Alpha regardless as there are some Test Days planned next week and upgrade is not required for such test days.

Based on people educating me about how LDAP replication works: tomorrow, hopefully. In any case, I'm glad to know that the test days will not be affected by upgrade issues.

>> I am only aware of one reported issue for new installations: ipa-replica-prepare failing when run on a replica (I haven't gotten to investigating this one yet).
>
> Right. This must be fixed before GA, but Alpha can live without it IMO.

I investigated this regression today - details are in another thread, but it appears to be introduced by a different change and I have requested comment from those more familiar with that change.

Thanks,
Fraser

From pspacek at redhat.com Wed Jun 17 10:54:19 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 17 Jun 2015 12:54:19 +0200
Subject: [Freeipa-devel] IPA Python API
In-Reply-To: <5581048F.7030800@redhat.com>
References: <55806B14.7030905@redhat.com> <5581048F.7030800@redhat.com>
Message-ID: <558151DB.8060603@redhat.com>

On 17.6.2015 07:24, Jan Cholasta wrote:
> On 16.6.2015 at 20:29, Drew Erny wrote:
>> Hi, All,
>>
>> I'm using the IPA Python API to write the Community Portal. Most of the documentation for using the IPA Python API is targeted at plugin authors, and this isn't a plugin for (what I think are) good reasons. I'm doing
>>
>> # in the main program
>> from ipalib import api
>> api.bootstrap(context="client")
>> api.finalize()
>> api.Backend.rpcclient.connect()
>
> Call
>
>     api.Backend.rpcclient.connect(ccache=krbV.default_context().default_ccache())
>
> to make the problem go away.

Is there a simple way how to get a reasonable error message ('not connected to IPA server' or so) here? Calling commands from Python should not be that hard to debug :-)

Petr^2 Spacek

>> # and then, inside of a separate class
>> api.Command.stageuser_add(...)
>>
>> Which is how doc/examples/python-api.py shows it.
>>
>> However, calling api.Command.stageuser_add(...) causes
>> AttributeError: No context.rpcclient_... in thread 'Thread-1'
>>
>> I think this is probably related to the fact that I haven't configured my program to connect to any particular IPA server, because before the program errors out, it prints:
>> ipa: INFO: Forwarding 'stageuser_add' to json server 'None'
>>
>> If the problem is the lack of a target server, as I suspect, how would I configure the program to connect to a particular IPA server? If this isn't caused by that, what could the causes be?

From ofayans at redhat.com Wed Jun 17 10:58:52 2015
From: ofayans at redhat.com (Oleg Fayans) Date: Wed, 17 Jun 2015 12:58:52 +0200 Subject: [Freeipa-devel] user deletion in offline mode does not get replicated after node recovery In-Reply-To: <558138B1.1070809@redhat.com> References: <55803767.5080906@redhat.com> <5580568A.2000404@redhat.com> <558138B1.1070809@redhat.com> Message-ID: <558152EC.2050005@redhat.com> Hi Ludwig, On 06/17/2015 11:06 AM, Ludwig Krispenz wrote: > Hi Oleg, > > can you give a bit more info on the scenarios when this happens. > Always or is it a timing problem ? I guess it is a timing problem. It happened yesterday, today I was unable to reproduce this. The scenario is very simple: create a user1, make sure it's there turn off a replica, then create another user on master and delete user1 on master, then turn replica back on. I still have an infrastructure with 2 replicas having a user that was deleted on master. Now all the user (and other data) manipulations on this very setup work as intended. > > Ludwig > > On 06/16/2015 07:02 PM, thierry bordaz wrote: >> Hello >> >> >> On Master: >> User 'onmaster' was deleted >> >> [16/Jun/2015:10:16:45 -0400] conn=402 op=19 SRCH >> base="cn=otp,dc=bagam,dc=net" scope=1 >> filter="(&(objectClass=ipatoken)(ipatokenOwner=uid=onmaster,cn=users,cn=accounts,dc=bagam,dc=net))" >> attrs="ipatokenNotAfter description ipatokenOwner objectClass >> ipatokenDisabled ipatokenVendor managedBy ipatokenModel >> ipatokenNotBefore ipatokenUniqueID ipatokenSerial" >> [16/Jun/2015:10:16:45 -0400] conn=402 op=19 RESULT err=0 tag=101 >> nentries=0 etime=0 >> [16/Jun/2015:10:16:45 -0400] conn=402 op=20 DEL >> dn="uid=onmaster,cn=users,cn=accounts,dc=bagam,dc=net" >> [16/Jun/2015:10:16:45 -0400] conn=402 op=21 UNBIND >> [16/Jun/2015:10:16:45 -0400] conn=402 op=21 fd=120 closed - U1 >> [16/Jun/2015:10:16:45 -0400] conn=402 op=20 RESULT err=0 tag=107 >> nentries=0 etime=0 csn=55802fcf000300040000 >> >> Replication agreement failed to replicate it to the replica2 >> 
[16/Jun/2015:10:18:36 -0400] NSMMReplicationPlugin - >> agmt="cn=f22master.bagam.net-to-f22replica2.bagam.net" >> (f22replica2:389): Consumer failed to replay change (uniqueid >> b8242e18-143111e5-b1d0d0c3-ae5854ff, CSN 55802fcf000300040000): >> Operations error (1). Will retry later. >> >> >> On replica2: >> >> The replicated operation failed >> [16/Jun/2015:10:18:27 -0400] conn=8 op=4 RESULT err=0 tag=101 >> nentries=1 etime=0 >> [16/Jun/2015:10:18:27 -0400] conn=8 op=5 EXT >> oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" >> [16/Jun/2015:10:18:27 -0400] conn=8 op=5 RESULT err=0 tag=120 >> nentries=0 etime=0 >> [16/Jun/2015:10:18:27 -0400] conn=8 op=6 DEL >> dn="uid=onmaster,cn=users,cn=accounts,dc=bagam,dc=net" >> [16/Jun/2015:10:18:35 -0400] conn=8 op=6 RESULT err=1 tag=107 >> nentries=0 etime=8 csn=55802fcf000300040000 >> >> because of DB failures to update. >> The failures were E_AGAIN or E_DB_DEADLOCK. In such situation, DS >> retries after a small delay. >> The problem is that it retried 50 times without success. 
>> [16/Jun/2015:10:18:34 -0400] NSMMReplicationPlugin - changelog >> program - _cl5WriteOperationTxn: retry (49) the transaction >> (csn=55802fcf000300040000) failed (rc=-30993 (BDB0068 >> DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock)) >> [16/Jun/2015:10:18:34 -0400] NSMMReplicationPlugin - changelog >> program - _cl5WriteOperationTxn: failed to write entry with csn >> (55802fcf000300040000); db error - -30993 BDB0068 DB_LOCK_DEADLOCK: >> Locker killed to resolve a deadlock >> [16/Jun/2015:10:18:34 -0400] NSMMReplicationPlugin - >> write_changelog_and_ruv: can't add a change for >> uid=onmaster,cn=users,cn=accounts,dc=bagam,dc=net (uniqid: >> b8242e18-143111e5-b1d0d0c3-ae5854ff, optype: 32) to changelog csn >> 55802fcf000300040000 >> [16/Jun/2015:10:18:34 -0400] - SLAPI_PLUGIN_BE_TXN_POST_DELETE_FN >> plugin returned error code but did not set SLAPI_RESULT_CODE >> >> >> The MAIN issue here is that replica2 successfully applied others >> updates after 55802fcf000300040000 from the same replica (e.g >> csn=55802fcf000400040000) >> I do not know if master was able to detect this failure and to replay >> this update. but I am afraid it did not !! >> It is looking like you hit https://fedorahosted.org/389/ticket/47788 >> Is it possible to access your VM ? 
>> >> [16/Jun/2015:10:18:27 -0400] conn=8 op=6 DEL >> dn="uid=onmaster,cn=users,cn=accounts,dc=bagam,dc=net" >> [16/Jun/2015:10:18:35 -0400] conn=8 op=6 RESULT err=1 tag=107 >> nentries=0 etime=8 csn=55802fcf000300040000 >> [16/Jun/2015:10:18:35 -0400] conn=8 op=7 MOD >> dn="cn=ipausers,cn=groups,cn=accounts,dc=bagam,dc=net" >> [16/Jun/2015:10:18:36 -0400] conn=8 op=7 RESULT err=0 tag=103 >> nentries=0 etime=1 csn=55802fcf000400040000 >> [16/Jun/2015:10:18:36 -0400] conn=8 op=8 DEL >> dn="cn=onmaster,cn=groups,cn=accounts,dc=bagam,dc=net" >> [16/Jun/2015:10:18:37 -0400] conn=8 op=8 RESULT err=0 tag=107 >> nentries=0 etime=1 csn=55802fcf000700040000 >> [16/Jun/2015:10:18:37 -0400] conn=8 op=9 MOD >> dn="cn=ipausers,cn=groups,cn=accounts,dc=bagam,dc=net" >> [16/Jun/2015:10:18:37 -0400] conn=8 op=9 RESULT err=0 tag=103 >> nentries=0 etime=0 csn=55802fd0000000060000 >> >> >> >> >> On 06/16/2015 04:49 PM, Oleg Fayans wrote: >>> Hi all, >>> >>> I've bumped into a strange problem with only a part of the changes >>> implemented on master during a replica outage getting replicated after >>> replica recovery. >>> >>> Namely: when I delete an existing user on the master while the node >>> is offline, these changes do not get to the node when it's back >>> online. User creation, however, gets replicated as expected. >>> >>> Steps to reproduce: >>> >>> 1. Create the following topology: >>> >>> replica1 <-> master <-> replica2 <-> replica3 >>> >>> 2. Create user1 on master, make sure it appears on all replicas >>> 3. Turn off replica2 >>> 4. On master delete user1 and create user2, make sure the changes >>> get replicated to replica1 >>> 5. Turn on replica2 >>> >>> Expected results: >>> >>> A minute or so after replica2 is back up, >>> 1. user1 exists neither on replica2 nor on replica3 >>> 2. user2 exists both on replica2 and replica3 >>> >>> Actual results: >>> 1. user1 coexists with user2 on replica2 and replica3 >>> 2. 
master and replica1 have only user2 >>> >>> >>> In my case, though, the topology was as follows: >>> $ ipa topologysegment-find realm >>> ------------------ >>> 3 segments matched >>> ------------------ >>> Segment name: f22master.bagam.net-to-f22replica3.bagam.net >>> Left node: f22master.bagam.net >>> Right node: f22replica3.bagam.net >>> Connectivity: both >>> >>> Segment name: replica1-to-replica2 >>> Left node: f22replica1.bagam.net >>> Right node: f22replica2.bagam.net >>> Connectivity: both >>> >>> Segment name: replica2-to-master >>> Left node: f22replica2.bagam.net >>> Right node: f22master.bagam.net >>> Connectivity: both >>> ---------------------------- >>> Number of entries returned 3 >>> ---------------------------- >>> And I was turning off replica2, leaving replica1 offline, but that >>> does not really matter. >>> >>> The dirsrv error message, most likely to be relevant is: >>> ----------------------------------------------------------------------------------------------------------------------------------------------------- >>> >>> Consumer failed to replay change (uniqueid >>> b8242e18-143111e5-b1d0d0c3-ae5854ff, CSN 55802fcf000300040000): >>> Operations error (1). Will retry later >>> ----------------------------------------------------------------------------------------------------------------------------------------------------- >>> >>> >>> I attach dirsrv error and access logs from all nodes, in case they >>> could be useful >>> >>> >>> >>> >>> >> >> >> > -- Oleg Fayans Quality Engineer FreeIPA team RedHat. -------------- next part -------------- An HTML attachment was scrubbed... URL: From ftweedal at redhat.com Wed Jun 17 11:09:11 2015 
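The failure pattern Thierry describes above (a replicated DEL returns err=1 on the consumer, and the consumer then applies later CSNs from the same supplier, so the failed change is silently skipped) can be spotted from the consumer's access log alone. The following is an added example, not 389-ds or FreeIPA code: it joins each RESULT line to the operation it answers, splits the CSN into its timestamp, sequence number, replica ID and subsequence fields, and reports every failed update that a later successful update from the same replica ID overtook. The sample input is the replica2 access-log excerpt quoted in this thread.

```python
"""Detect replicated updates that failed on a consumer and were then overtaken.

Added example, not 389-ds or FreeIPA code. Reads 389 Directory Server
access-log lines from a consumer and reports updates that ended in an
error while a later CSN from the same supplier replica ID was applied.
"""
import re
from collections import defaultdict

# Operation lines: "[ts] conn=N op=M DEL dn=..." (also ADD/MOD/MODRDN)
OP_RE = re.compile(
    r'^\[[^\]]+\] conn=(?P<conn>\d+) op=(?P<op>\d+) '
    r'(?P<kind>MODRDN|ADD|MOD|DEL) dn="(?P<dn>[^"]*)"'
)
# Result lines that carry a CSN, i.e. replicated (or replicable) updates
RESULT_RE = re.compile(
    r'^\[[^\]]+\] conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT '
    r'err=(?P<err>\d+) .*?csn=(?P<csn>[0-9a-f]{20})$'
)


def split_csn(csn):
    """A 389-ds CSN is 20 hex digits: timestamp(8) seq(4) replica-id(4) subseq(4).
    Returns (timestamp, seq, replica_id, subseq) as ints."""
    if len(csn) != 20:
        raise ValueError("CSN must be 20 hex digits: %r" % csn)
    return (int(csn[0:8], 16), int(csn[8:12], 16),
            int(csn[12:16], 16), int(csn[16:20], 16))


def parse_replicated_ops(lines):
    """One record per RESULT line with a CSN, joined to the op it answers."""
    pending = {}  # (conn, op) -> (kind, dn)
    records = []
    for line in lines:
        line = line.rstrip()
        m = OP_RE.match(line)
        if m:
            pending[(m.group('conn'), m.group('op'))] = (m.group('kind'), m.group('dn'))
            continue
        m = RESULT_RE.match(line)
        if not m:
            continue  # unbinds, searches, results without a CSN
        kind, dn = pending.pop((m.group('conn'), m.group('op')), ('?', '?'))
        records.append({'csn': m.group('csn'), 'err': int(m.group('err')),
                        'kind': kind, 'dn': dn})
    return records


def find_skipped_updates(lines):
    """Failed updates that a later successful CSN from the same replica ID overtook."""
    by_rid = defaultdict(list)
    for rec in parse_replicated_ops(lines):
        ts, seq, rid, sub = split_csn(rec['csn'])
        by_rid[rid].append(((ts, seq, sub), rec))
    skipped = []
    for rid, entries in by_rid.items():
        entries.sort(key=lambda e: e[0])  # CSN order within one supplier
        for i, (_key, rec) in enumerate(entries):
            if rec['err'] == 0:
                continue
            later_ok = next((r for _, r in entries[i + 1:] if r['err'] == 0), None)
            if later_ok is not None:
                skipped.append(dict(rec, replica_id=rid, overtaken_by=later_ok['csn']))
    return sorted(skipped, key=lambda r: r['csn'])


# Sample input: the replica2 access-log lines quoted in the thread.
SAMPLE_ACCESS_LOG = """\
[16/Jun/2015:10:18:27 -0400] conn=8 op=4 RESULT err=0 tag=101 nentries=1 etime=0
[16/Jun/2015:10:18:27 -0400] conn=8 op=6 DEL dn="uid=onmaster,cn=users,cn=accounts,dc=bagam,dc=net"
[16/Jun/2015:10:18:35 -0400] conn=8 op=6 RESULT err=1 tag=107 nentries=0 etime=8 csn=55802fcf000300040000
[16/Jun/2015:10:18:35 -0400] conn=8 op=7 MOD dn="cn=ipausers,cn=groups,cn=accounts,dc=bagam,dc=net"
[16/Jun/2015:10:18:36 -0400] conn=8 op=7 RESULT err=0 tag=103 nentries=0 etime=1 csn=55802fcf000400040000
[16/Jun/2015:10:18:36 -0400] conn=8 op=8 DEL dn="cn=onmaster,cn=groups,cn=accounts,dc=bagam,dc=net"
[16/Jun/2015:10:18:37 -0400] conn=8 op=8 RESULT err=0 tag=107 nentries=0 etime=1 csn=55802fcf000700040000
[16/Jun/2015:10:18:37 -0400] conn=8 op=9 MOD dn="cn=ipausers,cn=groups,cn=accounts,dc=bagam,dc=net"
[16/Jun/2015:10:18:37 -0400] conn=8 op=9 RESULT err=0 tag=103 nentries=0 etime=0 csn=55802fd0000000060000
"""

if __name__ == '__main__':
    for hit in find_skipped_updates(SAMPLE_ACCESS_LOG.splitlines()):
        print("%(kind)s %(dn)s csn=%(csn)s failed (err=%(err)d), "
              "replica %(replica_id)d went on with %(overtaken_by)s" % hit)
```

Run against the sample it flags the DEL of uid=onmaster (CSN 55802fcf000300040000, replica ID 4) as overtaken by 55802fcf000400040000; the op=9 result belongs to replica ID 6 and is not compared with it. Feed it the full access log of a consumer after an outage to list every entry whose state may now differ from the supplier's.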
From: ftweedal at redhat.com (Fraser Tweedale) Date: Wed, 17 Jun 2015 21:09:11 +1000 Subject: [Freeipa-devel] update on freeipa 4.2 pki issues In-Reply-To: <55814BD1.5060502@redhat.com> References: <20150616163921.GI29330@dhcp-40-8.bne.redhat.com> <55810B1E.4070101@redhat.com> <55814BD1.5060502@redhat.com> Message-ID: <20150617110911.GM29330@dhcp-40-8.bne.redhat.com> On Wed, Jun 17, 2015 at 12:28:33PM +0200, thierry bordaz wrote: > Hello Fraser, > > The schema is propagated on all replicas. So if you update the > schema, the updates will be eventually present everywhere. > There are two ways to update the schema. > > * online update (preferred), you simply do a ldapmodify on > 'cn=schema' adding/updating attributetypes/objectclasses > * offline. You stop a replica/master, update the schema files, > start the server. This is not the preferred solution because > depending on version of DS it can take more time to detect the > new schema and propagate it. > > Do you know how CS schema upgrade will be done (online/offline)? > Is it the new definitions > http://www.freeipa.org/page/V4/Certificate_Profiles#Schema ? > > Thanks > thierry > Thanks Thierry for your detailed reply! The schema is actually defined by Dogtag and is used only by the Dogtag directory tree (under DN o=ipa-ca). I will do an online update. Cheers, Fraser > On 06/17/2015 07:52 AM, Martin Kosek wrote: > >On 06/16/2015 06:39 PM, Fraser Tweedale wrote: > >>I fixed several issues which broke Dogtag upgrades involving > >>particular versions; these will be in the next release. > >> > >>I haven't yet gotten to the reported failure running > >>ipa-replica-upgrade on a replica (but I haven't forgotten about it > >>either.) This is the only issue affecting *fresh installs* that I > >>am aware of. If you know of others please let me know! > >> > >>The remaining Dogtag-related upgrade problem is caused by new DS > >>schema on the Dogtag side, which is used for LDAP-based profiles. 
> >>There is not yet an automatic schema upgrade facility for Dogtag, so > >>the new schema was missing. > >> > >>The planned approach is: > >> > >>- Either Dogtag or FreeIPA will add the new CS schema on upgrade. > >> (Eventually Dogtag will need to manage its own schema updates but > >> right now there is no facility, and the new schema is only used by > >> IPA.) > > > >If possible, I would prefer Dogtag to update the schema the best it can, > >otherwise there is a risk of collisions or upgrade breakages if FreeIPA > >starts updating Dogtag internals. > > > >>- Migrate file-based profiles into LDAP during IPA upgrade. But for > >> this to work, I need to make sure that if new schema is added, > >> then entries that use the new schema, replication to instances > >> that did not yet have the new schema will not break. Anyone who > >> knows LDAP better than me, please share your knowledge! > > > >Shouldn't schema just replicate, when the first FreeIPA+CS is upgraded? > >CCing Thierry for reference, he had a lot of fun with schema upgrades. > > > >> > >>- If my assumptions about replication are wrong, the best approach > >> will probably be to have the administrator perform profile > >> migration (via a script) as a later task, after all replicas have > >> been upgraded. > > > >Not a fan of this, FreeIPA upgrades should be ideally automatic and > >straightforward. So far we did not have problems with automatic upgrades > >(well, except Dogtag9->Dogtag10 upgrade - I would prefer not to have such > >situation again). > > > >Thanks for updates! > >Martin > From pspacek at redhat.com Wed Jun 17 11:26:37 2015 
From: pspacek at redhat.com (Petr Spacek) Date: Wed, 17 Jun 2015 13:26:37 +0200 Subject: [Freeipa-devel] [PATCHES 0252-0253] DNSSEC: allow to move DNSSEC key master to another IPA server In-Reply-To: <5580275F.1000106@redhat.com> References: <555CAFAC.2050803@redhat.com> <55717FD9.6010002@redhat.com> <5580275F.1000106@redhat.com> Message-ID: <5581596D.9080209@redhat.com> On 16.6.2015 15:40, Martin Basti wrote: > On 05/06/15 12:54, Petr Spacek wrote: >> On 20.5.2015 18:00, Martin Basti wrote: >>> This patch allows disabling the DNSSEC key master on an IPA server, or replacing >>> the current DNSSEC key master with another IPA server. >>> >>> Only for master branch. >>> >>> https://fedorahosted.org/freeipa/ticket/4657 >>> >>> Patches attached. >> NACK. This happens on DNSSEC key master: >> $ ipa-dns-install --disable-dnssec-master >> >> Do you want to disable current DNSSEC key master? [no]: yes >> Unexpected error - see /var/log/ipaserver-install.log for details: >> TypeError: sequence item 0: expected string, DNSName found >> >> 2015-06-05T10:52:35Z DEBUG File >> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line >> 733, in run_script >> return_value = main_function() >> >> File "/sbin/ipa-dns-install", line 128, in main >> dns_installer.disable_dnssec_master(options.unattended) >> >> File "/usr/lib/python2.7/site-packages/ipaserver/install/dns.py", line 112, >> in disable_dnssec_master >> ", ".join(dnssec_zones)) >> >> 2015-06-05T10:52:35Z DEBUG The ipa-dns-install command failed, exception: >> TypeError: sequence item 0: expected string, DNSName found >> > Updated patches attached. > > Due to new installers, more changes were required. Sorry, NACK, I'm not able to apply this patch set to current master (69607250b9762a6c9b657dd31653b03d54a7b411). -- Petr^2 Spacek From mbasti at redhat.com Wed Jun 17 11:37:28 2015 
From: mbasti at redhat.com (Martin Basti) Date: Wed, 17 Jun 2015 13:37:28 +0200 Subject: [Freeipa-devel] [PATCHES 0252-0253] DNSSEC: allow to move DNSSEC key master to another IPA server In-Reply-To: <5581596D.9080209@redhat.com> References: <555CAFAC.2050803@redhat.com> <55717FD9.6010002@redhat.com> <5580275F.1000106@redhat.com> <5581596D.9080209@redhat.com> Message-ID: <55815BF8.50202@redhat.com> On 17/06/15 13:26, Petr Spacek wrote: > On 16.6.2015 15:40, Martin Basti wrote: >> On 05/06/15 12:54, Petr Spacek wrote: >>> On 20.5.2015 18:00, Martin Basti wrote: >>>> This patch allows disabling the DNSSEC key master on an IPA server, or replacing >>>> the current DNSSEC key master with another IPA server. >>>> >>>> Only for master branch. >>>> >>>> https://fedorahosted.org/freeipa/ticket/4657 >>>> >>>> Patches attached. >>> NACK. This happens on DNSSEC key master: >>> $ ipa-dns-install --disable-dnssec-master >>> >>> Do you want to disable current DNSSEC key master? [no]: yes >>> Unexpected error - see /var/log/ipaserver-install.log for details: >>> TypeError: sequence item 0: expected string, DNSName found >>> >>> 2015-06-05T10:52:35Z DEBUG File >>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line >>> 733, in run_script >>> return_value = main_function() >>> >>> File "/sbin/ipa-dns-install", line 128, in main >>> dns_installer.disable_dnssec_master(options.unattended) >>> >>> File "/usr/lib/python2.7/site-packages/ipaserver/install/dns.py", line 112, >>> in disable_dnssec_master >>> ", ".join(dnssec_zones)) >>> >>> 2015-06-05T10:52:35Z DEBUG The ipa-dns-install command failed, exception: >>> TypeError: sequence item 0: expected string, DNSName found >>> >> Updated patches attached. >> >> Due to new installers, more changes were required. > Sorry, NACK, I'm not able to apply this patch set to current master > (69607250b9762a6c9b657dd31653b03d54a7b411). > Rebased patches attached. 
-- Martin Basti -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0252.3-DNSSEC-allow-to-disable-replace-DNSSEC-key-master.patch Type: text/x-patch Size: 27477 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0253.3-DNSSEC-update-message.patch Type: text/x-patch Size: 1050 bytes Desc: not available URL: From tbordaz at redhat.com Wed Jun 17 11:43:03 2015 
From: tbordaz at redhat.com (thierry bordaz) Date: Wed, 17 Jun 2015 13:43:03 +0200 Subject: [Freeipa-devel] update on freeipa 4.2 pki issues In-Reply-To: <20150617110911.GM29330@dhcp-40-8.bne.redhat.com> References: <20150616163921.GI29330@dhcp-40-8.bne.redhat.com> <55810B1E.4070101@redhat.com> <55814BD1.5060502@redhat.com> <20150617110911.GM29330@dhcp-40-8.bne.redhat.com> Message-ID: <55815D47.2060803@redhat.com> On 06/17/2015 01:09 PM, Fraser Tweedale wrote: > On Wed, Jun 17, 2015 at 12:28:33PM +0200, thierry bordaz wrote: >> Hello Fraser, >> >> The schema is propagated on all replicas. So if you update the >> schema, the updates will be eventually present everywhere. >> There are two ways to update the schema. >> >> * online update (preferred), you simply do a ldapmodify on >> 'cn=schema' adding/updating attributetypes/objectclasses >> * offline. You stop a replica/master, update the schema files, >> start the server. This is not the preferred solution because >> depending on version of DS it can take more time to detect the >> new schema and propagate it. >> >> Do you know how CS schema upgrade will be done (online/offline)? >> Is it the new definitions >> http://www.freeipa.org/page/V4/Certificate_Profiles#Schema ? >> >> Thanks >> thierry >> > Thanks Thierry for your detailed reply! The schema is actually > defined by Dogtag and is used only by the Dogtag directory tree > (under DN o=ipa-ca). I will do an online update. > > Cheers, > Fraser Hi Fraser, The schema is per DS instance so all suffixes will share the same schema. Now only o=ipaca entries will use the new definitions. During upgrade, if you do online update of 'cn=schema', the next update (on main suffix or o=ipaca) will trigger the replication of those definitions. The exact replication scenario of the schema depends on the version of DS but the definitions should eventually be present on all instances. 
You may check if the definitions are propagated on each instance with 'ldapsearch -h -p 389 -D "cn=directory manager" -w ... -b "cn=schema" attributetypes objectclasses'. I am not sure what the 'Migrate file-based profile' scenario is. Is it an import (ldif2db) of new profiles with entries containing new schema definitions? thanks thierry > >> On 06/17/2015 07:52 AM, Martin Kosek wrote: >>> On 06/16/2015 06:39 PM, Fraser Tweedale wrote: >>>> I fixed several issues which broke Dogtag upgrades involving >>>> particular versions; these will be in the next release. >>>> >>>> I haven't yet gotten to the reported failure running >>>> ipa-replica-upgrade on a replica (but I haven't forgotten about it >>>> either.) This is the only issue affecting *fresh installs* that I >>>> am aware of. If you know of others please let me know! >>>> >>>> The remaining Dogtag-related upgrade problem is caused by new DS >>>> schema on the Dogtag side, which is used for LDAP-based profiles. >>>> There is not yet an automatic schema upgrade facility for Dogtag, so >>>> the new schema was missing. >>>> >>>> The planned approach is: >>>> >>>> - Either Dogtag or FreeIPA will add the new CS schema on upgrade. >>>> (Eventually Dogtag will need to manage its own schema updates but >>>> right now there is no facility, and the new schema is only used by >>>> IPA.) >>> If possible, I would prefer Dogtag to update the schema the best it can, >>> otherwise there is a risk of collisions or upgrade breakages if FreeIPA >>> starts updating Dogtag internals. >>> >>>> - Migrate file-based profiles into LDAP during IPA upgrade. But for >>>> this to work, I need to make sure that if new schema is added, >>>> then entries that use the new schema, replication to instances >>>> that did not yet have the new schema will not break. Anyone who >>>> knows LDAP better than me, please share your knowledge! >>> Shouldn't schema just replicate, when the first FreeIPA+CS is upgraded? 
>>> CCing Thierry for reference, he had a lot of fun with schema upgrades. >>> >>>> - If my assumptions about replication are wrong, the best approach >>>> will probably be to have the administrator perform profile >>>> migration (via a script) as a later task, after all replicas have >>>> been upgraded. >>> Not a fan of this, FreeIPA upgrades should be ideally automatic and >>> straightforward. So far we did not have problems with automatic upgrades >>> (well, except Dogtag9->Dogtag10 upgrade - I would prefer not to have such >>> situation again). >>> >>> Thanks for updates! >>> Martin From pvoborni at redhat.com Wed Jun 17 12:00:09 2015 From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 17 Jun 2015 14:00:09 +0200 Subject: [Freeipa-devel] [PATCH] 878 topology: check topology in ipa-replica-manage del Message-ID: <55816149.30007@redhat.com> ipa-replica-manage del now: - checks the whole current topology(before deletion), reports issues - simulates deletion of server and checks the topology again, reports issues Asks admin if he wants to continue with the deletion if any errors are found. https://fedorahosted.org/freeipa/ticket/4302 -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0878-topology-check-topology-in-ipa-replica-manage-del.patch Type: text/x-patch Size: 7655 bytes Desc: not available URL: From pvoborni at redhat.com Wed Jun 17 12:04:41 2015 
From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 17 Jun 2015 14:04:41 +0200 Subject: [Freeipa-devel] [PATCH] 879 Verify replication topology for a suffix Message-ID: <55816259.5000502@redhat.com> With patch "878 topology: check topology in ipa-replica-manage del" we can use the same logic for POC of ipa topologysuffix-verify command. Checks done: 1. check if the topology is not disconnected. In other words if there are replication paths between all servers. 2. check if servers don't have more than a recommended number of replication agreements (which was set to 4) I'm not sure what else we want to test but these two seemed as low hanging fruit. Additional checks can be also added later. https://fedorahosted.org/freeipa/ticket/4302 -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0879-Verify-replication-topology-for-a-suffix.patch Type: text/x-patch Size: 6529 bytes Desc: not available URL: From lkrispen at redhat.com Wed Jun 17 12:15:53 2015 
From: lkrispen at redhat.com (Ludwig Krispenz) Date: Wed, 17 Jun 2015 14:15:53 +0200 Subject: [Freeipa-devel] [PATCH] 879 Verify replication topology for a suffix In-Reply-To: <55816259.5000502@redhat.com> References: <55816259.5000502@redhat.com> Message-ID: <558164F9.6050001@redhat.com> On 06/17/2015 02:04 PM, Petr Vobornik wrote: > With patch "878 topology: check topology in ipa-replica-manage del" > we can use the same logic for POC of > ipa topologysuffix-verify > command. > > Checks done: > 1. check if the topology is not disconnected. In other words if > there are replication paths between all servers. > 2. check if servers don't have more than a recommended number of > replication agreements (which was set to 4) > > I'm not sure what else we want to test but these two seemed as low > hanging fruit. I don't know how hard it is, but I had thought of calculating something like a "degree of connectivity", e.g. to find single points of failure. In a topology A <--> B <--> C <--> D, if B or C are down (temporarily) the topology is disconnected. If extending to A <--> B <--> C <--> D <--> A one server can be taken offline, so a brute force would be to check for each server if it could be removed. > Additional checks can be also added later. > > https://fedorahosted.org/freeipa/ticket/4302 > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From mbasti at redhat.com Wed Jun 17 12:28:04 2015 
From: mbasti at redhat.com (Martin Basti) Date: Wed, 17 Jun 2015 14:28:04 +0200 Subject: [Freeipa-devel] [PATCH 0266] ipa-ca-install fix: reconnect ldap2 after DS restart Message-ID: <558167D4.2020809@redhat.com> https://fedorahosted.org/freeipa/ticket/5064 Patch attached. -- Martin Basti -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0266-ipa-ca-install-fix-reconnect-ldap2-after-DS-restart.patch Type: text/x-patch Size: 1179 bytes Desc: not available URL: From ftweedal at redhat.com Wed Jun 17 13:06:59 2015 
From: ftweedal at redhat.com (Fraser Tweedale) Date: Wed, 17 Jun 2015 23:06:59 +1000 Subject: [Freeipa-devel] update on freeipa 4.2 pki issues In-Reply-To: <55815D47.2060803@redhat.com> References: <20150616163921.GI29330@dhcp-40-8.bne.redhat.com> <55810B1E.4070101@redhat.com> <55814BD1.5060502@redhat.com> <20150617110911.GM29330@dhcp-40-8.bne.redhat.com> <55815D47.2060803@redhat.com> Message-ID: <20150617130659.GN29330@dhcp-40-8.bne.redhat.com> On Wed, Jun 17, 2015 at 01:43:03PM +0200, thierry bordaz wrote: > On 06/17/2015 01:09 PM, Fraser Tweedale wrote: > >On Wed, Jun 17, 2015 at 12:28:33PM +0200, thierry bordaz wrote: > >>Hello Fraser, > >> > >> The schema is propagated on all replicas. So if you update the > >> schema, the updates will be eventually present everywhere. > >> There are two ways to update the schema. > >> > >> * online update (preferred), you simply do a ldapmodify on > >> 'cn=schema' adding/updating attributetypes/objectclasses > >> * offline. You stop a replica/master, update the schema files, > >> start the server. This is not the preferred solution because > >> depending on version of DS it can take more time to detect the > >> new schema and propagate it. > >> > >> Do you know how CS schema upgrade will be done (online/offline)? > >> Is it the new definitions > >> http://www.freeipa.org/page/V4/Certificate_Profiles#Schema ? > >> > >> Thanks > >> thierry > >> > >Thanks Thierry for your detailed reply! The schema is actually > >defined by Dogtag and is used only by the Dogtag directory tree > >(under DN o=ipa-ca). I will do an online update. > > > >Cheers, > >Fraser > > Hi Fraser, > > The schema is per DS instance so all suffixes will share the same schema. > Now only o=ipaca entries will use the new definitions. > > During upgrade, if you do online update of 'cn=schema', the next update (on > main suffix or o=ipaca) will trigger the replication of those definitions. 
> The exact replication scenario of the schema depends on the version of DS > but the definitions should eventually be present on all instances. > You may check if the definitions are propagated on each instance with > 'ldapsearch -h -p 389 -D "cn=directory manager" -w ... -b "cn=schema" > attributetypes objectclasses'. > > I am not sure what the 'Migrate file-based profile' scenario is. Is it an > import (ldif2db) of new profiles with entries containing new schema > definitions? > It is not a direct import via ldif2db(8), but in essence, yes - new entries are added which contain attributes defined in the new schema. Cheers, Fraser > thanks > thierry > > > >>On 06/17/2015 07:52 AM, Martin Kosek wrote: > >>>On 06/16/2015 06:39 PM, Fraser Tweedale wrote: > >>>>I fixed several issues which broke Dogtag upgrades involving > >>>>particular versions; these will be in the next release. > >>>> > >>>>I haven't yet gotten to the reported failure running > >>>>ipa-replica-upgrade on a replica (but I haven't forgotten about it > >>>>either.) This is the only issue affecting *fresh installs* that I > >>>>am aware of. If you know of others please let me know! > >>>> > >>>>The remaining Dogtag-related upgrade problem is caused by new DS > >>>>schema on the Dogtag side, which is used for LDAP-based profiles. > >>>>There is not yet an automatic schema upgrade facility for Dogtag, so > >>>>the new schema was missing. > >>>> > >>>>The planned approach is: > >>>> > >>>>- Either Dogtag or FreeIPA will add the new CS schema on upgrade. > >>>> (Eventually Dogtag will need to manage its own schema updates but > >>>> right now there is no facility, and the new schema is only used by > >>>> IPA.) > >>>If possible, I would prefer Dogtag to update the schema the best it can, > >>>otherwise there is a risk of collisions or upgrade breakages if FreeIPA > >>>starts updating Dogtag internals. > >>> > >>>>- Migrate file-based profiles into LDAP during IPA upgrade. 
But for > >>>> this to work, I need to make sure that if new schema is added, > >>>> then entries that use the new schema, replication to instances > >>>> that did not yet have the new schema will not break. Anyone who > >>>> knows LDAP better than me, please share your knowledge! > >>>Shouldn't schema just replicate, when the first FreeIPA+CS is upgraded? > >>>CCing Thierry for reference, he had a lot of fun with schema upgrades. > >>> > >>>>- If my assumptions about replication are wrong, the best approach > >>>> will probably be to have the administrator perform profile > >>>> migration (via a script) as a later task, after all replicas have > >>>> been upgraded. > >>>Not a fan of this, FreeIPA upgrades should be ideally automatic and > >>>straightforward. So far we did not have problems with automatic upgrades > >>>(well, except Dogtag9->Dogtag10 upgrade - I would prefer not to have such > >>>situation again). > >>> > >>>Thanks for updates! > >>>Martin > From ofayans at redhat.com Wed Jun 17 13:37:01 2015 
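Thierry's advice in this thread is to confirm, before migrating profile entries, that the new attribute types and object classes have reached every instance, by searching cn=schema on each one and comparing. The following is an added example, not FreeIPA or 389-ds code: it parses the LDIF such an ldapsearch prints (unfolding continuation lines), indexes every definition by its OID, and reports what the upgraded reference instance defines that another instance still lacks, which is exactly the situation where a replicated entry using the new schema would be rejected. The two LDIF samples are constructed for illustration with made-up OIDs under 1.3.6.1.4.1.99999; they are not the real Dogtag profile schema.

```python
"""Compare cn=schema across Directory Server instances.

Added example, not FreeIPA or 389-ds code. Parses the LDIF output of a
search on cn=schema for attributetypes/objectclasses and reports OIDs the
reference instance defines that another instance does not.
"""
import re

# A schema definition value starts with "( <numeric OID> "
DEF_RE = re.compile(r'^\(\s*(?P<oid>[0-9][0-9.]*)\s')
KINDS = {'attributetypes': 'attributeTypes', 'objectclasses': 'objectClasses'}


def unfold_ldif(text):
    """Join LDIF continuation lines (they begin with a single space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(' ') and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_schema(ldif_text):
    """Return {'attributeTypes': {oid: definition}, 'objectClasses': {oid: definition}}."""
    schema = {kind: {} for kind in KINDS.values()}
    for line in unfold_ldif(ldif_text):
        if line.startswith('#') or ':' not in line:
            continue
        attr, _, value = line.partition(':')
        kind = KINDS.get(attr.strip().lower())
        if kind is None:
            continue  # dn:, or an attribute we were not asked about
        value = value.strip()
        m = DEF_RE.match(value)
        if not m:
            raise ValueError("unparseable %s definition: %r" % (kind, value))
        schema[kind][m.group('oid')] = value
    return schema


def missing_definitions(reference, other):
    """OIDs defined on the reference instance that `other` lacks, per kind."""
    missing = {}
    for kind, defs in reference.items():
        gap = sorted(set(defs) - set(other.get(kind, {})))
        if gap:
            missing[kind] = gap
    return missing


def check_propagation(reference_ldif, instances):
    """instances: {hostname: ldif_text}. Returns {hostname: missing} for lagging hosts."""
    reference = parse_schema(reference_ldif)
    report = {}
    for host, ldif in instances.items():
        gap = missing_definitions(reference, parse_schema(ldif))
        if gap:
            report[host] = gap
    return report


# Constructed samples (made-up OIDs, not real schema): the upgraded
# instance already carries the new definitions, the lagging one does not.
UPGRADED_SCHEMA = """\
dn: cn=schema
attributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )
attributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'exampleProfileData'
  DESC 'constructed sample, not real schema'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
objectClasses: ( 1.3.6.1.4.1.99999.2.1 NAME 'exampleProfile' SUP top
  STRUCTURAL MUST ( cn ) MAY ( exampleProfileData ) )
"""
LAGGING_SCHEMA = """\
dn: cn=schema
attributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )
"""

if __name__ == '__main__':
    outcome = check_propagation(UPGRADED_SCHEMA,
                                {'replica1': UPGRADED_SCHEMA, 'replica2': LAGGING_SCHEMA})
    for host, gap in outcome.items():
        print(host, 'is missing', gap)
```

In practice, capture the search output from each instance to a file and pass the file contents as the `instances` values; an empty report means every instance has at least the reference's definitions and the profile entries can be added without tripping a schema violation on a lagging replica.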
From: ofayans at redhat.com (Oleg Fayans) Date: Wed, 17 Jun 2015 15:37:01 +0200 Subject: [Freeipa-devel] disabling topology segment has no effect Message-ID: <558177FD.8010602@redhat.com> Hi Ludwig, Petr, Presently I have noticed that disabling a segment, using `ipa topologysegment-mod realm replica1-to-replica2 --enabled=off` does not have any effect on the way the data is replicated. I mean that if we have the following topology: master <-> replica1 <-> replica2 and disable one of the segments, one would expect the changes implemented on master would not be replicated to other nodes (or do I misunderstand the concept of disabling a segment?). However, in reality any changes in master do get replicated despite the segment being disabled. Is it a correct behavior? The second question is: if disabled segments should not let the changes through, then we probably should implement a check for topology disconnection in a similar way as `ipa topologysegment-del` does. I mean, whenever a user tries to disable a segment, the plugin should probably check whether it disconnects any of the nodes. -- Oleg Fayans Quality Engineer FreeIPA team RedHat. From pvoborni at redhat.com Wed Jun 17 14:11:59 2015 
From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 17 Jun 2015 16:11:59 +0200 Subject: [Freeipa-devel] [PATCH] 879 Verify replication topology for a suffix In-Reply-To: <558164F9.6050001@redhat.com> References: <55816259.5000502@redhat.com> <558164F9.6050001@redhat.com> Message-ID: <5581802F.8040203@redhat.com> On 06/17/2015 02:15 PM, Ludwig Krispenz wrote: > > On 06/17/2015 02:04 PM, Petr Vobornik wrote: >> With patch "878 topology: check topology in ipa-replica-manage del" >> we can use the same logic for POC of >> ipa topologysuffix-verify >> command. >> >> Checks done: >> 1. check if the topology is not disconnected. In other words if >> there are replication paths between all servers. >> 2. check if servers don't have more than a recommended number of >> replication agreements (which was set to 4) >> >> I'm not sure what else we want to test but these two seemed as low >> hanging fruit. > don't know how hard it is, but I had thought of calculating something > like a "degree of connectivity", eg to find single points of failure. > In a topology A <--> B <--> C <--> D, if B or C are down (temporariliy) > the topology is disconnected. If extending to > A <--> B <--> C <--> D <--> A one server con be taken offline, so a > brute force would be to check for each server if it could be removed > The original POC(attached) of the graph traversal did such brute force check(only one server removed at a time). In other words, it's easy. Computing indegree and outdegree of each node is easy as well. >> Additional checks can be also added later. >> >> https://fedorahosted.org/freeipa/ticket/4302 >> -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: bfs.py Type: text/x-python Size: 3273 bytes Desc: not available URL: From lkrispen at redhat.com Wed Jun 17 14:15:25 2015 
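The checks discussed in this thread (is the topology connected, does any server exceed the recommended number of agreements, and Ludwig's single-point-of-failure idea of removing each server in turn) fit in a few dozen lines. The following is an added example; it is neither the FreeIPA topology plugin nor the bfs.py Petr attached. Segments are given as (left node, right node, connectivity) with connectivity 'both', 'left-right' or 'right-left', the shape `ipa topologysegment-find` prints, and the sample is the three-segment topology Oleg posted earlier on this page. The limit of 4 agreements is the recommended number quoted in the thread.

```python
"""Replication-topology checks of the kind ipa topologysuffix-verify is meant to do.

Added example; not the FreeIPA topology plugin and not Petr's bfs.py.
Builds the directed graph of replication agreements from topology
segments and checks connectivity, agreement counts and single points of
failure (each server taken offline in turn).
"""
from collections import deque

MAX_AGREEMENTS = 4  # recommended per-server limit mentioned in the thread
# connectivity -> (left has agreement to right, right has agreement to left)
CONNECTIVITY = {'both': (True, True), 'left-right': (True, False), 'right-left': (False, True)}


def build_graph(segments):
    """Return {server: set of servers it has an outbound agreement to}."""
    graph = {}
    for left, right, conn in segments:
        if conn not in CONNECTIVITY:
            raise ValueError("unknown connectivity %r for %s-%s" % (conn, left, right))
        graph.setdefault(left, set())
        graph.setdefault(right, set())
        to_right, to_left = CONNECTIVITY[conn]
        if to_right:
            graph[left].add(right)
        if to_left:
            graph[right].add(left)
    return graph


def reachable_from(graph, start, offline=frozenset()):
    """Breadth-first search along agreements, skipping offline servers."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph[node]:
            if nxt not in seen and nxt not in offline:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def is_connected(graph, offline=frozenset()):
    """True if every online server can replicate, transitively, to every other one."""
    online = set(graph) - set(offline)
    return all(reachable_from(graph, s, offline) >= online for s in online)


def overloaded_servers(graph, limit=MAX_AGREEMENTS):
    """Servers holding more outbound agreements than recommended."""
    return sorted(s for s, peers in graph.items() if len(peers) > limit)


def single_points_of_failure(graph):
    """Servers whose (temporary) outage leaves the remaining servers disconnected."""
    return sorted(s for s in graph if not is_connected(graph, {s}))


def verify_topology(segments):
    graph = build_graph(segments)
    return {'connected': is_connected(graph),
            'overloaded': overloaded_servers(graph),
            'single_points_of_failure': single_points_of_failure(graph)}


# Oleg's topology from the replication thread above: a chain
# replica1 - replica2 - master - replica3
SAMPLE_SEGMENTS = [
    ('f22master.bagam.net', 'f22replica3.bagam.net', 'both'),
    ('f22replica1.bagam.net', 'f22replica2.bagam.net', 'both'),
    ('f22replica2.bagam.net', 'f22master.bagam.net', 'both'),
]

if __name__ == '__main__':
    print(verify_topology(SAMPLE_SEGMENTS))
```

On the sample chain the topology is connected and nobody is overloaded, but both f22replica2 and f22master are single points of failure; closing the ring with one more segment between f22replica3 and f22replica1 removes both. A one-way segment ('left-right') is treated as what it is, a single agreement, so a chain of one-way segments is reported as disconnected.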
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Wed, 17 Jun 2015 16:15:25 +0200
Subject: [Freeipa-devel] disabling topology segment has no effect
In-Reply-To: <558177FD.8010602@redhat.com>
References: <558177FD.8010602@redhat.com>
Message-ID: <558180FD.8010407@redhat.com>

On 06/17/2015 03:37 PM, Oleg Fayans wrote:
> Hi Ludwig, Petr,
>
> Presently I have noticed that disabling a segment, using `ipa
> topologysegment-mod realm replica1-to-replica2
> --enabled=off` does not have effect on the way the data is replicated.
>
> I mean that if we have the following topology:
> master <-> replica1 <-> replica2
on which server did you apply the mod ?
> and disable one of the segments, one would expect the changes
> implemented on master would not be replicated to other nodes (or do I
> misunderstand the concept of disabling a segment?). However, in
> reality any changes in master do get replicated despite the segment is
> disabled.
>
> Is it a correct behavior?
>
> The second question is: if disabled segments should not let the
> changes through, then we probably should implement a check for
> topology disconnection in similar way as `ipa topologysegment-del`
> does. I mean, whenever a user tries to disable a segment, the plugin
> should probably check whether it disconnects any of the nodes.
well, I think disabling should be temporary, you want to disconnect for
some time. eg for debugging, not deleting the agreement completely, I
would allow this.

From npmccallum at redhat.com Wed Jun 17 14:26:12 2015
From: npmccallum at redhat.com (Nathaniel McCallum)
Date: Wed, 17 Jun 2015 10:26:12 -0400
Subject: [Freeipa-devel] [PATCH 0084] Fix OTP token URI generation
Message-ID: <1434551172.2815.3.camel@redhat.com>

Google Authenticator fails if the algorithm is not uppercase.

https://fedorahosted.org/freeipa/ticket/5047
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-npmccallum-0084-Fix-OTP-token-URI-generation.patch
Type: text/x-patch
Size: 1144 bytes
Desc: not available
URL: 

From simo at redhat.com Wed Jun 17 14:31:19 2015
From: simo at redhat.com (Simo Sorce)
Date: Wed, 17 Jun 2015 10:31:19 -0400
Subject: [Freeipa-devel] disabling topology segment has no effect
In-Reply-To: <558180FD.8010407@redhat.com>
References: <558177FD.8010602@redhat.com> <558180FD.8010407@redhat.com>
Message-ID: <1434551479.2716.36.camel@willson.usersys.redhat.com>

On Wed, 2015-06-17 at 16:15 +0200, Ludwig Krispenz wrote:
> On 06/17/2015 03:37 PM, Oleg Fayans wrote:
> > Hi Ludwig, Petr,
> >
> > Presently I have noticed that disabling a segment, using `ipa
> > topologysegment-mod realm replica1-to-replica2
> > --enabled=off` does not have effect on the way the data is replicated.
> >
> > I mean that if we have the following topology:
> > master <-> replica1 <-> replica2
> on which server did you apply the mod ?
> > and disable one of the segments, one would expect the changes
> > implemented on master would not be replicated to other nodes (or do I
> > misunderstand the concept of disabling a segment?). However, in
> > reality any changes in master do get replicated despite the segment is
> > disabled.
> >
> > Is it a correct behavior?
> >
> > The second question is: if disabled segments should not let the
> > changes through, then we probably should implement a check for
> > topology disconnection in similar way as `ipa topologysegment-del`
> > does. I mean, whenever a user tries to disable a segment, the plugin
> > should probably check whether it disconnects any of the nodes.
> well, I think disabling should be temporary, you want to disconnect for
> some time. eg for debugging, not deleting the agreement completely, I
> would allow this.

Too dangerous, I would honestly not even offer the option to disable anything via the framework for now.

Do we really want to allow an admin to cause split brains ?
If an admin forgets to re-enable a segment pretty quickly you get in a very undesirable state if that segment caused a split brain.
It may make sense if it were some time-based command, where you must enter a (short) time period for which the segment is disabled, so that it is re-enabled automatically when the window expires, but that is not something we are getting in the short term.

My 2c,
Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Wed Jun 17 14:44:34 2015
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 17 Jun 2015 10:44:34 -0400
Subject: [Freeipa-devel] [PATCH 0084] Fix OTP token URI generation
In-Reply-To: <1434551172.2815.3.camel@redhat.com>
References: <1434551172.2815.3.camel@redhat.com>
Message-ID: <1434552274.2716.40.camel@willson.usersys.redhat.com>

On Wed, 2015-06-17 at 10:26 -0400, Nathaniel McCallum wrote:
> Google Authenticator fails if the algorithm is not uppercase.
>
> https://fedorahosted.org/freeipa/ticket/5047

LGTM.

Simo.

From ofayans at redhat.com Wed Jun 17 14:46:15 2015
From: ofayans at redhat.com (Oleg Fayans)
Date: Wed, 17 Jun 2015 16:46:15 +0200
Subject: [Freeipa-devel] disabling topology segment has no effect
In-Reply-To: <558180FD.8010407@redhat.com>
References: <558177FD.8010602@redhat.com> <558180FD.8010407@redhat.com>
Message-ID: <55818837.10907@redhat.com>

Hi Ludwig,

On 06/17/2015 04:15 PM, Ludwig Krispenz wrote:
>
> On 06/17/2015 03:37 PM, Oleg Fayans wrote:
>> Hi Ludwig, Petr,
>>
>> Presently I have noticed that disabling a segment, using `ipa
>> topologysegment-mod realm replica1-to-replica2
>> --enabled=off` does not have effect on the way the data is replicated.
>>
>> I mean that if we have the following topology:
>> master <-> replica1 <-> replica2
> on which server did you apply the mod ?

On master. It reproduces though even in a situation with the topology

replica3 <-> master <-> replica1 <-> replica2

and you disable the replica1-replica2 segment on replica3 (quite expectedly)

>> and disable one of the segments, one would expect the changes
>> implemented on master would not be replicated to other nodes (or do I
>> misunderstand the concept of disabling a segment?). However, in
>> reality any changes in master do get replicated despite the segment
>> is disabled.
>>
>> Is it a correct behavior?
>>
>> The second question is: if disabled segments should not let the
>> changes through, then we probably should implement a check for
>> topology disconnection in similar way as `ipa topologysegment-del`
>> does. I mean, whenever a user tries to disable a segment, the plugin
>> should probably check whether it disconnects any of the nodes.
> well, I think disabling should be temporary, you want to disconnect
> for some time. eg for debugging, not deleting the agreement
> completely, I would allow this.
>
-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

From pvoborni at redhat.com Wed Jun 17 14:48:03 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 17 Jun 2015 16:48:03 +0200
Subject: [Freeipa-devel] [PATCH 0084] Fix OTP token URI generation
In-Reply-To: <1434552274.2716.40.camel@willson.usersys.redhat.com>
References: <1434551172.2815.3.camel@redhat.com> <1434552274.2716.40.camel@willson.usersys.redhat.com>
Message-ID: <558188A3.1020501@redhat.com>

On 06/17/2015 04:44 PM, Simo Sorce wrote:
> On Wed, 2015-06-17 at 10:26 -0400, Nathaniel McCallum wrote:
>> Google Authenticator fails if the algorithm is not uppercase.
>>
>> https://fedorahosted.org/freeipa/ticket/5047
>
> LGTM.
>
> Simo.
>

ACK

pushed to master:
* 4dfa23256dc2e35480843beef92e03b1bafd578b Fix OTP token URI generation

ipa-4-1:
* de7aed148623075d4fda7b3ecb46344cf2589b4a Fix OTP token URI generation
-- 
Petr Vobornik

From ofayans at redhat.com Wed Jun 17 14:49:57 2015
From: ofayans at redhat.com (Oleg Fayans)
Date: Wed, 17 Jun 2015 16:49:57 +0200
Subject: [Freeipa-devel] disabling topology segment has no effect
In-Reply-To: <1434551479.2716.36.camel@willson.usersys.redhat.com>
References: <558177FD.8010602@redhat.com> <558180FD.8010407@redhat.com> <1434551479.2716.36.camel@willson.usersys.redhat.com>
Message-ID: <55818915.8080305@redhat.com>

On 06/17/2015 04:31 PM, Simo Sorce wrote:
> On Wed, 2015-06-17 at 16:15 +0200, Ludwig Krispenz wrote:
>> On 06/17/2015 03:37 PM, Oleg Fayans wrote:
>>> Hi Ludwig, Petr,
>>>
>>> Presently I have noticed that disabling a segment, using `ipa
>>> topologysegment-mod realm replica1-to-replica2
>>> --enabled=off` does not have effect on the way the data is replicated.
>>>
>>> I mean that if we have the following topology:
>>> master <-> replica1 <-> replica2
>> on which server did you apply the mod ?
>>> and disable one of the segments, one would expect the changes
>>> implemented on master would not be replicated to other nodes (or do I
>>> misunderstand the concept of disabling a segment?). However, in
>>> reality any changes in master do get replicated despite the segment is
>>> disabled.
>>>
>>> Is it a correct behavior?
>>>
>>> The second question is: if disabled segments should not let the
>>> changes through, then we probably should implement a check for
>>> topology disconnection in similar way as `ipa topologysegment-del`
>>> does. I mean, whenever a user tries to disable a segment, the plugin
>>> should probably check whether it disconnects any of the nodes.
>> well, I think disabling should be temporary, you want to disconnect for
>> some time. eg for debugging, not deleting the agreement completely, I
>> would allow this.
> Too dangerous, I would honestly not even offer the option to disable
> anything via the framework for now.

+1

Anyway, if the feature does not work as expected for now, I would disable it rather than fixing it, as it's not a critical functionality for alpha.
>
> Do we really want to allow an admin to cause split brains ?
> If an admin forgets to re-enable a segment pretty quickly you get in a
> very undesirable state if that segment caused a split brain.
>
> It may make sense if it were some time-based command, where you must
> enter a (short) time period when the segment is disabled, so that it
> re-enabled automatically when the window expires, but that is not
> something we are getting in the short term.
>
> My 2c,
> Simo.
>

+1 for implementing time-based segment disabling.

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

From lkrispen at redhat.com Wed Jun 17 14:59:47 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Wed, 17 Jun 2015 16:59:47 +0200
Subject: [Freeipa-devel] disabling topology segment has no effect
In-Reply-To: <55818837.10907@redhat.com>
References: <558177FD.8010602@redhat.com> <558180FD.8010407@redhat.com> <55818837.10907@redhat.com>
Message-ID: <55818B63.9010505@redhat.com>

On 06/17/2015 04:46 PM, Oleg Fayans wrote:
> Hi Ludwig,
>
> On 06/17/2015 04:15 PM, Ludwig Krispenz wrote:
>>
>> On 06/17/2015 03:37 PM, Oleg Fayans wrote:
>>> Hi Ludwig, Petr,
>>>
>>> Presently I have noticed that disabling a segment, using `ipa
>>> topologysegment-mod realm replica1-to-replica2
>>> --enabled=off` does not have effect on the way the data is replicated.
>>>
>>> I mean that if we have the following topology:
>>> master <-> replica1 <-> replica2
>> on which server did you apply the mod ?
> On master.

just to be clear, you have master <-> replica1 <-> replica2
on master you disable replica1-replica2
why would you expect mods on master not to be replicated ? at least to replica1 ?
the disable should only affect the connection between r1 and r2.
There is one problem in this linear topology, the disable reaches r1, it disables the agmt to r2 and so fails to replicate the disable to r2.

> It reproduces though even in a situation with the topology
> replica3 <-> master <-> replica1 <-> replica2 and you disable the
> replica1-replica2 segment on replica3 (quite expectedly)
>>> and disable one of the segments, one would expect the changes
>>> implemented on master would not be replicated to other nodes (or do
>>> I misunderstand the concept of disabling a segment?). However, in
>>> reality any changes in master do get replicated despite the segment
>>> is disabled.
>>>
>>> Is it a correct behavior?
>>>
>>> The second question is: if disabled segments should not let the
>>> changes through, then we probably should implement a check for
>>> topology disconnection in similar way as `ipa topologysegment-del`
>>> does.
>>> I mean, whenever a user tries to disable a segment, the plugin
>>> should probably check whether it disconnects any of the nodes.
>> well, I think disabling should be temporary, you want to disconnect
>> for some time. eg for debugging, not deleting the agreement
>> completely, I would allow this.
>>
>

From ofayans at redhat.com Wed Jun 17 15:07:35 2015
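The linear-topology problem Ludwig describes above, as an added simulation (not FreeIPA or 389-ds code). The segment disable is an ordinary LDAP change that replicates only over agreements that are still enabled when it arrives; a server that has just disabled its own agreement for the segment can no longer forward the change to the peer on the far side. The topology names, the assumption that every segment is two-way, and the assumption that each server acts on the change as soon as it receives it are all constructed for the example.

```python
"""Constructed simulation of how a segment disable propagates.

Added example, not FreeIPA or 389-ds code. Assumptions: every segment is
two-way ("both"), each server drops its own outgoing agreement for the
disabled segment as soon as the change arrives, and the change then
travels only over agreements that are still enabled on that server.
"""
from collections import deque


def propagate_disable(segments, origin, disabled):
    """Simulate `ipa topologysegment-mod ... --enabled=off` run on `origin`.

    segments: list of (left, right) two-way segments
    disabled: (left, right) naming the segment being disabled
    Returns which servers received the change, which never did, and which
    side(s) of the disabled segment still have their agreement enabled."""
    left, right = disabled
    # each server's own outgoing agreements, all enabled at the start
    agreements = {}
    for a, b in segments:
        agreements.setdefault(a, set()).add(b)
        agreements.setdefault(b, set()).add(a)

    received = set()
    queue = deque([origin])
    while queue:
        server = queue.popleft()
        if server in received:
            continue
        received.add(server)
        # the plugin on this server acts on the change: drop its own
        # agreement for the disabled segment, if it is one of the endpoints
        if server == left:
            agreements[server].discard(right)
        elif server == right:
            agreements[server].discard(left)
        # the change replicates onward over whatever is still enabled here
        queue.extend(agreements[server] - received)

    # the inconsistent end state: endpoints whose agreement was never disabled
    still_enabled = []
    if right in agreements.get(left, set()):
        still_enabled.append((left, right))
    if left in agreements.get(right, set()):
        still_enabled.append((right, left))
    return {
        "received": received,
        "stranded": set(agreements) - received,
        "still_enabled": still_enabled,
    }


if __name__ == "__main__":
    # constructed topologies named after the thread
    chain = [("master", "replica3"), ("replica3", "replica2"), ("replica2", "replica1")]
    print("chain:", propagate_disable(chain, "master", ("replica3", "replica2")))
    ring = chain + [("replica1", "master")]
    print("ring: ", propagate_disable(ring, "master", ("replica3", "replica2")))
```

In the chain master-replica3-replica2-replica1 with the disable issued on master, replica3 drops its agreement to replica2 and the change stops there: replica2 and replica1 never see it, and replica2 keeps pushing over its still-enabled agreement to replica3. With a redundant path (the ring) the change reaches every server and both sides of the segment end up disabled, which is why a disconnection check before disabling, or a redundant topology, matters.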
From: ofayans at redhat.com (Oleg Fayans)
Date: Wed, 17 Jun 2015 17:07:35 +0200
Subject: [Freeipa-devel] disabling topology segment has no effect
In-Reply-To: <55818B63.9010505@redhat.com>
References: <558177FD.8010602@redhat.com> <558180FD.8010407@redhat.com> <55818837.10907@redhat.com> <55818B63.9010505@redhat.com>
Message-ID: <55818D37.7070006@redhat.com>

On 06/17/2015 04:59 PM, Ludwig Krispenz wrote:
>
> On 06/17/2015 04:46 PM, Oleg Fayans wrote:
>> Hi Ludwig,
>>
>> On 06/17/2015 04:15 PM, Ludwig Krispenz wrote:
>>>
>>> On 06/17/2015 03:37 PM, Oleg Fayans wrote:
>>>> Hi Ludwig, Petr,
>>>>
>>>> Presently I have noticed that disabling a segment, using `ipa
>>>> topologysegment-mod realm replica1-to-replica2
>>>> --enabled=off` does not have effect on the way the data is replicated.
>>>>
>>>> I mean that if we have the following topology:
>>>> master <-> replica1 <-> replica2
>>> on which server did you apply the mod ?
>> On master.
> just to be clear, you have master <-> replica1 <-> replica2
> on master you disable replica1-replica2
> why would you expect mods on master not to be replicated ? at least to
> replica1 ?
> the disable should only effect the connection between r1 and r2.
> There is one problem in this linear topology, the disable reaches r1,
> it disables the agmt to r2 and so fails to replicate the disable to r2.

To be precise, my topology is as follows

master <-> replica3 <-> replica2 <-> replica1

And I disabled the replica3 <-> replica2 segment. So I expected the changes on master to be only visible on master and replica3, but actually it kept replicating to all nodes.
root at f22replica1:/home/ofayans]$ ipa topologysegment-find realm
------------------
3 segments matched
------------------
Segment name: f22master.bagam.net-to-f22replica3.bagam.net
Left node: f22master.bagam.net
Right node: f22replica3.bagam.net
Connectivity: both

Segment name: replica1-to-replica2
Left node: f22replica1.bagam.net
Right node: f22replica2.bagam.net
Connectivity: both

Segment name: replica3-to-replica2
Left node: f22replica3.bagam.net
Right node: f22replica2.bagam.net
Connectivity: both
----------------------------
Number of entries returned 3
----------------------------
root at f22replica1:/home/ofayans]$ ipa topologysegment-show realm replica3-to-replica2
Segment name: replica3-to-replica2
Left node: f22replica3.bagam.net
Right node: f22replica2.bagam.net
Connectivity: both
Replication agreement enabled: off

>
>> It reproduces though even in a situation with the topology
>> replica3 <-> master <-> replica1 <-> replica2 and you disable the
>> replica1-replica2 segment on replica3 (quite expectedly)
>>>> and disable one of the segments, one would expect the changes
>>>> implemented on master would not be replicated to other nodes (or do
>>>> I misunderstand the concept of disabling a segment?). However, in
>>>> reality any changes in master do get replicated despite the segment
>>>> is disabled.
>>>>
>>>> Is it a correct behavior?
>>>>
>>>> The second question is: if disabled segments should not let the
>>>> changes through, then we probably should implement a check for
>>>> topology disconnection in similar way as `ipa topologysegment-del`
>>>> does. I mean, whenever a user tries to disable a segment, the
>>>> plugin should probably check whether it disconnects any of the nodes.
>>> well, I think disabling should be temporary, you want to disconnect
>>> for some time. eg for debugging, not deleting the agreement
>>> completely, I would allow this.
>>>
>>
>

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From lkrispen at redhat.com Wed Jun 17 15:13:54 2015 
From: lkrispen at redhat.com (Ludwig Krispenz) Date: Wed, 17 Jun 2015 17:13:54 +0200 Subject: [Freeipa-devel] disabling topology segment has no effect In-Reply-To: <55818D37.7070006@redhat.com> References: <558177FD.8010602@redhat.com> <558180FD.8010407@redhat.com> <55818837.10907@redhat.com> <55818B63.9010505@redhat.com> <55818D37.7070006@redhat.com> Message-ID: <55818EB2.2050608@redhat.com> Hi, On 06/17/2015 05:07 PM, Oleg Fayans wrote: > > > On 06/17/2015 04:59 PM, Ludwig Krispenz wrote: >> >> On 06/17/2015 04:46 PM, Oleg Fayans wrote: >>> Hi Ludwig, >>> >>> On 06/17/2015 04:15 PM, Ludwig Krispenz wrote: >>>> >>>> On 06/17/2015 03:37 PM, Oleg Fayans wrote: >>>>> Hi Ludwig, Petr, >>>>> >>>>> Presently I have noticed that disabling a segment, using `ipa >>>>> topologysegment-mod realm replica1-to-replica2 >>>>> --enabled=off` does not have effect on the way the data is >>>>> replicated. >>>>> >>>>> I mean that if we have the following tolopogy: >>>>> master <-> replica1 <-> replica2 >>>> on which server did you apply the mod ? >>> On master. >> just to be clear, you have master <-> replica1 <-> replica2 >> on master you disable replica1-replica2 >> why would you expect mods on master not to be replicated ? at least >> to replica1 ? >> the disable should only effect the connection between r1 and r2. >> There is one problem in this linear topology, the disable reaches r1, >> it disables the agmt to r2 and so fails to replicate the disable to r2. > > To be precise, my topology is as follows > > master <-> replica3 <-> replica2 <-> replica1 > And I disabled the replica3 <-> replica2. So I expected the changes on > master to be only visible on master and replica3, but actually it kept > replicating to all nodes. 
>
> root at f22replica1:/home/ofayans]$ ipa topologysegment-find realm
> ------------------
> 3 segments matched
> ------------------
> Segment name: f22master.bagam.net-to-f22replica3.bagam.net
> Left node: f22master.bagam.net
> Right node: f22replica3.bagam.net
> Connectivity: both
>
> Segment name: replica1-to-replica2
> Left node: f22replica1.bagam.net
> Right node: f22replica2.bagam.net
> Connectivity: both
>
> Segment name: replica3-to-replica2
> Left node: f22replica3.bagam.net
> Right node: f22replica2.bagam.net
> Connectivity: both
> ----------------------------
> Number of entries returned 3
> ----------------------------
> root at f22replica1:/home/ofayans]$ ipa topologysegment-show realm
> replica3-to-replica2
> Segment name: replica3-to-replica2
> Left node: f22replica3.bagam.net
> Right node: f22replica2.bagam.net
> Connectivity: both
> Replication agreement enabled: off

can you do a ldapsearch on cn=realm,cn=topology, ......

and on replica3 do a search -b "cn=config" "objectclass=nsds5replicationagreement"

would like to see the raw data.

>
>
>>
>>> It reproduces though even in a situation with the topology
>>> replica3 <-> master <-> replica1 <-> replica2 and you disable the
>>> replica1-replica2 segment on replica3 (quite expectedly)
>>>>> and disable one of the segments, one would expect the changes
>>>>> implemented on master would not be replicated to other nodes (or
>>>>> do I misunderstand the concept of disabling a segment?). However,
>>>>> in reality any changes in master do get replicated despite the
>>>>> segment is disabled.
>>>>>
>>>>> Is it a correct behavior?
>>>>>
>>>>> The second question is: if disabled segments should not let the
>>>>> changes through, then we probably should implement a check for
>>>>> topology disconnection in similar way as `ipa topologysegment-del`
>>>>> does. I mean, whenever a user tries to disable a segment, the
>>>>> plugin should probably check whether it disconnects any of the nodes.
>>>> well, I think disabling should be temporary, you want to disconnect
>>>> for some time. eg for debugging, not deleting the agreement
>>>> completely, I would allow this.
>>>>
>>>
>>
>

From ofayans at redhat.com Wed Jun 17 15:26:40 2015
From: ofayans at redhat.com (Oleg Fayans) Date: Wed, 17 Jun 2015 17:26:40 +0200 Subject: [Freeipa-devel] disabling topology segment has no effect In-Reply-To: <55818EB2.2050608@redhat.com> References: <558177FD.8010602@redhat.com> <558180FD.8010407@redhat.com> <55818837.10907@redhat.com> <55818B63.9010505@redhat.com> <55818D37.7070006@redhat.com> <55818EB2.2050608@redhat.com> Message-ID: <558191B0.6020304@redhat.com> Hi Ludwig, On 06/17/2015 05:13 PM, Ludwig Krispenz wrote: > Hi, > On 06/17/2015 05:07 PM, Oleg Fayans wrote: >> >> >> On 06/17/2015 04:59 PM, Ludwig Krispenz wrote: >>> >>> On 06/17/2015 04:46 PM, Oleg Fayans wrote: >>>> Hi Ludwig, >>>> >>>> On 06/17/2015 04:15 PM, Ludwig Krispenz wrote: >>>>> >>>>> On 06/17/2015 03:37 PM, Oleg Fayans wrote: >>>>>> Hi Ludwig, Petr, >>>>>> >>>>>> Presently I have noticed that disabling a segment, using `ipa >>>>>> topologysegment-mod realm replica1-to-replica2 >>>>>> --enabled=off` does not have effect on the way the data is >>>>>> replicated. >>>>>> >>>>>> I mean that if we have the following tolopogy: >>>>>> master <-> replica1 <-> replica2 >>>>> on which server did you apply the mod ? >>>> On master. >>> just to be clear, you have master <-> replica1 <-> replica2 >>> on master you disable replica1-replica2 >>> why would you expect mods on master not to be replicated ? at least >>> to replica1 ? >>> the disable should only effect the connection between r1 and r2. >>> There is one problem in this linear topology, the disable reaches >>> r1, it disables the agmt to r2 and so fails to replicate the >>> disable to r2. >> >> To be precise, my topology is as follows >> >> master <-> replica3 <-> replica2 <-> replica1 >> And I disabled the replica3 <-> replica2. So I expected the changes >> on master to be only visible on master and replica3, but actually it >> kept replicating to all nodes. 
>> >> root at f22replica1:/home/ofayans]$ ipa topologysegment-find realm >> ------------------ >> 3 segments matched >> ------------------ >> Segment name: f22master.bagam.net-to-f22replica3.bagam.net >> Left node: f22master.bagam.net >> Right node: f22replica3.bagam.net >> Connectivity: both >> >> Segment name: replica1-to-replica2 >> Left node: f22replica1.bagam.net >> Right node: f22replica2.bagam.net >> Connectivity: both >> >> Segment name: replica3-to-replica2 >> Left node: f22replica3.bagam.net >> Right node: f22replica2.bagam.net >> Connectivity: both >> ---------------------------- >> Number of entries returned 3 >> ---------------------------- >> root at f22replica1:/home/ofayans]$ ipa topologysegment-show realm >> replica3-to-replica2 >> Segment name: replica3-to-replica2 >> Left node: f22replica3.bagam.net >> Right node: f22replica2.bagam.net >> Connectivity: both >> Replication agreement enabled: off > can you do a ldapsearch on cn=realm,cn=topology, ...... $ ldapsearch -LLL -b "cn=realm,cn=topology,cn=ipa,cn=etc,dc=bagam,dc=net" -D "cn=Directory Manager" -w '' dn: cn=realm,cn=topology,cn=ipa,cn=etc,dc=bagam,dc=net cn: realm ipaReplTopoConfRoot: dc=bagam,dc=net objectClass: top objectClass: iparepltopoconf dn: cn=replica1-to-replica2,cn=realm,cn=topology,cn=ipa,cn=etc,dc=bagam,dc=net ipaReplTopoSegmentRightNode: f22replica2.bagam.net ipaReplTopoSegmentDirection: both cn: replica1-to-replica2 ipaReplTopoSegmentLeftNode: f22replica1.bagam.net objectClass: iparepltoposegment objectClass: top dn: cn=f22master.bagam.net-to-f22replica3.bagam.net,cn=realm,cn=topology,cn=ip a,cn=etc,dc=bagam,dc=net ipaReplTopoSegmentDirection: both objectClass: iparepltoposegment objectClass: top cn: f22master.bagam.net-to-f22replica3.bagam.net ipaReplTopoSegmentLeftNode: f22master.bagam.net ipaReplTopoSegmentRightNode: f22replica3.bagam.net ipaReplTopoSegmentStatus: autogen dn: cn=f22replica3.bagam.net-f22replica1.bagam.net,cn=realm,cn=topology,cn=ipa ,cn=etc,dc=bagam,dc=net 
objectClass: iparepltoposegment objectClass: top ipaReplTopoSegmentLeftNode: f22replica3.bagam.net cn: f22replica3.bagam.net-f22replica1.bagam.net ipaReplTopoSegmentDirection: both ipaReplTopoSegmentRightNode: f22replica1.bagam.net > > and on replica3 do a search -b "cn=config" > "objectclass=nsds5replicationagreement" $ ldapsearch -LLL -b "cn=config" "objectclass=nsds5replicationagreement" -D "cn=Directory Manager" -w '' dn: cn=f22replica3.bagam.net-to-f22replica1.bagam.net,cn=replica,cn=dc\3Dbagam \2Cdc\3Dnet,cn=mapping tree,cn=config objectClass: nsds5replicationagreement objectClass: ipaReplTopoManagedAgreement objectClass: top cn: f22replica3.bagam.net-to-f22replica1.bagam.net nsDS5ReplicaHost: f22replica1.bagam.net nsDS5ReplicaPort: 389 nsds5replicaTimeout: 300 nsDS5ReplicaRoot: dc=bagam,dc=net description: f22replica3.bagam.net to f22replica1.bagam.net ipaReplTopoManagedAgreementState: managed agreement - generated by topology pl ugin nsDS5ReplicaTransportInfo: LDAP nsDS5ReplicaBindMethod: SASL/GSSAPI nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount nsds5ReplicaStripAttrs: modifiersName modifyTimestamp internalModifiersName in ternalModifyTimestamp nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblasts uccessfulauth krblastfailedauth krbloginfailedcount nsds5replicareapactive: 0 nsds5replicaLastUpdateStart: 20150617151930Z nsds5replicaLastUpdateEnd: 20150617151930Z nsds5replicaChangesSentSinceStartup:: Njo1LzMyOSA0OjcvMCA= nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental upd ate succeeded nsds5replicaUpdateInProgress: FALSE nsds5replicaLastInitStart: 19700101000000Z nsds5replicaLastInitEnd: 19700101000000Z dn: cn=meTof22master.bagam.net,cn=replica,cn=dc\3Dbagam\2Cdc\3Dnet,cn=mapping tree,cn=config cn: meTof22master.bagam.net description: me to f22master.bagam.net ipaReplTopoManagedAgreementState: managed 
agreement - controlled by topology p lugin nsDS5ReplicaBindMethod: SASL/GSSAPI nsDS5ReplicaHost: f22master.bagam.net nsDS5ReplicaPort: 389 nsDS5ReplicaRoot: dc=bagam,dc=net nsDS5ReplicaTransportInfo: LDAP nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblasts uccessfulauth krblastfailedauth krbloginfailedcount nsds50ruv: {replicageneration} 557fdff1000000040000 nsds50ruv: {replica 4 ldap://f22master.bagam.net:389} 557fdffc000100040000 558 00f44000300040000 nsds50ruv: {replica 6 ldap://f22replica3.bagam.net:389} 55800e1b000000060000 5 5800f44000400060000 nsds50ruv: {replica 5 ldap://f22replica2.bagam.net:389} 557fed70000000050000 5 5800553000300050000 nsds50ruv: {replica 3 ldap://f22replica1.bagam.net:389} 557fdffa000000030000 5 58009b4000200030000 nsds5ReplicaStripAttrs: modifiersName modifyTimestamp internalModifiersName in ternalModifyTimestamp nsds5replicaTimeout: 120 nsruvReplicaLastModified: {replica 4 ldap://f22master.bagam.net:389} 00000000 nsruvReplicaLastModified: {replica 6 ldap://f22replica3.bagam.net:389} 0000000 0 nsruvReplicaLastModified: {replica 5 ldap://f22replica2.bagam.net:389} 0000000 0 nsruvReplicaLastModified: {replica 3 ldap://f22replica1.bagam.net:389} 0000000 0 objectClass: nsds5replicationagreement objectClass: top objectClass: ipaReplTopoManagedAgreement nsds5replicareapactive: 0 nsds5replicaLastUpdateStart: 20150617151930Z nsds5replicaLastUpdateEnd: 20150617151930Z nsds5replicaChangesSentSinceStartup:: Njo1LzMzNCA= nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental upd ate succeeded nsds5replicaUpdateInProgress: FALSE nsds5replicaLastInitStart: 19700101000000Z nsds5replicaLastInitEnd: 19700101000000Z dn: cn=cloneAgreement1-f22replica3.bagam.net-pki-tomcat,cn=replica,cn=o\3Dipac a,cn=mapping tree,cn=config cn: 
cloneAgreement1-f22replica3.bagam.net-pki-tomcat description: cloneAgreement1-f22replica3.bagam.net-pki-tomcat nsDS5ReplicaBindDN: cn=Replication Manager masterAgreement1-f22replica3.bagam. net-pki-tomcat,ou=csusers,cn=config nsDS5ReplicaBindMethod: Simple nsDS5ReplicaCredentials: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG RERBNEJDUTRZbVk0TUdFM1l5MHpZV1F4TTJFeg0KTnkwNE5HVXhNamczTmkxak1qSmtNalkwTndBQ 0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQmxGYWZ1U3ROY2pNbV J4NFNUc2pBcQ==}j+d3WWGnksSdSnVQ2S0irQ== nsDS5ReplicaHost: f22master.bagam.net nsDS5ReplicaPort: 389 nsDS5ReplicaRoot: o=ipaca nsDS5ReplicaTransportInfo: TLS nsds50ruv: {replicageneration} 557fe04c000000600000 nsds50ruv: {replica 96 ldap://f22master.bagam.net:389} 557fe05b000000600000 55 800ea7000000600000 nsds50ruv: {replica 86 ldap://f22replica3.bagam.net:389} 55800eb4000000560000 55800eb6000200560000 nsds50ruv: {replica 91 ldap://f22replica2.bagam.net:389} 557fede80000005b0000 557fedea0002005b0000 nsds50ruv: {replica 97 ldap://f22replica1.bagam.net:389} 557fe06c000000610000 557fe326000000610000 nsruvReplicaLastModified: {replica 96 ldap://f22master.bagam.net:389} 00000000 nsruvReplicaLastModified: {replica 86 ldap://f22replica3.bagam.net:389} 000000 00 nsruvReplicaLastModified: {replica 91 ldap://f22replica2.bagam.net:389} 000000 00 nsruvReplicaLastModified: {replica 97 ldap://f22replica1.bagam.net:389} 000000 00 objectClass: top objectClass: nsds5replicationagreement nsds5replicareapactive: 0 nsds5replicaLastUpdateStart: 20150617150850Z nsds5replicaLastUpdateEnd: 20150617150850Z nsds5replicaChangesSentSinceStartup: nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental upd ate succeeded nsds5replicaUpdateInProgress: FALSE nsds5replicaLastInitStart: 19700101000000Z nsds5replicaLastInitEnd: 19700101000000Z > > would like to see the raw data. 
>> >> >>> >>>> It reproduces though even in a situation with the topology >>>> replica3 <-> master <-> replica1 <-> replica2 and you disable the >>>> replica1-replica2 segment on replica3 (quite expectedly) >>>>>> and disable one of the segments, one would expect the changes >>>>>> implemented on master would not be replicated to other nodes (or >>>>>> do I misunderstand the concept of disabling a segment?). However, >>>>>> in reality any changes in master do get replicated despite the >>>>>> segment is disabled. >>>>>> >>>>>> Is it a correct behavior? >>>>>> >>>>>> The second question is: if disabled segments should not let the >>>>>> changes through, then we probably should implement a check for >>>>>> topology disconnection in similar way as `ipa >>>>>> topologysegment-del` does. I mean, whenever a user tries to >>>>>> disable a segment, the plugin should probably check whether it >>>>>> disconnects any of the nodes. >>>>> well, I think disabling should be temporary, you want to >>>>> disconnect for some time. eg for debugging, not deleting the >>>>> agreement completely, I would allow this. >>>>> >>>> >>> >> > -- Oleg Fayans Quality Engineer FreeIPA team RedHat. From lkrispen at redhat.com Wed Jun 17 15:34:15 2015 
From: lkrispen at redhat.com (Ludwig Krispenz) Date: Wed, 17 Jun 2015 17:34:15 +0200 Subject: [Freeipa-devel] disabling topology segment has no effect In-Reply-To: <558191B0.6020304@redhat.com> References: <558177FD.8010602@redhat.com> <558180FD.8010407@redhat.com> <55818837.10907@redhat.com> <55818B63.9010505@redhat.com> <55818D37.7070006@redhat.com> <55818EB2.2050608@redhat.com> <558191B0.6020304@redhat.com> Message-ID: <55819377.2000206@redhat.com> On 06/17/2015 05:26 PM, Oleg Fayans wrote: > Hi Ludwig, > > On 06/17/2015 05:13 PM, Ludwig Krispenz wrote: >> Hi, >> On 06/17/2015 05:07 PM, Oleg Fayans wrote: >>> >>> >>> On 06/17/2015 04:59 PM, Ludwig Krispenz wrote: >>>> >>>> On 06/17/2015 04:46 PM, Oleg Fayans wrote: >>>>> Hi Ludwig, >>>>> >>>>> On 06/17/2015 04:15 PM, Ludwig Krispenz wrote: >>>>>> >>>>>> On 06/17/2015 03:37 PM, Oleg Fayans wrote: >>>>>>> Hi Ludwig, Petr, >>>>>>> >>>>>>> Presently I have noticed that disabling a segment, using `ipa >>>>>>> topologysegment-mod realm replica1-to-replica2 >>>>>>> --enabled=off` does not have effect on the way the data is >>>>>>> replicated. >>>>>>> >>>>>>> I mean that if we have the following tolopogy: >>>>>>> master <-> replica1 <-> replica2 >>>>>> on which server did you apply the mod ? >>>>> On master. >>>> just to be clear, you have master <-> replica1 <-> replica2 >>>> on master you disable replica1-replica2 >>>> why would you expect mods on master not to be replicated ? at least >>>> to replica1 ? >>>> the disable should only effect the connection between r1 and r2. >>>> There is one problem in this linear topology, the disable reaches >>>> r1, it disables the agmt to r2 and so fails to replicate the >>>> disable to r2. >>> >>> To be precise, my topology is as follows >>> >>> master <-> replica3 <-> replica2 <-> replica1 >>> And I disabled the replica3 <-> replica2. So I expected the changes >>> on master to be only visible on master and replica3, but actually it >>> kept replicating to all nodes. 
>>> >>> root at f22replica1:/home/ofayans]$ ipa topologysegment-find realm >>> ------------------ >>> 3 segments matched >>> ------------------ >>> Segment name: f22master.bagam.net-to-f22replica3.bagam.net >>> Left node: f22master.bagam.net >>> Right node: f22replica3.bagam.net >>> Connectivity: both >>> >>> Segment name: replica1-to-replica2 >>> Left node: f22replica1.bagam.net >>> Right node: f22replica2.bagam.net >>> Connectivity: both >>> >>> Segment name: replica3-to-replica2 >>> Left node: f22replica3.bagam.net >>> Right node: f22replica2.bagam.net >>> Connectivity: both >>> ---------------------------- >>> Number of entries returned 3 >>> ---------------------------- >>> root at f22replica1:/home/ofayans]$ ipa topologysegment-show realm >>> replica3-to-replica2 >>> Segment name: replica3-to-replica2 >>> Left node: f22replica3.bagam.net >>> Right node: f22replica2.bagam.net >>> Connectivity: both >>> Replication agreement enabled: off >> can you do a ldapsearch on cn=realm,cn=topology, ...... 
> $ ldapsearch -LLL -b > "cn=realm,cn=topology,cn=ipa,cn=etc,dc=bagam,dc=net" -D "cn=Directory > Manager" -w '' > dn: cn=realm,cn=topology,cn=ipa,cn=etc,dc=bagam,dc=net > cn: realm > ipaReplTopoConfRoot: dc=bagam,dc=net > objectClass: top > objectClass: iparepltopoconf > > dn: > cn=replica1-to-replica2,cn=realm,cn=topology,cn=ipa,cn=etc,dc=bagam,dc=net > ipaReplTopoSegmentRightNode: f22replica2.bagam.net > ipaReplTopoSegmentDirection: both > cn: replica1-to-replica2 > ipaReplTopoSegmentLeftNode: f22replica1.bagam.net > objectClass: iparepltoposegment > objectClass: top replica1 - replica2 > > dn: > cn=f22master.bagam.net-to-f22replica3.bagam.net,cn=realm,cn=topology,cn=ip > a,cn=etc,dc=bagam,dc=net > ipaReplTopoSegmentDirection: both > objectClass: iparepltoposegment > objectClass: top > cn: f22master.bagam.net-to-f22replica3.bagam.net > ipaReplTopoSegmentLeftNode: f22master.bagam.net > ipaReplTopoSegmentRightNode: f22replica3.bagam.net > ipaReplTopoSegmentStatus: autogen master - replica3 > > dn: > cn=f22replica3.bagam.net-f22replica1.bagam.net,cn=realm,cn=topology,cn=ipa > ,cn=etc,dc=bagam,dc=net > objectClass: iparepltoposegment > objectClass: top > ipaReplTopoSegmentLeftNode: f22replica3.bagam.net > cn: f22replica3.bagam.net-f22replica1.bagam.net > ipaReplTopoSegmentDirection: both > ipaReplTopoSegmentRightNode: f22replica1.bagam.net replica3 - replica1 but this does not match your segment-find output, there is no segment replica2 - replica3 > >> >> and on replica3 do a search -b "cn=config" >> "objectclass=nsds5replicationagreement" > $ ldapsearch -LLL -b "cn=config" > "objectclass=nsds5replicationagreement" -D "cn=Directory Manager" -w > '' > dn: > cn=f22replica3.bagam.net-to-f22replica1.bagam.net,cn=replica,cn=dc\3Dbagam > \2Cdc\3Dnet,cn=mapping tree,cn=config > objectClass: nsds5replicationagreement > objectClass: ipaReplTopoManagedAgreement > objectClass: top > cn: f22replica3.bagam.net-to-f22replica1.bagam.net > nsDS5ReplicaHost: f22replica1.bagam.net > 
nsDS5ReplicaPort: 389 > nsds5replicaTimeout: 300 > nsDS5ReplicaRoot: dc=bagam,dc=net > description: f22replica3.bagam.net to f22replica1.bagam.net > ipaReplTopoManagedAgreementState: managed agreement - generated by > topology pl > ugin > nsDS5ReplicaTransportInfo: LDAP > nsDS5ReplicaBindMethod: SASL/GSSAPI > nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof > idnssoaserial > entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount > nsds5ReplicaStripAttrs: modifiersName modifyTimestamp > internalModifiersName in > ternalModifyTimestamp > nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn > krblasts > uccessfulauth krblastfailedauth krbloginfailedcount > nsds5replicareapactive: 0 > nsds5replicaLastUpdateStart: 20150617151930Z > nsds5replicaLastUpdateEnd: 20150617151930Z > nsds5replicaChangesSentSinceStartup:: Njo1LzMyOSA0OjcvMCA= > nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: > Incremental upd > ate succeeded > nsds5replicaUpdateInProgress: FALSE > nsds5replicaLastInitStart: 19700101000000Z > nsds5replicaLastInitEnd: 19700101000000Z > > dn: > cn=meTof22master.bagam.net,cn=replica,cn=dc\3Dbagam\2Cdc\3Dnet,cn=mapping > tree,cn=config > cn: meTof22master.bagam.net > description: me to f22master.bagam.net > ipaReplTopoManagedAgreementState: managed agreement - controlled by > topology p > lugin > nsDS5ReplicaBindMethod: SASL/GSSAPI > nsDS5ReplicaHost: f22master.bagam.net > nsDS5ReplicaPort: 389 > nsDS5ReplicaRoot: dc=bagam,dc=net > nsDS5ReplicaTransportInfo: LDAP > nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof > idnssoaserial > entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount > nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn > krblasts > uccessfulauth krblastfailedauth krbloginfailedcount > nsds50ruv: {replicageneration} 557fdff1000000040000 > nsds50ruv: {replica 4 ldap://f22master.bagam.net:389} > 557fdffc000100040000 558 > 00f44000300040000 > 
nsds50ruv: {replica 6 ldap://f22replica3.bagam.net:389} > 55800e1b000000060000 5 > 5800f44000400060000 > nsds50ruv: {replica 5 ldap://f22replica2.bagam.net:389} > 557fed70000000050000 5 > 5800553000300050000 > nsds50ruv: {replica 3 ldap://f22replica1.bagam.net:389} > 557fdffa000000030000 5 > 58009b4000200030000 > nsds5ReplicaStripAttrs: modifiersName modifyTimestamp > internalModifiersName in > ternalModifyTimestamp > nsds5replicaTimeout: 120 > nsruvReplicaLastModified: {replica 4 ldap://f22master.bagam.net:389} > 00000000 > nsruvReplicaLastModified: {replica 6 ldap://f22replica3.bagam.net:389} > 0000000 > 0 > nsruvReplicaLastModified: {replica 5 ldap://f22replica2.bagam.net:389} > 0000000 > 0 > nsruvReplicaLastModified: {replica 3 ldap://f22replica1.bagam.net:389} > 0000000 > 0 > objectClass: nsds5replicationagreement > objectClass: top > objectClass: ipaReplTopoManagedAgreement > nsds5replicareapactive: 0 > nsds5replicaLastUpdateStart: 20150617151930Z > nsds5replicaLastUpdateEnd: 20150617151930Z > nsds5replicaChangesSentSinceStartup:: Njo1LzMzNCA= > nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: > Incremental upd > ate succeeded > nsds5replicaUpdateInProgress: FALSE > nsds5replicaLastInitStart: 19700101000000Z > nsds5replicaLastInitEnd: 19700101000000Z > > dn: > cn=cloneAgreement1-f22replica3.bagam.net-pki-tomcat,cn=replica,cn=o\3Dipac > a,cn=mapping tree,cn=config > cn: cloneAgreement1-f22replica3.bagam.net-pki-tomcat > description: cloneAgreement1-f22replica3.bagam.net-pki-tomcat > nsDS5ReplicaBindDN: cn=Replication Manager > masterAgreement1-f22replica3.bagam. 
> net-pki-tomcat,ou=csusers,cn=config > nsDS5ReplicaBindMethod: Simple > nsDS5ReplicaCredentials: > {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG > RERBNEJDUTRZbVk0TUdFM1l5MHpZV1F4TTJFeg0KTnkwNE5HVXhNamczTmkxak1qSmtNalkwTndBQ > > 0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQmxGYWZ1U3ROY2pNbV > > J4NFNUc2pBcQ==}j+d3WWGnksSdSnVQ2S0irQ== > nsDS5ReplicaHost: f22master.bagam.net > nsDS5ReplicaPort: 389 > nsDS5ReplicaRoot: o=ipaca > nsDS5ReplicaTransportInfo: TLS > nsds50ruv: {replicageneration} 557fe04c000000600000 > nsds50ruv: {replica 96 ldap://f22master.bagam.net:389} > 557fe05b000000600000 55 > 800ea7000000600000 > nsds50ruv: {replica 86 ldap://f22replica3.bagam.net:389} > 55800eb4000000560000 > 55800eb6000200560000 > nsds50ruv: {replica 91 ldap://f22replica2.bagam.net:389} > 557fede80000005b0000 > 557fedea0002005b0000 > nsds50ruv: {replica 97 ldap://f22replica1.bagam.net:389} > 557fe06c000000610000 > 557fe326000000610000 > nsruvReplicaLastModified: {replica 96 ldap://f22master.bagam.net:389} > 00000000 > nsruvReplicaLastModified: {replica 86 > ldap://f22replica3.bagam.net:389} 000000 > 00 > nsruvReplicaLastModified: {replica 91 > ldap://f22replica2.bagam.net:389} 000000 > 00 > nsruvReplicaLastModified: {replica 97 > ldap://f22replica1.bagam.net:389} 000000 > 00 > objectClass: top > objectClass: nsds5replicationagreement > nsds5replicareapactive: 0 > nsds5replicaLastUpdateStart: 20150617150850Z > nsds5replicaLastUpdateEnd: 20150617150850Z > nsds5replicaChangesSentSinceStartup: > nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: > Incremental upd > ate succeeded > nsds5replicaUpdateInProgress: FALSE > nsds5replicaLastInitStart: 19700101000000Z > nsds5replicaLastInitEnd: 19700101000000Z > >> >> would like to see the raw data. 
>>> >>> >>>> >>>>> It reproduces though even in a situation with the topology >>>>> replica3 <-> master <-> replica1 <-> replica2 and you disable the >>>>> replica1-replica2 segment on replica3 (quite expectedly) >>>>>>> and disable one of the segments, one would expect the changes >>>>>>> implemented on master would not be replicated to other nodes (or >>>>>>> do I misunderstand the concept of disabling a segment?). >>>>>>> However, in reality any changes in master do get replicated >>>>>>> despite the segment is disabled. >>>>>>> >>>>>>> Is it a correct behavior? >>>>>>> >>>>>>> The second question is: if disabled segments should not let the >>>>>>> changes through, then we probably should implement a check for >>>>>>> topology disconnection in similar way as `ipa >>>>>>> topologysegment-del` does. I mean, whenever a user tries to >>>>>>> disable a segment, the plugin should probably check whether it >>>>>>> disconnects any of the nodes. >>>>>> well, I think disabling should be temporary, you want to >>>>>> disconnect for some time. eg for debugging, not deleting the >>>>>> agreement completely, I would allow this. >>>>>> >>>>> >>>> >>> >> > From ofayans at redhat.com Wed Jun 17 15:43:58 2015 
From: ofayans at redhat.com (Oleg Fayans) Date: Wed, 17 Jun 2015 17:43:58 +0200 Subject: [Freeipa-devel] disabling topology segment has no effect In-Reply-To: <55819377.2000206@redhat.com> References: <558177FD.8010602@redhat.com> <558180FD.8010407@redhat.com> <55818837.10907@redhat.com> <55818B63.9010505@redhat.com> <55818D37.7070006@redhat.com> <55818EB2.2050608@redhat.com> <558191B0.6020304@redhat.com> <55819377.2000206@redhat.com> Message-ID: <558195BE.3070403@redhat.com> On 06/17/2015 05:34 PM, Ludwig Krispenz wrote: > > On 06/17/2015 05:26 PM, Oleg Fayans wrote: >> Hi Ludwig, >> >> On 06/17/2015 05:13 PM, Ludwig Krispenz wrote: >>> Hi, >>> On 06/17/2015 05:07 PM, Oleg Fayans wrote: >>>> >>>> >>>> On 06/17/2015 04:59 PM, Ludwig Krispenz wrote: >>>>> >>>>> On 06/17/2015 04:46 PM, Oleg Fayans wrote: >>>>>> Hi Ludwig, >>>>>> >>>>>> On 06/17/2015 04:15 PM, Ludwig Krispenz wrote: >>>>>>> >>>>>>> On 06/17/2015 03:37 PM, Oleg Fayans wrote: >>>>>>>> Hi Ludwig, Petr, >>>>>>>> >>>>>>>> Presently I have noticed that disabling a segment, using `ipa >>>>>>>> topologysegment-mod realm replica1-to-replica2 >>>>>>>> --enabled=off` does not have effect on the way the data is >>>>>>>> replicated. >>>>>>>> >>>>>>>> I mean that if we have the following tolopogy: >>>>>>>> master <-> replica1 <-> replica2 >>>>>>> on which server did you apply the mod ? >>>>>> On master. >>>>> just to be clear, you have master <-> replica1 <-> replica2 >>>>> on master you disable replica1-replica2 >>>>> why would you expect mods on master not to be replicated ? at >>>>> least to replica1 ? >>>>> the disable should only effect the connection between r1 and r2. >>>>> There is one problem in this linear topology, the disable reaches >>>>> r1, it disables the agmt to r2 and so fails to replicate the >>>>> disable to r2. >>>> >>>> To be precise, my topology is as follows >>>> >>>> master <-> replica3 <-> replica2 <-> replica1 >>>> And I disabled the replica3 <-> replica2. 
So I expected the changes >>>> on master to be only visible on master and replica3, but actually >>>> it kept replicating to all nodes. >>>> >>>> root at f22replica1:/home/ofayans]$ ipa topologysegment-find realm >>>> ------------------ >>>> 3 segments matched >>>> ------------------ >>>> Segment name: f22master.bagam.net-to-f22replica3.bagam.net >>>> Left node: f22master.bagam.net >>>> Right node: f22replica3.bagam.net >>>> Connectivity: both >>>> >>>> Segment name: replica1-to-replica2 >>>> Left node: f22replica1.bagam.net >>>> Right node: f22replica2.bagam.net >>>> Connectivity: both >>>> >>>> Segment name: replica3-to-replica2 >>>> Left node: f22replica3.bagam.net >>>> Right node: f22replica2.bagam.net >>>> Connectivity: both >>>> ---------------------------- >>>> Number of entries returned 3 >>>> ---------------------------- >>>> root at f22replica1:/home/ofayans]$ ipa topologysegment-show realm >>>> replica3-to-replica2 >>>> Segment name: replica3-to-replica2 >>>> Left node: f22replica3.bagam.net >>>> Right node: f22replica2.bagam.net >>>> Connectivity: both >>>> Replication agreement enabled: off >>> can you do a ldapsearch on cn=realm,cn=topology, ...... 
>> $ ldapsearch -LLL -b >> "cn=realm,cn=topology,cn=ipa,cn=etc,dc=bagam,dc=net" -D "cn=Directory >> Manager" -w '' >> dn: cn=realm,cn=topology,cn=ipa,cn=etc,dc=bagam,dc=net >> cn: realm >> ipaReplTopoConfRoot: dc=bagam,dc=net >> objectClass: top >> objectClass: iparepltopoconf >> >> dn: >> cn=replica1-to-replica2,cn=realm,cn=topology,cn=ipa,cn=etc,dc=bagam,dc=net >> ipaReplTopoSegmentRightNode: f22replica2.bagam.net >> ipaReplTopoSegmentDirection: both >> cn: replica1-to-replica2 >> ipaReplTopoSegmentLeftNode: f22replica1.bagam.net >> objectClass: iparepltoposegment >> objectClass: top > replica1 - replica2 >> >> dn: >> cn=f22master.bagam.net-to-f22replica3.bagam.net,cn=realm,cn=topology,cn=ip >> a,cn=etc,dc=bagam,dc=net >> ipaReplTopoSegmentDirection: both >> objectClass: iparepltoposegment >> objectClass: top >> cn: f22master.bagam.net-to-f22replica3.bagam.net >> ipaReplTopoSegmentLeftNode: f22master.bagam.net >> ipaReplTopoSegmentRightNode: f22replica3.bagam.net >> ipaReplTopoSegmentStatus: autogen > master - replica3 >> >> dn: >> cn=f22replica3.bagam.net-f22replica1.bagam.net,cn=realm,cn=topology,cn=ipa >> ,cn=etc,dc=bagam,dc=net >> objectClass: iparepltoposegment >> objectClass: top >> ipaReplTopoSegmentLeftNode: f22replica3.bagam.net >> cn: f22replica3.bagam.net-f22replica1.bagam.net >> ipaReplTopoSegmentDirection: both >> ipaReplTopoSegmentRightNode: f22replica1.bagam.net > replica3 - replica1 > but this does not match your segment-find output, there is no segment > replica2 - replica3 You know what, this is because I did ldapsearch on replica3, while I posted the results of topologysegment-find run on replica1. 
But this means that there is a breakage in the replication between replica1 and the rest of topology (the result of topologysegment-find is the same across master-replica2-replica3 and different on replica1) >> >>> >>> and on replica3 do a search -b "cn=config" >>> "objectclass=nsds5replicationagreement" >> $ ldapsearch -LLL -b "cn=config" >> "objectclass=nsds5replicationagreement" -D "cn=Directory Manager" -w >> '' >> dn: >> cn=f22replica3.bagam.net-to-f22replica1.bagam.net,cn=replica,cn=dc\3Dbagam >> \2Cdc\3Dnet,cn=mapping tree,cn=config >> objectClass: nsds5replicationagreement >> objectClass: ipaReplTopoManagedAgreement >> objectClass: top >> cn: f22replica3.bagam.net-to-f22replica1.bagam.net >> nsDS5ReplicaHost: f22replica1.bagam.net >> nsDS5ReplicaPort: 389 >> nsds5replicaTimeout: 300 >> nsDS5ReplicaRoot: dc=bagam,dc=net >> description: f22replica3.bagam.net to f22replica1.bagam.net >> ipaReplTopoManagedAgreementState: managed agreement - generated by >> topology pl >> ugin >> nsDS5ReplicaTransportInfo: LDAP >> nsDS5ReplicaBindMethod: SASL/GSSAPI >> nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof >> idnssoaserial >> entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount >> nsds5ReplicaStripAttrs: modifiersName modifyTimestamp >> internalModifiersName in >> ternalModifyTimestamp >> nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn >> krblasts >> uccessfulauth krblastfailedauth krbloginfailedcount >> nsds5replicareapactive: 0 >> nsds5replicaLastUpdateStart: 20150617151930Z >> nsds5replicaLastUpdateEnd: 20150617151930Z >> nsds5replicaChangesSentSinceStartup:: Njo1LzMyOSA0OjcvMCA= >> nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: >> Incremental upd >> ate succeeded >> nsds5replicaUpdateInProgress: FALSE >> nsds5replicaLastInitStart: 19700101000000Z >> nsds5replicaLastInitEnd: 19700101000000Z >> >> dn: >> cn=meTof22master.bagam.net,cn=replica,cn=dc\3Dbagam\2Cdc\3Dnet,cn=mapping >> tree,cn=config >> 
cn: meTof22master.bagam.net >> description: me to f22master.bagam.net >> ipaReplTopoManagedAgreementState: managed agreement - controlled by >> topology p >> lugin >> nsDS5ReplicaBindMethod: SASL/GSSAPI >> nsDS5ReplicaHost: f22master.bagam.net >> nsDS5ReplicaPort: 389 >> nsDS5ReplicaRoot: dc=bagam,dc=net >> nsDS5ReplicaTransportInfo: LDAP >> nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof >> idnssoaserial >> entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount >> nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn >> krblasts >> uccessfulauth krblastfailedauth krbloginfailedcount >> nsds50ruv: {replicageneration} 557fdff1000000040000 >> nsds50ruv: {replica 4 ldap://f22master.bagam.net:389} >> 557fdffc000100040000 558 >> 00f44000300040000 >> nsds50ruv: {replica 6 ldap://f22replica3.bagam.net:389} >> 55800e1b000000060000 5 >> 5800f44000400060000 >> nsds50ruv: {replica 5 ldap://f22replica2.bagam.net:389} >> 557fed70000000050000 5 >> 5800553000300050000 >> nsds50ruv: {replica 3 ldap://f22replica1.bagam.net:389} >> 557fdffa000000030000 5 >> 58009b4000200030000 >> nsds5ReplicaStripAttrs: modifiersName modifyTimestamp >> internalModifiersName in >> ternalModifyTimestamp >> nsds5replicaTimeout: 120 >> nsruvReplicaLastModified: {replica 4 ldap://f22master.bagam.net:389} >> 00000000 >> nsruvReplicaLastModified: {replica 6 >> ldap://f22replica3.bagam.net:389} 0000000 >> 0 >> nsruvReplicaLastModified: {replica 5 >> ldap://f22replica2.bagam.net:389} 0000000 >> 0 >> nsruvReplicaLastModified: {replica 3 >> ldap://f22replica1.bagam.net:389} 0000000 >> 0 >> objectClass: nsds5replicationagreement >> objectClass: top >> objectClass: ipaReplTopoManagedAgreement >> nsds5replicareapactive: 0 >> nsds5replicaLastUpdateStart: 20150617151930Z >> nsds5replicaLastUpdateEnd: 20150617151930Z >> nsds5replicaChangesSentSinceStartup:: Njo1LzMzNCA= >> nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: >> Incremental upd >> ate succeeded 
>> nsds5replicaUpdateInProgress: FALSE >> nsds5replicaLastInitStart: 19700101000000Z >> nsds5replicaLastInitEnd: 19700101000000Z >> >> dn: >> cn=cloneAgreement1-f22replica3.bagam.net-pki-tomcat,cn=replica,cn=o\3Dipac >> a,cn=mapping tree,cn=config >> cn: cloneAgreement1-f22replica3.bagam.net-pki-tomcat >> description: cloneAgreement1-f22replica3.bagam.net-pki-tomcat >> nsDS5ReplicaBindDN: cn=Replication Manager >> masterAgreement1-f22replica3.bagam. >> net-pki-tomcat,ou=csusers,cn=config >> nsDS5ReplicaBindMethod: Simple >> nsDS5ReplicaCredentials: >> {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG >> RERBNEJDUTRZbVk0TUdFM1l5MHpZV1F4TTJFeg0KTnkwNE5HVXhNamczTmkxak1qSmtNalkwTndBQ >> >> 0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQmxGYWZ1U3ROY2pNbV >> >> J4NFNUc2pBcQ==}j+d3WWGnksSdSnVQ2S0irQ== >> nsDS5ReplicaHost: f22master.bagam.net >> nsDS5ReplicaPort: 389 >> nsDS5ReplicaRoot: o=ipaca >> nsDS5ReplicaTransportInfo: TLS >> nsds50ruv: {replicageneration} 557fe04c000000600000 >> nsds50ruv: {replica 96 ldap://f22master.bagam.net:389} >> 557fe05b000000600000 55 >> 800ea7000000600000 >> nsds50ruv: {replica 86 ldap://f22replica3.bagam.net:389} >> 55800eb4000000560000 >> 55800eb6000200560000 >> nsds50ruv: {replica 91 ldap://f22replica2.bagam.net:389} >> 557fede80000005b0000 >> 557fedea0002005b0000 >> nsds50ruv: {replica 97 ldap://f22replica1.bagam.net:389} >> 557fe06c000000610000 >> 557fe326000000610000 >> nsruvReplicaLastModified: {replica 96 ldap://f22master.bagam.net:389} >> 00000000 >> nsruvReplicaLastModified: {replica 86 >> ldap://f22replica3.bagam.net:389} 000000 >> 00 >> nsruvReplicaLastModified: {replica 91 >> ldap://f22replica2.bagam.net:389} 000000 >> 00 >> nsruvReplicaLastModified: {replica 97 >> ldap://f22replica1.bagam.net:389} 000000 >> 00 >> objectClass: top >> objectClass: nsds5replicationagreement >> nsds5replicareapactive: 0 >> nsds5replicaLastUpdateStart: 20150617150850Z >> nsds5replicaLastUpdateEnd: 20150617150850Z >> 
nsds5replicaChangesSentSinceStartup: >> nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: >> Incremental upd >> ate succeeded >> nsds5replicaUpdateInProgress: FALSE >> nsds5replicaLastInitStart: 19700101000000Z >> nsds5replicaLastInitEnd: 19700101000000Z >> >>> >>> would like to see the raw data. >>>> >>>> >>>>> >>>>>> It reproduces though even in a situation with the topology >>>>>> replica3 <-> master <-> replica1 <-> replica2 and you disable the >>>>>> replica1-replica2 segment on replica3 (quite expectedly) >>>>>>>> and disable one of the segments, one would expect the changes >>>>>>>> implemented on master would not be replicated to other nodes >>>>>>>> (or do I misunderstand the concept of disabling a segment?). >>>>>>>> However, in reality any changes in master do get replicated >>>>>>>> despite the segment is disabled. >>>>>>>> >>>>>>>> Is it a correct behavior? >>>>>>>> >>>>>>>> The second question is: if disabled segments should not let the >>>>>>>> changes through, then we probably should implement a check for >>>>>>>> topology disconnection in similar way as `ipa >>>>>>>> topologysegment-del` does. I mean, whenever a user tries to >>>>>>>> disable a segment, the plugin should probably check whether it >>>>>>>> disconnects any of the nodes. >>>>>>> well, I think disabling should be temporary, you want to >>>>>>> disconnect for some time. eg for debugging, not deleting the >>>>>>> agreement completely, I would allow this. >>>>>>> >>>>>> >>>>> >>>> >>> >> > -- Oleg Fayans Quality Engineer FreeIPA team RedHat. From mkosek at redhat.com Wed Jun 17 15:44:27 2015 
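As an added illustration (not FreeIPA's code and not from anyone in this thread): the checks done by hand above, turning the cn=realm segment entries into edges and noticing that replica1 lists a different segment set than replica3, plus the disconnection check proposed for segment disabling, run over `ldapsearch -LLL` output. The sample entries are constructed from the hostnames in the thread, the one-way `left-right`/`right-left` direction values are assumed, and the disabled segment is passed in by name rather than read from an attribute.

```python
"""Checks over FreeIPA topology-segment entries (added example, not FreeIPA code):
parse cn=realm from `ldapsearch -LLL`, compare views, predict a segment disable."""
from collections import deque


def parse_ldif(text):
    """`ldapsearch -LLL` output -> list of {attr(lower): [values]} dicts."""
    entries, entry = [], {}
    # "\n " is an LDIF continuation; joining it undoes the wrapping of long DNs
    for line in text.replace("\n ", "").splitlines() + [""]:
        if not line.strip():                 # blank line ends an entry
            if entry:
                entries.append(entry)
            entry = {}
            continue
        attr, sep, value = line.partition(":")
        if sep and not line.startswith("#"):
            entry.setdefault(attr.lower(), []).append(value.strip())
    return entries


def segments(entries):
    """Segment name -> (left node, right node, direction)."""
    segs = {}
    for e in entries:
        if "iparepltoposegment" in {c.lower() for c in e.get("objectclass", [])}:
            segs[e["cn"][0]] = (e["iparepltoposegmentleftnode"][0],
                                e["iparepltoposegmentrightnode"][0],
                                e["iparepltoposegmentdirection"][0])
    return segs


def build_graph(segs, disabled=()):
    """Adjacency sets; `disabled` segments give no edge (one-way values assumed)."""
    graph = {}
    for name, (left, right, direction) in segs.items():
        graph.setdefault(left, set())
        graph.setdefault(right, set())
        if name not in disabled and direction != "right-left":
            graph[left].add(right)
        if name not in disabled and direction != "left-right":
            graph[right].add(left)
    return graph


def disable_impact(segs, name, applied_on):
    """Predict `topologysegment-mod ... --enabled=off` of `name` done on
    `applied_on`: with that edge gone, which servers can the disabling change
    itself no longer reach? (Linear case: r1 drops r2, so r2 never sees it.)"""
    graph = build_graph(segs, disabled={name})
    seen, queue = {applied_on}, deque([applied_on])
    while queue:
        for nxt in graph.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    unreached = sorted(set(graph) - seen)
    return {"disconnects": bool(unreached), "unreached": unreached}


def compare_views(segs_a, segs_b):
    """Segment names that only one of two servers knows (divergent views)."""
    return sorted(set(segs_a) ^ set(segs_b))


# Constructed sample: the three segment entries replica3 returned in the thread
# (master-r3, r3-r1, r1-r2), one DN wrapped the way ldapsearch wraps long lines.
REPLICA3_LDIF = """\
dn: cn=replica1-to-replica2,cn=realm,cn=topology,cn=ipa,cn=etc,dc=bagam,dc=net
cn: replica1-to-replica2
ipaReplTopoSegmentLeftNode: f22replica1.bagam.net
ipaReplTopoSegmentRightNode: f22replica2.bagam.net
ipaReplTopoSegmentDirection: both
objectClass: iparepltoposegment

dn: cn=f22master.bagam.net-to-f22replica3.bagam.net,cn=realm,cn=topology,cn=ip
 a,cn=etc,dc=bagam,dc=net
cn: f22master.bagam.net-to-f22replica3.bagam.net
ipaReplTopoSegmentLeftNode: f22master.bagam.net
ipaReplTopoSegmentRightNode: f22replica3.bagam.net
ipaReplTopoSegmentDirection: both
objectClass: iparepltoposegment

dn: cn=f22replica3.bagam.net-f22replica1.bagam.net,cn=realm,cn=topology,cn=ipa,cn=etc,dc=bagam,dc=net
cn: f22replica3.bagam.net-f22replica1.bagam.net
ipaReplTopoSegmentLeftNode: f22replica3.bagam.net
ipaReplTopoSegmentRightNode: f22replica1.bagam.net
ipaReplTopoSegmentDirection: both
objectClass: iparepltoposegment
"""
# Constructed: segments topologysegment-find listed on replica1 (master-r3, r1-r2, r3-r2).
REPLICA1_SEGS = {
    "f22master.bagam.net-to-f22replica3.bagam.net": ("f22master.bagam.net", "f22replica3.bagam.net", "both"),
    "replica1-to-replica2": ("f22replica1.bagam.net", "f22replica2.bagam.net", "both"),
    "replica3-to-replica2": ("f22replica3.bagam.net", "f22replica2.bagam.net", "both"),
}

if __name__ == "__main__":
    r3 = segments(parse_ldif(REPLICA3_LDIF))
    print(compare_views(r3, REPLICA1_SEGS), disable_impact(r3, "replica1-to-replica2", "f22master.bagam.net"))
```

Run against the two real servers, the same comparison would flag the replica1 divergence immediately, and `disable_impact` reports the node that the disable itself can never reach in a linear chain.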
From: mkosek at redhat.com (Martin Kosek) Date: Wed, 17 Jun 2015 17:44:27 +0200 Subject: [Freeipa-devel] FreeIPA 4.2 Alpha preparations In-Reply-To: <20150617103117.GL29330@dhcp-40-8.bne.redhat.com> References: <557AA7AF.1070903@redhat.com> <55803C48.8010301@redhat.com> <20150616152944.GH29330@dhcp-40-8.bne.redhat.com> <55810BBE.1010906@redhat.com> <20150617103117.GL29330@dhcp-40-8.bne.redhat.com> Message-ID: <558195DB.4020100@redhat.com> On 06/17/2015 12:31 PM, Fraser Tweedale wrote: > On Wed, Jun 17, 2015 at 07:55:10AM +0200, Martin Kosek wrote: >> On 06/16/2015 05:29 PM, Fraser Tweedale wrote: >>> On Tue, Jun 16, 2015 at 05:10:00PM +0200, Martin Kosek wrote: >>>> On 06/12/2015 11:34 AM, Martin Kosek wrote: >>>>> Hello all, >>>>> >>>>> As discussed in the last 2 weeks, we are getting close to the 4.2 finish line >>>>> and releasing FreeIPA 4.2 Alpha 1. We already have most of the major RFEs >>>>> complete, some still miss some partial functionality, but most are testable and >>>>> in Alpha state already. >>>>> >>>>> We need to now find out what is blocking us from releasing the Alpha. I know >>>>> only about 2 issues: >>>>> >>>>> - ipa-replica-manage del does not work well with the Topology plugin yet - Petr >>>>> Vobornik and Ludwig are working on it >>>>> - ipa-replica-prepare had some issues after upgrade from 4.1.x to 4.2.0 due to >>>>> inaccesible certificate profiles - Jan, Martin2, Fraser was investigating >>>>> >>>>> Is that correct? Feature owners, please let me know if any of the major feature >>>>> regressed and is not working properly, maybe by other patch sets being merged. >>>>> >>>>> When the blockers are resolved or documented, we should release the beast. Any >>>>> volunteer for the release process? >>>>> >>>>> Finally, I put together a release note draft for the Alpha, please help me >>>>> completing and updating it: >>>>> >>>>> http://www.freeipa.org/page/Releases/4.2.0.alpha1 >>>>> >>>>> Thanks everyone! 
>>>>> >>>> >>>> I saw many fixes in Topology, that's good. I heard that pki-core 10.2.4 broke >>>> us, but I could not reproduce it today with fully updated F22 machine and I was >>>> able to install FreeIPA 4.2.git >>>> >>>> If this is the case, can we just release the Alpha? >>> >>> There are still some big brokens for upgrades. The fixes for pki >>> are merged but there is no release yet. >> >> What is the ETA? It would be nice to have the fix for Alpha, the package can >> be built in the freeipa-4.2 COPR repo, together with the 4.2 Alpha release. >> If the ETA is too far, we may need to release Alpha regardless as there are >> some Test Days planned next week and upgrade is not required for such test >> days. >> > Based on people educating me about how LDAP replication works: > tomorrow, hopefully. In any case, I'm glad to know that the test > days will not be affected by upgrade issues. Well, I will need some release in COPR for the test day. If clean install works, it is good for me. So if you do not have Dogtag release with upgrade issues fixed, I would just release Alpha as is, with this limitation. I do not expect people upgrading to Alpha from production releases before 4.2 anyway. > >>> I am only aware of one >>> reported issue for new installations: ipa-replica-prepare failing >>> when run on a replica (I haven't gotten to investigating this one >>> yet). >> >> >> Right. This must be fixed before GA, but Alpha can live without it IMO. > > I investigated this regression today - details are in another > thread, but it appears to be introduced by a different change and I > have requested comment from those more familiar with that change. > > Thanks, > Fraser > From lkrispen at redhat.com Wed Jun 17 15:53:17 2015 
From: lkrispen at redhat.com (Ludwig Krispenz) Date: Wed, 17 Jun 2015 17:53:17 +0200 Subject: [Freeipa-devel] disabling topology segment has no effect In-Reply-To: <558195BE.3070403@redhat.com> References: <558177FD.8010602@redhat.com> <558180FD.8010407@redhat.com> <55818837.10907@redhat.com> <55818B63.9010505@redhat.com> <55818D37.7070006@redhat.com> <55818EB2.2050608@redhat.com> <558191B0.6020304@redhat.com> <55819377.2000206@redhat.com> <558195BE.3070403@redhat.com> Message-ID: <558197ED.7080502@redhat.com> On 06/17/2015 05:43 PM, Oleg Fayans wrote: > > > On 06/17/2015 05:34 PM, Ludwig Krispenz wrote: >> >> On 06/17/2015 05:26 PM, Oleg Fayans wrote: >>> Hi Ludwig, >>> >>> On 06/17/2015 05:13 PM, Ludwig Krispenz wrote: >>>> Hi, >>>> On 06/17/2015 05:07 PM, Oleg Fayans wrote: >>>>> >>>>> >>>>> On 06/17/2015 04:59 PM, Ludwig Krispenz wrote: >>>>>> >>>>>> On 06/17/2015 04:46 PM, Oleg Fayans wrote: >>>>>>> Hi Ludwig, >>>>>>> >>>>>>> On 06/17/2015 04:15 PM, Ludwig Krispenz wrote: >>>>>>>> >>>>>>>> On 06/17/2015 03:37 PM, Oleg Fayans wrote: >>>>>>>>> Hi Ludwig, Petr, >>>>>>>>> >>>>>>>>> Presently I have noticed that disabling a segment, using `ipa >>>>>>>>> topologysegment-mod realm replica1-to-replica2 >>>>>>>>> --enabled=off` does not have effect on the way the data is >>>>>>>>> replicated. >>>>>>>>> >>>>>>>>> I mean that if we have the following tolopogy: >>>>>>>>> master <-> replica1 <-> replica2 >>>>>>>> on which server did you apply the mod ? >>>>>>> On master. >>>>>> just to be clear, you have master <-> replica1 <-> replica2 >>>>>> on master you disable replica1-replica2 >>>>>> why would you expect mods on master not to be replicated ? at >>>>>> least to replica1 ? >>>>>> the disable should only effect the connection between r1 and r2. >>>>>> There is one problem in this linear topology, the disable reaches >>>>>> r1, it disables the agmt to r2 and so fails to replicate the >>>>>> disable to r2. 
>>>>> >>>>> To be precise, my topology is as follows >>>>> >>>>> master <-> replica3 <-> replica2 <-> replica1 >>>>> And I disabled the replica3 <-> replica2. So I expected the >>>>> changes on master to be only visible on master and replica3, but >>>>> actually it kept replicating to all nodes. >>>>> >>>>> root at f22replica1:/home/ofayans]$ ipa topologysegment-find realm >>>>> ------------------ >>>>> 3 segments matched >>>>> ------------------ >>>>> Segment name: f22master.bagam.net-to-f22replica3.bagam.net >>>>> Left node: f22master.bagam.net >>>>> Right node: f22replica3.bagam.net >>>>> Connectivity: both >>>>> >>>>> Segment name: replica1-to-replica2 >>>>> Left node: f22replica1.bagam.net >>>>> Right node: f22replica2.bagam.net >>>>> Connectivity: both >>>>> >>>>> Segment name: replica3-to-replica2 >>>>> Left node: f22replica3.bagam.net >>>>> Right node: f22replica2.bagam.net >>>>> Connectivity: both >>>>> ---------------------------- >>>>> Number of entries returned 3 >>>>> ---------------------------- >>>>> root at f22replica1:/home/ofayans]$ ipa topologysegment-show realm >>>>> replica3-to-replica2 >>>>> Segment name: replica3-to-replica2 >>>>> Left node: f22replica3.bagam.net >>>>> Right node: f22replica2.bagam.net >>>>> Connectivity: both >>>>> Replication agreement enabled: off >>>> can you do a ldapsearch on cn=realm,cn=topology, ...... 
>>> $ ldapsearch -LLL -b >>> "cn=realm,cn=topology,cn=ipa,cn=etc,dc=bagam,dc=net" -D >>> "cn=Directory Manager" -w '' >>> dn: cn=realm,cn=topology,cn=ipa,cn=etc,dc=bagam,dc=net >>> cn: realm >>> ipaReplTopoConfRoot: dc=bagam,dc=net >>> objectClass: top >>> objectClass: iparepltopoconf >>> >>> dn: >>> cn=replica1-to-replica2,cn=realm,cn=topology,cn=ipa,cn=etc,dc=bagam,dc=net >>> ipaReplTopoSegmentRightNode: f22replica2.bagam.net >>> ipaReplTopoSegmentDirection: both >>> cn: replica1-to-replica2 >>> ipaReplTopoSegmentLeftNode: f22replica1.bagam.net >>> objectClass: iparepltoposegment >>> objectClass: top >> replica1 - replica2 >>> >>> dn: >>> cn=f22master.bagam.net-to-f22replica3.bagam.net,cn=realm,cn=topology,cn=ip >>> a,cn=etc,dc=bagam,dc=net >>> ipaReplTopoSegmentDirection: both >>> objectClass: iparepltoposegment >>> objectClass: top >>> cn: f22master.bagam.net-to-f22replica3.bagam.net >>> ipaReplTopoSegmentLeftNode: f22master.bagam.net >>> ipaReplTopoSegmentRightNode: f22replica3.bagam.net >>> ipaReplTopoSegmentStatus: autogen >> master - replica3 >>> >>> dn: >>> cn=f22replica3.bagam.net-f22replica1.bagam.net,cn=realm,cn=topology,cn=ipa >>> ,cn=etc,dc=bagam,dc=net >>> objectClass: iparepltoposegment >>> objectClass: top >>> ipaReplTopoSegmentLeftNode: f22replica3.bagam.net >>> cn: f22replica3.bagam.net-f22replica1.bagam.net >>> ipaReplTopoSegmentDirection: both >>> ipaReplTopoSegmentRightNode: f22replica1.bagam.net >> replica3 - replica1 >> but this does not match your segment-find output, there is no segment >> replica2 - replica3 > You know what, this is because I did ldapsearch on replica3, while I > posted the results of topologysegment-find run on replica1. 
> But this means that there is a breakage in the replication between > replica1 and the rest of topology (the result of topologysegment-find > is the same across master-replica2-replica3 and different on replica1) the replication agreements on r3 match the output of the cn=realm search, saying you have a topology master <--> r3 <--> r1 <--> r2. could it be that you made changes while the segment was (partially) disabled. We would need the full history of topology changes > > >>> >>>> >>>> and on replica3 do a search -b "cn=config" >>>> "objectclass=nsds5replicationagreement" >>> $ ldapsearch -LLL -b "cn=config" >>> "objectclass=nsds5replicationagreement" -D "cn=Directory Manager" -w >>> '' >>> dn: >>> cn=f22replica3.bagam.net-to-f22replica1.bagam.net,cn=replica,cn=dc\3Dbagam >>> \2Cdc\3Dnet,cn=mapping tree,cn=config >>> objectClass: nsds5replicationagreement >>> objectClass: ipaReplTopoManagedAgreement >>> objectClass: top >>> cn: f22replica3.bagam.net-to-f22replica1.bagam.net >>> nsDS5ReplicaHost: f22replica1.bagam.net >>> nsDS5ReplicaPort: 389 >>> nsds5replicaTimeout: 300 >>> nsDS5ReplicaRoot: dc=bagam,dc=net >>> description: f22replica3.bagam.net to f22replica1.bagam.net >>> ipaReplTopoManagedAgreementState: managed agreement - generated by >>> topology pl >>> ugin >>> nsDS5ReplicaTransportInfo: LDAP >>> nsDS5ReplicaBindMethod: SASL/GSSAPI >>> nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof >>> idnssoaserial >>> entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount >>> nsds5ReplicaStripAttrs: modifiersName modifyTimestamp >>> internalModifiersName in >>> ternalModifyTimestamp >>> nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE >>> entryusn krblasts >>> uccessfulauth krblastfailedauth krbloginfailedcount >>> nsds5replicareapactive: 0 >>> nsds5replicaLastUpdateStart: 20150617151930Z >>> nsds5replicaLastUpdateEnd: 20150617151930Z >>> nsds5replicaChangesSentSinceStartup:: Njo1LzMyOSA0OjcvMCA= >>> 
>>> nsds5replicaLastUpdateStatus: 0 Replica acquired successfully:
>>> Incremental upd
>>> ate succeeded
>>> nsds5replicaUpdateInProgress: FALSE
>>> nsds5replicaLastInitStart: 19700101000000Z
>>> nsds5replicaLastInitEnd: 19700101000000Z
>>>
>>> dn:
>>> cn=meTof22master.bagam.net,cn=replica,cn=dc\3Dbagam\2Cdc\3Dnet,cn=mapping
>>> tree,cn=config
>>> cn: meTof22master.bagam.net
>>> description: me to f22master.bagam.net
>>> ipaReplTopoManagedAgreementState: managed agreement - controlled by
>>> topology p
>>> lugin
>>> nsDS5ReplicaBindMethod: SASL/GSSAPI
>>> nsDS5ReplicaHost: f22master.bagam.net
>>> nsDS5ReplicaPort: 389
>>> nsDS5ReplicaRoot: dc=bagam,dc=net
>>> nsDS5ReplicaTransportInfo: LDAP
>>> nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof
>>> idnssoaserial
>>> entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
>>> nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE
>>> entryusn krblasts
>>> uccessfulauth krblastfailedauth krbloginfailedcount
>>> nsds50ruv: {replicageneration} 557fdff1000000040000
>>> nsds50ruv: {replica 4 ldap://f22master.bagam.net:389}
>>> 557fdffc000100040000 558
>>> 00f44000300040000
>>> nsds50ruv: {replica 6 ldap://f22replica3.bagam.net:389}
>>> 55800e1b000000060000 5
>>> 5800f44000400060000
>>> nsds50ruv: {replica 5 ldap://f22replica2.bagam.net:389}
>>> 557fed70000000050000 5
>>> 5800553000300050000
>>> nsds50ruv: {replica 3 ldap://f22replica1.bagam.net:389}
>>> 557fdffa000000030000 5
>>> 58009b4000200030000
>>> nsds5ReplicaStripAttrs: modifiersName modifyTimestamp
>>> internalModifiersName in
>>> ternalModifyTimestamp
>>> nsds5replicaTimeout: 120
>>> nsruvReplicaLastModified: {replica 4 ldap://f22master.bagam.net:389}
>>> 00000000
>>> nsruvReplicaLastModified: {replica 6
>>> ldap://f22replica3.bagam.net:389} 0000000
>>> 0
>>> nsruvReplicaLastModified: {replica 5
>>> ldap://f22replica2.bagam.net:389} 0000000
>>> 0
>>> nsruvReplicaLastModified: {replica 3
>>> ldap://f22replica1.bagam.net:389} 0000000
>>> 0
>>> objectClass: nsds5replicationagreement
>>> objectClass: top
>>> objectClass: ipaReplTopoManagedAgreement
>>> nsds5replicareapactive: 0
>>> nsds5replicaLastUpdateStart: 20150617151930Z
>>> nsds5replicaLastUpdateEnd: 20150617151930Z
>>> nsds5replicaChangesSentSinceStartup:: Njo1LzMzNCA=
>>> nsds5replicaLastUpdateStatus: 0 Replica acquired successfully:
>>> Incremental upd
>>> ate succeeded
>>> nsds5replicaUpdateInProgress: FALSE
>>> nsds5replicaLastInitStart: 19700101000000Z
>>> nsds5replicaLastInitEnd: 19700101000000Z
>>>
>>> dn:
>>> cn=cloneAgreement1-f22replica3.bagam.net-pki-tomcat,cn=replica,cn=o\3Dipac
>>> a,cn=mapping tree,cn=config
>>> cn: cloneAgreement1-f22replica3.bagam.net-pki-tomcat
>>> description: cloneAgreement1-f22replica3.bagam.net-pki-tomcat
>>> nsDS5ReplicaBindDN: cn=Replication Manager
>>> masterAgreement1-f22replica3.bagam.
>>> net-pki-tomcat,ou=csusers,cn=config
>>> nsDS5ReplicaBindMethod: Simple
>>> nsDS5ReplicaCredentials:
>>> {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG
>>> RERBNEJDUTRZbVk0TUdFM1l5MHpZV1F4TTJFeg0KTnkwNE5HVXhNamczTmkxak1qSmtNalkwTndBQ
>>>
>>> 0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQmxGYWZ1U3ROY2pNbV
>>>
>>> J4NFNUc2pBcQ==}j+d3WWGnksSdSnVQ2S0irQ==
>>> nsDS5ReplicaHost: f22master.bagam.net
>>> nsDS5ReplicaPort: 389
>>> nsDS5ReplicaRoot: o=ipaca
>>> nsDS5ReplicaTransportInfo: TLS
>>> nsds50ruv: {replicageneration} 557fe04c000000600000
>>> nsds50ruv: {replica 96 ldap://f22master.bagam.net:389}
>>> 557fe05b000000600000 55
>>> 800ea7000000600000
>>> nsds50ruv: {replica 86 ldap://f22replica3.bagam.net:389}
>>> 55800eb4000000560000
>>> 55800eb6000200560000
>>> nsds50ruv: {replica 91 ldap://f22replica2.bagam.net:389}
>>> 557fede80000005b0000
>>> 557fedea0002005b0000
>>> nsds50ruv: {replica 97 ldap://f22replica1.bagam.net:389}
>>> 557fe06c000000610000
>>> 557fe326000000610000
>>> nsruvReplicaLastModified: {replica 96
>>> ldap://f22master.bagam.net:389} 00000000
>>> nsruvReplicaLastModified:
>>> {replica 86
>>> ldap://f22replica3.bagam.net:389} 000000
>>> 00
>>> nsruvReplicaLastModified: {replica 91
>>> ldap://f22replica2.bagam.net:389} 000000
>>> 00
>>> nsruvReplicaLastModified: {replica 97
>>> ldap://f22replica1.bagam.net:389} 000000
>>> 00
>>> objectClass: top
>>> objectClass: nsds5replicationagreement
>>> nsds5replicareapactive: 0
>>> nsds5replicaLastUpdateStart: 20150617150850Z
>>> nsds5replicaLastUpdateEnd: 20150617150850Z
>>> nsds5replicaChangesSentSinceStartup:
>>> nsds5replicaLastUpdateStatus: 0 Replica acquired successfully:
>>> Incremental upd
>>> ate succeeded
>>> nsds5replicaUpdateInProgress: FALSE
>>> nsds5replicaLastInitStart: 19700101000000Z
>>> nsds5replicaLastInitEnd: 19700101000000Z
>>>
>>>>
>>>> would like to see the raw data.
>>>>>
>>>>>>
>>>>>>> It reproduces though even in a situation with the topology
>>>>>>> replica3 <-> master <-> replica1 <-> replica2 and you disable
>>>>>>> the replica1-replica2 segment on replica3 (quite expectedly)
>>>>>>>>> and disable one of the segments, one would expect the changes
>>>>>>>>> implemented on master would not be replicated to other nodes
>>>>>>>>> (or do I misunderstand the concept of disabling a segment?).
>>>>>>>>> However, in reality any changes in master do get replicated
>>>>>>>>> despite the segment is disabled.
>>>>>>>>>
>>>>>>>>> Is it a correct behavior?
>>>>>>>>>
>>>>>>>>> The second question is: if disabled segments should not let
>>>>>>>>> the changes through, then we probably should implement a check
>>>>>>>>> for topology disconnection in similar way as `ipa
>>>>>>>>> topologysegment-del` does. I mean, whenever a user tries to
>>>>>>>>> disable a segment, the plugin should probably check whether it
>>>>>>>>> disconnects any of the nodes.
>>>>>>>> well, I think disabling should be temporary, you want to
>>>>>>>> disconnect for some time. eg for debugging, not deleting the
>>>>>>>> agreement completely, I would allow this.
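The disconnection check Oleg asks about above, written as an added example rather than code from FreeIPA's topology plugin: it models each segment as directed edges (direction as in ipaReplTopoSegmentDirection) and reports which node pairs would stop exchanging updates if a given segment were disabled. The segment names and hosts are taken from the ldapsearch and topologysegment-find output in this thread; combining all four forms a ring, which is an assumption of the example, not a statement about Oleg's actual deployment.

```python
# Added example, not FreeIPA's topology plugin code: check whether disabling
# a segment would leave some node unable to receive updates from another.
from collections import deque

# (segment name, left node, right node, direction). Direction mirrors
# ipaReplTopoSegmentDirection: "both", "left-right" or "right-left".
# The first three segments are those in the ldapsearch output above; the
# fourth is the replica2-to-master segment from the topologysegment-find
# output. All four together form a ring master-r3-r1-r2-master (assumed).
SEGMENTS = [
    ("replica1-to-replica2",
     "f22replica1.bagam.net", "f22replica2.bagam.net", "both"),
    ("f22master.bagam.net-to-f22replica3.bagam.net",
     "f22master.bagam.net", "f22replica3.bagam.net", "both"),
    ("f22replica3.bagam.net-f22replica1.bagam.net",
     "f22replica3.bagam.net", "f22replica1.bagam.net", "both"),
    ("replica2-to-master",
     "f22replica2.bagam.net", "f22master.bagam.net", "both"),
]


def build_graph(segments, disabled=()):
    """Directed adjacency map of the enabled segments; every node is a key."""
    edges = {}
    for name, left, right, direction in segments:
        edges.setdefault(left, set())
        edges.setdefault(right, set())
        if name in disabled:
            continue  # a disabled segment carries no updates
        if direction in ("both", "left-right"):
            edges[left].add(right)
        if direction in ("both", "right-left"):
            edges[right].add(left)
    return edges


def reachable(edges, start):
    """Nodes that receive updates originating at `start` (BFS over edges)."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in edges[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def unreachable_pairs(segments, disabled=()):
    """(source, destination) pairs where destination never sees source's changes."""
    edges = build_graph(segments, disabled)
    pairs = []
    for src in sorted(edges):
        can_reach = reachable(edges, src)
        pairs.extend((src, dst) for dst in sorted(edges) if dst not in can_reach)
    return pairs


def disabling_disconnects(segments, name):
    """True if disabling segment `name` would disconnect the topology."""
    if name not in {seg[0] for seg in segments}:
        raise ValueError("unknown segment: %s" % name)
    return bool(unreachable_pairs(segments, disabled={name}))


if __name__ == "__main__":
    # With the ring, every single segment can be disabled safely...
    for seg in SEGMENTS:
        print("ring:", seg[0], disabling_disconnects(SEGMENTS, seg[0]))
    # ...but in the chain from the ldapsearch output alone, none can.
    for seg in SEGMENTS[:3]:
        print("chain:", seg[0], disabling_disconnects(SEGMENTS[:3], seg[0]))
```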
From npmccallum at redhat.com Wed Jun 17 16:09:36 2015
From: npmccallum at redhat.com (Nathaniel McCallum)
Date: Wed, 17 Jun 2015 12:09:36 -0400
Subject: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)
In-Reply-To: <557B55F6.4060408@redhat.com>
References: <5565C3AF.1070509@redhat.com> <5576F050.7070903@redhat.com> <1434138036.2542.52.camel@redhat.com> <557B55F6.4060408@redhat.com>
Message-ID: <1434557376.2815.14.camel@redhat.com>

On Fri, 2015-06-12 at 17:58 -0400, Adam Young wrote:
> On 06/12/2015 03:40 PM, Nathaniel McCallum wrote:
> > It doesn't apply again.
> >
> > On Tue, 2015-06-09 at 15:55 +0200, Christian Heimes wrote:
> > > On 2015-05-27 15:16, Christian Heimes wrote:
> > > > Hello,
> > > >
> > > > here is my first patch for FreeIPA. The patch integrates python
> > > > -kdcproxy
> > > > for MS-KKDCP support (aka Kerberos over HTTPS).
> > > >
> > > > https://www.freeipa.org/page/V4/KDC_Proxy
> > > >
> > > > Ticket: https://fedorahosted.org/freeipa/ticket/4801
> > > freeipa-cheimes-0001-2-Provide-Kerberos-over-HTTP-MS-KKDCP.patch
> > > doesn't
> > > apply anymore. The new patch is based on the current master.
> > >
> > > Christian
> > >
> > > --
> > > Manage your subscription for the Freeipa-devel mailing list:
> > > https://www.redhat.com/mailman/listinfo/freeipa-devel
> > > Contribute to FreeIPA:
> > > http://www.freeipa.org/page/Contribute/Code

I'm reviewing Adam's version of Christian's patch.

* FreeIPA should require python-kdcproxy >= 0.3 considering there are lots of fixes related to this project.

* KDC Proxy path is not configurable. This probably needs to be noted in documentation somewhere when mentioning the default path.

* Has OID 2.16.840.1.113730.3.8.3.28 been officially claimed?

* There is a new permission: Read IPA Masters KDC Proxy. Is this necessary? Can't the config be world-readable and admin writable? There is no extra security in hiding this attribute. This also completely removes the need for a keytab since anonymous binding can be used.
This also, I believe, removes the need for a service.

* The creation of the kdcproxy user is trailed by "exit 0". Why?

* replicainstall.py has trailing whitespace

Nathaniel

From tbordaz at redhat.com Wed Jun 17 16:29:24 2015
From: tbordaz at redhat.com (thierry bordaz)
Date: Wed, 17 Jun 2015 18:29:24 +0200
Subject: [Freeipa-devel] user deletion in offline mode does not get replicated after node recovery
In-Reply-To: <558152EC.2050005@redhat.com>
References: <55803767.5080906@redhat.com> <5580568A.2000404@redhat.com> <558138B1.1070809@redhat.com> <558152EC.2050005@redhat.com>
Message-ID: <5581A064.2030500@redhat.com>

Hello,

Thanks Oleg for the access on the VMs.

I confirm that you hit https://fedorahosted.org/389/ticket/47788
I updated this ticket with the details found in your tests.
Unfortunately we have no fix yet for this ticket although it is an important one.

In your test, on a master a user entry (and its related group...) were successfully deleted/updated but on one replica the deletion of the user entry was skipped but related updates (group) were successful.

I agree that it is a timing problem and should occur rarely.

thanks
thierry

On 06/17/2015 12:58 PM, Oleg Fayans wrote:
> Hi Ludwig,
>
> On 06/17/2015 11:06 AM, Ludwig Krispenz wrote:
>> Hi Oleg,
>>
>> can you give a bit more info on the scenarios when this happens.
>> Always or is it a timing problem ?
> I guess it is a timing problem. It happened yesterday, today I was
> unable to reproduce this. The scenario is very simple:
> create a user1, make sure it's there turn off a replica, then create
> another user on master and delete user1 on master, then turn replica
> back on.
> I still have an infrastructure with 2 replicas having a user that was
> deleted on master. Now all the user (and other data) manipulations on
> this very setup work as intended.
>>
>> Ludwig
>>
>> On 06/16/2015 07:02 PM, thierry bordaz wrote:
>>> Hello
>>>
>>>
>>> On Master:
>>> User 'onmaster' was deleted
>>>
>>> [16/Jun/2015:10:16:45 -0400] conn=402 op=19 SRCH
>>> base="cn=otp,dc=bagam,dc=net" scope=1
>>> filter="(&(objectClass=ipatoken)(ipatokenOwner=uid=onmaster,cn=users,cn=accounts,dc=bagam,dc=net))"
>>> attrs="ipatokenNotAfter description ipatokenOwner objectClass
>>> ipatokenDisabled ipatokenVendor managedBy ipatokenModel
>>> ipatokenNotBefore ipatokenUniqueID ipatokenSerial"
>>> [16/Jun/2015:10:16:45 -0400] conn=402 op=19 RESULT err=0 tag=101
>>> nentries=0 etime=0
>>> [16/Jun/2015:10:16:45 -0400] conn=402 op=20 DEL
>>> dn="uid=onmaster,cn=users,cn=accounts,dc=bagam,dc=net"
>>> [16/Jun/2015:10:16:45 -0400] conn=402 op=21 UNBIND
>>> [16/Jun/2015:10:16:45 -0400] conn=402 op=21 fd=120 closed - U1
>>> [16/Jun/2015:10:16:45 -0400] conn=402 op=20 RESULT err=0 tag=107
>>> nentries=0 etime=0 csn=55802fcf000300040000
>>>
>>> Replication agreement failed to replicate it to the replica2
>>> [16/Jun/2015:10:18:36 -0400] NSMMReplicationPlugin -
>>> agmt="cn=f22master.bagam.net-to-f22replica2.bagam.net"
>>> (f22replica2:389): Consumer failed to replay change (uniqueid
>>> b8242e18-143111e5-b1d0d0c3-ae5854ff, CSN 55802fcf000300040000):
>>> Operations error (1). Will retry later.
>>>
>>>
>>> On replica2:
>>>
>>> The replicated operation failed
>>> [16/Jun/2015:10:18:27 -0400] conn=8 op=4 RESULT err=0 tag=101
>>> nentries=1 etime=0
>>> [16/Jun/2015:10:18:27 -0400] conn=8 op=5 EXT
>>> oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>>> [16/Jun/2015:10:18:27 -0400] conn=8 op=5 RESULT err=0 tag=120
>>> nentries=0 etime=0
>>> [16/Jun/2015:10:18:27 -0400] conn=8 op=6 DEL
>>> dn="uid=onmaster,cn=users,cn=accounts,dc=bagam,dc=net"
>>> [16/Jun/2015:10:18:35 -0400] conn=8 op=6 RESULT err=1 tag=107
>>> nentries=0 etime=8 csn=55802fcf000300040000
>>>
>>> because of DB failures to update.
>>> The failures were E_AGAIN or E_DB_DEADLOCK.
>>> In such situation,
>>> DS retries after a small delay.
>>> The problem is that it retried 50 times without success.
>>> [16/Jun/2015:10:18:34 -0400] NSMMReplicationPlugin - changelog
>>> program - _cl5WriteOperationTxn: retry (49) the transaction
>>> (csn=55802fcf000300040000) failed (rc=-30993 (BDB0068
>>> DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock))
>>> [16/Jun/2015:10:18:34 -0400] NSMMReplicationPlugin - changelog
>>> program - _cl5WriteOperationTxn: failed to write entry with csn
>>> (55802fcf000300040000); db error - -30993 BDB0068 DB_LOCK_DEADLOCK:
>>> Locker killed to resolve a deadlock
>>> [16/Jun/2015:10:18:34 -0400] NSMMReplicationPlugin -
>>> write_changelog_and_ruv: can't add a change for
>>> uid=onmaster,cn=users,cn=accounts,dc=bagam,dc=net (uniqid:
>>> b8242e18-143111e5-b1d0d0c3-ae5854ff, optype: 32) to changelog csn
>>> 55802fcf000300040000
>>> [16/Jun/2015:10:18:34 -0400] - SLAPI_PLUGIN_BE_TXN_POST_DELETE_FN
>>> plugin returned error code but did not set SLAPI_RESULT_CODE
>>>
>>>
>>> The MAIN issue here is that replica2 successfully applied others
>>> updates after 55802fcf000300040000 from the same replica (e.g
>>> csn=55802fcf000400040000)
>>> I do not know if master was able to detect this failure and to
>>> replay this update. but I am afraid it did not !!
>>> It is looking like you hit https://fedorahosted.org/389/ticket/47788
>>> Is it possible to access your VM ?
>>>
>>> [16/Jun/2015:10:18:27 -0400] conn=8 op=6 DEL
>>> dn="uid=onmaster,cn=users,cn=accounts,dc=bagam,dc=net"
>>> [16/Jun/2015:10:18:35 -0400] conn=8 op=6 RESULT err=1 tag=107
>>> nentries=0 etime=8 csn=55802fcf000300040000
>>> [16/Jun/2015:10:18:35 -0400] conn=8 op=7 MOD
>>> dn="cn=ipausers,cn=groups,cn=accounts,dc=bagam,dc=net"
>>> [16/Jun/2015:10:18:36 -0400] conn=8 op=7 RESULT err=0 tag=103
>>> nentries=0 etime=1 csn=55802fcf000400040000
>>> [16/Jun/2015:10:18:36 -0400] conn=8 op=8 DEL
>>> dn="cn=onmaster,cn=groups,cn=accounts,dc=bagam,dc=net"
>>> [16/Jun/2015:10:18:37 -0400] conn=8 op=8 RESULT err=0 tag=107
>>> nentries=0 etime=1 csn=55802fcf000700040000
>>> [16/Jun/2015:10:18:37 -0400] conn=8 op=9 MOD
>>> dn="cn=ipausers,cn=groups,cn=accounts,dc=bagam,dc=net"
>>> [16/Jun/2015:10:18:37 -0400] conn=8 op=9 RESULT err=0 tag=103
>>> nentries=0 etime=0 csn=55802fd0000000060000
>>>
>>>
>>> On 06/16/2015 04:49 PM, Oleg Fayans wrote:
>>>> Hi all,
>>>>
>>>> I've bumped into a strange problem with only a part of changes
>>>> implemented on master during replica outage get replicated after
>>>> replica recovery.
>>>>
>>>> Namely: when I delete an existing user on the master while the node
>>>> is offline, these changes do not get to the node when it's back
>>>> online. User creation, however, gets replicated as expected.
>>>>
>>>> Steps to reproduce:
>>>>
>>>> 1. Create the following topology:
>>>>
>>>> replica1 <-> master <-> replica2 <-> replica3
>>>>
>>>> 2. Create user1 on master, make sure it appears on all replicas
>>>> 3. Turn off replica2
>>>> 4. On master delete user1 and create user2, make sure the changes
>>>> get replicated to replica1
>>>> 5. Turn on replica2
>>>>
>>>> Expected results:
>>>>
>>>> A minute or so after replica2 is back up,
>>>> 1. user1 does not exist neither on replica2 nor on replica3
>>>> 2. user2 exists both on replica2 and replica3
>>>>
>>>> Actual results:
>>>> 1. user1 coexist with user2 on replica2 and replica3
>>>> 2.
>>>> master and replica1 have only user2
>>>>
>>>>
>>>> In my case, though, the topology was as follows:
>>>> $ ipa topologysegment-find realm
>>>> ------------------
>>>> 3 segments matched
>>>> ------------------
>>>> Segment name: f22master.bagam.net-to-f22replica3.bagam.net
>>>> Left node: f22master.bagam.net
>>>> Right node: f22replica3.bagam.net
>>>> Connectivity: both
>>>>
>>>> Segment name: replica1-to-replica2
>>>> Left node: f22replica1.bagam.net
>>>> Right node: f22replica2.bagam.net
>>>> Connectivity: both
>>>>
>>>> Segment name: replica2-to-master
>>>> Left node: f22replica2.bagam.net
>>>> Right node: f22master.bagam.net
>>>> Connectivity: both
>>>> ----------------------------
>>>> Number of entries returned 3
>>>> ----------------------------
>>>> And I was turning off replica2, leaving replica1 offline, but that
>>>> does not really matter.
>>>>
>>>> The dirsrv error message, most likely to be relevant is:
>>>> -----------------------------------------------------------------------------------------------------------------------------------------------------
>>>>
>>>> Consumer failed to replay change (uniqueid
>>>> b8242e18-143111e5-b1d0d0c3-ae5854ff, CSN 55802fcf000300040000):
>>>> Operations error (1). Will retry later
>>>> -----------------------------------------------------------------------------------------------------------------------------------------------------
>>>>
>>>>
>>>> I attach dirsrv error and access logs from all nodes, in case they
>>>> could be useful
>>>>
>>>
>>
>
> --
> Oleg Fayans
> Quality Engineer
> FreeIPA team
> RedHat.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From derny at redhat.com Wed Jun 17 17:18:40 2015
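A way to spot the symptom Thierry describes in the message above, written as an added example rather than 389-ds or FreeIPA code: it parses the replica2 access-log lines quoted in the thread and flags any replicated write that failed (err != 0) while a later CSN from the same originating replica was applied successfully, which is the condition under which the consumer has moved past a lost change. The CSN field layout (8 hex characters of Unix time, 4 of sequence number, 4 of replica id, 4 of sub-sequence) is assumed to be the standard 389-ds one.

```python
# Added example, not 389-ds or FreeIPA code: find replicated operations that a
# consumer failed to apply while later changes from the same supplier succeeded,
# the "skipped update" pattern from ticket 47788 described above.
import re
from datetime import datetime, timezone

# Constructed from the replica2 access-log lines quoted in the thread.
SAMPLE_LOG = """\
[16/Jun/2015:10:18:27 -0400] conn=8 op=6 DEL dn="uid=onmaster,cn=users,cn=accounts,dc=bagam,dc=net"
[16/Jun/2015:10:18:35 -0400] conn=8 op=6 RESULT err=1 tag=107 nentries=0 etime=8 csn=55802fcf000300040000
[16/Jun/2015:10:18:35 -0400] conn=8 op=7 MOD dn="cn=ipausers,cn=groups,cn=accounts,dc=bagam,dc=net"
[16/Jun/2015:10:18:36 -0400] conn=8 op=7 RESULT err=0 tag=103 nentries=0 etime=1 csn=55802fcf000400040000
[16/Jun/2015:10:18:36 -0400] conn=8 op=8 DEL dn="cn=onmaster,cn=groups,cn=accounts,dc=bagam,dc=net"
[16/Jun/2015:10:18:37 -0400] conn=8 op=8 RESULT err=0 tag=107 nentries=0 etime=1 csn=55802fcf000700040000
[16/Jun/2015:10:18:37 -0400] conn=8 op=9 MOD dn="cn=ipausers,cn=groups,cn=accounts,dc=bagam,dc=net"
[16/Jun/2015:10:18:37 -0400] conn=8 op=9 RESULT err=0 tag=103 nentries=0 etime=0 csn=55802fd0000000060000
"""

# A write operation line (with its DN) and the RESULT line that carries a CSN.
OP_RE = re.compile(r'^\[[^\]]+\] conn=(\d+) op=(\d+) (ADD|MOD|DEL|MODRDN) dn="([^"]*)"')
RESULT_RE = re.compile(r'^\[[^\]]+\] conn=(\d+) op=(\d+) RESULT err=(\d+) .* csn=([0-9a-fA-F]{20})')


def parse_csn(csn):
    """Split a 389-ds CSN into (timestamp, seqnum, replica_id, subseqnum).

    Layout assumed: 8 hex chars of Unix time, 4 hex sequence number,
    4 hex replica id, 4 hex sub-sequence number.
    """
    return (int(csn[0:8], 16), int(csn[8:12], 16),
            int(csn[12:16], 16), int(csn[16:20], 16))


def csn_time(csn):
    """UTC time at which the change was generated on the originating replica."""
    return datetime.fromtimestamp(parse_csn(csn)[0], tz=timezone.utc)


def parse_log(text):
    """Return one dict per write whose RESULT line carries a CSN, in log order."""
    pending = {}   # (conn, op) -> (operation, dn) until its RESULT line arrives
    ops = []
    for line in text.splitlines():
        m = OP_RE.match(line)
        if m:
            pending[(m.group(1), m.group(2))] = (m.group(3), m.group(4))
            continue
        m = RESULT_RE.match(line)
        if m:
            kind, dn = pending.pop((m.group(1), m.group(2)), ("?", "?"))
            ops.append({"op": kind, "dn": dn,
                        "err": int(m.group(3)), "csn": m.group(4)})
    return ops


def find_skipped_updates(ops):
    """Failed ops (err != 0) after which a newer CSN from the same replica id succeeded.

    A failed op that is merely retried later is not reported; one that the
    consumer moved past (a later CSN from the same supplier applied) is.
    """
    skipped = []
    for i, op in enumerate(ops):
        if op["err"] == 0:
            continue
        ts, seq, rid, _ = parse_csn(op["csn"])
        for later in ops[i + 1:]:
            lts, lseq, lrid, _ = parse_csn(later["csn"])
            if later["err"] == 0 and lrid == rid and (lts, lseq) > (ts, seq):
                skipped.append(op)
                break
    return skipped


if __name__ == "__main__":
    for op in find_skipped_updates(parse_log(SAMPLE_LOG)):
        print("skipped %s of %s (csn=%s, generated %s)"
              % (op["op"], op["dn"], op["csn"], csn_time(op["csn"]).isoformat()))
```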
From: derny at redhat.com (Drew Erny)
Date: Wed, 17 Jun 2015 13:18:40 -0400
Subject: [Freeipa-devel] IPA Python API
In-Reply-To: <5581048F.7030800@redhat.com>
References: <55806B14.7030905@redhat.com> <5581048F.7030800@redhat.com>
Message-ID: <5581ABF0.1020504@redhat.com>

On 06/17/2015 01:24 AM, Jan Cholasta wrote:
> On 16.6.2015 at 20:29, Drew Erny wrote:
>> Hi, All,
>> ...
> Call
>
> api.Backend.rpcclient.connect(ccache=krbV.default_context().default_ccache())
>
> to make the problem go away.

This doesn't work. The Flask application runs (as I mentioned in a different email) with or without this change, but it will not run in debug mode either way.

From derny at redhat.com Wed Jun 17 19:21:52 2015
From: derny at redhat.com (Drew Erny)
Date: Wed, 17 Jun 2015 15:21:52 -0400
Subject: [Freeipa-devel] Community Portal Prototype
Message-ID: <5581C8D0.6060203@redhat.com>

Hello, all,

I've built a prototype of the community portal, and I'd like a quick sanity check on it. If someone would look over the architecture of this code and make sure that the design is sensible before I proceed any further, that would be very helpful. The source code can be found here: https://github.com/dperny/freeipa-communityportal

This code should run on your machine, and you should be able to add users to the staging tree. It might not, however; the point is to have the code looked at before I spend any more time on it.

The Community Portal prototype is a Python Flask web-application that acts as a client to a FreeIPA server. It collects input from the unwashed masses (in the form of a user sign-up page) and then sends it to the FreeIPA server. This way, the Community Portal acts like a gateway between the FreeIPA server and the anonymous community users, restricting the commands they can send to the server.

Right now, the server imports FreeIPA's Python ipalib module, which allows it to act like a client. It uses api.Command.stageuser_add(...) to add new users to the staging area of the FreeIPA database. It then sends an email to the admin (or, rather, it logs an email to the console instead of sending one, in the prototype) to alert them to the fact that a user has signed up.

All feedback is welcome.

Thanks,
Drew

From cheimes at redhat.com Wed Jun 17 19:21:55 2015
From: cheimes at redhat.com (Christian Heimes)
Date: Wed, 17 Jun 2015 21:21:55 +0200
Subject: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)
In-Reply-To: <1434557376.2815.14.camel@redhat.com>
References: <5565C3AF.1070509@redhat.com> <5576F050.7070903@redhat.com> <1434138036.2542.52.camel@redhat.com> <557B55F6.4060408@redhat.com> <1434557376.2815.14.camel@redhat.com>
Message-ID: <5581C8D3.9050503@redhat.com>

On 2015-06-17 18:09, Nathaniel McCallum wrote:
> On Fri, 2015-06-12 at 17:58 -0400, Adam Young wrote:
>> On 06/12/2015 03:40 PM, Nathaniel McCallum wrote:
>>> It doesn't apply again.
>>>
>>> On Tue, 2015-06-09 at 15:55 +0200, Christian Heimes wrote:
>>>> On 2015-05-27 15:16, Christian Heimes wrote:
>>>>> Hello,
>>>>>
>>>>> here is my first patch for FreeIPA. The patch integrates python
>>>>> -kdcproxy
>>>>> for MS-KKDCP support (aka Kerberos over HTTPS).
>>>>>
>>>>> https://www.freeipa.org/page/V4/KDC_Proxy
>>>>>
>>>>> Ticket: https://fedorahosted.org/freeipa/ticket/4801
>>>> freeipa-cheimes-0001-2-Provide-Kerberos-over-HTTP-MS-KKDCP.patch
>>>> doesn't
>>>> apply anymore. The new patch is based on the current master.
>>>>
>>>> Christian
>>>>
>>>> --
>>>> Manage your subscription for the Freeipa-devel mailing list:
>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>> Contribute to FreeIPA:
>>>> http://www.freeipa.org/page/Contribute/Code

Thanks Nathaniel,

quick review before I have to leave again. A couple of Red Hatters from Brno just arrived at the hotel. I'll grab a beer with them.

> I'm reviewing Adam's version of Christian's patch.
>
> * FreeIPA should require python-kdcproxy >= 0.3 considering there are
> lots of fixes related to this project.

We need to package it first, when I'm back from NHO. I've started to study the packaging docs in the engineering section. Maybe you or somebody else can walk me through the process next week?

> * KDC Proxy path is not configurable.
> This probably needs to be noted
> in documentation somewhere when mentioning the default path.

LGTM

> * Has OID 2.16.840.1.113730.3.8.3.28 been officially claimed?

How? I thought 2.16.840.1.113730.3.8.3 is in our own OID space and we don't have to register it with IANA. Or are you referring to another registry?

> * There is a new permission: Read IPA Masters KDC Proxy. Is this
> necessary. Can't the config be world-readable and admin writable? There
> is no extra security in hiding this attribute. This also completely
> removes the need for a keytab since anonymous binding can be used. This
> also, I believe, removes the need for a service.

That would make the code simpler and shorter too. I'm +0 on the proposal.

> * The creation of the kdcproxy user is trailed by "exit 0". Why?

https://fedoraproject.org/wiki/Packaging:UsersAndGroups recommends "exit 0".

> * replicainstall.py has trailing whitespace

I'll address it with my next patch.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL:
From npmccallum at redhat.com Wed Jun 17 19:31:10 2015
From: npmccallum at redhat.com (Nathaniel McCallum)
Date: Wed, 17 Jun 2015 15:31:10 -0400
Subject: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)
In-Reply-To: <5581C8D3.9050503@redhat.com>
References: <5565C3AF.1070509@redhat.com> <5576F050.7070903@redhat.com> <1434138036.2542.52.camel@redhat.com> <557B55F6.4060408@redhat.com> <1434557376.2815.14.camel@redhat.com> <5581C8D3.9050503@redhat.com>
Message-ID: <1434569470.17641.6.camel@redhat.com>

On Wed, 2015-06-17 at 21:21 +0200, Christian Heimes wrote:
> On 2015-06-17 18:09, Nathaniel McCallum wrote:
> > On Fri, 2015-06-12 at 17:58 -0400, Adam Young wrote:
> >> On 06/12/2015 03:40 PM, Nathaniel McCallum wrote:
> >>> It doesn't apply again.
> >>>
> >>> On Tue, 2015-06-09 at 15:55 +0200, Christian Heimes wrote:
> >>>> On 2015-05-27 15:16, Christian Heimes wrote:
> >>>>> Hello,
> >>>>>
> >>>>> here is my first patch for FreeIPA. The patch integrates python
> >>>>> -kdcproxy
> >>>>> for MS-KKDCP support (aka Kerberos over HTTPS).
> >>>>>
> >>>>> https://www.freeipa.org/page/V4/KDC_Proxy
> >>>>>
> >>>>> Ticket: https://fedorahosted.org/freeipa/ticket/4801
> >>>> freeipa-cheimes-0001-2-Provide-Kerberos-over-HTTP-MS-KKDCP.patch
> >>>> doesn't
> >>>> apply anymore. The new patch is based on the current master.
> >>>>
> >>>> Christian
> >>>>
> >>>> --
> >>>> Manage your subscription for the Freeipa-devel mailing list:
> >>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
> >>>> Contribute to FreeIPA:
> >>>> http://www.freeipa.org/page/Contribute/Code
>
> Thanks Nathaniel,
>
> quick review before I have to leave again. A couple of Red Hatters
> from
> Brno just arrived at the hotel. I'll grab a beer with them.
>
> > I'm reviewing Adam's version of Christian's patch.
> >
> > * FreeIPA should require python-kdcproxy >= 0.3 considering there
> are
> > lots of fixes related to this project.
>
> We need to package it first, when I'm back from NHO.
> I've started to
> study the packaging docs in the engineering section. Maybe you or
> somebody else can walk me through the process next week?

I'm happy to walk you through it. However, it is already built (just not pushed):
http://koji.fedoraproject.org/koji/packageinfo?packageID=19292

> > * KDC Proxy path is not configurable. This probably needs to be
> noted
> > in documentation somewhere when mentioning the default path.
>
> LGTM
>
> > * Has OID 2.16.840.1.113730.3.8.3.28 been officially claimed?
>
> How? I thought 2.16.840.1.113730.3.8.3 is in our own OID space and we
> don't have to register it with IANA. Or are you referring to another
> registry?

We have our own registry. I can walk you through the details off-thread.

> > * There is a new permission: Read IPA Masters KDC Proxy. Is this
> > necessary. Can't the config be world-readable and admin writable?
> There
> > is no extra security in hiding this attribute. This also completely
> > removes the need for a keytab since anonymous binding can be used.
> This
> > also, I believe, removes the need for a service.
>
> That would make the code simpler and shorter too. I'm +0 on the
> proposal.
>
> > * The creation of the kdcproxy user is trailed by "exit 0". Why?
>
> https://fedoraproject.org/wiki/Packaging:UsersAndGroups recommends "exit 0".
>
> > * replicainstall.py has trailing whitespace
>
> I'll address it with my next patch.

From jcholast at redhat.com Thu Jun 18 05:51:34 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 18 Jun 2015 07:51:34 +0200
Subject: [Freeipa-devel] IPA Python API
In-Reply-To: <5581ABF0.1020504@redhat.com>
References: <55806B14.7030905@redhat.com> <5581048F.7030800@redhat.com> <5581ABF0.1020504@redhat.com>
Message-ID: <55825C66.2080604@redhat.com>

On 17.6.2015 at 19:18, Drew Erny wrote:
>
> On 06/17/2015 01:24 AM, Jan Cholasta wrote:
>> On 16.6.2015 at 20:29, Drew Erny wrote:
>>> Hi, All,
>>> ...
>> Call
>>
>> api.Backend.rpcclient.connect(ccache=krbV.default_context().default_ccache())
>>
>> to make the problem go away.
> This doesn't work. The Flask application runs (as I mentioned in a
> different email) with or without this change, but it will not run in
> debug mode either way.

That's probably because there are no credentials in the default ccache. You might try to kinit first and/or supply a different ccache.

--
Jan Cholasta

From jcholast at redhat.com Thu Jun 18 07:30:08 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 18 Jun 2015 09:30:08 +0200
Subject: [Freeipa-devel] [PATCH] 0005 User life cycle: del/mod/find/show stageuser commands
In-Reply-To: <557EEF72.7010507@redhat.com>
References: <552F964E.2060304@redhat.com> <553F437D.5080103@redhat.com> <553F44B7.6040100@redhat.com> <553F476E.8080502@redhat.com> <553F9BCE.6010000@redhat.com> <554869C3.2040509@redhat.com> <5551EF3E.1060503@redhat.com> <555216B9.1070106@redhat.com> <205373726.22060212.1431701099532.JavaMail.zimbra@redhat.com> <5559A3DD.7030002@redhat.com> <555C5348.2030202@redhat.com> <5576D5BB.8020500@redhat.com> <557EE5D3.8090408@redhat.com> <1434380423.22266.14.camel@willson.usersys.redhat.com> <557EEF72.7010507@redhat.com>
Message-ID: <55827380.3050607@redhat.com>

On 15.6.2015 at 17:29, thierry bordaz wrote:
> On 06/15/2015 05:00 PM, Simo Sorce wrote:
>> On Mon, 2015-06-15 at 16:48 +0200, Petr Vobornik wrote:
>>> On 06/09/2015 02:02 PM, Jan Cholasta wrote:
>>>> On 20.5.2015 at 11:26, Jan Cholasta wrote:
>>>>> On 18.5.2015 at 10:33, thierry bordaz wrote:
>>>>>> On 05/15/2015 04:44 PM, David Kupka wrote:
>>>>>>> Hello Thierry,
>>>>>>> thanks for the patch set. Overall functionality of ULC feature looks
>>>>>>> good to
>>>>>>> me and is definitely "alpha ready".
>>>>>>>
>>>>>>> I found following issues but don't insist on fixing it right now:
>>>>>>>
>>>>>>> 1) When stageuser-activate fails due to already existent
>>>>>>> active/deleted user.
>>>>>>> DN is show instead of user name that's used in other commands
>>>>>>> (user-add,
>>>>>>> stageuser-add).
>>>>>>> $ ipa user-add tuser --first Test --last User
>>>>>>> $ ipa stageuser-add tuser --first Test --last User
>>>>>>> $ ipa stageuser-activate tuser
>>>>>>> ipa: ERROR: Active user
>>>>>>> uid=tuser,cn=users,cn=accounts,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
>>>>>>> already exists
>>>>>> Hi David, Jan,
>>>>>>
>>>>>> Thank you so much for all those tests and feedback. I agree, some
>>>>>> minor
>>>>>> bugs can be fixed separately from this main patches.
>>>>>>
>>>>>> You are right, It should return the user ID not the DN.
>>>>>>
>>>>>>> 2) According to the design there should be '--only-delete' and
>>>>>>> '--also-delete'
>>>>>>> options for user-find command instead there is '--preserved' option.
>>>>>>> Honza proposed adding virtual boolean attribute 'deleted' to user
>>>>>>> entry and
>>>>>>> filter on it.
>>>>>>> The 'deleted' attribute would be useful also in user-show where
>>>>>>> is no
>>>>>>> way to
>>>>>>> tell if the displayed user is active or deleted. (Except running
>>>>>>> with
>>>>>>> --all
>>>>>>> and looking on the dn).
>>>>>> Yes a bit late to resynch the design.
>>>>>> The final option is 'preserved' for user-find and 'preserve' for
>>>>>> user-del. '--only-delete' or 'also-delete' are old name that I
>>>>>> need to
>>>>>> replace in the design.
>>>>>>
>>>>>> About the 'deleted' attribute, do you think adding a DS cos virtual
>>>>>> attribute ?
>>>>> See the attached patch.
>>>> Can someone please review the patch?
>>>>
>>>>>>> 3) uidNumber and gidNumber can't be set back to '-1' once set to
>>>>>>> other
>>>>>>> value.
>>>>>>> This would be useful when admin changes its mind and want IPA to
>>>>>>> assign them.
>>>>>>> IIUC, there should be no validation in cn=staged user container. All
>>>>>>> validation should be done during stageuser-activate.
>>>>>> Yes that comes from user plugin that enforce the number to be >0.
>>>>>> That is a good point giving the ability to reset uidNumber/gidNumber.
>>>>>> I will check if it is possible, how (give a value or an option to
>>>>>> reset), and also if it would not create other issue.
>>>>>>> 4) Support for deleted -> stage workflow is still missing. But I'm
>>>>>>> unsure if we
>>>>>>> agreed to finish it now or later.
>>>>>> Yes thanks
>>>>>>> 5) Twice deleting user with '--preserve' deletes him permanently.
>>>>>>> $ ipa user-add tuser --first Test --last User
>>>>>>> $ ipa user-del tuser --preserve
>>>>>>> $ ipa user-del tuser --preserve
>>>>>>> $ ipa user-find --preserved
>>>>>>> ------------------------
>>>>>>> 0 (delete) users matched
>>>>>>> ------------------------
>>>>>>> ----------------------------
>>>>>>> Number of entries returned 0
>>>>>>> ----------------------------
>>>>>> Deleting a deleted (preserved) entry, should permanently remove the
>>>>>> entry.
>>> +1, but no-op if default behavior is "preserve"
>>>
>>>>>> Now if the second time the preserve option is present, it makes
>>>>>> sense to
>>>>>> not delete it.
>>> +1, should be no-op
>>>
>>>>> BTW: I might be stating the obvious here, but it would be better to
>>>>> use
>>>>> one boolean parameter rather than two mutually exclusive flags in
>>>>> user-del.
>>>> I would like an opinion on this as well.
>>>>
>>> So the proposal is, e.g.,:
>>>
>>> Replace:
>>> ipa user del fbar --preserve
>>> ipa user del fbar --permanently
>>> with:
>>> ipa user del fbar --permanently=False
>>> ipa user del fbar --permanently=True
>>> and
>>> ipa user del fbar
>>> uses the default behavior(permanently atm.)
>>>
>>> I don't think there is a big difference. A boolean is easier for
>>> scripting. 2 options are more descriptive for humans. With a single
>>> boolean, I would be afraid that omitting it would imply False to some
>>> users which is not always the same as "the default behavior" [1].
>>>
>>> With Web UI developer hat I would vote for single boolean but as a CLI
>>> user I would like the current options.
>>>
>>> Given that Web UI or any other API client should not define CLI, I would
>>> keep the current options.
>>>
>>> my 2c
>>>
>>> [1]
>>> http://www.freeipa.org/page/V4/User_Life-Cycle_Management#Delete_User
>>> --
>>> Petr Vobornik
>>>
>> +1 --preserve is 100x better for a human than --permanently=False
>
> I also prefer --preserve for usability of 'user del'.
>
> In addition we have 'user find|show --preserved' to retrieve users that
> have been preserved. So it seems to me better that the action that
> preserved the user uses the option '--preserve' rather than
> '--permanently=False'.

It's ridiculous that the CLI taints the RPC API and it should be fixed.

Also on a more nitpicky side, I think the flag should be called
--no-preserve rather than --permanently. There are plenty of commands
(rm, cp, ...) which have --no-preserve as the opposite of --preserve.

The attached patch fixes both.

--
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-446-User-life-cycle-change-user-del-flags-to-be-CLI-spec.patch
Type: text/x-patch
Size: 4544 bytes
Desc: not available
URL:

From pspacek at redhat.com Thu Jun 18 07:53:33 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 18 Jun 2015 09:53:33 +0200
Subject: [Freeipa-devel] Community Portal Prototype
In-Reply-To: <5581C8D0.6060203@redhat.com>
References: <5581C8D0.6060203@redhat.com>
Message-ID: <558278FD.5070609@redhat.com>

On 17.6.2015 21:21, Drew Erny wrote:
> Hello, all,
>
> I've built a prototype of the community portal, and I'd like a quick sanity
> check on it. If someone would look over the architecture of this code and make
> sure that the design is sensible before I proceed any further, that would be
> very helpful. The source code can be found here:
> https://github.com/dperny/freeipa-communityportal
>
> This code should run on your machine, and you should be able to add users to
> the staging tree. It might not, however; the point is to have the code looked
> at before I spend any more time on it.
>
> The Community Portal prototype is a Python Flask web-application that acts as
> a client to a FreeIPA server. It collects input from the unwashed masses (in
> the form of a user sign-up page) and then sends it to the FreeIPA server. This
> way, the Community Portal acts like a gateway between the FreeIPA server and
> the anonymous community users, restricting the commands they can send to the
> server.
>
> Right now, the server imports FreeIPA's Python ipalib module, which allows it
> to act like a client. It uses api.Command.stageuser_add(...) to add new users
> to the staging area of the FreeIPA database. It then sends an email to the
> admin (or, rather, it logs an email to the console instead of sending one, in
> the prototype) to alert them to the fact that a user has signed up.
>
> All feedback is welcome.

It seems reasonable except for two things:

a) Most importantly, obtaining credentials for authentication to the FreeIPA
server is completely missing. You need to 'somehow' fill in Kerberos credential
cache with a valid ticket (~ equivalent of kinit ) and use this ticket for
authentication to the FreeIPA server.
Ugly and hacky way to do that can be seen in
https://git.fedorahosted.org/cgit/freeipa.git/tree/daemons/dnssec/ipa-ods-exporter?id=4dfa23256dc2e35480843beef92e03b1bafd578b#n395

Maybe you should use GSS-Proxy so your code does not have to deal with
authentication at all and let GSS-Proxy do that for you behind the scenes.
https://fedoraproject.org/wiki/Features/gss-proxy
https://fedorahosted.org/gss-proxy/

Please ask Simo for further details.

b) I understand that this is a first prototype but we should replace the
e-mailing thingy before we release it. Direct generation of e-mails goes
against the spirit of (envisioned) notification system and has its inherent
problems.
- It is not going to scale if you have a lot of requests.
- Does not allow additional logic (auto-approval/denial based on some criteria
etc.) built on top of that.

Also, e.g. public website using FreeIPA behind the scenes for user management
might want to auto-approve accounts and put them to some pre-defined group with
lowest possible privileges. D-Bus hooks make this auto-approval possible and
do not depend on a cron job, i.e. eliminate the delay. The hook can of course
do anything, use your imagination :-)

I hope this helps to clarify why I insist on proper hook.

--
Petr^2 Spacek

From ofayans at redhat.com Thu Jun 18 08:39:39 2015
From: ofayans at redhat.com (Oleg Fayans)
Date: Thu, 18 Jun 2015 10:39:39 +0200
Subject: [Freeipa-devel] disabling topology segment has no effect
In-Reply-To: <558197ED.7080502@redhat.com>
References: <558177FD.8010602@redhat.com> <558180FD.8010407@redhat.com> <55818837.10907@redhat.com> <55818B63.9010505@redhat.com> <55818D37.7070006@redhat.com> <55818EB2.2050608@redhat.com> <558191B0.6020304@redhat.com> <55819377.2000206@redhat.com> <558195BE.3070403@redhat.com> <558197ED.7080502@redhat.com>
Message-ID: <558283CB.5060907@redhat.com>

Hi Ludwig,

I've saved and analyzed all the console outputs from my activity on master
and replica1 (from consoles that I by chance did not close). I was not able
to detect the moment when the things went wrong. My guess is that the changes
in topology get replicated slowly enough to be able to introduce 2
contradictory changes on different nodes, which leads to infrastructure
inconsistency. It could also be that at some point I made topology changes
having one of the nodes turned off, which could have led to temporary loss in
infrastructure integrity.

Right now I have 4 nodes, one of which has incorrect topology data. As a
result any changes that are made on this node do not get replicated on
others, while changes made on other nodes do get replicated to this first
one.

Today I'll try to reproduce this on fresh VMs with the fresh code.
On 06/17/2015 05:53 PM, Ludwig Krispenz wrote:
>
> On 06/17/2015 05:43 PM, Oleg Fayans wrote:
>>
>> On 06/17/2015 05:34 PM, Ludwig Krispenz wrote:
>>>
>>> On 06/17/2015 05:26 PM, Oleg Fayans wrote:
>>>> Hi Ludwig,
>>>>
>>>> On 06/17/2015 05:13 PM, Ludwig Krispenz wrote:
>>>>> Hi,
>>>>> On 06/17/2015 05:07 PM, Oleg Fayans wrote:
>>>>>>
>>>>>> On 06/17/2015 04:59 PM, Ludwig Krispenz wrote:
>>>>>>>
>>>>>>> On 06/17/2015 04:46 PM, Oleg Fayans wrote:
>>>>>>>> Hi Ludwig,
>>>>>>>>
>>>>>>>> On 06/17/2015 04:15 PM, Ludwig Krispenz wrote:
>>>>>>>>>
>>>>>>>>> On 06/17/2015 03:37 PM, Oleg Fayans wrote:
>>>>>>>>>> Hi Ludwig, Petr,
>>>>>>>>>>
>>>>>>>>>> Presently I have noticed that disabling a segment, using `ipa
>>>>>>>>>> topologysegment-mod realm replica1-to-replica2
>>>>>>>>>> --enabled=off` does not have effect on the way the data is
>>>>>>>>>> replicated.
>>>>>>>>>>
>>>>>>>>>> I mean that if we have the following topology:
>>>>>>>>>> master <-> replica1 <-> replica2
>>>>>>>>> on which server did you apply the mod ?
>>>>>>>> On master.
>>>>>>> just to be clear, you have master <-> replica1 <-> replica2
>>>>>>> on master you disable replica1-replica2
>>>>>>> why would you expect mods on master not to be replicated ? at
>>>>>>> least to replica1 ?
>>>>>>> the disable should only affect the connection between r1 and r2.
>>>>>>> There is one problem in this linear topology, the disable
>>>>>>> reaches r1, it disables the agmt to r2 and so fails to
>>>>>>> replicate the disable to r2.
>>>>>>
>>>>>> To be precise, my topology is as follows
>>>>>>
>>>>>> master <-> replica3 <-> replica2 <-> replica1
>>>>>> And I disabled the replica3 <-> replica2. So I expected the
>>>>>> changes on master to be only visible on master and replica3, but
>>>>>> actually it kept replicating to all nodes.
>>>>>>
>>>>>> root at f22replica1:/home/ofayans]$ ipa topologysegment-find realm
>>>>>> ------------------
>>>>>> 3 segments matched
>>>>>> ------------------
>>>>>>   Segment name: f22master.bagam.net-to-f22replica3.bagam.net
>>>>>>   Left node: f22master.bagam.net
>>>>>>   Right node: f22replica3.bagam.net
>>>>>>   Connectivity: both
>>>>>>
>>>>>>   Segment name: replica1-to-replica2
>>>>>>   Left node: f22replica1.bagam.net
>>>>>>   Right node: f22replica2.bagam.net
>>>>>>   Connectivity: both
>>>>>>
>>>>>>   Segment name: replica3-to-replica2
>>>>>>   Left node: f22replica3.bagam.net
>>>>>>   Right node: f22replica2.bagam.net
>>>>>>   Connectivity: both
>>>>>> ----------------------------
>>>>>> Number of entries returned 3
>>>>>> ----------------------------
>>>>>> root at f22replica1:/home/ofayans]$ ipa topologysegment-show realm replica3-to-replica2
>>>>>>   Segment name: replica3-to-replica2
>>>>>>   Left node: f22replica3.bagam.net
>>>>>>   Right node: f22replica2.bagam.net
>>>>>>   Connectivity: both
>>>>>>   Replication agreement enabled: off
>>>>> can you do a ldapsearch on cn=realm,cn=topology, ......
>>>> $ ldapsearch -LLL -b "cn=realm,cn=topology,cn=ipa,cn=etc,dc=bagam,dc=net" -D "cn=Directory Manager" -w ''
>>>> dn: cn=realm,cn=topology,cn=ipa,cn=etc,dc=bagam,dc=net
>>>> cn: realm
>>>> ipaReplTopoConfRoot: dc=bagam,dc=net
>>>> objectClass: top
>>>> objectClass: iparepltopoconf
>>>>
>>>> dn: cn=replica1-to-replica2,cn=realm,cn=topology,cn=ipa,cn=etc,dc=bagam,dc=net
>>>> ipaReplTopoSegmentRightNode: f22replica2.bagam.net
>>>> ipaReplTopoSegmentDirection: both
>>>> cn: replica1-to-replica2
>>>> ipaReplTopoSegmentLeftNode: f22replica1.bagam.net
>>>> objectClass: iparepltoposegment
>>>> objectClass: top
>>> replica1 - replica2
>>>>
>>>> dn: cn=f22master.bagam.net-to-f22replica3.bagam.net,cn=realm,cn=topology,cn=ipa,cn=etc,dc=bagam,dc=net
>>>> ipaReplTopoSegmentDirection: both
>>>> objectClass: iparepltoposegment
>>>> objectClass: top
>>>> cn: f22master.bagam.net-to-f22replica3.bagam.net
>>>> ipaReplTopoSegmentLeftNode: f22master.bagam.net
>>>> ipaReplTopoSegmentRightNode: f22replica3.bagam.net
>>>> ipaReplTopoSegmentStatus: autogen
>>> master - replica3
>>>>
>>>> dn: cn=f22replica3.bagam.net-f22replica1.bagam.net,cn=realm,cn=topology,cn=ipa,cn=etc,dc=bagam,dc=net
>>>> objectClass: iparepltoposegment
>>>> objectClass: top
>>>> ipaReplTopoSegmentLeftNode: f22replica3.bagam.net
>>>> cn: f22replica3.bagam.net-f22replica1.bagam.net
>>>> ipaReplTopoSegmentDirection: both
>>>> ipaReplTopoSegmentRightNode: f22replica1.bagam.net
>>> replica3 - replica1
>>> but this does not match your segment-find output, there is no
>>> segment replica2 - replica3
>> You know what, this is because I did ldapsearch on replica3, while I
>> posted the results of topologysegment-find run on replica1.
>> But this means that there is a breakage in the replication between
>> replica1 and the rest of topology (the result of topologysegment-find
>> is the same across master-replica2-replica3 and different on replica1)
> the replication agreements on r3 match the output of the cn=realm
> search, saying you have a topology
> master <--> r3 <--> r1 <--> r2.
>
> could it be that you made changes while the segment was (partially)
> disabled. We would need the full history of topology changes
>>
>>>>> and on replica3 do a search -b "cn=config"
>>>>> "objectclass=nsds5replicationagreement"
>>>> $ ldapsearch -LLL -b "cn=config" "objectclass=nsds5replicationagreement" -D "cn=Directory Manager" -w ''
>>>> dn: cn=f22replica3.bagam.net-to-f22replica1.bagam.net,cn=replica,cn=dc\3Dbagam\2Cdc\3Dnet,cn=mapping tree,cn=config
>>>> objectClass: nsds5replicationagreement
>>>> objectClass: ipaReplTopoManagedAgreement
>>>> objectClass: top
>>>> cn: f22replica3.bagam.net-to-f22replica1.bagam.net
>>>> nsDS5ReplicaHost: f22replica1.bagam.net
>>>> nsDS5ReplicaPort: 389
>>>> nsds5replicaTimeout: 300
>>>> nsDS5ReplicaRoot: dc=bagam,dc=net
>>>> description: f22replica3.bagam.net to f22replica1.bagam.net
>>>> ipaReplTopoManagedAgreementState: managed agreement - generated by topology plugin
>>>> nsDS5ReplicaTransportInfo: LDAP
>>>> nsDS5ReplicaBindMethod: SASL/GSSAPI
>>>> nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
>>>> nsds5ReplicaStripAttrs: modifiersName modifyTimestamp internalModifiersName internalModifyTimestamp
>>>> nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
>>>> nsds5replicareapactive: 0
>>>> nsds5replicaLastUpdateStart: 20150617151930Z
>>>> nsds5replicaLastUpdateEnd: 20150617151930Z
>>>> nsds5replicaChangesSentSinceStartup:: Njo1LzMyOSA0OjcvMCA=
>>>> nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded
>>>> nsds5replicaUpdateInProgress: FALSE
>>>> nsds5replicaLastInitStart: 19700101000000Z
>>>> nsds5replicaLastInitEnd: 19700101000000Z
>>>>
>>>> dn: cn=meTof22master.bagam.net,cn=replica,cn=dc\3Dbagam\2Cdc\3Dnet,cn=mapping tree,cn=config
>>>> cn: meTof22master.bagam.net
>>>> description: me to f22master.bagam.net
>>>> ipaReplTopoManagedAgreementState: managed agreement - controlled by topology plugin
>>>> nsDS5ReplicaBindMethod: SASL/GSSAPI
>>>> nsDS5ReplicaHost: f22master.bagam.net
>>>> nsDS5ReplicaPort: 389
>>>> nsDS5ReplicaRoot: dc=bagam,dc=net
>>>> nsDS5ReplicaTransportInfo: LDAP
>>>> nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
>>>> nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
>>>> nsds50ruv: {replicageneration} 557fdff1000000040000
>>>> nsds50ruv: {replica 4 ldap://f22master.bagam.net:389} 557fdffc000100040000 55800f44000300040000
>>>> nsds50ruv: {replica 6 ldap://f22replica3.bagam.net:389} 55800e1b000000060000 55800f44000400060000
>>>> nsds50ruv: {replica 5 ldap://f22replica2.bagam.net:389} 557fed70000000050000 55800553000300050000
>>>> nsds50ruv: {replica 3 ldap://f22replica1.bagam.net:389} 557fdffa000000030000 558009b4000200030000
>>>> nsds5ReplicaStripAttrs: modifiersName modifyTimestamp internalModifiersName internalModifyTimestamp
>>>> nsds5replicaTimeout: 120
>>>> nsruvReplicaLastModified: {replica 4 ldap://f22master.bagam.net:389} 00000000
>>>> nsruvReplicaLastModified: {replica 6 ldap://f22replica3.bagam.net:389} 00000000
>>>> nsruvReplicaLastModified: {replica 5 ldap://f22replica2.bagam.net:389} 00000000
>>>> nsruvReplicaLastModified: {replica 3 ldap://f22replica1.bagam.net:389} 00000000
>>>> objectClass: nsds5replicationagreement
>>>> objectClass: top
>>>> objectClass: ipaReplTopoManagedAgreement
>>>> nsds5replicareapactive: 0
>>>> nsds5replicaLastUpdateStart: 20150617151930Z
>>>> nsds5replicaLastUpdateEnd: 20150617151930Z
>>>> nsds5replicaChangesSentSinceStartup:: Njo1LzMzNCA=
>>>> nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded
>>>> nsds5replicaUpdateInProgress: FALSE
>>>> nsds5replicaLastInitStart: 19700101000000Z
>>>> nsds5replicaLastInitEnd: 19700101000000Z
>>>>
>>>> dn: cn=cloneAgreement1-f22replica3.bagam.net-pki-tomcat,cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
>>>> cn: cloneAgreement1-f22replica3.bagam.net-pki-tomcat
>>>> description: cloneAgreement1-f22replica3.bagam.net-pki-tomcat
>>>> nsDS5ReplicaBindDN: cn=Replication Manager masterAgreement1-f22replica3.bagam.net-pki-tomcat,ou=csusers,cn=config
>>>> nsDS5ReplicaBindMethod: Simple
>>>> nsDS5ReplicaCredentials: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVGRERBNEJDUTRZbVk0TUdFM1l5MHpZV1F4TTJFeg0KTnkwNE5HVXhNamczTmkxak1qSmtNalkwTndBQ0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQmxGYWZ1U3ROY2pNbVJ4NFNUc2pBcQ==}j+d3WWGnksSdSnVQ2S0irQ==
>>>> nsDS5ReplicaHost: f22master.bagam.net
>>>> nsDS5ReplicaPort: 389
>>>> nsDS5ReplicaRoot: o=ipaca
>>>> nsDS5ReplicaTransportInfo: TLS
>>>> nsds50ruv: {replicageneration} 557fe04c000000600000
>>>> nsds50ruv: {replica 96 ldap://f22master.bagam.net:389} 557fe05b000000600000 55800ea7000000600000
>>>> nsds50ruv: {replica 86 ldap://f22replica3.bagam.net:389} 55800eb4000000560000 55800eb6000200560000
>>>> nsds50ruv: {replica 91 ldap://f22replica2.bagam.net:389} 557fede80000005b0000 557fedea0002005b0000
>>>> nsds50ruv: {replica 97 ldap://f22replica1.bagam.net:389} 557fe06c000000610000 557fe326000000610000
>>>> nsruvReplicaLastModified: {replica 96 ldap://f22master.bagam.net:389} 00000000
>>>> nsruvReplicaLastModified: {replica 86 ldap://f22replica3.bagam.net:389} 00000000
>>>> nsruvReplicaLastModified: {replica 91 ldap://f22replica2.bagam.net:389} 00000000
>>>> nsruvReplicaLastModified: {replica 97 ldap://f22replica1.bagam.net:389} 00000000
>>>> objectClass: top
>>>> objectClass: nsds5replicationagreement
>>>> nsds5replicareapactive: 0
>>>> nsds5replicaLastUpdateStart: 20150617150850Z
>>>> nsds5replicaLastUpdateEnd: 20150617150850Z
>>>> nsds5replicaChangesSentSinceStartup:
>>>> nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded
>>>> nsds5replicaUpdateInProgress: FALSE
>>>> nsds5replicaLastInitStart: 19700101000000Z
>>>> nsds5replicaLastInitEnd: 19700101000000Z
>>>>
>>>>>
>>>>> would like to see the raw data.
>>>>>>
>>>>>>>
>>>>>>>> It reproduces though even in a situation with the topology
>>>>>>>> replica3 <-> master <-> replica1 <-> replica2 and you disable
>>>>>>>> the replica1-replica2 segment on replica3 (quite expectedly)
>>>>>>>>>> and disable one of the segments, one would expect the changes
>>>>>>>>>> implemented on master would not be replicated to other nodes
>>>>>>>>>> (or do I misunderstand the concept of disabling a segment?).
>>>>>>>>>> However, in reality any changes in master do get replicated
>>>>>>>>>> despite the segment being disabled.
>>>>>>>>>>
>>>>>>>>>> Is it a correct behavior?
>>>>>>>>>>
>>>>>>>>>> The second question is: if disabled segments should not let
>>>>>>>>>> the changes through, then we probably should implement a
>>>>>>>>>> check for topology disconnection in similar way as `ipa
>>>>>>>>>> topologysegment-del` does. I mean, whenever a user tries to
>>>>>>>>>> disable a segment, the plugin should probably check whether
>>>>>>>>>> it disconnects any of the nodes.
>>>>>>>>> well, I think disabling should be temporary, you want to
>>>>>>>>> disconnect for some time. eg for debugging, not deleting the
>>>>>>>>> agreement completely, I would allow this.
>>>>>>>>>

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

From jcholast at redhat.com Thu Jun 18 10:52:56 2015
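Oleg's second question in the topology thread above is whether disabling a segment should be refused when it would cut part of the topology off, the way `ipa topologysegment-del` already refuses to disconnect nodes. The block below is an added example, not code from FreeIPA's topology plugin: it unfolds a constructed LDIF snippet modelled on the cn=realm,cn=topology entries shown in the thread, builds the replication graph from the iparepltoposegment entries, and reports which hosts the segment's left node could no longer reach if that one segment were disabled. The direction values 'left-right' and 'right-left' used for one-way segments are an assumption; the thread only shows 'both'.

```python
"""Added example: would disabling a topology segment partition the replication graph?"""
from collections import deque

# Constructed sample LDIF: the three segments the ldapsearch on replica3
# returned in the thread (linear topology master - r3 - r1 - r2), with the
# long dn lines folded the way LDIF folds them (continuation = leading space).
SAMPLE_LDIF = """\
dn: cn=realm,cn=topology,cn=ipa,cn=etc,dc=bagam,dc=net
cn: realm
ipaReplTopoConfRoot: dc=bagam,dc=net
objectClass: top
objectClass: iparepltopoconf

dn: cn=replica1-to-replica2,cn=realm,cn=topology,cn=ipa,cn=etc,dc=bagam,dc=net
ipaReplTopoSegmentRightNode: f22replica2.bagam.net
ipaReplTopoSegmentDirection: both
cn: replica1-to-replica2
ipaReplTopoSegmentLeftNode: f22replica1.bagam.net
objectClass: iparepltoposegment
objectClass: top

dn: cn=f22master.bagam.net-to-f22replica3.bagam.net,cn=realm,cn=topology,cn=ip
 a,cn=etc,dc=bagam,dc=net
ipaReplTopoSegmentDirection: both
objectClass: iparepltoposegment
objectClass: top
cn: f22master.bagam.net-to-f22replica3.bagam.net
ipaReplTopoSegmentLeftNode: f22master.bagam.net
ipaReplTopoSegmentRightNode: f22replica3.bagam.net
ipaReplTopoSegmentStatus: autogen

dn: cn=f22replica3.bagam.net-f22replica1.bagam.net,cn=realm,cn=topology,cn=ipa
 ,cn=etc,dc=bagam,dc=net
objectClass: iparepltoposegment
objectClass: top
ipaReplTopoSegmentLeftNode: f22replica3.bagam.net
cn: f22replica3.bagam.net-f22replica1.bagam.net
ipaReplTopoSegmentDirection: both
ipaReplTopoSegmentRightNode: f22replica1.bagam.net
"""

LEFT = "ipaReplTopoSegmentLeftNode".lower()
RIGHT = "ipaReplTopoSegmentRightNode".lower()
DIRECTION = "ipaReplTopoSegmentDirection".lower()


def parse_segments(ldif_text):
    """Return {segment cn: (left, right, direction)} for every iparepltoposegment entry."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:      # LDIF continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    segments, entry = {}, {}
    for line in lines + [""]:                  # trailing "" flushes the last entry
        if not line:
            classes = {v.lower() for v in entry.get("objectclass", [])}
            if "iparepltoposegment" in classes:
                segments[entry["cn"][0]] = (
                    entry[LEFT][0], entry[RIGHT][0],
                    entry.get(DIRECTION, ["both"])[0],
                )
            entry = {}
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return segments


def build_graph(segments, disabled=()):
    """Directed adjacency of the replication graph without the disabled segments."""
    adj = {}
    for name, (left, right, direction) in segments.items():
        adj.setdefault(left, set())
        adj.setdefault(right, set())
        if name in disabled:
            continue
        # 'both' replicates either way; the one-way spellings are assumed.
        if direction in ("both", "left-right"):
            adj[left].add(right)
        if direction in ("both", "right-left"):
            adj[right].add(left)
    return adj


def reachable_from(adj, start):
    """Breadth-first set of hosts that updates from `start` can still reach."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in adj[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def unreachable_after_disable(segments, name):
    """Hosts cut off from the segment's left node if `name` were disabled.

    An empty set means the topology stays connected and the disable is safe
    in the sense topologysegment-del checks; in a linear chain every segment
    disables into a partition, which is exactly the r1/r2 case in the thread.
    """
    adj = build_graph(segments, disabled={name})
    left = segments[name][0]
    return frozenset(adj) - reachable_from(adj, left)


if __name__ == "__main__":
    segs = parse_segments(SAMPLE_LDIF)
    for seg in segs:
        cut = sorted(unreachable_after_disable(segs, seg))
        print(f"disable {seg}: {'stays connected' if not cut else 'cuts off ' + ', '.join(cut)}")
```

Running it on the sample prints that every one of the three segments cuts something off, which is the property the chain topology in the thread has: a disable that lands on r1 removes the only path by which the disable itself could reach r2.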
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 18 Jun 2015 12:52:56 +0200
Subject: [Freeipa-devel] [PATCH] 0005 User life cycle: del/mod/find/show stageuser commands
In-Reply-To: <55827380.3050607@redhat.com>
References: <552F964E.2060304@redhat.com> <553F437D.5080103@redhat.com> <553F44B7.6040100@redhat.com> <553F476E.8080502@redhat.com> <553F9BCE.6010000@redhat.com> <554869C3.2040509@redhat.com> <5551EF3E.1060503@redhat.com> <555216B9.1070106@redhat.com> <205373726.22060212.1431701099532.JavaMail.zimbra@redhat.com> <5559A3DD.7030002@redhat.com> <555C5348.2030202@redhat.com> <5576D5BB.8020500@redhat.com> <557EE5D3.8090408@redhat.com> <1434380423.22266.14.camel@willson.usersys.redhat.com> <557EEF72.7010507@redhat.com> <55827380.3050607@redhat.com>
Message-ID: <5582A308.506@redhat.com>

Dne 18.6.2015 v 09:30 Jan Cholasta napsal(a):
> Dne 15.6.2015 v 17:29 thierry bordaz napsal(a):
>> On 06/15/2015 05:00 PM, Simo Sorce wrote:
>>> On Mon, 2015-06-15 at 16:48 +0200, Petr Vobornik wrote:
>>>> On 06/09/2015 02:02 PM, Jan Cholasta wrote:
>>>>> Dne 20.5.2015 v 11:26 Jan Cholasta napsal(a):
>>>>>> Dne 18.5.2015 v 10:33 thierry bordaz napsal(a):
>>>>>>> On 05/15/2015 04:44 PM, David Kupka wrote:
>>>>>>>> Hello Thierry,
>>>>>>>> thanks for the patch set. Overall functionality of ULC feature looks
>>>>>>>> good to me and is definitely "alpha ready".
>>>>>>>>
>>>>>>>> I found following issues but don't insist on fixing it right now:
>>>>>>>>
>>>>>>>> 1) When stageuser-activate fails due to already existent
>>>>>>>> active/deleted user.
>>>>>>>> DN is shown instead of user name that's used in other commands
>>>>>>>> (user-add, stageuser-add).
>>>>>>>> $ ipa user-add tuser --first Test --last User
>>>>>>>> $ ipa stageuser-add tuser --first Test --last User
>>>>>>>> $ ipa stageuser-activate tuser
>>>>>>>> ipa: ERROR: Active user
>>>>>>>> uid=tuser,cn=users,cn=accounts,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
>>>>>>>> already exists
>>>>>>> Hi David, Jan,
>>>>>>>
>>>>>>> Thank you so much for all those tests and feedback. I agree, some minor
>>>>>>> bugs can be fixed separately from these main patches.
>>>>>>>
>>>>>>> You are right, it should return the user ID not the DN.
>>>>>>>
>>>>>>>> 2) According to the design there should be '--only-delete' and '--also-delete'
>>>>>>>> options for user-find command instead there is '--preserved' option.
>>>>>>>> Honza proposed adding virtual boolean attribute 'deleted' to user entry and
>>>>>>>> filter on it.
>>>>>>>> The 'deleted' attribute would be useful also in user-show where there is no
>>>>>>>> way to tell if the displayed user is active or deleted. (Except running with
>>>>>>>> --all and looking on the dn).
>>>>>>> Yes a bit late to resync the design.
>>>>>>> The final option is 'preserved' for user-find and 'preserve' for
>>>>>>> user-del. '--only-delete' or '--also-delete' are old names that I need to
>>>>>>> replace in the design.
>>>>>>>
>>>>>>> About the 'deleted' attribute, do you think adding a DS cos virtual
>>>>>>> attribute ?
>>>>>> See the attached patch.
>>>>> Can someone please review the patch?
>>>>>
>>>>>>>> 3) uidNumber and gidNumber can't be set back to '-1' once set to other
>>>>>>>> value.
>>>>>>>> This would be useful when admin changes its mind and wants IPA to
>>>>>>>> assign them.
>>>>>>>> IIUC, there should be no validation in cn=staged user container. All
>>>>>>>> validation should be done during stageuser-activate.
>>>>>>> Yes that comes from user plugin that enforces the number to be >0.
>>>>>>> That is a good point giving the ability to reset uidNumber/gidNumber.
>>>>>>> I will check if it is possible, how (give a value or an option to
>>>>>>> reset), and also if it would not create other issues.
>>>>>>>> 4) Support for deleted -> stage workflow is still missing. But I'm
>>>>>>>> unsure if we agreed to finish it now or later.
>>>>>>> Yes thanks
>>>>>>>> 5) Twice deleting user with '--preserve' deletes him permanently.
>>>>>>>> $ ipa user-add tuser --first Test --last User
>>>>>>>> $ ipa user-del tuser --preserve
>>>>>>>> $ ipa user-del tuser --preserve
>>>>>>>> $ ipa user-find --preserved
>>>>>>>> ------------------------
>>>>>>>> 0 (delete) users matched
>>>>>>>> ------------------------
>>>>>>>> ----------------------------
>>>>>>>> Number of entries returned 0
>>>>>>>> ----------------------------
>>>>>>> Deleting a deleted (preserved) entry should permanently remove the
>>>>>>> entry.
>>>> +1, but no-op if default behavior is "preserve"
>>>>
>>>>>>> Now if the second time the preserve option is present, it makes
>>>>>>> sense to not delete it.
>>>> +1, should be no-op
>>>>
>>>>>> BTW: I might be stating the obvious here, but it would be better to
>>>>>> use one boolean parameter rather than two mutually exclusive flags in
>>>>>> user-del.
>>>>> I would like an opinion on this as well.
>>>>>
>>>> So the proposal is, e.g.:
>>>>
>>>> Replace:
>>>>   ipa user del fbar --preserve
>>>>   ipa user del fbar --permanently
>>>> with:
>>>>   ipa user del fbar --permanently=False
>>>>   ipa user del fbar --permanently=True
>>>> and
>>>>   ipa user del fbar
>>>> uses the default behavior (permanently atm.)
>>>>
>>>> I don't think there is a big difference. A boolean is easier for
>>>> scripting. 2 options are more descriptive for humans. With a single
>>>> boolean, I would be afraid that omitting it would imply False to some
>>>> users which is not always the same as "the default behavior" [1].
>>>>
>>>> With Web UI developer hat I would vote for single boolean but as a CLI
>>>> user I would like the current options.
>>>>
>>>> Given that Web UI or any other API client should not define CLI, I would
>>>> keep the current options.
>>>>
>>>> my 2c
>>>>
>>>> [1]
>>>> http://www.freeipa.org/page/V4/User_Life-Cycle_Management#Delete_User
>>>> --
>>>> Petr Vobornik
>>>>
>>> +1 --preserve is 100x better for a human than --permanently=False
>>
>> I also prefer --preserve for usability of 'user del'.
>>
>> In addition we have 'user find|show --preserved' to retrieve users that
>> have been preserved. So it seems to me better that the action that
>> preserved the user uses the option '--preserve' rather than
>> '--permanently=False'.
>
> It's ridiculous that the CLI taints the RPC API and it should be fixed.
>
> Also on a more nitpicky side, I think the flag should be called
> --no-preserve rather than --permanently. There are plenty of commands
> (rm, cp, ...) which have --no-preserve as the opposite of --preserve.
>
> The attached patch fixes both.

... and it also accidentally changes the default behavior. Updated patch
attached.

--
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-446.1-User-life-cycle-change-user-del-flags-to-be-CLI-spec.patch
Type: text/x-patch
Size: 4196 bytes
Desc: not available
URL:

From jcholast at redhat.com Thu Jun 18 11:18:45 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 18 Jun 2015 13:18:45 +0200
Subject: [Freeipa-devel] with new cert profiles patches ipa-replica-prepare fails after update
In-Reply-To: <20150617102634.GK29330@dhcp-40-8.bne.redhat.com>
References: <55705AC8.4070502@redhat.com> <55793FC7.8010004@redhat.com> <20150612131852.GA29330@dhcp-40-8.bne.redhat.com> <557AE2FA.3070004@redhat.com> <20150617102634.GK29330@dhcp-40-8.bne.redhat.com>
Message-ID: <5582A915.3020404@redhat.com>

Dne 17.6.2015 v 12:26 Fraser Tweedale napsal(a):
> On Fri, Jun 12, 2015 at 03:47:38PM +0200, Petr Vobornik wrote:
>> On 06/12/2015 03:18 PM, Fraser Tweedale wrote:
>>> On Thu, Jun 11, 2015 at 09:59:03AM +0200, Martin Babinsky wrote:
>>>> On 06/04/2015 04:03 PM, Petr Vobornik wrote:
>>>>> - ipa-replica-prepare works
>>>>> - old IPA server was upgraded to today's master (with Cert profiles
>>>>> patches)
>>>>> - ipa-replica-prepare fails with:
>>>>>
>>>>> Log:
>>>>>
>>>>> ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
>>>>> ipa: DEBUG: cert valid True for "CN=repl.example.com,O=EXAMPLE.COM"
>>>>> ipa: DEBUG: handshake complete, peer = [beef::cafe]:8443
>>>>> ipa: DEBUG: Protocol: TLS1.2
>>>>> ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_128_GCM_SHA256
>>>>> ipa: DEBUG: request status 200
>>>>> ipa: DEBUG: request reason_phrase u'OK'
>>>>> ipa: DEBUG: request headers {'date': 'Thu, 04 Jun 2015 13:54:09 GMT',
>>>>> 'content-length': '148', 'content-type': 'application/xml', 'server':
>>>>> 'Apache-Coyote/1.1'}
>>>>> ipa: DEBUG: request body '
>>>>> standalone="no"?>1Profile
>>>>> caIPAserviceCert Not Found'
>>>>> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:   File
>>>>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
>>>>> execute
>>>>>     return_value = self.run()
>>>>>   File
>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
>>>>> line 338, in run
>>>>>     self.copy_ds_certificate()
>>>>>   File
>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
>>>>> line 383, in copy_ds_certificate
>>>>>     self.export_certdb("dscert", passwd_fname)
>>>>>   File
>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
>>>>> line 595, in export_certdb
>>>>>     db.create_server_cert(nickname, hostname, ca_db)
>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
>>>>> line 337, in create_server_cert
>>>>>     cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
>>>>> line 419, in issue_server_cert
>>>>>     raise RuntimeError("Certificate issuance failed")
>>>>>
>>>>
>>>> Bump, I have also come across this issue (see log:
>>>> http://pastebin.test.redhat.com/289434).
>>>>
>>>> --
>>>> Martin^3 Babinsky
>>>
>>> It was reported to me that the issue was reproducible after upgrade
>>> from 4.1.4 to master, but I was not able to reproduce. Can anyone
>>> who has encountered it please:
>>>
>>> - state fedora version(s) affected and precise build of Dogtag
>>> - provide ipaupgrade.log and /var/log/pki/pki-tomcat/ca/debug
>>>
>>> Thanks,
>>> Fraser
>>>
>>
>> I see similar issue when creating a replica file from second
>> replica/master, all git master. I.e. the prepare on first server obviously
>> works.
>>
>> The error is different though:
>>
>> ipa: DEBUG: request status 200
>> ipa: DEBUG: request reason_phrase u'OK'
>> ipa: DEBUG: request headers {'date': 'Fri, 12 Jun 2015 13:46:32 GMT',
>> 'content-length': '133', 'content-type': 'application/xml', 'server':
>> 'Apache-Coyote/1.1'}
>> ipa: DEBUG: request body '
>> standalone="no"?>1Invalid
>> Credential.'
>> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:   File
>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
>> execute
>>     return_value = self.run()
>>   File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
>> line 338, in run
>>     self.copy_ds_certificate()
>>   File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
>> line 383, in copy_ds_certificate
>>     self.export_certdb("dscert", passwd_fname)
>>   File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
>> line 595, in export_certdb
>>     db.create_server_cert(nickname, hostname, ca_db)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line
>> 337, in create_server_cert
>>     cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line
>> 419, in issue_server_cert
>>     raise RuntimeError("Certificate issuance failed")
>>
>> --
>> Petr Vobornik
>
> I spent some time debugging this issue today. It appears to be
> introduced by commit:
>
> commit 2acedb2d5d4a4c0987c670e14eb04b8bd9ffc034
> Author: David Kupka
> Date:   Mon Jun 8 05:23:56 2015 +0000
>
>     Move CA installation code into single module.
>
>     https://fedorahosted.org/freeipa/ticket/4468
>
>     Reviewed-By: Jan Cholasta
>
> During the execution of ipa-replica-prepare, the RA cert (nickname
> "ipaCert") gets added to the /etc/httpd/alias/ NSSDB, but then
> removed somehow while executing http.create_instance(). I have not
> yet precisely identified the cause enough to fix it. Hopefully
> David or Honza can shed some light.

Fixed.

--
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-447-install-Fix-ipa-replica-install-not-installing-RA-ce.patch
Type: text/x-patch
Size: 2680 bytes
Desc: not available
URL:

From pvoborni at redhat.com Thu Jun 18 11:22:45 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 18 Jun 2015 13:22:45 +0200
Subject: [Freeipa-devel] [PATCH] 0005 User life cycle: del/mod/find/show stageuser commands
In-Reply-To: <5582A308.506@redhat.com>
References: <552F964E.2060304@redhat.com> <553F437D.5080103@redhat.com> <553F44B7.6040100@redhat.com> <553F476E.8080502@redhat.com> <553F9BCE.6010000@redhat.com> <554869C3.2040509@redhat.com> <5551EF3E.1060503@redhat.com> <555216B9.1070106@redhat.com> <205373726.22060212.1431701099532.JavaMail.zimbra@redhat.com> <5559A3DD.7030002@redhat.com> <555C5348.2030202@redhat.com> <5576D5BB.8020500@redhat.com> <557EE5D3.8090408@redhat.com> <1434380423.22266.14.camel@willson.usersys.redhat.com> <557EEF72.7010507@redhat.com> <55827380.3050607@redhat.com> <5582A308.506@redhat.com>
Message-ID: <5582AA05.6030004@redhat.com>

On 06/18/2015 12:52 PM, Jan Cholasta wrote:
> Dne 18.6.2015 v 09:30 Jan Cholasta napsal(a):
>> Dne 15.6.2015 v 17:29 thierry bordaz napsal(a):
>>> On 06/15/2015 05:00 PM, Simo Sorce wrote:
>>>> On Mon, 2015-06-15 at 16:48 +0200, Petr Vobornik wrote:
>>>>> On 06/09/2015 02:02 PM, Jan Cholasta wrote:
>>>>>> Dne 20.5.2015 v 11:26 Jan Cholasta napsal(a):
>>>>>>> Dne 18.5.2015 v 10:33 thierry bordaz napsal(a):
>>>>>>>> On 05/15/2015 04:44 PM, David Kupka wrote:
>>>>>>>>> Hello Thierry,
>>>>>>>>> thanks for the patch set. Overall functionality of ULC feature looks
>>>>>>>>> good to me and is definitely "alpha ready".
>>>>>>>>>
>>>>>>>>> I found following issues but don't insist on fixing it right now:
>>>>>>>>>
>>>>>>>>> 1) When stageuser-activate fails due to already existent
>>>>>>>>> active/deleted user.
>>>>>>>>> DN is shown instead of user name that's used in other commands
>>>>>>>>> (user-add, stageuser-add).
>>>>>>>>> $ ipa user-add tuser --first Test --last User >>>>>>>>> $ ipa stageuser-add tuser --first Test --last User >>>>>>>>> $ ipa stageuser-activate tuser >>>>>>>>> ipa: ERROR: Active user >>>>>>>>> uid=tuser,cn=users,cn=accounts,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> already exists >>>>>>>> Hi David, Jan, >>>>>>>> >>>>>>>> Thanks you so much for all those tests and feedback. I agree, some >>>>>>>> minor >>>>>>>> bugs can be fixed separatly from this main patches. >>>>>>>> >>>>>>>> You are right, It should return the user ID not the DN. >>>>>>>> >>>>>>>>> 2) According to the design there should be '--only-delete' and >>>>>>>>> '--also-delete' >>>>>>>>> options for user-find command instead there is '--preserved' >>>>>>>>> option. >>>>>>>>> Honza proposed adding virtual boolean attribute 'deleted' to user >>>>>>>>> entry and >>>>>>>>> filter on it. >>>>>>>>> The 'deleted' attribute would be useful also in user-show where >>>>>>>>> is no >>>>>>>>> way to >>>>>>>>> tell if the displayed user is active or deleted. (Except running >>>>>>>>> with >>>>>>>>> --all >>>>>>>>> and looking on the dn). >>>>>>>> Yes a bit late to resynch the design. >>>>>>>> The final option is 'preserved' for user-find and 'preserve' for >>>>>>>> user-del. '--only-delete' or 'also-delete' are old name that I >>>>>>>> need to >>>>>>>> replace in the design. >>>>>>>> >>>>>>>> About the 'deleted' attribute, do you think adding a DS cos virtual >>>>>>>> attribute ? >>>>>>> See the attached patch. >>>>>> Can someone please review the patch? >>>>>> >>>>>>>>> 3) uidNumber and gidNumber can't be set back to '-1' once set to >>>>>>>>> other >>>>>>>>> value. >>>>>>>>> This would be useful when admin changes its mind and want IPA to >>>>>>>>> assign them. >>>>>>>>> IIUC, there should be no validation in cn=staged user container. >>>>>>>>> All >>>>>>>>> validation should be done during stageuser-activate. 
>>>>>>>> Yes that comes from user plugin that enforce the number to be >0. >>>>>>>> That is a good point giving the ability to reset >>>>>>>> uidNumber/gidNumber. >>>>>>>> I will check if it is possible, how (give a value or an option to >>>>>>>> reset), and also if it would not create other issue. >>>>>>>>> 4) Support for deleted -> stage workflow is still missing. But I'm >>>>>>>>> unsure if we >>>>>>>>> agreed to finish it now or later. >>>>>>>> Yes thanks >>>>>>>>> 5) Twice deleting user with '--preserve' deletes him permanently. >>>>>>>>> $ ipa user-add tuser --first Test --last User >>>>>>>>> $ ipa user-del tuser --preserve >>>>>>>>> $ ipa user-del tuser --preserve >>>>>>>>> $ ipa user-find --preserved >>>>>>>>> ------------------------ >>>>>>>>> 0 (delete) users matched >>>>>>>>> ------------------------ >>>>>>>>> ---------------------------- >>>>>>>>> Number of entries returned 0 >>>>>>>>> ---------------------------- >>>>>>>> Deleting a deleted (preserved) entry, should permanently remove the >>>>>>>> entry. >>>>> +1, but no-op if default behavior is "preserve" >>>>> >>>>>>>> Now if the second time the preserve option is present, it makes >>>>>>>> sense to >>>>>>>> not delete it. >>>>> +1, should be no-op >>>>> >>>>>>> BTW: I might be stating the obvious here, but it would be better to >>>>>>> use >>>>>>> one boolean parameter rather than two mutually exclusive flags in >>>>>>> user-del. >>>>>> I would like an opinion on this as well. >>>>>> >>>>> So the proposal is, e.g.,: >>>>> >>>>> Replace: >>>>> ipa user del fbar --preserve >>>>> ipa user del fbar --permanently >>>>> with: >>>>> ipa user del fbar --permanently=False >>>>> ipa user del fbar --permanently=True >>>>> and >>>>> ipa user del fbar >>>>> uses the default behavior(permanently atm.) >>>>> >>>>> I don't think there is a big difference. A boolean is easier for >>>>> scripting. 2 options are more descriptive for humans. 
With a single >>>>> boolean, I would be afraid that omitting it would imply False to some >>>>> users which is not always the same as "the default behavior" [1]. >>>>> >>>>> With Web UI developer hat I would vote for single boolean but as a CLI >>>>> user I would like the current options. >>>>> >>>>> Given that Web UI or any other API client should not define CLI, I >>>>> would >>>>> keep the current options. >>>>> >>>>> my 2c >>>>> >>>>> [1] >>>>> http://www.freeipa.org/page/V4/User_Life-Cycle_Management#Delete_User >>>>> -- >>>>> Petr Vobornik >>>>> >>>> +1 --preserve is 100x better for a human than --permanently=False >>> >>> I also prefere --preserve for usability of 'user del'. >>> >>> In addition we have 'user find|show --preserved' to retrieve users that >>> have been preserved. So it seems to me better that the action that >>> preserved the user uses the option '--preserve' rather >>> '--permanently=False'. >> >> It's ridiculous that the CLI taints the RPC API and it should be fixed. >> >> Also on a more nitpicky side, I think the flag should be called >> --no-preserve rather than --permanently. There is plenty of commands >> (rm, cp, ...) which have --no-preserve as opposite of --preserve. >> >> The attached patch fixes both. > > ... and it also accidentaly changes the default behavior. > > Updated patch attached. > ACK if others are ok with changing --permanently to --no-preserve. Patch 446 fixed also issue #5, patch 446.1 doesn't fix it. Could be fixed separately. Attaching patch which addresses this API change in Web UI. -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0880-webui-adjust-user-deleter-dialog-to-new-api.patch Type: text/x-patch Size: 5403 bytes Desc: not available URL: From pspacek at redhat.com Thu Jun 18 11:36:41 2015 
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 18 Jun 2015 13:36:41 +0200
Subject: [Freeipa-devel] [PATCH 0032-0034] Clarify DNS error messages in ipa-replica-prepare
Message-ID: <5582AD49.7020709@redhat.com>

Easytest! :-)

--
Petr^2 Spacek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pspacek-0032-Improve-error-messages-about-reverse-address-resolut.patch
Type: text/x-patch
Size: 1781 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pspacek-0033-Clarify-recommendation-about-ip-address-option-in-ip.patch
Type: text/x-patch
Size: 1364 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pspacek-0034-Clarify-error-messages-in-ipa-replica-prepare-add_dn.patch
Type: text/x-patch
Size: 1989 bytes

From pspacek at redhat.com Thu Jun 18 11:49:08 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 18 Jun 2015 13:49:08 +0200
Subject: [Freeipa-devel] [PATCH 0035] Bump run-time requires to SoftHSM 2.0.0rc1
Message-ID: <5582B034.6060706@redhat.com>

Hello,

Another easytest! :-)

Bump run-time requires to SoftHSM 2.0.0rc1.

This is necessary to make DNSSEC support functional.

Unfortunately my previous patch updated BuildRequires but I forgot to bump the same in Requires. Please push it into alpha if possible.

Thanks!

--
Petr^2 Spacek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pspacek-0035-Bump-run-time-requires-to-SoftHSM-2.0.0rc1.patch
Type: text/x-patch
Size: 758 bytes

From pvoborni at redhat.com Thu Jun 18 12:05:55 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 18 Jun 2015 14:05:55 +0200
Subject: [Freeipa-devel] FreeIPA 4.2 Alpha preparations
In-Reply-To: <558195DB.4020100@redhat.com>
References: <557AA7AF.1070903@redhat.com> <55803C48.8010301@redhat.com> <20150616152944.GH29330@dhcp-40-8.bne.redhat.com> <55810BBE.1010906@redhat.com> <20150617103117.GL29330@dhcp-40-8.bne.redhat.com> <558195DB.4020100@redhat.com>
Message-ID: <5582B423.6040000@redhat.com>

On 06/17/2015 05:44 PM, Martin Kosek wrote:
> On 06/17/2015 12:31 PM, Fraser Tweedale wrote:
>> On Wed, Jun 17, 2015 at 07:55:10AM +0200, Martin Kosek wrote:
>>> On 06/16/2015 05:29 PM, Fraser Tweedale wrote:
>>>> On Tue, Jun 16, 2015 at 05:10:00PM +0200, Martin Kosek wrote:
>>>>> On 06/12/2015 11:34 AM, Martin Kosek wrote:
>>>>>> Hello all,
>>>>>>
>>>>>> As discussed in the last 2 weeks, we are getting close to the 4.2 finish line and releasing FreeIPA 4.2 Alpha 1. We already have most of the major RFEs complete, some still miss some partial functionality, but most are testable and in Alpha state already.
>>>>>>
>>>>>> We now need to find out what is blocking us from releasing the Alpha. I know only about 2 issues:
>>>>>>
>>>>>> - ipa-replica-manage del does not work well with the Topology plugin yet - Petr Vobornik and Ludwig are working on it
>>>>>> - ipa-replica-prepare had some issues after upgrade from 4.1.x to 4.2.0 due to inaccessible certificate profiles - Jan, Martin2, Fraser were investigating
>>>>>>
>>>>>> Is that correct? Feature owners, please let me know if any of the major features regressed and is not working properly, maybe by other patch sets being merged.
>>>>>>
>>>>>> When the blockers are resolved or documented, we should release the beast. Any volunteer for the release process?
>>>>>>
>>>>>> Finally, I put together a release note draft for the Alpha, please help me complete and update it:
>>>>>>
>>>>>> http://www.freeipa.org/page/Releases/4.2.0.alpha1
>>>>>>
>>>>>> Thanks everyone!
>>>>>>
>>>>>
>>>>> I saw many fixes in Topology, that's good. I heard that pki-core 10.2.4 broke us, but I could not reproduce it today with a fully updated F22 machine and I was able to install FreeIPA 4.2.git
>>>>>
>>>>> If this is the case, can we just release the Alpha?
>>>>
>>>> There are still some big brokens for upgrades. The fixes for pki are merged but there is no release yet.
>>>
>>> What is the ETA? It would be nice to have the fix for Alpha, the package can be built in the freeipa-4.2 COPR repo, together with the 4.2 Alpha release. If the ETA is too far, we may need to release Alpha regardless as there are some Test Days planned next week and upgrade is not required for such test days.
>>>
>> Based on people educating me about how LDAP replication works: tomorrow, hopefully. In any case, I'm glad to know that the test days will not be affected by upgrade issues.
>
> Well, I will need some release in COPR for the test day. If clean install works, it is good for me. So if you do not have a Dogtag release with upgrade issues fixed, I would just release Alpha as is, with this limitation.
>
> I do not expect people upgrading to Alpha from production releases before 4.2 anyway.
>
>>
>>>> I am only aware of one reported issue for new installations: ipa-replica-prepare failing when run on a replica (I haven't gotten to investigating this one yet).
>>>
>>> Right. This must be fixed before GA, but Alpha can live without it IMO.
>>
>> I investigated this regression today - details are in another thread, but it appears to be introduced by a different change and I have requested comment from those more familiar with that change.
>>
>> Thanks,
>> Fraser
>>
>

I'm going to tag alpha_1-4-3-0 today at 15:00 CET. I'm not aware of any alpha blockers on the FreeIPA side. Please contact me if there are patches which should make the release.

This release will be available in the mkosek/freeipa-4-2 COPR repository. When ready, the new dogtag should go into the COPR as well.

What are the known issues which should be mentioned in the release notes?
http://www.freeipa.org/page/Releases/4.2.0.alpha1#Known_Issues

--
Petr Vobornik

From pvoborni at redhat.com Thu Jun 18 12:36:55 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 18 Jun 2015 14:36:55 +0200
Subject: [Freeipa-devel] [PATCH 0035] Bump run-time requires to SoftHSM 2.0.0rc1
In-Reply-To: <5582B034.6060706@redhat.com>
References: <5582B034.6060706@redhat.com>
Message-ID: <5582BB67.5090503@redhat.com>

On 06/18/2015 01:49 PM, Petr Spacek wrote:
> Hello,
>
> Another easytest! :-)
>
> Bump run-time requires to SoftHSM 2.0.0rc1.
>
> This is necessary to make DNSSEC support functional.
>
> Unfortunately my previous patch updated BuildRequires but I forgot to bump the same in Requires. Please push it into alpha if possible.
>
> Thanks!
>

ACK

Pushed to master: e29f85344ced845f3d1999773fa2437de9b028af

--
Petr Vobornik

From pvoborni at redhat.com Thu Jun 18 12:38:01 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 18 Jun 2015 14:38:01 +0200
Subject: [Freeipa-devel] [PATCH 0256] DNS: add UnknonwRecord attribute to schema
In-Reply-To: <5579A16D.4060103@redhat.com>
References: <555F1DB3.8050604@redhat.com> <5579A16D.4060103@redhat.com>
Message-ID: <5582BBA9.30909@redhat.com>

On 06/11/2015 04:55 PM, Petr Spacek wrote:
> On 22.5.2015 14:14, Martin Basti wrote:
>> Patch attached.
>>
>> Initial part of https://fedorahosted.org/freeipa/ticket/4939
>
> ACK
>

Pushed to master: 3ababb763b93af4012705d59d2f55801d172835c

--
Petr Vobornik

From mkosek at redhat.com Thu Jun 18 12:41:56 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 18 Jun 2015 14:41:56 +0200
Subject: [Freeipa-devel] [PATCH] 0005 User life cycle: del/mod/find/show stageuser commands
In-Reply-To: <5582AA05.6030004@redhat.com>
References: <552F964E.2060304@redhat.com> <553F437D.5080103@redhat.com> <553F44B7.6040100@redhat.com> <553F476E.8080502@redhat.com> <553F9BCE.6010000@redhat.com> <554869C3.2040509@redhat.com> <5551EF3E.1060503@redhat.com> <555216B9.1070106@redhat.com> <205373726.22060212.1431701099532.JavaMail.zimbra@redhat.com> <5559A3DD.7030002@redhat.com> <555C5348.2030202@redhat.com> <5576D5BB.8020500@redhat.com> <557EE5D3.8090408@redhat.com> <1434380423.22266.14.camel@willson.usersys.redhat.com> <557EEF72.7010507@redhat.com> <55827380.3050607@redhat.com> <5582A308.506@redhat.com> <5582AA05.6030004@redhat.com>
Message-ID: <5582BC94.6060301@redhat.com>

On 06/18/2015 01:22 PM, Petr Vobornik wrote:
> On 06/18/2015 12:52 PM, Jan Cholasta wrote:
>> On 18.6.2015 at 09:30 Jan Cholasta wrote:
>>> On 15.6.2015 at 17:29 thierry bordaz wrote:
>>>> On 06/15/2015 05:00 PM, Simo Sorce wrote:
>>>>> On Mon, 2015-06-15 at 16:48 +0200, Petr Vobornik wrote:
>>>>>> On 06/09/2015 02:02 PM, Jan Cholasta wrote:
>>>>>>> On 20.5.2015 at 11:26 Jan Cholasta wrote:
>>>>>>>> On 18.5.2015 at 10:33 thierry bordaz wrote:
>>>>>>>>> On 05/15/2015 04:44 PM, David Kupka wrote:
>>>>>>>>>> Hello Thierry,
>>>>>>>>>> thanks for the patch set. Overall functionality of the ULC feature looks good to me and is definitely "alpha ready".
>>>>>>>>>>
>>>>>>>>>> I found the following issues but don't insist on fixing them right now:
>>>>>>>>>>
>>>>>>>>>> 1) When stageuser-activate fails due to an already existent active/deleted user, the DN is shown instead of the user name that's used in other commands (user-add, stageuser-add).
>>>>>>>>>> $ ipa user-add tuser --first Test --last User
>>>>>>>>>> $ ipa stageuser-add tuser --first Test --last User
>>>>>>>>>> $ ipa stageuser-activate tuser
>>>>>>>>>> ipa: ERROR: Active user uid=tuser,cn=users,cn=accounts,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com already exists
>>>>>>>>> Hi David, Jan,
>>>>>>>>>
>>>>>>>>> Thank you so much for all those tests and feedback. I agree, some minor bugs can be fixed separately from these main patches.
>>>>>>>>>
>>>>>>>>> You are right, it should return the user ID, not the DN.
>>>>>>>>>
>>>>>>>>>> 2) According to the design there should be '--only-delete' and '--also-delete' options for the user-find command; instead there is a '--preserved' option. Honza proposed adding a virtual boolean attribute 'deleted' to the user entry and filtering on it. The 'deleted' attribute would be useful also in user-show, where there is no way to tell if the displayed user is active or deleted. (Except running with --all and looking on the dn.)
>>>>>>>>> Yes, a bit late to resync the design. The final option is 'preserved' for user-find and 'preserve' for user-del. '--only-delete' or '--also-delete' are old names that I need to replace in the design.
>>>>>>>>>
>>>>>>>>> About the 'deleted' attribute, do you think about adding a DS CoS virtual attribute?
>>>>>>>> See the attached patch.
>>>>>>> Can someone please review the patch?
>>>>>>>
>>>>>>>>>> 3) uidNumber and gidNumber can't be set back to '-1' once set to another value. This would be useful when the admin changes their mind and wants IPA to assign them. IIUC, there should be no validation in the cn=staged user container. All validation should be done during stageuser-activate.
>>>>>>>>> Yes, that comes from the user plugin that enforces the number to be >0. That is a good point, giving the ability to reset uidNumber/gidNumber. I will check if it is possible, how (give a value or an option to reset), and also if it would not create other issues.
>>>>>>>>>> 4) Support for deleted -> stage workflow is still missing. But I'm unsure if we agreed to finish it now or later.
>>>>>>>>> Yes, thanks.
>>>>>>>>>> 5) Twice deleting a user with '--preserve' deletes him permanently.
>>>>>>>>>> $ ipa user-add tuser --first Test --last User
>>>>>>>>>> $ ipa user-del tuser --preserve
>>>>>>>>>> $ ipa user-del tuser --preserve
>>>>>>>>>> $ ipa user-find --preserved
>>>>>>>>>> ------------------------
>>>>>>>>>> 0 (delete) users matched
>>>>>>>>>> ------------------------
>>>>>>>>>> ----------------------------
>>>>>>>>>> Number of entries returned 0
>>>>>>>>>> ----------------------------
>>>>>>>>> Deleting a deleted (preserved) entry should permanently remove the entry.
>>>>>> +1, but no-op if default behavior is "preserve"
>>>>>>
>>>>>>>>> Now if the second time the preserve option is present, it makes sense to not delete it.
>>>>>> +1, should be no-op
>>>>>>
>>>>>>>> BTW: I might be stating the obvious here, but it would be better to use one boolean parameter rather than two mutually exclusive flags in user-del.
>>>>>>> I would like an opinion on this as well.
>>>>>>>
>>>>>> So the proposal is, e.g.:
>>>>>>
>>>>>> Replace:
>>>>>>   ipa user del fbar --preserve
>>>>>>   ipa user del fbar --permanently
>>>>>> with:
>>>>>>   ipa user del fbar --permanently=False
>>>>>>   ipa user del fbar --permanently=True
>>>>>> and
>>>>>>   ipa user del fbar
>>>>>> uses the default behavior (permanently atm.)
>>>>>>
>>>>>> I don't think there is a big difference. A boolean is easier for scripting. 2 options are more descriptive for humans. With a single boolean, I would be afraid that omitting it would imply False to some users, which is not always the same as "the default behavior" [1].
>>>>>>
>>>>>> With my Web UI developer hat on I would vote for a single boolean, but as a CLI user I would like the current options.
>>>>>>
>>>>>> Given that the Web UI or any other API client should not define the CLI, I would keep the current options.
>>>>>>
>>>>>> my 2c
>>>>>>
>>>>>> [1] http://www.freeipa.org/page/V4/User_Life-Cycle_Management#Delete_User
>>>>>> --
>>>>>> Petr Vobornik
>>>>>>
>>>>> +1 --preserve is 100x better for a human than --permanently=False
>>>>
>>>> I also prefer --preserve for usability of 'user del'.
>>>>
>>>> In addition we have 'user find|show --preserved' to retrieve users that have been preserved. So it seems to me better that the action that preserved the user uses the option '--preserve' rather than '--permanently=False'.
>>>
>>> It's ridiculous that the CLI taints the RPC API and it should be fixed.
>>>
>>> Also on a more nitpicky side, I think the flag should be called --no-preserve rather than --permanently. There are plenty of commands (rm, cp, ...) which have --no-preserve as the opposite of --preserve.
>>>
>>> The attached patch fixes both.
>>
>> ... and it also accidentally changes the default behavior.
>>
>> Updated patch attached.
>>
>
> ACK if others are ok with changing --permanently to --no-preserve.

I am. This looks like a change that should make it to Alpha :-)

>
> Patch 446 also fixed issue #5, patch 446.1 doesn't fix it. Could be fixed separately.
>
> Attaching a patch which addresses this API change in the Web UI.
>

From dkupka at redhat.com Thu Jun 18 12:43:50 2015
From: dkupka at redhat.com (David Kupka)
Date: Thu, 18 Jun 2015 14:43:50 +0200
Subject: [Freeipa-devel] with new cert profiles patches ipa-replica-prepare fails after update
In-Reply-To: <5582A915.3020404@redhat.com>
References: <55705AC8.4070502@redhat.com> <55793FC7.8010004@redhat.com> <20150612131852.GA29330@dhcp-40-8.bne.redhat.com> <557AE2FA.3070004@redhat.com> <20150617102634.GK29330@dhcp-40-8.bne.redhat.com> <5582A915.3020404@redhat.com>
Message-ID: <5582BD06.1050805@redhat.com>

On 18.6.2015 at 13:18 Jan Cholasta wrote:
> On 17.6.2015 at 12:26 Fraser Tweedale wrote:
>> On Fri, Jun 12, 2015 at 03:47:38PM +0200, Petr Vobornik wrote:
>>> On 06/12/2015 03:18 PM, Fraser Tweedale wrote:
>>>> On Thu, Jun 11, 2015 at 09:59:03AM +0200, Martin Babinsky wrote:
>>>>> On 06/04/2015 04:03 PM, Petr Vobornik wrote:
>>>>>> - ipa-replica-prepare works
>>>>>> - old IPA server was upgraded to today's master (with Cert profiles patches)
>>>>>> - ipa-replica-prepare fails with:
>>>>>>
>>>>>> Log:
>>>>>>
>>>>>> ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
>>>>>> ipa: DEBUG: cert valid True for "CN=repl.example.com,O=EXAMPLE.COM"
>>>>>> ipa: DEBUG: handshake complete, peer = [beef::cafe]:8443
>>>>>> ipa: DEBUG: Protocol: TLS1.2
>>>>>> ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_128_GCM_SHA256
>>>>>> ipa: DEBUG: request status 200
>>>>>> ipa: DEBUG: request reason_phrase u'OK'
>>>>>> ipa: DEBUG: request headers {'date': 'Thu, 04 Jun 2015 13:54:09 GMT', 'content-length': '148', 'content-type': 'application/xml', 'server': 'Apache-Coyote/1.1'}
>>>>>> ipa: DEBUG: request body 'standalone="no"?>1Profile caIPAserviceCert Not Found'
>>>>>> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:
>>>>>>   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
>>>>>>     return_value = self.run()
>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 338, in run
>>>>>>     self.copy_ds_certificate()
>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 383, in copy_ds_certificate
>>>>>>     self.export_certdb("dscert", passwd_fname)
>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 595, in export_certdb
>>>>>>     db.create_server_cert(nickname, hostname, ca_db)
>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 337, in create_server_cert
>>>>>>     cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 419, in issue_server_cert
>>>>>>     raise RuntimeError("Certificate issuance failed")
>>>>>>
>>>>>
>>>>> Bump, I have also come across this issue (see log: http://pastebin.test.redhat.com/289434).
>>>>>
>>>>> --
>>>>> Martin^3 Babinsky
>>>>
>>>> It was reported to me that the issue was reproducible after upgrade from 4.1.4 to master, but I was not able to reproduce. Can anyone who has encountered it please:
>>>>
>>>> - state fedora version(s) affected and precise build of Dogtag
>>>> - provide ipaupgrade.log and /var/log/pki/pki-tomcat/ca/debug
>>>>
>>>> Thanks,
>>>> Fraser
>>>>
>>>
>>> I see a similar issue when creating a replica file from a second replica/master, all git master. I.e. the prepare on the first server obviously works.
>>>
>>> The error is different though:
>>>
>>> ipa: DEBUG: request status 200
>>> ipa: DEBUG: request reason_phrase u'OK'
>>> ipa: DEBUG: request headers {'date': 'Fri, 12 Jun 2015 13:46:32 GMT', 'content-length': '133', 'content-type': 'application/xml', 'server': 'Apache-Coyote/1.1'}
>>> ipa: DEBUG: request body 'standalone="no"?>1Invalid Credential.'
>>> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:
>>>   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
>>>     return_value = self.run()
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 338, in run
>>>     self.copy_ds_certificate()
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 383, in copy_ds_certificate
>>>     self.export_certdb("dscert", passwd_fname)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 595, in export_certdb
>>>     db.create_server_cert(nickname, hostname, ca_db)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 337, in create_server_cert
>>>     cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 419, in issue_server_cert
>>>     raise RuntimeError("Certificate issuance failed")
>>>
>>> --
>>> Petr Vobornik
>>
>> I spent some time debugging this issue today. It appears to be introduced by commit:
>>
>> commit 2acedb2d5d4a4c0987c670e14eb04b8bd9ffc034
>> Author: David Kupka
>> Date:   Mon Jun 8 05:23:56 2015 +0000
>>
>>     Move CA installation code into single module.
>>
>>     https://fedorahosted.org/freeipa/ticket/4468
>>
>>     Reviewed-By: Jan Cholasta
>>
>> During the execution of ipa-replica-prepare, the RA cert (nickname "ipaCert") gets added to the /etc/httpd/alias/ NSSDB, but then removed somehow while executing http.create_instance(). I have not yet precisely identified the cause enough to fix it. Hopefully David or Honza can shed some light.
>
> Fixed.
>

Works for me, ACK.

--
David Kupka

From pvoborni at redhat.com Thu Jun 18 12:48:57 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 18 Jun 2015 14:48:57 +0200
Subject: [Freeipa-devel] with new cert profiles patches ipa-replica-prepare fails after update
In-Reply-To: <5582BD06.1050805@redhat.com>
References: <55705AC8.4070502@redhat.com> <55793FC7.8010004@redhat.com> <20150612131852.GA29330@dhcp-40-8.bne.redhat.com> <557AE2FA.3070004@redhat.com> <20150617102634.GK29330@dhcp-40-8.bne.redhat.com> <5582A915.3020404@redhat.com> <5582BD06.1050805@redhat.com>
Message-ID: <5582BE39.3020106@redhat.com>

On 06/18/2015 02:43 PM, David Kupka wrote:
> On 18.6.2015 at 13:18 Jan Cholasta wrote:
>> On 17.6.2015 at 12:26 Fraser Tweedale wrote:
>>> On Fri, Jun 12, 2015 at 03:47:38PM +0200, Petr Vobornik wrote:
>>>> On 06/12/2015 03:18 PM, Fraser Tweedale wrote:
>>>>> On Thu, Jun 11, 2015 at 09:59:03AM +0200, Martin Babinsky wrote:
>>>>>> On 06/04/2015 04:03 PM, Petr Vobornik wrote:
>>>>>>> - ipa-replica-prepare works
>>>>>>> - old IPA server was upgraded to today's master (with Cert profiles patches)
>>>>>>> - ipa-replica-prepare fails with:
>>>>>>>
>>>>>>> Log:
>>>>>>>
>>>>>>> ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
>>>>>>> ipa: DEBUG: cert valid True for "CN=repl.example.com,O=EXAMPLE.COM"
>>>>>>> ipa: DEBUG: handshake complete, peer = [beef::cafe]:8443
>>>>>>> ipa: DEBUG: Protocol: TLS1.2
>>>>>>> ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_128_GCM_SHA256
>>>>>>> ipa: DEBUG: request status 200
>>>>>>> ipa: DEBUG: request reason_phrase u'OK'
>>>>>>> ipa: DEBUG: request headers {'date': 'Thu, 04 Jun 2015 13:54:09 GMT', 'content-length': '148', 'content-type': 'application/xml', 'server': 'Apache-Coyote/1.1'}
>>>>>>> ipa: DEBUG: request body 'standalone="no"?>1Profile caIPAserviceCert Not Found'
>>>>>>> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:
>>>>>>>   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
>>>>>>>     return_value = self.run()
>>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 338, in run
>>>>>>>     self.copy_ds_certificate()
>>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 383, in copy_ds_certificate
>>>>>>>     self.export_certdb("dscert", passwd_fname)
>>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 595, in export_certdb
>>>>>>>     db.create_server_cert(nickname, hostname, ca_db)
>>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 337, in create_server_cert
>>>>>>>     cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
>>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 419, in issue_server_cert
>>>>>>>     raise RuntimeError("Certificate issuance failed")
>>>>>>>
>>>>>>
>>>>>> Bump, I have also come across this issue (see log: http://pastebin.test.redhat.com/289434).
>>>>>>
>>>>>> --
>>>>>> Martin^3 Babinsky
>>>>>
>>>>> It was reported to me that the issue was reproducible after upgrade from 4.1.4 to master, but I was not able to reproduce. Can anyone who has encountered it please:
>>>>>
>>>>> - state fedora version(s) affected and precise build of Dogtag
>>>>> - provide ipaupgrade.log and /var/log/pki/pki-tomcat/ca/debug
>>>>>
>>>>> Thanks,
>>>>> Fraser
>>>>>
>>>>
>>>> I see a similar issue when creating a replica file from a second replica/master, all git master. I.e. the prepare on the first server obviously works.
>>>>
>>>> The error is different though:
>>>>
>>>> ipa: DEBUG: request status 200
>>>> ipa: DEBUG: request reason_phrase u'OK'
>>>> ipa: DEBUG: request headers {'date': 'Fri, 12 Jun 2015 13:46:32 GMT', 'content-length': '133', 'content-type': 'application/xml', 'server': 'Apache-Coyote/1.1'}
>>>> ipa: DEBUG: request body 'standalone="no"?>1Invalid Credential.'
>>>> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
>>>>     return_value = self.run()
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 338, in run
>>>>     self.copy_ds_certificate()
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 383, in copy_ds_certificate
>>>>     self.export_certdb("dscert", passwd_fname)
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 595, in export_certdb
>>>>     db.create_server_cert(nickname, hostname, ca_db)
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 337, in create_server_cert
>>>>     cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 419, in issue_server_cert
>>>>     raise RuntimeError("Certificate issuance failed")
>>>>
>>>> --
>>>> Petr Vobornik
>>>
>>> I spent some time debugging this issue today. It appears to be introduced by commit:
>>>
>>> commit 2acedb2d5d4a4c0987c670e14eb04b8bd9ffc034
>>> Author: David Kupka
>>> Date:   Mon Jun 8 05:23:56 2015 +0000
>>>
>>>     Move CA installation code into single module.
>>>
>>>     https://fedorahosted.org/freeipa/ticket/4468
>>>
>>>     Reviewed-By: Jan Cholasta
>>>
>>> During the execution of ipa-replica-prepare, the RA cert (nickname "ipaCert") gets added to the /etc/httpd/alias/ NSSDB, but then removed somehow while executing http.create_instance(). I have not yet precisely identified the cause enough to fix it. Hopefully David or Honza can shed some light.
>>
>> Fixed.
>>
> Works for me, ACK.
>

Pushed to master: c3a3d789b5da353a6abf2722932df4f5fc05dbe5

--
Petr Vobornik

From mbasti at redhat.com Thu Jun 18 12:50:20 2015
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 18 Jun 2015 14:50:20 +0200
Subject: [Freeipa-devel] [PATCH 0032-0034] Clarify DNS error messages in ipa-replica-prepare
In-Reply-To: <5582AD49.7020709@redhat.com>
References: <5582AD49.7020709@redhat.com>
Message-ID: <5582BE8C.8010402@redhat.com>

On 18/06/15 13:36, Petr Spacek wrote:
> Easytest! :-)
>

ACK

--
Martin Basti

From mbasti at redhat.com Thu Jun 18 12:59:44 2015
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 18 Jun 2015 14:59:44 +0200
Subject: [Freeipa-devel] [PATCH 0041] add DS index for userCertificate attribute
In-Reply-To: <558048C0.4070002@redhat.com>
References: <558048C0.4070002@redhat.com>
Message-ID: <5582C0C0.5050107@redhat.com>

On 16/06/15 18:03, Martin Babinsky wrote:
> Related to http://www.freeipa.org/page/V4/User_Certificates and https://fedorahosted.org/freeipa/ticket/4238
>

ACK

--
Martin Basti

From lkrispen at redhat.com Thu Jun 18 13:01:20 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Thu, 18 Jun 2015 15:01:20 +0200
Subject: [Freeipa-devel] FreeIPA 4.2 Alpha preparations
In-Reply-To: <5582B423.6040000@redhat.com>
References: <557AA7AF.1070903@redhat.com> <55803C48.8010301@redhat.com> <20150616152944.GH29330@dhcp-40-8.bne.redhat.com> <55810BBE.1010906@redhat.com> <20150617103117.GL29330@dhcp-40-8.bne.redhat.com> <558195DB.4020100@redhat.com> <5582B423.6040000@redhat.com>
Message-ID: <5582C120.5010005@redhat.com>

Hi,

I think you did not yet (want) to push patch0014 about one directional
segments. In that case we should add something that the addition of one
directional segments is not recommended (failure in some cases to check
duplicates or removing agreements when deleting a merged segment).

Ludwig

On 06/18/2015 02:05 PM, Petr Vobornik wrote:
> On 06/17/2015 05:44 PM, Martin Kosek wrote:
>> On 06/17/2015 12:31 PM, Fraser Tweedale wrote:
>>> On Wed, Jun 17, 2015 at 07:55:10AM +0200, Martin Kosek wrote:
>>>> On 06/16/2015 05:29 PM, Fraser Tweedale wrote:
>>>>> On Tue, Jun 16, 2015 at 05:10:00PM +0200, Martin Kosek wrote:
>>>>>> On 06/12/2015 11:34 AM, Martin Kosek wrote:
>>>>>>> Hello all,
>>>>>>>
>>>>>>> As discussed in the last 2 weeks, we are getting close to the 4.2
>>>>>>> finish line and releasing FreeIPA 4.2 Alpha 1. We already have most
>>>>>>> of the major RFEs complete, some still miss some partial
>>>>>>> functionality, but most are testable and in Alpha state already.
>>>>>>>
>>>>>>> We need to now find out what is blocking us from releasing the
>>>>>>> Alpha. I know only about 2 issues:
>>>>>>>
>>>>>>> - ipa-replica-manage del does not work well with the Topology
>>>>>>> plugin yet - Petr Vobornik and Ludwig are working on it
>>>>>>> - ipa-replica-prepare had some issues after upgrade from 4.1.x to
>>>>>>> 4.2.0 due to inaccessible certificate profiles - Jan, Martin2,
>>>>>>> Fraser was investigating
>>>>>>>
>>>>>>> Is that correct?
>>>>>>> Feature owners, please let me know if any of the major feature
>>>>>>> regressed and is not working properly, maybe by other patch sets
>>>>>>> being merged.
>>>>>>>
>>>>>>> When the blockers are resolved or documented, we should release
>>>>>>> the beast. Any volunteer for the release process?
>>>>>>>
>>>>>>> Finally, I put together a release note draft for the Alpha,
>>>>>>> please help me completing and updating it:
>>>>>>>
>>>>>>> http://www.freeipa.org/page/Releases/4.2.0.alpha1
>>>>>>>
>>>>>>> Thanks everyone!
>>>>>>>
>>>>>>
>>>>>> I saw many fixes in Topology, that's good. I heard that pki-core
>>>>>> 10.2.4 broke us, but I could not reproduce it today with fully
>>>>>> updated F22 machine and I was able to install FreeIPA 4.2.git
>>>>>>
>>>>>> If this is the case, can we just release the Alpha?
>>>>>
>>>>> There are still some big brokens for upgrades. The fixes for pki
>>>>> are merged but there is no release yet.
>>>>
>>>> What is the ETA? It would be nice to have the fix for Alpha, the
>>>> package can be built in the freeipa-4.2 COPR repo, together with the
>>>> 4.2 Alpha release. If the ETA is too far, we may need to release
>>>> Alpha regardless as there are some Test Days planned next week and
>>>> upgrade is not required for such test days.
>>>>
>>> Based on people educating me about how LDAP replication works:
>>> tomorrow, hopefully. In any case, I'm glad to know that the test
>>> days will not be affected by upgrade issues.
>>
>> Well, I will need some release in COPR for the test day. If clean
>> install works, it is good for me. So if you do not have Dogtag release
>> with upgrade issues fixed, I would just release Alpha as is, with this
>> limitation.
>>
>> I do not expect people upgrading to Alpha from production releases
>> before 4.2 anyway.
>>
>>>
>>>>> I am only aware of one reported issue for new installations:
>>>>> ipa-replica-prepare failing when run on a replica (I haven't gotten
>>>>> to investigating this one yet).
>>>>
>>>>
>>>> Right. This must be fixed before GA, but Alpha can live without it
>>>> IMO.
>>>
>>> I investigated this regression today - details are in another
>>> thread, but it appears to be introduced by a different change and I
>>> have requested comment from those more familiar with that change.
>>>
>>> Thanks,
>>> Fraser
>>>
>>
>
> I'm going to tag alpha_1-4-3-0 today at 15:00 CET.
>
> I'm not aware of any alpha blockers on FreeIPA side. Please contact me
> if there are patches which should make the release.
>
> This release will be available in mkosek/freeipa-4-2 COPR repository.
> When ready, the new dogtag should go into the COPR as well.
>
> What are the known issues which should be mentioned in release notes?
>
> http://www.freeipa.org/page/Releases/4.2.0.alpha1#Known_Issues

From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 18 Jun 2015 15:02:11 +0200
Subject: [Freeipa-devel] [PATCH 0032-0034] Clarify DNS error messages in ipa-replica-prepare
In-Reply-To: <5582BE8C.8010402@redhat.com>
References: <5582AD49.7020709@redhat.com> <5582BE8C.8010402@redhat.com>
Message-ID: <5582C153.1080104@redhat.com>

On 06/18/2015 02:50 PM, Martin Basti wrote:
> On 18/06/15 13:36, Petr Spacek wrote:
>> Easytest! :-)
>>
>>
>>
> ACK
>

pushed to master:

* 3c95a5aea23b6deb9d9b91799d9fd29ab25a6d78 Improve error messages about
  reverse address resolution in ipa-replica-prepare
* 6259be5fd6010d7e77101769e3421e6f3a141b0b Clarify recommendation about
  --ip-address option in ipa-replica-prepapre
* b5b8dd6cec4ddfd6cff91aba503963d2a4095bed Clarify error messages in
  ipa-replica-prepare: add_dns_records()

--
Petr Vobornik
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Thu, 18 Jun 2015 15:04:32 +0200
Subject: [Freeipa-devel] [PATCH 0266] ipa-ca-install fix: reconnect ldap2 after DS restart
In-Reply-To: <558167D4.2020809@redhat.com>
References: <558167D4.2020809@redhat.com>
Message-ID: <5582C1E0.3030305@redhat.com>

On 06/17/2015 02:28 PM, Martin Basti wrote:
> https://fedorahosted.org/freeipa/ticket/5064
>
> Patch attached.
>
>
ACK

--
Martin^3 Babinsky
From: simo at redhat.com (Simo Sorce)
Date: Thu, 18 Jun 2015 09:08:22 -0400
Subject: [Freeipa-devel] [PATCH] 0005 User life cycle: del/mod/find/show stageuser commands
In-Reply-To: <55827380.3050607@redhat.com>
References: <552F964E.2060304@redhat.com> <553F437D.5080103@redhat.com> <553F44B7.6040100@redhat.com> <553F476E.8080502@redhat.com> <553F9BCE.6010000@redhat.com> <554869C3.2040509@redhat.com> <5551EF3E.1060503@redhat.com> <555216B9.1070106@redhat.com> <205373726.22060212.1431701099532.JavaMail.zimbra@redhat.com> <5559A3DD.7030002@redhat.com> <555C5348.2030202@redhat.com> <5576D5BB.8020500@redhat.com> <557EE5D3.8090408@redhat.com> <1434380423.22266.14.camel@willson.usersys.redhat.com> <557EEF72.7010507@redhat.com> <55827380.3050607@redhat.com>
Message-ID: <1434632902.2716.70.camel@willson.usersys.redhat.com>

On Thu, 2015-06-18 at 09:30 +0200, Jan Cholasta wrote:
> Dne 15.6.2015 v 17:29 thierry bordaz napsal(a):
> > On 06/15/2015 05:00 PM, Simo Sorce wrote:
> >> On Mon, 2015-06-15 at 16:48 +0200, Petr Vobornik wrote:
> >>> On 06/09/2015 02:02 PM, Jan Cholasta wrote:
> >>>> Dne 20.5.2015 v 11:26 Jan Cholasta napsal(a):
> >>>>> Dne 18.5.2015 v 10:33 thierry bordaz napsal(a):
> >>>>>> On 05/15/2015 04:44 PM, David Kupka wrote:
> >>>>>>> Hello Thierry,
> >>>>>>> thanks for the patch set. Overall functionality of ULC feature
> >>>>>>> looks good to me and is definitely "alpha ready".
> >>>>>>>
> >>>>>>> I found following issues but don't insist on fixing it right now:
> >>>>>>>
> >>>>>>> 1) When stageuser-activate fails due to already existent
> >>>>>>> active/deleted user.
> >>>>>>> DN is show instead of user name that's used in other commands
> >>>>>>> (user-add, stageuser-add).
> >>>>>>> $ ipa user-add tuser --first Test --last User
> >>>>>>> $ ipa stageuser-add tuser --first Test --last User
> >>>>>>> $ ipa stageuser-activate tuser
> >>>>>>> ipa: ERROR: Active user
> >>>>>>> uid=tuser,cn=users,cn=accounts,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
> >>>>>>> already exists
> >>>>>> Hi David, Jan,
> >>>>>>
> >>>>>> Thank you so much for all those tests and feedback. I agree, some
> >>>>>> minor bugs can be fixed separately from this main patches.
> >>>>>>
> >>>>>> You are right, it should return the user ID not the DN.
> >>>>>>
> >>>>>>> 2) According to the design there should be '--only-delete' and
> >>>>>>> '--also-delete' options for user-find command instead there is
> >>>>>>> '--preserved' option.
> >>>>>>> Honza proposed adding virtual boolean attribute 'deleted' to user
> >>>>>>> entry and filter on it.
> >>>>>>> The 'deleted' attribute would be useful also in user-show where
> >>>>>>> is no way to tell if the displayed user is active or deleted.
> >>>>>>> (Except running with --all and looking on the dn).
> >>>>>> Yes a bit late to resynch the design.
> >>>>>> The final option is 'preserved' for user-find and 'preserve' for
> >>>>>> user-del. '--only-delete' or 'also-delete' are old name that I
> >>>>>> need to replace in the design.
> >>>>>>
> >>>>>> About the 'deleted' attribute, do you think adding a DS cos virtual
> >>>>>> attribute ?
> >>>>> See the attached patch.
> >>>> Can someone please review the patch?
> >>>>
> >>>>>>> 3) uidNumber and gidNumber can't be set back to '-1' once set to
> >>>>>>> other value.
> >>>>>>> This would be useful when admin changes its mind and want IPA to
> >>>>>>> assign them.
> >>>>>>> IIUC, there should be no validation in cn=staged user container.
> >>>>>>> All validation should be done during stageuser-activate.
> >>>>>> Yes that comes from user plugin that enforce the number to be >0.
> >>>>>> That is a good point giving the ability to reset uidNumber/gidNumber.
> >>>>>> I will check if it is possible, how (give a value or an option to
> >>>>>> reset), and also if it would not create other issue.
> >>>>>>> 4) Support for deleted -> stage workflow is still missing. But I'm
> >>>>>>> unsure if we agreed to finish it now or later.
> >>>>>> Yes thanks
> >>>>>>> 5) Twice deleting user with '--preserve' deletes him permanently.
> >>>>>>> $ ipa user-add tuser --first Test --last User
> >>>>>>> $ ipa user-del tuser --preserve
> >>>>>>> $ ipa user-del tuser --preserve
> >>>>>>> $ ipa user-find --preserved
> >>>>>>> ------------------------
> >>>>>>> 0 (delete) users matched
> >>>>>>> ------------------------
> >>>>>>> ----------------------------
> >>>>>>> Number of entries returned 0
> >>>>>>> ----------------------------
> >>>>>> Deleting a deleted (preserved) entry, should permanently remove the
> >>>>>> entry.
> >>> +1, but no-op if default behavior is "preserve"
> >>>
> >>>>>> Now if the second time the preserve option is present, it makes
> >>>>>> sense to not delete it.
> >>> +1, should be no-op
> >>>
> >>>>> BTW: I might be stating the obvious here, but it would be better to
> >>>>> use one boolean parameter rather than two mutually exclusive flags in
> >>>>> user-del.
> >>>> I would like an opinion on this as well.
> >>>>
> >>> So the proposal is, e.g.,:
> >>>
> >>> Replace:
> >>> ipa user del fbar --preserve
> >>> ipa user del fbar --permanently
> >>> with:
> >>> ipa user del fbar --permanently=False
> >>> ipa user del fbar --permanently=True
> >>> and
> >>> ipa user del fbar
> >>> uses the default behavior(permanently atm.)
> >>>
> >>> I don't think there is a big difference. A boolean is easier for
> >>> scripting. 2 options are more descriptive for humans.
> >>> With a single boolean, I would be afraid that omitting it would imply
> >>> False to some users which is not always the same as "the default
> >>> behavior" [1].
> >>>
> >>> With Web UI developer hat I would vote for single boolean but as a CLI
> >>> user I would like the current options.
> >>>
> >>> Given that Web UI or any other API client should not define CLI, I
> >>> would keep the current options.
> >>>
> >>> my 2c
> >>>
> >>> [1]
> >>> http://www.freeipa.org/page/V4/User_Life-Cycle_Management#Delete_User
> >>> --
> >>> Petr Vobornik
> >>>
> >> +1 --preserve is 100x better for a human than --permanently=False
> >
> > I also prefer --preserve for usability of 'user del'.
> >
> > In addition we have 'user find|show --preserved' to retrieve users that
> > have been preserved. So it seems to me better that the action that
> > preserved the user uses the option '--preserve' rather
> > '--permanently=False'.
>
> It's ridiculous that the CLI taints the RPC API and it should be fixed.
>
> Also on a more nitpicky side, I think the flag should be called
> --no-preserve rather than --permanently. There is plenty of commands
> (rm, cp, ...) which have --no-preserve as opposite of --preserve.
>
> The attached patch fixes both.

Permanently sounds a little bit better said out loud, but no-preserve
conveys better the idea that this option is the opposite of the other
one. So this works for me.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
From: dkupka at redhat.com (David Kupka)
Date: Thu, 18 Jun 2015 15:42:16 +0200
Subject: [Freeipa-devel] [PATCH] 0005 User life cycle: del/mod/find/show stageuser commands
In-Reply-To: <5582AA05.6030004@redhat.com>
References: <552F964E.2060304@redhat.com> <553F437D.5080103@redhat.com> <553F44B7.6040100@redhat.com> <553F476E.8080502@redhat.com> <553F9BCE.6010000@redhat.com> <554869C3.2040509@redhat.com> <5551EF3E.1060503@redhat.com> <555216B9.1070106@redhat.com> <205373726.22060212.1431701099532.JavaMail.zimbra@redhat.com> <5559A3DD.7030002@redhat.com> <555C5348.2030202@redhat.com> <5576D5BB.8020500@redhat.com> <557EE5D3.8090408@redhat.com> <1434380423.22266.14.camel@willson.usersys.redhat.com> <557EEF72.7010507@redhat.com> <55827380.3050607@redhat.com> <5582A308.506@redhat.com> <5582AA05.6030004@redhat.com>
Message-ID: <5582CAB8.1000707@redhat.com>

Dne 18.6.2015 v 13:22 Petr Vobornik napsal(a):
> On 06/18/2015 12:52 PM, Jan Cholasta wrote:
>> Dne 18.6.2015 v 09:30 Jan Cholasta napsal(a):
>>> Dne 15.6.2015 v 17:29 thierry bordaz napsal(a):
>>>> On 06/15/2015 05:00 PM, Simo Sorce wrote:
>>>>> On Mon, 2015-06-15 at 16:48 +0200, Petr Vobornik wrote:
>>>>>> On 06/09/2015 02:02 PM, Jan Cholasta wrote:
>>>>>>> Dne 20.5.2015 v 11:26 Jan Cholasta napsal(a):
>>>>>>>> Dne 18.5.2015 v 10:33 thierry bordaz napsal(a):
>>>>>>>>> On 05/15/2015 04:44 PM, David Kupka wrote:
>>>>>>>>>> [...]
>>>>
>>>> I also prefer --preserve for usability of 'user del'.
>>>>
>>>> In addition we have 'user find|show --preserved' to retrieve users that
>>>> have been preserved. So it seems to me better that the action that
>>>> preserved the user uses the option '--preserve' rather
>>>> '--permanently=False'.
>>>
>>> It's ridiculous that the CLI taints the RPC API and it should be fixed.
>>>
>>> Also on a more nitpicky side, I think the flag should be called
>>> --no-preserve rather than --permanently. There is plenty of commands
>>> (rm, cp, ...) which have --no-preserve as opposite of --preserve.
>>>
>>> The attached patch fixes both.
>>
>> ... and it also accidentally changes the default behavior.
>>
>> Updated patch attached.
>>
>
> ACK if others are ok with changing --permanently to --no-preserve.
>
> Patch 446 fixed also issue #5, patch 446.1 doesn't fix it. Could be
> fixed separately.
>
> Attaching patch which addresses this API change in Web UI.
>

pvoborni's patch 0880 works for me, ACK. I also applied jcholast's patch
446.1 and did not encounter any issue.

--
David Kupka
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 18 Jun 2015 15:42:50 +0200
Subject: [Freeipa-devel] [PATCH 0041] add DS index for userCertificate attribute
In-Reply-To: <5582C0C0.5050107@redhat.com>
References: <558048C0.4070002@redhat.com> <5582C0C0.5050107@redhat.com>
Message-ID: <5582CADA.4090500@redhat.com>

On 06/18/2015 02:59 PM, Martin Basti wrote:
> On 16/06/15 18:03, Martin Babinsky wrote:
>> Related to http://www.freeipa.org/page/V4/User_Certificates and
>> https://fedorahosted.org/freeipa/ticket/4238
>>
>>
>>
> ACK
>

Pushed to master: 3bea4418089dc97136040cfc58157a77aea8b0aa

--
Petr Vobornik

From: mbabinsk at redhat.com (Martin Babinsky)
Date: Thu, 18 Jun 2015 15:50:56 +0200
Subject: [Freeipa-devel] [PATCH 0265] Server Upgrade: Create NIS server configuration during upgrade in off mode
In-Reply-To: <55799566.9020201@redhat.com>
References: <55799566.9020201@redhat.com>
Message-ID: <5582CCC0.50602@redhat.com>

On 06/11/2015 04:04 PM, Martin Basti wrote:
> Without this patch, upgrader shows the parent entry not found error.
>
> NIS Server plugin is disabled by default, must be enabled by ipa-nis-manage
>
> Patch attached.
>
>
ACK

--
Martin^3 Babinsky
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 18 Jun 2015 15:53:12 +0200
Subject: [Freeipa-devel] [PATCH 0266] ipa-ca-install fix: reconnect ldap2 after DS restart
In-Reply-To: <5582C1E0.3030305@redhat.com>
References: <558167D4.2020809@redhat.com> <5582C1E0.3030305@redhat.com>
Message-ID: <5582CD48.6060001@redhat.com>

On 18/06/15 15:04, Martin Babinsky wrote:
> On 06/17/2015 02:28 PM, Martin Basti wrote:
>> https://fedorahosted.org/freeipa/ticket/5064
>>
>> Patch attached.
>>
>>
>>
> ACK
>
Rebased patch attached.

--
Martin Basti

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0266.2-ipa-ca-install-fix-reconnect-ldap2-after-DS-restart.patch
Type: text/x-patch
Size: 1092 bytes
Desc: not available
URL:
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 18 Jun 2015 15:54:50 +0200
Subject: [Freeipa-devel] [PATCH] 0005 User life cycle: del/mod/find/show stageuser commands
In-Reply-To: <5582CAB8.1000707@redhat.com>
References: <552F964E.2060304@redhat.com> <553F437D.5080103@redhat.com> <553F44B7.6040100@redhat.com> <553F476E.8080502@redhat.com> <553F9BCE.6010000@redhat.com> <554869C3.2040509@redhat.com> <5551EF3E.1060503@redhat.com> <555216B9.1070106@redhat.com> <205373726.22060212.1431701099532.JavaMail.zimbra@redhat.com> <5559A3DD.7030002@redhat.com> <555C5348.2030202@redhat.com> <5576D5BB.8020500@redhat.com> <557EE5D3.8090408@redhat.com> <1434380423.22266.14.camel@willson.usersys.redhat.com> <557EEF72.7010507@redhat.com> <55827380.3050607@redhat.com> <5582A308.506@redhat.com> <5582AA05.6030004@redhat.com> <5582CAB8.1000707@redhat.com>
Message-ID: <5582CDAA.1040706@redhat.com>

On 06/18/2015 03:42 PM, David Kupka wrote:
> Dne 18.6.2015 v 13:22 Petr Vobornik napsal(a):
>> On 06/18/2015 12:52 PM, Jan Cholasta wrote:
>>> Dne 18.6.2015 v 09:30 Jan Cholasta napsal(a):
>>>> Dne 15.6.2015 v 17:29 thierry bordaz napsal(a):
>>>>> On 06/15/2015 05:00 PM, Simo Sorce wrote:
>>>>>> On Mon, 2015-06-15 at 16:48 +0200, Petr Vobornik wrote:
>>>>>>> On 06/09/2015 02:02 PM, Jan Cholasta wrote:
>>>>>>>> Dne 20.5.2015 v 11:26 Jan Cholasta napsal(a):
>>>>>>>>> Dne 18.5.2015 v 10:33 thierry bordaz napsal(a):
>>>>>>>>>> On 05/15/2015 04:44 PM, David Kupka wrote:
>>>>>>>>>>> [...]
>>>>
>>>> It's ridiculous that the CLI taints the RPC API and it should be fixed.
>>>>
>>>> Also on a more nitpicky side, I think the flag should be called
>>>> --no-preserve rather than --permanently. There is plenty of commands
>>>> (rm, cp, ...) which have --no-preserve as opposite of --preserve.
>>>>
>>>> The attached patch fixes both.
>>>
>>> ... and it also accidentally changes the default behavior.
>>>
>>> Updated patch attached.
>>>
>>
>> ACK if others are ok with changing --permanently to --no-preserve.
>>
>> Patch 446 fixed also issue #5, patch 446.1 doesn't fix it. Could be
>> fixed separately.
>>
>> Attaching patch which addresses this API change in Web UI.
>>
>>
>
> pvoborni's patch 0880 works for me, ACK. I also applied jcholast's patch
> 446.1 and did not encounter any issue.
>

pushed to master:

* 1d608251383e4842b89c941a76dbd13529558f42 User life cycle: change
  user-del flags to be CLI-specific
* baca55c665b2bdfa5cb9a6ad88daeccef0500999 webui: adjust user deleter
  dialog to new api

--
Petr Vobornik
From: derny at redhat.com (Drew Erny)
Date: Thu, 18 Jun 2015 10:09:29 -0400
Subject: [Freeipa-devel] Community Portal Prototype
In-Reply-To: <558278FD.5070609@redhat.com>
References: <5581C8D0.6060203@redhat.com> <558278FD.5070609@redhat.com>
Message-ID: <5582D119.2030208@redhat.com>

On 06/18/2015 03:53 AM, Petr Spacek wrote:
> On 17.6.2015 21:21, Drew Erny wrote:
>> Hello, all,
>>
>> I've built a prototype of the community portal, and I'd like a quick
>> sanity check on it. If someone would look over the architecture of this
>> code and make sure that the design is sensible before I proceed any
>> further, that would be very helpful. The source code can be found here:
>> https://github.com/dperny/freeipa-communityportal
>>
>> This code should run on your machine, and you should be able to add
>> users to the staging tree. It might not, however; the point is to have
>> the code looked at before I spend any more time on it.
>>
>> The Community Portal prototype is a Python Flask web-application that
>> acts as a client to a FreeIPA server. It collects input from the
>> unwashed masses (in the form of a user sign-up page) and then sends it
>> to the FreeIPA server. This way, the Community Portal acts like a
>> gateway between the FreeIPA server and the anonymous community users,
>> restricting the commands they can send to the server.
>>
>> Right now, the server imports FreeIPA's Python ipalib module, which
>> allows it to act like a client. It uses api.Command.stageuser_add(...)
>> to add new users to the staging area of the FreeIPA database. It then
>> sends an email to the admin (or, rather, it logs an email to the
>> console instead of sending one, in the prototype) to alert them to the
>> fact that a user has signed up.
>>
>> All feedback is welcome.
> It seems reasonable except for two things:
>
> a) Most importantly, obtaining credentials for authentication to the
> FreeIPA server is completely missing.
> > You need to 'somehow' fill in Kerberos credential cache with a valid ticket (~ > equivalent of kinit ) and use this ticket for authentication to the > FreeIPA server. > > Ugly and hacky way to do that can be seen in > https://git.fedorahosted.org/cgit/freeipa.git/tree/daemons/dnssec/ipa-ods-exporter?id=4dfa23256dc2e35480843beef92e03b1bafd578b#n395 > > > Maybe you should use GSS-Proxy so your code does not have to deal with > authentication at all and let GSS-Proxy do that for you behind the scenes. > > https://fedoraproject.org/wiki/Features/gss-proxy > https://fedorahosted.org/gss-proxy/ > > Please ask Simo for further details. This is definitely something I was keeping in mind, but I wasn't too worried about it in the short term, because I always assumed that the user would configure the Community Portal to run as a special user, and I know there is a way for machine users to get Kerberos tickets. I figured I'd work out the details of that once the design was approved, because the Community Portal will have a configuration script to deploy it, and setting up that authentication will be part of the configuration script. > > > b) I understand that this is a first prototype but we should replace the > e-mailing thingy before we release it. Direct generation of e-mails goes > against the spirit of (envisioned) notification system and has its inherent > problems. > > - It is not going to scale if you have a lot of requests. > - Does not allow additional logic (auto-approval/denial based on some criteria > etc.) built on top of that. > > Also, e.g. public website using FreeIPA behind the scenes for user management > might want to auto-approve accounts and put them to some pre-defined group > with lowest possible privileges. > > D-Bus hooks make this auto-approval possible and do not depend on a cron > job, i.e. eliminates the delay. The hook can of course do anything, use your > imagination :-) > > > I hope this helps to clarify why I insist on a proper hook. 
> With some tweaking emailing from the web application would scale fine if we use some sort of non-blocking call to send the emails. I think, because the Community Portal is an exterior fixture (it's a client to the FreeIPA server, not part of the server itself), it's outside of the purview of the planned message system. The Community Portal might live on a completely different server. Furthermore, if we wanted to build additional logic on approve/deny a user, that would have to be done on the client side anyway, to enforce the separation of concerns I have here (where the FreeIPA main application doesn't even have to be aware that there is a self service portal). So, to auto-approve/deny, we would just add additional logic to the User.save() method. I do not know how this would be easily user-configurable, and I think it's probably a bit out of scope for now anyway. So, basically, it's not clear to me why we need to be worrying about a proper D-Bus hook at this stage in the process. From pspacek at redhat.com Thu Jun 18 14:31:20 2015 
From: pspacek at redhat.com (Petr Spacek) Date: Thu, 18 Jun 2015 16:31:20 +0200 Subject: [Freeipa-devel] Community Portal Prototype In-Reply-To: <5582D119.2030208@redhat.com> References: <5581C8D0.6060203@redhat.com> <558278FD.5070609@redhat.com> <5582D119.2030208@redhat.com> Message-ID: <5582D638.7040001@redhat.com> On 18.6.2015 16:09, Drew Erny wrote: > On 06/18/2015 03:53 AM, Petr Spacek wrote: >> On 17.6.2015 21:21, Drew Erny wrote: >> a) Most importantly, obtaining credentials for authentication to the FreeIPA >> server is completely missing. >> >> You need to 'somehow' fill in Kerberos credential cache with a valid ticket (~ >> equivalent of kinit ) and use this ticket for authentication to the >> FreeIPA server. >> >> Ugly and hacky way to do that can be seen in >> https://git.fedorahosted.org/cgit/freeipa.git/tree/daemons/dnssec/ipa-ods-exporter?id=4dfa23256dc2e35480843beef92e03b1bafd578b#n395 >> >> >> >> Maybe you should use GSS-Proxy so your code does not have to deal with >> authentication at all and let GSS-Proxy do that for you behind the scenes. >> >> https://fedoraproject.org/wiki/Features/gss-proxy >> https://fedorahosted.org/gss-proxy/ >> >> Please ask Simo for further details. > This is definitely something I was keeping in mind, but I wasn't too worried > about it in the short term, because I always assumed that the user would > configure the Community Portal to run as a special user, and I know there is a > way for machine users to get Kerberos tickets. I figured I'd work out the > details of that once the design was approved, because the Community Portal > will have a configuration script to deploy it, and setting up that > authentication will be part of the configuration script. Okay then. >> b) I understand that this is a first prototype but we should replace the >> e-mailing thingy before we release it. Direct generation of e-mails goes >> against the spirit of (envisioned) notification system and has its inherent >> problems. 
>> >> - It is not going to scale if you have a lot of requests. >> - Does not allow additional logic (auto-approval/denial based on some criteria >> etc.) built on top of that. >> >> Also, e.g. public website using FreeIPA behind the scenes for user management >> might want to auto-approve accounts and put them to some pre-defined group >> with lowest possible privileges. >> >> D-Bus hooks make this auto-approval possible and do not depend on a cron >> job, i.e. eliminates the delay. The hook can of course do anything, use your >> imagination :-) >> >> >> I hope this helps to clarify why I insist on a proper hook. >> > With some tweaking emailing from the web application would scale fine if we > use some sort of non-blocking call to send the emails. I think, because the Let me clarify this: It will not scale on the receiving side. Free-form e-mail is meant for humans. If you are going to send XMLs (or some other structured data) in e-mails and parse them on the receiving side then you actually need a message bus and reliable transport and not unreliable e-mail as used today. > Community Portal is an exterior fixture (it's a client to the FreeIPA server, > not part of the server itself), it's outside of the purview of the planned > message system. The Community Portal might live on a completely different server. FreeIPA consists of several almost-independent services so I do not see a reason why this should be different in any way. Moreover, the hook should not be in the self-service portal but inside stageuser-add code in FreeIPA framework so the hook can be called universally, even if the command is called manually or from a different implementation of the Community Portal. > Furthermore, if we wanted to build additional logic on approve/deny a user, > that would have to be done on the client side anyway, to enforce the > separation of concerns I have here (where the FreeIPA main application doesn't > even have to be aware that there is a self service portal). 
> So, to D-Bus serves as the separation layer. FreeIPA should know *nothing* about any hook. FreeIPA code should only call the proper D-Bus method with correct parameters and let the hook implementation use the parameters in whatever way they want (and ignore the call if the hook does not exist, probably). > auto-approve/deny, we would just add additional logic to the User.save() > method. I do not know how this would be easily user-configurable, and I think > it's probably a bit out of scope for now anyway. Exactly - ease of configuration is the goal. D-Bus will provide separation so we do not need to worry about users tweaking the code we ship (with the intent to modify the behavior). Let me give you an example: 1) Community portal: Call IPA.stageuser_add(params) 2) IPA framework: call D-Bus method freeipa.hook.stageuser.add(params) 3) D-Bus: Invoke whatever implementation is registered for freeipa.hook.stageuser.add 4) freeipa.hook.stageuser.add implementation: Auto-approve the user and/or generate an e-mail to the admin. Please note that step (4) can be arbitrarily changed by the user just by modifying the service file for Systemd. The user will simply bind their own script as implementation of freeipa.hook.stageuser.add interface and that is it. No change to FreeIPA code is necessary. Does it make sense? > So, basically, it's not clear to me why we need to be worrying about a proper > D-Bus hook at this stage in the process. Not now but 'before we release it' :-) -- Petr^2 Spacek From mbabinsk at redhat.com Thu Jun 18 15:29:56 2015 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Thu, 18 Jun 2015 17:29:56 +0200 Subject: [Freeipa-devel] [PATCH 0266] ipa-ca-install fix: reconnect ldap2 after DS restart In-Reply-To: <5582CD48.6060001@redhat.com> References: <558167D4.2020809@redhat.com> <5582C1E0.3030305@redhat.com> <5582CD48.6060001@redhat.com> Message-ID: <5582E3F4.4050806@redhat.com> On 06/18/2015 03:53 PM, Martin Basti wrote: > On 18/06/15 15:04, Martin Babinsky wrote: >> On 06/17/2015 02:28 PM, Martin Basti wrote: >>> https://fedorahosted.org/freeipa/ticket/5064 >>> >>> Patch attached. >>> >>> >>> >> ACK >> > Rebased patch attached. > ACK to rebased patch :). -- Martin^3 Babinsky From pvoborni at redhat.com Thu Jun 18 15:47:46 2015 From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 18 Jun 2015 17:47:46 +0200 Subject: [Freeipa-devel] [PATCH 0266] ipa-ca-install fix: reconnect ldap2 after DS restart In-Reply-To: <5582E3F4.4050806@redhat.com> References: <558167D4.2020809@redhat.com> <5582C1E0.3030305@redhat.com> <5582CD48.6060001@redhat.com> <5582E3F4.4050806@redhat.com> Message-ID: <5582E822.1040205@redhat.com> On 06/18/2015 05:29 PM, Martin Babinsky wrote: > On 06/18/2015 03:53 PM, Martin Basti wrote: >> On 18/06/15 15:04, Martin Babinsky wrote: >>> On 06/17/2015 02:28 PM, Martin Basti wrote: >>>> https://fedorahosted.org/freeipa/ticket/5064 >>>> >>>> Patch attached. >>>> >>>> >>>> >>> ACK >>> >> Rebased patch attached. >> > ACK to rebased patch :). > Pushed to master: d2d13826c661e2ba244812897da13b40fbf2bc67 -- Petr Vobornik From pvoborni at redhat.com Thu Jun 18 15:52:58 2015 
From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 18 Jun 2015 17:52:58 +0200 Subject: [Freeipa-devel] [PATCH 0265] Server Upgrade: Create NIS server configuration during upgrade in off mode In-Reply-To: <5582CCC0.50602@redhat.com> References: <55799566.9020201@redhat.com> <5582CCC0.50602@redhat.com> Message-ID: <5582E95A.5040605@redhat.com> On 06/18/2015 03:50 PM, Martin Babinsky wrote: > On 06/11/2015 04:04 PM, Martin Basti wrote: >> Without this patch, upgrader shows the parent entry not found error. >> >> NIS Server plugin is disabled by default, must be enabled by >> ipa-nis-manage >> >> Patch attached. >> >> >> > ACK > Pushed to master: 20ffd4b61434e2630bf6512170a213767ff8d679 But I filled in the wrong reviewer by mistake - mbasti instead of mbabinsk. My apologies. -- Petr Vobornik From alee at redhat.com Thu Jun 18 17:45:23 2015 
From: alee at redhat.com (Ade Lee) Date: Thu, 18 Jun 2015 13:45:23 -0400 Subject: [Freeipa-devel] Need to figure out how to make a schema change Message-ID: <1434649523.4662.23.camel@localhost.localdomain> In order for IPA to use some new functionality in Profile Management and Sub CAs, we need to add some additional schema to the Dogtag LDAP instance. Fraser has written a Dogtag upgrade script to do this upgrade, but this script expects the DM password to be in password.conf. Some discussion on this script can be found here .. https://www.redhat.com/archives/pki-devel/2015-June/msg00054.html In general, I think that while Dogtag will provide a database upgrade framework and/or upgrade LDIF scripts, we will not - in general - know how to connect to the DB with a user that has credentials to make schema changes. Fortunately, these types of changes are rare. Note that in all the years Dogtag has been part of IPA, this is the first time this situation has arisen. The question now though is - how can we co-ordinate with IPA to make this change? This question may have both a short term (for this particular change) and long term answer. Thanks, Ade From nkinder at redhat.com Thu Jun 18 18:02:03 2015 
From: nkinder at redhat.com (Nathan Kinder) Date: Thu, 18 Jun 2015 11:02:03 -0700 Subject: [Freeipa-devel] Need to figure out how to make a schema change In-Reply-To: <1434649523.4662.23.camel@localhost.localdomain> References: <1434649523.4662.23.camel@localhost.localdomain> Message-ID: <5583079B.6050507@redhat.com> On 06/18/2015 10:45 AM, Ade Lee wrote: > In order for IPA to use some new functionality in Profile Management and > Sub CAs, we need to add some additional schema to the Dogtag LDAP > instance. > > Fraser has written a Dogtag upgrade script to do this upgrade, but this > script expects the DM password to be in password.conf. Some discussion > on this script can be found here .. > https://www.redhat.com/archives/pki-devel/2015-June/msg00054.html > > In general, I think that while Dogtag will provide a database upgrade > framework and/or upgrade LDIF scripts, we will not - in general - know > how to connect to the DB with a user that has credentials to make schema > changes. > > Fortunately, these types of changes are rare. Note that in all the > years Dogtag has been part of IPA, this is the first time this situation > has arisen. > > The question now though is - how can we co-ordinate with IPA to make > this change? This question may have both a short term (for this > particular change) and long term answer. What about using LDAPI and autobind functionality? If the upgrade script is run locally as root, then it can autobind to "cn=Directory Manager" without requiring a password. Thanks, -NGK > > Thanks, > Ade > From pvoborni at redhat.com Thu Jun 18 18:02:23 2015 
From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 18 Jun 2015 20:02:23 +0200 Subject: [Freeipa-devel] FreeIPA 4.2 Alpha preparations In-Reply-To: <5582B423.6040000@redhat.com> References: <557AA7AF.1070903@redhat.com> <55803C48.8010301@redhat.com> <20150616152944.GH29330@dhcp-40-8.bne.redhat.com> <55810BBE.1010906@redhat.com> <20150617103117.GL29330@dhcp-40-8.bne.redhat.com> <558195DB.4020100@redhat.com> <5582B423.6040000@redhat.com> Message-ID: <558307AF.7030700@redhat.com> On 06/18/2015 02:05 PM, Petr Vobornik wrote: > > I'm going to tag alpha_1-4-3-0 today at 15:00 CET. > > I'm not aware of any alpha blockers on FreeIPA side. Please contact me > if there are patches which should make the release. > > This release will be available in mkosek/freeipa-4-2 COPR repository. > When ready, the new dogtag should go into the COPR as well. > > What are the known issues which should be mentioned in release notes? > > http://www.freeipa.org/page/Releases/4.2.0.alpha1#Known_Issues There was a slight delay but all patches for the alpha were pushed. FreeIPA was tagged. COPR build is ready [1]. Given that the last tag in master branch was release-4-0-0, the detailed change log contains quite a lot of commits[2]. Is there a convenient command to do a commit diff between master and ipa-4-1 to list just the commits which are not in ipa-4-1? Ideally it should also take different versions of the same thing into account. [1] https://copr.fedoraproject.org/coprs/mkosek/freeipa-4.2/builds/ [2] http://www.freeipa.org/page/Releases/4.2.0.alpha1#Detailed_Changelog_since_4.0 -- Petr Vobornik From jhrozek at redhat.com Thu Jun 18 18:13:48 2015 
From: jhrozek at redhat.com (Jakub Hrozek) Date: Thu, 18 Jun 2015 20:13:48 +0200 Subject: [Freeipa-devel] FreeIPA 4.2 Alpha preparations In-Reply-To: <558307AF.7030700@redhat.com> References: <557AA7AF.1070903@redhat.com> <55803C48.8010301@redhat.com> <20150616152944.GH29330@dhcp-40-8.bne.redhat.com> <55810BBE.1010906@redhat.com> <20150617103117.GL29330@dhcp-40-8.bne.redhat.com> <558195DB.4020100@redhat.com> <5582B423.6040000@redhat.com> <558307AF.7030700@redhat.com> Message-ID: <20150618181348.GL3006@hendrix> On Thu, Jun 18, 2015 at 08:02:23PM +0200, Petr Vobornik wrote: > On 06/18/2015 02:05 PM, Petr Vobornik wrote: > > > >I'm going to tag alpha_1-4-3-0 today at 15:00 CET. > > > >I'm not aware of any alpha blockers on FreeIPA side. Please contact me > >if there are patches which should make the release. > > > >This release will be available in mkosek/freeipa-4-2 COPR repository. > >When ready, the new dogtag should go into the COPR as well. > > > >What are the known issues which should be mentioned in release notes? > > > >http://www.freeipa.org/page/Releases/4.2.0.alpha1#Known_Issues > > There was a slight delay but all patches for the alpha were pushed. FreeIPA > was tagged. COPR build is ready [1]. > > Given that the last tag in master branch was release-4-0-0, the detailed > change log contains quite a lot of commits[2] > > Is there a convenient command to do a commit diff between master and ipa-4-1 > to list just the commits which are not in ipa-4-1? Ideally it should also > take different versions of the same thing into account. No, I had a dumb Python script that acted on commit messages (sic!) to filter out the already-released commits. From derny at redhat.com Thu Jun 18 21:30:44 2015 
From: derny at redhat.com (Drew Erny) Date: Thu, 18 Jun 2015 17:30:44 -0400 Subject: [Freeipa-devel] [RFC] Community Portal Message-ID: <55833884.9040406@redhat.com> Hi, all, More email about the community portal. This time, I have a design proposal for you: http://www.freeipa.org/page/V4/Community_Portal Tell me what you think. Thanks, Drew Erny From ftweedal at redhat.com Fri Jun 19 01:19:50 2015 
From: ftweedal at redhat.com (Fraser Tweedale) Date: Fri, 19 Jun 2015 11:19:50 +1000 Subject: [Freeipa-devel] Need to figure out how to make a schema change In-Reply-To: <5583079B.6050507@redhat.com> References: <1434649523.4662.23.camel@localhost.localdomain> <5583079B.6050507@redhat.com> Message-ID: <20150619011950.GP29330@dhcp-40-8.bne.redhat.com> On Thu, Jun 18, 2015 at 11:02:03AM -0700, Nathan Kinder wrote: > > > On 06/18/2015 10:45 AM, Ade Lee wrote: > > In order for IPA to use some new functionality in Profile Management and > > Sub CAs, we need to add some additional schema to the Dogtag LDAP > > instance. > > > > Fraser has written a Dogtag upgrade script to do this upgrade, but this > > script expects the DM password to be in password.conf. Some discussion > > on this script can be found here .. > > https://www.redhat.com/archives/pki-devel/2015-June/msg00054.html > > > > In general, I think that while Dogtag will provide a database upgrade > > framework and/or upgrade LDIF scripts, we will not - in general - know > > how to connect to the DB with a user that has credentials to make schema > > changes. > > > > Fortunately, these types of changes are rare. Note that in all the > > years Dogtag has been part of IPA, this is the first time this situation > > has arisen. > > > > The question now though is - how can we co-ordinate with IPA to make > > this change? This question may have both a short term (for this > > particular change) and long term answer. > > What about using LDAPI and autobind functionality? If the upgrade > script is run locally as root, then it can autobind to "cn=Directory > Manager" without requiring a password. > I like this idea, but I'm not sure how to accurately locate the socket, because the name depends on the domain, e.g. `/var/run/slapd-EXAMPLE-COM.socket'. 
Since the new schema is for now only used by and supported for IPA, I think the immediate way forward is to provide the new schema LDIF in the Dogtag package (as the current patch does), and have FreeIPA use it to update the DS. I will have patch for IPA and updated patch for Dogtag shortly. We will then work out what is the way forward for Dogtag to reliably manage its schema updates in the variety of authentication scenarios. Thanks, Fraser > Thanks, > -NGK > > > > > Thanks, > > Ade > > From edewata at redhat.com Fri Jun 19 02:08:24 2015 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 18 Jun 2015 21:08:24 -0500 Subject: [Freeipa-devel] Need to figure out how to make a schema change In-Reply-To: <20150619011950.GP29330@dhcp-40-8.bne.redhat.com> References: <1434649523.4662.23.camel@localhost.localdomain> <5583079B.6050507@redhat.com> <20150619011950.GP29330@dhcp-40-8.bne.redhat.com> Message-ID: <55837998.2000205@redhat.com> On 6/18/2015 8:19 PM, Fraser Tweedale wrote: >>> In order for IPA to use some new functionality in Profile Management and >>> Sub CAs, we need to add some additional schema to the Dogtag LDAP >>> instance. >>> >>> Fraser has written a Dogtag upgrade script to do this upgrade, but this >>> script expects the DM password to be in password.conf. Some discussion >>> on this script can be found here .. >>> https://www.redhat.com/archives/pki-devel/2015-June/msg00054.html >>> >>> In general, I think that while Dogtag will provide a database upgrade >>> framework and/or upgrade LDIF scripts, we will not - in general - know >>> how to connect to the DB with a user that has credentials to make schema >>> changes. >>> >>> Fortunately, these types of changes are rare. Note that in all the >>> years Dogtag has been part of IPA, this is the first time this situation >>> has arisen. >>> >>> The question now though is - how can we co-ordinate with IPA to make >>> this change? This question may have both a short term (for this >>> particular change) and long term answer. >> >> What about using LDAPI and autobind functionality? If the upgrade >> script is run locally as root, then it can autobind to "cn=Directory >> Manager" without requiring a password. >> > I like this idea, but I'm not sure how to accurately locate the > socket, because the name depends on the domain, e.g. > `/var/run/slapd-EXAMPLE-COM.socket'. I think the socket name would have to be provided by IPA via PKI deployment configuration. I'm just wondering how LDAPI with autobind would work with nuxwdog. 
Supposedly when nuxwdog is enabled the server can only be started by providing the NSS and LDAP database passwords. Does LDAPI with autobind make it less secure since the LDAP password is no longer required? Also, LDAPI wouldn't work if the DS is on a different machine in general PKI deployment. I created this page about PKI database upgrade: http://pki.fedoraproject.org/wiki/Database_Upgrade > Since the new schema is for now only used by and supported for IPA, > I think the immediate way forward is to provide the new schema LDIF > in the Dogtag package (as the current patch does), and have FreeIPA > use it to update the DS. I will have patch for IPA and updated > patch for Dogtag shortly. > > We will then work out what is the way forward for Dogtag to reliably > manage its schema updates in the variety of authentication > scenarios. > > Thanks, > Fraser -- Endi S. Dewata From nkinder at redhat.com Fri Jun 19 02:51:53 2015 
From: nkinder at redhat.com (Nathan Kinder) Date: Thu, 18 Jun 2015 19:51:53 -0700 Subject: [Freeipa-devel] Need to figure out how to make a schema change In-Reply-To: <55837998.2000205@redhat.com> References: <1434649523.4662.23.camel@localhost.localdomain> <5583079B.6050507@redhat.com> <20150619011950.GP29330@dhcp-40-8.bne.redhat.com> <55837998.2000205@redhat.com> Message-ID: <558383C9.5010002@redhat.com> On 06/18/2015 07:08 PM, Endi Sukma Dewata wrote: > On 6/18/2015 8:19 PM, Fraser Tweedale wrote: >>>> In order for IPA to use some new functionality in Profile Management >>>> and >>>> Sub CAs, we need to add some additional schema to the Dogtag LDAP >>>> instance. >>>> >>>> Fraser has written a Dogtag upgrade script to do this upgrade, but this >>>> script expects the DM password to be in password.conf. Some discussion >>>> on this script can be found here .. >>>> https://www.redhat.com/archives/pki-devel/2015-June/msg00054.html >>>> >>>> In general, I think that while Dogtag will provide a database upgrade >>>> framework and/or upgrade LDIF scripts, we will not - in general - know >>>> how to connect to the DB with a user that has credentials to make >>>> schema >>>> changes. >>>> >>>> Fortunately, these types of changes are rare. Note that in all the >>>> years Dogtag has been part of IPA, this is the first time this >>>> situation >>>> has arisen. >>>> >>>> The question now though is - how can we co-ordinate with IPA to make >>>> this change? This question may have both a short term (for this >>>> particular change) and long term answer. >>> >>> What about using LDAPI and autobind functionality? If the upgrade >>> script is run locally as root, then it can autobind to "cn=Directory >>> Manager" without requiring a password. >>> >> I like this idea, but I'm not sure how to accurately locate the >> socket, because the name depends on the domain, e.g. >> `/var/run/slapd-EXAMPLE-COM.socket'. 
> > I think the socket name would have to be provided by IPA via PKI > deployment configuration. That would work. The other alternative is that we could advertise it in the root DSE. > > I'm just wondering how LDAPI with autobind would work with nuxwdog. > Supposedly when nuxwdog is enabled the server can only be started by > providing the NSS and LDAP database passwords. Does LDAPI with autobind > make it less secure since the LDAP password is no longer required? LDAPI still requires the server to be started to work. How does nuxwdog fit into this issue? > > Also, LDAPI wouldn't work if the DS is on a different machine in general > PKI deployment. Correct. > > I created this page about PKI database upgrade: > http://pki.fedoraproject.org/wiki/Database_Upgrade > >> Since the new schema is for now only used by and supported for IPA, >> I think the immediate way forward is to provide the new schema LDIF >> in the Dogtag package (as the current patch does), and have FreeIPA >> use it to update the DS. I will have patch for IPA and updated >> patch for Dogtag shortly. >> >> We will then work out what is the way forward for Dogtag to reliably >> manage its schema updates in the variety of authentication >> scenarios. >> >> Thanks, >> Fraser > From mkosek at redhat.com Fri Jun 19 06:22:41 2015 
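The socket-location question Fraser raised and the root-only autobind Nathan suggested, as an added example that is not part of this thread or of the freeipa or Dogtag code: it derives the slapd socket path and the percent-encoded ldapi:// URI from a realm, and lists the preconditions a local upgrade script relying on autobind would have to check. SOCKET_DIR, the helper names and the realm syntax check are assumptions.

```python
"""Locate the 389-DS LDAPI socket for a FreeIPA realm and check autobind preconditions.

Added example, not code from the freeipa or Dogtag projects. The naming follows
the thread: realm EXAMPLE.COM -> /var/run/slapd-EXAMPLE-COM.socket. SOCKET_DIR,
the helper names and the realm syntax check are assumptions.
"""
import os
import re
import stat
from urllib.parse import quote, unquote, urlsplit

# Assumption: the directory quoted in the thread; some systems use /run instead.
SOCKET_DIR = "/var/run"

# Assumption: realm = dot-separated labels of letters, digits and dashes.
_REALM_RE = re.compile(r"[A-Za-z0-9]+(\.[A-Za-z0-9-]+)*")


def realm_to_serverid(realm):
    """Map a Kerberos realm to the 389-DS instance name: dots become dashes."""
    if not _REALM_RE.fullmatch(realm):
        raise ValueError("unexpected realm syntax: %r" % (realm,))
    return realm.replace(".", "-")


def ldapi_socket_path(realm, socket_dir=SOCKET_DIR):
    """Filesystem path of the instance's LDAPI unix socket."""
    return os.path.join(socket_dir, "slapd-%s.socket" % realm_to_serverid(realm))


def ldapi_uri(realm, socket_dir=SOCKET_DIR):
    """ldapi:// URI for the socket.

    The socket path travels in the host part of the URI, so every '/' must be
    percent-encoded: quote(..., safe="") emits %2F (the lowercase %2f seen in
    freeipa code is equivalent, hex digits are case-insensitive).
    """
    return "ldapi://" + quote(ldapi_socket_path(realm, socket_dir), safe="")


def socket_path_from_uri(uri):
    """Inverse of ldapi_uri(): recover the socket path from an ldapi:// URI."""
    parts = urlsplit(uri)
    if parts.scheme != "ldapi" or not parts.netloc:
        raise ValueError("not an ldapi URI: %r" % (uri,))
    return unquote(parts.netloc)


def autobind_problems(realm, euid=None, socket_dir=SOCKET_DIR):
    """Return the reasons an LDAPI autobind as Directory Manager would not work.

    389-DS autobind maps only uid 0 to the configured root DN; any other local
    user is mapped to its own entry (or refused), so a non-root upgrade script
    gets no schema-modification rights even though no password is asked for.
    The bind itself is SASL/EXTERNAL over the unix socket.
    """
    problems = []
    if (os.geteuid() if euid is None else euid) != 0:
        problems.append("not running as root: autobind will not map to Directory Manager")
    path = ldapi_socket_path(realm, socket_dir)
    try:
        st = os.stat(path)
    except FileNotFoundError:
        problems.append("%s does not exist: is the DS instance for %s running?" % (path, realm))
    else:
        if not stat.S_ISSOCK(st.st_mode):
            problems.append("%s is not a unix socket" % path)
    return problems


if __name__ == "__main__":
    realm = "EXAMPLE.COM"  # constructed sample realm
    print(ldapi_socket_path(realm))
    print(ldapi_uri(realm))
    for p in autobind_problems(realm):
        print("autobind precondition failed:", p)
```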
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 19 Jun 2015 08:22:41 +0200 Subject: [Freeipa-devel] Need to figure out how to make a schema change In-Reply-To: <558383C9.5010002@redhat.com> References: <1434649523.4662.23.camel@localhost.localdomain> <5583079B.6050507@redhat.com> <20150619011950.GP29330@dhcp-40-8.bne.redhat.com> <55837998.2000205@redhat.com> <558383C9.5010002@redhat.com> Message-ID: <5583B531.4000608@redhat.com> On 06/19/2015 04:51 AM, Nathan Kinder wrote: > > > On 06/18/2015 07:08 PM, Endi Sukma Dewata wrote: >> On 6/18/2015 8:19 PM, Fraser Tweedale wrote: >>>>> In order for IPA to use some new functionality in Profile Management >>>>> and >>>>> Sub CAs, we need to add some additional schema to the Dogtag LDAP >>>>> instance. >>>>> >>>>> Fraser has written a Dogtag upgrade script to do this upgrade, but this >>>>> script expects the DM password to be in password.conf. Some discussion >>>>> on this script can be found here .. >>>>> https://www.redhat.com/archives/pki-devel/2015-June/msg00054.html >>>>> >>>>> In general, I think that while Dogtag will provide a database upgrade >>>>> framework and/or upgrade LDIF scripts, we will not - in general - know >>>>> how to connect to the DB with a user that has credentials to make >>>>> schema >>>>> changes. >>>>> >>>>> Fortunately, these types of changes are rare. Note that in all the >>>>> years Dogtag has been part of IPA, this is the first time this >>>>> situation >>>>> has arisen. >>>>> >>>>> The question now though is - how can we co-ordinate with IPA to make >>>>> this change? This question may have both a short term (for this >>>>> particular change) and long term answer. >>>> >>>> What about using LDAPI and autobind functionality? If the upgrade >>>> script is run locally as root, then it can autobind to "cn=Directory >>>> Manager" without requiring a password. >>>> >>> I like this idea, but I'm not sure how to accurately locate the >>> socket, because the name depends on the domain, e.g. 
>>> `/var/run/slapd-EXAMPLE-COM.socket'. >> >> I think the socket name would have to be provided by IPA via PKI >> deployment configuration. > > That would work. The other alternative is that we could advertise it in > the root DSE. That would make upgrades harder, if IPA would have to pass this setting to PKI before PKI could upgrade. PKI should be aware of the realm/suffix/database name it runs on already, right? From ftweedal at redhat.com Fri Jun 19 07:28:38 2015 From: ftweedal at redhat.com (Fraser Tweedale) Date: Fri, 19 Jun 2015 17:28:38 +1000 Subject: [Freeipa-devel] [PATCH] 0020..0022 pki-related upgrade fixes Message-ID: <20150619072838.GR29330@dhcp-40-8.bne.redhat.com> The attached patches fix upgrade issues when pki is also updated from pre 10.2.4. pki dependency is bumped to 10.2.5 - the official builds should be done Friday (US time) but it is available from my copr[1]. If someone wants to add to official freeipa COPR in meantime the SRPM is here[2]. [1] https://copr.fedoraproject.org/coprs/ftweedal/freeipa/ [2] https://ftweedal.fedorapeople.org/pki-core-10.2.5-0.2.fc21.src.rpm Thanks, Fraser -------------- next part -------------- From 00848315ad19a9acdc132904c143c8951e028e67 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 19 Jun 2015 01:37:26 -0400 Subject: [PATCH 20/22] Upgrade: disconnect ldap2 after adding CA DNS records Non-disconnection of ldap2 backend in 'add_ca_dns_records' seems to be causing problems with later uses. Avoid the problem by disconnecting it before returning. --- ipaserver/install/server/upgrade.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index a9dac59e009f5646630b7a8dd0e92f39b5a44a86..a949af58ff3f0b1df03e23fed6575e669f97cb15 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py 
@@ -1038,6 +1038,7 @@ def add_ca_dns_records(): if not ret['result']: root_logger.info('DNS is not configured') sysupgrade.set_upgrade_state('dns', 'ipa_ca_records', True) + api.Backend.ldap2.disconnect() return bind = bindinstance.BindInstance() @@ -1050,6 +1051,7 @@ def add_ca_dns_records(): ca_configured=None) sysupgrade.set_upgrade_state('dns', 'ipa_ca_records', True) + api.Backend.ldap2.disconnect() def find_subject_base(): -- 2.1.0 -------------- next part -------------- From 56c95d5258ffff2c4364910994a05017498df204 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 16 Jun 2015 07:40:36 -0400 Subject: [PATCH 21/22] Upgrade CA schema during upgrade New schema (for LDAP-based profiles) was introduced in Dogtag, but Dogtag does not yet have a reliable method for upgrading its schema. Use FreeIPA's schema update machinery to add the new attributeTypes and objectClasses defined by Dogtag. Also update the pki dependencies to 10.2.5, which provides the schema update file. --- freeipa.spec.in | 6 +++--- ipaserver/install/server/upgrade.py | 26 ++++++++++++++++++++++++++ 2 files changed, 29 insertions(+), 3 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 809ac1e5bb877c85e29c082ecfb9ad91aa97b4f5..a8c70f8a414855bb00bf4048ad788e455d0b94e2 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -92,7 +92,7 @@ BuildRequires: python-backports-ssl_match_hostname BuildRequires: softhsm-devel >= 2.0.0rc1-1 BuildRequires: openssl-devel BuildRequires: p11-kit-devel -BuildRequires: pki-base >= 10.2.4-1 +BuildRequires: pki-base >= 10.2.5 BuildRequires: python-pytest-multihost >= 0.5 BuildRequires: python-pytest-sourceorder 
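Review bot: in the second add_ca_dns_records hunk the disconnect is only reached on the normal exit path; if the bindinstance call between the two hunks or set_upgrade_state() raises, ldap2 stays connected and the "later uses" problem the commit message describes comes back. Wrapping the body in try/finally with a single `api.Backend.ldap2.disconnect()` in the finally block covers the early `return` in the first hunk, the normal return and the exception path, and removes the duplicated call.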
@@ -135,8 +135,8 @@ Requires(post): systemd-units Requires: selinux-policy >= %{selinux_policy_version} Requires(post): selinux-policy-base Requires: slapi-nis >= 0.54.2-1 -Requires: pki-ca >= 10.2.4-1 -Requires: pki-kra >= 10.2.4-1 +Requires: pki-ca >= 10.2.5 +Requires: pki-kra >= 10.2.5 Requires(preun): python systemd-units Requires(postun): python systemd-units Requires: python-dns >= 1.11.1 diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index a949af58ff3f0b1df03e23fed6575e669f97cb15..78a4ace82f35193652cc535423309c67bca09df4 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -1256,6 +1256,31 @@ def update_mod_nss_protocol(http): sysupgrade.set_upgrade_state('nss.conf', 'protocol_updated_tls12', True) +def ca_upgrade_schema(ca): + root_logger.info('[Upgrading CA schema]') + if not ca.is_configured(): + root_logger.info('CA is not configured') + return False + + realm = krbV.default_context().default_realm + upgrade = IPAUpgrade(realm, + schema_files=['/usr/share/pki/server/conf/schema-certProfile.ldif']) + try: + upgrade.create_instance() + except BadSyntax: + raise RuntimeError( + 'Bad syntax detected in CA schema file(s).', 1) + except RuntimeError: + raise RuntimeError('CA schema upgrade failed.', 1) + else: + if upgrade.modified: + root_logger.info('CA schema update complete') + return True + else: + root_logger.info('CA schema update complete (no changes)') + return False + + def add_default_caacl(ca): root_logger.info('[Add default CA ACL]') @@ -1443,6 +1468,7 @@ def upgrade_configuration(): ca_restart = any([ ca_restart, + ca_upgrade_schema(ca), upgrade_ca_audit_cert_validity(ca), certificate_renewal_update(ca), ca_enable_pkix(ca), -- 2.1.0 -------------- next part -------------- From c29e538ce269f31a6ac417c5288172accd2bdb11 Mon Sep 17 00:00:00 2001 
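Review bot: in ca_upgrade_schema, `except RuntimeError: raise RuntimeError('CA schema upgrade failed.', 1)` discards the original error, so an admin debugging a failed upgrade sees only the generic message; log the caught exception before re-raising, or include its text in the new message. The schema path '/usr/share/pki/server/conf/schema-certProfile.ldif' is hard-coded and only exists with the pki 10.2.5 this patch requires; a module-level constant plus an explicit existence check with a clear message would make a missing file diagnosable instead of surfacing as the generic failure above. The hunk also uses krbV, IPAUpgrade and BadSyntax without adding imports; confirm upgrade.py already imports them.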
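Review bot: in the upgrade_configuration hunk, ca_upgrade_schema(ca) goes first in the any([...]) list, which is right if the later CA steps rely on the new schema, but two things to confirm: if IPAUpgrade.create_instance() stops and restarts the directory server, any ldap2 connection open at this point in upgrade_configuration is stale for the steps that follow (compare the reconnect fix in PATCH 0266 earlier in this digest); and because the list is evaluated eagerly, a RuntimeError from ca_upgrade_schema aborts the whole upgrade before upgrade_ca_audit_cert_validity and the rest run, which may be intended but deserves a comment.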
From: Fraser Tweedale Date: Tue, 16 Jun 2015 07:38:06 -0400 Subject: [PATCH 22/22] Migrate CA profiles after enabling LDAPProfileSubsystem After enabling LDAPProfileSubsystem in Dogtag, migrate the file-based profiles into the LDAP database. --- ipaserver/install/cainstance.py | 134 ++++++++++++++++++++++++++++-------- ipaserver/install/server/upgrade.py | 7 +- 2 files changed, 111 insertions(+), 30 deletions(-) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 563a198ab472a58cc6fbeeceb7731486ce7ca6b5..90e8b03754d71845c6b6335c0f2c2e3657037a26 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -1639,6 +1639,29 @@ def update_people_entry(dercert): return True +def ensure_ldap_profiles_container(): + server_id = installutils.realm_to_serverid(api.env.realm) + dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id + + conn = ldap2.ldap2(shared_instance=False, ldap_uri=dogtag_uri) + if not conn.isconnected(): + conn.connect(autobind=True) + + dn = DN(('ou', 'certificateProfiles'), ('ou', 'ca'), ('o', 'ipaca')) + try: + conn.get_entry(dn) + except errors.NotFound: + # entry doesn't exist; add it + entry = conn.make_entry( + dn, + objectclass=['top', 'organizationalUnit'], + ou=['certificateProfiles'], + ) + conn.add_entry(entry) + + conn.disconnect() + + def configure_profiles_acl(): server_id = installutils.realm_to_serverid(api.env.realm) dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id @@ -1677,6 +1700,9 @@ def import_included_profiles(): if not conn.isconnected(): conn.connect(autobind=True) + api.Backend.ra_certprofile._read_password() + api.Backend.ra_certprofile.override_port = 8443 + for (profile_id, desc, store_issued) in dogtag.INCLUDED_PROFILES: dn = DN(('cn', profile_id), api.env.container_certprofile, api.env.basedn) 
@@ -1685,9 +1711,6 @@ def import_included_profiles(): continue # the profile is present except errors.NotFound: # profile not found; add it - profile_data = ipautil.template_file( - '/usr/share/ipa/profiles/{}.cfg'.format(profile_id), sub_dict) - entry = conn.make_entry( dn, objectclass=['ipacertprofile'], 
@@ -1696,34 +1719,91 @@ def import_included_profiles(): ipacertprofilestoreissued=['TRUE' if store_issued else 'FALSE'], ) conn.add_entry(entry) - api.Backend.ra_certprofile._read_password() - api.Backend.ra_certprofile.override_port = 8443 - with api.Backend.ra_certprofile as profile_api: - # import the profile - try: - profile_api.create_profile(profile_data) - except errors.RemoteRetrieveError: - # conflicting profile; replace it if we are - # installing IPA, but keep it for upgrades - if api.env.context == 'installer': - try: - profile_api.disable_profile(profile_id) - except errors.RemoteRetrieveError: - pass - profile_api.delete_profile(profile_id) - profile_api.create_profile(profile_data) - - # enable the profile - try: - profile_api.enable_profile(profile_id) - except errors.RemoteRetrieveError: - pass - - api.Backend.ra_certprofile.override_port = None + profile_data = ipautil.template_file( + '/usr/share/ipa/profiles/{}.cfg'.format(profile_id), sub_dict) + _create_dogtag_profile(profile_id, profile_data) root_logger.info("Imported profile '%s'", profile_id) + api.Backend.ra_certprofile.override_port = None conn.disconnect() + +def migrate_profiles_to_ldap(): + """Migrate profiles from filesystem to LDAP. + + This must be run *after* switching to the LDAPProfileSubsystem + and restarting the CA. + + The profile might already exist, e.g. if a replica was already + upgraded, so this case is ignored. 
+ + """ + ensure_ldap_profiles_container() + + api.Backend.ra_certprofile._read_password() + api.Backend.ra_certprofile.override_port = 8443 + + cs_cfg = None + with open(dogtag.configured_constants().CS_CFG_PATH) as f: + cs_cfg = f.read() + match = re.search(r'^profile\.list=(\S*)', cs_cfg, re.MULTILINE) + profile_ids = match.group(1).split(',') + + print cs_cfg + for profile_id in profile_ids: + match = re.search( + r'^profile\.{}\.config=(\S*)'.format(profile_id), + cs_cfg, re.MULTILINE + ) + if match is None: + root_logger.info("No file for profile '%s'; skipping", profile_id) + continue + filename = match.group(1) + + match = re.search( + r'^profile\.{}\.class_id=(\S*)'.format(profile_id), + cs_cfg, re.MULTILINE + ) + if match is None: + root_logger.info("No class_id for profile '%s'; skipping", profile_id) + continue + class_id = match.group(1) + + root_logger.info("Migrating profile '%s' to LDAP", profile_id) + with open(filename) as f: + profile_data = f.read() + if profile_data[-1] != '\n': + profile_data += '\n' + profile_data += 'profileId={}\n'.format(profile_id) + profile_data += 'classId={}\n'.format(class_id) + _create_dogtag_profile(profile_id, profile_data) + + api.Backend.ra_certprofile.override_port = None + + +def _create_dogtag_profile(profile_id, profile_data): + with api.Backend.ra_certprofile as profile_api: + # import the profile + try: + profile_api.create_profile(profile_data) + except errors.RemoteRetrieveError: + # conflicting profile; replace it if we are + # installing IPA, but keep it for upgrades + if api.env.context == 'installer': + try: + profile_api.disable_profile(profile_id) + except errors.RemoteRetrieveError: + pass + profile_api.delete_profile(profile_id) + profile_api.create_profile(profile_data) + + # enable the profile + try: + profile_api.enable_profile(profile_id) + except errors.RemoteRetrieveError: + pass + + if __name__ == "__main__": standard_logging_setup("install.log") ds = dsinstance.DsInstance() 
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 78a4ace82f35193652cc535423309c67bca09df4..1a4588a540e7c91fa009e14c007c16809c807a6b 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -332,8 +332,8 @@ def ca_enable_ldap_profile_subsystem(ca): quotes=False, separator='=') - # TODO import file-based profiles into Dogtag - # More code needed on Dogtag side for this. + ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME) + cainstance.migrate_profiles_to_ldap() return needs_update @@ -1473,7 +1473,6 @@ def upgrade_configuration(): certificate_renewal_update(ca), ca_enable_pkix(ca), ca_configure_profiles_acl(ca), - ca_enable_ldap_profile_subsystem(ca), ]) if ca_restart: @@ -1483,6 +1482,8 @@ def upgrade_configuration(): except ipautil.CalledProcessError as e: root_logger.error("Failed to restart %s: %s", ca.service_name, e) + ca_enable_ldap_profile_subsystem(ca) + # This step MUST be done after ca_enable_ldap_profile_subsystem and # ca_configure_profiles_acl, and the consequent restart, but does not # itself require a restart. -- 2.1.0 From mkosek at redhat.com Fri Jun 19 07:38:01 2015 
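Review bot: in the two add_ca_dns_records hunks (the first patch's `api.Backend.ldap2.disconnect()` additions before the early `return` and at the end of the function), disconnect() is reached only on the normal exit paths; if `bindinstance.BindInstance()` or anything between the two calls raises, the bound connection is left open. A try/finally (or a small context manager) around the body covers every exit and also removes the duplicated call before `return`.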
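Review bot: ca_upgrade_schema (the upgrade.py hunk of PATCH 21/22) re-raises with `except RuntimeError: raise RuntimeError('CA schema upgrade failed.', 1)`, which drops the original exception text, so a failed schema load leaves no clue in the upgrade log about what went wrong; log the caught exception, or fold its message into the new one, before re-raising. The trailing `1` passed to RuntimeError is not interpreted as an exit status (it just becomes part of `args`), so either drop it or raise the exception type the caller treats as carrying a return code. The schema path '/usr/share/pki/server/conf/schema-certProfile.ldif' is hard-coded here while the spec bump to pki-base >= 10.2.5 is what guarantees the file exists; a named constant next to the other platform paths keeps that coupling visible.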
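Review bot: ensure_ldap_profiles_container (first cainstance.py hunk of PATCH 22/22) opens a private connection (`shared_instance=False`) and calls `conn.disconnect()` only on the success path; `get_entry`/`add_entry` can raise anything other than errors.NotFound, and then the socket is never closed. Wrap the lookup-and-add in try/finally. The server_id/dogtag_uri/connect prologue is the same three lines that configure_profiles_acl directly below starts with; a helper returning the connected conn would avoid repeating it.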
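Review bot: `print cs_cfg` in migrate_profiles_to_ldap looks like a debugging leftover; it writes the entire CS.cfg to the stdout of ipa-server-upgrade and should go before this merges. In the same function, `match.group(1)` after the `profile.list` search raises AttributeError when the key is absent, `profile_data[-1]` raises IndexError on an empty profile file, and profile_id is interpolated into the regex without re.escape(), so an id containing '.' or other metacharacters can match the wrong key. `api.Backend.ra_certprofile.override_port = None` is only reached if every _create_dogtag_profile call returns; put it in a finally (the same applies to the import_included_profiles hunk above it). `cs_cfg = None` before the `with open(...)` is redundant.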
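Review bot: the new `ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME)` inside ca_enable_ldap_profile_subsystem is not guarded the way the restart in upgrade_configuration is (`except ipautil.CalledProcessError as e: root_logger.error("Failed to restart %s: %s", ...)` a few lines above the new `ca_enable_ldap_profile_subsystem(ca)` call), so a failed restart here escapes as a traceback and aborts the upgrade. And because the function was taken out of the any([...]) list and now runs right after that restart block, if the new restart is unconditional (the indentation is not recoverable here) the CA is restarted twice in a row whenever ca_restart was true; guarding it on needs_update avoids that, and the migration, which the docstring describes as tolerant of already-present profiles, can still run every time.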
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 19 Jun 2015 09:38:01 +0200
Subject: [Freeipa-devel] [PATCH] 0020..0022 pki-related upgrade fixes
In-Reply-To: <20150619072838.GR29330@dhcp-40-8.bne.redhat.com>
References: <20150619072838.GR29330@dhcp-40-8.bne.redhat.com>
Message-ID: <5583C6D9.9010407@redhat.com>

On 06/19/2015 09:28 AM, Fraser Tweedale wrote:
> The attached patches fix upgrade issues when pki is also updated
> from pre 10.2.4.
>
> pki dependency is bumped to 10.2.5 - the official builds should be
> done Friday (US time) but it is available from my copr[1]. If
> someone wants to add to official freeipa COPR in meantime the SRPM
> is here[2].
>
> [1] https://copr.fedoraproject.org/coprs/ftweedal/freeipa/
> [2] https://ftweedal.fedorapeople.org/pki-core-10.2.5-0.2.fc21.src.rpm
>
> Thanks,
> Fraser
>

This may work, it would be of course cleaner to do this via context manager, in
lines with:

@contextmanager
def ldap_connect_autobind():
    if not api.Backend.ldap2.isconnected():
        api.Backend.ldap2.connect(autobind=True)
    try:
        yield
    finally:
        if api.Backend.ldap2.isconnected():
            api.Backend.ldap2.disconnect()

...

try:
    with ldap_connect_autobind():
        # do API stuff
except PublicError, e:
    ...

as that would also unbind it if exception is raised for example.

From ftweedal at redhat.com Fri Jun 19 07:44:37 2015
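Added example (not from Martin's mail or the FreeIPA code base): the context manager sketched above, run against a constructed stand-in for api.Backend.ldap2 so the two exit paths can be compared with the plain connect/work/disconnect sequence. It assumes the backend exposes isconnected()/connect(autobind=)/disconnect() as in the sketch, and it departs from the sketch in one way: it remembers whether it opened the connection and only disconnects in that case, so a caller that already holds the shared connection keeps it.

```python
from contextlib import contextmanager


class FakeLdapBackend:
    """Constructed stand-in for api.Backend.ldap2 (assumption: the real
    backend exposes isconnected()/connect(autobind=)/disconnect() like this).
    Every call is recorded so a test can see what the context manager did."""

    def __init__(self):
        self.connected = False
        self.events = []

    def isconnected(self):
        return self.connected

    def connect(self, autobind=False):
        self.connected = True
        self.events.append("connect(autobind=%s)" % autobind)

    def disconnect(self):
        self.connected = False
        self.events.append("disconnect")


@contextmanager
def ldap_connect_autobind(backend):
    """Connect (autobind) if nobody has, run the block, release in finally.

    The finally clause is what a straight connect()/.../disconnect()
    sequence lacks: it also runs when the block raises, so an error in the
    middle of a step cannot leave a bound connection behind.  The connection
    is torn down only if this block opened it, so a caller that already
    holds the shared connection keeps it.
    """
    opened_here = False
    if not backend.isconnected():
        backend.connect(autobind=True)
        opened_here = True
    try:
        yield backend
    finally:
        if opened_here and backend.isconnected():
            backend.disconnect()


def run_step_managed(backend, step):
    """Run one upgrade-style step inside the context manager.
    Returns (step_succeeded, connection_still_open)."""
    try:
        with ldap_connect_autobind(backend):
            step(backend)
        ok = True
    except RuntimeError:  # stands in for the PublicError catch in the sketch
        ok = False
    return ok, backend.isconnected()


def run_step_unmanaged(backend, step):
    """The straight-line variant: disconnect() is reached only when the step
    returns normally.  Returns (step_succeeded, connection_still_open)."""
    try:
        if not backend.isconnected():
            backend.connect(autobind=True)
        step(backend)
        backend.disconnect()
        ok = True
    except RuntimeError:
        ok = False
    return ok, backend.isconnected()


def failing_step(backend):
    """Constructed step that raises part-way through, as an LDAP write
    against a missing container would."""
    raise RuntimeError("simulated failure mid-step")


if __name__ == "__main__":
    for runner in (run_step_unmanaged, run_step_managed):
        backend = FakeLdapBackend()
        print(runner.__name__, runner(backend, failing_step), backend.events)
```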
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Fri, 19 Jun 2015 17:44:37 +1000
Subject: [Freeipa-devel] [PATCH] 0020..0022 pki-related upgrade fixes
In-Reply-To: <5583C6D9.9010407@redhat.com>
References: <20150619072838.GR29330@dhcp-40-8.bne.redhat.com> <5583C6D9.9010407@redhat.com>
Message-ID: <20150619074437.GS29330@dhcp-40-8.bne.redhat.com>

On Fri, Jun 19, 2015 at 09:38:01AM +0200, Martin Kosek wrote:
> On 06/19/2015 09:28 AM, Fraser Tweedale wrote:
> > The attached patches fix upgrade issues when pki is also updated
> > from pre 10.2.4.
> >
> > pki dependency is bumped to 10.2.5 - the official builds should be
> > done Friday (US time) but it is available from my copr[1]. If
> > someone wants to add to official freeipa COPR in meantime the SRPM
> > is here[2].
> >
> > [1] https://copr.fedoraproject.org/coprs/ftweedal/freeipa/
> > [2] https://ftweedal.fedorapeople.org/pki-core-10.2.5-0.2.fc21.src.rpm
> >
> > Thanks,
> > Fraser
> >
>
> This may work, it would be of course cleaner to do this via context manager, in
> lines with:
>
> @contextmanager
> def ldap_connect_autobind():
>     if not api.Backend.ldap2.isconnected():
>         api.Backend.ldap2.connect(autobind=True)
>     try:
>         yield
>     finally:
>         if api.Backend.ldap2.isconnected():
>             api.Backend.ldap2.disconnect()
>
> ...
>
> try:
>     with ldap_connect_autobind():
>         # do API stuff
> except PublicError, e:
>     ...
>
>
> as that would also unbind it if exception is raised for example.

Unless you or others feel strongly about this, let us do it as a
cleanup later, as there are several places in upgrade.py that do
this sort of thing.

Alternatively (or in addition) we need to make ldap2 be able to
attempt to reconnect on failure, as Simo (I think it was Simo)
suggested recently in another thread.

Cheers,
Fraser

From mkosek at redhat.com Fri Jun 19 07:45:43 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 19 Jun 2015 09:45:43 +0200
Subject: [Freeipa-devel] [PATCH] 0020..0022 pki-related upgrade fixes
In-Reply-To: <20150619074437.GS29330@dhcp-40-8.bne.redhat.com>
References: <20150619072838.GR29330@dhcp-40-8.bne.redhat.com> <5583C6D9.9010407@redhat.com> <20150619074437.GS29330@dhcp-40-8.bne.redhat.com>
Message-ID: <5583C8A7.8060700@redhat.com>

On 06/19/2015 09:44 AM, Fraser Tweedale wrote:
> On Fri, Jun 19, 2015 at 09:38:01AM +0200, Martin Kosek wrote:
>> On 06/19/2015 09:28 AM, Fraser Tweedale wrote:
>>> The attached patches fix upgrade issues when pki is also updated
>>> from pre 10.2.4.
>>>
>>> pki dependency is bumped to 10.2.5 - the official builds should be
>>> done Friday (US time) but it is available from my copr[1]. If
>>> someone wants to add to official freeipa COPR in meantime the SRPM
>>> is here[2].
>>>
>>> [1] https://copr.fedoraproject.org/coprs/ftweedal/freeipa/
>>> [2] https://ftweedal.fedorapeople.org/pki-core-10.2.5-0.2.fc21.src.rpm
>>>
>>> Thanks,
>>> Fraser
>>>
>>
>> This may work, it would be of course cleaner to do this via context manager, in
>> lines with:
>>
>> @contextmanager
>> def ldap_connect_autobind():
>>     if not api.Backend.ldap2.isconnected():
>>         api.Backend.ldap2.connect(autobind=True)
>>     try:
>>         yield
>>     finally:
>>         if api.Backend.ldap2.isconnected():
>>             api.Backend.ldap2.disconnect()
>>
>> ...
>>
>> try:
>>     with ldap_connect_autobind():
>>         # do API stuff
>> except PublicError, e:
>>     ...
>>
>>
>> as that would also unbind it if exception is raised for example.
>
> Unless you or others feel strongly about this, let us do it as a
> cleanup later, as there are several places in upgrade.py that do
> this sort of thing.
>
> Alternatively (or in addition) we need to make ldap2 be able to
> attempt to reconnect on failure, as Simo (I think it was Simo)
> suggested recently in another thread.
>
> Cheers,
> Fraser

Sure. Whatever is the more systematic approach to this solution.
We need to have as few hacks in the code as possible.

From mkubik at redhat.com Fri Jun 19 10:04:43 2015
From: mkubik at redhat.com (Milan Kubik)
Date: Fri, 19 Jun 2015 12:04:43 +0200
Subject: [Freeipa-devel] [PATCH 0003] Fix for a typo in certprofile mod command.
Message-ID: <5583E93B.10001@redhat.com>

Patch attached.

Milan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkubik-0003-Fix-for-a-typo-in-certprofile-mod-command.patch
Type: text/x-patch
Size: 937 bytes
Desc: not available
URL: 
From ftweedal at redhat.com Fri Jun 19 10:27:07 2015
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Fri, 19 Jun 2015 20:27:07 +1000
Subject: [Freeipa-devel] [PATCH 0003] Fix for a typo in certprofile mod command.
In-Reply-To: <5583E93B.10001@redhat.com>
References: <5583E93B.10001@redhat.com>
Message-ID: <20150619102707.GT29330@dhcp-40-8.bne.redhat.com>

On Fri, Jun 19, 2015 at 12:04:43PM +0200, Milan Kubik wrote:
> Patch attached.
>
> Milan

ACK

From pvoborni at redhat.com Fri Jun 19 12:06:34 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 19 Jun 2015 14:06:34 +0200
Subject: [Freeipa-devel] [PATCH] 881 add python-setuptools to requires
Message-ID: <558405CA.6070006@redhat.com>

Commit 9f049ca14403f3696d54d186e6b1b15181f055df introduced dependency on python-setuptools on line:

from pkg_resources import parse_version

This dependency is missing on *minimal* installation and then ipa-server-upgrade fails on rpm install/upgrade. With:

  Installing : freeipa-server-4.2.0.alpha1-0.fc22.x86_64  213/213
Traceback (most recent call last):
  File "/usr/sbin/ipa-server-upgrade", line 10, in
    from ipaserver.install.ipa_server_upgrade import ServerUpgrade
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 10, in
    from ipaserver.install import installutils
  File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 42, in
    from ipapython import ipautil, sysrestore, admintool, dogtag, version
  File "/usr/lib/python2.7/site-packages/ipapython/sysrestore.py", line 35, in
    from ipaplatform.tasks import tasks
  File "/usr/lib/python2.7/site-packages/ipaplatform/tasks.py", line 26, in
    from ipaplatform.redhat.tasks import RedHatTaskNamespace
  File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/tasks.py", line 46, in
    from ipaplatform.base.tasks import BaseTaskNamespace
  File "/usr/lib/python2.7/site-packages/ipaplatform/base/tasks.py", line 28, in
    from pkg_resources import parse_version
ImportError: No module named pkg_resources

-- 
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0881-add-python-setuptools-to-requires.patch
Type: text/x-patch
Size: 914 bytes
Desc: not available
URL: 
From tbordaz at redhat.com Fri Jun 19 13:10:06 2015
From: tbordaz at redhat.com (thierry bordaz) Date: Fri, 19 Jun 2015 15:10:06 +0200 Subject: [Freeipa-devel] [PATCH] 0005 User life cycle: del/mod/find/show stageuser commands In-Reply-To: <5582CAB8.1000707@redhat.com> References: <552F964E.2060304@redhat.com> <553F437D.5080103@redhat.com> <553F44B7.6040100@redhat.com> <553F476E.8080502@redhat.com> <553F9BCE.6010000@redhat.com> <554869C3.2040509@redhat.com> <5551EF3E.1060503@redhat.com> <555216B9.1070106@redhat.com> <205373726.22060212.1431701099532.JavaMail.zimbra@redhat.com> <5559A3DD.7030002@redhat.com> <555C5348.2030202@redhat.com> <5576D5BB.8020500@redhat.com> <557EE5D3.8090408@redhat.com> <1434380423.22266.14.camel@willson.usersys.redhat.com> <557EEF72.7010507@redhat.com> <55827380.3050607@redhat.com> <5582A308.506@redhat.com> <5582AA05.6030004@redhat.com> <5582CAB8.1000707@redhat.com> Message-ID: <558414AE.20408@redhat.com> On 06/18/2015 03:42 PM, David Kupka wrote: > Dne 18.6.2015 v 13:22 Petr Vobornik napsal(a): >> On 06/18/2015 12:52 PM, Jan Cholasta wrote: >>> Dne 18.6.2015 v 09:30 Jan Cholasta napsal(a): >>>> Dne 15.6.2015 v 17:29 thierry bordaz napsal(a): >>>>> On 06/15/2015 05:00 PM, Simo Sorce wrote: >>>>>> On Mon, 2015-06-15 at 16:48 +0200, Petr Vobornik wrote: >>>>>>> On 06/09/2015 02:02 PM, Jan Cholasta wrote: >>>>>>>> Dne 20.5.2015 v 11:26 Jan Cholasta napsal(a): >>>>>>>>> Dne 18.5.2015 v 10:33 thierry bordaz napsal(a): >>>>>>>>>> On 05/15/2015 04:44 PM, David Kupka wrote: >>>>>>>>>>> Hello Thierry, >>>>>>>>>>> thanks for the patch set. Overall functionality of ULC feature >>>>>>>>>>> looks >>>>>>>>>>> good to >>>>>>>>>>> me and is definitely "alpha ready". >>>>>>>>>>> >>>>>>>>>>> I found following issues but don't insist on fixing it right >>>>>>>>>>> now: >>>>>>>>>>> >>>>>>>>>>> 1) When stageuser-activate fails due to already existent >>>>>>>>>>> active/deleted user. >>>>>>>>>>> DN is show instead of user name that's used in other commands >>>>>>>>>>> (user-add, >>>>>>>>>>> stageuser-add). 
>>>>>>>>>>> $ ipa user-add tuser --first Test --last User >>>>>>>>>>> $ ipa stageuser-add tuser --first Test --last User >>>>>>>>>>> $ ipa stageuser-activate tuser >>>>>>>>>>> ipa: ERROR: Active user >>>>>>>>>>> uid=tuser,cn=users,cn=accounts,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> already exists >>>>>>>>>> Hi David, Jan, >>>>>>>>>> >>>>>>>>>> Thanks you so much for all those tests and feedback. I agree, >>>>>>>>>> some >>>>>>>>>> minor >>>>>>>>>> bugs can be fixed separatly from this main patches. >>>>>>>>>> >>>>>>>>>> You are right, It should return the user ID not the DN. >>>>>>>>>> >>>>>>>>>>> 2) According to the design there should be '--only-delete' and >>>>>>>>>>> '--also-delete' >>>>>>>>>>> options for user-find command instead there is '--preserved' >>>>>>>>>>> option. >>>>>>>>>>> Honza proposed adding virtual boolean attribute 'deleted' to >>>>>>>>>>> user >>>>>>>>>>> entry and >>>>>>>>>>> filter on it. >>>>>>>>>>> The 'deleted' attribute would be useful also in user-show where >>>>>>>>>>> is no >>>>>>>>>>> way to >>>>>>>>>>> tell if the displayed user is active or deleted. (Except >>>>>>>>>>> running >>>>>>>>>>> with >>>>>>>>>>> --all >>>>>>>>>>> and looking on the dn). >>>>>>>>>> Yes a bit late to resynch the design. >>>>>>>>>> The final option is 'preserved' for user-find and 'preserve' for >>>>>>>>>> user-del. '--only-delete' or 'also-delete' are old name that I >>>>>>>>>> need to >>>>>>>>>> replace in the design. >>>>>>>>>> >>>>>>>>>> About the 'deleted' attribute, do you think adding a DS cos >>>>>>>>>> virtual >>>>>>>>>> attribute ? >>>>>>>>> See the attached patch. >>>>>>>> Can someone please review the patch? >>>>>>>> >>>>>>>>>>> 3) uidNumber and gidNumber can't be set back to '-1' once >>>>>>>>>>> set to >>>>>>>>>>> other >>>>>>>>>>> value. 
>>>>>>>>>>> This would be useful when admin changes its mind and want >>>>>>>>>>> IPA to >>>>>>>>>>> assign them. >>>>>>>>>>> IIUC, there should be no validation in cn=staged user >>>>>>>>>>> container. >>>>>>>>>>> All >>>>>>>>>>> validation should be done during stageuser-activate. >>>>>>>>>> Yes that comes from user plugin that enforce the number to be >>>>>>>>>> >0. >>>>>>>>>> That is a good point giving the ability to reset >>>>>>>>>> uidNumber/gidNumber. >>>>>>>>>> I will check if it is possible, how (give a value or an >>>>>>>>>> option to >>>>>>>>>> reset), and also if it would not create other issue. >>>>>>>>>>> 4) Support for deleted -> stage workflow is still missing. But >>>>>>>>>>> I'm >>>>>>>>>>> unsure if we >>>>>>>>>>> agreed to finish it now or later. >>>>>>>>>> Yes thanks >>>>>>>>>>> 5) Twice deleting user with '--preserve' deletes him >>>>>>>>>>> permanently. >>>>>>>>>>> $ ipa user-add tuser --first Test --last User >>>>>>>>>>> $ ipa user-del tuser --preserve >>>>>>>>>>> $ ipa user-del tuser --preserve >>>>>>>>>>> $ ipa user-find --preserved >>>>>>>>>>> ------------------------ >>>>>>>>>>> 0 (delete) users matched >>>>>>>>>>> ------------------------ >>>>>>>>>>> ---------------------------- >>>>>>>>>>> Number of entries returned 0 >>>>>>>>>>> ---------------------------- >>>>>>>>>> Deleting a deleted (preserved) entry, should permanently remove >>>>>>>>>> the >>>>>>>>>> entry. >>>>>>> +1, but no-op if default behavior is "preserve" >>>>>>> >>>>>>>>>> Now if the second time the preserve option is present, it makes >>>>>>>>>> sense to >>>>>>>>>> not delete it. >>>>>>> +1, should be no-op >>>>>>> >>>>>>>>> BTW: I might be stating the obvious here, but it would be >>>>>>>>> better to >>>>>>>>> use >>>>>>>>> one boolean parameter rather than two mutually exclusive flags in >>>>>>>>> user-del. >>>>>>>> I would like an opinion on this as well. 
>>>>>>>> >>>>>>> So the proposal is, e.g.,: >>>>>>> >>>>>>> Replace: >>>>>>> ipa user del fbar --preserve >>>>>>> ipa user del fbar --permanently >>>>>>> with: >>>>>>> ipa user del fbar --permanently=False >>>>>>> ipa user del fbar --permanently=True >>>>>>> and >>>>>>> ipa user del fbar >>>>>>> uses the default behavior(permanently atm.) >>>>>>> >>>>>>> I don't think there is a big difference. A boolean is easier for >>>>>>> scripting. 2 options are more descriptive for humans. With a single >>>>>>> boolean, I would be afraid that omitting it would imply False to >>>>>>> some >>>>>>> users which is not always the same as "the default behavior" [1]. >>>>>>> >>>>>>> With Web UI developer hat I would vote for single boolean but as a >>>>>>> CLI >>>>>>> user I would like the current options. >>>>>>> >>>>>>> Given that Web UI or any other API client should not define CLI, I >>>>>>> would >>>>>>> keep the current options. >>>>>>> >>>>>>> my 2c >>>>>>> >>>>>>> [1] >>>>>>> http://www.freeipa.org/page/V4/User_Life-Cycle_Management#Delete_User >>>>>>> >>>>>>> -- >>>>>>> Petr Vobornik >>>>>>> >>>>>> +1 --preserve is 100x better for a human than --permanently=False >>>>> >>>>> I also prefere --preserve for usability of 'user del'. >>>>> >>>>> In addition we have 'user find|show --preserved' to retrieve users >>>>> that >>>>> have been preserved. So it seems to me better that the action that >>>>> preserved the user uses the option '--preserve' rather >>>>> '--permanently=False'. >>>> >>>> It's ridiculous that the CLI taints the RPC API and it should be >>>> fixed. >>>> >>>> Also on a more nitpicky side, I think the flag should be called >>>> --no-preserve rather than --permanently. There is plenty of commands >>>> (rm, cp, ...) which have --no-preserve as opposite of --preserve. >>>> >>>> The attached patch fixes both. >>> >>> ... and it also accidentaly changes the default behavior. >>> >>> Updated patch attached. 
>>>
>>
>> ACK if others are ok with changing --permanently to --no-preserve.
>>
>> Patch 446 fixed also issue #5, patch 446.1 doesn't fix it. Could be
>> fixed separately.
>>
>> Attaching patch which addresses this API change in Web UI.
>>
>>
>
> pvoborni's patch 0880 works for me, ACK. I also applied jcholast's
> patch 446.1 and did not encounter any issue.
>

Hello,

A question about preserved users and the CLI user-del and user-find:

[root at vm-205 ~]# ipa user-del xy1 *--preserve*
------------------
Deleted user "xy1"
------------------
[root at vm-205 ~]# ipa user-find *--preserved=true*
---------------
3 users matched
---------------
...
  User login: xy1
  First name: x
  Last name: y
  Home directory: /home/xy1
  Login shell: /bin/sh
  Email address: xy1 at idm.lab.eng.brq.redhat.com
  UID: 670400009
  GID: 670400009
  Account disabled: True
  Preserved user: True
  Password: False
  Kerberos keys available: False
----------------------------
Number of entries returned 3
----------------------------

preserve is a flag for user-del and an option for user-find. Would it be ok to switch the user-find option into a flag as well?

Also doing further tests I think a permission is missing to delete a preserved user.

[root at vm-205 ~]# ipa user-del tb10
ipa: ERROR: Insufficient access: Insufficient 'delete' privilege to delete the entry 'uid=tb10,cn=deleted users,cn=accounts,cn=provisioning,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'.
[root at vm-205 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_FflBNiM
Default principal: stageadm at IDM.LAB.ENG.BRQ.REDHAT.COM

Valid starting       Expires              Service principal
06/19/2015 14:16:47  06/20/2015 14:16:47  krbtgt/IDM.LAB.ENG.BRQ.REDHAT.COM at IDM.LAB.ENG.BRQ.REDHAT.COM

After the alpha release, do I need to open a ticket for any changes?

thanks
thierry
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 
From ofayans at redhat.com Fri Jun 19 14:27:09 2015
From: ofayans at redhat.com (Oleg Fayans)
Date: Fri, 19 Jun 2015 16:27:09 +0200
Subject: [Freeipa-devel] LDAP errors in the dirsrv logs during replica preparation
Message-ID: <558426BD.5090402@redhat.com>

Hi everybody,

While preparing the replica files on the latest IPA master I've noticed the following error messages in the dirsrv error log:

[19/Jun/2015:15:26:10 +0200] NSMMReplicationPlugin - agmt="cn=masterAgreement1-vm-244.idm.lab.eng.brq.redhat.com-pki-tomcat" (vm-244:389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ()
[19/Jun/2015:15:26:10 +0200] - Entry "uid=admin,ou=people,o=ipaca" -- attribute "krbExtraData" not allowed
[19/Jun/2015:15:26:13 +0200] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)

Though the stdout of the replica preparation reports success, when I later use the resulting gpg file to actually setup a replica the setup process fails with the following output:

Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
  [1/8]: adding sasl mappings to the directory
  [2/8]: configuring KDC
  [3/8]: creating a keytab for the directory
  [4/8]: creating a keytab for the machine
  [5/8]: adding the password extension to the directory
  [6/8]: enable GSSAPI for replication
  [error] RuntimeError: One of the ldap service principals is missing. Replication agreement cannot be converted.
Replication error message: Unable to acquire replicaLDAP error: No such object
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR    One of the ldap service principals is missing. Replication agreement cannot be converted.
Replication error message: Unable to acquire replicaLDAP error: No such object

The corresponding part of the ipareplica-install.log is attached

I've encountered this already twice. The strangest part is that I prepared 3 replicas simultaneously: 2 of them installed successfully and one - failed. All three replicas were launched from the same vm-template

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipareplica-install.log
Type: text/x-log
Size: 14802 bytes
Desc: not available
URL: 
From tbordaz at redhat.com Fri Jun 19 14:51:08 2015
From: tbordaz at redhat.com (thierry bordaz)
Date: Fri, 19 Jun 2015 16:51:08 +0200
Subject: [Freeipa-devel] LDAP errors in the dirsrv logs during replica preparation
In-Reply-To: <558426BD.5090402@redhat.com>
References: <558426BD.5090402@redhat.com>
Message-ID: <55842C5C.5090409@redhat.com>

On 06/19/2015 04:27 PM, Oleg Fayans wrote:
> Hi everybody,
>
> While preparing the replica files on the latest IPA master I've
> noticed the following error messages in the dirsrv error log:
>
> [19/Jun/2015:15:26:10 +0200] NSMMReplicationPlugin -
> agmt="cn=masterAgreement1-vm-244.idm.lab.eng.brq.redhat.com-pki-tomcat" (vm-244:389):
> Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact
> LDAP server) ()
> [19/Jun/2015:15:26:10 +0200] - Entry "uid=admin,ou=people,o=ipaca" --
> attribute "krbExtraData" not allowed

Hi Oleg,

Here this message is about a problem of schema. 'krbPrincipalAux' is the objectclass needed to get 'krbExtraData', but "uid=admin,ou=people,o=ipaca" does not have this oc

ldapsearch -LLL -D "cn=directory manager" -w Secret123 -b "o=ipaca" uid=admin objectclass
dn: uid=admin,ou=people,o=ipaca
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: cmsuser

Should ipaca admin be a kerberosed entry?

thanks
thierry

> [19/Jun/2015:15:26:13 +0200] slapi_ldap_bind - Error: could not send
> startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
>
> Though the stdout of the replica preparation reports success, when I
> later use the resulting gpg file to actually setup a replica the setup
> process fails with the following output:
>
> Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
>   [1/8]: adding sasl mappings to the directory
>   [2/8]: configuring KDC
>   [3/8]: creating a keytab for the directory
>   [4/8]: creating a keytab for the machine
>   [5/8]: adding the password extension to the directory
>   [6/8]: enable GSSAPI for replication
>   [error] RuntimeError: One of the ldap service principals is missing.
> Replication agreement cannot be converted.
> Replication error message: Unable to acquire replicaLDAP error: No
> such object
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> ipa.ipapython.install.cli.install_tool(Replica): ERROR    One of the
> ldap service principals is missing. Replication agreement cannot be
> converted.
> Replication error message: Unable to acquire replicaLDAP error: No
> such object
>
> The corresponding part of the ipareplica-install.log is attached
>
> I've encountered this already twice. The strangest part is that I
> prepared 3 replicas simultaneously: 2 of them installed successfully
> and one - failed. All three replicas were launched from the same
> vm-template
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: 
From pvoborni at redhat.com Fri Jun 19 15:10:03 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 19 Jun 2015 17:10:03 +0200
Subject: [Freeipa-devel] LDAP errors in the dirsrv logs during replica preparation
In-Reply-To: <558426BD.5090402@redhat.com>
References: <558426BD.5090402@redhat.com>
Message-ID: <558430CB.4010703@redhat.com>

On 06/19/2015 04:27 PM, Oleg Fayans wrote:
> Hi everybody,
>
> While preparing the replica files on the latest IPA master I've noticed
> the following error messages in the dirsrv error log:
>
> [19/Jun/2015:15:26:10 +0200] NSMMReplicationPlugin -
> agmt="cn=masterAgreement1-vm-244.idm.lab.eng.brq.redhat.com-pki-tomcat"
> (vm-244:389): Replication bind with SIMPLE auth failed: LDAP error -1
> (Can't contact LDAP server) ()

Probably a leftover CA replication agreement with some removed master.
Can be removed with ipa-csreplica-manage del --force.

> [19/Jun/2015:15:26:10 +0200] - Entry "uid=admin,ou=people,o=ipaca" --
> attribute "krbExtraData" not allowed
> [19/Jun/2015:15:26:13 +0200] slapi_ldap_bind - Error: could not send
> startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
>
> Though the stdout of the replica preparation reports success, when I
> later use the resulting gpg file to actually setup a replica the setup
> process fails with the following output:
>
> Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
>   [1/8]: adding sasl mappings to the directory
>   [2/8]: configuring KDC
>   [3/8]: creating a keytab for the directory
>   [4/8]: creating a keytab for the machine
>   [5/8]: adding the password extension to the directory
>   [6/8]: enable GSSAPI for replication
>   [error] RuntimeError: One of the ldap service principals is missing.
> Replication agreement cannot be converted.
> Replication error message: Unable to acquire replicaLDAP error: No such
> object
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> ipa.ipapython.install.cli.install_tool(Replica): ERROR    One of the
> ldap service principals is missing. Replication agreement cannot be
> converted.
> Replication error message: Unable to acquire replicaLDAP error: No such
> object
>
> The corresponding part of the ipareplica-install.log is attached
>
> I've encountered this already twice. The strangest part is that I
> prepared 3 replicas simultaneously: 2 of them installed successfully and
> one - failed. All three replicas were launched from the same vm-template
>

Could this be the cause? It would be safer to run it sequentially.

-- 
Petr Vobornik

From ofayans at redhat.com Mon Jun 22 08:57:02 2015
From: ofayans at redhat.com (Oleg Fayans)
Date: Mon, 22 Jun 2015 10:57:02 +0200
Subject: [Freeipa-devel] LDAP errors in the dirsrv logs during replica preparation
In-Reply-To: <558430CB.4010703@redhat.com>
References: <558426BD.5090402@redhat.com> <558430CB.4010703@redhat.com>
Message-ID: <5587CDDE.6060904@redhat.com>

Hi Petr, team,

I was able to reproduce it today with sequential installation.
Again: one of three replicas caught this issue. Hostnames were other
than those on Friday, all three vm's from the same template.

On 06/19/2015 05:10 PM, Petr Vobornik wrote:
> On 06/19/2015 04:27 PM, Oleg Fayans wrote:
>> Hi everybody,
>>
>> While preparing the replica files on the latest IPA master I've noticed
>> the following error messages in the dirsrv error log:
>>
>> [19/Jun/2015:15:26:10 +0200] NSMMReplicationPlugin - agmt="cn=masterAgreement1-vm-244.idm.lab.eng.brq.redhat.com-pki-tomcat" (vm-244:389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ()
>
> Probably a leftover CA replication agreement with some removed master.
> Can be removed with ipa-csreplica-manage del --force.
>
>> [19/Jun/2015:15:26:10 +0200] - Entry "uid=admin,ou=people,o=ipaca" -- attribute "krbExtraData" not allowed
>> [19/Jun/2015:15:26:13 +0200] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
>>
>> Though the stdout of the replica preparation reports success, when I
>> later use the resulting gpg file to actually setup a replica the setup
>> process fails with the following output:
>>
>> Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
>> [1/8]: adding sasl mappings to the directory
>> [2/8]: configuring KDC
>> [3/8]: creating a keytab for the directory
>> [4/8]: creating a keytab for the machine
>> [5/8]: adding the password extension to the directory
>> [6/8]: enable GSSAPI for replication
>> [error] RuntimeError: One of the ldap service principals is missing. Replication agreement cannot be converted.
>> Replication error message: Unable to acquire replicaLDAP error: No such object
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> ipa.ipapython.install.cli.install_tool(Replica): ERROR One of the ldap service principals is missing. Replication agreement cannot be converted.
>> Replication error message: Unable to acquire replicaLDAP error: No such object
>>
>> The corresponding part of the ipareplica-install.log is attached
>>
>> I've encountered this already twice. The strangest part is that I
>> prepared 3 replicas simultaneously: 2 of them installed successfully and
>> one - failed. All three replicas were launched from the same vm-template
>>
>
> Could this be the cause? It would be safer to run it sequentially.

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

From ofayans at redhat.com Mon Jun 22 09:01:07 2015
From: ofayans at redhat.com (Oleg Fayans)
Date: Mon, 22 Jun 2015 11:01:07 +0200
Subject: [Freeipa-devel] LDAP errors in the dirsrv logs during replica preparation
In-Reply-To: <5587CDDE.6060904@redhat.com>
References: <558426BD.5090402@redhat.com> <558430CB.4010703@redhat.com> <5587CDDE.6060904@redhat.com>
Message-ID: <5587CED3.2000107@redhat.com>

Here is the session transcript, together with the directory server logs
from master

On 06/22/2015 10:57 AM, Oleg Fayans wrote:
> Hi Petr, team,
>
> I was able to reproduce it today with sequential installation.
> Again: one of three replicas caught this issue. Hostnames were other
> than those on Friday, all three vm's from the same template.
>
> On 06/19/2015 05:10 PM, Petr Vobornik wrote:
>> On 06/19/2015 04:27 PM, Oleg Fayans wrote:
>>> Hi everybody,
>>>
>>> While preparing the replica files on the latest IPA master I've noticed
>>> the following error messages in the dirsrv error log:
>>>
>>> [19/Jun/2015:15:26:10 +0200] NSMMReplicationPlugin - agmt="cn=masterAgreement1-vm-244.idm.lab.eng.brq.redhat.com-pki-tomcat" (vm-244:389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ()
>>
>> Probably a leftover CA replication agreement with some removed
>> master. Can be removed with ipa-csreplica-manage del --force.
>>
>>> [19/Jun/2015:15:26:10 +0200] - Entry "uid=admin,ou=people,o=ipaca" -- attribute "krbExtraData" not allowed
>>> [19/Jun/2015:15:26:13 +0200] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
>>>
>>> Though the stdout of the replica preparation reports success, when I
>>> later use the resulting gpg file to actually setup a replica the setup
>>> process fails with the following output:
>>>
>>> Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
>>> [1/8]: adding sasl mappings to the directory
>>> [2/8]: configuring KDC
>>> [3/8]: creating a keytab for the directory
>>> [4/8]: creating a keytab for the machine
>>> [5/8]: adding the password extension to the directory
>>> [6/8]: enable GSSAPI for replication
>>> [error] RuntimeError: One of the ldap service principals is missing. Replication agreement cannot be converted.
>>> Replication error message: Unable to acquire replicaLDAP error: No such object
>>> Your system may be partly configured.
>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>
>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR One of the ldap service principals is missing. Replication agreement cannot be converted.
>>> Replication error message: Unable to acquire replicaLDAP error: No such object
>>>
>>> The corresponding part of the ipareplica-install.log is attached
>>>
>>> I've encountered this already twice. The strangest part is that I
>>> prepared 3 replicas simultaneously: 2 of them installed successfully
>>> and one - failed. All three replicas were launched from the same
>>> vm-template
>>>
>>
>> Could this be the cause? It would be safer to run it sequentially.
>

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
[19/Jun/2015:14:34:57 +0200] NSACLPlugin - The ACL target cn=dns,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [19/Jun/2015:14:34:57 +0200] NSACLPlugin - The ACL target cn=dns,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [19/Jun/2015:14:34:57 +0200] NSACLPlugin - The ACL target cn=keys,cn=sec,cn=dns,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [19/Jun/2015:14:34:57 +0200] NSACLPlugin - The ACL target cn=dns,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [19/Jun/2015:14:34:58 +0200] NSACLPlugin - The ACL target cn=dns,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [19/Jun/2015:14:35:12 +0200] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [19/Jun/2015:14:35:12 +0200] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [19/Jun/2015:14:35:12 +0200] NSACLPlugin - The ACL target cn=ad,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [19/Jun/2015:14:35:13 +0200] - slapd shutting down - signaling operation threads - op stack size 3 max work q size 1 max work q stack size 1 [19/Jun/2015:14:35:13 +0200] - slapd shutting down - waiting for 29 threads to terminate [19/Jun/2015:14:35:13 +0200] - slapd shutting down - closing down internal subsystems and plugins [19/Jun/2015:14:35:14 +0200] - Waiting for 4 database threads to stop [19/Jun/2015:14:35:14 +0200] - All database threads now stopped [19/Jun/2015:14:35:14 +0200] - slapd shutting down - freed 1 work q stack objects - freed 3 op stack objects [19/Jun/2015:14:35:14 +0200] - slapd stopped. 
[19/Jun/2015:14:35:15 +0200] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2 [19/Jun/2015:14:35:15 +0200] - SSL alert: Configured NSS Ciphers [19/Jun/2015:14:35:15 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled [19/Jun/2015:14:35:15 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled [19/Jun/2015:14:35:15 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled [19/Jun/2015:14:35:15 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled [19/Jun/2015:14:35:15 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled [19/Jun/2015:14:35:15 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled [19/Jun/2015:14:35:15 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled [19/Jun/2015:14:35:15 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled [19/Jun/2015:14:35:15 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled [19/Jun/2015:14:35:15 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled [19/Jun/2015:14:35:15 +0200] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled [19/Jun/2015:14:35:15 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled [19/Jun/2015:14:35:15 +0200] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [19/Jun/2015:14:35:15 +0200] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled [19/Jun/2015:14:35:15 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled [19/Jun/2015:14:35:15 +0200] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled [19/Jun/2015:14:35:15 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled [19/Jun/2015:14:35:15 +0200] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [19/Jun/2015:14:35:15 +0200] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled [19/Jun/2015:14:35:16 +0200] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled [19/Jun/2015:14:35:16 +0200] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: 
enabled [19/Jun/2015:14:35:16 +0200] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled [19/Jun/2015:14:35:16 +0200] - SSL alert: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled [19/Jun/2015:14:35:16 +0200] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled [19/Jun/2015:14:35:16 +0200] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled [19/Jun/2015:14:35:16 +0200] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled [19/Jun/2015:14:35:16 +0200] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [19/Jun/2015:14:35:16 +0200] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled [19/Jun/2015:14:35:16 +0200] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled [19/Jun/2015:14:35:16 +0200] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [19/Jun/2015:14:35:16 +0200] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled [19/Jun/2015:14:35:16 +0200] - 389-Directory/1.3.4.a1 B2015.132.1526 starting up [19/Jun/2015:14:35:16 +0200] - resizing db cache size: 2097152 -> 1677721 [19/Jun/2015:14:35:16 +0200] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com [19/Jun/2015:14:35:16 +0200] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com [19/Jun/2015:14:35:16 +0200] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com [19/Jun/2015:14:35:16 +0200] NSACLPlugin - The ACL target cn=dns,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [19/Jun/2015:14:35:16 +0200] NSACLPlugin - The ACL target cn=dns,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [19/Jun/2015:14:35:16 +0200] NSACLPlugin - The ACL target cn=keys,cn=sec,cn=dns,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [19/Jun/2015:14:35:16 +0200] NSACLPlugin - The ACL target cn=dns,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [19/Jun/2015:14:35:16 +0200] NSACLPlugin - The ACL 
target cn=dns,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [19/Jun/2015:14:35:16 +0200] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [19/Jun/2015:14:35:16 +0200] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [19/Jun/2015:14:35:16 +0200] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [19/Jun/2015:14:35:16 +0200] NSACLPlugin - The ACL target ou=sudoers,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [19/Jun/2015:14:35:16 +0200] NSACLPlugin - The ACL target cn=users,cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [19/Jun/2015:14:35:17 +0200] NSACLPlugin - The ACL target cn=ad,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [19/Jun/2015:14:35:17 +0200] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [19/Jun/2015:14:35:17 +0200] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [19/Jun/2015:14:35:17 +0200] NSACLPlugin - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist [19/Jun/2015:14:35:17 +0200] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com--no CoS Templates found, which should be added before the CoS Definition. [19/Jun/2015:14:35:17 +0200] attrcrypt - No symmetric key found for cipher AES in backend changelog, attempting to create one... [19/Jun/2015:14:35:17 +0200] attrcrypt - Key for cipher AES successfully generated and stored [19/Jun/2015:14:35:17 +0200] attrcrypt - No symmetric key found for cipher 3DES in backend changelog, attempting to create one... 
[19/Jun/2015:14:35:17 +0200] attrcrypt - Key for cipher 3DES successfully generated and stored [19/Jun/2015:14:35:18 +0200] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com--no CoS Templates found, which should be added before the CoS Definition. [19/Jun/2015:14:35:18 +0200] - slapd started. Listening on All Interfaces port 389 for LDAP requests [19/Jun/2015:14:35:18 +0200] - Listening on All Interfaces port 636 for LDAPS requests [19/Jun/2015:14:35:18 +0200] - Listening on /var/run/slapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket for LDAPI requests [19/Jun/2015:14:35:18 +0200] - slapd shutting down - signaling operation threads - op stack size 1 max work q size 2 max work q stack size 2 [19/Jun/2015:14:35:18 +0200] - slapd shutting down - closing down internal subsystems and plugins [19/Jun/2015:14:35:18 +0200] - Waiting for 4 database threads to stop [19/Jun/2015:14:35:19 +0200] - All database threads now stopped [19/Jun/2015:14:35:19 +0200] - slapd shutting down - freed 2 work q stack objects - freed 2 op stack objects [19/Jun/2015:14:35:19 +0200] - slapd stopped. 
[19/Jun/2015:14:35:20 +0200] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2 [19/Jun/2015:14:35:20 +0200] - SSL alert: Configured NSS Ciphers [19/Jun/2015:14:35:20 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled [19/Jun/2015:14:35:20 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled [19/Jun/2015:14:35:20 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled [19/Jun/2015:14:35:20 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled [19/Jun/2015:14:35:20 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled [19/Jun/2015:14:35:20 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled [19/Jun/2015:14:35:20 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled [19/Jun/2015:14:35:20 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled [19/Jun/2015:14:35:20 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled [19/Jun/2015:14:35:20 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled [19/Jun/2015:14:35:20 +0200] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled [19/Jun/2015:14:35:20 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled [19/Jun/2015:14:35:20 +0200] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [19/Jun/2015:14:35:20 +0200] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled [19/Jun/2015:14:35:20 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled [19/Jun/2015:14:35:20 +0200] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled [19/Jun/2015:14:35:20 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled [19/Jun/2015:14:35:20 +0200] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [19/Jun/2015:14:35:21 +0200] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled [19/Jun/2015:14:35:21 +0200] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled [19/Jun/2015:14:35:21 +0200] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: 
enabled [19/Jun/2015:14:35:21 +0200] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled [19/Jun/2015:14:35:21 +0200] - SSL alert: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled [19/Jun/2015:14:35:21 +0200] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled [19/Jun/2015:14:35:21 +0200] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled [19/Jun/2015:14:35:21 +0200] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled [19/Jun/2015:14:35:21 +0200] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [19/Jun/2015:14:35:21 +0200] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled [19/Jun/2015:14:35:21 +0200] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled [19/Jun/2015:14:35:21 +0200] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [19/Jun/2015:14:35:21 +0200] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled [19/Jun/2015:14:35:21 +0200] - 389-Directory/1.3.4.a1 B2015.132.1526 starting up [19/Jun/2015:14:35:21 +0200] - resizing db cache size: 1677721 -> 1342176 [19/Jun/2015:14:35:21 +0200] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com [19/Jun/2015:14:35:21 +0200] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com [19/Jun/2015:14:35:21 +0200] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com [19/Jun/2015:14:35:21 +0200] NSACLPlugin - The ACL target cn=dns,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [19/Jun/2015:14:35:21 +0200] NSACLPlugin - The ACL target cn=dns,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [19/Jun/2015:14:35:21 +0200] NSACLPlugin - The ACL target cn=keys,cn=sec,cn=dns,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [19/Jun/2015:14:35:21 +0200] NSACLPlugin - The ACL target cn=dns,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [19/Jun/2015:14:35:21 +0200] NSACLPlugin - The ACL 
target cn=dns,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [19/Jun/2015:14:35:21 +0200] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [19/Jun/2015:14:35:21 +0200] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [19/Jun/2015:14:35:21 +0200] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [19/Jun/2015:14:35:21 +0200] NSACLPlugin - The ACL target ou=sudoers,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [19/Jun/2015:14:35:21 +0200] NSACLPlugin - The ACL target cn=users,cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [19/Jun/2015:14:35:21 +0200] NSACLPlugin - The ACL target cn=ad,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [19/Jun/2015:14:35:21 +0200] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [19/Jun/2015:14:35:22 +0200] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [19/Jun/2015:14:35:22 +0200] NSACLPlugin - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist [19/Jun/2015:14:35:22 +0200] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com--no CoS Templates found, which should be added before the CoS Definition. [19/Jun/2015:14:35:22 +0200] - slapd started. Listening on All Interfaces port 389 for LDAP requests [19/Jun/2015:14:35:22 +0200] - Listening on All Interfaces port 636 for LDAPS requests [19/Jun/2015:14:35:22 +0200] - Listening on /var/run/slapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket for LDAPI requests [19/Jun/2015:14:35:35 +0200] memberof-plugin - Memberof task starts (arg: (objectclass=*)) ... 
[19/Jun/2015:14:35:36 +0200] memberof-plugin - Memberof task finished (arg: (objectclass=*)) ... [19/Jun/2015:14:36:02 +0200] - slapd shutting down - signaling operation threads - op stack size 6 max work q size 2 max work q stack size 2 [19/Jun/2015:14:36:02 +0200] - slapd shutting down - waiting for 26 threads to terminate [19/Jun/2015:14:36:02 +0200] - slapd shutting down - closing down internal subsystems and plugins [19/Jun/2015:14:36:02 +0200] - Waiting for 4 database threads to stop [19/Jun/2015:14:36:03 +0200] - All database threads now stopped [19/Jun/2015:14:36:03 +0200] - slapd shutting down - freed 2 work q stack objects - freed 6 op stack objects [19/Jun/2015:14:36:03 +0200] - slapd stopped. [19/Jun/2015:14:36:06 +0200] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2 [19/Jun/2015:14:36:06 +0200] - SSL alert: Configured NSS Ciphers [19/Jun/2015:14:36:06 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled [19/Jun/2015:14:36:06 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled [19/Jun/2015:14:36:06 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled [19/Jun/2015:14:36:06 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled [19/Jun/2015:14:36:06 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled [19/Jun/2015:14:36:07 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled [19/Jun/2015:14:36:07 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled [19/Jun/2015:14:36:07 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled [19/Jun/2015:14:36:07 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled [19/Jun/2015:14:36:07 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled [19/Jun/2015:14:36:07 +0200] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled [19/Jun/2015:14:36:07 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled [19/Jun/2015:14:36:07 +0200] - SSL alert: 
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [19/Jun/2015:14:36:07 +0200] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled [19/Jun/2015:14:36:07 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled [19/Jun/2015:14:36:07 +0200] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled [19/Jun/2015:14:36:07 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled [19/Jun/2015:14:36:07 +0200] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [19/Jun/2015:14:36:07 +0200] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled [19/Jun/2015:14:36:07 +0200] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled [19/Jun/2015:14:36:07 +0200] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled [19/Jun/2015:14:36:07 +0200] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled [19/Jun/2015:14:36:07 +0200] - SSL alert: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled [19/Jun/2015:14:36:07 +0200] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled [19/Jun/2015:14:36:07 +0200] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled [19/Jun/2015:14:36:07 +0200] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled [19/Jun/2015:14:36:07 +0200] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [19/Jun/2015:14:36:07 +0200] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled [19/Jun/2015:14:36:07 +0200] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled [19/Jun/2015:14:36:07 +0200] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [19/Jun/2015:14:36:07 +0200] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled [19/Jun/2015:14:36:07 +0200] - 389-Directory/1.3.4.a1 B2015.132.1526 starting up [19/Jun/2015:14:36:07 +0200] - resizing db cache size: 1342176 -> 1073740 [19/Jun/2015:14:36:07 +0200] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com [19/Jun/2015:14:36:08 +0200] schema-compat-plugin - warning: no entries set up under cn=ng, 
cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com [19/Jun/2015:14:36:08 +0200] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com [19/Jun/2015:14:36:08 +0200] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [19/Jun/2015:14:36:08 +0200] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [19/Jun/2015:14:36:08 +0200] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [19/Jun/2015:14:36:08 +0200] NSACLPlugin - The ACL target ou=sudoers,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [19/Jun/2015:14:36:08 +0200] NSACLPlugin - The ACL target cn=users,cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [19/Jun/2015:14:36:08 +0200] NSACLPlugin - The ACL target cn=ad,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [19/Jun/2015:14:36:08 +0200] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [19/Jun/2015:14:36:08 +0200] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [19/Jun/2015:14:36:08 +0200] NSACLPlugin - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist [19/Jun/2015:14:36:08 +0200] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com--no CoS Templates found, which should be added before the CoS Definition. [19/Jun/2015:14:36:08 +0200] - slapd started. 
Listening on All Interfaces port 389 for LDAP requests [19/Jun/2015:14:36:08 +0200] - Listening on All Interfaces port 636 for LDAPS requests [19/Jun/2015:14:36:08 +0200] - Listening on /var/run/slapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket for LDAPI requests [19/Jun/2015:14:37:10 +0200] - slapd shutting down - signaling operation threads - op stack size 3 max work q size 2 max work q stack size 2 [19/Jun/2015:14:37:10 +0200] - slapd shutting down - waiting for 29 threads to terminate [19/Jun/2015:14:37:10 +0200] - slapd shutting down - closing down internal subsystems and plugins [19/Jun/2015:14:37:11 +0200] - Waiting for 4 database threads to stop [19/Jun/2015:14:37:12 +0200] - All database threads now stopped [19/Jun/2015:14:37:12 +0200] - slapd shutting down - freed 2 work q stack objects - freed 5 op stack objects [19/Jun/2015:14:37:12 +0200] - slapd stopped. [19/Jun/2015:14:37:14 +0200] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2 [19/Jun/2015:14:37:14 +0200] - SSL alert: Configured NSS Ciphers [19/Jun/2015:14:37:14 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled [19/Jun/2015:14:37:14 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled [19/Jun/2015:14:37:14 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled [19/Jun/2015:14:37:14 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled [19/Jun/2015:14:37:14 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled [19/Jun/2015:14:37:14 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled [19/Jun/2015:14:37:14 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled [19/Jun/2015:14:37:14 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled [19/Jun/2015:14:37:14 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled [19/Jun/2015:14:37:14 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled [19/Jun/2015:14:37:14 +0200] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: 
enabled [19/Jun/2015:14:37:14 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled [19/Jun/2015:14:37:14 +0200] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [19/Jun/2015:14:37:14 +0200] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled [19/Jun/2015:14:37:14 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled [19/Jun/2015:14:37:14 +0200] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled [19/Jun/2015:14:37:14 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled [19/Jun/2015:14:37:14 +0200] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [19/Jun/2015:14:37:14 +0200] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled [19/Jun/2015:14:37:14 +0200] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled [19/Jun/2015:14:37:14 +0200] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled [19/Jun/2015:14:37:14 +0200] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled [19/Jun/2015:14:37:14 +0200] - SSL alert: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled [19/Jun/2015:14:37:14 +0200] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled [19/Jun/2015:14:37:14 +0200] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled [19/Jun/2015:14:37:14 +0200] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled [19/Jun/2015:14:37:15 +0200] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [19/Jun/2015:14:37:15 +0200] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled [19/Jun/2015:14:37:15 +0200] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled [19/Jun/2015:14:37:15 +0200] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [19/Jun/2015:14:37:15 +0200] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled [19/Jun/2015:14:37:15 +0200] - 389-Directory/1.3.4.a1 B2015.132.1526 starting up [19/Jun/2015:14:37:15 +0200] - resizing db cache size: 1073740 -> 858992 [19/Jun/2015:14:37:15 +0200] schema-compat-plugin - warning: no entries set up under cn=computers, 
cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com [19/Jun/2015:14:37:15 +0200] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com [19/Jun/2015:14:37:15 +0200] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com [19/Jun/2015:14:37:15 +0200] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [19/Jun/2015:14:37:15 +0200] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [19/Jun/2015:14:37:15 +0200] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [19/Jun/2015:14:37:15 +0200] NSACLPlugin - The ACL target ou=sudoers,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [19/Jun/2015:14:37:15 +0200] NSACLPlugin - The ACL target cn=users,cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [19/Jun/2015:14:37:15 +0200] NSACLPlugin - The ACL target cn=ad,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [19/Jun/2015:14:37:15 +0200] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [19/Jun/2015:14:37:15 +0200] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [19/Jun/2015:14:37:15 +0200] NSACLPlugin - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist [19/Jun/2015:14:37:15 +0200] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com--no CoS Templates found, which should be added before the CoS Definition. [19/Jun/2015:14:37:16 +0200] - slapd started. 
server) errno 107 (Transport endpoint is not connected) [19/Jun/2015:16:42:06 +0200] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [19/Jun/2015:16:42:06 +0200] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [19/Jun/2015:16:42:06 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) [19/Jun/2015:16:42:06 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [19/Jun/2015:16:42:06 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-086.idm.lab.eng.brq.redhat.com" (vm-086:389): Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) () [19/Jun/2015:16:42:09 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) [19/Jun/2015:16:42:09 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [19/Jun/2015:16:42:09 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-244.idm.lab.eng.brq.redhat.com" (vm-244:389): Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) () [19/Jun/2015:16:42:09 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) [19/Jun/2015:16:42:09 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP 
server) [19/Jun/2015:16:42:09 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-036.idm.lab.eng.brq.redhat.com" (vm-036:389): Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) () [19/Jun/2015:16:42:13 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) [19/Jun/2015:16:42:13 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [19/Jun/2015:16:42:18 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) [19/Jun/2015:16:42:18 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [19/Jun/2015:16:42:18 +0200] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [19/Jun/2015:16:42:18 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) [19/Jun/2015:16:42:18 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [19/Jun/2015:16:42:18 +0200] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [19/Jun/2015:16:42:19 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) 
[19/Jun/2015:16:42:19 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [19/Jun/2015:16:42:19 +0200] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [19/Jun/2015:16:42:24 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) [19/Jun/2015:16:42:24 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [19/Jun/2015:16:42:24 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) [19/Jun/2015:16:42:24 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [19/Jun/2015:16:42:31 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) [19/Jun/2015:16:42:31 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [19/Jun/2015:16:42:36 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) [19/Jun/2015:16:42:36 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [19/Jun/2015:16:42:36 +0200] 
slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) [19/Jun/2015:16:42:36 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [19/Jun/2015:16:42:42 +0200] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [19/Jun/2015:16:42:42 +0200] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [19/Jun/2015:16:42:55 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) [19/Jun/2015:16:42:55 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [19/Jun/2015:16:43:00 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) [19/Jun/2015:16:43:00 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [19/Jun/2015:16:43:00 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) [19/Jun/2015:16:43:00 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [19/Jun/2015:16:43:09 +0200] slapi_ldap_bind - Error: could not send startTLS 
request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [19/Jun/2015:16:43:30 +0200] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [19/Jun/2015:16:43:30 +0200] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [19/Jun/2015:16:43:43 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) [19/Jun/2015:16:43:43 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [19/Jun/2015:16:43:48 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) [19/Jun/2015:16:43:48 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [19/Jun/2015:16:43:48 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) [19/Jun/2015:16:43:48 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [19/Jun/2015:16:44:45 +0200] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [19/Jun/2015:16:45:06 +0200] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) 
[19/Jun/2015:16:45:07 +0200] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [19/Jun/2015:16:45:19 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) [19/Jun/2015:16:45:19 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [19/Jun/2015:16:45:24 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) [19/Jun/2015:16:45:24 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [19/Jun/2015:16:45:24 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) [19/Jun/2015:16:45:24 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [19/Jun/2015:16:47:57 +0200] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [19/Jun/2015:16:48:18 +0200] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [19/Jun/2015:16:48:18 +0200] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [19/Jun/2015:16:48:31 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind 
for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) [19/Jun/2015:16:48:31 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [19/Jun/2015:16:48:36 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) [19/Jun/2015:16:48:36 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [19/Jun/2015:16:48:36 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) [19/Jun/2015:16:48:36 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [19/Jun/2015:16:52:57 +0200] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [19/Jun/2015:16:53:18 +0200] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [19/Jun/2015:16:53:18 +0200] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [19/Jun/2015:16:53:31 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) [19/Jun/2015:16:53:31 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't 
contact LDAP server) [19/Jun/2015:16:53:36 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) [19/Jun/2015:16:53:36 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [19/Jun/2015:16:53:36 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) [19/Jun/2015:16:53:36 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [19/Jun/2015:16:57:57 +0200] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [19/Jun/2015:16:58:18 +0200] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [19/Jun/2015:16:58:19 +0200] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [19/Jun/2015:16:58:31 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) [19/Jun/2015:16:58:33 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [19/Jun/2015:16:58:36 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) [19/Jun/2015:16:58:38 +0200] 
slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [19/Jun/2015:16:58:39 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) [19/Jun/2015:16:58:40 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [19/Jun/2015:17:02:57 +0200] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [19/Jun/2015:17:03:18 +0200] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [19/Jun/2015:17:03:18 +0200] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [19/Jun/2015:17:03:31 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) [19/Jun/2015:17:03:31 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [19/Jun/2015:17:03:36 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) [19/Jun/2015:17:03:36 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [19/Jun/2015:17:03:36 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP 
error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) [19/Jun/2015:17:03:36 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [19/Jun/2015:17:06:49 +0200] - slapd shutting down - signaling operation threads - op stack size 7 max work q size 5 max work q stack size 5 [19/Jun/2015:17:06:49 +0200] - slapd shutting down - waiting for 1 thread to terminate [19/Jun/2015:17:06:49 +0200] - slapd shutting down - closing down internal subsystems and plugins [19/Jun/2015:17:06:50 +0200] - Waiting for 4 database threads to stop [19/Jun/2015:17:06:50 +0200] - All database threads now stopped [19/Jun/2015:17:06:50 +0200] - slapd shutting down - freed 5 work q stack objects - freed 8 op stack objects [19/Jun/2015:17:06:50 +0200] - slapd stopped. [22/Jun/2015:11:57:51 +0200] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2 [22/Jun/2015:11:57:52 +0200] - SSL alert: Configured NSS Ciphers [22/Jun/2015:11:57:52 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled [22/Jun/2015:11:57:52 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled [22/Jun/2015:11:57:52 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled [22/Jun/2015:11:57:52 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled [22/Jun/2015:11:57:52 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled [22/Jun/2015:11:57:52 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled [22/Jun/2015:11:57:52 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled [22/Jun/2015:11:57:53 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled [22/Jun/2015:11:57:53 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled [22/Jun/2015:11:57:53 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled [22/Jun/2015:11:57:53 +0200] - SSL alert: 
TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled [22/Jun/2015:11:57:53 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled [22/Jun/2015:11:57:53 +0200] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [22/Jun/2015:11:57:53 +0200] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled [22/Jun/2015:11:57:53 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled [22/Jun/2015:11:57:53 +0200] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled [22/Jun/2015:11:57:53 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled [22/Jun/2015:11:57:54 +0200] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [22/Jun/2015:11:57:54 +0200] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled [22/Jun/2015:11:57:54 +0200] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled [22/Jun/2015:11:57:54 +0200] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled [22/Jun/2015:11:57:54 +0200] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled [22/Jun/2015:11:57:54 +0200] - SSL alert: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled [22/Jun/2015:11:57:54 +0200] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled [22/Jun/2015:11:57:54 +0200] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled [22/Jun/2015:11:57:54 +0200] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled [22/Jun/2015:11:57:54 +0200] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [22/Jun/2015:11:57:54 +0200] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled [22/Jun/2015:11:57:54 +0200] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled [22/Jun/2015:11:57:54 +0200] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [22/Jun/2015:11:57:54 +0200] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled [22/Jun/2015:11:57:55 +0200] - 389-Directory/1.3.4.a1 B2015.132.1526 starting up [22/Jun/2015:11:57:55 +0200] - WARNING: userRoot: entry cache size 900717B is less than db size 1097728B; We recommend to increase the entry cache size nsslapd-cachememsize. 
[22/Jun/2015:11:57:55 +0200] - WARNING: changelog: entry cache size 687193B is less than db size 2179072B; We recommend to increase the entry cache size nsslapd-cachememsize. [22/Jun/2015:11:57:55 +0200] - resizing db cache size: 858992 -> 687193 [22/Jun/2015:11:57:56 +0200] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com [22/Jun/2015:11:57:56 +0200] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com [22/Jun/2015:11:57:56 +0200] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com [22/Jun/2015:11:57:56 +0200] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [22/Jun/2015:11:57:56 +0200] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [22/Jun/2015:11:57:56 +0200] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [22/Jun/2015:11:57:57 +0200] NSACLPlugin - The ACL target ou=sudoers,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [22/Jun/2015:11:57:57 +0200] NSACLPlugin - The ACL target cn=users,cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [22/Jun/2015:11:57:57 +0200] NSACLPlugin - The ACL target cn=ad,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [22/Jun/2015:11:57:57 +0200] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [22/Jun/2015:11:57:57 +0200] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [22/Jun/2015:11:57:58 +0200] NSACLPlugin - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist [22/Jun/2015:11:57:58 
+0200] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com--no CoS Templates found, which should be added before the CoS Definition. [22/Jun/2015:11:57:59 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://vm-244.idm.lab.eng.brq.redhat.com:389/o%3Dipaca) failed. [22/Jun/2015:11:57:59 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://vm-244.idm.lab.eng.brq.redhat.com:389/o%3Dipaca) failed. [22/Jun/2015:11:57:59 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/vm-069.idm.lab.eng.brq.redhat.com at IDM.LAB.ENG.BRQ.REDHAT.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [22/Jun/2015:11:57:59 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/vm-069.idm.lab.eng.brq.redhat.com at IDM.LAB.ENG.BRQ.REDHAT.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [22/Jun/2015:11:57:59 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/vm-069.idm.lab.eng.brq.redhat.com at IDM.LAB.ENG.BRQ.REDHAT.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [22/Jun/2015:11:57:59 +0200] - slapd started. 
[22/Jun/2015:10:25:10 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://vm-175.idm.lab.eng.brq.redhat.com:389/o%3Dipaca) failed. [22/Jun/2015:10:25:14 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket not yet valid)) errno 2 (No such file or directory) [22/Jun/2015:10:25:14 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [22/Jun/2015:10:25:19 +0200] csngen_new_csn - Warning: too much time skew (-6659 secs). Current seqnum=2 [22/Jun/2015:10:25:33 +0200] csngen_new_csn - Warning: too much time skew (-6646 secs). Current seqnum=2 [22/Jun/2015:10:25:33 +0200] csngen_new_csn - Warning: too much time skew (-6647 secs). Current seqnum=2 [22/Jun/2015:10:25:35 +0200] csngen_new_csn - Warning: too much time skew (-6646 secs). Current seqnum=2 [22/Jun/2015:10:25:35 +0200] csngen_new_csn - Warning: too much time skew (-6647 secs). Current seqnum=3 [22/Jun/2015:10:25:36 +0200] csngen_new_csn - Warning: too much time skew (-6647 secs). Current seqnum=2 [22/Jun/2015:10:25:41 +0200] csngen_new_csn - Warning: too much time skew (-6643 secs). Current seqnum=1 [22/Jun/2015:10:25:41 +0200] csngen_new_csn - Warning: too much time skew (-6644 secs). Current seqnum=2 [22/Jun/2015:10:25:41 +0200] csngen_new_csn - Warning: too much time skew (-6645 secs). Current seqnum=3 [22/Jun/2015:10:25:41 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Ticket not yet valid)) errno 2 (No such file or directory) [22/Jun/2015:10:25:41 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [22/Jun/2015:10:25:41 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-175.idm.lab.eng.brq.redhat.com" (vm-175:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket not yet valid)) [22/Jun/2015:10:25:45 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket not yet valid)) errno 2 (No such file or directory) [22/Jun/2015:10:25:46 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [22/Jun/2015:10:25:51 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket not yet valid)) errno 2 (No such file or directory) [22/Jun/2015:10:25:51 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [22/Jun/2015:10:26:02 +0200] csngen_new_csn - Warning: too much time skew (-6625 secs). 
Current seqnum=4 [22/Jun/2015:10:26:03 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) [22/Jun/2015:10:26:03 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [22/Jun/2015:10:26:03 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-175.idm.lab.eng.brq.redhat.com" (vm-175:389): Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) () [22/Jun/2015:10:26:27 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) [22/Jun/2015:10:26:27 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [22/Jun/2015:10:26:31 +0200] csngen_new_csn - Warning: too much time skew (-6597 secs). Current seqnum=1 [22/Jun/2015:10:27:10 +0200] csngen_new_csn - Warning: too much time skew (-6559 secs). Current seqnum=1 [22/Jun/2015:10:27:15 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) [22/Jun/2015:10:27:15 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [22/Jun/2015:10:27:39 +0200] csngen_new_csn - Warning: too much time skew (-6531 secs). Current seqnum=4 [22/Jun/2015:10:27:50 +0200] csngen_new_csn - Warning: too much time skew (-6521 secs). Current seqnum=2 [22/Jun/2015:10:27:50 +0200] csngen_new_csn - Warning: too much time skew (-6522 secs). 
Current seqnum=6 [22/Jun/2015:10:27:51 +0200] csngen_new_csn - Warning: too much time skew (-6522 secs). Current seqnum=7 [22/Jun/2015:10:27:52 +0200] csngen_new_csn - Warning: too much time skew (-6522 secs). Current seqnum=8 [22/Jun/2015:10:27:52 +0200] csngen_new_csn - Warning: too much time skew (-6523 secs). Current seqnum=4 [22/Jun/2015:10:27:52 +0200] csngen_new_csn - Warning: too much time skew (-6524 secs). Current seqnum=5 [22/Jun/2015:10:27:53 +0200] csngen_new_csn - Warning: too much time skew (-6524 secs). Current seqnum=6 [22/Jun/2015:10:27:53 +0200] csngen_new_csn - Warning: too much time skew (-6525 secs). Current seqnum=7 [22/Jun/2015:10:27:54 +0200] csngen_new_csn - Warning: too much time skew (-6525 secs). Current seqnum=8 [22/Jun/2015:10:27:54 +0200] csngen_new_csn - Warning: too much time skew (-6526 secs). Current seqnum=9 [22/Jun/2015:10:27:55 +0200] csngen_new_csn - Warning: too much time skew (-6526 secs). Current seqnum=1 [22/Jun/2015:10:27:55 +0200] csngen_new_csn - Warning: too much time skew (-6527 secs). Current seqnum=2 [22/Jun/2015:10:27:55 +0200] csngen_new_csn - Warning: too much time skew (-6528 secs). Current seqnum=3 [22/Jun/2015:10:27:55 +0200] csngen_new_csn - Warning: too much time skew (-6529 secs). Current seqnum=4 [22/Jun/2015:10:27:56 +0200] csngen_new_csn - Warning: too much time skew (-6529 secs). Current seqnum=5 [22/Jun/2015:10:27:56 +0200] csngen_new_csn - Warning: too much time skew (-6530 secs). Current seqnum=6 [22/Jun/2015:10:27:57 +0200] csngen_new_csn - Warning: too much time skew (-6530 secs). Current seqnum=7 [22/Jun/2015:10:27:58 +0200] csngen_new_csn - Warning: too much time skew (-6530 secs). Current seqnum=5 [22/Jun/2015:10:28:15 +0200] csngen_new_csn - Warning: too much time skew (-6514 secs). Current seqnum=4 [22/Jun/2015:10:28:15 +0200] csngen_new_csn - Warning: too much time skew (-6515 secs). Current seqnum=9 [22/Jun/2015:10:28:16 +0200] csngen_new_csn - Warning: too much time skew (-6515 secs). 
Current seqnum=a [22/Jun/2015:10:28:16 +0200] csngen_new_csn - Warning: too much time skew (-6516 secs). Current seqnum=b [22/Jun/2015:10:28:35 +0200] csngen_new_csn - Warning: too much time skew (-6498 secs). Current seqnum=1 [22/Jun/2015:10:28:51 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket not yet valid)) errno 2 (No such file or directory) [22/Jun/2015:10:28:51 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [22/Jun/2015:10:28:51 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-175.idm.lab.eng.brq.redhat.com" (vm-175:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket not yet valid)) [22/Jun/2015:10:29:00 +0200] csngen_new_csn - Warning: too much time skew (-6474 secs). Current seqnum=2 [22/Jun/2015:10:29:01 +0200] csngen_new_csn - Warning: too much time skew (-6474 secs). Current seqnum=3 [22/Jun/2015:10:29:01 +0200] csngen_new_csn - Warning: too much time skew (-6475 secs). Current seqnum=4 [22/Jun/2015:10:29:03 +0200] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389)". [22/Jun/2015:10:29:09 +0200] NSMMReplicationPlugin - Finished total update of replica "agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389)". Sent 541 entries. [22/Jun/2015:10:29:09 +0200] csngen_new_csn - Warning: too much time skew (-6468 secs). Current seqnum=5 [22/Jun/2015:10:29:10 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://vm-056.idm.lab.eng.brq.redhat.com:389/dc%3Didm%2Cdc%3Dlab%2Cdc%3Deng%2Cdc%3Dbrq%2Cdc%3Dredhat%2Cdc%3Dcom) failed. 
[22/Jun/2015:10:29:10 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://vm-056.idm.lab.eng.brq.redhat.com:389/dc%3Didm%2Cdc%3Dlab%2Cdc%3Deng%2Cdc%3Dbrq%2Cdc%3Dredhat%2Cdc%3Dcom) failed. [22/Jun/2015:10:29:10 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://vm-056.idm.lab.eng.brq.redhat.com:389/dc%3Didm%2Cdc%3Dlab%2Cdc%3Deng%2Cdc%3Dbrq%2Cdc%3Dredhat%2Cdc%3Dcom) failed. [22/Jun/2015:10:29:11 +0200] csngen_new_csn - Warning: too much time skew (-6467 secs). Current seqnum=2 [22/Jun/2015:10:29:12 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://vm-056.idm.lab.eng.brq.redhat.com:389/dc%3Didm%2Cdc%3Dlab%2Cdc%3Deng%2Cdc%3Dbrq%2Cdc%3Dredhat%2Cdc%3Dcom) failed. [22/Jun/2015:10:29:12 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://vm-056.idm.lab.eng.brq.redhat.com:389/dc%3Didm%2Cdc%3Dlab%2Cdc%3Deng%2Cdc%3Dbrq%2Cdc%3Dredhat%2Cdc%3Dcom) failed. [22/Jun/2015:10:29:12 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://vm-056.idm.lab.eng.brq.redhat.com:389/dc%3Didm%2Cdc%3Dlab%2Cdc%3Deng%2Cdc%3Dbrq%2Cdc%3Dredhat%2Cdc%3Dcom) failed. [22/Jun/2015:10:29:12 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://vm-056.idm.lab.eng.brq.redhat.com:389/dc%3Didm%2Cdc%3Dlab%2Cdc%3Deng%2Cdc%3Dbrq%2Cdc%3Dredhat%2Cdc%3Dcom) failed. [22/Jun/2015:10:29:12 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://vm-056.idm.lab.eng.brq.redhat.com:389/dc%3Didm%2Cdc%3Dlab%2Cdc%3Deng%2Cdc%3Dbrq%2Cdc%3Dredhat%2Cdc%3Dcom) failed. [22/Jun/2015:10:29:13 +0200] csngen_new_csn - Warning: too much time skew (-6466 secs). Current seqnum=1 [22/Jun/2015:10:29:13 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://vm-056.idm.lab.eng.brq.redhat.com:389/dc%3Didm%2Cdc%3Dlab%2Cdc%3Deng%2Cdc%3Dbrq%2Cdc%3Dredhat%2Cdc%3Dcom) failed. 
[22/Jun/2015:10:29:13 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://vm-056.idm.lab.eng.brq.redhat.com:389/dc%3Didm%2Cdc%3Dlab%2Cdc%3Deng%2Cdc%3Dbrq%2Cdc%3Dredhat%2Cdc%3Dcom) failed. [22/Jun/2015:10:29:13 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://vm-056.idm.lab.eng.brq.redhat.com:389/dc%3Didm%2Cdc%3Dlab%2Cdc%3Deng%2Cdc%3Dbrq%2Cdc%3Dredhat%2Cdc%3Dcom) failed. [22/Jun/2015:10:29:13 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://vm-056.idm.lab.eng.brq.redhat.com:389/dc%3Didm%2Cdc%3Dlab%2Cdc%3Deng%2Cdc%3Dbrq%2Cdc%3Dredhat%2Cdc%3Dcom) failed. [22/Jun/2015:10:29:42 +0200] csngen_new_csn - Warning: too much time skew (-6382 secs). Current seqnum=1 [22/Jun/2015:10:29:42 +0200] csngen_new_csn - Warning: too much time skew (-6383 secs). Current seqnum=2 [22/Jun/2015:10:29:42 +0200] csngen_new_csn - Warning: too much time skew (-6384 secs). Current seqnum=3 [22/Jun/2015:10:29:43 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://vm-175.idm.lab.eng.brq.redhat.com:389/o%3Dipaca) failed. [22/Jun/2015:10:29:44 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://vm-175.idm.lab.eng.brq.redhat.com:389/o%3Dipaca) failed. [22/Jun/2015:10:29:44 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://vm-175.idm.lab.eng.brq.redhat.com:389/o%3Dipaca) failed. [22/Jun/2015:10:29:47 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://vm-127.idm.lab.eng.brq.redhat.com:389/o%3Dipaca) failed. [22/Jun/2015:10:29:47 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://vm-127.idm.lab.eng.brq.redhat.com:389/o%3Dipaca) failed. [22/Jun/2015:10:29:47 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://vm-127.idm.lab.eng.brq.redhat.com:389/o%3Dipaca) failed. 
[22/Jun/2015:10:30:14 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket not yet valid)) errno 2 (No such file or directory) [22/Jun/2015:10:30:14 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [22/Jun/2015:10:30:52 +0200] csngen_new_csn - Warning: too much time skew (-6315 secs). Current seqnum=1 [22/Jun/2015:10:30:52 +0200] csngen_new_csn - Warning: too much time skew (-6316 secs). Current seqnum=2 [22/Jun/2015:10:30:54 +0200] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=masterAgreement1-vm-056.idm.lab.eng.brq.redhat.com-pki-tomcat" (vm-056:389)". [22/Jun/2015:10:31:00 +0200] NSMMReplicationPlugin - Finished total update of replica "agmt="cn=masterAgreement1-vm-056.idm.lab.eng.brq.redhat.com-pki-tomcat" (vm-056:389)". Sent 215 entries. [22/Jun/2015:10:31:00 +0200] csngen_new_csn - Warning: too much time skew (-6309 secs). Current seqnum=3 [22/Jun/2015:10:31:11 +0200] csngen_new_csn - Warning: too much time skew (-6299 secs). Current seqnum=4 [22/Jun/2015:10:31:11 +0200] csngen_new_csn - Warning: too much time skew (-6300 secs). Current seqnum=5 [22/Jun/2015:10:31:11 +0200] csngen_new_csn - Warning: too much time skew (-6301 secs). Current seqnum=6 [22/Jun/2015:10:31:11 +0200] csngen_new_csn - Warning: too much time skew (-6302 secs). Current seqnum=7 [22/Jun/2015:10:31:11 +0200] csngen_new_csn - Warning: too much time skew (-6303 secs). Current seqnum=8 [22/Jun/2015:10:31:11 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://vm-056.idm.lab.eng.brq.redhat.com:389/o%3Dipaca) failed. [22/Jun/2015:10:31:11 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://vm-056.idm.lab.eng.brq.redhat.com:389/o%3Dipaca) failed. 
[22/Jun/2015:10:31:11 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://vm-056.idm.lab.eng.brq.redhat.com:389/o%3Dipaca) failed. [22/Jun/2015:10:31:11 +0200] csngen_new_csn - Warning: too much time skew (-6304 secs). Current seqnum=1 [22/Jun/2015:10:31:12 +0200] csngen_new_csn - Warning: too much time skew (-6304 secs). Current seqnum=2 [22/Jun/2015:10:31:12 +0200] csngen_new_csn - Warning: too much time skew (-6305 secs). Current seqnum=3 [22/Jun/2015:10:31:12 +0200] csngen_new_csn - Warning: too much time skew (-6306 secs). Current seqnum=4 [22/Jun/2015:10:31:12 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://vm-056.idm.lab.eng.brq.redhat.com:389/o%3Dipaca) failed. [22/Jun/2015:10:31:12 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://vm-056.idm.lab.eng.brq.redhat.com:389/o%3Dipaca) failed. [22/Jun/2015:10:31:12 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://vm-056.idm.lab.eng.brq.redhat.com:389/o%3Dipaca) failed. [22/Jun/2015:10:31:13 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://vm-175.idm.lab.eng.brq.redhat.com:389/o%3Dipaca) failed. [22/Jun/2015:10:31:13 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://vm-175.idm.lab.eng.brq.redhat.com:389/o%3Dipaca) failed. [22/Jun/2015:10:31:13 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://vm-175.idm.lab.eng.brq.redhat.com:389/o%3Dipaca) failed. [22/Jun/2015:10:31:13 +0200] csngen_new_csn - Warning: too much time skew (-6306 secs). Current seqnum=1 [22/Jun/2015:10:31:13 +0200] csngen_new_csn - Warning: too much time skew (-6307 secs). Current seqnum=2 [22/Jun/2015:10:31:16 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://vm-127.idm.lab.eng.brq.redhat.com:389/o%3Dipaca) failed. [22/Jun/2015:10:31:16 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://vm-127.idm.lab.eng.brq.redhat.com:389/o%3Dipaca) failed. 
[22/Jun/2015:10:31:16 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://vm-127.idm.lab.eng.brq.redhat.com:389/o%3Dipaca) failed. [22/Jun/2015:10:32:03 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket not yet valid)) errno 2 (No such file or directory) [22/Jun/2015:10:32:03 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [22/Jun/2015:10:32:12 +0200] csngen_new_csn - Warning: too much time skew (-6249 secs). Current seqnum=1 [22/Jun/2015:10:32:12 +0200] csngen_new_csn - Warning: too much time skew (-6250 secs). Current seqnum=2 [22/Jun/2015:10:32:12 +0200] csngen_new_csn - Warning: too much time skew (-6251 secs). Current seqnum=3 [22/Jun/2015:10:32:12 +0200] csngen_new_csn - Warning: too much time skew (-6252 secs). Current seqnum=4 [22/Jun/2015:10:32:13 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://vm-175.idm.lab.eng.brq.redhat.com:389/o%3Dipaca) failed. [22/Jun/2015:10:32:13 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://vm-175.idm.lab.eng.brq.redhat.com:389/o%3Dipaca) failed. [22/Jun/2015:10:32:13 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://vm-175.idm.lab.eng.brq.redhat.com:389/o%3Dipaca) failed. [22/Jun/2015:10:32:17 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://vm-127.idm.lab.eng.brq.redhat.com:389/o%3Dipaca) failed. [22/Jun/2015:10:32:17 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://vm-127.idm.lab.eng.brq.redhat.com:389/o%3Dipaca) failed. [22/Jun/2015:10:32:17 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://vm-127.idm.lab.eng.brq.redhat.com:389/o%3Dipaca) failed. 
[22/Jun/2015:10:32:18 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://vm-056.idm.lab.eng.brq.redhat.com:389/o%3Dipaca) failed. [22/Jun/2015:10:32:18 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://vm-056.idm.lab.eng.brq.redhat.com:389/o%3Dipaca) failed. [22/Jun/2015:10:32:18 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://vm-056.idm.lab.eng.brq.redhat.com:389/o%3Dipaca) failed. [22/Jun/2015:10:32:22 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://vm-056.idm.lab.eng.brq.redhat.com:389/o%3Dipaca) failed. [22/Jun/2015:10:32:22 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://vm-056.idm.lab.eng.brq.redhat.com:389/o%3Dipaca) failed. [22/Jun/2015:10:32:22 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://vm-056.idm.lab.eng.brq.redhat.com:389/o%3Dipaca) failed. [22/Jun/2015:10:32:22 +0200] csngen_new_csn - Warning: too much time skew (-6243 secs). Current seqnum=1 [22/Jun/2015:10:32:22 +0200] csngen_new_csn - Warning: too much time skew (-6244 secs). Current seqnum=2 [22/Jun/2015:10:32:22 +0200] csngen_new_csn - Warning: too much time skew (-6245 secs). Current seqnum=3 [22/Jun/2015:10:32:23 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://vm-056.idm.lab.eng.brq.redhat.com:389/o%3Dipaca) failed. [22/Jun/2015:10:32:23 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://vm-056.idm.lab.eng.brq.redhat.com:389/o%3Dipaca) failed. [22/Jun/2015:10:32:23 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://vm-056.idm.lab.eng.brq.redhat.com:389/o%3Dipaca) failed. [22/Jun/2015:10:32:23 +0200] csngen_new_csn - Warning: too much time skew (-6245 secs). Current seqnum=4 [22/Jun/2015:10:32:23 +0200] csngen_new_csn - Warning: too much time skew (-6246 secs). Current seqnum=5 [22/Jun/2015:10:32:23 +0200] csngen_new_csn - Warning: too much time skew (-6247 secs). 
Current seqnum=6 [22/Jun/2015:10:32:24 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://vm-127.idm.lab.eng.brq.redhat.com:389/o%3Dipaca) failed. [22/Jun/2015:10:32:24 +0200] csngen_new_csn - Warning: too much time skew (-6247 secs). Current seqnum=1 [22/Jun/2015:10:32:24 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://vm-127.idm.lab.eng.brq.redhat.com:389/o%3Dipaca) failed. [22/Jun/2015:10:32:24 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://vm-127.idm.lab.eng.brq.redhat.com:389/o%3Dipaca) failed. [22/Jun/2015:10:32:26 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://vm-175.idm.lab.eng.brq.redhat.com:389/o%3Dipaca) failed. [22/Jun/2015:10:32:26 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://vm-175.idm.lab.eng.brq.redhat.com:389/o%3Dipaca) failed. [22/Jun/2015:10:32:26 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://vm-175.idm.lab.eng.brq.redhat.com:389/o%3Dipaca) failed. [22/Jun/2015:10:32:38 +0200] repl_version_plugin_recv_acquire_cb - [file ipa_repl_version.c, line 119]: Incompatible IPA versions, pausing replication. This server: "20100614120000" remote server: "(null)". [22/Jun/2015:10:32:38 +0200] repl_version_plugin_recv_acquire_cb - [file ipa_repl_version.c, line 119]: Incompatible IPA versions, pausing replication. This server: "20100614120000" remote server: "(null)". [22/Jun/2015:10:32:41 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://vm-056.idm.lab.eng.brq.redhat.com:389/o%3Dipaca) failed. [22/Jun/2015:10:32:41 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://vm-056.idm.lab.eng.brq.redhat.com:389/o%3Dipaca) failed. [22/Jun/2015:10:32:41 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://vm-056.idm.lab.eng.brq.redhat.com:389/o%3Dipaca) failed. [22/Jun/2015:10:33:12 +0200] csngen_new_csn - Warning: too much time skew (-6228 secs). 
Current seqnum=1 [22/Jun/2015:10:33:12 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:33:16 +0200] csngen_new_csn - Warning: too much time skew (-6225 secs). Current seqnum=1 [22/Jun/2015:10:33:16 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:33:20 +0200] csngen_new_csn - Warning: too much time skew (-6222 secs). Current seqnum=1 [22/Jun/2015:10:33:21 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:33:23 +0200] csngen_new_csn - Warning: too much time skew (-6220 secs). Current seqnum=1 [22/Jun/2015:10:33:25 +0200] csngen_new_csn - Warning: too much time skew (-6219 secs). Current seqnum=1 [22/Jun/2015:10:33:25 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:33:30 +0200] csngen_new_csn - Warning: too much time skew (-6215 secs). Current seqnum=4 [22/Jun/2015:10:33:30 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:33:34 +0200] csngen_new_csn - Warning: too much time skew (-6212 secs). 
Current seqnum=1 [22/Jun/2015:10:40:23 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:40:26 +0200] csngen_new_csn - Warning: too much time skew (-5904 secs). Current seqnum=1 [22/Jun/2015:10:40:26 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:40:29 +0200] csngen_new_csn - Warning: too much time skew (-5902 secs). Current seqnum=1 [22/Jun/2015:10:40:29 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:40:32 +0200] csngen_new_csn - Warning: too much time skew (-5900 secs). Current seqnum=1 [22/Jun/2015:10:40:32 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:40:35 +0200] csngen_new_csn - Warning: too much time skew (-5898 secs). Current seqnum=2 [22/Jun/2015:10:40:35 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:40:38 +0200] csngen_new_csn - Warning: too much time skew (-5896 secs). 
Current seqnum=1 [22/Jun/2015:10:40:38 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:40:41 +0200] csngen_new_csn - Warning: too much time skew (-5894 secs). Current seqnum=1 [22/Jun/2015:10:40:41 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:40:44 +0200] csngen_new_csn - Warning: too much time skew (-5892 secs). Current seqnum=1 [22/Jun/2015:10:40:44 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:40:47 +0200] csngen_new_csn - Warning: too much time skew (-5890 secs). Current seqnum=2 [22/Jun/2015:10:40:47 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:40:51 +0200] csngen_new_csn - Warning: too much time skew (-5887 secs). Current seqnum=1 [22/Jun/2015:10:40:51 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:40:54 +0200] csngen_new_csn - Warning: too much time skew (-5885 secs). 
Current seqnum=1 [22/Jun/2015:10:40:54 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:40:57 +0200] csngen_new_csn - Warning: too much time skew (-5883 secs). Current seqnum=1 [22/Jun/2015:10:40:57 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:41:00 +0200] csngen_new_csn - Warning: too much time skew (-5881 secs). Current seqnum=2 [22/Jun/2015:10:41:00 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:41:03 +0200] csngen_new_csn - Warning: too much time skew (-5879 secs). Current seqnum=1 [22/Jun/2015:10:41:03 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:41:06 +0200] csngen_new_csn - Warning: too much time skew (-5877 secs). Current seqnum=1 [22/Jun/2015:10:41:06 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:41:09 +0200] csngen_new_csn - Warning: too much time skew (-5875 secs). 
Current seqnum=1 [22/Jun/2015:10:41:09 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:41:12 +0200] csngen_new_csn - Warning: too much time skew (-5873 secs). Current seqnum=1 [22/Jun/2015:10:41:12 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:41:15 +0200] csngen_new_csn - Warning: too much time skew (-5871 secs). Current seqnum=2 [22/Jun/2015:10:41:15 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:41:19 +0200] csngen_new_csn - Warning: too much time skew (-5868 secs). Current seqnum=1 [22/Jun/2015:10:41:19 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:41:22 +0200] csngen_new_csn - Warning: too much time skew (-5866 secs). Current seqnum=1 [22/Jun/2015:10:41:22 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:41:25 +0200] csngen_new_csn - Warning: too much time skew (-5864 secs). 
Current seqnum=1 [22/Jun/2015:10:41:25 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:41:28 +0200] csngen_new_csn - Warning: too much time skew (-5862 secs). Current seqnum=2 [22/Jun/2015:10:41:28 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:41:31 +0200] csngen_new_csn - Warning: too much time skew (-5860 secs). Current seqnum=1 [22/Jun/2015:10:41:31 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:41:32 +0200] csngen_new_csn - Warning: too much time skew (-5860 secs). Current seqnum=2 [22/Jun/2015:10:41:34 +0200] csngen_new_csn - Warning: too much time skew (-5859 secs). Current seqnum=1 [22/Jun/2015:10:41:34 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:41:38 +0200] csngen_new_csn - Warning: too much time skew (-5856 secs). Current seqnum=2 [22/Jun/2015:10:41:39 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:41:42 +0200] csngen_new_csn - Warning: too much time skew (-5853 secs). 
Current seqnum=3 [22/Jun/2015:10:41:42 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:41:45 +0200] csngen_new_csn - Warning: too much time skew (-5851 secs). Current seqnum=4 [22/Jun/2015:10:41:45 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:41:48 +0200] csngen_new_csn - Warning: too much time skew (-5849 secs). Current seqnum=5 [22/Jun/2015:10:41:48 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:41:51 +0200] csngen_new_csn - Warning: too much time skew (-5847 secs). Current seqnum=6 [22/Jun/2015:10:41:51 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:41:54 +0200] csngen_new_csn - Warning: too much time skew (-5845 secs). Current seqnum=7 [22/Jun/2015:10:41:54 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:41:57 +0200] csngen_new_csn - Warning: too much time skew (-5843 secs). 
Current seqnum=8 [22/Jun/2015:10:41:57 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:42:00 +0200] csngen_new_csn - Warning: too much time skew (-5841 secs). Current seqnum=9 [22/Jun/2015:10:42:00 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:42:03 +0200] csngen_new_csn - Warning: too much time skew (-5839 secs). Current seqnum=a [22/Jun/2015:10:42:03 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket not yet valid)) errno 2 (No such file or directory) [22/Jun/2015:10:42:03 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [22/Jun/2015:10:42:03 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:42:07 +0200] csngen_new_csn - Warning: too much time skew (-5836 secs). Current seqnum=b [22/Jun/2015:10:42:07 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:42:11 +0200] csngen_new_csn - Warning: too much time skew (-5833 secs). 
Current seqnum=c [22/Jun/2015:10:42:11 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:42:14 +0200] csngen_new_csn - Warning: too much time skew (-5831 secs). Current seqnum=d [22/Jun/2015:10:42:14 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:42:17 +0200] csngen_new_csn - Warning: too much time skew (-5829 secs). Current seqnum=e [22/Jun/2015:10:42:17 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:42:20 +0200] csngen_new_csn - Warning: too much time skew (-5827 secs). Current seqnum=f [22/Jun/2015:10:42:20 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:42:23 +0200] csngen_new_csn - Warning: too much time skew (-5825 secs). Current seqnum=10 [22/Jun/2015:10:42:23 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:42:26 +0200] csngen_new_csn - Warning: too much time skew (-5823 secs). 
Current seqnum=11 [22/Jun/2015:10:42:26 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:42:29 +0200] csngen_new_csn - Warning: too much time skew (-5821 secs). Current seqnum=12 [22/Jun/2015:10:42:29 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:42:32 +0200] csngen_new_csn - Warning: too much time skew (-5819 secs). Current seqnum=13 [22/Jun/2015:10:42:32 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:42:36 +0200] csngen_new_csn - Warning: too much time skew (-5816 secs). Current seqnum=14 [22/Jun/2015:10:42:37 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:42:40 +0200] csngen_new_csn - Warning: too much time skew (-5813 secs). Current seqnum=15 [22/Jun/2015:10:42:40 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:42:43 +0200] csngen_new_csn - Warning: too much time skew (-5811 secs). 
Current seqnum=16 [22/Jun/2015:10:42:43 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:42:46 +0200] csngen_new_csn - Warning: too much time skew (-5809 secs). Current seqnum=17 [22/Jun/2015:10:42:46 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:42:49 +0200] csngen_new_csn - Warning: too much time skew (-5807 secs). Current seqnum=18 [22/Jun/2015:10:42:49 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:42:52 +0200] csngen_new_csn - Warning: too much time skew (-5805 secs). Current seqnum=19 [22/Jun/2015:10:42:52 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:42:56 +0200] csngen_new_csn - Warning: too much time skew (-5802 secs). Current seqnum=1 [22/Jun/2015:10:42:56 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:43:00 +0200] csngen_new_csn - Warning: too much time skew (-5799 secs). 
Current seqnum=1 [22/Jun/2015:10:43:01 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:43:04 +0200] csngen_new_csn - Warning: too much time skew (-5796 secs). Current seqnum=1 [22/Jun/2015:10:43:04 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:43:07 +0200] csngen_new_csn - Warning: too much time skew (-5794 secs). Current seqnum=1 [22/Jun/2015:10:43:07 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:43:10 +0200] csngen_new_csn - Warning: too much time skew (-5792 secs). Current seqnum=1 [22/Jun/2015:10:43:10 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:43:13 +0200] csngen_new_csn - Warning: too much time skew (-5790 secs). Current seqnum=1 [22/Jun/2015:10:43:13 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:43:16 +0200] csngen_new_csn - Warning: too much time skew (-5788 secs). 
Current seqnum=1 [22/Jun/2015:10:43:16 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:43:19 +0200] csngen_new_csn - Warning: too much time skew (-5786 secs). Current seqnum=1 [22/Jun/2015:10:43:19 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:43:22 +0200] csngen_new_csn - Warning: too much time skew (-5784 secs). Current seqnum=1 [22/Jun/2015:10:43:23 +0200] csngen_new_csn - Warning: too much time skew (-5784 secs). Current seqnum=2 [22/Jun/2015:10:43:23 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:43:27 +0200] csngen_new_csn - Warning: too much time skew (-5781 secs). Current seqnum=2 [22/Jun/2015:10:43:27 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:43:30 +0200] csngen_new_csn - Warning: too much time skew (-5779 secs). Current seqnum=3 [22/Jun/2015:10:43:30 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:43:33 +0200] csngen_new_csn - Warning: too much time skew (-5777 secs). 
Current seqnum=4 [22/Jun/2015:10:43:33 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:43:36 +0200] csngen_new_csn - Warning: too much time skew (-5775 secs). Current seqnum=5 [22/Jun/2015:10:43:36 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:43:39 +0200] csngen_new_csn - Warning: too much time skew (-5773 secs). Current seqnum=6 [22/Jun/2015:10:43:39 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:43:42 +0200] csngen_new_csn - Warning: too much time skew (-5771 secs). Current seqnum=7 [22/Jun/2015:10:43:42 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:43:45 +0200] csngen_new_csn - Warning: too much time skew (-5769 secs). Current seqnum=8 [22/Jun/2015:10:43:45 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:43:49 +0200] csngen_new_csn - Warning: too much time skew (-5766 secs). 
Current seqnum=9
[22/Jun/2015:10:43:49 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:43:53 +0200] csngen_new_csn - Warning: too much time skew (-5763 secs). Current seqnum=a
[22/Jun/2015:10:43:54 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:43:57 +0200] csngen_new_csn - Warning: too much time skew (-5760 secs). Current seqnum=b
[22/Jun/2015:10:43:57 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:44:00 +0200] csngen_new_csn - Warning: too much time skew (-5758 secs). Current seqnum=c
[22/Jun/2015:10:44:00 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:44:03 +0200] csngen_new_csn - Warning: too much time skew (-5756 secs). Current seqnum=1
[22/Jun/2015:10:44:03 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:44:06 +0200] csngen_new_csn - Warning: too much time skew (-5754 secs). Current seqnum=1
[22/Jun/2015:10:44:06 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:44:09 +0200] csngen_new_csn - Warning: too much time skew (-5752 secs). Current seqnum=1
[22/Jun/2015:10:44:09 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:44:12 +0200] csngen_new_csn - Warning: too much time skew (-5750 secs). Current seqnum=1
[22/Jun/2015:10:44:12 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:44:15 +0200] csngen_new_csn - Warning: too much time skew (-5748 secs). Current seqnum=1
[22/Jun/2015:10:44:15 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:44:19 +0200] csngen_new_csn - Warning: too much time skew (-5745 secs). Current seqnum=1
[22/Jun/2015:10:44:19 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:44:23 +0200] csngen_new_csn - Warning: too much time skew (-5742 secs). Current seqnum=1
[22/Jun/2015:10:44:23 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:44:27 +0200] csngen_new_csn - Warning: too much time skew (-5739 secs). Current seqnum=1
[22/Jun/2015:10:44:27 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:44:30 +0200] csngen_new_csn - Warning: too much time skew (-5737 secs). Current seqnum=1
[22/Jun/2015:10:44:30 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:44:33 +0200] csngen_new_csn - Warning: too much time skew (-5735 secs). Current seqnum=1
[22/Jun/2015:10:44:33 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:44:36 +0200] csngen_new_csn - Warning: too much time skew (-5733 secs). Current seqnum=1
[22/Jun/2015:10:44:36 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:44:39 +0200] csngen_new_csn - Warning: too much time skew (-5731 secs). Current seqnum=1
[22/Jun/2015:10:44:39 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:44:42 +0200] csngen_new_csn - Warning: too much time skew (-5729 secs). Current seqnum=1
[22/Jun/2015:10:44:42 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:44:45 +0200] csngen_new_csn - Warning: too much time skew (-5727 secs). Current seqnum=1
[22/Jun/2015:10:44:45 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:44:49 +0200] csngen_new_csn - Warning: too much time skew (-5724 secs). Current seqnum=1
[22/Jun/2015:10:44:49 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:44:53 +0200] csngen_new_csn - Warning: too much time skew (-5721 secs). Current seqnum=1
[22/Jun/2015:10:44:53 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:44:57 +0200] csngen_new_csn - Warning: too much time skew (-5718 secs). Current seqnum=1
[22/Jun/2015:10:44:57 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:45:00 +0200] csngen_new_csn - Warning: too much time skew (-5716 secs). Current seqnum=1
[22/Jun/2015:10:45:00 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:45:03 +0200] csngen_new_csn - Warning: too much time skew (-5714 secs). Current seqnum=1
[22/Jun/2015:10:45:03 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:45:06 +0200] csngen_new_csn - Warning: too much time skew (-5712 secs). Current seqnum=1
[22/Jun/2015:10:45:06 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:45:09 +0200] csngen_new_csn - Warning: too much time skew (-5710 secs). Current seqnum=1
[22/Jun/2015:10:45:09 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:45:13 +0200] csngen_new_csn - Warning: too much time skew (-5707 secs). Current seqnum=1
[22/Jun/2015:10:45:13 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:45:14 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket not yet valid)) errno 2 (No such file or directory)
[22/Jun/2015:10:45:14 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[22/Jun/2015:10:45:17 +0200] csngen_new_csn - Warning: too much time skew (-5704 secs). Current seqnum=1
[22/Jun/2015:10:45:17 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:45:21 +0200] csngen_new_csn - Warning: too much time skew (-5701 secs). Current seqnum=1
[22/Jun/2015:10:45:22 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:45:25 +0200] csngen_new_csn - Warning: too much time skew (-5698 secs). Current seqnum=1
[22/Jun/2015:10:45:25 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:45:28 +0200] csngen_new_csn - Warning: too much time skew (-5696 secs). Current seqnum=1
[22/Jun/2015:10:45:28 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:45:31 +0200] csngen_new_csn - Warning: too much time skew (-5694 secs). Current seqnum=1
[22/Jun/2015:10:45:31 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:45:34 +0200] csngen_new_csn - Warning: too much time skew (-5692 secs). Current seqnum=2
[22/Jun/2015:10:45:34 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:45:37 +0200] csngen_new_csn - Warning: too much time skew (-5690 secs). Current seqnum=1
[22/Jun/2015:10:45:37 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:45:40 +0200] csngen_new_csn - Warning: too much time skew (-5688 secs). Current seqnum=1
[22/Jun/2015:10:45:40 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:45:44 +0200] csngen_new_csn - Warning: too much time skew (-5685 secs). Current seqnum=1
[22/Jun/2015:10:45:44 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:45:48 +0200] csngen_new_csn - Warning: too much time skew (-5682 secs). Current seqnum=1
[22/Jun/2015:10:45:48 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:45:52 +0200] csngen_new_csn - Warning: too much time skew (-5679 secs). Current seqnum=1
[22/Jun/2015:10:45:52 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:45:56 +0200] csngen_new_csn - Warning: too much time skew (-5676 secs). Current seqnum=1
[22/Jun/2015:10:45:57 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:46:00 +0200] csngen_new_csn - Warning: too much time skew (-5673 secs). Current seqnum=1
[22/Jun/2015:10:46:00 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:46:03 +0200] csngen_new_csn - Warning: too much time skew (-5671 secs). Current seqnum=2
[22/Jun/2015:10:46:03 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:46:06 +0200] csngen_new_csn - Warning: too much time skew (-5669 secs). Current seqnum=1
[22/Jun/2015:10:46:06 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:46:09 +0200] csngen_new_csn - Warning: too much time skew (-5667 secs). Current seqnum=1
[22/Jun/2015:10:46:09 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:46:12 +0200] csngen_new_csn - Warning: too much time skew (-5665 secs). Current seqnum=1
[22/Jun/2015:10:46:12 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:46:16 +0200] csngen_new_csn - Warning: too much time skew (-5662 secs). Current seqnum=1
[22/Jun/2015:10:46:16 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:46:20 +0200] csngen_new_csn - Warning: too much time skew (-5659 secs). Current seqnum=1
[22/Jun/2015:10:46:20 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:46:24 +0200] csngen_new_csn - Warning: too much time skew (-5656 secs). Current seqnum=1
[22/Jun/2015:10:46:24 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:46:28 +0200] csngen_new_csn - Warning: too much time skew (-5653 secs). Current seqnum=1
[22/Jun/2015:10:46:28 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:46:32 +0200] csngen_new_csn - Warning: too much time skew (-5650 secs). Current seqnum=1
[22/Jun/2015:10:46:32 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:46:32 +0200] csngen_new_csn - Warning: too much time skew (-5651 secs). Current seqnum=2
[22/Jun/2015:10:46:35 +0200] csngen_new_csn - Warning: too much time skew (-5649 secs). Current seqnum=1
[22/Jun/2015:10:46:35 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:46:38 +0200] csngen_new_csn - Warning: too much time skew (-5647 secs). Current seqnum=2
[22/Jun/2015:10:46:38 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:46:41 +0200] csngen_new_csn - Warning: too much time skew (-5645 secs). Current seqnum=3
[22/Jun/2015:10:46:41 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:46:44 +0200] csngen_new_csn - Warning: too much time skew (-5643 secs). Current seqnum=4
[22/Jun/2015:10:46:44 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:46:47 +0200] csngen_new_csn - Warning: too much time skew (-5641 secs). Current seqnum=5
[22/Jun/2015:10:46:47 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:46:51 +0200] csngen_new_csn - Warning: too much time skew (-5638 secs). Current seqnum=6
[22/Jun/2015:10:46:51 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:46:55 +0200] csngen_new_csn - Warning: too much time skew (-5635 secs). Current seqnum=7
[22/Jun/2015:10:46:55 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:46:59 +0200] csngen_new_csn - Warning: too much time skew (-5632 secs). Current seqnum=8
[22/Jun/2015:10:46:59 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:47:03 +0200] csngen_new_csn - Warning: too much time skew (-5629 secs). Current seqnum=9
[22/Jun/2015:10:47:03 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket not yet valid)) errno 2 (No such file or directory)
[22/Jun/2015:10:47:03 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[22/Jun/2015:10:47:03 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:47:06 +0200] csngen_new_csn - Warning: too much time skew (-5627 secs). Current seqnum=a
[22/Jun/2015:10:47:06 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:47:09 +0200] csngen_new_csn - Warning: too much time skew (-5625 secs). Current seqnum=b
[22/Jun/2015:10:47:09 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:47:12 +0200] csngen_new_csn - Warning: too much time skew (-5623 secs). Current seqnum=c
[22/Jun/2015:10:47:12 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:47:15 +0200] csngen_new_csn - Warning: too much time skew (-5621 secs). Current seqnum=d
[22/Jun/2015:10:47:15 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:47:19 +0200] csngen_new_csn - Warning: too much time skew (-5618 secs). Current seqnum=e
[22/Jun/2015:10:47:19 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:47:23 +0200] csngen_new_csn - Warning: too much time skew (-5615 secs). Current seqnum=f
[22/Jun/2015:10:47:23 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:47:27 +0200] csngen_new_csn - Warning: too much time skew (-5612 secs). Current seqnum=10
[22/Jun/2015:10:47:27 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:47:31 +0200] csngen_new_csn - Warning: too much time skew (-5609 secs). Current seqnum=11
[22/Jun/2015:10:47:31 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:47:35 +0200] csngen_new_csn - Warning: too much time skew (-5606 secs). Current seqnum=12
[22/Jun/2015:10:47:36 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:47:39 +0200] csngen_new_csn - Warning: too much time skew (-5603 secs). Current seqnum=13
[22/Jun/2015:10:47:39 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:47:42 +0200] csngen_new_csn - Warning: too much time skew (-5601 secs). Current seqnum=14
[22/Jun/2015:10:47:42 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:47:45 +0200] csngen_new_csn - Warning: too much time skew (-5599 secs). Current seqnum=15
[22/Jun/2015:10:47:45 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:47:48 +0200] csngen_new_csn - Warning: too much time skew (-5597 secs). Current seqnum=16
[22/Jun/2015:10:47:48 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:47:52 +0200] csngen_new_csn - Warning: too much time skew (-5594 secs). Current seqnum=17
[22/Jun/2015:10:47:52 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:47:56 +0200] csngen_new_csn - Warning: too much time skew (-5591 secs). Current seqnum=1
[22/Jun/2015:10:47:56 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:48:00 +0200] csngen_new_csn - Warning: too much time skew (-5588 secs). Current seqnum=1
[22/Jun/2015:10:48:00 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:48:04 +0200] csngen_new_csn - Warning: too much time skew (-5585 secs). Current seqnum=1
[22/Jun/2015:10:48:04 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:48:07 +0200] csngen_new_csn - Warning: too much time skew (-5583 secs). Current seqnum=1
[22/Jun/2015:10:48:07 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:48:10 +0200] csngen_new_csn - Warning: too much time skew (-5581 secs). Current seqnum=1
[22/Jun/2015:10:48:10 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:48:13 +0200] csngen_new_csn - Warning: too much time skew (-5579 secs). Current seqnum=1
[22/Jun/2015:10:48:13 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:48:16 +0200] csngen_new_csn - Warning: too much time skew (-5577 secs). Current seqnum=1
[22/Jun/2015:10:48:16 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:48:20 +0200] csngen_new_csn - Warning: too much time skew (-5574 secs). Current seqnum=1
[22/Jun/2015:10:48:20 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:48:23 +0200] csngen_new_csn - Warning: too much time skew (-5572 secs). Current seqnum=1
[22/Jun/2015:10:48:24 +0200] csngen_new_csn - Warning: too much time skew (-5572 secs). Current seqnum=1
[22/Jun/2015:10:48:24 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:48:28 +0200] csngen_new_csn - Warning: too much time skew (-5569 secs). Current seqnum=2
[22/Jun/2015:10:48:28 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:48:32 +0200] csngen_new_csn - Warning: too much time skew (-5566 secs). Current seqnum=3
[22/Jun/2015:10:48:32 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:48:36 +0200] csngen_new_csn - Warning: too much time skew (-5563 secs). Current seqnum=6
[22/Jun/2015:10:48:36 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:48:40 +0200] csngen_new_csn - Warning: too much time skew (-5560 secs). Current seqnum=7
[22/Jun/2015:10:48:40 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:48:43 +0200] csngen_new_csn - Warning: too much time skew (-5558 secs). Current seqnum=8
[22/Jun/2015:10:48:43 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:48:46 +0200] csngen_new_csn - Warning: too much time skew (-5556 secs). Current seqnum=9
[22/Jun/2015:10:48:46 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:48:49 +0200] csngen_new_csn - Warning: too much time skew (-5554 secs). Current seqnum=a
[22/Jun/2015:10:48:49 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:48:52 +0200] csngen_new_csn - Warning: too much time skew (-5552 secs). Current seqnum=b
[22/Jun/2015:10:48:52 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:48:56 +0200] csngen_new_csn - Warning: too much time skew (-5549 secs). Current seqnum=c
[22/Jun/2015:10:48:56 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:49:00 +0200] csngen_new_csn - Warning: too much time skew (-5546 secs). Current seqnum=d
[22/Jun/2015:10:49:00 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:49:04 +0200] csngen_new_csn - Warning: too much time skew (-5543 secs). Current seqnum=1
[22/Jun/2015:10:49:04 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:49:08 +0200] csngen_new_csn - Warning: too much time skew (-5540 secs). Current seqnum=1
[22/Jun/2015:10:49:08 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:49:12 +0200] csngen_new_csn - Warning: too much time skew (-5537 secs). Current seqnum=1
[22/Jun/2015:10:49:12 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:49:16 +0200] csngen_new_csn - Warning: too much time skew (-5534 secs). Current seqnum=1
[22/Jun/2015:10:49:16 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:49:19 +0200] csngen_new_csn - Warning: too much time skew (-5532 secs). Current seqnum=1
[22/Jun/2015:10:49:19 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:49:22 +0200] csngen_new_csn - Warning: too much time skew (-5530 secs). Current seqnum=1
[22/Jun/2015:10:49:22 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:49:25 +0200] csngen_new_csn - Warning: too much time skew (-5528 secs). Current seqnum=2
[22/Jun/2015:10:49:25 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:49:29 +0200] csngen_new_csn - Warning: too much time skew (-5525 secs). Current seqnum=1
[22/Jun/2015:10:49:29 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:49:33 +0200] csngen_new_csn - Warning: too much time skew (-5522 secs). Current seqnum=1
[22/Jun/2015:10:49:33 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:49:37 +0200] csngen_new_csn - Warning: too much time skew (-5519 secs). Current seqnum=1
[22/Jun/2015:10:49:37 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:49:41 +0200] csngen_new_csn - Warning: too much time skew (-5516 secs). Current seqnum=1
[22/Jun/2015:10:49:42 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:49:45 +0200] csngen_new_csn - Warning: too much time skew (-5513 secs). Current seqnum=1
[22/Jun/2015:10:49:45 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:49:48 +0200] csngen_new_csn - Warning: too much time skew (-5511 secs). Current seqnum=1
[22/Jun/2015:10:49:48 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:49:51 +0200] csngen_new_csn - Warning: too much time skew (-5509 secs).
Current seqnum=1 [22/Jun/2015:10:49:51 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:49:55 +0200] csngen_new_csn - Warning: too much time skew (-5506 secs). Current seqnum=1 [22/Jun/2015:10:49:55 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:49:59 +0200] csngen_new_csn - Warning: too much time skew (-5503 secs). Current seqnum=1 [22/Jun/2015:10:49:59 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:50:03 +0200] csngen_new_csn - Warning: too much time skew (-5500 secs). Current seqnum=1 [22/Jun/2015:10:50:03 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:50:07 +0200] csngen_new_csn - Warning: too much time skew (-5497 secs). Current seqnum=1 [22/Jun/2015:10:50:07 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:50:11 +0200] csngen_new_csn - Warning: too much time skew (-5494 secs). 
Current seqnum=1 [22/Jun/2015:10:50:12 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:50:14 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket not yet valid)) errno 2 (No such file or directory) [22/Jun/2015:10:50:14 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [22/Jun/2015:10:50:15 +0200] csngen_new_csn - Warning: too much time skew (-5491 secs). Current seqnum=1 [22/Jun/2015:10:50:15 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:50:19 +0200] csngen_new_csn - Warning: too much time skew (-5488 secs). Current seqnum=1 [22/Jun/2015:10:50:19 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:50:23 +0200] csngen_new_csn - Warning: too much time skew (-5485 secs). Current seqnum=1 [22/Jun/2015:10:50:23 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:50:27 +0200] csngen_new_csn - Warning: too much time skew (-5482 secs). 
Current seqnum=1 [22/Jun/2015:10:50:27 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:50:31 +0200] csngen_new_csn - Warning: too much time skew (-5479 secs). Current seqnum=1 [22/Jun/2015:10:50:31 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:50:35 +0200] csngen_new_csn - Warning: too much time skew (-5476 secs). Current seqnum=1 [22/Jun/2015:10:50:35 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:50:39 +0200] csngen_new_csn - Warning: too much time skew (-5473 secs). Current seqnum=1 [22/Jun/2015:10:50:40 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:50:43 +0200] csngen_new_csn - Warning: too much time skew (-5470 secs). Current seqnum=1 [22/Jun/2015:10:50:43 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:50:46 +0200] csngen_new_csn - Warning: too much time skew (-5468 secs). 
Current seqnum=1 [22/Jun/2015:10:50:46 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:50:50 +0200] csngen_new_csn - Warning: too much time skew (-5465 secs). Current seqnum=1 [22/Jun/2015:10:50:50 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:50:54 +0200] csngen_new_csn - Warning: too much time skew (-5462 secs). Current seqnum=1 [22/Jun/2015:10:50:54 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:50:58 +0200] csngen_new_csn - Warning: too much time skew (-5459 secs). Current seqnum=1 [22/Jun/2015:10:50:58 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:51:02 +0200] csngen_new_csn - Warning: too much time skew (-5456 secs). Current seqnum=1 [22/Jun/2015:10:51:02 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:51:06 +0200] csngen_new_csn - Warning: too much time skew (-5453 secs). 
Current seqnum=1 [22/Jun/2015:10:51:06 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:51:10 +0200] csngen_new_csn - Warning: too much time skew (-5450 secs). Current seqnum=1 [22/Jun/2015:10:51:10 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:51:14 +0200] csngen_new_csn - Warning: too much time skew (-5447 secs). Current seqnum=1 [22/Jun/2015:10:51:15 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:51:18 +0200] csngen_new_csn - Warning: too much time skew (-5444 secs). Current seqnum=2 [22/Jun/2015:10:51:18 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:51:21 +0200] csngen_new_csn - Warning: too much time skew (-5442 secs). Current seqnum=1 [22/Jun/2015:10:51:21 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:51:25 +0200] csngen_new_csn - Warning: too much time skew (-5439 secs). 
Current seqnum=1 [22/Jun/2015:10:51:25 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:51:29 +0200] csngen_new_csn - Warning: too much time skew (-5436 secs). Current seqnum=1 [22/Jun/2015:10:51:29 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:51:32 +0200] csngen_new_csn - Warning: too much time skew (-5434 secs). Current seqnum=1 [22/Jun/2015:10:51:33 +0200] csngen_new_csn - Warning: too much time skew (-5434 secs). Current seqnum=3 [22/Jun/2015:10:51:33 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:51:37 +0200] csngen_new_csn - Warning: too much time skew (-5431 secs). Current seqnum=4 [22/Jun/2015:10:51:37 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:51:41 +0200] csngen_new_csn - Warning: too much time skew (-5428 secs). Current seqnum=5 [22/Jun/2015:10:51:41 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:51:45 +0200] csngen_new_csn - Warning: too much time skew (-5425 secs). 
Current seqnum=6 [22/Jun/2015:10:51:45 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:51:49 +0200] csngen_new_csn - Warning: too much time skew (-5422 secs). Current seqnum=7 [22/Jun/2015:10:51:49 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:51:53 +0200] csngen_new_csn - Warning: too much time skew (-5419 secs). Current seqnum=8 [22/Jun/2015:10:51:53 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:51:57 +0200] csngen_new_csn - Warning: too much time skew (-5416 secs). Current seqnum=9 [22/Jun/2015:10:51:58 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:52:01 +0200] csngen_new_csn - Warning: too much time skew (-5413 secs). Current seqnum=a [22/Jun/2015:10:52:01 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. 
[22/Jun/2015:10:52:03 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket not yet valid)) errno 2 (No such file or directory) [22/Jun/2015:10:52:03 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [22/Jun/2015:10:52:04 +0200] csngen_new_csn - Warning: too much time skew (-5411 secs). Current seqnum=b [22/Jun/2015:10:52:04 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:52:08 +0200] csngen_new_csn - Warning: too much time skew (-5408 secs). Current seqnum=c [22/Jun/2015:10:52:08 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:52:12 +0200] csngen_new_csn - Warning: too much time skew (-5405 secs). Current seqnum=d [22/Jun/2015:10:52:12 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:52:16 +0200] csngen_new_csn - Warning: too much time skew (-5402 secs). Current seqnum=e [22/Jun/2015:10:52:16 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. 
[22/Jun/2015:10:52:20 +0200] csngen_new_csn - Warning: too much time skew (-5399 secs). Current seqnum=f [22/Jun/2015:10:52:20 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:52:24 +0200] csngen_new_csn - Warning: too much time skew (-5396 secs). Current seqnum=10 [22/Jun/2015:10:52:24 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:52:28 +0200] csngen_new_csn - Warning: too much time skew (-5393 secs). Current seqnum=11 [22/Jun/2015:10:52:28 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:52:32 +0200] csngen_new_csn - Warning: too much time skew (-5390 secs). Current seqnum=12 [22/Jun/2015:10:52:32 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:52:36 +0200] csngen_new_csn - Warning: too much time skew (-5387 secs). Current seqnum=13 [22/Jun/2015:10:52:37 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:52:41 +0200] csngen_new_csn - Warning: too much time skew (-5383 secs). 
Current seqnum=16 [22/Jun/2015:10:52:41 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:52:45 +0200] csngen_new_csn - Warning: too much time skew (-5380 secs). Current seqnum=17 [22/Jun/2015:10:52:45 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:52:49 +0200] csngen_new_csn - Warning: too much time skew (-5377 secs). Current seqnum=18 [22/Jun/2015:10:52:49 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:52:53 +0200] csngen_new_csn - Warning: too much time skew (-5374 secs). Current seqnum=19 [22/Jun/2015:10:52:53 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:52:57 +0200] csngen_new_csn - Warning: too much time skew (-5371 secs). Current seqnum=1 [22/Jun/2015:10:52:57 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:53:01 +0200] csngen_new_csn - Warning: too much time skew (-5368 secs). 
Current seqnum=1 [22/Jun/2015:10:53:01 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:53:05 +0200] csngen_new_csn - Warning: too much time skew (-5365 secs). Current seqnum=1 [22/Jun/2015:10:53:05 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:53:09 +0200] csngen_new_csn - Warning: too much time skew (-5362 secs). Current seqnum=1 [22/Jun/2015:10:53:09 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:53:12 +0200] csngen_new_csn - Warning: too much time skew (-5360 secs). Current seqnum=1 [22/Jun/2015:10:53:12 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:53:16 +0200] csngen_new_csn - Warning: too much time skew (-5357 secs). Current seqnum=1 [22/Jun/2015:10:53:16 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:53:20 +0200] csngen_new_csn - Warning: too much time skew (-5354 secs). 
Current seqnum=1 [22/Jun/2015:10:53:20 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:53:23 +0200] csngen_new_csn - Warning: too much time skew (-5352 secs). Current seqnum=1 [22/Jun/2015:10:53:24 +0200] csngen_new_csn - Warning: too much time skew (-5352 secs). Current seqnum=1 [22/Jun/2015:10:53:24 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:53:28 +0200] csngen_new_csn - Warning: too much time skew (-5349 secs). Current seqnum=2 [22/Jun/2015:10:53:28 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:53:32 +0200] csngen_new_csn - Warning: too much time skew (-5346 secs). Current seqnum=3 [22/Jun/2015:10:53:32 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:53:36 +0200] csngen_new_csn - Warning: too much time skew (-5343 secs). Current seqnum=4 [22/Jun/2015:10:53:36 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:53:40 +0200] csngen_new_csn - Warning: too much time skew (-5340 secs). 
Current seqnum=5 [22/Jun/2015:10:53:40 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:53:44 +0200] csngen_new_csn - Warning: too much time skew (-5337 secs). Current seqnum=6 [22/Jun/2015:10:53:44 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:53:48 +0200] csngen_new_csn - Warning: too much time skew (-5334 secs). Current seqnum=7 [22/Jun/2015:10:53:48 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:53:51 +0200] csngen_new_csn - Warning: too much time skew (-5332 secs). Current seqnum=8 [22/Jun/2015:10:53:51 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:53:55 +0200] csngen_new_csn - Warning: too much time skew (-5329 secs). Current seqnum=9 [22/Jun/2015:10:53:55 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:10:53:59 +0200] csngen_new_csn - Warning: too much time skew (-5326 secs). 
Current seqnum=c
[22/Jun/2015:10:53:59 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:54:03 +0200] csngen_new_csn - Warning: too much time skew (-5323 secs). Current seqnum=1
[22/Jun/2015:10:54:03 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:54:07 +0200] csngen_new_csn - Warning: too much time skew (-5320 secs). Current seqnum=1
[22/Jun/2015:10:54:07 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:54:11 +0200] csngen_new_csn - Warning: too much time skew (-5317 secs). Current seqnum=1
[22/Jun/2015:10:54:11 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:54:15 +0200] csngen_new_csn - Warning: too much time skew (-5314 secs). Current seqnum=1
[22/Jun/2015:10:54:15 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:54:19 +0200] csngen_new_csn - Warning: too much time skew (-5311 secs). Current seqnum=1
[22/Jun/2015:10:54:19 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:54:23 +0200] csngen_new_csn - Warning: too much time skew (-5308 secs). Current seqnum=1
[22/Jun/2015:10:54:24 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:54:28 +0200] csngen_new_csn - Warning: too much time skew (-5304 secs). Current seqnum=1
[22/Jun/2015:10:54:28 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:54:32 +0200] csngen_new_csn - Warning: too much time skew (-5301 secs). Current seqnum=1
[22/Jun/2015:10:54:32 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:54:36 +0200] csngen_new_csn - Warning: too much time skew (-5298 secs). Current seqnum=1
[22/Jun/2015:10:54:36 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:54:40 +0200] csngen_new_csn - Warning: too much time skew (-5295 secs). Current seqnum=1
[22/Jun/2015:10:54:40 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:54:44 +0200] csngen_new_csn - Warning: too much time skew (-5292 secs). Current seqnum=1
[22/Jun/2015:10:54:44 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:54:48 +0200] csngen_new_csn - Warning: too much time skew (-5289 secs). Current seqnum=1
[22/Jun/2015:10:54:48 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:54:52 +0200] csngen_new_csn - Warning: too much time skew (-5286 secs). Current seqnum=1
[22/Jun/2015:10:54:52 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:54:56 +0200] csngen_new_csn - Warning: too much time skew (-5283 secs). Current seqnum=1
[22/Jun/2015:10:54:56 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:55:00 +0200] csngen_new_csn - Warning: too much time skew (-5280 secs). Current seqnum=2
[22/Jun/2015:10:55:00 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:55:04 +0200] csngen_new_csn - Warning: too much time skew (-5277 secs). Current seqnum=1
[22/Jun/2015:10:55:04 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:55:08 +0200] csngen_new_csn - Warning: too much time skew (-5274 secs). Current seqnum=1
[22/Jun/2015:10:55:08 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:55:12 +0200] csngen_new_csn - Warning: too much time skew (-5271 secs). Current seqnum=1
[22/Jun/2015:10:55:12 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:55:15 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket not yet valid)) errno 2 (No such file or directory)
[22/Jun/2015:10:55:15 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[22/Jun/2015:10:55:16 +0200] csngen_new_csn - Warning: too much time skew (-5268 secs). Current seqnum=1
[22/Jun/2015:10:55:16 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:55:20 +0200] csngen_new_csn - Warning: too much time skew (-5265 secs). Current seqnum=1
[22/Jun/2015:10:55:20 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:55:24 +0200] csngen_new_csn - Warning: too much time skew (-5262 secs). Current seqnum=1
[22/Jun/2015:10:55:24 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:55:28 +0200] csngen_new_csn - Warning: too much time skew (-5259 secs). Current seqnum=1
[22/Jun/2015:10:55:28 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:55:33 +0200] csngen_new_csn - Warning: too much time skew (-5255 secs). Current seqnum=1
[22/Jun/2015:10:55:33 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:55:36 +0200] csngen_new_csn - Warning: too much time skew (-5253 secs). Current seqnum=1
[22/Jun/2015:10:55:36 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:55:39 +0200] csngen_new_csn - Warning: too much time skew (-5251 secs). Current seqnum=1
[22/Jun/2015:10:55:39 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:55:42 +0200] csngen_new_csn - Warning: too much time skew (-5249 secs). Current seqnum=1
[22/Jun/2015:10:55:42 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:55:46 +0200] csngen_new_csn - Warning: too much time skew (-5246 secs). Current seqnum=1
[22/Jun/2015:10:55:46 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:55:49 +0200] csngen_new_csn - Warning: too much time skew (-5244 secs). Current seqnum=2
[22/Jun/2015:10:55:49 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:55:52 +0200] csngen_new_csn - Warning: too much time skew (-5242 secs). Current seqnum=1
[22/Jun/2015:10:55:52 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:55:55 +0200] csngen_new_csn - Warning: too much time skew (-5240 secs). Current seqnum=1
[22/Jun/2015:10:55:55 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:55:58 +0200] csngen_new_csn - Warning: too much time skew (-5238 secs). Current seqnum=1
[22/Jun/2015:10:55:58 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:56:01 +0200] csngen_new_csn - Warning: too much time skew (-5236 secs). Current seqnum=1
[22/Jun/2015:10:56:01 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:56:04 +0200] csngen_new_csn - Warning: too much time skew (-5234 secs). Current seqnum=2
[22/Jun/2015:10:56:04 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:56:07 +0200] csngen_new_csn - Warning: too much time skew (-5232 secs). Current seqnum=1
[22/Jun/2015:10:56:07 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:56:11 +0200] csngen_new_csn - Warning: too much time skew (-5229 secs). Current seqnum=1
[22/Jun/2015:10:56:11 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:56:14 +0200] csngen_new_csn - Warning: too much time skew (-5227 secs). Current seqnum=1
[22/Jun/2015:10:56:14 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:56:17 +0200] csngen_new_csn - Warning: too much time skew (-5225 secs). Current seqnum=1
[22/Jun/2015:10:56:17 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:56:20 +0200] csngen_new_csn - Warning: too much time skew (-5223 secs). Current seqnum=2
[22/Jun/2015:10:56:20 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:56:23 +0200] csngen_new_csn - Warning: too much time skew (-5221 secs). Current seqnum=1
[22/Jun/2015:10:56:23 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:56:26 +0200] csngen_new_csn - Warning: too much time skew (-5219 secs). Current seqnum=1
[22/Jun/2015:10:56:26 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:56:29 +0200] csngen_new_csn - Warning: too much time skew (-5217 secs). Current seqnum=1
[22/Jun/2015:10:56:29 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:56:33 +0200] csngen_new_csn - Warning: too much time skew (-5214 secs). Current seqnum=1
[22/Jun/2015:10:56:34 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:56:34 +0200] csngen_new_csn - Warning: too much time skew (-5214 secs). Current seqnum=2
[22/Jun/2015:10:56:37 +0200] csngen_new_csn - Warning: too much time skew (-5212 secs). Current seqnum=1
[22/Jun/2015:10:56:37 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:56:40 +0200] csngen_new_csn - Warning: too much time skew (-5210 secs). Current seqnum=2
[22/Jun/2015:10:56:40 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:56:43 +0200] csngen_new_csn - Warning: too much time skew (-5208 secs). Current seqnum=3
[22/Jun/2015:10:56:43 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:56:46 +0200] csngen_new_csn - Warning: too much time skew (-5206 secs). Current seqnum=4
[22/Jun/2015:10:56:46 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:56:49 +0200] csngen_new_csn - Warning: too much time skew (-5204 secs). Current seqnum=5
[22/Jun/2015:10:56:49 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:56:53 +0200] csngen_new_csn - Warning: too much time skew (-5201 secs). Current seqnum=6
[22/Jun/2015:10:56:53 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:56:57 +0200] csngen_new_csn - Warning: too much time skew (-5198 secs). Current seqnum=7
[22/Jun/2015:10:56:57 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:57:00 +0200] csngen_new_csn - Warning: too much time skew (-5196 secs). Current seqnum=8
[22/Jun/2015:10:57:00 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:57:03 +0200] csngen_new_csn - Warning: too much time skew (-5194 secs). Current seqnum=9
[22/Jun/2015:10:57:03 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket not yet valid)) errno 2 (No such file or directory)
[22/Jun/2015:10:57:03 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[22/Jun/2015:10:57:03 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:57:06 +0200] csngen_new_csn - Warning: too much time skew (-5192 secs). Current seqnum=a
[22/Jun/2015:10:57:06 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:57:10 +0200] csngen_new_csn - Warning: too much time skew (-5189 secs). Current seqnum=b
[22/Jun/2015:10:57:10 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:57:13 +0200] csngen_new_csn - Warning: too much time skew (-5187 secs). Current seqnum=c
[22/Jun/2015:10:57:13 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:57:16 +0200] csngen_new_csn - Warning: too much time skew (-5185 secs). Current seqnum=d
[22/Jun/2015:10:57:16 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:57:19 +0200] csngen_new_csn - Warning: too much time skew (-5183 secs). Current seqnum=e
[22/Jun/2015:10:57:19 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:57:22 +0200] csngen_new_csn - Warning: too much time skew (-5181 secs). Current seqnum=f
[22/Jun/2015:10:57:22 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:57:25 +0200] csngen_new_csn - Warning: too much time skew (-5179 secs). Current seqnum=10
[22/Jun/2015:10:57:25 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:57:28 +0200] csngen_new_csn - Warning: too much time skew (-5177 secs). Current seqnum=11
[22/Jun/2015:10:57:28 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:57:32 +0200] csngen_new_csn - Warning: too much time skew (-5174 secs). Current seqnum=12
[22/Jun/2015:10:57:33 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:57:36 +0200] csngen_new_csn - Warning: too much time skew (-5171 secs). Current seqnum=13
[22/Jun/2015:10:57:36 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:57:39 +0200] csngen_new_csn - Warning: too much time skew (-5169 secs). Current seqnum=14
[22/Jun/2015:10:57:39 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:57:42 +0200] csngen_new_csn - Warning: too much time skew (-5167 secs). Current seqnum=15
[22/Jun/2015:10:57:42 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:57:45 +0200] csngen_new_csn - Warning: too much time skew (-5165 secs). Current seqnum=16
[22/Jun/2015:10:57:45 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:57:48 +0200] csngen_new_csn - Warning: too much time skew (-5163 secs). Current seqnum=17
[22/Jun/2015:10:57:48 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:57:51 +0200] csngen_new_csn - Warning: too much time skew (-5161 secs). Current seqnum=18
[22/Jun/2015:10:57:51 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:57:55 +0200] csngen_new_csn - Warning: too much time skew (-5158 secs). Current seqnum=19
[22/Jun/2015:10:57:55 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:57:59 +0200] csngen_new_csn - Warning: too much time skew (-5155 secs). Current seqnum=1
[22/Jun/2015:10:57:59 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:58:02 +0200] csngen_new_csn - Warning: too much time skew (-5153 secs). Current seqnum=1
[22/Jun/2015:10:58:02 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:58:05 +0200] csngen_new_csn - Warning: too much time skew (-5151 secs). Current seqnum=2
[22/Jun/2015:10:58:05 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:58:08 +0200] csngen_new_csn - Warning: too much time skew (-5149 secs). Current seqnum=1
[22/Jun/2015:10:58:08 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:58:11 +0200] csngen_new_csn - Warning: too much time skew (-5147 secs). Current seqnum=1
[22/Jun/2015:10:58:12 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:58:15 +0200] csngen_new_csn - Warning: too much time skew (-5144 secs). Current seqnum=1
[22/Jun/2015:10:58:15 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:58:18 +0200] csngen_new_csn - Warning: too much time skew (-5142 secs). Current seqnum=2
[22/Jun/2015:10:58:18 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:58:21 +0200] csngen_new_csn - Warning: too much time skew (-5140 secs). Current seqnum=1
[22/Jun/2015:10:58:21 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:58:24 +0200] csngen_new_csn - Warning: too much time skew (-5138 secs). Current seqnum=1
[22/Jun/2015:10:58:24 +0200] csngen_new_csn - Warning: too much time skew (-5139 secs). Current seqnum=1
[22/Jun/2015:10:58:24 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:58:28 +0200] csngen_new_csn - Warning: too much time skew (-5136 secs). Current seqnum=3
[22/Jun/2015:10:58:29 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:58:32 +0200] csngen_new_csn - Warning: too much time skew (-5133 secs). Current seqnum=4
[22/Jun/2015:10:58:32 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:58:35 +0200] csngen_new_csn - Warning: too much time skew (-5131 secs). Current seqnum=5
[22/Jun/2015:10:58:35 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:58:38 +0200] csngen_new_csn - Warning: too much time skew (-5129 secs). Current seqnum=6
[22/Jun/2015:10:58:38 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:58:41 +0200] csngen_new_csn - Warning: too much time skew (-5127 secs). Current seqnum=7
[22/Jun/2015:10:58:41 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:58:45 +0200] csngen_new_csn - Warning: too much time skew (-5124 secs). Current seqnum=8
[22/Jun/2015:10:58:45 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:58:49 +0200] csngen_new_csn - Warning: too much time skew (-5121 secs). Current seqnum=9
[22/Jun/2015:10:58:49 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:58:53 +0200] csngen_new_csn - Warning: too much time skew (-5118 secs). Current seqnum=a
[22/Jun/2015:10:58:53 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:58:56 +0200] csngen_new_csn - Warning: too much time skew (-5116 secs). Current seqnum=b
[22/Jun/2015:10:58:56 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:58:59 +0200] csngen_new_csn - Warning: too much time skew (-5114 secs). Current seqnum=c
[22/Jun/2015:10:58:59 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:59:02 +0200] csngen_new_csn - Warning: too much time skew (-5112 secs). Current seqnum=d
[22/Jun/2015:10:59:02 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:59:05 +0200] csngen_new_csn - Warning: too much time skew (-5110 secs). Current seqnum=1
[22/Jun/2015:10:59:05 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:59:08 +0200] csngen_new_csn - Warning: too much time skew (-5108 secs). Current seqnum=1
[22/Jun/2015:10:59:08 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:59:12 +0200] csngen_new_csn - Warning: too much time skew (-5105 secs). Current seqnum=1
[22/Jun/2015:10:59:12 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:59:16 +0200] csngen_new_csn - Warning: too much time skew (-5102 secs). Current seqnum=1
[22/Jun/2015:10:59:17 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:59:20 +0200] csngen_new_csn - Warning: too much time skew (-5099 secs). Current seqnum=1
[22/Jun/2015:10:59:20 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:59:23 +0200] csngen_new_csn - Warning: too much time skew (-5097 secs). Current seqnum=1
[22/Jun/2015:10:59:23 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:59:26 +0200] csngen_new_csn - Warning: too much time skew (-5095 secs). Current seqnum=1
[22/Jun/2015:10:59:26 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:59:30 +0200] csngen_new_csn - Warning: too much time skew (-5092 secs). Current seqnum=1
[22/Jun/2015:10:59:30 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:59:34 +0200] csngen_new_csn - Warning: too much time skew (-5089 secs). Current seqnum=1
[22/Jun/2015:10:59:34 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:59:38 +0200] csngen_new_csn - Warning: too much time skew (-5086 secs). Current seqnum=1
[22/Jun/2015:10:59:38 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:59:41 +0200] csngen_new_csn - Warning: too much time skew (-5084 secs). Current seqnum=1
[22/Jun/2015:10:59:41 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:59:44 +0200] csngen_new_csn - Warning: too much time skew (-5082 secs). Current seqnum=1
[22/Jun/2015:10:59:44 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:59:47 +0200] csngen_new_csn - Warning: too much time skew (-5080 secs). Current seqnum=1
[22/Jun/2015:10:59:47 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:59:51 +0200] csngen_new_csn - Warning: too much time skew (-5077 secs). Current seqnum=1
[22/Jun/2015:10:59:51 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:59:55 +0200] csngen_new_csn - Warning: too much time skew (-5074 secs). Current seqnum=1
[22/Jun/2015:10:59:55 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[22/Jun/2015:10:59:59 +0200] csngen_new_csn - Warning: too much time skew (-5071 secs).
Current seqnum=1 [22/Jun/2015:10:59:59 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:11:00:03 +0200] csngen_new_csn - Warning: too much time skew (-5068 secs). Current seqnum=1 [22/Jun/2015:11:00:04 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:11:00:07 +0200] csngen_new_csn - Warning: too much time skew (-5065 secs). Current seqnum=1 [22/Jun/2015:11:00:07 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:11:00:10 +0200] csngen_new_csn - Warning: too much time skew (-5063 secs). Current seqnum=1 [22/Jun/2015:11:00:10 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:11:00:13 +0200] csngen_new_csn - Warning: too much time skew (-5061 secs). Current seqnum=1 [22/Jun/2015:11:00:13 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. 
[22/Jun/2015:11:00:14 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket not yet valid)) errno 2 (No such file or directory) [22/Jun/2015:11:00:14 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [22/Jun/2015:11:00:17 +0200] csngen_new_csn - Warning: too much time skew (-5058 secs). Current seqnum=1 [22/Jun/2015:11:00:17 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:11:00:21 +0200] csngen_new_csn - Warning: too much time skew (-5055 secs). Current seqnum=1 [22/Jun/2015:11:00:21 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:11:00:24 +0200] csngen_new_csn - Warning: too much time skew (-5053 secs). Current seqnum=1 [22/Jun/2015:11:00:24 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:11:00:27 +0200] csngen_new_csn - Warning: too much time skew (-5051 secs). Current seqnum=1 [22/Jun/2015:11:00:27 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. 
[22/Jun/2015:11:00:30 +0200] csngen_new_csn - Warning: too much time skew (-5049 secs). Current seqnum=1 [22/Jun/2015:11:00:30 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:11:00:33 +0200] csngen_new_csn - Warning: too much time skew (-5047 secs). Current seqnum=1 [22/Jun/2015:11:00:33 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [22/Jun/2015:11:00:37 +0200] csngen_new_csn - Warning: too much time skew (-5044 secs). Current seqnum=1 [22/Jun/2015:11:00:37 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-056.idm.lab.eng.brq.redhat.com" (vm-056:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. 
ofayans at dhcp130-215:~/work/current/TopologyPlugin]$ ./deploy.sh f22builder
Removing old local storage
copying new packages from the builder host
freeipa-admintools-4.2.0.201506191149GITacbf0a1-0.fc22.x86_64.rpm 100% 27KB 26.9KB/s 00:00
freeipa-client-4.2.0.201506191149GITacbf0a1-0.fc22.x86_64.rpm 100% 163KB 163.0KB/s 00:00
freeipa-debuginfo-4.2.0.201506191149GITacbf0a1-0.fc22.x86_64.rpm 100% 1062KB 1.0MB/s 00:00
freeipa-python-4.2.0.201506191149GITacbf0a1-0.fc22.x86_64.rpm 100% 1275KB 1.3MB/s 00:00
freeipa-server-4.2.0.201506191149GITacbf0a1-0.fc22.x86_64.rpm 100% 1224KB 1.2MB/s 00:00
freeipa-server-trust-ad-4.2.0.201506191149GITacbf0a1-0.fc22.x86_64.rpm 100% 114KB 114.0KB/s 00:00
freeipa-tests-4.2.0.201506191149GITacbf0a1-0.fc22.x86_64.rpm 100% 664KB 663.8KB/s 00:00
removing old packages from vm-069.idm.lab.eng.brq.redhat.com
./deploy.sh: line 36: ipa-server-install: command not found
copying new packages to vm-069.idm.lab.eng.brq.redhat.com
freeipa-python-4.2.0.201506191149GITacbf0a1-0.fc22.x86_64.rpm 100% 1275KB 1.3MB/s 00:00
freeipa-debuginfo-4.2.0.201506191149GITacbf0a1-0.fc22.x86_64.rpm 100% 1062KB 1.0MB/s 00:00
freeipa-admintools-4.2.0.201506191149GITacbf0a1-0.fc22.x86_64.rpm 100% 27KB 26.9KB/s 00:00
freeipa-client-4.2.0.201506191149GITacbf0a1-0.fc22.x86_64.rpm 100% 163KB 163.0KB/s 00:00
freeipa-server-trust-ad-4.2.0.201506191149GITacbf0a1-0.fc22.x86_64.rpm 100% 114KB 114.0KB/s 00:00
freeipa-tests-4.2.0.201506191149GITacbf0a1-0.fc22.x86_64.rpm 100% 664KB 663.8KB/s 00:00
freeipa-server-4.2.0.201506191149GITacbf0a1-0.fc22.x86_64.rpm 100% 1224KB 1.2MB/s 00:00
upgrading installed packages on vm-069.idm.lab.eng.brq.redhat.com
Preparing... ########################################
package freeipa-python-4.2.0.201506191149GITacbf0a1-0.fc22.x86_64 is already installed
package freeipa-client-4.2.0.201506191149GITacbf0a1-0.fc22.x86_64 is already installed
package freeipa-admintools-4.2.0.201506191149GITacbf0a1-0.fc22.x86_64 is already installed
package freeipa-server-4.2.0.201506191149GITacbf0a1-0.fc22.x86_64 is already installed
package freeipa-server-trust-ad-4.2.0.201506191149GITacbf0a1-0.fc22.x86_64 is already installed
package freeipa-tests-4.2.0.201506191149GITacbf0a1-0.fc22.x86_64 is already installed
package freeipa-debuginfo-4.2.0.201506191149GITacbf0a1-0.fc22.x86_64 is already installed
removing old packages from vm-127.idm.lab.eng.brq.redhat.com
The authenticity of host 'vm-127.idm.lab.eng.brq.redhat.com (2620:52:0:222f:21a:4aff:fe22:2131)' can't be established.
ECDSA key fingerprint is b2:79:ed:4b:94:11:03:94:e2:61:07:2c:ea:a4:87:bf.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'vm-127.idm.lab.eng.brq.redhat.com,2620:52:0:222f:21a:4aff:fe22:2131' (ECDSA) to the list of known hosts.
./deploy.sh: line 36: ipa-server-install: command not found
copying new packages to vm-127.idm.lab.eng.brq.redhat.com
freeipa-python-4.2.0.201506191149GITacbf0a1-0.fc22.x86_64.rpm 100% 1275KB 1.3MB/s 00:00
freeipa-debuginfo-4.2.0.201506191149GITacbf0a1-0.fc22.x86_64.rpm 100% 1062KB 1.0MB/s 00:00
freeipa-admintools-4.2.0.201506191149GITacbf0a1-0.fc22.x86_64.rpm 100% 27KB 26.9KB/s 00:00
freeipa-client-4.2.0.201506191149GITacbf0a1-0.fc22.x86_64.rpm 100% 163KB 163.0KB/s 00:00
freeipa-server-trust-ad-4.2.0.201506191149GITacbf0a1-0.fc22.x86_64.rpm 100% 114KB 114.0KB/s 00:00
freeipa-tests-4.2.0.201506191149GITacbf0a1-0.fc22.x86_64.rpm 100% 664KB 663.8KB/s 00:00
freeipa-server-4.2.0.201506191149GITacbf0a1-0.fc22.x86_64.rpm 100% 1224KB 1.2MB/s 00:00
upgrading installed packages on vm-127.idm.lab.eng.brq.redhat.com
Preparing... ########################################
Updating / installing...
freeipa-python-4.2.0.201506191149GITac########################################
freeipa-client-4.2.0.201506191149GITac########################################
freeipa-admintools-4.2.0.201506191149G########################################
freeipa-server-4.2.0.201506191149GITac########################################
freeipa-server-trust-ad-4.2.0.20150619########################################
freeipa-tests-4.2.0.201506191149GITacb########################################
freeipa-debuginfo-4.2.0.201506191149GI########################################
Cleaning up / removing...
freeipa-tests-4.1.99.201506171234GIT69########################################
freeipa-debuginfo-4.1.99.201506171234G########################################
freeipa-server-trust-ad-4.1.99.2015061########################################
freeipa-server-4.1.99.201506171234GIT6########################################
freeipa-admintools-4.1.99.201506171234########################################
freeipa-client-4.1.99.201506171234GIT6########################################
freeipa-python-4.1.99.201506171234GIT6########################################
Unexpected error - see /var/log/ipaupgrade.log for details: SkipPluginModule: dogtag not selected as RA plugin
removing old packages from vm-175.idm.lab.eng.brq.redhat.com
The authenticity of host 'vm-175.idm.lab.eng.brq.redhat.com (2620:52:0:222f:21a:4aff:fe22:2134)' can't be established.
ECDSA key fingerprint is b2:79:ed:4b:94:11:03:94:e2:61:07:2c:ea:a4:87:bf.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'vm-175.idm.lab.eng.brq.redhat.com,2620:52:0:222f:21a:4aff:fe22:2134' (ECDSA) to the list of known hosts.
./deploy.sh: line 36: ipa-server-install: command not found
copying new packages to vm-175.idm.lab.eng.brq.redhat.com
freeipa-python-4.2.0.201506191149GITacbf0a1-0.fc22.x86_64.rpm 100% 1275KB 1.3MB/s 00:00
freeipa-debuginfo-4.2.0.201506191149GITacbf0a1-0.fc22.x86_64.rpm 100% 1062KB 1.0MB/s 00:00
freeipa-admintools-4.2.0.201506191149GITacbf0a1-0.fc22.x86_64.rpm 100% 27KB 26.9KB/s 00:00
freeipa-client-4.2.0.201506191149GITacbf0a1-0.fc22.x86_64.rpm 100% 163KB 163.0KB/s 00:00
freeipa-server-trust-ad-4.2.0.201506191149GITacbf0a1-0.fc22.x86_64.rpm 100% 114KB 114.0KB/s 00:00
freeipa-tests-4.2.0.201506191149GITacbf0a1-0.fc22.x86_64.rpm 100% 664KB 663.8KB/s 00:00
freeipa-server-4.2.0.201506191149GITacbf0a1-0.fc22.x86_64.rpm 100% 1224KB 1.2MB/s 00:00
upgrading installed packages on vm-175.idm.lab.eng.brq.redhat.com
Preparing... ########################################
Updating / installing...
freeipa-python-4.2.0.201506191149GITac########################################
freeipa-client-4.2.0.201506191149GITac########################################
freeipa-admintools-4.2.0.201506191149G########################################
freeipa-server-4.2.0.201506191149GITac########################################
freeipa-server-trust-ad-4.2.0.20150619########################################
freeipa-tests-4.2.0.201506191149GITacb########################################
freeipa-debuginfo-4.2.0.201506191149GI########################################
Cleaning up / removing...
freeipa-tests-4.1.99.201506171234GIT69########################################
freeipa-debuginfo-4.1.99.201506171234G########################################
freeipa-server-trust-ad-4.1.99.2015061########################################
freeipa-server-4.1.99.201506171234GIT6########################################
freeipa-admintools-4.1.99.201506171234########################################
freeipa-client-4.1.99.201506171234GIT6########################################
freeipa-python-4.1.99.201506171234GIT6########################################
Unexpected error - see /var/log/ipaupgrade.log for details: SkipPluginModule: dogtag not selected as RA plugin
removing old packages from vm-056.idm.lab.eng.brq.redhat.com
The authenticity of host 'vm-056.idm.lab.eng.brq.redhat.com (2620:52:0:222f:21a:4aff:fe22:2136)' can't be established.
ECDSA key fingerprint is b2:79:ed:4b:94:11:03:94:e2:61:07:2c:ea:a4:87:bf.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'vm-056.idm.lab.eng.brq.redhat.com,2620:52:0:222f:21a:4aff:fe22:2136' (ECDSA) to the list of known hosts.
./deploy.sh: line 36: ipa-server-install: command not found
copying new packages to vm-056.idm.lab.eng.brq.redhat.com
freeipa-python-4.2.0.201506191149GITacbf0a1-0.fc22.x86_64.rpm 100% 1275KB 1.3MB/s 00:00
freeipa-debuginfo-4.2.0.201506191149GITacbf0a1-0.fc22.x86_64.rpm 100% 1062KB 1.0MB/s 00:00
freeipa-admintools-4.2.0.201506191149GITacbf0a1-0.fc22.x86_64.rpm 100% 27KB 26.9KB/s 00:00
freeipa-client-4.2.0.201506191149GITacbf0a1-0.fc22.x86_64.rpm 100% 163KB 163.0KB/s 00:00
freeipa-server-trust-ad-4.2.0.201506191149GITacbf0a1-0.fc22.x86_64.rpm 100% 114KB 114.0KB/s 00:00
freeipa-tests-4.2.0.201506191149GITacbf0a1-0.fc22.x86_64.rpm 100% 664KB 663.8KB/s 00:00
freeipa-server-4.2.0.201506191149GITacbf0a1-0.fc22.x86_64.rpm 100% 1224KB 1.2MB/s 00:00
upgrading installed packages on vm-056.idm.lab.eng.brq.redhat.com
Preparing... ########################################
Updating / installing...
freeipa-python-4.2.0.201506191149GITac########################################
freeipa-client-4.2.0.201506191149GITac########################################
freeipa-admintools-4.2.0.201506191149G########################################
freeipa-server-4.2.0.201506191149GITac########################################
freeipa-server-trust-ad-4.2.0.20150619########################################
freeipa-tests-4.2.0.201506191149GITacb########################################
freeipa-debuginfo-4.2.0.201506191149GI########################################
Cleaning up / removing...
freeipa-tests-4.1.99.201506171234GIT69########################################
freeipa-debuginfo-4.1.99.201506171234G########################################
freeipa-server-trust-ad-4.1.99.2015061########################################
freeipa-server-4.1.99.201506171234GIT6########################################
freeipa-admintools-4.1.99.201506171234########################################
freeipa-client-4.1.99.201506171234GIT6########################################
freeipa-python-4.1.99.201506171234GIT6########################################
Unexpected error - see /var/log/ipaupgrade.log for details: SkipPluginModule: dogtag not selected as RA plugin
The log file for this installation can be found in /var/log/ipaserver-install.log
ipa.ipapython.install.cli.install_tool(Server): ERROR IPA server is already configured on this system.
If you want to reinstall the IPA server, please uninstall it first using 'ipa-server-install --uninstall'.
Preparing replica for vm-127.idm.lab.eng.brq.redhat.com from vm-069.idm.lab.eng.brq.redhat.com
Creating SSL certificate for the Directory Server
Creating SSL certificate for the dogtag Directory Server
Saving dogtag Directory Server port
Creating SSL certificate for the Web Server
Exporting RA certificate
Copying additional files
Finalizing configuration
Packaging replica information into /var/lib/ipa/replica-info-vm-127.idm.lab.eng.brq.redhat.com.gpg
Adding DNS records for vm-127.idm.lab.eng.brq.redhat.com
The ipa-replica-prepare command was successful
Preparing replica for vm-175.idm.lab.eng.brq.redhat.com from vm-069.idm.lab.eng.brq.redhat.com
Creating SSL certificate for the Directory Server
Creating SSL certificate for the dogtag Directory Server
Saving dogtag Directory Server port
Creating SSL certificate for the Web Server
Exporting RA certificate
Copying additional files
Finalizing configuration
Packaging replica information into /var/lib/ipa/replica-info-vm-175.idm.lab.eng.brq.redhat.com.gpg
Adding DNS records for vm-175.idm.lab.eng.brq.redhat.com
The ipa-replica-prepare command was successful
Preparing replica for vm-056.idm.lab.eng.brq.redhat.com from vm-069.idm.lab.eng.brq.redhat.com
Creating SSL certificate for the Directory Server
Creating SSL certificate for the dogtag Directory Server
Saving dogtag Directory Server port
Creating SSL certificate for the Web Server
Exporting RA certificate
Copying additional files
Finalizing configuration
Packaging replica information into /var/lib/ipa/replica-info-vm-056.idm.lab.eng.brq.redhat.com.gpg
Adding DNS records for vm-056.idm.lab.eng.brq.redhat.com
The ipa-replica-prepare command was successful
Warning: Permanently added 'vm-127.idm.lab.eng.brq.redhat.com' (ECDSA) to the list of known hosts.
Warning: Permanently added 'vm-175.idm.lab.eng.brq.redhat.com' (ECDSA) to the list of known hosts.
Warning: Permanently added 'vm-056.idm.lab.eng.brq.redhat.com' (ECDSA) to the list of known hosts.
Check connection from replica to remote master 'vm-069.idm.lab.eng.brq.redhat.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
The following list of ports use UDP protocol and would need to be checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED
Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
Check SSH connection to remote master
Execute check on remote master
Check connection from master to remote replica 'vm-127.idm.lab.eng.brq.redhat.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
Connection from master to replica is OK.
Adding [2620:52:0:222f:21a:4aff:fe22:2131 vm-127.idm.lab.eng.brq.redhat.com] to your /etc/hosts file
Adding [10.34.47.127 vm-127.idm.lab.eng.brq.redhat.com] to your /etc/hosts file
Checking DNS forwarders, please wait ...
Using reverse zone(s) f.2.2.2.0.0.0.0.2.5.0.0.0.2.6.2.ip6.arpa., 47.34.10.in-addr.arpa.
Run connection check to master
Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv).
Estimated time: 1 minute
  [1/37]: creating directory server user
  [2/37]: creating directory server instance
  [3/37]: adding default schema
  [4/37]: enabling memberof plugin
  [5/37]: enabling winsync plugin
  [6/37]: configuring replication version plugin
  [7/37]: enabling IPA enrollment plugin
  [8/37]: enabling ldapi
  [9/37]: configuring uniqueness plugin
  [10/37]: configuring uuid plugin
  [11/37]: configuring modrdn plugin
  [12/37]: configuring DNS plugin
  [13/37]: enabling entryUSN plugin
  [14/37]: configuring lockout plugin
  [15/37]: configuring topology plugin
  [16/37]: creating indices
  [17/37]: enabling referential integrity plugin
  [18/37]: configuring ssl for ds instance
  [19/37]: configuring certmap.conf
  [20/37]: configure autobind for root
  [21/37]: configure new location for managed entries
  [22/37]: configure dirsrv ccache
  [23/37]: enable SASL mapping fallback
  [24/37]: restarting directory server
  [25/37]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 6 seconds elapsed
Update succeeded
  [26/37]: updating schema
  [27/37]: setting Auto Member configuration
  [28/37]: enabling S4U2Proxy delegation
  [29/37]: importing CA certificates from LDAP
  [30/37]: initializing group membership
  [31/37]: adding master entry
  [32/37]: initializing domain level
  [33/37]: configuring Posix uid/gid generation
  [34/37]: adding replication acis
  [35/37]: enabling compatibility plugin
  [36/37]: tuning directory server
  [37/37]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd).
Estimated time: 3 minutes 30 seconds
  [1/17]: creating certificate server user
  [2/17]: configuring certificate server instance
  [3/17]: stopping certificate server instance to update CS.cfg
  [4/17]: backing up CS.cfg
  [5/17]: disabling nonces
  [6/17]: set up CRL publishing
  [7/17]: enable PKIX certificate path discovery and validation
  [8/17]: starting certificate server instance
  [9/17]: creating RA agent certificate database
  [10/17]: importing CA chain to RA certificate database
  [11/17]: fixing RA database permissions
  [12/17]: setting up signing cert profile
  [13/17]: setting audit signing renewal to 2 years
  [14/17]: configure certmonger for renewals
  [15/17]: configure certificate renewals
  [16/17]: configure Server-Cert certificate renewal
  [17/17]: Configure HTTP to proxy connections
Done configuring certificate server (pki-tomcatd).
Restarting the directory and certificate servers
Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
  [1/8]: adding sasl mappings to the directory
  [2/8]: configuring KDC
  [3/8]: creating a keytab for the directory
  [4/8]: creating a keytab for the machine
  [5/8]: adding the password extension to the directory
  [6/8]: enable GSSAPI for replication
  [7/8]: starting the KDC
  [8/8]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached
  [2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring the web interface (httpd).
Estimated time: 1 minute
  [1/15]: setting mod_nss port to 443
  [2/15]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [3/15]: setting mod_nss password file
  [4/15]: enabling mod_nss renegotiate
  [5/15]: adding URL rewriting rules
  [6/15]: configuring httpd
  [7/15]: configure certmonger for renewals
  [8/15]: setting up ssl
  [9/15]: importing CA certificates from LDAP
  [10/15]: publish CA cert
  [11/15]: creating a keytab for httpd
  [12/15]: clean up any existing httpd ccache
  [13/15]: configuring SELinux for httpd
  [14/15]: restarting httpd
  [15/15]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Configuring ipa-otpd
  [1/2]: starting ipa-otpd
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Applying LDAP updates
Upgrading IPA:
  [1/9]: stopping directory server
  [2/9]: saving configuration
  [3/9]: disabling listeners
  [4/9]: enabling DS global lock
  [5/9]: starting directory server
  [6/9]: upgrading server
  [7/9]: stopping directory server
  [8/9]: restoring configuration
  [9/9]: starting directory server
Done.
Restarting the directory server
Restarting the KDC
Configuring DNS (named)
  [1/9]: generating rndc key file
WARNING: Your system is running out of entropy, you may experience long delays
  [2/9]: setting up reverse zone
  [3/9]: setting up our own record
  [4/9]: adding NS record to the zones
  [5/9]: setting up CA record
  [6/9]: setting up kerberos principal
  [7/9]: setting up named.conf
  [8/9]: configuring named to start on boot
  [9/9]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Configuring DNS key synchronization service (ipa-dnskeysyncd)
  [1/7]: checking status
  [2/7]: setting up bind-dyndb-ldap working directory
  [3/7]: setting up kerberos principal
  [4/7]: setting up SoftHSM
  [5/7]: adding DNSSEC containers
  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that would override settings in local named.conf files
Restarting the web server
==================================================================================
Check connection from replica to remote master 'vm-069.idm.lab.eng.brq.redhat.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
The following list of ports use UDP protocol and would need to be checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED
Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
Check SSH connection to remote master
Execute check on remote master
Check connection from master to remote replica 'vm-175.idm.lab.eng.brq.redhat.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
Connection from master to replica is OK.
Adding [2620:52:0:222f:21a:4aff:fe22:2134 vm-175.idm.lab.eng.brq.redhat.com] to your /etc/hosts file
Adding [10.34.47.175 vm-175.idm.lab.eng.brq.redhat.com] to your /etc/hosts file
Checking DNS forwarders, please wait ...
Using reverse zone(s) f.2.2.2.0.0.0.0.2.5.0.0.0.2.6.2.ip6.arpa., 47.34.10.in-addr.arpa.
Run connection check to master
Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv).
Estimated time: 1 minute
  [1/37]: creating directory server user
  [2/37]: creating directory server instance
  [3/37]: adding default schema
  [4/37]: enabling memberof plugin
  [5/37]: enabling winsync plugin
  [6/37]: configuring replication version plugin
  [7/37]: enabling IPA enrollment plugin
  [8/37]: enabling ldapi
  [9/37]: configuring uniqueness plugin
  [10/37]: configuring uuid plugin
  [11/37]: configuring modrdn plugin
  [12/37]: configuring DNS plugin
  [13/37]: enabling entryUSN plugin
  [14/37]: configuring lockout plugin
  [15/37]: configuring topology plugin
  [16/37]: creating indices
  [17/37]: enabling referential integrity plugin
  [18/37]: configuring ssl for ds instance
  [19/37]: configuring certmap.conf
  [20/37]: configure autobind for root
  [21/37]: configure new location for managed entries
  [22/37]: configure dirsrv ccache
  [23/37]: enable SASL mapping fallback
  [24/37]: restarting directory server
  [25/37]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 8 seconds elapsed
Update succeeded
  [26/37]: updating schema
  [27/37]: setting Auto Member configuration
  [28/37]: enabling S4U2Proxy delegation
  [29/37]: importing CA certificates from LDAP
  [30/37]: initializing group membership
  [31/37]: adding master entry
  [32/37]: initializing domain level
  [33/37]: configuring Posix uid/gid generation
  [34/37]: adding replication acis
  [35/37]: enabling compatibility plugin
  [36/37]: tuning directory server
  [37/37]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd).
Estimated time: 3 minutes 30 seconds
  [1/17]: creating certificate server user
  [2/17]: configuring certificate server instance
  [3/17]: stopping certificate server instance to update CS.cfg
  [4/17]: backing up CS.cfg
  [5/17]: disabling nonces
  [6/17]: set up CRL publishing
  [7/17]: enable PKIX certificate path discovery and validation
  [8/17]: starting certificate server instance
  [9/17]: creating RA agent certificate database
  [10/17]: importing CA chain to RA certificate database
  [11/17]: fixing RA database permissions
  [12/17]: setting up signing cert profile
  [13/17]: setting audit signing renewal to 2 years
  [14/17]: configure certmonger for renewals
  [15/17]: configure certificate renewals
  [16/17]: configure Server-Cert certificate renewal
  [17/17]: Configure HTTP to proxy connections
Done configuring certificate server (pki-tomcatd).
Restarting the directory and certificate servers
Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
  [1/8]: adding sasl mappings to the directory
  [2/8]: configuring KDC
  [3/8]: creating a keytab for the directory
  [4/8]: creating a keytab for the machine
  [5/8]: adding the password extension to the directory
  [6/8]: enable GSSAPI for replication
  [7/8]: starting the KDC
  [8/8]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached
  [2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring the web interface (httpd).
Estimated time: 1 minute [1/15]: setting mod_nss port to 443 [2/15]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2 [3/15]: setting mod_nss password file [4/15]: enabling mod_nss renegotiate [5/15]: adding URL rewriting rules [6/15]: configuring httpd [7/15]: configure certmonger for renewals [8/15]: setting up ssl [9/15]: importing CA certificates from LDAP [10/15]: publish CA cert [11/15]: creating a keytab for httpd [12/15]: clean up any existing httpd ccache [13/15]: configuring SELinux for httpd [14/15]: restarting httpd [15/15]: configuring httpd to start on boot Done configuring the web interface (httpd). Configuring ipa-otpd [1/2]: starting ipa-otpd [2/2]: configuring ipa-otpd to start on boot Done configuring ipa-otpd. Applying LDAP updates Upgrading IPA: [1/9]: stopping directory server [2/9]: saving configuration [3/9]: disabling listeners [4/9]: enabling DS global lock [5/9]: starting directory server [6/9]: upgrading server [7/9]: stopping directory server [8/9]: restoring configuration [9/9]: starting directory server Done. Restarting the directory server Restarting the KDC Configuring DNS (named) [1/9]: generating rndc key file WARNING: Your system is running out of entropy, you may experience long delays [2/9]: setting up reverse zone [3/9]: setting up our own record [4/9]: adding NS record to the zones [5/9]: setting up CA record [6/9]: setting up kerberos principal [7/9]: setting up named.conf [8/9]: configuring named to start on boot [9/9]: changing resolv.conf to point to ourselves Done configuring DNS (named). Configuring DNS key synchronization service (ipa-dnskeysyncd) [1/7]: checking status [2/7]: setting up bind-dyndb-ldap working directory [3/7]: setting up kerberos principal [4/7]: setting up SoftHSM [5/7]: adding DNSSEC containers [6/7]: creating replica keys [7/7]: configuring ipa-dnskeysyncd to start on boot Done configuring DNS key synchronization service (ipa-dnskeysyncd). 
Restarting ipa-dnskeysyncd Restarting named Global DNS configuration in LDAP server is empty You can use 'dnsconfig-mod' command to set global DNS options that would override settings in local named.conf files Restarting the web server ================================================================================== Check connection from replica to remote master 'vm-069.idm.lab.eng.brq.redhat.com': Directory Service: Unsecure port (389): OK Directory Service: Secure port (636): OK Kerberos KDC: TCP (88): OK Kerberos Kpasswd: TCP (464): OK HTTP Server: Unsecure port (80): OK HTTP Server: Secure port (443): OK The following list of ports use UDP protocol and would need to be checked manually: Kerberos KDC: UDP (88): SKIPPED Kerberos Kpasswd: UDP (464): SKIPPED Connection from replica to master is OK. Start listening on required ports for remote master check Get credentials to log in to remote master Check SSH connection to remote master Execute check on remote master Check connection from master to remote replica 'vm-056.idm.lab.eng.brq.redhat.com': Directory Service: Unsecure port (389): OK Directory Service: Secure port (636): OK Kerberos KDC: TCP (88): OK Kerberos KDC: UDP (88): OK Kerberos Kpasswd: TCP (464): OK Kerberos Kpasswd: UDP (464): OK HTTP Server: Unsecure port (80): OK HTTP Server: Secure port (443): OK Connection from master to replica is OK. Adding [2620:52:0:222f:21a:4aff:fe22:2136 vm-056.idm.lab.eng.brq.redhat.com] to your /etc/hosts file Adding [10.34.47.56 vm-056.idm.lab.eng.brq.redhat.com] to your /etc/hosts file Checking DNS forwarders, please wait ... Using reverse zone(s) f.2.2.2.0.0.0.0.2.5.0.0.0.2.6.2.ip6.arpa., 47.34.10.in-addr.arpa. Run connection check to master Connection check OK Configuring NTP daemon (ntpd) [1/4]: stopping ntpd [2/4]: writing configuration [3/4]: configuring ntpd to start on boot [4/4]: starting ntpd Done configuring NTP daemon (ntpd). Configuring directory server (dirsrv). 
Estimated time: 1 minute [1/37]: creating directory server user [2/37]: creating directory server instance [3/37]: adding default schema [4/37]: enabling memberof plugin [5/37]: enabling winsync plugin [6/37]: configuring replication version plugin [7/37]: enabling IPA enrollment plugin [8/37]: enabling ldapi [9/37]: configuring uniqueness plugin [10/37]: configuring uuid plugin [11/37]: configuring modrdn plugin [12/37]: configuring DNS plugin [13/37]: enabling entryUSN plugin [14/37]: configuring lockout plugin [15/37]: configuring topology plugin [16/37]: creating indices [17/37]: enabling referential integrity plugin [18/37]: configuring ssl for ds instance [19/37]: configuring certmap.conf [20/37]: configure autobind for root [21/37]: configure new location for managed entries [22/37]: configure dirsrv ccache [23/37]: enable SASL mapping fallback [24/37]: restarting directory server [25/37]: setting up initial replication Starting replication, please wait until this has completed. Update in progress, 7 seconds elapsed Update succeeded [26/37]: updating schema [27/37]: setting Auto Member configuration [28/37]: enabling S4U2Proxy delegation [29/37]: importing CA certificates from LDAP [30/37]: initializing group membership [31/37]: adding master entry [32/37]: initializing domain level [33/37]: configuring Posix uid/gid generation [34/37]: adding replication acis [35/37]: enabling compatibility plugin [36/37]: tuning directory server [37/37]: configuring directory to start on boot Done configuring directory server (dirsrv). Configuring certificate server (pki-tomcatd). 
Estimated time: 3 minutes 30 seconds [1/17]: creating certificate server user [2/17]: configuring certificate server instance [3/17]: stopping certificate server instance to update CS.cfg [4/17]: backing up CS.cfg [5/17]: disabling nonces [6/17]: set up CRL publishing [7/17]: enable PKIX certificate path discovery and validation [8/17]: starting certificate server instance [9/17]: creating RA agent certificate database [10/17]: importing CA chain to RA certificate database [11/17]: fixing RA database permissions [12/17]: setting up signing cert profile [13/17]: setting audit signing renewal to 2 years [14/17]: configure certmonger for renewals [15/17]: configure certificate renewals [16/17]: configure Server-Cert certificate renewal [17/17]: Configure HTTP to proxy connections Done configuring certificate server (pki-tomcatd). Restarting the directory and certificate servers Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds [1/8]: adding sasl mappings to the directory [2/8]: configuring KDC [3/8]: creating a keytab for the directory [4/8]: creating a keytab for the machine [5/8]: adding the password extension to the directory [6/8]: enable GSSAPI for replication [error] RuntimeError: One of the ldap service principals is missing. Replication agreement cannot be converted. Replication error message: Replication error acquiring replica: unknown error - Replica has different database generation ID, remote replica may need to be initialized ipa.ipapython.install.cli.install_tool(Replica): ERROR One of the ldap service principals is missing. Replication agreement cannot be converted. Replication error message: Replication error acquiring replica: unknown error - Replica has different database generation ID, remote replica may need to be initialized Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. From lkrispen at redhat.com Mon Jun 22 09:28:05 2015 
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Mon, 22 Jun 2015 11:28:05 +0200
Subject: [Freeipa-devel] LDAP errors in the dirsrv logs during replica preparation
In-Reply-To: <5587CED3.2000107@redhat.com>
References: <558426BD.5090402@redhat.com> <558430CB.4010703@redhat.com> <5587CDDE.6060904@redhat.com> <5587CED3.2000107@redhat.com>
Message-ID: <5587D525.9040006@redhat.com>

Hi Oleg,

don't know if it is relevant for the current problem, but maybe you should address this warning:

Configuring DNS (named)
[1/9]: generating rndc key file
WARNING: Your system is running out of entropy, you may experience long delays

Ludwig

On 06/22/2015 11:01 AM, Oleg Fayans wrote:
> Here is the session transcript, together with the directory server
> logs from master
>
> On 06/22/2015 10:57 AM, Oleg Fayans wrote:
>> Hi Petr, team,
>>
>> I was able to reproduce it today with sequential installation.
>> Again: one of three replicas caught this issue. Hostnames were other
>> than those on Friday, all three vm's from the same template.
>>
>> On 06/19/2015 05:10 PM, Petr Vobornik wrote:
>>> On 06/19/2015 04:27 PM, Oleg Fayans wrote:
>>>> Hi everybody,
>>>>
>>>> While preparing the replica files on the latest IPA master I've noticed
>>>> the following error messages in the dirsrv error log:
>>>>
>>>> [19/Jun/2015:15:26:10 +0200] NSMMReplicationPlugin -
>>>> agmt="cn=masterAgreement1-vm-244.idm.lab.eng.brq.redhat.com-pki-tomcat"
>>>> (vm-244:389): Replication bind with SIMPLE auth failed: LDAP error -1
>>>> (Can't contact LDAP server) ()
>>>
>>> Probably a leftover CA replication agreement with some removed
>>> master. Can be removed with ipa-csreplica-manage del --force.
>>>
>>>> [19/Jun/2015:15:26:10 +0200] - Entry "uid=admin,ou=people,o=ipaca" --
>>>> attribute "krbExtraData" not allowed
>>>> [19/Jun/2015:15:26:13 +0200] slapi_ldap_bind - Error: could not send
>>>> startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
>>>>
>>>> Though the stdout of the replica preparation reports success, when I
>>>> later use the resulting gpg file to actually setup a replica the setup
>>>> process fails with the following output:
>>>>
>>>> Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
>>>> [1/8]: adding sasl mappings to the directory
>>>> [2/8]: configuring KDC
>>>> [3/8]: creating a keytab for the directory
>>>> [4/8]: creating a keytab for the machine
>>>> [5/8]: adding the password extension to the directory
>>>> [6/8]: enable GSSAPI for replication
>>>> [error] RuntimeError: One of the ldap service principals is missing.
>>>> Replication agreement cannot be converted.
>>>> Replication error message: Unable to acquire replicaLDAP error: No such object
>>>> Your system may be partly configured.
>>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>>
>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR One of the
>>>> ldap service principals is missing. Replication agreement cannot be
>>>> converted.
>>>> Replication error message: Unable to acquire replicaLDAP error: No such object
>>>>
>>>> The corresponding part of the ipareplica-install.log is attached
>>>>
>>>> I've encountered this already twice. The strangest part is that I
>>>> prepared 3 replicas simultaneously: 2 of them installed successfully and
>>>> one - failed. All three replicas were launched from the same vm-template
>>>>
>>>
>>> Could this be the cause? It would be safer to run it sequentially.
>>
>

From lkrispen at redhat.com Mon Jun 22 09:35:59 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Mon, 22 Jun 2015 11:35:59 +0200
Subject: [Freeipa-devel] [PATCH 0016] clear start attr from segment after initialization
Message-ID: <5587D6FF.8020706@redhat.com>

fix for ticket #5065, removing start
- after online init completed
- additionally check after startup

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-lkrispen-0016-clear-start-attr-from-segment-after-initialization.patch
Type: text/x-patch
Size: 9125 bytes

From ofayans at redhat.com Mon Jun 22 09:46:49 2015
From: ofayans at redhat.com (Oleg Fayans)
Date: Mon, 22 Jun 2015 11:46:49 +0200
Subject: [Freeipa-devel] [PATCH 0016] clear start attr from segment after initialization
In-Reply-To: <5587D6FF.8020706@redhat.com>
References: <5587D6FF.8020706@redhat.com>
Message-ID: <5587D989.7070209@redhat.com>

applying freeipa-lkrispen-0016-clear-start-attr-from-segment-after-initialization.patch
error: patch failed: daemons/ipa-slapi-plugins/topology/topology_util.c:471
error: daemons/ipa-slapi-plugins/topology/topology_util.c: patch does not apply

On 06/22/2015 11:35 AM, Ludwig Krispenz wrote:
> fix for ticket #5065, removing start
> - after online init completed
> - additionally check after startup
>

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

From lkrispen at redhat.com Mon Jun 22 10:09:31 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Mon, 22 Jun 2015 12:09:31 +0200
Subject: [Freeipa-devel] [PATCH 0016] clear start attr from segment after initialization
In-Reply-To: <5587D989.7070209@redhat.com>
References: <5587D6FF.8020706@redhat.com> <5587D989.7070209@redhat.com>
Message-ID: <5587DEDB.8020607@redhat.com>

did you apply 0014 and 0015 before ?

On 06/22/2015 11:46 AM, Oleg Fayans wrote:
> applying
> freeipa-lkrispen-0016-clear-start-attr-from-segment-after-initialization.patch
> error: patch failed:
> daemons/ipa-slapi-plugins/topology/topology_util.c:471
> error: daemons/ipa-slapi-plugins/topology/topology_util.c: patch does
> not apply
>
>
> On 06/22/2015 11:35 AM, Ludwig Krispenz wrote:
>> fix for ticket #5065, removing start
>> - after online init completed
>> - additionally check after startup
>>
>
> -- 
> Oleg Fayans
> Quality Engineer
> FreeIPA team
> RedHat.
>

From ofayans at redhat.com Mon Jun 22 10:20:34 2015
From: ofayans at redhat.com (Oleg Fayans)
Date: Mon, 22 Jun 2015 12:20:34 +0200
Subject: [Freeipa-devel] [PATCH 0016] clear start attr from segment after initialization
In-Reply-To: <5587DEDB.8020607@redhat.com>
References: <5587D6FF.8020706@redhat.com> <5587D989.7070209@redhat.com> <5587DEDB.8020607@redhat.com>
Message-ID: <5587E172.6020009@redhat.com>

Oops, you are right! That fixed the issue

On 06/22/2015 12:09 PM, Ludwig Krispenz wrote:
> did you apply 0014 and 0015 before ?
>
> On 06/22/2015 11:46 AM, Oleg Fayans wrote:
>> applying
>> freeipa-lkrispen-0016-clear-start-attr-from-segment-after-initialization.patch
>> error: patch failed:
>> daemons/ipa-slapi-plugins/topology/topology_util.c:471
>> error: daemons/ipa-slapi-plugins/topology/topology_util.c: patch does
>> not apply
>>
>>
>> On 06/22/2015 11:35 AM, Ludwig Krispenz wrote:
>>> fix for ticket #5065, removing start
>>> - after online init completed
>>> - additionally check after startup
>>>
>>
>> -- 
>> Oleg Fayans
>> Quality Engineer
>> FreeIPA team
>> RedHat.
>>
>

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

From pvoborni at redhat.com Mon Jun 22 12:21:01 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Mon, 22 Jun 2015 14:21:01 +0200
Subject: [Freeipa-devel] LDAP errors in the dirsrv logs during replica preparation
In-Reply-To: <5587D525.9040006@redhat.com>
References: <558426BD.5090402@redhat.com> <558430CB.4010703@redhat.com> <5587CDDE.6060904@redhat.com> <5587CED3.2000107@redhat.com> <5587D525.9040006@redhat.com>
Message-ID: <5587FDAD.5000309@redhat.com>

On 06/22/2015 11:28 AM, Ludwig Krispenz wrote:
> Hi Oleg,
>
> don't know if it is relevant for the current problem, but maybe you
> should address this warning:
>
> Configuring DNS (named)
> [1/9]: generating rndc key file
> WARNING: Your system is running out of entropy, you may experience long
> delays

This is easy to solve (on vms) with:

dnf install rng-tools
systemctl start rngd.service

>
> Ludwig
>
>
> On 06/22/2015 11:01 AM, Oleg Fayans wrote:
>> Here is the session transcript, together with the directory server
>> logs from master
>>
>> On 06/22/2015 10:57 AM, Oleg Fayans wrote:
>>> Hi Petr, team,
>>>
>>> I was able to reproduce it today with sequential installation.
>>> Again: one of three replicas caught this issue. Hostnames were other
>>> than those on Friday, all three vm's from the same template.
>>>
>>> On 06/19/2015 05:10 PM, Petr Vobornik wrote:
>>>> On 06/19/2015 04:27 PM, Oleg Fayans wrote:
>>>>> Hi everybody,
>>>>>
>>>>> While preparing the replica files on the latest IPA master I've noticed
>>>>> the following error messages in the dirsrv error log:
>>>>>
>>>>> [19/Jun/2015:15:26:10 +0200] NSMMReplicationPlugin -
>>>>> agmt="cn=masterAgreement1-vm-244.idm.lab.eng.brq.redhat.com-pki-tomcat"
>>>>> (vm-244:389): Replication bind with SIMPLE auth failed: LDAP error -1
>>>>> (Can't contact LDAP server) ()
>>>>
>>>> Probably a leftover CA replication agreement with some removed
>>>> master. Can be removed with ipa-csreplica-manage del --force.
>>>>
>>>>> [19/Jun/2015:15:26:10 +0200] - Entry "uid=admin,ou=people,o=ipaca" --
>>>>> attribute "krbExtraData" not allowed
>>>>> [19/Jun/2015:15:26:13 +0200] slapi_ldap_bind - Error: could not send
>>>>> startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
>>>>>
>>>>> Though the stdout of the replica preparation reports success, when I
>>>>> later use the resulting gpg file to actually setup a replica the setup
>>>>> process fails with the following output:
>>>>>
>>>>> Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
>>>>> [1/8]: adding sasl mappings to the directory
>>>>> [2/8]: configuring KDC
>>>>> [3/8]: creating a keytab for the directory
>>>>> [4/8]: creating a keytab for the machine
>>>>> [5/8]: adding the password extension to the directory
>>>>> [6/8]: enable GSSAPI for replication
>>>>> [error] RuntimeError: One of the ldap service principals is missing.
>>>>> Replication agreement cannot be converted.
>>>>> Replication error message: Unable to acquire replicaLDAP error: No such object
>>>>> Your system may be partly configured.
>>>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>>>
>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR One of the
>>>>> ldap service principals is missing. Replication agreement cannot be
>>>>> converted.
>>>>> Replication error message: Unable to acquire replicaLDAP error: No such object
>>>>>
>>>>> The corresponding part of the ipareplica-install.log is attached
>>>>>
>>>>> I've encountered this already twice. The strangest part is that I
>>>>> prepared 3 replicas simultaneously: 2 of them installed successfully and
>>>>> one - failed. All three replicas were launched from the same vm-template
>>>>>
>>>>
>>>> Could this be the cause? It would be safer to run it sequentially.
>>>
>>
>

-- 
Petr Vobornik

From ofayans at redhat.com Mon Jun 22 12:49:50 2015
From: ofayans at redhat.com (Oleg Fayans)
Date: Mon, 22 Jun 2015 14:49:50 +0200
Subject: [Freeipa-devel] topologysegment-mod question
Message-ID: <5588046E.2070502@redhat.com>

Hi Ludwig,

Could you please clarify how `ipa topologysegment-mod --enabled=off` should work?
My initial understanding was that it disables any changes from going through the disabled segment, but as it turns out, it does let the topology-related info through and filters out all the rest.
What I mean is that, having a line topology like this:

master - rep1 - rep2 - rep3 - rep4

when I disable the rep2-rep3 segment, then:
1. any user created on master does not appear on rep3 and rep4 (as expected), but
2. changes in topology made on rep4 do get replicated to master

Is this expected behavior?

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

From cheimes at redhat.com Mon Jun 22 13:49:51 2015
From: cheimes at redhat.com (Christian Heimes)
Date: Mon, 22 Jun 2015 15:49:51 +0200
Subject: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)
In-Reply-To: <1434557376.2815.14.camel@redhat.com>
References: <5565C3AF.1070509@redhat.com> <5576F050.7070903@redhat.com> <1434138036.2542.52.camel@redhat.com> <557B55F6.4060408@redhat.com> <1434557376.2815.14.camel@redhat.com>
Message-ID: <5588127F.5090200@redhat.com>

On 2015-06-17 18:09, Nathaniel McCallum wrote:
> * There is a new permission: Read IPA Masters KDC Proxy. Is this
> necessary? Can't the config be world-readable and admin writable? There
> is no extra security in hiding this attribute. This also completely
> removes the need for a keytab since anonymous binding can be used. This
> also, I believe, removes the need for a service.

I brought up your suggestion in today's IPA devel meeting. Simo explained that anonymous binding might not be available. Some customers disable it on their systems. I'd have to find yet another way to authenticate, e.g. using the user account. That would only work locally, though.

Let's go ahead with my current approach. It's implemented and I have tested upgrade and refresh installation a couple of times, too.

Christian

From npmccallum at redhat.com Mon Jun 22 14:01:17 2015
From: npmccallum at redhat.com (Nathaniel McCallum)
Date: Mon, 22 Jun 2015 10:01:17 -0400 (EDT)
Subject: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)
In-Reply-To: <5588127F.5090200@redhat.com>
References: <5565C3AF.1070509@redhat.com> <5576F050.7070903@redhat.com> <1434138036.2542.52.camel@redhat.com> <557B55F6.4060408@redhat.com> <1434557376.2815.14.camel@redhat.com> <5588127F.5090200@redhat.com>
Message-ID: <188991005.26834733.1434981677810.JavaMail.zimbra@redhat.com>

I'd still prefer a user mapping to managing a keytab. This patch is just way too complex for what it does.

----- Original Message -----
> I brought up your suggestion in today's IPA devel meeting. Simo
> explained that anonymous binding might not be available. Some customers
> disable it on their systems. I'd have to find yet another way to
> authenticate, e.g. using the user account. That would only work locally,
> though.
>
> Let's go ahead with my current approach. It's implemented and I have
> tested upgrade and refresh installation a couple of times, too.
>
> Christian
>

From simo at redhat.com Mon Jun 22 14:10:04 2015
From: simo at redhat.com (Simo Sorce)
Date: Mon, 22 Jun 2015 10:10:04 -0400
Subject: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)
In-Reply-To: <188991005.26834733.1434981677810.JavaMail.zimbra@redhat.com>
References: <5565C3AF.1070509@redhat.com> <5576F050.7070903@redhat.com> <1434138036.2542.52.camel@redhat.com> <557B55F6.4060408@redhat.com> <1434557376.2815.14.camel@redhat.com> <5588127F.5090200@redhat.com> <188991005.26834733.1434981677810.JavaMail.zimbra@redhat.com>
Message-ID: <1434982204.16474.12.camel@willson.usersys.redhat.com>

On Mon, 2015-06-22 at 10:01 -0400, Nathaniel McCallum wrote:
> I'd still prefer a user mapping to managing a keytab. This patch is just way too complex for what it does.

User mapping ?

> ----- Original Message -----
> > I brought up your suggestion in today's IPA devel meeting. Simo
> > explained that anonymous binding might not be available. Some customers
> > disable it on their systems. I'd have to find yet another way to
> > authenticate, e.g. using the user account. That would only work locally,
> > though.
> >
> > Let's go ahead with my current approach. It's implemented and I have
> > tested upgrade and refresh installation a couple of times, too.
> >
> > Christian
> >

-- 
Simo Sorce * Red Hat, Inc * New York

From cheimes at redhat.com Mon Jun 22 14:14:13 2015
From: cheimes at redhat.com (Christian Heimes)
Date: Mon, 22 Jun 2015 16:14:13 +0200
Subject: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)
In-Reply-To: <188991005.26834733.1434981677810.JavaMail.zimbra@redhat.com>
References: <5565C3AF.1070509@redhat.com> <5576F050.7070903@redhat.com> <1434138036.2542.52.camel@redhat.com> <557B55F6.4060408@redhat.com> <1434557376.2815.14.camel@redhat.com> <5588127F.5090200@redhat.com> <188991005.26834733.1434981677810.JavaMail.zimbra@redhat.com>
Message-ID: <55881835.7070707@redhat.com>

On 2015-06-22 16:01, Nathaniel McCallum wrote:
> I'd still prefer a user mapping to managing a keytab. This patch is just way too complex for what it does.

I don't get what you mean by 'user mapping'. Are you referring to EXTERNAL bind over ldapi?

From lkrispen at redhat.com Mon Jun 22 14:15:39 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Mon, 22 Jun 2015 16:15:39 +0200
Subject: [Freeipa-devel] topologysegment-mod question
In-Reply-To: <5588046E.2070502@redhat.com>
References: <5588046E.2070502@redhat.com>
Message-ID: <5588188B.2050001@redhat.com>

Hi Oleg,

On 06/22/2015 02:49 PM, Oleg Fayans wrote:
> Hi Ludwig,
>
> Could you please clarify how `ipa topologysegment-mod
> --enabled=off` should work?
> My initial understanding was that it disables any changes from going
> through the disabled segment, but as it turns out, it does let the
> topology-related info through and filters out all the rest.
> What I mean is that, having a line topology like this:
>
> master - rep1 - rep2 - rep3 - rep4
>
> when I disable the rep2-rep3 segment, then:
> 1. any user created on master does not appear on rep3 and rep4 (as
> expected), but
> 2. changes in topology made on rep4 do get replicated to master
>
> Is this expected behavior?

expected: yes, intended: no

if you disable rep2-rep3 on master or repl1 or repl2 this change arrives at repl2 and will disable the agreement to repl3. This can happen before the change is replicated to repl3 and so the setting to off does not arrive at repl3 and it will still replicate back to repl2.

In a previous discussion there was agreement that we do not want to support disablement of a segment, but it is not yet enforced.

This problem is similar to the one where a master is removed, the segments connecting it (and the repl agmts) are removed and these changes do not arrive at the removed master. To handle this either a check if changes have been received at other servers, or the removal would have to be done by some delay,...
This was not pursued since the removed master would be gone, and in the remaining topology connections to it are removed and also its credentials are removed, so even if it has a leftover agreement it will not be able to replicate back into the remaining topology

From npmccallum at redhat.com Mon Jun 22 14:22:22 2015
From: npmccallum at redhat.com (Nathaniel McCallum)
Date: Mon, 22 Jun 2015 10:22:22 -0400
Subject: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)
In-Reply-To: <1434982204.16474.12.camel@willson.usersys.redhat.com>
References: <5565C3AF.1070509@redhat.com> <5576F050.7070903@redhat.com> <1434138036.2542.52.camel@redhat.com> <557B55F6.4060408@redhat.com> <1434557376.2815.14.camel@redhat.com> <5588127F.5090200@redhat.com> <188991005.26834733.1434981677810.JavaMail.zimbra@redhat.com> <1434982204.16474.12.camel@willson.usersys.redhat.com>
Message-ID: <1434982942.3058.0.camel@redhat.com>

On Mon, 2015-06-22 at 10:10 -0400, Simo Sorce wrote:
> On Mon, 2015-06-22 at 10:01 -0400, Nathaniel McCallum wrote:
> > I'd still prefer a user mapping to managing a keytab. This patch is
> > just way too complex for what it does.
>
> User mapping ?

EXTERNAL bind

> > ----- Original Message -----
> > > I brought up your suggestion in today's IPA devel meeting. Simo
> > > explained that anonymous binding might not be available. Some
> > > customers
> > > disable it on their systems. I'd have to find yet another way to
> > > authenticate, e.g. using the user account. That would only work
> > > locally,
> > > though.
> > >
> > > Let's go ahead with my current approach. It's implemented and I
> > > have
> > > tested upgrade and refresh installation a couple of times, too.
> > >
> > > Christian
> > >
>

From pvoborni at redhat.com Mon Jun 22 14:37:13 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Mon, 22 Jun 2015 16:37:13 +0200
Subject: [Freeipa-devel] Announcing FreeIPA 4.2.0 Alpha 1
Message-ID: <55881D99.2060002@redhat.com>

The FreeIPA team is proud to announce the FreeIPA v4.2.0 Alpha 1 release!

It can be downloaded from . The builds for Fedora 22 and Fedora Rawhide are available in the official COPR repository .

This announcement with additional ticket and design page links is available at .

== Highlights in 4.2 ==

=== Enhancements ===

* Support for multiple certificate profiles, including support for user certificates. The profiles are now replicated between FreeIPA servers to have a consistent state for all certificate creation requests. The certificate submission requests are authorized by the new CA ACL rules.
* User life-cycle management - add inactive stage users using the UI or LDAP interface and have them moved to active users by a single command. Deleted users can now also be moved - 'preserved' - to a special tree and re-activated when the user returns, preserving their UID/GID.
* Support for the Password Vault (KRA) component of PKI for storing user or service secrets. All encrypted with public key cryptography so that even the FreeIPA server does not know the secrets!
* Replication topology is now managed by the Directory Server 'Topology plugin', which allows modifications to the topology via the standard FreeIPA UI. The plugin is enabled for new 4.2 based deployments and for upgraded deployments that raised the Domain Level to 1.
* A datepicker is now used for datetime fields in the Web UI.
* The upgrade process was overhauled. There is now a single upgrade tool (`ipa-server-upgrade`) providing a simplified interface for upgrading the FreeIPA server. See details in the separate subsection.
* Service constrained delegation rules can now be added by UI and CLI.
* The FreeIPA Web Server no longer uses the deprecated `mod_auth_kerb` but has switched to the modern `mod_auth_gssapi`.
* Add support for Domain Levels.
* The `migrate-ds` command can now search the migrated users and groups with a different scope.
* DNSSEC integration was improved and the FreeIPA server is configured to do DNSSEC validation by default. This might potentially affect installations which did not follow deployment recommendations for DNS.

=== Changes to upgrade ===

The server still upgrades automatically during RPM update. However, `ipactl start` now verifies that the server was really upgraded before starting FreeIPA, to prevent running upgraded bits on old data when `ipa-server-upgrade` was not run during RPM update (for example during [https://fedoraproject.org/wiki/FedUp FedUp] Fedora upgrade).

The format of update files (files in `/usr/share/ipa/updates/`) was changed. Namely:
* Updates are not merged; update files are applied one at a time
* Update entries no longer support CSV - commas can now be freely used in the added attributes
* Updates can now use base64 values
* Update plugins are no longer run automatically, but only when referenced from update files (`plugin: `)

== Known Issues ==

=== Installation ===
* missing dependency on `python-setuptools`; run `dnf install python-setuptools` before installing FreeIPA rpms.

=== Topology management ===
* `ipa-replica-manage del` doesn't check for disconnection of topology
* replica reinitialization after `ipa topologysegment-reinitialize` could be executed multiple times
* topology segment direction and 'enable' can still be modified. This will not be allowed in the final version.

=== Certificates ===
* Certificate profiles are not correctly upgraded and therefore certificate signing requests fail
* Web UI does not support multiple certificates

== Upgrading ==

Upgrade instructions are available on the Upgrade page.
== Feedback == Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel on Freenode. == Detailed Changelog since 4.1 == === Ade Lee (3) === * Add a KRA to IPA * Add man page for ipa-kra-install * Re-enable uninstall feature for ipa-kra-install === Ales 'alich' Marecek (1) === * Ipatests DNS SOA Record Maintenance === Alexander Bokovoy (10) === * Add ipaSshPubkey and gidNumber to the ACI to read ID user overrides * Update slapi-nis dependency to pull 0.54.1 * AD trust: improve trust validation * Support Samba PASSDB 0.2.0 aka interface version 24 * ipa-cldap: support NETLOGON_NT_VERSION_5EX_WITH_IP properly * ipa-kdb: when processing transitions, hand over unknown ones to KDC * ipa-kdb: reject principals from disabled domains as a KDC policy * fix Makefile.am for daemons * slapi-nis: require 0.54.2 for CVE-2015-0283 fixes * ipaserver/dcerpc: Ensure LSA pipe has session key before using it === David Kupka (25) === * Respect UID and GID soft static allocation. * Stop dirsrv last in ipactl stop. * Remove unneeded internal methods. Move code to public methods. * Remove service file even if it isn't link. * Produce better error in group-add command. * Fix --{user,group}-ignore-attribute in migration plugin. * ipa-restore: Check if directory is provided + better errors. * Fix error message for nonexistent members and add tests. * Use singular in help metavars + update man pages. * Always add /etc/hosts record when DNS is being configured. * Remove ipanttrustauthincoming/ipanttrustauthoutgoing from ipa trust-add output. * Abort backup restoration on not matching host. * idviews: Allow setting ssh public key on ipauseroverride-add * Use IPA CA certificate when available and ignore NO_TLS_LDAP when not. * Restore default.conf and use it to build API. * Always reload StateFile before getting or modifying the stored values. * Remove unused part of ipa.conf. 
* Use mod_auth_gssapi instead of mod_auth_kerb.
* Bump ipa.conf version to 17.
* Lint: Skip checking of functions stolen by python-nose.
* Make lint work on Fedora 22.
* Lint: Fix error on pylint-1.3.1 introduced by fix for pylint-1.4.1.
* Do not store state if CA is enabled
* Move CA installation code into single module.
* Use 389-ds centralized scripts.

=== Drew Erny (1) ===
* Migration now accepts scope as argument

=== Endi Sukma Dewata (5) ===
* Fixed KRA backend.
* Modified NSSConnection not to shutdown existing database.
* Added vault plugin.
* Added vault-archive and vault-retrieve commands.
* Fixed KRA installation problem.

=== Francesco Marella (1) ===
* Refactor selinuxenabled check

=== Fraser Tweedale (18) ===
* Support multiple host and service certificates
* Fix certificate management with service-mod
* Install CA with LDAP profiles backend
* Add schema for certificate profiles
* ipa-pki-proxy: provide access to profiles REST API
* Add ACL to allow CA agent to modify profiles
* Add certprofile plugin
* Enable LDAP-based profiles in CA on upgrade
* Import included profiles during install or upgrade
* Add generic split_any_principal method
* Add profile_id parameter to 'request_certificate'
* Add usercertificate attribute to user plugin
* Update cert-request to support user certs and profiles
* Fix certificate subject base
* Import profiles earlier during install
* ipa-pki-proxy: allow certificate and password authentication
* Add CA ACL plugin
* Enforce CA ACLs in cert-request command

=== Gabe Alford (16) ===
* Remove trivial path constants from modules
* ipa-server-install Directory Manager help incorrect
* ipa-managed-entries requires password with bad password
* Update default NTP configuration
* Remove usage of app_PYTHON in ipaserver Makefiles
* Remove dependency on subscription-manager
* Typos in ipa-rmkeytab options help and man page
* permission-add does not prompt for ipapermright in interactive mode
* ipa-replica-prepare should document ipv6 options
* ipatests: Add tests for valid and invalid ipa-advise
* ipa-replica-prepare can only be created on the first master
* Add message for skipping NTP configuration during client install
* Remove unneeded ip-address option in ipa-adtrust-install
* Unsaved changes dialog internally inconsistent
* Allow ipa help command to run when ipa-client-install is not configured
* Do not print traceback when pipe is broken

=== Jan Cholasta (93) ===
* Do not crash in CAInstance.__init__ when default argument values are used
* Fix certmonger configuration in installer code
* Do not check if port 8443 is available in step 2 of external CA install
* Handle profile changes in dogtag-ipa-ca-renew-agent
* Do not wait for new CA certificate to appear in LDAP in ipa-certupdate
* Fail if certmonger can't see new CA certificate in LDAP in ipa-cacert-manage
* Fix possible NULL dereference in ipa-kdb
* Fix memory leaks in ipa-extdom-extop
* Fix various bugs in ipa-opt-counter and ipa-otp-lasttoken
* Fix memory leak in ipa-pwd-extop
* Fix memory leaks in ipa-join
* Fix various bugs in ipap11helper
* Fix CA certificate backup and restore
* Fix wrong expiration date on renewed IPA CA certificates
* Restore file extended attributes and SELinux context in ipa-restore
* Use correct service name in cainstance.backup_config
* Stop tracking certificates before restoring them in ipa-restore
* Remove redefinition of LOG from ipa-otp-lasttoken
* Unload P11_Helper object's library when it is finalized in ipap11helper
* Fix Kerberos error handling in ipa-sam
* Fix unchecked return value in ipa-kdb
* Fix unchecked return values in ipa-winsync
* Fix unchecked return value in ipa-join
* Fix unchecked return value in krb5 common utils
* Fix memory leak in GetKeytabControl asn1 code
* Add TLS 1.2 to the protocol list in mod_nss config
* Fix automatic CA cert renewal endless loop in dogtag-ipa-ca-renew-agent
* Do not renew the IPA CA cert by serial number in dogtag-ipa-ca-renew-agent
* Improve validation of --instance and --backend options in ipa-restore
* Check subject name encoding in ipa-cacert-manage renew
* Refer the user to freeipa.org when something goes wrong in ipa-cacert-manage
* Fix ipa-restore on systems without IPA installed
* Remove RUV from LDIF files before using them in ipa-restore
* Fix CA certificate renewal syslog alert
* Do not crash on unknown services in installutils.stopped_service
* Restart dogtag when its server certificate is renewed
* Make certificate renewal process synchronized
* Fix validation of ipa-restore options
* Do not assume certmonger is running in httpinstance
* Put LDIF files to their original location in ipa-restore
* Revert "Make all ipatokenTOTP attributes mandatory"
* Create correct log directories during full restore in ipa-restore
* Do not crash when replica is unreachable in ipa-restore
* Bump 389-ds-base and pki-ca dependencies for POODLE fixes
* ipalib: Allow multiple API instances
* ipalib: Move plugin package setup to ipalib-specific API subclass
* advise: Add separate API object for ipa-advise
* ldap2: Use self API instance instead of ipalib.api
* replica-install: Use different API instance for the remote server
* certstore: Make certificate retrieval more robust
* client-install: Do not crash on invalid CA certificate in LDAP
* client: Fix ca_is_enabled calls
* upload_cacrt: Fix empty cACertificate in cn=CAcert
* ldap: Drop python-ldap tuple compatibility
* ldap: Remove unused IPAdmin methods
* ldap: Add connection management to LDAPClient
* ldap: Use LDAPClient connection management in IPAdmin
* ldap: Use LDAPClient connection management in ldap2
* ldap: Add bind and unbind methods to LDAPClient
* ldap: Use LDAPClient bind and unbind methods in IPAdmin
* ldap: Use LDAPClient bind and unbind methods in ldap2
* ldap: Use LDAPClient instead of IPASimpleLDAPObject in ldap2.modify_password
* cainstance: Use LDAPClient instead of IPASimpleLDAPObject
* makeaci: Use LDAPClient instead of IPASimpleLDAPObject
* ldap: Move value encoding from IPASimpleLDAPObject to LDAPClient
* ldap: Use LDAPClient instead of IPASimpleLDAPObject in LDAPEntry
* ldap: Move schema handling from IPASimpleLDAPObject to LDAPClient
* ldap: Use SimpleLDAPObject instead of IPASimpleLDAPObject in LDAPClient
* ldap: Remove IPASimpleLDAPObject
* Fix stop_tracking_certificates call in ipa-restore
* baseldap: Fix possible crash in LDAPObject.handle_duplicate_entry
* client-install: Fix kinits with non-default Kerberos config file
* install: Make a package out of ipaserver.install.server
* install: Move ipa-server-install code into a module
* install: Move ipa-replica-install code into a module
* install: Move ipa-server-upgrade code into a module
* install: Fix missing variable initialization in replica install
* install: Fix CA-less server install
* install: Fix external CA server install
* install: Move private_ccache from ipaserver to ipapython
* install: Introduce installer framework ipapython.install
* install: Migrate ipa-server-install to the install framework
* install: Handle Knob cli_name and cli_aliases values consistently
* install: Add support for positional arguments in CLI tools
* install: Allow setting usage in CLI tools
* install: Migrate ipa-replica-install to the install framework
* vault: Move vaults to cn=vaults,cn=kra
* install: Initialize API early in server and replica install
* vault: Fix ipa-kra-install
* install: Fix logging setup in server and replica install
* User life cycle: provide preserved user virtual attribute
* install: Fix ipa-replica-install not installing RA cert
* User life cycle: change user-del flags to be CLI-specific

=== Jan Pazdziora (1) ===
* No explicit zone specification.
=== Lenka Ryznarova (1) ===
* Test Objectclass of postdetach group

=== Ludwig Krispenz (9) ===
* ds plugin - manage replication topology in the shared tree
* install part - manage topology in shared tree
* replica install fails with domain level 1
* accept missing binddn group
* plugin uses 1 as minimum domain level to become active no calculation based on plugin version
* crash when removing a replica
* check for existing and self referential segments
* make sure the agreement rdn match the rdn used in the segment
* v2-reject modifications of endpoints and connectivity of a segment

=== Lukáš Slebodník (2) ===
* SPEC: Explicitly requires python-sssdconfig
* SPEC: Require python2 version of sssd bindings

=== Martin Babinsky (36) ===
* Use 'remove-ds.pl' to remove DS instance
* Moved dbus-python dependence to freeipa-python package
* ipa-kdb: unexpected error code in 'ipa_kdb_audit_as_req' triggers a message
* always get PAC for client principal if AS_REQ is true
* ipa-kdb: more robust handling of principal addition/editing
* OTP: failed search for the user of last token emits an error message
* ipa-pwd-extop: added an informational comment about intentional fallthrough
* ipa-uuid: emit a message when unexpected mod type is encountered
* OTP: emit a log message when LDAP entry for config record is not found
* ipa-client-install: put eol character after the last line of altered config file(s)
* migrate-ds: exit with error message if no users/groups to migrate are found
* Changing the token owner changes also the manager
* ipa-dns-install: use STARTTLS to connect to DS
* ipa-dns-install: use LDAPI to connect to DS
* migrate-ds: print out failed attempts when no users/groups are migrated
* show the exception message thrown by dogtag._parse_ca_status during install
* do not log BINDs to non-existent users as errors
* fix improper handling of boolean option in
* proper client host setup/teardown in forced client reenrollment integration test suite
* do not install CA on replica during integration test if setup_ca=False
* ipautil: new functions kinit_keytab and kinit_password
* ipa-client-install: try to get host TGT several times before giving up
* Adopted kinit_keytab and kinit_password for kerberos auth
* use separate ccache filename for each IPA DNSSEC daemon
* point the users to PKI-related logs when CA configuration fails
* suppress errors arising from deleting non-existent files during client uninstall
* prevent duplicate IDs when setting up multiple replicas against single master
* ipa-server-install: deprecate manual setting of master KDC password
* update 'api.env.ca_host' if a different hostname is used during server install
* provide dedicated ccache file for httpd
* move IPA-related http runtime directories to common subdirectory
* explicitly destroy httpd service ccache file during httpinstance removal
* do not check for directory manager password during KRA uninstall
* merge KRA installation machinery to a single module
* KRA: get the right dogtag version during server uninstall
* add DS index for userCertificate attribute

=== Martin Bašti (114) ===
* Dogtag 10.2 to spec.file
* Fix dns zonemgr validation regression
* Add bind-dyndb-ldap working dir to IPA specfile
* Fix CI tests: install_adtrust
* Fix upgrade: do not use invalid ldap connection
* Fix: DNS installer adds invalid zonemgr email
* Fix: DNS policy upgrade raises assertion error
* Fix upgrade referint plugin
* Upgrade: fix trusts objectclass violation
* Fix named working directory permissions
* Fix: zonemgr must be unicode value
* Fix warning message should not contain CLI commands
* Show warning instead of error if CA did not start
* Raise right exception if domain name is not valid
* Fix pk11helper module compiler warnings
* Fix: read_ip_addresses should return ipaddr object
* Fix detection of encoding in zonemgr option
* Fix zonemgr option encoding detection
* Throw zonemgr error message before installation proceeds
* Upgrade fix: masking named should be executed only once
* Using wget to get status of CA
* Show SSHFP record containing space in fingerprint
* Fix don't check certificate during getting CA status
* Fix: Upgrade forwardzones zones after adding newer replica
* Fix zone find during forwardzone upgrade
* Fix traceback if zonemgr error contains unicode
* DNS tests: separate current forward zone tests
* New test cases for Forward_zones
* Detect and warn about invalid DNS forward zone configuration
* DNS tests: warning if forward zone is inactive
* Add debug messages into client autodetection
* DNSSEC catch ldap exceptions in ipa-dnskeysyncd
* DNSSEC: fix root zone dns name conversion
* Always return absolute idnsname in dnszone commands
* Use dyndns_update instead of deprecated sssd option
* Fix reference counting in pkcs11 extension
* Prevent install scripts fail silently if timeout exceeded
* Fix warning message on client side
* Fix restoring services status during uninstall
* Fix do not enable service before storing status
* Uninstall configured services only
* Fix saving named restore status
* Migrate uniqueness plugins configuration to new style
* Fix uniqueness plugins
* DNSSEC add support for CKM_RSA_PKCS_OAEP mechanism
* Fix memory leaks in ipap11helper
* Remove unused method from ipap11pkcs helper module
* Remove unused disable-betxn.ldif file
* DNS fix: do not traceback if unsupported records are in LDAP
* DNS fix: do not show part options for unsupported records
* DNS: remove NSEC3PARAM from records
* Fix dead code in ipap11helper module
* Server Upgrade: Remove unused PRE_SCHEMA_UPDATE
* Server Upgrade: do not sort updates by DN
* Server Upgrade: Upgrade one file per time
* Server Upgrade: Set modified to false, before each update
* Server Upgrade: Update entries in order specified in file
* Server Upgrade: order update files by default
* Server Upgrade: respect --test option in plugins
* Server Upgrade: remove --test option
* Server Upgrade: Fix comments
* DNSSEC: Do not log into files
* Fix ldap2 shared connection
* Server Upgrade: use only LDAPI connection
* Server Upgrade: remove unused code in upgrade
* Server Upgrade: Apply plugin updates immediately
* Server Upgrade: specify order of plugins in update files
* Server Upgrade: plugins should use ldapupdater API instance
* Server Upgrade: Handle connection better in updates_from_dict
* Server Upgrade: use ldap2 connection in fix_replica_agreements
* Server Upgrade: restart DS using ipaplatform service
* Server Upgrade: only root can run updates
* DNSSEC CI tests
* ipa client: make --ntp-server option multivalued
* ipa client: use NTP servers detected from SRV
* ipa client: use NTP servers specified by user
* Server Upgrade: ipa-server-upgrade command
* Server Upgrade: Verify version and platform
* Server Upgrade: use ipa-server-upgrade in RPM upgrade
* Server Upgrade: fix a comment in ldapupdater
* move realm_to_serverid to installutils module
* Server Upgrade: use LDIF parser to modify DSE.ldif
* Server Upgrade: enable DS global lock during upgrade
* Server Upgrade: remove CSV from upgrade files
* Server Upgrade: Allow base64 encoded values
* Server Upgrade: fix memberUid index
* Don't use the proxy to check CA status
* Server Upgrade: Do not start DS if it was stopped before upgrade
* Server Upgrade: raise RuntimeError instead exit()
* Server Upgrade: do not allow to run upgradeinstance alone
* Server Upgrade: handle errors better
* Server Upgrade: ipa-ldap-updater will not do overall upgrade
* Server Upgrade: Fix uniqueness plugins
* DNSSEC: FIX Do not re-create kasp.db if already exists
* DNSSEC: update OpenDNSSEC KASP configuration
* DNS install: extract DNS installer into one module
* Pylint: fix false positive warning for domain
* Uid uniqueness: fix: exclude compat tree from uniqueness
* Server Upgrade: wait until DS is ready
* Server Upgrade: Fix: execute schema update
* Server Upgrade: Move code from ipa-upgradeconfig to separate module
* Fix: use DS socket check only for upgrade
* Server Upgrade: fix remove statement
* Installers fix: remove temporal ccache
* ULC: fix: upgrade for stage Stage User Admins failed
* Fix: regression in host and service plugin
* DNSSEC: Improve global forwarders validation
* DNSSEC: validate forward zone forwarders
* Revert 389-DS BuildRequires version to 1.3.3.9
* DNSSEC: fix traceback during shutdown phase
* Server Upgrade: disconnect ldap2 connection before DS restart
* DNS: add UnknownRecord to schema
* ipa-ca-install fix: reconnect ldap2 after DS restart
* Server Upgrade: create default config for NIS Server plugin

=== Martin Košek (11) ===
* Fix ImportError in ipa-ca-install
* Bump SSSD Requires to 1.12.3
* Fix IPA_BACKUP_DIR path name
* Allow PassSync user to locate and update NT users
* Allow Replication Administrators manipulate Winsync Agreements
* Replication Administrators cannot remove replication agreements
* Add anonymous read ACI for DUA profile
* Print PublicError traceback when in debug mode
* group-detach does not add correct objectclasses
* Remove references to GPL v2.0 license
* Fix typo in ipa-server-upgrade man page

=== Milan Kubik (1) ===
* ipatests: port of p11helper test from github

=== Milan Kubík (1) ===
* Abstract the HostTracker class from host plugin test

=== Nathan Kinder (2) ===
* Timeout when performing time sync during client install
* Skip time sync during client install when using --no-ntp

=== Nathaniel McCallum (15) ===
* Ensure that a password exists after OTP validation
* Improve otptoken help messages
* Ensure users exist when assigning tokens to them
* Enable QR code display by default in otptoken-add
* Catch USBError during YubiKey location
* Preliminary refactoring of libotp files
* Move authentication configuration cache into libotp
* Enable last token deletion when password auth type is configured
* Make token auth and sync windows configurable
* Create an OTP help topic
* Prefer TCP connections to UDP in krb5 clients
* Expose the disabled User Auth Type
* Update python-yubico dependency version
* Fix a signedness bug in OTP code
* Fix OTP token URI generation

=== Petr Viktorin (35) ===
* ipa-restore: Don't crash if AD trust is not installed
* ipaplatform: Use the dirsrv service, not target
* Do not restore SELinux settings that were not backed up
* Add additional backup & restore checks
* tests: Use PEP8-compliant setup/teardown method names
* tests: Add configuration for pytest
* ipatests.util.ClassChecker: Raise AttributeError in get_subcls
* test_automount_plugin: Fix test ordering
* Use setup_class/teardown_class in Declarative tests
* dogtag plugin: Don't use doctest syntax for non-doctest examples
* test_webui: Don't use __init__ for test classes
* test_ipapython: Use functions instead of classes in test generators
* Configure pytest to run doctests
* Declarative tests: Move cleanup to setup_class/teardown_class
* Declarative tests: Switch to pytest
* Integration tests: Port the ordering plugin to pytest
* Switch make-test to pytest
* Add local pytest plugin for --with-xunit and --logging-level
* Switch ipa-run-tests to pytest
* Switch integration testing config to a fixture
* Integration tests: Port the BeakerLib plugin and log collection to pytest
* test_integration: Adjust tests for pytest
* copy_schema_to_ca: Fallback to old import location for ipaplatform.services
* Ignore ipap11helper/setup.py in doctests
* test_integration: Use python-pytest-multihost
* test_integration: Use collect_log from the host, not the testing class
* test_integration: Parametrize test instead of using a generator
* ipatests: Use pytest-beakerlib
* ipatests: Use pytest-sourceorder
* Run pylint on tests
* test_host_plugin: Convert tests to imperative style
* test_host_plugin: Split tests into independent classes
* test_host_plugin: Use HostTracker fixtures
* rename_managed: Remove use of EditableDN
* Remove Editable DN and DN component classes

=== Petr Voborník (88) ===
* build: increase java stack size for all arches
* ranges: prohibit setting --rid-base with ipa-trust-ad-posix type
* unittests: baserid for ipa-ad-trust-posix idranges
* ldapupdater: set baserid to 0 for ipa-ad-trust-posix ranges
* idrange: include raw range type in output
* webui: prohibit setting rid base with ipa-trust-ad-posix type
* webui: fix potential XSS vulnerabilities
* restore: clear httpd ccache after restore
* webui: use domain name instead of domain SID in idrange adder dialog
* webui: normalize idview tab labels
* webui: add radius fields to user page
* fix indentation in ipa-restore page
* add --hosts and --hostgroup options to allow/retrieve keytab methods
* webui: fix service unprovisioning
* webui: increase duration of notification messages
* revert removal of cn attribute from idnsRecord
* migrate-ds: fix compat plugin check
* rpcclient: use json_encode_binary for verbose output
* Fix TOTP Synchronization Window label
* ipatests: add missing ssh object classes to idoverrideuser
* webui: service: add ipakrbrequirespreauth checkbox
* webui: unable to select single value in CB by enter key
* webui: use no_members option in entity select search
* performance: faster DN implementation
* speed up convert_attribute_members
* speed up indirect member processing
* webui: add pwpolicy link to group details page if group has associated pwpolicy
* webui-ci: do not open 2 browser windows
* Update BUILD.txt
* allow to call ldap2.destroy_connection multiple times
* use Connectible.disconnect() instead of .destroy_connection()
* jQuery.ordered_map: faster creation
* jQuery.ordered_map: remove map attribute
* migrate-ds: optimize adding users to default group
* migrate-ds: skip default group option
* migrate-ds: remove unused def_group_gid context property
* migrate-ds: optimize gid checks by utilizing dictionary nature of set
* migrate-ds: log migrated group members only on debug level
* cli: differentiate Flag a Bool when autofill is set
* webui-ci: fix type error in host_tasks initializations
* webui: update patternfly to v1.1.4
* webui: rename IPA.user_* to IPA.user.*
* webui: declare search command options in search facet
* webui: register construction spec based on existing spec
* webui: entity facets in facet registry
* webui: entity menu items navigate to main entity facet
* webui: prefer entity fallback in menu item select
* webui: navigation: do not remember selected children of menu item
* webui: navigation: unique names on entity facet menu items
* webui: metadata validator min and max value overrides
* webui: custom facet groups in a facet
* webui: facet groups widget
* webui: allow to replace facet tabs with sidebar
* webui: allow to hide facet tabs or sidebar
* webui: facet policies for all facets
* webui: stageuser plugin
* webui: extend user deleter dialog with --permanent and --preserve options
* webui: update stageuser/user pages based on action in different user search page
* webui: stageusers, display page elements based on user state
* webui: prefer search facet's deleter dialog
* webui: fix empty table border in Firefox
* webui: option to not create user private group
* webui: add bootstrap-datepicker files
* webui: datetime widget with datepicker
* git ignore ipaplatform/__init__.py
* server-find and server-show commands
* topology: ipa management commands
* webui: IPA.command_dialog - a new dialog base class
* webui: use command_dialog as a base class for password dialog
* webui: make usage of --all in details facet optional
* webui: topology plugin
* webui: configurable refresh command
* webui: don't log in back after logout
* topology: allow only one node to be specified in topologysegment-refresh
* topology: hide topologysuffix-add del mod commands
* move replications managers group to cn=sysaccounts,cn=etc,$SUFFIX
* add entries required by topology plugin on update
* webui: make topology suffices UI readonly
* rename topologysegment_refresh to topologysegment_reinitialize
* disallow mod of topology segment nodes
* topology: restrict direction changes
* topology: fix swapped topologysegment-reinitialize behavior
* regenerate ACI.txt after stage user permission rename
* ipa-replica-manage: Do not allow topology altering commands from DL 1
* server: add "del" command
* ipa-replica-manage: adjust del to work with managed topology
* webui: adjust user deleter dialog to new api
* Become IPA 4.2.0 Alpha 1

=== Petr Špaček (15) ===
* Fix zone name to directory name conversion in BINDMgr.
* Fix minimal version of BIND for Fedora 20 and 21
* Fix default value type for wait_for_dns option
* p11helper: standardize indentation and other visual aspects of the code
* p11helper: use sizeof() instead of magic constants
* p11helper: clarify error message
* Clarify messages related to adding DNS forwarders
* Grammar fix in 'Estimated time' messages printed by installer
* Clarify host name output in ipa-client-install
* Update PKCS#11 mechanism constants for AES key wrapping to PKCS#11 v2.40.
* DNSSEC: Detect zone shadowing with incorrect DNSSEC signatures.
* Bump run-time requires to SoftHSM 2.0.0rc1.
* Improve error messages about reverse address resolution in ipa-replica-prepare
* Clarify recommendation about --ip-address option in ipa-replica-prepare
* Clarify error messages in ipa-replica-prepare: add_dns_records()

=== Rob Crittenden (3) ===
* Search using proper scope when connecting CA instances
* Use NSS protocol range API to set available TLS protocols
* Add plugin to manage service constraint delegations

=== Simo Sorce (13) ===
* Add UTC date to GIT snapshot version generation
* Fix filtering of enctypes in server code.
* Add asn1c generated code for keytab controls
* Use asn1c helpers to encode/decode the getkeytab control
* Stop saving the master key in a stash file
* Avoid calling ldap functions without a context
* Remove the removal of the ccache
* Handle DAL ABI change in MIT 1.13
* Add a clear OpenSSL exception.
* Stop including the DES algorithm from openssl.
* Detect default encsalts kadmin password change
* Add compatibility function for older libkrb5
* Fix s4u2proxy README and add warning

=== Sumit Bose (11) ===
* ipa-range-check: do not treat missing objects as error
* Add configure check for cwrap libraries
* extdom: handle ERANGE return code for getXXYYY_r() calls
* extdom: make nss buffer configurable
* extdom: return LDAP_NO_SUCH_OBJECT to the client
* extdom: fix memory leak
* extdom: add err_msg member to request context
* extdom: add add_err_msg() with test
* extdom: add selected error messages
* extdom: migrate check-based test to cmocka
* extdom: fix wrong realloc size

=== Thierry Bordaz (16) ===
* User Life Cycle: create containers and scoping DS plugins
* User Life Cycle: DNA scopes full SUFFIX
* Deadlock in schema compat plugin (between automember_update_membership task and dse update)
* User Life Cycle: Exclude subtree for ipaUniqueID generation
* User life cycle: stageuser-add verb
* User life cycle: allows MODRDN from ldap2
* User life cycle: new stageuser commands del/mod/find/show
* User life cycle: new stageuser commands activate
* User life cycle: new stageuser commands activate (provisioning)
* User life cycle: user-del supports --permanently, --preserve options and ability to delete deleted user
* User life cycle: user-find support finding delete users
* User life cycle: support of user-undel
* User life cycle: DNA DS plugin should exclude provisioning DIT
* User life cycle: Stage user Administrators permission/privilege
* User life cycle: Add 'Stage User Provisioning' permission/privilege
* Stage User: Fix permissions naming and split them where appropriate.
* Limit deadlocks between DS plugin DNA and slapi-nis

=== Thorsten Scherf (4) ===
* pwpolicy-add: Added better error handling
* Add help string on how to configure multiple DNS forwards for various cli tools
* Removed recommendation from ipa-adtrust-install
* Changed in-tree development setup instructions

=== Tomáš Babej (24) ===
* Bump 4.2 development version to 4.1.99
* specfile: Add BuildRequires for pki-base 10.2.1-0
* Re-initialize NSS database after otptoken plugin tests
* certs: Fix incorrect flag handling in load_cacert
* hosts: Display assigned ID view by default in host-find and show commands
* ipatests: Increase required version for pytest-multihost plugin
* idviews: Complain if host is already assigned the ID View in idview-apply
* idviews: Ignore host or hostgroup options set to None
* ipatests: Invoke class install methods properly with respect to pytest-multihost
* ipatests: Set the correct number of required clients for IntegrationTest
* ipatests: Refactor and fix docstrings in integration pytest plugin
* baseldap: Handle missing parent objects properly in *-find commands
* spec: Add BuildRequires for python-pytest plugins
* ipatests: Make descriptions sorted according to the order of the tests
* ipatests: Add coverage for referential integrity plugin applied on ipaAssignedIDView
* ipatests: Fix old command references in the ID views tests
* ipatests: Fix incorrect assumptions in idviews tests
* ipapython: Fix incorrect python shebangs
* ipatests: Add coverage for adding and removing sshpubkeys in ID overrides
* ipalib: Make sure correct attribute name is referenced for fax
* idviews: Use case-insensitive detection of Default Trust View
* Revert "Server Upgrade: respect --test option in plugins"
* replica-manage: Properly delete nested entries
* Add Domain Level feature

-- 
Petr Vobornik

From mkubik at redhat.com Mon Jun 22 14:55:57 2015
From: mkubik at redhat.com (Milan Kubik)
Date: Mon, 22 Jun 2015 16:55:57 +0200
Subject: [Freeipa-devel] certprofile test plan update
Message-ID: <558821FD.6020605@redhat.com>

Hello,

here is an update to the certificate profile test plan based on the latest version of the design document [1,2].

The test itself is merely a CRUD test at the moment. To write a functional test for the feature, I will need to write a test for CA ACLs (to implement the caacl tracker class). Together the trackers for these two (once Sub CAs are implemented, three) classes [3] can be used to extend the cert-request tests so as to check whether the ACLs and profiles are being enforced.

Fraser, the show command in the design has an 'output' option to retrieve the profile itself. Will this be implemented or did you just forget to remove it from the design page?

[1]: http://www.freeipa.org/page/V4/Certificate_Profiles/Test_Plan
[2]: http://www.freeipa.org/page/V4/Certificate_Profiles
[3]: https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=d25a45a9f99aa5d841f47baa0332f49223ecffca

From tbordaz at redhat.com Mon Jun 22 15:08:52 2015
From: tbordaz at redhat.com (thierry bordaz)
Date: Mon, 22 Jun 2015 17:08:52 +0200
Subject: [Freeipa-devel] [PATCH] 00015 User life cycle: permission to delete a preserved user
Message-ID: <55882504.4040703@redhat.com>

Add the permission to Stage users administrators to delete an already preserved user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tbordaz-0015-User-life-cycle-permission-to-delete-a-preserved-use.patch
Type: text/x-patch
Size: 3315 bytes
Desc: not available
URL: 

From cheimes at redhat.com Mon Jun 22 16:16:06 2015
From: cheimes at redhat.com (Christian Heimes)
Date: Mon, 22 Jun 2015 18:16:06 +0200
Subject: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)
In-Reply-To: <1434982942.3058.0.camel@redhat.com>
References: <5565C3AF.1070509@redhat.com> <5576F050.7070903@redhat.com> <1434138036.2542.52.camel@redhat.com> <557B55F6.4060408@redhat.com> <1434557376.2815.14.camel@redhat.com> <5588127F.5090200@redhat.com> <188991005.26834733.1434981677810.JavaMail.zimbra@redhat.com> <1434982204.16474.12.camel@willson.usersys.redhat.com> <1434982942.3058.0.camel@redhat.com>
Message-ID: <558834C6.20700@redhat.com>

On 2015-06-22 16:22, Nathaniel McCallum wrote:
> On Mon, 2015-06-22 at 10:10 -0400, Simo Sorce wrote:
>> On Mon, 2015-06-22 at 10:01 -0400, Nathaniel McCallum wrote:
>>> I'd still prefer a user mapping to managing a keytab. This patch is
>>> just way too complex for what it does.
>>
>> User mapping ?
>
> EXTERNAL bind

Nathaniel, Simo and I had a discussion on #ipa. Eventually our combined brains came up with a simpler solution that is good enough for now.

The new proposal needs neither a keytab nor a new permission. It even removes the necessity for a shim module.

The WSGI config file for Apache is moved to a different location (e.g. /etc/ipa/ipa-kdc-proxy.conf). I have to check SELinux rules to find a proper location. An additional ExecStartPre script is hooked into httpd.service instead. The script reads the status of the flag from LDAP. If kdcproxy is enabled, it symlinks the WSGI config file to /etc/httpd/conf.d/ipa-kdc-proxy.conf. Otherwise it removes the symlink. When the file is not a symlink or doesn't point to /etc/ipa/ipa-kdc-proxy.conf, then the script only prints a warning. The file is neither replaced nor removed.

Because systemd scripts run as root, the ExecStartPre script can use EXTERNAL bind over ldapi to access 389 DS.
The root user is mapped to the Directory Manager user, which is allowed to read all entries in the cn=masters,cn=ipa,cn=etc subtree. That way the script does neither need a keytab nor an additional permission. With the ExecStartPre we don't lose any functionality. When the config file is not symlinked, Apache responds with a 404 (just like before). Apache must be reloaded, before a new setting becomes effective (just like before). Christian -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From rcritten at redhat.com Mon Jun 22 17:48:20 2015 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 22 Jun 2015 13:48:20 -0400 Subject: [Freeipa-devel] [PATCH] 1113 Hosts add their own services Message-ID: <55884A64.6040003@redhat.com> Add an ACI to allow a host to add its own services. This only grants add access. It can't subsequently delete or modify the entry. This requires 389-ds-1.3.4.0 GA. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-1113-hosts-add-services.patch Type: text/x-diff Size: 2524 bytes Desc: not available URL: From edewata at redhat.com Tue Jun 23 03:27:22 2015 
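The symlink handling that Christian Heimes's message above describes for the httpd ExecStartPre script, as an added example (not FreeIPA's own script). Reading the kdcproxy flag from LDAP over ldapi is left to the caller and passed in as the `enabled` argument; the two paths are taken from the message and are parameters so the logic can be exercised against a temporary directory.

```python
"""ExecStartPre-style symlink management for the kdcproxy Apache config.

Added example, not FreeIPA's own code.  The LDAP lookup of the kdcproxy flag
is left to the caller (the `enabled` argument); only the filesystem part of
the message's description is implemented here.
"""
import os

# Paths named in the message.
SOURCE = '/etc/ipa/ipa-kdc-proxy.conf'
LINK = '/etc/httpd/conf.d/ipa-kdc-proxy.conf'


def sync_kdcproxy_config(enabled, link=LINK, source=SOURCE):
    """Create or remove the symlink according to the flag read from LDAP.

    Returns one of 'created', 'removed', 'unchanged' or 'foreign'.
    A path that exists but is not a symlink to `source` is reported as
    'foreign' and is never replaced or removed: only a warning is printed,
    which is the edge case the message insists on.
    """
    if os.path.lexists(link):
        if not os.path.islink(link) or os.readlink(link) != source:
            # Not our symlink (regular file or link elsewhere): warn only.
            print('warning: %s is not a symlink to %s, leaving it alone'
                  % (link, source))
            return 'foreign'
        # It is our symlink; keep it when enabled, drop it when disabled.
        if enabled:
            return 'unchanged'
        os.unlink(link)
        return 'removed'

    # Nothing at the link path yet.
    if enabled:
        os.symlink(source, link)
        return 'created'
    return 'unchanged'
```

A disabled flag with the symlink absent, and an enabled flag with the symlink already correct, are both no-ops, so the script is safe to run on every httpd start.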
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 22 Jun 2015 22:27:22 -0500
Subject: [Freeipa-devel] [PATCH] Password vault
In-Reply-To: <55811463.8050802@redhat.com>
References: <54E1AF55.3060409@redhat.com> <54EBEB55.6010306@redhat.com> <54F96B22.9050507@redhat.com> <55004D5D.6060300@redhat.com> <550FE5EB.1070606@redhat.com> <551E0AE1.8040500@redhat.com> <553498D1.1020901@redhat.com> <55651209.8020000@redhat.com> <556558AA.6040107@redhat.com> <556CF209.7050404@redhat.com> <556EF05E.90103@redhat.com> <55719260.8080300@redhat.com> <5571FD75.5010708@redhat.com> <557568CB.3040503@redhat.com> <557756EE.8020507@redhat.com> <5577D581.1020800@redhat.com> <557E7D21.2040304@redhat.com> <557F5998.2000103@redhat.com> <55811463.8050802@redhat.com>
Message-ID: <5588D21A.1020104@redhat.com>

Please take a look at the new patch.

On 6/17/2015 1:32 AM, Jan Cholasta wrote:
>>> I think it would be better to use a new attribute type which inherits
>>> from ipaPublicKey (ipaVaultPublicKey?) rather than ipaPublicKey directly
>>> for asymmetric vault public keys, so that asymmetric public key and
>>> escrow public key are on the same level and you can still use
>>> ipaPublicKey to refer to either one:
>>>
>>> ipaPublicKey
>>> ipaVaultPublicKey
>>> ipaEscrowPublicKey
>>>
>> OK. To be consistent the parameters need to be renamed too:
>> --vault-public-key and --vault-public-key-file.
>
> It doesn't need to, there is no requirement for CLI names to always
> match attribute names. (Also I don't insist on the name
> "ipaVaultPublicKey", feel free to change it if you want.)

It's unchanged for now. In a previous discussion it was advised to reuse the existing attribute type whenever possible.

>>>>> 1. The vault_add was split into a client-side vault_add and
>>>>> server-side vault_add_internal since the parameters are different
>>>>> (i.e. public key file and future escrow-related params). Since
>>>>> vault_add inherits from Local all non-primary-key attributes have
>>>>> to be added explicitly.
>>>
>>> The split is not really necessary, since the only difference is the
>>> public_key_file option, which exists only because of the lack of proper
>>> file support in the framework. This is a different situation from
>>> vault_{archive,retrieve}, which has two different sets of options on
>>> client and server side. Escrow adds only ipaescrowpublickey and
>>> escrow_public_key_file, right? If yes, we can safely keep the command in
>>> a single piece.
>>
>> We know the vault-add will have at least two client-only parameters:
>> vault_public_key_file and escrow_public_key_file. Keeping these
>> parameters on the server API would be wrong and confusing. If the API is
>> called on the server side with vault_public_key_file the operation will
>> fail. In the previous discussion you considered this as broken API:
>>
>>> Server API is used not only by the server itself, but also by installers
>>> for example. Anyway the point is that there *can't* be a broken API like
>>> this, you should at least raise an error if the command is called from
>>> server API, although actually separating it into client and server parts
>>> would be preferable.
>
> You are comparing apples and oranges:

Non-identical items are different by definition. Even between 2 apples there are differences, but it doesn't mean the distinction is important. The latest patch shows that the vault_add needs to be split, not just because of the options, but because of what they do differently on the client and server.

> a) When the non-split vault_{archive,retrieve} was called from a
> server API with client-only options, it crashed. This is the broken API
> I was talking about.

This is because in the current framework any API called on the server side will be a server API, so you are not supposed to call it with client options in the first place. Because of that limitation, the only way to use client options is to use a separate API on the client side to call the original API on the server side. The point is, client options belong to client API, and server options belong to server API. In vault_add the public key file name belongs to client API because it's used to load a file on the client side. You should not add a public key file name option to the server API just because it can safely be ignored.

> b) The non-split vault_{archive,retrieve} had server-only options,
> which were also accepted on client, but setting them had no effect.

Similarly, in a combined vault_add the public key file name option will be accepted by the server, but it will be ignored. If something calls vault_add on the server side and provides a file name, the operation will crash too because the command expects the public key data to be provided via another option. Splitting the vault_add into client and server components avoids the potential problems.

> c) The CLI options to read param values from files should be generated
> by the framework without having to specify dummy params. Once this is
> implemented, the dummy params will go away. However, this will still
> leave some client-only options in vault_{archive,retrieve}.

I'm not sure what the options will look like when that's implemented, but regardless, the vault_add will still have a client-only password option.

> None of the above applies to vault_add - it does not have any
> server-only options and the only client-only options it has are the
> dummy options for file input, which are ignored on the server.

Let's not get fixated on just the options. The vault_add will now archive blank initial data as it was originally designed. The data can be used later to verify the vault password in subsequent archival operations. The vault_archive must be called by vault_add's client component since it takes a password and the password cannot be sent to the server.

>> Also, originally the vault was designed like this: when you create a
>> symmetric vault you're supposed to specify the password as well, similar
>> to adding a public key when creating an asymmetric vault. When you
>> archive, you're supposed to enter the same password for verification,
>> not a new password. So it would look like this:
>>
>> $ ipa vault-add test --type symmetric
>> New password: ********
>> Verify password: ********
>>
>> $ ipa vault-archive test --in secret1.txt
>> Password: ******** (same password)
>>
>> $ ipa vault-archive test --in secret2.txt
>> Password: ******** (same password)
>>
>> In the original design the vault-add would also archive blank data,
>> which later could be used to verify the password during vault-archive by
>> decrypting the existing data first. There's also a plan to add a
>> mechanism to change the password after the ACL patch.
>>
>> In the current design the vault-add doesn't archive anything, so during
>> vault-archive it cannot verify the password because there is nothing to
>> decrypt. In other words you can specify different passwords on each
>> archival, regardless of previous archivals:
>>
>> $ ipa vault-add test --type symmetric
>>
>> $ ipa vault-archive test --in secret1.txt
>> New password: ********
>> Verify password: ********
>>
>> $ ipa vault-archive test --in secret2.txt
>> New password: ********
>> Verify password: ********
>>
>> So basically here are the options:
>>
>> 1. Specify the crypto parameters once during vault creation, then
>> reuse/verify the parameters on each archival & retrieval. You can change
>> the parameters only with a special command.
>>
>> 2. Don't specify the crypto parameters during vault creation, but
>> specify new parameters on each archival. For retrieval you'd have to
>> use/verify the parameters specified in the last archival.
>>
>> I think the first one makes more sense and is easier to use. That also
>> means the vault-add will have additional client-only parameters such as
>> --password and --password-file.
>
> How come --password is client-side? When setting password for a user,
> the password is sent to the server. If it's OK for users, why is it not
> OK for vaults?

Please see the sequence diagram in the vault design page. The vault password is used by the user to encrypt the secret before it's sent to the server. The server is not supposed to know the vault password. I'm not sure exactly how the user password is used, but I suppose the crypto operation is done on the server side.

> Does the password need to be set in vault_add? Why not have a separate
> command for setting the password, like what we have for users?

No. The vault password is not stored on the server. It's only used to generate the encryption key on the client side, and the password & key will be discarded immediately after each use. That's why you have to specify the password on each archival & retrieval.

>>>>> 2. Since the vault_archive_internal inherits from Update, it accepts
>>>>> all non primary-key attributes automatically. This is incorrect since
>>>>> we don't want to update these parameters during archival. Can this
>>>>> behavior be overridden?
>>>
>>> Inherit from PKQuery instead (don't forget to add "has_output =
>>> output.standard_entry").
>>
>> Previously you didn't want to use LDAPQuery because of semantics
>> reasons. Is PKQuery fine semantically?
>
> It's not. Currently there is a set of commands which operate on the LDAP
> part of vault and another set of commands which operate on the KRA part
> of vault and we don't want the commands in one set to see attributes
> related to the other part of vault. If you insist on keeping both parts
> in a single object, you have to resort to hackery like using PKQuery,
> hence my suggestion to split the data part off to a separate object to
> avoid this.

This is because the framework was based on simplistic assumptions which create unnecessary restrictions, for example:

* client API is just a proxy to server API (i.e. client and server cannot do different things)
* CLI options will be identical to client and server API options (i.e. no CLI-only, client-only, or server-only options)
* a plugin will only access one type of data (i.e. LDAP plugin can only access LDAP data)
* a command name will match the object name (i.e. must use vaultdata_mod instead of a more intuitive vault_archive)

We know that some use cases do not fit these assumptions. Rather than compromising the use case, or looking at workarounds as hacks, I'd suggest finding ideas to improve the framework itself to be more accommodating.

>> Why not use LDAPQuery since vault
>> is an LDAPObject?
>
> Because you are retrieving data from KRA, not from LDAP.

The vault archive and retrieve do actually retrieve the vault LDAP entry first, then perform the KRA archival/retrieval after that. Right now they use vault_show to do the LDAP retrieval, but in the old patch it was implemented as LDAPRetrieve. Regardless, they are retrieving both LDAP and KRA data.

>> And to be consistent should vault_retrieve_internal
>> inherit from the same class?
>
> It could, but it's not necessary.

Changed for consistency.

--
Endi S. Dewata

-------------- next part --------------
>From 0f0ba6bf9a78b154a0a52e1805ba651a9d93beb7 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" Date: Fri, 24 Oct 2014 19:53:16 -0400 Subject: [PATCH] Added symmetric and asymmetric vaults. The vault plugin has been modified to support symmetric and asymmetric vaults to provide additional security over the standard vault by encrypting the data before it's sent to the server. The encryption functionality is implemented using the python-cryptography library. https://fedorahosted.org/freeipa/ticket/3872 --- API.txt | 52 ++- VERSION | 4 +- freeipa.spec.in | 2 + install/share/60basev3.ldif | 4 +- ipalib/plugins/vault.py | 583 ++++++++++++++++++++++++++++-- ipatests/test_xmlrpc/test_vault_plugin.py | 221 +++++++++-- 6 files changed, 794 insertions(+), 72 deletions(-) diff --git a/API.txt b/API.txt index 3bcb3bdd24ada4e513f6263fc32a2953c18fc142..a90e60ad97fa56a304c54fd61a4b02ad7559882f 100644 --- a/API.txt +++ b/API.txt 
@@ -5327,14 +5327,35 @@ output: Output('result', , None) output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) command: vault_add -args: 1,9,3 +args: 1,14,3 +arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) +option: Str('addattr*', cli_name='addattr', exclude='webui') +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('description?', cli_name='desc') +option: Bytes('ipapublickey?', cli_name='public_key') +option: Str('ipavaulttype?', cli_name='type') +option: Str('password?', cli_name='password') +option: Str('password_file?', cli_name='password_file') +option: Str('public_key_file?', cli_name='public_key_file') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('service?') +option: Str('setattr*', cli_name='setattr', exclude='webui') +option: Flag('shared?', autofill=True, default=False) +option: Str('user?') +option: Str('version?', exclude='webui') +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) +command: vault_add_internal +args: 1,10,3 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, required=True) -option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('description', attribute=True, cli_name='desc', multivalue=False, required=False) +option: Bytes('ipapublickey', attribute=True, cli_name='public_key', multivalue=False, required=False) +option: Bytes('ipavaultsalt', attribute=True, cli_name='salt', multivalue=False, required=False) +option: Str('ipavaulttype', attribute=True, autofill=True, cli_name='type', default=u'standard', 
multivalue=False, required=False) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('service?') -option: Str('setattr*', cli_name='setattr', exclude='webui') option: Flag('shared?', autofill=True, default=False) option: Str('user?') option: Str('version?', exclude='webui') @@ -5342,11 +5363,13 @@ output: Entry('result', , Gettext('A dictionary representing an LDA output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) command: vault_archive -args: 1,8,3 +args: 1,10,3 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Bytes('data?') option: Str('in?') +option: Str('password?', cli_name='password') +option: Str('password_file?', cli_name='password_file') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('service?') option: Flag('shared?', autofill=True, default=False) @@ -5355,11 +5378,10 @@ option: Str('version?', exclude='webui') output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) -command: vault_archive_encrypted -args: 1,10,3 +command: vault_archive_internal +args: 1,9,3 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') -option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, required=False) option: Bytes('nonce') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('service?') 
@@ -5383,11 +5405,12 @@ output: Output('result', , None) output: Output('summary', (, ), None) output: ListOfPrimaryKeys('value', None, None) command: vault_find -args: 1,11,4 +args: 1,12,4 arg: Str('criteria?', noextrawhitespace=False) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('cn', attribute=True, autofill=False, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=False) option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, query=True, required=False) +option: Str('ipavaulttype', attribute=True, autofill=False, cli_name='type', default=u'standard', multivalue=False, query=True, required=False) option: Flag('pkey_only?', autofill=True, default=False) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('service?') 
@@ -5401,12 +5424,15 @@ output: ListOfEntries('result', (, ), Gettext('A list output: Output('summary', (, ), None) output: Output('truncated', , None) command: vault_mod -args: 1,11,3 +args: 1,14,3 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('delattr*', cli_name='delattr', exclude='webui') option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, required=False) +option: Bytes('ipapublickey', attribute=True, autofill=False, cli_name='public_key', multivalue=False, required=False) +option: Bytes('ipavaultsalt', attribute=True, autofill=False, cli_name='salt', multivalue=False, required=False) +option: Str('ipavaulttype', attribute=True, autofill=False, cli_name='type', default=u'standard', multivalue=False, required=False) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Flag('rights', autofill=True, default=False) option: Str('service?') 
@@ -5418,10 +5444,14 @@ output: Entry('result', , Gettext('A dictionary representing an LDA output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) command: vault_retrieve -args: 1,7,3 +args: 1,11,3 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('out?') +option: Str('password?', cli_name='password') +option: Str('password_file?', cli_name='password_file') +option: Bytes('private_key?', cli_name='private_key') +option: Str('private_key_file?', cli_name='private_key_file') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('service?') option: Flag('shared?', autofill=True, default=False) @@ -5430,7 +5460,7 @@ option: Str('version?', exclude='webui') output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) -command: vault_retrieve_encrypted +command: vault_retrieve_internal args: 1,7,3 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') diff --git a/VERSION b/VERSION index 224d34925685c8ecb6f2db3672d34c40621dc9dc..f96638721fb10c5925e9289da4ba41c86e39adeb 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=135 -# Last change: jcholast - User life cycle: Make user-del flags CLI-specific +IPA_API_VERSION_MINOR=136 +# Last change: edewata - added symmetric and asymmetric vaults 
diff --git a/freeipa.spec.in b/freeipa.spec.in index 809ac1e5bb877c85e29c082ecfb9ad91aa97b4f5..e90b489c831f8eec01e9a13bbf159edcce9a9407 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -64,6 +64,7 @@ BuildRequires: python-ldap BuildRequires: python-setuptools BuildRequires: python-krbV BuildRequires: python-nss +BuildRequires: python-cryptography BuildRequires: python-netaddr BuildRequires: python-kerberos >= 1.1-14 BuildRequires: python-rhsm @@ -286,6 +287,7 @@ Requires: iproute Requires: keyutils Requires: pyOpenSSL Requires: python-nss >= 0.16 +Requires: python-cryptography Requires: python-lxml Requires: python-netaddr Requires: libipa_hbac-python diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif index 33f4804e30ff1b3814ecf295bb41f07e2a8cd12f..cb159db05a5371c71e421160f60140d85ba5496f 100644 --- a/install/share/60basev3.ldif +++ b/install/share/60basev3.ldif 
@@ -56,6 +56,8 @@ attributeTypes: (2.16.840.1.113730.3.8.11.64 NAME 'ipaSecretKeyRef' DESC 'DN of attributeTypes: (2.16.840.1.113730.3.8.11.65 NAME 'ipaWrappingMech' DESC 'PKCS#11 wrapping mechanism equivalent to CK_MECHANISM_TYPE' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.1') attributeTypes: (2.16.840.1.113730.3.8.11.70 NAME 'ipaPermTargetTo' DESC 'Destination location to move an entry IPA permission ACI' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v4.0' ) attributeTypes: (2.16.840.1.113730.3.8.11.71 NAME 'ipaPermTargetFrom' DESC 'Source location from where moving an entry IPA permission ACI' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v4.0' ) +attributeTypes: (2.16.840.1.113730.3.8.18.2.1 NAME 'ipaVaultType' DESC 'IPA vault type' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.2') +attributeTypes: (2.16.840.1.113730.3.8.18.2.2 NAME 'ipaVaultSalt' DESC 'IPA vault salt' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.2' ) objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup' SUP top STRUCTURAL MUST ( cn ) MAY ( ipaExternalMember $ memberOf $ description $ owner) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.2 NAME 'ipaNTUserAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) MAY ( ipaNTHash $ ipaNTLogonScript $ ipaNTProfilePath $ ipaNTHomeDirectory $ ipaNTHomeDirectoryDrive ) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.3 NAME 'ipaNTGroupAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' ) 
@@ -79,4 +81,4 @@ objectClasses: (2.16.840.1.113730.3.8.12.24 NAME 'ipaPublicKeyObject' DESC 'Wrap objectClasses: (2.16.840.1.113730.3.8.12.25 NAME 'ipaPrivateKeyObject' DESC 'Wrapped private keys' SUP top AUXILIARY MUST ( ipaPrivateKey $ ipaWrappingKey $ ipaWrappingMech ) X-ORIGIN 'IPA v4.1' ) objectClasses: (2.16.840.1.113730.3.8.12.26 NAME 'ipaSecretKeyObject' DESC 'Wrapped secret keys' SUP top AUXILIARY MUST ( ipaSecretKey $ ipaWrappingKey $ ipaWrappingMech ) X-ORIGIN 'IPA v4.1' ) objectClasses: (2.16.840.1.113730.3.8.12.34 NAME 'ipaSecretKeyRefObject' DESC 'Indirect storage for encoded key material' SUP top AUXILIARY MUST ( ipaSecretKeyRef ) X-ORIGIN 'IPA v4.1' ) -objectClasses: (2.16.840.1.113730.3.8.18.1.1 NAME 'ipaVault' DESC 'IPA vault' SUP top STRUCTURAL MUST ( cn ) MAY ( description ) X-ORIGIN 'IPA v4.2' ) +objectClasses: (2.16.840.1.113730.3.8.18.1.1 NAME 'ipaVault' DESC 'IPA vault' SUP top STRUCTURAL MUST ( cn ) MAY ( description $ ipaVaultType $ ipaVaultSalt $ ipaPublicKey ) X-ORIGIN 'IPA v4.2' ) diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py index f80ecfdfa72671a68822f9f87599d8d5f2898728..193fa5cbb6eb06d22a30d8cfba62e10e9557c1d6 100644 --- a/ipalib/plugins/vault.py +++ b/ipalib/plugins/vault.py @@ -18,11 +18,20 @@ # along with this program. If not, see . import base64 +import getpass import json import os import sys import tempfile +from cryptography.fernet import Fernet, InvalidToken +from cryptography.hazmat.backends import default_backend +from cryptography.hazmat.primitives import hashes +from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC +from cryptography.hazmat.primitives.asymmetric import padding +from cryptography.hazmat.primitives.serialization import load_pem_public_key,\ + load_pem_private_key + import nss.nss as nss import krbV 
@@ -50,6 +59,36 @@ Vaults """) + _(""" Manage vaults. """) + _(""" +Vault is a secure place to store a secret. +""") + _(""" +Based on the ownership there are three vault categories: +* user/private vault +* service vault +* shared vault +""") + _(""" +User vaults are vaults owned used by a particular user. Private +vaults are vaults owned the current user. Service vaults are +vaults owned by a service. Shared vaults are owned by the admin +but they can be used by other users or services. +""") + _(""" +Based on the security mechanism there are three types of +vaults: +* standard vault +* symmetric vault +* asymmetric vault +""") + _(""" +Standard vault uses a secure mechanism to transport and +store the secret. The secret can only be retrieved by users +that have access to the vault. +""") + _(""" +Symmetric vault is similar to the standard vault, but it +pre-encrypts the secret using a password before transport. +The secret can only be retrieved using the same password. +""") + _(""" +Asymmetric vault is similar to the standard vault, but it +pre-encrypts the secret using a public key before transport. +The secret can only be retrieved using the private key. +""") + _(""" EXAMPLES: """) + _(""" List private vaults: @@ -76,6 +115,12 @@ EXAMPLES: Add a user vault: ipa vault-add --user """) + _(""" + Add a symmetric vault: + ipa vault-add --type symmetric --password-file password.txt +""") + _(""" + Add an asymmetric vault: + ipa vault-add --type asymmetric --public-key-file public.pem +""") + _(""" Show a private vault: ipa vault-show """) + _(""" @@ -113,7 +158,7 @@ EXAMPLES: ipa vault-del --user """) + _(""" Display vault configuration: - ipa vault-config + ipa vaultconfig-show """) + _(""" Archive data into private vault: ipa vault-archive --in 
@@ -127,6 +172,12 @@ EXAMPLES: Archive data into user vault: ipa vault-archive --user --in """) + _(""" + Archive data into symmetric vault: + ipa vault-archive --in +""") + _(""" + Archive data into asymmetric vault: + ipa vault-archive --in +""") + _(""" Retrieve data from private vault: ipa vault-retrieve --out """) + _(""" @@ -137,7 +188,13 @@ EXAMPLES: ipa vault-retrieve --shared --out """) + _(""" Retrieve data from user vault: - ipa vault-retrieve --user --out + ipa vault-retrieve --user --out +""") + _(""" + Retrieve data from symmetric vault: + ipa vault-retrieve --out data.bin +""") + _(""" + Retrieve data from asymmetric vault: + ipa vault-retrieve --out data.bin --private-key-file private.pem """) register = Registry() @@ -146,7 +203,7 @@ register = Registry() vault_options = ( Str( 'service?', - doc=_('Service name'), + doc=_('Service name of the service vault'), ), Flag( 'shared?', @@ -154,7 +211,7 @@ vault_options = ( ), Str( 'user?', - doc=_('Username'), + doc=_('Username of the user vault'), ), ) @@ -174,6 +231,14 @@ class vault(LDAPObject): default_attributes = [ 'cn', 'description', + 'ipavaulttype', + 'ipavaultsalt', + 'ipapublickey', + ] + search_display_attributes = [ + 'cn', + 'description', + 'ipavaulttype', ] label = _('Vaults') @@ -195,6 +260,28 @@ class vault(LDAPObject): label=_('Description'), doc=_('Vault description'), ), + Str( + 'ipavaulttype?', + cli_name='type', + label=_('Type'), + doc=_('Vault type'), + default=u'standard', + autofill=True, + ), + Bytes( + 'ipavaultsalt?', + cli_name='salt', + label=_('Salt'), + doc=_('Vault salt'), + flags=['no_search'], + ), + Bytes( + 'ipapublickey?', + cli_name='public_key', + label=_('Public key'), + doc=_('Vault public key'), + flags=['no_search'], + ), ) def get_dn(self, *keys, **options): 
@@ -307,12 +394,232 @@ class vault(LDAPObject): return 'ipa:' + id + def get_new_password(self): + """ + Gets new password from user and verify it. + """ + while True: + password = getpass.getpass('New password: ').decode( + sys.stdin.encoding) + password2 = getpass.getpass('Verify password: ').decode( + sys.stdin.encoding) + + if password == password2: + return password + + print ' ** Passwords do not match! **' + + def get_existing_password(self, new=False): + """ + Gets existing password from user. + """ + return getpass.getpass('Password: ').decode(sys.stdin.encoding) + + def generate_symmetric_key(self, password, salt): + """ + Generates symmetric key from password and salt. + """ + kdf = PBKDF2HMAC( + algorithm=hashes.SHA256(), + length=32, + salt=salt, + iterations=100000, + backend=default_backend() + ) + + return base64.b64encode(kdf.derive(password.encode('utf-8'))) + + def encrypt(self, data, symmetric_key=None, public_key=None): + """ + Encrypts data with symmetric key or public key. + """ + if symmetric_key: + fernet = Fernet(symmetric_key) + return fernet.encrypt(data) + + elif public_key: + rsa_public_key = load_pem_public_key( + data=public_key, + backend=default_backend() + ) + return rsa_public_key.encrypt( + data, + padding.OAEP( + mgf=padding.MGF1(algorithm=hashes.SHA1()), + algorithm=hashes.SHA1(), + label=None + ) + ) + + def decrypt(self, data, symmetric_key=None, private_key=None): + """ + Decrypts data with symmetric key or public key. 
+ """ + if symmetric_key: + try: + fernet = Fernet(symmetric_key) + return fernet.decrypt(data) + except InvalidToken: + raise errors.AuthenticationError( + message=_('Invalid credentials')) + + elif private_key: + try: + rsa_private_key = load_pem_private_key( + data=private_key, + password=None, + backend=default_backend() + ) + return rsa_private_key.decrypt( + data, + padding.OAEP( + mgf=padding.MGF1(algorithm=hashes.SHA1()), + algorithm=hashes.SHA1(), + label=None + ) + ) + except AssertionError: + raise errors.AuthenticationError( + message=_('Invalid credentials')) + @register() -class vault_add(LDAPCreate): +class vault_add(PKQuery, Local): __doc__ = _('Create a new vault.') - takes_options = LDAPCreate.takes_options + vault_options + takes_options = LDAPCreate.takes_options + vault_options + ( + Str( + 'description?', + cli_name='desc', + doc=_('Vault description'), + ), + Str( + 'ipavaulttype?', + cli_name='type', + doc=_('Vault type'), + ), + Str( + 'password?', + cli_name='password', + doc=_('Vault password'), + ), + Str( # TODO: use File parameter + 'password_file?', + cli_name='password_file', + doc=_('File containing the vault password'), + ), + Bytes( + 'ipapublickey?', + cli_name='public_key', + doc=_('Vault public key'), + ), + Str( # TODO: use File parameter + 'public_key_file?', + cli_name='public_key_file', + doc=_('File containing the vault public key'), + ), + ) + + has_output = output.standard_entry + + def forward(self, *args, **options): + + vault_type = options.get('ipavaulttype', u'standard') + password = options.get('password') + password_file = options.get('password_file') + public_key = options.get('ipapublickey') + public_key_file = options.get('public_key_file') + + # don't send these parameters to server + if 'password' in options: + del options['password'] + if 'password_file' in options: + del options['password_file'] + if 'public_key_file' in options: + del options['public_key_file'] + + if self.api.env.in_server: + backend = 
self.api.Backend.ldap2 + else: + backend = self.api.Backend.rpcclient + if not backend.isconnected(): + backend.connect(ccache=krbV.default_context().default_ccache()) + + if vault_type == u'standard': + + pass + + elif vault_type == u'symmetric': + + # get password + if password and password_file: + raise errors.MutuallyExclusiveError( + reason=_('Password specified multiple times')) + + elif password: + pass + + elif password_file: + with open(password_file, 'rb') as f: + password = f.read().rstrip('\n').decode('utf-8') + + else: + password = self.obj.get_new_password() + + # generate vault salt + options['ipavaultsalt'] = os.urandom(16) + + elif vault_type == u'asymmetric': + + # get new vault public key + if public_key and public_key_file: + raise errors.MutuallyExclusiveError( + reason=_('Public key specified multiple times')) + + elif public_key: + pass + + elif public_key_file: + with open(public_key_file, 'rb') as f: + public_key = f.read() + + # store vault public key + options['ipapublickey'] = public_key + + else: + raise errors.ValidationError( + name='ipapublickey', + error=_('Missing vault public key')) + + # create vault + response = self.api.Command.vault_add_internal(*args, **options) + + # prepare parameters for archival + opts = options.copy() + if 'description' in opts: + del opts['description'] + if 'ipavaulttype' in opts: + del opts['ipavaulttype'] + + if vault_type == u'symmetric': + opts['password'] = password + del opts['ipavaultsalt'] + + elif vault_type == u'asymmetric': + del opts['ipapublickey'] + + # archive blank data + self.api.Command.vault_archive(*args, **opts) + + return response + + + at register() +class vault_add_internal(LDAPCreate): + + NO_CLI = True + + takes_options = vault_options msg_summary = _('Added vault "%(value)s"') 
@@ -513,29 +820,46 @@ class vault_archive(PKQuery, Local): 'in?', doc=_('File containing data to archive'), ), + Str( + 'password?', + cli_name='password', + doc=_('Vault password'), + ), + Str( # TODO: use File parameter + 'password_file?', + cli_name='password_file', + doc=_('File containing the vault password'), + ), ) has_output = output.standard_entry - msg_summary = _('Archived data into vault "%(value)s"') - def forward(self, *args, **options): + name = args[-1] + data = options.get('data') input_file = options.get('in') + password = options.get('password') + password_file = options.get('password_file') + # don't send these parameters to server if 'data' in options: del options['data'] if 'in' in options: del options['in'] + if 'password' in options: + del options['password'] + if 'password_file' in options: + del options['password_file'] # get data if data and input_file: raise errors.MutuallyExclusiveError( reason=_('Input data specified multiple times')) - if input_file: + elif input_file: with open(input_file, 'rb') as f: data = f.read() 
@@ -549,13 +873,77 @@ class vault_archive(PKQuery, Local): if not backend.isconnected(): backend.connect(ccache=krbV.default_context().default_ccache()) + # retrieve vault info + vault = self.api.Command.vault_show(*args, **options)['result'] + + vault_type = vault['ipavaulttype'][0] + + if vault_type == u'standard': + + encrypted_key = None + + elif vault_type == u'symmetric': + + # get password + if password and password_file: + raise errors.MutuallyExclusiveError( + reason=_('Password specified multiple times')) + + elif password: + pass + + elif password_file: + with open(password_file) as f: + password = f.read().rstrip('\n').decode('utf-8') + + else: + password = self.obj.get_existing_password() + + # verify password by retrieving existing data + opts = options.copy() + opts['password'] = password + try: + self.api.Command.vault_retrieve(*args, **opts) + except errors.NotFound: + pass + + salt = vault['ipavaultsalt'][0] + + # generate encryption key from vault password + encryption_key = self.obj.generate_symmetric_key( + password, salt) + + # encrypt data with encryption key + data = self.obj.encrypt(data, symmetric_key=encryption_key) + + encrypted_key = None + + elif vault_type == u'asymmetric': + + public_key = vault['ipapublickey'][0].encode('utf-8') + + # generate encryption key + encryption_key = base64.b64encode(os.urandom(32)) + + # encrypt data with encryption key + data = self.obj.encrypt(data, symmetric_key=encryption_key) + + # encrypt encryption key with public key + encrypted_key = self.obj.encrypt( + encryption_key, public_key=public_key) + + else: + raise errors.ValidationError( + name='vault_type', + error=_('Invalid vault type')) + # initialize NSS database current_dbdir = paths.IPA_NSSDB_DIR nss.nss_init(current_dbdir) # retrieve transport certificate - config = self.api.Command.vaultconfig_show() - transport_cert_der = config['result']['transport_cert'] + config = self.api.Command.vaultconfig_show()['result'] + transport_cert_der = 
config['transport_cert'] nss_transport_cert = nss.Certificate(transport_cert_der) # generate session key @@ -579,6 +967,10 @@ class vault_archive(PKQuery, Local): vault_data = {} vault_data[u'data'] = base64.b64encode(data).decode('utf-8') + if encrypted_key: + vault_data[u'encrypted_key'] = base64.b64encode(encrypted_key)\ + .decode('utf-8') + json_vault_data = json.dumps(vault_data) # wrap vault_data with session key @@ -595,16 +987,12 @@ class vault_archive(PKQuery, Local): options['vault_data'] = wrapped_vault_data - response = self.api.Command.vault_archive_encrypted(*args, **options) - - response['result'] = {} - del response['summary'] - - return response + return self.api.Command.vault_archive_internal(*args, **options) @register() -class vault_archive_encrypted(Update): +class vault_archive_internal(PKQuery): + NO_CLI = True takes_options = vault_options + ( @@ -622,6 +1010,10 @@ class vault_archive_encrypted(Update): ), ) + has_output = output.standard_entry + + msg_summary = _('Archived data into vault "%(value)s"') + def execute(self, *args, **options): if not self.api.Command.kra_is_enabled()['result']: @@ -633,8 +1025,7 @@ class vault_archive_encrypted(Update): wrapped_session_key = options.pop('session_key') # retrieve vault info - result = self.api.Command.vault_show(*args, **options) - vault = result['result'] + vault = self.api.Command.vault_show(*args, **options)['result'] # connect to KRA kra_client = self.api.Backend.kra.get_client() @@ -666,7 +1057,14 @@ class vault_archive_encrypted(Update): kra_account.logout() - return result + response = { + 'value': args[-1], + 'result': {}, + } + + response['summary'] = self.msg_summary % response + + return response @register() 
@@ -678,6 +1076,26 @@ class vault_retrieve(PKQuery, Local): 'out?', doc=_('File to store retrieved data'), ), + Str( + 'password?', + cli_name='password', + doc=_('Vault password'), + ), + Str( # TODO: use File parameter + 'password_file?', + cli_name='password_file', + doc=_('File containing the vault password'), + ), + Bytes( + 'private_key?', + cli_name='private_key', + doc=_('Vault private key'), + ), + Str( # TODO: use File parameter + 'private_key_file?', + cli_name='private_key_file', + doc=_('File containing the vault private key'), + ), ) has_output = output.standard_entry @@ -688,15 +1106,28 @@ class vault_retrieve(PKQuery, Local): ), ) - msg_summary = _('Retrieved data from vault "%(value)s"') - def forward(self, *args, **options): + name = args[-1] + output_file = options.get('out') + password = options.get('password') + password_file = options.get('password_file') + private_key = options.get('private_key') + private_key_file = options.get('private_key_file') + # don't send these parameters to server if 'out' in options: del options['out'] + if 'password' in options: + del options['password'] + if 'password_file' in options: + del options['password_file'] + if 'private_key' in options: + del options['private_key'] + if 'private_key_file' in options: + del options['private_key_file'] if self.api.env.in_server: backend = self.api.Backend.ldap2 
@@ -705,13 +1136,18 @@ class vault_retrieve(PKQuery, Local): if not backend.isconnected(): backend.connect(ccache=krbV.default_context().default_ccache()) + # retrieve vault info + vault = self.api.Command.vault_show(*args, **options)['result'] + + vault_type = vault['ipavaulttype'][0] + # initialize NSS database current_dbdir = paths.IPA_NSSDB_DIR nss.nss_init(current_dbdir) # retrieve transport certificate - config = self.api.Command.vaultconfig_show() - transport_cert_der = config['result']['transport_cert'] + config = self.api.Command.vaultconfig_show()['result'] + transport_cert_der = config['transport_cert'] nss_transport_cert = nss.Certificate(transport_cert_der) # generate session key @@ -729,7 +1165,7 @@ class vault_retrieve(PKQuery, Local): # send retrieval request to server options['session_key'] = wrapped_session_key.data - response = self.api.Command.vault_retrieve_encrypted(*args, **options) + response = self.api.Command.vault_retrieve_internal(*args, **options) result = response['result'] nonce = result['nonce'] 
@@ -751,18 +1187,85 @@ class vault_retrieve(PKQuery, Local): vault_data = json.loads(json_vault_data) data = base64.b64decode(vault_data[u'data'].encode('utf-8')) + encrypted_key = None + + if 'encrypted_key' in vault_data: + encrypted_key = base64.b64decode(vault_data[u'encrypted_key'] + .encode('utf-8')) + + if vault_type == u'standard': + + pass + + elif vault_type == u'symmetric': + + salt = vault['ipavaultsalt'][0] + + # get encryption key from vault password + if password and password_file: + raise errors.MutuallyExclusiveError( + reason=_('Password specified multiple times')) + + elif password: + pass + + elif password_file: + with open(password_file) as f: + password = f.read().rstrip('\n').decode('utf-8') + + else: + password = self.obj.get_existing_password() + + # generate encryption key from password + encryption_key = self.obj.generate_symmetric_key(password, salt) + + # decrypt data with encryption key + data = self.obj.decrypt(data, symmetric_key=encryption_key) + + elif vault_type == u'asymmetric': + + # get encryption key with vault private key + if private_key and private_key_file: + raise errors.MutuallyExclusiveError( + reason=_('Private key specified multiple times')) + + elif private_key: + pass + + elif private_key_file: + with open(private_key_file, 'rb') as f: + private_key = f.read() + + else: + raise errors.ValidationError( + name='private_key', + error=_('Missing vault private key')) + + # decrypt encryption key with private key + encryption_key = self.obj.decrypt( + encrypted_key, private_key=private_key) + + # decrypt data with encryption key + data = self.obj.decrypt(data, symmetric_key=encryption_key) + + else: + raise errors.ValidationError( + name='vault_type', + error=_('Invalid vault type')) + if output_file: with open(output_file, 'w') as f: f.write(data) - response['result'] = {'data': data} - del response['summary'] + else: + response['result'] = {'data': data} return response @register() -class 
vault_retrieve_encrypted(Retrieve): +class vault_retrieve_internal(PKQuery): + NO_CLI = True takes_options = vault_options + ( @@ -772,6 +1275,10 @@ class vault_retrieve_encrypted(Retrieve): ), ) + has_output = output.standard_entry + + msg_summary = _('Retrieved data from vault "%(value)s"') + def execute(self, *args, **options): if not self.api.Command.kra_is_enabled()['result']: @@ -781,8 +1288,7 @@ class vault_retrieve_encrypted(Retrieve): wrapped_session_key = options.pop('session_key') # retrieve vault info - result = self.api.Command.vault_show(*args, **options) - vault = result['result'] + vault = self.api.Command.vault_show(*args, **options)['result'] # connect to KRA kra_client = self.api.Backend.kra.get_client() @@ -807,12 +1313,19 @@ class vault_retrieve_encrypted(Retrieve): key_info.get_key_id(), wrapped_session_key) - vault['vault_data'] = key.encrypted_data - vault['nonce'] = key.nonce_data - kra_account.logout() - return result + response = { + 'value': args[-1], + 'result': { + 'vault_data': key.encrypted_data, + 'nonce': key.nonce_data, + }, + } + + response['summary'] = self.msg_summary % response + + return response @register() diff --git a/ipatests/test_xmlrpc/test_vault_plugin.py b/ipatests/test_xmlrpc/test_vault_plugin.py index 9a40547b17f4e35f0bc0032e4e1d73e226243355..f8b57855a152c4c86d3a7681e6cc187a85b2c468 100644 --- a/ipatests/test_xmlrpc/test_vault_plugin.py +++ b/ipatests/test_xmlrpc/test_vault_plugin.py 
@@ -22,15 +22,63 @@ Test the `ipalib/plugins/vault.py` module. """ from ipalib import api, errors -from xmlrpc_test import Declarative +from xmlrpc_test import Declarative, fuzzy_string vault_name = u'test_vault' service_name = u'HTTP/server.example.com' user_name = u'testuser' +standard_vault_name = u'standard_test_vault' +symmetric_vault_name = u'symmetric_test_vault' +asymmetric_vault_name = u'asymmetric_test_vault' + # binary data from \x00 to \xff secret = ''.join(map(chr, xrange(0, 256))) +password = u'password' + +public_key = """ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnT61EFxUOQgCJdM0tmw/ +pRRPDPGchTClnU1eBtiQD3ItKYf1+weMGwGOSJXPtkto7NlE7Qs8WHAr0UjyeBDe +k/zeB6nSVdk47OdaW1AHrJL+44r238Jbm/+7VO5lTu6Z4N5p0VqoWNLi0Uh/CkqB +tsxXaaAgjMp0AGq2U/aO/akeEYWQOYIdqUKVgAEKX5MmIA8tmbmoYIQ+B4Q3vX7N +otG4eR6c2o9Fyjd+M4Gai5Ce0fSrigRvxAYi8xpRkQ5yQn5gf4WVrn+UKTfOIjLO +pVThop+Xivcre3SpI0kt6oZPhBw9i8gbMnqifVmGFpVdhq+QVBqp+MVJvTbhRPG6 +3wIDAQAB +-----END PUBLIC KEY----- +""" + +private_key = """ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAnT61EFxUOQgCJdM0tmw/pRRPDPGchTClnU1eBtiQD3ItKYf1 ++weMGwGOSJXPtkto7NlE7Qs8WHAr0UjyeBDek/zeB6nSVdk47OdaW1AHrJL+44r2 +38Jbm/+7VO5lTu6Z4N5p0VqoWNLi0Uh/CkqBtsxXaaAgjMp0AGq2U/aO/akeEYWQ +OYIdqUKVgAEKX5MmIA8tmbmoYIQ+B4Q3vX7NotG4eR6c2o9Fyjd+M4Gai5Ce0fSr +igRvxAYi8xpRkQ5yQn5gf4WVrn+UKTfOIjLOpVThop+Xivcre3SpI0kt6oZPhBw9 +i8gbMnqifVmGFpVdhq+QVBqp+MVJvTbhRPG63wIDAQABAoIBAQCD2bXnfxPcMnvi +jaPwpvoDCPF0EBBHmk/0g5ApO2Qon3uBDJFUqbJwXrCY6o2d9MOJfnGONlKmcYA8 +X+d4h+SqwGjIkjxdYeSauS+Jy6Rzr1ptH/P8EjPQrfG9uJxYQDflV3nxYwwwVrx7 +8kccMPdteRB+8Bb7FzOHufMimmayCNFETnVT5CKH2PrYoPB+fr0itCipWOenDp33 +e73OV+K9U3rclmtHaoRxGohqByKfQRUkipjw4m+T3qfZZc5eN77RGW8J+oL1GVom +fwtiH7N1HVte0Dmd13nhiASg355kjqRPcIMPsRHvXkOpgg5HRUTKG5elqAyvvm27 +Fzj1YdeRAoGBAMnE61+FYh8qCyEGe8r6RGjO8iuoyk1t+0gBWbmILLBiRnj4K8Tc +k7HBG/pg3XCNbCuRwiLg8tk3VAAXzn6o+IJr3QnKbNCGa1lKfYU4mt11sBEyuL5V +NpZcZ8IiPhMlGyDA9cFbTMKOE08RqbOIdxOmTizFt0R5sYZAwOjEvBIZAoGBAMeC 
+N/P0bdrScFZGeS51wEdiWme/CO0IyGoqU6saI8L0dbmMJquiaAeIEjIKLqxH1RON +axhsyk97e0PCcc5QK62Utf50UUAbL/v7CpIG+qdSRYDO4bVHSCkwF32N3pYh/iVU +EsEBEkZiJi0dWa/0asDbsACutxcHda3RI5pi7oO3AoGAcbGNs/CUHt1xEfX2UaT+ +YVSjb2iYPlNH8gYYygvqqqVl8opdF3v3mYUoP8jPXrnCBzcF/uNk1HNx2O+RQxvx +lIQ1NGwlLsdfvBvWaPhBg6LqSHadVVrs/IMrUGA9PEp/Y9B3arIIqeSnCrn4Nxsh +higDCwWKRIKSPwVD7qXVGBkCgYEAu5/CASIRIeYgEXMLSd8hKcDcJo8o1MoauIT/ +1Hyrvw9pm0qrn2QHk3WrLvYWeJzBTTcEzZ6aEG+fN9UodA8/VGnzUc6QDsrCsKWh +hj0cArlDdeSZrYLQ4TNCFCiUePqU6QQM8weP6TMqlejxTKF+t8qi1bF5rCWuzP1P +D0UU7DcCgYAUvmEGckugS+FTatop8S/rmkcQ4Bf5M/YCZfsySavucDiHcBt0QtXt +Swh0XdDsYS3W1yj2XqqsQ7R58KNaffCHjjulWFzb5IiuSvvdxzWtiXHisOpO36MJ +kUlCMj24a8XsShzYTWBIyW2ngvGe3pQ9PfjkUdm0LGZjYITCBvgOKw== +-----END RSA PRIVATE KEY----- +""" + class test_vault_plugin(Declarative): @@ -42,6 +90,9 @@ class test_vault_plugin(Declarative): }), ('vault_del', [vault_name], {'shared': True, 'continue': True}), ('vault_del', [vault_name], {'user': user_name, 'continue': True}), + ('vault_del', [standard_vault_name], {'continue': True}), + ('vault_del', [symmetric_vault_name], {'continue': True}), + ('vault_del', [asymmetric_vault_name], {'continue': True}), ] tests = [ @@ -61,6 +112,7 @@ class test_vault_plugin(Declarative): % (vault_name, api.env.basedn), 'objectclass': [u'top', u'ipaVault'], 'cn': [vault_name], + 'ipavaulttype': [u'standard'], }, }, }, @@ -81,6 +133,7 @@ class test_vault_plugin(Declarative): 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,cn=kra,%s' % (vault_name, api.env.basedn), 'cn': [vault_name], + 'ipavaulttype': [u'standard'], }, ], }, @@ -100,6 +153,7 @@ class test_vault_plugin(Declarative): 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,cn=kra,%s' % (vault_name, api.env.basedn), 'cn': [vault_name], + 'ipavaulttype': [u'standard'], }, }, }, @@ -119,6 +173,7 @@ class test_vault_plugin(Declarative): 'result': { 'cn': [vault_name], 'description': [u'Test vault'], + 'ipavaulttype': [u'standard'], }, }, }, 
@@ -156,6 +211,7 @@ class test_vault_plugin(Declarative): % (vault_name, service_name, api.env.basedn), 'objectclass': [u'top', u'ipaVault'], 'cn': [vault_name], + 'ipavaulttype': [u'standard'], }, }, }, @@ -178,6 +234,7 @@ class test_vault_plugin(Declarative): 'dn': u'cn=%s,cn=%s,cn=services,cn=vaults,cn=kra,%s' % (vault_name, service_name, api.env.basedn), 'cn': [vault_name], + 'ipavaulttype': [u'standard'], }, ], }, @@ -199,6 +256,7 @@ class test_vault_plugin(Declarative): 'dn': u'cn=%s,cn=%s,cn=services,cn=vaults,cn=kra,%s' % (vault_name, service_name, api.env.basedn), 'cn': [vault_name], + 'ipavaulttype': [u'standard'], }, }, }, @@ -219,6 +277,7 @@ class test_vault_plugin(Declarative): 'result': { 'cn': [vault_name], 'description': [u'Test vault'], + 'ipavaulttype': [u'standard'], }, }, }, @@ -258,6 +317,7 @@ class test_vault_plugin(Declarative): % (vault_name, api.env.basedn), 'objectclass': [u'top', u'ipaVault'], 'cn': [vault_name], + 'ipavaulttype': [u'standard'], }, }, }, @@ -280,6 +340,7 @@ class test_vault_plugin(Declarative): 'dn': u'cn=%s,cn=shared,cn=vaults,cn=kra,%s' % (vault_name, api.env.basedn), 'cn': [vault_name], + 'ipavaulttype': [u'standard'], }, ], }, @@ -301,6 +362,7 @@ class test_vault_plugin(Declarative): 'dn': u'cn=%s,cn=shared,cn=vaults,cn=kra,%s' % (vault_name, api.env.basedn), 'cn': [vault_name], + 'ipavaulttype': [u'standard'], }, }, }, @@ -321,6 +383,7 @@ class test_vault_plugin(Declarative): 'result': { 'cn': [vault_name], 'description': [u'Test vault'], + 'ipavaulttype': [u'standard'], }, }, }, @@ -360,6 +423,7 @@ class test_vault_plugin(Declarative): % (vault_name, user_name, api.env.basedn), 'objectclass': [u'top', u'ipaVault'], 'cn': [vault_name], + 'ipavaulttype': [u'standard'], }, }, }, @@ -382,6 +446,7 @@ class test_vault_plugin(Declarative): 'dn': u'cn=%s,cn=%s,cn=users,cn=vaults,cn=kra,%s' % (vault_name, user_name, api.env.basedn), 'cn': [vault_name], + 'ipavaulttype': [u'standard'], }, ], }, 
@@ -403,6 +468,7 @@ class test_vault_plugin(Declarative): 'dn': u'cn=%s,cn=%s,cn=users,cn=vaults,cn=kra,%s' % (vault_name, user_name, api.env.basedn), 'cn': [vault_name], + 'ipavaulttype': [u'standard'], }, }, }, @@ -423,6 +489,7 @@ class test_vault_plugin(Declarative): 'result': { 'cn': [vault_name], 'description': [u'Test vault'], + 'ipavaulttype': [u'standard'], }, }, }, @@ -446,50 +513,53 @@ class test_vault_plugin(Declarative): }, { - 'desc': 'Create vault for archival', + 'desc': 'Create standard vault', 'command': ( 'vault_add', - [vault_name], + [standard_vault_name], {}, ), 'expected': { - 'value': vault_name, - 'summary': 'Added vault "%s"' % vault_name, + 'value': standard_vault_name, + 'summary': 'Added vault "%s"' % standard_vault_name, 'result': { - 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' - % (vault_name, api.env.basedn), + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,cn=kra,%s' + % (standard_vault_name, api.env.basedn), 'objectclass': [u'top', u'ipaVault'], - 'cn': [vault_name], + 'cn': [standard_vault_name], + 'ipavaulttype': [u'standard'], }, }, }, { - 'desc': 'Archive secret', + 'desc': 'Archive secret into standard vault', 'command': ( 'vault_archive', - [vault_name], + [standard_vault_name], { 'data': secret, }, ), 'expected': { - 'value': vault_name, - 'summary': 'Archived data into vault "%s"' % vault_name, + 'value': standard_vault_name, + 'summary': 'Archived data into vault "%s"' + % standard_vault_name, 'result': {}, }, }, { - 'desc': 'Retrieve secret', + 'desc': 'Retrieve secret from standard vault', 'command': ( 'vault_retrieve', - [vault_name], + [standard_vault_name], {}, ), 'expected': { - 'value': vault_name, - 'summary': 'Retrieved data from vault "%s"' % vault_name, + 'value': standard_vault_name, + 'summary': 'Retrieved data from vault "%s"' + % standard_vault_name, 'result': { 'data': secret, }, 
@@ -497,17 +567,122 @@ class test_vault_plugin(Declarative): }, { - 'desc': 'Delete vault for archival', + 'desc': 'Create symmetric vault', 'command': ( - 'vault_del', - [vault_name], - {}, + 'vault_add', + [symmetric_vault_name], + { + 'ipavaulttype': u'symmetric', + 'password': password, + }, + ), + 'expected': { + 'value': symmetric_vault_name, + 'summary': 'Added vault "%s"' % symmetric_vault_name, + 'result': { + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,cn=kra,%s' + % (symmetric_vault_name, api.env.basedn), + 'objectclass': [u'top', u'ipaVault'], + 'cn': [symmetric_vault_name], + 'ipavaulttype': [u'symmetric'], + 'ipavaultsalt': [fuzzy_string], + }, + }, + }, + + { + 'desc': 'Archive secret into symmetric vault', + 'command': ( + 'vault_archive', + [symmetric_vault_name], + { + 'password': password, + 'data': secret, + }, + ), + 'expected': { + 'value': symmetric_vault_name, + 'summary': 'Archived data into vault "%s"' + % symmetric_vault_name, + 'result': {}, + }, + }, + + { + 'desc': 'Retrieve secret from symmetric vault', + 'command': ( + 'vault_retrieve', + [symmetric_vault_name], + { + 'password': password, + }, + ), + 'expected': { + 'value': symmetric_vault_name, + 'summary': 'Retrieved data from vault "%s"' + % symmetric_vault_name, + 'result': { + 'data': secret, + }, + }, + }, + + { + 'desc': 'Create asymmetric vault', + 'command': ( + 'vault_add', + [asymmetric_vault_name], + { + 'ipavaulttype': u'asymmetric', + 'ipapublickey': public_key, + }, + ), + 'expected': { + 'value': asymmetric_vault_name, + 'summary': 'Added vault "%s"' % asymmetric_vault_name, + 'result': { + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,cn=kra,%s' + % (asymmetric_vault_name, api.env.basedn), + 'objectclass': [u'top', u'ipaVault'], + 'cn': [asymmetric_vault_name], + 'ipavaulttype': [u'asymmetric'], + 'ipapublickey': [public_key], + }, + }, + }, + + { + 'desc': 'Archive secret into asymmetric vault', + 'command': ( + 'vault_archive', + [asymmetric_vault_name], + { + 'data': 
secret, + }, ), 'expected': { - 'value': [vault_name], - 'summary': u'Deleted vault "%s"' % vault_name, + 'value': asymmetric_vault_name, + 'summary': 'Archived data into vault "%s"' + % asymmetric_vault_name, + 'result': {}, + }, + }, + + { + 'desc': 'Retrieve secret from asymmetric vault', + 'command': ( + 'vault_retrieve', + [asymmetric_vault_name], + { + 'private_key': private_key, + }, + ), + 'expected': { + 'value': asymmetric_vault_name, + 'summary': 'Retrieved data from vault "%s"' + % asymmetric_vault_name, 'result': { - 'failed': (), + 'data': secret, }, }, }, -- 1.9.3 From pvoborni at redhat.com Tue Jun 23 08:29:55 2015 From: pvoborni at redhat.com (Petr Vobornik) Date: Tue, 23 Jun 2015 10:29:55 +0200 Subject: [Freeipa-devel] [PATCH 0040] generalize certificate creation during testing In-Reply-To: <557FDFBD.2020908@redhat.com> References: <5576CA9F.6020309@redhat.com> <557FDFBD.2020908@redhat.com> Message-ID: <55891903.60608@redhat.com> On 06/16/2015 10:35 AM, Milan Kubik wrote: > On 06/09/2015 01:14 PM, Martin Babinsky wrote: >> A slight hack to ipatests/test_xmlrpc/testcert.py module in order to >> enable generation of multiple host/service/user certificates. >> >> It should make writing tests for new CA profile/sub-CA/user >> certificate functionality easier. >> > Hi, > > looks good to me, ACK. > > Milan > Pushed to master: 74883bbc959058c8bfafd9f63e8fad0e3792ac28 -- Petr Vobornik From pvoborni at redhat.com Tue Jun 23 08:31:16 2015 
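Review bot: in the private-key branch of `vault.decrypt()` (hunk `@@ -307,12 +394,232 @@`) a failed RSA-OAEP decryption is mapped to `errors.AuthenticationError` by catching `AssertionError`, but the exception the `cryptography` API documents for `RSAPrivateKey.decrypt()` on bad ciphertext or a wrong key is `ValueError`, so a mismatched private key will escape as a raw `ValueError` traceback instead of 'Invalid credentials'; catch `ValueError` there (and fix the docstring, which says 'public key' where this branch uses the private key). Smaller points in the same hunk: `get_new_password()` and `get_existing_password()` both call `.decode(sys.stdin.encoding)`, and `sys.stdin.encoding` is `None` when stdin is not a terminal (a piped or scripted run), which turns into a `TypeError`, so fall back to a fixed encoding when it is unset; the `new=False` parameter of `get_existing_password()` is never used; `encrypt()` and `decrypt()` silently return `None` when called with neither key; and `vault_add.forward()` has no `else:` after the `standard`/`symmetric`/`asymmetric` branches, so an unknown `ipavaulttype` is passed through to `vault_add_internal` unchecked, whereas `vault_archive` and `vault_retrieve` raise `errors.ValidationError(name='vault_type', error=_('Invalid vault type'))` for the same case.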
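Review bot: in `vault_archive.forward()` (hunk `@@ -513,29 +820,46 @@`) `name = args[-1]` is assigned and never used (the same dead assignment appears in `vault_retrieve.forward()` in hunk `@@ -688,15 +1106,28 @@`). On the new `Str('password?', cli_name='password')` option: a password given on the command line is visible to other local users through the process list and is kept in shell history, which the interactive prompt in `get_existing_password()` and the `password_file` option avoid; the `doc=` string should say so, so that `password_file` or the prompt is the documented default for anything but tests.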
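Review bot: in the symmetric branch of `vault_archive.forward()` (hunk `@@ -549,13 +873,77 @@`) the 'verify password by retrieving existing data' block catches only `errors.NotFound`, so a wrong password on a non-empty vault propagates as `errors.AuthenticationError` out of `vault_retrieve`; that appears to be the intent, but as written the bare `except errors.NotFound: pass` reads like a forgotten error path, so the comment should state that a password mismatch is meant to abort the archive here. Also `with open(password_file) as f:` opens the file in text mode here while `vault_add.forward()` uses `open(password_file, 'rb')` for the same value; pick one, and `'rb'` matches the `.decode('utf-8')` that follows.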
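Review bot: in `vault_retrieve.forward()` (hunk `@@ -751,18 +1187,85 @@`) `encrypted_key` stays `None` when the stored JSON carries no `'encrypted_key'` entry, yet the asymmetric branch passes it straight to `self.obj.decrypt(encrypted_key, private_key=private_key)`, where `rsa_private_key.decrypt(None, ...)` fails with a `TypeError` rather than a meaningful error; check for `None` before decrypting and raise a `ValidationError` or `AuthenticationError` that names the vault. Further down, `with open(output_file, 'w') as f: f.write(data)` writes the decrypted secret with whatever mode the process umask yields; since this is the plaintext the whole scheme protects, create the file owner-only, e.g. `os.fdopen(os.open(output_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0600), 'w')`.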
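Review bot: the new test cases in hunk `@@ -497,17 +567,122 @@` cover only the success paths of the three vault types; add negative cases for the checks the plugin now implements: a `vault_retrieve` on `symmetric_vault_name` with a wrong `password` should fail with `errors.AuthenticationError` ('Invalid credentials' from `decrypt()`), a `vault_retrieve` on `asymmetric_vault_name` without `private_key` should fail with `errors.ValidationError` for `'private_key'`, and passing both `password` and `password_file` should raise `errors.MutuallyExclusiveError`. Note also that the former 'Delete vault for archival' case is replaced rather than kept, so the three new vaults are removed only by the cleanup list added in hunk `@@ -42,6 +90,9 @@` and the `vault_del` output for them is no longer asserted.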
From: pvoborni at redhat.com (Petr Vobornik) Date: Tue, 23 Jun 2015 10:31:16 +0200 Subject: [Freeipa-devel] [PATCH 0003] Fix for a typo in certprofile mod command. In-Reply-To: <20150619102707.GT29330@dhcp-40-8.bne.redhat.com> References: <5583E93B.10001@redhat.com> <20150619102707.GT29330@dhcp-40-8.bne.redhat.com> Message-ID: <55891954.9090302@redhat.com> On 06/19/2015 12:27 PM, Fraser Tweedale wrote: > On Fri, Jun 19, 2015 at 12:04:43PM +0200, Milan Kubik wrote: >> Patch attached. >> >> Milan > > ACK > Pushed to master: b3c7805e881c250db061c44a3b5061f3f7030c5f -- Petr Vobornik From thozza at redhat.com Tue Jun 23 08:43:22 2015 From: thozza at redhat.com (Tomas Hozza) Date: Tue, 23 Jun 2015 10:43:22 +0200 Subject: [Freeipa-devel] [PATCH 0383] Fix metadb_iterator_destroy() to accept NULL iterators In-Reply-To: <557585A5.4010405@redhat.com> References: <557585A5.4010405@redhat.com> Message-ID: <55891C2A.1050405@redhat.com> On 08.06.2015 14:08, Petr Spacek wrote: > Hello, > > Fix metadb_iterator_destroy() to accept NULL iterators. > > This prevents potential crash in error handling, e.g. if memory > allocation failed. > Hi. I did formal review. The patch looks good. ACK. Regards, -- Tomas Hozza Software Engineer - EMEA ENG Developer Experience PGP: 1D9F3C2D Red Hat Inc. http://cz.redhat.com From ofayans at redhat.com Tue Jun 23 09:27:37 2015 
From: ofayans at redhat.com (Oleg Fayans) Date: Tue, 23 Jun 2015 11:27:37 +0200 Subject: [Freeipa-devel] topology-related issues Message-ID: <55892689.1000001@redhat.com> Hi Ludwig, team, I have a couple of issues with the topology plugin. 1. I was able to remove the middle node in a line topology, which resulted in disconnecting a segment. I had master - replica1 - replica2 - replica3 - replica4 I removed replica2 with a standard `ipa-replica-manage del` And it resulted in the following topology: [13:13:08]ofayans at vm-086:~]$ ipa topologysegment-find realm ------------------ 2 segments matched ------------------ Segment name: 086-to-069 Left node: vm-086.idm.lab.eng.brq.redhat.com Right node: vm-069.idm.lab.eng.brq.redhat.com Connectivity: both Segment name: 127-to-244 Left node: vm-127.idm.lab.eng.brq.redhat.com Right node: vm-244.idm.lab.eng.brq.redhat.com Connectivity: both ---------------------------- Number of entries returned 2 ---------------------------- We should probably prohibit such scenarios. 2. When I subsequently tried to create a link between the two segments manually, I bumped into the following error: [[13:17:02]ofayans at vm-069:~]$ ipa topologysegment-add realm Left node: vm-069.idm.lab.eng.brq.redhat.com Right node: vm-244.idm.lab.eng.brq.redhat.com Connectivity [both]: Segment name [vm-069.idm.lab.eng.brq.redhat.com-vm-244.idm.lab.eng.brq.redhat.com]: 069-to-244 ipa: ERROR: invalid 'rightnode': right node is not a topology node: vm-244.idm.lab.eng.brq.redhat.com -- Oleg Fayans Quality Engineer FreeIPA team RedHat. From pspacek at redhat.com Tue Jun 23 09:32:12 2015 
From: pspacek at redhat.com (Petr Spacek) Date: Tue, 23 Jun 2015 11:32:12 +0200 Subject: [Freeipa-devel] [PATCH 0384-0385] Replace isc_atomic_* in with reference counter In-Reply-To: <55786EBD.9080209@redhat.com> References: <55786EBD.9080209@redhat.com> Message-ID: <5589279C.6010509@redhat.com> On 10.6.2015 19:07, Petr Spacek wrote: > Hello, > > Replace isc_atomic_* in MetaLDAP with reference counter abstraction. > + > Replace isc_atomic_* in instance tainting with reference counter abstraction. > > Reference counters are used as abstraction which hides missing isc_atomic_*() > functions on some architectures. > > > This change is necessary for architectures like s390x and ppc64le where BIND > does not provide isc_atomic_* abstractions. Fixed version of the patch is attached. The same code is also on Github: https://github.com/pspacek/bind-dyndb-ldap/commits/atomic_to_refcnt Thank you for review! -- Petr^2 Spacek -------------- next part -------------- A non-text attachment was scrubbed... Name: bind-dyndb-ldap-pspacek-0384-2-Replace-isc_atomic_-in-instance-tainting-with-refere.patch Type: text/x-patch Size: 4385 bytes Desc: not available URL: From cheimes at redhat.com Tue Jun 23 09:37:49 2015 
From: cheimes at redhat.com (Christian Heimes) Date: Tue, 23 Jun 2015 11:37:49 +0200 Subject: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP) In-Reply-To: <5565C3AF.1070509@redhat.com> References: <5565C3AF.1070509@redhat.com> Message-ID: <558928ED.5090801@redhat.com> Hi, I've created a new patch that implements the KDC switch as a ExecStartPre hook in httpd.service. Testing: If you are doing an upgrade of an existing installation, then you have to run ipa-server-update first. The update creates the config file /etc/ipa/kdcproxy/ipa-kdc-proxy.conf from a template. /usr/libexec/ipa/ipa-httpd-kdcproxy creates / removes the symlink /etc/httpd/conf.d/ipa-kdc-proxy.conf. The feature is enabled by default. Disable KDC Proxy on the current host: # ipa-ldap-updater /usr/share/ipa/kdcproxy-disable.ldif # systemctl restart httpd.service Enable KDC Proxy on the current host: # ipa-ldap-updater /usr/share/ipa/kdcproxy-enable.ldif # systemctl restart httpd.service Regards, Christian -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-cheimes-0001-5-Provide-Kerberos-over-HTTP-MS-KKDCP.patch Type: text/x-patch Size: 31624 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From pspacek at redhat.com Tue Jun 23 09:38:57 2015 
From: pspacek at redhat.com (Petr Spacek) Date: Tue, 23 Jun 2015 11:38:57 +0200 Subject: [Freeipa-devel] [PATCH 0383] Fix metadb_iterator_destroy() to accept NULL iterators In-Reply-To: <55891C2A.1050405@redhat.com> References: <557585A5.4010405@redhat.com> <55891C2A.1050405@redhat.com> Message-ID: <55892931.4060006@redhat.com> On 23.6.2015 10:43, Tomas Hozza wrote: > On 08.06.2015 14:08, Petr Spacek wrote: >> Hello, >> >> Fix metadb_iterator_destroy() to accept NULL iterators. >> >> This prevents potential crash in error handling, e.g. if memory >> allocation failed. >> > > Hi. > > I did formal review. The patch looks good. > > ACK. Thanks! Pushed to master: 158e95e38e78cdeadf6ed6605b77dbaa754c657a -- Petr^2 Spacek From ofayans at redhat.com Tue Jun 23 09:44:47 2015 
From: ofayans at redhat.com (Oleg Fayans) Date: Tue, 23 Jun 2015 11:44:47 +0200 Subject: [Freeipa-devel] topology-related issues In-Reply-To: <55892689.1000001@redhat.com> References: <55892689.1000001@redhat.com> Message-ID: <55892A8F.4070302@redhat.com> It looks like the second issue was caused by not running ipa service on vm-244.idm.lab.eng.brq.redhat.com. However, after manual start of the ipa service on this node, I was still unable to set up the segment: [11:38:39]ofayans at vm-069:~]$ ipa topologysegment-add realm Left node: vm-244.idm.lab.eng.brq.redhat.com Right node: vm-069.idm.lab.eng.brq.redhat.com Connectivity [both]: Segment name [vm-244.idm.lab.eng.brq.redhat.com-vm-069.idm.lab.eng.brq.redhat.com]: ipa: ERROR: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('Ticket not yet valid', -1765328351) The dirsrv error log of this node is attached. On 06/23/2015 11:27 AM, Oleg Fayans wrote: > Hi Ludwig, team, > > I have a couple of issues with the topology plugin. > > 1. I was able to remove the middle node in a line topology, which > resulted in disconnecting a segment. I had > master - replica1 - replica2 - replica3 - replica4 > I removed replica2 with a standard `ipa-replica-manage del` > And it resulted in the following topology: > > [13:13:08]ofayans at vm-086:~]$ ipa topologysegment-find realm > ------------------ > 2 segments matched > ------------------ > Segment name: 086-to-069 > Left node: vm-086.idm.lab.eng.brq.redhat.com > Right node: vm-069.idm.lab.eng.brq.redhat.com > Connectivity: both > > Segment name: 127-to-244 > Left node: vm-127.idm.lab.eng.brq.redhat.com > Right node: vm-244.idm.lab.eng.brq.redhat.com > Connectivity: both > ---------------------------- > Number of entries returned 2 > ---------------------------- > > We should probably prohibit such scenarios. > > 2. 
When I subsequently tried to create a link between the two segments > manually, I bumped into the following error: > > [[13:17:02]ofayans at vm-069:~]$ ipa topologysegment-add realm > Left node: vm-069.idm.lab.eng.brq.redhat.com > Right node: vm-244.idm.lab.eng.brq.redhat.com > Connectivity [both]: > Segment name > [vm-069.idm.lab.eng.brq.redhat.com-vm-244.idm.lab.eng.brq.redhat.com]: > 069-to-244 > ipa: ERROR: invalid 'rightnode': right node is not a topology node: > vm-244.idm.lab.eng.brq.redhat.com > -- Oleg Fayans Quality Engineer FreeIPA team RedHat. -------------- next part -------------- 389-Directory/1.3.4.a1 B2015.132.1526 vm-244.idm.lab.eng.brq.redhat.com:389 (/etc/dirsrv/slapd-IDM-LAB-ENG-BRQ-REDHAT-COM) [22/Jun/2015:13:19:14 +0200] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database [22/Jun/2015:13:19:14 +0200] - check_and_set_import_cache: pagesize: 4096, pages: 373666, procpages: 54753 [22/Jun/2015:13:19:14 +0200] - WARNING: After allocating import cache 597864KB, the available memory is 896800KB, which is less than the soft limit 1048576KB. You may want to decrease the import cache size and rerun import. [22/Jun/2015:13:19:14 +0200] - Import allocates 597864KB import cache. [22/Jun/2015:13:19:14 +0200] - import userRoot: Beginning import job... [22/Jun/2015:13:19:14 +0200] - import userRoot: Index buffering enabled with bucket size 100 [22/Jun/2015:13:19:14 +0200] - import userRoot: Processing file "/var/lib/dirsrv/boot.ldif" [22/Jun/2015:13:19:14 +0200] - import userRoot: Finished scanning file "/var/lib/dirsrv/boot.ldif" (1 entries) [22/Jun/2015:13:19:15 +0200] - import userRoot: Workers finished; cleaning up... [22/Jun/2015:13:19:15 +0200] - import userRoot: Workers cleaned up. [22/Jun/2015:13:19:15 +0200] - import userRoot: Cleaning up producer thread... [22/Jun/2015:13:19:15 +0200] - import userRoot: Indexing complete. Post-processing... 
target ou=sudoers,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [22/Jun/2015:13:23:27 +0200] NSACLPlugin - The ACL target cn=users,cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [22/Jun/2015:13:23:27 +0200] NSACLPlugin - The ACL target cn=ad,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [22/Jun/2015:13:23:27 +0200] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [22/Jun/2015:13:23:27 +0200] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [22/Jun/2015:13:23:28 +0200] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com--no CoS Templates found, which should be added before the CoS Definition. [22/Jun/2015:13:23:28 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/vm-244.idm.lab.eng.brq.redhat.com at IDM.LAB.ENG.BRQ.REDHAT.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text)) [22/Jun/2015:13:23:28 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success) [22/Jun/2015:13:23:28 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [22/Jun/2015:13:23:28 +0200] - slapd started. 
Listening on /var/run/slapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket for LDAPI requests [22/Jun/2015:13:23:28 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-069.idm.lab.eng.brq.redhat.com" (vm-069:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) [22/Jun/2015:13:23:32 +0200] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com [22/Jun/2015:13:23:32 +0200] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com [22/Jun/2015:13:23:32 +0200] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com [22/Jun/2015:13:23:32 +0200] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com [22/Jun/2015:13:23:38 +0200] - userRoot: Indexing attribute: memberuid [22/Jun/2015:13:23:38 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-069.idm.lab.eng.brq.redhat.com" (vm-069:389): Replication bind with GSSAPI auth resumed [22/Jun/2015:13:23:38 +0200] - userRoot: Finished indexing. [22/Jun/2015:13:23:44 +0200] - userRoot: Indexing attribute: member [22/Jun/2015:13:23:51 +0200] - userRoot: Finished indexing. [22/Jun/2015:13:23:56 +0200] - userRoot: Indexing attribute: uniquemember [22/Jun/2015:13:23:56 +0200] - userRoot: Finished indexing. [22/Jun/2015:13:24:02 +0200] - userRoot: Indexing attribute: owner [22/Jun/2015:13:24:03 +0200] - userRoot: Finished indexing. [22/Jun/2015:13:24:08 +0200] - userRoot: Indexing attribute: seeAlso [22/Jun/2015:13:24:09 +0200] - userRoot: Finished indexing. [22/Jun/2015:13:24:14 +0200] - userRoot: Indexing attribute: ipatokenradiusconfiglink [22/Jun/2015:13:24:15 +0200] - userRoot: Finished indexing. 
[22/Jun/2015:13:24:20 +0200] - userRoot: Indexing attribute: ipaassignedidview
[22/Jun/2015:13:24:21 +0200] - userRoot: Finished indexing.
[22/Jun/2015:13:24:26 +0200] - userRoot: Indexing attribute: ipaallowedtarget
[22/Jun/2015:13:24:27 +0200] - userRoot: Finished indexing.
[22/Jun/2015:13:24:33 +0200] - userRoot: Indexing attribute: ntUniqueId
[22/Jun/2015:13:24:33 +0200] - userRoot: Finished indexing.
[22/Jun/2015:13:24:39 +0200] - userRoot: Indexing attribute: ntUserDomainId
[22/Jun/2015:13:24:39 +0200] - userRoot: Finished indexing.
[22/Jun/2015:13:24:42 +0200] memberof-plugin - Memberof task starts (arg: (objectclass=*)) ...
[22/Jun/2015:13:24:42 +0200] memberof-plugin - Memberof task starts (arg: (objectclass=*)) ...
[22/Jun/2015:13:24:44 +0200] memberof-plugin - Memberof task finished (arg: (objectclass=*)) ...
[22/Jun/2015:13:24:44 +0200] memberof-plugin - Memberof task finished (arg: (objectclass=*)) ...
[22/Jun/2015:13:24:45 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-069.idm.lab.eng.brq.redhat.com" (vm-069:389): Warning: Attempting to release replica, but unable to receive endReplication extended operation response from the replica. Error -5 (Timed out)
[22/Jun/2015:13:24:46 +0200] - slapd shutting down - signaling operation threads - op stack size 3 max work q size 1 max work q stack size 1
[22/Jun/2015:13:24:46 +0200] - slapd shutting down - waiting for 1 thread to terminate
[22/Jun/2015:13:24:46 +0200] - slapd shutting down - closing down internal subsystems and plugins
[22/Jun/2015:13:24:48 +0200] - Waiting for 4 database threads to stop
[22/Jun/2015:13:24:49 +0200] - All database threads now stopped
[22/Jun/2015:13:24:49 +0200] - slapd shutting down - freed 1 work q stack objects - freed 3 op stack objects
[22/Jun/2015:13:24:49 +0200] - slapd stopped.
[22/Jun/2015:13:24:50 +0200] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
[22/Jun/2015:13:24:50 +0200] - SSL alert: Configured NSS Ciphers
[22/Jun/2015:13:24:51 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
[22/Jun/2015:13:24:51 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[22/Jun/2015:13:24:51 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
[22/Jun/2015:13:24:51 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
[22/Jun/2015:13:24:51 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
[22/Jun/2015:13:24:51 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled
[22/Jun/2015:13:24:51 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[22/Jun/2015:13:24:51 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
[22/Jun/2015:13:24:51 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[22/Jun/2015:13:24:51 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[22/Jun/2015:13:24:51 +0200] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
[22/Jun/2015:13:24:51 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[22/Jun/2015:13:24:51 +0200] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
[22/Jun/2015:13:24:51 +0200] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled
[22/Jun/2015:13:24:51 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
[22/Jun/2015:13:24:51 +0200] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
[22/Jun/2015:13:24:51 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
[22/Jun/2015:13:24:51 +0200] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
[22/Jun/2015:13:24:51 +0200] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled
[22/Jun/2015:13:24:51 +0200] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled
[22/Jun/2015:13:24:51 +0200] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled
[22/Jun/2015:13:24:51 +0200] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled
[22/Jun/2015:13:24:51 +0200] - SSL alert: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled
[22/Jun/2015:13:24:51 +0200] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
[22/Jun/2015:13:24:51 +0200] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
[22/Jun/2015:13:24:51 +0200] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
[22/Jun/2015:13:24:51 +0200] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
[22/Jun/2015:13:24:51 +0200] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled
[22/Jun/2015:13:24:51 +0200] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
[22/Jun/2015:13:24:51 +0200] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
[22/Jun/2015:13:24:51 +0200] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled
[22/Jun/2015:13:24:51 +0200] - 389-Directory/1.3.4.a1 B2015.132.1526 starting up
[22/Jun/2015:13:24:52 +0200] - resizing db cache size: 1677721 -> 1342176
[22/Jun/2015:13:24:52 +0200] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
[22/Jun/2015:13:24:52 +0200] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
[22/Jun/2015:13:24:52 +0200] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
[22/Jun/2015:13:24:52 +0200] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist
[22/Jun/2015:13:24:52 +0200] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist
[22/Jun/2015:13:24:52 +0200] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist
[22/Jun/2015:13:24:52 +0200] NSACLPlugin - The ACL target ou=sudoers,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist
[22/Jun/2015:13:24:52 +0200] NSACLPlugin - The ACL target cn=users,cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist
[22/Jun/2015:13:24:52 +0200] NSACLPlugin - The ACL target cn=ad,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist
[22/Jun/2015:13:24:52 +0200] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist
[22/Jun/2015:13:24:52 +0200] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist
[22/Jun/2015:13:24:52 +0200] NSACLPlugin - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
[22/Jun/2015:13:24:52 +0200] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[22/Jun/2015:13:24:53 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/vm-244.idm.lab.eng.brq.redhat.com@IDM.LAB.ENG.BRQ.REDHAT.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[22/Jun/2015:13:24:53 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[22/Jun/2015:13:24:53 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[22/Jun/2015:13:24:53 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-069.idm.lab.eng.brq.redhat.com" (vm-069:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[22/Jun/2015:13:24:53 +0200] attrcrypt - No symmetric key found for cipher AES in backend changelog, attempting to create one...
[22/Jun/2015:13:24:53 +0200] attrcrypt - Key for cipher AES successfully generated and stored
[22/Jun/2015:13:24:53 +0200] attrcrypt - No symmetric key found for cipher 3DES in backend changelog, attempting to create one...
[22/Jun/2015:13:24:53 +0200] attrcrypt - Key for cipher 3DES successfully generated and stored
[22/Jun/2015:13:24:54 +0200] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[22/Jun/2015:13:24:54 +0200] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[22/Jun/2015:13:24:54 +0200] - Listening on All Interfaces port 636 for LDAPS requests
[22/Jun/2015:13:24:54 +0200] - Listening on /var/run/slapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket for LDAPI requests
[22/Jun/2015:13:24:54 +0200] - slapd shutting down - signaling operation threads - op stack size 1 max work q size 1 max work q stack size 1
[22/Jun/2015:13:24:54 +0200] - slapd shutting down - waiting for 19 threads to terminate
[22/Jun/2015:13:24:54 +0200] - slapd shutting down - closing down internal subsystems and plugins
[22/Jun/2015:13:24:55 +0200] - Waiting for 4 database threads to stop
[22/Jun/2015:13:24:55 +0200] - All database threads now stopped
[22/Jun/2015:13:24:55 +0200] - slapd shutting down - freed 1 work q stack objects - freed 2 op stack objects
[22/Jun/2015:13:24:56 +0200] - slapd stopped.
[22/Jun/2015:13:24:57 +0200] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
[22/Jun/2015:13:24:57 +0200] - SSL alert: Configured NSS Ciphers
[22/Jun/2015:13:24:57 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
[22/Jun/2015:13:24:57 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[22/Jun/2015:13:24:57 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
[22/Jun/2015:13:24:58 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
[22/Jun/2015:13:24:58 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
[22/Jun/2015:13:24:58 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled
[22/Jun/2015:13:24:58 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[22/Jun/2015:13:24:58 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
[22/Jun/2015:13:24:58 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[22/Jun/2015:13:24:58 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[22/Jun/2015:13:24:58 +0200] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
[22/Jun/2015:13:24:58 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[22/Jun/2015:13:24:58 +0200] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
[22/Jun/2015:13:24:58 +0200] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled
[22/Jun/2015:13:24:58 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
[22/Jun/2015:13:24:58 +0200] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
[22/Jun/2015:13:24:58 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
[22/Jun/2015:13:24:58 +0200] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
[22/Jun/2015:13:24:58 +0200] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled
[22/Jun/2015:13:24:58 +0200] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled
[22/Jun/2015:13:24:58 +0200] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled
[22/Jun/2015:13:24:58 +0200] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled
[22/Jun/2015:13:24:58 +0200] - SSL alert: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled
[22/Jun/2015:13:24:58 +0200] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
[22/Jun/2015:13:24:58 +0200] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
[22/Jun/2015:13:24:58 +0200] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
[22/Jun/2015:13:24:58 +0200] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
[22/Jun/2015:13:24:58 +0200] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled
[22/Jun/2015:13:24:58 +0200] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
[22/Jun/2015:13:24:58 +0200] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
[22/Jun/2015:13:24:58 +0200] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled
[22/Jun/2015:13:24:58 +0200] - 389-Directory/1.3.4.a1 B2015.132.1526 starting up
[22/Jun/2015:13:24:58 +0200] - resizing db cache size: 1342176 -> 1073740
[22/Jun/2015:13:24:59 +0200] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
[22/Jun/2015:13:24:59 +0200] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
[22/Jun/2015:13:24:59 +0200] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
[22/Jun/2015:13:24:59 +0200] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist
[22/Jun/2015:13:24:59 +0200] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist
[22/Jun/2015:13:24:59 +0200] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist
[22/Jun/2015:13:24:59 +0200] NSACLPlugin - The ACL target ou=sudoers,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist
[22/Jun/2015:13:24:59 +0200] NSACLPlugin - The ACL target cn=users,cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist
[22/Jun/2015:13:24:59 +0200] NSACLPlugin - The ACL target cn=ad,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist
[22/Jun/2015:13:24:59 +0200] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist
[22/Jun/2015:13:24:59 +0200] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist
[22/Jun/2015:13:24:59 +0200] NSACLPlugin - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
[22/Jun/2015:13:24:59 +0200] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[22/Jun/2015:13:24:59 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/vm-244.idm.lab.eng.brq.redhat.com@IDM.LAB.ENG.BRQ.REDHAT.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[22/Jun/2015:13:24:59 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[22/Jun/2015:13:24:59 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[22/Jun/2015:13:24:59 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-069.idm.lab.eng.brq.redhat.com" (vm-069:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[22/Jun/2015:13:24:59 +0200] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[22/Jun/2015:13:24:59 +0200] - Listening on All Interfaces port 636 for LDAPS requests
[22/Jun/2015:13:24:59 +0200] - Listening on /var/run/slapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket for LDAPI requests
[22/Jun/2015:13:25:03 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-069.idm.lab.eng.brq.redhat.com" (vm-069:389): Replication bind with GSSAPI auth resumed
[22/Jun/2015:13:25:48 +0200] - slapd shutting down - signaling operation threads - op stack size 4 max work q size 2 max work q stack size 2
[22/Jun/2015:13:25:48 +0200] - slapd shutting down - waiting for 8 threads to terminate
[22/Jun/2015:13:25:48 +0200] - slapd shutting down - closing down internal subsystems and plugins
[22/Jun/2015:13:25:49 +0200] - Waiting for 4 database threads to stop
[22/Jun/2015:13:25:50 +0200] - All database threads now stopped
[22/Jun/2015:13:25:50 +0200] - slapd shutting down - freed 2 work q stack objects - freed 4 op stack objects
[22/Jun/2015:13:25:50 +0200] - slapd stopped.
[22/Jun/2015:13:25:53 +0200] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
[22/Jun/2015:13:25:54 +0200] - SSL alert: Configured NSS Ciphers
[22/Jun/2015:13:25:54 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
[22/Jun/2015:13:25:54 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[22/Jun/2015:13:25:54 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
[22/Jun/2015:13:25:54 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
[22/Jun/2015:13:25:54 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
[22/Jun/2015:13:25:54 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled
[22/Jun/2015:13:25:54 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[22/Jun/2015:13:25:54 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
[22/Jun/2015:13:25:54 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[22/Jun/2015:13:25:54 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[22/Jun/2015:13:25:54 +0200] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
[22/Jun/2015:13:25:54 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[22/Jun/2015:13:25:54 +0200] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
[22/Jun/2015:13:25:54 +0200] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled
[22/Jun/2015:13:25:54 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
[22/Jun/2015:13:25:54 +0200] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
[22/Jun/2015:13:25:54 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
[22/Jun/2015:13:25:54 +0200] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
[22/Jun/2015:13:25:54 +0200] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled
[22/Jun/2015:13:25:54 +0200] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled
[22/Jun/2015:13:25:54 +0200] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled
[22/Jun/2015:13:25:54 +0200] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled
[22/Jun/2015:13:25:54 +0200] - SSL alert: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled
[22/Jun/2015:13:25:54 +0200] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
[22/Jun/2015:13:25:55 +0200] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
[22/Jun/2015:13:25:55 +0200] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
[22/Jun/2015:13:25:55 +0200] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
[22/Jun/2015:13:25:55 +0200] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled
[22/Jun/2015:13:25:55 +0200] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
[22/Jun/2015:13:25:55 +0200] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
[22/Jun/2015:13:25:55 +0200] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled
[22/Jun/2015:13:25:55 +0200] - 389-Directory/1.3.4.a1 B2015.132.1526 starting up
[22/Jun/2015:13:25:55 +0200] - resizing db cache size: 1073740 -> 858992
[22/Jun/2015:13:25:55 +0200] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
[22/Jun/2015:13:25:55 +0200] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
[22/Jun/2015:13:25:55 +0200] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
[22/Jun/2015:13:25:55 +0200] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist
[22/Jun/2015:13:25:55 +0200] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist
[22/Jun/2015:13:25:55 +0200] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist
[22/Jun/2015:13:25:55 +0200] NSACLPlugin - The ACL target ou=sudoers,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist
[22/Jun/2015:13:25:55 +0200] NSACLPlugin - The ACL target cn=users,cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist
[22/Jun/2015:13:25:56 +0200] NSACLPlugin - The ACL target cn=ad,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist
[22/Jun/2015:13:25:56 +0200] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist
[22/Jun/2015:13:25:56 +0200] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist
[22/Jun/2015:13:25:56 +0200] NSACLPlugin - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
[22/Jun/2015:13:25:56 +0200] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[22/Jun/2015:13:25:56 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/vm-244.idm.lab.eng.brq.redhat.com@IDM.LAB.ENG.BRQ.REDHAT.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[22/Jun/2015:13:25:56 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[22/Jun/2015:13:25:56 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[22/Jun/2015:13:25:56 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-069.idm.lab.eng.brq.redhat.com" (vm-069:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[22/Jun/2015:13:25:56 +0200] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[22/Jun/2015:13:25:56 +0200] - Listening on All Interfaces port 636 for LDAPS requests
[22/Jun/2015:13:25:56 +0200] - Listening on /var/run/slapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket for LDAPI requests
[22/Jun/2015:13:25:59 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-069.idm.lab.eng.brq.redhat.com" (vm-069:389): Replication bind with GSSAPI auth resumed
[22/Jun/2015:14:37:46 +0200] ipa-topology-plugin - ipa_topo_agmt_del: cn=vm-244.idm.lab.eng.brq.redhat.com-to-vm-086.idm.lab.eng.brq.redhat.com
[22/Jun/2015:14:37:46 +0200] NSMMReplicationPlugin - agmt_delete: begin
[22/Jun/2015:15:02:12 +0200] ipa-topology-plugin - ipa_topo_post_mod - segment to be modified does not exist
[22/Jun/2015:15:46:40 +0200] ipa-topology-plugin - ipa_topo_util_modify: failed to modify entry (cn=replica,cn=dc\3Didm\2Cdc\3Dlab\2Cdc\3Deng\2Cdc\3Dbrq\2Cdc\3Dredhat\2Cdc\3Dcom,cn=mapping tree,cn=config): error 16
[22/Jun/2015:15:46:50 +0200] NSMMReplicationPlugin - CleanAllRUV Task: launching cleanAllRUV thread...
[22/Jun/2015:15:46:50 +0200] NSMMReplicationPlugin - CleanAllRUV Task (rid 6): Cleaning rid (6)...
[22/Jun/2015:15:46:51 +0200] NSMMReplicationPlugin - CleanAllRUV Task (rid 6): Waiting to process all the updates from the deleted replica...
[22/Jun/2015:15:46:51 +0200] NSMMReplicationPlugin - CleanAllRUV Task (rid 6): Waiting for all the replicas to be online...
[22/Jun/2015:15:46:51 +0200] NSMMReplicationPlugin - CleanAllRUV Task (rid 6): Waiting for all the replicas to receive all the deleted replica updates...
[22/Jun/2015:15:46:51 +0200] NSMMReplicationPlugin - CleanAllRUV Task (rid 6): Sending cleanAllRUV task to all the replicas...
[22/Jun/2015:15:46:52 +0200] NSMMReplicationPlugin - CleanAllRUV Task (rid 6): Cleaning local ruv's...
[22/Jun/2015:15:46:52 +0200] NSMMReplicationPlugin - CleanAllRUV Task (rid 6): Waiting for all the replicas to be cleaned...
[22/Jun/2015:15:46:52 +0200] NSMMReplicationPlugin - CleanAllRUV Task (rid 6): Replica is not cleaned yet (agmt="cn=meTovm-069.idm.lab.eng.brq.redhat.com" (vm-069:389))
[22/Jun/2015:15:46:52 +0200] NSMMReplicationPlugin - CleanAllRUV Task (rid 6): Replicas have not been cleaned yet, retrying in 10 seconds
[22/Jun/2015:15:47:05 +0200] NSMMReplicationPlugin - CleanAllRUV Task (rid 6): Waiting for all the replicas to finish cleaning...
[22/Jun/2015:15:47:05 +0200] NSMMReplicationPlugin - CleanAllRUV Task (rid 6): Successfully cleaned rid(6).
[22/Jun/2015:15:53:50 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-14): authorization failure: ) errno 0 (Success)
[22/Jun/2015:15:53:50 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials)
[22/Jun/2015:15:53:50 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-069.idm.lab.eng.brq.redhat.com" (vm-069:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) (SASL(-14): authorization failure: )
[22/Jun/2015:15:53:53 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-14): authorization failure: ) errno 0 (Success)
[22/Jun/2015:15:53:53 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials)
[22/Jun/2015:15:53:59 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-14): authorization failure: ) errno 0 (Success)
[22/Jun/2015:15:53:59 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials)
[22/Jun/2015:15:54:13 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-14): authorization failure: ) errno 0 (Success)
[22/Jun/2015:15:54:13 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials)
[22/Jun/2015:15:54:35 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-14): authorization failure: ) errno 0 (Success)
[22/Jun/2015:15:54:35 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials)
[22/Jun/2015:15:55:24 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-14): authorization failure: ) errno 0 (Success)
[22/Jun/2015:15:55:24 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials)
[22/Jun/2015:15:56:59 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-14): authorization failure: ) errno 0 (Success)
[22/Jun/2015:15:56:59 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials)
[22/Jun/2015:16:00:11 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-14): authorization failure: ) errno 0 (Success)
[22/Jun/2015:16:00:11 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials)
[22/Jun/2015:16:05:12 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-14): authorization failure: ) errno 0 (Success)
[22/Jun/2015:16:05:12 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials)
[22/Jun/2015:16:10:11 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-14): authorization failure: ) errno 0 (Success)
[22/Jun/2015:16:10:11 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials)
[22/Jun/2015:16:15:11 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-14): authorization failure: ) errno 0 (Success)
[22/Jun/2015:16:15:11 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials)
[22/Jun/2015:16:20:11 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-14): authorization failure: ) errno 0 (Success)
[22/Jun/2015:16:20:11 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials)
[22/Jun/2015:16:25:11 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-14): authorization failure: ) errno 0 (Success)
[22/Jun/2015:16:25:11 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials)
[22/Jun/2015:16:30:11 +0200] 
slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-14): authorization failure: ) errno 0 (Success) [22/Jun/2015:16:30:11 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials) [22/Jun/2015:16:35:11 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-14): authorization failure: ) errno 0 (Success) [22/Jun/2015:16:35:11 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials) [22/Jun/2015:16:40:11 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-14): authorization failure: ) errno 0 (Success) [22/Jun/2015:16:40:11 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials) [22/Jun/2015:16:45:11 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-14): authorization failure: ) errno 0 (Success) [22/Jun/2015:16:45:11 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials) [22/Jun/2015:16:50:11 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-14): authorization failure: ) errno 0 (Success) [22/Jun/2015:16:50:11 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials) [22/Jun/2015:16:52:20 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform 
interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot contact any KDC for realm 'IDM.LAB.ENG.BRQ.REDHAT.COM')) errno 115 (Operation now in progress) [22/Jun/2015:16:52:20 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [22/Jun/2015:16:52:21 +0200] NSMMReplicationPlugin - agmt="cn=vm-244.idm.lab.eng.brq.redhat.com-to-vm-127.idm.lab.eng.brq.redhat.com" (vm-127:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot contact any KDC for realm 'IDM.LAB.ENG.BRQ.REDHAT.COM')) [22/Jun/2015:16:52:24 +0200] NSMMReplicationPlugin - agmt="cn=vm-244.idm.lab.eng.brq.redhat.com-to-vm-127.idm.lab.eng.brq.redhat.com" (vm-127:389): Replication bind with GSSAPI auth resumed [22/Jun/2015:16:55:12 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-14): authorization failure: ) errno 0 (Success) [22/Jun/2015:16:55:12 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials) [22/Jun/2015:17:00:11 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-14): authorization failure: ) errno 0 (Success) [22/Jun/2015:17:00:11 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials) [22/Jun/2015:17:05:11 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-14): authorization failure: ) 
errno 0 (Success) [22/Jun/2015:17:05:11 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials) [22/Jun/2015:17:10:12 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-14): authorization failure: ) errno 0 (Success) [22/Jun/2015:17:10:12 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials) [22/Jun/2015:17:15:11 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-14): authorization failure: ) errno 0 (Success) [22/Jun/2015:17:15:12 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials) [22/Jun/2015:17:20:12 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-14): authorization failure: ) errno 0 (Success) [22/Jun/2015:17:20:12 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials) [22/Jun/2015:17:25:11 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-14): authorization failure: ) errno 0 (Success) [22/Jun/2015:17:25:11 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials) [22/Jun/2015:17:30:11 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-14): authorization failure: ) errno 0 (Success) [22/Jun/2015:17:30:11 +0200] slapi_ldap_bind - 
Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials) [22/Jun/2015:17:35:11 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-14): authorization failure: ) errno 0 (Success) [22/Jun/2015:17:35:11 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials) [22/Jun/2015:17:40:11 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-14): authorization failure: ) errno 0 (Success) [22/Jun/2015:17:40:11 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials) [22/Jun/2015:17:45:11 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-14): authorization failure: ) errno 0 (Success) [22/Jun/2015:17:45:11 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials) [22/Jun/2015:17:50:11 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-14): authorization failure: ) errno 0 (Success) [22/Jun/2015:17:50:11 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials) [22/Jun/2015:17:55:11 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-14): authorization failure: ) errno 0 (Success) [22/Jun/2015:17:55:11 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] 
authentication mechanism [GSSAPI]: error 49 (Invalid credentials) [22/Jun/2015:18:00:11 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-14): authorization failure: ) errno 0 (Success) [22/Jun/2015:18:00:11 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials) [22/Jun/2015:18:00:36 +0200] - slapd shutting down - signaling operation threads - op stack size 7 max work q size 3 max work q stack size 3 [22/Jun/2015:18:00:36 +0200] - slapd shutting down - closing down internal subsystems and plugins [22/Jun/2015:18:00:37 +0200] - Waiting for 4 database threads to stop [22/Jun/2015:18:00:40 +0200] - All database threads now stopped [22/Jun/2015:18:00:42 +0200] - slapd shutting down - freed 3 work q stack objects - freed 7 op stack objects [22/Jun/2015:18:00:42 +0200] - slapd stopped. [23/Jun/2015:11:52:50 +0200] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2 [23/Jun/2015:11:52:51 +0200] - SSL alert: Configured NSS Ciphers [23/Jun/2015:11:52:51 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled [23/Jun/2015:11:52:51 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled [23/Jun/2015:11:52:51 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled [23/Jun/2015:11:52:51 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled [23/Jun/2015:11:52:52 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled [23/Jun/2015:11:52:52 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled [23/Jun/2015:11:52:52 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled [23/Jun/2015:11:52:52 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled [23/Jun/2015:11:52:52 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled [23/Jun/2015:11:52:52 +0200] - SSL alert: 
TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled [23/Jun/2015:11:52:52 +0200] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled [23/Jun/2015:11:52:52 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled [23/Jun/2015:11:52:52 +0200] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [23/Jun/2015:11:52:52 +0200] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled [23/Jun/2015:11:52:52 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled [23/Jun/2015:11:52:52 +0200] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled [23/Jun/2015:11:52:53 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled [23/Jun/2015:11:52:53 +0200] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [23/Jun/2015:11:52:53 +0200] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled [23/Jun/2015:11:52:53 +0200] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled [23/Jun/2015:11:52:53 +0200] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled [23/Jun/2015:11:52:53 +0200] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled [23/Jun/2015:11:52:53 +0200] - SSL alert: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled [23/Jun/2015:11:52:53 +0200] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled [23/Jun/2015:11:52:53 +0200] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled [23/Jun/2015:11:52:54 +0200] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled [23/Jun/2015:11:52:54 +0200] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [23/Jun/2015:11:52:54 +0200] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled [23/Jun/2015:11:52:54 +0200] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled [23/Jun/2015:11:52:54 +0200] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [23/Jun/2015:11:52:54 +0200] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled [23/Jun/2015:11:52:54 +0200] - 389-Directory/1.3.4.a1 B2015.132.1526 starting up [23/Jun/2015:11:52:54 +0200] - WARNING: userRoot: entry cache size 900717B is less than db 
size 1212416B; We recommend to increase the entry cache size nsslapd-cachememsize. [23/Jun/2015:11:52:55 +0200] - WARNING: changelog: entry cache size 858992B is less than db size 1384448B; We recommend to increase the entry cache size nsslapd-cachememsize. [23/Jun/2015:11:52:55 +0200] - resizing db cache size: 858992 -> 687193 [23/Jun/2015:11:52:56 +0200] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com [23/Jun/2015:11:52:56 +0200] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com [23/Jun/2015:11:52:56 +0200] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com [23/Jun/2015:11:52:56 +0200] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [23/Jun/2015:11:52:56 +0200] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [23/Jun/2015:11:52:56 +0200] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [23/Jun/2015:11:52:57 +0200] NSACLPlugin - The ACL target ou=sudoers,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [23/Jun/2015:11:52:57 +0200] NSACLPlugin - The ACL target cn=users,cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [23/Jun/2015:11:52:57 +0200] NSACLPlugin - The ACL target cn=ad,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [23/Jun/2015:11:52:57 +0200] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [23/Jun/2015:11:52:57 +0200] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [23/Jun/2015:11:52:58 +0200] NSACLPlugin - The ACL target 
cn=automember rebuild membership,cn=tasks,cn=config does not exist [23/Jun/2015:11:52:58 +0200] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com--no CoS Templates found, which should be added before the CoS Definition. [23/Jun/2015:11:52:58 +0200] NSMMReplicationPlugin - ruv_compare_ruv: the max CSN [5588304c000000050000] from RUV [changelog max RUV] is larger than the max CSN [5588304b000000050000] from RUV [database RUV] for element [{replica 5} 5587ef4e000000050000 5588304c000000050000] [23/Jun/2015:11:52:59 +0200] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: data for replica dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not match the data in the changelog. Recreating the changelog file. This could affect replication with replica's consumers in which case the consumers should be reinitialized. [23/Jun/2015:11:52:59 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/vm-244.idm.lab.eng.brq.redhat.com at IDM.LAB.ENG.BRQ.REDHAT.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [23/Jun/2015:11:52:59 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/vm-244.idm.lab.eng.brq.redhat.com at IDM.LAB.ENG.BRQ.REDHAT.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [23/Jun/2015:11:53:00 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (No Kerberos credentials available)) errno 2 (No such file or directory) [23/Jun/2015:11:53:00 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [23/Jun/2015:11:53:00 +0200] NSMMReplicationPlugin - agmt="cn=vm-244.idm.lab.eng.brq.redhat.com-to-vm-127.idm.lab.eng.brq.redhat.com" (vm-127:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) [23/Jun/2015:11:53:00 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success) [23/Jun/2015:11:53:01 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [23/Jun/2015:11:53:01 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-069.idm.lab.eng.brq.redhat.com" (vm-069:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) [23/Jun/2015:11:53:02 +0200] - slapd started. 
Listening on All Interfaces port 389 for LDAP requests [23/Jun/2015:11:53:02 +0200] - Listening on All Interfaces port 636 for LDAPS requests [23/Jun/2015:11:53:02 +0200] - Listening on /var/run/slapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket for LDAPI requests [23/Jun/2015:11:53:04 +0200] NSMMReplicationPlugin - agmt="cn=vm-244.idm.lab.eng.brq.redhat.com-to-vm-127.idm.lab.eng.brq.redhat.com" (vm-127:389): Replication bind with GSSAPI auth resumed [23/Jun/2015:11:53:06 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-14): authorization failure: ) errno 0 (Success) [23/Jun/2015:11:53:06 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials) [23/Jun/2015:11:53:06 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-069.idm.lab.eng.brq.redhat.com" (vm-069:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) (SASL(-14): authorization failure: ) [23/Jun/2015:11:53:07 +0200] agmt="cn=vm-244.idm.lab.eng.brq.redhat.com-to-vm-127.idm.lab.eng.brq.redhat.com" (vm-127:389) - Can't locate CSN 558811c6000700050000 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized. 
[23/Jun/2015:11:53:14 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-14): authorization failure: ) errno 0 (Success) [23/Jun/2015:11:53:14 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials) [23/Jun/2015:11:53:24 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-14): authorization failure: ) errno 0 (Success) [23/Jun/2015:11:53:24 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials) [23/Jun/2015:11:53:48 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-14): authorization failure: ) errno 0 (Success) [23/Jun/2015:11:53:48 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials) [23/Jun/2015:11:54:35 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-14): authorization failure: ) errno 0 (Success) [23/Jun/2015:11:54:35 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials) [23/Jun/2015:11:56:11 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-14): authorization failure: ) errno 0 (Success) [23/Jun/2015:11:56:11 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials) [23/Jun/2015:11:59:23 +0200] slapd_ldap_sasl_interactive_bind - 
Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-14): authorization failure: ) errno 0 (Success) [23/Jun/2015:11:59:23 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials) [23/Jun/2015:12:04:24 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-14): authorization failure: ) errno 0 (Success) [23/Jun/2015:12:04:24 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials) [23/Jun/2015:10:53:23 +0200] csngen_new_csn - Warning: too much time skew (-4485 secs). Current seqnum=1 [23/Jun/2015:10:53:24 +0200] csngen_new_csn - Warning: too much time skew (-4485 secs). Current seqnum=2 [23/Jun/2015:10:53:24 +0200] csngen_new_csn - Warning: too much time skew (-4486 secs). Current seqnum=1 [23/Jun/2015:10:53:24 +0200] csngen_new_csn - Warning: too much time skew (-4487 secs). Current seqnum=1 [23/Jun/2015:10:53:24 +0200] csngen_new_csn - Warning: too much time skew (-4488 secs). Current seqnum=1 [23/Jun/2015:10:53:24 +0200] csngen_new_csn - Warning: too much time skew (-4489 secs). Current seqnum=1 [23/Jun/2015:10:53:24 +0200] csngen_new_csn - Warning: too much time skew (-4490 secs). Current seqnum=1 [23/Jun/2015:10:53:24 +0200] csngen_new_csn - Warning: too much time skew (-4491 secs). Current seqnum=1 [23/Jun/2015:10:53:25 +0200] csngen_new_csn - Warning: too much time skew (-4491 secs). Current seqnum=1 [23/Jun/2015:10:53:25 +0200] csngen_new_csn - Warning: too much time skew (-4492 secs). Current seqnum=1 [23/Jun/2015:10:53:25 +0200] csngen_new_csn - Warning: too much time skew (-4493 secs). Current seqnum=1 [23/Jun/2015:10:53:25 +0200] csngen_new_csn - Warning: too much time skew (-4494 secs). 
Current seqnum=1 [23/Jun/2015:10:53:25 +0200] csngen_new_csn - Warning: too much time skew (-4495 secs). Current seqnum=1 [23/Jun/2015:10:53:25 +0200] csngen_new_csn - Warning: too much time skew (-4496 secs). Current seqnum=1 [23/Jun/2015:10:58:25 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket not yet valid)) errno 2 (No such file or directory) [23/Jun/2015:10:58:25 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [23/Jun/2015:10:58:25 +0200] NSMMReplicationPlugin - agmt="cn=vm-244.idm.lab.eng.brq.redhat.com-to-vm-127.idm.lab.eng.brq.redhat.com" (vm-127:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket not yet valid)) [23/Jun/2015:10:58:29 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket not yet valid)) errno 2 (No such file or directory) [23/Jun/2015:10:58:29 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [23/Jun/2015:10:58:35 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Ticket not yet valid)) errno 2 (No such file or directory) [23/Jun/2015:10:58:35 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [23/Jun/2015:10:58:47 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket not yet valid)) errno 2 (No such file or directory) [23/Jun/2015:10:58:47 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [23/Jun/2015:10:59:11 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket not yet valid)) errno 2 (No such file or directory) [23/Jun/2015:10:59:11 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [23/Jun/2015:10:59:39 +0200] csngen_new_csn - Warning: too much time skew (-4123 secs). Current seqnum=1 [23/Jun/2015:10:59:47 +0200] csngen_new_csn - Warning: too much time skew (-4116 secs). Current seqnum=1 [23/Jun/2015:10:59:47 +0200] csngen_new_csn - Warning: too much time skew (-4117 secs). Current seqnum=1 [23/Jun/2015:10:59:59 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Ticket not yet valid)) errno 2 (No such file or directory)
[23/Jun/2015:10:59:59 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[23/Jun/2015:11:01:35 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket not yet valid)) errno 2 (No such file or directory)
[23/Jun/2015:11:01:35 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[23/Jun/2015:11:04:47 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket not yet valid)) errno 2 (No such file or directory)
[23/Jun/2015:11:04:47 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[23/Jun/2015:11:05:47 +0200] csngen_new_csn - Warning: too much time skew (-3146 secs). Current seqnum=1
[23/Jun/2015:11:05:50 +0200] csngen_new_csn - Warning: too much time skew (-3144 secs). Current seqnum=1
[23/Jun/2015:11:09:26 +0200] csngen_new_csn - Warning: too much time skew (-3539 secs). Current seqnum=1
[23/Jun/2015:11:09:27 +0200] csngen_new_csn - Warning: too much time skew (-3539 secs). Current seqnum=1
[23/Jun/2015:11:09:31 +0200] - slapd shutting down - signaling operation threads - op stack size 3 max work q size 2 max work q stack size 2
[23/Jun/2015:11:09:32 +0200] - slapd shutting down - closing down internal subsystems and plugins
[23/Jun/2015:11:09:34 +0200] - Waiting for 4 database threads to stop
[23/Jun/2015:11:09:37 +0200] - All database threads now stopped
[23/Jun/2015:11:09:38 +0200] - slapd shutting down - freed 2 work q stack objects - freed 4 op stack objects
[23/Jun/2015:11:09:38 +0200] - slapd stopped.
[23/Jun/2015:13:10:12 +0200] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
[23/Jun/2015:13:10:12 +0200] - SSL alert: Configured NSS Ciphers
[23/Jun/2015:13:10:12 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
[23/Jun/2015:13:10:12 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[23/Jun/2015:13:10:12 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
[23/Jun/2015:13:10:12 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
[23/Jun/2015:13:10:13 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
[23/Jun/2015:13:10:13 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled
[23/Jun/2015:13:10:13 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[23/Jun/2015:13:10:13 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
[23/Jun/2015:13:10:13 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[23/Jun/2015:13:10:13 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[23/Jun/2015:13:10:14 +0200] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
[23/Jun/2015:13:10:14 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[23/Jun/2015:13:10:14 +0200] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
[23/Jun/2015:13:10:14 +0200] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled
[23/Jun/2015:13:10:14 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
[23/Jun/2015:13:10:14 +0200] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
[23/Jun/2015:13:10:14 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
[23/Jun/2015:13:10:14 +0200] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
[23/Jun/2015:13:10:15 +0200] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled
[23/Jun/2015:13:10:15 +0200] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled
[23/Jun/2015:13:10:15 +0200] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled
[23/Jun/2015:13:10:15 +0200] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled
[23/Jun/2015:13:10:15 +0200] - SSL alert: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled
[23/Jun/2015:13:10:15 +0200] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
[23/Jun/2015:13:10:15 +0200] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
[23/Jun/2015:13:10:16 +0200] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
[23/Jun/2015:13:10:16 +0200] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
[23/Jun/2015:13:10:16 +0200] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled
[23/Jun/2015:13:10:16 +0200] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
[23/Jun/2015:13:10:16 +0200] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
[23/Jun/2015:13:10:16 +0200] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled
[23/Jun/2015:13:10:17 +0200] - 389-Directory/1.3.4.a1 B2015.132.1526 starting up
[23/Jun/2015:13:10:17 +0200] - WARNING: userRoot: entry cache size 720573B is less than db size 1220608B; We recommend to increase the entry cache size nsslapd-cachememsize.
[23/Jun/2015:13:10:17 +0200] - WARNING: changelog: entry cache size 687193B is less than db size 1458176B; We recommend to increase the entry cache size nsslapd-cachememsize.
[23/Jun/2015:13:10:17 +0200] - resizing db cache size: 687193 -> 549754
[23/Jun/2015:13:10:18 +0200] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
[23/Jun/2015:13:10:18 +0200] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
[23/Jun/2015:13:10:18 +0200] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
[23/Jun/2015:13:10:19 +0200] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist
[23/Jun/2015:13:10:19 +0200] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist
[23/Jun/2015:13:10:19 +0200] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist
[23/Jun/2015:13:10:19 +0200] NSACLPlugin - The ACL target ou=sudoers,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist
[23/Jun/2015:13:10:19 +0200] NSACLPlugin - The ACL target cn=users,cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist
[23/Jun/2015:13:10:19 +0200] NSACLPlugin - The ACL target cn=ad,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist
[23/Jun/2015:13:10:20 +0200] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist
[23/Jun/2015:13:10:20 +0200] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist
[23/Jun/2015:13:10:20 +0200] NSACLPlugin - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
[23/Jun/2015:13:10:20 +0200] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[23/Jun/2015:13:10:21 +0200] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 3 ldap://vm-086.idm.lab.eng.brq.redhat.com:389} 5587ed32000000030000 558811c7000200030000] which is present in RUV [database RUV]
[23/Jun/2015:13:10:21 +0200] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: for replica dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com there were some differences between the changelog max RUV and the database RUV. If there are obsolete elements in the database RUV, you should remove them using the CLEANALLRUV task. If they are not obsolete, you should check their status to see why there are no changes from those servers in the changelog.
[23/Jun/2015:13:10:21 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/vm-244.idm.lab.eng.brq.redhat.com at IDM.LAB.ENG.BRQ.REDHAT.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[23/Jun/2015:13:10:21 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/vm-244.idm.lab.eng.brq.redhat.com at IDM.LAB.ENG.BRQ.REDHAT.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[23/Jun/2015:13:10:21 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 2 (No such file or directory)
[23/Jun/2015:13:10:21 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[23/Jun/2015:13:10:21 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[23/Jun/2015:13:10:21 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[23/Jun/2015:13:10:22 +0200] NSMMReplicationPlugin - agmt="cn=vm-244.idm.lab.eng.brq.redhat.com-to-vm-127.idm.lab.eng.brq.redhat.com" (vm-127:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[23/Jun/2015:13:10:22 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-069.idm.lab.eng.brq.redhat.com" (vm-069:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[23/Jun/2015:13:10:22 +0200] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[23/Jun/2015:13:10:22 +0200] - Listening on All Interfaces port 636 for LDAPS requests
[23/Jun/2015:13:10:22 +0200] - Listening on /var/run/slapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket for LDAPI requests
[23/Jun/2015:13:10:27 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
[23/Jun/2015:13:10:27 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials)
[23/Jun/2015:13:10:27 +0200] NSMMReplicationPlugin - agmt="cn=vm-244.idm.lab.eng.brq.redhat.com-to-vm-127.idm.lab.eng.brq.redhat.com" (vm-127:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context)
[23/Jun/2015:13:10:27 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-14): authorization failure: ) errno 0 (Success)
[23/Jun/2015:13:10:27 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials)
[23/Jun/2015:13:10:27 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-069.idm.lab.eng.brq.redhat.com" (vm-069:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) (SASL(-14): authorization failure: )
[23/Jun/2015:13:10:33 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
[23/Jun/2015:13:10:33 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials)
[23/Jun/2015:13:10:34 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-14): authorization failure: ) errno 0 (Success)
[23/Jun/2015:13:10:34 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials)
[23/Jun/2015:13:10:44 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
[23/Jun/2015:13:10:44 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials)
[23/Jun/2015:13:10:45 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-14): authorization failure: ) errno 0 (Success)
[23/Jun/2015:13:10:45 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials)
[23/Jun/2015:13:11:08 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
[23/Jun/2015:13:11:08 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials)
[23/Jun/2015:13:16:54 +0200] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
[23/Jun/2015:13:16:54 +0200] - SSL alert: Configured NSS Ciphers
[23/Jun/2015:13:16:54 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
[23/Jun/2015:13:16:54 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[23/Jun/2015:13:16:54 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
[23/Jun/2015:13:16:54 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
[23/Jun/2015:13:16:54 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
[23/Jun/2015:13:16:55 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled
[23/Jun/2015:13:16:55 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[23/Jun/2015:13:16:55 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
[23/Jun/2015:13:16:55 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[23/Jun/2015:13:16:55 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[23/Jun/2015:13:16:55 +0200] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
[23/Jun/2015:13:16:56 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[23/Jun/2015:13:16:56 +0200] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
[23/Jun/2015:13:16:56 +0200] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled
[23/Jun/2015:13:16:56 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
[23/Jun/2015:13:16:56 +0200] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
[23/Jun/2015:13:16:56 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
[23/Jun/2015:13:16:56 +0200] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
[23/Jun/2015:13:16:56 +0200] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled
[23/Jun/2015:13:16:56 +0200] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled
[23/Jun/2015:13:16:56 +0200] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled
[23/Jun/2015:13:16:57 +0200] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled
[23/Jun/2015:13:16:57 +0200] - SSL alert: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled
[23/Jun/2015:13:16:57 +0200] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
[23/Jun/2015:13:16:57 +0200] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
[23/Jun/2015:13:16:57 +0200] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
[23/Jun/2015:13:16:57 +0200] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
[23/Jun/2015:13:16:57 +0200] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled
[23/Jun/2015:13:16:57 +0200] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
[23/Jun/2015:13:16:58 +0200] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
[23/Jun/2015:13:16:58 +0200] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled
[23/Jun/2015:13:16:58 +0200] - 389-Directory/1.3.4.a1 B2015.132.1526 starting up
[23/Jun/2015:13:16:58 +0200] - WARNING: userRoot: entry cache size 576458B is less than db size 1220608B; We recommend to increase the entry cache size nsslapd-cachememsize.
[23/Jun/2015:13:16:58 +0200] - WARNING: changelog: entry cache size 549754B is less than db size 1482752B; We recommend to increase the entry cache size nsslapd-cachememsize.
[23/Jun/2015:13:16:58 +0200] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
[23/Jun/2015:13:17:01 +0200] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
[23/Jun/2015:13:17:01 +0200] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
[23/Jun/2015:13:17:02 +0200] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
[23/Jun/2015:13:17:02 +0200] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist
[23/Jun/2015:13:17:02 +0200] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist
[23/Jun/2015:13:17:02 +0200] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist
[23/Jun/2015:13:17:02 +0200] NSACLPlugin - The ACL target ou=sudoers,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist
[23/Jun/2015:13:17:02 +0200] NSACLPlugin - The ACL target cn=users,cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist
[23/Jun/2015:13:17:02 +0200] NSACLPlugin - The ACL target cn=ad,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist
[23/Jun/2015:13:17:02 +0200] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist
[23/Jun/2015:13:17:03 +0200] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist
[23/Jun/2015:13:17:03 +0200] NSACLPlugin - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
[23/Jun/2015:13:17:03 +0200] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[23/Jun/2015:13:17:03 +0200] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: disordely shutdown for replica dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com. Check if DB RUV needs to be updated
[23/Jun/2015:13:17:03 +0200] NSMMReplicationPlugin - ruv_covers_csn: replica for id 3 not found.
[23/Jun/2015:13:17:03 +0200] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: disordely shutdown for replica o=ipaca. Check if DB RUV needs to be updated
[23/Jun/2015:13:17:03 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/vm-244.idm.lab.eng.brq.redhat.com at IDM.LAB.ENG.BRQ.REDHAT.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[23/Jun/2015:13:17:03 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/vm-244.idm.lab.eng.brq.redhat.com at IDM.LAB.ENG.BRQ.REDHAT.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[23/Jun/2015:13:17:04 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 2 (No such file or directory)
[23/Jun/2015:13:17:04 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[23/Jun/2015:13:17:04 +0200] NSMMReplicationPlugin - agmt="cn=vm-244.idm.lab.eng.brq.redhat.com-to-vm-127.idm.lab.eng.brq.redhat.com" (vm-127:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[23/Jun/2015:13:17:04 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[23/Jun/2015:13:17:05 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[23/Jun/2015:13:17:05 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-069.idm.lab.eng.brq.redhat.com" (vm-069:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[23/Jun/2015:13:17:05 +0200] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[23/Jun/2015:13:17:05 +0200] - Listening on All Interfaces port 636 for LDAPS requests
[23/Jun/2015:13:17:05 +0200] - Listening on /var/run/slapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket for LDAPI requests
[23/Jun/2015:13:17:08 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
[23/Jun/2015:13:17:08 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials)
[23/Jun/2015:13:17:08 +0200] NSMMReplicationPlugin - agmt="cn=vm-244.idm.lab.eng.brq.redhat.com-to-vm-127.idm.lab.eng.brq.redhat.com" (vm-127:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context)
[23/Jun/2015:13:18:02 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot contact any KDC for realm 'IDM.LAB.ENG.BRQ.REDHAT.COM')) errno 115 (Operation now in progress)
[23/Jun/2015:13:18:02 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[23/Jun/2015:13:18:03 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot contact any KDC for realm 'IDM.LAB.ENG.BRQ.REDHAT.COM')) errno 115 (Operation now in progress)
[23/Jun/2015:13:18:03 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[23/Jun/2015:13:18:03 +0200] NSMMReplicationPlugin - agmt="cn=vm-244.idm.lab.eng.brq.redhat.com-to-vm-127.idm.lab.eng.brq.redhat.com" (vm-127:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot contact any KDC for realm 'IDM.LAB.ENG.BRQ.REDHAT.COM'))
[23/Jun/2015:13:18:30 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot contact any KDC for realm 'IDM.LAB.ENG.BRQ.REDHAT.COM')) errno 115 (Operation now in progress)
[23/Jun/2015:13:18:31 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[23/Jun/2015:13:18:31 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-14): authorization failure: ) errno 0 (Success)
[23/Jun/2015:13:18:31 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials)
[23/Jun/2015:13:18:31 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-069.idm.lab.eng.brq.redhat.com" (vm-069:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) (SASL(-14): authorization failure: )
[23/Jun/2015:13:37:03 +0200] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
[23/Jun/2015:13:37:03 +0200] - SSL alert: Configured NSS Ciphers
[23/Jun/2015:13:37:04 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
[23/Jun/2015:13:37:04 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[23/Jun/2015:13:37:04 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
[23/Jun/2015:13:37:04 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
[23/Jun/2015:13:37:04 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
[23/Jun/2015:13:37:04 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled
[23/Jun/2015:13:37:04 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[23/Jun/2015:13:37:04 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
[23/Jun/2015:13:37:04 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[23/Jun/2015:13:37:04 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[23/Jun/2015:13:37:04 +0200] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
[23/Jun/2015:13:37:04 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[23/Jun/2015:13:37:04 +0200] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
[23/Jun/2015:13:37:04 +0200] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled
[23/Jun/2015:13:37:04 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
[23/Jun/2015:13:37:05 +0200] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
[23/Jun/2015:13:37:05 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
[23/Jun/2015:13:37:05 +0200] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
[23/Jun/2015:13:37:05 +0200] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled
[23/Jun/2015:13:37:05 +0200] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled
[23/Jun/2015:13:37:05 +0200] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled
[23/Jun/2015:13:37:05 +0200] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled
[23/Jun/2015:13:37:05 +0200] - SSL alert: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled
[23/Jun/2015:13:37:05 +0200] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
[23/Jun/2015:13:37:05 +0200] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
[23/Jun/2015:13:37:05 +0200] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
[23/Jun/2015:13:37:05 +0200] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
[23/Jun/2015:13:37:05 +0200] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled
[23/Jun/2015:13:37:05 +0200] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
[23/Jun/2015:13:37:05 +0200] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
[23/Jun/2015:13:37:06 +0200] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled
[23/Jun/2015:13:37:06 +0200] - 389-Directory/1.3.4.a1 B2015.132.1526 starting up
[23/Jun/2015:13:37:06 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up
[23/Jun/2015:13:37:06 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up
[23/Jun/2015:13:37:06 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up
[23/Jun/2015:13:37:06 +0200] - WARNING: userRoot: entry cache size 512000B is less than db size 1228800B; We recommend to increase the entry cache size nsslapd-cachememsize.
[23/Jun/2015:13:37:06 +0200] - WARNING: ipaca: entry cache size 1125897B is less than db size 1327104B; We recommend to increase the entry cache size nsslapd-cachememsize.
[23/Jun/2015:13:37:07 +0200] - WARNING: changelog: entry cache size 512000B is less than db size 1515520B; We recommend to increase the entry cache size nsslapd-cachememsize.
[23/Jun/2015:13:37:07 +0200] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
[23/Jun/2015:13:37:10 +0200] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
[23/Jun/2015:13:37:11 +0200] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
[23/Jun/2015:13:37:11 +0200] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
[23/Jun/2015:13:37:11 +0200] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist
[23/Jun/2015:13:37:11 +0200] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist
[23/Jun/2015:13:37:11 +0200] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist
[23/Jun/2015:13:37:12 +0200] NSACLPlugin - The ACL target ou=sudoers,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist
[23/Jun/2015:13:37:12 +0200] NSACLPlugin - The ACL target cn=users,cn=compat,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist
[23/Jun/2015:13:37:12 +0200] NSACLPlugin - The ACL target cn=ad,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist
[23/Jun/2015:13:37:12 +0200] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist
[23/Jun/2015:13:37:12 +0200] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist
[23/Jun/2015:13:37:13 +0200] NSACLPlugin - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
[23/Jun/2015:13:37:13 +0200] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[23/Jun/2015:13:37:13 +0200] NSMMReplicationPlugin - changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-IDM-LAB-ENG-BRQ-REDHAT-COM/cldb/bb57681e-18d011e5-9edab207-8d01a1a1.sema; NSPR error - -5943
[23/Jun/2015:13:37:13 +0200] NSMMReplicationPlugin - changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-IDM-LAB-ENG-BRQ-REDHAT-COM/cldb/8cd98d0b-18d011e5-9edab207-8d01a1a1.sema; NSPR error - -5943
[23/Jun/2015:13:37:13 +0200] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: disordely shutdown for replica dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com. Check if DB RUV needs to be updated
[23/Jun/2015:13:37:13 +0200] NSMMReplicationPlugin - ruv_covers_csn: replica for id 3 not found.
[23/Jun/2015:13:37:13 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/vm-244.idm.lab.eng.brq.redhat.com at IDM.LAB.ENG.BRQ.REDHAT.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[23/Jun/2015:13:37:13 +0200] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: disordely shutdown for replica o=ipaca. Check if DB RUV needs to be updated
[23/Jun/2015:13:37:13 +0200] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-vm-244.idm.lab.eng.brq.redhat.com-pki-tomcat" (vm-069:389): Unable to acquire replica: the replica instructed us to go into backoff mode. Will retry later.
[23/Jun/2015:13:37:13 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/vm-244.idm.lab.eng.brq.redhat.com at IDM.LAB.ENG.BRQ.REDHAT.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[23/Jun/2015:13:37:13 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 2 (No such file or directory)
[23/Jun/2015:13:37:14 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[23/Jun/2015:13:37:14 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[23/Jun/2015:13:37:14 +0200] NSMMReplicationPlugin - agmt="cn=vm-244.idm.lab.eng.brq.redhat.com-to-vm-127.idm.lab.eng.brq.redhat.com" (vm-127:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[23/Jun/2015:13:37:14 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[23/Jun/2015:13:37:14 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-069.idm.lab.eng.brq.redhat.com" (vm-069:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[23/Jun/2015:13:37:14 +0200] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[23/Jun/2015:13:37:14 +0200] - Listening on All Interfaces port 636 for LDAPS requests
[23/Jun/2015:13:37:14 +0200] - Listening on /var/run/slapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket for LDAPI requests
[23/Jun/2015:13:37:18 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
[23/Jun/2015:13:37:18 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials)
[23/Jun/2015:13:37:18 +0200] NSMMReplicationPlugin - agmt="cn=meTovm-069.idm.lab.eng.brq.redhat.com" (vm-069:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context)
[23/Jun/2015:13:37:18 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
[23/Jun/2015:13:37:18 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials)
[23/Jun/2015:13:37:18 +0200] NSMMReplicationPlugin - agmt="cn=vm-244.idm.lab.eng.brq.redhat.com-to-vm-127.idm.lab.eng.brq.redhat.com" (vm-127:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context)
[23/Jun/2015:13:37:25 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
[23/Jun/2015:13:37:25 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials)
[23/Jun/2015:13:37:26 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
[23/Jun/2015:13:37:26 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials)
[23/Jun/2015:13:37:36 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
[23/Jun/2015:13:37:36 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials)
[23/Jun/2015:13:37:36 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
[23/Jun/2015:13:37:36 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials)
[23/Jun/2015:13:37:59 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
[23/Jun/2015:13:37:59 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials)
[23/Jun/2015:13:37:59 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
[23/Jun/2015:13:37:59 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials)
[23/Jun/2015:13:38:47 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
[23/Jun/2015:13:38:47 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials)
[23/Jun/2015:13:38:47 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
[23/Jun/2015:13:38:48 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials)
[23/Jun/2015:13:40:24 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
[23/Jun/2015:13:40:24
+0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials) From pvoborni at redhat.com Tue Jun 23 10:41:58 2015 
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 23 Jun 2015 12:41:58 +0200
Subject: [Freeipa-devel] topology-related issues
In-Reply-To: <55892689.1000001@redhat.com>
References: <55892689.1000001@redhat.com>
Message-ID: <558937F6.6050200@redhat.com>

On 06/23/2015 11:27 AM, Oleg Fayans wrote:
> Hi Ludwig, team,
>
> I have a couple of issues with the topology plugin.
>
> 1. I was able to remove the middle node in a line topology, which
> resulted in disconnecting a segment. I had
> master - replica1 - replica2 - replica3 - replica4
> I removed replica2 with a standard `ipa-replica-manage del`
> And it resulted in the following topology:
>
> [13:13:08]ofayans at vm-086:~]$ ipa topologysegment-find realm
> ------------------
> 2 segments matched
> ------------------
> Segment name: 086-to-069
> Left node: vm-086.idm.lab.eng.brq.redhat.com
> Right node: vm-069.idm.lab.eng.brq.redhat.com
> Connectivity: both
>
> Segment name: 127-to-244
> Left node: vm-127.idm.lab.eng.brq.redhat.com
> Right node: vm-244.idm.lab.eng.brq.redhat.com
> Connectivity: both
> ----------------------------
> Number of entries returned 2
> ----------------------------
>
> We should probably prohibit such scenarios.

Should be fixed with patch 878. It's still on review.

>
> 2. When I subsequently tried to create a link between the two segments
> manually, I bumped into the following error:
>
> [[13:17:02]ofayans at vm-069:~]$ ipa topologysegment-add realm
> Left node: vm-069.idm.lab.eng.brq.redhat.com
> Right node: vm-244.idm.lab.eng.brq.redhat.com
> Connectivity [both]:
> Segment name
> [vm-069.idm.lab.eng.brq.redhat.com-vm-244.idm.lab.eng.brq.redhat.com]:
> 069-to-244
> ipa: ERROR: invalid 'rightnode': right node is not a topology node:
> vm-244.idm.lab.eng.brq.redhat.com
>

-- 
Petr Vobornik

From mbabinsk at redhat.com Tue Jun 23 11:49:29 2015
From: mbabinsk at redhat.com (Martin Babinsky) Date: Tue, 23 Jun 2015 13:49:29 +0200 Subject: [Freeipa-devel] [PATCHES 0042-45] new commands for adding/removing certificates from entries Message-ID: <558947C9.9020509@redhat.com> This patchset implements new API commands for manipulating user/host/service userCertificate attribute alongside some underlying plumbing. PATCH 0045 is a small test suite that I slapped together since manual testing of this stuff is very cumbersome. It requires my PATCH 0040 to apply and work which was pushed to master recently (commit 74883bbc959058c8bfafd9f63e8fad0e3792ac28). The work is related to http://www.freeipa.org/page/V4/User_Certificates and https://fedorahosted.org/freeipa/ticket/4238 -- Martin^3 Babinsky -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0045-test-suite-for-user-host-service-certificate-managem.patch Type: text/x-patch Size: 12371 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0044-new-commands-to-manage-user-host-service-certificate.patch Type: text/x-patch Size: 12866 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0043-service-plugin-new-functions-for-certificate-normali.patch Type: text/x-patch Size: 2524 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0042-baseldap-add-support-for-API-commands-managing-only-.patch Type: text/x-patch Size: 5837 bytes Desc: not available URL: From pspacek at redhat.com Tue Jun 23 12:14:17 2015 
From: pspacek at redhat.com (Petr Spacek) Date: Tue, 23 Jun 2015 14:14:17 +0200 Subject: [Freeipa-devel] [PATCH 0036] Bump minimal BIND version for CentOS Message-ID: <55894D99.4000000@redhat.com> Hello, Bump minimal BIND version for CentOS. DNSSEC support added dependency on bind-pkcs11 sub-package. https://fedorahosted.org/freeipa/ticket/4657 -- Petr^2 Spacek -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pspacek-0036-Bump-minimal-BIND-version-for-CentOS.patch Type: text/x-patch Size: 885 bytes Desc: not available URL: From pspacek at redhat.com Tue Jun 23 12:15:18 2015 From: pspacek at redhat.com (Petr Spacek) Date: Tue, 23 Jun 2015 14:15:18 +0200 Subject: [Freeipa-devel] [PATCH 0037] Hide traceback in ipa-dnskeysyncd if kinit failed Message-ID: <55894DD6.3020602@redhat.com> Hello, Hide traceback in ipa-dnskeysyncd if kinit failed. https://fedorahosted.org/freeipa/ticket/4657 -- Petr^2 Spacek -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pspacek-0037-Hide-traceback-in-ipa-dnskeysyncd-if-kinit-failed.patch Type: text/x-patch Size: 1182 bytes Desc: not available URL: From thozza at redhat.com Tue Jun 23 12:18:34 2015 
From: thozza at redhat.com (Tomas Hozza) Date: Tue, 23 Jun 2015 14:18:34 +0200 Subject: [Freeipa-devel] [PATCH 0384-0385] Replace isc_atomic_* in with reference counter In-Reply-To: <5589279C.6010509@redhat.com> References: <55786EBD.9080209@redhat.com> <5589279C.6010509@redhat.com> Message-ID: <55894E9A.3080801@redhat.com> On 23.06.2015 11:32, Petr Spacek wrote: > On 10.6.2015 19:07, Petr Spacek wrote: > > Hello, > > > > Replace isc_atomic_* in MetaLDAP with reference counter abstraction. > > + > > Replace isc_atomic_* in instance tainting with reference counter abstraction. > > > > Reference counters are used as abstraction which hides missing isc_atomic_*() > > functions on some architectures. > > > > > > This change is necessary for architectures like s390x and ppc64le where BIND > > does not provide isc_atomic_* abstractions. > > Fixed version of the patch is attached. > > The same code is also on Github: > https://github.com/pspacek/bind-dyndb-ldap/commits/atomic_to_refcnt > > Thank you for review! > I did formal review of patches 384 and 385. The fixed version looks good. ACK. Regards, -- Tomas Hozza Software Engineer - EMEA ENG Developer Experience PGP: 1D9F3C2D Red Hat Inc. http://cz.redhat.com From pspacek at redhat.com Tue Jun 23 12:23:30 2015 
From: pspacek at redhat.com (Petr Spacek) Date: Tue, 23 Jun 2015 14:23:30 +0200 Subject: [Freeipa-devel] [PATCH 0384-0385] Replace isc_atomic_* in with reference counter In-Reply-To: <55894E9A.3080801@redhat.com> References: <55786EBD.9080209@redhat.com> <5589279C.6010509@redhat.com> <55894E9A.3080801@redhat.com> Message-ID: <55894FC2.7000203@redhat.com> On 23.6.2015 14:18, Tomas Hozza wrote: > On 23.06.2015 11:32, Petr Spacek wrote: >> On 10.6.2015 19:07, Petr Spacek wrote: >>> Hello, >>> >>> Replace isc_atomic_* in MetaLDAP with reference counter abstraction. >>> + >>> Replace isc_atomic_* in instance tainting with reference counter abstraction. >>> >>> Reference counters are used as abstraction which hides missing isc_atomic_*() >>> functions on some architectures. >>> >>> >>> This change is necessary for architectures like s390x and ppc64le where BIND >>> does not provide isc_atomic_* abstractions. >> >> Fixed version of the patch is attached. >> >> The same code is also on Github: >> https://github.com/pspacek/bind-dyndb-ldap/commits/atomic_to_refcnt >> >> Thank you for review! >> > I did formal review of patches 384 and 385. The fixed version looks good. > > ACK. Thanks, pushed to master: 1f167ee3366d7cc65038141640670dd0771c333f 0946ef7d9e15ad46b603ef10fb352d9743d06ee6 -- Petr^2 Spacek From lkrispen at redhat.com Tue Jun 23 12:27:29 2015 
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Tue, 23 Jun 2015 14:27:29 +0200
Subject: [Freeipa-devel] topology-related issues
In-Reply-To: <55892A8F.4070302@redhat.com>
References: <55892689.1000001@redhat.com> <55892A8F.4070302@redhat.com>
Message-ID: <558950B1.2030803@redhat.com>

On 06/23/2015 11:44 AM, Oleg Fayans wrote:
> It looks like the second issue was caused by not running ipa service
> on vm-244.idm.lab.eng.brq.redhat.com.
> However, after manual start of the ipa service on this node, I was
> still unable to setup the segment:
>
> [11:38:39]ofayans at vm-069:~]$ ipa topologysegment-add realm
> Left node: vm-244.idm.lab.eng.brq.redhat.com
> Right node: vm-069.idm.lab.eng.brq.redhat.com
> Connectivity [both]:
> Segment name
> [vm-244.idm.lab.eng.brq.redhat.com-vm-069.idm.lab.eng.brq.redhat.com]:
> ipa: ERROR: Kerberos error: ('Unspecified GSS failure. Minor code may
> provide more information', 851968)/('Ticket not yet valid', -1765328351)

I don't know what this specific error is, but in the dirsrv log, which seems to be from vm-244, we have:

set_krb5_creds - Could not get initial credentials for principal [ldap/vm-244.idm.lab.eng.brq.redhat.com at IDM.LAB.ENG.BRQ.REDHAT.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)

so is your kdc running ?

> I don't know
>
> The dirsrv error log of this node is attached.
>
>
> On 06/23/2015 11:27 AM, Oleg Fayans wrote:
>> Hi Ludwig, team,
>>
>> I have a couple of issues with the topology plugin.
>>
>> 1. I was able to remove the middle node in a line topology, which
>> resulted in disconnecting a segment. I had
>> master - replica1 - replica2 - replica3 - replica4
>> I removed replica2 with a standard `ipa-replica-manage del`
>> And it resulted in the following topology:
>>
>> [13:13:08]ofayans at vm-086:~]$ ipa topologysegment-find realm
>> ------------------
>> 2 segments matched
>> ------------------
>> Segment name: 086-to-069
>> Left node: vm-086.idm.lab.eng.brq.redhat.com
>> Right node: vm-069.idm.lab.eng.brq.redhat.com
>> Connectivity: both
>>
>> Segment name: 127-to-244
>> Left node: vm-127.idm.lab.eng.brq.redhat.com
>> Right node: vm-244.idm.lab.eng.brq.redhat.com
>> Connectivity: both
>> ----------------------------
>> Number of entries returned 2
>> ----------------------------
>>
>> We should probably prohibit such scenarios.
>>
>> 2. When I subsequently tried to create a link between the two
>> segments manually, I bumped into the following error:
>>
>> [[13:17:02]ofayans at vm-069:~]$ ipa topologysegment-add realm
>> Left node: vm-069.idm.lab.eng.brq.redhat.com
>> Right node: vm-244.idm.lab.eng.brq.redhat.com
>> Connectivity [both]:
>> Segment name
>> [vm-069.idm.lab.eng.brq.redhat.com-vm-244.idm.lab.eng.brq.redhat.com]: 069-to-244
>>
>> ipa: ERROR: invalid 'rightnode': right node is not a topology node:
>> vm-244.idm.lab.eng.brq.redhat.com
>>
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From lkrispen at redhat.com Tue Jun 23 12:41:16 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Tue, 23 Jun 2015 14:41:16 +0200
Subject: [Freeipa-devel] topology-related issues
In-Reply-To: <558950B1.2030803@redhat.com>
References: <55892689.1000001@redhat.com> <55892A8F.4070302@redhat.com> <558950B1.2030803@redhat.com>
Message-ID: <558953EC.5010708@redhat.com>

On 06/23/2015 02:27 PM, Ludwig Krispenz wrote:
>
> On 06/23/2015 11:44 AM, Oleg Fayans wrote:
>> It looks like the second issue was caused by not running ipa service
>> on vm-244.idm.lab.eng.brq.redhat.com.
>> However, after manual start of the ipa service on this node, I was
>> still unable to setup the segment:
>>
>> [11:38:39]ofayans at vm-069:~]$ ipa topologysegment-add realm
>> Left node: vm-244.idm.lab.eng.brq.redhat.com
>> Right node: vm-069.idm.lab.eng.brq.redhat.com
>> Connectivity [both]:
>> Segment name
>> [vm-244.idm.lab.eng.brq.redhat.com-vm-069.idm.lab.eng.brq.redhat.com]:
>> ipa: ERROR: Kerberos error: ('Unspecified GSS failure. Minor code
>> may provide more information', 851968)/('Ticket not yet valid',
>> -1765328351)
> I don't know what this specific error is, but in the dirsrv log,
> which seems to be from vm-244, we have:
>
> set_krb5_creds - Could not get initial credentials for principal
> [ldap/vm-244.idm.lab.eng.brq.redhat.com at IDM.LAB.ENG.BRQ.REDHAT.COM] in
> keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any
> KDC for requested realm)
>
> so is your kdc running ?

an additional observation, there are lines like:

csngen_new_csn - Warning: too much time skew (-3146 secs). Current seqnum=1

so looks like the time on your vms is not in sync, replication should handle this (so it is a warning), but don't know about other components

>
>>
> I don't know
>
>
>> The dirsrv error log of this node is attached.
>>
>>
>> On 06/23/2015 11:27 AM, Oleg Fayans wrote:
>>> Hi Ludwig, team,
>>>
>>> I have a couple of issues with the topology plugin.
>>>
>>> 1. I was able to remove the middle node in a line topology, which
>>> resulted in disconnecting a segment. I had
>>> master - replica1 - replica2 - replica3 - replica4
>>> I removed replica2 with a standard `ipa-replica-manage del`
>>> And it resulted in the following topology:
>>>
>>> [13:13:08]ofayans at vm-086:~]$ ipa topologysegment-find realm
>>> ------------------
>>> 2 segments matched
>>> ------------------
>>> Segment name: 086-to-069
>>> Left node: vm-086.idm.lab.eng.brq.redhat.com
>>> Right node: vm-069.idm.lab.eng.brq.redhat.com
>>> Connectivity: both
>>>
>>> Segment name: 127-to-244
>>> Left node: vm-127.idm.lab.eng.brq.redhat.com
>>> Right node: vm-244.idm.lab.eng.brq.redhat.com
>>> Connectivity: both
>>> ----------------------------
>>> Number of entries returned 2
>>> ----------------------------
>>>
>>> We should probably prohibit such scenarios.
>>>
>>> 2. When I subsequently tried to create a link between the two
>>> segments manually, I bumped into the following error:
>>>
>>> [[13:17:02]ofayans at vm-069:~]$ ipa topologysegment-add realm
>>> Left node: vm-069.idm.lab.eng.brq.redhat.com
>>> Right node: vm-244.idm.lab.eng.brq.redhat.com
>>> Connectivity [both]:
>>> Segment name
>>> [vm-069.idm.lab.eng.brq.redhat.com-vm-244.idm.lab.eng.brq.redhat.com]:
>>> 069-to-244
>>> ipa: ERROR: invalid 'rightnode': right node is not a topology node:
>>> vm-244.idm.lab.eng.brq.redhat.com
>>>
>>
>>
>>
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From pspacek at redhat.com Tue Jun 23 12:51:40 2015
From: pspacek at redhat.com (Petr Spacek) Date: Tue, 23 Jun 2015 14:51:40 +0200 Subject: [Freeipa-devel] [PATCH 0386-0389] Release 8.0 Message-ID: <5589565C.7060104@redhat.com> Hello, Pushed to master: 5c59bb14e4ec2f66b16062f83edc04b9df59b744 Update URL pointing to dyndb API repo. 1cf4d03cee4452d67bdf409ac2fe8d201c19c922 Update NEWS for upcoming 8.0 release. c0be113f6365abb7c77541129ffd086c80ea9fc3 releng/bumpver: Always create signed commits. 15bc8f7b54f15d994c6cc2145fd705734474f78b Bump NVR to 8.0. -- Petr^2 Spacek -------------- next part -------------- A non-text attachment was scrubbed... Name: bind-dyndb-ldap-pspacek-0386-Update-URL-pointing-to-dyndb-API-repo.patch Type: text/x-patch Size: 792 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: bind-dyndb-ldap-pspacek-0387-Update-NEWS-for-upcoming-8.0-release.patch Type: text/x-patch Size: 1951 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: bind-dyndb-ldap-pspacek-0388-releng-bumpver-Always-create-signed-commits.patch Type: text/x-patch Size: 952 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: bind-dyndb-ldap-pspacek-0389-Bump-NVR-to-8.0.patch Type: text/x-patch Size: 1146 bytes Desc: not available URL: From simo at redhat.com Tue Jun 23 12:56:00 2015 
From: simo at redhat.com (Simo Sorce)
Date: Tue, 23 Jun 2015 08:56:00 -0400
Subject: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)
In-Reply-To: <558928ED.5090801@redhat.com>
References: <5565C3AF.1070509@redhat.com> <558928ED.5090801@redhat.com>
Message-ID: <1435064160.16474.27.camel@willson.usersys.redhat.com>

On Tue, 2015-06-23 at 11:37 +0200, Christian Heimes wrote:
> Hi,
>
> I've created a new patch that implements the KDC switch as a
> ExecStartPre hook in httpd.service.
>
> Testing:
> If you are doing an upgrade of an existing installation, then you have
> to run ipa-server-update first. The update creates the config file
> /etc/ipa/kdcproxy/ipa-kdc-proxy.conf from a template.
>
> /usr/libexec/ipa/ipa-httpd-kdcproxy creates / removes the symlink
> /etc/httpd/conf.d/ipa-kdc-proxy.conf. The feature is enabled by default.
>
> Disable KDC Proxy on the current host:
> # ipa-ldap-updater /usr/share/ipa/kdcproxy-disable.ldif
> # systemctl restart httpd.service
>
> Enable KDC Proxy on the current host:
> # ipa-ldap-updater /usr/share/ipa/kdcproxy-enable.ldif
> # systemctl restart httpd.service
>
> Regards,
> Christian

A few questions.

Why are you using "#!/usr/bin/env python2.7" ?
We do not use this idiom, as it breaks in some cases, at most in some sources that are v2 only we use "#!/usr/bin/python2", please change it.

I am not sure you should really have a completely separate KDCProxyInstance, if I read it right that will cause httpd to be restarted twice. If you put KDCProxy enablement as one step of the httpdinstance then you will have much less code and httpd can be restarted only once.
KDCProxy in general is not a separate service so instantiating it as a full service seems wrong to me. IMO it should be just one of the many steps of the http instance.

The rest looks good.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From npmccallum at redhat.com Tue Jun 23 12:58:22 2015
From: npmccallum at redhat.com (Nathaniel McCallum) Date: Tue, 23 Jun 2015 08:58:22 -0400 Subject: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP) In-Reply-To: <1435064160.16474.27.camel@willson.usersys.redhat.com> References: <5565C3AF.1070509@redhat.com> <558928ED.5090801@redhat.com> <1435064160.16474.27.camel@willson.usersys.redhat.com> Message-ID: <1435064302.15715.5.camel@redhat.com> On Tue, 2015-06-23 at 08:56 -0400, Simo Sorce wrote: > On Tue, 2015-06-23 at 11:37 +0200, Christian Heimes wrote: > > Hi, > > > > I've created a new patch that implements the KDC switch as a > > ExecStartPre hook in httpd.service. > > > > Testing: > > If you are doing an upgrade of an existing installation, then you > > have > > to run ipa-server-update first. The update creates the config file > > /etc/ipa/kdcproxy/ipa-kdc-proxy.conf from a template. > > > > /usr/libexec/ipa/ipa-httpd-kdcproxy creates / removes the symlink > > /etc/httpd/conf.d/ipa-kdc-proxy.conf. The feature is enabled by > > default. > > > > Disable KDC Proxy on the current host: > > # ipa-ldap-updater /usr/share/ipa/kdcproxy-disable.ldif > > # systemctl restart httpd.service > > > > Enable KDC Proxy on the current host: > > # ipa-ldap-updater /usr/share/ipa/kdcproxy-enable.ldif > > # systemctl restart httpd.service > > > > Regards, > > Christian > > A few questions. > > Why are you using "#!/usr/bin/env python2.7" ? > We do not use this idiom, as it breaks in some cases, at most in some > sources that are v2 only we use "#!/usr/bin/python2", please change > it. > > I am not sure you should really have a completely separate > KDCProxyInstance, if I read it right that will cause httpd to be > restarted twice. If you put KDCProxy enablement as one step of the > httpdinstance then you will have much less code and httpd can be > restarted only once. > KDCProxy in general is not a separate service so instantiating it as > a > full service seem wrong to me. 
IMO it should be just one of the many > steps of the http instance. > > The rest looks good. I agree. One other small nitpick is that the python-kdcproxy dependency is still wrong. Please make it depend on 0.3. 0.3 is already in RHEL and Fedora. The only remaining step here is to push python-kdcproxy in the same update as the next FreeIPA build. Nathaniel From cheimes at redhat.com Tue Jun 23 13:11:54 2015 From: cheimes at redhat.com (Christian Heimes) Date: Tue, 23 Jun 2015 15:11:54 +0200 Subject: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP) In-Reply-To: <1435064302.15715.5.camel@redhat.com> References: <5565C3AF.1070509@redhat.com> <558928ED.5090801@redhat.com> <1435064160.16474.27.camel@willson.usersys.redhat.com> <1435064302.15715.5.camel@redhat.com> Message-ID: <55895B1A.5010509@redhat.com> On 2015-06-23 14:58, Nathaniel McCallum wrote: > I agree. One other small nitpick is that the python-kdcproxy dependency > is still wrong. Please make it depend on 0.3. 0.3 is already in RHEL > and Fedora. The only remaining step here is to push python-kdcproxy in > the same update as the next FreeIPA build. I don't see python-kdcproxy 0.3 on my F22 test VM. It's still python-kdcproxy-0.2.1-1.fc22.noarch. dnf update doesn't pull any updates either. Christian -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From npmccallum at redhat.com Tue Jun 23 13:14:42 2015 
From: npmccallum at redhat.com (Nathaniel McCallum) Date: Tue, 23 Jun 2015 09:14:42 -0400 Subject: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP) In-Reply-To: <55895B1A.5010509@redhat.com> References: <5565C3AF.1070509@redhat.com> <558928ED.5090801@redhat.com> <1435064160.16474.27.camel@willson.usersys.redhat.com> <1435064302.15715.5.camel@redhat.com> <55895B1A.5010509@redhat.com> Message-ID: <1435065282.15715.7.camel@redhat.com> On Tue, 2015-06-23 at 15:11 +0200, Christian Heimes wrote: > On 2015-06-23 14:58, Nathaniel McCallum wrote: > > I agree. One other small nitpick is that the python-kdcproxy > > dependency > > is still wrong. Please make it depend on 0.3. 0.3 is already in > > RHEL > > and Fedora. The only remaining step here is to push python-kdcproxy > > in > > the same update as the next FreeIPA build. > > I don't see python-kdcproxy 0.3 on my F22 test VM. It's still > python-kdcproxy-0.2.1-1.fc22.noarch. dnf update doesn't pull any > updates > either. ... because it hasn't been pushed. Updates are a two-step process. First you build the new package, then you push it. It is currently built, just not pushed. We will push FreeIPA and kdcproxy together. Nathaniel From cheimes at redhat.com Tue Jun 23 13:16:41 2015 
From: cheimes at redhat.com (Christian Heimes) Date: Tue, 23 Jun 2015 15:16:41 +0200 Subject: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP) In-Reply-To: <1435065282.15715.7.camel@redhat.com> References: <5565C3AF.1070509@redhat.com> <558928ED.5090801@redhat.com> <1435064160.16474.27.camel@willson.usersys.redhat.com> <1435064302.15715.5.camel@redhat.com> <55895B1A.5010509@redhat.com> <1435065282.15715.7.camel@redhat.com> Message-ID: <55895C39.8060404@redhat.com> On 2015-06-23 15:14, Nathaniel McCallum wrote: > On Tue, 2015-06-23 at 15:11 +0200, Christian Heimes wrote: >> On 2015-06-23 14:58, Nathaniel McCallum wrote: >>> I agree. One other small nitpick is that the python-kdcproxy >>> dependency >>> is still wrong. Please make it depend on 0.3. 0.3 is already in >>> RHEL >>> and Fedora. The only remaining step here is to push python-kdcproxy >>> in >>> the same update as the next FreeIPA build. >> >> I don't see python-kdcproxy 0.3 on my F22 test VM. It's still >> python-kdcproxy-0.2.1-1.fc22.noarch. dnf update doesn't pull any >> updates >> either. > > ... because it hasn't been pushed. > > Updates are a two-step process. First you build the new package, then > you push it. It is currently built, just not pushed. We will push > FreeIPA and kdcproxy together. Ah, got it! What's the simplest way to download and test the new package on my VM? Christian -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From cheimes at redhat.com Tue Jun 23 13:19:13 2015 
From: cheimes at redhat.com (Christian Heimes)
Date: Tue, 23 Jun 2015 15:19:13 +0200
Subject: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)
In-Reply-To: <1435064160.16474.27.camel@willson.usersys.redhat.com>
References: <5565C3AF.1070509@redhat.com> <558928ED.5090801@redhat.com> <1435064160.16474.27.camel@willson.usersys.redhat.com>
Message-ID: <55895CD1.1020206@redhat.com>

On 2015-06-23 14:56, Simo Sorce wrote:
> Why are you using "#!/usr/bin/env python2.7" ?
> We do not use this idiom, as it breaks in some cases, at most in some
> sources that are v2 only we use "#!/usr/bin/python2", please change it.

Force of habit. I'm used to using /usr/bin/env in my own packages. Otherwise the code isn't compatible with virtual envs. For FreeIPA it makes more sense to stick to python2. I'm going to change it.

> I am not sure you should really have a completely separate
> KDCProxyInstance, if I read it right that will cause httpd to be
> restarted twice. If you put KDCProxy enablement as one step of the
> httpdinstance then you will have much less code and httpd can be
> restarted only once.
> KDCProxy in general is not a separate service so instantiating it as a
> full service seems wrong to me. IMO it should be just one of the many
> steps of the http instance.

Correct, the KDCProxyInstance restarts the HTTPD service a second time. The instance used to do much more work. In the last patch it created a service principal with keytab and assigned a permission to the service principal. With the new design, the code has been simplified so much that it actually makes sense to move it into HTTPInstance. It's going to take me just a couple of minutes to remove the instance.

Christian

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL:

From ofayans at redhat.com Tue Jun 23 13:43:28 2015
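The design Christian describes, an ExecStartPre hook that creates or removes the /etc/httpd/conf.d/ipa-kdc-proxy.conf symlink to /etc/ipa/kdcproxy/ipa-kdc-proxy.conf depending on a flag flipped by the enable/disable LDIFs, has one security-relevant detail worth getting right: the hook runs as root on every httpd start, so it must never replace or delete something at that path that it did not create itself. The code below is an added example, not the project's ipa-httpd-kdcproxy script. The two paths are the ones from the thread; the flag name `kdcProxyEnabled` and the idea that it is an ipaConfigString value on the host's KDC service entry are assumptions (the thread only shows the LDIF file names), and `selftest()` exercises the toggle in a temporary directory instead of the real paths.

```python
"""Idempotent, refuse-if-foreign symlink toggle for an httpd ExecStartPre hook.

Added example, not FreeIPA's ipa-httpd-kdcproxy. Paths are from the thread;
ENABLE_FLAG and its storage as an ipaConfigString value are assumptions.
"""
import os
import shutil
import tempfile

CONF_SRC = "/etc/ipa/kdcproxy/ipa-kdc-proxy.conf"      # written by the upgrade from a template
CONF_LINK = "/etc/httpd/conf.d/ipa-kdc-proxy.conf"     # presence enables the proxy in httpd
ENABLE_FLAG = "kdcProxyEnabled"                         # assumed ipaConfigString value


def kdcproxy_enabled(config_strings):
    """Interpret the ipaConfigString values of the host's KDC service entry.
    The real script would read them over LDAPI; here they are passed in."""
    return any(v.lower() == ENABLE_FLAG.lower() for v in config_strings)


def sync_kdcproxy_link(enabled, src=CONF_SRC, link=CONF_LINK):
    """Make `link` a symlink to `src` iff `enabled`. Returns the action taken.

    Only a symlink that points exactly at `src` is considered ours. A regular
    file, or a symlink to some other target, raises instead of being touched,
    so a stray or attacker-planted file is never deleted or replaced by a
    root-run service start.
    """
    if os.path.lexists(link):
        if not os.path.islink(link):
            raise RuntimeError("%s exists and is not a symlink; refusing to touch it" % link)
        target = os.readlink(link)
        if target != src:
            raise RuntimeError("%s points to %s, not %s; refusing to touch it" % (link, target, src))
        if enabled:
            return "unchanged"
        os.unlink(link)
        return "removed"
    if not enabled:
        return "unchanged"
    if not os.path.isfile(src):
        raise RuntimeError("%s is missing; the upgrade step that renders it has not run" % src)
    os.symlink(src, link)
    return "created"


def selftest():
    """Create/keep/remove/keep cycle plus the foreign-file refusal, in a tmpdir."""
    root = tempfile.mkdtemp()
    try:
        src = os.path.join(root, "ipa-kdc-proxy.conf")
        with open(src, "w") as fh:
            fh.write("# constructed kdcproxy config\n")
        os.mkdir(os.path.join(root, "conf.d"))
        link = os.path.join(root, "conf.d", "ipa-kdc-proxy.conf")
        actions = [
            sync_kdcproxy_link(True, src, link),
            sync_kdcproxy_link(True, src, link),
            sync_kdcproxy_link(False, src, link),
            sync_kdcproxy_link(False, src, link),
        ]
        with open(link, "w") as fh:        # a foreign regular file at the link path
            fh.write("not ours\n")
        try:
            sync_kdcproxy_link(True, src, link)
            actions.append("replaced-foreign-file")
        except RuntimeError:
            actions.append("refused")
        return actions
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(selftest())
```

Because ExecStartPre gates the unit, the hook should exit 0 on "unchanged" and non-zero only on the refusal cases, which then stops httpd from starting with a clear message rather than silently running with (or without) the proxy config. That also answers Simo's point about restarts: the toggle itself is cheap and idempotent, so it belongs as a step of HTTPInstance and a single httpd restart.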
From: ofayans at redhat.com (Oleg Fayans)
Date: Tue, 23 Jun 2015 15:43:28 +0200
Subject: [Freeipa-devel] topology-related issues
In-Reply-To: <558950B1.2030803@redhat.com>
References: <55892689.1000001@redhat.com> <55892A8F.4070302@redhat.com> <558950B1.2030803@redhat.com>
Message-ID: <55896280.3010500@redhat.com>

On 06/23/2015 02:27 PM, Ludwig Krispenz wrote:
>
> On 06/23/2015 11:44 AM, Oleg Fayans wrote:
>> It looks like the second issue was caused by not running ipa service
>> on vm-244.idm.lab.eng.brq.redhat.com.
>> However, after manual start of the ipa service on this node, I was
>> still unable to setup the segment:
>>
>> [11:38:39]ofayans at vm-069:~]$ ipa topologysegment-add realm
>> Left node: vm-244.idm.lab.eng.brq.redhat.com
>> Right node: vm-069.idm.lab.eng.brq.redhat.com
>> Connectivity [both]:
>> Segment name
>> [vm-244.idm.lab.eng.brq.redhat.com-vm-069.idm.lab.eng.brq.redhat.com]:
>> ipa: ERROR: Kerberos error: ('Unspecified GSS failure. Minor code
>> may provide more information', 851968)/('Ticket not yet valid',
>> -1765328351)
> I don't know what this specific error is, but in the dirsrv log,
> which seems to be from vm-244, we have:
>
> set_krb5_creds - Could not get initial credentials for principal
> [ldap/vm-244.idm.lab.eng.brq.redhat.com at IDM.LAB.ENG.BRQ.REDHAT.COM] in
> keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any
> KDC for requested realm)
>
> so is your kdc running ?
>

The weirdest thing is: I actually deleted this replica on master before. This host is not shown among hosts, but the corresponding topology segment was not deleted. This is how it looks on master:

[15:40:59]ofayans at vm-069:~]$ ipa host-find
---------------
2 hosts matched
---------------
Host name: vm-069.idm.lab.eng.brq.redhat.com
Principal name: host/vm-069.idm.lab.eng.brq.redhat.com at IDM.LAB.ENG.BRQ.REDHAT.COM
Password: False
Keytab: True
Managed by: vm-069.idm.lab.eng.brq.redhat.com
SSH public key fingerprint: EA:D2:75:A7:A8:E2:2E:6D:83:DE:6F:7F:87:3F:DE:55 (ssh-ed25519), B2:79:ED:4B:94:11:03:94:E2:61:07:2C:EA:A4:87:BF (ecdsa-sha2-nistp256), 9C:45:86:FA:DC:BC:5F:F7:1D:B1:38:DC:FC:FB:04:19 (ssh-rsa)

Host name: vm-086.idm.lab.eng.brq.redhat.com
Principal name: host/vm-086.idm.lab.eng.brq.redhat.com at IDM.LAB.ENG.BRQ.REDHAT.COM
Password: False
Keytab: True
Managed by: vm-086.idm.lab.eng.brq.redhat.com
SSH public key fingerprint: EA:D2:75:A7:A8:E2:2E:6D:83:DE:6F:7F:87:3F:DE:55 (ssh-ed25519), B2:79:ED:4B:94:11:03:94:E2:61:07:2C:EA:A4:87:BF (ecdsa-sha2-nistp256), 9C:45:86:FA:DC:BC:5F:F7:1D:B1:38:DC:FC:FB:04:19 (ssh-rsa)
----------------------------
Number of entries returned 2
----------------------------
[15:41:07]ofayans at vm-069:~]$ ipa topologysegment-find realm
------------------
2 segments matched
------------------
Segment name: 086-to-069
Left node: vm-086.idm.lab.eng.brq.redhat.com
Right node: vm-069.idm.lab.eng.brq.redhat.com
Connectivity: both

Segment name: 127-to-244
Left node: vm-127.idm.lab.eng.brq.redhat.com
Right node: vm-244.idm.lab.eng.brq.redhat.com
Connectivity: both
----------------------------
Number of entries returned 2
----------------------------
[15:41:19]ofayans at vm-069:~]$

I'll re-build the packages and try to record all the steps to reproduce this issue today.

>>
> I don't know
>
>
>> The dirsrv error log of this node is attached.
>>
>>
>> On 06/23/2015 11:27 AM, Oleg Fayans wrote:
>>> Hi Ludwig, team,
>>>
>>> I have a couple of issues with the topology plugin.
>>>
>>> 1. I was able to remove the middle node in a line topology, which
>>> resulted in disconnecting a segment. I had
>>> master - replica1 - replica2 - replica3 - replica4
>>> I removed replica2 with a standard `ipa-replica-manage del`
>>> And it resulted in the following topology:
>>>
>>> [13:13:08]ofayans at vm-086:~]$ ipa topologysegment-find realm
>>> ------------------
>>> 2 segments matched
>>> ------------------
>>> Segment name: 086-to-069
>>> Left node: vm-086.idm.lab.eng.brq.redhat.com
>>> Right node: vm-069.idm.lab.eng.brq.redhat.com
>>> Connectivity: both
>>>
>>> Segment name: 127-to-244
>>> Left node: vm-127.idm.lab.eng.brq.redhat.com
>>> Right node: vm-244.idm.lab.eng.brq.redhat.com
>>> Connectivity: both
>>> ----------------------------
>>> Number of entries returned 2
>>> ----------------------------
>>>
>>> We should probably prohibit such scenarios.
>>>
>>> 2. When I subsequently tried to create a link between the two
>>> segments manually, I bumped into the following error:
>>>
>>> [[13:17:02]ofayans at vm-069:~]$ ipa topologysegment-add realm
>>> Left node: vm-069.idm.lab.eng.brq.redhat.com
>>> Right node: vm-244.idm.lab.eng.brq.redhat.com
>>> Connectivity [both]:
>>> Segment name
>>> [vm-069.idm.lab.eng.brq.redhat.com-vm-244.idm.lab.eng.brq.redhat.com]:
>>> 069-to-244
>>> ipa: ERROR: invalid 'rightnode': right node is not a topology node:
>>> vm-244.idm.lab.eng.brq.redhat.com
>>>
>>
>>
>>
>
>

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From lkrispen at redhat.com Tue Jun 23 13:48:26 2015
From: lkrispen at redhat.com (Ludwig Krispenz) Date: Tue, 23 Jun 2015 15:48:26 +0200 Subject: [Freeipa-devel] topology-related issues In-Reply-To: <55896280.3010500@redhat.com> References: <55892689.1000001@redhat.com> <55892A8F.4070302@redhat.com> <558950B1.2030803@redhat.com> <55896280.3010500@redhat.com> Message-ID: <558963AA.7000907@redhat.com> On 06/23/2015 03:43 PM, Oleg Fayans wrote: > > > On 06/23/2015 02:27 PM, Ludwig Krispenz wrote: >> >> On 06/23/2015 11:44 AM, Oleg Fayans wrote: >>> It looks like the second issue was caused by not running ipa service >>> on vm-244.idm.lab.eng.brq.redhat.com. >>> However, after manual start of the ipa service on this node, I was >>> still unable to setup the segment: >>> >>> [11:38:39]ofayans at vm-069:~]$ ipa topologysegment-add realm >>> Left node: vm-244.idm.lab.eng.brq.redhat.com >>> Right node: vm-069.idm.lab.eng.brq.redhat.com >>> Connectivity [both]: >>> Segment name >>> [vm-244.idm.lab.eng.brq.redhat.com-vm-069.idm.lab.eng.brq.redhat.com]: >>> ipa: ERROR: Kerberos error: ('Unspecified GSS failure. Minor code >>> may provide more information', 851968)/('Ticket not yet valid', >>> -1765328351) >> I don't know what this specific error is, but in the dirsrv log, >> which seems to be from vm-244, we have: >> >> set_krb5_creds - Could not get initial credentials for principal >> [ldap/vm-244.idm.lab.eng.brq.redhat.com at IDM.LAB.ENG.BRQ.REDHAT.COM] >> in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact >> any KDC for requested realm) >> >> so is your kdc running ? >> > The weirdest thing is: I actually deleted this replica on master > before. This host is not shown among hosts, but the corresponding > topology segment was not deleted.
This is how it looks on master: > > [15:40:59]ofayans at vm-069:~]$ ipa host-find > --------------- > 2 hosts matched > --------------- > Host name: vm-069.idm.lab.eng.brq.redhat.com > Principal name: > host/vm-069.idm.lab.eng.brq.redhat.com at IDM.LAB.ENG.BRQ.REDHAT.COM > Password: False > Keytab: True > Managed by: vm-069.idm.lab.eng.brq.redhat.com > SSH public key fingerprint: > EA:D2:75:A7:A8:E2:2E:6D:83:DE:6F:7F:87:3F:DE:55 (ssh-ed25519), > B2:79:ED:4B:94:11:03:94:E2:61:07:2C:EA:A4:87:BF (ecdsa-sha2-nistp256), > 9C:45:86:FA:DC:BC:5F:F7:1D:B1:38:DC:FC:FB:04:19 (ssh-rsa) > > Host name: vm-086.idm.lab.eng.brq.redhat.com > Principal name: > host/vm-086.idm.lab.eng.brq.redhat.com at IDM.LAB.ENG.BRQ.REDHAT.COM > Password: False > Keytab: True > Managed by: vm-086.idm.lab.eng.brq.redhat.com > SSH public key fingerprint: > EA:D2:75:A7:A8:E2:2E:6D:83:DE:6F:7F:87:3F:DE:55 (ssh-ed25519), > B2:79:ED:4B:94:11:03:94:E2:61:07:2C:EA:A4:87:BF (ecdsa-sha2-nistp256), > 9C:45:86:FA:DC:BC:5F:F7:1D:B1:38:DC:FC:FB:04:19 (ssh-rsa) > ---------------------------- > Number of entries returned 2 > ---------------------------- > [15:41:07]ofayans at vm-069:~]$ ipa topologysegment-find realm > ------------------ > 2 segments matched > ------------------ > Segment name: 086-to-069 > Left node: vm-086.idm.lab.eng.brq.redhat.com > Right node: vm-069.idm.lab.eng.brq.redhat.com > Connectivity: both > > Segment name: 127-to-244 > Left node: vm-127.idm.lab.eng.brq.redhat.com > Right node: vm-244.idm.lab.eng.brq.redhat.com > Connectivity: both > ---------------------------- > Number of entries returned 2 > ---------------------------- > [15:41:19]ofayans at vm-069:~]$ > > I'll re-build the packages and try to record all the steps to > reproduce this issue today. yes, please. > >>> >> I don't know >> >> >>> The dirsrv error log of this node is attached. >>> >>> >>> On 06/23/2015 11:27 AM, Oleg Fayans wrote: >>>> Hi Ludwig, team, >>>> >>>> I have a couple of issues with the topology plugin. 
>>>> >>>> 1. I was able to remove the middle node in a line topology, which >>>> resulted in disconnecting a segment. I had >>>> master - replica1 - replica2 - replica3 - replica4 >>>> I removed replica2 with a standard `ipa-replica-manage del` >>>> And it resulted in the following topology: >>>> >>>> [13:13:08]ofayans at vm-086:~]$ ipa topologysegment-find realm >>>> ------------------ >>>> 2 segments matched >>>> ------------------ >>>> Segment name: 086-to-069 >>>> Left node: vm-086.idm.lab.eng.brq.redhat.com >>>> Right node: vm-069.idm.lab.eng.brq.redhat.com >>>> Connectivity: both >>>> >>>> Segment name: 127-to-244 >>>> Left node: vm-127.idm.lab.eng.brq.redhat.com >>>> Right node: vm-244.idm.lab.eng.brq.redhat.com >>>> Connectivity: both >>>> ---------------------------- >>>> Number of entries returned 2 >>>> ---------------------------- >>>> >>>> We should probably prohibit such scenarios. >>>> >>>> 2. When I subsequently tried to create a link between the two >>>> segments manually, I bumped into the following error: >>>> >>>> [[13:17:02]ofayans at vm-069:~]$ ipa topologysegment-add realm >>>> Left node: vm-069.idm.lab.eng.brq.redhat.com >>>> Right node: vm-244.idm.lab.eng.brq.redhat.com >>>> Connectivity [both]: >>>> Segment name >>>> [vm-069.idm.lab.eng.brq.redhat.com-vm-244.idm.lab.eng.brq.redhat.com]: >>>> 069-to-244 >>>> ipa: ERROR: invalid 'rightnode': right node is not a topology node: >>>> vm-244.idm.lab.eng.brq.redhat.com >>>> >>> >>> >>> >> >> >> > > -- > Oleg Fayans > Quality Engineer > FreeIPA team > RedHat. > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From mbabinsk at redhat.com Tue Jun 23 14:29:29 2015 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Tue, 23 Jun 2015 16:29:29 +0200 Subject: [Freeipa-devel] [PATCH 0037] Hide traceback in ipa-dnskeysyncd if kinit failed In-Reply-To: <55894DD6.3020602@redhat.com> References: <55894DD6.3020602@redhat.com> Message-ID: <55896D49.6080007@redhat.com> On 06/23/2015 02:15 PM, Petr Spacek wrote: > Hello, > > Hide traceback in ipa-dnskeysyncd if kinit failed. > > https://fedorahosted.org/freeipa/ticket/4657 > > > ACK -- Martin^3 Babinsky From cheimes at redhat.com Tue Jun 23 14:50:31 2015 From: cheimes at redhat.com (Christian Heimes) Date: Tue, 23 Jun 2015 16:50:31 +0200 Subject: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP) In-Reply-To: <558928ED.5090801@redhat.com> References: <5565C3AF.1070509@redhat.com> <558928ED.5090801@redhat.com> Message-ID: <55897237.6060207@redhat.com> On 2015-06-23 11:37, Christian Heimes wrote: > Hi, > > I've created a new patch that implements the KDC switch as a > ExecStartPre hook in httpd.service. My patch has a bug. Apache's SetEnv doesn't set an operating system env var. The information is only available as WSGI env var. I'm going to set it in httpd.service. Christian -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From npmccallum at redhat.com Tue Jun 23 14:55:55 2015 
From: npmccallum at redhat.com (Nathaniel McCallum) Date: Tue, 23 Jun 2015 10:55:55 -0400 (EDT) Subject: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP) In-Reply-To: <55895C39.8060404@redhat.com> References: <5565C3AF.1070509@redhat.com> <558928ED.5090801@redhat.com> <1435064160.16474.27.camel@willson.usersys.redhat.com> <1435064302.15715.5.camel@redhat.com> <55895B1A.5010509@redhat.com> <1435065282.15715.7.camel@redhat.com> <55895C39.8060404@redhat.com> Message-ID: <1440997294.27755179.1435071355750.JavaMail.zimbra@redhat.com> ----- Original Message ----- > Ah, got it! > > What's the simplest way to download and test the new package on my VM? Download the package from koji. http://koji.fedoraproject.org/koji/packageinfo?packageID=19292 From pspacek at redhat.com Tue Jun 23 14:56:05 2015 
From: pspacek at redhat.com (Petr Spacek) Date: Tue, 23 Jun 2015 16:56:05 +0200 Subject: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP) In-Reply-To: <55895C39.8060404@redhat.com> References: <5565C3AF.1070509@redhat.com> <558928ED.5090801@redhat.com> <1435064160.16474.27.camel@willson.usersys.redhat.com> <1435064302.15715.5.camel@redhat.com> <55895B1A.5010509@redhat.com> <1435065282.15715.7.camel@redhat.com> <55895C39.8060404@redhat.com> Message-ID: <55897385.5000102@redhat.com> On 23.6.2015 15:16, Christian Heimes wrote: > On 2015-06-23 15:14, Nathaniel McCallum wrote: >> On Tue, 2015-06-23 at 15:11 +0200, Christian Heimes wrote: >>> On 2015-06-23 14:58, Nathaniel McCallum wrote: >>>> I agree. One other small nitpick is that the python-kdcproxy >>>> dependency >>>> is still wrong. Please make it depend on 0.3. 0.3 is already in >>>> RHEL >>>> and Fedora. The only remaining step here is to push python-kdcproxy >>>> in >>>> the same update as the next FreeIPA build. >>> >>> I don't see python-kdcproxy 0.3 on my F22 test VM. It's still >>> python-kdcproxy-0.2.1-1.fc22.noarch. dnf update doesn't pull any >>> updates >>> either. >> >> ... because it hasn't been pushed. >> >> Updates are a two-step process. First you build the new package, then >> you push it. It is currently built, just not pushed. We will push >> FreeIPA and kdcproxy together. > > Ah, got it! > > What's the simplest way to download and test the new package on my VM? For Fedora go to http://koji.fedoraproject.org/koji/ and use search box to find the package you are interested in. -- Petr^2 Spacek From cheimes at redhat.com Tue Jun 23 14:58:25 2015 
From: cheimes at redhat.com (Christian Heimes) Date: Tue, 23 Jun 2015 16:58:25 +0200 Subject: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP) In-Reply-To: <1440997294.27755179.1435071355750.JavaMail.zimbra@redhat.com> References: <5565C3AF.1070509@redhat.com> <558928ED.5090801@redhat.com> <1435064160.16474.27.camel@willson.usersys.redhat.com> <1435064302.15715.5.camel@redhat.com> <55895B1A.5010509@redhat.com> <1435065282.15715.7.camel@redhat.com> <55895C39.8060404@redhat.com> <1440997294.27755179.1435071355750.JavaMail.zimbra@redhat.com> Message-ID: <55897411.2000400@redhat.com> On 2015-06-23 16:55, Nathaniel McCallum wrote: > > > ----- Original Message ----- >> Ah, got it! >> >> What's the simplest way to download and test the new package on my VM? > > Download the package from koji. http://koji.fedoraproject.org/koji/packageinfo?packageID=19292 Ah, that's much simpler than my approach. I used rhpkg, spectool, wget and rpmbuild to build my own package. Christian -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From cheimes at redhat.com Tue Jun 23 15:05:31 2015 
From: cheimes at redhat.com (Christian Heimes) Date: Tue, 23 Jun 2015 17:05:31 +0200 Subject: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP) In-Reply-To: <5565C3AF.1070509@redhat.com> References: <5565C3AF.1070509@redhat.com> Message-ID: <558975BB.6000807@redhat.com> This is hopefully the final patch. I've tested a fresh installation and upgrade from 4.2 alpha 1. Christian -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-cheimes-0001-6-Provide-Kerberos-over-HTTP-MS-KKDCP.patch Type: text/x-patch Size: 26013 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From pspacek at redhat.com Tue Jun 23 15:08:40 2015 
From: pspacek at redhat.com (Petr Spacek) Date: Tue, 23 Jun 2015 17:08:40 +0200 Subject: [Freeipa-devel] Announcing bind-dyndb-ldap version 8.0 Message-ID: <55897678.1000608@redhat.com>

The FreeIPA team is proud to announce bind-dyndb-ldap version 8.0. It can be downloaded from https://fedorahosted.org/released/bind-dyndb-ldap/

The new version has also been built for Fedora 23+ (rawhide). This version is also available from the FreeIPA 4.2 COPR repo: https://copr.fedoraproject.org/coprs/mkosek/freeipa-4.2/

Latest news:

8.0
====
[1] Unknown record types can be stored in LDAP using generic syntax (RFC 3597). The LDAP schema was extended for this purpose with the UnknownRecord attribute.
    https://fedorahosted.org/bind-dyndb-ldap/ticket/157
[2] PTR record synchronization was improved.
    - New PTR records now inherit the TTL value from the respective A/AAAA records.
    - A SERVFAIL error is no longer returned to clients if the A/AAAA record update succeeded but PTR record synchronization failed because of misconfiguration. Such errors are only logged.
    - PTR record synchronization was reworked to reduce the probability of race condition occurrences.
    https://fedorahosted.org/bind-dyndb-ldap/ticket/155
[3] LDAP rename (MODRDN) for DNS records is now supported. Renaming of whole DNS zones is not supported and will lead to errors.
    https://fedorahosted.org/bind-dyndb-ldap/ticket/123
[4] Data changed in LDAP while the connection to the server was down are now refreshed properly.
    https://fedorahosted.org/bind-dyndb-ldap/ticket/128
[5] Crashes caused by object class and DN format mismatches were fixed.
    https://fedorahosted.org/bind-dyndb-ldap/ticket/148
[6] Compatibility with BIND 9.9.4 was improved.
[7] Documentation and schema were fixed and improved. The doc/schema.ldif file is now properly formatted as LDIF and contains instructions for OpenLDAP and 389 DS.

7.0
====
[1] Support for BIND 9.10 was added.
    https://fedorahosted.org/bind-dyndb-ldap/ticket/139

== Upgrading ==
A server can be upgraded by installing the updated RPM. BIND has to be restarted manually after the RPM installation.
Downgrading back to any 7.x version is supported if the user is not relying on support for unknown attribute types or the LDAP MODRDN operation.

== Feedback ==
Please provide comments, report bugs and send any other feedback via the freeipa-users mailing list: http://www.redhat.com/mailman/listinfo/freeipa-users

-- Petr^2 Spacek From npmccallum at redhat.com Tue Jun 23 15:35:37 2015 From: npmccallum at redhat.com (Nathaniel McCallum) Date: Tue, 23 Jun 2015 11:35:37 -0400 (EDT) Subject: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP) In-Reply-To: <558975BB.6000807@redhat.com> References: <5565C3AF.1070509@redhat.com> <558975BB.6000807@redhat.com> Message-ID: <1465252450.27787773.1435073737464.JavaMail.zimbra@redhat.com> typo: is_kdcprox_configured You need to update the commit message (don't do changes since last patch). Also, I'm pretty sure this is the case, but the code in ipaserver/install/httpinstance.py only executes during initial installation, right? ----- Original Message ----- > This is hopefully the final patch. I've tested a fresh installation and > upgrade from 4.2 alpha 1. > > Christian > From cheimes at redhat.com Tue Jun 23 16:51:26 2015
From: cheimes at redhat.com (Christian Heimes) Date: Tue, 23 Jun 2015 18:51:26 +0200 Subject: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP) In-Reply-To: <1465252450.27787773.1435073737464.JavaMail.zimbra@redhat.com> References: <5565C3AF.1070509@redhat.com> <558975BB.6000807@redhat.com> <1465252450.27787773.1435073737464.JavaMail.zimbra@redhat.com> Message-ID: <55898E8E.6050405@redhat.com> On 2015-06-23 17:35, Nathaniel McCallum wrote: > typo: is_kdcprox_configured > > You need to update the commit message (don't do changes since last patch). > > Also, I'm pretty sure this is the case, but the code in ipaserver/install/httpinstance.py only executes during initial installation, right? head -> desk! Of course you are right. The old code ran the update code. I fixed it. Rob also suggested that I use .uldif as prefix. My LDIFs aren't strictly LDIFs because they use dynamic templates. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-cheimes-0001-7-Provide-Kerberos-over-HTTP-MS-KKDCP.patch Type: text/x-patch Size: 26034 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From npmccallum at redhat.com Tue Jun 23 17:55:20 2015 
From: npmccallum at redhat.com (Nathaniel McCallum) Date: Tue, 23 Jun 2015 13:55:20 -0400 (EDT) Subject: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP) In-Reply-To: <55898E8E.6050405@redhat.com> References: <5565C3AF.1070509@redhat.com> <558975BB.6000807@redhat.com> <1465252450.27787773.1435073737464.JavaMail.zimbra@redhat.com> <55898E8E.6050405@redhat.com> Message-ID: <1640700934.27974816.1435082120210.JavaMail.zimbra@redhat.com> The behavior I'm worried about here is this: 1. Admin installs or updates FreeIPA (w/ kdcproxy) 2. Admin disables kdcproxy 3. Admin updates to the next version After step #3, is kdcproxy enabled or disabled? I don't have a clear answer to this (or at least I'm not seeing it). Other than this, I'm happy. So if we can answer this, it is an ack from me. ----- Original Message ----- > head -> desk! > Of course you are right. The old code ran the update code. I fixed it. > > Rob also suggested that I use .uldif as prefix. My LDIFs aren't strictly > LDIFs because they use dynamic templates. > From cheimes at redhat.com Tue Jun 23 18:20:15 2015 
From: cheimes at redhat.com (Christian Heimes) Date: Tue, 23 Jun 2015 20:20:15 +0200 Subject: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP) In-Reply-To: <1640700934.27974816.1435082120210.JavaMail.zimbra@redhat.com> References: <5565C3AF.1070509@redhat.com> <558975BB.6000807@redhat.com> <1465252450.27787773.1435073737464.JavaMail.zimbra@redhat.com> <55898E8E.6050405@redhat.com> <1640700934.27974816.1435082120210.JavaMail.zimbra@redhat.com> Message-ID: <5589A35F.2020105@redhat.com> On 2015-06-23 19:55, Nathaniel McCallum wrote: > The behavior I'm worried about here is this: > 1. Admin installs or updates FreeIPA (w/ kdcproxy) > 2. Admin disables kdcproxy > 3. Admin updates to the next version > > After step #3, is kdcproxy enabled or disabled? I don't have a clear answer to this (or at least I'm not seeing it). > > Other than this, I'm happy. So if we can answer this, it is an ack from me. That is covered by the check is_kdcproxy_configured(). It checks for the presence of a file. That file is created during installation or at the first update. Let's see if the check works. At first I'm disabling kdcproxy: # ipa-ldap-updater /usr/share/ipa/kdcproxy-disable.uldif Parsing update file '/usr/share/ipa/kdcproxy-disable.uldif' Updating existing entry: cn=KDC,cn=vm-164.abc.idm.lab.eng.brq.redhat.com,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example Done Update complete The ipa-ldap-updater command was successful # systemctl restart httpd.service # curl https://vm-164.abc.idm.lab.eng.brq.redhat.com/KdcProxy 404 Not Found
Not Found
The requested URL /KdcProxy was not found on this server.
# stat /etc/httpd/conf.d/ipa-kdc-proxy.conf stat: cannot stat '/etc/httpd/conf.d/ipa-kdc-proxy.conf': No such file or directory Next I'm running the updater and checking the feature again: # ipa-server-upgrade ... # systemctl restart httpd.service # curl https://vm-164.abc.idm.lab.eng.brq.redhat.com/KdcProxy 404 Not Found
Not Found
The requested URL /KdcProxy was not found on this server.
# stat /etc/httpd/conf.d/ipa-kdc-proxy.conf stat: cannot stat '/etc/httpd/conf.d/ipa-kdc-proxy.conf': No such file or directory KDC proxy is still disabled. Let's enable it and check again. # ipa-ldap-updater /usr/share/ipa/kdcproxy-enable.uldif Parsing update file '/usr/share/ipa/kdcproxy-enable.uldif' Updating existing entry: cn=KDC,cn=vm-164.abc.idm.lab.eng.brq.redhat.com,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example Done Update complete The ipa-ldap-updater command was successful # systemctl restart httpd.service # curl https://vm-164.abc.idm.lab.eng.brq.redhat.com/KdcProxy Method not allowed (GET) # stat /etc/httpd/conf.d/ipa-kdc-proxy.conf File: '/etc/httpd/conf.d/ipa-kdc-proxy.conf' -> '/etc/ipa/kdcproxy/ipa-kdc-proxy.conf' Size: 36 Blocks: 0 IO Block: 4096 symbolic link Device: fd01h/64769d Inode: 398238 Links: 1 ... -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From npmccallum at redhat.com Tue Jun 23 18:33:16 2015 From: npmccallum at redhat.com (Nathaniel McCallum) Date: Tue, 23 Jun 2015 14:33:16 -0400 Subject: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP) In-Reply-To: <5589A35F.2020105@redhat.com> References: <5565C3AF.1070509@redhat.com> <558975BB.6000807@redhat.com> <1465252450.27787773.1435073737464.JavaMail.zimbra@redhat.com> <55898E8E.6050405@redhat.com> <1640700934.27974816.1435082120210.JavaMail.zimbra@redhat.com> <5589A35F.2020105@redhat.com> Message-ID: <4241CF23-713E-4E93-8FA7-E213244829B6@redhat.com> I'm sold. ACK Simo, speak now or forever hold your peace (or patch it later). > On Jun 23, 2015, at 2:20 PM, Christian Heimes wrote: > > On 2015-06-23 19:55, Nathaniel McCallum wrote: >> The behavior I'm worried about here is this: >> 1. Admin installs or updates FreeIPA (w/ kdcproxy) >> 2. Admin disables kdcproxy >> 3.
Admin updates to the next version >> >> After step #3, is kdcproxy enabled or disabled? I don't have a clear answer to this (or at least I'm not seeing it). >> >> Other than this, I'm happy. So if we can answer this, it is an ack from me. > > That is covered by the check is_kdcproxy_configured(). It checks for the > presence of a file. That file is created during installation or at the > first update. > > > Let's see if the check works. At first I'm disabling kdcproxy: > > # ipa-ldap-updater /usr/share/ipa/kdcproxy-disable.uldif > Parsing update file '/usr/share/ipa/kdcproxy-disable.uldif' > Updating existing entry: > cn=KDC,cn=vm-164.abc.idm.lab.eng.brq.redhat.com,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example > Done > Update complete > The ipa-ldap-updater command was successful > > # systemctl restart httpd.service > > # curl https://vm-164.abc.idm.lab.eng.brq.redhat.com/KdcProxy > > > 404 Not Found > >
> Not Found
> The requested URL /KdcProxy was not found on this server.
> > > # stat /etc/httpd/conf.d/ipa-kdc-proxy.conf > stat: cannot stat '/etc/httpd/conf.d/ipa-kdc-proxy.conf': No such file > or directory > > > Next I'm running the updater and checking the feature again: > > # ipa-server-upgrade > ... > # systemctl restart httpd.service > > # curl https://vm-164.abc.idm.lab.eng.brq.redhat.com/KdcProxy > > > 404 Not Found > >
> Not Found
> The requested URL /KdcProxy was not found on this server.
> > > # stat /etc/httpd/conf.d/ipa-kdc-proxy.conf > stat: cannot stat '/etc/httpd/conf.d/ipa-kdc-proxy.conf': No such file > or directory > > > KDC proxy is still disabled. Let's enable it and check again. > > # ipa-ldap-updater /usr/share/ipa/kdcproxy-enable.uldif > Parsing update file '/usr/share/ipa/kdcproxy-enable.uldif' > Updating existing entry: > cn=KDC,cn=vm-164.abc.idm.lab.eng.brq.redhat.com,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example > Done > Update complete > The ipa-ldap-updater command was successful > > # systemctl restart httpd.service > > # curl https://vm-164.abc.idm.lab.eng.brq.redhat.com/KdcProxy > Method not allowed (GET) > > # stat /etc/httpd/conf.d/ipa-kdc-proxy.conf > File: '/etc/httpd/conf.d/ipa-kdc-proxy.conf' -> > '/etc/ipa/kdcproxy/ipa-kdc-proxy.conf' > Size: 36 Blocks: 0 IO Block: 4096 symbolic link > Device: fd01h/64769d Inode: 398238 Links: 1 > ... > > From simo at redhat.com Tue Jun 23 18:55:01 2015
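The enable/disable behaviour Christian verifies above (a config file that exists once the installer has run, and a conf.d symlink that switches the /KdcProxy endpoint on or off) can be modelled in a few functions. This is an added example and not FreeIPA's own code: the function name is_kdcproxy_configured and the two paths come from the thread, but the split into a presence check, an enable switch and an idempotent upgrade step, the symlink-target validation and the constructed config body are assumptions. The scenario runs in a temporary directory, so it needs no root and touches nothing under /etc.

```python
"""Model of the kdcproxy on/off switch discussed in the thread.
Added example; not FreeIPA code. Names/paths from the thread, logic assumed."""
import os
import tempfile

# Paths as they appear in the thread; run_scenario() overrides them
# with a temporary directory so the block runs anywhere without root.
HTTPD_CONF_D = "/etc/httpd/conf.d"
KDCPROXY_CONF = "/etc/ipa/kdcproxy/ipa-kdc-proxy.conf"
LINK_NAME = "ipa-kdc-proxy.conf"
# Constructed stand-in for the real WSGI drop-in (assumption).
KDCPROXY_CONF_BODY = ("WSGIScriptAlias /KdcProxy "
                      "/usr/lib/python2.7/site-packages/kdcproxy/__init__.py\n")


def is_kdcproxy_configured(kdcproxy_conf=KDCPROXY_CONF):
    """Presence-of-file check: the config is written once, at install or
    first upgrade, so its existence means 'the installer already ran here'.
    It says nothing about whether the proxy is currently switched on."""
    return os.path.isfile(kdcproxy_conf)


def is_kdcproxy_enabled(conf_dir=HTTPD_CONF_D, kdcproxy_conf=KDCPROXY_CONF):
    """True only if the httpd drop-in is a symlink to the expected file.
    A regular file or a link elsewhere is treated as disabled so that a
    stray drop-in cannot silently expose /KdcProxy (assumption: stricter
    than a bare existence test)."""
    link = os.path.join(conf_dir, LINK_NAME)
    return os.path.islink(link) and os.readlink(link) == kdcproxy_conf


def set_kdcproxy_enabled(enabled, conf_dir=HTTPD_CONF_D,
                         kdcproxy_conf=KDCPROXY_CONF):
    """Create or remove the drop-in symlink; returns the resulting state."""
    link = os.path.join(conf_dir, LINK_NAME)
    if enabled:
        tmp = link + ".tmp"
        if os.path.lexists(tmp):
            os.unlink(tmp)
        os.symlink(kdcproxy_conf, tmp)
        os.rename(tmp, link)          # atomic; also replaces a stale link
    elif os.path.lexists(link):       # lexists: dangling links are removed too
        os.unlink(link)
    return is_kdcproxy_enabled(conf_dir, kdcproxy_conf)


def upgrade(conf_dir=HTTPD_CONF_D, kdcproxy_conf=KDCPROXY_CONF):
    """Installer/upgrader step: only the first run writes the config and
    enables the proxy; later runs leave the admin's choice untouched."""
    if is_kdcproxy_configured(kdcproxy_conf):
        return is_kdcproxy_enabled(conf_dir, kdcproxy_conf)
    os.makedirs(os.path.dirname(kdcproxy_conf), exist_ok=True)
    with open(kdcproxy_conf, "w") as f:
        f.write(KDCPROXY_CONF_BODY)
    return set_kdcproxy_enabled(True, conf_dir, kdcproxy_conf)


def run_scenario():
    """Nathaniel's sequence: install, disable, upgrade again, re-enable,
    then a hand-placed regular file in conf.d. Returns the enabled state
    after each step."""
    with tempfile.TemporaryDirectory() as root:
        conf_d = os.path.join(root, "httpd", "conf.d")
        os.makedirs(conf_d)
        conf = os.path.join(root, "ipa", "kdcproxy", LINK_NAME)
        states = [
            upgrade(conf_d, conf),                        # first install: on
            set_kdcproxy_enabled(False, conf_d, conf),    # admin disables
            upgrade(conf_d, conf),                        # next version: stays off
            set_kdcproxy_enabled(True, conf_d, conf),     # admin re-enables
        ]
        # A plain file dropped into conf.d must not count as enabled.
        os.unlink(os.path.join(conf_d, LINK_NAME))
        with open(os.path.join(conf_d, LINK_NAME), "w") as f:
            f.write("# not a symlink\n")
        states.append(is_kdcproxy_enabled(conf_d, conf))
        return states


if __name__ == "__main__":
    print(run_scenario())   # [True, False, False, True, False]
```

The point of keeping the presence check and the enable switch separate is exactly the question raised in the thread: the upgrader can tell "never configured here" from "configured and deliberately switched off", so a later upgrade does not re-enable an endpoint the admin turned off. The stricter is_kdcproxy_enabled check matters because the drop-in publishes an unauthenticated HTTP endpoint; only a symlink to the expected file counts, so a leftover regular file in conf.d is not mistaken for the installer's configuration.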
From: simo at redhat.com (Simo Sorce) Date: Tue, 23 Jun 2015 14:55:01 -0400 Subject: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP) In-Reply-To: <55898E8E.6050405@redhat.com> References: <5565C3AF.1070509@redhat.com> <558975BB.6000807@redhat.com> <1465252450.27787773.1435073737464.JavaMail.zimbra@redhat.com> <55898E8E.6050405@redhat.com> Message-ID: <1435085701.16474.41.camel@willson.usersys.redhat.com> On Tue, 2015-06-23 at 18:51 +0200, Christian Heimes wrote: > +WSGIImportScript /usr/lib/python2.7/site-packages/kdcproxy/__init__.py \ > + process-group=kdcproxy application-group=kdcproxy > +WSGIScriptAlias /KdcProxy /usr/lib/python2.7/site-packages/kdcproxy/__init__.py I find sticking an application in __init__.py a bit questionable, but that's in kdcproxy and not your code. Nathaniel, can you change that in future ? Or maybe we can do it now ? We should really have something like /usr/sbin/wsgi_kdcproxy.py or /usr/libexec/kdcproxy/kdcproxy.py or similar, not something snuck into a __init__.py file down there. Everything else looks ok to me. Simo. -- Simo Sorce * Red Hat, Inc * New York From npmccallum at redhat.com Tue Jun 23 18:58:23 2015
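Review bot: the two quoted directives bind the application to process-group=kdcproxy, but no WSGIDaemonProcess kdcproxy definition is visible among the quoted lines; mod_wsgi refuses to start when a referenced process group is undefined, so the full patch needs that directive, and it is also the place to pin the dedicated unprivileged user= and group= the proxy runs as instead of inheriting httpd's identity. Since WSGIScriptAlias /KdcProxy ... publishes an unauthenticated endpoint, these lines belong in the conf.d drop-in that the enable/disable check earlier in this thread toggles, not in an always-loaded file.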
From: npmccallum at redhat.com (Nathaniel McCallum) Date: Tue, 23 Jun 2015 14:58:23 -0400 Subject: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP) In-Reply-To: <1435085701.16474.41.camel@willson.usersys.redhat.com> References: <5565C3AF.1070509@redhat.com> <558975BB.6000807@redhat.com> <1465252450.27787773.1435073737464.JavaMail.zimbra@redhat.com> <55898E8E.6050405@redhat.com> <1435085701.16474.41.camel@willson.usersys.redhat.com> Message-ID: <401081F2-4A34-4F86-AAD8-8974B0C34976@redhat.com> > On Jun 23, 2015, at 2:55 PM, Simo Sorce wrote: > > On Tue, 2015-06-23 at 18:51 +0200, Christian Heimes wrote: >> +WSGIImportScript /usr/lib/python2.7/site-packages/kdcproxy/__init__.py \ >> + process-group=kdcproxy application-group=kdcproxy >> +WSGIScriptAlias /KdcProxy /usr/lib/python2.7/site-packages/kdcproxy/__init__.py > > I find sticking an application in __init__.py a bit questionable, but > that's in kdcproxy and not your code. > Nathaniel, can you change that in future ? Or maybe we can do it now ? > > We should really have something like /usr/sbin/wsgi_kdcproxy.py > or /usr/libexec/kdcproxy/kdcproxy.py or similar, not something snuck > into a __init__.py file down there. > > Everything else looks ok to me. I think it is a valid upstream question. If we change that upstream, we can update FreeIPA. Alright, let's ride this patch all the way to ACK-town. Nathaniel From derny at redhat.com Tue Jun 23 20:36:16 2015
From: derny at redhat.com (Drew Erny) Date: Tue, 23 Jun 2015 16:36:16 -0400 Subject: [Freeipa-devel] IPA Python API In-Reply-To: <55806B14.7030905@redhat.com> References: <55806B14.7030905@redhat.com> Message-ID: <5589C340.7030301@redhat.com> Resurrecting this thread, because the problem is getting me again. If I go through the python interpreter and import the code that calls the ipalib, and then manually call it myself the way the webserver does, the code works. If the same code is run in the course of the web server process, I get the error:

Traceback (most recent call last):
  File "/home/derny/freeipa/env/lib/python2.7/site-packages/cherrypy/_cprequest.py", line 670, in respond
    response.body = self.handler()
  File "/home/derny/freeipa/env/lib/python2.7/site-packages/cherrypy/lib/encoding.py", line 217, in __call__
    self.body = self.oldhandler(*args, **kwargs)
  File "/home/derny/freeipa/env/lib/python2.7/site-packages/cherrypy/_cpdispatch.py", line 61, in __call__
    return self.callable(*self.args, **self.kwargs)
  File "freeipa_community_portal/app.py", line 39, in POST
    errors = user.save()
  File "freeipa_community_portal/model/user.py", line 33, in save
    self._call_api()
  File "freeipa_community_portal/model/user.py", line 45, in _call_api
    mail=self.email
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 439, in __call__
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 755, in run
    return self.forward(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 776, in forward
    return self.Backend.rpcclient.forward(self.name, *args, **kw)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 880, in forward
    command = getattr(self.conn, name)
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 97, in __get_conn
    self.id, threading.currentThread().getName())
AttributeError: no context.rpcclient in thread 'CP Server Thread-6'

The error shows up whether the server is run from
within the python interpreter or by itself. I kinit and have a TGT from the IPA server. The client machine is registered with the IPA server. When I run the commands "by hand", an HTTP ticket can be seen in the klist. When I run the webserver, no HTTP ticket is ever received, so the code is failing on the client side before it even gets to the server. Which is obviously not what should be happening. It's the same error I got when I was using Flask, and now I'm using cherrypy and it's still broken. Could this have something to do with the web server being a multithreaded environment? From simo at redhat.com Tue Jun 23 20:37:59 2015 From: simo at redhat.com (Simo Sorce) Date: Tue, 23 Jun 2015 16:37:59 -0400 Subject: [Freeipa-devel] [PATCH] 528 Remove option added by mistake Message-ID: <1435091879.16474.66.camel@willson.usersys.redhat.com> An option was added by mistake to ipa-replica-install during the refactoring. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-simo-528-1-Replicas-cannot-define-their-own-master-password.patch Type: text/x-patch Size: 1144 bytes Desc: not available URL: From jcholast at redhat.com Wed Jun 24 05:25:28 2015 From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 24 Jun 2015 07:25:28 +0200 Subject: [Freeipa-devel] [PATCH] 528 Remove option added by mistake In-Reply-To: <1435091879.16474.66.camel@willson.usersys.redhat.com> References: <1435091879.16474.66.camel@willson.usersys.redhat.com> Message-ID: <558A3F48.4090809@redhat.com> Hi, On 23.6.2015 at 22:37, Simo Sorce wrote: > An option was added by mistake to ipa-replica-install during the > refactoring. ACK. Pushed to master: 49d708f00fd13903dbd96193aac2c608e3512398 -- Jan Cholasta From pvoborni at redhat.com Wed Jun 24 08:45:12 2015
From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 24 Jun 2015 10:45:12 +0200 Subject: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP) In-Reply-To: <401081F2-4A34-4F86-AAD8-8974B0C34976@redhat.com> References: <5565C3AF.1070509@redhat.com> <558975BB.6000807@redhat.com> <1465252450.27787773.1435073737464.JavaMail.zimbra@redhat.com> <55898E8E.6050405@redhat.com> <1435085701.16474.41.camel@willson.usersys.redhat.com> <401081F2-4A34-4F86-AAD8-8974B0C34976@redhat.com> Message-ID: <558A6E18.7090509@redhat.com> On 06/23/2015 08:58 PM, Nathaniel McCallum wrote: > >> On Jun 23, 2015, at 2:55 PM, Simo Sorce wrote: >> >> On Tue, 2015-06-23 at 18:51 +0200, Christian Heimes wrote: >>> +WSGIImportScript /usr/lib/python2.7/site-packages/kdcproxy/__init__.py \ >>> + process-group=kdcproxy application-group=kdcproxy >>> +WSGIScriptAlias /KdcProxy /usr/lib/python2.7/site-packages/kdcproxy/__init__.py >> >> I find sticking an application in __init__.py a bit questionable, but >> that's in kdcproxy and not your code. >> Nathaniel, can you change that in future ? Or maybe we can do it now ? >> >> We should really have something like /usr/sbin/wsgi_kdcproxy.py >> or /usr/libexec/kdcproxy/kdcproxy.py or similar, not something snuck >> into a __init__.py file down there. >> >> Everything else looks ok to me. > > I think it is a valid upstream question. If we change that upstream, we can update FreeIPA. > > Alright, let's ride this patch all the way to ACK-town. > > Nathaniel > Pushed to master: 495da412f155603c02907187c21dd4511281df2c -- Petr Vobornik From ofayans at redhat.com Wed Jun 24 09:04:31 2015
From: ofayans at redhat.com (Oleg Fayans)
Date: Wed, 24 Jun 2015 11:04:31 +0200
Subject: [Freeipa-devel] Topology: Central node removal in star topology
Message-ID: <558A729F.1030307@redhat.com>

Hi everybody,

The current implementation of the topology plugin (including patch 878 from Petr) allows the deletion of the central node in a star topology.
I had the following topology:

    vm056     vm036
        \     /  |
         vm175   |
        /     \  |
    vm127     vm244

I was able to remove node vm175 from node vm244:

[17:54:48]ofayans at vm-244:~]$ ipa-replica-manage del vm-175.idm.lab.eng.brq.redhat.com
Topology after removal of vm-175.idm.lab.eng.brq.redhat.com will be disconnected:
Server vm-036.idm.lab.eng.brq.redhat.com can't contact servers: vm-056.idm.lab.eng.brq.redhat.com, vm-127.idm.lab.eng.brq.redhat.com
Server vm-056.idm.lab.eng.brq.redhat.com can't contact servers: vm-244.idm.lab.eng.brq.redhat.com, vm-036.idm.lab.eng.brq.redhat.com, vm-127.idm.lab.eng.brq.redhat.com
Server vm-127.idm.lab.eng.brq.redhat.com can't contact servers: vm-244.idm.lab.eng.brq.redhat.com, vm-056.idm.lab.eng.brq.redhat.com, vm-036.idm.lab.eng.brq.redhat.com
Server vm-244.idm.lab.eng.brq.redhat.com can't contact servers: vm-056.idm.lab.eng.brq.redhat.com, vm-127.idm.lab.eng.brq.redhat.com
Continue to delete? [no]: yes
Waiting for removal of replication agreements
unexpected error: limits exceeded for this query

I would expect this operation to delete 4 replication agreements on all nodes:
vm056 - vm175
vm127 - vm175
vm244 - vm175
vm036 - vm175

However, an arbitrary set of replication agreements was deleted on each node, leading to total infrastructure inconsistency:

===============================================================
vm056 thought the topology was as follows:

    vm056     vm036
              /  |
         vm175   |
        /     \  |
    vm127     vm244

[10:28:55]ofayans at vm-056:~]$ ipa topologysegment-find realm
------------------
4 segments matched
------------------
  Segment name: 036-to-244
  Left node: vm-036.idm.lab.eng.brq.redhat.com
  Right node: vm-244.idm.lab.eng.brq.redhat.com
  Connectivity: both

  Segment name: vm-036.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com
  Left node: vm-036.idm.lab.eng.brq.redhat.com
  Right node: vm-175.idm.lab.eng.brq.redhat.com
  Connectivity: both

  Segment name: vm-127.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com
  Left node: vm-127.idm.lab.eng.brq.redhat.com
  Right node: vm-175.idm.lab.eng.brq.redhat.com
  Connectivity: both

  Segment name: vm-175.idm.lab.eng.brq.redhat.com-to-vm-244.idm.lab.eng.brq.redhat.com
  Left node: vm-175.idm.lab.eng.brq.redhat.com
  Right node: vm-244.idm.lab.eng.brq.redhat.com
  Connectivity: both
----------------------------
Number of entries returned 4
----------------------------

===============================================================
Both vm036 and vm244 thought the topology was as follows:

    vm056     vm036
        \        |
         vm175   |
        /        |
    vm127     vm244

[10:26:23]ofayans at vm-036:~]$ ipa topologysegment-find
Suffix name: realm
------------------
3 segments matched
------------------
  Segment name: 036-to-244
  Left node: vm-036.idm.lab.eng.brq.redhat.com
  Right node: vm-244.idm.lab.eng.brq.redhat.com
  Connectivity: both

  Segment name: vm-056.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com
  Left node: vm-056.idm.lab.eng.brq.redhat.com
  Right node: vm-175.idm.lab.eng.brq.redhat.com
  Connectivity: both

  Segment name: vm-127.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com
  Left node: vm-127.idm.lab.eng.brq.redhat.com
  Right node: vm-175.idm.lab.eng.brq.redhat.com
  Connectivity: both
----------------------------
Number of entries returned 3
----------------------------

===============================================================
vm127 thought the topology was as follows:

    vm056     vm036
        \     /  |
         vm175   |
              \  |
    vm127     vm244

[10:31:08]ofayans at vm-127:~]$ ipa topologysegment-find realm
------------------
4 segments matched
------------------
  Segment name: 036-to-244
  Left node: vm-036.idm.lab.eng.brq.redhat.com
  Right node: vm-244.idm.lab.eng.brq.redhat.com
  Connectivity: both

  Segment name: vm-036.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com
  Left node: vm-036.idm.lab.eng.brq.redhat.com
  Right node: vm-175.idm.lab.eng.brq.redhat.com
  Connectivity: both

  Segment name: vm-056.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com
  Left node: vm-056.idm.lab.eng.brq.redhat.com
  Right node: vm-175.idm.lab.eng.brq.redhat.com
  Connectivity: both

  Segment name: vm-175.idm.lab.eng.brq.redhat.com-to-vm-244.idm.lab.eng.brq.redhat.com
  Left node: vm-175.idm.lab.eng.brq.redhat.com
  Right node: vm-244.idm.lab.eng.brq.redhat.com
  Connectivity: both
----------------------------
Number of entries returned 4
----------------------------

If I, for example, add a segment connecting vm127 and vm244, these two nodes will not synchronize the topology info:

[10:51:03]ofayans at vm-127:~]$ ipa topologysegment-add realm 127-to-244 --leftnode=vm-127.idm.lab.eng.brq.redhat.com --rightnode=vm-244.idm.lab.eng.brq.redhat.com --direction=both
--------------------------
Added segment "127-to-244"
--------------------------
  Segment name: 127-to-244
  Left node: vm-127.idm.lab.eng.brq.redhat.com
  Right node: vm-244.idm.lab.eng.brq.redhat.com
  Connectivity: both
[10:53:33]ofayans at vm-127:~]$ ipa topologysegment-find realm
------------------
5 segments matched
------------------
  Segment name: 036-to-244
  Left node: vm-036.idm.lab.eng.brq.redhat.com
  Right node: vm-244.idm.lab.eng.brq.redhat.com
  Connectivity: both

  Segment name: 127-to-244
  Left node: vm-127.idm.lab.eng.brq.redhat.com
  Right node: vm-244.idm.lab.eng.brq.redhat.com
  Connectivity: both

  Segment name: vm-036.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com
  Left node: vm-036.idm.lab.eng.brq.redhat.com
  Right node: vm-175.idm.lab.eng.brq.redhat.com
  Connectivity: both

  Segment name: vm-056.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com
  Left node: vm-056.idm.lab.eng.brq.redhat.com
  Right node: vm-175.idm.lab.eng.brq.redhat.com
  Connectivity: both

  Segment name: vm-175.idm.lab.eng.brq.redhat.com-to-vm-244.idm.lab.eng.brq.redhat.com
  Left node: vm-175.idm.lab.eng.brq.redhat.com
  Right node: vm-244.idm.lab.eng.brq.redhat.com
  Connectivity: both
----------------------------
Number of entries returned 5
----------------------------
[10:54:02]ofayans at vm-127:~]$

=============================================================

[10:49:38]ofayans at vm-244:~]$ ipa topologysegment-find realm
------------------
3 segments matched
------------------
  Segment name: 036-to-244
  Left node: vm-036.idm.lab.eng.brq.redhat.com
  Right node: vm-244.idm.lab.eng.brq.redhat.com
  Connectivity: both

  Segment name: 127-to-244
  Left node: vm-127.idm.lab.eng.brq.redhat.com
  Right node: vm-244.idm.lab.eng.brq.redhat.com
  Connectivity: both

  Segment name: vm-056.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com
  Left node: vm-056.idm.lab.eng.brq.redhat.com
  Right node: vm-175.idm.lab.eng.brq.redhat.com
  Connectivity: both
----------------------------
Number of entries returned 3
----------------------------
[10:56:34]ofayans at vm-244:~]$

Conclusion:
We either should completely prohibit the removal of the middle nodes (I mean, nodes that hide other active nodes), or at the removal stage first recalculate the resulting topology and send it to all nodes before the actual removal.

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

From lkrispen at redhat.com Wed Jun 24 09:25:44 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Wed, 24 Jun 2015 11:25:44 +0200
Subject: [Freeipa-devel] Topology: Central node removal in star topology
In-Reply-To: <558A729F.1030307@redhat.com>
References: <558A729F.1030307@redhat.com>
Message-ID: <558A7798.8020000@redhat.com>

Oleg,

the topology plugin relies on existing connections between servers which remain in a topology. If you remove a central node in your topology you are asking for trouble.
With Petr's patch it warns you that your topology will be disconnected, and if you insist we cannot guarantee anything.

Should we completely prohibit this? I don't know, I think you could also enforce an uninstall of vm175 with probably the same result.

What you mean by calculating the remaining topology and sending it to the remaining servers does not work; it would require sending a removal of a segment, which would be rejected.

The topology is broken, and I don't know how much we should invest in making this info consistent on all servers.

More interesting would be if we can heal this later by adding new segments.

Ludwig

From ofayans at redhat.com Wed Jun 24 09:36:09 2015
From: ofayans at redhat.com (Oleg Fayans)
Date: Wed, 24 Jun 2015 11:36:09 +0200
Subject: [Freeipa-devel] Topology: Central node removal in star topology
In-Reply-To: <558A7798.8020000@redhat.com>
References: <558A729F.1030307@redhat.com> <558A7798.8020000@redhat.com>
Message-ID: <558A7A09.9060408@redhat.com>

On 06/24/2015 11:25 AM, Ludwig Krispenz wrote:
> Oleg,
>
> the topology plugin relies on existing connections between servers
> which remain in a topology. If you remove a central node in your
> topology you are asking for trouble.
> With Petr's patch it warns you that your topology will be
> disconnected, and if you insist we cannot guarantee anything.
Agree. I just wanted to try edge cases to see how one can break the system :)
> Should we completely prohibit this? I don't know, I think you could
> also enforce an uninstall of vm175 with probably the same result.
> What you mean by calculating the remaining topology and sending it to the
> remaining servers does not work; it would require sending a removal of
> a segment, which would be rejected.
>
> The topology is broken, and I don't know how much we should invest in
> making this info consistent on all servers.
>
> More interesting would be if we can heal this later by adding new
> segments.
Yes, here comes the biggest question raised by this case: obviously, when none of the nodes possess the correct topology information (including the one which deleted the central node), there is no way to fix it by adding segments connecting the nodes that became disconnected.
I still think that the recalculation of the resulting tree should be done at least on the node that performs the removal action. And when later some other node gets connected, it should understand somehow that its topology information is outdated.
>
> Ludwig

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

From lkrispen at redhat.com Wed Jun 24 09:47:17 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Wed, 24 Jun 2015 11:47:17 +0200
Subject: [Freeipa-devel] Topology: Central node removal in star topology
In-Reply-To: <558A7A09.9060408@redhat.com>
References: <558A729F.1030307@redhat.com> <558A7798.8020000@redhat.com> <558A7A09.9060408@redhat.com>
Message-ID: <558A7CA5.1090301@redhat.com>

On 06/24/2015 11:36 AM, Oleg Fayans wrote:
>
> On 06/24/2015 11:25 AM, Ludwig Krispenz wrote:
>> Oleg,
>>
>> the topology plugin relies on existing connections between servers
>> which remain in a topology. If you remove a central node in your
>> topology you are asking for trouble.
>> With Petr's patch it warns you that your topology will be
>> disconnected, and if you insist we cannot guarantee anything.
> Agree. I just wanted to try edge cases to see how one can break the
> system :)
>> Should we completely prohibit this? I don't know, I think you could
>> also enforce an uninstall of vm175 with probably the same result.
>> What you mean by calculating the remaining topology and sending it to
>> the remaining servers does not work; it would require sending a
>> removal of a segment, which would be rejected.
>>
>> The topology is broken, and I don't know how much we should invest in
>> making this info consistent on all servers.
>>
>> More interesting would be if we can heal this later by adding new
>> segments.
> Yes, here comes the biggest question raised by this case: obviously,
> when none of the nodes possess the correct topology information
> (including the one which deleted the central node), there is no way to
> fix it by adding segments connecting the nodes that became disconnected.
It should not need the full information, but it has to be able to reach one of the nodes to be connected.
When the topology is broken, you lose the ability to apply a change on any node, e.g. in your case, if you want to connect vm036 and vm056 and have removed vm175, you have to do it on vm056, vm036 or vm244.
This should work; if not, we have to fix it - unless we completely prevent disconnecting a topology.
> I still think that the recalculation of the resulting tree should be
> done at least on the node that performs the removal action. And when
> later some other node gets connected, it should understand somehow
> that its topology information is outdated.
From: ofayans at redhat.com (Oleg Fayans)
Date: Wed, 24 Jun 2015 12:02:06 +0200
Subject: [Freeipa-devel] Topology: Central node removal in star topology
In-Reply-To: <558A7CA5.1090301@redhat.com>
References: <558A729F.1030307@redhat.com> <558A7798.8020000@redhat.com> <558A7A09.9060408@redhat.com> <558A7CA5.1090301@redhat.com>
Message-ID: <558A801E.5010906@redhat.com>

On 06/24/2015 11:47 AM, Ludwig Krispenz wrote:
>
> On 06/24/2015 11:36 AM, Oleg Fayans wrote:
>>
>>
>> On 06/24/2015 11:25 AM, Ludwig Krispenz wrote:
>>> Oleg,
>>>
>>> the topology plugin relies on existing connection between servers which remain in a topology. If you remove a central node in your topology you are asking for trouble.
>>> With Petr's patch it warns you that your topology will be disconnected, and if you insist we cannot guarantee anything.
>> Agree. I just wanted to try edge cases to see how one can break the system :)
>>> should we completely prohibit this ? I don't know, I think you could also enforce an uninstall of vm175 with probably the same result.
>>> what you mean by calculating the remaining topology and send it to the remaining servers does not work, it would require to send a removal of a segment, which would be rejected.
>>>
>>> The topology is broken, and I don't know how much we should invest in making this info consistent on all servers.
>>>
>>> More interesting would be if we can heal this later by adding new segments.
>> Yes, here comes the biggest question raised from this case: obviously, when none of the nodes possess the correct topology information (including the one which deleted the central node), there is no way to fix it by adding segments connecting the nodes that became disconnected.
> It should not need the full information, but it has to be able to reach one of the nodes to be connected. When the topology is broken, you lose the feature to be able to apply a change on any node, e.g. in your case if you want to connect vm036 and vm056 and have removed vm175, you have to do it on vm056, vm036 or vm244. This should work, if not we have to fix it - unless we completely prevent disconnecting a topology
Well, this is exactly the problem here: all replicas should contain precise copies of all the info: accounts, hosts, sudorules, etc, including topology information. However, if in this case I manually connect the disconnected node at vm127 (or vm056, does not matter) it results in topology information inconsistency across the infrastructure:
This would be the topology from the point of view of vm127:

vm056     vm036
    \    /  |
     vm175  |
         \  |
vm127     vm244

And this - from the point of view of vm244 and vm036

vm056     vm036
    \       |
     vm175  |
            |
vm127 ----- vm244
>> I still think that the recalculation of the resulting tree should be done at least on the node that performs the removal action. And when later some other node gets connected, it should understand somehow that its topology information is outdated
>>>
>>> Ludwig
>>> On 06/24/2015 11:04 AM, Oleg Fayans wrote:
>>>> Hi everybody,
>>>>
>>>> Current implementation of topology plugin (including patch 878 from Petr) allows the deletion of the central node in the star topology.
>>>> I had the following topology:
>>>>
>>>> vm056     vm036
>>>>     \    /  |
>>>>      vm175  |
>>>>     /    \  |
>>>> vm127     vm244
>>>>
>>>> I was able to remove node vm175 from node vm244:
>>>>
>>>> [17:54:48]ofayans at vm-244:~]$ ipa-replica-manage del vm-175.idm.lab.eng.brq.redhat.com
>>>> Topology after removal of vm-175.idm.lab.eng.brq.redhat.com will be disconnected:
>>>> Server vm-036.idm.lab.eng.brq.redhat.com can't contact servers: vm-056.idm.lab.eng.brq.redhat.com, vm-127.idm.lab.eng.brq.redhat.com
>>>> Server vm-056.idm.lab.eng.brq.redhat.com can't contact servers: vm-244.idm.lab.eng.brq.redhat.com, vm-036.idm.lab.eng.brq.redhat.com, vm-127.idm.lab.eng.brq.redhat.com
>>>> Server vm-127.idm.lab.eng.brq.redhat.com can't contact servers: vm-244.idm.lab.eng.brq.redhat.com, vm-056.idm.lab.eng.brq.redhat.com, vm-036.idm.lab.eng.brq.redhat.com
>>>> Server vm-244.idm.lab.eng.brq.redhat.com can't contact servers: vm-056.idm.lab.eng.brq.redhat.com, vm-127.idm.lab.eng.brq.redhat.com
>>>> Continue to delete? [no]: yes
>>>> Waiting for removal of replication agreements
>>>> unexpected error: limits exceeded for this query
>>>>
>>>> I would expect this operation to delete 4 replication agreements on all nodes:
>>>> vm056 - vm175
>>>> vm127 - vm175
>>>> vm244 - vm175
>>>> vm036 - vm175
>>>>
>>>> However an arbitrary set of replication agreements was deleted on each node leading to total infrastructure inconsistency:
>>>> ===============================================================
>>>> vm056 thought the topology was as follows:
>>>>
>>>> vm056     vm036
>>>>          /  |
>>>>      vm175  |
>>>>     /    \  |
>>>> vm127     vm244
>>>>
>>>> [10:28:55]ofayans at vm-056:~]$ ipa topologysegment-find realm
>>>> ------------------
>>>> 4 segments matched
>>>> ------------------
>>>>   Segment name: 036-to-244
>>>>   Left node: vm-036.idm.lab.eng.brq.redhat.com
>>>>   Right node: vm-244.idm.lab.eng.brq.redhat.com
>>>>   Connectivity: both
>>>>
>>>>   Segment name: vm-036.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com
>>>>   Left node: vm-036.idm.lab.eng.brq.redhat.com
>>>>   Right node: vm-175.idm.lab.eng.brq.redhat.com
>>>>   Connectivity: both
>>>>
>>>>   Segment name: vm-127.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com
>>>>   Left node: vm-127.idm.lab.eng.brq.redhat.com
>>>>   Right node: vm-175.idm.lab.eng.brq.redhat.com
>>>>   Connectivity: both
>>>>
>>>>   Segment name: vm-175.idm.lab.eng.brq.redhat.com-to-vm-244.idm.lab.eng.brq.redhat.com
>>>>   Left node: vm-175.idm.lab.eng.brq.redhat.com
>>>>   Right node: vm-244.idm.lab.eng.brq.redhat.com
>>>>   Connectivity: both
>>>> ----------------------------
>>>> Number of entries returned 4
>>>> ----------------------------
>>>> ===============================================================
>>>> both vm036 and vm244 thought the topology was as follows:
>>>>
>>>> vm056     vm036
>>>>     \       |
>>>>      vm175  |
>>>>     /       |
>>>> vm127     vm244
>>>>
>>>> [10:26:23]ofayans at vm-036:~]$ ipa topologysegment-find
>>>> Suffix name: realm
>>>> ------------------
>>>> 3 segments matched
>>>> ------------------
>>>>   Segment name: 036-to-244
>>>>   Left node: vm-036.idm.lab.eng.brq.redhat.com
>>>>   Right node: vm-244.idm.lab.eng.brq.redhat.com
>>>>   Connectivity: both
>>>>
>>>>   Segment name: vm-056.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com
>>>>   Left node: vm-056.idm.lab.eng.brq.redhat.com
>>>>   Right node: vm-175.idm.lab.eng.brq.redhat.com
>>>>   Connectivity: both
>>>>
>>>>   Segment name: vm-127.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com
>>>>   Left node: vm-127.idm.lab.eng.brq.redhat.com
>>>>   Right node: vm-175.idm.lab.eng.brq.redhat.com
>>>>   Connectivity: both
>>>> ----------------------------
>>>> Number of entries returned 3
>>>> ----------------------------
>>>>
>>>> ===============================================================
>>>> vm127 thought the topology was as follows:
>>>>
>>>> vm056     vm036
>>>>     \    /  |
>>>>      vm175  |
>>>>          \  |
>>>> vm127     vm244
>>>>
>>>> [10:31:08]ofayans at vm-127:~]$ ipa topologysegment-find realm
>>>> ------------------
>>>> 4 segments matched
>>>> ------------------
>>>>   Segment name: 036-to-244
>>>>   Left node: vm-036.idm.lab.eng.brq.redhat.com
>>>>   Right node: vm-244.idm.lab.eng.brq.redhat.com
>>>>   Connectivity: both
>>>>
>>>>   Segment name: vm-036.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com
>>>>   Left node: vm-036.idm.lab.eng.brq.redhat.com
>>>>   Right node: vm-175.idm.lab.eng.brq.redhat.com
>>>>   Connectivity: both
>>>>
>>>>   Segment name: vm-056.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com
>>>>   Left node: vm-056.idm.lab.eng.brq.redhat.com
>>>>   Right node: vm-175.idm.lab.eng.brq.redhat.com
>>>>   Connectivity: both
>>>>
>>>>   Segment name: vm-175.idm.lab.eng.brq.redhat.com-to-vm-244.idm.lab.eng.brq.redhat.com
>>>>   Left node: vm-175.idm.lab.eng.brq.redhat.com
>>>>   Right node: vm-244.idm.lab.eng.brq.redhat.com
>>>>   Connectivity: both
>>>> ----------------------------
>>>> Number of entries returned 4
>>>> ----------------------------
>>>>
>>>> If I, for example, add a segment connecting vm127 and vm244, these two nodes will not synchronize the topology info:
>>>>
>>>> [10:51:03]ofayans at vm-127:~]$ ipa topologysegment-add realm 127-to-244 --leftnode=vm-127.idm.lab.eng.brq.redhat.com --rightnode=vm-244.idm.lab.eng.brq.redhat.com --direction=both
>>>> --------------------------
>>>> Added segment "127-to-244"
>>>> --------------------------
>>>>   Segment name: 127-to-244
>>>>   Left node: vm-127.idm.lab.eng.brq.redhat.com
>>>>   Right node: vm-244.idm.lab.eng.brq.redhat.com
>>>>   Connectivity: both
>>>> [10:53:33]ofayans at vm-127:~]$ ipa topologysegment-find realm
>>>> ------------------
>>>> 5 segments matched
>>>> ------------------
>>>>   Segment name: 036-to-244
>>>>   Left node: vm-036.idm.lab.eng.brq.redhat.com
>>>>   Right node: vm-244.idm.lab.eng.brq.redhat.com
>>>>   Connectivity: both
>>>>
>>>>   Segment name: 127-to-244
>>>>   Left node: vm-127.idm.lab.eng.brq.redhat.com
>>>>   Right node: vm-244.idm.lab.eng.brq.redhat.com
>>>>   Connectivity: both
>>>>
>>>>   Segment name: vm-036.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com
>>>>   Left node: vm-036.idm.lab.eng.brq.redhat.com
>>>>   Right node: vm-175.idm.lab.eng.brq.redhat.com
>>>>   Connectivity: both
>>>>
>>>>   Segment name: vm-056.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com
>>>>   Left node: vm-056.idm.lab.eng.brq.redhat.com
>>>>   Right node: vm-175.idm.lab.eng.brq.redhat.com
>>>>   Connectivity: both
>>>>
>>>>   Segment name: vm-175.idm.lab.eng.brq.redhat.com-to-vm-244.idm.lab.eng.brq.redhat.com
>>>>   Left node: vm-175.idm.lab.eng.brq.redhat.com
>>>>   Right node: vm-244.idm.lab.eng.brq.redhat.com
>>>>   Connectivity: both
>>>> ----------------------------
>>>> Number of entries returned 5
>>>> ----------------------------
>>>> [10:54:02]ofayans at vm-127:~]$
>>>>
>>>> =============================================================
>>>>
>>>> [10:49:38]ofayans at vm-244:~]$ ipa topologysegment-find realm
>>>> ------------------
>>>> 3 segments matched
>>>> ------------------
>>>>   Segment name: 036-to-244
>>>>   Left node: vm-036.idm.lab.eng.brq.redhat.com
>>>>   Right node: vm-244.idm.lab.eng.brq.redhat.com
>>>>   Connectivity: both
>>>>
>>>>   Segment name: 127-to-244
>>>>   Left node: vm-127.idm.lab.eng.brq.redhat.com
>>>>   Right node: vm-244.idm.lab.eng.brq.redhat.com
>>>>   Connectivity: both
>>>>
>>>>   Segment name: vm-056.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com
>>>>   Left node: vm-056.idm.lab.eng.brq.redhat.com
>>>>   Right node: vm-175.idm.lab.eng.brq.redhat.com
>>>>   Connectivity: both
>>>> ----------------------------
>>>> Number of entries returned 3
>>>> ----------------------------
>>>> [10:56:34]ofayans at vm-244:~]$
>>>>
>>>> Conclusion:
>>>> We either should completely prohibit the removal of the middle nodes (I mean, nodes that hide other active nodes),
>>>> or at the removal stage first recalculate the resulting topology and send it to all nodes before actual removal.
>>>> -- 
>>>> Oleg Fayans
>>>> Quality Engineer
>>>> FreeIPA team
>>>> RedHat.
>>>>
>>>>
>>>
>>>
>>>
>>
>> -- 
>> Oleg Fayans
>> Quality Engineer
>> FreeIPA team
>> RedHat.
>>
>>
>
>
>
-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

From ofayans at redhat.com Wed Jun 24 10:03:50 2015
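The two facts the thread turns on, the "Topology after removal of X will be disconnected: Server A can't contact servers: ..." warning from Petr's patch and the different segment lists each replica reports afterwards, are both computable from the segment data that `ipa topologysegment-find` prints. The following Python is an added example written for this page; it is not FreeIPA's code and not the topology plugin's algorithm. It models a segment as (name, left node, right node, direction), reports which servers become unreachable when a node is removed, and diffs the segment sets collected from several replicas to flag the inconsistency Oleg describes. The sample data is constructed from the star topology in the report, with short labels in place of the lab host names; the one-way direction values `left-right` and `right-left` are assumed, only `both` appears in the thread.

```python
"""Connectivity and consistency checks for a replication topology.

Added example for this thread, not FreeIPA's own code. A segment is
(name, left node, right node, direction), the fields `ipa
topologysegment-find` prints. Short labels stand in for the lab host
names; the one-way direction values 'left-right'/'right-left' are assumed.
"""
from collections import deque

# Constructed sample: the star from the report, vm175 in the centre,
# plus the extra 036-to-244 segment, as it was before vm175 was removed.
SEGMENTS = [
    ("036-to-244", "vm036", "vm244", "both"),
    ("vm036-to-vm175", "vm036", "vm175", "both"),
    ("vm056-to-vm175", "vm056", "vm175", "both"),
    ("vm127-to-vm175", "vm127", "vm175", "both"),
    ("vm175-to-vm244", "vm175", "vm244", "both"),
]

# Constructed from the per-node `topologysegment-find` output in the
# report after the removal: which segments each replica still listed.
POST_REMOVAL_VIEWS = {
    "vm056": {"036-to-244", "vm036-to-vm175", "vm127-to-vm175", "vm175-to-vm244"},
    "vm036": {"036-to-244", "vm056-to-vm175", "vm127-to-vm175"},
    "vm244": {"036-to-244", "vm056-to-vm175", "vm127-to-vm175"},
    "vm127": {"036-to-244", "vm036-to-vm175", "vm056-to-vm175", "vm175-to-vm244"},
}


def build_graph(segments, removed=()):
    """Directed adjacency {node: set(nodes it sends changes to)}.

    Segments touching a node in `removed` are dropped, which is the
    effect of `ipa-replica-manage del` on that node's agreements. A node
    that loses all its segments stays in the graph as an isolated vertex.
    """
    removed = set(removed)
    nodes = {n for _, left, right, _ in segments for n in (left, right)}
    graph = {n: set() for n in nodes - removed}
    for _, left, right, direction in segments:
        if left in removed or right in removed:
            continue
        if direction in ("both", "left-right"):
            graph[left].add(right)
        if direction in ("both", "right-left"):
            graph[right].add(left)
    return graph


def reachable(graph, start):
    """Every node that eventually receives changes made on `start` (BFS)."""
    seen = {start}
    queue = deque([start])
    while queue:
        for nxt in graph[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def unreachable_after_removal(segments, node=None):
    """For each remaining server, the servers it can no longer reach.

    {} means the topology stays connected. Otherwise the result carries
    the same information as the CLI's "Server A can't contact servers:
    B, C" lines, one entry per server.
    """
    graph = build_graph(segments, removed=[node] if node else [])
    report = {}
    for server in sorted(graph):
        missing = sorted(set(graph) - reachable(graph, server))
        if missing:
            report[server] = missing
    return report


def topology_view_diff(views):
    """Flag segments that not every replica knows about.

    `views` maps server -> set of segment names, as collected by running
    `ipa topologysegment-find` on each replica. A consistent deployment
    returns {}; otherwise each differing segment maps to the servers that
    still list it.
    """
    every = set().union(*views.values())
    diff = {}
    for seg in sorted(every):
        holders = sorted(s for s, segs in views.items() if seg in segs)
        if len(holders) != len(views):
            diff[seg] = holders
    return diff


if __name__ == "__main__":
    for server, missing in unreachable_after_removal(SEGMENTS, "vm175").items():
        print(f"Server {server} can't contact servers: {', '.join(missing)}")
    for seg, holders in topology_view_diff(POST_REMOVAL_VIEWS).items():
        print(f"segment {seg} only on: {', '.join(holders)}")
```

Run stand-alone, the first loop reproduces the four "can't contact" lines from the report (036 cannot reach 056 and 127, 056 and 127 reach nobody, 244 cannot reach 056 and 127), and the second shows that only 036-to-244 is agreed on by all four replicas. Removing a leaf such as vm056 instead returns an empty report, which is the condition a deletion guard would require before proceeding without a prompt; the view diff is the check to run on every replica after any topology change, since replication of the topology entries themselves is exactly what breaks here.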
From: ofayans at redhat.com (Oleg Fayans)
Date: Wed, 24 Jun 2015 12:03:50 +0200
Subject: [Freeipa-devel] Topology: Central node removal in star topology
In-Reply-To: <558A801E.5010906@redhat.com>
References: <558A729F.1030307@redhat.com> <558A7798.8020000@redhat.com> <558A7A09.9060408@redhat.com> <558A7CA5.1090301@redhat.com> <558A801E.5010906@redhat.com>
Message-ID: <558A8086.70306@redhat.com>

On 06/24/2015 12:02 PM, Oleg Fayans wrote:
>
>
> On 06/24/2015 11:47 AM, Ludwig Krispenz wrote:
>>
>> On 06/24/2015 11:36 AM, Oleg Fayans wrote:
>>>
>>>
>>> On 06/24/2015 11:25 AM, Ludwig Krispenz wrote:
>>>> Oleg,
>>>>
>>>> the topology plugin relies on existing connection between servers which remain in a topology. If you remove a central node in your topology you are asking for trouble.
>>>> With Petr's patch it warns you that your topology will be disconnected, and if you insist we cannot guarantee anything.
>>> Agree. I just wanted to try edge cases to see how one can break the system :)
>>>> should we completely prohibit this ? I don't know, I think you could also enforce an uninstall of vm175 with probably the same result.
>>>> what you mean by calculating the remaining topology and send it to the remaining servers does not work, it would require to send a removal of a segment, which would be rejected.
>>>>
>>>> The topology is broken, and I don't know how much we should invest in making this info consistent on all servers.
>>>>
>>>> More interesting would be if we can heal this later by adding new segments.
>>> Yes, here comes the biggest question raised from this case: obviously, when none of the nodes possess the correct topology information (including the one which deleted the central node), there is no way to fix it by adding segments connecting the nodes that became disconnected.
>> It should not need the full information, but it has to be able to reach one of the nodes to be connected. When the topology is broken, you lose the feature to be able to apply a change on any node, e.g. in your case if you want to connect vm036 and vm056 and have removed vm175, you have to do it on vm056, vm036 or vm244. This should work, if not we have to fix it - unless we completely prevent disconnecting a topology
> Well, this is exactly the problem here: all replicas should contain precise copies of all the info: accounts, hosts, sudorules, etc, including topology information. However, if in this case I manually connect the disconnected node at vm127 (or vm056, does not matter) it results in topology information inconsistency across the infrastructure:
> This would be the topology from the point of view of vm127:
>
> vm056     vm036
>     \    /  |
>      vm175  |
>          \  |
> vm127     vm244
sorry, I meant

vm056     vm036
    \    /  |
     vm175  |
         \  |
vm127 ----- vm244
>
> And this - from the point of view of vm244 and vm036
>
> vm056     vm036
>     \       |
>      vm175  |
>             |
> vm127 ----- vm244
>>> I still think that the recalculation of the resulting tree should be done at least on the node that performs the removal action. And when later some other node gets connected, it should understand somehow that its topology information is outdated
>>>>
>>>> Ludwig
>>>> On 06/24/2015 11:04 AM, Oleg Fayans wrote:
>>>>> Hi everybody,
>>>>>
>>>>> Current implementation of topology plugin (including patch 878 from Petr) allows the deletion of the central node in the star topology.
>>>>> I had the following topology:
>>>>>
>>>>> vm056     vm036
>>>>>     \    /  |
>>>>>      vm175  |
>>>>>     /    \  |
>>>>> vm127     vm244
>>>>>
>>>>> I was able to remove node vm175 from node vm244:
>>>>>
>>>>> [17:54:48]ofayans at vm-244:~]$ ipa-replica-manage del vm-175.idm.lab.eng.brq.redhat.com
>>>>> Topology after removal of vm-175.idm.lab.eng.brq.redhat.com will be disconnected:
>>>>> Server vm-036.idm.lab.eng.brq.redhat.com can't contact servers: vm-056.idm.lab.eng.brq.redhat.com, vm-127.idm.lab.eng.brq.redhat.com
>>>>> Server vm-056.idm.lab.eng.brq.redhat.com can't contact servers: vm-244.idm.lab.eng.brq.redhat.com, vm-036.idm.lab.eng.brq.redhat.com, vm-127.idm.lab.eng.brq.redhat.com
>>>>> Server vm-127.idm.lab.eng.brq.redhat.com can't contact servers: vm-244.idm.lab.eng.brq.redhat.com, vm-056.idm.lab.eng.brq.redhat.com, vm-036.idm.lab.eng.brq.redhat.com
>>>>> Server vm-244.idm.lab.eng.brq.redhat.com can't contact servers: vm-056.idm.lab.eng.brq.redhat.com, vm-127.idm.lab.eng.brq.redhat.com
>>>>> Continue to delete? [no]: yes
>>>>> Waiting for removal of replication agreements
>>>>> unexpected error: limits exceeded for this query
>>>>>
>>>>> I would expect this operation to delete 4 replication agreements on all nodes:
>>>>> vm056 - vm175
>>>>> vm127 - vm175
>>>>> vm244 - vm175
>>>>> vm036 - vm175
>>>>>
>>>>> However an arbitrary set of replication agreements was deleted on each node leading to total infrastructure inconsistency:
>>>>> ===============================================================
>>>>> vm056 thought the topology was as follows:
>>>>>
>>>>> vm056     vm036
>>>>>          /  |
>>>>>      vm175  |
>>>>>     /    \  |
>>>>> vm127     vm244
>>>>>
>>>>> [10:28:55]ofayans at vm-056:~]$ ipa topologysegment-find realm
>>>>> ------------------
>>>>> 4 segments matched
>>>>> ------------------
>>>>>   Segment name: 036-to-244
>>>>>   Left node: vm-036.idm.lab.eng.brq.redhat.com
>>>>>   Right node: vm-244.idm.lab.eng.brq.redhat.com
>>>>>   Connectivity: both
>>>>>
>>>>>   Segment name: vm-036.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com
>>>>>   Left node: vm-036.idm.lab.eng.brq.redhat.com
>>>>>   Right node: vm-175.idm.lab.eng.brq.redhat.com
>>>>>   Connectivity: both
>>>>>
>>>>>   Segment name: vm-127.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com
>>>>>   Left node: vm-127.idm.lab.eng.brq.redhat.com
>>>>>   Right node: vm-175.idm.lab.eng.brq.redhat.com
>>>>>   Connectivity: both
>>>>>
>>>>>   Segment name: vm-175.idm.lab.eng.brq.redhat.com-to-vm-244.idm.lab.eng.brq.redhat.com
>>>>>   Left node: vm-175.idm.lab.eng.brq.redhat.com
>>>>>   Right node: vm-244.idm.lab.eng.brq.redhat.com
>>>>>   Connectivity: both
>>>>> ----------------------------
>>>>> Number of entries returned 4
>>>>> ----------------------------
>>>>> ===============================================================
>>>>> both vm036 and vm244 thought the topology was as follows:
>>>>>
>>>>> vm056     vm036
>>>>>     \       |
>>>>>      vm175  |
>>>>>     /       |
>>>>> vm127     vm244
>>>>>
>>>>> [10:26:23]ofayans at vm-036:~]$ ipa topologysegment-find
>>>>> Suffix name: realm
>>>>> ------------------
>>>>> 3 segments matched
>>>>> ------------------
>>>>>   Segment name: 036-to-244
>>>>>   Left node: vm-036.idm.lab.eng.brq.redhat.com
>>>>>   Right node: vm-244.idm.lab.eng.brq.redhat.com
>>>>>   Connectivity: both
>>>>>
>>>>>   Segment name: vm-056.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com
>>>>>   Left node: vm-056.idm.lab.eng.brq.redhat.com
>>>>>   Right node: vm-175.idm.lab.eng.brq.redhat.com
>>>>>   Connectivity: both
>>>>>
>>>>>   Segment name: vm-127.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com
>>>>>   Left node: vm-127.idm.lab.eng.brq.redhat.com
>>>>>   Right node: vm-175.idm.lab.eng.brq.redhat.com
>>>>>   Connectivity: both
>>>>> ----------------------------
>>>>> Number of entries returned 3
>>>>> ----------------------------
>>>>>
>>>>> ===============================================================
>>>>> vm127 thought the topology was as follows:
>>>>>
>>>>> vm056     vm036
>>>>>     \    /  |
>>>>>      vm175  |
>>>>>          \  |
>>>>> vm127     vm244
>>>>>
>>>>> [10:31:08]ofayans at vm-127:~]$ ipa topologysegment-find realm
>>>>> ------------------
>>>>> 4 segments matched
>>>>> ------------------
>>>>>   Segment name: 036-to-244
>>>>>   Left node: vm-036.idm.lab.eng.brq.redhat.com
>>>>>   Right node: vm-244.idm.lab.eng.brq.redhat.com
>>>>>   Connectivity: both
>>>>>
>>>>>   Segment name: vm-036.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com
>>>>>   Left node: vm-036.idm.lab.eng.brq.redhat.com
>>>>>   Right node: vm-175.idm.lab.eng.brq.redhat.com
>>>>>   Connectivity: both
>>>>>
>>>>>   Segment name: vm-056.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com
>>>>>   Left node: vm-056.idm.lab.eng.brq.redhat.com
>>>>>   Right node: vm-175.idm.lab.eng.brq.redhat.com
>>>>>   Connectivity: both
>>>>>
>>>>>   Segment name: vm-175.idm.lab.eng.brq.redhat.com-to-vm-244.idm.lab.eng.brq.redhat.com
>>>>>   Left node: vm-175.idm.lab.eng.brq.redhat.com
>>>>>   Right node: vm-244.idm.lab.eng.brq.redhat.com
>>>>>   Connectivity: both
>>>>> ----------------------------
>>>>> Number of entries returned 4
>>>>> ----------------------------
>>>>>
>>>>> If I, for example, add a segment connecting vm127 and vm244, these two nodes will not synchronize the topology info:
>>>>>
>>>>> [10:51:03]ofayans at vm-127:~]$ ipa topologysegment-add realm 127-to-244 --leftnode=vm-127.idm.lab.eng.brq.redhat.com --rightnode=vm-244.idm.lab.eng.brq.redhat.com --direction=both
>>>>> --------------------------
>>>>> Added segment "127-to-244"
>>>>> --------------------------
>>>>>   Segment name: 127-to-244
>>>>>   Left node: vm-127.idm.lab.eng.brq.redhat.com
>>>>>   Right node: vm-244.idm.lab.eng.brq.redhat.com
>>>>>   Connectivity: both
>>>>> [10:53:33]ofayans at vm-127:~]$ ipa topologysegment-find realm
>>>>> ------------------
>>>>> 5 segments matched
>>>>> ------------------
>>>>>   Segment name: 036-to-244
>>>>>   Left node: vm-036.idm.lab.eng.brq.redhat.com
>>>>>   Right node: vm-244.idm.lab.eng.brq.redhat.com
>>>>>   Connectivity: both
>>>>>
>>>>>   Segment name: 127-to-244
>>>>>   Left node: vm-127.idm.lab.eng.brq.redhat.com
>>>>>   Right node: vm-244.idm.lab.eng.brq.redhat.com
>>>>>   Connectivity: both
>>>>>
>>>>>   Segment name: vm-036.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com
>>>>>   Left node: vm-036.idm.lab.eng.brq.redhat.com
>>>>>   Right node: vm-175.idm.lab.eng.brq.redhat.com
>>>>>   Connectivity: both
>>>>>
>>>>>   Segment name: vm-056.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com
>>>>>   Left node: vm-056.idm.lab.eng.brq.redhat.com
>>>>>   Right node: vm-175.idm.lab.eng.brq.redhat.com
>>>>>   Connectivity: both
>>>>>
>>>>>   Segment name: vm-175.idm.lab.eng.brq.redhat.com-to-vm-244.idm.lab.eng.brq.redhat.com
>>>>>   Left node: vm-175.idm.lab.eng.brq.redhat.com
>>>>>   Right node: vm-244.idm.lab.eng.brq.redhat.com
>>>>>   Connectivity: both
>>>>> ----------------------------
>>>>> Number of entries returned 5
>>>>> ----------------------------
>>>>> [10:54:02]ofayans at vm-127:~]$
>>>>>
>>>>> =============================================================
>>>>>
>>>>> [10:49:38]ofayans at vm-244:~]$ ipa topologysegment-find realm
>>>>> ------------------
>>>>> 3 segments matched
>>>>> ------------------
>>>>>   Segment name: 036-to-244
>>>>>   Left node: vm-036.idm.lab.eng.brq.redhat.com
>>>>>   Right node: vm-244.idm.lab.eng.brq.redhat.com
>>>>>   Connectivity: both
>>>>>
>>>>>   Segment name: 127-to-244
>>>>>   Left node: vm-127.idm.lab.eng.brq.redhat.com
>>>>>   Right node: vm-244.idm.lab.eng.brq.redhat.com
>>>>>   Connectivity: both
>>>>>
>>>>>   Segment name: vm-056.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com
>>>>>   Left node: vm-056.idm.lab.eng.brq.redhat.com
>>>>>   Right node: vm-175.idm.lab.eng.brq.redhat.com
>>>>>   Connectivity: both
>>>>> ----------------------------
>>>>> Number of entries returned 3
>>>>> ----------------------------
>>>>> [10:56:34]ofayans at vm-244:~]$
>>>>>
>>>>> Conclusion:
>>>>> We either should completely prohibit the removal of the middle nodes (I mean, nodes that hide other active nodes),
>>>>> or at the removal stage first recalculate the resulting topology and send it to all nodes before actual removal.
>>>>> -- 
>>>>> Oleg Fayans
>>>>> Quality Engineer
>>>>> FreeIPA team
>>>>> RedHat.
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>> -- 
>>> Oleg Fayans
>>> Quality Engineer
>>> FreeIPA team
>>> RedHat.
>>>
>>>
>>
>>
>>
>
> -- 
> Oleg Fayans
> Quality Engineer
> FreeIPA team
> RedHat.
>
>
-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

From ofayans at redhat.com Wed Jun 24 10:19:27 2015
From: ofayans at redhat.com (Oleg Fayans)
Date: Wed, 24 Jun 2015 12:19:27 +0200
Subject: [Freeipa-devel] topologysegment-mod question
Message-ID: <558A842F.4050605@redhat.com>

Hi Ludwig,

I see some contradictions in the way the segment modification cli is implemented:

1.
$ ipa help topologysegment-mod
Usage: ipa [global-options] topologysegment-mod TOPOLOGYSUFFIX NAME [options]

$ ipa topologysegment-mod realm 127-to-244 --setattr=Segment name=test
ipa: ERROR: command 'topologysegment_mod' takes at most 2 arguments
(suffix + name + options = 3, not 2)

2. Is there a way to list all possible attributes available for modification? When I do topologysegment-show --all, I get quite a small number of them, and even those I am unable to modify:

$ ipa topologysegment-show realm 127-to-244 --all
  dn: cn=127-to-244,cn=realm,cn=topology,cn=ipa,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
  Segment name: 127-to-244
  Left node: vm-127.idm.lab.eng.brq.redhat.com
  Right node: vm-244.idm.lab.eng.brq.redhat.com
  Connectivity: both
  objectclass: top, iparepltoposegment

$ ipa topologysegment-mod realm 127-to-244 --setattr=connectivity=left-right
ipa: ERROR: attribute "connectivity" not allowed

$ ipa topologysegment-mod realm 127-to-244 --setattr=direction=left-right
ipa: ERROR: attribute "direction" not allowed

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

From lkrispen at redhat.com Wed Jun 24 10:28:48 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Wed, 24 Jun 2015 12:28:48 +0200
Subject: [Freeipa-devel] Topology: Central node removal in star topology
In-Reply-To: <558A801E.5010906@redhat.com>
References: <558A729F.1030307@redhat.com> <558A7798.8020000@redhat.com> <558A7A09.9060408@redhat.com> <558A7CA5.1090301@redhat.com> <558A801E.5010906@redhat.com>
Message-ID: <558A8660.6070905@redhat.com>

On 06/24/2015 12:02 PM, Oleg Fayans wrote:
>
>
> On 06/24/2015 11:47 AM, Ludwig Krispenz wrote:
>>
>> On 06/24/2015 11:36 AM, Oleg Fayans wrote:
>>>
>>>
>>> On 06/24/2015 11:25 AM, Ludwig Krispenz wrote:
>>>> Oleg,
>>>>
>>>> the topology plugin relies on existing connection between servers which remain in a topology. If you remove a central node in your topology you are asking for trouble.
>>>> With Petr's patch it warns you that your topology will be disconnected, and if you insist we cannot guarantee anything.
>>> Agree. I just wanted to try edge cases to see how one can break the system :)
>>>> should we completely prohibit this ? I don't know, I think you could also enforce an uninstall of vm175 with probably the same result.
>>>> what you mean by calculating the remaining topology and send it to the remaining servers does not work, it would require to send a removal of a segment, which would be rejected.
>>>>
>>>> The topology is broken, and I don't know how much we should invest in making this info consistent on all servers.
>>>>
>>>> More interesting would be if we can heal this later by adding new segments.
>>> Yes, here comes the biggest question raised from this case: obviously, when none of the nodes possess the correct topology information (including the one which deleted the central node), there is no way to fix it by adding segments connecting the nodes that became disconnected.
>> It should not need the full information, but it has to be able to reach one of the nodes to be connected. When the topology is broken, you lose the feature to be able to apply a change on any node, e.g. in your case if you want to connect vm036 and vm056 and have removed vm175, you have to do it on vm056, vm036 or vm244. This should work, if not we have to fix it - unless we completely prevent disconnecting a topology
> Well, this is exactly the problem here: all replicas should contain precise copies of all the info: accounts, hosts, sudorules, etc, including topology information. However, if in this case I manually connect the disconnected node at vm127 (or vm056, does not matter) it results in topology information inconsistency across the infrastructure:
> This would be the topology from the point of view of vm127:
did you add the connection on vm127 or on vm244 ? sorry, but in these situations to understand what's going on, it can matter.
to me it looks like you did it on vm127, so it's there, it got replicated to vm244, but replication back does not work and so the deletion of the segs to vm175, which should still be in the changelogs of 036 and 244, don't get to 127. Do you have something in the error logs of 244 ?
>
> vm056     vm036
>     \    /  |
>      vm175  |
>          \  |
> vm127     vm244
>
> And this - from the point of view of vm244 and vm036
>
> vm056     vm036
>     \       |
>      vm175  |
>             |
> vm127 ----- vm244
>>> I still think that the recalculation of the resulting tree should be done at least on the node that performs the removal action. And when later some other node gets connected, it should understand somehow that its topology information is outdated
>>>>
>>>> Ludwig
>>>> On 06/24/2015 11:04 AM, Oleg Fayans wrote:
>>>>> Hi everybody,
>>>>>
>>>>> Current implementation of topology plugin (including patch 878 from Petr) allows the deletion of the central node in the star topology.
>>>>> I had the following topology:
>>>>>
>>>>> vm056     vm036
>>>>>     \    /  |
>>>>>      vm175  |
>>>>>     /    \  |
>>>>> vm127     vm244
>>>>>
>>>>> I was able to remove node vm175 from node vm244:
>>>>>
>>>>> [17:54:48]ofayans at vm-244:~]$ ipa-replica-manage del vm-175.idm.lab.eng.brq.redhat.com
>>>>> Topology after removal of vm-175.idm.lab.eng.brq.redhat.com will be disconnected:
>>>>> Server vm-036.idm.lab.eng.brq.redhat.com can't contact servers: vm-056.idm.lab.eng.brq.redhat.com, vm-127.idm.lab.eng.brq.redhat.com
>>>>> Server vm-056.idm.lab.eng.brq.redhat.com can't contact servers: vm-244.idm.lab.eng.brq.redhat.com, vm-036.idm.lab.eng.brq.redhat.com, vm-127.idm.lab.eng.brq.redhat.com
>>>>> Server vm-127.idm.lab.eng.brq.redhat.com can't contact servers: vm-244.idm.lab.eng.brq.redhat.com, vm-056.idm.lab.eng.brq.redhat.com, vm-036.idm.lab.eng.brq.redhat.com
>>>>> Server vm-244.idm.lab.eng.brq.redhat.com can't contact servers: vm-056.idm.lab.eng.brq.redhat.com, vm-127.idm.lab.eng.brq.redhat.com
>>>>> Continue to delete? [no]: yes
>>>>> Waiting for removal of replication agreements
>>>>> unexpected error: limits exceeded for this query
>>>>>
>>>>> I would expect this operation to delete 4 replication agreements on all nodes:
>>>>> vm056 - vm175
>>>>> vm127 - vm175
>>>>> vm244 - vm175
>>>>> vm036 - vm175
>>>>>
>>>>> However an arbitrary set of replication agreements was deleted on each node leading to total infrastructure inconsistency:
>>>>> ===============================================================
>>>>> vm056 thought the topology was as follows:
>>>>>
>>>>> vm056     vm036
>>>>>          /  |
>>>>>      vm175  |
>>>>>     /    \  |
>>>>> vm127     vm244
>>>>>
>>>>> [10:28:55]ofayans at vm-056:~]$ ipa topologysegment-find realm
>>>>> ------------------
>>>>> 4 segments matched
>>>>> ------------------
>>>>>   Segment name: 036-to-244
>>>>>   Left node: vm-036.idm.lab.eng.brq.redhat.com
>>>>>   Right node: vm-244.idm.lab.eng.brq.redhat.com
>>>>>   Connectivity: both
>>>>>
>>>>>   Segment name: vm-036.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com
>>>>>   Left node: vm-036.idm.lab.eng.brq.redhat.com
>>>>>   Right node: vm-175.idm.lab.eng.brq.redhat.com
>>>>>   Connectivity: both
>>>>>
>>>>>   Segment name: vm-127.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com
>>>>>   Left node: vm-127.idm.lab.eng.brq.redhat.com
>>>>>   Right node: vm-175.idm.lab.eng.brq.redhat.com
>>>>>   Connectivity: both
>>>>>
>>>>>   Segment name: vm-175.idm.lab.eng.brq.redhat.com-to-vm-244.idm.lab.eng.brq.redhat.com
>>>>>   Left node: vm-175.idm.lab.eng.brq.redhat.com
>>>>>   Right node: vm-244.idm.lab.eng.brq.redhat.com
>>>>>   Connectivity: both
>>>>> ----------------------------
>>>>> Number of entries returned 4
>>>>> ----------------------------
>>>>> ===============================================================
>>>>> both vm036 and vm244 thought the topology was as follows:
>>>>>
>>>>> vm056     vm036
>>>>>     \       |
>>>>>      vm175  |
>>>>>     /       |
>>>>> vm127     vm244
>>>>>
>>>>> [10:26:23]ofayans at vm-036:~]$ ipa topologysegment-find
>>>>> Suffix name: realm >>>>> ------------------ >>>>> 3 segments matched >>>>> ------------------ >>>>> Segment name: 036-to-244 >>>>> Left node: vm-036.idm.lab.eng.brq.redhat.com >>>>> Right node: vm-244.idm.lab.eng.brq.redhat.com >>>>> Connectivity: both >>>>> >>>>> Segment name: >>>>> vm-056.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com >>>>> Left node: vm-056.idm.lab.eng.brq.redhat.com >>>>> Right node: vm-175.idm.lab.eng.brq.redhat.com >>>>> Connectivity: both >>>>> >>>>> Segment name: >>>>> vm-127.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com >>>>> Left node: vm-127.idm.lab.eng.brq.redhat.com >>>>> Right node: vm-175.idm.lab.eng.brq.redhat.com >>>>> Connectivity: both >>>>> ---------------------------- >>>>> Number of entries returned 3 >>>>> ---------------------------- >>>>> >>>>> =============================================================== >>>>> **vm127 thought the topology was as follows: >>>>> vm056 vm036 >>>>> \ / | >>>>> vm175 | >>>>> \ | >>>>> vm127 vm244 >>>>> >>>>> [10:31:08]ofayans at vm-127:~]$ ipa topologysegment-find realm >>>>> ------------------ >>>>> 4 segments matched >>>>> ------------------ >>>>> Segment name: 036-to-244 >>>>> Left node: vm-036.idm.lab.eng.brq.redhat.com >>>>> Right node: vm-244.idm.lab.eng.brq.redhat.com >>>>> Connectivity: both >>>>> >>>>> Segment name: >>>>> vm-036.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com >>>>> Left node: vm-036.idm.lab.eng.brq.redhat.com >>>>> Right node: vm-175.idm.lab.eng.brq.redhat.com >>>>> Connectivity: both >>>>> >>>>> Segment name: >>>>> vm-056.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com >>>>> Left node: vm-056.idm.lab.eng.brq.redhat.com >>>>> Right node: vm-175.idm.lab.eng.brq.redhat.com >>>>> Connectivity: both >>>>> >>>>> Segment name: >>>>> vm-175.idm.lab.eng.brq.redhat.com-to-vm-244.idm.lab.eng.brq.redhat.com >>>>> Left node: vm-175.idm.lab.eng.brq.redhat.com >>>>> Right node: 
vm-244.idm.lab.eng.brq.redhat.com >>>>> Connectivity: both >>>>> ---------------------------- >>>>> Number of entries returned 4 >>>>> ---------------------------- >>>>> >>>>> If I, for example, add a segment connecting vm127 and vm244, these >>>>> two nodes will not synchronize the topology info: >>>>> >>>>> [10:51:03]ofayans at vm-127:~]$ ipa topologysegment-add realm >>>>> 127-to-244 --leftnode=vm-127.idm.lab.eng.brq.redhat.com >>>>> --rightnode=vm-244.idm.lab.eng.brq.redhat.com --direction=both >>>>> -------------------------- >>>>> Added segment "127-to-244" >>>>> -------------------------- >>>>> Segment name: 127-to-244 >>>>> Left node: vm-127.idm.lab.eng.brq.redhat.com >>>>> Right node: vm-244.idm.lab.eng.brq.redhat.com >>>>> Connectivity: both >>>>> [10:53:33]ofayans at vm-127:~]$ ipa topologysegment-find realm >>>>> ------------------ >>>>> 5 segments matched >>>>> ------------------ >>>>> Segment name: 036-to-244 >>>>> Left node: vm-036.idm.lab.eng.brq.redhat.com >>>>> Right node: vm-244.idm.lab.eng.brq.redhat.com >>>>> Connectivity: both >>>>> >>>>> Segment name: 127-to-244 >>>>> Left node: vm-127.idm.lab.eng.brq.redhat.com >>>>> Right node: vm-244.idm.lab.eng.brq.redhat.com >>>>> Connectivity: both >>>>> >>>>> Segment name: >>>>> vm-036.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com >>>>> Left node: vm-036.idm.lab.eng.brq.redhat.com >>>>> Right node: vm-175.idm.lab.eng.brq.redhat.com >>>>> Connectivity: both >>>>> >>>>> Segment name: >>>>> vm-056.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com >>>>> Left node: vm-056.idm.lab.eng.brq.redhat.com >>>>> Right node: vm-175.idm.lab.eng.brq.redhat.com >>>>> Connectivity: both >>>>> >>>>> Segment name: >>>>> vm-175.idm.lab.eng.brq.redhat.com-to-vm-244.idm.lab.eng.brq.redhat.com >>>>> Left node: vm-175.idm.lab.eng.brq.redhat.com >>>>> Right node: vm-244.idm.lab.eng.brq.redhat.com >>>>> Connectivity: both >>>>> ---------------------------- >>>>> Number of entries returned 5 >>>>> 
----------------------------
>>>>> [10:54:02]ofayans at vm-127:~]$
>>>>>
>>>>> =============================================================
>>>>>
>>>>> [10:49:38]ofayans at vm-244:~]$ ipa topologysegment-find realm
>>>>> ------------------
>>>>> 3 segments matched
>>>>> ------------------
>>>>> Segment name: 036-to-244
>>>>> Left node: vm-036.idm.lab.eng.brq.redhat.com
>>>>> Right node: vm-244.idm.lab.eng.brq.redhat.com
>>>>> Connectivity: both
>>>>>
>>>>> Segment name: 127-to-244
>>>>> Left node: vm-127.idm.lab.eng.brq.redhat.com
>>>>> Right node: vm-244.idm.lab.eng.brq.redhat.com
>>>>> Connectivity: both
>>>>>
>>>>> Segment name: vm-056.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com
>>>>> Left node: vm-056.idm.lab.eng.brq.redhat.com
>>>>> Right node: vm-175.idm.lab.eng.brq.redhat.com
>>>>> Connectivity: both
>>>>> ----------------------------
>>>>> Number of entries returned 3
>>>>> ----------------------------
>>>>> [10:56:34]ofayans at vm-244:~]$
>>>>>
>>>>> Conclusion:
>>>>> We either should completely prohibit the removal of the middle nodes (I mean, nodes that hide other active nodes), or at the removal stage first recalculate the resulting topology and send it to all nodes before actual removal.
>>>>> --
>>>>> Oleg Fayans
>>>>> Quality Engineer
>>>>> FreeIPA team
>>>>> RedHat.

From pvoborni at redhat.com Wed Jun 24 10:28:16 2015
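The "Topology after removal of ... will be disconnected" warning that Ludwig attributes to Petr's patch is a plain graph-reachability check over the segment list. The following is an added example written for this archive, not FreeIPA's own code: it rebuilds the star topology from the segments Oleg lists (short host names and the direction values "both", "left-right", "right-left" are assumptions; the plugin's real attribute is iparepltoposegmentdirection), drops the server being removed together with its segments, and reports, for every remaining server, which servers it could no longer reach. The one-directional case is handled as a generalisation of the thread's all-"both" topology, on the assumption that "left-right" means updates flow only from the left node to the right one.

```python
"""Pre-removal connectivity check for a replication topology (added example)."""
from collections import deque

# Constructed from the segments listed in the thread: a star around vm-175
# plus the 036-to-244 segment. Tuples are (left node, right node, direction).
SEGMENTS = [
    ("vm-036", "vm-244", "both"),
    ("vm-036", "vm-175", "both"),
    ("vm-056", "vm-175", "both"),
    ("vm-127", "vm-175", "both"),
    ("vm-175", "vm-244", "both"),
]


def build_graph(segments, removed=None):
    """Adjacency map {server: set(servers it can push updates to in one hop)}.

    The vertex `removed` and every segment touching it are dropped, which is
    what deleting a replica does to its replication agreements. Direction
    values ("both", "left-right", "right-left") are an assumed mapping of the
    CLI's --direction option.
    """
    graph = {}
    for left, right, _direction in segments:
        for node in (left, right):
            if node != removed:
                graph.setdefault(node, set())
    for left, right, direction in segments:
        if removed in (left, right):
            continue
        if direction in ("both", "left-right"):
            graph[left].add(right)
        if direction in ("both", "right-left"):
            graph[right].add(left)
    return graph


def reachable(graph, start):
    """Breadth-first search; returns the set of servers `start` can update."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def unreachable_after_removal(segments, removed):
    """Map each remaining server to the sorted servers it could no longer reach.

    An empty dict means the topology stays connected after the removal.
    """
    graph = build_graph(segments, removed)
    gaps = {}
    for node in sorted(graph):
        missing = sorted(set(graph) - reachable(graph, node))
        if missing:
            gaps[node] = missing
    return gaps


def report(segments, removed):
    """Render the check in the wording the thread quotes from ipa-replica-manage."""
    gaps = unreachable_after_removal(segments, removed)
    if not gaps:
        return [f"Topology after removal of {removed} stays connected"]
    lines = [f"Topology after removal of {removed} will be disconnected:"]
    for node, missing in gaps.items():
        lines.append(f"Server {node} can't contact servers: {', '.join(missing)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SEGMENTS, "vm-175")))   # the central node: disconnected
    print("\n".join(report(SEGMENTS, "vm-056")))   # a leaf node: stays connected
```

Running it with `vm-175` as the removed server reproduces the four "can't contact" lines from Oleg's session (036 loses 056 and 127, 244 loses the same two, and 056 and 127 each lose the other three); removing a leaf such as `vm-056` reports nothing, which is the case the plugin can handle safely.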
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 24 Jun 2015 12:28:16 +0200
Subject: [Freeipa-devel] topologysegment-mod question
In-Reply-To: <558A842F.4050605@redhat.com>
References: <558A842F.4050605@redhat.com>
Message-ID: <558A8640.6020905@redhat.com>

On 06/24/2015 12:19 PM, Oleg Fayans wrote:
> Hi Ludwig,
>
> I see some contradictions in the way the segment modification CLI is implemented:
>
> 1.
> $ ipa help topologysegment-mod
> Usage: ipa [global-options] topologysegment-mod TOPOLOGYSUFFIX NAME [options]
>
> $ ipa topologysegment-mod realm 127-to-244 --setattr=Segment name=test
> ipa: ERROR: command 'topologysegment_mod' takes at most 2 arguments
>
> (suffix + name + options = 3, not 2)

'Segment name' is not a correct attribute name. More below.

> 2.
> Is there a way to list all possible attributes available for modification?
> When I do topologysegment-show --all, I get quite a small number of them, and even those I am unable to modify:
>
> $ ipa topologysegment-show realm 127-to-244 --all
> dn: cn=127-to-244,cn=realm,cn=topology,cn=ipa,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
>
> Segment name: 127-to-244
> Left node: vm-127.idm.lab.eng.brq.redhat.com
> Right node: vm-244.idm.lab.eng.brq.redhat.com
> Connectivity: both
> objectclass: top, iparepltoposegment
>
> $ ipa topologysegment-mod realm 127-to-244 --setattr=connectivity=left-right
> ipa: ERROR: attribute "connectivity" not allowed
> $ ipa topologysegment-mod realm 127-to-244 --setattr=direction=left-right
> ipa: ERROR: attribute "direction" not allowed
>

--XXXattr options work with LDAP attribute names. 'direction' is the option name but not the attribute name. The attribute name is iparepltoposegmentdirection. You can see the mappings in, e.g.:

ipa show-mappings topologysegment-mod

--
Petr Vobornik

From ofayans at redhat.com Wed Jun 24 10:50:47 2015
From: ofayans at redhat.com (Oleg Fayans) Date: Wed, 24 Jun 2015 12:50:47 +0200 Subject: [Freeipa-devel] Topology: Central node removal in star topology In-Reply-To: <558A8660.6070905@redhat.com> References: <558A729F.1030307@redhat.com> <558A7798.8020000@redhat.com> <558A7A09.9060408@redhat.com> <558A7CA5.1090301@redhat.com> <558A801E.5010906@redhat.com> <558A8660.6070905@redhat.com> Message-ID: <558A8B87.5020203@redhat.com> On 06/24/2015 12:28 PM, Ludwig Krispenz wrote: > > On 06/24/2015 12:02 PM, Oleg Fayans wrote: >> >> >> On 06/24/2015 11:47 AM, Ludwig Krispenz wrote: >>> >>> On 06/24/2015 11:36 AM, Oleg Fayans wrote: >>>> >>>> >>>> On 06/24/2015 11:25 AM, Ludwig Krispenz wrote: >>>>> Oleg, >>>>> >>>>> the topology plugin relies on existing connection between servers >>>>> which remain in a topolgy. If you remove a central node in your >>>>> topology you are asking for trouble. >>>>> With Petr's patch it warns you that your topology will be >>>>> disconnected, and if you insist we cannot guarantee anything. >>>> Agree. I just wanted to try edge cases to see how one can break the >>>> system :) >>>>> should we completely prohibit this ? I don't know, I think you >>>>> could also enforce an uninstall of vm175 with probably the same >>>>> result. >>>>> what you mean be calculating the remaining topology and send it to >>>>> the remaining servers does not work, it would require to send a >>>>> removal of a segment, which would be rejected. >>>>> >>>>> The topology is broken, and I don't know how much we should invest >>>>> in making this info consistent on all servers. >>>>> >>>>> More interesting would be if we can heal this later by adding new >>>>> segments. >>>> Yes, here comes the biggest question raised from this case: >>>> obviously, when none of the nodes possess the correct topology >>>> information (including the one which deleted the central node), >>>> there is no way to fix it by adding segments connecting the nodes >>>> that became disconnected. 
>>> It should not need the full information, but it has to be able to reach one of the nodes to be connected. When the topology is broken, you lose the feature of being able to apply a change on any node, e.g. in your case if you want to connect vm036 and vm056 and have removed vm175, you have to do it on vm056, vm036 or vm244. This should work, if not we have to fix it - unless we completely prevent disconnecting a topology
>> Well, this is exactly the problem here: all replicas should contain precise copies of all the info: accounts, hosts, sudorules, etc, including topology information. However, if in this case I manually connect the disconnected node at vm127 (or vm056, does not matter) it results in topology information inconsistency across the infrastructure:
>> This would be the topology from the point of view of vm127:
> did you add the connection on vm127 or on vm244? sorry, but in these situations to understand what's going on, it can matter.
> to me it looks like you did it on vm127, so it's there, it got replicated to vm244, but replication back does not work and so the deletion of the segs to vm175, which should still be in the changelogs of 036 and 244, don't get to 127. Do you have something in the error logs of 244?

Yes, I added the connection on vm127. vm244 does not have anything in the ldap errors log corresponding to the replication with vm127. In fact, I tried to create a user on vm244 to see if it will be replicated to vm127, and the user creation failed with the following error message:

Operations error: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.

Is it because the master node was deleted? The corresponding message in the error log is

[24/Jun/2015:12:44:18 +0200] dna-plugin - dna_pre_op: no more values available!!
> >> >> vm056 vm036 >> \ / | >> vm175 | >> \ | >> vm127 vm244 >> >> And this - from the point of view of vm244 and vm036 >> >> vm056 vm036 >> \ | >> vm175 | >> | >> vm127 ----- vm244 >>>> I still think that the recalculation of the resulting tree should >>>> be done at least on the node that performs the removal action. And >>>> when later some other node gets connected, it should understand >>>> somehow that it's topology information is outdated >>>>> >>>>> Ludwig >>>>> On 06/24/2015 11:04 AM, Oleg Fayans wrote: >>>>>> Hi everybody, >>>>>> >>>>>> Current implementation of topology plugin (including patch 878 >>>>>> from Petr) allows the deletion of the central node in the star >>>>>> topology. >>>>>> I had the following topology: >>>>>> >>>>>> vm056 vm036 >>>>>> \ / | >>>>>> vm175 | >>>>>> / \ | >>>>>> vm127 vm244 >>>>>> >>>>>> I was able to remove node vm175 from node vm244: >>>>>> >>>>>> [17:54:48]ofayans at vm-244:~]$ ipa-replica-manage del >>>>>> vm-175.idm.lab.eng.brq.redhat.com >>>>>> Topology after removal of vm-175.idm.lab.eng.brq.redhat.com will >>>>>> be disconnected: >>>>>> Server vm-036.idm.lab.eng.brq.redhat.com can't contact servers: >>>>>> vm-056.idm.lab.eng.brq.redhat.com, vm-127.idm.lab.eng.brq.redhat.com >>>>>> Server vm-056.idm.lab.eng.brq.redhat.com can't contact servers: >>>>>> vm-244.idm.lab.eng.brq.redhat.com, >>>>>> vm-036.idm.lab.eng.brq.redhat.com, vm-127.idm.lab.eng.brq.redhat.com >>>>>> Server vm-127.idm.lab.eng.brq.redhat.com can't contact servers: >>>>>> vm-244.idm.lab.eng.brq.redhat.com, >>>>>> vm-056.idm.lab.eng.brq.redhat.com, vm-036.idm.lab.eng.brq.redhat.com >>>>>> Server vm-244.idm.lab.eng.brq.redhat.com can't contact servers: >>>>>> vm-056.idm.lab.eng.brq.redhat.com, vm-127.idm.lab.eng.brq.redhat.com >>>>>> Continue to delete? 
[no]: yes >>>>>> Waiting for removal of replication agreements >>>>>> unexpected error: limits exceeded for this query >>>>>> >>>>>> I would expect this operation to delete 4 replication agreements >>>>>> on all nodes: >>>>>> vm056 - vm175 >>>>>> vm127 - vm175 >>>>>> vm244 - vm175 >>>>>> vm036 - vm175 >>>>>> >>>>>> However an arbitrary set of replication agreements was deleted on >>>>>> each node leading to total infrastructure inconsistency: >>>>>> =============================================================== >>>>>> vm056**thought the topology was as follows: >>>>>> vm056 vm036 >>>>>> / | >>>>>> vm175 | >>>>>> / \ | >>>>>> vm127 vm244 >>>>>> [10:28:55]ofayans at vm-056:~]$ ipa topologysegment-find realm >>>>>> ------------------ >>>>>> 4 segments matched >>>>>> ------------------ >>>>>> Segment name: 036-to-244 >>>>>> Left node: vm-036.idm.lab.eng.brq.redhat.com >>>>>> Right node: vm-244.idm.lab.eng.brq.redhat.com >>>>>> Connectivity: both >>>>>> >>>>>> Segment name: >>>>>> vm-036.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com >>>>>> Left node: vm-036.idm.lab.eng.brq.redhat.com >>>>>> Right node: vm-175.idm.lab.eng.brq.redhat.com >>>>>> Connectivity: both >>>>>> >>>>>> Segment name: >>>>>> vm-127.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com >>>>>> Left node: vm-127.idm.lab.eng.brq.redhat.com >>>>>> Right node: vm-175.idm.lab.eng.brq.redhat.com >>>>>> Connectivity: both >>>>>> >>>>>> Segment name: >>>>>> vm-175.idm.lab.eng.brq.redhat.com-to-vm-244.idm.lab.eng.brq.redhat.com >>>>>> Left node: vm-175.idm.lab.eng.brq.redhat.com >>>>>> Right node: vm-244.idm.lab.eng.brq.redhat.com >>>>>> Connectivity: both >>>>>> ---------------------------- >>>>>> Number of entries returned 4 >>>>>> ---------------------------- >>>>>> =============================================================== >>>>>> both vm036**vm244 thought the topology was as follows: >>>>>> vm056 vm036 >>>>>> \ | >>>>>> vm175 | >>>>>> / | >>>>>> vm127 vm244 >>>>>> >>>>>> 
[10:26:23]ofayans at vm-036:~]$ ipa topologysegment-find >>>>>> Suffix name: realm >>>>>> ------------------ >>>>>> 3 segments matched >>>>>> ------------------ >>>>>> Segment name: 036-to-244 >>>>>> Left node: vm-036.idm.lab.eng.brq.redhat.com >>>>>> Right node: vm-244.idm.lab.eng.brq.redhat.com >>>>>> Connectivity: both >>>>>> >>>>>> Segment name: >>>>>> vm-056.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com >>>>>> Left node: vm-056.idm.lab.eng.brq.redhat.com >>>>>> Right node: vm-175.idm.lab.eng.brq.redhat.com >>>>>> Connectivity: both >>>>>> >>>>>> Segment name: >>>>>> vm-127.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com >>>>>> Left node: vm-127.idm.lab.eng.brq.redhat.com >>>>>> Right node: vm-175.idm.lab.eng.brq.redhat.com >>>>>> Connectivity: both >>>>>> ---------------------------- >>>>>> Number of entries returned 3 >>>>>> ---------------------------- >>>>>> >>>>>> =============================================================== >>>>>> **vm127 thought the topology was as follows: >>>>>> vm056 vm036 >>>>>> \ / | >>>>>> vm175 | >>>>>> \ | >>>>>> vm127 vm244 >>>>>> >>>>>> [10:31:08]ofayans at vm-127:~]$ ipa topologysegment-find realm >>>>>> ------------------ >>>>>> 4 segments matched >>>>>> ------------------ >>>>>> Segment name: 036-to-244 >>>>>> Left node: vm-036.idm.lab.eng.brq.redhat.com >>>>>> Right node: vm-244.idm.lab.eng.brq.redhat.com >>>>>> Connectivity: both >>>>>> >>>>>> Segment name: >>>>>> vm-036.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com >>>>>> Left node: vm-036.idm.lab.eng.brq.redhat.com >>>>>> Right node: vm-175.idm.lab.eng.brq.redhat.com >>>>>> Connectivity: both >>>>>> >>>>>> Segment name: >>>>>> vm-056.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com >>>>>> Left node: vm-056.idm.lab.eng.brq.redhat.com >>>>>> Right node: vm-175.idm.lab.eng.brq.redhat.com >>>>>> Connectivity: both >>>>>> >>>>>> Segment name: >>>>>> 
vm-175.idm.lab.eng.brq.redhat.com-to-vm-244.idm.lab.eng.brq.redhat.com >>>>>> Left node: vm-175.idm.lab.eng.brq.redhat.com >>>>>> Right node: vm-244.idm.lab.eng.brq.redhat.com >>>>>> Connectivity: both >>>>>> ---------------------------- >>>>>> Number of entries returned 4 >>>>>> ---------------------------- >>>>>> >>>>>> If I, for example, add a segment connecting vm127 and vm244, >>>>>> these two nodes will not synchronize the topology info: >>>>>> >>>>>> [10:51:03]ofayans at vm-127:~]$ ipa topologysegment-add realm >>>>>> 127-to-244 --leftnode=vm-127.idm.lab.eng.brq.redhat.com >>>>>> --rightnode=vm-244.idm.lab.eng.brq.redhat.com --direction=both >>>>>> -------------------------- >>>>>> Added segment "127-to-244" >>>>>> -------------------------- >>>>>> Segment name: 127-to-244 >>>>>> Left node: vm-127.idm.lab.eng.brq.redhat.com >>>>>> Right node: vm-244.idm.lab.eng.brq.redhat.com >>>>>> Connectivity: both >>>>>> [10:53:33]ofayans at vm-127:~]$ ipa topologysegment-find realm >>>>>> ------------------ >>>>>> 5 segments matched >>>>>> ------------------ >>>>>> Segment name: 036-to-244 >>>>>> Left node: vm-036.idm.lab.eng.brq.redhat.com >>>>>> Right node: vm-244.idm.lab.eng.brq.redhat.com >>>>>> Connectivity: both >>>>>> >>>>>> Segment name: 127-to-244 >>>>>> Left node: vm-127.idm.lab.eng.brq.redhat.com >>>>>> Right node: vm-244.idm.lab.eng.brq.redhat.com >>>>>> Connectivity: both >>>>>> >>>>>> Segment name: >>>>>> vm-036.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com >>>>>> Left node: vm-036.idm.lab.eng.brq.redhat.com >>>>>> Right node: vm-175.idm.lab.eng.brq.redhat.com >>>>>> Connectivity: both >>>>>> >>>>>> Segment name: >>>>>> vm-056.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com >>>>>> Left node: vm-056.idm.lab.eng.brq.redhat.com >>>>>> Right node: vm-175.idm.lab.eng.brq.redhat.com >>>>>> Connectivity: both >>>>>> >>>>>> Segment name: >>>>>> vm-175.idm.lab.eng.brq.redhat.com-to-vm-244.idm.lab.eng.brq.redhat.com >>>>>> Left 
node: vm-175.idm.lab.eng.brq.redhat.com
>>>>>> Right node: vm-244.idm.lab.eng.brq.redhat.com
>>>>>> Connectivity: both
>>>>>> ----------------------------
>>>>>> Number of entries returned 5
>>>>>> ----------------------------
>>>>>> [10:54:02]ofayans at vm-127:~]$
>>>>>>
>>>>>> =============================================================
>>>>>>
>>>>>> [10:49:38]ofayans at vm-244:~]$ ipa topologysegment-find realm
>>>>>> ------------------
>>>>>> 3 segments matched
>>>>>> ------------------
>>>>>> Segment name: 036-to-244
>>>>>> Left node: vm-036.idm.lab.eng.brq.redhat.com
>>>>>> Right node: vm-244.idm.lab.eng.brq.redhat.com
>>>>>> Connectivity: both
>>>>>>
>>>>>> Segment name: 127-to-244
>>>>>> Left node: vm-127.idm.lab.eng.brq.redhat.com
>>>>>> Right node: vm-244.idm.lab.eng.brq.redhat.com
>>>>>> Connectivity: both
>>>>>>
>>>>>> Segment name: vm-056.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com
>>>>>> Left node: vm-056.idm.lab.eng.brq.redhat.com
>>>>>> Right node: vm-175.idm.lab.eng.brq.redhat.com
>>>>>> Connectivity: both
>>>>>> ----------------------------
>>>>>> Number of entries returned 3
>>>>>> ----------------------------
>>>>>> [10:56:34]ofayans at vm-244:~]$
>>>>>>
>>>>>> Conclusion:
>>>>>> We either should completely prohibit the removal of the middle nodes (I mean, nodes that hide other active nodes), or at the removal stage first recalculate the resulting topology and send it to all nodes before actual removal.

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

From lkrispen at redhat.com Wed Jun 24 11:09:46 2015
From: lkrispen at redhat.com (Ludwig Krispenz) Date: Wed, 24 Jun 2015 13:09:46 +0200 Subject: [Freeipa-devel] Topology: Central node removal in star topology In-Reply-To: <558A8B87.5020203@redhat.com> References: <558A729F.1030307@redhat.com> <558A7798.8020000@redhat.com> <558A7A09.9060408@redhat.com> <558A7CA5.1090301@redhat.com> <558A801E.5010906@redhat.com> <558A8660.6070905@redhat.com> <558A8B87.5020203@redhat.com> Message-ID: <558A8FFA.50404@redhat.com> On 06/24/2015 12:50 PM, Oleg Fayans wrote: > > > On 06/24/2015 12:28 PM, Ludwig Krispenz wrote: >> >> On 06/24/2015 12:02 PM, Oleg Fayans wrote: >>> >>> >>> On 06/24/2015 11:47 AM, Ludwig Krispenz wrote: >>>> >>>> On 06/24/2015 11:36 AM, Oleg Fayans wrote: >>>>> >>>>> >>>>> On 06/24/2015 11:25 AM, Ludwig Krispenz wrote: >>>>>> Oleg, >>>>>> >>>>>> the topology plugin relies on existing connection between servers >>>>>> which remain in a topolgy. If you remove a central node in your >>>>>> topology you are asking for trouble. >>>>>> With Petr's patch it warns you that your topology will be >>>>>> disconnected, and if you insist we cannot guarantee anything. >>>>> Agree. I just wanted to try edge cases to see how one can break >>>>> the system :) >>>>>> should we completely prohibit this ? I don't know, I think you >>>>>> could also enforce an uninstall of vm175 with probably the same >>>>>> result. >>>>>> what you mean be calculating the remaining topology and send it >>>>>> to the remaining servers does not work, it would require to send >>>>>> a removal of a segment, which would be rejected. >>>>>> >>>>>> The topology is broken, and I don't know how much we should >>>>>> invest in making this info consistent on all servers. >>>>>> >>>>>> More interesting would be if we can heal this later by adding new >>>>>> segments. 
>>>>> Yes, here comes the biggest question raised from this case: obviously, when none of the nodes possess the correct topology information (including the one which deleted the central node), there is no way to fix it by adding segments connecting the nodes that became disconnected.
>>>> It should not need the full information, but it has to be able to reach one of the nodes to be connected. When the topology is broken, you lose the feature of being able to apply a change on any node, e.g. in your case if you want to connect vm036 and vm056 and have removed vm175, you have to do it on vm056, vm036 or vm244. This should work, if not we have to fix it - unless we completely prevent disconnecting a topology
>>> Well, this is exactly the problem here: all replicas should contain precise copies of all the info: accounts, hosts, sudorules, etc, including topology information. However, if in this case I manually connect the disconnected node at vm127 (or vm056, does not matter) it results in topology information inconsistency across the infrastructure:
>>> This would be the topology from the point of view of vm127:
>> did you add the connection on vm127 or on vm244? sorry, but in these situations to understand what's going on, it can matter.
>> to me it looks like you did it on vm127, so it's there, it got replicated to vm244, but replication back does not work and so the deletion of the segs to vm175, which should still be in the changelogs of 036 and 244, don't get to 127. Do you have something in the error logs of 244?
> Yes, I added the connection on vm127. vm244 does not have anything in the ldap errors log corresponding to the replication with vm127. In fact, I tried to create a user on vm244 to see if it will be replicated to vm127, and the user creation failed with the following error message:
> Operations error: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.
>
> Is it because the master node was deleted?

think so, yes. There are probably more things to check before removing a server :-(

> The corresponding message in the error log is
> [24/Jun/2015:12:44:18 +0200] dna-plugin - dna_pre_op: no more values available!!
>>
>>>
>>>   vm056     vm036
>>>       \    /   |
>>>        vm175   |
>>>            \   |
>>>   vm127     vm244
>>>
>>> And this - from the point of view of vm244 and vm036
>>>
>>>   vm056     vm036
>>>       \         |
>>>        vm175    |
>>>                 |
>>>   vm127 ----- vm244
>>>>> I still think that the recalculation of the resulting tree should be done at least on the node that performs the removal action. And when later some other node gets connected, it should understand somehow that its topology information is outdated
>>>>>>
>>>>>> Ludwig
>>>>>> On 06/24/2015 11:04 AM, Oleg Fayans wrote:
>>>>>>> Hi everybody,
>>>>>>>
>>>>>>> Current implementation of topology plugin (including patch 878 from Petr) allows the deletion of the central node in the star topology.
>>>>>>> I had the following topology: >>>>>>> >>>>>>> vm056 vm036 >>>>>>> \ / | >>>>>>> vm175 | >>>>>>> / \ | >>>>>>> vm127 vm244 >>>>>>> >>>>>>> I was able to remove node vm175 from node vm244: >>>>>>> >>>>>>> [17:54:48]ofayans at vm-244:~]$ ipa-replica-manage del >>>>>>> vm-175.idm.lab.eng.brq.redhat.com >>>>>>> Topology after removal of vm-175.idm.lab.eng.brq.redhat.com will >>>>>>> be disconnected: >>>>>>> Server vm-036.idm.lab.eng.brq.redhat.com can't contact servers: >>>>>>> vm-056.idm.lab.eng.brq.redhat.com, vm-127.idm.lab.eng.brq.redhat.com >>>>>>> Server vm-056.idm.lab.eng.brq.redhat.com can't contact servers: >>>>>>> vm-244.idm.lab.eng.brq.redhat.com, >>>>>>> vm-036.idm.lab.eng.brq.redhat.com, vm-127.idm.lab.eng.brq.redhat.com >>>>>>> Server vm-127.idm.lab.eng.brq.redhat.com can't contact servers: >>>>>>> vm-244.idm.lab.eng.brq.redhat.com, >>>>>>> vm-056.idm.lab.eng.brq.redhat.com, vm-036.idm.lab.eng.brq.redhat.com >>>>>>> Server vm-244.idm.lab.eng.brq.redhat.com can't contact servers: >>>>>>> vm-056.idm.lab.eng.brq.redhat.com, vm-127.idm.lab.eng.brq.redhat.com >>>>>>> Continue to delete? 
[no]: yes
>>>>>>> Waiting for removal of replication agreements
>>>>>>> unexpected error: limits exceeded for this query
>>>>>>>
>>>>>>> I would expect this operation to delete 4 replication agreements
>>>>>>> on all nodes:
>>>>>>> vm056 - vm175
>>>>>>> vm127 - vm175
>>>>>>> vm244 - vm175
>>>>>>> vm036 - vm175
>>>>>>>
>>>>>>> However an arbitrary set of replication agreements was deleted
>>>>>>> on each node leading to total infrastructure inconsistency:
>>>>>>> ===============================================================
>>>>>>> vm056 thought the topology was as follows:
>>>>>>> vm056     vm036
>>>>>>>          /   |
>>>>>>>     vm175    |
>>>>>>>     /   \    |
>>>>>>> vm127     vm244
>>>>>>> [10:28:55]ofayans at vm-056:~]$ ipa topologysegment-find realm
>>>>>>> ------------------
>>>>>>> 4 segments matched
>>>>>>> ------------------
>>>>>>>   Segment name: 036-to-244
>>>>>>>   Left node: vm-036.idm.lab.eng.brq.redhat.com
>>>>>>>   Right node: vm-244.idm.lab.eng.brq.redhat.com
>>>>>>>   Connectivity: both
>>>>>>>
>>>>>>>   Segment name: vm-036.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com
>>>>>>>   Left node: vm-036.idm.lab.eng.brq.redhat.com
>>>>>>>   Right node: vm-175.idm.lab.eng.brq.redhat.com
>>>>>>>   Connectivity: both
>>>>>>>
>>>>>>>   Segment name: vm-127.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com
>>>>>>>   Left node: vm-127.idm.lab.eng.brq.redhat.com
>>>>>>>   Right node: vm-175.idm.lab.eng.brq.redhat.com
>>>>>>>   Connectivity: both
>>>>>>>
>>>>>>>   Segment name: vm-175.idm.lab.eng.brq.redhat.com-to-vm-244.idm.lab.eng.brq.redhat.com
>>>>>>>   Left node: vm-175.idm.lab.eng.brq.redhat.com
>>>>>>>   Right node: vm-244.idm.lab.eng.brq.redhat.com
>>>>>>>   Connectivity: both
>>>>>>> ----------------------------
>>>>>>> Number of entries returned 4
>>>>>>> ----------------------------
>>>>>>> ===============================================================
>>>>>>> both vm036 and vm244 thought the topology was as follows:
>>>>>>> vm056     vm036
>>>>>>>     \        |
>>>>>>>     vm175    |
>>>>>>>     /        |
>>>>>>> vm127     vm244
>>>>>>>
>>>>>>> [10:26:23]ofayans at vm-036:~]$ ipa topologysegment-find
>>>>>>> Suffix name: realm
>>>>>>> ------------------
>>>>>>> 3 segments matched
>>>>>>> ------------------
>>>>>>>   Segment name: 036-to-244
>>>>>>>   Left node: vm-036.idm.lab.eng.brq.redhat.com
>>>>>>>   Right node: vm-244.idm.lab.eng.brq.redhat.com
>>>>>>>   Connectivity: both
>>>>>>>
>>>>>>>   Segment name: vm-056.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com
>>>>>>>   Left node: vm-056.idm.lab.eng.brq.redhat.com
>>>>>>>   Right node: vm-175.idm.lab.eng.brq.redhat.com
>>>>>>>   Connectivity: both
>>>>>>>
>>>>>>>   Segment name: vm-127.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com
>>>>>>>   Left node: vm-127.idm.lab.eng.brq.redhat.com
>>>>>>>   Right node: vm-175.idm.lab.eng.brq.redhat.com
>>>>>>>   Connectivity: both
>>>>>>> ----------------------------
>>>>>>> Number of entries returned 3
>>>>>>> ----------------------------
>>>>>>>
>>>>>>> ===============================================================
>>>>>>> vm127 thought the topology was as follows:
>>>>>>> vm056     vm036
>>>>>>>     \     /  |
>>>>>>>     vm175    |
>>>>>>>        \     |
>>>>>>> vm127     vm244
>>>>>>>
>>>>>>> [10:31:08]ofayans at vm-127:~]$ ipa topologysegment-find realm
>>>>>>> ------------------
>>>>>>> 4 segments matched
>>>>>>> ------------------
>>>>>>>   Segment name: 036-to-244
>>>>>>>   Left node: vm-036.idm.lab.eng.brq.redhat.com
>>>>>>>   Right node: vm-244.idm.lab.eng.brq.redhat.com
>>>>>>>   Connectivity: both
>>>>>>>
>>>>>>>   Segment name: vm-036.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com
>>>>>>>   Left node: vm-036.idm.lab.eng.brq.redhat.com
>>>>>>>   Right node: vm-175.idm.lab.eng.brq.redhat.com
>>>>>>>   Connectivity: both
>>>>>>>
>>>>>>>   Segment name: vm-056.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com
>>>>>>>   Left node: vm-056.idm.lab.eng.brq.redhat.com
>>>>>>>   Right node: vm-175.idm.lab.eng.brq.redhat.com
>>>>>>>   Connectivity: both
>>>>>>>
>>>>>>>   Segment name: vm-175.idm.lab.eng.brq.redhat.com-to-vm-244.idm.lab.eng.brq.redhat.com
>>>>>>>   Left node: vm-175.idm.lab.eng.brq.redhat.com
>>>>>>>   Right node: vm-244.idm.lab.eng.brq.redhat.com
>>>>>>>   Connectivity: both
>>>>>>> ----------------------------
>>>>>>> Number of entries returned 4
>>>>>>> ----------------------------
>>>>>>>
>>>>>>> If I, for example, add a segment connecting vm127 and vm244,
>>>>>>> these two nodes will not synchronize the topology info:
>>>>>>>
>>>>>>> [10:51:03]ofayans at vm-127:~]$ ipa topologysegment-add realm 127-to-244 --leftnode=vm-127.idm.lab.eng.brq.redhat.com --rightnode=vm-244.idm.lab.eng.brq.redhat.com --direction=both
>>>>>>> --------------------------
>>>>>>> Added segment "127-to-244"
>>>>>>> --------------------------
>>>>>>>   Segment name: 127-to-244
>>>>>>>   Left node: vm-127.idm.lab.eng.brq.redhat.com
>>>>>>>   Right node: vm-244.idm.lab.eng.brq.redhat.com
>>>>>>>   Connectivity: both
>>>>>>> [10:53:33]ofayans at vm-127:~]$ ipa topologysegment-find realm
>>>>>>> ------------------
>>>>>>> 5 segments matched
>>>>>>> ------------------
>>>>>>>   Segment name: 036-to-244
>>>>>>>   Left node: vm-036.idm.lab.eng.brq.redhat.com
>>>>>>>   Right node: vm-244.idm.lab.eng.brq.redhat.com
>>>>>>>   Connectivity: both
>>>>>>>
>>>>>>>   Segment name: 127-to-244
>>>>>>>   Left node: vm-127.idm.lab.eng.brq.redhat.com
>>>>>>>   Right node: vm-244.idm.lab.eng.brq.redhat.com
>>>>>>>   Connectivity: both
>>>>>>>
>>>>>>>   Segment name: vm-036.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com
>>>>>>>   Left node: vm-036.idm.lab.eng.brq.redhat.com
>>>>>>>   Right node: vm-175.idm.lab.eng.brq.redhat.com
>>>>>>>   Connectivity: both
>>>>>>>
>>>>>>>   Segment name: vm-056.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com
>>>>>>>   Left node: vm-056.idm.lab.eng.brq.redhat.com
>>>>>>>   Right node: vm-175.idm.lab.eng.brq.redhat.com
>>>>>>>   Connectivity: both
>>>>>>>
>>>>>>>   Segment name: vm-175.idm.lab.eng.brq.redhat.com-to-vm-244.idm.lab.eng.brq.redhat.com
>>>>>>>   Left node: vm-175.idm.lab.eng.brq.redhat.com
>>>>>>>   Right node: vm-244.idm.lab.eng.brq.redhat.com
>>>>>>>   Connectivity: both
>>>>>>> ----------------------------
>>>>>>> Number of entries returned 5
>>>>>>> ----------------------------
>>>>>>> [10:54:02]ofayans at vm-127:~]$
>>>>>>>
>>>>>>> =============================================================
>>>>>>>
>>>>>>> [10:49:38]ofayans at vm-244:~]$ ipa topologysegment-find realm
>>>>>>> ------------------
>>>>>>> 3 segments matched
>>>>>>> ------------------
>>>>>>>   Segment name: 036-to-244
>>>>>>>   Left node: vm-036.idm.lab.eng.brq.redhat.com
>>>>>>>   Right node: vm-244.idm.lab.eng.brq.redhat.com
>>>>>>>   Connectivity: both
>>>>>>>
>>>>>>>   Segment name: 127-to-244
>>>>>>>   Left node: vm-127.idm.lab.eng.brq.redhat.com
>>>>>>>   Right node: vm-244.idm.lab.eng.brq.redhat.com
>>>>>>>   Connectivity: both
>>>>>>>
>>>>>>>   Segment name: vm-056.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com
>>>>>>>   Left node: vm-056.idm.lab.eng.brq.redhat.com
>>>>>>>   Right node: vm-175.idm.lab.eng.brq.redhat.com
>>>>>>>   Connectivity: both
>>>>>>> ----------------------------
>>>>>>> Number of entries returned 3
>>>>>>> ----------------------------
>>>>>>> [10:56:34]ofayans at vm-244:~]$
>>>>>>>
>>>>>>> Conclusion:
>>>>>>> We either should completely prohibit the removal of the middle
>>>>>>> nodes (I mean, nodes that hide another active nodes),
>>>>>>> or at the removal stage first recalculate the resulting topology
>>>>>>> and send it to all nodes before actual removal.
>>>>>>> --
>>>>>>> Oleg Fayans
>>>>>>> Quality Engineer
>>>>>>> FreeIPA team
>>>>>>> RedHat.

From pspacek at redhat.com Wed Jun 24 11:26:13 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 24 Jun 2015 13:26:13 +0200
Subject: [Freeipa-devel] Topology: Central node removal in star topology
In-Reply-To: <558A8FFA.50404@redhat.com>
References: <558A729F.1030307@redhat.com> <558A7798.8020000@redhat.com> <558A7A09.9060408@redhat.com> <558A7CA5.1090301@redhat.com> <558A801E.5010906@redhat.com> <558A8660.6070905@redhat.com> <558A8B87.5020203@redhat.com> <558A8FFA.50404@redhat.com>
Message-ID: <558A93D5.5040506@redhat.com>

On 24.6.2015 13:09, Ludwig Krispenz wrote:
>
> On 06/24/2015 12:50 PM, Oleg Fayans wrote:
>>
>> On 06/24/2015 12:28 PM, Ludwig Krispenz wrote:
>>>
>>> On 06/24/2015 12:02 PM, Oleg Fayans wrote:
>>>>
>>>> On 06/24/2015 11:47 AM, Ludwig Krispenz wrote:
>>>>>
>>>>> On 06/24/2015 11:36 AM, Oleg Fayans wrote:
>>>>>>
>>>>>> On 06/24/2015 11:25 AM, Ludwig Krispenz wrote:
>>>>>>> Oleg,
>>>>>>>
>>>>>>> the topology plugin relies on existing connection between servers which
>>>>>>> remain in a topology. If you remove a central node in your topology you
>>>>>>> are asking for trouble.
>>>>>>> With Petr's patch it warns you that your topology will be disconnected,
>>>>>>> and if you insist we cannot guarantee anything.
>>>>>> Agree. I just wanted to try edge cases to see how one can break the
>>>>>> system :)
>>>>>>> should we completely prohibit this ? I don't know, I think you could
>>>>>>> also enforce an uninstall of vm175 with probably the same result.
>>>>>>> what you mean by calculating the remaining topology and send it to the
>>>>>>> remaining servers does not work, it would require to send a removal of
>>>>>>> a segment, which would be rejected.
>>>>>>>
>>>>>>> The topology is broken, and I don't know how much we should invest in
>>>>>>> making this info consistent on all servers.
>>>>>>>
>>>>>>> More interesting would be if we can heal this later by adding new
>>>>>>> segments.
>>>>>> Yes, here comes the biggest question raised from this case: obviously,
>>>>>> when none of the nodes possess the correct topology information
>>>>>> (including the one which deleted the central node), there is no way to
>>>>>> fix it by adding segments connecting the nodes that became disconnected.
>>>>> It should not need the full information, but it has to be able to reach
>>>>> one of the nodes to be connected. When the topology is broken, you lose
>>>>> the feature to be able to apply a change on any node, e.g. in your case if
>>>>> you want to connect vm036 and vm056 and have removed vm175, you have to do
>>>>> it on vm056, vm036 or vm244. This should work, if not we have to fix it -
>>>>> unless we completely prevent disconnecting a topology
>>>> Well, this is exactly the problem here: all replicas should contain
>>>> precise copies of all the info: accounts, hosts, sudorules, etc, including
>>>> topology information. However, if in this case I manually connect the
>>>> disconnected node at vm127 (or vm056, does not matter) it results in
>>>> topology information inconsistency across the infrastructure:
>>>> This would be the topology from the point of view of vm127:
>>> did you add the connection on vm127 or on vm244 ? sorry, but in these
>>> situations to understand what's going on, it can matter.
>>> to me it looks like you did it on vm127, so it's there, it got replicated to
>>> vm244, but replication back does not work and so the deletion of the segs to
>>> vm175, which should still be in the changelogs of 036 and 244, don't get to
>>> 127. Do you have something in the error logs of 244 ?
>> Yes, I added the connection on vm127. vm244 does not have anything in the
>> ldap errors log corresponding to the replication with vm127. In fact, I
>> tried to create a user on vm244 to see if it will be replicated to vm127,
>> and the user creation failed with the following error message:
>> Operations error: Allocation of a new value for range cn=posix
>> ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed!
>> Unable to proceed.
>>
>> Is it because the master node was deleted?
> think so, yes.
> There are probably more things to check before removing a server :-(

This particular error is caused by the way we distribute DNA ranges among
servers. The range is assigned only on first use (not during replica
installation) so when the original master is gone you have no way to obtain
the range (if you did not need it before).

This is tracked as
https://bugzilla.redhat.com/show_bug.cgi?id=1211366

Please comment here so we do not forget how annoying it is :-)

Petr^2 Spacek

>> The corresponding message in the error log is
>> [24/Jun/2015:12:44:18 +0200] dna-plugin - dna_pre_op: no more values
>> available!!

From ofayans at redhat.com Wed Jun 24 11:59:11 2015
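The disconnection warning and Ludwig's point that, once the hub is gone, a change only propagates from a node that can still reach the others can be checked mechanically from the segment list. The script below is an added example for this thread, not code from the FreeIPA topology plugin; the segment list is constructed from the topologysegment-find output quoted above and the function names are my own.

```python
"""Connectivity check over FreeIPA topology segments (left, right, direction).

Added example for this thread; not FreeIPA project code. The STAR segment
list is constructed from the 'ipa topologysegment-find' output quoted in the
thread (short host names), and all function names are assumptions.
"""
from collections import deque

# Direction values as accepted by 'ipa topologysegment-add --direction'.
BOTH, LEFT_RIGHT, RIGHT_LEFT = "both", "left-right", "right-left"


def directed_edges(segments, removed=()):
    """Expand segments into (source, target) replication edges.

    A 'both' segment replicates in both directions; 'left-right' only pushes
    changes from the left node to the right node, and 'right-left' the
    reverse. Segments touching a removed node are dropped, which is what
    deleting that server from the topology does to the agreements.
    """
    edges = set()
    for left, right, direction in segments:
        if left in removed or right in removed:
            continue
        if direction in (BOTH, LEFT_RIGHT):
            edges.add((left, right))
        if direction in (BOTH, RIGHT_LEFT):
            edges.add((right, left))
    return edges


def nodes_of(segments, removed=()):
    """All hosts named by the segments, minus the removed ones."""
    return {n for left, right, _ in segments for n in (left, right)} - set(removed)


def reachable_from(segments, start, removed=()):
    """Nodes that a change applied on `start` can still be replicated to."""
    adj = {}
    for src, dst in directed_edges(segments, removed):
        adj.setdefault(src, set()).add(dst)
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def components_after_removal(segments, removed):
    """Connected components (ignoring direction) once `removed` nodes are gone.

    More than one component means the topology is disconnected, which is the
    condition the thread says the removal should warn about.
    """
    undirected = {}
    for src, dst in directed_edges(segments, removed):
        undirected.setdefault(src, set()).add(dst)
        undirected.setdefault(dst, set()).add(src)
    comps, unseen = [], nodes_of(segments, removed)
    while unseen:
        start = unseen.pop()
        comp, queue = {start}, deque([start])
        while queue:
            node = queue.popleft()
            for nxt in undirected.get(node, ()):
                if nxt not in comp:
                    comp.add(nxt)
                    queue.append(nxt)
        unseen -= comp
        comps.append(frozenset(comp))
    return sorted(comps, key=lambda c: sorted(c))


def would_disconnect(segments, node):
    """True if deleting `node` splits the remaining servers apart."""
    return len(components_after_removal(segments, (node,))) > 1


# Constructed from the star topology in the thread: vm175 is the hub.
STAR = [
    ("vm036", "vm244", BOTH),
    ("vm036", "vm175", BOTH),
    ("vm056", "vm175", BOTH),
    ("vm127", "vm175", BOTH),
    ("vm175", "vm244", BOTH),
]

if __name__ == "__main__":
    print("removing vm175 disconnects:", would_disconnect(STAR, "vm175"))
    for comp in components_after_removal(STAR, ("vm175",)):
        print("  component:", sorted(comp))
    # The healing step from the thread: segment 127-to-244 added on vm127.
    healed = STAR + [("vm127", "vm244", BOTH)]
    print("after 127-to-244, a change on vm127 reaches:",
          sorted(reachable_from(healed, "vm127", removed=("vm175",))))
    print("a change on vm056 still reaches only:",
          sorted(reachable_from(healed, "vm056", removed=("vm175",))))
```

Run stand-alone it reports that vm175 is a cut node, that the remaining servers fall into {vm036, vm244}, {vm056} and {vm127}, and that after 127-to-244 is added on vm127 a change there reaches vm244 and vm036 but vm056 stays isolated, which is why the missing segment to vm056 has to be created on a node of the other component.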
From: ofayans at redhat.com (Oleg Fayans)
Date: Wed, 24 Jun 2015 13:59:11 +0200
Subject: [Freeipa-devel] topologysegment-mod question
In-Reply-To: <558A8640.6020905@redhat.com>
References: <558A842F.4050605@redhat.com> <558A8640.6020905@redhat.com>
Message-ID: <558A9B8F.3080509@redhat.com>

Hi Petr,

Thanks for clarification! It seems though, that all possible attributes are
already mapped to the topologysegment-mod options:

[13:42:45]ofayans at vm-244:~]$ ipa show-mappings topologysegment-mod
Parameter      : LDAP attribute
=========      : ==============
stripattrs     : nsds5replicastripattrs
replattrs      : nsds5replicatedattributelist
replattrstotal : nsds5replicatedattributelisttotal
timeout        : nsds5replicatimeout
enabled        : nsds5replicaenabled
rights         : rights
[13:47:41]ofayans at vm-244:~]$ ipa help topologysegment-mod
Usage: ipa [global-options] topologysegment-mod TOPOLOGYSUFFIX NAME [options]

Modify a segment.
Options:
  -h, --help            show this help message and exit
  --stripattrs=STR      A space separated list of attributes which are removed
                        from replication updates.
  --replattrs=STR       Attributes that are not replicated to a consumer
                        server during a fractional update. E.g.,
                        `(objectclass=*) $ EXCLUDE accountlockout memberof
  --replattrstotal=STR  Attributes that are not replicated to a consumer
                        server during a total update. E.g. (objectclass=*) $
                        EXCLUDE accountlockout
  --timeout=INT         Number of seconds outbound LDAP operations waits for a
                        response from the remote replica before timing out and
                        failing
  --enabled=['on', 'off']
                        Whether a replication agreement is active, meaning
                        whether replication is occurring per that agreement
  --setattr=STR         Set an attribute to a name/value pair. Format is
                        attr=value. For multi-valued attributes, the command
                        replaces the values already present.
  --addattr=STR         Add an attribute/value pair. Format is attr=value. The
                        attribute must be part of the schema.
  --delattr=STR         Delete an attribute/value pair. The option will be
                        evaluated last, after all sets and adds.
  --rights              Display the access rights of this entry (requires
                        --all). See ipa man page for details.
  --all                 Retrieve and print all attributes from the server.
                        Affects command output.
  --raw                 Print entries as stored on the server. Only affects
                        output format.

So, setattr, addattr and delattr should, I think, be explained in the design
document, with example usage.

Another question that I have:
In order to test topologysegment-reinitialize, I need to set the replica
timeout to, say, 1, then turn this replica off, then make some changes on
master and turn on the replica? I mean, my goal is to make master give up
attempts to synchronize with replica, is that correct?

On 06/24/2015 12:28 PM, Petr Vobornik wrote:
> On 06/24/2015 12:19 PM, Oleg Fayans wrote:
>> Hi Ludwig,
>>
>> I see some contradictions in the way the segment modification cli is
>> implemented:
>>
>> 1.
>> $ ipa help topologysegment-mod
>> Usage: ipa [global-options] topologysegment-mod TOPOLOGYSUFFIX NAME
>> [options]
>>
>> $ ipa topologysegment-mod realm 127-to-244 --setattr=Segment name=test
>> ipa: ERROR: command 'topologysegment_mod' takes at most 2 arguments
>>
>> (suffix + name + options = 3, not 2)
>
> 'Segment name' is not correct attribute name. More below.
>
>>
>> 2.
>> Is there a way to list all possible attributes available for
>> modification?
>> When I do topologysegment-show --all, I get quite a small number of them,
>> and even them I am unable to modify:
>>
>> $ ipa topologysegment-show realm 127-to-244 --all
>>   dn: cn=127-to-244,cn=realm,cn=topology,cn=ipa,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
>>   Segment name: 127-to-244
>>   Left node: vm-127.idm.lab.eng.brq.redhat.com
>>   Right node: vm-244.idm.lab.eng.brq.redhat.com
>>   Connectivity: both
>>   objectclass: top, iparepltoposegment
>>
>> $ ipa topologysegment-mod realm 127-to-244 --setattr=connectivity=left-right
>> ipa: ERROR: attribute "connectivity" not allowed
>> $ ipa topologysegment-mod realm 127-to-244 --setattr=direction=left-right
>> ipa: ERROR: attribute "direction" not allowed
>>
>
> --XXXattr options work with LDAP attribute names. 'direction' is the
> option name but not attribute name. Attribute name is
> iparepltoposegmentdirection.
>
> You can see the mappings in, e.g.,:
> ipa show-mappings topologysegment-mod
>

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

From lkrispen at redhat.com Wed Jun 24 12:25:30 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Wed, 24 Jun 2015 14:25:30 +0200
Subject: [Freeipa-devel] topologysegment-mod question
In-Reply-To: <558A9B8F.3080509@redhat.com>
References: <558A842F.4050605@redhat.com> <558A8640.6020905@redhat.com> <558A9B8F.3080509@redhat.com>
Message-ID: <558AA1BA.90905@redhat.com>

On 06/24/2015 01:59 PM, Oleg Fayans wrote:
> Hi Petr,
>
> Thanks for clarification! It seems though, that all possible
> attributes are already mapped to the topologysegment-mod options:
>
> [...]
>
> So, setattr, addattr and delattr should, I think, be explained in the
> design document, with example usage.
>
> Another question that I have:
> In order to test topologysegment-reinitialize, I need to set the
> replica timeout to, say, 1, then turn this replica off, then make some
> changes on master and turn on the replica? I mean, my goal is to make
> master to give up attempts to synchronize with replica, is that correct?
I don't see why you want to do all these steps, initialize means that the
database of B is overwritten by the database of A, so you could check that
the content is the same. But to simulate a situation where init is required
is not so easy, if you turn the replica on again, the changes could be
normally replicated before you start the init
>
> [...]

From ofayans at redhat.com Wed Jun 24 12:30:25 2015
From: ofayans at redhat.com (Oleg Fayans)
Date: Wed, 24 Jun 2015 14:30:25 +0200
Subject: [Freeipa-devel] topologysegment-mod question
In-Reply-To: <558AA1BA.90905@redhat.com>
References: <558A842F.4050605@redhat.com> <558A8640.6020905@redhat.com> <558A9B8F.3080509@redhat.com> <558AA1BA.90905@redhat.com>
Message-ID: <558AA2E1.8020405@redhat.com>

On 06/24/2015 02:25 PM, Ludwig Krispenz wrote:
>
> On 06/24/2015 01:59 PM, Oleg Fayans wrote:
>> Hi Petr,
>>
>> Thanks for clarification! It seems though, that all possible
>> attributes are already mapped to the topologysegment-mod options:
>>
>> [...]
>>
>> So, setattr, addattr and delattr should, I think, be explained in the
>> design document, with example usage.
>>
>> Another question that I have:
>> In order to test topologysegment-reinitialize, I need to set the
>> replica timeout to, say, 1, then turn this replica off, then make
>> some changes on master and turn on the replica? I mean, my goal is to
>> make master to give up attempts to synchronize with replica, is that
>> correct?
> I don't see why you want to do all these steps, initialize means that
> the database of B is overwritten by the database of A, so you could
> check that the content is the same. But to simulate a situation where
> init is required is not so easy, if you turn the replica on again, the
> changes could be normally replicated before you start the init
The question is: how do I make sure that the content on node a is
overwritten with the content of node b? I kind of need the two nodes to
have different content and not trying to synchronize automatically
>>
>> [...]

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

From pvoborni at redhat.com Wed Jun 24 12:35:09 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 24 Jun 2015 14:35:09 +0200
Subject: [Freeipa-devel] [PATCH 0037] Hide traceback in ipa-dnskeysyncd if kinit failed
In-Reply-To: <55896D49.6080007@redhat.com>
References: <55894DD6.3020602@redhat.com> <55896D49.6080007@redhat.com>
Message-ID: <558AA3FD.60500@redhat.com>

On 06/23/2015 04:29 PM, Martin Babinsky wrote:
> On 06/23/2015 02:15 PM, Petr Spacek wrote:
>> Hello,
>>
>> Hide traceback in ipa-dnskeysyncd if kinit failed.
>>
>> https://fedorahosted.org/freeipa/ticket/4657
>>
> ACK
>

Pushed to master: 33bc9e7faca55497e00a3f6c08f4bff7262e290c
Pushed to ipa-4-1: 6f9d16fd0014427db223fe82f021b12f4db2fe37
--
Petr Vobornik

From lkrispen at redhat.com Wed Jun 24 12:35:52 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Wed, 24 Jun 2015 14:35:52 +0200
Subject: [Freeipa-devel] topologysegment-mod question
In-Reply-To: <558AA2E1.8020405@redhat.com>
References: <558A842F.4050605@redhat.com> <558A8640.6020905@redhat.com> <558A9B8F.3080509@redhat.com> <558AA1BA.90905@redhat.com> <558AA2E1.8020405@redhat.com>
Message-ID: <558AA428.6020804@redhat.com>

On 06/24/2015 02:30 PM, Oleg Fayans wrote:
>
> On 06/24/2015 02:25 PM, Ludwig Krispenz wrote:
>>
>> On 06/24/2015 01:59 PM, Oleg Fayans wrote:
>>> [...]
>>>
>>> Another question that I have:
>>> In order to test topologysegment-reinitialize, I need to set the
>>> replica timeout to, say, 1, then turn this replica off, then make
>>> some changes on master and turn on the replica? I mean, my goal is
>>> to make master to give up attempts to synchronize with replica, is
>>> that correct?
>> I don't see why you want to do all these steps, initialize means that
>> the database of B is overwritten by the database of A, so you could
>> check that the content is the same. But to simulate a situation where
>> init is required is not so easy, if you turn the replica on again,
>> the changes could be normally replicated before you start the init
> The question is: how do I make sure that the content on node a is
> overwritten with the content of node b? I kind of need the two nodes
> to have different content and not trying to synchronize automatically
you could combine this with a backup test. On server A make a backup, make
some changes on any node and wait until it is replicated everywhere.
restore A from the backup and reinitialize the complete topology. It should
be enough with 2 or three servers
>>> [...]

From tbabej at redhat.com Wed Jun 24 12:39:33 2015
From: tbabej at redhat.com (Tomas Babej)
Date: Wed, 24 Jun 2015 14:39:33 +0200
Subject: [Freeipa-devel] [PATCHES 330-331] Update translations and introduce Zanata configuration
Message-ID: <558AA505.9080907@redhat.com>

Hi,

this couple of patches updates our *.po files and introduces necessary
configuration inside FreeIPA's git repository.

Tomas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tbabej-0330-l10n-Update-translation-strings.patch
Type: text/x-patch
Size: 863438 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tbabej-0331-l10n-Add-configuration-file-for-Zanata.patch
Type: text/x-patch
Size: 1543 bytes
Desc: not available
URL:

From tbabej at redhat.com Wed Jun 24 13:16:13 2015
From: tbabej at redhat.com (Tomas Babej) Date: Wed, 24 Jun 2015 15:16:13 +0200 Subject: [Freeipa-devel] Notice: FreeIPA localization strings updated, deadline 2015-07-01 Message-ID: <558AAD9D.6050909@redhat.com> Hello, FreeIPA translators! Updated translation strings are available for localization at the fedora.zanata.org Zanata server instance: https://fedora.zanata.org/iteration/view/freeipa/master Please update the translations at your leisure in the next 7 days, we plan to pull the translations for 4.2 release from Zanata on Wednesday, July the 1st. Additionally, given the push for automated updates of the translation strings in the past, this is the approach we will be taking during the 4.3 development cycle, as it is achievable given now that FreeIPA translations are hosted at Zanata. The currently proposed intervals are to upload new strings to Zanata once per month, but if you have other proposals, let us know. Tomas From cheimes at redhat.com Wed Jun 24 13:49:20 2015 From: cheimes at redhat.com (Christian Heimes) Date: Wed, 24 Jun 2015 15:49:20 +0200 Subject: [Freeipa-devel] python-kdcproxy > 0.3 Message-ID: <558AB560.1040104@redhat.com> Hi, today my patch for Kerberos over HTTP landed in FreeIPA. It introduces a new dependency on python-kdcproxy > 0.3. The package is not yet available from the official repositories. You can download it from Koji: http://koji.fedoraproject.org/koji/packageinfo?packageID=19292 F21 builds are currently broken. The tox.ini uses a feature, that is not supported by tox < 1.8. Fedora 21 has tox 1.7.1. I've submitted an upstream fix: https://github.com/npmccallum/kdcproxy/pull/19 I'm sorry for any inconveniences! Christian -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From ofayans at redhat.com Wed Jun 24 14:19:06 2015 
From: ofayans at redhat.com (Oleg Fayans) Date: Wed, 24 Jun 2015 16:19:06 +0200 Subject: [Freeipa-devel] topologysegment-mod question In-Reply-To: <558AA428.6020804@redhat.com> References: <558A842F.4050605@redhat.com> <558A8640.6020905@redhat.com> <558A9B8F.3080509@redhat.com> <558AA1BA.90905@redhat.com> <558AA2E1.8020405@redhat.com> <558AA428.6020804@redhat.com> Message-ID: <558ABC5A.2080406@redhat.com> On 06/24/2015 02:35 PM, Ludwig Krispenz wrote: > > On 06/24/2015 02:30 PM, Oleg Fayans wrote: >> >> >> On 06/24/2015 02:25 PM, Ludwig Krispenz wrote: >>> >>> On 06/24/2015 01:59 PM, Oleg Fayans wrote: >>>> Hi Petr, >>>> >>>> Thanks for clarification! It seems though, that all possible >>>> attributes are already mapped to the topologysegment-mod options: >>>> >>>> [13:42:45]ofayans at vm-244:~]$ ipa show-mappings topologysegment-mod >>>> Parameter : LDAP attribute >>>> ========= : ============== >>>> stripattrs : nsds5replicastripattrs >>>> replattrs : nsds5replicatedattributelist >>>> replattrstotal : nsds5replicatedattributelisttotal >>>> timeout : nsds5replicatimeout >>>> enabled : nsds5replicaenabled >>>> rights : rights >>>> [13:47:41]ofayans at vm-244:~]$ ipa help topologysegment-mod >>>> Usage: ipa [global-options] topologysegment-mod TOPOLOGYSUFFIX NAME >>>> [options] >>>> >>>> Modify a segment. >>>> Options: >>>> -h, --help show this help message and exit >>>> --stripattrs=STR A space separated list of attributes which >>>> are removed >>>> from replication updates. >>>> --replattrs=STR Attributes that are not replicated to a >>>> consumer >>>> server during a fractional update. E.g., >>>> `(objectclass=*) $ EXCLUDE accountlockout >>>> memberof >>>> --replattrstotal=STR Attributes that are not replicated to a >>>> consumer >>>> server during a total update. E.g. 
>>>> (objectclass=*) $ >>>> EXCLUDE accountlockout >>>> --timeout=INT Number of seconds outbound LDAP operations >>>> waits for a >>>> response from the remote replica before >>>> timing out and >>>> failing >>>> --enabled=['on', 'off'] >>>> Whether a replication agreement is active, >>>> meaning >>>> whether replication is occurring per that >>>> agreement >>>> --setattr=STR Set an attribute to a name/value pair. >>>> Format is >>>> attr=value. For multi-valued attributes, >>>> the command >>>> replaces the values already present. >>>> --addattr=STR Add an attribute/value pair. Format is >>>> attr=value. The >>>> attribute must be part of the schema. >>>> --delattr=STR Delete an attribute/value pair. The option >>>> will be >>>> evaluated last, after all sets and adds. >>>> --rights Display the access rights of this entry >>>> (requires >>>> --all). See ipa man page for details. >>>> --all Retrieve and print all attributes from the >>>> server. >>>> Affects command output. >>>> --raw Print entries as stored on the server. Only >>>> affects >>>> output format. >>>> >>>> So, setattr, addattr and delattr should, I think, be explained in >>>> the design document, with example usage. >>>> >>>> Another question that I have: >>>> In order to test topologysegment-reinitialize, I need to set the >>>> replica timeout to, say, 1, then turn this replica off, then make >>>> some changes on master and turn on the replica? I mean, my goal is >>>> to make master to give up attempts to synchronize with replica, is >>>> that correct? >>> I don't see why you want to do all these steps, initialize means >>> that the database of B is overwritten by the database of A, so you >>> could check that the content is the same. 
But to simulate a >>> situation where init is required is not so easy, if you turn the >>> replica on again, the changes could be normally replicated before >>> you start the init >> The question is: how do I make sure that the content on node /a /is >> overwritten with the content of node /b/? I kind of need the two >> nodes to have different content and not trying to synchronize >> automatically > you could combine this with a backup test. On server A make a backup, > make some changes on any node and wait until it is replicated > everywhere. restore A from the backup and reinitialize the complete > topology. It should be enough with 2 or three servers Will the changes introduced by restoring from backup not get replicated automatically? >>>> >>>> On 06/24/2015 12:28 PM, Petr Vobornik wrote: >>>>> On 06/24/2015 12:19 PM, Oleg Fayans wrote: >>>>>> Hi Ludwig, >>>>>> >>>>>> I see some contradictions in the way the segment modification cli is >>>>>> implemented: >>>>>> >>>>>> 1. >>>>>> $ ipa help topologysegment-mod >>>>>> Usage: ipa [global-options] topologysegment-mod TOPOLOGYSUFFIX NAME >>>>>> [options] >>>>>> >>>>>> $ ipa topologysegment-mod realm 127-to-244 --setattr=Segment >>>>>> name=test >>>>>> ipa: ERROR: command 'topologysegment_mod' takes at most 2 arguments >>>>>> >>>>>> (suffix + name + options = 3, not 2) >>>>> >>>>> 'Segment name' is not correct attribute name. More below. >>>>> >>>>>> >>>>>> 2. >>>>>> Is there a way to list all possible attributes available for >>>>>> modification? 
>>>>>> When do topologysegment-show --all, I get quite a small number of >>>>>> them, >>>>>> and even them I am unable to modify: >>>>>> >>>>>> $ ipa topologysegment-show realm 127-to-244 --all >>>>>> dn: >>>>>> cn=127-to-244,cn=realm,cn=topology,cn=ipa,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >>>>>> >>>>>> >>>>>> Segment name: 127-to-244 >>>>>> Left node: vm-127.idm.lab.eng.brq.redhat.com >>>>>> Right node: vm-244.idm.lab.eng.brq.redhat.com >>>>>> Connectivity: both >>>>>> objectclass: top, iparepltoposegment >>>>>> >>>>>> $ ipa topologysegment-mod realm 127-to-244 >>>>>> --setattr=connectivity=left-right >>>>>> ipa: ERROR: attribute "connectivity" not allowed >>>>>> $ ipa topologysegment-mod realm 127-to-244 >>>>>> --setattr=direction=left-right >>>>>> ipa: ERROR: attribute "direction" not allowed >>>>>> >>>>> >>>>> --XXXattr options work with LDAP attributes names. 'direction' is >>>>> the option name but not attribute name. Attribute name is >>>>> iparepltoposegmentdirection. >>>>> >>>>> You can see the mappings in, e.g.,: >>>>> ipa show-mappings topologysegment-mod >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>> >>>> -- >>>> Oleg Fayans >>>> Quality Engineer >>>> FreeIPA team >>>> RedHat. >>>> >>>> >>> >>> >>> >> >> -- >> Oleg Fayans >> Quality Engineer >> FreeIPA team >> RedHat. >> >> > > > -- Oleg Fayans Quality Engineer FreeIPA team RedHat. -------------- next part -------------- An HTML attachment was scrubbed... URL: From pvoborni at redhat.com Wed Jun 24 14:26:09 2015 
From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 24 Jun 2015 16:26:09 +0200 Subject: [Freeipa-devel] topologysegment-mod question In-Reply-To: <558ABC5A.2080406@redhat.com> References: <558A842F.4050605@redhat.com> <558A8640.6020905@redhat.com> <558A9B8F.3080509@redhat.com> <558AA1BA.90905@redhat.com> <558AA2E1.8020405@redhat.com> <558AA428.6020804@redhat.com> <558ABC5A.2080406@redhat.com> Message-ID: <558ABE01.2040001@redhat.com> On 06/24/2015 04:19 PM, Oleg Fayans wrote: > > > On 06/24/2015 02:35 PM, Ludwig Krispenz wrote: >> >> On 06/24/2015 02:30 PM, Oleg Fayans wrote: >>> >>> >>> On 06/24/2015 02:25 PM, Ludwig Krispenz wrote: >>>> >>>> On 06/24/2015 01:59 PM, Oleg Fayans wrote: >>>>> Hi Petr, >>>>> >>>>> Thanks for clarification! It seems though, that all possible >>>>> attributes are already mapped to the topologysegment-mod options: >>>>> >>>>> [13:42:45]ofayans at vm-244:~]$ ipa show-mappings topologysegment-mod >>>>> Parameter : LDAP attribute >>>>> ========= : ============== >>>>> stripattrs : nsds5replicastripattrs >>>>> replattrs : nsds5replicatedattributelist >>>>> replattrstotal : nsds5replicatedattributelisttotal >>>>> timeout : nsds5replicatimeout >>>>> enabled : nsds5replicaenabled >>>>> rights : rights >>>>> [13:47:41]ofayans at vm-244:~]$ ipa help topologysegment-mod >>>>> Usage: ipa [global-options] topologysegment-mod TOPOLOGYSUFFIX NAME >>>>> [options] >>>>> >>>>> Modify a segment. >>>>> Options: >>>>> -h, --help show this help message and exit >>>>> --stripattrs=STR A space separated list of attributes which >>>>> are removed >>>>> from replication updates. >>>>> --replattrs=STR Attributes that are not replicated to a >>>>> consumer >>>>> server during a fractional update. E.g., >>>>> `(objectclass=*) $ EXCLUDE accountlockout >>>>> memberof >>>>> --replattrstotal=STR Attributes that are not replicated to a >>>>> consumer >>>>> server during a total update. E.g. 
>>>>> (objectclass=*) $ >>>>> EXCLUDE accountlockout >>>>> --timeout=INT Number of seconds outbound LDAP operations >>>>> waits for a >>>>> response from the remote replica before >>>>> timing out and >>>>> failing >>>>> --enabled=['on', 'off'] >>>>> Whether a replication agreement is active, >>>>> meaning >>>>> whether replication is occurring per that >>>>> agreement >>>>> --setattr=STR Set an attribute to a name/value pair. >>>>> Format is >>>>> attr=value. For multi-valued attributes, >>>>> the command >>>>> replaces the values already present. >>>>> --addattr=STR Add an attribute/value pair. Format is >>>>> attr=value. The >>>>> attribute must be part of the schema. >>>>> --delattr=STR Delete an attribute/value pair. The option >>>>> will be >>>>> evaluated last, after all sets and adds. >>>>> --rights Display the access rights of this entry >>>>> (requires >>>>> --all). See ipa man page for details. >>>>> --all Retrieve and print all attributes from the >>>>> server. >>>>> Affects command output. >>>>> --raw Print entries as stored on the server. Only >>>>> affects >>>>> output format. >>>>> >>>>> So, setattr, addattr and delattr should, I think, be explained in >>>>> the design document, with example usage. >>>>> >>>>> Another question that I have: >>>>> In order to test topologysegment-reinitialize, I need to set the >>>>> replica timeout to, say, 1, then turn this replica off, then make >>>>> some changes on master and turn on the replica? I mean, my goal is >>>>> to make master to give up attempts to synchronize with replica, is >>>>> that correct? >>>> I don't see why you want to do all these steps, initialize means >>>> that the database of B is overwritten by the database of A, so you >>>> could check that the content is the same. 
But to simulate a >>>> situation where init is required is not so easy, if you turn the >>>> replica on again, the changes could be normally replicated before >>>> you start the init >>> The question is: how do I make sure that the content on node /a /is >>> overwritten with the content of node /b/? I kind of need the two >>> nodes to have different content and not trying to synchronize >>> automatically >> you could combine this with a backup test. On server A make a backup, >> make some changes on any node and wait until it is replicated >> everywhere. restore A from the backup and reinitialize the complete >> topology. It should be enough with 2 or three servers > Will the changes introduced by restoring from backup not get replicated > automatically? This is a good scenario to test. ipa-restore tries to disable all replication agreements of other servers with the to-be-restored replica prior the restore.. It announces it with: Each master will individually need to be re-initialized or re-created from this one. The replication agreements on masters running IPA 3.1 or earlier will need to be manually re-enabled. See the man page for details. >>>>> >>>>> On 06/24/2015 12:28 PM, Petr Vobornik wrote: >>>>>> On 06/24/2015 12:19 PM, Oleg Fayans wrote: >>>>>>> Hi Ludwig, >>>>>>> >>>>>>> I see some contradictions in the way the segment modification cli is >>>>>>> implemented: >>>>>>> >>>>>>> 1. >>>>>>> $ ipa help topologysegment-mod >>>>>>> Usage: ipa [global-options] topologysegment-mod TOPOLOGYSUFFIX NAME >>>>>>> [options] >>>>>>> >>>>>>> $ ipa topologysegment-mod realm 127-to-244 --setattr=Segment >>>>>>> name=test >>>>>>> ipa: ERROR: command 'topologysegment_mod' takes at most 2 arguments >>>>>>> >>>>>>> (suffix + name + options = 3, not 2) >>>>>> >>>>>> 'Segment name' is not correct attribute name. More below. >>>>>> >>>>>>> >>>>>>> 2. >>>>>>> Is there a way to list all possible attributes available for >>>>>>> modification? 
>>>>>>> When do topologysegment-show --all, I get quite a small number of >>>>>>> them, >>>>>>> and even them I am unable to modify: >>>>>>> >>>>>>> $ ipa topologysegment-show realm 127-to-244 --all >>>>>>> dn: >>>>>>> cn=127-to-244,cn=realm,cn=topology,cn=ipa,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >>>>>>> >>>>>>> >>>>>>> Segment name: 127-to-244 >>>>>>> Left node: vm-127.idm.lab.eng.brq.redhat.com >>>>>>> Right node: vm-244.idm.lab.eng.brq.redhat.com >>>>>>> Connectivity: both >>>>>>> objectclass: top, iparepltoposegment >>>>>>> >>>>>>> $ ipa topologysegment-mod realm 127-to-244 >>>>>>> --setattr=connectivity=left-right >>>>>>> ipa: ERROR: attribute "connectivity" not allowed >>>>>>> $ ipa topologysegment-mod realm 127-to-244 >>>>>>> --setattr=direction=left-right >>>>>>> ipa: ERROR: attribute "direction" not allowed >>>>>>> >>>>>> >>>>>> --XXXattr options work with LDAP attributes names. 'direction' is >>>>>> the option name but not attribute name. Attribute name is >>>>>> iparepltoposegmentdirection. >>>>>> >>>>>> You can see the mappings in, e.g.,: >>>>>> ipa show-mappings topologysegment-mod -- Petr Vobornik From mbasti at redhat.com Wed Jun 24 14:29:19 2015 From: mbasti at redhat.com (Martin Basti) Date: Wed, 24 Jun 2015 16:29:19 +0200 Subject: [Freeipa-devel] [PATCHES 330-331] Update translations and introduce Zanata configuration In-Reply-To: <558AA505.9080907@redhat.com> References: <558AA505.9080907@redhat.com> Message-ID: <558ABEBF.4010907@redhat.com> On 24/06/15 14:39, Tomas Babej wrote: > +msgid "Automount location name." > +msgstr "Job Title" > + in german po file +msgid "Automount location name." +msgstr "Job Title" + AFAIK, this is not german language. -- Martin Basti From lkrispen at redhat.com Wed Jun 24 14:31:07 2015 
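Review bot: in the de po hunk the added msgstr "Job Title" is not a translation of msgid "Automount location name." but an unrelated English string, so a German UI would label the automount location field as a job title. Either supply the German translation or leave the msgstr empty, which gettext treats as untranslated and falls back to the source string; it is also worth checking the same file for other msgstr values that were copied from a neighbouring msgid.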
From: lkrispen at redhat.com (Ludwig Krispenz) Date: Wed, 24 Jun 2015 16:31:07 +0200 Subject: [Freeipa-devel] topologysegment-mod question In-Reply-To: <558ABC5A.2080406@redhat.com> References: <558A842F.4050605@redhat.com> <558A8640.6020905@redhat.com> <558A9B8F.3080509@redhat.com> <558AA1BA.90905@redhat.com> <558AA2E1.8020405@redhat.com> <558AA428.6020804@redhat.com> <558ABC5A.2080406@redhat.com> Message-ID: <558ABF2B.5010709@redhat.com> On 06/24/2015 04:19 PM, Oleg Fayans wrote: > > > On 06/24/2015 02:35 PM, Ludwig Krispenz wrote: >> >> On 06/24/2015 02:30 PM, Oleg Fayans wrote: >>> >>> >>> On 06/24/2015 02:25 PM, Ludwig Krispenz wrote: >>>> >>>> On 06/24/2015 01:59 PM, Oleg Fayans wrote: >>>>> Hi Petr, >>>>> >>>>> Thanks for clarification! It seems though, that all possible >>>>> attributes are already mapped to the topologysegment-mod options: >>>>> >>>>> [13:42:45]ofayans at vm-244:~]$ ipa show-mappings topologysegment-mod >>>>> Parameter : LDAP attribute >>>>> ========= : ============== >>>>> stripattrs : nsds5replicastripattrs >>>>> replattrs : nsds5replicatedattributelist >>>>> replattrstotal : nsds5replicatedattributelisttotal >>>>> timeout : nsds5replicatimeout >>>>> enabled : nsds5replicaenabled >>>>> rights : rights >>>>> [13:47:41]ofayans at vm-244:~]$ ipa help topologysegment-mod >>>>> Usage: ipa [global-options] topologysegment-mod TOPOLOGYSUFFIX >>>>> NAME [options] >>>>> >>>>> Modify a segment. >>>>> Options: >>>>> -h, --help show this help message and exit >>>>> --stripattrs=STR A space separated list of attributes which >>>>> are removed >>>>> from replication updates. >>>>> --replattrs=STR Attributes that are not replicated to a >>>>> consumer >>>>> server during a fractional update. E.g., >>>>> `(objectclass=*) $ EXCLUDE accountlockout >>>>> memberof >>>>> --replattrstotal=STR Attributes that are not replicated to a >>>>> consumer >>>>> server during a total update. E.g. 
>>>>> (objectclass=*) $ >>>>> EXCLUDE accountlockout >>>>> --timeout=INT Number of seconds outbound LDAP operations >>>>> waits for a >>>>> response from the remote replica before >>>>> timing out and >>>>> failing >>>>> --enabled=['on', 'off'] >>>>> Whether a replication agreement is active, >>>>> meaning >>>>> whether replication is occurring per that >>>>> agreement >>>>> --setattr=STR Set an attribute to a name/value pair. >>>>> Format is >>>>> attr=value. For multi-valued attributes, >>>>> the command >>>>> replaces the values already present. >>>>> --addattr=STR Add an attribute/value pair. Format is >>>>> attr=value. The >>>>> attribute must be part of the schema. >>>>> --delattr=STR Delete an attribute/value pair. The option >>>>> will be >>>>> evaluated last, after all sets and adds. >>>>> --rights Display the access rights of this entry >>>>> (requires >>>>> --all). See ipa man page for details. >>>>> --all Retrieve and print all attributes from the >>>>> server. >>>>> Affects command output. >>>>> --raw Print entries as stored on the server. >>>>> Only affects >>>>> output format. >>>>> >>>>> So, setattr, addattr and delattr should, I think, be explained in >>>>> the design document, with example usage. >>>>> >>>>> Another question that I have: >>>>> In order to test topologysegment-reinitialize, I need to set the >>>>> replica timeout to, say, 1, then turn this replica off, then make >>>>> some changes on master and turn on the replica? I mean, my goal is >>>>> to make master to give up attempts to synchronize with replica, is >>>>> that correct? >>>> I don't see why you want to do all these steps, initialize means >>>> that the database of B is overwritten by the database of A, so you >>>> could check that the content is the same. 
>>>> But to simulate a situation where init is required is not so easy, if you turn the
>>>> replica on again, the changes could be normally replicated before
>>>> you start the init
>>> The question is: how do I make sure that the content on node /a/ is
>>> overwritten with the content of node /b/? I kind of need the two
>>> nodes to have different content and not trying to synchronize
>>> automatically
>> you could combine this with a backup test. On server A make a backup,
>> make some changes on any node and wait until it is replicated
>> everywhere. restore A from the backup and reinitialize the complete
>> topology. It should be enough with 2 or three servers
> Will the changes introduced by restoring from backup not get
> replicated automatically?

no, a restore will only replace the database, then it depends on the
replication agreements and state of other servers. On the restored server
the changes after backup are no longer available, but they could be
replicated back from other servers, that's why it is recommended to
disable repl agreements to this server and then reinit

>>>>>
>>>>> On 06/24/2015 12:28 PM, Petr Vobornik wrote:
>>>>>> On 06/24/2015 12:19 PM, Oleg Fayans wrote:
>>>>>>> Hi Ludwig,
>>>>>>>
>>>>>>> I see some contradictions in the way the segment modification
>>>>>>> cli is implemented:
>>>>>>>
>>>>>>> 1.
>>>>>>> $ ipa help topologysegment-mod
>>>>>>> Usage: ipa [global-options] topologysegment-mod TOPOLOGYSUFFIX NAME
>>>>>>> [options]
>>>>>>>
>>>>>>> $ ipa topologysegment-mod realm 127-to-244 --setattr=Segment
>>>>>>> name=test
>>>>>>> ipa: ERROR: command 'topologysegment_mod' takes at most 2 arguments
>>>>>>>
>>>>>>> (suffix + name + options = 3, not 2)
>>>>>>
>>>>>> 'Segment name' is not correct attribute name. More below.
>>>>>>
>>>>>>>
>>>>>>> 2.
>>>>>>> Is there a way to list all possible attributes available for
>>>>>>> modification?
>>>>>>> When do topologysegment-show --all, I get quite a small number >>>>>>> of them, >>>>>>> and even them I am unable to modify: >>>>>>> >>>>>>> $ ipa topologysegment-show realm 127-to-244 --all >>>>>>> dn: >>>>>>> cn=127-to-244,cn=realm,cn=topology,cn=ipa,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >>>>>>> >>>>>>> >>>>>>> Segment name: 127-to-244 >>>>>>> Left node: vm-127.idm.lab.eng.brq.redhat.com >>>>>>> Right node: vm-244.idm.lab.eng.brq.redhat.com >>>>>>> Connectivity: both >>>>>>> objectclass: top, iparepltoposegment >>>>>>> >>>>>>> $ ipa topologysegment-mod realm 127-to-244 >>>>>>> --setattr=connectivity=left-right >>>>>>> ipa: ERROR: attribute "connectivity" not allowed >>>>>>> $ ipa topologysegment-mod realm 127-to-244 >>>>>>> --setattr=direction=left-right >>>>>>> ipa: ERROR: attribute "direction" not allowed >>>>>>> >>>>>> >>>>>> --XXXattr options work with LDAP attributes names. 'direction' is >>>>>> the option name but not attribute name. Attribute name is >>>>>> iparepltoposegmentdirection. >>>>>> >>>>>> You can see the mappings in, e.g.,: >>>>>> ipa show-mappings topologysegment-mod >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>> >>>>> -- >>>>> Oleg Fayans >>>>> Quality Engineer >>>>> FreeIPA team >>>>> RedHat. >>>>> >>>>> >>>> >>>> >>>> >>> >>> -- >>> Oleg Fayans >>> Quality Engineer >>> FreeIPA team >>> RedHat. >>> >>> >> >> >> > > -- > Oleg Fayans > Quality Engineer > FreeIPA team > RedHat. > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From tbabej at redhat.com Wed Jun 24 14:33:48 2015 
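Petr's and Ludwig's replies above describe the failure mode Oleg is asking about: a restore only replaces the database, so while the replication agreements stay enabled the other servers push the post-backup changes straight back, and only disabling the agreements to the restored server and then reinitializing the others leaves the topology with the backup's content. The toy model below is an added example for this thread, not code from FreeIPA or from anyone on the list. The three servers A, B and C, the entry uid=alice and the single global CSN counter are constructed simplifications of 389-ds replication (real CSNs are per replica id, and ipa-restore and ipa-replica-manage do far more than this), chosen so that both outcomes can be reproduced offline.

```python
import copy
from dataclasses import dataclass, field


@dataclass
class Replica:
    """One server in the model: its entries, its changelog and its enabled agreements."""
    name: str
    entries: dict = field(default_factory=dict)     # dn -> (csn, value); highest csn wins
    changelog: list = field(default_factory=list)   # (csn, dn, value) this server has applied
    peers: set = field(default_factory=set)         # servers with an enabled agreement


class Topology:
    """Constructed toy replication: one global CSN counter, bidirectional agreements."""

    def __init__(self, names):
        self.replicas = {n: Replica(n) for n in names}
        self._csn = 0

    def connect(self, a, b):
        self.replicas[a].peers.add(b)
        self.replicas[b].peers.add(a)

    def disconnect(self, a, b):
        self.replicas[a].peers.discard(b)
        self.replicas[b].peers.discard(a)

    def write(self, name, dn, value):
        """A local LDAP write: applied at once and recorded with a fresh CSN."""
        self._csn += 1
        self._apply(self.replicas[name], self._csn, dn, value)

    @staticmethod
    def _apply(replica, csn, dn, value):
        current = replica.entries.get(dn)
        if current is None or csn > current[0]:   # later change wins, as in 389-ds
            replica.entries[dn] = (csn, value)
        replica.changelog.append((csn, dn, value))

    def sync(self):
        """Incremental replication: each enabled agreement pushes every CSN the peer lacks."""
        progressed = True
        while progressed:
            progressed = False
            for src in self.replicas.values():
                for peer in sorted(src.peers):
                    dst = self.replicas[peer]
                    seen = {csn for csn, _, _ in dst.changelog}
                    for csn, dn, value in sorted(src.changelog):
                        if csn not in seen:
                            self._apply(dst, csn, dn, value)
                            progressed = True

    def backup(self, name):
        r = self.replicas[name]
        return copy.deepcopy((r.entries, r.changelog))

    def restore(self, name, snapshot):
        """Like a restore in this model: the database is replaced, agreements are untouched."""
        r = self.replicas[name]
        r.entries, r.changelog = copy.deepcopy(snapshot)

    def reinitialize(self, src, dst):
        """Total update: the database of dst is overwritten by the database of src."""
        s, d = self.replicas[src], self.replicas[dst]
        d.entries, d.changelog = copy.deepcopy((s.entries, s.changelog))

    def value(self, name, dn):
        return self.replicas[name].entries[dn][1]


def _seeded():
    """A-B-C in a line, one entry replicated everywhere, a backup of A, then a later change."""
    t = Topology(["A", "B", "C"])
    t.connect("A", "B")
    t.connect("B", "C")
    t.write("A", "uid=alice", "old")
    t.sync()
    snapshot = t.backup("A")
    t.write("B", "uid=alice", "new")   # change made after the backup, on another node
    t.sync()                            # ... and replicated everywhere, A included
    return t, snapshot


def restore_with_agreements_enabled():
    """Restore A but leave the agreements alone: B pushes the newer CSN straight back."""
    t, snapshot = _seeded()
    t.restore("A", snapshot)
    right_after_restore = t.value("A", "uid=alice")   # A really differs from B here
    t.sync()                                           # ... but not after the next sync
    return right_after_restore, t.value("A", "uid=alice")


def restore_disable_then_reinit():
    """Disable the agreement to A, restore, reinit the rest from A: everyone has the backup."""
    t, snapshot = _seeded()
    t.disconnect("A", "B")
    t.restore("A", snapshot)
    t.reinitialize("A", "B")
    t.reinitialize("B", "C")          # C only has an agreement with B
    t.connect("A", "B")
    t.sync()
    return tuple(t.value(n, "uid=alice") for n in ("A", "B", "C"))


if __name__ == "__main__":
    print("agreements left enabled:", restore_with_agreements_enabled())
    print("disabled, then reinit:  ", restore_disable_then_reinit())
```

The first scenario is the "replicated back" case Ludwig describes: immediately after the restore A holds the backup content, but the next replication cycle overwrites it again because B still has a CSN that A's restored changelog does not know. The second scenario is the recommended sequence; the whole topology ends up with the pre-backup content, which is the state Oleg needs before testing topologysegment-reinitialize.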
From: tbabej at redhat.com (Tomas Babej)
Date: Wed, 24 Jun 2015 16:33:48 +0200
Subject: [Freeipa-devel] [PATCHES 330-331] Update translations and introduce Zanata configuration
In-Reply-To: <558ABEBF.4010907@redhat.com>
References: <558AA505.9080907@redhat.com> <558ABEBF.4010907@redhat.com>
Message-ID: <558ABFCC.4040603@redhat.com>

On 06/24/2015 04:29 PM, Martin Basti wrote:
> On 24/06/15 14:39, Tomas Babej wrote:
>> +msgid "Automount location name."
>> +msgstr "Job Title"
>> +
>
> in german po file
>
> +msgid "Automount location name."
> +msgstr "Job Title"
> +
>
>
> AFAIK, this is not german language.
>

Nice catch! You can show off your German language skills by entering the
correct translation here:
https://fedora.zanata.org/webtrans/Application.seam?project=freeipa&iteration=master&localeId=de&locale=en#view:doc;doc:install/po/ipa;search:Automount%20location%20name

So far, I removed the wrong translation string in Zanata.

Tomas

From ofayans at redhat.com Wed Jun 24 14:47:08 2015
From: ofayans at redhat.com (Oleg Fayans)
Date: Wed, 24 Jun 2015 16:47:08 +0200
Subject: [Freeipa-devel] [Test Plan] Manage replication topology
Message-ID: <558AC2EC.9080604@redhat.com>

Hi,

The initial revision of the Replication Topology plugin Test Plan is available at
http://www.freeipa.org/page/V4/Manage_replication_topology/Test_plan

It does not yet contain testcases checking all possible Topology related
actions, just very basic stuff.

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

From ofayans at redhat.com Wed Jun 24 14:57:46 2015
From: ofayans at redhat.com (Oleg Fayans)
Date: Wed, 24 Jun 2015 16:57:46 +0200
Subject: [Freeipa-devel] docker-based upstream builder
Message-ID: <558AC56A.9000106@redhat.com>

Hi everybody,

A while ago I've created a docker image to build freeipa packages with
development patches applied on top of the upstream repo. I also created a
script that would launch the container, tell it to build packages and,
once done, stop the container. The container had a special folder on my
laptop mounted as a volume, so any time I wanted to test some patches, I
just put the patches in this folder and the container applied them for
me, so all I had to do was call my script.

I find it pretty handy for testing purposes, so I'd like to share it with
the team. Everything needed to build the docker image (f22-based) can be
found here:
https://github.com/ofayans/freeipa_upstream_builder

The local script to launch the container is attached.

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: buildrpms.sh
Type: application/x-shellscript
Size: 588 bytes
Desc: not available
URL: 

From jcholast at redhat.com Wed Jun 24 15:21:18 2015
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 24 Jun 2015 17:21:18 +0200 Subject: [Freeipa-devel] [PATCHES 448-460] Allow multiple API instances (take 2) Message-ID: <558ACAEE.3060503@redhat.com> Hi, the attached patches fix and . Honza -- Jan Cholasta -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-448-plugable-Move-plugin-base-class-and-override-logic-t.patch Type: text/x-patch Size: 21388 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-449-ipalib-Load-ipaserver-plugins-when-api.env.in_server.patch Type: text/x-patch Size: 9838 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-450-ipalib-Move-find_modules_in_dir-from-util-to-plugabl.patch Type: text/x-patch Size: 3025 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-451-plugable-Specify-plugins-to-import-in-API-by-module-.patch Type: text/x-patch Size: 6893 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-452-plugable-Load-plugins-only-from-modules-imported-by-.patch Type: text/x-patch Size: 9770 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-453-plugable-Pass-API-to-plugins-on-initialization-rathe.patch Type: text/x-patch Size: 59262 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-454-plugable-Do-not-use-DictProxy-for-API.patch Type: text/x-patch Size: 3168 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-jcholast-455-plugable-Lock-API-on-finalization-rather-than-on-ini.patch Type: text/x-patch Size: 2352 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-456-ipaplatform-Do-not-use-MagicDict-for-KnownServices.patch Type: text/x-patch Size: 1811 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-457-plugable-Remove-SetProxy-DictProxy-and-MagicDict.patch Type: text/x-patch Size: 9764 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-458-plugable-Change-is_production_mode-to-method-of-API.patch Type: text/x-patch Size: 9760 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-459-plugable-Specify-plugin-base-classes-and-modules-usi.patch Type: text/x-patch Size: 4955 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-460-plugable-Remove-unused-call-method-of-Plugin.patch Type: text/x-patch Size: 2339 bytes Desc: not available URL: From simo at redhat.com Wed Jun 24 19:01:26 2015 
From: simo at redhat.com (Simo Sorce)
Date: Wed, 24 Jun 2015 15:01:26 -0400
Subject: [Freeipa-devel] Topology: Central node removal in star topology
In-Reply-To: <558A7798.8020000@redhat.com>
References: <558A729F.1030307@redhat.com> <558A7798.8020000@redhat.com>
Message-ID: <1435172486.16474.95.camel@willson.usersys.redhat.com>

On Wed, 2015-06-24 at 11:25 +0200, Ludwig Krispenz wrote:
> Oleg,
>
> the topology plugin relies on existing connection between servers which
> remain in a topology. If you remove a central node in your topology you
> are asking for trouble.
> With Petr's patch it warns you that your topology will be disconnected,
> and if you insist we cannot guarantee anything.
> should we completely prohibit this ?

No, but a --force should be needed.
Without a --force option we should not allow to remove a replica
completely from another one.

> I don't know, I think you could
> also enforce an uninstall of vm175 with probably the same result.
> what you mean by calculating the remaining topology and send it to the
> remaining servers does not work, it would require to send a removal of a
> segment, which would be rejected.

You would have to connect to each replica that has a replication
agreement with vm175 and remove the segment from that replica.
But it wouldn't really help much as once a replica is isolated from the
central one, it will not see the other operations going on in other
replicas.

Once we have a topology resolver we will be able to warn that removing a
specific replica will cause a split brain and make very loud warnings and
even offer solutions on how to reconnect the remaining replicas, but
nothing else can really be done if the admin insists on breaking the
replication topology, I guess.

> The topology is broken, and I don't know how much we should invest in
> making this info consistent on all servers.
We just need to make it very clear to the admin that replication is broken, later on we'll have visual tools to make it easier to understand what is going on, but that's all we can do. > More interesting would be if we can heal this later by adding new segments. Indeed, reconnecting all the severed replicas should cause all the removals (segments or servers) to be replicated among servers and should bring back the topology view in a consistent state. But not until all servers are reconnected and replication has started again. Simo. > Ludwig > On 06/24/2015 11:04 AM, Oleg Fayans wrote: > > Hi everybody, > > > > Current implementation of topology plugin (including patch 878 from > > Petr) allows the deletion of the central node in the star topology. > > I had the following topology: > > > > vm056 vm036 > > \ / | > > vm175 | > > / \ | > > vm127 vm244 > > > > I was able to remove node vm175 from node vm244: > > > > [17:54:48]ofayans at vm-244:~]$ ipa-replica-manage del > > vm-175.idm.lab.eng.brq.redhat.com > > Topology after removal of vm-175.idm.lab.eng.brq.redhat.com will be > > disconnected: > > Server vm-036.idm.lab.eng.brq.redhat.com can't contact servers: > > vm-056.idm.lab.eng.brq.redhat.com, vm-127.idm.lab.eng.brq.redhat.com > > Server vm-056.idm.lab.eng.brq.redhat.com can't contact servers: > > vm-244.idm.lab.eng.brq.redhat.com, vm-036.idm.lab.eng.brq.redhat.com, > > vm-127.idm.lab.eng.brq.redhat.com > > Server vm-127.idm.lab.eng.brq.redhat.com can't contact servers: > > vm-244.idm.lab.eng.brq.redhat.com, vm-056.idm.lab.eng.brq.redhat.com, > > vm-036.idm.lab.eng.brq.redhat.com > > Server vm-244.idm.lab.eng.brq.redhat.com can't contact servers: > > vm-056.idm.lab.eng.brq.redhat.com, vm-127.idm.lab.eng.brq.redhat.com > > Continue to delete? 
[no]: yes > > Waiting for removal of replication agreements > > unexpected error: limits exceeded for this query > > > > I would expect this operation to delete 4 replication agreements on > > all nodes: > > vm056 - vm175 > > vm127 - vm175 > > vm244 - vm175 > > vm036 - vm175 > > > > However an arbitrary set of replication agreements was deleted on each > > node leading to total infrastructure inconsistency: > > =============================================================== > > vm056**thought the topology was as follows: > > vm056 vm036 > > / | > > vm175 | > > / \ | > > vm127 vm244 > > [10:28:55]ofayans at vm-056:~]$ ipa topologysegment-find realm > > ------------------ > > 4 segments matched > > ------------------ > > Segment name: 036-to-244 > > Left node: vm-036.idm.lab.eng.brq.redhat.com > > Right node: vm-244.idm.lab.eng.brq.redhat.com > > Connectivity: both > > > > Segment name: > > vm-036.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com > > Left node: vm-036.idm.lab.eng.brq.redhat.com > > Right node: vm-175.idm.lab.eng.brq.redhat.com > > Connectivity: both > > > > Segment name: > > vm-127.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com > > Left node: vm-127.idm.lab.eng.brq.redhat.com > > Right node: vm-175.idm.lab.eng.brq.redhat.com > > Connectivity: both > > > > Segment name: > > vm-175.idm.lab.eng.brq.redhat.com-to-vm-244.idm.lab.eng.brq.redhat.com > > Left node: vm-175.idm.lab.eng.brq.redhat.com > > Right node: vm-244.idm.lab.eng.brq.redhat.com > > Connectivity: both > > ---------------------------- > > Number of entries returned 4 > > ---------------------------- > > =============================================================== > > both vm036**vm244 thought the topology was as follows: > > vm056 vm036 > > \ | > > vm175 | > > / | > > vm127 vm244 > > > > [10:26:23]ofayans at vm-036:~]$ ipa topologysegment-find > > Suffix name: realm > > ------------------ > > 3 segments matched > > ------------------ > > Segment name: 
036-to-244 > > Left node: vm-036.idm.lab.eng.brq.redhat.com > > Right node: vm-244.idm.lab.eng.brq.redhat.com > > Connectivity: both > > > > Segment name: > > vm-056.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com > > Left node: vm-056.idm.lab.eng.brq.redhat.com > > Right node: vm-175.idm.lab.eng.brq.redhat.com > > Connectivity: both > > > > Segment name: > > vm-127.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com > > Left node: vm-127.idm.lab.eng.brq.redhat.com > > Right node: vm-175.idm.lab.eng.brq.redhat.com > > Connectivity: both > > ---------------------------- > > Number of entries returned 3 > > ---------------------------- > > > > =============================================================== > > **vm127 thought the topology was as follows: > > vm056 vm036 > > \ / | > > vm175 | > > \ | > > vm127 vm244 > > > > [10:31:08]ofayans at vm-127:~]$ ipa topologysegment-find realm > > ------------------ > > 4 segments matched > > ------------------ > > Segment name: 036-to-244 > > Left node: vm-036.idm.lab.eng.brq.redhat.com > > Right node: vm-244.idm.lab.eng.brq.redhat.com > > Connectivity: both > > > > Segment name: > > vm-036.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com > > Left node: vm-036.idm.lab.eng.brq.redhat.com > > Right node: vm-175.idm.lab.eng.brq.redhat.com > > Connectivity: both > > > > Segment name: > > vm-056.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com > > Left node: vm-056.idm.lab.eng.brq.redhat.com > > Right node: vm-175.idm.lab.eng.brq.redhat.com > > Connectivity: both > > > > Segment name: > > vm-175.idm.lab.eng.brq.redhat.com-to-vm-244.idm.lab.eng.brq.redhat.com > > Left node: vm-175.idm.lab.eng.brq.redhat.com > > Right node: vm-244.idm.lab.eng.brq.redhat.com > > Connectivity: both > > ---------------------------- > > Number of entries returned 4 > > ---------------------------- > > > > If I, for example, add a segment connecting vm127 and vm244, these two > > nodes will not 
synchronize the topology info: > > > > [10:51:03]ofayans at vm-127:~]$ ipa topologysegment-add realm 127-to-244 > > --leftnode=vm-127.idm.lab.eng.brq.redhat.com > > --rightnode=vm-244.idm.lab.eng.brq.redhat.com --direction=both > > -------------------------- > > Added segment "127-to-244" > > -------------------------- > > Segment name: 127-to-244 > > Left node: vm-127.idm.lab.eng.brq.redhat.com > > Right node: vm-244.idm.lab.eng.brq.redhat.com > > Connectivity: both > > [10:53:33]ofayans at vm-127:~]$ ipa topologysegment-find realm > > ------------------ > > 5 segments matched > > ------------------ > > Segment name: 036-to-244 > > Left node: vm-036.idm.lab.eng.brq.redhat.com > > Right node: vm-244.idm.lab.eng.brq.redhat.com > > Connectivity: both > > > > Segment name: 127-to-244 > > Left node: vm-127.idm.lab.eng.brq.redhat.com > > Right node: vm-244.idm.lab.eng.brq.redhat.com > > Connectivity: both > > > > Segment name: > > vm-036.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com > > Left node: vm-036.idm.lab.eng.brq.redhat.com > > Right node: vm-175.idm.lab.eng.brq.redhat.com > > Connectivity: both > > > > Segment name: > > vm-056.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com > > Left node: vm-056.idm.lab.eng.brq.redhat.com > > Right node: vm-175.idm.lab.eng.brq.redhat.com > > Connectivity: both > > > > Segment name: > > vm-175.idm.lab.eng.brq.redhat.com-to-vm-244.idm.lab.eng.brq.redhat.com > > Left node: vm-175.idm.lab.eng.brq.redhat.com > > Right node: vm-244.idm.lab.eng.brq.redhat.com > > Connectivity: both > > ---------------------------- > > Number of entries returned 5 > > ---------------------------- > > [10:54:02]ofayans at vm-127:~]$ > > > > ============================================================= > > > > [10:49:38]ofayans at vm-244:~]$ ipa topologysegment-find realm > > ------------------ > > 3 segments matched > > ------------------ > > Segment name: 036-to-244 > > Left node: vm-036.idm.lab.eng.brq.redhat.com > > 
Right node: vm-244.idm.lab.eng.brq.redhat.com > > Connectivity: both > > > > Segment name: 127-to-244 > > Left node: vm-127.idm.lab.eng.brq.redhat.com > > Right node: vm-244.idm.lab.eng.brq.redhat.com > > Connectivity: both > > > > Segment name: > > vm-056.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com > > Left node: vm-056.idm.lab.eng.brq.redhat.com > > Right node: vm-175.idm.lab.eng.brq.redhat.com > > Connectivity: both > > ---------------------------- > > Number of entries returned 3 > > ---------------------------- > > [10:56:34]ofayans at vm-244:~]$ > > > > Conclusion: > > We either should completely prohibit the removal of the middle nodes > > (I mean, nodes that hide another active nodes), > > or at the removal stage first recalculate the resulting topology and > > send it to all nodes before actual removal. > > -- > > Oleg Fayans > > Quality Engineer > > FreeIPA team > > RedHat. > > > > > -- Simo Sorce * Red Hat, Inc * New York From simo at redhat.com Wed Jun 24 19:07:38 2015 From: simo at redhat.com (Simo Sorce) Date: Wed, 24 Jun 2015 15:07:38 -0400 Subject: [Freeipa-devel] Topology: Central node removal in star topology In-Reply-To: <1435172486.16474.95.camel@willson.usersys.redhat.com> References: <558A729F.1030307@redhat.com> <558A7798.8020000@redhat.com> <1435172486.16474.95.camel@willson.usersys.redhat.com> Message-ID: <1435172858.22563.0.camel@willson.usersys.redhat.com> On Wed, 2015-06-24 at 15:01 -0400, Simo Sorce wrote: > > No, but a --force should be needed. > Without a --force option we should not allow to remove a replica > completely from another one. I meant to add: if that action breaks the topology. I think it is ""ok"" if we are removing a leaf from a central node. Simo. -- Simo Sorce * Red Hat, Inc * New York From mkosek at redhat.com Thu Jun 25 04:04:00 2015 
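The "Topology after removal ... will be disconnected" warning quoted above, and the topology resolver Simo describes, come down to a connected-components check over the segment graph. The block below is an added example written for this thread, not FreeIPA's topology plugin or ipa-replica-manage code: it takes the five segments from Oleg's topologysegment-find output (host names shortened to the ones in his diagram, every segment bidirectional as in his output), drops the segments that would go away with the removed replica, reports for each remaining server which servers it could no longer reach, and lists the segments that would reconnect the pieces. The function names are my own; it also shows the leaf case (removing vm056) that Simo's follow-up calls acceptable, where no warning is produced.

```python
"""Added example (not FreeIPA's topology plugin): connectivity check that
reproduces the shape of the ipa-replica-manage disconnection warning
quoted in this thread, and suggests segments that would reconnect the
remaining replicas."""
from collections import deque

# Constructed from the segments listed in Oleg's topologysegment-find
# output, with host names shortened to the ones in his diagram.
# Every segment has connectivity "both", so edges are undirected.
SEGMENTS = [
    ("vm036", "vm244"),
    ("vm036", "vm175"),
    ("vm056", "vm175"),
    ("vm127", "vm175"),
    ("vm175", "vm244"),
]


def all_servers(segments):
    """Every host named on either end of a segment."""
    return {server for segment in segments for server in segment}


def build_graph(segments, removed=None):
    """Adjacency sets for the servers that remain after `removed` is gone.
    Segments touching the removed replica disappear together with its
    replication agreements; servers whose only segment went to it stay
    in the graph as isolated nodes."""
    graph = {server: set() for server in all_servers(segments) - {removed}}
    for left, right in segments:
        if removed in (left, right):
            continue
        graph[left].add(right)
        graph[right].add(left)
    return graph


def components(graph):
    """Connected components as sorted lists, ordered by smallest member
    so the output is deterministic (breadth-first search)."""
    seen = set()
    result = []
    for start in sorted(graph):
        if start in seen:
            continue
        comp = {start}
        queue = deque([start])
        while queue:
            node = queue.popleft()
            for neighbour in graph[node]:
                if neighbour not in comp:
                    comp.add(neighbour)
                    queue.append(neighbour)
        seen |= comp
        result.append(sorted(comp))
    return result


def unreachable_after_removal(segments, removed):
    """Map each remaining server to the sorted list of remaining servers it
    could no longer replicate with. Empty when the topology stays
    connected, which is what happens when a leaf is removed."""
    graph = build_graph(segments, removed)
    remaining = set(graph)
    gaps = {}
    for comp in components(graph):
        missing = sorted(remaining - set(comp))
        if missing:
            for server in comp:
                gaps[server] = missing
    return dict(sorted(gaps.items()))


def removal_warning(segments, removed):
    """Text in the shape of the warning quoted in the thread, or None when
    the removal leaves every remaining server reachable."""
    gaps = unreachable_after_removal(segments, removed)
    if not gaps:
        return None
    lines = ["Topology after removal of %s will be disconnected:" % removed]
    for server, missing in gaps.items():
        lines.append("Server %s can't contact servers: %s"
                     % (server, ", ".join(missing)))
    return "\n".join(lines)


def reconnect_suggestions(segments, removed):
    """Segments that would join every isolated piece back to the first
    one: one new segment per extra component, the minimal repair a
    topology resolver could offer the admin."""
    comps = components(build_graph(segments, removed))
    return [(comps[0][0], other[0]) for other in comps[1:]]


if __name__ == "__main__":
    print(removal_warning(SEGMENTS, "vm175"))        # central node: split
    print(reconnect_suggestions(SEGMENTS, "vm175"))  # how to heal it
    print(removal_warning(SEGMENTS, "vm056"))        # leaf: None
```

Removing vm175 yields the same four "can't contact" lines as Oleg's session (in sorted order), and the suggested repairs are new segments vm036-vm056 and vm036-vm127; removing the leaf vm056 yields no warning at all. A real resolver would run this over the segment entries replicated to each server, which is exactly what the thread shows diverging once the central node is gone.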
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 25 Jun 2015 09:34:00 +0530
Subject: [Freeipa-devel] python-kdcproxy > 0.3
In-Reply-To: <558AB560.1040104@redhat.com>
References: <558AB560.1040104@redhat.com>
Message-ID: <558B7DB0.2020208@redhat.com>

On 06/24/2015 07:19 PM, Christian Heimes wrote:
> Hi,
>
> today my patch for Kerberos over HTTP landed in FreeIPA. It introduces a
> new dependency on python-kdcproxy > 0.3. The package is not yet
> available from the official repositories. You can download it from Koji:
>
> http://koji.fedoraproject.org/koji/packageinfo?packageID=19292
>
> F21 builds are currently broken. The tox.ini uses a feature that is not
> supported by tox < 1.8. Fedora 21 has tox 1.7.1. I've submitted an
> upstream fix:
>
> https://github.com/npmccallum/kdcproxy/pull/19
>
> I'm sorry for any inconvenience!
> Christian

We need to make sure it is at least in
https://copr.fedoraproject.org/coprs/mkosek/freeipa-4.2/builds/
https://copr.fedoraproject.org/coprs/mkosek/freeipa-master/builds/

I started the COPR builds based on the F22 SRPMs.

From jcholast at redhat.com Thu Jun 25 05:35:48 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 25 Jun 2015 07:35:48 +0200
Subject: [Freeipa-devel] [PATCH] Password vault
In-Reply-To: <5588D21A.1020104@redhat.com>
References: <54E1AF55.3060409@redhat.com> <54EBEB55.6010306@redhat.com> <54F96B22.9050507@redhat.com> <55004D5D.6060300@redhat.com> <550FE5EB.1070606@redhat.com> <551E0AE1.8040500@redhat.com> <553498D1.1020901@redhat.com> <55651209.8020000@redhat.com> <556558AA.6040107@redhat.com> <556CF209.7050404@redhat.com> <556EF05E.90103@redhat.com> <55719260.8080300@redhat.com> <5571FD75.5010708@redhat.com> <557568CB.3040503@redhat.com> <557756EE.8020507@redhat.com> <5577D581.1020800@redhat.com> <557E7D21.2040304@redhat.com> <557F5998.2000103@redhat.com> <55811463.8050802@redhat.com> <5588D21A.1020104@redhat.com>
Message-ID: <558B9334.8030104@redhat.com>

On 23.6.2015 at 05:27, Endi Sukma Dewata wrote:
> Please take a look at the new patch.
>
> On 6/17/2015 1:32 AM, Jan Cholasta wrote:
>>>> I think it would be better to use a new attribute type which inherits
>>>> from ipaPublicKey (ipaVaultPublicKey?) rather than ipaPublicKey
>>>> directly
>>>> for asymmetric vault public keys, so that asymmetric public key and
>>>> escrow public key are on the same level and you can still use
>>>> ipaPublicKey to refer to either one:
>>>>
>>>> ipaPublicKey
>>>>   ipaVaultPublicKey
>>>>   ipaEscrowPublicKey
>>>>
>>> OK. To be consistent the parameters need to be renamed too:
>>> --vault-public-key and --vault-public-key-file.
>>
>> It doesn't need to, there is no requirement for CLI names to always
>> match attribute names. (Also I don't insist on the name
>> "ipaVaultPublicKey", feel free to change it if you want.)
>
> It's unchanged for now. In a previous discussion it was advised to reuse
> the existing attribute type whenever possible.

Well, in this discussion, it is not. Escrow public key should also reuse ipaPublicKey, but it can't if you use it for vault public key. By using ipaPublicKey subtypes you can distinguish between the two uses and still use ipaPublicKey to refer to either of them.

>
>>>>>> 1. The vault_add was split into a client-side vault_add and
>>>>>> server-side
>>>>>> vault_add_internal since the parameters are different (i.e. public
>>>>>> key file and
>>>>>> future escrow-related params). Since vault_add inherits from Local
>>>>>> all
>>>>>> non-primary-key attributes have to be added explicitly.
>>>>
>>>> The split is not really necessary, since the only difference is the
>>>> public_key_file option, which exists only because of the lack of proper
>>>> file support in the framework. This is a different situation from
>>>> vault_{archive,retrieve}, which has two different sets of options on
>>>> client and server side. Escrow adds only ipaescrowpublickey and
>>>> escrow_public_key_file, right? If yes, we can safely keep the
>>>> command in
>>>> a single piece.
>>>
>>> We know the vault-add will have at least two client-only parameters:
>>> vault_public_key_file and escrow_public_key_file. Keeping these
>>> parameters on the server API would be wrong and confusing. If the API is
>>> called on the server side with vault_public_key_file the operation will
>>> fail. In the previous discussion you considered this as broken API:
>>>
>>>> Server API is used not only by the server itself, but also by
>>>> installers
>>>> for example. Anyway the point is that there *can't* be a broken API
>>>> like
>>>> this, you should at least raise an error if the command is called from
>>>> server API, although actually separating it into client and server
>>>> parts
>>>> would be preferable.
>>
>> You are comparing apples and oranges:
>
> Non-identical items are different by definition. Even between 2 apples
> there are differences, but it doesn't mean the distinction is important.
> The latest patch shows that the vault_add needs to be split, not just
> because of the options, but because of what they do differently on the
> client and server.
>
>> a) When the non-split vault_{archive,retrieve} was called from a
>> server API with client-only options, it crashed. This is the broken API
>> I was talking about.
>
> This is because in the current framework any API called on the server
> side will be a server API, so you are not supposed to call it with
> client options in the first place. Because of that limitation, the only
> way to use client options is to use a separate API on the client side to
> call the original API on the server side. The point is, client options
> belong to client API, and server options belong to server API. In
> vault_add the public key file name belongs to client API because it's
> used to load a file on the client side. You should not add public key
> file name option to the server API just because it can safely be ignored.

I don't disagree, but file name options do not belong to the general client API either, as they are strictly CLI-specific.

>
>> b) The non-split vault_{archive,retrieve} had server-only options,
>> which were also accepted on client, but setting them had no effect.
>
> Similarly, in a combined vault_add the public key file name option will
> be accepted by the server, but it will be ignored. If something calls
> vault_add on the server side and provides a file name, the operation
> will crash too because the command expects the public key data to be
> provided via another option. Splitting the vault_add into client and
> server components avoids the potential problems.
>
>> c) The CLI options to read param values from files should be generated
>> by the framework without having to specify dummy params. Once this is
>> implemented, the dummy params will go away. However, this will still
>> leave some client-only options in vault_{archive,retrieve}.
>
> I'm not sure how the options will look when that's implemented, but
> regardless, the vault_add will still have client-only password option.
>
>> None of the above applies to vault_add - it does not have any
>> server-only options and the only client-only options it has are the
>> dummy options for file input, which are ignored on the server.
>
> Let's not get fixated with just the options. The vault_add will now
> archive a blank initial data as it was originally designed. The data can
> be used later to verify the vault password in subsequent archival
> operations. The vault_archive must be called by vault_add's client
> component since it takes a password and the password cannot be sent to
> the server.

OK, the password option and related stuff is a good reason to split the command.

>
>>> Also, originally the vault was designed like this: when you create a
>>> symmetric vault you're supposed to specify the password as well, similar
>>> to adding a public key when creating an asymmetric vault. When you
>>> archive, you're supposed to enter the same password for verification,
>>> not a new password. So it would look like this:
>>>
>>> $ ipa vault-add test --type symmetric
>>> New password: ********
>>> Verify password: ********
>>>
>>> $ ipa vault-archive test --in secret1.txt
>>> Password: ******** (same password)
>>>
>>> $ ipa vault-archive test --in secret2.txt
>>> Password: ******** (same password)
>>>
>>> In the original design the vault-add would also archive a blank data,
>>> which later could be used to verify the password during vault-archive by
>>> decrypting the existing data first. There's also a plan to add a
>>> mechanism to change the password after the ACL patch.
>>>
>>> In the current design the vault-add doesn't archive anything, so during
>>> vault-archive it cannot verify the password because there is nothing to
>>> decrypt. In other words you can specify different passwords on each
>>> archival, regardless of previous archivals:
>>>
>>> $ ipa vault-add test --type symmetric
>>>
>>> $ ipa vault-archive test --in secret1.txt
>>> New password: ********
>>> Verify password: ********
>>>
>>> $ ipa vault-archive test --in secret2.txt
>>> New password: ********
>>> Verify password: ********
>>>
>>> So basically here are the options:
>>>
>>> 1. Specify the crypto parameters once during vault creation, then
>>> reuse/verify the parameters on each archival & retrieval. You can change
>>> the parameters only with a special command.
>>>
>>> 2. Don't specify the crypto parameters during vault creation, but
>>> specify new parameters on each archival. For retrieval you'd have to
>>> use/verify the parameters specified in the last archival.
>>>
>>> I think the first one makes more sense and is easier to use. That also
>>> means the vault-add will have additional client-only parameters such as
>>> --password and --password-file.
>>
>> How come --password is client-side? When setting password for a user,
>> the password is sent to the server. If it's OK for users, why is it not
>> OK for vaults?
>
> Please see the sequence diagram in the vault design page. Vault password
> is used by the user to encrypt the secret before it's sent to the
> server. The server is not supposed to know the vault password. I'm not
> sure exactly how the user password is used, but I suppose the crypto
> operation is done on the server side.
>
>> Does the password need to be set in vault_add? Why not have a separate
>> command for setting the password, like what we have for users?
>
> No. Vault password is not stored on the server. It's only used to
> generate encryption key on the client side, and the password & key will
> be discarded immediately after each use. That's why you have to specify
> the password on each archival & retrieval.

OK, makes sense.

>
>>>>>> 2. Since the vault_archive_internal inherits from Update, it accepts
>>>>>> all non
>>>>>> primary-key attributes automatically. This is incorrect since we
>>>>>> don't want to
>>>>>> update these parameters during archival. Can this behavior be
>>>>>> overridden?
>>>>
>>>> Inherit from PKQuery instead (don't forget to add "has_output =
>>>> output.standard_entry").
>>>
>>> Previously you didn't want to use LDAPQuery because of semantic
>>> reasons. Is PKQuery fine semantically?
>>
>> It's not. Currently there is a set of commands which operate on the LDAP
>> part of vault and another set of commands which operate on the KRA part
>> of vault and we don't want the commands in one set to see attributes
>> related to the other part of vault. If you insist on keeping both parts
>> in a single object, you have to resort to hackery like using PKQuery,
>> hence my suggestion to split the data part off to a separate object to
>> avoid this.
>
> This is because the framework was based on simplistic assumptions which
> create unnecessary restrictions, for example:
> * client API is just a proxy to server API (i.e. client and server
> cannot do different things)

They can do different things the same way vault_archive/vault_retrieve does that, the commands just can't be called the same (which is not necessarily a bad thing).

> * CLI options will be identical to client and server API options (i.e.
> no CLI-only, client-only, or server-only options)

Actually, you can create CLI-only options (add include='cli' to the param's kwargs).

> * a plugin will only access one type of data (i.e. LDAP plugin can only
> access LDAP data)

This is not assumed anywhere in the framework, you can access whatever you want, but you can't expect baseldap to do everything for you. As the name implies, it is LDAP specific, if you want something else, you have to implement it yourself.

> * a command name will match the object name (i.e. must use vaultdata_mod
> instead of a more intuitive vault_archive)

I don't see how consistency is a bad thing, or how this could limit anyone doing things cleanly. I do agree that vaultdata_mod is ugly, but it's not the only way to achieve the same goal.

>
> We know that some use cases do not fit these assumptions. Rather than
> compromising the use case, or looking at workarounds as hacks, I'd
> suggest finding ideas to improve the framework itself to be more
> accommodating.

I would personally love to improve the framework (it's just retarded sometimes as you may have noticed), but it does not have high priority right now (not my decision). Keep in mind that workarounds which screw with the object model will always be considered hacks, even after the framework is made more accommodating.

>
>>> Why not use LDAPQuery since vault
>>> is an LDAPObject?
>>
>> Because you are retrieving data from KRA, not from LDAP.
>
> The vault archive and retrieve do actually retrieve the vault LDAP entry
> first, then perform the KRA archival/retrieval after that. Right now
> they use vault_show to do the LDAP retrieval, but in the old patch it
> was implemented as LDAPRetrieve. Regardless, they are retrieving both
> LDAP and KRA data.
>
>>> And to be consistent should vault_retrieve_internal
>>> inherit from the same class?
>>
>> It could, but it's not necessary.
>
> Changed for consistency.
>

--
Jan Cholasta

From lkrispen at redhat.com Thu Jun 25 06:52:28 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Thu, 25 Jun 2015 08:52:28 +0200
Subject: [Freeipa-devel] Topology: Central node removal in star topology
In-Reply-To: <1435172486.16474.95.camel@willson.usersys.redhat.com>
References: <558A729F.1030307@redhat.com> <558A7798.8020000@redhat.com> <1435172486.16474.95.camel@willson.usersys.redhat.com>
Message-ID: <558BA52C.2020408@redhat.com>

On 06/24/2015 09:01 PM, Simo Sorce wrote:
> On Wed, 2015-06-24 at 11:25 +0200, Ludwig Krispenz wrote:
>> Oleg,
>>
>> the topology plugin relies on existing connection between servers which
>> remain in a topology. If you remove a central node in your topology you
>> are asking for trouble.
>> With Petr's patch it warns you that your topology will be disconnected,
>> and if you insist we cannot guarantee anything.
>> should we completely prohibit this ?
> No, but a --force should be needed.
> Without a --force option we should not allow to remove a replica
> completely from another one.
>
>> I don't know, I think you could
>> also enforce an uninstall of vm175 with probably the same result.
>> what you mean by calculating the remaining topology and send it to the
>> remaining servers does not work, it would require to send a removal of a
>> segment, which would be rejected.
> You would have to connect to each replica that has a replication
> agreement with vm175 and remove the segment from that replica. But it
> wouldn't really help much as once a replica is isolated from the central
> one, it will not see the other operations going on in other replicas.
>
> Once we have a topology resolver we will be able to warn that removing a
> specific replica will cause a split brain and make very loud warnings

we have this already, see the output of Oleg's example:

ipa-replica-manage del vm-175.idm.lab.eng.brq.redhat.com
Topology after removal of vm-175.idm.lab.eng.brq.redhat.com will be disconnected:
Server vm-036.idm.lab.eng.brq.redhat.com can't contact servers: vm-056.idm.lab.eng.brq.redhat.com, vm-127.idm.lab.eng.brq.redhat.com
Server vm-056.idm.lab.eng.brq.redhat.com can't contact servers: vm-244.idm.lab.eng.brq.redhat.com, vm-036.idm.lab.eng.brq.redhat.com, vm-127.idm.lab.eng.brq.redhat.com
Server vm-127.idm.lab.eng.brq.redhat.com can't contact servers: vm-244.idm.lab.eng.brq.redhat.com, vm-056.idm.lab.eng.brq.redhat.com, vm-036.idm.lab.eng.brq.redhat.com
Server vm-244.idm.lab.eng.brq.redhat.com can't contact servers: vm-056.idm.lab.eng.brq.redhat.com, vm-127.idm.lab.eng.brq.redhat.com
Continue to delete? [no]: yes

it tells you that the topology gets disconnected and which connections will be missing, the continue yes/no is the --force, the question was, should we allow a force in this situation ?

>> More interesting would be if we can heal this later by adding new segments.
> Indeed, reconnecting all the severed replicas should cause all the
> removals (segments or servers) to be replicated among servers and should
> bring back the topology view in a consistent state. But not until all
> servers are reconnected and replication has started again.

This healing can also be required without forcing removal by an admin. If you have a star topology and your central node goes down and is not recoverable

>
> Simo.
>
>
>> Ludwig
>> On 06/24/2015 11:04 AM, Oleg Fayans wrote:
>>> Hi everybody,
>>>
>>> Current implementation of topology plugin (including patch 878 from
>>> Petr) allows the deletion of the central node in the star topology.
>>> I had the following topology: >>> >>> vm056 vm036 >>> \ / | >>> vm175 | >>> / \ | >>> vm127 vm244 >>> >>> I was able to remove node vm175 from node vm244: >>> >>> [17:54:48]ofayans at vm-244:~]$ ipa-replica-manage del >>> vm-175.idm.lab.eng.brq.redhat.com >>> Topology after removal of vm-175.idm.lab.eng.brq.redhat.com will be >>> disconnected: >>> Server vm-036.idm.lab.eng.brq.redhat.com can't contact servers: >>> vm-056.idm.lab.eng.brq.redhat.com, vm-127.idm.lab.eng.brq.redhat.com >>> Server vm-056.idm.lab.eng.brq.redhat.com can't contact servers: >>> vm-244.idm.lab.eng.brq.redhat.com, vm-036.idm.lab.eng.brq.redhat.com, >>> vm-127.idm.lab.eng.brq.redhat.com >>> Server vm-127.idm.lab.eng.brq.redhat.com can't contact servers: >>> vm-244.idm.lab.eng.brq.redhat.com, vm-056.idm.lab.eng.brq.redhat.com, >>> vm-036.idm.lab.eng.brq.redhat.com >>> Server vm-244.idm.lab.eng.brq.redhat.com can't contact servers: >>> vm-056.idm.lab.eng.brq.redhat.com, vm-127.idm.lab.eng.brq.redhat.com >>> Continue to delete? 
[no]: yes >>> Waiting for removal of replication agreements >>> unexpected error: limits exceeded for this query >>> >>> I would expect this operation to delete 4 replication agreements on >>> all nodes: >>> vm056 - vm175 >>> vm127 - vm175 >>> vm244 - vm175 >>> vm036 - vm175 >>> >>> However an arbitrary set of replication agreements was deleted on each >>> node leading to total infrastructure inconsistency: >>> =============================================================== >>> vm056**thought the topology was as follows: >>> vm056 vm036 >>> / | >>> vm175 | >>> / \ | >>> vm127 vm244 >>> [10:28:55]ofayans at vm-056:~]$ ipa topologysegment-find realm >>> ------------------ >>> 4 segments matched >>> ------------------ >>> Segment name: 036-to-244 >>> Left node: vm-036.idm.lab.eng.brq.redhat.com >>> Right node: vm-244.idm.lab.eng.brq.redhat.com >>> Connectivity: both >>> >>> Segment name: >>> vm-036.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com >>> Left node: vm-036.idm.lab.eng.brq.redhat.com >>> Right node: vm-175.idm.lab.eng.brq.redhat.com >>> Connectivity: both >>> >>> Segment name: >>> vm-127.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com >>> Left node: vm-127.idm.lab.eng.brq.redhat.com >>> Right node: vm-175.idm.lab.eng.brq.redhat.com >>> Connectivity: both >>> >>> Segment name: >>> vm-175.idm.lab.eng.brq.redhat.com-to-vm-244.idm.lab.eng.brq.redhat.com >>> Left node: vm-175.idm.lab.eng.brq.redhat.com >>> Right node: vm-244.idm.lab.eng.brq.redhat.com >>> Connectivity: both >>> ---------------------------- >>> Number of entries returned 4 >>> ---------------------------- >>> =============================================================== >>> both vm036**vm244 thought the topology was as follows: >>> vm056 vm036 >>> \ | >>> vm175 | >>> / | >>> vm127 vm244 >>> >>> [10:26:23]ofayans at vm-036:~]$ ipa topologysegment-find >>> Suffix name: realm >>> ------------------ >>> 3 segments matched >>> ------------------ >>> Segment name: 
036-to-244 >>> Left node: vm-036.idm.lab.eng.brq.redhat.com >>> Right node: vm-244.idm.lab.eng.brq.redhat.com >>> Connectivity: both >>> >>> Segment name: >>> vm-056.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com >>> Left node: vm-056.idm.lab.eng.brq.redhat.com >>> Right node: vm-175.idm.lab.eng.brq.redhat.com >>> Connectivity: both >>> >>> Segment name: >>> vm-127.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com >>> Left node: vm-127.idm.lab.eng.brq.redhat.com >>> Right node: vm-175.idm.lab.eng.brq.redhat.com >>> Connectivity: both >>> ---------------------------- >>> Number of entries returned 3 >>> ---------------------------- >>> >>> =============================================================== >>> **vm127 thought the topology was as follows: >>> vm056 vm036 >>> \ / | >>> vm175 | >>> \ | >>> vm127 vm244 >>> >>> [10:31:08]ofayans at vm-127:~]$ ipa topologysegment-find realm >>> ------------------ >>> 4 segments matched >>> ------------------ >>> Segment name: 036-to-244 >>> Left node: vm-036.idm.lab.eng.brq.redhat.com >>> Right node: vm-244.idm.lab.eng.brq.redhat.com >>> Connectivity: both >>> >>> Segment name: >>> vm-036.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com >>> Left node: vm-036.idm.lab.eng.brq.redhat.com >>> Right node: vm-175.idm.lab.eng.brq.redhat.com >>> Connectivity: both >>> >>> Segment name: >>> vm-056.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com >>> Left node: vm-056.idm.lab.eng.brq.redhat.com >>> Right node: vm-175.idm.lab.eng.brq.redhat.com >>> Connectivity: both >>> >>> Segment name: >>> vm-175.idm.lab.eng.brq.redhat.com-to-vm-244.idm.lab.eng.brq.redhat.com >>> Left node: vm-175.idm.lab.eng.brq.redhat.com >>> Right node: vm-244.idm.lab.eng.brq.redhat.com >>> Connectivity: both >>> ---------------------------- >>> Number of entries returned 4 >>> ---------------------------- >>> >>> If I, for example, add a segment connecting vm127 and vm244, these two >>> nodes will not 
synchronize the topology info: >>> >>> [10:51:03]ofayans at vm-127:~]$ ipa topologysegment-add realm 127-to-244 >>> --leftnode=vm-127.idm.lab.eng.brq.redhat.com >>> --rightnode=vm-244.idm.lab.eng.brq.redhat.com --direction=both >>> -------------------------- >>> Added segment "127-to-244" >>> -------------------------- >>> Segment name: 127-to-244 >>> Left node: vm-127.idm.lab.eng.brq.redhat.com >>> Right node: vm-244.idm.lab.eng.brq.redhat.com >>> Connectivity: both >>> [10:53:33]ofayans at vm-127:~]$ ipa topologysegment-find realm >>> ------------------ >>> 5 segments matched >>> ------------------ >>> Segment name: 036-to-244 >>> Left node: vm-036.idm.lab.eng.brq.redhat.com >>> Right node: vm-244.idm.lab.eng.brq.redhat.com >>> Connectivity: both >>> >>> Segment name: 127-to-244 >>> Left node: vm-127.idm.lab.eng.brq.redhat.com >>> Right node: vm-244.idm.lab.eng.brq.redhat.com >>> Connectivity: both >>> >>> Segment name: >>> vm-036.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com >>> Left node: vm-036.idm.lab.eng.brq.redhat.com >>> Right node: vm-175.idm.lab.eng.brq.redhat.com >>> Connectivity: both >>> >>> Segment name: >>> vm-056.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com >>> Left node: vm-056.idm.lab.eng.brq.redhat.com >>> Right node: vm-175.idm.lab.eng.brq.redhat.com >>> Connectivity: both >>> >>> Segment name: >>> vm-175.idm.lab.eng.brq.redhat.com-to-vm-244.idm.lab.eng.brq.redhat.com >>> Left node: vm-175.idm.lab.eng.brq.redhat.com >>> Right node: vm-244.idm.lab.eng.brq.redhat.com >>> Connectivity: both >>> ---------------------------- >>> Number of entries returned 5 >>> ---------------------------- >>> [10:54:02]ofayans at vm-127:~]$ >>> >>> ============================================================= >>> >>> [10:49:38]ofayans at vm-244:~]$ ipa topologysegment-find realm >>> ------------------ >>> 3 segments matched >>> ------------------ >>> Segment name: 036-to-244 >>> Left node: vm-036.idm.lab.eng.brq.redhat.com >>> 
>>> Right node: vm-244.idm.lab.eng.brq.redhat.com
>>> Connectivity: both
>>>
>>> Segment name: 127-to-244
>>> Left node: vm-127.idm.lab.eng.brq.redhat.com
>>> Right node: vm-244.idm.lab.eng.brq.redhat.com
>>> Connectivity: both
>>>
>>> Segment name:
>>> vm-056.idm.lab.eng.brq.redhat.com-to-vm-175.idm.lab.eng.brq.redhat.com
>>> Left node: vm-056.idm.lab.eng.brq.redhat.com
>>> Right node: vm-175.idm.lab.eng.brq.redhat.com
>>> Connectivity: both
>>> ----------------------------
>>> Number of entries returned 3
>>> ----------------------------
>>> [10:56:34]ofayans at vm-244:~]$
>>>
>>> Conclusion:
>>> We either should completely prohibit the removal of the middle nodes
>>> (I mean, nodes that hide other active nodes),
>>> or at the removal stage first recalculate the resulting topology and
>>> send it to all nodes before actual removal.
>>> --
>>> Oleg Fayans
>>> Quality Engineer
>>> FreeIPA team
>>> RedHat.
>>>
>>> >

From cheimes at redhat.com Thu Jun 25 07:34:50 2015
From: cheimes at redhat.com (Christian Heimes)
Date: Thu, 25 Jun 2015 09:34:50 +0200
Subject: [Freeipa-devel] python-kdcproxy > 0.3
In-Reply-To: <558B7DB0.2020208@redhat.com>
References: <558AB560.1040104@redhat.com> <558B7DB0.2020208@redhat.com>
Message-ID: <558BAF1A.20408@redhat.com>

On 2015-06-25 06:04, Martin Kosek wrote:
> We need to make sure it is at least in
>
> https://copr.fedoraproject.org/coprs/mkosek/freeipa-4.2/builds/
> https://copr.fedoraproject.org/coprs/mkosek/freeipa-master/builds/
>
> I started the COPR builds based on the F22 SRPMs.

Thanks Martin!

You can easily build a F21 RPM with a small modification. You can either disable the %check block and remove the "tox" call from the spec file, or you could include my patch. The code is fine. It is really just a small incompatibility in the test code.

Apropos tests, let's talk about CI for python-kdcproxy when you are back in Brno.

Christian

From pvoborni at redhat.com Thu Jun 25 07:53:15 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 25 Jun 2015 09:53:15 +0200
Subject: [Freeipa-devel] Topology: Central node removal in star topology
In-Reply-To: <558BA52C.2020408@redhat.com>
References: <558A729F.1030307@redhat.com> <558A7798.8020000@redhat.com> <1435172486.16474.95.camel@willson.usersys.redhat.com> <558BA52C.2020408@redhat.com>
Message-ID: <558BB36B.4040401@redhat.com>

On 06/25/2015 08:52 AM, Ludwig Krispenz wrote:
>
> On 06/24/2015 09:01 PM, Simo Sorce wrote:
>> On Wed, 2015-06-24 at 11:25 +0200, Ludwig Krispenz wrote:
>>> Oleg,
>>>
>>> the topology plugin relies on existing connections between servers which
>>> remain in a topology. If you remove a central node in your topology you
>>> are asking for trouble.
>>> With Petr's patch it warns you that your topology will be disconnected,
>>> and if you insist we cannot guarantee anything.
>>> should we completely prohibit this ?
>> No, but a --force should be needed.
>> Without a --force option we should not allow to remove a replica
>> completely from another one.
>>
>>> I don't know, I think you could
>>> also enforce an uninstall of vm175 with probably the same result.
>>> what you mean by calculating the remaining topology and sending it to the
>>> remaining servers does not work, it would require to send a removal of a
>>> segment, which would be rejected.
>> You would have to connect to each replica that has a replication
>> agreement with vm175 and remove the segment from that replica. But it
>> wouldn't really help much as once a replica is isolated from the central
>> one, it will not see the other operations going on in other replicas.
>>
>> Once we have a topology resolver we will be able to warn that removing a
>> specific replica will cause a split brain and make very loud warnings
> we have this already, see the output of Oleg's example:
>
> ipa-replica-manage del vm-175.idm.lab.eng.brq.redhat.com
> Topology after removal of vm-175.idm.lab.eng.brq.redhat.com will be
> disconnected:
> Server vm-036.idm.lab.eng.brq.redhat.com can't contact servers:
> vm-056.idm.lab.eng.brq.redhat.com, vm-127.idm.lab.eng.brq.redhat.com
> Server vm-056.idm.lab.eng.brq.redhat.com can't contact servers:
> vm-244.idm.lab.eng.brq.redhat.com, vm-036.idm.lab.eng.brq.redhat.com,
> vm-127.idm.lab.eng.brq.redhat.com
> Server vm-127.idm.lab.eng.brq.redhat.com can't contact servers:
> vm-244.idm.lab.eng.brq.redhat.com, vm-056.idm.lab.eng.brq.redhat.com,
> vm-036.idm.lab.eng.brq.redhat.com
> Server vm-244.idm.lab.eng.brq.redhat.com can't contact servers:
> vm-056.idm.lab.eng.brq.redhat.com, vm-127.idm.lab.eng.brq.redhat.com
> Continue to delete? [no]: yes
>
> it tells you that the topology gets disconnected and which connections
> will be missing, the continue yes/no is the --force,
> the question was, should we allow a force in this situation ?
>

What it does is:
1. Checks current topology, prints errors with introduction msg:
   "Current topology is disconnected:" + errors
2. Checks topology after node removal, prints errors with msg:
   "Topology after removal of %s will be disconnected:" + errors
3. if there were errors in #1 or #2, it does:
   if not force and not ipautil.user_input("Continue to delete?", False):
       sys.exit("Aborted")

To make it more loud we can introduce the msg in #2 with "WARNING: " or something even louder.

The question "Continue to delete?" could be
* removed, and therefore --force will always be required for such a case
* still be regarded as 'force' but the question could be changed, e.g. to:
  "Continue to delete and disconnect the topology?"
>>> More interesting would be if we can heal this later by adding new
>>> segments.
>> Indeed, reconnecting all the severed replicas should cause all the
>> removals (segments or servers) to be replicated among servers and should
>> bring back the topology view in a consistent state. But not until all
>> servers are reconnected and replication has started again.
> This healing can also be required without forcing removal by an admin.
> If you have a star topology and your central node goes down and is not
> recoverable
>>
>> Simo.
>>
>>
>>> Ludwig
>>> On 06/24/2015 11:04 AM, Oleg Fayans wrote:
>>>> Hi everybody,
>>>>
>>>> Current implementation of topology plugin (including patch 878 from
>>>> Petr) allows the deletion of the central node in the star topology.
>>>> I had the following topology:
>>>>

--
Petr Vobornik

From pspacek at redhat.com Thu Jun 25 08:17:36 2015
From: pspacek at redhat.com (Petr Spacek) Date: Thu, 25 Jun 2015 10:17:36 +0200 Subject: [Freeipa-devel] Topology: Central node removal in star topology In-Reply-To: <558BB36B.4040401@redhat.com> References: <558A729F.1030307@redhat.com> <558A7798.8020000@redhat.com> <1435172486.16474.95.camel@willson.usersys.redhat.com> <558BA52C.2020408@redhat.com> <558BB36B.4040401@redhat.com> Message-ID: <558BB920.9020209@redhat.com> On 25.6.2015 09:53, Petr Vobornik wrote: > On 06/25/2015 08:52 AM, Ludwig Krispenz wrote: >> >> On 06/24/2015 09:01 PM, Simo Sorce wrote: >>> On Wed, 2015-06-24 at 11:25 +0200, Ludwig Krispenz wrote: >>>> Oleg, >>>> >>>> the topology plugin relies on existing connection between servers which >>>> remain in a topolgy. If you remove a central node in your topology you >>>> are asking for trouble. >>>> With Petr's patch it warns you that your topology will be disconnected, >>>> and if you insist we cannot guarantee anything. >>>> should we completely prohibit this ? >>> No, but a --force should be needed. >>> Without a --force option we should not allow to remove a replica >>> completely from another one. >>> >>>> I don't know, I think you could >>>> also enforce an uninstall of vm175 with probably the same result. >>>> what you mean be calculating the remaining topology and send it to the >>>> remaining servers does not work, it would require to send a removal of a >>>> segment, which would be rejected. >>> You would have to connect to each replica that has a replication >>> agreement with vm175 and remove the segment from that replica. But it >>> wouldn't really help much as once a replica is isolated from the central >>> one, it will not see the other operations going on in other replicas. 
>>> >>> Once we have a topology resolver we will be able to warn that removing a >>> specific replica will cause a split brain and make very loud warnings >> we have this already, see the output of Oleg's example: >> >> ipa-replica-manage del vm-175.idm.lab.eng.brq.redhat.com >> Topology after removal of vm-175.idm.lab.eng.brq.redhat.com will be >> disconnected: >> Server vm-036.idm.lab.eng.brq.redhat.com can't contact servers: >> vm-056.idm.lab.eng.brq.redhat.com, vm-127.idm.lab.eng.brq.redhat.com >> Server vm-056.idm.lab.eng.brq.redhat.com can't contact servers: >> vm-244.idm.lab.eng.brq.redhat.com, vm-036.idm.lab.eng.brq.redhat.com, >> vm-127.idm.lab.eng.brq.redhat.com >> Server vm-127.idm.lab.eng.brq.redhat.com can't contact servers: >> vm-244.idm.lab.eng.brq.redhat.com, vm-056.idm.lab.eng.brq.redhat.com, >> vm-036.idm.lab.eng.brq.redhat.com >> Server vm-244.idm.lab.eng.brq.redhat.com can't contact servers: >> vm-056.idm.lab.eng.brq.redhat.com, vm-127.idm.lab.eng.brq.redhat.com >> Continue to delete? [no]: yes >> >> it tells you that the topology gets disconnected and which connections >> will be missing, the continue yes/no is the --force, >> the question was, should we allow a force in this situation ? >> > > What it does is: > 1. Checks current topology, prints errors with introduction msg: > "Current topology is disconnected:" + errors > 2. Checks topology after node removal, prints errors with msg: > "Topology after removal of %s will be disconnected:" + errors > 3. if there were errors in #1 or #2, it does: > if not force and not ipautil.user_input("Continue to delete?", False): > sys.exit("Aborted") > > > To make it more loud we can introduce msg in #2 with: "WARNING: " or something > even more louder > > The question "Continue to delete?" could be > * removed, and therefore --force will be always required for such case > * be still regarded as 'force' but the question could be changed e.g. to: > "Continue to delete and disconnect the topology?" 
Nitpick: I'm not a native English speaker but "Current topology is disconnected" does not sound clear and scary enough to me. At the very least, the line should start with "WARNING:" to follow the same pattern as all other warnings.

Also it would be nice to add something descriptive like 'Changes in will not be replicated to all servers and data WILL become inconsistent.'

Or possibly 'GATE TO HELL IS WIDE OPEN'? :-)

Of course all this needs to be rephrased to proper English ...

Petr^2 Spacek

>>>> More interesting would be if we can heal this later by adding new
>>>> segments.
>>> Indeed, reconnecting all the severed replicas should cause all the
>>> removals (segments or servers) to be replicated among servers and should
>>> bring back the topology view in a consistent state. But not until all
>>> servers are reconnected and replication has started again.
>> This healing can also be required without forcing removal by an admin.
>> If you have a star topology and your central node goes down and is not
>> recoverable
>>>
>>> Simo.
>>>
>>>
>>>> Ludwig
>>>> On 06/24/2015 11:04 AM, Oleg Fayans wrote:
>>>>> Hi everybody,
>>>>>
>>>>> Current implementation of topology plugin (including patch 878 from
>>>>> Petr) allows the deletion of the central node in the star topology.
>>>>> I had the following topology:
>>>>>
>

From mbasti at redhat.com Thu Jun 25 09:23:01 2015
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 25 Jun 2015 11:23:01 +0200
Subject: [Freeipa-devel] [PATCH] 0020..0022 pki-related upgrade fixes
In-Reply-To: <20150619072838.GR29330@dhcp-40-8.bne.redhat.com>
References: <20150619072838.GR29330@dhcp-40-8.bne.redhat.com>
Message-ID: <558BC875.1040002@redhat.com>

On 19/06/15 09:28, Fraser Tweedale wrote:
> The attached patches fix upgrade issues when pki is also updated
> from pre 10.2.4.
>
> pki dependency is bumped to 10.2.5 - the official builds should be
> done Friday (US time) but it is available from my copr[1]. If
> someone wants to add to official freeipa COPR in meantime the SRPM
> is here[2].
>
> [1] https://copr.fedoraproject.org/coprs/ftweedal/freeipa/
> [2] https://ftweedal.fedorapeople.org/pki-core-10.2.5-0.2.fc21.src.rpm
>
> Thanks,
> Fraser
>

Thank you.

1) I cannot apply patches.

2) IMO patch 0020 was fixed with my patch 266

3) This print should not be there
+
+        print cs_cfg
+        for profile_id in profile_ids:

4) This is an unused variable, it is defined later
+    cs_cfg = None

5) Can you add there log.error or log.debug instead of pass please?
+            # enable the profile
+            try:
+                profile_api.enable_profile(profile_id)
+            except errors.RemoteRetrieveError:
+                pass

I will test it later.

--
Martin Basti

From pspacek at redhat.com Thu Jun 25 11:46:26 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 25 Jun 2015 13:46:26 +0200
Subject: [Freeipa-devel] [PATCHES 0252-0253] DNSSEC: allow to move DNSSEC key master to another IPA server
In-Reply-To: <55815BF8.50202@redhat.com>
References: <555CAFAC.2050803@redhat.com> <55717FD9.6010002@redhat.com> <5580275F.1000106@redhat.com> <5581596D.9080209@redhat.com> <55815BF8.50202@redhat.com>
Message-ID: <558BEA12.8060601@redhat.com>

On 17.6.2015 13:37, Martin Basti wrote:
> On 17/06/15 13:26, Petr Spacek wrote:
>> On 16.6.2015 15:40, Martin Basti wrote:
>>> On 05/06/15 12:54, Petr Spacek wrote:
>>>> On 20.5.2015 18:00, Martin Basti wrote:
>>>>> This patch allows to disable DNSSEC key master on IPA server, or replace
>>>>> current DNSSEC key master with another IPA server.
>>>>>
>>>>> Only for master branch.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/4657
>>>>>
>>>>> Patches attached.
>>>> NACK. This happens on DNSSEC key master:
>>>> $ ipa-dns-install --disable-dnssec-master
>>>>
>>>> Do you want to disable current DNSSEC key master? [no]: yes
>>>> Unexpected error - see /var/log/ipaserver-install.log for details:
>>>> TypeError: sequence item 0: expected string, DNSName found
>>>> 2015-06-05T10:52:35Z DEBUG   File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line
>>>> 733, in run_script
>>>>     return_value = main_function()
>>>>
>>>>   File "/sbin/ipa-dns-install", line 128, in main
>>>>     dns_installer.disable_dnssec_master(options.unattended)
>>>>
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dns.py", line
>>>> 112,
>>>> in disable_dnssec_master
>>>>     ", ".join(dnssec_zones))
>>>>
>>>> 2015-06-05T10:52:35Z DEBUG The ipa-dns-install command failed, exception:
>>>> TypeError: sequence item 0: expected string, DNSName found
>>>>
>>> Updated patches attached.
>>>
>>> Due to new installers, more changes were required.
>> Sorry, NACK, I'm not able to apply this patch set to current master
>> (69607250b9762a6c9b657dd31653b03d54a7b411).
>>
> Rebased patches attached.

NACK.

0) ipa-dns-install --replace-dnssec-master always puts the file into /root/ipa-kasp.db. It would be better to put it into the local working directory or /var/lib/ipa (as with replica files).

1) I installed the DNSSEC key master role on vm-134 but DNSSEC services were not stopped by ipactl stop:

[root at vm-134 review]# ipactl stop
Stopping ipa-otpd Service
Stopping httpd Service
Stopping ipa_memcached Service
Stopping kadmin Service
Stopping krb5kdc Service
Stopping Directory Service
ipa: INFO: The ipactl command was successful

[root at vm-134 review]# ipactl start
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting ipa_memcached Service
Starting httpd Service
Starting ipa-otpd Service
Starting ipa-ods-exporter Service
Starting ods-enforcerd Service
Starting ipa-dnskeysyncd Service

Subsequent ipactl stop worked fine, only the first one is affected.

2a) vm-134 was the original master. I ran this:
[root at vm-134 review]# ipa-dns-install --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com

... and then attempted to install master to vm-059:
[root at vm-059 review]# ipa-dns-install --dnssec-master

This command was accepted despite the missing --kasp-db option and wrong replica name. It should error out and tell the user to run the command with the --kasp-db option.

Even better, we could get rid of explicit replica name specification in the --replace-dnssec-master option and allow to run installation with --kasp-db on any replica as long as the kasp.db file is provided.

2b) Attempt to move DNSSEC key master from vm-134 to vm-090 *without* specifying the --kasp-db option was accepted.
[root at vm-090 review]# ipa-dns-install --dnssec-master

As in case (2a), it should print what the user is supposed to do.
I propose the following text:

Current DNSSEC key master is being moved to a different server. You need to copy the kasp.db file from and run the following command to complete the transition:
# ipa-dns-install --dnssec-master --kasp-db=/path/to/the/copied/kasp.db

3) [root at vm-134 review]# ipa-dns-install --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com
does not remove the ISMASTER option from file /etc/sysconfig/ipa-dnskeysyncd .

4) [root at vm-134 review]# ipa-dns-install --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com
it is possible to run
[root at vm-134 review]# ipa-dns-install --dnssec-master
again without --kasp-db and it is accepted.

Moreover, in this case ipaConfigString "NEW_DNSSEC_MASTER" is not properly removed from cn=DNSKeySync,cn=vm-090.abc.idm.lab.eng.brq.redhat.com,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example.

5) Sequence of commands
[root at vm-134 review]# ipa-dns-install --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com
[root at vm-090 review]# ipa-replica-manage del vm-134.abc.idm.lab.eng.brq.redhat.com
allows me to run
[root at vm-090 review]# ipa-dns-install --dnssec-master
without the --kasp-db option, it does not throw an error, and the information that some other master existed somewhere is lost.

It would probably be better to replace this and to use some global attribute in cn=dns so similar problems do not happen.

6) The migration itself seems to work, KASP DB seems to work properly, however it is necessary to run the 'ods-ksmutil zonelist' command *before* all the daemons on the new master are (re)started. This needs to be done to re-generate the file /etc/opendnssec/zonelist.xml from the new (copied) DB.

Here please be careful about file permissions. The command should be run under the 'ods' user to avoid permission clobbering.

Thank you for your hard work on this!

--
Petr^2 Spacek

From simo at redhat.com Thu Jun 25 12:30:14 2015
From: simo at redhat.com (Simo Sorce) Date: Thu, 25 Jun 2015 08:30:14 -0400 Subject: [Freeipa-devel] Topology: Central node removal in star topology In-Reply-To: <558BB36B.4040401@redhat.com> References: <558A729F.1030307@redhat.com> <558A7798.8020000@redhat.com> <1435172486.16474.95.camel@willson.usersys.redhat.com> <558BA52C.2020408@redhat.com> <558BB36B.4040401@redhat.com> Message-ID: <1435235414.22563.16.camel@willson.usersys.redhat.com> On Thu, 2015-06-25 at 09:53 +0200, Petr Vobornik wrote: > On 06/25/2015 08:52 AM, Ludwig Krispenz wrote: > > > > On 06/24/2015 09:01 PM, Simo Sorce wrote: > >> On Wed, 2015-06-24 at 11:25 +0200, Ludwig Krispenz wrote: > >>> Oleg, > >>> > >>> the topology plugin relies on existing connection between servers which > >>> remain in a topolgy. If you remove a central node in your topology you > >>> are asking for trouble. > >>> With Petr's patch it warns you that your topology will be disconnected, > >>> and if you insist we cannot guarantee anything. > >>> should we completely prohibit this ? > >> No, but a --force should be needed. > >> Without a --force option we should not allow to remove a replica > >> completely from another one. > >> > >>> I don't know, I think you could > >>> also enforce an uninstall of vm175 with probably the same result. > >>> what you mean be calculating the remaining topology and send it to the > >>> remaining servers does not work, it would require to send a removal of a > >>> segment, which would be rejected. > >> You would have to connect to each replica that has a replication > >> agreement with vm175 and remove the segment from that replica. But it > >> wouldn't really help much as once a replica is isolated from the central > >> one, it will not see the other operations going on in other replicas. 
> >> > >> Once we have a topology resolver we will be able to warn that removing a > >> specific replica will cause a split brain and make very loud warnings > > we have this already, see the output of Oleg's example: > > > > ipa-replica-manage del vm-175.idm.lab.eng.brq.redhat.com > > Topology after removal of vm-175.idm.lab.eng.brq.redhat.com will be > > disconnected: > > Server vm-036.idm.lab.eng.brq.redhat.com can't contact servers: > > vm-056.idm.lab.eng.brq.redhat.com, vm-127.idm.lab.eng.brq.redhat.com > > Server vm-056.idm.lab.eng.brq.redhat.com can't contact servers: > > vm-244.idm.lab.eng.brq.redhat.com, vm-036.idm.lab.eng.brq.redhat.com, > > vm-127.idm.lab.eng.brq.redhat.com > > Server vm-127.idm.lab.eng.brq.redhat.com can't contact servers: > > vm-244.idm.lab.eng.brq.redhat.com, vm-056.idm.lab.eng.brq.redhat.com, > > vm-036.idm.lab.eng.brq.redhat.com > > Server vm-244.idm.lab.eng.brq.redhat.com can't contact servers: > > vm-056.idm.lab.eng.brq.redhat.com, vm-127.idm.lab.eng.brq.redhat.com > > Continue to delete? [no]: yes > > > > it tells you that the topology gets disconnected and which connections > > will be missing, the continue yes/no is the --force, > > the question was, should we allow a force in this situation ? > > > > What it does is: > 1. Checks current topology, prints errors with introduction msg: > "Current topology is disconnected:" + errors > 2. Checks topology after node removal, prints errors with msg: > "Topology after removal of %s will be disconnected:" + errors > 3. if there were errors in #1 or #2, it does: > if not force and not ipautil.user_input("Continue to delete?", False): > sys.exit("Aborted") > > > To make it more loud we can introduce msg in #2 with: "WARNING: " or > something even more louder > > The question "Continue to delete?" could be > * removed, and therefore --force will be always required for such case > * be still regarded as 'force' but the question could be changed e.g. 
> to: "Continue to delete and disconnect the topology?"

I do not like questions very much, they are usually annoying to scripting and such.
I would not ask questions, and simply deny the operation if --force is not present, and allow it if it is present.

> >>> More interesting would be if we can heal this later by adding new
> >>> segments.
> >> Indeed, reconnecting all the severed replicas should cause all the
> >> removals (segments or servers) to be replicated among servers and should
> >> bring back the topology view in a consistent state. But not until all
> >> servers are reconnected and replication has started again.
> > This healing can also be required without forcing removal by an admin.
> > If you have a star topology and your central node goes down and is not
> > recoverable

Yes, I think the most likely case (bar testing) for ever using --force remove is that a server imploded and died, and just needs replacing. Being able to recover from such a situation by simply reconnecting replicas until the split brain is healed is paramount.

I would go as far as saying that perhaps we should provide a simple "heal-topology" command in a *future* version that will pick one replica and reconnect all the missing branches in a stellar topology.

The only problem in doing that is that the tool may have a misleading idea of the status of the topology given that when replication is severed not all topology changes may be reflected to all servers. So different servers may have a different view of the current topology based on when they got disconnected and the replication flow was interrupted.

So a good tool would have to reconnect all branches it sees, then wait a little to see if the reconnected replicas send in topology changes and re-iterate if further changes caused the topology to still be in split brain.
Another tool could be built that allows the admin to indicate a master needs to be removed and the tool would tell what replication agreements should be created before removal to avoid split brain. But this is not really useful if the master is already dead and replication is effectively stopped.

For now the admin will need to do this manually, but we need to test that the situation is recoverable.

Simo.

> >>
> >> Simo.
> >>
> >>
> >>> Ludwig
> >>> On 06/24/2015 11:04 AM, Oleg Fayans wrote:
> >>>> Hi everybody,
> >>>>
> >>>> Current implementation of topology plugin (including patch 878 from
> >>>> Petr) allows the deletion of the central node in the star topology.
> >>>> I had the following topology:
> >>>>
>

--
Simo Sorce * Red Hat, Inc * New York

From edewata at redhat.com Thu Jun 25 17:01:19 2015
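As an added example (not FreeIPA's own code; the real ipa-replica-manage implementation is not shown in this thread), the following Python models the three-step check Petr Vobornik describes above and the "which agreements to create before removal" helper Simo sketches, using Simo's deny-unless---force semantics instead of an interactive question. It assumes every segment is bidirectional (connectivity "both") and uses short host names constructed from Oleg's report as sample data.

```python
# Added example: topology connectivity check before replica removal.
# Not FreeIPA code. Segments are assumed undirected ("both"); host names
# are constructed sample data modelled on the thread's star topology.


def build_graph(segments, removed=None):
    """Adjacency map for the topology, optionally with one server removed.

    Servers whose only segment went to the removed server stay in the map as
    isolated nodes, so the check can report them as unreachable."""
    graph = {}
    for left, right in segments:
        for node in (left, right):
            if node != removed:
                graph.setdefault(node, set())
        if removed not in (left, right):
            graph[left].add(right)
            graph[right].add(left)
    return graph


def components(graph):
    """Connected components (iterative DFS), ordered by their smallest node."""
    seen = set()
    comps = []
    for start in sorted(graph):
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node in comp:
                continue
            comp.add(node)
            stack.extend(graph[node] - comp)
        seen |= comp
        comps.append(frozenset(comp))
    return comps


def unreachable(graph):
    """Map each server to the sorted list of servers it cannot contact."""
    result = {}
    all_nodes = set(graph)
    for comp in components(graph):
        missing = sorted(all_nodes - comp)
        if missing:
            for node in comp:
                result[node] = missing
    return result


def _report(header, gaps):
    """Render the warning block in the same shape as the CLI output quoted above."""
    lines = ["WARNING: " + header]
    for node, missing in sorted(gaps.items()):
        lines.append("Server %s can't contact servers: %s" % (node, ", ".join(missing)))
    return lines


def check_removal(segments, server, force=False):
    """Steps 1-3 from the thread: check the current topology, check it again
    with `server` removed, and refuse a disconnecting removal unless --force.

    Returns (allowed, messages)."""
    messages = []
    before = unreachable(build_graph(segments))
    if before:
        messages += _report("Current topology is disconnected:", before)
    after = unreachable(build_graph(segments, removed=server))
    if after:
        messages += _report("Topology after removal of %s will be disconnected:"
                            % server, after)
    if (before or after) and not force:
        messages.append("Aborted: removing %s would disconnect the topology; "
                        "re-run with --force to proceed" % server)
        return False, messages
    return True, messages


def segments_to_add(segments, server):
    """Segments an admin should create *before* removing `server` so the
    remaining servers stay connected: one representative per resulting
    component, joined in a star to the first component."""
    comps = components(build_graph(segments, removed=server))
    reps = [min(comp) for comp in comps]
    return [(reps[0], other) for other in reps[1:]]


# Constructed sample: Oleg's star around vm-175 plus the 036-to-244 segment.
SEGMENTS = [
    ("vm-056", "vm-175"),
    ("vm-127", "vm-175"),
    ("vm-244", "vm-175"),
    ("vm-036", "vm-175"),
    ("vm-036", "vm-244"),
]
```

Running `check_removal(SEGMENTS, "vm-175")` reproduces the four "can't contact" lines from the quoted output and refuses without force, while `segments_to_add(SEGMENTS, "vm-175")` proposes two segments that would keep the remaining four servers connected.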
From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 25 Jun 2015 12:01:19 -0500 Subject: [Freeipa-devel] [PATCH] Password vault In-Reply-To: <558B9334.8030104@redhat.com> References: <54E1AF55.3060409@redhat.com> <54EBEB55.6010306@redhat.com> <54F96B22.9050507@redhat.com> <55004D5D.6060300@redhat.com> <550FE5EB.1070606@redhat.com> <551E0AE1.8040500@redhat.com> <553498D1.1020901@redhat.com> <55651209.8020000@redhat.com> <556558AA.6040107@redhat.com> <556CF209.7050404@redhat.com> <556EF05E.90103@redhat.com> <55719260.8080300@redhat.com> <5571FD75.5010708@redhat.com> <557568CB.3040503@redhat.com> <557756EE.8020507@redhat.com> <5577D581.1020800@redhat.com> <557E7D21.2040304@redhat.com> <557F5998.2000103@redhat.com> <55811463.8050802@redhat.com> <5588D21A.1020104@redhat.com> <558B9334.8030104@redhat.com> Message-ID: <558C33DF.6080403@redhat.com> On 6/25/2015 12:35 AM, Jan Cholasta wrote: >>>>> I think it would be better to use a new attribute type which inherits >>>>> from ipaPublicKey (ipaVaultPublicKey?) rather than ipaPublicKey >>>>> directly >>>>> for assymetric vault public keys, so that assymetric public key and >>>>> escrow public key are on the same level and you can still use >>>>> ipaPublicKey to refer to either one: >>>>> >>>>> ipaPublicKey >>>>> ipaVaultPublicKey >>>>> ipaEscrowPublicKey >>>>> >>>> OK. To be consistent the parameters need to be renamed too: >>>> --vault-public-key and --vault-public-key-file. >>> >>> It doesn't need to, there is no requirement for CLI names to always >>> match attribute names. (Also I don't insist on the name >>> "ipaVaultPublicKey", feel free to change it if you want.) >> >> It's unchanged for now. In a previous discussion it was advised to reuse >> the existing attribute type whenever possible. > > Well, in this discussion, it is not. Escrow public key should also reuse > ipaPublicKey, but it can't if you use it for vault public key. 
By using > ipaPublicKey subtypes you can distinguish between the two uses and still > use ipaPublicKey to refer to either of them. So what's changed? This is what you said when I posted the same patch six months ago: >> In this patch I'm adding ipaVaultSalt and ipaVaultPublicKey attribute >> types to store salt and public key for vault. Are there existing >> attribute types that I can use instead? I see there's an ipaPublicKey, >> should I use that and maybe add ipaSalt/ipaEncSalt? Thanks. > > yes, please re-use existing attributes where possible. > > Honza Could you show me how to use ipaPublicKey to refer to ipaVaultPublicKey and ipaEscrowPublicKey? Under what situation would that be useful? >>> a) When the non-split vault_{archive,retrieve} was called from a >>> server API with client-only options, it crashed. This is the broken API >>> I was talking about. >> >> This is because in the current framework any API called on the server >> side will be a server API, so you are not supposed to call it with >> client options in the first place. Because of that limitation, the only >> way to use client options is to use a separate API on the client side to >> call the original API on the server side. The point is, client options >> belong to client API, and server options belong to server API. In >> vault_add the public key file name belongs to client API because it's >> used to load a file on the client side. You should not add public key >> file name option to the server API just because it can safely be ignored. > > I don't disagree, but file name options do not belong to the general > client API either, as they are strictly CLI-specific. To my understanding the current framework doesn't have a separate CLI class, so you don't have a choice but to put CLI-specific options in the client API class too. However, you do have a choice not to combine client API class and server API class because otherwise that will put CLI-specific options in the server API class too. 
>>>>>>> 2. Since the vault_archive_internal inherits from Update, it accepts >>>>>>> all non >>>>>>> primary-key attributes automatically. This is incorrect since we >>>>>>> don't want to >>>>>>> update these parameters during archival. Can this behavior be >>>>>>> overridden? >>>>> >>>>> Inherit from PKQuery instead (don't forget to add "has_output = >>>>> output.standard_entry"). >>>> >>>> Previously you didn't want to use LDAPQuery because of semantics >>>> reasons. Is PKQuery fine semantically? >>> >>> It's not. Currently there is a set of commands which operate on the LDAP >>> part of vault and another set of commands which operate on the KRA part >>> of vault and we don't want the commands in one set to see attributes >>> related to the other part of vault. If you insist on keeping both parts >>> in a single object, you have to resort to hackery like using PKQuery, >>> hence my suggestion to split the data part off to a separate object to >>> avoid this. >> >> This because the framework was based on simplistic assumptions which >> create unnecessary restrictions, for example: >> * client API is just a proxy to server API (i.e. client and server >> cannot do different things) > > They can do different things the same way vault_archive/vault_retrieve > does that, the commands just can't be called the same (which is not > necessarily a bad thing). Of course different APIs can do different things, like vault_add calling vault_archive, or vault_archive calling vault_archive_internal. The point is right now the client portion of an API (i.e. 
the forward() method) cannot do anything other than forwarding the request to
the server, so the API has to be split into different APIs:
* vault_archive
* vault_archive_internal

It would be nice to have formal separation between client and server APIs so
it's clear they are different but still related without resorting to ugly
names:
* client.vault_archive
* server.vault_archive

>> * CLI options will be identical to client and server API options (i.e.
>> no CLI-only, client-only, or server-only options)
>
> Actually, you can create CLI-only options (add include='cli' to the
> param's kwargs).

I need to look at this more closely. If I understand correctly in user_del
there are two 'preserve' options, the Bool preserve is for client and server
API, and the Flag preserve is for CLI. Wouldn't it be better if they are
stored in separate lists (or maybe separate classes)? And it looks like you
still need to delete the CLI options explicitly anyway. Does the API.txt
actually show the CLI options, the client API options, or the server API
options? I only see the Flag preserve, not the Bool preserve.

>> * a plugin will only access one type of data (i.e. LDAP plugin can only
>> access LDAP data)
>
> This is not assumed anywhere in the framework, you can access whatever
> you want, but you can't expect baseldap to do everything for you.

Nobody is expecting baseldap to do KRA operations.

> As the
> name implies, it is LDAP specific, if you want something else, you have
> to implement it yourself.

In the previous patch vault_retrieve inherits from LDAPRetrieve so it can
rely on baseldap to retrieve the vault entry, then on top of that it
implements additional KRA operations (without baseldap obviously). If that
is not allowed, aren't you basically saying LDAP plugin can only access LDAP
data?

>> * a command name will match the object name (i.e.
>> must use vaultdata_mod
>> instead of a more intuitive vault_archive)
>
> I don't see how consistency is a bad thing, or how this could limit
> anyone doing things cleanly. I do agree that vaultdata_mod is ugly, but
> it's not the only way to achieve the same goal.

Look at it from user's perspective. If you create a vault using vault-add,
then archive data using vaultdata-mod, how is this consistent?

>> We know that some use cases do not fit these assumptions. Rather than
>> compromising the use case, or looking at workarounds as hacks, I'd
>> suggest finding ideas to improve the framework itself to be more
>> accommodating.
>
> I would personally love to improve the framework (it's just retarded
> sometimes as you may have noticed), but it does not have high priority
> right now (not my decision).

We don't have to modify the current framework right now, but we can align
new code that doesn't fit the current framework to match the future
framework. Although the future framework is not defined yet, some things are
already clear, for example there should be separate client and server APIs.
So if a command like vault_add has differing client and server options,
regardless how insignificant it is, there's no reason to force it to be
combined. The current framework doesn't prevent separation anyway.

> Keep in mind that workarounds which screw with the object model will
> always be considered hacks, even after the framework is made more
> accommodating.

Don't get this wrong. The framework will only be considered accommodating if
it allows people to implement features without 'hacking'. 'Hacking' itself
is never a goal, it's the last resort to work around the framework's current
limitations, just like how you ended up using PKQuery for
vault_archive_internal.

--
Endi S. Dewata

From derny at redhat.com Thu Jun 25 17:33:33 2015
From: derny at redhat.com (Drew Erny)
Date: Thu, 25 Jun 2015 13:33:33 -0400
Subject: [Freeipa-devel] IPA Python API
In-Reply-To: <5589C340.7030301@redhat.com>
References: <55806B14.7030905@redhat.com> <5589C340.7030301@redhat.com>
Message-ID: <558C3B6D.9030206@redhat.com>

If I add the lines

    if not api.Backend.rpcclient.isconnected():
        api.Backend.rpcclient.connect()

before I call the api, the code works. Problem (pretty much) solved.

On 06/23/2015 04:36 PM, Drew Erny wrote:
> Resurrecting this thread, because the problem is getting me again.
>
> If I go through the python interpreter and import the code that calls
> the ipalib, and then manually call it myself the way the webserver
> does, the code works. If the same code is run in the course of the web
> server process, I get the error:
>
> Traceback (most recent call last):
> File
> "/home/derny/freeipa/env/lib/python2.7/site-packages/cherrypy/_cprequest.py",
> line 670, in respond
> response.body = self.handler()
> File
> "/home/derny/freeipa/env/lib/python2.7/site-packages/cherrypy/lib/encoding.py",
> line 217, in __call__
> self.body = self.oldhandler(*args, **kwargs)
> File
> "/home/derny/freeipa/env/lib/python2.7/site-packages/cherrypy/_cpdispatch.py",
> line 61, in __call__
> return self.callable(*self.args, **self.kwargs)
> File "freeipa_community_portal/app.py", line 39, in POST
> errors = user.save()
> File "freeipa_community_portal/model/user.py", line 33, in save
> self._call_api()
> File "freeipa_community_portal/model/user.py", line 45, in _call_api
> mail=self.email
> File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line
> 439, in __call__
> ret = self.run(*args, **options)
> File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line
> 755, in run
> return self.forward(*args, **options)
> File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line
> 776, in forward
> return self.Backend.rpcclient.forward(self.name, *args, **kw)
> File
> "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 880, in
> forward
> command = getattr(self.conn, name)
> File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 97,
> in __get_conn
> self.id, threading.currentThread().getName())
> AttributeError: no context.rpcclient in thread 'CP Server Thread-6'
>
> The error shows up whether the server is run from within the python
> interpreter or by itself.
>
> I kinit and have a TGT from the IPA server. The client machine is
> registered with the IPA server. When I run the commands "by hand", an
> HTTP ticket can be seen in the klist. When I run the webserver, no
> HTTP ticket is ever received, so the code is failing on the client
> side before it even gets to the server.
>
> Which is obviously not what should be happening. It's the same error I
> got when I was using Flask, and now I'm using cherrypy and it's still
> broken. Could this have something to do with the web server being a
> multithreaded environment?
>

From derny at redhat.com Thu Jun 25 18:40:21 2015
From: derny at redhat.com (Drew Erny)
Date: Thu, 25 Jun 2015 14:40:21 -0400
Subject: [Freeipa-devel] [RFC] Self-service Password Reset
Message-ID: <558C4B15.2030406@redhat.com>

Hi, All,

FreeIPA's most requested feature just got a proposal.

Check it out at http://www.freeipa.org/page/V4/Self_Service_Password_Reset

I eagerly await your explanations of why this is a terrible idea.

Thanks,

Drew Erny

From simo at redhat.com Thu Jun 25 19:07:06 2015
From: simo at redhat.com (Simo Sorce)
Date: Thu, 25 Jun 2015 15:07:06 -0400
Subject: [Freeipa-devel] [RFC] Self-service Password Reset
In-Reply-To: <558C4B15.2030406@redhat.com>
References: <558C4B15.2030406@redhat.com>
Message-ID: <1435259226.22563.76.camel@willson.usersys.redhat.com>

On Thu, 2015-06-25 at 14:40 -0400, Drew Erny wrote:
> Hi, All,
>
> FreeIPA's most requested feature just got a proposal.
>
> Check it out at http://www.freeipa.org/page/V4/Self_Service_Password_Reset
>
> I eagerly await your explanations of why this is a terrible idea.

Well clearly it is a security nightmare :-D

Anyway point 6, it is better to not send any password via email.
I see 2/3 options here.
1) Just show the user the new password and a link to go and reset it.
2) Just redirect the user to the Self-Service Password change page and
pre-fill the "old password" fields with the newly minted password.
3) Provide a password change with hidden old-password fields straight on
the self-service portal.

While 2 would be somewhat nice it is probably difficult because of CSRF
protections in FreeIPA, and besides if you already have the password you
might as well just use it immediately and save the redirect. So I would
prefer 3.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From derny at redhat.com Thu Jun 25 19:13:06 2015
From: derny at redhat.com (Drew Erny)
Date: Thu, 25 Jun 2015 15:13:06 -0400
Subject: [Freeipa-devel] [RFC] Self-service Password Reset
In-Reply-To: <1435259226.22563.76.camel@willson.usersys.redhat.com>
References: <558C4B15.2030406@redhat.com> <1435259226.22563.76.camel@willson.usersys.redhat.com>
Message-ID: <558C52C2.8090506@redhat.com>

On 06/25/2015 03:07 PM, Simo Sorce wrote:
> On Thu, 2015-06-25 at 14:40 -0400, Drew Erny wrote:
>> Hi, All,
>>
>> FreeIPA's most requested feature just got a proposal.
>>
>> Check it out at http://www.freeipa.org/page/V4/Self_Service_Password_Reset
>>
>> I eagerly await your explanations of why this is a terrible idea.
> Well clearly it is a security nightmare :-D
> Anyway point 6, it is better to not send any password via email.
> I see 2/3 options here.
> 1) Just show the user the new password and a link to go and reset it.
> 2) Just redirect the user to the Self-Service Password change page and
> pre-fill the "old password" fields with the newly minted password.
> 3) Provide a password change with hidden old-password fields straight on
> the self-service portal.

I think when I was running this past my peers, they mentioned these
concerns, and I must've forgotten to update the draft.

>
> While 2 would be somewhat nice it is probably difficult because of CSRF
> protections in FreeIPA, and besides if you already have the password you
> might as well just use it immediately and save the redirect. So I would
> prefer 3.

I prefer 3 as well; I'll amend the draft right now.

>
> Simo.
>

From derny at redhat.com Thu Jun 25 19:19:59 2015
From: derny at redhat.com (Drew Erny)
Date: Thu, 25 Jun 2015 15:19:59 -0400
Subject: [Freeipa-devel] [RFC] Self-service Password Reset
In-Reply-To: <558C52C2.8090506@redhat.com>
References: <558C4B15.2030406@redhat.com> <1435259226.22563.76.camel@willson.usersys.redhat.com> <558C52C2.8090506@redhat.com>
Message-ID: <558C545F.4090802@redhat.com>

On 06/25/2015 03:13 PM, Drew Erny wrote:
>
>
> On 06/25/2015 03:07 PM, Simo Sorce wrote:
>> On Thu, 2015-06-25 at 14:40 -0400, Drew Erny wrote:
>>> Hi, All,
>>>
>>> FreeIPA's most requested feature just got a proposal.
>>>
>>> Check it out at
>>> http://www.freeipa.org/page/V4/Self_Service_Password_Reset
>>>
>>> I eagerly await your explanations of why this is a terrible idea.
>> Well clearly it is a security nightmare :-D
>> Anyway point 6, it is better to not send any password via email.
>> I see 2/3 options here.
>> 1) Just show the user the new password and a link to go and reset it.
>> 2) Just redirect the user to the Self-Service Password change page and
>> pre-fill the "old password" fields with the newly minted password.
>> 3) Provide a password change with hidden old-password fields straight on
>> the self-service portal.
> I think when I was running this past my peers, they mentioned these
> concerns, and I must've forgotten to update the draft.
>>
>> While 2 would be somewhat nice it is probably difficult because of CSRF
>> protections in FreeIPA, and besides if you already have the password you
>> might as well just use it immediately and save the redirect. So I would
>> prefer 3.
> I prefer 3 as well; I'll amend the draft right now.
>>
>> Simo.
>>
>

Sorry, I jumped the gun on replying to this email and forgot to sanity
check it.

Option 3 won't work, because when anybody who is not the user resets the
user's password (including admins, IIRC), the user is prompted to reset
their password upon first login.
So, if the user sets a new password straight on the self-service portal,
they'll have to change it immediately anyway, because the self-service
portal will be the "user" resetting the password, not the actual user.

Option 1, just displaying the password to the user, is probably actually
best. This way, they copy the password, paste it into the FreeIPA webui
login form, and then get kicked into the FreeIPA webui password reset
workflow, instead of setting a new password just to have to change it.
We can show the password with a big message that says, "USE THIS
PASSWORD IMMEDIATELY. IT WILL NOT BE AVAILABLE AGAIN."

From simo at redhat.com Thu Jun 25 19:50:41 2015
From: simo at redhat.com (Simo Sorce)
Date: Thu, 25 Jun 2015 15:50:41 -0400
Subject: [Freeipa-devel] [RFC] Self-service Password Reset
In-Reply-To: <558C545F.4090802@redhat.com>
References: <558C4B15.2030406@redhat.com> <1435259226.22563.76.camel@willson.usersys.redhat.com> <558C52C2.8090506@redhat.com> <558C545F.4090802@redhat.com>
Message-ID: <1435261841.4591.6.camel@willson.usersys.redhat.com>

On Thu, 2015-06-25 at 15:19 -0400, Drew Erny wrote:
>
> On 06/25/2015 03:13 PM, Drew Erny wrote:
> >
> >
> > On 06/25/2015 03:07 PM, Simo Sorce wrote:
> >> On Thu, 2015-06-25 at 14:40 -0400, Drew Erny wrote:
> >>> Hi, All,
> >>>
> >>> FreeIPA's most requested feature just got a proposal.
> >>>
> >>> Check it out at
> >>> http://www.freeipa.org/page/V4/Self_Service_Password_Reset
> >>>
> >>> I eagerly await your explanations of why this is a terrible idea.
> >> Well clearly it is a security nightmare :-D
> >> Anyway point 6, it is better to not send any password via email.
> >> I see 2/3 options here.
> >> 1) Just show the user the new password and a link to go and reset it.
> >> 2) Just redirect the user to the Self-Service Password change page and
> >> pre-fill the "old password" fields with the newly minted password.
> >> 3) Provide a password change with hidden old-password fields straight on
> >> the self-service portal.
> > I think when I was running this past my peers, they mentioned these
> > concerns, and I must've forgotten to update the draft.
> >>
> >> While 2 would be somewhat nice it is probably difficult because of CSRF
> >> protections in FreeIPA, and besides if you already have the password you
> >> might as well just use it immediately and save the redirect. So I would
> >> prefer 3.
> > I prefer 3 as well; I'll amend the draft right now.
> >>
> >> Simo.
> >>
> >
>
> Sorry, I jumped the gun on replying to this email and forgot to sanity
> check it.
>
> Option 3 won't work, because when anybody who is not the user resets the
> user's password (including admins, IIRC), the user is prompted to reset
> their password upon first login. So, if the user sets a new password
> straight on the self-service portal, they'll have to change it
> immediately anyway, because the self-service portal will be the "user"
> resetting the password, not the actual user.

This is not how it works.
Follow these steps:
1. check that the user used a link with the proper unique reset code in
the path or in the query arguments, and validate the link is not
expired.
2. immediately remove the reset token from the db.
3. generate a random password
4. use the service keytab to authenticate and reset the user password to
the generated random password.
5. present the user with a form to enter his new password (a hidden
field will contain the random password as old password).
6. perform a password reset where the old password is the one you
generated in (2) and used in (3) and the new password is the one the
user gave you.

You will basically go through 2 password changes (one administrative,
and one normal), but it's ok.

Make sure to be able to retain the password until the password change is
successful, as the user may fail to change the password if the new one
does not meet policy requirements, so you'll have to display errors and
be able to retry.

> Option 1, just displaying the password to the user, is probably actually
> best. This way, they copy the password, paste it into the FreeIPA webui
> login form, and then get kicked into the FreeIPA webui password reset
> workflow, instead of setting a new password just to have to change it.
> We can show the password with a big message that says, "USE THIS
> PASSWORD IMMEDIATELY. IT WILL NOT BE AVAILABLE AGAIN."

It's more error prone and does not give you any better outcome.

Simo,

--
Simo Sorce * Red Hat, Inc * New York

From abokovoy at redhat.com Thu Jun 25 20:43:56 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 25 Jun 2015 23:43:56 +0300
Subject: [Freeipa-devel] [RFC] Self-service Password Reset
In-Reply-To: <1435261841.4591.6.camel@willson.usersys.redhat.com>
References: <558C4B15.2030406@redhat.com> <1435259226.22563.76.camel@willson.usersys.redhat.com> <558C52C2.8090506@redhat.com> <558C545F.4090802@redhat.com> <1435261841.4591.6.camel@willson.usersys.redhat.com>
Message-ID: <20150625204356.GJ5905@redhat.com>

On Thu, 25 Jun 2015, Simo Sorce wrote:
>On Thu, 2015-06-25 at 15:19 -0400, Drew Erny wrote:
>>
>> On 06/25/2015 03:13 PM, Drew Erny wrote:
>> >
>> >
>> > On 06/25/2015 03:07 PM, Simo Sorce wrote:
>> >> On Thu, 2015-06-25 at 14:40 -0400, Drew Erny wrote:
>> >>> Hi, All,
>> >>>
>> >>> FreeIPA's most requested feature just got a proposal.
>> >>>
>> >>> Check it out at
>> >>> http://www.freeipa.org/page/V4/Self_Service_Password_Reset
>> >>>
>> >>> I eagerly await your explanations of why this is a terrible idea.
>> >> Well clearly it is a security nightmare :-D
>> >> Anyway point 6, it is better to not send any password via email.
>> >> I see 2/3 options here.
>> >> 1) Just show the user the new password and a link to go and reset it.
>> >> 2) Just redirect the user to the Self-Service Password change page and
>> >> pre-fill the "old password" fields with the newly minted password.
>> >> 3) Provide a password change with hidden old-password fields straight on
>> >> the self-service portal.
>> > I think when I was running this past my peers, they mentioned these
>> > concerns, and I must've forgotten to update the draft.
>> >>
>> >> While 2 would be somewhat nice it is probably difficult because of CSRF
>> >> protections in FreeIPA, and besides if you already have the password you
>> >> might as well just use it immediately and save the redirect. So I would
>> >> prefer 3.
>> > I prefer 3 as well; I'll amend the draft right now.
>> >>
>> >> Simo.
>> >>
>> >
>>
>> Sorry, I jumped the gun on replying to this email and forgot to sanity
>> check it.
>>
>> Option 3 won't work, because when anybody who is not the user resets the
>> user's password (including admins, IIRC), the user is prompted to reset
>> their password upon first login. So, if the user sets a new password
>> straight on the self-service portal, they'll have to change it
>> immediately anyway, because the self-service portal will be the "user"
>> resetting the password, not the actual user.
>
>This is not how it works.
>Follow these steps:
>1. check that the user used a link with the proper unique reset code in
>the path or in the query arguments, and validate the link is not
>expired.
>2. immediately remove the reset token from the db.
>3. generate a random password
>4. use the service keytab to authenticate and reset the user password to
>the generated random password.
>5. present the user with a form to enter his new password (a hidden
>field will contain the random password as old password).
>6. perform a password reset where the old password is the one you
>generated in (2) and used in (3) and the new password is the one the
>user gave you.
>
>You will basically go through 2 password changes (one administrative,
>and one normal), but it's ok.

This is what I suggested multiple times in the past, see for example,
http://www.redhat.com/archives/freeipa-users/2012-June/msg00360.html

However, this requires that you have password policy which allows
subsequent password changes in a short time period.

--
/ Alexander Bokovoy

From simo at redhat.com Thu Jun 25 21:13:57 2015
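The six steps Simo lists above, together with Alexander's caveat about a password policy that forbids a second change in quick succession, as an added example in Python. This is not part of the thread and not code from FreeIPA or from the community portal: ResetTokenStore, FakeDirectory and ResetFlow are in-memory stand-ins constructed for the example, the policy values and user names are made up, and no KDC, keytab or LDAP call is made. The directory stand-in assumes, as Simo expects in his reply below, that the administrative reset in step 4 does not itself start the minimum-lifetime window. The example shows the token being burned before any password is touched (steps 1 and 2), the temporary password surviving a rejected step 6 so the form can simply be re-submitted, and the flow failing at step 6 for a user whose policy blocks the second change.

```python
"""Constructed, offline model of the six-step reset flow from the thread.

The token store and the directory are in-memory stand-ins for the portal's
database and for IPA; nothing here talks to a KDC, a keytab or LDAP.
"""
import hashlib
import hmac
import secrets
import time


class PolicyError(Exception):
    """The password change was rejected (wrong old password or policy)."""


def _now(now):
    return time.time() if now is None else now


class ResetTokenStore:
    """Single-use reset tokens, kept only as SHA-256 digests, each with an expiry."""

    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self._tokens = {}  # sha256(token) -> (username, expires_at)

    def issue(self, username, now=None):
        token = secrets.token_urlsafe(32)  # 256 bits of entropy; this goes into the mailed link
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._tokens[digest] = (username, _now(now) + self.ttl)
        return token

    def consume(self, token, now=None):
        """Steps 1 and 2: validate the token and remove it before anything else.

        The token is burned even when it turns out to be expired, so the same
        link can never be used twice.  Returns the username, or None."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._tokens.pop(digest, None)
        if entry is None:
            return None
        username, expires_at = entry
        return None if _now(now) > expires_at else username


class FakeDirectory:
    """Stand-in for the user database with a deliberately small password policy."""

    def __init__(self, min_length=8, min_lifetime_seconds=3600):
        self.min_length = min_length
        self.min_lifetime = min_lifetime_seconds
        self._users = {}  # username -> {"password": str, "last_user_change": float}

    def add_user(self, username, password, last_user_change=0.0):
        self._users[username] = {"password": password, "last_user_change": last_user_change}

    def admin_reset(self, username, new_password):
        """Step 4 as the directory sees it: the portal's service principal sets
        the password.  Assumption (Simo's expectation in his reply below): an
        administrative reset does not start the minimum-lifetime window."""
        self._users[username]["password"] = new_password

    def user_change(self, username, old_password, new_password, now=None):
        """A normal, user-initiated change, subject to the policy."""
        user = self._users[username]
        if not hmac.compare_digest(user["password"].encode(), old_password.encode()):
            raise PolicyError("old password does not match")
        if _now(now) - user["last_user_change"] < self.min_lifetime:
            raise PolicyError("minimum password lifetime not reached")
        if len(new_password) < self.min_length:
            raise PolicyError("password shorter than %d characters" % self.min_length)
        user["password"] = new_password
        user["last_user_change"] = _now(now)

    def check(self, username, password):
        return hmac.compare_digest(self._users[username]["password"].encode(), password.encode())


class ResetFlow:
    """The portal side of steps 1 to 6."""

    def __init__(self, tokens, directory):
        self.tokens = tokens
        self.directory = directory

    def begin(self, token, now=None):
        """Steps 1 to 5.  Returns (username, temporary_password) for the change
        form, where the temporary password becomes the hidden old-password
        field, or None when the link is unknown or expired."""
        username = self.tokens.consume(token, now)
        if username is None:
            return None
        temporary = secrets.token_urlsafe(24)            # step 3: random password
        self.directory.admin_reset(username, temporary)  # step 4: administrative reset
        return username, temporary                       # step 5: render the form

    def complete(self, username, temporary, new_password, now=None):
        """Step 6.  Raises PolicyError when the change is rejected; the caller
        re-renders the form with the same hidden values so the user can retry,
        which is why the temporary password is never discarded early."""
        self.directory.user_change(username, temporary, new_password, now)
        return True
```

Two points the code makes explicit: consume() pops the token before the expiry comparison, so an expired link is discarded on first use rather than left for a later attempt, and the temporary password is not tracked by the portal at all after step 5; it lives only in the hidden field, so a rejected step 6 needs no server-side state to retry.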
From: simo at redhat.com (Simo Sorce)
Date: Thu, 25 Jun 2015 17:13:57 -0400
Subject: [Freeipa-devel] [RFC] Self-service Password Reset
In-Reply-To: <20150625204356.GJ5905@redhat.com>
References: <558C4B15.2030406@redhat.com> <1435259226.22563.76.camel@willson.usersys.redhat.com> <558C52C2.8090506@redhat.com> <558C545F.4090802@redhat.com> <1435261841.4591.6.camel@willson.usersys.redhat.com> <20150625204356.GJ5905@redhat.com>
Message-ID: <1435266837.4591.9.camel@willson.usersys.redhat.com>

On Thu, 2015-06-25 at 23:43 +0300, Alexander Bokovoy wrote:
> On Thu, 25 Jun 2015, Simo Sorce wrote:
> >On Thu, 2015-06-25 at 15:19 -0400, Drew Erny wrote:
> >>
> >> On 06/25/2015 03:13 PM, Drew Erny wrote:
> >> >
> >> >
> >> > On 06/25/2015 03:07 PM, Simo Sorce wrote:
> >> >> On Thu, 2015-06-25 at 14:40 -0400, Drew Erny wrote:
> >> >>> Hi, All,
> >> >>>
> >> >>> FreeIPA's most requested feature just got a proposal.
> >> >>>
> >> >>> Check it out at
> >> >>> http://www.freeipa.org/page/V4/Self_Service_Password_Reset
> >> >>>
> >> >>> I eagerly await your explanations of why this is a terrible idea.
> >> >> Well clearly it is a security nightmare :-D
> >> >> Anyway point 6, it is better to not send any password via email.
> >> >> I see 2/3 options here.
> >> >> 1) Just show the user the new password and a link to go and reset it.
> >> >> 2) Just redirect the user to the Self-Service Password change page and
> >> >> pre-fill the "old password" fields with the newly minted password.
> >> >> 3) Provide a password change with hidden old-password fields straight on
> >> >> the self-service portal.
> >> > I think when I was running this past my peers, they mentioned these
> >> > concerns, and I must've forgotten to update the draft.
> >> >>
> >> >> While 2 would be somewhat nice it is probably difficult because of CSRF
> >> >> protections in FreeIPA, and besides if you already have the password you
> >> >> might as well just use it immediately and save the redirect.
> >> >> So I would
> >> >> prefer 3.
> >> > I prefer 3 as well; I'll amend the draft right now.
> >> >>
> >> >> Simo.
> >> >>
> >> >
> >>
> >> Sorry, I jumped the gun on replying to this email and forgot to sanity
> >> check it.
> >>
> >> Option 3 won't work, because when anybody who is not the user resets the
> >> user's password (including admins, IIRC), the user is prompted to reset
> >> their password upon first login. So, if the user sets a new password
> >> straight on the self-service portal, they'll have to change it
> >> immediately anyway, because the self-service portal will be the "user"
> >> resetting the password, not the actual user.
> >
> >This is not how it works.
> >Follow these steps:
> >1. check that the user used a link with the proper unique reset code in
> >the path or in the query arguments, and validate the link is not
> >expired.
> >2. immediately remove the reset token from the db.
> >3. generate a random password
> >4. use the service keytab to authenticate and reset the user password to
> >the generated random password.
> >5. present the user with a form to enter his new password (a hidden
> >field will contain the random password as old password).
> >6. perform a password reset where the old password is the one you
> >generated in (2) and used in (3) and the new password is the one the
> >user gave you.
> >
> >You will basically go through 2 password changes (one administrative,
> >and one normal), but it's ok.
> This is what I suggested multiple times in the past, see for example,
> http://www.redhat.com/archives/freeipa-users/2012-June/msg00360.html
>
> However, this requires that you have password policy which allows
> subsequent password changes in a short time period.

The administrative reset should not cause the password change blackout
period. If it does it is something we should consider fixing/changing.

Note that if that's the case, a manual approach will be no better as the
user won't be able to immediately change the password as well.
Simo.

--
Simo Sorce * Red Hat, Inc * New York

From mbasti at redhat.com Fri Jun 26 07:43:22 2015
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 26 Jun 2015 09:43:22 +0200
Subject: [Freeipa-devel] [PATCH 0036] Bump minimal BIND version for CentOS
In-Reply-To: <55894D99.4000000@redhat.com>
References: <55894D99.4000000@redhat.com>
Message-ID: <558D029A.9090108@redhat.com>

On 23/06/15 14:14, Petr Spacek wrote:
> Hello,
>
> Bump minimal BIND version for CentOS.
>
> DNSSEC support added dependency on bind-pkcs11 sub-package.
>
> https://fedorahosted.org/freeipa/ticket/4657
>
>
>
ACK

--
Martin Basti

From dkupka at redhat.com Fri Jun 26 08:54:45 2015
From: dkupka at redhat.com (David Kupka)
Date: Fri, 26 Jun 2015 10:54:45 +0200
Subject: [Freeipa-devel] [PATCH 0053] upgrade: Raise error when certmonger is not running.
Message-ID: <558D1355.6050900@redhat.com>

https://fedorahosted.org/freeipa/ticket/5080

--
David Kupka
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-dkupka-0053-upgrade-Raise-error-when-certmonger-is-not-running.patch
Type: text/x-patch
Size: 1149 bytes

From pspacek at redhat.com Fri Jun 26 10:41:36 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Fri, 26 Jun 2015 12:41:36 +0200
Subject: [Freeipa-devel] [PATCH 0038] Add hint how to re-run IPA upgrade
Message-ID: <558D2C60.7050805@redhat.com>

Hello,

Add hint how to re-run IPA upgrade.

--
Petr^2 Spacek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pspacek-0038-Add-hint-how-to-re-run-IPA-upgrade.patch
Type: text/x-patch
Size: 975 bytes

From mbasti at redhat.com Fri Jun 26 11:18:13 2015
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 26 Jun 2015 13:18:13 +0200
Subject: [Freeipa-devel] [PATCH] 881 add python-setuptools to requires
In-Reply-To: <558405CA.6070006@redhat.com>
References: <558405CA.6070006@redhat.com>
Message-ID: <558D34F5.20403@redhat.com>

On 19/06/15 14:06, Petr Vobornik wrote:
> Commit 9f049ca14403f3696d54d186e6b1b15181f055df introduced dependency on
> python-setuptools on line:
> from pkg_resources import parse_version
>
> This dependency is missing on *minimal* installation and then
> ipa-server-upgrade fails on rpm install/upgrade.
>
> With:
> Installing : freeipa-server-4.2.0.alpha1-0.fc22.x86_64 213/213
> Traceback (most recent call last):
> File "/usr/sbin/ipa-server-upgrade", line 10, in
> from ipaserver.install.ipa_server_upgrade import ServerUpgrade
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
> line 10, in
> from ipaserver.install import installutils
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
> line 42, in
> from ipapython import ipautil, sysrestore, admintool, dogtag, version
> File "/usr/lib/python2.7/site-packages/ipapython/sysrestore.py",
> line 35, in
> from ipaplatform.tasks import tasks
> File "/usr/lib/python2.7/site-packages/ipaplatform/tasks.py", line
> 26, in
> from ipaplatform.redhat.tasks import RedHatTaskNamespace
> File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/tasks.py",
> line 46, in
> from ipaplatform.base.tasks import BaseTaskNamespace
> File "/usr/lib/python2.7/site-packages/ipaplatform/base/tasks.py",
> line 28, in
> from pkg_resources import parse_version
> ImportError: No module named pkg_resources
>
>
ACK

--
Martin Basti

From tbordaz at redhat.com Fri Jun 26 12:14:05 2015
From: tbordaz at redhat.com (thierry bordaz)
Date: Fri, 26 Jun 2015 14:14:05 +0200
Subject: [Freeipa-devel] [PATCH 0016] clear start attr from segment after initialization
In-Reply-To: <5587D6FF.8020706@redhat.com>
References: <5587D6FF.8020706@redhat.com>
Message-ID: <558D420D.8010603@redhat.com>

On 06/22/2015 11:35 AM, Ludwig Krispenz wrote:
> fix for ticket #5065, removing start
> - after online init completed
> - additionally check after startup
>
>
Hi Ludwig,

The fix looks good to me. I have just a clarification regarding
ipa_topo_util_reset_init. It resets 'nsds5BeginReplicaRefresh' at the
condition the segment->[left,right]->target=localhost. I would expect it
resets the flag on the master side and so it tests
'segment->[left,right]->origin=localhost'.

thanks
thierry

From pvoborni at redhat.com Fri Jun 26 12:15:00 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 26 Jun 2015 14:15:00 +0200
Subject: [Freeipa-devel] [PATCH] 878 topology: check topology in ipa-replica-manage del
In-Reply-To: <55816149.30007@redhat.com>
References: <55816149.30007@redhat.com>
Message-ID: <558D4244.9020301@redhat.com>

On 06/17/2015 02:00 PM, Petr Vobornik wrote:
> ipa-replica-manage del now:
> - checks the whole current topology(before deletion), reports issues
> - simulates deletion of server and checks the topology again, reports
> issues
>
> Asks admin if he wants to continue with the deletion if any errors are
> found.
>
> https://fedorahosted.org/freeipa/ticket/4302
>
>

Patch with
* changed error messages
* removed question to force removal (--force is needed)
attached.

--
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0878-1-topology-check-topology-in-ipa-replica-manage-del.patch
Type: text/x-patch
Size: 8073 bytes

From pvoborni at redhat.com Fri Jun 26 12:15:56 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 26 Jun 2015 14:15:56 +0200
Subject: [Freeipa-devel] [PATCH] 879 Verify replication topology for a suffix
In-Reply-To: <5581802F.8040203@redhat.com>
References: <55816259.5000502@redhat.com> <558164F9.6050001@redhat.com> <5581802F.8040203@redhat.com>
Message-ID: <558D427C.9040309@redhat.com>

On 06/17/2015 04:11 PM, Petr Vobornik wrote:
> On 06/17/2015 02:15 PM, Ludwig Krispenz wrote:
>>
>> On 06/17/2015 02:04 PM, Petr Vobornik wrote:
>>> With patch "878 topology: check topology in ipa-replica-manage del"
>>> we can use the same logic for POC of
>>> ipa topologysuffix-verify
>>> command.
>>>
>>> Checks done:
>>> 1. check if the topology is not disconnected. In other words if
>>> there are replication paths between all servers.
>>> 2. check if servers don't have more than a recommended number of
>>> replication agreements (which was set to 4)
>>>
>>> I'm not sure what else we want to test but these two seemed as low
>>> hanging fruit.
>> don't know how hard it is, but I had thought of calculating something
>> like a "degree of connectivity", eg to find single points of failure.
>> In a topology A <--> B <--> C <--> D, if B or C are down (temporarily)
>> the topology is disconnected. If extending to
>> A <--> B <--> C <--> D <--> A one server can be taken offline, so a
>> brute force would be to check for each server if it could be removed
>>
>
> The original POC(attached) of the graph traversal did such brute force
> check(only one server removed at a time). In other words, it's easy.
>
> Computing indegree and outdegree of each node is easy as well.
>
>
>>> Additional checks can be also added later.
>>>
>>> https://fedorahosted.org/freeipa/ticket/4302
>>>
>>>
>>>

Rebased patch attached. No new check was implemented.

--
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
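The checks discussed in this thread and in the 878 mail above (connectivity between all servers, the recommended maximum of four agreements per server, and the brute-force "remove one server at a time" search for single points of failure that Ludwig proposed and Petr's POC did), as an added example in Python. It is neither of Petr's patches nor FreeIPA code: the Topology class, verify(), check_deletion() and report() are constructed for this example, server names are made up, and a segment is treated as an undirected edge, which assumes it replicates in both directions. check_deletion() runs the same checks before and after a simulated removal, which is what the 878 mail describes ipa-replica-manage del doing.

```python
"""Constructed example of the topology checks discussed for
`ipa topologysuffix-verify` and `ipa-replica-manage del`.

Servers and segments live in memory; a segment is treated as an undirected
edge (assumption: it replicates in both directions).  Not FreeIPA code.
"""
from collections import deque

MAX_AGREEMENTS = 4  # the recommended maximum quoted in the thread


class Topology:
    def __init__(self, servers, segments):
        """servers: iterable of names; segments: iterable of (left, right) pairs."""
        self.servers = set(servers)
        self.adj = {server: set() for server in self.servers}
        for left, right in segments:
            if left not in self.adj or right not in self.adj:
                raise ValueError("segment %s-%s names an unknown server" % (left, right))
            self.adj[left].add(right)
            self.adj[right].add(left)

    def without(self, server):
        """The topology as it would look after `server` is deleted."""
        remaining = self.servers - {server}
        segments = [(a, b) for a in remaining for b in self.adj[a]
                    if b in remaining and a < b]
        return Topology(remaining, segments)

    def reachable_from(self, start):
        """Breadth-first search along replication segments."""
        seen = {start}
        queue = deque([start])
        while queue:
            node = queue.popleft()
            for neighbour in self.adj[node]:
                if neighbour not in seen:
                    seen.add(neighbour)
                    queue.append(neighbour)
        return seen

    def components(self):
        """Connected components, each sorted; a single component means connected."""
        unseen = set(self.servers)
        found = []
        while unseen:
            component = self.reachable_from(next(iter(unseen)))
            found.append(sorted(component))
            unseen -= component
        return sorted(found)

    def is_connected(self):
        return len(self.components()) <= 1

    def overloaded(self, limit=MAX_AGREEMENTS):
        """Servers with more replication agreements than recommended."""
        return sorted(s for s in self.servers if len(self.adj[s]) > limit)

    def single_points_of_failure(self):
        """Brute force, as Ludwig suggested: drop one server at a time and see
        whether the others still reach each other.  Only meaningful when the
        topology is connected to begin with."""
        if not self.is_connected():
            return []
        return sorted(s for s in self.servers if not self.without(s).is_connected())


def verify(topology, limit=MAX_AGREEMENTS):
    """The two topologysuffix-verify checks plus the single-point-of-failure check."""
    return {
        "components": topology.components(),
        "overloaded": topology.overloaded(limit),
        "single_points_of_failure": topology.single_points_of_failure(),
    }


def check_deletion(topology, server):
    """What the 878 mail describes for ipa-replica-manage del: report on the
    current topology, then on the topology with `server` removed."""
    return {"before": verify(topology), "after": verify(topology.without(server))}


def report(result):
    """Human-readable lines for one verify() result."""
    lines = []
    if len(result["components"]) > 1:
        lines.append("topology is disconnected: %s" % result["components"])
    for server in result["overloaded"]:
        lines.append("%s has more than %d replication agreements" % (server, MAX_AGREEMENTS))
    for server in result["single_points_of_failure"]:
        lines.append("%s is a single point of failure" % server)
    return lines or ["no issues found"]


if __name__ == "__main__":
    # Constructed sample topologies: Ludwig's chain and ring from the mail above.
    chain = Topology("ABCD", [("A", "B"), ("B", "C"), ("C", "D")])
    ring = Topology("ABCD", [("A", "B"), ("B", "C"), ("C", "D"), ("D", "A")])
    for name, topo in (("chain", chain), ("ring", ring)):
        print(name, *report(verify(topo)), sep="\n  ")
    print("deleting B from the chain:", report(check_deletion(chain, "B")["after"]))
```

On the chain A-B-C-D the brute-force pass flags B and C; on the ring it flags nothing, which is exactly the distinction Ludwig draws. The single-point-of-failure search is O(servers) connectivity checks, cheap at the scale of a replication topology, so no articulation-point algorithm is needed.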
Name: freeipa-pvoborni-0879-1-Verify-replication-topology-for-a-suffix.patch
Type: text/x-patch
Size: 6521 bytes

From mbasti at redhat.com Fri Jun 26 12:54:03 2015
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 26 Jun 2015 14:54:03 +0200
Subject: [Freeipa-devel] [PATCH] Use Exception class instead of StandardError
In-Reply-To: <20150609225910.GA6506@mniranja.pnq.redhat.com>
References: <20150601043325.GA5783@mniranja.pnq.redhat.com> <20150602224416.GA4049@mniranja.pnq.redhat.com> <20150609225910.GA6506@mniranja.pnq.redhat.com>
Message-ID: <558D4B6B.6050702@redhat.com>

On 10/06/15 00:59, Niranjan wrote:
> Niranjan wrote:
> Greetings,
>
> Please find the modified patch for ipapython/adminutil.py.
>
> I have run few tests manually like running ipa-server-install
> as non-root user or provide --quiet and --verbose to see
> if it raises ScriptError properly.
>
> Also I checked by running ipa-server-install and using CTRL-C
> to break and see if the KeyboardInterrupt is properly caught.
>
> Please let me know your views on this.
>
> Regards
> Niranjan
>
ACK for IPA 4.3, I don't feel brave enough to push it into IPA 4.2.

Also, would be nice to have migrated all occurrences of StandardError to
Exception, before push.

Martin^2

>
>
>> Niranjan wrote:
>>> Greetings,
>>>
>>> I would like to present patch for replacing StandardError exception
>>> with Exception class in ipapython/adminutil.py. Also replacing
>>> BaseException class with Exception class.
>>>
>>> Though the use of StandardError is many places. I would like to start
>>> with ipapython/adminutil.py
>>>
>>> This is my first patch. Please let me know if my approach on this is
>>> correct.
>> Could anyone have a look at this please.
>>> Regards
>>> Niranjan
>>> From 018312f76952ea86c8c6e2396657e0531d2d61ba Mon Sep 17 00:00:00 2001
>>> From: Niranjan Mallapadi >>> Date: Mon, 1 Jun 2015 09:41:05 +0530 >>> Subject: [PATCH] Use Exception class instead of BaseException >>> >>> 1. Replace BaseException with Exception class. >>> 2. Remove StandardError and use Exception class. StandardError is deprecated (Python3) >>> 3. From Python 3.0, use of "," is not recommended; instead >>> use the "as" keyword (PEP 3110) >>> >>> Signed-off-by: Niranjan Mallapadi >>> --- >>> ipapython/admintool.py | 11 +++++++++-- >>> 1 file changed, 9 insertions(+), 2 deletions(-) >>> >>> diff --git a/ipapython/admintool.py b/ipapython/admintool.py >>> index d55bd18499ac427db8adc0c04096bc2aabdc2bbd..891232b9f387182ac5dbfb279a6f666805261ba1 100644 >>> --- a/ipapython/admintool.py >>> +++ b/ipapython/admintool.py >>> @@ -32,7 +32,7 @@ from ipapython import config >>> from ipapython import ipa_log_manager >>> >>> >>> -class ScriptError(StandardError): >>> +class ScriptError(Exception): >>> """An exception that records an error message and a return value >>> """ >>> def __init__(self, msg='', rval=1):
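Review bot: `class ScriptError(Exception)` is the right base class in this hunk, and the change is required rather than cosmetic: on Python 3 the `StandardError` name does not exist at all, so each remaining `StandardError` site that the cover mail says is still present elsewhere is a `NameError` there and should get the same one-line change in this series, as the review asks for before push.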
>>> @@ -169,13 +169,20 @@ class AdminTool(object): >>> self.ask_for_options() >>> self.setup_logging() >>> return_value = self.run() >>> - except BaseException, exception: >>> + except Exception as exception: >>> traceback = sys.exc_info()[2] >>> error_message, return_value = self.handle_error(exception) >>> if return_value: >>> self.log_failure(error_message, return_value, exception, >>> traceback) >>> return return_value >>> + except SystemExit as exception: >>> + traceback = sys.exc_info()[2] >>> + error_message, return_value = self.handle_error(exception) >>> + if return_value: >>> + self.log_failure(error_message, return_value, exception, >>> + traceback) >>> + return return_value >>> self.log_success() >>> return return_value >>> >>> -- >>> 1.9.3 >>> >> >>> Removed an attachment of 322 bytes with the following headers: >>> >>> Content-Type: application/pgp-signature >>> -- >>> Manage your subscription for the Freeipa-devel mailing list: >>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code > > >> -- >> Manage your subscription for the Freeipa-devel mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-devel >> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code > > -- Martin Basti -------------- next part -------------- An HTML attachment was scrubbed... URL: From pspacek at redhat.com Fri Jun 26 13:58:13 2015 
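Review bot: the `except SystemExit as exception:` branch added in the second hunk repeats the six-line body of the `except Exception` branch verbatim; a single `except (Exception, SystemExit) as exception:` clause keeps the same behaviour without the duplication. Narrowing `BaseException` to `Exception` also means `KeyboardInterrupt`, which derives from `BaseException` rather than `Exception`, no longer reaches `handle_error()` and `log_failure()` through this block, even though the cover mail reports testing Ctrl-C; either add it to the tuple or confirm that the caller handles it.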
From: pspacek at redhat.com (Petr Spacek) Date: Fri, 26 Jun 2015 15:58:13 +0200 Subject: [Freeipa-devel] [PATCH 0039] Rate-limit while loop in SystemdService.is_active() Message-ID: <558D5A75.6010209@redhat.com> Hello, Rate-limit while loop in SystemdService.is_active(). Previously is_active() was frenetically calling systemctl is_active in a tight loop, which in fact made the process slower. -- Petr^2 Spacek -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pspacek-0039-Rate-limit-while-loop-in-SystemdService.is_active.patch Type: text/x-patch Size: 1590 bytes Desc: not available URL: From pspacek at redhat.com Fri Jun 26 14:04:17 2015 From: pspacek at redhat.com (Petr Spacek) Date: Fri, 26 Jun 2015 16:04:17 +0200 Subject: [Freeipa-devel] [PATCH 0040] DNSSEC: Detect invalid master keys in LDAP Message-ID: <558D5BE1.4080102@redhat.com> Hello, DNSSEC: Detect invalid master keys in LDAP. -- Petr^2 Spacek -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pspacek-0040-DNSSEC-Detect-invalid-master-keys-in-LDAP.patch Type: text/x-patch Size: 1560 bytes Desc: not available URL: From pspacek at redhat.com Fri Jun 26 14:06:48 2015 From: pspacek at redhat.com (Petr Spacek) Date: Fri, 26 Jun 2015 16:06:48 +0200 Subject: [Freeipa-devel] [PATCH 0040] DNSSEC: Detect invalid master keys in LDAP In-Reply-To: <558D5BE1.4080102@redhat.com> References: <558D5BE1.4080102@redhat.com> Message-ID: <558D5C78.9050308@redhat.com> On 26.6.2015 16:04, Petr Spacek wrote: > Hello, > > DNSSEC: Detect invalid master keys in LDAP. Corrected patch is attached. -- Petr^2 Spacek -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pspacek-0040-2-DNSSEC-Detect-invalid-master-keys-in-LDAP.patch Type: text/x-patch Size: 1153 bytes Desc: not available URL: From pvoborni at redhat.com Fri Jun 26 14:07:05 2015
From: pvoborni at redhat.com (Petr Vobornik) Date: Fri, 26 Jun 2015 16:07:05 +0200 Subject: [Freeipa-devel] [PATCH] 878 topology: check topology in ipa-replica-manage del In-Reply-To: <558D4244.9020301@redhat.com> References: <55816149.30007@redhat.com> <558D4244.9020301@redhat.com> Message-ID: <558D5C89.2070508@redhat.com> On 06/26/2015 02:15 PM, Petr Vobornik wrote: > On 06/17/2015 02:00 PM, Petr Vobornik wrote: >> ipa-replica-manage del now: >> - checks the whole current topology (before deletion), reports issues >> - simulates deletion of the server and checks the topology again, reports >> issues >> >> Asks the admin if he wants to continue with the deletion if any errors are >> found. >> >> https://fedorahosted.org/freeipa/ticket/4302 >> >> > > Patch with > * changed error messages > * removed question to force removal (--force is needed) > attached. > > Fixed a bug: in a broken topology where there was a segment with a removed replica, building a graph failed. -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0878-2-topology-check-topology-in-ipa-replica-manage-del.patch Type: text/x-patch Size: 8400 bytes Desc: not available URL: From pspacek at redhat.com Fri Jun 26 15:41:21 2015
From: pspacek at redhat.com (Petr Spacek) Date: Fri, 26 Jun 2015 17:41:21 +0200 Subject: [Freeipa-devel] [PATCH 0041] DNSSEC: Accept ipa-ods-exporter commands from command line Message-ID: <558D72A1.4090704@redhat.com> Hello, DNSSEC: Accept ipa-ods-exporter commands from command line. Previously only systemd socket activation was supported. The ability to call the command directly is handy in special cases, e.g. for debugging or moving the key master role from one server to another. -- Petr^2 Spacek -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pspacek-0041-DNSSEC-Accept-ipa-ods-exporter-commands-from-command.patch Type: text/x-patch Size: 5621 bytes Desc: not available URL: From mbasti at redhat.com Fri Jun 26 15:50:34 2015 From: mbasti at redhat.com (Martin Basti) Date: Fri, 26 Jun 2015 17:50:34 +0200 Subject: [Freeipa-devel] [PATCH 0267] Fix broken indices Message-ID: <558D74CA.6050904@redhat.com> Patch fixes the wrong value for the ntUserDomainId and ntUniqueId indices. Patch attached. -- Martin Basti -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0267-Fix-indicies-ntUserDomainId-ntUniqueId.patch Type: text/x-patch Size: 2002 bytes Desc: not available URL: From rcritten at redhat.com Fri Jun 26 15:56:43 2015
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 26 Jun 2015 11:56:43 -0400 Subject: [Freeipa-devel] [PATCH] 1114 don't rely on positional arguments in pykerberos calls Message-ID: <558D763B.2020102@redhat.com> I'm working on rebasing python-kerberos (PyKerberos) in rawhide and when upstream accepted our patch which added the ability to pass in flags to authGSSClientInit() they changed the ordering such that the IPA call will fail as it relies on positional arguments. The fix is simple enough: use named arguments. Still working on the rebase but this patch is obvious. Target would be master branch only. I have no plans on updating python-kerberos in F22. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-1114-pykerberos.patch Type: text/x-diff Size: 1154 bytes Desc: not available URL: From pvoborni at redhat.com Fri Jun 26 16:05:20 2015 From: pvoborni at redhat.com (Petr Vobornik) Date: Fri, 26 Jun 2015 18:05:20 +0200 Subject: [Freeipa-devel] [PATCH 0038] Add hint how to re-run IPA upgrade In-Reply-To: <558D2C60.7050805@redhat.com> References: <558D2C60.7050805@redhat.com> Message-ID: <558D7840.9000600@redhat.com> On 06/26/2015 12:41 PM, Petr Spacek wrote: > Hello, > > Add hint how to re-run IPA upgrade. > ACK -- Petr Vobornik From pvoborni at redhat.com Fri Jun 26 16:05:21 2015 From: pvoborni at redhat.com (Petr Vobornik) Date: Fri, 26 Jun 2015 18:05:21 +0200 Subject: [Freeipa-devel] [PATCH 0053] upgrade: Raise error when certmonger is not running. In-Reply-To: <558D1355.6050900@redhat.com> References: <558D1355.6050900@redhat.com> Message-ID: <558D7841.4010007@redhat.com> On 06/26/2015 10:54 AM, David Kupka wrote: > https://fedorahosted.org/freeipa/ticket/5080 > > ACK -- Petr Vobornik From pspacek at redhat.com Fri Jun 26 16:55:56 2015 
From: pspacek at redhat.com (Petr Spacek) Date: Fri, 26 Jun 2015 18:55:56 +0200 Subject: [Freeipa-devel] [PATCH 0040-0045] DNSSEC improvements Message-ID: <558D841C.1050904@redhat.com> Hello, attached patches implement a portion of improvements for ticket https://fedorahosted.org/freeipa/ticket/4657 It came to my mind that it will be better to review them at once - the previous threads with my patches 40 and 41 can be abandoned. I'm sorry for the mess. -- Petr^2 Spacek -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pspacek-0040-DNSSEC-Detect-invalid-master-keys-in-LDAP.patch Type: text/x-patch Size: 1228 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pspacek-0041-DNSSEC-Accept-ipa-ods-exporter-commands-from-command.patch Type: text/x-patch Size: 5674 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pspacek-0042-DNSSEC-ipa-ods-exporter-move-zone-synchronization-in.patch Type: text/x-patch Size: 5360 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pspacek-0043-DNSSEC-log-ipa-ods-exporter-file-lock-operations-int.patch Type: text/x-patch Size: 1105 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pspacek-0044-DNSSEC-Add-ability-to-trigger-full-data-synchronizat.patch Type: text/x-patch Size: 6046 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pspacek-0045-DNSSEC-Improve-ipa-ods-exporter-log-messages-with-ke.patch Type: text/x-patch Size: 1236 bytes Desc: not available URL: From rcritten at redhat.com Fri Jun 26 17:45:07 2015 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 26 Jun 2015 13:45:07 -0400 Subject: [Freeipa-devel] [PATCH 0053] upgrade: Raise error when certmonger is not running. In-Reply-To: <558D7841.4010007@redhat.com> References: <558D1355.6050900@redhat.com> <558D7841.4010007@redhat.com> Message-ID: <558D8FA3.1020009@redhat.com> Petr Vobornik wrote: > On 06/26/2015 10:54 AM, David Kupka wrote: >> https://fedorahosted.org/freeipa/ticket/5080 >> >> > > ACK Is there a reason we don't simply start certmonger and quit if it fails to start? Wouldn't that be friendlier? rob From simo at redhat.com Fri Jun 26 22:21:06 2015 From: simo at redhat.com (Simo Sorce) Date: Fri, 26 Jun 2015 18:21:06 -0400 Subject: [Freeipa-devel] Issues initializing api Message-ID: <1435357266.4591.19.camel@willson.usersys.redhat.com> If I try to create a custom api with something like: myapi = create_api(mode=None) myapi.finalize() I get back a stacktrace in the aci plugin. The aci plugin assumes the general 'api' has already been initialized and directly dereferences api.env.container_user and other stuff. Do I always have to api.finalize() before creating new api objects? Is there a way to load only the env (all I am really interested in) without loading any plugin? Simo. -- Simo Sorce * Red Hat, Inc * New York From ftweedal at redhat.com Mon Jun 29 05:31:39 2015 From: ftweedal at redhat.com (Fraser Tweedale) Date: Mon, 29 Jun 2015 15:31:39 +1000 Subject: [Freeipa-devel] ipa-kdc-proxy.conf broken symlink after uninstalling ipa Message-ID: <20150629053139.GA6584@dhcp-40-8.bne.redhat.com> Hi Christian, With the kdcproxy change landed, if IPA has been installed and then uninstalled, and then the freeipa-server package erased or downgraded, the /etc/httpd/conf.d/ipa-kdc-proxy.conf symlink remains, and is broken, resulting in an inability to start Apache. Thanks, Fraser From ftweedal at redhat.com Mon Jun 29 06:30:13 2015
From: ftweedal at redhat.com (Fraser Tweedale) Date: Mon, 29 Jun 2015 16:30:13 +1000 Subject: [Freeipa-devel] Upgrade issue when enabling KDC Proxy Message-ID: <20150629063013.GB6584@dhcp-40-8.bne.redhat.com> I am encountering an ipa-server-upgrade failure when upgrading from freeipa-server-4.1.4-4.fc22 to master post-kdcproxy. ipaupgrade.log excerpt below. Thanks, Fraser 2015-06-29T05:47:27Z INFO [Enabling KDC Proxy] 2015-06-29T05:47:27Z DEBUG Backing up system configuration file '/etc/ipa/kdcproxy/ipa-kdc-proxy.conf' 2015-06-29T05:47:27Z DEBUG -> Not backing up - '/etc/ipa/kdcproxy/ipa-kdc-proxy.conf' doesn't exist 2015-06-29T05:47:27Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute return_value = self.run() File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 49, in run server.upgrade() File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1550, in upgrade upgrade_configuration() File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1392, in upgrade_configuration http.enable_kdcproxy() File "/usr/lib/python2.7/site-packages/ipaserver/install/httpinstance.py", line 399, in enable_kdcproxy entry = self.admin_conn.get_entry(entry_name, ['ipaConfigString']) 2015-06-29T05:47:27Z DEBUG The ipa-server-upgrade command failed, exception: AttributeError: 'NoneType' object has no attribute 'get_entry' 2015-06-29T05:47:27Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: AttributeError: 'NoneType' object has no attribute 'get_entry' From mrniranjan at fedoraproject.org Mon Jun 29 06:41:56 2015 
From: mrniranjan at fedoraproject.org (Niranjan) Date: Mon, 29 Jun 2015 12:11:56 +0530 Subject: [Freeipa-devel] [PATCH] Use Exception class instead of StandardError In-Reply-To: <558D4B6B.6050702@redhat.com> References: <20150601043325.GA5783@mniranja.pnq.redhat.com> <20150602224416.GA4049@mniranja.pnq.redhat.com> <20150609225910.GA6506@mniranja.pnq.redhat.com> <558D4B6B.6050702@redhat.com> Message-ID: <20150629064156.GA6005@mniranja.pnq.redhat.com> Martin Basti wrote: > On 10/06/15 00:59, Niranjan wrote: > >Niranjan wrote: > >Greetings, > > > >Please find the modified patch for ipapython/adminutil.py. > > > >I have run a few tests manually, like running ipa-server-install > >as a non-root user or providing --quiet and --verbose to see > >if it raises ScriptError properly. > > > >Also I checked by running ipa-server-install and using CTRL-C > >to break and see if the KeyboardInterrupt is properly caught. > > > >Please let me know your views on this. > > > >Regards > >Niranjan > > > ACK for IPA 4.3, I don't feel brave enough to push it into IPA 4.2. > > Also, it would be nice to have migrated all occurrences of StandardError to > Exception before push. I actually intend to do that, but I thought I would start small and do this for one file before I proceed further. I can send a patch which migrates all occurrences of StandardError to Exception. > > Martin^2 > > > > > > >>Niranjan wrote: > >>>Greetings, > >>> > >>>I would like to present a patch for replacing the StandardError exception > >>>with the Exception class in ipapython/adminutil.py. Also replacing the > >>>BaseException class with the Exception class. > >>> > >>>Though StandardError is used in many places, I would like to start > >>>with ipapython/adminutil.py > >>> > >>>This is my first patch. Please let me know if my approach on this is > >>>correct. > >>Could anyone have a look at this please. > >>>Regards > >>>Niranjan > >>> From 018312f76952ea86c8c6e2396657e0531d2d61ba Mon Sep 17 00:00:00 2001
> >>>From: Niranjan Mallapadi > >>>Date: Mon, 1 Jun 2015 09:41:05 +0530 > >>>Subject: [PATCH] Use Exception class instead of BaseException > >>> > >>>1. Replace BaseException with Exception class. > >>>2. Remove StandardError and use Exception class. StandardError is deprecated (Python3) > >>>3. From Python 3.0, use of "," is not recommended; instead > >>>use the "as" keyword (PEP 3110) > >>> > >>>Signed-off-by: Niranjan Mallapadi > >>>--- > >>> ipapython/admintool.py | 11 +++++++++-- > >>> 1 file changed, 9 insertions(+), 2 deletions(-) > >>> > >>>diff --git a/ipapython/admintool.py b/ipapython/admintool.py > >>>index d55bd18499ac427db8adc0c04096bc2aabdc2bbd..891232b9f387182ac5dbfb279a6f666805261ba1 100644 > >>>--- a/ipapython/admintool.py > >>>+++ b/ipapython/admintool.py > >>>@@ -32,7 +32,7 @@ from ipapython import config > >>> from ipapython import ipa_log_manager > >>>-class ScriptError(StandardError): > >>>+class ScriptError(Exception): > >>> """An exception that records an error message and a return value > >>> """ > >>> def __init__(self, msg='', rval=1):
> >>>@@ -169,13 +169,20 @@ class AdminTool(object): > >>> self.ask_for_options() > >>> self.setup_logging() > >>> return_value = self.run() > >>>- except BaseException, exception: > >>>+ except Exception as exception: > >>> traceback = sys.exc_info()[2] > >>> error_message, return_value = self.handle_error(exception) > >>> if return_value: > >>> self.log_failure(error_message, return_value, exception, > >>> traceback) > >>> return return_value > >>>+ except SystemExit as exception: > >>>+ traceback = sys.exc_info()[2] > >>>+ error_message, return_value = self.handle_error(exception) > >>>+ if return_value: > >>>+ self.log_failure(error_message, return_value, exception, > >>>+ traceback) > >>>+ return return_value > >>> self.log_success() > >>> return return_value > >>>-- > >>>1.9.3 > >>> > >> > >>>Removed an attachment of 322 bytes with the following headers: > >>> > >>>Content-Type: application/pgp-signature > >>>-- > >>>Manage your subscription for the Freeipa-devel mailing list: > >>>https://www.redhat.com/mailman/listinfo/freeipa-devel > >>>Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code > > > > > >>-- > >>Manage your subscription for the Freeipa-devel mailing list: > >>https://www.redhat.com/mailman/listinfo/freeipa-devel > >>Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code > > > > > > > -- > Martin Basti > -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 311 bytes Desc: not available URL: From dkupka at redhat.com Mon Jun 29 07:22:40 2015 
From: dkupka at redhat.com (David Kupka) Date: Mon, 29 Jun 2015 09:22:40 +0200 Subject: [Freeipa-devel] [PATCH 0053] upgrade: Raise error when certmonger is not running. In-Reply-To: <558D8FA3.1020009@redhat.com> References: <558D1355.6050900@redhat.com> <558D7841.4010007@redhat.com> <558D8FA3.1020009@redhat.com> Message-ID: <5590F240.8080301@redhat.com> On 26/06/15 19:45, Rob Crittenden wrote: > Petr Vobornik wrote: >> On 06/26/2015 10:54 AM, David Kupka wrote: >>> https://fedorahosted.org/freeipa/ticket/5080 >>> >>> >> >> ACK > > Is there a reason we don't simply start certmonger and quit if it fails > to start? Wouldn't that be friendlier? > > rob > Yes. The certmonger is configured to be started on boot and should always run. If it is not running then: a) the user turned it off and we don't know why. b) there is a bug in certmonger and it crashed. In either case I think it's better not to start certmonger. -- David Kupka From mbabinsk at redhat.com Mon Jun 29 08:36:50 2015
From: mbabinsk at redhat.com (Martin Babinsky) Date: Mon, 29 Jun 2015 10:36:50 +0200 Subject: [Freeipa-devel] [PATCHES 0042-45] new commands for adding/removing certificates from entries In-Reply-To: <558947C9.9020509@redhat.com> References: <558947C9.9020509@redhat.com> Message-ID: <559103A2.4080706@redhat.com> On 06/23/2015 01:49 PM, Martin Babinsky wrote: > This patchset implements new API commands for manipulating > user/host/service userCertificate attribute alongside some underlying > plumbing. > > PATCH 0045 is a small test suite that I slapped together since manual > testing of this stuff is very cumbersome. It requires my PATCH 0040 to > apply and work which was pushed to master recently > (commit 74883bbc959058c8bfafd9f63e8fad0e3792ac28). > > The work is related to http://www.freeipa.org/page/V4/User_Certificates > and https://fedorahosted.org/freeipa/ticket/4238 > > > Attaching updated patches. Here are some notes for Jan because I did some things differently than we agreed on during review: 1.) I chose not to rename 'usercertificate' to 'usercertificate;binary' and back in pre/post callbacks. Despite the fact that the correct way to name the certificate attribute is 'usercertificate;binary', I feel that suddenly renaming it in the new code is asking for trouble. I'm all for changing the mapping between CLI options and actual attribute names but it should be done in a systematic fashion. 2.) I have kept the `normalize_certs` function. It has the potential to catch incorrectly formatted/encoded certificates and in a way circumvents the slightly demented way the framework deals with supposedly binary data. I have also added two negative test cases which deal with incorrectly encoded and formatted certificates. -- Martin^3 Babinsky -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-mbabinsk-0045.1-test-suite-for-user-host-service-certificate-managem.patch Type: text/x-patch Size: 12207 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0044.1-new-commands-to-manage-user-host-service-certificate.patch Type: text/x-patch Size: 14815 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0043.1-service-plugin-separate-functions-for-certificate-no.patch Type: text/x-patch Size: 2302 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0042.1-baseldap-add-support-for-API-commands-managing-only-.patch Type: text/x-patch Size: 4749 bytes Desc: not available URL: From mbasti at redhat.com Mon Jun 29 08:44:10 2015 From: mbasti at redhat.com (Martin Basti) Date: Mon, 29 Jun 2015 10:44:10 +0200 Subject: [Freeipa-devel] [PATCH] 00015 User life cycle: permission to delete a preserved user In-Reply-To: <55882504.4040703@redhat.com> References: <55882504.4040703@redhat.com> Message-ID: <5591055A.8010505@redhat.com> On 22/06/15 17:08, thierry bordaz wrote: > Add the permission to Stage users administrators to delete already > preserved user > > > > ACK -- Martin Basti -------------- next part -------------- An HTML attachment was scrubbed... URL: From cheimes at redhat.com Mon Jun 29 08:54:50 2015 
From: cheimes at redhat.com (Christian Heimes) Date: Mon, 29 Jun 2015 10:54:50 +0200 Subject: [Freeipa-devel] Fix removal of ipa-kdc-proxy.conf symlink Message-ID: <559107DA.7080503@redhat.com> Hello, the attached patch fixes the first bug, that was reported by Fraser today. installutils.remove_file() uses os.path.exists() to check if the file still exists, which in turn uses stat(2). I have modified the function to use os.path.lexists() instead. It doesn't follow symlinks. Because httpinstance first removes the target file /etc/ipa/kdcproxy/ipa-kdc-proxy.conf before it tries to remove the symlink /etc/httpd/conf.d/ipa-kdc-proxy.conf, the installutils.remove_file() ignores the dangling symlink. Christian -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-cheimes-0002-Fix-removal-of-ipa-kdc-proxy.conf.patch Type: text/x-patch Size: 1881 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From cheimes at redhat.com Mon Jun 29 08:57:28 2015 
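The exists()/lexists() distinction Christian describes, replayed on a constructed dangling symlink, as an added Python example that is not FreeIPA's installutils code; the remove_file_old/remove_file names and the temp-dir stand-ins for the two config paths are assumptions of the example.

```python
import os
import tempfile


def remove_file_old(path):
    """Pre-fix behaviour from the thread: os.path.exists() calls stat(2),
    which follows symlinks, so a dangling link looks as if it were absent."""
    if os.path.exists(path):
        os.remove(path)
        return True
    return False


def remove_file(path):
    """Fixed behaviour: os.path.lexists() uses lstat(2) and therefore still
    reports a symlink whose target is already gone."""
    if os.path.lexists(path):
        os.remove(path)
        return True
    return False


def demo_dangling_symlink(remover):
    """Replay the uninstall order from the thread inside a temp directory:
    the target file is removed first, then the symlink pointing at it.
    Returns (seen_by_exists, seen_by_lexists, removed, link_left_behind)."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-ins (assumption) for /etc/ipa/kdcproxy/ipa-kdc-proxy.conf
        # and the /etc/httpd/conf.d/ipa-kdc-proxy.conf symlink pointing at it.
        target = os.path.join(tmp, "ipa-kdc-proxy.conf")
        link = os.path.join(tmp, "conf.d-ipa-kdc-proxy.conf")
        with open(target, "w") as handle:
            handle.write("# constructed sample config\n")
        os.symlink(target, link)

        os.remove(target)  # target goes first, leaving `link` dangling
        seen_by_exists = os.path.exists(link)    # False: stat() follows the link
        seen_by_lexists = os.path.lexists(link)  # True: lstat() sees the link itself
        removed = remover(link)
        return seen_by_exists, seen_by_lexists, removed, os.path.lexists(link)


if __name__ == "__main__":
    print("old remove_file:", demo_dangling_symlink(remove_file_old))  # link survives
    print("new remove_file:", demo_dangling_symlink(remove_file))      # link removed
```

A leftover dangling link in conf.d is exactly what stopped Apache in Fraser's report, so the last tuple element is the value worth checking after an uninstall.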
From: cheimes at redhat.com (Christian Heimes) Date: Mon, 29 Jun 2015 10:57:28 +0200 Subject: [Freeipa-devel] ipa-kdc-proxy.conf broken symlink after uninstalling ipa In-Reply-To: <20150629053139.GA6584@dhcp-40-8.bne.redhat.com> References: <20150629053139.GA6584@dhcp-40-8.bne.redhat.com> Message-ID: <55910878.70000@redhat.com> On 2015-06-29 07:31, Fraser Tweedale wrote: > Hi Christian, > > With the kdcproxy change landed, if IPA has been installed and then > uninstalled, and then the freeipa-server package erased or downgraded, > the /etc/httpd/conf.d/ipa-kdc-proxy.conf symlink remains, and is > broken, resulting in an inability to start Apache. Hi Fraser, I must confess that I didn't check Apache after uninstalling FreeIPA on my test box. I posted a trivial patch that addresses the issue. Thanks for testing! Christian -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From pspacek at redhat.com Mon Jun 29 09:05:43 2015
From: pspacek at redhat.com (Petr Spacek) Date: Mon, 29 Jun 2015 11:05:43 +0200 Subject: [Freeipa-devel] [PATCH 0053] upgrade: Raise error when certmonger is not running. In-Reply-To: <5590F240.8080301@redhat.com> References: <558D1355.6050900@redhat.com> <558D7841.4010007@redhat.com> <558D8FA3.1020009@redhat.com> <5590F240.8080301@redhat.com> Message-ID: <55910A67.5000103@redhat.com> On 29.6.2015 09:22, David Kupka wrote: > On 26/06/15 19:45, Rob Crittenden wrote: >> Petr Vobornik wrote: >>> On 06/26/2015 10:54 AM, David Kupka wrote: >>>> https://fedorahosted.org/freeipa/ticket/5080 >>>> >>>> >>> >>> ACK >> >> Is there a reason we don't simply start certmonger and quit if it fails >> to start? Wouldn't that be friendlier? >> >> rob >> > > Yes. The certmonger is configured to be started on boot and should always run. > If it is not running then: > a) the user turned it off and we don't know why. > b) there is a bug in certmonger and it crashed. > > In either case I think it's better not to start certmonger. For the record, I agree with David. -- Petr^2 Spacek From cheimes at redhat.com Mon Jun 29 09:43:32 2015 From: cheimes at redhat.com (Christian Heimes) Date: Mon, 29 Jun 2015 11:43:32 +0200 Subject: [Freeipa-devel] Fix upgrade of HTTPInstance for KDC Proxy Message-ID: <55911344.2090507@redhat.com> Hello, the attached patch makes sure that HTTPInstance has an admin_conn LDAP connection. Without the LDAP connection, HTTPInstance.enable_kdcproxy() fails. Christian -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-cheimes-0003-Fix-upgrade-of-HTTPInstance-for-KDC-Proxy.patch Type: text/x-patch Size: 1143 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From mbasti at redhat.com Mon Jun 29 10:24:55 2015
From: mbasti at redhat.com (Martin Basti) Date: Mon, 29 Jun 2015 12:24:55 +0200 Subject: [Freeipa-devel] [PATCH] 1113 Hosts add their own services In-Reply-To: <55884A64.6040003@redhat.com> References: <55884A64.6040003@redhat.com> Message-ID: <55911CF7.30906@redhat.com> On 22/06/15 19:48, Rob Crittenden wrote: > Add an ACI to allow a host to add its own services. This only grants > add access. It can't subsequently delete or modify the entry. > > This requires 389-ds-1.3.4.0 GA. > > rob > > ACK -- Martin Basti -------------- next part -------------- An HTML attachment was scrubbed... URL: From mbasti at redhat.com Mon Jun 29 10:47:40 2015 
From: mbasti at redhat.com (Martin Basti) Date: Mon, 29 Jun 2015 12:47:40 +0200 Subject: [Freeipa-devel] [PATCH 0014] correct handling of one directional segments In-Reply-To: <55813843.5050100@redhat.com> References: <557FEF38.9000700@redhat.com> <55803DFF.7040805@redhat.com> <558120D1.2010700@redhat.com> <5581316A.1020608@redhat.com> <55813843.5050100@redhat.com> Message-ID: <5591224C.2090509@redhat.com> On 17/06/15 11:05, Ludwig Krispenz wrote: > > On 06/17/2015 10:35 AM, thierry bordaz wrote: >> On 06/17/2015 09:25 AM, Ludwig Krispenz wrote: >>> Hi, >>> thanks for the review, see answers inline. >>> >>> On 06/16/2015 05:17 PM, thierry bordaz wrote: >>>> On 06/16/2015 11:41 AM, Ludwig Krispenz wrote: >>>>> this patch addresses issues in checking existing segments for one >>>>> directional segments and correctly handles the merging of >>>>> segments, so that all agreements will be removed when the merged >>>>> segment is deleted >>>>> >>>>> >>>> >>>> This is looking good to me with a few comments >>>> >>>> * in ipa_topo_cfg_replica_segment_find, if 'dir=0' or >>>> 'dir=bidirectional' the reverse direction is bidirectional. >>>> Is it the expected result? >>>> >>> yes. 0 does not exist as a valid direction and if we are looking for >>> (A,B,both) this could also be expressed as (B,A,both). we do not >>> really look for an opposite direction of (A,B,dir) but for a segment >>> (B,A,revdir) which covers this segment. >>>> >>>> * in ipa_topo_check_segment_is_valid and >>>> ipa_topo_util_find_segment, maybe hardening >>>> leftnode,rightnode,dir if they are NULL. (if the entry violates the >>>> schema). >>>> >>> if we can arrive at a state where an entry violates the schema I >>> think we have more trouble, I want to avoid adding code for handling >>> errors which cannot exist. >> >> Hi Ludwig, >> >> thanks for your explanations. All of them make sense and so for me >> the patch is valid. >> >> I have a minor question about schema violation.
When we add an entry, >> in preop we did not yet check the schema. >> So ipa_topo_pre_add->ipa_topo_check_segment_is_valid may be called >> with an invalid segment entry where some attributes are missing (like >> ipaReplTopoSegmentDirection). > good point, in preop we cannot rely on the schema being checked, need to > add a check. >> >> Also something that is not clear to me. >> I have a segment seg=ipa_topo_cfg_replica_segment_find(.., A, B, >> SEGMENT_RIGHT_LEFT, ..);. my understanding is that seg->right != 0 >> and seg->left == 0. is that correct? > no :-) one directional segments are a bit confusing. a replication > agreement B-->A can be represented by a segment (A,B,right-left) or > (B,A,left-right). when doing segment_find (A,B,right-left) we are > looking if any segment covers this and the result could be a segment > (B,A,left-right) with seg->left != 0 >> >> thanks >> thierry >>>> >>>> * ipa_topo_util_segm_dir if direction does not match any of the >>>> strings, it returns -1. 0 would be better if we decide to test >>>> bit mask. >>>> >>> yes, but in preop we check that only valid directions are added, so >>> it might be unnecessary to handle it, but if you want I can change it. >>>> >>>> * in ipa_topo_util_segment_update:810, ex_segm is a right_left >>>> segment. Why trying to call ipa_topo_cfg_agmt_dup with >>>> ex_segm->left in priority. Why not ex_segm->right first? >>>> >>> no, we don't know if it is a right-left segment. we have >>> (A,B,left-right), the segment for the other direction could be >>> (A,B,right-left) or (B,A,left-right). All we know is that it is not >>> bidirectional, otherwise (A,B,left-right) would have been rejected >>> in the preop test. So there is one agmt, left or right, and take the >>> existing one. >>>> >>>> * >>>> >>>> >>>> * in ipa_topo_util_delete_segments_for_host, If segment >>>> localhost->delhost is bidirectional, how can a >>>> reverse segment delhost->localhost exist? I thought those segments >>>> had been merged?
>>>> >>> if it is bidirectional check_reverse is set to 0 and reverse is not >>> attempted >>>> >>>> >>>> Thanks >>>> thierry >>> >> > > > Hello, what is the status of this patch? Also there are 2 whitespace errors. Ludwig's PATCH 15 depends on this patch, it would be nice to have this acked, to unblock review. Martin^2 -- Martin Basti -------------- next part -------------- An HTML attachment was scrubbed... URL: From mbasti at redhat.com Mon Jun 29 11:14:50 2015 From: mbasti at redhat.com (Martin Basti) Date: Mon, 29 Jun 2015 13:14:50 +0200 Subject: [Freeipa-devel] [PATCH 0040-0045] DNSSEC improvements In-Reply-To: <558D841C.1050904@redhat.com> References: <558D841C.1050904@redhat.com> Message-ID: <559128AA.9070704@redhat.com> On 26/06/15 18:55, Petr Spacek wrote: > Hello, > > attached patches implement a portion of improvements for ticket > https://fedorahosted.org/freeipa/ticket/4657 > > It came to my mind that it will be better to review them at once - the > previous threads with my patches 40 and 41 can be abandoned. > > I'm sorry for the mess. > > > ACK -- Martin Basti -------------- next part -------------- An HTML attachment was scrubbed... URL: From mbabinsk at redhat.com Mon Jun 29 11:23:51 2015 From: mbabinsk at redhat.com (Martin Babinsky) Date: Mon, 29 Jun 2015 13:23:51 +0200 Subject: [Freeipa-devel] [PATCH 0267] Fix broken indices In-Reply-To: <558D74CA.6050904@redhat.com> References: <558D74CA.6050904@redhat.com> Message-ID: <55912AC7.6020801@redhat.com> On 06/26/2015 05:50 PM, Martin Basti wrote: > Patch fixes the wrong value for the ntUserDomainId and ntUniqueId indices. > > Patch attached. > > > ACK -- Martin^3 Babinsky From mbasti at redhat.com Mon Jun 29 11:28:26 2015
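The checks Petr Vobornik lists for ipa topologysuffix-verify earlier on this page (connectivity, the recommended limit of 4 agreements, and Ludwig's brute-force single-point-of-failure idea) together with the one-directional segment semantics Ludwig explains in the thread above, as an added Python example that is not the FreeIPA topology plugin or its C code; the (left, right, direction) tuples, the direction strings, the function names and counting only outbound agreements per server are assumptions of the example.

```python
from collections import defaultdict, deque

# Recommended per-server maximum quoted in the thread.
MAX_AGREEMENTS = 4

# Direction values are an assumption of this example, modelled on the
# (left, right, direction) segments discussed by Ludwig and thierry.
BOTH, LEFT_RIGHT, RIGHT_LEFT = "both", "left-right", "right-left"


def agreements(segments):
    """Expand segments into directed replication agreements (supplier, consumer).

    A one-directional segment (A, B, RIGHT_LEFT) denotes the single agreement
    B -> A, exactly as (B, A, LEFT_RIGHT) does; BOTH yields both agreements.
    """
    agmts = set()
    for left, right, direction in segments:
        if direction in (BOTH, LEFT_RIGHT):
            agmts.add((left, right))
        if direction in (BOTH, RIGHT_LEFT):
            agmts.add((right, left))
    return agmts


def find_segment(segments, left, right, direction):
    """Return the first existing segment that covers (left, right, direction),
    i.e. one that already carries every agreement the requested one would add.
    So (A, B, RIGHT_LEFT) is covered by (B, A, LEFT_RIGHT) or by either
    bidirectional form, mirroring the segment_find semantics in the thread."""
    wanted = agreements([(left, right, direction)])
    for segment in segments:
        if wanted <= agreements([segment]):
            return segment
    return None


def reachable(agmts, start, excluded=()):
    """Servers reachable from `start` along agreements, skipping servers in
    `excluded` (simulates them being offline or deleted)."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for src, dst in agmts:
            if src == node and dst not in seen and dst not in excluded:
                seen.add(dst)
                queue.append(dst)
    return seen


def is_connected(servers, agmts, excluded=()):
    """Check 1: every remaining server has a replication path to every other."""
    remaining = set(servers) - set(excluded)
    return all(reachable(agmts, s, excluded) >= remaining for s in remaining)


def single_points_of_failure(servers, agmts):
    """Ludwig's brute-force idea: take each server offline in turn and report
    those whose absence leaves the rest of the topology disconnected."""
    return sorted(s for s in servers if not is_connected(servers, agmts, {s}))


def over_connected(agmts, limit=MAX_AGREEMENTS):
    """Check 2: servers with more outbound agreements than the recommended
    limit. Counting outbound agreements only is an assumption of this example."""
    counts = defaultdict(int)
    for src, _dst in agmts:
        counts[src] += 1
    return sorted(s for s, n in counts.items() if n > limit)


def verify_topology(servers, segments):
    """Run all checks and return a list of issues, empty when the topology is fine."""
    agmts = agreements(segments)
    issues = []
    if not is_connected(servers, agmts):
        issues.append("topology is disconnected")
    else:
        for s in single_points_of_failure(servers, agmts):
            issues.append("server %s is a single point of failure" % s)
    for s in over_connected(agmts):
        issues.append("server %s has more than %d agreements" % (s, MAX_AGREEMENTS))
    return issues


# Constructed sample topologies from the thread: a chain and the same chain
# closed into a ring (not data from any real deployment).
SERVERS = ["A", "B", "C", "D"]
CHAIN = [("A", "B", BOTH), ("B", "C", BOTH), ("C", "D", BOTH)]
RING = CHAIN + [("D", "A", BOTH)]

if __name__ == "__main__":
    print("chain:", verify_topology(SERVERS, CHAIN))  # B and C are single points of failure
    print("ring: ", verify_topology(SERVERS, RING))   # no issues
```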
From: mbasti at redhat.com (Martin Basti) Date: Mon, 29 Jun 2015 13:28:26 +0200 Subject: [Freeipa-devel] [PATCH 0039] Rate-limit while loop in SystemdService.is_active() In-Reply-To: <558D5A75.6010209@redhat.com> References: <558D5A75.6010209@redhat.com> Message-ID: <55912BDA.2070500@redhat.com> On 26/06/15 15:58, Petr Spacek wrote: > Hello, > > Rate-limit while loop in SystemdService.is_active(). > > Previously is_active() was frenetically calling systemctl is_active in > tight loop which in fact made the process slower. > ACK -- Martin Basti From mbasti at redhat.com Mon Jun 29 11:30:02 2015 From: mbasti at redhat.com (Martin Basti) Date: Mon, 29 Jun 2015 13:30:02 +0200 Subject: [Freeipa-devel] [PATCH] 865 fix handling of ldap.LDAPError in installer In-Reply-To: <55706C71.5020702@redhat.com> References: <55706C71.5020702@redhat.com> Message-ID: <55912C3A.5080102@redhat.com> On 04/06/15 17:19, Petr Vobornik wrote: > based on: http://fpaste.org/228856/25049143/ > > The patch is not tested. > > Description: > 'info' is optional component in LDAPError > > http://www.python-ldap.org/doc/html/ldap.html#exceptions > > ACK -- Martin Basti -------------- next part -------------- An HTML attachment was scrubbed... URL: From tbabej at redhat.com Mon Jun 29 11:31:10 2015 
From: tbabej at redhat.com (Tomas Babej) Date: Mon, 29 Jun 2015 13:31:10 +0200 Subject: [Freeipa-devel] [PATCH 0036] Bump minimal BIND version for CentOS In-Reply-To: <558D029A.9090108@redhat.com> References: <55894D99.4000000@redhat.com> <558D029A.9090108@redhat.com> Message-ID: <55912C7E.5080107@redhat.com> On 06/26/2015 09:43 AM, Martin Basti wrote: > On 23/06/15 14:14, Petr Spacek wrote: >> Hello, >> >> Bump minimal BIND version for CentOS. >> >> DNSSEC support added dependency on bind-pkcs11 sub-package. >> >> https://fedorahosted.org/freeipa/ticket/4657 >> >> >> > ACK > > -- > Martin Basti > > > Pushed to master: 9b6f1a4f9f7718819105da10a4ab20e66fe578b5 From tbabej at redhat.com Mon Jun 29 11:36:45 2015 From: tbabej at redhat.com (Tomas Babej) Date: Mon, 29 Jun 2015 13:36:45 +0200 Subject: [Freeipa-devel] [PATCH 0040-0045] DNSSEC improvements In-Reply-To: <559128AA.9070704@redhat.com> References: <558D841C.1050904@redhat.com> <559128AA.9070704@redhat.com> Message-ID: <55912DCD.9020608@redhat.com> On 06/29/2015 01:14 PM, Martin Basti wrote: > On 26/06/15 18:55, Petr Spacek wrote: >> Hello, >> >> attached patches implement a portion of improvements for ticket >> https://fedorahosted.org/freeipa/ticket/4657 >> >> It came to my mind that it will be better to review them at once - the >> previous threads with my patches 40 and 41 can be abandoned. >> >> I'm sorry for the mess. >> >> >> > ACK > > -- > Martin Basti > > > Martin told me offline there is some potential issue with the patch, so it should not be pushed as of now. From tbabej at redhat.com Mon Jun 29 11:37:59 2015 
From: tbabej at redhat.com (Tomas Babej) Date: Mon, 29 Jun 2015 13:37:59 +0200 Subject: [Freeipa-devel] [PATCH] 865 fix handling of ldap.LDAPError in installer In-Reply-To: <55706C71.5020702@redhat.com> References: <55706C71.5020702@redhat.com> Message-ID: <55912E17.40402@redhat.com> On 06/04/2015 05:19 PM, Petr Vobornik wrote: > based on: http://fpaste.org/228856/25049143/ > > The patch is not tested. > > Description: > 'info' is an optional component in LDAPError > > http://www.python-ldap.org/doc/html/ldap.html#exceptions > > Pushed to master: 29c01e5ef4d4bb8c608720c3e027d8d75b24fcd3 From tbabej at redhat.com Mon Jun 29 11:39:46 2015 From: tbabej at redhat.com (Tomas Babej) Date: Mon, 29 Jun 2015 13:39:46 +0200 Subject: [Freeipa-devel] [PATCH 0039] Rate-limit while loop in SystemdService.is_active() In-Reply-To: <55912BDA.2070500@redhat.com> References: <558D5A75.6010209@redhat.com> <55912BDA.2070500@redhat.com> Message-ID: <55912E82.1080207@redhat.com> On 06/29/2015 01:28 PM, Martin Basti wrote: > On 26/06/15 15:58, Petr Spacek wrote: >> Hello, >> >> Rate-limit while loop in SystemdService.is_active(). >> >> Previously is_active() was frenetically calling systemctl is_active in a >> tight loop which in fact made the process slower. >> > ACK > Pushed to master: ee84c6ae78b55fc097cd586129f2d94eef22ab0a From tbabej at redhat.com Mon Jun 29 11:41:04 2015 From: tbabej at redhat.com (Tomas Babej) Date: Mon, 29 Jun 2015 13:41:04 +0200 Subject: [Freeipa-devel] [PATCH 0267] Fix broken indicies In-Reply-To: <55912AC7.6020801@redhat.com> References: <558D74CA.6050904@redhat.com> <55912AC7.6020801@redhat.com> Message-ID: <55912ED0.3010700@redhat.com> On 06/29/2015 01:23 PM, Martin Babinsky wrote: > On 06/26/2015 05:50 PM, Martin Basti wrote: >> Patch fixes wrong value for ntUserDomainId and ntUniqueId indices. >> >> Patch attached. >> >> >> > ACK > Pushed to master: 16f47ed4520d4f89db39d1dc58be7a8efb1d8612 From tbabej at redhat.com Mon Jun 29 11:45:26 2015
From: tbabej at redhat.com (Tomas Babej) Date: Mon, 29 Jun 2015 13:45:26 +0200 Subject: [Freeipa-devel] [PATCH] 1113 Hosts add their own services In-Reply-To: <55911CF7.30906@redhat.com> References: <55884A64.6040003@redhat.com> <55911CF7.30906@redhat.com> Message-ID: <55912FD6.3000307@redhat.com> On 06/29/2015 12:24 PM, Martin Basti wrote: > On 22/06/15 19:48, Rob Crittenden wrote: >> Add an ACI to allow a host to add its own services. This only grants >> add access. It can't subsequently delete or modify the entry. >> >> This requires 389-ds-1.3.4.0 GA. >> >> rob >> >> > ACK > > -- > Martin Basti > > > Pushed to master: ce50630d5ece036e35d8e11db8383e4e7e9159ae Patch needs a rebase if it is required for 4.1 branch too. From jhrozek at redhat.com Mon Jun 29 11:46:39 2015 
From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 29 Jun 2015 13:46:39 +0200 Subject: [Freeipa-devel] [PATCH 0051] Clear SSSD caches when uninstalling the client In-Reply-To: References: <5571BA2C.4050601@redhat.com> <20150605150836.GK9480@hendrix.arn.redhat.com> <20150605155324.GL9480@hendrix.arn.redhat.com> Message-ID: <20150629114639.GB6442@hendrix.redhat.com> On Fri, Jun 05, 2015 at 11:31:54AM -0600, Gabe Alford wrote: > Thanks. Updated patch attached. > > On Fri, Jun 5, 2015 at 9:53 AM, Jakub Hrozek wrote: > > > On Fri, Jun 05, 2015 at 09:46:05AM -0600, Gabe Alford wrote: > > > How should ? > > > https://www.redhat.com/archives/freeipa-users/2015-June/msg00116.html be > > > handled where the user cleared out the db cache? > > > > Ah, I confused that one with another issue Jan Pazdziora had, which was > > incidentally about client uninstall as well. > > > > In that case, you can just remove the single ldb file that corresponds > > to the domain that the client is leaving. Maybe it would be safer to mv > > the files instead of remove them, but I guess if you run --uninstall, > > you really want just to purge everything.. > > > > btw do the ipa installer tools support multiple domains at all? > > > > -- > > Manage your subscription for the Freeipa-devel mailing list: > > https://www.redhat.com/mailman/listinfo/freeipa-devel > > Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code > > > From 40f7c3780baaf0b42d10c94c8527c9359a42247f Mon Sep 17 00:00:00 2001 > From: Gabe > Date: Fri, 5 Jun 2015 11:27:46 -0600 > Subject: [PATCH] Clear SSSD caches when uninstalling the client > > https://fedorahosted.org/freeipa/ticket/5049 Conceptually LGTM, but I haven't tested the patch. From tbabej at redhat.com Mon Jun 29 11:47:27 2015 
From: tbabej at redhat.com (Tomas Babej) Date: Mon, 29 Jun 2015 13:47:27 +0200 Subject: [Freeipa-devel] [PATCH 0053] upgrade: Raise error when certmonger is not running. In-Reply-To: <55910A67.5000103@redhat.com> References: <558D1355.6050900@redhat.com> <558D7841.4010007@redhat.com> <558D8FA3.1020009@redhat.com> <5590F240.8080301@redhat.com> <55910A67.5000103@redhat.com> Message-ID: <5591304F.70502@redhat.com> On 06/29/2015 11:05 AM, Petr Spacek wrote: > On 29.6.2015 09:22, David Kupka wrote: >> On 26/06/15 19:45, Rob Crittenden wrote: >>> Petr Vobornik wrote: >>>> On 06/26/2015 10:54 AM, David Kupka wrote: >>>>> https://fedorahosted.org/freeipa/ticket/5080 >>>>> >>>>> >>>> >>>> ACK >>> >>> Is there a reason we don't simply start certmonger and quit if it fails >>> to start? Wouldn't that be friendlier? >>> >>> rob >>> >> >> Yes. The certmonger is configured to be started on boot and should always run. >> If it is not running then: >> a) user turned it off and we don't know why. >> b) there is a bug in certmonger and it crashed. >> >> In either case I think it's better not to start certmonger. > > For the record, I agree with David. > Pushed to master: e3d3938f44a2444e18620b43b5734a8f27bb2c8b From tbordaz at redhat.com Mon Jun 29 11:50:02 2015
From: tbordaz at redhat.com (thierry bordaz) Date: Mon, 29 Jun 2015 13:50:02 +0200 Subject: [Freeipa-devel] [PATCH 0014] correct handling of one directional segments In-Reply-To: <5591224C.2090509@redhat.com> References: <557FEF38.9000700@redhat.com> <55803DFF.7040805@redhat.com> <558120D1.2010700@redhat.com> <5581316A.1020608@redhat.com> <55813843.5050100@redhat.com> <5591224C.2090509@redhat.com> Message-ID: <559130EA.9020607@redhat.com> On 06/29/2015 12:47 PM, Martin Basti wrote: > On 17/06/15 11:05, Ludwig Krispenz wrote: >> >> On 06/17/2015 10:35 AM, thierry bordaz wrote: >>> On 06/17/2015 09:25 AM, Ludwig Krispenz wrote: >>>> Hi, >>>> thanks for review, see answers inline. >>>> >>>> On 06/16/2015 05:17 PM, thierry bordaz wrote: >>>>> On 06/16/2015 11:41 AM, Ludwig Krispenz wrote: >>>>>> this patch addresses issues in checking existing segments for one >>>>>> directional segments and correctly handles the merging of >>>>>> segments, so that all agreements will be removed when the merged >>>>>> segment is deleted >>>>>> >>>>>> >>>>> >>>>> This is looking good to me with a few comments >>>>> >>>>> * in ipa_topo_cfg_replica_segment_find, if 'dir=0' or >>>>> 'dir=bidirectional' the reverse direction is bidirectional. >>>>> Is it the expected result? >>>>> >>>> yes. 0 does not exist as a valid direction and if we are looking for >>>> (A,B,both) this could also be expressed as (B,A,both). we do not >>>> really look for an opposite direction of (A,B,dir) but for a segment >>>> (B,A,revdir) which covers this segment. >>>>> >>>>> * in ipa_topo_check_segment_is_valid and >>>>> ipa_topo_util_find_segment, maybe harden >>>>> leftnode, rightnode, dir if they are NULL (if the entry violates >>>>> the schema). >>>>> >>>> if we can arrive at a state where an entry violates the schema I >>>> think we have more trouble, I want to avoid adding code for >>>> handling errors which cannot exist. >>> >>> Hi Ludwig, >>> >>> thanks for your explanations.
All of them make sense and so for me >>> the patch is valid. >>> >>> I have a minor question about schema violation. When we add an >>> entry, in preop we did not yet check the schema. >>> So ipa_topo_pre_add->ipa_topo_check_segment_is_valid may be called >>> with an invalid segment entry where some attributes are missing >>> (like ipaReplTopoSegmentDirection). >> good point, in preop we cannot rely on the schema being checked, need to >> add a check. >>> >>> Also something that is not clear to me. >>> I have a segment seg=ipa_topo_cfg_replica_segment_find(.., A, B, >>> SEGMENT_RIGHT_LEFT, ..);. my understanding is that seg->right != 0 >>> and seg->left == 0. is that correct? >> no :-) one directional segments are a bit confusing. a replication >> agreement B-->A can be represented by a segment (A,B,right-left) or >> (B,A,left-right). when doing segment_find (A,B,right-left) we are >> looking if any segment covers this and the result could be a segment >> (B,A,left-right) with seg->left != 0 >>> >>> thanks >>> thierry >>>>> >>>>> * ipa_topo_util_segm_dir if direction does not match any of the >>>>> strings, it returns -1. 0 would be better if we decide to test >>>>> bit mask. >>>>> >>>> yes, but in preop we check that only valid directions are added, so >>>> it might be unnecessary to handle it, but if you want I can change it. >>>>> >>>>> * in ipa_topo_util_segment_update:810, ex_segm is a right_left >>>>> segment. Why trying to call ipa_topo_cfg_agmt_dup with >>>>> ex_segm->left in priority. Why not ex_segm->right first? >>>>> >>>> no, we don't know if it is a right-left segment. we have >>>> (A,B,left-right), the segment for the other direction could be >>>> (A,B,right-left) or (B,A,left-right). All we know is that it is not >>>> bidirectional, otherwise (A,B,left-right) would have been rejected >>>> in the preop test. So there is one agmt, left or right and take the >>>> existing one.
>>>>> >>>>> * >>>>> >>>>> >>>>> * in ipa_topo_util_delete_segments_for_host, If segment >>>>> localhost->delhost is bidirectional, how can there exist a >>>>> reverse segment delhost->localhost? I thought those segments >>>>> have been merged? >>>>> >>>> if it is bidirectional check_reverse is set to 0 and reverse is not >>>> attempted >>>>> >>>>> >>>>> Thanks >>>>> thierry >>>> >>> >> >> >> > Hello, what is the status of this patch? > > Also there are 2 whitespace errors. > > Ludwig's PATCH 15 depends on this patch, would be nice to have this > acked, to unblock review. > > Martin^2 > > -- > Martin Basti Hello, The fix is good except some sanity checks that Ludwig will add with https://fedorahosted.org/freeipa/ticket/5088. ACK thanks thierry From tbabej at redhat.com Mon Jun 29 11:51:11 2015 From: tbabej at redhat.com (Tomas Babej) Date: Mon, 29 Jun 2015 13:51:11 +0200 Subject: [Freeipa-devel] [PATCH] 00015 User life cycle: permission to delete a preserved user In-Reply-To: <5591055A.8010505@redhat.com> References: <55882504.4040703@redhat.com> <5591055A.8010505@redhat.com> Message-ID: <5591312F.5080801@redhat.com> On 06/29/2015 10:44 AM, Martin Basti wrote: > On 22/06/15 17:08, thierry bordaz wrote: >> Add the permission for Stage users administrators to delete an already >> preserved user >> >> >> >> > > ACK > > -- > Martin Basti > > > Pushed to master: ffd6b039a755016c3de22a11fec037eca7180a79 From tbabej at redhat.com Mon Jun 29 11:53:09 2015
From: tbabej at redhat.com (Tomas Babej) Date: Mon, 29 Jun 2015 13:53:09 +0200 Subject: [Freeipa-devel] [PATCH 0014] correct handling of one directional segments In-Reply-To: <559130EA.9020607@redhat.com> References: <557FEF38.9000700@redhat.com> <55803DFF.7040805@redhat.com> <558120D1.2010700@redhat.com> <5581316A.1020608@redhat.com> <55813843.5050100@redhat.com> <5591224C.2090509@redhat.com> <559130EA.9020607@redhat.com> Message-ID: <559131A5.3060000@redhat.com> On 06/29/2015 01:50 PM, thierry bordaz wrote: > On 06/29/2015 12:47 PM, Martin Basti wrote: >> On 17/06/15 11:05, Ludwig Krispenz wrote: >>> >>> On 06/17/2015 10:35 AM, thierry bordaz wrote: >>>> On 06/17/2015 09:25 AM, Ludwig Krispenz wrote: >>>>> Hi, >>>>> thanks for review, see answers inline. >>>>> >>>>> On 06/16/2015 05:17 PM, thierry bordaz wrote: >>>>>> On 06/16/2015 11:41 AM, Ludwig Krispenz wrote: >>>>>>> this patch addresses issues in checking existing segments for one >>>>>>> directional segments and correctly handles the merging of >>>>>>> segments, so that all agreements will be removed when the merged >>>>>>> segment is deleted >>>>>>> >>>>>>> >>>>>> >>>>>> This is looking good to me with a few comments >>>>>> >>>>>> * in ipa_topo_cfg_replica_segment_find, if 'dir=0' or >>>>>> 'dir=bidirectional' the reverse direction is bidirectional. >>>>>> Is it the expected result? >>>>>> >>>>> yes. 0 does not exist as a valid direction and if we are looking for >>>>> (A,B,both) this could also be expressed as (B,A,both). we do not >>>>> really look for an opposite direction of (A,B,dir) but for a segment >>>>> (B,A,revdir) which covers this segment. >>>>>> >>>>>> * in ipa_topo_check_segment_is_valid and >>>>>> ipa_topo_util_find_segment, maybe harden >>>>>> leftnode, rightnode, dir if they are NULL (if the entry violates >>>>>> the schema).
>>>>>> >>>>> if we can arrive at a state where an entry violates the schema I >>>>> think we have more trouble, I want to avoid adding code for >>>>> handling errors which cannot exist. >>>> >>>> Hi Ludwig, >>>> >>>> thanks for your explanations. All of them make sense and so for me >>>> the patch is valid. >>>> >>>> I have a minor question about schema violation. When we add an >>>> entry, in preop we did not yet check the schema. >>>> So ipa_topo_pre_add->ipa_topo_check_segment_is_valid may be called >>>> with an invalid segment entry where some attributes are missing >>>> (like ipaReplTopoSegmentDirection). >>> good point, in preop we cannot rely on the schema being checked, need to >>> add a check. >>>> >>>> Also something that is not clear to me. >>>> I have a segment seg=ipa_topo_cfg_replica_segment_find(.., A, B, >>>> SEGMENT_RIGHT_LEFT, ..);. my understanding is that seg->right != 0 >>>> and seg->left == 0. is that correct? >>> no :-) one directional segments are a bit confusing. a replication >>> agreement B-->A can be represented by a segment (A,B,right-left) or >>> (B,A,left-right). when doing segment_find (A,B,right-left) we are >>> looking if any segment covers this and the result could be a segment >>> (B,A,left-right) with seg->left != 0 >>>> >>>> thanks >>>> thierry >>>>>> >>>>>> * ipa_topo_util_segm_dir if direction does not match any of the >>>>>> strings, it returns -1. 0 would be better if we decide to test >>>>>> bit mask. >>>>>> >>>>> yes, but in preop we check that only valid directions are added, so >>>>> it might be unnecessary to handle it, but if you want I can change it. >>>>>> >>>>>> * in ipa_topo_util_segment_update:810, ex_segm is a right_left >>>>>> segment. Why trying to call ipa_topo_cfg_agmt_dup with >>>>>> ex_segm->left in priority. Why not ex_segm->right first? >>>>>> >>>>> no, we don't know if it is a right-left segment.
we have >>>>> (A,B,left-right), the segment for the other direction could be >>>>> (A,B,right-left) or (B,A,left-right). All we know is that it is not >>>>> bidirectional, otherwise (A,B,left-right) would have been rejected >>>>> in the preop test. So there is one agmt, left or right and take the >>>>> existing one. >>>>>> >>>>>> * >>>>>> >>>>>> >>>>>> * in ipa_topo_util_delete_segments_for_host, If segment >>>>>> localhost->delhost is bidirectional, how can there exist a >>>>>> reverse segment delhost->localhost? I thought those segments >>>>>> have been merged? >>>>>> >>>>> if it is bidirectional check_reverse is set to 0 and reverse is not >>>>> attempted >>>>>> >>>>>> >>>>>> Thanks >>>>>> thierry >>>>> >>>> >>> >>> >>> >> Hello, what is the status of this patch? >> >> Also there are 2 whitespace errors. >> >> Ludwig's PATCH 15 depends on this patch, would be nice to have this >> acked, to unblock review. >> >> Martin^2 >> >> -- >> Martin Basti > Hello, > > The fix is good except some sanity checks that Ludwig will add with > https://fedorahosted.org/freeipa/ticket/5088. > > ACK > > thanks > thierry > > Pushed to master: a86f2b3c624335a8f6bb211d52dc17b490b80d25 From tbabej at redhat.com Mon Jun 29 11:55:01 2015 From: tbabej at redhat.com (Tomas Babej) Date: Mon, 29 Jun 2015 13:55:01 +0200 Subject: [Freeipa-devel] [PATCH 0038] Add hint how to re-run IPA upgrade In-Reply-To: <558D7840.9000600@redhat.com> References: <558D2C60.7050805@redhat.com> <558D7840.9000600@redhat.com> Message-ID: <55913215.5080806@redhat.com> On 06/26/2015 06:05 PM, Petr Vobornik wrote: > On 06/26/2015 12:41 PM, Petr Spacek wrote: >> Hello, >> >> Add hint how to re-run IPA upgrade. >> > > ACK Pushed to master: d5a07b50b4d8900c16dd8672e21de34647fff9ec From tbabej at redhat.com Mon Jun 29 11:56:18 2015
From: tbabej at redhat.com (Tomas Babej) Date: Mon, 29 Jun 2015 13:56:18 +0200 Subject: [Freeipa-devel] [PATCH] 881 add python-setuptools to requires In-Reply-To: <558D34F5.20403@redhat.com> References: <558405CA.6070006@redhat.com> <558D34F5.20403@redhat.com> Message-ID: <55913262.3040602@redhat.com> On 06/26/2015 01:18 PM, Martin Basti wrote: > On 19/06/15 14:06, Petr Vobornik wrote: >> Commit 9f049ca14403f3696d54d186e6b1b15181f055df introduced a dependency on >> python-setuptools on line: >> from pkg_resources import parse_version >> >> This dependency is missing on *minimal* installation and then >> ipa-server-upgrade fails on rpm install/upgrade. >> >> With: >> Installing : freeipa-server-4.2.0.alpha1-0.fc22.x86_64 213/213 >> Traceback (most recent call last): >> File "/usr/sbin/ipa-server-upgrade", line 10, in >> from ipaserver.install.ipa_server_upgrade import ServerUpgrade >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", >> line 10, in >> from ipaserver.install import installutils >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", >> line 42, in >> from ipapython import ipautil, sysrestore, admintool, dogtag, version >> File "/usr/lib/python2.7/site-packages/ipapython/sysrestore.py", >> line 35, in >> from ipaplatform.tasks import tasks >> File "/usr/lib/python2.7/site-packages/ipaplatform/tasks.py", line >> 26, in >> from ipaplatform.redhat.tasks import RedHatTaskNamespace >> File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/tasks.py", >> line 46, in >> from ipaplatform.base.tasks import BaseTaskNamespace >> File "/usr/lib/python2.7/site-packages/ipaplatform/base/tasks.py", >> line 28, in >> from pkg_resources import parse_version >> ImportError: No module named pkg_resources >> >> > ACK > > -- > Martin Basti > > > Pushed to master: 99b8499513915646dd6efe6d0f6a320b3e969190 From tbabej at redhat.com Mon Jun 29 12:33:17 2015
From: tbabej at redhat.com (Tomas Babej) Date: Mon, 29 Jun 2015 14:33:17 +0200 Subject: [Freeipa-devel] [PATCH 0040-0045] DNSSEC improvements In-Reply-To: <55912DCD.9020608@redhat.com> References: <558D841C.1050904@redhat.com> <559128AA.9070704@redhat.com> <55912DCD.9020608@redhat.com> Message-ID: <55913B0D.5090906@redhat.com> On 06/29/2015 01:36 PM, Tomas Babej wrote: > > > On 06/29/2015 01:14 PM, Martin Basti wrote: >> On 26/06/15 18:55, Petr Spacek wrote: >>> Hello, >>> >>> attached patches implement a portion of improvements for ticket >>> https://fedorahosted.org/freeipa/ticket/4657 >>> >>> It came to my mind that it will be better to review them at once - the >>> previous threads with my patches 40 and 41 can be abandoned. >>> >>> I'm sorry for the mess. >>> >>> >>> >> ACK >> >> -- >> Martin Basti >> >> >> > > Martin told me offline there is some potential issue with the patch, so > it should not be pushed as of now. > Pushed to: ipa-4-1: a9831406bf0d205ac431aadc32b7ef03f74a2bfc master: f9cbdd4915d13cd6e20fe7631d3c95c1352860f9 From mbasti at redhat.com Mon Jun 29 13:16:07 2015 
From: mbasti at redhat.com (Martin Basti) Date: Mon, 29 Jun 2015 15:16:07 +0200 Subject: [Freeipa-devel] [PATCHES 0252-0253, 268] DNSSEC: allow to move DNSSEC key master to another IPA server In-Reply-To: <558BEA12.8060601@redhat.com> References: <555CAFAC.2050803@redhat.com> <55717FD9.6010002@redhat.com> <5580275F.1000106@redhat.com> <5581596D.9080209@redhat.com> <55815BF8.50202@redhat.com> <558BEA12.8060601@redhat.com> Message-ID: <55914517.7090404@redhat.com> On 25/06/15 13:46, Petr Spacek wrote: > On 17.6.2015 13:37, Martin Basti wrote: >> On 17/06/15 13:26, Petr Spacek wrote: >>> On 16.6.2015 15:40, Martin Basti wrote: >>>> On 05/06/15 12:54, Petr Spacek wrote: >>>>> On 20.5.2015 18:00, Martin Basti wrote: >>>>>> This patch allows disabling the DNSSEC key master on an IPA server, or replacing >>>>>> the current DNSSEC key master with another IPA server. >>>>>> >>>>>> Only for master branch. >>>>>> >>>>>> https://fedorahosted.org/freeipa/ticket/4657 >>>>>> >>>>>> Patches attached. >>>>> NACK. This happens on DNSSEC key master: >>>>> $ ipa-dns-install --disable-dnssec-master >>>>> >>>>> Do you want to disable current DNSSEC key master? [no]: yes >>>>> Unexpected error - see /var/log/ipaserver-install.log for details: >>>>> TypeError: sequence item 0: expected string, DNSName found >>>>> 2015-06-05T10:52:35Z DEBUG File >>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line >>>>> 733, in run_script >>>>> return_value = main_function() >>>>> >>>>> File "/sbin/ipa-dns-install", line 128, in main >>>>> dns_installer.disable_dnssec_master(options.unattended) >>>>> >>>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/dns.py", line >>>>> 112, >>>>> in disable_dnssec_master >>>>> ", ".join(dnssec_zones)) >>>>> >>>>> 2015-06-05T10:52:35Z DEBUG The ipa-dns-install command failed, exception: >>>>> TypeError: sequence item 0: expected string, DNSName found >>>>> >>>> Updated patches attached. >>>> >>>> Due to the new installers, more changes were required.
>>> Sorry, NACK, I'm not able to apply this patch set to current master >>> (69607250b9762a6c9b657dd31653b03d54a7b411). >>> >> Rebased patches attached. > NACK. > > > 0) ipa-dns-install --replace-dnssec-master always puts the file into > /root/ipa-kasp.db. > > It would be better to put it into the local working directory or /var/lib/ipa (as > with replica files). > > > 1) I installed the DNSSEC key master role on vm-134 but DNSSEC services were > not stopped by ipactl stop: > > [root@vm-134 review]# ipactl stop > Stopping ipa-otpd Service > Stopping httpd Service > Stopping ipa_memcached Service > Stopping kadmin Service > Stopping krb5kdc Service > Stopping Directory Service > ipa: INFO: The ipactl command was successful > > [root@vm-134 review]# ipactl start > Starting Directory Service > Starting krb5kdc Service > Starting kadmin Service > Starting named Service > Starting ipa_memcached Service > Starting httpd Service > Starting ipa-otpd Service > Starting ipa-ods-exporter Service > Starting ods-enforcerd Service > Starting ipa-dnskeysyncd Service > > Subsequent ipactl stop worked fine, only the first one is affected. > > > 2a) vm-134 was the original master. I ran this: > > [root@vm-134 review]# ipa-dns-install > --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com > > ... and then attempted to install master to vm-059: > [root@vm-059 review]# ipa-dns-install --dnssec-master > > This command was accepted despite the missing --kasp-db option and wrong > replica name. > > It should error out and tell the user to run the command with the --kasp-db option. > > Even better, we could get rid of explicit replica name specification in > the --replace-dnssec-master option and allow running the installation with --kasp-db on > any replica as long as the kasp.db file is provided. > > > > 2b) Attempt to move DNSSEC key master from vm-134 to vm-090 *without* > specifying the --kasp-db option was accepted.
> > [root@vm-090 review]# ipa-dns-install --dnssec-master > > As in case (2a), it should print what the user is supposed to do. > > I propose the following text: > > Current DNSSEC key master is being > moved to different server. > > You need to copy kasp.db file from and > run following command to complete the transition: > > # ipa-dns-install --dnssec-master --kasp-db=/path/to/the/copied/kasp.db > > > > 3) [root@vm-134 review]# ipa-dns-install > --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com > does not remove the ISMASTER option from file /etc/sysconfig/ipa-dnskeysyncd . > > > 4) [root@vm-134 review]# ipa-dns-install > --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com > > it is possible to run > > [root@vm-134 review]# ipa-dns-install --dnssec-master > > again without --kasp-db and it is accepted. > > Moreover, in this case ipaConfigString "NEW_DNSSEC_MASTER" is not properly > removed from > cn=DNSKeySync,cn=vm-090.abc.idm.lab.eng.brq.redhat.com,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example. > > > > 5) Sequence of commands > [root@vm-134 review]# ipa-dns-install > --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com > > [root@vm-090 review]# ipa-replica-manage del vm-134.abc.idm.lab.eng.brq.redhat.com > > allows me to run > [root@vm-090 review]# ipa-dns-install --dnssec-master > > without the --kasp-db option, it does not throw an error, and the information that > some other master existed somewhere is lost. > > It would probably be better to replace this and to use some global attribute > in cn=dns so similar problems do not happen. > > > > 6) The migration itself seems to work, KASP DB seems to work properly, however > it is necessary to run the 'ods-ksmutil zonelist' command *before* all the daemons > on the new master are (re)started. This needs to be done to re-generate the file > /etc/opendnssec/zonelist.xml from the new (copied) DB. > > Here please be careful about file permissions.
> > The command should be run under the 'ods' user to avoid permission clobbering. > > > Thank you for your hard work on this! > New patches attached. A major part of the code was changed. Please apply patch 268 first. -- Martin Basti Attachments: freeipa-mbasti-0252.4-DNSSEC-allow-to-disable-replace-DNSSEC-key-master.patch (text/x-patch, 24350 bytes); freeipa-mbasti-0253.4-DNSSEC-update-message.patch (text/x-patch, 1050 bytes); freeipa-mbasti-0268-Allow-to-run-subprocess-with-suplementary-groups.patch (text/x-patch, 3182 bytes) From ftweedal at redhat.com Mon Jun 29 13:22:10 2015 From: ftweedal at redhat.com (Fraser Tweedale) Date: Mon, 29 Jun 2015 23:22:10 +1000 Subject: [Freeipa-devel] Fix removal of ipa-kdc-proxy.conf symlink In-Reply-To: <559107DA.7080503@redhat.com> References: <559107DA.7080503@redhat.com> Message-ID: <20150629132210.GD6584@dhcp-40-8.bne.redhat.com> On Mon, Jun 29, 2015 at 10:54:50AM +0200, Christian Heimes wrote: > Hello, > > the attached patch fixes the first bug, that was reported by Fraser > today. installutils.remove_file() uses os.path.exists() to check if the > file still exists, which in turn uses stat(2). I have modified the > function to use os.path.lexists() instead. It doesn't follow symlinks. > > Because httpinstance first removes the target file > /etc/ipa/kdcproxy/ipa-kdc-proxy.conf before it tries to remove the > symlink /etc/httpd/conf.d/ipa-kdc-proxy.conf, the > installutils.remove_file() ignores the dangling symlink. > > Christian ACK From dkupka at redhat.com Mon Jun 29 13:33:25 2015
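The exists()/lexists() distinction Christian describes above, as an added worked example (not the FreeIPA patch or its installutils.remove_file()): a constructed target file plus a symlink to it, deleted in the same order httpinstance uses (target first, link second), once with an os.path.exists() guard and once with os.path.lexists(). File names are stand-ins for the real /etc/ipa/kdcproxy and /etc/httpd/conf.d paths.

```python
"""Added example: why a dangling symlink survives an os.path.exists() guard.

Constructed scenario, not FreeIPA code: a config file and a symlink to it,
removed in the order the thread describes (target first, link second).
"""
import os
import tempfile


def remove_file_exists(path):
    """Guard with os.path.exists(): it stat(2)s through the link, so once the
    target is gone the dangling link looks absent and is silently kept."""
    if os.path.exists(path):
        os.remove(path)
        return True
    return False


def remove_file_lexists(path):
    """Guard with os.path.lexists(): true for the link entry itself, target
    or not. os.remove() unlinks the link and never touches what it points to."""
    if os.path.lexists(path):
        os.remove(path)
        return True
    return False


def leftover_after_uninstall(remover):
    """Replay the uninstall order with `remover` for the symlink step.
    Returns the dangling link's name if one was left behind, else None."""
    with tempfile.TemporaryDirectory() as tmp:
        # stand-ins for /etc/ipa/kdcproxy/ipa-kdc-proxy.conf and the
        # /etc/httpd/conf.d symlink pointing at it (constructed sample)
        target = os.path.join(tmp, "ipa-kdc-proxy.conf")
        link = os.path.join(tmp, "conf.d-ipa-kdc-proxy.conf")
        with open(target, "w") as fh:
            fh.write("# constructed sample, not a real kdcproxy config\n")
        os.symlink(target, link)

        os.remove(target)   # step 1: the real file goes away
        remover(link)       # step 2: the symlink should go away too
        return os.path.basename(link) if os.path.lexists(link) else None


if __name__ == "__main__":
    print("exists() guard leaves:", leftover_after_uninstall(remove_file_exists))
    print("lexists() guard leaves:", leftover_after_uninstall(remove_file_lexists))
```

The leftover matters beyond tidiness: a dangling link in a web server's conf.d directory is inert only until something recreates the target, at which point the old configuration is silently active again. Unlinking via the link path is the right call in uninstall code, since os.remove() on a symlink removes the link entry and never the file it referenced.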
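Petr's point 6 above (run the OpenDNSSEC step under the 'ods' user to avoid permission clobbering) and the title of Martin's patch 268 (run a subprocess with supplementary groups) describe the same mechanism. The following is an added example of that mechanism in plain Python, not the FreeIPA patch or ipautil: a subprocess preexec hook that switches to a named account including its supplementary groups, in the order the kernel requires. The 'ods' user and the ods-ksmutil arguments in the comment are assumptions for illustration; the test run uses the current user so it works without root.

```python
"""Added example: run a helper as another account with its supplementary groups.

Not FreeIPA's own code. The 'ods' account and command line mentioned in the
comments are assumptions taken from the review thread, not verified names.
"""
import os
import pwd
import subprocess
import sys


def resolve_identity(username):
    """uid and primary gid for `username` from the passwd database."""
    entry = pwd.getpwnam(username)
    return entry.pw_uid, entry.pw_gid


def drop_to(username):
    """Return a preexec_fn that switches the child process to `username`.

    Order matters: supplementary groups and gid first, uid last, because once
    the uid is unprivileged the group changes would be refused (EPERM).
    It is a no-op when the caller already is that user, so the example also
    runs unprivileged."""
    uid, gid = resolve_identity(username)

    def _preexec():
        if os.geteuid() == uid and os.getegid() == gid:
            return
        os.initgroups(username, gid)   # supplementary groups from the group database
        os.setgid(gid)
        os.setuid(uid)

    return _preexec


def run_as(username, argv, **kwargs):
    """subprocess.run() with the identity switch applied in the child.
    Raises CalledProcessError on a non-zero exit."""
    return subprocess.run(argv, preexec_fn=drop_to(username),
                          capture_output=True, text=True, check=True, **kwargs)


def child_identity(username):
    """Effective 'uid gid' as seen by a child started under `username`."""
    probe = "import os; print(os.geteuid(), os.getegid())"
    return run_as(username, [sys.executable, "-c", probe]).stdout.strip()


def current_user():
    return pwd.getpwuid(os.geteuid()).pw_name


def current_identity():
    return f"{os.geteuid()} {os.getegid()}"


if __name__ == "__main__":
    # On a DNSSEC key master the step from the review would look roughly like
    # (user and arguments assumed):  run_as("ods", ["ods-ksmutil", "zonelist", "export"])
    print(child_identity(current_user()))
```

Running the regeneration step this way, rather than as root followed by a chown, means every file the helper creates is owned by the service account from the start; there is no window in which a root-owned file with the wrong mode sits in the daemon's directory.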
From: dkupka at redhat.com (David Kupka) Date: Mon, 29 Jun 2015 15:33:25 +0200 Subject: [Freeipa-devel] [PATCH] 877 fix force-sync, re-initialize of replica and a check for replication agreement existence In-Reply-To: <557F0B12.3050903@redhat.com> References: <557F0B12.3050903@redhat.com> Message-ID: <55914925.7090707@redhat.com> On 15/06/15 19:27, Petr Vobornik wrote: > in other words limit usage of `agreement_dn` method only for manipulation > and search of agreements which are not managed by topology plugin. > > For other cases is safer to search for the agreement. > > https://fedorahosted.org/freeipa/ticket/5066 > > Works for me, ACK. -- David Kupka From dkupka at redhat.com Mon Jun 29 13:33:26 2015 From: dkupka at redhat.com (David Kupka) Date: Mon, 29 Jun 2015 15:33:26 +0200 Subject: [Freeipa-devel] [PATCH] 878 topology: check topology in ipa-replica-manage del In-Reply-To: <558D4244.9020301@redhat.com> References: <55816149.30007@redhat.com> <558D4244.9020301@redhat.com> Message-ID: <55914926.6010204@redhat.com> On 26/06/15 14:15, Petr Vobornik wrote: > On 06/17/2015 02:00 PM, Petr Vobornik wrote: >> ipa-replica-manage del now: >> - checks the whole current topology(before deletion), reports issues >> - simulates deletion of server and checks the topology again, reports >> issues >> >> Asks admin if he wants to continue with the deletion if any errors are >> found. >> >> https://fedorahosted.org/freeipa/ticket/4302 >> >> > > Patch with > * changed error messages > * removed question to force removal (--force is needed) > attached. > > Works for me, ACK. -- David Kupka From dkupka at redhat.com Mon Jun 29 13:33:28 2015 
From: dkupka at redhat.com (David Kupka) Date: Mon, 29 Jun 2015 15:33:28 +0200 Subject: [Freeipa-devel] [PATCH] 879 Verify replication topology for a suffix In-Reply-To: <558D427C.9040309@redhat.com> References: <55816259.5000502@redhat.com> <558164F9.6050001@redhat.com> <5581802F.8040203@redhat.com> <558D427C.9040309@redhat.com> Message-ID: <55914928.7020600@redhat.com> On 26/06/15 14:15, Petr Vobornik wrote: > On 06/17/2015 04:11 PM, Petr Vobornik wrote: >> On 06/17/2015 02:15 PM, Ludwig Krispenz wrote: >>> >>> On 06/17/2015 02:04 PM, Petr Vobornik wrote: >>>> With patch "878 topology: check topology in ipa-replica-manage del" >>>> we can use the same logic for POC of >>>> ipa topologysuffix-verify >>>> command. >>>> >>>> Checks done: >>>> 1. check if the topology is not disconnected. In other words if >>>> there are replication paths between all servers. >>>> 2. check if servers don't have more than a recommended number of >>>> replication agreements (which was set to 4) >>>> >>>> I'm not sure what else we want to test but these two seemed as low >>>> hanging fruit. >>> don't know how hard it is, but I had thought of calculating something >>> like a "degree of connectivity", eg to find single points of failure. >>> In a topology A <--> B <--> C <--> D, if B or C are down (temporarily) >>> the topology is disconnected. If extending to >>> A <--> B <--> C <--> D <--> A one server can be taken offline, so a >>> brute force would be to check for each server if it could be removed >>> >> >> The original POC (attached) of the graph traversal did such brute force >> check (only one server removed at a time). In other words, it's easy. >> >> Computing indegree and outdegree of each node is easy as well. >> >> >>>> Additional checks can be also added later. >>>> >>>> https://fedorahosted.org/freeipa/ticket/4302 >>>> >>>> >>>> > > Rebased patch attached. No new check was implemented. > > Works for me, ACK. -- David Kupka From ftweedal at redhat.com Mon Jun 29 13:33:42 2015
From: ftweedal at redhat.com (Fraser Tweedale) Date: Mon, 29 Jun 2015 23:33:42 +1000 Subject: [Freeipa-devel] Fix upgrade of HTTPInstance for KDC Proxy In-Reply-To: <55911344.2090507@redhat.com> References: <55911344.2090507@redhat.com> Message-ID: <20150629133342.GE6584@dhcp-40-8.bne.redhat.com> On Mon, Jun 29, 2015 at 11:43:32AM +0200, Christian Heimes wrote: > Hello, > > the attached patch makes sure that HTTPInstance has an admin_conn LDAP > connection. Without the LDAP connection, HTTPInstance.enable_kdcproxy() > fails. > > Christian ACK; upgrade from 4.1.4 to master+patch works. From mbasti at redhat.com Mon Jun 29 13:50:22 2015 
From: mbasti at redhat.com (Martin Basti) Date: Mon, 29 Jun 2015 15:50:22 +0200 Subject: [Freeipa-devel] [PATCH 0051] Clear SSSD caches when uninstalling the client In-Reply-To: <20150629114639.GB6442@hendrix.redhat.com> References: <5571BA2C.4050601@redhat.com> <20150605150836.GK9480@hendrix.arn.redhat.com> <20150605155324.GL9480@hendrix.arn.redhat.com> <20150629114639.GB6442@hendrix.redhat.com> Message-ID: <55914D1E.2070600@redhat.com> On 29/06/15 13:46, Jakub Hrozek wrote: > On Fri, Jun 05, 2015 at 11:31:54AM -0600, Gabe Alford wrote: >> Thanks. Updated patch attached. >> >> On Fri, Jun 5, 2015 at 9:53 AM, Jakub Hrozek wrote: >> >>> On Fri, Jun 05, 2015 at 09:46:05AM -0600, Gabe Alford wrote: >>>> How should ? >>>> https://www.redhat.com/archives/freeipa-users/2015-June/msg00116.html be >>>> handled where the user cleared out the db cache? >>> Ah, I confused that one with another issue Jan Pazdziora had, which was >>> incidentally about client uninstall as well. >>> >>> In that case, you can just remove the single ldb file that corresponds >>> to the domain that the client is leaving. Maybe it would be safer to mv >>> the files instead of remove them, but I guess if you run --uninstall, >>> you really want just to purge everything.. >>> >>> btw do the ipa installer tools support multiple domains at all? >>> >>> -- >>> Manage your subscription for the Freeipa-devel mailing list: >>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code >>> >> From 40f7c3780baaf0b42d10c94c8527c9359a42247f Mon Sep 17 00:00:00 2001 >> From: Gabe >> Date: Fri, 5 Jun 2015 11:27:46 -0600 >> Subject: [PATCH] Clear SSSD caches when uninstalling the client >> >> https://fedorahosted.org/freeipa/ticket/5049 > Conceptually LGTM, but I haven't tested the patch. > ACK, I did testing. -- Martin Basti From ftweedal at redhat.com Mon Jun 29 14:03:13 2015 
From: ftweedal at redhat.com (Fraser Tweedale) Date: Tue, 30 Jun 2015 00:03:13 +1000 Subject: [Freeipa-devel] [PATCH] 0020..0022 pki-related upgrade fixes In-Reply-To: <558BC875.1040002@redhat.com> References: <20150619072838.GR29330@dhcp-40-8.bne.redhat.com> <558BC875.1040002@redhat.com> Message-ID: <20150629140313.GH6584@dhcp-40-8.bne.redhat.com> On Thu, Jun 25, 2015 at 11:23:01AM +0200, Martin Basti wrote: > On 19/06/15 09:28, Fraser Tweedale wrote: > >The attached patches fix upgrade issues when pki is also updated > >from pre 10.2.4. > > > >pki dependency is bumped to 10.2.5 - the official builds should be > >done Friday (US time) but it is available from my copr[1]. If > >someone wants to add to official freeipa COPR in meantime the SRPM > >is here[2]. > > > >[1] https://copr.fedoraproject.org/coprs/ftweedal/freeipa/ > >[2] https://ftweedal.fedorapeople.org/pki-core-10.2.5-0.2.fc21.src.rpm > > > >Thanks, > >Fraser > > > > > Thank you. > > 1) > I cannot apply patches. > Rebased patches attached. > 2) > IMO patch 0020 was fixed with my patch 266 > It seems we are hitting another case of LDAP disconnection during upgrade; without 0020 the upgrade fails. There might be a better way so let me know if you have ideas. > 3) > This print should not be there > + > + print cs_cfg > + for profile_id in profile_ids: > Thanks; removed. > 4) > This is an unused variable, it is defined later > + cs_cfg = None > Thanks; removed. > 5) > Can you add there log.error or log.debug instead of pass please? > + # enable the profile > + try: > + profile_api.enable_profile(profile_id) > + except errors.RemoteRetrieveError: > + pass > You've got it. Also did this a few lines up where the profile is disabled. > I will test it later. > > -- > Martin Basti > Thank you, Fraser -------------- next part -------------- From e2ee2584a683c7a25a90df9bd5d70cabfc448a21 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale Date: Fri, 19 Jun 2015 01:37:26 -0400 Subject: [PATCH 20/22] Upgrade: disconnect ldap2 after adding CA DNS records Non-disconnection of ldap2 backend in 'add_ca_dns_records' seems to be causing problems with later uses. Avoid the problem by disconnecting it before returning. --- ipaserver/install/server/upgrade.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 784a03b195ab99c865935b6e51cc86a3b81842ee..b9e809f314bfb83eafe26f92f359a0539b98c2f0 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -1038,6 +1038,7 @@ def add_ca_dns_records(): if not ret['result']: root_logger.info('DNS is not configured') sysupgrade.set_upgrade_state('dns', 'ipa_ca_records', True) + api.Backend.ldap2.disconnect() return bind = bindinstance.BindInstance() @@ -1050,6 +1051,7 @@ def add_ca_dns_records(): ca_configured=None) sysupgrade.set_upgrade_state('dns', 'ipa_ca_records', True) + api.Backend.ldap2.disconnect() def find_subject_base(): -- 2.1.0 -------------- next part -------------- From 8ec6bca25e71bd41bd422a9010feddc14d5ea77a Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 16 Jun 2015 07:40:36 -0400 Subject: [PATCH 21/22] Upgrade CA schema during upgrade New schema (for LDAP-based profiles) was introduced in Dogtag, but Dogtag does not yet have a reliable method for upgrading its schema. Use FreeIPA's schema update machinery to add the new attributeTypes and objectClasses defined by Dogtag. Also update the pki dependencies to 10.2.5, which provides the schema update file. --- freeipa.spec.in | 6 +++--- ipaserver/install/server/upgrade.py | 26 ++++++++++++++++++++++++++ 2 files changed, 29 insertions(+), 3 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 4f08db9f693318c6f4bfaf5e634ccffa78a4a28c..de250d8843506acd6109525c0630132fe60e2268 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in 
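Review bot: in both add_ca_dns_records hunks of patch 20/22 the new api.Backend.ldap2.disconnect() calls cover only the normal exit paths (the early `return` when DNS is not configured and the end of the function); if the BindInstance call between them raises, the backend stays connected, which is exactly the "problems with later uses" the commit message describes. A try/finally with a single disconnect() in the finally block covers every exit and removes the duplicated line. Note also Martin Basti's follow-up later in this thread that patch 0269 (disconnecting ldap2 before the DS restart) fixes the root cause, so this change may become unnecessary once that one is in.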
@@ -96,7 +96,7 @@ BuildRequires: python-backports-ssl_match_hostname BuildRequires: softhsm-devel >= 2.0.0rc1-1 BuildRequires: openssl-devel BuildRequires: p11-kit-devel -BuildRequires: pki-base >= 10.2.4-1 +BuildRequires: pki-base >= 10.2.5 BuildRequires: python-pytest-multihost >= 0.5 BuildRequires: python-pytest-sourceorder BuildRequires: python-kdcproxy >= 0.3 @@ -141,8 +141,8 @@ Requires(post): systemd-units Requires: selinux-policy >= %{selinux_policy_version} Requires(post): selinux-policy-base Requires: slapi-nis >= 0.54.2-1 -Requires: pki-ca >= 10.2.4-1 -Requires: pki-kra >= 10.2.4-1 +Requires: pki-ca >= 10.2.5 +Requires: pki-kra >= 10.2.5 Requires(preun): python systemd-units Requires(postun): python systemd-units Requires: python-dns >= 1.11.1 diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index b9e809f314bfb83eafe26f92f359a0539b98c2f0..0d24e03f96ebc465df90dede1ff44cd609ea7592 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -1256,6 +1256,31 @@ def update_mod_nss_protocol(http): sysupgrade.set_upgrade_state('nss.conf', 'protocol_updated_tls12', True) +def ca_upgrade_schema(ca): + root_logger.info('[Upgrading CA schema]') + if not ca.is_configured(): + root_logger.info('CA is not configured') + return False + + realm = krbV.default_context().default_realm + upgrade = IPAUpgrade(realm, + schema_files=['/usr/share/pki/server/conf/schema-certProfile.ldif']) + try: + upgrade.create_instance() + except BadSyntax: + raise RuntimeError( + 'Bad syntax detected in CA schema file(s).', 1) + except RuntimeError: + raise RuntimeError('CA schema upgrade failed.', 1) + else: + if upgrade.modified: + root_logger.info('CA schema update complete') + return True + else: + root_logger.info('CA schema update complete (no changes)') + return False + + def add_default_caacl(ca): root_logger.info('[Add default CA ACL]') 
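Review bot: ca_upgrade_schema() in the upgrade.py hunk instantiates IPAUpgrade(realm, schema_files=[...]) and calls create_instance(), which Martin Basti's review later in this thread NACKs because it runs the whole upgrade machinery again instead of applying only the CA schema file; the schema-update step should be invoked on its own. Two smaller points in the same hunk: `except RuntimeError: raise RuntimeError('CA schema upgrade failed.', 1)` discards the original error text (log or chain the caught exception), and the trailing `1` argument carries no meaning for RuntimeError. The path '/usr/share/pki/server/conf/schema-certProfile.ldif' is hard-coded and only the pki-base >= 10.2.5 bump in the freeipa.spec.in hunks guarantees it exists; an explicit missing-file check with a clear log message would make a partially upgraded system easier to diagnose.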
@@ -1448,6 +1473,7 @@ def upgrade_configuration(): ca_restart = any([ ca_restart, + ca_upgrade_schema(ca), upgrade_ca_audit_cert_validity(ca), certificate_renewal_update(ca), ca_enable_pkix(ca), -- 2.1.0 -------------- next part -------------- From 2b2f21575986f521db3e4b9b8ad2439ddab6034a Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 16 Jun 2015 07:38:06 -0400 Subject: [PATCH 22/22] Migrate CA profiles after enabling LDAPProfileSubsystem After enabling LDAPProfileSubsystem in Dogtag, migrate the file-based profiles into the LDAP database. --- ipaserver/install/cainstance.py | 136 +++++++++++++++++++++++++++++------- ipaserver/install/server/upgrade.py | 7 +- 2 files changed, 113 insertions(+), 30 deletions(-) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 563a198ab472a58cc6fbeeceb7731486ce7ca6b5..884d27a9115bcac6a50d147bfd1f73a0f1d3b72d 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -1639,6 +1639,29 @@ def update_people_entry(dercert): return True +def ensure_ldap_profiles_container(): + server_id = installutils.realm_to_serverid(api.env.realm) + dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id + + conn = ldap2.ldap2(shared_instance=False, ldap_uri=dogtag_uri) + if not conn.isconnected(): + conn.connect(autobind=True) + + dn = DN(('ou', 'certificateProfiles'), ('ou', 'ca'), ('o', 'ipaca')) + try: + conn.get_entry(dn) + except errors.NotFound: + # entry doesn't exist; add it + entry = conn.make_entry( + dn, + objectclass=['top', 'organizationalUnit'], + ou=['certificateProfiles'], + ) + conn.add_entry(entry) + + conn.disconnect() + + def configure_profiles_acl(): server_id = installutils.realm_to_serverid(api.env.realm) dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id 
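Review bot: ensure_ldap_profiles_container() in hunk @@ -1639,6 +1639,29 @@ calls conn.disconnect() only on the success path; if get_entry() raises anything other than errors.NotFound, or add_entry() fails, the ldapi connection to the CA's directory instance is leaked. Wrap the lookup-or-add in try/finally with disconnect() in the finally block. The URI construction `'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id` is now duplicated with configure_profiles_acl() directly below it, so a small shared helper returning a connected ldap2 instance would keep the two from drifting apart.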
@@ -1677,6 +1700,9 @@ def import_included_profiles(): if not conn.isconnected(): conn.connect(autobind=True) + api.Backend.ra_certprofile._read_password() + api.Backend.ra_certprofile.override_port = 8443 + for (profile_id, desc, store_issued) in dogtag.INCLUDED_PROFILES: dn = DN(('cn', profile_id), api.env.container_certprofile, api.env.basedn) @@ -1685,9 +1711,6 @@ def import_included_profiles(): continue # the profile is present except errors.NotFound: # profile not found; add it - profile_data = ipautil.template_file( - '/usr/share/ipa/profiles/{}.cfg'.format(profile_id), sub_dict) - entry = conn.make_entry( dn, objectclass=['ipacertprofile'], 
@@ -1696,34 +1719,93 @@ def import_included_profiles(): ipacertprofilestoreissued=['TRUE' if store_issued else 'FALSE'], ) conn.add_entry(entry) - api.Backend.ra_certprofile._read_password() - api.Backend.ra_certprofile.override_port = 8443 - with api.Backend.ra_certprofile as profile_api: - # import the profile - try: - profile_api.create_profile(profile_data) - except errors.RemoteRetrieveError: - # conflicting profile; replace it if we are - # installing IPA, but keep it for upgrades - if api.env.context == 'installer': - try: - profile_api.disable_profile(profile_id) - except errors.RemoteRetrieveError: - pass - profile_api.delete_profile(profile_id) - profile_api.create_profile(profile_data) - - # enable the profile - try: - profile_api.enable_profile(profile_id) - except errors.RemoteRetrieveError: - pass - - api.Backend.ra_certprofile.override_port = None + profile_data = ipautil.template_file( + '/usr/share/ipa/profiles/{}.cfg'.format(profile_id), sub_dict) + _create_dogtag_profile(profile_id, profile_data) root_logger.info("Imported profile '%s'", profile_id) + api.Backend.ra_certprofile.override_port = None conn.disconnect() + +def migrate_profiles_to_ldap(): + """Migrate profiles from filesystem to LDAP. + + This must be run *after* switching to the LDAPProfileSubsystem + and restarting the CA. + + The profile might already exist, e.g. if a replica was already + upgraded, so this case is ignored. 
+ + """ + ensure_ldap_profiles_container() + + api.Backend.ra_certprofile._read_password() + api.Backend.ra_certprofile.override_port = 8443 + + with open(dogtag.configured_constants().CS_CFG_PATH) as f: + cs_cfg = f.read() + match = re.search(r'^profile\.list=(\S*)', cs_cfg, re.MULTILINE) + profile_ids = match.group(1).split(',') + + for profile_id in profile_ids: + match = re.search( + r'^profile\.{}\.config=(\S*)'.format(profile_id), + cs_cfg, re.MULTILINE + ) + if match is None: + root_logger.info("No file for profile '%s'; skipping", profile_id) + continue + filename = match.group(1) + + match = re.search( + r'^profile\.{}\.class_id=(\S*)'.format(profile_id), + cs_cfg, re.MULTILINE + ) + if match is None: + root_logger.info("No class_id for profile '%s'; skipping", profile_id) + continue + class_id = match.group(1) + + root_logger.info("Migrating profile '%s' to LDAP", profile_id) + with open(filename) as f: + profile_data = f.read() + if profile_data[-1] != '\n': + profile_data += '\n' + profile_data += 'profileId={}\n'.format(profile_id) + profile_data += 'classId={}\n'.format(class_id) + _create_dogtag_profile(profile_id, profile_data) + + api.Backend.ra_certprofile.override_port = None + + +def _create_dogtag_profile(profile_id, profile_data): + with api.Backend.ra_certprofile as profile_api: + # import the profile + try: + profile_api.create_profile(profile_data) + except errors.RemoteRetrieveError: + # conflicting profile; replace it if we are + # installing IPA, but keep it for upgrades + if api.env.context == 'installer': + try: + profile_api.disable_profile(profile_id) + except errors.RemoteRetrieveError: + root_logger.debug( + "Failed to disable profile '%s' " + "(it is probably already disabled)") + profile_api.delete_profile(profile_id) + profile_api.create_profile(profile_data) + + # enable the profile + try: + profile_api.enable_profile(profile_id) + except errors.RemoteRetrieveError: + root_logger.debug( + "Failed to enable profile '%s' " + "(it 
is probably already enabled)") + + if __name__ == "__main__": standard_logging_setup("install.log") ds = dsinstance.DsInstance() diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 0d24e03f96ebc465df90dede1ff44cd609ea7592..248f0a4260ae26908fc36bf552613af979bf47ff 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -332,8 +332,8 @@ def ca_enable_ldap_profile_subsystem(ca): quotes=False, separator='=') - # TODO import file-based profiles into Dogtag - # More code needed on Dogtag side for this. + ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME) + cainstance.migrate_profiles_to_ldap() return needs_update @@ -1478,7 +1478,6 @@ def upgrade_configuration(): certificate_renewal_update(ca), ca_enable_pkix(ca), ca_configure_profiles_acl(ca), - ca_enable_ldap_profile_subsystem(ca), ]) if ca_restart: @@ -1488,6 +1487,8 @@ def upgrade_configuration(): except ipautil.CalledProcessError as e: root_logger.error("Failed to restart %s: %s", ca.service_name, e) + ca_enable_ldap_profile_subsystem(ca) + # This step MUST be done after ca_enable_ldap_profile_subsystem and # ca_configure_profiles_acl, and the consequent restart, but does not # itself require a restart. -- 2.1.0 From mbasti at redhat.com Mon Jun 29 14:18:12 2015 From: mbasti at redhat.com (Martin Basti) Date: Mon, 29 Jun 2015 16:18:12 +0200 Subject: [Freeipa-devel] [PATCH 0015] fix coverity issues In-Reply-To: <557FEF71.30204@redhat.com> References: <557FEF71.30204@redhat.com> Message-ID: <559153A4.6050304@redhat.com> On 16/06/15 11:42, Ludwig Krispenz wrote: > This patch addresses coverity issues 13290 and 13291 > > ACK -- Martin Basti -------------- next part -------------- An HTML attachment was scrubbed... URL: From mbasti at redhat.com Mon Jun 29 14:20:10 2015 
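Review bot: in hunk @@ -1696,34 +1719,93 @@ both root_logger.debug() calls in _create_dogtag_profile() contain a '%s' placeholder but pass no argument, so the profile id is never interpolated and the message is logged with a literal '%s'; pass profile_id as the second argument to each. In migrate_profiles_to_ldap() in the same hunk: `if profile_data[-1] != '\n'` raises IndexError on an empty profile file (use `if not profile_data.endswith('\n')`); the profile_id read from CS.cfg is interpolated into the regexes unescaped (`r'^profile\.{}\.config=(\S*)'.format(profile_id)`), so wrap it in re.escape(); and `api.Backend.ra_certprofile.override_port = None` runs only if the loop completes, so a try/finally is needed to restore the port when _create_dogtag_profile() raises. Finally, when api.env.context is not 'installer' the RemoteRetrieveError from create_profile() is swallowed with no log line at all; a debug message saying the existing profile was kept would help when debugging a replica upgrade.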
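Review bot: in the upgrade.py hunks of patch 22/22, ca_enable_ldap_profile_subsystem() now performs a CA restart and the profile migration itself and is called right after the `ca_restart` block, so a failed restart there (only logged with root_logger.error) is followed by a second restart attempt and then by migrate_profiles_to_ldap() talking to port 8443 on a CA that may not be up; consider checking the outcome of the first restart before continuing, or making a migration failure an explicit error. The extracted hunk does not preserve indentation, so it is not visible whether ca.restart() and cainstance.migrate_profiles_to_ldap() sit inside the `needs_update` branch; if they run unconditionally, every upgrade run restarts the CA and re-imports all profiles even when LDAPProfileSubsystem was already enabled (the docstring says the already-present case is tolerated, so this costs time rather than correctness, but it is worth a comment either way).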
From: mbasti at redhat.com (Martin Basti) Date: Mon, 29 Jun 2015 16:20:10 +0200 Subject: [Freeipa-devel] [PATCH 0039] ipa-kdb: common function to get key encodings/salt types In-Reply-To: <557EFF71.5000703@redhat.com> References: <55670D65.5040904@redhat.com> <1432817709.19096.119.camel@willson.usersys.redhat.com> <557EFF71.5000703@redhat.com> Message-ID: <5591541A.7090307@redhat.com> On 15/06/15 18:38, Martin Babinsky wrote: > On 05/28/2015 02:55 PM, Simo Sorce wrote: >> On Thu, 2015-05-28 at 14:43 +0200, Martin Babinsky wrote: >>> A small improvement upon simo's fix for >>> https://fedorahosted.org/freeipa/ticket/4914 >>> >>> -- >>> Martin^3 Babinsky >> >> LGTM. >> >> Simo. >> > > Anyone else to review this patch? It also incidentally fixes a > recently reported resource leak. > ACK -- Martin Basti From ftweedal at redhat.com Mon Jun 29 14:48:05 2015 From: ftweedal at redhat.com (Fraser Tweedale) Date: Tue, 30 Jun 2015 00:48:05 +1000 Subject: [Freeipa-devel] [PATCH] 0023 Fix certprofile doc error Message-ID: <20150629144805.GJ6584@dhcp-40-8.bne.redhat.com> Attached patch fixes a small error in certprofile plugin documentation. Thanks, Fraser -------------- next part -------------- From 6de3a4fd9d3d250e09a75721ef7b7f0831c47ea6 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Mon, 29 Jun 2015 10:28:25 -0400 Subject: [PATCH] certprofile: fix doc error --- ipalib/plugins/certprofile.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipalib/plugins/certprofile.py b/ipalib/plugins/certprofile.py index 5158bf0bb994451eecb55451b944687e74c95ee8..9e1e47e943f5c14a7e7ce418d3fc2d095331a38a 100644 --- a/ipalib/plugins/certprofile.py +++ b/ipalib/plugins/certprofile.py 
@@ -36,7 +36,7 @@ EXAMPLES: Import a profile that will not store issued certificates: ipa certprofile-import ShortLivedUserCert \\ - --file UserCert.profile --summary "User Certificates" \\ + --file UserCert.profile --desc "User Certificates" \\ --store=false Delete a certificate profile: -- 2.1.0 From mbasti at redhat.com Mon Jun 29 14:52:28 2015 From: mbasti at redhat.com (Martin Basti) Date: Mon, 29 Jun 2015 16:52:28 +0200 Subject: [Freeipa-devel] [PATCH] 0023 Fix certprofile doc error In-Reply-To: <20150629144805.GJ6584@dhcp-40-8.bne.redhat.com> References: <20150629144805.GJ6584@dhcp-40-8.bne.redhat.com> Message-ID: <55915BAC.4060208@redhat.com> On 29/06/15 16:48, Fraser Tweedale wrote: > Attached patch fixes a small error in certprofile plugin > documentation. > > Thanks, > Fraser > > ACK -- Martin Basti -------------- next part -------------- An HTML attachment was scrubbed... URL: From pvoborni at redhat.com Mon Jun 29 15:12:42 2015 
From: pvoborni at redhat.com (Petr Vobornik) Date: Mon, 29 Jun 2015 17:12:42 +0200 Subject: [Freeipa-devel] [PATCH] 879 Verify replication topology for a suffix In-Reply-To: <55914928.7020600@redhat.com> References: <55816259.5000502@redhat.com> <558164F9.6050001@redhat.com> <5581802F.8040203@redhat.com> <558D427C.9040309@redhat.com> <55914928.7020600@redhat.com> Message-ID: <5591606A.50006@redhat.com> On 06/29/2015 03:33 PM, David Kupka wrote: > On 26/06/15 14:15, Petr Vobornik wrote: >> On 06/17/2015 04:11 PM, Petr Vobornik wrote: >>> On 06/17/2015 02:15 PM, Ludwig Krispenz wrote: >>>> >>>> On 06/17/2015 02:04 PM, Petr Vobornik wrote: >>>>> With patch "878 topology: check topology in ipa-replica-manage del" >>>>> we can use the same logic for POC of >>>>> ipa topologysuffix-verify >>>>> command. >>>>> >>>>> Checks done: >>>>> 1. check if the topology is not disconnected. In other words if >>>>> there are replication paths between all servers. >>>>> 2. check if servers don't have more than a recommended number of >>>>> replication agreements (which was set to 4) >>>>> >>>>> I'm not sure what else we want to test but these two seemed as low >>>>> hanging fruit. >>>> don't know how hard it is, but I had thought of calculating something >>>> like a "degree of connectivity", eg to find single points of failure. >>>> In a topology A <--> B <--> C <--> D, if B or C are down (temporarily) >>>> the topology is disconnected. If extending to >>>> A <--> B <--> C <--> D <--> A one server can be taken offline, so a >>>> brute force would be to check for each server if it could be removed >>>> >>> >>> The original POC (attached) of the graph traversal did such brute force >>> check (only one server removed at a time). In other words, it's easy. >>> >>> Computing indegree and outdegree of each node is easy as well. >>> >>> >>>>> Additional checks can be also added later. >>>>> >>>>> https://fedorahosted.org/freeipa/ticket/4302 >>>>> >>>>> >>>>> >> >> Rebased patch attached. 
No new check was implemented. >> >> > > Works for me, ACK. > Pushed to master: 5397150979a474f6df82e6df5287e1cc678a3479 -- Petr Vobornik From pvoborni at redhat.com Mon Jun 29 15:12:59 2015 From: pvoborni at redhat.com (Petr Vobornik) Date: Mon, 29 Jun 2015 17:12:59 +0200 Subject: [Freeipa-devel] [PATCH] 878 topology: check topology in ipa-replica-manage del In-Reply-To: <55914926.6010204@redhat.com> References: <55816149.30007@redhat.com> <558D4244.9020301@redhat.com> <55914926.6010204@redhat.com> Message-ID: <5591607B.7030509@redhat.com> On 06/29/2015 03:33 PM, David Kupka wrote: > On 26/06/15 14:15, Petr Vobornik wrote: >> On 06/17/2015 02:00 PM, Petr Vobornik wrote: >>> ipa-replica-manage del now: >>> - checks the whole current topology(before deletion), reports issues >>> - simulates deletion of server and checks the topology again, reports >>> issues >>> >>> Asks admin if he wants to continue with the deletion if any errors are >>> found. >>> >>> https://fedorahosted.org/freeipa/ticket/4302 >>> >>> >> >> Patch with >> * changed error messages >> * removed question to force removal (--force is needed) >> attached. >> >> > Works for me, ACK. > Pushed to master: 659b88b8205ef403aa9162453472e4731d93d13b -- Petr Vobornik From pvoborni at redhat.com Mon Jun 29 15:13:12 2015 
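An added example, not code from these patches or from FreeIPA, of the checks described in the two threads above: the connectivity and agreement-count checks that `ipa topologysuffix-verify` performs, Ludwig's brute-force single-point-of-failure check (which the patch did not implement), and the before/after simulation that `ipa-replica-manage del` does. It assumes a topology given as a list of servers and undirected segments (every agreement bidirectional); server names, the sample topologies and the helper names are constructed for the example.

```python
"""Replication-topology checks on a constructed in-memory model.

Assumption: each segment is an undirected edge (both replication
directions exist), which is the common case for FreeIPA segments.
"""

MAX_AGREEMENTS = 4  # recommended maximum per server, as stated in the thread


def build_adjacency(servers, agreements):
    """Map each server to the set of servers it has an agreement with."""
    adj = {s: set() for s in servers}
    for a, b in agreements:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def is_connected(adj, offline=()):
    """True if every online server can reach every other online server,
    treating the servers in `offline` as temporarily down (check 1)."""
    online = [s for s in adj if s not in offline]
    if not online:
        return True
    seen = {online[0]}
    stack = [online[0]]
    while stack:  # depth-first traversal over the undirected graph
        for peer in adj[stack.pop()]:
            if peer not in offline and peer not in seen:
                seen.add(peer)
                stack.append(peer)
    return len(seen) == len(online)


def verify_topology(servers, agreements, max_agreements=MAX_AGREEMENTS):
    """The two checks from the patch: connectivity and the per-server
    agreement limit. Returns a list of issue strings, [] when healthy."""
    adj = build_adjacency(servers, agreements)
    issues = []
    if not is_connected(adj):
        issues.append("topology is disconnected")
    for s in servers:
        if len(adj[s]) > max_agreements:
            issues.append(
                "%s has %d replication agreements, more than the recommended %d"
                % (s, len(adj[s]), max_agreements))
    return issues


def single_points_of_failure(servers, agreements):
    """Ludwig's brute-force suggestion: take each server offline in turn
    and report the ones whose absence disconnects the remaining servers."""
    adj = build_adjacency(servers, agreements)
    return [s for s in servers if not is_connected(adj, offline={s})]


def simulate_del(servers, agreements, server):
    """ipa-replica-manage del semantics: verify the current topology, then
    verify it again with `server` and all of its agreements removed."""
    before = verify_topology(servers, agreements)
    remaining = [s for s in servers if s != server]
    kept = [(a, b) for a, b in agreements if server not in (a, b)]
    return before, verify_topology(remaining, kept)


# Constructed sample topologies from the thread: a chain and a ring.
CHAIN = (["A", "B", "C", "D"], [("A", "B"), ("B", "C"), ("C", "D")])
RING = (CHAIN[0], CHAIN[1] + [("D", "A")])

if __name__ == "__main__":
    print("chain SPOF:", single_points_of_failure(*CHAIN))  # ['B', 'C']
    print("ring SPOF:", single_points_of_failure(*RING))    # []
    print("del B from chain:", simulate_del(*CHAIN, server="B"))
```

Removing B from the chain disconnects A from C and D, which is the case the `--force` requirement in patch 878 is meant to make the admin confront explicitly.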
From: pvoborni at redhat.com (Petr Vobornik) Date: Mon, 29 Jun 2015 17:13:12 +0200 Subject: [Freeipa-devel] [PATCH] 877 fix force-sync, re-initialize of replica and a check for replication agreement existence In-Reply-To: <55914925.7090707@redhat.com> References: <557F0B12.3050903@redhat.com> <55914925.7090707@redhat.com> Message-ID: <55916088.4030901@redhat.com> On 06/29/2015 03:33 PM, David Kupka wrote: > On 15/06/15 19:27, Petr Vobornik wrote: >> in other words limit usage of `agreement_dn` method only for manipulation >> and search of agreements which are not managed by topology plugin. >> >> For other cases it is safer to search for the agreement. >> >> https://fedorahosted.org/freeipa/ticket/5066 >> >> > Works for me, ACK. > Pushed to master: dcb6916a3b0601e33b08e12aeb25357efed6812b -- Petr Vobornik From pvoborni at redhat.com Mon Jun 29 15:14:21 2015 From: pvoborni at redhat.com (Petr Vobornik) Date: Mon, 29 Jun 2015 17:14:21 +0200 Subject: [Freeipa-devel] [PATCH] 0023 Fix certprofile doc error In-Reply-To: <55915BAC.4060208@redhat.com> References: <20150629144805.GJ6584@dhcp-40-8.bne.redhat.com> <55915BAC.4060208@redhat.com> Message-ID: <559160CD.1030807@redhat.com> On 06/29/2015 04:52 PM, Martin Basti wrote: > On 29/06/15 16:48, Fraser Tweedale wrote: >> Attached patch fixes a small error in certprofile plugin >> documentation. >> >> Thanks, >> Fraser >> >> > ACK > Pushed to master: 7f923f922a28aa34eb6ee3b0e94c1cba223d285c -- Petr Vobornik From pvoborni at redhat.com Mon Jun 29 15:15:32 2015
From: pvoborni at redhat.com (Petr Vobornik) Date: Mon, 29 Jun 2015 17:15:32 +0200 Subject: [Freeipa-devel] [PATCH 0039] ipa-kdb: common function to get key encodings/salt types In-Reply-To: <5591541A.7090307@redhat.com> References: <55670D65.5040904@redhat.com> <1432817709.19096.119.camel@willson.usersys.redhat.com> <557EFF71.5000703@redhat.com> <5591541A.7090307@redhat.com> Message-ID: <55916114.2020207@redhat.com> On 06/29/2015 04:20 PM, Martin Basti wrote: > On 15/06/15 18:38, Martin Babinsky wrote: >> On 05/28/2015 02:55 PM, Simo Sorce wrote: >>> On Thu, 2015-05-28 at 14:43 +0200, Martin Babinsky wrote: >>>> A small improvement upon simo's fix for >>>> https://fedorahosted.org/freeipa/ticket/4914 >>>> >>>> -- >>>> Martin^3 Babinsky >>> >>> LGTM. >>> >>> Simo. >>> >> >> Anyone else to review this patch? It also incidentally fixes a >> recently reported resource leak. >> > ACK > Pushed to master: 4d7b630992da3d0c646b27268a85e6e8c30eebfe -- Petr Vobornik From pvoborni at redhat.com Mon Jun 29 15:17:53 2015 From: pvoborni at redhat.com (Petr Vobornik) Date: Mon, 29 Jun 2015 17:17:53 +0200 Subject: [Freeipa-devel] [PATCH 0015] fix coverity issues In-Reply-To: <559153A4.6050304@redhat.com> References: <557FEF71.30204@redhat.com> <559153A4.6050304@redhat.com> Message-ID: <559161A1.6090000@redhat.com> On 06/29/2015 04:18 PM, Martin Basti wrote: > On 16/06/15 11:42, Ludwig Krispenz wrote: >> This patch addresses coverity issues 13290 and 13291 >> >> > ACK > > > Pushed to master: 5e92c981b0e433ee28b953d222a1b531b525ff1c -- Petr Vobornik From pvoborni at redhat.com Mon Jun 29 15:28:35 2015 
From: pvoborni at redhat.com (Petr Vobornik) Date: Mon, 29 Jun 2015 17:28:35 +0200 Subject: [Freeipa-devel] Fix removal of ipa-kdc-proxy.conf symlink In-Reply-To: <20150629132210.GD6584@dhcp-40-8.bne.redhat.com> References: <559107DA.7080503@redhat.com> <20150629132210.GD6584@dhcp-40-8.bne.redhat.com> Message-ID: <55916423.2070706@redhat.com> On 06/29/2015 03:22 PM, Fraser Tweedale wrote: > On Mon, Jun 29, 2015 at 10:54:50AM +0200, Christian Heimes wrote: >> Hello, >> >> the attached patch fixes the first bug that was reported by Fraser >> today. installutils.remove_file() uses os.path.exists() to check if the >> file still exists, which in turn uses stat(2). I have modified the >> function to use os.path.lexists() instead. It doesn't follow symlinks. >> >> Because httpinstance first removes the target file >> /etc/ipa/kdcproxy/ipa-kdc-proxy.conf before it tries to remove the >> symlink /etc/httpd/conf.d/ipa-kdc-proxy.conf, the >> installutils.remove_file() ignores the dangling symlink. >> >> Christian > > ACK > Pushed to master: 2842a83568301c85d340801daae42078333ce63d Christian, could you please provide [PATCH] in the subject for new threads with a patch? It is an established practice on freeipa-devel and it helps with mail filtering. -- Petr Vobornik From pvoborni at redhat.com Mon Jun 29 15:29:17 2015
From: pvoborni at redhat.com (Petr Vobornik) Date: Mon, 29 Jun 2015 17:29:17 +0200 Subject: [Freeipa-devel] Fix upgrade of HTTPInstance for KDC Proxy In-Reply-To: <20150629133342.GE6584@dhcp-40-8.bne.redhat.com> References: <55911344.2090507@redhat.com> <20150629133342.GE6584@dhcp-40-8.bne.redhat.com> Message-ID: <5591644D.3030002@redhat.com> On 06/29/2015 03:33 PM, Fraser Tweedale wrote: > On Mon, Jun 29, 2015 at 11:43:32AM +0200, Christian Heimes wrote: >> Hello, >> >> the attached patch makes sure that HTTPInstance has an admin_conn LDAP >> connection. Without the LDAP connection, HTTPInstance.enable_kdcproxy() >> fails. >> >> Christian > > ACK; upgrade from 4.1.4 to master+patch works. > Pushed to master: 0bf4e7fb4ae1e32bfd8fe9f92fd9ebed7f4cad93 -- Petr Vobornik From mbasti at redhat.com Mon Jun 29 15:40:54 2015 From: mbasti at redhat.com (Martin Basti) Date: Mon, 29 Jun 2015 17:40:54 +0200 Subject: [Freeipa-devel] [PATCH 0269] Server upgrade: disconnect ldap2 connection before restart Message-ID: <55916706.2000508@redhat.com> Attached patch solves issue when DS was restarted but code still tried to use old invalid connection. -- Martin Basti -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0269-server-upgrade-disconnect-ldap2-connection-before-DS.patch Type: text/x-patch Size: 1320 bytes Desc: not available URL: From mbasti at redhat.com Mon Jun 29 15:56:11 2015 
From: mbasti at redhat.com (Martin Basti) Date: Mon, 29 Jun 2015 17:56:11 +0200 Subject: [Freeipa-devel] [PATCH] 0020..0022 pki-related upgrade fixes In-Reply-To: <20150629140313.GH6584@dhcp-40-8.bne.redhat.com> References: <20150619072838.GR29330@dhcp-40-8.bne.redhat.com> <558BC875.1040002@redhat.com> <20150629140313.GH6584@dhcp-40-8.bne.redhat.com> Message-ID: <55916A9B.20105@redhat.com> On 29/06/15 16:03, Fraser Tweedale wrote: > On Thu, Jun 25, 2015 at 11:23:01AM +0200, Martin Basti wrote: >> On 19/06/15 09:28, Fraser Tweedale wrote: >>> The attached patches fix upgrade issues when pki is also updated >>> from pre 10.2.4. >>> pki dependency is bumped to 10.2.5 - the official builds should be >>> done Friday (US time) but it is available from my copr[1]. If >>> someone wants to add to official freeipa COPR in meantime the SRPM >>> is here[2]. >>> >>> [1] https://copr.fedoraproject.org/coprs/ftweedal/freeipa/ >>> [2] https://ftweedal.fedorapeople.org/pki-core-10.2.5-0.2.fc21.src.rpm >>> >>> Thanks, >>> Fraser >>> >>> >> Thank you. >> >> 1) >> I cannot apply patches. >> > Rebased patches attached. > >> 2) >> IMO patch 0020 was fixed with my patch 266 >> > It seems we are hitting another case of LDAP disconnection during > upgrade; without 0020 the upgrade fails. There might be a better > way so let me know if you have ideas. > >> 3) >> This print should not be there >> + >> + print cs_cfg >> + for profile_id in profile_ids: >> > Thanks; removed. > >> 4) >> This is an unused variable, it is defined later >> + cs_cfg = None >> > Thanks; removed. > >> 5) >> Can you add there log.error or log.debug instead of pass please? >> + # enable the profile >> + try: >> + profile_api.enable_profile(profile_id) >> + except errors.RemoteRetrieveError: >> + pass >> > You've got it. Also did this a few lines up where the profile is > disabled. > >> I will test it later. >> >> -- >> Martin Basti >> > Thank you, > Fraser PATCH 0020 - NACK, see my patch 269, it fixes the root cause. 
(IMO with reworked patch 21 it is not needed) PATCH 0021 - NACK, it runs whole upgrade machinery again. Patch how to fix it is attached. Sorry I didn't notice it last time. PATCH 0022 - LGTM -- Martin Basti -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0000-fix-fraser-ca-schema.patch Type: text/x-patch Size: 1852 bytes Desc: not available URL: From cheimes at redhat.com Mon Jun 29 16:01:39 2015 
From: cheimes at redhat.com (Christian Heimes)
Date: Mon, 29 Jun 2015 18:01:39 +0200
Subject: [Freeipa-devel] Fix removal of ipa-kdc-proxy.conf symlink
In-Reply-To: <55916423.2070706@redhat.com>
References: <559107DA.7080503@redhat.com> <20150629132210.GD6584@dhcp-40-8.bne.redhat.com> <55916423.2070706@redhat.com>
Message-ID: <55916BE3.1030204@redhat.com>

On 2015-06-29 17:28, Petr Vobornik wrote:
> On 06/29/2015 03:22 PM, Fraser Tweedale wrote:
>> On Mon, Jun 29, 2015 at 10:54:50AM +0200, Christian Heimes wrote:
>>> Hello,
>>>
>>> the attached patch fixes the first bug, that was reported by Fraser
>>> today. installutils.remove_file() uses os.path.exists() to check if the
>>> file still exists, which in turn uses stat(2). I have modified the
>>> function to use os.path.lexists() instead. It doesn't follow symlinks.
>>>
>>> Because httpinstance first removes the target file
>>> /etc/ipa/kdcproxy/ipa-kdc-proxy.conf before it tries to remove the
>>> symlink /etc/httpd/conf.d/ipa-kdc-proxy.conf, the
>>> installutils.remove_file() ignores the dangling symlink.
>>>
>>> Christian
>>
>> ACK
>>
>
> Pushed to master: 2842a83568301c85d340801daae42078333ce63d
>
> Christian, could you please provide [PATCH] in subject for new threads with
> patch? It is an established practice on freeipa-devel and it helps with
> mail filtering.

I'm sorry that I forgot to include [PATCH] and my patch number. It's Monday...

Christian
From mbasti at redhat.com Mon Jun 29 16:04:47 2015
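The stat(2) versus lstat(2) distinction behind the fix above, as an added example that is not FreeIPA's installutils.remove_file: the same removal order (target first, then the symlink) is replayed in a scratch directory, and the two checks are compared on the dangling link. The paths under the temporary directory are hypothetical stand-ins for /etc/ipa/kdcproxy/ipa-kdc-proxy.conf and /etc/httpd/conf.d/ipa-kdc-proxy.conf.

```python
import os
import tempfile


def remove_file(path):
    """Remove a regular file or a symlink at ``path``.

    os.path.exists() calls stat(2), which follows symlinks, so it returns
    False for a symlink whose target is already gone; a removal guarded by
    it silently leaves the dangling link behind.  os.path.lexists() uses
    lstat(2) and reports the link itself.  Returns True if something was
    removed, False if nothing was there.
    """
    if not os.path.lexists(path):
        return False
    os.unlink(path)          # unlink removes the link, never its target
    return True


def demo():
    """Replay the ipa-kdc-proxy.conf ordering in a scratch directory.

    The two paths below are hypothetical stand-ins for
    /etc/ipa/kdcproxy/ipa-kdc-proxy.conf (the target) and
    /etc/httpd/conf.d/ipa-kdc-proxy.conf (the symlink).
    """
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "kdcproxy", "ipa-kdc-proxy.conf")
        link = os.path.join(tmp, "conf.d", "ipa-kdc-proxy.conf")
        os.makedirs(os.path.dirname(target))
        os.makedirs(os.path.dirname(link))
        with open(target, "w") as f:
            f.write("# constructed sample config\n")
        os.symlink(target, link)

        # Same order as httpinstance: remove the target first ...
        os.unlink(target)
        # ... which is the moment the two checks disagree.
        seen_by_exists = os.path.exists(link)      # False, target is gone
        seen_by_lexists = os.path.lexists(link)    # True, link still there

        removed = remove_file(link)
        return {
            "exists": seen_by_exists,
            "lexists": seen_by_lexists,
            "removed": removed,
            "left_behind": os.path.lexists(link),
        }


if __name__ == "__main__":
    print(demo())
```

The dictionary returned by demo() shows the failure mode directly: exists() reports False for the dangling link while lexists() reports True, and only the lexists()-guarded removal actually clears it, so nothing is left in the web server's conf.d.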
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 29 Jun 2015 18:04:47 +0200
Subject: [Freeipa-devel] [PATCH 0269] Server upgrade: disconnect ldap2 connection before restart
In-Reply-To: <55916706.2000508@redhat.com>
References: <55916706.2000508@redhat.com>
Message-ID: <55916C9F.8080502@redhat.com>

On 29/06/15 17:40, Martin Basti wrote:
> Attached patch solves issue when DS was restarted but code still tried
> to use old invalid connection.
>
>
>
This patch is not needed after reworking CA patches.

--
Martin Basti
From lkrispen at redhat.com Tue Jun 30 07:19:57 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Tue, 30 Jun 2015 09:19:57 +0200
Subject: [Freeipa-devel] [PATCH 0016] clear start attr from segment after initialization
In-Reply-To: <558D420D.8010603@redhat.com>
References: <5587D6FF.8020706@redhat.com> <558D420D.8010603@redhat.com>
Message-ID: <5592431D.1020100@redhat.com>

On 06/26/2015 02:14 PM, thierry bordaz wrote:
> On 06/22/2015 11:35 AM, Ludwig Krispenz wrote:
>> fix for ticket #5065, removing start
>> - after online init completed
>> - additionally check after startup
>>
>>
> Hi Ludwig,
>
> The fix looks good to me.
> I have just a clarification regarding ipa_topo_util_reset_init. It
> resets 'nsds5BeginReplicaRefresh' at the condition the
> segment->[left,right]->target=localhost.
it is called "post_init", after an online initialization, so the host
where this is checked was the target of an init.
at startup, when there is a check, if it is still present, it will
check that it is the origin of a refresh, clear it and not repeat the init
> I would expect it resets the flag on the master side and so it tests
> 'segment->[left,right]->origin=localhost'.
>
> thanks
> thierry
From mbasti at redhat.com Tue Jun 30 07:47:01 2015
From: mbasti at redhat.com (Martin Basti) Date: Tue, 30 Jun 2015 09:47:01 +0200 Subject: [Freeipa-devel] [PATCH 0038] increase NSS memcache timeout for IPA server In-Reply-To: <5565AD48.5020405@redhat.com> References: <5565A9A8.7020206@redhat.com> <20150527113354.GI12030@mail.corp.redhat.com> <5565AD48.5020405@redhat.com> Message-ID: <55924975.8040403@redhat.com> On 27/05/15 13:40, Martin Babinsky wrote: > On 05/27/2015 01:33 PM, Lukas Slebodnik wrote: >> On (27/05/15 13:25), Martin Babinsky wrote: >>> https://fedorahosted.org/freeipa/ticket/4964 >>> >>> -- >>> Martin^3 Babinsky >> >>> From ef8481ee0267a720551832baae9398b435b3c6c5 Mon Sep 17 00:00:00 2001 >>> From: Martin Babinsky >>> Date: Tue, 26 May 2015 18:11:08 +0200 >>> Subject: [PATCH] increase NSS memcache timeout for IPA server >>> >>> Increasing memcache timeout to 600 seconds when configuring sssd on >>> IPA server >>> should improve performance when dealing with large groups in trusts. >>> >>> https://fedorahosted.org/freeipa/ticket/4964 >>> --- >>> ipa-client/ipa-install/ipa-client-install | 9 +++++++++ >>> 1 file changed, 9 insertions(+) >>> >>> diff --git a/ipa-client/ipa-install/ipa-client-install >>> b/ipa-client/ipa-install/ipa-client-install >>> index >>> 63e3c9800791f3d29c977d63815c4291f5a235b9..ab3bc8a652dad01b9db5a26b877f38b850cb07f1 >>> 100755 >>> --- a/ipa-client/ipa-install/ipa-client-install >>> +++ b/ipa-client/ipa-install/ipa-client-install 
>>> @@ -1274,6 +1274,15 @@ def configure_sssd_conf(fstore, cli_realm, >>> cli_domain, cli_server, options, clie >>> # the master should only use itself for Kerberos >>> domain.set_option('ipa_server', cli_server[0]) >>> >>> + # increase memcache timeout to 10 minutes when in server mode >>> + try: >>> + nss_service = sssdconfig.get_service('nss') >>> + except SSSDConfig.NoServiceError: >>> + nss_service = sssdconfig.new_service('nss') >>> + >>> + nss_service.set_option('memcache_timeout', 600) >>> + sssdconfig.save_service(nss_service) >>> + >> >> NACK >> >> It should not be set to such high value for each client. >> >> It should be configured if and only if sssd is in the ipa-server mode >> (trust with AD) >> >> LS >> > Lukas, > > it actually is set only when '--on-master' option is used, as can be > (hopefully) seen from the following code: > > """ > if not options.on_master: > if options.primary: > domain.set_option('ipa_server', ', '.join(cli_server)) > else: > domain.set_option('ipa_server', '_srv_, %s' % ', > '.join(cli_server)) > else: > domain.set_option('ipa_server_mode', 'True') > # the master should only use itself for Kerberos > domain.set_option('ipa_server', cli_server[0]) > > # increase memcache timeout to 10 minutes when in server mode > try: > nss_service = sssdconfig.get_service('nss') > except SSSDConfig.NoServiceError: > nss_service = sssdconfig.new_service('nss') > > nss_service.set_option('memcache_timeout', 600) > sssdconfig.save_service(nss_service) > """ > ACK -- Martin Basti From mbasti at redhat.com Tue Jun 30 08:25:25 2015 
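Review bot: in the `except SSSDConfig.NoServiceError` fallback, `nss_service = sssdconfig.new_service('nss')` creates a fresh [nss] section, but nothing in the hunk adds that section to the `services` list of the [sssd] section, so on a master where the nss responder was not configured before, the saved memcache_timeout would be written but never read; either confirm that an earlier part of configure_sssd_conf activates it, or call `sssdconfig.activate_service('nss')` in that branch before `sssdconfig.save_service(nss_service)`. The value 600 is also a bare literal explained only by the comment "10 minutes"; a named constant next to the other sssd settings would keep the number and its meaning together.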
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 30 Jun 2015 10:25:25 +0200
Subject: [Freeipa-devel] [PATCHES 0252-0253, 268] DNSSEC: allow to move DNSSEC key master to another IPA server
In-Reply-To: <55914517.7090404@redhat.com>
References: <555CAFAC.2050803@redhat.com> <55717FD9.6010002@redhat.com> <5580275F.1000106@redhat.com> <5581596D.9080209@redhat.com> <55815BF8.50202@redhat.com> <558BEA12.8060601@redhat.com> <55914517.7090404@redhat.com>
Message-ID: <55925275.7020708@redhat.com>

On 29/06/15 15:16, Martin Basti wrote:
> On 25/06/15 13:46, Petr Spacek wrote:
>> On 17.6.2015 13:37, Martin Basti wrote:
>>> On 17/06/15 13:26, Petr Spacek wrote:
>>>> On 16.6.2015 15:40, Martin Basti wrote:
>>>>> On 05/06/15 12:54, Petr Spacek wrote:
>>>>>> On 20.5.2015 18:00, Martin Basti wrote:
>>>>>>> This patch allows to disable DNSSEC key master on IPA server, or
>>>>>>> replace current DNSSEC key master with another IPA server.
>>>>>>>
>>>>>>> Only for master branch.
>>>>>>>
>>>>>>> https://fedorahosted.org/freeipa/ticket/4657
>>>>>>>
>>>>>>> Patches attached.
>>>>>> NACK. This happens on DNSSEC key master:
>>>>>> $ ipa-dns-install --disable-dnssec-master
>>>>>>
>>>>>> Do you want to disable current DNSSEC key master? [no]: yes
>>>>>> Unexpected error - see /var/log/ipaserver-install.log for details:
>>>>>> TypeError: sequence item 0: expected string, DNSName found
>>>>>> 2015-06-05T10:52:35Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 733, in run_script
>>>>>>     return_value = main_function()
>>>>>>
>>>>>>   File "/sbin/ipa-dns-install", line 128, in main
>>>>>>     dns_installer.disable_dnssec_master(options.unattended)
>>>>>>
>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dns.py", line 112, in disable_dnssec_master
>>>>>>     ", ".join(dnssec_zones))
>>>>>>
>>>>>> 2015-06-05T10:52:35Z DEBUG The ipa-dns-install command failed, exception: TypeError: sequence item 0: expected string, DNSName found
>>>>>>
>>>>> Updated patches attached.
>>>>>
>>>>> Due to new installers, more changes were required.
>>>> Sorry, NACK, I'm not able to apply this patch set to current master
>>>> (69607250b9762a6c9b657dd31653b03d54a7b411).
>>>>
>>> Rebased patches attached.
>> NACK.
>>
>>
>> 0) ipa-dns-install --replace-dnssec-master always puts file into
>> /root/ipa-kasp.db.
>>
>> It would be better to put it into local working directory or
>> /var/lib/ipa (as with replica files).
>>
>>
>> 1) I installed DNSSEC key master role on the vm-134 but DNSSEC
>> services were not stopped by ipactl stop:
>>
>> [root at vm-134 review]# ipactl stop
>> Stopping ipa-otpd Service
>> Stopping httpd Service
>> Stopping ipa_memcached Service
>> Stopping kadmin Service
>> Stopping krb5kdc Service
>> Stopping Directory Service
>> ipa: INFO: The ipactl command was successful
>>
>> [root at vm-134 review]# ipactl start
>> Starting Directory Service
>> Starting krb5kdc Service
>> Starting kadmin Service
>> Starting named Service
>> Starting ipa_memcached Service
>> Starting httpd Service
>> Starting ipa-otpd Service
>> Starting ipa-ods-exporter Service
>> Starting ods-enforcerd Service
>> Starting ipa-dnskeysyncd Service
>>
>> Subsequent ipactl stop worked fine, only the first one is affected.
>>
>>
>> 2a) vm-134 was the original master. I ran this:
>>
>> [root at vm-134 review]# ipa-dns-install --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com
>>
>> ... and then attempted to install master to vm-059:
>> [root at vm-059 review]# ipa-dns-install --dnssec-master
>>
>> This command was accepted despite the missing --kasp-db option and wrong
>> replica name.
>>
>> It should error out and tell the user to run the command with
>> --kasp-db option.
>>
>> Even better, we could get rid of explicit replica name specification in
>> --replace-dnssec-master option and allow to run installation with
>> --kasp-db on any replica as long as the kasp.db file is provided.
>>
>>
>>
>> 2b) Attempt to move DNSSEC key master from vm-134 to vm-090 *without*
>> specifying --kasp-db option was accepted.
>>
>> [root at vm-090 review]# ipa-dns-install --dnssec-master
>>
>> As in case (2a), it should print what user is supposed to do.
>>
>> I propose following text:
>>
>> Current DNSSEC key master is being moved to different server.
>>
>> You need to copy kasp.db file from and run following command to
>> complete the transition:
>>
>> # ipa-dns-install --dnssec-master --kasp-db=/path/to/the/copied/kasp.db
>>
>>
>>
>> 3) [root at vm-134 review]# ipa-dns-install --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com
>> does not remove ISMASTER option from file /etc/sysconfig/ipa-dnskeysyncd .
>>
>>
>> 4) [root at vm-134 review]# ipa-dns-install --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com
>>
>> it is possible to run
>>
>> [root at vm-134 review]# ipa-dns-install --dnssec-master
>>
>> again without --kasp-db and it is accepted.
>>
>> Moreover, in this case ipaConfigString "NEW_DNSSEC_MASTER" is not
>> properly removed from
>> cn=DNSKeySync,cn=vm-090.abc.idm.lab.eng.brq.redhat.com,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example.
>>
>>
>>
>>
>> 5) Sequence of commands
>> [root at vm-134 review]# ipa-dns-install --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com
>>
>> [root at vm-090 review]# ipa-replica-manage del vm-134.abc.idm.lab.eng.brq.redhat.com
>>
>> allows me to run
>> [root at vm-090 review]# ipa-dns-install --dnssec-master
>>
>> without --kasp-db option, it does not throw an error, and the
>> information that some other master existed somewhere is lost.
>>
>> It would be probably better to replace this and to use some global
>> attribute in cn=dns so similar problems do not happen.
>>
>>
>>
>> 6) The migration itself seems to work, KASP DB seems to work
>> properly, however it is necessary to run 'ods-ksmutil zonelist' command
>> *before* all the daemons on the new master are (re)started. This needs
>> to be done to re-generate file /etc/opendnssec/zonelist.xml from the
>> new (copied) DB.
>>
>> Here please be careful about file permissions.
>>
>> The command should be run under 'ods' user to avoid permission
>> clobbering.
>>
>>
>> Thank you for your hard work on this!
>>
> New patches attached.
>
> Major part of the code was changed.
>
> Please apply patch 268 first.
>
>
>
>
Updated patches attached.

I just changed the error log to debug log

ipautil.run(cmd, runas=ods_enforcerd.get_user_name())
- except CalledProcessError as e:
- root_logger.error("%s", e)
+ except CalledProcessError:
+ root_logger.debug("OpenDNSSEC database has not been updated")

As this is not error during uninstall.

--
Martin Basti
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0252.5-DNSSEC-allow-to-disable-replace-DNSSEC-key-master.patch
Type: text/x-patch
Size: 24380 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0253.5-DNSSEC-update-message.patch
Type: text/x-patch
Size: 1050 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0268-Allow-to-run-subprocess-with-suplementary-groups.patch
Type: text/x-patch
Size: 3182 bytes
Desc: not available
URL:
From tbordaz at redhat.com Tue Jun 30 08:43:12 2015
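Review bot: the replacement line `+ root_logger.debug("OpenDNSSEC database has not been updated")` drops the exception text that the removed `- root_logger.error("%s", e)` recorded, so when the ods-ksmutil run fails during uninstall the log no longer says why (permission problem, missing binary, bad database); keep the `as e` binding and include it, e.g. `root_logger.debug("OpenDNSSEC database has not been updated: %s", e)`. Lowering the level to debug for the uninstall path is fine, but the detail should survive the downgrade.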
From: tbordaz at redhat.com (thierry bordaz)
Date: Tue, 30 Jun 2015 10:43:12 +0200
Subject: [Freeipa-devel] [PATCH 0016] clear start attr from segment after initialization
In-Reply-To: <5592431D.1020100@redhat.com>
References: <5587D6FF.8020706@redhat.com> <558D420D.8010603@redhat.com> <5592431D.1020100@redhat.com>
Message-ID: <559256A0.90904@redhat.com>

On 06/30/2015 09:19 AM, Ludwig Krispenz wrote:
>
> On 06/26/2015 02:14 PM, thierry bordaz wrote:
>> On 06/22/2015 11:35 AM, Ludwig Krispenz wrote:
>>> fix for ticket #5065, removing start
>>> - after online init completed
>>> - additionally check after startup
>>>
>>>
>> Hi Ludwig,
>>
>> The fix looks good to me.
>> I have just a clarification regarding ipa_topo_util_reset_init. It
>> resets 'nsds5BeginReplicaRefresh' at the condition the
>> segment->[left,right]->target=localhost.
> it is called "post_init", after an online initialization, so the host
> where this is checked was the target of an init.
> at startup, when there is a check, if it is still present, it will
> check that it is the origin of a refresh, clear it and not repeat the init

OK I understand my mistake now. Thanks for your explanations.

Would you add a comment that when calling ipa_topo_util_remove_init_attr
(in ipa_topo_util_update_agmt_list) it will reset 'nsds5BeginReplicaRefresh'
when the host is a supplier.
Also when calling ipa_topo_util_reset_init (in ipa_topo_apply_shared_config)
it will reset 'nsds5BeginReplicaRefresh' when the host is a consumer.

Another point, ipa_topo_apply_shared_config is called after an online init
of the main suffix. It will reset all 'nsds5BeginReplicaRefresh' (via
ipa_topo_apply_shared_replica_config and via ipa_topo_util_reset_init) on
all suffixes. IMHO it is fine because a reinit of the shared tree should
reset all administrative tasks, but maybe it is worth a comment.

Otherwise the patch is ok for me.

ACK

thanks
thierry

>> I would expect it resets the flag on the master side and so it tests
>> 'segment->[left,right]->origin=localhost'.
>>
>> thanks
>> thierry
>
From jcholast at redhat.com Tue Jun 30 09:47:22 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 30 Jun 2015 11:47:22 +0200
Subject: [Freeipa-devel] Issues inizializing api
In-Reply-To: <1435357266.4591.19.camel@willson.usersys.redhat.com>
References: <1435357266.4591.19.camel@willson.usersys.redhat.com>
Message-ID: <559265AA.7000005@redhat.com>

On 27.6.2015 at 00:21, Simo Sorce wrote:
> If I try to create a custom api with something like:
> myapi = create_api(mode=None)
> myapi.finalize()
>
> I get back a stacktrace in the aci plugin.
>
> The aci plugin assumes the general 'api' has been already initialized
> and dereferences directly api.env.container_user and other stuff.
>
> Do I always have to api.finalize() before creating new api objects ?
> Is there a way to load only the env (all I am really interested in)
> without loading any plugin ?

The bootstrap method initializes env:

myapi = create_api(mode=None)
myapi.bootstrap()

--
Jan Cholasta
From jcholast at redhat.com Tue Jun 30 10:04:09 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 30 Jun 2015 12:04:09 +0200
Subject: [Freeipa-devel] [PATCHES 0042-45] new commands for adding/removing certificates from entries
In-Reply-To: <559103A2.4080706@redhat.com>
References: <558947C9.9020509@redhat.com> <559103A2.4080706@redhat.com>
Message-ID: <55926999.5020301@redhat.com>

On 29.6.2015 at 10:36, Martin Babinsky wrote:
> On 06/23/2015 01:49 PM, Martin Babinsky wrote:
>> This patchset implements new API commands for manipulating
>> user/host/service userCertificate attribute alongside some underlying
>> plumbing.
>>
>> PATCH 0045 is a small test suite that I slapped together since manual
>> testing of this stuff is very cumbersome. It requires my PATCH 0040 to
>> apply and work which was pushed to master recently
>> (commit 74883bbc959058c8bfafd9f63e8fad0e3792ac28).
>>
>> The work is related to http://www.freeipa.org/page/V4/User_Certificates
>> and https://fedorahosted.org/freeipa/ticket/4238
>>
>>
>>
> Attaching updated patches.
>
> Here are some notes for Jan because I did some things differently than
> we agreed on during review:
>
>
> 1.) I chose not to rename 'usercertificate' to 'usercertificate;binary'
> and back in pre/post callbacks. Despite the fact that the correct way to
> name the certificate attribute is 'usercertificate;binary', I feel that
> suddenly renaming it in the new code is asking for trouble.

New code is new, there is no renaming, there is naming, and that naming
should follow standards, and the standard is userCertificate;binary.

(For the record I did not ask for any renaming in *old* host and service
code.)

>
> I'm all for changing the mapping between CLI options and actual
> attribute names but it should be done in a systematic fashion.

+1, shall I post a patch?

>
> 2.) I have kept the `normalize_certs` function. It has the potential to
> catch incorrectly formatted/encoded certificates and in a way
> circumvents the slightly demented way the framework deals with
> supposedly binary data.

One sentence above you asked for doing things in systematic fashion.
This is exactly what it isn't. A systematic solution would be a new
parameter type for certificates.

>
> I have also added two negative test cases which deal with incorrectly
> encoded and formatted certificates.
>

--
Jan Cholasta
From lkrispen at redhat.com Tue Jun 30 10:05:47 2015
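The kind of check the `normalize_certs` discussion above is about, as an added example that is not FreeIPA's normalize_certs and not the parameter type Jan proposes: one function that accepts a userCertificate value as raw DER, PEM text or bare base64, rejects anything that is not valid base64 or not a self-consistent outer DER SEQUENCE, and returns a canonical base64 form for storage. The check is structural only (outermost tag and length), not an X.509 parse; the sample values are constructed for the example and are not real certificates.

```python
import base64
import binascii
import re

# PEM armor as produced by OpenSSL; the body may be wrapped at any width.
_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _outer_sequence(der):
    """Return (header_len, content_len) of the outer DER SEQUENCE.

    Only the outermost tag and length are checked; this is a structural
    sanity check, not an X.509 parser.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (expected tag 0x30)")
    first = der[1]
    if first < 0x80:                       # short form: one length byte
        return 2, first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("bad DER length encoding")
    content = int.from_bytes(der[2:2 + n], "big")
    # DER requires the shortest possible length encoding.
    if content < 0x80 or (n > 1 and content < (1 << (8 * (n - 1)))):
        raise ValueError("non-minimal DER length encoding")
    return 2 + n, content


def normalize_cert(value):
    """Return the canonical base64(DER) form of a certificate.

    Accepts raw DER bytes, PEM text or bare base64 (str or ASCII bytes).
    Whitespace inside the base64 is tolerated (copy-paste line wraps);
    anything that is not valid base64 or not a self-consistent DER
    SEQUENCE raises ValueError instead of being stored as-is.
    """
    if isinstance(value, bytes) and value[:1] == b"\x30":
        der = value
    else:
        try:
            text = value.decode("ascii") if isinstance(value, bytes) else value
            m = _PEM_RE.search(text)
            b64 = "".join((m.group(1) if m else text).split())
            der = base64.b64decode(b64, validate=True)
        except (binascii.Error, ValueError) as e:
            raise ValueError("certificate is not valid base64: %s" % e)
    header, content = _outer_sequence(der)
    if header + content != len(der):
        raise ValueError("DER length mismatch: header declares %d bytes, "
                         "got %d" % (content, len(der) - header))
    return base64.b64encode(der).decode("ascii")


def is_well_formed(value):
    """Boolean wrapper, handy for negative test cases."""
    try:
        normalize_cert(value)
        return True
    except ValueError:
        return False


# Constructed sample: a DER SEQUENCE containing INTEGER 5.  Not a real
# certificate, just the smallest input that passes the structural checks.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"
SAMPLE_B64 = "MAMCAQU="
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              "MAMC\nAQU=\n"
              "-----END CERTIFICATE-----\n")
# Constructed sample exercising the long-form length: an OCTET STRING of
# 127 bytes inside a SEQUENCE whose content length (129) is encoded 81 81.
SAMPLE_DER_LONG = b"\x30\x81\x81" + b"\x04\x7f" + b"A" * 127
```

All three input shapes normalize to the same stored string, while truncated base64, a trailing garbage byte or a length field that disagrees with the payload are refused before they reach the directory; a systematic parameter type would carry exactly this validation in one place instead of per-command callbacks.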
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Tue, 30 Jun 2015 12:05:47 +0200
Subject: [Freeipa-devel] [PATCH 0016] clear start attr from segment after initialization
In-Reply-To: <559256A0.90904@redhat.com>
References: <5587D6FF.8020706@redhat.com> <558D420D.8010603@redhat.com> <5592431D.1020100@redhat.com> <559256A0.90904@redhat.com>
Message-ID: <559269FB.5060206@redhat.com>

new patch with comments attached

On 06/30/2015 10:43 AM, thierry bordaz wrote:
> On 06/30/2015 09:19 AM, Ludwig Krispenz wrote:
>>
>> On 06/26/2015 02:14 PM, thierry bordaz wrote:
>>> On 06/22/2015 11:35 AM, Ludwig Krispenz wrote:
>>>> fix for ticket #5065, removing start
>>>> - after online init completed
>>>> - additionally check after startup
>>>>
>>>>
>>> Hi Ludwig,
>>>
>>> The fix looks good to me.
>>> I have just a clarification regarding ipa_topo_util_reset_init. It
>>> resets 'nsds5BeginReplicaRefresh' at the condition the
>>> segment->[left,right]->target=localhost.
>> it is called "post_init", after an online initialization, so the host
>> where this is checked was the target of an init.
>> at startup, when there is a check, if it is still present, it will
>> check that it is the origin of a refresh, clear it and not repeat the
>> init
>
> OK I understand my mistake now. Thanks for your explanations.
>
> Would you add a comment that when calling
> ipa_topo_util_remove_init_attr (in ipa_topo_util_update_agmt_list)
> it will reset 'nsds5BeginReplicaRefresh' when the host is a supplier.
> Also when calling ipa_topo_util_reset_init (in
> ipa_topo_apply_shared_config) it will reset
> 'nsds5BeginReplicaRefresh' when the host is a consumer.
>
> Another point, ipa_topo_apply_shared_config is called after an online
> init of the main suffix. It will reset all 'nsds5BeginReplicaRefresh'
> (via ipa_topo_apply_shared_replica_config and via
> ipa_topo_util_reset_init) on all suffixes. IMHO it is fine because
> a reinit of the shared tree should reset all administrative tasks, but
> maybe it is worth a comment.
>
> Otherwise the patch is ok for me.
>
> ACK
>
>
> thanks
> thierry
>
>>> I would expect it resets the flag on the master side and so it tests
>>> 'segment->[left,right]->origin=localhost'.
>>>
>>> thanks
>>> thierry
>>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-lkrispen-0016-v2-clear-start-attr-from-segment-after-initializatio.patch
Type: text/x-patch
Size: 9475 bytes
Desc: not available
URL:
From lkrispen at redhat.com Tue Jun 30 10:07:46 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Tue, 30 Jun 2015 12:07:46 +0200
Subject: [Freeipa-devel] [PATCH 0017] dirsrv crash on segment add if suffix does not exist
Message-ID: <55926A72.9040205@redhat.com>

added verification for issue reported in ticket 5088 and sanity checks
requested in review for patch 0014
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-lkrispen-0017-improve-processing-of-invalid-data.patch
Type: text/x-patch
Size: 7866 bytes
Desc: not available
URL:
From simo at redhat.com Tue Jun 30 10:29:10 2015
From: simo at redhat.com (Simo Sorce)
Date: Tue, 30 Jun 2015 06:29:10 -0400
Subject: [Freeipa-devel] Issues inizializing api
In-Reply-To: <559265AA.7000005@redhat.com>
References: <1435357266.4591.19.camel@willson.usersys.redhat.com> <559265AA.7000005@redhat.com>
Message-ID: <1435660150.7621.46.camel@willson.usersys.redhat.com>

On Tue, 2015-06-30 at 11:47 +0200, Jan Cholasta wrote:
> On 27.6.2015 at 00:21, Simo Sorce wrote:
> > If I try to create a custom api with something like:
> > myapi = create_api(mode=None)
> > myapi.finalize()
> >
> > I get back a stacktrace in the aci plugin.
> >
> > The aci plugin assumes the general 'api' has been already initialized
> > and dereferences directly api.env.container_user and other stuff.
> >
> > Do I always have to api.finalize() before creating new api objects ?
> > Is there a way to load only the env (all I am really interested in)
> > without loading any plugin ?
>
> The bootstrap method initializes env:
>
> myapi = create_api(mode=None)
> myapi.bootstrap()
>

That's not what I am saying.

What I am saying is that if you *do not* finalize "api", then when you
try to finalize any other myownapi thing you built via create_api() it
blows up, because (at least) the aci module references directly "api",
but "api" is not finalized yet and does not have the env attributes the
aci plugin tries to use.

Try this:

python
> from ipalib import api, create_api
> myapi = create_api()
> myapi.finalize()

This ^^^ breaks.

However if you do:

> from ipalib import api, create_api
> myapi = create_api()
> api.finalize()
> myapi.finalize()

This works, as "api" has been finalized.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
From mbabinsk at redhat.com Tue Jun 30 10:37:22 2015
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Tue, 30 Jun 2015 12:37:22 +0200
Subject: [Freeipa-devel] [PATCHES 448-460] Allow multiple API instances (take 2)
In-Reply-To: <558ACAEE.3060503@redhat.com>
References: <558ACAEE.3060503@redhat.com>
Message-ID: <55927162.6090600@redhat.com>

On 06/24/2015 05:21 PM, Jan Cholasta wrote:
> Hi,
>
> the attached patches fix and .
>
> Honza
>
>
>
Hi Honza,

everything seems to work except `ipa-replica-prepare` which raises the
following exception:

http://fpaste.org/237625/43558123/

`git bisect` marks PATCH 453 as guilty.

--
Martin^3 Babinsky
From tbordaz at redhat.com Tue Jun 30 10:45:12 2015
From: tbordaz at redhat.com (thierry bordaz)
Date: Tue, 30 Jun 2015 12:45:12 +0200
Subject: [Freeipa-devel] [PATCH 0016] clear start attr from segment after initialization
In-Reply-To: <559269FB.5060206@redhat.com>
References: <5587D6FF.8020706@redhat.com> <558D420D.8010603@redhat.com> <5592431D.1020100@redhat.com> <559256A0.90904@redhat.com> <559269FB.5060206@redhat.com>
Message-ID: <55927338.5020605@redhat.com>

On 06/30/2015 12:05 PM, Ludwig Krispenz wrote:
> new patch with comments attached
>
> On 06/30/2015 10:43 AM, thierry bordaz wrote:
>> On 06/30/2015 09:19 AM, Ludwig Krispenz wrote:
>>>
>>> On 06/26/2015 02:14 PM, thierry bordaz wrote:
>>>> On 06/22/2015 11:35 AM, Ludwig Krispenz wrote:
>>>>> fix for ticket #5065, removing start
>>>>> - after online init completed
>>>>> - additionally check after startup
>>>>>
>>>>>
>>>> Hi Ludwig,
>>>>
>>>> The fix looks good to me.
>>>> I have just a clarification regarding ipa_topo_util_reset_init. It
>>>> resets 'nsds5BeginReplicaRefresh' at the condition the
>>>> segment->[left,right]->target=localhost.
>>> it is called "post_init", after an online initialization, so the
>>> host where this is checked was the target of an init.
>>> at startup, when there is a check, if it is still present, it will
>>> check that it is the origin of a refresh, clear it and not repeat
>>> the init
>>
>> OK I understand my mistake now. Thanks for your explanations.
>>
>> Would you add a comment that when calling
>> ipa_topo_util_remove_init_attr (in ipa_topo_util_update_agmt_list)
>> it will reset 'nsds5BeginReplicaRefresh' when the host is a
>> supplier.
>> Also when calling ipa_topo_util_reset_init (in
>> ipa_topo_apply_shared_config) it will reset
>> 'nsds5BeginReplicaRefresh' when the host is a consumer.
>>
>> Another point, ipa_topo_apply_shared_config is called after an
>> online init of the main suffix. It will reset all
>> 'nsds5BeginReplicaRefresh' (via ipa_topo_apply_shared_replica_config
>> and via ipa_topo_util_reset_init) on all suffixes. IMHO it is fine
>> because a reinit of the shared tree should reset all administrative
>> tasks, but maybe it is worth a comment.
>>
>> Otherwise the patch is ok for me.
>>
>> ACK
>>
>>
>> thanks
>> thierry
>>
>>>> I would expect it resets the flag on the master side and so it
>>>> tests 'segment->[left,right]->origin=localhost'.
>>>>
>>>> thanks
>>>> thierry
>>>
>>
>

Thanks Ludwig.

ACK
From tbabej at redhat.com Tue Jun 30 10:48:22 2015
From: tbabej at redhat.com (Tomas Babej)
Date: Tue, 30 Jun 2015 12:48:22 +0200
Subject: [Freeipa-devel] [PATCH 0016] clear start attr from segment after initialization
In-Reply-To: <55927338.5020605@redhat.com>
References: <5587D6FF.8020706@redhat.com> <558D420D.8010603@redhat.com> <5592431D.1020100@redhat.com> <559256A0.90904@redhat.com> <559269FB.5060206@redhat.com> <55927338.5020605@redhat.com>
Message-ID: <559273F6.4050302@redhat.com>

On 06/30/2015 12:45 PM, thierry bordaz wrote:
> On 06/30/2015 12:05 PM, Ludwig Krispenz wrote:
>> new patch with comments attached
>>
>> On 06/30/2015 10:43 AM, thierry bordaz wrote:
>>> On 06/30/2015 09:19 AM, Ludwig Krispenz wrote:
>>>>
>>>> On 06/26/2015 02:14 PM, thierry bordaz wrote:
>>>>> On 06/22/2015 11:35 AM, Ludwig Krispenz wrote:
>>>>>> fix for ticket #5065, removing start
>>>>>> - after online init completed
>>>>>> - additionally check after startup
>>>>>>
>>>>>>
>>>>> Hi Ludwig,
>>>>>
>>>>> The fix looks good to me.
>>>>> I have just a clarification regarding ipa_topo_util_reset_init. It
>>>>> resets 'nsds5BeginReplicaRefresh' at the condition the
>>>>> segment->[left,right]->target=localhost.
>>>> it is called "post_init", after an online initialization, so the
>>>> host where this is checked was the target of an init.
>>>> at startup, when there is a check, if it is still present, it will
>>>> check that it is the origin of a refresh, clear it and not repeat
>>>> the init
>>>
>>> OK I understand my mistake now. Thanks for your explanations.
>>>
>>> Would you add a comment that when calling
>>> ipa_topo_util_remove_init_attr (in ipa_topo_util_update_agmt_list)
>>> it will reset 'nsds5BeginReplicaRefresh' when the host is a
>>> supplier.
>>> Also when calling ipa_topo_util_reset_init (in
>>> ipa_topo_apply_shared_config) it will reset
>>> 'nsds5BeginReplicaRefresh' when the host is a consumer.
>>>
>>> Another point, ipa_topo_apply_shared_config is called after an
>>> online init of the main suffix. It will reset all
>>> 'nsds5BeginReplicaRefresh' (via ipa_topo_apply_shared_replica_config
>>> and via ipa_topo_util_reset_init) on all suffixes. IMHO it is fine
>>> because a reinit of the shared tree should reset all administrative
>>> tasks, but maybe it is worth a comment.
>>>
>>> Otherwise the patch is ok for me.
>>>
>>> ACK
>>>
>>>
>>> thanks
>>> thierry
>>>
>>>>> I would expect it resets the flag on the master side and so it
>>>>> tests 'segment->[left,right]->origin=localhost'.
>>>>>
>>>>> thanks
>>>>> thierry
>>>>
>>>
>>
> Thanks Ludwig.
>
> ACK
>
>

Pushed to master: bb1f45b7f093bcc07094cf65b66189125fa44bc7
From tbabej at redhat.com Tue Jun 30 10:51:12 2015
From: tbabej at redhat.com (Tomas Babej)
Date: Tue, 30 Jun 2015 12:51:12 +0200
Subject: [Freeipa-devel] [PATCH 0038] increase NSS memcache timeout for IPA server
In-Reply-To: <55924975.8040403@redhat.com>
References: <5565A9A8.7020206@redhat.com> <20150527113354.GI12030@mail.corp.redhat.com> <5565AD48.5020405@redhat.com> <55924975.8040403@redhat.com>
Message-ID: <559274A0.8010503@redhat.com>

On 06/30/2015 09:47 AM, Martin Basti wrote:
> On 27/05/15 13:40, Martin Babinsky wrote:
>> On 05/27/2015 01:33 PM, Lukas Slebodnik wrote:
>>> On (27/05/15 13:25), Martin Babinsky wrote:
>>>> https://fedorahosted.org/freeipa/ticket/4964
>>>>
>>>> --
>>>> Martin^3 Babinsky
>>>
>>>> From ef8481ee0267a720551832baae9398b435b3c6c5 Mon Sep 17 00:00:00 2001
>>>> From: Martin Babinsky
>>>> Date: Tue, 26 May 2015 18:11:08 +0200
>>>> Subject: [PATCH] increase NSS memcache timeout for IPA server
>>>>
>>>> Increasing memcache timeout to 600 seconds when configuring sssd on
>>>> IPA server
>>>> should improve performance when dealing with large groups in trusts.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/4964
>>>> ---
>>>> ipa-client/ipa-install/ipa-client-install | 9 +++++++++
>>>> 1 file changed, 9 insertions(+)
>>>> >>>> diff --git a/ipa-client/ipa-install/ipa-client-install >>>> b/ipa-client/ipa-install/ipa-client-install >>>> index >>>> 63e3c9800791f3d29c977d63815c4291f5a235b9..ab3bc8a652dad01b9db5a26b877f38b850cb07f1 >>>> 100755 >>>> --- a/ipa-client/ipa-install/ipa-client-install >>>> +++ b/ipa-client/ipa-install/ipa-client-install 
>>>> @@ -1274,6 +1274,15 @@ def configure_sssd_conf(fstore, cli_realm, >>>> cli_domain, cli_server, options, clie >>>> # the master should only use itself for Kerberos >>>> domain.set_option('ipa_server', cli_server[0]) >>>> >>>> + # increase memcache timeout to 10 minutes when in server mode >>>> + try: >>>> + nss_service = sssdconfig.get_service('nss') >>>> + except SSSDConfig.NoServiceError: >>>> + nss_service = sssdconfig.new_service('nss') >>>> + >>>> + nss_service.set_option('memcache_timeout', 600) >>>> + sssdconfig.save_service(nss_service) >>>> + >>> >>> NACK >>> >>> It should not be set to such high value for each client. >>> >>> It should be configured if and only if sssd is in the ipa-server mode >>> (trust with AD) >>> >>> LS >>> >> Lukas, >> >> it actually is set only when '--on-master' option is used, as can be >> (hopefully) seen from the following code: >> >> """ >> if not options.on_master: >> if options.primary: >> domain.set_option('ipa_server', ', '.join(cli_server)) >> else: >> domain.set_option('ipa_server', '_srv_, %s' % ', >> '.join(cli_server)) >> else: >> domain.set_option('ipa_server_mode', 'True') >> # the master should only use itself for Kerberos >> domain.set_option('ipa_server', cli_server[0]) >> >> # increase memcache timeout to 10 minutes when in server mode >> try: >> nss_service = sssdconfig.get_service('nss') >> except SSSDConfig.NoServiceError: >> nss_service = sssdconfig.new_service('nss') >> >> nss_service.set_option('memcache_timeout', 600) >> sssdconfig.save_service(nss_service) >> """ >> > ACK > Pushed to master: 90788a25d6d54b084541336a83946d37a73076ef From tbabej at redhat.com Tue Jun 30 11:00:14 2015 
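Review bot: the `nss_service.set_option('memcache_timeout', 600)` line in this hunk overwrites any memcache_timeout an administrator already placed in the [nss] section, and nothing in the visible lines checks for an existing value first; either read it back from the service object before setting and only apply 600 when the option is absent, or extend the "# increase memcache timeout to 10 minutes when in server mode" comment to say that server mode deliberately overrides a local setting. Because the quoted copy has lost the function's indentation, the hunk alone does not show that the block sits under the on_master branch (Martin's follow-up paste is what confirms it); a one-line comment naming that precondition would make the hunk reviewable on its own.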
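The server-mode-only memcache tuning from the patch above, as an added example that is not FreeIPA's code: it works on an in-memory sssd.conf with the standard-library configparser instead of SSSDConfig, keeps the patch's rule that only a host installed with --on-master gets the long timeout, and adds the check the patch lacks, leaving an administrator's existing memcache_timeout alone unless explicitly told to override it. The sample configuration and the on_master / override_existing parameters are constructed for the example.

```python
"""Added example (not FreeIPA's own code): apply the on-master-only NSS
memcache tuning from the thread to an sssd.conf held in memory, using
configparser instead of SSSDConfig.  Section and option names follow
sssd.conf; the sample file and parameters are constructed for the example."""
import configparser
import io

# Value from the patch under review: 10 minutes, server mode only.
SERVER_MODE_MEMCACHE_TIMEOUT = 600

# Constructed sample sssd.conf (not taken from a real host).
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam, ssh
domains = example.test

[domain/example.test]
id_provider = ipa
ipa_server = _srv_, ipa1.example.test
"""


def load_conf(text):
    """Parse sssd.conf text; interpolation is off because sssd.conf values
    may legitimately contain '%' (e.g. ldap_user_search_base filters)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def configure_nss_memcache(cp, on_master, override_existing=False):
    """Mirror the patch's logic: only a server (on_master) gets the long
    memcache_timeout.  Unlike the patch, an administrator-set value is kept
    unless override_existing is True.  Returns the value now in effect, or
    None when the option was left untouched, so callers can log it."""
    if not on_master:
        # Plain clients keep sssd's default; a long NSS cache lifetime is
        # only wanted where trust lookups against large AD groups happen.
        return None
    if not cp.has_section("nss"):
        # Equivalent of SSSDConfig.new_service('nss') in the patch.
        cp.add_section("nss")
    if cp.has_option("nss", "memcache_timeout") and not override_existing:
        return cp.getint("nss", "memcache_timeout")
    cp.set("nss", "memcache_timeout", str(SERVER_MODE_MEMCACHE_TIMEOUT))
    return SERVER_MODE_MEMCACHE_TIMEOUT


def dump_conf(cp):
    """Render the parser back to sssd.conf text (stand-in for save_service)."""
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()


def apply_memcache_tuning(text, on_master, override_existing=False):
    """Load, tune and return the parser for inspection or dumping."""
    cp = load_conf(text)
    configure_nss_memcache(cp, on_master, override_existing)
    return cp


if __name__ == "__main__":
    print(dump_conf(apply_memcache_tuning(SAMPLE_SSSD_CONF, on_master=True)))
```

configparser lowercases option names by default, which matches sssd.conf's case-insensitive keys; on a real host the installer keeps using SSSDConfig, this only isolates the decision logic so it can be tested without sssd installed.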
From: tbabej at redhat.com (Tomas Babej) Date: Tue, 30 Jun 2015 13:00:14 +0200 Subject: [Freeipa-devel] [PATCH 0051] Clear SSSD caches when uninstalling the client In-Reply-To: <55914D1E.2070600@redhat.com> References: <5571BA2C.4050601@redhat.com> <20150605150836.GK9480@hendrix.arn.redhat.com> <20150605155324.GL9480@hendrix.arn.redhat.com> <20150629114639.GB6442@hendrix.redhat.com> <55914D1E.2070600@redhat.com> Message-ID: <559276BE.5080801@redhat.com> On 06/29/2015 03:50 PM, Martin Basti wrote: > On 29/06/15 13:46, Jakub Hrozek wrote: >> On Fri, Jun 05, 2015 at 11:31:54AM -0600, Gabe Alford wrote: >>> Thanks. Updated patch attached. >>> >>> On Fri, Jun 5, 2015 at 9:53 AM, Jakub Hrozek wrote: >>> >>>> On Fri, Jun 05, 2015 at 09:46:05AM -0600, Gabe Alford wrote: >>>>> How should ? >>>>> https://www.redhat.com/archives/freeipa-users/2015-June/msg00116.html >>>>> be >>>>> handled where the user cleared out the db cache? >>>> Ah, I confused that one with another issue Jan Pazdziora had, which was >>>> incidentally about client uninstall as well. >>>> >>>> In that case, you can just remove the single ldb file that corresponds >>>> to the domain that the client is leaving. Maybe it would be safer to mv >>>> the files instead of remove them, but I guess if you run --uninstall, >>>> you really want just to purge everything.. >>>> >>>> btw do the ipa installer tools support multiple domains at all? >>>> >>>> -- >>>> Manage your subscription for the Freeipa-devel mailing list: >>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>>> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code >>>> >>> From 40f7c3780baaf0b42d10c94c8527c9359a42247f Mon Sep 17 00:00:00 2001 
>>> From: Gabe >>> Date: Fri, 5 Jun 2015 11:27:46 -0600 >>> Subject: [PATCH] Clear SSSD caches when uninstalling the client >>> >>> https://fedorahosted.org/freeipa/ticket/5049 >> Conceptually LGTM, but I haven't tested the patch. >> > ACK, I did testing. > Pushed to master: 37729936dd6fe9c3396cbb8a682a4674af8b5537 For ipa-4-1 the patch requires a rebase. From mbasti at redhat.com Tue Jun 30 11:08:19 2015 
From: mbasti at redhat.com (Martin Basti) Date: Tue, 30 Jun 2015 13:08:19 +0200 Subject: [Freeipa-devel] [PATCH 0051] Clear SSSD caches when uninstalling the client In-Reply-To: <559276BE.5080801@redhat.com> References: <5571BA2C.4050601@redhat.com> <20150605150836.GK9480@hendrix.arn.redhat.com> <20150605155324.GL9480@hendrix.arn.redhat.com> <20150629114639.GB6442@hendrix.redhat.com> <55914D1E.2070600@redhat.com> <559276BE.5080801@redhat.com> Message-ID: <559278A3.7010005@redhat.com> On 30/06/15 13:00, Tomas Babej wrote: > > On 06/29/2015 03:50 PM, Martin Basti wrote: >> On 29/06/15 13:46, Jakub Hrozek wrote: >>> On Fri, Jun 05, 2015 at 11:31:54AM -0600, Gabe Alford wrote: >>>> Thanks. Updated patch attached. >>>> >>>> On Fri, Jun 5, 2015 at 9:53 AM, Jakub Hrozek wrote: >>>> >>>>> On Fri, Jun 05, 2015 at 09:46:05AM -0600, Gabe Alford wrote: >>>>>> How should ? >>>>>> https://www.redhat.com/archives/freeipa-users/2015-June/msg00116.html >>>>>> be >>>>>> handled where the user cleared out the db cache? >>>>> Ah, I confused that one with another issue Jan Pazdziora had, which was >>>>> incidentally about client uninstall as well. >>>>> >>>>> In that case, you can just remove the single ldb file that corresponds >>>>> to the domain that the client is leaving. Maybe it would be safer to mv >>>>> the files instead of remove them, but I guess if you run --uninstall, >>>>> you really want just to purge everything.. >>>>> >>>>> btw do the ipa installer tools support multiple domains at all? >>>>> >>>>> -- >>>>> Manage your subscription for the Freeipa-devel mailing list: >>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>>>> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code >>>>> >>>> From 40f7c3780baaf0b42d10c94c8527c9359a42247f Mon Sep 17 00:00:00 2001 
>>>> From: Gabe >>>> Date: Fri, 5 Jun 2015 11:27:46 -0600 >>>> Subject: [PATCH] Clear SSSD caches when uninstalling the client >>>> >>>> https://fedorahosted.org/freeipa/ticket/5049 >>> Conceptually LGTM, but I haven't tested the patch. >>> >> ACK, I did testing. >> > Pushed to master: 37729936dd6fe9c3396cbb8a682a4674af8b5537 > > For ipa-4-1 the patch requires a rebase. Rebased patch for ipa-4-1 attached. -- Martin Basti -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rga-ipa41-0051-Clear-SSSD-caches-when-uninstalling-the-client.patch Type: text/x-patch Size: 2236 bytes Desc: not available URL: From mbabinsk at redhat.com Tue Jun 30 11:11:59 2015 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Tue, 30 Jun 2015 13:11:59 +0200 Subject: [Freeipa-devel] [PATCHES 0042-45] new commands for adding/removing certificates from entries In-Reply-To: <55926999.5020301@redhat.com> References: <558947C9.9020509@redhat.com> <559103A2.4080706@redhat.com> <55926999.5020301@redhat.com> Message-ID: <5592797F.6030509@redhat.com> On 06/30/2015 12:04 PM, Jan Cholasta wrote: > Dne 29.6.2015 v 10:36 Martin Babinsky napsal(a): >> On 06/23/2015 01:49 PM, Martin Babinsky wrote: >>> This patchset implements new API commands for manipulating >>> user/host/service userCertificate attribute alongside some underlying >>> plumbing. >>> >>> PATCH 0045 is a small test suite that I slapped together since manual >>> testing of this stuff is very cumbersome. It requires my PATCH 0040 to >>> apply and work which was pushed to master recently >>> (commit 74883bbc959058c8bfafd9f63e8fad0e3792ac28). >>> >>> The work is related to http://www.freeipa.org/page/V4/User_Certificates >>> and https://fedorahosted.org/freeipa/ticket/4238 >>> >>> >>> >> Attaching updated patches. >> >> Here are some notes for Jan because I did some things differently than >> we agreed on during review: >> >> >> 1.) I chose not to rename 'usercertificate' to 'usercertificate;binary' >> and back in pre/post callbacks. Despite the fact that the correct way to >> name the certificate attribute is 'usercertificate;binary', I feel that >> suddenly renaming it in the new code is asking for trouble. > > New code is new, there is no renaming, there is naming, and that naming > should follow standards, and the standard is userCertificate;binary. > > (For the record I did not ask for any renaming in *old* host and service > code.) > OK I will then use 'usercertificate;binary' and try to not break things. >> >> I'm all for changing the mapping between CLI options and actual >> attribute names but it should be done in a systematic fashion. > > +1, shall I post a patch? 
> That would be great, but I'm not sure if there is time for it. Maybe we can create a ticket for tracking? >> >> 2.) I have kept the `normalize_certs` function. It has the potential to >> catch incorrectly formatted/encoded certificates and in a way >> circumvents the slightly demented way the framework deals with >> supposedly binary data. > > One sentence above you asked for doing things in systematic fashion. > This is exactly what it isn't. A systematic solution would be a new > parameter type for certificates. > Ha I didn't notice that incorrect encoding is caught by validator. But I think that we still need to catch malformed certificates that can not be decoded to DER and AFAIK we don't do that anywhere (failing tests when adding a random Base64-encoded string confirm this). All this probably stems from my confusion about the way IPA framework guesses binary data. For example, if I call `api.Command.user_add_cert` and fill 'certificate' option with Base64 blob reencoded to Unicode, everything works as expected. However, filling this option with 'str' leads to another round of Base64 encoding in the framework, leading to 'userCertificate;binary' which is filled by original Base64 blob instead of DER encoded cert. >> >> I have also added two negative test cases which deal with incorrectly >> encoded and formatted certificates. >> > > -- Martin^3 Babinsky From tbabej at redhat.com Tue Jun 30 11:19:16 2015 
From: tbabej at redhat.com (Tomas Babej) Date: Tue, 30 Jun 2015 13:19:16 +0200 Subject: [Freeipa-devel] [PATCH 0051] Clear SSSD caches when uninstalling the client In-Reply-To: <559278A3.7010005@redhat.com> References: <5571BA2C.4050601@redhat.com> <20150605150836.GK9480@hendrix.arn.redhat.com> <20150605155324.GL9480@hendrix.arn.redhat.com> <20150629114639.GB6442@hendrix.redhat.com> <55914D1E.2070600@redhat.com> <559276BE.5080801@redhat.com> <559278A3.7010005@redhat.com> Message-ID: <55927B34.1080603@redhat.com> On 06/30/2015 01:08 PM, Martin Basti wrote: > On 30/06/15 13:00, Tomas Babej wrote: >> >> On 06/29/2015 03:50 PM, Martin Basti wrote: >>> On 29/06/15 13:46, Jakub Hrozek wrote: >>>> On Fri, Jun 05, 2015 at 11:31:54AM -0600, Gabe Alford wrote: >>>>> Thanks. Updated patch attached. >>>>> >>>>> On Fri, Jun 5, 2015 at 9:53 AM, Jakub Hrozek >>>>> wrote: >>>>> >>>>>> On Fri, Jun 05, 2015 at 09:46:05AM -0600, Gabe Alford wrote: >>>>>>> How should ? >>>>>>> https://www.redhat.com/archives/freeipa-users/2015-June/msg00116.html >>>>>>> >>>>>>> be >>>>>>> handled where the user cleared out the db cache? >>>>>> Ah, I confused that one with another issue Jan Pazdziora had, >>>>>> which was >>>>>> incidentally about client uninstall as well. >>>>>> >>>>>> In that case, you can just remove the single ldb file that >>>>>> corresponds >>>>>> to the domain that the client is leaving. Maybe it would be safer >>>>>> to mv >>>>>> the files instead of remove them, but I guess if you run --uninstall, >>>>>> you really want just to purge everything.. >>>>>> >>>>>> btw do the ipa installer tools support multiple domains at all? >>>>>> >>>>>> -- >>>>>> Manage your subscription for the Freeipa-devel mailing list: >>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>>>>> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code >>>>>> >>>>> From 40f7c3780baaf0b42d10c94c8527c9359a42247f Mon Sep 17 00:00:00 >>>>> 2001 
>>>>> From: Gabe >>>>> Date: Fri, 5 Jun 2015 11:27:46 -0600 >>>>> Subject: [PATCH] Clear SSSD caches when uninstalling the client >>>>> >>>>> https://fedorahosted.org/freeipa/ticket/5049 >>>> Conceptually LGTM, but I haven't tested the patch. >>>> >>> ACK, I did testing. >>> >> Pushed to master: 37729936dd6fe9c3396cbb8a682a4674af8b5537 >> >> For ipa-4-1 the patch requires a rebase. > Rebased patch for ipa-4-1 attached. > Pushed to ipa-4-1: 222427cb37a037f24ca76a9bcf614a2711a2ba96 From mbasti at redhat.com Tue Jun 30 11:25:54 2015 From: mbasti at redhat.com (Martin Basti) Date: Tue, 30 Jun 2015 13:25:54 +0200 Subject: [Freeipa-devel] [PATCH 0270] Sanitize CA replica install Message-ID: <55927CC2.7010108@redhat.com> Check if cafile exists first, before using it. Patch attached. -- Martin Basti -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0270-Sanitize-CA-replica-install.patch Type: text/x-patch Size: 2586 bytes Desc: not available URL: From tbabej at redhat.com Tue Jun 30 11:37:02 2015 From: tbabej at redhat.com (Tomas Babej) Date: Tue, 30 Jun 2015 13:37:02 +0200 Subject: [Freeipa-devel] [PATCH] 1114 don't rely on positional arguments in pykerberos calls In-Reply-To: <558D763B.2020102@redhat.com> References: <558D763B.2020102@redhat.com> Message-ID: <55927F5E.4020103@redhat.com> On 06/26/2015 05:56 PM, Rob Crittenden wrote: > I'm working on rebasing python-kerberos (PyKerberos) in rawhide and when > upstream accepted our patch which added the ability to pass in flags to > authGSSClientInit() they changed the ordering such that the IPA call > will fail as it relies on positional arguments. > > The fix is simple enough: use named arguments. > > Still working on the rebase but this patch is obvious. > > Target would be master branch only. I have no plans on updating > python-kerberos in F22. > > rob > > ACK. From tbabej at redhat.com Tue Jun 30 11:40:06 2015 
From: tbabej at redhat.com (Tomas Babej) Date: Tue, 30 Jun 2015 13:40:06 +0200 Subject: [Freeipa-devel] [PATCH 0270] Sanitize CA replica install In-Reply-To: <55927CC2.7010108@redhat.com> References: <55927CC2.7010108@redhat.com> Message-ID: <55928016.1040106@redhat.com> On 06/30/2015 01:25 PM, Martin Basti wrote: > Check if cafile exists first, before using it. > > Patch attached. > > > ACK From tbabej at redhat.com Tue Jun 30 11:41:40 2015 From: tbabej at redhat.com (Tomas Babej) Date: Tue, 30 Jun 2015 13:41:40 +0200 Subject: [Freeipa-devel] [PATCH 0270] Sanitize CA replica install In-Reply-To: <55928016.1040106@redhat.com> References: <55927CC2.7010108@redhat.com> <55928016.1040106@redhat.com> Message-ID: <55928074.4090406@redhat.com> On 06/30/2015 01:40 PM, Tomas Babej wrote: > > > On 06/30/2015 01:25 PM, Martin Basti wrote: >> Check if cafile exists first, before using it. >> >> Patch attached. >> >> >> > > ACK > Pushed to master: b2f0a018b6f2226106ec811cf01f9bcebb770126 From jcholast at redhat.com Tue Jun 30 11:51:31 2015 
From: jcholast at redhat.com (Jan Cholasta) Date: Tue, 30 Jun 2015 13:51:31 +0200 Subject: [Freeipa-devel] Issues inizializing api In-Reply-To: <1435660150.7621.46.camel@willson.usersys.redhat.com> References: <1435357266.4591.19.camel@willson.usersys.redhat.com> <559265AA.7000005@redhat.com> <1435660150.7621.46.camel@willson.usersys.redhat.com> Message-ID: <559282C3.8020106@redhat.com> Dne 30.6.2015 v 12:29 Simo Sorce napsal(a): > On Tue, 2015-06-30 at 11:47 +0200, Jan Cholasta wrote: >> Dne 27.6.2015 v 00:21 Simo Sorce napsal(a): >>> If I try to create a custom api with something like: >>> myapi = create_api(mode=None) >>> myapi.finalize() >>> >>> I get back a stacktrace in the aci plugin. >>> >>> The aci plugin assumes the general 'api' has been already inizialized >>> and dereferences directly api.env.container_user and other stuff. >>> >>> Do I always have to api.finalize() before creating new api objects ? >>> Is there a way to load only the env (all I am really interested in) >>> without loading any plugin ? >> >> The bootstrap method initializes env: >> >> myapi = create_api(mode=None) >> myapi.bootstrap() >> > > That's not what I am saying. > > What I am saying is that if you *do not* finalize "api", then when you > try to finalize any other myownapi thing you built via create_api() it > blows up, because (at least) the aci module references directly "api", > but "api" is not finalized yet and does not have the env attributes the > aci plugin tries to use. > > > Try this: > > python >> from ipalib import api, create_api >> myapi = create_api() >> myapi.finalize() > > This ^^^ breaks. > > However if you do: >> from ipalib import api, create_api >> myapi = create_api() >> api.finalize() >> myapi.finalize() > > This works, as "api" has been finalized. I see. Unfortunately, this is a limitation that has not been removed yet - there is a lot of old code that references ipalib.api directly which needs to be fixed. 
-- Jan Cholasta From abokovoy at redhat.com Tue Jun 30 12:03:01 2015 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 30 Jun 2015 08:03:01 -0400 (EDT) Subject: [Freeipa-devel] Issues inizializing api In-Reply-To: <559282C3.8020106@redhat.com> References: <1435357266.4591.19.camel@willson.usersys.redhat.com> <559265AA.7000005@redhat.com> <1435660150.7621.46.camel@willson.usersys.redhat.com> <559282C3.8020106@redhat.com> Message-ID: <860864509.11068457.1435665781824.JavaMail.zimbra@redhat.com> ----- Original Message ----- > Dne 30.6.2015 v 12:29 Simo Sorce napsal(a): > > On Tue, 2015-06-30 at 11:47 +0200, Jan Cholasta wrote: > >> Dne 27.6.2015 v 00:21 Simo Sorce napsal(a): > >>> If I try to create a custom api with something like: > >>> myapi = create_api(mode=None) > >>> myapi.finalize() > >>> > >>> I get back a stacktrace in the aci plugin. > >>> > >>> The aci plugin assumes the general 'api' has been already inizialized > >>> and dereferences directly api.env.container_user and other stuff. > >>> > >>> Do I always have to api.finalize() before creating new api objects ? > >>> Is there a way to load only the env (all I am really interested in) > >>> without loading any plugin ? > >> > >> The bootstrap method initializes env: > >> > >> myapi = create_api(mode=None) > >> myapi.bootstrap() > >> > > > > That's not what I am saying. > > > > What I am saying is that if you *do not* finalize "api", then when you > > try to finalize any other myownapi thing you built via create_api() it > > blows up, because (at least) the aci module references directly "api", > > but "api" is not finalized yet and does not have the env attributes the > > aci plugin tries to use. > > > > > > Try this: > > > > python > >> from ipalib import api, create_api > >> myapi = create_api() > >> myapi.finalize() > > > > This ^^^ breaks. > > > > However if you do: > >> from ipalib import api, create_api > >> myapi = create_api() > >> api.finalize() > >> myapi.finalize() > > > > This works, as "api" has been finalized. > > I see. 
> Unfortunately, this is a limitation that has not been removed yet
> - there is a lot of old code that references ipalib.api directly which
> needs to be fixed.

On the other hand, I need to reference ipalib.api from the code that would be running from both within the framework's plugin and outside it -- ipaserver/dcerpc.py has a number of objects and functions which need this. Removing the ability to use the ipalib.api singleton would mean I need to create wrappers to pass its instance in.

-- 
/ Alexander Bokovoy

From pspacek at redhat.com Tue Jun 30 12:36:04 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 30 Jun 2015 14:36:04 +0200
Subject: [Freeipa-devel] [PATCH 0046] DNSSEC: Store time & date key metadata in UTC
Message-ID: <55928D34.4020703@redhat.com>

Hello,

DNSSEC: Store time & date key metadata in UTC.

OpenDNSSEC stores key metadata in local time zone but BIND needs timestamps in UTC. UTC will be stored in LDAP.

https://fedorahosted.org/freeipa/ticket/4657

-- 
Petr^2 Spacek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pspacek-0046-DNSSEC-Store-time-date-key-metadata-in-UTC.patch
Type: text/x-patch
Size: 1553 bytes
Desc: not available
URL: 
From mbabinsk at redhat.com Tue Jun 30 12:45:44 2015
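The conversion Petr's patch summary describes, as an added example that is neither FreeIPA's nor OpenDNSSEC's code: key timing metadata recorded in the local time zone is rewritten as UTC in the YYYYMMDDHHMMSS form BIND uses for key timing, and already-converted values are left alone so a second pass cannot shift them again. The "YYYY-MM-DD HH:MM:SS" input format, the fixed UTC+2 zone standing in for the host's local zone, and the sample metadata are assumptions made for the example.

```python
"""Added example (not FreeIPA's or OpenDNSSEC's code) for the patch summary
above: local-time key metadata is rewritten as UTC in BIND's
YYYYMMDDHHMMSS form.  The local input format and the fixed-offset zone are
assumptions for the example; real code would use the host's zone."""
from datetime import datetime, timedelta, timezone

# BIND's key-timing format, as in "; Publish: 20150630123604" in K*.key files.
BIND_TIME_FORMAT = "%Y%m%d%H%M%S"
# Assumed format of the local-time metadata as the key manager stores it.
LOCAL_TIME_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed zone standing in for the host's local zone (UTC+2, matching
# the Date: headers in this thread).  Production code would use
# datetime.now().astimezone().tzinfo or zoneinfo.ZoneInfo("<zone>").
LOCAL_TZ = timezone(timedelta(hours=2))

# Constructed sample: BIND timing fields for one key (None = not set).
SAMPLE_KEY_METADATA = {
    "Publish": "2015-06-30 14:36:04",
    "Activate": "2015-07-01 01:30:00",   # past local midnight: UTC date differs
    "Inactive": None,
    "Delete": None,
}


def is_bind_utc(text):
    """True when the value is already a 14-digit BIND UTC timestamp."""
    return len(text) == 14 and text.isdigit()


def local_to_bind_utc(local_text, local_tz=LOCAL_TZ):
    """Parse a naive local-time string, attach the local zone and render the
    UTC equivalent in BIND's format."""
    naive = datetime.strptime(local_text, LOCAL_TIME_FORMAT)
    aware = naive.replace(tzinfo=local_tz)
    return aware.astimezone(timezone.utc).strftime(BIND_TIME_FORMAT)


def bind_utc_to_datetime(bind_text):
    """Inverse: parse a BIND UTC timestamp into an aware datetime."""
    return datetime.strptime(bind_text, BIND_TIME_FORMAT).replace(
        tzinfo=timezone.utc)


def convert_key_metadata(metadata, local_tz=LOCAL_TZ):
    """Convert every timing field of a key's metadata dict to BIND UTC.
    Unset fields stay None; values already in BIND form are passed through
    so that re-running the conversion is safe (idempotent)."""
    converted = {}
    for field, value in metadata.items():
        if value is None:
            converted[field] = None
        elif is_bind_utc(value):
            converted[field] = value
        else:
            converted[field] = local_to_bind_utc(value, local_tz)
    return converted


if __name__ == "__main__":
    print(convert_key_metadata(SAMPLE_KEY_METADATA))
```

The Activate field in the sample is the case worth testing: a local time shortly after midnight lands on the previous calendar day in UTC, which is exactly the kind of value that looks right until BIND compares it against the Publish time.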
From: mbabinsk at redhat.com (Martin Babinsky) Date: Tue, 30 Jun 2015 14:45:44 +0200 Subject: [Freeipa-devel] [PATCHES 0042-45] new commands for adding/removing certificates from entries In-Reply-To: <5592797F.6030509@redhat.com> References: <558947C9.9020509@redhat.com> <559103A2.4080706@redhat.com> <55926999.5020301@redhat.com> <5592797F.6030509@redhat.com> Message-ID: <55928F78.6010408@redhat.com> On 06/30/2015 01:11 PM, Martin Babinsky wrote: > On 06/30/2015 12:04 PM, Jan Cholasta wrote: >> Dne 29.6.2015 v 10:36 Martin Babinsky napsal(a): >>> On 06/23/2015 01:49 PM, Martin Babinsky wrote: >>>> This patchset implements new API commands for manipulating >>>> user/host/service userCertificate attribute alongside some underlying >>>> plumbing. >>>> >>>> PATCH 0045 is a small test suite that I slapped together since manual >>>> testing of this stuff is very cumbersome. It requires my PATCH 0040 to >>>> apply and work which was pushed to master recently >>>> (commit 74883bbc959058c8bfafd9f63e8fad0e3792ac28). >>>> >>>> The work is related to http://www.freeipa.org/page/V4/User_Certificates >>>> and https://fedorahosted.org/freeipa/ticket/4238 >>>> >>>> >>>> >>> Attaching updated patches. >>> >>> Here are some notes for Jan because I did some things differently than >>> we agreed on during review: >>> >>> >>> 1.) I chose not to rename 'usercertificate' to 'usercertificate;binary' >>> and back in pre/post callbacks. Despite the fact that the correct way to >>> name the certificate attribute is 'usercertificate;binary', I feel that >>> suddenly renaming it in the new code is asking for trouble. >> >> New code is new, there is no renaming, there is naming, and that naming >> should follow standards, and the standard is userCertificate;binary. >> >> (For the record I did not ask for any renaming in *old* host and service >> code.) >> > OK I will then use 'usercertificate;binary' and try to not break things. 
>>> >>> I'm all for changing the mapping between CLI options and actual >>> attribute names but it should be done in a systematic fashion. >> >> +1, shall I post a patch? >> > That would be great, but I'm not sure if there is time for it. Maybe we > can create a ticket for tracking? >>> >>> 2.) I have kept the `normalize_certs` function. It has the potential to >>> catch incorrectly formatted/encoded certificates and in a way >>> circumvents the slightly demented way the framework deals with >>> supposedly binary data. >> >> One sentence above you asked for doing things in systematic fashion. >> This is exactly what it isn't. A systematic solution would be a new >> parameter type for certificates. >> > Ha I didn't notice that incorrect encoding is caught by validator. > > But I think that we still need to catch malformed certificates that can > not be decoded to DER and AFAIK we don't do that anywhere (failing tests > when adding a random Base64-encoded string confirm this). > > All this probably stems from my confusion about the way IPA framework > guesses binary data. For example, if I call `api.Command.user_add_cert` > and fill 'certificate' option with Base64 blob reencoded to Unicode, > everything works as expected. > > However, filling this option with 'str' leads to another round of Base64 > encoding in the framework, leading to 'userCertificate;binary' which is > filled by original Base64 blob instead of DER encoded cert. > >>> >>> I have also added two negative test cases which deal with incorrectly >>> encoded and formatted certificates. >>> >> >> > > Attaching updated patches (actually only 44 is updated, I added the rename to/from 'usercertificate;binary' to user pre/post callbacks). -- Martin^3 Babinsky -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-mbabinsk-0045.1-test-suite-for-user-host-service-certificate-managem.patch Type: text/x-patch Size: 12207 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0044.2-new-commands-to-manage-user-host-service-certificate.patch Type: text/x-patch Size: 15486 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0043.1-service-plugin-separate-functions-for-certificate-no.patch Type: text/x-patch Size: 2302 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0042.1-baseldap-add-support-for-API-commands-managing-only-.patch Type: text/x-patch Size: 4749 bytes Desc: not available URL: From simo at redhat.com Tue Jun 30 12:47:39 2015 
From: simo at redhat.com (Simo Sorce) Date: Tue, 30 Jun 2015 08:47:39 -0400 Subject: [Freeipa-devel] [PATCH 0051] Clear SSSD caches when uninstalling the client In-Reply-To: <55927B34.1080603@redhat.com> References: <5571BA2C.4050601@redhat.com> <20150605150836.GK9480@hendrix.arn.redhat.com> <20150605155324.GL9480@hendrix.arn.redhat.com> <20150629114639.GB6442@hendrix.redhat.com> <55914D1E.2070600@redhat.com> <559276BE.5080801@redhat.com> <559278A3.7010005@redhat.com> <55927B34.1080603@redhat.com> Message-ID: <1435668459.7621.53.camel@willson.usersys.redhat.com> On Tue, 2015-06-30 at 13:19 +0200, Tomas Babej wrote: > > On 06/30/2015 01:08 PM, Martin Basti wrote: > > On 30/06/15 13:00, Tomas Babej wrote: > >> > >> On 06/29/2015 03:50 PM, Martin Basti wrote: > >>> On 29/06/15 13:46, Jakub Hrozek wrote: > >>>> On Fri, Jun 05, 2015 at 11:31:54AM -0600, Gabe Alford wrote: > >>>>> Thanks. Updated patch attached. > >>>>> > >>>>> On Fri, Jun 5, 2015 at 9:53 AM, Jakub Hrozek > >>>>> wrote: > >>>>> > >>>>>> On Fri, Jun 05, 2015 at 09:46:05AM -0600, Gabe Alford wrote: > >>>>>>> How should ? > >>>>>>> https://www.redhat.com/archives/freeipa-users/2015-June/msg00116.html > >>>>>>> > >>>>>>> be > >>>>>>> handled where the user cleared out the db cache? > >>>>>> Ah, I confused that one with another issue Jan Pazdziora had, > >>>>>> which was > >>>>>> incidentally about client uninstall as well. > >>>>>> > >>>>>> In that case, you can just remove the single ldb file that > >>>>>> corresponds > >>>>>> to the domain that the client is leaving. Maybe it would be safer > >>>>>> to mv > >>>>>> the files instead of remove them, but I guess if you run --uninstall, > >>>>>> you really want just to purge everything.. > >>>>>> > >>>>>> btw do the ipa installer tools support multiple domains at all? 
> >>>>>> > >>>>>> -- > >>>>>> Manage your subscription for the Freeipa-devel mailing list: > >>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel > >>>>>> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code > >>>>>> > >>>>> From 40f7c3780baaf0b42d10c94c8527c9359a42247f Mon Sep 17 00:00:00 > >>>>> 2001 > >>>>> From: Gabe > >>>>> Date: Fri, 5 Jun 2015 11:27:46 -0600 > >>>>> Subject: [PATCH] Clear SSSD caches when uninstalling the client > >>>>> > >>>>> https://fedorahosted.org/freeipa/ticket/5049 > >>>> Conceptually LGTM, but I haven't tested the patch. > >>>> > >>> ACK, I did testing. > >>> > >> Pushed to master: 37729936dd6fe9c3396cbb8a682a4674af8b5537 > >> > >> For ipa-4-1 the patch requires a rebase. > > Rebased patch for ipa-4-1 attached. > > > > Pushed to ipa-4-1: 222427cb37a037f24ca76a9bcf614a2711a2ba96 > This patch break ipa-client-install --uninstall when the first part of sssd uninstall fails, and exception is thrown and we 'pass', but then domain is not set and we use it. Please revert or fix it. Simo. -- Simo Sorce * Red Hat, Inc * New York From ftweedal at redhat.com Tue Jun 30 13:03:53 2015 
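The failure mode Simo describes, as a hypothetical added example rather than the ipa-client-install code itself (which is not on this page): a cleanup step whose exception is swallowed with `pass`, followed by code that uses the name the failed step was supposed to bind, shown beside a version that records the failure and lets the rest of the uninstall proceed. The sssd.conf stand-in with its `domain=` line, the `cache_<domain>.ldb` path and the scratch-directory harness are constructed for the example.

```python
"""Added example (hypothetical, not the ipa-client-install change under
discussion): a swallowed exception followed by use of a name the failed
step should have bound, beside a version that tolerates the failure."""
import os
import tempfile


class CleanupError(Exception):
    """Raised by the first uninstall step when its input is unusable."""


def read_domain_from_conf(path):
    """Stand-in for 'the first part of sssd uninstall': read the domain
    name from a config file, raising when the file or the key is missing."""
    if not os.path.exists(path):
        raise CleanupError("%s not found" % path)
    with open(path) as f:
        for line in f:
            if line.startswith("domain="):
                return line.split("=", 1)[1].strip()
    raise CleanupError("no domain in %s" % path)


def uninstall_buggy(conf_path, cache_dir):
    """The pattern from the bug report: the failure is swallowed, then
    'domain' is dereferenced unconditionally.  When the first step raised,
    'domain' was never bound and this dies with UnboundLocalError instead
    of finishing the uninstall."""
    removed = []
    try:
        domain = read_domain_from_conf(conf_path)
    except CleanupError:
        pass
    cache = os.path.join(cache_dir, "cache_%s.ldb" % domain)
    if os.path.exists(cache):
        os.remove(cache)
        removed.append(cache)
    return removed


def uninstall_fixed(conf_path, cache_dir):
    """Bind 'domain' before the try, keep the error message for the log,
    and skip only the step that depends on the missing value."""
    removed = []
    warnings = []
    domain = None
    try:
        domain = read_domain_from_conf(conf_path)
    except CleanupError as e:
        warnings.append(str(e))
    if domain is not None:
        cache = os.path.join(cache_dir, "cache_%s.ldb" % domain)
        if os.path.exists(cache):
            os.remove(cache)
            removed.append(cache)
    return removed, warnings


def run_scenario(variant, conf_present, domain="example.test"):
    """Create a scratch dir holding a cache file for `domain` and, when
    conf_present, a config file naming it; run `variant` and report the
    outcome as a short string."""
    with tempfile.TemporaryDirectory() as tmp:
        conf_path = os.path.join(tmp, "sssd.conf")
        cache_path = os.path.join(tmp, "cache_%s.ldb" % domain)
        open(cache_path, "w").close()
        if conf_present:
            with open(conf_path, "w") as f:
                f.write("domain=%s\n" % domain)
        try:
            variant(conf_path, tmp)
        except NameError as e:  # UnboundLocalError is a NameError subclass
            return "crashed: %s" % type(e).__name__
        return "cache removed" if not os.path.exists(cache_path) else "cache kept"


if __name__ == "__main__":
    for variant in (uninstall_buggy, uninstall_fixed):
        for present in (True, False):
            print(variant.__name__, present, run_scenario(variant, present))
```

Both variants behave identically on the happy path, which is why the defect survives a normal test run; only the failing-first-step case separates them, and that is the case an uninstall must handle because it is run precisely when the host is already in a half-broken state.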
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Tue, 30 Jun 2015 23:03:53 +1000
Subject: [Freeipa-devel] my remaining 4.2 tickets
Message-ID: <20150630130353.GO6584@dhcp-40-8.bne.redhat.com>

Hi Martin,

#4559 [RFE] Support lightweight sub-CAs

Remaining work is not huge but may be more than can be done this week even with Christian's help; the largest remaining concern being Custodia.

As per discussion in team meeting, I'm going to liaise with Simo and determine a plan for the key replication.

#2915 ipa-getcert does not allow setting specific EKU on certificates

Involves certmonger so I will need to do a bit more investigation.

If non-trivial to accomplish this with the default profile, now that we have support for multiple profiles it could be done with a separate profile, as long as certmonger passes the profile properly with `-T' argument. I will follow up on this tomorrow and let you know what I find out.

#4970 Server certificate profile should always include a Subject Alternate name for the host

If a subjectAltName request extension is in CSR, it is checked by `cert-request', and copied onto the final certificate by Dogtag. In the default profile there is currently no other way to specify the SAN.

A possible approach to resolve this with the default profile is to update it to include a separate, optional subjectAltName request input, which could be filled in if explicit SAN is not provided in CSR. There are related lines of investigation. Will provide update tomorrow.

#4752 Provide an IEC 62351-8 / DNP3 ID certificate profile

We can provide a profile that supports DNP3 extension now if it is included in a CSR extension request.

The patches for IEC 62351-8 extension are in review. Once that is in Dogtag we will be able to provide a profile that supports it with an extensionRequest in CSR.

#3473 Switch to using RESTful interface in dogtag CA interface

Postpone; there is not an urgent need.

From mbasti at redhat.com Tue Jun 30 13:18:11 2015
From: mbasti at redhat.com (Martin Basti) Date: Tue, 30 Jun 2015 15:18:11 +0200 Subject: [Freeipa-devel] [PATCH 0051] Clear SSSD caches when uninstalling the client In-Reply-To: <1435668459.7621.53.camel@willson.usersys.redhat.com> References: <5571BA2C.4050601@redhat.com> <20150605150836.GK9480@hendrix.arn.redhat.com> <20150605155324.GL9480@hendrix.arn.redhat.com> <20150629114639.GB6442@hendrix.redhat.com> <55914D1E.2070600@redhat.com> <559276BE.5080801@redhat.com> <559278A3.7010005@redhat.com> <55927B34.1080603@redhat.com> <1435668459.7621.53.camel@willson.usersys.redhat.com> Message-ID: <55929713.40409@redhat.com> On 30/06/15 14:47, Simo Sorce wrote: > On Tue, 2015-06-30 at 13:19 +0200, Tomas Babej wrote: >> On 06/30/2015 01:08 PM, Martin Basti wrote: >>> On 30/06/15 13:00, Tomas Babej wrote: >>>> On 06/29/2015 03:50 PM, Martin Basti wrote: >>>>> On 29/06/15 13:46, Jakub Hrozek wrote: >>>>>> On Fri, Jun 05, 2015 at 11:31:54AM -0600, Gabe Alford wrote: >>>>>>> Thanks. Updated patch attached. >>>>>>> >>>>>>> On Fri, Jun 5, 2015 at 9:53 AM, Jakub Hrozek >>>>>>> wrote: >>>>>>> >>>>>>>> On Fri, Jun 05, 2015 at 09:46:05AM -0600, Gabe Alford wrote: >>>>>>>>> How should ? >>>>>>>>> https://www.redhat.com/archives/freeipa-users/2015-June/msg00116.html >>>>>>>>> >>>>>>>>> be >>>>>>>>> handled where the user cleared out the db cache? >>>>>>>> Ah, I confused that one with another issue Jan Pazdziora had, >>>>>>>> which was >>>>>>>> incidentally about client uninstall as well. >>>>>>>> >>>>>>>> In that case, you can just remove the single ldb file that >>>>>>>> corresponds >>>>>>>> to the domain that the client is leaving. Maybe it would be safer >>>>>>>> to mv >>>>>>>> the files instead of remove them, but I guess if you run --uninstall, >>>>>>>> you really want just to purge everything.. >>>>>>>> >>>>>>>> btw do the ipa installer tools support multiple domains at all? 
>>>>>>>> >>>>>>>> -- >>>>>>>> Manage your subscription for the Freeipa-devel mailing list: >>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>>>>>>> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code >>>>>>>> >>>>>>> From 40f7c3780baaf0b42d10c94c8527c9359a42247f Mon Sep 17 00:00:00 >>>>>>> 2001 >>>>>>> From: Gabe >>>>>>> Date: Fri, 5 Jun 2015 11:27:46 -0600 >>>>>>> Subject: [PATCH] Clear SSSD caches when uninstalling the client >>>>>>> >>>>>>> https://fedorahosted.org/freeipa/ticket/5049 >>>>>> Conceptually LGTM, but I haven't tested the patch. >>>>>> >>>>> ACK, I did testing. >>>>> >>>> Pushed to master: 37729936dd6fe9c3396cbb8a682a4674af8b5537 >>>> >>>> For ipa-4-1 the patch requires a rebase. >>> Rebased patch for ipa-4-1 attached. >>> >> Pushed to ipa-4-1: 222427cb37a037f24ca76a9bcf614a2711a2ba96 >> > This patch break ipa-client-install --uninstall when the first part of > sssd uninstall fails, and exception is thrown and we 'pass', but then > domain is not set and we use it. > > Please revert or fix it. > > Simo. > I will fix it. -- Martin Basti From tbordaz at redhat.com Tue Jun 30 13:37:35 2015 From: tbordaz at redhat.com (thierry bordaz) Date: Tue, 30 Jun 2015 15:37:35 +0200 Subject: [Freeipa-devel] [PATCH 0017] dirsrv crash on segment add if suffix does not exist In-Reply-To: <55926A72.9040205@redhat.com> References: <55926A72.9040205@redhat.com> Message-ID: <55929B9F.2060905@redhat.com> On 06/30/2015 12:07 PM, Ludwig Krispenz wrote: > added verification for issue reported in ticket 5088 and sanity checks > requested in review for patch 0014 > > Hello, The fix looks good except those sanity settings: * In ipa_topo_post_del, tsegm needs to be NULL initialized * In ipa_topo_check_segment_is_valid or ipa_topo_pre_add, I think *errtxt should be initialized to NULL thanks thierry -------------- next part -------------- An HTML attachment was scrubbed... URL: From mkosek at redhat.com Tue Jun 30 13:46:08 2015 
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 30 Jun 2015 15:46:08 +0200 Subject: [Freeipa-devel] my remaining 4.2 tickets In-Reply-To: <20150630130353.GO6584@dhcp-40-8.bne.redhat.com> References: <20150630130353.GO6584@dhcp-40-8.bne.redhat.com> Message-ID: <55929DA0.8030006@redhat.com> On 06/30/2015 03:03 PM, Fraser Tweedale wrote: > Hi Martin, > > #4559 [RFE] Support lightweight sub-CAs > > Remaining work is not huge but may be more than can be done this > week even with Christian's help; the largest remaining concern > being Custodia. > > As per discussion in team meeting, I'm going to liaise with Simo > and determine a plan for the key replication. > > > #2915 ipa-getcert does not allow setting specific EKU on > certificates > > Involves certmonger so I will need to do a bit more > investigation. > > If non-trivial to accomplish this with the default profile, now > that we have support for multiple profiles it could be done with > a separate profile, as long as certmonger passes the profile > properly with `-T' argument. I will follow up on this tomorrow > and let you know what I find out. Ok. I was not involved when the ticket was filed, but it does not seem to me as something that should get much priority and your time at this stage. > #4970 Server certificate profile should always include a Subject > Alternate name for the host > > If a subjectAltName request extension is in CSR, it is checked > by `cert-request', and copied onto the final certificate by > Dogtag. In the default profile there is currently no other way > to specify the SAN. > > A possible approach to resolve this with the default profile is > to update it to include a separate, optional subjectAltName > request input, which could be filled in if explicit SAN is not > provided in CSR. There are related lines of investigation. > Will provide update tomorrow. Ok. 
> #4752 Provide an IEC 62351-8 / DNP3 ID certificate profile > > We can provide a profile that supports DNP3 extension now if it > is included in a CSR extension request. > > The patches for IEC 62351-8 extension are in review. Once that is in > Dogtag we will be able to provide a profile that supports it > with an extensionRequest in CSR. Ok (can be FreeIPA 4.2.x IMO). > #3473 Switch to using RESTful interface in dogtag CA interface > > Postpone; there is not an urgent need. Right, already did :-) From mbasti at redhat.com Tue Jun 30 14:04:15 2015 
From: mbasti at redhat.com (Martin Basti) Date: Tue, 30 Jun 2015 16:04:15 +0200 Subject: [Freeipa-devel] [PATCHES 0252-0253, 268] DNSSEC: allow to move DNSSEC key master to another IPA server In-Reply-To: <55925275.7020708@redhat.com> References: <555CAFAC.2050803@redhat.com> <55717FD9.6010002@redhat.com> <5580275F.1000106@redhat.com> <5581596D.9080209@redhat.com> <55815BF8.50202@redhat.com> <558BEA12.8060601@redhat.com> <55914517.7090404@redhat.com> <55925275.7020708@redhat.com> Message-ID: <5592A1DF.4060601@redhat.com> On 30/06/15 10:25, Martin Basti wrote: > On 29/06/15 15:16, Martin Basti wrote: >> On 25/06/15 13:46, Petr Spacek wrote: >>> On 17.6.2015 13:37, Martin Basti wrote: >>>> On 17/06/15 13:26, Petr Spacek wrote: >>>>> On 16.6.2015 15:40, Martin Basti wrote: >>>>>> On 05/06/15 12:54, Petr Spacek wrote: >>>>>>> On 20.5.2015 18:00, Martin Basti wrote: >>>>>>>> This patch allows to disable DNSSEC key master on IPA server, >>>>>>>> or replace >>>>>>>> current DNSSEC key master with another IPA server. >>>>>>>> >>>>>>>> Only for master branch. >>>>>>>> >>>>>>>> https://fedorahosted.org/freeipa/ticket/4657 >>>>>>>> >>>>>>>> Patches attached. >>>>>>> NACK. This happens on DNSSEC key master: >>>>>>> $ ipa-dns-install --disable-dnssec-master >>>>>>> >>>>>>> Do you want to disable current DNSSEC key master? 
[no]: yes >>>>>>> Unexpected error - see /var/log/ipaserver-install.log for details: >>>>>>> TypeError: sequence item 0: expected string, DNSName found >>>>>>> 2015-06-05T10:52:35Z DEBUG File >>>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", >>>>>>> line >>>>>>> 733, in run_script >>>>>>> return_value = main_function() >>>>>>> >>>>>>> File "/sbin/ipa-dns-install", line 128, in main >>>>>>> dns_installer.disable_dnssec_master(options.unattended) >>>>>>> >>>>>>> File >>>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/dns.py", line >>>>>>> 112, >>>>>>> in disable_dnssec_master >>>>>>> ", ".join(dnssec_zones)) >>>>>>> >>>>>>> 2015-06-05T10:52:35Z DEBUG The ipa-dns-install command failed, >>>>>>> exception: >>>>>>> TypeError: sequence item 0: expected string, DNSName found >>>>>>> >>>>>> Updated patches attached. >>>>>> >>>>>> Due to the new installers, more changes were required. >>>>> Sorry, NACK, I'm not able to apply this patch set to current master >>>>> (69607250b9762a6c9b657dd31653b03d54a7b411). >>>>> >>>> Rebased patches attached. >>> NACK. >>> >>> >>> 0) ipa-dns-install --replace-dnssec-master always puts file into >>> /root/ipa-kasp.db. >>> >>> It would be better to put it into local working directory or >>> /var/lib/ipa (as >>> with replica files). 
>>> >>> >>> 1) I installed DNSSEC key master role on the vm-134 but DNSSEC >>> services were >>> not stopped by ipactl stop: >>> >>> [root at vm-134 review]# ipactl stop >>> Stopping ipa-otpd Service >>> Stopping httpd Service >>> Stopping ipa_memcached Service >>> Stopping kadmin Service >>> Stopping krb5kdc Service >>> Stopping Directory Service >>> ipa: INFO: The ipactl command was successful >>> >>> [root at vm-134 review]# ipactl start >>> Starting Directory Service >>> Starting krb5kdc Service >>> Starting kadmin Service >>> Starting named Service >>> Starting ipa_memcached Service >>> Starting httpd Service >>> Starting ipa-otpd Service >>> Starting ipa-ods-exporter Service >>> Starting ods-enforcerd Service >>> Starting ipa-dnskeysyncd Service >>> >>> Subsequent ipactl stop worked fine, only the first one is affected. >>> >>> >>> 2a) vm-134 was the original master. I ran this: >>> >>> [root at vm-134 review]# ipa-dns-install >>> --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com >>> >>> ... and then attempted to install master to vm-059: >>> [root at vm-059 review]# ipa-dns-install --dnssec-master >>> >>> This command was accepted despite the missing --kasp-db option and wrong >>> replica name. >>> >>> It should error out and tell the user to run the command with >>> --kasp-db option. >>> >>> Even better, we could get rid of explicit replica name specification in >>> --replace-dnssec-master option and allow to run installation with >>> --kasp-db on >>> any replica as long as the kasp.db file is provided. >>> >>> >>> >>> 2b) Attempt to move DNSSEC key master from vm-134 to vm-090 *without* >>> specifying --kasp-db option was accepted. >>> >>> [root at vm-090 review]# ipa-dns-install --dnssec-master >>> >>> As in case (2a), it should print what user is supposed to do. >>> >>> I propose following text: >>> >>> Current DNSSEC key master is >>> being >>> moved to different server. 
>>> >>> You need to copy kasp.db file from >>> and >>> run following command to complete the transition: >>> >>> # ipa-dns-install --dnssec-master --kasp-db=/path/to/the/copied/kasp.db >>> >>> >>> >>> 3) [root at vm-134 review]# ipa-dns-install >>> --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com >>> does not remove ISMASTER option from file >>> /etc/sysconfig/ipa-dnskeysyncd . >>> >>> >>> 4) [root at vm-134 review]# ipa-dns-install >>> --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com >>> >>> it is possible to run >>> >>> [root at vm-134 review]# ipa-dns-install --dnssec-master >>> >>> again without --kasp-db and it is accepted. >>> >>> Moreover, in this case ipaConfigString "NEW_DNSSEC_MASTER" is not >>> properly >>> removed from >>> cn=DNSKeySync,cn=vm-090.abc.idm.lab.eng.brq.redhat.com,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example. >>> >>> >>> >>> >>> 5) Sequence of commands >>> [root at vm-134 review]# ipa-dns-install >>> --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com >>> >>> [root at vm-090 review]# ipa-replica-manage del >>> vm-134.abc.idm.lab.eng.brq.redhat.com >>> >>> allows me to run >>> [root at vm-090 review]# ipa-dns-install --dnssec-master >>> >>> without --kasp-db option, it does not throw an error, and the >>> information that >>> some other master existed somewhere is lost. >>> >>> It would probably be better to replace this and to use some global >>> attribute >>> in cn=dns so similar problems do not happen. >>> >>> >>> >>> 6) The migration itself seems to work, KASP DB seems to work >>> properly, however >>> it is necessary to run 'ods-ksmutil zonelist' command *before* all >>> the daemons >>> on the new master are (re)started. This needs to be done to >>> re-generate file >>> /etc/opendnssec/zonelist.xml from the new (copied) DB. >>> >>> Here please be careful about file permissions. >>> >>> The command should be run under the 'ods' user to avoid permission >>> clobbering. 
>>> >>> >>> Thank you for your hard work on this! >>> >> New patches attached. >> >> Major part of the code was changed. >> >> Please apply patch 268 first. >> >> >> >> >> > Updated patches attached. > > I just changed the error log to debug log > ipautil.run(cmd, runas=ods_enforcerd.get_user_name()) > - except CalledProcessError as e: > - root_logger.error("%s", e) > + except CalledProcessError: > + root_logger.debug("OpenDNSSEC database has not been > updated") > > As this is not an error during uninstall. > > -- > Martin Basti > > Updated patches attached. -- Martin Basti -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0252.6-DNSSEC-allow-to-disable-replace-DNSSEC-key-master.patch Type: text/x-patch Size: 24448 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0253.6-DNSSEC-update-message.patch Type: text/x-patch Size: 1050 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0268-Allow-to-run-subprocess-with-suplementary-groups.patch Type: text/x-patch Size: 3182 bytes Desc: not available URL: From mbasti at redhat.com Tue Jun 30 14:10:41 2015 
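Review bot: in the quoted except branch, dropping `as e` also drops the only record of why the command run under the ods user failed; the new debug message "OpenDNSSEC database has not been updated" says nothing about the cause. Lowering the level is fine for an uninstall path, but keep the exception in the message, e.g. `except CalledProcessError as e:` followed by `root_logger.debug("OpenDNSSEC database has not been updated: %s", e)`, so a failed step can still be diagnosed from the log.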
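An added example, not code from patch 268 or from FreeIPA, showing in Python what point 6 of the review above asks for: running a command as the 'ods' user with that user's supplementary groups so the files it writes (zonelist.xml) are not clobbered with root ownership. The identity switch is done in a subprocess preexec function, and the order of the calls is the part that matters. The user name 'ods' and the zonelist path come from the review; the probe command that reports the child's groups is constructed here for the self-check and is not something the project does.

```python
import os
import pwd
import subprocess
import sys


def resolve_identity(user):
    """uid, primary gid and the complete group list (primary plus
    supplementary) that `user` would get at login."""
    entry = pwd.getpwnam(user)
    groups = os.getgrouplist(entry.pw_name, entry.pw_gid)
    return entry.pw_uid, entry.pw_gid, sorted(set(groups))


def make_preexec(uid, gid, groups):
    """Build the preexec_fn that switches the child to the target identity.
    Order matters: supplementary groups first, then gid, then uid; once
    setuid() has dropped root, the two earlier calls would fail with EPERM."""
    def drop_privileges():
        if os.geteuid() == 0:
            os.setgroups(groups)
            os.setgid(gid)
            os.setuid(uid)
        elif os.getuid() != uid:
            raise PermissionError("not root: cannot switch to uid %d" % uid)
    return drop_privileges


def run_as(cmd, user, **kwargs):
    """Run `cmd` as `user` with that user's supplementary groups, so files
    it creates (zonelist.xml in the ods case) get the expected ownership."""
    uid, gid, groups = resolve_identity(user)
    return subprocess.run(cmd, preexec_fn=make_preexec(uid, gid, groups),
                          capture_output=True, text=True, check=True, **kwargs)


def child_groups(user):
    """Ask a child started as `user` which gid and groups it ended up with
    (constructed probe: the interpreter's own os module, nothing external)."""
    probe = "import os; print(os.getgid(), *os.getgroups())"
    out = run_as([sys.executable, "-c", probe], user).stdout.split()
    return sorted({int(g) for g in out})


def demo():
    """Self-check on the calling user, no root needed. As root the child's
    groups must equal the resolved list; unprivileged, the preexec leaves
    the identity alone and the child inherits the parent's groups."""
    me = pwd.getpwuid(os.getuid()).pw_name
    uid, gid, groups = resolve_identity(me)
    if os.geteuid() == 0:
        expected = groups
    else:
        expected = sorted(set(os.getgroups()) | {os.getgid()})
    return {"uid_matches": uid == os.getuid(),
            "primary_in_list": gid in groups,
            "child_groups_match": child_groups(me) == expected}


if __name__ == "__main__":
    print(demo())
```

As root, the zonelist step from point 6 becomes run_as(["ods-ksmutil", "zonelist", "export"], "ods"); unprivileged, the preexec refuses to impersonate anyone but the caller rather than silently running as the wrong user. On Python 3.9 and later, subprocess.run(cmd, user="ods", group=gid, extra_groups=groups) performs the same switch without a preexec function.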
From: mbasti at redhat.com (Martin Basti) Date: Tue, 30 Jun 2015 16:10:41 +0200 Subject: [Freeipa-devel] [PATCH 0051] Clear SSSD caches when uninstalling the client In-Reply-To: <55929713.40409@redhat.com> References: <5571BA2C.4050601@redhat.com> <20150605150836.GK9480@hendrix.arn.redhat.com> <20150605155324.GL9480@hendrix.arn.redhat.com> <20150629114639.GB6442@hendrix.redhat.com> <55914D1E.2070600@redhat.com> <559276BE.5080801@redhat.com> <559278A3.7010005@redhat.com> <55927B34.1080603@redhat.com> <1435668459.7621.53.camel@willson.usersys.redhat.com> <55929713.40409@redhat.com> Message-ID: <5592A361.2020804@redhat.com> On 30/06/15 15:18, Martin Basti wrote: > On 30/06/15 14:47, Simo Sorce wrote: >> On Tue, 2015-06-30 at 13:19 +0200, Tomas Babej wrote: >>> On 06/30/2015 01:08 PM, Martin Basti wrote: >>>> On 30/06/15 13:00, Tomas Babej wrote: >>>>> On 06/29/2015 03:50 PM, Martin Basti wrote: >>>>>> On 29/06/15 13:46, Jakub Hrozek wrote: >>>>>>> On Fri, Jun 05, 2015 at 11:31:54AM -0600, Gabe Alford wrote: >>>>>>>> Thanks. Updated patch attached. >>>>>>>> >>>>>>>> On Fri, Jun 5, 2015 at 9:53 AM, Jakub Hrozek >>>>>>>> wrote: >>>>>>>> >>>>>>>>> On Fri, Jun 05, 2015 at 09:46:05AM -0600, Gabe Alford wrote: >>>>>>>>>> How should ? >>>>>>>>>> https://www.redhat.com/archives/freeipa-users/2015-June/msg00116.html >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> be >>>>>>>>>> handled where the user cleared out the db cache? >>>>>>>>> Ah, I confused that one with another issue Jan Pazdziora had, >>>>>>>>> which was >>>>>>>>> incidentally about client uninstall as well. >>>>>>>>> >>>>>>>>> In that case, you can just remove the single ldb file that >>>>>>>>> corresponds >>>>>>>>> to the domain that the client is leaving. Maybe it would be safer >>>>>>>>> to mv >>>>>>>>> the files instead of remove them, but I guess if you run >>>>>>>>> --uninstall, >>>>>>>>> you really want just to purge everything.. >>>>>>>>> >>>>>>>>> btw do the ipa installer tools support multiple domains at all? 
>>>>>>>>> >>>>>>>>> -- >>>>>>>>> Manage your subscription for the Freeipa-devel mailing list: >>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>>>>>>>> Contribute to FreeIPA: >>>>>>>>> http://www.freeipa.org/page/Contribute/Code >>>>>>>>> >>>>>>>> From 40f7c3780baaf0b42d10c94c8527c9359a42247f Mon Sep 17 >>>>>>>> 00:00:00 >>>>>>>> 2001 >>>>>>>> From: Gabe >>>>>>>> Date: Fri, 5 Jun 2015 11:27:46 -0600 >>>>>>>> Subject: [PATCH] Clear SSSD caches when uninstalling the client >>>>>>>> >>>>>>>> https://fedorahosted.org/freeipa/ticket/5049 >>>>>>> Conceptually LGTM, but I haven't tested the patch. >>>>>>> >>>>>> ACK, I did testing. >>>>>> >>>>> Pushed to master: 37729936dd6fe9c3396cbb8a682a4674af8b5537 >>>>> >>>>> For ipa-4-1 the patch requires a rebase. >>>> Rebased patch for ipa-4-1 attached. >>>> >>> Pushed to ipa-4-1: 222427cb37a037f24ca76a9bcf614a2711a2ba96 >>> >> This patch breaks ipa-client-install --uninstall when the first part of >> sssd uninstall fails, and an exception is thrown and we 'pass', but then >> domain is not set and we use it. >> >> Please revert or fix it. >> >> Simo. >> > I will fix it. > Fix attached. -- Martin Basti -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0271-FIX-Clear-SSSD-caches-when-uninstalling-the-client.patch Type: text/x-patch Size: 2399 bytes Desc: not available URL: From pvoborni at redhat.com Tue Jun 30 14:15:23 2015 
From: pvoborni at redhat.com (Petr Vobornik) Date: Tue, 30 Jun 2015 16:15:23 +0200 Subject: [Freeipa-devel] [PATCH] 882 ipa-replica-manage del: relax segment deletion check if topology is disconnected Message-ID: <5592A47B.2080606@redhat.com> Comment from segment deletion check which describes the patch: Relax check if topology was or is disconnected. Disconnected topology can contain segments with already deleted servers. Check only if segments of servers, which can contact this server, and the deleted server were removed. This code should handle a case where there was a topology with a central node (B): A <-> B <-> C, where A is current server. After removal of B, topology will be disconnected and removal of segment B <-> C won't be replicated back to server A, therefore presence of the segment has to be ignored. part of: https://fedorahosted.org/freeipa/ticket/5072 patch 883 adds 180s timeout to the check and changes check interval from 1s to 2s. -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0883-ipa-replica-manage-del-add-timeout-to-segment-remova.patch Type: text/x-patch Size: 1336 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0882-ipa-replica-manage-del-relax-segment-deletement-chec.patch Type: text/x-patch Size: 5268 bytes Desc: not available URL: From pvoborni at redhat.com Tue Jun 30 14:15:59 2015 
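The relaxed check Petr describes, as an added Python example that is not the code of patch 882/883 or of FreeIPA. Segments are modelled as undirected pairs of server names (an assumption: the direction attribute is treated as both-ways, which matches the default and patch 884 hiding the option), the directory search is stood in for by a fetch function, and the 180 s timeout and 2 s interval from patch 883 are used. Clock and sleep are injectable so the wait loop, including the timeout path, runs without sleeping.

```python
import time
from collections import deque


def reachable_servers(start, segments, exclude=frozenset()):
    """Servers that can contact `start` over the given segments, never
    routing through a server listed in `exclude` (the one being deleted)."""
    adjacent = {}
    for left, right in segments:
        adjacent.setdefault(left, set()).add(right)
        adjacent.setdefault(right, set()).add(left)
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for peer in adjacent.get(node, ()):
            if peer not in seen and peer not in exclude:
                seen.add(peer)
                queue.append(peer)
    return seen


def pending_segments(current, deleted, segments):
    """Segments whose removal we must still wait for: those joining `deleted`
    to a server that can reach `current` without going through `deleted`.
    In A <-> B <-> C with A current and B deleted, B <-> C is ignored: C is
    cut off from A, so its deletion can never replicate back to A."""
    reachable = reachable_servers(current, segments, exclude={deleted})
    pending = []
    for left, right in segments:
        if deleted not in (left, right) or left == right:
            continue
        other = right if left == deleted else left
        if other in reachable:
            pending.append((left, right))
    return pending


def wait_for_segment_removal(fetch_segments, current, deleted, timeout=180,
                             interval=2, clock=time.monotonic, sleep=time.sleep):
    """Poll `fetch_segments()` until no pending segment remains. Returns
    (removed, polls); `removed` is False once `timeout` seconds have passed."""
    deadline = clock() + timeout
    polls = 0
    while True:
        polls += 1
        if not pending_segments(current, deleted, fetch_segments()):
            return True, polls
        if clock() >= deadline:
            return False, polls
        sleep(interval)


def simulate(snapshots, timeout=180, interval=2):
    """Constructed scenario runner: `snapshots` are successive directory
    states as seen from server A while B is deleted; the last one repeats
    forever. A fake clock replaces sleeping. Returns (removed, polls, secs)."""
    state = {"poll": 0, "now": 0.0}

    def fetch():
        snapshot = snapshots[min(state["poll"], len(snapshots) - 1)]
        state["poll"] += 1
        return snapshot

    removed, polls = wait_for_segment_removal(
        fetch, "A", "B", timeout=timeout, interval=interval,
        clock=lambda: state["now"],
        sleep=lambda s: state.__setitem__("now", state["now"] + s))
    return removed, polls, state["now"]


if __name__ == "__main__":
    chain = [("A", "B"), ("B", "C")]              # A <-> B <-> C, A is current
    print(pending_segments("A", "B", chain))      # only A <-> B must go away
    print(simulate([chain, chain, [("B", "C")]]))  # A <-> B gone on third poll
    print(simulate([chain]))                       # never removed: times out
```

With a fully connected triangle A <-> B, B <-> C, A <-> C the same function waits for both segments touching B, because C can still reach A directly; the relaxation only kicks in for servers that the deletion has cut off.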
From: pvoborni at redhat.com (Petr Vobornik) Date: Tue, 30 Jun 2015 16:15:59 +0200 Subject: [Freeipa-devel] [PATCH] 884 topologysegment: hide direction and enable options Message-ID: <5592A49F.7030804@redhat.com> These options should not be touched by users yet. https://fedorahosted.org/freeipa/ticket/5061 -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0884-topologysegment-hide-direction-and-enable-options.patch Type: text/x-patch Size: 2517 bytes Desc: not available URL: From pvoborni at redhat.com Tue Jun 30 14:16:37 2015 From: pvoborni at redhat.com (Petr Vobornik) Date: Tue, 30 Jun 2015 16:16:37 +0200 Subject: [Freeipa-devel] [PATCH] 885 topology: make cn of new segment consistent with topology plugin Message-ID: <5592A4C5.1000403@redhat.com> SSIA -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0885-topology-make-cn-of-new-segment-consistent-with-topo.patch Type: text/x-patch Size: 1098 bytes Desc: not available URL: From lkrispen at redhat.com Tue Jun 30 14:50:01 2015 
From: lkrispen at redhat.com (Ludwig Krispenz) Date: Tue, 30 Jun 2015 16:50:01 +0200 Subject: [Freeipa-devel] [PATCH 0017] dirsrv crash on segment add if suffix does not exist In-Reply-To: <55929B9F.2060905@redhat.com> References: <55926A72.9040205@redhat.com> <55929B9F.2060905@redhat.com> Message-ID: <5592AC99.10803@redhat.com> new patch attached On 06/30/2015 03:37 PM, thierry bordaz wrote: > On 06/30/2015 12:07 PM, Ludwig Krispenz wrote: >> added verification for issue reported in ticket 5088 and sanity >> checks requested in review for patch 0014 >> >> > Hello, > > The fix looks good except those sanity settings: > > * In ipa_topo_post_del, tsegm needs to be NULL initialized > * In ipa_topo_check_segment_is_valid or ipa_topo_pre_add, I think > *errtxt should be initialized to NULL > > thanks > thierry > -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-lkrispen-0017-v2-improve-processing-of-invalid-data.patch Type: text/x-patch Size: 8031 bytes Desc: not available URL: From mbasti at redhat.com Tue Jun 30 14:51:42 2015 From: mbasti at redhat.com (Martin Basti) Date: Tue, 30 Jun 2015 16:51:42 +0200 Subject: [Freeipa-devel] [PATCH 0050] Fix client ca.crt to match the server's cert In-Reply-To: References: Message-ID: <5592ACFE.8020803@redhat.com> On 16/06/15 16:58, Gabe Alford wrote: > I know you guys are busy. Bump for review. > > Thanks, > > Gabe > > On Tue, May 26, 2015 at 8:16 AM, Gabe Alford > wrote: > > Hello, > > Fix for https://fedorahosted.org/freeipa/ticket/3809 > > Thanks, > > Gabe > > > > I'm getting the certificate on the server without an extra '\n' at the end. So the certificate files are not the same. -- Martin Basti -------------- next part -------------- An HTML attachment was scrubbed... URL: From mbasti at redhat.com Tue Jun 30 14:57:03 2015 
From: mbasti at redhat.com (Martin Basti) Date: Tue, 30 Jun 2015 16:57:03 +0200 Subject: [Freeipa-devel] [PATCH 0051] Clear SSSD caches when uninstalling the client In-Reply-To: <5592A361.2020804@redhat.com> References: <5571BA2C.4050601@redhat.com> <20150605150836.GK9480@hendrix.arn.redhat.com> <20150605155324.GL9480@hendrix.arn.redhat.com> <20150629114639.GB6442@hendrix.redhat.com> <55914D1E.2070600@redhat.com> <559276BE.5080801@redhat.com> <559278A3.7010005@redhat.com> <55927B34.1080603@redhat.com> <1435668459.7621.53.camel@willson.usersys.redhat.com> <55929713.40409@redhat.com> <5592A361.2020804@redhat.com> Message-ID: <5592AE3F.8080900@redhat.com> On 30/06/15 16:10, Martin Basti wrote: > On 30/06/15 15:18, Martin Basti wrote: >> On 30/06/15 14:47, Simo Sorce wrote: >>> On Tue, 2015-06-30 at 13:19 +0200, Tomas Babej wrote: >>>> On 06/30/2015 01:08 PM, Martin Basti wrote: >>>>> On 30/06/15 13:00, Tomas Babej wrote: >>>>>> On 06/29/2015 03:50 PM, Martin Basti wrote: >>>>>>> On 29/06/15 13:46, Jakub Hrozek wrote: >>>>>>>> On Fri, Jun 05, 2015 at 11:31:54AM -0600, Gabe Alford wrote: >>>>>>>>> Thanks. Updated patch attached. >>>>>>>>> >>>>>>>>> On Fri, Jun 5, 2015 at 9:53 AM, Jakub Hrozek >>>>>>>>> wrote: >>>>>>>>> >>>>>>>>>> On Fri, Jun 05, 2015 at 09:46:05AM -0600, Gabe Alford wrote: >>>>>>>>>>> How should ? >>>>>>>>>>> https://www.redhat.com/archives/freeipa-users/2015-June/msg00116.html >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> be >>>>>>>>>>> handled where the user cleared out the db cache? >>>>>>>>>> Ah, I confused that one with another issue Jan Pazdziora had, >>>>>>>>>> which was >>>>>>>>>> incidentally about client uninstall as well. >>>>>>>>>> >>>>>>>>>> In that case, you can just remove the single ldb file that >>>>>>>>>> corresponds >>>>>>>>>> to the domain that the client is leaving. 
Maybe it would be >>>>>>>>>> safer >>>>>>>>>> to mv >>>>>>>>>> the files instead of remove them, but I guess if you run >>>>>>>>>> --uninstall, >>>>>>>>>> you really want just to purge everything.. >>>>>>>>>> >>>>>>>>>> btw do the ipa installer tools support multiple domains at all? >>>>>>>>>> >>>>>>>>>> -- >>>>>>>>>> Manage your subscription for the Freeipa-devel mailing list: >>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>>>>>>>>> Contribute to FreeIPA: >>>>>>>>>> http://www.freeipa.org/page/Contribute/Code >>>>>>>>>> >>>>>>>>> From 40f7c3780baaf0b42d10c94c8527c9359a42247f Mon Sep 17 >>>>>>>>> 00:00:00 >>>>>>>>> 2001 
>>>>>>>>> From: Gabe >>>>>>>>> Date: Fri, 5 Jun 2015 11:27:46 -0600 >>>>>>>>> Subject: [PATCH] Clear SSSD caches when uninstalling the client >>>>>>>>> >>>>>>>>> https://fedorahosted.org/freeipa/ticket/5049 >>>>>>>> Conceptually LGTM, but I haven't tested the patch. >>>>>>>> >>>>>>> ACK, I did testing. >>>>>>> >>>>>> Pushed to master: 37729936dd6fe9c3396cbb8a682a4674af8b5537 >>>>>> >>>>>> For ipa-4-1 the patch requires a rebase. >>>>> Rebased patch for ipa-4-1 attached. >>>>> >>>> Pushed to ipa-4-1: 222427cb37a037f24ca76a9bcf614a2711a2ba96 >>>> >>> This patch breaks ipa-client-install --uninstall when the first part of >>> sssd uninstall fails, and an exception is thrown and we 'pass', but then >>> domain is not set and we use it. >>> >>> Please revert or fix it. >>> >>> Simo. >>> >> I will fix it. >> > Fix attached. > > > + rebased patch for ipa-4-1 attached -- Martin Basti -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-ip41-0271-FIX-Clear-SSSD-caches-when-uninstalling-the-client.patch Type: text/x-patch Size: 2399 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0271-FIX-Clear-SSSD-caches-when-uninstalling-the-client.patch Type: text/x-patch Size: 2399 bytes Desc: not available URL: From redhatrises at gmail.com Tue Jun 30 15:31:33 2015 
From: redhatrises at gmail.com (Gabe Alford) Date: Tue, 30 Jun 2015 09:31:33 -0600 Subject: [Freeipa-devel] [PATCH 0050] Fix client ca.crt to match the server's cert In-Reply-To: <5592ACFE.8020803@redhat.com> References: <5592ACFE.8020803@redhat.com> Message-ID: On Tue, Jun 30, 2015 at 8:51 AM, Martin Basti wrote: > On 16/06/15 16:58, Gabe Alford wrote: > > I know you guys are busy. Bump for review. > > Thanks, > > Gabe > > On Tue, May 26, 2015 at 8:16 AM, Gabe Alford > wrote: > >> Hello, >> >> Fix for https://fedorahosted.org/freeipa/ticket/3809 >> >> Thanks, >> >> Gabe >> > > > > I'm getting certificate on server without extra '\n' at the end. > > So certificate files are not the same. > I assume you did a diff of the server /etc/ipa/ca.crt and the client /etc/ipa/ca.crt, right? Did you setup a server and then connect a client (just wonder what your steps were so that I can also reproduce)? > > -- > Martin Basti > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From simo at redhat.com Tue Jun 30 15:40:24 2015 
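The comparison behind the ca.crt thread above, as an added example that is not the code of patch 0050 or of FreeIPA. A byte-for-byte diff of /etc/ipa/ca.crt on server and client reports a difference for a trailing newline or CRLF line endings even though the certificates are identical; comparing the DER bytes inside the PEM framing (here by SHA-256 fingerprint) answers the question the ticket actually asks. The "certificate" in the demo is constructed bytes in PEM framing, not a real certificate, which is enough to show the two comparisons disagreeing.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """DER bytes of every CERTIFICATE block in `pem_text`. Whitespace inside
    and around the base64 body is ignored, so a missing final newline or
    CRLF line endings do not change the result."""
    ders = []
    for body in PEM_BLOCK.findall(pem_text):
        ders.append(base64.b64decode(re.sub(r"\s+", "", body), validate=True))
    if not ders:
        raise ValueError("no CERTIFICATE block found")
    return ders


def fingerprints(pem_text):
    """SHA-256 fingerprints (hex) of the certificates in `pem_text`, in order."""
    return [hashlib.sha256(der).hexdigest() for der in pem_to_der(pem_text)]


def same_ca_bundle(pem_a, pem_b):
    """True when both texts carry the same certificates in the same order,
    regardless of textual differences such as a trailing '\\n'."""
    return fingerprints(pem_a) == fingerprints(pem_b)


def demo():
    """Constructed input: 96 arbitrary bytes wrapped in PEM framing. The
    'server' copy lacks the final newline, the 'client' copy has it."""
    fake_der = bytes(range(48)) * 2
    body = base64.encodebytes(fake_der).decode("ascii")   # 76-column lines
    server = "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----"
    client = server + "\n"                                  # the only difference
    return {
        "bytes_equal": server == client,
        "der_equal": same_ca_bundle(server, client),
        "crlf_equal": same_ca_bundle(server, server.replace("\n", "\r\n")),
        "fingerprint": fingerprints(server)[0],
    }


if __name__ == "__main__":
    print(demo())
```

On real hosts, same_ca_bundle(open("/etc/ipa/ca.crt").read(), server_copy) is the check to run before treating a diff as a bug; the equivalent one-liner on each host is openssl x509 -in /etc/ipa/ca.crt -noout -fingerprint -sha256, whose output must match on server and client.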
From: simo at redhat.com (Simo Sorce) Date: Tue, 30 Jun 2015 11:40:24 -0400 Subject: [Freeipa-devel] [PATCH 0051] Clear SSSD caches when uninstalling the client In-Reply-To: <5592A361.2020804@redhat.com> References: <5571BA2C.4050601@redhat.com> <20150605150836.GK9480@hendrix.arn.redhat.com> <20150605155324.GL9480@hendrix.arn.redhat.com> <20150629114639.GB6442@hendrix.redhat.com> <55914D1E.2070600@redhat.com> <559276BE.5080801@redhat.com> <559278A3.7010005@redhat.com> <55927B34.1080603@redhat.com> <1435668459.7621.53.camel@willson.usersys.redhat.com> <55929713.40409@redhat.com> <5592A361.2020804@redhat.com> Message-ID: <1435678824.7621.58.camel@willson.usersys.redhat.com> On Tue, 2015-06-30 at 16:10 +0200, Martin Basti wrote: > On 30/06/15 15:18, Martin Basti wrote: > > On 30/06/15 14:47, Simo Sorce wrote: > >> On Tue, 2015-06-30 at 13:19 +0200, Tomas Babej wrote: > >>> On 06/30/2015 01:08 PM, Martin Basti wrote: > >>>> On 30/06/15 13:00, Tomas Babej wrote: > >>>>> On 06/29/2015 03:50 PM, Martin Basti wrote: > >>>>>> On 29/06/15 13:46, Jakub Hrozek wrote: > >>>>>>> On Fri, Jun 05, 2015 at 11:31:54AM -0600, Gabe Alford wrote: > >>>>>>>> Thanks. Updated patch attached. > >>>>>>>> > >>>>>>>> On Fri, Jun 5, 2015 at 9:53 AM, Jakub Hrozek > >>>>>>>> wrote: > >>>>>>>> > >>>>>>>>> On Fri, Jun 05, 2015 at 09:46:05AM -0600, Gabe Alford wrote: > >>>>>>>>>> How should ? > >>>>>>>>>> https://www.redhat.com/archives/freeipa-users/2015-June/msg00116.html > >>>>>>>>>> > >>>>>>>>>> > >>>>>>>>>> be > >>>>>>>>>> handled where the user cleared out the db cache? > >>>>>>>>> Ah, I confused that one with another issue Jan Pazdziora had, > >>>>>>>>> which was > >>>>>>>>> incidentally about client uninstall as well. > >>>>>>>>> > >>>>>>>>> In that case, you can just remove the single ldb file that > >>>>>>>>> corresponds > >>>>>>>>> to the domain that the client is leaving. 
Maybe it would be safer > >>>>>>>>> to mv > >>>>>>>>> the files instead of remove them, but I guess if you run > >>>>>>>>> --uninstall, > >>>>>>>>> you really want just to purge everything.. > >>>>>>>>> > >>>>>>>>> btw do the ipa installer tools support multiple domains at all? > >>>>>>>>> > >>>>>>>>> -- > >>>>>>>>> Manage your subscription for the Freeipa-devel mailing list: > >>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel > >>>>>>>>> Contribute to FreeIPA: > >>>>>>>>> http://www.freeipa.org/page/Contribute/Code > >>>>>>>>> > >>>>>>>> From 40f7c3780baaf0b42d10c94c8527c9359a42247f Mon Sep 17 > >>>>>>>> 00:00:00 > >>>>>>>> 2001 > >>>>>>>> From: Gabe > >>>>>>>> Date: Fri, 5 Jun 2015 11:27:46 -0600 > >>>>>>>> Subject: [PATCH] Clear SSSD caches when uninstalling the client > >>>>>>>> > >>>>>>>> https://fedorahosted.org/freeipa/ticket/5049 > >>>>>>> Conceptually LGTM, but I haven't tested the patch. > >>>>>>> > >>>>>> ACK, I did testing. > >>>>>> > >>>>> Pushed to master: 37729936dd6fe9c3396cbb8a682a4674af8b5537 > >>>>> > >>>>> For ipa-4-1 the patch requires a rebase. > >>>> Rebased patch for ipa-4-1 attached. > >>>> > >>> Pushed to ipa-4-1: 222427cb37a037f24ca76a9bcf614a2711a2ba96 > >>> > >> This patch breaks ipa-client-install --uninstall when the first part of > >> sssd uninstall fails, and an exception is thrown and we 'pass', but then > >> domain is not set and we use it. > >> > >> Please revert or fix it. > >> > >> Simo. > >> > > I will fix it. > > > Fix attached. Tested on my server and it seems to work correctly. Code-wise also LGTM. ACK. Simo. -- Simo Sorce * Red Hat, Inc * New York From tbabej at redhat.com Tue Jun 30 15:55:51 2015 
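The failure Simo reports in this thread (an except branch that only passes, after which the never-bound domain is used) beside the corrected shape, as an added Python example that is not the code of patch 0051, its fix, or of FreeIPA. It also covers the two behaviours discussed above: remove only the ldb cache of the domain the client is leaving, and treat a cache the admin already cleared as nothing to do rather than as an error. The cache location /var/lib/sss/db and the file name cache_<domain>.ldb are assumed from SSSD's default layout; the demo uses a temporary directory in their place.

```python
import os
import tempfile
from configparser import ConfigParser, Error as ConfigError

SSSD_DB_DIR = "/var/lib/sss/db"   # assumption: the default SSSD cache location


def ipa_domains(conf_text):
    """Names of the [domain/...] sections of sssd.conf whose id_provider is
    'ipa'. Raises ConfigError on malformed input, as a real parser would."""
    parser = ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    return [section[len("domain/"):] for section in parser.sections()
            if section.startswith("domain/")
            and parser.get(section, "id_provider", fallback="").strip() == "ipa"]


def remove_domain_cache(domain, db_dir=SSSD_DB_DIR):
    """Remove cache_<domain>.ldb only. A cache the admin already cleared
    (the freeipa-users case linked above) is reported, not treated as failure."""
    path = os.path.join(db_dir, "cache_%s.ldb" % domain)
    if not os.path.exists(path):
        return "absent"
    os.remove(path)
    return "removed"


def purge_caches_buggy(conf_text, db_dir=SSSD_DB_DIR):
    """The shape Simo objected to: the except branch only passes, so when
    parsing fails `domains` was never bound and the next line raises
    UnboundLocalError, aborting the uninstall instead of skipping the step."""
    try:
        domains = ipa_domains(conf_text)
    except ConfigError:
        pass
    return {d: remove_domain_cache(d, db_dir) for d in domains}


def purge_caches_fixed(conf_text, db_dir=SSSD_DB_DIR):
    """Bind the name before the try and make the failure explicit: an
    unreadable sssd.conf means we do not know which caches to remove."""
    domains = []
    try:
        domains = ipa_domains(conf_text)
    except ConfigError as exc:
        print("cannot parse sssd.conf (%s); leaving SSSD caches alone" % exc)
    return {d: remove_domain_cache(d, db_dir) for d in domains}


def demo():
    """Constructed inputs: a minimal sssd.conf with an IPA and a non-IPA
    domain, a malformed one (a key before any section header), and a
    temporary directory standing in for /var/lib/sss/db."""
    good_conf = ("[sssd]\ndomains = ipa.example.test, ad.example.test\n\n"
                 "[domain/ipa.example.test]\nid_provider = ipa\n\n"
                 "[domain/ad.example.test]\nid_provider = ad\n")
    bad_conf = "id_provider = ipa\n"
    results = {}
    with tempfile.TemporaryDirectory() as db_dir:
        for name in ("cache_ipa.example.test.ldb", "cache_ad.example.test.ldb"):
            open(os.path.join(db_dir, name), "w").close()
        results["first_run"] = purge_caches_fixed(good_conf, db_dir)
        results["second_run"] = purge_caches_fixed(good_conf, db_dir)
        results["ad_cache_kept"] = os.path.exists(
            os.path.join(db_dir, "cache_ad.example.test.ldb"))
        try:
            purge_caches_buggy(bad_conf, db_dir)
            results["buggy"] = "no error"
        except NameError as exc:            # UnboundLocalError is a NameError
            results["buggy"] = type(exc).__name__
        results["fixed_on_bad_conf"] = purge_caches_fixed(bad_conf, db_dir)
    return results


if __name__ == "__main__":
    print(demo())
```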
From: tbabej at redhat.com (Tomas Babej) Date: Tue, 30 Jun 2015 17:55:51 +0200 Subject: [Freeipa-devel] [PATCHES 306-316] Automated migration tool from Winsync In-Reply-To: <558001ED.6070206@redhat.com> References: <54FD8369.10803@redhat.com> <54FF0F46.3010109@redhat.com> <55005D3C.5090304@redhat.com> <5540B23A.9060404@redhat.com> <5548B13B.60607@redhat.com> <5549CCE6.3010006@redhat.com> <557FDAE8.4000501@redhat.com> <558001ED.6070206@redhat.com> Message-ID: <5592BC07.70406@redhat.com> On 06/16/2015 01:01 PM, Jan Cholasta wrote: > On 16.6.2015 at 10:14, Martin Babinsky wrote: >> On 05/06/2015 10:12 AM, Tomas Babej wrote: >>> >>> >>> On 05/05/2015 02:02 PM, Tomas Babej wrote: >>>> >>>> >>>> On 04/29/2015 12:28 PM, Tomas Babej wrote: >>>>> >>>>> >>>>> On 03/11/2015 04:20 PM, Jan Cholasta wrote: >>>>>> Hi, >>>>>> >>>>>> On 10.3.2015 at 16:35, Tomas Babej wrote: >>>>>>> >>>>>>> On 03/09/2015 12:26 PM, Tomas Babej wrote: >>>>>>>> Hi, >>>>>>>> >>>>>>>> this couple of patches provides an initial implementation of the >>>>>>>> winsync migration tool: >>>>>>>> >>>>>>>> https://fedorahosted.org/freeipa/ticket/4524 >>>>>>>> >>>>>>>> Some parts could use some polishing, but this is a sound >>>>>>>> foundation. >>>>>>>> >>>>>>>> Tomas >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> >>>>>>> Attaching one more patch to the bundle. This one should make the >>>>>>> winsync >>>>>>> tool readily available after install. >>>>>>> >>>>>>> Tomas >>>>>>> >>>>>>> >>>>>> >>>>>> Nitpicks: >>>>>> >>>>>> The winsync_migrate module should be in ipaserver.install. Also I >>>>>> don't see why it has to be a package when there is just one short >>>>>> file in it. >>>>>> >>>>>> By convention, the AdminTool subclass should be named >>>>>> WinsyncMigrate, or the tool should be named ipa-migrate-winsync. >>>>>> >>>>>> Honza >>>>>> >>>>> >>>>> Updated patches attached. >>>>> >>>>> Tomas >>>> >>>> Rebased patches with cleaned membership bits. 
>>>> >>>> Tomas >>> >>> I did some self-review, updated patches attached. >>> >>> >> Hi Tomas, >> >> patches look good and seem to work as expected. I have some comments: >> >> 1.) When running the tool I get a number of warnings about users not >> found (https://paste.fedoraproject.org/232251/43884831/), but in the end >> everything seems to be fine and users are migrated in the external >> groups just fine. Is this behavior normal? >> In that case, yes. What happened here is that SSSD in POSIX trust will not resolve users that do not have POSIX attributes set. Winsync synchronizes all the users, hence the discrepancy. >> 2.) Since both "--realm" and "--server" options are mandatory, I was >> thinking if it would be better to use positional arguments, since you >> always have to specify them. What are your thoughts on this? > > I would rather stay consistent with ipa-server-install and friends and > keep them as options. > >> >> 3.) Patches 317-318 seem to just rename/move things and could be >> squashed in the previous ones. But that is just a minor thing and I >> leave that to your discretion. >> >> 4.) After all the renaming and moving around the WinsyncMigrate class >> (see previous point) there is an unused file >> "ipaserver/winsync_migrate/__init__.py" left. You should remove it in >> some patch (e.g. in patch 318 if you decide to keep it). I removed the file and squashed the change into 318. > > Also please rename the class to "MigrateWinsync", for consistency. > Naming is consistent, the tool is called ipa-winsync-migrate, class is called WinsyncMigrate. This is consistent with other IPA tools. >> >> 5.) Option "--log-file" seems to be broken. When specified on CLI the >> log is created but empty, the program prints out nothing and then exits >> without doing anything. However, I suspect that this is AdminTool's >> problem, not yours. >> Yep. Please, file a ticket for this more generic issue. 
-------------- next part --------------
Attachments (non-text, scrubbed by the archive; all Type: text/x-patch, URL not available):
  freeipa-tbabej-0306-5-winsync-migrate-Add-initial-plumbing.patch (5628 bytes)
  freeipa-tbabej-0307-5-winsync-migrate-Add-a-way-to-find-all-winsync-users.patch (2205 bytes)
  freeipa-tbabej-0308-5-migrate-winsync-Create-user-ID-overrides-in-place-of.patch (2449 bytes)
  freeipa-tbabej-0309-5-migrate-winsync-Add-option-validation-and-handling.patch (2523 bytes)
  freeipa-tbabej-0310-5-winsync-migrate-Move-the-api-initalization-and-LDAP-.patch (1973 bytes)
  freeipa-tbabej-0311-5-dcerpc-Change-logging-level-for-debug-information.patch (1344 bytes)
  freeipa-tbabej-0312-5-dcerpc-Add-debugging-message-to-failing-kinit-as-htt.patch (911 bytes)
  freeipa-tbabej-0313-5-winsync-migrate-Require-root-privileges.patch (1009 bytes)
  freeipa-tbabej-0314-5-idviews-Do-not-abort-the-find-show-commands-on-conve.patch (1784 bytes)
  freeipa-tbabej-0315-5-winsync-migrate-Require-explicit-specification-of-th.patch (3131 bytes)
  freeipa-tbabej-0316-5-winsync-migrate-Delete-winsync-agreement-prior-to-mi.patch (2852 bytes)
  freeipa-tbabej-0317-5-winsync-migrate-Rename-to-tool-to-achive-consistency.patch (3957 bytes)
  freeipa-tbabej-0318-5-winsync-migrate-Move-the-tool-under-ipaserver.instal.patch (1293 bytes)
  freeipa-tbabej-0319-5-winsync-migrate-Include-the-tool-parts-in-Makefile-a.patch (1222 bytes)
  freeipa-tbabej-0320-5-idviews-Fallback-to-AD-DC-LDAP-only-if-specifically-.patch (15669 bytes)
  freeipa-tbabej-0321-5-man-Add-manpage-for-ipa-winsync-migrate.patch (2846 bytes)
  freeipa-tbabej-0322-5-winsync_migrate-Migrate-memberships-of-the-winsynced.patch (3192 bytes)
  freeipa-tbabej-0323-5-winsync_migrate-Generalize-membership-migration.patch (7164 bytes)
From ftweedal at redhat.com Tue Jun 30 16:02:33 2015
From: ftweedal at redhat.com (Fraser Tweedale) Date: Wed, 1 Jul 2015 02:02:33 +1000 Subject: [Freeipa-devel] [PATCH] 0020..0022 pki-related upgrade fixes In-Reply-To: <55916A9B.20105@redhat.com> References: <20150619072838.GR29330@dhcp-40-8.bne.redhat.com> <558BC875.1040002@redhat.com> <20150629140313.GH6584@dhcp-40-8.bne.redhat.com> <55916A9B.20105@redhat.com> Message-ID: <20150630160232.GQ6584@dhcp-40-8.bne.redhat.com>
On Mon, Jun 29, 2015 at 05:56:11PM +0200, Martin Basti wrote:
> On 29/06/15 16:03, Fraser Tweedale wrote:
> >On Thu, Jun 25, 2015 at 11:23:01AM +0200, Martin Basti wrote:
> >>On 19/06/15 09:28, Fraser Tweedale wrote:
> >>>The attached patches fix upgrade issues when pki is also updated from pre 10.2.4.
> >>>pki dependency is bumped to 10.2.5 - the official builds should be done Friday (US time) but it is available from my copr[1]. If someone wants to add to official freeipa COPR in meantime the SRPM is here[2].
> >>>
> >>>[1] https://copr.fedoraproject.org/coprs/ftweedal/freeipa/
> >>>[2] https://ftweedal.fedorapeople.org/pki-core-10.2.5-0.2.fc21.src.rpm
> >>>
> >>>Thanks,
> >>>Fraser
> >>>
> >>Thank you.
> >>
> >>1)
> >>I cannot apply patches.
> >>
> >Rebased patches attached.
> >
> >>2)
> >>IMO patch 0020 was fixed with my patch 266
> >>
> >It seems we are hitting another case of LDAP disconnection during upgrade; without 0020 the upgrade fails. There might be a better way so let me know if you have ideas.
> >
> >>3)
> >>This print should not be there
> >>+
> >>+ print cs_cfg
> >>+ for profile_id in profile_ids:
> >>
> >Thanks; removed.
> >
> >>4)
> >>This is unused variable, it is defined later
> >>+ cs_cfg = None
> >>
> >Thanks; removed.
> >
> >>5)
> >>Can you add there log.error or log.debug instead of pass please?
> >>+ # enable the profile
> >>+ try:
> >>+ profile_api.enable_profile(profile_id)
> >>+ except errors.RemoteRetrieveError:
> >>+ pass
> >>
> >You've got it.
> >Also did this a few lines up where the profile is disabled.
> >
> >>I will test it later.
> >>
> >>--
> >>Martin Basti
> >>
> >Thank you,
> >Fraser
> PATCH 0020 - NACK see my patch 269, it fixes root cause. (IMO with reworked patch 21 it is not needed)
>
> PATCH 0021 - NACK, it runs whole upgrade machinery again. Patch how to fix it is attached. Sorry I didn't notice it last time.
>
> PATCH 0022 - LGTM
>
>
> --
> Martin Basti
>
Thank you very much! Your patch to my patch works perfectly. I squashed it into 0021. Patch 0020 rescinded. Rebased patches attached.

Cheers,
Fraser
-------------- next part --------------
From 8daaed33cf06b5f940195d08038dbaadc562f880 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Tue, 16 Jun 2015 07:40:36 -0400
Subject: [PATCH 21/22] Upgrade CA schema during upgrade

New schema (for LDAP-based profiles) was introduced in Dogtag, but Dogtag does not yet have a reliable method for upgrading its schema. Use FreeIPA's schema update machinery to add the new attributeTypes and objectClasses defined by Dogtag.

Also update the pki dependencies to 10.2.5, which provides the schema update file.
--- freeipa.spec.in | 6 +++--- ipaserver/install/server/upgrade.py | 23 +++++++++++++++++++++++ 2 files changed, 26 insertions(+), 3 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 4f08db9f693318c6f4bfaf5e634ccffa78a4a28c..de250d8843506acd6109525c0630132fe60e2268 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -96,7 +96,7 @@ BuildRequires: python-backports-ssl_match_hostname BuildRequires: softhsm-devel >= 2.0.0rc1-1 BuildRequires: openssl-devel BuildRequires: p11-kit-devel -BuildRequires: pki-base >= 10.2.4-1 +BuildRequires: pki-base >= 10.2.5 BuildRequires: python-pytest-multihost >= 0.5 BuildRequires: python-pytest-sourceorder BuildRequires: python-kdcproxy >= 0.3
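Review bot: dropping the release part of the requirement (`pki-base >= 10.2.4-1` becoming `pki-base >= 10.2.5`) means any build of 10.2.5 satisfies it, including pre-release builds such as the pki-core-10.2.5-0.2 SRPM from the copr mentioned earlier in this thread, because RPM skips the release comparison when the requirement carries no release. That is what you want while testing from the copr, but once the official 10.2.5 build is out consider `>= 10.2.5-1` here (and for pki-ca and pki-kra in the next hunk) so a 0.x test build cannot silently satisfy the dependency on a production system.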
@@ -141,8 +141,8 @@ Requires(post): systemd-units Requires: selinux-policy >= %{selinux_policy_version} Requires(post): selinux-policy-base Requires: slapi-nis >= 0.54.2-1 -Requires: pki-ca >= 10.2.4-1 -Requires: pki-kra >= 10.2.4-1 +Requires: pki-ca >= 10.2.5 +Requires: pki-kra >= 10.2.5 Requires(preun): python systemd-units Requires(postun): python systemd-units Requires: python-dns >= 1.11.1 diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 822f746222bd3cb491901205af862a68ec464bbb..4a9f0128aed901e21a1fb57d3f72aecf954df478 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -31,6 +31,7 @@ from ipaserver.install import service from ipaserver.install import cainstance from ipaserver.install import certs from ipaserver.install import otpdinstance +from ipaserver.install import schemaupdate from ipaserver.install import sysupgrade from ipaserver.install import dnskeysyncinstance from ipaserver.install.upgradeinstance import IPAUpgrade @@ -1254,6 +1255,27 @@ def update_mod_nss_protocol(http): sysupgrade.set_upgrade_state('nss.conf', 'protocol_updated_tls12', True) +def ca_upgrade_schema(ca): + root_logger.info('[Upgrading CA schema]') + if not ca.is_configured(): + root_logger.info('CA is not configured') + return False + + schema_files=['/usr/share/pki/server/conf/schema-certProfile.ldif'] + try: + modified = schemaupdate.update_schema(schema_files, ldapi=True) + except Exception as e: + root_logger.error("%s", e) + raise RuntimeError('CA schema upgrade failed.', 1) + else: + if modified: + root_logger.info('CA schema update complete') + return True + else: + root_logger.info('CA schema update complete (no changes)') + return False + + def add_default_caacl(ca): root_logger.info('[Add default CA ACL]') 
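Review bot: in `ca_upgrade_schema()` the `1` in `raise RuntimeError('CA schema upgrade failed.', 1)` is never used as an exit status; RuntimeError simply stores both positional arguments, so the exception propagates out of the `any([...])` list in `upgrade_configuration()` (next hunk) and aborts the remaining CA upgrade steps, while every other return path of this function yields True or False. Either drop the `1` and document that a schema failure is fatal, or log the error and `return False` so the rest of the upgrade can run. Two smaller points: `schema_files=[...]` needs spaces around `=`, and since the LDIF comes from the pki-base 10.2.5 dependency bumped in the same patch, an explicit `os.path.exists()` check with a message naming the file would make a half-updated system (old pki-base, new freeipa) easier to diagnose than whatever schemaupdate raises for a missing file.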
@@ -1452,6 +1474,7 @@ def upgrade_configuration(): ca_restart = any([ ca_restart, + ca_upgrade_schema(ca), upgrade_ca_audit_cert_validity(ca), certificate_renewal_update(ca), ca_enable_pkix(ca), -- 2.1.0 -------------- next part -------------- From 56182c88a2853b6d4833ff4500ea56edd2f6653b Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 16 Jun 2015 07:38:06 -0400 Subject: [PATCH 22/22] Migrate CA profiles after enabling LDAPProfileSubsystem After enabling LDAPProfileSubsystem in Dogtag, migrate the file-based profiles into the LDAP database. --- ipaserver/install/cainstance.py | 136 +++++++++++++++++++++++++++++------- ipaserver/install/server/upgrade.py | 7 +- 2 files changed, 113 insertions(+), 30 deletions(-) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 563a198ab472a58cc6fbeeceb7731486ce7ca6b5..884d27a9115bcac6a50d147bfd1f73a0f1d3b72d 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -1639,6 +1639,29 @@ def update_people_entry(dercert): return True +def ensure_ldap_profiles_container(): + server_id = installutils.realm_to_serverid(api.env.realm) + dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id + + conn = ldap2.ldap2(shared_instance=False, ldap_uri=dogtag_uri) + if not conn.isconnected(): + conn.connect(autobind=True) + + dn = DN(('ou', 'certificateProfiles'), ('ou', 'ca'), ('o', 'ipaca')) + try: + conn.get_entry(dn) + except errors.NotFound: + # entry doesn't exist; add it + entry = conn.make_entry( + dn, + objectclass=['top', 'organizationalUnit'], + ou=['certificateProfiles'], + ) + conn.add_entry(entry) + + conn.disconnect() + + def configure_profiles_acl(): server_id = installutils.realm_to_serverid(api.env.realm) dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id 
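Review bot: `ensure_ldap_profiles_container()` only reaches `conn.disconnect()` on the happy path; if `get_entry()` raises anything other than `errors.NotFound`, or if `add_entry()` fails, the ldapi connection is leaked. Wrap the lookup and add in `try: ... finally: conn.disconnect()`. The `server_id` / `dogtag_uri` / `isconnected()` / `connect(autobind=True)` preamble is also copied verbatim from `configure_profiles_acl()` directly below and from `import_included_profiles()`, so a small helper returning the connected `ldap2` instance would keep all three in sync, and the `ou=certificateProfiles,ou=ca,o=ipaca` DN deserves a module-level constant rather than another inline literal.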
@@ -1677,6 +1700,9 @@ def import_included_profiles(): if not conn.isconnected(): conn.connect(autobind=True) + api.Backend.ra_certprofile._read_password() + api.Backend.ra_certprofile.override_port = 8443 + for (profile_id, desc, store_issued) in dogtag.INCLUDED_PROFILES: dn = DN(('cn', profile_id), api.env.container_certprofile, api.env.basedn) @@ -1685,9 +1711,6 @@ def import_included_profiles(): continue # the profile is present except errors.NotFound: # profile not found; add it - profile_data = ipautil.template_file( - '/usr/share/ipa/profiles/{}.cfg'.format(profile_id), sub_dict) - entry = conn.make_entry( dn, objectclass=['ipacertprofile'], 
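Review bot: moving `api.Backend.ra_certprofile._read_password()` and `override_port = 8443` in front of the loop is fine, but the matching reset to `None` (now after the loop, in the next hunk) still only runs on the success path, so if `_create_dogtag_profile()` raises for one profile the backend is left pointing at port 8443 for whatever runs next in the same process. Put the reset in a `finally:` block. Also note that the password is now read even when every included profile already exists and the loop does nothing but `continue`; cheap, but worth a comment if it is intentional.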
@@ -1696,34 +1719,93 @@ def import_included_profiles(): ipacertprofilestoreissued=['TRUE' if store_issued else 'FALSE'], ) conn.add_entry(entry) - api.Backend.ra_certprofile._read_password() - api.Backend.ra_certprofile.override_port = 8443 - with api.Backend.ra_certprofile as profile_api: - # import the profile - try: - profile_api.create_profile(profile_data) - except errors.RemoteRetrieveError: - # conflicting profile; replace it if we are - # installing IPA, but keep it for upgrades - if api.env.context == 'installer': - try: - profile_api.disable_profile(profile_id) - except errors.RemoteRetrieveError: - pass - profile_api.delete_profile(profile_id) - profile_api.create_profile(profile_data) - - # enable the profile - try: - profile_api.enable_profile(profile_id) - except errors.RemoteRetrieveError: - pass - - api.Backend.ra_certprofile.override_port = None + profile_data = ipautil.template_file( + '/usr/share/ipa/profiles/{}.cfg'.format(profile_id), sub_dict) + _create_dogtag_profile(profile_id, profile_data) root_logger.info("Imported profile '%s'", profile_id) + api.Backend.ra_certprofile.override_port = None conn.disconnect() + +def migrate_profiles_to_ldap(): + """Migrate profiles from filesystem to LDAP. + + This must be run *after* switching to the LDAPProfileSubsystem + and restarting the CA. + + The profile might already exist, e.g. if a replica was already + upgraded, so this case is ignored. 
+ + """ + ensure_ldap_profiles_container() + + api.Backend.ra_certprofile._read_password() + api.Backend.ra_certprofile.override_port = 8443 + + with open(dogtag.configured_constants().CS_CFG_PATH) as f: + cs_cfg = f.read() + match = re.search(r'^profile\.list=(\S*)', cs_cfg, re.MULTILINE) + profile_ids = match.group(1).split(',') + + for profile_id in profile_ids: + match = re.search( + r'^profile\.{}\.config=(\S*)'.format(profile_id), + cs_cfg, re.MULTILINE + ) + if match is None: + root_logger.info("No file for profile '%s'; skipping", profile_id) + continue + filename = match.group(1) + + match = re.search( + r'^profile\.{}\.class_id=(\S*)'.format(profile_id), + cs_cfg, re.MULTILINE + ) + if match is None: + root_logger.info("No class_id for profile '%s'; skipping", profile_id) + continue + class_id = match.group(1) + + root_logger.info("Migrating profile '%s' to LDAP", profile_id) + with open(filename) as f: + profile_data = f.read() + if profile_data[-1] != '\n': + profile_data += '\n' + profile_data += 'profileId={}\n'.format(profile_id) + profile_data += 'classId={}\n'.format(class_id) + _create_dogtag_profile(profile_id, profile_data) + + api.Backend.ra_certprofile.override_port = None + + +def _create_dogtag_profile(profile_id, profile_data): + with api.Backend.ra_certprofile as profile_api: + # import the profile + try: + profile_api.create_profile(profile_data) + except errors.RemoteRetrieveError: + # conflicting profile; replace it if we are + # installing IPA, but keep it for upgrades + if api.env.context == 'installer': + try: + profile_api.disable_profile(profile_id) + except errors.RemoteRetrieveError: + root_logger.debug( + "Failed to disable profile '%s' " + "(it is probably already disabled)") + profile_api.delete_profile(profile_id) + profile_api.create_profile(profile_data) + + # enable the profile + try: + profile_api.enable_profile(profile_id) + except errors.RemoteRetrieveError: + root_logger.debug( + "Failed to enable profile '%s' " + "(it 
is probably already enabled)") + + if __name__ == "__main__": standard_logging_setup("install.log") ds = dsinstance.DsInstance() diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 4a9f0128aed901e21a1fb57d3f72aecf954df478..740f04634283cf7673af069812232ebbb10dc82c 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -333,8 +333,8 @@ def ca_enable_ldap_profile_subsystem(ca): quotes=False, separator='=') - # TODO import file-based profiles into Dogtag - # More code needed on Dogtag side for this. + ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME) + cainstance.migrate_profiles_to_ldap() return needs_update @@ -1479,7 +1479,6 @@ def upgrade_configuration(): certificate_renewal_update(ca), ca_enable_pkix(ca), ca_configure_profiles_acl(ca), - ca_enable_ldap_profile_subsystem(ca), ]) if ca_restart: @@ -1489,6 +1488,8 @@ def upgrade_configuration(): except ipautil.CalledProcessError as e: root_logger.error("Failed to restart %s: %s", ca.service_name, e) + ca_enable_ldap_profile_subsystem(ca) + # This step MUST be done after ca_enable_ldap_profile_subsystem and # ca_configure_profiles_acl, and the consequent restart, but does not # itself require a restart. -- 2.1.0 From pvoborni at redhat.com Tue Jun 30 16:35:01 2015 
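Review bot: the two new debug calls in `_create_dogtag_profile()` are format strings with a `%s` but no argument (`root_logger.debug("Failed to disable profile '%s' " "(it is probably already disabled)")` and the enable counterpart), so when they fire the logging module emits a formatting error instead of the message; pass `profile_id` as the second argument to both. In `migrate_profiles_to_ldap()`: `match.group(1)` on the `profile.list` search is used without checking for `None`, `profile_id` is interpolated into the `profile\.{}\.config` and `profile\.{}\.class_id` regexes via `.format()` without `re.escape()`, `profile_data[-1]` raises IndexError on an empty profile file (use `endswith('\n')`), and `override_port` is again only reset to `None` on the success path, so the loop needs a `try/finally` as well; please also confirm `re` is already imported in cainstance.py, since this patch does not add it. The broad `except errors.RemoteRetrieveError` around `create_profile()` treats every remote failure as "profile already exists" during an upgrade, which the docstring says is the intended case, so log the exception at debug level there to keep other failures diagnosable. In the upgrade.py hunk, `ca.restart(...)` followed by `migrate_profiles_to_ldap()` is placed just before `return needs_update`; if that is not inside an `if needs_update:` block, every upgrade restarts the CA a second time and re-walks all profiles, and unlike the `ca.restart()` in `upgrade_configuration()` this call has no `CalledProcessError` handling, so a failed restart aborts the whole upgrade.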
From: pvoborni at redhat.com (Petr Vobornik) Date: Tue, 30 Jun 2015 18:35:01 +0200 Subject: [Freeipa-devel] [PATCH] 886-890 webui: API browser Message-ID: <5592C535.8070708@redhat.com>
First part of API Browser - displaying the metadata in a more consumable way. Second part, how to use it in different languages, will be written as wiki pages first.

The browser could be later enhanced with more info and tooltips.

Patch 886 extends backend to send more metadata.
Patches 887, 888, 889 are webui fixes and prerequisites.
Patch 890 is the API browser.
--
Petr Vobornik
-------------- next part --------------
Attachments (non-text, scrubbed by the archive; all Type: text/x-patch, URL not available):
  freeipa-pvoborni-0890-webui-API-browser.patch (33500 bytes)
  freeipa-pvoborni-0889-webui-menu-and-navigation-fixes.patch (4667 bytes)
  freeipa-pvoborni-0888-webui-fix-webui-specific-metadata.patch (2038 bytes)
  freeipa-pvoborni-0887-webui-ListViewWidget.patch (7146 bytes)
  freeipa-pvoborni-0886-include-more-information-in-metadata.patch (5347 bytes)
From pspacek at redhat.com Tue Jun 30 20:09:48 2015
From: pspacek at redhat.com (Petr Spacek) Date: Tue, 30 Jun 2015 22:09:48 +0200 Subject: [Freeipa-devel] [PATCHES 0252-0253, 268] DNSSEC: allow to move DNSSEC key master to another IPA server In-Reply-To: <5592A1DF.4060601@redhat.com> References: <555CAFAC.2050803@redhat.com> <55717FD9.6010002@redhat.com> <5580275F.1000106@redhat.com> <5581596D.9080209@redhat.com> <55815BF8.50202@redhat.com> <558BEA12.8060601@redhat.com> <55914517.7090404@redhat.com> <55925275.7020708@redhat.com> <5592A1DF.4060601@redhat.com> Message-ID: <5592F78C.3060406@redhat.com>
On 30.6.2015 16:04, Martin Basti wrote:
> On 30/06/15 10:25, Martin Basti wrote:
>> On 29/06/15 15:16, Martin Basti wrote:
>>> On 25/06/15 13:46, Petr Spacek wrote:
>>>> On 17.6.2015 13:37, Martin Basti wrote:
>>>>> On 17/06/15 13:26, Petr Spacek wrote:
>>>>>> On 16.6.2015 15:40, Martin Basti wrote:
>>>>>>> On 05/06/15 12:54, Petr Spacek wrote:
>>>>>>>> On 20.5.2015 18:00, Martin Basti wrote:
>>>>>>>>> This patch allows to disable DNSSEC key master on IPA server, or replace current DNSSEC key master with another IPA server.
>>>>>>>>>
>>>>>>>>> Only for master branch.
>>>>>>>>>
>>>>>>>>> https://fedorahosted.org/freeipa/ticket/4657
>>>>>>>>>
>>>>>>>>> Patches attached.
>>>>>>>> NACK. This happens on DNSSEC key master:
>>>>>>>> $ ipa-dns-install --disable-dnssec-master
>>>>>>>>
>>>>>>>> Do you want to disable current DNSSEC key master?
>>>>>>>> [no]: yes
>>>>>>>> Unexpected error - see /var/log/ipaserver-install.log for details:
>>>>>>>> TypeError: sequence item 0: expected string, DNSName found
>>>>>>>> 2015-06-05T10:52:35Z DEBUG File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 733, in run_script
>>>>>>>> return_value = main_function()
>>>>>>>>
>>>>>>>> File "/sbin/ipa-dns-install", line 128, in main
>>>>>>>> dns_installer.disable_dnssec_master(options.unattended)
>>>>>>>>
>>>>>>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/dns.py", line 112, in disable_dnssec_master
>>>>>>>> ", ".join(dnssec_zones))
>>>>>>>>
>>>>>>>> 2015-06-05T10:52:35Z DEBUG The ipa-dns-install command failed, exception: TypeError: sequence item 0: expected string, DNSName found
>>>>>>>>
>>>>>>> Updated patches attached.
>>>>>>>
>>>>>>> Due to new installers, more changes were required.
>>>>>> Sorry, NACK, I'm not able to apply this patch set to current master (69607250b9762a6c9b657dd31653b03d54a7b411).
>>>>>>
>>>>> Rebased patches attached.
>>>> NACK.
>>>>
>>>>
>>>> 0) ipa-dns-install --replace-dnssec-master always puts file into /root/ipa-kasp.db.
>>>>
>>>> It would be better to put it into local working directory or /var/lib/ipa (as with replica files).
>>>>
>>>>
>>>> 1) I installed DNSSEC key master role on the vm-134 but DNSSEC services were not stopped by ipactl stop:
>>>>
>>>> [root at vm-134 review]# ipactl stop
>>>> Stopping ipa-otpd Service
>>>> Stopping httpd Service
>>>> Stopping ipa_memcached Service
>>>> Stopping kadmin Service
>>>> Stopping krb5kdc Service
>>>> Stopping Directory Service
>>>> ipa: INFO: The ipactl command was successful
>>>>
>>>> [root at vm-134 review]# ipactl start
>>>> Starting Directory Service
>>>> Starting krb5kdc Service
>>>> Starting kadmin Service
>>>> Starting named Service
>>>> Starting ipa_memcached Service
>>>> Starting httpd Service
>>>> Starting ipa-otpd Service
>>>> Starting ipa-ods-exporter Service
>>>> Starting ods-enforcerd Service
>>>> Starting ipa-dnskeysyncd Service
>>>>
>>>> Subsequent ipactl stop worked fine, only the first one is affected.
>>>>
>>>>
>>>> 2a) vm-134 was the original master. I ran this:
>>>>
>>>> [root at vm-134 review]# ipa-dns-install --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com
>>>>
>>>> ... and then attempted to install master to vm-059:
>>>> [root at vm-059 review]# ipa-dns-install --dnssec-master
>>>>
>>>> This command was accepted despite the missing --kasp-db option and wrong replica name.
>>>>
>>>> It should error out and tell the user to run the command with --kasp-db option.
>>>>
>>>> Even better, we could get rid of explicit replica name specification in --replace-dnssec-master option and allow to run installation with --kasp-db on any replica as long as the kasp.db file is provided.
>>>>
>>>>
>>>>
>>>> 2b) Attempt to move DNSSEC key master from vm-134 to vm-090 *without* specifying --kasp-db option was accepted.
>>>>
>>>> [root at vm-090 review]# ipa-dns-install --dnssec-master
>>>>
>>>> As in case (2a), it should print what user is supposed to do.
>>>>
>>>> I propose following text:
>>>>
>>>> Current DNSSEC key master is being moved to different server.
>>>>
>>>> You need to copy kasp.db file from
>>>> and
>>>> run following command to complete the transition:
>>>>
>>>> # ipa-dns-install --dnssec-master --kasp-db=/path/to/the/copied/kasp.db
>>>>
>>>>
>>>>
>>>> 3) [root at vm-134 review]# ipa-dns-install --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com
>>>> does not remove ISMASTER option from file /etc/sysconfig/ipa-dnskeysyncd .
>>>>
>>>>
>>>> 4) [root at vm-134 review]# ipa-dns-install --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com
>>>>
>>>> it is possible to run
>>>>
>>>> [root at vm-134 review]# ipa-dns-install --dnssec-master
>>>>
>>>> again without --kasp-db and it is accepted.
>>>>
>>>> Moreover, in this case ipaConfigString "NEW_DNSSEC_MASTER" is not properly removed from cn=DNSKeySync,cn=vm-090.abc.idm.lab.eng.brq.redhat.com,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example.
>>>>
>>>>
>>>>
>>>>
>>>> 5) Sequence of commands
>>>> [root at vm-134 review]# ipa-dns-install --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com
>>>>
>>>> [root at vm-090 review]# ipa-replica-manage del vm-134.abc.idm.lab.eng.brq.redhat.com
>>>>
>>>> allows me to run
>>>> [root at vm-090 review]# ipa-dns-install --dnssec-master
>>>>
>>>> without --kasp-db option, it does not throw an error, and the information that some other master existed somewhere is lost.
>>>>
>>>> It would be probably better to replace this and to use some global attribute in cn=dns so similar problems do not happen.
>>>>
>>>>
>>>>
>>>> 6) The migration itself seems to work, KASP DB seems to work properly, however it is necessary to run 'ods-ksmutil zonelist' command *before* all the daemons on the new master are (re)started. This needs to be done to re-generate file /etc/opendnssec/zonelist.xml from the new (copied) DB.
>>>>
>>>> Here please be careful about file permissions.
>>>>
>>>> The command should be run under 'ods' user to avoid permission clobbering.
>>>>
>>>>
>>>> Thank you for your hard work on this!
>>>>
>>> New patches attached.
>>>
>>> Major part of the code was changed.
>>>
>>> Please apply patch 268 first.
>>>
>> Updated patches attached.
>>
>> I just changed the error log to debug log
>> ipautil.run(cmd, runas=ods_enforcerd.get_user_name())
>> - except CalledProcessError as e:
>> - root_logger.error("%s", e)
>> + except CalledProcessError:
>> + root_logger.debug("OpenDNSSEC database has not been updated")
>>
>> As this is not an error during uninstall.
>>
>> --
>> Martin Basti
>>
> Updated patches attached.
Cond-NACK. Moving master does not work without additional patching. I'm attaching a fix for this + some polish for messages.

Please review my amendments, it can be pushed if you are okay with my changes.

--
Petr^2 Spacek
-------------- next part --------------
Attachments (non-text, scrubbed by the archive; all Type: text/x-patch, URL not available):
  freeipa-pspacek-0048-fixup-DNSSEC-allow-to-disable-replace-DNSSEC-key-mas.patch (2150 bytes)
  freeipa-pspacek-0049-fixup-DNSSEC-update-message.patch (3411 bytes)
  freeipa-pspacek-0050-DNSSEC-ipa-dns-install-Detect-existing-master-server.patch (2856 bytes)
  freeipa-pspacek-0051-DNSSEC-Detect-attempt-to-install-disable-master-at-t.patch (996 bytes)