[Freeipa-devel] [PATCHES 0001-0013 v5.1] Profiles and CA ACLs

Martin Basti mbasti at redhat.com
Tue Jun 2 16:37:42 UTC 2015


On 02/06/15 14:11, Fraser Tweedale wrote:
> On Mon, Jun 01, 2015 at 05:22:28PM +1000, Fraser Tweedale wrote:
>> On Mon, Jun 01, 2015 at 05:10:58PM +1000, Fraser Tweedale wrote:
>>> On Fri, May 29, 2015 at 01:03:46PM +0200, Martin Kosek wrote:
>>>> On 05/29/2015 11:21 AM, Martin Basti wrote:
>>>>> On 29/05/15 06:17, Fraser Tweedale wrote:
>>>>>> On Thu, May 28, 2015 at 02:42:53PM +0200, Martin Basti wrote:
>>>>>>> On 28/05/15 11:48, Martin Basti wrote:
>>>>>>>> On 27/05/15 16:04, Fraser Tweedale wrote:
>>>>>>>>> Hello all,
>>>>>>>>>
>>>>>>>>> Fresh certificate management patchset; Changelog:
>>>>>>>>>
>>>>>>>>> - Now depends on patch freeipa-ftweedal-0014 for correct
>>>>>>>>> cert-request behaviour with host and service principals.
>>>>>>>>>
>>>>>>>>> - Updated Dogtag dependency to 10.2.4-1.  Should be in
>>>>>>>>> f22 soon, but for f22 right now or for f21, please grab from my
>>>>>>>>> copr: https://copr.fedoraproject.org/coprs/ftweedal/freeipa/
>>>>>>>>>
>>>>>>>>>    Martin^1 could you please add to the quasi-official freeipa
>>>>>>>>>    copr?  SRPM lives at
>>>>>>>>>    https://frase.id.au/pki-core-10.2.4-1.fc21.src.rpm.
>>>>>>>>>
>>>>>>>>> - cert-request now verifies that for user principals, CSR CN
>>>>>>>>> matches uid and, DN emailAddress and SAN rfc822Name match user's
>>>>>>>>> email address, if either of those is present.
>>>>>>>>>
>>>>>>>>> - Fixed one or two other sneaky little bugs.
>>>>>>>>>
>>>>>>>>> On Wed, May 27, 2015 at 01:59:30AM +1000, Fraser Tweedale wrote:
>>>>>>>>>> Hi all,
>>>>>>>>>>
>>>>>>>>>> Please find attached the latest certificate management
>>>>>>>>>> patchset, which introduces the `caacl' plugin and various fixes
>>>>>>>>>> and improvements to earlier patches.
>>>>>>>>>>
>>>>>>>>>> One important change to earlier patches is reverting the name
>>>>>>>>>> of the default profile to 'caIPAserviceCert' and using the
>>>>>>>>>> existing instance of this profile on upgrade (but not install)
>>>>>>>>>> in case it has been modified.
>>>>>>>>>>
>>>>>>>>>> Other notes:
>>>>>>>>>>
>>>>>>>>>> - Still have changes in ipa-server-install (fewer lines now,
>>>>>>>>>> though)
>>>>>>>>>>
>>>>>>>>>> - Still have the ugly import hack.  It is not a high priority
>>>>>>>>>> for me, i.e. I think it should wait until after alpha
>>>>>>>>>>
>>>>>>>>>> - Still need to update 'service' and 'host' plugins to support
>>>>>>>>>> multiple certificates.  (The userCertificate attribute schema
>>>>>>>>>> itself is multi-valued, so there are no schema issues here)
>>>>>>>>>>
>>>>>>>>>> - The TODOs in [1]; mostly certprofile CLI conveniences and
>>>>>>>>>> supporting multiple profiles for hosts and services (which
>>>>>>>>>> requires changes to framework only, not schema).  [1]:
>>>>>>>>>> http://idm.etherpad.corp.redhat.com/rhel72-cert-mgmt-progress
>>>>>>>>>>
>>>>>>>>>> Happy reviewing!  I am pleased with the initial cut of the
>>>>>>>>>> caacl plugin but I'm sure you will find some things to be fixed
>>>>>>>>>> :)
>>>>>>>>>>
>>>>>>>>>> Cheers, Fraser
>>>>>>>> [root at vm-093 ~]#  ipa-replica-prepare vm-094.example.com
>>>>>>>> --ip-address 10.34.78.94 Directory Manager (existing master)
>>>>>>>> password:
>>>>>>>>
>>>>>>>> Preparing replica for vm-094.example.com from vm-093.example.com
>>>>>>>> Creating SSL certificate for the Directory Server not well-formed
>>>>>>>> (invalid token): line 2, column 14
>>>>>>>>
>>>>>>>> I cannot create replica file.  It works on the upgraded server,
>>>>>>>> but it doesn't work on the newly installed server.  I'm not sure
>>>>>>>> whether this is caused by your patches, which modify the ca-installer,
>>>>>>>> or by the newer version of dogtag.
>>>>>>>>
>>>>>>>> Or if there were any other changes in master, I will continue to
>>>>>>>> investigate with new RPM from master branch.
>>>>>>>>
>>>>>>>> Martin^2
>>>>>>>>
>>>>>>> ipa-replica-prepare works for:
>>>>>>> * master branch
>>>>>>> * master branch + pki-ca 10.2.4-1
>>>>>>>
>>>>>>> So something in your patches is breaking it
>>>>>>>
>>>>>>> Martin^2
>>>>>>>
>>>>>> Martin, master + my patches with pki 10.2.4-1 is working for me on
>>>>>> f21 and f22.  Can you provide ipa-replica-prepare --debug output and
>>>>>> Dogtag debug log?  ( /var/log/pki/pki-tomcat/ca/debug )
>>>>>>
>>>>>> Thanks,
>>>>>> Fraser
>>>>> I can not reproduce it today. And I already recycled the VMs from yesterday. :-(
>>>>>
>>>> In that case I would suggest ACKing&pushing the patch and fixing the bug if
>>>> it comes again. The tree may now be a bit unstable, given the number of
>>>> patches going in.
>>>>
>>>> My main motivation here is to unblock Fraser.
>>>>
>>>> Thanks,
>>>> Martin
>>> Rebased patchset attached; no other changes.
>> Heads up: I just discovered I have introduced a bug with
>> ipa-replica-install, when it is spawning the CA instance.  I think
>> with replication it only causes issues with ``--setup-ca``.
>>
>> I will try and sort it out tomorrow or later tonight (I have to head
>> out for a few hours now, though); and I'm not suggesting it should
>> block the push but it's something to be aware of.
>>
>> Cheers,
>> Fraser
>>
> New patchset attached; haven't gotten to the bottom of the
> ipa-replica-install issue mentioned above, but it fixes an upgrade
> bug.
>
> The change is:
>
> diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
> index c288282..c5f4d37 100644
> --- a/ipaserver/install/server/upgrade.py
> +++ b/ipaserver/install/server/upgrade.py
> @@ -316,7 +316,7 @@ def ca_enable_ldap_profile_subsystem(ca):
>                   caconfig.CS_CFG_PATH,
>                   directive,
>                   separator='=')
> -            if value == 'ProfileSubsystem':
> +            if value == 'com.netscape.cmscore.profile.ProfileSubsystem':
>                   needs_update = True
>                   break
>       except OSError, e:
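Review bot: the detection in this hunk now matches only the fully-qualified value `com.netscape.cmscore.profile.ProfileSubsystem`, so a CS.cfg that still carries the bare `ProfileSubsystem` (the literal the removed line was checking for) would no longer set `needs_update` and would be left on the non-LDAP profile subsystem. If both spellings can occur in that directive, compare the last dot-separated component instead, e.g. `if value.rsplit('.', 1)[-1] == 'ProfileSubsystem':`, or accept both literals explicitly.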
> @@ -328,7 +328,7 @@ def ca_enable_ldap_profile_subsystem(ca):
>           installutils.set_directive(
>               caconfig.CS_CFG_PATH,
>               directive,
> -            'LDAPProfileSubsystem',
> +            'com.netscape.cmscore.profile.LDAPProfileSubsystem',
>               quotes=False,
>               separator='=')
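Review bot: the value written here, `com.netscape.cmscore.profile.LDAPProfileSubsystem`, is a hard-coded class name that has to stay in step with the Dogtag release the patchset now requires (10.2.4-1 per the changelog earlier in the thread); a short comment beside `set_directive` naming the Dogtag version that expects the fully-qualified form, or a module-level constant shared by the `needs_update` check and this write, would make the next version bump easier to spot and keep the two literals from drifting apart.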
>
> Cheers,
> Fraser
>
>
Thank you,

1)
ipa-getcert request  (getcert -c IPA)
doesn't work,

Request ID '20150602145845':
     status: CA_REJECTED
     ca-error: Server at https://vm-137.example.com/ipa/xml denied our 
request, giving up: 3007 (RPC failed at server.  'profile_id' is required).

2)
Error from rpm install
Unexpected error - see /var/log/ipaupgrade.log for details:
SkipPluginModule: dogtag not selected as RA plugin

Just for the record as a known issue, this will be fixed later in a new patch.

3)
+        Str('profile_id', validate_profile_id,
+            label=_("Profile ID"),
+            doc=_("Certificate Profile to use"),
+        )
Please mark this param as optional. ('profile_id?')
This will fix issue 1, but 1 will need an option to specify profile_id

Also move API related change from patch 9 to patch 11 + increment VERSION

4)
* Maybe I do everything wrong :)

I'm not able to create a certificate stored in a FILE, via ipa-getcert 
request.
I'm getting error:
status: CA_UNREACHABLE
     ca-error: Server at https://vm-137.example.com/ipa/xml failed 
request, will retry: 4001 (RPC failed at server. 
vm-137.example.com at example.com: host not found).

or error:
Request ID '20150602154115':
     status: CA_REJECTED
     ca-error: Server at https://vm-137.example.com/ipa/xml denied our 
request, giving up: 2100 (RPC failed at server.  Insufficient access: 
not allowed to perform this command).
(I'm root and kinited as admin)

Maybe an additional ACI is required for cert_request as it is a VirtualCommand


-- 
Martin Basti
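The user-principal checks that the changelog above says cert-request now performs (CSR CN against the uid; DN emailAddress and SAN rfc822Name against the user's mail when present), as an added example that is not part of the patchset or of FreeIPA's own implementation. It uses the third-party `cryptography` library, builds constructed throwaway CSRs for input, and treats a missing CN or a user without a mail attribute as a mismatch; that reading of "if either of those is present" is an assumption.

```python
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def csr_user_mismatches(csr_pem, uid, mail):
    """Return the reasons a CSR is inconsistent with an IPA user.

    An empty list means the request may proceed.  Rules (assumed reading
    of the changelog): the CN must equal the uid; every DN emailAddress
    and every SAN rfc822Name present must equal the user's mail attribute,
    so a user with no mail fails if the CSR carries either of them.
    """
    csr = x509.load_pem_x509_csr(csr_pem)
    problems = []
    cns = [a.value for a in csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)]
    if cns != [uid]:
        problems.append("CN %r does not match uid %r" % (cns, uid))
    for attr in csr.subject.get_attributes_for_oid(NameOID.EMAIL_ADDRESS):
        if attr.value != mail:
            problems.append("DN emailAddress %r does not match mail %r" % (attr.value, mail))
    try:
        san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        rfc822_names = san.get_values_for_type(x509.RFC822Name)
    except x509.ExtensionNotFound:
        rfc822_names = []
    for name in rfc822_names:
        if name != mail:
            problems.append("SAN rfc822Name %r does not match mail %r" % (name, mail))
    return problems


def make_csr(cn, dn_email=None, san_email=None):
    """Build a constructed test CSR signed with a throwaway RSA key."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    attrs = [x509.NameAttribute(NameOID.COMMON_NAME, cn)]
    if dn_email:
        attrs.append(x509.NameAttribute(NameOID.EMAIL_ADDRESS, dn_email))
    builder = x509.CertificateSigningRequestBuilder().subject_name(x509.Name(attrs))
    if san_email:
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.RFC822Name(san_email)]), critical=False)
    return builder.sign(key, hashes.SHA256()).public_bytes(serialization.Encoding.PEM)


if __name__ == "__main__":
    # Constructed sample: CN matches, but the SAN mail belongs to someone else.
    print(csr_user_mismatches(make_csr("alice", san_email="bob@example.com"),
                              "alice", "alice@example.com"))
```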
